pam_tally2: Optionally log the tally count when checking.
authorTomas Mraz <tmraz@fedoraproject.org>
Wed, 16 Dec 2015 08:33:47 +0000 (09:33 +0100)
committerTomas Mraz <tmraz@fedoraproject.org>
Wed, 16 Dec 2015 08:33:47 +0000 (09:33 +0100)
* modules/pam_tally2/pam_tally2.c (tally_parse_args): Add debug option.
(tally_check): Always log the tally count with debug option.

modules/pam_tally2/pam_tally2.8.xml
modules/pam_tally2/pam_tally2.c

index 2f3b2eb9ede326cf9425362236fba88c0bb1da78..cf5d76d9d78fac7afc0aa41939ad0a685a99409b 100644 (file)
@@ -54,6 +54,9 @@
       <arg choice="opt">
         no_log_info
       </arg>
+      <arg choice="opt">
+        debug
+      </arg>
     </cmdsynopsis>
     <cmdsynopsis id="pam_tally2-cmdsynopsis2">
       <command>pam_tally2</command>
                 </para>
               </listitem>
             </varlistentry>
+            <varlistentry>
+              <term>
+                <option>debug</option>
+              </term>
+              <listitem>
+                <para>
+                  Always log tally count when it is incremented as a debug level message to the system log.
+                </para>
+              </listitem>
+            </varlistentry>
           </variablelist>
         </listitem>
       </varlistentry>
index f5eebb10cca7c034c14efd97e817985c6a11fa80..e513f64c9c7f73d08f54b4a206ebc7c67b0fc7bf 100644 (file)
@@ -124,6 +124,7 @@ struct tally_options {
 #define OPT_AUDIT                       0100
 #define OPT_NOLOGNOTICE                 0400
 #define OPT_SERIALIZE                  01000
+#define OPT_DEBUG                      02000
 
 #define MAX_LOCK_WAITING_TIME 10
 
@@ -196,6 +197,9 @@ tally_parse_args(pam_handle_t *pamh, struct tally_options *opts,
       else if ( ! strcmp( *argv, "serialize" ) ) {
         opts->ctrl |= OPT_SERIALIZE;
       }
+      else if ( ! strcmp( *argv, "debug" ) ) {
+        opts->ctrl |= OPT_DEBUG;
+      }
       else if ( ! strcmp( *argv, "even_deny_root_account" ) ||
                 ! strcmp( *argv, "even_deny_root" ) ) {
        log_phase_no_auth(pamh, phase, *argv);
@@ -503,6 +507,7 @@ tally_check (tally_t oldcnt, time_t oldtime, pam_handle_t *pamh, uid_t uid,
             struct tallylog *tally)
 {
     int rv = PAM_SUCCESS;
+    int loglevel = LOG_DEBUG;
 #ifdef HAVE_LIBAUDIT
     char buf[64];
     int audit_fd = -1;
@@ -575,11 +580,7 @@ tally_check (tally_t oldcnt, time_t oldtime, pam_handle_t *pamh, uid_t uid,
             pam_info(pamh, _("Account locked due to %u failed logins"),
                    (unsigned int)tally->fail_cnt);
         }
-       if (!(opts->ctrl & OPT_NOLOGNOTICE)) {
-            pam_syslog(pamh, LOG_NOTICE,
-                   "user %s (%lu) tally %hu, deny %hu",
-                  user, (unsigned long)uid, tally->fail_cnt, opts->deny);
-       }
+       loglevel = LOG_NOTICE;
         rv = PAM_AUTH_ERR;                 /* Only unconditional failure   */
         goto cleanup;
     }
@@ -609,6 +610,11 @@ tally_check (tally_t oldcnt, time_t oldtime, pam_handle_t *pamh, uid_t uid,
     }
 
 cleanup:
+    if (!(opts->ctrl & OPT_NOLOGNOTICE) && (loglevel != LOG_DEBUG || opts->ctrl & OPT_DEBUG)) {
+        pam_syslog(pamh, loglevel,
+            "user %s (%lu) tally %hu, deny %hu",
+            user, (unsigned long)uid, tally->fail_cnt, opts->deny);
+    }
 #ifdef HAVE_LIBAUDIT
     if (audit_fd != -1) {
         close(audit_fd);
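Review bot: The new test at `cleanup:` reads `loglevel != LOG_DEBUG || opts->ctrl & OPT_DEBUG`, which is correct only because `&` binds tighter than `||`; it is easy to misread as a bitwise test on the whole disjunction, so I would parenthesize it and say what the two levels mean: `/* NOTICE once the deny limit is hit; DEBUG on every check when "debug" is set */` followed by `if (!(opts->ctrl & OPT_NOLOGNOTICE) && (loglevel != LOG_DEBUG || (opts->ctrl & OPT_DEBUG))) {`. As written, `no_log_info` (OPT_NOLOGNOTICE) also silences the debug-level line, while the option text added to pam_tally2.8.xml in this commit says the count is "always" logged with `debug`; either drop the OPT_NOLOGNOTICE test for the LOG_DEBUG case or document that `no_log_info` still takes precedence. Because the pam_syslog call was moved from the deny branch to the shared `cleanup:` label, every `goto cleanup` in tally_check now reaches it, including any taken on error paths in the part of the function outside this hunk before `tally` and `user` are usable, which is worth confirming since the call dereferences `tally->fail_cnt`. tally_check starts in the third hunk of this file and its body continues past the last one.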