On 09/25/2014 07:07 PM, Michal Židek wrote:
On 08/12/2014 03:13 PM, Michal Židek wrote:
These two patches are initial patches for tickets
https://fedorahosted.org/sssd/ticket/2373
https://fedorahosted.org/sssd/ticket/2372
I will add wrappers for more libaudit functions as
needed in later patches.
As of now, the audit support is not built by default
so you need to run --with-libaudit. I would like to
make it default when we have the above tickets
solved.
Thanks,
Michal
New version of patches attached.
Michal
Rebased and updated patches are attached. There were some
Makefile.am and specfile issues with the previous version.
Michal
>From 2d84800b5f66d5bbc2be3f444e82e959300b2bb2 Mon Sep 17 00:00:00 2001
From: Michal Zidek <mzi...@redhat.com>
Date: Thu, 25 Sep 2014 18:05:02 +0200
Subject: [PATCH 1/2] AUDIT: Add audit support for SSSD
This patch adds helper wrapper macros for audit_open
and audit_log_acct_message.
Part of:
https://fedorahosted.org/sssd/ticket/2373
---
Makefile.am | 13 ++++++++
configure.ac | 5 +++
contrib/sssd.spec.in | 1 +
src/conf_macros.m4 | 16 +++++++++
src/external/libaudit.m4 | 9 +++++
src/tests/dlopen-tests.c | 1 +
src/util/sss_audit.c | 86 ++++++++++++++++++++++++++++++++++++++++++++++++
src/util/sss_audit.h | 46 ++++++++++++++++++++++++++
src/util/util.h | 1 +
9 files changed, 178 insertions(+)
create mode 100644 src/external/libaudit.m4
create mode 100644 src/util/sss_audit.c
create mode 100644 src/util/sss_audit.h
diff --git a/Makefile.am b/Makefile.am
index b85341f..83d1c90 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -510,6 +510,7 @@ dist_noinst_HEADERS = \
src/util/sss_ini.h \
src/util/sss_format.h \
src/util/sss_config.h \
+ src/util/sss_audit.h \
src/util/refcount.h \
src/util/find_uid.h \
src/util/user_info_msg.h \
@@ -653,6 +654,17 @@ endif
#####################
# Utility libraries #
#####################
+pkglib_LTLIBRARIES += libsss_audit.la
+libsss_audit_la_SOURCES = \
+ src/util/sss_audit.c \
+ $(NULL)
+libsss_audit_la_LIBADD = \
+ libsss_debug.la \
+ $(AUDIT_LIBS) \
+ $(NULL)
+libsss_audit_la_LDFLAGS = \
+ -avoid-version
+
pkglib_LTLIBRARIES += libsss_debug.la
libsss_debug_la_SOURCES = \
src/util/debug.c \
@@ -759,6 +771,7 @@ SSSD_INTERNAL_LTLIBS = \
libsss_crypt.la \
libsss_debug.la \
libsss_child.la \
+ libsss_audit.la \
$(NULL)
if BUILD_IFP
diff --git a/configure.ac b/configure.ac
index e5ec204..7828d06 100644
--- a/configure.ac
+++ b/configure.ac
@@ -138,6 +138,7 @@ WITH_NFS
WITH_NFS_LIB_PATH
WITH_LIBWBCLIENT
WITH_SSSD_USER
+WITH_LIBAUDIT
m4_include([src/external/pkg.m4])
m4_include([src/external/libpopt.m4])
@@ -178,6 +179,10 @@ if test x$build_config_lib = xyes; then
m4_include([src/external/libaugeas.m4])
fi
+if test x"$with_libaudit" = xyes; then
+ m4_include([src/external/libaudit.m4])
+fi
+
WITH_UNICODE_LIB
if test x$unicode_lib = xlibunistring; then
m4_include([src/external/libunistring.m4])
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 5bfb167..303d2e1 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -590,6 +590,7 @@ rm -rf $RPM_BUILD_ROOT
%{_libdir}/%{name}/libsss_ldap_common.so
%{_libdir}/%{name}/libsss_util.so
%{_libdir}/%{name}/libsss_semanage.so
+%{_libdir}/%{name}/libsss_audit.so
# 3rd party application libraries
%{_libdir}/sssd/modules/libsss_autofs.so
diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
index fbee81f..1013931 100644
--- a/src/conf_macros.m4
+++ b/src/conf_macros.m4
@@ -701,6 +701,22 @@ AC_DEFUN([WITH_SAMBA],
AM_CONDITIONAL([BUILD_SAMBA], [test x"$with_samba" = xyes])
])
+AC_DEFUN([WITH_LIBAUDIT],
+ [ AC_ARG_WITH([libaudit],
+ [AC_HELP_STRING([--with-libaudit],
+ [Whether to build with libaudit libraries [yes]]
+ )
+ ],
+ [with_libaudit=$withval],
+ [with_libaudit=no]
+ )
+
+ if test x"$with_libaudit" = xyes; then
+ AC_DEFINE(BUILD_LIBAUDIT, 1, [whether to build with libaudit support])
+ fi
+ AM_CONDITIONAL([BUILD_LIBAUDIT], [test x"$with_libaudit" = xyes])
+ ])
+
AC_ARG_ENABLE([dbus-tests],
[AS_HELP_STRING([--enable-dbus-tests],
[enable running tests using a dbus server instance [default=yes]])],
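Review bot: The help text `[Whether to build with libaudit libraries [yes]]` advertises a default of yes, but the macro sets `[with_libaudit=no]` when the option is absent, and the cover letter says audit support is off by default; the string should read `[Whether to build with libaudit libraries [no]]`. The new macro also uses the obsolete `AC_HELP_STRING` while the neighbouring `--enable-dbus-tests` option in the same hunk uses `AS_HELP_STRING`; use `AS_HELP_STRING` for consistency.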
diff --git a/src/external/libaudit.m4 b/src/external/libaudit.m4
new file mode 100644
index 0000000..28bad46
--- /dev/null
+++ b/src/external/libaudit.m4
@@ -0,0 +1,9 @@
+AC_SUBST(AUDIT_LIBS)
+
+AC_CHECK_HEADER([libaudit.h],
+ [AC_CHECK_LIB([audit],
+ [audit_open],
+ [AUDIT_LIBS="-laudit"],
+ [AC_MSG_ERROR([libaudit missing audit_open])], [] )],
+ [AC_MSG_ERROR([libaudit not found. To compile SSSD without libaudit support, run configure with --without-libaudit option.])]
+)
diff --git a/src/tests/dlopen-tests.c b/src/tests/dlopen-tests.c
index 7e56d65..3c591cd 100644
--- a/src/tests/dlopen-tests.c
+++ b/src/tests/dlopen-tests.c
@@ -38,6 +38,7 @@ struct so {
const char *libs[6];
} so[] = {
{ "libsss_debug.so", { LIBPFX"libsss_debug.so", NULL } },
+ { "libsss_audit.so", { LIBPFX"libsss_audit.so", NULL } },
{ "libsss_semanage.so", { LIBPFX"libsss_semanage.so", NULL } },
{ "libipa_hbac.so", { LIBPFX"libipa_hbac.so", NULL } },
{ "libsss_idmap.so", { LIBPFX"libsss_idmap.so", NULL } },
diff --git a/src/util/sss_audit.c b/src/util/sss_audit.c
new file mode 100644
index 0000000..a4a25cd
--- /dev/null
+++ b/src/util/sss_audit.c
@@ -0,0 +1,86 @@
+/*
+ Authors:
+ Michal Zidek <mzi...@redhat.com>
+
+ Copyright (C) 2014 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "src/util/util.h"
+
+#ifdef BUILD_LIBAUDIT
+
+#include <libaudit.h>
+
+int sss_audit_fd;
+
+void sss_audit_init(void)
+{
+ errno_t err;
+
+ sss_audit_fd = audit_open();
+ if (sss_audit_fd == -1) {
+ err = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unable to itialize auditing: [%d]: %s\n",
+ err, strerror(err));
+ }
+}
+
+void sss_audit_acct(int type,
+ const char *op,
+ const char *name,
+ unsigned int id,
+ int result)
+{
+ errno_t ret;
+
+ if (sss_audit_fd == -1) {
+ /* No auditing. */
+ return;
+ } else {
+ ret = audit_log_acct_message(sss_audit_fd,
+ type,
+ NULL, /* program name */
+ op,
+ name,
+ id,
+ NULL, /* host */
+ NULL, /* addr */
+ NULL, /* tty */
+ result);
+ if (ret <= 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "audit_log_acct_message failed\n");
+ }
+ }
+}
+
+#else /*BUILD_LIBAUDIT*/
+
+void sss_audit_init(void)
+{
+ return;
+}
+
+void sss_audit_acct(int type,
+ const char *op,
+ const char *name,
+ unsigned int id,
+ int result)
+{
+ return;
+}
+
+#endif /* BUILD_LIBAUDIT */
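Review bot: `int sss_audit_fd;` at file scope is zero-initialised, so a caller that reaches `sss_audit_acct()` without a prior `sss_audit_init()` passes fd 0 to `audit_log_acct_message()` instead of hitting the `sss_audit_fd == -1` guard; since the header does not export the variable, declare it `static int sss_audit_fd = -1;`. The debug message in `sss_audit_init()` has a typo: `"Unable to itialize auditing: [%d]: %s\n"` should read `"Unable to initialize auditing: [%d]: %s\n"`. In the libaudit versions I know, `audit_log_acct_message()` returns 0 with errno set when the send fails (and also 0 when the kernel has auditing disabled), so the `ret <= 0` branch should record the cause, e.g. `DEBUG(SSSDBG_CRIT_FAILURE, "audit_log_acct_message failed [%d]: %s\n", errno, strerror(errno));`, and `ret` holds an `int` from libaudit rather than an `errno_t`.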
diff --git a/src/util/sss_audit.h b/src/util/sss_audit.h
new file mode 100644
index 0000000..f99c0a1
--- /dev/null
+++ b/src/util/sss_audit.h
@@ -0,0 +1,46 @@
+/*
+ Authors:
+ Michal Zidek <mzi...@redhat.com>
+
+ Copyright (C) 2014 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef _SSS_AUDIT_H_
+#define _SSS_AUDIT_H_
+
+#define SSS_AUDIT_FAILURE 0
+#define SSS_AUDIT_SUCCESS 1
+#define SSS_AUDIT_NO_ID ((unsigned int) -1)
+
+#ifdef BUILD_LIBAUDIT
+#include <libaudit.h>
+#else
+/* Enumerate all libaudit message types that we use across SSSD
+ * for the case when libaudit.h is not available. */
+enum {
+ AUDIT_ADD_USER
+};
+#endif
+
+void sss_audit_init(void);
+
+void sss_audit_acct(int type,
+ const char *op,
+ const char *name,
+ unsigned int id,
+ int result);
+
+#endif /* _SSS_AUDIT_H_ */
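Review bot: The public prototypes carry no documentation: a reader cannot tell from the header what `op`, `name`, `id` and `result` are, that `result` expects `SSS_AUDIT_SUCCESS`/`SSS_AUDIT_FAILURE`, that `SSS_AUDIT_NO_ID` stands for an unknown uid, or that `sss_audit_init()` must run before `sss_audit_acct()` and that both become no-ops when built without libaudit. Add a `/* ... */` block above each prototype covering those points. The fallback `enum { AUDIT_ADD_USER };` gives the constant the value 0, which is unlikely to match the value `<libaudit.h>` defines; a comment such as `/* Placeholder values: the stub sss_audit_acct() discards them, so they must never reach libaudit. */` would stop anyone from relying on them.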
diff --git a/src/util/util.h b/src/util/util.h
index ffc8a87..2cf0bf3 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -50,6 +50,7 @@
#include "util/util_errors.h"
#include "util/util_safealign.h"
#include "util/sss_format.h"
+#include "util/sss_audit.h"
#define _(STRING) gettext (STRING)
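Review bot: Including `util/sss_audit.h` from util.h means every translation unit that includes util.h now also pulls in `<libaudit.h>` when BUILD_LIBAUDIT is set, exposing the whole `AUDIT_*` namespace project-wide for a facility that only the tools use; the header could instead be included explicitly by its users. The second patch already does exactly that with `#include "util/sss_audit.h"` in sss_useradd.c, which this hunk makes redundant, so one of the two includes should go.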
--
1.9.3
>From 60bf61bdd64702e0c6f58ce694bdaefc540bb1b9 Mon Sep 17 00:00:00 2001
From: Michal Zidek <mzi...@redhat.com>
Date: Tue, 12 Aug 2014 08:33:14 -0400
Subject: [PATCH 2/2] AUDIT: audit requirements for sss_useradd
Added audit support for sss_useradd.
Part of:
https://fedorahosted.org/sssd/ticket/2373
---
src/tools/sss_useradd.c | 48 +++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 47 insertions(+), 1 deletion(-)
diff --git a/src/tools/sss_useradd.c b/src/tools/sss_useradd.c
index 8521b83..566d697 100644
--- a/src/tools/sss_useradd.c
+++ b/src/tools/sss_useradd.c
@@ -28,6 +28,7 @@
#include <unistd.h>
#include "util/util.h"
+#include "util/sss_audit.h"
#include "db/sysdb.h"
#include "tools/tools_util.h"
#include "tools/sss_sync_ops.h"
@@ -64,9 +65,12 @@ int main(int argc, const char **argv)
int ret;
errno_t sret;
bool in_transaction = false;
+ bool user_added = false;
debug_prg_name = argv[0];
+ sss_audit_init();
+
ret = set_locale();
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
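Review bot: `sss_audit_init()` returns void, so a failed `audit_open()` is only DEBUG-logged inside the library and the tool carries on producing no audit records at all; main has no way to notice. If the tickets require account changes to be audited whenever libaudit is enabled, have `sss_audit_init()` return an `errno_t` and decide here whether to warn or abort; at minimum the outcome should be reported through ERROR so the operator sees it. main starts before this hunk and continues after it.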
@@ -122,6 +126,8 @@ int main(int argc, const char **argv)
} else {
ERROR("Error initializing the tools\n");
}
+ sss_audit_acct(AUDIT_ADD_USER, "initializing the tools",
+ pc_username, SSS_AUDIT_NO_ID, SSS_AUDIT_FAILURE);
ret = EXIT_FAILURE;
goto fini;
}
@@ -130,6 +136,8 @@ int main(int argc, const char **argv)
ret = parse_name_domain(tctx, pc_username);
if (ret != EOK) {
ERROR("Invalid domain specified in FQDN\n");
+ sss_audit_acct(AUDIT_ADD_USER, "parsing domain",
+ pc_username, SSS_AUDIT_NO_ID, SSS_AUDIT_FAILURE);
ret = EXIT_FAILURE;
goto fini;
}
@@ -140,6 +148,9 @@ int main(int argc, const char **argv)
DEBUG(SSSDBG_CRIT_FAILURE,
"Cannot parse groups to add the user to\n");
ERROR("Internal error while parsing parameters\n");
+ sss_audit_acct(AUDIT_ADD_USER, "parsing groups",
+ tctx->octx->name, SSS_AUDIT_NO_ID,
+ SSS_AUDIT_FAILURE);
ret = EXIT_FAILURE;
goto fini;
}
@@ -149,6 +160,9 @@ int main(int argc, const char **argv)
DEBUG(SSSDBG_CRIT_FAILURE,
"Cannot parse FQDN groups to add the user to\n");
ERROR("Groups must be in the same domain as user\n");
+ sss_audit_acct(AUDIT_ADD_USER, "parsing group domain",
+ tctx->octx->name, SSS_AUDIT_NO_ID,
+ SSS_AUDIT_FAILURE);
ret = EXIT_FAILURE;
goto fini;
}
@@ -157,6 +171,9 @@ int main(int argc, const char **argv)
ret = check_group_names(tctx, tctx->octx->addgroups, &badgroup);
if (ret != EOK) {
ERROR("Cannot find group %1$s in local domain\n", badgroup);
+ sss_audit_acct(AUDIT_ADD_USER, "checking group names",
+ tctx->octx->name, SSS_AUDIT_NO_ID,
+ SSS_AUDIT_FAILURE);
ret = EXIT_FAILURE;
goto fini;
}
@@ -172,6 +189,9 @@ int main(int argc, const char **argv)
pc_create_home, pc_skeldir);
if (ret != EOK) {
ERROR("Cannot set default values\n");
+ sss_audit_acct(AUDIT_ADD_USER, "setting default valuse",
+ tctx->octx->name, tctx->octx->uid, SSS_AUDIT_FAILURE);
+
ret = EXIT_FAILURE;
goto fini;
}
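Review bot: The op string `"setting default valuse"` is misspelled and will end up verbatim in the audit record's op field, where it cannot be corrected afterwards; it should be `"setting default values"`. The call is also followed by a stray blank `+` line before `ret = EXIT_FAILURE;`, which none of the sibling failure paths have. main starts before this hunk and continues after it.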
@@ -179,6 +199,8 @@ int main(int argc, const char **argv)
/* arguments processed, go on to actual work */
if (id_in_range(tctx->octx->uid, tctx->octx->domain) != EOK) {
ERROR("The selected UID is outside the allowed range\n");
+ sss_audit_acct(AUDIT_ADD_USER, "checking if UID is in range",
+ tctx->octx->name, tctx->octx->uid, SSS_AUDIT_FAILURE);
ret = EXIT_FAILURE;
goto fini;
}
@@ -186,6 +208,9 @@ int main(int argc, const char **argv)
tctx->error = sysdb_transaction_start(tctx->sysdb);
if (tctx->error != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
+ sss_audit_acct(AUDIT_ADD_USER, "starting sysdb transaction",
+ tctx->octx->name, tctx->octx->uid, SSS_AUDIT_FAILURE);
+
goto done;
}
in_transaction = true;
@@ -193,12 +218,16 @@ int main(int argc, const char **argv)
/* useradd */
tctx->error = useradd(tctx, tctx->octx);
if (tctx->error) {
+ sss_audit_acct(AUDIT_ADD_USER, "adding user",
+ tctx->octx->name, tctx->octx->uid, SSS_AUDIT_FAILURE);
goto done;
}
tctx->error = sysdb_transaction_commit(tctx->sysdb);
if (tctx->error) {
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n");
+ sss_audit_acct(AUDIT_ADD_USER, "commit transaction",
+ tctx->octx->name, tctx->octx->uid, SSS_AUDIT_FAILURE);
goto done;
}
in_transaction = false;
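Review bot: Once `sysdb_transaction_commit()` succeeds the account exists, but the success record is only emitted from the `if (user_added)` block at the end of the `done:` path, and the post-commit steps (SELinux context, user lookup, home directory, mail spool) `goto fini` on failure and skip it; such a run leaves the audit trail with a failure for e.g. "creating home directory" and no record that the user was actually added. Emit the success record right after `in_transaction = false;`, e.g. `sss_audit_acct(AUDIT_ADD_USER, "adding user", tctx->octx->name, tctx->octx->uid, SSS_AUDIT_SUCCESS);`, and drop the deferred `user_added` flag. main starts before this hunk and continues after it.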
@@ -208,6 +237,8 @@ int main(int argc, const char **argv)
ret = set_seuser(tctx->octx->name, pc_selinux_user, NULL);
if (ret != EOK) {
ERROR("Cannot set SELinux login context\n");
+ sss_audit_acct(AUDIT_ADD_USER, "setting SELinux login context",
+ tctx->octx->name, tctx->octx->uid, SSS_AUDIT_FAILURE);
ret = EXIT_FAILURE;
goto fini;
}
@@ -221,6 +252,9 @@ int main(int argc, const char **argv)
tctx->octx->name,
tctx->octx);
if (ret != EOK) {
+ sss_audit_acct(AUDIT_ADD_USER, "getting user info",
+ tctx->octx->name, tctx->octx->uid,
+ SSS_AUDIT_FAILURE);
ERROR("Cannot get info about the user\n");
ret = EXIT_FAILURE;
goto fini;
@@ -237,6 +271,9 @@ int main(int argc, const char **argv)
"data from skeldir\n");
} else if (ret != EOK) {
ERROR("Cannot create user's home directory: %1$s\n", strerror(ret));
+ sss_audit_acct(AUDIT_ADD_USER, "creating home directory",
+ tctx->octx->name, tctx->octx->uid,
+ SSS_AUDIT_FAILURE);
ret = EXIT_FAILURE;
goto fini;
}
@@ -251,11 +288,16 @@ int main(int argc, const char **argv)
DEBUG(SSSDBG_CRIT_FAILURE,
"Cannot create user's mail spool: [%d][%s].\n",
ret, strerror(ret));
+ sss_audit_acct(AUDIT_ADD_USER, "creating mail spool",
+ tctx->octx->name, tctx->octx->uid,
+ SSS_AUDIT_FAILURE);
ret = EXIT_FAILURE;
goto fini;
}
}
+ user_added = true;
+
done:
if (in_transaction) {
sret = sysdb_transaction_cancel(tctx->sysdb);
@@ -285,7 +327,11 @@ done:
}
ret = EXIT_SUCCESS;
-
+ if (user_added) {
+ sss_audit_acct(AUDIT_ADD_USER, "adding user",
+ tctx->octx->name, tctx->octx->uid,
+ SSS_AUDIT_SUCCESS);
+ }
fini:
poptFreeContext(pc);
talloc_free(tctx);
--
1.9.3