Enable support for sudo BSM audit logs on systems that support
it. Currently only supported under FreeBSD and Mac OS X.
+ --with-linux-audit
+ Enable audit support for Linux systems. Audits attempts
+ to run a command as well as SELinux role changes.
+
--with-csops
Add CSOps standard options. You probably aren't interested in this.
#ifdef HAVE_BSM_AUDIT
# include "bsm_audit.h"
#endif
+#ifdef HAVE_LINUX_AUDIT
+# include "linux_audit.h"
+#endif
void
#ifdef __STDC__
-audit_success(char **exec_args)
+audit_success(char *exec_args[])
#else
audit_success(exec_args)
- const char **exec_args;
+ const char *exec_args[];
#endif
{
#ifdef HAVE_BSM_AUDIT
bsm_audit_success(exec_args);
#endif
+#ifdef HAVE_LINUX_AUDIT
+ linux_audit_command(exec_args, 1);
+#endif
}
void
#ifdef __STDC__
-audit_failure(char **exec_args, char const *const fmt, ...)
+audit_failure(char *exec_args[], char const *const fmt, ...)
#else
audit_failure(exec_args, fmt, va_alist)
- const char **exec_args;
+ const char *exec_args[];
char const *const fmt;
va_dcl
#endif
#endif
#ifdef HAVE_BSM_AUDIT
bsm_audit_failure(exec_args, fmt, ap);
+#endif
+#ifdef HAVE_LINUX_AUDIT
+ linux_audit_command(exec_args, 0);
#endif
va_end(ap);
}
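Review bot: The new Linux path in audit_failure drops the failure reason: `bsm_audit_failure(exec_args, fmt, ap)` receives the format string and its arguments, but `linux_audit_command(exec_args, 0)` gets only the argv and a literal flag, so the Linux audit record apparently cannot say why the command was refused (this depends on linux_audit_command's implementation, which is not shown). If that is intentional, a comment above the call such as `/* linux_audit_command() records only success/failure; the reason in fmt is not logged. */` would stop the next reader from assuming parity with the BSM path; otherwise consider passing fmt and ap through. The same hunk also leaves the two prototypes of each function out of step: the `__STDC__` branch now declares `char *exec_args[]` while the K&R branch keeps `const char *exec_args[]`, and the logging.h prototypes follow the non-const form, so one of the two branches should be aligned with the other. The body of audit_failure, including the va_start that pairs with the visible va_end, begins outside this hunk.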
#include <errno.h>
#include <unistd.h>
+#include "bsm_audit.h"
+
void log_error(int flags, const char *fmt, ...) __attribute__((__noreturn__));
static int
/* Define to 1 if you use BSD authentication. */
#undef HAVE_BSD_AUTH_H
-/* Define to 1 to enable BSM auditing. */
+/* Define to 1 to enable BSM audit support. */
#undef HAVE_BSM_AUDIT
/* Define to 1 if you have the `closefrom' function. */
/* Define to 1 if you have the `dl' library (-ldl). */
#undef HAVE_LIBDL
+/* Define to 1 to enable Linux audit support. */
+#undef HAVE_LINUX_AUDIT
+
/* Define to 1 if you have the `lockf' function. */
#undef HAVE_LOCKF
/* Define to 1 to enable SELinux RBAC support. */
#undef HAVE_SELINUX
+/* Define to 1 if you have the `setauthdb' function. */
+#undef HAVE_SETAUTHDB
+
/* Define to 1 if you have the `setenv' function. */
#undef HAVE_SETENV
with_rpath
with_blibpath
with_bsm_audit
+with_linux_audit
with_incpath
with_libpath
with_libraries
--with-rpath pass -R flag in addition to -L for lib paths
--with-blibpath=PATH pass -blibpath flag to ld for additional lib paths
--with-bsm-audit enable BSM audit support
+ --with-linux-audit enable Linux audit support
--with-incpath additional places to look for include files
--with-libpath additional places to look for libraries
--with-libraries additional libraries to link with
+# Check whether --with-linux-audit was given.
+if test "${with_linux_audit+set}" = set; then :
+ withval=$with_linux_audit; case $with_linux_audit in
+ yes) $as_echo "#define HAVE_LINUX_AUDIT 1" >>confdefs.h
+
+ SUDO_LIBS="${SUDO_LIBS} -laudit"
+ SUDO_OBJS="${SUDO_OBJS} linux_audit.o"
+ ;;
+ no) ;;
+ *) as_fn_error "\"--with-linux-audit does not take an argument.\"" "$LINENO" 5
+ ;;
+esac
+fi
+
+
+
# Check whether --with-incpath was given.
if test "${with_incpath+set}" = set; then :
withval=$with_incpath; case $with_incpath in
else
lt_cv_nm_interface="BSD nm"
echo "int some_variable = 0;" > conftest.$ac_ext
- (eval echo "\"\$as_me:6542: $ac_compile\"" >&5)
+ (eval echo "\"\$as_me:6560: $ac_compile\"" >&5)
(eval "$ac_compile" 2>conftest.err)
cat conftest.err >&5
- (eval echo "\"\$as_me:6545: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
+ (eval echo "\"\$as_me:6563: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
(eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)
cat conftest.err >&5
- (eval echo "\"\$as_me:6548: output\"" >&5)
+ (eval echo "\"\$as_me:6566: output\"" >&5)
cat conftest.out >&5
if $GREP 'External.*some_variable' conftest.out > /dev/null; then
lt_cv_nm_interface="MS dumpbin"
;;
*-*-irix6*)
# Find out which ABI we are using.
- echo '#line 7753 "configure"' > conftest.$ac_ext
+ echo '#line 7771 "configure"' > conftest.$ac_ext
if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
(eval $ac_compile) 2>&5
ac_status=$?
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:9146: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:9164: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:9150: \$? = $ac_status" >&5
+ echo "$as_me:9168: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output.
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:9485: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:9503: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:9489: \$? = $ac_status" >&5
+ echo "$as_me:9507: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output.
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:9590: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:9608: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
- echo "$as_me:9594: \$? = $ac_status" >&5
+ echo "$as_me:9612: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:9645: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:9663: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
- echo "$as_me:9649: \$? = $ac_status" >&5
+ echo "$as_me:9667: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<_LT_EOF
-#line 12012 "configure"
+#line 12030 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<_LT_EOF
-#line 12108 "configure"
+#line 12126 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
+
+
;;
esac])
+dnl
+dnl Handle Linux auditing support.
+dnl
+AC_ARG_WITH(linux-audit, [AS_HELP_STRING([--with-linux-audit], [enable Linux audit support])],
+[case $with_linux_audit in
+ yes) AC_DEFINE(HAVE_LINUX_AUDIT)
+ SUDO_LIBS="${SUDO_LIBS} -laudit"
+ SUDO_OBJS="${SUDO_OBJS} linux_audit.o"
+ ;;
+ no) ;;
+ *) AC_MSG_ERROR(["--with-linux-audit does not take an argument."])
+ ;;
+esac])
+
AC_ARG_WITH(incpath, [AS_HELP_STRING([--with-incpath], [additional places to look for include files])],
[case $with_incpath in
yes) AC_MSG_ERROR(["must give --with-incpath an argument."])
AH_TEMPLATE(HAVE_AFS, [Define to 1 if you use AFS.])
AH_TEMPLATE(HAVE_AIXAUTH, [Define to 1 if you use AIX general authentication.])
AH_TEMPLATE(HAVE_BSD_AUTH_H, [Define to 1 if you use BSD authentication.])
-AH_TEMPLATE(HAVE_BSM_AUDIT, [Define to 1 to enable BSM auditing.])
+AH_TEMPLATE(HAVE_BSM_AUDIT, [Define to 1 to enable BSM audit support.])
AH_TEMPLATE(HAVE_DCE, [Define to 1 if you use OSF DCE.])
AH_TEMPLATE(HAVE_DD_FD, [Define to 1 if your `DIR' contains dd_fd.])
AH_TEMPLATE(HAVE_DIRFD, [Define to 1 if you have the `dirfd' function or macro.])
AH_TEMPLATE(HAVE_KRB5_VERIFY_USER, [Define to 1 if you have the `krb5_verify_user' function.])
AH_TEMPLATE(HAVE_LBER_H, [Define to 1 if your LDAP needs <lber.h>. (OpenLDAP does not)])
AH_TEMPLATE(HAVE_LDAP, [Define to 1 if you use LDAP for sudoers.])
+AH_TEMPLATE(HAVE_LINUX_AUDIT, [Define to 1 to enable Linux audit support.])
AH_TEMPLATE(HAVE_OPIE, [Define to 1 if you use NRL OPIE.])
AH_TEMPLATE(HAVE_PAM, [Define to 1 if you use PAM authentication.])
AH_TEMPLATE(HAVE_PROJECT_H, [Define to 1 if you have the <project.h> header file.])
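Review bot: The `yes)` branch of the new AC_ARG_WITH(linux-audit) appends `-laudit` to SUDO_LIBS and `linux_audit.o` to SUDO_OBJS without checking that libaudit is actually installed, so `configure --with-linux-audit` succeeds on a host without the library and the failure only surfaces at compile or link time. A header and library probe in that branch would report the problem at configure time, for example `AC_CHECK_HEADER([libaudit.h], [], [AC_MSG_ERROR([libaudit.h is required for --with-linux-audit])])` followed by `AC_CHECK_LIB([audit], [audit_open], [], [AC_MSG_ERROR([libaudit is required for --with-linux-audit])])`, keeping the explicit empty action-if-found so LIBS is not modified behind SUDO_LIBS. The generated configure block for --with-linux-audit earlier on this page mirrors the same logic and would pick up the change on regeneration.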
# define MAXSYSLOGLEN 960
#endif
-void audit_success __P((char **));
-void audit_failure __P((char **, char const * const, ...));
+void audit_success __P((char *[]));
+void audit_failure __P((char *[], char const * const, ...));
void log_allowed __P((int));
void log_denial __P((int, int));
void log_error __P((int flags, const char *fmt, ...))
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
-#ifdef WITH_AUDIT
+#ifdef HAVE_LINUX_AUDIT
#include <libaudit.h>
#endif
#include <selinux/get_context_list.h>
#include "sudo.h"
-#include "pathnames.h"
+#include "linux_audit.h"
static struct selinux_state {
security_context_t old_context;
}
#endif
+#ifdef HAVE_LINUX_AUDIT
+ linux_audit_role_change(se_state.old_context, se_state.new_context,
+ se_state.ttyn);
+#endif
+
rval = 0;
done:
return;
}
-#ifdef WITH_AUDIT
- if (send_audit_message(1, se_state.old_context, se_state.new_context, se_state.ttyn))
- return;
-#endif
-
/* We use the "spare" slot in argv to store sesh. */
--argv;
argv[0] = *argv[1] == '-' ? "-sesh" : "sesh";
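Review bot: The removed code treated a failed audit as fatal (`if (send_audit_message(...)) return;` before the sesh exec), whereas the added `linux_audit_role_change(se_state.old_context, se_state.new_context, se_state.ttyn);` is a bare statement whose result is discarded, so if that function can report failure the role change now proceeds without an audit record. Whether it returns a status at all is not visible here (linux_audit.h is not on the page); if it does, the earlier fail-closed behaviour can be kept with `if (linux_audit_role_change(se_state.old_context, se_state.new_context, se_state.ttyn) != 0) goto done;` placed before `rval = 0;`, and if it cannot fail a comment saying so would justify the change. Separately, `#include "linux_audit.h"` is added unconditionally while `<libaudit.h>` stays under `#ifdef HAVE_LINUX_AUDIT`; that is fine only if linux_audit.h is always shipped and safe to include without libaudit, which this hunk does not show. The enclosing function starts outside the hunk.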