Use libaudit to generate audit events

diff --git a/configure.ac b/configure.ac
index a85846aa19540926ec1992f86ce7659677ccaa5f..27a0e096764ff9bab18e439a9aa0420d780b7a69 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -129,6 +129,23 @@ if test x"$enable_liblightdm_qt5" != "xno"; then
 fi
 AM_CONDITIONAL(COMPILE_LIBLIGHTDM_QT5, test x"$compile_liblightdm_qt5" != "xno")
 
+AC_ARG_ENABLE([audit],
+    AS_HELP_STRING([--enable-audit],
+                   [Enable audit logging of login and logout events [[default=auto]]]),
+    [enable_audit=$enableval],
+    [enable_audit=auto])
+if test x"$enable_audit" != "xno"; then
+    AC_CHECK_LIB([audit], [audit_log_user_message],
+                 [AC_DEFINE(HAVE_LIBAUDIT, 1, [libaudit support])
+                  LIGHTDM_LIBS="${LIGHTDM_LIBS} -laudit"
+                 ],
+                 [if test "x$enable_audit" != xauto; then
+                    AC_MSG_FAILURE(
+                      [--enable-audit was given, but test for libaudit failed])
+                  fi
+                 ])
+fi
+
 AC_MSG_CHECKING(whether to build tests)
 AC_ARG_ENABLE(tests,
         AS_HELP_STRING([--disable-tests], [Disable tests building]),

diff --git a/debian/control b/debian/control
index ba8f485d7709730a9d2462a9e796ba24eb30dada..d12b24c086c07309c28e10b06449965edd7e66db 100644 (file)
--- a/debian/control
+++ b/debian/control
@@ -27,6 +27,7 @@ Build-Depends: debhelper (>= 9),
                gtk-doc-tools,
                yelp-tools,
                dbus,
+               libaudit-dev
 Homepage: https://launchpad.net/lightdm
 # If you aren't a member of ~lightdm-team but need to upload packaging changes,
 # just go ahead.  ~lightdm-team will notice and sync up the code again.

diff --git a/debian/lightdm.lightdm-autologin.pam b/debian/lightdm.lightdm-autologin.pam
index d38e7a83e978096eff5e77c425a642b945845f94..f42a4f4720a89800f03f11e49e3ba58e98841778 100644 (file)
--- a/debian/lightdm.lightdm-autologin.pam
+++ b/debian/lightdm.lightdm-autologin.pam
@@ -3,6 +3,7 @@ auth    requisite       pam_nologin.so
 auth    required        pam_permit.so
 @include common-account
 session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session required        pam_loginuid.so
 session required        pam_limits.so
 @include common-session
 session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open

diff --git a/debian/lightdm.pam b/debian/lightdm.pam
index cf564db0af06f9c17e0266b04504df1368cfa9ff..821a2a64b9cc933d755fb0e50818ed5b710f4bd4 100644 (file)
--- a/debian/lightdm.pam
+++ b/debian/lightdm.pam
@@ -7,6 +7,7 @@ auth    optional        pam_kwallet.so
 auth    optional        pam_kwallet5.so
 @include common-account
 session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session required        pam_loginuid.so
 session required        pam_limits.so
 @include common-session
 session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open

diff --git a/src/session-child.c b/src/session-child.c
index e85f57da27073059235748217e100dc64470f3ea..f84e6c7b0f8349a5d178139f32bc0a7f963da485 100644 (file)
--- a/src/session-child.c
+++ b/src/session-child.c
@@ -16,6 +16,7 @@
 #include <utmp.h>
 #include <utmpx.h>
 #include <sys/mman.h>
+#include <libaudit.h>
 
 #include "configuration.h"
 #include "session-child.h"
@@ -220,6 +221,32 @@ updwtmpx (const gchar *wtmp_file, struct utmpx *ut)
     updwtmp (wtmp_file, &u);
 }
 
+static void
+audit_event (int type, const gchar *username, uid_t uid, const gchar *remote_host_name, const gchar *tty, gboolean success)
+{
+#if HAVE_LIBAUDIT
+    int auditfd, result;
+    const char *op = NULL;
+
+    auditfd = audit_open ();
+    if (auditfd < 0) {
+        g_printerr ("Error opening audit socket: %s\n", strerror (errno));
+        return;
+    }
+
+    if (type == AUDIT_USER_LOGIN)
+        op = "login";
+    else if (type == AUDIT_USER_LOGOUT)
+        op = "logout";
+    result = success == TRUE ? 1 : 0;
+
+    if (audit_log_acct_message (auditfd, type, NULL, op, username, uid, remote_host_name, NULL, tty, result) <= 0)
+        g_printerr ("Error writing audit message: %s\n", strerror (errno));
+
+    close (auditfd);
+#endif
+}
+
 int
 session_child_run (int argc, char **argv)
 {
@@ -386,6 +413,8 @@ session_child_run (int argc, char **argv)
             ut.ut_tv.tv_usec = tv.tv_usec;
 
             updwtmpx ("/var/log/btmp", &ut);
+
+            audit_event (AUDIT_USER_LOGIN, username, -1, remote_host_name, tty, FALSE);
         }
 
         /* Check account is valid */
@@ -701,6 +730,8 @@ session_child_run (int argc, char **argv)
                 g_printerr ("Failed to write utmpx: %s\n", strerror (errno));
             endutxent ();
             updwtmpx ("/var/log/wtmp", &ut);
+
+            audit_event (AUDIT_USER_LOGIN, username, uid, remote_host_name, tty, TRUE);
         }
 
         waitpid (child_pid, &return_code, 0);
@@ -737,6 +768,8 @@ session_child_run (int argc, char **argv)
                 g_printerr ("Failed to write utmpx: %s\n", strerror (errno));
             endutxent ();
             updwtmpx ("/var/log/wtmp", &ut);
+
+            audit_event (AUDIT_USER_LOGOUT, username, uid, remote_host_name, tty, TRUE);
         }
     }