[redhat-lspp] Initial CUPS auditing patch
Janak Desai
janak at us.ibm.com
Thu Aug 18 17:09:36 UTC 2005
Matt,
A couple of minor comments/questions ... inline.
-Janak
Matt Anderson wrote:
> After seeing what Cory and TCS have done I started working on some of
> the other LSPP requirements around printing. Attached is a patch that
> applies on top of Cups 1.2.23 with the TCS patch applied.
>
> Right now the patch is a basic auditing framework with only a few audited
> events such as the classification of the cups daemon, if users are
> allowed to override the banners on the command line, that sort of thing.
> The patch currently uses AUDIT_USER as the message type. This was
> suggested by Steve as a work around while the message types are being
> decided. So far I've only really made Job related messages and Config
> related messages, but I'm sure more will come.
>
> Some sample messages are:
> 'CUPS Config: ClassifyOverride is enabled'
> 'CUPS Config: System wide Classification set to "classified"'
> 'CUPS Config: Setting printer "freecoffee" banners to "secret" "secret"'
> 'CUPS Config: Setting printer "localghost" banners to "topsecret" "none"'
> 'CUPS Job #1: being printed on "freecoffee" with labels "classified"
> "classified"'
>
> One thing I did try to do, but have since removed, is attempt to
> determine if the user specified "-o job_sheets=foo" which is the cups
> way to override the banners. It seems that with a system wide
> classification set this user option is overwritten. Auditing the
> client's end of printing could present some challenges due to the client
> - server nature of cups. One option may be to expand the way cups does
> IPP to include more meta data in the client request, although this is
> not without issues.
>
> Cups does seem to have support for classifications and labels, and this
> patch and the one from TCS improve on those features, but at this point
> I'm concerned that its basic infrastructure isn't right for what we need
> from a strict LSPP perspective. Things like a label translation table
> built-in seems like a feature that Trusted/Labeled printing users would
> like, but doesn't seem like something Cups would want to upstream.
>
> I'm going to be away thru the end of this week, but I wanted to get this
> out for comments. I'll be checking in on my mail, but don't be offended
> if I don't get back to you right away.
>
> -matt
>
>
> ------------------------------------------------------------------------
>
> diff -bur --exclude .svn cups/Makedefs.in cups-audit/Makedefs.in
> --- cups/Makedefs.in 2005-08-16 16:14:54.559365416 -0400
> +++ cups-audit/Makedefs.in 2005-08-16 16:12:44.077201720 -0400
> @@ -85,7 +85,7 @@
>
> ARFLAGS = @ARFLAGS@
> BACKLIBS = @BACKLIBS@
> -CFLAGS = $(RC_CFLAGS) $(SSLFLAGS) -DWITH_SELINUX_MLS @CPPFLAGS@ @CFLAGS@ -I.. $(OPTIONS)
> +CFLAGS = $(RC_CFLAGS) $(SSLFLAGS) -DWITH_SELINUX_MLS -DWITH_AUDIT @CPPFLAGS@ @CFLAGS@ -I.. $(OPTIONS)
> COMMONLIBS = @COMMONLIBS@
> CXXFLAGS = $(RC_CFLAGS) @CPPFLAGS@ @CXXFLAGS@ -I.. $(OPTIONS)
> CXXLIBS = @CXXLIBS@
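Review bot: -DWITH_AUDIT is hard-coded on the CFLAGS line, so every build
defines it and the "#ifdef WITH_AUDIT" guards added elsewhere in this patch
never take the disabled path. Set it from a configure-time check for libaudit,
substituted like the neighbouring @...@ values, so that a build without the
audit library still compiles.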
> diff -bur --exclude .svn cups/scheduler/conf.c cups-audit/scheduler/conf.c
> --- cups/scheduler/conf.c 2005-08-16 13:09:38.133319048 -0400
> +++ cups-audit/scheduler/conf.c 2005-08-16 15:04:16.017721688 -0400
> @@ -50,6 +50,9 @@
> # include <syslog.h>
> #endif /* HAVE_VSYSLOG */
>
> +#ifdef WITH_AUDIT
> +# include <libaudit.h>
> +#endif /* WITH_AUDIT */
>
> /*
> * Possibly missing network definitions...
> @@ -142,6 +145,9 @@
> { "ServerName", &ServerName, VAR_STRING },
> { "ServerRoot", &ServerRoot, VAR_STRING },
> { "TempDir", &TempDir, VAR_STRING },
> +#ifdef WITH_AUDIT
> + { "AuditLog", &AuditLog, VAR_INTEGER },
> +#endif /* WITH_AUDIT */
> { "Timeout", &Timeout, VAR_INTEGER }
> };
> #define NUM_VARS (sizeof(variables) / sizeof(variables[0]))
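Review bot: the new "AuditLog" entry in variables[] exposes &AuditLog as a
VAR_INTEGER directive, but this patch documents AuditLog in conf.h as the
audit file descriptor and assigns it from audit_open() in main.c. A cupsd.conf
line that sets AuditLog would overwrite the descriptor, and later audit_log()
calls would go to whatever number was configured. Drop the table entry, or use
a separate variable if an on/off switch is what is wanted.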
> @@ -387,6 +393,14 @@
>
> cupsFileClose(fp);
>
> +#ifdef WITH_AUDIT
> + /* ClassifyOverride is set during read_cofiguration, if its on, report it now */
> + if (ClassifyOverride)
> + audit_log(AuditLog, AUDIT_USER, "CUPS Config: ClassifyOverride is enabled");
> + else
> + audit_log(AuditLog, AUDIT_USER, "CUPS Config: ClassifyOverride is disabled");
> +#endif /* WITH_AUDIT */
> +
Is it possible to make the message a little more explanatory? That is, what does
it mean when the ClassifyOverride flag is set or unset?
> if (!status)
> return (0);
>
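Review bot: the ClassifyOverride record is written before the
"if (!status) return (0);" check that follows it, so it is emitted even on
the path that returns 0 straight afterwards. Move the block below that check
if only a configuration that passed it should be audited. The comment says
"if its on, report it now" while the code logs both states; update the
comment to match.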
> @@ -569,7 +583,13 @@
> ClearString(&Classification);
>
> if (Classification)
> + {
> LogMessage(L_INFO, "Security set to \"%s\"", Classification);
> +#ifdef WITH_AUDIT
> + audit_log(AuditLog, AUDIT_USER, "CUPS Config: System wide Classification set to \"%s\"",
> + Classification);
> +#endif /* WITH_AUDIT */
> + }
>
> /*
> * Update the MaxClientsPerHost value, as needed...
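Review bot: only the "if (Classification)" branch is audited, so a
configuration that leaves the system without a classification produces no
record at all, unlike ClassifyOverride, which is logged in both states. Add an
else branch that records that no system-wide classification is set.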
> diff -bur --exclude .svn cups/scheduler/conf.h cups-audit/scheduler/conf.h
> --- cups/scheduler/conf.h 2005-08-16 13:09:38.137318440 -0400
> +++ cups-audit/scheduler/conf.h 2005-08-11 18:05:27.000000000 -0400
> @@ -167,6 +167,10 @@
> /* Number of MIME types */
> VAR const char **MimeTypes VALUE(NULL);
> /* Array of MIME types */
> +#ifdef WITH_AUDIT
> +VAR int AuditLog VALUE(-1);
> + /* File descriptor for audit */
> +#endif /* WITH_AUDIT */
>
> #ifdef HAVE_SSL
> VAR char *ServerCertificate VALUE(NULL);
> diff -bur --exclude .svn cups/scheduler/job.c cups-audit/scheduler/job.c
> --- cups/scheduler/job.c 2005-08-16 13:09:38.150316464 -0400
> +++ cups-audit/scheduler/job.c 2005-08-16 15:37:43.372557368 -0400
> @@ -69,6 +69,10 @@
> #include <selinux/selinux.h>
> #endif /* WITH_SELINUX_MLS */
>
> +#ifdef WITH_AUDIT
> +#include <libaudit.h>
> +#endif /* WITH_AUDIT */
> +
> /*
> * Local globals...
> */
> @@ -874,6 +878,10 @@
>
> if ((attr = ippFindAttribute(current->attrs, "job-printer-uri", IPP_TAG_URI)) != NULL)
> {
> +#ifdef WITH_AUDIT
> + audit_log(AuditLog, AUDIT_USER, "CUPS Job #%d: Changing destination from \"%s\" to \"%s\"",
> + id, attr->values[0].string.text, p->uri);
> +#endif /* WITH_AUDIT */
> free(attr->values[0].string.text);
> attr->values[0].string.text = strdup(p->uri);
> }
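Review bot: the destination-change record carries the job id and the two URIs
but no subject, so the audit trail shows that the job was moved without
showing who requested it. If the requesting user is available at this point,
add it to the message.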
> @@ -1425,6 +1433,10 @@
> if ((current->job_sheets =
> ippFindAttribute(current->attrs, "job-sheets", IPP_TAG_ZERO)) != NULL)
> LogMessage(L_DEBUG, "... but someone added one without setting job_sheets!");
> +#ifdef WITH_AUDIT
> + audit_log(AuditLog, AUDIT_USER, "CUPS Job #%d: printing on \"%s\" without any banners",
> + id, printer->name);
> +#endif /* WITH_AUDIT */
> }
> else if (current->job_sheets->num_values == 1)
> LogMessage(L_DEBUG, "job-sheets=%s",
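Review bot: the added audit_log() sits after the brace-less
"if (... != NULL) LogMessage(...)" statement, so it runs on both outcomes of
that test, including the one where a job-sheets attribute was found ("someone
added one without setting job_sheets"). In that case the "without any
banners" record may not describe what is printed. Put the call in an else
branch, or add braces and log a different message when the attribute exists.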
> @@ -1812,6 +1824,10 @@
> snprintf(classification, sizeof(classification), "CLASSIFICATION=%s",
> mls_label);
> envp[envc ++] = classification;
> +#ifdef WITH_AUDIT
> + audit_log(AuditLog, AUDIT_USER, "CUPS Job #%d: being printed on \"%s\" with label \"%s\"",
> + id, printer->name, mls_label);
> +#endif /* WITH_AUDIT */
This audit record is created when the job is submitted. Is it possible that
on the filter side, the CLASSIFICATION environment variable can be
changed/overridden/deleted in such a way that affects the actual labels
that come out on pages?
> }
> #else
> if (Classification && !banner_page)
> @@ -1829,6 +1845,10 @@
> attr->values[0].string.text);
>
> envp[envc ++] = classification;
> +#ifdef WITH_AUDIT
> + audit_log(AuditLog, AUDIT_USER, "CUPS Job #%d: being printed on \"%s\" with labels \"%s\" \"%s\"",
> + id, printer->name, attr->values[0].string.text, attr->values[1].string.text);
> +#endif /* WITH_AUDIT */
> }
> #endif /* WITH_SELINUX_MLS */
>
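Review bot: the new call reads attr->values[1].string.text, while the
surrounding code in this hunk only uses values[0], and the earlier job.c hunk
shows that job-sheets can have num_values == 1. Check attr->num_values before
dereferencing the second value and log a placeholder such as "none" when it
is absent.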
> diff -bur --exclude .svn cups/scheduler/main.c cups-audit/scheduler/main.c
> --- cups/scheduler/main.c 2005-08-16 13:09:38.154315856 -0400
> +++ cups-audit/scheduler/main.c 2005-08-11 17:47:31.000000000 -0400
> @@ -55,6 +55,9 @@
> # include <malloc.h>
> #endif /* HAVE_MALLOC_H && HAVE_MALLINFO */
>
> +#ifdef WITH_AUDIT
> +#include <libaudit.h>
> +#endif /* WITH_AUDIT */
>
> /*
> * Local functions...
> @@ -177,6 +180,10 @@
> if (!ConfigurationFile)
> SetString(&ConfigurationFile, CUPS_SERVERROOT "/cupsd.conf");
>
> +#ifdef WITH_AUDIT
> + AuditLog = audit_open();
> +#endif /* WITH_AUDIT */
> +
> /*
> * If the user hasn't specified "-f", run in the background...
> */
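Review bot: the return value of audit_open() is stored in AuditLog without a
check. If the open fails, every later audit_log(AuditLog, ...) call is made on
an invalid descriptor and the daemon keeps running with no audit trail. Test
the result here and at least log the failure; for an LSPP configuration,
refusing to start is probably the right response.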
> @@ -786,6 +793,10 @@
> free(input);
> free(output);
>
> +#ifdef WITH_AUDIT
> + audit_close(AuditLog);
> +#endif /* WITH_AUDIT */
> +
> return (!stop_scheduler);
> }
>
> diff -bur --exclude .svn cups/scheduler/Makefile cups-audit/scheduler/Makefile
> --- cups/scheduler/Makefile 2005-08-16 13:09:38.140317984 -0400
> +++ cups-audit/scheduler/Makefile 2005-08-15 17:45:08.305147448 -0400
> @@ -82,7 +82,7 @@
> echo Linking $@...
> $(CC) $(LDFLAGS) -o cupsd $(CUPSDOBJS) libmime.a \
> $(LIBZ) $(SSLLIBS) $(LIBSLP) $(PAMLIBS) $(LIBS) \
> - $(LIBPAPER) $(LIBMALLOC) -lselinux
> + $(LIBPAPER) $(LIBMALLOC) -lselinux -laudit
>
>
> #
> diff -bur --exclude .svn cups/scheduler/printers.c cups-audit/scheduler/printers.c
> --- cups/scheduler/printers.c 2005-08-16 13:09:38.144317376 -0400
> +++ cups-audit/scheduler/printers.c 2005-08-16 15:10:19.226505560 -0400
> @@ -56,6 +56,9 @@
>
> #include "cupsd.h"
>
> +#ifdef WITH_AUDIT
> +#include <libaudit.h>
> +#endif
>
> /*
> * Local functions...
> @@ -1275,6 +1278,11 @@
> attr->values[1].string.text = strdup(Classification ?
> Classification : p->job_sheets[1]);
> }
> +
> +#ifdef WITH_AUDIT
> + audit_log(AuditLog, AUDIT_USER, "CUPS Config: Setting printer \"%s\" banners to \"%s\" \"%s\"",
> + p->name, p->job_sheets[0], p->job_sheets[1]);
> +#endif /* WITH_AUDIT */
> }
>
> printer_type = p->type;
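Review bot: the record logs p->job_sheets[0] and p->job_sheets[1], but the
context lines just above set the advertised value from
"Classification ? Classification : p->job_sheets[1]". When a system-wide
Classification is set, the audited banners can differ from the ones actually
in effect. Log the values that were stored in attr->values[] instead.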
>
>
>
> ------------------------------------------------------------------------
>