author | Tomas Mraz <tm@t8m.info> | 2007-12-07 15:40:01 +0000 |
committer | Tomas Mraz <tm@t8m.info> | 2007-12-07 15:40:01 +0000 |
commit | 8ae5f5769c4c611ca6918450bbe6e55dfa4e5926 (patch) | |
tree | a217a8080c67dbd2189a3fcdb3f627223e8f6101 /modules/pam_time | |
parent | 67b5cdd945120d8b0fe4c40fe9df576fa5c2a9a2 (diff) | |
Relevant BUGIDs:
Purpose of commit: new feature and cleanup
Commit summary:
---------------
2007-12-07 Tomas Mraz <t8m@centrum.cz>
* libpam/libpam.map: Add LIBPAM_MODUTIL_1.1 version.
* libpam/pam_audit.c: Add _pam_audit_open() and
pam_modutil_audit_write().
(_pam_auditlog): Call _pam_audit_open().
* libpam/include/security/pam_modutil.h: Add pam_modutil_audit_write().
* modules/pam_access/pam_access.8.xml: Add noaudit option.
Document auditing.
* modules/pam_access/pam_access.c: Move fs, sep, pam_access_debug, and
only_new_group_syntax variables to struct login_info. Add noaudit
member.
(_parse_args): Adjust for the move of variables and add support for
noaudit option.
(group_match): Add debug parameter.
(string_match): Likewise.
(network_netmask_match): Likewise.
(login_access): Adjust for the move of variables. Add nonall_match.
Add call to pam_modutil_audit_write().
(list_match): Adjust for the move of variables.
(user_match): Likewise.
(from_match): Likewise.
(pam_sm_authenticate): Call _parse_args() earlier.
* modules/pam_limits/pam_limits.8.xml: Add noaudit option.
Document auditing.
* modules/pam_limits/pam_limits.c (_pam_parse): Add noaudit option.
(setup_limits): Call pam_modutil_audit_write().
* modules/pam_time/pam_time.8.xml: Add debug and noaudit options.
Document auditing.
* modules/pam_time/pam_time.c: Add option parsing (_pam_parse()).
(check_account): Call _pam_parse(). Call pam_modutil_audit_write()
and pam_syslog() on login denials.
Diffstat (limited to 'modules/pam_time')
-rw-r--r-- | modules/pam_time/README | 3 | ||||
-rw-r--r-- | modules/pam_time/pam_time.8.xml | 37 | ||||
-rw-r--r-- | modules/pam_time/pam_time.c | 50 |
3 files changed, 87 insertions, 3 deletions
diff --git a/modules/pam_time/README b/modules/pam_time/README
index abafd936..05eaec2c 100644
--- a/modules/pam_time/README
+++ b/modules/pam_time/README
@@ -14,6 +14,9 @@ from which they are making their request.
 By default rules for time/port access are taken from config file /etc/security/
 time.conf.
+If Linux PAM is compiled with audit support the module will report when it
+denies access.
+
 EXAMPLES
 These are some example lines which might be specified in /etc/security/
diff --git a/modules/pam_time/pam_time.8.xml b/modules/pam_time/pam_time.8.xml
index de7bcad3..e0b149a7 100644
--- a/modules/pam_time/pam_time.8.xml
+++ b/modules/pam_time/pam_time.8.xml
@@ -22,6 +22,12 @@
 <refsynopsisdiv>
 <cmdsynopsis id="pam_time-cmdsynopsis">
 <command>pam_time.so</command>
+ <arg choice="opt">
+ debug
+ </arg>
+ <arg choice="opt">
+ noaudit
+ </arg>
 </cmdsynopsis>
 </refsynopsisdiv>
@@ -41,11 +47,40 @@
 By default rules for time/port access are taken from config file
 <filename>/etc/security/time.conf</filename>.
 </para>
+ <para>
+ If Linux PAM is compiled with audit support the module will report
+ when it denies access.
+ </para>
 </refsect1>
 <refsect1 id="pam_time-options">
 <title>OPTIONS</title>
- <para>This module does not recognise any options.</para>
+ <variablelist>
+
+ <varlistentry>
+ <term>
+ <option>debug</option>
+ </term>
+ <listitem>
+ <para>
+ Some debug informations are printed with
+ <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <option>noaudit</option>
+ </term>
+ <listitem>
+ <para>
+ Do not report logins at disallowed time to the audit subsystem.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
 </refsect1>
 <refsect1 id="pam_time-services">
diff --git a/modules/pam_time/pam_time.c b/modules/pam_time/pam_time.c
index 56b418f4..8e3b2486 100644
--- a/modules/pam_time/pam_time.c
+++ b/modules/pam_time/pam_time.c
@@ -22,9 +22,16 @@
 #include <fcntl.h>
 #include <netdb.h>
+#ifdef HAVE_LIBAUDIT
+#include <libaudit.h>
+#endif
+
 #define PAM_TIME_BUFLEN 1000
 #define FIELD_SEPARATOR ';' /* this is new as of .02 */
+#define PAM_DEBUG_ARG 0x0001
+#define PAM_NO_AUDIT 0x0002
+
 #ifndef TRUE
 # define TRUE 1
 #endif
@@ -46,6 +53,29 @@ typedef enum { AND, OR } operator;
 #include <security/_pam_macros.h>
 #include <security/pam_modules.h>
 #include <security/pam_ext.h>
+#include <security/pam_modutil.h>
+
+static int
+_pam_parse (const pam_handle_t *pamh, int argc, const char **argv)
+{
+ int ctrl = 0;
+
+ /* step through arguments */
+ for (; argc-- > 0; ++argv) {
+
+ /* generic options */
+
+ if (!strcmp(*argv, "debug")) {
+ ctrl |= PAM_DEBUG_ARG;
+ } else if (!strcmp(*argv, "noaudit")) {
+ ctrl |= PAM_NO_AUDIT;
+ } else {
+ pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
+ }
+ }
+
+ return ctrl;
+}
 /* --- static functions for checking whether the user should be let in --- */
@@ -567,11 +597,15 @@ check_account(pam_handle_t *pamh, const char *service,
 PAM_EXTERN int
 pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED,
- int argc UNUSED, const char **argv UNUSED)
+ int argc, const char **argv)
 {
 const void *service=NULL, *void_tty=NULL;
 const char *tty;
 const char *user=NULL;
+ int ctrl;
+ int rv;
+
+ ctrl = _pam_parse(pamh, argc, argv);
 /* set service name */
@@ -620,7 +654,19 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED,
 D(("user=%s", user));
 D(("tty=%s", tty));
- return check_account(pamh, service, tty, user);
+ rv = check_account(pamh, service, tty, user);
+ if (rv != PAM_SUCCESS) {
+#ifdef HAVE_LIBAUDIT
+ if (!(ctrl & PAM_NO_AUDIT)) {
+ pam_modutil_audit_write(pamh, AUDIT_ANOM_LOGIN_TIME,
+ "pam_time", rv); /* ignore return value as we fail anyway */
+ }
+#endif
+ if (ctrl & PAM_DEBUG_ARG) {
+ pam_syslog(pamh, LOG_DEBUG, "user %s rejected", user);
+ }
+ }
+ return rv;
 }
 /* end of module definition */ |
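Review bot: The new `_pam_parse` in the `@@ -46,6 +53,29 @@` hunk has no header comment stating its contract, and its error policy (an unrecognised option is logged at LOG_ERR and then ignored rather than failing the call) is the kind of thing a later maintainer should not have to infer from the loop body. A short comment above `static int` would do: `/* Parse module arguments into a PAM_DEBUG_ARG / PAM_NO_AUDIT bitmask; unknown options are logged via pam_syslog() but never abort the call. */`. The commit summary shows the same option loop being added to pam_limits and pam_access, so a shared helper could remove the duplication, though that is outside this hunk.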
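Review bot: In the `@@ -620,7 +654,19 @@` hunk the audit write and the debug syslog inside `if (rv != PAM_SUCCESS)` treat every non-success return from `check_account()` as a time-policy denial, but an `AUDIT_ANOM_LOGIN_TIME` record is only accurate when the policy actually rejected the login. If `check_account()` can return other codes (its body is outside this hunk, so this is unverified from here), a configuration or resource error would be recorded as an anomalous-time login and skew what an analyst sees in the audit trail. Guarding the audit call on the denial code, `if (!(ctrl & PAM_NO_AUDIT) && rv == PAM_PERM_DENIED) {`, keeps the event meaningful, or a comment above the branch should state that `check_account()` returns only PAM_SUCCESS or PAM_PERM_DENIED. Separately, the only syslog record of a denial is at LOG_DEBUG behind the `debug` option, so a build without HAVE_LIBAUDIT leaves no log trace of rejected logins by default; logging the rejection at LOG_NOTICE unconditionally would serve operators better. `pam_sm_acct_mgmt` begins outside this hunk.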