1 Add Solaris auditing to sudo. |
|
2 Code was developed in-house. |
|
3 Plan is to contribute these changes upstream to |
|
4 the latest sudo release, currently 1.8.10p2. |
|
5 |
|
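--- a/config.h.in
+++ b/config.h.in
@@ -542,6 +542,9 @@
 /* Define to 1 if you have the `snprintf' function. */
 #undef HAVE_SNPRINTF
 
+/* Define to 1 to enable Solaris audit support. */
+#undef HAVE_SOLARIS_AUDIT
+
 /* Define to 1 if you have the <spawn.h> header file. */
 #undef HAVE_SPAWN_H
 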
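--- a/configure.ac
+++ b/configure.ac
@@ -15,6 +15,7 @@ dnl
 dnl Variables that get substituted in the Makefile and man pages
 dnl
 AC_SUBST([HAVE_BSM_AUDIT])
+AC_SUBST([HAVE_SOLARIS_AUDIT])
 AC_SUBST([SHELL])
 AC_SUBST([LIBTOOL])
 AC_SUBST([CFLAGS])
@@ -322,6 +323,28 @@ AC_ARG_WITH(linux-audit, [AS_HELP_STRING
 esac])
 
 dnl
+dnl Handle Solaris auditing support.
+dnl
+AC_ARG_WITH(solaris-audit, [AS_HELP_STRING([--with-solaris-audit], [enable Solaris audit support])],
+[case $with_solaris_audit in
+ yes) AC_DEFINE(HAVE_SOLARIS_AUDIT)
+ SUDOERS_LIBS="${SUDOERS_LIBS} -lbsm"
+ SUDOERS_OBJS="${SUDOERS_OBJS} solaris_audit.lo"
+ ;;
+ no) ;;
+ *) AC_MSG_ERROR(["--with-solaris-audit does not take an argument."])
+ ;;
+esac])
+
+dnl
+dnl Check for use of Solaris audit with BSM or Linux audit
+dnl
+if test -n "$with_solaris_audit" && (test -n "$with_bsm_audit" || test -n "$with_linux_audit"); then
+ AC_MSG_ERROR([BSM/Linux and Solaris auditing options are mutually exclusive.])
+fi
+
+
+dnl
 dnl Handle SSSD support.
 dnl
 AC_ARG_WITH(sssd, [AS_HELP_STRING([--with-sssd], [enable SSSD support])],
@@ -3820,6 +3843,7 @@ AH_TEMPLATE(HAVE_SHL_LOAD, [Define to 1
 AH_TEMPLATE(HAVE_SKEY, [Define to 1 if you use S/Key.])
 AH_TEMPLATE(HAVE_SKEYACCESS, [Define to 1 if your S/Key library has skeyaccess().])
 AH_TEMPLATE(HAVE_RFC1938_SKEYCHALLENGE, [Define to 1 if the skeychallenge() function is RFC1938-compliant and takes 4 arguments.])
+AH_TEMPLATE(HAVE_SOLARIS_AUDIT, [Define to 1 to enable Solaris audit support.])
 AH_TEMPLATE(HAVE_ST__TIM, [Define to 1 if your struct stat uses an st__tim union.])
 AH_TEMPLATE(HAVE_ST_MTIM, [Define to 1 if your struct stat has an st_mtim member.])
 AH_TEMPLATE(HAVE_ST_MTIMESPEC, [Define to 1 if your struct stat has an st_mtimespec member.])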
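Review bot: The mutual-exclusion test in the second hunk uses `test -n`, so it fires whenever the variables are merely set, including to `no`: `--with-solaris-audit --without-bsm-audit` or `--without-solaris-audit --with-linux-audit` would be rejected even though only one audit backend is enabled. Compare against the enabled value instead, e.g. `if test "$with_solaris_audit" = "yes" && (test "$with_bsm_audit" = "yes" || test "$with_linux_audit" = "yes"); then`. The `yes)` branch also adds `-lbsm` and `solaris_audit.lo` without probing for the `<bsm/adt.h>` header the new source includes, so a host without it would presumably fail only at compile time; a header check with an AC_MSG_ERROR fallback would report that at configure time.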
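--- a/INSTALL
+++ b/INSTALL
@@ -386,6 +386,9 @@
 the user name (separated by a slash) when creating the
 principal name.
 
+ --with-solaris-audit
+ Enable audit support for Solaris systems.
+
 --with-opie[=DIR]
 Enable NRL OPIE OTP (One Time Password) support. If specified,
 DIR should contain include and lib directories with opie.h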
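--- a/MANIFEST
+++ b/MANIFEST
@@ -369,6 +369,8 @@
 plugins/sudoers/set_perms.c
 plugins/sudoers/sha2.c
 plugins/sudoers/sha2.h
+plugins/sudoers/solaris_audit.c
+plugins/sudoers/solaris_audit.h
 plugins/sudoers/sssd.c
 plugins/sudoers/sudo_nss.c
 plugins/sudoers/sudo_nss.h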
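--- a/mkdep.pl
+++ b/mkdep.pl
@@ -67,7 +67,7 @@
 $makefile =~ s:\@DEV\@::g;
 $makefile =~ s:\@COMMON_OBJS\@:aix.lo event_poll.lo event_select.lo:;
 $makefile =~ s:\@SUDO_OBJS\@:openbsd.o preload.o selinux.o sesh.o solaris.o sudo_noexec.lo:;
- $makefile =~ s:\@SUDOERS_OBJS\@:bsm_audit.lo linux_audit.lo ldap.lo sssd.lo:;
+ $makefile =~ s:\@SUDOERS_OBJS\@:bsm_audit.lo linux_audit.lo ldap.lo solaris_audit.lo sssd.lo:;
 # XXX - fill in AUTH_OBJS from contents of the auth dir instead
 $makefile =~ s:\@AUTH_OBJS\@:afs.lo aix_auth.lo bsdauth.lo dce.lo fwtk.lo getspwuid.lo kerb5.lo pam.lo passwd.lo rfc1938.lo secureware.lo securid5.lo sia.lo:;
 $makefile =~ s:\@LTLIBOBJS\@:closefrom.lo fnmatch.lo getaddrinfo.lo getcwd.lo getgrouplist.lo getline.lo getopt_long.lo glob.lo isblank.lo memrchr.lo memset_s.lo mksiglist.lo mksigname.lo mktemp.lo pw_dup.lo sig2str.lo siglist.lo signame.lo snprintf.lo strlcat.lo strlcpy.lo strsignal.lo strtonum.lo utimes.lo globtest.o fnm_test.o:;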
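--- a/plugins/sudoers/audit.c
+++ b/plugins/sudoers/audit.c
@@ -43,6 +43,9 @@
 #ifdef HAVE_LINUX_AUDIT
 # include "linux_audit.h"
 #endif
+#ifdef HAVE_SOLARIS_AUDIT
+# include "solaris_audit.h"
+#endif
 
 #define DEFAULT_TEXT_DOMAIN "sudoers"
 #include "gettext.h"
@@ -59,6 +62,9 @@
 #ifdef HAVE_LINUX_AUDIT
 linux_audit_command(exec_args, 1);
 #endif
+#ifdef HAVE_SOLARIS_AUDIT
+ solaris_audit_success(exec_args);
+#endif
 }
 
 debug_return;
@@ -82,6 +88,9 @@
 #ifdef HAVE_LINUX_AUDIT
 linux_audit_command(exec_args, 0);
 #endif
+#ifdef HAVE_SOLARIS_AUDIT
+ solaris_audit_failure(exec_args, fmt, ap);
+#endif
 va_end(ap);
 }
 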
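Review bot: Both new call sites discard the outcome of the audit write: `solaris_audit_success()` and `solaris_audit_failure()` are declared `void` in solaris_audit.h, and their bodies in this patch only call `log_warning()` when the session, event or `adt_put_event()` fails. At the success site in the second hunk that means the command can go ahead with no audit record, which matters on hosts where the audit trail is a compliance control. If fail-open is intended, say so at the call, e.g. `/* Solaris audit is best-effort: a failed record is logged, not fatal. */`; otherwise the two functions need to return a status that the caller acts on. The enclosing functions start and end outside these hunks, so how the other backends treat failure is not visible here.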
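--- a/plugins/sudoers/Makefile.in
+++ b/plugins/sudoers/Makefile.in
@@ -457,7 +457,7 @@
 $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/alias.c
 audit.lo: $(srcdir)/audit.c $(incdir)/gettext.h $(incdir)/missing.h \
 $(incdir)/sudo_debug.h $(srcdir)/bsm_audit.h $(srcdir)/linux_audit.h \
- $(srcdir)/logging.h $(top_builddir)/config.h \
+ $(srcdir)/solaris_audit.h $(srcdir)/logging.h $(top_builddir)/config.h \
 $(top_srcdir)/compat/stdbool.h
 $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/audit.c
 base64.lo: $(srcdir)/base64.c $(incdir)/missing.h $(incdir)/sudo_debug.h \
@@ -659,6 +659,9 @@
 $(incdir)/gettext.h $(incdir)/missing.h $(incdir)/sudo_debug.h \
 $(srcdir)/linux_audit.h $(top_builddir)/config.h
 $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/linux_audit.c
+solaris_audit.lo: $(srcdir)/solaris_audit.c $(top_builddir)/config.h \
+ $(srcdir)/sudoers.h $(incdir)/sudo_debug.h $(srcdir)/solaris_audit.h
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/solaris_audit.c
 locale.lo: $(srcdir)/locale.c $(incdir)/alloc.h $(incdir)/fatal.h \
 $(incdir)/gettext.h $(incdir)/missing.h $(srcdir)/logging.h \
 $(top_builddir)/config.h $(top_srcdir)/compat/stdbool.h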
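--- a/plugins/sudoers/solaris_audit.c
+++ b/plugins/sudoers/solaris_audit.c
@@ -0,0 +1,95 @@
+/*
+ * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
+ */
+
+#include <config.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <bsm/adt.h>
+#include <bsm/adt_event.h>
+
+#include "sudoers.h"
+#include "sudo_debug.h"
+#include "solaris_audit.h"
+
+adt_session_data_t *ah; /* audit session handle */
+adt_event_data_t *event; /* event to be generated */
+char cwd[MAXPATHLEN];
+char cmdpath[PATH_MAX];
+
+static void
+adt_sudo_common(char *exec_args[])
+{
+ int argc;
+
+ if (adt_start_session(&ah, NULL, ADT_USE_PROC_DATA) != 0) {
+ log_warning(USE_ERRNO | NO_STDERR, _("sudo: adt_start_session"));
+ }
+ if ((event = adt_alloc_event(ah, ADT_sudo)) == NULL) {
+ log_warning(USE_ERRNO | NO_STDERR, _("sudo: alloc_event"));
+ }
+ if ((event->adt_sudo.cwdpath = getcwd(cwd, sizeof (cwd))) == NULL) {
+ log_warning(USE_ERRNO | NO_STDERR, _("sudo: can't add cwd path"));
+ }
+ for (argc = 0; exec_args[argc] != NULL; argc++) {
+ continue;
+ }
+
+ /* get the real executable name */
+ if (user_cmnd != NULL) {
+ if (strlcpy(cmdpath, (const char *)user_cmnd,
+ sizeof (cmdpath)) >= sizeof (cmdpath)) {
+ log_warning(NO_STDERR,
+ _("sudo: truncated audit path " "user_cmnd: %s"),
+ user_cmnd);
+ }
+ } else {
+ if (strlcpy(cmdpath, (const char *)exec_args[0],
+ sizeof (cmdpath)) >= sizeof (cmdpath)) {
+ log_warning(NO_STDERR,
+ _("sudo: truncated audit path " "argv[0]: %s"),
+ exec_args[0]);
+ }
+ }
+
+ event->adt_sudo.cmdpath = cmdpath;
+
+ event->adt_sudo.argc = argc - 1;
+ event->adt_sudo.argv = &exec_args[1];
+ event->adt_sudo.envp = env_get();
+}
+
+
+void
+solaris_audit_success(char *exec_args[])
+{
+ adt_sudo_common(exec_args);
+
+ if (adt_put_event(event, ADT_SUCCESS, ADT_SUCCESS) != 0) {
+ log_warning(USE_ERRNO | NO_STDERR,
+ _("sudo: adt_put_event(success)"));
+ }
+ adt_free_event(event);
+ (void) adt_end_session(ah);
+}
+
+void
+solaris_audit_failure(char *exec_args[], char const *const fmt, va_list ap)
+{
+ adt_sudo_common(exec_args);
+
+ if (vasprintf(&event->adt_sudo.errmsg, fmt, ap) == -1) {
+ log_warning(USE_ERRNO | NO_STDERR,
+ _("sudo: audit_failure message too long"));
+ }
+ if (adt_put_event(event, ADT_FAILURE, ADT_FAIL_VALUE_PROGRAM) != 0) {
+ log_warning(USE_ERRNO | NO_STDERR,
+ _("sudo: adt_put_event(failure)"));
+ }
+ free(event->adt_sudo.errmsg);
+ adt_free_event(event);
+ (void) adt_end_session(ah);
+}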
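--- a/plugins/sudoers/solaris_audit.h
+++ b/plugins/sudoers/solaris_audit.h
@@ -0,0 +1,11 @@
+/*
+ * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
+ */
+
+#ifndef _SUDO_SOLARIS_AUDIT_H
+#define _SUDO_SOLARIS_AUDIT_H
+
+void solaris_audit_success(char **);
+void solaris_audit_failure(char **, char const * const, va_list);
+
+#endif /* _SUDO_SOLARIS_AUDIT_H */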
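Review bot: The prototype of solaris_audit_failure() uses `va_list`, but the header includes nothing, so it compiles only when the including file has already pulled in `<stdarg.h>`; add `#include <stdarg.h>` right after the include guard so the header is self-contained. The parameters are also unnamed and undocumented; `void solaris_audit_failure(char *exec_args[], char const *const fmt, va_list ap);` would match the definition, and a one-line comment on each prototype could state that failures to write the record are logged rather than returned.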
266 |
|