[PATCH] Fix a bug of executing "aureport -tm"
by Peng Haitao
Hello steve,
Using the option "-tm" does not report terminals when the message type is USER_AVC.
For example:
# echo "type=USER_AVC msg=audit(1221880640.759:4904436): user pid=4748 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: received policyload notice (seqno=37) : exe=\"?\" (sauid=81, hostname=?, addr=?, terminal=?)'" | aureport -tm
Terminal Report
====================================
# date time term host exe auid event
====================================
<no events of interest were found>
Signed-off-by: Peng Haitao <penght(a)cn.fujitsu.com>
---
src/ausearch-parse.c | 7 +++++--
1 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
index e3ffa8c..da1730f 100644
--- a/src/ausearch-parse.c
+++ b/src/ausearch-parse.c
@@ -850,8 +850,11 @@ static int parse_user(const lnode *n, search_items *s)
if (str) {
str += 9;
term = strchr(str, ' ');
- if (term == NULL)
- return 17;
+ if (term == NULL) {
+ term = strchr(str, ')');
+ if (term == NULL)
+ return 17;
+ }
*term = 0;
s->terminal = strdup(str);
*term = ' ';
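Review bot: The restore on the hunk's last line writes `' '` back unconditionally, so when the new fallback matched `')'` the closing parenthesis is overwritten with a space and the record text stays altered for anything that reads the same line afterwards. Save the delimiter instead of assuming it: `char saved = *term; *term = 0; s->terminal = strdup(str); *term = saved;`. A one-line comment above the fallback, `/* terminal=? may be the last field, ending in ')' rather than ' ' */`, would record why the second strchr exists. parse_user begins before and continues after the hunk.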
--
1.5.4.2
--
Regards
Peng Haitao
[PATCH, RFC] Interpretation of TTY audit logs
by Miloslav Trmač
Hello,
the attached patch implements TTY audit log data interpretation: it
turns
data=627F6361740D6964202D610D6C73202D6C202F626F090D10202D6C72740D0110011B661B640B202D6C7274156364202D1B7F6364207E6D69096C69096F090D6C730D126370201B3E63640D6C730D726D20627A496D09757F0D6364202D0D12637020051B7F626F09766D6C0937090D6364202F626F090D126D6B696E6974720D04
into
"b",backspace,"cat",ret,"id -a",ret,"ls -l /bo",tab,ret,^P,"
-lrt",ret,^A,^P,^A,esc,"f",esc,"d",^K," -lrt",^U,"cd
-",esc,backspace,"cd ~mi",tab,"li",tab,"o",tab,ret,"ls",ret,^R,"cp
",esc,">cd",ret,"ls",ret,"rm bzIm",tab,"u",backspace,ret,"cd
-",ret,^R,"cp
",^E,esc,backspace,"bo",tab,"vml",tab,"7",tab,ret,"cd /bo",tab,ret,^R,"mkinitr",ret,^D
(Usually, bash would be patched to emit an USER_TTY record for each
command line, and each USER_TTY record causes emitting a TTY record for
the collected data. This record was created without a patched bash, so
it contains all commands in the session.)
So far the patch supports only a few basic control sequences (arrow and
function keys with no modifiers). Before I add many more, I have a few
questions:
* Is it OK to hard-code the control sequences in the library?
Would it be preferable store them in a separate file instead,
letting end-users add or modify control sequences?
* How to share the code with src/ausearch-report.c? Copying the
code is ugly; reasonable options are
* move the data interpretation code to libaudit (either
only TTY audit interpretation, or all of it)
* link ausearch to libauparse
* Is there any reason to support conflicting terminal types (e.g.
something other than vt100-like terminals)? Are there conflicts
in the control sequences emitted by commonly used terminal
emulators?
Thank you,
Mirek
audit-viewer help needed
by LC Bruzenak
F9, permissive/targeted
audit-viewer:
audit-viewer-0.3-1.fc9.x86_64
It was working fine, then I loaded several rpms (below).
Now I get this on startup:
Traceback (most recent call last):
File "/usr/share/audit-viewer/main.py", line 71, in <module>
if w.setup_initial_window(args):
File "/usr/share/audit-viewer/main_window.py", line 158, in setup_initial_window
self.new_list_tab([])
File "/usr/share/audit-viewer/main_window.py", line 176, in new_list_tab
tab = ListTab(filters, self)
File "/usr/share/audit-viewer/list_tab.py", line 161, in __init__
self.refresh()
File "/usr/share/audit-viewer/list_tab.py", line 195, in refresh
event_sequence = self.__refresh_get_event_sequence()
File "/usr/share/audit-viewer/list_tab.py", line 483, in __refresh_get_event_sequence
want_other_fields, True)
File "/usr/share/audit-viewer/main_window.py", line 265, in read_events
keep_raw_records)
File "/usr/share/audit-viewer/event_source.py", line 135, in read_events
e = events[(ts.serial, ts.sec, ts.milli)]
AttributeError: 'NoneType' object has no attribute 'serial'
Any ideas?
Thx,
LCB.
- rpms added from yum.log (starting with working audit-viewer):
Sep 17 13:25:54 Installed: audit-viewer-0.3-1.fc9.x86_64
Sep 17 16:44:32 Updated: scim-libs-1.4.7-24.fc9.x86_64
Sep 17 16:44:32 Updated: sqlite-3.5.9-1.fc9.x86_64
Sep 17 16:44:32 Updated: 12:libdhcp4client-4.0.0-17.fc9.x86_64
Sep 17 16:44:33 Updated: scim-1.4.7-24.fc9.x86_64
Sep 17 16:44:33 Updated: 12:dhclient-4.0.0-17.fc9.x86_64
Sep 17 16:44:34 Updated: alsa-utils-1.0.17-2.fc9.x86_64
Sep 17 16:44:34 Updated: xorg-x11-server-common-1.5.0-1.fc9.x86_64
Sep 17 16:44:35 Updated: xorg-x11-server-Xorg-1.5.0-1.fc9.x86_64
Sep 17 16:44:35 Updated: xorg-x11-drv-evdev-2.0.4-1.fc9.x86_64
Sep 18 11:11:11 Installed: wget-1.11.1-1.fc9.x86_64
Sep 18 13:32:00 Updated: audit-libs-1.7.7-1.fc9.x86_64
Sep 18 13:32:01 Updated: audit-1.7.7-1.fc9.x86_64
Sep 18 13:32:01 Updated: audit-libs-python-1.7.7-1.fc9.x86_64
Sep 18 13:32:02 Installed: system-config-audit-0.4.8-2.fc9.x86_64
Sep 18 13:32:11 Updated: audispd-plugins-1.7.7-1.fc9.x86_64
Sep 18 13:32:12 Installed: audit-debuginfo-1.7.7-1.fc9.x86_64
Sep 18 13:32:13 Updated: audit-libs-devel-1.7.7-1.fc9.x86_64
Sep 18 13:35:28 Installed: mysql-libs-5.0.51a-1.fc9.x86_64
Sep 18 13:35:29 Installed: perl-DBI-1.607-1.fc9.x86_64
Sep 18 13:35:29 Installed: mysql-5.0.51a-1.fc9.x86_64
Sep 18 13:35:29 Installed: perl-DBD-MySQL-4.005-8.fc9.x86_64
Sep 18 13:35:31 Installed: mysql-server-5.0.51a-1.fc9.x86_64
Sep 18 13:35:31 Installed: libpreludedb-0.9.14.1-3.fc9.x86_64
Sep 18 13:35:31 Installed: libpreludedb-mysql-0.9.14.1-3.fc9.x86_64
Sep 18 13:36:41 Installed: libpreludedb-python-0.9.14.1-3.fc9.x86_64
Sep 18 13:36:41 Installed: libprelude-python-0.9.17.2-1.fc9.x86_64
Sep 18 13:36:42 Installed: python-cheetah-2.0.1-2.fc9.x86_64
Sep 18 13:36:42 Installed: prelude-manager-0.9.14.2-1.fc9.x86_64
Sep 18 13:36:43 Installed: prewikka-0.9.14-1.fc9.noarch
Sep 18 13:36:43 Installed: prelude-manager-db-plugin-0.9.14.2-1.fc9.x86_64
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
[PATCH] Audit: Log TIOCSTI
by Miloslav Trmač
From: Miloslav Trmac <mitr(a)redhat.com>
AUDIT_TTY records currently log all data read by processes marked for
TTY input auditing, even if the data was "pushed back" using the TIOCSTI
ioctl, not typed by the user.
This patch records all TIOCSTI calls to disambiguate the input. It
generates one audit message per character pushed back; considering
TIOCSTI is used very rarely, this simple solution is probably good
enough. (The only program I could find that uses TIOCSTI is mailx/nail
in "header editing" mode, e.g. using the ~h escape. mailx is used very
rarely, and the escapes even more rarely.)
Signed-Off-By: Miloslav Trmac <mitr(a)redhat.com>
---
drivers/char/tty_audit.c | 75 +++++++++++++++++++++++++++++--------
drivers/char/tty_io.c | 1
include/linux/tty.h | 4 +
3 files changed, 65 insertions(+), 15 deletions(-)
diff --git a/drivers/char/tty_audit.c b/drivers/char/tty_audit.c
index 3582f43..d927616 100644
--- a/drivers/char/tty_audit.c
+++ b/drivers/char/tty_audit.c
@@ -67,6 +67,28 @@ static void tty_audit_buf_put(struct tty_audit_buf *buf)
tty_audit_buf_free(buf);
}
+static void tty_audit_log(const char *description, struct task_struct *tsk,
+ uid_t loginuid, unsigned sessionid, int major,
+ int minor, unsigned char *data, size_t size)
+{
+ struct audit_buffer *ab;
+
+ ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_TTY);
+ if (ab) {
+ char name[sizeof(tsk->comm)];
+
+ audit_log_format(ab, "%s pid=%u uid=%u auid=%u ses=%u "
+ "major=%d minor=%d comm=", description,
+ tsk->pid, tsk->uid, loginuid, sessionid,
+ major, minor);
+ get_task_comm(name, tsk);
+ audit_log_untrustedstring(ab, name);
+ audit_log_format(ab, " data=");
+ audit_log_n_untrustedstring(ab, data, size);
+ audit_log_end(ab);
+ }
+}
+
/**
* tty_audit_buf_push - Push buffered data out
*
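Review bot: tty_audit_log is the only function in this file section without a kernel-doc block, although its neighbour tty_audit_buf_push has one and the new function is now the single place that formats an AUDIT_TTY record. The comment should state that one record is emitted per call, that `description` becomes the leading token of the record (`tty` from tty_audit_buf_push, `ioctl=TIOCSTI` from the new caller), and that both callers check `audit_enabled` before calling, so the helper itself does not; then `@tsk`, `@loginuid`, `@sessionid`, `@major`, `@minor`, `@data` and `@size` one line each. `data` is only handed to audit_log_n_untrustedstring, so it could presumably be `const` — worth confirming against that function's prototype.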
@@ -77,25 +99,12 @@ static void tty_audit_buf_push(struct task_struct *tsk, uid_t loginuid,
unsigned int sessionid,
struct tty_audit_buf *buf)
{
- struct audit_buffer *ab;
-
if (buf->valid == 0)
return;
if (audit_enabled == 0)
return;
- ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_TTY);
- if (ab) {
- char name[sizeof(tsk->comm)];
-
- audit_log_format(ab, "tty pid=%u uid=%u auid=%u ses=%u "
- "major=%d minor=%d comm=", tsk->pid, tsk->uid,
- loginuid, sessionid, buf->major, buf->minor);
- get_task_comm(name, tsk);
- audit_log_untrustedstring(ab, name);
- audit_log_format(ab, " data=");
- audit_log_n_untrustedstring(ab, buf->data, buf->valid);
- audit_log_end(ab);
- }
+ tty_audit_log("tty", tsk, loginuid, sessionid, buf->major, buf->minor,
+ buf->data, buf->valid);
buf->valid = 0;
}
@@ -150,6 +159,42 @@ void tty_audit_fork(struct signal_struct *sig)
}
/**
+ * tty_audit_tiocsti - Log TIOCSTI
+ */
+void tty_audit_tiocsti(struct tty_struct *tty, char ch)
+{
+ struct tty_audit_buf *buf;
+ int major, minor, should_audit;
+
+ spin_lock_irq(¤t->sighand->siglock);
+ should_audit = current->signal->audit_tty;
+ buf = current->signal->tty_audit_buf;
+ if (buf)
+ atomic_inc(&buf->count);
+ spin_unlock_irq(¤t->sighand->siglock);
+
+ major = tty->driver->major;
+ minor = tty->driver->minor_start + tty->index;
+ if (buf) {
+ mutex_lock(&buf->mutex);
+ if (buf->major == major && buf->minor == minor)
+ tty_audit_buf_push_current(buf);
+ mutex_unlock(&buf->mutex);
+ tty_audit_buf_put(buf);
+ }
+
+ if (should_audit && audit_enabled) {
+ uid_t auid;
+ unsigned int sessionid;
+
+ auid = audit_get_loginuid(current);
+ sessionid = audit_get_sessionid(current);
+ tty_audit_log("ioctl=TIOCSTI", current, auid, sessionid, major,
+ minor, &ch, 1);
+ }
+}
+
+/**
* tty_audit_push_task - Flush task's pending audit data
*/
void tty_audit_push_task(struct task_struct *tsk, uid_t loginuid, u32 sessionid)
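Review bot: The call `tty_audit_log("ioctl=TIOCSTI", current, auid, sessionid, major, minor, &ch, 1)` passes a `char *` for the `unsigned char *data` parameter, which is a pointer-signedness mismatch the kernel build warns about; copy first, `unsigned char c = ch;`, and pass `&c`. The kernel-doc block for tty_audit_tiocsti has only a title line; add `@tty: terminal the character is pushed back into` and `@ch: the character pushed back by the ioctl`. The `¤t` on the spin_lock/spin_unlock lines reads as an archive-mangled `&current`, so that is presumably not a defect in the patch itself.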
diff --git a/drivers/char/tty_io.c b/drivers/char/tty_io.c
index daeb8f7..53cc0d6 100644
--- a/drivers/char/tty_io.c
+++ b/drivers/char/tty_io.c
@@ -2467,6 +2467,7 @@ static int tiocsti(struct tty_struct *tty, char __user *p)
return -EPERM;
if (get_user(ch, p))
return -EFAULT;
+ tty_audit_tiocsti(tty, ch);
ld = tty_ldisc_ref_wait(tty);
ld->ops->receive_buf(tty, &ch, &mbz, 1);
tty_ldisc_deref(ld);
diff --git a/include/linux/tty.h b/include/linux/tty.h
index 0cbec74..3995211 100644
--- a/include/linux/tty.h
+++ b/include/linux/tty.h
@@ -403,6 +403,7 @@ extern void tty_audit_add_data(struct tty_struct *tty, unsigned char *data,
size_t size);
extern void tty_audit_exit(void);
extern void tty_audit_fork(struct signal_struct *sig);
+extern void tty_audit_tiocsti(struct tty_struct *tty, char ch);
extern void tty_audit_push(struct tty_struct *tty);
extern void tty_audit_push_task(struct task_struct *tsk,
uid_t loginuid, u32 sessionid);
@@ -411,6 +412,9 @@ static inline void tty_audit_add_data(struct tty_struct *tty,
unsigned char *data, size_t size)
{
}
+static inline void tty_audit_tiocsti(struct tty_struct *tty, char ch)
+{
+}
static inline void tty_audit_exit(void)
{
}
audit 1.7.7 released
by Steve Grubb
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit and will also be in rawhide
soon. The Changelog is:
- Bug fixes for gss code in remote logging (DJ Delorie)
- Fix ausearch -i to keep the node field in the output
- ausyscall now does strstr match on syscall names
- Makefile cleanup (Philipp Hahn)
- Add watched syscall support to audisp-prelude
- Use the right define for tcp_wrappers in auditd
- Expose encoding API for fields being logged from user space
Last time I did not provide release notes. I'll try to do that now.
Since 1.7.5, we have added GSSAPI support to authenticate and encrypt events
during transfer. There are some instructions in the man pages but I'll try to
get a HOWTO put up on the main audit project page at some point. There is
tcp_wrappers support for remote logging protection. You will need to put an
entry in the server's /etc/hosts.allow file stating which host or subnet is
allowed to connect. These are enabled by adding 2 options to the configure
command, --with-libwrap --enable-gssapi-krb5. Connect/disconnect events are
now audited in the server so that there are records of times & ip addresses
for connections.
Another thanks to the people at Fujitsu for sending several patches that went
into 1.7.6. The syscall tables have been updated for the latest pre-release
kernel, 2.6.27.
A new function was added to auparse that allows you to query information about
the data type that is being held in the value portion of the record's fields.
Notably, this allows you to know that you have a field that is escaped and
needs to be interpreted to see something meaningful.
New in 1.7.7...
There are 3 new functions in libaudit for logging a field that may need
encoding to prevent spaces or control characters from causing parsing
problems. If you have a field that you know has the potential to be
untrusted, user manipulated, or containing control characters or space, there
is now a convenience function, audit_encode_nv_string. This function takes
the name, value, and value length in bytes as the parameters and passes back
a freshly malloc'ed memory buffer containing the formatted field. Another
function was added to allow testing as to whether or not a field needs
encoding, audit_value_needs_encoding. It takes the value and value length in
bytes and replies with 1 or 0 depending on if it needs encoding or not. The
last new function audit_encode_value performs a value encoding given a value
and value length in bytes. The programmer is responsible for passing it a
buffer that is 2 times the size of the value in bytes + 1. These last 2 are
for people that need to take control over encoding but audit_encode_nv_string
should be the main API people use.
There was a bug in 1.7.6 wrt tcp_wrappers where the define had a typo in it.
This means that 1.7.6 does not actually use tcp_wrappers.
There were a couple of bugs in remote logging for 64 bit platforms. These are now
cleaned up.
The ausyscall program now does substring matches by default and exact string
matching by command line option. This was added after observing yet another
dup syscall and another pipe syscall being added to the 2.6.27 kernel. You
can now do ausyscall x86_64 dup and get all 3 syscall names and numbers.
The prelude plugin now has a 4th type of watched audit event based on keys,
sys. This came about after observing that many security targets need some
rule that is syscall based and no good way to say what the event is based on
the other 3 types.
Please let me know if you run across any problems with this release.
-Steve
[PATCH] kerberos updates
by DJ Delorie
Follow-up to the previous kerberos patch, based on a review of the
last patch by one of our kerberos guys (Thanks, Simo).
(http://www.redhat.com/archives/linux-audit/2008-September/msg00032.html)
This makes all the krb5-related config options more consistent (see
the new man pages) as well as ironing out some more security related
paranoia. All krb5-wrapped audit messages have the krb5= credential
appended to them, too.
diff -x .svn -U 3 -r pristine/audisp/plugins/remote/audisp-remote.c trunk/audisp/plugins/remote/audisp-remote.c
--- pristine/audisp/plugins/remote/audisp-remote.c 2008-09-14 14:34:12.000000000 -0400
+++ trunk/audisp/plugins/remote/audisp-remote.c 2008-09-15 19:50:10.000000000 -0400
@@ -34,6 +34,7 @@
#include <time.h>
#include <sys/select.h>
#include <sys/socket.h>
+#include <sys/stat.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#ifdef USE_GSSAPI
@@ -80,7 +81,7 @@
gss_ctx_id_t my_context;
#define REQ_FLAGS GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG
-#define USE_GSS (config.gss_principal != NULL)
+#define USE_GSS (config.enable_krb5)
#endif
/*
@@ -487,8 +488,11 @@
krb5_creds my_creds;
krb5_get_init_creds_opt options;
krb5_keytab keytab = NULL;
- const char *krb_client_name;
+ const char *krb5_client_name;
+ char *slashptr;
char host_name[255];
+ struct stat st;
+ const char *key_file;
token_ptr = GSS_C_NO_BUFFER;
*gss_context = GSS_C_NO_CONTEXT;
@@ -496,12 +500,32 @@
krberr = krb5_init_context (&kcontext);
KCHECK (krberr, "krb5_init_context");
+ if (config.krb5_key_file)
+ key_file = config.krb5_key_file;
+ else
+ key_file = KEYTAB_NAME;
+ unsetenv ("KRB5_KTNAME");
+ setenv ("KRB5_KTNAME", key_file, 1);
+
+ if (stat (key_file, &st) == 0) {
+ if ((st.st_mode & 07777) != 0400) {
+ syslog (LOG_ERR, "%s is not mode 0400 (it's %#o) - compromised key?",
+ key_file, st.st_mode & 07777);
+ return -1;
+ }
+ if (st.st_uid != 0) {
+ syslog (LOG_ERR, "%s is not owned by root (it's %d) - compromised key?",
+ key_file, st.st_uid);
+ return -1;
+ }
+ }
+
/* This looks up the default real (*our* realm) from
/etc/krb5.conf (or wherever) */
krberr = krb5_get_default_realm (kcontext, &realm_name);
KCHECK (krberr, "krb5_get_default_realm");
- krb_client_name = config.krb_client_name ? config.krb_client_name : "auditd";
+ krb5_client_name = config.krb5_client_name ? config.krb5_client_name : "auditd";
if (gethostname(host_name, sizeof(host_name)) != 0) {
syslog (LOG_ERR, "gethostname: host name longer than %d characters?",
sizeof (host_name));
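Review bot: The ownership and mode checks only run when `stat()` succeeds, so a missing or unreadable key file passes through silently and the failure surfaces later and less clearly from krb5_kt_resolve; add `else { syslog (LOG_ERR, "cannot stat %s: %s", key_file, strerror (errno)); return -1; }` after the block. `st.st_uid` is printed with `%d` although uid_t is unsigned on Linux; pass `(unsigned long) st.st_uid` with `%lu`. The `unsetenv ("KRB5_KTNAME")` is redundant because the following `setenv` passes overwrite=1. The check is by path while the keytab is opened by name further down, so it is a sanity check rather than a guarantee; a short comment saying so would keep a later reader from treating it as one. The enclosing function begins before the hunk.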
@@ -509,16 +533,16 @@
}
syslog (LOG_ERR, "kerberos principal: %s/%s@%s\n",
- krb_client_name, host_name, realm_name);
+ krb5_client_name, host_name, realm_name);
/* Encode our own "name" as auditd/remote(a)EXAMPLE.COM. */
krberr = krb5_build_principal (kcontext, &audit_princ,
strlen(realm_name), realm_name,
- krb_client_name, host_name, NULL);
+ krb5_client_name, host_name, NULL);
KCHECK (krberr, "krb5_build_principal");
/* Locate our machine's key table, where our private key is
* held. */
- krberr = krb5_kt_resolve (kcontext, KEYTAB_NAME, &keytab);
+ krberr = krb5_kt_resolve (kcontext, key_file, &keytab);
KCHECK (krberr, "krb5_kt_resolve");
/* Identify a cache to hold the key in. The GSS wrappers look
@@ -554,7 +578,17 @@
get its credentials and set up a security context for
encryption. */
- name_buf.value = (char *)config.gss_principal;
+ if (config.krb5_principal == NULL) {
+ const char *name = config.krb5_client_name ? config.krb5_client_name : "auditd";
+ config.krb5_principal = (char *) malloc (strlen (name) + 1
+ + strlen (config.remote_server) + 1);
+ sprintf((char *)config.krb5_principal, "%s@%s", name, config.remote_server);
+ }
+ slashptr = strchr (config.krb5_principal, '/');
+ if (slashptr)
+ *slashptr = '@';
+
+ name_buf.value = (char *)config.krb5_principal;
name_buf.length = strlen(name_buf.value) + 1;
major_status = gss_import_name(&minor_status, &name_buf,
(gss_OID) gss_nt_service_name, &service_name_e);
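Review bot: The `malloc` building the default principal is unchecked, so on allocation failure `sprintf` writes through NULL; the size is computed correctly for `"%s@%s"` but `snprintf` with that size makes the bound explicit. The `'/'` to `'@'` rewrite also mutates the configured `krb5_principal` string in place (the header hunk declares it `const char *`), which is harmless on repeat connects since no slash remains, but it deserves a comment such as `/* accept the man-page form name/host and convert to the GSS name form name@host */`. Whether `config.remote_server` can be NULL here is not visible in this hunk; if it can, the strlen needs a guard. The enclosing function begins before and ends after the hunk.
```c
if (config.krb5_principal == NULL) {
	const char *name = config.krb5_client_name ? config.krb5_client_name : "auditd";
	size_t len = strlen (name) + 1 + strlen (config.remote_server) + 1;
	char *p = malloc (len);
	if (p == NULL) {
		syslog (LOG_ERR, "out of memory building krb5 principal");
		return -1;
	}
	snprintf (p, len, "%s@%s", name, config.remote_server);
	config.krb5_principal = p;
}
/* … unchanged: '/' -> '@' rewrite and gss_import_name … */
```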
@@ -563,15 +597,6 @@
return -1;
}
- major_status = gss_acquire_cred(&minor_status,
- service_name_e, GSS_C_INDEFINITE,
- GSS_C_NULL_OID_SET, GSS_C_ACCEPT,
- &service_creds, NULL, NULL);
- if (major_status != GSS_S_COMPLETE) {
- gss_failure("acquiring credentials", major_status, minor_status);
- return -1;
- }
-
/* Someone has to go first. In this case, it's us. */
if (send_token(sock, empty_token) < 0) {
(void) gss_release_name(&minor_status, &service_name_e);
@@ -628,6 +653,23 @@
(void) gss_release_name(&minor_status, &service_name_e);
+#if 0
+ major_status = gss_inquire_context (&minor_status, &my_context, NULL,
+ &service_name_e, NULL, NULL,
+ NULL, NULL, NULL);
+ if (major_status != GSS_S_COMPLETE) {
+ gss_failure("inquiring target name", major_status, minor_status);
+ return -1;
+ }
+ major_status = gss_display_name(&minor_status, service_name_e, &recv_tok, NULL);
+ gss_release_name(&minor_status, &service_name_e);
+ if (major_status != GSS_S_COMPLETE) {
+ gss_failure("displaying name", major_status, minor_status);
+ return -1;
+ }
+ syslog(LOG_INFO, "GSS-API Connected to: %s",
+ (char *)recv_tok.value);
+#endif
return 0;
}
#endif
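Review bot: The `#if 0` block is dead code being committed; either drop it or finish it, since a commented-out "who did we connect to" log is the kind of thing that never gets revisited. If it is enabled, the buffer filled by `gss_display_name` (`recv_tok`, presumably a gss_buffer_desc declared earlier in the function) is never released; add `(void) gss_release_buffer(&minor_status, &recv_tok);` after the syslog call. The enclosing function begins before the hunk.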
diff -x .svn -U 3 -r pristine/audisp/plugins/remote/audisp-remote.conf.5 trunk/audisp/plugins/remote/audisp-remote.conf.5
--- pristine/audisp/plugins/remote/audisp-remote.conf.5 2008-09-14 14:34:12.000000000 -0400
+++ trunk/audisp/plugins/remote/audisp-remote.conf.5 2008-09-15 19:44:28.000000000 -0400
@@ -122,25 +122,34 @@
default value is 5 seconds. If too much time is used on a message,
the network_failure_action action is performed.
.TP
-.I gss_principal
-If specified, GSS (via Kerberos) will be used to encrypt the
-connection to the server. The client and server will use the
-specified principal to negotiate the encryption. The format for the
-.I gss_principal
-is like somename(a)EXAMPLE.COM, see the auditd.conf man page for
-details. Note that encryption can only be used with managed
-connections, not plain ASCII.
+.I enable_krb5
+If set to "yes", Kerberos 5 will be used for authentication and
+encryption. Default is "no". Note that encryption can only be used
+with managed connections, not plain ASCII.
.TP
-.I krb_client_name
+.I krb5_principal
+If specified, This is the expected principal for the server. The
+client and server will use the specified principal to negotiate the
+encryption. The format for the
+.I krb5_principal
+is like somename/hostname, see the auditd.conf man page for
+details. If not specified, the krb5_client_name and remote_server values
+are used.
+.TP
+.I krb5_client_name
This specifies the name portion of the client's own principal. If
unspecified, the default is "auditd". The remainder of the principal
will consist of the host's fully qualified domain name and the default
Kerberos realm, like this:
.I auditd/host14.example.com(a)EXAMPLE.COM
-(assuming you gave "auditd" as the krb_client_name). The key for this
-principal must be stored in
+(assuming you gave "auditd" as the krb_client_name). Note that the
+client and server must have the same principal name and realm.
+.TP
+.I krb5_key_file
+Location of the key for this client's principal.
+Note that the key file must be owned by root and mode 0400.
+The default is
.I /etc/audisp/audisp-remote.key
-on the client machine.
.SH "NOTES"
diff -x .svn -U 3 -r pristine/audisp/plugins/remote/remote-config.c trunk/audisp/plugins/remote/remote-config.c
--- pristine/audisp/plugins/remote/remote-config.c 2008-09-14 14:34:12.000000000 -0400
+++ trunk/audisp/plugins/remote/remote-config.c 2008-09-15 19:22:07.000000000 -0400
@@ -75,9 +75,13 @@
static int heartbeat_timeout_parser(struct nv_pair *nv, int line,
remote_conf_t *config);
#ifdef USE_GSSAPI
-static int gss_principal_parser(struct nv_pair *nv, int line,
+static int enable_krb5_parser(struct nv_pair *nv, int line,
remote_conf_t *config);
-static int krb_client_name_parser(struct nv_pair *nv, int line,
+static int krb5_principal_parser(struct nv_pair *nv, int line,
+ remote_conf_t *config);
+static int krb5_client_name_parser(struct nv_pair *nv, int line,
+ remote_conf_t *config);
+static int krb5_key_file_parser(struct nv_pair *nv, int line,
remote_conf_t *config);
#endif
static int network_retry_time_parser(struct nv_pair *nv, int line,
@@ -112,8 +116,10 @@
{"max_time_per_record", max_time_per_record_parser, 0 },
{"heartbeat_timeout", heartbeat_timeout_parser, 0 },
#ifdef USE_GSSAPI
- {"gss_principal", gss_principal_parser, 0 },
- {"krb_client_name", krb_client_name_parser, 0 },
+ {"enable_krb5", enable_krb5_parser, 0 },
+ {"krb5_principal", krb5_principal_parser, 0 },
+ {"krb5_client_name", krb5_client_name_parser, 0 },
+ {"krb5_key_file", krb5_key_file_parser, 0 },
#endif
{"network_failure_action", network_failure_action_parser, 0 },
{"disk_low_action", disk_low_action_parser, 0 },
@@ -157,6 +163,15 @@
{ NULL, 0 }
};
+#ifdef USE_GSSAPI
+static const struct nv_list enable_krb5_values[] =
+{
+ {"yes", 1 },
+ {"no", 0 },
+ { NULL, 0 }
+};
+#endif
+
/*
* Set everything to its default value
*/
@@ -176,8 +191,10 @@
config->heartbeat_timeout = 0;
#ifdef USE_GSSAPI
- config->gss_principal = NULL;
- config->krb_client_name = NULL;
+ config->enable_krb5 = 0;
+ config->krb5_principal = NULL;
+ config->krb5_client_name = NULL;
+ config->krb5_key_file = NULL;
#endif
#define IA(x,f) config->x##_action = f; config->x##_exe = NULL
@@ -588,31 +605,55 @@
}
#ifdef USE_GSSAPI
-static int gss_principal_parser(struct nv_pair *nv, int line,
+static int enable_krb5_parser(struct nv_pair *nv, int line,
remote_conf_t *config)
{
const char *ptr = nv->value;
+ unsigned long i;
- if (config->gss_principal)
- free ((char *)config->gss_principal);
-
- if (strcmp (ptr, "none") == 0) {
- config->gss_principal = NULL;
- } else {
- config->gss_principal = strdup(ptr);
+ for (i=0; enable_krb5_values[i].name != NULL; i++) {
+ if (strcasecmp(nv->value, enable_krb5_values[i].name) == 0) {
+ config->enable_krb5 = enable_krb5_values[i].option;
+ return 0;
+ }
}
+ syslog(LOG_ERR, "Option %s not found - line %d", nv->value, line);
+ return 1;
+}
+
+static int krb5_principal_parser(struct nv_pair *nv, int line,
+ remote_conf_t *config)
+{
+ const char *ptr = nv->value;
+
+ if (config->krb5_principal)
+ free ((char *)config->krb5_principal);
+
+ config->krb5_principal = strdup(ptr);
+ return 0;
+}
+
+static int krb5_client_name_parser(struct nv_pair *nv, int line,
+ remote_conf_t *config)
+{
+ const char *ptr = nv->value;
+
+ if (config->krb5_client_name)
+ free ((char *)config->krb5_client_name);
+
+ config->krb5_client_name = strdup(ptr);
return 0;
}
-static int krb_client_name_parser(struct nv_pair *nv, int line,
+static int krb5_key_file_parser(struct nv_pair *nv, int line,
remote_conf_t *config)
{
const char *ptr = nv->value;
- if (config->krb_client_name)
- free ((char *)config->krb_client_name);
+ if (config->krb5_key_file)
+ free ((char *)config->krb5_key_file);
- config->krb_client_name = strdup(ptr);
+ config->krb5_key_file = strdup(ptr);
return 0;
}
#endif
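Review bot: In enable_krb5_parser the retained `const char *ptr = nv->value;` is no longer used (the loop reads `nv->value` directly), which will produce an unused-variable warning; drop it or use it in the strcasecmp. The three string parsers (krb5_principal_parser, krb5_client_name_parser, krb5_key_file_parser) store `strdup(ptr)` unchecked, so an allocation failure leaves a NULL that the caller later dereferences as a path or principal; after each strdup add `if (config->krb5_key_file == NULL) { syslog(LOG_ERR, "Out of memory - line %d", line); return 1; }` with the matching field name.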
diff -x .svn -U 3 -r pristine/audisp/plugins/remote/remote-config.h trunk/audisp/plugins/remote/remote-config.h
--- pristine/audisp/plugins/remote/remote-config.h 2008-09-14 14:34:12.000000000 -0400
+++ trunk/audisp/plugins/remote/remote-config.h 2008-09-15 19:14:04.000000000 -0400
@@ -44,8 +44,10 @@
unsigned int max_time_per_record;
unsigned int heartbeat_timeout;
#ifdef USE_GSSAPI
- const char *gss_principal;
- const char *krb_client_name;
+ int enable_krb5;
+ const char *krb5_principal;
+ const char *krb5_client_name;
+ const char *krb5_key_file;
#endif
failure_action_t network_failure_action;
diff -x .svn -U 3 -r pristine/docs/auditd.conf.5 trunk/docs/auditd.conf.5
--- pristine/docs/auditd.conf.5 2008-09-12 10:49:21.000000000 -0400
+++ trunk/docs/auditd.conf.5 2008-09-15 19:44:29.000000000 -0400
@@ -243,17 +243,24 @@
client heartbeat setting, preferably by a factor of two. The default
is zero, which disables this check.
.TP
-.I gss_principal
-If specified, GSS (via Kerberos) will be used to encrypt the
-connection with the client. The client and server will use the
-specified principal to negotiate the encryption. Given a principal
-named somename(a)EXAMPLE.COM, where somename is whatever you choose, the
-server will look for a key named like
-.I somename/hostname(a)EXAMPLE.COM
+.I enable_krb5
+If set to "yes", Kerberos 5 will be used for authentication and
+encryption. The default is "no".
+.TP
+.I krb5_principal
+This is the principal for this server. The default is "auditd".
+Given this default, the server will look for a key named like
+.I auditd/hostname(a)EXAMPLE.COM
stored in
-.I /etc/krb5.keytab
+.I /etc/audit/audit.key
to authenticate itself, where hostname is the canonical name for the
server's host, as returned by a DNS lookup of its IP address.
+.TP
+.I krb5_key_file
+Location of the key for this client's principal.
+Note that the key file must be owned by root and mode 0400.
+The default is
+.I /etc/audit/audit.key
.SH NOTES
In a CAPP environment, the audit trail is considered so important that access to system resources must be denied if an audit trail cannot be created. In this environment, it would be suggested that /var/log/audit be on its own partition. This is to ensure that space detection is accurate and that no other process comes along and consumes part of it.
diff -x .svn -U 3 -r pristine/src/auditd-config.c trunk/src/auditd-config.c
--- pristine/src/auditd-config.c 2008-09-12 10:49:20.000000000 -0400
+++ trunk/src/auditd-config.c 2008-09-15 19:33:30.000000000 -0400
@@ -114,7 +114,11 @@
static int tcp_client_max_idle_parser(struct nv_pair *nv, int line,
struct daemon_conf *config);
#ifdef USE_GSSAPI
-static int gss_principal_parser(struct nv_pair *nv, int line,
+static int enable_krb5_parser(struct nv_pair *nv, int line,
+ struct daemon_conf *config);
+static int krb5_principal_parser(struct nv_pair *nv, int line,
+ struct daemon_conf *config);
+static int krb5_key_file_parser(struct nv_pair *nv, int line,
struct daemon_conf *config);
#endif
static int sanity_check(struct daemon_conf *config);
@@ -146,7 +150,9 @@
{"tcp_client_ports", tcp_client_ports_parser, 0 },
{"tcp_client_max_idle", tcp_client_max_idle_parser, 0 },
#ifdef USE_GSSAPI
- {"gss_principal", gss_principal_parser, 0 },
+ {"enable_krb5", enable_krb5_parser, 0 },
+ {"krb5_principal", krb5_principal_parser, 0 },
+ {"krb5_key_file", krb5_key_file_parser, 0 },
#endif
{ NULL, NULL }
};
@@ -207,6 +213,15 @@
{ NULL, 0 }
};
+#ifdef USE_GSSAPI
+static const struct nv_list enable_krb5_values[] =
+{
+ {"yes", 1 },
+ {"no", 0 },
+ { NULL, 0 }
+};
+#endif
+
const char *email_command = "/usr/lib/sendmail";
static int allow_links = 0;
@@ -254,7 +269,9 @@
config->tcp_client_max_port = TCP_PORT_MAX;
config->tcp_client_max_idle = 0;
#ifdef USE_GSSAPI
- config->gss_principal = NULL;
+ config->enable_krb5 = 0;
+ config->krb5_principal = NULL;
+ config->krb5_key_file = NULL;
#endif
}
@@ -1346,18 +1363,44 @@
}
#ifdef USE_GSSAPI
-static int gss_principal_parser(struct nv_pair *nv, int line,
+static int enable_krb5_parser(struct nv_pair *nv, int line,
struct daemon_conf *config)
{
const char *ptr = nv->value;
+ unsigned long i;
- audit_msg(LOG_DEBUG, "gss_principal_parser called with: %s", nv->value);
+ audit_msg(LOG_DEBUG, "enable_krb5_parser called with: %s",
+ nv->value);
- if (strcmp (ptr, "none") == 0) {
- config->gss_principal = NULL;
- } else {
- config->gss_principal = strdup(ptr);
+ for (i=0; enable_krb5_values[i].name != NULL; i++) {
+ if (strcasecmp(nv->value, enable_krb5_values[i].name) == 0) {
+ config->enable_krb5 = enable_krb5_values[i].option;
+ return 0;
+ }
}
+ audit_msg(LOG_ERR, "Option %s not found - line %d", nv->value, line);
+ return 1;
+}
+
+static int krb5_principal_parser(struct nv_pair *nv, int line,
+ struct daemon_conf *config)
+{
+ const char *ptr = nv->value;
+
+ audit_msg(LOG_DEBUG, "krb5_principal_parser called with: %s", nv->value);
+
+ config->krb5_principal = strdup(ptr);
+ return 0;
+}
+
+static int krb5_key_file_parser(struct nv_pair *nv, int line,
+ struct daemon_conf *config)
+{
+ const char *ptr = nv->value;
+
+ audit_msg(LOG_DEBUG, "krb5_key_file_parser called with: %s", nv->value);
+
+ config->krb5_key_file = strdup(ptr);
return 0;
}
#endif
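Review bot: krb5_principal_parser and krb5_key_file_parser overwrite the field with `strdup(ptr)` without freeing the previous value, unlike their remote-config.c counterparts in this same patch, so a repeated option or a config reload leaks the old string; use `free((char *)config->krb5_principal); config->krb5_principal = strdup(ptr);` and the same for krb5_key_file. As in remote-config.c, `ptr` in enable_krb5_parser is now unused and the strdup results are unchecked; a `if (config->krb5_key_file == NULL) { audit_msg(LOG_ERR, "Out of memory - line %d", line); return 1; }` after each strdup matches the file's error style.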
diff -x .svn -U 3 -r pristine/src/auditd-config.h trunk/src/auditd-config.h
--- pristine/src/auditd-config.h 2008-09-14 14:34:12.000000000 -0400
+++ trunk/src/auditd-config.h 2008-09-15 19:25:01.000000000 -0400
@@ -76,7 +76,9 @@
unsigned long tcp_client_max_port;
unsigned long tcp_client_max_idle;
#ifdef USE_GSSAPI
- const char *gss_principal;
+ int enable_krb5;
+ const char *krb5_principal;
+ const char *krb5_key_file;
#endif
};
diff -x .svn -U 3 -r pristine/src/auditd-listen.c trunk/src/auditd-listen.c
--- pristine/src/auditd-listen.c 2008-09-14 14:34:12.000000000 -0400
+++ trunk/src/auditd-listen.c 2008-09-16 18:05:06.000000000 -0400
@@ -45,6 +45,7 @@
#ifdef USE_GSSAPI
#include <gssapi/gssapi.h>
#include <gssapi/gssapi_generic.h>
+#include <krb5.h>
#endif
#include "libaudit.h"
#include "auditd-event.h"
@@ -66,6 +67,8 @@
#ifdef USE_GSSAPI
/* This holds the negotiated security context for this client. */
gss_ctx_id_t gss_context;
+ char *remote_name;
+ int remote_name_len;
#endif
unsigned char buffer [MAX_AUDIT_MESSAGE_LENGTH + 17];
} ev_tcp;
@@ -76,6 +79,7 @@
#ifdef USE_GSSAPI
/* This is used to hold our own private key. */
static gss_cred_id_t server_creds;
+static char *my_service_name, *my_gss_realm;
static int use_gss = 0;
static char msgbuf[MAX_AUDIT_MESSAGE_LENGTH + 1];
#endif
@@ -108,6 +112,10 @@
snprintf(emsg, sizeof(emsg), "addr=%s port=%d res=success",
sockaddr_to_ip (&client->addr), ntohs (client->addr.sin_port));
send_audit_event(AUDIT_DAEMON_CLOSE, emsg);
+#ifdef USE_GSSAPI
+ if (client->remote_name)
+ free (client->remote_name);
+#endif
close (client->io.fd);
if (client_chain == client)
client_chain = client->next;
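Review bot: The NULL guard around `free (client->remote_name)` is redundant, since free(NULL) is a no-op, but the line's safety depends on remote_name being NULL for clients that are closed before the GSS accept path assigns it; the allocation of ev_tcp is not in this diff, so confirm the structure is zeroed (calloc or memset) when a client is accepted. `free (client->remote_name);` alone is enough here, and setting it to NULL afterwards would make a later double close harmless.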
@@ -269,6 +277,10 @@
gss_failure_2 (msg, minor_status, GSS_C_MECH_CODE);
}
+#define KCHECK(x,f) if (x) { \
+ audit_msg (LOG_ERR, "krb5 error: %s in %s\n", krb5_get_error_message (kcontext, x), f); \
+ return -1; }
+
/* These are our private credentials, which come from a key file on
our server. They are aquired once, at program start. */
static int server_acquire_creds(const char *service_name, gss_cred_id_t *server_creds)
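Review bot: The KCHECK macro at the top of the hunk is a bare `if` that returns, so it is not statement-safe (an `if (...) KCHECK(...); else ...` would bind the else to the macro's own if), and it never releases the string it gets from krb5_get_error_message(), which the krb5 API hands out as an allocation to be returned with krb5_free_error_message(). Wrapping it in do/while(0) and freeing the message fixes both. The trailing `\n` in the audit_msg format is also inconsistent with the other audit_msg calls in this diff, which carry none.
```c
#define KCHECK(x,f) do { if (x) { \
	const char *kerr_msg = krb5_get_error_message (kcontext, x); \
	audit_msg (LOG_ERR, "krb5 error: %s in %s", kerr_msg, f); \
	krb5_free_error_message (kcontext, kerr_msg); \
	return -1; } } while (0)
```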
@@ -277,6 +289,10 @@
gss_name_t server_name;
OM_uint32 major_status, minor_status;
+ krb5_context kcontext = NULL;
+ int krberr;
+
+ my_service_name = strdup (service_name);
name_buf.value = (char *)service_name;
name_buf.length = strlen(name_buf.value) + 1;
major_status = gss_import_name(&minor_status, &name_buf,
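Review bot: `my_service_name = strdup (service_name);` is not checked, and the copy is later handed to strcmp() in the client-name check of a following hunk, so an allocation failure at startup turns into a NULL dereference on the first connection. Add `if (!my_service_name) return -1;` directly after the strdup. The copy is process-lifetime and never freed, which is fine for a startup-only global, but a one-line comment saying so would stop a later reader from hunting for the free.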
@@ -297,6 +313,11 @@
(void) gss_release_name(&minor_status, &server_name);
+ krberr = krb5_init_context (&kcontext);
+ KCHECK (krberr, "krb5_init_context");
+ krberr = krb5_get_default_realm (kcontext, &my_gss_realm);
+ KCHECK (krberr, "krb5_get_default_realm");
+
audit_msg(LOG_DEBUG, "GSS creds for %s acquired", service_name);
return 0;
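Review bot: kcontext obtained from krb5_init_context() at the start of this hunk is never released: on success the function returns with it still allocated, and when krb5_get_default_realm() fails the KCHECK return leaves it allocated as well. Only my_gss_realm is needed after this point, so once the realm string is in hand take a strdup() copy into my_gss_realm, hand the original back with krb5_free_default_realm(), and call krb5_free_context() on both the success and the failure path. This runs once per startup so the leak is small, but the failure path should also release the server_creds acquired just above rather than leave the caller with a half-initialised GSS state.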
@@ -313,6 +334,7 @@
OM_uint32 maj_stat, min_stat, acc_sec_min_stat;
gss_ctx_id_t *context;
OM_uint32 sess_flags;
+ char *slashptr, *atptr;
context = & io->gss_context;
*context = GSS_C_NO_CONTEXT;
@@ -365,14 +387,42 @@
} while (maj_stat == GSS_S_CONTINUE_NEEDED);
maj_stat = gss_display_name(&min_stat, client, &recv_tok, NULL);
- if (maj_stat != GSS_S_COMPLETE)
- gss_failure("displaying name", maj_stat, min_stat);
- else
- audit_msg(LOG_INFO, "GSS-API Accepted connection from: %s",
- (char *)recv_tok.value);
gss_release_name(&min_stat, &client);
+
+ if (maj_stat != GSS_S_COMPLETE) {
+ gss_failure("displaying name", maj_stat, min_stat);
+ return -1;
+ }
+
+ audit_msg(LOG_INFO, "GSS-API Accepted connection from: %s",
+ (char *)recv_tok.value);
+ io->remote_name = strdup (recv_tok.value);
+ io->remote_name_len = strlen (recv_tok.value);
gss_release_buffer(&min_stat, &recv_tok);
+ slashptr = strchr (io->remote_name, '/');
+ atptr = strchr (io->remote_name, '@');
+
+ if (!slashptr || !atptr) {
+ audit_msg(LOG_ERR, "Invalid GSS name from remote client: %s",
+ io->remote_name);
+ return -1;
+ }
+
+ *slashptr = 0;
+ if (strcmp (io->remote_name, my_service_name)) {
+ audit_msg(LOG_ERR, "Unauthorized GSS client name: %s (not %s)",
+ io->remote_name, my_service_name);
+ return -1;
+ }
+ *slashptr = '/';
+
+ if (strcmp (atptr+1, my_gss_realm)) {
+ audit_msg(LOG_ERR, "Unauthorized GSS client realm: %s (not %s)",
+ atptr+1, my_gss_realm);
+ return -1;
+ }
+
return 0;
}
#endif /* USE_GSSAPI */
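Review bot: `io->remote_name = strdup (recv_tok.value);` and the strlen() on the next line treat the gss_display_name() output as a NUL-terminated C string, but a gss_buffer_t carries an explicit length and the GSS-API does not promise a terminator, and the strdup() result goes straight into strchr() with no NULL check. Copy by length with strndup(), release the buffer, and fail the handshake if the copy is NULL before anything dereferences it; the audit_msg above also prints the raw buffer with %s, so log the copy instead. The authorization that follows checks only the primary and the realm, while the instance between '/' and '@' is accepted as-is and is later spliced into audit records as `krb5=%s` in a following hunk, so reject names whose instance contains characters the record format treats as separators (whitespace, '=', quotes) or document that the KDC's naming policy is relied on for that.
```c
	io->remote_name = strndup (recv_tok.value, recv_tok.length);
	gss_release_buffer(&min_stat, &recv_tok);
	if (!io->remote_name) {
		audit_msg(LOG_ERR, "GSS-API: cannot save client name");
		return -1;
	}
	io->remote_name_len = strlen (io->remote_name);
	audit_msg(LOG_INFO, "GSS-API Accepted connection from: %s", io->remote_name);
	/* … unchanged: '/' and '@' lookup, service-name and realm checks … */
```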
@@ -536,8 +586,14 @@
gss_failure("decrypting message", major_status, minor_status);
} else {
/* client_message() wants to NUL terminate it,
- so copy it to a bigger buffer. */
+ so copy it to a bigger buffer. Plus, we
+ want to add our own tag. */
memcpy (msgbuf, utok.value, utok.length);
+ while (utok.length > 0 && msgbuf[utok.length-1] == '\n')
+ utok.length --;
+ snprintf (msgbuf + utok.length, MAX_AUDIT_MESSAGE_LENGTH - utok.length,
+ " krb5=%s", io->remote_name);
+ utok.length += 6 + io->remote_name_len;
client_message (io, utok.length, msgbuf);
gss_release_buffer(&minor_status, &utok);
}
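Review bot: `utok.length += 6 + io->remote_name_len;` assumes the snprintf() above wrote the whole tag, but snprintf() truncates silently when `MAX_AUDIT_MESSAGE_LENGTH - utok.length` is too small, so the length handed to client_message() can run past what was written and past the end of msgbuf (declared with MAX_AUDIT_MESSAGE_LENGTH + 1 bytes in an earlier hunk). Use the snprintf() return value, treat a result at or above the remaining space as an error, and only then add it to the length; that also removes the hand-computed 6. The size argument is an unsigned subtraction, so if utok.length can exceed the buffer at the memcpy() — whether the caller bounds it is not visible here — it wraps; a guard before the memcpy() closes that. The enclosing function starts and ends outside the hunk, and `int tag_len` needs a declaration at its top.
```c
			if (utok.length >= sizeof (msgbuf)) {
				audit_msg (LOG_ERR, "GSS-API: decrypted message too long, dropping");
			} else {
				memcpy (msgbuf, utok.value, utok.length);
				while (utok.length > 0 && msgbuf[utok.length-1] == '\n')
					utok.length --;
				tag_len = snprintf (msgbuf + utok.length,
					sizeof (msgbuf) - utok.length,
					" krb5=%s", io->remote_name);
				if (tag_len < 0 ||
				    (size_t)tag_len >= sizeof (msgbuf) - utok.length)
					audit_msg (LOG_ERR, "GSS-API: no room for krb5 tag, dropping message");
				else
					client_message (io, utok.length + tag_len, msgbuf);
			}
			gss_release_buffer(&minor_status, &utok);
```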
@@ -763,9 +819,36 @@
config->tcp_client_max_port);
#ifdef USE_GSSAPI
- if (config->gss_principal) {
+ if (config->enable_krb5) {
+ const char *princ = config->krb5_principal;
+ const char *key_file;
+ struct stat st;
+
+ if (!princ)
+ princ = "auditd";
use_gss = 1;
- server_acquire_creds(config->gss_principal, &server_creds);
+ /* This may fail, but we don't care. */
+ unsetenv ("KRB5_KTNAME");
+ if (config->krb5_key_file)
+ key_file = config->krb5_key_file;
+ else
+ key_file = "/etc/audit/audit.key";
+ setenv ("KRB5_KTNAME", key_file, 1);
+
+ if (stat (key_file, &st) == 0) {
+ if ((st.st_mode & 07777) != 0400) {
+ audit_msg (LOG_ERR, "%s is not mode 0400 (it's %#o) - compromised key?",
+ key_file, st.st_mode & 07777);
+ return -1;
+ }
+ if (st.st_uid != 0) {
+ audit_msg (LOG_ERR, "%s is not owned by root (it's %d) - compromised key?",
+ key_file, st.st_uid);
+ return -1;
+ }
+ }
+
+ server_acquire_creds(princ, &server_creds);
}
#endif
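Review bot: The return value of `server_acquire_creds(princ, &server_creds);` at the end of the hunk is still discarded, so after a keytab or KDC problem the listener keeps running with use_gss = 1 and an unacquired server_creds, while the new mode/owner checks do fail hard; treat a non-zero return the same way. The stat() branch also proceeds silently when the keytab cannot be stat'ed at all, which with enable_krb5 set is a misconfiguration worth refusing, and `%d` with st.st_uid mismatches the unsigned uid_t (`(unsigned long) st.st_uid` with `%lu`). Checking the file by path and then letting krb5 open the same path leaves a small time-of-check/time-of-use window; for a root-owned file in a root-owned directory that is acceptable, but say so in a comment. The enclosing function starts before the hunk.
```c
	if (stat (key_file, &st) != 0) {
		audit_msg (LOG_ERR, "Cannot stat krb5 key file %s", key_file);
		return -1;
	}
	/* … unchanged: mode 0400 and root-owner checks … */
	if (server_acquire_creds(princ, &server_creds) != 0) {
		audit_msg (LOG_ERR, "Cannot acquire GSS credentials for %s", princ);
		return -1;
	}
```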
@@ -782,8 +865,10 @@
close ( listen_socket );
#ifdef USE_GSSAPI
- use_gss = 0;
- gss_release_cred(&status, &server_creds);
+ if (use_gss) {
+ use_gss = 0;
+ gss_release_cred(&status, &server_creds);
+ }
#endif
while (client_chain) {
no node= in ausearch
by LC Bruzenak
Just as an aside, I was sending in the auditctl event because I do not
see the "node=" information in the ausearch results on my collector.
So I wasn't certain which machine might be initiating the event.
Thx,
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
audit collector startup help
by LC Bruzenak
DJ (or anyone) -
Is there a HOWTO for activating the 1.7.5 aggregating feature?
My apologies if I missed this earlier.
I believe that the collector needs to uncomment the lines
in /etc/auditd/auditd.conf and the senders/clients need to set
active=yes, remote=<IP-address> in the audisp-remote.conf file.
However, my collector auditd fails on start; it might be that I do not
have it configured correctly.
I have : audit-1.7.5-1.fc9.i386
Thx,
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
[PATCH] Audit: fix handling of 'strings' with NULL characters
by Eric Paris
currently audit_log_n_untrustedstring() uses
audit_string_contains_control() to check if the 'string' has any control
characters. If the 'string' has an embedded NULL,
audit_string_contains_control() will report that the data has no control
characters, and audit_log_n_untrustedstring() will then pass the string to
audit_log_n_string with the total length, not the length up to the first NULL. audit_log_n_string
does a memcpy of the entire length and so the actual audit record
emitted may then contain a NULL and then whatever random memory is after
the NULL.
Since we want to log the entire octet stream (if we can't trust the data
to be a string we can't trust that a NULL isn't actually a part of it)
we should just consider NULL as a control character. If the caller is
certain they want to stop at the first NULL they should be using
audit_log_untrustedstring.
Signed-off-by: Eric Paris <eparis(a)redhat.com>
---
Miloslav, this is also going to take care of nulls in the TTY_AUDIT_USER
message from userspace. Is it going to be common to have control
characters on that code path as well? Do you want to change
audit_receive_msg() to also use the hex encoding directly instead of the
_n_untrustedstring interface?
kernel/audit.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 4414e93..ccb8d68 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1370,7 +1370,7 @@ void audit_log_n_string(struct audit_buffer *ab, const char *string,
int audit_string_contains_control(const char *string, size_t len)
{
const unsigned char *p;
- for (p = string; p < (const unsigned char *)string + len && *p; p++) {
+ for (p = string; p < (const unsigned char *)string + len; p++) {
if (*p == '"' || *p < 0x21 || *p > 0x7e)
return 1;
}
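Review bot: The changed loop deserves a comment stating that an embedded NUL is deliberately treated as a control character, because the function's name does not say so and the removed `&& *p` made the opposite choice; e.g. `/* NUL counts as control: callers pass a byte count, not a C string, so an embedded NUL must force hex encoding rather than silently end the string. */`. Callers that do want C-string semantics use audit_log_untrustedstring(), as the commit message notes, and the comment is the place to point them there.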
[PATCH] bug fixes for gss code in audisp-remote
by DJ Delorie
* use memory cache for credentials to avoid file-based attack
* client principal name is configurable
* updated documentation and sample config file
diff -x .svn -U 3 -r pristine/audisp/plugins/remote/audisp-remote.c trunk/audisp/plugins/remote/audisp-remote.c
--- pristine/audisp/plugins/remote/audisp-remote.c 2008-09-12 10:49:20.000000000 -0400
+++ trunk/audisp/plugins/remote/audisp-remote.c 2008-09-12 12:30:18.000000000 -0400
@@ -455,7 +455,7 @@
return -1; }
#define KEYTAB_NAME "/etc/audisp/audisp-remote.key"
-#define CCACHE_NAME "FILE:/tmp/audisp-remote.ccache"
+#define CCACHE_NAME "MEMORY:audisp-remote"
/* Each time we connect to the server, we negotiate a set of
credentials and a security context. To do this, we need our own
@@ -487,6 +487,8 @@
krb5_creds my_creds;
krb5_get_init_creds_opt options;
krb5_keytab keytab = NULL;
+ const char *krb_client_name;
+ char host_name[255];
token_ptr = GSS_C_NO_BUFFER;
*gss_context = GSS_C_NO_CONTEXT;
@@ -498,12 +500,20 @@
/etc/krb5.conf (or wherever) */
krberr = krb5_get_default_realm (kcontext, &realm_name);
KCHECK (krberr, "krb5_get_default_realm");
- syslog (LOG_ERR, "kerberos principal: auditd/remote@%s\n", realm_name);
+ krb_client_name = config.krb_client_name ? config.krb_client_name : "auditd";
+ if (gethostname(host_name, sizeof(host_name)) != 0) {
+ syslog (LOG_ERR, "gethostname: host name longer than %d characters?",
+ sizeof (host_name));
+ return -1;
+ }
+
+ syslog (LOG_ERR, "kerberos principal: %s/%s@%s\n",
+ krb_client_name, host_name, realm_name);
/* Encode our own "name" as auditd/remote(a)EXAMPLE.COM. */
krberr = krb5_build_principal (kcontext, &audit_princ,
strlen(realm_name), realm_name,
- "auditd", "remote", NULL);
+ krb_client_name, host_name, NULL);
KCHECK (krberr, "krb5_build_principal");
/* Locate our machine's key table, where our private key is
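Review bot: gethostname() can truncate a long name without returning an error, and POSIX leaves it unspecified whether the truncated result is NUL-terminated, so the error branch added in the hunk does not cover that case and host_name may be read past its end by krb5_build_principal(); add `host_name[sizeof (host_name) - 1] = '\0';` right after the call. In the same syslog() call `%d` is used for `sizeof (host_name)`, which is a size_t — use `%zu`. The comment beginning `/* Encode our own "name" as auditd/remote` is now stale and should describe the `krb_client_name/host_name@realm` form the code builds. The man-page text in this patch says the instance is the fully qualified domain name, but gethostname() returns whatever the system hostname is set to, which may be unqualified; either resolve it or word the documentation as "the system hostname".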
Only in trunk/audisp/plugins/remote: audisp-remote.c.mine
Only in trunk/audisp/plugins/remote: audisp-remote.c.r87
Only in trunk/audisp/plugins/remote: audisp-remote.c.r94
diff -x .svn -U 3 -r pristine/audisp/plugins/remote/audisp-remote.conf trunk/audisp/plugins/remote/audisp-remote.conf
--- pristine/audisp/plugins/remote/audisp-remote.conf 2008-08-29 11:53:55.000000000 -0400
+++ trunk/audisp/plugins/remote/audisp-remote.conf 2008-09-12 12:38:30.000000000 -0400
@@ -21,3 +21,6 @@
remote_ending_action = suspend
generic_error_action = syslog
generic_warning_action = syslog
+
+# gss_principal = something(a)EXAMPLE.COM
+# krb_client_name = auditd
diff -x .svn -U 3 -r pristine/audisp/plugins/remote/audisp-remote.conf.5 trunk/audisp/plugins/remote/audisp-remote.conf.5
--- pristine/audisp/plugins/remote/audisp-remote.conf.5 2008-09-12 10:49:20.000000000 -0400
+++ trunk/audisp/plugins/remote/audisp-remote.conf.5 2008-09-12 12:37:18.000000000 -0400
@@ -125,16 +125,23 @@
.I gss_principal
If specified, GSS (via Kerberos) will be used to encrypt the
connection to the server. The client and server will use the
-specified principal to negotiate the encryption. The client will
-use a key named like
-.I auditd/remote(a)EXAMPLE.COM
-stored in
-.I /etc/audisp/audisp-remote.key
-to authenticate itself. The format for the
+specified principal to negotiate the encryption. The format for the
.I gss_principal
is like somename(a)EXAMPLE.COM, see the auditd.conf man page for
details. Note that encryption can only be used with managed
connections, not plain ASCII.
+.TP
+.I krb_client_name
+This specifies the name portion of the client's own principal. If
+unspecified, the default is "auditd". The remainder of the principal
+will consist of the host's fully qualified domain name and the default
+Kerberos realm, like this:
+.I auditd/host14.example.com(a)EXAMPLE.COM
+(assuming you gave "auditd" as the krb_client_name). The key for this
+principal must be stored in
+.I /etc/audisp/audisp-remote.key
+on the client machine.
+
.SH "NOTES"
Specifying a local port may make it difficult to restart the audit
diff -x .svn -U 3 -r pristine/audisp/plugins/remote/remote-config.c trunk/audisp/plugins/remote/remote-config.c
--- pristine/audisp/plugins/remote/remote-config.c 2008-09-12 10:49:20.000000000 -0400
+++ trunk/audisp/plugins/remote/remote-config.c 2008-09-12 12:37:27.000000000 -0400
@@ -77,6 +77,8 @@
#ifdef USE_GSSAPI
static int gss_principal_parser(struct nv_pair *nv, int line,
remote_conf_t *config);
+static int krb_client_name_parser(struct nv_pair *nv, int line,
+ remote_conf_t *config);
#endif
static int network_retry_time_parser(struct nv_pair *nv, int line,
remote_conf_t *config);
@@ -111,6 +113,7 @@
{"heartbeat_timeout", heartbeat_timeout_parser, 0 },
#ifdef USE_GSSAPI
{"gss_principal", gss_principal_parser, 0 },
+ {"krb_client_name", krb_client_name_parser, 0 },
#endif
{"network_failure_action", network_failure_action_parser, 0 },
{"disk_low_action", disk_low_action_parser, 0 },
@@ -174,6 +177,7 @@
config->heartbeat_timeout = 0;
#ifdef USE_GSSAPI
config->gss_principal = NULL;
+ config->krb_client_name = NULL;
#endif
#define IA(x,f) config->x##_action = f; config->x##_exe = NULL
@@ -589,6 +593,9 @@
{
const char *ptr = nv->value;
+ if (config->gss_principal)
+ free ((char *)config->gss_principal);
+
if (strcmp (ptr, "none") == 0) {
config->gss_principal = NULL;
} else {
@@ -596,6 +603,18 @@
}
return 0;
}
+
+static int krb_client_name_parser(struct nv_pair *nv, int line,
+ remote_conf_t *config)
+{
+ const char *ptr = nv->value;
+
+ if (config->krb_client_name)
+ free ((char *)config->krb_client_name);
+
+ config->krb_client_name = strdup(ptr);
+ return 0;
+}
#endif
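Review bot: `config->krb_client_name = strdup(ptr);` in krb_client_name_parser is not checked, so an allocation failure silently leaves the field NULL and the client later falls back to the built-in "auditd" name, a different principal from the one configured; report the failure and return non-zero instead of 0. The value is also stored without validation although it becomes one component of the principal built in audisp-remote.c, so a value containing '/' or '@' would produce a principal unlike the `name/host@REALM` form the man page in this patch documents; reject those characters here. Freeing the previous value mirrors the gss_principal_parser change above, which is the right fix for repeated keys.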
/*
diff -x .svn -U 3 -r pristine/audisp/plugins/remote/remote-config.h trunk/audisp/plugins/remote/remote-config.h
--- pristine/audisp/plugins/remote/remote-config.h 2008-09-12 10:49:20.000000000 -0400
+++ trunk/audisp/plugins/remote/remote-config.h 2008-09-12 12:08:16.000000000 -0400
@@ -45,6 +45,7 @@
unsigned int heartbeat_timeout;
#ifdef USE_GSSAPI
const char *gss_principal;
+ const char *krb_client_name;
#endif
failure_action_t network_failure_action;