Attachment 1689 Details for Bug 1642 – Patch solving the problem

[patch] Patch solving the problem

audit.patch (text/plain), 8.03 KB, created by jchadima on 2009-09-01 17:35:51 AEST

(hide)

Description:

Filename:

MIME Type:

Creator: jchadima

Created: 2009-09-01 17:35:51 AEST

Size: 8.03 KB

patch

obsolete

>diff -up openssh-5.2p1/auth.c.audit openssh-5.2p1/auth.c
>--- openssh-5.2p1/auth.c.audit	2008-11-05 06:12:54.000000000 +0100
>+++ openssh-5.2p1/auth.c	2009-08-09 09:22:23.634850536 +0200
>@@ -287,6 +287,12 @@ auth_log(Authctxt *authctxt, int authent
> 		    get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
> # endif
> #endif
>+#if HAVE_LINUX_AUDIT
>+	if (authenticated == 0 && !authctxt->postponed) {
>+		linux_audit_record_event(-1, authctxt->user, NULL,
>+			get_remote_ipaddr(), "sshd", 0);
>+	}
>+#endif
> #ifdef SSH_AUDIT_EVENTS
> 	if (authenticated == 0 && !authctxt->postponed)
> 		audit_event(audit_classify_auth(method));
>@@ -533,6 +539,10 @@ getpwnamallow(const char *user)
> 		record_failed_login(user,
> 		    get_canonical_hostname(options.use_dns), "ssh");
> #endif
>+#ifdef HAVE_LINUX_AUDIT
>+		linux_audit_record_event(-1, user, NULL, get_remote_ipaddr(),
>+			"sshd", 0);
>+#endif
> #ifdef SSH_AUDIT_EVENTS
> 		audit_event(SSH_INVALID_USER);
> #endif /* SSH_AUDIT_EVENTS */
>diff -up openssh-5.2p1/config.h.in.audit openssh-5.2p1/config.h.in
>--- openssh-5.2p1/config.h.in.audit	2009-02-23 01:18:12.000000000 +0100
>+++ openssh-5.2p1/config.h.in	2009-08-09 09:22:28.825939998 +0200
>@@ -1,5 +1,8 @@
> /* config.h.in.  Generated from configure.ac by autoheader.  */
> 
>+/* Define if building universal (internal helper macro) */
>+#undef AC_APPLE_UNIVERSAL_BUILD
>+
> /* Define if you have a getaddrinfo that fails for the all-zeros IPv6 address
>    */
> #undef AIX_GETNAMEINFO_HACK
>@@ -521,6 +524,9 @@
> /* Define to 1 if you have the <lastlog.h> header file. */
> #undef HAVE_LASTLOG_H
> 
>+/* Define to 1 if you have the <libaudit.h> header file. */
>+#undef HAVE_LIBAUDIT_H
>+
> /* Define to 1 if you have the `bsm' library (-lbsm). */
> #undef HAVE_LIBBSM
> 
>@@ -560,6 +566,9 @@
> /* Define to 1 if you have the <limits.h> header file. */
> #undef HAVE_LIMITS_H
> 
>+/* Define if you want Linux audit support. */
>+#undef HAVE_LINUX_AUDIT
>+
> /* Define to 1 if you have the <linux/if_tun.h> header file. */
> #undef HAVE_LINUX_IF_TUN_H
> 
>@@ -756,6 +765,9 @@
> /* Define to 1 if you have the `setgroups' function. */
> #undef HAVE_SETGROUPS
> 
>+/* Define to 1 if you have the `setkeycreatecon' function. */
>+#undef HAVE_SETKEYCREATECON
>+
> /* Define to 1 if you have the `setlogin' function. */
> #undef HAVE_SETLOGIN
> 
>@@ -1330,6 +1342,10 @@
> /* Prepend the address family to IP tunnel traffic */
> #undef SSH_TUN_PREPEND_AF
> 
>+/* Define to your vendor patch level, if it has been modified from the
>+   upstream source release. */
>+#undef SSH_VENDOR_PATCHLEVEL
>+
> /* Define to 1 if you have the ANSI C header files. */
> #undef STDC_HEADERS
> 
>@@ -1397,9 +1413,17 @@
> /* Define if you want SELinux support. */
> #undef WITH_SELINUX
> 
>-/* Define to 1 if your processor stores words with the most significant byte
>-   first (like Motorola and SPARC, unlike Intel and VAX). */
>-#undef WORDS_BIGENDIAN
>+/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
>+   significant byte first (like Motorola and SPARC, unlike Intel). */
>+#if defined AC_APPLE_UNIVERSAL_BUILD
>+# if defined __BIG_ENDIAN__
>+#  define WORDS_BIGENDIAN 1
>+# endif
>+#else
>+# ifndef WORDS_BIGENDIAN
>+#  undef WORDS_BIGENDIAN
>+# endif
>+#endif
> 
> /* Define if xauth is found in your path */
> #undef XAUTH_PATH
>diff -up openssh-5.2p1/configure.ac.audit openssh-5.2p1/configure.ac
>--- openssh-5.2p1/configure.ac.audit	2009-08-09 09:22:23.608877833 +0200
>+++ openssh-5.2p1/configure.ac	2009-08-09 09:22:23.646244409 +0200
>@@ -3342,6 +3342,18 @@ AC_ARG_WITH(selinux,
> 	fi ]
> )
> 
>+# Check whether user wants Linux audit support
>+LINUX_AUDIT_MSG="no"
>+AC_ARG_WITH(linux-audit,
>+	[  --with-linux-audit   Enable Linux audit support],
>+	[ if test "x$withval" != "xno" ; then
>+		AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.])
>+		LINUX_AUDIT_MSG="yes"
>+		AC_CHECK_HEADERS(libaudit.h)
>+		SSHDLIBS="$SSHDLIBS -laudit"
>+	fi ]
>+)
>+
> # Check whether user wants Kerberos 5 support
> KRB5_MSG="no"
> AC_ARG_WITH(kerberos5,
>@@ -4170,6 +4182,7 @@ echo "                       PAM support
> echo "                   OSF SIA support: $SIA_MSG"
> echo "                 KerberosV support: $KRB5_MSG"
> echo "                   SELinux support: $SELINUX_MSG"
>+echo "               Linux audit support: $LINUX_AUDIT_MSG"
> echo "                 Smartcard support: $SCARD_MSG"
> echo "                     S/KEY support: $SKEY_MSG"
> echo "              TCP Wrappers support: $TCPW_MSG"
>diff -up openssh-5.2p1/loginrec.c.audit openssh-5.2p1/loginrec.c
>--- openssh-5.2p1/loginrec.c.audit	2009-02-12 03:12:22.000000000 +0100
>+++ openssh-5.2p1/loginrec.c	2009-08-09 09:22:23.667199702 +0200
>@@ -176,6 +176,10 @@
> #include "auth.h"
> #include "buffer.h"
> 
>+#ifdef HAVE_LINUX_AUDIT
>+# include <libaudit.h>
>+#endif
>+
> #ifdef HAVE_UTIL_H
> # include <util.h>
> #endif
>@@ -202,6 +206,9 @@ int utmp_write_entry(struct logininfo *l
> int utmpx_write_entry(struct logininfo *li);
> int wtmp_write_entry(struct logininfo *li);
> int wtmpx_write_entry(struct logininfo *li);
>+#ifdef HAVE_LINUX_AUDIT
>+int linux_audit_write_entry(struct logininfo *li);
>+#endif
> int lastlog_write_entry(struct logininfo *li);
> int syslogin_write_entry(struct logininfo *li);
> 
>@@ -440,6 +447,10 @@ login_write(struct logininfo *li)
> 
> 	/* set the timestamp */
> 	login_set_current_time(li);
>+#ifdef HAVE_LINUX_AUDIT
>+	if (linux_audit_write_entry(li) == 0)
>+		fatal("linux_audit_write_entry failed: %s", strerror(errno));
>+#endif
> #ifdef USE_LOGIN
> 	syslogin_write_entry(li);
> #endif
>@@ -1394,6 +1405,87 @@ wtmpx_get_entry(struct logininfo *li)
> }
> #endif /* USE_WTMPX */
> 
>+#ifdef HAVE_LINUX_AUDIT
>+static void
>+_audit_hexscape(const char *what, char *where, unsigned int size)
>+{
>+	const char *ptr = what;
>+	const char *hex = "0123456789ABCDEF";
>+
>+	while (*ptr) {
>+		if (*ptr == '"' || *ptr < 0x21 || *ptr > 0x7E) {
>+			unsigned int i;
>+			ptr = what;
>+			for (i = 0; *ptr && i+2 < size; i += 2) {
>+				where[i] = hex[((unsigned)*ptr & 0xF0)>>4]; /* Upper nibble */
>+				where[i+1] = hex[(unsigned)*ptr & 0x0F];   /* Lower nibble */
>+				ptr++;
>+			}
>+			where[i] = '\0';
>+			return;
>+		}
>+		ptr++;
>+	}
>+	where[0] = '"';
>+	if ((unsigned)(ptr - what) < size - 3)
>+	{
>+		size = ptr - what + 3;
>+	}
>+	strncpy(where + 1, what, size - 3);
>+	where[size-2] = '"';
>+	where[size-1] = '\0';
>+}
>+
>+#define AUDIT_LOG_SIZE 128
>+#define AUDIT_ACCT_SIZE (AUDIT_LOG_SIZE - 8)
>+
>+int
>+linux_audit_record_event(int uid, const char *username,
>+	const char *hostname, const char *ip, const char *ttyn, int success)
>+{
>+	char buf[AUDIT_LOG_SIZE];
>+	int audit_fd, rc;
>+
>+	audit_fd = audit_open();
>+	if (audit_fd < 0) {
>+	 	if (errno == EINVAL || errno == EPROTONOSUPPORT ||
>+					errno == EAFNOSUPPORT)
>+			return 1; /* No audit support in kernel */
>+		else
>+			return 0; /* Must prevent login */
>+	}
>+	if (username == NULL)
>+		snprintf(buf, sizeof(buf), "uid=%d", uid);
>+	else {
>+		char encoded[AUDIT_ACCT_SIZE];
>+		_audit_hexscape(username, encoded, sizeof(encoded));
>+		snprintf(buf, sizeof(buf), "acct=%s", encoded);
>+	}
>+	rc = audit_log_user_message(audit_fd, AUDIT_USER_LOGIN,
>+		buf, hostname, ip, ttyn, success);
>+	close(audit_fd);
>+	if (rc >= 0)
>+		return 1;
>+	else
>+		return 0;
>+}
>+
>+int
>+linux_audit_write_entry(struct logininfo *li)
>+{
>+	switch(li->type) {
>+	case LTYPE_LOGIN:
>+		return (linux_audit_record_event(li->uid, NULL, li->hostname,
>+			NULL, li->line, 1));
>+	case LTYPE_LOGOUT:
>+		return (1);	/* We only care about logins */
>+	default:
>+		logit("%s: invalid type field", __func__);
>+		return (0);
>+	}
>+}
>+#endif /* HAVE_LINUX_AUDIT */
>+
> /**
>  ** Low-level libutil login() functions
>  **/
>diff -up openssh-5.2p1/loginrec.h.audit openssh-5.2p1/loginrec.h
>--- openssh-5.2p1/loginrec.h.audit	2006-08-05 04:39:40.000000000 +0200
>+++ openssh-5.2p1/loginrec.h	2009-08-09 09:22:23.641175349 +0200
>@@ -127,5 +127,9 @@ char *line_stripname(char *dst, const ch
> char *line_abbrevname(char *dst, const char *src, int dstsize);
> 
> void record_failed_login(const char *, const char *, const char *);
>+#ifdef HAVE_LINUX_AUDIT
>+int linux_audit_record_event(int uid, const char *username,
>+	const char *hostname, const char *ip, const char *ttyn, int success);
>+#endif /* HAVE_LINUX_AUDIT */
> 
> #endif /* _HAVE_LOGINREC_H_ */

Actions: View | Diff

Attachments on bug 1642: 1689