
7c7f29
From 4525faed1a8cb985596c0617abc6ce32fb85b7c2 Mon Sep 17 00:00:00 2001
7c7f29
From: William Brown <firstyear@redhat.com>
7c7f29
Date: Fri, 19 Aug 2016 12:49:17 +1000
7c7f29
Subject: [PATCH 36/45] Ticket 48958 - Audit fail log doesn't work if audit log
7c7f29
 disabled.
7c7f29
7c7f29
Bug Description:  Due to a configuration interpretation issue, when audit was
7c7f29
not enabled, but auditfail was with no log defined, the fail log should write to
7c7f29
the audit log location on failed events, but audit events should not be written.
7c7f29
This did not work.
7c7f29
7c7f29
Fix Description:  This was because when we wrote to the audit file in the
7c7f29
absence of the auditfail log, the audit enabled state was checked. This adds a
7c7f29
check to determine what the source event was from, and to check the correct log
7c7f29
enabled state during the event processing.
7c7f29
7c7f29
https://fedorahosted.org/389/ticket/48958
7c7f29
7c7f29
Author: wibrown
7c7f29
7c7f29
Review by: nhosoi (Thank you!)
7c7f29
7c7f29
(cherry picked from commit 5fed8021a0487c092af6038d4a7dcce1ef3fab75)
7c7f29
---
7c7f29
 ldap/servers/slapd/auditlog.c   | 15 +++++----
7c7f29
 ldap/servers/slapd/log.c        | 71 ++++++++++++++++++++++++-----------------
7c7f29
 ldap/servers/slapd/proto-slap.h |  4 +--
7c7f29
 3 files changed, 53 insertions(+), 37 deletions(-)
7c7f29
7c7f29
diff --git a/ldap/servers/slapd/auditlog.c b/ldap/servers/slapd/auditlog.c
7c7f29
index 0f4cc94..ec7111b 100644
7c7f29
--- a/ldap/servers/slapd/auditlog.c
7c7f29
+++ b/ldap/servers/slapd/auditlog.c
7c7f29
@@ -33,7 +33,7 @@ static int audit_hide_unhashed_pw = 1;
7c7f29
 static int auditfail_hide_unhashed_pw = 1;
7c7f29
 
7c7f29
 /* Forward Declarations */
7c7f29
-static void write_audit_file(int logtype, int optype, const char *dn, void *change, int flag, time_t curtime, int rc );
7c7f29
+static void write_audit_file(int logtype, int optype, const char *dn, void *change, int flag, time_t curtime, int rc, int sourcelog );
7c7f29
 
7c7f29
 static const char *modrdn_changes[4];
7c7f29
 
7c7f29
@@ -98,7 +98,7 @@ write_audit_log_entry( Slapi_PBlock *pb )
7c7f29
     curtime = current_time();
7c7f29
     /* log the raw, unnormalized DN */
7c7f29
     dn = slapi_sdn_get_udn(sdn);
7c7f29
-    write_audit_file(SLAPD_AUDIT_LOG, operation_get_type(op), dn, change, flag, curtime, LDAP_SUCCESS);
7c7f29
+    write_audit_file(SLAPD_AUDIT_LOG, operation_get_type(op), dn, change, flag, curtime, LDAP_SUCCESS, SLAPD_AUDIT_LOG);
7c7f29
 }
7c7f29
 
7c7f29
 void
7c7f29
@@ -169,10 +169,10 @@ write_auditfail_log_entry( Slapi_PBlock *pb )
7c7f29
     auditfail_config = config_get_auditfaillog();
7c7f29
     if (auditfail_config == NULL || strlen(auditfail_config) == 0) {
7c7f29
         /* If no auditfail log write to audit log */
7c7f29
-        write_audit_file(SLAPD_AUDIT_LOG, operation_get_type(op), dn, change, flag, curtime, pbrc);
7c7f29
+        write_audit_file(SLAPD_AUDIT_LOG, operation_get_type(op), dn, change, flag, curtime, pbrc, SLAPD_AUDITFAIL_LOG);
7c7f29
     } else {
7c7f29
         /* If we have our own auditfail log path */
7c7f29
-        write_audit_file(SLAPD_AUDITFAIL_LOG, operation_get_type(op), dn, change, flag, curtime, pbrc);
7c7f29
+        write_audit_file(SLAPD_AUDITFAIL_LOG, operation_get_type(op), dn, change, flag, curtime, pbrc, SLAPD_AUDITFAIL_LOG);
7c7f29
     }
7c7f29
     slapi_ch_free_string(&auditfail_config);
7c7f29
 }
7c7f29
@@ -181,6 +181,7 @@ write_auditfail_log_entry( Slapi_PBlock *pb )
7c7f29
 /*
7c7f29
  * Function: write_audit_file
7c7f29
  * Arguments: 
7c7f29
+ *            logtype - Destination where the message will go.
7c7f29
  *            optype - type of LDAP operation being logged
7c7f29
  *            dn     - distinguished name of entry being changed
7c7f29
  *            change - pointer to the actual change operation
7c7f29
@@ -188,6 +189,7 @@ write_auditfail_log_entry( Slapi_PBlock *pb )
7c7f29
  *            flag   - only used by modrdn operations - value of deleteoldrdn flag
7c7f29
  *            curtime - the current time
7c7f29
  *            rc     - The ldap result code. Used in conjunction with auditfail
7c7f29
+ *            sourcelog - The source of the message (audit or auditfail)
7c7f29
  * Returns: nothing
7c7f29
  */
7c7f29
 static void
7c7f29
@@ -198,7 +200,8 @@ write_audit_file(
7c7f29
     void        *change,
7c7f29
     int         flag,
7c7f29
     time_t      curtime,
7c7f29
-    int         rc
7c7f29
+    int         rc,
7c7f29
+    int         sourcelog
7c7f29
 )
7c7f29
 {
7c7f29
     LDAPMod **mods;
7c7f29
@@ -359,7 +362,7 @@ write_audit_file(
7c7f29
     switch (logtype)
7c7f29
     {
7c7f29
     case SLAPD_AUDIT_LOG:
7c7f29
-        slapd_log_audit (l->ls_buf, l->ls_len);
7c7f29
+        slapd_log_audit (l->ls_buf, l->ls_len, sourcelog);
7c7f29
         break;
7c7f29
     case SLAPD_AUDITFAIL_LOG:
7c7f29
         slapd_log_auditfail (l->ls_buf, l->ls_len);
7c7f29
diff --git a/ldap/servers/slapd/log.c b/ldap/servers/slapd/log.c
7c7f29
index a16c395..ae8b5f8 100644
7c7f29
--- a/ldap/servers/slapd/log.c
7c7f29
+++ b/ldap/servers/slapd/log.c
7c7f29
@@ -1962,14 +1962,26 @@ auditfail_log_openf( char *pathname, int locked)
7c7f29
 
7c7f29
 int
7c7f29
 slapd_log_audit (
7c7f29
-	char	*buffer,
7c7f29
-	int	buf_len)
7c7f29
+    char *buffer,
7c7f29
+    int buf_len,
7c7f29
+    int sourcelog)
7c7f29
 {
7c7f29
     /* We use this to route audit log entries to where they need to go */
7c7f29
     int retval = LDAP_SUCCESS;
7c7f29
     int lbackend = loginfo.log_backend; /* We copy this to make these next checks atomic */
7c7f29
+
7c7f29
+    int state = 0;
7c7f29
+    if (sourcelog == SLAPD_AUDIT_LOG) {
7c7f29
+        state = loginfo.log_audit_state;
7c7f29
+    } else if (sourcelog == SLAPD_AUDITFAIL_LOG ) {
7c7f29
+        state = loginfo.log_auditfail_state;
7c7f29
+    } else {
7c7f29
+        /* How did we even get here! */
7c7f29
+        return 1;
7c7f29
+    }
7c7f29
+
7c7f29
     if (lbackend & LOGGING_BACKEND_INTERNAL) {
7c7f29
-        retval = slapd_log_audit_internal(buffer, buf_len);
7c7f29
+        retval = slapd_log_audit_internal(buffer, buf_len, state);
7c7f29
     }
7c7f29
 
7c7f29
     if (retval != LDAP_SUCCESS) {
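Review bot: The new fallback `return 1;` for an unrecognised `sourcelog` silently discards the audit record — no diagnostic is emitted, so a caller passing the wrong constant would drop security-relevant change records from the one log meant to capture them without anyone noticing. Add a message before returning, e.g. `LDAPDebug(LDAP_DEBUG_ANY, "slapd_log_audit: unknown sourcelog %d, entry dropped\n", sourcelog, 0, 0);`, and consider returning through the same `retval` convention the rest of the function uses (it otherwise reports LDAP result codes). Note also that `state` is a snapshot of `loginfo.log_audit_state`/`loginfo.log_auditfail_state` taken without the audit lock, like `lbackend`; that matches the existing "atomic copy" pattern, but it means any flag cleared on the copy further down is not reflected in `loginfo`. The body of slapd_log_audit continues past the end of this hunk.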
7c7f29
@@ -1989,33 +2001,34 @@ slapd_log_audit (
7c7f29
 
7c7f29
 int
7c7f29
 slapd_log_audit_internal (
7c7f29
-	char	*buffer,
7c7f29
-	int	buf_len)
7c7f29
+    char    *buffer,
7c7f29
+    int buf_len,
7c7f29
+    int state)
7c7f29
 {
7c7f29
-	if ( (loginfo.log_audit_state & LOGGING_ENABLED) && (loginfo.log_audit_file != NULL) ){
7c7f29
-		LOG_AUDIT_LOCK_WRITE( );
7c7f29
-		if (log__needrotation(loginfo.log_audit_fdes,
7c7f29
-					SLAPD_AUDIT_LOG) == LOG_ROTATE) {
7c7f29
-    		if (log__open_auditlogfile(LOGFILE_NEW, 1) != LOG_SUCCESS) {
7c7f29
-	    		LDAPDebug(LDAP_DEBUG_ANY,
7c7f29
-    				"LOGINFO: Unable to open audit file:%s\n",
7c7f29
-	    			loginfo.log_audit_file,0,0);
7c7f29
-    			LOG_AUDIT_UNLOCK_WRITE();
7c7f29
-	    		return 0;
7c7f29
-			}
7c7f29
-			while (loginfo.log_audit_rotationsyncclock <= loginfo.log_audit_ctime) {
7c7f29
-				loginfo.log_audit_rotationsyncclock += PR_ABS(loginfo.log_audit_rotationtime_secs);
7c7f29
-			}
7c7f29
-		}
7c7f29
-		if (loginfo.log_audit_state & LOGGING_NEED_TITLE) {
7c7f29
-			log_write_title( loginfo.log_audit_fdes);
7c7f29
-			loginfo.log_audit_state &= ~LOGGING_NEED_TITLE;
7c7f29
-		}
7c7f29
-	    LOG_WRITE_NOW_NO_ERR(loginfo.log_audit_fdes, buffer, buf_len, 0);
7c7f29
-   		LOG_AUDIT_UNLOCK_WRITE();
7c7f29
-	    return 0;
7c7f29
-	}
7c7f29
-	return 0;
7c7f29
+    if ( (state & LOGGING_ENABLED) && (loginfo.log_audit_file != NULL) ){
7c7f29
+        LOG_AUDIT_LOCK_WRITE( );
7c7f29
+        if (log__needrotation(loginfo.log_audit_fdes,
7c7f29
+                    SLAPD_AUDIT_LOG) == LOG_ROTATE) {
7c7f29
+            if (log__open_auditlogfile(LOGFILE_NEW, 1) != LOG_SUCCESS) {
7c7f29
+                LDAPDebug(LDAP_DEBUG_ANY,
7c7f29
+                    "LOGINFO: Unable to open audit file:%s\n",
7c7f29
+                    loginfo.log_audit_file,0,0);
7c7f29
+                LOG_AUDIT_UNLOCK_WRITE();
7c7f29
+                return 0;
7c7f29
+            }
7c7f29
+            while (loginfo.log_audit_rotationsyncclock <= loginfo.log_audit_ctime) {
7c7f29
+                loginfo.log_audit_rotationsyncclock += PR_ABS(loginfo.log_audit_rotationtime_secs);
7c7f29
+            }
7c7f29
+        }
7c7f29
+        if (state & LOGGING_NEED_TITLE) {
7c7f29
+            log_write_title( loginfo.log_audit_fdes);
7c7f29
+            state &= ~LOGGING_NEED_TITLE;
7c7f29
+        }
7c7f29
+        LOG_WRITE_NOW_NO_ERR(loginfo.log_audit_fdes, buffer, buf_len, 0);
7c7f29
+        LOG_AUDIT_UNLOCK_WRITE();
7c7f29
+        return 0;
7c7f29
+    }
7c7f29
+    return 0;
7c7f29
 }
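Review bot: `state &= ~LOGGING_NEED_TITLE;` now clears the flag only on the by-value parameter, whereas the removed line cleared it in `loginfo.log_audit_state`; nothing in the new code writes the cleared bit back, so while the flag is set every entry routed through this function re-emits the title banner into the audit file. The title is written to `loginfo.log_audit_fdes` regardless of which state was passed in, so the minimal fix is to keep `loginfo.log_audit_state &= ~LOGGING_NEED_TITLE;` next to the write; because the caller may have supplied `loginfo.log_auditfail_state` for auditfail-sourced events, that field's bit needs clearing too (`loginfo.log_auditfail_state &= ~LOGGING_NEED_TITLE;`), or the source log should be passed through so the correct field is chosen. This is an audit-log integrity concern rather than cosmetic: repeated banners inflate the log, accelerate rotation, and bury the actual change records. I cannot see from this hunk where LOGGING_NEED_TITLE is initially set, so confirm against the open/rotation path which field it lands in.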
7c7f29
 /******************************************************************************
7c7f29
 * write in the audit fail log
7c7f29
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
7c7f29
index 6bc1065..1f37010 100644
7c7f29
--- a/ldap/servers/slapd/proto-slap.h
7c7f29
+++ b/ldap/servers/slapd/proto-slap.h
7c7f29
@@ -766,8 +766,8 @@ int slapi_log_access( int level, char *fmt, ... )
7c7f29
 #else
7c7f29
         ;
7c7f29
 #endif
7c7f29
-int slapd_log_audit(char *buffer, int buf_len);
7c7f29
-int slapd_log_audit_internal(char *buffer, int buf_len);
7c7f29
+int slapd_log_audit(char *buffer, int buf_len, int sourcelog);
7c7f29
+int slapd_log_audit_internal(char *buffer, int buf_len, int state);
7c7f29
 int slapd_log_auditfail(char *buffer, int buf_len);
7c7f29
 int slapd_log_auditfail_internal(char *buffer, int buf_len);
7c7f29
 void log_access_flush();
7c7f29
-- 
7c7f29
2.4.11
7c7f29