Bug 1489086

Summary: auditd log showing incorrect info related to passwd and USER_CHAUTHTOK
Product: Red Hat Enterprise Linux 7
Component: passwd
Version: 7.4
Status: CLOSED ERRATA
Severity: low
Priority: medium
Reporter: Yogita <ysoni>
Assignee: Jiri Kucera <jkucera>
QA Contact: Jan Houska <jhouska>
CC: djez, ebenes, fkrska, jhouska, jkucera, omoris, ovasik, sgrubb
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: passwd-0.79-5.el7
Type: Bug
Last Closed: 2019-08-06 13:11:12 UTC
Bug Blocks: 1549619, 1630904, 1630910, 1660473

Description Yogita 2017-09-06 16:22:11 UTC
Description of problem:
On a new Red Hat 7.4, passwd -S to check the status of a user generates the following event:

node=xxxxx type=USER_CHAUTHTOK msg=audit(28/08/17 16:34:18.632:54145) : pid=31134 uid=root auid=xxxxx ses=3866 msg='op=password status displayed for user id=ftp exe=/usr/bin/passwd hostname= xxxxx addr=? terminal=pts/1 res=success'


Version-Release number of selected component (if applicable):
[root@rhel7u4-1 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.4 (Maipo)

[root@rhel7u4-1 ~]# rpm -q audit
audit-2.7.6-3.el7.x86_64


How reproducible:

[root@rhel7u4-1 ~]# passwd -S jack
jack LK 2017-09-06 0 99999 7 -1 (Password locked.)

[root@rhel7u4-1 ~]# tail -1 /var/log/audit/audit.log
type=USER_CHAUTHTOK msg=audit(1504694881.101:98531): pid=10394 uid=0 auid=0 ses=4285 msg='op=password status displayed for user id=1000 exe="/usr/bin/passwd" hostname=rhel7u4-1.gsslab.pnq2.redhat.com addr=? terminal=pts/0 res=success'

Actual results:

As per the article below, USER_CHAUTHTOK means "Triggered when a user account attribute is modified."
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-Audit_Record_Types.html
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Expected results:
This message should not have contained USER_CHAUTHTOK as type.

Additional info:
Please follow the discussion trail below:
https://www.redhat.com/archives/linux-audit/2017-August/msg00121.html

Comment 2 Steve Grubb 2017-09-06 19:09:48 UTC
There is a series of commits to upstream passwd that fix the auditing:

https://pagure.io/passwd/commits/master

These would need to be applied in the passwd package to fix the auditing. passwd is not an approved component for 7.5, so maybe we can target this for 7.6?

Comment 20 Jan Houska 2019-05-31 15:01:20 UTC
VERIFIED

OLD FAIL:
version: audit-2.8.4-4.el7

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 10:57:15 ] :: [  BEGIN   ] :: Triggering reproducer :: actually running 'passwd -S jack'
jack LK 2019-05-30 0 99999 7 -1 (Zamčené heslo.)
:: [ 10:57:15 ] :: [   PASS   ] :: Triggering reproducer (Expected 0, got 0)
:: [ 10:57:15 ] :: [  BEGIN   ] :: Running 'tail -1 /var/log/audit/audit.log > audit.log.out'
:: [ 10:57:15 ] :: [   PASS   ] :: Command 'tail -1 /var/log/audit/audit.log > audit.log.out' (Expected 0, got 0)
:: [ 10:57:15 ] :: [   FAIL   ] :: File 'audit.log.out' should contain '^type=USER_MGMT' 
:: [ 10:57:15 ] :: [   FAIL   ] :: File 'audit.log.out' should not contain '^type=USER_CHAUTHTOK' 
---audit.log.out-----------------------------------
type=USER_CHAUTHTOK msg=audit(1559314635.063:566): pid=13225 uid=0 auid=0 ses=2 subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 msg='op=password status displayed for user id=1000 exe="/usr/bin/passwd" hostname=ci-vm-10-0-136-199.hosted.upshift.rdu2.redhat.com addr=? terminal=pts/1 res=success'
--/audit.log.out-----------------------------------
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 0s
::   Assertions: 2 good, 2 bad
::   RESULT: FAIL

NEW PASS:
version: audit-2.8.5-4.el7.x86_64

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 10:57:24 ] :: [  BEGIN   ] :: Triggering reproducer :: actually running 'passwd -S jack'
jack LK 2019-05-30 0 99999 7 -1 (Zamčené heslo.)
:: [ 10:57:24 ] :: [   PASS   ] :: Triggering reproducer (Expected 0, got 0)
:: [ 10:57:24 ] :: [  BEGIN   ] :: Running 'tail -1 /var/log/audit/audit.log > audit.log.out'
:: [ 10:57:24 ] :: [   PASS   ] :: Command 'tail -1 /var/log/audit/audit.log > audit.log.out' (Expected 0, got 0)
:: [ 10:57:24 ] :: [   PASS   ] :: File 'audit.log.out' should contain '^type=USER_MGMT' 
:: [ 10:57:24 ] :: [   PASS   ] :: File 'audit.log.out' should not contain '^type=USER_CHAUTHTOK' 
---audit.log.out-----------------------------------
type=USER_MGMT msg=audit(1559314644.792:614): pid=11349 uid=0 auid=0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=pam_tally2 reset=0 id=1000 exe="/usr/sbin/pam_tally2" hostname=? addr=? terminal=/dev/pts/1 res=success'
--/audit.log.out-----------------------------------
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 0s
::   Assertions: 4 good, 0 bad
::   RESULT: PASS (Test)
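A defender who alerts on type=USER_CHAUTHTOK as "credential changed" gets a false positive from every passwd -S on an unfixed passwd, and the verification above only greps the type= prefix. The following is an added example, not code from the bug report, the test harness or the passwd package: it parses auditd records into their outer and nested msg='...' fields and separates the mislabelled status query described in the report from a genuine credential change. Records 566 and 614 are copied from Comment 20; record 700 (a PAM chauthtok record for user "jack") and the class names are constructed.

```python
import re
from typing import Dict, List

# Constructed sample log: records 566 and 614 are copied from Comment 20 of the
# report; record 700 is a constructed genuine password change (PAM chauthtok).
SAMPLE_LOG = """\
type=USER_CHAUTHTOK msg=audit(1559314635.063:566): pid=13225 uid=0 auid=0 ses=2 subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 msg='op=password status displayed for user id=1000 exe="/usr/bin/passwd" hostname=ci-vm-10-0-136-199.hosted.upshift.rdu2.redhat.com addr=? terminal=pts/1 res=success'
type=USER_MGMT msg=audit(1559314644.792:614): pid=11349 uid=0 auid=0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=pam_tally2 reset=0 id=1000 exe="/usr/sbin/pam_tally2" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=USER_CHAUTHTOK msg=audit(1559314700.000:700): pid=13300 uid=0 auid=0 ses=2 msg='op=PAM:chauthtok grantors=pam_unix acct="jack" exe="/usr/bin/passwd" hostname=? addr=? terminal=pts/1 res=success'
"""

# Record header, outer key=value fields, and the optional nested msg='...' payload.
_RECORD = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*?)(?:\s+msg='(.*)')?\s*$")
_KEY = re.compile(r"(?:^|\s)([A-Za-z_][\w-]*)=")

def _split_fields(text: str) -> Dict[str, str]:
    """Split 'k=v k2=v v' into a dict; a value runs up to the next key, so the
    multi-word 'op=password status displayed for user' survives intact."""
    keys = list(_KEY.finditer(text))
    fields = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(text)
        fields[m.group(1)] = text[m.end():end].strip().strip('"')
    return fields

def parse_record(line: str) -> Dict[str, str]:
    """Flatten one auditd record (outer and nested fields) into a dict."""
    m = _RECORD.match(line.strip())
    if not m:
        raise ValueError(f"not an auditd record: {line!r}")
    rec = {"type": m.group(1), "time": m.group(2), "serial": m.group(3)}
    rec.update(_split_fields(m.group(4)))
    if m.group(5) is not None:
        rec.update(_split_fields(m.group(5)))
    return rec

# op= values that only report state; under type=USER_CHAUTHTOK they are the
# mislabelling fixed in passwd-0.79-5.el7, not a credential change.
STATUS_ONLY_OPS = {"password status displayed for user"}

def classify(rec: Dict[str, str]) -> str:
    if rec["type"] != "USER_CHAUTHTOK":
        return "other"
    return "mislabelled" if rec.get("op") in STATUS_ONLY_OPS else "credential-change"

def audit_report(log_text: str) -> Dict[str, List[str]]:
    """Group record serials by class, the shape an alert rule would consume."""
    out: Dict[str, List[str]] = {"mislabelled": [], "credential-change": [], "other": []}
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_record(line)
        out[classify(rec)].append(rec["serial"])
    return out
```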

Comment 22 errata-xmlrpc 2019-08-06 13:11:12 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2257