Add log_exit setting in the sudo_logsrvd.conf eventlog stanza

This causes sudo_logsrvd to log a record with the exit status or terminating signal in response to an ExitMessage.
2021-07-09 11:08:44 -06:00
parent 17a415ae77
commit 0dd2b6442a
6 changed files with 73 additions and 8 deletions
--- a/doc/sudo_logsrvd.conf.man.in
+++ b/doc/sudo_logsrvd.conf.man.in
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.TH "SUDO_LOGSRVD.CONF" "@mansectform@" "June 13, 2021" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDO_LOGSRVD.CONF" "@mansectform@" "July 9, 2021" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -168,6 +168,7 @@ will enable the TCP keepalive socket option on the client connection.
 This enables the periodic transmission of keepalive messages to the client.
 If the client does not respond to a message in time, the connection will
 be closed.
+Defaults to true.
 .TP 10n
 timeout = number
 The amount of time, in seconds,
@@ -618,6 +619,12 @@ and
 The default value is
 \fIsyslog\fR.
 .TP 6n
+log_exit = boolean
+If true,
+\fBsudo_logsrvd\fR
+will log an event when a command exits or is terminated by a signal.
+Defaults to false.
+.TP 6n
 log_format = string
 The event log format.
 Supported log formats are
@@ -625,7 +632,7 @@ Supported log formats are
 for traditional sudo-style logs and
 \(lqjson\(rq
 for JSON-format logs.
-The JSON log entries contain the full contents of the accept, reject
+The JSON log entries contain the full contents of the accept, reject, exit
 and alert messages.
 The default value is
 \fIsudo\fR.
@@ -788,6 +795,7 @@ Sudo log server configuration file
 #server_log = syslog

 # If true, enable the SO_KEEPALIVE socket option on client connections.
+# Defaults to true.
 #tcp_keepalive = true

 # The amount of time, in seconds, the server will wait for the client to
@@ -859,6 +867,7 @@ Sudo log server configuration file
 #store_first = true

 # If true, enable the SO_KEEPALIVE socket option on relay connections.
+# Defaults to true.
 #tcp_keepalive = true

 # The amount of time, in seconds, the server will wait for the relay to
@@ -945,11 +954,15 @@ Sudo log server configuration file
 #maxseq = 2176782336

 [eventlog]
-# Where to log accept, reject and alert events.
+# Where to log accept, reject, exit and alert events.
 # Accepted values are syslog, logfile, or none.
 # Defaults to syslog
 #log_type = syslog

+# Whether to log an event when a command exits or is terminated by a signal.
+# Defaults to false
+#log_exit = true
+
 # Event log format.
 # Currently only sudo-style event logs are supported.
 #log_format = sudo
--- a/doc/sudo_logsrvd.conf.mdoc.in
+++ b/doc/sudo_logsrvd.conf.mdoc.in
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd June 13, 2021
+.Dd July 9, 2021
 .Dt SUDO_LOGSRVD.CONF @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -152,6 +152,7 @@ will enable the TCP keepalive socket option on the client connection.
 This enables the periodic transmission of keepalive messages to the client.
 If the client does not respond to a message in time, the connection will
 be closed.
+Defaults to true.
 .It timeout = number
 The amount of time, in seconds,
 .Nm sudo_logsrvd
@@ -550,6 +551,11 @@ and
 .Em none .
 The default value is
 .Em syslog .
+.It log_exit = boolean
+If true,
+.Nm sudo_logsrvd
+will log an event when a command exits or is terminated by a signal.
+Defaults to false.
 .It log_format = string
 The event log format.
 Supported log formats are
@@ -557,7 +563,7 @@ Supported log formats are
 for traditional sudo-style logs and
 .Dq json
 for JSON-format logs.
-The JSON log entries contain the full contents of the accept, reject
+The JSON log entries contain the full contents of the accept, reject, exit
 and alert messages.
 The default value is
 .Em sudo .
@@ -717,6 +723,7 @@ Sudo log server configuration file
 #server_log = syslog

 # If true, enable the SO_KEEPALIVE socket option on client connections.
+# Defaults to true.
 #tcp_keepalive = true

 # The amount of time, in seconds, the server will wait for the client to
@@ -788,6 +795,7 @@ Sudo log server configuration file
 #store_first = true

 # If true, enable the SO_KEEPALIVE socket option on relay connections.
+# Defaults to true.
 #tcp_keepalive = true

 # The amount of time, in seconds, the server will wait for the relay to
@@ -874,11 +882,15 @@ Sudo log server configuration file
 #maxseq = 2176782336

 [eventlog]
-# Where to log accept, reject and alert events.
+# Where to log accept, reject, exit and alert events.
 # Accepted values are syslog, logfile, or none.
 # Defaults to syslog
 #log_type = syslog

+# Whether to log an event when a command exits or is terminated by a signal.
+# Defaults to false
+#log_exit = true
+
 # Event log format.
 # Currently only sudo-style event logs are supported.
 #log_format = sudo
--- a/examples/sudo_logsrvd.conf
+++ b/examples/sudo_logsrvd.conf
@@ -28,6 +28,7 @@
 #server_log = syslog

 # If true, enable the SO_KEEPALIVE socket option on client connections.
+# Defaults to true.
 #tcp_keepalive = true

 # The amount of time, in seconds, the server will wait for the client to
@@ -99,6 +100,7 @@
 #store_first = true

 # If true, enable the SO_KEEPALIVE socket option on relay connections.
+# Defaults to true.
 #tcp_keepalive = true

 # The amount of time, in seconds, the server will wait for the relay to
@@ -185,11 +187,15 @@
 #maxseq = 2176782336

 [eventlog]
-# Where to log accept, reject and alert events.
+# Where to log accept, reject, exit and alert events.
 # Accepted values are syslog, logfile, or none.
 # Defaults to syslog
 #log_type = syslog

+# Whether to log an event when a command exits or is terminated by a signal.
+# Defaults to false
+#log_exit = true
+
 # Event log format.
 # Supported log formats are "sudo" and "json"
 # Defaults to sudo
--- a/logsrvd/logsrvd.h
+++ b/logsrvd/logsrvd.h
@@ -219,6 +219,7 @@ SSL_CTX *logsrvd_server_tls_ctx(void);
 bool logsrvd_conf_relay_tls_check_peer(void);
 SSL_CTX *logsrvd_relay_tls_ctx(void);
 #endif
+bool logsrvd_conf_log_exit(void);
 mode_t logsrvd_conf_iolog_mode(void);
 void address_list_addref(struct server_address_list *);
 void address_list_delref(struct server_address_list *);
--- a/logsrvd/logsrvd_conf.c
+++ b/logsrvd/logsrvd_conf.c
@@ -158,6 +158,7 @@ static struct logsrvd_config {
    } iolog;
    struct logsrvd_config_eventlog {
 	int log_type;
+        bool log_exit;
 	enum eventlog_format log_format;
    } eventlog;
    struct logsrvd_config_syslog {
@@ -177,6 +178,13 @@ static struct logsrvd_config {

 static bool logsrvd_warn_enable_stderr = true;

+/* eventlog getters */
+bool
+logsrvd_conf_log_exit(void)
+{
+    return logsrvd_config->eventlog.log_exit;
+}
+
 /* iolog getters */
 mode_t
 logsrvd_conf_iolog_mode(void)
@@ -829,6 +837,19 @@ cb_eventlog_format(struct logsrvd_config *config, const char *str, size_t offset
    debug_return_bool(true);
 }

+static bool
+cb_eventlog_exit(struct logsrvd_config *config, const char *str, size_t offset)
+{
+    int val;
+    debug_decl(cb_eventlog_exit, SUDO_DEBUG_UTIL);
+
+    if ((val = sudo_strtobool(str)) == -1)
+	debug_return_bool(false);
+
+    config->eventlog.log_exit = val;
+    debug_return_bool(true);
+}
+
 /* syslog callbacks */
 static bool
 cb_syslog_maxlen(struct logsrvd_config *config, const char *str, size_t offset)
@@ -1044,6 +1065,7 @@ static struct logsrvd_config_entry iolog_conf_entries[] = {
 static struct logsrvd_config_entry eventlog_conf_entries[] = {
    { "log_type", cb_eventlog_type },
    { "log_format", cb_eventlog_format },
+    { "log_exit", cb_eventlog_exit },
    { NULL }
 };

@@ -1543,6 +1565,7 @@ logsrvd_conf_alloc(void)
    /* Event log defaults */
    config->eventlog.log_type = EVLOG_SYSLOG;
    config->eventlog.log_format = EVLOG_SUDO;
+    config->eventlog.log_exit = false;

    /* Syslog defaults */
    config->syslog.maxlen = 960;
--- a/logsrvd/logsrvd_local.c
+++ b/logsrvd/logsrvd_local.c
@@ -210,11 +210,14 @@ bool
 store_exit_local(ExitMessage *msg, uint8_t *buf, size_t len,
    struct connection_closure *closure)
 {
+    const char *signame = NULL;
+    struct timespec run_time = { msg->run_time->tv_sec, msg->run_time->tv_nsec };
+    int flags = 0;
    mode_t mode;
    debug_decl(store_exit_local, SUDO_DEBUG_UTIL);

-    /* Sudo I/O logs don't store this info. */
    if (msg->signal != NULL && msg->signal[0] != '\0') {
+	signame = msg->signal;
 	sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
 	    "command was killed by SIG%s%s", msg->signal,
 	    msg->dumped_core ? " (core dumped)" : "");
@@ -222,6 +225,13 @@ store_exit_local(ExitMessage *msg, uint8_t *buf, size_t len,
 	sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
 	    "command exited with %d", msg->exit_value);
    }
+    if (logsrvd_conf_log_exit()) {
+	if (!eventlog_exit(closure->evlog, flags, &run_time, msg->exit_value,
+		signame, msg->dumped_core, NULL, NULL)) {
+	    closure->errstr = _("error logging exit event");
+	    debug_return_bool(false);
+	}
+    }

    if (closure->log_io) {
 	/* Clear write bits from I/O timing file to indicate completion. */