MFC the audit modifications to login so audit context is properly set and

the correct audit records are submitted.

Reviewed by:	rwatson
Obtained from:	TrustedBSD Project

usr.bin/login/Makefile

@@ -2,10 +2,10 @@
 # $FreeBSD$
 
 PROG=	login
-SRCS=	login.c login_fbtab.c
+SRCS=	login.c login_audit.c login_fbtab.c
 CFLAGS+=-DLOGALL
 DPADD=	${LIBUTIL} ${LIBPAM}
-LDADD=	-lutil ${MINUSLPAM}
+LDADD=	-lutil ${MINUSLPAM} -lbsm
 
 .if !defined(NO_SETUID_LOGIN)
 BINOWN=	root

usr.bin/login/login.1

@@ -122,6 +122,13 @@ command which is similar or identical to this utility.
 Consult the
 .Xr builtin 1
 manual page.
+.Pp
+The 
+.Nm
+utility will submit an audit record when login succeeds or fails.
+Failure to determine the current auditing state will
+result in an error exit from
+.Nm .
 .Sh FILES
 .Bl -tag -width ".Pa /etc/login.conf" -compact
 .It Pa /etc/fbtab
@@ -139,6 +146,10 @@ configure authentication services
 .It Pa /etc/pam.d/login
 .Xr pam 8
 configuration file
+.It Pa /etc/security/audit_user
+user flags for auditing
+.It Pa /etc/security/audit_control
+global flags for auditing
 .El
 .Sh SEE ALSO
 .Xr builtin 1 ,

usr.bin/login/login.c

@@ -173,6 +173,7 @@ main(int argc, char *argv[])
 	login_cap_t *lc = NULL;
 	login_cap_t *lc_user = NULL;
 	pid_t pid;
+	char auditsuccess = 1;
 
 	(void)signal(SIGQUIT, SIG_IGN);
 	(void)signal(SIGINT, SIG_IGN);
@@ -291,16 +292,19 @@ main(int argc, char *argv[])
 		pam_err = pam_start("login", username, &pamc, &pamh);
 		if (pam_err != PAM_SUCCESS) {
 			pam_syslog("pam_start()");
+			au_login_fail("PAM Error", 1);
 			bail(NO_SLEEP_EXIT, 1);
 		}
 		pam_err = pam_set_item(pamh, PAM_TTY, tty);
 		if (pam_err != PAM_SUCCESS) {
 			pam_syslog("pam_set_item(PAM_TTY)");
+			au_login_fail("PAM Error", 1);
 			bail(NO_SLEEP_EXIT, 1);
 		}
 		pam_err = pam_set_item(pamh, PAM_RHOST, hostname);
 		if (pam_err != PAM_SUCCESS) {
 			pam_syslog("pam_set_item(PAM_RHOST)");
+			au_login_fail("PAM Error", 1);
 			bail(NO_SLEEP_EXIT, 1);
 		}
 
@@ -317,6 +321,7 @@ main(int argc, char *argv[])
 		    (uid == (uid_t)0 || uid == (uid_t)pwd->pw_uid)) {
 			/* already authenticated */
 			rval = 0;
+			auditsuccess = 0; /* opened a terminal window only */
 		} else {
 			fflag = 0;
 			(void)setpriority(PRIO_PROCESS, 0, -4);
@@ -329,6 +334,12 @@ main(int argc, char *argv[])
 
 		pam_cleanup();
 
+		/*
+		 * We are not exiting here, but this corresponds to a failed
+		 * login event, so set exitstatus to 1.
+		 */
+		au_login_fail("Login incorrect", 1);
+
 		(void)printf("Login incorrect\n");
 		failures++;
 
@@ -351,6 +362,10 @@ main(int argc, char *argv[])
 
 	endpwent();
 
+	/* Audit successful login. */
+	if (auditsuccess)
+		au_login_success();
+
 	/*
 	 * Establish the login class.
 	 */
@@ -936,6 +951,7 @@ bail(int sec, int eval)
 {
 
 	pam_cleanup();
+	audit_logout();
 	(void)sleep(sec);
 	exit(eval);
 }

usr.bin/login/login.h

@@ -27,4 +27,8 @@
 
 void	login_fbtab(char *, uid_t, gid_t);
 
-extern	char **environ;
+void	au_login_success(void);
+void	au_login_fail(char *errmsg, int na);
+
+extern char		**environ;
+extern struct passwd	*pwd;