Overview

File kdm-audit-log.diff of Package kdebase3

Index: kdm/backend/client.c
===================================================================
--- kdm/backend/client.c	(Revision 662873)
+++ kdm/backend/client.c	(Arbeitskopie)
@@ -82,6 +82,14 @@
 # include <time.h>
 #endif /* USE_PAM || _AIX */
 
+#define  AU_FAILED 0
+#define  AU_SUCCESS 1
+#ifdef HAVE_LIBAUDIT
+#include <libaudit.h>
+#else
+#define log_to_audit_system(l,h,d,s)	do { ; } while (0)
+#endif
+
 /*
  * Session data, mostly what struct verify_info was for
  */
@@ -286,6 +294,56 @@
 {}
 # endif
 
+ /**
+ * log_to_audit_system:
+ * @login: Name of user
+ * @hostname: Name of host machine
+ * @tty: Name of display 
+ * @success: 1 for success, 0 for failure
+ *
+ * Logs the success or failure of the login attempt with the linux kernel
+ * audit system. The intent is to capture failed events where the user
+ * fails authentication or otherwise is not permitted to login. There are
+ * many other places where pam could potentially fail and cause login to 
+ * fail, but these are system failures rather than the signs of an account
+ * being hacked.
+ *
+ * Returns nothing.
+ */
+
+#ifdef HAVE_LIBAUDIT
+static void 
+log_to_audit_system (const char *loginname,
+		     const char *hostname,
+		     const char *tty,
+		     int success)
+{
+	struct passwd *pw;
+	char buf[64];
+	int audit_fd;
+
+	audit_fd = audit_open();
+	if (loginname)
+		pw = getpwnam(loginname);
+	else {
+		loginname = "unknown";
+		pw = NULL;
+	}
+	Debug("log_to_audit %p %s\n", pw, loginname);
+
+	if (pw) {
+		snprintf(buf, sizeof(buf), "uid=%d", pw->pw_uid);
+		audit_log_user_message(audit_fd, AUDIT_USER_LOGIN,
+			buf, hostname, NULL, tty, (int)success);
+	} else {
+		snprintf(buf, sizeof(buf), "acct=%s", loginname);
+		audit_log_user_message(audit_fd, AUDIT_USER_LOGIN,
+			buf, hostname, NULL, tty, (int)success);
+	}
+	close(audit_fd);
+}
+#endif
+
 static int
 doPAMAuth( const char *psrv, struct pam_data *pdata )
 {
@@ -344,6 +402,8 @@
 		GSendStr( curuser );
 	}
 	if (pretc != PAM_SUCCESS) {
+	        /* Log the failed login attempt */
+	        log_to_audit_system (curuser, td->remoteHost, td->name, AU_FAILED);
 		switch (pretc) {
 		case PAM_USER_UNKNOWN:
 		case PAM_AUTH_ERR:
@@ -678,6 +738,8 @@
 	if (!p->pw_uid) {
 		if (!rootok && !td->allowRootLogin)
 			V_RET_FAIL( "Root logins are not allowed" );
+		/* Log the failed login attempt */
+		log_to_audit_system (curuser, td->remoteHost, td->name, AU_FAILED);
 		return 1; /* don't deny root to log in */
 	}
 
@@ -714,6 +776,8 @@
 			}
 			if (pretc == PAM_SUCCESS)
 				break;
+			/* Log the failed login attempt */
+			log_to_audit_system (curuser, td->remoteHost, td->name, AU_FAILED);
 			/* effectively there is only PAM_AUTHTOK_ERR */
 			GSendInt( V_FAIL );
 		}
@@ -803,6 +867,8 @@
 				GSendInt( V_MSG_ERR );
 				GSendStr( "Your account has expired;"
 				          " please contact your system administrator" );
+				/* Log the failed login attempt */
+				log_to_audit_system (curuser, td->remoteHost, td->name, AU_FAILED);
 				GSendInt( V_FAIL );
 				LC_RET0;
 			} else if (tim > (expir - warntime) && !quietlog) {
@@ -837,6 +903,8 @@
 				GSendInt( V_MSG_ERR );
 				GSendStr( "Your account has expired;"
 				          " please contact your system administrator" );
+				/* Log the failed login attempt */
+				log_to_audit_system (curuser, td->remoteHost, td->name, AU_FAILED);
 				GSendInt( V_FAIL );
 				LC_RET0;
 			}
@@ -896,6 +964,8 @@
 			close( fd );
 		}
 		GSendStr( "Logins are not allowed at the moment.\nTry again later" );
+		/* Log the failed login attempt */
+		log_to_audit_system (curuser, td->remoteHost, td->name, AU_FAILED);
 		GSendInt( V_FAIL );
 		LC_RET0;
 	}
@@ -906,6 +976,8 @@
 		PrepErrorGreet();
 		GSendInt( V_MSG_ERR );
 		GSendStr( "You are not allowed to login at the moment" );
+		/* Log the failed login attempt */
+		log_to_audit_system (curuser, td->remoteHost, td->name, AU_FAILED);
 		GSendInt( V_FAIL );
 		LC_RET0;
 	}
@@ -917,6 +989,8 @@
 			Debug( "shell not in /etc/shells\n" );
 			endusershell();
 			V_RET_FAIL( "Your login shell is not listed in /etc/shells" );
+			/* Log the failed login attempt */
+			log_to_audit_system (curuser, td->remoteHost, td->name, AU_FAILED);
 		}
 		if (!strcmp( s, p->pw_shell )) {
 			endusershell();
@@ -1326,6 +1400,9 @@
 # define D_LOGIN_SETGROUP 0
 #endif /* USE_PAM */
 
+	/* Login succeeded */
+	log_to_audit_system (curuser, td->remoteHost, td->name, AU_SUCCESS);
+
 	removeAuth = 1;
 	chownCtrl( &td->ctrl, curuid );
 	endpwent();
Index: kdm/configure.in.in
===================================================================
--- kdm/configure.in.in	(Revision 662873)
+++ kdm/configure.in.in	(Arbeitskopie)
@@ -241,3 +241,27 @@
 fi
 
 dnl AC_OUTPUT(kdm/kfrontend/sessions/kde.desktop)
+
+
+AC_ARG_WITH(libaudit,
+  [  --with-libaudit=[auto/yes/no]  Add Linux audit support [default=auto]],,
+  with_libaudit=auto)
+
+# Check for Linux auditing API
+#
+# libaudit detection
+if test x$with_libaudit = xno ; then
+    have_libaudit=no;
+else
+    # See if we have audit daemon library
+    AC_CHECK_LIB(audit, audit_log_user_message,
+                 have_libaudit=yes, have_libaudit=no)
+fi
+
+AM_CONDITIONAL(HAVE_LIBAUDIT, test x$have_libaudit = xyes)
+
+if test x$have_libaudit = xyes ; then
+    EXTRA_DAEMON_LIBS="$EXTRA_DAEMON_LIBS -laudit"
+    AC_DEFINE(HAVE_LIBAUDIT,1,[linux audit support])
+fi
+
openSUSE Build Service is sponsored by
Places