movefasta/nixpkgs
0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-13 21:50:33 +03:00
Code Activity

Merge pull request #137646 from mkg20001/pam-audit

Browse source
This commit is contained in:
Maciej Krüger 2021-10-19 15:28:51 +02:00 committed by GitHub
commit b33ac6e5c0
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 48 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

46
nixos/modules/security/pam.nix
View file

@ -197,6 +197,46 @@ let
''; '';
}; };
ttyAudit = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable or disable TTY auditing for specified users
'';
};
enablePattern = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
For each user matching one of comma-separated
glob patterns, enable TTY auditing
'';
};
disablePattern = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
For each user matching one of comma-separated
glob patterns, disable TTY auditing
'';
};
openOnly = mkOption {
type = types.bool;
default = false;
description = ''
Set the TTY audit flag when opening the session,
but do not restore it when closing the session.
Using this option is necessary for some services
that don't fork() to run the authenticated session,
such as sudo.
'';
};
};
forwardXAuth = mkOption { forwardXAuth = mkOption {
default = false; default = false;
type = types.bool; type = types.bool;
@ -482,6 +522,12 @@ let
"session ${ "session ${
if config.boot.isContainer then "optional" else "required" if config.boot.isContainer then "optional" else "required"
} pam_loginuid.so"} } pam_loginuid.so"}
${optionalString cfg.ttyAudit.enable
"session required ${pkgs.pam}/lib/security/pam_tty_audit.so
open_only=${toString cfg.ttyAudit.openOnly}
${optionalString (cfg.ttyAudit.enablePattern != null) "enable=${cfg.ttyAudit.enablePattern}"}
${optionalString (cfg.ttyAudit.disablePattern != null) "disable=${cfg.ttyAudit.disablePattern}"}
"}
${optionalString cfg.makeHomeDir ${optionalString cfg.makeHomeDir
"session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=${config.security.pam.makeHomeDir.skelDirectory} umask=0022"} "session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=${config.security.pam.makeHomeDir.skelDirectory} umask=0022"}
${optionalString cfg.updateWtmp ${optionalString cfg.updateWtmp

4
pkgs/os-specific/linux/pam/default.nix
View file

@ -1,4 +1,4 @@
{ lib, stdenv, buildPackages, fetchurl, flex, cracklib, db4, gettext { lib, stdenv, buildPackages, fetchurl, flex, cracklib, db4, gettext, audit
, nixosTests , nixosTests
, withLibxcrypt ? false, libxcrypt , withLibxcrypt ? false, libxcrypt
}: }:
@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
nativeBuildInputs = [ flex ] nativeBuildInputs = [ flex ]
++ lib.optional stdenv.buildPlatform.isDarwin gettext; ++ lib.optional stdenv.buildPlatform.isDarwin gettext;
buildInputs = [ cracklib db4 ] buildInputs = [ cracklib db4 audit ]
++ lib.optional withLibxcrypt libxcrypt; ++ lib.optional withLibxcrypt libxcrypt;
enableParallelBuilding = true; enableParallelBuilding = true;