104 lines
3.3 KiB
Diff
104 lines
3.3 KiB
Diff
|
diff -up Linux-PAM-0.99.10.0/modules/pam_unix/Makefile.am.audit-failed Linux-PAM-0.99.10.0/modules/pam_unix/Makefile.am
|
||
|
--- Linux-PAM-0.99.10.0/modules/pam_unix/Makefile.am.audit-failed 2008-02-06 15:21:34.000000000 +0100
|
||
|
+++ Linux-PAM-0.99.10.0/modules/pam_unix/Makefile.am 2008-02-22 16:11:02.000000000 +0100
|
||
|
@@ -53,7 +53,7 @@ unix_chkpwd_SOURCES = unix_chkpwd.c md5_
|
||
|
passverify.c
|
||
|
unix_chkpwd_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_chkpwd\"
|
||
|
unix_chkpwd_LDFLAGS = @PIE_LDFLAGS@
|
||
|
-unix_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@
|
||
|
+unix_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@ @LIBAUDIT@
|
||
|
|
||
|
unix_update_SOURCES = unix_update.c md5_good.c md5_broken.c bigcrypt.c \
|
||
|
passverify.c
|
||
|
diff -up Linux-PAM-0.99.10.0/modules/pam_unix/unix_chkpwd.c.audit-failed Linux-PAM-0.99.10.0/modules/pam_unix/unix_chkpwd.c
|
||
|
--- Linux-PAM-0.99.10.0/modules/pam_unix/unix_chkpwd.c.audit-failed 2008-02-22 15:39:03.000000000 +0100
|
||
|
+++ Linux-PAM-0.99.10.0/modules/pam_unix/unix_chkpwd.c 2008-02-22 16:34:29.000000000 +0100
|
||
|
@@ -24,6 +24,10 @@
|
||
|
#include <shadow.h>
|
||
|
#include <signal.h>
|
||
|
#include <time.h>
|
||
|
+#include <errno.h>
|
||
|
+#ifdef HAVE_LIBAUDIT
|
||
|
+#include <libaudit.h>
|
||
|
+#endif
|
||
|
|
||
|
#include <security/_pam_types.h>
|
||
|
#include <security/_pam_macros.h>
|
||
|
@@ -54,6 +58,37 @@ static int _check_expiry(const char *una
|
||
|
return retval;
|
||
|
}
|
||
|
|
||
|
+static int _audit_log(int type, const char *uname, int rc)
|
||
|
+{
|
||
|
+#ifdef HAVE_LIBAUDIT
|
||
|
+ int audit_fd;
|
||
|
+
|
||
|
+ audit_fd = audit_open();
|
||
|
+ if (audit_fd < 0) {
|
||
|
+ /* You get these error codes only when the kernel doesn't have
|
||
|
+ * audit compiled in. */
|
||
|
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
|
||
|
+ errno == EAFNOSUPPORT)
|
||
|
+ return PAM_SUCCESS;
|
||
|
+
|
||
|
+ helper_log_err(LOG_CRIT, "audit_open() failed: %m");
|
||
|
+ return PAM_AUTH_ERR;
|
||
|
+ }
|
||
|
+
|
||
|
+ rc = audit_log_acct_message(audit_fd, type, NULL, "PAM:unix_chkpwd",
|
||
|
+ uname, -1, NULL, NULL, NULL, rc == PAM_SUCCESS);
|
||
|
+ if (rc == -EPERM && geteuid() != 0) {
|
||
|
+ rc = 0;
|
||
|
+ }
|
||
|
+
|
||
|
+ audit_close(audit_fd);
|
||
|
+
|
||
|
+ return rc < 0 ? PAM_AUTH_ERR : PAM_SUCCESS;
|
||
|
+#else
|
||
|
+ return PAM_SUCCESS;
|
||
|
+#endif
|
||
|
+}
|
||
|
+
|
||
|
int main(int argc, char *argv[])
|
||
|
{
|
||
|
char pass[MAXPASS + 1];
|
||
|
@@ -82,6 +117,7 @@ int main(int argc, char *argv[])
|
||
|
helper_log_err(LOG_NOTICE
|
||
|
,"inappropriate use of Unix helper binary [UID=%d]"
|
||
|
,getuid());
|
||
|
+ _audit_log(AUDIT_ANOM_EXEC, getuidname(getuid()), PAM_SYSTEM_ERR);
|
||
|
fprintf(stderr
|
||
|
,"This binary is not designed for running in this way\n"
|
||
|
"-- the system administrator has been informed\n");
|
||
|
@@ -118,9 +154,10 @@ int main(int argc, char *argv[])
|
||
|
nullok = 1;
|
||
|
else if (strcmp(option, "nonull") == 0)
|
||
|
nullok = 0;
|
||
|
- else
|
||
|
+ else {
|
||
|
+ _audit_log(AUDIT_ANOM_EXEC, getuidname(getuid()), PAM_SYSTEM_ERR);
|
||
|
return PAM_SYSTEM_ERR;
|
||
|
-
|
||
|
+ }
|
||
|
/* read the password from stdin (a pipe from the pam_unix module) */
|
||
|
|
||
|
npass = read_passwords(STDIN_FILENO, 1, passwords);
|
||
|
@@ -141,11 +178,16 @@ int main(int argc, char *argv[])
|
||
|
/* return pass or fail */
|
||
|
|
||
|
if (retval != PAM_SUCCESS) {
|
||
|
- if (!nullok || !blankpass)
|
||
|
+ if (!nullok || !blankpass) {
|
||
|
/* no need to log blank pass test */
|
||
|
+ if (getuid() != 0)
|
||
|
+ _audit_log(AUDIT_USER_AUTH, user, PAM_AUTH_ERR);
|
||
|
helper_log_err(LOG_NOTICE, "password check failed for user (%s)", user);
|
||
|
+ }
|
||
|
return PAM_AUTH_ERR;
|
||
|
} else {
|
||
|
+ if (getuid() != 0)
|
||
|
+ return _audit_log(AUDIT_USER_AUTH, user, PAM_SUCCESS);
|
||
|
return PAM_SUCCESS;
|
||
|
}
|
||
|
}
|