On 10.08.2015 22:19, Chet Ramey wrote:
On 8/9/15 1:37 PM, aixtools wrote:
Hi,

Via google I came across the define named

config-top.h:/* #define SYSLOG_HISTORY */

Changing it (manually) to
config-top.h:#define SYSLOG_HISTORY

Adds syslog statements such as:
Aug  9 16:52:55 x064 user:info syslog: HISTORY: PID=262242 UID=0 ls -ltr

Request #1
Add a ./configure variable, e.g., --with-syslog_history
I will think about this, but I am inclined not to do it.  It's easy enough
to enable for those few users who want to do so.

Request #2

At the request of a bash user on AIX I made the following change to make
the syslog output "standardized" to AIX format for many applications so
that the output looks like this:

Aug  9 17:30:12 x064 user:info syslog: bash[454682]: UID=0: ls -ltr
The better way to do this is to use openlog().  I will add the necessary
pieces to call openlog with the shell name as the identifier and LOG_PID
as the default value for the log options.

Chet
We have recently had a customer request for this, and Steve Grubb corrected
the original patch for auditing. IIRC, aureport-2.4.2 should be able to handle the USER_TTY
events now. With his permission, I'm attaching the new patch.
 Thanks
   Ondrej
diff -urp bash-4.3.orig/lib/readline/readline.c bash-4.3/lib/readline/readline.c
--- bash-4.3.orig/lib/readline/readline.c	2015-04-08 12:06:23.079210184 -0400
+++ bash-4.3/lib/readline/readline.c	2015-04-08 14:20:13.254638488 -0400
@@ -57,6 +57,7 @@ extern int errno;
 
 #if defined (HAVE_DECL_AUDIT_USER_TTY)
 #  include <sys/socket.h>
+#  include <libaudit.h>
 #  include <linux/audit.h>
 #  include <linux/netlink.h>
 #endif
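Review bot: The added `#include <libaudit.h>` sits under `#if defined (HAVE_DECL_AUDIT_USER_TTY)`, while the call site later in this patch tests the macro's value with `#if HAVE_DECL_AUDIT_USER_TTY && defined (ENABLE_TTY_AUDIT_SUPPORT)`. If the macro comes from an autoconf declaration check (the configure side is not visible here), it is defined as 0 when the declaration is missing, so `defined (...)` would still be true and the build would fail wherever the libaudit development header is not installed. I would guard the includes with the same condition as the call site, `#if HAVE_DECL_AUDIT_USER_TTY && defined (ENABLE_TTY_AUDIT_SUPPORT)`, and have configure check for `libaudit.h` itself, since the existing test presumably only covers `linux/audit.h`.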
@@ -340,38 +341,31 @@ rl_set_prompt (prompt)
 static void
 audit_tty (char *string)
 {
+  struct audit_message req;
   struct sockaddr_nl addr;
-  struct msghdr msg;
-  struct nlmsghdr nlm;
-  struct iovec iov[2];
   size_t size;
   int fd;
 
   size = strlen (string) + 1;
-  fd = socket (AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
+  fd = socket (PF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
   if (fd < 0)
     return;
-  nlm.nlmsg_len = NLMSG_LENGTH (size);
-  nlm.nlmsg_type = AUDIT_USER_TTY;
-  nlm.nlmsg_flags = NLM_F_REQUEST;
-  nlm.nlmsg_seq = 0;
-  nlm.nlmsg_pid = 0;
-  iov[0].iov_base = &nlm;
-  iov[0].iov_len = sizeof (nlm);
-  iov[1].iov_base = string;
-  iov[1].iov_len = size;
+  if (NLMSG_SPACE(size) > MAX_AUDIT_MESSAGE_LENGTH)
+    return; 
+
+  memset(&req, 0, sizeof(req));
+  req.nlh.nlmsg_len = NLMSG_SPACE(size);
+  req.nlh.nlmsg_type = AUDIT_USER_TTY;
+  req.nlh.nlmsg_flags = NLM_F_REQUEST;
+  req.nlh.nlmsg_seq = 0;
+  if (size && string)
+    memcpy(NLMSG_DATA(&req.nlh), string, size);
+  memset(&addr, 0, sizeof(addr));
   addr.nl_family = AF_NETLINK;
-  addr.nl_pad = 0;
   addr.nl_pid = 0;
   addr.nl_groups = 0;
-  msg.msg_name = &addr;
-  msg.msg_namelen = sizeof (addr);
-  msg.msg_iov = iov;
-  msg.msg_iovlen = 2;
-  msg.msg_control = NULL;
-  msg.msg_controllen = 0;
-  msg.msg_flags = 0;
-  (void)sendmsg (fd, &msg, 0);
+
+  sendto(fd, &req, req.nlh.nlmsg_len, 0, (struct sockaddr*)&addr, sizeof(addr));
   close (fd);
 }
 #endif
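Review bot: The early `return` added under `if (NLMSG_SPACE(size) > MAX_AUDIT_MESSAGE_LENGTH)` leaks `fd`, because the socket is already open at that point; move the length test above the `socket ()` call or write `{ close (fd); return; }`. That branch also means a line over the limit produces no audit record at all, which is a gap in the TTY audit trail; truncating the copy to fit and still sending would keep such lines visible. `strlen (string)` runs before `if (size && string)`, so that test cannot guard against a NULL `string` and `size` is never 0 here. The result of `sendto` is ignored and the old `(void)` cast was dropped, so a comment such as `/* best effort: audit failures must not break readline */` would make the intent explicit.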
@@ -426,9 +420,9 @@ readline (prompt)
     RL_SETSTATE (RL_STATE_CALLBACK);
 #endif
 
-#if HAVE_DECL_AUDIT_TTY && defined (ENABLE_TTY_AUDIT_SUPPORT)
+#if HAVE_DECL_AUDIT_USER_TTY && defined (ENABLE_TTY_AUDIT_SUPPORT)
   if (value)
-    _rl_audit_tty (value);
+    audit_tty (value);
 #endif
 
   return (value);
diff -urp bash-4.3.orig/lib/readline/util.c bash-4.3/lib/readline/util.c
--- bash-4.3.orig/lib/readline/util.c	2013-09-02 13:36:12.000000000 -0400
+++ bash-4.3/lib/readline/util.c	2015-04-08 14:18:21.165632509 -0400
@@ -539,53 +539,3 @@ _rl_settracefp (fp)
 }
 #endif
 
-
-#if HAVE_DECL_AUDIT_USER_TTY && defined (ENABLE_TTY_AUDIT_SUPPORT)
-#include <sys/socket.h>
-#include <linux/audit.h>
-#include <linux/netlink.h>
-
-/* Report STRING to the audit system. */
-void
-_rl_audit_tty (string)
-     char *string;
-{
-  struct sockaddr_nl addr;
-  struct msghdr msg;
-  struct nlmsghdr nlm;
-  struct iovec iov[2];
-  size_t size;
-  int fd;
-
-  fd = socket (AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
-  if (fd < 0)
-    return;
-  size = strlen (string) + 1;
-
-  nlm.nlmsg_len = NLMSG_LENGTH (size);
-  nlm.nlmsg_type = AUDIT_USER_TTY;
-  nlm.nlmsg_flags = NLM_F_REQUEST;
-  nlm.nlmsg_seq = 0;
-  nlm.nlmsg_pid = 0;
-
-  iov[0].iov_base = &nlm;
-  iov[0].iov_len = sizeof (nlm);
-  iov[1].iov_base = string;
-  iov[1].iov_len = size;
-
-  addr.nl_family = AF_NETLINK;
-  addr.nl_pid = 0;
-  addr.nl_groups = 0;
-
-  msg.msg_name = &addr;
-  msg.msg_namelen = sizeof (addr);
-  msg.msg_iov = iov;
-  msg.msg_iovlen = 2;
-  msg.msg_control = NULL;
-  msg.msg_controllen = 0;
-  msg.msg_flags = 0;
-
-  (void)sendmsg (fd, &msg, 0);
-  close (fd);
-}
-#endif
