From c85513220c1bd3150e39c6277422d29cfa44acc7 Mon Sep 17 00:00:00 2001 From: Steve Grubb Date: Thu, 27 Jul 2023 13:14:42 -0400 Subject: pam_faillock: fix formatting of audit messages pam_faillock uses audit_log_user_message to write to the audit system. It does not take an op argument, so you have to add one yourself. Otherwise the pam_faillock part of the message is lost because it's not in key=value format. Also, we can't use uid in that event because the kernel already adds that field. What we normally do is use 'suid' (meaning sender uid) as the field name. --- modules/pam_faillock/pam_faillock.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'modules/pam_faillock') diff --git a/modules/pam_faillock/pam_faillock.c b/modules/pam_faillock/pam_faillock.c index ca1c7035..a89909ab 100644 --- a/modules/pam_faillock/pam_faillock.c +++ b/modules/pam_faillock/pam_faillock.c @@ -248,7 +248,7 @@ check_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies (void)pam_get_item(pamh, PAM_TTY, &tty); (void)pam_get_item(pamh, PAM_RHOST, &rhost); - snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid); + snprintf(buf, sizeof(buf), "op=pam_faillock suid=%u ", opts->uid); audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf, rhost, NULL, tty, 1); } @@ -364,7 +364,7 @@ write_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies errno == EAFNOSUPPORT)) return PAM_SYSTEM_ERR; - snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid); + snprintf(buf, sizeof(buf), "op=pam_faillock suid=%u ", opts->uid); audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf, NULL, NULL, NULL, 1); -- cgit v1.2.3
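Review bot: The new literal `"op=pam_faillock suid=%u "` in the check_tally hunk (and the identical line in the write_tally hunk) depends on two constraints that only the commit message records: the text handed to audit_log_user_message() must itself be key=value because that call takes no op argument, and the field cannot be called `uid` because the kernel already adds one. A comment above each snprintf would stop a later cleanup from reverting either, e.g. `/* audit text must be key=value (no op argument); kernel already emits uid=, so use suid (sender uid) */`. Since the same string now sits at both audit sites, one file-level `#define` for it would keep the AUDIT_RESP_ACCT_UNLOCK_TIMED and AUDIT_ANOM_LOGIN_FAILURES records in the same format. Log parsers or detection rules that matched the old `pam_faillock uid=` text will stop matching after this change, so it deserves a line in the release notes. Both functions start and end outside their hunks, so the declaration and size of `buf` are not visible here.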