From 18dbc52e4bd82b368a4be90ea0f928d1e75f24bd Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Fri, 27 Jun 2014 16:01:40 -0600 Subject: [PATCH] Add Solaris audit support; from Gary Winiger at Oracle. --- INSTALL | 3 + MANIFEST | 2 + config.h.in | 3 + configure | 21 ++++++ configure.ac | 16 +++++ mkdep.pl | 2 +- plugins/sudoers/Makefile.in | 13 +++- plugins/sudoers/audit.c | 13 ++++ plugins/sudoers/solaris_audit.c | 124 ++++++++++++++++++++++++++++++++ plugins/sudoers/solaris_audit.h | 23 ++++++ 10 files changed, 218 insertions(+), 2 deletions(-) create mode 100644 plugins/sudoers/solaris_audit.c create mode 100644 plugins/sudoers/solaris_audit.h diff --git a/INSTALL b/INSTALL index 7dad0e7d0..ba2b278e6 100644 --- a/INSTALL +++ b/INSTALL @@ -400,6 +400,9 @@ Authentication options: the user name (separated by a slash) when creating the principal name. + --with-solaris-audit + Enable audit support for Solaris systems. + --with-opie[=DIR] Enable NRL OPIE OTP (One Time Password) support. If specified, DIR should contain include and lib directories with opie.h diff --git a/MANIFEST b/MANIFEST index 645edb29c..90709633b 100644 --- a/MANIFEST +++ b/MANIFEST @@ -422,6 +422,8 @@ plugins/sudoers/regress/visudo/test4.sh plugins/sudoers/regress/visudo/test5.out.ok plugins/sudoers/regress/visudo/test5.sh plugins/sudoers/set_perms.c +plugins/sudoers/solaris_audit.c +plugins/sudoers/solaris_audit.h plugins/sudoers/sssd.c plugins/sudoers/sudo_nss.c plugins/sudoers/sudo_nss.h diff --git a/config.h.in b/config.h.in index d75a99545..7097ffeb3 100644 --- a/config.h.in +++ b/config.h.in @@ -548,6 +548,9 @@ /* Define to 1 if you have the `snprintf' function. */ #undef HAVE_SNPRINTF +/* Define to 1 to enable Solaris audit support. */ +#undef HAVE_SOLARIS_AUDIT + /* Define to 1 if you have the header file. */ #undef HAVE_SPAWN_H diff --git a/configure b/configure index b6cfffea9..042d0c977 100755 --- a/configure +++ b/configure 
@@ -791,6 +791,7 @@ CPPFLAGS PROGS CFLAGS LIBTOOL +HAVE_SOLARIS_AUDIT HAVE_BSM_AUDIT target_alias host_alias @@ -841,6 +842,7 @@ with_rpath with_blibpath with_bsm_audit with_linux_audit +with_solaris_audit with_sssd with_sssd_lib with_incpath @@ -1628,6 +1630,7 @@ Optional Packages: --with-blibpath=PATH deprecated --with-bsm-audit enable BSM audit support --with-linux-audit enable Linux audit support + --with-solaris-audit enable Solaris audit support --with-sssd enable SSSD support --with-sssd-lib path to the SSSD library --with-incpath additional places to look for include files @@ -2974,6 +2977,7 @@ $as_echo "$as_me: Configuring Sudo version $PACKAGE_VERSION" >&6;} + # @@ -3998,6 +4002,22 @@ fi +# Check whether --with-solaris-audit was given. +if test "${with_solaris_audit+set}" = set; then : + withval=$with_solaris_audit; case $with_solaris_audit in + yes) $as_echo "#define HAVE_SOLARIS_AUDIT 1" >>confdefs.h + + SUDOERS_LIBS="${SUDOERS_LIBS} -lbsm" + SUDOERS_OBJS="${SUDOERS_OBJS} solaris_audit.lo" + ;; + no) ;; + *) as_fn_error $? "\"--with-solaris-audit does not take an argument.\"" "$LINENO" 5 + ;; +esac +fi + + + # Check whether --with-sssd was given. if test "${with_sssd+set}" = set; then : withval=$with_sssd; case $with_sssd in @@ -24920,5 +24940,6 @@ fi + diff --git a/configure.ac b/configure.ac index d8f2531d8..5093b5582 100644 --- a/configure.ac +++ b/configure.ac @@ -15,6 +15,7 @@ dnl dnl Variables that get substituted in the Makefile and man pages dnl AC_SUBST([HAVE_BSM_AUDIT]) +AC_SUBST([HAVE_SOLARIS_AUDIT]) AC_SUBST([SHELL]) AC_SUBST([LIBTOOL]) AC_SUBST([CFLAGS]) 
@@ -331,6 +332,20 @@ AC_ARG_WITH(linux-audit, [AS_HELP_STRING([--with-linux-audit], [enable Linux aud ;; esac]) +dnl +dnl Handle Solaris auditing support. +dnl +AC_ARG_WITH(solaris-audit, [AS_HELP_STRING([--with-solaris-audit], [enable Solaris audit support])], +[case $with_solaris_audit in + yes) AC_DEFINE(HAVE_SOLARIS_AUDIT) + SUDOERS_LIBS="${SUDOERS_LIBS} -lbsm" + SUDOERS_OBJS="${SUDOERS_OBJS} solaris_audit.lo" + ;; + no) ;; + *) AC_MSG_ERROR(["--with-solaris-audit does not take an argument."]) + ;; +esac]) + dnl dnl Handle SSSD support. dnl @@ -3924,6 +3939,7 @@ AH_TEMPLATE(HAVE_SHL_LOAD, [Define to 1 if you have the `shl_load' function.]) AH_TEMPLATE(HAVE_SKEY, [Define to 1 if you use S/Key.]) AH_TEMPLATE(HAVE_SKEYACCESS, [Define to 1 if your S/Key library has skeyaccess().]) AH_TEMPLATE(HAVE_RFC1938_SKEYCHALLENGE, [Define to 1 if the skeychallenge() function is RFC1938-compliant and takes 4 arguments.]) +AH_TEMPLATE(HAVE_SOLARIS_AUDIT, [Define to 1 to enable Solaris audit support.]) AH_TEMPLATE(HAVE_ST__TIM, [Define to 1 if your struct stat uses an st__tim union.]) AH_TEMPLATE(HAVE_ST_MTIM, [Define to 1 if your struct stat has an st_mtim member.]) AH_TEMPLATE(HAVE_ST_MTIMESPEC, [Define to 1 if your struct stat has an st_mtimespec member.]) diff --git a/mkdep.pl b/mkdep.pl index bff2045ce..bfeae9c29 100755 --- a/mkdep.pl +++ b/mkdep.pl 
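Review bot: The `yes)` branch of the new `--with-solaris-audit` case appends `-lbsm` and `solaris_audit.lo` without probing that the adt_* interface is present, so a host that lacks it fails at compile or link time instead of at configure time. A probe along the lines of `AC_CHECK_LIB(bsm, adt_start_session, ...)` with an `AC_MSG_ERROR` fallback would report this early. Nothing in this hunk rejects `--with-bsm-audit` and `--with-solaris-audit` being given together, and audit.c calls every backend that is compiled in, so both would presumably write a record for the same event. Consider an `AC_MSG_ERROR` when both options are set.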
@@ -67,7 +67,7 @@ sub mkdep { $makefile =~ s:\@DEV\@::g; $makefile =~ s:\@COMMON_OBJS\@:aix.lo event_poll.lo event_select.lo:; $makefile =~ s:\@SUDO_OBJS\@:openbsd.o preload.o selinux.o sesh.o solaris.o sudo_noexec.lo:; - $makefile =~ s:\@SUDOERS_OBJS\@:bsm_audit.lo linux_audit.lo ldap.lo sssd.lo:; + $makefile =~ s:\@SUDOERS_OBJS\@:bsm_audit.lo linux_audit.lo ldap.lo solaris_audit.lo sssd.lo:; # XXX - fill in AUTH_OBJS from contents of the auth dir instead $makefile =~ s:\@AUTH_OBJS\@:afs.lo aix_auth.lo bsdauth.lo dce.lo fwtk.lo getspwuid.lo kerb5.lo pam.lo passwd.lo rfc1938.lo secureware.lo securid5.lo sia.lo:; $makefile =~ s:\@LTLIBOBJS\@:clock_gettime.lo closefrom.lo fnmatch.lo getaddrinfo.lo getcwd.lo getgrouplist.lo getline.lo getopt_long.lo glob.lo isblank.lo memrchr.lo memset_s.lo mksiglist.lo mksigname.lo mktemp.lo pw_dup.lo sha2.lo sig2str.lo siglist.lo signame.lo snprintf.lo strlcat.lo strlcpy.lo strsignal.lo strtonum.lo utimes.lo globtest.o fnm_test.o inet_pton:; diff --git a/plugins/sudoers/Makefile.in b/plugins/sudoers/Makefile.in index b9e7fa8a6..42808d469 100644 --- a/plugins/sudoers/Makefile.in +++ b/plugins/sudoers/Makefile.in @@ -463,7 +463,8 @@ alias.lo: $(srcdir)/alias.c $(devdir)/def_data.h $(devdir)/gram.h \ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/alias.c audit.lo: $(srcdir)/audit.c $(incdir)/compat/stdbool.h $(incdir)/gettext.h \ $(incdir)/missing.h $(incdir)/sudo_debug.h $(srcdir)/bsm_audit.h \ - $(srcdir)/linux_audit.h $(srcdir)/logging.h $(top_builddir)/config.h + $(srcdir)/linux_audit.h $(srcdir)/logging.h \ + $(srcdir)/solaris_audit.h $(top_builddir)/config.h $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/audit.c base64.lo: $(srcdir)/base64.c $(incdir)/missing.h $(incdir)/sudo_debug.h \ $(top_builddir)/config.h 
@@ -809,6 +810,16 @@ sia.lo: $(authdir)/sia.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ $(srcdir)/logging.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ $(top_builddir)/config.h $(top_builddir)/pathnames.h $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(authdir)/sia.c +solaris_audit.lo: $(srcdir)/solaris_audit.c $(devdir)/def_data.h \ + $(incdir)/compat/stdbool.h $(incdir)/fatal.h \ + $(incdir)/gettext.h $(incdir)/missing.h $(incdir)/queue.h \ + $(incdir)/sudo_alloc.h $(incdir)/sudo_debug.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h \ + $(srcdir)/solaris_audit.h $(srcdir)/sudo_nss.h \ + $(srcdir)/sudoers.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/solaris_audit.c sssd.lo: $(srcdir)/sssd.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ $(incdir)/fatal.h $(incdir)/gettext.h $(incdir)/missing.h \ $(incdir)/queue.h $(incdir)/sudo_alloc.h $(incdir)/sudo_debug.h \ diff --git a/plugins/sudoers/audit.c b/plugins/sudoers/audit.c index 5d388d62a..19befece5 100644 --- a/plugins/sudoers/audit.c +++ b/plugins/sudoers/audit.c @@ -46,6 +46,9 @@ #ifdef HAVE_LINUX_AUDIT # include "linux_audit.h" #endif +#ifdef HAVE_SOLARIS_AUDIT +# include "solaris_audit.h" +#endif int audit_success(int argc, char *argv[]) @@ -61,6 +64,10 @@ audit_success(int argc, char *argv[]) #ifdef HAVE_LINUX_AUDIT if (linux_audit_command(argv, 1) == -1) rc = -1; +#endif +#ifdef HAVE_SOLARIS_AUDIT + if (solaris_audit_success(argc, argv) == -1) + rc = -1; #endif } @@ -93,6 +100,12 @@ audit_failure(int argc, char *argv[], char const *const fmt, ...) rc = -1; va_end(ap); #endif +#ifdef HAVE_SOLARIS_AUDIT + va_start(ap, fmt); + if (solaris_audit_failure(argc, argv, _(fmt), ap) == -1) + rc = -1; + va_end(ap); +#endif sudoers_setlocale(oldlocale, NULL); } 
diff --git a/plugins/sudoers/solaris_audit.c b/plugins/sudoers/solaris_audit.c
new file mode 100644
index 000000000..cea60ce13
--- /dev/null
+++ b/plugins/sudoers/solaris_audit.c
@@ -0,0 +1,124 @@
+/*
+ * Copyright (c) 2014, Oracle and/or its affiliates.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include
+#include
+#include
+#include
+#include
+
+#include
+#include
+
+#include "sudoers.h"
+#include "sudo_debug.h"
+#include "solaris_audit.h"
+
+static adt_session_data_t *ah; /* audit session handle */
+static adt_event_data_t *event; /* event to be generated */
+static char cwd[MAXPATHLEN];
+static char cmdpath[PATH_MAX];
+
+static int
+adt_sudo_common(int argc, char *argv[])
+{
+ if (adt_start_session(&ah, NULL, ADT_USE_PROC_DATA) != 0) {
+ log_warning(SLOG_NO_STDERR, "adt_start_session");
+ return -1;
+ }
+ if ((event = adt_alloc_event(ah, ADT_sudo)) == NULL) {
+ log_warning(SLOG_NO_STDERR, "alloc_event");
+ (void) adt_end_session(ah);
+ return -1;
+ }
+ if ((event->adt_sudo.cwdpath = getcwd(cwd, sizeof(cwd))) == NULL) {
+ log_warning(SLOG_NO_STDERR, _("unable to get current working directory"));
+ }
+
+ /* get the real executable name */
+ if (user_cmnd != NULL) {
+ if (strlcpy(cmdpath, (const char *)user_cmnd,
+ sizeof(cmdpath)) >= sizeof(cmdpath)) {
+ log_warningx(SLOG_NO_STDERR,
+ _("truncated audit path user_cmnd: %s"),
+ user_cmnd);
+ }
+ } else {
+ if (strlcpy(cmdpath, (const char *)argv[0],
+ sizeof(cmdpath)) >= sizeof(cmdpath)) {
+ log_warningx(SLOG_NO_STDERR,
+ _("truncated audit path argv[0]: %s"),
+ argv[0]);
+ }
+ }
+
+ event->adt_sudo.cmdpath = cmdpath;
+ event->adt_sudo.argc = argc - 1;
+ event->adt_sudo.argv = &argv[1];
+ event->adt_sudo.envp = env_get();
+
+ return 0;
+}
+
+
+/*
+ * Returns 0 on success or -1 on error.
+ */
+int
+solaris_audit_success(int argc, char *argv[])
+{
+ int rc = -1;
+
+ if (adt_sudo_common(argc, argv) != 0) {
+ return -1;
+ }
+ if (adt_put_event(event, ADT_SUCCESS, ADT_SUCCESS) != 0) {
+ log_warning(SLOG_NO_STDERR, "adt_put_event(ADT_SUCCESS)");
+ } else {
+ rc = 0;
+ }
+ adt_free_event(event);
+ (void) adt_end_session(ah);
+
+ return rc;
+}
+
+/*
+ * Returns 0 on success or -1 on error.
+ */
+int
+solaris_audit_failure(int argc, char *argv[], char const *const fmt, va_list ap)
+{
+ int rc = -1;
+
+ if (adt_sudo_common(argc, argv) != 0) {
+ return -1;
+ }
+ if (vasprintf(&event->adt_sudo.errmsg, fmt, ap) == -1) {
+ log_warning(SLOG_NO_STDERR,
+ _("audit_failure message too long"));
+ }
+ if (adt_put_event(event, ADT_FAILURE, ADT_FAIL_VALUE_PROGRAM) != 0) {
+ log_warning(SLOG_NO_STDERR, "adt_put_event(ADT_FAILURE)");
+ } else {
+ rc = 0;
+ }
+ free(event->adt_sudo.errmsg);
+ adt_free_event(event);
+ (void) adt_end_session(ah);
+
+ return 0;
+}
diff --git a/plugins/sudoers/solaris_audit.h b/plugins/sudoers/solaris_audit.h
new file mode 100644
index 000000000..ed19f4e62
--- /dev/null
+++ b/plugins/sudoers/solaris_audit.h
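Review bot: solaris_audit_failure() ends with `return 0;`, so the `rc` it sets from adt_put_event() is discarded. A denied attempt whose audit record could not be written is therefore reported to audit_failure() as success; it should end with `return rc;`, as solaris_audit_success() does. In the same function, when vasprintf() fails the value left in `event->adt_sudo.errmsg` is not guaranteed on every libc, yet the pointer is still handed to adt_put_event() and free(). Assigning `event->adt_sudo.errmsg = NULL;` in that branch avoids using an indeterminate pointer. In adt_sudo_common() a truncated `cmdpath` is only logged and the event is still written, so the record can name a different path than the one sudo evaluated, which is worth a comment or a hard failure there.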
@@ -0,0 +1,23 @@
+/*
+ * Copyright (c) 2014, Oracle and/or its affiliates.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef _SUDOERS_SOLARIS_AUDIT_H
+#define _SUDOERS_SOLARIS_AUDIT_H
+
+int solaris_audit_success(int argc, char *argv[]);
+int solaris_audit_failure(int argc, char *argv[], char const *const fmt, va_list);
+
+#endif /* _SUDOERS_SOLARIS_AUDIT_H */
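Review bot: solaris_audit.h names `va_list` in the solaris_audit_failure() prototype without including `<stdarg.h>`, so it compiles only when every includer has already pulled that header in. Adding `#include <stdarg.h>` inside the guard would make the header self-contained. The prototypes also carry no statement of the return contract that audit.c relies on; a one-line comment such as `/* Both return 0 on success, -1 if the audit record could not be written. */` would document it. The last parameter is unnamed here, while the definition calls it `ap`.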