Merge pull request #137646 from mkg20001/pam-audit

2024-11-10 16:45:51 +03:00 · 2021-10-19 15:28:51 +02:00 · 2021-10-19 15:28:51 +02:00 · b33ac6e5c0
commit b33ac6e5c0
parent 8bf6698ad0 f3d00b3a94
2 changed files with 48 additions and 2 deletions
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@ -197,6 +197,46 @@ let
        '';
      };

+      ttyAudit = {
+        enable = mkOption {
+          type = types.bool;
+          default = false;
+          description = ''
+            Enable or disable TTY auditing for specified users
+          '';
+        };
+
+        enablePattern = mkOption {
+          type = types.nullOr types.str;
+          default = null;
+          description = ''
+            For each user matching one of comma-separated
+            glob patterns, enable TTY auditing
+          '';
+        };
+
+        disablePattern = mkOption {
+          type = types.nullOr types.str;
+          default = null;
+          description = ''
+            For each user matching one of comma-separated
+            glob patterns, disable TTY auditing
+          '';
+        };
+
+        openOnly = mkOption {
+          type = types.bool;
+          default = false;
+          description = ''
+            Set the TTY audit flag when opening the session,
+            but do not restore it when closing the session.
+            Using this option is necessary for some services
+            that don't fork() to run the authenticated session,
+            such as sudo.
+          '';
+        };
+      };
+
      forwardXAuth = mkOption {
        default = false;
        type = types.bool;
@ -482,6 +522,12 @@ let
              "session ${
                if config.boot.isContainer then "optional" else "required"
              } pam_loginuid.so"}
+          ${optionalString cfg.ttyAudit.enable
+              "session required ${pkgs.pam}/lib/security/pam_tty_audit.so
+                open_only=${toString cfg.ttyAudit.openOnly}
+                ${optionalString (cfg.ttyAudit.enablePattern != null) "enable=${cfg.ttyAudit.enablePattern}"}
+                ${optionalString (cfg.ttyAudit.disablePattern != null) "disable=${cfg.ttyAudit.disablePattern}"}
+              "}
          ${optionalString cfg.makeHomeDir
              "session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=${config.security.pam.makeHomeDir.skelDirectory} umask=0022"}
          ${optionalString cfg.updateWtmp
--- a/pkgs/os-specific/linux/pam/default.nix
+++ b/pkgs/os-specific/linux/pam/default.nix
@ -1,4 +1,4 @@
-{ lib, stdenv, buildPackages, fetchurl, flex, cracklib, db4, gettext
+{ lib, stdenv, buildPackages, fetchurl, flex, cracklib, db4, gettext, audit
 , nixosTests
 , withLibxcrypt ? false, libxcrypt
 }:
@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
  nativeBuildInputs = [ flex ]
    ++ lib.optional stdenv.buildPlatform.isDarwin gettext;

-  buildInputs = [ cracklib db4 ]
+  buildInputs = [ cracklib db4 audit ]
    ++ lib.optional withLibxcrypt libxcrypt;

  enableParallelBuilding = true;