
[Auditbeat] Cherry-pick #10865 to 7.0: Handle different bad login types #10909

Merged: 1 commit merged into elastic:7.0 from backport_10865_7.0 on Feb 25, 2019

Conversation

@cwurm (Contributor) commented Feb 22, 2019

Cherry-pick of PR #10865 to 7.0 branch. Original message:

Depending on the distro and the type of login attempt (e.g. ssh, local login), the `ut_type` value in `/var/log/btmp` is different. So far, the login dataset only responded to the rarer login type `7` (`USER_PROCESS`). The more common one (it seems to be used exclusively on Fedora 29, but is also used on Ubuntu 18.04 for failed SSH login attempts) is `6` (`LOGIN_PROCESS`), which we are currently ignoring.

This changes the code to have a separate function to process UTMP records from btmp files that treats both `USER_PROCESS` and `LOGIN_PROCESS` the same.

It also adds a unit test for failed logins including a btmp test file from Ubuntu 18.04 with three bad login attempts.

(cherry picked from commit 94666a8)
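The record handling the PR describes, as an added example that is not Auditbeat's code: a small Go decoder for raw `btmp` contents that treats both `LOGIN_PROCESS` (6) and `USER_PROCESS` (7) records as failed login attempts and ignores every other `ut_type`. It assumes the glibc `struct utmp` layout on little-endian x86_64 (384 bytes per record); the function names `parseBtmp`, `failedLogins`, `makeRecord` and `sampleBtmp` are this example's own, and the three-record btmp file it decodes is constructed inline, not a capture from a real host.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"time"
)

// ut_type values from <utmp.h> (glibc).
const (
	LoginProcess int16 = 6 // LOGIN_PROCESS: getty/sshd waiting for a user
	UserProcess  int16 = 7 // USER_PROCESS: a normal user session
)

// utmpRecord mirrors glibc's struct utmp on x86_64 (384 bytes per record,
// assumed layout). Blank fields are compiler padding and reserved bytes.
type utmpRecord struct {
	Type    int16
	_       [2]byte
	Pid     int32
	Line    [32]byte
	ID      [4]byte
	User    [32]byte
	Host    [256]byte
	Exit    [2]int16
	Session int32
	TvSec   int32
	TvUsec  int32
	AddrV6  [4]int32
	_       [20]byte
}

const utmpSize = 384

// FailedLogin is the event a qualifying btmp record is turned into.
type FailedLogin struct {
	Type      int16
	User      string
	Line      string
	Host      string
	Timestamp time.Time
}

// cstring returns the bytes up to the first NUL as a Go string.
func cstring(b []byte) string {
	if i := bytes.IndexByte(b, 0); i >= 0 {
		return string(b[:i])
	}
	return string(b)
}

// parseBtmp splits raw btmp contents into fixed-size utmp records and
// rejects a file whose length is not a whole number of records.
func parseBtmp(data []byte) ([]utmpRecord, error) {
	if len(data)%utmpSize != 0 {
		return nil, fmt.Errorf("btmp length %d is not a multiple of %d", len(data), utmpSize)
	}
	var recs []utmpRecord
	r := bytes.NewReader(data)
	for r.Len() > 0 {
		var rec utmpRecord
		if err := binary.Read(r, binary.LittleEndian, &rec); err != nil {
			return nil, err
		}
		recs = append(recs, rec)
	}
	return recs, nil
}

// failedLogins treats LOGIN_PROCESS and USER_PROCESS records the same way,
// as failed login attempts; any other ut_type is skipped.
func failedLogins(recs []utmpRecord) []FailedLogin {
	var out []FailedLogin
	for _, r := range recs {
		if r.Type != LoginProcess && r.Type != UserProcess {
			continue
		}
		out = append(out, FailedLogin{
			Type:      r.Type,
			User:      cstring(r.User[:]),
			Line:      cstring(r.Line[:]),
			Host:      cstring(r.Host[:]),
			Timestamp: time.Unix(int64(r.TvSec), int64(r.TvUsec)*1000).UTC(),
		})
	}
	return out
}

// makeRecord fills a record for the constructed sample below.
func makeRecord(utType int16, user, line, host string, ts int64) utmpRecord {
	var r utmpRecord
	r.Type = utType
	copy(r.User[:], user)
	copy(r.Line[:], line)
	copy(r.Host[:], host)
	r.TvSec = int32(ts)
	return r
}

// sampleBtmp is a constructed btmp file (not a real capture): a LOGIN_PROCESS
// SSH failure, a USER_PROCESS local failure, and a type-8 control record
// that the filter must leave out.
func sampleBtmp() []byte {
	recs := []utmpRecord{
		makeRecord(LoginProcess, "root", "ssh:notty", "10.0.0.5", 1550000000),
		makeRecord(UserProcess, "alice", "tty1", "", 1550000060),
		makeRecord(8, "bob", "tty2", "", 1550000120),
	}
	var buf bytes.Buffer
	for _, r := range recs {
		if err := binary.Write(&buf, binary.LittleEndian, r); err != nil {
			panic(err)
		}
	}
	return buf.Bytes()
}

func main() {
	recs, err := parseBtmp(sampleBtmp())
	if err != nil {
		panic(err)
	}
	for _, f := range failedLogins(recs) {
		fmt.Printf("type=%d user=%s line=%s host=%q at %s\n",
			f.Type, f.User, f.Line, f.Host, f.Timestamp.Format(time.RFC3339))
	}
}
```

On a real host the input would be the bytes of `/var/log/btmp` (readable only by root on most distros); the length check matters there because a partially written last record would otherwise decode as garbage.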
@cwurm cwurm requested a review from a team as a code owner February 22, 2019 18:50
@cwurm cwurm changed the title Cherry-pick #10865 to 7.0: [Auditbeat] Handle different bad login types [Auditbeat] Cherry-pick #10865 to 7.0: Handle different bad login types Feb 22, 2019
@elasticmachine (Collaborator):

Pinging @elastic/secops

@cwurm cwurm merged commit 6a2956d into elastic:7.0 Feb 25, 2019
@cwurm cwurm deleted the backport_10865_7.0 branch February 25, 2019 14:27