[Auditbeat] Cherry-pick #10865 to 7.0: Handle different bad login types #10909
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Cherry-pick of PR #10865 to 7.0 branch. Original message:
Depending on the distro and the type of login attempt (e.g. ssh, local login) the
ut_type
value in/var/log/btmp
is different. So far, the login dataset only responded to the rarer login type7
(USER_PROCESS
). The more common one (seems to be exclusively used on Fedora 29, but also used on Ubuntu 18.04 for failed SSH login attempts) is6
(LOGIN_PROCESS
) that we are currently ignoring.This changes the code to have a separate function to process UTMP records from btmp files that treats both
USER_PROCESS
andLOGIN_PROCESS
the same.It also adds a unit test for failed logins including a btmp test file from Ubuntu 18.04 with three bad login attempts.