From ca0c815368138ae75bebb19974568e1088e60f55 Mon Sep 17 00:00:00 2001
From: Hua Liu <58683130+liuh-80@users.noreply.github.com>
Date: Tue, 23 Jan 2024 12:13:48 +0800
Subject: [PATCH 1/2] [TACACS] Ignore TACACS accounting trace log when debug disabled. (#16482)

Ignore TACACS accounting trace log when debug disabled.
#### Why I did it
TACACS accounting trace log is only for debug, improve code to not generate trace log when debug disabled.
##### Work item tracking
- Microsoft ADO: 25270078
#### How I did it
Ignore TACACS accounting trace log when debug disabled.
#### How to verify it
Pass all UT. Manually verified the auditd-tacplus not generate trace log when debug disabled.
### Description for the changelog
Ignore TACACS accounting trace log when debug disabled.
---
 ...-Remove-user-secret-from-accounting-log.patch | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/src/tacacs/audisp/patches/0002-Remove-user-secret-from-accounting-log.patch b/src/tacacs/audisp/patches/0002-Remove-user-secret-from-accounting-log.patch
index 1cacaa8a0614..209db4937758 100644
--- a/src/tacacs/audisp/patches/0002-Remove-user-secret-from-accounting-log.patch
+++ b/src/tacacs/audisp/patches/0002-Remove-user-secret-from-accounting-log.patch
@@ -13,7 +13,7 @@ Subject: [PATCH] Remove user secret from accounting log.
 regex_helper.h | 17 +++
 sudoers_helper.c | 250 +++++++++++++++++++++++++++++++++++++++
 sudoers_helper.h | 18 +++
- trace.c | 21 ++++
+ trace.c | 31 +++++
 trace.h | 10 ++
 unittest/Makefile | 21 ++++
 unittest/mock.h | 17 +++
@@ -21,7 +21,7 @@ Subject: [PATCH] Remove user secret from accounting log.
 unittest/mock_helper.h | 48 ++++++++
 unittest/password_test.c | 199 +++++++++++++++++++++++++++++++
 unittest/sudoers | 5 +
- 17 files changed, 931 insertions(+), 4 deletions(-)
+ 17 files changed, 941 insertions(+), 4 deletions(-)
 create mode 100644 password.c
 create mode 100644 password.h
 create mode 100644 regex_helper.c
@@ -700,7 +700,7 @@ new file mode 100644
 index 0000000..44bbbc7
 --- /dev/null
 +++ b/trace.c
-@@ -0,0 +1,21 @@
+@@ -0,0 +1,31 @@
 +#include
 +#include
 +#include
@@ -709,9 +709,19 @@ index 0000000..44bbbc7
 +
 +#include "trace.h"
 +
++/* Tacacs+ support lib */
++#include
++
++/* Tacacs control flag */
++extern int tacacs_ctrl;
++
 +/* Output trace log. */
 +void trace(const char *format, ...)
 +{
++ if ((tacacs_ctrl & PAM_TAC_DEBUG) == 0) {
++ return;
++ }
++
 + // convert log to a string because va args resoursive issue:
 + // http://www.c-faq.com/varargs/handoff.html
 + char logBuffer[MAX_LINE_SIZE];
From fc2929dec94f8fc73aceeafdf603c884364c1688 Mon Sep 17 00:00:00 2001
From: Hua Liu <58683130+liuh-80@users.noreply.github.com>
Date: Thu, 21 Mar 2024 12:28:39 +0800
Subject: [PATCH 2/2] Fix tacacs local accounting break. (#18357)

Fix TACACS local accounting disabled when debug flag disabled.
#### Why I did it
TACACS local accounting use trace() method to output local accounting log, following PR disable trace log when debug flag disabled, https://github.com/sonic-net/sonic-buildimage/pull/16482 Because test case issue, this regression not found. the issue only exists on master branch.
### How I did it
Fix TACACS local accounting disabled when debug flag disabled.
#### How to verify it
Pass all UT. Fix TACACS accounting UT to prevent regression.
### Tested branch (Please provide the tested image version)
- [] SONiC.master-16482.360728-2c8b4066f
#### Description for the changelog
Fix TACACS local accounting disabled when debug flag disabled.
---
 src/tacacs/audisp/patches/0003-Add-local-accounting.patch | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/tacacs/audisp/patches/0003-Add-local-accounting.patch b/src/tacacs/audisp/patches/0003-Add-local-accounting.patch
index 1883f55914fa..00f7b1349505 100644
--- a/src/tacacs/audisp/patches/0003-Add-local-accounting.patch
+++ b/src/tacacs/audisp/patches/0003-Add-local-accounting.patch
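Review bot: The early return added at the top of trace() makes every caller a debug-only path, yet the comment it sits under, `+/* Output trace log. */`, still presents the function as general-purpose output; local_accounting.c in this patch series routed its accounting record through trace(), and the second commit on this page (fc2929d, PR #18357) is the resulting fix, so the contract should be stated in the code. Suggest `/* Output trace log. No-op unless PAM_TAC_DEBUG is set in tacacs_ctrl; accounting/audit output must not go through this function. */`. `tacacs_ctrl` is declared `extern` here with no visible definition or initialisation, and the header meant to supply PAM_TAC_DEBUG is lost in this rendering (only `++#include` survives), so it is worth confirming the flag is populated before the first trace() call; otherwise the bit test reads zero and silently drops every message. trace()'s body continues past the end of the hunk.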
@@ -70,12 +70,12 @@ index 0000000..e23acec
 +#include "trace.h"
 +
 +/* Accounting log format. */
-+#define ACCOUNTING_LOG_FORMAT "Accounting: user: %s, tty: %s, host: %s, command: %s, type: %d, task ID: %d"
++#define ACCOUNTING_LOG_FORMAT "Audisp-tacplus: Accounting: user: %s, tty: %s, host: %s, command: %s, type: %d, task ID: %d"
 +
 +/* Write the accounting information to syslog. */
 +void accounting_to_syslog(char *user, char *tty, char *host, char *cmdmsg, int type, uint16_t task_id)
 +{
-+ trace(ACCOUNTING_LOG_FORMAT, user, tty, host, cmdmsg, type, task_id);
++ syslog(LOG_INFO, ACCOUNTING_LOG_FORMAT, user, tty, host, cmdmsg, type, task_id);
 +}
 \ No newline at end of file
 diff --git a/local_accounting.h b/local_accounting.h
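Review bot: `syslog(LOG_INFO, ACCOUNTING_LOG_FORMAT, user, tty, host, cmdmsg, ...)` hands four pointers to `%s` with nothing in this hunk guaranteeing they are non-NULL; a NULL `%s` argument is undefined behaviour in the printf family, so either state the non-NULL contract in the comment on accounting_to_syslog or substitute a placeholder per argument, e.g. `host ? host : "-"`. The only include visible in the hunk is `#include "trace.h"`; if `<syslog.h>` is not included above this hunk in local_accounting.c, `syslog` and `LOG_INFO` are undeclared. Hard-coding "Audisp-tacplus: " into the format duplicates what an `openlog()` ident would stamp on every record from this daemon, if one is not already set elsewhere. The commit message says the accounting UT was fixed to prevent regression, but the diffstat (`1 file changed, 2 insertions(+), 2 deletions(-)`) covers only these two lines, so no test change is part of this commit.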