rpms/gdm/devel gdm-2.8.0.4-audit-login.patch, NONE, 1.1 gdm.spec, 1.97, 1.98
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Mon Oct 17 21:18:49 UTC 2005
Author: sgrubb
Update of /cvs/dist/rpms/gdm/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv17307
Modified Files:
gdm.spec
Added Files:
gdm-2.8.0.4-audit-login.patch
Log Message:
* Mon Oct 17 2005 Steve Grubb <sgrubb at redhat.com> 1:2.8.0.4-6
- add login audit patch (bug 170569)
gdm-2.8.0.4-audit-login.patch:
configure.in | 22 ++++++++++++++++
daemon/verify-pam.c | 70 ++++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 92 insertions(+)
--- NEW FILE gdm-2.8.0.4-audit-login.patch ---
diff -urp gdm-2.8.0.4.orig/configure.in gdm-2.8.0.4/configure.in
--- gdm-2.8.0.4.orig/configure.in 2005-10-17 14:01:04.000000000 -0400
+++ gdm-2.8.0.4/configure.in 2005-10-17 16:26:03.000000000 -0400
@@ -69,6 +69,10 @@ AC_ARG_WITH(dmx,
AC_ARG_WITH(selinux, [ --with-selinux Add SELinux support])
+AC_ARG_WITH(libaudit,
+ [ --with-libaudit=[auto/yes/no] Add Linux audit support [default=auto]],,
+ with_libaudit=auto)
+
withval=""
AC_ARG_WITH(post-path,
[ --with-post-path=<PATH> add PATH to end of user's PATH when logging in],[
@@ -857,6 +861,24 @@ else
AC_MSG_RESULT(no)
fi
+# Check for Linux auditing API
+#
+# libaudit detection
+if test x$with_libaudit = xno ; then
+ have_libaudit=no;
+else
+ # See if we have audit daemon library
+ AC_CHECK_LIB(audit, audit_log_user_message,
+ have_libaudit=yes, have_libaudit=no)
+fi
+
+AM_CONDITIONAL(HAVE_LIBAUDIT, test x$have_libaudit = xyes)
+
+if test x$have_libaudit = xyes ; then
+ EXTRA_DAEMON_LIBS="$EXTRA_DAEMON_LIBS -laudit"
+ AC_DEFINE(HAVE_LIBAUDIT,1,[linux audit support])
+fi
+
# Check for Solaris auditing API
# Note, Solaris auditing not supported for Solaris 9 or earlier and
# should not be used on these versions of Solaris if auditing is
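Review bot: An explicit `--with-libaudit=yes` goes through the same `else` branch as `auto`, so when `AC_CHECK_LIB(audit, audit_log_user_message, ...)` fails, `have_libaudit` is set to `no` and the daemon is built without login auditing, with no configure error. For a security control the explicit request should fail loudly, e.g. after the check: `if test "x$with_libaudit" = xyes && test "x$have_libaudit" = xno; then AC_MSG_ERROR([libaudit requested but not found]); fi`. The check also probes only the library and not `libaudit.h`, which verify-pam.c includes under `HAVE_LIBAUDIT`. The `test x$with_libaudit` comparisons would be safer with the operand quoted.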
diff -urp gdm-2.8.0.4.orig/daemon/verify-pam.c gdm-2.8.0.4/daemon/verify-pam.c
--- gdm-2.8.0.4.orig/daemon/verify-pam.c 2005-10-17 14:01:04.000000000 -0400
+++ gdm-2.8.0.4/daemon/verify-pam.c 2005-10-17 16:28:16.000000000 -0400
@@ -46,6 +46,14 @@
#include <bsm/adt_event.h>
#endif /* HAVE_ADT */
+#define AU_FAILED 0
+#define AU_SUCCESS 1
+#ifdef HAVE_LIBAUDIT
+#include <libaudit.h>
+#else
+#define log_to_audit_system(l,h,d,s) do { ; } while (0)
+#endif
+
/* Configuration option variables */
extern gboolean GdmAllowRoot;
extern gboolean GdmAllowRemoteRoot;
@@ -698,6 +706,53 @@ create_pamh (GdmDisplay *d,
return TRUE;
}
+/**
+ * log_to_audit_system:
+ * @login: Name of user
+ * @hostname: Name of host machine
+ * @tty: Name of display
+ * @success: 1 for success, 0 for failure
+ *
+ * Logs the success or failure of the login attempt with the linux kernel
+ * audit system. The intent is to capture failed events where the user
+ * fails authentication or otherwise is not permitted to login. There are
+ * many other places where pam could potentially fail and cause login to
+ * fail, but these are system failures rather than the signs of an account
+ * being hacked.
+ *
+ * Returns nothing.
+ */
+
+#ifdef HAVE_LIBAUDIT
+static void
+log_to_audit_system(const char *login,
+ const char *hostname,
+ const char *tty,
+ gboolean success)
+{
+ struct passwd *pw;
+ char buf[64];
+ int audit_fd;
+
+ audit_fd = audit_open();
+ if (login)
+ pw = getpwnam(login);
+ else {
+ login = "unknown";
+ pw = NULL;
+ }
+ if (pw) {
+ snprintf(buf, sizeof(buf), "uid=%d", pw->pw_uid);
+ audit_log_user_message(audit_fd, AUDIT_USER_LOGIN,
+ buf, hostname, NULL, tty, (int)success);
+ } else {
+ snprintf(buf, sizeof(buf), "acct=%s", login);
+ audit_log_user_message(audit_fd, AUDIT_USER_LOGIN,
+ buf, hostname, NULL, tty, (int)success);
+ }
+ close(audit_fd);
+}
+#endif
/**
* gdm_verify_user:
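Review bot: `log_to_audit_system` uses the result of `audit_open()` unchecked, so when the audit socket cannot be opened a negative descriptor is passed to `audit_log_user_message()` and then to `close()`, and the login event is lost without any trace. `pw->pw_uid` is a `uid_t` but is printed with `%d`; cast it and use `%u`. In the `acct=%s` branch `login` is the name supplied at the greeter and is copied unescaped into a 64-byte fragment, so spaces or `=` in it can read as extra fields to anything parsing the record, and long names are truncated; encode or restrict it before logging (later libaudit releases provide `audit_log_acct_message()` for this, if it is available at the required version). The return value of `audit_log_user_message()` is ignored as well, so a failed write goes unnoticed. A sketch of the descriptor check and the format fix follows.

```c
/* … unchanged: log_to_audit_system signature, buf and audit_fd declarations … */
	struct passwd *pw = NULL;

	audit_fd = audit_open();
	if (audit_fd < 0) {
		/* No audit socket: nothing to write to or close. Consider
		 * gdm_error() here unless errno shows the kernel simply has
		 * no audit support. */
		return;
	}

	if (login)
		pw = getpwnam(login);
	else
		login = "unknown";

	if (pw) {
		/* uid_t is unsigned; match the conversion to the type */
		snprintf(buf, sizeof(buf), "uid=%u", (unsigned int) pw->pw_uid);
	} else {
		/* login is greeter input: encode or restrict it before this point */
		snprintf(buf, sizeof(buf), "acct=%s", login);
	}

	/* single call site instead of one per branch */
	audit_log_user_message(audit_fd, AUDIT_USER_LOGIN,
			       buf, hostname, NULL, tty, (int)success);
	close(audit_fd);
```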
@@ -799,6 +854,9 @@ authenticate_again:
gdm_verify_select_user (NULL);
/* Start authentication session */
if ((pamerr = pam_authenticate (pamh, null_tok)) != PAM_SUCCESS) {
+ /* Log the failed login attempt */
+ log_to_audit_system(tmp_PAM_USER, d->hostname, display, AU_FAILED);
+
if ( ! ve_string_empty (selected_user)) {
pam_handle_t *tmp_pamh;
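Review bot: The name passed to the audit record on this path is `tmp_PAM_USER`, presumably the string collected from the greeter's user prompt before any validation, and `log_to_audit_system` writes it verbatim as `acct=` when `getpwnam()` does not resolve it. A password typed into the user field by mistake would then be stored in clear text in the audit log; logging a fixed placeholder for names that do not resolve avoids that. The assignment of `tmp_PAM_USER` is outside the hunk, so confirm it cannot still hold the name from an earlier pass through `authenticate_again`, given that every other call site passes `login`. The enclosing function starts and ends outside the hunk.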
@@ -879,6 +937,8 @@ authenticate_again:
( ! GdmAllowRemoteRoot && ! local) ) &&
pwent != NULL &&
pwent->pw_uid == 0) {
+ /* Log the failed login attempt */
+ log_to_audit_system(login, d->hostname, display, AU_FAILED);
gdm_error (_("Root login disallowed on display '%s'"),
display);
gdm_slave_greeter_ctl_no_ret (GDM_ERRBOX,
@@ -906,6 +966,8 @@ authenticate_again:
break;
case PAM_NEW_AUTHTOK_REQD :
if ((pamerr = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK)) != PAM_SUCCESS) {
+ /* Log the failed login attempt */
+ log_to_audit_system(login, d->hostname, display, AU_FAILED);
gdm_error (_("Authentication token change failed for user %s"), login);
gdm_slave_greeter_ctl_no_ret (GDM_ERRBOX,
_("\nThe change of the authentication token failed. "
@@ -923,18 +985,24 @@ authenticate_again:
#endif /* HAVE_ADT */
break;
case PAM_ACCT_EXPIRED :
+ /* Log the failed login attempt */
+ log_to_audit_system(login, d->hostname, display, AU_FAILED);
gdm_error (_("User %s no longer permitted to access the system"), login);
gdm_slave_greeter_ctl_no_ret (GDM_ERRBOX,
_("\nThe system administrator has disabled your account."));
error_msg_given = TRUE;
goto pamerr;
case PAM_PERM_DENIED :
+ /* Log the failed login attempt */
+ log_to_audit_system(login, d->hostname, display, AU_FAILED);
gdm_error (_("User %s not permitted to gain access at this time"), login);
gdm_slave_greeter_ctl_no_ret (GDM_ERRBOX,
_("\nThe system administrator has disabled access to the system temporarily."));
error_msg_given = TRUE;
goto pamerr;
default :
+ /* Log the failed login attempt */
+ log_to_audit_system(login, d->hostname, display, AU_FAILED);
if (gdm_slave_action_pending ())
gdm_error (_("Couldn't set acct. mgmt for %s"), login);
goto pamerr;
@@ -981,6 +1049,8 @@ authenticate_again:
gdm_error (_("Couldn't open session for %s"), login);
goto pamerr;
}
+ /* Login succeeded */
+ log_to_audit_system(login, d->hostname, display, AU_SUCCESS);
/* Workaround to avoid gdm messages being logged as PAM_pwdb */
closelog ();
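Review bot: The branch just above the new success call (`Couldn't open session for %s` followed by `goto pamerr`) gets no `AU_FAILED` call, so an attempt that authenticated and was then refused at session setup leaves neither a success nor a failure record. The doc comment on `log_to_audit_system` treats such cases as system failures, but session modules can also enforce policy, so consider adding `log_to_audit_system(login, d->hostname, display, AU_FAILED);` before that `goto pamerr`. Alternatively, emit the failure once at the `pamerr` label instead of repeating the same two lines at each of the six `AU_FAILED` call sites in this patch, which would also cover paths added later. The `pamerr` label and the opening of the `if` are outside the hunk.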
Index: gdm.spec
===================================================================
RCS file: /cvs/dist/rpms/gdm/devel/gdm.spec,v
retrieving revision 1.97
retrieving revision 1.98
diff -u -r1.97 -r1.98
--- gdm.spec 17 Oct 2005 15:33:42 -0000 1.97
+++ gdm.spec 17 Oct 2005 21:18:41 -0000 1.98
@@ -1,4 +1,5 @@
%define libselinuxver 1.27.7
+%define libauditver 1.0.6
%define pango_version 1.2.0
%define gtk2_version 2.6.0
%define libglade2_version 2.0.0
@@ -14,7 +15,7 @@
Summary: The GNOME Display Manager.
Name: gdm
Version: 2.8.0.4
-Release: 5
+Release: 6
Epoch: 1
License: LGPL/GPL
Group: User Interface/X
@@ -39,6 +40,7 @@
Patch13: gdm-2.8.0.2-prune-lang-list.patch
Patch14: gdm-2.8.0.2-hide-throbber.patch
Patch15: gdm-2.8.0.4-clean-up-leaks.patch
+Patch16: gdm-2.8.0.4-audit-login.patch
BuildRoot: %{_tmppath}/gdm-%{PACKAGE_VERSION}-root
@@ -78,7 +80,9 @@
BuildRequires: libattr-devel
BuildRequires: gettext
BuildRequires: libselinux-devel >= %{libselinuxver}
+BuildRequires: audit-libs-devel >= %{libauditver}
Requires: libselinux >= %{libselinuxver}
+Requires: audit-libs >= %{libauditver}
%description
Gdm (the GNOME Display Manager) is a highly configurable
@@ -92,7 +96,6 @@
%patch1 -p1 -b .change-defaults
%patch2 -p1 -b .add-pam-timestamp-module
%patch3 -p1 -b .fix-selinux-check
-exit
%patch4 -p1 -b .session-errors-in-tmp
%patch5 -p1 -b .update-switchdesk-location
##%patch6 -p1 -b .wait-for-bootup
@@ -105,6 +108,7 @@
%patch13 -p1 -b .prune-lang-list
%patch14 -p1 -b .hide-throbber
%patch15 -p1 -b .clean-up-leaks
+%patch16 -p1 -b .audit-login
# fix the time format for ja
perl -pi -e "s|^msgstr \"%a %b %d, %H:%M\"|msgstr \"%m/%d \(%a\) %H:%M\"|; s|^msgstr \"%a %b %d, %I:%M %p\"|msgstr \"%m/%d \(%a\) %p %I:%M\"|" po/ja.po
@@ -266,6 +270,9 @@
%attr(1770, root, gdm) %dir %{_localstatedir}/gdm
%changelog
+* Mon Oct 17 2005 Steve Grubb <sgrubb at redhat.com> 1:2.8.0.4-6
+- add login audit patch (bug 170569)
+
* Mon Oct 17 2005 Ray Strode <rstrode at redhat.com> 1:2.8.0.4-5
- bump redhat-artwork requirement to get rid of the boot
throbber for now, since it seems to have reappeared