Deprecate enable_krb and replace with transport config opt for remote…

… logging
caidongyun · Aug 8, 2018 · 77fbcf3 · 77fbcf3
1 parent 7900d14
commit 77fbcf3
Show file tree

Hide file tree

Showing 12 changed files with 105 additions and 49 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -27,6 +27,7 @@
 - Update lookup tables for the 4.18 kernel
 - Add auparse_normalizer support for SOFTWARE_UPDATE event
 - Add 30-ospp-v42.rules to meet new Common Criteria requirements
+- Deprecate enable_krb and replace with transport config opt for remote logging
 
 2.8.3
 - Correct msg function name in LRU debug code

diff --git a/audisp/plugins/remote/Makefile.am b/audisp/plugins/remote/Makefile.am
@@ -1,5 +1,5 @@
 # Makefile.am --
-# Copyright 2008-2009,2011,2015 Red Hat Inc., Durham, North Carolina.
+# Copyright 2008-2009,2011,2015,2018 Red Hat Inc., Durham, North Carolina.
 # All Rights Reserved.
 #
 # This library is free software; you can redistribute it and/or
@@ -36,8 +36,8 @@ TESTS = $(check_PROGRAMS)
 audisp_remote_DEPENDENCIES = ${top_builddir}/common/libaucommon.a
 audisp_remote_SOURCES = audisp-remote.c remote-config.c queue.c
 audisp_remote_CFLAGS = -fPIE -DPIE -g -D_REENTRANT -D_GNU_SOURCE -Wundef
-audisp_remote_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now $(gss_libs)
-audisp_remote_LDADD = $(CAPNG_LDADD) -L${top_builddir}/common -laucommon
+audisp_remote_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now
+audisp_remote_LDADD = $(CAPNG_LDADD) $(gss_libs) -L${top_builddir}/common -laucommon
 
 test_queue_SOURCES = queue.c test-queue.c
 

diff --git a/audisp/plugins/remote/audisp-remote.c b/audisp/plugins/remote/audisp-remote.c
@@ -1,5 +1,5 @@
 /* audisp-remote.c --
- * Copyright 2008-2012,2016 Red Hat Inc., Durham, North Carolina.
+ * Copyright 2008-2012,2016,2018 Red Hat Inc., Durham, North Carolina.
  * All Rights Reserved.
  *
  * This program is free software; you can redistribute it and/or modify
@@ -98,8 +98,11 @@ static int ar_write (int, const void *, int);
    credentials.  These are the ones we talk to the server with.  */
 gss_ctx_id_t my_context;
 
+#define KEYTAB_NAME "/etc/audisp/audisp-remote.key"
+#define CCACHE_NAME "MEMORY:audisp-remote"
+
 #define REQ_FLAGS GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG
-#define USE_GSS (config.enable_krb5)
+#define USE_GSS (config.transport == T_KRB5)
 #endif
 
 /* Compile-time expression verification */
@@ -741,9 +744,6 @@ static void gss_failure (const char *msg, int major_status, int minor_status)
 		syslog (LOG_ERR, "krb5 error: %s in %s\n", krb5_get_error_message (kcontext, x), f); \
 		return -1; }
 
-#define KEYTAB_NAME "/etc/audisp/audisp-remote.key"
-#define CCACHE_NAME "MEMORY:audisp-remote"
-
 /* Each time we connect to the server, we negotiate a set of credentials and
    a security context. To do this, we need our own credentials first. For
    other Kerberos applications, the user will have called kinit (or otherwise
@@ -969,7 +969,7 @@ static int negotiate_credentials (void)
 #endif
 	return 0;
 }
-#endif
+#endif // USE_GSSAPI
 
 static int stop_sock(void)
 {
@@ -992,6 +992,10 @@ static int stop_transport(void)
 		case T_TCP:
 			rc = stop_sock();
 			break;
+		case T_KRB5:
+			// FIXME: shutdown kerberos
+			rc = -1;
+			break;
 		default:
 			rc = -1;
 			break;
@@ -1112,7 +1116,7 @@ static int init_sock(void)
 
 #ifdef USE_GSSAPI
 	if (USE_GSS) {
-		if (negotiate_credentials ()) {
+		if (negotiate_credentials()) {
 			rc = ET_PERMANENT;
 			goto out;
 		}
@@ -1313,7 +1317,7 @@ static int recv_msg_gss (unsigned char *header, char *msg, uint32_t *mlen)
 	free (utok.value);
 	return 0;
 }
-#endif
+#endif // USE_GSSAPI
 
 static int send_msg_tcp (unsigned char *header, const char *msg, uint32_t mlen)
 {

diff --git a/audisp/plugins/remote/audisp-remote.conf b/audisp/plugins/remote/audisp-remote.conf
@@ -26,7 +26,6 @@ generic_warning_action = syslog
 queue_error_action = stop
 overflow_action = syslog
 
-##enable_krb5 = no
 ##krb5_principal = 
 ##krb5_client_name = auditd
 ##krb5_key_file = /etc/audisp/audisp-remote.key
diff --git a/audisp/plugins/remote/audisp-remote.conf.5 b/audisp/plugins/remote/audisp-remote.conf.5
@@ -1,4 +1,4 @@
-.TH AUDISP-REMOTE.CONF: "5" "June 2016" "Red Hat" "System Administration Utilities"
+.TH AUDISP-REMOTE.CONF: "5" "Aug 2018" "Red Hat" "System Administration Utilities"
 .SH NAME
 audisp-remote.conf \- the audisp-remote configuration file
 .SH DESCRIPTION
@@ -19,11 +19,13 @@ set to the word
 then any available unpriviledged port is used. This is a security mechanism to prevent untrusted user space apps from injecting events into the audit daemon. You should set it to an unused port < 1024 to ensure that only privileged users can bind to that port. Then also set the tcp_client_ports in the aggregating auditd.conf file to match the ports that clients are sending from.
 .TP
 .I transport
-This parameter tells the remote logging app how to send events to the remote system. The only valid value right now is
-.IR tcp ".
+This parameter tells the remote logging app how to send events to the remote system. The valid options are
+.IR TCP ", and " KRB5 ".
 If set to
-.IR tcp ,
-the remote logging app will just make a normal clear text connection to the remote system. This is not used if kerberos is enabled.
+.IR TCP ,
+the remote logging app will just make a normal clear text connection to the remote system. If its set to
+.IR KRB5 ",
+then Kerberos 5 will be used for authentication and encryption. The default value is TCP.
 .TP
 .I mode
 This parameter tells the remote logging app what strategy to use getting records to the remote system. Valid values are
@@ -161,9 +163,15 @@ option will cause the remote logging app to put the computer system in single us
 option will cause the remote logging app to shutdown the computer system.
 .TP
 .I enable_krb5
-If set to "yes", Kerberos 5 will be used for authentication and
-encryption.  Default is "no".  Note that encryption can only be used
-with managed connections, not plain ASCII.
+This option is deprecated. Use the
+.IR transport
+option to enable Kerberos support. If this option follows the transport
+configuration option, it will override the transport setting. This would
+be the normal expected behavior for backwards compatibility. If set to
+.IR yes ",
+Kerberos 5 will be used for authentication and encryption.  Default is
+.IR no ".  Note that encryption can only be used with managed connections,
+not plain ASCII.
 .TP
 .I krb5_principal
 If specified, This is the expected principal for the server.  The

diff --git a/audisp/plugins/remote/remote-config.c b/audisp/plugins/remote/remote-config.c
@@ -1,5 +1,5 @@
 /* remote-config.c -- 
- * Copyright 2008,2009,2011,2015-16 Red Hat Inc., Durham, North Carolina.
+ * Copyright 2008,2009,2011,2015-16,2018 Red Hat Inc., Durham, North Carolina.
  * All Rights Reserved.
  *
  * This program is free software; you can redistribute it and/or modify
@@ -139,6 +139,9 @@ static const struct kw_pair keywords[] =
 static const struct nv_list transport_words[] =
 {
   {"tcp",  T_TCP  },
+#ifdef USE_GSSAPI
+  {"krb5", T_KRB5 },
+#endif
   { NULL,  0 }
 };
 
@@ -220,7 +223,6 @@ void clear_config(remote_conf_t *config)
 #undef IA
 	config->overflow_action = OA_SYSLOG;
 
-	config->enable_krb5 = 0;
 	config->krb5_principal = NULL;
 	config->krb5_client_name = NULL;
 	config->krb5_key_file = NULL;
@@ -685,7 +687,8 @@ static int enable_krb5_parser(struct nv_pair *nv, int line,
 
 	for (i=0; enable_krb5_values[i].name != NULL; i++) {
 		if (strcasecmp(nv->value, enable_krb5_values[i].name) == 0) {
-			config->enable_krb5 = enable_krb5_values[i].option;
+			if (enable_krb5_values[i].option == 1)
+				config->transport = T_KRB5;
 			return 0;
 		}
 	}

diff --git a/audisp/plugins/remote/remote-config.h b/audisp/plugins/remote/remote-config.h
@@ -1,5 +1,5 @@
 /* remote-config.h -- 
- * Copyright 2008,2009,2011,2016 Red Hat Inc., Durham, North Carolina.
+ * Copyright 2008,2009,2011,2016,2018 Red Hat Inc., Durham, North Carolina.
  * All Rights Reserved.
  *
  * This program is free software; you can redistribute it and/or modify
@@ -25,7 +25,7 @@
 #define REMOTE_CONFIG_H
 
 typedef enum { M_IMMEDIATE, M_STORE_AND_FORWARD  } rmode_t;
-typedef enum { T_TCP, T_SSL, T_GSSAPI, T_LABELED } transport_t;
+typedef enum { T_TCP, T_TLS, T_KRB5, T_LABELED } transport_t;
 typedef enum { F_ASCII, F_MANAGED } format_t;
 typedef enum { FA_IGNORE, FA_SYSLOG, FA_WARN_ONCE_CONT, FA_WARN_ONCE,
 	       FA_EXEC, FA_RECONNECT, FA_SUSPEND,
@@ -47,7 +47,6 @@ typedef struct remote_conf
 	unsigned int max_tries_per_record;
 	unsigned int max_time_per_record;
 	unsigned int heartbeat_timeout;
-	int enable_krb5;
 	const char *krb5_principal;
 	const char *krb5_client_name;
 	const char *krb5_key_file;

diff --git a/docs/auditd.conf.5 b/docs/auditd.conf.5
@@ -1,4 +1,4 @@
-.TH AUDITD.CONF: "5" "June 2018" "Red Hat" "System Administration Utilities"
+.TH AUDITD.CONF: "5" "August 2018" "Red Hat" "System Administration Utilities"
 .SH NAME
 auditd.conf \- audit daemon configuration file
 .SH DESCRIPTION
@@ -277,9 +277,20 @@ for this parameter. You will also need to set the local_port option in the audis
 .I tcp_client_max_idle
 This parameter indicates the number of seconds that a client may be idle (i.e. no data from them at all) before auditd complains. This is used to close inactive connections if the client machine has a problem where it cannot shutdown the connection cleanly. Note that this is a global setting, and must be higher than any individual client heartbeat_timeout setting, preferably by a factor of two.  The default is zero, which disables this check.
 .TP
+.I transport
+If set to
+.IR TCP ",
+only clear text tcp connections will be used. If set to
+.IR KRB5 ",
+then Kerberos 5 will be used for authentication and encryption. The default value is TCP.
+.TP
 .I enable_krb5
-If set to "yes", Kerberos 5 will be used for authentication and
-encryption.  The default is "no".
+This option is deprecated. Use the
+.IR transport
+option above instead. If set to "yes", Kerberos 5 will be used for
+authentication and encryption.  The default is "no". If this option is set
+to "yes" and it follows the transport option, it will override the transport
+setting. This would be the normal expected behavior for backwards compatibility.
 .TP
 .I krb5_principal
 This is the principal for this server.  The default is "auditd".

diff --git a/init.d/auditd.conf b/init.d/auditd.conf
@@ -29,7 +29,7 @@ tcp_listen_queue = 5
 tcp_max_per_addr = 1
 ##tcp_client_ports = 1024-65535
 tcp_client_max_idle = 0
-enable_krb5 = no
+transport = TCP
 krb5_principal = auditd
 ##krb5_key_file = /etc/audit/audit.key
 distribute_network = no

diff --git a/src/auditd-config.c b/src/auditd-config.c
@@ -1,5 +1,5 @@
 /* auditd-config.c -- 
- * Copyright 2004-2011,2013-14,2016 Red Hat Inc., Durham, North Carolina.
+ * Copyright 2004-2011,2013-14,2016,2018 Red Hat Inc., Durham, North Carolina.
  * All Rights Reserved.
  *
  * This program is free software; you can redistribute it and/or modify
@@ -125,6 +125,8 @@ static int tcp_client_ports_parser(struct nv_pair *nv, int line,
 		struct daemon_conf *config);
 static int tcp_client_max_idle_parser(struct nv_pair *nv, int line,
 		struct daemon_conf *config);
+static int transport_parser(struct nv_pair *nv, int line,
+		struct daemon_conf *config);
 static int enable_krb5_parser(struct nv_pair *nv, int line,
 		struct daemon_conf *config);
 static int krb5_principal_parser(struct nv_pair *nv, int line,
@@ -174,6 +176,7 @@ static const struct kw_pair keywords[] =
   {"use_libwrap",              use_libwrap_parser,              0 },
   {"tcp_client_ports",         tcp_client_ports_parser,         0 },
   {"tcp_client_max_idle",      tcp_client_max_idle_parser,      0 },
+  {"transport",                transport_parser,                0 },
   {"enable_krb5",              enable_krb5_parser,              0 },
   {"krb5_principal",           krb5_principal_parser,           0 },
   {"krb5_key_file",            krb5_key_file_parser,            0 },
@@ -254,6 +257,15 @@ static const struct nv_list overflow_actions[] =
   { NULL,     0 }
 };
 
+static const struct nv_list transport_words[] =
+{
+  {"tcp",  T_TCP  },
+#ifdef USE_GSSAPI
+  {"krb5", T_KRB5 },
+#endif
+  { NULL,  0 }
+};
+
 const char *email_command = "/usr/lib/sendmail";
 static int allow_links = 0;
 static const char *config_dir = NULL;
@@ -325,7 +337,7 @@ void clear_config(struct daemon_conf *config)
 	config->tcp_client_min_port = 0;
 	config->tcp_client_max_port = TCP_PORT_MAX;
 	config->tcp_client_max_idle = 0;
-	config->enable_krb5 = 0;
+	config->transport = T_TCP;
 	config->krb5_principal = NULL;
 	config->krb5_key_file = NULL;
 	config->distribute_network_events = 0;
@@ -1588,6 +1600,24 @@ static int tcp_client_max_idle_parser(struct nv_pair *nv, int line,
 #endif
 }
 
+static int transport_parser(struct nv_pair *nv, int line,
+	struct daemon_conf *config)
+{
+	int i;
+
+	audit_msg(LOG_DEBUG, "transport_parser called with: %s",
+		nv->value);
+
+	for (i=0; transport_words[i].name != NULL; i++) {
+		if (strcasecmp(nv->value, transport_words[i].name) == 0) {
+			config->transport = transport_words[i].option;
+			return 0;
+		}
+	}
+	audit_msg(LOG_ERR, "Option %s not found - line %d", nv->value, line);
+	return 1;
+}
+
 static int enable_krb5_parser(struct nv_pair *nv, int line,
 	struct daemon_conf *config)
 {
@@ -1604,7 +1634,8 @@ static int enable_krb5_parser(struct nv_pair *nv, int line,
 
 	for (i=0; yes_no_values[i].name != NULL; i++) {
 		if (strcasecmp(nv->value, yes_no_values[i].name) == 0) {
-			config->enable_krb5 = yes_no_values[i].option;
+			if (yes_no_values[i].option == 1)
+				config->transport = T_KRB5;
 			return 0;
 		}
 	}

diff --git a/src/auditd-config.h b/src/auditd-config.h
@@ -40,6 +40,7 @@ typedef enum { TEST_AUDITD, TEST_SEARCH } log_test_t;
 typedef enum { N_NONE, N_HOSTNAME, N_FQD, N_NUMERIC, N_USER } node_t;
 typedef enum { O_IGNORE, O_SYSLOG, O_SUSPEND, O_SINGLE,
 		O_HALT } overflow_action_t;
+typedef enum { T_TCP, T_TLS, T_KRB5, T_LABELED } transport_t;
 
 struct daemon_conf
 {
@@ -79,7 +80,7 @@ struct daemon_conf
 	unsigned long tcp_client_min_port;
 	unsigned long tcp_client_max_port;
 	unsigned long tcp_client_max_idle;
-	int enable_krb5;
+	int transport;
 	const char *krb5_principal;
 	const char *krb5_key_file;
 	int distribute_network_events;