------- Comment From [email protected] 2017-12-05 03:51 EDT-------
(In reply to comment #14)
> (In reply to comment #13)
> > (In reply to comment #11)
> > > Pavithra, Canonical has asked for an update. Could you verify the fix?
> > > Thanks.
> >
> > Can you please give the steps to recreate. I have not tested this before.
> >
> > root@ltc-garri3:~# aureport -l
> >
> > Login Report
> > ============================================
> > # date time auid host term exe success event
> > ============================================
> > <no events of interest were found>
> >
> >
> > Thanks,
> > Pavithra
>
> Recreation steps
>
> 1. start the auditd service
>
> service auditd start
>
> 2. login and logout to the machine using ssh and that will log ssh login
> events in aureport.
>
> 3. Do aureport -l and check for auid

Below is the output on 17.04 machine.

ubuntu@ltc-garri3:~$ uname -a
Linux ltc-garri3 4.10.0-38-generic #42-Ubuntu SMP Tue Oct 10 13:22:54 UTC 2017 ppc64le ppc64le ppc64le GNU/Linux

root@ltc-garri3:/home/ubuntu# aureport -l

Login Report
============================================
# date time auid host term exe success event
============================================
1. 12/04/2017 22:29:35 root 9.124.35.113 sshd /usr/sbin/sshd no 134
2. 12/04/2017 22:32:46 root 9.124.35.113 sshd /usr/sbin/sshd no 135
3. 12/04/2017 22:32:51 root 9.124.35.113 sshd /usr/sbin/sshd no 137
4. 12/04/2017 22:32:56 root 9.124.35.113 sshd /usr/sbin/sshd no 139
5. 12/04/2017 22:33:01 root 9.124.35.113 sshd /usr/sbin/sshd no 140
6. 12/04/2017 22:33:05 root 9.124.35.113 sshd /usr/sbin/sshd no 142
7. 12/04/2017 22:33:10 root 9.124.35.113 sshd /usr/sbin/sshd no 144
8. 12/04/2017 22:50:04 root 9.79.212.207 sshd /usr/sbin/sshd no 158
9. 12/04/2017 22:50:10 root 9.79.212.207 sshd /usr/sbin/sshd no 160
10. 12/04/2017 22:50:16 root 9.79.212.207 sshd /usr/sbin/sshd no 162
11. 12/04/2017 23:12:03 ubuntu 9.124.35.113 sshd /usr/sbin/sshd no 169
12. 12/04/2017 23:12:06 -1 9.124.35.113 /dev/pts/0 /usr/sbin/sshd yes 176
13. 12/04/2017 23:40:23 ubuntu 9.124.35.113 sshd /usr/sbin/sshd no 223
14. 12/05/2017 00:28:24 ubuntu 9.124.35.113 sshd /usr/sbin/sshd no 313
15. 12/05/2017 00:28:27 -1 9.124.35.113 /dev/pts/0 /usr/sbin/sshd yes 320
16. 12/05/2017 00:28:56 ubuntu 9.124.35.113 sshd /usr/sbin/sshd no 330
17. 12/05/2017 00:28:58 -1 9.124.35.113 /dev/pts/0 /usr/sbin/sshd yes 337
18. 12/05/2017 02:46:14 root 9.109.212.222 sshd /usr/sbin/sshd no 384
19. 12/05/2017 02:46:27 root 9.109.212.222 sshd /usr/sbin/sshd no 386
20. 12/05/2017 02:46:31 root 9.109.212.222 sshd /usr/sbin/sshd no 388
21. 12/05/2017 02:46:36 root 9.109.212.222 sshd /usr/sbin/sshd no 390
22. 12/05/2017 02:46:45 ubuntu 9.109.212.222 sshd /usr/sbin/sshd no 391
23. 12/05/2017 02:46:49 -1 9.109.212.222 /dev/pts/1 /usr/sbin/sshd yes 398
24. 12/05/2017 02:48:22 ubuntu 9.109.212.222 sshd /usr/sbin/sshd no 409
25. 12/05/2017 02:48:27 -1 9.109.212.222 /dev/pts/2 /usr/sbin/sshd yes 416
26. 12/05/2017 02:48:33 ubuntu 9.109.212.222 sshd /usr/sbin/sshd no 419
27. 12/05/2017 02:48:37 -1 9.109.212.222 /dev/pts/2 /usr/sbin/sshd yes 426

Thanks,
Pavithra

------- Comment From [email protected] 2017-12-08 03:27 EDT-------
marking the above comment external

--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to audit in Ubuntu.
https://bugs.launchpad.net/bugs/1724152

Title:
ISST-LTE: pVM: aureport couldn't get the right auid from the audit log on ubuntu16.04

Status in The Ubuntu-power-systems project: Fix Committed
Status in audit package in Ubuntu: Invalid
Status in audit source package in Xenial: Fix Committed
Status in audit source package in Zesty: Fix Committed

Bug description:

[Impact]

The aureport command, part of the audit userspace utilities, incorrectly
reports the user id of successful logins. "-1" is printed instead of the
expected user id.

[Test Case]

As root, run `login`. Proceed as follows:

1. Login with a blank username and any password
2. Login with an invalid username and any password
3. Login with a valid username and an invalid password
4. Login with a valid username and a valid password
5. Exit from the login shell
6. Run `aureport -l` and examine the last four login records

An unpatched aureport will print the following:

============================================
# date time auid host term exe success event
============================================
...
2. 10/17/2017 23:45:32 UNKNOWN ? /dev/pts/8 /bin/login no 97
3. 10/17/2017 23:45:39 UNKNOWN ? /dev/pts/8 /bin/login no 99
4. 10/17/2017 23:45:45 tyhicks ? /dev/pts/8 /bin/login no 101
5. 10/17/2017 23:45:49 -1 ? /dev/pts/8 /bin/login yes 107

A patched aureport will print the correct output:

Login Report
============================================
# date time auid host term exe success event
============================================
...
2. 10/17/2017 23:52:44 UNKNOWN ? /dev/pts/8 /bin/login no 165
3. 10/17/2017 23:52:52 UNKNOWN ? /dev/pts/8 /bin/login no 167
4. 10/17/2017 23:52:58 tyhicks ? /dev/pts/8 /bin/login no 169
5. 10/17/2017 23:53:02 1000 ? /dev/pts/8 /bin/login yes 175

Note the "1000" in the auid column on the #5 row. It should *not* be "-1".

[Regression Potential]

The regression potential is limited due to the change only affecting a
single line of code, the fix comes from upstream, and that the aureport
utility is not critical.

[Original Report]

== Comment: #0 - Miao Tao Feng <[email protected]> - 2016-11-23 02:46:25 ==

When we develop new testcase for audit, we found that command "aureport -l"
print out wrong auid "-1" on ubuntu16.04 and it should be 1000 according to
the audit.log. The following are details:

root@roselp2:~# aureport -l

Login Report
============================================
# date time auid host term exe success event
============================================
1. 11/23/2016 02:20:12 -1 10.33.24.118 /dev/pts/0 /usr/sbin/sshd yes 18

The auid "-1" on the above line should be "1000" according to the audit.log.

root@roselp2:~# grep ":18" /var/log/audit/audit.log
type=USER_LOGIN msg=audit(1479889212.292:18): pid=4177 uid=0 auid=1000 ses=4 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.33.24.118 addr=10.33.24.118 terminal=/dev/pts/0 res=success'

root@roselp2:~# dpkg -s auditd
Package: auditd
Status: install ok installed
Priority: extra
Section: admin
Installed-Size: 1051
Maintainer: Ubuntu Developers <[email protected]>
Architecture: ppc64el
Source: audit
Version: 1:2.4.5-1ubuntu2
Depends: lsb-base (>= 3.0-6), mawk | gawk, init-system-helpers (>= 1.18~), libaudit1 (>= 1:2.4.2), libauparse0 (>= 1:2.3.1), libc6 (>= 2.17)
Suggests: audispd-plugins

root@roselp2:~# uname -a
Linux roselp2 4.4.0-47-generic #68-Ubuntu SMP Wed Oct 26 19:38:24 UTC 2016 ppc64le ppc64le ppc64le GNU/Linux

root@roselp2:~# service auditd status
● auditd.service - Security Auditing Service
   Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor preset: e
   Active: active (running) since Wed 2016-11-23 02:19:21 CST; 19s ago
 Main PID: 4085 (auditd)
   CGroup: /system.slice/auditd.service
           └─4085 /sbin/auditd -n

Nov 23 02:19:21 roselp2 auditctl[4086]: enabled 0
Nov 23 02:19:21 roselp2 auditctl[4086]: failure 1
Nov 23 02:19:21 roselp2 auditctl[4086]: pid 0
Nov 23 02:19:21 roselp2 auditctl[4086]: rate_limit 0
Nov 23 02:19:21 roselp2 auditctl[4086]: backlog_limit 320
Nov 23 02:19:21 roselp2 auditctl[4086]: lost 0
Nov 23 02:19:21 roselp2 auditctl[4086]: backlog 0
Nov 23 02:19:21 roselp2 auditctl[4086]: backlog_wait_time 15000
Nov 23 02:19:21 roselp2 systemd[1]: Started Security Auditing Service.
Nov 23 02:19:21 roselp2 auditd[4085]: Init complete, auditd 2.4.5 listening for

Please cherry pick
https://github.com/linux-audit/audit-userspace/commit/25097d64344828a80acf681da5c1dacc4ea3c069

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-power-systems/+bug/1724152/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
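
Added example (not part of the original report and not code from the audit project): a cross-check of the auid column printed by `aureport -l` against the record-level `auid=` field in audit.log, keyed by event serial as in the grep shown in the report. The second audit record is constructed and the function names are this example's own; it assumes numeric output (no `-i`) and a single log in which event serials are unique.

```python
import re

# Constructed inputs: the first audit record and the aureport row are the ones
# quoted in the report above; the second audit record is made up.
AUDIT_LOG = """\
type=USER_LOGIN msg=audit(1479889212.292:18): pid=4177 uid=0 auid=1000 ses=4 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.33.24.118 addr=10.33.24.118 terminal=/dev/pts/0 res=success'
type=USER_LOGIN msg=audit(1479889300.101:25): pid=4201 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=10.33.24.118 terminal=sshd res=failed'
"""
AUREPORT = "1. 11/23/2016 02:20:12 -1 10.33.24.118 /dev/pts/0 /usr/sbin/sshd yes 18\n"

HEADER = re.compile(r"^type=USER_LOGIN msg=audit\(\d+\.\d+:(\d+)\): (.*)$")
ROW = re.compile(r"^\d+\.\s+\S+\s+\S+\s+(\S+)\s+\S+\s+\S+\s+\S+\s+(yes|no)\s+(\d+)$")

def logged_logins(text):
    """Map event serial -> (record-level auid, succeeded) for USER_LOGIN records."""
    out = {}
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        # Fields before msg='...' belong to the record itself; auid lives there.
        outer, _, inner = m.group(2).partition(" msg='")
        fields = dict(kv.split("=", 1) for kv in outer.split() if "=" in kv)
        ok = inner.rstrip("'").endswith("res=success")
        out[int(m.group(1))] = (fields.get("auid"), ok)
    return out

def reported_logins(text):
    """Map event serial -> auid column for the successful rows of `aureport -l`."""
    out = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m and m.group(2) == "yes":
            out[int(m.group(3))] = m.group(1)
    return out

def cross_check(audit_text, report_text):
    """Return (event, reported auid, logged auid) wherever the two disagree."""
    logged = logged_logins(audit_text)
    bad = []
    for event, shown in sorted(reported_logins(report_text).items()):
        auid, ok = logged.get(event, (None, False))
        if ok and auid != shown:
            bad.append((event, shown, auid))
    return bad

if __name__ == "__main__":
    for event, shown, auid in cross_check(AUDIT_LOG, AUREPORT):
        print(f"event {event}: aureport shows auid {shown}, audit.log has auid={auid}")
```
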

