[Bug 1865504] Re: hwclock reports incorrect status in audit message

Mauricio Faria de Oliveira mfo at canonical.com
Wed Mar 11 19:41:11 UTC 2020 

** Description changed:

- [IMPACT]
- hwclock reports incrorect status in audit message
+ [Impact]
  
- hwclock calls audit_log_user_message(3) to create an audit entry.
- audit_log_user_message(3) result 1 is "success" and 0 is
- "failed", hwclock use standard EXIT_{SUCCESS,FAILURE} macros with reverse
- status. Thus reports it's status incorrectly in audit message. 
+ hwclock reports incorrect status in audit message:
+ - hwclock calls audit_log_user_message(3) to create an audit entry.
+ - audit_log_user_message(3) result 1 is "success" and 0 is "failed".
+ - hwclock use standard EXIT_{SUCCESS,FAILURE} macros with reverse status.
+ - Thus reports its status incorrectly in audit message.
  
  It is a requirement for Common Criteria Certification that hwclock
  reports correct status in audit message.
  
  This has been fixed upstream in https://github.com/karelzak/util-
  linux/commit/189edf1fe501ea39b35911337eab1740888fae7a
  
- [TEST]
+ [Test Steps]
  
  Steps to test:
  1. Install auditd
  2. Run following testcase,
  
  # hwclock
  2020-03-02 15:03:03.280351+0000
+ 
  # hwclock --set --date "1/1/2000 00:00:00"
  # echo $?
  0
  # hwclock
  2000-01-01 00:00:05.413924+0000
+ 
  # hwclock --utc --systohc
  # echo $?
  0
  # hwclock
  2020-03-02 15:07:00.264331+0000
  
  Following audit messages from /var/log/audit/audit.log,
  
- type=USYS_CONFIG msg=audit(1583161562.884:105): pid=2084 uid=0 auid=1000 ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname=bionic-fips addr=? terminal=pts/0 res=failed'
- type=USYS_CONFIG msg=audit(1583161614.497:106): pid=2103 uid=0 auid=1000 ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname=bionic-fips addr=? terminal=pts/0 res=failed'
+ type=USYS_CONFIG msg=audit(1583161562.884:105): pid=2084 uid=0 auid=1000
+ ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname=bionic-
+ fips addr=? terminal=pts/0 res=failed'
+ 
+ type=USYS_CONFIG msg=audit(1583161614.497:106): pid=2103 uid=0 auid=1000
+ ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname=bionic-
+ fips addr=? terminal=pts/0 res=failed'
  
  Note that last entry in each audit record produced when hardware clock
- was modified has, "res=failed". Although, testcase shows no failure
+ was modified has, "res=failed". Although, testcase shows no* failure
  occurred.
  
  [Regression Potential]
+ 
+ Changes limited to the result value passed to audit_log_user_message(3),
+ so the audit messages will change the 'res=' field (to correct result.)
+ 
  There should not be any regression to fix the status given to auditd.

** Description changed:

  [Impact]
  
  hwclock reports incorrect status in audit message:
  - hwclock calls audit_log_user_message(3) to create an audit entry.
  - audit_log_user_message(3) result 1 is "success" and 0 is "failed".
  - hwclock use standard EXIT_{SUCCESS,FAILURE} macros with reverse status.
  - Thus reports its status incorrectly in audit message.
  
  It is a requirement for Common Criteria Certification that hwclock
  reports correct status in audit message.
  
  This has been fixed upstream in https://github.com/karelzak/util-
  linux/commit/189edf1fe501ea39b35911337eab1740888fae7a
  
  [Test Steps]
  
  Steps to test:
  1. Install auditd
  2. Run following testcase,
  
  # hwclock
  2020-03-02 15:03:03.280351+0000
  
  # hwclock --set --date "1/1/2000 00:00:00"
  # echo $?
  0
  # hwclock
  2000-01-01 00:00:05.413924+0000
  
  # hwclock --utc --systohc
  # echo $?
  0
  # hwclock
  2020-03-02 15:07:00.264331+0000
  
  Following audit messages from /var/log/audit/audit.log,
  
+ Note that last field in each audit record produced when hardware clock
+ was modified has, "res=failed". Although, testcase shows no* failure
+ occurred.
+ 
  type=USYS_CONFIG msg=audit(1583161562.884:105): pid=2084 uid=0 auid=1000
  ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname=bionic-
  fips addr=? terminal=pts/0 res=failed'
  
  type=USYS_CONFIG msg=audit(1583161614.497:106): pid=2103 uid=0 auid=1000
  ses=1 msg='op=change-system-time exe="/sbin/hwclock" hostname=bionic-
  fips addr=? terminal=pts/0 res=failed'
  
- Note that last entry in each audit record produced when hardware clock
- was modified has, "res=failed". Although, testcase shows no* failure
- occurred.
- 
  [Regression Potential]
  
  Changes limited to the result value passed to audit_log_user_message(3),
  so the audit messages will change the 'res=' field (to correct result.)
  
  There should not be any regression to fix the status given to auditd.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to util-linux in Ubuntu.
https://bugs.launchpad.net/bugs/1865504

Title:
  hwclock reports incorrect status in audit message

Status in util-linux package in Ubuntu:
  Fix Released
Status in util-linux source package in Bionic:
  In Progress
Status in util-linux source package in Eoan:
  In Progress
Status in util-linux package in Debian:
  Unknown

Bug description:
  [Impact]

  hwclock reports incorrect status in audit message:
  - hwclock calls audit_log_user_message(3) to create an audit entry.
  - audit_log_user_message(3) result 1 is "success" and 0 is "failed".
  - hwclock use standard EXIT_{SUCCESS,FAILURE} macros with reverse status.
  - Thus reports its status incorrectly in audit message.

  It is a requirement for Common Criteria Certification that hwclock
  reports correct status in audit message.

  This has been fixed upstream in https://github.com/karelzak/util-
  linux/commit/189edf1fe501ea39b35911337eab1740888fae7a

  [Test Steps]

  Steps to test:
  1. Install auditd
  2. Run following testcase,

  # hwclock
  2020-03-02 15:03:03.280351+0000

  # hwclock --set --date "1/1/2000 00:00:00"
  # echo $?
  0
  # hwclock
  2000-01-01 00:00:05.413924+0000

  # hwclock --utc --systohc
  # echo $?
  0
  # hwclock
  2020-03-02 15:07:00.264331+0000

  Following audit messages from /var/log/audit/audit.log,

  Note that last field in each audit record produced when hardware clock
  was modified has, "res=failed". Although, testcase shows no* failure
  occurred.

  type=USYS_CONFIG msg=audit(1583161562.884:105): pid=2084 uid=0
  auid=1000 ses=1 msg='op=change-system-time exe="/sbin/hwclock"
  hostname=bionic-fips addr=? terminal=pts/0 res=failed'

  type=USYS_CONFIG msg=audit(1583161614.497:106): pid=2103 uid=0
  auid=1000 ses=1 msg='op=change-system-time exe="/sbin/hwclock"
  hostname=bionic-fips addr=? terminal=pts/0 res=failed'

  [Regression Potential]

  Changes limited to the result value passed to audit_log_user_message(3),
  so the audit messages will change the 'res=' field (to correct result.)

  There should not be any regression to fix the status given to auditd.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1865504/+subscriptions

More information about the foundations-bugs mailing list