Blob Blame History Raw
From 72962208c42ea202f1e31f2f3ac1b523cd545b06 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Fri, 3 Aug 2018 11:33:05 +0200
Subject: [PATCH] Add audit events around user life cycle

---
 Makefile.am        | 18 ++++++-------
 apps/lchage.c      |  5 ++++
 apps/lchsh.c       |  7 +++++
 apps/lgroupadd.c   |  5 ++++
 apps/lgroupdel.c   |  6 +++++
 apps/lgroupmod.c   | 36 +++++++++++++++++++++++++
 apps/luseradd.c    | 16 +++++++++++
 apps/luserdel.c    | 17 ++++++++++++
 apps/lusermod.c    | 38 +++++++++++++++++++++++++-
 configure.ac       | 17 ++++++++++++
 lib/common.c       | 66 +++++++++++++++++++++++++++++++++++++++++++++-
 lib/user_private.h | 15 +++++++++++
 12 files changed, 235 insertions(+), 11 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 080f97e8cc81a77dd0413c3b6fe7fe8002499393..9f099bd71941a869274a502a3130802731d83c24 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -116,7 +116,7 @@ apps_libapputil_la_LDFLAGS = $(GOBJECT_LIBS) -lpam -lpam_misc $(SELINUX_LIBS)
 
 apps_lchage_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS)
 apps_lchage_LDADD = lib/libuser.la $(LTLIBINTL)
-apps_lchage_LDFLAGS = $(GMODULE_LIBS) -lpopt
+apps_lchage_LDFLAGS = $(GMODULE_LIBS) -lpopt $(AUDIT_LIBS)
 
 apps_lchfn_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS)
 apps_lchfn_LDADD = apps/libapputil.la lib/libuser.la $(LTLIBINTL)
@@ -124,19 +124,19 @@ apps_lchfn_LDFLAGS = $(GMODULE_LIBS) -lpopt
 
 apps_lchsh_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS)
 apps_lchsh_LDADD = apps/libapputil.la lib/libuser.la $(LTLIBINTL)
-apps_lchsh_LDFLAGS = $(GMODULE_LIBS) -lpopt
+apps_lchsh_LDFLAGS = $(GMODULE_LIBS) -lpopt $(AUDIT_LIBS)
 
 apps_lgroupadd_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS)
 apps_lgroupadd_LDADD = lib/libuser.la $(LTLIBINTL)
-apps_lgroupadd_LDFLAGS = $(GMODULE_LIBS) -lpopt
+apps_lgroupadd_LDFLAGS = $(GMODULE_LIBS) -lpopt $(AUDIT_LIBS)
 
 apps_lgroupdel_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS)
 apps_lgroupdel_LDADD = lib/libuser.la $(LTLIBINTL)
-apps_lgroupdel_LDFLAGS = $(GMODULE_LIBS) -lpopt
+apps_lgroupdel_LDFLAGS = $(GMODULE_LIBS) -lpopt $(AUDIT_LIBS)
 
 apps_lgroupmod_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS)
 apps_lgroupmod_LDADD = lib/libuser.la $(LTLIBINTL)
-apps_lgroupmod_LDFLAGS = $(GMODULE_LIBS) -lpopt
+apps_lgroupmod_LDFLAGS = $(GMODULE_LIBS) -lpopt $(AUDIT_LIBS)
 
 apps_lid_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS)
 apps_lid_LDADD = lib/libuser.la $(LTLIBINTL)
@@ -152,15 +152,15 @@ apps_lpasswd_LDFLAGS = $(GMODULE_LIBS) -lpopt
 
 apps_luseradd_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS)
 apps_luseradd_LDADD = lib/libuser.la $(LTLIBINTL)
-apps_luseradd_LDFLAGS = $(GMODULE_LIBS) -lpopt
+apps_luseradd_LDFLAGS = $(GMODULE_LIBS) -lpopt $(AUDIT_LIBS)
 
 apps_luserdel_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS)
 apps_luserdel_LDADD = lib/libuser.la $(LTLIBINTL)
-apps_luserdel_LDFLAGS = $(GMODULE_LIBS) -lpopt
+apps_luserdel_LDFLAGS = $(GMODULE_LIBS) -lpopt $(AUDIT_LIBS)
 
 apps_lusermod_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS)
 apps_lusermod_LDADD = lib/libuser.la $(LTLIBINTL)
-apps_lusermod_LDFLAGS = $(GMODULE_LIBS) -lpopt
+apps_lusermod_LDFLAGS = $(GMODULE_LIBS) -lpopt $(AUDIT_LIBS)
 
 lib_libuser_la_SOURCES = lib/common.c lib/config.c lib/entity.c lib/error.c \
 	lib/fs.c lib/getdate.y lib/internal.h lib/misc.c lib/modules.c \
@@ -170,7 +170,7 @@ lib_libuser_la_CPPFLAGS = $(GMODULE_CFLAGS) -Ilib $(LOCALEDIR_CPPFLAGS) \
 	-DMODULEDIR='"$(pkglibdir)"' -DNSCD='"$(NSCD)"' \
 	-DSYSCONFDIR='"$(sysconfdir)"'
 lib_libuser_la_LDFLAGS = $(GMODULE_LIBS) $(CRYPT_LIBS) $(SELINUX_LIBS) \
-	-version-info 6:2:5
+	$(AUDIT_LIBS) -version-info 6:2:5
 lib_libuser_la_LIBADD = $(LTLIBINTL)
 
 modules_libuser_files_la_SOURCES = modules/files.c
diff --git a/apps/lchage.c b/apps/lchage.c
index bad296ccf0755dd6781b1a2e6397dccb1f7dbd12..1a4f04883062cb11f15a2e34d37e127fef2a374e 100644
--- a/apps/lchage.c
+++ b/apps/lchage.c
@@ -29,6 +29,7 @@
 #include <popt.h>
 #include <glib.h>
 #include "../lib/user.h"
+#include "../lib/user_private.h"
 #include "apputil.h"
 
 #define INVALID_LONG LONG_MIN
@@ -239,8 +240,12 @@ main(int argc, const char **argv)
 			fprintf(stderr,
 				_("Failed to modify aging information for %s: "
 				  "%s\n"), user, lu_strerror(error));
+			lu_audit_logger(AUDIT_USER_MGMT, "change-age", user,
+				AUDIT_NO_ID, 0);
 			return 3;
 		}
+		lu_audit_logger(AUDIT_USER_MGMT, "change-age", user,
+				AUDIT_NO_ID, 1);
 
 		lu_nscd_flush_cache(LU_NSCD_CACHE_PASSWD);
 	}
diff --git a/apps/lchsh.c b/apps/lchsh.c
index 7c8a9246d4548a7f6fbacce91cdfdf4372799943..555ed2ea7b0d5a90bf37a7f23c398b382ac45a38 100644
--- a/apps/lchsh.c
+++ b/apps/lchsh.c
@@ -26,6 +26,7 @@
 #include <string.h>
 #include <unistd.h>
 #include "../lib/user.h"
+#include "../lib/user_private.h"
 #include "apputil.h"
 
 int
@@ -120,6 +121,8 @@ main(int argc, const char **argv)
 				      NULL, &error) == FALSE) {
 			fprintf(stderr, _("Shell not changed: %s\n"),
 				lu_strerror(error));
+			lu_audit_logger(AUDIT_USER_MGMT, "change-shell", user,
+				AUDIT_NO_ID, 0);
 			return 1;
 		}
 		/* Modify the in-memory structure's shell attribute. */
@@ -132,9 +135,13 @@ main(int argc, const char **argv)
 		if (lu_user_modify(ctx, ent, &error)) {
 			g_print(_("Shell changed.\n"));
 			lu_nscd_flush_cache(LU_NSCD_CACHE_PASSWD);
+			lu_audit_logger(AUDIT_USER_MGMT, "change-shell", user,
+				AUDIT_NO_ID, 1);
 		} else {
 			fprintf(stderr, _("Shell not changed: %s\n"),
 				lu_strerror(error));
+			lu_audit_logger(AUDIT_USER_MGMT, "change-shell", user,
+				AUDIT_NO_ID, 0);
 			return 1;
 		}
 	}
diff --git a/apps/lgroupadd.c b/apps/lgroupadd.c
index d73ee864adac9e5dbc7d98392190db225d116143..3fa2a1df5ac5838ef256541c07ae6028e4f6a80b 100644
--- a/apps/lgroupadd.c
+++ b/apps/lgroupadd.c
@@ -118,6 +118,8 @@ main(int argc, const char **argv)
 	if (lu_group_add(ctx, ent, &error) == FALSE) {
 		fprintf(stderr, _("Group creation failed: %s\n"),
 			lu_strerror(error));
+		lu_audit_logger(AUDIT_ADD_GROUP, "add-group", name,
+				AUDIT_NO_ID, 0);
 		return 2;
 	}
 
@@ -127,5 +129,8 @@ main(int argc, const char **argv)
 
 	lu_end(ctx);
 
+	lu_audit_logger(AUDIT_ADD_GROUP, "add-group", name,
+				AUDIT_NO_ID, 1);
+
 	return 0;
 }
diff --git a/apps/lgroupdel.c b/apps/lgroupdel.c
index e0fd6c6d42f55eef82f0790f551721972c129b5f..c5ccbed95cb834719cd109a81e6f979bb737dc71 100644
--- a/apps/lgroupdel.c
+++ b/apps/lgroupdel.c
@@ -24,6 +24,7 @@
 #include <locale.h>
 #include <popt.h>
 #include "../lib/user.h"
+#include "../lib/user_private.h"
 #include "apputil.h"
 
 int
@@ -90,6 +91,8 @@ main(int argc, const char **argv)
 	if (lu_group_delete(ctx, ent, &error) == FALSE) {
 		fprintf(stderr, _("Group %s could not be deleted: %s\n"),
 			group, lu_strerror(error));
+		lu_audit_logger(AUDIT_DEL_GROUP, "delete-group", group,
+				AUDIT_NO_ID, 0);
 		return 3;
 	}
 
@@ -99,5 +102,8 @@ main(int argc, const char **argv)
 
 	lu_end(ctx);
 
+	lu_audit_logger(AUDIT_DEL_GROUP, "delete-group", group,
+			AUDIT_NO_ID, 1);
+
 	return 0;
 }
diff --git a/apps/lgroupmod.c b/apps/lgroupmod.c
index 21170e06f37370d7b2f2d936048ae7abf24fd181..0ad0ae4f39d32435b4668ef15ec678d8ea319e5c 100644
--- a/apps/lgroupmod.c
+++ b/apps/lgroupmod.c
@@ -138,8 +138,14 @@ main(int argc, const char **argv)
 		    == FALSE) {
 			fprintf(stderr, _("Failed to set password for group "
 				"%s: %s\n"), group, lu_strerror(error));
+			lu_audit_logger(AUDIT_GRP_MGMT,
+					"changing-group-passwd", group,
+					AUDIT_NO_ID, 0);
 			return 4;
 		}
+		lu_audit_logger(AUDIT_GRP_MGMT,
+				"changing-group-passwd", group,
+				AUDIT_NO_ID, 1);
 	}
 
 	if (cryptedUserPassword) {
@@ -147,8 +153,14 @@ main(int argc, const char **argv)
 				     &error) == FALSE) {
 			fprintf(stderr, _("Failed to set password for group "
 				"%s: %s\n"), group, lu_strerror(error));
+			lu_audit_logger(AUDIT_GRP_MGMT,
+					"changing-group-passwd", group,
+					AUDIT_NO_ID, 0);
 			return 5;
 		}
+		lu_audit_logger(AUDIT_GRP_MGMT,
+				"changing-group-passwd", group,
+				AUDIT_NO_ID, 1);
 	}
 
 	if (lock) {
@@ -156,8 +168,14 @@ main(int argc, const char **argv)
 			fprintf(stderr,
 				_("Group %s could not be locked: %s\n"), group,
 				lu_strerror(error));
+			lu_audit_logger(AUDIT_GRP_MGMT,
+					"changing-group-lock", group,
+					AUDIT_NO_ID, 0);
 			return 6;
 		}
+		lu_audit_logger(AUDIT_GRP_MGMT,
+				"changing-group-lock", group,
+				AUDIT_NO_ID, 1);
 	}
 
 	if (unlock) {
@@ -165,8 +183,14 @@ main(int argc, const char **argv)
 			fprintf(stderr,
 				_("Group %s could not be unlocked: %s\n"),
 				group, lu_strerror(error));
+			lu_audit_logger(AUDIT_GRP_MGMT,
+					"changing-group-lock", group,
+					AUDIT_NO_ID, 0);
 			return 7;
 		}
+		lu_audit_logger(AUDIT_GRP_MGMT,
+				"changing-group-lock", group,
+				AUDIT_NO_ID, 1);
 	}
 
 	change = gid || addAdmins || remAdmins || addMembers || remMembers;
@@ -241,8 +265,14 @@ main(int argc, const char **argv)
 	if (change && lu_group_modify(ctx, ent, &error) == FALSE) {
 		fprintf(stderr, _("Group %s could not be modified: %s\n"),
 			group, lu_strerror(error));
+		lu_audit_logger(AUDIT_GRP_MGMT,
+				"changing-group-members", group,
+				AUDIT_NO_ID, 0);
 		return 8;
 	}
+	lu_audit_logger(AUDIT_GRP_MGMT,
+			"changing-group-members", group,
+			AUDIT_NO_ID, 1);
 	if (gidNumber != LU_VALUE_INVALID_ID) {
 		users = lu_users_enumerate_by_group_full(ctx, gid, &error);
 
@@ -256,8 +286,14 @@ main(int argc, const char **argv)
 			fprintf(stderr,
 				_("Group %s could not be modified: %s\n"),
 				group, lu_strerror(error));
+			lu_audit_logger(AUDIT_GRP_MGMT,
+				"changing-group-id", group,
+				AUDIT_NO_ID, 0);
 			return 8;
 		}
+		lu_audit_logger(AUDIT_GRP_MGMT,
+			"changing-group-id", group,
+			AUDIT_NO_ID, 1);
 	}
 
 	lu_ent_free(ent);
diff --git a/apps/luseradd.c b/apps/luseradd.c
index 7839183c00f892ad50f77f5aed6ada07cd3c125b..9d7f4f10a9c6f849e551f017f05c2e67e4a56259 100644
--- a/apps/luseradd.c
+++ b/apps/luseradd.c
@@ -210,8 +210,12 @@ main(int argc, const char **argv)
 				lu_error_free(&error);
 			}
 			lu_end(ctx);
+			lu_audit_logger(AUDIT_ADD_GROUP, "add-group", name,
+					AUDIT_NO_ID, 0);
 			return 1;
 		}
+		lu_audit_logger(AUDIT_ADD_GROUP, "add-group", name,
+				AUDIT_NO_ID, 1);
 	}
 
 	/* Retrieve the group ID. */
@@ -259,9 +263,13 @@ main(int argc, const char **argv)
 	if (lu_user_add(ctx, ent, &error) == FALSE) {
 		fprintf(stderr, _("Account creation failed: %s.\n"),
 			lu_strerror(error));
+		lu_audit_logger(AUDIT_ADD_USER, "add-user", name,
+					AUDIT_NO_ID, 0);
+
 		return 3;
 	}
         lu_nscd_flush_cache(LU_NSCD_CACHE_PASSWD);
+	lu_audit_logger(AUDIT_ADD_USER, "add-user", name, AUDIT_NO_ID, 1);
 
 	/* If we don't have the the don't-create-home flag, create the user's
 	 * home directory. */
@@ -282,8 +290,12 @@ main(int argc, const char **argv)
 					&error) == FALSE) {
 			fprintf(stderr, _("Error creating %s: %s.\n"),
 				homeDirectory, lu_strerror(error));
+			lu_audit_logger(AUDIT_USER_MGMT, "add-home-dir", name,
+				uidNumber, 0);
 			return 7;
 		}
+		lu_audit_logger(AUDIT_USER_MGMT, "add-home-dir", name,
+				uidNumber, 1);
 
 		/* Create a mail spool for the user. */
 		if (lu_mail_spool_create(ctx, ent, &error) != TRUE) {
@@ -311,8 +323,12 @@ main(int argc, const char **argv)
 			fprintf(stderr, _("Error setting password for user "
 					  "%s: %s.\n"), name,
 				lu_strerror(error));
+			lu_audit_logger(AUDIT_USER_CHAUTHTOK, "updating-password",
+					name, uidNumber, 0);
 			return 3;
 		}
+		lu_audit_logger(AUDIT_USER_CHAUTHTOK, "updating-password",
+					name, uidNumber, 1);
 	}
 	lu_nscd_flush_cache(LU_NSCD_CACHE_PASSWD);
 
diff --git a/apps/luserdel.c b/apps/luserdel.c
index 2f39a4ffb8ae47ac5dc3c84270b54a8ca68c7403..7e20fa7ea9bf4082967bc6931a8557936bfda0a2 100644
--- a/apps/luserdel.c
+++ b/apps/luserdel.c
@@ -26,6 +26,7 @@
 #include <string.h>
 #include <unistd.h>
 #include "../lib/user.h"
+#include "../lib/user_private.h"
 #include "apputil.h"
 
 int
@@ -93,8 +94,12 @@ main(int argc, const char **argv)
 	if (lu_user_delete(ctx, ent, &error) == FALSE) {
 		fprintf(stderr, _("User %s could not be deleted: %s.\n"),
 			user, lu_strerror(error));
+		lu_audit_logger(AUDIT_DEL_USER, "delete-user", user,
+				AUDIT_NO_ID, 0);
 		return 3;
 	}
+	lu_audit_logger(AUDIT_DEL_USER, "delete-user", user,
+			AUDIT_NO_ID, 1);
 
 	lu_nscd_flush_cache(LU_NSCD_CACHE_PASSWD);
 
@@ -126,9 +131,15 @@ main(int argc, const char **argv)
 				fprintf(stderr, _("Group %s could not be "
 						  "deleted: %s.\n"), tmp,
 					lu_strerror(error));
+				lu_audit_logger_with_group (AUDIT_DEL_GROUP,
+					"delete-group", user, AUDIT_NO_ID,
+					tmp, 0);
 				return 7;
 			}
 		}
+		lu_audit_logger_with_group (AUDIT_DEL_GROUP,
+					    "delete-group", user,
+					    AUDIT_NO_ID, tmp, 1);
 		lu_ent_free(group_ent);
 		lu_nscd_flush_cache(LU_NSCD_CACHE_GROUP);
 	}
@@ -138,8 +149,14 @@ main(int argc, const char **argv)
 			fprintf(stderr,
 				_("Error removing home directory: %s.\n"),
 				lu_strerror(error));
+			lu_audit_logger(AUDIT_USER_MGMT,
+					"deleting-home-directory", user,
+					AUDIT_NO_ID, 0);
 			return 9;
 		}
+		lu_audit_logger(AUDIT_USER_MGMT, "deleting-home-directory", user,
+				AUDIT_NO_ID, 1);
+
 		/* Delete the user's mail spool. */
 		if (lu_mail_spool_remove(ctx, ent, &error) != TRUE) {
 			fprintf(stderr, _("Error removing mail spool: %s"),
diff --git a/apps/lusermod.c b/apps/lusermod.c
index afec147475736f0b814b5e1f30c77064f3915c20..143157f114c93960fb879d9e6e0c1fb914f3ffcb 100644
--- a/apps/lusermod.c
+++ b/apps/lusermod.c
@@ -179,8 +179,13 @@ main(int argc, const char **argv)
 			fprintf(stderr,
 				_("Failed to set password for user %s: %s.\n"),
 				user, lu_strerror(error));
+			lu_audit_logger(AUDIT_USER_CHAUTHTOK, 
+					"updating-password", user,
+					uidNumber, 0);
 			return 5;
 		}
+		lu_audit_logger(AUDIT_USER_CHAUTHTOK, "updating-password",
+				user, uidNumber, 0);
 	}
 
 	/* If we need to change a user's crypted password, try to change it,
@@ -192,8 +197,13 @@ main(int argc, const char **argv)
 			fprintf(stderr,
 				_("Failed to set password for user %s: %s.\n"),
 				user, lu_strerror(error));
+			lu_audit_logger(AUDIT_USER_CHAUTHTOK, 
+					"updating-password", user,
+					uidNumber, 0);
 			return 6;
 		}
+		lu_audit_logger(AUDIT_USER_CHAUTHTOK, "updating-password",
+				user, uidNumber, 0);
 	}
 
 	/* If we need to lock/unlock the user's account, do that. */
@@ -202,16 +212,26 @@ main(int argc, const char **argv)
 			fprintf(stderr,
 				_("User %s could not be locked: %s.\n"),
 				user, lu_strerror(error));
+			lu_audit_logger(AUDIT_USER_CHAUTHTOK, 
+					"locking-account", user,
+					uidNumber, 0);
 			return 7;
 		}
+		lu_audit_logger(AUDIT_USER_CHAUTHTOK, "locking-account",
+				user, uidNumber, 0);
 	}
 	if (unlock) {
 		if (lu_user_unlock(ctx, ent, &error) == FALSE) {
 			fprintf(stderr,
 				_("User %s could not be unlocked: %s.\n"),
 				user, lu_strerror(error));
+			lu_audit_logger(AUDIT_USER_CHAUTHTOK, 
+					"unlocking-account", user,
+					uidNumber, 0);
 			return 8;
 		}
+		lu_audit_logger(AUDIT_USER_CHAUTHTOK, "unlocking-account",
+				user, uidNumber, 0);
 	}
 
 	/* Determine if we actually need to change anything. */
@@ -274,8 +294,13 @@ main(int argc, const char **argv)
 	if (change && (lu_user_modify(ctx, ent, &error) == FALSE)) {
 		fprintf(stderr, _("User %s could not be modified: %s.\n"),
 			user, lu_strerror(error));
+			lu_audit_logger(AUDIT_USER_MGMT, 
+					"modify-account", user,
+					uidNumber, 0);
 		return 9;
 	}
+	lu_audit_logger(AUDIT_USER_MGMT, "modify-account",
+			user, uidNumber, 1);
 	lu_nscd_flush_cache(LU_NSCD_CACHE_PASSWD);
 
 	/* If the user's name changed, we need to update supplemental
@@ -322,12 +347,19 @@ main(int argc, const char **argv)
 				}
 			}
 			/* Save the changes to the group. */
-			if (lu_group_modify(ctx, group, &error) == FALSE)
+			if (lu_group_modify(ctx, group, &error) == FALSE) {
 				fprintf(stderr, _("Group %s could not be "
 						  "modified: %s.\n"),
 					lu_ent_get_first_string(group,
 								LU_GROUPNAME),
 					lu_strerror(error));
+				lu_audit_logger_with_group(AUDIT_USER_MGMT, 
+						    "update-member-in-group", user, uidNumber,
+						    lu_ent_get_first_string(group, LU_GROUPNAME),0);
+			} else
+				lu_audit_logger_with_group(AUDIT_USER_MGMT, 
+						    "update-member-in-group", user, uidNumber,
+						    lu_ent_get_first_string(group, LU_GROUPNAME),1);
 			lu_ent_free(group);
 		}
 		g_ptr_array_free(groups, TRUE);
@@ -353,8 +385,12 @@ main(int argc, const char **argv)
 			fprintf(stderr, _("Error moving %s to %s: %s.\n"),
 				oldHomeDirectory, homeDirectory,
 				lu_strerror(error));
+			lu_audit_logger(AUDIT_USER_MGMT, "moving-home-dir",
+					user, uidNumber, 0);
 			return 12;
 		}
+		lu_audit_logger(AUDIT_USER_MGMT, "moving-home-dir",
+				user, uidNumber, 1);
 	}
 	g_free(oldHomeDirectory);
 
diff --git a/configure.ac b/configure.ac
index 3e68b16a1f65ff5e5e3e905c1ffce8993e562176..0bd4a67d4c77fa1b701d74dbeab908a192dbf4d7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -118,6 +118,23 @@ if test "x$selinux" != xno ; then
 fi
 AC_SUBST(SELINUX_LIBS)
 
+AC_ARG_WITH(audit,
+AS_HELP_STRING([--with-audit],[log using Linux Audit in addition to syslog]),
+use_audit=$withval,
+use_audit=auto)
+if test x$use_audit != xno ; then
+        AC_SEARCH_LIBS([audit_open], [audit])
+        if test x$ac_cv_search_audit_open = xno ; then
+                if test x$use_audit != xauto ; then
+                        AC_MSG_ERROR([requested Linux Audit, but libaudit was not found])
+                fi
+        else
+                AC_DEFINE(WITH_AUDIT,1,[Define if you want to use Linux Audit.])
+		AUDIT_LIBS=-laudit
+        fi
+fi
+AC_SUBST(AUDIT_LIBS)
+
 AC_C_CONST
 AC_TYPE_UID_T
 AC_TYPE_MODE_T
diff --git a/lib/common.c b/lib/common.c
index fc5df7461111908ff3eae59608ce0a51d62e155e..dce7e570ec9c92b56b28f15ab503fb7a641b660e 100644
--- a/lib/common.c
+++ b/lib/common.c
@@ -16,9 +16,10 @@
  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
  */
 
-#include <config.h>
+#include "config.h"
 #include <glib.h>
 #include <string.h>
+#include <stdlib.h>
 
 #include "internal.h"
 #include "user_private.h"
@@ -111,3 +112,66 @@ lu_common_sgroup_default(struct lu_module *module,
 	g_return_val_if_fail(name != NULL, FALSE);
 	return lu_common_group_default(module, name, is_system, ent, error);
 }
+
+#ifdef WITH_AUDIT
+static int audit_fd = 0;
+
+/* result - 1 is "success" and 0 is "failed" */
+void lu_audit_logger(int type, const char *op, const char *name,
+                        unsigned int id, unsigned int result)
+{
+	if (audit_fd == 0) {
+		/* First time through */
+		audit_fd = audit_open();
+		if (audit_fd < 0) {
+			/* You get these only when the kernel doesn't have
+			 * audit compiled in. */
+			if (	   (errno == EINVAL)
+				|| (errno == EPROTONOSUPPORT)
+				|| (errno == EAFNOSUPPORT))
+					return;
+			fputs("Cannot open audit interface - aborting.\n", stderr);
+			exit(EXIT_FAILURE);
+		}
+	}
+	if (audit_fd < 0)
+		return;
+	audit_log_acct_message(audit_fd, type, NULL, op, name, id,
+		NULL, NULL, NULL, (int) result);
+}
+
+/* result - 1 is "success" and 0 is "failed" */
+void lu_audit_logger_with_group (int type, const char *op, const char *name,
+		unsigned int id, const char *grp, unsigned int result)
+{
+	int len;
+	char enc_group[(LOGIN_NAME_MAX*2)+1], buf[1024];
+
+	if (audit_fd == 0) {
+		/* First time through */
+		audit_fd = audit_open();
+		if (audit_fd < 0) {
+			/* You get these only when the kernel doesn't have
+			 * audit compiled in. */
+			if (	   (errno == EINVAL)
+				|| (errno == EPROTONOSUPPORT)
+				|| (errno == EAFNOSUPPORT))
+					return;
+			fputs("Cannot open audit interface - aborting.\n", stderr);
+			exit(EXIT_FAILURE);
+		}
+	}
+	if (audit_fd < 0)
+		return;
+	len = strnlen(grp, sizeof(enc_group)/2);
+	if (audit_value_needs_encoding(grp, len)) {
+		snprintf(buf, sizeof(buf), "%s grp=%s", op,
+			audit_encode_value(enc_group, grp, len));
+	} else {
+		snprintf(buf, sizeof(buf), "%s grp=\"%s\"", op, grp);
+	}
+	audit_log_acct_message(audit_fd, type, NULL, buf, name, id,
+			NULL, NULL, NULL, (int) result);
+}
+#endif
+
diff --git a/lib/user_private.h b/lib/user_private.h
index a4869c138d51519539b6939406cdb0fee23ab7f6..02b813c47ee359db774bb85a2aa7aa12e18d3067 100644
--- a/lib/user_private.h
+++ b/lib/user_private.h
@@ -34,6 +34,9 @@
 #ifdef WITH_SELINUX
 #include <selinux/selinux.h>
 #endif
+#ifdef WITH_AUDIT
+#include <libaudit.h>
+#endif
 #include "user.h"
 
 G_BEGIN_DECLS
@@ -357,6 +360,18 @@ id_t lu_get_first_unused_id(struct lu_context *ctx, enum lu_entity_type type,
 /* Append a copy of VALUES to DEST */
 void lu_util_append_values(GValueArray *dest, GValueArray *values);
 
+#ifdef WITH_AUDIT
+void lu_audit_logger(int type, const char *op, const char *name,
+		     unsigned int id, unsigned int result);
+void lu_audit_logger_with_group(int type, const char *op, const char *name,
+				 unsigned int id, const char *grp,
+				 unsigned int result);
+#else
+#define lu_audit_logger(a, b, c, d, e)
+#define lu_audit_logger_with_group(a, b, c, d, e, f)
+#endif
+#define AUDIT_NO_ID	((unsigned int) -1)
+
 G_END_DECLS
 
 #endif
-- 
2.17.1