From 46e31a74d71f877750179a6ac19e805e74f17f4f Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Sat, 9 Mar 2024 10:59:54 -0700 Subject: [PATCH] Add "json_pretty" log format, currently the same as "json". In a future version, "json" will be an alias for "json_compact" instead. GitHub issue #357. --- docs/sudo_logsrvd.conf.man.in | 42 +++++++++++++++++++++------------- docs/sudo_logsrvd.conf.mdoc.in | 37 ++++++++++++++++++------------ docs/sudoers.man.in | 40 ++++++++++++++++++++------------ docs/sudoers.mdoc.in | 35 +++++++++++++++++----------- include/sudo_eventlog.h | 3 ++- lib/eventlog/eventlog.c | 2 ++ logsrvd/logsrvd_conf.c | 2 ++ plugins/sudoers/def_data.c | 1 + plugins/sudoers/def_data.h | 1 + plugins/sudoers/def_data.in | 2 +- plugins/sudoers/logging.c | 15 +----------- plugins/sudoers/sudoers.c | 27 ++++++++++++++++++++++ plugins/sudoers/sudoers.h | 1 + plugins/sudoers/sudoers_cb.c | 19 +-------------- 14 files changed, 135 insertions(+), 92 deletions(-) diff --git a/docs/sudo_logsrvd.conf.man.in b/docs/sudo_logsrvd.conf.man.in index 5faf05722..c0ed26d5a 100644 --- a/docs/sudo_logsrvd.conf.man.in +++ b/docs/sudo_logsrvd.conf.man.in @@ -16,7 +16,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.TH "SUDO_LOGSRVD.CONF" "@mansectform@" "March 8, 2024" "Sudo @PACKAGE_VERSION@" "File Formats Manual" +.TH "SUDO_LOGSRVD.CONF" "@mansectform@" "March 9, 2024" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .nh .if n .ad l .SH "NAME" 
@@ -688,30 +688,40 @@ Supported log formats are: .PD 0 .TP 6n json -Log events in JSON format. -The JSON log entries contain the full contents of the accept, reject, exit +Currently, this is an alias for +\fIjson_pretty\fR. +In a future version of +\fBsudo_logsrvd\fR, +\fIjson\fR +will be equivalent to +\fIjson_compact\fR. +JSON log entries contain the full contents of the accept, reject, exit and alert messages. +.PD +.TP 6n +json_compact +Log events in +\(lqcompact\(rq +(minified) JSON format. +Each event is written as a separate JSON object on single line without +extraneous white space. +Due to limitations of the protocol, JSON events sent via +\fIsyslog\fR +may be truncated. +.TP 6n +json_pretty +Log events in +\(lqpretty\(rq +JSON format. When logging to a file, the entire file is treated as a single JSON object consisting of multiple events, each event spanning multiple lines. When logging via \fIsyslog\fR, -events are stored in compact (minified) format, described below. -.PD -.TP 6n -json_compact -Log events in compact (minified) JSON format. -Each event is written as a separate JSON object on single line without -extraneous white space. -When logging via -\fIsyslog\fR, there is no difference between the -\fIjson\fR +\fIjson_pretty\fR and \fIjson_compact\fR formats. -Due to limitations of the protocol, JSON events sent via -\fIsyslog\fR -may be truncated. .TP 6n sudo Log events in traditional sudo-style log format. diff --git a/docs/sudo_logsrvd.conf.mdoc.in b/docs/sudo_logsrvd.conf.mdoc.in index 64b6de567..a1ee89329 100644 --- a/docs/sudo_logsrvd.conf.mdoc.in +++ b/docs/sudo_logsrvd.conf.mdoc.in @@ -15,7 +15,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd March 8, 2024 +.Dd March 9, 2024 .Dt SUDO_LOGSRVD.CONF @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME 
@@ -614,28 +614,37 @@ The event log format. Supported log formats are: .Bl -tag -width 4n .It json -Log events in JSON format. -The JSON log entries contain the full contents of the accept, reject, exit +Currently, this is an alias for +.Em json_pretty . +In a future version of +.Nm sudo_logsrvd , +.Em json +will be equivalent to +.Em json_compact . +JSON log entries contain the full contents of the accept, reject, exit and alert messages. +.It json_compact +Log events in +.Dq compact +(minified) JSON format. +Each event is written as a separate JSON object on single line without +extraneous white space. +Due to limitations of the protocol, JSON events sent via +.Em syslog +may be truncated. +.It json_pretty +Log events in +.Dq pretty +JSON format. When logging to a file, the entire file is treated as a single JSON object consisting of multiple events, each event spanning multiple lines. When logging via .Em syslog , -events are stored in compact (minified) format, described below. -.It json_compact -Log events in compact (minified) JSON format. -Each event is written as a separate JSON object on single line without -extraneous white space. -When logging via -.Em syslog , there is no difference between the -.Em json +.Em json_pretty and .Em json_compact formats. -Due to limitations of the protocol, JSON events sent via -.Em syslog -may be truncated. .It sudo Log events in traditional sudo-style log format. See the diff --git a/docs/sudoers.man.in b/docs/sudoers.man.in index 9d5abf0ec..c08fa17b0 100644 --- a/docs/sudoers.man.in +++ b/docs/sudoers.man.in @@ -25,7 +25,7 @@ .nr BA @BAMAN@ .nr LC @LCMAN@ .nr PS @PSMAN@ -.TH "SUDOERS" "@mansectform@" "March 8, 2024" "Sudo @PACKAGE_VERSION@" "File Formats Manual" +.TH "SUDOERS" "@mansectform@" "March 9, 2024" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .nh .if n .ad l .SH "NAME" 
@@ -5381,30 +5381,40 @@ Supported log formats are: .PD 0 .TP 6n json -Log events in JSON format. +Currently, this is an alias for +\fIjson_pretty\fR. +In a future version of +\fBsudo\fR, +\fIjson\fR +will be equivalent to +\fIjson_compact\fR. JSON log entries contain the full user details as well as the execution environment if the command was allowed. +.PD +.TP 6n +json_compact +Log events in +\(lqcompact\(rq +(minified) JSON format. +Each event is written as a separate JSON object on single line without +extraneous white space. +Due to limitations of the protocol, JSON events sent via +\fIsyslog\fR +may be truncated. +.TP 6n +json_pretty +Log events in +\(lqpretty\(rq +JSON format. When logging to a file, the entire file is treated as a single JSON object consisting of multiple events, each event spanning multiple lines. When logging via \fIsyslog\fR, -events are stored in compact (minified) format, described below. -.PD -.TP 6n -json_compact -Log events in compact (minified) JSON format. -Each event is written as a separate JSON object on single line without -extraneous white space. -When logging via -\fIsyslog\fR, there is no difference between the -\fIjson\fR +\fIjson_pretty\fR and \fIjson_compact\fR formats. -Due to limitations of the protocol, JSON events sent via -\fIsyslog\fR -may be truncated. .TP 6n sudo Log events in traditional sudo-style format, see diff --git a/docs/sudoers.mdoc.in b/docs/sudoers.mdoc.in index 278c53517..e8feb9a1c 100644 --- a/docs/sudoers.mdoc.in +++ b/docs/sudoers.mdoc.in @@ -25,7 +25,7 @@ .nr BA @BAMAN@ .nr LC @LCMAN@ .nr PS @PSMAN@ -.Dd March 8, 2024 +.Dd March 9, 2024 .Dt SUDOERS @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME 
@@ -5054,28 +5054,37 @@ The event log format. Supported log formats are: .Bl -tag -width 4n .It json -Log events in JSON format. +Currently, this is an alias for +.Em json_pretty . +In a future version of +.Nm sudo , +.Em json +will be equivalent to +.Em json_compact . JSON log entries contain the full user details as well as the execution environment if the command was allowed. +.It json_compact +Log events in +.Dq compact +(minified) JSON format. +Each event is written as a separate JSON object on single line without +extraneous white space. +Due to limitations of the protocol, JSON events sent via +.Em syslog +may be truncated. +.It json_pretty +Log events in +.Dq pretty +JSON format. When logging to a file, the entire file is treated as a single JSON object consisting of multiple events, each event spanning multiple lines. When logging via .Em syslog , -events are stored in compact (minified) format, described below. -.It json_compact -Log events in compact (minified) JSON format. -Each event is written as a separate JSON object on single line without -extraneous white space. -When logging via -.Em syslog , there is no difference between the -.Em json +.Em json_pretty and .Em json_compact formats. -Due to limitations of the protocol, JSON events sent via -.Em syslog -may be truncated. .It sudo Log events in traditional sudo-style format, see .Sx "EVENT LOGGING" diff --git a/include/sudo_eventlog.h b/include/sudo_eventlog.h index 48e3a122f..f374dc06d 100644 --- a/include/sudo_eventlog.h +++ b/include/sudo_eventlog.h @@ -44,7 +44,8 @@ enum event_type { enum eventlog_format { EVLOG_SUDO, EVLOG_JSON, - EVLOG_JSON_COMPACT + EVLOG_JSON_COMPACT, + EVLOG_JSON_PRETTY }; /* Eventlog flag values. */ diff --git a/lib/eventlog/eventlog.c b/lib/eventlog/eventlog.c index 92747ea13..cd893d39d 100644 --- a/lib/eventlog/eventlog.c +++ b/lib/eventlog/eventlog.c 
@@ -1132,6 +1132,7 @@ do_syslog(int event_type, int flags, struct eventlog_args *args, break; case EVLOG_JSON: case EVLOG_JSON_COMPACT: + case EVLOG_JSON_PRETTY: ret = do_syslog_json(pri, event_type, args, evlog); break; default: @@ -1304,6 +1305,7 @@ do_logfile(int event_type, int flags, struct eventlog_args *args, break; case EVLOG_JSON: case EVLOG_JSON_COMPACT: + case EVLOG_JSON_PRETTY: ret = do_logfile_json(evl_conf->format, event_type, args, evlog); break; default: diff --git a/logsrvd/logsrvd_conf.c b/logsrvd/logsrvd_conf.c index 92cc44ac9..e6fbaf720 100644 --- a/logsrvd/logsrvd_conf.c +++ b/logsrvd/logsrvd_conf.c @@ -905,6 +905,8 @@ cb_eventlog_format(struct logsrvd_config *config, const char *str, size_t offset config->eventlog.log_format = EVLOG_JSON; else if (strcmp(str, "json_compact") == 0) config->eventlog.log_format = EVLOG_JSON_COMPACT; + else if (strcmp(str, "json_pretty") == 0) + config->eventlog.log_format = EVLOG_JSON_PRETTY; else if (strcmp(str, "sudo") == 0) config->eventlog.log_format = EVLOG_SUDO; else diff --git a/plugins/sudoers/def_data.c b/plugins/sudoers/def_data.c index 538e7bd79..554f35788 100644 --- a/plugins/sudoers/def_data.c +++ b/plugins/sudoers/def_data.c @@ -42,6 +42,7 @@ static struct def_values def_data_log_format[] = { { "sudo", sudo }, { "json", json }, { "json_compact", json_compact }, + { "json_pretty", json_pretty }, { NULL, 0 }, }; diff --git a/plugins/sudoers/def_data.h b/plugins/sudoers/def_data.h index b03363b6d..7bc92bd21 100644 --- a/plugins/sudoers/def_data.h +++ b/plugins/sudoers/def_data.h @@ -339,6 +339,7 @@ enum def_tuple { sudo, json, json_compact, + json_pretty, dso, trace }; diff --git a/plugins/sudoers/def_data.in b/plugins/sudoers/def_data.in index 16c71d96c..db64d6589 100644 --- a/plugins/sudoers/def_data.in +++ b/plugins/sudoers/def_data.in 
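Review bot: In the second eventlog.c hunk, `do_logfile()` forwards `evl_conf->format` to `do_logfile_json()`, so the new `EVLOG_JSON_PRETTY` value reaches a callee whose body is not part of this patch. If that callee selects the multi-line layout by comparing against `EVLOG_JSON` rather than by testing for `EVLOG_JSON_COMPACT`, a file configured with `json_pretty` would be written in compact form, contrary to the commit message and the updated manuals. Confirm the callee's test and consider a comment above the case labels such as `/* EVLOG_JSON is currently an alias for EVLOG_JSON_PRETTY. */`. The matching label in `do_syslog()` looks safe because `do_syslog_json()` is called without a format argument. Both functions start and end outside their hunks.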
@@ -426,7 +426,7 @@ runchroot log_format T_TUPLE "The format of logs to produce: %s" - sudo json json_compact + sudo json json_compact json_pretty selinux T_FLAG "Enable SELinux RBAC support" diff --git a/plugins/sudoers/logging.c b/plugins/sudoers/logging.c index 17e9cf002..7564c5dc3 100644 --- a/plugins/sudoers/logging.c +++ b/plugins/sudoers/logging.c @@ -1132,29 +1132,16 @@ sudoers_log_close(int type, FILE *fp) void init_eventlog_config(void) { - enum eventlog_format format; int logtype = 0; debug_decl(init_eventlog_config, SUDOERS_DEBUG_LOGGING); - switch (def_log_format) { - case json: - format = EVLOG_JSON; - break; - case json_compact: - format = EVLOG_JSON_COMPACT; - break; - default: - format = EVLOG_SUDO; - break; - } - if (def_syslog) logtype |= EVLOG_SYSLOG; if (def_logfile) logtype |= EVLOG_FILE; + sudoers_set_log_format(def_log_format); eventlog_set_type(logtype); - eventlog_set_format(format); eventlog_set_syslog_acceptpri(def_syslog_goodpri); eventlog_set_syslog_rejectpri(def_syslog_badpri); eventlog_set_syslog_alertpri(def_syslog_badpri); diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c index 8e7f6a384..8d312f680 100644 --- a/plugins/sudoers/sudoers.c +++ b/plugins/sudoers/sudoers.c @@ -1554,3 +1554,30 @@ sudoers_get_context(void) { return &sudoers_ctx; } + +bool +sudoers_set_log_format(enum def_tuple tuple) +{ + enum eventlog_format format; + debug_decl(cb_log_format, SUDOERS_DEBUG_PLUGIN); + + switch (tuple) { + case json: + format = EVLOG_JSON; + break; + case json_compact: + format = EVLOG_JSON_COMPACT; + break; + case json_pretty: + format = EVLOG_JSON_PRETTY; + break; + case sudo: + format = EVLOG_SUDO; + break; + default: + debug_return_bool(false); + } + eventlog_set_format(format); + + debug_return_bool(true); +} diff --git a/plugins/sudoers/sudoers.h b/plugins/sudoers/sudoers.h index 132bd7c62..e7ad7d254 100644 --- a/plugins/sudoers/sudoers.h +++ b/plugins/sudoers/sudoers.h 
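Review bot: `init_eventlog_config()` in logging.c discards the result of `sudoers_set_log_format(def_log_format)`. The removed switch fell back to `EVLOG_SUDO` for any unrecognised value, whereas the new helper returns false without calling `eventlog_set_format()`, so the event log format stays at whatever was set before. Because this setting shapes the audit trail, either act on the result, e.g. `if (!sudoers_set_log_format(def_log_format)) eventlog_set_format(EVLOG_SUDO);`, or add a comment stating that `def_log_format` can only hold the four log-format tuple values. The function body continues past the end of the hunk.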
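Review bot: The `debug_decl()` in the new `sudoers_set_log_format()` in sudoers.c still names `cb_log_format`, apparently carried over from the callback this code was lifted from, so debug traces will attribute entry and exit to the wrong function. It should read `debug_decl(sudoers_set_log_format, SUDOERS_DEBUG_PLUGIN);`. The function also has no header comment. A short one should say that it maps a `log_format` tuple to an `enum eventlog_format`, and that it returns false and leaves the current format untouched when the tuple is not a log format, since that default differs from the switch it replaces.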
@@ -459,6 +459,7 @@ void sudoers_cleanup(void); bool sudoers_override_umask(void); const struct sudoers_context *sudoers_get_context(void); bool sudoers_set_mode(unsigned int flags, unsigned int mask); +bool sudoers_set_log_format(enum def_tuple tuple); /* sudoers_ctx_free.c */ void sudoers_ctx_free(struct sudoers_context *ctx); diff --git a/plugins/sudoers/sudoers_cb.c b/plugins/sudoers/sudoers_cb.c index 3d46a7a15..466d9d393 100644 --- a/plugins/sudoers/sudoers_cb.c +++ b/plugins/sudoers/sudoers_cb.c @@ -228,24 +228,7 @@ static bool cb_log_format(struct sudoers_context *ctx, const char *file, int line, int column, const union sudo_defs_val *sd_un, int op) { - enum eventlog_format format; - debug_decl(cb_log_format, SUDOERS_DEBUG_PLUGIN); - - switch (sd_un->tuple) { - case json: - format = EVLOG_JSON; - break; - case json_compact: - format = EVLOG_JSON_COMPACT; - break; - default: - format = EVLOG_SUDO; - break; - } - - eventlog_set_format(format); - - debug_return_bool(true); + return sudoers_set_log_format(sd_un->tuple); } static bool