Re: [Freeipa-users] sudo runs despite being denied by HBAC rules

On 02/09/2016 05:06 PM, Ian Collier wrote:
> Can anyone help me to understand these logs... is there maybe a bug here?
>
> The basic situation is that there is no HBAC rule that would allow
> sudo. When people try it, sss accepts their password but then denies
> them access to the sudo command. But despite this, our logs still
> contain some entries indicating that sudo was actually run. Of course
> the sudoers file then denied them access and sent the sysadmin an
> email.
>
> Here's a journal extract:
>
> Feb 09 11:34:58 hostname sudo[24453]: pam_unix(sudo:auth): authentication failure; logname= uid=12113 euid=0 tty=/dev/pts/1 ruser= rhost= user=
> Feb 09 11:34:58 hostname sudo[24453]: pam_sss(sudo:auth): authentication success; logname= uid=12113 euid=0 tty=/dev/pts/1 ruser= rhost= user=
> Feb 09 11:34:58 hostname audit[24453]: pid=24453 uid=12113 auid=12113 ses=54 msg='op=PAM:authentication grantors=pam_succeed_if,pam_sss acct="" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
> Feb 09 11:34:58 hostname sudo[24453]: pam_sss(sudo:account): Access denied for user : 6 (Permission denied)
> Feb 09 11:34:58 hostname audit[24453]: pid=24453 uid=12113 auid=12113 ses=54 msg='op=PAM:accounting grantors=? acct="" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=failed'
> Feb 09 11:35:05 hostname sudo[24453]: pam_sss(sudo:auth): authentication success; logname= uid=12113 euid=0 tty=/dev/pts/1 ruser= rhost= user=
> Feb 09 11:35:05 hostname audit[24453]: pid=24453 uid=12113 auid=12113 ses=54 msg='op=PAM:authentication grantors=pam_succeed_if,pam_sss acct="" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
> Feb 09 11:35:05 hostname sudo[24453]: pam_sss(sudo:account): Access denied for user : 6 (Permission denied)
> Feb 09 11:35:05 hostname audit[24453]: pid=24453 uid=12113 auid=12113 ses=54 msg='op=PAM:accounting grantors=? acct="" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=failed'
> Feb 09 11:35:08 hostname sudo[24453]: pam_unix(sudo:auth): auth could not identify password for []
> Feb 09 11:35:08 hostname sudo[24453]: pam_sss(sudo:auth): authentication failure; logname= uid=12113 euid=0 tty=/dev/pts/1 ruser= rhost= user=
> Feb 09 11:35:08 hostname sudo[24453]: pam_sss(sudo:auth): received for user : 7 (Authentication failure)
> Feb 09 11:35:08 hostname audit[24453]: pid=24453 uid=12113 auid=12113 ses=54 msg='op=PAM:authentication grantors=? acct="" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=failed'
> Feb 09 11:35:08 hostname audit[24453]: pid=24453 uid=12113 auid=12113 ses=54 msg='cwd=2F6175xxx cmd=617074xxx terminal=pts/1 res=failed'
> Feb 09 11:35:08 hostname audit[24453]: pid=24453 uid=12113 auid=12113 ses=54 msg='cwd=2F6175xxx cmd=617074xxx terminal=pts/1 res=failed'
> Feb 09 11:35:08 hostname sudo[24453]: : user NOT in sudoers ; TTY=pts/1 ; PWD=/x ; USER=root ; COMMAND=x
> Feb 09 11:35:09 hostname sSMTP[24463]: Sent mail for r...@cs.ox.ac.uk (221 mail.cs.ox.ac.uk closing connection) uid=0 =root outbytes=607
>
> What this seems to say:
>
> 1. pam_unix failed the password (expected because passwords are managed by IPA)
> 2. pam_sss accepted the password
> 3. pam_sss denied access to sudo:account
>
> Presumably sudo asked the user to try again and they re-typed the password
>
> 4. pam_sss accepted the password
> 5. pam_sss denied access to sudo:account
> 6. Three seconds later pam_unix said it "could not identify password" (?)
> 7. This time pam_sss failed the password and returned 7 (Authentication failure)
> 8. sudo ran anyway!
>
> I can't duplicate this behaviour myself but looking through the logs in
> our computer lab there are a few of these. See for instance the
> following which appears to deny access three times and then just run
> it anyway:
>
> Feb 02 10:31:12 hostname2 sudo[24468]: pam_unix(sudo:auth): authentication failure; logname=xyyx uid=12106 euid=0 tty=/dev/pts/1 ruser=xyyx rhost= user=xyyx
> Feb 02 10:31:14 hostname2 sudo[24468]: pam_sss(sudo:auth): authentication success; logname=xyyx uid=12106 euid=0 tty=/dev/pts/1 ruser=xyyx rhost= user=xyyx
> Feb 02 10:31:14 hostname2 audit[24468]: pid=24468 uid=12106 auid=12106 ses=39 msg='op=PAM:authentication grantors=pam_succeed_if,pam_sss acct="xyyx" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
> Feb 02 10:31:15 hostname2 sudo[24468]: pam_sss(sudo:account): Access denied for user xyyx: 6 (Permission denied)
> Feb 02 10:31:15 hostname2 audit[24468]: pid=24468 uid=12106 auid=12106 ses=39 msg='op=PAM:accounting grantors=? acct="xyyx" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=failed'
> Feb 02 10:31:26 hostname2 sudo[24468]: pam_sss(sudo:auth): authentication success; logname=xyyx uid=12106 euid=0 tty=/dev/pts/1 ruser=xyyx rhost= user=xyyx
> Feb 02 10:31:26 hostname2 audit[24468]: pid=24468 uid=12106 auid=12106 ses=39
Re: [Freeipa-users] sudo runs despite being denied by HBAC rules
I wrote...

> Can anyone help me to understand these logs... is there maybe a bug here?
> The basic situation is that there is no HBAC rule that would allow
> sudo. When people try it, sss accepts their password but then denies
> them access to the sudo command. But despite this, our logs still
> contain some entries indicating that sudo was actually run. Of course
> the sudoers file then denied them access and sent the sysadmin an
> email.

It turns out I am misinterpreting the logs. And because the sudoers file
would normally allow me access, testing it with my own account didn't
yield the same results.

Essentially, if sudoers would deny access then it seems that sudo will
log and email the sysadmin even if the user failed to supply a correct
password. So there isn't a problem here after all. The user is being
told their password was incorrect and sudo goes no further. But the
email that the sysadmin receives is the same regardless of whether sudo
accepted their password.

If I try with my account, sudo tells me my password is incorrect but
doesn't email the sysadmin, and it writes "3 incorrect password
attempts" into the log instead of "user NOT in sudoers".

Anyway, now I've added an HBAC rule that allows the system staff (but
not general users) to run sudo, and this is working too.

Sorry for the false alarm.

Ian Collier.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
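The misreading in this thread (a "user NOT in sudoers" line plus an email after a failed password, taken for a command that ran) is easy to repeat when scanning journal extracts by hand. As an added example that is not part of the thread, this Python script groups journal lines by sudo PID and reports what sudo actually did in each session, covering both the first mail's extracts and the explanation above. The log lines are constructed to mirror those extracts (hostnames, users and commands are made up), and the alert case, a decision line with no refusal reason after a pam_sss account denial, is the situation the original mail feared.

```python
import re
from collections import defaultdict

# Constructed journal lines modelled on the thread's extracts (not the original logs).
SAMPLE_LOG = """\
Feb 09 11:34:58 host sudo[24453]: pam_sss(sudo:auth): authentication success; logname= uid=12113 euid=0 tty=/dev/pts/1 ruser= rhost= user=alice
Feb 09 11:34:58 host sudo[24453]: pam_sss(sudo:account): Access denied for user alice: 6 (Permission denied)
Feb 09 11:35:08 host sudo[24453]: pam_sss(sudo:auth): authentication failure; logname= uid=12113 euid=0 tty=/dev/pts/1 ruser= rhost= user=alice
Feb 09 11:35:08 host sudo[24453]:    alice : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt
Feb 09 11:40:10 host sudo[24500]:    bob : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt
Feb 09 11:45:00 host sudo[24600]: pam_sss(sudo:auth): authentication success; logname= uid=11000 euid=0 tty=/dev/pts/3 ruser= rhost= user=carol
Feb 09 11:45:00 host sudo[24600]:    carol : TTY=pts/3 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/apt
Feb 09 11:50:00 host sudo[24700]: pam_sss(sudo:account): Access denied for user dave: 6 (Permission denied)
Feb 09 11:50:00 host sudo[24700]:    dave : TTY=pts/4 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/apt
"""

SUDO_LINE = re.compile(r" sudo\[(\d+)\]: (.*)$")
AUTH = re.compile(r"pam_sss\(sudo:auth\): authentication (success|failure)")
ACCOUNT_DENIED = re.compile(r"pam_sss\(sudo:account\): Access denied")
# sudo's own decision line: "user : [reason ;] TTY=... ; PWD=... ; USER=... ; COMMAND=..."
DECISION = re.compile(r"^\s*(\S*)\s*: (?:(.+?) ; )?TTY=\S+ ; PWD=\S+ ; USER=\S+ ; COMMAND=(.*)$")


def verdict(s):
    """What sudo actually did, read together with the PAM results seen in the same session."""
    if s["command"] is None:
        return "no decision logged (session incomplete)"
    if s["reason"] == "user NOT in sudoers":
        return "denied by sudoers (command not run)"  # logged and mailed even after a failed password
    if s["reason"] and "incorrect password" in s["reason"]:
        return "rejected: bad password (command not run)"
    if s["reason"] is None and s["account_denied"]:
        return "ALERT: command ran after pam_sss account denial"
    return "command ran" if s["reason"] is None else f"denied: {s['reason']}"


def triage(log_text):
    """Group journal lines by sudo PID and attach a verdict to each session."""
    sessions = defaultdict(lambda: {"auth": [], "account_denied": False, "command": None, "reason": None})
    for m in filter(None, map(SUDO_LINE.search, log_text.splitlines())):
        s, msg = sessions[int(m.group(1))], m.group(2)
        if a := AUTH.search(msg):
            s["auth"].append(a.group(1))  # one pam_sss result per password prompt
        elif ACCOUNT_DENIED.search(msg):
            s["account_denied"] = True  # HBAC refused the sudo service for this user
        elif d := DECISION.match(msg):
            s["reason"], s["command"] = d.group(2), d.group(3)
    for s in sessions.values():
        s["verdict"] = verdict(s)
    return dict(sessions)
```

Feed it `journalctl -u` output or `journalctl _COMM=sudo` text and only the ALERT verdict deserves attention; the "user NOT in sudoers" sessions are the ones the sysadmin mail is sent for, whether or not the password was right.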