[Bug 1478087] Re: Add libaudit support

Mathieu Trudel-Lapierre mathieu.tl at gmail.com
Fri Jan 22 18:35:37 UTC 2016


** Description changed:

+ [Impact]
+ Auditing support is a commonly used feature in large enterprises, and allows better tracking of actions happening on secured systems, especially when it comes to accounting for login events.
+ 
+ Such systems fail to correctly list login events in aureport due to some
+ software not integrating libaudit.
+ 
+ [Test Case]
+ 1) Install auditd
+ 2) Login to the system multiple times (or allow for others to connect to the system)
+ 3) Run aureport -l
+ 
+ System should list login information.
+ 
+ [Regression Potential]
+ There is minimal risk for issues since libaudit support only allows for generating extra logging saved on the local system. A possible side-effect of this may be that systems on which auditing is enabled and where there are many users of the affected software (see bug tasks), such as many logins over SSH, there may be an increased demand on disk space necessary for the auditing data.
+ 
+ ---
+ 
  -- Problem Description --
  We installed ubuntu 14.04.3 on lakelp1 and installed package auditd. We tried to
- ssh to lakelp1 several times and found that "aureport -l" couldn't print out the login 
+ ssh to lakelp1 several times and found that "aureport -l" couldn't print out the login
  info.
  
  root at lakelp1:~# /etc/init.d/auditd status
-  * auditd is running.
+  * auditd is running.
  
  root at lakelp1:~# auditctl -e 1
  AUDIT_STATUS: enabled=1 flag=1 pid=38784 rate_limit=0 backlog_limit=320 lost=12 backlog=1
  
  root at lakelp1:~# grep -i login /var/log/audit/audit.log
  type=LOGIN msg=audit(1437641256.987:67): pid=11752 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=4 res=1
  type=LOGIN msg=audit(1437642646.478:85): pid=44269 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=5 res=1
  type=LOGIN msg=audit(1437642700.295:90): pid=21504 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=6 res=1
  type=LOGIN msg=audit(1437642765.339:104): pid=16628 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=7 res=1
  type=LOGIN msg=audit(1437644638.593:130): pid=44443 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=8 res=1
- 
  
  root at lakelp1:~# aureport -l
  
  Login Report
  ============================================
  # date time auid host term exe success event
  ============================================
  <no events of interest were found>
  
  This looks like a bug in aureport or libaudit. In addition to giving
  admins falsely empty record selections, this would prevent successful
  completion of a Common Criteria certification.
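
Review bot: In the added [Test Case], step 2 does not say which login path to exercise, even though [Regression Potential] points at several affected packages ("see bug tasks") and the original report below only tried SSH. Name the login method for the task being verified (for example, SSH logins for the openssh task) so the check covers the package that actually received libaudit support. The expected result "System should list login information" would also be easier to verify if it were stated against the failing output shown in the report, that is, "aureport -l" lists the new logins instead of "<no events of interest were found>". Separately, the [Regression Potential] sentence starting "A possible side-effect" is hard to parse ("may be that systems ... there may be"); splitting it into one sentence about which systems are affected and one about the extra disk space would help.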

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1478087

Title:
  Add libaudit support
