Bugzilla – Attachment 1689 Details for
Bug 1642
Add user login auditing
Patch solving the problem
audit.patch (text/plain), 8.03 KB, created by
jchadima
on 2009-09-01 17:35:51 AEST
Description:
Patch solving the problem
jchadima
Created:
2009-09-01 17:35:51 AEST
Size:
8.03 KB
patch
obsolete
>diff -up openssh-5.2p1/auth.c.audit openssh-5.2p1/auth.c
>--- openssh-5.2p1/auth.c.audit 2008-11-05 06:12:54.000000000 +0100
>+++ openssh-5.2p1/auth.c 2009-08-09 09:22:23.634850536 +0200
>@@ -287,6 +287,12 @@ auth_log(Authctxt *authctxt, int authent
> get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
> # endif
> #endif
>+#if HAVE_LINUX_AUDIT
>+ if (authenticated == 0 && !authctxt->postponed) {
>+ linux_audit_record_event(-1, authctxt->user, NULL,
>+ get_remote_ipaddr(), "sshd", 0);
>+ }
>+#endif
> #ifdef SSH_AUDIT_EVENTS
> if (authenticated == 0 && !authctxt->postponed)
> audit_event(audit_classify_auth(method));
>@@ -533,6 +539,10 @@ getpwnamallow(const char *user)
> record_failed_login(user,
> get_canonical_hostname(options.use_dns), "ssh");
> #endif
>+#ifdef HAVE_LINUX_AUDIT
>+ linux_audit_record_event(-1, user, NULL, get_remote_ipaddr(),
>+ "sshd", 0);
>+#endif
> #ifdef SSH_AUDIT_EVENTS
> audit_event(SSH_INVALID_USER);
> #endif /* SSH_AUDIT_EVENTS */
>diff -up openssh-5.2p1/config.h.in.audit openssh-5.2p1/config.h.in
>--- openssh-5.2p1/config.h.in.audit 2009-02-23 01:18:12.000000000 +0100
>+++ openssh-5.2p1/config.h.in 2009-08-09 09:22:28.825939998 +0200
>@@ -1,5 +1,8 @@
> /* config.h.in. Generated from configure.ac by autoheader. */
> 
>+/* Define if building universal (internal helper macro) */
>+#undef AC_APPLE_UNIVERSAL_BUILD
>+
> /* Define if you have a getaddrinfo that fails for the all-zeros IPv6 address
> */
> #undef AIX_GETNAMEINFO_HACK
>@@ -521,6 +524,9 @@
> /* Define to 1 if you have the <lastlog.h> header file. */
> #undef HAVE_LASTLOG_H
> 
>+/* Define to 1 if you have the <libaudit.h> header file. */
>+#undef HAVE_LIBAUDIT_H
>+
> /* Define to 1 if you have the `bsm' library (-lbsm). */
> #undef HAVE_LIBBSM 
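Review bot: The guard added in auth_log is `#if HAVE_LINUX_AUDIT`, while the getpwnamallow hunk below it, loginrec.c and loginrec.h all use `#ifdef HAVE_LINUX_AUDIT`; with the `#undef HAVE_LINUX_AUDIT` template in config.h.in the `#if` form still evaluates to 0, but it trips -Wundef and the two spellings should agree, so change it to `#ifdef HAVE_LINUX_AUDIT`. In both auth.c hunks the result of linux_audit_record_event() is discarded, although the callee distinguishes "no audit support in kernel" (returns 1) from "audit failure, must prevent login" (returns 0) and login_write treats the latter as fatal; for these failed-login and invalid-user records ignoring it is presumably intended, but that decision should be visible, e.g. `/* the login is already denied; an audit write error is not fatal here */`. auth_log and getpwnamallow both begin outside their hunks.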
> 
>@@ -560,6 +566,9 @@
> /* Define to 1 if you have the <limits.h> header file. */
> #undef HAVE_LIMITS_H
> 
>+/* Define if you want Linux audit support. */
>+#undef HAVE_LINUX_AUDIT
>+
> /* Define to 1 if you have the <linux/if_tun.h> header file. */
> #undef HAVE_LINUX_IF_TUN_H
> 
>@@ -756,6 +765,9 @@
> /* Define to 1 if you have the `setgroups' function. */
> #undef HAVE_SETGROUPS
> 
>+/* Define to 1 if you have the `setkeycreatecon' function. */
>+#undef HAVE_SETKEYCREATECON
>+
> /* Define to 1 if you have the `setlogin' function. */
> #undef HAVE_SETLOGIN
> 
>@@ -1330,6 +1342,10 @@
> /* Prepend the address family to IP tunnel traffic */
> #undef SSH_TUN_PREPEND_AF
> 
>+/* Define to your vendor patch level, if it has been modified from the
>+ upstream source release. */
>+#undef SSH_VENDOR_PATCHLEVEL
>+
> /* Define to 1 if you have the ANSI C header files. */
> #undef STDC_HEADERS
> 
>@@ -1397,9 +1413,17 @@
> /* Define if you want SELinux support. */
> #undef WITH_SELINUX
> 
>-/* Define to 1 if your processor stores words with the most significant byte
>- first (like Motorola and SPARC, unlike Intel and VAX). */
>-#undef WORDS_BIGENDIAN
>+/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
>+ significant byte first (like Motorola and SPARC, unlike Intel). */
>+#if defined AC_APPLE_UNIVERSAL_BUILD
>+# if defined __BIG_ENDIAN__
>+# define WORDS_BIGENDIAN 1
>+# endif
>+#else
>+# ifndef WORDS_BIGENDIAN
>+# undef WORDS_BIGENDIAN
>+# endif
>+#endif
> 
> /* Define if xauth is found in your path */
> #undef XAUTH_PATH
>diff -up openssh-5.2p1/configure.ac.audit openssh-5.2p1/configure.ac
>--- openssh-5.2p1/configure.ac.audit 2009-08-09 09:22:23.608877833 +0200
>+++ openssh-5.2p1/configure.ac 2009-08-09 09:22:23.646244409 +0200 
>@@ -3342,6 +3342,18 @@ AC_ARG_WITH(selinux,
> fi ]
> )
> 
>+# Check whether user wants Linux audit support
>+LINUX_AUDIT_MSG="no"
>+AC_ARG_WITH(linux-audit,
>+ [ --with-linux-audit Enable Linux audit support],
>+ [ if test "x$withval" != "xno" ; then
>+ AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.])
>+ LINUX_AUDIT_MSG="yes"
>+ AC_CHECK_HEADERS(libaudit.h)
>+ SSHDLIBS="$SSHDLIBS -laudit"
>+ fi ]
>+)
>+
> # Check whether user wants Kerberos 5 support
> KRB5_MSG="no"
> AC_ARG_WITH(kerberos5,
>@@ -4170,6 +4182,7 @@ echo " PAM support
> echo " OSF SIA support: $SIA_MSG"
> echo " KerberosV support: $KRB5_MSG"
> echo " SELinux support: $SELINUX_MSG"
>+echo " Linux audit support: $LINUX_AUDIT_MSG"
> echo " Smartcard support: $SCARD_MSG"
> echo " S/KEY support: $SKEY_MSG"
> echo " TCP Wrappers support: $TCPW_MSG"
>diff -up openssh-5.2p1/loginrec.c.audit openssh-5.2p1/loginrec.c
>--- openssh-5.2p1/loginrec.c.audit 2009-02-12 03:12:22.000000000 +0100
>+++ openssh-5.2p1/loginrec.c 2009-08-09 09:22:23.667199702 +0200
>@@ -176,6 +176,10 @@
> #include "auth.h"
> #include "buffer.h"
> 
>+#ifdef HAVE_LINUX_AUDIT
>+# include <libaudit.h>
>+#endif
>+
> #ifdef HAVE_UTIL_H
> # include <util.h>
> #endif
>@@ -202,6 +206,9 @@ int utmp_write_entry(struct logininfo *l
> int utmpx_write_entry(struct logininfo *li);
> int wtmp_write_entry(struct logininfo *li);
> int wtmpx_write_entry(struct logininfo *li);
>+#ifdef HAVE_LINUX_AUDIT
>+int linux_audit_write_entry(struct logininfo *li);
>+#endif
> int lastlog_write_entry(struct logininfo *li);
> int syslogin_write_entry(struct logininfo *li);
> 
>@@ -440,6 +447,10 @@ login_write(struct logininfo *li)
> 
> /* set the timestamp */
> login_set_current_time(li);
>+#ifdef HAVE_LINUX_AUDIT
>+ if (linux_audit_write_entry(li) == 0)
>+ fatal("linux_audit_write_entry failed: %s", strerror(errno));
>+#endif
> #ifdef USE_LOGIN
> syslogin_write_entry(li);
> #endif 
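Review bot: `AC_CHECK_HEADERS(libaudit.h)` in the new --with-linux-audit block only records HAVE_LIBAUDIT_H, which nothing consults, and `-laudit` is appended to SSHDLIBS without checking that the library links, so a host without audit development files passes configure and fails only when loginrec.c reaches `#include <libaudit.h>`. Fail at configure time instead: `AC_CHECK_HEADER([libaudit.h], [], [AC_MSG_ERROR([libaudit.h not found, required for --with-linux-audit])])` and `AC_CHECK_LIB([audit], [audit_open], [SSHDLIBS="$SSHDLIBS -laudit"], [AC_MSG_ERROR([libaudit not found, required for --with-linux-audit])])`. Separately, the config.h.in hunks carry autoheader regeneration churn unrelated to this feature (AC_APPLE_UNIVERSAL_BUILD, HAVE_SETKEYCREATECON, SSH_VENDOR_PATCHLEVEL, the WORDS_BIGENDIAN block); a patch that only adds the audit option should leave those out.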
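Review bot: The guard added to login_write makes any audit failure fatal for the session, which matches the `/* Must prevent login */` comment in linux_audit_record_event but is a deliberate policy choice at a call site where the neighbouring `syslogin_write_entry(li)` result is ignored; state it, e.g. `/* audit failure must abort the login, unlike the other backends */`. The `strerror(errno)` in the fatal() message is only meaningful on the audit_open/audit_log_user_message paths; the `default:` branch of linux_audit_write_entry returns 0 without touching errno, so an unexpected li->type would report a stale error string. login_write begins outside the hunk.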
>@@ -1394,6 +1405,87 @@ wtmpx_get_entry(struct logininfo *li)
> }
> #endif /* USE_WTMPX */
> 
>+#ifdef HAVE_LINUX_AUDIT
>+static void
>+_audit_hexscape(const char *what, char *where, unsigned int size)
>+{
>+ const char *ptr = what;
>+ const char *hex = "0123456789ABCDEF";
>+
>+ while (*ptr) {
>+ if (*ptr == '"' || *ptr < 0x21 || *ptr > 0x7E) {
>+ unsigned int i;
>+ ptr = what;
>+ for (i = 0; *ptr && i+2 < size; i += 2) {
>+ where[i] = hex[((unsigned)*ptr & 0xF0)>>4]; /* Upper nibble */
>+ where[i+1] = hex[(unsigned)*ptr & 0x0F]; /* Lower nibble */
>+ ptr++;
>+ }
>+ where[i] = '\0';
>+ return;
>+ }
>+ ptr++;
>+ }
>+ where[0] = '"';
>+ if ((unsigned)(ptr - what) < size - 3)
>+ {
>+ size = ptr - what + 3;
>+ }
>+ strncpy(where + 1, what, size - 3);
>+ where[size-2] = '"';
>+ where[size-1] = '\0';
>+}
>+
>+#define AUDIT_LOG_SIZE 128
>+#define AUDIT_ACCT_SIZE (AUDIT_LOG_SIZE - 8)
>+
>+int
>+linux_audit_record_event(int uid, const char *username,
>+ const char *hostname, const char *ip, const char *ttyn, int success)
>+{
>+ char buf[AUDIT_LOG_SIZE];
>+ int audit_fd, rc;
>+
>+ audit_fd = audit_open();
>+ if (audit_fd < 0) {
>+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
>+ errno == EAFNOSUPPORT)
>+ return 1; /* No audit support in kernel */
>+ else
>+ return 0; /* Must prevent login */
>+ }
>+ if (username == NULL)
>+ snprintf(buf, sizeof(buf), "uid=%d", uid);
>+ else {
>+ char encoded[AUDIT_ACCT_SIZE];
>+ _audit_hexscape(username, encoded, sizeof(encoded));
>+ snprintf(buf, sizeof(buf), "acct=%s", encoded);
>+ }
>+ rc = audit_log_user_message(audit_fd, AUDIT_USER_LOGIN,
>+ buf, hostname, ip, ttyn, success);
>+ close(audit_fd);
>+ if (rc >= 0)
>+ return 1;
>+ else
>+ return 0;
>+}
>+
>+int
>+linux_audit_write_entry(struct logininfo *li)
>+{
>+ switch(li->type) {
>+ case LTYPE_LOGIN:
>+ return (linux_audit_record_event(li->uid, NULL, li->hostname,
>+ NULL, li->line, 1));
>+ case LTYPE_LOGOUT:
>+ return (1); /* We only care about logins */
>+ default:
>+ logit("%s: 
invalid type field", __func__);
>+ return (0);
>+ }
>+}
>+#endif /* HAVE_LINUX_AUDIT */
>+
> /**
> ** Low-level libutil login() functions
> **/
>diff -up openssh-5.2p1/loginrec.h.audit openssh-5.2p1/loginrec.h
>--- openssh-5.2p1/loginrec.h.audit 2006-08-05 04:39:40.000000000 +0200
>+++ openssh-5.2p1/loginrec.h 2009-08-09 09:22:23.641175349 +0200
>@@ -127,5 +127,9 @@ char *line_stripname(char *dst, const ch
> char *line_abbrevname(char *dst, const char *src, int dstsize);
> 
> void record_failed_login(const char *, const char *, const char *);
>+#ifdef HAVE_LINUX_AUDIT
>+int linux_audit_record_event(int uid, const char *username,
>+ const char *hostname, const char *ip, const char *ttyn, int success);
>+#endif /* HAVE_LINUX_AUDIT */
> 
> #endif /* _HAVE_LOGINREC_H_ */
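Review bot: In linux_audit_record_event the `close(audit_fd)` between audit_log_user_message and the return can overwrite errno, so the `strerror(errno)` that login_write prints on the 0 return may describe the close rather than the audit failure; save errno before closing, and since the descriptor came from audit_open() the matching libaudit call is audit_close(). _audit_hexscape silently truncates names that do not fit its buffer (by my count 59 bytes in the hex path and size-3 bytes in the quoted path with AUDIT_ACCT_SIZE 120) and relies on size >= 3 because `size - 3` is unsigned; put that contract on the function, e.g. `/* size must be >= 3; names that do not fit are truncated, never overflowed */`. A file-scope name beginning with an underscore is reserved in C, so the static should simply be `audit_hexscape`. The escaping is what keeps a client-supplied user name from placing quotes or control bytes into the AUDIT_USER_LOGIN record, which makes the truncation limit worth stating near AUDIT_ACCT_SIZE as well.
```c
	int audit_fd, rc, saved_errno;
	/* … unchanged: audit_open(), uid/acct formatting into buf … */
	rc = audit_log_user_message(audit_fd, AUDIT_USER_LOGIN,
	    buf, hostname, ip, ttyn, success);
	saved_errno = errno;
	audit_close(audit_fd);
	if (rc >= 0)
		return 1;
	errno = saved_errno;	/* caller reports the audit error, not close() */
	return 0;
```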