#

# This patch provides a check to see if bsm is supported and if so then

# configures the build for the KRB5KDC audit plugin support for Solaris based

# systems.

#

# The patch also builds a temporary audit module for kadmind that provides a

# temporary solution until an adminstrative plugin framework is available,

# upstream.

#

# This patch is not intended to be contributed to MIT as the changes are Solaris

# specific and, in the case for kadmind, a temporary solution.

#

# Patch source: in-house

#

--- a/src/config/pre.in

+++ b/src/config/pre.in

@@ -212,6 +212,7 @@ MODULE_DIR = @libdir@/krb5/plugins

 KRB5_DB_MODULE_DIR = $(MODULE_DIR)/kdb

 KRB5_PA_MODULE_DIR = $(MODULE_DIR)/preauth

 KRB5_AD_MODULE_DIR = $(MODULE_DIR)/authdata

+KRB5_AU_MODULE_DIR = $(MODULE_DIR)/audit

 KRB5_LIBKRB5_MODULE_DIR = $(MODULE_DIR)/libkrb5

 KRB5_TLS_MODULE_DIR = $(MODULE_DIR)/tls

 KRB5_LOCALEDIR = @localedir@

--- a/src/configure.in

+++ b/src/configure.in

@@ -188,7 +188,7 @@ if test "$withval" = yes; then

 fi

 # Check which (if any) audit plugin to build

-audit_plugin=""

+audit_plugin="solaris"

 AC_ARG_ENABLE([audit-plugin],

 AC_HELP_STRING([--enable-audit-plugin=IMPL],

                [use audit plugin @<:@ do not use audit @:>@]), , enableval=no)

@@ -203,6 +203,13 @@ if test "$enableval" != no; then

                      audit_plugin=plugins/audit/simple ],

                      AC_MSG_ERROR([libaudit not found or undefined symbol audit_log_user_message]))

         ;;

+    solaris)

+        AC_CHECK_LIB(bsm, adt_start_session,

+                     [AUDIT_IMPL_LIBS=-lbsm

+                     K5_GEN_MAKEFILE(plugins/audit/solaris)

+                     audit_plugin=plugins/audit/solaris ],

+                     AC_MSG_ERROR([bsm not found or undefined symbol adt_start_session]))

+	;;

     *)

         AC_MSG_ERROR([Unknown audit plugin implementation $enableval.])

         ;;

--- a/src/kadmin/server/deps

+++ b/src/kadmin/server/deps

@@ -132,4 +132,23 @@ $(OUTPRE)ipropd_svc.$(OBJEXT): $(BUILDTO

   $(top_srcdir)/include/kdb_log.h $(top_srcdir)/include/krb5.h \

   $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/net-server.h \

   $(top_srcdir)/lib/gssapi/krb5/gssapi_krb5.h $(top_srcdir)/lib/kadm5/srv/server_acl.h \

-  ipropd_svc.c misc.h

+  ipropd_svc.c misc.h kadmind_audit.h

+$(OUTPRE)kadmind_audit.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \

+  $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_ext.h \

+  $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \

+  $(BUILDTOP)/include/kadm5/admin_internal.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \

+  $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/kadm_rpc.h \

+  $(BUILDTOP)/include/kadm5/server_internal.h $(BUILDTOP)/include/krb5/krb5.h \

+  $(BUILDTOP)/include/osconf.h $(COM_ERR_DEPS) $(VERTO_DEPS) \

+  $(top_srcdir)/include/adm_proto.h $(top_srcdir)/include/gssrpc/auth.h \

+  $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \

+  $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \

+  $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \

+  $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \

+  $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/iprop.h \

+  $(top_srcdir)/include/iprop_hdr.h $(top_srcdir)/include/k5-platform.h \

+  $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/kdb.h \

+  $(top_srcdir)/include/kdb_log.h $(top_srcdir)/include/krb5.h \

+  $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/net-server.h \

+  $(top_srcdir)/lib/gssapi/krb5/gssapi_krb5.h $(top_srcdir)/lib/kadm5/srv/server_acl.h \

+  kadmind_audit.c kadmind_audit.h

--- a/src/kadmin/server/ipropd_svc.c

+++ b/src/kadmin/server/ipropd_svc.c

@@ -191,6 +191,9 @@ iprop_get_updates_1_svc(kdb_last_t *arg,

 	DPRINT("%s: PERMISSION DENIED: clprinc=`%s'\n\tsvcprinc=`%s'\n",

 		whoami, client_name, service_name);

+	audit_kadmind("Incremental updates", "null", client_name, service_name,

+	    "Unauthorized request", rqstp->rq_xprt, ret.ret);

+

 	krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, whoami,

 			 client_name, service_name,

 			 client_addr(rqstp->rq_xprt));

@@ -217,6 +220,10 @@ iprop_get_updates_1_svc(kdb_last_t *arg,

 	   ((kret == 0) ? "success" : error_message(kret)),

 	   client_name, service_name);

+    audit_kadmind("Incremental updates", "null", client_name, service_name,

+	((kret == 0) ? "success" : (char *)error_message(kret)), rqstp->rq_xprt,

+	ret.ret);

+

     krb5_klog_syslog(LOG_NOTICE,

 		     _("Request: %s, %s, %s, client=%s, service=%s, addr=%s"),

 		     whoami,

@@ -336,6 +343,10 @@ ipropx_resync(uint32_t vers, struct svc_

 	ret.ret = UPDATE_PERM_DENIED;

 	DPRINT("%s: Permission denied\n", whoami);

+

+	audit_kadmind("Full resync", "null", client_name, service_name,

+	    "Unauthorized request", rqstp->rq_xprt, ret.ret);

+

 	krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, whoami,

 			 client_name, service_name,

 			 client_addr(rqstp->rq_xprt));

@@ -444,6 +455,10 @@ ipropx_resync(uint32_t vers, struct svc_

 	DPRINT("%s: spawned resync process %d, client=%s, "

 		"service=%s, addr=%s\n", whoami, fret, client_name,

 		service_name, client_addr(rqstp->rq_xprt));

+

+	audit_kadmind("Full resync", "null", client_name, service_name,

+	    "success", rqstp->rq_xprt, ret.ret);

+

 	krb5_klog_syslog(LOG_NOTICE,

 			 _("Request: %s, spawned resync process %d, client=%s, service=%s, addr=%s"),

 			 whoami, fret,

--- a/src/kadmin/server/Makefile.in

+++ b/src/kadmin/server/Makefile.in

@@ -7,13 +7,15 @@ LOCALINCLUDES = -I$(top_srcdir)/lib/gssa

 	-I$(BUILDTOP)/lib/gssapi/krb5 -I$(top_srcdir)/lib/kadm5/srv

 PROG = kadmind

-OBJS = kadm_rpc_svc.o server_stubs.o ovsec_kadmd.o schpw.o misc.o ipropd_svc.o

-SRCS = kadm_rpc_svc.c server_stubs.c ovsec_kadmd.c schpw.c misc.c ipropd_svc.c

+OBJS = kadm_rpc_svc.o server_stubs.o ovsec_kadmd.o schpw.o misc.o ipropd_svc.o \

+	kadmind_audit.o

+SRCS = kadm_rpc_svc.c server_stubs.c ovsec_kadmd.c schpw.c misc.c ipropd_svc.c \

+	kadmind_audit.c

 all:: $(PROG)

 $(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIBS) $(APPUTILS_DEPLIB) $(VERTO_DEPLIB)

-	$(CC_LINK) -o $(PROG) $(OBJS) $(APPUTILS_LIB) $(KADMSRV_LIBS) $(KDB_DEP_LIB) $(KRB5_BASE_LIBS) $(VERTO_LIBS) -lpam

+	$(CC_LINK) -o $(PROG) $(OBJS) $(APPUTILS_LIB) $(KADMSRV_LIBS) $(KDB_DEP_LIB) $(KRB5_BASE_LIBS) $(VERTO_LIBS) -lpam -lbsm

 install::

 	$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(SERVER_BINDIR)/$(PROG)

--- a/src/kadmin/server/misc.h

+++ b/src/kadmin/server/misc.h

@@ -8,6 +8,7 @@

 #define _MISC_H 1

 #include "net-server.h"         /* for krb5_fulladdr */

+#include "kadmind_audit.h"

 int

 setup_gss_names(struct svc_req *, gss_buffer_desc *,

--- a/src/kadmin/server/server_stubs.c

+++ b/src/kadmin/server/server_stubs.c

@@ -312,6 +312,29 @@ log_unauth(

     slen = server->length;

     trunc_name(&slen, &sdots);

+    {

+	char *client_str = NULL, *server_str = NULL;

+	int len;

+

+	len = asprintf(&client_str, "%.*s%s", (int)clen, (char *)client->value,

+	    cdots);

+	if (len == -1)

+	    return ENOMEM;

+

+	len = asprintf(&server_str, "%.*s%s", (int)slen, (char *)server->value,

+	    sdots);

+	if (len == -1) {

+	    free(client_str);

+	    return ENOMEM;

+	}

+

+	audit_kadmind(op, target, client_str, server_str,

+	    _("Unauthorized request"), rqstp->rq_xprt, 1);

+

+	free(client_str);

+	free(server_str);

+    }

+

     /* okay to cast lengths to int because trunc_name limits max value */

     return krb5_klog_syslog(LOG_NOTICE,

                             _("Unauthorized request: %s, %.*s%s, "

@@ -343,6 +366,29 @@ log_done(

     slen = server->length;

     trunc_name(&slen, &sdots);

+    {

+	char *client_str = NULL, *server_str = NULL;

+	int len;

+

+	len = asprintf(&client_str, "%.*s%s", (int)clen, (char *)client->value,

+	    cdots);

+	if (len == -1)

+	    return ENOMEM;

+

+	len = asprintf(&server_str, "%.*s%s", (int)slen, (char *)server->value,

+	    sdots);

+	if (len == -1) {

+	    free(client_str);

+	    return ENOMEM;

+	}

+

+	audit_kadmind(op, target, client_str, server_str, (char *)errmsg,

+	    rqstp->rq_xprt, strcmp("success", errmsg) ? 1 : 0);

+

+	free(client_str);

+	free(server_str);

+    }

+

     /* okay to cast lengths to int because trunc_name limits max value */

     return krb5_klog_syslog(LOG_NOTICE,

                             _("Request: %s, %.*s%s, %s, "

--- a/src/kdc/kdc_audit.c

+++ b/src/kdc/kdc_audit.c

@@ -80,6 +80,11 @@ load_audit_modules(krb5_context context)

     if (context == NULL || handles != NULL)

         return EINVAL;

+    ret = k5_plugin_register_dyn(context, PLUGIN_INTERFACE_AUDIT, "solaris",

+	"audit");

+    if (ret)

+	return ret;

+

     /* Get audit plugin vtable. */

     ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_AUDIT, &modules);

     if (ret)

--- a/src/Makefile.in

+++ b/src/Makefile.in

@@ -65,7 +65,7 @@ INSTALLMKDIRS = $(KRB5ROOT) $(KRB5MANROO

 		$(FILE_CATDIR) \

 		$(KRB5_LIBDIR) $(KRB5_INCDIR) \

 		$(KRB5_DB_MODULE_DIR) $(KRB5_PA_MODULE_DIR) \

-		$(KRB5_AD_MODULE_DIR) \

+		$(KRB5_AD_MODULE_DIR) $(KRB5_AU_MODULE_DIR) \

 		$(KRB5_LIBKRB5_MODULE_DIR) $(KRB5_TLS_MODULE_DIR) \

 		@localstatedir@ @localstatedir@/krb5kdc \

 		@runstatedir@ @runstatedir@/krb5kdc \