minor auditing fixes

This commit is contained in:
Tomas Mraz 2019-06-07 14:40:46 +02:00
parent c2e806d82c
commit e17e2fa767
3 changed files with 56 additions and 15 deletions

View File

@ -327,3 +327,23 @@ index 5ad812f7..516417b7 100644
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
diff -up shadow-4.6/man/groupadd.8.xml.manfix shadow-4.6/man/groupadd.8.xml
--- shadow-4.6/man/groupadd.8.xml.manfix 2019-04-02 16:35:52.096637444 +0200
+++ shadow-4.6/man/groupadd.8.xml 2019-06-07 14:23:57.477602106 +0200
@@ -320,13 +320,13 @@
<varlistentry>
<term><replaceable>4</replaceable></term>
<listitem>
- <para>GID not unique (when <option>-o</option> not used)</para>
+ <para>GID is already used (when called without <option>-o</option>)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable>9</replaceable></term>
<listitem>
- <para>group name not unique</para>
+ <para>group name is already used</para>
</listitem>
</varlistentry>
<varlistentry>

View File

@ -834,16 +834,23 @@ diff -up shadow-4.6/src/groupmod.c.audit-update shadow-4.6/src/groupmod.c
info_group.audit_msg, info_group.audit_msg,
group_name, AUDIT_NO_ID, group_name, AUDIT_NO_ID,
SHADOW_AUDIT_SUCCESS); SHADOW_AUDIT_SUCCESS);
@@ -472,7 +472,7 @@ static void close_files (void) @@ -472,7 +472,14 @@ static void close_files (void)
exit (E_GRP_UPDATE); exit (E_GRP_UPDATE);
} }
#ifdef WITH_AUDIT #ifdef WITH_AUDIT
- audit_logger (AUDIT_USER_ACCT, Prog, - audit_logger (AUDIT_USER_ACCT, Prog,
+ /* If both happened, log password change as its more important */
+ if (pflg)
+ audit_logger (AUDIT_GRP_CHAUTHTOK, Prog,
+ info_gshadow.audit_msg,
+ group_name, AUDIT_NO_ID,
+ SHADOW_AUDIT_SUCCESS);
+ else
+ audit_logger (AUDIT_GRP_MGMT, Prog, + audit_logger (AUDIT_GRP_MGMT, Prog,
info_gshadow.audit_msg, info_gshadow.audit_msg,
group_name, AUDIT_NO_ID, group_name, AUDIT_NO_ID,
SHADOW_AUDIT_SUCCESS); SHADOW_AUDIT_SUCCESS);
@@ -495,7 +495,7 @@ static void close_files (void) @@ -495,7 +502,7 @@ static void close_files (void)
exit (E_GRP_UPDATE); exit (E_GRP_UPDATE);
} }
#ifdef WITH_AUDIT #ifdef WITH_AUDIT
@ -852,7 +859,7 @@ diff -up shadow-4.6/src/groupmod.c.audit-update shadow-4.6/src/groupmod.c
info_passwd.audit_msg, info_passwd.audit_msg,
group_name, AUDIT_NO_ID, group_name, AUDIT_NO_ID,
SHADOW_AUDIT_SUCCESS); SHADOW_AUDIT_SUCCESS);
@@ -510,8 +510,8 @@ static void close_files (void) @@ -510,8 +517,8 @@ static void close_files (void)
} }
#ifdef WITH_AUDIT #ifdef WITH_AUDIT
@ -863,7 +870,7 @@ diff -up shadow-4.6/src/groupmod.c.audit-update shadow-4.6/src/groupmod.c
group_name, AUDIT_NO_ID, group_name, AUDIT_NO_ID,
SHADOW_AUDIT_SUCCESS); SHADOW_AUDIT_SUCCESS);
#endif #endif
@@ -523,6 +523,8 @@ static void close_files (void) @@ -523,6 +530,8 @@ static void close_files (void)
*/ */
static void prepare_failure_reports (void) static void prepare_failure_reports (void)
{ {
@ -872,7 +879,7 @@ diff -up shadow-4.6/src/groupmod.c.audit-update shadow-4.6/src/groupmod.c
info_group.name = group_name; info_group.name = group_name;
#ifdef SHADOWGRP #ifdef SHADOWGRP
info_gshadow.name = group_name; info_gshadow.name = group_name;
@@ -535,76 +537,106 @@ static void prepare_failure_reports (voi @@ -535,76 +544,109 @@ static void prepare_failure_reports (voi
#endif #endif
info_passwd.audit_msg = xmalloc (512); info_passwd.audit_msg = xmalloc (512);
@ -971,6 +978,9 @@ diff -up shadow-4.6/src/groupmod.c.audit-update shadow-4.6/src/groupmod.c
+ free(nv_pair); + free(nv_pair);
} }
if (pflg) { if (pflg) {
+ strncat(info_passwd.audit_msg, "op=change-password",
+ 511 - strlen (info_passwd.action));
+
+ /* Note: audit doesn't want this value recorded */ + /* Note: audit doesn't want this value recorded */
strncat (info_group.action, ", new password", strncat (info_group.action, ", new password",
- 511 - strlen (info_group.audit_msg)); - 511 - strlen (info_group.audit_msg));
@ -1006,7 +1016,7 @@ diff -up shadow-4.6/src/groupmod.c.audit-update shadow-4.6/src/groupmod.c
"%lu", (unsigned long int) group_newid); "%lu", (unsigned long int) group_newid);
} }
info_group.audit_msg[511] = '\0'; info_group.audit_msg[511] = '\0';
@@ -612,6 +644,11 @@ static void prepare_failure_reports (voi @@ -612,6 +654,11 @@ static void prepare_failure_reports (voi
info_gshadow.audit_msg[511] = '\0'; info_gshadow.audit_msg[511] = '\0';
#endif #endif
info_passwd.audit_msg[511] = '\0'; info_passwd.audit_msg[511] = '\0';
@ -1603,16 +1613,24 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c
fail_exit (E_PW_UPDATE); fail_exit (E_PW_UPDATE);
} }
#ifdef ENABLE_SUBIDS #ifdef ENABLE_SUBIDS
@@ -1997,7 +1939,7 @@ static void usr_update (void) @@ -1996,9 +1938,14 @@ static void usr_update (void)
#endif /* ENABLE_SUBIDS */
#ifdef WITH_AUDIT #ifdef WITH_AUDIT
+ /*
+ * Even though we have the ID of the user, we won't send it now
+ * because its not written to disk yet. After close_files it is
+ * and we can use the real ID thereafter.
+ */
audit_logger (AUDIT_ADD_USER, Prog, audit_logger (AUDIT_ADD_USER, Prog,
- "adding user", - "adding user",
- user_name, (unsigned int) user_id,
+ "add-user", + "add-user",
user_name, (unsigned int) user_id, + user_name, AUDIT_NO_ID,
SHADOW_AUDIT_SUCCESS); SHADOW_AUDIT_SUCCESS);
#endif #endif
@@ -2032,12 +1974,6 @@ static void create_home (void) /*
@@ -2032,12 +1979,6 @@ static void create_home (void)
fprintf (stderr, fprintf (stderr,
_("%s: cannot create directory %s\n"), _("%s: cannot create directory %s\n"),
Prog, prefix_user_home); Prog, prefix_user_home);
@ -1625,7 +1643,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c
fail_exit (E_HOMEDIR); fail_exit (E_HOMEDIR);
} }
(void) chown (prefix_user_home, user_id, user_gid); (void) chown (prefix_user_home, user_id, user_gid);
@@ -2045,8 +1981,8 @@ static void create_home (void) @@ -2045,8 +1986,8 @@ static void create_home (void)
0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK)); 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
home_added = true; home_added = true;
#ifdef WITH_AUDIT #ifdef WITH_AUDIT
@ -1636,7 +1654,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c
user_name, (unsigned int) user_id, user_name, (unsigned int) user_id,
SHADOW_AUDIT_SUCCESS); SHADOW_AUDIT_SUCCESS);
#endif #endif
@@ -2231,12 +2167,6 @@ int main (int argc, char **argv) @@ -2231,12 +2172,6 @@ int main (int argc, char **argv)
*/ */
if (prefix_getpwnam (user_name) != NULL) { /* local, no need for xgetpwnam */ if (prefix_getpwnam (user_name) != NULL) { /* local, no need for xgetpwnam */
fprintf (stderr, _("%s: user '%s' already exists\n"), Prog, user_name); fprintf (stderr, _("%s: user '%s' already exists\n"), Prog, user_name);
@ -1649,7 +1667,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c
fail_exit (E_NAME_IN_USE); fail_exit (E_NAME_IN_USE);
} }
@@ -2252,12 +2182,6 @@ int main (int argc, char **argv) @@ -2252,12 +2187,6 @@ int main (int argc, char **argv)
fprintf (stderr, fprintf (stderr,
_("%s: group %s exists - if you want to add this user to that group, use -g.\n"), _("%s: group %s exists - if you want to add this user to that group, use -g.\n"),
Prog, user_name); Prog, user_name);
@ -1662,7 +1680,7 @@ diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c
fail_exit (E_NAME_IN_USE); fail_exit (E_NAME_IN_USE);
} }
} }
@@ -2287,12 +2211,6 @@ int main (int argc, char **argv) @@ -2287,12 +2216,6 @@ int main (int argc, char **argv)
fprintf (stderr, fprintf (stderr,
_("%s: UID %lu is not unique\n"), _("%s: UID %lu is not unique\n"),
Prog, (unsigned long) user_id); Prog, (unsigned long) user_id);

View File

@ -1,7 +1,7 @@
Summary: Utilities for managing accounts and shadow password files Summary: Utilities for managing accounts and shadow password files
Name: shadow-utils Name: shadow-utils
Version: 4.6 Version: 4.6
Release: 13%{?dist} Release: 14%{?dist}
Epoch: 2 Epoch: 2
URL: http://pkg-shadow.alioth.debian.org/ URL: http://pkg-shadow.alioth.debian.org/
Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
@ -246,6 +246,9 @@ done
%{_mandir}/man8/vigr.8* %{_mandir}/man8/vigr.8*
%changelog %changelog
* Fri Jun 7 2019 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-14
- minor auditing fixes
* Fri May 3 2019 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-13 * Fri May 3 2019 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-13
- use lckpwdf() again to disable concurrent edits of databases by - use lckpwdf() again to disable concurrent edits of databases by
other applications other applications