Bugzilla – Attachment 755 Details for
Bug 125
add BSM audit support
[patch]
Add intrumentation for audit to sshd (still work in progress).
openssh-audit-base.patch (text/plain), 16.03 KB, created by
Darren Tucker
on 2004-12-20 20:26:19 AEDT
Description:
Add instrumentation for audit to sshd (still work in progress).
Filename:
MIME Type:
Creator:
Darren Tucker
Created:
2004-12-20 20:26:19 AEDT
Size:
16.03 KB
patch
obsolete
>Index: auth1.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth1.c,v
>retrieving revision 1.104
>diff -u -p -r1.104 auth1.c
>--- auth1.c 3 Dec 2004 03:33:47 -0000 1.104
>+++ auth1.c 20 Dec 2004 04:37:53 -0000
>@@ -247,8 +247,10 @@ do_authloop(Authctxt *authctxt)
> #else
> /* Special handling for root */
> if (authenticated && authctxt->pw->pw_uid == 0 &&
>- !auth_root_allowed(get_authname(type)))
>+ !auth_root_allowed(get_authname(type))) {
> authenticated = 0;
>+ PRIVSEP(audit_event(ROOT_NOT_CONSOLE));
>+ }
> #endif
> 
> #ifdef USE_PAM
>@@ -283,8 +285,10 @@ do_authloop(Authctxt *authctxt)
> if (authenticated)
> return;
> 
>- if (authctxt->failures++ > options.max_authtries)
>+ if (authctxt->failures++ > options.max_authtries) {
>+ PRIVSEP(audit_event(LOGIN_EXCEED_MAXTRIES));
> packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
>+ }
> 
> packet_start(SSH_SMSG_FAILURE);
> packet_send();
>Index: auth2.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth2.c,v
>retrieving revision 1.132
>diff -u -p -r1.132 auth2.c
>--- auth2.c 3 Dec 2004 03:33:47 -0000 1.132
>+++ auth2.c 20 Dec 2004 08:55:49 -0000
>@@ -167,6 +167,7 @@ input_userauth_request(int type, u_int32
> if (options.use_pam)
> PRIVSEP(start_pam(authctxt));
> #endif
>+ PRIVSEP(audit_event(INVALID_USER));
> }
> setproctitle("%s%s", authctxt->valid ? user : "unknown",
> use_privsep ? " [net]" : "");
>@@ -214,8 +215,10 @@ userauth_finish(Authctxt *authctxt, int
> 
> /* Special handling for root */
> if (authenticated && authctxt->pw->pw_uid == 0 &&
>- !auth_root_allowed(method))
>+ !auth_root_allowed(method)) {
> authenticated = 0;
>+ PRIVSEP(audit_event(ROOT_NOT_CONSOLE));
>+ }
> 
> #ifdef USE_PAM
> if (options.use_pam && authenticated) {
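Review bot: The new `PRIVSEP(audit_event(INVALID_USER));` in the input_userauth_request hunk of auth2.c is placed after the `#endif` of the USE_PAM block and outside any visible test of `authctxt->valid`, so it appears to fire on the first request of every user, valid or not. The only visible context is `if (options.use_pam) PRIVSEP(start_pam(authctxt));`, and start_pam is started for valid users as well, so the placement should be checked against the enclosing `if`; the call most likely belongs in the branch that logs the invalid user. getpwnamallow (auth.c hunk on the next line) already raises INVALID_USER, and since it is reached through PRIVSEP elsewhere that is presumably the monitor under privilege separation, so an invalid user would be reported twice and a valid user once. input_userauth_request starts and ends outside the hunk.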
>@@ -255,8 +258,10 @@ userauth_finish(Authctxt *authctxt, int
> /* now we can break out */
> authctxt->success = 1;
> } else {
>- if (authctxt->failures++ > options.max_authtries)
>+ if (authctxt->failures++ > options.max_authtries) {
>+ PRIVSEP(audit_event(LOGIN_EXCEED_MAXTRIES));
> packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
>+ }
> methods = authmethods_get();
> packet_start(SSH2_MSG_USERAUTH_FAILURE);
> packet_put_cstring(methods);
>Index: auth.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth.c,v
>retrieving revision 1.89
>diff -u -p -r1.89 auth.c
>--- auth.c 12 Aug 2004 12:40:25 -0000 1.89
>+++ auth.c 20 Dec 2004 08:54:22 -0000
>@@ -240,8 +240,17 @@ auth_log(Authctxt *authctxt, int authent
> info);
> 
> #ifdef CUSTOM_FAILED_LOGIN
>- if (authenticated == 0 && strcmp(method, "password") == 0)
>- record_failed_login(authctxt->user, "ssh");
>+ /* write loginfail events only if privileged */
>+ if (authenticated == 0 && geteuid() == 0) {
>+ if (strcmp(method, "password") == 0) {
>+ record_failed_login(authctxt->user, "ssh");
>+ audit_event(LOGIN_FAIL_BADPW);
>+ } else if (strcmp(method, "keyboard-interactive") == 0) {
>+ audit_event(LOGIN_FAIL_KBDINT);
>+ } else {
>+ audit_event(LOGIN_FAIL_OTHER);
>+ }
>+ }
> #endif
> }
> 
>@@ -467,6 +476,7 @@ getpwnamallow(const char *user)
> #ifdef CUSTOM_FAILED_LOGIN
> record_failed_login(user, "ssh");
> #endif
>+ audit_event(INVALID_USER);
> return (NULL);
> }
> if (!allowed_user(pw))
>Index: auth.h
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth.h,v
>retrieving revision 1.63
>diff -u -p -r1.63 auth.h
>--- auth.h 11 Sep 2004 13:07:03 -0000 1.63
>+++ auth.h 20 Dec 2004 03:14:50 -0000
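Review bot: The LOGIN_FAIL_BADPW, LOGIN_FAIL_KBDINT and LOGIN_FAIL_OTHER calls added in the auth_log hunk of auth.c sit inside `#ifdef CUSTOM_FAILED_LOGIN`, so any build without that define never emits a login-failure audit event even though the audit hooks are otherwise unconditional. Only `record_failed_login()` needs that guard; the `authenticated == 0 && geteuid() == 0` test and the three `audit_event()` calls should move outside it. The `geteuid() == 0` test also silently drops these events when auth_log runs in the unprivileged child, and because mm_answer_audit_event (monitor.c hunk further down) does not permit these three types they cannot be forwarded with PRIVSEP either; a comment such as `/* LOGIN_FAIL_* are raised only by the privileged process; the net process has no monitor path for them */` would make that a documented decision rather than an accident. auth_log starts outside the hunk.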
>@@ -130,6 +130,7 @@ int auth_shadow_pwexpired(Authctxt *);
> #endif
> 
> #include "auth-pam.h"
>+#include "audit.h"
> void disable_forwarding(void);
> 
> void do_authentication(Authctxt *);
>Index: loginrec.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/loginrec.c,v
>retrieving revision 1.62
>diff -u -p -r1.62 loginrec.c
>--- loginrec.c 12 Sep 2004 05:26:01 -0000 1.62
>+++ loginrec.c 20 Dec 2004 07:46:18 -0000
>@@ -131,6 +131,7 @@
> #include "loginrec.h"
> #include "log.h"
> #include "atomicio.h"
>+#include "auth.h"
> 
> #ifdef HAVE_UTIL_H
> # include <util.h>
>@@ -205,6 +206,7 @@ login_login(struct logininfo *li)
> int
> login_logout(struct logininfo *li)
> {
>+ audit_event(LOGOUT);
> li->type = LTYPE_LOGOUT;
> return (login_write(li));
> }
>@@ -420,6 +422,8 @@ login_write(struct logininfo *li)
> !sys_auth_record_login(li->username,li->hostname,li->line))
> logit("Writing login record failed for %s", li->username);
> #endif
>+ if (li->type == LTYPE_LOGIN)
>+ audit_save_ttyn(li->line);
> return (0);
> }
> 
>Index: monitor.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/monitor.c,v
>retrieving revision 1.77
>diff -u -p -r1.77 monitor.c
>--- monitor.c 11 Sep 2004 13:07:03 -0000 1.77
>+++ monitor.c 20 Dec 2004 08:55:30 -0000
>@@ -143,6 +143,8 @@ int mm_answer_gss_userok(int, Buffer *);
> int mm_answer_gss_checkmic(int, Buffer *);
> #endif
> 
>+int mm_answer_audit_event(int, Buffer *);
>+
> static Authctxt *authctxt;
> static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
> 
>@@ -196,6 +198,7 @@ struct mon_table mon_dispatch_proto20[]
> #endif
> {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
> {MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify},
>+ {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
> #ifdef GSSAPI
> {MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx},
> {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
>@@ -239,6 +242,7 @@ struct mon_table mon_dispatch_proto15[]
> {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
> {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
> #endif
>+ {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
> {0, 0, NULL}
> };
> 
>@@ -1489,6 +1493,29 @@ mm_answer_term(int sock, Buffer *req)
> 
> /* Terminate process */
> exit(res);
>+}
>+
>+/* Report that an audit event occurred */
>+int
>+mm_answer_audit_event(int socket, Buffer *m)
>+{
>+ enum audit_event_type event;
>+
>+ debug3("%s", __func__);
>+
>+ event = buffer_get_int(m);
>+ switch(event) {
>+ case AUTH_FAILED:
>+ case LOGIN_EXCEED_MAXTRIES:
>+ case ROOT_NOT_CONSOLE:
>+ case INVALID_USER:
>+ audit_event(event);
>+ break;
>+ default:
>+ fatal("Audit event type %d not permitted", event);
>+ }
>+
>+ return (0);
> }
> 
> void
>Index: monitor.h
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/monitor.h,v
>retrieving revision 1.19
>diff -u -p -r1.19 monitor.h
>--- monitor.h 17 Nov 2003 11:18:22 -0000 1.19
>+++ monitor.h 20 Dec 2004 03:45:31 -0000
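Review bot: The whitelist in mm_answer_audit_event is the right shape, but the monitor has no way to check that an asserted event actually happened, so a compromised net process can write any number of these four record types into the audit trail; the one-line comment above the function should say so, e.g. `/* The child is untrusted: only event types the net process may legitimately report are passed through, and the monitor cannot verify that the event occurred. */`. The parameter named `socket` shadows the libc function of the same name; the neighbouring `mm_answer_term(int sock, Buffer *req)` uses `sock`, so `mm_answer_audit_event(int sock, Buffer *m)` keeps the file consistent and is clean under -Wshadow. `switch(event)` should be written `switch (event)` to match the surrounding style. Adding the same MON_PERMIT entry to both dispatch tables in the hunks above is correct, since the events are raised before and after authentication.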
>@@ -46,6 +46,7 @@ enum monitor_reqtype {
> MONITOR_REQ_PTYCLEANUP,
> MONITOR_REQ_SESSKEY, MONITOR_ANS_SESSKEY,
> MONITOR_REQ_SESSID,
>+ MONITOR_REQ_AUDIT_EVENT,
> MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED,
> MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE,
> MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
>Index: monitor_wrap.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/monitor_wrap.c,v
>retrieving revision 1.49
>diff -u -p -r1.49 monitor_wrap.c
>--- monitor_wrap.c 11 Sep 2004 13:07:03 -0000 1.49
>+++ monitor_wrap.c 20 Dec 2004 08:20:26 -0000
>@@ -1103,6 +1103,20 @@ mm_auth_rsa_verify_response(Key *key, BI
> return (success);
> }
> 
>+void
>+mm_audit_event(enum audit_event_type event)
>+{
>+ Buffer m;
>+
>+ debug3("%s entering", __func__);
>+
>+ buffer_init(&m);
>+ buffer_put_int(&m, event);
>+
>+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_EVENT, &m);
>+ buffer_free(&m);
>+}
>+
> #ifdef GSSAPI
> OM_uint32
> mm_ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID goid)
>Index: monitor_wrap.h
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/monitor_wrap.h,v
>retrieving revision 1.19
>diff -u -p -r1.19 monitor_wrap.h
>--- monitor_wrap.h 22 Jun 2004 02:56:02 -0000 1.19
>+++ monitor_wrap.h 20 Dec 2004 04:49:21 -0000
>@@ -74,6 +74,9 @@ int mm_sshpam_respond(void *, u_int, cha
> void mm_sshpam_free_ctx(void *);
> #endif
> 
>+#include "audit.h"
>+void mm_audit_event(enum audit_event_type);
>+
> struct Session;
> void mm_terminate(void);
> int mm_pty_allocate(int *, int *, char *, int);
>Index: audit.c
>===================================================================
>RCS file: audit.c
>diff -N audit.c
>--- /dev/null 1 Jan 1970 00:00:00 -0000
>+++ audit.c 20 Dec 2004 08:55:12 -0000
>@@ -0,0 +1,98 @@
>+/* $Id$ */
>+
>+/*
>+ * Copyright (c) 2004 Darren Tucker. All rights reserved.
>+ *
>+ * Redistribution and use in source and binary forms, with or without
>+ * modification, are permitted provided that the following conditions
>+ * are met:
>+ * 1. Redistributions of source code must retain the above copyright
>+ * notice, this list of conditions and the following disclaimer.
>+ * 2. Redistributions in binary form must reproduce the above copyright
>+ * notice, this list of conditions and the following disclaimer in the
>+ * documentation and/or other materials provided with the distribution.
>+ *
>+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
>+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
>+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
>+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
>+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
>+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
>+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
>+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
>+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
>+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
>+ */
>+
>+#include "includes.h"
>+#ifndef CUSTOM_AUDIT_EVENTS
>+
>+#include "audit.h"
>+
>+#ifdef DEBUG_AUDIT_HOOKS
>+#include "log.h"
>+#include "auth.h"
>+
>+extern Authctxt *the_authctxt;
>+#endif
>+
>+/* Null implementations of audit functions */
>+
>+void
>+audit_connection_from(const char *host, int port)
>+{
>+#ifdef DEBUG_AUDIT_HOOKS
>+ debug("%s: euid %d connection from %s port %d", __func__, geteuid(),
>+ host, port);
>+#endif
>+}
>+
>+void
>+audit_event(enum audit_event_type event)
>+{
>+#ifdef DEBUG_AUDIT_HOOKS
>+ char *eventstr[] = {
>+ "AUTH_FAILED",
>+ "LOGIN_SUCCESS",
>+ "LOGIN_EXCEED_MAXTRIES",
>+ "LOGIN_FAIL_BADPW",
>+ "LOGIN_FAIL_KBDINT",
>+ "LOGIN_FAIL_OTHER",
>+ "INVALID_USER",
>+ "ROOT_NOT_CONSOLE",
>+ "NOLOGIN",
>+ "LOGOUT"
>+ };
>+
>+ debug("%s: euid %d user %s event %d (%s)", __func__, geteuid(),
>+ the_authctxt->user, event, eventstr[event]);
>+#endif
>+}
>+
>+void
>+audit_save_ttyn(const char *ttyn)
>+{
>+#ifdef DEBUG_AUDIT_HOOKS
>+ debug("%s: euid %d user %s tty name %s", __func__, geteuid(),
>+ the_authctxt->user, ttyn);
>+#endif
>+}
>+
>+void
>+audit_run_command(const char *command)
>+{
>+#ifdef DEBUG_AUDIT_HOOKS
>+ debug("%s: euid %d user %s command '%s'", __func__, geteuid(),
>+ the_authctxt->user, command);
>+#endif
>+}
>+
>+void
>+record_failed_login(const char *user, const char *ttyname)
>+{
>+#ifdef DEBUG_AUDIT_HOOKS
>+ debug("%s: (audit) euid %d user %s ttyname %s", __func__, geteuid(),
>+ user, ttyname);
>+#endif
>+}
>+#endif
>Index: audit.h
>===================================================================
>RCS file: audit.h
>diff -N audit.h
>--- /dev/null 1 Jan 1970 00:00:00 -0000
>+++ audit.h 20 Dec 2004 08:54:43 -0000
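Review bot: audit.c defines `record_failed_login()` whenever CUSTOM_AUDIT_EVENTS is undefined, while auth.c calls it only under CUSTOM_FAILED_LOGIN; if a platform file already provides record_failed_login for that configuration (the `#ifdef CUSTOM_FAILED_LOGIN` guards in auth.c suggest such definitions exist elsewhere), sshd will fail to link with a duplicate symbol, so the stub should additionally be wrapped in `#ifndef CUSTOM_FAILED_LOGIN`. In the DEBUG_AUDIT_HOOKS branch of audit_event, `eventstr[event]` is indexed with no range check and `the_authctxt->user` is printed with `%s` although it is not visible here whether the_authctxt or its user field is always set when early events such as INVALID_USER arrive; passing NULL to `%s` is undefined, so guard both, e.g. `(size_t)event < sizeof(eventstr) / sizeof(eventstr[0]) ? eventstr[event] : "?"` and `the_authctxt->user != NULL ? the_authctxt->user : "(unknown)"`. `eventstr` should be `static const char *const eventstr[]` and carry a comment that its order must stay in step with `enum audit_event_type` in audit.h. audit.h declares `audit_init()` but this file provides no stub for it.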
>@@ -0,0 +1,51 @@
>+/* $Id$ */
>+
>+/*
>+ * Copyright (c) 2004 Darren Tucker. All rights reserved.
>+ *
>+ * Redistribution and use in source and binary forms, with or without
>+ * modification, are permitted provided that the following conditions
>+ * are met:
>+ * 1. Redistributions of source code must retain the above copyright
>+ * notice, this list of conditions and the following disclaimer.
>+ * 2. Redistributions in binary form must reproduce the above copyright
>+ * notice, this list of conditions and the following disclaimer in the
>+ * documentation and/or other materials provided with the distribution.
>+ *
>+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
>+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
>+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
>+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
>+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
>+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
>+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
>+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
>+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
>+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
>+ */
>+
>+#include "auth.h"
>+
>+#ifndef _SSH_AUDIT_H
>+# define _SSH_AUDIT_H
>+enum audit_event_type {
>+ AUTH_FAILED, /* merge with LOGIN_FAIL_BADPW? */
>+ LOGIN_SUCCESS,
>+ LOGIN_EXCEED_MAXTRIES,
>+ LOGIN_FAIL_BADPW,
>+ LOGIN_FAIL_KBDINT,
>+ LOGIN_FAIL_OTHER,
>+ INVALID_USER,
>+ ROOT_NOT_CONSOLE,
>+ NOLOGIN,
>+ LOGOUT
>+};
>+
>+void audit_init(Authctxt *ctxt);
>+void audit_connection_from(const char *host, int port);
>+void audit_event(enum audit_event_type event);
>+void audit_save_ttyn(const char *ttyn);
>+void audit_run_command(const char *command);
>+void record_failed_login(const char *, const char *);
>+
>+#endif /* _SSH_AUDIT_H */
>Index: session.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/session.c,v
>retrieving revision 1.290
>diff -u -p -r1.290 session.c
>--- session.c 11 Sep 2004 13:09:54 -0000 1.290
>+++ session.c 20 Dec 2004 08:27:44 -0000
>@@ -1228,6 +1228,7 @@ do_nologin(struct passwd *pw)
> /* /etc/nologin exists. Print its contents and exit. */
> logit("User %.100s not allowed because %s exists",
> pw->pw_name, _PATH_NOLOGIN);
>+ audit_event(NOLOGIN); /* XXX: unprivileged */
> while (fgets(buf, sizeof(buf), f))
> fputs(buf, stderr);
> fclose(f);
>@@ -1428,6 +1429,8 @@ do_child(Session *s, const char *command
> do_motd();
> #else /* HAVE_OSF_SIA */
> do_nologin(pw);
>+ if (command != NULL)
>+ audit_run_command(command); /* XXX: unprivileged */
> do_setusercontext(pw);
> /*
> * PAM session modules in do_setusercontext may have
>Index: sshd.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/sshd.c,v
>retrieving revision 1.299
>diff -u -p -r1.299 sshd.c
>--- sshd.c 5 Nov 2004 09:20:59 -0000 1.299
>+++ sshd.c 19 Dec 2004 00:42:46 -0000
>@@ -1631,7 +1631,7 @@ main(int ac, char **av)
> 
> remote_port = get_remote_port();
> remote_ip = get_remote_ipaddr();
>-
>+ audit_connection_from(remote_ip, remote_port);
> #ifdef LIBWRAP
> /* Check whether logins are denied from this host. */
> if (packet_connection_is_on_socket()) {
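Review bot: audit.h declares `void audit_init(Authctxt *ctxt);` but nothing in this patch defines or calls it, so either drop the prototype or add the null implementation to audit.c next to the other stubs. The `#include "auth.h"` sits before the `_SSH_AUDIT_H` guard while auth.h (hunk above) now includes audit.h in turn; the cycle happens to resolve only because auth.h has its own guard, and moving the include inside this header's guard makes that independent of include order. `_SSH_AUDIT_H` is a reserved identifier (leading underscore followed by an uppercase letter); `SSH_AUDIT_H` avoids that. The enum comment `/* merge with LOGIN_FAIL_BADPW? */` records an open design question and should be either resolved or marked `XXX`/`TODO` like the session.c hooks before this leaves work-in-progress.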
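Review bot: `audit_event(NOLOGIN)` in do_nologin and `audit_run_command(command)` in do_child run in the session child, which the `XXX: unprivileged` comments already acknowledge, but the comments leave out that neither event type is in the mm_answer_audit_event whitelist, so they cannot be forwarded with PRIVSEP either and a backend that needs privilege would have to drop them. Either add a monitor path for these two events or extend the comments so the limitation is explicit, e.g. `/* XXX: runs unprivileged and has no monitor request type, so a privileged backend cannot record it */`. Both enclosing functions start and end outside their hunks.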
>@@ -1704,6 +1704,8 @@ main(int ac, char **av)
> }
> 
> authenticated:
>+ audit_event(LOGIN_SUCCESS);
>+
> /*
> * In privilege separation, we fork another child and prepare
> * file descriptor passing.
>Index: Makefile.in
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/Makefile.in,v
>retrieving revision 1.266
>diff -u -p -r1.266 Makefile.in
>--- Makefile.in 7 Nov 2004 09:14:34 -0000 1.266
>+++ Makefile.in 20 Dec 2004 02:59:28 -0000
>@@ -85,7 +85,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
> monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \
> auth-krb5.o \
> auth2-gss.o gss-serv.o gss-serv-krb5.o \
>- loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o
>+ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o audit.o \
>+ audit-bsm.o
> 
> MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
> MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5
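Review bot: The Makefile.in hunk adds `audit-bsm.o` to SSHDOBJS unconditionally, but no audit-bsm.c is part of this patch, so sshd will not link unless a companion patch supplies it; only `audit.o` belongs in this base patch. Since audit.c compiles to an empty translation unit when CUSTOM_AUDIT_EVENTS is defined, the backend object is better chosen by configure through a substituted variable (a placeholder name such as `@AUDIT_OBJS@`, set to the selected backend) than hard-coded in the object list.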