# add support for Linux audit (FATE #120269) ================================================================================ --- openssh-4.7p1/Makefile.in +++ openssh-4.7p1/Makefile.in @@ -44,6 +44,7 @@ CFLAGS=@CFLAGS@ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ LIBS=@LIBS@ +LIBAUDIT=@LIBAUDIT@ SSHDLIBS=@SSHDLIBS@ LIBEDIT=@LIBEDIT@ AR=@AR@ @@ -136,7 +137,7 @@ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) - $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) + $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(LIBAUDIT) scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) --- openssh-4.7p1/auth.c +++ openssh-4.7p1/auth.c @@ -286,6 +286,12 @@ get_canonical_hostname(options.use_dns), "ssh", &loginmsg); # endif #endif +#if HAVE_LINUX_AUDIT + if (authenticated == 0 && !authctxt->postponed) { + linux_audit_record_event(-1, authctxt->user, NULL, + get_remote_ipaddr(), "sshd", 0); + } +#endif #ifdef SSH_AUDIT_EVENTS if (authenticated == 0 && !authctxt->postponed) audit_event(audit_classify_auth(method)); @@ -492,6 +498,10 @@ record_failed_login(user, get_canonical_hostname(options.use_dns), "ssh"); #endif +#ifdef HAVE_LINUX_AUDIT + linux_audit_record_event(-1, user, NULL, get_remote_ipaddr(), + "sshd", 0); +#endif #ifdef SSH_AUDIT_EVENTS audit_event(SSH_INVALID_USER); #endif /* SSH_AUDIT_EVENTS */ --- openssh-4.7p1/config.h.in +++ openssh-4.7p1/config.h.in @@ -1334,6 +1334,9 @@ /* Define if you want SELinux support. */ #undef WITH_SELINUX +/* Define if you want Linux audit support. */ +#undef HAVE_LINUX_AUDIT + /* Define to 1 if your processor stores words with the most significant byte first (like Motorola and SPARC, unlike Intel and VAX). */ #undef WORDS_BIGENDIAN --- openssh-4.7p1/configure.ac +++ openssh-4.7p1/configure.ac @@ -3216,6 +3216,20 @@ fi ] ) +# Check whether user wants Linux audit support +LINUX_AUDIT_MSG="no" +LIBAUDIT="" +AC_ARG_WITH(linux-audit, + [ --with-linux-audit Enable Linux audit support], + [ if test "x$withval" != "xno" ; then + AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.]) + LINUX_AUDIT_MSG="yes" + AC_CHECK_HEADERS(libaudit.h) + LIBAUDIT="-laudit" + fi + ]) +AC_SUBST(LIBAUDIT) + # Check whether user wants Kerberos 5 support KRB5_MSG="no" AC_ARG_WITH(kerberos5, @@ -4036,6 +4050,7 @@ echo " OSF SIA support: $SIA_MSG" echo " KerberosV support: $KRB5_MSG" echo " SELinux support: $SELINUX_MSG" +echo " Linux audit support: $LINUX_AUDIT_MSG" echo " Smartcard support: $SCARD_MSG" echo " S/KEY support: $SKEY_MSG" echo " TCP Wrappers support: $TCPW_MSG" --- openssh-4.7p1/loginrec.c +++ openssh-4.7p1/loginrec.c @@ -176,6 +176,10 @@ #include "auth.h" #include "buffer.h" +#ifdef HAVE_LINUX_AUDIT +# include +#endif + #ifdef HAVE_UTIL_H # include #endif @@ -202,6 +206,9 @@ int utmpx_write_entry(struct logininfo *li); int wtmp_write_entry(struct logininfo *li); int wtmpx_write_entry(struct logininfo *li); +#ifdef HAVE_LINUX_AUDIT +int linux_audit_write_entry(struct logininfo *li); +#endif int lastlog_write_entry(struct logininfo *li); int syslogin_write_entry(struct logininfo *li); @@ -440,6 +447,10 @@ /* set the timestamp */ login_set_current_time(li); +#ifdef HAVE_LINUX_AUDIT + if (linux_audit_write_entry(li) == 0) + fatal("linux_audit_write_entry failed: %s", strerror(errno)); +#endif #ifdef USE_LOGIN syslogin_write_entry(li); #endif @@ -1394,6 +1405,51 @@ } #endif /* USE_WTMPX */ +#ifdef HAVE_LINUX_AUDIT +int +linux_audit_record_event(int uid, const char *username, + const char *hostname, const char *ip, const char *ttyn, int success) +{ + char buf[64]; + int audit_fd, rc; + + audit_fd = audit_open(); + if (audit_fd < 0) { + if (errno == EINVAL || errno == EPROTONOSUPPORT || + errno == EAFNOSUPPORT) + return 1; /* No audit support in kernel */ + else + return 0; /* Must prevent login */ + } + if (username == NULL) + snprintf(buf, sizeof(buf), "uid=%d", uid); + else + snprintf(buf, sizeof(buf), "acct=%s", username); + rc = audit_log_user_message(audit_fd, AUDIT_USER_LOGIN, + buf, hostname, ip, ttyn, success); + close(audit_fd); + if (rc >= 0) + return 1; + else + return 0; +} + +int +linux_audit_write_entry(struct logininfo *li) +{ + switch(li->type) { + case LTYPE_LOGIN: + return (linux_audit_record_event(li->uid, NULL, li->hostname, + NULL, li->line, 1)); + case LTYPE_LOGOUT: + return (1); /* We only care about logins */ + default: + logit("%s: invalid type field", __func__); + return (0); + } +} +#endif /* HAVE_LINUX_AUDIT */ + /** ** Low-level libutil login() functions **/ --- openssh-4.7p1/loginrec.h +++ openssh-4.7p1/loginrec.h @@ -127,5 +127,9 @@ char *line_abbrevname(char *dst, const char *src, int dstsize); void record_failed_login(const char *, const char *, const char *); +#ifdef HAVE_LINUX_AUDIT +int linux_audit_record_event(int uid, const char *username, + const char *hostname, const char *ip, const char *ttyn, int success); +#endif /* HAVE_LINUX_AUDIT */ #endif /* _HAVE_LOGINREC_H_ */