Ubuntu
audit package

aulastlog doesn't report logins

Bug #1319278 reported by Seth Arnold
This bug report is a duplicate of:  Bug #1478087: Add libaudit support. Edit Remove
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
audit (Ubuntu)
New
Undecided
Unassigned

Bug Description

aulastlog and aulast don't appear to be functioning correctly:

root@hunt:~# aulast
root@hunt:~# aulastlog
Username Port From Latest
root **Never logged in**
daemon **Never logged in**
bin **Never logged in**
sys **Never logged in**
sync **Never logged in**
games **Never logged in**
man **Never logged in**
lp **Never logged in**
mail **Never logged in**
news **Never logged in**
uucp **Never logged in**
proxy **Never logged in**
www-data **Never logged in**
backup **Never logged in**
list **Never logged in**
irc **Never logged in**
gnats **Never logged in**
nobody **Never logged in**
libuuid **Never logged in**
syslog **Never logged in**
messagebus **Never logged in**
colord **Never logged in**
lightdm **Never logged in**
whoopsie **Never logged in**
avahi-autoipd **Never logged in**
avahi **Never logged in**
usbmux **Never logged in**
kernoops **Never logged in**
pulse **Never logged in**
rtkit **Never logged in**
speech-dispatcher **Never logged in**
hplip **Never logged in**
saned **Never logged in**
sarnold **Never logged in**
sshd **Never logged in**
libvirt-qemu **Never logged in**
libvirt-dnsmasq **Never logged in**
sbuild **Never logged in**
lxc-dnsmasq **Never logged in**
dictd **Never logged in**
statd **Never logged in**
dnsmasq **Never logged in**
ntp **Never logged in**
pdns **Never logged in**
clickpkg **Never logged in**
usermetrics **Never logged in**
root@hunt:~#

I would expect at least my user account sarnold should have logged in -- it was how I got to sudo, after all.

There's no shortage of logging information, it just appears the logs for USER_LOGIN are missing:

root@hunt:~# ausearch -l | wc -l
262312
root@hunt:~# ausearch -l | grep USER_LOGIN | wc -l
0
root@hunt:~#

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: auditd 1:2.3.2-2ubuntu1
ProcVersionSignature: Ubuntu 3.13.0-24.47-generic 3.13.9
Uname: Linux 3.13.0-24-generic x86_64
ApportVersion: 2.14.1-0ubuntu3
Architecture: amd64
Date: Tue May 13 23:48:21 2014
InstallationDate: Installed on 2012-10-18 (573 days ago)
InstallationMedia: Ubuntu 12.04.1 LTS "Precise Pangolin" - Release amd64 (20120823.1)
ProcEnviron:
 LANGUAGE=en_US
 TERM=rxvt-unicode
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: audit
UpgradeStatus: Upgraded to trusty on 2014-04-12 (32 days ago)
mtime.conffile..etc.audit.audit.rules: 2013-07-11T10:45:01

Revision history for this message
Seth Arnold (seth-arnold) wrote :
Revision history for this message
Laurent Bigonville (bigon) wrote :

Hi,

This bug might actually be due to the fact that the entry point applications (login, xDM,...) are not calling pam_loginuid module in the PAM session stack.

I'm personally not using ubuntu anymore, so I cannot really verify this.

Cheers

Revision history for this message
Seth Arnold (seth-arnold) wrote :

At least /etc/pam.d/sshd on my system is configured to use pam_loginuid:

$ grep pam_login -r /etc/pam.d/
/etc/pam.d/sshd:session required pam_loginuid.so

Revision history for this message
Tyler Hicks (tyhicks) wrote :

FYI, I've been updating bug #1478087 with my findings to fix audit login/logout event logging.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.