linux-pam-commits
September 2012
linux-pam-commits@lists.fedorahosted.org
- 1 participants
- 2 discussions
[linux-pam] pam_selinux, pam_tally2: Add tty and rhost to audit data.
by Tomáš Mráz
commit 6b2a5b9f5595f39fb919c12c52c7f3c53f33f914
Author: Tomas Mraz <tmraz(a)fedoraproject.org>
Date: Thu Sep 6 14:58:57 2012 +0200
pam_selinux, pam_tally2: Add tty and rhost to audit data.
modules/pam_selinux/pam_selinux.c (send_audit_message): Obtain tty and
rhost from PAM items and pass them to audit.
modules/pam_tally2/pam_tally2.c (tally_check): Obtain tty and
rhost from PAM items and pass them to audit.
(main): Obtain tty name of stdin and pass it to audit.
modules/pam_selinux/pam_selinux.c | 5 ++++-
modules/pam_tally2/pam_tally2.c | 15 +++++++++------
2 files changed, 13 insertions(+), 7 deletions(-)
---
diff --git a/modules/pam_selinux/pam_selinux.c b/modules/pam_selinux/pam_selinux.c
index d66ccb4..473655c 100644
--- a/modules/pam_selinux/pam_selinux.c
+++ b/modules/pam_selinux/pam_selinux.c
@@ -87,6 +87,7 @@ int send_audit_message(pam_handle_t *pamh, int success, security_context_t defau
int audit_fd = audit_open();
security_context_t default_raw=NULL;
security_context_t selected_raw=NULL;
+ const void *tty = NULL, *rhost = NULL;
rc = -1;
if (audit_fd < 0) {
if (errno == EINVAL || errno == EPROTONOSUPPORT ||
@@ -95,6 +96,8 @@ int send_audit_message(pam_handle_t *pamh, int success, security_context_t defau
pam_syslog(pamh, LOG_ERR, "Error connecting to audit system.");
return rc;
}
+ (void)pam_get_item(pamh, PAM_TTY, &tty);
+ (void)pam_get_item(pamh, PAM_RHOST, &rhost);
if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) {
pam_syslog(pamh, LOG_ERR, "Error translating default context.");
default_raw = NULL;
@@ -110,7 +113,7 @@ int send_audit_message(pam_handle_t *pamh, int success, security_context_t defau
goto out;
}
if (audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE,
- msg, NULL, NULL, NULL, success) <= 0) {
+ msg, rhost, NULL, tty, success) <= 0) {
pam_syslog(pamh, LOG_ERR, "Error sending audit message.");
goto out;
}
diff --git a/modules/pam_tally2/pam_tally2.c b/modules/pam_tally2/pam_tally2.c
index d3d6779..09e8585 100644
--- a/modules/pam_tally2/pam_tally2.c
+++ b/modules/pam_tally2/pam_tally2.c
@@ -509,6 +509,7 @@ tally_check (tally_t oldcnt, time_t oldtime, pam_handle_t *pamh, uid_t uid,
#ifdef HAVE_LIBAUDIT
char buf[64];
int audit_fd = -1;
+ const void *rhost = NULL, *tty = NULL;
#endif
if ((opts->ctrl & OPT_MAGIC_ROOT) && getuid() == 0) {
@@ -521,6 +522,8 @@ tally_check (tally_t oldcnt, time_t oldtime, pam_handle_t *pamh, uid_t uid,
if ((audit_fd < 0) && !(errno == EINVAL || errno == EPROTONOSUPPORT ||
errno == EAFNOSUPPORT))
return PAM_SYSTEM_ERR;
+ (void)pam_get_item(pamh, PAM_TTY, &tty);
+ (void)pam_get_item(pamh, PAM_RHOST, &rhost);
#endif
if (opts->deny != 0 && /* deny==0 means no deny */
tally->fail_cnt > opts->deny && /* tally>deny means exceeded */
@@ -530,7 +533,7 @@ tally_check (tally_t oldcnt, time_t oldtime, pam_handle_t *pamh, uid_t uid,
/* First say that max number was hit. */
snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid);
audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf,
- NULL, NULL, NULL, 1);
+ rhost, NULL, tty, 1);
}
#endif
if (uid) {
@@ -541,7 +544,7 @@ tally_check (tally_t oldcnt, time_t oldtime, pam_handle_t *pamh, uid_t uid,
#ifdef HAVE_LIBAUDIT
snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid);
audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
- NULL, NULL, NULL, 1);
+ rhost, NULL, tty, 1);
#endif
rv = PAM_SUCCESS;
goto cleanup;
@@ -555,7 +558,7 @@ tally_check (tally_t oldcnt, time_t oldtime, pam_handle_t *pamh, uid_t uid,
#ifdef HAVE_LIBAUDIT
snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid);
audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
- NULL, NULL, NULL, 1);
+ rhost, NULL, tty, 1);
#endif
rv = PAM_SUCCESS;
goto cleanup;
@@ -567,7 +570,7 @@ tally_check (tally_t oldcnt, time_t oldtime, pam_handle_t *pamh, uid_t uid,
if (tally->fail_cnt == opts->deny+1) {
/* First say that max number was hit. */
audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf,
- NULL, NULL, NULL, 1);
+ rhost, NULL, tty, 1);
}
#endif
@@ -996,7 +999,7 @@ main( int argc UNUSED, char **argv )
int audit_fd = audit_open();
snprintf(buf, sizeof(buf), "pam_tally2 uid=%u reset=%hu", uid, cline_reset);
audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
- buf, NULL, NULL, NULL, 1);
+ buf, NULL, NULL, ttyname(STDIN_FILENO), 1);
if (audit_fd >=0)
close(audit_fd);
#endif
@@ -1041,7 +1044,7 @@ main( int argc UNUSED, char **argv )
int audit_fd = audit_open();
snprintf(buf, sizeof(buf), "pam_tally2 uid=all reset=0");
audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
- buf, NULL, NULL, NULL, 1);
+ buf, NULL, NULL, ttyname(STDIN_FILENO), 1);
if (audit_fd >=0)
close(audit_fd);
#endif
11 years, 7 months
- 1
- 0
[linux-pam] Update configure.in to use more recent interfaces.
by Tomáš Mráz
commit c027252aac0be2fb1696ac9028458fed220b0be3
Author: Tomas Mraz <tmraz(a)fedoraproject.org>
Date: Thu Sep 6 14:47:59 2012 +0200
Update configure.in to use more recent interfaces.
configure.in: Use LT_INIT instead of AC_PROG_LIBTOOL and AS_HELP_STRING instead
of AC_HELP_STRING.
configure.in | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
---
diff --git a/configure.in b/configure.in
index ae762a2..515b301 100644
--- a/configure.in
+++ b/configure.in
@@ -3,7 +3,8 @@ AC_INIT
AC_CONFIG_SRCDIR([conf/pam_conv1/pam_conv_y.y])
AC_CONFIG_AUX_DIR([build-aux])
AM_INIT_AUTOMAKE("Linux-PAM", 1.1.6)
-AC_PREREQ(2.61)
+LT_INIT([disable-static])
+AC_PREREQ([2.61])
AC_CONFIG_HEADERS([config.h])
AC_CONFIG_MACRO_DIR([m4])
AC_CANONICAL_HOST
@@ -82,7 +83,6 @@ AM_PROG_LEX
AC_PROG_INSTALL
AC_PROG_LN_S
AC_PROG_MAKE_SET
-AC_PROG_LIBTOOL
AM_PROG_CC_C_O
PAM_LD_AS_NEEDED
PAM_LD_NO_UNDEFINED
@@ -532,7 +532,7 @@ AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no])
AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes])
AC_ARG_ENABLE([regenerate-docu],
- AC_HELP_STRING([--disable-regenerate-docu], [Don't re-build documentation from XML souces]),
+ AS_HELP_STRING([--disable-regenerate-docu],[Don't re-build documentation from XML sources]),
[enable_docu=$enableval], [enable_docu=yes])
dnl
dnl Check for xsltproc
11 years, 7 months
- 1
- 0
- ← Newer
- 1
- Older →