Bug 2049947 - Additional audit logging
Summary: Additional audit logging
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: openssh
Version: 35
Hardware: All
OS: Linux
unspecified
low
Target Milestone: ---
Assignee: Norbert Pócs
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-02-02 23:22 UTC by Tom Stimson
Modified: 2022-10-24 17:46 UTC (History)

Fixed In Version: openssh-9.0p1-8.fc38
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-10-24 17:46:35 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)
patch implementing enhancement request (deleted)
2022-02-02 23:22 UTC, Tom Stimson


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FC-385 0 None None None 2022-02-02 23:34:00 UTC

Description Tom Stimson 2022-02-02 23:22:36 UTC
Created attachment 1858764 [details]
patch implementing enhancement request

Description of problem:

I'd like to have additional information audited about the SSH key used to log in.  Specifically, when using SSH certificates from trusted CAs, I'd like to know the id of the key and the principal that is logging in.  This is particularly useful information to have when multiple principals have been granted access to an account.  Sshd is logging some of that to syslog already, but it's not in the audit stream where it can be correlated with user activity.

I've attached a patch with the code to generate these audit messages.  If you'd prefer a pull request, let me know and I'll create one.  I wasn't sure if you'd want the audit patch updated to include this change, or take it as a separate patch.

Note, I'm submitting this change request to Fedora instead of upstream OpenSSH, because the audit functionality this builds on is in an existing Fedora patch, and not upstream.


How reproducible:
100%

Steps to Reproduce:
1. Generate a CA key.
2. Set up a host to trust the CA key.
3. Create a test user.
4. Grant a test principal access to the test user account.
5. Generate a test ssh key.
6. Sign the ssh key with the CA key, including the test principal in the certificate.
7. Check the audit logs.

I can provide more explicit commands to test with if necessary.


Expected results:

Example audit records of a certificate with two principals logging into the testuser account.

type=USER_AUTH msg=audit(1643837305.329:4859): pid=194677 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=cert key_id="testident" cert_serial=1 cert_issuer_alg="RSA" cert_issuer_fp="SHA256:rxlBPzSwfzBwGoqMBXquRhC+xDUO76Zui0JnKV+Jd4U" acct="testuser" exe="/usr/sbin/sshd" hostname=? addr=::1 terminal=? res=success'^]UID="root" AUID="unset"
type=USER_AUTH msg=audit(1643837305.329:4860): pid=194677 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=principal cert_principal="test_principal" acct="testuser" exe="/usr/sbin/sshd" hostname=? addr=::1 terminal=? res=success'^]UID="root" AUID="unset"


Additional info:
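
Added example, not part of the bug report or the attached patch: a short Python parser that joins the `op=cert` and `op=principal` USER_AUTH records shown above into one entry per login, so the key id, certificate serial, issuer fingerprint and principals can be correlated with the account. The function names are hypothetical, and grouping by sshd pid and `acct` is an assumption based on the two sample records.

```python
import re

# The two USER_AUTH records from the report above, copied as they appear there.
SAMPLE = r'''type=USER_AUTH msg=audit(1643837305.329:4859): pid=194677 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=cert key_id="testident" cert_serial=1 cert_issuer_alg="RSA" cert_issuer_fp="SHA256:rxlBPzSwfzBwGoqMBXquRhC+xDUO76Zui0JnKV+Jd4U" acct="testuser" exe="/usr/sbin/sshd" hostname=? addr=::1 terminal=? res=success'^]UID="root" AUID="unset"
type=USER_AUTH msg=audit(1643837305.329:4860): pid=194677 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=principal cert_principal="test_principal" acct="testuser" exe="/usr/sbin/sshd" hostname=? addr=::1 terminal=? res=success'^]UID="root" AUID="unset"
'''

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): pid=(\d+)")
INNER = re.compile(r"msg='([^']*)'")              # payload written by sshd
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare

def parse_record(line):
    """Return header fields plus the inner msg key/value pairs, or None."""
    head, inner = HEADER.match(line), INNER.search(line)
    if not head or not inner:
        return None
    rec = {k: bare or quoted for k, quoted, bare in PAIR.findall(inner.group(1))}
    rec.update(type=head.group(1), time=float(head.group(2)),
               event=int(head.group(3)), pid=int(head.group(4)))
    return rec

def cert_logins(text):
    """Join op=cert and op=principal records into one entry per login.

    Assumption: records of one authentication share the sshd pid and the
    acct value, as the two sample records do.
    """
    logins = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if not rec or rec["type"] != "USER_AUTH" or rec.get("res") != "success":
            continue
        if rec.get("op") not in ("cert", "principal"):
            continue  # other USER_AUTH records (password, pubkey, ...) are skipped
        entry = logins.setdefault((rec["pid"], rec.get("acct")), {"principals": []})
        if rec["op"] == "cert":
            entry.update(key_id=rec.get("key_id"), serial=int(rec["cert_serial"]),
                         issuer_alg=rec.get("cert_issuer_alg"),
                         issuer_fp=rec.get("cert_issuer_fp"), time=rec["time"])
        else:
            entry["principals"].append(rec.get("cert_principal"))
    return logins

if __name__ == "__main__":
    for (pid, acct), info in cert_logins(SAMPLE).items():
        print(pid, acct, info)
```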

Comment 2 Tom Stimson 2022-06-08 17:46:04 UTC
Any feedback on this request?  Is this something that you are willing to include?

Comment 3 Norbert Pócs 2022-06-09 07:09:10 UTC
Hi Tom,

Yes, this is planned for the next year quarter.

Comment 4 Fedora Update System 2022-10-24 17:44:12 UTC
FEDORA-2022-e33cabe508 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2022-e33cabe508

Comment 5 Fedora Update System 2022-10-24 17:46:35 UTC
FEDORA-2022-e33cabe508 has been pushed to the Fedora 38 stable repository.
If the problem still persists, please make note of it in this bug report.

