NetBSD Problem Report #42540
From www@NetBSD.org Tue Dec 29 15:30:15 2009
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by www.NetBSD.org (Postfix) with ESMTP id D0ACB63C37E
for <gnats-bugs@gnats.NetBSD.org>; Tue, 29 Dec 2009 15:30:15 +0000 (UTC)
Message-Id: <20091229153015.9457063B844@www.NetBSD.org>
Date: Tue, 29 Dec 2009 15:30:15 +0000 (UTC)
From: eravin@panix.com
Reply-To: eravin@panix.com
To: gnats-bugs@NetBSD.org
Subject: /usr/bin/login does not log normal logins, does not log IP addresses
X-Send-Pr-Version: www-1.0
>Number: 42540
>Category: bin
>Synopsis: /usr/bin/login does not log normal logins, does not log IP addresses
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: bin-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Dec 29 15:35:00 +0000 2009
>Closed-Date: Sun Aug 28 20:13:52 +0000 2011
>Last-Modified: Sun Aug 28 20:13:52 +0000 2011
>Originator: Ed Ravin
>Release: 5.0.1
>Organization:
Public Access Networks Corp
>Environment:
NetBSD panix5.panix.com 5.0.1 NetBSD 5.0.1 (PANIX-XEN3U-USER) #0: Thu Nov 5 07:26:24 EST 2009 root@juggler.panix.com:/devel/netbsd/5.0.1/src/sys/arch/i386/compile/PANIX-XEN3U-USER i386
>Description:
1. /usr/bin/login does not seem to generate syslog messages for normal, successful logins. syslog messages are only produced in case of error, in case of root login, and a few other special cases.
2. When /usr/bin/login does generate syslog messages regarding remote connections, it uses the looked-up hostname, not the IP address. The IP address is needed since the results of DNS lookups can change over time and are not a reliable way to audit which hosts are connecting to you.
>How-To-Repeat:
Connect to a NetBSD system via telnet and log in as a regular (non-root) user.
Try to find any syslog output generated by the login event.
>Fix:
>Release-Note:
>Audit-Trail:
From: christos@zoulas.com (Christos Zoulas)
To: gnats-bugs@NetBSD.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Cc:
Subject: Re: bin/42540: /usr/bin/login does not log normal logins, does not log IP addresses
Date: Tue, 29 Dec 2009 10:44:07 -0500
On Dec 29, 3:35pm, eravin@panix.com (eravin@panix.com) wrote:
-- Subject: bin/42540: /usr/bin/login does not log normal logins, does not lo
| 1. /usr/bin/login does not seem to generate syslog messages for
| normal, successful logins. syslog messages are only produced in
| case of error, in case of root login, and a few other special cases.
Yes, that is the historical behavior.
| 2. When /usr/bin/login does generate syslog messages regarding
| remote connections, it uses the looked-up hostname, not the IP
| address. The IP address is needed since the results of DNS lookups
| can change over time and are not a reliable way to audit which
| hosts are connecting to you,
Yes, because it is only being passed in the hostname; it does not
lookup anything. Even the hostname passed can be bogus (although
one presumes that the daemon that forks login is trusted).
So your desired behavior is to use getpeername(2) to determine if
the login is remote and always syslog(LOG_INFO the information?
christos
From: christos@zoulas.com (Christos Zoulas)
To: gnats-bugs@NetBSD.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Cc:
Subject: Re: bin/42540: /usr/bin/login does not log normal logins, does not log IP addresses
Date: Tue, 29 Dec 2009 10:48:32 -0500
On Dec 29, 10:44am, christos@zoulas.com (Christos Zoulas) wrote:
-- Subject: Re: bin/42540: /usr/bin/login does not log normal logins, does no
| Yes, because it is only being passed in the hostname; it does not
| lookup anything. Even the hostname passed can be bogus (although
| one presumes that the daemon that forks login is trusted).
|
| So your desired behavior is to use getpeername(2) to determine if
| the login is remote and always syslog(LOG_INFO the information?
Now that I looked more into it, it will use getpeername(2) to fill in
the address in wtmpx. Isn't that good enough? (looking through the wtmpx
records?)
christos
From: Ed Ravin <eravin@panix.com>
To: gnats-bugs@NetBSD.org
Cc: gnats-admin@netbsd.org, netbsd-bugs@netbsd.org, eravin@panix.com
Subject: Re: bin/42540: /usr/bin/login does not log normal logins, does not log IP addresses
Date: Tue, 29 Dec 2009 11:30:25 -0500
On Tue, Dec 29, 2009 at 03:45:03PM +0000, Christos Zoulas wrote:
...
> | 1. /usr/bin/login does not seem to generate syslog messages for
> | normal, successful logins. syslog messages are only produced in
> | case of error, in case of root login, and a few other special cases.
>
> Yes, that is the historical behavior.
Indeed it is, but modern operating systems need to keep audit trails.
And some shops won't even allow deployments of operating systems that
can't be audited for login/logout events.
> | 2. When /usr/bin/login does generate syslog messages regarding
> | remote connections, it uses the looked-up hostname, not the IP
> | address. The IP address is needed since the results of DNS lookups
> | can change over time and are not a reliable way to audit which
> | hosts are connecting to you,
>
> Yes, because it is only being passed in the hostname; it does not
> lookup anything. Even the hostname passed can be bogus (although
> one presumes that the daemon that forks login is trusted).
The daemon is trusted, but the DNS is not - a malicious network
operator could create a false DNS entry, telnet to the NetBSD
host, then change it back. When the operator of the NetBSD system
reviews the logs, the hostname found in the log will not point to
the IP address that originated the telnet session. There are also
non-malicious cases where DNS could change after the telnet session
is over.
> So your desired behavior is to use getpeername(2) to determine if
> the login is remote and always syslog(LOG_INFO the information?
My desired behavior is to have a reliable audit trail of logins that
include the username and, for remote logins, the IP address they logged
in from.
I believe the same issue occurs when rlogind calls /usr/bin/login.
Also, I see there's a "-a IP-address" option to /usr/bin/login that
might be useful if telnetd/rlogind used it when invoking login.
-- Ed
From: Ed Ravin <eravin@panix.com>
To: gnats-bugs@NetBSD.org
Cc: gnats-admin@netbsd.org, netbsd-bugs@netbsd.org, eravin@panix.com
Subject: Re: bin/42540: /usr/bin/login does not log normal logins, does not log IP addresses
Date: Tue, 29 Dec 2009 11:47:37 -0500
On Tue, Dec 29, 2009 at 03:50:04PM +0000, Christos Zoulas wrote:
> | Yes, because it is only being passed in the hostname; it does not
> | lookup anything. Even the hostname passed can be bogus (although
> | one presumes that the daemon that forks login is trusted).
> |
> | So your desired behavior is to use getpeername(2) to determine if
> | the login is remote and always syslog(LOG_INFO the information?
>
> Now that I looked more into it, it will use getpeername(2) to fill in
> the address in wtmpx. Isn't that good enough? (looking through the wtmpx
> records?)
It's nowhere near as good as syslog for audit trails - syslogs can be
sent immediately to another host for safekeeping, while wtmp is stored
locally and is the first thing that gets zapped after a successful
break-in. Also, once it's in syslog, it can be tracked by a whole bunch
of automated tools (for people doing security auditing, IDS, etc.).
All the more recently written programs that do authentication, like ftpd
and sshd, generate syslog messages for logins.
-- Ed
From: jnemeth@victoria.tc.ca (John Nemeth)
To: gnats-bugs@NetBSD.org, gnats-admin@NetBSD.org, netbsd-bugs@NetBSD.org
Cc:
Subject: Re: bin/42540: /usr/bin/login does not log normal logins, does not log IP addresses
Date: Tue, 29 Dec 2009 09:44:23 -0800
On Apr 16, 3:42am, eravin@panix.com wrote:
}
} >Number: 42540
} >Synopsis: /usr/bin/login does not log normal logins, does not log IP addresses
} >Arrival-Date: Tue Dec 29 15:35:00 +0000 2009
} >Originator: Ed Ravin
} >Release: 5.0.1
} >Description:
} 1. /usr/bin/login does not seem to generate syslog messages for
} normal, successful logins. syslog messages are only produced in case
} of error, in case of root login, and a few other special cases.
}
} 2. When /usr/bin/login does generate syslog messages regarding remote
} connections, it uses the looked-up hostname, not the IP address. The
} IP address is needed since the results of DNS lookups can change over
} time and are not a reliable way to audit which hosts are connecting
} to you,
/var/log/authlog should have an entry for the telnet connection, i.e:
Dec 29 09:37:43 P4-3679GHz inetd[4279]: connection from localhost(127.0.0.1), service telnet (tcp)
Is this good enough for seeing what hosts connect to you, or do you
need something that associates the connection with a user?
}-- End of excerpt from eravin@panix.com
From: Christos Zoulas <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/42540 CVS commit: src/usr.bin/login
Date: Tue, 29 Dec 2009 14:26:13 -0500
Module Name: src
Committed By: christos
Date: Tue Dec 29 19:26:13 UTC 2009
Modified Files:
src/usr.bin/login: Makefile login.c login_pam.c
Added Files:
src/usr.bin/login: common.c common.h
Log Message:
PR/42540: Ed Ravin: /usr/bin/login does not log normal logins, and does not
log ip addresses.
- Factor out the common code in login.c and login_pam.c into common.c
- Always log a login event
- Check passed in sockaddr against the one from getpeername(2).
To generate a diff of this commit:
cvs rdiff -u -r1.50 -r1.51 src/usr.bin/login/Makefile
cvs rdiff -u -r0 -r1.1 src/usr.bin/login/common.c src/usr.bin/login/common.h
cvs rdiff -u -r1.96 -r1.97 src/usr.bin/login/login.c
cvs rdiff -u -r1.19 -r1.20 src/usr.bin/login/login_pam.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: David Holland <dholland-bugs@netbsd.org>
To: gnats-bugs@NetBSD.org
Cc: eravin@panix.com
Subject: Re: bin/42540: /usr/bin/login does not log normal logins, does not log IP addresses
Date: Wed, 30 Dec 2009 22:07:06 +0000
On Tue, Dec 29, 2009 at 04:50:06PM +0000, Ed Ravin wrote:
>> Now that I looked more into it, it will use getpeername(2) to fill in
>> the address in wtmpx. Isn't that good enough? (looking through the wtmpx
>> records?)
>
> It's nowhere near as good as syslog for audit trails - syslogs can be
> sent immediately to another host for safekeeping, while wtmp is stored
> locally and is the first thing that gets zapped after a successful
> break-in. Also, once it's in syslog, it can be tracked by a whole bunch
> of automated tools (for people doing security auditing, IDS, etc.).
>
> All the more recently written programs that do authentication, like ftpd
> and sshd, generate syslog messages for logins.
While this is all true, wtmp (and also /var/account/acct) is part of
the system's overall log information, and in the long run it'd
probably be better to be able to ship it around as well.
Either that or we should take the plunge and kill off wtmp entirely in
favor of sending that information through syslog... although that has
other issues...
--
David A. Holland
dholland@netbsd.org
State-Changed-From-To: open->feedback
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Mon, 22 Aug 2011 01:15:06 +0000
State-Changed-Why:
Was the patch Christos committed a year and a half ago adequate? Does it
need to be pulled up to 5.1_STABLE or can this PR just be closed?
From: Ed Ravin <eravin@panix.com>
To: gnats-bugs@NetBSD.org
Cc: gnats-admin@netbsd.org, netbsd-bugs@netbsd.org, dholland@NetBSD.org
Subject: Re: bin/42540 (/usr/bin/login does not log normal logins, does not log IP addresses)
Date: Sat, 27 Aug 2011 23:06:21 -0400
The patch is adequate. Thanks very much, and by all means, close the PR.
-- Ed
On Mon, Aug 22, 2011 at 01:15:08AM +0000, dholland@NetBSD.org wrote:
> Synopsis: /usr/bin/login does not log normal logins, does not log IP addresses
>
> State-Changed-From-To: open->feedback
> State-Changed-By: dholland@NetBSD.org
> State-Changed-When: Mon, 22 Aug 2011 01:15:06 +0000
> State-Changed-Why:
> Was the patch Christos committed a year and a half ago adequate? Does it
> need to be pulled up to 5.1_STABLE or can this PR just be closed?
>
>
>
--
Ed Ravin | Warning - this email may contain rhetorical
| devices, metaphors, analogies, typographical
eravin@ | errors, or just plain snarkiness. A sense of
panix.com | humor may be required for proper interpretation.
State-Changed-From-To: feedback->closed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Sun, 28 Aug 2011 20:13:52 +0000
State-Changed-Why:
Can be closed. Thanks for getting back to me, and sorry this sat around
for two years.
>Unformatted: