-
Notifications
You must be signed in to change notification settings - Fork 4.9k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[Auditbeat] Cherry-pick #10865 to 7.x: Handle different bad login typ…
…es (#10910) Cherry-pick of PR #10865 to 7.x branch. Original message: Depending on the distro and the type of login attempt (e.g. ssh, local login) the `ut_type` value in `/var/log/btmp` is different. So far, the login dataset only responded to the rarer login type `7` (`USER_PROCESS`). The more common one (seems to be exclusively used on Fedora 29, but also used on Ubuntu 18.04 for failed SSH login attempts) is `6` (`LOGIN_PROCESS`) that we are currently ignoring. This changes the code to have a separate function to process UTMP records from btmp files that treats both `USER_PROCESS` and `LOGIN_PROCESS` the same. It also adds a unit test for failed logins including a btmp test file from Ubuntu 18.04 with three bad login attempts.
- Loading branch information
Christoph Wurm
authored
Feb 25, 2019
1 parent
8e7239f
commit 9377f06
Showing
4 changed files
with
145 additions
and
14 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Binary file not shown.