diff options
author | Beniamino Galvani <bgalvani@redhat.com> | 2016-04-20 12:10:55 +0200 |
---|---|---|
committer | Beniamino Galvani <bgalvani@redhat.com> | 2016-04-20 17:31:01 +0200 |
commit | 34964273ee5f808eae601e32cb23275a8988e3e1 (patch) | |
tree | d75538a45fd4d141c7d9de5df6ed2f31fe53d5df /src/settings/nm-settings-connection.c | |
parent | 22c11f8ef1529b2858c4946b2c666cca79908ef7 (diff) | |
download | NetworkManager-34964273ee5f808eae601e32cb23275a8988e3e1.tar.gz |
audit: log changed properties when updating a connection
The main purpose of audit logging is to understand who did what to the
system configuration, so it is useful to log also the list of changed
properties when a connection is updated:
op="connection-update"
uuid="2f3e48fc-5f47-41d9-9278-d2871378df43"
name="pppoe1"
args="pppoe.username,pppoe.password" <========
pid=9523
uid=1001
result="success"
Diffstat (limited to 'src/settings/nm-settings-connection.c')
-rw-r--r-- | src/settings/nm-settings-connection.c | 64 |
1 files changed, 56 insertions, 8 deletions
diff --git a/src/settings/nm-settings-connection.c b/src/settings/nm-settings-connection.c index 26d1be63cb..55b3d38239 100644 --- a/src/settings/nm-settings-connection.c +++ b/src/settings/nm-settings-connection.c @@ -1527,6 +1527,7 @@ typedef struct { NMAuthSubject *subject; NMConnection *new_settings; gboolean save_to_disk; + char *audit_args; } UpdateInfo; typedef struct { @@ -1598,12 +1599,13 @@ update_complete (NMSettingsConnection *self, else g_dbus_method_invocation_return_value (info->context, NULL); - nm_audit_log_connection_op (NM_AUDIT_OP_CONN_UPDATE, self, !error, + nm_audit_log_connection_op (NM_AUDIT_OP_CONN_UPDATE, self, !error, info->audit_args, info->subject, error ? error->message : NULL); g_clear_object (&info->subject); g_clear_object (&info->agent_mgr); g_clear_object (&info->new_settings); + g_free (info->audit_args); memset (info, 0, sizeof (*info)); g_free (info); } @@ -1635,6 +1637,49 @@ con_update_cb (NMSettingsConnection *self, update_complete (self, info, error); } +static char * +con_list_changed_props (NMConnection *old, NMConnection *new) +{ + gs_unref_hashtable GHashTable *diff = NULL; + GHashTable *setting_diff; + char *setting_name, *prop_name; + GHashTableIter iter, iter2; + gboolean same; + GString *str; + + same = nm_connection_diff (old, new, + NM_SETTING_COMPARE_FLAG_EXACT | + NM_SETTING_COMPARE_FLAG_DIFF_RESULT_NO_DEFAULT, + &diff); + + if (same || !diff) + return NULL; + + str = g_string_sized_new (32); + g_hash_table_iter_init (&iter, diff); + + while (g_hash_table_iter_next (&iter, + (gpointer *) &setting_name, + (gpointer *) &setting_diff)) { + if (!setting_diff) + continue; + + g_hash_table_iter_init (&iter2, setting_diff); + + while (g_hash_table_iter_next (&iter2, (gpointer *) &prop_name, NULL)) { + g_string_append (str, setting_name); + g_string_append_c (str, '.'); + g_string_append (str, prop_name); + g_string_append_c (str, ','); + } + } + + if (str->len) + str->str[str->len - 1] = '\0'; + + return g_string_free (str, FALSE); +} + static void update_auth_cb (NMSettingsConnection *self, GDBusMethodInvocation *context, @@ -1664,6 +1709,9 @@ update_auth_cb (NMSettingsConnection *self, update_agent_secrets_cache (self, info->new_settings); } + if (nm_audit_manager_audit_enabled (nm_audit_manager_get ())) + info->audit_args = con_list_changed_props (NM_CONNECTION (self), info->new_settings); + if (info->save_to_disk) { nm_settings_connection_replace_and_commit (self, info->new_settings, @@ -1767,7 +1815,7 @@ settings_connection_update_helper (NMSettingsConnection *self, return; error: - nm_audit_log_connection_op (NM_AUDIT_OP_CONN_UPDATE, self, FALSE, subject, + nm_audit_log_connection_op (NM_AUDIT_OP_CONN_UPDATE, self, FALSE, NULL, subject, error->message); g_clear_object (&tmp); @@ -1816,7 +1864,7 @@ con_delete_cb (NMSettingsConnection *self, g_dbus_method_invocation_return_value (info->context, NULL); nm_audit_log_connection_op (NM_AUDIT_OP_CONN_DELETE, self, - !error, info->subject, error ? error->message : NULL); + !error, NULL, info->subject, error ? error->message : NULL); g_free (info); } @@ -1830,7 +1878,7 @@ delete_auth_cb (NMSettingsConnection *self, CallbackInfo *info; if (error) { - nm_audit_log_connection_op (NM_AUDIT_OP_CONN_DELETE, self, FALSE, subject, + nm_audit_log_connection_op (NM_AUDIT_OP_CONN_DELETE, self, FALSE, NULL, subject, error->message); g_dbus_method_invocation_return_gerror (context, error); return; @@ -1879,7 +1927,7 @@ impl_settings_connection_delete (NMSettingsConnection *self, return; out_err: - nm_audit_log_connection_op (NM_AUDIT_OP_CONN_DELETE, self, FALSE, subject, error->message); + nm_audit_log_connection_op (NM_AUDIT_OP_CONN_DELETE, self, FALSE, NULL, subject, error->message); g_dbus_method_invocation_take_error (context, error); } @@ -1972,7 +2020,7 @@ clear_secrets_cb (NMSettingsConnection *self, g_dbus_method_invocation_return_value (info->context, NULL); nm_audit_log_connection_op (NM_AUDIT_OP_CONN_CLEAR_SECRETS, self, - !error, info->subject, error ? error->message : NULL); + !error, NULL, info->subject, error ? error->message : NULL); g_free (info); } @@ -1989,7 +2037,7 @@ dbus_clear_secrets_auth_cb (NMSettingsConnection *self, if (error) { g_dbus_method_invocation_return_gerror (context, error); nm_audit_log_connection_op (NM_AUDIT_OP_CONN_CLEAR_SECRETS, self, - FALSE, subject, error->message); + FALSE, NULL, subject, error->message); } else { /* Clear secrets in connection and caches */ nm_connection_clear_secrets (NM_CONNECTION (self)); @@ -2029,7 +2077,7 @@ impl_settings_connection_clear_secrets (NMSettingsConnection *self, g_object_unref (subject); } else { nm_audit_log_connection_op (NM_AUDIT_OP_CONN_CLEAR_SECRETS, self, - FALSE, NULL, error->message); + FALSE, NULL, NULL, error->message); g_dbus_method_invocation_take_error (context, error); } } |