diff --git a/pam-1.1.8-audit-user-mgmt.patch b/pam-1.1.8-audit-user-mgmt.patch
new file mode 100644
index 0000000..ef9cb4f
--- /dev/null
+++ b/pam-1.1.8-audit-user-mgmt.patch
@@ -0,0 +1,55 @@
+diff -up Linux-PAM-1.1.8/modules/pam_faillock/main.c.audit-user-mgmt Linux-PAM-1.1.8/modules/pam_faillock/main.c
+--- Linux-PAM-1.1.8/modules/pam_faillock/main.c.audit-user-mgmt 2014-10-17 12:09:12.928490104 +0200
++++ Linux-PAM-1.1.8/modules/pam_faillock/main.c 2014-10-17 12:09:43.001169008 +0200
+@@ -127,7 +127,6 @@ do_user(struct options *opts, const char
+ }
+ if (opts->reset) {
+ #ifdef HAVE_LIBAUDIT
+- char buf[64];
+ int audit_fd;
+ #endif
+
+@@ -141,10 +140,8 @@ do_user(struct options *opts, const char
+ if ((audit_fd=audit_open()) >= 0) {
+
+ if (pwd != NULL) {
+- snprintf(buf, sizeof(buf), "faillock reset uid=%u",
+- pwd->pw_uid);
+- audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
+- buf, NULL, NULL, NULL, rv == 0);
++ audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL,
++ "faillock-reset", NULL, pwd->pw_uid, NULL, NULL, NULL, rv == 0);
+ }
+ close(audit_fd);
+ }
+diff -up Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c.audit-user-mgmt Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c
+--- Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c.audit-user-mgmt 2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c 2014-10-17 12:09:12.965490940 +0200
+@@ -997,9 +997,9 @@ main( int argc UNUSED, char **argv )
+ #ifdef HAVE_LIBAUDIT
+ char buf[64];
+ int audit_fd = audit_open();
+- snprintf(buf, sizeof(buf), "pam_tally2 uid=%u reset=%hu", uid, cline_reset);
+- audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
+- buf, NULL, NULL, ttyname(STDIN_FILENO), 1);
++ snprintf(buf, sizeof(buf), "pam_tally2 reset=%hu", cline_reset);
++ audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL,
++ buf, NULL, uid, NULL, NULL, ttyname(STDIN_FILENO), 1);
+ if (audit_fd >=0)
+ close(audit_fd);
+ #endif
+@@ -1040,11 +1040,10 @@ main( int argc UNUSED, char **argv )
+ }
+ else if ( !cline_reset ) {
+ #ifdef HAVE_LIBAUDIT
+- char buf[64];
+ int audit_fd = audit_open();
+- snprintf(buf, sizeof(buf), "pam_tally2 uid=all reset=0");
+- audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
+- buf, NULL, NULL, ttyname(STDIN_FILENO), 1);
++ audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL,
++ "pam_tally2-reset-all-accts reset=0", "*", -1,
++ NULL, NULL, ttyname(STDIN_FILENO), 1);
+ if (audit_fd >=0)
+ close(audit_fd);
+ #endif
diff --git a/pam.spec b/pam.spec
index 8dc158d..8410309 100644
--- a/pam.spec
+++ b/pam.spec
@@ -3,7 +3,7 @@ Summary: An extensible library which provides authentication for applications Name: pam Version: 1.1.8 -Release: 17%{?dist} +Release: 18%{?dist} # The library is BSD licensed with option to relicense as GPLv2+ # - this option is redundant as the BSD license allows that anyway. # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@@ -55,6 +55,7 @@ Patch39: pam-1.1.8-audit-grantor.patch Patch40: pam-1.1.8-man-dbsuffix.patch Patch41: pam-1.1.8-limits-check-process.patch Patch42: pam-1.1.8-limits-docfix.patch +Patch43: pam-1.1.8-audit-user-mgmt.patch %define _pamlibdir %{_libdir} %define _moduledir %{_libdir}/security
@@ -144,6 +145,7 @@ cp %{SOURCE18} . %patch40 -p1 -b .dbsuffix %patch41 -p1 -b .check-process %patch42 -p1 -b .docfix +%patch43 -p1 -b .audit-user-mgmt %build autoreconf -i
@@ -394,6 +396,10 @@ fi %doc doc/adg/*.txt doc/adg/html %changelog +* Fri Oct 17 2014 Tomáš Mráz 1.1.8-18 +- use USER_MGMT type for auditing in the pam_tally2 and faillock + apps (#1151576) + * Thu Sep 11 2014 Tomáš Mráz 1.1.8-17 - update the audit-grantor patch with the upstream changes - pam_userdb: correct the example in man page (#1078784)
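Review bot: In both pam_tally2.c hunks of pam-1.1.8-audit-user-mgmt.patch the new `audit_log_acct_message()` call is made with whatever `audit_open()` returned and its return value is dropped; the `if (audit_fd >=0)` test guards only the `close()`. As far as the hunks show, a reset of the failure counters then goes ahead with no USER_MGMT record and no diagnostic when the audit socket cannot be opened or the write fails. The faillock hunk already wraps its call in `if ((audit_fd=audit_open()) >= 0)`; pam_tally2 could match it with `if (audit_fd >= 0) { audit_log_acct_message(...); close(audit_fd); }` and report a failed write on stderr. The faillock path also still emits nothing when `pwd == NULL`, although the new call accepts an account name, so a name-only record looks possible there; the variable holding the name is outside the hunk. Both `main()` and `do_user()` begin and end outside the hunks shown.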