author | Robert Ancell <robert.ancell@canonical.com> | 2015-09-07 16:28:48 +1200 |
---|---|---|
committer | Robert Ancell <robert.ancell@canonical.com> | 2015-09-07 16:28:48 +1200 |
commit | 5033cab2f56d5ee1ea9f789f6fe59dd99b7d6e12 (patch) | |
tree | bd67358c68d8091ddc5764c8bb8a3d8b1d805309 | |
parent | 450ddaa2abfdaa9e5b02b64d8818303ff7400ed4 (diff) | |
parent | 8fe51939ad74f86f7d2e7256d01cb46bd6e5b403 (diff) | |
download | lightdm-5033cab2f56d5ee1ea9f789f6fe59dd99b7d6e12.tar.gz |
Use libaudit to generate audit events
-rw-r--r-- | configure.ac | 17 | ||||
-rw-r--r-- | debian/control | 1 | ||||
-rw-r--r-- | debian/lightdm.lightdm-autologin.pam | 1 | ||||
-rw-r--r-- | debian/lightdm.pam | 1 | ||||
-rw-r--r-- | src/session-child.c | 33 |
5 files changed, 53 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac
index a85846aa..27a0e096 100644
--- a/configure.ac
+++ b/configure.ac
@@ -129,6 +129,23 @@ if test x"$enable_liblightdm_qt5" != "xno"; then
 fi
 AM_CONDITIONAL(COMPILE_LIBLIGHTDM_QT5, test x"$compile_liblightdm_qt5" != "xno")
+AC_ARG_ENABLE([audit],
+ AS_HELP_STRING([--enable-audit],
+ [Enable audit logging of login and logout events [[default=auto]]]),
+ [enable_audit=$enableval],
+ [enable_audit=auto])
+if test x"$enable_audit" != "xno"; then
+ AC_CHECK_LIB([audit], [audit_log_user_message],
+ [AC_DEFINE(HAVE_LIBAUDIT, 1, [libaudit support])
+ LIGHTDM_LIBS="${LIGHTDM_LIBS} -laudit"
+ ],
+ [if test "x$enable_audit" != xauto; then
+ AC_MSG_FAILURE(
+ [--enable-audit was given, but test for libaudit failed])
+ fi
+ ])
+fi
+
 AC_MSG_CHECKING(whether to build tests)
 AC_ARG_ENABLE(tests, AS_HELP_STRING([--disable-tests], [Disable tests building]),
diff --git a/debian/control b/debian/control
index ba8f485d..d12b24c0 100644
--- a/debian/control
+++ b/debian/control
@@ -27,6 +27,7 @@ Build-Depends: debhelper (>= 9),
 gtk-doc-tools,
 yelp-tools,
 dbus,
+ libaudit-dev
 Homepage: https://launchpad.net/lightdm
 # If you aren't a member of ~lightdm-team but need to upload packaging changes,
 # just go ahead. ~lightdm-team will notice and sync up the code again.
diff --git a/debian/lightdm.lightdm-autologin.pam b/debian/lightdm.lightdm-autologin.pam
index d38e7a83..f42a4f47 100644
--- a/debian/lightdm.lightdm-autologin.pam
+++ b/debian/lightdm.lightdm-autologin.pam
@@ -3,6 +3,7 @@ auth requisite pam_nologin.so
 auth required pam_permit.so
 @include common-account
 session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session required pam_loginuid.so
 session required pam_limits.so
 @include common-session
 session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
diff --git a/debian/lightdm.pam b/debian/lightdm.pam
index cf564db0..821a2a64 100644
--- a/debian/lightdm.pam
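Review bot: The AC_CHECK_LIB probe in the configure.ac hunk tests for `audit_log_user_message`, while src/session-child.c in this same commit calls `audit_log_acct_message`, so the check does not prove the symbol the code actually links against; probing the function in use, `AC_CHECK_LIB([audit], [audit_log_acct_message],`, keeps the result honest. With the `auto` default a missing libaudit silently drops the login/logout audit trail, which is a security feature a packager would want to notice; an AC_MSG_NOTICE in the not-found branch, or a line in the configure summary, would make the silent downgrade visible.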
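Review bot: `libaudit-dev` is added to Build-Depends without an architecture qualifier, but libaudit is Linux-specific (it talks to the kernel audit subsystem); if this package is also built on non-Linux Debian ports, the dependency would presumably need to be `libaudit-dev [linux-any]`, with configure's auto default then disabling audit there. Please confirm against the set of architectures the package targets.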
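Review bot: `session required pam_loginuid.so` is added with the `required` control, so a failure to set the login UID turns into a failed session open — fail-closed for the audit trail, but also a login failure wherever the kernel has no audit support or /proc/self/loginuid cannot be written, which is the usual situation in containers. Whether that fail-closed behaviour is intended should be stated, either in the commit message or in a comment next to the line such as `# required: a session without a loginuid would be invisible to audit`. The placement after the `pam_selinux.so close` line and before `pam_limits.so` and `@include common-session` looks right, since the loginuid has to be set before the other session modules act. The same line is added in debian/lightdm.pam in the next hunk.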
+++ b/debian/lightdm.pam
@@ -7,6 +7,7 @@ auth optional pam_kwallet.so
 auth optional pam_kwallet5.so
 @include common-account
 session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session required pam_loginuid.so
 session required pam_limits.so
 @include common-session
 session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
diff --git a/src/session-child.c b/src/session-child.c
index e85f57da..f84e6c7b 100644
--- a/src/session-child.c
+++ b/src/session-child.c
@@ -16,6 +16,7 @@
 #include <utmp.h>
 #include <utmpx.h>
 #include <sys/mman.h>
+#include <libaudit.h>
 #include "configuration.h"
 #include "session-child.h"
@@ -220,6 +221,32 @@ updwtmpx (const gchar *wtmp_file, struct utmpx *ut)
 updwtmp (wtmp_file, &u);
 }
+static void
+audit_event (int type, const gchar *username, uid_t uid, const gchar *remote_host_name, const gchar *tty, gboolean success)
+{
+#if HAVE_LIBAUDIT
+ int auditfd, result;
+ const char *op = NULL;
+
+ auditfd = audit_open ();
+ if (auditfd < 0) {
+ g_printerr ("Error opening audit socket: %s\n", strerror (errno));
+ return;
+ }
+
+ if (type == AUDIT_USER_LOGIN)
+ op = "login";
+ else if (type == AUDIT_USER_LOGOUT)
+ op = "logout";
+ result = success == TRUE ? 1 : 0;
+
+ if (audit_log_acct_message (auditfd, type, NULL, op, username, uid, remote_host_name, NULL, tty, result) <= 0)
+ g_printerr ("Error writing audit message: %s\n", strerror (errno));
+
+ close (auditfd);
+#endif
+}
+
 int
 session_child_run (int argc, char **argv)
 {
@@ -386,6 +413,8 @@ session_child_run (int argc, char **argv)
 ut.ut_tv.tv_usec = tv.tv_usec;
 updwtmpx ("/var/log/btmp", &ut);
+
+ audit_event (AUDIT_USER_LOGIN, username, -1, remote_host_name, tty, FALSE);
 }
 /* Check account is valid */
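Review bot: `#include <libaudit.h>` is added unconditionally, but configure.ac in this commit makes libaudit optional (`--enable-audit` defaults to auto and does not fail when the library is absent), so a build without libaudit-dev now stops at this include even though audit_event below is compiled out under `#if HAVE_LIBAUDIT`. Guard it, `#if HAVE_LIBAUDIT` / `#include <libaudit.h>` / `#endif`, and give the two call sites in session_child_run a fallback for AUDIT_USER_LOGIN and AUDIT_USER_LOGOUT — either an `#else` branch defining them locally (their values are irrelevant when audit_event is empty) or a gboolean is_login parameter on audit_event so the libaudit constants never reach the callers.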
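Review bot: The `<= 0` test on `audit_log_acct_message` treats a zero return as an error and reports `strerror (errno)`, but as far as I recall the libaudit contract it returns a negative errno value on send failures (so `errno` itself is not necessarily set) and zero when the audit system is not enabled; a zero would then print a misleading error with a stale errno on every login and logout, and a negative return would print the wrong reason. Capturing the result, `int rc = audit_log_acct_message (auditfd, type, NULL, op, username, uid, remote_host_name, NULL, tty, result);` followed by `if (rc < 0) g_printerr ("Error writing audit message: %s\n", strerror (-rc));`, matches that convention — please confirm against the libaudit version being targeted. The `audit_open ()` failure path has a similar cost: on a kernel built without audit, or in a container, it will print an error on each login rather than quietly skip. A one-line header comment would also help the next reader, e.g. `/* Record an AUDIT_USER_LOGIN / AUDIT_USER_LOGOUT event for username on tty; a no-op when built without libaudit. */`.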
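Review bot: The failed-login call passes `-1` for a `uid_t` parameter; uid_t is unsigned, so this relies on the conversion wrapping to the value the audit subsystem treats as "unset", and a reader has to know that convention to understand the line. Writing it as `(uid_t) -1` with a short comment, `/* uid unknown: authentication failed */`, makes the intent explicit and silences sign-conversion warnings. session_child_run starts and ends outside this hunk.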
@@ -701,6 +730,8 @@ session_child_run (int argc, char **argv)
 g_printerr ("Failed to write utmpx: %s\n", strerror (errno));
 endutxent ();
 updwtmpx ("/var/log/wtmp", &ut);
+
+ audit_event (AUDIT_USER_LOGIN, username, uid, remote_host_name, tty, TRUE);
 }
 waitpid (child_pid, &return_code, 0);
@@ -737,6 +768,8 @@ session_child_run (int argc, char **argv)
 g_printerr ("Failed to write utmpx: %s\n", strerror (errno));
 endutxent ();
 updwtmpx ("/var/log/wtmp", &ut);
+
+ audit_event (AUDIT_USER_LOGOUT, username, uid, remote_host_name, tty, TRUE);
 }
 }
|
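Review bot: Both audit_event calls sit inside the blocks that write the wtmp record (the successful-login block in this hunk and the logout block in the next one), so an audit record is only emitted when the utmp/wtmp bookkeeping runs; the opening of each block is outside the hunk, so if it is conditional, sessions that skip the utmp record leave no login or logout audit trail at all, which is the gap an audit source should not have. If that condition exists, moving each `audit_event (...)` call just past the closing brace of its block makes the event unconditional on the success path; the failed-login call in the earlier btmp hunk has the same structure. session_child_run starts and ends outside these hunks.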