From: Miroslav Lichvar Date: Wed, 16 Nov 2022 14:59:49 +0000 (+0100) Subject: ntp+cmdmon: log allow/deny commands X-Git-Tag: 4.4-pre1~60 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e789b0817f393a18d1d34b0882ce7a2cc4bfbb9d;p=thirdparty%2Fchrony.git ntp+cmdmon: log allow/deny commands Log added NTP and command access restrictions, using INFO severity if from a chronyc command, DEBUG otherwise (i.e. from the config).
---
diff --git a/cmdmon.c b/cmdmon.c
index 89ce191c..2eb23845 100644
--- a/cmdmon.c
+++ b/cmdmon.c
@@ -1799,6 +1799,9 @@ CAM_AddAccessRestriction(IPAddr *ip_addr, int subnet_bits, int allow, int all)
 if (status == ADF_BADSUBNET) {
 return 0;
 } else if (status == ADF_SUCCESS) {
+ LOG(LOG_GetContextSeverity(LOGC_Command), "%s%s %s access from %s",
+ allow ? "Allowed" : "Denied", all ? " all" : "", "command",
+ UTI_IPSubnetToString(ip_addr, subnet_bits));
 return 1;
 } else {
 return 0;
diff --git a/ntp_core.c b/ntp_core.c
index 63c5a3a2..1d39dedd 100644
--- a/ntp_core.c
+++ b/ntp_core.c
@@ -2856,6 +2856,10 @@ NCR_AddAccessRestriction(IPAddr *ip_addr, int subnet_bits, int allow, int all)
 if (status != ADF_SUCCESS)
 return 0;
 
+ LOG(LOG_GetContextSeverity(LOGC_Command), "%s%s %s access from %s",
+ allow ? "Allowed" : "Denied", all ? " all" : "", "NTP",
+ UTI_IPSubnetToString(ip_addr, subnet_bits));
+
 /* Keep server sockets open only when an address allowed */
 if (allow) {
 NTP_Remote_Address remote_addr;
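Review bot: Only the `ADF_SUCCESS` branch of `CAM_AddAccessRestriction` is logged, so a rejected allow/deny request (the `ADF_BADSUBNET` branch and the final `else`) leaves no record in this function. The same holds for the `if (status != ADF_SUCCESS) return 0;` path in the ntp_core.c hunk. For an audit trail of access-control changes the failed attempts are worth recording too, for example `LOG(LOG_GetContextSeverity(LOGC_Command), "Rejected %s access change (invalid subnet)", "command");` ahead of the `return 0;` in the `ADF_BADSUBNET` branch. The caller may already report the failure; that is outside the hunk, as is the start of the function body.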
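Review bot: The `LOG(...)` call added to `NCR_AddAccessRestriction` is a verbatim copy of the one added in cmdmon.c, with only the service word (`"NTP"` vs `"command"`) differing, so the two audit messages can drift apart when one is edited later. Log monitoring that matches on the `Allowed`/`Denied ... access from` wording depends on both staying identical. A comment on each call such as `/* Wording is shared with the matching message in cmdmon.c; keep in sync */`, or a single shared helper that takes the service name, would guard that. The function body continues past the end of the hunk.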