Bugzilla – Attachment 754 Details for
Bug 125
add BSM audit support
[patch]
Use audit hooks in patch #753 for BSM auditting (work in progress)
openssh-audit-bsm.patch (text/plain), 13.77 KB, created by
Darren Tucker
on 2004-12-20 16:26:21 AEDT
Description:
Use audit hooks in patch #753 for BSM auditing (work in progress)
Filename:
MIME Type:
Creator:
Darren Tucker
Created:
2004-12-20 16:26:21 AEDT
Size:
13.77 KB
patch
obsolete
>Index: audit-bsm.c
>===================================================================
>RCS file: audit-bsm.c
>diff -N audit-bsm.c
>--- /dev/null 1 Jan 1970 00:00:00 -0000
>+++ audit-bsm.c 20 Dec 2004 05:05:21 -0000
>@@ -0,0 +1,324 @@
>+/* $Id$ */
>+
>+/*
>+ * TODO
>+ *
>+ * - deal with overlap between this and sys_auth_allowed_user
>+ * sys_auth_record_login and record_failed_login.
>+ *
>+ * - check the HAVE_GETAUDIT_ADDR replacement code for IPv6 safety.
>+ */
>+
>+/*
>+ * Copyright 1988-2002 Sun Microsystems, Inc. All rights reserved.
>+ * Use is subject to license terms.
>+ *
>+ *
>+ * Redistribution and use in source and binary forms, with or without
>+ * modification, are permitted provided that the following conditions
>+ * are met:
>+ * 1. Redistributions of source code must retain the above copyright
>+ * notice, this list of conditions and the following disclaimer.
>+ * 2. Redistributions in binary form must reproduce the above copyright
>+ * notice, this list of conditions and the following disclaimer in the
>+ * documentation and/or other materials provided with the distribution.
>+ *
>+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
>+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
>+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
>+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
>+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
>+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
>+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
>+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
>+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
>+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
>+ *
>+ */
>+/* #pragma ident "@(#)bsmaudit.c 1.1 01/09/17 SMI" */
>+
>+#include "includes.h"
>+#if defined(AUDIT_EVENTS) && defined(USE_BSM_AUDIT)
>+
>+#ifndef AUE_openssh
>+# define AUE_openssh 32800
>+#endif
>+
>+#include "ssh.h"
>+#include "log.h"
>+#include "auth.h"
>+#include "xmalloc.h"
>+#include "audit-bsm.h"
>+
>+#ifndef HAVE_GETTEXT
>+# define gettext(a) (a)
>+#endif
>+
>+extern Authctxt *the_authctxt;
>+
>+static char sav_ttyn[512];
>+static char sav_name[512];
>+static int sav_port = -1;
>+static uid_t sav_uid = -1;
>+static gid_t sav_gid = -1;
>+static uint32_t sav_machine[4] = { 0,0,0,0};
>+static uint32_t sav_iptype = 0;
>+static char sav_host[MAXHOSTNAMELEN];
>+static char *sav_cmd = NULL;
>+
>+void
>+audit_connection_from(const char *host, int port)
>+{
>+ int i;
>+#if !defined(HAVE_GETAUDIT_ADDR)
>+ in_addr_t ia;
>+#endif
>+
>+ if (cannot_audit(0))
>+ return;
>+
>+ /* save port */
>+ sav_port = port;
>+ debug3("BSM audit: sav_port=%d", sav_port);
>+
>+ /* save host */
>+ (void) strlcpy(sav_host, host, sizeof(sav_host));
>+ debug3("BSM audit: sav_host=%s", sav_host);
>+ memset(sav_machine, 0, sizeof(sav_machine));
>+#if defined(HAVE_GETAUDIT_ADDR)
>+ (void) aug_get_machine(sav_host, &sav_machine[0], &sav_iptype);
>+ debug3("BSM audit: sav_iptype=%ld", (long)sav_iptype);
>+#else
>+ ia = inet_addr(host);
>+ memcpy(&sav_machine[0], &ia, sizeof(sav_machine[0]));
>+ sav_iptype = 0; /* not used, but just in case */
>+#endif
>+ for (i = 0; i < sizeof(sav_machine) / sizeof(sav_machine[0]); i++) {
>+ debug3("BSM audit: sav_machine[%d]=%08lx",
>+ i, (long)sav_machine[i]);
>+ }
>+}
>+
>+void
>+audit_run_command(const char *command)
>+{
>+ if (cannot_audit(0))
>+ return;
>+
>+ if (sav_cmd != NULL) {
>+ free(sav_cmd);
>+ sav_cmd = NULL;
>+ }
>+ sav_cmd = xstrdup(command);
>+ debug3("BSM audit: sav_cmd=%s", sav_cmd);
>+}
>+
>+void
>+audit_save_ttyn(const char *ttyn)
>+{
>+ if (cannot_audit(0))
>+ return;
>+
>+ (void) strlcpy(sav_ttyn, ttyn, sizeof(sav_ttyn));
>+ debug3("BSM audit: sav_ttyn=%s", sav_ttyn);
>+}
>+
>+static void
>+solaris_audit_record(int typ, char *string, au_event_t event_no)
>+{
>+ int ad, rc, sel;
>+ uid_t uid;
>+ gid_t gid;
>+ pid_t pid;
>+ AuditInfoTermID tid;
>+
>+ uid = sav_uid;
>+ gid = sav_gid;
>+ pid = getpid();
>+
>+ get_terminal_id(&tid);
>+
>+ if (typ == 0)
>+ rc = 0;
>+ else
>+ rc = -1;
>+
>+ sel = selected(sav_name, uid, event_no, rc);
>+ debug3("BSM audit: typ %d rc %d \"%s\"", typ, rc, string);
>+ if (!sel)
>+ return;
>+
>+ ad = au_open();
>+
>+ (void) au_write(ad, AUToSubjectFunc(uid, uid, gid, uid, gid,
>+ pid, pid, &tid));
>+ (void) au_write(ad, au_to_text(string));
>+ if (sav_cmd != NULL) {
>+ (void) au_write(ad, au_to_text(sav_cmd));
>+ }
>+ (void) au_write(ad, AUToReturnFunc(typ, rc));
>+
>+ rc = au_close(ad, AU_TO_WRITE, event_no);
>+ if (rc < 0) {
>+ error("BSM audit: solaris_audit_record failed to write "
>+ "\"%s\" record: %s", string, strerror(errno));
>+ }
>+}
>+
>+static void
>+solaris_audit_session_setup(void)
>+{
>+ int rc;
>+ struct AuditInfoStruct info;
>+ au_mask_t mask;
>+ struct AuditInfoStruct now;
>+
>+ info.ai_auid = sav_uid;
>+ info.ai_asid = getpid();
>+ mask.am_success = 0;
>+ mask.am_failure = 0;
>+
>+ (void) au_user_mask(sav_name, &mask);
>+
>+ info.ai_mask.am_success = mask.am_success;
>+ info.ai_mask.am_failure = mask.am_failure;
>+
>+ /* see if terminal id already set */
>+ if (GetAuditFunc(&now, sizeof(now)) < 0) {
>+ error("BSM audit: solaris_audit_session_setup: %s failed: %s",
>+ GetAuditFuncText, strerror(errno));
>+ }
>+
>+ debug("BSM solaris_audit_setup_session: calling get_terminal_id");
>+ get_terminal_id(&(info.ai_termid));
>+
>+ rc = SetAuditFunc(&info, sizeof(info));
>+ if (rc < 0) {
>+ error("BSM audit: solaris_audit_session_setup: %s failed: %s",
>+ SetAuditFuncText, strerror(errno));
>+ }
>+}
>+
>+
>+static void
>+get_terminal_id(AuditInfoTermID *tid)
>+{
>+#if defined(HAVE_GETAUDIT_ADDR)
>+ tid->at_port = sav_port;
>+ tid->at_type = sav_iptype;
>+ tid->at_addr[0] = sav_machine[0];
>+ tid->at_addr[1] = sav_machine[1];
>+ tid->at_addr[2] = sav_machine[2];
>+ tid->at_addr[3] = sav_machine[3];
>+#else
>+ tid->port = sav_port;
>+ tid->machine = sav_machine[0];
>+#endif
>+}
>+
>+void
>+solaris_audit_bad_pw(const char *what)
>+{
>+ char textbuf[BSM_TEXTBUFSZ];
>+
>+ if (sav_uid == -1) {
>+ (void) snprintf(textbuf, sizeof (textbuf),
>+ gettext("invalid user name \"%s\""), sav_name);
>+ solaris_audit_record(3, textbuf, AUE_openssh);
>+ } else {
>+ (void) snprintf(textbuf, sizeof (textbuf),
>+ gettext("invalid %s for user %s"), what, sav_name);
>+ solaris_audit_record(4, textbuf, AUE_openssh);
>+ }
>+}
>+
>+void
>+audit_event(enum audit_event_type event)
>+{
>+ char textbuf[BSM_TEXTBUFSZ];
>+
>+ if (cannot_audit(0))
>+ return;
>+
>+ switch(event) {
>+ case LOGOUT:
>+ snprintf(textbuf, sizeof(textbuf),
>+ gettext("sshd logout %s"), sav_name);
>+ solaris_audit_record(0, textbuf, AUE_logout);
>+ break;
>+
>+ case NOLOGIN:
>+ solaris_audit_record(1,
>+ gettext("logins disabled by /etc/nologin"), AUE_openssh);
>+ break;
>+
>+ case LOGIN_EXCEED_MAXTRIES:
>+ snprintf(textbuf, sizeof(textbuf),
>+ gettext("too many tries for user %s"), sav_name);
>+ solaris_audit_record(1, textbuf, AUE_openssh);
>+ break;
>+
>+ case ROOT_NOT_CONSOLE:
>+ solaris_audit_record(2, gettext("not_console"), AUE_openssh);
>+ break;
>+
>+ case LOGIN_SUCCESS:
>+ solaris_audit_session_setup();
>+ snprintf(textbuf, sizeof(textbuf),
>+ gettext("successful login %s"), sav_name);
>+ solaris_audit_record(0, textbuf, AUE_openssh);
>+ break;
>+
>+ case LOGIN_FAIL_BADPW:
>+ solaris_audit_bad_pw("password");
>+ break;
>+
>+ case LOGIN_FAIL_KBDINT:
>+ solaris_audit_bad_pw("interactive password entry");
>+ break;
>+
>+ case AUTH_FAILED:
>+ solaris_audit_bad_pw("authorization");
>+ break;
>+
>+ case ILLEGAL_USER:
>+ /* not used */
>+ break;
>+ }
>+}
>+
>+static int
>+selected(char *nam, uid_t uid, au_event_t event, int sf)
>+{
>+ int rc, sorf;
>+ char naflags[512];
>+ struct au_mask mask;
>+
>+ mask.am_success = mask.am_failure = 0;
>+ if (uid < 0) {
>+ rc = getacna(naflags, 256); /* get non-attrib flags */
>+ if (rc == 0)
>+ (void) getauditflagsbin(naflags, &mask);
>+ } else {
>+ rc = au_user_mask(nam, &mask);
>+ }
>+
>+ if (sf == 0) {
>+ sorf = AU_PRS_SUCCESS;
>+ } else {
>+ sorf = AU_PRS_FAILURE;
>+ }
>+ rc = au_preselect(event, &mask, sorf, AU_PRS_REREAD);
>+
>+ return rc;
>+}
>+
>+# ifdef CUSTOM_FAILED_LOGIN
>+/* TODO */
>+void
>+record_failed_login(const char *user, const char *ttyname)
>+{
>+}
>+# endif
>+
>+#endif /* BSM */
>Index: audit-bsm.h
>===================================================================
>RCS file: audit-bsm.h
>diff -N audit-bsm.h
>--- /dev/null 1 Jan 1970 00:00:00 -0000
>+++ audit-bsm.h 1 Jun 2004 02:24:55 -0000
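Review bot: In `selected()` the test `if (uid < 0)` can never be true when `uid_t` is an unsigned type, which it is on the Solaris targets this file is built for, so the non-attributable-flags path through `getacna()` is dead and a failed login by an unknown user is preselected via `au_user_mask()` on whatever `sav_name` holds. `solaris_audit_bad_pw()` already tests the sentinel as `sav_uid == -1`; the same form belongs here, `if (uid == (uid_t)-1) {`, and the `getacna()` call should pass `sizeof(naflags)` rather than the literal 256 that disagrees with the 512-byte buffer. Nothing in this file assigns `sav_uid`, `sav_gid` or `sav_name` (and `the_authctxt` is declared extern but never read), so every record `solaris_audit_record()` writes currently carries uid/gid -1 and an empty user name; presumably that is the "work in progress" part, but it has to be wired to the authentication context before this lands, since an audit trail that cannot attribute successful logins to a user is worse than none. `au_open()`'s return value is also never checked, so a failed descriptor allocation is only noticed as an `au_close()` error after the `au_write()` calls have been issued against it.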
>@@ -0,0 +1,98 @@
>+/* $Id$ */
>+
>+/*
>+ * Copyright 1988-2002 Sun Microsystems, Inc. All rights reserved.
>+ * Use is subject to license terms.
>+ *
>+ *
>+ * Redistribution and use in source and binary forms, with or without
>+ * modification, are permitted provided that the following conditions
>+ * are met:
>+ * 1. Redistributions of source code must retain the above copyright
>+ * notice, this list of conditions and the following disclaimer.
>+ * 2. Redistributions in binary form must reproduce the above copyright
>+ * notice, this list of conditions and the following disclaimer in the
>+ * documentation and/or other materials provided with the distribution.
>+ *
>+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
>+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
>+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
>+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
>+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
>+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
>+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
>+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
>+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
>+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
>+ *
>+ */
>+/* #pragma ident "@(#)bsmaudit.c 1.1 01/09/17 SMI" */
>+
>+#include "includes.h"
>+#ifdef USE_BSM_AUDIT
>+
>+#define AUE_openssh 32800
>+
>+#include <bsm/audit.h>
>+#include <bsm/libbsm.h>
>+#include <bsm/audit_uevents.h>
>+#include <bsm/audit_record.h>
>+#include <locale.h>
>+
>+#if defined(HAVE_GETAUDIT_ADDR)
>+#define AuditInfoStruct auditinfo_addr
>+#define AuditInfoTermID au_tid_addr_t
>+#define GetAuditFunc(a,b) getaudit_addr((a),(b))
>+#define GetAuditFuncText "getaudit_addr"
>+#define SetAuditFunc(a,b) setaudit_addr((a),(b))
>+#define SetAuditFuncText "setaudit_addr"
>+#define AUToSubjectFunc au_to_subject_ex
>+#define AUToReturnFunc(a,b) au_to_return32((a), (int32_t)(b))
>+#else
>+#define AuditInfoStruct auditinfo
>+#define AuditInfoTermID au_tid_t
>+#define GetAuditFunc(a,b) getaudit(a)
>+#define GetAuditFuncText "getaudit"
>+#define SetAuditFunc(a,b) setaudit(a)
>+#define SetAuditFuncText "setaudit"
>+#define AUToSubjectFunc au_to_subject
>+#define AUToReturnFunc(a,b) au_to_return((a), (u_int)(b))
>+#endif
>+
>+static void solaris_audit_record(int typ, char *string, au_event_t event_no);
>+static void solaris_audit_session_setup(void);
>+static int selected(char *nam, uid_t uid, au_event_t event, int sf);
>+
>+static void get_terminal_id(AuditInfoTermID *tid);
>+
>+extern int cannot_audit(int);
>+extern void aug_init(void);
>+extern dev_t aug_get_port(void);
>+extern int aug_get_machine(char *, u_int32_t *, u_int32_t *);
>+extern void aug_save_auid(au_id_t);
>+extern void aug_save_uid(uid_t);
>+extern void aug_save_euid(uid_t);
>+extern void aug_save_gid(gid_t);
>+extern void aug_save_egid(gid_t);
>+extern void aug_save_pid(pid_t);
>+extern void aug_save_asid(au_asid_t);
>+extern void aug_save_tid(dev_t, unsigned int);
>+extern void aug_save_tid_ex(dev_t, u_int32_t *, u_int32_t);
>+extern int aug_save_me(void);
>+extern int aug_save_namask(void);
>+extern void aug_save_event(au_event_t);
>+extern void aug_save_sorf(int);
>+extern void aug_save_text(char *);
>+extern void aug_save_text1(char *);
>+extern void aug_save_text2(char *);
>+extern void aug_save_na(int);
>+extern void aug_save_user(char *);
>+extern void aug_save_path(char *);
>+extern int aug_save_policy(void);
>+extern void aug_save_afunc(int (*)(int));
>+extern int aug_audit(void);
>+extern int aug_na_selected(void);
>+extern int aug_selected(void);
>+extern int aug_daemon_session(void);
>+
>+#endif
>Index: LICENCE
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/LICENCE,v
>retrieving revision 1.17
>diff -u -p -r1.17 LICENCE
>--- LICENCE 5 Nov 2004 09:00:03 -0000 1.17
>+++ LICENCE 19 Dec 2004 00:42:44 -0000
>@@ -203,6 +203,7 @@ OpenSSH contains no GPL code.
> Wayne Schroeder
> William Jones
> Darren Tucker
>+ Sun Microsystems
> 
> * Redistribution and use in source and binary forms, with or without
> * modification, are permitted provided that the following conditions
>Index: README.platform
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/README.platform,v
>retrieving revision 1.2
>diff -u -p -r1.2 README.platform
>--- README.platform 23 Apr 2004 08:57:13 -0000 1.2
>+++ README.platform 26 Apr 2004 02:22:11 -0000
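Review bot: audit-bsm.h has no include guard and declares `solaris_audit_record`, `solaris_audit_session_setup`, `selected` and `get_terminal_id` as `static` prototypes; any translation unit other than audit-bsm.c that includes the header will get "declared static but never defined" warnings, and those four prototypes belong at the top of audit-bsm.c rather than in a shared header. `#define AUE_openssh 32800` is unconditional here while audit-bsm.c wraps the same value in `#ifndef AUE_openssh`, and the README.platform hunk in this same patch tells administrators to change it in `openbsd-compat/bsd-solaris.h`, a file the patch does not touch; pick one home for it, `#ifndef AUE_openssh` / `#define AUE_openssh 32800` / `#endif` in this header, and point the README at that, otherwise a locally changed value produces a conflicting macro redefinition rather than the intended override. Of the `aug_*` externs only `aug_get_machine` is referenced by audit-bsm.c; presumably `<bsm/libbsm.h>` already declares them (I cannot confirm from here), in which case the block can be reduced to the one declaration actually needed or dropped.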
>@@ -23,8 +23,20 @@ openssl-devel, zlib, minres, minires-dev
> 
> Solaris
> -------
>-Currently, sshd does not support BSM auditting. This can show up as errors
>-when editting cron entries via crontab. See.
>-http://bugzilla.mindrot.org/show_bug.cgi?id=125
>+If you enable BSM auditing on Solaris, you need to update audit_event(4)
>+for praudit(1m) to give sensible output. The following line needs to be
>+added to /etc/security/audit_event:
>+
>+ 32800:AUE_openssh:OpenSSH login:lo
>+
>+If the contrib/buildpkg.sh script is used, the included postinstall
>+script will add the line for you.
>+
>+The BSM audit event range available for third party TCB applications is
>+32768 - 65535. Event number 32800 has been choosen for AUE_openssh.
>+There is no official registry of 3rd party event numbers, so if this
>+number is already in use on your system, change the value of
>+AUE_openssh in openbsd-compat/bsd-solaris.h and rebuild.
>+
> 
> $Id: README.platform,v 1.2 2004/04/23 08:57:13 dtucker Exp $