Merge lp:~tyhicks/lightdm/auditing into lp:lightdm

Proposed by Tyler Hicks
Status: Merged
Merged at revision: 2183
Proposed branch: lp:~tyhicks/lightdm/auditing
Merge into: lp:lightdm
Diff against target: 157 lines (+68/-0)
6 files modified
configure.ac (+17/-0)
debian/changelog (+15/-0)
debian/control (+1/-0)
debian/lightdm.lightdm-autologin.pam (+1/-0)
debian/lightdm.pam (+1/-0)
src/session-child.c (+33/-0)
To merge this branch: bzr merge lp:~tyhicks/lightdm/auditing
Reviewer          Review Type              Date Requested   Status
Robert Ancell                                               Approve
PS Jenkins bot    continuous-integration                    Needs Fixing
Review via email: mp+269828@code.launchpad.net

Description of the change

Adds the ability to generate audit log events when a user is logging in or out.

I've tested logging in and out as an admin user w/ password, a standard user w/ password, an autologin user, and a guest session. Unfortunately, I don't know how to test remote sessions.

Seth Arnold (seth-arnold) wrote :

Is it kosher to modify configure.ac directly?

Thanks

PS Jenkins bot (ps-jenkins) wrote :

FAILED: Continuous integration, rev:2181
No commit message was specified in the merge proposal. Click on the following link and set the commit message (if you want a jenkins rebuild you need to trigger it yourself):
https://code.launchpad.net/~tyhicks/lightdm/auditing/+merge/269828/+edit-commit-message

http://jenkins.qa.ubuntu.com/job/lightdm-ci/312/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/lightdm-wily-amd64-ci/2
    SUCCESS: http://jenkins.qa.ubuntu.com/job/lightdm-wily-armhf-ci/2

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/lightdm-ci/312/rebuild

review: Needs Fixing (continuous-integration)

Tyler Hicks (tyhicks) wrote :

@Seth - This is an upstream lightdm merge request so I am modifying configure.ac and src/session-child.c directly. It is maybe a bit confusing since the upstream lightdm project contains a debian/ directory, which I've also updated accordingly in this merge.

Robert Ancell (robert-ancell) wrote :

Yay, yet another auditing system...

Looks fine otherwise.

review: Approve

Sebastien Bacher (seb128) wrote :

Those changes seem to create an issue with the lockscreen, see bug #1498775.

Robert Ancell (robert-ancell) wrote :

This has been disabled until we solve the issue in bug 1498775.

Preview Diff

=== modified file 'configure.ac'
--- configure.ac 2015-08-16 22:44:33 +0000
+++ configure.ac 2015-09-02 01:58:24 +0000
@@ -129,6 +129,23 @@
129fi129fi
130AM_CONDITIONAL(COMPILE_LIBLIGHTDM_QT5, test x"$compile_liblightdm_qt5" != "xno")130AM_CONDITIONAL(COMPILE_LIBLIGHTDM_QT5, test x"$compile_liblightdm_qt5" != "xno")
131131
132AC_ARG_ENABLE([audit],
133 AS_HELP_STRING([--enable-audit],
134 [Enable audit logging of login and logout events [[default=auto]]]),
135 [enable_audit=$enableval],
136 [enable_audit=auto])
137if test x"$enable_audit" != "xno"; then
138 AC_CHECK_LIB([audit], [audit_log_user_message],
139 [AC_DEFINE(HAVE_LIBAUDIT, 1, [libaudit support])
140 LIGHTDM_LIBS="${LIGHTDM_LIBS} -laudit"
141 ],
142 [if test "x$enable_audit" != xauto; then
143 AC_MSG_FAILURE(
144 [--enable-audit was given, but test for libaudit failed])
145 fi
146 ])
147fi
148
132AC_MSG_CHECKING(whether to build tests)149AC_MSG_CHECKING(whether to build tests)
133AC_ARG_ENABLE(tests,150AC_ARG_ENABLE(tests,
134 AS_HELP_STRING([--disable-tests], [Disable tests building]),151 AS_HELP_STRING([--disable-tests], [Disable tests building]),
135152
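Review bot: The AC_CHECK_LIB probe tests for audit_log_user_message, but the code added to src/session-child.c calls audit_open and audit_log_acct_message, so the probe can succeed against a libaudit that lacks the function actually used. Probe audit_log_acct_message instead, and add an AC_CHECK_HEADER for libaudit.h so that HAVE_LIBAUDIT is only defined when the header is present as well. The two shell tests also quote differently (x"$enable_audit" != "xno" versus "x$enable_audit" != xauto); pick one form.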
=== modified file 'debian/changelog'
--- debian/changelog 2015-08-26 08:42:02 +0000
+++ debian/changelog 2015-09-02 01:58:24 +0000
@@ -1,3 +1,18 @@
1lightdm (1.15.3-0ubuntu4) UNRELEASED; urgency=medium
2
3 * Generate login and logout events that can be used by the Linux Audit tools
4 such as aulast and aureport (LP: #1319278) (LP: #1478087)
5 - Link against libaudit and log AUDIT_USER_LOGIN and AUDIT_USER_LOGOUT
6 events after appending entries to the wtmp file. These events go to the
7 audit log and can then be consumed by the Linux Audit tools.
8 - debian/control: Add libaudit-dev to Build-Depends
9 - debian/lightdm.pam, debian/lightdm-autologin.pam: Set the loginuid for
10 the process that is authenticating. This allows for the UID to be
11 properly set when AUDIT_USER_LOGIN and AUDIT_USER_LOGOUT events are
12 logged.
13
14 -- Tyler Hicks <tyhicks@canonical.com> Tue, 01 Sep 2015 20:37:22 -0500
15
1lightdm (1.15.3-0ubuntu3) wily; urgency=medium16lightdm (1.15.3-0ubuntu3) wily; urgency=medium
217
3 * debian/lightdm.postrm:18 * debian/lightdm.postrm:
419
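Review bot: The entry names debian/lightdm-autologin.pam, but the file changed in this merge is debian/lightdm.lightdm-autologin.pam. The first bullet also says the events are logged after appending entries to the wtmp file, while the failed-login event in src/session-child.c is logged after the /var/log/btmp update; reword the bullet so it covers both.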
=== modified file 'debian/control'
--- debian/control 2015-08-10 04:38:18 +0000
+++ debian/control 2015-09-02 01:58:24 +0000
@@ -27,6 +27,7 @@
27 gtk-doc-tools,27 gtk-doc-tools,
28 yelp-tools,28 yelp-tools,
29 dbus,29 dbus,
30 libaudit-dev
30Homepage: https://launchpad.net/lightdm31Homepage: https://launchpad.net/lightdm
31# If you aren't a member of ~lightdm-team but need to upload packaging changes,32# If you aren't a member of ~lightdm-team but need to upload packaging changes,
32# just go ahead. ~lightdm-team will notice and sync up the code again.33# just go ahead. ~lightdm-team will notice and sync up the code again.
3334
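Review bot: libaudit-dev becomes an unconditional Build-Depends while configure.ac defaults the feature to auto, and debian/rules is not among the files modified. Passing --enable-audit in the package build would turn a missing or broken libaudit into a build failure rather than a package silently built without audit support.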
=== modified file 'debian/lightdm.lightdm-autologin.pam'
--- debian/lightdm.lightdm-autologin.pam 2013-07-16 23:36:16 +0000
+++ debian/lightdm.lightdm-autologin.pam 2015-09-02 01:58:24 +0000
@@ -3,6 +3,7 @@
3auth required pam_permit.so3auth required pam_permit.so
4@include common-account4@include common-account
5session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close5session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
6session required pam_loginuid.so
6session required pam_limits.so7session required pam_limits.so
7@include common-session8@include common-session
8session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open9session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
910
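Review bot: The new pam_loginuid.so line has no comment saying why it is here. A one-line comment stating that it sets the loginuid used by the AUDIT_USER_LOGIN and AUDIT_USER_LOGOUT records would keep it from being dropped in a later cleanup; the same applies to the identical line in debian/lightdm.pam.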
=== modified file 'debian/lightdm.pam'
--- debian/lightdm.pam 2015-08-24 10:51:30 +0000
+++ debian/lightdm.pam 2015-09-02 01:58:24 +0000
@@ -7,6 +7,7 @@
7auth optional pam_kwallet5.so7auth optional pam_kwallet5.so
8@include common-account8@include common-account
9session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close9session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
10session required pam_loginuid.so
10session required pam_limits.so11session required pam_limits.so
11@include common-session12@include common-session
12session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open13session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
1314
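Review bot: pam_loginuid.so is added with the required control flag, so any failure to set the loginuid fails the session phase and the login with it. Confirm that every consumer of this PAM service can write its loginuid, including the remote sessions the description says were not tested, or relax the control flag if a missing loginuid should not block the session.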
=== modified file 'src/session-child.c'
--- src/session-child.c 2015-03-18 22:36:10 +0000
+++ src/session-child.c 2015-09-02 01:58:24 +0000
@@ -16,6 +16,7 @@
16#include <utmp.h>16#include <utmp.h>
17#include <utmpx.h>17#include <utmpx.h>
18#include <sys/mman.h>18#include <sys/mman.h>
19#include <libaudit.h>
1920
20#include "configuration.h"21#include "configuration.h"
21#include "session-child.h"22#include "session-child.h"
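Review bot: The #include <libaudit.h> line is unconditional, while configure.ac treats libaudit as optional and audit_event guards its body with HAVE_LIBAUDIT. A build with --disable-audit, or on a system without the header, fails here; wrap the include in the same HAVE_LIBAUDIT guard. The call sites also pass AUDIT_USER_LOGIN and AUDIT_USER_LOGOUT outside any guard, so those constants need a fallback or the calls need guarding too.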
@@ -220,6 +221,32 @@
220 updwtmp (wtmp_file, &u);221 updwtmp (wtmp_file, &u);
221}222}
222223
224static void
225audit_event (int type, const gchar *username, uid_t uid, const gchar *remote_host_name, const gchar *tty, gboolean success)
226{
227#if HAVE_LIBAUDIT
228 int auditfd, result;
229 const char *op = NULL;
230
231 auditfd = audit_open ();
232 if (auditfd < 0) {
233 g_printerr ("Error opening audit socket: %s\n", strerror (errno));
234 return;
235 }
236
237 if (type == AUDIT_USER_LOGIN)
238 op = "login";
239 else if (type == AUDIT_USER_LOGOUT)
240 op = "logout";
241 result = success == TRUE ? 1 : 0;
242
243 if (audit_log_acct_message (auditfd, type, NULL, op, username, uid, remote_host_name, NULL, tty, result) <= 0)
244 g_printerr ("Error writing audit message: %s\n", strerror (errno));
245
246 close (auditfd);
247#endif
248}
249
223int250int
224session_child_run (int argc, char **argv)251session_child_run (int argc, char **argv)
225{252{
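Review bot: When audit_open fails, audit_event prints an error on every login and logout, including on kernels built without audit support, where audit_open is expected to fail with EINVAL, EPROTONOSUPPORT or EAFNOSUPPORT. Treat those errno values as "audit unavailable" and return quietly, keeping the message for real failures. Smaller points: op stays NULL if type is neither AUDIT_USER_LOGIN nor AUDIT_USER_LOGOUT, and success == TRUE ? 1 : 0 is better written as success ? 1 : 0, since a gboolean can hold any non-zero value.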
@@ -386,6 +413,8 @@
386 ut.ut_tv.tv_usec = tv.tv_usec;413 ut.ut_tv.tv_usec = tv.tv_usec;
387414
388 updwtmpx ("/var/log/btmp", &ut);415 updwtmpx ("/var/log/btmp", &ut);
416
417 audit_event (AUDIT_USER_LOGIN, username, -1, remote_host_name, tty, FALSE);
389 }418 }
390419
391 /* Check account is valid */420 /* Check account is valid */
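Review bot: The uid argument is passed as a bare -1 to a uid_t parameter, relying on implicit conversion to an unsigned type. Write (uid_t) -1 and add a comment that no uid is known for a failed authentication, so the record is identified by username only.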
@@ -701,6 +730,8 @@
701 g_printerr ("Failed to write utmpx: %s\n", strerror (errno));730 g_printerr ("Failed to write utmpx: %s\n", strerror (errno));
702 endutxent ();731 endutxent ();
703 updwtmpx ("/var/log/wtmp", &ut);732 updwtmpx ("/var/log/wtmp", &ut);
733
734 audit_event (AUDIT_USER_LOGIN, username, uid, remote_host_name, tty, TRUE);
704 }735 }
705736
706 waitpid (child_pid, &return_code, 0);737 waitpid (child_pid, &return_code, 0);
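Review bot: audit_event returns void, so if the AUDIT_USER_LOGIN record cannot be written the only trace is a line on stderr and the session starts anyway. State in a comment that this is deliberately fail-open, or return a status so that the caller can decide.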
@@ -737,6 +768,8 @@
737 g_printerr ("Failed to write utmpx: %s\n", strerror (errno));768 g_printerr ("Failed to write utmpx: %s\n", strerror (errno));
738 endutxent ();769 endutxent ();
739 updwtmpx ("/var/log/wtmp", &ut);770 updwtmpx ("/var/log/wtmp", &ut);
771
772 audit_event (AUDIT_USER_LOGOUT, username, uid, remote_host_name, tty, TRUE);
740 }773 }
741 }774 }
742775
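Review bot: The AUDIT_USER_LOGOUT call sits inside the nested block that updates wtmp, so it is emitted only when that block runs. Check that it is reached on every path where the AUDIT_USER_LOGIN record was written; otherwise tools that pair the two records, such as aulast, will show the session as still open.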
