From 72962208c42ea202f1e31f2f3ac1b523cd545b06 Mon Sep 17 00:00:00 2001 From: Steve Grubb Date: Fri, 3 Aug 2018 11:33:05 +0200 Subject: [PATCH] Add audit events around user life cycle --- Makefile.am | 18 ++++++------- apps/lchage.c | 5 ++++ apps/lchsh.c | 7 +++++ apps/lgroupadd.c | 5 ++++ apps/lgroupdel.c | 6 +++++ apps/lgroupmod.c | 36 +++++++++++++++++++++++++ apps/luseradd.c | 16 +++++++++++ apps/luserdel.c | 17 ++++++++++++ apps/lusermod.c | 38 +++++++++++++++++++++++++- configure.ac | 17 ++++++++++++ lib/common.c | 66 +++++++++++++++++++++++++++++++++++++++++++++- lib/user_private.h | 15 +++++++++++ 12 files changed, 235 insertions(+), 11 deletions(-) diff --git a/Makefile.am b/Makefile.am index 080f97e8cc81a77dd0413c3b6fe7fe8002499393..9f099bd71941a869274a502a3130802731d83c24 100644 --- a/Makefile.am +++ b/Makefile.am @@ -116,7 +116,7 @@ apps_libapputil_la_LDFLAGS = $(GOBJECT_LIBS) -lpam -lpam_misc $(SELINUX_LIBS) apps_lchage_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS) apps_lchage_LDADD = lib/libuser.la $(LTLIBINTL) -apps_lchage_LDFLAGS = $(GMODULE_LIBS) -lpopt +apps_lchage_LDFLAGS = $(GMODULE_LIBS) -lpopt $(AUDIT_LIBS) apps_lchfn_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS) apps_lchfn_LDADD = apps/libapputil.la lib/libuser.la $(LTLIBINTL) @@ -124,19 +124,19 @@ apps_lchfn_LDFLAGS = $(GMODULE_LIBS) -lpopt apps_lchsh_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS) apps_lchsh_LDADD = apps/libapputil.la lib/libuser.la $(LTLIBINTL) -apps_lchsh_LDFLAGS = $(GMODULE_LIBS) -lpopt +apps_lchsh_LDFLAGS = $(GMODULE_LIBS) -lpopt $(AUDIT_LIBS) apps_lgroupadd_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS) apps_lgroupadd_LDADD = lib/libuser.la $(LTLIBINTL) -apps_lgroupadd_LDFLAGS = $(GMODULE_LIBS) -lpopt +apps_lgroupadd_LDFLAGS = $(GMODULE_LIBS) -lpopt $(AUDIT_LIBS) apps_lgroupdel_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS) apps_lgroupdel_LDADD = lib/libuser.la $(LTLIBINTL) -apps_lgroupdel_LDFLAGS = $(GMODULE_LIBS) -lpopt +apps_lgroupdel_LDFLAGS = $(GMODULE_LIBS) -lpopt $(AUDIT_LIBS) apps_lgroupmod_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS) apps_lgroupmod_LDADD = lib/libuser.la $(LTLIBINTL) -apps_lgroupmod_LDFLAGS = $(GMODULE_LIBS) -lpopt +apps_lgroupmod_LDFLAGS = $(GMODULE_LIBS) -lpopt $(AUDIT_LIBS) apps_lid_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS) apps_lid_LDADD = lib/libuser.la $(LTLIBINTL) @@ -152,15 +152,15 @@ apps_lpasswd_LDFLAGS = $(GMODULE_LIBS) -lpopt apps_luseradd_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS) apps_luseradd_LDADD = lib/libuser.la $(LTLIBINTL) -apps_luseradd_LDFLAGS = $(GMODULE_LIBS) -lpopt +apps_luseradd_LDFLAGS = $(GMODULE_LIBS) -lpopt $(AUDIT_LIBS) apps_luserdel_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS) apps_luserdel_LDADD = lib/libuser.la $(LTLIBINTL) -apps_luserdel_LDFLAGS = $(GMODULE_LIBS) -lpopt +apps_luserdel_LDFLAGS = $(GMODULE_LIBS) -lpopt $(AUDIT_LIBS) apps_lusermod_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS) apps_lusermod_LDADD = lib/libuser.la $(LTLIBINTL) -apps_lusermod_LDFLAGS = $(GMODULE_LIBS) -lpopt +apps_lusermod_LDFLAGS = $(GMODULE_LIBS) -lpopt $(AUDIT_LIBS) lib_libuser_la_SOURCES = lib/common.c lib/config.c lib/entity.c lib/error.c \ lib/fs.c lib/getdate.y lib/internal.h lib/misc.c lib/modules.c \ @@ -170,7 +170,7 @@ lib_libuser_la_CPPFLAGS = $(GMODULE_CFLAGS) -Ilib $(LOCALEDIR_CPPFLAGS) \ -DMODULEDIR='"$(pkglibdir)"' -DNSCD='"$(NSCD)"' \ -DSYSCONFDIR='"$(sysconfdir)"' lib_libuser_la_LDFLAGS = $(GMODULE_LIBS) $(CRYPT_LIBS) $(SELINUX_LIBS) \ - -version-info 6:2:5 + $(AUDIT_LIBS) -version-info 6:2:5 lib_libuser_la_LIBADD = $(LTLIBINTL) modules_libuser_files_la_SOURCES = modules/files.c diff --git a/apps/lchage.c b/apps/lchage.c index bad296ccf0755dd6781b1a2e6397dccb1f7dbd12..1a4f04883062cb11f15a2e34d37e127fef2a374e 100644 --- a/apps/lchage.c +++ b/apps/lchage.c @@ -29,6 +29,7 @@ #include #include #include "../lib/user.h" +#include "../lib/user_private.h" #include "apputil.h" #define INVALID_LONG LONG_MIN @@ -239,8 +240,12 @@ main(int argc, const char **argv) fprintf(stderr, _("Failed to modify aging information for %s: " "%s\n"), user, lu_strerror(error)); + lu_audit_logger(AUDIT_USER_MGMT, "change-age", user, + AUDIT_NO_ID, 0); return 3; } + lu_audit_logger(AUDIT_USER_MGMT, "change-age", user, + AUDIT_NO_ID, 1); lu_nscd_flush_cache(LU_NSCD_CACHE_PASSWD); } diff --git a/apps/lchsh.c b/apps/lchsh.c index 7c8a9246d4548a7f6fbacce91cdfdf4372799943..555ed2ea7b0d5a90bf37a7f23c398b382ac45a38 100644 --- a/apps/lchsh.c +++ b/apps/lchsh.c @@ -26,6 +26,7 @@ #include #include #include "../lib/user.h" +#include "../lib/user_private.h" #include "apputil.h" int @@ -120,6 +121,8 @@ main(int argc, const char **argv) NULL, &error) == FALSE) { fprintf(stderr, _("Shell not changed: %s\n"), lu_strerror(error)); + lu_audit_logger(AUDIT_USER_MGMT, "change-shell", user, + AUDIT_NO_ID, 0); return 1; } /* Modify the in-memory structure's shell attribute. */ @@ -132,9 +135,13 @@ main(int argc, const char **argv) if (lu_user_modify(ctx, ent, &error)) { g_print(_("Shell changed.\n")); lu_nscd_flush_cache(LU_NSCD_CACHE_PASSWD); + lu_audit_logger(AUDIT_USER_MGMT, "change-shell", user, + AUDIT_NO_ID, 1); } else { fprintf(stderr, _("Shell not changed: %s\n"), lu_strerror(error)); + lu_audit_logger(AUDIT_USER_MGMT, "change-shell", user, + AUDIT_NO_ID, 0); return 1; } } diff --git a/apps/lgroupadd.c b/apps/lgroupadd.c index d73ee864adac9e5dbc7d98392190db225d116143..3fa2a1df5ac5838ef256541c07ae6028e4f6a80b 100644 --- a/apps/lgroupadd.c +++ b/apps/lgroupadd.c @@ -118,6 +118,8 @@ main(int argc, const char **argv) if (lu_group_add(ctx, ent, &error) == FALSE) { fprintf(stderr, _("Group creation failed: %s\n"), lu_strerror(error)); + lu_audit_logger(AUDIT_ADD_GROUP, "add-group", name, + AUDIT_NO_ID, 0); return 2; } @@ -127,5 +129,8 @@ main(int argc, const char **argv) lu_end(ctx); + lu_audit_logger(AUDIT_ADD_GROUP, "add-group", name, + AUDIT_NO_ID, 1); + return 0; } diff --git a/apps/lgroupdel.c b/apps/lgroupdel.c index e0fd6c6d42f55eef82f0790f551721972c129b5f..c5ccbed95cb834719cd109a81e6f979bb737dc71 100644 --- a/apps/lgroupdel.c +++ b/apps/lgroupdel.c @@ -24,6 +24,7 @@ #include #include #include "../lib/user.h" +#include "../lib/user_private.h" #include "apputil.h" int @@ -90,6 +91,8 @@ main(int argc, const char **argv) if (lu_group_delete(ctx, ent, &error) == FALSE) { fprintf(stderr, _("Group %s could not be deleted: %s\n"), group, lu_strerror(error)); + lu_audit_logger(AUDIT_DEL_GROUP, "delete-group", group, + AUDIT_NO_ID, 0); return 3; } @@ -99,5 +102,8 @@ main(int argc, const char **argv) lu_end(ctx); + lu_audit_logger(AUDIT_DEL_GROUP, "delete-group", group, + AUDIT_NO_ID, 1); + return 0; } diff --git a/apps/lgroupmod.c b/apps/lgroupmod.c index 21170e06f37370d7b2f2d936048ae7abf24fd181..0ad0ae4f39d32435b4668ef15ec678d8ea319e5c 100644 --- a/apps/lgroupmod.c +++ b/apps/lgroupmod.c @@ -138,8 +138,14 @@ main(int argc, const char **argv) == FALSE) { fprintf(stderr, _("Failed to set password for group " "%s: %s\n"), group, lu_strerror(error)); + lu_audit_logger(AUDIT_GRP_MGMT, + "changing-group-passwd", group, + AUDIT_NO_ID, 0); return 4; } + lu_audit_logger(AUDIT_GRP_MGMT, + "changing-group-passwd", group, + AUDIT_NO_ID, 1); } if (cryptedUserPassword) { @@ -147,8 +153,14 @@ main(int argc, const char **argv) &error) == FALSE) { fprintf(stderr, _("Failed to set password for group " "%s: %s\n"), group, lu_strerror(error)); + lu_audit_logger(AUDIT_GRP_MGMT, + "changing-group-passwd", group, + AUDIT_NO_ID, 0); return 5; } + lu_audit_logger(AUDIT_GRP_MGMT, + "changing-group-passwd", group, + AUDIT_NO_ID, 1); } if (lock) { @@ -156,8 +168,14 @@ main(int argc, const char **argv) fprintf(stderr, _("Group %s could not be locked: %s\n"), group, lu_strerror(error)); + lu_audit_logger(AUDIT_GRP_MGMT, + "changing-group-lock", group, + AUDIT_NO_ID, 0); return 6; } + lu_audit_logger(AUDIT_GRP_MGMT, + "changing-group-lock", group, + AUDIT_NO_ID, 1); } if (unlock) { @@ -165,8 +183,14 @@ main(int argc, const char **argv) fprintf(stderr, _("Group %s could not be unlocked: %s\n"), group, lu_strerror(error)); + lu_audit_logger(AUDIT_GRP_MGMT, + "changing-group-lock", group, + AUDIT_NO_ID, 0); return 7; } + lu_audit_logger(AUDIT_GRP_MGMT, + "changing-group-lock", group, + AUDIT_NO_ID, 1); } change = gid || addAdmins || remAdmins || addMembers || remMembers; @@ -241,8 +265,14 @@ main(int argc, const char **argv) if (change && lu_group_modify(ctx, ent, &error) == FALSE) { fprintf(stderr, _("Group %s could not be modified: %s\n"), group, lu_strerror(error)); + lu_audit_logger(AUDIT_GRP_MGMT, + "changing-group-members", group, + AUDIT_NO_ID, 0); return 8; } + lu_audit_logger(AUDIT_GRP_MGMT, + "changing-group-members", group, + AUDIT_NO_ID, 1); if (gidNumber != LU_VALUE_INVALID_ID) { users = lu_users_enumerate_by_group_full(ctx, gid, &error); @@ -256,8 +286,14 @@ main(int argc, const char **argv) fprintf(stderr, _("Group %s could not be modified: %s\n"), group, lu_strerror(error)); + lu_audit_logger(AUDIT_GRP_MGMT, + "changing-group-id", group, + AUDIT_NO_ID, 0); return 8; } + lu_audit_logger(AUDIT_GRP_MGMT, + "changing-group-id", group, + AUDIT_NO_ID, 1); } lu_ent_free(ent); diff --git a/apps/luseradd.c b/apps/luseradd.c index 7839183c00f892ad50f77f5aed6ada07cd3c125b..9d7f4f10a9c6f849e551f017f05c2e67e4a56259 100644 --- a/apps/luseradd.c +++ b/apps/luseradd.c @@ -210,8 +210,12 @@ main(int argc, const char **argv) lu_error_free(&error); } lu_end(ctx); + lu_audit_logger(AUDIT_ADD_GROUP, "add-group", name, + AUDIT_NO_ID, 0); return 1; } + lu_audit_logger(AUDIT_ADD_GROUP, "add-group", name, + AUDIT_NO_ID, 1); } /* Retrieve the group ID. */ @@ -259,9 +263,13 @@ main(int argc, const char **argv) if (lu_user_add(ctx, ent, &error) == FALSE) { fprintf(stderr, _("Account creation failed: %s.\n"), lu_strerror(error)); + lu_audit_logger(AUDIT_ADD_USER, "add-user", name, + AUDIT_NO_ID, 0); + return 3; } lu_nscd_flush_cache(LU_NSCD_CACHE_PASSWD); + lu_audit_logger(AUDIT_ADD_USER, "add-user", name, AUDIT_NO_ID, 1); /* If we don't have the the don't-create-home flag, create the user's * home directory. */ @@ -282,8 +290,12 @@ main(int argc, const char **argv) &error) == FALSE) { fprintf(stderr, _("Error creating %s: %s.\n"), homeDirectory, lu_strerror(error)); + lu_audit_logger(AUDIT_USER_MGMT, "add-home-dir", name, + uidNumber, 0); return 7; } + lu_audit_logger(AUDIT_USER_MGMT, "add-home-dir", name, + uidNumber, 1); /* Create a mail spool for the user. */ if (lu_mail_spool_create(ctx, ent, &error) != TRUE) { @@ -311,8 +323,12 @@ main(int argc, const char **argv) fprintf(stderr, _("Error setting password for user " "%s: %s.\n"), name, lu_strerror(error)); + lu_audit_logger(AUDIT_USER_CHAUTHTOK, "updating-password", + name, uidNumber, 0); return 3; } + lu_audit_logger(AUDIT_USER_CHAUTHTOK, "updating-password", + name, uidNumber, 1); } lu_nscd_flush_cache(LU_NSCD_CACHE_PASSWD); diff --git a/apps/luserdel.c b/apps/luserdel.c index 2f39a4ffb8ae47ac5dc3c84270b54a8ca68c7403..7e20fa7ea9bf4082967bc6931a8557936bfda0a2 100644 --- a/apps/luserdel.c +++ b/apps/luserdel.c @@ -26,6 +26,7 @@ #include #include #include "../lib/user.h" +#include "../lib/user_private.h" #include "apputil.h" int @@ -93,8 +94,12 @@ main(int argc, const char **argv) if (lu_user_delete(ctx, ent, &error) == FALSE) { fprintf(stderr, _("User %s could not be deleted: %s.\n"), user, lu_strerror(error)); + lu_audit_logger(AUDIT_DEL_USER, "delete-user", user, + AUDIT_NO_ID, 0); return 3; } + lu_audit_logger(AUDIT_DEL_USER, "delete-user", user, + AUDIT_NO_ID, 1); lu_nscd_flush_cache(LU_NSCD_CACHE_PASSWD); @@ -126,9 +131,15 @@ main(int argc, const char **argv) fprintf(stderr, _("Group %s could not be " "deleted: %s.\n"), tmp, lu_strerror(error)); + lu_audit_logger_with_group (AUDIT_DEL_GROUP, + "delete-group", user, AUDIT_NO_ID, + tmp, 0); return 7; } } + lu_audit_logger_with_group (AUDIT_DEL_GROUP, + "delete-group", user, + AUDIT_NO_ID, tmp, 1); lu_ent_free(group_ent); lu_nscd_flush_cache(LU_NSCD_CACHE_GROUP); } @@ -138,8 +149,14 @@ main(int argc, const char **argv) fprintf(stderr, _("Error removing home directory: %s.\n"), lu_strerror(error)); + lu_audit_logger(AUDIT_USER_MGMT, + "deleting-home-directory", user, + AUDIT_NO_ID, 0); return 9; } + lu_audit_logger(AUDIT_USER_MGMT, "deleting-home-directory", user, + AUDIT_NO_ID, 1); + /* Delete the user's mail spool. */ if (lu_mail_spool_remove(ctx, ent, &error) != TRUE) { fprintf(stderr, _("Error removing mail spool: %s"), diff --git a/apps/lusermod.c b/apps/lusermod.c index afec147475736f0b814b5e1f30c77064f3915c20..143157f114c93960fb879d9e6e0c1fb914f3ffcb 100644 --- a/apps/lusermod.c +++ b/apps/lusermod.c @@ -179,8 +179,13 @@ main(int argc, const char **argv) fprintf(stderr, _("Failed to set password for user %s: %s.\n"), user, lu_strerror(error)); + lu_audit_logger(AUDIT_USER_CHAUTHTOK, + "updating-password", user, + uidNumber, 0); return 5; } + lu_audit_logger(AUDIT_USER_CHAUTHTOK, "updating-password", + user, uidNumber, 0); } /* If we need to change a user's crypted password, try to change it, @@ -192,8 +197,13 @@ main(int argc, const char **argv) fprintf(stderr, _("Failed to set password for user %s: %s.\n"), user, lu_strerror(error)); + lu_audit_logger(AUDIT_USER_CHAUTHTOK, + "updating-password", user, + uidNumber, 0); return 6; } + lu_audit_logger(AUDIT_USER_CHAUTHTOK, "updating-password", + user, uidNumber, 0); } /* If we need to lock/unlock the user's account, do that. */ @@ -202,16 +212,26 @@ main(int argc, const char **argv) fprintf(stderr, _("User %s could not be locked: %s.\n"), user, lu_strerror(error)); + lu_audit_logger(AUDIT_USER_CHAUTHTOK, + "locking-account", user, + uidNumber, 0); return 7; } + lu_audit_logger(AUDIT_USER_CHAUTHTOK, "locking-account", + user, uidNumber, 0); } if (unlock) { if (lu_user_unlock(ctx, ent, &error) == FALSE) { fprintf(stderr, _("User %s could not be unlocked: %s.\n"), user, lu_strerror(error)); + lu_audit_logger(AUDIT_USER_CHAUTHTOK, + "unlocking-account", user, + uidNumber, 0); return 8; } + lu_audit_logger(AUDIT_USER_CHAUTHTOK, "unlocking-account", + user, uidNumber, 0); } /* Determine if we actually need to change anything. */ @@ -274,8 +294,13 @@ main(int argc, const char **argv) if (change && (lu_user_modify(ctx, ent, &error) == FALSE)) { fprintf(stderr, _("User %s could not be modified: %s.\n"), user, lu_strerror(error)); + lu_audit_logger(AUDIT_USER_MGMT, + "modify-account", user, + uidNumber, 0); return 9; } + lu_audit_logger(AUDIT_USER_MGMT, "modify-account", + user, uidNumber, 1); lu_nscd_flush_cache(LU_NSCD_CACHE_PASSWD); /* If the user's name changed, we need to update supplemental @@ -322,12 +347,19 @@ main(int argc, const char **argv) } } /* Save the changes to the group. */ - if (lu_group_modify(ctx, group, &error) == FALSE) + if (lu_group_modify(ctx, group, &error) == FALSE) { fprintf(stderr, _("Group %s could not be " "modified: %s.\n"), lu_ent_get_first_string(group, LU_GROUPNAME), lu_strerror(error)); + lu_audit_logger_with_group(AUDIT_USER_MGMT, + "update-member-in-group", user, uidNumber, + lu_ent_get_first_string(group, LU_GROUPNAME),0); + } else + lu_audit_logger_with_group(AUDIT_USER_MGMT, + "update-member-in-group", user, uidNumber, + lu_ent_get_first_string(group, LU_GROUPNAME),1); lu_ent_free(group); } g_ptr_array_free(groups, TRUE); @@ -353,8 +385,12 @@ main(int argc, const char **argv) fprintf(stderr, _("Error moving %s to %s: %s.\n"), oldHomeDirectory, homeDirectory, lu_strerror(error)); + lu_audit_logger(AUDIT_USER_MGMT, "moving-home-dir", + user, uidNumber, 0); return 12; } + lu_audit_logger(AUDIT_USER_MGMT, "moving-home-dir", + user, uidNumber, 1); } g_free(oldHomeDirectory); diff --git a/configure.ac b/configure.ac index 3e68b16a1f65ff5e5e3e905c1ffce8993e562176..0bd4a67d4c77fa1b701d74dbeab908a192dbf4d7 100644 --- a/configure.ac +++ b/configure.ac @@ -118,6 +118,23 @@ if test "x$selinux" != xno ; then fi AC_SUBST(SELINUX_LIBS) +AC_ARG_WITH(audit, +AS_HELP_STRING([--with-audit],[log using Linux Audit in addition to syslog]), +use_audit=$withval, +use_audit=auto) +if test x$use_audit != xno ; then + AC_SEARCH_LIBS([audit_open], [audit]) + if test x$ac_cv_search_audit_open = xno ; then + if test x$use_audit != xauto ; then + AC_MSG_ERROR([requested Linux Audit, but libaudit was not found]) + fi + else + AC_DEFINE(WITH_AUDIT,1,[Define if you want to use Linux Audit.]) + AUDIT_LIBS=-laudit + fi +fi +AC_SUBST(AUDIT_LIBS) + AC_C_CONST AC_TYPE_UID_T AC_TYPE_MODE_T diff --git a/lib/common.c b/lib/common.c index fc5df7461111908ff3eae59608ce0a51d62e155e..dce7e570ec9c92b56b28f15ab503fb7a641b660e 100644 --- a/lib/common.c +++ b/lib/common.c @@ -16,9 +16,10 @@ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA. */ -#include +#include "config.h" #include #include +#include #include "internal.h" #include "user_private.h" @@ -111,3 +112,66 @@ lu_common_sgroup_default(struct lu_module *module, g_return_val_if_fail(name != NULL, FALSE); return lu_common_group_default(module, name, is_system, ent, error); } + +#ifdef WITH_AUDIT +static int audit_fd = 0; + +/* result - 1 is "success" and 0 is "failed" */ +void lu_audit_logger(int type, const char *op, const char *name, + unsigned int id, unsigned int result) +{ + if (audit_fd == 0) { + /* First time through */ + audit_fd = audit_open(); + if (audit_fd < 0) { + /* You get these only when the kernel doesn't have + * audit compiled in. */ + if ( (errno == EINVAL) + || (errno == EPROTONOSUPPORT) + || (errno == EAFNOSUPPORT)) + return; + fputs("Cannot open audit interface - aborting.\n", stderr); + exit(EXIT_FAILURE); + } + } + if (audit_fd < 0) + return; + audit_log_acct_message(audit_fd, type, NULL, op, name, id, + NULL, NULL, NULL, (int) result); +} + +/* result - 1 is "success" and 0 is "failed" */ +void lu_audit_logger_with_group (int type, const char *op, const char *name, + unsigned int id, const char *grp, unsigned int result) +{ + int len; + char enc_group[(LOGIN_NAME_MAX*2)+1], buf[1024]; + + if (audit_fd == 0) { + /* First time through */ + audit_fd = audit_open(); + if (audit_fd < 0) { + /* You get these only when the kernel doesn't have + * audit compiled in. */ + if ( (errno == EINVAL) + || (errno == EPROTONOSUPPORT) + || (errno == EAFNOSUPPORT)) + return; + fputs("Cannot open audit interface - aborting.\n", stderr); + exit(EXIT_FAILURE); + } + } + if (audit_fd < 0) + return; + len = strnlen(grp, sizeof(enc_group)/2); + if (audit_value_needs_encoding(grp, len)) { + snprintf(buf, sizeof(buf), "%s grp=%s", op, + audit_encode_value(enc_group, grp, len)); + } else { + snprintf(buf, sizeof(buf), "%s grp=\"%s\"", op, grp); + } + audit_log_acct_message(audit_fd, type, NULL, buf, name, id, + NULL, NULL, NULL, (int) result); +} +#endif + diff --git a/lib/user_private.h b/lib/user_private.h index a4869c138d51519539b6939406cdb0fee23ab7f6..02b813c47ee359db774bb85a2aa7aa12e18d3067 100644 --- a/lib/user_private.h +++ b/lib/user_private.h @@ -34,6 +34,9 @@ #ifdef WITH_SELINUX #include #endif +#ifdef WITH_AUDIT +#include +#endif #include "user.h" G_BEGIN_DECLS @@ -357,6 +360,18 @@ id_t lu_get_first_unused_id(struct lu_context *ctx, enum lu_entity_type type, /* Append a copy of VALUES to DEST */ void lu_util_append_values(GValueArray *dest, GValueArray *values); +#ifdef WITH_AUDIT +void lu_audit_logger(int type, const char *op, const char *name, + unsigned int id, unsigned int result); +void lu_audit_logger_with_group(int type, const char *op, const char *name, + unsigned int id, const char *grp, + unsigned int result); +#else +#define lu_audit_logger(a, b, c, d, e) +#define lu_audit_logger_with_group(a, b, c, d, e, f) +#endif +#define AUDIT_NO_ID ((unsigned int) -1) + G_END_DECLS #endif -- 2.17.1