Bugzilla – Attachment 796 Details for
Bug 125
add BSM audit support
[patch]
Add audit hooks to sshd
openssh-audit-hooks6.patch (text/plain), 21.96 KB, created by
Darren Tucker
on 2005-01-31 11:48:26 AEDT
Description:
Add audit hooks to sshd
Filename:
MIME Type:
Creator:
Darren Tucker
Created:
2005-01-31 11:48:26 AEDT
Size:
21.96 KB
patch
obsolete
>Index: Makefile.in
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/Makefile.in,v
>retrieving revision 1.267
>diff -u -p -r1.267 Makefile.in
>--- Makefile.in 18 Jan 2005 01:05:18 -0000 1.267
>+++ Makefile.in 29 Jan 2005 08:47:28 -0000
>@@ -85,7 +85,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
> monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \
> auth-krb5.o \
> auth2-gss.o gss-serv.o gss-serv-krb5.o \
>- loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o
>+ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o audit.o
>
> MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
> MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5
>Index: audit.c
>===================================================================
>RCS file: audit.c
>diff -N audit.c
>--- /dev/null 1 Jan 1970 00:00:00 -0000
>+++ audit.c 31 Jan 2005 00:06:01 -0000
>@@ -0,0 +1,168 @@
>+/* $Id$ */
>+
>+/*
>+ * Copyright (c) 2004, 2005 Darren Tucker. All rights reserved.
>+ *
>+ * Redistribution and use in source and binary forms, with or without
>+ * modification, are permitted provided that the following conditions
>+ * are met:
>+ * 1. Redistributions of source code must retain the above copyright
>+ * notice, this list of conditions and the following disclaimer.
>+ * 2. Redistributions in binary form must reproduce the above copyright
>+ * notice, this list of conditions and the following disclaimer in the
>+ * documentation and/or other materials provided with the distribution.
>+ *
>+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
>+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
>+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
>+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
>+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
>+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
>+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
>+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
>+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
>+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
>+ */
>+
>+#include "includes.h"
>+
>+#ifdef AUDIT_EVENTS
>+
>+#include "audit.h"
>+#include "log.h"
>+#include "auth.h"
>+
>+/*
>+ * Care must be taken when using this since it WILL NOT be initialized when
>+ * audit_connection_from() is called and MAY NOT be initialized when
>+ * audit_event(CONNECTION_ABANDON) is called. Test for NULL before using.
>+ */
>+extern Authctxt *the_authctxt;
>+
>+/* Maybe add the audit class to struct Authmethod? */
>+ssh_audit_event_t
>+audit_classify_auth(const char *method)
>+{
>+ if (strcmp(method, "none") == 0)
>+ return AUTH_FAIL_NONE;
>+ else if (strcmp(method, "password") == 0)
>+ return AUTH_FAIL_PASSWD;
>+ else if (strcmp(method, "publickey") == 0 ||
>+ strcmp(method, "rsa") == 0)
>+ return AUTH_FAIL_PUBKEY;
>+ else if (strncmp(method, "keyboard-interactive", 20) == 0 ||
>+ strcmp(method, "challenge-response") == 0)
>+ return AUTH_FAIL_KBDINT;
>+ else if (strcmp(method, "hostbased") == 0 ||
>+ strcmp(method, "rhosts-rsa") == 0)
>+ return AUTH_FAIL_HOSTBASED;
>+ else if (strcmp(method, "gssapi-with-mic") == 0)
>+ return AUTH_FAIL_GSSAPI;
>+ else
>+ return AUDIT_UNKNOWN;
>+}
>+
>+# ifndef CUSTOM_AUDIT_EVENTS
>+
>+/*
>+ * Null implementations of audit functions.
>+ * These get used if AUDIT_EVENTS is defined but no audit module is enabled.
>+ */
>+
>+/* helper to return supplied username */
>+static const char *
>+audit_username(void)
>+{
>+ static const char unknownuser[] = "(unknown user)";
>+
>+ if (the_authctxt == NULL || the_authctxt->user == NULL)
>+ return (unknownuser);
>+ return (the_authctxt->user);
>+}
>+
>+/*
>+ * Called after a connection has been accepted but before any authentication
>+ * has been attempted.
>+ */
>+void
>+audit_connection_from(const char *host, int port)
>+{
>+ debug("%s: euid %d connection from %s port %d", __func__, geteuid(),
>+ host, port);
>+}
>+
>+/*
>+ * Called when various events occur (see audit.h for a list of possible
>+ * events and what they mean).
>+ */
>+void
>+audit_event(ssh_audit_event_t event)
>+{
>+ char *eventstr[] = {
>+ "LOGIN_EXCEED_MAXTRIES",
>+ "LOGIN_ROOT_DENIED",
>+ "AUTH_SUCCESS",
>+ "AUTH_FAIL_NONE",
>+ "AUTH_FAIL_PASSWD",
>+ "AUTH_FAIL_KBDINT",
>+ "AUTH_FAIL_PUBKEY",
>+ "AUTH_FAIL_HOSTBASED",
>+ "AUTH_FAIL_GSSAPI",
>+ "INVALID_USER",
>+ "NOLOGIN",
>+ "CONNECTION_CLOSE",
>+ "CONNECTION_ABANDON",
>+ "AUDIT_UNKNOWN"
>+ };
>+
>+ if (event >= sizeof(eventstr) / sizeof(*eventstr))
>+ fatal("event %d outside valid range", event);
>+ debug("%s: euid %d user %s event %d (%s)", __func__, geteuid(),
>+ audit_username(), event, eventstr[event]);
>+}
>+
>+/*
>+ * Called when a user session is started. Argument is the tty allocated to
>+ * the session, or NULL if no tty was allocated.
>+ *
>+ * Note that this may be called multiple times if multiple sessions are used
>+ * within a single connection.
>+ */
>+void
>+audit_session_open(const char *ttyn)
>+{
>+ const char *t = ttyn ? ttyn : "(no tty)";
>+
>+ debug("%s: euid %d user %s tty name %s", __func__, geteuid(),
>+ audit_username(), t);
>+}
>+
>+/*
>+ * Called when a user session is closed. Argument is the tty allocated to
>+ * the session, or NULL if no tty was allocated.
>+ *
>+ * Note that this may be called multiple times if multiple sessions are used
>+ * within a single connection.
>+ */
>+void
>+audit_session_close(const char *ttyn)
>+{
>+ const char *t = ttyn ? ttyn : "(no tty)";
>+
>+ debug("%s: euid %d user %s tty name %s", __func__, geteuid(),
>+ audit_username(), t);
>+}
>+
>+/*
>+ * This will be called when a user runs a non-interactive command. Note that
>+ * it may be called multiple times for a single connection since SSH2 allows
>+ * multiple sessions within a single connection.
>+ */
>+void
>+audit_run_command(const char *command)
>+{
>+ debug("%s: euid %d user %s command '%s'", __func__, geteuid(),
>+ audit_username(), command);
>+}
>+# endif /* !defined CUSTOM_AUDIT_EVENTS */
>+#endif /* AUDIT_EVENTS */
>Index: audit.h
>===================================================================
>RCS file: audit.h
>diff -N audit.h
>--- /dev/null 1 Jan 1970 00:00:00 -0000
>+++ audit.h 30 Jan 2005 23:49:07 -0000
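Review bot: In the null `audit_event()`, `eventstr` is a non-const local array of string pointers that must stay in lock-step with `enum ssh_audit_event_type` in audit.h, and nothing ties the two together, so a later insertion into the enum would silently mislabel every event after it in the debug output. Make the table `static const char *const eventstr[]` and put a comment above it, `/* Must match the order of enum ssh_audit_event_type in audit.h */`; the existing range check then still catches a value past the end. The `strncmp(method, "keyboard-interactive", 20)` in `audit_classify_auth()` is a deliberate prefix match (the method name presumably carries a device suffix in some configurations), which deserves a one-line comment so it is not later "fixed" into a `strcmp`.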
>@@ -0,0 +1,56 @@
>+/* $Id$ */
>+
>+/*
>+ * Copyright (c) 2004, 2005 Darren Tucker. All rights reserved.
>+ *
>+ * Redistribution and use in source and binary forms, with or without
>+ * modification, are permitted provided that the following conditions
>+ * are met:
>+ * 1. Redistributions of source code must retain the above copyright
>+ * notice, this list of conditions and the following disclaimer.
>+ * 2. Redistributions in binary form must reproduce the above copyright
>+ * notice, this list of conditions and the following disclaimer in the
>+ * documentation and/or other materials provided with the distribution.
>+ *
>+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
>+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
>+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
>+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
>+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
>+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
>+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
>+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
>+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
>+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
>+ */
>+
>+#include "auth.h"
>+
>+#ifndef _SSH_AUDIT_H
>+# define _SSH_AUDIT_H
>+enum ssh_audit_event_type {
>+ LOGIN_EXCEED_MAXTRIES,
>+ LOGIN_ROOT_DENIED,
>+ AUTH_SUCCESS,
>+ AUTH_FAIL_NONE,
>+ AUTH_FAIL_PASSWD,
>+ AUTH_FAIL_KBDINT, /* keyboard-interactive or challenge-response */
>+ AUTH_FAIL_PUBKEY, /* ssh2 pubkey or ssh1 rsa */
>+ AUTH_FAIL_HOSTBASED, /* ssh2 hostbased or ssh1 rhostsrsa */
>+ AUTH_FAIL_GSSAPI,
>+ INVALID_USER,
>+ NOLOGIN, /* denied by /etc/nologin, not implemented */
>+ CONNECTION_CLOSE, /* closed after attempting auth or session */
>+ CONNECTION_ABANDON, /* closed without completing auth */
>+ AUDIT_UNKNOWN
>+};
>+typedef enum ssh_audit_event_type ssh_audit_event_t;
>+
>+void audit_connection_from(const char *, int);
>+void audit_event(ssh_audit_event_t);
>+void audit_session_open(const char *);
>+void audit_session_close(const char *);
>+void audit_run_command(const char *);
>+ssh_audit_event_t audit_classify_auth(const char *);
>+
>+#endif /* _SSH_AUDIT_H */
>Index: auth.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth.c,v
>retrieving revision 1.90
>diff -u -p -r1.90 auth.c
>--- auth.c 24 Jan 2005 10:56:48 -0000 1.90
>+++ auth.c 31 Jan 2005 00:09:31 -0000
>@@ -50,6 +50,7 @@ RCSID("$OpenBSD: auth.c,v 1.57 2005/01/2
> #include "misc.h"
> #include "bufaux.h"
> #include "packet.h"
>+#include "monitor_wrap.h"
>
> /* import */
> extern ServerOptions options;
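Review bot: audit.h includes auth.h before its own include guard, while the auth.h hunk later in this patch includes audit.h back, so the two headers include each other and only work because of the order in which the guards happen to be set; nothing declared in audit.h needs a type from auth.h (the prototypes use only `ssh_audit_event_t` and `const char *`), so drop the `#include "auth.h"` line here and let audit.c, which already includes both, keep its own includes. The guard name `_SSH_AUDIT_H` starts with an underscore followed by an uppercase letter, a form reserved for the implementation in C; `SSH_AUDIT_H` avoids that with no other change.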
>@@ -246,6 +247,44 @@ auth_log(Authctxt *authctxt, int authent
> if (authenticated == 0 && strcmp(method, "password") == 0)
> record_failed_login(authctxt->user, "ssh");
> #endif
>+#ifdef AUDIT_EVENTS
>+ if (authenticated == 0 && !authctxt->postponed) {
>+ ssh_audit_event_t event;
>+
>+ debug3("%s: audit failed auth attempt, method %s euid %d",
>+ __func__, method, geteuid());
>+ /*
>+ * Because the auth loop is used in both monitor and slave,
>+ * we must be careful to send each event only once and with
>+ * enough privs to write the event.
>+ */
>+ event = audit_classify_auth(method);
>+ switch(event) {
>+ case AUTH_FAIL_NONE:
>+ case AUTH_FAIL_PASSWD:
>+ case AUTH_FAIL_KBDINT:
>+ if (geteuid() == 0)
>+ audit_event(event);
>+ break;
>+ case AUTH_FAIL_PUBKEY:
>+ case AUTH_FAIL_HOSTBASED:
>+ case AUTH_FAIL_GSSAPI:
>+ /*
>+ * This is required to handle the case where privsep
>+ * is enabled but it's root logging in, since
>+ * use_privsep won't be cleared until after a
>+ * successful login.
>+ */
>+ if (geteuid() == 0)
>+ audit_event(event);
>+ else
>+ PRIVSEP(audit_event(event));
>+ break;
>+ default:
>+ error("unknown authentication audit event %d", event);
>+ }
>+ }
>+#endif
> }
>
> /*
>@@ -470,6 +509,9 @@ getpwnamallow(const char *user)
> #ifdef CUSTOM_FAILED_LOGIN
> record_failed_login(user, "ssh");
> #endif
>+#ifdef AUDIT_EVENTS
>+ audit_event(INVALID_USER);
>+#endif /* AUDIT_EVENTS */
> return (NULL);
> }
> if (!allowed_user(pw))
>Index: auth.h
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth.h,v
>retrieving revision 1.64
>diff -u -p -r1.64 auth.h
>--- auth.h 20 Jan 2005 11:20:51 -0000 1.64
>+++ auth.h 29 Jan 2005 13:09:11 -0000
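Review bot: `geteuid() == 0` is used in auth_log() as the test for "I am the privileged monitor (or privsep is off)", but the `AUTH_FAIL_NONE`/`AUTH_FAIL_PASSWD`/`AUTH_FAIL_KBDINT` branch has no fallback at all, so if sshd is running without root (a non-root instance on a high port, say) every failed password attempt is silently dropped from the audit trail, while the pubkey/hostbased branch still reaches the monitor through `PRIVSEP()`. An explicit "am I the monitor" flag exported from monitor.c would state the intent and survive that configuration; at minimum the euid test needs a comment such as `/* euid 0 here means we are the monitor (or privsep is off) */`. The comment in the pubkey branch assumes the monitor's own loop never reaches this code for those methods; if it does (signature verification is decided monitor-side, and that path is outside this hunk), a single failed signature would be recorded twice, once directly in the monitor and once via the child's `PRIVSEP()` request. auth_log() begins before this hunk.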
>@@ -130,6 +130,7 @@ int auth_shadow_pwexpired(Authctxt *);
> #endif
>
> #include "auth-pam.h"
>+#include "audit.h"
> void remove_kbdint_device(const char *);
>
> void disable_forwarding(void);
>Index: auth1.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth1.c,v
>retrieving revision 1.104
>diff -u -p -r1.104 auth1.c
>--- auth1.c 3 Dec 2004 03:33:47 -0000 1.104
>+++ auth1.c 31 Jan 2005 00:16:04 -0000
>@@ -247,8 +247,12 @@ do_authloop(Authctxt *authctxt)
> #else
> /* Special handling for root */
> if (authenticated && authctxt->pw->pw_uid == 0 &&
>- !auth_root_allowed(get_authname(type)))
>+ !auth_root_allowed(get_authname(type))) {
> authenticated = 0;
>+# ifdef AUDIT_EVENTS
>+ PRIVSEP(audit_event(LOGIN_ROOT_DENIED));
>+# endif
>+ }
> #endif
>
> #ifdef USE_PAM
>@@ -283,8 +287,12 @@ do_authloop(Authctxt *authctxt)
> if (authenticated)
> return;
>
>- if (authctxt->failures++ > options.max_authtries)
>+ if (authctxt->failures++ > options.max_authtries) {
>+#ifdef AUDIT_EVENTS
>+ PRIVSEP(audit_event(LOGIN_EXCEED_MAXTRIES));
>+#endif
> packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
>+ }
>
> packet_start(SSH_SMSG_FAILURE);
> packet_send();
>Index: auth2.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth2.c,v
>retrieving revision 1.132
>diff -u -p -r1.132 auth2.c
>--- auth2.c 3 Dec 2004 03:33:47 -0000 1.132
>+++ auth2.c 31 Jan 2005 00:16:22 -0000
>@@ -167,6 +167,9 @@ input_userauth_request(int type, u_int32
> if (options.use_pam)
> PRIVSEP(start_pam(authctxt));
> #endif
>+#ifdef AUDIT_EVENTS
>+ PRIVSEP(audit_event(INVALID_USER));
>+#endif
> }
> setproctitle("%s%s", authctxt->valid ? user : "unknown",
> use_privsep ? " [net]" : "");
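Review bot: The new `PRIVSEP(audit_event(INVALID_USER))` in input_userauth_request() will kill the connection under privilege separation: it becomes a `MONITOR_REQ_AUDIT_EVENT` to the monitor, and `mm_answer_audit_event()` in this patch whitelists only the `AUTH_FAIL_*`, `LOGIN_*` and `CONNECTION_CLOSE` types, so `INVALID_USER` lands in its `fatal("Audit event type %d not permitted")`. It is also redundant: the auth.c hunk already records `INVALID_USER` inside getpwnamallow(), which runs in the monitor under privsep and inline otherwise, so without privsep this gives two records per unknown username. Drop these three lines, or if the child-side event is the one wanted, add `case INVALID_USER:` to the monitor whitelist and remove the getpwnamallow() one. input_userauth_request() begins before this hunk.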
>@@ -214,8 +217,12 @@ userauth_finish(Authctxt *authctxt, int
>
> /* Special handling for root */
> if (authenticated && authctxt->pw->pw_uid == 0 &&
>- !auth_root_allowed(method))
>+ !auth_root_allowed(method)) {
> authenticated = 0;
>+#ifdef AUDIT_EVENTS
>+ PRIVSEP(audit_event(LOGIN_ROOT_DENIED));
>+#endif
>+ }
>
> #ifdef USE_PAM
> if (options.use_pam && authenticated) {
>@@ -255,8 +262,12 @@ userauth_finish(Authctxt *authctxt, int
> /* now we can break out */
> authctxt->success = 1;
> } else {
>- if (authctxt->failures++ > options.max_authtries)
>+ if (authctxt->failures++ > options.max_authtries) {
>+#ifdef AUDIT_EVENTS
>+ PRIVSEP(audit_event(LOGIN_EXCEED_MAXTRIES));
>+#endif
> packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
>+ }
> methods = authmethods_get();
> packet_start(SSH2_MSG_USERAUTH_FAILURE);
> packet_put_cstring(methods);
>Index: loginrec.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/loginrec.c,v
>retrieving revision 1.62
>diff -u -p -r1.62 loginrec.c
>--- loginrec.c 12 Sep 2004 05:26:01 -0000 1.62
>+++ loginrec.c 30 Jan 2005 09:03:49 -0000
>@@ -131,6 +131,7 @@
> #include "loginrec.h"
> #include "log.h"
> #include "atomicio.h"
>+#include "auth.h"
>
> #ifdef HAVE_UTIL_H
> # include <util.h>
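Review bot: A root login refused by auth_root_allowed() is recorded as `LOGIN_ROOT_DENIED` here and then, because `authenticated` has just been cleared and userauth_finish() presumably still logs the attempt further down (the auth_log() call is outside this hunk), also as the method's `AUTH_FAIL_*` event from the auth.c hunk, so a consumer will see two records for one attempt. That is defensible, but it should be stated at the point of emission, e.g. `/* auth_log() below also records this attempt as AUTH_FAIL_<method> */` above the `PRIVSEP()` call, and the same note belongs in the SSH1 copy in auth1.c. userauth_finish() starts and ends outside these hunks.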
>@@ -419,6 +420,12 @@ login_write(struct logininfo *li)
> if (li->type == LTYPE_LOGIN &&
> !sys_auth_record_login(li->username,li->hostname,li->line))
> logit("Writing login record failed for %s", li->username);
>+#endif
>+#ifdef AUDIT_EVENTS
>+ if (li->type == LTYPE_LOGIN)
>+ audit_session_open(li->line);
>+ else if (li->type == LTYPE_LOGOUT)
>+ audit_session_close(li->line);
> #endif
> return (0);
> }
>Index: monitor.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/monitor.c,v
>retrieving revision 1.77
>diff -u -p -r1.77 monitor.c
>--- monitor.c 11 Sep 2004 13:07:03 -0000 1.77
>+++ monitor.c 31 Jan 2005 00:29:00 -0000
>@@ -143,6 +143,11 @@ int mm_answer_gss_userok(int, Buffer *);
> int mm_answer_gss_checkmic(int, Buffer *);
> #endif
>
>+#ifdef AUDIT_EVENTS
>+int mm_answer_audit_event(int, Buffer *);
>+int mm_answer_audit_command(int, Buffer *);
>+#endif
>+
> static Authctxt *authctxt;
> static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
>
>@@ -186,6 +191,9 @@ struct mon_table mon_dispatch_proto20[]
> {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
> {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
> #endif
>+#ifdef AUDIT_EVENTS
>+ {MONITOR_REQ_AUDIT_EVENT, 0, mm_answer_audit_event},
>+#endif
> #ifdef BSD_AUTH
> {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
> {MONITOR_REQ_BSDAUTHRESPOND, MON_AUTH,mm_answer_bsdauthrespond},
>@@ -211,6 +219,10 @@ struct mon_table mon_dispatch_postauth20
> {MONITOR_REQ_PTY, 0, mm_answer_pty},
> {MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup},
> {MONITOR_REQ_TERM, 0, mm_answer_term},
>+#ifdef AUDIT_EVENTS
>+ {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
>+ {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
>+#endif
> {0, 0, NULL}
> };
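Review bot: The pre-auth `MONITOR_REQ_AUDIT_EVENT` entry makes the unprivileged network child a source of audit records: the monitor checks the event type in mm_answer_audit_event() but cannot confirm the event happened, so a compromised pre-auth child can fabricate `LOGIN_ROOT_DENIED`/`AUTH_FAIL_*` records or flood the audit log at will (the entry carries no `MON_ONCE` and there is no rate bound), though it can never produce `AUTH_SUCCESS`, which only the monitor emits in sshd.c. That trust boundary should be written next to the entry, e.g. `/* child-originated; type-checked but not verified by the monitor */`, so that anyone relying on these records for forensics knows which ones are monitor-attested. The login_write() hook records `li->line` verbatim, so audit_session_open()/close() will be called with whatever tty string the utmp path carries, which for a non-tty session (per audit.c's comment) would be NULL rather than the "(no tty)" placeholder that the null backend prints.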
>
>@@ -239,6 +251,9 @@ struct mon_table mon_dispatch_proto15[]
> {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
> {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
> #endif
>+#ifdef AUDIT_EVENTS
>+ {MONITOR_REQ_AUDIT_EVENT, 0, mm_answer_audit_event},
>+#endif
> {0, 0, NULL}
> };
>
>@@ -246,6 +261,10 @@ struct mon_table mon_dispatch_postauth15
> {MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty},
> {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup},
> {MONITOR_REQ_TERM, 0, mm_answer_term},
>+#ifdef AUDIT_EVENTS
>+ {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
>+ {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
>+#endif
> {0, 0, NULL}
> };
>
>@@ -609,6 +628,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
> if (options.use_pam)
> monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1);
> #endif
>+#ifdef AUDIT_EVENTS
>+ monitor_permit(mon_dispatch, MONITOR_REQ_AUDIT_EVENT, 1);
>+#endif
>
> return (0);
> }
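Review bot: `MONITOR_REQ_AUDIT_COMMAND` is `MON_PERMIT|MON_ONCE` in mon_dispatch_postauth15 but plain `MON_PERMIT` in mon_dispatch_postauth20 in the preceding hunk; the asymmetry is deliberate (audit.c's comment on audit_run_command() explains that SSH2 allows several sessions per connection) but reads like an oversight, so add `/* SSH1 has at most one session per connection */` beside the proto15 entry. The `monitor_permit(mon_dispatch, MONITOR_REQ_AUDIT_EVENT, 1)` in mm_answer_pwnamallow() is unconditional, so the child may send audit events even when the user lookup failed; that is what a subsequent `AUTH_FAIL_*` from the child needs, but a one-line comment saying so would save the next reader from wondering whether it was meant to be inside the success path. mm_answer_pwnamallow() begins before this hunk.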
>@@ -1490,6 +1512,49 @@ mm_answer_term(int sock, Buffer *req)
> /* Terminate process */
> exit(res);
> }
>+
>+#ifdef AUDIT_EVENTS
>+/* Report that an audit event occurred */
>+int
>+mm_answer_audit_event(int socket, Buffer *m)
>+{
>+ ssh_audit_event_t event;
>+
>+ debug3("%s entering", __func__);
>+
>+ event = buffer_get_int(m);
>+ buffer_free(m);
>+ switch(event) {
>+ case AUTH_FAIL_PUBKEY:
>+ case AUTH_FAIL_HOSTBASED:
>+ case AUTH_FAIL_GSSAPI:
>+ case LOGIN_EXCEED_MAXTRIES:
>+ case LOGIN_ROOT_DENIED:
>+ case CONNECTION_CLOSE:
>+ audit_event(event);
>+ break;
>+ default:
>+ fatal("Audit event type %d not permitted", event);
>+ }
>+
>+ return (0);
>+}
>+
>+int
>+mm_answer_audit_command(int socket, Buffer *m)
>+{
>+ u_int len;
>+ char *cmd;
>+
>+ debug3("%s entering", __func__);
>+ cmd = buffer_get_string(m, &len);
>+ /* sanity check command, if so how? */
>+ audit_run_command(cmd);
>+ xfree(cmd);
>+ buffer_free(m);
>+ return (0);
>+}
>+#endif /* AUDIT_EVENTS */
>
> void
> monitor_apply_keystate(struct monitor *pmonitor)
>Index: monitor.h
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/monitor.h,v
>retrieving revision 1.19
>diff -u -p -r1.19 monitor.h
>--- monitor.h 17 Nov 2003 11:18:22 -0000 1.19
>+++ monitor.h 29 Jan 2005 10:08:13 -0000
>@@ -59,6 +59,7 @@ enum monitor_reqtype {
> MONITOR_REQ_PAM_QUERY, MONITOR_ANS_PAM_QUERY,
> MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND,
> MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX,
>+ MONITOR_REQ_AUDIT_EVENT, MONITOR_REQ_AUDIT_COMMAND,
> MONITOR_REQ_TERM
> };
>
>Index: monitor_wrap.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/monitor_wrap.c,v
>retrieving revision 1.49
>diff -u -p -r1.49 monitor_wrap.c
>--- monitor_wrap.c 11 Sep 2004 13:07:03 -0000 1.49
>+++ monitor_wrap.c 30 Jan 2005 06:43:18 -0000
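Review bot: Both new handlers call `buffer_free(m)` on the request buffer the dispatcher hands them, but a `mm_answer_*` handler does not own that buffer (the established pattern is `buffer_clear()` before reusing it for a reply), and if monitor_read() frees it after the handler returns — which is outside this hunk but is how the other handlers appear to rely on it — this is a double free in the root-privileged monitor, reachable through nothing more than an ordinary failed public-key attempt; delete both `buffer_free(m);` lines. Separately, the whitelist in mm_answer_audit_event() omits `INVALID_USER` although the auth2.c hunk sends exactly that through `PRIVSEP()`, so under privsep the first unknown username reaches `fatal("Audit event type %d not permitted")`; either add `case INVALID_USER:` or remove the auth2.c call. In mm_answer_audit_command() the `len` from buffer_get_string() is never used, and the command is user-chosen text, so whether embedded NULs or control characters are neutralised before it reaches the audit record is left to the backend behind audit_run_command(); say so in place of the `/* sanity check command, if so how? */` placeholder rather than leaving the question open.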
>@@ -1103,6 +1103,36 @@ mm_auth_rsa_verify_response(Key *key, BI
> return (success);
> }
>
>+#ifdef AUDIT_EVENTS
>+void
>+mm_audit_event(ssh_audit_event_t event)
>+{
>+ Buffer m;
>+
>+ debug3("%s entering", __func__);
>+
>+ buffer_init(&m);
>+ buffer_put_int(&m, event);
>+
>+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_EVENT, &m);
>+ buffer_free(&m);
>+}
>+
>+void
>+mm_audit_run_command(const char *command)
>+{
>+ Buffer m;
>+
>+ debug3("%s entering command %s", __func__, command);
>+
>+ buffer_init(&m);
>+ buffer_put_cstring(&m, command);
>+
>+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, &m);
>+ buffer_free(&m);
>+}
>+#endif /* AUDIT_EVENTS */
>+
> #ifdef GSSAPI
> OM_uint32
> mm_ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID goid)
>Index: monitor_wrap.h
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/monitor_wrap.h,v
>retrieving revision 1.19
>diff -u -p -r1.19 monitor_wrap.h
>--- monitor_wrap.h 22 Jun 2004 02:56:02 -0000 1.19
>+++ monitor_wrap.h 30 Jan 2005 06:42:59 -0000
>@@ -74,6 +74,12 @@ int mm_sshpam_respond(void *, u_int, cha
> void mm_sshpam_free_ctx(void *);
> #endif
>
>+#ifdef AUDIT_EVENTS
>+#include "audit.h"
>+void mm_audit_event(ssh_audit_event_t);
>+void mm_audit_run_command(const char *);
>+#endif
>+
> struct Session;
> void mm_terminate(void);
> int mm_pty_allocate(int *, int *, char *, int);
>Index: session.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/session.c,v
>retrieving revision 1.291
>diff -u -p -r1.291 session.c
>--- session.c 19 Jan 2005 23:55:46 -0000 1.291
>+++ session.c 30 Jan 2005 23:42:20 -0000
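Review bot: `mm_audit_event()` and `mm_audit_run_command()` are fire-and-forget: the monitor.h hunk adds `MONITOR_REQ_AUDIT_EVENT` and `MONITOR_REQ_AUDIT_COMMAND` with no matching `MONITOR_ANS_*`, unlike every other request/answer pair in that enum, so the child never learns whether the monitor accepted or recorded the event and the only failure signal is the monitor dying on a non-whitelisted type. That is acceptable for best-effort auditing but should be stated on both functions, `/* No reply is expected; a failed or refused audit write is not reported back to the child. */`, and a deployment that must not proceed without a written record will need an answer message to act on. The `debug3("%s entering command %s", ...)` line copies the user's command into the debug log before it is audited, which is harmless at that level but worth noting next to it.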
>@@ -665,6 +665,18 @@ do_exec(Session *s, const char *command)
> debug("Forced command '%.900s'", command);
> }
>
>+#ifdef AUDIT_EVENTS
>+ if (command != NULL)
>+ PRIVSEP(audit_run_command(command));
>+ else if (s->ttyfd == -1) {
>+ char *shell = s->pw->pw_shell;
>+
>+ if (shell[0] == '\0') /* empty shell means /bin/sh */
>+ shell =_PATH_BSHELL;
>+ PRIVSEP(audit_run_command(shell));
>+ }
>+#endif
>+
> #ifdef GSSAPI
> if (options.gss_authentication) {
> temporarily_use_uid(s->pw);
>@@ -2309,6 +2321,10 @@ do_cleanup(Authctxt *authctxt)
> sshpam_cleanup();
> sshpam_thread_cleanup();
> }
>+#endif
>+
>+#ifdef AUDIT_EVENTS
>+ PRIVSEP(audit_event(CONNECTION_CLOSE));
> #endif
>
> /* remove agent socket */
>Index: sshd.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/sshd.c,v
>retrieving revision 1.302
>diff -u -p -r1.302 sshd.c
>--- sshd.c 24 Jan 2005 10:55:49 -0000 1.302
>+++ sshd.c 31 Jan 2005 00:26:06 -0000
>@@ -1628,6 +1628,9 @@ main(int ac, char **av)
> remote_port = get_remote_port();
> remote_ip = get_remote_ipaddr();
>
>+#ifdef AUDIT_EVENTS
>+ audit_connection_from(remote_ip, remote_port);
>+#endif
> #ifdef LIBWRAP
> /* Check whether logins are denied from this host. */
> if (packet_connection_is_on_socket()) {
>@@ -1697,6 +1700,10 @@ main(int ac, char **av)
> }
>
> authenticated:
>+#ifdef AUDIT_EVENTS
>+ audit_event(AUTH_SUCCESS);
>+#endif
>+
> /*
> * In privilege separation, we fork another child and prepare
> * file descriptor passing.
>@@ -2008,6 +2015,9 @@ do_ssh2_kex(void)
> void
> cleanup_exit(int i)
> {
>+#ifdef AUDIT_EVENTS
>+ audit_event(CONNECTION_ABANDON);
>+#endif
> if (the_authctxt)
> do_cleanup(the_authctxt);
> _exit(i);
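Review bot: cleanup_exit() now records `CONNECTION_ABANDON` unconditionally and then calls do_cleanup(), which the session.c hunk makes record `CONNECTION_CLOSE` as well, so any exit through cleanup_exit() with an authctxt — a fatal() after authentication, for instance — yields both events even though audit.h defines ABANDON as "closed without completing auth". Gate the first on the auth state, `if (the_authctxt == NULL || !the_authctxt->success)` (the `success` flag is the one userauth_finish() sets in the auth2.c hunk; check the SSH1 path sets it too), and note that this direct, non-`PRIVSEP()` call also runs inside the unprivileged pre-auth child whenever it hits fatal(), where a real backend may be unable to write at all — the audit.c comment about the_authctxt possibly being uninitialised here points at the same problem. If the normal end-of-connection path in main() does not go through do_cleanup() (it is outside these hunks), a clean disconnect never produces `CONNECTION_CLOSE`; emitting it from main() once do_authenticated() returns, instead of from do_cleanup(), would make the close record reliable. main(), do_exec() and do_cleanup() all extend outside these hunks.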