PAM misconfiguration for auditd results in audit trail loss
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| audit (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Precise | Won't Fix | Low | Unassigned | |
| Quantal | Won't Fix | Low | Unassigned | |
Bug Description
The auditd package included in Debian Wheezy and Ubuntu 12.04 LTS (and probably other Debian and Ubuntu releases as well) adds pam_loginuid.so to the /etc/pam.
The man page for pam_loginuid, however, warns us not to do that, as this will cause the original user context to be lost in the audit logs (emphasis mine):
The pam_loginuid module sets the loginuid process attribute for the process that was authenticated. This is necessary for applications to be correctly audited. This PAM module should only be used for entry point applications like: login, sshd, gdm, vsftpd, crond and atd. There are probably other entry point applications besides these. You should not use it for applications like sudo or su as that defeats the purpose by changing the loginuid to the account they just switched to.
The fix, of course, is never to add pam_loginuid.so to any common PAM configuration file - or to exclude common-session and common-
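The following is an added example, not part of this bug report or the auditd package: a small POSIX shell check that scans a pam.d directory for active pam_loginuid.so lines in the shared common-* files, which is exactly the placement the pam_loginuid man page warns against. The directory is passed as an argument so the check can be run against a real /etc/pam.d or against the constructed sample layouts built below, which mirror the state described for Ubuntu 12.04/12.10 after installing auditd. Function names and sample file contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the bug report or the auditd package): report
# pam_loginuid.so entries in shared "common-*" PAM include files, where the
# module causes loginuid to be overwritten on every su/sudo session instead
# of only at the login entry point. Returns 0 when clean, 1 when misplaced
# entries were found; each offending file is printed on its own line.
check_pam_loginuid_placement() {
    pamdir="$1"
    found=0
    for f in "$pamdir/common-session" "$pamdir/common-session-noninteractive" \
             "$pamdir/common-auth" "$pamdir/common-account" "$pamdir/common-password"; do
        [ -f "$f" ] || continue
        # Only active (uncommented) session lines that load pam_loginuid.so count.
        if grep -Eq '^[[:space:]]*session[[:space:]].*pam_loginuid\.so' "$f"; then
            echo "misplaced: $f loads pam_loginuid.so (see pam_loginuid(8))"
            found=1
        fi
    done
    return $found
}

# Constructed pam.d layout reproducing the misconfiguration this bug describes:
# pam_loginuid.so present in both common-session files.
make_sample_pamd() {
    d=$(mktemp -d)
    printf 'session required pam_unix.so\nsession required pam_loginuid.so\n' > "$d/common-session"
    printf 'session required pam_unix.so\nsession required pam_loginuid.so\n' > "$d/common-session-noninteractive"
    # sshd is an entry-point application, so the module belongs here.
    printf 'session required pam_loginuid.so\n' > "$d/sshd"
    echo "$d"
}

# Constructed clean layout: pam_loginuid.so only in an entry-point service,
# with a commented-out line in a common file that must not trigger a report.
make_clean_pamd() {
    d=$(mktemp -d)
    printf 'session required pam_unix.so\n' > "$d/common-session"
    printf '# session required pam_loginuid.so\n' > "$d/common-session-noninteractive"
    printf 'session required pam_loginuid.so\n' > "$d/sshd"
    echo "$d"
}

# Stand-alone demonstration on the constructed misconfigured layout.
sample=$(make_sample_pamd)
if check_pam_loginuid_placement "$sample"; then
    echo "no misplaced pam_loginuid.so entries in $sample"
else
    echo "audit trail at risk: fix the files listed above"
fi
rm -rf "$sample"
```

To check a live system, call check_pam_loginuid_placement /etc/pam.d; a non-zero exit status with the file list on stdout is what a configuration-compliance job would key on. Commented-out lines are deliberately ignored so that a disabled entry does not raise a false alarm.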
I can confirm that Ubuntu 12.04 and 12.10 have 'session required pam_loginuid.so' in common-session and common-session-noninteractive as a result of installing auditd.
FYI, Ubuntu 13.10 and 14.04 have 'session required pam_loginuid.so' in sshd only (unrelated to auditd).