From be8c9d1e9239450665baa17cf8ec659dc6150cf7 Mon Sep 17 00:00:00 2001
From: Peter Vrabec
Date: Tue, 2 Sep 2008 14:12:30 +0000
Subject: [PATCH] audit improvements, thnx. to sgrubb@redhat.com
---
 shadow-4.1.2-audit.patch | 447 +++++++++++++++++++++++++++++++++++++++
 shadow-utils.spec | 7 +-
 2 files changed, 453 insertions(+), 1 deletion(-)
 create mode 100644 shadow-4.1.2-audit.patch
diff --git a/shadow-4.1.2-audit.patch b/shadow-4.1.2-audit.patch
new file mode 100644
index 0000000..89a53bf
--- /dev/null
+++ b/shadow-4.1.2-audit.patch
@@ -0,0 +1,447 @@ +diff -urp shadow-4.1.2.orig/src/groupadd.c shadow-4.1.2/src/groupadd.c +--- shadow-4.1.2.orig/src/groupadd.c 2008-09-02 08:31:11.000000000 -0400 ++++ shadow-4.1.2/src/groupadd.c 2008-09-02 09:05:14.000000000 -0400 +@@ -205,7 +205,7 @@ static void grp_update (void) + } + #endif /* SHADOWGRP */ + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "adding group", group_name, ++ audit_logger (AUDIT_ADD_GROUP, Prog, "adding group", group_name, + group_id, 1); + #endif + SYSLOG ((LOG_INFO, "new group: name=%s, GID=%u", +@@ -269,7 +269,7 @@ static void open_files (void) + if (!gr_lock ()) { + fprintf (stderr, _("%s: unable to lock group file\n"), Prog); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "locking group file", ++ audit_logger (AUDIT_ADD_GROUP, Prog, "locking group file", + group_name, -1, 0); + #endif + exit (E_GRP_UPDATE); +@@ -277,7 +277,7 @@ static void open_files (void) + if (!gr_open (O_RDWR)) { + fprintf (stderr, _("%s: unable to open group file\n"), Prog); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "opening group file", ++ audit_logger (AUDIT_ADD_GROUP, Prog, "opening group file", + group_name, -1, 0); + #endif + fail_exit (E_GRP_UPDATE); +@@ -310,7 +310,7 @@ static void fail_exit (int code) + + #ifdef WITH_AUDIT + if (code != E_SUCCESS) { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "adding group", ++ audit_logger (AUDIT_ADD_GROUP, Prog, "adding group", + group_name, -1, 0); + } + #endif +diff -urp shadow-4.1.2.orig/src/groupdel.c shadow-4.1.2/src/groupdel.c +--- shadow-4.1.2.orig/src/groupdel.c 2008-09-02 08:31:11.000000000 -0400 ++++ shadow-4.1.2/src/groupdel.c 2008-09-02 09:04:18.000000000 -0400 +@@ -100,7 +100,7 @@ static void fail_exit (int code) + #endif + + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "deleting group", ++ audit_logger (AUDIT_DEL_GROUP, Prog, "deleting group", + group_name, -1, 0); + #endif + +@@ -143,7 +143,7 @@ static void grp_update (void) 
+ static void close_files (void) + { + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "deleting group", group_name, ++ audit_logger (AUDIT_DEL_GROUP, Prog, "deleting group", group_name, + group_id, 1); + #endif + SYSLOG ((LOG_INFO, "remove group `%s'\n", group_name)); +@@ -316,7 +316,7 @@ int main (int argc, char **argv) + fprintf (stderr, _("%s: group %s does not exist\n"), + Prog, group_name); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_DEL_GROUP, Prog, + "deleting group", + group_name, -1, 0); + #endif +@@ -338,7 +338,7 @@ int main (int argc, char **argv) + Prog, group_name); + + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "deleting group", ++ audit_logger (AUDIT_DEL_GROUP, Prog, "deleting group", + group_name, -1, 0); + #endif + if (!yp_get_default_domain (&nis_domain) && +diff -urp shadow-4.1.2.orig/src/useradd.c shadow-4.1.2/src/useradd.c +--- shadow-4.1.2.orig/src/useradd.c 2008-09-02 08:31:11.000000000 -0400 ++++ shadow-4.1.2/src/useradd.c 2008-09-02 08:47:31.000000000 -0400 +@@ -216,7 +216,7 @@ static void fail_exit (int code) + #endif + + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "adding user", user_name, -1, ++ audit_logger (AUDIT_ADD_USER, Prog, "adding user", user_name, -1, + 0); + #endif + SYSLOG ((LOG_INFO, "failed adding user `%s', data deleted", user_name)); +@@ -793,7 +793,7 @@ static void grp_update (void) + fail_exit (E_GRP_UPDATE); + } + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_ADD_USER, Prog, + "adding user to group", user_name, -1, 1); + #endif + SYSLOG ((LOG_INFO, "add `%s' to group `%s'", +@@ -844,7 +844,7 @@ static void grp_update (void) + fail_exit (E_GRP_UPDATE); + } + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_ADD_USER, Prog, + "adding user to shadow group", user_name, -1, 1); + #endif + SYSLOG ((LOG_INFO, "add `%s' to shadow group `%s'", +@@ -1162,7 
+1162,7 @@ static void process_flags (int argc, cha + ("%s: invalid user name '%s'\n"), + Prog, user_name); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "adding user", ++ audit_logger (AUDIT_ADD_USER, Prog, "adding user", + user_name, -1, 0); + #endif + exit (E_BAD_ARG); +@@ -1251,7 +1251,7 @@ static void open_files (void) + if (!pw_lock ()) { + fprintf (stderr, _("%s: unable to lock password file\n"), Prog); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_ADD_USER, Prog, + "locking password file", user_name, user_id, 0); + #endif + exit (E_PW_UPDATE); +@@ -1260,7 +1260,7 @@ static void open_files (void) + if (!pw_open (O_RDWR)) { + fprintf (stderr, _("%s: unable to open password file\n"), Prog); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_ADD_USER, Prog, + "opening password file", user_name, user_id, 0); + #endif + fail_exit (E_PW_UPDATE); +@@ -1271,7 +1271,7 @@ static void open_files (void) + _("%s: cannot lock shadow password file\n"), + Prog); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_ADD_USER, Prog, + "locking shadow password file", user_name, + user_id, 0); + #endif +@@ -1283,7 +1283,7 @@ static void open_files (void) + _("%s: cannot open shadow password file\n"), + Prog); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_ADD_USER, Prog, + "opening shadow password file", user_name, + user_id, 0); + #endif +@@ -1385,6 +1385,10 @@ static void grp_add (void) + * Write out the new group file entry. + */ + if (!gr_update (&grp)) { ++#ifdef WITH_AUDIT ++ audit_logger (AUDIT_ADD_GROUP, Prog, ++ "adding group", grp.gr_name, -1, 0); ++#endif + fprintf (stderr, _("%s: error adding new group entry\n"), Prog); + fail_exit (E_GRP_UPDATE); + } +@@ -1393,11 +1397,19 @@ static void grp_add (void) + * Write out the new shadow group entries as well. 
+ */ + if (is_shadow_grp && !sgr_update (&sgrp)) { ++#ifdef WITH_AUDIT ++ audit_logger (AUDIT_ADD_GROUP, Prog, ++ "adding group", grp.gr_name, -1, 0); ++#endif + fprintf (stderr, _("%s: error adding new group entry\n"), Prog); + fail_exit (E_GRP_UPDATE); + } + #endif /* SHADOWGRP */ + SYSLOG ((LOG_INFO, "new group: name=%s, GID=%u", user_name, user_gid)); ++#ifdef WITH_AUDIT ++ audit_logger (AUDIT_ADD_GROUP, Prog, "adding group", ++ grp.gr_name, -1, 1); ++#endif + do_grp_update++; + } + +@@ -1486,13 +1498,13 @@ static void usr_update (void) + ("%s: error adding new shadow password entry\n"), + Prog); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_ADD_USER, Prog, + "adding shadow password", user_name, user_id, 0); + #endif + fail_exit (E_PW_UPDATE); + } + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "adding user", user_name, ++ audit_logger (AUDIT_ADD_USER, Prog, "adding user", user_name, + user_id, 1); + #endif + +@@ -1522,7 +1534,7 @@ static void selinux_update_mapping () { + _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), + Prog, user_name, user_selinux); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_ADD_USER, Prog, + "adding SELinux user mapping", user_name, user_id, 0); + #endif + } +@@ -1551,7 +1563,7 @@ static void create_home (void) + ("%s: cannot create directory %s\n"), + Prog, user_home); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_ADD_USER, Prog, + "adding home directory", user_name, + user_id, 0); + #endif +@@ -1562,7 +1574,7 @@ static void create_home (void) + 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK)); + home_added++; + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_ADD_USER, Prog, + "adding home directory", user_name, user_id, 1); + #endif + #ifdef WITH_SELINUX +@@ -1722,7 +1734,7 @@ int main (int argc, char **argv) + if (getpwnam 
(user_name)) { /* local, no need for xgetpwnam */ + fprintf (stderr, _("%s: user %s exists\n"), Prog, user_name); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "adding user", ++ audit_logger (AUDIT_ADD_USER, Prog, "adding user", + user_name, -1, 0); + #endif + fail_exit (E_NAME_IN_USE); +@@ -1741,7 +1753,7 @@ int main (int argc, char **argv) + ("%s: group %s exists - if you want to add this user to that group, use -g.\n"), + Prog, user_name); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_ADD_GROUP, Prog, + "adding group", user_name, -1, 0); + #endif + fail_exit (E_NAME_IN_USE); +@@ -1772,7 +1784,7 @@ int main (int argc, char **argv) + if (getpwuid (user_id) != NULL) { + fprintf (stderr, _("%s: UID %u is not unique\n"), Prog, (unsigned int) user_id); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "adding user", user_name, user_id, 0); ++ audit_logger (AUDIT_ADD_USER, Prog, "adding user", user_name, user_id, 0); + #endif + fail_exit (E_UID_IN_USE); + } +diff -urp shadow-4.1.2.orig/src/userdel.c shadow-4.1.2/src/userdel.c +--- shadow-4.1.2.orig/src/userdel.c 2008-09-02 08:31:11.000000000 -0400 ++++ shadow-4.1.2/src/userdel.c 2008-09-02 09:03:20.000000000 -0400 +@@ -170,7 +170,7 @@ static void update_groups (void) + * Update the DBM group file with the new entry as well. 
+ */ + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_DEL_USER, Prog, + "deleting user from group", user_name, user_id, + 0); + #endif +@@ -220,8 +220,8 @@ static void update_groups (void) + #endif + + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "deleting group", user_name, user_id, 0); ++ audit_logger (AUDIT_DEL_GROUP, Prog, "deleting group", ++ grp->gr_name, -1, 1); + #endif + SYSLOG ((LOG_INFO, + "removed group `%s' owned by `%s'\n", +@@ -270,7 +270,7 @@ static void update_groups (void) + exit (E_GRP_UPDATE); + } + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_DEL_USER, Prog, + "deleting user from shadow group", user_name, + user_id, 0); + #endif +@@ -327,7 +327,7 @@ static void fail_exit (int code) + sgr_unlock (); + #endif + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "deleting user", user_name, ++ audit_logger (AUDIT_DEL_USER, Prog, "deleting user", user_name, + user_id, 0); + #endif + exit (code); +@@ -344,7 +344,7 @@ static void open_files (void) + if (!pw_lock ()) { + fprintf (stderr, _("%s: unable to lock password file\n"), Prog); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_DEL_USER, Prog, + "locking password file", user_name, user_id, 0); + #endif + exit (E_PW_UPDATE); +@@ -352,7 +352,7 @@ static void open_files (void) + if (!pw_open (O_RDWR)) { + fprintf (stderr, _("%s: unable to open password file\n"), Prog); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_DEL_USER, Prog, + "opening password file", user_name, user_id, 0); + #endif + fail_exit (E_PW_UPDATE); +@@ -361,7 +361,7 @@ static void open_files (void) + fprintf (stderr, + _("%s: cannot lock shadow password file\n"), Prog); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_DEL_USER, Prog, + "locking shadow password file", user_name, + user_id, 0); + #endif +@@ 
-371,7 +371,7 @@ static void open_files (void) + fprintf (stderr, + _("%s: cannot open shadow password file\n"), Prog); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_DEL_USER, Prog, + "opening shadow password file", user_name, + user_id, 0); + #endif +@@ -380,7 +380,7 @@ static void open_files (void) + if (!gr_lock ()) { + fprintf (stderr, _("%s: unable to lock group file\n"), Prog); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "locking group file", ++ audit_logger (AUDIT_DEL_USER, Prog, "locking group file", + user_name, user_id, 0); + #endif + fail_exit (E_GRP_UPDATE); +@@ -388,7 +388,7 @@ static void open_files (void) + if (!gr_open (O_RDWR)) { + fprintf (stderr, _("%s: cannot open group file\n"), Prog); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "opening group file", ++ audit_logger (AUDIT_DEL_USER, Prog, "opening group file", + user_name, user_id, 0); + #endif + fail_exit (E_GRP_UPDATE); +@@ -398,7 +398,7 @@ static void open_files (void) + fprintf (stderr, + _("%s: unable to lock shadow group file\n"), Prog); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_DEL_USER, Prog, + "locking shadow group file", user_name, user_id, + 0); + #endif +@@ -408,7 +408,7 @@ static void open_files (void) + fprintf (stderr, _("%s: cannot open shadow group file\n"), + Prog); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_DEL_USER, Prog, + "opening shadow group file", user_name, user_id, + 0); + #endif +@@ -436,7 +436,7 @@ static void update_user (void) + fail_exit (E_PW_UPDATE); + } + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "deleting user entries", ++ audit_logger (AUDIT_DEL_USER, Prog, "deleting user entries", + user_name, user_id, 1); + #endif + SYSLOG ((LOG_INFO, "delete user `%s'\n", user_name)); +@@ -476,7 +476,7 @@ static void user_busy (const char *name, + _("%s: user %s is currently 
logged in\n"), Prog, name); + if (!fflg) { + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_DEL_USER, Prog, + "deleting user logged in", name, -1, 0); + #endif + exit (E_USER_BUSY); +@@ -577,7 +577,7 @@ static void remove_mailbox (void) + if (fflg) { + unlink (mailfile); /* always remove, ignore errors */ + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "deleting mail file", ++ audit_logger (AUDIT_DEL_USER, Prog, "deleting mail file", + user_name, user_id, 1); + #endif + return; +@@ -589,7 +589,7 @@ static void remove_mailbox (void) + ("%s: %s not owned by %s, not removing\n"), + Prog, mailfile, user_name); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "deleting mail file", ++ audit_logger (AUDIT_DEL_USER, Prog, "deleting mail file", + user_name, user_id, 0); + #endif + return; +@@ -601,7 +601,7 @@ static void remove_mailbox (void) + } + #ifdef WITH_AUDIT + else { +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "deleting mail file", ++ audit_logger (AUDIT_DEL_USER, Prog, "deleting mail file", + user_name, user_id, 1); + } + #endif +@@ -713,7 +713,7 @@ int main (int argc, char **argv) + fprintf (stderr, _("%s: user %s does not exist\n"), + Prog, user_name); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_DEL_USER, Prog, + "deleting user not found", user_name, -1, 0); + #endif + exit (E_NOTFOUND); +@@ -799,14 +799,14 @@ int main (int argc, char **argv) + _("%s: error removing directory %s\n"), + Prog, user_home); + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_DEL_USER, Prog, + "deleting home directory", user_name, + user_id, 1); + #endif + errors++; + } + #ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_DEL_USER, Prog, + "deleting home directory", user_name, user_id, 1); + #endif + } +@@ -838,7 +838,7 @@ int main (int argc, char **argv) + #endif /* USE_PAM */ + #ifdef WITH_AUDIT + 
if (errors) +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ audit_logger (AUDIT_DEL_USER, Prog, + "deleting home directory", user_name, -1, 0); + #endif + exit (errors ? E_HOMEDIR : E_SUCCESS); diff --git a/shadow-utils.spec b/shadow-utils.spec index a76b6c8..bb91134 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -5,7 +5,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.2 -Release: 5%{?dist} +Release: 6%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 @@ -17,6 +17,7 @@ Patch1: shadow-4.1.2-goodname.patch Patch2: shadow-4.1.2-selinux.patch Patch3: shadow-4.1.2-sysAccountDownhill.patch Patch4: shadow-4.1.2-gmSEGV.patch +Patch5: shadow-4.1.2-audit.patch License: BSD Group: System Environment/Base @@ -46,6 +47,7 @@ are used for managing group accounts. %patch2 -p1 -b .selinux %patch3 -p1 -b .sysAccountDownhill %patch4 -p1 -b .gmSEGV +%patch5 -p1 -b .audit rm po/*.gmo @@ -186,6 +188,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Thu Sep 02 2008 Peter Vrabec 2:4.1.2-6 +- audit improvements, thnx. to sgrubb@redhat.com + * Thu Sep 02 2008 Peter Vrabec 2:4.1.2-5 - fix groupmems issues (#459825)
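Review bot: In the userdel.c main() hunk at `@@ -799,14 +799,14 @@`, the retyped call on the "error removing directory" branch still records the failed home-directory removal with result 1 (`"deleting home directory", user_name, user_id, 1);` immediately before `errors++`), and the second, unconditional `audit_logger (AUDIT_DEL_USER, ...)` after the closing brace emits another success record even when the removal failed, so the audit trail misreports the outcome while the commit changes only the event type. The branch line should read `user_id, 0);` and the unconditional success record should move into the success path (for example an `else` of the same `if`), leaving the final `if (errors)` record before `exit` as the overall-failure signal. Separately, the new success records in useradd.c grp_add (`grp.gr_name, -1, 1`) and userdel.c update_groups (`grp->gr_name, -1, 1`) pass -1 as the id although the GID appears to be at hand (`user_gid` in the adjacent SYSLOG, and presumably `grp->gr_gid`), whereas groupadd.c grp_update passes `group_id` on success; the -1 makes the group events harder to correlate. main() begins and ends outside the hunk.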