This commit is contained in:
OBS User unknown
Git OBS Bridge
parent
ff7037cadc
commit
b5ee10d44e
186
openssh-4.5p1-audit.patch
Normal file
186
openssh-4.5p1-audit.patch
Normal file
@ -0,0 +1,186 @@
|
||||
--- openssh-4.5p1/loginrec.c.audit 2006-09-07 14:57:54.000000000 +0200
|
||||
+++ openssh-4.5p1/loginrec.c 2006-12-21 12:17:35.000000000 +0100
|
||||
@@ -175,6 +175,10 @@
|
||||
#include "auth.h"
|
||||
#include "buffer.h"
|
||||
|
||||
+#ifdef HAVE_LINUX_AUDIT
|
||||
+# include <libaudit.h>
|
||||
+#endif
|
||||
+
|
||||
#ifdef HAVE_UTIL_H
|
||||
# include <util.h>
|
||||
#endif
|
||||
@@ -201,6 +205,9 @@
|
||||
int utmpx_write_entry(struct logininfo *li);
|
||||
int wtmp_write_entry(struct logininfo *li);
|
||||
int wtmpx_write_entry(struct logininfo *li);
|
||||
+#ifdef HAVE_LINUX_AUDIT
|
||||
+int linux_audit_write_entry(struct logininfo *li);
|
||||
+#endif
|
||||
int lastlog_write_entry(struct logininfo *li);
|
||||
int syslogin_write_entry(struct logininfo *li);
|
||||
|
||||
@@ -439,6 +446,10 @@
|
||||
|
||||
/* set the timestamp */
|
||||
login_set_current_time(li);
|
||||
+#ifdef HAVE_LINUX_AUDIT
|
||||
+ if (linux_audit_write_entry(li) == 0)
|
||||
+ fatal("linux_audit_write_entry failed: %s", strerror(errno));
|
||||
+#endif
|
||||
#ifdef USE_LOGIN
|
||||
syslogin_write_entry(li);
|
||||
#endif
|
||||
@@ -1393,6 +1404,51 @@
|
||||
}
|
||||
#endif /* USE_WTMPX */
|
||||
|
||||
+#ifdef HAVE_LINUX_AUDIT
|
||||
+int
|
||||
+linux_audit_record_event(int uid, const char *username,
|
||||
+ const char *hostname, const char *ip, const char *ttyn, int success)
|
||||
+{
|
||||
+ char buf[64];
|
||||
+ int audit_fd, rc;
|
||||
+
|
||||
+ audit_fd = audit_open();
|
||||
+ if (audit_fd < 0) {
|
||||
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
|
||||
+ errno == EAFNOSUPPORT)
|
||||
+ return 1; /* No audit support in kernel */
|
||||
+ else
|
||||
+ return 0; /* Must prevent login */
|
||||
+ }
|
||||
+ if (username == NULL)
|
||||
+ snprintf(buf, sizeof(buf), "uid=%d", uid);
|
||||
+ else
|
||||
+ snprintf(buf, sizeof(buf), "acct=%s", username);
|
||||
+ rc = audit_log_user_message(audit_fd, AUDIT_USER_LOGIN,
|
||||
+ buf, hostname, ip, ttyn, success);
|
||||
+ close(audit_fd);
|
||||
+ if (rc >= 0)
|
||||
+ return 1;
|
||||
+ else
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+linux_audit_write_entry(struct logininfo *li)
|
||||
+{
|
||||
+ switch(li->type) {
|
||||
+ case LTYPE_LOGIN:
|
||||
+ return (linux_audit_record_event(li->uid, NULL, li->hostname,
|
||||
+ NULL, li->line, 1));
|
||||
+ case LTYPE_LOGOUT:
|
||||
+ return (1); /* We only care about logins */
|
||||
+ default:
|
||||
+ logit("%s: invalid type field", __func__);
|
||||
+ return (0);
|
||||
+ }
|
||||
+}
|
||||
+#endif /* HAVE_LINUX_AUDIT */
|
||||
+
|
||||
/**
|
||||
** Low-level libutil login() functions
|
||||
**/
|
||||
--- openssh-4.5p1/loginrec.h.audit 2006-08-05 04:39:40.000000000 +0200
|
||||
+++ openssh-4.5p1/loginrec.h 2006-12-21 12:17:35.000000000 +0100
|
||||
@@ -127,5 +127,9 @@
|
||||
char *line_abbrevname(char *dst, const char *src, int dstsize);
|
||||
|
||||
void record_failed_login(const char *, const char *, const char *);
|
||||
+#ifdef HAVE_LINUX_AUDIT
|
||||
+int linux_audit_record_event(int uid, const char *username,
|
||||
+ const char *hostname, const char *ip, const char *ttyn, int success);
|
||||
+#endif /* HAVE_LINUX_AUDIT */
|
||||
|
||||
#endif /* _HAVE_LOGINREC_H_ */
|
||||
--- openssh-4.5p1/Makefile.in.audit 2006-10-23 23:44:47.000000000 +0200
|
||||
+++ openssh-4.5p1/Makefile.in 2006-12-21 12:19:39.000000000 +0100
|
||||
@@ -45,6 +45,7 @@
|
||||
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
|
||||
LIBS=@LIBS@
|
||||
LIBSELINUX=@LIBSELINUX@
|
||||
+LIBAUDIT=@LIBAUDIT@
|
||||
SSHDLIBS=@SSHDLIBS@
|
||||
LIBEDIT=@LIBEDIT@
|
||||
LIBPAM=@LIBPAM@
|
||||
@@ -139,7 +140,7 @@
|
||||
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
|
||||
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(SSHDLIBS) $(LIBS)
|
||||
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(LIBAUDIT) $(SSHDLIBS) $(LIBS)
|
||||
|
||||
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
|
||||
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
--- openssh-4.5p1/config.h.in.audit 2006-11-07 14:07:01.000000000 +0100
|
||||
+++ openssh-4.5p1/config.h.in 2006-12-21 12:17:35.000000000 +0100
|
||||
@@ -1305,6 +1305,9 @@
|
||||
/* Define if you want SELinux support. */
|
||||
#undef WITH_SELINUX
|
||||
|
||||
+/* Define if you want Linux audit support. */
|
||||
+#undef HAVE_LINUX_AUDIT
|
||||
+
|
||||
/* Define to 1 if your processor stores words with the most significant byte
|
||||
first (like Motorola and SPARC, unlike Intel and VAX). */
|
||||
#undef WORDS_BIGENDIAN
|
||||
--- openssh-4.5p1/configure.ac.audit 2006-12-21 12:17:34.000000000 +0100
|
||||
+++ openssh-4.5p1/configure.ac 2006-12-21 12:17:35.000000000 +0100
|
||||
@@ -3161,6 +3161,20 @@
|
||||
)
|
||||
AC_SUBST(LIBSELINUX)
|
||||
|
||||
+# Check whether user wants Linux audit support
|
||||
+LINUX_AUDIT_MSG="no"
|
||||
+LIBAUDIT=""
|
||||
+AC_ARG_WITH(linux-audit,
|
||||
+ [ --with-linux-audit Enable Linux audit support],
|
||||
+ [ if test "x$withval" != "xno" ; then
|
||||
+ AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.])
|
||||
+ LINUX_AUDIT_MSG="yes"
|
||||
+ AC_CHECK_HEADERS(libaudit.h)
|
||||
+ LIBAUDIT="-laudit"
|
||||
+ fi
|
||||
+ ])
|
||||
+AC_SUBST(LIBAUDIT)
|
||||
+
|
||||
# Check whether user wants Kerberos 5 support
|
||||
KRB5_MSG="no"
|
||||
AC_ARG_WITH(kerberos5,
|
||||
@@ -3982,6 +3996,7 @@
|
||||
echo " OSF SIA support: $SIA_MSG"
|
||||
echo " KerberosV support: $KRB5_MSG"
|
||||
echo " SELinux support: $SELINUX_MSG"
|
||||
+echo " Linux audit support: $LINUX_AUDIT_MSG"
|
||||
echo " Smartcard support: $SCARD_MSG"
|
||||
echo " S/KEY support: $SKEY_MSG"
|
||||
echo " TCP Wrappers support: $TCPW_MSG"
|
||||
--- openssh-4.5p1/auth.c.audit 2006-10-27 17:10:16.000000000 +0200
|
||||
+++ openssh-4.5p1/auth.c 2006-12-21 12:17:35.000000000 +0100
|
||||
@@ -286,6 +286,12 @@
|
||||
get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
|
||||
# endif
|
||||
#endif
|
||||
+#if HAVE_LINUX_AUDIT
|
||||
+ if (authenticated == 0 && !authctxt->postponed) {
|
||||
+ linux_audit_record_event(-1, authctxt->user, NULL,
|
||||
+ get_remote_ipaddr(), "sshd", 0);
|
||||
+ }
|
||||
+#endif
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
if (authenticated == 0 && !authctxt->postponed)
|
||||
audit_event(audit_classify_auth(method));
|
||||
@@ -492,6 +498,10 @@
|
||||
record_failed_login(user,
|
||||
get_canonical_hostname(options.use_dns), "ssh");
|
||||
#endif
|
||||
+#ifdef HAVE_LINUX_AUDIT
|
||||
+ linux_audit_record_event(-1, user, NULL, get_remote_ipaddr(),
|
||||
+ "sshd", 0);
|
||||
+#endif
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
audit_event(SSH_INVALID_USER);
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
@ -15,7 +15,7 @@ BuildRequires: gtk2-devel krb5-devel opensc-devel openssh openssl-devel pam-dev
|
||||
License: Other License(s), see package
|
||||
Group: Productivity/Networking/SSH
|
||||
Version: 4.5p1
|
||||
Release: 16
|
||||
Release: 18
|
||||
Requires: openssh = %{version} openssh-askpass = %{version}
|
||||
Autoreqprov: on
|
||||
Summary: A GNOME-Based Passphrase Dialog for OpenSSH
|
||||
|
||||
@ -1,3 +1,8 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Mar 1 15:14:23 CET 2007 - anicka@suse.cz
|
||||
|
||||
- add support for Linux audit (FATE #120269)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Feb 21 11:21:48 CET 2007 - anicka@suse.cz
|
||||
|
||||
|
||||
@ -18,7 +18,7 @@ Name: openssh
|
||||
%else
|
||||
%define _appdefdir %{_prefix}/share/X11/app-defaults
|
||||
%endif
|
||||
BuildRequires: krb5-devel opensc-devel openssl-devel pam-devel tcpd-devel xorg-x11-devel
|
||||
BuildRequires: audit-devel krb5-devel opensc-devel openssl-devel pam-devel tcpd-devel xorg-x11-devel
|
||||
License: BSD License and BSD-like, X11/MIT
|
||||
Group: Productivity/Networking/SSH
|
||||
Obsoletes: ssh
|
||||
@ -28,7 +28,7 @@ PreReq: /usr/sbin/groupadd /usr/sbin/useradd %insserv_prereq %fillup_pr
|
||||
Conflicts: nonfreessh
|
||||
Autoreqprov: on
|
||||
Version: 4.5p1
|
||||
Release: 16
|
||||
Release: 18
|
||||
%define xversion 1.2.4.1
|
||||
Summary: Secure Shell Client and Server (Remote Login Program)
|
||||
URL: http://www.openssh.com/
|
||||
@ -61,6 +61,7 @@ Patch40: %{name}-%{version}-xauth.diff
|
||||
Patch41: %{name}-%{version}-gcc-fix.patch
|
||||
Patch42: %{name}-gssapi_krb5-fix.patch
|
||||
Patch43: %{name}-%{version}-default-protocol.diff
|
||||
Patch44: %{name}-%{version}-audit.patch
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
%package askpass
|
||||
Summary: A passphrase dialog for OpenSSH and the X Window System
|
||||
@ -148,6 +149,7 @@ Authors:
|
||||
%patch41
|
||||
%patch42
|
||||
%patch43
|
||||
%patch44 -p1
|
||||
cp -v %{SOURCE4} .
|
||||
cp -v %{SOURCE6} .
|
||||
cd ../x11-ssh-askpass-%{xversion}
|
||||
@ -185,6 +187,7 @@ LDFLAGS="-pie" CFLAGS="$RPM_OPT_FLAGS $PIEFLAGS -fstack-protector" CXXFLAGS="$RP
|
||||
--with-opensc \
|
||||
%endif
|
||||
--disable-strip \
|
||||
--with-linux-audit \
|
||||
--with-xauth=%{_prefix}/bin/xauth \
|
||||
--target=%{_target_cpu}-suse-linux
|
||||
# --with-afs=/usr \
|
||||
@ -290,6 +293,8 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%config %_appdefdir/SshAskpass
|
||||
|
||||
%changelog
|
||||
* Thu Mar 01 2007 - anicka@suse.cz
|
||||
- add support for Linux audit (FATE #120269)
|
||||
* Wed Feb 21 2007 - anicka@suse.cz
|
||||
- add firewall definition [#246921], FATE #300687,
|
||||
source: sshd.fw
|
||||
|
||||
Loading…
Reference in New Issue
Block a user