isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add log_exit setting in the sudo_logsrvd.conf eventlog stanza

Browse Source 
This causes sudo_logsrvd to log a record with the exit status or
terminating signal in response to an ExitMessage.
This commit is contained in:
Todd C. Miller
2021-07-09 11:08:44 -06:00
parent 17a415ae77
commit 0dd2b6442a
6 changed files with 73 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
doc/sudo_logsrvd.conf.man.in
View File

@@ -16,7 +16,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" .\"
.TH "SUDO_LOGSRVD.CONF" "@mansectform@" "June 13, 2021" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .TH "SUDO_LOGSRVD.CONF" "@mansectform@" "July 9, 2021" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@@ -168,6 +168,7 @@ will enable the TCP keepalive socket option on the client connection.
This enables the periodic transmission of keepalive messages to the client. This enables the periodic transmission of keepalive messages to the client.
If the client does not respond to a message in time, the connection will If the client does not respond to a message in time, the connection will
be closed. be closed.
Defaults to true.
.TP 10n .TP 10n
timeout = number timeout = number
The amount of time, in seconds, The amount of time, in seconds,
@@ -618,6 +619,12 @@ and
The default value is The default value is
\fIsyslog\fR. \fIsyslog\fR.
.TP 6n .TP 6n
log_exit = boolean
If true,
\fBsudo_logsrvd\fR
will log an event when a command exits or is terminated by a signal.
Defaults to false.
.TP 6n
log_format = string log_format = string
The event log format. The event log format.
Supported log formats are Supported log formats are
@@ -625,7 +632,7 @@ Supported log formats are
for traditional sudo-style logs and for traditional sudo-style logs and
\(lqjson\(rq \(lqjson\(rq
for JSON-format logs. for JSON-format logs.
The JSON log entries contain the full contents of the accept, reject The JSON log entries contain the full contents of the accept, reject, exit
and alert messages. and alert messages.
The default value is The default value is
\fIsudo\fR. \fIsudo\fR.
@@ -788,6 +795,7 @@ Sudo log server configuration file
#server_log = syslog #server_log = syslog
# If true, enable the SO_KEEPALIVE socket option on client connections. # If true, enable the SO_KEEPALIVE socket option on client connections.
# Defaults to true.
#tcp_keepalive = true #tcp_keepalive = true
# The amount of time, in seconds, the server will wait for the client to # The amount of time, in seconds, the server will wait for the client to
@@ -859,6 +867,7 @@ Sudo log server configuration file
#store_first = true #store_first = true
# If true, enable the SO_KEEPALIVE socket option on relay connections. # If true, enable the SO_KEEPALIVE socket option on relay connections.
# Defaults to true.
#tcp_keepalive = true #tcp_keepalive = true
# The amount of time, in seconds, the server will wait for the relay to # The amount of time, in seconds, the server will wait for the relay to
@@ -945,11 +954,15 @@ Sudo log server configuration file
#maxseq = 2176782336 #maxseq = 2176782336
[eventlog] [eventlog]
# Where to log accept, reject and alert events. # Where to log accept, reject, exit and alert events.
# Accepted values are syslog, logfile, or none. # Accepted values are syslog, logfile, or none.
# Defaults to syslog # Defaults to syslog
#log_type = syslog #log_type = syslog
# Whether to log an event when a command exits or is terminated by a signal.
# Defaults to false
#log_exit = true
# Event log format. # Event log format.
# Currently only sudo-style event logs are supported. # Currently only sudo-style event logs are supported.
#log_format = sudo #log_format = sudo

18
doc/sudo_logsrvd.conf.mdoc.in
View File

@@ -15,7 +15,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" .\"
.Dd June 13, 2021 .Dd July 9, 2021
.Dt SUDO_LOGSRVD.CONF @mansectform@ .Dt SUDO_LOGSRVD.CONF @mansectform@
.Os Sudo @PACKAGE_VERSION@ .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
@@ -152,6 +152,7 @@ will enable the TCP keepalive socket option on the client connection.
This enables the periodic transmission of keepalive messages to the client. This enables the periodic transmission of keepalive messages to the client.
If the client does not respond to a message in time, the connection will If the client does not respond to a message in time, the connection will
be closed. be closed.
Defaults to true.
.It timeout = number .It timeout = number
The amount of time, in seconds, The amount of time, in seconds,
.Nm sudo_logsrvd .Nm sudo_logsrvd
@@ -550,6 +551,11 @@ and
.Em none . .Em none .
The default value is The default value is
.Em syslog . .Em syslog .
.It log_exit = boolean
If true,
.Nm sudo_logsrvd
will log an event when a command exits or is terminated by a signal.
Defaults to false.
.It log_format = string .It log_format = string
The event log format. The event log format.
Supported log formats are Supported log formats are
@@ -557,7 +563,7 @@ Supported log formats are
for traditional sudo-style logs and for traditional sudo-style logs and
.Dq json .Dq json
for JSON-format logs. for JSON-format logs.
The JSON log entries contain the full contents of the accept, reject The JSON log entries contain the full contents of the accept, reject, exit
and alert messages. and alert messages.
The default value is The default value is
.Em sudo . .Em sudo .
@@ -717,6 +723,7 @@ Sudo log server configuration file
#server_log = syslog #server_log = syslog
# If true, enable the SO_KEEPALIVE socket option on client connections. # If true, enable the SO_KEEPALIVE socket option on client connections.
# Defaults to true.
#tcp_keepalive = true #tcp_keepalive = true
# The amount of time, in seconds, the server will wait for the client to # The amount of time, in seconds, the server will wait for the client to
@@ -788,6 +795,7 @@ Sudo log server configuration file
#store_first = true #store_first = true
# If true, enable the SO_KEEPALIVE socket option on relay connections. # If true, enable the SO_KEEPALIVE socket option on relay connections.
# Defaults to true.
#tcp_keepalive = true #tcp_keepalive = true
# The amount of time, in seconds, the server will wait for the relay to # The amount of time, in seconds, the server will wait for the relay to
@@ -874,11 +882,15 @@ Sudo log server configuration file
#maxseq = 2176782336 #maxseq = 2176782336
[eventlog] [eventlog]
# Where to log accept, reject and alert events. # Where to log accept, reject, exit and alert events.
# Accepted values are syslog, logfile, or none. # Accepted values are syslog, logfile, or none.
# Defaults to syslog # Defaults to syslog
#log_type = syslog #log_type = syslog
# Whether to log an event when a command exits or is terminated by a signal.
# Defaults to false
#log_exit = true
# Event log format. # Event log format.
# Currently only sudo-style event logs are supported. # Currently only sudo-style event logs are supported.
#log_format = sudo #log_format = sudo

8
examples/sudo_logsrvd.conf
View File

@@ -28,6 +28,7 @@
#server_log = syslog #server_log = syslog
# If true, enable the SO_KEEPALIVE socket option on client connections. # If true, enable the SO_KEEPALIVE socket option on client connections.
# Defaults to true.
#tcp_keepalive = true #tcp_keepalive = true
# The amount of time, in seconds, the server will wait for the client to # The amount of time, in seconds, the server will wait for the client to
@@ -99,6 +100,7 @@
#store_first = true #store_first = true
# If true, enable the SO_KEEPALIVE socket option on relay connections. # If true, enable the SO_KEEPALIVE socket option on relay connections.
# Defaults to true.
#tcp_keepalive = true #tcp_keepalive = true
# The amount of time, in seconds, the server will wait for the relay to # The amount of time, in seconds, the server will wait for the relay to
@@ -185,11 +187,15 @@
#maxseq = 2176782336 #maxseq = 2176782336
[eventlog] [eventlog]
# Where to log accept, reject and alert events. # Where to log accept, reject, exit and alert events.
# Accepted values are syslog, logfile, or none. # Accepted values are syslog, logfile, or none.
# Defaults to syslog # Defaults to syslog
#log_type = syslog #log_type = syslog
# Whether to log an event when a command exits or is terminated by a signal.
# Defaults to false
#log_exit = true
# Event log format. # Event log format.
# Supported log formats are "sudo" and "json" # Supported log formats are "sudo" and "json"
# Defaults to sudo # Defaults to sudo

1
logsrvd/logsrvd.h
View File

@@ -219,6 +219,7 @@ SSL_CTX *logsrvd_server_tls_ctx(void);
bool logsrvd_conf_relay_tls_check_peer(void); bool logsrvd_conf_relay_tls_check_peer(void);
SSL_CTX *logsrvd_relay_tls_ctx(void); SSL_CTX *logsrvd_relay_tls_ctx(void);
#endif #endif
bool logsrvd_conf_log_exit(void);
mode_t logsrvd_conf_iolog_mode(void); mode_t logsrvd_conf_iolog_mode(void);
void address_list_addref(struct server_address_list *); void address_list_addref(struct server_address_list *);
void address_list_delref(struct server_address_list *); void address_list_delref(struct server_address_list *);

23
logsrvd/logsrvd_conf.c
View File

@@ -158,6 +158,7 @@ static struct logsrvd_config {
} iolog; } iolog;
struct logsrvd_config_eventlog { struct logsrvd_config_eventlog {
int log_type; int log_type;
bool log_exit;
enum eventlog_format log_format; enum eventlog_format log_format;
} eventlog; } eventlog;
struct logsrvd_config_syslog { struct logsrvd_config_syslog {
@@ -177,6 +178,13 @@ static struct logsrvd_config {
static bool logsrvd_warn_enable_stderr = true; static bool logsrvd_warn_enable_stderr = true;
/* eventlog getters */
bool
logsrvd_conf_log_exit(void)
{
return logsrvd_config->eventlog.log_exit;
}
/* iolog getters */ /* iolog getters */
mode_t mode_t
logsrvd_conf_iolog_mode(void) logsrvd_conf_iolog_mode(void)
@@ -829,6 +837,19 @@ cb_eventlog_format(struct logsrvd_config *config, const char *str, size_t offset
debug_return_bool(true); debug_return_bool(true);
} }
static bool
cb_eventlog_exit(struct logsrvd_config *config, const char *str, size_t offset)
{
int val;
debug_decl(cb_eventlog_exit, SUDO_DEBUG_UTIL);
if ((val = sudo_strtobool(str)) == -1)
debug_return_bool(false);
config->eventlog.log_exit = val;
debug_return_bool(true);
}
/* syslog callbacks */ /* syslog callbacks */
static bool static bool
cb_syslog_maxlen(struct logsrvd_config *config, const char *str, size_t offset) cb_syslog_maxlen(struct logsrvd_config *config, const char *str, size_t offset)
@@ -1044,6 +1065,7 @@ static struct logsrvd_config_entry iolog_conf_entries[] = {
static struct logsrvd_config_entry eventlog_conf_entries[] = { static struct logsrvd_config_entry eventlog_conf_entries[] = {
{ "log_type", cb_eventlog_type }, { "log_type", cb_eventlog_type },
{ "log_format", cb_eventlog_format }, { "log_format", cb_eventlog_format },
{ "log_exit", cb_eventlog_exit },
{ NULL } { NULL }
}; };
@@ -1543,6 +1565,7 @@ logsrvd_conf_alloc(void)
/* Event log defaults */ /* Event log defaults */
config->eventlog.log_type = EVLOG_SYSLOG; config->eventlog.log_type = EVLOG_SYSLOG;
config->eventlog.log_format = EVLOG_SUDO; config->eventlog.log_format = EVLOG_SUDO;
config->eventlog.log_exit = false;
/* Syslog defaults */ /* Syslog defaults */
config->syslog.maxlen = 960; config->syslog.maxlen = 960;

12
logsrvd/logsrvd_local.c
View File

@@ -210,11 +210,14 @@ bool
store_exit_local(ExitMessage *msg, uint8_t *buf, size_t len, store_exit_local(ExitMessage *msg, uint8_t *buf, size_t len,
struct connection_closure *closure) struct connection_closure *closure)
{ {
const char *signame = NULL;
struct timespec run_time = { msg->run_time->tv_sec, msg->run_time->tv_nsec };
int flags = 0;
mode_t mode; mode_t mode;
debug_decl(store_exit_local, SUDO_DEBUG_UTIL); debug_decl(store_exit_local, SUDO_DEBUG_UTIL);
/* Sudo I/O logs don't store this info. */
if (msg->signal != NULL && msg->signal[0] != '\0') { if (msg->signal != NULL && msg->signal[0] != '\0') {
signame = msg->signal;
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO, sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"command was killed by SIG%s%s", msg->signal, "command was killed by SIG%s%s", msg->signal,
msg->dumped_core ? " (core dumped)" : ""); msg->dumped_core ? " (core dumped)" : "");
@@ -222,6 +225,13 @@ store_exit_local(ExitMessage *msg, uint8_t *buf, size_t len,
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO, sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"command exited with %d", msg->exit_value); "command exited with %d", msg->exit_value);
} }
if (logsrvd_conf_log_exit()) {
if (!eventlog_exit(closure->evlog, flags, &run_time, msg->exit_value,
signame, msg->dumped_core, NULL, NULL)) {
closure->errstr = _("error logging exit event");
debug_return_bool(false);
}
}
if (closure->log_io) { if (closure->log_io) {
/* Clear write bits from I/O timing file to indicate completion. */ /* Clear write bits from I/O timing file to indicate completion. */