vishalmishra434 / rpms / openssh

Forked from rpms/openssh a month ago
Clone
Source Code
GIT

Blame openssh-4.7p1-audit.patch

c10s-sig-hyperscale c10s-sig-hyperscale-2 c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c8s-sig-hyperscale c9 c9-beta c9s-sig-hyperscale
  1.   257d66a4fb4febeb8b2aa576d1f801b9c6377a72
  2.   openssh-4.7p1-audit.patch
Blob History Raw
Jan F. Chadima 15914f 
diff -up openssh-5.2p1/auth.c.audit openssh-5.2p1/auth.c
Jan F. Chadima 15914f 
--- openssh-5.2p1/auth.c.audit	2008-11-05 06:12:54.000000000 +0100
Jan F. Chadima 15914f 
+++ openssh-5.2p1/auth.c	2009-08-09 09:22:23.634850536 +0200
Jan F. Chadima 15914f 
@@ -287,6 +287,12 @@ auth_log(Authctxt *authctxt, int authent
Tomáš Mráz c9833c 
 		    get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
Tomáš Mráz c9833c 
 # endif
Tomáš Mráz c9833c 
 #endif
Tomáš Mráz c9833c 
+#if HAVE_LINUX_AUDIT
Tomáš Mráz c9833c 
+	if (authenticated == 0 && !authctxt->postponed) {
Tomáš Mráz c9833c 
+		linux_audit_record_event(-1, authctxt->user, NULL,
Tomáš Mráz c9833c 
+			get_remote_ipaddr(), "sshd", 0);
Tomáš Mráz c9833c 
+	}
Tomáš Mráz c9833c 
+#endif
Tomáš Mráz c9833c 
 #ifdef SSH_AUDIT_EVENTS
Tomáš Mráz c9833c 
 	if (authenticated == 0 && !authctxt->postponed)
Tomáš Mráz c9833c 
 		audit_event(audit_classify_auth(method));
Jan F. Chadima 15914f 
@@ -533,6 +539,10 @@ getpwnamallow(const char *user)
Tomáš Mráz c9833c 
 		record_failed_login(user,
Tomáš Mráz c9833c 
 		    get_canonical_hostname(options.use_dns), "ssh");
Tomáš Mráz c9833c 
 #endif
Tomáš Mráz c9833c 
+#ifdef HAVE_LINUX_AUDIT
Tomáš Mráz c9833c 
+		linux_audit_record_event(-1, user, NULL, get_remote_ipaddr(),
Tomáš Mráz c9833c 
+			"sshd", 0);
Tomáš Mráz c9833c 
+#endif
Tomáš Mráz c9833c 
 #ifdef SSH_AUDIT_EVENTS
Tomáš Mráz c9833c 
 		audit_event(SSH_INVALID_USER);
Tomáš Mráz c9833c 
 #endif /* SSH_AUDIT_EVENTS */
Jan F. Chadima 15914f 
diff -up openssh-5.2p1/config.h.in.audit openssh-5.2p1/config.h.in
Jan F. Chadima 15914f 
--- openssh-5.2p1/config.h.in.audit	2009-02-23 01:18:12.000000000 +0100
Jan F. Chadima 15914f 
+++ openssh-5.2p1/config.h.in	2009-08-09 09:22:28.825939998 +0200
Jan F. Chadima 15914f 
@@ -1,5 +1,8 @@
Jan F. Chadima 15914f 
 /* config.h.in.  Generated from configure.ac by autoheader.  */
Jan F. Chadima 15914f
Jan F. Chadima 15914f 
+/* Define if building universal (internal helper macro) */
Jan F. Chadima 15914f 
+#undef AC_APPLE_UNIVERSAL_BUILD
Jan F. Chadima 15914f 
+
Jan F. Chadima 15914f 
 /* Define if you have a getaddrinfo that fails for the all-zeros IPv6 address
Jan F. Chadima 15914f 
    */
Jan F. Chadima 15914f 
 #undef AIX_GETNAMEINFO_HACK
Jan F. Chadima 15914f 
@@ -521,6 +524,9 @@
Jan F. Chadima 15914f 
 /* Define to 1 if you have the <lastlog.h> header file. */
Jan F. Chadima 15914f 
 #undef HAVE_LASTLOG_H
Jan F. Chadima 15914f
Jan F. Chadima 15914f 
+/* Define to 1 if you have the <libaudit.h> header file. */
Jan F. Chadima 15914f 
+#undef HAVE_LIBAUDIT_H
Jan F. Chadima 15914f 
+
Jan F. Chadima 15914f 
 /* Define to 1 if you have the `bsm' library (-lbsm). */
Jan F. Chadima 15914f 
 #undef HAVE_LIBBSM
Jan F. Chadima 15914f
Jan F. Chadima 15914f 
@@ -560,6 +566,9 @@
Jan F. Chadima 15914f 
 /* Define to 1 if you have the <limits.h> header file. */
Jan F. Chadima 15914f 
 #undef HAVE_LIMITS_H
Jan F. Chadima 15914f
Jan F. Chadima 15914f 
+/* Define if you want Linux audit support. */
Jan F. Chadima 15914f 
+#undef HAVE_LINUX_AUDIT
Jan F. Chadima 15914f 
+
Jan F. Chadima 15914f 
 /* Define to 1 if you have the <linux/if_tun.h> header file. */
Jan F. Chadima 15914f 
 #undef HAVE_LINUX_IF_TUN_H
Jan F. Chadima 15914f
Jan F. Chadima 15914f 
@@ -756,6 +765,9 @@
Jan F. Chadima 15914f 
 /* Define to 1 if you have the `setgroups' function. */
Jan F. Chadima 15914f 
 #undef HAVE_SETGROUPS
Jan F. Chadima 15914f
Jan F. Chadima 15914f 
+/* Define to 1 if you have the `setkeycreatecon' function. */
Jan F. Chadima 15914f 
+#undef HAVE_SETKEYCREATECON
Jan F. Chadima 15914f 
+
Jan F. Chadima 15914f 
 /* Define to 1 if you have the `setlogin' function. */
Jan F. Chadima 15914f 
 #undef HAVE_SETLOGIN
Jan F. Chadima 15914f
Jan F. Chadima 15914f 
@@ -1330,6 +1342,10 @@
Jan F. Chadima 15914f 
 /* Prepend the address family to IP tunnel traffic */
Jan F. Chadima 15914f 
 #undef SSH_TUN_PREPEND_AF
Jan F. Chadima 15914f
Jan F. Chadima 15914f 
+/* Define to your vendor patch level, if it has been modified from the
Jan F. Chadima 15914f 
+   upstream source release. */
Jan F. Chadima 15914f 
+#undef SSH_VENDOR_PATCHLEVEL
Jan F. Chadima 15914f 
+
Jan F. Chadima 15914f 
 /* Define to 1 if you have the ANSI C header files. */
Jan F. Chadima 15914f 
 #undef STDC_HEADERS
Jan F. Chadima 15914f
Jan F. Chadima 15914f 
@@ -1397,9 +1413,17 @@
Jan F. Chadima 15914f 
 /* Define if you want SELinux support. */
Jan F. Chadima 15914f 
 #undef WITH_SELINUX
Jan F. Chadima 15914f
Jan F. Chadima 15914f 
-/* Define to 1 if your processor stores words with the most significant byte
Jan F. Chadima 15914f 
-   first (like Motorola and SPARC, unlike Intel and VAX). */
Jan F. Chadima 15914f 
-#undef WORDS_BIGENDIAN
Jan F. Chadima 15914f 
+/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
Jan F. Chadima 15914f 
+   significant byte first (like Motorola and SPARC, unlike Intel). */
Jan F. Chadima 15914f 
+#if defined AC_APPLE_UNIVERSAL_BUILD
Jan F. Chadima 15914f 
+# if defined __BIG_ENDIAN__
Jan F. Chadima 15914f 
+#  define WORDS_BIGENDIAN 1
Jan F. Chadima 15914f 
+# endif
Jan F. Chadima 15914f 
+#else
Jan F. Chadima 15914f 
+# ifndef WORDS_BIGENDIAN
Jan F. Chadima 15914f 
+#  undef WORDS_BIGENDIAN
Jan F. Chadima 15914f 
+# endif
Jan F. Chadima 15914f 
+#endif
Jan F. Chadima 15914f
Jan F. Chadima 15914f 
 /* Define if xauth is found in your path */
Jan F. Chadima 15914f 
 #undef XAUTH_PATH
Jan F. Chadima 15914f 
diff -up openssh-5.2p1/configure.ac.audit openssh-5.2p1/configure.ac
Jan F. Chadima 15914f 
--- openssh-5.2p1/configure.ac.audit	2009-08-09 09:22:23.608877833 +0200
Jan F. Chadima 15914f 
+++ openssh-5.2p1/configure.ac	2009-08-09 09:22:23.646244409 +0200
Jan F. Chadima 15914f 
@@ -3342,6 +3342,18 @@ AC_ARG_WITH(selinux,
Jan F. Chadima 15914f 
 	fi ]
Jan F. Chadima 15914f 
 )
Jan F. Chadima 15914f
Jan F. Chadima 15914f 
+# Check whether user wants Linux audit support
Jan F. Chadima 15914f 
+LINUX_AUDIT_MSG="no"
Jan F. Chadima 15914f 
+AC_ARG_WITH(linux-audit,
Jan F. Chadima 15914f 
+	[  --with-linux-audit   Enable Linux audit support],
Jan F. Chadima 15914f 
+	[ if test "x$withval" != "xno" ; then
Jan F. Chadima 15914f 
+		AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.])
Jan F. Chadima 15914f 
+		LINUX_AUDIT_MSG="yes"
Jan F. Chadima 15914f 
+		AC_CHECK_HEADERS(libaudit.h)
Jan F. Chadima 15914f 
+		SSHDLIBS="$SSHDLIBS -laudit"
Jan F. Chadima 15914f 
+	fi ]
Jan F. Chadima 15914f 
+)
Jan F. Chadima 15914f 
+
Jan F. Chadima 15914f 
 # Check whether user wants Kerberos 5 support
Jan F. Chadima 15914f 
 KRB5_MSG="no"
Jan F. Chadima 15914f 
 AC_ARG_WITH(kerberos5,
Jan F. Chadima 15914f 
@@ -4170,6 +4182,7 @@ echo "                       PAM support
Jan F. Chadima 15914f 
 echo "                   OSF SIA support: $SIA_MSG"
Jan F. Chadima 15914f 
 echo "                 KerberosV support: $KRB5_MSG"
Jan F. Chadima 15914f 
 echo "                   SELinux support: $SELINUX_MSG"
Jan F. Chadima 15914f 
+echo "               Linux audit support: $LINUX_AUDIT_MSG"
Jan F. Chadima 15914f 
 echo "                 Smartcard support: $SCARD_MSG"
Jan F. Chadima 15914f 
 echo "                     S/KEY support: $SKEY_MSG"
Jan F. Chadima 15914f 
 echo "              TCP Wrappers support: $TCPW_MSG"
Jan F. Chadima 15914f 
diff -up openssh-5.2p1/loginrec.c.audit openssh-5.2p1/loginrec.c
Jan F. Chadima 15914f 
--- openssh-5.2p1/loginrec.c.audit	2009-02-12 03:12:22.000000000 +0100
Jan F. Chadima 15914f 
+++ openssh-5.2p1/loginrec.c	2009-08-09 09:22:23.667199702 +0200
Tomáš Mráz c9833c 
@@ -176,6 +176,10 @@
Tomáš Mráz ad07b9 
 #include "auth.h"
Tomáš Mráz ad07b9 
 #include "buffer.h"
Tomáš Mráz ad07b9
Tomáš Mráz ad07b9 
+#ifdef HAVE_LINUX_AUDIT
Tomáš Mráz ad07b9 
+# include <libaudit.h>
Tomáš Mráz ad07b9 
+#endif
Tomáš Mráz ad07b9 
+
Tomáš Mráz ad07b9 
 #ifdef HAVE_UTIL_H
Tomáš Mráz ad07b9 
 # include <util.h>
Tomáš Mráz ad07b9 
 #endif
Tomáš Mráz c9833c 
@@ -202,6 +206,9 @@ int utmp_write_entry(struct logininfo *l
Tomáš Mráz ad07b9 
 int utmpx_write_entry(struct logininfo *li);
Tomáš Mráz ad07b9 
 int wtmp_write_entry(struct logininfo *li);
Tomáš Mráz ad07b9 
 int wtmpx_write_entry(struct logininfo *li);
Tomáš Mráz ad07b9 
+#ifdef HAVE_LINUX_AUDIT
Tomáš Mráz ad07b9 
+int linux_audit_write_entry(struct logininfo *li);
Tomáš Mráz ad07b9 
+#endif
Tomáš Mráz ad07b9 
 int lastlog_write_entry(struct logininfo *li);
Tomáš Mráz ad07b9 
 int syslogin_write_entry(struct logininfo *li);
Tomáš Mráz ad07b9
Tomáš Mráz c9833c 
@@ -440,6 +447,10 @@ login_write(struct logininfo *li)
Tomáš Mráz ad07b9
Tomáš Mráz ad07b9 
 	/* set the timestamp */
Tomáš Mráz ad07b9 
 	login_set_current_time(li);
Tomáš Mráz ad07b9 
+#ifdef HAVE_LINUX_AUDIT
Tomáš Mráz ad07b9 
+	if (linux_audit_write_entry(li) == 0)
Tomáš Mráz ad07b9 
+		fatal("linux_audit_write_entry failed: %s", strerror(errno));
Tomáš Mráz ad07b9 
+#endif
Tomáš Mráz ad07b9 
 #ifdef USE_LOGIN
Tomáš Mráz ad07b9 
 	syslogin_write_entry(li);
Tomáš Mráz ad07b9 
 #endif
Jan F. Chadima 15914f 
@@ -1394,6 +1405,87 @@ wtmpx_get_entry(struct logininfo *li)
Tomáš Mráz ad07b9 
 }
Tomáš Mráz ad07b9 
 #endif /* USE_WTMPX */
Tomáš Mráz ad07b9
Tomáš Mráz ad07b9 
+#ifdef HAVE_LINUX_AUDIT
Jan F. Chadima 15914f 
+static void
Jan F. Chadima 15914f 
+_audit_hexscape(const char *what, char *where, unsigned int size)
Jan F. Chadima 15914f 
+{
Jan F. Chadima 15914f 
+	const char *ptr = what;
Jan F. Chadima 15914f 
+	const char *hex = "0123456789ABCDEF";
Jan F. Chadima 15914f 
+
Jan F. Chadima 15914f 
+	while (*ptr) {
Jan F. Chadima 15914f 
+		if (*ptr == '"' || *ptr < 0x21 || *ptr > 0x7E) {
Jan F. Chadima 15914f 
+			unsigned int i;
Jan F. Chadima 15914f 
+			ptr = what;
Jan F. Chadima 15914f 
+			for (i = 0; *ptr && i+2 < size; i += 2) {
Jan F. Chadima 15914f 
+				where[i] = hex[((unsigned)*ptr & 0xF0)>>4]; /* Upper nibble */
Jan F. Chadima 15914f 
+				where[i+1] = hex[(unsigned)*ptr & 0x0F];   /* Lower nibble */
Jan F. Chadima 15914f 
+				ptr++;
Jan F. Chadima 15914f 
+			}
Jan F. Chadima 15914f 
+			where[i] = '\0';
Jan F. Chadima 15914f 
+			return;
Jan F. Chadima 15914f 
+		}
Jan F. Chadima 15914f 
+		ptr++;
Jan F. Chadima 15914f 
+	}
Jan F. Chadima 15914f 
+	where[0] = '"';
Jan F. Chadima 15914f 
+	if ((unsigned)(ptr - what) < size - 3)
Jan F. Chadima 15914f 
+	{
Jan F. Chadima 15914f 
+		size = ptr - what + 3;
Jan F. Chadima 15914f 
+	}
Jan F. Chadima 15914f 
+	strncpy(where + 1, what, size - 3);
Jan F. Chadima 15914f 
+	where[size-2] = '"';
Jan F. Chadima 15914f 
+	where[size-1] = '\0';
Jan F. Chadima 15914f 
+}
Jan F. Chadima 15914f 
+
Jan F. Chadima 15914f 
+#define AUDIT_LOG_SIZE 128
Jan F. Chadima 15914f 
+#define AUDIT_ACCT_SIZE (AUDIT_LOG_SIZE - 8)
Jan F. Chadima 15914f 
+
Tomáš Mráz ad07b9 
+int
Tomáš Mráz ad07b9 
+linux_audit_record_event(int uid, const char *username,
Tomáš Mráz ad07b9 
+	const char *hostname, const char *ip, const char *ttyn, int success)
Tomáš Mráz ad07b9 
+{
Jan F. Chadima 15914f 
+	char buf[AUDIT_LOG_SIZE];
Tomáš Mráz ad07b9 
+	int audit_fd, rc;
Tomáš Mráz ad07b9 
+
Tomáš Mráz ad07b9 
+	audit_fd = audit_open();
Tomáš Mráz ad07b9 
+	if (audit_fd < 0) {
Tomáš Mráz ad07b9 
+	 	if (errno == EINVAL || errno == EPROTONOSUPPORT ||
Tomáš Mráz ad07b9 
+					errno == EAFNOSUPPORT)
Tomáš Mráz ad07b9 
+			return 1; /* No audit support in kernel */
Tomáš Mráz ad07b9 
+		else
Tomáš Mráz ad07b9 
+			return 0; /* Must prevent login */
Tomáš Mráz ad07b9 
+	}
Tomáš Mráz ad07b9 
+	if (username == NULL)
Tomáš Mráz ad07b9 
+		snprintf(buf, sizeof(buf), "uid=%d", uid);
Jan F. Chadima 15914f 
+	else {
Jan F. Chadima 15914f 
+		char encoded[AUDIT_ACCT_SIZE];
Jan F. Chadima 15914f 
+		_audit_hexscape(username, encoded, sizeof(encoded));
Jan F. Chadima 15914f 
+		snprintf(buf, sizeof(buf), "acct=%s", encoded);
Jan F. Chadima 15914f 
+	}
Tomáš Mráz ad07b9 
+	rc = audit_log_user_message(audit_fd, AUDIT_USER_LOGIN,
Tomáš Mráz ad07b9 
+		buf, hostname, ip, ttyn, success);
Tomáš Mráz ad07b9 
+	close(audit_fd);
Tomáš Mráz ad07b9 
+	if (rc >= 0)
Tomáš Mráz ad07b9 
+		return 1;
Tomáš Mráz ad07b9 
+	else
Tomáš Mráz ad07b9 
+		return 0;
Tomáš Mráz ad07b9 
+}
Tomáš Mráz ad07b9 
+
Tomáš Mráz ad07b9 
+int
Tomáš Mráz ad07b9 
+linux_audit_write_entry(struct logininfo *li)
Tomáš Mráz ad07b9 
+{
Tomáš Mráz ad07b9 
+	switch(li->type) {
Tomáš Mráz ad07b9 
+	case LTYPE_LOGIN:
Tomáš Mráz ad07b9 
+		return (linux_audit_record_event(li->uid, NULL, li->hostname,
Tomáš Mráz ad07b9 
+			NULL, li->line, 1));
Tomáš Mráz ad07b9 
+	case LTYPE_LOGOUT:
Tomáš Mráz ad07b9 
+		return (1);	/* We only care about logins */
Tomáš Mráz ad07b9 
+	default:
Tomáš Mráz ad07b9 
+		logit("%s: invalid type field", __func__);
Tomáš Mráz ad07b9 
+		return (0);
Tomáš Mráz ad07b9 
+	}
Tomáš Mráz ad07b9 
+}
Tomáš Mráz ad07b9 
+#endif /* HAVE_LINUX_AUDIT */
Tomáš Mráz ad07b9 
+
Tomáš Mráz ad07b9 
 /**
Tomáš Mráz ad07b9 
  ** Low-level libutil login() functions
Tomáš Mráz ad07b9 
  **/
Jan F. Chadima 15914f 
diff -up openssh-5.2p1/loginrec.h.audit openssh-5.2p1/loginrec.h
Jan F. Chadima 15914f 
--- openssh-5.2p1/loginrec.h.audit	2006-08-05 04:39:40.000000000 +0200
Jan F. Chadima 15914f 
+++ openssh-5.2p1/loginrec.h	2009-08-09 09:22:23.641175349 +0200
Tomáš Mráz c9833c 
@@ -127,5 +127,9 @@ char *line_stripname(char *dst, const ch
Tomáš Mráz c9833c 
 char *line_abbrevname(char *dst, const char *src, int dstsize);
Tomáš Mráz c9833c
Tomáš Mráz c9833c 
 void record_failed_login(const char *, const char *, const char *);
Tomáš Mráz c9833c 
+#ifdef HAVE_LINUX_AUDIT
Tomáš Mráz c9833c 
+int linux_audit_record_event(int uid, const char *username,
Tomáš Mráz c9833c 
+	const char *hostname, const char *ip, const char *ttyn, int success);
Tomáš Mráz c9833c 
+#endif /* HAVE_LINUX_AUDIT */
Tomáš Mráz c9833c
Tomáš Mráz c9833c 
 #endif /* _HAVE_LOGINREC_H_ */

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation