<div dir="ltr"><div>Hi Steve,<br><br></div>We already have libaudit support, see:<br><a href="https://bugs.launchpad.net/bugs/1478087">https://bugs.launchpad.net/bugs/1478087</a><br></div><br><div class="gmail_quote"><div dir="ltr">On Fri, 4 Dec 2015 at 09:39 Steve Grubb <<a href="mailto:sgrubb@redhat.com">sgrubb@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello,<br>
<br>
In order to correctly audit a user's session, the audit utilities need system<br>
entry points to send an audit event that summarizes if an interactive session<br>
will be allowed. For reference, the expectations are listed here:<br>
<br>
<a href="http://people.redhat.com/sgrubb/audit/user-login-lifecycle.txt" rel="noreferrer" target="_blank">http://people.redhat.com/sgrubb/audit/user-login-lifecycle.txt</a><br>
<br>
The patch below adds the sending of this event to lightdm. I have tested it as<br>
applied to lightdm 1.10.5, and it seems to be working. In the process I found<br>
something odd with pam and I'll describe that in a separate email thread.<br>
<br>
Signed-off-by: "Steve Grubb" <<a href="mailto:sgrubb@redhat.com" target="_blank">sgrubb@redhat.com</a>><br>
<br>
<br>
<br>
<br>
diff -urp lightdm-1.10.5.orig/<a href="http://configure.ac" rel="noreferrer" target="_blank">configure.ac</a> lightdm-1.10.5/<a href="http://configure.ac" rel="noreferrer" target="_blank">configure.ac</a><br>
--- lightdm-1.10.5.orig/<a href="http://configure.ac" rel="noreferrer" target="_blank">configure.ac</a> 2015-11-13 19:13:06.000000000 -0500<br>
+++ lightdm-1.10.5/<a href="http://configure.ac" rel="noreferrer" target="_blank">configure.ac</a> 2015-11-21 11:19:19.355321264 -0500<br>
@@ -190,6 +190,26 @@ AC_ARG_WITH(greeter-user,<br>
AC_SUBST(GREETER_USER)<br>
AC_DEFINE_UNQUOTED(GREETER_USER, "$GREETER_USER", User to run greeter as)<br>
<br>
+AC_ARG_WITH([audit],<br>
+ AS_HELP_STRING([--with-audit], [compile with audit support]),<br>
+ [], [with_audit=no]<br>
+)<br>
+<br>
+if test x$with_audit = xno ; then<br>
+ have_audit=no;<br>
+else<br>
+ AC_CHECK_LIB(audit, audit_log_user_message,<br>
+ have_audit=yes, have_audit=no)<br>
+ AS_CASE([$with_audit:$have_audit],<br>
+ [yes:no],<br>
+ [AC_MSG_ERROR([Audit selected but libaudit not found (or does not support audit_log_user_message())])]<br>
+ )<br>
+ if test x$have_audit = xyes ; then<br>
+ AC_DEFINE(WITH_AUDIT,1,[Define if you want to send login events to the audit system.])<br>
+ fi<br>
+fi<br>
+AM_CONDITIONAL(HAVE_AUDIT, test x$have_audit = xyes)<br>
+<br>
dnl ###########################################################################<br>
dnl Documentation<br>
dnl ###########################################################################<br>
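Review bot: The library probe tests for a symbol the patch never calls: AC_CHECK_LIB looks for audit_log_user_message, while session-child.c links audit_open() and audit_log_acct_message(), and the AC_MSG_ERROR text repeats the wrong name. Probe for the function actually used, `AC_CHECK_LIB(audit, audit_log_acct_message, have_audit=yes, have_audit=no)`, and change the message to `Audit selected but libaudit not found (or does not support audit_log_acct_message())`, so a libaudit too old to have the accounting helper fails at configure time rather than at link time. Because an action-if-found is supplied, AC_CHECK_LIB does not append -laudit to LIBS itself; the explicit `-laudit` added to src/Makefile.am is what makes the link work, which is fine but deserves a one-line comment here so nobody "simplifies" it away.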
diff -urp lightdm-1.10.5.orig/src/Makefile.am lightdm-1.10.5/src/Makefile.am<br>
--- lightdm-1.10.5.orig/src/Makefile.am 2014-04-08 00:30:25.000000000 -0400<br>
+++ lightdm-1.10.5/src/Makefile.am 2015-11-21 11:16:55.177313574 -0500<br>
@@ -92,6 +92,10 @@ lightdm_LDADD = \<br>
-lgcrypt \<br>
-lpam<br>
<br>
+if HAVE_AUDIT<br>
+lightdm_LDADD += -laudit<br>
+endif<br>
+<br>
dm_tool_SOURCES = \<br>
dm-tool.c<br>
<br>
diff -urp lightdm-1.10.5.orig/src/session-child.c lightdm-1.10.5/src/session-child.c<br>
--- lightdm-1.10.5.orig/src/session-child.c 2015-11-13 19:50:26.000000000 -0500<br>
+++ lightdm-1.10.5/src/session-child.c 2015-11-21 11:16:55.177313574 -0500<br>
@@ -16,6 +16,9 @@<br>
#include <utmp.h><br>
#include <utmpx.h><br>
#include <sys/mman.h><br>
+#ifdef WITH_AUDIT<br>
+# include <libaudit.h><br>
+#endif<br>
<br>
#include "configuration.h"<br>
#include "session-child.h"<br>
@@ -220,6 +223,33 @@ updwtmpx (const gchar *wtmp_file, struct<br>
updwtmp (wtmp_file, &u);<br>
}<br>
<br>
+#ifdef WITH_AUDIT<br>
+static void log_audit(const struct utmpx *ut, const char *tty, int status)<br>
+{<br>
+ int audit_fd;<br>
+ struct passwd *pwd;<br>
+<br>
+ audit_fd = audit_open();<br>
+ if (audit_fd == -1)<br>
+ return;<br>
+ pwd = getpwnam(ut->ut_user);<br>
+ audit_log_acct_message(audit_fd,<br>
+ AUDIT_USER_LOGIN,<br>
+ NULL,<br>
+ "login",<br>
+ ut->ut_user ? ut->ut_user : "(unknown)",<br>
+ pwd ? pwd->pw_uid : (unsigned int) -1,<br>
+ ut->ut_host,<br>
+ NULL,<br>
+ tty,<br>
+ status);<br>
+<br>
+ close(audit_fd);<br>
+}<br>
+#else /* !WITH_LIBAUDIT */<br>
+# define log_audit(mut, mtty, mstatus)<br>
+#endif<br>
+<br>
int<br>
session_child_run (int argc, char **argv)<br>
{<br>
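Review bot: The `ut->ut_user ? ut->ut_user : "(unknown)"` fallback passed to audit_log_acct_message() can never take its second branch: ut_user is an array member of struct utmpx, so the pointer is always non-NULL and an empty name is logged as an empty string; test the first byte instead, `ut->ut_user[0] ? ut->ut_user : "(unknown)"`. Separately, a failed audit_open() returns silently with no look at errno and the result of audit_log_acct_message() is dropped, so a broken audit setup leaves no trace at all; as far as I recall other login programs (shadow's login, for one) continue only when errno says the kernel lacks audit support (EINVAL, EPROTONOSUPPORT, EAFNOSUPPORT) and otherwise treat the failure as fatal, so it is worth deciding which policy lightdm wants and at minimum reporting the failure through g_printerr. The `#else /* !WITH_LIBAUDIT */` comment also names a macro that does not match the `#ifdef WITH_AUDIT` guard above it.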
@@ -355,7 +385,7 @@ session_child_run (int argc, char **argv<br>
if (pam_get_item (pam_handle, PAM_USER, (const void **) &new_username) != PAM_SUCCESS)<br>
{<br>
pam_end (pam_handle, 0);<br>
- return EXIT_FAILURE;<br>
+ goto err_out;<br>
}<br>
g_free (username);<br>
username = g_strdup (new_username);<br>
@@ -386,6 +416,7 @@ session_child_run (int argc, char **argv<br>
ut.ut_tv.tv_usec = tv.tv_usec;<br>
<br>
updwtmpx ("/var/log/btmp", &ut);<br>
+ log_audit(&ut, tty, 0);<br>
}<br>
<br>
/* Check account is valid */<br>
@@ -442,14 +473,14 @@ session_child_run (int argc, char **argv<br>
{<br>
g_printerr ("No user selected during authentication\n");<br>
pam_end (pam_handle, 0);<br>
- return EXIT_FAILURE;<br>
+ goto err_out;<br>
}<br>
<br>
/* Stop if we didn't authenticated */<br>
if (authentication_result != PAM_SUCCESS)<br>
{<br>
pam_end (pam_handle, 0);<br>
- return EXIT_FAILURE;<br>
+ goto err_out;<br>
}<br>
<br>
/* Get the command to run (blocks) */<br>
@@ -482,7 +513,7 @@ session_child_run (int argc, char **argv<br>
{<br>
pam_setcred (pam_handle, PAM_REINITIALIZE_CRED);<br>
pam_end (pam_handle, 0);<br>
- return EXIT_SUCCESS;<br>
+ goto err_out;<br>
}<br>
<br>
/* Redirect stderr to a log file */<br>
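Review bot: Replacing `return EXIT_SUCCESS` with `goto err_out` changes this branch's exit status to EXIT_FAILURE and records an AUDIT_USER_LOGIN with status 0, i.e. a failed login, even though the authentication and account checks earlier in the function have already passed by this point. The branch condition is above the hunk; the pam_setcred(PAM_REINITIALIZE_CRED) and the former success return suggest a session that was cancelled or never started rather than a rejected login, so the daemon now sees a failure where it used to see success. If no audit event is wanted here, keep `return EXIT_SUCCESS;`; if one is, give the branch its own label that sends the intended status and still returns EXIT_SUCCESS rather than sharing the failure path.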
@@ -522,7 +553,7 @@ session_child_run (int argc, char **argv<br>
{<br>
g_printerr ("Failed to establish PAM credentials: %s\n", pam_strerror (pam_handle, result));<br>
pam_end (pam_handle, 0);<br>
- return EXIT_FAILURE;<br>
+ goto err_out;<br>
}<br>
<br>
/* Open the session */<br>
@@ -531,7 +562,20 @@ session_child_run (int argc, char **argv<br>
{<br>
g_printerr ("Failed to open PAM session: %s\n", pam_strerror (pam_handle, result));<br>
pam_end (pam_handle, 0);<br>
- return EXIT_FAILURE;<br>
+ goto err_out;<br>
+ } else {<br>
+ /* Write successful login to audit system */<br>
+ struct utmpx ut;<br>
+<br>
+ memset (&ut, 0, sizeof (ut));<br>
+ if (tty)<br>
+ strncpy (ut.ut_line, tty + strlen ("/dev/"), sizeof (ut.ut_line));<br>
+ strncpy (ut.ut_user, username, sizeof (ut.ut_user));<br>
+ if (xdisplay)<br>
+ strncpy (ut.ut_host, xdisplay, sizeof (ut.ut_host));<br>
+ else if (remote_host_name)<br>
+ strncpy (ut.ut_host, remote_host_name, sizeof (ut.ut_host));<br>
+ log_audit(&ut, tty, 1);<br>
}<br>
<br>
/* Open a connection to the system bus for ConsoleKit - we must keep it open or CK will close the session */<br>
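Review bot: The fields copied into ut are then used as C strings by log_audit() (getpwnam() on ut_user, ut_user and ut_host in the audit message), but strncpy() with the full field size leaves a 32-byte user name or a long display/host string without a terminator, and `tty + strlen ("/dev/")` points past the string whenever tty does not start with /dev/. Since this utmpx is only a carrier for the audit call and is never written to wtmp, the fields can simply be NUL-terminated with g_strlcpy (glib is already in use in this file) and the /dev/ prefix stripped only when present. The same fill code is repeated verbatim at err_out, so I would hoist it into a helper next to log_audit(); the fence shows the helper and its use in this branch. The btmp code earlier in the function may share the /dev/ assumption but is outside this change.
```c
/* Fill the utmpx fields log_audit() reads. The struct is only a carrier
 * for the audit record (never written to wtmp/btmp), so every field is
 * NUL-terminated and the "/dev/" prefix is stripped only when present. */
static void
fill_audit_record (struct utmpx *ut, const gchar *username, const gchar *tty,
                   const gchar *xdisplay, const gchar *remote_host_name)
{
    memset (ut, 0, sizeof (*ut));
    if (tty)
        g_strlcpy (ut->ut_line,
                   g_str_has_prefix (tty, "/dev/") ? tty + strlen ("/dev/") : tty,
                   sizeof (ut->ut_line));
    if (username)
        g_strlcpy (ut->ut_user, username, sizeof (ut->ut_user));
    if (xdisplay)
        g_strlcpy (ut->ut_host, xdisplay, sizeof (ut->ut_host));
    else if (remote_host_name)
        g_strlcpy (ut->ut_host, remote_host_name, sizeof (ut->ut_host));
}

/* … unchanged: session_child_run() up to the pam_open_session() result check … */
    } else {
        /* Write successful login to audit system */
        struct utmpx ut;

        fill_audit_record (&ut, username, tty, xdisplay, remote_host_name);
        log_audit (&ut, tty, 1);
    }
```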
@@ -775,4 +819,20 @@ session_child_run (int argc, char **argv<br>
<br>
/* Return result of session process to the daemon */<br>
return return_code;<br>
+<br>
+err_out:<br>
+ {<br>
+ struct utmpx ut;<br>
+<br>
+ memset (&ut, 0, sizeof (ut));<br>
+ if (tty)<br>
+ strncpy (ut.ut_line, tty + strlen ("/dev/"), sizeof (ut.ut_line));<br>
+ strncpy (ut.ut_user, username, sizeof (ut.ut_user));<br>
+ if (xdisplay)<br>
+ strncpy (ut.ut_host, xdisplay, sizeof (ut.ut_host));<br>
+ else if (remote_host_name)<br>
+ strncpy (ut.ut_host, remote_host_name, sizeof (ut.ut_host));<br>
+ log_audit(&ut, tty, 0);<br>
+ }<br>
+ return EXIT_FAILURE;<br>
}<br>
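Review bot: `strncpy (ut.ut_user, username, …)` at err_out runs unconditionally, but at least one path that now jumps here, the "No user selected during authentication" branch, reads as the case where no user name was obtained, and if username is NULL there this is undefined behaviour on a login-failure path. Guard it, `if (username) strncpy (ut.ut_user, username, sizeof (ut.ut_user));`, and double-check that tty, xdisplay and remote_host_name are all assigned before the earliest `goto err_out` (the one following the failed pam_get_item), since their declarations are above the hunk and C will happily jump past an initialiser. This block is a verbatim copy of the success-path fill in the pam_open_session() branch; the two will drift apart unless they share a helper.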
<br>
</blockquote></div>