From: Todd C. Miller Date: Wed, 16 Jun 2010 14:04:24 +0000 (-0400) Subject: Add Linux audit support. X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=526d2f91b9f917c0e3fc888c970f55bbe619e1a3;p=sudo Add Linux audit support. --HG-- branch : 1.7 --- diff --git a/INSTALL b/INSTALL index bf05a4d88..82637fb5d 100644 --- a/INSTALL +++ b/INSTALL @@ -141,6 +141,10 @@ Special features/options: Enable support for sudo BSM audit logs on systems that support it. Currently only supported under FreeBSD and Mac OS X. + --with-linux-audit + Enable audit support for Linux systems. Audits attempts + to run a command as well as SELinux role changes. + --with-csops Add CSOps standard options. You probably aren't interested in this. diff --git a/audit.c b/audit.c index 59ea5262e..9226d301d 100644 --- a/audit.c +++ b/audit.c @@ -38,26 +38,32 @@ #ifdef HAVE_BSM_AUDIT # include "bsm_audit.h" #endif +#ifdef HAVE_LINUX_AUDIT +# include "linux_audit.h" +#endif void #ifdef __STDC__ -audit_success(char **exec_args) +audit_success(char *exec_args[]) #else audit_success(exec_args) - const char **exec_args; + const char *exec_args[]; #endif { #ifdef HAVE_BSM_AUDIT bsm_audit_success(exec_args); #endif +#ifdef HAVE_LINUX_AUDIT + linux_audit_command(exec_args, 1); +#endif } void #ifdef __STDC__ -audit_failure(char **exec_args, char const *const fmt, ...) +audit_failure(char *exec_args[], char const *const fmt, ...) #else audit_failure(exec_args, fmt, va_alist) - const char **exec_args; + const char *exec_args[]; char const *const fmt; va_dcl #endif @@ -71,6 +77,9 @@ audit_failure(exec_args, fmt, va_alist) #endif #ifdef HAVE_BSM_AUDIT bsm_audit_failure(exec_args, fmt, ap); +#endif +#ifdef HAVE_LINUX_AUDIT + linux_audit_command(exec_args, 0); #endif va_end(ap); } diff --git a/bsm_audit.c b/bsm_audit.c index 054d621b3..b388b86f7 100644 --- a/bsm_audit.c +++ b/bsm_audit.c 
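Review bot: In audit_success the K&R declaration `const char *exec_args[];` disagrees with the `__STDC__` prototype `char *exec_args[]` (and with the new logging.h prototype), so the two branches declare different parameter types; audit_failure's K&R branch in this same hunk has the same mismatch. Changing both to `char *exec_args[];` keeps the declarations consistent. The second argument to linux_audit_command is a bare `1` here and `0` in the audit_failure hunk; a comment at the call site such as `/* 1: command allowed, 0: command denied */` would make the flag readable. Neither linux_audit.h nor linux_audit.c appears in this patch as shown, although configure.in adds linux_audit.o to SUDO_OBJS, so presumably they land separately; worth confirming before merging.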
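Review bot: The failure message built from `fmt`/`ap` is handed to bsm_audit_failure on the line above but not to `linux_audit_command(exec_args, 0)`, so the Linux audit record for a denied command carries no reason while the BSM one does. If linux_audit_command's interface allows it (its definition is not in this patch), forwarding the formatted message, or adding a variant that takes `fmt, ap`, would keep the two backends equivalent. audit_failure's body starts outside the hunk.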
@@ -29,6 +29,8 @@ #include #include +#include "bsm_audit.h" + void log_error(int flags, const char *fmt, ...) __attribute__((__noreturn__)); static int diff --git a/config.h.in b/config.h.in index 8a86ba9a6..792b40c5e 100644 --- a/config.h.in +++ b/config.h.in @@ -64,7 +64,7 @@ /* Define to 1 if you use BSD authentication. */ #undef HAVE_BSD_AUTH_H -/* Define to 1 to enable BSM auditing. */ +/* Define to 1 to enable BSM audit support. */ #undef HAVE_BSM_AUDIT /* Define to 1 if you have the `closefrom' function. */ @@ -301,6 +301,9 @@ /* Define to 1 if you have the `dl' library (-ldl). */ #undef HAVE_LIBDL +/* Define to 1 to enable Linux audit support. */ +#undef HAVE_LINUX_AUDIT + /* Define to 1 if you have the `lockf' function. */ #undef HAVE_LOCKF @@ -400,6 +403,9 @@ /* Define to 1 to enable SELinux RBAC support. */ #undef HAVE_SELINUX +/* Define to 1 if you have the `setauthdb' function. */ +#undef HAVE_SETAUTHDB + /* Define to 1 if you have the `setenv' function. */ #undef HAVE_SETENV diff --git a/configure b/configure index 8d827f3b8..5b854c47c 100755 --- a/configure +++ b/configure @@ -902,6 +902,7 @@ with_CC with_rpath with_blibpath with_bsm_audit +with_linux_audit with_incpath with_libpath with_libraries @@ -1656,6 +1657,7 @@ Optional Packages: --with-rpath pass -R flag in addition to -L for lib paths --with-blibpath=PATH pass -blibpath flag to ld for additional lib paths --with-bsm-audit enable BSM audit support + --with-linux-audit enable Linux audit support --with-incpath additional places to look for include files --with-libpath additional places to look for libraries --with-libraries additional libraries to link with 
@@ -2922,6 +2924,22 @@ fi +# Check whether --with-linux-audit was given. +if test "${with_linux_audit+set}" = set; then : + withval=$with_linux_audit; case $with_linux_audit in + yes) $as_echo "#define HAVE_LINUX_AUDIT 1" >>confdefs.h + + SUDO_LIBS="${SUDO_LIBS} -laudit" + SUDO_OBJS="${SUDO_OBJS} linux_audit.o" + ;; + no) ;; + *) as_fn_error "\"--with-linux-audit does not take an argument.\"" "$LINENO" 5 + ;; +esac +fi + + + # Check whether --with-incpath was given. if test "${with_incpath+set}" = set; then : withval=$with_incpath; case $with_incpath in @@ -6539,13 +6557,13 @@ if test "${lt_cv_nm_interface+set}" = set; then : else lt_cv_nm_interface="BSD nm" echo "int some_variable = 0;" > conftest.$ac_ext - (eval echo "\"\$as_me:6542: $ac_compile\"" >&5) + (eval echo "\"\$as_me:6560: $ac_compile\"" >&5) (eval "$ac_compile" 2>conftest.err) cat conftest.err >&5 - (eval echo "\"\$as_me:6545: $NM \\\"conftest.$ac_objext\\\"\"" >&5) + (eval echo "\"\$as_me:6563: $NM \\\"conftest.$ac_objext\\\"\"" >&5) (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out) cat conftest.err >&5 - (eval echo "\"\$as_me:6548: output\"" >&5) + (eval echo "\"\$as_me:6566: output\"" >&5) cat conftest.out >&5 if $GREP 'External.*some_variable' conftest.out > /dev/null; then lt_cv_nm_interface="MS dumpbin" @@ -7750,7 +7768,7 @@ ia64-*-hpux*) ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 7753 "configure"' > conftest.$ac_ext + echo '#line 7771 "configure"' > conftest.$ac_ext if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 (eval $ac_compile) 2>&5 ac_status=$? 
@@ -9143,11 +9161,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9146: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9164: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:9150: \$? = $ac_status" >&5 + echo "$as_me:9168: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -9482,11 +9500,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9485: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9503: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:9489: \$? = $ac_status" >&5 + echo "$as_me:9507: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -9587,11 +9605,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9590: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9608: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:9594: \$? = $ac_status" >&5 + echo "$as_me:9612: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized 
@@ -9642,11 +9660,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9645: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9663: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:9649: \$? = $ac_status" >&5 + echo "$as_me:9667: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -12009,7 +12027,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 12012 "configure" +#line 12030 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -12105,7 +12123,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 12108 "configure" +#line 12126 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -20449,6 +20467,8 @@ fi + + diff --git a/configure.in b/configure.in index 5250b1236..2ad34a48a 100644 --- a/configure.in +++ b/configure.in @@ -234,6 +234,20 @@ AC_ARG_WITH(bsm-audit, [AS_HELP_STRING([--with-bsm-audit], [enable BSM audit sup ;; esac]) +dnl +dnl Handle Linux auditing support. +dnl +AC_ARG_WITH(linux-audit, [AS_HELP_STRING([--with-linux-audit], [enable Linux audit support])], +[case $with_linux_audit in + yes) AC_DEFINE(HAVE_LINUX_AUDIT) + SUDO_LIBS="${SUDO_LIBS} -laudit" + SUDO_OBJS="${SUDO_OBJS} linux_audit.o" + ;; + no) ;; + *) AC_MSG_ERROR(["--with-linux-audit does not take an argument."]) + ;; +esac]) + AC_ARG_WITH(incpath, [AS_HELP_STRING([--with-incpath], [additional places to look for include files])], [case $with_incpath in yes) AC_MSG_ERROR(["must give --with-incpath an argument."]) 
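Review bot: The `yes)` branch defines HAVE_LINUX_AUDIT and appends `-laudit` to SUDO_LIBS without probing for libaudit, so a host without it only fails at link time, late in the build, rather than at configure time. An explicit check before the AC_DEFINE, e.g. `AC_CHECK_HEADER([libaudit.h], [], [AC_MSG_ERROR([libaudit.h is required for --with-linux-audit])])`, reports the missing dependency where the user expects it. The regenerated configure hunks inherit the same gap and would follow from this change.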
@@ -2775,7 +2789,7 @@ AH_TEMPLATE(HAL_INSULTS, [Define to 1 if you want 2001-like insults.]) AH_TEMPLATE(HAVE_AFS, [Define to 1 if you use AFS.]) AH_TEMPLATE(HAVE_AIXAUTH, [Define to 1 if you use AIX general authentication.]) AH_TEMPLATE(HAVE_BSD_AUTH_H, [Define to 1 if you use BSD authentication.]) -AH_TEMPLATE(HAVE_BSM_AUDIT, [Define to 1 to enable BSM auditing.]) +AH_TEMPLATE(HAVE_BSM_AUDIT, [Define to 1 to enable BSM audit support.]) AH_TEMPLATE(HAVE_DCE, [Define to 1 if you use OSF DCE.]) AH_TEMPLATE(HAVE_DD_FD, [Define to 1 if your `DIR' contains dd_fd.]) AH_TEMPLATE(HAVE_DIRFD, [Define to 1 if you have the `dirfd' function or macro.]) @@ -2803,6 +2817,7 @@ AH_TEMPLATE(HAVE_KRB5_INIT_SECURE_CONTEXT, [Define to 1 if you have the `krb5_in AH_TEMPLATE(HAVE_KRB5_VERIFY_USER, [Define to 1 if you have the `krb5_verify_user' function.]) AH_TEMPLATE(HAVE_LBER_H, [Define to 1 if your LDAP needs . (OpenLDAP does not)]) AH_TEMPLATE(HAVE_LDAP, [Define to 1 if you use LDAP for sudoers.]) +AH_TEMPLATE(HAVE_LINUX_AUDIT, [Define to 1 to enable Linux audit support.]) AH_TEMPLATE(HAVE_OPIE, [Define to 1 if you use NRL OPIE.]) AH_TEMPLATE(HAVE_PAM, [Define to 1 if you use PAM authentication.]) AH_TEMPLATE(HAVE_PROJECT_H, [Define to 1 if you have the header file.]) diff --git a/logging.h b/logging.h index e8e5d8b6b..c95423ed4 100644 --- a/logging.h +++ b/logging.h @@ -47,8 +47,8 @@ # define MAXSYSLOGLEN 960 #endif -void audit_success __P((char **)); -void audit_failure __P((char **, char const * const, ...)); +void audit_success __P((char *[])); +void audit_failure __P((char *[], char const * const, ...)); void log_allowed __P((int)); void log_denial __P((int, int)); void log_error __P((int flags, const char *fmt, ...)) diff --git a/selinux.c b/selinux.c index 8bbd6ebb9..d7b47567c 100644 --- a/selinux.c +++ b/selinux.c @@ -36,7 +36,7 @@ #include #include #include -#ifdef WITH_AUDIT +#ifdef HAVE_LINUX_AUDIT #include #endif 
@@ -47,7 +47,7 @@ #include #include "sudo.h" -#include "pathnames.h" +#include "linux_audit.h" static struct selinux_state { security_context_t old_context; @@ -314,6 +314,11 @@ selinux_setup(const char *role, const char *type, const char *ttyn, } #endif +#ifdef HAVE_LINUX_AUDIT + linux_audit_role_change(se_state.old_context, se_state.new_context, + se_state.ttyn); +#endif + rval = 0; done: @@ -335,11 +340,6 @@ selinux_execve(const char *path, char *argv[], char *envp[]) return; } -#ifdef WITH_AUDIT - if (send_audit_message(1, se_state.old_context, se_state.new_context, se_state.ttyn)) - return; -#endif - /* We use the "spare" slot in argv to store sesh. */ --argv; argv[0] = *argv[1] == '-' ? "-sesh" : "sesh";
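Review bot: `#include "linux_audit.h"` replaces `#include "pathnames.h"` unconditionally, whereas audit.c in this patch only includes linux_audit.h under `#ifdef HAVE_LINUX_AUDIT`; guarding it the same way, `#ifdef HAVE_LINUX_AUDIT` / `#include "linux_audit.h"` / `#endif`, keeps a SELinux-only build from depending on the audit header. Dropping pathnames.h is only safe if nothing in selinux.c still uses a macro from it, which I cannot confirm from this hunk.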
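Review bot: The return value of linux_audit_role_change is discarded, so selinux_setup still reports success (`rval = 0`) when the role-change audit record could not be emitted; the code removed from selinux_execve in the last hunk of this file treated a failed send_audit_message as fatal and returned before the exec, and that fail-closed behaviour is lost here. If linux_audit_role_change signals failure through its return value (its definition is not in this patch), something like `if (linux_audit_role_change(se_state.old_context, se_state.new_context, se_state.ttyn) != 0) goto done;` placed before `rval = 0` would preserve it, assuming rval holds an error value above the hunk. selinux_setup's body starts outside the hunk.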