ISST-LTE: pVM: aureport couldn't get the right auid from the audit log on ubuntu16.04

Bug #1724152 reported by bugproxy on 2017-10-17
Affects | Importance | Assigned to
The Ubuntu-power-systems project | Medium | Ubuntu Security Team
audit (Ubuntu) | Medium | Unassigned
Xenial | Medium | Tyler Hicks
Zesty | Medium | Tyler Hicks

Bug Description

[Impact]

The aureport command, part of the audit userspace utilities, incorrectly reports the user id of successful logins. "-1" is printed instead of the expected user id.

[Test Case]

As root, run `login`. Proceed as follows:

1. Login with a blank username and any password
2. Login with an invalid username and any password
3. Login with a valid username and an invalid password
4. Login with a valid username and a valid password
5. Exit from the login shell
6. Run `aureport -l` and examine the last four login records

An unpatched aureport will print the following:

============================================
# date time auid host term exe success event
============================================
...
2. 10/17/2017 23:45:32 UNKNOWN ? /dev/pts/8 /bin/login no 97
3. 10/17/2017 23:45:39 UNKNOWN ? /dev/pts/8 /bin/login no 99
4. 10/17/2017 23:45:45 tyhicks ? /dev/pts/8 /bin/login no 101
5. 10/17/2017 23:45:49 -1 ? /dev/pts/8 /bin/login yes 107

A patched aureport will print the correct output:

Login Report
============================================
# date time auid host term exe success event
============================================
...
2. 10/17/2017 23:52:44 UNKNOWN ? /dev/pts/8 /bin/login no 165
3. 10/17/2017 23:52:52 UNKNOWN ? /dev/pts/8 /bin/login no 167
4. 10/17/2017 23:52:58 tyhicks ? /dev/pts/8 /bin/login no 169
5. 10/17/2017 23:53:02 1000 ? /dev/pts/8 /bin/login yes 175

Note the "1000" in the auid column on the #5 row. It should *not* be "-1".

[Regression Potential]

The regression potential is limited because the change only affects a single line of code, the fix comes from upstream, and the aureport utility is not critical.

[Original Report]

== Comment: #0 - Miao Tao Feng <email address hidden> - 2016-11-23 02:46:25 ==
While developing a new test case for audit, we found that the command "aureport -l" prints the wrong auid "-1" on Ubuntu 16.04; it should be 1000 according to the audit.log.

The following are details:

root@roselp2:~# aureport -l

Login Report
============================================
# date time auid host term exe success event
============================================
1. 11/23/2016 02:20:12 -1 10.33.24.118 /dev/pts/0 /usr/sbin/sshd yes 18

The auid "-1" on the above line should be "1000" according to the audit.log.

root@roselp2:~# grep ":18" /var/log/audit/audit.log
type=USER_LOGIN msg=audit(1479889212.292:18): pid=4177 uid=0 auid=1000 ses=4 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.33.24.118 addr=10.33.24.118 terminal=/dev/pts/0 res=success'

root@roselp2:~# dpkg -s auditd
Package: auditd
Status: install ok installed
Priority: extra
Section: admin
Installed-Size: 1051
Maintainer: Ubuntu Developers <email address hidden>
Architecture: ppc64el
Source: audit
Version: 1:2.4.5-1ubuntu2
Depends: lsb-base (>= 3.0-6), mawk | gawk, init-system-helpers (>= 1.18~), libaudit1 (>= 1:2.4.2), libauparse0 (>= 1:2.3.1), libc6 (>= 2.17)
Suggests: audispd-plugins

root@roselp2:~# uname -a
Linux roselp2 4.4.0-47-generic #68-Ubuntu SMP Wed Oct 26 19:38:24 UTC 2016 ppc64le ppc64le ppc64le GNU/Linux

root@roselp2:~# service auditd status
● auditd.service - Security Auditing Service
   Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor preset: e
   Active: active (running) since Wed 2016-11-23 02:19:21 CST; 19s ago
 Main PID: 4085 (auditd)
   CGroup: /system.slice/auditd.service
           └─4085 /sbin/auditd -n

Nov 23 02:19:21 roselp2 auditctl[4086]: enabled 0
Nov 23 02:19:21 roselp2 auditctl[4086]: failure 1
Nov 23 02:19:21 roselp2 auditctl[4086]: pid 0
Nov 23 02:19:21 roselp2 auditctl[4086]: rate_limit 0
Nov 23 02:19:21 roselp2 auditctl[4086]: backlog_limit 320
Nov 23 02:19:21 roselp2 auditctl[4086]: lost 0
Nov 23 02:19:21 roselp2 auditctl[4086]: backlog 0
Nov 23 02:19:21 roselp2 auditctl[4086]: backlog_wait_time 15000
Nov 23 02:19:21 roselp2 systemd[1]: Started Security Auditing Service.
Nov 23 02:19:21 roselp2 auditd[4085]: Init complete, auditd 2.4.5 listening for

Please cherry pick https://github.com/linux-audit/audit-userspace/commit/25097d64344828a80acf681da5c1dacc4ea3c069
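
The cross-check the original report does by hand (an `aureport -l` row against the raw `USER_LOGIN` record), as an added Python example that is not part of the bug report or of audit-userspace. The function names are hypothetical, the second log record and second report row are constructed, and an auid of 4294967295 is treated as unset.

```python
import re

UNSET_AUID = 4294967295  # (uid_t)-1, the kernel's "no login uid" value
HEADER = re.compile(r"^type=(\S+) msg=audit\(\d+\.\d+:(\d+)\): (.*)$")
PAIR = re.compile(r"(\w+)=(?:'([^']*)'|\"([^\"]*)\"|(\S+))")


def fields(text):
    """Split key=value pairs; quoted values lose one layer of quotes."""
    return {k: sq or dq or bare for k, sq, dq, bare in PAIR.findall(text)}


def parse_user_login(line):
    """Return serial, auid and result of a USER_LOGIN record, else None."""
    m = HEADER.match(line.strip())
    if not m or m.group(1) != "USER_LOGIN":
        return None
    outer = fields(m.group(3))            # pid, uid, auid, ses, msg
    inner = fields(outer.get("msg", ""))  # op, id or acct, exe, ..., res
    auid = int(outer.get("auid", UNSET_AUID))
    return {"serial": int(m.group(2)), "success": inner.get("res") == "success",
            "auid": None if auid == UNSET_AUID else auid}


def misreported(report_rows, log_lines):
    """Events where `aureport -l` shows -1 but the raw record has an auid."""
    raw = {r["serial"]: r for r in map(parse_user_login, log_lines) if r}
    bad = []
    for row in report_rows:
        col = row.split()  # "#. date time auid host term exe success event"
        if len(col) != 9 or col[3] != "-1" or col[7] != "yes":
            continue
        rec = raw.get(int(col[8]))  # exact serial; grep ":18" also hits ":180"
        if rec and rec["success"] and rec["auid"] is not None:
            bad.append((rec["serial"], rec["auid"]))
    return bad


# LOG[0] and REPORT[0] are from the bug report; LOG[1] and REPORT[1] are constructed.
LOG = [
    "type=USER_LOGIN msg=audit(1479889212.292:18): pid=4177 uid=0 auid=1000 ses=4 msg='op=login id=1000 exe=\"/usr/sbin/sshd\" hostname=10.33.24.118 addr=10.33.24.118 terminal=/dev/pts/0 res=success'",
    "type=USER_LOGIN msg=audit(1479889300.101:180): pid=4301 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=\"root\" exe=\"/usr/sbin/sshd\" hostname=? addr=10.33.24.118 terminal=sshd res=failed'",
]
REPORT = [
    "1. 11/23/2016 02:20:12 -1 10.33.24.118 /dev/pts/0 /usr/sbin/sshd yes 18",
    "2. 11/23/2016 02:21:40 root 10.33.24.118 sshd /usr/sbin/sshd no 180",
]

if __name__ == "__main__":
    print(misreported(REPORT, LOG))  # [(18, 1000)]
```

A non-empty result on real data means the report and the log disagree for a successful login, which is the symptom described in this bug.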

bugproxy (bugproxy) on 2017-10-17
tags: added: architecture-ppc64le bugnameltc-149041 severity-medium targetmilestone-inin---
Changed in ubuntu:
assignee: nobody → Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage)
affects: ubuntu → audit (Ubuntu)
Changed in ubuntu-power-systems:
importance: Undecided → Medium
assignee: nobody → Canonical Security Team (canonical-security)
Tyler Hicks (tyhicks) wrote :

I have verified this bug on Ubuntu 17.04 and Ubuntu 16.04 LTS. It does not affect Ubuntu 17.10 (artful) as the audit package is new enough in that release to have received the upstream fix.

While performing the backport of the fix, I noticed that the code comments around the area of the code that was modified were at odds with the code changes. After determining that the code was correct and the comments were incorrect, I opened an upstream pull request to fix the comments:

  https://github.com/linux-audit/audit-userspace/pull/30

I'll proceed with only the code changes and leave the incorrect comment for the purposes of this SRU.

Changed in audit (Ubuntu):
assignee: Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage) → Tyler Hicks (tyhicks)
status: New → In Progress
importance: Undecided → Medium
Changed in audit (Ubuntu Xenial):
assignee: nobody → Tyler Hicks (tyhicks)
Changed in audit (Ubuntu Zesty):
assignee: nobody → Tyler Hicks (tyhicks)
Changed in audit (Ubuntu Xenial):
status: New → In Progress
Changed in audit (Ubuntu Zesty):
status: New → In Progress
Changed in audit (Ubuntu):
status: In Progress → Invalid
assignee: Tyler Hicks (tyhicks) → nobody
Tyler Hicks (tyhicks) on 2017-10-18
Changed in audit (Ubuntu Xenial):
importance: Undecided → Medium
Changed in audit (Ubuntu Zesty):
importance: Undecided → Medium
Tyler Hicks (tyhicks) on 2017-10-18
description: updated
Tyler Hicks (tyhicks) wrote :

Fixes have been uploaded to Ubuntu 17.04 and Ubuntu 16.04 LTS and should be accepted into the respective -proposed pockets soon. I'd greatly appreciate it if IBM could verify the fixes once they've been accepted. There will be an automated message posted at that time instructing anyone interested about how to enable -proposed and verify the fix. Thanks!

Changed in ubuntu-power-systems:
status: New → In Progress
Tyler Hicks (tyhicks) on 2017-10-18
Changed in ubuntu-power-systems:
assignee: Canonical Security Team (canonical-security) → Ubuntu Security Team (ubuntu-security)

Hello bugproxy, or anyone else affected,

Accepted audit into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/audit/1:2.6.6-1ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-zesty to verification-done-zesty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-zesty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in audit (Ubuntu Zesty):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-zesty
Changed in audit (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed-xenial
Brian Murray (brian-murray) wrote :

Hello bugproxy, or anyone else affected,

Accepted audit into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/audit/1:2.4.5-1ubuntu2.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

------- Comment From <email address hidden> 2017-11-10 03:35 EDT-------
Pavithra, can you please verify this issue on 17.04 and 16.04 LTS?

Manoj Iyer (manjo) on 2017-11-13
Changed in ubuntu-power-systems:
status: In Progress → Fix Committed
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2017-12-05 03:51 EDT-------
(In reply to comment #14)
> (In reply to comment #13)
> > (In reply to comment #11)
> > > Pavithra, Canonical has asked for an update. Could you verify the fix?
> > > Thanks.
> >
> > Can you please give the steps to recreate. I have not tested this before.
> >
> > root@ltc-garri3:~# aureport -l
> >
> > Login Report
> > ============================================
> > # date time auid host term exe success event
> > ============================================
> > <no events of interest were found>
> >
> >
> > Thanks,
> > Pavithra
>
> Recreation steps
>
> 1. start the auditd service
>
> service auditd start
>
> 2. login and logout to the machine using ssh and that will log ssh login
> events in aureport.
>
> 3. Do aureport -l and check for auid

Below is the output on 17.04 machine.

ubuntu@ltc-garri3:~$ uname -a
Linux ltc-garri3 4.10.0-38-generic #42-Ubuntu SMP Tue Oct 10 13:22:54 UTC 2017 ppc64le ppc64le ppc64le GNU/Linux

root@ltc-garri3:/home/ubuntu# aureport -l

Login Report
============================================
# date time auid host term exe success event
============================================
1. 12/04/2017 22:29:35 root 9.124.35.113 sshd /usr/sbin/sshd no 134
2. 12/04/2017 22:32:46 root 9.124.35.113 sshd /usr/sbin/sshd no 135
3. 12/04/2017 22:32:51 root 9.124.35.113 sshd /usr/sbin/sshd no 137
4. 12/04/2017 22:32:56 root 9.124.35.113 sshd /usr/sbin/sshd no 139
5. 12/04/2017 22:33:01 root 9.124.35.113 sshd /usr/sbin/sshd no 140
6. 12/04/2017 22:33:05 root 9.124.35.113 sshd /usr/sbin/sshd no 142
7. 12/04/2017 22:33:10 root 9.124.35.113 sshd /usr/sbin/sshd no 144
8. 12/04/2017 22:50:04 root 9.79.212.207 sshd /usr/sbin/sshd no 158
9. 12/04/2017 22:50:10 root 9.79.212.207 sshd /usr/sbin/sshd no 160
10. 12/04/2017 22:50:16 root 9.79.212.207 sshd /usr/sbin/sshd no 162
11. 12/04/2017 23:12:03 ubuntu 9.124.35.113 sshd /usr/sbin/sshd no 169
12. 12/04/2017 23:12:06 -1 9.124.35.113 /dev/pts/0 /usr/sbin/sshd yes 176
13. 12/04/2017 23:40:23 ubuntu 9.124.35.113 sshd /usr/sbin/sshd no 223
14. 12/05/2017 00:28:24 ubuntu 9.124.35.113 sshd /usr/sbin/sshd no 313
15. 12/05/2017 00:28:27 -1 9.124.35.113 /dev/pts/0 /usr/sbin/sshd yes 320
16. 12/05/2017 00:28:56 ubuntu 9.124.35.113 sshd /usr/sbin/sshd no 330
17. 12/05/2017 00:28:58 -1 9.124.35.113 /dev/pts/0 /usr/sbin/sshd yes 337
18. 12/05/2017 02:46:14 root 9.109.212.222 sshd /usr/sbin/sshd no 384
19. 12/05/2017 02:46:27 root 9.109.212.222 sshd /usr/sbin/sshd no 386
20. 12/05/2017 02:46:31 root 9.109.212.222 sshd /usr/sbin/sshd no 388
21. 12/05/2017 02:46:36 root 9.109.212.222 sshd /usr/sbin/sshd no 390
22. 12/05/2017 02:46:45 ubuntu 9.109.212.222 sshd /usr/sbin/sshd no 391
23. 12/05/2017 02:46:49 -1 9.109.212.222 /dev/pts/1 /usr/sbin/sshd yes 398
24. 12/05/2017 02:48:22 ubuntu 9.109.212.222 sshd /usr/sbin/sshd no 409
25. 12/05/2017 02:48:27 -1 9.109.212.222 /dev/pts/2 /usr/sbin/sshd yes 416
26. 12/05/2017 02:48:33 ubuntu 9.109.212.222 sshd /usr/sbin/sshd no 419
27. 12/05/2017 02:48:37 -1 9.109.212.222 /dev/pts/2 /usr/sbin/sshd yes 426

Thanks,
Pavithra

------- Comment From <email address hidden> 2017-12-08 03:27 EDT-------
marki...


Tyler Hicks (tyhicks) wrote :

@Pavithra Hello! I believe that your `aureport -l` is showing that the bug is not fixed although I suspect that you did not install the auditd package from zesty-proposed. Can you reply with the version of auditd that was installed when you ran aureport?

It should be version 1:2.6.6-1ubuntu1.1 which can be installed by enabling the proposed pocket:

  https://wiki.ubuntu.com/Testing/EnableProposed

Thanks!
