[202305] Fix TACACS local accounting disabled when debug flag disabled. (#19061)

liuh-80 · web-flow · commit cd195a5ba37c · 2024-05-31T09:26:29.000+08:00
Why I did it TACACS accounting trace log is only for debug, improve code to not generate trace log when debug disabled. Manually cherry-pick following 2 PR, because fir PR has a code bug, PR validation will block it: #16482 #18357 Work item tracking Microsoft ADO: 25270078 How I did it Ignore TACACS accounting trace log when debug disabled. How to verify it Pass all UT. Manually verified the auditd-tacplus not generate trace log when debug disabled.
diff --git a/src/tacacs/audisp/patches/0002-Remove-user-secret-from-accounting-log.patch b/src/tacacs/audisp/patches/0002-Remove-user-secret-from-accounting-log.patch
@@ -13,15 +13,15 @@ Subject: [PATCH] Remove user secret from accounting log.
  regex_helper.h           |  17 +++
  sudoers_helper.c         | 250 +++++++++++++++++++++++++++++++++++++++
  sudoers_helper.h         |  18 +++
- trace.c                  |  21 ++++
+ trace.c                  |  31 +++++
  trace.h                  |  10 ++
  unittest/Makefile        |  21 ++++
  unittest/mock.h          |  17 +++
  unittest/mock_helper.c   |  65 ++++++++++
  unittest/mock_helper.h   |  48 ++++++++
  unittest/password_test.c | 199 +++++++++++++++++++++++++++++++
  unittest/sudoers         |   5 +
- 17 files changed, 931 insertions(+), 4 deletions(-)
+ 17 files changed, 941 insertions(+), 4 deletions(-)
  create mode 100644 password.c
  create mode 100644 password.h
  create mode 100644 regex_helper.c
@@ -700,7 +700,7 @@ new file mode 100644
 index 0000000..44bbbc7
 --- /dev/null
 +++ b/trace.c
-@@ -0,0 +1,21 @@
+@@ -0,0 +1,31 @@
 +#include <stdarg.h>
 +#include <stdio.h>
 +#include <string.h>
@@ -709,9 +709,19 @@ index 0000000..44bbbc7
 +
 +#include "trace.h"
 +
++/* Tacacs+ support lib */
++#include <libtac/support.h>
++
++/* Tacacs control flag */
++extern int tacacs_ctrl;
++
 +/* Output trace log. */
 +void trace(const char *format, ...)
 +{
++    if ((tacacs_ctrl & PAM_TAC_DEBUG) == 0) {
++        return;
++    }
++
 +    // convert log to a string because va args resoursive issue:
 +    // http://www.c-faq.com/varargs/handoff.html
 +    char logBuffer[MAX_LINE_SIZE];
diff --git a/src/tacacs/audisp/patches/0003-Add-local-accounting.patch b/src/tacacs/audisp/patches/0003-Add-local-accounting.patch
@@ -70,12 +70,12 @@ index 0000000..e23acec
 +#include "trace.h"
 +
 +/* Accounting log format. */
-+#define ACCOUNTING_LOG_FORMAT "Accounting: user: %s, tty: %s, host: %s, command: %s, type: %d, task ID: %d"
++#define ACCOUNTING_LOG_FORMAT "Audisp-tacplus: Accounting: user: %s, tty: %s, host: %s, command: %s, type: %d, task ID: %d"
 +
 +/* Write the accounting information to syslog. */
 +void accounting_to_syslog(char *user, char *tty, char *host, char *cmdmsg, int type, uint16_t task_id)
 +{
-+    trace(ACCOUNTING_LOG_FORMAT, user, tty, host, cmdmsg, type, task_id);
++    syslog(LOG_INFO, ACCOUNTING_LOG_FORMAT, user, tty, host, cmdmsg, type, task_id);
 +}
 \ No newline at end of file
 diff --git a/local_accounting.h b/local_accounting.h
