Login Detection Ques

[djgrover101-debug]

I am working on detecting successful user login events on Linux systems using eBPF, and I’m facing reliability issues when relying on user-space authentication libraries (PAM).

Current approach

• I attach uprobes to pam_authenticate() (entry + exit).
• This works only when:
  • PAM is enabled
  • PAM is correctly configured
  • The service actually uses PAM

Problem
In real environments:

• PAM may be disabled, misconfigured, or not used at all
• Some services authenticate users via non-PAM mechanisms
• PAM may return failure (e.g. ret = 7), yet:
  • Authentication succeeds via another module
  • A real login session is established
• This results in false negatives: genuine logins are reported as failed

Additionally, user-space hooks are fragile due to:

• PAM module replacement
• Non-standard library paths
• LD_PRELOAD / library path manipulation
• Services statically linked or using custom auth code

What I’m trying to achieve
I understand that:

• The kernel does not know authentication semantics (password success/failure)
• Authentication itself is a user-space concern

However, I want to know:

1. Is there a kernel-level, service-agnostic way to reliably identify that a real login session has occurred (SSH, FTP, console, etc.), without purely relying on user-space authentication libraries?

2. Are there kernel signals or state transitions (e.g. credential changes, session creation, process ancestry, TTY allocation, audit hooks, etc.) that can be used to infer a successful login, even though the kernel does not perform authentication?

3. From a design perspective:

   • Is it expected that one must hook multiple user-space authentication frameworks (PAM, custom modules, application-specific auth)?
   • Or is there a common convergence point (kernel or otherwise) that services eventually reach after successful authentication?

4. Can we use user space and kernel level things together and series of event capturing to make a concrete function?

Goal
The goal is to build a robust, low-false-negative login detection mechanism that:

• Works across different services (SSH, FTP, others)
• Is resilient to user-space bypasses
• Minimizes reliance on fragile user-space hooks

I’m looking for design guidance, not a specific implementation.