diff options
author | Beniamino Galvani <bgalvani@redhat.com> | 2016-04-20 12:10:55 +0200 |
---|---|---|
committer | Beniamino Galvani <bgalvani@redhat.com> | 2016-04-20 17:31:01 +0200 |
commit | 34964273ee5f808eae601e32cb23275a8988e3e1 (patch) | |
tree | d75538a45fd4d141c7d9de5df6ed2f31fe53d5df | |
parent | 22c11f8ef1529b2858c4946b2c666cca79908ef7 (diff) | |
download | NetworkManager-34964273ee5f808eae601e32cb23275a8988e3e1.tar.gz |
audit: log changed properties when updating a connection
The main purpose of audit logging is to understand who did what to the
system configuration, so it is useful to log also the list of changed
properties when a connection is updated:
op="connection-update"
uuid="2f3e48fc-5f47-41d9-9278-d2871378df43"
name="pppoe1"
args="pppoe.username,pppoe.password" <========
pid=9523
uid=1001
result="success"
-rw-r--r-- | src/nm-audit-manager.c | 9 | ||||
-rw-r--r-- | src/nm-audit-manager.h | 7 | ||||
-rw-r--r-- | src/nm-manager.c | 14 | ||||
-rw-r--r-- | src/settings/nm-settings-connection.c | 64 | ||||
-rw-r--r-- | src/settings/nm-settings.c | 4 |
5 files changed, 78 insertions, 20 deletions
diff --git a/src/nm-audit-manager.c b/src/nm-audit-manager.c index 728575f663..7096e81934 100644 --- a/src/nm-audit-manager.c +++ b/src/nm-audit-manager.c @@ -233,10 +233,10 @@ nm_audit_manager_audit_enabled (NMAuditManager *self) void _nm_audit_manager_log_connection_op (NMAuditManager *self, const char *file, guint line, const char *func, const char *op, NMSettingsConnection *connection, - gboolean result, gpointer subject_context, const char *reason) + gboolean result, const char *args, gpointer subject_context, const char *reason) { gs_unref_ptrarray GPtrArray *fields = NULL; - AuditField uuid_field = { }, name_field = { }; + AuditField uuid_field = { }, name_field = { }, args_field = { }; g_return_if_fail (op); @@ -252,6 +252,11 @@ _nm_audit_manager_log_connection_op (NMAuditManager *self, const char *file, gui g_ptr_array_add (fields, &name_field); } + if (args) { + _audit_field_init_string (&args_field, "args", args, FALSE, BACKEND_ALL); + g_ptr_array_add (fields, &args_field); + } + _audit_log_helper (self, fields, file, line, func, op, result, subject_context, reason); } diff --git a/src/nm-audit-manager.h b/src/nm-audit-manager.h index ed53be6921..ecf581efed 100644 --- a/src/nm-audit-manager.h +++ b/src/nm-audit-manager.h @@ -67,13 +67,13 @@ GType nm_audit_manager_get_type (void); NMAuditManager *nm_audit_manager_get (void); gboolean nm_audit_manager_audit_enabled (NMAuditManager *self); -#define nm_audit_log_connection_op(op, connection, result, subject_context, reason) \ +#define nm_audit_log_connection_op(op, connection, result, args, subject_context, reason) \ G_STMT_START { \ NMAuditManager *_audit = nm_audit_manager_get (); \ \ if (nm_audit_manager_audit_enabled (_audit)) { \ _nm_audit_manager_log_connection_op (_audit, __FILE__, __LINE__, G_STRFUNC, \ - (op), (connection), (result), (subject_context), \ + (op), (connection), (result), (args), (subject_context), \ (reason)); \ } \ } G_STMT_END @@ -100,7 +100,8 @@ gboolean nm_audit_manager_audit_enabled (NMAuditManager *self); void _nm_audit_manager_log_connection_op (NMAuditManager *self, const char *file, guint line, const char *func, const char *op, NMSettingsConnection *connection, - gboolean result, gpointer subject_context, const char *reason); + gboolean result, const char *args, gpointer subject_context, + const char *reason); void _nm_audit_manager_log_control_op (NMAuditManager *self, const char *file, guint line, const char *func, const char *op, const char *arg, diff --git a/src/nm-manager.c b/src/nm-manager.c index 149f6d7118..1cc5b4a987 100644 --- a/src/nm-manager.c +++ b/src/nm-manager.c @@ -3304,7 +3304,7 @@ _activation_auth_done (NMActiveConnection *active, g_dbus_method_invocation_return_value (context, g_variant_new ("(o)", nm_exported_object_get_path (NM_EXPORTED_OBJECT (active)))); - nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ACTIVATE, connection, TRUE, + nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ACTIVATE, connection, TRUE, NULL, subject, NULL); g_object_unref (active); return; @@ -3316,7 +3316,7 @@ _activation_auth_done (NMActiveConnection *active, } g_assert (error); - nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ACTIVATE, connection, FALSE, + nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ACTIVATE, connection, FALSE, NULL, subject, error->message); _internal_activation_failed (self, active, error->message); @@ -3404,7 +3404,7 @@ impl_manager_activate_connection (NMManager *self, error: if (connection) { - nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ACTIVATE, connection, FALSE, + nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ACTIVATE, connection, FALSE, NULL, subject, error->message); } g_clear_object (&active); @@ -3453,6 +3453,7 @@ activation_add_done (NMSettings *settings, nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ADD_ACTIVATE, nm_active_connection_get_settings_connection (active), TRUE, + NULL, nm_active_connection_get_subject (active), NULL); return; @@ -3467,6 +3468,7 @@ activation_add_done (NMSettings *settings, nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ADD_ACTIVATE, NULL, FALSE, + NULL, nm_active_connection_get_subject (active), error->message); g_clear_error (&local); @@ -3511,6 +3513,7 @@ _add_and_activate_auth_done (NMActiveConnection *active, nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ADD_ACTIVATE, NULL, FALSE, + NULL, nm_active_connection_get_subject (active), error->message); g_dbus_method_invocation_take_error (context, error); @@ -3612,7 +3615,7 @@ impl_manager_add_and_activate_connection (NMManager *self, return; error: - nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ADD_ACTIVATE, NULL, FALSE, subject, error->message); + nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ADD_ACTIVATE, NULL, FALSE, NULL, subject, error->message); g_clear_object (&connection); g_slist_free (all_connections); g_clear_object (&subject); @@ -3708,6 +3711,7 @@ deactivate_net_auth_done_cb (NMAuthChain *chain, nm_audit_log_connection_op (NM_AUDIT_OP_CONN_DEACTIVATE, nm_active_connection_get_settings_connection (active), !error, + NULL, nm_auth_chain_get_subject (chain), error ? error->message : NULL); } @@ -3781,7 +3785,7 @@ impl_manager_deactivate_connection (NMManager *self, done: if (error) { if (connection) { - nm_audit_log_connection_op (NM_AUDIT_OP_CONN_DEACTIVATE, connection, FALSE, + nm_audit_log_connection_op (NM_AUDIT_OP_CONN_DEACTIVATE, connection, FALSE, NULL, subject, error->message); } g_dbus_method_invocation_take_error (context, error); diff --git a/src/settings/nm-settings-connection.c b/src/settings/nm-settings-connection.c index 26d1be63cb..55b3d38239 100644 --- a/src/settings/nm-settings-connection.c +++ b/src/settings/nm-settings-connection.c @@ -1527,6 +1527,7 @@ typedef struct { NMAuthSubject *subject; NMConnection *new_settings; gboolean save_to_disk; + char *audit_args; } UpdateInfo; typedef struct { @@ -1598,12 +1599,13 @@ update_complete (NMSettingsConnection *self, else g_dbus_method_invocation_return_value (info->context, NULL); - nm_audit_log_connection_op (NM_AUDIT_OP_CONN_UPDATE, self, !error, + nm_audit_log_connection_op (NM_AUDIT_OP_CONN_UPDATE, self, !error, info->audit_args, info->subject, error ? error->message : NULL); g_clear_object (&info->subject); g_clear_object (&info->agent_mgr); g_clear_object (&info->new_settings); + g_free (info->audit_args); memset (info, 0, sizeof (*info)); g_free (info); } @@ -1635,6 +1637,49 @@ con_update_cb (NMSettingsConnection *self, update_complete (self, info, error); } +static char * +con_list_changed_props (NMConnection *old, NMConnection *new) +{ + gs_unref_hashtable GHashTable *diff = NULL; + GHashTable *setting_diff; + char *setting_name, *prop_name; + GHashTableIter iter, iter2; + gboolean same; + GString *str; + + same = nm_connection_diff (old, new, + NM_SETTING_COMPARE_FLAG_EXACT | + NM_SETTING_COMPARE_FLAG_DIFF_RESULT_NO_DEFAULT, + &diff); + + if (same || !diff) + return NULL; + + str = g_string_sized_new (32); + g_hash_table_iter_init (&iter, diff); + + while (g_hash_table_iter_next (&iter, + (gpointer *) &setting_name, + (gpointer *) &setting_diff)) { + if (!setting_diff) + continue; + + g_hash_table_iter_init (&iter2, setting_diff); + + while (g_hash_table_iter_next (&iter2, (gpointer *) &prop_name, NULL)) { + g_string_append (str, setting_name); + g_string_append_c (str, '.'); + g_string_append (str, prop_name); + g_string_append_c (str, ','); + } + } + + if (str->len) + str->str[str->len - 1] = '\0'; + + return g_string_free (str, FALSE); +} + static void update_auth_cb (NMSettingsConnection *self, GDBusMethodInvocation *context, @@ -1664,6 +1709,9 @@ update_auth_cb (NMSettingsConnection *self, update_agent_secrets_cache (self, info->new_settings); } + if (nm_audit_manager_audit_enabled (nm_audit_manager_get ())) + info->audit_args = con_list_changed_props (NM_CONNECTION (self), info->new_settings); + if (info->save_to_disk) { nm_settings_connection_replace_and_commit (self, info->new_settings, @@ -1767,7 +1815,7 @@ settings_connection_update_helper (NMSettingsConnection *self, return; error: - nm_audit_log_connection_op (NM_AUDIT_OP_CONN_UPDATE, self, FALSE, subject, + nm_audit_log_connection_op (NM_AUDIT_OP_CONN_UPDATE, self, FALSE, NULL, subject, error->message); g_clear_object (&tmp); @@ -1816,7 +1864,7 @@ con_delete_cb (NMSettingsConnection *self, g_dbus_method_invocation_return_value (info->context, NULL); nm_audit_log_connection_op (NM_AUDIT_OP_CONN_DELETE, self, - !error, info->subject, error ? error->message : NULL); + !error, NULL, info->subject, error ? error->message : NULL); g_free (info); } @@ -1830,7 +1878,7 @@ delete_auth_cb (NMSettingsConnection *self, CallbackInfo *info; if (error) { - nm_audit_log_connection_op (NM_AUDIT_OP_CONN_DELETE, self, FALSE, subject, + nm_audit_log_connection_op (NM_AUDIT_OP_CONN_DELETE, self, FALSE, NULL, subject, error->message); g_dbus_method_invocation_return_gerror (context, error); return; @@ -1879,7 +1927,7 @@ impl_settings_connection_delete (NMSettingsConnection *self, return; out_err: - nm_audit_log_connection_op (NM_AUDIT_OP_CONN_DELETE, self, FALSE, subject, error->message); + nm_audit_log_connection_op (NM_AUDIT_OP_CONN_DELETE, self, FALSE, NULL, subject, error->message); g_dbus_method_invocation_take_error (context, error); } @@ -1972,7 +2020,7 @@ clear_secrets_cb (NMSettingsConnection *self, g_dbus_method_invocation_return_value (info->context, NULL); nm_audit_log_connection_op (NM_AUDIT_OP_CONN_CLEAR_SECRETS, self, - !error, info->subject, error ? error->message : NULL); + !error, NULL, info->subject, error ? error->message : NULL); g_free (info); } @@ -1989,7 +2037,7 @@ dbus_clear_secrets_auth_cb (NMSettingsConnection *self, if (error) { g_dbus_method_invocation_return_gerror (context, error); nm_audit_log_connection_op (NM_AUDIT_OP_CONN_CLEAR_SECRETS, self, - FALSE, subject, error->message); + FALSE, NULL, subject, error->message); } else { /* Clear secrets in connection and caches */ nm_connection_clear_secrets (NM_CONNECTION (self)); @@ -2029,7 +2077,7 @@ impl_settings_connection_clear_secrets (NMSettingsConnection *self, g_object_unref (subject); } else { nm_audit_log_connection_op (NM_AUDIT_OP_CONN_CLEAR_SECRETS, self, - FALSE, NULL, error->message); + FALSE, NULL, NULL, error->message); g_dbus_method_invocation_take_error (context, error); } } diff --git a/src/settings/nm-settings.c b/src/settings/nm-settings.c index 758a6c02d6..ee6e4f8078 100644 --- a/src/settings/nm-settings.c +++ b/src/settings/nm-settings.c @@ -1373,12 +1373,12 @@ impl_settings_add_connection_add_cb (NMSettings *self, { if (error) { g_dbus_method_invocation_return_gerror (context, error); - nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ADD, NULL, FALSE, subject, error->message); + nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ADD, NULL, FALSE, NULL, subject, error->message); } else { g_dbus_method_invocation_return_value ( context, g_variant_new ("(o)", nm_connection_get_path (NM_CONNECTION (connection)))); - nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ADD, connection, TRUE, + nm_audit_log_connection_op (NM_AUDIT_OP_CONN_ADD, connection, TRUE, NULL, subject, NULL); } } |