--- gdm-2.19.1/daemon/verify-pam.c.audit-login	2007-05-13 22:08:24.000000000 -0400

+++ gdm-2.19.1/daemon/verify-pam.c	2007-05-21 11:59:00.000000000 -0400

@@ -55,6 +55,14 @@

 #include <bsm/adt_event.h>

 #endif	/* HAVE_ADT */

+#define  AU_FAILED 0

+#define  AU_SUCCESS 1

+#ifdef HAVE_LIBAUDIT

+#include <libaudit.h>

+#else

+#define log_to_audit_system(l,h,d,s)	do { ; } while (0)

+#endif

+

 /* Evil, but this way these things are passed to the child session */

 static pam_handle_t *pamh = NULL;

@@ -789,6 +797,54 @@ create_pamh (GdmDisplay *d,

 }

 /**

+ * log_to_audit_system:

+ * @login: Name of user

+ * @hostname: Name of host machine

+ * @tty: Name of display 

+ * @success: 1 for success, 0 for failure

+ *

+ * Logs the success or failure of the login attempt with the linux kernel

+ * audit system. The intent is to capture failed events where the user

+ * fails authentication or otherwise is not permitted to login. There are

+ * many other places where pam could potentially fail and cause login to 

+ * fail, but these are system failures rather than the signs of an account

+ * being hacked.

+ *

+ * Returns nothing.

+ */

+

+#ifdef HAVE_LIBAUDIT

+static void 

+log_to_audit_system(const char *login,

+		    const char *hostname,

+		    const char *tty,

+		    gboolean success)

+{

+	struct passwd *pw;

+	char buf[64];

+	int audit_fd;

+

+	audit_fd = audit_open();

+	if (login)

+		pw = getpwnam(login);

+	else {

+		login = "unknown";

+		pw = NULL;

+	}

+	if (pw) {

+		snprintf(buf, sizeof(buf), "uid=%d", pw->pw_uid);

+		audit_log_user_message(audit_fd, AUDIT_USER_LOGIN,

+				       buf, hostname, NULL, tty, (int)success);

+	} else {

+		snprintf(buf, sizeof(buf), "acct=%s", login);

+		audit_log_user_message(audit_fd, AUDIT_USER_LOGIN,

+				       buf, hostname, NULL, tty, (int)success);

+	}

+	close(audit_fd);

+}

+#endif

+

+/**

  * gdm_verify_user:

  * @username: Name of user or NULL if we should ask

  * @display: Name of display to register with the authentication system

@@ -910,6 +966,8 @@ gdm_verify_user (GdmDisplay *d,

 	/* Start authentication session */

 	did_we_ask_for_password = FALSE;

 	if ((pamerr = pam_authenticate (pamh, null_tok)) != PAM_SUCCESS) {

+		/* Log the failed login attempt */

+		log_to_audit_system(login, d->hostname, display, AU_FAILED);

 		if ( ! ve_string_empty (selected_user)) {

 			pam_handle_t *tmp_pamh;

@@ -1030,6 +1088,8 @@ gdm_verify_user (GdmDisplay *d,

 	       ( ! gdm_daemon_config_get_value_bool (GDM_KEY_ALLOW_REMOTE_ROOT) && ! local) ) &&

 	     pwent != NULL &&

 	     pwent->pw_uid == 0) {

+		/* Log the failed login attempt */

+		log_to_audit_system(login, d->hostname, display, AU_FAILED);

 		gdm_error (_("Root login disallowed on display '%s'"),

 			   display);

 		gdm_slave_greeter_ctl_no_ret (GDM_ERRBOX,

@@ -1063,6 +1123,8 @@ gdm_verify_user (GdmDisplay *d,

 		break;

 	case PAM_NEW_AUTHTOK_REQD :

 		if ((pamerr = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK)) != PAM_SUCCESS) {

+			/* Log the failed login attempt */

+			log_to_audit_system(login, d->hostname, display, AU_FAILED);

 			gdm_error (_("Authentication token change failed for user %s"), login);

 			gdm_slave_greeter_ctl_no_ret (GDM_ERRBOX,

 						      _("\nThe change of the authentication token failed. "

@@ -1080,18 +1142,24 @@ gdm_verify_user (GdmDisplay *d,

 #endif	/* HAVE_ADT */

 		break;

 	case PAM_ACCT_EXPIRED :

+		/* Log the failed login attempt */

+		log_to_audit_system(login, d->hostname, display, AU_FAILED);

 		gdm_error (_("User %s no longer permitted to access the system"), login);

 		gdm_slave_greeter_ctl_no_ret (GDM_ERRBOX,

 					      _("\nThe system administrator has disabled your account."));

 		error_msg_given = TRUE;

 		goto pamerr;

 	case PAM_PERM_DENIED :

+		/* Log the failed login attempt */

+		log_to_audit_system(login, d->hostname, display, AU_FAILED);

 		gdm_error (_("User %s not permitted to gain access at this time"), login);

 		gdm_slave_greeter_ctl_no_ret (GDM_ERRBOX,

 					      _("\nThe system administrator has disabled access to the system temporarily."));

 		error_msg_given = TRUE;

 		goto pamerr;

 	default :

+		/* Log the failed login attempt */

+		log_to_audit_system(login, d->hostname, display, AU_FAILED);

 		if (gdm_slave_action_pending ())

 			gdm_error (_("Couldn't set acct. mgmt for %s"), login);

 		goto pamerr;

@@ -1143,6 +1211,8 @@ gdm_verify_user (GdmDisplay *d,

 			gdm_error (_("Couldn't open session for %s"), login);

 		goto pamerr;

 	}

+	/* Login succeeded */

+	log_to_audit_system(login, d->hostname, display, AU_SUCCESS);

 	/* Workaround to avoid gdm messages being logged as PAM_pwdb */

 	gdm_log_shutdown ();

--- gdm-2.19.1/configure.ac.audit-login	2007-05-13 22:08:48.000000000 -0400

+++ gdm-2.19.1/configure.ac	2007-05-21 11:37:59.000000000 -0400

@@ -837,6 +837,10 @@ else

 fi

 AC_SUBST(logdir, $GDM_LOG_DIR)

+AC_ARG_WITH(libaudit,

+  [  --with-libaudit=[auto/yes/no]  Add Linux audit support [default=auto]],,

+  with_libaudit=auto)

+

 withval=""

 AC_ARG_WITH(at-bindir,

 [  --with-at-bindir=<PATH>   PATH to Accessible Technology programs [default=BINDIR]],)

@@ -948,6 +952,24 @@ else

    AC_MSG_RESULT(no)

 fi

+# Check for Linux auditing API

+#

+# libaudit detection

+if test x$with_libaudit = xno ; then

+    have_libaudit=no;

+else

+    # See if we have audit daemon library

+    AC_CHECK_LIB(audit, audit_log_user_message,

+                 have_libaudit=yes, have_libaudit=no)

+fi

+

+AM_CONDITIONAL(HAVE_LIBAUDIT, test x$have_libaudit = xyes)

+

+if test x$have_libaudit = xyes ; then

+    EXTRA_DAEMON_LIBS="$EXTRA_DAEMON_LIBS -laudit"

+    AC_DEFINE(HAVE_LIBAUDIT,1,[linux audit support])

+fi

+

 # Check for Solaris auditing API

 # Note, Solaris auditing not supported for Solaris 9 or earlier and

 # should not be used on these versions of Solaris if auditing is