authorStephen Hemminger <stephen.hemminger@vyatta.com>2010-04-05 09:48:26 -0700
committerStephen Hemminger <stephen.hemminger@vyatta.com>2010-04-05 09:48:26 -0700
commitc6a8e270ab694c2291216b8c554c2f5f9dcf0fd0 (patch)
treed964a27ef6a135377ef09358e9414af5ac747ca4 /eval.c
parent8c105a156601216de19ff17fca1ab34fe798f1c5 (diff)
downloadvyatta-bash-c6a8e270ab694c2291216b8c554c2f5f9dcf0fd0.tar.gz
vyatta-bash-c6a8e270ab694c2291216b8c554c2f5f9dcf0fd0.zip
Add auditing support to bash
This is based on an earlier (unaccepted) patch to add auditing support which was done by Steve Grubb at Redhat. This patch depends on audit 1.4 to provide a logging function. The resulting audit message looks like this: time->Tue Jan 30 18:23:45 2007 type=USER_CMD msg=audit(1170199425.793:143): user pid=22862 uid=0 auid=0 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='cwd=2F726F6F742F7465737420646972 cmd=6C73202D6C (terminal=tty1 res=success)' Which translates to: type=USER_CMD msg=audit(01/30/2007 18:23:45.793:143) : user pid=22862 uid=root auid=root subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='cwd=/root/test dir cmd=ls -l (terminal=tty1 res=success)' This patch causes bash to log all command line arguments when the shell is started as aubash or "bash --audit". The preferred method is to make a symlink from bash to aubash and then add aubash to /etc/shells. Then you can change root's shell to aubash.
Diffstat (limited to 'eval.c')
-rw-r--r--eval.c55
1 files changed, 55 insertions, 0 deletions
diff --git a/eval.c b/eval.c
index 4f4a13f..e493643 100644
--- a/eval.c
+++ b/eval.c
@@ -45,6 +45,11 @@
# include "bashhist.h"
#endif
+#if defined (AUDIT_SHELL)
+# include <libaudit.h>
+# include <errno.h>
+#endif
+
extern int EOF_reached;
extern int indirection_level;
extern int posixly_correct;
@@ -62,6 +67,38 @@ extern char *current_readline_line;
extern int current_readline_line_index;
#endif
+#if defined (AUDIT_SHELL)
+static int audit_fd = -1;
+
+static int
+audit_start ()
+{
+ audit_fd = audit_open ();
+ if (audit_fd < 0)
+ return -1;
+ else
+ return 0;
+}
+
+static int
+audit (cmd, result)
+ char *cmd;
+ int result;
+{
+ int rc;
+
+ if (audit_fd < 0)
+ return 0;
+
+ rc = audit_log_user_command (audit_fd, AUDIT_USER_CMD, cmd,
+ NULL, !result);
+ close (audit_fd);
+ audit_fd = -1;
+ return rc;
+}
+#endif
+
+
/* Read and execute commands until EOF is reached. This assumes that
the input source has already been initialized. */
int
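Review bot: `audit_start` overwrites `audit_fd` at `audit_fd = audit_open ();` without closing a descriptor that may still be open, and the only close is in `audit`, which runs only when control returns normally from `execute_command`; if a command is interrupted and bash jumps back to top level (as I understand reader_loop's setjmp handling, so worth confirming) that command is never recorded and the still-open socket is leaked by the next `audit_start`. A guard at the top of `audit_start`, `if (audit_fd >= 0) return 0;`, reuses the open socket, or alternatively close the stale one before reopening. The close in `audit` would also read better as `audit_close (audit_fd);`, the libaudit counterpart of `audit_open`, rather than a raw `close`. Neither helper carries a comment; `audit` deserves one stating that `cmd` is the raw input line, `result` is the command's exit status (passed inverted as the success flag), and that the socket is closed after every record so the caller must reopen it per command.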
@@ -149,7 +186,25 @@ reader_loop ()
executing = 1;
stdin_redir = 0;
+#if defined (AUDIT_SHELL)
+ if (audited && interactive_shell && getuid () == 0)
+ {
+ if (audit_start () < 0)
+ {
+ if (errno != EINVAL && errno != EPROTONOSUPPORT &&
+ errno != EAFNOSUPPORT)
+ return EXECUTION_FAILURE;
+ }
+ }
+#endif
+
execute_command (current_command);
+#if defined (AUDIT_SHELL)
+ {
+ extern char *shell_input_line;
+ audit (shell_input_line, last_command_exit_value);
+ }
+#endif
exec_done:
QUIT;
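Review bot: The return value of `audit (shell_input_line, last_command_exit_value)` is discarded, so a failed `audit_log_user_command` (for example the audit daemon becoming unreachable after `audit_open` succeeded) leaves a command executed but unrecorded with no diagnostic, whereas the open failure a few lines earlier fails closed with `EXECUTION_FAILURE`; at minimum surface it, `if (audit (shell_input_line, last_command_exit_value) < 0) internal_warning ("audit: command not logged");`. The record is also emitted only after `execute_command` returns, so a command that replaces the shell or terminates it leaves no record at all; if that is an accepted limitation it should be stated in a comment on the audit block. The `audited && interactive_shell && getuid () == 0` guard means a non-interactive `aubash` (scripts, `-c`) is not audited, which the commit message does not mention; a comment on that line stating the intended scope would save the next reader from assuming full coverage. reader_loop begins and ends outside the hunk.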