From e497100c07aa95e315c4c881d54cb88e57675e80 Mon Sep 17 00:00:00 2001 From: Byron Jones Date: Thu, 23 Jul 2015 12:24:32 +0800 Subject: Bug 1185823 - add additional [audit] syslog entries --- Bugzilla.pm | 19 ++++++++++++++++--- Bugzilla/Auth.pm | 1 + Bugzilla/Bug.pm | 6 ++++++ Bugzilla/User.pm | 13 ++++++------- extensions/AntiSpam/Extension.pm | 26 +++++++------------------- extensions/BMO/Extension.pm | 7 +++---- 6 files changed, 39 insertions(+), 33 deletions(-) diff --git a/Bugzilla.pm b/Bugzilla.pm index afaf77395..8a0ff2fd7 100644 --- a/Bugzilla.pm +++ b/Bugzilla.pm @@ -59,11 +59,13 @@ use Bugzilla::Metrics::Collector; use Bugzilla::Metrics::Template; use Bugzilla::Metrics::Memcached; +use Date::Parse; +use DateTime::TimeZone; +use Encode; use File::Basename; use File::Spec::Functions; -use DateTime::TimeZone; -use Date::Parse; use Safe; +use Sys::Syslog qw(:DEFAULT); ##################################################################### # Constants @@ -659,6 +661,14 @@ sub local_timezone { ||= DateTime::TimeZone->new(name => 'local'); } +# Send messages to syslog for the auditing systems (eg. mozdef) to pick up. +sub audit { + my ($class, $message) = @_; + openlog('apache', 'cons,pid', 'local4'); + syslog('notice', '[audit] ' . encode_utf8($message)); + closelog(); +} + # This creates the request cache for non-mod_perl installations. # This is identical to Install::Util::_cache so that things loaded # into Install::Util::_cache during installation can be read out @@ -1047,6 +1057,10 @@ this Bugzilla installation. Tells you whether or not a specific feature is enabled. For names of features, see C in C. +=item C + +Feeds the provided message into our centralised auditing system. + =back =head1 B @@ -1126,4 +1140,3 @@ information. =back =back - diff --git a/Bugzilla/Auth.pm b/Bugzilla/Auth.pm index e9bd214fd..81b972ac5 100644 --- a/Bugzilla/Auth.pm +++ b/Bugzilla/Auth.pm 
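Review bot: In the new `sub audit` in Bugzilla.pm the message is handed to `syslog` as its format argument; Sys::Syslog treats that argument as a printf-style template (at minimum `%m` is rewritten to `$!`), and the callers in this commit feed it user-controlled text such as logins and bug summaries, so a `%` sequence in that text alters the logged line. Pass the text as a parameter instead: `syslog('notice', '%s', '[audit] ' . encode_utf8($message));`. Because a line break embedded in the same text would let one event read as several `[audit]` entries to whatever consumes the log, it is also worth collapsing control characters first, e.g. `$message =~ s/[[:cntrl:]]+/ /g;` ahead of the `syslog` call. The removed `_syslog` in extensions/AntiSpam/Extension.pm had the same format-argument usage, so this is not a regression, but the shared helper is the right place to fix it.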
@@ -243,6 +243,7 @@ sub _handle_login_result { $template->process('email/lockout.txt.tmpl', $vars, \$message) || ThrowTemplateError($template->error); MessageToMTA($message); + Bugzilla->audit(sprintf('<%s> triggered lockout of %s after %s attempts', $address, $user, $attempts)); } $unlock_at->set_time_zone($user->timezone); diff --git a/Bugzilla/Bug.pm b/Bugzilla/Bug.pm index 042f9c801..76b845f71 100644 --- a/Bugzilla/Bug.pm +++ b/Bugzilla/Bug.pm @@ -1028,6 +1028,12 @@ sub update { my @added_names = map { $new_groups{$_}->name } @$added_gr; $changes->{'bug_group'} = [join(', ', @removed_names), join(', ', @added_names)]; + + # we only audit when bugs protected with a secure-mail enabled group + # are made public + if (!scalar @{ $self->groups_in } && any { $old_groups{$_}->secure_mail } @$removed_gr) { + Bugzilla->audit(sprintf('%s made Bug %s public (%s)', $user->login, $self->id, $self->short_desc)); + } } # Comments and comment tags diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm index d72009629..b2f913266 100644 --- a/Bugzilla/User.pm +++ b/Bugzilla/User.pm @@ -182,6 +182,7 @@ sub _update_groups { my $group_changes = shift; my $changes = shift; my $dbh = Bugzilla->dbh; + my $user = Bugzilla->user; # Update group settings. my $sth_add_mapping = $dbh->prepare( 
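Review bot: The audit line added to `_handle_login_result` formats `$user` and `$attempts` with `%s`; the context line `$unlock_at->set_time_zone($user->timezone)` shows `$user` is a user object, so unless Bugzilla::User overloads stringification the entry will carry a reference address rather than a login. Use the explicit field, `$user->login`, and if `$attempts` is the failure list returned by `account_ip_login_failures` rather than a count (its assignment is not in the hunk), log `scalar @$attempts`. The enclosing sub starts outside the hunk.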
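Review bot: The guard added in `Bugzilla::Bug::update` only fires when a secure-mail group is among the groups removed in this same update, so a bug held in a secure-mail group plus one other group that is opened in two edits (secure-mail group first, the remaining group later) becomes public with no audit entry, because at the second step `@$removed_gr` contains no secure-mail group. Logging every transition to public, `if (!scalar @{ $self->groups_in } && @$removed_gr) {`, closes that gap at the cost of a few extra entries for bugs that were never secure-mail protected; the comment above it would then read `# audit whenever a previously restricted bug is made public`. `any` must already be imported into Bugzilla::Bug, as the hunk does not add it. `update` begins and ends outside this hunk.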
@@ -203,14 +204,12 @@ sub _update_groups { my ($removed, $added) = @{$group_changes->{$is_bless}}; foreach my $group (@$removed) { - $sth_remove_mapping->execute( - $self->id, $group->id, $is_bless, GRANT_DIRECT - ); + $sth_remove_mapping->execute($self->id, $group->id, $is_bless, GRANT_DIRECT); + Bugzilla->audit(sprintf('%s <%s> removed group %s from %s', $user->login, remote_ip(), $group->name, $self->login)); } foreach my $group (@$added) { - $sth_add_mapping->execute( - $self->id, $group->id, $is_bless, GRANT_DIRECT - ); + $sth_add_mapping->execute($self->id, $group->id, $is_bless, GRANT_DIRECT); + Bugzilla->audit(sprintf('%s <%s> added group %s from %s', $user->login, remote_ip(), $group->name, $self->login)); } if (! $is_bless) { @@ -222,7 +221,7 @@ sub _update_groups { $dbh->do( $query, undef, - $self->id, Bugzilla->user->id, + $self->id, $user->id, get_field_id('bug_group'), join(', ', map { $_->name } @$removed), join(', ', map { $_->name } @$added) diff --git a/extensions/AntiSpam/Extension.pm b/extensions/AntiSpam/Extension.pm index 7e1823346..2abba291d 100644 --- a/extensions/AntiSpam/Extension.pm +++ b/extensions/AntiSpam/Extension.pm @@ -16,9 +16,7 @@ use Bugzilla::Error; use Bugzilla::Group; use Bugzilla::Util qw(remote_ip trick_taint); use Email::Address; -use Encode; use Socket; -use Sys::Syslog qw(:DEFAULT setlogsock); our $VERSION = '1'; @@ -39,7 +37,7 @@ sub _project_honeypot_blocking { return if $status != 127 || $threat < Bugzilla->params->{honeypot_threat_threshold}; - _syslog(sprintf("[audit] blocked <%s> from creating %s, honeypot %s", $ip, $login, $honeypot)); + Bugzilla->audit(sprintf("blocked <%s> from creating %s, honeypot %s", $ip, $login, $honeypot)); ThrowUserError('account_creation_restricted'); } 
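Review bot: The second audit line in `_update_groups` says `added group %s from %s`, which reads as a copy of the removal message; it should be `Bugzilla->audit(sprintf('%s <%s> added group %s to %s', $user->login, remote_ip(), $group->name, $self->login));`. Both calls also depend on `remote_ip()` being exported into Bugzilla::User by its `Bugzilla::Util` import and on the `$user` declared in the earlier hunk at line 182, neither of which is visible here. `_update_groups` begins and ends outside the hunk.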
@@ -73,6 +71,7 @@ sub _comment_blocking { my $regex = '\b(?:' . join('|', map { quotemeta } @$blocklist) . ')\b'; if ($params->{thetext} =~ /$regex/i) { + Bugzilla->audit(sprintf("blocked <%s> %s from commenting, blacklisted phrase", remote_ip(), $user->login)); ThrowUserError('antispam_comment_blocked'); } } @@ -90,7 +89,7 @@ sub _domain_blocking { $address->host ); if ($blocked) { - _syslog(sprintf("[audit] blocked <%s> from creating %s, blacklisted domain", remote_ip(), $login)); + Bugzilla->audit(sprintf("blocked <%s> from creating %s, blacklisted domain", remote_ip(), $login)); ThrowUserError('account_creation_restricted'); } } @@ -109,7 +108,7 @@ sub _ip_blocking { $ip ); if ($blocked) { - _syslog(sprintf("[audit] blocked <%s> from creating %s, blacklisted IP", $ip, $login)); + Bugzilla->audit(sprintf("blocked <%s> from creating %s, blacklisted IP", $ip, $login)); ThrowUserError('account_creation_restricted'); } } @@ -139,7 +138,7 @@ sub _cc_limit { my $cc_count = ref($params->{$cc_field}) ? scalar(@{ $params->{$cc_field} }) : 1; if ($cc_count > Bugzilla->params->{antispam_multi_user_limit_count}) { - _syslog(sprintf("[audit] blocked <%s> from CC'ing %s users", Bugzilla->user->login, $cc_count)); + Bugzilla->audit(sprintf("blocked <%s> from CC'ing %s users", Bugzilla->user->login, $cc_count)); delete $params->{$cc_field}; if (exists $params->{cc} && exists $params->{cc}->{add}) { delete $params->{cc}->{add}; @@ -153,7 +152,7 @@ sub bug_set_flags { my $flag_count = @{ $args->{new_flags} }; if ($flag_count > Bugzilla->params->{antispam_multi_user_limit_count}) { - _syslog(sprintf("[audit] blocked <%s> from flaging %s users", Bugzilla->user->login, $flag_count)); + Bugzilla->audit(sprintf("blocked <%s> from flaging %s users", Bugzilla->user->login, $flag_count)); # empty the arrayref $#{ $args->{new_flags} } = -1; } 
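Review bot: The audit call added in `_comment_blocking` uses `$user->login`, but no `$user` is declared within the hunk and the sub's header lies outside it; under `use strict` this compiles only if the sub already declares `$user`, and if it does not, the sibling hunks in this file show the form to use, `Bugzilla->user->login`. Please confirm against the full sub before landing.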
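Review bot: The rewritten audit line in `bug_set_flags` keeps the misspelling `flaging`; since these strings are presumably what the audit consumer matches on, fix it while the line is being touched: `Bugzilla->audit(sprintf("blocked <%s> from flagging %s users", Bugzilla->user->login, $flag_count));`. `bug_set_flags` starts outside the hunk.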
@@ -230,7 +229,7 @@ sub comment_after_add_tag { ); $author->set_disable_mail(1); $author->update(); - _syslog(sprintf("[audit] antispam disabled <%s>: %s", $author->login, $reason)); + Bugzilla->audit(sprintf("antispam disabled <%s>: %s", $author->login, $reason)); } } @@ -369,15 +368,4 @@ sub db_schema_abstract_schema { }; } -# -# utilities -# - -sub _syslog { - my $message = shift; - openlog('apache', 'cons,pid', 'local4'); - syslog('notice', encode_utf8($message)); - closelog(); -} - __PACKAGE__->NAME; diff --git a/extensions/BMO/Extension.pm b/extensions/BMO/Extension.pm index 3d46ead6b..ccf079b06 100644 --- a/extensions/BMO/Extension.pm +++ b/extensions/BMO/Extension.pm @@ -49,7 +49,7 @@ use File::MimeInfo::Magic; use List::MoreUtils qw(natatime any); use List::Util qw(first); use Scalar::Util qw(blessed); -use Sys::Syslog qw(:DEFAULT setlogsock); +use Sys::Syslog qw(:DEFAULT); use Text::Balanced qw( extract_bracketed extract_multiple ); use Bugzilla::Extension::BMO::Constants; @@ -741,7 +741,7 @@ sub object_end_of_create { my $user = $args->{object}; # Log real IP addresses for auditing - _syslog(sprintf('[audit] <%s> created user %s', remote_ip(), $user->login)); + Bugzilla->audit(sprintf('<%s> created user %s', remote_ip(), $user->login)); # Add default searches to new user's footer my $dbh = Bugzilla->dbh; @@ -762,8 +762,7 @@ sub object_end_of_create { } elsif ($class eq 'Bugzilla::Bug') { # Log real IP addresses for auditing - _syslog(sprintf('[audit] %s <%s> created bug %s', - Bugzilla->user->login, remote_ip(), $args->{object}->id)); + Bugzilla->audit(sprintf('%s <%s> created bug %s', Bugzilla->user->login, remote_ip(), $args->{object}->id)); } } -- cgit v1.2.3-24-g4f1b
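Review bot: After the two `_syslog` calls in `object_end_of_create` are switched to `Bugzilla->audit`, the commit keeps `use Sys::Syslog qw(:DEFAULT)` in extensions/BMO/Extension.pm (the earlier hunk only drops `setlogsock`) and, judging by the diffstat of 3 insertions and 4 deletions for this file, does not remove the local `_syslog` helper the way it does for AntiSpam. If no other caller of `_syslog` remains in the file, the helper and the import are dead code that keeps a second, unsanitised log path alive and should be deleted so every audit entry goes through `Bugzilla->audit`. `object_end_of_create` begins outside the hunk.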