Attachment 753 Details for Bug 125 – Add intrumentation for audit to sshd (still work in progress).

[patch] Add intrumentation for audit to sshd (still work in progress).

openssh-audit-base.patch (text/plain), 17.85 KB, created by Darren Tucker on 2004-12-20 16:24:32 AEDT

(hide)

Description:

Filename:

MIME Type:

Creator: Darren Tucker

Created: 2004-12-20 16:24:32 AEDT

Size: 17.85 KB

patch

obsolete

>Index: Makefile.in
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/Makefile.in,v
>retrieving revision 1.266
>diff -u -p -r1.266 Makefile.in
>--- Makefile.in	7 Nov 2004 09:14:34 -0000	1.266
>+++ Makefile.in	20 Dec 2004 02:59:28 -0000
>@@ -85,7 +85,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
> 	monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \
> 	auth-krb5.o \
> 	auth2-gss.o gss-serv.o gss-serv-krb5.o \
>-	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o
>+	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o audit.o \
>+	audit-bsm.o
> 
> MANPAGES	= scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
> MANPAGES_IN	= scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5
>Index: auth.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth.c,v
>retrieving revision 1.89
>diff -u -p -r1.89 auth.c
>--- auth.c	12 Aug 2004 12:40:25 -0000	1.89
>+++ auth.c	20 Dec 2004 04:28:52 -0000
>@@ -240,8 +240,14 @@ auth_log(Authctxt *authctxt, int authent
> 	    info);
> 
> #ifdef CUSTOM_FAILED_LOGIN
>-	if (authenticated == 0 && strcmp(method, "password") == 0)
>-		record_failed_login(authctxt->user, "ssh");
>+	if (authenticated == 0) {
>+		if  (strcmp(method, "password") == 0) {
>+			record_failed_login(authctxt->user, "ssh");
>+			audit_event(LOGIN_FAIL_BADPW);
>+		} else if (strcmp(method, "keyboard-interactive") == 0) {
>+			audit_event(LOGIN_FAIL_KBDINT);
>+		}
>+	}
> #endif
> }
> 
>Index: auth.h
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth.h,v
>retrieving revision 1.63
>diff -u -p -r1.63 auth.h
>--- auth.h	11 Sep 2004 13:07:03 -0000	1.63
>+++ auth.h	20 Dec 2004 03:14:50 -0000
>@@ -130,6 +130,7 @@ int auth_shadow_pwexpired(Authctxt *);
> #endif
> 
> #include "auth-pam.h"
>+#include "audit.h"
> void disable_forwarding(void);
> 
> void	do_authentication(Authctxt *);
>Index: auth1.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth1.c,v
>retrieving revision 1.104
>diff -u -p -r1.104 auth1.c
>--- auth1.c	3 Dec 2004 03:33:47 -0000	1.104
>+++ auth1.c	20 Dec 2004 04:37:53 -0000
>@@ -247,8 +247,10 @@ do_authloop(Authctxt *authctxt)
> #else
> 		/* Special handling for root */
> 		if (authenticated && authctxt->pw->pw_uid == 0 &&
>-		    !auth_root_allowed(get_authname(type)))
>+		    !auth_root_allowed(get_authname(type))) {
> 			authenticated = 0;
>+			PRIVSEP(audit_event(ROOT_NOT_CONSOLE));
>+		}
> #endif
> 
> #ifdef USE_PAM
>@@ -283,8 +285,10 @@ do_authloop(Authctxt *authctxt)
> 		if (authenticated)
> 			return;
> 
>-		if (authctxt->failures++ > options.max_authtries)
>+		if (authctxt->failures++ > options.max_authtries) {
>+			PRIVSEP(audit_event(LOGIN_EXCEED_MAXTRIES));
> 			packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
>+		}
> 
> 		packet_start(SSH_SMSG_FAILURE);
> 		packet_send();
>Index: auth2.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth2.c,v
>retrieving revision 1.132
>diff -u -p -r1.132 auth2.c
>--- auth2.c	3 Dec 2004 03:33:47 -0000	1.132
>+++ auth2.c	20 Dec 2004 04:06:11 -0000
>@@ -167,6 +167,7 @@ input_userauth_request(int type, u_int32
> 			if (options.use_pam)
> 				PRIVSEP(start_pam(authctxt));
> #endif
>+			PRIVSEP(audit_event(ILLEGAL_USER));
> 		}
> 		setproctitle("%s%s", authctxt->valid ? user : "unknown",
> 		    use_privsep ? " [net]" : "");
>@@ -214,8 +215,10 @@ userauth_finish(Authctxt *authctxt, int 
> 
> 	/* Special handling for root */
> 	if (authenticated && authctxt->pw->pw_uid == 0 &&
>-	    !auth_root_allowed(method))
>+	    !auth_root_allowed(method)) {
> 		authenticated = 0;
>+		PRIVSEP(audit_event(ROOT_NOT_CONSOLE));
>+	}
> 
> #ifdef USE_PAM
> 	if (options.use_pam && authenticated) {
>@@ -255,8 +258,11 @@ userauth_finish(Authctxt *authctxt, int 
> 		/* now we can break out */
> 		authctxt->success = 1;
> 	} else {
>-		if (authctxt->failures++ > options.max_authtries)
>+		if (authctxt->failures++ > options.max_authtries) {
>+			PRIVSEP(audit_event(LOGIN_EXCEED_MAXTRIES));
> 			packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
>+		}
>+		PRIVSEP(audit_event(AUTH_FAILED));
> 		methods = authmethods_get();
> 		packet_start(SSH2_MSG_USERAUTH_FAILURE);
> 		packet_put_cstring(methods);
>Index: configure.ac
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/configure.ac,v
>retrieving revision 1.234
>diff -u -p -r1.234 configure.ac
>--- configure.ac	9 Dec 2004 02:29:59 -0000	1.234
>+++ configure.ac	20 Dec 2004 04:42:24 -0000
>@@ -874,6 +874,20 @@ AC_ARG_WITH(libedit,
> 	fi ]
> )
> 
>+BSM_MSG="no"
>+AC_ARG_WITH(bsmaudit,
>+	[  --with-bsmaudit              Enable BSM audit support],
>+	[ if test "x$withval" != "no" ; then
>+		dnl    Checks for headers, libs and functions
>+		AC_CHECK_HEADERS(bsm/audit.h, [],
>+		    [AC_MSG_ERROR(BSM enabled and bsm/audit.h not found)])
>+		AC_CHECK_LIB(bsm, getaudit, [],
>+		    [AC_MSG_ERROR(BSM enabled and required library not found)])
>+		AC_CHECK_FUNCS(getaudit getaudit_addr gettext, [],
>+		    [AC_MSG_ERROR(BSM enabled and required function not found)])
>+	fi ]
>+)
>+
> dnl    Checks for library functions. Please keep in alphabetical order
> AC_CHECK_FUNCS(\
> 	arc4random __b64_ntop b64_ntop __b64_pton b64_pton bcopy \
>@@ -1776,6 +1790,8 @@ fi
> TYPE_SOCKLEN_T
> 
> AC_CHECK_TYPES(sig_atomic_t,,,[#include <signal.h>])
>+
>+AC_CHECK_TYPES(in_addr_t,,,[#include <netinet/in.h>])
> 
> AC_CACHE_CHECK([for size_t], ac_cv_have_size_t, [
> 	AC_TRY_COMPILE(
>Index: defines.h
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/defines.h,v
>retrieving revision 1.117
>diff -u -p -r1.117 defines.h
>--- defines.h	22 Jun 2004 03:27:16 -0000	1.117
>+++ defines.h	20 Dec 2004 05:28:37 -0000
>@@ -288,6 +288,10 @@ struct	sockaddr_un {
> };
> #endif /* HAVE_SYS_UN_H */
> 
>+#ifndef HAVE_IN_ADDR_T
>+typedef u_int32_t	in_addr_t;
>+#endif
>+
> #if defined(BROKEN_SYS_TERMIO_H) && !defined(_STRUCT_WINSIZE)
> #define _STRUCT_WINSIZE
> struct winsize {
>@@ -529,6 +533,11 @@ struct winsize {
> #ifndef GETPGRP_VOID
> # define getpgrp() getpgrp(0)
> #endif
>+
>+#if defined(HAVE_BSM_AUDIT_H) && defined(HAVE_LIBBSM)
>+# define USE_BSM_AUDIT
>+#endif
>+#define CUSTOM_FAILED_LOGIN
> 
> /* OPENSSL_free() is Free() in versions before OpenSSL 0.9.6 */
> #if !defined(OPENSSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x0090600f)
>Index: loginrec.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/loginrec.c,v
>retrieving revision 1.62
>diff -u -p -r1.62 loginrec.c
>--- loginrec.c	12 Sep 2004 05:26:01 -0000	1.62
>+++ loginrec.c	20 Dec 2004 03:13:13 -0000
>@@ -131,6 +131,7 @@
> #include "loginrec.h"
> #include "log.h"
> #include "atomicio.h"
>+#include "auth.h"
> 
> #ifdef HAVE_UTIL_H
> # include <util.h>
>@@ -205,6 +206,7 @@ login_login(struct logininfo *li)
> int
> login_logout(struct logininfo *li)
> {
>+	audit_event(LOGOUT);
> 	li->type = LTYPE_LOGOUT;
> 	return (login_write(li));
> }
>Index: monitor.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/monitor.c,v
>retrieving revision 1.77
>diff -u -p -r1.77 monitor.c
>--- monitor.c	11 Sep 2004 13:07:03 -0000	1.77
>+++ monitor.c	20 Dec 2004 04:36:25 -0000
>@@ -143,6 +143,10 @@ int mm_answer_gss_userok(int, Buffer *);
> int mm_answer_gss_checkmic(int, Buffer *);
> #endif
> 
>+#ifdef AUDIT_EVENTS
>+int mm_answer_audit_event(int, Buffer *);
>+#endif
>+
> static Authctxt *authctxt;
> static BIGNUM *ssh1_challenge = NULL;	/* used for ssh1 rsa auth */
> 
>@@ -196,6 +200,9 @@ struct mon_table mon_dispatch_proto20[] 
> #endif
>     {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
>     {MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify},
>+#ifdef AUDIT_EVENTS
>+    {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
>+#endif
> #ifdef GSSAPI
>     {MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx},
>     {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
>@@ -239,6 +246,9 @@ struct mon_table mon_dispatch_proto15[] 
>     {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
>     {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
> #endif
>+#ifdef AUDIT_EVENTS
>+    {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
>+#endif
>     {0, 0, NULL}
> };
> 
>@@ -1490,6 +1500,34 @@ mm_answer_term(int sock, Buffer *req)
> 	/* Terminate process */
> 	exit(res);
> }
>+
>+#ifdef AUDIT_EVENTS
>+/* Report that an audit event occurred */
>+
>+int
>+mm_answer_audit_event(int socket, Buffer *m)
>+{
>+	enum audit_event_type event;
>+
>+	debug3("%s", __func__);
>+
>+	event = buffer_get_int(m);
>+	switch(event) {
>+	case AUTH_FAILED:
>+	case LOGIN_EXCEED_MAXTRIES:
>+	case LOGIN_FAIL_BADPW:
>+	case LOGIN_FAIL_KBDINT:
>+	case ROOT_NOT_CONSOLE:
>+	case ILLEGAL_USER:
>+		audit_event(event);
>+		break;
>+	default:
>+		fatal("Audit event type %d not permitted", event);
>+	}
>+
>+	return (0);
>+}
>+#endif
> 
> void
> monitor_apply_keystate(struct monitor *pmonitor)
>Index: monitor.h
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/monitor.h,v
>retrieving revision 1.19
>diff -u -p -r1.19 monitor.h
>--- monitor.h	17 Nov 2003 11:18:22 -0000	1.19
>+++ monitor.h	20 Dec 2004 03:45:31 -0000
>@@ -46,6 +46,7 @@ enum monitor_reqtype {
> 	MONITOR_REQ_PTYCLEANUP,
> 	MONITOR_REQ_SESSKEY, MONITOR_ANS_SESSKEY,
> 	MONITOR_REQ_SESSID,
>+	MONITOR_REQ_AUDIT_EVENT,
> 	MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED,
> 	MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE,
> 	MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
>Index: monitor_wrap.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/monitor_wrap.c,v
>retrieving revision 1.49
>diff -u -p -r1.49 monitor_wrap.c
>--- monitor_wrap.c	11 Sep 2004 13:07:03 -0000	1.49
>+++ monitor_wrap.c	18 Sep 2004 06:58:17 -0000
>@@ -1103,6 +1103,22 @@ mm_auth_rsa_verify_response(Key *key, BI
> 	return (success);
> }
> 
>+void
>+mm_audit_event(enum audit_event_type event)
>+{
>+#ifdef AUDIT_EVENTS
>+	Buffer m;
>+
>+	debug3("%s entering", __func__);
>+
>+	buffer_init(&m);
>+	buffer_put_int(&m, event);
>+
>+	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_EVENT, &m);
>+	buffer_free(&m);
>+#endif /* AUDIT_EVENTS */
>+}
>+
> #ifdef GSSAPI
> OM_uint32
> mm_ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID goid)
>Index: monitor_wrap.h
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/monitor_wrap.h,v
>retrieving revision 1.19
>diff -u -p -r1.19 monitor_wrap.h
>--- monitor_wrap.h	22 Jun 2004 02:56:02 -0000	1.19
>+++ monitor_wrap.h	20 Dec 2004 04:49:21 -0000
>@@ -74,6 +74,9 @@ int mm_sshpam_respond(void *, u_int, cha
> void mm_sshpam_free_ctx(void *);
> #endif
> 
>+#include "audit.h"
>+void mm_audit_event(enum audit_event_type);
>+
> struct Session;
> void mm_terminate(void);
> int mm_pty_allocate(int *, int *, char *, int);
>Index: session.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/session.c,v
>retrieving revision 1.290
>diff -u -p -r1.290 session.c
>--- session.c	11 Sep 2004 13:09:54 -0000	1.290
>+++ session.c	18 Sep 2004 06:58:17 -0000
>@@ -570,6 +570,8 @@ do_exec_pty(Session *s, const char *comm
> 			cray_init_job(s->pw); /* set up cray jid and tmpdir */
> #endif /* _UNICOS */
> 			do_login(s, command);
>+			if (s->tty != NULL)
>+				audit_save_ttyn(s->tty);
> 		}
> # ifdef LOGIN_NEEDS_UTMPX
> 		else
>@@ -1231,6 +1233,7 @@ do_nologin(struct passwd *pw)
> 		while (fgets(buf, sizeof(buf), f))
> 			fputs(buf, stderr);
> 		fclose(f);
>+		audit_event(NOLOGIN);
> 		fflush(NULL);
> 		exit(254);
> 	}
>@@ -1428,6 +1431,8 @@ do_child(Session *s, const char *command
> 			do_motd();
> #else /* HAVE_OSF_SIA */
> 		do_nologin(pw);
>+		if (command != NULL)
>+			audit_run_command(command);
> 		do_setusercontext(pw);
> 		/*
> 		 * PAM session modules in do_setusercontext may have
>Index: sshd.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/sshd.c,v
>retrieving revision 1.299
>diff -u -p -r1.299 sshd.c
>--- sshd.c	5 Nov 2004 09:20:59 -0000	1.299
>+++ sshd.c	19 Dec 2004 00:42:46 -0000
>@@ -1631,7 +1631,7 @@ main(int ac, char **av)
> 
> 	remote_port = get_remote_port();
> 	remote_ip = get_remote_ipaddr();
>-
>+	audit_connection_from(remote_ip, remote_port);
> #ifdef LIBWRAP
> 	/* Check whether logins are denied from this host. */
> 	if (packet_connection_is_on_socket()) {
>@@ -1704,6 +1704,8 @@ main(int ac, char **av)
> 	}
> 
>  authenticated:
>+	audit_event(LOGIN_SUCCESS);
>+
> 	/*
> 	 * In privilege separation, we fork another child and prepare
> 	 * file descriptor passing.
>Index: audit.c
>===================================================================
>RCS file: audit.c
>diff -N audit.c
>--- /dev/null	1 Jan 1970 00:00:00 -0000
>+++ audit.c	20 Dec 2004 05:04:15 -0000
>@@ -0,0 +1,96 @@
>+/* $Id$ */
>+
>+/*
>+ * Copyright (c) 2004 Darren Tucker.  All rights reserved.
>+ *
>+ * Redistribution and use in source and binary forms, with or without
>+ * modification, are permitted provided that the following conditions
>+ * are met:
>+ * 1. Redistributions of source code must retain the above copyright
>+ *    notice, this list of conditions and the following disclaimer.
>+ * 2. Redistributions in binary form must reproduce the above copyright
>+ *    notice, this list of conditions and the following disclaimer in the
>+ *    documentation and/or other materials provided with the distribution.
>+ *
>+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
>+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
>+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
>+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
>+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
>+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
>+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
>+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
>+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
>+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
>+ */
>+
>+#include "includes.h"
>+#ifndef AUDIT_EVENTS
>+
>+#define DEBUG_AUDIT_HOOKS 1	/* XXX */
>+
>+#include "audit.h"
>+
>+#ifdef DEBUG_AUDIT_HOOKS
>+#include "log.h"
>+#include "auth.h"
>+
>+extern Authctxt *the_authctxt;
>+#endif
>+
>+/* Null implementations of audit functions */
>+
>+void
>+audit_connection_from(const char *host, int port)
>+{
>+#ifdef DEBUG_AUDIT_HOOKS
>+	debug("%s: connection from %s port %d", __func__, host, port);
>+#endif
>+}
>+
>+void
>+audit_event(enum audit_event_type event)
>+{
>+#ifdef DEBUG_AUDIT_HOOKS
>+	char *eventstr[] = {
>+		"AUTH_FAILED",
>+		"LOGIN_SUCCESS",
>+		"LOGIN_EXCEED_MAXTRIES",
>+		"LOGIN_FAIL_BADPW",
>+		"LOGIN_FAIL_KBDINT",
>+		"ILLEGAL_USER",
>+		"ROOT_NOT_CONSOLE",
>+		"NOLOGIN",
>+		"LOGOUT"
>+	};
>+
>+	debug("%s: event %d (%s) for user %s", __func__, event, eventstr[event],
>+	    the_authctxt->user);
>+#endif
>+}
>+
>+void
>+audit_save_ttyn(const char *ttyn)
>+{
>+#ifdef DEBUG_AUDIT_HOOKS
>+	debug("%s: user %s tty name %s", __func__, the_authctxt->user, ttyn);
>+#endif
>+}
>+
>+void
>+audit_run_command(const char *command)
>+{
>+#ifdef DEBUG_AUDIT_HOOKS
>+	debug("%s: user %s command '%s'", __func__, the_authctxt->user,
>+	    command);
>+#endif
>+}
>+
>+void
>+record_failed_login(const char *user, const char *ttyname)
>+{
>+#ifdef DEBUG_AUDIT_HOOKS
>+	debug("%s: (audit) user %s ttyname %s", __func__, user, ttyname);
>+#endif
>+}
>+#endif
>Index: audit.h
>===================================================================
>RCS file: audit.h
>diff -N audit.h
>--- /dev/null	1 Jan 1970 00:00:00 -0000
>+++ audit.h	20 Dec 2004 04:45:09 -0000
>@@ -0,0 +1,50 @@
>+/* $Id$ */
>+
>+/*
>+ * Copyright (c) 2004 Darren Tucker.  All rights reserved.
>+ *
>+ * Redistribution and use in source and binary forms, with or without
>+ * modification, are permitted provided that the following conditions
>+ * are met:
>+ * 1. Redistributions of source code must retain the above copyright
>+ *    notice, this list of conditions and the following disclaimer.
>+ * 2. Redistributions in binary form must reproduce the above copyright
>+ *    notice, this list of conditions and the following disclaimer in the
>+ *    documentation and/or other materials provided with the distribution.
>+ *
>+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
>+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
>+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
>+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
>+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
>+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
>+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
>+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
>+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
>+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
>+ */
>+
>+#include "auth.h"
>+
>+#ifndef SSHAUDIT_H
>+# define SSHAUDIT_H
>+enum audit_event_type {
>+	AUTH_FAILED,		/* merge with LOGIN_FAIL_BADPW? */
>+	LOGIN_SUCCESS,
>+	LOGIN_EXCEED_MAXTRIES,
>+	LOGIN_FAIL_BADPW,
>+	LOGIN_FAIL_KBDINT,
>+	ILLEGAL_USER,
>+	ROOT_NOT_CONSOLE,
>+	NOLOGIN,
>+	LOGOUT
>+};
>+
>+void audit_init(Authctxt *ctxt);
>+void audit_connection_from(const char *host, int port);
>+void audit_event(enum audit_event_type event);
>+void audit_save_ttyn(const char *ttyn);
>+void audit_run_command(const char *command);
>+void record_failed_login(const char *, const char *);
>+
>+#endif /* SSHAUDIT_H */

Actions: View | Diff

Attachments on bug 125: 131 | 192 | 355 | 438 | 500 | 560 | 618 | 619 | 647 | 753 | 754 | 755 | 756 | 793 | 794 | 795 | 796 | 800 | 804 | 820 | 826 | 845 | 846