Comment 18 for bug 1848330

Andreas Hasenack (ahasenack) wrote :

Since it's difficult to reproduce the bug, what I'm going to do is set up a system with the previous auditd, set up some rules, confirm they are working, then upgrade, and confirm it keeps working, also after a reboot.

# Bionic verification

auditd from bionic:
auditd:
  Installed: 1:2.8.2-1ubuntu1
  Candidate: 1:2.8.2-1ubuntu1
  Version table:
 *** 1:2.8.2-1ubuntu1 500
        500 http://br.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

Created a simple rule:
# cat /etc/audit/rules.d/30-shadow.rules
-w /etc/shadow -p wa -k shadow-changed

Loaded after restart:
# auditctl -l
-w /etc/shadow -p wa -k shadow-changed

Confirmed a change to the file gets logged:
# chmod 0400 /etc/shadow
#

/var/log/audit/auditd.log (parsed with ausearch -i):
type=PROCTITLE msg=audit(01/18/21 17:49:31.077:32) : proctitle=chmod 0400 /etc/shadow
type=PATH msg=audit(01/18/21 17:49:31.077:32) : item=0 name=/etc/shadow inode=64070 dev=fc:01 mode=file,640 ouid=root ogid=shadow rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(01/18/21 17:49:31.077:32) : cwd=/root
type=SYSCALL msg=audit(01/18/21 17:49:31.077:32) : arch=x86_64 syscall=fchmodat success=yes exit=0 a0=0xffffff9c a1=0x5577580dc1c0 a2=0400 a3=0x0 items=1 ppid=1499 pid=1992 auid=ubuntu uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=3 comm=chmod exe=/bin/chmod key=shadow-changed

Now updating the package:
# apt-cache policy auditd
auditd:
  Installed: 1:2.8.2-1ubuntu1.1
  Candidate: 1:2.8.2-1ubuntu1.1
  Version table:
 *** 1:2.8.2-1ubuntu1.1 500
        500 http://br.archive.ubuntu.com/ubuntu bionic-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     1:2.8.2-1ubuntu1 500
        500 http://br.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

(and its deps, like libaudit1, etc).

The same rule continues to be loaded:
# auditctl -l
-w /etc/shadow -p wa -k shadow-changed

Also after a manual restart:
# systemctl restart auditd
# auditctl -l
-w /etc/shadow -p wa -k shadow-changed

And changing /etc/shadow is logged (let's use 0640 this time):
# chmod 0640 /etc/shadow
#

log:
type=PROCTITLE msg=audit(01/18/21 17:54:51.942:56) : proctitle=chmod 0640 /etc/shadow
type=PATH msg=audit(01/18/21 17:54:51.942:56) : item=0 name=/etc/shadow inode=64070 dev=fc:01 mode=file,400 ouid=root ogid=shadow rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(01/18/21 17:54:51.942:56) : cwd=/root
type=SYSCALL msg=audit(01/18/21 17:54:51.942:56) : arch=x86_64 syscall=fchmodat success=yes exit=0 a0=0xffffff9c a1=0x563ae04471c0 a2=0640 a3=0x0 items=1 ppid=1499 pid=2845 auid=ubuntu uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=3 comm=chmod exe=/bin/chmod key=shadow-changed

I then rebooted the system, performed the same tests, and got the same results with the updated package.

It would be great if people who were affected by this bug, and can reasonably reproduce it, could test the packages from proposed. In the meantime, I'll mark this as verification succeeded.
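
An added example, not part of the original comment or of the audit project's code: a Python check that does mechanically what the comment does by eye, grouping `ausearch -i` records by event and confirming that a successful syscall tagged with the rule's key touched the watched path. The sample input is constructed from the two events quoted above with unused fields trimmed; `parse_fields` and `watch_hits` are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample: the two events from the comment, trimmed to the fields used below.
SAMPLE = """\
type=PROCTITLE msg=audit(01/18/21 17:49:31.077:32) : proctitle=chmod 0400 /etc/shadow
type=PATH msg=audit(01/18/21 17:49:31.077:32) : item=0 name=/etc/shadow inode=64070 mode=file,640 ouid=root
type=SYSCALL msg=audit(01/18/21 17:49:31.077:32) : syscall=fchmodat success=yes exit=0 a2=0400 auid=ubuntu uid=root comm=chmod key=shadow-changed
type=PROCTITLE msg=audit(01/18/21 17:54:51.942:56) : proctitle=chmod 0640 /etc/shadow
type=PATH msg=audit(01/18/21 17:54:51.942:56) : item=0 name=/etc/shadow inode=64070 mode=file,400 ouid=root
type=SYSCALL msg=audit(01/18/21 17:54:51.942:56) : syscall=fchmodat success=yes exit=0 a2=0640 auid=ubuntu uid=root comm=chmod key=shadow-changed
"""

# type=<T> msg=audit(<date time>:<serial>) : <fields>
RECORD = re.compile(r"^type=(\S+) msg=audit\((.+?):(\d+)\) : (.*)$")


def parse_fields(body):
    """Split 'k=v k=v'; a token without '=' continues the previous value (proctitle)."""
    fields, last = {}, None
    for tok in body.split():
        if "=" in tok:
            last, value = tok.split("=", 1)
            fields[last] = value
        elif last is not None:
            fields[last] += " " + tok
    return fields


def watch_hits(text, key, path):
    """One summary per event whose keyed SYSCALL succeeded and has a PATH for `path`."""
    events = defaultdict(list)  # (timestamp, serial) -> [(record type, fields)]
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            events[(m.group(2), m.group(3))].append((m.group(1), parse_fields(m.group(4))))
    hits = []
    for (_, serial), recs in events.items():
        sc = next((f for t, f in recs if t == "SYSCALL"), {})
        paths = [f for t, f in recs if t == "PATH" and f.get("name") == path]
        title = next((f for t, f in recs if t == "PROCTITLE"), {})
        if sc.get("key") == key and sc.get("success") == "yes" and paths:
            hits.append({"serial": int(serial), "syscall": sc.get("syscall"),
                         "auid": sc.get("auid"), "a2": sc.get("a2"),
                         "path_mode": paths[0].get("mode"),
                         "proctitle": title.get("proctitle")})
    return hits


if __name__ == "__main__":
    for hit in watch_hits(SAMPLE, "shadow-changed", "/etc/shadow"):
        print(hit)
```

In both quoted events the PATH record's `mode` is the file mode before the chmod, while `a2` of the `fchmodat` call carries the requested mode.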