diff options
| author | Tomas Mraz <tm@t8m.info> | 2006-01-12 10:06:49 +0000 |
|---|---|---|
| committer | Tomas Mraz <tm@t8m.info> | 2006-01-12 10:06:49 +0000 |
| commit | 94483545da687d9dba81175575d07ba9f77a3eb5 (patch) | |
| tree | f401c4f560af05cf6bf492eb8a36183b80b80d8d /libpam/pam_audit.c | |
| parent | 52fa7eff1bc0d56ad8ba8df0764d2c93383e17ef (diff) | |
| download | pam-94483545da687d9dba81175575d07ba9f77a3eb5.tar.gz pam-94483545da687d9dba81175575d07ba9f77a3eb5.tar.bz2 pam-94483545da687d9dba81175575d07ba9f77a3eb5.zip | |
Relevant BUGIDs:
Purpose of commit: new feature
Commit summary:
---------------
2006-01-12 Steve Grubb <sgrubb@redhat.com>
* configure.in: Add check for audit library.
* libpam/Makefile.am (libpam_la_LDFLAGS): Add LIBAUDIT.
(libpam_la_SOURCES): Add pam_audit.c.
* libpam/pam_account.c (pam_acct_mgmt): Add _pam_auditlog() call.
* libpam/pam_auth.c (pam_authenticate), (pam_setcred): Likewise.
* libpam/pam_password.c (pam_chauthtok): Likewise.
* libpam/pam_session.c (pam_open_session),
(pam_close_session): Likewise.
* libpam/pam_private.h: Add audit_state member to pam_handle,
declare _pam_auditlog and _pam_audit_end.
* libpam/pam_start.c (pam_start): Initialize audit_state.
* libpam/pam_audit.c: New file with _pam_auditlog and _pam_audit_end
implementation.
* libpam/pam_end.c (pam_end): Add _pam_audit_end() call.
* NEWS: Note about added auditing.
Diffstat (limited to 'libpam/pam_audit.c')
| -rw-r--r-- | libpam/pam_audit.c | 128 |
1 files changed, 128 insertions, 0 deletions
diff --git a/libpam/pam_audit.c b/libpam/pam_audit.c new file mode 100644 index 00000000..7c067d9b --- /dev/null +++ b/libpam/pam_audit.c @@ -0,0 +1,128 @@ +/* pam_audit.c -- Instrumentation code for Linux Auditing System */ + +/* (C) 2005-2006 Red Hat, Inc. -- Licensing details are in the COPYING + file accompanying the Linux-PAM source distribution. + + Authors: + Steve Grubb <sgrubb@redhat.com> */ + +#include "pam_private.h" +#include <stdio.h> +#include <syslog.h> + +#if HAVE_LIBAUDIT +#include <libaudit.h> +#include <pwd.h> +#include <netdb.h> +#include <sys/types.h> +#include <sys/socket.h> +#include <arpa/inet.h> +#include <errno.h> + +#define PAMAUDIT_LOGGED 1 + +static int +_pam_audit_writelog(pam_handle_t *pamh, int audit_fd, int type, + const char *message, int retval) +{ + int rc; + char buf[256]; + + snprintf(buf, sizeof(buf), "PAM: %s acct=%s ", message, + (retval != PAM_USER_UNKNOWN && pamh->user) ? pamh->user : "?"); + + rc = audit_log_user_message( audit_fd, type, buf, + pamh->rhost, NULL, pamh->tty, retval == PAM_SUCCESS ); + + pamh->audit_state |= PAMAUDIT_LOGGED; + return rc; +} + +int +_pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags) +{ + const char *message; + int type; + int audit_fd; + + audit_fd = audit_open(); + if (audit_fd < 0) { + /* You get these error codes only when the kernel doesn't have + * audit compiled in. */ + if (errno == EINVAL || errno == EPROTONOSUPPORT || + errno == EAFNOSUPPORT) + return retval; + + /* this should only fail in case of extreme resource shortage, + * need to prevent login in that case for CAPP compliance. + */ + pam_syslog(pamh, LOG_CRIT, "audit_open() failed: %s", + strerror(errno)); + return PAM_SYSTEM_ERR; + } + + switch (action) { + case PAM_AUTHENTICATE: + message = "authentication"; + type = AUDIT_USER_AUTH; + break; + case PAM_OPEN_SESSION: + message = "session open"; + type = AUDIT_USER_START; + break; + case PAM_CLOSE_SESSION: + message = "session close"; + type = AUDIT_USER_END; + break; + case PAM_ACCOUNT: + message = "accounting"; + type = AUDIT_USER_ACCT; + break; + case PAM_CHAUTHTOK: + message = "chauthtok"; + type = AUDIT_USER_CHAUTHTOK; + break; + case PAM_SETCRED: + message = "setcred"; + if (flags & PAM_ESTABLISH_CRED) + type = AUDIT_CRED_ACQ; + else if ((flags & PAM_REINITIALIZE_CRED) || (flags & PAM_REFRESH_CRED)) + type = AUDIT_CRED_REFR; + else if (flags & PAM_DELETE_CRED) + type = AUDIT_CRED_DISP; + else + type = AUDIT_USER_ERR; + break; + case _PAM_ACTION_DONE: + message = "bad_ident"; + type = AUDIT_USER_ERR; + break; + default: + message = "UNKNOWN"; + type = AUDIT_USER_ERR; + pam_syslog(pamh, LOG_CRIT, "_pam_auditlog() should never get here"); + retval = PAM_SYSTEM_ERR; + } + + if (_pam_audit_writelog(pamh, audit_fd, type, message, retval) < 0) + retval = PAM_SYSTEM_ERR; + + audit_close(audit_fd); + return retval; +} + +int +_pam_audit_end(pam_handle_t *pamh, int status UNUSED) +{ + if (! (pamh->audit_state & PAMAUDIT_LOGGED)) { + /* PAM library is being shut down without any of the auditted + * stacks having been run. Assume that this is sshd faking + * things for an unknown user. + */ + _pam_auditlog(pamh, _PAM_ACTION_DONE, PAM_USER_UNKNOWN, 0); + } + + return 0; +} + +#endif /* HAVE_LIBAUDIT */ |