Difference between Failed Authentications and Failed Logins in aureport [closed]

Lately I've been exploring the aureport tool, but I've noticed the following in the outputs and behavior of it.
For example, running the following command:
# aureport --failed
Displays the following snippet:
Failed Summary Report
======================
Number of failed logins: 11783
Number of failed authentications: 41679
What exactly is the difference between the two? Man page isn't much of a help either:
-l, --login Report about logins
-au, --auth Report about authentication attempts
What is the difference between Failed Authentications and Failed Logins? I looked in all documents I could find but none explained the difference.
UPDATE:
I have done some testing, and here are my findings so far:
trying to ssh into a box using an incorrect username, generates 1 failed login and 3 failed authentications.
trying to ssh into a box using a correct username, but an incorrect password, generates 1 failed login and 2 failed authentications.
I'm still looking into this..
linux security audit
closed as off-topic by Jeff Schaller, GAD3R, steve, shirish, roaima May 20 at 22:17
This question appears to be off-topic. The users who voted to close gave this specific reason:
- "This question has been posted on multiple sites. Cross-posting is strongly discouraged; see the help center and community FAQ for more information." – Jeff Schaller, GAD3R, steve, shirish, roaima
Crossposted: askubuntu.com/questions/1037940/… – ubashu, May 19 at 3:47
edited May 20 at 14:35
Jeff Schaller
asked May 19 at 2:22
rootameen
1 Answer
Alright I believe I've cracked this:
On a successful login, you generate 1 login and 2 authentications (One for PAM, and one for sshd):
type=USER_AUTH msg=audit(1526764807.252:118047): pid=25901 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_unix acct="root" exe="/usr/sbin/sshd" hostname=172.16.1.10 addr=172.16.1.10 terminal=ssh res=success'
type=USER_AUTH msg=audit(1526764807.261:118050): pid=25901 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=success acct="root" exe="/usr/sbin/sshd" hostname=? addr=172.16.1.10 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1526764807.488:118058): pid=25907 uid=0 auid=0 ses=16568 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=172.16.1.10 addr=172.16.1.10 terminal=/dev/pts/1 res=success'
However, on a failed login, it depends on many factors, in my case, I did a login with an incorrect username, and supplied a password. This generated 1 login failure, and 3 authentication failure messages (1 for Public Key attempt, 1 for password, and 1 for sshd):
type=USER_AUTH msg=audit(1526765733.046:118093): pid=27246 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="incorrectuser" exe="/usr/sbin/sshd" hostname=? addr=172.16.1.101 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1526765734.217:118094): pid=27246 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="incorrectuser" exe="/usr/sbin/sshd" hostname=172.16.1.101 addr=172.16.1.101 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1526765736.654:118095): pid=27246 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=password acct="incorrectuser" exe="/usr/sbin/sshd" hostname=? addr=172.16.1.101 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1526765737.144:118101): pid=27246 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="incorrectuser" exe="/usr/sbin/sshd" hostname=? addr=172.16.1.101 terminal=ssh res=failed'
So basically, if I omit the use of public key by enforcing password login with ssh option, I get only two authentication messages, instead of three.
I'm marking this as Solved. However, if someone has any reference document where it dives more into this, I'd be more than happy to have it.
answered May 19 at 22:03
rootameen
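The following Python is an added example, not code from the post or from the audit project. It tallies the USER_AUTH and USER_LOGIN records quoted in the answer, on the assumption (suggested by the answer's observations) that aureport's "failed authentications" and "failed logins" correspond to those two record types with res=failed. The function names are hypothetical and the sample records are abridged from the answer (subj= field dropped).

```python
import re
from collections import defaultdict

# Records abridged from the ones quoted in the answer (subj= field dropped).
SAMPLE = """\
type=USER_AUTH msg=audit(1526764807.252:118047): pid=25901 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_unix acct="root" exe="/usr/sbin/sshd" hostname=172.16.1.10 addr=172.16.1.10 terminal=ssh res=success'
type=USER_AUTH msg=audit(1526764807.261:118050): pid=25901 uid=0 auid=4294967295 ses=4294967295 msg='op=success acct="root" exe="/usr/sbin/sshd" hostname=? addr=172.16.1.10 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1526764807.488:118058): pid=25907 uid=0 auid=0 ses=16568 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=172.16.1.10 addr=172.16.1.10 terminal=/dev/pts/1 res=success'
type=USER_AUTH msg=audit(1526765733.046:118093): pid=27246 uid=0 auid=4294967295 ses=4294967295 msg='op=pubkey acct="incorrectuser" exe="/usr/sbin/sshd" hostname=? addr=172.16.1.101 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1526765734.217:118094): pid=27246 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="incorrectuser" exe="/usr/sbin/sshd" hostname=172.16.1.101 addr=172.16.1.101 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1526765736.654:118095): pid=27246 uid=0 auid=4294967295 ses=4294967295 msg='op=password acct="incorrectuser" exe="/usr/sbin/sshd" hostname=? addr=172.16.1.101 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1526765737.144:118101): pid=27246 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="incorrectuser" exe="/usr/sbin/sshd" hostname=? addr=172.16.1.101 terminal=ssh res=failed'
""".splitlines()

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
INNER = re.compile(r"msg='(.*)'\s*$")          # user-space payload in single quotes
PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value, value optionally quoted


def parse_record(line):
    """Split one audit record into a flat dict of header, outer and inner fields."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    inner = INNER.search(body)
    outer = body[:inner.start()] if inner else body
    fields = {k: v.strip('"') for k, v in PAIR.findall(outer)}
    if inner:
        fields.update({k: v.strip('"') for k, v in PAIR.findall(inner.group(1))})
    fields.update(type=rtype, time=float(ts), serial=int(serial))
    return fields


def summarize(lines):
    """Return (totals, failed_attempts) for USER_AUTH / USER_LOGIN records.

    failed_attempts is keyed by (pid, addr, acct), i.e. one sshd connection,
    and lists which authentication ops failed before the login was refused.
    """
    totals = defaultdict(int)
    attempts = defaultdict(lambda: {"auth_ops": [], "logins": 0})
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["type"] not in ("USER_AUTH", "USER_LOGIN"):
            continue
        kind = "auth" if rec["type"] == "USER_AUTH" else "login"
        failed = rec.get("res") == "failed"
        totals[f"{kind}_{'failed' if failed else 'ok'}"] += 1
        if failed:
            key = (rec["pid"], rec.get("addr"), rec.get("acct"))
            if kind == "auth":
                attempts[key]["auth_ops"].append(rec.get("op"))
            else:
                attempts[key]["logins"] += 1
    return dict(totals), dict(attempts)


if __name__ == "__main__":
    totals, attempts = summarize(SAMPLE)
    print(totals)
    for key, info in attempts.items():
        print(key, info)
```

On this sample the single failed connection contributes one failed login but one failed authentication per op recorded, which matches the 1-to-3 ratio reported in the answer.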