desktop-packages team mailing list archive

[Bug 1478087] Re: ISST-LTE: aureport -l couldn't print out login info on ubuntu 14.04.3

 

The bug is not in aureport or libaudit. aureport looks for
AUDIT_USER_LOGIN events in the audit log but we're not generating them
in login programs due to libaudit support not being enabled at build
time or, in the case of lightdm, missing libaudit support.

Note that we are generating an AUDIT_LOGIN event from the kernel upon
login but aureport and friends are looking for AUDIT_USER_LOGIN events
from userspace.

This will require changes to several packages. So far, I've been able
to determine that openssh needs to be built with --enable-audit=linux
and lightdm needs to be patched to generate AUDIT_USER_LOGIN events. The
lightdm pam configs may also need updating for calling out to
pam_loginuid.so but I'm not sure if that's required at this point.

The shadow package was recently modified to enable libaudit support
(https://launchpad.net/ubuntu/+source/shadow/1:4.1.5.1-1.1ubuntu5) so
that change will need to be SRU'ed.

The util-linux source package can generate AUDIT_USER_INFO events from
its login program but we're using the login program from the shadow
source package. After looking at the util-linux source, I don't see a
reason to build it against libaudit at this time.

** Also affects: openssh (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: lightdm (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: shadow (Ubuntu)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1478087

Title:
  ISST-LTE: aureport -l couldn't print out login info on ubuntu 14.04.3

Status in audit package in Ubuntu:
  New
Status in lightdm package in Ubuntu:
  New
Status in openssh package in Ubuntu:
  New
Status in shadow package in Ubuntu:
  New

Bug description:
  -- Problem Description --
  We installed ubuntu 14.04.3 on lakelp1 and installed package auditd. We tried to
  ssh to lakelp1 several times and found that "aureport -l" couldn't print out the login 
  info.

  root@lakelp1:~# /etc/init.d/auditd status
   * auditd is running.

  root@lakelp1:~# auditctl -e 1
  AUDIT_STATUS: enabled=1 flag=1 pid=38784 rate_limit=0 backlog_limit=320 lost=12 backlog=1

  root@lakelp1:~# grep -i login /var/log/audit/audit.log
  type=LOGIN msg=audit(1437641256.987:67): pid=11752 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=4 res=1
  type=LOGIN msg=audit(1437642646.478:85): pid=44269 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=5 res=1
  type=LOGIN msg=audit(1437642700.295:90): pid=21504 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=6 res=1
  type=LOGIN msg=audit(1437642765.339:104): pid=16628 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=7 res=1
  type=LOGIN msg=audit(1437644638.593:130): pid=44443 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=8 res=1

  
  root@lakelp1:~# aureport -l

  Login Report
  ============================================
  # date time auid host term exe success event
  ============================================
  <no events of interest were found>

  This looks like a bug in aureport or libaudit. In addition to giving
  admins falsely empty record selections, this would prevent successful
  completion of a Common Criteria certification.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/audit/+bug/1478087/+subscriptions
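
The gap described in the comment above can be checked directly against an audit log. The following is an added example, not part of the original message or of the audit package: it tallies record types and lists sessions that have a kernel `LOGIN` record but no userspace `USER_LOGIN` record. The function names and the sample `USER_LOGIN` line are assumptions made for illustration.

```python
import re
from collections import Counter

# The two LOGIN lines are copied from the bug description; the USER_LOGIN
# line is constructed to show what a login program with libaudit support adds.
KERNEL_ONLY = """\
type=LOGIN msg=audit(1437641256.987:67): pid=11752 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=4 res=1
type=LOGIN msg=audit(1437642646.478:85): pid=44269 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=5 res=1
"""
WITH_USERSPACE = KERNEL_ONLY + (
    "type=USER_LOGIN msg=audit(1437642646.500:86): pid=44269 uid=0 auid=0 ses=5 "
    "msg='op=login id=0 exe=\"/usr/sbin/sshd\" hostname=? addr=192.0.2.10 "
    "terminal=ssh res=success'\n"
)

RECORD = re.compile(r"^type=(?P<type>\S+) msg=audit\(\d+\.\d+:\d+\):\s*(?P<body>.*)$")
# Anchor on whitespace so old-auid= / old-ses= are not mistaken for auid= / ses=.
FIELD = re.compile(r"(?:^|\s)(pid|auid|ses)=(\d+)")

def parse(log_text):
    """Yield (record_type, fields) for each well-formed audit record line."""
    for line in log_text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            yield m.group("type"), dict(FIELD.findall(m.group("body")))

def login_coverage(log_text):
    """Count record types and find sessions with LOGIN but no USER_LOGIN."""
    types = Counter()
    kernel_ses, user_ses = set(), set()
    for rtype, f in parse(log_text):
        types[rtype] += 1
        if rtype == "LOGIN" and "ses" in f:
            kernel_ses.add(f["ses"])
        elif rtype == "USER_LOGIN" and "ses" in f:
            user_ses.add(f["ses"])
    return {
        "counts": dict(types),
        "kernel_only_sessions": sorted(kernel_ses - user_ses, key=int),
    }

if __name__ == "__main__":
    print(login_coverage(KERNEL_ONLY))      # the state reported in this bug
    print(login_coverage(WITH_USERSPACE))   # session 5 now has a USER_LOGIN record
```

A non-empty `kernel_only_sessions` list alongside a zero `USER_LOGIN` count matches the state in the bug description, where `aureport -l` reports no events of interest.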