[TACACS+] Add audisp-tacplus for per-command accounting. (sonic-net#8750

)

This pull request integrate audisp-tacplus to SONiC for per-command accounting.

#### Why I did it
To support TACACS per-command accounting, we integrate audisp-tacplus project to sonic.

#### How I did it
1. Add auditd service to SONiC
2. Port and patch audisp-tacplus to SONiC

#### How to verify it
UT with CUnit to cover all new code in usersecret-filter.c
Also pass all current UT.

#### Which release branch to backport (provide reason below if selected)
N/A

#### Description for the changelog
Add audisp-tacplus for per-command accounting.

#### A picture of a cute animal (not mandatory but encouraged)

build_debian.sh

@@ -324,7 +324,8 @@ sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y in
     haveged                 \
     fdisk                   \
     gpg                     \
-    jq
+    jq                      \
+    auditd
 
 if [[ $CONFIGURED_ARCH == amd64 ]]; then
 ## Pre-install the fundamental packages for amd64 (x86)

files/build_templates/sonic_debian_extension.j2

@@ -277,6 +277,9 @@ sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/libnss-tacplus_*.deb || \
 # Install bash-tacplus
 sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/bash-tacplus_*.deb || \
     sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
+# Install audisp-tacplus
+sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/audisp-tacplus_*.deb || \
+    sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
 # Disable tacplus by default
 sudo LANG=C chroot $FILESYSTEM_ROOT pam-auth-update --remove tacplus
 sudo sed -i -e '/^passwd/s/ tacplus//' $FILESYSTEM_ROOT/etc/nsswitch.conf

rules/tacacs.mk

@@ -16,8 +16,6 @@ LIBTAC_DEV = libtac-dev_$(PAM_TACPLUS_VERSION)_$(CONFIGURED_ARCH).deb
 $(LIBTAC_DEV)_DEPENDS += $(LIBTAC2)
 $(eval $(call add_derived_package,$(LIBTAC2),$(LIBTAC_DEV)))
 
-
-
 # libnss-tacplus packages
 NSS_TACPLUS_VERSION = 1.0.4-1
 
@@ -29,6 +27,16 @@ $(LIBNSS_TACPLUS)_RDEPENDS += $(LIBTAC2)
 $(LIBNSS_TACPLUS)_SRC_PATH = $(SRC_PATH)/tacacs/nss
 SONIC_MAKE_DEBS += $(LIBNSS_TACPLUS)
 
+# audisp-tacplus packages
+AUDISP_TACPLUS_VERSION = 1.0.2
+
+export AUDISP_TACPLUS_VERSION
+
+AUDISP_TACPLUS = audisp-tacplus_$(AUDISP_TACPLUS_VERSION)_$(CONFIGURED_ARCH).deb
+$(AUDISP_TACPLUS)_DEPENDS += $(LIBTAC_DEV)
+$(AUDISP_TACPLUS)_RDEPENDS += $(LIBTAC2)
+$(AUDISP_TACPLUS)_SRC_PATH = $(SRC_PATH)/tacacs/audisp
+SONIC_MAKE_DEBS += $(AUDISP_TACPLUS)
 
 # bash-tacplus packages
 BASH_TACPLUS_VERSION = 1.0.0
@@ -41,7 +49,6 @@ $(BASH_TACPLUS)_RDEPENDS += $(LIBTAC2)
 $(BASH_TACPLUS)_SRC_PATH = $(SRC_PATH)/tacacs/bash_tacplus
 SONIC_DPKG_DEBS += $(BASH_TACPLUS)
 
-
 # The .c, .cpp, .h & .hpp files under src/{$DBG_SRC_ARCHIVE list}
 # are archived into debug one image to facilitate debugging.
 #

slave.mk

@@ -949,7 +949,8 @@ $(addprefix $(TARGET_PATH)/, $(SONIC_INSTALLERS)) : $(TARGET_PATH)/% : \
                 $(SONIC_UTILITIES_DATA) \
                 $(SONIC_HOST_SERVICES_DATA) \
                 $(BASH) \
-                $(BASH_TACPLUS)) \
+                $(BASH_TACPLUS) \
+                $(AUDISP_TACPLUS)) \
         $$(addprefix $(TARGET_PATH)/,$$($$*_DOCKERS)) \
         $$(addprefix $(TARGET_PATH)/,$$(SONIC_PACKAGES_LOCAL)) \
         $$(addprefix $(FILES_PATH)/,$$($$*_FILES)) \

sonic-slave-bullseye/Dockerfile.j2

@@ -349,7 +349,10 @@ RUN apt-get update && apt-get install -y \
         libdbus-1-dev \
         libgirepository1.0-dev \
         libsystemd-dev \
-        pkg-config
+        pkg-config \
+# For audisp-tacplus
+        libauparse-dev \
+        auditd
 
 RUN apt-get -y build-dep openssh
 

sonic-slave-buster/Dockerfile.j2

@@ -354,7 +354,10 @@ RUN apt-get update && apt-get install -y \
         libdbus-1-dev \
         libgirepository1.0-dev \
         libsystemd-dev \
-        pkg-config
+        pkg-config \
+# For audisp-tacplus
+        libauparse-dev \
+        auditd
 
 # For iproute2
 RUN apt-get install -y -t buster-backports \

sonic-slave-jessie/Dockerfile.j2

@@ -239,6 +239,9 @@ RUN apt-get update && apt-get install -y \
         libcunit1-dev \
 # For initramfs
         bash-completion \
+# For audisp-tacplus
+        libauparse-dev \
+        auditd \
 {% if CONFIGURED_ARCH == "amd64" -%}
 # For sonic vs image build
         dosfstools \

sonic-slave-stretch/Dockerfile.j2

@@ -295,7 +295,10 @@ RUN apt-get update && apt-get install -y \
         libxml2-utils \
         xsltproc \
         python-lxml \
-        libexpat1-dev
+        libexpat1-dev \
+# For audisp-tacplus
+        libauparse-dev \
+        auditd
 
 # Install dependencies for dhcp relay test 
 RUN pip3 install parameterized==0.8.1

src/sonic-host-services/scripts/hostcfgd

@@ -100,6 +100,18 @@ def obfuscate(data):
     else:
         return data
 
+def get_pid(procname):
+    for dirname in os.listdir('/proc'):
+        if dirname == 'curproc':
+            continue
+        try:
+            with open('/proc/{}/cmdline'.format(dirname), mode='r') as fd:
+                content = fd.read()
+        except Exception as ex:
+            continue
+        if procname in content:
+            return dirname
+    return ""
 
 class Feature(object):
     """ Represents a feature configuration from CONFIG_DB data. """
@@ -534,6 +546,18 @@ class AaaCfg(object):
         if modify_conf:
             self.modify_conf_file()
 
+    def notify_audisp_tacplus_reload_config(self):
+        pid = get_pid("/sbin/audisp-tacplus")
+        syslog.syslog(syslog.LOG_INFO, "Found audisp-tacplus PID: {}".format(pid))
+        if pid == "":
+            return
+
+        # audisp-tacplus will reload TACACS+ config when receive SIGHUP
+        try:
+            os.kill(int(pid), signal.SIGHUP)
+        except Exception as ex:
+            syslog.syslog(syslog.LOG_WARNING, "Send SIGHUP to audisp-tacplus failed with exception: {}".format(ex))
+
     def handle_radius_source_intf_ip_chg(self, key):
         modify_conf=False
         if 'src_intf' in self.radius_global:
@@ -769,6 +793,9 @@ class AaaCfg(object):
         with open(NSS_TACPLUS_CONF, 'w') as f:
             f.write(nss_tacplus_conf)
 
+        # Notify auditd plugin to reload tacacs config.
+        self.notify_audisp_tacplus_reload_config()
+
         # Set debug in nss-radius conf
         template_file = os.path.abspath(NSS_RADIUS_CONF_TEMPLATE)
         template = env.get_template(template_file)

src/tacacs/.gitignore

@@ -1,5 +1,8 @@
 *
 !.gitignore
+audisp/*
+!audisp/Makefile
+!audisp/*.patch
 !bash_tacplus/*
 nsm/*
 !nsm/Makefile

src/tacacs/audisp/Makefile

@@ -0,0 +1,30 @@
+.ONESHELL:
+SHELL = /bin/bash
+.SHELLFLAGS += -e
+
+MAIN_TARGET = audisp-tacplus_$(AUDISP_TACPLUS_VERSION)_$(CONFIGURED_ARCH).deb
+
+$(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% :
+	# Obtain audisp-tacplus
+	rm -rf ./audisp-tacplus
+
+	git clone https://github.com/daveolson53/audisp-tacplus.git
+
+	# checkout by sha1
+	pushd ./audisp-tacplus
+	git checkout 559c9f22edd4f2dea0ecedffb3ad9502b12a75b6
+
+	# Apply patches
+	cp -r ../patches patches
+	quilt push -a
+
+	# fix aclocal depency issue by run auto.sh
+	./auto.sh
+
+	# build package
+	dpkg-buildpackage -rfakeroot -b -us -uc -j$(SONIC_CONFIG_MAKE_JOBS) --admindir $(SONIC_DPKG_ADMINDIR)
+	popd
+
+	mv $(DERIVED_TARGETS) $* $(DEST)/
+
+$(addprefix $(DEST)/, $(DERIVED_TARGETS)): $(DEST)/% : $(DEST)/$(MAIN_TARGET)