PR#2: Add custom logging patches - rpms/bash

rpms / bash

#2 Add custom logging patches

Merged 12 months ago by dcavalca. Opened a year ago by rcolebaugh.

rpms/ rcolebaugh/bash c9s-sig-hyperscale into c9s-sig-hyperscale

fix and bump changelog date

Raymond Colebaugh • 12 months ago

61f98b

Add custom logging patches

Raymond Colebaugh • a year ago

7bac1e

bash.spec

file modified

+15 -1

		`@@ -1,12 +1,13 @@`
		`#% define beta_tag rc2`
		`%define patchleveltag .8`
		`%define baseversion 5.1`
		`+ %define hyperscale_rel 1`
		`%bcond_without tests`

		`Version: %{baseversion}%{patchleveltag}`
		`Name: bash`
		`Summary: The GNU Bourne Again shell`
		`- Release: 6%{?dist}`
		`+ Release: 6.%{hyperscale_rel}%{?dist}`
		`License: GPLv3+`
		`Url: https://www.gnu.org/software/bash`
		`Source0: https://ftp.gnu.org/gnu/bash/bash-%{baseversion}.tar.gz`
		`@@ -93,6 +94,11 @@`
		`# 2141576 - CVE-2022-3715 bash: a heap-buffer-overflow in valid_parameter_transform`
		`Patch130: bash-5.2-check-xform.patch`

		`+ %if 0%{?facebook}`
		`+ Patch0: fb-Configure-bash-to-log-the-commands-to-authpriv.patch`
		`+ Patch12: fb-Add-SSH-session-ID-to-bash-syslog-logging.patch`
		`+ %endif`
		`+`
		`BuildRequires: gcc`
		`BuildRequires: texinfo bison`
		`BuildRequires: ncurses-devel`
		`@@ -140,7 +146,11 @@`
		`# Recycles pids is neccessary. When bash's last fork's pid was X`
		`# and new fork's pid is also X, bash has to wait for this same pid.`
		`# Without Recycles pids bash will not wait.`
		`+ %if 0%{?facebook}`
		+ MFLAGS="CPPFLAGS=-D_GNU_SOURCE -DRECYCLES_PIDS -DDEFAULT_PATH_VALUE='\"/usr/local/bin:/usr/bin\"' `getconf LFS_CFLAGS` -DSYSLOG_HISTORY"
		`+ %else`
		MFLAGS="CPPFLAGS=-D_GNU_SOURCE -DRECYCLES_PIDS -DDEFAULT_PATH_VALUE='\"/usr/local/bin:/usr/bin\"' `getconf LFS_CFLAGS` -DSYSLOG_HISTORY -DSYSLOG_SHOPT=0"
		`+ %endif`

		`# work around missing deps in Makefiles`
		`make "$MFLAGS" version.h`
		`@@ -324,6 +334,10 @@`
		`%{_libdir}/pkgconfig/%{name}.pc`

		`%changelog`
		`+ * Wed May 24 2023 Raymond Colebaugh <raymondcolebaugh@gmail.com> - 5.1.8-6.1`
		`+ - Add SSH session ID to bash syslog logging`
		`+ - Configure bash to log the commands to authpriv`
		`+`
		`* Tue Nov 22 2022 Siteshwar Vashisht <svashisht@redhat.com> - 5.1.8-6`
		`- Add a null check in parameter_brace_transform() function`
		`Resolves: CVE-2022-3715`

fb-Add-SSH-session-ID-to-bash-syslog-logging.patch

file added

+79

		`@@ -0,0 +1,79 @@`
		`+ Index: b/bashhist.c`
		`+ ===================================================================`
		`+ --- a/bashhist.c`
		`+ +++ b/bashhist.c`
		`+ @@ -266,6 +266,44 @@ bash_history_inhibit_expansion (string, i)`
		`+ }`
		`+ #endif`
		`+`
		`+ +#if defined (SYSLOG_HISTORY)`
		`+ +#define SESSION_ID_MAXLEN 100`
		`+ +`
		`+ +static char *session_id = NULL;`
		`+ +`
		`+ +static void`
		`+ +bash_initialize_session_id ()`
		`+ +{`
		`+ + const char *env_var = get_string_value ("LOG_SESSION_ID");`
		`+ + if (!env_var) {`
		`+ + session_id = "";`
		`+ + return;`
		`+ + }`
		`+ + const int env_var_len = strlen(env_var);`
		`+ + if (env_var_len == 0) {`
		`+ + session_id = "";`
		`+ + return;`
		`+ + }`
		`+ + const int size = env_var_len < SESSION_ID_MAXLEN ? (env_var_len + 1) : SESSION_ID_MAXLEN;`
		`+ + char trunc = (char )malloc (size);`
		`+ + strncpy (trunc, env_var, size - 1);`
		`+ + trunc[size - 1] = '\0';`
		`+ + session_id = trunc;`
		`+ +}`
		`+ +`
		`+ +static const char *`
		`+ +bash_get_session_id () {`
		`+ + if (!session_id) bash_initialize_session_id ();`
		`+ + return session_id;`
		`+ +}`
		`+ +`
		`+ +static void`
		`+ +bash_cleanup_session_id () {`
		`+ + if (session_id && *session_id) free(session_id);`
		`+ + session_id = NULL;`
		`+ +}`
		`+ +#endif`
		`+ +`
		`+ void`
		`+ bash_initialize_history ()`
		`+ {`
		`+ @@ -275,6 +313,9 @@ bash_initialize_history ()`
		`+ history_inhibit_expansion_function = bash_history_inhibit_expansion;`
		`+ sv_histchars ("histchars");`
		`+ #endif`
		`+ +#if defined (SYSLOG_HISTORY)`
		`+ + bash_initialize_session_id ();`
		`+ +#endif`
		`+ }`
		`+`
		`+ void`
		`+ @@ -509,6 +550,9 @@ maybe_save_shell_history ()`
		`+ sv_histsize ("HISTFILESIZE");`
		`+ }`
		`+ }`
		`+ +#if defined (SYSLOG_HISTORY)`
		`+ + bash_cleanup_session_id ();`
		`+ +#endif`
		`+ return (result);`
		`+ }`
		`+`
		`+ @@ -879,7 +879,8 @@ bash_syslog_history (line)`
		`+ first = 0;`
		`+ }`
		`+`
		`+ - hdrlen = snprintf (loghdr, sizeof(loghdr), "HISTORY: PID=%d UID=%d", getpid(), current_user.uid);`
		`+ + const char *user_name = current_user.user_name ?: "";`
		`+ + hdrlen = snprintf (loghdr, sizeof(loghdr), "HISTORY: PID=%d UID=%d USER=%s LOG_SESSION_ID=%s", getpid(), current_user.uid, user_name, bash_get_session_id());`
		`+ msglen = strlen (line);`
		`+`
		`+ if ((msglen + hdrlen + 1) < SYSLOG_MAXLEN)`

fb-Configure-bash-to-log-the-commands-to-authpriv.patch

file added

+16

		`@@ -0,0 +1,16 @@`
		`+ Index: b/config-top.h`
		`+ ===================================================================`
		`+ --- a/config-top.h`
		`+ +++ b/config-top.h`
		`+ @@ -117,9 +117,9 @@`
		`+`
		`+ /* Define if you want each line saved to the history list in bashhist.c:`
		`+ bash_add_history() to be sent to syslog(). */`
		`+ -/* #define SYSLOG_HISTORY */`
		`+ +#define SYSLOG_HISTORY`
		`+ #if defined (SYSLOG_HISTORY)`
		`+ -# define SYSLOG_FACILITY LOG_USER`
		`+ +# define SYSLOG_FACILITY LOG_AUTHPRIV`
		`+ # define SYSLOG_LEVEL LOG_INFO`
		`+ # define OPENLOG_OPTS LOG_PID`
		`+ #endif`