[Bug 1026852] Re: [MIR] audit (pulls in libprelude)

Ubuntu Foundations Team Bug Bot 1026852 at bugs.launchpad.net
Tue Nov 27 00:16:34 UTC 2012


The attachment "audit_1.7.18-1ubuntu2.debdiff" of this bug report has
been identified as being a patch in the form of a debdiff.  The ubuntu-
sponsors team has been subscribed to the bug report so that they can
review and hopefully sponsor the debdiff.  In the event that this is in
fact not a patch you can resolve this situation by removing the tag
'patch' from the bug report and editing the attachment so that it is not
flagged as a patch.  Additionally, if you are a member of the ubuntu-
sponsors team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by
Brian Murray.  Please contact him regarding any issues with the action
taken in this bug report.]

** Tags added: patch

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1026852

Title:
  [MIR] audit (pulls in libprelude)

Status in “audit” package in Ubuntu:
  New
Status in “libev” package in Ubuntu:
  Invalid
Status in “libprelude” package in Ubuntu:
  Invalid

Bug description:
  This is a MIR to bring a portion of binary packages built from the audit source
  package into main. The binary packages of interest (some of which are created by the attached debdiff for the audit package) are:
   - auditd-common
   - auditd-light
   - libaudit0
   - libaudit-dev
   - python-audit

  The binary packages that may remain in universe are:
   - auditd
   - audispd-plugins
   - system-config-audit

  Availability:
   - Available in universe for all arches

  Rationale:
   - Discussed as part of the P and Q security catch all blueprints
     + https://blueprints.launchpad.net/ubuntu/+spec/security-p-catch-all
     + https://blueprints.launchpad.net/ubuntu/+spec/security-q-catch-all
   - libaudit0 is a build dependency of the Debian cron package
     + https://launchpad.net/bugs/878155
   - The audit log can already be used by AppArmor
     + http://wiki.apparmor.net/index.php/AppArmor_Failures#Messages_in_the_Log_files

  Security:
   - One CVE (CVE-2008-1628) in the project's history
   - Note that CVEs have been assigned for the kernel audit subsystem, but those
     are unrelated to the audit userspace code
   - Security risk involved since auditd is a daemon that runs as root
     + Implementing privilege dropping would not be trivial:
       http://www.redhat.com/archives/linux-audit/2009-October/msg00011.html
   - auditd can open up a port and listen for audit messages from remote machines
     + The default auditd.conf is *not* configured to open a port
     + auditd doesn't create a socket unless tcp_listen_port is set in
       auditd.conf (see auditd_tcp_listen_init() in src/auditd-listen.c)
     + The upstream build system does not allow disabling of the networking code
   - The audispd-plugins binary package contains functionality to send audit
     messages to remote machines but a main inclusion is not being requested for
     audispd-plugins

  Quality Assurance:
   - Basic audit logging works immediately after auditd package installation
   - The upstream maintainer is active on the mailing list
     + https://www.redhat.com/mailman/listinfo/linux-audit
   - The latest upstream release was on March 23, 2012
   - 4 "normal" bugs (one linked to a Debian bug) opened against Ubuntu audit
     source package
     + https://bugs.launchpad.net/ubuntu/+source/audit
   - 5 "normal" bugs opened against the Debian audit source package
     + http://bugs.debian.org/cgi-bin/pkgreport.cgi?src=audit
   - 'make check' tests are enabled in the build
   - debian/watch exists

  UI Standards:
   - The only end-user application is in the system-config-audit binary package,
     which is not included in this MIR

  Dependencies:
   - One build dependency is not in main
     + libprelude-dev binary and source package is in universe
     + NOTE: libev-dev is a current Build-Dependency, but it is not required because
       audit contains its own libev. The attached debdiff removes it from audit's
       Build-Dependency list.
   - All relevant binary dependencies are in main
     + check-mir points out menu and chkconfig, but they are dependencies of
       system-config-audit, which is not included in this MIR

  Standards Compliance:
   - No lintian errors
   - 9 overridden lintian warnings due to non-standard file/dir permissions
     because config and log files are intentionally installed with restrictive
     file permissions due to the security-related nature of the package (see
     debian/auditd.lintian-overrides)

  Maintenance:
   - This is a relatively simple package that seems to be well maintained
     upstream and in Debian
   - Should not require a dedicated maintainer in Ubuntu

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/audit/+bug/1026852/+subscriptions
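
The Security section above notes that auditd only creates a listening socket when tcp_listen_port is set in auditd.conf. The following is an added example, not part of the bug report or of the audit project's code, that checks a configuration file's text for that setting; the file-format rules it relies on and the 1..65535 range are assumptions stated in the comments, and both sample configurations are constructed.

```python
"""Added example: decide from auditd.conf text whether auditd would open a TCP listener."""

KEY = "tcp_listen_port"


def tcp_listen_port(conf_text):
    """Return the configured listen port as an int, or None if the key is unset.

    Assumptions (not taken from the bug report): lines are "key = value",
    lines starting with "#" are comments, keys are case-insensitive, a later
    assignment replaces an earlier one, and valid ports are 1..65535.
    """
    port = None
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() != KEY:
            continue
        if not value.isdecimal() or not 1 <= int(value) <= 65535:
            raise ValueError(f"line {lineno}: invalid {KEY} value {value!r}")
        port = int(value)
    return port


def describe(conf_text):
    """Summarise the network exposure implied by the configuration text."""
    port = tcp_listen_port(conf_text)
    if port is None:
        return "no listener: tcp_listen_port unset"
    return f"listener enabled on TCP port {port}"


# Constructed sample: the option is only present as a comment, so no socket.
LOCAL_ONLY = """\
log_file = /var/log/audit/audit.log
##tcp_listen_port = 60
"""

# Constructed sample: the option is set, so auditd would accept remote events.
REMOTE = """\
log_file = /var/log/audit/audit.log
TCP_Listen_Port = 60
"""

if __name__ == "__main__":
    for name, text in (("LOCAL_ONLY", LOCAL_ONLY), ("REMOTE", REMOTE)):
        print(f"{name}: {describe(text)}")
```

On a real host the same functions can be given the contents of /etc/audit/auditd.conf, the usual location of the file.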


