<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.32.2">
</HEAD>
<BODY>
On Tue, 2011-08-09 at 16:57 +0200, Matěj Cepl wrote:
<BLOCKQUOTE TYPE=CITE>
<PRE>
<A HREF="https://bugzilla.redhat.com/469357">https://bugzilla.redhat.com/469357</A>
Patch by Steve Grubb &lt;sgrubb at redhat dot com&gt;
Signed-off-by: Matěj Cepl &lt;<A HREF="mailto:mcepl@redhat.com">mcepl@redhat.com</A>&gt;
---
configure.ac | 24 +++++++++++++++++++++++-
greeter/greet.c | 32 ++++++++++++++++++++++++++++++++
2 files changed, 55 insertions(+), 1 deletions(-)
diff --git a/configure.ac b/configure.ac
index 0c79999..f55455a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -145,6 +145,28 @@ if test "x$USE_SELINUX" != "xno" ; then
)
fi
+AC_ARG_WITH(libaudit, AS_HELP_STRING([--with-libaudit],
+        [Add Linux audit support (default=auto)]),
+ [with_libaudit="$withval"], [with_libaudit=auto])
+
+# Check for Linux auditing API
+#
+# libaudit detection
+if test x$with_libaudit = xno ; then
+ have_libaudit=no;
+else
+ # See if we have audit daemon library
+ AC_CHECK_LIB(audit, audit_log_user_message,
+ have_libaudit=yes, have_libaudit=no)
+fi
+
+AM_CONDITIONAL(HAVE_LIBAUDIT, test x$have_libaudit = xyes)
</PRE>
</BLOCKQUOTE>
This AM_CONDITIONAL is dead code. It would be used in Makefile.am to skip a section of the makefile (perhaps I missed it).
<BLOCKQUOTE TYPE=CITE>
<PRE>
+
+if test x$have_libaudit = xyes ; then
+ XDMGREET_LIBS="$XDMGREET_LIBS -laudit"
+ AC_DEFINE(HAVE_LIBAUDIT,1,[linux audit support])
+fi
+
</PRE>
</BLOCKQUOTE>
Sorry, I had some more time to look at it :-)<BR>
<BR>
Assuming the default is "auto" and is acceptable for most users, there is a missing behaviour. When a user specifies "--with-libaudit", he really wants it. If it is not installed, there is no feedback and it silently fails. So there is no difference between "auto" and "yes". This is why you see statements similar to this:
<BLOCKQUOTE>
<PRE>
AC_MSG_ERROR([Linux Audit support requested, but audit_log_user_message not found.])
</PRE>
</BLOCKQUOTE>
This tells the user "you want libaudit, but it's nowhere to be found". PAM and SELinux options are coded this way; it would be more consistent to have the Linux Audit option coded the same way.<BR>
<BR>
This is the code I unit tested. It provides a complete implementation for the libaudit option. Some variable names may not match the C code patch.<BR>
<BR>
<BLOCKQUOTE>
<PRE>
# Check for Linux Audit support
AC_ARG_WITH(libaudit, AS_HELP_STRING([--with-libaudit],
        [Add support for Linux Audit (default is autodetected)]),
        [USE_LINUX_AUDIT=$withval], [USE_LINUX_AUDIT=auto])
if test "x$USE_LINUX_AUDIT" != "xno" ; then
    AC_CHECK_LIB(audit, audit_log_user_message,
        [AC_DEFINE(USE_LINUX_AUDIT,1,[Use Linux Audit support])
         XDMGREET_LIBS="$XDMGREET_LIBS -laudit"],
        [AS_IF([test "x$USE_LINUX_AUDIT" = "xyes"],
          [AC_MSG_ERROR([Linux Audit support requested, but audit_log_user_message not found.])])])
fi
</PRE>
</BLOCKQUOTE>
<BR>
<BLOCKQUOTE TYPE=CITE>
<PRE>
# FIXME: Find better test for which OS'es use su -m - for now, just try to
# mirror the Imakefile setting of:
# if defined(OpenBSDArchitecture) || defined(NetBSDArchitecture) || defined(FreeBSDArchitecture) || defined(DarwinArchitecture)
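</PRE>
</BLOCKQUOTE>
Review bot: the configure test in this hunk only proves that the library links (AC_CHECK_LIB(audit, audit_log_user_message, ...)), yet the greet.c hunk does #include &lt;libaudit.h&gt; under the same HAVE_LIBAUDIT symbol, so a host that has libaudit.so but not the development header passes configure and then fails to compile. Pair the library test with AC_CHECK_HEADER([libaudit.h], ...) and set have_libaudit=yes only when both succeed. Two smaller points: the three comment lines "# Check for Linux auditing API / # / # libaudit detection" say one thing and can be a single line, and `test x$with_libaudit = xno` should quote the variable the way the SELinux block right above does (`test "x$USE_SELINUX" != "xno"`).
<BLOCKQUOTE TYPE=CITE>
<PRE>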
@@ -171,7 +193,7 @@ AC_SUBST(SU)
# Define a configure option to locate a special file (/dev/random or /dev/urandom)
# that serves as a random or a pseudorandom number generator
-AC_ARG_WITH(random-device, AS_HELP_STRING([--with-random-device\[=<pathname>\]],
+AC_ARG_WITH(random-device, AS_HELP_STRING([--with-random-device=<pathname>],
        [Use <pathname> as a source of randomness (default is auto-detected)]),
        [USE_DEVICE="$withval"], [USE_DEVICE="auto"])
if test x$USE_DEVICE != xno ; then
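</PRE>
</BLOCKQUOTE>
Review bot: this hunk has nothing to do with the audit support the commit describes and should be a separate commit with its own explanation. It also changes what the help text says: the original `--with-random-device\[=&lt;pathname&gt;\]` marks the pathname as optional, and the code below only tests `x$USE_DEVICE != xno`, so a bare `--with-random-device` is still accepted; dropping the brackets tells users the argument is mandatory when it is not. If the escaped brackets were the problem, autoconf's way to spell literal brackets inside AS_HELP_STRING is the `@&lt;:@` / `@:&gt;@` quadrigraphs, which keeps the optional marker intact.
<BLOCKQUOTE TYPE=CITE>
<PRE>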
diff --git a/greeter/greet.c b/greeter/greet.c
index 87d2a83..2d26c69 100644
--- a/greeter/greet.c
+++ b/greeter/greet.c
@@ -86,6 +86,13 @@ from The Open Group.
# endif
#endif
+#ifdef HAVE_LIBAUDIT
+#include <libaudit.h>
+#include <pwd.h>
+#else
+#define log_to_audit_system(l,h,s) do { ; } while (0)
+#endif
+
#include <string.h>
#if defined(SECURE_RPC) && defined(sun)
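</PRE>
</BLOCKQUOTE>
Review bot: the fallback macro has the wrong arity and breaks the build without libaudit. `#define log_to_audit_system(l,h,s) do { ; } while (0)` takes three parameters, but the function defined in the next hunk takes two (`pamhp`, `success`) and both call sites pass two arguments (`log_to_audit_system(*pamhp, 1)` and `log_to_audit_system(*pamhp, 0)`), so the preprocessor rejects the calls when HAVE_LIBAUDIT is undefined. Change it to `#define log_to_audit_system(h,s) do { ; } while (0)`. Note also that the real function is guarded by both USE_PAM and HAVE_LIBAUDIT while this stub is guarded only by !HAVE_LIBAUDIT; the two conditions should mirror each other so every configuration gets exactly one definition.
<BLOCKQUOTE TYPE=CITE>
<PRE>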
@@ -415,6 +422,29 @@ FailedLogin (struct display *d, const char *username)
DrawFail (login);
}
+#ifdef USE_PAM
+#ifdef HAVE_LIBAUDIT
+static void
+log_to_audit_system(const pam_handle_t *pamhp, int success)
+{
+        struct passwd *pw = NULL;
+        char *hostname = NULL, *tty = NULL, *login=NULL;
+        int audit_fd;
+
+        audit_fd = audit_open();
+        pam_get_item(pamhp, PAM_RHOST, &hostname);
+        pam_get_item(pamhp, PAM_TTY, &tty);
+        pam_get_item(pamhp, PAM_USER, &login);
+        if (login)
+                pw = getpwnam(login);
+                audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
+                        NULL, "login", login ? login : "(unknown)",
+                        pw ? pw->pw_uid : -1, hostname, NULL, tty, success);
+        close(audit_fd);
+}
+#endif
+#endif
+
_X_EXPORT
greet_user_rtn GreetUser(
struct display *d,
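</PRE>
</BLOCKQUOTE>
Review bot: `audit_fd = audit_open();` is never checked. audit_open() returns -1 when the kernel has no audit support or the process may not write to the audit socket, and the code then hands -1 to audit_log_acct_message() and close(). Add `if (audit_fd &lt; 0) return;` right after the call, and close the descriptor with audit_close() rather than close() so the pairing matches the libaudit API. The indentation of the `audit_log_acct_message(...)` call makes it read as the body of `if (login)`, but without braces only `pw = getpwnam(login);` is conditional; the call is meant to run unconditionally (it has the `login ? login : "(unknown)"` fallback), so outdent it to match what the compiler sees. Minor: `hostname`, `tty` and `login` are `char *` but pam_get_item() takes `const void **`, so `&amp;hostname` etc. need a cast, as the existing code at the second call site does with `(void *) &amp;username`.
<BLOCKQUOTE TYPE=CITE>
<PRE>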
@@ -600,6 +630,7 @@ greet_user_rtn GreetUser(
        if ((pam_error == PAM_SUCCESS) && (Verify (d, greet, verify))) {
         SetPrompt (login, 1, "Login Successful", LOGIN_TEXT_INFO, False);
         SetValue (login, 1, NULL);
+         log_to_audit_system(*pamhp, 1);
         break;
        } else {
         /* Try to fill in username for failed login error log */
@@ -611,6 +642,7 @@ greet_user_rtn GreetUser(
                                         (void *) &username));
         }
         FailedLogin (d, username);
+         log_to_audit_system(*pamhp, 0);
         RUN_AND_CHECK_PAM_ERROR(pam_end,
                                 (*pamhp, pam_error));
        }
--
1.7.6
_______________________________________________
<A HREF="mailto:xorg-devel@lists.x.org">xorg-devel@lists.x.org</A>: X.Org development
Archives: <A HREF="http://lists.x.org/archives/xorg-devel">http://lists.x.org/archives/xorg-devel</A>
Info: <A HREF="http://lists.x.org/mailman/listinfo/xorg-devel">http://lists.x.org/mailman/listinfo/xorg-devel</A>
</PRE>
</BLOCKQUOTE>
<BR>
</BODY>
</HTML>