Index: Makefile.in
===================================================================
RCS file: /cvs/sudo/Makefile.in,v
retrieving revision 1.325
diff -u -r1.325 Makefile.in
--- Makefile.in 3 Nov 2008 18:19:14 -0000 1.325
+++ Makefile.in 30 Nov 2008 23:58:03 -0000
@@ -102,7 +102,7 @@
 PROGS = @PROGS@
-SRCS = aix.c alias.c alloc.c check.c closefrom.c def_data.c defaults.c env.c \
+SRCS = aix.c alias.c alloc.c bsm_audit.c check.c closefrom.c def_data.c defaults.c env.c \
 error.c fileops.c find_path.c fnmatch.c getcwd.c getprogname.c \
 getspwuid.c gettime.c glob.c goodpath.c gram.c gram.y interfaces.c \
 isblank.c lbuf.c ldap.c list.c logging.c match.c mkstemp.c memrchr.c \
@@ -226,6 +226,8 @@
 $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/alias.c
 alloc.o: $(srcdir)/alloc.c $(SUDODEP)
 $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/alloc.c
+bsm_audit.o: $(srcdir)/bsm_audit.c $(SUDODEP)
+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/bsm_audit.c
 check.o: $(srcdir)/check.c $(SUDODEP)
 $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/check.c
 closefrom.o: $(srcdir)/closefrom.c config.h
Index: configure.in
===================================================================
RCS file: /cvs/sudo/configure.in,v
retrieving revision 1.536
diff -u -r1.536 configure.in
--- configure.in 26 Nov 2008 20:10:23 -0000 1.536
+++ configure.in 30 Nov 2008 23:58:03 -0000
@@ -13,6 +13,7 @@
 dnl
 dnl Variables that get substituted in the Makefile and man pages
 dnl
+AC_SUBST(HAVE_BSM_AUDIT)
 AC_SUBST(LIBTOOL)
 AC_SUBST(CFLAGS)
 AC_SUBST(PROGS)
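Review bot: The new `bsm_audit.o` rule lists only `$(srcdir)/bsm_audit.c` and `$(SUDODEP)` as prerequisites, while the sudo.c hunk further down includes a `bsm_audit.h` that this object presumably shares; unless `$(SUDODEP)` already covers that header (its definition is not in this diff), editing the header will not rebuild the object. If it is not covered, spell it out: `bsm_audit.o: $(srcdir)/bsm_audit.c $(srcdir)/bsm_audit.h $(SUDODEP)`. The objects that call into it (sudo.o and the auth objects) would want the same prerequisite, but their rules are outside this diff.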
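Review bot: `AC_SUBST(HAVE_BSM_AUDIT)` exports a shell variable that nothing in this patch assigns — the `--with-bsm-audit` case in the next hunk only calls `AC_DEFINE(HAVE_BSM_AUDIT)` and appends to `SUDO_LIBS`/`SUDO_OBJS` — so any `@HAVE_BSM_AUDIT@` in Makefile.in would expand to the empty string whether or not auditing is enabled. Neither Makefile.in hunk in this diff references the substitution, so the simplest fix is to drop the `AC_SUBST`; if a later change needs it, set `HAVE_BSM_AUDIT=1` in the `yes)` arm next to the `AC_DEFINE` and give the variable an empty default before the `case` so the substitution is never unset.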
@@ -201,6 +202,20 @@
 ;;
 esac])
+dnl
+dnl Handle BSM auditing support.
+dnl
+AC_ARG_WITH(bsm-audit, [ --with-bsm-audit enable BSM audit support],
+[case $with_bsm_audit in
+ yes) AC_DEFINE(HAVE_BSM_AUDIT)
+ SUDO_LIBS="${SUDO_LIBS} -lbsm"
+ SUDO_OBJS="${SUDO_OBJS} bsm_audit.o"
+ ;;
+ no) ;;
+ *) AC_MSG_ERROR(["--with-bsm-audit does not take an argument."])
+ ;;
+esac])
+
 AC_ARG_WITH(incpath, [ --with-incpath additional places to look for include files],
 [case $with_incpath in
 yes) AC_MSG_ERROR(["must give --with-incpath an argument."])
@@ -2536,6 +2551,7 @@
 AH_TEMPLATE(HAVE_AFS, [Define to 1 if you use AFS.])
 AH_TEMPLATE(HAVE_AIXAUTH, [Define to 1 if you use AIX general authentication.])
 AH_TEMPLATE(HAVE_BSD_AUTH_H, [Define to 1 if you use BSD authentication.])
+AH_TEMPLATE(HAVE_BSM_AUDIT, [Define to 1 to enable BSM auditing.])
 AH_TEMPLATE(HAVE_DCE, [Define to 1 if you use OSF DCE.])
 AH_TEMPLATE(HAVE_DD_FD, [Define to 1 if your `DIR' contains dd_fd.])
 AH_TEMPLATE(HAVE_DIRFD, [Define to 1 if you have the `dirfd' function or macro.])
Index: sudo.c
===================================================================
RCS file: /cvs/sudo/sudo.c,v
retrieving revision 1.500
diff -u -r1.500 sudo.c
--- sudo.c 18 Nov 2008 15:57:09 -0000 1.500
+++ sudo.c 30 Nov 2008 23:58:03 -0000
@@ -101,6 +101,10 @@
 #include "interfaces.h"
 #include "version.h"
+#ifdef HAVE_BSM_AUDIT
+#include "bsm_audit.h"
+#endif
+
 #ifndef lint
 __unused static const char rcsid[] = "$Sudo: sudo.c,v 1.500 2008/11/18 15:57:09 millert Exp $";
 #endif /* lint */
@@ -382,9 +386,12 @@
 /* Bail if a tty is required and we don't have one. */
 if (def_requiretty) {
- if ((fd = open(_PATH_TTY, O_RDWR|O_NOCTTY)) == -1)
+ if ((fd = open(_PATH_TTY, O_RDWR|O_NOCTTY)) == -1) {
+#ifdef HAVE_BSM_AUDIT
+ audit_failure(NewArgv, "no tty");
+#endif
 log_error(NO_MAIL, "sorry, you must have a tty to run sudo");
- else
+ } else
 (void) close(fd);
 }
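Review bot: The `yes)` arm appends `-lbsm` and `bsm_audit.o` without first checking that the library and its headers exist, so on a host without libbsm `--with-bsm-audit` is accepted by configure and the build only fails at link time. Probe before committing the flags, for example `AC_CHECK_HEADER(bsm/audit.h, [], [AC_MSG_ERROR([--with-bsm-audit requires bsm/audit.h])])` followed by `AC_CHECK_LIB(bsm, au_open, [:], [AC_MSG_ERROR([--with-bsm-audit requires libbsm])])`, using whichever entry point bsm_audit.c actually calls (that file is not in this diff). The `[:]` action-if-found keeps AC_CHECK_LIB from also appending `-lbsm` to LIBS, so the link flag stays in SUDO_LIBS as written.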
@@ -419,10 +426,17 @@
 if (ISSET(validated, VALIDATE_OK)) {
 /* Finally tell the user if the command did not exist. */
- if (cmnd_status == NOT_FOUND_DOT)
+ if (cmnd_status == NOT_FOUND_DOT) {
+#ifdef HAVE_BSM_AUDIT
+ audit_failure(NewArgv, "command in current directory");
+#endif
 errorx(1, "ignoring `%s' found in '.'\nUse `sudo ./%s' if this is the `%s' you wish to run.", user_cmnd, user_cmnd, user_cmnd);
- else if (cmnd_status == NOT_FOUND)
+ } else if (cmnd_status == NOT_FOUND) {
+#ifdef HAVE_BSM_AUDIT
+ audit_failure(NewArgv, "%s: command not found", user_cmnd);
+#endif
 errorx(1, "%s: command not found", user_cmnd);
+ }
 /* If user specified env vars make sure sudoers allows it. */
 if (ISSET(sudo_mode, MODE_RUN) && !def_setenv) {
@@ -509,14 +523,21 @@
 closefrom(def_closefrom + 1);
 #ifndef PROFILING
- if (ISSET(sudo_mode, MODE_BACKGROUND) && fork() > 0)
+ if (ISSET(sudo_mode, MODE_BACKGROUND) && fork() > 0) {
+#ifdef HAVE_BSM_AUDIT
+ syslog(LOG_AUTH|LOG_ERR, "fork");
+ audit_success(NewArgv);
+#endif
 exit(0);
- else {
+ } else {
 #ifdef HAVE_SELINUX
 if (is_selinux_enabled() > 0 && user_role != NULL)
 selinux_exec(user_role, user_type, NewArgv, ISSET(sudo_mode, MODE_LOGIN_SHELL));
 #endif
+#ifdef HAVE_BSM_AUDIT
+ audit_success(NewArgv);
+#endif
 execv(safe_cmnd, NewArgv);
 }
 #else
@@ -533,6 +554,9 @@
 }
 warning("unable to execute %s", safe_cmnd);
 exit(127);
 } else if (ISSET(validated, FLAG_NO_USER | FLAG_NO_HOST)) {
+#ifdef HAVE_BSM_AUDIT
+ audit_failure(NewArgv, "No user or host");
+#endif
 log_denial(validated, 1);
 exit(1);
 } else {
@@ -554,6 +578,9 @@
 /* Just tell the user they are not allowed to run foo. */
 log_denial(validated, 1);
 }
+#ifdef HAVE_BSM_AUDIT
+ audit_failure(NewArgv, "validation failure");
+#endif
 exit(1);
 }
 exit(0); /* not reached */
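Review bot: In background mode the success record is written twice: the parent (`fork() > 0`) calls `audit_success(NewArgv)` before `exit(0)`, and the child falls into the `else` branch and calls `audit_success(NewArgv)` again in front of `execv()`, so one `-b` invocation yields two records. The `syslog(LOG_AUTH|LOG_ERR, "fork")` beside it reads like a leftover debug line — it logs at error level on every successful background run. Auditing success before `execv()` also means an exec failure, which falls through to the `warning("unable to execute %s", safe_cmnd); exit(127);` lines of the following hunk, leaves a success record and no failure record. I would drop the parent-side `syslog` and `audit_success` lines, keep the single `audit_success(NewArgv)` before `execv()`, and add `audit_failure(NewArgv, "unable to execute %s", safe_cmnd);` before `exit(127)` under the same `#ifdef HAVE_BSM_AUDIT` guard. The enclosing function starts and ends outside this hunk.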
@@ -1313,8 +1340,12 @@
 if ((runas_pw = sudo_getpwuid(atoi(user + 1))) == NULL)
 runas_pw = sudo_fakepwnam(user, runas_gr ? runas_gr->gr_gid : 0);
 } else {
- if ((runas_pw = sudo_getpwnam(user)) == NULL)
+ if ((runas_pw = sudo_getpwnam(user)) == NULL) {
+#ifdef HAVE_BSM_AUDIT
+ audit_failure(NewArgv, "unknown user: %s", user);
+#endif
 log_error(NO_MAIL|MSG_ONLY, "unknown user: %s", user);
+ }
 }
 }
Index: auth/sudo_auth.c
===================================================================
RCS file: /cvs/sudo/auth/sudo_auth.c,v
retrieving revision 1.38
diff -u -r1.38 sudo_auth.c
--- auth/sudo_auth.c 7 Nov 2008 17:45:52 -0000 1.38
+++ auth/sudo_auth.c 30 Nov 2008 23:58:03 -0000
@@ -100,6 +100,9 @@
 char *p;
 sudo_auth *auth;
 sigaction_t sa, osa;
+#ifdef HAVE_BSM_AUDIT
+ extern char **NewArgv;
+#endif
 /* Enable suspend during password entry. */
 sigemptyset(&sa.sa_mask);
@@ -108,11 +111,15 @@
 (void) sigaction(SIGTSTP, &sa, &osa);
 /* Make sure we have at least one auth method. */
- if (auth_switch[0].name == NULL)
+ if (auth_switch[0].name == NULL) {
+#ifdef HAVE_BSM_AUDIT
+ audit_failure(NewArgv, "no authentication methods");
+#endif
 log_error(0, "%s %s %s", "There are no authentication methods compiled into sudo!", "If you want to turn off authentication, use the", "--disable-authentication configure option.");
+ }
 /* Set FLAG_ONEANDONLY if there is only one auth method. */
 if (auth_switch[1].name == NULL)
@@ -127,8 +134,12 @@
 status = (auth->init)(pw, &prompt, auth);
 if (status == AUTH_FAILURE)
 CLR(auth->flags, FLAG_CONFIGURED);
- else if (status == AUTH_FATAL) /* XXX log */
+ else if (status == AUTH_FATAL) { /* XXX log */
+#ifdef HAVE_BSM_AUDIT
+ audit_failure(NewArgv, "authentication failure");
+#endif
 exit(1); /* assume error msg already printed */
+ }
 if (NEEDS_USER(auth))
 set_perms(PERM_ROOT);
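Review bot: `audit_failure()` is called from this file in the hunks that follow, but no `#include "bsm_audit.h"` is added here, unlike the sudo.c hunk above; unless a header sudo_auth.c already includes supplies the prototype, those calls rely on an implicit declaration, and calling a variadic function without a prototype in scope is undefined behavior in C. The block-scope `extern char **NewArgv;` added here is the same symptom: that declaration belongs in a shared header (sudo.h or bsm_audit.h) so every caller sees one declaration instead of each function restating it. I would replace the three added lines with a file-level `#ifdef HAVE_BSM_AUDIT` / `#include "bsm_audit.h"` / `#endif` beside the other includes and move the `NewArgv` extern into that header. The function these locals belong to starts and ends outside this hunk.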
@@ -145,8 +156,12 @@
 status = (auth->setup)(pw, &prompt, auth);
 if (status == AUTH_FAILURE)
 CLR(auth->flags, FLAG_CONFIGURED);
- else if (status == AUTH_FATAL) /* XXX log */
+ else if (status == AUTH_FATAL) {/* XXX log */
+#ifdef HAVE_BSM_AUDIT
+ audit_failure(NewArgv, "authentication failure");
+#endif
 exit(1); /* assume error msg already printed */
+ }
 if (NEEDS_USER(auth))
 set_perms(PERM_ROOT);
@@ -193,8 +208,12 @@
 set_perms(PERM_USER);
 status = (auth->cleanup)(pw, auth);
- if (status == AUTH_FATAL) /* XXX log */
+ if (status == AUTH_FATAL) { /* XXX log */
+#ifdef HAVE_BSM_AUDIT
+ audit_failure(NewArgv, "authentication failure");
+#endif
 exit(1); /* assume error msg already printed */
+ }
 if (NEEDS_USER(auth))
 set_perms(PERM_ROOT);
@@ -212,12 +231,18 @@
 flags = 0;
 else
 flags = NO_MAIL;
+#ifdef HAVE_BSM_AUDIT
+ audit_failure(NewArgv, "authentication failure");
+#endif
 log_error(flags, "%d incorrect password attempt%s", def_passwd_tries - counter, (def_passwd_tries - counter == 1) ? "" : "s");
 }
 /* FALLTHROUGH */
 case AUTH_FATAL:
+#ifdef HAVE_BSM_AUDIT
+ audit_failure(NewArgv, "authentication failure");
+#endif
 exit(1);
 }
 /* NOTREACHED */
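Review bot: The new `audit_failure()` call in the cleanup hunk runs right after the `set_perms(PERM_USER)` that precedes `(auth->cleanup)`, i.e. while sudo has dropped to the invoking user's privileges; submitting a BSM record is typically a privileged operation, so on that path the failure may silently go unrecorded — the one case the audit trail most needs. Unless `audit_failure()` raises privileges itself (bsm_audit.c is not in this diff), restore them first: `set_perms(PERM_ROOT); audit_failure(NewArgv, "authentication failure");` before the `exit(1)`, matching the `set_perms(PERM_ROOT)` the hunk already does on the success path. The setup hunk just above has the same ordering question, but the `set_perms` that precedes `(auth->setup)` is outside that hunk. The enclosing function starts and ends outside this hunk.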
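Review bot: The two `audit_failure(NewArgv, "authentication failure")` calls in the last hunk are separated only by `log_error()` and a `/* FALLTHROUGH */` into `case AUTH_FATAL:`, so whether a bad-password exit is audited once or twice depends on `log_error()` never returning, which nothing in the hunk shows. If `log_error()` does exit, say so where the reader needs it, e.g. `/* log_error() does not return; the AUTH_FATAL record below covers the fatal path only */` above the first call; if it can return, drop the first call and let the `case AUTH_FATAL:` record cover both paths. Using the same reason string for a wrong password and for an AUTH_FATAL module error also hides the distinction in the audit trail; `"authentication failure"` for the former and `"authentication error"` for the latter would keep the two apart. The enclosing switch and function start outside this hunk.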