
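--- a/openssh-5.6p1/audit-bsm.c.audit
+++ b/openssh-5.6p1/audit-bsm.c.audit
@@ -305,13 +305,13 @@ audit_run_command(const char *command)
 }
 
 void
-audit_session_open(const char *ttyn)
+audit_session_open(struct logininfo *li)
 {
 	/* not implemented */
 }
 
 void
-audit_session_close(const char *ttyn)
+audit_session_close(struct logininfo *li)
 {
 	/* not implemented */
 }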
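--- a/openssh-5.6p1/audit.c.audit
+++ b/openssh-5.6p1/audit.c.audit
@@ -147,9 +147,9 @@ audit_event(ssh_audit_event_t event)
  * within a single connection.
  */
 void
-audit_session_open(const char *ttyn)
+audit_session_open(struct logininfo *li)
 {
-	const char *t = ttyn ? ttyn : "(no tty)";
+	const char *t = li->line ? li->line : "(no tty)";
 
 	debug("audit session open euid %d user %s tty name %s", geteuid(),
 	    audit_username(), t);
@@ -163,9 +163,9 @@ audit_session_open(const char *ttyn)
  * within a single connection.
  */
 void
-audit_session_close(const char *ttyn)
+audit_session_close(struct logininfo *li)
 {
-	const char *t = ttyn ? ttyn : "(no tty)";
+	const char *t = li->line ? li->line : "(no tty)";
 
 	debug("audit session close euid %d user %s tty name %s", geteuid(),
 	    audit_username(), t);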
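Review bot: `li->line ? li->line : "(no tty)"` at line 152 (and again at line 168) can only ever take the first branch if `line` is a fixed-size array member of struct logininfo, as it is in OpenSSH's loginrec.h, because the address of an array member is never NULL; the old `ttyn ?` test had the same problem once loginrec.c passed `li->line`, so this hunk carries the dead fallback forward rather than fixing it. Test the first character instead: `const char *t = li->line[0] ? li->line : "(no tty)";` in both audit_session_open and audit_session_close. The empty-tty case is exactly the one the "(no tty)" text exists to make visible in the debug output, so it is worth getting right.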
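--- a/openssh-5.6p1/audit.h.audit
+++ b/openssh-5.6p1/audit.h.audit
@@ -26,6 +26,9 @@
 
 #ifndef _SSH_AUDIT_H
 # define _SSH_AUDIT_H
+
+#include "loginrec.h"
+
 enum ssh_audit_event_type {
 	SSH_LOGIN_EXCEED_MAXTRIES,
 	SSH_LOGIN_ROOT_DENIED,
@@ -46,8 +49,8 @@
 
 void	audit_connection_from(const char *, int);
 void	audit_event(ssh_audit_event_t);
-void	audit_session_open(const char *);
-void	audit_session_close(const char *);
+void	audit_session_open(struct logininfo *);
+void	audit_session_close(struct logininfo *);
 void	audit_run_command(const char *);
 ssh_audit_event_t audit_classify_auth(const char *);
 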
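Review bot: audit.h now pulls in all of loginrec.h (new line 30) although the two prototypes it needs it for, at new lines 52-53, only take a pointer to struct logininfo; a forward declaration `struct logininfo;` in its place keeps every includer of audit.h from depending on loginrec.h and whatever that header includes. The translation units that dereference the struct (audit.c, audit-linux.c) would then include loginrec.h themselves. This is a style point; the change compiles either way.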
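--- a/openssh-5.6p1/audit-linux.c.audit
+++ b/openssh-5.6p1/audit-linux.c.audit
@@ -0,0 +1,122 @@
+/* $Id: audit-linux.c,v 1.1 jfch Exp $ */
+
+/*
+ * Copyright 2010 Red Hat, Inc.  All rights reserved.
+ * Use is subject to license terms.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * Red Hat author: Jan F. Chadima <jchadima@redhat.com>
+ */
+/* #pragma ident	"@(#)audit-linux.c	1.1	01/09/17 SMI" */
+
+#include "includes.h"
+#if defined(USE_LINUX_AUDIT)
+#include <libaudit.h>
+#include <unistd.h>
+#include <string.h>
+
+#include "log.h"
+#include "audit.h"
+#include "canohost.h"
+
+const char* audit_username(void);
+
+int
+linux_audit_record_event(int uid, const char *username,
+	const char *hostname, const char *ip, const char *ttyn, int success)
+{
+	int audit_fd, rc;
+
+	audit_fd = audit_open();
+	if (audit_fd < 0) {
+		if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+				errno == EAFNOSUPPORT)
+			return 1; /* No audit support in kernel */
+		else
+                        return 0; /* Must prevent login */
+	}
+	rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
+		NULL, "login", username ? username : "(unknown)",
+		username == NULL ? uid : -1, hostname, ip, ttyn, success);
+	close(audit_fd);
+	if (rc >= 0)
+		return 1;
+	else
+		return 0;
+}
+
+/* Below is the sshd audit API code */
+
+void
+audit_connection_from(const char *host, int port)
+{
+}
+	/* not implemented */
+
+void
+audit_run_command(const char *command)
+{
+	/* not implemented */
+}
+
+void
+audit_session_open(struct logininfo *li)
+{
+	if (linux_audit_record_event(li->uid, NULL, li->hostname,
+		NULL, li->line, 1) == 0)
+	fatal("linux_audit_write_entry failed: %s", strerror(errno));
+}
+
+void
+audit_session_close(struct logininfo *li)
+{
+	/* not implemented */
+}
+
+void
+audit_event(ssh_audit_event_t event)
+{
+	switch(event) {
+	case SSH_AUTH_SUCCESS:
+	case SSH_CONNECTION_CLOSE:
+	case SSH_NOLOGIN:
+	case SSH_LOGIN_EXCEED_MAXTRIES:
+	case SSH_LOGIN_ROOT_DENIED:
+		break;
+
+	case SSH_AUTH_FAIL_NONE:
+	case SSH_AUTH_FAIL_PASSWD:
+	case SSH_AUTH_FAIL_KBDINT:
+	case SSH_AUTH_FAIL_PUBKEY:
+	case SSH_AUTH_FAIL_HOSTBASED:
+	case SSH_AUTH_FAIL_GSSAPI:
+	case SSH_INVALID_USER:
+		linux_audit_record_event(-1, audit_username(), NULL,
+			get_remote_ipaddr(), "sshd", 0);
+		break;
+
+	default:
+		debug("%s: unhandled event %d", __func__, event);
+	}
+}
+
+#endif /* USE_LINUX_AUDIT */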
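Review bot: audit_session_open reports `strerror(errno)` at line 86 after linux_audit_record_event has already called close(audit_fd) at line 60, so the errno shown can be close()'s rather than the one left by audit_open() or audit_log_acct_message(); the message also names `linux_audit_write_entry`, which is not the function that failed. Save errno around the close() and name the real function, as below. audit_event (lines 113-114) discards linux_audit_record_event's return value for every authentication-failure event, so a failed-login record that could not be written is dropped silently while the session-open path treats the same failure as fatal; at least make the gap visible, e.g. `error("%s: linux_audit_record_event failed: %s", __func__, strerror(errno));`. Minor: the `/* not implemented */` at line 73 sits after audit_connection_from's closing brace instead of inside it, line 55 is indented with spaces where the rest of the file uses tabs, and errno/EINVAL are used without an explicit `#include <errno.h>` here, which is fine only if includes.h provides it.
```c
	int audit_fd, rc, saved_errno;
	/* … unchanged: audit_open(), the no-kernel-support check and the
	 * audit_log_acct_message() call that sets rc … */
	saved_errno = errno;	/* close() may overwrite the errno callers report */
	close(audit_fd);
	errno = saved_errno;
	return rc >= 0;
}
/* … unchanged: audit_connection_from, audit_run_command … */
void
audit_session_open(struct logininfo *li)
{
	if (linux_audit_record_event(li->uid, NULL, li->hostname,
	    NULL, li->line, 1) == 0)
		fatal("linux_audit_record_event failed: %s", strerror(errno));
}
```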
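--- a/openssh-5.6p1/configure.ac.audit
+++ b/openssh-5.6p1/configure.ac.audit
@@ -1308,7 +1308,7 @@ int main(void)
 
 AUDIT_MODULE=none
 AC_ARG_WITH(audit,
-	[  --with-audit=module     Enable EXPERIMENTAL audit support (modules=debug,bsm)],
+	[  --with-audit=module     Enable EXPERIMENTAL audit support (modules=debug,bsm,linux)],
 	[
 	  AC_MSG_CHECKING(for supported audit module)
 	  case "$withval" in
@@ -1332,10 +1332,18 @@ AC_ARG_WITH(audit,
 		AC_CHECK_FUNCS(getaudit_addr aug_get_machine)
 		AC_DEFINE(USE_BSM_AUDIT, 1, [Use BSM audit module])
 		;;
+	  linux)
+		AC_MSG_RESULT(linux)
+		AUDIT_MODULE=linux
+		dnl    Checks for headers, libs and functions
+		AC_CHECK_HEADERS(libaudit.h)
+		SSHDLIBS="$SSHDLIBS -laudit"
+		AC_DEFINE(USE_LINUX_AUDIT, 1, [Use Linux audit module])
+		;;
 	  debug)
 		AUDIT_MODULE=debug
 		AC_MSG_RESULT(debug)
-		AC_DEFINE(SSH_AUDIT_EVENTS, 1, Use audit debugging module)
+		AC_DEFINE(SSH_AUDIT_EVENTS, 1, [Use audit debugging module])
 		;;
 	  no)
 		AC_MSG_RESULT(no)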
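Review bot: The `linux)` case at new lines 1335-1342 only reports on libaudit.h with AC_CHECK_HEADERS and does not act on the result, and it appends `-laudit` to SSHDLIBS without probing the library, so `--with-audit=linux` on a host without libaudit configures successfully and the problem surfaces later as a compile or link error in audit-linux.c; the bsm case just above at least probes its functions with AC_CHECK_FUNCS. Use the not-found actions to stop early, e.g. `AC_CHECK_HEADER(libaudit.h, [], [AC_MSG_ERROR([libaudit.h not found; required for --with-audit=linux])])` and `AC_CHECK_LIB(audit, audit_open, [SSHDLIBS="$SSHDLIBS -laudit"], [AC_MSG_ERROR([libaudit not found; required for --with-audit=linux])])`. A smaller point: the linux case sets AUDIT_MODULE after AC_MSG_RESULT while the debug case does it before; harmless, but the two could match.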
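--- a/openssh-5.6p1/defines.h.audit
+++ b/openssh-5.6p1/defines.h.audit
@@ -566,6 +566,11 @@ struct winsize {
 # define CUSTOM_SSH_AUDIT_EVENTS
 #endif
 
+#ifdef USE_LINUX_AUDIT
+# define SSH_AUDIT_EVENTS
+# define CUSTOM_SSH_AUDIT_EVENTS
+#endif
+
 #if !defined(HAVE___func__) && defined(HAVE___FUNCTION__)
 #  define __func__ __FUNCTION__
 #elif !defined(HAVE___func__)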
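--- a/openssh-5.6p1/loginrec.c.audit
+++ b/openssh-5.6p1/loginrec.c.audit
@@ -468,9 +468,9 @@ login_write(struct logininfo *li)
 #endif
 #ifdef SSH_AUDIT_EVENTS
 	if (li->type == LTYPE_LOGIN)
-		audit_session_open(li->line);
+		audit_session_open(li);
 	else if (li->type == LTYPE_LOGOUT)
-		audit_session_close(li->line);
+		audit_session_close(li);
 #endif
 	return (0);
 }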
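--- a/openssh-5.6p1/Makefile.in.audit
+++ b/openssh-5.6p1/Makefile.in.audit
@@ -90,7 +90,7 @@
 	auth-krb5.o \
 	auth2-gss.o gss-serv.o gss-serv-krb5.o \
 	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
-	audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \
+	audit.o audit-bsm.o audit-linux.o platform.o sftp-server.o sftp-common.o \
 	roaming_common.o roaming_serv.o
 
 MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out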
