Ubuntu
openssh package

sshd have no USER_LOGOUT audit event

Bug #1948357 reported by lizhijian on 2021-10-22

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	openssh (Ubuntu)	Triaged	Medium	Unassigned

Bug Description

ubuntu 18.04

lizj@FNSTPC:~$ sudo aureport -e -i --summary | grep USER
43241 USER_END
16946 USER_START
16718 USER_ACCT
658 USER_AUTH
543 USER_CMD
255 USER_LOGIN
9 USER_ROLE_CHANGE
5 USER_ERR
2 USER_CHAUTHTOK
1 ADD_USER
lizj@FNSTPC:~/.local/bin$ dpkg -l | grep openssh
ii openssh-client 1:7.6p1-4ubuntu0.5 amd64 secure shell (SSH) client, for secure access to remote machines
ii openssh-server 1:7.6p1-4ubuntu0.5 amd64 secure shell (SSH) server, for secure access from remote machines
ii openssh-sftp-server 1:7.6p1-4ubuntu0.5 amd64 secure shell (SSH) sftp server module, for SFTP access from remote machines
lizj@FNSTPC:~/.local/bin$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.6 LTS
Release: 18.04
Codename: bionic

while in my fedora 33 host, it includes USER_LOGOUT as below

fedora 33
[root@iaas-rpma linux]# aureport -e -i --summary | grep USER
7356 CRYPTO_KEY_USER
2103 USER_START
1649 USER_END
1268 USER_ACCT
1108 USER_ROLE_CHANGE
1029 USER_AUTH
895 USER_LOGIN
789 USER_LOGOUT
60 USER_CMD
14 USER_ERR
3 USER_MGMT
3 USER_CHAUTHTOK
1 ADD_USER
[root@iaas-rpma ~]# rpm -qa | grep openssh
openssh-8.4p1-1.1.fc33.x86_64
openssh-clients-8.4p1-1.1.fc33.x86_64
openssh-server-8.4p1-1.1.fc33.x86_64

Revision history for this message

lizhijian (zhijianli88) wrote on 2021-10-22:

first report here: https://listman.redhat.com/archives/linux-audit/2021-October/msg00069.html

Revision history for this message

Launchpad Janitor (janitor) wrote on 2021-10-22:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openssh (Ubuntu):
status:	New → Confirmed

Revision history for this message

Utkarsh Gupta (utkarsh) wrote on 2021-10-25:

Hello,

Thank you for taking the time to file out this bug. As I see, the report is correct and we could indeed use the same patch that Fedora/RH uses. Maybe, while at it also forward this bug report to Debian (and if possible, attach the fixing patch that fixes this)?

That said, I'm marking this as server-next so someone can TAL at this and get this fixed for 22.04 release, at least. We can later see if it's worth SRU'ing back to older releases or not.

Let me know if you have any questions or concerns. TIA!

Changed in openssh (Ubuntu):
status:	Confirmed → Triaged
importance:	Undecided → Medium
tags:	added: server-next server-todo

Revision history for this message

Athos Ribeiro (athos-ribeiro) wrote on 2021-11-23:

As per [1], the difference reported in the bug is seen due to a pair of patches carried by Fedora/RH.

This seems to be a feature (not a fix), therefore, I am not sure if this would be suitable for an SRU.

The patch proposed in [1] seems to be under review for a long time (and parts of the patch have landed upstream over the years).

The last upstream comment [2] (from Jan. 2020) states that the patch is obsolete. Moreover, the Red Hat bug mentioned in their spec file which points to the bug where the patch was likely discussed and proposed is private [3]. Therefore, I wonder if we want to introduce this feature in 22.04 (LTS) or wait for further upstream feedback in [1].

Since the next steps are not clear, I am removing the server-next/server-todo tags from the bug.

[1] https://bugzilla.mindrot.org/show_bug.cgi?id=1402
[2] https://bugzilla.mindrot.org/show_bug.cgi?id=1402#c81
[3] https://src.fedoraproject.org/rpms/openssh/blob/c5e4c28ae15caed8a03d682c1adf2fa619968222/f/openssh.spec#_84