# add support for Linux audit (FATE #120269) ================================================================================ --- openssh-5.2p1/Makefile.in +++ openssh-5.2p1/Makefile.in @@ -44,6 +44,7 @@ CFLAGS=@CFLAGS@ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ LIBS=@LIBS@ +LIBAUDIT=@LIBAUDIT@ SSHDLIBS=@SSHDLIBS@ LIBEDIT=@LIBEDIT@ AR=@AR@ @@ -137,7 +138,7 @@ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) - $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) + $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(LIBAUDIT) scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) --- openssh-5.2p1/auth.c +++ openssh-5.2p1/auth.c @@ -287,6 +287,12 @@ get_canonical_hostname(options.use_dns), "ssh", &loginmsg); # endif #endif +#if HAVE_LINUX_AUDIT + if (authenticated == 0 && !authctxt->postponed) { + linux_audit_record_event(-1, authctxt->user, NULL, + get_remote_ipaddr(), "sshd", 0); + } +#endif #ifdef SSH_AUDIT_EVENTS if (authenticated == 0 && !authctxt->postponed) audit_event(audit_classify_auth(method)); @@ -533,6 +539,10 @@ record_failed_login(user, get_canonical_hostname(options.use_dns), "ssh"); #endif +#ifdef HAVE_LINUX_AUDIT + linux_audit_record_event(-1, user, NULL, get_remote_ipaddr(), + "sshd", 0); +#endif #ifdef SSH_AUDIT_EVENTS audit_event(SSH_INVALID_USER); #endif /* SSH_AUDIT_EVENTS */ --- openssh-5.2p1/config.h.in +++ openssh-5.2p1/config.h.in @@ -1397,6 +1397,9 @@ /* Define if you want SELinux support. */ #undef WITH_SELINUX +/* Define if you want Linux audit support. */ +#undef HAVE_LINUX_AUDIT + /* Define to 1 if your processor stores words with the most significant byte first (like Motorola and SPARC, unlike Intel and VAX). */ #undef WORDS_BIGENDIAN --- openssh-5.2p1/configure.ac +++ openssh-5.2p1/configure.ac @@ -3340,6 +3340,20 @@ fi ] ) +# Check whether user wants Linux audit support +LINUX_AUDIT_MSG="no" +LIBAUDIT="" +AC_ARG_WITH(linux-audit, + [ --with-linux-audit Enable Linux audit support], + [ if test "x$withval" != "xno" ; then + AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.]) + LINUX_AUDIT_MSG="yes" + AC_CHECK_HEADERS(libaudit.h) + LIBAUDIT="-laudit" + fi + ]) +AC_SUBST(LIBAUDIT) + # Check whether user wants Kerberos 5 support KRB5_MSG="no" AC_ARG_WITH(kerberos5, @@ -4160,6 +4174,7 @@ echo " OSF SIA support: $SIA_MSG" echo " KerberosV support: $KRB5_MSG" echo " SELinux support: $SELINUX_MSG" +echo " Linux audit support: $LINUX_AUDIT_MSG" echo " Smartcard support: $SCARD_MSG" echo " S/KEY support: $SKEY_MSG" echo " TCP Wrappers support: $TCPW_MSG" --- openssh-5.2p1/loginrec.c +++ openssh-5.2p1/loginrec.c @@ -176,6 +176,10 @@ #include "auth.h" #include "buffer.h" +#ifdef HAVE_LINUX_AUDIT +# include +#endif + #ifdef HAVE_UTIL_H # include #endif @@ -202,6 +206,9 @@ int utmp_write_entry(struct logininfo *l int utmpx_write_entry(struct logininfo *li); int wtmp_write_entry(struct logininfo *li); int wtmpx_write_entry(struct logininfo *li); +#ifdef HAVE_LINUX_AUDIT +int linux_audit_write_entry(struct logininfo *li); +#endif int lastlog_write_entry(struct logininfo *li); int syslogin_write_entry(struct logininfo *li); @@ -440,6 +447,10 @@ login_write(struct logininfo *li) /* set the timestamp */ login_set_current_time(li); +#ifdef HAVE_LINUX_AUDIT + if (linux_audit_write_entry(li) == 0) + fatal("linux_audit_write_entry failed: %s", strerror(errno)); +#endif #ifdef USE_LOGIN syslogin_write_entry(li); #endif @@ -1394,6 +1405,87 @@ wtmpx_get_entry(struct logininfo *li) } #endif /* USE_WTMPX */ +#ifdef HAVE_LINUX_AUDIT +static void +_audit_hexscape(const char *what, char *where, unsigned int size) +{ + const char *ptr = what; + const char *hex = "0123456789ABCDEF"; + + while (*ptr) { + if (*ptr == '"' || *ptr < 0x21 || *ptr > 0x7E) { + unsigned int i; + ptr = what; + for (i = 0; *ptr && i+2 < size; i += 2) { + where[i] = hex[((unsigned)*ptr & 0xF0)>>4]; /* Upper nibble */ + where[i+1] = hex[(unsigned)*ptr & 0x0F]; /* Lower nibble */ + ptr++; + } + where[i] = '\0'; + return; + } + ptr++; + } + where[0] = '"'; + if ((unsigned)(ptr - what) < size - 3) + { + size = ptr - what + 3; + } + strncpy(where + 1, what, size - 3); + where[size-2] = '"'; + where[size-1] = '\0'; +} + +#define AUDIT_LOG_SIZE 128 +#define AUDIT_ACCT_SIZE (AUDIT_LOG_SIZE - 8) + +int +linux_audit_record_event(int uid, const char *username, + const char *hostname, const char *ip, const char *ttyn, int success) +{ + char buf[AUDIT_LOG_SIZE]; + int audit_fd, rc; + + audit_fd = audit_open(); + if (audit_fd < 0) { + if (errno == EINVAL || errno == EPROTONOSUPPORT || + errno == EAFNOSUPPORT) + return 1; /* No audit support in kernel */ + else + return 0; /* Must prevent login */ + } + if (username == NULL) + snprintf(buf, sizeof(buf), "uid=%d", uid); + else { + char encoded[AUDIT_ACCT_SIZE]; + _audit_hexscape(username, encoded, sizeof(encoded)); + snprintf(buf, sizeof(buf), "acct=%s", encoded); + } + rc = audit_log_user_message(audit_fd, AUDIT_USER_LOGIN, + buf, hostname, ip, ttyn, success); + close(audit_fd); + if (rc >= 0) + return 1; + else + return 0; +} + +int +linux_audit_write_entry(struct logininfo *li) +{ + switch(li->type) { + case LTYPE_LOGIN: + return (linux_audit_record_event(li->uid, NULL, li->hostname, + NULL, li->line, 1)); + case LTYPE_LOGOUT: + return (1); /* We only care about logins */ + default: + logit("%s: invalid type field", __func__); + return (0); + } +} +#endif /* HAVE_LINUX_AUDIT */ + /** ** Low-level libutil login() functions **/ --- openssh-5.2p1/loginrec.h +++ openssh-5.2p1/loginrec.h @@ -127,5 +127,9 @@ char *line_abbrevname(char *dst, const char *src, int dstsize); void record_failed_login(const char *, const char *, const char *); +#ifdef HAVE_LINUX_AUDIT +int linux_audit_record_event(int uid, const char *username, + const char *hostname, const char *ip, const char *ttyn, int success); +#endif /* HAVE_LINUX_AUDIT */ #endif /* _HAVE_LOGINREC_H_ */