Since it's difficult to reproduce the bug, what I'm going to do is set up
a system with the previous auditd, set up some rules, confirm they are
working, then upgrade, and confirm it keeps working, also after a
reboot.


# Bionic verification

auditd from bionic:
auditd:
  Installed: 1:2.8.2-1ubuntu1
  Candidate: 1:2.8.2-1ubuntu1
  Version table:
 *** 1:2.8.2-1ubuntu1 500
        500 http://br.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

Created a simple rule:
#  cat /etc/audit/rules.d/30-shadow.rules 
-w /etc/shadow -p wa -k shadow-changed

Loaded after restart:
# auditctl -l
-w /etc/shadow -p wa -k shadow-changed

Confirmed a change to the file gets logged:
# chmod 0400 /etc/shadow
#

/var/log/audit/auditd.log (parsed with ausearch -i):
type=PROCTITLE msg=audit(01/18/21 17:49:31.077:32) : proctitle=chmod 0400 /etc/shadow
type=PATH msg=audit(01/18/21 17:49:31.077:32) : item=0 name=/etc/shadow inode=64070 dev=fc:01 mode=file,640 ouid=root ogid=shadow rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(01/18/21 17:49:31.077:32) : cwd=/root
type=SYSCALL msg=audit(01/18/21 17:49:31.077:32) : arch=x86_64 syscall=fchmodat success=yes exit=0 a0=0xffffff9c a1=0x5577580dc1c0 a2=0400 a3=0x0 items=1 ppid=1499 pid=1992 auid=ubuntu uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=3 comm=chmod exe=/bin/chmod key=shadow-changed


Now updating the package:
# apt-cache policy auditd
auditd:
  Installed: 1:2.8.2-1ubuntu1.1
  Candidate: 1:2.8.2-1ubuntu1.1
  Version table:
 *** 1:2.8.2-1ubuntu1.1 500
        500 http://br.archive.ubuntu.com/ubuntu bionic-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     1:2.8.2-1ubuntu1 500
        500 http://br.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

(and its deps, like libaudit1, etc).

The same rule continues to be loaded:
# auditctl -l
-w /etc/shadow -p wa -k shadow-changed

Also after a manual restart:
# systemctl restart auditd
# auditctl -l
-w /etc/shadow -p wa -k shadow-changed

And changing /etc/shadow is logged (let's use 0640 this time):
# chmod 0640 /etc/shadow
#

log:
type=PROCTITLE msg=audit(01/18/21 17:54:51.942:56) : proctitle=chmod 0640 /etc/shadow
type=PATH msg=audit(01/18/21 17:54:51.942:56) : item=0 name=/etc/shadow inode=64070 dev=fc:01 mode=file,400 ouid=root ogid=shadow rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(01/18/21 17:54:51.942:56) : cwd=/root
type=SYSCALL msg=audit(01/18/21 17:54:51.942:56) : arch=x86_64 syscall=fchmodat success=yes exit=0 a0=0xffffff9c a1=0x563ae04471c0 a2=0640 a3=0x0 items=1 ppid=1499 pid=2845 auid=ubuntu uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=3 comm=chmod exe=/bin/chmod key=shadow-changed


I then rebooted the system, performed the same tests, and got the same results 
with the updated package.

It would be great if people who were affected by this bug, and can
reasonably reproduce it, could test the packages from proposed. In the
meantime, I'll mark this as verification succeeded.


** Tags removed: verification-needed-bionic
** Tags added: verification-done-bionic

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1848330

Title:
  Installing auditd sometimes fails in post-inst

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/audit/+bug/1848330/+subscriptions
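
Added example (not part of the original bug comment, and not code from the audit project): the "change is logged" check above, automated over `ausearch -i` output. The rule key sits on the SYSCALL record while the file name sits on the PATH record, so the check has to correlate records that share one audit(timestamp:serial) ID. The names `parse_events` and `watch_hits` are hypothetical, and the sample is constructed from the post-upgrade event in the report, trimmed to the fields used.

```python
import re
from collections import defaultdict

# Constructed sample: the post-upgrade event from the report, one record per
# line (as ausearch -i prints it before mail wrapping), trimmed to a few fields.
SAMPLE = """\
type=PROCTITLE msg=audit(01/18/21 17:54:51.942:56) : proctitle=chmod 0640 /etc/shadow
type=PATH msg=audit(01/18/21 17:54:51.942:56) : item=0 name=/etc/shadow inode=64070 mode=file,400 nametype=NORMAL
type=CWD msg=audit(01/18/21 17:54:51.942:56) : cwd=/root
type=SYSCALL msg=audit(01/18/21 17:54:51.942:56) : arch=x86_64 syscall=fchmodat success=yes exit=0 auid=ubuntu uid=root comm=chmod exe=/bin/chmod key=shadow-changed
"""

# The timestamp itself contains colons, so the serial is the last ":N" before ")".
RECORD = re.compile(r"^type=(\S+) msg=audit\((.+?):(\d+)\) : (.*)$")
FIELD = re.compile(r"(\w+)=(\S+)")  # values containing spaces (proctitle) are cut short

def parse_events(text):
    """Group records by (timestamp, serial); each event maps record type -> field dicts."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            rtype, ts, serial, body = m.groups()
            fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
            events[(ts, int(serial))][rtype].append(fields)
    return events

def watch_hits(text, key, path):
    """Summarise events tagged with rule key `key` whose PATH records name `path`."""
    hits = []
    for (ts, serial), recs in sorted(parse_events(text).items()):
        # key= is carried by the SYSCALL record, name= by the PATH record(s).
        sc = next((r for r in recs["SYSCALL"] if r.get("key") == key), None)
        if sc and any(p.get("name") == path for p in recs["PATH"]):
            hits.append({"serial": serial, "time": ts, "syscall": sc.get("syscall"),
                         "success": sc.get("success"), "auid": sc.get("auid"), "exe": sc.get("exe")})
    return hits

if __name__ == "__main__":
    print(watch_hits(SAMPLE, "shadow-changed", "/etc/shadow"))
```

Run it against unwrapped `ausearch -i` output; records split across lines by a mail client will not match the record pattern.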
