Created attachment 1396 [details] Proposed patch The attached patch adds support for auditing through the Linux Audit subsystem. The patch is included in Fedora and RHEL builds of OpenSSH. It was written by Steve Grubb, I did some small adjustments to it too.
Is there any reason you did not use the existing audit framework in audit.c rather than adding new code in the mainline? Also, what's the purpose of the "hexescape" code, and could strnvis be used for this purpose instead?
(In reply to comment #1)
> Is there any reason you did not use the existing audit framework in
> audit.c rather than adding new code in the mainline? Also, what's the

The patch is rather old and it was originally written for openssh-3.9p1 I think. But you're right that it should be rewritten to use the audit.c framework.

> purpose of the "hexescape" code, and could strnvis be used for this
> purpose instead?

The escaping in Linux Audit is different from strnvis - either the whole string is escaped by using hexadecimal numbers or it starts and ends with '"' character.
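The two-form encoding described above (whole value as hex, or wrapped in double quotes), as an added example that is not part of the patch or of libaudit: the helper names audit_escape/audit_unescape are hypothetical, and the set of bytes that forces the hex form (anything outside printable ASCII, space, or '"') is an assumption, since the comment only states the two output shapes. The decoder is the part a log consumer needs, and it rejects malformed hex instead of guessing.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: a byte outside 0x21..0x7e or a '"' forces the hex form. */
static int needs_hex(const char *s) {
    for (; *s; s++)
        if ((unsigned char)*s < 0x21 || (unsigned char)*s > 0x7e || *s == '"')
            return 1;
    return 0;
}

/* Encode one audit field value. Hypothetical helper; caller frees. */
char *audit_escape(const char *s) {
    size_t n = strlen(s);
    char *out;
    if (!needs_hex(s)) {                 /* safe: emit "value" */
        out = malloc(n + 3);
        if (out) snprintf(out, n + 3, "\"%s\"", s);
        return out;
    }
    out = malloc(2 * n + 1);             /* unsafe: emit uppercase hex of every byte */
    if (!out) return NULL;
    for (size_t i = 0; i < n; i++)
        snprintf(out + 2 * i, 3, "%02X", (unsigned char)s[i]);
    return out;
}

/* Decode a field value read from the audit log. Returns NULL for a
 * malformed hex field (odd length or a non-hex digit); caller frees. */
char *audit_unescape(const char *f) {
    size_t n = strlen(f);
    char *out;
    if (n >= 2 && f[0] == '"' && f[n - 1] == '"') {
        out = malloc(n - 1);
        if (out) { memcpy(out, f + 1, n - 2); out[n - 2] = '\0'; }
        return out;
    }
    if (n % 2) return NULL;
    out = malloc(n / 2 + 1);
    if (!out) return NULL;
    for (size_t i = 0; i < n; i += 2) {
        if (!isxdigit((unsigned char)f[i]) || !isxdigit((unsigned char)f[i + 1])) {
            free(out);
            return NULL;
        }
        char hex[3] = { f[i], f[i + 1], '\0' };
        out[i / 2] = (char)strtol(hex, NULL, 16);
    }
    out[n / 2] = '\0';
    return out;
}
```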
*** Bug 1642 has been marked as a duplicate of this bug. ***
Created attachment 1930 [details] Patch using the ssh_audit subsystem Finally I got the time to rewrite the patch, can anybody review it? Please.
Created attachment 1931 [details] improved patch
Thanks, this looks pretty good, target 5.7.
Comment on attachment 1931 [details] improved patch >+/* #pragma ident "@(#)audit-linux.c 1.1 01/09/17 SMI" */ It looks like this file was originally based on the Sun-copyright audit-bsm.c. That said, it looks like none of the original Sun code remains. >+ else >+ return 0; /* Must prevent login */ whitespace. >+ if (rc >= 0) >+ return 1; >+ else >+ return 0; return(rc >= 0); ? >+ if (linux_audit_record_event(li->uid, NULL, li->hostname, >+ NULL, li->line, 1) == 0) indenting wrong (see http://www.openbsd.org/cgi-bin/man.cgi?query=style for the guidelines). >+ fatal("linux_audit_write_entry failed: %s", strerror(errno)); the close() call in linux_audit_record_event() can reset errno, so if you're relying on what audit_log_acct_message sets you should save errno and restore it. > AUDIT_MODULE=none > AC_ARG_WITH(audit, >- [ --with-audit=module Enable EXPERIMENTAL audit support (modules=debug,bsm)], >+ [ --with-audit=module Enable EXPERIMENTAL audit support (modules=debug,bsm,linux)], I'm removing the EXPERIMENTAL tag as BSM has been in for years. >- audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \ >+ audit.o audit-bsm.o audit-linux.o platform.o sftp-server.o sftp-common.o \ I'm moving the audit bits to a line on its own just for ease of maintenance. Will attach an updated patch shortly.
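Review bot: the fatal() message in the quoted lines names linux_audit_write_entry, while the call whose return value is checked just above it is linux_audit_record_event; if that is the function that failed, name it in the message so the logged error points at the routine that actually set errno. This matters together with the errno point already raised: strerror(errno) is evaluated only when fatal() runs, so the saved errno has to be restored before this line, not after.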
Created attachment 1934 [details] clean up patch some more
Created attachment 1939 [details] additional patch for auditing authorized keys usage
Attached another patch component, which allows auditing of authorized keys usage. The key type, size and fingerprint are logged in the case of successful authorization using authorized (user) keys.
Created attachment 1940 [details] Additional patch for auditing authorized keys usage
Created attachment 1942 [details] Additional patch for auditing authorized keys usage
Created attachment 1943 [details] Additional patch for auditing authorized keys usage
Created attachment 1945 [details] Additional patch for auditing protocol negotiation results
Created attachment 1950 [details] Additional patch for auditing authorized keys usage
Created attachment 1951 [details] Additional patch for auditing (user and host) authorized keys usage
Created attachment 1952 [details] Additional patch for auditing protocol negotiation results
Add the possibility to audit host-based keys to the additional patch for auditing authorized keys usage. Update the audit protocol negotiation patch to match the authorized keys patch.
Created attachment 1954 [details] Additional patch for auditing (user and host) authorized keys usage
Created attachment 1974 [details] Please add this to "clean up patch some more" This little add-on repairs the reviewed patch. Without it sshd cannot be run as a non-root user. Please add it to 5.7 also.
Created attachment 1975 [details] Additional patch for auditing (user and host) authorized keys usage Improve the patch: enable sshd to run as a non-root user.
Created attachment 1976 [details] Additional patch for auditing protocol negotiation results Improve the patch: enable running sshd as a non-root user, enable rekeying.
Created attachment 1981 [details] base linux audit support (combined #1934 and #1974) This is the base-level audit support which I intend to put in for 5.7. I think the additional auditing capabilities/code needs further review. I changed the root-check to geteuid() and moved it to before the errno restore in case geteuid messes with errno (unlikely).
Comment on attachment 1981 [details] base linux audit support (combined #1934 and #1974) thanks, patch #1981 has been committed and will be in the 5.7p1 release. We'll look at the other parts next release.
Retarget unclosed bugs from 5.7=>5.8
Created attachment 2010 [details] patch removing duplicate audit
Created attachment 2011 [details] patch for better audit of user actions
Created attachment 2012 [details] patch adding logging of the key based authentications
Created attachment 2013 [details] patch adding results of the kex exchange
Created attachment 2014 [details] patch adding audit of session key destruction
Created attachment 2015 [details] patch adding audit of server key destruction
Uploaded a new patch set for Linux audit (and general audit also). The patchset depends on the bz#1879 fingerprint patch.
Retarget unresolved bugs/features to 6.0 release
Retarget unresolved bugs/features to 6.0 release (try again - bugzilla's "change several" isn't)
Current patch set (especially audit of session key destruction) does not work with openssh-5.9p1. I'm preparing the improved patches.
Created attachment 2085 [details] 00 removing duplicate audit suitable for 5.9p1
Created attachment 2086 [details] 01 better audit of user actions suitable for 5.9p1
Created attachment 2087 [details] 02 log the key based authentications suitable for 5.9p1
Created attachment 2088 [details] 03 audit protocol negotiation results suitable for 5.9p1
Created attachment 2089 [details] 04 audit session key destruction suitable for 5.9p1
Created attachment 2090 [details] 05 audit server key destruction suitable for 5.9p1
The status of the bug was updated for openssh 5.9p1.
(In reply to comment #42)
> Created attachment 2090 [details]
> 05 audit server key destruction suitable for 5.9p1

I don't see the point of this one at all. Should every bzero() be an audit event?
Of course not :) These particular cases are required to meet common criteria.
Retarget from 6.0 to 6.1
Retarget 6.0 => 6.1
Retarget uncompleted bugs from 6.1 => 6.2
Retarget bugs from 6.1 => 6.2
retarget to openssh-6.3
Retarget to openssh-6.4
Retarget 6.3 -> 6.4
Retarget incomplete bugs / feature requests to 6.6 release
Retarget to 6.7 release, since 6.6 was mostly bugfixing.
Remove from 6.6 tracking bug
Retarget incomplete bugs to 6.8 release.
These bugs are no longer targeted at the imminent 6.7 release
OpenSSH 6.8 is approaching release and closed for major work. Retarget these bugs for the next release.
Retarget to 6.9
Retarget pending bugs to openssh-7.1
Retarget to openssh-7.3
Created attachment 2795 [details] audit patch rebased for 7.2 HEAD Seems like this bug/feature request is still on the tracker. We use this patch, but today all the changes are merged into a single patch, so it is not such a nice view. I tried to clean up the patch, made it apply on the current HEAD and successfully checked the functionality of configure&build&tests with --with-audit=linux and without audit enabled. All tests passed in both cases. I understand that some of the things might not fit upstream, but it would be fine to have at least the hooks in the code. I can restructure the patch/provide comments. Please let me know what is the most suitable way from your point of view.
retarget unfinished bugs to next release
OpenSSH 7.4 release is closing; punt the bugs to 7.5
Move incomplete bugs to openssh-7.6 target since 7.5 shipped a while back. To calibrate expectations, there's little chance all of these are going to make 7.6.
remove 7.5 target
Any chance of this making it into next release - 7.7?
Move to OpenSSH 7.8 tracking bug
Retarget remaining bugs planned for 7.8 release to 7.9
Retarget unfinished bugs to OpenSSH 8.0
Retarget outstanding bugs at next release
Retarget these bugs to 8.2 release
Is this patch still used by anyone? It seems a bunch of stuff that is very obsolete...
(In reply to Damien Miller from comment #81)
> Is this patch still used by anyone? It seems a bunch of stuff that
> is very obsolete...

Red Hat and Fedora are still carrying it, I believe. See: https://src.fedoraproject.org/rpms/openssh/blob/master/f/openssh-7.6p1-audit.patch and https://git.centos.org/rpms/openssh/blob/c8/f/SOURCES/openssh-7.6p1-audit.patch
Right, we still use it in both Fedora and RHEL, as you can see from the links in the previous comment, and even after 13 years we would appreciate a review and consideration of including these changes. The Fedora patches are the most up-to-date version, based on the current OpenSSH 8.1 at the time of writing this comment: https://src.fedoraproject.org/rpms/openssh/blob/master/f/openssh-7.6p1-audit.patch https://src.fedoraproject.org/rpms/openssh/blob/master/f/openssh-7.1p2-audit-race-condition.patch