<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.32.2">
</HEAD>
<BODY>
On Wed, 2011-08-10 at 20:37 +0200, Matěj Cepl wrote:
<BLOCKQUOTE TYPE=CITE>
<PRE>
From: Steve Grubb <<A HREF="mailto:sgrubb@redhat.com">sgrubb@redhat.com</A>>
<A HREF="https://bugzilla.redhat.com/469357">https://bugzilla.redhat.com/469357</A>
Thanks for help with this patch to
"Gaetan Nadon" <<A HREF="mailto:memsize@videotron.ca">memsize@videotron.ca</A>>
</PRE>
</BLOCKQUOTE>
Thanks for your patience. I noticed that logging to audit will only work if PAM is available.<BR>
When a user configures --with-libaudit but PAM is not installed, Linux Audit won't work<BR>
and there is no way for the user to figure out why. I'll work out an additional check tomorrow<BR>
and post it. The configuration should abort if libaudit is requested (=yes) but libpam is missing.<BR>
<BR>
<BLOCKQUOTE TYPE=CITE>
<PRE>
Signed-off-by: Matěj Cepl <<A HREF="mailto:mcepl@redhat.com">mcepl@redhat.com</A>>
---
configure.ac | 16 +++++++++++++++-
greeter/greet.c | 32 ++++++++++++++++++++++++++++++++
2 files changed, 47 insertions(+), 1 deletions(-)
diff --git a/configure.ac b/configure.ac
index 0c79999..ef2302c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -145,6 +145,20 @@ if test "x$USE_SELINUX" != "xno" ; then
)
fi
+# Check for Linux Audit support
+AC_ARG_WITH(libaudit, AS_HELP_STRING([--with-libaudit],
+ [Add support for Linux Audit (default is autodetected)]),
+ [USE_LINUX_AUDIT=$withval], [USE_LINUX_AUDIT=auto])
+if test "x$USE_LINUX_AUDIT" != "xno" ; then
+ AC_CHECK_LIB(audit, audit_log_user_message,
+ [AC_DEFINE(USE_LINUX_AUDIT,1,[Use Linux Audit support])]
+ XDMGREET_LIBS="$XDMGREET_LIBS -laudit",
+ [AS_IF([test "x$USE_LINUX_AUDIT" = "xyes"],
+ [AC_MSG_ERROR([Linux Audit support requested, but audit_log_user_message not found.])]
+ )]
+ )
+fi
+
# FIXME: Find better test for which OS'es use su -m - for now, just try to
# mirror the Imakefile setting of:
# if defined(OpenBSDArchitecture) || defined(NetBSDArchitecture) || defined(FreeBSDArchitecture) || defined(DarwinArchitecture)
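Review bot: The action-if-found of the new AC_CHECK_LIB defines `USE_LINUX_AUDIT`, but greet.c tests `HAVE_LIBAUDIT` (in its include hunk and in front of the static log_to_audit_system), and AC_CHECK_LIB only auto-defines HAVE_LIBAUDIT when no action-if-found is supplied, so with this patch the audit code is compiled out and the no-op macro takes over even when libaudit is found. Either change the define to `AC_DEFINE(HAVE_LIBAUDIT,1,[Use Linux Audit support])` or switch both greet.c guards to `USE_LINUX_AUDIT`. The probed symbol `audit_log_user_message` is also not the one greet.c calls (`audit_log_acct_message`); probing the function actually used, `AC_CHECK_LIB(audit, audit_log_acct_message,`, keeps the configure check honest. As the reply above notes, the check should additionally fail when PAM is absent, since the logging function is only built under USE_PAM.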
@@ -171,7 +185,7 @@ AC_SUBST(SU)
# Define a configure option to locate a special file (/dev/random or /dev/urandom)
# that serves as a random or a pseudorandom number generator
-AC_ARG_WITH(random-device, AS_HELP_STRING([--with-random-device\[=<pathname>\]],
+AC_ARG_WITH(random-device, AS_HELP_STRING([--with-random-device=<pathname>],
        [Use <pathname> as a source of randomness (default is auto-detected)]),
        [USE_DEVICE="$withval"], [USE_DEVICE="auto"])
if test x$USE_DEVICE != xno ; then
diff --git a/greeter/greet.c b/greeter/greet.c
index 87d2a83..2d26c69 100644
--- a/greeter/greet.c
+++ b/greeter/greet.c
@@ -86,6 +86,13 @@ from The Open Group.
# endif
#endif
+#ifdef HAVE_LIBAUDIT
+#include <libaudit.h>
+#include <pwd.h>
+#else
+#define log_to_audit_system(l,h,s) do { ; } while (0)
+#endif
+
#include <string.h>
#if defined(SECURE_RPC) && defined(sun)
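Review bot: The `#else` stub only covers the case where HAVE_LIBAUDIT is undefined, whereas the real log_to_audit_system is compiled only when both USE_PAM and HAVE_LIBAUDIT are defined (next greet.c hunk), so the two sides of the conditional do not describe the same configuration. Guarding the include block with `#if defined(HAVE_LIBAUDIT) && defined(USE_PAM)` keeps them in step until the configure-time PAM check mentioned in the reply exists; whether an audit-without-PAM build would even reach the call sites depends on how GreetUser's surrounding USE_PAM block is laid out, which is not visible in the hunk. A short comment on the stub, such as `/* no audit support: calls compile to nothing */`, would also make the fallback obvious to the next reader.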
@@ -415,6 +422,29 @@ FailedLogin (struct display *d, const char *username)
DrawFail (login);
}
+#ifdef USE_PAM
+#ifdef HAVE_LIBAUDIT
+static void
+log_to_audit_system(const pam_handle_t *pamhp, int success)
+{
+        struct passwd *pw = NULL;
+        char *hostname = NULL, *tty = NULL, *login=NULL;
+        int audit_fd;
+
+        audit_fd = audit_open();
+        pam_get_item(pamhp, PAM_RHOST, &hostname);
+        pam_get_item(pamhp, PAM_TTY, &tty);
+        pam_get_item(pamhp, PAM_USER, &login);
+        if (login)
+                pw = getpwnam(login);
+                audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
+                        NULL, "login", login ? login : "(unknown)",
+                        pw ? pw->pw_uid : -1, hostname, NULL, tty, success);
+        close(audit_fd);
+}
+#endif
+#endif
+
_X_EXPORT
greet_user_rtn GreetUser(
struct display *d,
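Review bot: In log_to_audit_system the result of `audit_open()` is never checked, so when the audit socket cannot be opened the function carries on with -1 and the lost login record is invisible; a failed open should at least return early and ideally be reported through xdm's own error logging so that missing audit records can be noticed. The descriptor is also released with `close()` where libaudit provides `audit_close()`, and the third argument of `pam_get_item` is `const void **`, so passing `&hostname` (a `char **`) is an incompatible-pointer-type conversion that the compiler will warn about. The indentation of the `audit_log_acct_message` call suggests it sits under `if (login)` while it actually runs unconditionally (the `login ? login : "(unknown)"` fallback shows that is intended), so the indent should be corrected to match the control flow.
```c
static void
log_to_audit_system(const pam_handle_t *pamhp, int success)
{
        struct passwd *pw = NULL;
        const void *hostname = NULL, *tty = NULL, *login = NULL;
        int audit_fd;

        audit_fd = audit_open();
        if (audit_fd < 0)
                return;         /* audit socket unavailable: nothing to write to */
        /* … unchanged: the three pam_get_item calls … */
        if (login)
                pw = getpwnam((const char *) login);
        audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
                NULL, "login", login ? (const char *) login : "(unknown)",
                pw ? pw->pw_uid : -1, (const char *) hostname, NULL,
                (const char *) tty, success);
        audit_close(audit_fd);
}
```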
@@ -600,6 +630,7 @@ greet_user_rtn GreetUser(
        if ((pam_error == PAM_SUCCESS) && (Verify (d, greet, verify))) {
         SetPrompt (login, 1, "Login Successful", LOGIN_TEXT_INFO, False);
         SetValue (login, 1, NULL);
+         log_to_audit_system(*pamhp, 1);
         break;
        } else {
         /* Try to fill in username for failed login error log */
@@ -611,6 +642,7 @@ greet_user_rtn GreetUser(
                                         (void *) &username));
         }
         FailedLogin (d, username);
+         log_to_audit_system(*pamhp, 0);
         RUN_AND_CHECK_PAM_ERROR(pam_end,
                                 (*pamhp, pam_error));
        }
--
1.7.6
</PRE>
</BLOCKQUOTE>
<BR>
</BODY>
</HTML>