openssh/devel/openssh-5.3p1-audit.patch

diff -up openssh-5.3p1/auth.c.audit openssh-5.3p1/auth.c
--- openssh-5.3p1/auth.c.audit	2008-11-05 06:12:54.000000000 +0100
+++ openssh-5.3p1/auth.c	2009-10-11 13:02:47.000000000 +0200
@@ -287,6 +287,12 @@ auth_log(Authctxt *authctxt, int authent
 		    get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
 # endif
 #endif
+#if HAVE_LINUX_AUDIT
+	if (authenticated == 0 && !authctxt->postponed) {
+		linux_audit_record_event(-1, authctxt->user, NULL,
+			get_remote_ipaddr(), "sshd", 0);
+	}
+#endif
 #ifdef SSH_AUDIT_EVENTS
 	if (authenticated == 0 && !authctxt->postponed)
 		audit_event(audit_classify_auth(method));
@@ -533,6 +539,10 @@ getpwnamallow(const char *user)
 		record_failed_login(user,
 		    get_canonical_hostname(options.use_dns), "ssh");
 #endif
+#ifdef HAVE_LINUX_AUDIT
+		linux_audit_record_event(-1, user, NULL, get_remote_ipaddr(),
+			"sshd", 0);
+#endif
 #ifdef SSH_AUDIT_EVENTS
 		audit_event(SSH_INVALID_USER);
 #endif /* SSH_AUDIT_EVENTS */
diff -up openssh-5.3p1/config.h.in.audit openssh-5.3p1/config.h.in
--- openssh-5.3p1/config.h.in.audit	2009-09-26 08:31:14.000000000 +0200
+++ openssh-5.3p1/config.h.in	2009-10-11 13:09:41.000000000 +0200
@@ -533,6 +533,9 @@
 /* Define to 1 if you have the <lastlog.h> header file. */
 #undef HAVE_LASTLOG_H
 
+/* Define to 1 if you have the <libaudit.h> header file. */
+#undef HAVE_LIBAUDIT_H
+
 /* Define to 1 if you have the `bsm' library (-lbsm). */
 #undef HAVE_LIBBSM
 
@@ -572,6 +575,9 @@
 /* Define to 1 if you have the <limits.h> header file. */
 #undef HAVE_LIMITS_H
 
+/* Define if you want Linux audit support. */
+#undef HAVE_LINUX_AUDIT
+
 /* Define to 1 if you have the <linux/if_tun.h> header file. */
 #undef HAVE_LINUX_IF_TUN_H
 
@@ -768,6 +774,9 @@
 /* Define to 1 if you have the `setgroups' function. */
 #undef HAVE_SETGROUPS
 
+/* Define to 1 if you have the `setkeycreatecon' function. */
+#undef HAVE_SETKEYCREATECON
+
 /* Define to 1 if you have the `setlogin' function. */
 #undef HAVE_SETLOGIN
 
@@ -1348,6 +1357,10 @@
 /* Prepend the address family to IP tunnel traffic */
 #undef SSH_TUN_PREPEND_AF
 
+/* Define to your vendor patch level, if it has been modified from the
+   upstream source release. */
+#undef SSH_VENDOR_PATCHLEVEL
+
 /* Define to 1 if you have the ANSI C header files. */
 #undef STDC_HEADERS
 
diff -up openssh-5.3p1/configure.ac.audit openssh-5.3p1/configure.ac
--- openssh-5.3p1/configure.ac.audit	2009-09-11 06:56:08.000000000 +0200
+++ openssh-5.3p1/configure.ac	2009-10-11 13:08:03.000000000 +0200
@@ -3407,6 +3407,18 @@ AC_ARG_WITH(selinux,
 	fi ]
 )
 
+# Check whether user wants Linux audit support
+LINUX_AUDIT_MSG="no"
+AC_ARG_WITH(linux-audit,
+	[  --with-linux-audit   Enable Linux audit support],
+	[ if test "x$withval" != "xno" ; then
+		AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.])
+		LINUX_AUDIT_MSG="yes"
+		AC_CHECK_HEADERS(libaudit.h)
+		SSHDLIBS="$SSHDLIBS -laudit"
+	fi ]
+)
+
 # Check whether user wants Kerberos 5 support
 KRB5_MSG="no"
 AC_ARG_WITH(kerberos5,
@@ -4226,6 +4238,7 @@ echo "                       PAM support
 echo "                   OSF SIA support: $SIA_MSG"
 echo "                 KerberosV support: $KRB5_MSG"
 echo "                   SELinux support: $SELINUX_MSG"
+echo "               Linux audit support: $LINUX_AUDIT_MSG"
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
 echo "              TCP Wrappers support: $TCPW_MSG"
diff -up openssh-5.3p1/loginrec.c.audit openssh-5.3p1/loginrec.c
--- openssh-5.3p1/loginrec.c.audit	2009-02-12 03:12:22.000000000 +0100
+++ openssh-5.3p1/loginrec.c	2009-10-11 13:06:16.000000000 +0200
@@ -176,6 +176,10 @@
 #include "auth.h"
 #include "buffer.h"
 
+#ifdef HAVE_LINUX_AUDIT
+# include <libaudit.h>
+#endif
+
 #ifdef HAVE_UTIL_H
 # include <util.h>
 #endif
@@ -202,6 +206,9 @@ int utmp_write_entry(struct logininfo *l
 int utmpx_write_entry(struct logininfo *li);
 int wtmp_write_entry(struct logininfo *li);
 int wtmpx_write_entry(struct logininfo *li);
+#ifdef HAVE_LINUX_AUDIT
+int linux_audit_write_entry(struct logininfo *li);
+#endif
 int lastlog_write_entry(struct logininfo *li);
 int syslogin_write_entry(struct logininfo *li);
 
@@ -440,6 +447,10 @@ login_write(struct logininfo *li)
 
 	/* set the timestamp */
 	login_set_current_time(li);
+#ifdef HAVE_LINUX_AUDIT
+	if (linux_audit_write_entry(li) == 0)
+		fatal("linux_audit_write_entry failed: %s", strerror(errno));
+#endif
 #ifdef USE_LOGIN
 	syslogin_write_entry(li);
 #endif
@@ -1394,6 +1405,87 @@ wtmpx_get_entry(struct logininfo *li)
 }
 #endif /* USE_WTMPX */
 
+#ifdef HAVE_LINUX_AUDIT
+static void
+_audit_hexscape(const char *what, char *where, unsigned int size)
+{
+	const char *ptr = what;
+	const char *hex = "0123456789ABCDEF";
+
+	while (*ptr) {
+		if (*ptr == '"' || *ptr < 0x21 || *ptr > 0x7E) {
+			unsigned int i;
+			ptr = what;
+			for (i = 0; *ptr && i+2 < size; i += 2) {
+				where[i] = hex[((unsigned)*ptr & 0xF0)>>4]; /* Upper nibble */
+				where[i+1] = hex[(unsigned)*ptr & 0x0F];   /* Lower nibble */
+				ptr++;
+			}
+			where[i] = '\0';
+			return;
+		}
+		ptr++;
+	}
+	where[0] = '"';
+	if ((unsigned)(ptr - what) < size - 3)
+	{
+		size = ptr - what + 3;
+	}
+	strncpy(where + 1, what, size - 3);
+	where[size-2] = '"';
+	where[size-1] = '\0';
+}
+
+#define AUDIT_LOG_SIZE 128
+#define AUDIT_ACCT_SIZE (AUDIT_LOG_SIZE - 8)
+
+int
+linux_audit_record_event(int uid, const char *username,
+	const char *hostname, const char *ip, const char *ttyn, int success)
+{
+	char buf[AUDIT_LOG_SIZE];
+	int audit_fd, rc;
+
+	audit_fd = audit_open();
+	if (audit_fd < 0) {
+	 	if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+					errno == EAFNOSUPPORT)
+			return 1; /* No audit support in kernel */
+		else
+			return 0; /* Must prevent login */
+	}
+	if (username == NULL)
+		snprintf(buf, sizeof(buf), "uid=%d", uid);
+	else {
+		char encoded[AUDIT_ACCT_SIZE];
+		_audit_hexscape(username, encoded, sizeof(encoded));
+		snprintf(buf, sizeof(buf), "acct=%s", encoded);
+	}
+	rc = audit_log_user_message(audit_fd, AUDIT_USER_LOGIN,
+		buf, hostname, ip, ttyn, success);
+	close(audit_fd);
+	if (rc >= 0)
+		return 1;
+	else
+		return 0;
+}
+
+int
+linux_audit_write_entry(struct logininfo *li)
+{
+	switch(li->type) {
+	case LTYPE_LOGIN:
+		return (linux_audit_record_event(li->uid, NULL, li->hostname,
+			NULL, li->line, 1));
+	case LTYPE_LOGOUT:
+		return (1);	/* We only care about logins */
+	default:
+		logit("%s: invalid type field", __func__);
+		return (0);
+	}
+}
+#endif /* HAVE_LINUX_AUDIT */
+
 /**
  ** Low-level libutil login() functions
  **/
diff -up openssh-5.3p1/loginrec.h.audit openssh-5.3p1/loginrec.h
--- openssh-5.3p1/loginrec.h.audit	2006-08-05 04:39:40.000000000 +0200
+++ openssh-5.3p1/loginrec.h	2009-10-11 13:04:28.000000000 +0200
@@ -127,5 +127,9 @@ char *line_stripname(char *dst, const ch
 char *line_abbrevname(char *dst, const char *src, int dstsize);
 
 void record_failed_login(const char *, const char *, const char *);
+#ifdef HAVE_LINUX_AUDIT
+int linux_audit_record_event(int uid, const char *username,
+	const char *hostname, const char *ip, const char *ttyn, int success);
+#endif /* HAVE_LINUX_AUDIT */
 
 #endif /* _HAVE_LOGINREC_H_ */
1	diff -up openssh-5.3p1/auth.c.audit openssh-5.3p1/auth.c
2	--- openssh-5.3p1/auth.c.audit 2008-11-05 06:12:54.000000000 +0100
3	+++ openssh-5.3p1/auth.c 2009-10-11 13:02:47.000000000 +0200
4	@@ -287,6 +287,12 @@ auth_log(Authctxt *authctxt, int authent
5	get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
6	# endif
7	#endif
8	+#if HAVE_LINUX_AUDIT
9	+ if (authenticated == 0 && !authctxt->postponed) {
10	+ linux_audit_record_event(-1, authctxt->user, NULL,
11	+ get_remote_ipaddr(), "sshd", 0);
12	+ }
13	+#endif
14	#ifdef SSH_AUDIT_EVENTS
15	if (authenticated == 0 && !authctxt->postponed)
16	audit_event(audit_classify_auth(method));
17	@@ -533,6 +539,10 @@ getpwnamallow(const char *user)
18	record_failed_login(user,
19	get_canonical_hostname(options.use_dns), "ssh");
20	#endif
21	+#ifdef HAVE_LINUX_AUDIT
22	+ linux_audit_record_event(-1, user, NULL, get_remote_ipaddr(),
23	+ "sshd", 0);
24	+#endif
25	#ifdef SSH_AUDIT_EVENTS
26	audit_event(SSH_INVALID_USER);
27	#endif /* SSH_AUDIT_EVENTS */
28	diff -up openssh-5.3p1/config.h.in.audit openssh-5.3p1/config.h.in
29	--- openssh-5.3p1/config.h.in.audit 2009-09-26 08:31:14.000000000 +0200
30	+++ openssh-5.3p1/config.h.in 2009-10-11 13:09:41.000000000 +0200
31	@@ -533,6 +533,9 @@
32	/* Define to 1 if you have the <lastlog.h> header file. */
33	#undef HAVE_LASTLOG_H
34
35	+/* Define to 1 if you have the <libaudit.h> header file. */
36	+#undef HAVE_LIBAUDIT_H
37	+
38	/* Define to 1 if you have the `bsm' library (-lbsm). */
39	#undef HAVE_LIBBSM
40
41	@@ -572,6 +575,9 @@
42	/* Define to 1 if you have the <limits.h> header file. */
43	#undef HAVE_LIMITS_H
44
45	+/* Define if you want Linux audit support. */
46	+#undef HAVE_LINUX_AUDIT
47	+
48	/* Define to 1 if you have the <linux/if_tun.h> header file. */
49	#undef HAVE_LINUX_IF_TUN_H
50
51	@@ -768,6 +774,9 @@
52	/* Define to 1 if you have the `setgroups' function. */
53	#undef HAVE_SETGROUPS
54
55	+/* Define to 1 if you have the `setkeycreatecon' function. */
56	+#undef HAVE_SETKEYCREATECON
57	+
58	/* Define to 1 if you have the `setlogin' function. */
59	#undef HAVE_SETLOGIN
60
61	@@ -1348,6 +1357,10 @@
62	/* Prepend the address family to IP tunnel traffic */
63	#undef SSH_TUN_PREPEND_AF
64
65	+/* Define to your vendor patch level, if it has been modified from the
66	+ upstream source release. */
67	+#undef SSH_VENDOR_PATCHLEVEL
68	+
69	/* Define to 1 if you have the ANSI C header files. */
70	#undef STDC_HEADERS
71
72	diff -up openssh-5.3p1/configure.ac.audit openssh-5.3p1/configure.ac
73	--- openssh-5.3p1/configure.ac.audit 2009-09-11 06:56:08.000000000 +0200
74	+++ openssh-5.3p1/configure.ac 2009-10-11 13:08:03.000000000 +0200
75	@@ -3407,6 +3407,18 @@ AC_ARG_WITH(selinux,
76	fi ]
77	)
78
79	+# Check whether user wants Linux audit support
80	+LINUX_AUDIT_MSG="no"
81	+AC_ARG_WITH(linux-audit,
82	+ [ --with-linux-audit Enable Linux audit support],
83	+ [ if test "x$withval" != "xno" ; then
84	+ AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.])
85	+ LINUX_AUDIT_MSG="yes"
86	+ AC_CHECK_HEADERS(libaudit.h)
87	+ SSHDLIBS="$SSHDLIBS -laudit"
88	+ fi ]
89	+)
90	+
91	# Check whether user wants Kerberos 5 support
92	KRB5_MSG="no"
93	AC_ARG_WITH(kerberos5,
94	@@ -4226,6 +4238,7 @@ echo " PAM support
95	echo " OSF SIA support: $SIA_MSG"
96	echo " KerberosV support: $KRB5_MSG"
97	echo " SELinux support: $SELINUX_MSG"
98	+echo " Linux audit support: $LINUX_AUDIT_MSG"
99	echo " Smartcard support: $SCARD_MSG"
100	echo " S/KEY support: $SKEY_MSG"
101	echo " TCP Wrappers support: $TCPW_MSG"
102	diff -up openssh-5.3p1/loginrec.c.audit openssh-5.3p1/loginrec.c
103	--- openssh-5.3p1/loginrec.c.audit 2009-02-12 03:12:22.000000000 +0100
104	+++ openssh-5.3p1/loginrec.c 2009-10-11 13:06:16.000000000 +0200
105	@@ -176,6 +176,10 @@
106	#include "auth.h"
107	#include "buffer.h"
108
109	+#ifdef HAVE_LINUX_AUDIT
110	+# include <libaudit.h>
111	+#endif
112	+
113	#ifdef HAVE_UTIL_H
114	# include <util.h>
115	#endif
116	@@ -202,6 +206,9 @@ int utmp_write_entry(struct logininfo *l
117	int utmpx_write_entry(struct logininfo *li);
118	int wtmp_write_entry(struct logininfo *li);
119	int wtmpx_write_entry(struct logininfo *li);
120	+#ifdef HAVE_LINUX_AUDIT
121	+int linux_audit_write_entry(struct logininfo *li);
122	+#endif
123	int lastlog_write_entry(struct logininfo *li);
124	int syslogin_write_entry(struct logininfo *li);
125
126	@@ -440,6 +447,10 @@ login_write(struct logininfo *li)
127
128	/* set the timestamp */
129	login_set_current_time(li);
130	+#ifdef HAVE_LINUX_AUDIT
131	+ if (linux_audit_write_entry(li) == 0)
132	+ fatal("linux_audit_write_entry failed: %s", strerror(errno));
133	+#endif
134	#ifdef USE_LOGIN
135	syslogin_write_entry(li);
136	#endif
137	@@ -1394,6 +1405,87 @@ wtmpx_get_entry(struct logininfo *li)
138	}
139	#endif /* USE_WTMPX */
140
141	+#ifdef HAVE_LINUX_AUDIT
142	+static void
143	+_audit_hexscape(const char what, char where, unsigned int size)
144	+{
145	+ const char *ptr = what;
146	+ const char *hex = "0123456789ABCDEF";
147	+
148	+ while (*ptr) {
149	+ if (ptr == '"' \|\| ptr < 0x21 \|\| *ptr > 0x7E) {
150	+ unsigned int i;
151	+ ptr = what;
152	+ for (i = 0; *ptr && i+2 < size; i += 2) {
153	+ where[i] = hex[((unsigned)ptr & 0xF0)>>4]; / Upper nibble */
154	+ where[i+1] = hex[(unsigned)ptr & 0x0F]; / Lower nibble */
155	+ ptr++;
156	+ }
157	+ where[i] = '\0';
158	+ return;
159	+ }
160	+ ptr++;
161	+ }
162	+ where[0] = '"';
163	+ if ((unsigned)(ptr - what) < size - 3)
164	+ {
165	+ size = ptr - what + 3;
166	+ }
167	+ strncpy(where + 1, what, size - 3);
168	+ where[size-2] = '"';
169	+ where[size-1] = '\0';
170	+}
171	+
172	+#define AUDIT_LOG_SIZE 128
173	+#define AUDIT_ACCT_SIZE (AUDIT_LOG_SIZE - 8)
174	+
175	+int
176	+linux_audit_record_event(int uid, const char *username,
177	+ const char hostname, const char ip, const char *ttyn, int success)
178	+{
179	+ char buf[AUDIT_LOG_SIZE];
180	+ int audit_fd, rc;
181	+
182	+ audit_fd = audit_open();
183	+ if (audit_fd < 0) {
184	+ if (errno == EINVAL \|\| errno == EPROTONOSUPPORT \|\|
185	+ errno == EAFNOSUPPORT)
186	+ return 1; /* No audit support in kernel */
187	+ else
188	+ return 0; /* Must prevent login */
189	+ }
190	+ if (username == NULL)
191	+ snprintf(buf, sizeof(buf), "uid=%d", uid);
192	+ else {
193	+ char encoded[AUDIT_ACCT_SIZE];
194	+ _audit_hexscape(username, encoded, sizeof(encoded));
195	+ snprintf(buf, sizeof(buf), "acct=%s", encoded);
196	+ }
197	+ rc = audit_log_user_message(audit_fd, AUDIT_USER_LOGIN,
198	+ buf, hostname, ip, ttyn, success);
199	+ close(audit_fd);
200	+ if (rc >= 0)
201	+ return 1;
202	+ else
203	+ return 0;
204	+}
205	+
206	+int
207	+linux_audit_write_entry(struct logininfo *li)
208	+{
209	+ switch(li->type) {
210	+ case LTYPE_LOGIN:
211	+ return (linux_audit_record_event(li->uid, NULL, li->hostname,
212	+ NULL, li->line, 1));
213	+ case LTYPE_LOGOUT:
214	+ return (1); /* We only care about logins */
215	+ default:
216	+ logit("%s: invalid type field", __func__);
217	+ return (0);
218	+ }
219	+}
220	+#endif /* HAVE_LINUX_AUDIT */
221	+
222	/**
223	** Low-level libutil login() functions
224	**/
225	diff -up openssh-5.3p1/loginrec.h.audit openssh-5.3p1/loginrec.h
226	--- openssh-5.3p1/loginrec.h.audit 2006-08-05 04:39:40.000000000 +0200
227	+++ openssh-5.3p1/loginrec.h 2009-10-11 13:04:28.000000000 +0200
228	@@ -127,5 +127,9 @@ char line_stripname(char dst, const ch
229	char line_abbrevname(char dst, const char *src, int dstsize);
230
231	void record_failed_login(const char , const char , const char *);
232	+#ifdef HAVE_LINUX_AUDIT
233	+int linux_audit_record_event(int uid, const char *username,
234	+ const char hostname, const char ip, const char *ttyn, int success);
235	+#endif /* HAVE_LINUX_AUDIT */
236
237	#endif /* _HAVE_LOGINREC_H_ */
admin@fedoraproject.org	ViewVC Help
Powered by ViewVC 1.1.2