[Touch-packages] [Bug 1724152] Re: ISST-LTE: pVM: aureport couldn't get the right auid from the audit log on ubuntu16.04

[bugproxy]

** Tags removed: targetmilestone-inin---
** Tags added: targetmilestone-inin16043

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to audit in Ubuntu.
https://bugs.launchpad.net/bugs/1724152

Title:
  ISST-LTE: pVM: aureport couldn't get the right auid from the audit log
  on ubuntu16.04

Status in The Ubuntu-power-systems project:
  Fix Released
Status in audit package in Ubuntu:
  Invalid
Status in audit source package in Xenial:
  Fix Released
Status in audit source package in Zesty:
  Won't Fix

Bug description:
  [Impact]

  The aureport command, part of the audit userspace utilities,
  incorrectly reports the user id of successful logins. "-1" is printed
  instead of the expected user id.

  [Test Case]

  As root, run `login`. Proceed as follows:

  1. Login with a blank username and any password
  2. Login with an invalid username and any password
  3. Login with a valid username and an invalid password
  4. Login with a valid username and a valid password
  5. Exit from the login shell
  6. Run `aureport -l` and examine the last for login records

  An unpatched aureport will print the following:

  
  # date time auid host term exe success event
  
  ...
  2. 10/17/2017 23:45:32 UNKNOWN ? /dev/pts/8 /bin/login no 97
  3. 10/17/2017 23:45:39 UNKNOWN ? /dev/pts/8 /bin/login no 99
  4. 10/17/2017 23:45:45 tyhicks ? /dev/pts/8 /bin/login no 101
  5. 10/17/2017 23:45:49 -1 ? /dev/pts/8 /bin/login yes 107

  A patch aureport will print the correct output:

  Login Report
  
  # date time auid host term exe success event
  
  ...
  2. 10/17/2017 23:52:44 UNKNOWN ? /dev/pts/8 /bin/login no 165
  3. 10/17/2017 23:52:52 UNKNOWN ? /dev/pts/8 /bin/login no 167
  4. 10/17/2017 23:52:58 tyhicks ? /dev/pts/8 /bin/login no 169
  5. 10/17/2017 23:53:02 1000 ? /dev/pts/8 /bin/login yes 175

  Note the "1000" in the auid column on the #5 row. It should *not* be
  "-1".

  [Regression Potential]

  The regression potential is limited due to the change only affecting a
  single line of code, the fix comes from upstream, and that the
  aureport utility is not critical.

  [Original Report]

  == Comment: #0 - Miao Tao Feng  - 2016-11-23 02:46:25 ==
  When we develop new testcase for audit, we found that command "aureport -l" 
print out wrong auid "-1"  on ubuntu16.04  and it should be 1000 according to 
the audit.log.

  The following are details:

  root@roselp2:~# aureport -l

  Login Report
  
  # date time auid host term exe success event
  
  1. 11/23/2016 02:20:12 -1 10.33.24.118 /dev/pts/0 /usr/sbin/sshd yes 18

  The auid "-1" on the above line should be "1000? according to the
  audit.log.

  root@roselp2:~# grep ":18" /var/log/audit/audit.log
  type=USER_LOGIN msg=audit(1479889212.292:18): pid=4177 uid=0 auid=1000 ses=4 
msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.33.24.118 
addr=10.33.24.118 terminal=/dev/pts/0 res=success'

  root@roselp2:~# dpkg -s auditd
  Package: auditd
  Status: install ok installed
  Priority: extra
  Section: admin
  Installed-Size: 1051
  Maintainer: Ubuntu Developers 
  Architecture: ppc64el
  Source: audit
  Version: 1:2.4.5-1ubuntu2
  Depends: lsb-base (>= 3.0-6), mawk | gawk, init-system-helpers (>= 1.18~), 
libaudit1 (>= 1:2.4.2), libauparse0 (>= 1:2.3.1), libc6 (>= 2.17)
  Suggests: audispd-plugins

  root@roselp2:~# uname -a
  Linux roselp2 4.4.0-47-generic #68-Ubuntu SMP Wed Oct 26 19:38:24 UTC 2016 
ppc64le ppc64le ppc64le GNU/Linux

  root@roselp2:~# service auditd status
  ? auditd.service - Security Auditing Service
     Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor 
preset: e
     Active: active (running) since Wed 2016-11-23 02:19:21 CST; 19s ago
   Main PID: 4085 (auditd)
     CGroup: /system.slice/auditd.service
     ??4085 /sbin/auditd -n

  Nov 23 02:19:21 roselp2 auditctl[4086]: enabled 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: failure 1
  Nov 23 02:19:21 roselp2 auditctl[4086]: pid 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: rate_limit 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: backlog_limit 320
  Nov 23 02:19:21 roselp2 auditctl[4086]: lost 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: backlog 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: backlog_wait_time 15000
  Nov 23 02:19:21 roselp2 systemd[1]: Started Security Auditing Service.
  Nov 23 02:19:21 roselp2 auditd[4085]: Init complete, auditd 2.4.5 listening 
for

  Please cherry pick https://github.com/linux-audit/audit-
  userspace/commit/25097d64344828a80acf681da5c1dacc4ea3c069

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-power-systems/+bug/1724152/+subscriptions

-- 
Mailing list: 

[Touch-packages] [Bug 1724152] Re: ISST-LTE: pVM: aureport couldn't get the right auid from the audit log on ubuntu16.04

[Manoj Iyer]

** Changed in: audit (Ubuntu Zesty)
   Status: Fix Committed => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to audit in Ubuntu.
https://bugs.launchpad.net/bugs/1724152

Title:
  ISST-LTE: pVM: aureport couldn't get the right auid from the audit log
  on ubuntu16.04

Status in The Ubuntu-power-systems project:
  Fix Released
Status in audit package in Ubuntu:
  Invalid
Status in audit source package in Xenial:
  Fix Released
Status in audit source package in Zesty:
  Won't Fix

Bug description:
  [Impact]

  The aureport command, part of the audit userspace utilities,
  incorrectly reports the user id of successful logins. "-1" is printed
  instead of the expected user id.

  [Test Case]

  As root, run `login`. Proceed as follows:

  1. Login with a blank username and any password
  2. Login with an invalid username and any password
  3. Login with a valid username and an invalid password
  4. Login with a valid username and a valid password
  5. Exit from the login shell
  6. Run `aureport -l` and examine the last for login records

  An unpatched aureport will print the following:

  
  # date time auid host term exe success event
  
  ...
  2. 10/17/2017 23:45:32 UNKNOWN ? /dev/pts/8 /bin/login no 97
  3. 10/17/2017 23:45:39 UNKNOWN ? /dev/pts/8 /bin/login no 99
  4. 10/17/2017 23:45:45 tyhicks ? /dev/pts/8 /bin/login no 101
  5. 10/17/2017 23:45:49 -1 ? /dev/pts/8 /bin/login yes 107

  A patch aureport will print the correct output:

  Login Report
  
  # date time auid host term exe success event
  
  ...
  2. 10/17/2017 23:52:44 UNKNOWN ? /dev/pts/8 /bin/login no 165
  3. 10/17/2017 23:52:52 UNKNOWN ? /dev/pts/8 /bin/login no 167
  4. 10/17/2017 23:52:58 tyhicks ? /dev/pts/8 /bin/login no 169
  5. 10/17/2017 23:53:02 1000 ? /dev/pts/8 /bin/login yes 175

  Note the "1000" in the auid column on the #5 row. It should *not* be
  "-1".

  [Regression Potential]

  The regression potential is limited due to the change only affecting a
  single line of code, the fix comes from upstream, and that the
  aureport utility is not critical.

  [Original Report]

  == Comment: #0 - Miao Tao Feng  - 2016-11-23 02:46:25 ==
  When we develop new testcase for audit, we found that command "aureport -l" 
print out wrong auid "-1"  on ubuntu16.04  and it should be 1000 according to 
the audit.log.

  The following are details:

  root@roselp2:~# aureport -l

  Login Report
  
  # date time auid host term exe success event
  
  1. 11/23/2016 02:20:12 -1 10.33.24.118 /dev/pts/0 /usr/sbin/sshd yes 18

  The auid "-1" on the above line should be "1000? according to the
  audit.log.

  root@roselp2:~# grep ":18" /var/log/audit/audit.log
  type=USER_LOGIN msg=audit(1479889212.292:18): pid=4177 uid=0 auid=1000 ses=4 
msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.33.24.118 
addr=10.33.24.118 terminal=/dev/pts/0 res=success'

  root@roselp2:~# dpkg -s auditd
  Package: auditd
  Status: install ok installed
  Priority: extra
  Section: admin
  Installed-Size: 1051
  Maintainer: Ubuntu Developers 
  Architecture: ppc64el
  Source: audit
  Version: 1:2.4.5-1ubuntu2
  Depends: lsb-base (>= 3.0-6), mawk | gawk, init-system-helpers (>= 1.18~), 
libaudit1 (>= 1:2.4.2), libauparse0 (>= 1:2.3.1), libc6 (>= 2.17)
  Suggests: audispd-plugins

  root@roselp2:~# uname -a
  Linux roselp2 4.4.0-47-generic #68-Ubuntu SMP Wed Oct 26 19:38:24 UTC 2016 
ppc64le ppc64le ppc64le GNU/Linux

  root@roselp2:~# service auditd status
  ? auditd.service - Security Auditing Service
     Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor 
preset: e
     Active: active (running) since Wed 2016-11-23 02:19:21 CST; 19s ago
   Main PID: 4085 (auditd)
     CGroup: /system.slice/auditd.service
     ??4085 /sbin/auditd -n

  Nov 23 02:19:21 roselp2 auditctl[4086]: enabled 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: failure 1
  Nov 23 02:19:21 roselp2 auditctl[4086]: pid 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: rate_limit 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: backlog_limit 320
  Nov 23 02:19:21 roselp2 auditctl[4086]: lost 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: backlog 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: backlog_wait_time 15000
  Nov 23 02:19:21 roselp2 systemd[1]: Started Security Auditing Service.
  Nov 23 02:19:21 roselp2 auditd[4085]: Init complete, auditd 2.4.5 listening 
for

  Please cherry pick https://github.com/linux-audit/audit-
  userspace/commit/25097d64344828a80acf681da5c1dacc4ea3c069

To manage notifications about this bug go to:

[Touch-packages] [Bug 1724152] Re: ISST-LTE: pVM: aureport couldn't get the right auid from the audit log on ubuntu16.04

[Frank Heimes]

** Changed in: ubuntu-power-systems
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to audit in Ubuntu.
https://bugs.launchpad.net/bugs/1724152

Title:
  ISST-LTE: pVM: aureport couldn't get the right auid from the audit log
  on ubuntu16.04

Status in The Ubuntu-power-systems project:
  Fix Released
Status in audit package in Ubuntu:
  Invalid
Status in audit source package in Xenial:
  Fix Released
Status in audit source package in Zesty:
  Won't Fix

Bug description:
  [Impact]

  The aureport command, part of the audit userspace utilities,
  incorrectly reports the user id of successful logins. "-1" is printed
  instead of the expected user id.

  [Test Case]

  As root, run `login`. Proceed as follows:

  1. Login with a blank username and any password
  2. Login with an invalid username and any password
  3. Login with a valid username and an invalid password
  4. Login with a valid username and a valid password
  5. Exit from the login shell
  6. Run `aureport -l` and examine the last for login records

  An unpatched aureport will print the following:

  
  # date time auid host term exe success event
  
  ...
  2. 10/17/2017 23:45:32 UNKNOWN ? /dev/pts/8 /bin/login no 97
  3. 10/17/2017 23:45:39 UNKNOWN ? /dev/pts/8 /bin/login no 99
  4. 10/17/2017 23:45:45 tyhicks ? /dev/pts/8 /bin/login no 101
  5. 10/17/2017 23:45:49 -1 ? /dev/pts/8 /bin/login yes 107

  A patch aureport will print the correct output:

  Login Report
  
  # date time auid host term exe success event
  
  ...
  2. 10/17/2017 23:52:44 UNKNOWN ? /dev/pts/8 /bin/login no 165
  3. 10/17/2017 23:52:52 UNKNOWN ? /dev/pts/8 /bin/login no 167
  4. 10/17/2017 23:52:58 tyhicks ? /dev/pts/8 /bin/login no 169
  5. 10/17/2017 23:53:02 1000 ? /dev/pts/8 /bin/login yes 175

  Note the "1000" in the auid column on the #5 row. It should *not* be
  "-1".

  [Regression Potential]

  The regression potential is limited due to the change only affecting a
  single line of code, the fix comes from upstream, and that the
  aureport utility is not critical.

  [Original Report]

  == Comment: #0 - Miao Tao Feng  - 2016-11-23 02:46:25 ==
  When we develop new testcase for audit, we found that command "aureport -l" 
print out wrong auid "-1"  on ubuntu16.04  and it should be 1000 according to 
the audit.log.

  The following are details:

  root@roselp2:~# aureport -l

  Login Report
  
  # date time auid host term exe success event
  
  1. 11/23/2016 02:20:12 -1 10.33.24.118 /dev/pts/0 /usr/sbin/sshd yes 18

  The auid "-1" on the above line should be "1000? according to the
  audit.log.

  root@roselp2:~# grep ":18" /var/log/audit/audit.log
  type=USER_LOGIN msg=audit(1479889212.292:18): pid=4177 uid=0 auid=1000 ses=4 
msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.33.24.118 
addr=10.33.24.118 terminal=/dev/pts/0 res=success'

  root@roselp2:~# dpkg -s auditd
  Package: auditd
  Status: install ok installed
  Priority: extra
  Section: admin
  Installed-Size: 1051
  Maintainer: Ubuntu Developers 
  Architecture: ppc64el
  Source: audit
  Version: 1:2.4.5-1ubuntu2
  Depends: lsb-base (>= 3.0-6), mawk | gawk, init-system-helpers (>= 1.18~), 
libaudit1 (>= 1:2.4.2), libauparse0 (>= 1:2.3.1), libc6 (>= 2.17)
  Suggests: audispd-plugins

  root@roselp2:~# uname -a
  Linux roselp2 4.4.0-47-generic #68-Ubuntu SMP Wed Oct 26 19:38:24 UTC 2016 
ppc64le ppc64le ppc64le GNU/Linux

  root@roselp2:~# service auditd status
  ? auditd.service - Security Auditing Service
     Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor 
preset: e
     Active: active (running) since Wed 2016-11-23 02:19:21 CST; 19s ago
   Main PID: 4085 (auditd)
     CGroup: /system.slice/auditd.service
     ??4085 /sbin/auditd -n

  Nov 23 02:19:21 roselp2 auditctl[4086]: enabled 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: failure 1
  Nov 23 02:19:21 roselp2 auditctl[4086]: pid 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: rate_limit 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: backlog_limit 320
  Nov 23 02:19:21 roselp2 auditctl[4086]: lost 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: backlog 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: backlog_wait_time 15000
  Nov 23 02:19:21 roselp2 systemd[1]: Started Security Auditing Service.
  Nov 23 02:19:21 roselp2 auditd[4085]: Init complete, auditd 2.4.5 listening 
for

  Please cherry pick https://github.com/linux-audit/audit-
  userspace/commit/25097d64344828a80acf681da5c1dacc4ea3c069

To manage notifications about this bug go to:

[Touch-packages] [Bug 1724152] Re: ISST-LTE: pVM: aureport couldn't get the right auid from the audit log on ubuntu16.04

[Launchpad Bug Tracker]

This bug was fixed in the package audit - 1:2.4.5-1ubuntu2.1

---
audit (1:2.4.5-1ubuntu2.1) xenial; urgency=medium

  * debian/patches/02-print-loginuid-in-login-report.patch: Display the
loginuid when using aureport to display a login report (LP: #1724152)

 -- Tyler Hicks   Tue, 17 Oct 2017 20:03:34 +

** Changed in: audit (Ubuntu Xenial)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to audit in Ubuntu.
https://bugs.launchpad.net/bugs/1724152

Title:
  ISST-LTE: pVM: aureport couldn't get the right auid from the audit log
  on ubuntu16.04

Status in The Ubuntu-power-systems project:
  Fix Committed
Status in audit package in Ubuntu:
  Invalid
Status in audit source package in Xenial:
  Fix Released
Status in audit source package in Zesty:
  Fix Committed

Bug description:
  [Impact]

  The aureport command, part of the audit userspace utilities,
  incorrectly reports the user id of successful logins. "-1" is printed
  instead of the expected user id.

  [Test Case]

  As root, run `login`. Proceed as follows:

  1. Login with a blank username and any password
  2. Login with an invalid username and any password
  3. Login with a valid username and an invalid password
  4. Login with a valid username and a valid password
  5. Exit from the login shell
  6. Run `aureport -l` and examine the last for login records

  An unpatched aureport will print the following:

  
  # date time auid host term exe success event
  
  ...
  2. 10/17/2017 23:45:32 UNKNOWN ? /dev/pts/8 /bin/login no 97
  3. 10/17/2017 23:45:39 UNKNOWN ? /dev/pts/8 /bin/login no 99
  4. 10/17/2017 23:45:45 tyhicks ? /dev/pts/8 /bin/login no 101
  5. 10/17/2017 23:45:49 -1 ? /dev/pts/8 /bin/login yes 107

  A patch aureport will print the correct output:

  Login Report
  
  # date time auid host term exe success event
  
  ...
  2. 10/17/2017 23:52:44 UNKNOWN ? /dev/pts/8 /bin/login no 165
  3. 10/17/2017 23:52:52 UNKNOWN ? /dev/pts/8 /bin/login no 167
  4. 10/17/2017 23:52:58 tyhicks ? /dev/pts/8 /bin/login no 169
  5. 10/17/2017 23:53:02 1000 ? /dev/pts/8 /bin/login yes 175

  Note the "1000" in the auid column on the #5 row. It should *not* be
  "-1".

  [Regression Potential]

  The regression potential is limited due to the change only affecting a
  single line of code, the fix comes from upstream, and that the
  aureport utility is not critical.

  [Original Report]

  == Comment: #0 - Miao Tao Feng  - 2016-11-23 02:46:25 ==
  When we develop new testcase for audit, we found that command "aureport -l" 
print out wrong auid "-1"  on ubuntu16.04  and it should be 1000 according to 
the audit.log.

  The following are details:

  root@roselp2:~# aureport -l

  Login Report
  
  # date time auid host term exe success event
  
  1. 11/23/2016 02:20:12 -1 10.33.24.118 /dev/pts/0 /usr/sbin/sshd yes 18

  The auid "-1" on the above line should be "1000? according to the
  audit.log.

  root@roselp2:~# grep ":18" /var/log/audit/audit.log
  type=USER_LOGIN msg=audit(1479889212.292:18): pid=4177 uid=0 auid=1000 ses=4 
msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.33.24.118 
addr=10.33.24.118 terminal=/dev/pts/0 res=success'

  root@roselp2:~# dpkg -s auditd
  Package: auditd
  Status: install ok installed
  Priority: extra
  Section: admin
  Installed-Size: 1051
  Maintainer: Ubuntu Developers 
  Architecture: ppc64el
  Source: audit
  Version: 1:2.4.5-1ubuntu2
  Depends: lsb-base (>= 3.0-6), mawk | gawk, init-system-helpers (>= 1.18~), 
libaudit1 (>= 1:2.4.2), libauparse0 (>= 1:2.3.1), libc6 (>= 2.17)
  Suggests: audispd-plugins

  root@roselp2:~# uname -a
  Linux roselp2 4.4.0-47-generic #68-Ubuntu SMP Wed Oct 26 19:38:24 UTC 2016 
ppc64le ppc64le ppc64le GNU/Linux

  root@roselp2:~# service auditd status
  ? auditd.service - Security Auditing Service
     Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor 
preset: e
     Active: active (running) since Wed 2016-11-23 02:19:21 CST; 19s ago
   Main PID: 4085 (auditd)
     CGroup: /system.slice/auditd.service
     ??4085 /sbin/auditd -n

  Nov 23 02:19:21 roselp2 auditctl[4086]: enabled 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: failure 1
  Nov 23 02:19:21 roselp2 auditctl[4086]: pid 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: rate_limit 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: backlog_limit 320
  Nov 23 02:19:21 roselp2 auditctl[4086]: lost 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: backlog 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: backlog_wait_time 15000
  Nov 23 02:19:21 roselp2 

[Touch-packages] [Bug 1724152] Re: ISST-LTE: pVM: aureport couldn't get the right auid from the audit log on ubuntu16.04

[Tyler Hicks]

This SRU has been stuck in xenial-proposed for too long so I decided to
go ahead and verify it myself. The zesty SRU is no longer valid since
zesty has went EoL. The xenial SRU works as expected using the Test Case
described in the bug description.

** Tags removed: verification-needed verification-needed-xenial 
verification-needed-zesty
** Tags added: verification-done verification-done-xenial

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to audit in Ubuntu.
https://bugs.launchpad.net/bugs/1724152

Title:
  ISST-LTE: pVM: aureport couldn't get the right auid from the audit log
  on ubuntu16.04

Status in The Ubuntu-power-systems project:
  Fix Committed
Status in audit package in Ubuntu:
  Invalid
Status in audit source package in Xenial:
  Fix Committed
Status in audit source package in Zesty:
  Fix Committed

Bug description:
  [Impact]

  The aureport command, part of the audit userspace utilities,
  incorrectly reports the user id of successful logins. "-1" is printed
  instead of the expected user id.

  [Test Case]

  As root, run `login`. Proceed as follows:

  1. Login with a blank username and any password
  2. Login with an invalid username and any password
  3. Login with a valid username and an invalid password
  4. Login with a valid username and a valid password
  5. Exit from the login shell
  6. Run `aureport -l` and examine the last for login records

  An unpatched aureport will print the following:

  
  # date time auid host term exe success event
  
  ...
  2. 10/17/2017 23:45:32 UNKNOWN ? /dev/pts/8 /bin/login no 97
  3. 10/17/2017 23:45:39 UNKNOWN ? /dev/pts/8 /bin/login no 99
  4. 10/17/2017 23:45:45 tyhicks ? /dev/pts/8 /bin/login no 101
  5. 10/17/2017 23:45:49 -1 ? /dev/pts/8 /bin/login yes 107

  A patch aureport will print the correct output:

  Login Report
  
  # date time auid host term exe success event
  
  ...
  2. 10/17/2017 23:52:44 UNKNOWN ? /dev/pts/8 /bin/login no 165
  3. 10/17/2017 23:52:52 UNKNOWN ? /dev/pts/8 /bin/login no 167
  4. 10/17/2017 23:52:58 tyhicks ? /dev/pts/8 /bin/login no 169
  5. 10/17/2017 23:53:02 1000 ? /dev/pts/8 /bin/login yes 175

  Note the "1000" in the auid column on the #5 row. It should *not* be
  "-1".

  [Regression Potential]

  The regression potential is limited due to the change only affecting a
  single line of code, the fix comes from upstream, and that the
  aureport utility is not critical.

  [Original Report]

  == Comment: #0 - Miao Tao Feng  - 2016-11-23 02:46:25 ==
  When we develop new testcase for audit, we found that command "aureport -l" 
print out wrong auid "-1"  on ubuntu16.04  and it should be 1000 according to 
the audit.log.

  The following are details:

  root@roselp2:~# aureport -l

  Login Report
  
  # date time auid host term exe success event
  
  1. 11/23/2016 02:20:12 -1 10.33.24.118 /dev/pts/0 /usr/sbin/sshd yes 18

  The auid "-1" on the above line should be "1000? according to the
  audit.log.

  root@roselp2:~# grep ":18" /var/log/audit/audit.log
  type=USER_LOGIN msg=audit(1479889212.292:18): pid=4177 uid=0 auid=1000 ses=4 
msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.33.24.118 
addr=10.33.24.118 terminal=/dev/pts/0 res=success'

  root@roselp2:~# dpkg -s auditd
  Package: auditd
  Status: install ok installed
  Priority: extra
  Section: admin
  Installed-Size: 1051
  Maintainer: Ubuntu Developers 
  Architecture: ppc64el
  Source: audit
  Version: 1:2.4.5-1ubuntu2
  Depends: lsb-base (>= 3.0-6), mawk | gawk, init-system-helpers (>= 1.18~), 
libaudit1 (>= 1:2.4.2), libauparse0 (>= 1:2.3.1), libc6 (>= 2.17)
  Suggests: audispd-plugins

  root@roselp2:~# uname -a
  Linux roselp2 4.4.0-47-generic #68-Ubuntu SMP Wed Oct 26 19:38:24 UTC 2016 
ppc64le ppc64le ppc64le GNU/Linux

  root@roselp2:~# service auditd status
  ? auditd.service - Security Auditing Service
     Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor 
preset: e
     Active: active (running) since Wed 2016-11-23 02:19:21 CST; 19s ago
   Main PID: 4085 (auditd)
     CGroup: /system.slice/auditd.service
     ??4085 /sbin/auditd -n

  Nov 23 02:19:21 roselp2 auditctl[4086]: enabled 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: failure 1
  Nov 23 02:19:21 roselp2 auditctl[4086]: pid 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: rate_limit 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: backlog_limit 320
  Nov 23 02:19:21 roselp2 auditctl[4086]: lost 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: backlog 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: backlog_wait_time 15000
  Nov 23 02:19:21 roselp2 systemd[1]: Started Security 

[Touch-packages] [Bug 1724152] Re: ISST-LTE: pVM: aureport couldn't get the right auid from the audit log on ubuntu16.04

[Andrew Cloke]

** Tags added: triage-g

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to audit in Ubuntu.
https://bugs.launchpad.net/bugs/1724152

Title:
  ISST-LTE: pVM: aureport couldn't get the right auid from the audit log
  on ubuntu16.04

Status in The Ubuntu-power-systems project:
  Fix Committed
Status in audit package in Ubuntu:
  Invalid
Status in audit source package in Xenial:
  Fix Committed
Status in audit source package in Zesty:
  Fix Committed

Bug description:
  [Impact]

  The aureport command, part of the audit userspace utilities,
  incorrectly reports the user id of successful logins. "-1" is printed
  instead of the expected user id.

  [Test Case]

  As root, run `login`. Proceed as follows:

  1. Login with a blank username and any password
  2. Login with an invalid username and any password
  3. Login with a valid username and an invalid password
  4. Login with a valid username and a valid password
  5. Exit from the login shell
  6. Run `aureport -l` and examine the last for login records

  An unpatched aureport will print the following:

  
  # date time auid host term exe success event
  
  ...
  2. 10/17/2017 23:45:32 UNKNOWN ? /dev/pts/8 /bin/login no 97
  3. 10/17/2017 23:45:39 UNKNOWN ? /dev/pts/8 /bin/login no 99
  4. 10/17/2017 23:45:45 tyhicks ? /dev/pts/8 /bin/login no 101
  5. 10/17/2017 23:45:49 -1 ? /dev/pts/8 /bin/login yes 107

  A patch aureport will print the correct output:

  Login Report
  
  # date time auid host term exe success event
  
  ...
  2. 10/17/2017 23:52:44 UNKNOWN ? /dev/pts/8 /bin/login no 165
  3. 10/17/2017 23:52:52 UNKNOWN ? /dev/pts/8 /bin/login no 167
  4. 10/17/2017 23:52:58 tyhicks ? /dev/pts/8 /bin/login no 169
  5. 10/17/2017 23:53:02 1000 ? /dev/pts/8 /bin/login yes 175

  Note the "1000" in the auid column on the #5 row. It should *not* be
  "-1".

  [Regression Potential]

  The regression potential is limited due to the change only affecting a
  single line of code, the fix comes from upstream, and that the
  aureport utility is not critical.

  [Original Report]

  == Comment: #0 - Miao Tao Feng  - 2016-11-23 02:46:25 ==
  When we develop new testcase for audit, we found that command "aureport -l" 
print out wrong auid "-1"  on ubuntu16.04  and it should be 1000 according to 
the audit.log.

  The following are details:

  root@roselp2:~# aureport -l

  Login Report
  
  # date time auid host term exe success event
  
  1. 11/23/2016 02:20:12 -1 10.33.24.118 /dev/pts/0 /usr/sbin/sshd yes 18

  The auid "-1" on the above line should be "1000? according to the
  audit.log.

  root@roselp2:~# grep ":18" /var/log/audit/audit.log
  type=USER_LOGIN msg=audit(1479889212.292:18): pid=4177 uid=0 auid=1000 ses=4 
msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.33.24.118 
addr=10.33.24.118 terminal=/dev/pts/0 res=success'

  root@roselp2:~# dpkg -s auditd
  Package: auditd
  Status: install ok installed
  Priority: extra
  Section: admin
  Installed-Size: 1051
  Maintainer: Ubuntu Developers 
  Architecture: ppc64el
  Source: audit
  Version: 1:2.4.5-1ubuntu2
  Depends: lsb-base (>= 3.0-6), mawk | gawk, init-system-helpers (>= 1.18~), 
libaudit1 (>= 1:2.4.2), libauparse0 (>= 1:2.3.1), libc6 (>= 2.17)
  Suggests: audispd-plugins

  root@roselp2:~# uname -a
  Linux roselp2 4.4.0-47-generic #68-Ubuntu SMP Wed Oct 26 19:38:24 UTC 2016 
ppc64le ppc64le ppc64le GNU/Linux

  root@roselp2:~# service auditd status
  ? auditd.service - Security Auditing Service
     Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor 
preset: e
     Active: active (running) since Wed 2016-11-23 02:19:21 CST; 19s ago
   Main PID: 4085 (auditd)
     CGroup: /system.slice/auditd.service
     ??4085 /sbin/auditd -n

  Nov 23 02:19:21 roselp2 auditctl[4086]: enabled 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: failure 1
  Nov 23 02:19:21 roselp2 auditctl[4086]: pid 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: rate_limit 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: backlog_limit 320
  Nov 23 02:19:21 roselp2 auditctl[4086]: lost 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: backlog 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: backlog_wait_time 15000
  Nov 23 02:19:21 roselp2 systemd[1]: Started Security Auditing Service.
  Nov 23 02:19:21 roselp2 auditd[4085]: Init complete, auditd 2.4.5 listening 
for

  Please cherry pick https://github.com/linux-audit/audit-
  userspace/commit/25097d64344828a80acf681da5c1dacc4ea3c069

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-power-systems/+bug/1724152/+subscriptions

-- 
Mailing list: 

[Touch-packages] [Bug 1724152] Re: ISST-LTE: pVM: aureport couldn't get the right auid from the audit log on ubuntu16.04

[Tyler Hicks]

@Pavithra Hello! I believe that your `aureport -l` is showing that the
bug is not fixed although I suspect that you did not install the auditd
package from zesty-proposed. Can you reply with the version of auditd
that was installed when you ran aureport?

It should be version 1:2.6.6-1ubuntu1.1 which can be installed by
enabling the proposed pocket:


  https://wiki.ubuntu.com/Testing/EnableProposed

Thanks!

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to audit in Ubuntu.
https://bugs.launchpad.net/bugs/1724152

Title:
  ISST-LTE: pVM: aureport couldn't get the right auid from the audit log
  on ubuntu16.04

Status in The Ubuntu-power-systems project:
  Fix Committed
Status in audit package in Ubuntu:
  Invalid
Status in audit source package in Xenial:
  Fix Committed
Status in audit source package in Zesty:
  Fix Committed

Bug description:
  [Impact]

  The aureport command, part of the audit userspace utilities,
  incorrectly reports the user id of successful logins. "-1" is printed
  instead of the expected user id.

  [Test Case]

  As root, run `login`. Proceed as follows:

  1. Login with a blank username and any password
  2. Login with an invalid username and any password
  3. Login with a valid username and an invalid password
  4. Login with a valid username and a valid password
  5. Exit from the login shell
  6. Run `aureport -l` and examine the last for login records

  An unpatched aureport will print the following:

  
  # date time auid host term exe success event
  
  ...
  2. 10/17/2017 23:45:32 UNKNOWN ? /dev/pts/8 /bin/login no 97
  3. 10/17/2017 23:45:39 UNKNOWN ? /dev/pts/8 /bin/login no 99
  4. 10/17/2017 23:45:45 tyhicks ? /dev/pts/8 /bin/login no 101
  5. 10/17/2017 23:45:49 -1 ? /dev/pts/8 /bin/login yes 107

  A patch aureport will print the correct output:

  Login Report
  
  # date time auid host term exe success event
  
  ...
  2. 10/17/2017 23:52:44 UNKNOWN ? /dev/pts/8 /bin/login no 165
  3. 10/17/2017 23:52:52 UNKNOWN ? /dev/pts/8 /bin/login no 167
  4. 10/17/2017 23:52:58 tyhicks ? /dev/pts/8 /bin/login no 169
  5. 10/17/2017 23:53:02 1000 ? /dev/pts/8 /bin/login yes 175

  Note the "1000" in the auid column on the #5 row. It should *not* be
  "-1".

  [Regression Potential]

  The regression potential is limited due to the change only affecting a
  single line of code, the fix comes from upstream, and that the
  aureport utility is not critical.

  [Original Report]

  == Comment: #0 - Miao Tao Feng  - 2016-11-23 02:46:25 ==
  When we develop new testcase for audit, we found that command "aureport -l" 
print out wrong auid "-1"  on ubuntu16.04  and it should be 1000 according to 
the audit.log.

  The following are details:

  root@roselp2:~# aureport -l

  Login Report
  
  # date time auid host term exe success event
  
  1. 11/23/2016 02:20:12 -1 10.33.24.118 /dev/pts/0 /usr/sbin/sshd yes 18

  The auid "-1" on the above line should be "1000? according to the
  audit.log.

  root@roselp2:~# grep ":18" /var/log/audit/audit.log
  type=USER_LOGIN msg=audit(1479889212.292:18): pid=4177 uid=0 auid=1000 ses=4 
msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.33.24.118 
addr=10.33.24.118 terminal=/dev/pts/0 res=success'

  root@roselp2:~# dpkg -s auditd
  Package: auditd
  Status: install ok installed
  Priority: extra
  Section: admin
  Installed-Size: 1051
  Maintainer: Ubuntu Developers 
  Architecture: ppc64el
  Source: audit
  Version: 1:2.4.5-1ubuntu2
  Depends: lsb-base (>= 3.0-6), mawk | gawk, init-system-helpers (>= 1.18~), 
libaudit1 (>= 1:2.4.2), libauparse0 (>= 1:2.3.1), libc6 (>= 2.17)
  Suggests: audispd-plugins

  root@roselp2:~# uname -a
  Linux roselp2 4.4.0-47-generic #68-Ubuntu SMP Wed Oct 26 19:38:24 UTC 2016 
ppc64le ppc64le ppc64le GNU/Linux

  root@roselp2:~# service auditd status
  ? auditd.service - Security Auditing Service
     Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor 
preset: e
     Active: active (running) since Wed 2016-11-23 02:19:21 CST; 19s ago
   Main PID: 4085 (auditd)
     CGroup: /system.slice/auditd.service
     ??4085 /sbin/auditd -n

  Nov 23 02:19:21 roselp2 auditctl[4086]: enabled 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: failure 1
  Nov 23 02:19:21 roselp2 auditctl[4086]: pid 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: rate_limit 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: backlog_limit 320
  Nov 23 02:19:21 roselp2 auditctl[4086]: lost 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: backlog 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: backlog_wait_time 15000
  Nov 23 02:19:21 roselp2 systemd[1]: Started 

[Touch-packages] [Bug 1724152] Re: ISST-LTE: pVM: aureport couldn't get the right auid from the audit log on ubuntu16.04

[Manoj Iyer]

** Changed in: ubuntu-power-systems
   Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to audit in Ubuntu.
https://bugs.launchpad.net/bugs/1724152

Title:
  ISST-LTE: pVM: aureport couldn't get the right auid from the audit log
  on ubuntu16.04

Status in The Ubuntu-power-systems project:
  Fix Committed
Status in audit package in Ubuntu:
  Invalid
Status in audit source package in Xenial:
  Fix Committed
Status in audit source package in Zesty:
  Fix Committed

Bug description:
  [Impact]

  The aureport command, part of the audit userspace utilities,
  incorrectly reports the user id of successful logins. "-1" is printed
  instead of the expected user id.

  [Test Case]

  As root, run `login`. Proceed as follows:

  1. Login with a blank username and any password
  2. Login with an invalid username and any password
  3. Login with a valid username and an invalid password
  4. Login with a valid username and a valid password
  5. Exit from the login shell
  6. Run `aureport -l` and examine the last for login records

  An unpatched aureport will print the following:

  
  # date time auid host term exe success event
  
  ...
  2. 10/17/2017 23:45:32 UNKNOWN ? /dev/pts/8 /bin/login no 97
  3. 10/17/2017 23:45:39 UNKNOWN ? /dev/pts/8 /bin/login no 99
  4. 10/17/2017 23:45:45 tyhicks ? /dev/pts/8 /bin/login no 101
  5. 10/17/2017 23:45:49 -1 ? /dev/pts/8 /bin/login yes 107

  A patch aureport will print the correct output:

  Login Report
  
  # date time auid host term exe success event
  
  ...
  2. 10/17/2017 23:52:44 UNKNOWN ? /dev/pts/8 /bin/login no 165
  3. 10/17/2017 23:52:52 UNKNOWN ? /dev/pts/8 /bin/login no 167
  4. 10/17/2017 23:52:58 tyhicks ? /dev/pts/8 /bin/login no 169
  5. 10/17/2017 23:53:02 1000 ? /dev/pts/8 /bin/login yes 175

  Note the "1000" in the auid column on the #5 row. It should *not* be
  "-1".

  [Regression Potential]

  The regression potential is limited due to the change only affecting a
  single line of code, the fix comes from upstream, and that the
  aureport utility is not critical.

  [Original Report]

  == Comment: #0 - Miao Tao Feng  - 2016-11-23 02:46:25 ==
  When we develop new testcase for audit, we found that command "aureport -l" 
print out wrong auid "-1"  on ubuntu16.04  and it should be 1000 according to 
the audit.log.

  The following are details:

  root@roselp2:~# aureport -l

  Login Report
  
  # date time auid host term exe success event
  
  1. 11/23/2016 02:20:12 -1 10.33.24.118 /dev/pts/0 /usr/sbin/sshd yes 18

  The auid "-1" on the above line should be "1000? according to the
  audit.log.

  root@roselp2:~# grep ":18" /var/log/audit/audit.log
  type=USER_LOGIN msg=audit(1479889212.292:18): pid=4177 uid=0 auid=1000 ses=4 
msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.33.24.118 
addr=10.33.24.118 terminal=/dev/pts/0 res=success'

  root@roselp2:~# dpkg -s auditd
  Package: auditd
  Status: install ok installed
  Priority: extra
  Section: admin
  Installed-Size: 1051
  Maintainer: Ubuntu Developers 
  Architecture: ppc64el
  Source: audit
  Version: 1:2.4.5-1ubuntu2
  Depends: lsb-base (>= 3.0-6), mawk | gawk, init-system-helpers (>= 1.18~), 
libaudit1 (>= 1:2.4.2), libauparse0 (>= 1:2.3.1), libc6 (>= 2.17)
  Suggests: audispd-plugins

  root@roselp2:~# uname -a
  Linux roselp2 4.4.0-47-generic #68-Ubuntu SMP Wed Oct 26 19:38:24 UTC 2016 
ppc64le ppc64le ppc64le GNU/Linux

  root@roselp2:~# service auditd status
  ? auditd.service - Security Auditing Service
     Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor 
preset: e
     Active: active (running) since Wed 2016-11-23 02:19:21 CST; 19s ago
   Main PID: 4085 (auditd)
     CGroup: /system.slice/auditd.service
     ??4085 /sbin/auditd -n

  Nov 23 02:19:21 roselp2 auditctl[4086]: enabled 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: failure 1
  Nov 23 02:19:21 roselp2 auditctl[4086]: pid 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: rate_limit 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: backlog_limit 320
  Nov 23 02:19:21 roselp2 auditctl[4086]: lost 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: backlog 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: backlog_wait_time 15000
  Nov 23 02:19:21 roselp2 systemd[1]: Started Security Auditing Service.
  Nov 23 02:19:21 roselp2 auditd[4085]: Init complete, auditd 2.4.5 listening 
for

  Please cherry pick https://github.com/linux-audit/audit-
  userspace/commit/25097d64344828a80acf681da5c1dacc4ea3c069

To manage notifications about this bug go to:

[Touch-packages] [Bug 1724152] Re: ISST-LTE: pVM: aureport couldn't get the right auid from the audit log on ubuntu16.04

[Brian Murray]

Hello bugproxy, or anyone else affected,

Accepted audit into zesty-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/audit/1:2.6.6-1ubuntu1.1 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-zesty to verification-done-zesty. If it does not fix
the bug for you, please add a comment stating that, and change the tag
to verification-failed-zesty. In either case, details of your testing
will help us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: audit (Ubuntu Zesty)
   Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-zesty

** Changed in: audit (Ubuntu Xenial)
   Status: In Progress => Fix Committed

** Tags added: verification-needed-xenial

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to audit in Ubuntu.
https://bugs.launchpad.net/bugs/1724152

Title:
  ISST-LTE: pVM: aureport couldn't get the right auid from the audit log
  on ubuntu16.04

Status in The Ubuntu-power-systems project:
  In Progress
Status in audit package in Ubuntu:
  Invalid
Status in audit source package in Xenial:
  Fix Committed
Status in audit source package in Zesty:
  Fix Committed

Bug description:
  [Impact]

  The aureport command, part of the audit userspace utilities,
  incorrectly reports the user id of successful logins. "-1" is printed
  instead of the expected user id.

  [Test Case]

  As root, run `login`. Proceed as follows:

  1. Login with a blank username and any password
  2. Login with an invalid username and any password
  3. Login with a valid username and an invalid password
  4. Login with a valid username and a valid password
  5. Exit from the login shell
  6. Run `aureport -l` and examine the last for login records

  An unpatched aureport will print the following:

  
  # date time auid host term exe success event
  
  ...
  2. 10/17/2017 23:45:32 UNKNOWN ? /dev/pts/8 /bin/login no 97
  3. 10/17/2017 23:45:39 UNKNOWN ? /dev/pts/8 /bin/login no 99
  4. 10/17/2017 23:45:45 tyhicks ? /dev/pts/8 /bin/login no 101
  5. 10/17/2017 23:45:49 -1 ? /dev/pts/8 /bin/login yes 107

  A patch aureport will print the correct output:

  Login Report
  
  # date time auid host term exe success event
  
  ...
  2. 10/17/2017 23:52:44 UNKNOWN ? /dev/pts/8 /bin/login no 165
  3. 10/17/2017 23:52:52 UNKNOWN ? /dev/pts/8 /bin/login no 167
  4. 10/17/2017 23:52:58 tyhicks ? /dev/pts/8 /bin/login no 169
  5. 10/17/2017 23:53:02 1000 ? /dev/pts/8 /bin/login yes 175

  Note the "1000" in the auid column on the #5 row. It should *not* be
  "-1".

  [Regression Potential]

  The regression potential is limited due to the change only affecting a
  single line of code, the fix comes from upstream, and that the
  aureport utility is not critical.

  [Original Report]

  == Comment: #0 - Miao Tao Feng  - 2016-11-23 02:46:25 ==
  When we develop new testcase for audit, we found that command "aureport -l" 
print out wrong auid "-1"  on ubuntu16.04  and it should be 1000 according to 
the audit.log.

  The following are details:

  root@roselp2:~# aureport -l

  Login Report
  
  # date time auid host term exe success event
  
  1. 11/23/2016 02:20:12 -1 10.33.24.118 /dev/pts/0 /usr/sbin/sshd yes 18

  The auid "-1" on the above line should be "1000? according to the
  audit.log.

  root@roselp2:~# grep ":18" /var/log/audit/audit.log
  type=USER_LOGIN msg=audit(1479889212.292:18): pid=4177 uid=0 auid=1000 ses=4 
msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.33.24.118 
addr=10.33.24.118 terminal=/dev/pts/0 res=success'

  root@roselp2:~# dpkg -s auditd
  Package: auditd
  Status: install ok installed
  Priority: extra
  Section: admin
  Installed-Size: 1051
  Maintainer: Ubuntu Developers 
  Architecture: ppc64el
  Source: audit
  Version: 1:2.4.5-1ubuntu2
  Depends: lsb-base (>= 3.0-6), mawk | gawk, init-system-helpers (>= 1.18~), 
libaudit1 (>= 1:2.4.2), libauparse0 (>= 1:2.3.1), libc6 (>= 2.17)
  Suggests: audispd-plugins

  root@roselp2:~# uname -a
  Linux roselp2 4.4.0-47-generic #68-Ubuntu SMP Wed Oct 26 19:38:24 UTC 

[Touch-packages] [Bug 1724152] Re: ISST-LTE: pVM: aureport couldn't get the right auid from the audit log on ubuntu16.04

[Tyler Hicks]

** Changed in: ubuntu-power-systems
 Assignee: Canonical Security Team (canonical-security) => Ubuntu Security 
Team (ubuntu-security)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to audit in Ubuntu.
https://bugs.launchpad.net/bugs/1724152

Title:
  ISST-LTE: pVM: aureport couldn't get the right auid from the audit log
  on ubuntu16.04

Status in The Ubuntu-power-systems project:
  In Progress
Status in audit package in Ubuntu:
  Invalid
Status in audit source package in Xenial:
  In Progress
Status in audit source package in Zesty:
  In Progress

Bug description:
  [Impact]

  The aureport command, part of the audit userspace utilities,
  incorrectly reports the user id of successful logins. "-1" is printed
  instead of the expected user id.

  [Test Case]

  As root, run `login`. Proceed as follows:

  1. Login with a blank username and any password
  2. Login with an invalid username and any password
  3. Login with a valid username and an invalid password
  4. Login with a valid username and a valid password
  5. Exit from the login shell
  6. Run `aureport -l` and examine the last for login records

  An unpatched aureport will print the following:

  
  # date time auid host term exe success event
  
  ...
  2. 10/17/2017 23:45:32 UNKNOWN ? /dev/pts/8 /bin/login no 97
  3. 10/17/2017 23:45:39 UNKNOWN ? /dev/pts/8 /bin/login no 99
  4. 10/17/2017 23:45:45 tyhicks ? /dev/pts/8 /bin/login no 101
  5. 10/17/2017 23:45:49 -1 ? /dev/pts/8 /bin/login yes 107

  A patch aureport will print the correct output:

  Login Report
  
  # date time auid host term exe success event
  
  ...
  2. 10/17/2017 23:52:44 UNKNOWN ? /dev/pts/8 /bin/login no 165
  3. 10/17/2017 23:52:52 UNKNOWN ? /dev/pts/8 /bin/login no 167
  4. 10/17/2017 23:52:58 tyhicks ? /dev/pts/8 /bin/login no 169
  5. 10/17/2017 23:53:02 1000 ? /dev/pts/8 /bin/login yes 175

  Note the "1000" in the auid column on the #5 row. It should *not* be
  "-1".

  [Regression Potential]

  The regression potential is limited due to the change only affecting a
  single line of code, the fix comes from upstream, and that the
  aureport utility is not critical.

  [Original Report]

  == Comment: #0 - Miao Tao Feng  - 2016-11-23 02:46:25 ==
  When we develop new testcase for audit, we found that command "aureport -l" 
print out wrong auid "-1"  on ubuntu16.04  and it should be 1000 according to 
the audit.log.

  The following are details:

  root@roselp2:~# aureport -l

  Login Report
  
  # date time auid host term exe success event
  
  1. 11/23/2016 02:20:12 -1 10.33.24.118 /dev/pts/0 /usr/sbin/sshd yes 18

  The auid "-1" on the above line should be "1000? according to the
  audit.log.

  root@roselp2:~# grep ":18" /var/log/audit/audit.log
  type=USER_LOGIN msg=audit(1479889212.292:18): pid=4177 uid=0 auid=1000 ses=4 
msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.33.24.118 
addr=10.33.24.118 terminal=/dev/pts/0 res=success'

  root@roselp2:~# dpkg -s auditd
  Package: auditd
  Status: install ok installed
  Priority: extra
  Section: admin
  Installed-Size: 1051
  Maintainer: Ubuntu Developers 
  Architecture: ppc64el
  Source: audit
  Version: 1:2.4.5-1ubuntu2
  Depends: lsb-base (>= 3.0-6), mawk | gawk, init-system-helpers (>= 1.18~), 
libaudit1 (>= 1:2.4.2), libauparse0 (>= 1:2.3.1), libc6 (>= 2.17)
  Suggests: audispd-plugins

  root@roselp2:~# uname -a
  Linux roselp2 4.4.0-47-generic #68-Ubuntu SMP Wed Oct 26 19:38:24 UTC 2016 
ppc64le ppc64le ppc64le GNU/Linux

  root@roselp2:~# service auditd status
  ? auditd.service - Security Auditing Service
     Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor 
preset: e
     Active: active (running) since Wed 2016-11-23 02:19:21 CST; 19s ago
   Main PID: 4085 (auditd)
     CGroup: /system.slice/auditd.service
     ??4085 /sbin/auditd -n

  Nov 23 02:19:21 roselp2 auditctl[4086]: enabled 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: failure 1
  Nov 23 02:19:21 roselp2 auditctl[4086]: pid 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: rate_limit 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: backlog_limit 320
  Nov 23 02:19:21 roselp2 auditctl[4086]: lost 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: backlog 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: backlog_wait_time 15000
  Nov 23 02:19:21 roselp2 systemd[1]: Started Security Auditing Service.
  Nov 23 02:19:21 roselp2 auditd[4085]: Init complete, auditd 2.4.5 listening 
for

  Please cherry pick https://github.com/linux-audit/audit-
  userspace/commit/25097d64344828a80acf681da5c1dacc4ea3c069

To manage notifications about this bug go to:

[Touch-packages] [Bug 1724152] Re: ISST-LTE: pVM: aureport couldn't get the right auid from the audit log on ubuntu16.04

[Andrew Cloke]

** Changed in: ubuntu-power-systems
   Status: New => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to audit in Ubuntu.
https://bugs.launchpad.net/bugs/1724152

Title:
  ISST-LTE: pVM: aureport couldn't get the right auid from the audit log
  on ubuntu16.04

Status in The Ubuntu-power-systems project:
  In Progress
Status in audit package in Ubuntu:
  Invalid
Status in audit source package in Xenial:
  In Progress
Status in audit source package in Zesty:
  In Progress

Bug description:
  [Impact]

  The aureport command, part of the audit userspace utilities,
  incorrectly reports the user id of successful logins. "-1" is printed
  instead of the expected user id.

  [Test Case]

  As root, run `login`. Proceed as follows:

  1. Login with a blank username and any password
  2. Login with an invalid username and any password
  3. Login with a valid username and an invalid password
  4. Login with a valid username and a valid password
  5. Exit from the login shell
  6. Run `aureport -l` and examine the last for login records

  An unpatched aureport will print the following:

  
  # date time auid host term exe success event
  
  ...
  2. 10/17/2017 23:45:32 UNKNOWN ? /dev/pts/8 /bin/login no 97
  3. 10/17/2017 23:45:39 UNKNOWN ? /dev/pts/8 /bin/login no 99
  4. 10/17/2017 23:45:45 tyhicks ? /dev/pts/8 /bin/login no 101
  5. 10/17/2017 23:45:49 -1 ? /dev/pts/8 /bin/login yes 107

  A patch aureport will print the correct output:

  Login Report
  
  # date time auid host term exe success event
  
  ...
  2. 10/17/2017 23:52:44 UNKNOWN ? /dev/pts/8 /bin/login no 165
  3. 10/17/2017 23:52:52 UNKNOWN ? /dev/pts/8 /bin/login no 167
  4. 10/17/2017 23:52:58 tyhicks ? /dev/pts/8 /bin/login no 169
  5. 10/17/2017 23:53:02 1000 ? /dev/pts/8 /bin/login yes 175

  Note the "1000" in the auid column on the #5 row. It should *not* be
  "-1".

  [Regression Potential]

  The regression potential is limited due to the change only affecting a
  single line of code, the fix comes from upstream, and that the
  aureport utility is not critical.

  [Original Report]

  == Comment: #0 - Miao Tao Feng  - 2016-11-23 02:46:25 ==
  When we develop new testcase for audit, we found that command "aureport -l" 
print out wrong auid "-1"  on ubuntu16.04  and it should be 1000 according to 
the audit.log.

  The following are details:

  root@roselp2:~# aureport -l

  Login Report
  
  # date time auid host term exe success event
  
  1. 11/23/2016 02:20:12 -1 10.33.24.118 /dev/pts/0 /usr/sbin/sshd yes 18

  The auid "-1" on the above line should be "1000? according to the
  audit.log.

  root@roselp2:~# grep ":18" /var/log/audit/audit.log
  type=USER_LOGIN msg=audit(1479889212.292:18): pid=4177 uid=0 auid=1000 ses=4 
msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.33.24.118 
addr=10.33.24.118 terminal=/dev/pts/0 res=success'

  root@roselp2:~# dpkg -s auditd
  Package: auditd
  Status: install ok installed
  Priority: extra
  Section: admin
  Installed-Size: 1051
  Maintainer: Ubuntu Developers 
  Architecture: ppc64el
  Source: audit
  Version: 1:2.4.5-1ubuntu2
  Depends: lsb-base (>= 3.0-6), mawk | gawk, init-system-helpers (>= 1.18~), 
libaudit1 (>= 1:2.4.2), libauparse0 (>= 1:2.3.1), libc6 (>= 2.17)
  Suggests: audispd-plugins

  root@roselp2:~# uname -a
  Linux roselp2 4.4.0-47-generic #68-Ubuntu SMP Wed Oct 26 19:38:24 UTC 2016 
ppc64le ppc64le ppc64le GNU/Linux

  root@roselp2:~# service auditd status
  ? auditd.service - Security Auditing Service
     Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor 
preset: e
     Active: active (running) since Wed 2016-11-23 02:19:21 CST; 19s ago
   Main PID: 4085 (auditd)
     CGroup: /system.slice/auditd.service
     ??4085 /sbin/auditd -n

  Nov 23 02:19:21 roselp2 auditctl[4086]: enabled 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: failure 1
  Nov 23 02:19:21 roselp2 auditctl[4086]: pid 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: rate_limit 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: backlog_limit 320
  Nov 23 02:19:21 roselp2 auditctl[4086]: lost 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: backlog 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: backlog_wait_time 15000
  Nov 23 02:19:21 roselp2 systemd[1]: Started Security Auditing Service.
  Nov 23 02:19:21 roselp2 auditd[4085]: Init complete, auditd 2.4.5 listening 
for

  Please cherry pick https://github.com/linux-audit/audit-
  userspace/commit/25097d64344828a80acf681da5c1dacc4ea3c069

To manage notifications about this bug go to:

[Touch-packages] [Bug 1724152] Re: ISST-LTE: pVM: aureport couldn't get the right auid from the audit log on ubuntu16.04

[Tyler Hicks]

Fixes have been uploaded to Ubuntu 17.04 and Ubuntu 16.04 LTS and should
be accepted into the respective -proposed pockets soon. I'd greatly
appreciate it if IBM could verify the fixes once they've been accepted.
There will be an automated message posted at that time instructing
anyone interested about how to enable -proposed and verify the fix.
Thanks!

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to audit in Ubuntu.
https://bugs.launchpad.net/bugs/1724152

Title:
  ISST-LTE: pVM: aureport couldn't get the right auid from the audit log
  on ubuntu16.04

Status in The Ubuntu-power-systems project:
  New
Status in audit package in Ubuntu:
  Invalid
Status in audit source package in Xenial:
  In Progress
Status in audit source package in Zesty:
  In Progress

Bug description:
  [Impact]

  The aureport command, part of the audit userspace utilities,
  incorrectly reports the user id of successful logins. "-1" is printed
  instead of the expected user id.

  [Test Case]

  As root, run `login`. Proceed as follows:

  1. Login with a blank username and any password
  2. Login with an invalid username and any password
  3. Login with a valid username and an invalid password
  4. Login with a valid username and a valid password
  5. Exit from the login shell
  6. Run `aureport -l` and examine the last for login records

  An unpatched aureport will print the following:

  
  # date time auid host term exe success event
  
  ...
  2. 10/17/2017 23:45:32 UNKNOWN ? /dev/pts/8 /bin/login no 97
  3. 10/17/2017 23:45:39 UNKNOWN ? /dev/pts/8 /bin/login no 99
  4. 10/17/2017 23:45:45 tyhicks ? /dev/pts/8 /bin/login no 101
  5. 10/17/2017 23:45:49 -1 ? /dev/pts/8 /bin/login yes 107

  A patch aureport will print the correct output:

  Login Report
  
  # date time auid host term exe success event
  
  ...
  2. 10/17/2017 23:52:44 UNKNOWN ? /dev/pts/8 /bin/login no 165
  3. 10/17/2017 23:52:52 UNKNOWN ? /dev/pts/8 /bin/login no 167
  4. 10/17/2017 23:52:58 tyhicks ? /dev/pts/8 /bin/login no 169
  5. 10/17/2017 23:53:02 1000 ? /dev/pts/8 /bin/login yes 175

  Note the "1000" in the auid column on the #5 row. It should *not* be
  "-1".

  [Regression Potential]

  The regression potential is limited due to the change only affecting a
  single line of code, the fix comes from upstream, and that the
  aureport utility is not critical.

  [Original Report]

  == Comment: #0 - Miao Tao Feng  - 2016-11-23 02:46:25 ==
  When we develop new testcase for audit, we found that command "aureport -l" 
print out wrong auid "-1"  on ubuntu16.04  and it should be 1000 according to 
the audit.log.

  The following are details:

  root@roselp2:~# aureport -l

  Login Report
  
  # date time auid host term exe success event
  
  1. 11/23/2016 02:20:12 -1 10.33.24.118 /dev/pts/0 /usr/sbin/sshd yes 18

  The auid "-1" on the above line should be "1000? according to the
  audit.log.

  root@roselp2:~# grep ":18" /var/log/audit/audit.log
  type=USER_LOGIN msg=audit(1479889212.292:18): pid=4177 uid=0 auid=1000 ses=4 
msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.33.24.118 
addr=10.33.24.118 terminal=/dev/pts/0 res=success'

  root@roselp2:~# dpkg -s auditd
  Package: auditd
  Status: install ok installed
  Priority: extra
  Section: admin
  Installed-Size: 1051
  Maintainer: Ubuntu Developers 
  Architecture: ppc64el
  Source: audit
  Version: 1:2.4.5-1ubuntu2
  Depends: lsb-base (>= 3.0-6), mawk | gawk, init-system-helpers (>= 1.18~), 
libaudit1 (>= 1:2.4.2), libauparse0 (>= 1:2.3.1), libc6 (>= 2.17)
  Suggests: audispd-plugins

  root@roselp2:~# uname -a
  Linux roselp2 4.4.0-47-generic #68-Ubuntu SMP Wed Oct 26 19:38:24 UTC 2016 
ppc64le ppc64le ppc64le GNU/Linux

  root@roselp2:~# service auditd status
  ? auditd.service - Security Auditing Service
     Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor 
preset: e
     Active: active (running) since Wed 2016-11-23 02:19:21 CST; 19s ago
   Main PID: 4085 (auditd)
     CGroup: /system.slice/auditd.service
     ??4085 /sbin/auditd -n

  Nov 23 02:19:21 roselp2 auditctl[4086]: enabled 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: failure 1
  Nov 23 02:19:21 roselp2 auditctl[4086]: pid 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: rate_limit 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: backlog_limit 320
  Nov 23 02:19:21 roselp2 auditctl[4086]: lost 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: backlog 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: backlog_wait_time 15000
  Nov 23 02:19:21 roselp2 systemd[1]: Started Security Auditing Service.
  Nov 23 02:19:21 roselp2 auditd[4085]: 

[Touch-packages] [Bug 1724152] Re: ISST-LTE: pVM: aureport couldn't get the right auid from the audit log on ubuntu16.04

[Tyler Hicks]

** Description changed:

+ [Impact]
+ 
+ The aureport command, part of the audit userspace utilities, incorrectly
+ reports the user id of successful logins. "-1" is printed instead of the
+ expected user id.
+ 
+ [Test Case]
+ 
+ As root, run `login`. Proceed as follows:
+ 
+ 1. Login with a blank username and any password
+ 2. Login with an invalid username and any password
+ 3. Login with a valid username and an invalid password
+ 4. Login with a valid username and a valid password
+ 5. Exit from the login shell
+ 6. Run `aureport -l` and examine the last for login records
+ 
+ An unpatched aureport will print the following:
+ 
+ 
+ # date time auid host term exe success event
+ 
+ ...
+ 2. 10/17/2017 23:45:32 UNKNOWN ? /dev/pts/8 /bin/login no 97
+ 3. 10/17/2017 23:45:39 UNKNOWN ? /dev/pts/8 /bin/login no 99
+ 4. 10/17/2017 23:45:45 tyhicks ? /dev/pts/8 /bin/login no 101
+ 5. 10/17/2017 23:45:49 -1 ? /dev/pts/8 /bin/login yes 107
+ 
+ A patch aureport will print the correct output:
+ 
+ Login Report
+ 
+ # date time auid host term exe success event
+ 
+ ...
+ 2. 10/17/2017 23:52:44 UNKNOWN ? /dev/pts/8 /bin/login no 165
+ 3. 10/17/2017 23:52:52 UNKNOWN ? /dev/pts/8 /bin/login no 167
+ 4. 10/17/2017 23:52:58 tyhicks ? /dev/pts/8 /bin/login no 169
+ 5. 10/17/2017 23:53:02 1000 ? /dev/pts/8 /bin/login yes 175
+ 
+ Note the "1000" in the auid column on the #5 row. It should *not* be
+ "-1".
+ 
+ [Regression Potential]
+ 
+ The regression potential is limited due to the change only affecting a
+ single line of code, the fix comes from upstream, and that the aureport
+ utility is not critical.
+ 
+ [Original Report]
+ 
  == Comment: #0 - Miao Tao Feng  - 2016-11-23 02:46:25 ==
- When we develop new testcase for audit, we found that command "aureport -l" 
print out wrong auid "-1"  on ubuntu16.04  and it should be 1000 according to 
the audit.log. 
+ When we develop new testcase for audit, we found that command "aureport -l" 
print out wrong auid "-1"  on ubuntu16.04  and it should be 1000 according to 
the audit.log.
  
  The following are details:
  
  root@roselp2:~# aureport -l
  
  Login Report
  
  # date time auid host term exe success event
  
  1. 11/23/2016 02:20:12 -1 10.33.24.118 /dev/pts/0 /usr/sbin/sshd yes 18
  
  The auid "-1" on the above line should be "1000? according to the
  audit.log.
  
- root@roselp2:~# grep ":18" /var/log/audit/audit.log 
+ root@roselp2:~# grep ":18" /var/log/audit/audit.log
  type=USER_LOGIN msg=audit(1479889212.292:18): pid=4177 uid=0 auid=1000 ses=4 
msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.33.24.118 
addr=10.33.24.118 terminal=/dev/pts/0 res=success'
  
  root@roselp2:~# dpkg -s auditd
  Package: auditd
  Status: install ok installed
  Priority: extra
  Section: admin
  Installed-Size: 1051
  Maintainer: Ubuntu Developers 
  Architecture: ppc64el
  Source: audit
  Version: 1:2.4.5-1ubuntu2
  Depends: lsb-base (>= 3.0-6), mawk | gawk, init-system-helpers (>= 1.18~), 
libaudit1 (>= 1:2.4.2), libauparse0 (>= 1:2.3.1), libc6 (>= 2.17)
  Suggests: audispd-plugins
  
- 
  root@roselp2:~# uname -a
  Linux roselp2 4.4.0-47-generic #68-Ubuntu SMP Wed Oct 26 19:38:24 UTC 2016 
ppc64le ppc64le ppc64le GNU/Linux
  
- 
  root@roselp2:~# service auditd status
  ? auditd.service - Security Auditing Service
-Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor 
preset: e
-Active: active (running) since Wed 2016-11-23 02:19:21 CST; 19s ago
-  Main PID: 4085 (auditd)
-CGroup: /system.slice/auditd.service
-??4085 /sbin/auditd -n
+    Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor 
preset: e
+    Active: active (running) since Wed 2016-11-23 02:19:21 CST; 19s ago
+  Main PID: 4085 (auditd)
+    CGroup: /system.slice/auditd.service
+    ??4085 /sbin/auditd -n
  
  Nov 23 02:19:21 roselp2 auditctl[4086]: enabled 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: failure 1
  Nov 23 02:19:21 roselp2 auditctl[4086]: pid 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: rate_limit 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: backlog_limit 320
  Nov 23 02:19:21 roselp2 auditctl[4086]: lost 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: backlog 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: backlog_wait_time 15000
  Nov 23 02:19:21 roselp2 systemd[1]: Started Security Auditing Service.
  Nov 23 02:19:21 roselp2 auditd[4085]: Init complete, auditd 2.4.5 listening 
for
  
  Please cherry pick https://github.com/linux-audit/audit-
  userspace/commit/25097d64344828a80acf681da5c1dacc4ea3c069

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to audit in 

[Touch-packages] [Bug 1724152] Re: ISST-LTE: pVM: aureport couldn't get the right auid from the audit log on ubuntu16.04

[Tyler Hicks]

I have verified this bug on Ubuntu 17.04 and Ubuntu 16.04 LTS. It does
not affect Ubuntu 17.10 (artful) as the audit package is new enough in
that release to have received the upstream fix.

While performing the backport of the fix, I noticed that the code
comments around the area of the code that was modified were at odds with
the code changes. After determining that the code was correct and the
comments were incorrect, I opened a upstream pull request to fix the
comments:

  https://github.com/linux-audit/audit-userspace/pull/30

I'll proceed with only the code changes and leave the incorrect comment
for the purposes of this SRU.

** Changed in: audit (Ubuntu)
 Assignee: Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage) => 
Tyler Hicks (tyhicks)

** Changed in: audit (Ubuntu)
   Status: New => In Progress

** Changed in: audit (Ubuntu)
   Importance: Undecided => Medium

** Also affects: audit (Ubuntu Zesty)
   Importance: Undecided
   Status: New

** Also affects: audit (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: audit (Ubuntu Xenial)
 Assignee: (unassigned) => Tyler Hicks (tyhicks)

** Changed in: audit (Ubuntu Zesty)
 Assignee: (unassigned) => Tyler Hicks (tyhicks)

** Changed in: audit (Ubuntu Xenial)
   Status: New => In Progress

** Changed in: audit (Ubuntu Zesty)
   Status: New => In Progress

** Changed in: audit (Ubuntu)
   Status: In Progress => Invalid

** Changed in: audit (Ubuntu)
 Assignee: Tyler Hicks (tyhicks) => (unassigned)

** Changed in: audit (Ubuntu Xenial)
   Importance: Undecided => Medium

** Changed in: audit (Ubuntu Zesty)
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to audit in Ubuntu.
https://bugs.launchpad.net/bugs/1724152

Title:
  ISST-LTE: pVM: aureport couldn't get the right auid from the audit log
  on ubuntu16.04

Status in The Ubuntu-power-systems project:
  New
Status in audit package in Ubuntu:
  Invalid
Status in audit source package in Xenial:
  In Progress
Status in audit source package in Zesty:
  In Progress

Bug description:
  == Comment: #0 - Miao Tao Feng  - 2016-11-23 02:46:25 ==
  When we develop new testcase for audit, we found that command "aureport -l" 
print out wrong auid "-1"  on ubuntu16.04  and it should be 1000 according to 
the audit.log. 

  The following are details:

  root@roselp2:~# aureport -l

  Login Report
  
  # date time auid host term exe success event
  
  1. 11/23/2016 02:20:12 -1 10.33.24.118 /dev/pts/0 /usr/sbin/sshd yes 18

  The auid "-1" on the above line should be "1000? according to the
  audit.log.

  root@roselp2:~# grep ":18" /var/log/audit/audit.log 
  type=USER_LOGIN msg=audit(1479889212.292:18): pid=4177 uid=0 auid=1000 ses=4 
msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.33.24.118 
addr=10.33.24.118 terminal=/dev/pts/0 res=success'

  root@roselp2:~# dpkg -s auditd
  Package: auditd
  Status: install ok installed
  Priority: extra
  Section: admin
  Installed-Size: 1051
  Maintainer: Ubuntu Developers 
  Architecture: ppc64el
  Source: audit
  Version: 1:2.4.5-1ubuntu2
  Depends: lsb-base (>= 3.0-6), mawk | gawk, init-system-helpers (>= 1.18~), 
libaudit1 (>= 1:2.4.2), libauparse0 (>= 1:2.3.1), libc6 (>= 2.17)
  Suggests: audispd-plugins

  
  root@roselp2:~# uname -a
  Linux roselp2 4.4.0-47-generic #68-Ubuntu SMP Wed Oct 26 19:38:24 UTC 2016 
ppc64le ppc64le ppc64le GNU/Linux

  
  root@roselp2:~# service auditd status
  ? auditd.service - Security Auditing Service
 Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor 
preset: e
 Active: active (running) since Wed 2016-11-23 02:19:21 CST; 19s ago
   Main PID: 4085 (auditd)
 CGroup: /system.slice/auditd.service
 ??4085 /sbin/auditd -n

  Nov 23 02:19:21 roselp2 auditctl[4086]: enabled 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: failure 1
  Nov 23 02:19:21 roselp2 auditctl[4086]: pid 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: rate_limit 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: backlog_limit 320
  Nov 23 02:19:21 roselp2 auditctl[4086]: lost 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: backlog 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: backlog_wait_time 15000
  Nov 23 02:19:21 roselp2 systemd[1]: Started Security Auditing Service.
  Nov 23 02:19:21 roselp2 auditd[4085]: Init complete, auditd 2.4.5 listening 
for

  Please cherry pick https://github.com/linux-audit/audit-
  userspace/commit/25097d64344828a80acf681da5c1dacc4ea3c069

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-power-systems/+bug/1724152/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : 

[Touch-packages] [Bug 1724152] Re: ISST-LTE: pVM: aureport couldn't get the right auid from the audit log on ubuntu16.04

[Frank Heimes]

** Also affects: ubuntu-power-systems
   Importance: Undecided
   Status: New

** Changed in: ubuntu-power-systems
   Importance: Undecided => Medium

** Changed in: ubuntu-power-systems
 Assignee: (unassigned) => Canonical Security Team (canonical-security)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to audit in Ubuntu.
https://bugs.launchpad.net/bugs/1724152

Title:
  ISST-LTE: pVM: aureport couldn't get the right auid from the audit log
  on ubuntu16.04

Status in The Ubuntu-power-systems project:
  New
Status in audit package in Ubuntu:
  New

Bug description:
  == Comment: #0 - Miao Tao Feng  - 2016-11-23 02:46:25 ==
  When we develop new testcase for audit, we found that command "aureport -l" 
print out wrong auid "-1"  on ubuntu16.04  and it should be 1000 according to 
the audit.log. 

  The following are details:

  root@roselp2:~# aureport -l

  Login Report
  
  # date time auid host term exe success event
  
  1. 11/23/2016 02:20:12 -1 10.33.24.118 /dev/pts/0 /usr/sbin/sshd yes 18

  The auid "-1" on the above line should be "1000? according to the
  audit.log.

  root@roselp2:~# grep ":18" /var/log/audit/audit.log 
  type=USER_LOGIN msg=audit(1479889212.292:18): pid=4177 uid=0 auid=1000 ses=4 
msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.33.24.118 
addr=10.33.24.118 terminal=/dev/pts/0 res=success'

  root@roselp2:~# dpkg -s auditd
  Package: auditd
  Status: install ok installed
  Priority: extra
  Section: admin
  Installed-Size: 1051
  Maintainer: Ubuntu Developers 
  Architecture: ppc64el
  Source: audit
  Version: 1:2.4.5-1ubuntu2
  Depends: lsb-base (>= 3.0-6), mawk | gawk, init-system-helpers (>= 1.18~), 
libaudit1 (>= 1:2.4.2), libauparse0 (>= 1:2.3.1), libc6 (>= 2.17)
  Suggests: audispd-plugins

  
  root@roselp2:~# uname -a
  Linux roselp2 4.4.0-47-generic #68-Ubuntu SMP Wed Oct 26 19:38:24 UTC 2016 
ppc64le ppc64le ppc64le GNU/Linux

  
  root@roselp2:~# service auditd status
  ? auditd.service - Security Auditing Service
 Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor 
preset: e
 Active: active (running) since Wed 2016-11-23 02:19:21 CST; 19s ago
   Main PID: 4085 (auditd)
 CGroup: /system.slice/auditd.service
 ??4085 /sbin/auditd -n

  Nov 23 02:19:21 roselp2 auditctl[4086]: enabled 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: failure 1
  Nov 23 02:19:21 roselp2 auditctl[4086]: pid 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: rate_limit 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: backlog_limit 320
  Nov 23 02:19:21 roselp2 auditctl[4086]: lost 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: backlog 0
  Nov 23 02:19:21 roselp2 auditctl[4086]: backlog_wait_time 15000
  Nov 23 02:19:21 roselp2 systemd[1]: Started Security Auditing Service.
  Nov 23 02:19:21 roselp2 auditd[4085]: Init complete, auditd 2.4.5 listening 
for

  Please cherry pick https://github.com/linux-audit/audit-
  userspace/commit/25097d64344828a80acf681da5c1dacc4ea3c069

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-power-systems/+bug/1724152/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp