From f284c5eb834dc3621cb25af6ca164207cb3f19ad Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Jan 17 2018 09:10:28 +0000 Subject: Do not attempt to pass hostnames to audit (inconsistency) (#1534577) --- diff --git a/openssh-7.6p1-audit.patch b/openssh-7.6p1-audit.patch index bc9a470..b09ef65 100644 --- a/openssh-7.6p1-audit.patch +++ b/openssh-7.6p1-audit.patch @@ -310,7 +310,7 @@ diff -up openssh-7.6p1/audit.h.audit openssh-7.6p1/audit.h diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c --- openssh-7.6p1/audit-linux.c.audit 2017-10-02 21:34:26.000000000 +0200 +++ openssh-7.6p1/audit-linux.c 2017-10-04 17:18:32.835505053 +0200 -@@ -33,25 +33,38 @@ +@@ -33,27 +33,40 @@ #include "log.h" #include "audit.h" @@ -337,7 +337,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c -linux_audit_record_event(int uid, const char *username, const char *hostname, - const char *ip, const char *ttyn, int success) +static void -+linux_audit_user_logxxx(int uid, const char *username, const char *hostname, ++linux_audit_user_logxxx(int uid, const char *username, + const char *ip, const char *ttyn, int success, int event) { int audit_fd, rc, saved_errno; @@ -354,8 +354,11 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c - rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN, + rc = audit_log_acct_message(audit_fd, event, NULL, "login", username ? username : "(unknown)", - username == NULL ? uid : -1, hostname, ip, ttyn, success); +- username == NULL ? uid : -1, hostname, ip, ttyn, success); ++ username == NULL ? uid : -1, NULL, ip, ttyn, success); saved_errno = errno; + close(audit_fd); + @@ -65,9 +78,97 @@ linux_audit_record_event(int uid, const rc = 0; errno = saved_errno; @@ -369,7 +372,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c + +static void +linux_audit_user_auth(int uid, const char *username, -+ const char *hostname, const char *ip, const char *ttyn, int success, int event) ++ const char *ip, const char *ttyn, int success, int event) +{ + int audit_fd, rc, saved_errno; + static const char *event_name[] = { @@ -403,7 +406,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c + + rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH, + NULL, event_name[event], username ? username : "(unknown)", -+ username == NULL ? uid : -1, hostname, ip, ttyn, success); ++ username == NULL ? uid : -1, NULL, ip, ttyn, success); + saved_errno = errno; + close(audit_fd); + /* @@ -455,7 +458,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c /* Below is the sshd audit API code */ void -@@ -76,24 +177,51 @@ audit_connection_from(const char *host, +@@ -76,24 +177,55 @@ audit_connection_from(const char *host, /* not implemented */ } @@ -465,21 +468,25 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c { - /* not implemented */ + if (!user_login_count++) -+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, session_get_remote_name_or_ip(active_state, utmp_len, options.use_dns), -+ NULL, "ssh", 1, AUDIT_USER_LOGIN); -+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, session_get_remote_name_or_ip(active_state, utmp_len, options.use_dns), -+ NULL, "ssh", 1, AUDIT_USER_START); ++ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, ++ ssh_remote_ipaddr(active_state), ++ "ssh", 1, AUDIT_USER_LOGIN); ++ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, ++ ssh_remote_ipaddr(active_state), ++ "ssh", 1, AUDIT_USER_START); + return 0; +} + +void +audit_end_command(int handle, const char *command) +{ -+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, session_get_remote_name_or_ip(active_state, utmp_len, options.use_dns), -+ NULL, "ssh", 1, AUDIT_USER_END); ++ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, ++ ssh_remote_ipaddr(active_state), ++ "ssh", 1, AUDIT_USER_END); + if (user_login_count && !--user_login_count) -+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, session_get_remote_name_or_ip(active_state, utmp_len, options.use_dns), -+ NULL, "ssh", 1, AUDIT_USER_LOGOUT); ++ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, ++ ssh_remote_ipaddr(active_state), ++ "ssh", 1, AUDIT_USER_LOGOUT); +} + +void @@ -496,9 +503,9 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c - fatal("linux_audit_write_entry failed: %s", strerror(errno)); + if (!user_login_count++) + linux_audit_user_logxxx(li->uid, NULL, li->hostname, -+ NULL, li->line, 1, AUDIT_USER_LOGIN); ++ li->line, 1, AUDIT_USER_LOGIN); + linux_audit_user_logxxx(li->uid, NULL, li->hostname, -+ NULL, li->line, 1, AUDIT_USER_START); ++ li->line, 1, AUDIT_USER_START); } void @@ -506,10 +513,10 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c { - /* not implemented */ + linux_audit_user_logxxx(li->uid, NULL, li->hostname, -+ NULL, li->line, 1, AUDIT_USER_END); ++ li->line, 1, AUDIT_USER_END); + if (user_login_count && !--user_login_count) + linux_audit_user_logxxx(li->uid, NULL, li->hostname, -+ NULL, li->line, 1, AUDIT_USER_LOGOUT); ++ li->line, 1, AUDIT_USER_LOGOUT); } void @@ -518,16 +525,16 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c switch(event) { case SSH_AUTH_SUCCESS: - case SSH_CONNECTION_CLOSE: -+ linux_audit_user_auth(-1, audit_username(), NULL, ++ linux_audit_user_auth(-1, audit_username(), + ssh_remote_ipaddr(ssh), "ssh", 1, event); + break; + case SSH_NOLOGIN: - case SSH_LOGIN_EXCEED_MAXTRIES: case SSH_LOGIN_ROOT_DENIED: -+ linux_audit_user_auth(-1, audit_username(), NULL, ++ linux_audit_user_auth(-1, audit_username(), + ssh_remote_ipaddr(ssh), "ssh", 0, event); -+ linux_audit_user_logxxx(-1, audit_username(), NULL, ++ linux_audit_user_logxxx(-1, audit_username(), + ssh_remote_ipaddr(ssh), "ssh", 0, AUDIT_USER_LOGIN); break; + case SSH_LOGIN_EXCEED_MAXTRIES: @@ -537,7 +544,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c case SSH_AUTH_FAIL_PUBKEY: case SSH_AUTH_FAIL_HOSTBASED: case SSH_AUTH_FAIL_GSSAPI: -+ linux_audit_user_auth(-1, audit_username(), NULL, ++ linux_audit_user_auth(-1, audit_username(), + ssh_remote_ipaddr(ssh), "ssh", 0, event); + break; + @@ -545,11 +552,11 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c + if (user_login_count) { + while (user_login_count--) + linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, -+ session_get_remote_name_or_ip(ssh, utmp_len, options.use_dns), -+ NULL, "ssh", 1, AUDIT_USER_END); ++ ssh_remote_ipaddr(ssh), ++ "ssh", 1, AUDIT_USER_END); + linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, -+ session_get_remote_name_or_ip(ssh, utmp_len, options.use_dns), -+ NULL, "ssh", 1, AUDIT_USER_LOGOUT); ++ ssh_remote_ipaddr(ssh), ++ "ssh", 1, AUDIT_USER_LOGOUT); + } + break; + @@ -557,7 +564,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c case SSH_INVALID_USER: - linux_audit_record_event(-1, audit_username(), NULL, - ssh_remote_ipaddr(ssh), "sshd", 0); -+ linux_audit_user_logxxx(-1, audit_username(), NULL, ++ linux_audit_user_logxxx(-1, audit_username(), + ssh_remote_ipaddr(ssh), "ssh", 0, AUDIT_USER_LOGIN); break; default: