From b5ee10d44e6fc56ef9f9341c7bb40bb12ca2afbbc1f4a9b8171fb7b9307cf2c2 Mon Sep 17 00:00:00 2001
From: OBS User unknown <null@suse.de>
Date: Thu, 1 Mar 2007 21:07:15 +0000
Subject: [PATCH] OBS-URL:
 https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=3

---
 openssh-4.5p1-audit.patch  | 186 +++++++++++++++++++++++++++++++++++++
 openssh-askpass-gnome.spec |   2 +-
 openssh.changes            |   5 +
 openssh.spec               |   9 +-
 4 files changed, 199 insertions(+), 3 deletions(-)
 create mode 100644 openssh-4.5p1-audit.patch

diff --git a/openssh-4.5p1-audit.patch b/openssh-4.5p1-audit.patch
new file mode 100644
index 0000000..8742565
--- /dev/null
+++ b/openssh-4.5p1-audit.patch
@@ -0,0 +1,186 @@
+--- openssh-4.5p1/loginrec.c.audit	2006-09-07 14:57:54.000000000 +0200
++++ openssh-4.5p1/loginrec.c	2006-12-21 12:17:35.000000000 +0100
+@@ -175,6 +175,10 @@
+ #include "auth.h"
+ #include "buffer.h"
+ 
++#ifdef HAVE_LINUX_AUDIT
++# include <libaudit.h>
++#endif
++
+ #ifdef HAVE_UTIL_H
+ # include <util.h>
+ #endif
+@@ -201,6 +205,9 @@
+ int utmpx_write_entry(struct logininfo *li);
+ int wtmp_write_entry(struct logininfo *li);
+ int wtmpx_write_entry(struct logininfo *li);
++#ifdef HAVE_LINUX_AUDIT
++int linux_audit_write_entry(struct logininfo *li);
++#endif
+ int lastlog_write_entry(struct logininfo *li);
+ int syslogin_write_entry(struct logininfo *li);
+ 
+@@ -439,6 +446,10 @@
+ 
+ 	/* set the timestamp */
+ 	login_set_current_time(li);
++#ifdef HAVE_LINUX_AUDIT
++	if (linux_audit_write_entry(li) == 0)
++		fatal("linux_audit_write_entry failed: %s", strerror(errno));
++#endif
+ #ifdef USE_LOGIN
+ 	syslogin_write_entry(li);
+ #endif
+@@ -1393,6 +1404,51 @@
+ }
+ #endif /* USE_WTMPX */
+ 
++#ifdef HAVE_LINUX_AUDIT
++int
++linux_audit_record_event(int uid, const char *username,
++	const char *hostname, const char *ip, const char *ttyn, int success)
++{
++	char buf[64];
++	int audit_fd, rc;
++
++	audit_fd = audit_open();
++	if (audit_fd < 0) {
++	 	if (errno == EINVAL || errno == EPROTONOSUPPORT ||
++					errno == EAFNOSUPPORT)
++			return 1; /* No audit support in kernel */
++		else
++			return 0; /* Must prevent login */
++	}
++	if (username == NULL)
++		snprintf(buf, sizeof(buf), "uid=%d", uid);
++	else
++		snprintf(buf, sizeof(buf), "acct=%s", username);
++	rc = audit_log_user_message(audit_fd, AUDIT_USER_LOGIN,
++		buf, hostname, ip, ttyn, success);
++	close(audit_fd);
++	if (rc >= 0)
++		return 1;
++	else
++		return 0;
++}
++
++int
++linux_audit_write_entry(struct logininfo *li)
++{
++	switch(li->type) {
++	case LTYPE_LOGIN:
++		return (linux_audit_record_event(li->uid, NULL, li->hostname,
++			NULL, li->line, 1));
++	case LTYPE_LOGOUT:
++		return (1);	/* We only care about logins */
++	default:
++		logit("%s: invalid type field", __func__);
++		return (0);
++	}
++}
++#endif /* HAVE_LINUX_AUDIT */
++
+ /**
+  ** Low-level libutil login() functions
+  **/
+--- openssh-4.5p1/loginrec.h.audit	2006-08-05 04:39:40.000000000 +0200
++++ openssh-4.5p1/loginrec.h	2006-12-21 12:17:35.000000000 +0100
+@@ -127,5 +127,9 @@
+ char *line_abbrevname(char *dst, const char *src, int dstsize);
+ 
+ void record_failed_login(const char *, const char *, const char *);
++#ifdef HAVE_LINUX_AUDIT
++int linux_audit_record_event(int uid, const char *username,
++	const char *hostname, const char *ip, const char *ttyn, int success);
++#endif /* HAVE_LINUX_AUDIT */
+ 
+ #endif /* _HAVE_LOGINREC_H_ */
+--- openssh-4.5p1/Makefile.in.audit	2006-10-23 23:44:47.000000000 +0200
++++ openssh-4.5p1/Makefile.in	2006-12-21 12:19:39.000000000 +0100
+@@ -45,6 +45,7 @@
+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+ LIBS=@LIBS@
+ LIBSELINUX=@LIBSELINUX@
++LIBAUDIT=@LIBAUDIT@
+ SSHDLIBS=@SSHDLIBS@
+ LIBEDIT=@LIBEDIT@
+ LIBPAM=@LIBPAM@
+@@ -139,7 +140,7 @@
+ 	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ 
+ sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS)
+-	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(SSHDLIBS) $(LIBS)
++	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(LIBAUDIT) $(SSHDLIBS) $(LIBS)
+ 
+ scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
+ 	$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+--- openssh-4.5p1/config.h.in.audit	2006-11-07 14:07:01.000000000 +0100
++++ openssh-4.5p1/config.h.in	2006-12-21 12:17:35.000000000 +0100
+@@ -1305,6 +1305,9 @@
+ /* Define if you want SELinux support. */
+ #undef WITH_SELINUX
+ 
++/* Define if you want Linux audit support. */
++#undef HAVE_LINUX_AUDIT
++
+ /* Define to 1 if your processor stores words with the most significant byte
+    first (like Motorola and SPARC, unlike Intel and VAX). */
+ #undef WORDS_BIGENDIAN
+--- openssh-4.5p1/configure.ac.audit	2006-12-21 12:17:34.000000000 +0100
++++ openssh-4.5p1/configure.ac	2006-12-21 12:17:35.000000000 +0100
+@@ -3161,6 +3161,20 @@
+ )
+ AC_SUBST(LIBSELINUX)
+ 
++# Check whether user wants Linux audit support
++LINUX_AUDIT_MSG="no"
++LIBAUDIT=""
++AC_ARG_WITH(linux-audit,
++	[  --with-linux-audit   Enable Linux audit support],
++	[ if test "x$withval" != "xno" ; then
++		AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.])
++		LINUX_AUDIT_MSG="yes"
++		AC_CHECK_HEADERS(libaudit.h)
++		LIBAUDIT="-laudit"
++	fi
++	])
++AC_SUBST(LIBAUDIT)
++
+ # Check whether user wants Kerberos 5 support
+ KRB5_MSG="no"
+ AC_ARG_WITH(kerberos5,
+@@ -3982,6 +3996,7 @@
+ echo "                   OSF SIA support: $SIA_MSG"
+ echo "                 KerberosV support: $KRB5_MSG"
+ echo "                   SELinux support: $SELINUX_MSG"
++echo "               Linux audit support: $LINUX_AUDIT_MSG"
+ echo "                 Smartcard support: $SCARD_MSG"
+ echo "                     S/KEY support: $SKEY_MSG"
+ echo "              TCP Wrappers support: $TCPW_MSG"
+--- openssh-4.5p1/auth.c.audit	2006-10-27 17:10:16.000000000 +0200
++++ openssh-4.5p1/auth.c	2006-12-21 12:17:35.000000000 +0100
+@@ -286,6 +286,12 @@
+ 		    get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
+ # endif
+ #endif
++#if HAVE_LINUX_AUDIT
++	if (authenticated == 0 && !authctxt->postponed) {
++		linux_audit_record_event(-1, authctxt->user, NULL,
++			get_remote_ipaddr(), "sshd", 0);
++	}
++#endif
+ #ifdef SSH_AUDIT_EVENTS
+ 	if (authenticated == 0 && !authctxt->postponed)
+ 		audit_event(audit_classify_auth(method));
+@@ -492,6 +498,10 @@
+ 		record_failed_login(user,
+ 		    get_canonical_hostname(options.use_dns), "ssh");
+ #endif
++#ifdef HAVE_LINUX_AUDIT
++		linux_audit_record_event(-1, user, NULL, get_remote_ipaddr(),
++			"sshd", 0);
++#endif
+ #ifdef SSH_AUDIT_EVENTS
+ 		audit_event(SSH_INVALID_USER);
+ #endif /* SSH_AUDIT_EVENTS */
diff --git a/openssh-askpass-gnome.spec b/openssh-askpass-gnome.spec
index f23d861..cb29c27 100644
--- a/openssh-askpass-gnome.spec
+++ b/openssh-askpass-gnome.spec
@@ -15,7 +15,7 @@ BuildRequires:  gtk2-devel krb5-devel opensc-devel openssh openssl-devel pam-dev
 License:        Other License(s), see package
 Group:          Productivity/Networking/SSH
 Version:        4.5p1
-Release:        16
+Release:        18
 Requires:       openssh = %{version} openssh-askpass = %{version}
 Autoreqprov:    on
 Summary:        A GNOME-Based Passphrase Dialog for OpenSSH
diff --git a/openssh.changes b/openssh.changes
index 9a42939..37913fa 100644
--- a/openssh.changes
+++ b/openssh.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Thu Mar  1 15:14:23 CET 2007 - anicka@suse.cz
+
+- add support for Linux audit (FATE #120269) 
+
 -------------------------------------------------------------------
 Wed Feb 21 11:21:48 CET 2007 - anicka@suse.cz
 
diff --git a/openssh.spec b/openssh.spec
index 13ca91c..efd3fcf 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -18,7 +18,7 @@ Name:           openssh
 %else
 %define _appdefdir      %{_prefix}/share/X11/app-defaults
 %endif
-BuildRequires:  krb5-devel opensc-devel openssl-devel pam-devel tcpd-devel xorg-x11-devel
+BuildRequires:  audit-devel krb5-devel opensc-devel openssl-devel pam-devel tcpd-devel xorg-x11-devel
 License:        BSD License and BSD-like, X11/MIT
 Group:          Productivity/Networking/SSH
 Obsoletes:      ssh
@@ -28,7 +28,7 @@ PreReq:         /usr/sbin/groupadd /usr/sbin/useradd %insserv_prereq  %fillup_pr
 Conflicts:      nonfreessh
 Autoreqprov:    on
 Version:        4.5p1
-Release:        16
+Release:        18
 %define xversion 1.2.4.1
 Summary:        Secure Shell Client and Server (Remote Login Program)
 URL:            http://www.openssh.com/
@@ -61,6 +61,7 @@ Patch40:        %{name}-%{version}-xauth.diff
 Patch41:        %{name}-%{version}-gcc-fix.patch
 Patch42:        %{name}-gssapi_krb5-fix.patch
 Patch43:        %{name}-%{version}-default-protocol.diff
+Patch44:        %{name}-%{version}-audit.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %package      askpass
 Summary:        A passphrase dialog for OpenSSH and the X Window System
@@ -148,6 +149,7 @@ Authors:
 %patch41
 %patch42
 %patch43
+%patch44 -p1
 cp -v %{SOURCE4} .
 cp -v %{SOURCE6} .
 cd ../x11-ssh-askpass-%{xversion}
@@ -185,6 +187,7 @@ LDFLAGS="-pie" CFLAGS="$RPM_OPT_FLAGS $PIEFLAGS -fstack-protector" CXXFLAGS="$RP
         --with-opensc \
 %endif
 	--disable-strip \
+	--with-linux-audit \
 	--with-xauth=%{_prefix}/bin/xauth \
         --target=%{_target_cpu}-suse-linux
 #        --with-afs=/usr \
@@ -290,6 +293,8 @@ rm -rf $RPM_BUILD_ROOT
 %config %_appdefdir/SshAskpass
 
 %changelog
+* Thu Mar 01 2007 - anicka@suse.cz
+- add support for Linux audit (FATE #120269)
 * Wed Feb 21 2007 - anicka@suse.cz
 - add firewall definition [#246921], FATE #300687,
   source: sshd.fw