[linux-pam] Relax the conditions for fatal failure on auditing.
by Tomáš Mráz
commit 20047e7fdcfff6633d8201f0954be51f6378f1ae
Author: Tomas Mraz <tmraz(a)fedoraproject.org>
Date: Thu Dec 17 17:43:27 2015 +0100
Relax the conditions for fatal failure on auditing.
The PAM library calls will not fail anymore for any uid if the return
value from the libaudit call is -EPERM.
* libpam/pam_audit.c (_pam_audit_writelog): Remove check for uid != 0.
libpam/pam_audit.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
---
diff --git a/libpam/pam_audit.c b/libpam/pam_audit.c
index 24fb799..97a9a92 100644
--- a/libpam/pam_audit.c
+++ b/libpam/pam_audit.c
@@ -53,7 +53,7 @@ _pam_audit_writelog(pam_handle_t *pamh, int audit_fd, int type,
pamh->audit_state |= PAMAUDIT_LOGGED;
if (rc < 0) {
- if (rc == -EPERM && getuid() != 0)
+ if (rc == -EPERM)
return 0;
if (errno != old_errno) {
old_errno = errno;
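Review bot: The new `if (rc == -EPERM) return 0;` now also covers a root caller, so a privileged service that lacks CAP_AUDIT_WRITE (a containerised sshd or login, for instance) silently produces no audit records and no diagnostic, because the early return bypasses the errno de-duplicated error logging that follows in this hunk. Failing open here is a reasonable choice for unprivileged callers, but the gap in the audit trail should at least be visible once in the system log so an operator can tell a missing capability from a quiet system. I would keep the fail-open semantics and add a one-shot warning before the return, as sketched below; the presence of CAP_AUDIT_WRITE is inferred from the EPERM, not shown in the hunk. _pam_audit_writelog starts before and continues past this hunk.
```c
	if (rc < 0) {
		if (rc == -EPERM) {
			/* Caller lacks permission to write audit records (e.g. no
			 * CAP_AUDIT_WRITE in a container): deliberately fail open, but
			 * say so once so the resulting gap in the audit trail is diagnosable. */
			static int eperm_warned;
			if (!eperm_warned) {
				eperm_warned = 1;
				pam_syslog(pamh, LOG_WARNING,
					   "audit_log_acct_message() returned EPERM; continuing without audit records");
			}
			return 0;
		}
		/* … unchanged: errno de-duplication and error logging … */
```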
[linux-pam] pam_tally2: Optionally log the tally count when checking.
by Tomáš Mráz
commit e0a996ec358af86153c0c00e67802e36283dadd0
Author: Tomas Mraz <tmraz(a)fedoraproject.org>
Date: Wed Dec 16 09:33:47 2015 +0100
pam_tally2: Optionally log the tally count when checking.
* modules/pam_tally2/pam_tally2.c (tally_parse_args): Add debug option.
(tally_check): Always log the tally count with debug option.
modules/pam_tally2/pam_tally2.8.xml | 13 +++++++++++++
modules/pam_tally2/pam_tally2.c | 16 +++++++++++-----
2 files changed, 24 insertions(+), 5 deletions(-)
---
diff --git a/modules/pam_tally2/pam_tally2.8.xml b/modules/pam_tally2/pam_tally2.8.xml
index 2f3b2eb..cf5d76d 100644
--- a/modules/pam_tally2/pam_tally2.8.xml
+++ b/modules/pam_tally2/pam_tally2.8.xml
@@ -54,6 +54,9 @@
<arg choice="opt">
no_log_info
</arg>
+ <arg choice="opt">
+ debug
+ </arg>
</cmdsynopsis>
<cmdsynopsis id="pam_tally2-cmdsynopsis2">
<command>pam_tally2</command>
@@ -169,6 +172,16 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>debug</option>
+ </term>
+ <listitem>
+ <para>
+ Always log tally count when it is incremented as a debug level message to the system log.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</listitem>
</varlistentry>
diff --git a/modules/pam_tally2/pam_tally2.c b/modules/pam_tally2/pam_tally2.c
index f5eebb1..e513f64 100644
--- a/modules/pam_tally2/pam_tally2.c
+++ b/modules/pam_tally2/pam_tally2.c
@@ -124,6 +124,7 @@ struct tally_options {
#define OPT_AUDIT 0100
#define OPT_NOLOGNOTICE 0400
#define OPT_SERIALIZE 01000
+#define OPT_DEBUG 02000
#define MAX_LOCK_WAITING_TIME 10
@@ -196,6 +197,9 @@ tally_parse_args(pam_handle_t *pamh, struct tally_options *opts,
else if ( ! strcmp( *argv, "serialize" ) ) {
opts->ctrl |= OPT_SERIALIZE;
}
+ else if ( ! strcmp( *argv, "debug" ) ) {
+ opts->ctrl |= OPT_DEBUG;
+ }
else if ( ! strcmp( *argv, "even_deny_root_account" ) ||
! strcmp( *argv, "even_deny_root" ) ) {
log_phase_no_auth(pamh, phase, *argv);
@@ -503,6 +507,7 @@ tally_check (tally_t oldcnt, time_t oldtime, pam_handle_t *pamh, uid_t uid,
struct tallylog *tally)
{
int rv = PAM_SUCCESS;
+ int loglevel = LOG_DEBUG;
#ifdef HAVE_LIBAUDIT
char buf[64];
int audit_fd = -1;
@@ -575,11 +580,7 @@ tally_check (tally_t oldcnt, time_t oldtime, pam_handle_t *pamh, uid_t uid,
pam_info(pamh, _("Account locked due to %u failed logins"),
(unsigned int)tally->fail_cnt);
}
- if (!(opts->ctrl & OPT_NOLOGNOTICE)) {
- pam_syslog(pamh, LOG_NOTICE,
- "user %s (%lu) tally %hu, deny %hu",
- user, (unsigned long)uid, tally->fail_cnt, opts->deny);
- }
+ loglevel = LOG_NOTICE;
rv = PAM_AUTH_ERR; /* Only unconditional failure */
goto cleanup;
}
@@ -609,6 +610,11 @@ tally_check (tally_t oldcnt, time_t oldtime, pam_handle_t *pamh, uid_t uid,
}
cleanup:
+ if (!(opts->ctrl & OPT_NOLOGNOTICE) && (loglevel != LOG_DEBUG || opts->ctrl & OPT_DEBUG)) {
+ pam_syslog(pamh, loglevel,
+ "user %s (%lu) tally %hu, deny %hu",
+ user, (unsigned long)uid, tally->fail_cnt, opts->deny);
+ }
#ifdef HAVE_LIBAUDIT
if (audit_fd != -1) {
close(audit_fd);
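Review bot: The new condition at cleanup still evaluates `!(opts->ctrl & OPT_NOLOGNOTICE)` before the OPT_DEBUG clause, so a module line carrying both `debug` and `no_log_info` logs nothing at all, which contradicts the man page wording added in this commit ("Always log tally count"). If debug is meant to force the line regardless of no_log_info, the test should read `if ((opts->ctrl & OPT_DEBUG) || (loglevel != LOG_DEBUG && !(opts->ctrl & OPT_NOLOGNOTICE))) {`; if the current suppression is intended, the man page entry should say that no_log_info wins. Separately, that man page entry says the count is logged "when it is incremented", whereas this log statement sits in tally_check, which from its name appears to run on the check rather than the increment, so the documentation or the placement should be reconciled. Note also that the message references `user` and `tally->fail_cnt` on every path that reaches cleanup; whether those are initialised on the early-exit paths cannot be seen here, since tally_check starts before this hunk and its cleanup continues past it.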