1 # |
|
2 # This patch provides a check to see if bsm is supported and if so then |
|
3 # configures the build for the KRB5KDC audit plugin support for Solaris based |
|
4 # systems. |
|
5 # |
|
6 # The patch also builds a temporary audit module for kadmind that provides a |
|
7 # temporary solution until an administrative plugin framework is available, |
|
8 # upstream. |
|
9 # |
|
10 # This patch is not intended to be contributed to MIT as the changes are Solaris |
|
11 # specific and, in the case for kadmind, a temporary solution. |
|
12 # |
|
13 # Patch source: in-house |
|
14 # |
|
15 --- a/src/config/pre.in |
|
16 +++ b/src/config/pre.in |
|
17 @@ -212,6 +212,7 @@ MODULE_DIR = @libdir@/krb5/plugins |
|
18 KRB5_DB_MODULE_DIR = $(MODULE_DIR)/kdb |
|
19 KRB5_PA_MODULE_DIR = $(MODULE_DIR)/preauth |
|
20 KRB5_AD_MODULE_DIR = $(MODULE_DIR)/authdata |
|
21 +KRB5_AU_MODULE_DIR = $(MODULE_DIR)/audit |
|
22 KRB5_LIBKRB5_MODULE_DIR = $(MODULE_DIR)/libkrb5 |
|
23 KRB5_TLS_MODULE_DIR = $(MODULE_DIR)/tls |
|
24 KRB5_LOCALEDIR = @localedir@ |
|
25 --- a/src/configure.in |
|
26 +++ b/src/configure.in |
|
27 @@ -188,7 +188,7 @@ if test "$withval" = yes; then |
|
28 fi |
|
29 |
|
30 # Check which (if any) audit plugin to build |
|
31 -audit_plugin="" |
|
32 +audit_plugin="solaris" |
|
33 AC_ARG_ENABLE([audit-plugin], |
|
34 AC_HELP_STRING([--enable-audit-plugin=IMPL], |
|
35 [use audit plugin @<:@ do not use audit @:>@]), , enableval=no) |
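Review bot: The new default `audit_plugin="solaris"` is a bare implementation name, whereas every other assignment to this variable visible in the patch is a directory path (`plugins/audit/simple`, `plugins/audit/solaris`), so when `--enable-audit-plugin` is not given (enableval defaults to `no`) the variable holds a value of a different shape from what the case branches produce. If the substituted value is consumed as a build subdirectory, that would name a directory that does not exist; if the intent is to build the Solaris plugin by default, the consistent form would be `audit_plugin=plugins/audit/solaris` guarded by the same `AC_CHECK_LIB(bsm, adt_start_session, ...)` probe the `solaris)` branch uses. How `audit_plugin` is consumed lies outside this hunk, so the effect of the bare name cannot be confirmed from here.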
|
36 @@ -203,6 +203,13 @@ if test "$enableval" != no; then |
|
37 audit_plugin=plugins/audit/simple ], |
|
38 AC_MSG_ERROR([libaudit not found or undefined symbol audit_log_user_message])) |
|
39 ;; |
|
40 + solaris) |
|
41 + AC_CHECK_LIB(bsm, adt_start_session, |
|
42 + [AUDIT_IMPL_LIBS=-lbsm |
|
43 + K5_GEN_MAKEFILE(plugins/audit/solaris) |
|
44 + audit_plugin=plugins/audit/solaris ], |
|
45 + AC_MSG_ERROR([bsm not found or undefined symbol adt_start_session])) |
|
46 + ;; |
|
47 *) |
|
48 AC_MSG_ERROR([Unknown audit plugin implementation $enableval.]) |
|
49 ;; |
|
50 --- a/src/kadmin/server/deps |
|
51 +++ b/src/kadmin/server/deps |
|
52 @@ -132,4 +132,23 @@ $(OUTPRE)ipropd_svc.$(OBJEXT): $(BUILDTO |
|
53 $(top_srcdir)/include/kdb_log.h $(top_srcdir)/include/krb5.h \ |
|
54 $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/net-server.h \ |
|
55 $(top_srcdir)/lib/gssapi/krb5/gssapi_krb5.h $(top_srcdir)/lib/kadm5/srv/server_acl.h \ |
|
56 - ipropd_svc.c misc.h |
|
57 + ipropd_svc.c misc.h kadmind_audit.h |
|
58 +$(OUTPRE)kadmind_audit.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ |
|
59 + $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_ext.h \ |
|
60 + $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \ |
|
61 + $(BUILDTOP)/include/kadm5/admin_internal.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ |
|
62 + $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/kadm_rpc.h \ |
|
63 + $(BUILDTOP)/include/kadm5/server_internal.h $(BUILDTOP)/include/krb5/krb5.h \ |
|
64 + $(BUILDTOP)/include/osconf.h $(COM_ERR_DEPS) $(VERTO_DEPS) \ |
|
65 + $(top_srcdir)/include/adm_proto.h $(top_srcdir)/include/gssrpc/auth.h \ |
|
66 + $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \ |
|
67 + $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \ |
|
68 + $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \ |
|
69 + $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \ |
|
70 + $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/iprop.h \ |
|
71 + $(top_srcdir)/include/iprop_hdr.h $(top_srcdir)/include/k5-platform.h \ |
|
72 + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/kdb.h \ |
|
73 + $(top_srcdir)/include/kdb_log.h $(top_srcdir)/include/krb5.h \ |
|
74 + $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/net-server.h \ |
|
75 + $(top_srcdir)/lib/gssapi/krb5/gssapi_krb5.h $(top_srcdir)/lib/kadm5/srv/server_acl.h \ |
|
76 + kadmind_audit.c kadmind_audit.h |
|
77 --- a/src/kadmin/server/ipropd_svc.c |
|
78 +++ b/src/kadmin/server/ipropd_svc.c |
|
79 @@ -191,6 +191,9 @@ iprop_get_updates_1_svc(kdb_last_t *arg, |
|
80 DPRINT("%s: PERMISSION DENIED: clprinc=`%s'\n\tsvcprinc=`%s'\n", |
|
81 whoami, client_name, service_name); |
|
82 |
|
83 + audit_kadmind("Incremental updates", "null", client_name, service_name, |
|
84 + "Unauthorized request", rqstp->rq_xprt, ret.ret); |
|
85 + |
|
86 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, whoami, |
|
87 client_name, service_name, |
|
88 client_addr(rqstp->rq_xprt)); |
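Review bot: The target argument to `audit_kadmind` is the literal string `"null"`, which a consumer of the audit record cannot distinguish from a principal actually named `null`. If the audit function's contract permits it, passing `NULL` and letting `audit_kadmind` render an absent target would be less ambiguous; `kadmind_audit.h` is not part of this patch, so whether it accepts a null pointer cannot be checked here. The enclosing `iprop_get_updates_1_svc` begins and ends outside the hunk, and the value of `ret.ret` at this point is set above it.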
|
89 @@ -217,6 +220,10 @@ iprop_get_updates_1_svc(kdb_last_t *arg, |
|
90 ((kret == 0) ? "success" : error_message(kret)), |
|
91 client_name, service_name); |
|
92 |
|
93 + audit_kadmind("Incremental updates", "null", client_name, service_name, |
|
94 + ((kret == 0) ? "success" : (char *)error_message(kret)), rqstp->rq_xprt, |
|
95 + ret.ret); |
|
96 + |
|
97 krb5_klog_syslog(LOG_NOTICE, |
|
98 _("Request: %s, %s, %s, client=%s, service=%s, addr=%s"), |
|
99 whoami, |
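Review bot: The cast `(char *)error_message(kret)` discards the `const` qualifier of `error_message()`'s return, which suggests `audit_kadmind` takes a non-const `char *`; since the function only records the string, declaring that parameter `const char *` would remove this cast and the matching `(char *)errmsg` cast in server_stubs.c. The status expression also duplicates the ternary computed two lines earlier for the syslog call; computing it once as `const char *status = (kret == 0) ? "success" : error_message(kret);` and passing `status` to both calls keeps the audit record and the log entry guaranteed to agree. The enclosing function continues outside the hunk.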
|
100 @@ -336,6 +343,10 @@ ipropx_resync(uint32_t vers, struct svc_ |
|
101 ret.ret = UPDATE_PERM_DENIED; |
|
102 |
|
103 DPRINT("%s: Permission denied\n", whoami); |
|
104 + |
|
105 + audit_kadmind("Full resync", "null", client_name, service_name, |
|
106 + "Unauthorized request", rqstp->rq_xprt, ret.ret); |
|
107 + |
|
108 krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, whoami, |
|
109 client_name, service_name, |
|
110 client_addr(rqstp->rq_xprt)); |
|
111 @@ -444,6 +455,10 @@ ipropx_resync(uint32_t vers, struct svc_ |
|
112 DPRINT("%s: spawned resync process %d, client=%s, " |
|
113 "service=%s, addr=%s\n", whoami, fret, client_name, |
|
114 service_name, client_addr(rqstp->rq_xprt)); |
|
115 + |
|
116 + audit_kadmind("Full resync", "null", client_name, service_name, |
|
117 + "success", rqstp->rq_xprt, ret.ret); |
|
118 + |
|
119 krb5_klog_syslog(LOG_NOTICE, |
|
120 _("Request: %s, spawned resync process %d, client=%s, service=%s, addr=%s"), |
|
121 whoami, fret, |
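Review bot: The `"success"` audit record is emitted only on the branch where the resync child was spawned, so a full resync that fails to spawn (the error path of the fork, which presumably sits just above this hunk and is not touched by the patch) leaves no audit trail, while the unauthorized case earlier in the same function does. If that path exists as inferred, a matching `audit_kadmind("Full resync", "null", client_name, service_name, error_message(...), rqstp->rq_xprt, ret.ret);` there would make the audit log complete for this operation. The enclosing `ipropx_resync` begins and ends outside the hunk.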
|
122 --- a/src/kadmin/server/Makefile.in |
|
123 +++ b/src/kadmin/server/Makefile.in |
|
124 @@ -7,13 +7,15 @@ LOCALINCLUDES = -I$(top_srcdir)/lib/gssa |
|
125 -I$(BUILDTOP)/lib/gssapi/krb5 -I$(top_srcdir)/lib/kadm5/srv |
|
126 |
|
127 PROG = kadmind |
|
128 -OBJS = kadm_rpc_svc.o server_stubs.o ovsec_kadmd.o schpw.o misc.o ipropd_svc.o |
|
129 -SRCS = kadm_rpc_svc.c server_stubs.c ovsec_kadmd.c schpw.c misc.c ipropd_svc.c |
|
130 +OBJS = kadm_rpc_svc.o server_stubs.o ovsec_kadmd.o schpw.o misc.o ipropd_svc.o \ |
|
131 + kadmind_audit.o |
|
132 +SRCS = kadm_rpc_svc.c server_stubs.c ovsec_kadmd.c schpw.c misc.c ipropd_svc.c \ |
|
133 + kadmind_audit.c |
|
134 |
|
135 all:: $(PROG) |
|
136 |
|
137 $(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIBS) $(APPUTILS_DEPLIB) $(VERTO_DEPLIB) |
|
138 - $(CC_LINK) -o $(PROG) $(OBJS) $(APPUTILS_LIB) $(KADMSRV_LIBS) $(KDB_DEP_LIB) $(KRB5_BASE_LIBS) $(VERTO_LIBS) -lpam |
|
139 + $(CC_LINK) -o $(PROG) $(OBJS) $(APPUTILS_LIB) $(KADMSRV_LIBS) $(KDB_DEP_LIB) $(KRB5_BASE_LIBS) $(VERTO_LIBS) -lpam -lbsm |
|
140 |
|
141 install:: |
|
142 $(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(SERVER_BINDIR)/$(PROG) |
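Review bot: `-lbsm` is hard-coded into the kadmind link line, so the link fails on any host without libbsm even though configure.in only requires that library when `--enable-audit-plugin=solaris` is selected and the `AC_CHECK_LIB(bsm, ...)` probe succeeds. The configure branch already collects the library into `AUDIT_IMPL_LIBS`; if that variable is substituted into Makefiles (its `AC_SUBST` is outside the hunks shown), the link line should use it instead: `... $(VERTO_LIBS) -lpam $(AUDIT_IMPL_LIBS)`. Otherwise the kadmind audit module becomes a build-time requirement for libbsm regardless of the configure choice, which is at odds with the configure check being added.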
|
143 --- a/src/kadmin/server/misc.h |
|
144 +++ b/src/kadmin/server/misc.h |
|
145 @@ -8,6 +8,7 @@ |
|
146 #define _MISC_H 1 |
|
147 |
|
148 #include "net-server.h" /* for krb5_fulladdr */ |
|
149 +#include "kadmind_audit.h" |
|
150 |
|
151 int |
|
152 setup_gss_names(struct svc_req *, gss_buffer_desc *, |
|
153 --- a/src/kadmin/server/server_stubs.c |
|
154 +++ b/src/kadmin/server/server_stubs.c |
|
155 @@ -312,6 +312,29 @@ log_unauth( |
|
156 slen = server->length; |
|
157 trunc_name(&slen, &sdots); |
|
158 |
|
159 + { |
|
160 + char *client_str = NULL, *server_str = NULL; |
|
161 + int len; |
|
162 + |
|
163 + len = asprintf(&client_str, "%.*s%s", (int)clen, (char *)client->value, |
|
164 + cdots); |
|
165 + if (len == -1) |
|
166 + return ENOMEM; |
|
167 + |
|
168 + len = asprintf(&server_str, "%.*s%s", (int)slen, (char *)server->value, |
|
169 + sdots); |
|
170 + if (len == -1) { |
|
171 + free(client_str); |
|
172 + return ENOMEM; |
|
173 + } |
|
174 + |
|
175 + audit_kadmind(op, target, client_str, server_str, |
|
176 + _("Unauthorized request"), rqstp->rq_xprt, 1); |
|
177 + |
|
178 + free(client_str); |
|
179 + free(server_str); |
|
180 + } |
|
181 + |
|
182 /* okay to cast lengths to int because trunc_name limits max value */ |
|
183 return krb5_klog_syslog(LOG_NOTICE, |
|
184 _("Unauthorized request: %s, %.*s%s, " |
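Review bot: The two `if (len == -1) return ENOMEM;` exits cause an allocation failure while building the audit strings to skip the `krb5_klog_syslog` call that follows the block, so under memory pressure the existing unauthorized-request log entry is lost along with the new audit record; auditing should be best-effort here and fall through to the syslog on failure. The same twenty-line `asprintf` pair is repeated verbatim in `log_done`, so a small static helper would remove the duplication and centralise the NULL-on-failure handling (glibc leaves the pointer undefined after a failed `asprintf`, so returning an explicit NULL from the helper is what makes the unconditional `free` below safe). `log_unauth` begins and ends outside the hunk; the type of `client`/`server` is inferred from the `->value`/`->length` uses as a `gss_buffer_t`.
```c
/* Build "name…" (name truncated to len, dots appended) for the audit record.
 * Returns NULL on allocation failure; caller frees. */
static char *
audit_name(gss_buffer_t buf, size_t len, const char *dots)
{
    char *s = NULL;

    if (asprintf(&s, "%.*s%s", (int)len, (char *)buf->value, dots) == -1)
        return NULL;
    return s;
}

/* … unchanged: log_unauth up to trunc_name(&slen, &sdots); … */
    {
        char *client_str = audit_name(client, clen, cdots);
        char *server_str = audit_name(server, slen, sdots);

        /* Auditing is best-effort: on allocation failure still emit the
         * syslog entry below rather than dropping the record entirely. */
        if (client_str != NULL && server_str != NULL) {
            audit_kadmind(op, target, client_str, server_str,
                          _("Unauthorized request"), rqstp->rq_xprt, 1);
        }
        free(client_str);
        free(server_str);
    }
/* … unchanged: krb5_klog_syslog call … */
```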
|
185 @@ -343,6 +366,29 @@ log_done( |
|
186 slen = server->length; |
|
187 trunc_name(&slen, &sdots); |
|
188 |
|
189 + { |
|
190 + char *client_str = NULL, *server_str = NULL; |
|
191 + int len; |
|
192 + |
|
193 + len = asprintf(&client_str, "%.*s%s", (int)clen, (char *)client->value, |
|
194 + cdots); |
|
195 + if (len == -1) |
|
196 + return ENOMEM; |
|
197 + |
|
198 + len = asprintf(&server_str, "%.*s%s", (int)slen, (char *)server->value, |
|
199 + sdots); |
|
200 + if (len == -1) { |
|
201 + free(client_str); |
|
202 + return ENOMEM; |
|
203 + } |
|
204 + |
|
205 + audit_kadmind(op, target, client_str, server_str, (char *)errmsg, |
|
206 + rqstp->rq_xprt, strcmp("success", errmsg) ? 1 : 0); |
|
207 + |
|
208 + free(client_str); |
|
209 + free(server_str); |
|
210 + } |
|
211 + |
|
212 /* okay to cast lengths to int because trunc_name limits max value */ |
|
213 return krb5_klog_syslog(LOG_NOTICE, |
|
214 _("Request: %s, %.*s%s, %s, " |
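Review bot: The audit success flag is derived with `strcmp("success", errmsg) ? 1 : 0`, which depends on every caller of `log_done` passing exactly that literal; the sibling `log_unauth` hunk wraps its status in `_()`, so if any caller localises `"success"` the flag silently becomes 1 for successful operations. Deriving the flag from the error code the caller already has, or at least documenting the literal contract with `/* errmsg is "success" (untranslated) on success; anything else is a failure */`, would make the dependency explicit. As in `log_unauth`, the `return ENOMEM` on `asprintf` failure skips the `krb5_klog_syslog` call after the block, so an allocation failure drops the primary log entry; skipping only the `audit_kadmind` call on failure keeps the syslog intact. `log_done` begins and ends outside the hunk.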
|
215 --- a/src/kdc/kdc_audit.c |
|
216 +++ b/src/kdc/kdc_audit.c |
|
217 @@ -80,6 +80,11 @@ load_audit_modules(krb5_context context) |
|
218 if (context == NULL || handles != NULL) |
|
219 return EINVAL; |
|
220 |
|
221 + ret = k5_plugin_register_dyn(context, PLUGIN_INTERFACE_AUDIT, "solaris", |
|
222 + "audit"); |
|
223 + if (ret) |
|
224 + return ret; |
|
225 + |
|
226 /* Get audit plugin vtable. */ |
|
227 ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_AUDIT, &modules); |
|
228 if (ret) |
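Review bot: The added `k5_plugin_register_dyn(..., "solaris", "audit")` makes `load_audit_modules` fail whenever registration fails, and it runs unconditionally, so every KDC built from this tree now depends on the Solaris audit module being present. Whether a missing `.so` is then fatal at `k5_plugin_load_all` or merely skipped is not visible here; a comment stating the intended behaviour, e.g. `/* Solaris-only: the bsm audit module is always registered; a missing module is fatal/non-fatal at load time (confirm). */`, would tell the next maintainer which outcome is expected. Since this file is also built for non-Solaris targets in the upstream tree, guarding the registration on the configured audit plugin would match the conditional build added in configure.in. `load_audit_modules` begins outside the hunk.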
|
229 --- a/src/Makefile.in |
|
230 +++ b/src/Makefile.in |
|
231 @@ -65,7 +65,7 @@ INSTALLMKDIRS = $(KRB5ROOT) $(KRB5MANROO |
|
232 $(FILE_CATDIR) \ |
|
233 $(KRB5_LIBDIR) $(KRB5_INCDIR) \ |
|
234 $(KRB5_DB_MODULE_DIR) $(KRB5_PA_MODULE_DIR) \ |
|
235 - $(KRB5_AD_MODULE_DIR) \ |
|
236 + $(KRB5_AD_MODULE_DIR) $(KRB5_AU_MODULE_DIR) \ |
|
237 $(KRB5_LIBKRB5_MODULE_DIR) $(KRB5_TLS_MODULE_DIR) \ |
|
238 @localstatedir@ @localstatedir@/krb5kdc \ |
|
239 @runstatedir@ @runstatedir@/krb5kdc \ |
|