author | Tomas Mraz <tmraz@fedoraproject.org> | 2012-09-06 14:58:57 +0200 |
---|---|---|
committer | Tomas Mraz <tmraz@fedoraproject.org> | 2012-09-06 14:58:57 +0200 |
commit | 6b2a5b9f5595f39fb919c12c52c7f3c53f33f914 (patch) | |
tree | 07442783e0536be5f8267717c008e3c485159605 /modules | |
parent | c027252aac0be2fb1696ac9028458fed220b0be3 (diff) | |
download | pam-6b2a5b9f5595f39fb919c12c52c7f3c53f33f914.tar.gz pam-6b2a5b9f5595f39fb919c12c52c7f3c53f33f914.tar.bz2 pam-6b2a5b9f5595f39fb919c12c52c7f3c53f33f914.zip |
pam_selinux, pam_tally2: Add tty and rhost to audit data.
modules/pam_selinux/pam_selinux.c (send_audit_message): Obtain tty and
rhost from PAM items and pass them to audit.
modules/pam_tally2/pam_tally2.c (tally_check): Obtain tty and
rhost from PAM items and pass them to audit.
(main): Obtain tty name of stdin and pass it to audit.
Diffstat (limited to 'modules')
-rw-r--r-- | modules/pam_selinux/pam_selinux.c | 5 | ||||
-rw-r--r-- | modules/pam_tally2/pam_tally2.c | 15 |
2 files changed, 13 insertions, 7 deletions
diff --git a/modules/pam_selinux/pam_selinux.c b/modules/pam_selinux/pam_selinux.c
index d66ccb46..473655c5 100644
--- a/modules/pam_selinux/pam_selinux.c
+++ b/modules/pam_selinux/pam_selinux.c
@@ -87,6 +87,7 @@ int send_audit_message(pam_handle_t *pamh, int success, security_context_t defau
 int audit_fd = audit_open();
 security_context_t default_raw=NULL;
 security_context_t selected_raw=NULL;
+ const void *tty = NULL, *rhost = NULL;
 rc = -1;
 if (audit_fd < 0) {
 if (errno == EINVAL || errno == EPROTONOSUPPORT ||
@@ -95,6 +96,8 @@ int send_audit_message(pam_handle_t *pamh, int success, security_context_t defau
 pam_syslog(pamh, LOG_ERR, "Error connecting to audit system.");
 return rc;
 }
+ (void)pam_get_item(pamh, PAM_TTY, &tty);
+ (void)pam_get_item(pamh, PAM_RHOST, &rhost);
 if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) {
 pam_syslog(pamh, LOG_ERR, "Error translating default context.");
 default_raw = NULL;
@@ -110,7 +113,7 @@ int send_audit_message(pam_handle_t *pamh, int success, security_context_t defau
 goto out;
 }
 if (audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE,
- msg, NULL, NULL, NULL, success) <= 0) {
+ msg, rhost, NULL, tty, success) <= 0) {
 pam_syslog(pamh, LOG_ERR, "Error sending audit message.");
 goto out;
 }
diff --git a/modules/pam_tally2/pam_tally2.c b/modules/pam_tally2/pam_tally2.c
index d3d6779a..09e85855 100644
--- a/modules/pam_tally2/pam_tally2.c
+++ b/modules/pam_tally2/pam_tally2.c
@@ -509,6 +509,7 @@ tally_check (tally_t oldcnt, time_t oldtime, pam_handle_t *pamh, uid_t uid,
 #ifdef HAVE_LIBAUDIT
 char buf[64];
 int audit_fd = -1;
+ const void *rhost = NULL, *tty = NULL;
 #endif
 
 if ((opts->ctrl & OPT_MAGIC_ROOT) && getuid() == 0) {
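Review bot: The `rhost` read by `(void)pam_get_item(pamh, PAM_RHOST, &rhost)` is whatever the calling application stored, which for network services is usually a client-supplied string, and the `@@ -110` hunk now passes it unchanged as the hostname argument of `audit_log_user_message` (the pam_tally2 hunks at `@@ -530`, `@@ -541`, `@@ -555` and `@@ -567` do the same with `rhost` and `tty`). Whether libaudit strips embedded whitespace and control characters from the hostname and tty fields before writing the key=value record is not visible here; if it does not, these modules should filter them or at least state that libaudit is relied on for that. A comment above the two `pam_get_item` calls, such as `/* application-supplied values; libaudit is expected to sanitize them before logging */`, would record the assumption. send_audit_message starts and ends outside these hunks.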
@@ -521,6 +522,8 @@ tally_check (tally_t oldcnt, time_t oldtime, pam_handle_t *pamh, uid_t uid,
 if ((audit_fd < 0) && !(errno == EINVAL || errno == EPROTONOSUPPORT ||
 errno == EAFNOSUPPORT))
 return PAM_SYSTEM_ERR;
+ (void)pam_get_item(pamh, PAM_TTY, &tty);
+ (void)pam_get_item(pamh, PAM_RHOST, &rhost);
 #endif
 if (opts->deny != 0 && /* deny==0 means no deny */
 tally->fail_cnt > opts->deny && /* tally>deny means exceeded */
@@ -530,7 +533,7 @@ tally_check (tally_t oldcnt, time_t oldtime, pam_handle_t *pamh, uid_t uid,
 /* First say that max number was hit. */
 snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid);
 audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf,
- NULL, NULL, NULL, 1);
+ rhost, NULL, tty, 1);
 }
 #endif
 if (uid) {
@@ -541,7 +544,7 @@ tally_check (tally_t oldcnt, time_t oldtime, pam_handle_t *pamh, uid_t uid,
 #ifdef HAVE_LIBAUDIT
 snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid);
 audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
- NULL, NULL, NULL, 1);
+ rhost, NULL, tty, 1);
 #endif
 rv = PAM_SUCCESS;
 goto cleanup;
@@ -555,7 +558,7 @@ tally_check (tally_t oldcnt, time_t oldtime, pam_handle_t *pamh, uid_t uid,
 #ifdef HAVE_LIBAUDIT
 snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid);
 audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
- NULL, NULL, NULL, 1);
+ rhost, NULL, tty, 1);
 #endif
 rv = PAM_SUCCESS;
 goto cleanup;
@@ -567,7 +570,7 @@ tally_check (tally_t oldcnt, time_t oldtime, pam_handle_t *pamh, uid_t uid,
 if (tally->fail_cnt == opts->deny+1) {
 /* First say that max number was hit. */
 audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf,
- NULL, NULL, NULL, 1);
+ rhost, NULL, tty, 1);
 }
 #endif
 
@@ -996,7 +999,7 @@ main( int argc UNUSED, char **argv )
 int audit_fd = audit_open();
 snprintf(buf, sizeof(buf), "pam_tally2 uid=%u reset=%hu", uid, cline_reset);
 audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
- buf, NULL, NULL, NULL, 1);
+ buf, NULL, NULL, ttyname(STDIN_FILENO), 1);
 if (audit_fd >=0)
 close(audit_fd);
 #endif
@@ -1041,7 +1044,7 @@ main( int argc UNUSED, char **argv )
 int audit_fd = audit_open();
 snprintf(buf, sizeof(buf), "pam_tally2 uid=all reset=0");
 audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
- buf, NULL, NULL, ttyname(STDIN_FILENO), 1);
 if (audit_fd >=0)
 close(audit_fd);
 #endif |
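Review bot: `ttyname(STDIN_FILENO)` returns NULL whenever stdin is not a terminal, for example when pam_tally2 is run from a script or a cron job, so both hunks then silently fall back to the previous behaviour of passing NULL for the tty. That is presumably acceptable, but it is not obvious from the call and should be recorded; a comment such as `/* NULL when stdin is not a tty; the record then carries no terminal, as before */` above each call would do. The same expression is also evaluated in two separate branches, so it could be fetched once into a local near the top of the reset path instead. main starts and ends outside these hunks.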