Merge pull request #137646 from mkg20001/pam-audit

authored by

Maciej Krüger and committed by
GitHub
b33ac6e5 8bf6698a

+48 -2
+46
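--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -197,6 +197,46 @@
 '';
 };
 
+ttyAudit = {
+enable = mkOption {
+type = types.bool;
+default = false;
+description = ''
+Enable or disable TTY auditing for specified users
+'';
+};
+
+enablePattern = mkOption {
+type = types.nullOr types.str;
+default = null;
+description = ''
+For each user matching one of comma-separated
+glob patterns, enable TTY auditing
+'';
+};
+
+disablePattern = mkOption {
+type = types.nullOr types.str;
+default = null;
+description = ''
+For each user matching one of comma-separated
+glob patterns, disable TTY auditing
+'';
+};
+
+openOnly = mkOption {
+type = types.bool;
+default = false;
+description = ''
+Set the TTY audit flag when opening the session,
+but do not restore it when closing the session.
+Using this option is necessary for some services
+that don't fork() to run the authenticated session,
+such as sudo.
+'';
+};
+};
+
 forwardXAuth = mkOption {
 default = false;
 type = types.bool;
@@ -482,6 +522,12 @@
 "session ${
 if config.boot.isContainer then "optional" else "required"
 } pam_loginuid.so"}
+${optionalString cfg.ttyAudit.enable
+"session required ${pkgs.pam}/lib/security/pam_tty_audit.so
+open_only=${toString cfg.ttyAudit.openOnly}
+${optionalString (cfg.ttyAudit.enablePattern != null) "enable=${cfg.ttyAudit.enablePattern}"}
+${optionalString (cfg.ttyAudit.disablePattern != null) "disable=${cfg.ttyAudit.disablePattern}"}
+"}
 ${optionalString cfg.makeHomeDir
 "session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=${config.security.pam.makeHomeDir.skelDirectory} umask=0022"}
 ${optionalString cfg.updateWtmp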
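Review bot: The pam_tty_audit rule at lines 526–530 is emitted from a multi-line Nix string, so the generated pam.d entry carries each module argument on its own line without the trailing `\` that pam.conf(5) requires for continuation, and `open_only=${toString cfg.ttyAudit.openOnly}` renders as `open_only=` for the default `false` (toString of false is the empty string) although pam_tty_audit(8) documents `open_only` as a bare flag with no value. Because the rule is `session required`, a line the PAM parser cannot interpret is likely to make every session on a host with `ttyAudit.enable = true` fail to open, which also loses the auditing the option is meant to provide. A safer form builds the argument list and joins it with backslash continuations, assuming the file's `with lib;` brings `optional` and `concatStringsSep` into scope as it already does `optionalString`. The enclosing session-configuration string starts and ends outside this section.
```nix
${optionalString cfg.ttyAudit.enable (concatStringsSep " \\\n  " (
  [ "session required ${pkgs.pam}/lib/security/pam_tty_audit.so" ]
  ++ optional cfg.ttyAudit.openOnly "open_only"
  ++ optional (cfg.ttyAudit.enablePattern != null) "enable=${cfg.ttyAudit.enablePattern}"
  ++ optional (cfg.ttyAudit.disablePattern != null) "disable=${cfg.ttyAudit.disablePattern}"
))}
# … unchanged: pam_mkhomedir and following session rules …
```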
+2 -2
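--- a/pkgs/os-specific/linux/pam/default.nix
+++ b/pkgs/os-specific/linux/pam/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, buildPackages, fetchurl, flex, cracklib, db4, gettext
+{ lib, stdenv, buildPackages, fetchurl, flex, cracklib, db4, gettext, audit
 , nixosTests
 , withLibxcrypt ? false, libxcrypt
 }:
@@ -18,7 +18,7 @@
 nativeBuildInputs = [ flex ]
 ++ lib.optional stdenv.buildPlatform.isDarwin gettext;
 
-buildInputs = [ cracklib db4 ]
+buildInputs = [ cracklib db4 audit ]
 ++ lib.optional withLibxcrypt libxcrypt;
 
 enableParallelBuilding = true;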
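Review bot: Adding `audit` to buildInputs at line 21 relies on Linux-PAM's configure script autodetecting libaudit, so the expression nowhere states that `$out/lib/security/pam_tty_audit.so` is now expected to exist, and a change in that detection would silently drop the module while the NixOS rule added in pam.nix still references it. As far as I recall, the same detection also compiles audit event logging into libpam itself, which changes behaviour for every PAM service on the system, not only the new module, and deserves a line of intent here. A comment beside the input such as `audit # libaudit: builds pam_tty_audit.so and, if detected, enables audit logging in libpam` would record that, and a post-install existence check on `$out/lib/security/pam_tty_audit.so` would turn the silent case into a build failure. Whether this Linux-PAM version honours an explicit audit configure flag I could not confirm from the page, so I am not proposing one.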