forked from pool/openssh
Marcus Meissner
2e210d7ee3
ok OBS-URL: https://build.opensuse.org/request/show/59094 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=4
237 lines
7.1 KiB
Diff
237 lines
7.1 KiB
Diff
# add support for Linux audit (FATE #120269)
|
|
================================================================================
|
|
Index: openssh-5.7p1/Makefile.in
|
|
===================================================================
|
|
--- openssh-5.7p1.orig/Makefile.in
|
|
+++ openssh-5.7p1/Makefile.in
|
|
@@ -46,6 +46,7 @@ LD=@LD@
|
|
CFLAGS=@CFLAGS@
|
|
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
|
|
LIBS=@LIBS@
|
|
+LIBAUDIT=@LIBAUDIT@
|
|
SSHDLIBS=@SSHDLIBS@
|
|
LIBEDIT=@LIBEDIT@
|
|
AR=@AR@
|
|
@@ -145,7 +146,7 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SS
|
|
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
|
|
|
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
|
|
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS)
|
|
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(LIBAUDIT)
|
|
|
|
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
|
|
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
|
Index: openssh-5.7p1/auth.c
|
|
===================================================================
|
|
--- openssh-5.7p1.orig/auth.c
|
|
+++ openssh-5.7p1/auth.c
|
|
@@ -293,6 +293,12 @@ auth_log(Authctxt *authctxt, int authent
|
|
get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
|
|
# endif
|
|
#endif
|
|
+#if HAVE_LINUX_AUDIT
|
|
+ if (authenticated == 0 && !authctxt->postponed) {
|
|
+ linux_audit_record_event(-1, authctxt->user, NULL,
|
|
+ get_remote_ipaddr(), "sshd", 0);
|
|
+ }
|
|
+#endif
|
|
#ifdef SSH_AUDIT_EVENTS
|
|
if (authenticated == 0 && !authctxt->postponed)
|
|
audit_event(audit_classify_auth(method));
|
|
@@ -592,6 +598,10 @@ getpwnamallow(const char *user)
|
|
record_failed_login(user,
|
|
get_canonical_hostname(options.use_dns), "ssh");
|
|
#endif
|
|
+#ifdef HAVE_LINUX_AUDIT
|
|
+ linux_audit_record_event(-1, user, NULL, get_remote_ipaddr(),
|
|
+ "sshd", 0);
|
|
+#endif
|
|
#ifdef SSH_AUDIT_EVENTS
|
|
audit_event(SSH_INVALID_USER);
|
|
#endif /* SSH_AUDIT_EVENTS */
|
|
Index: openssh-5.7p1/config.h.in
|
|
===================================================================
|
|
--- openssh-5.7p1.orig/config.h.in
|
|
+++ openssh-5.7p1/config.h.in
|
|
@@ -1460,6 +1460,9 @@
|
|
/* Define if you want SELinux support. */
|
|
#undef WITH_SELINUX
|
|
|
|
+/* Define if you want Linux audit support. */
|
|
+#undef HAVE_LINUX_AUDIT
|
|
+
|
|
/* Define to 1 if your processor stores words with the most significant byte
|
|
first (like Motorola and SPARC, unlike Intel and VAX). */
|
|
#undef WORDS_BIGENDIAN
|
|
Index: openssh-5.7p1/configure.ac
|
|
===================================================================
|
|
--- openssh-5.7p1.orig/configure.ac
|
|
+++ openssh-5.7p1/configure.ac
|
|
@@ -3521,6 +3521,20 @@ AC_ARG_WITH(selinux,
|
|
fi ]
|
|
)
|
|
|
|
+# Check whether user wants Linux audit support
|
|
+LINUX_AUDIT_MSG="no"
|
|
+LIBAUDIT=""
|
|
+AC_ARG_WITH(linux-audit,
|
|
+ [ --with-linux-audit Enable Linux audit support],
|
|
+ [ if test "x$withval" != "xno" ; then
|
|
+ AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.])
|
|
+ LINUX_AUDIT_MSG="yes"
|
|
+ AC_CHECK_HEADERS(libaudit.h)
|
|
+ LIBAUDIT="-laudit"
|
|
+ fi
|
|
+ ])
|
|
+AC_SUBST(LIBAUDIT)
|
|
+
|
|
# Check whether user wants Kerberos 5 support
|
|
KRB5_MSG="no"
|
|
AC_ARG_WITH(kerberos5,
|
|
@@ -4315,6 +4329,7 @@ echo " PAM support
|
|
echo " OSF SIA support: $SIA_MSG"
|
|
echo " KerberosV support: $KRB5_MSG"
|
|
echo " SELinux support: $SELINUX_MSG"
|
|
+echo " Linux audit support: $LINUX_AUDIT_MSG"
|
|
echo " Smartcard support: $SCARD_MSG"
|
|
echo " S/KEY support: $SKEY_MSG"
|
|
echo " TCP Wrappers support: $TCPW_MSG"
|
|
Index: openssh-5.7p1/loginrec.c
|
|
===================================================================
|
|
--- openssh-5.7p1.orig/loginrec.c
|
|
+++ openssh-5.7p1/loginrec.c
|
|
@@ -176,6 +176,10 @@
|
|
#include "auth.h"
|
|
#include "buffer.h"
|
|
|
|
+#ifdef HAVE_LINUX_AUDIT
|
|
+# include <libaudit.h>
|
|
+#endif
|
|
+
|
|
#ifdef HAVE_UTIL_H
|
|
# include <util.h>
|
|
#endif
|
|
@@ -202,6 +206,9 @@ int utmp_write_entry(struct logininfo *l
|
|
int utmpx_write_entry(struct logininfo *li);
|
|
int wtmp_write_entry(struct logininfo *li);
|
|
int wtmpx_write_entry(struct logininfo *li);
|
|
+#ifdef HAVE_LINUX_AUDIT
|
|
+int linux_audit_write_entry(struct logininfo *li);
|
|
+#endif
|
|
int lastlog_write_entry(struct logininfo *li);
|
|
int syslogin_write_entry(struct logininfo *li);
|
|
|
|
@@ -442,6 +449,10 @@ login_write(struct logininfo *li)
|
|
|
|
/* set the timestamp */
|
|
login_set_current_time(li);
|
|
+#ifdef HAVE_LINUX_AUDIT
|
|
+ if (linux_audit_write_entry(li) == 0)
|
|
+ fatal("linux_audit_write_entry failed: %s", strerror(errno));
|
|
+#endif
|
|
#ifdef USE_LOGIN
|
|
syslogin_write_entry(li);
|
|
#endif
|
|
@@ -1406,6 +1417,87 @@ wtmpx_get_entry(struct logininfo *li)
|
|
}
|
|
#endif /* USE_WTMPX */
|
|
|
|
+#ifdef HAVE_LINUX_AUDIT
|
|
+static void
|
|
+_audit_hexscape(const char *what, char *where, unsigned int size)
|
|
+{
|
|
+ const char *ptr = what;
|
|
+ const char *hex = "0123456789ABCDEF";
|
|
+
|
|
+ while (*ptr) {
|
|
+ if (*ptr == '"' || *ptr < 0x21 || *ptr > 0x7E) {
|
|
+ unsigned int i;
|
|
+ ptr = what;
|
|
+ for (i = 0; *ptr && i+2 < size; i += 2) {
|
|
+ where[i] = hex[((unsigned)*ptr & 0xF0)>>4]; /* Upper nibble */
|
|
+ where[i+1] = hex[(unsigned)*ptr & 0x0F]; /* Lower nibble */
|
|
+ ptr++;
|
|
+ }
|
|
+ where[i] = '\0';
|
|
+ return;
|
|
+ }
|
|
+ ptr++;
|
|
+ }
|
|
+ where[0] = '"';
|
|
+ if ((unsigned)(ptr - what) < size - 3)
|
|
+ {
|
|
+ size = ptr - what + 3;
|
|
+ }
|
|
+ strncpy(where + 1, what, size - 3);
|
|
+ where[size-2] = '"';
|
|
+ where[size-1] = '\0';
|
|
+}
|
|
+
|
|
+#define AUDIT_LOG_SIZE 128
|
|
+#define AUDIT_ACCT_SIZE (AUDIT_LOG_SIZE - 8)
|
|
+
|
|
+int
|
|
+linux_audit_record_event(int uid, const char *username,
|
|
+ const char *hostname, const char *ip, const char *ttyn, int success)
|
|
+{
|
|
+ char buf[AUDIT_LOG_SIZE];
|
|
+ int audit_fd, rc;
|
|
+
|
|
+ audit_fd = audit_open();
|
|
+ if (audit_fd < 0) {
|
|
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
|
|
+ errno == EAFNOSUPPORT)
|
|
+ return 1; /* No audit support in kernel */
|
|
+ else
|
|
+ return 0; /* Must prevent login */
|
|
+ }
|
|
+ if (username == NULL)
|
|
+ snprintf(buf, sizeof(buf), "uid=%d", uid);
|
|
+ else {
|
|
+ char encoded[AUDIT_ACCT_SIZE];
|
|
+ _audit_hexscape(username, encoded, sizeof(encoded));
|
|
+ snprintf(buf, sizeof(buf), "acct=%s", encoded);
|
|
+ }
|
|
+ rc = audit_log_user_message(audit_fd, AUDIT_USER_LOGIN,
|
|
+ buf, hostname, ip, ttyn, success);
|
|
+ close(audit_fd);
|
|
+ if (rc >= 0)
|
|
+ return 1;
|
|
+ else
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+int
|
|
+linux_audit_write_entry(struct logininfo *li)
|
|
+{
|
|
+ switch(li->type) {
|
|
+ case LTYPE_LOGIN:
|
|
+ return (linux_audit_record_event(li->uid, NULL, li->hostname,
|
|
+ NULL, li->line, 1));
|
|
+ case LTYPE_LOGOUT:
|
|
+ return (1); /* We only care about logins */
|
|
+ default:
|
|
+ logit("%s: invalid type field", __func__);
|
|
+ return (0);
|
|
+ }
|
|
+}
|
|
+#endif /* HAVE_LINUX_AUDIT */
|
|
+
|
|
/**
|
|
** Low-level libutil login() functions
|
|
**/
|
|
Index: openssh-5.7p1/loginrec.h
|
|
===================================================================
|
|
--- openssh-5.7p1.orig/loginrec.h
|
|
+++ openssh-5.7p1/loginrec.h
|
|
@@ -127,5 +127,9 @@ char *line_stripname(char *dst, const ch
|
|
char *line_abbrevname(char *dst, const char *src, int dstsize);
|
|
|
|
void record_failed_login(const char *, const char *, const char *);
|
|
+#ifdef HAVE_LINUX_AUDIT
|
|
+int linux_audit_record_event(int uid, const char *username,
|
|
+ const char *hostname, const char *ip, const char *ttyn, int success);
|
|
+#endif /* HAVE_LINUX_AUDIT */
|
|
|
|
#endif /* _HAVE_LOGINREC_H_ */
|