#2 Add custom logging patches
Merged 2 years ago by dcavalca. Opened 2 years ago by rcolebaugh.
rpms/ rcolebaugh/bash c9s-sig-hyperscale  into  c9s-sig-hyperscale

file modified
+15 -1
@@ -1,12 +1,13 @@ 

  #% define beta_tag rc2

  %define patchleveltag .8

  %define baseversion 5.1

+ %define hyperscale_rel 1

  %bcond_without tests

  

  Version: %{baseversion}%{patchleveltag}

  Name: bash

  Summary: The GNU Bourne Again shell

- Release: 6%{?dist}

+ Release: 6.%{hyperscale_rel}%{?dist}

  License: GPLv3+

  Url: https://www.gnu.org/software/bash

  Source0: https://ftp.gnu.org/gnu/bash/bash-%{baseversion}.tar.gz
@@ -93,6 +94,11 @@ 

  # 2141576 - CVE-2022-3715 bash: a heap-buffer-overflow in valid_parameter_transform

  Patch130: bash-5.2-check-xform.patch

  

+ %if 0%{?facebook}

+ Patch0: fb-Configure-bash-to-log-the-commands-to-authpriv.patch

+ Patch12: fb-Add-SSH-session-ID-to-bash-syslog-logging.patch

+ %endif

+ 

  BuildRequires:  gcc

  BuildRequires: texinfo bison

  BuildRequires: ncurses-devel
@@ -140,7 +146,11 @@ 

  # Recycles pids is neccessary. When bash's last fork's pid was X

  # and new fork's pid is also X, bash has to wait for this same pid.

  # Without Recycles pids bash will not wait.

+ %if 0%{?facebook}

+ MFLAGS="CPPFLAGS=-D_GNU_SOURCE -DRECYCLES_PIDS -DDEFAULT_PATH_VALUE='\"/usr/local/bin:/usr/bin\"' `getconf LFS_CFLAGS` -DSYSLOG_HISTORY"

+ %else

  MFLAGS="CPPFLAGS=-D_GNU_SOURCE -DRECYCLES_PIDS -DDEFAULT_PATH_VALUE='\"/usr/local/bin:/usr/bin\"' `getconf LFS_CFLAGS` -DSYSLOG_HISTORY -DSYSLOG_SHOPT=0"

+ %endif

  

  # work around missing deps in Makefiles

  make "$MFLAGS" version.h
@@ -324,6 +334,10 @@ 

  %{_libdir}/pkgconfig/%{name}.pc

  

  %changelog

+ * Wed May 24 2023 Raymond Colebaugh <raymondcolebaugh@gmail.com> - 5.1.8-6.1

+ - Add SSH session ID to bash syslog logging

+ - Configure bash to log the commands to authpriv

+ 

  * Tue Nov 22 2022 Siteshwar Vashisht <svashisht@redhat.com> - 5.1.8-6

  - Add a null check in parameter_brace_transform() function

    Resolves: CVE-2022-3715

@@ -0,0 +1,79 @@ 

+ Index: b/bashhist.c

+ ===================================================================

+ --- a/bashhist.c

+ +++ b/bashhist.c

+ @@ -266,6 +266,44 @@ bash_history_inhibit_expansion (string, i)

+  }

+  #endif

+  

+ +#if defined (SYSLOG_HISTORY)

+ +#define SESSION_ID_MAXLEN 100

+ +

+ +static char *session_id = NULL;

+ +

+ +static void

+ +bash_initialize_session_id ()

+ +{

+ +  const char *env_var = get_string_value ("LOG_SESSION_ID");

+ +  if (!env_var) {

+ +    session_id = "";

+ +    return;

+ +  }

+ +  const int env_var_len = strlen(env_var);

+ +  if (env_var_len == 0) {

+ +    session_id = "";

+ +    return;

+ +  }

+ +  const int size = env_var_len < SESSION_ID_MAXLEN ? (env_var_len + 1) : SESSION_ID_MAXLEN;

+ +  char *trunc = (char *)malloc (size);

+ +  strncpy (trunc, env_var, size - 1);

+ +  trunc[size - 1] = '\0';

+ +  session_id = trunc;

+ +}

+ +

+ +static const char *

+ +bash_get_session_id () {

+ +  if (!session_id) bash_initialize_session_id ();

+ +  return session_id;

+ +}

+ +

+ +static void

+ +bash_cleanup_session_id () {

+ +  if (session_id && *session_id) free(session_id);

+ +  session_id = NULL;

+ +}

+ +#endif

+ +

+  void

+  bash_initialize_history ()

+  {

+ @@ -275,6 +313,9 @@ bash_initialize_history ()

+    history_inhibit_expansion_function = bash_history_inhibit_expansion;

+    sv_histchars ("histchars");

+  #endif

+ +#if defined (SYSLOG_HISTORY)

+ +  bash_initialize_session_id ();

+ +#endif

+  }

+  

+  void

+ @@ -509,6 +550,9 @@ maybe_save_shell_history ()

+  	  sv_histsize ("HISTFILESIZE");

+  	}

+      }

+ +#if defined (SYSLOG_HISTORY)

+ +  bash_cleanup_session_id ();

+ +#endif

+    return (result);

+  }

+  

+ @@ -879,7 +879,8 @@ bash_syslog_history (line)

+        first = 0;

+      }

+  

+ -  hdrlen = snprintf (loghdr, sizeof(loghdr), "HISTORY: PID=%d UID=%d", getpid(), current_user.uid);

+ +  const char *user_name = current_user.user_name ?: "";

+ +  hdrlen = snprintf (loghdr, sizeof(loghdr), "HISTORY: PID=%d UID=%d USER=%s LOG_SESSION_ID=%s", getpid(), current_user.uid, user_name, bash_get_session_id());

+    msglen = strlen (line);

+  

+    if ((msglen + hdrlen + 1) < SYSLOG_MAXLEN)

@@ -0,0 +1,16 @@ 

+ Index: b/config-top.h

+ ===================================================================

+ --- a/config-top.h

+ +++ b/config-top.h

+ @@ -117,9 +117,9 @@

+  

+  /* Define if you want each line saved to the history list in bashhist.c:

+     bash_add_history() to be sent to syslog(). */

+ -/* #define SYSLOG_HISTORY */

+ +#define SYSLOG_HISTORY

+  #if defined (SYSLOG_HISTORY)

+ -#  define SYSLOG_FACILITY LOG_USER

+ +#  define SYSLOG_FACILITY LOG_AUTHPRIV

+  #  define SYSLOG_LEVEL LOG_INFO

+  #  define OPENLOG_OPTS LOG_PID

+  #endif

Introduces the logging patches to enable syslog logging by default to the AUTHPRIV syslog facility

1 new commit added

  • fix and bump changelog date
2 years ago

Pull-Request has been merged by dcavalca

2 years ago