2017-10-09 15:28:14 |
Joy Latten |
bug |
|
|
added bug |
2017-10-09 15:29:54 |
Joy Latten |
summary |
Add "--with-audit" config option so that the hwclock command creates audit records when it is used to alter the hardware clock. |
[SRU][xenial] Add "--with-audit" config option so that the hwclock command creates an audit record when the hardware clock is altered. |
|
2017-10-09 15:47:48 |
Joy Latten |
description |
[IMPACT]
There is a requirement for Common Criteria EAL2 certification that changes to the system's hardware clock be audited/monitored. In Ubuntu the hwclock command can be used to alter the system's hardware clock. Thus this event needs to be audited for EAL2. The hwclock command within util-linux has the ability to create an audit event when the system's hardware clock is altered, but this ability is enabled via the --with-audit config option. This option is currently not enabled.
Only the hwclock and the login commands within util-linux package use this --with-audit config option to enable auditing. However, it appears the login command is not built nor shipped in util-linux. Ubuntu uses the login command from shadow instead. Thus, only hwclock command would be affected by this change. The change would enable (1) call to audit_open to create a netlink socket descriptor. (2) generate an audit entry when the system hardware clock is altered. The entry will be logged into the /var/log/audit/audit.log IF auditd is installed and running.
[FIX]
[TEST]
This has been tested on both P8 and amd64 architectures. With the patch all the Common Criteria testcases pass for hwclock. Before this patch, the functional part of the testcase passed, but the check for the triggered audit records would fail.
[REGRESSION POTENTIAL]
The regression potential for this should be small. This change does not take away from any current functionality. It just adds the ability to generate an audit entry when system hardware clock is altered. |
[IMPACT]
There is a requirement for Common Criteria EAL2 certification that changes to the system's hardware clock be audited/monitored. In Ubuntu the hwclock command can be used to alter the system's hardware clock. Thus this event needs to be audited for EAL2. The hwclock command within util-linux has the ability to create an audit event when the system's hardware clock is altered, but this ability is enabled via the --with-audit config option. This option is currently not enabled.
Only the hwclock and the login commands within util-linux package use this --with-audit config option to enable auditing. However, it appears the login command is not built nor shipped in util-linux. Ubuntu uses the login command from shadow instead. Thus, only hwclock command would be affected by this change. The change would enable (1) call to audit_open to create a netlink socket descriptor. (2) generate an audit entry when the system hardware clock is altered. The entry will be logged into the /var/log/audit/audit.log IF auditd is installed and running.
[TEST]
This has been tested on both P8 and amd64 architectures. With the patch all the Common Criteria testcases pass for hwclock. Before this patch, the functional part of the testcase passed, but the check for the triggered audit records would fail.
[REGRESSION POTENTIAL]
The regression potential for this should be small. This change does not take away from any current functionality. It just adds the ability to generate an audit entry when system hardware clock is altered. |
|
2017-10-09 15:52:18 |
Joy Latten |
attachment added |
|
debdiff of version 3.3 and 3.4~joyppa2 https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1722313/+attachment/4966026/+files/debdiff.out |
|
2017-10-09 16:07:03 |
Joy Latten |
attachment added |
|
EAL hwclock testcase https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1722313/+attachment/4966040/+files/test_hwclock.bash |
|
2017-10-09 16:11:51 |
Joy Latten |
description |
[IMPACT]
There is a requirement for Common Criteria EAL2 certification that changes to the system's hardware clock be audited/monitored. In Ubuntu the hwclock command can be used to alter the system's hardware clock. Thus this event needs to be audited for EAL2. The hwclock command within util-linux has the ability to create an audit event when the system's hardware clock is altered, but this ability is enabled via the --with-audit config option. This option is currently not enabled.
Only the hwclock and the login commands within util-linux package use this --with-audit config option to enable auditing. However, it appears the login command is not built nor shipped in util-linux. Ubuntu uses the login command from shadow instead. Thus, only hwclock command would be affected by this change. The change would enable (1) call to audit_open to create a netlink socket descriptor. (2) generate an audit entry when the system hardware clock is altered. The entry will be logged into the /var/log/audit/audit.log IF auditd is installed and running.
[TEST]
This has been tested on both P8 and amd64 architectures. With the patch all the Common Criteria testcases pass for hwclock. Before this patch, the functional part of the testcase passed, but the check for the triggered audit records would fail.
[REGRESSION POTENTIAL]
The regression potential for this should be small. This change does not take away from any current functionality. It just adds the ability to generate an audit entry when system hardware clock is altered. |
[IMPACT]
There is a requirement for Common Criteria EAL2 certification that changes to the system's hardware clock be audited/monitored. In Ubuntu the hwclock command can be used to alter the system's hardware clock. Thus this event needs to be audited for EAL2. The hwclock command within util-linux has the ability to create an audit event when the system's hardware clock is altered, but this ability is enabled via the --with-audit config option. This option is currently not enabled.
Only the hwclock and the login commands within util-linux package use this --with-audit config option to enable auditing. However, it appears the login command is not built nor shipped in util-linux. Ubuntu uses the login command from shadow instead. Thus, only hwclock command would be affected by this change. The change would enable (1) call to audit_open to create a netlink socket descriptor. (2) generate an audit entry when the system hardware clock is altered. The entry will be logged into the /var/log/audit/audit.log IF auditd is installed and running.
[TEST]
This has been tested on both P8 and amd64 architectures. With the patch all the Common Criteria testcases pass for hwclock. Before this patch, the functional part of the testcase passed, but the check for the triggered audit records would fail. Attached the Common Criteria testcase below.
Also, the util-linux package has testcases that get run during the build. All of these pass. Pointer to build log below.
[REGRESSION POTENTIAL]
The regression potential for this should be small. This change does not take away from any current functionality. It just adds the ability to generate an audit entry when system hardware clock is altered. |
|
2017-10-10 15:32:23 |
Joy Latten |
bug watch added |
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745771 |
|
2017-10-10 15:32:23 |
Joy Latten |
bug task added |
|
util-linux (Debian) |
|
2017-10-10 15:48:00 |
dann frazier |
nominated for series |
|
Ubuntu Xenial |
|
2017-10-10 15:48:00 |
dann frazier |
bug task added |
|
util-linux (Ubuntu Xenial) |
|
2017-10-10 15:48:00 |
dann frazier |
nominated for series |
|
Ubuntu Artful |
|
2017-10-10 15:48:00 |
dann frazier |
bug task added |
|
util-linux (Ubuntu Artful) |
|
2017-10-10 15:48:00 |
dann frazier |
nominated for series |
|
Ubuntu Zesty |
|
2017-10-10 15:48:00 |
dann frazier |
bug task added |
|
util-linux (Ubuntu Zesty) |
|
2017-10-10 20:18:58 |
Joy Latten |
summary |
[SRU][xenial] Add "--with-audit" config option so that the hwclock command creates an audit record when the hardware clock is altered. |
[SRU][xenial] Enable auditing in util-linux. |
|
2017-10-10 20:36:43 |
Joy Latten |
description |
[IMPACT]
There is a requirement for Common Criteria EAL2 certification that changes to the system's hardware clock be audited/monitored. In Ubuntu the hwclock command can be used to alter the system's hardware clock. Thus this event needs to be audited for EAL2. The hwclock command within util-linux has the ability to create an audit event when the system's hardware clock is altered, but this ability is enabled via the --with-audit config option. This option is currently not enabled.
Only the hwclock and the login commands within util-linux package use this --with-audit config option to enable auditing. However, it appears the login command is not built nor shipped in util-linux. Ubuntu uses the login command from shadow instead. Thus, only hwclock command would be affected by this change. The change would enable (1) call to audit_open to create a netlink socket descriptor. (2) generate an audit entry when the system hardware clock is altered. The entry will be logged into the /var/log/audit/audit.log IF auditd is installed and running.
[TEST]
This has been tested on both P8 and amd64 architectures. With the patch all the Common Criteria testcases pass for hwclock. Before this patch, the functional part of the testcase passed, but the check for the triggered audit records would fail. Attached the Common Criteria testcase below.
Also, the util-linux package has testcases that get run during the build. All of these pass. Pointer to build log below.
[REGRESSION POTENTIAL]
The regression potential for this should be small. This change does not take away from any current functionality. It just adds the ability to generate an audit entry when system hardware clock is altered. |
[IMPACT]
Enable auditing in util-linux. The config option, --with-audit enables auditing.
Only the hwclock and the login commands within util-linux package have source code for auditing. But that source code is disabled by default and requires the config option, --with-audit to enable it. The login command is not built nor shipped in util-linux. Ubuntu uses the login command from shadow instead. Thus, only hwclock command would be affected by this change.
The change would enable the hwclock command to generate an audit log message to /var/log/audit/audit.log whenever it changes the hardware clock. This message will only get logged if auditd daemon is running. Otherwise, nothing gets logged.
That the hwclock generates an audit message when hardware clock is changed is a requirement for Common Criteria EAL2 certification for Xenial.
[TEST]
This has been tested on both P8 and amd64 architectures. With the patch all the Common Criteria testcases pass for hwclock. Before this patch, the functional part of the testcase passed, but the check for the triggered audit records would fail. Attached the Common Criteria testcase below.
Also, the util-linux package has testcases that get run during the build. All of these pass. Pointer to build log below.
[REGRESSION POTENTIAL]
The regression potential for this should be small. This change does not take away from any current functionality. It just adds the ability to generate an audit entry when system hardware clock is altered. |
|
2017-10-12 15:19:19 |
Brian Murray |
tags |
|
rls-aa-notfixing |
|
2017-10-13 06:32:25 |
Bug Watch Updater |
util-linux (Debian): status |
Unknown |
New |
|
2017-11-09 16:16:39 |
Joy Latten |
attachment removed |
debdiff of version 3.3 and 3.4~joyppa2 https://bugs.launchpad.net/debian/+source/util-linux/+bug/1722313/+attachment/4966026/+files/debdiff.out |
|
|
2017-11-09 17:27:20 |
Joy Latten |
attachment added |
|
debdiff.xenial https://bugs.launchpad.net/debian/+source/util-linux/+bug/1722313/+attachment/5006617/+files/debdiff.xenial |
|
2017-11-09 17:28:39 |
Joy Latten |
attachment added |
|
debdiff.zesty https://bugs.launchpad.net/debian/+source/util-linux/+bug/1722313/+attachment/5006619/+files/debdiff.zesty |
|
2017-11-09 17:29:49 |
Joy Latten |
attachment added |
|
debdiff.artful https://bugs.launchpad.net/debian/+source/util-linux/+bug/1722313/+attachment/5006620/+files/debdiff.artful |
|
2017-11-09 21:55:07 |
Eric Desrochers |
bug |
|
|
added subscriber Eric Desrochers |
2017-11-09 22:00:05 |
Joy Latten |
util-linux (Ubuntu): status |
New |
In Progress |
|
2017-11-09 22:01:32 |
Eric Desrochers |
util-linux (Ubuntu Xenial): importance |
Undecided |
Medium |
|
2017-11-09 22:01:37 |
Eric Desrochers |
util-linux (Ubuntu): importance |
Undecided |
Medium |
|
2017-11-09 22:01:40 |
Eric Desrochers |
util-linux (Ubuntu Zesty): importance |
Undecided |
Medium |
|
2017-11-09 22:01:44 |
Eric Desrochers |
util-linux (Ubuntu Artful): importance |
Undecided |
Medium |
|
2017-11-09 22:03:30 |
Eric Desrochers |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
2017-11-09 22:08:07 |
Eric Desrochers |
util-linux (Ubuntu): assignee |
|
Joy Latten (j-latten) |
|
2017-11-09 22:14:18 |
Joy Latten |
attachment added |
|
debdiff.bionic https://bugs.launchpad.net/debian/+source/util-linux/+bug/1722313/+attachment/5006681/+files/debdiff.bionic |
|
2017-11-10 14:09:04 |
Joy Latten |
summary |
[SRU][xenial] Enable auditing in util-linux. |
Enable auditing in util-linux. |
|
2017-11-10 15:22:08 |
Marc Deslauriers |
util-linux (Ubuntu Xenial): status |
New |
In Progress |
|
2017-11-10 15:22:10 |
Marc Deslauriers |
util-linux (Ubuntu Zesty): status |
New |
In Progress |
|
2017-11-10 15:22:12 |
Marc Deslauriers |
util-linux (Ubuntu Artful): status |
New |
In Progress |
|
2017-11-10 16:02:34 |
Eric Desrochers |
bug |
|
|
added subscriber SRU Verification |
2017-11-20 15:28:15 |
Łukasz Zemczak |
util-linux (Ubuntu): status |
In Progress |
Fix Released |
|
2017-11-20 15:46:15 |
Łukasz Zemczak |
util-linux (Ubuntu Artful): status |
In Progress |
Fix Committed |
|
2017-11-20 15:46:16 |
Łukasz Zemczak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2017-11-28 20:13:12 |
Joy Latten |
tags |
rls-aa-notfixing |
rls-aa-notfixing verification-done-artful |
|
2017-11-30 19:58:43 |
Brian Murray |
util-linux (Ubuntu Xenial): status |
In Progress |
Fix Committed |
|
2017-11-30 20:00:09 |
Brian Murray |
util-linux (Ubuntu Zesty): status |
In Progress |
Fix Committed |
|
2017-11-30 20:04:21 |
Brian Murray |
removed subscriber Ubuntu Sponsors Team |
|
|
|
2017-12-01 19:06:45 |
Joy Latten |
tags |
rls-aa-notfixing verification-done-artful |
rls-aa-notfixing verification-done-artful verification-done-xenial |
|
2017-12-01 19:09:39 |
Joy Latten |
description |
[IMPACT]
Enable auditing in util-linux. The config option, --with-audit enables auditing.
Only the hwclock and the login commands within util-linux package have source code for auditing. But that source code is disabled by default and requires the config option, --with-audit to enable it. The login command is not built nor shipped in util-linux. Ubuntu uses the login command from shadow instead. Thus, only hwclock command would be affected by this change.
The change would enable the hwclock command to generate an audit log message to /var/log/audit/audit.log whenever it changes the hardware clock. This message will only get logged if auditd daemon is running. Otherwise, nothing gets logged.
That the hwclock generates an audit message when hardware clock is changed is a requirement for Common Criteria EAL2 certification for Xenial.
[TEST]
This has been tested on both P8 and amd64 architectures. With the patch all the Common Criteria testcases pass for hwclock. Before this patch, the functional part of the testcase passed, but the check for the triggered audit records would fail. Attached the Common Criteria testcase below.
Also, the util-linux package has testcases that get run during the build. All of these pass. Pointer to build log below.
[REGRESSION POTENTIAL]
The regression potential for this should be small. This change does not take away from any current functionality. It just adds the ability to generate an audit entry when system hardware clock is altered. |
[IMPACT]
Enable auditing in util-linux. The config option, --with-audit enables auditing.
Only the hwclock and the login commands within util-linux package have source code for auditing. But that source code is disabled by default and requires the config option, --with-audit to enable it. The login command is not built nor shipped in util-linux. Ubuntu uses the login command from shadow instead. Thus, only hwclock command would be affected by this change.
The change would enable the hwclock command to generate an audit log message to /var/log/audit/audit.log whenever it changes the hardware clock. This message will only get logged to /var/log/audit/audit.log, if auditd daemon is running. Otherwise, if the auditd is not running, like most log messages, it will get logged to /var/log/kern.log and|or /var/log/syslog if these services are enabled.
That the hwclock generates an audit message when hardware clock is changed is a requirement for Common Criteria EAL2 certification for Xenial.
[TEST]
This has been tested on both P8 and amd64 architectures. With the patch all the Common Criteria testcases pass for hwclock. Before this patch, the functional part of the testcase passed, but the check for the triggered audit records would fail. Attached the Common Criteria testcase below.
Also, the util-linux package has testcases that get run during the build. All of these pass. Pointer to build log below.
[REGRESSION POTENTIAL]
The regression potential for this should be small. This change does not take away from any current functionality. It just adds the ability to generate an audit entry when system hardware clock is altered. |
|
2017-12-01 20:08:39 |
Joy Latten |
tags |
rls-aa-notfixing verification-done-artful verification-done-xenial |
rls-aa-notfixing verification-done-artful verification-done-xenial verification-done-zesty |
|
2018-02-14 14:34:29 |
Launchpad Janitor |
util-linux (Ubuntu Artful): status |
Fix Committed |
Fix Released |
|
2018-02-14 14:34:35 |
Łukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2018-02-14 14:34:53 |
Launchpad Janitor |
util-linux (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
2018-03-08 12:29:57 |
Bug Watch Updater |
util-linux (Debian): status |
New |
Fix Released |
|