group.of.nepali.translators team mailing list archive
Message #22822
[Bug 1724152] Re: ISST-LTE: pVM: aureport couldn't get the right auid from the audit log on ubuntu16.04
** Changed in: ubuntu-power-systems
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1724152
Title:
ISST-LTE: pVM: aureport couldn't get the right auid from the audit log
on ubuntu16.04
Status in The Ubuntu-power-systems project:
Fix Released
Status in audit package in Ubuntu:
Invalid
Status in audit source package in Xenial:
Fix Released
Status in audit source package in Zesty:
Won't Fix
Bug description:
[Impact]
The aureport command, part of the audit userspace utilities,
incorrectly reports the user id of successful logins. "-1" is printed
instead of the expected user id.
[Test Case]
As root, run `login`. Proceed as follows:
1. Login with a blank username and any password
2. Login with an invalid username and any password
3. Login with a valid username and an invalid password
4. Login with a valid username and a valid password
5. Exit from the login shell
6. Run `aureport -l` and examine the last four login records
An unpatched aureport will print the following:
============================================
# date time auid host term exe success event
============================================
...
2. 10/17/2017 23:45:32 UNKNOWN ? /dev/pts/8 /bin/login no 97
3. 10/17/2017 23:45:39 UNKNOWN ? /dev/pts/8 /bin/login no 99
4. 10/17/2017 23:45:45 tyhicks ? /dev/pts/8 /bin/login no 101
5. 10/17/2017 23:45:49 -1 ? /dev/pts/8 /bin/login yes 107
A patched aureport will print the correct output:
Login Report
============================================
# date time auid host term exe success event
============================================
...
2. 10/17/2017 23:52:44 UNKNOWN ? /dev/pts/8 /bin/login no 165
3. 10/17/2017 23:52:52 UNKNOWN ? /dev/pts/8 /bin/login no 167
4. 10/17/2017 23:52:58 tyhicks ? /dev/pts/8 /bin/login no 169
5. 10/17/2017 23:53:02 1000 ? /dev/pts/8 /bin/login yes 175
Note the "1000" in the auid column on the #5 row. It should *not* be
"-1".
[Regression Potential]
The regression potential is limited because the change affects only a
single line of code, the fix comes from upstream, and the aureport
utility is not critical.
[Original Report]
== Comment: #0 - Miao Tao Feng <fengmt@xxxxxxxxxx> - 2016-11-23 02:46:25 ==
While developing a new test case for audit, we found that the command "aureport -l" prints the wrong auid "-1" on Ubuntu 16.04; it should be 1000 according to the audit.log.
The following are details:
root@roselp2:~# aureport -l
Login Report
============================================
# date time auid host term exe success event
============================================
1. 11/23/2016 02:20:12 -1 10.33.24.118 /dev/pts/0 /usr/sbin/sshd yes 18
The auid "-1" on the above line should be "1000" according to the
audit.log.
root@roselp2:~# grep ":18" /var/log/audit/audit.log
type=USER_LOGIN msg=audit(1479889212.292:18): pid=4177 uid=0 auid=1000 ses=4 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.33.24.118 addr=10.33.24.118 terminal=/dev/pts/0 res=success'
root@roselp2:~# dpkg -s auditd
Package: auditd
Status: install ok installed
Priority: extra
Section: admin
Installed-Size: 1051
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@xxxxxxxxxxxxxxxx>
Architecture: ppc64el
Source: audit
Version: 1:2.4.5-1ubuntu2
Depends: lsb-base (>= 3.0-6), mawk | gawk, init-system-helpers (>= 1.18~), libaudit1 (>= 1:2.4.2), libauparse0 (>= 1:2.3.1), libc6 (>= 2.17)
Suggests: audispd-plugins
root@roselp2:~# uname -a
Linux roselp2 4.4.0-47-generic #68-Ubuntu SMP Wed Oct 26 19:38:24 UTC 2016 ppc64le ppc64le ppc64le GNU/Linux
root@roselp2:~# service auditd status
● auditd.service - Security Auditing Service
Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor preset: e
Active: active (running) since Wed 2016-11-23 02:19:21 CST; 19s ago
Main PID: 4085 (auditd)
CGroup: /system.slice/auditd.service
└─4085 /sbin/auditd -n
Nov 23 02:19:21 roselp2 auditctl[4086]: enabled 0
Nov 23 02:19:21 roselp2 auditctl[4086]: failure 1
Nov 23 02:19:21 roselp2 auditctl[4086]: pid 0
Nov 23 02:19:21 roselp2 auditctl[4086]: rate_limit 0
Nov 23 02:19:21 roselp2 auditctl[4086]: backlog_limit 320
Nov 23 02:19:21 roselp2 auditctl[4086]: lost 0
Nov 23 02:19:21 roselp2 auditctl[4086]: backlog 0
Nov 23 02:19:21 roselp2 auditctl[4086]: backlog_wait_time 15000
Nov 23 02:19:21 roselp2 systemd[1]: Started Security Auditing Service.
Nov 23 02:19:21 roselp2 auditd[4085]: Init complete, auditd 2.4.5 listening for
Please cherry pick
https://github.com/linux-audit/audit-userspace/commit/25097d64344828a80acf681da5c1dacc4ea3c069
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-power-systems/+bug/1724152/+subscriptions
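
Added example (not part of the bug report or of the audit project's code): a cross-check of `aureport -l` rows against the raw USER_LOGIN records, joined on the event serial, that flags successful logins shown with an unset auid. The function names are hypothetical, and using the record's `id=` field as the logged-in account (falling back to `auid=`) is an assumption; both are 1000 in the sample lines copied from the report above.

```python
import re

# Sample lines copied from the original report above (event serial 18).
RAW_LOG = """type=USER_LOGIN msg=audit(1479889212.292:18): pid=4177 uid=0 auid=1000 ses=4 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.33.24.118 addr=10.33.24.118 terminal=/dev/pts/0 res=success'"""
REPORT = "1. 11/23/2016 02:20:12 -1 10.33.24.118 /dev/pts/0 /usr/sbin/sshd yes 18"
UNSET = {"-1", "4294967295"}  # an unset id, printed signed or as unsigned 32-bit
HEADER = re.compile(r"^type=USER_LOGIN msg=audit\(\d+\.\d+:(\d+)\):")
FIELD = re.compile(r"""(\w+)=("[^"]*"|[^\s']+)""")

def login_records(raw):
    """Map event serial -> key/value fields of each USER_LOGIN record."""
    out = {}
    for line in raw.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        fields = {}
        for k, v in FIELD.findall(line[m.end():]):
            fields.setdefault(k, v.strip('"'))  # keep the first occurrence
        out[int(m.group(1))] = fields
    return out

def report_rows(report):
    """Yield (auid_column, success, serial) for each `aureport -l` data row."""
    for line in report.splitlines():
        cols = line.split()
        # Data rows: "N. date time auid host term exe success event"
        if len(cols) == 9 and cols[0].rstrip(".").isdigit() and cols[8].isdigit():
            yield cols[3], cols[7], int(cols[8])

def misreported(raw, report):
    """Return (serial, shown, logged) where aureport hides a known user id."""
    records = login_records(raw)
    bad = []
    for shown, success, serial in report_rows(report):
        rec = records.get(serial)
        if rec is None or success != "yes" or rec.get("res") != "success":
            continue
        # Assumption: id= in the payload names the account that logged in.
        logged = rec.get("id", rec.get("auid", "-1"))
        if shown in UNSET and logged not in UNSET:
            bad.append((serial, shown, logged))
    return bad

if __name__ == "__main__":
    for serial, shown, logged in misreported(RAW_LOG, REPORT):
        print(f"event {serial}: aureport shows auid {shown}, audit.log has {logged}")
```

Event serials restart after a reboot, so compare the report and the log for one boot at a time.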