Add case for PAM locked account message#19168
Conversation
andrewkroh
added
Integration:system
|
Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform) |
🚀 Benchmarks reportPackage
|
| Data stream | Previous EPS | New EPS | Diff (%) | Result |
|---|---|---|---|---|
auth |
6329.11 | 5208.33 | -1120.78 (-17.71%) | 💔 |
security |
1213.59 | 892.86 | -320.73 (-26.43%) | 💔 |
To see the full report comment with /test benchmark fullreport
💚 Build Succeeded
|
ricardoamaro
left a comment
ricardoamaro
left a comment
There was a problem hiding this comment.
The intent is correct and the field values produced are right, but there are two blockers before this can merge.
Blocker 1: Performance regression (inline comment on line 38)
The new grok pattern uses %{DATA} inside grok-pam-users, which runs on every auth message without a pam_faillock( guard. The benchmark already shows -17.71% EPS on auth and -26.43% on security. The fix: a dedicated processor inserted before grok-pam-users, gated on ctx.message.contains('pam_faillock('), using %{USERNAME} instead of %{DATA}. See inline comment for the exact YAML.
Blocker 2: No test cases
changed_files: 1 — only message.yml was modified. There are no new pipeline test fixtures for a pam_faillock locked-account message. Without a test, there is no CI-level verification that user.name, event.outcome, event.action, and event.category are populated correctly. Add at least one .log + -expected.json pair to packages/system/data_stream/auth/_dev/test/pipeline/ with a message like:
pam_faillock(sshd:auth): Consecutive login failures for user testuser account temporarily locked
Also:
changelog.ymlentry is missing (checklist box is ticked but the diff does not include any changelog change).- Two minor issues flagged inline: outcome condition specificity (line 147) and
account_locked→account-locked(line 167).
| ignore_failure: true | ||
| patterns: | ||
| - 'for user %{QUOTE}?%{DATA:_temp.foruser}%{QUOTE}? by %{QUOTE}?%{DATA:_temp.byuser}%{QUOTE}?(?:\(uid=%{NUMBER:_temp.byuid}\))?$' | ||
| - 'pam_faillock\([^)]+\): %{DATA} for user %{USERNAME:_temp.foruser} account temporarily locked' |
There was a problem hiding this comment.
[Critical] %{DATA} in unguarded processor, root cause of the EPS regression
This pattern is added to the grok-pam-users processor, which runs on every auth message (the only guard is ctx.message != null && ctx.message != ""). %{DATA} resolves to .*? and requires backtracking on every non-matching message.
The fix is a dedicated processor placed before grok-pam-users, gated on pam_faillock(, using %{USERNAME} instead of %{DATA}:
- grok:
description: Grok username from pam_faillock locked account messages.
tag: grok-pam-faillock-users
field: message
ignore_missing: true
ignore_failure: true
if: ctx.message != null && ctx.message.contains('pam_faillock(')
patterns:
- 'for user %{USERNAME:_temp.pam_user} account temporarily locked'This also avoids a correctness risk: the existing for user %{DATA:_temp.foruser}$ pattern (pattern 3 in this same processor) would still fire for pam_faillock messages that don't match the new pattern, potentially writing "test account temporarily locked" into user.name. Inserting before grok-pam-users prevents that entirely.
| tag: set_outcome_failure_account_locked | ||
| field: event.outcome | ||
| value: failure | ||
| if: ctx.message != null && ctx.message.contains('account temporarily locked') |
There was a problem hiding this comment.
[Minor] Outcome condition is less specific than the action condition
This fires on any message containing 'account temporarily locked', including potential non-pam_faillock sources. The action setter a few processors later (tagged set_action_account_locked) correctly also requires pam_faillock(. Make these consistent:
if: ctx.message != null && ctx.message.contains('pam_faillock(') && ctx.message.contains('account temporarily locked')| - set: | ||
| tag: set_action_account_locked | ||
| field: event.action | ||
| value: account_locked |
There was a problem hiding this comment.
[Minor] Underscore vs hyphen. Inconsistent with existing action values
All other action values in this pipeline use hyphens: logged-on, logged-off. This should be:
value: account-locked
4 participants
Proposed commit message
Checklist
changelog.ymlfile.Author's Checklist
How to test this PR locally
Related issues
Screenshots