From b430e2d1c93414cb14e9a3557ac895e864138497 Mon Sep 17 00:00:00 2001 From: Christian Göttsche Date: Thu, 4 Jan 2024 18:23:50 +0100 Subject: pam_unix: add audit support to unix_update(8) Emit audit reports in the helper unix_update(8) about abnormal executions, unprivileged authentications, and password updates. Also log unprivileged authentication failures to syslog. --- modules/pam_unix/Makefile.am | 2 +- modules/pam_unix/unix_update.c | 17 +++++++++++++++++ 2 files changed, 18 insertions(+), 1 deletion(-) (limited to 'modules/pam_unix') diff --git a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am index c510f87f..1780e586 100644 --- a/modules/pam_unix/Makefile.am +++ b/modules/pam_unix/Makefile.am @@ -74,7 +74,7 @@ unix_update_SOURCES = unix_update.c audit.c md5_good.c md5_broken.c bigcrypt.c \ passverify.c unix_update_CFLAGS = $(AM_CFLAGS) @EXE_CFLAGS@ -DHELPER_COMPILE=\"unix_update\" unix_update_LDFLAGS = @EXE_LDFLAGS@ -unix_update_LDADD = @LIBCRYPT@ @LIBSELINUX@ +unix_update_LDADD = @LIBCRYPT@ @LIBSELINUX@ @LIBAUDIT@ endif if ENABLE_REGENERATE_MAN diff --git a/modules/pam_unix/unix_update.c b/modules/pam_unix/unix_update.c index 49a70ff3..4adaa5af 100644 --- a/modules/pam_unix/unix_update.c +++ b/modules/pam_unix/unix_update.c @@ -27,6 +27,10 @@ #include #include #include +#ifdef HAVE_LIBAUDIT +#include +#include "audit.h" +#endif #include #include @@ -80,7 +84,12 @@ set_password(const char *forwho, const char *shadow, const char *remember) We always allow change from null pass. */ if (getuid()) { retval = helper_verify_password(forwho, pass, 1); +#ifdef HAVE_LIBAUDIT + audit_log(AUDIT_USER_AUTH, getuidname(getuid()), retval); +#endif if (retval != PAM_SUCCESS) { + helper_log_err(LOG_NOTICE, "password check failed for user (%s)", + getuidname(getuid())); goto done; } } @@ -100,6 +109,11 @@ set_password(const char *forwho, const char *shadow, const char *remember) retval = unix_update_passwd(forwho, towhat); } +#ifdef HAVE_LIBAUDIT + audit_log(AUDIT_USER_CHAUTHTOK, getuidname(getuid()), retval); +#endif + + done: pam_overwrite_array(pass); pam_overwrite_array(towhat); @@ -135,6 +149,9 @@ int main(int argc, char *argv[]) helper_log_err(LOG_NOTICE ,"inappropriate use of Unix helper binary [UID=%d]" ,getuid()); +#ifdef HAVE_LIBAUDIT + audit_log(AUDIT_ANOM_EXEC, getuidname(getuid()), PAM_SYSTEM_ERR); +#endif fprintf(stderr ,"This binary is not designed for running in this way\n" "-- the system administrator has been informed\n"); -- cgit v1.2.3