openssh/openssh-5.9p1-audit.patch

# add support for Linux audit (FATE #120269)
================================================================================
Index: openssh-5.8p1/Makefile.in
===================================================================
--- openssh-5.8p1.orig/Makefile.in
+++ openssh-5.8p1/Makefile.in
@@ -47,6 +47,7 @@ CFLAGS=@CFLAGS@
 CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
 LIBS=@LIBS@
 SSHLIBS=@SSHLIBS@
+LIBAUDIT=@LIBAUDIT@
 SSHDLIBS=@SSHDLIBS@
 LIBEDIT=@LIBEDIT@
 AR=@AR@
@@ -146,7 +147,7 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SS
 	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS)
 
 sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS)
-	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS)
+	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(LIBAUDIT)
 
 scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
 	$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
Index: openssh-5.8p1/auth.c
===================================================================
--- openssh-5.8p1.orig/auth.c
+++ openssh-5.8p1/auth.c
@@ -293,6 +293,12 @@ auth_log(Authctxt *authctxt, int authent
 		    get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
 # endif
 #endif
+#if HAVE_LINUX_AUDIT
+	if (authenticated == 0 && !authctxt->postponed) {
+		linux_audit_record_event(-1, authctxt->user, NULL,
+			get_remote_ipaddr(), "sshd", 0);
+	}
+#endif
 #ifdef SSH_AUDIT_EVENTS
 	if (authenticated == 0 && !authctxt->postponed)
 		audit_event(audit_classify_auth(method));
@@ -592,6 +598,10 @@ getpwnamallow(const char *user)
 		record_failed_login(user,
 		    get_canonical_hostname(options.use_dns), "ssh");
 #endif
+#ifdef HAVE_LINUX_AUDIT
+		linux_audit_record_event(-1, user, NULL, get_remote_ipaddr(),
+			"sshd", 0);
+#endif
 #ifdef SSH_AUDIT_EVENTS
 		audit_event(SSH_INVALID_USER);
 #endif /* SSH_AUDIT_EVENTS */
Index: openssh-5.8p1/config.h.in
===================================================================
--- openssh-5.8p1.orig/config.h.in
+++ openssh-5.8p1/config.h.in
@@ -1460,6 +1460,9 @@
 /* Define if you want SELinux support. */
 #undef WITH_SELINUX
 
+/* Define if you want Linux audit support. */
+#undef HAVE_LINUX_AUDIT
+
 /* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
    significant byte first (like Motorola and SPARC, unlike Intel). */
 #if defined AC_APPLE_UNIVERSAL_BUILD
Index: openssh-5.8p1/configure.ac
===================================================================
--- openssh-5.8p1.orig/configure.ac
+++ openssh-5.8p1/configure.ac
@@ -3522,6 +3522,20 @@ AC_ARG_WITH(selinux,
 AC_SUBST([SSHLIBS])
 AC_SUBST([SSHDLIBS])
 
+# Check whether user wants Linux audit support
+LINUX_AUDIT_MSG="no"
+LIBAUDIT=""
+AC_ARG_WITH([linux-audit],
+	[  --with-linux-audit   Enable Linux audit support],
+	[ if test "x$withval" != "xno" ; then
+		AC_DEFINE([HAVE_LINUX_AUDIT],[1],[Define if you want Linux audit support.])
+		LINUX_AUDIT_MSG="yes"
+		AC_CHECK_HEADERS([libaudit.h])
+		LIBAUDIT="-laudit"
+	fi
+	])
+AC_SUBST([LIBAUDIT])
+
 # Check whether user wants Kerberos 5 support
 KRB5_MSG="no"
 AC_ARG_WITH([kerberos5],
@@ -4316,6 +4330,7 @@ echo "                       PAM support
 echo "                   OSF SIA support: $SIA_MSG"
 echo "                 KerberosV support: $KRB5_MSG"
 echo "                   SELinux support: $SELINUX_MSG"
+echo "               Linux audit support: $LINUX_AUDIT_MSG"
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
 echo "              TCP Wrappers support: $TCPW_MSG"
Index: openssh-5.8p1/loginrec.c
===================================================================
--- openssh-5.8p1.orig/loginrec.c
+++ openssh-5.8p1/loginrec.c
@@ -176,6 +176,10 @@
 #include "auth.h"
 #include "buffer.h"
 
+#ifdef HAVE_LINUX_AUDIT
+# include <libaudit.h>
+#endif
+
 #ifdef HAVE_UTIL_H
 # include <util.h>
 #endif
@@ -202,6 +206,9 @@ int utmp_write_entry(struct logininfo *l
 int utmpx_write_entry(struct logininfo *li);
 int wtmp_write_entry(struct logininfo *li);
 int wtmpx_write_entry(struct logininfo *li);
+#ifdef HAVE_LINUX_AUDIT
+int linux_audit_write_entry(struct logininfo *li);
+#endif
 int lastlog_write_entry(struct logininfo *li);
 int syslogin_write_entry(struct logininfo *li);
 
@@ -442,6 +449,10 @@ login_write(struct logininfo *li)
 
 	/* set the timestamp */
 	login_set_current_time(li);
+#ifdef HAVE_LINUX_AUDIT
+	if (linux_audit_write_entry(li) == 0)
+		fatal("linux_audit_write_entry failed: %s", strerror(errno));
+#endif
 #ifdef USE_LOGIN
 	syslogin_write_entry(li);
 #endif
@@ -1406,6 +1417,87 @@ wtmpx_get_entry(struct logininfo *li)
 }
 #endif /* USE_WTMPX */
 
+#ifdef HAVE_LINUX_AUDIT
+static void
+_audit_hexscape(const char *what, char *where, unsigned int size)
+{
+	const char *ptr = what;
+	const char *hex = "0123456789ABCDEF";
+
+	while (*ptr) {
+		if (*ptr == '"' || *ptr < 0x21 || *ptr > 0x7E) {
+			unsigned int i;
+			ptr = what;
+			for (i = 0; *ptr && i+2 < size; i += 2) {
+				where[i] = hex[((unsigned)*ptr & 0xF0)>>4]; /* Upper nibble */
+				where[i+1] = hex[(unsigned)*ptr & 0x0F];   /* Lower nibble */
+				ptr++;
+			}
+			where[i] = '\0';
+			return;
+		}
+		ptr++;
+	}
+	where[0] = '"';
+	if ((unsigned)(ptr - what) < size - 3)
+	{
+		size = ptr - what + 3;
+	}
+	strncpy(where + 1, what, size - 3);
+	where[size-2] = '"';
+	where[size-1] = '\0';
+}
+
+#define AUDIT_LOG_SIZE 128
+#define AUDIT_ACCT_SIZE (AUDIT_LOG_SIZE - 8)
+
+int
+linux_audit_record_event(int uid, const char *username,
+	const char *hostname, const char *ip, const char *ttyn, int success)
+{
+	char buf[AUDIT_LOG_SIZE];
+	int audit_fd, rc;
+
+	audit_fd = audit_open();
+	if (audit_fd < 0) {
+	 	if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+					errno == EAFNOSUPPORT)
+			return 1; /* No audit support in kernel */
+		else
+			return 0; /* Must prevent login */
+	}
+	if (username == NULL)
+		snprintf(buf, sizeof(buf), "uid=%d", uid);
+	else {
+		char encoded[AUDIT_ACCT_SIZE];
+		_audit_hexscape(username, encoded, sizeof(encoded));
+		snprintf(buf, sizeof(buf), "acct=%s", encoded);
+	}
+	rc = audit_log_user_message(audit_fd, AUDIT_USER_LOGIN,
+		buf, hostname, ip, ttyn, success);
+	close(audit_fd);
+	if (rc >= 0)
+		return 1;
+	else
+		return 0;
+}
+
+int
+linux_audit_write_entry(struct logininfo *li)
+{
+	switch(li->type) {
+	case LTYPE_LOGIN:
+		return (linux_audit_record_event(li->uid, NULL, li->hostname,
+			NULL, li->line, 1));
+	case LTYPE_LOGOUT:
+		return (1);	/* We only care about logins */
+	default:
+		logit("%s: invalid type field", __func__);
+		return (0);
+	}
+}
+#endif /* HAVE_LINUX_AUDIT */
+
 /**
  ** Low-level libutil login() functions
  **/
Index: openssh-5.8p1/loginrec.h
===================================================================
--- openssh-5.8p1.orig/loginrec.h
+++ openssh-5.8p1/loginrec.h
@@ -127,5 +127,9 @@ char *line_stripname(char *dst, const ch
 char *line_abbrevname(char *dst, const char *src, int dstsize);
 
 void record_failed_login(const char *, const char *, const char *);
+#ifdef HAVE_LINUX_AUDIT
+int linux_audit_record_event(int uid, const char *username,
+	const char *hostname, const char *ip, const char *ttyn, int success);
+#endif /* HAVE_LINUX_AUDIT */
 
 #endif /* _HAVE_LOGINREC_H_ */