
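--- a/Makefile.in
+++ b/Makefile.in
@@ -81,6 +81,7 @@
 	roaming_common.o roaming_client.o
 
 SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
+	audit.o audit-bsm.o audit-linux.o platform.o \
 	sshpty.o sshlogin.o servconf.o serverloop.o \
 	auth.o auth1.o auth2.o auth-options.o session.o \
 	auth-chall.o auth2-chall.o groupaccess.o \
@@ -90,7 +91,7 @@
 	auth-krb5.o \
 	auth2-gss.o gss-serv.o gss-serv-krb5.o \
 	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
-	audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \
+	sftp-server.o sftp-common.o \
 	roaming_common.o roaming_serv.o
 
 MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out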
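--- a/audit-bsm.c
+++ b/audit-bsm.c
@@ -305,13 +305,13 @@ audit_run_command(const char *command)
 }
 
 void
-audit_session_open(const char *ttyn)
+audit_session_open(struct logininfo *li)
 {
 	/* not implemented */
 }
 
 void
-audit_session_close(const char *ttyn)
+audit_session_close(struct logininfo *li)
 {
 	/* not implemented */
 }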
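--- a/audit-linux.c
+++ b/audit-linux.c
@@ -0,0 +1,120 @@
+/* $Id: audit-linux.c,v 1.1 jfch Exp $ */
+
+/*
+ * Copyright 2010 Red Hat, Inc.  All rights reserved.
+ * Use is subject to license terms.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * Red Hat author: Jan F. Chadima <jchadima@redhat.com>
+ */
+
+#include "includes.h"
+#if defined(USE_LINUX_AUDIT)
+#include <libaudit.h>
+#include <unistd.h>
+#include <string.h>
+
+#include "log.h"
+#include "audit.h"
+#include "canohost.h"
+
+const char* audit_username(void);
+
+int
+linux_audit_record_event(int uid, const char *username,
+    const char *hostname, const char *ip, const char *ttyn, int success)
+{
+	int audit_fd, rc, saved_errno;
+
+	audit_fd = audit_open();
+	if (audit_fd < 0) {
+		if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+		    errno == EAFNOSUPPORT)
+			return 1; /* No audit support in kernel */
+		else
+			return 0; /* Must prevent login */
+	}
+	rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
+	    NULL, "login", username ? username : "(unknown)",
+	    username == NULL ? uid : -1, hostname, ip, ttyn, success);
+	saved_errno = errno;
+	close(audit_fd);
+	errno = saved_errno;
+	return (rc >= 0);
+}
+
+/* Below is the sshd audit API code */
+
+void
+audit_connection_from(const char *host, int port)
+{
+}
+	/* not implemented */
+
+void
+audit_run_command(const char *command)
+{
+	/* not implemented */
+}
+
+void
+audit_session_open(struct logininfo *li)
+{
+	if (linux_audit_record_event(li->uid, NULL, li->hostname,
+	    NULL, li->line, 1) == 0)
+		fatal("linux_audit_write_entry failed: %s", strerror(errno));
+}
+
+void
+audit_session_close(struct logininfo *li)
+{
+	/* not implemented */
+}
+
+void
+audit_event(ssh_audit_event_t event)
+{
+	switch(event) {
+	case SSH_AUTH_SUCCESS:
+	case SSH_CONNECTION_CLOSE:
+	case SSH_NOLOGIN:
+	case SSH_LOGIN_EXCEED_MAXTRIES:
+	case SSH_LOGIN_ROOT_DENIED:
+		break;
+
+	case SSH_AUTH_FAIL_NONE:
+	case SSH_AUTH_FAIL_PASSWD:
+	case SSH_AUTH_FAIL_KBDINT:
+	case SSH_AUTH_FAIL_PUBKEY:
+	case SSH_AUTH_FAIL_HOSTBASED:
+	case SSH_AUTH_FAIL_GSSAPI:
+	case SSH_INVALID_USER:
+		linux_audit_record_event(-1, audit_username(), NULL,
+			get_remote_ipaddr(), "sshd", 0);
+		break;
+
+	default:
+		debug("%s: unhandled event %d", __func__, event);
+	}
+}
+
+#endif /* USE_LINUX_AUDIT */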
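Review bot: The return value of `linux_audit_record_event()` is discarded in the `SSH_AUTH_FAIL_*`/`SSH_INVALID_USER` branch of `audit_event()` (new lines 111-112), so a failed write of an authentication-failure record is silently lost, while the same failure in `audit_session_open()` is treated as fatal; at minimum wrap the call as `if (linux_audit_record_event(-1, audit_username(), NULL, get_remote_ipaddr(), "sshd", 0) == 0) error("linux_audit_record_event failed: %s", strerror(errno));` so the audit gap shows up in the sshd log. The `fatal()` at new line 84 names `linux_audit_write_entry`, which does not exist in this file; the message should name `linux_audit_record_event` so an operator reading the log lands on the right function. In `audit_connection_from()` (new lines 67-71) the `/* not implemented */` comment sits after the closing brace at file scope; move it inside the body to match `audit_run_command()`.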
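--- a/audit.c
+++ b/audit.c
@@ -147,9 +147,9 @@ audit_event(ssh_audit_event_t event)
  * within a single connection.
  */
 void
-audit_session_open(const char *ttyn)
+audit_session_open(struct logininfo *li)
 {
-	const char *t = ttyn ? ttyn : "(no tty)";
+	const char *t = li->line ? li->line : "(no tty)";
 
 	debug("audit session open euid %d user %s tty name %s", geteuid(),
 	    audit_username(), t);
@@ -163,9 +163,9 @@ audit_session_open(const char *ttyn)
  * within a single connection.
  */
 void
-audit_session_close(const char *ttyn)
+audit_session_close(struct logininfo *li)
 {
-	const char *t = ttyn ? ttyn : "(no tty)";
+	const char *t = li->line ? li->line : "(no tty)";
 
 	debug("audit session close euid %d user %s tty name %s", geteuid(),
 	    audit_username(), t);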
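Review bot: `li->line ? li->line : "(no tty)"` (new line 152, and again at new line 168 in the `audit_session_close` hunk) only reaches the `"(no tty)"` branch if `line` is a pointer; if `struct logininfo` in loginrec.h declares `line` as a `char` array, as it appears to, the test is always true, the fallback is dead code and compilers warn that the address of an array is never null. Test the string for emptiness instead, `const char *t = *li->line ? li->line : "(no tty)";`, in both functions. Both enclosing functions continue past the end of their hunks.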
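--- a/audit.h
+++ b/audit.h
@@ -26,6 +26,9 @@
 
 #ifndef _SSH_AUDIT_H
 # define _SSH_AUDIT_H
+
+#include "loginrec.h"
+
 enum ssh_audit_event_type {
 	SSH_LOGIN_EXCEED_MAXTRIES,
 	SSH_LOGIN_ROOT_DENIED,
@@ -46,8 +49,8 @@
 
 void	audit_connection_from(const char *, int);
 void	audit_event(ssh_audit_event_t);
-void	audit_session_open(const char *);
-void	audit_session_close(const char *);
+void	audit_session_open(struct logininfo *);
+void	audit_session_close(struct logininfo *);
 void	audit_run_command(const char *);
 ssh_audit_event_t audit_classify_auth(const char *);
 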
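Review bot: `#include "loginrec.h"` (new line 30) is pulled into audit.h only so the two prototypes at new lines 52-53 can name `struct logininfo *`; a forward declaration `struct logininfo;` in its place suffices for pointer parameters and keeps every includer of audit.h free of loginrec.h's dependencies, with the backends that dereference the struct (audit.c, audit-linux.c) including loginrec.h themselves. A one-line comment above the two prototypes stating which fields a backend may read from `li` (`line`, `uid`, `hostname` are the ones used in this patch) would document the new contract for future audit modules.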
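--- a/configure.ac
+++ b/configure.ac
@@ -1330,7 +1330,7 @@ int main(void)
 
 AUDIT_MODULE=none
 AC_ARG_WITH(audit,
-	[  --with-audit=module     Enable EXPERIMENTAL audit support (modules=debug,bsm)],
+	[  --with-audit=module     Enable audit support (modules=debug,bsm,linux)],
 	[
 	  AC_MSG_CHECKING(for supported audit module)
 	  case "$withval" in
@@ -1354,10 +1354,18 @@ AC_ARG_WITH(audit,
 		AC_CHECK_FUNCS(getaudit_addr aug_get_machine)
 		AC_DEFINE(USE_BSM_AUDIT, 1, [Use BSM audit module])
 		;;
+	  linux)
+		AC_MSG_RESULT(linux)
+		AUDIT_MODULE=linux
+		dnl    Checks for headers, libs and functions
+		AC_CHECK_HEADERS(libaudit.h)
+		SSHDLIBS="$SSHDLIBS -laudit"
+		AC_DEFINE(USE_LINUX_AUDIT, 1, [Use Linux audit module])
+		;;
 	  debug)
 		AUDIT_MODULE=debug
 		AC_MSG_RESULT(debug)
-		AC_DEFINE(SSH_AUDIT_EVENTS, 1, Use audit debugging module)
+		AC_DEFINE(SSH_AUDIT_EVENTS, 1, [Use audit debugging module])
 		;;
 	  no)
 		AC_MSG_RESULT(no)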
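Review bot: The `linux)` branch (new lines 1357-1364) runs `AC_CHECK_HEADERS(libaudit.h)` but never acts on the result, and appends `-laudit` to `SSHDLIBS` without checking that the library exists, so a host without the libaudit development files configures successfully with `USE_LINUX_AUDIT` defined and only fails later at compile or link time. Fail at configure time instead: `AC_CHECK_HEADER([libaudit.h], [], [AC_MSG_ERROR([libaudit.h not found])])` and `AC_CHECK_LIB([audit], [audit_open], [SSHDLIBS="$SSHDLIBS -laudit"], [AC_MSG_ERROR([libaudit not found])])`. The `dnl    Checks for headers, libs and functions` comment then describes what the branch actually does.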
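--- a/defines.h
+++ b/defines.h
@@ -566,6 +566,11 @@ struct winsize {
 # define CUSTOM_SSH_AUDIT_EVENTS
 #endif
 
+#ifdef USE_LINUX_AUDIT
+# define SSH_AUDIT_EVENTS
+# define CUSTOM_SSH_AUDIT_EVENTS
+#endif
+
 #if !defined(HAVE___func__) && defined(HAVE___FUNCTION__)
 #  define __func__ __FUNCTION__
 #elif !defined(HAVE___func__)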
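--- a/loginrec.c
+++ b/loginrec.c
@@ -468,9 +468,9 @@ login_write(struct logininfo *li)
 #endif
 #ifdef SSH_AUDIT_EVENTS
 	if (li->type == LTYPE_LOGIN)
-		audit_session_open(li->line);
+		audit_session_open(li);
 	else if (li->type == LTYPE_LOGOUT)
-		audit_session_close(li->line);
+		audit_session_close(li);
 #endif
 	return (0);
 }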