author | Tomas Mraz <tmraz@fedoraproject.org> | 2015-12-16 09:33:47 +0100 |
---|---|---|
committer | Tomas Mraz <tmraz@fedoraproject.org> | 2015-12-16 09:33:47 +0100 |
commit | e0a996ec358af86153c0c00e67802e36283dadd0 (patch) | |
tree | 2193ed1da857acdaf4e2bf1d7d9e24b0dfbe619d /modules/pam_tally2 | |
parent | d8a7ffb9564cd0d76064c926d3ae15d074952b4b (diff) | |
pam_tally2: Optionally log the tally count when checking.
* modules/pam_tally2/pam_tally2.c (tally_parse_args): Add debug option.
(tally_check): Always log the tally count with debug option.
Diffstat (limited to 'modules/pam_tally2')
-rw-r--r-- | modules/pam_tally2/pam_tally2.8.xml | 13 | ||||
-rw-r--r-- | modules/pam_tally2/pam_tally2.c | 16 |
2 files changed, 24 insertions, 5 deletions
diff --git a/modules/pam_tally2/pam_tally2.8.xml b/modules/pam_tally2/pam_tally2.8.xml
index 2f3b2eb9..cf5d76d9 100644
--- a/modules/pam_tally2/pam_tally2.8.xml
+++ b/modules/pam_tally2/pam_tally2.8.xml
@@ -54,6 +54,9 @@
 <arg choice="opt">
 no_log_info
 </arg>
+<arg choice="opt">
+debug
+</arg>
 </cmdsynopsis>
 <cmdsynopsis id="pam_tally2-cmdsynopsis2">
 <command>pam_tally2</command>
@@ -169,6 +172,16 @@
 </para>
 </listitem>
 </varlistentry>
+<varlistentry>
+<term>
+<option>debug</option>
+</term>
+<listitem>
+<para>
+Always log tally count when it is incremented as a debug level message to the system log.
+</para>
+</listitem>
+</varlistentry>
 </variablelist>
 </listitem>
 </varlistentry>
diff --git a/modules/pam_tally2/pam_tally2.c b/modules/pam_tally2/pam_tally2.c
index f5eebb10..e513f64c 100644
--- a/modules/pam_tally2/pam_tally2.c
+++ b/modules/pam_tally2/pam_tally2.c
@@ -124,6 +124,7 @@ struct tally_options {
 #define OPT_AUDIT 0100
 #define OPT_NOLOGNOTICE 0400
 #define OPT_SERIALIZE 01000
+#define OPT_DEBUG 02000
 #define MAX_LOCK_WAITING_TIME 10
@@ -196,6 +197,9 @@ tally_parse_args(pam_handle_t *pamh, struct tally_options *opts,
 else if ( ! strcmp( *argv, "serialize" ) ) {
 opts->ctrl |= OPT_SERIALIZE;
 }
+else if ( ! strcmp( *argv, "debug" ) ) {
+opts->ctrl |= OPT_DEBUG;
+}
 else if ( ! strcmp( *argv, "even_deny_root_account" ) ||
 ! strcmp( *argv, "even_deny_root" ) ) {
 log_phase_no_auth(pamh, phase, *argv);
@@ -503,6 +507,7 @@ tally_check (tally_t oldcnt, time_t oldtime, pam_handle_t *pamh, uid_t uid,
 struct tallylog *tally)
 {
 int rv = PAM_SUCCESS;
+int loglevel = LOG_DEBUG;
 #ifdef HAVE_LIBAUDIT
 char buf[64];
 int audit_fd = -1;
@@ -575,11 +580,7 @@ tally_check (tally_t oldcnt, time_t oldtime, pam_handle_t *pamh, uid_t uid,
 pam_info(pamh, _("Account locked due to %u failed logins"),
 (unsigned int)tally->fail_cnt);
 }
-if (!(opts->ctrl & OPT_NOLOGNOTICE)) {
-pam_syslog(pamh, LOG_NOTICE,
-"user %s (%lu) tally %hu, deny %hu",
-user, (unsigned long)uid, tally->fail_cnt, opts->deny);
-}
+loglevel = LOG_NOTICE;
 rv = PAM_AUTH_ERR; /* Only unconditional failure */
 goto cleanup;
 }
@@ -609,6 +610,11 @@ tally_check (tally_t oldcnt, time_t oldtime, pam_handle_t *pamh, uid_t uid,
 }
 cleanup:
+if (!(opts->ctrl & OPT_NOLOGNOTICE) && (loglevel != LOG_DEBUG || opts->ctrl & OPT_DEBUG)) {
+pam_syslog(pamh, loglevel,
+"user %s (%lu) tally %hu, deny %hu",
+user, (unsigned long)uid, tally->fail_cnt, opts->deny);
+}
 #ifdef HAVE_LIBAUDIT
 if (audit_fd != -1) {
 close(audit_fd);
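Review bot: The guard on the new pam_syslog at `cleanup:` mixes `&`, `||` and `&&` with `opts->ctrl & OPT_DEBUG` left unparenthesized; it parses as intended, but `(opts->ctrl & OPT_DEBUG)` plus a one-line comment such as `/* NOTICE on lockout unless no_log_info; DEBUG on every check only with debug */` would make the two cases explicit. As written, `no_log_info` also suppresses the debug-level line, while the man page text added in this commit says the count is "always" logged with `debug` (and describes it as happening when the count is incremented, whereas this code logs at check time), so either the condition or the wording should be reconciled. The debug message reuses the exact `user %s (%lu) tally %hu, deny %hu` text that previously appeared only at LOG_NOTICE on a lockout, so any log-parsing or alerting rule keyed on that text rather than on the syslog priority will now also fire on every successful check when `debug` is enabled; a distinct wording for the debug case would avoid that ambiguity. tally_check begins outside this hunk; only its tail is visible here.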