Add libaudit support
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Light Display Manager |
Fix Released
|
Medium
|
Unassigned | ||
1.10 |
Fix Committed
|
Medium
|
Unassigned | ||
1.14 |
Fix Released
|
Medium
|
Unassigned | ||
1.16 |
Fix Released
|
Medium
|
Unassigned | ||
1.2 |
Won't Fix
|
Medium
|
Unassigned | ||
lightdm (Ubuntu) |
Fix Released
|
Medium
|
Unassigned | ||
Trusty |
Triaged
|
Medium
|
Unassigned | ||
Vivid |
Won't Fix
|
Medium
|
Unassigned | ||
Wily |
Fix Released
|
Medium
|
Unassigned | ||
openssh (Debian) |
Fix Released
|
Unknown
|
|||
openssh (Ubuntu) |
Fix Released
|
Medium
|
Unassigned | ||
Trusty |
Fix Released
|
Medium
|
Mathieu Trudel-Lapierre | ||
Vivid |
Won't Fix
|
Low
|
Unassigned | ||
Wily |
Fix Released
|
Medium
|
Unassigned | ||
shadow (Ubuntu) |
Fix Released
|
Medium
|
Unassigned | ||
Trusty |
Fix Released
|
Medium
|
Mathieu Trudel-Lapierre | ||
Vivid |
Won't Fix
|
Low
|
Unassigned | ||
Wily |
Fix Released
|
Medium
|
Unassigned |
Bug Description
[Impact]
Auditing support is a commonly used feature in large enterprises, and allows better tracking of actions happening on secured systems, especially when it comes to accounting for login events.
Such systems fail to correctly list login events in aureport due to some software not integrating libaudit.
[Test Case]
1) Install auditd
2) Login to the system multiple times (or allow for others to connect to the system)
3) Run aureport -l
System should list login information.
[Regression Potential]
There is minimal risk for issues since libaudit support only allows for generating extra logging saved on the local system. A possible side-effect of this may be that systems on which auditing is enabled and where there are many users of the affected software (see bug tasks), such as many logins over SSH, there may be an increased demand on disk space necessary for the auditing data.
---
-- Problem Description --
We installed ubuntu 14.04.3 on lakelp1 and installed package auditd. We tried to
ssh to lakelp1 several times and found that "aureport -l" couldn't print out the login
info.
root@lakelp1:~# /etc/init.d/auditd status
* auditd is running.
root@lakelp1:~# auditctl -e 1
AUDIT_STATUS: enabled=1 flag=1 pid=38784 rate_limit=0 backlog_limit=320 lost=12 backlog=1
root@lakelp1:~# grep -i login /var/log/
type=LOGIN msg=audit(
type=LOGIN msg=audit(
type=LOGIN msg=audit(
type=LOGIN msg=audit(
type=LOGIN msg=audit(
root@lakelp1:~# aureport -l
Login Report
=======
# date time auid host term exe success event
=======
<no events of interest were found>
This looks like a bug in aureport or libaudit. In addition to giving admins falsely empty record selections, this would prevent successful completion of a Common Criteria certification.
Related branches
- Robert Ancell: Approve
- PS Jenkins bot: Needs Fixing (continuous-integration)
-
Diff: 157 lines (+68/-0)6 files modifiedconfigure.ac (+17/-0)
debian/changelog (+15/-0)
debian/control (+1/-0)
debian/lightdm.lightdm-autologin.pam (+1/-0)
debian/lightdm.pam (+1/-0)
src/session-child.c (+33/-0)
tags: | added: architecture-ppc64le bugnameltc-127965 severity-critical targetmilestone-inin--- |
affects: | ubuntu → audit (Ubuntu) |
Changed in audit (Ubuntu): | |
assignee: | nobody → Taco Screen team (taco-screen-team) |
tags: |
added: targetmilestone-inin14043 removed: targetmilestone-inin--- |
tags: |
added: severity-high targetmilestone-inin1510 removed: severity-critical targetmilestone-inin14043 |
no longer affects: | audit (Ubuntu Trusty) |
no longer affects: | audit (Ubuntu Vivid) |
no longer affects: | audit (Ubuntu Wily) |
Changed in audit (Ubuntu): | |
status: | New → Invalid |
Changed in lightdm (Ubuntu Wily): | |
status: | New → Triaged |
Changed in lightdm (Ubuntu Vivid): | |
status: | New → Triaged |
Changed in lightdm (Ubuntu Trusty): | |
status: | New → Triaged |
Changed in openssh (Ubuntu Trusty): | |
status: | New → Triaged |
Changed in openssh (Ubuntu Vivid): | |
status: | New → Triaged |
Changed in openssh (Ubuntu Wily): | |
status: | New → Triaged |
Changed in shadow (Ubuntu Wily): | |
status: | New → Fix Released |
Changed in shadow (Ubuntu Vivid): | |
status: | New → Triaged |
Changed in shadow (Ubuntu Trusty): | |
status: | New → Triaged |
Changed in lightdm: | |
importance: | Undecided → Medium |
status: | New → Fix Committed |
milestone: | none → 1.17.0 |
Changed in lightdm (Ubuntu Trusty): | |
importance: | Undecided → Medium |
Changed in lightdm (Ubuntu Vivid): | |
importance: | Undecided → Medium |
Changed in lightdm (Ubuntu Wily): | |
importance: | Undecided → Medium |
summary: |
- ISST-LTE: aureport -l couldn't print out login info on ubuntu 14.04.3 + Add libaudit support |
Changed in audit (Ubuntu): | |
assignee: | Taco Screen team (taco-screen-team) → nobody |
tags: |
added: severity-medium removed: severity-high |
Changed in lightdm: | |
status: | Fix Committed → Fix Released |
Changed in openssh (Ubuntu Trusty): | |
assignee: | nobody → Mathieu Trudel-Lapierre (mathieu-tl) |
Changed in shadow (Ubuntu Trusty): | |
assignee: | nobody → Mathieu Trudel-Lapierre (mathieu-tl) |
description: | updated |
no longer affects: | audit (Ubuntu) |
Changed in openssh (Ubuntu): | |
importance: | Undecided → Medium |
Changed in shadow (Ubuntu): | |
importance: | Undecided → Medium |
Changed in openssh (Ubuntu Trusty): | |
importance: | Undecided → Medium |
Changed in openssh (Ubuntu Vivid): | |
importance: | Undecided → Low |
Changed in openssh (Ubuntu Wily): | |
importance: | Undecided → Medium |
Changed in shadow (Ubuntu Trusty): | |
importance: | Undecided → Medium |
Changed in shadow (Ubuntu Wily): | |
importance: | Undecided → Medium |
Changed in shadow (Ubuntu Vivid): | |
importance: | Undecided → Low |
Changed in openssh (Debian): | |
status: | Unknown → Fix Released |
tags: |
added: verification-done removed: verification-needed |
------- Comment From <email address hidden> 2015-07-28 21:47 EDT-------
Looks like LOGIN records are also omitted from ausearch (try ausearch -i). That seems to point to a libaudit issue.
Another strange thing is if it try to ltrace aureport or ausearch, it fails with a sigsegv.