pam_faillock: fix formatting of audit messages

pam_faillock uses audit_log_user_message to write to the audit system.
It does not take an op argument, so you have to add one yourself. Otherwise
the pam_faillock part of the message is lost because it's not in key=value
format.

Also, we can't use uid in that event because the kernel already adds that
field. What we normally do is use 'suid' (meaning sender uid) as the
field name.

1 files changed, 2 insertions, 2 deletions

diff --git a/modules/pam_faillock/pam_faillock.c b/modules/pam_faillock/pam_faillock.c
index ca1c7035..a89909ab 100644
--- a/modules/pam_faillock/pam_faillock.c
+++ b/modules/pam_faillock/pam_faillock.c
@@ -248,7 +248,7 @@ check_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies
 
 				(void)pam_get_item(pamh, PAM_TTY, &tty);
 				(void)pam_get_item(pamh, PAM_RHOST, &rhost);
-				snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid);
+				snprintf(buf, sizeof(buf), "op=pam_faillock suid=%u ", opts->uid);
 				audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
 					rhost, NULL, tty, 1);
 			}
@@ -364,7 +364,7 @@ write_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies
 			errno == EAFNOSUPPORT))
 			return PAM_SYSTEM_ERR;
 
-		snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid);
+		snprintf(buf, sizeof(buf), "op=pam_faillock suid=%u ", opts->uid);
 		audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf,
 			NULL, NULL, NULL, 1);