[redhat-lspp] audit records when specifying an invalid context at ssh login

Klaus Heinrich Kiwi klausk at br.ibm.com
Wed Feb 7 22:57:07 UTC 2007


<posted & mailed>

Ok, when I try to login as testuser/sysadm_r at host, but testuser isn't
allowed as sysadm_r, I get:

type=USER_AUTH msg=audit(1170871741.978:4373): user pid=18653 uid=0
auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM:
authentication acct=testuser : exe="/usr/sbin/sshd"
(hostname=alex.ltc.br.ibm.com, addr=127.0.0.1, terminal=ssh res=success)'
type=USER_ACCT msg=audit(1170871741.982:4374): user pid=18653 uid=0
auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM:
accounting acct=testuser : exe="/usr/sbin/sshd"
(hostname=alex.ltc.br.ibm.com, addr=127.0.0.1, terminal=ssh res=success)'
type=USER_ERR msg=audit(1170871741.992:4375): user pid=18651 uid=0
auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM:
bad_ident acct=? : exe="/usr/sbin/sshd" (hostname=alex.ltc.br.ibm.com,
addr=127.0.0.1, terminal=ssh res=failed)'

Note that, from the above, we can't tell that a user was trying to access an
invalid context (and what context). The same thing happens when the user
successfully logs in using a non-default role/level - no audit record
telling what kind of transition was made.

In previous refreshes, we needed to use 'newrole' and both success and
failures were audited as 'USER_ROLE_CHANGE' records.

I must ask: is this the expected behavior and is this ok with the
certification requirements?

 Klaus


-- 
.:klaus h kiwi <klausk at br.ibm.com>:.
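As an added example (not part of Klaus's post), a small Python parser for audit lines in the format quoted above that pairs each PAM bad_ident failure with the preceding successful USER_AUTH from the same hostname/addr, recovering the account name the USER_ERR record reports only as acct=?. It assumes, as the post does, that bad_ident is the record emitted for the rejected context; the sample lines are the post's three records reassembled one per line, and the 5-second correlation window is an assumed value.

```python
import re

# Constructed sample: the three records from the post, one per line as auditd writes them.
SAMPLE = """\
type=USER_AUTH msg=audit(1170871741.978:4373): user pid=18653 uid=0 auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM: authentication acct=testuser : exe="/usr/sbin/sshd" (hostname=alex.ltc.br.ibm.com, addr=127.0.0.1, terminal=ssh res=success)'
type=USER_ACCT msg=audit(1170871741.982:4374): user pid=18653 uid=0 auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM: accounting acct=testuser : exe="/usr/sbin/sshd" (hostname=alex.ltc.br.ibm.com, addr=127.0.0.1, terminal=ssh res=success)'
type=USER_ERR msg=audit(1170871741.992:4375): user pid=18651 uid=0 auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM: bad_ident acct=? : exe="/usr/sbin/sshd" (hostname=alex.ltc.br.ibm.com, addr=127.0.0.1, terminal=ssh res=failed)'
"""

HEAD = re.compile(r"^type=(\S+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
# key=value pairs: values are "..." or '...' or run up to whitespace, ',' or ')'
KV = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|[^\s,)]+)")

def parse_record(line):
    """Flatten one audit line into a dict; fields inside msg='PAM: ...' are hoisted up."""
    m = HEAD.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "ts": float(m.group(2)), "serial": int(m.group(3))}
    for key, val in KV.findall(m.group(4)):
        rec[key] = val.strip("\"'")
    # The PAM payload is itself key=value text: msg='PAM: <op> acct=... (hostname=..., res=...)'
    pam = re.match(r"PAM: (\S+) (.*)", rec.get("msg", ""))
    if pam:
        rec["pam_op"] = pam.group(1)
        for key, val in KV.findall(pam.group(2)):
            rec[key] = val.strip("\"'")
    return rec

def find_rejected_logins(lines, window=5.0):
    """Pair each PAM bad_ident failure with the last successful USER_AUTH from the same
    (hostname, addr) within `window` seconds; the pid differs, so the peer is the join key."""
    recs = sorted(filter(None, (parse_record(l) for l in lines)), key=lambda r: r["ts"])
    last_auth, findings = {}, []
    for r in recs:
        peer = (r.get("hostname"), r.get("addr"))
        if r["type"] == "USER_AUTH" and r.get("res") == "success":
            last_auth[peer] = r
        elif r["type"] == "USER_ERR" and r.get("pam_op") == "bad_ident":
            auth = last_auth.get(peer)
            linked = auth is not None and r["ts"] - auth["ts"] <= window
            findings.append({
                "acct": auth["acct"] if linked else r.get("acct"),  # "?" when no auth is found
                "addr": r.get("addr"),
                "auth_serial": auth["serial"] if linked else None,
                "err_serial": r["serial"],
                "requested_context": None,  # no record carries it (the gap the post describes)
            })
    return findings
```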



