Add log_allowed and log_denied sudoers flags, defaulting to true.

This commit is contained in:
Todd C. Miller
2019-10-17 13:43:04 -06:00
parent 4229dfc566
commit cf6c60c102
8 changed files with 205 additions and 112 deletions

View File

@@ -25,7 +25,7 @@
.nr BA @BAMAN@
.nr LC @LCMAN@
.nr PS @PSMAN@
.TH "SUDOERS" "@mansectform@" "October 16, 2019" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.TH "SUDOERS" "@mansectform@" "October 17, 2019" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
@@ -191,10 +191,10 @@ flags are enabled.
This allows users to
determine for themselves whether or not they are allowed to use
\fBsudo\fR.
All attempts to run
By default, all attempts to run
\fBsudo\fR
(successful or not)
will be logged, regardless of whether or not mail is sent.
are logged, regardless of whether or not mail is sent.
.PP
If
\fBsudo\fR
@@ -242,16 +242,21 @@ option can be used to select the type of time stamp record
\fBsudoers\fR
will use.
.SS "Logging"
\fBsudoers\fR
can log both successful and unsuccessful attempts (as well
as errors) to
syslog(3),
a log file, or both.
By default,
\fBsudoers\fR
will log via
logs both successful and unsuccessful attempts (as well
as errors).
The
\fIlog_allowed\fR
and
\fIlog_denied\fR
flags can be used to control this behavior.
Messages can be logged to
syslog(3),
a log file, or both.
The default is to log to
syslog(3)
but this is changeable via the
but this is configurable via the
\fIsyslog\fR
and
\fIlogfile\fR
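Review bot: the new sentence "The log_allowed and log_denied flags can be used to control this behavior" does not say which flag governs which category, nor whether the "errors" mentioned in the preceding sentence fall under log_denied. Suggest spelling it out, e.g. "The log_allowed flag controls logging of commands permitted by the policy and the log_denied flag controls logging of commands that are denied", and stating what happens to error messages when both flags are off.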
@@ -2508,10 +2513,33 @@ This flag is
\fI@insults@\fR
by default.
.TP 18n
log_allowed
If set,
\fBsudoers\fR
will log commands allowed by the policy to the system audit log
(where supported) as well as to syslog and/or a log file.
This flag is
\fIon\fR
by default.
.sp
This setting is only supported by version 1.8.29 or higher.
.TP 18n
log_denied
If set,
\fBsudoers\fR
will log commands denied by the policy to the system audit log
(where supported) as well as to syslog and/or a log file.
This flag is
\fIon\fR
by default.
.sp
This setting is only supported by version 1.8.29 or higher.
.TP 18n
log_host
If set, the host name will be logged in the (non-syslog)
\fBsudo\fR
log file.
If set, the host name will be included in log entries written to
the file configured by the
\fIlogfile\fR
setting.
This flag is
\fIoff\fR
by default.
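Review bot: the log_allowed and log_denied descriptions only say what happens when the flag is set, which is the default; the reader needs to know what clearing the flag suppresses. From the audit.c and logging.c hunks in this commit, a cleared flag skips the audit record (early `debug_return_int(0)` in audit_success()/audit_failure()) and the syslog/logfile entries, but mail is still sent because log_denial() and log_allowed() test `def_log_denied || mailit`. Suggest adding a sentence such as "If disabled, no audit, syslog or log file record is written for such commands; mail is still sent according to the mail_* settings", so an administrator turning off log_denied understands that denied attempts leave no local trace.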

View File

@@ -24,7 +24,7 @@
.nr BA @BAMAN@
.nr LC @LCMAN@
.nr PS @PSMAN@
.Dd October 16, 2019
.Dd October 17, 2019
.Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@@ -47,7 +47,7 @@ The policy format is described in detail in the
.Sx SUDOERS FILE FORMAT
section.
For information on storing
.Nm sudoers
.Nm
policy information
in LDAP, please see
.Xr sudoers.ldap @mansectform@ .
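Review bot: this hunk and the many that follow in sudoers.mdoc.in are a mechanical `.Nm sudoers` to `.Nm` cleanup unrelated to the log_allowed/log_denied feature named in the commit message. Consider splitting them into a separate commit so that the behavioural change stays reviewable on its own and bisects cleanly; if they stay, mention the cleanup in the commit message.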
@@ -131,7 +131,7 @@ For more information on configuring
please refer to its manual.
.Ss User Authentication
The
.Nm sudoers
.Nm
security policy requires that most users authenticate
themselves before they can use
.Nm sudo .
@@ -142,7 +142,7 @@ user or command.
Unlike
.Xr su 1 ,
when
.Nm sudoers
.Nm
requires
authentication, it validates the invoking user's credentials, not
the target user's (or root's) credentials.
@@ -180,10 +180,10 @@ flags are enabled.
This allows users to
determine for themselves whether or not they are allowed to use
.Nm sudo .
All attempts to run
By default, all attempts to run
.Nm sudo
(successful or not)
will be logged, regardless of whether or not mail is sent.
are logged, regardless of whether or not mail is sent.
.Pp
If
.Nm sudo
@@ -191,7 +191,7 @@ is run by root and the
.Ev SUDO_USER
environment variable
is set, the
.Nm sudoers
.Nm
policy will use this value to determine who
the actual user is.
This can be used by a user to log commands
@@ -206,7 +206,7 @@ Note, however, that the
file lookup is still done for root, not the user specified by
.Ev SUDO_USER .
.Pp
.Nm sudoers
.Nm
uses per-user time stamp files for credential caching.
Once a user has been authenticated, a record is written
containing the user ID that was used to authenticate, the
@@ -223,25 +223,30 @@ minutes unless overridden by the
option
.Pc .
By default,
.Nm sudoers
.Nm
uses a separate record for each terminal, which means that
a user's login sessions are authenticated separately.
The
.Em timestamp_type
option can be used to select the type of time stamp record
.Nm sudoers
.Nm
will use.
.Ss Logging
.Nm sudoers
can log both successful and unsuccessful attempts (as well
as errors) to
By default,
.Nm
logs both successful and unsuccessful attempts (as well
as errors).
The
.Em log_allowed
and
.Em log_denied
flags can be used to control this behavior.
Messages can be logged to
.Xr syslog 3 ,
a log file, or both.
By default,
.Nm sudoers
will log via
The default is to log to
.Xr syslog 3
but this is changeable via the
but this is configurable via the
.Em syslog
and
.Em logfile
@@ -250,7 +255,7 @@ See
.Sx "LOG FORMAT"
for a description of the log file format.
.Pp
.Nm sudoers
.Nm
is also capable of running a command in a pseudo-terminal and logging all
input and/or output.
The standard input, standard output and standard error can be logged
@@ -270,12 +275,12 @@ See
for details on how I/O log files are stored.
.Ss Command environment
Since environment variables can influence program behavior,
.Nm sudoers
.Nm
provides a means to restrict which variables from the user's
environment are inherited by the command to be run.
There are two
distinct ways
.Nm sudoers
.Nm
can deal with environment variables.
.Pp
By default, the
@@ -482,7 +487,7 @@ As a special case, if the
.Fl i
option (initial login) is
specified,
.Nm sudoers
.Nm
will initialize the environment regardless
of the value of
.Em env_reset .
@@ -1293,7 +1298,7 @@ or
character.
.\}
.Ss Date_Spec
.Nm sudoers
.Nm
rules can be specified with a start and end date via the
.Li NOTBEFORE
and
@@ -2360,10 +2365,31 @@ will insult users when they enter an incorrect password.
This flag is
.Em @insults@
by default.
.It log_allowed
If set,
.Nm
will log commands allowed by the policy to the system audit log
(where supported) as well as to syslog and/or a log file.
This flag is
.Em on
by default.
.Pp
This setting is only supported by version 1.8.29 or higher.
.It log_denied
If set,
.Nm
will log commands denied by the policy to the system audit log
(where supported) as well as to syslog and/or a log file.
This flag is
.Em on
by default.
.Pp
This setting is only supported by version 1.8.29 or higher.
.It log_host
If set, the host name will be logged in the (non-syslog)
.Nm sudo
log file.
If set, the host name will be included in log entries written to
the file configured by the
.Em logfile
setting.
This flag is
.Em off
by default.
@@ -2452,7 +2478,7 @@ user if the user running
.Nm sudo
does not enter the correct password.
If the command the user is attempting to run is not permitted by
.Nm sudoers
.Nm
and one of the
.Em mail_all_cmnds ,
.Em mail_always ,
@@ -3562,7 +3588,7 @@ Note that changing the locale may affect how sudoers is interpreted.
Defaults to
.Dq Li C .
.It timestamp_type
.Nm sudoers
.Nm
uses per-user time stamp files for credential caching.
The
.Em timestamp_type
@@ -3720,7 +3746,7 @@ If the operating system does not support the
system call, this setting has no effect.
.It group_plugin
A string containing a
.Nm sudoers
.Nm
group plugin with optional arguments.
The string should consist of the plugin
path, either fully-qualified or relative to the
@@ -4392,7 +4418,7 @@ line in the
.Xr sudo.conf @mansectform@
file.
.It unable to open @rundir@/ts/username
.Nm sudoers
.Nm
was unable to read or create the user's time stamp file.
This can happen when
.Em timestampowner
@@ -4403,7 +4429,7 @@ The default mode for
.Pa @rundir@
is 0711.
.It unable to write to @rundir@/ts/username
.Nm sudoers
.Nm
was unable to write to the user's time stamp file.
.It @rundir@/ts is owned by uid X, should be Y
The time stamp directory is owned by a user other than
@@ -4411,18 +4437,18 @@ The time stamp directory is owned by a user other than
This can occur when the value of
.Em timestampowner
has been changed.
.Nm sudoers
.Nm
will ignore the time stamp directory until the owner is corrected.
.It @rundir@/ts is group writable
The time stamp directory is group-writable; it should be writable only by
.Em timestampowner .
The default mode for the time stamp directory is 0700.
.Nm sudoers
.Nm
will ignore the time stamp directory until the mode is corrected.
.El
.Ss Notes on logging via syslog
By default,
.Nm sudoers
.Nm
logs messages via
.Xr syslog 3 .
The
@@ -4448,11 +4474,11 @@ For more information, see the description of
If the
.Em logfile
option is set,
.Nm sudoers
.Nm
will log to a local file, such as
.Pa /var/log/sudo .
When logging to a file,
.Nm sudoers
.Nm
uses a format similar to
.Xr syslog 3 ,
with a few important differences:
@@ -4620,11 +4646,11 @@ List of network groups
I/O log files
.It Pa @rundir@/ts
Directory containing time stamps for the
.Nm sudoers
.Nm
security policy
.It Pa @vardir@/lectured
Directory containing lecture status files for the
.Nm sudoers
.Nm
security policy
.It Pa /etc/environment
Initial environment for
@@ -5168,7 +5194,7 @@ user permission to run
(see below).
.Ss Secure editing
The
.Nm sudoers
.Nm
plugin includes
.Nm sudoedit
support which allows users to securely edit files with the editor
@@ -5242,7 +5268,7 @@ tag in the
.Em sudoers
file.
.Ss Time stamp file checks
.Nm sudoers
.Nm
will check the ownership of its time stamp directory
.Po
.Pa @rundir@/ts
@@ -5266,14 +5292,14 @@ or
.Pa /var/run
directory.
To avoid potential problems,
.Nm sudoers
.Nm
will ignore time stamp files that date from before the machine booted
on systems where the boot time is available.
.Pp
Some systems with graphical desktop environments allow unprivileged
users to change the system clock.
Since
.Nm sudoers
.Nm
relies on the system clock for time stamp validation, it may be
possible on such systems for a user to run
.Nm sudo
@@ -5281,16 +5307,16 @@ for longer than
.Em timestamp_timeout
by setting the clock back.
To combat this,
.Nm sudoers
.Nm
uses a monotonic clock (which never moves backwards) for its time stamps
if the system supports it.
.Pp
.Nm sudoers
.Nm
will not honor time stamps set far in the future.
Time stamps with a date greater than current_time + 2 *
.Li TIMEOUT
will be ignored and
.Nm sudoers
.Nm
will log and complain.
.Pp
If the
@@ -5387,7 +5413,7 @@ file
network interface handling
.It Em nss
network service switch handling in
.Nm sudoers
.Nm
.It Em parser
.Em sudoers
file parsing

View File

@@ -45,6 +45,9 @@ audit_success(int argc, char *argv[])
int rc = 0;
debug_decl(audit_success, SUDOERS_DEBUG_AUDIT)
if (!def_log_allowed)
debug_return_int(0);
if (argv != NULL) {
#ifdef HAVE_BSM_AUDIT
if (bsm_audit_success(argv) == -1)
@@ -69,6 +72,9 @@ audit_failure(int argc, char *argv[], char const *const fmt, ...)
int rc = 0;
debug_decl(audit_success, SUDOERS_DEBUG_AUDIT)
if (!def_log_denied)
debug_return_int(0);
#if defined(HAVE_BSM_AUDIT) || defined(HAVE_LINUX_AUDIT)
if (argv != NULL) {
va_list ap;
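Review bot: the context line `debug_decl(audit_success, SUDOERS_DEBUG_AUDIT)` inside audit_failure() names the wrong function, which will mislabel the debug trace for the new `if (!def_log_denied)` early return added just below it. Since this hunk already touches the function entry, fix it to `debug_decl(audit_failure, SUDOERS_DEBUG_AUDIT)` in the same change.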

View File

@@ -497,6 +497,14 @@ struct sudo_defs_types sudo_defs_table[] = {
"case_insensitive_group", T_FLAG,
N_("Ignore case when matching group names"),
NULL,
}, {
"log_allowed", T_FLAG,
N_("Log when a command is allowed by sudoers"),
NULL,
}, {
"log_denied", T_FLAG,
N_("Log when a command is denied by sudoers"),
NULL,
}, {
NULL, 0, NULL
}

View File

@@ -228,6 +228,10 @@
#define def_case_insensitive_user (sudo_defs_table[I_CASE_INSENSITIVE_USER].sd_un.flag)
#define I_CASE_INSENSITIVE_GROUP 114
#define def_case_insensitive_group (sudo_defs_table[I_CASE_INSENSITIVE_GROUP].sd_un.flag)
#define I_LOG_ALLOWED 115
#define def_log_allowed (sudo_defs_table[I_LOG_ALLOWED].sd_un.flag)
#define I_LOG_DENIED 116
#define def_log_denied (sudo_defs_table[I_LOG_DENIED].sd_un.flag)
enum def_tuple {
never,

View File

@@ -360,3 +360,9 @@ case_insensitive_user
case_insensitive_group
T_FLAG
"Ignore case when matching group names"
log_allowed
T_FLAG
"Log when a command is allowed by sudoers"
log_denied
T_FLAG
"Log when a command is denied by sudoers"

View File

@@ -576,6 +576,8 @@ init_defaults(void)
def_sudoedit_checkdir = true;
def_iolog_mode = S_IRUSR|S_IWUSR;
def_fdexec = digest_only;
def_log_allowed = true;
def_log_denied = true;
/* Syslog options need special care since they both strings and ints */
#if (LOGGING & SLOG_SYSLOG)

View File

@@ -240,6 +240,7 @@ log_denial(int status, bool inform_user)
char *logline;
int oldlocale;
bool uid_changed, ret = true;
bool mailit;
debug_decl(log_denial, SUDOERS_DEBUG_LOGGING)
/* Handle auditing first (audit_failure() handles the locale itself). */
@@ -248,6 +249,10 @@ log_denial(int status, bool inform_user)
else
audit_failure(NewArgc, NewArgv, N_("validation failure"));
/* Send mail based on status. */
mailit = should_mail(status);
if (def_log_denied || mailit) {
/* Log and mail messages should be in the sudoers locale. */
sudoers_setlocale(SUDOERS_LOCALE_SUDOERS, &oldlocale);
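Review bot: the retained comment `/* Send mail based on status. */` is now stale, since the block it introduces computes `mailit` and then gates both mailing and logging on `def_log_denied || mailit`. Suggest rewording it, e.g. `/* Build the log line if we are logging or mailing this denial. */`; the same comment is reused in log_allowed() below and should be updated there too.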
@@ -266,16 +271,16 @@ log_denial(int status, bool inform_user)
/* Become root if we are not already. */
uid_changed = set_perms(PERM_ROOT);
if (should_mail(status))
send_mail("%s", logline); /* send mail based on status */
if (mailit)
send_mail("%s", logline); /* XXX - return value */
/*
* Log via syslog and/or a file.
*/
/* Log via syslog and/or a file. */
if (def_log_denied) {
if (def_syslog)
do_syslog(def_syslog_badpri, logline);
if (def_logfile && !do_logfile(logline))
ret = false;
}
if (uid_changed) {
if (!restore_perms())
@@ -286,6 +291,7 @@ log_denial(int status, bool inform_user)
/* Restore locale. */
sudoers_setlocale(oldlocale, NULL);
}
/* Inform the user if they failed to authenticate (in their locale). */
if (inform_user) {
@@ -398,8 +404,13 @@ log_allowed(int status)
char *logline;
int oldlocale;
bool uid_changed, ret = true;
bool mailit;
debug_decl(log_allowed, SUDOERS_DEBUG_LOGGING)
/* Send mail based on status. */
mailit = should_mail(status);
if (def_log_allowed || mailit) {
/* Log and mail messages should be in the sudoers locale. */
sudoers_setlocale(SUDOERS_LOCALE_SUDOERS, &oldlocale);
@@ -409,17 +420,18 @@ log_allowed(int status)
/* Become root if we are not already. */
uid_changed = set_perms(PERM_ROOT);
/* XXX - return value */
if (should_mail(status))
send_mail("%s", logline); /* send mail based on status */
if (mailit)
send_mail("%s", logline); /* XXX - return value */
/*
* Log via syslog and/or a file.
*/
if (def_log_allowed) {
if (def_syslog)
do_syslog(def_syslog_goodpri, logline);
if (def_logfile && !do_logfile(logline))
ret = false;
}
if (uid_changed) {
if (!restore_perms())
@@ -429,6 +441,7 @@ log_allowed(int status)
free(logline);
sudoers_setlocale(oldlocale, NULL);
}
debug_return_bool(ret);
}