Matt,
A couple of minor comments/questions ... inline.
-Janak
Matt Anderson wrote:
After seeing what Cory and TCS have done I started working on some
of
the other LSPP requirements around printing. Attached is a patch that
applies on top of Cups 1.2.23 with the TCS patch applied.
Right now the patch is a basic auditing framework with only a few audited
events such as the classification of the cups daemon, if users are
allowed to override the banners on the command line, that sort of thing.
The patch currently uses AUDIT_USER as the message type. This was
suggested by Steve as a work around while the message types are being
decided. So far I've only really made Job related messages and Config
related messages, but I'm sure more will come.
Some sample messages are:
'CUPS Config: ClassifyOverride is enabled'
'CUPS Config: System wide Classification set to "classified"'
'CUPS Config: Setting printer "freecoffee" banners to "secret"
"secret"'
'CUPS Config: Setting printer "localghost" banners to "topsecret"
"none"'
'CUPS Job #1: being printed on "freecoffee" with labels
"classified"
"classified"'
One thing I did try to do, but have since removed, is attempt to
determine if the user specified "-o job_sheets=foo" which is the cups
way to override the banners. It seems that with a system wide
classification set this user option is overwritten. Auditing the
client's end of printing could present some challenges due to the client
- server nature of cups. One option may be to expand the way cups does
IPP to include more meta data in the client request, although this is
not without issues.
Cups does seem to have support for classifications and labels, and this
patch and the one from TCS improve on those features, but at this point
I'm concerned that its basic infrastructure isn't right for what we need
from a strict LSPP perspective. Things like a label translation table
built-in seems like a feature that Trusted/Labeled printing users would
like, but doesn't seem like something Cups would want to upstream.
I'm going to be away thru the end of this week, but I wanted to get this
out for comments. I'll be checking in on my mail, but don't be offended
if I don't get back to you right away.
-matt
------------------------------------------------------------------------
diff -bur --exclude .svn cups/Makedefs.in cups-audit/Makedefs.in
--- cups/Makedefs.in 2005-08-16 16:14:54.559365416 -0400
+++ cups-audit/Makedefs.in 2005-08-16 16:12:44.077201720 -0400
@@ -85,7 +85,7 @@
ARFLAGS = @ARFLAGS@
BACKLIBS = @BACKLIBS@
-CFLAGS = $(RC_CFLAGS) $(SSLFLAGS) -DWITH_SELINUX_MLS @CPPFLAGS@ @CFLAGS@ -I..
$(OPTIONS)
+CFLAGS = $(RC_CFLAGS) $(SSLFLAGS) -DWITH_SELINUX_MLS -DWITH_AUDIT @CPPFLAGS@ @CFLAGS@
-I.. $(OPTIONS)
COMMONLIBS = @COMMONLIBS@
CXXFLAGS = $(RC_CFLAGS) @CPPFLAGS@ @CXXFLAGS@ -I.. $(OPTIONS)
CXXLIBS = @CXXLIBS@
diff -bur --exclude .svn cups/scheduler/conf.c cups-audit/scheduler/conf.c
--- cups/scheduler/conf.c 2005-08-16 13:09:38.133319048 -0400
+++ cups-audit/scheduler/conf.c 2005-08-16 15:04:16.017721688 -0400
@@ -50,6 +50,9 @@
# include <syslog.h>
#endif /* HAVE_VSYSLOG */
+#ifdef WITH_AUDIT
+# include <libaudit.h>
+#endif /* WITH_AUDIT */
/*
* Possibly missing network definitions...
@@ -142,6 +145,9 @@
{ "ServerName", &ServerName, VAR_STRING },
{ "ServerRoot", &ServerRoot, VAR_STRING },
{ "TempDir", &TempDir, VAR_STRING },
+#ifdef WITH_AUDIT
+ { "AuditLog", &AuditLog, VAR_INTEGER },
+#endif /* WITH_AUDIT */
{ "Timeout", &Timeout, VAR_INTEGER }
};
#define NUM_VARS (sizeof(variables) / sizeof(variables[0]))
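Review bot: Registering `AuditLog` in the `variables` table as a `VAR_INTEGER` makes the audit socket descriptor a user-settable cupsd.conf directive: a line such as `AuditLog 7` (constructed example) would overwrite the descriptor returned by `audit_open()` in the main.c hunk, and every later `audit_log(AuditLog, ...)` would write to an unrelated descriptor or fail. The conf.h hunk documents the variable as `/* File descriptor for audit */`, which confirms it is internal state rather than configuration; drop the table entry, or introduce a separate boolean directive (e.g. `AuditEnabled`) that does not alias the descriptor. Whether ReadConfiguration runs after the `audit_open()` call is not visible in this patch, but configuration is re-read on reload either way, so the descriptor would be clobbered at the latest then.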
@@ -387,6 +393,14 @@
cupsFileClose(fp);
+#ifdef WITH_AUDIT
+ /* ClassifyOverride is set during read_cofiguration, if its on, report it now */
+ if (ClassifyOverride)
+ audit_log(AuditLog, AUDIT_USER, "CUPS Config: ClassifyOverride is
enabled");
+ else
+ audit_log(AuditLog, AUDIT_USER, "CUPS Config: ClassifyOverride is
disabled");
+#endif /* WITH_AUDIT */
+
Is it possible to make the message a little more explanatory? That is, what does
it mean when the ClassifyOverride flag is set or unset?
if (!status)
return (0);
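Review bot: The return value of `audit_log()` is discarded here and at every other call site added by this patch (the conf.c hunk at 569, the job.c hunks at 874, 1425, 1812 and 1829, and the printers.c hunk at 1275), and `AuditLog` starts out as -1 in conf.h, so a failed `audit_open()` silently turns every audit record into a no-op with nothing in the error log. For an LSPP audit trail a lost record should at least be reported, e.g. `if (audit_log(AuditLog, AUDIT_USER, "CUPS Config: ClassifyOverride is enabled") < 0) LogMessage(L_ERROR, "Unable to write audit record: %s", strerror(errno));`, ideally through one small `cupsdAuditLog()` wrapper so the check and the `AuditLog < 0` case are handled in a single place. The comment above the call also misspells `read_configuration`.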
@@ -569,7 +583,13 @@
ClearString(&Classification);
if (Classification)
+ {
LogMessage(L_INFO, "Security set to \"%s\"", Classification);
+#ifdef WITH_AUDIT
+ audit_log(AuditLog, AUDIT_USER, "CUPS Config: System wide Classification set to
\"%s\"",
+ Classification);
+#endif /* WITH_AUDIT */
+ }
/*
* Update the MaxClientsPerHost value, as needed...
diff -bur --exclude .svn cups/scheduler/conf.h cups-audit/scheduler/conf.h
--- cups/scheduler/conf.h 2005-08-16 13:09:38.137318440 -0400
+++ cups-audit/scheduler/conf.h 2005-08-11 18:05:27.000000000 -0400
@@ -167,6 +167,10 @@
/* Number of MIME types */
VAR const char **MimeTypes VALUE(NULL);
/* Array of MIME types */
+#ifdef WITH_AUDIT
+VAR int AuditLog VALUE(-1);
+ /* File descriptor for audit */
+#endif /* WITH_AUDIT */
#ifdef HAVE_SSL
VAR char *ServerCertificate VALUE(NULL);
diff -bur --exclude .svn cups/scheduler/job.c cups-audit/scheduler/job.c
--- cups/scheduler/job.c 2005-08-16 13:09:38.150316464 -0400
+++ cups-audit/scheduler/job.c 2005-08-16 15:37:43.372557368 -0400
@@ -69,6 +69,10 @@
#include <selinux/selinux.h>
#endif /* WITH_SELINUX_MLS */
+#ifdef WITH_AUDIT
+#include <libaudit.h>
+#endif /* WITH_AUDIT */
+
/*
* Local globals...
*/
@@ -874,6 +878,10 @@
if ((attr = ippFindAttribute(current->attrs, "job-printer-uri",
IPP_TAG_URI)) != NULL)
{
+#ifdef WITH_AUDIT
+ audit_log(AuditLog, AUDIT_USER, "CUPS Job #%d: Changing destination from
\"%s\" to \"%s\"",
+ id, attr->values[0].string.text, p->uri);
+#endif /* WITH_AUDIT */
free(attr->values[0].string.text);
attr->values[0].string.text = strdup(p->uri);
}
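Review bot: This record names the job and the old and new destination URIs but not the subject that requested the move, which an LSPP auditor needs to attribute the event; the same applies to the other job.c records (hunks at 1425, 1812 and 1829), which carry only the job id and printer name. If the requesting user or the client connection is available in the enclosing function (its signature is outside the hunk), add it to the format string, e.g. `"CUPS Job #%d: user \"%s\" changing destination from \"%s\" to \"%s\""`. Note also that `attr->values[0].string.text` is read here just before the `free()` on the next line, which is correct only as long as the audit call stays above it.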
@@ -1425,6 +1433,10 @@
if ((current->job_sheets =
ippFindAttribute(current->attrs, "job-sheets", IPP_TAG_ZERO)) !=
NULL)
LogMessage(L_DEBUG, "... but someone added one without setting
job_sheets!");
+#ifdef WITH_AUDIT
+ audit_log(AuditLog, AUDIT_USER, "CUPS Job #%d: printing on \"%s\"
without any banners",
+ id, printer->name);
+#endif /* WITH_AUDIT */
}
else if (current->job_sheets->num_values == 1)
LogMessage(L_DEBUG, "job-sheets=%s",
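Review bot: The "printing ... without any banners" record is written unconditionally within this block, including the case where the `ippFindAttribute()` test just above found a `job-sheets` attribute and assigned it to `current->job_sheets`; in that path the audit trail states that no banner is used while one is present. Guard the record on the outcome of that test, e.g. `if (current->job_sheets == NULL) audit_log(AuditLog, AUDIT_USER, "CUPS Job #%d: printing on \"%s\" without any banners", id, printer->name);`, or emit a different record for the "someone added one" case. The enclosing function continues outside the hunk.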
@@ -1812,6 +1824,10 @@
snprintf(classification, sizeof(classification), "CLASSIFICATION=%s",
mls_label);
envp[envc ++] = classification;
+#ifdef WITH_AUDIT
+ audit_log(AuditLog, AUDIT_USER, "CUPS Job #%d: being printed on
\"%s\" with label \"%s\"",
+ id, printer->name, mls_label);
+#endif /* WITH_AUDIT */
This audit record is created when the job is submitted. Is it possible that
on the filter side, the CLASSIFICATION environment variable can be
changed/overridden/deleted in such a way that affects the actual labels
that come out on pages?
}
#else
if (Classification && !banner_page)
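Review bot: The two variants of this record use different layouts — `with label "%s"` here and `with labels "%s" "%s"` in the hunk at 1829 — so any consumer of the audit stream must parse two formats for the same event, and the sample messages in the cover mail only show the second. Pick one layout (two quoted fields, repeating the single MLS label in both positions if needed) so the record is the same regardless of how cupsd was built. The wording "being printed" is also slightly ahead of events: the record is emitted while the filter environment is being assembled (the `snprintf` into `classification` and the `envp[envc ++]` store just above), before any filter has run.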
@@ -1829,6 +1845,10 @@
attr->values[0].string.text);
envp[envc ++] = classification;
+#ifdef WITH_AUDIT
+ audit_log(AuditLog, AUDIT_USER, "CUPS Job #%d: being printed on
\"%s\" with labels \"%s\" \"%s\"",
+ id, printer->name, attr->values[0].string.text,
attr->values[1].string.text);
+#endif /* WITH_AUDIT */
}
#endif /* WITH_SELINUX_MLS */
diff -bur --exclude .svn cups/scheduler/main.c cups-audit/scheduler/main.c
--- cups/scheduler/main.c 2005-08-16 13:09:38.154315856 -0400
+++ cups-audit/scheduler/main.c 2005-08-11 17:47:31.000000000 -0400
@@ -55,6 +55,9 @@
# include <malloc.h>
#endif /* HAVE_MALLOC_H && HAVE_MALLINFO */
+#ifdef WITH_AUDIT
+#include <libaudit.h>
+#endif /* WITH_AUDIT */
/*
* Local functions...
@@ -177,6 +180,10 @@
if (!ConfigurationFile)
SetString(&ConfigurationFile, CUPS_SERVERROOT "/cupsd.conf");
+#ifdef WITH_AUDIT
+ AuditLog = audit_open();
+#endif /* WITH_AUDIT */
+
/*
* If the user hasn't specified "-f", run in the background...
*/
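Review bot: The result of `audit_open()` is stored without being checked, so a missing or unreachable audit subsystem leaves `AuditLog` at -1 and the daemon starts with auditing silently disabled. Add at least `if (AuditLog < 0) LogMessage(L_ERROR, "Unable to open audit socket: %s", strerror(errno));` (assuming `errno.h` and `string.h` are already included by main.c); whether cupsd should refuse to start in that case is a policy decision for the LSPP profile, but it should not be invisible. Opening the socket before the daemonise step that follows is fine since the descriptor survives the fork.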
@@ -786,6 +793,10 @@
free(input);
free(output);
+#ifdef WITH_AUDIT
+ audit_close(AuditLog);
+#endif /* WITH_AUDIT */
+
return (!stop_scheduler);
}
diff -bur --exclude .svn cups/scheduler/Makefile cups-audit/scheduler/Makefile
--- cups/scheduler/Makefile 2005-08-16 13:09:38.140317984 -0400
+++ cups-audit/scheduler/Makefile 2005-08-15 17:45:08.305147448 -0400
@@ -82,7 +82,7 @@
echo Linking $@...
$(CC) $(LDFLAGS) -o cupsd $(CUPSDOBJS) libmime.a \
$(LIBZ) $(SSLLIBS) $(LIBSLP) $(PAMLIBS) $(LIBS) \
- $(LIBPAPER) $(LIBMALLOC) -lselinux
+ $(LIBPAPER) $(LIBMALLOC) -lselinux -laudit
#
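Review bot: `-laudit` is added to the link line unconditionally, while all the code that uses it sits under `#ifdef WITH_AUDIT`; the Makedefs.in hunk likewise hardcodes `-DWITH_AUDIT` into `CFLAGS`, so there is no way to build cupsd without libaudit installed. Follow the pattern of the other optional libraries on the same line (`$(PAMLIBS)`, `$(LIBSLP)`) and have configure substitute both the define and the library, e.g. `$(LIBPAPER) $(LIBMALLOC) -lselinux $(AUDITLIBS)` with `AUDITLIBS = @AUDITLIBS@` in Makedefs.in.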
diff -bur --exclude .svn cups/scheduler/printers.c cups-audit/scheduler/printers.c
--- cups/scheduler/printers.c 2005-08-16 13:09:38.144317376 -0400
+++ cups-audit/scheduler/printers.c 2005-08-16 15:10:19.226505560 -0400
@@ -56,6 +56,9 @@
#include "cupsd.h"
+#ifdef WITH_AUDIT
+#include <libaudit.h>
+#endif
/*
* Local functions...
@@ -1275,6 +1278,11 @@
attr->values[1].string.text = strdup(Classification ?
Classification : p->job_sheets[1]);
}
+
+#ifdef WITH_AUDIT
+ audit_log(AuditLog, AUDIT_USER, "CUPS Config: Setting printer \"%s\"
banners to \"%s\" \"%s\"",
+ p->name, p->job_sheets[0], p->job_sheets[1]);
+#endif /* WITH_AUDIT */
}
printer_type = p->type;
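Review bot: The record reports `p->job_sheets[0]` and `p->job_sheets[1]` as the banners set on the printer, but the assignment just above (`attr->values[1].string.text = strdup(Classification ? Classification : p->job_sheets[1])`) shows that when a system-wide `Classification` is configured the effective banner is the classification, not `job_sheets[1]`, so the audit trail can name a banner that is never used. Audit the values actually stored in the attribute instead, e.g. `p->name, attr->values[0].string.text, attr->values[1].string.text`, which probably means moving the `audit_log()` call inside the block that sets `attr`, since that variable's scope is not visible past the closing brace in this hunk.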
------------------------------------------------------------------------