Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1638105

Summary: Passwd does not support ACCT_LOCK & ACCT_UNLOCK audit record type
Product: Red Hat Enterprise Linux 7 Reporter: Akshay Jain <akjain>
Component: passwdAssignee: Jiri Kucera <jkucera>
Status: CLOSED ERRATA QA Contact: Jan Houska <jhouska>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 7.6CC: djez, hhorak, jhouska, ovasik, sgrubb, tbowling
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: passwd-0.79-5.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-08-06 13:11:12 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1630904, 1630910, 1660473    

Description Akshay Jain 2018-10-10 17:21:01 UTC 
Description of problem:
audit-2.8.1-3.el7_5.1.x86_64 does not support ACCT_LOCK audit record type

Version-Release number of selected component (if applicable):
audit-2.8.1-3.el7_5.1.x86_64 
Kernel-3.10.0-123.el7.x86_64


How reproducible:
Yes


Steps to Reproduce:
1. Create a test user name gluster

[root@rhel7u0-2 ~]# useradd gluster

2. Lock the user account with passwd

[root@rhel7u0-2 ~]# passwd -l gluster
Locking password for user gluster.
passwd: Success

3. Unlock the user account with passwd 

[root@rhel7u0-2 ~]#  passwd -u gluster
Unlocking password for user gluster.
passwd: Success

4. Search for audit event type in audit log

[root@rhel7u0-2 ~]# ausearch --start recent -m acct_lock,acct_unlock
<no matches>

Actual results:

[root@rhel7u0-2 ~]# ausearch --start recent -m acct_lock,acct_unlock
<no matches>

Expected results:

Working correctly on fedora28

1> Lock user

[root@localhost ~]# passwd -l bhutan
Locking password for user bhutan.
passwd: Success

2> Unlock user

[root@localhost ~]# passwd -u bhutan
Unlocking password for user bhutan.
passwd: Success

3> Search audit event

[root@localhost ~]# ausearch --start recent -m acct_lock,acct_unlock
----
time->Wed Oct 10 22:35:17 2018
type=ACCT_LOCK msg=audit(1539191117.908:507): pid=9156 uid=0 auid=1000 ses=4 subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 msg='op=locked-password id=1001 exe="/usr/bin/passwd" hostname=localhost.localdomain addr=? terminal=pts/0 res=success'
----
time->Wed Oct 10 22:35:25 2018
type=ACCT_UNLOCK msg=audit(1539191125.613:508): pid=9157 uid=0 auid=1000 ses=4 subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 msg='op=unlocked-password id=1001 exe="/usr/bin/passwd" hostname=localhost.localdomain addr=? terminal=pts/0 res=success'

4. Installed kernel version

[root@localhost ~]# uname -r
4.17.11-200.fc28.x86_64

5. Audit version

[root@localhost ~]# rpm -qi audit
Name        : audit
Version     : 2.8.4
Release     : 2.fc28
Architecture: x86_64
Install Date: Tue 07 Aug 2018 11:31:44 AM IST
Group       : Unspecified
Size        : 678772
License     : GPLv2+
Signature   : RSA/SHA256, Thu 19 Jul 2018 01:56:42 PM IST, Key ID e08e7e629db62fb1
Source RPM  : audit-2.8.4-2.fc28.src.rpm
Build Date  : Wed 18 Jul 2018 10:57:34 PM IST
Build Host  : buildhw-02.phx2.fedoraproject.org
Relocations : (not relocatable)
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : http://people.redhat.com/sgrubb/audit/
Bug URL     : https://bugz.fedoraproject.org/audit
Summary     : User space tools for 2.6 kernel auditing
Description :
The audit package contains the user space utilities for
storing and searching the audit records generated by
the audit subsystem in the Linux 2.6 and later kernels.


Additional info:
 https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-audit_record_types.
Comment 2 Steve Grubb 2018-10-11 13:44:53 UTC 
Transferring to passwd since it sends the event.
Comment 4 Jiri Kucera 2019-01-31 08:50:48 UTC 
Fixed in upstream commit 137db0d (https://pagure.io/passwd/c/137db0d6f2fd668081133c172ae7726d28ce95b6?branch=master#).
Comment 9 Jan Houska 2019-06-11 15:28:03 UTC 
VERIFIED


OLD PASS:
passwd-0.79-4.el7

::   Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 11:25:26 ] :: [  BEGIN   ] :: Looking for audit event :: actually running 'ausearch --start recent -m acct_lock,acct_unlock'
<no matches>
:: [ 11:25:26 ] :: [   FAIL   ] :: Looking for audit event (Expected 0, got 1)
:: [ 11:25:26 ] :: [   FAIL   ] :: File '/var/tmp/rlRun_LOG.REk92228' should contain 'type=ACCT_LOCK' 
:: [ 11:25:26 ] :: [   FAIL   ] :: File '/var/tmp/rlRun_LOG.REk92228' should contain 'type=ACCT_UNLOCK' 
:: [ 11:25:26 ] :: [   FAIL   ] :: File '/var/tmp/rlRun_LOG.REk92228' should contain 'exe="/usr/bin/passwd"' 
:: [ 11:25:26 ] :: [   FAIL   ] :: File '/var/tmp/rlRun_LOG.REk92228' should contain 'res=success' 
:: [ 11:25:26 ] :: [   FAIL   ] :: File '/var/tmp/rlRun_LOG.REk92228' should contain 'res=failed' 
:: [ 11:25:26 ] :: [   FAIL   ] :: File '/var/tmp/rlRun_LOG.REk92228' should not contain '<no matches>' 
--content of  /var/tmp/rlRun_LOG.REk92228------------
<no matches>
--/content of  /var/tmp/rlRun_LOG.REk92228-----------
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 0s
::   Assertions: 0 good, 7 bad
::   RESULT: FAIL




NEW PASS:
passwd-0.79-5.el7

::   Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 11:25:18 ] :: [  BEGIN   ] :: Looking for audit event :: actually running 'ausearch --start recent -m acct_lock,acct_unlock'
----
time->Tue Jun 11 11:23:53 2019
type=ACCT_LOCK msg=audit(1560266633.439:483): pid=17807 uid=0 auid=0 ses=3 subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 msg='op=locked-password id=1000 exe="/usr/bin/passwd" hostname=ci-vm-10-0-136-73.hosted.upshift.rdu2.redhat.com addr=? terminal=pts/1 res=success'
----
time->Tue Jun 11 11:23:53 2019
type=ACCT_UNLOCK msg=audit(1560266633.458:484): pid=17824 uid=0 auid=0 ses=3 subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 msg='op=unlocked-password id=1000 exe="/usr/bin/passwd" hostname=ci-vm-10-0-136-73.hosted.upshift.rdu2.redhat.com addr=? terminal=pts/1 res=failed'
----
time->Tue Jun 11 11:25:18 2019
type=ACCT_LOCK msg=audit(1560266718.651:732): pid=24315 uid=0 auid=0 ses=3 subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 msg='op=locked-password id=1000 exe="/usr/bin/passwd" hostname=ci-vm-10-0-136-73.hosted.upshift.rdu2.redhat.com addr=? terminal=pts/1 res=success'
----
time->Tue Jun 11 11:25:18 2019
type=ACCT_UNLOCK msg=audit(1560266718.671:733): pid=24332 uid=0 auid=0 ses=3 subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 msg='op=unlocked-password id=1000 exe="/usr/bin/passwd" hostname=ci-vm-10-0-136-73.hosted.upshift.rdu2.redhat.com addr=? terminal=pts/1 res=failed'
:: [ 11:25:18 ] :: [   PASS   ] :: Looking for audit event (Expected 0, got 0)
:: [ 11:25:18 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.KR7dwkHG' should contain 'type=ACCT_LOCK' 
:: [ 11:25:18 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.KR7dwkHG' should contain 'type=ACCT_UNLOCK' 
:: [ 11:25:18 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.KR7dwkHG' should contain 'exe="/usr/bin/passwd"' 
:: [ 11:25:18 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.KR7dwkHG' should contain 'res=success' 
:: [ 11:25:18 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.KR7dwkHG' should contain 'res=failed' 
:: [ 11:25:18 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.KR7dwkHG' should not contain '<no matches>' 
--content of  /var/tmp/rlRun_LOG.KR7dwkHG------------
----
time->Tue Jun 11 11:23:53 2019
type=ACCT_LOCK msg=audit(1560266633.439:483): pid=17807 uid=0 auid=0 ses=3 subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 msg='op=locked-password id=1000 exe="/usr/bin/passwd" hostname=ci-vm-10-0-136-73.hosted.upshift.rdu2.redhat.com addr=? terminal=pts/1 res=success'
----
time->Tue Jun 11 11:23:53 2019
type=ACCT_UNLOCK msg=audit(1560266633.458:484): pid=17824 uid=0 auid=0 ses=3 subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 msg='op=unlocked-password id=1000 exe="/usr/bin/passwd" hostname=ci-vm-10-0-136-73.hosted.upshift.rdu2.redhat.com addr=? terminal=pts/1 res=failed'
----
time->Tue Jun 11 11:25:18 2019
type=ACCT_LOCK msg=audit(1560266718.651:732): pid=24315 uid=0 auid=0 ses=3 subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 msg='op=locked-password id=1000 exe="/usr/bin/passwd" hostname=ci-vm-10-0-136-73.hosted.upshift.rdu2.redhat.com addr=? terminal=pts/1 res=success'
----
time->Tue Jun 11 11:25:18 2019
type=ACCT_UNLOCK msg=audit(1560266718.671:733): pid=24332 uid=0 auid=0 ses=3 subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 msg='op=unlocked-password id=1000 exe="/usr/bin/passwd" hostname=ci-vm-10-0-136-73.hosted.upshift.rdu2.redhat.com addr=? terminal=pts/1 res=failed'
--/content of  /var/tmp/rlRun_LOG.KR7dwkHG-----------
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 0s
::   Assertions: 7 good, 0 bad
::   RESULT: PASS (Test)
Comment 10 Jan Houska 2019-06-13 09:29:01 UTC 
https://beaker.engineering.redhat.com/jobs/3600329
Comment 13 errata-xmlrpc 2019-08-06 13:11:12 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2257