PAM misconfiguration for auditd results in audit trail loss

Bug #1291661 reported by Michael S. Fischer
Affects           Status         Importance   Assigned to   Milestone
audit (Ubuntu)    Fix Released   Undecided    Unassigned
Precise           Won't Fix      Low          Unassigned
Quantal           Won't Fix      Low          Unassigned

Bug Description

The auditd package included in Debian Wheezy and Ubuntu 12.04 LTS (and probably other Debian and Ubuntu releases as well) adds pam_loginuid.so to the /etc/pam.d/common-session and /etc/pam.d/common-session-noninteractive PAM sub-configuration files. These sub-configuration files are in turn included by reference in the /etc/pam.d/su and /etc/pam.d/sudo files. This results in pam_loginuid.so being included when the user context is switched by running su or sudo.

The man page for pam_loginuid, however, warns us not to do that, as this will cause the original user context to be lost in the audit logs (emphasis mine):

       The pam_loginuid module sets the loginuid process attribute for the process that was authenticated. This is necessary for applications to
       be correctly audited. This PAM module should only be used for entry point applications like: login, sshd, gdm, vsftpd, crond and atd. There
       are probably other entry point applications besides these. You should not use it for applications like sudo or su as that defeats the
       purpose by changing the loginuid to the account they just switched to.

The fix, of course, is never to add pam_loginuid.so to any common PAM configuration file - or to exclude common-session and common-session-noninteractive from /etc/pam.d/su and /etc/pam.d/sudo, replacing it with the respective files' constituent lines, but without pam_loginuid.so.
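A defender-side check for the condition described in this report, added here as an example and not part of the bug report or the audit package: it walks a PAM directory, follows `@include` and `type include` directives, and reports every non-entry-point service (su, sudo, the common-* files themselves) through which pam_loginuid.so is loaded. The sample /etc/pam.d tree is constructed inline to mirror the misconfiguration; the entry-point list is the one named in pam_loginuid(8).

```python
import os
import re
import tempfile

# Constructed sample /etc/pam.d tree mirroring the report: auditd put
# pam_loginuid.so into the common-session files, and su/sudo include them.
SAMPLE_PAMD = {
    "common-session": "session required pam_unix.so\nsession required pam_loginuid.so\n",
    "common-session-noninteractive": "session required pam_unix.so\nsession required pam_loginuid.so\n",
    "su": "auth sufficient pam_rootok.so\n@include common-auth\n@include common-session\n",
    "sudo": "@include common-auth\n@include common-session-noninteractive\n",
    "sshd": "@include common-auth\nsession required pam_loginuid.so\n@include common-session\n",
}
# Entry-point applications where pam_loginuid(8) says the module belongs.
ENTRY_POINTS = {"login", "sshd", "gdm", "vsftpd", "crond", "atd"}

def loginuid_sources(pamd, service, _seen=None):
    """Return [(file, line_no)] where pam_loginuid.so is reached from `service`."""
    _seen = set() if _seen is None else _seen
    path = os.path.join(pamd, service)
    if service in _seen or not os.path.isfile(path):
        return []  # include cycle, or an include that is absent from the tree
    _seen.add(service)
    found = []
    with open(path) as fh:
        for no, raw in enumerate(fh, 1):
            line = raw.split("#", 1)[0].strip()  # drop comments
            m = re.match(r"(?:@include\s+(\S+)|\S+\s+include\s+(\S+))$", line)
            if m:  # '@include file' or 'session include file'
                found += loginuid_sources(pamd, m.group(1) or m.group(2), _seen)
            elif "pam_loginuid.so" in line.split():
                found.append((service, no))
    return found

def audit_pamd(pamd):
    """Map each non-entry-point file that loads pam_loginuid.so to where it comes from."""
    return {svc: srcs for svc in sorted(os.listdir(pamd))
            if svc not in ENTRY_POINTS and (srcs := loginuid_sources(pamd, svc))}

def run_sample():
    """Write the constructed tree to a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in SAMPLE_PAMD.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write(body)
        return audit_pamd(d)

if __name__ == "__main__":
    for svc, srcs in run_sample().items():
        print(f"{svc}: pam_loginuid.so loaded via {srcs}")
```

Pointing audit_pamd at a real /etc/pam.d gives the same report for the host; an empty result for su and sudo means the loginuid is preserved across privilege switches.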

Jamie Strandboge (jdstrand) wrote :

I can confirm that Ubuntu 12.04 and 12.10 have 'session required pam_loginuid.so' in common-session and common-session-noninteractive as a result of installing auditd.

FYI, Ubuntu 13.10 and 14.04 have 'session required pam_loginuid.so' in sshd only (unrelated to auditd).

Jamie Strandboge (jdstrand) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. For the affected releases of Ubuntu, this package is in universe and is community maintained. We discussed this issue with the Debian maintainer and do not feel it warrants a security update.

However, since it is community maintained you have the option of posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Thanks again

information type: Private Security → Public Security
Changed in audit (Ubuntu):
status: New → Incomplete
status: Incomplete → Fix Released
Changed in audit (Ubuntu Precise):
status: New → Incomplete
Changed in audit (Ubuntu Quantal):
status: New → Incomplete
Changed in audit (Ubuntu Precise):
importance: Undecided → Low
Changed in audit (Ubuntu Quantal):
importance: Undecided → Low
Rolf Leggewie (r0lf) wrote :

Quantal has seen the end of its life and is no longer receiving any updates. Marking the Quantal task for this ticket as "Won't Fix".

Changed in audit (Ubuntu Quantal):
status: Incomplete → Won't Fix
Steve Langasek (vorlon) wrote :

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release.

Changed in audit (Ubuntu Precise):
status: Incomplete → Won't Fix