authorRobert Ancell <robert.ancell@canonical.com>2015-09-16 13:31:44 -0400
committerRobert Ancell <robert.ancell@canonical.com>2015-09-16 13:31:44 -0400
commit15ba72574090648c628ed6406ca315423a1a3f14 (patch)
treec9c46d3aa40deb542085047c40c2bb52afdf24c8
parent520f38d716c028618e434fb243d61ba59b4dcbc1 (diff)
downloadlightdm-git-15ba72574090648c628ed6406ca315423a1a3f14.tar.gz
Use libaudit to generate audit events
-rw-r--r--configure.ac17
-rw-r--r--debian/control1
-rw-r--r--debian/lightdm.lightdm-autologin.pam1
-rw-r--r--debian/lightdm.pam1
-rw-r--r--src/session-child.c33
5 files changed, 53 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac
index dfeca928..f9f6ebef 100644
--- a/configure.ac
+++ b/configure.ac
@@ -147,6 +147,23 @@ if test x"$enable_liblightdm_qt5" != "xno"; then
fi
AM_CONDITIONAL(COMPILE_LIBLIGHTDM_QT5, test x"$compile_liblightdm_qt5" != "xno")
+AC_ARG_ENABLE([audit],
+ AS_HELP_STRING([--enable-audit],
+ [Enable audit logging of login and logout events [[default=auto]]]),
+ [enable_audit=$enableval],
+ [enable_audit=auto])
+if test x"$enable_audit" != "xno"; then
+ AC_CHECK_LIB([audit], [audit_log_user_message],
+ [AC_DEFINE(HAVE_LIBAUDIT, 1, [libaudit support])
+ LIGHTDM_LIBS="${LIGHTDM_LIBS} -laudit"
+ ],
+ [if test "x$enable_audit" != xauto; then
+ AC_MSG_FAILURE(
+ [--enable-audit was given, but test for libaudit failed])
+ fi
+ ])
+fi
+
AC_MSG_CHECKING(whether to build tests)
AC_ARG_ENABLE(tests,
AS_HELP_STRING([--disable-tests], [Disable tests building]),
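Review bot: The `AC_CHECK_LIB` probe tests for `audit_log_user_message`, but the function this commit calls in src/session-child.c is `audit_log_acct_message`, and nothing checks that `libaudit.h` is installed. Probing the symbol that is actually used, `AC_CHECK_LIB([audit], [audit_log_acct_message],`, and adding an `AC_CHECK_HEADER([libaudit.h], ...)` test would stop `HAVE_LIBAUDIT` from being defined on a system where the compile then fails. With `default=auto`, a missing library silently yields a build that writes no audit records, so the result is worth printing in the configure summary if one exists outside this hunk.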
diff --git a/debian/control b/debian/control
index 3edf0812..11694c20 100644
--- a/debian/control
+++ b/debian/control
@@ -24,6 +24,7 @@ Build-Depends: debhelper (>= 7.0.50~),
gtk-doc-tools,
yelp-tools,
dbus,
+ libaudit-dev
Homepage: https://launchpad.net/lightdm
# If you aren't a member of ~lightdm-team but need to upload packaging changes,
# just go ahead. ~lightdm-team will notice and sync up the code again.
diff --git a/debian/lightdm.lightdm-autologin.pam b/debian/lightdm.lightdm-autologin.pam
index d38e7a83..f42a4f47 100644
--- a/debian/lightdm.lightdm-autologin.pam
+++ b/debian/lightdm.lightdm-autologin.pam
@@ -3,6 +3,7 @@ auth requisite pam_nologin.so
auth required pam_permit.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session required pam_loginuid.so
session required pam_limits.so
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
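Review bot: The added `session required pam_loginuid.so` line has no comment, and because it is `required`, a failure of that module fails session setup for every login through this stack. I would put `# Set the loginuid process attribute so audit records are tied to the login user` above it. It is also worth confirming that `required` is the intended policy on hosts where the kernel audit subsystem is unavailable, such as containers. The same line is added without a comment in debian/lightdm.pam.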
diff --git a/debian/lightdm.pam b/debian/lightdm.pam
index 9bc58b52..c97f2ad6 100644
--- a/debian/lightdm.pam
+++ b/debian/lightdm.pam
@@ -6,6 +6,7 @@ auth optional pam_gnome_keyring.so
auth optional pam_kwallet.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session required pam_loginuid.so
session required pam_limits.so
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
diff --git a/src/session-child.c b/src/session-child.c
index bd55f33f..1609274a 100644
--- a/src/session-child.c
+++ b/src/session-child.c
@@ -16,6 +16,7 @@
#include <utmp.h>
#include <utmpx.h>
#include <sys/mman.h>
+#include <libaudit.h>
#include "configuration.h"
#include "session-child.h"
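Review bot: `#include <libaudit.h>` is unconditional, although configure.ac makes libaudit optional and only the body of `audit_event` is wrapped in `#if HAVE_LIBAUDIT`. A build with `--disable-audit`, or on a system without the header, would stop at this line. Guard it with `#if HAVE_LIBAUDIT` / `#include <libaudit.h>` / `#endif`. The three call sites added in `session_child_run` also pass `AUDIT_USER_LOGIN` and `AUDIT_USER_LOGOUT` outside any guard, so they need the same guard or fallback definitions of those constants.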
@@ -220,6 +221,32 @@ updwtmpx (const gchar *wtmp_file, struct utmpx *ut)
updwtmp (wtmp_file, &u);
}
+static void
+audit_event (int type, const gchar *username, uid_t uid, const gchar *remote_host_name, const gchar *tty, gboolean success)
+{
+#if HAVE_LIBAUDIT
+ int auditfd, result;
+ const char *op = NULL;
+
+ auditfd = audit_open ();
+ if (auditfd < 0) {
+ g_printerr ("Error opening audit socket: %s\n", strerror (errno));
+ return;
+ }
+
+ if (type == AUDIT_USER_LOGIN)
+ op = "login";
+ else if (type == AUDIT_USER_LOGOUT)
+ op = "logout";
+ result = success == TRUE ? 1 : 0;
+
+ if (audit_log_acct_message (auditfd, type, NULL, op, username, uid, remote_host_name, NULL, tty, result) <= 0)
+ g_printerr ("Error writing audit message: %s\n", strerror (errno));
+
+ close (auditfd);
+#endif
+}
+
int
session_child_run (int argc, char **argv)
{
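Review bot: In `audit_event`, every `audit_open ()` failure is reported as an error, so a kernel without audit support would print "Error opening audit socket" on each login and logout. With `default=auto` in configure.ac, that affects any build where the library is merely present. Callers of libaudit conventionally treat `EINVAL`, `EPROTONOSUPPORT` and `EAFNOSUPPORT` from `audit_open` as "audit not available" and return quietly. The descriptor is also better released with `audit_close ()`, the library's counterpart to `audit_open ()`, than with a bare `close ()`. A short comment above the function should say that it is best-effort: a failed audit write is only printed and does not stop the login.

```c
    auditfd = audit_open ();
    if (auditfd < 0) {
        /* Kernel without audit support: nothing to record, not an error */
        if (errno == EINVAL || errno == EPROTONOSUPPORT || errno == EAFNOSUPPORT)
            return;
        g_printerr ("Error opening audit socket: %s\n", strerror (errno));
        return;
    }
    /* … unchanged: op/result selection and audit_log_acct_message call … */
    audit_close (auditfd);
```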
@@ -386,6 +413,8 @@ session_child_run (int argc, char **argv)
ut.ut_tv.tv_usec = tv.tv_usec;
updwtmpx ("/var/log/btmp", &ut);
+
+ audit_event (AUDIT_USER_LOGIN, username, -1, remote_host_name, tty, FALSE);
}
/* Check account is valid */
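Review bot: The failed-login call passes a bare `-1` for the `uid_t` parameter and records `username` exactly as it was supplied, and neither choice is explained. I would write the sentinel as `(uid_t) -1` and add a comment such as `/* uid is unknown on failure; the supplied account name is logged as-is */`. That tells readers of the audit trail that the name on a failed attempt may not be a real account. The code that sets `username` is outside this hunk, so confirm it cannot be NULL on this path. `session_child_run` starts and continues outside the hunk.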
@@ -701,6 +730,8 @@ session_child_run (int argc, char **argv)
g_printerr ("Failed to write utmpx: %s\n", strerror (errno));
endutxent ();
updwtmpx ("/var/log/wtmp", &ut);
+
+ audit_event (AUDIT_USER_LOGIN, username, uid, remote_host_name, tty, TRUE);
}
waitpid (child_pid, &return_code, 0);
@@ -737,6 +768,8 @@ session_child_run (int argc, char **argv)
g_printerr ("Failed to write utmpx: %s\n", strerror (errno));
endutxent ();
updwtmpx ("/var/log/wtmp", &ut);
+
+ audit_event (AUDIT_USER_LOGOUT, username, uid, remote_host_name, tty, TRUE);
}
}