diff --git a/passwd.c b/passwd.c
|
|
|
146491 |
index 45acf02..27ad6fe 100644
|
|
|
146491 |
--- a/passwd.c
|
|
|
146491 |
+++ b/passwd.c
|
|
|
146491 |
@@ -63,7 +63,6 @@
|
|
|
146491 |
#ifdef WITH_AUDIT
|
|
|
146491 |
#include <libaudit.h>
|
|
|
146491 |
#else
|
|
|
146491 |
-#define audit_log_user_message(d,ty,m,h,a,t,r) do { ; } while(0)
|
|
|
146491 |
#define audit_log_acct_message(d,ty,p,o,n,i,h,a,t,r) do { ; } while(0)
|
|
|
146491 |
static int audit_open(void) { errno = EPROTONOSUPPORT; return -1; }
|
|
|
146491 |
#endif
|
|
|
146491 |
@@ -274,13 +273,10 @@ parse_args(int argc, const char **argv,
|
|
|
146491 |
/* The only flag which unprivileged users get to use is -k. */
|
|
|
146491 |
if ((passwd_flags & ~PASSWD_KEEP) &&
|
|
|
146491 |
(getuid() != 0)) {
|
|
|
146491 |
- if (passwd_flags & PASSWD_STATUS) {
|
|
|
146491 |
+ /* Auditing is not needed for displaying status */
|
|
|
146491 |
+ if (passwd_flags != PASSWD_STATUS) {
|
|
|
146491 |
audit_log_acct_message(audit_fd, AUDIT_USER_CHAUTHTOK,
|
|
|
146491 |
- NULL, "password status display",
|
|
|
146491 |
- NULL, getuid(), NULL, NULL, NULL, 0);
|
|
|
146491 |
- } else {
|
|
|
146491 |
- audit_log_acct_message(audit_fd, AUDIT_USER_CHAUTHTOK,
|
|
|
146491 |
- NULL, "password attribute change",
|
|
|
146491 |
+ NULL, "attempted-to-change-password-attribute",
|
|
|
146491 |
NULL, getuid(), NULL, NULL, NULL, 0);
|
|
|
146491 |
}
|
|
|
146491 |
fprintf(stderr, _("Only root can do that.\n"));
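Review bot: The replacement test `if (passwd_flags != PASSWD_STATUS)` misclassifies `-S` given together with `-k`: that combination passes the outer `passwd_flags & ~PASSWD_KEEP` guard, is not equal to PASSWD_STATUS, and so is audited as `attempted-to-change-password-attribute` even though nothing but a status display was requested, which is exactly what the new comment says should not be audited. Testing only the flags that actually need privilege keeps the stated intent: `if (passwd_flags & ~(PASSWD_STATUS | PASSWD_KEEP)) {`. Whether -k and -S can in fact be combined depends on parse_args's option table, which lies outside the hunk.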
|
|
|
146491 |
@@ -293,8 +289,8 @@ parse_args(int argc, const char **argv,
|
|
|
146491 |
if (getuid() != 0) {
|
|
|
146491 |
/* The invoking user was not root. */
|
|
|
146491 |
audit_log_acct_message(audit_fd, AUDIT_USER_CHAUTHTOK,
|
|
|
146491 |
- NULL, "password change", extraArgs[0],
|
|
|
146491 |
- getuid(), NULL, NULL, NULL, 0);
|
|
|
146491 |
+ NULL, "attempted-to-change-password",
|
|
|
146491 |
+ extraArgs[0], getuid(), NULL, NULL, NULL, 0);
|
|
|
146491 |
fprintf(stderr,
|
|
|
146491 |
_("%s: Only root can specify a user name.\n"),
|
|
|
146491 |
progname);
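Review bot: `extraArgs[0]` on the new lines is taken straight from the command line of an unprivileged caller and is recorded in the audit trail as the account name, so it is the one attacker-controlled string in this record. If audit_log_acct_message encodes names containing spaces, quotes or control characters this is fine, but if the library copies the value verbatim a caller could inject a fake `res=` or `acct=` field into the log; confirm for the libaudit version linked. A one-line comment would make the reliance explicit: `/* user-supplied name; relies on libaudit escaping unsafe characters in acct= */`. The branch that guarantees extraArgs[0] is non-NULL starts outside the hunk.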
|
|
|
146491 |
@@ -392,7 +388,7 @@ main(int argc, const char **argv)
|
|
|
146491 |
fprintf(stderr, _("%s: SELinux denying access due to security policy.\n"), progname);
|
|
|
146491 |
|
|
|
146491 |
audit_log_acct_message(audit_fd, AUDIT_USER_CHAUTHTOK,
|
|
|
146491 |
- NULL, "change password", NULL, pwd->pw_uid,
|
|
|
146491 |
+ NULL, "attempted-to-change-password", NULL, pwd->pw_uid,
|
|
|
146491 |
NULL, NULL, NULL, 0);
|
|
|
146491 |
exit(1);
|
|
|
146491 |
}
|
|
|
146491 |
@@ -404,8 +400,8 @@ main(int argc, const char **argv)
|
|
|
146491 |
printf("%s: %s\n", progname,
|
|
|
146491 |
retval ==
|
|
|
146491 |
0 ? _("Success") : _("Error (password not set?)"));
|
|
|
146491 |
- audit_log_acct_message(audit_fd, AUDIT_USER_CHAUTHTOK,
|
|
|
146491 |
- NULL, "lock password", NULL, pwd->pw_uid,
|
|
|
146491 |
+ audit_log_acct_message(audit_fd, AUDIT_ACCT_LOCK,
|
|
|
146491 |
+ NULL, "locked-password", NULL, pwd->pw_uid,
|
|
|
146491 |
NULL, NULL, NULL, retval == 0);
|
|
|
146491 |
return retval;
|
|
|
146491 |
}
|
|
|
146491 |
@@ -419,8 +415,8 @@ main(int argc, const char **argv)
|
|
|
146491 |
retval ==
|
|
|
146491 |
-2 ? _("Unsafe operation (use -f to force)") :
|
|
|
146491 |
_("Error (password not set?)"));
|
|
|
146491 |
- audit_log_acct_message(audit_fd, AUDIT_USER_CHAUTHTOK,
|
|
|
146491 |
- NULL, "unlock password", NULL, pwd->pw_uid,
|
|
|
146491 |
+ audit_log_acct_message(audit_fd, AUDIT_ACCT_UNLOCK,
|
|
|
146491 |
+ NULL, "unlocked-password", NULL, pwd->pw_uid,
|
|
|
146491 |
NULL, NULL, NULL, retval == 0);
|
|
|
146491 |
return retval;
|
|
|
146491 |
}
|
|
|
146491 |
@@ -431,8 +427,8 @@ main(int argc, const char **argv)
|
|
|
146491 |
printf("%s: %s\n", progname,
|
|
|
146491 |
retval ==
|
|
|
146491 |
0 ? _("Success") : _("Error"));
|
|
|
146491 |
- audit_log_acct_message(audit_fd, AUDIT_USER_CHAUTHTOK,
|
|
|
146491 |
- NULL, "expire password", NULL, pwd->pw_uid,
|
|
|
146491 |
+ audit_log_acct_message(audit_fd, AUDIT_USER_MGMT,
|
|
|
146491 |
+ NULL, "expired-password", NULL, pwd->pw_uid,
|
|
|
146491 |
NULL, NULL, NULL, retval == 0);
|
|
|
146491 |
return retval;
|
|
|
146491 |
}
|
|
|
146491 |
@@ -443,16 +439,14 @@ main(int argc, const char **argv)
|
|
|
146491 |
printf("%s: %s\n", progname,
|
|
|
146491 |
(retval == 0) ? _("Success") : _("Error"));
|
|
|
146491 |
audit_log_acct_message(audit_fd, AUDIT_USER_CHAUTHTOK,
|
|
|
146491 |
- NULL, "delete password", NULL, pwd->pw_uid,
|
|
|
146491 |
+ NULL, "deleted-password", NULL, pwd->pw_uid,
|
|
|
146491 |
NULL, NULL, NULL, retval == 0);
|
|
|
146491 |
return retval;
|
|
|
146491 |
}
|
|
|
146491 |
/* Display account status. */
|
|
|
146491 |
if (passwd_flags & PASSWD_STATUS) {
|
|
|
146491 |
+ /* Auditing is not needed for displaying status */
|
|
|
146491 |
retval = pwdb_display_status(username);
|
|
|
146491 |
- audit_log_acct_message(audit_fd, AUDIT_USER_CHAUTHTOK,
|
|
|
146491 |
- NULL, "password status displayed for user",
|
|
|
146491 |
- NULL, pwd->pw_uid, NULL, NULL, NULL, retval == 0);
|
|
|
146491 |
return retval;
|
|
|
146491 |
}
|
|
|
146491 |
/* Adjust aging parameters. */
|
|
|
146491 |
@@ -462,12 +456,12 @@ main(int argc, const char **argv)
|
|
|
146491 |
retval = pwdb_update_aging(username, min, max, warn, inact, -2);
|
|
|
146491 |
printf("%s: %s\n", progname,
|
|
|
146491 |
(retval == 0) ? _("Success") : _("Error"));
|
|
|
146491 |
- snprintf(aubuf, sizeof(aubuf), "password aging data updated "
|
|
|
146491 |
- "- acct=%s, uid=%u, min=%li, max=%li,"
|
|
|
146491 |
- " warn=%li, inact=%li", username,
|
|
|
146491 |
- pwd->pw_uid, min, max, warn, inact);
|
|
|
146491 |
- audit_log_user_message(audit_fd, AUDIT_USER_CHAUTHTOK,
|
|
|
146491 |
- aubuf, NULL, NULL, NULL, retval == 0);
|
|
|
146491 |
+ snprintf(aubuf, sizeof(aubuf), "changed-password-aging"
|
|
|
146491 |
+ " min=%li max=%li warn=%li inact=%li",
|
|
|
146491 |
+ min, max, warn, inact);
|
|
|
146491 |
+ audit_log_acct_message(audit_fd, AUDIT_USER_MGMT,
|
|
|
146491 |
+ NULL, aubuf, NULL, pwd->pw_uid,
|
|
|
146491 |
+ NULL, NULL, NULL, retval == 0);
|
|
|
146491 |
return retval;
|
|
|
146491 |
}
|
|
|
146491 |
|
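Review bot: The op string built into aubuf on the new lines (`changed-password-aging min=%li max=%li warn=%li inact=%li`) contains spaces and `=`; if audit_log_acct_message copies its op argument verbatim into an `op=` field, the record will read `op=changed-password-aging min=… max=… warn=… inact=…` and audit parsers will treat min/max/warn/inact as four extra fields rather than as part of op. That may be intended now that the old free-form text is gone, but it is unconventional enough to deserve a comment such as `/* extra key=value pairs ride on op=; audit parsers split them into separate fields */`. The account name the old message carried (`acct=%s`) is also dropped, because `name` is passed as NULL and only pw_uid survives; passing `username` there would keep it, at the cost of diverging from the sibling calls that also pass NULL. The size of aubuf is declared outside the hunk, so truncation cannot be judged here.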
|
|
146491 |
@@ -548,33 +542,22 @@ main(int argc, const char **argv)
|
|
|
146491 |
}
|
|
|
146491 |
#endif
|
|
|
146491 |
|
|
|
146491 |
- /* Go for it. */
|
|
|
146491 |
+ /* Go for it. Note: pam will send audit event. */
|
|
|
146491 |
retval = pam_chauthtok(pamh,
|
|
|
146491 |
(passwd_flags & PASSWD_KEEP) ?
|
|
|
146491 |
PAM_CHANGE_EXPIRED_AUTHTOK : 0);
|
|
|
146491 |
if (retval == PAM_SUCCESS) {
|
|
|
146491 |
/* We're done. Tell the invoking user that it worked. */
|
|
|
146491 |
retval = pam_end(pamh, PAM_SUCCESS);
|
|
|
146491 |
- if (passwd_flags & PASSWD_KEEP) {
|
|
|
146491 |
- audit_log_acct_message(audit_fd, AUDIT_USER_CHAUTHTOK,
|
|
|
146491 |
- NULL, "change expired password", NULL,
|
|
|
146491 |
- pwd->pw_uid, NULL, NULL, NULL,
|
|
|
146491 |
- retval == PAM_SUCCESS);
|
|
|
146491 |
+ if (passwd_flags & PASSWD_KEEP)
|
|
|
146491 |
printf(_("%s: expired authentication tokens updated successfully.\n"),
|
|
|
146491 |
progname);
|
|
|
146491 |
- } else {
|
|
|
146491 |
- audit_log_acct_message(audit_fd, AUDIT_USER_CHAUTHTOK,
|
|
|
146491 |
- NULL, "change password", NULL, pwd->pw_uid,
|
|
|
146491 |
- NULL, NULL, NULL, retval == PAM_SUCCESS);
|
|
|
146491 |
+ else
|
|
|
146491 |
printf(_("%s: all authentication tokens updated successfully.\n"),
|
|
|
146491 |
progname);
|
|
|
146491 |
- }
|
|
|
146491 |
retval = 0;
|
|
|
146491 |
} else {
|
|
|
146491 |
/* Horrors! It failed. Relay the bad news. */
|
|
|
146491 |
- audit_log_acct_message(audit_fd, AUDIT_USER_CHAUTHTOK,
|
|
|
146491 |
- NULL, "change password", NULL, pwd->pw_uid,
|
|
|
146491 |
- NULL, NULL, NULL, retval == PAM_SUCCESS);
|
|
|
146491 |
fprintf(stderr, "%s: %s\n", progname,
|
|
|
146491 |
pam_strerror(pamh, retval));
|
|
|
146491 |
pam_end(pamh, retval);
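Review bot: The new comment `Note: pam will send audit event` is the only record of why the success and failure audit calls were removed, and it leaves the dependency implicit: an AUDIT_USER_CHAUTHTOK record for the actual password change now exists only if the PAM library or module stack in use is built with audit support, which this file cannot check. I would spell the assumption out: `/* No audit call here: the PAM stack is relied on to emit the AUDIT_USER_CHAUTHTOK record for this change (libpam built with audit support); logging again would duplicate it. */`. As a point of style, the reduced `if (passwd_flags & PASSWD_KEEP) printf(...); else printf(...);` drops the braces around two statements that each span two lines; keeping `{ }` on both branches guards the next edit. The enclosing main() continues past the end of the hunk.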
|