[prev in list] [next in list] [prev in thread] [next in thread]
List: linux-pam-commits
Subject: [linux-pam] pam_tally2: Optionally log the tally count when checking.
From: Tomáš Mráz <tmraz () fedoraproject ! org>
Date: 2015-12-16 8:36:06
Message-ID: 20151216083606.72B7E61341 () fedorahosted ! org
[Download RAW message or body]
commit e0a996ec358af86153c0c00e67802e36283dadd0
Author: Tomas Mraz <tmraz@fedoraproject.org>
Date: Wed Dec 16 09:33:47 2015 +0100
pam_tally2: Optionally log the tally count when checking.
* modules/pam_tally2/pam_tally2.c (tally_parse_args): Add debug option.
(tally_check): Always log the tally count with debug option.
modules/pam_tally2/pam_tally2.8.xml | 13 +++++++++++++
modules/pam_tally2/pam_tally2.c | 16 +++++++++++-----
2 files changed, 24 insertions(+), 5 deletions(-)
---
diff --git a/modules/pam_tally2/pam_tally2.8.xml \
b/modules/pam_tally2/pam_tally2.8.xml index 2f3b2eb..cf5d76d 100644
--- a/modules/pam_tally2/pam_tally2.8.xml
+++ b/modules/pam_tally2/pam_tally2.8.xml
@@ -54,6 +54,9 @@
<arg choice="opt">
no_log_info
</arg>
+ <arg choice="opt">
+ debug
+ </arg>
</cmdsynopsis>
<cmdsynopsis id="pam_tally2-cmdsynopsis2">
<command>pam_tally2</command>
@@ -169,6 +172,16 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>debug</option>
+ </term>
+ <listitem>
+ <para>
+ Always log tally count when it is incremented as a debug level \
message to the system log. + </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</listitem>
</varlistentry>
diff --git a/modules/pam_tally2/pam_tally2.c b/modules/pam_tally2/pam_tally2.c
index f5eebb1..e513f64 100644
--- a/modules/pam_tally2/pam_tally2.c
+++ b/modules/pam_tally2/pam_tally2.c
@@ -124,6 +124,7 @@ struct tally_options {
#define OPT_AUDIT 0100
#define OPT_NOLOGNOTICE 0400
#define OPT_SERIALIZE 01000
+#define OPT_DEBUG 02000
#define MAX_LOCK_WAITING_TIME 10
@@ -196,6 +197,9 @@ tally_parse_args(pam_handle_t *pamh, struct tally_options *opts,
else if ( ! strcmp( *argv, "serialize" ) ) {
opts->ctrl |= OPT_SERIALIZE;
}
+ else if ( ! strcmp( *argv, "debug" ) ) {
+ opts->ctrl |= OPT_DEBUG;
+ }
else if ( ! strcmp( *argv, "even_deny_root_account" ) ||
! strcmp( *argv, "even_deny_root" ) ) {
log_phase_no_auth(pamh, phase, *argv);
@@ -503,6 +507,7 @@ tally_check (tally_t oldcnt, time_t oldtime, pam_handle_t *pamh, \
uid_t uid, struct tallylog *tally)
{
int rv = PAM_SUCCESS;
+ int loglevel = LOG_DEBUG;
#ifdef HAVE_LIBAUDIT
char buf[64];
int audit_fd = -1;
@@ -575,11 +580,7 @@ tally_check (tally_t oldcnt, time_t oldtime, pam_handle_t *pamh, \
uid_t uid, pam_info(pamh, _("Account locked due to %u failed logins"),
(unsigned int)tally->fail_cnt);
}
- if (!(opts->ctrl & OPT_NOLOGNOTICE)) {
- pam_syslog(pamh, LOG_NOTICE,
- "user %s (%lu) tally %hu, deny %hu",
- user, (unsigned long)uid, tally->fail_cnt, opts->deny);
- }
+ loglevel = LOG_NOTICE;
rv = PAM_AUTH_ERR; /* Only unconditional failure */
goto cleanup;
}
@@ -609,6 +610,11 @@ tally_check (tally_t oldcnt, time_t oldtime, pam_handle_t *pamh, \
uid_t uid, }
cleanup:
+ if (!(opts->ctrl & OPT_NOLOGNOTICE) && (loglevel != LOG_DEBUG || opts->ctrl & \
OPT_DEBUG)) { + pam_syslog(pamh, loglevel,
+ "user %s (%lu) tally %hu, deny %hu",
+ user, (unsigned long)uid, tally->fail_cnt, opts->deny);
+ }
#ifdef HAVE_LIBAUDIT
if (audit_fd != -1) {
close(audit_fd);
_______________________________________________
linux-pam-commits mailing list
linux-pam-commits@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/linux-pam-commits@lists.fedorahosted.org
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic