#38 Add audit events around user life cycle
Merged 5 years ago by jhrozek. Opened 5 years ago by jhrozek.
jhrozek/libuser audit  into  master

file modified
+9 -9
@@ -116,7 +116,7 @@ 

  

  apps_lchage_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS)

  apps_lchage_LDADD = lib/libuser.la $(LTLIBINTL)

- apps_lchage_LDFLAGS = $(GMODULE_LIBS) -lpopt

+ apps_lchage_LDFLAGS = $(GMODULE_LIBS) -lpopt $(AUDIT_LIBS)

  

  apps_lchfn_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS)

  apps_lchfn_LDADD = apps/libapputil.la lib/libuser.la $(LTLIBINTL)
@@ -124,19 +124,19 @@ 

  

  apps_lchsh_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS)

  apps_lchsh_LDADD = apps/libapputil.la lib/libuser.la $(LTLIBINTL)

- apps_lchsh_LDFLAGS = $(GMODULE_LIBS) -lpopt

+ apps_lchsh_LDFLAGS = $(GMODULE_LIBS) -lpopt $(AUDIT_LIBS)

  

  apps_lgroupadd_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS)

  apps_lgroupadd_LDADD = lib/libuser.la $(LTLIBINTL)

- apps_lgroupadd_LDFLAGS = $(GMODULE_LIBS) -lpopt

+ apps_lgroupadd_LDFLAGS = $(GMODULE_LIBS) -lpopt $(AUDIT_LIBS)

  

  apps_lgroupdel_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS)

  apps_lgroupdel_LDADD = lib/libuser.la $(LTLIBINTL)

- apps_lgroupdel_LDFLAGS = $(GMODULE_LIBS) -lpopt

+ apps_lgroupdel_LDFLAGS = $(GMODULE_LIBS) -lpopt $(AUDIT_LIBS)

  

  apps_lgroupmod_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS)

  apps_lgroupmod_LDADD = lib/libuser.la $(LTLIBINTL)

- apps_lgroupmod_LDFLAGS = $(GMODULE_LIBS) -lpopt

+ apps_lgroupmod_LDFLAGS = $(GMODULE_LIBS) -lpopt $(AUDIT_LIBS)

  

  apps_lid_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS)

  apps_lid_LDADD = lib/libuser.la $(LTLIBINTL)
@@ -152,15 +152,15 @@ 

  

  apps_luseradd_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS)

  apps_luseradd_LDADD = lib/libuser.la $(LTLIBINTL)

- apps_luseradd_LDFLAGS = $(GMODULE_LIBS) -lpopt

+ apps_luseradd_LDFLAGS = $(GMODULE_LIBS) -lpopt $(AUDIT_LIBS)

  

  apps_luserdel_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS)

  apps_luserdel_LDADD = lib/libuser.la $(LTLIBINTL)

- apps_luserdel_LDFLAGS = $(GMODULE_LIBS) -lpopt

+ apps_luserdel_LDFLAGS = $(GMODULE_LIBS) -lpopt $(AUDIT_LIBS)

  

  apps_lusermod_CPPFLAGS = $(AM_CPPFLAGS) $(LOCALEDIR_CPPFLAGS)

  apps_lusermod_LDADD = lib/libuser.la $(LTLIBINTL)

- apps_lusermod_LDFLAGS = $(GMODULE_LIBS) -lpopt

+ apps_lusermod_LDFLAGS = $(GMODULE_LIBS) -lpopt $(AUDIT_LIBS)

  

  lib_libuser_la_SOURCES = lib/common.c lib/config.c lib/entity.c lib/error.c \

  	lib/fs.c lib/getdate.y lib/internal.h lib/misc.c lib/modules.c \
@@ -170,7 +170,7 @@ 

  	-DMODULEDIR='"$(pkglibdir)"' -DNSCD='"$(NSCD)"' \

  	-DSYSCONFDIR='"$(sysconfdir)"'

  lib_libuser_la_LDFLAGS = $(GMODULE_LIBS) $(CRYPT_LIBS) $(SELINUX_LIBS) \

- 	-version-info 6:2:5

+ 	$(AUDIT_LIBS) -version-info 6:2:5

  lib_libuser_la_LIBADD = $(LTLIBINTL)

  

  modules_libuser_files_la_SOURCES = modules/files.c
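Review bot: The per-app `$(AUDIT_LIBS)` additions look unnecessary: none of the application hunks in this PR call libaudit directly, they call lu_audit_logger/lu_audit_logger_with_group, which live in lib/libuser.la and get libaudit through the lib_libuser_la_LDFLAGS change in the last hunk, and the AUDIT_* constants are preprocessor values from libaudit.h with no link-time dependency. Where a library really is needed, Automake's convention is *_LDADD/*_LIBADD rather than *_LDFLAGS, because LDFLAGS contents precede the objects on the link line and `-Wl,--as-needed` can then discard the library; the existing `-lpopt` has the same problem, so this only follows local style. Dropping the app-side lines and keeping `$(AUDIT_LIBS)` in the library rule would leave a single place where the dependency is expressed.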

file modified
+5
@@ -29,6 +29,7 @@ 

  #include <popt.h>

  #include <glib.h>

  #include "../lib/user.h"

+ #include "../lib/user_private.h"

  #include "apputil.h"

  

  #define INVALID_LONG LONG_MIN
@@ -239,8 +240,12 @@ 

  			fprintf(stderr,

  				_("Failed to modify aging information for %s: "

  				  "%s\n"), user, lu_strerror(error));

+ 			lu_audit_logger(AUDIT_USER_MGMT, "change-age", user,

+ 				AUDIT_NO_ID, 0);

  			return 3;

  		}

+ 		lu_audit_logger(AUDIT_USER_MGMT, "change-age", user,

+ 				AUDIT_NO_ID, 1);

  

  		lu_nscd_flush_cache(LU_NSCD_CACHE_PASSWD);

  	}
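Review bot: The new `#include "../lib/user_private.h"` pulls a private library header into an application only to reach lu_audit_logger and AUDIT_NO_ID, and lchsh.c, lgroupdel.c and luserdel.c do the same; if the audit helpers are meant to be part of the interface the apps use, declaring them in apputil.h or a small dedicated header would keep user_private.h private. The records here pass AUDIT_NO_ID while luseradd.c and lusermod.c pass uidNumber; if the uid is available from `ent` at this point, passing it makes the lchage records correlate with the others. The enclosing function starts and ends outside the hunk.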

file modified
+7
@@ -26,6 +26,7 @@ 

  #include <string.h>

  #include <unistd.h>

  #include "../lib/user.h"

+ #include "../lib/user_private.h"

  #include "apputil.h"

  

  int
@@ -120,6 +121,8 @@ 

  				      NULL, &error) == FALSE) {

  			fprintf(stderr, _("Shell not changed: %s\n"),

  				lu_strerror(error));

+ 			lu_audit_logger(AUDIT_USER_MGMT, "change-shell", user,

+ 				AUDIT_NO_ID, 0);

  			return 1;

  		}

  		/* Modify the in-memory structure's shell attribute. */
@@ -132,9 +135,13 @@ 

  		if (lu_user_modify(ctx, ent, &error)) {

  			g_print(_("Shell changed.\n"));

  			lu_nscd_flush_cache(LU_NSCD_CACHE_PASSWD);

+ 			lu_audit_logger(AUDIT_USER_MGMT, "change-shell", user,

+ 				AUDIT_NO_ID, 1);

  		} else {

  			fprintf(stderr, _("Shell not changed: %s\n"),

  				lu_strerror(error));

+ 			lu_audit_logger(AUDIT_USER_MGMT, "change-shell", user,

+ 				AUDIT_NO_ID, 0);

  			return 1;

  		}

  	}

file modified
+5
@@ -118,6 +118,8 @@ 

  	if (lu_group_add(ctx, ent, &error) == FALSE) {

  		fprintf(stderr, _("Group creation failed: %s\n"),

  			lu_strerror(error));

+ 		lu_audit_logger(AUDIT_ADD_GROUP, "add-group", name,

+ 				AUDIT_NO_ID, 0);

  		return 2;

  	}

  
@@ -127,5 +129,8 @@ 

  

  	lu_end(ctx);

  

+ 	lu_audit_logger(AUDIT_ADD_GROUP, "add-group", name,

+ 				AUDIT_NO_ID, 1);

+ 

  	return 0;

  }
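Review bot: This file receives no `#include "../lib/user_private.h"` hunk, unlike lchage.c, lchsh.c, lgroupdel.c and luserdel.c; unless lgroupadd.c already includes it (not visible here), lu_audit_logger and AUDIT_NO_ID are undeclared when WITH_AUDIT is set, and only the no-op macros make the non-audit build compile. The continuation line `AUDIT_NO_ID, 1);` in the second hunk is indented four tabs deeper than its call, unlike the matching line in lgroupdel.c; aligning it under the opening parenthesis keeps the style consistent. The enclosing function starts outside the first hunk.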

file modified
+6
@@ -24,6 +24,7 @@ 

  #include <locale.h>

  #include <popt.h>

  #include "../lib/user.h"

+ #include "../lib/user_private.h"

  #include "apputil.h"

  

  int
@@ -90,6 +91,8 @@ 

  	if (lu_group_delete(ctx, ent, &error) == FALSE) {

  		fprintf(stderr, _("Group %s could not be deleted: %s\n"),

  			group, lu_strerror(error));

+ 		lu_audit_logger(AUDIT_DEL_GROUP, "delete-group", group,

+ 				AUDIT_NO_ID, 0);

  		return 3;

  	}

  
@@ -99,5 +102,8 @@ 

  

  	lu_end(ctx);

  

+ 	lu_audit_logger(AUDIT_DEL_GROUP, "delete-group", group,

+ 			AUDIT_NO_ID, 1);

+ 

  	return 0;

  }

file modified
+36
@@ -138,8 +138,14 @@ 

  		    == FALSE) {

  			fprintf(stderr, _("Failed to set password for group "

  				"%s: %s\n"), group, lu_strerror(error));

+ 			lu_audit_logger(AUDIT_GRP_MGMT,

+ 					"changing-group-passwd", group,

+ 					AUDIT_NO_ID, 0);

  			return 4;

  		}

+ 		lu_audit_logger(AUDIT_GRP_MGMT,

+ 				"changing-group-passwd", group,

+ 				AUDIT_NO_ID, 1);

  	}

  

  	if (cryptedUserPassword) {
@@ -147,8 +153,14 @@ 

  				     &error) == FALSE) {

  			fprintf(stderr, _("Failed to set password for group "

  				"%s: %s\n"), group, lu_strerror(error));

+ 			lu_audit_logger(AUDIT_GRP_MGMT,

+ 					"changing-group-passwd", group,

+ 					AUDIT_NO_ID, 0);

  			return 5;

  		}

+ 		lu_audit_logger(AUDIT_GRP_MGMT,

+ 				"changing-group-passwd", group,

+ 				AUDIT_NO_ID, 1);

  	}

  

  	if (lock) {
@@ -156,8 +168,14 @@ 

  			fprintf(stderr,

  				_("Group %s could not be locked: %s\n"), group,

  				lu_strerror(error));

+ 			lu_audit_logger(AUDIT_GRP_MGMT,

+ 					"changing-group-lock", group,

+ 					AUDIT_NO_ID, 0);

  			return 6;

  		}

+ 		lu_audit_logger(AUDIT_GRP_MGMT,

+ 				"changing-group-lock", group,

+ 				AUDIT_NO_ID, 1);

  	}

  

  	if (unlock) {
@@ -165,8 +183,14 @@ 

  			fprintf(stderr,

  				_("Group %s could not be unlocked: %s\n"),

  				group, lu_strerror(error));

+ 			lu_audit_logger(AUDIT_GRP_MGMT,

+ 					"changing-group-lock", group,

+ 					AUDIT_NO_ID, 0);

  			return 7;

  		}

+ 		lu_audit_logger(AUDIT_GRP_MGMT,

+ 				"changing-group-lock", group,

+ 				AUDIT_NO_ID, 1);

  	}

  

  	change = gid || addAdmins || remAdmins || addMembers || remMembers;
@@ -241,8 +265,14 @@ 

  	if (change && lu_group_modify(ctx, ent, &error) == FALSE) {

  		fprintf(stderr, _("Group %s could not be modified: %s\n"),

  			group, lu_strerror(error));

+ 		lu_audit_logger(AUDIT_GRP_MGMT,

+ 				"changing-group-members", group,

+ 				AUDIT_NO_ID, 0);

  		return 8;

  	}

+ 	lu_audit_logger(AUDIT_GRP_MGMT,

+ 			"changing-group-members", group,

+ 			AUDIT_NO_ID, 1);

  	if (gidNumber != LU_VALUE_INVALID_ID) {

  		users = lu_users_enumerate_by_group_full(ctx, gid, &error);

  
@@ -256,8 +286,14 @@ 

  			fprintf(stderr,

  				_("Group %s could not be modified: %s\n"),

  				group, lu_strerror(error));

+ 			lu_audit_logger(AUDIT_GRP_MGMT,

+ 				"changing-group-id", group,

+ 				AUDIT_NO_ID, 0);

  			return 8;

  		}

+ 		lu_audit_logger(AUDIT_GRP_MGMT,

+ 			"changing-group-id", group,

+ 			AUDIT_NO_ID, 1);

  	}

  

  	lu_ent_free(ent);
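Review bot: The `changing-group-members` success record after the `return 8` block is emitted even when `change` is false, in which case lu_group_modify was never called and nothing was modified; prefix it with `if (change)` so the record reflects an actual operation (lusermod.c's modify-account record has the same problem). The `changing-group-id` pair in the last hunk indents its continuation lines one tab less than the other calls in this file. The enclosing function starts and ends outside these hunks.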

file modified
+16
@@ -210,8 +210,12 @@ 

  				lu_error_free(&error);

  			}

  			lu_end(ctx);

+ 			lu_audit_logger(AUDIT_ADD_GROUP, "add-group", name,

+ 					AUDIT_NO_ID, 0);

  			return 1;

  		}

+ 		lu_audit_logger(AUDIT_ADD_GROUP, "add-group", name,

+ 				AUDIT_NO_ID, 1);

  	}

  

  	/* Retrieve the group ID. */
@@ -259,9 +263,13 @@ 

  	if (lu_user_add(ctx, ent, &error) == FALSE) {

  		fprintf(stderr, _("Account creation failed: %s.\n"),

  			lu_strerror(error));

+ 		lu_audit_logger(AUDIT_ADD_USER, "add-user", name,

+ 					AUDIT_NO_ID, 0);

+ 

  		return 3;

  	}

          lu_nscd_flush_cache(LU_NSCD_CACHE_PASSWD);

+ 	lu_audit_logger(AUDIT_ADD_USER, "add-user", name, AUDIT_NO_ID, 1);

  

  	/* If we don't have the the don't-create-home flag, create the user's

  	 * home directory. */
@@ -282,8 +290,12 @@ 

  					&error) == FALSE) {

  			fprintf(stderr, _("Error creating %s: %s.\n"),

  				homeDirectory, lu_strerror(error));

+ 			lu_audit_logger(AUDIT_USER_MGMT, "add-home-dir", name,

+ 				uidNumber, 0);

  			return 7;

  		}

+ 		lu_audit_logger(AUDIT_USER_MGMT, "add-home-dir", name,

+ 				uidNumber, 1);

  

  		/* Create a mail spool for the user. */

  		if (lu_mail_spool_create(ctx, ent, &error) != TRUE) {
@@ -311,8 +323,12 @@ 

  			fprintf(stderr, _("Error setting password for user "

  					  "%s: %s.\n"), name,

  				lu_strerror(error));

+ 			lu_audit_logger(AUDIT_USER_CHAUTHTOK, "updating-password",

+ 					name, uidNumber, 0);

  			return 3;

  		}

+ 		lu_audit_logger(AUDIT_USER_CHAUTHTOK, "updating-password",

+ 					name, uidNumber, 1);

  	}

  	lu_nscd_flush_cache(LU_NSCD_CACHE_PASSWD);
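Review bot: Home directory creation gets an audit record on both paths, but the mail spool creation immediately below it (`lu_mail_spool_create`) gets none, so a failed spool creation leaves no trace in the audit log; a matching pair such as `lu_audit_logger(AUDIT_USER_MGMT, "add-mail-spool", name, uidNumber, 0)` / `..., 1)` around that call would close the gap (a constructed op name, to be aligned with the others). The add-user records pass AUDIT_NO_ID while the add-home-dir and updating-password records a few lines later pass uidNumber; if uidNumber is known after lu_user_add, use it for add-user too so the three records correlate. There is a stray blank line between the failed add-user record and `return 3;`, and its continuation line is over-indented. The enclosing function starts and ends outside these hunks.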

  

file modified
+17
@@ -26,6 +26,7 @@ 

  #include <string.h>

  #include <unistd.h>

  #include "../lib/user.h"

+ #include "../lib/user_private.h"

  #include "apputil.h"

  

  int
@@ -93,8 +94,12 @@ 

  	if (lu_user_delete(ctx, ent, &error) == FALSE) {

  		fprintf(stderr, _("User %s could not be deleted: %s.\n"),

  			user, lu_strerror(error));

+ 		lu_audit_logger(AUDIT_DEL_USER, "delete-user", user,

+ 				AUDIT_NO_ID, 0);

  		return 3;

  	}

+ 	lu_audit_logger(AUDIT_DEL_USER, "delete-user", user,

+ 			AUDIT_NO_ID, 1);

  

  	lu_nscd_flush_cache(LU_NSCD_CACHE_PASSWD);

  
@@ -126,9 +131,15 @@ 

  				fprintf(stderr, _("Group %s could not be "

  						  "deleted: %s.\n"), tmp,

  					lu_strerror(error));

+ 				lu_audit_logger_with_group (AUDIT_DEL_GROUP,

+ 					"delete-group", user, AUDIT_NO_ID,

+ 					tmp, 0);

  				return 7;

  			}

  		}

+ 		lu_audit_logger_with_group (AUDIT_DEL_GROUP,

+ 					    "delete-group", user,

+ 					    AUDIT_NO_ID, tmp, 1);

  		lu_ent_free(group_ent);

  		lu_nscd_flush_cache(LU_NSCD_CACHE_GROUP);

  	}
@@ -138,8 +149,14 @@ 

  			fprintf(stderr,

  				_("Error removing home directory: %s.\n"),

  				lu_strerror(error));

+ 			lu_audit_logger(AUDIT_USER_MGMT,

+ 					"deleting-home-directory", user,

+ 					AUDIT_NO_ID, 0);

  			return 9;

  		}

+ 		lu_audit_logger(AUDIT_USER_MGMT, "deleting-home-directory", user,

+ 				AUDIT_NO_ID, 1);

+ 

  		/* Delete the user's mail spool. */

  		if (lu_mail_spool_remove(ctx, ent, &error) != TRUE) {

  			fprintf(stderr, _("Error removing mail spool: %s"),
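Review bot: The `delete-group` success record in the third hunk sits after two closing braces, outside the block that performs the deletion, so it is emitted whenever the enclosing block runs even if the inner condition skipped the delete; the conditions are above the hunk, so this is inferred, but moving the call directly after the failure check inside the inner `if` would tie the record to the deletion that actually happened. As in luseradd.c, home-directory removal is audited while the mail spool removal just below (`lu_mail_spool_remove`) is not. The `lu_audit_logger_with_group (` calls here put a space before the parenthesis, unlike every other call in the PR.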

file modified
+37 -1
@@ -179,8 +179,13 @@ 

  			fprintf(stderr,

  				_("Failed to set password for user %s: %s.\n"),

  				user, lu_strerror(error));

+ 			lu_audit_logger(AUDIT_USER_CHAUTHTOK,

+ 					"updating-password", user,

+ 					uidNumber, 0);

  			return 5;

  		}

+ 		lu_audit_logger(AUDIT_USER_CHAUTHTOK, "updating-password",

+ 				user, uidNumber, 0);

  	}

  

  	/* If we need to change a user's crypted password, try to change it,
@@ -192,8 +197,13 @@ 

  			fprintf(stderr,

  				_("Failed to set password for user %s: %s.\n"),

  				user, lu_strerror(error));

+ 			lu_audit_logger(AUDIT_USER_CHAUTHTOK,

+ 					"updating-password", user,

+ 					uidNumber, 0);

  			return 6;

  		}

+ 		lu_audit_logger(AUDIT_USER_CHAUTHTOK, "updating-password",

+ 				user, uidNumber, 0);

  	}

  

  	/* If we need to lock/unlock the user's account, do that. */
@@ -202,16 +212,26 @@ 

  			fprintf(stderr,

  				_("User %s could not be locked: %s.\n"),

  				user, lu_strerror(error));

+ 			lu_audit_logger(AUDIT_USER_CHAUTHTOK,

+ 					"locking-account", user,

+ 					uidNumber, 0);

  			return 7;

  		}

+ 		lu_audit_logger(AUDIT_USER_CHAUTHTOK, "locking-account",

+ 				user, uidNumber, 0);

  	}

  	if (unlock) {

  		if (lu_user_unlock(ctx, ent, &error) == FALSE) {

  			fprintf(stderr,

  				_("User %s could not be unlocked: %s.\n"),

  				user, lu_strerror(error));

+ 			lu_audit_logger(AUDIT_USER_CHAUTHTOK,

+ 					"unlocking-account", user,

+ 					uidNumber, 0);

  			return 8;

  		}

+ 		lu_audit_logger(AUDIT_USER_CHAUTHTOK, "unlocking-account",

+ 				user, uidNumber, 0);

  	}

  

  	/* Determine if we actually need to change anything. */
@@ -274,8 +294,13 @@ 

  	if (change && (lu_user_modify(ctx, ent, &error) == FALSE)) {

  		fprintf(stderr, _("User %s could not be modified: %s.\n"),

  			user, lu_strerror(error));

+ 			lu_audit_logger(AUDIT_USER_MGMT,

+ 					"modify-account", user,

+ 					uidNumber, 0);

  		return 9;

  	}

+ 	lu_audit_logger(AUDIT_USER_MGMT, "modify-account",

+ 			user, uidNumber, 1);

  	lu_nscd_flush_cache(LU_NSCD_CACHE_PASSWD);

  

  	/* If the user's name changed, we need to update supplemental
@@ -322,12 +347,19 @@ 

  				}

  			}

  			/* Save the changes to the group. */

- 			if (lu_group_modify(ctx, group, &error) == FALSE)

+ 			if (lu_group_modify(ctx, group, &error) == FALSE) {

  				fprintf(stderr, _("Group %s could not be "

  						  "modified: %s.\n"),

  					lu_ent_get_first_string(group,

  								LU_GROUPNAME),

  					lu_strerror(error));

+ 				lu_audit_logger_with_group(AUDIT_USER_MGMT,

+ 						    "update-member-in-group", user, uidNumber,

+ 						    lu_ent_get_first_string(group, LU_GROUPNAME),0);

+ 			} else

+ 				lu_audit_logger_with_group(AUDIT_USER_MGMT,

+ 						    "update-member-in-group", user, uidNumber,

+ 						    lu_ent_get_first_string(group, LU_GROUPNAME),1);

  			lu_ent_free(group);

  		}

  		g_ptr_array_free(groups, TRUE);
@@ -353,8 +385,12 @@ 

  			fprintf(stderr, _("Error moving %s to %s: %s.\n"),

  				oldHomeDirectory, homeDirectory,

  				lu_strerror(error));

+ 			lu_audit_logger(AUDIT_USER_MGMT, "moving-home-dir",

+ 					user, uidNumber, 0);

  			return 12;

  		}

+ 		lu_audit_logger(AUDIT_USER_MGMT, "moving-home-dir",

+ 				user, uidNumber, 1);

  	}

  	g_free(oldHomeDirectory);
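Review bot: The success-path calls that follow the `return 5`, `return 6`, `return 7` and `return 8` blocks pass result 0, the same value as the failure path, so successful password updates, locks and unlocks are audited as failures; each `user, uidNumber, 0);` on those four success lines should read `user, uidNumber, 1);`, as the later modify-account and moving-home-dir calls do. The `modify-account` success record is emitted even when `change` is false and lu_user_modify was never called; guard it with `if (change)` (lgroupmod.c has the same issue with changing-group-members). The failure call inside the `return 9` block is indented one level deeper than its neighbours, and the brace-less `else` followed by a three-line call in the group-update loop would be safer with braces. The enclosing function starts and ends outside these hunks.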

  

file modified
+17
@@ -118,6 +118,23 @@ 

  fi

  AC_SUBST(SELINUX_LIBS)

  

+ AC_ARG_WITH(audit,

+ AS_HELP_STRING([--with-audit],[log using Linux Audit in addition to syslog]),

+ use_audit=$withval,

+ use_audit=auto)

+ if test x$use_audit != xno ; then

+         AC_SEARCH_LIBS([audit_open], [audit])

+         if test x$ac_cv_search_audit_open = xno ; then

+                 if test x$use_audit != xauto ; then

+                         AC_MSG_ERROR([requested Linux Audit, but libaudit was not found])

+                 fi

+         else

+                 AC_DEFINE(WITH_AUDIT,1,[Define if you want to use Linux Audit.])

+ 		AUDIT_LIBS=-laudit

+         fi

+ fi

+ AC_SUBST(AUDIT_LIBS)

+ 

  AC_C_CONST

  AC_TYPE_UID_T

  AC_TYPE_MODE_T
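Review bot: AC_SEARCH_LIBS appends -laudit to LIBS when it succeeds, so every target links libaudit regardless of $(AUDIT_LIBS) and all later configure link tests run with it too; save and restore LIBS around the probe (`save_LIBS=$LIBS` before it, `LIBS=$save_LIBS` after) and set AUDIT_LIBS from `$ac_cv_search_audit_open` instead of hardcoding `-laudit`, so the Makefile.am rule is the single carrier of the dependency. The `AUDIT_LIBS=-laudit` line is tab-indented while the surrounding lines use spaces. With the default `auto`, a missing libaudit silently produces a build without audit support; an AC_MSG_WARN in that branch would make the outcome visible in the configure output.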

file modified
+64 -1
@@ -16,9 +16,10 @@ 

   * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.

   */

  

- #include <config.h>

+ #include "config.h"

  #include <glib.h>

  #include <string.h>

+ #include <stdlib.h>

  

  #include "internal.h"

  #include "user_private.h"
@@ -111,3 +112,65 @@ 

  	g_return_val_if_fail(name != NULL, FALSE);

  	return lu_common_group_default(module, name, is_system, ent, error);

  }

+ 

+ #ifdef WITH_AUDIT

+ static int audit_fd = 0;

+ 

+ /* result - 1 is "success" and 0 is "failed" */

+ void lu_audit_logger(int type, const char *op, const char *name,

+                         unsigned int id, unsigned int result)

+ {

+ 	if (audit_fd == 0) {

+ 		/* First time through */

+ 		audit_fd = audit_open();

+ 		if (audit_fd < 0) {

+ 			/* You get these only when the kernel doesn't have

+ 			 * audit compiled in. */

+ 			if (	   (errno == EINVAL)

+ 				|| (errno == EPROTONOSUPPORT)

+ 				|| (errno == EAFNOSUPPORT))

+ 					return;

+ 			fputs("Cannot open audit interface - aborting.\n", stderr);

+ 			exit(EXIT_FAILURE);

+ 		}

+ 	}

+ 	if (audit_fd < 0)

+ 		return;

+ 	audit_log_acct_message(audit_fd, type, NULL, op, name, id,

+ 		NULL, NULL, NULL, (int) result);

+ }

+ 

+ /* result - 1 is "success" and 0 is "failed" */

+ void lu_audit_logger_with_group (int type, const char *op, const char *name,

+ 		unsigned int id, const char *grp, unsigned int result)

+ {

+ 	int len;

+ 	char enc_group[(LOGIN_NAME_MAX*2)+1], buf[1024];

+ 

+ 	if (audit_fd == 0) {

+ 		/* First time through */

+ 		audit_fd = audit_open();

+ 		if (audit_fd < 0) {

+ 			/* You get these only when the kernel doesn't have

+ 			 * audit compiled in. */

+ 			if (	   (errno == EINVAL)

+ 				|| (errno == EPROTONOSUPPORT)

+ 				|| (errno == EAFNOSUPPORT))

+ 					return;

+ 			fputs("Cannot open audit interface - aborting.\n", stderr);

+ 			exit(EXIT_FAILURE);

+ 		}

+ 	}

+ 	if (audit_fd < 0)

+ 		return;

+ 	len = strnlen(grp, sizeof(enc_group)/2);

+ 	if (audit_value_needs_encoding(grp, len)) {

+ 		snprintf(buf, sizeof(buf), "%s grp=%s", op,

+ 			audit_encode_value(enc_group, grp, len));

+ 	} else {

+ 		snprintf(buf, sizeof(buf), "%s grp=\"%s\"", op, grp);

+ 	}

+ 	audit_log_acct_message(audit_fd, type, NULL, buf, name, id,

+ 			NULL, NULL, NULL, (int) result);

+ }

+ #endif
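Review bot: `audit_fd == 0` is used as the "not opened yet" marker in both new functions, but 0 is a valid descriptor: if the process starts with stdin closed, audit_open() returns 0, the check stays true, and every audit call re-opens the socket and leaks the previous descriptor. Track "already tried" separately from the descriptor and keep the open logic in one static helper instead of duplicating it between lu_audit_logger and lu_audit_logger_with_group. The error paths read errno but the include hunk adds only <stdlib.h>; unless internal.h provides <errno.h>, add it here, and `len` should be size_t rather than int since it stores a strnlen() result. Calling exit() from inside the shared library is the fail-closed behaviour shadow-utils also uses, but it skips the caller's lu_end() cleanup; a comment stating that this is intentional would help the next reader.
```c
static int audit_fd = -1;		/* valid descriptor once opened */
static gboolean audit_tried = FALSE;	/* audit_open() attempted already */

/* Open the audit socket on first use; returns -1 when auditing is unavailable. */
static int lu_audit_get_fd(void)
{
	if (audit_tried)
		return audit_fd;
	audit_tried = TRUE;
	audit_fd = audit_open();
	if (audit_fd < 0) {
		/* … unchanged: EINVAL/EPROTONOSUPPORT/EAFNOSUPPORT leave fd at -1, anything else aborts … */
	}
	return audit_fd;
}

/* result - 1 is "success" and 0 is "failed" */
void lu_audit_logger(int type, const char *op, const char *name,
		     unsigned int id, unsigned int result)
{
	int fd = lu_audit_get_fd();

	if (fd < 0)
		return;
	audit_log_acct_message(fd, type, NULL, op, name, id,
			       NULL, NULL, NULL, (int) result);
}
/* … unchanged: lu_audit_logger_with_group, using lu_audit_get_fd() the same way … */
```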

file modified
+15
@@ -34,6 +34,9 @@ 

  #ifdef WITH_SELINUX

  #include <selinux/selinux.h>

  #endif

+ #ifdef WITH_AUDIT

+ #include <libaudit.h>

+ #endif

  #include "user.h"

  

  G_BEGIN_DECLS
@@ -357,6 +360,18 @@ 

  /* Append a copy of VALUES to DEST */

  void lu_util_append_values(GValueArray *dest, GValueArray *values);

  

+ #ifdef WITH_AUDIT

+ void lu_audit_logger(int type, const char *op, const char *name,

+ 		     unsigned int id, unsigned int result);

+ void lu_audit_logger_with_group(int type, const char *op, const char *name,

+ 				 unsigned int id, const char *grp,

+ 				 unsigned int result);

+ #else

+ #define lu_audit_logger(a, b, c, d, e)

+ #define lu_audit_logger_with_group(a, b, c, d, e, f)

+ #endif

+ #define AUDIT_NO_ID	((unsigned int) -1)

+ 

  G_END_DECLS

  

  #endif
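Review bot: The new declarations carry no comment, while the rest of this header documents each function (see the lu_util_append_values line just above); add something like `/* Emit an account-management audit record: TYPE is an AUDIT_* event, OP the operation name, NAME the account, ID its uid or AUDIT_NO_ID, RESULT 1 for success and 0 for failure. */` above lu_audit_logger, and note on the _with_group variant that GRP is appended as a grp= field. The non-audit stubs expand to nothing; `#define lu_audit_logger(a, b, c, d, e) ((void)0)` keeps each call a valid expression statement in every context, including the brace-less `else` branch lusermod.c uses. Whether the two new symbols are exported by the library's version script, if it has one, is not visible here and worth confirming, since the apps link against them.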

btw Steve Grubb created the initial implementation and attached the first version of the patch to the BZ. I just cleaned it up, fixed some minor issues etc., so the patch has his attribution, but I'll work on whatever might be raised during review (if anything).

Definitely let Steve Grubb review this, the format was a bit in flux during the previous revision.

The formatting issues should be fixed now, but nonetheless, let's ask if @sgrubb has any other issues with the patch.

After spot checking a few of these, it looks fine. We can always refine it later should we find a miscompare with shadow-utils.

Commit e1be01d fixes this pull-request
