From 0c4853fd8580413542a1a5fcc5fcb82191983689 Mon Sep 17 00:00:00 2001
From: Douglas Bagnall
Date: Thu, 28 Aug 2025 17:03:51 +1200
Subject: [PATCH] dsdb:audit: password_change loggers take a new flag argument

This will allow a key credential link change to be logged, but we don't do that anywhere in this commit.

Signed-off-by: Douglas Bagnall
Reviewed-by: Gary Lockyer
---
 source4/dsdb/samdb/ldb_modules/audit_log.c | 28 +++++++++++++------
 .../samdb/ldb_modules/tests/test_audit_log.c | 8 +++---
 .../ldb_modules/tests/test_audit_log_errors.c | 10 +++----
 3 files changed, 29 insertions(+), 17 deletions(-)

diff --git a/source4/dsdb/samdb/ldb_modules/audit_log.c b/source4/dsdb/samdb/ldb_modules/audit_log.c
index 08d11141d29..ccecc333491 100644
--- a/source4/dsdb/samdb/ldb_modules/audit_log.c
+++ b/source4/dsdb/samdb/ldb_modules/audit_log.c
@@ -481,7 +481,8 @@ failure:
 static struct json_object password_change_json(
 struct ldb_module *module,
 const struct ldb_request *request,
- const struct ldb_reply *reply)
+ const struct ldb_reply *reply,
+ bool public_key_changed)
 {
 struct ldb_context *ldb = NULL;
 const struct dom_sid *sid = NULL;
@@ -502,10 +503,14 @@ static struct json_object password_change_json(
 remote = dsdb_audit_get_remote_address(ldb);
 sid = dsdb_audit_get_user_sid(module);
 dn = dsdb_audit_get_primary_dn(request);
- action = get_password_action(request, reply);
 unique_session_token = dsdb_audit_get_unique_session_token(module);
- event_id = get_password_windows_event_id(request, reply);
-
+ if (public_key_changed) {
+ action = "Public key change";
+ event_id = EVT_ID_DIRECTORY_OBJECT_CHANGE;
+ } else {
+ action = get_password_action(request, reply);
+ event_id = get_password_windows_event_id(request, reply);
+ }
 audit = json_new_object();
 if (json_is_invalid(&audit)) {
 goto failure;
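Review bot: The new flag is named `public_key_changed` here but `is_public_key_change` on password_change_human_readable (hunk @@ -771,7 +776,8), although both select the same "Public key change" action and both callers in log_standard_operation pass them together; one spelling for the two parameters would make that pairing obvious. The parameter is also undocumented: if password_change_json has a header comment above the hunk it should gain a line such as `@param public_key_changed true when the logged modification is a key credential link change rather than a password change; the entry is then reported as "Public key change" with EVT_ID_DIRECTORY_OBJECT_CHANGE`, otherwise a short comment on the parameter line would do. password_change_json's body continues outside the hunk.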
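Review bot: The action string `"Public key change"` is written as a literal in this hunk and again in password_change_human_readable (hunk @@ -789,7 +795,12), so the JSON and human-readable audit streams can silently diverge if one copy is edited later; audit consumers that filter on the action value would then miss one of the two. A single definition next to the file's existing tags, for example `#define PASSWORD_ACTION_PUBLIC_KEY_CHANGE "Public key change"` (name constructed here), used by both loggers, keeps the two outputs in step. The rest of the JSON assembly and the `failure:` path lie outside the hunk.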
@@ -771,7 +776,8 @@ static char *password_change_human_readable(
 TALLOC_CTX *mem_ctx,
 struct ldb_module *module,
 const struct ldb_request *request,
- const struct ldb_reply *reply)
+ const struct ldb_reply *reply,
+ bool is_public_key_change)
 {
 struct ldb_context *ldb = NULL;
 const char *remote_host = NULL;
@@ -789,7 +795,12 @@ static char *password_change_human_readable(
 remote_host = dsdb_audit_get_remote_host(ldb, ctx);
 sid = dsdb_audit_get_user_sid(module);
 timestamp = audit_get_timestamp(ctx);
- action = get_password_action(request, reply);
+
+ if (is_public_key_change) {
+ action = "Public key change";
+ } else {
+ action = get_password_action(request, reply);
+ }
 dn = dsdb_audit_get_primary_dn(request);
 
 log_entry = talloc_asprintf(
@@ -1166,7 +1177,8 @@ static void log_standard_operation(
 ctx,
 module,
 request,
- reply);
+ reply,
+ false);
 audit_log_human_text(
 PASSWORD_HR_TAG,
 entry,
@@ -1199,7 +1211,7 @@ static void log_standard_operation(
 && audit_private->send_password_events)) {
 if (password_changed) {
 struct json_object json;
- json = password_change_json(module, request, reply);
+ json = password_change_json(module, request, reply, false);
 audit_log_json(
 &json,
 DBGC_DSDB_PWD_AUDIT_JSON,
diff --git a/source4/dsdb/samdb/ldb_modules/tests/test_audit_log.c b/source4/dsdb/samdb/ldb_modules/tests/test_audit_log.c
index fecaa3e5a43..f4dae8b1c86 100644
--- a/source4/dsdb/samdb/ldb_modules/tests/test_audit_log.c
+++ b/source4/dsdb/samdb/ldb_modules/tests/test_audit_log.c
@@ -826,7 +826,7 @@ static void test_password_change_json_empty(void **state)
 rc = gettimeofday(&tv, NULL);
 assert_return_code(rc, errno);
 before = tv.tv_sec;
- json = password_change_json(module, req, reply);
+ json = password_change_json(module, req, reply, false);
 
 assert_int_equal(3, json_object_size(json.root));
 
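Review bot: Both updated call sites in log_standard_operation, here and in hunk @@ -1199,7 +1211,7, pass a bare `false`, which tells a reader nothing about what is being switched off; since the commit message says the true case is still to come, a comment such as `false /* public_key_changed */` at each call, or a named constant for the flag, would keep the intent visible until the key credential link path lands and make it harder to pass the wrong value once a true caller exists. The human-readable and JSON branches of log_standard_operation both start and end outside these hunks.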
@@ -955,7 +955,7 @@ static void test_password_change_json(void **state) rc = gettimeofday(&tv, NULL); assert_return_code(rc, errno); before = tv.tv_sec; - json = password_change_json(module, req, reply); + json = password_change_json(module, req, reply, false); assert_int_equal(3, json_object_size(json.root)); @@ -1751,7 +1751,7 @@ static void test_password_change_hr_empty(void **state) reply = talloc_zero(ctx, struct ldb_reply); reply->error = LDB_SUCCESS; - line = password_change_human_readable(ctx, module, req, reply); + line = password_change_human_readable(ctx, module, req, reply, false); assert_non_null(line); /* @@ -1843,7 +1843,7 @@ static void test_password_change_hr(void **state) reply = talloc_zero(ctx, struct ldb_reply); reply->error = LDB_SUCCESS; - line = password_change_human_readable(ctx, module, req, reply); + line = password_change_human_readable(ctx, module, req, reply, false); assert_non_null(line); /* diff --git a/source4/dsdb/samdb/ldb_modules/tests/test_audit_log_errors.c b/source4/dsdb/samdb/ldb_modules/tests/test_audit_log_errors.c index 29317686908..35b07b7ec10 100644 --- a/source4/dsdb/samdb/ldb_modules/tests/test_audit_log_errors.c +++ b/source4/dsdb/samdb/ldb_modules/tests/test_audit_log_errors.c @@ -286,7 +286,7 @@ static void test_password_change_json(void **state) */ will_return(__wrap_json_new_object, false); - json = password_change_json(module, req, reply); + json = password_change_json(module, req, reply, false); assert_true(json_is_invalid(&json)); @@ -297,7 +297,7 @@ static void test_password_change_json(void **state) will_return(__wrap_json_new_object, true); will_return(__wrap_json_add_version, JSON_ERROR); - json = password_change_json(module, req, reply); + json = password_change_json(module, req, reply, false); assert_true(json_is_invalid(&json)); /* 
@@ -308,7 +308,7 @@ static void test_password_change_json(void **state) will_return(__wrap_json_add_version, 0); will_return(__wrap_json_new_object, false); - json = password_change_json(module, req, reply); + json = password_change_json(module, req, reply, false); assert_true(json_is_invalid(&json)); /* @@ -320,7 +320,7 @@ static void test_password_change_json(void **state) will_return(__wrap_json_new_object, true); will_return(__wrap_json_add_timestamp, JSON_ERROR); - json = password_change_json(module, req, reply); + json = password_change_json(module, req, reply, false); assert_true(json_is_invalid(&json)); /* @@ -331,7 +331,7 @@ static void test_password_change_json(void **state) will_return(__wrap_json_new_object, true); will_return(__wrap_json_add_timestamp, 0); - json = password_change_json(module, req, reply); + json = password_change_json(module, req, reply, false); assert_false(json_is_invalid(&json)); json_free(&json); -- 2.47.3