author | Christian Göttsche <cgzones@googlemail.com> | 2024-01-04 18:23:50 +0100 |
committer | Dmitry V. Levin <ldv@strace.io> | 2024-01-15 20:01:23 +0000 |
commit | b430e2d1c93414cb14e9a3557ac895e864138497 (patch) | |
tree | 885eebd6d63d1bc048c9609a8f3d83df3c448788 | |
parent | 32112a7b6075e23d7acba37b9272be4a3926bd33 (diff) | |
pam_unix: add audit support to unix_update(8)
Emit audit reports in the helper unix_update(8) about abnormal
executions, unprivileged authentications, and password updates.
Also log unprivileged authentication failures to syslog.
-rw-r--r-- | modules/pam_unix/Makefile.am | 2 | ||||
-rw-r--r-- | modules/pam_unix/unix_update.c | 17 |
2 files changed, 18 insertions, 1 deletions
diff --git a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am
index c510f87f..1780e586 100644
--- a/modules/pam_unix/Makefile.am
+++ b/modules/pam_unix/Makefile.am
@@ -74,7 +74,7 @@ unix_update_SOURCES = unix_update.c audit.c md5_good.c md5_broken.c bigcrypt.c \
         passverify.c
 unix_update_CFLAGS = $(AM_CFLAGS) @EXE_CFLAGS@ -DHELPER_COMPILE=\"unix_update\"
 unix_update_LDFLAGS = @EXE_LDFLAGS@
-unix_update_LDADD = @LIBCRYPT@ @LIBSELINUX@
+unix_update_LDADD = @LIBCRYPT@ @LIBSELINUX@ @LIBAUDIT@
 endif
 
 if ENABLE_REGENERATE_MAN
diff --git a/modules/pam_unix/unix_update.c b/modules/pam_unix/unix_update.c
index 49a70ff3..4adaa5af 100644
--- a/modules/pam_unix/unix_update.c
+++ b/modules/pam_unix/unix_update.c
@@ -27,6 +27,10 @@
 #include <signal.h>
 #include <time.h>
 #include <sys/time.h>
+#ifdef HAVE_LIBAUDIT
+#include <libaudit.h>
+#include "audit.h"
+#endif
 
 #include <security/_pam_types.h>
 #include <security/_pam_macros.h>
@@ -80,7 +84,12 @@ set_password(const char *forwho, const char *shadow, const char *remember)
            We always allow change from null pass. */
         if (getuid()) {
             retval = helper_verify_password(forwho, pass, 1);
+#ifdef HAVE_LIBAUDIT
+            audit_log(AUDIT_USER_AUTH, getuidname(getuid()), retval);
+#endif
             if (retval != PAM_SUCCESS) {
+                helper_log_err(LOG_NOTICE, "password check failed for user (%s)",
+                               getuidname(getuid()));
                 goto done;
             }
         }
@@ -100,6 +109,11 @@ set_password(const char *forwho, const char *shadow, const char *remember)
             retval = unix_update_passwd(forwho, towhat);
         }
 
+#ifdef HAVE_LIBAUDIT
+        audit_log(AUDIT_USER_CHAUTHTOK, getuidname(getuid()), retval);
+#endif
+
+
 done:
         pam_overwrite_array(pass);
         pam_overwrite_array(towhat);
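Review bot: The new syslog line and the AUDIT_USER_AUTH record in set_password() both identify the subject as the calling uid, `getuidname(getuid())`, while the password that helper_verify_password() actually checked belongs to `forwho`. If the helper enforces elsewhere that an unprivileged caller may only act on its own account (that check is not visible in this hunk) the two names coincide, but the record is more useful and does not depend on that invariant if it names the account checked: `helper_log_err(LOG_NOTICE, "password check failed for user (%s)", forwho);`. Calling getuidname() twice in the same branch also repeats a passwd lookup; one local `const char *caller = getuidname(getuid());` taken before the `#ifdef` would serve both the audit call and the log message. set_password() starts and ends outside this hunk.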
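Review bot: The AUDIT_USER_CHAUTHTOK record is tagged with the caller's name, `getuidname(getuid())`, but the account whose password was just updated is `forwho`; when the helper runs for root changing another user's password the audit trail will show root as the subject and never mention the target account, which is the one piece of information an auditor needs from a password-change event. If audit_log() in audit.c forwards its second argument as the acct= field (audit.c is not in this diff, so I cannot confirm), the call should be `audit_log(AUDIT_USER_CHAUTHTOK, forwho, retval);`, since the kernel already stamps the record with the calling uid and auid. Note also that the two added blank lines before `done:` leave a double blank where one is enough. set_password() starts before this hunk.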
@@ -135,6 +149,9 @@ int main(int argc, char *argv[])
         helper_log_err(LOG_NOTICE
               ,"inappropriate use of Unix helper binary [UID=%d]"
                  ,getuid());
+#ifdef HAVE_LIBAUDIT
+        audit_log(AUDIT_ANOM_EXEC, getuidname(getuid()), PAM_SYSTEM_ERR);
+#endif
         fprintf(stderr
          ,"This binary is not designed for running in this way\n"
               "-- the system administrator has been informed\n");
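Review bot: The AUDIT_ANOM_EXEC record in main() is built from `getuidname(getuid())`, and this is exactly the path an unexpected caller reaches, so a uid with no passwd entry is plausible here; if getuidname() returns NULL when getpwuid() fails (the helper's sibling unix_chkpwd does, but the definition is not visible in this hunk) audit_log() receives a NULL name and the anomaly record loses its subject. Unless audit_log() already tolerates NULL, fall back to something the syslog line above already has, e.g. `const char *who = getuidname(getuid());` followed by `audit_log(AUDIT_ANOM_EXEC, who ? who : "?", PAM_SYSTEM_ERR);`, or include the numeric uid in the record. main() starts and ends outside this hunk.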