Enable auditing in util-linux.

Bug #1722313 reported by Joy Latten on 2017-10-09
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
util-linux (Debian) | New | Unknown | |
util-linux (Ubuntu) | | Medium | Joy Latten |
Xenial | | Medium | Unassigned |
Zesty | | Medium | Unassigned |
Artful | | Medium | Unassigned |

Bug Description

[IMPACT]
Enable auditing in util-linux. The config option --with-audit enables auditing.

Only the hwclock and the login commands within the util-linux package have source code for auditing. But that source code is disabled by default and requires the config option --with-audit to enable it. The login command is neither built nor shipped in util-linux. Ubuntu uses the login command from shadow instead. Thus, only the hwclock command would be affected by this change.

The change would enable the hwclock command to generate an audit log message to /var/log/audit/audit.log whenever it changes the hardware clock. This message will only get logged to /var/log/audit/audit.log if the auditd daemon is running. Otherwise, if auditd is not running, like most log messages, it will get logged to /var/log/kern.log and/or /var/log/syslog if these services are enabled.

That hwclock generates an audit message when the hardware clock is changed is a requirement for Common Criteria EAL2 certification for Xenial.

[TEST]

This has been tested on both P8 and amd64 architectures. With the patch all the Common Criteria testcases pass for hwclock. Before this patch, the functional part of the testcase passed, but the check for the triggered audit records would fail. Attached the Common Criteria testcase below.

Also, the util-linux package has testcases that get run during the build. All of these pass. Pointer to build log below.

[REGRESSION POTENTIAL]
The regression potential for this should be small. This change does not take away from any current functionality. It just adds the ability to generate an audit entry when the system hardware clock is altered.

Joy Latten (j-latten) on 2017-10-09
summary: - Add "--with-audit" config option so that the hwclock command creates
- audit records when it is used to alter the hardware clock.
+ [SRU][xenial] Add "--with-audit" config option so that the hwclock
+ command creates an audit record when the hardware clock is altered.
Joy Latten (j-latten) wrote :

Comment #3 Should have read "Common Criteria EAL2 hwclock testcase".

description: updated
Joy Latten (j-latten) on 2017-10-10
summary: - [SRU][xenial] Add "--with-audit" config option so that the hwclock
- command creates an audit record when the hardware clock is altered.
+ [SRU][xenial] Enable auditing in util-linux.
Joy Latten (j-latten) on 2017-10-10
description: updated
tags: added: rls-aa-notfixing
Changed in util-linux (Debian):
status: Unknown → New
Joy Latten (j-latten) wrote :

Build logs and test runs can be found in the PPA at https://launchpad.net/~j-latten/+archive/ubuntu/joyppa/+packages

Please note, the versioning of the packages is incorrect in the PPA, my apologies. I did it correctly in the debdiff for each release that I have attached.

Comment #3 just contains the testcase I use to verify that the audit entry is created when the config option is enabled.

Joy Latten (j-latten) on 2017-11-09
Changed in util-linux (Ubuntu):
status: New → In Progress
Eric Desrochers (slashd) on 2017-11-09
Changed in util-linux (Ubuntu Xenial):
importance: Undecided → Medium
Changed in util-linux (Ubuntu):
importance: Undecided → Medium
Changed in util-linux (Ubuntu Zesty):
importance: Undecided → Medium
Changed in util-linux (Ubuntu Artful):
importance: Undecided → Medium
Eric Desrochers (slashd) on 2017-11-09
Changed in util-linux (Ubuntu):
assignee: nobody → Joy Latten (j-latten)
Joy Latten (j-latten) wrote :

I have also submitted a patch against a recent Debian version of this package to Debian. Just in case, I also noted the following in the Debian bug thread:

- The util-linux package is Priority: required and the libaudit1 package is Priority: optional.

Possibly this is no longer a problem, in reference to a change in Version 4.0.1 listed here:
https://www.debian.org/doc/packaging-manuals/upgrading-checklist.txt

Joy Latten (j-latten) on 2017-11-10
summary: - [SRU][xenial] Enable auditing in util-linux.
+ Enable auditing in util-linux.
Marc Deslauriers (mdeslaur) wrote :

ACK on the debdiffs, uploaded for processing by the SRU team with a couple of minor changelog changes: added bug number, fixed versioning.

Thanks!

Changed in util-linux (Ubuntu Xenial):
status: New → In Progress
Changed in util-linux (Ubuntu Zesty):
status: New → In Progress
Changed in util-linux (Ubuntu Artful):
status: New → In Progress
Changed in util-linux (Ubuntu):
status: In Progress → Fix Released

Hello Joy, or anyone else affected,

Accepted util-linux into artful-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/util-linux/2.30.1-0ubuntu4.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-artful to verification-done-artful. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-artful. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in util-linux (Ubuntu Artful):
status: In Progress → Fix Committed
Joy Latten (j-latten) wrote :

Generated an artful VM and verified that this is fixed in artful.

ubuntu@artfulguest:~$ cat /etc/os-release
NAME="Ubuntu"
VERSION="17.10 (Artful Aardvark)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 17.10"
VERSION_ID="17.10"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=artful
UBUNTU_CODENAME=artful

Altered the hwclock via: sudo hwclock --set --date "1/1/2000 00:00:00"

received following audit log message in appropriate log files when applicable.
type=USER_CMD msg=audit(1511896792.291:29): pid=3008 uid=1000 auid=1000 ses=2 msg='cwd="/home/ubuntu" cmd="hwclock" terminal=pts/0 res=success'

Joy Latten (j-latten) wrote :

Sorry, comment #13 had a cut-and-paste issue.

log message is,
type=USYS_CONFIG msg=audit(1511898182.500:184): pid=3305 uid=0 auid=1000 ses=2 msg='op=change-system-time exe="/sbin/hwclock" hostname=artfulguest addr=? terminal=pts/0 res=success'

Joy Latten (j-latten) wrote :

version of package verified on artful,

ubuntu@artfulguest:~$ dpkg -l | grep util-linux
ii util-linux 2.30.1-0ubuntu4.1 amd64 miscellaneous system utilities

Joy Latten (j-latten) on 2017-11-28
tags: added: verification-done-artful
Brian Murray (brian-murray) wrote :

Hello Joy, or anyone else affected,

Accepted util-linux into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/util-linux/2.27.1-6ubuntu3.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in util-linux (Ubuntu Xenial):
status: In Progress → Fix Committed
Changed in util-linux (Ubuntu Zesty):
status: In Progress → Fix Committed
Brian Murray (brian-murray) wrote :

Hello Joy, or anyone else affected,

Accepted util-linux into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/util-linux/2.29-1ubuntu2.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-zesty to verification-done-zesty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-zesty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Joy Latten (j-latten) wrote :

Verified on xenial on a P8 and a z13 zlpar.

From P8:
$ cat /etc/os-release
NAME="Ubuntu"
VERSION="16.04.3 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.3 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial

$ uname -a
Linux xxxx 4.4.0-87-generic #110-Ubuntu SMP Tue Jul 18 12:53:44 UTC 2017 ppc64le ppc64le ppc64le GNU/Linux

$ dpkg -l | grep util-linux
ii util-linux 2.27.1-6ubuntu3.4 ppc64el miscellaneous system utilities

resulting log message, after altering system clock,

type=USYS_CONFIG msg=audit(1512153890.632:29): pid=26156 uid=0 auid=1000 ses=998 msg='changing system time exe="/sbin/hwclock" hostname=? addr=? terminal=pts/0 res=success'

--------------------

Test on z-13 zlpar,

$ cat /etc/os-release
NAME="Ubuntu"
VERSION="16.04.3 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.3 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial

uname -a
Linux xxxx 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:35:14 UTC 2017 s390x s390x s390x GNU/Linux

ubuntu@s1lp12:~$ dpkg -l | grep util-linux
ii util-linux 2.27.1-6ubuntu3.4 s390x miscellaneous system utilities

$ /usr/bin/sudo hwclock --set --date "1/1/2000 00:00:00"
hwclock: Cannot access the Hardware Clock via any known method.
hwclock: Use the --debug option to see the details of our search for an access method.

This is correct behaviour since zlpar cannot access the hw clock and is consistent with prior versions.

message logged indicates the failure,
type=USYS_CONFIG msg=audit(1512154473.517:12321): pid=84471 uid=0 auid=1000 ses=1134 msg='changing system time exe="/sbin/hwclock" hostname=? addr=? terminal=pts/1 res=failed'

tags: added: verification-done-xenial
description: updated
Joy Latten (j-latten) wrote :

verified successfully in amd64 VM for zesty.

$ cat /etc/os-release
NAME="Ubuntu"
VERSION="17.04 (Zesty Zapus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 17.04"
VERSION_ID="17.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=zesty
UBUNTU_CODENAME=zesty

$ dpkg -l | grep util-linux
ii util-linux 2.29-1ubuntu2.2 amd64 miscellaneous system utilities

$ uname -a
Linux zestyguest 4.10.0-19-generic #21-Ubuntu SMP Thu Apr 6 17:04:57 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

message logged after altering hardware clock,

type=USYS_CONFIG msg=audit(1512158548.257:24): pid=3081 uid=0 auid=1000 ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname=? addr=? terminal=pts/0 res=success'

tags: added: verification-done-zesty
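
An added example, not part of the bug report or of util-linux: a Python parser that picks hwclock time-change events out of audit log text. It accepts both message forms quoted in the verification comments above (op=change-system-time and the free-text "changing system time") and ignores the USER_CMD record that was pasted by mistake. The function names are chosen here; the sample lines are the records quoted on this page.

```python
import re
import shlex

# Sample input: the four audit records quoted in the comments on this page.
SAMPLE_LOG = """\
type=USER_CMD msg=audit(1511896792.291:29): pid=3008 uid=1000 auid=1000 ses=2 msg='cwd="/home/ubuntu" cmd="hwclock" terminal=pts/0 res=success'
type=USYS_CONFIG msg=audit(1511898182.500:184): pid=3305 uid=0 auid=1000 ses=2 msg='op=change-system-time exe="/sbin/hwclock" hostname=artfulguest addr=? terminal=pts/0 res=success'
type=USYS_CONFIG msg=audit(1512153890.632:29): pid=26156 uid=0 auid=1000 ses=998 msg='changing system time exe="/sbin/hwclock" hostname=? addr=? terminal=pts/0 res=success'
type=USYS_CONFIG msg=audit(1512154473.517:12321): pid=84471 uid=0 auid=1000 ses=1134 msg='changing system time exe="/sbin/hwclock" hostname=? addr=? terminal=pts/1 res=failed'
"""

RECORD = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"(?P<outer>.*?) msg='(?P<inner>.*)'\s*$")

def parse_record(line):
    """Parse one user-space audit record into a dict, or None if malformed."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "time": float(m["ts"]), "serial": int(m["serial"])}
    rec.update(kv.split("=", 1) for kv in m["outer"].split() if "=" in kv)
    try:
        tokens = shlex.split(m["inner"])  # strips the quotes around exe, cwd, cmd
    except ValueError:  # unbalanced quote inside msg
        return None
    words = []
    for tok in tokens:
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
        else:
            words.append(tok)  # free text such as "changing system time"
    rec["text"] = " ".join(words)
    return rec

def clock_changes(log_text, exe="/sbin/hwclock"):
    """Return (time, auid, res) per hwclock time change; auid is the login user."""
    events = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        # USER_CMD only records the sudo invocation, not the clock change.
        if not rec or rec["type"] != "USYS_CONFIG" or rec.get("exe") != exe:
            continue
        # Zesty/artful records carry op=...; the xenial ones use free text.
        if (rec.get("op") == "change-system-time"
                or rec["text"] == "changing system time"):
            events.append((rec["time"], rec.get("auid"), rec.get("res")))
    return events
```

Failed attempts are returned as well, so the res=failed record from the z13 test shows up alongside the successful changes.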
Robie Basak (racb) wrote :

Please could someone check the autopkgtest failures listed against this SRU in http://people.canonical.com/~ubuntu-archive/pending-sru.html?
