From 8ae5f5769c4c611ca6918450bbe6e55dfa4e5926 Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Fri, 7 Dec 2007 15:40:01 +0000
Subject: Relevant BUGIDs:
Purpose of commit: new feature and cleanup
Commit summary:
---------------
2007-12-07 Tomas Mraz
* libpam/libpam.map: Add LIBPAM_MODUTIL_1.1 version.
* libpam/pam_audit.c: Add _pam_audit_open() and pam_modutil_audit_write(). (_pam_auditlog): Call _pam_audit_open().
* libpam/include/security/pam_modutil.h: Add pam_modutil_audit_write().
* modules/pam_access/pam_access.8.xml: Add noaudit option. Document auditing.
* modules/pam_access/pam_access.c: Move fs, sep, pam_access_debug, and only_new_group_syntax variables to struct login_info. Add noaudit member. (_parse_args): Adjust for the move of variables and add support for noaudit option. (group_match): Add debug parameter. (string_match): Likewise. (network_netmask_match): Likewise. (login_access): Adjust for the move of variables. Add nonall_match. Add call to pam_modutil_audit_write(). (list_match): Adjust for the move of variables. (user_match): Likewise. (from_match): Likewise. (pam_sm_authenticate): Call _parse_args() earlier.
* modules/pam_limits/pam_limits.8.xml: Add noaudit option. Document auditing.
* modules/pam_limits/pam_limits.c (_pam_parse): Add noaudit option. (setup_limits): Call pam_modutil_audit_write().
* modules/pam_time/pam_time.8.xml: Add debug and noaudit options. Document auditing.
* modules/pam_time/pam_time.c: Add option parsing (_pam_parse()). (check_account): Call _pam_parse(). Call pam_modutil_audit_write() and pam_syslog() on login denials.
---
modules/pam_limits/pam_limits.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
(limited to 'modules/pam_limits/pam_limits.c')
diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c
index d65e64bf..f1e29b85 100644
--- a/modules/pam_limits/pam_limits.c
+++ b/modules/pam_limits/pam_limits.c
@@ -41,6 +41,10 @@
 #include
 #include
+#ifdef HAVE_LIBAUDIT
+#include
+#endif
+
 /* Module defines */
 #define LINE_LENGTH 1024
@@ -101,6 +105,7 @@ struct pam_limit_s {
 #define PAM_DEBUG_ARG 0x0001
 #define PAM_DO_SETREUID 0x0002
 #define PAM_UTMP_EARLY 0x0004
+#define PAM_NO_AUDIT 0x0008
 /* Limits from globbed files. */
 #define LIMITS_CONF_GLOB LIMITS_FILE_DIR
@@ -126,6 +131,8 @@ _pam_parse (const pam_handle_t *pamh, int argc, const char **argv,
 ctrl |= PAM_DO_SETREUID;
 } else if (!strcmp(*argv,"utmp_early")) {
 ctrl |= PAM_UTMP_EARLY;
+ } else if (!strcmp(*argv,"noaudit")) {
+ ctrl |= PAM_NO_AUDIT;
 } else {
 pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
 }
@@ -595,6 +602,13 @@ static int setup_limits(pam_handle_t *pamh,
 D(("skip login limit check for uid=0"));
 } else if (pl->login_limit > 0) {
 if (check_logins(pamh, uname, pl->login_limit, ctrl, pl) == LOGIN_ERR) {
+#ifdef HAVE_LIBAUDIT
+ if (!(ctrl & PAM_NO_AUDIT)) {
+ pam_modutil_audit_write(pamh, AUDIT_ANOM_LOGIN_SESSIONS,
+ "pam_limits", PAM_PERM_DENIED);
+ /* ignore return value as we fail anyway */
+ }
+#endif
 retval |= LOGIN_ERR;
 }
 } else if (pl->login_limit == 0) {
-- cgit v1.2.3
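Review bot: The result of `pam_modutil_audit_write()` in the setup_limits hunk is dropped implicitly, with the explaining comment placed after the call rather than before it; making the discard explicit is clearer and survives stricter warning flags: `/* Result deliberately ignored: the login is denied whether or not the audit record was written. */` followed by `(void) pam_modutil_audit_write(pamh, AUDIT_ANOM_LOGIN_SESSIONS, "pam_limits", PAM_PERM_DENIED);`. The record carries only the module name and PAM_PERM_DENIED; whether the user name and the exceeded session limit are logged anywhere depends on check_logins, which is outside the hunk, so this diff alone does not show that the denial is traceable to a user. The audit call is also reached for any LOGIN_ERR from check_logins, so if that helper can return LOGIN_ERR for reasons other than an exceeded session count (an unreadable utmp, say), those would be reported as AUDIT_ANOM_LOGIN_SESSIONS too; a one-line comment stating that contract at the call site would remove the doubt. Since `noaudit` is accepted by _pam_parse even in builds without HAVE_LIBAUDIT, a short comment on that branch such as `/* Accepted unconditionally; only has an effect when built with libaudit. */` would keep operators from reading the option as proof that auditing is compiled in. setup_limits begins and ends outside the hunk.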