The bug is not in aureport or libaudit. aureport looks for AUDIT_USER_LOGIN events in the audit log but we're not generating them in login programs due to libaudit support not being enabled at build time or, in the case of lightdm, missing libaudit support.
Note that we are generating an AUDIT_LOGIN event from the kernel upon login but aureport and friends are looking for AUDIT_USER_LOGIN events from userspace.

This will require changes to several packages. So far, I've been able to determine that openssh needs to be built with --enable-audit=linux and lightdm needs to be patched to generate AUDIT_USER_LOGIN events. The lightdm pam configs may also need updating for calling out to pam_loginuid.so but I'm not sure if that's required at this point.

The shadow package was recently modified to enable libaudit support (https://launchpad.net/ubuntu/+source/shadow/1:4.1.5.1-1.1ubuntu5) so that change will need to be SRU'ed.

The util-linux source package can generate AUDIT_USER_INFO events from its login program but we're using the login program from the shadow source package. After looking at the util-linux source, I don't see a reason to build it against libaudit at this time.

** Also affects: openssh (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: lightdm (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: shadow (Ubuntu)
   Importance: Undecided
   Status: New

--
https://bugs.launchpad.net/bugs/1478087

Title:
  ISST-LTE: aureport -l couldn't print out login info on ubuntu 14.04.3

Status in audit package in Ubuntu: New
Status in lightdm package in Ubuntu: New
Status in openssh package in Ubuntu: New
Status in shadow package in Ubuntu: New

Bug description:

-- Problem Description --

We installed ubuntu 14.04.3 on lakelp1 and installed package auditd. We tried to ssh to lakelp1 several times and found that "aureport -l" couldn't print out the login info.

root@lakelp1:~# /etc/init.d/auditd status
 * auditd is running.
root@lakelp1:~# auditctl -e 1
AUDIT_STATUS: enabled=1 flag=1 pid=38784 rate_limit=0 backlog_limit=320 lost=12 backlog=1
root@lakelp1:~# grep -i login /var/log/audit/audit.log
type=LOGIN msg=audit(1437641256.987:67): pid=11752 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=4 res=1
type=LOGIN msg=audit(1437642646.478:85): pid=44269 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=5 res=1
type=LOGIN msg=audit(1437642700.295:90): pid=21504 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=6 res=1
type=LOGIN msg=audit(1437642765.339:104): pid=16628 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=7 res=1
type=LOGIN msg=audit(1437644638.593:130): pid=44443 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=8 res=1
root@lakelp1:~# aureport -l

Login Report
============================================
# date time auid host term exe success event
============================================
<no events of interest were found>

This looks like a bug in aureport or libaudit. In addition to giving admins falsely empty record selections, this would prevent successful completion of a Common Criteria certification.
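A check for the condition described in this report, added here as an example and not part of the bug report or of the audit package: it reads audit.log lines and lists the sessions that have a kernel LOGIN record but no userspace USER_LOGIN record. The function names are hypothetical, the ses=9 sample lines are constructed, and pairing records by their ses= value assumes the login program's record carries the same session id as the kernel's.

```python
import re
from collections import defaultdict

# Record header: type=NAME msg=audit(EPOCH.MS:SERIAL):
HEADER = re.compile(r"^type=(\S+) msg=audit\(\d+\.\d+:\d+\):")
# Session id; the lookbehind skips the "old-ses=" field of kernel LOGIN records.
SES = re.compile(r"(?<![\w-])ses=(\d+)")


def login_coverage(lines):
    """Map session id -> set of login record types seen for that session."""
    sessions = defaultdict(set)
    for line in lines:
        head = HEADER.match(line.strip())
        if not head or head.group(1) not in ("LOGIN", "USER_LOGIN"):
            continue
        ses = SES.search(line)
        if ses:
            sessions[int(ses.group(1))].add(head.group(1))
    return dict(sessions)


def sessions_missing_user_login(lines):
    """Sessions the kernel recorded that no login program reported."""
    return sorted(
        ses for ses, types in login_coverage(lines).items()
        if "LOGIN" in types and "USER_LOGIN" not in types
    )


SAMPLE = [
    # First two lines are taken from the grep output in the report.
    "type=LOGIN msg=audit(1437641256.987:67): pid=11752 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=4 res=1",
    "type=LOGIN msg=audit(1437642646.478:85): pid=44269 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=5 res=1",
    # Constructed pair: what a login looks like once the login program
    # is built with libaudit support and emits USER_LOGIN.
    "type=LOGIN msg=audit(1437650000.000:200): pid=50000 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=9 res=1",
    "type=USER_LOGIN msg=audit(1437650000.100:203): pid=50000 uid=0 auid=0 ses=9 "
    "msg='op=login id=0 exe=\"/usr/sbin/sshd\" hostname=192.0.2.10 addr=192.0.2.10 terminal=/dev/pts/0 res=success'",
]

if __name__ == "__main__":
    for ses in sessions_missing_user_login(SAMPLE):
        print(f"ses={ses}: kernel LOGIN only, no USER_LOGIN for a login report to show")
```

To run it against a live system, pass the lines of /var/log/audit/audit.log to sessions_missing_user_login() instead of SAMPLE.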