diff options
Diffstat (limited to 'modules/pam_unix')
| -rw-r--r-- | modules/pam_unix/Makefile.am | 2 | ||||
| -rw-r--r-- | modules/pam_unix/unix_update.c | 17 |
2 files changed, 18 insertions, 1 deletions
diff --git a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am index c510f87f..1780e586 100644 --- a/modules/pam_unix/Makefile.am +++ b/modules/pam_unix/Makefile.am @@ -74,7 +74,7 @@ unix_update_SOURCES = unix_update.c audit.c md5_good.c md5_broken.c bigcrypt.c \ passverify.c unix_update_CFLAGS = $(AM_CFLAGS) @EXE_CFLAGS@ -DHELPER_COMPILE=\"unix_update\" unix_update_LDFLAGS = @EXE_LDFLAGS@ -unix_update_LDADD = @LIBCRYPT@ @LIBSELINUX@ +unix_update_LDADD = @LIBCRYPT@ @LIBSELINUX@ @LIBAUDIT@ endif if ENABLE_REGENERATE_MAN diff --git a/modules/pam_unix/unix_update.c b/modules/pam_unix/unix_update.c index 49a70ff3..4adaa5af 100644 --- a/modules/pam_unix/unix_update.c +++ b/modules/pam_unix/unix_update.c @@ -27,6 +27,10 @@ #include <signal.h> #include <time.h> #include <sys/time.h> +#ifdef HAVE_LIBAUDIT +#include <libaudit.h> +#include "audit.h" +#endif #include <security/_pam_types.h> #include <security/_pam_macros.h> @@ -80,7 +84,12 @@ set_password(const char *forwho, const char *shadow, const char *remember) We always allow change from null pass. */ if (getuid()) { retval = helper_verify_password(forwho, pass, 1); +#ifdef HAVE_LIBAUDIT + audit_log(AUDIT_USER_AUTH, getuidname(getuid()), retval); +#endif if (retval != PAM_SUCCESS) { + helper_log_err(LOG_NOTICE, "password check failed for user (%s)", + getuidname(getuid())); goto done; } } @@ -100,6 +109,11 @@ set_password(const char *forwho, const char *shadow, const char *remember) retval = unix_update_passwd(forwho, towhat); } +#ifdef HAVE_LIBAUDIT + audit_log(AUDIT_USER_CHAUTHTOK, getuidname(getuid()), retval); +#endif + + done: pam_overwrite_array(pass); pam_overwrite_array(towhat); @@ -135,6 +149,9 @@ int main(int argc, char *argv[]) helper_log_err(LOG_NOTICE ,"inappropriate use of Unix helper binary [UID=%d]" ,getuid()); +#ifdef HAVE_LIBAUDIT + audit_log(AUDIT_ANOM_EXEC, getuidname(getuid()), PAM_SYSTEM_ERR); +#endif fprintf(stderr ,"This binary is not designed for running in this way\n" "-- the system administrator has been informed\n"); |