Add log_format sudoers setting to select sudo or json format logs.

Defaults to sudo-format logs.
2020-10-27 15:26:02 -06:00
parent 6bc729aa36
commit 28d6771d24
7 changed files with 132 additions and 19 deletions
--- a/doc/sudoers.man.in
+++ b/doc/sudoers.man.in
@@ -25,7 +25,7 @@
 .nr BA @BAMAN@
 .nr LC @LCMAN@
 .nr PS @PSMAN@
-.TH "SUDOERS" "@mansectform@" "September 25, 2020" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS" "@mansectform@" "October 27, 2020" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -4416,6 +4416,33 @@ The default value is
 \fIany\fR.
 .RE
 .TP 14n
 log_format
 The event log format.
 Supported log formats are:
 .PP
 .RS 14n
 .PD 0
 .TP 10n
 json
 Logs in JSON format.
 JSON log entries contain the full user details as well as the execution
 environment if the command was allowed.
 .PD
 .TP 10n
 sudo
 Traditional sudo-style logs, see
 \fILOG FORMAT\fR
 for a description of the log file format.
 .PP
 This setting affects logs sent via
 syslog(3)
 as well as the file specified by the
 \fIlogfile\fR
 setting, if any.
 The default value is
 \fIsudo\fR.
 .RE
 .TP 14n
 logfile
 Path to the
 \fBsudo\fR
@@ -4896,9 +4923,19 @@ The group provider plugin API is described in detail in
 sudo_plugin(@mansectform@).
 .SH "LOG FORMAT"
 \fBsudoers\fR
-can log events using either
+can log events in either JSON or
-syslog(3)
+\fIsudo\fR
-or a simple log file.
+format,
 this section describes the
 \fIsudo\fR
 log format.
 Depending on
 \fIsudoers\fR
 configuration,
 \fBsudoers\fR
 can log events via
 syslog(3),
 to a local log file, or both.
 The log format is almost identical in both cases.
 .SS "Accepted command log entries"
 Commands that sudo runs are logged using the following format (split
--- a/doc/sudoers.mdoc.in
+++ b/doc/sudoers.mdoc.in
@@ -24,7 +24,7 @@
 .nr BA @BAMAN@
 .nr LC @LCMAN@
 .nr PS @PSMAN@
-.Dd September 25, 2020
+.Dd October 27, 2020
 .Dt SUDOERS @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -4129,6 +4129,30 @@ Negating the option results in a value of
 being used.
 The default value is
 .Em any .
 .It log_format
 The event log format.
 Supported log formats are:
 .Bl -tag -width 8n
 .It json
 Logs in JSON format.
 JSON log entries contain the full user details as well as the execution
 environment if the command was allowed.
 Due to limitations of the protocol, JSON events sent via
 .Em syslog
 may be truncated.
 .It sudo
 Traditional sudo-style logs, see
 .Sx "LOG FORMAT"
 for a description of the log file format.
 .El
 .Pp
 This setting affects logs sent via
 .Xr syslog 3
 as well as the file specified by the
 .Em logfile
 setting, if any.
 The default value is
 .Em sudo .
 .It logfile
 Path to the
 .Nm sudo
@@ -4574,9 +4598,19 @@ The group provider plugin API is described in detail in
 .Xr sudo_plugin @mansectform@ .
 .Sh LOG FORMAT
 .Nm
-can log events using either
+can log events in either JSON or
-.Xr syslog 3
+.Em sudo
-or a simple log file.
+format,
 this section describes the
 .Em sudo
 log format.
 Depending on
 .Em sudoers
 configuration,
 .Nm
 can log events via
 .Xr syslog 3 ,
 to a local log file, or both.
 The log format is almost identical in both cases.
 .Ss Accepted command log entries
 Commands that sudo runs are logged using the following format (split
--- a/plugins/sudoers/def_data.c
+++ b/plugins/sudoers/def_data.c
@@ -38,6 +38,12 @@ static struct def_values def_data_timestamp_type[] = {
    { NULL, 0 },
 };
 static struct def_values def_data_log_format[] = {
    { "sudo", sudo },
    { "json", json },
    { NULL, 0 },
 };
 struct sudo_defs_types sudo_defs_table[] = {
    {
 	"syslog", T_LOGFAC|T_BOOL,
@@ -559,6 +565,10 @@ struct sudo_defs_types sudo_defs_table[] = {
 	"runchroot", T_STR|T_BOOL|T_CHPATH,
 	N_("Root directory to change to before executing the command: %s"),
 	NULL,
    }, {
 	"log_format", T_TUPLE,
 	N_("The format of logs to produce: %s"),
 	def_data_log_format,
    }, {
 	NULL, 0, NULL
    }
--- a/plugins/sudoers/def_data.h
+++ b/plugins/sudoers/def_data.h
@@ -260,6 +260,8 @@
 #define def_runcwd              (sudo_defs_table[I_RUNCWD].sd_un.str)
 #define I_RUNCHROOT             129
 #define def_runchroot           (sudo_defs_table[I_RUNCHROOT].sd_un.str)
 #define I_LOG_FORMAT            130
 #define def_log_format          (sudo_defs_table[I_LOG_FORMAT].sd_un.tuple)
 enum def_tuple {
    never,
@@ -271,5 +273,7 @@ enum def_tuple {
    global,
    ppid,
    tty,
-    kernel
+    kernel,
    sudo,
    json
 };
--- a/plugins/sudoers/def_data.in
+++ b/plugins/sudoers/def_data.in
@@ -405,3 +405,7 @@ runcwd
 runchroot
 	T_STR|T_BOOL|T_CHPATH
 	"Root directory to change to before executing the command: %s"
 log_format
 	T_TUPLE
 	"The format of logs to produce: %s"
 	sudo json
--- a/plugins/sudoers/logging.c
+++ b/plugins/sudoers/logging.c
@@ -510,6 +510,8 @@ sudoers_log_open(int type, const char *log_file)
    bool uid_changed;
    FILE *fp = NULL;
    mode_t oldmask;
    int fd, flags;
    char *omode;
    debug_decl(sudoers_log_open, SUDOERS_DEBUG_DEFAULTS);
    switch (type) {
@@ -517,21 +519,32 @@ sudoers_log_open(int type, const char *log_file)
 	    openlog("sudo", def_syslog_pid ? LOG_PID : 0, def_syslog);
 	    break;
 	case EVLOG_FILE:
-	    /* Open log file as root, mode 0600. */
+	    /* Open log file as root, mode 0600 (cannot append to JSON). */
 	    if (def_log_format == json) {
 		flags = O_RDWR|O_CREAT;
 		omode = "w";
 	    } else {
 		flags = O_WRONLY|O_APPEND|O_CREAT;
 		omode = "a";
 	    }
 	    oldmask = umask(S_IRWXG|S_IRWXO);
 	    uid_changed = set_perms(PERM_ROOT);
-	    fp = fopen(log_file, "a");
+	    fd = open(log_file, flags, S_IRUSR|S_IWUSR);
 	    if (uid_changed && !restore_perms()) {
-		if (fp != NULL) {
+		if (fd != -1) {
-		    fclose(fp);
+		    close(fd);
-		    fp = NULL;
+		    fd = -1;
 		}
 	    }
 	    (void) umask(oldmask);
-	    if (fp == NULL && !warned) {
+	    if (fd == -1 || (fp = fdopen(fd, omode)) == NULL) {
-		warned = true;
+		if (!warned) {
-		log_warning(SLOG_SEND_MAIL|SLOG_NO_LOG,
+		    warned = true;
-		    N_("unable to open log file: %s"), log_file);
+		    log_warning(SLOG_SEND_MAIL|SLOG_NO_LOG,
 			N_("unable to open log file: %s"), log_file);
 		}
 		if (fd != -1)
 		    close(fd);
 	    }
 	    break;
 	default:
@@ -591,7 +604,7 @@ init_eventlog_config(void)
 	logtype |= EVLOG_FILE;
    eventlog_set_type(logtype);
-    eventlog_set_format(EVLOG_SUDO);
+    eventlog_set_format(def_log_format == sudo ? EVLOG_SUDO : EVLOG_JSON);
    eventlog_set_syslog_acceptpri(def_syslog_goodpri);
    eventlog_set_syslog_rejectpri(def_syslog_badpri);
    eventlog_set_syslog_alertpri(def_syslog_badpri);
--- a/plugins/sudoers/sudoers.c
+++ b/plugins/sudoers/sudoers.c
@@ -1426,6 +1426,16 @@ cb_logfile(const union sudo_defs_val *sd_un)
    debug_return_bool(true);
 }
 static bool
 cb_log_format(const union sudo_defs_val *sd_un)
 {
    debug_decl(cb_log_format, SUDOERS_DEBUG_PLUGIN);
    eventlog_set_format(sd_un->tuple == sudo ? EVLOG_SUDO : EVLOG_JSON);
    debug_return_bool(true);
 }
 static bool
 cb_syslog(const union sudo_defs_val *sd_un)
 {
@@ -1601,6 +1611,7 @@ set_callbacks(void)
    sudo_defs_table[I_LOGLINELEN].callback = cb_loglinelen;
    sudo_defs_table[I_LOG_HOST].callback = cb_log_host;
    sudo_defs_table[I_LOGFILE].callback = cb_logfile;
    sudo_defs_table[I_LOG_FORMAT].callback = cb_log_format;
    sudo_defs_table[I_LOG_YEAR].callback = cb_log_year;
    sudo_defs_table[I_MAILERPATH].callback = cb_mailerpath;
    sudo_defs_table[I_MAILERFLAGS].callback = cb_mailerflags;