CWRU/audit-patch

Date: Tue, 06 Feb 2007 16:06:58 -0500
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: bash and linux audit
To: chet.ramey@case.edu
Organization: Red Hat

OK, I released audit 1.4 Sunday which has the logging function for user
commands. It produces audit events like this:

type=USER_CMD msg=audit(01/30/2007 18:23:45.793:143) : user pid=22862 uid=root
auid=root subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023
msg='cwd=/root/test dir cmd=ls -l (terminal=tty1 res=success)'

diff -urp bash-3.2.orig/config-bot.h bash-3.2/config-bot.h
--- bash-3.2.orig/config-bot.h	2007-01-03 09:01:05.000000000 -0500
+++ bash-3.2/config-bot.h	2007-01-20 11:59:23.000000000 -0500
@@ -97,6 +97,11 @@
 #  define RESTRICTED_SHELL_NAME "rbash"
 #endif
 
+/* If the shell is called by this name, it will become audited. */
+#if defined (AUDIT_SHELL)
+#  define AUDIT_SHELL_NAME "aubash"
+#endif
+
 /***********************************************************/
 /* Make sure feature defines have necessary prerequisites. */
 /***********************************************************/
diff -urp bash-3.2.orig/config.h.in bash-3.2/config.h.in
--- bash-3.2.orig/config.h.in	2007-01-03 09:01:05.000000000 -0500
+++ bash-3.2/config.h.in	2007-01-20 11:59:23.000000000 -0500
@@ -81,6 +81,11 @@
    flag. */
 #undef RESTRICTED_SHELL
 
+/* Define AUDIT_SHELL if you want the generated shell to audit all
+   actions performed by root account.  The shell thus generated can become
+   audited by being run with the name "aubash". */
+#undef AUDIT_SHELL
+
 /* Define DISABLED_BUILTINS if you want "builtin foo" to always run the
    shell builtin "foo", even if it has been disabled with "enable -n foo". */
 #undef DISABLED_BUILTINS
diff -urp bash-3.2.orig/configure.in bash-3.2/configure.in
--- bash-3.2.orig/configure.in	2007-01-03 09:01:05.000000000 -0500
+++ bash-3.2/configure.in	2007-01-20 11:59:23.000000000 -0500
@@ -162,6 +162,7 @@ opt_history=yes
 opt_bang_history=yes
 opt_dirstack=yes
 opt_restricted=yes
+opt_audit=yes
 opt_process_subst=yes
 opt_prompt_decoding=yes
 opt_select=yes
@@ -195,8 +196,8 @@ dnl a minimal configuration turns everyt
 dnl added individually
 if test $opt_minimal_config = yes; then
 	opt_job_control=no opt_alias=no opt_readline=no
-	opt_history=no opt_bang_history=no opt_dirstack=no
-	opt_restricted=no opt_process_subst=no opt_prompt_decoding=no
+	opt_history=no opt_bang_history=no opt_dirstack=no opt_restricted=no
+	opt_audit=no opt_process_subst=no opt_prompt_decoding=no
 	opt_select=no opt_help=no opt_array_variables=no opt_dparen_arith=no
 	opt_brace_expansion=no opt_disabled_builtins=no opt_command_timing=no
 	opt_extended_glob=no opt_cond_command=no opt_arith_for_command=no
@@ -227,6 +228,7 @@ AC_ARG_ENABLE(progcomp, AC_HELP_STRING([
 AC_ARG_ENABLE(prompt-string-decoding, AC_HELP_STRING([--enable-prompt-string-decoding], [turn on escape character decoding in prompts]), opt_prompt_decoding=$enableval)
 AC_ARG_ENABLE(readline, AC_HELP_STRING([--enable-readline], [turn on command line editing]), opt_readline=$enableval)
 AC_ARG_ENABLE(restricted, AC_HELP_STRING([--enable-restricted], [enable a restricted shell]), opt_restricted=$enableval)
+AC_ARG_ENABLE(audit, AC_HELP_STRING([--enable-audit], [enable an audited shell]), opt_audit=$enableval)
 AC_ARG_ENABLE(select, AC_HELP_STRING([--enable-select], [include select command]), opt_select=$enableval)
 AC_ARG_ENABLE(separate-helpfiles, AC_HELP_STRING([--enable-separate-helpfiles], [use external files for help builtin documentation]), opt_separate_help=$enableval)
 AC_ARG_ENABLE(single-help-strings, AC_HELP_STRING([--enable-single-help-strings], [store help documentation as a single string to ease translation]), opt_single_longdoc_strings=$enableval)
@@ -254,6 +256,10 @@ fi
 if test $opt_restricted = yes; then
 AC_DEFINE(RESTRICTED_SHELL)
 fi
+if test $opt_audit = yes; then
+AC_DEFINE(AUDIT_SHELL)
+AUDIT_LIB='-laudit'
+fi
 if test $opt_process_subst = yes; then
 AC_DEFINE(PROCESS_SUBSTITUTION)
 fi
@@ -355,6 +361,8 @@ AC_SUBST(HELPDIRDEFINE)
 AC_SUBST(HELPINSTALL)
 AC_SUBST(HELPSTRINGS)
 
+AC_SUBST(AUDIT_LIB)
+
 echo ""
 echo "Beginning configuration for bash-$BASHVERS-$RELSTATUS for ${host_cpu}-${host_vendor}-${host_os}"
 echo ""
diff -urp bash-3.2.orig/doc/bash.1 bash-3.2/doc/bash.1
--- bash-3.2.orig/doc/bash.1	2007-01-03 09:01:05.000000000 -0500
+++ bash-3.2/doc/bash.1	2007-01-20 11:59:23.000000000 -0500
@@ -155,6 +155,12 @@ single-character options to be recognize
 .PP
 .PD 0
 .TP
+.B \-\-audit
+The shell logs all commands run by the root user (see
+.SM
+.B "AUDIT SHELL"
+below).
+.TP
 .B \-\-debugger
 Arrange for the debugger profile to be executed before the shell
 starts.
@@ -8770,6 +8776,17 @@ turns off any restrictions in the shell 
 script.
 .\" end of rbash.1
 .if \n(zY=1 .ig zY
+.SH "AUDIT SHELL"
+.zY
+.PP
+If
+.B bash
+is started with the name
+.BR aubash ,
+or the
+.B \-\-audit
+option is supplied at invocation, the shell logs all commands issued by the root user to the audit system.
+.if \n(zY=1 .ig zY
 .SH "SEE ALSO"
 .PD 0
 .TP
diff -urp bash-3.2.orig/eval.c bash-3.2/eval.c
--- bash-3.2.orig/eval.c	2007-01-03 09:01:06.000000000 -0500
+++ bash-3.2/eval.c	2007-01-20 11:59:23.000000000 -0500
@@ -45,6 +45,11 @@
 #  include "bashhist.h"
 #endif
 
+#if defined (AUDIT_SHELL)
+#  include <libaudit.h>
+#  include <errno.h>
+#endif
+
 extern int EOF_reached;
 extern int indirection_level;
 extern int posixly_correct;
@@ -58,6 +63,38 @@ extern int rpm_requires;
 static void send_pwd_to_eterm __P((void));
 static sighandler alrm_catcher __P((int));
 
+#if defined (AUDIT_SHELL)
+static int audit_fd = -1;
+
+static int
+audit_start ()
+{
+  audit_fd = audit_open ();
+  if (audit_fd < 0)
+    return -1;
+  else
+    return 0;
+}
+
+static int
+audit (cmd, result)
+        char *cmd;
+        int result;
+{
+  int rc;
+
+  if (audit_fd < 0)
+    return 0;
+
+  rc = audit_log_user_command (audit_fd, AUDIT_USER_CMD, cmd,
+                               NULL, !result);
+  close (audit_fd);
+  audit_fd = -1;
+  return rc;
+}
+#endif
+
+
 /* Read and execute commands until EOF is reached.  This assumes that
    the input source has already been initialized. */
 int
@@ -145,7 +182,25 @@ reader_loop ()
 
 	      executing = 1;
 	      stdin_redir = 0;
+#if defined (AUDIT_SHELL)
+              if (audited && interactive_shell && getuid () == 0)
+                {
+                  if (audit_start () < 0)
+                    {
+                      if (errno != EINVAL && errno != EPROTONOSUPPORT &&
+                          errno != EAFNOSUPPORT)
+                        return EXECUTION_FAILURE;
+                    }
+                }
+#endif
+
 	      execute_command (current_command);
+#if defined (AUDIT_SHELL)
+              {
+                extern char *shell_input_line;
+                audit (shell_input_line, last_command_exit_value);
+              }
+#endif
 
 	    exec_done:
 	      QUIT;
diff -urp bash-3.2.orig/externs.h bash-3.2/externs.h
--- bash-3.2.orig/externs.h	2007-01-03 09:01:06.000000000 -0500
+++ bash-3.2/externs.h	2007-01-20 12:05:00.000000000 -0500
@@ -77,6 +77,10 @@ extern int shell_is_restricted __P((char
 extern int maybe_make_restricted __P((char *));
 #endif
 
+#if defined (AUDIT_SHELL)
+extern int maybe_make_audited __P((char *));
+#endif
+
 extern void unset_bash_input __P((int));
 extern void get_current_user_info __P((void));
 
diff -urp bash-3.2.orig/flags.c bash-3.2/flags.c
--- bash-3.2.orig/flags.c	2007-01-03 09:01:06.000000000 -0500
+++ bash-3.2/flags.c	2007-01-20 11:59:23.000000000 -0500
@@ -142,6 +142,12 @@ int restricted = 0;		/* currently restri
 int restricted_shell = 0;	/* shell was started in restricted mode. */
 #endif /* RESTRICTED_SHELL */
 
+#if defined (AUDIT_SHELL)
+/* Non-zero means that this shell is audited. An audited shell records
+   each command that the root user executes. */
+int audited = 0;		/* shell was started in audit mode. */
+#endif /* AUDIT_SHELL */
+
 /* Non-zero means that this shell is running in `privileged' mode.  This
    is required if the shell is to run setuid.  If the `-p' option is
    not supplied at startup, and the real and effective uids or gids
diff -urp bash-3.2.orig/flags.h bash-3.2/flags.h
--- bash-3.2.orig/flags.h	2007-01-03 09:01:06.000000000 -0500
+++ bash-3.2/flags.h	2007-01-20 11:59:23.000000000 -0500
@@ -66,6 +66,10 @@ extern int restricted;
 extern int restricted_shell;
 #endif /* RESTRICTED_SHELL */
 
+#if defined (AUDIT_SHELL)
+extern int audited;
+#endif /* AUDIT_SHELL */
+
 extern int *find_flag __P((int));
 extern int change_flag __P((int, int));
 extern char *which_set_flags __P((void));
Only in bash-3.2: .made
diff -urp bash-3.2.orig/Makefile.in bash-3.2/Makefile.in
--- bash-3.2.orig/Makefile.in	2007-01-03 09:01:06.000000000 -0500
+++ bash-3.2/Makefile.in	2007-01-20 11:59:23.000000000 -0500
@@ -366,6 +366,8 @@ MALLOC_LIBRARY = @MALLOC_LIBRARY@
 MALLOC_LDFLAGS = @MALLOC_LDFLAGS@
 MALLOC_DEP = @MALLOC_DEP@
 
+AUDIT_LIB = @AUDIT_LIB@
+
 ALLOC_HEADERS = $(ALLOC_LIBSRC)/getpagesize.h $(ALLOC_LIBSRC)/shmalloc.h \
 		$(ALLOC_LIBSRC)/imalloc.h $(ALLOC_LIBSRC)/mstats.h \
 		$(ALLOC_LIBSRC)/table.h $(ALLOC_LIBSRC)/watch.h
@@ -386,7 +388,7 @@ BASHINCFILES =	 $(BASHINCDIR)/posixstat.
 		 $(BASHINCDIR)/ocache.h
 
 LIBRARIES = $(SHLIB_LIB) $(READLINE_LIB) $(HISTORY_LIB) $(TERMCAP_LIB) $(GLOB_LIB) \
-	    $(TILDE_LIB) $(MALLOC_LIB) $(INTL_LIB) $(LOCAL_LIBS)
+	    $(TILDE_LIB) $(MALLOC_LIB) $(INTL_LIB) $(LOCAL_LIBS) $(AUDIT_LIB)
 
 LIBDEP = $(SHLIB_DEP) $(INTL_DEP) $(READLINE_DEP) $(HISTORY_DEP) $(TERMCAP_DEP) $(GLOB_DEP) \
 	 $(TILDE_DEP) $(MALLOC_DEP)
diff -urp bash-3.2.orig/parse.y bash-3.2/parse.y
--- bash-3.2.orig/parse.y	2007-01-03 09:01:06.000000000 -0500
+++ bash-3.2/parse.y	2007-01-20 11:59:23.000000000 -0500
@@ -258,7 +258,7 @@ int need_here_doc;
 
 /* Where shell input comes from.  History expansion is performed on each
    line when the shell is interactive. */
-static char *shell_input_line = (char *)NULL;
+char *shell_input_line = (char *)NULL;
 static int shell_input_line_index;
 static int shell_input_line_size;	/* Amount allocated for shell_input_line. */
 static int shell_input_line_len;	/* strlen (shell_input_line) */
diff -urp bash-3.2.orig/shell.c bash-3.2/shell.c
--- bash-3.2.orig/shell.c	2007-01-03 09:01:06.000000000 -0500
+++ bash-3.2/shell.c	2007-01-20 12:04:23.000000000 -0500
@@ -240,6 +240,9 @@ struct {
 #if defined (RESTRICTED_SHELL)
   { "restricted", Int, &restricted, (char **)0x0 },
 #endif
+#if defined (AUDIT_SHELL)
+  { "audit", Int, &audited, (char **)0x0 },
+#endif
   { "verbose", Int, &echo_input_at_read, (char **)0x0 },
   { "version", Int, &do_version, (char **)0x0 },
   { "wordexp", Int, &wordexp_only, (char **)0x0 },
@@ -644,6 +647,10 @@ main (argc, argv, env)
     maybe_make_restricted (shell_name);
 #endif /* RESTRICTED_SHELL */
 
+#if defined (AUDIT_SHELL)
+    maybe_make_audited (shell_name);
+#endif
+
   if (wordexp_only)
     {
       startup_state = 3;
@@ -1143,6 +1150,29 @@ maybe_make_restricted (name)
 }
 #endif /* RESTRICTED_SHELL */
 
+#if defined (AUDIT_SHELL)
+/* Perhaps make this shell an `audited' one, based on NAME.  If the
+   basename of NAME is "aubash", then this shell is audited.  The
+   name of the audited shell is a configurable option, see config.h.
+   In an audited shell, all actions performed by root will be logged
+   to the audit system.
+   Do this also if `audited' is already set to 1 maybe the shell was
+   started with --audit. */
+int
+maybe_make_audited (name)
+     char *name;
+{
+  char *temp;
+
+  temp = base_pathname (name);
+  if (*temp == '-')
+    temp++;
+  if (audited || (STREQ (temp, AUDIT_SHELL_NAME)))
+    audited = 1;
+  return (audited);
+}
+#endif /* AUDIT_SHELL */
+
 /* Fetch the current set of uids and gids and return 1 if we're running
    setuid or setgid. */
 static int