openssh/openssh-5.9p1-audit.patch

225 lines
6.6 KiB
Diff
Raw Normal View History

# add support for Linux audit (FATE #120269)
================================================================================
--- openssh-6.2p2.orig/Makefile.in
+++ openssh-6.2p2/Makefile.in
@@ -47,6 +47,7 @@ LIBS=@LIBS@
K5LIBS=@K5LIBS@
GSSLIBS=@GSSLIBS@
SSHLIBS=@SSHLIBS@
+LIBAUDIT=@LIBAUDIT@
SSHDLIBS=@SSHDLIBS@
LIBEDIT=@LIBEDIT@
AR=@AR@
@@ -144,7 +145,7 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SS
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(LIBAUDIT)
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
--- openssh-6.2p2.orig/auth.c
+++ openssh-6.2p2/auth.c
@@ -298,6 +298,12 @@ auth_log(Authctxt *authctxt, int authent
get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
# endif
#endif
+#if HAVE_LINUX_AUDIT
+ if (authenticated == 0 && !authctxt->postponed) {
+ linux_audit_record_event(-1, authctxt->user, NULL,
+ get_remote_ipaddr(), "sshd", 0);
+ }
+#endif
#ifdef SSH_AUDIT_EVENTS
if (authenticated == 0 && !authctxt->postponed)
audit_event(audit_classify_auth(method));
@@ -606,6 +612,10 @@ getpwnamallow(const char *user)
record_failed_login(user,
get_canonical_hostname(options.use_dns), "ssh");
#endif
+#ifdef HAVE_LINUX_AUDIT
+ linux_audit_record_event(-1, user, NULL, get_remote_ipaddr(),
+ "sshd", 0);
+#endif
#ifdef SSH_AUDIT_EVENTS
audit_event(SSH_INVALID_USER);
#endif /* SSH_AUDIT_EVENTS */
--- openssh-6.2p2.orig/config.h.in
+++ openssh-6.2p2/config.h.in
@@ -1554,6 +1554,9 @@
/* Define if you want SELinux support. */
#undef WITH_SELINUX
+/* Define if you want Linux audit support. */
+#undef HAVE_LINUX_AUDIT
+
/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
significant byte first (like Motorola and SPARC, unlike Intel). */
#if defined AC_APPLE_UNIVERSAL_BUILD
--- openssh-6.2p2.orig/configure.ac
+++ openssh-6.2p2/configure.ac
@@ -3653,6 +3653,20 @@ AC_ARG_WITH([selinux],
AC_SUBST([SSHLIBS])
AC_SUBST([SSHDLIBS])
+# Check whether user wants Linux audit support
+LINUX_AUDIT_MSG="no"
+LIBAUDIT=""
+AC_ARG_WITH([linux-audit],
+ [ --with-linux-audit Enable Linux audit support],
+ [ if test "x$withval" != "xno" ; then
+ AC_DEFINE([HAVE_LINUX_AUDIT],[1],[Define if you want Linux audit support.])
+ LINUX_AUDIT_MSG="yes"
+ AC_CHECK_HEADERS([libaudit.h])
+ LIBAUDIT="-laudit"
+ fi
+ ])
+AC_SUBST([LIBAUDIT])
+
# Check whether user wants Kerberos 5 support
KRB5_MSG="no"
AC_ARG_WITH([kerberos5],
@@ -4569,6 +4583,7 @@ echo " PAM support
echo " OSF SIA support: $SIA_MSG"
echo " KerberosV support: $KRB5_MSG"
echo " SELinux support: $SELINUX_MSG"
+echo " Linux audit support: $LINUX_AUDIT_MSG"
echo " Smartcard support: $SCARD_MSG"
echo " S/KEY support: $SKEY_MSG"
echo " TCP Wrappers support: $TCPW_MSG"
--- openssh-6.2p2.orig/loginrec.c
+++ openssh-6.2p2/loginrec.c
@@ -176,6 +176,10 @@
#include "auth.h"
#include "buffer.h"
+#ifdef HAVE_LINUX_AUDIT
+# include <libaudit.h>
+#endif
+
#ifdef HAVE_UTIL_H
# include <util.h>
#endif
@@ -198,6 +202,9 @@ int utmp_write_entry(struct logininfo *l
int utmpx_write_entry(struct logininfo *li);
int wtmp_write_entry(struct logininfo *li);
int wtmpx_write_entry(struct logininfo *li);
+#ifdef HAVE_LINUX_AUDIT
+int linux_audit_write_entry(struct logininfo *li);
+#endif
int lastlog_write_entry(struct logininfo *li);
int syslogin_write_entry(struct logininfo *li);
@@ -438,6 +445,10 @@ login_write(struct logininfo *li)
/* set the timestamp */
login_set_current_time(li);
+#ifdef HAVE_LINUX_AUDIT
+ if (linux_audit_write_entry(li) == 0)
+ fatal("linux_audit_write_entry failed: %s", strerror(errno));
+#endif
#ifdef USE_LOGIN
syslogin_write_entry(li);
#endif
@@ -1402,6 +1413,87 @@ wtmpx_get_entry(struct logininfo *li)
}
#endif /* USE_WTMPX */
+#ifdef HAVE_LINUX_AUDIT
+static void
+_audit_hexscape(const char *what, char *where, unsigned int size)
+{
+ const char *ptr = what;
+ const char *hex = "0123456789ABCDEF";
+
+ while (*ptr) {
+ if (*ptr == '"' || *ptr < 0x21 || *ptr > 0x7E) {
+ unsigned int i;
+ ptr = what;
+ for (i = 0; *ptr && i+2 < size; i += 2) {
+ where[i] = hex[((unsigned)*ptr & 0xF0)>>4]; /* Upper nibble */
+ where[i+1] = hex[(unsigned)*ptr & 0x0F]; /* Lower nibble */
+ ptr++;
+ }
+ where[i] = '\0';
+ return;
+ }
+ ptr++;
+ }
+ where[0] = '"';
+ if ((unsigned)(ptr - what) < size - 3)
+ {
+ size = ptr - what + 3;
+ }
+ strncpy(where + 1, what, size - 3);
+ where[size-2] = '"';
+ where[size-1] = '\0';
+}
+
+#define AUDIT_LOG_SIZE 128
+#define AUDIT_ACCT_SIZE (AUDIT_LOG_SIZE - 8)
+
+int
+linux_audit_record_event(int uid, const char *username,
+ const char *hostname, const char *ip, const char *ttyn, int success)
+{
+ char buf[AUDIT_LOG_SIZE];
+ int audit_fd, rc;
+
+ audit_fd = audit_open();
+ if (audit_fd < 0) {
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+ errno == EAFNOSUPPORT)
+ return 1; /* No audit support in kernel */
+ else
+ return 0; /* Must prevent login */
+ }
+ if (username == NULL)
+ snprintf(buf, sizeof(buf), "uid=%d", uid);
+ else {
+ char encoded[AUDIT_ACCT_SIZE];
+ _audit_hexscape(username, encoded, sizeof(encoded));
+ snprintf(buf, sizeof(buf), "acct=%s", encoded);
+ }
+ rc = audit_log_user_message(audit_fd, AUDIT_USER_LOGIN,
+ buf, hostname, ip, ttyn, success);
+ close(audit_fd);
+ if (rc >= 0)
+ return 1;
+ else
+ return 0;
+}
+
+int
+linux_audit_write_entry(struct logininfo *li)
+{
+ switch(li->type) {
+ case LTYPE_LOGIN:
+ return (linux_audit_record_event(li->uid, NULL, li->hostname,
+ NULL, li->line, 1));
+ case LTYPE_LOGOUT:
+ return (1); /* We only care about logins */
+ default:
+ logit("%s: invalid type field", __func__);
+ return (0);
+ }
+}
+#endif /* HAVE_LINUX_AUDIT */
+
/**
** Low-level libutil login() functions
**/
--- openssh-6.2p2.orig/loginrec.h
+++ openssh-6.2p2/loginrec.h
@@ -127,5 +127,9 @@ char *line_stripname(char *dst, const ch
char *line_abbrevname(char *dst, const char *src, int dstsize);
void record_failed_login(const char *, const char *, const char *);
+#ifdef HAVE_LINUX_AUDIT
+int linux_audit_record_event(int uid, const char *username,
+ const char *hostname, const char *ip, const char *ttyn, int success);
+#endif /* HAVE_LINUX_AUDIT */
#endif /* _HAVE_LOGINREC_H_ */