Bugzilla – Attachment 1981 Details for
Bug 1402
Support auditing through Linux Audit subsystem
[patch]
base linux audit support (combined #1934 and #1974)
openssh-linux-audit2.patch (text/plain), 10.26 KB, created by
Darren Tucker
on 2011-01-17 11:52:20 AEDT
Description:
base linux audit support (combined #1934 and #1974)
Filename:
MIME Type:
Creator:
Darren Tucker
Created:
2011-01-17 11:52:20 AEDT
Size:
10.26 KB
patch
obsolete
>Index: LICENCE
>===================================================================
>RCS file: /home/dtucker/openssh/cvs/openssh/LICENCE,v
>retrieving revision 1.23
>diff -u -p -r1.23 LICENCE
>--- LICENCE 12 Mar 2007 20:37:49 -0000 1.23
>+++ LICENCE 17 Jan 2011 00:37:12 -0000
>@@ -206,6 +206,7 @@ OpenSSH contains no GPL code.
> Sun Microsystems
> The SCO Group
> Daniel Walsh
>+ Red Hat, Inc
>
> * Redistribution and use in source and binary forms, with or without
> * modification, are permitted provided that the following conditions
>Index: Makefile.in
>===================================================================
>RCS file: /home/dtucker/openssh/cvs/openssh/Makefile.in,v
>retrieving revision 1.319
>diff -u -p -r1.319 Makefile.in
>--- Makefile.in 16 Jan 2011 07:28:10 -0000 1.319
>+++ Makefile.in 17 Jan 2011 00:33:15 -0000
>@@ -82,6 +82,7 @@ SSHOBJS= ssh.o readconf.o clientloop.o s
> roaming_common.o roaming_client.o
>
> SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
>+ audit.o audit-bsm.o audit-linux.o platform.o \
> sshpty.o sshlogin.o servconf.o serverloop.o \
> auth.o auth1.o auth2.o auth-options.o session.o \
> auth-chall.o auth2-chall.o groupaccess.o \
>@@ -91,7 +92,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
> auth-krb5.o \
> auth2-gss.o gss-serv.o gss-serv-krb5.o \
> loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
>- audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \
>+ sftp-server.o sftp-common.o \
> roaming_common.o roaming_serv.o
>
> MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
>Index: audit-bsm.c
>===================================================================
>RCS file: /home/dtucker/openssh/cvs/openssh/audit-bsm.c,v
>retrieving revision 1.6
>diff -u -p -r1.6 audit-bsm.c
>--- audit-bsm.c 25 Feb 2008 10:05:04 -0000 1.6
>+++ audit-bsm.c 17 Jan 2011 00:33:15 -0000
>@@ -305,13 +305,13 @@ audit_run_command(const char *command)
> }
>
> void
>-audit_session_open(const char *ttyn)
>+audit_session_open(struct logininfo *li)
> {
> /* not implemented */
> }
>
> void
>-audit_session_close(const char *ttyn)
>+audit_session_close(struct logininfo *li)
> {
> /* not implemented */
> }
>Index: audit-linux.c
>===================================================================
>RCS file: audit-linux.c
>diff -N audit-linux.c
>--- /dev/null 1 Jan 1970 00:00:00 -0000
>+++ audit-linux.c 17 Jan 2011 00:45:13 -0000
>@@ -0,0 +1,126 @@
>+/* $Id: audit-linux.c,v 1.1 jfch Exp $ */
>+
>+/*
>+ * Copyright 2010 Red Hat, Inc. All rights reserved.
>+ * Use is subject to license terms.
>+ *
>+ * Redistribution and use in source and binary forms, with or without
>+ * modification, are permitted provided that the following conditions
>+ * are met:
>+ * 1. Redistributions of source code must retain the above copyright
>+ * notice, this list of conditions and the following disclaimer.
>+ * 2. Redistributions in binary form must reproduce the above copyright
>+ * notice, this list of conditions and the following disclaimer in the
>+ * documentation and/or other materials provided with the distribution.
>+ *
>+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
>+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
>+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
>+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
>+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
>+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
>+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
>+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
>+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
>+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
>+ *
>+ * Red Hat author: Jan F.
Chadima <jchadima@redhat.com>
>+ */
>+
>+#include "includes.h"
>+#if defined(USE_LINUX_AUDIT)
>+#include <libaudit.h>
>+#include <unistd.h>
>+#include <string.h>
>+
>+#include "log.h"
>+#include "audit.h"
>+#include "canohost.h"
>+
>+const char* audit_username(void);
>+
>+int
>+linux_audit_record_event(int uid, const char *username,
>+ const char *hostname, const char *ip, const char *ttyn, int success)
>+{
>+ int audit_fd, rc, saved_errno;
>+
>+ audit_fd = audit_open();
>+ if (audit_fd < 0) {
>+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
>+ errno == EAFNOSUPPORT)
>+ return 1; /* No audit support in kernel */
>+ else
>+ return 0; /* Must prevent login */
>+ }
>+ rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
>+ NULL, "login", username ? username : "(unknown)",
>+ username == NULL ? uid : -1, hostname, ip, ttyn, success);
>+ saved_errno = errno;
>+ close(audit_fd);
>+ /*
>+ * Do not report error if the error is EPERM and sshd is run as non
>+ * root user.
>+ */
>+ if ((rc == -EPERM) && (geteuid() != 0))
>+ rc = 0;
>+ errno = saved_errno;
>+ return (rc >= 0);
>+}
>+
>+/* Below is the sshd audit API code */
>+
>+void
>+audit_connection_from(const char *host, int port)
>+{
>+}
>+ /* not implemented */
>+
>+void
>+audit_run_command(const char *command)
>+{
>+ /* not implemented */
>+}
>+
>+void
>+audit_session_open(struct logininfo *li)
>+{
>+ if (linux_audit_record_event(li->uid, NULL, li->hostname,
>+ NULL, li->line, 1) == 0)
>+ fatal("linux_audit_write_entry failed: %s", strerror(errno));
>+}
>+
>+void
>+audit_session_close(struct logininfo *li)
>+{
>+ /* not implemented */
>+}
>+
>+void
>+audit_event(ssh_audit_event_t event)
>+{
>+ switch(event) {
>+ case SSH_AUTH_SUCCESS:
>+ case SSH_CONNECTION_CLOSE:
>+ case SSH_NOLOGIN:
>+ case SSH_LOGIN_EXCEED_MAXTRIES:
>+ case SSH_LOGIN_ROOT_DENIED:
>+ break;
>+
>+ case SSH_AUTH_FAIL_NONE:
>+ case SSH_AUTH_FAIL_PASSWD:
>+ case SSH_AUTH_FAIL_KBDINT:
>+ case SSH_AUTH_FAIL_PUBKEY:
>+ case SSH_AUTH_FAIL_HOSTBASED:
>+ case SSH_AUTH_FAIL_GSSAPI:
>+ case SSH_INVALID_USER:
>+ linux_audit_record_event(-1, audit_username(), NULL,
>+ get_remote_ipaddr(), "sshd", 0);
>+ break;
>+
>+ default:
>+ debug("%s: unhandled event %d", __func__, event);
>+ }
>+}
>+
>+#endif /* USE_LINUX_AUDIT */
>Index: audit.c
>===================================================================
>RCS file: /home/dtucker/openssh/cvs/openssh/audit.c,v
>retrieving revision 1.5
>diff -u -p -r1.5 audit.c
>--- audit.c 1 Sep 2006 05:38:36 -0000 1.5
>+++ audit.c 17 Jan 2011 00:33:15 -0000
>@@ -147,9 +147,9 @@ audit_event(ssh_audit_event_t event)
> * within a single connection.
> */
> void
>-audit_session_open(const char *ttyn)
>+audit_session_open(struct logininfo *li)
> {
>- const char *t = ttyn ? ttyn : "(no tty)";
>+ const char *t = li->line ? li->line : "(no tty)";
>
> debug("audit session open euid %d user %s tty name %s", geteuid(),
> audit_username(), t);
>@@ -163,9 +163,9 @@ audit_session_open(const char *ttyn)
> * within a single connection.
> */
> void
>-audit_session_close(const char *ttyn)
>+audit_session_close(struct logininfo *li)
> {
>- const char *t = ttyn ? ttyn : "(no tty)";
>+ const char *t = li->line ? li->line : "(no tty)";
>
> debug("audit session close euid %d user %s tty name %s", geteuid(),
> audit_username(), t);
>Index: audit.h
>===================================================================
>RCS file: /home/dtucker/openssh/cvs/openssh/audit.h,v
>retrieving revision 1.3
>diff -u -p -r1.3 audit.h
>--- audit.h 5 Aug 2006 14:05:10 -0000 1.3
>+++ audit.h 17 Jan 2011 00:33:15 -0000
>@@ -26,6 +26,9 @@
>
> #ifndef _SSH_AUDIT_H
> # define _SSH_AUDIT_H
>+
>+#include "loginrec.h"
>+
> enum ssh_audit_event_type {
> SSH_LOGIN_EXCEED_MAXTRIES,
> SSH_LOGIN_ROOT_DENIED,
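Review bot: In `audit_event` (new file audit-linux.c) the return value of `linux_audit_record_event` is discarded for every `SSH_AUTH_FAIL_*` case and for `SSH_INVALID_USER`, so a failed-login record that could not be written is lost silently, while `audit_session_open` treats the same failure as fatal. At minimum the failure should be logged, e.g. `if (linux_audit_record_event(-1, audit_username(), NULL, get_remote_ipaddr(), "sshd", 0) == 0) error("%s: audit record failed: %s", __func__, strerror(errno));`. The first case group also writes nothing for `SSH_LOGIN_EXCEED_MAXTRIES`, `SSH_LOGIN_ROOT_DENIED` and `SSH_NOLOGIN`, which leaves those denials out of the audit trail; if that is intended, a comment saying so would help whoever later builds detections on these records. The `fatal()` text in `audit_session_open` names `linux_audit_write_entry`, a function this file does not define, and should name `linux_audit_record_event`.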
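Review bot: In audit.c, `li->line ? li->line : "(no tty)"` falls back only when `line` is a null pointer; if `line` is a fixed-size array inside `struct logininfo` (declared in loginrec.h, not shown on this page), the test is always true and a session without a tty is logged with an empty name. Testing the first byte lets the fallback fire: `const char *t = li->line[0] != '\0' ? li->line : "(no tty)";`. The same line appears in the `audit_session_close` hunk that follows, and both function bodies continue past their hunks.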
>@@ -46,8 +49,8 @@ typedef enum ssh_audit_event_type ssh_au
>
> void audit_connection_from(const char *, int);
> void audit_event(ssh_audit_event_t);
>-void audit_session_open(const char *);
>-void audit_session_close(const char *);
>+void audit_session_open(struct logininfo *);
>+void audit_session_close(struct logininfo *);
> void audit_run_command(const char *);
> ssh_audit_event_t audit_classify_auth(const char *);
>
>Index: configure.ac
>===================================================================
>RCS file: /home/dtucker/openssh/cvs/openssh/configure.ac,v
>retrieving revision 1.465
>diff -u -p -r1.465 configure.ac
>--- configure.ac 16 Jan 2011 07:28:12 -0000 1.465
>+++ configure.ac 17 Jan 2011 00:33:15 -0000
>@@ -1377,7 +1377,7 @@ int main(void)
>
> AUDIT_MODULE=none
> AC_ARG_WITH(audit,
>- [ --with-audit=module Enable EXPERIMENTAL audit support (modules=debug,bsm)],
>+ [ --with-audit=module Enable audit support (modules=debug,bsm,linux)],
> [
> AC_MSG_CHECKING(for supported audit module)
> case "$withval" in
>@@ -1401,10 +1401,18 @@ AC_ARG_WITH(audit,
> AC_CHECK_FUNCS(getaudit_addr aug_get_machine)
> AC_DEFINE(USE_BSM_AUDIT, 1, [Use BSM audit module])
> ;;
>+ linux)
>+ AC_MSG_RESULT(linux)
>+ AUDIT_MODULE=linux
>+ dnl Checks for headers, libs and functions
>+ AC_CHECK_HEADERS(libaudit.h)
>+ SSHDLIBS="$SSHDLIBS -laudit"
>+ AC_DEFINE(USE_LINUX_AUDIT, 1, [Use Linux audit module])
>+ ;;
> debug)
> AUDIT_MODULE=debug
> AC_MSG_RESULT(debug)
>- AC_DEFINE(SSH_AUDIT_EVENTS, 1, Use audit debugging module)
>+ AC_DEFINE(SSH_AUDIT_EVENTS, 1, [Use audit debugging module])
> ;;
> no)
> AC_MSG_RESULT(no)
>Index: defines.h
>===================================================================
>RCS file: /home/dtucker/openssh/cvs/openssh/defines.h,v
>retrieving revision 1.163
>diff -u -p -r1.163 defines.h
>--- defines.h 23 Nov 2010 23:50:05 -0000 1.163
>+++ defines.h 17 Jan 2011 00:33:15 -0000
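Review bot: The new `linux)` branch in configure.ac appends `-laudit` to `SSHDLIBS` and defines `USE_LINUX_AUDIT` whether or not `AC_CHECK_HEADERS(libaudit.h)` found the header, so a host without libaudit fails later at compile or link time instead of at configure. Making the check fatal gives a clear message: `AC_CHECK_HEADERS(libaudit.h, [], [AC_MSG_ERROR([libaudit.h not found, required for --with-audit=linux])])`. An `AC_CHECK_LIB` probe for the library before touching `SSHDLIBS` would serve the same purpose for the link step. The enclosing `case` starts and ends outside the hunk.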
>@@ -607,6 +607,11 @@ struct winsize {
> # define CUSTOM_SSH_AUDIT_EVENTS
> #endif
>
>+#ifdef USE_LINUX_AUDIT
>+# define SSH_AUDIT_EVENTS
>+# define CUSTOM_SSH_AUDIT_EVENTS
>+#endif
>+
> #if !defined(HAVE___func__) && defined(HAVE___FUNCTION__)
> # define __func__ __FUNCTION__
> #elif !defined(HAVE___func__)
>Index: loginrec.c
>===================================================================
>RCS file: /home/dtucker/openssh/cvs/openssh/loginrec.c,v
>retrieving revision 1.89
>diff -u -p -r1.89 loginrec.c
>--- loginrec.c 2 Jan 2011 10:44:00 -0000 1.89
>+++ loginrec.c 17 Jan 2011 00:33:15 -0000
>@@ -469,9 +469,9 @@ login_write(struct logininfo *li)
> #endif
> #ifdef SSH_AUDIT_EVENTS
> if (li->type == LTYPE_LOGIN)
>- audit_session_open(li->line);
>+ audit_session_open(li);
> else if (li->type == LTYPE_LOGOUT)
>- audit_session_close(li->line);
>+ audit_session_close(li);
> #endif
> return (0);
> }
Flags:
djm
:
ok+