forked from rpms/openssh
Renable audit.
This commit is contained in:
parent
c54a8b0af7
commit
2ed3f9b53a
237
openssh-5.3p1-audit.patch
Normal file
237
openssh-5.3p1-audit.patch
Normal file
@ -0,0 +1,237 @@
|
||||
diff -up openssh-5.3p1/auth.c.audit openssh-5.3p1/auth.c
|
||||
--- openssh-5.3p1/auth.c.audit 2008-11-05 06:12:54.000000000 +0100
|
||||
+++ openssh-5.3p1/auth.c 2009-10-11 13:02:47.000000000 +0200
|
||||
@@ -287,6 +287,12 @@ auth_log(Authctxt *authctxt, int authent
|
||||
get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
|
||||
# endif
|
||||
#endif
|
||||
+#if HAVE_LINUX_AUDIT
|
||||
+ if (authenticated == 0 && !authctxt->postponed) {
|
||||
+ linux_audit_record_event(-1, authctxt->user, NULL,
|
||||
+ get_remote_ipaddr(), "sshd", 0);
|
||||
+ }
|
||||
+#endif
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
if (authenticated == 0 && !authctxt->postponed)
|
||||
audit_event(audit_classify_auth(method));
|
||||
@@ -533,6 +539,10 @@ getpwnamallow(const char *user)
|
||||
record_failed_login(user,
|
||||
get_canonical_hostname(options.use_dns), "ssh");
|
||||
#endif
|
||||
+#ifdef HAVE_LINUX_AUDIT
|
||||
+ linux_audit_record_event(-1, user, NULL, get_remote_ipaddr(),
|
||||
+ "sshd", 0);
|
||||
+#endif
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
audit_event(SSH_INVALID_USER);
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.3p1/config.h.in.audit openssh-5.3p1/config.h.in
|
||||
--- openssh-5.3p1/config.h.in.audit 2009-09-26 08:31:14.000000000 +0200
|
||||
+++ openssh-5.3p1/config.h.in 2009-10-11 13:09:41.000000000 +0200
|
||||
@@ -533,6 +533,9 @@
|
||||
/* Define to 1 if you have the <lastlog.h> header file. */
|
||||
#undef HAVE_LASTLOG_H
|
||||
|
||||
+/* Define to 1 if you have the <libaudit.h> header file. */
|
||||
+#undef HAVE_LIBAUDIT_H
|
||||
+
|
||||
/* Define to 1 if you have the `bsm' library (-lbsm). */
|
||||
#undef HAVE_LIBBSM
|
||||
|
||||
@@ -572,6 +575,9 @@
|
||||
/* Define to 1 if you have the <limits.h> header file. */
|
||||
#undef HAVE_LIMITS_H
|
||||
|
||||
+/* Define if you want Linux audit support. */
|
||||
+#undef HAVE_LINUX_AUDIT
|
||||
+
|
||||
/* Define to 1 if you have the <linux/if_tun.h> header file. */
|
||||
#undef HAVE_LINUX_IF_TUN_H
|
||||
|
||||
@@ -768,6 +774,9 @@
|
||||
/* Define to 1 if you have the `setgroups' function. */
|
||||
#undef HAVE_SETGROUPS
|
||||
|
||||
+/* Define to 1 if you have the `setkeycreatecon' function. */
|
||||
+#undef HAVE_SETKEYCREATECON
|
||||
+
|
||||
/* Define to 1 if you have the `setlogin' function. */
|
||||
#undef HAVE_SETLOGIN
|
||||
|
||||
@@ -1348,6 +1357,10 @@
|
||||
/* Prepend the address family to IP tunnel traffic */
|
||||
#undef SSH_TUN_PREPEND_AF
|
||||
|
||||
+/* Define to your vendor patch level, if it has been modified from the
|
||||
+ upstream source release. */
|
||||
+#undef SSH_VENDOR_PATCHLEVEL
|
||||
+
|
||||
/* Define to 1 if you have the ANSI C header files. */
|
||||
#undef STDC_HEADERS
|
||||
|
||||
diff -up openssh-5.3p1/configure.ac.audit openssh-5.3p1/configure.ac
|
||||
--- openssh-5.3p1/configure.ac.audit 2009-09-11 06:56:08.000000000 +0200
|
||||
+++ openssh-5.3p1/configure.ac 2009-10-11 13:08:03.000000000 +0200
|
||||
@@ -3407,6 +3407,18 @@ AC_ARG_WITH(selinux,
|
||||
fi ]
|
||||
)
|
||||
|
||||
+# Check whether user wants Linux audit support
|
||||
+LINUX_AUDIT_MSG="no"
|
||||
+AC_ARG_WITH(linux-audit,
|
||||
+ [ --with-linux-audit Enable Linux audit support],
|
||||
+ [ if test "x$withval" != "xno" ; then
|
||||
+ AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.])
|
||||
+ LINUX_AUDIT_MSG="yes"
|
||||
+ AC_CHECK_HEADERS(libaudit.h)
|
||||
+ SSHDLIBS="$SSHDLIBS -laudit"
|
||||
+ fi ]
|
||||
+)
|
||||
+
|
||||
# Check whether user wants Kerberos 5 support
|
||||
KRB5_MSG="no"
|
||||
AC_ARG_WITH(kerberos5,
|
||||
@@ -4226,6 +4238,7 @@ echo " PAM support
|
||||
echo " OSF SIA support: $SIA_MSG"
|
||||
echo " KerberosV support: $KRB5_MSG"
|
||||
echo " SELinux support: $SELINUX_MSG"
|
||||
+echo " Linux audit support: $LINUX_AUDIT_MSG"
|
||||
echo " Smartcard support: $SCARD_MSG"
|
||||
echo " S/KEY support: $SKEY_MSG"
|
||||
echo " TCP Wrappers support: $TCPW_MSG"
|
||||
diff -up openssh-5.3p1/loginrec.c.audit openssh-5.3p1/loginrec.c
|
||||
--- openssh-5.3p1/loginrec.c.audit 2009-02-12 03:12:22.000000000 +0100
|
||||
+++ openssh-5.3p1/loginrec.c 2009-10-11 13:06:16.000000000 +0200
|
||||
@@ -176,6 +176,10 @@
|
||||
#include "auth.h"
|
||||
#include "buffer.h"
|
||||
|
||||
+#ifdef HAVE_LINUX_AUDIT
|
||||
+# include <libaudit.h>
|
||||
+#endif
|
||||
+
|
||||
#ifdef HAVE_UTIL_H
|
||||
# include <util.h>
|
||||
#endif
|
||||
@@ -202,6 +206,9 @@ int utmp_write_entry(struct logininfo *l
|
||||
int utmpx_write_entry(struct logininfo *li);
|
||||
int wtmp_write_entry(struct logininfo *li);
|
||||
int wtmpx_write_entry(struct logininfo *li);
|
||||
+#ifdef HAVE_LINUX_AUDIT
|
||||
+int linux_audit_write_entry(struct logininfo *li);
|
||||
+#endif
|
||||
int lastlog_write_entry(struct logininfo *li);
|
||||
int syslogin_write_entry(struct logininfo *li);
|
||||
|
||||
@@ -440,6 +447,10 @@ login_write(struct logininfo *li)
|
||||
|
||||
/* set the timestamp */
|
||||
login_set_current_time(li);
|
||||
+#ifdef HAVE_LINUX_AUDIT
|
||||
+ if (linux_audit_write_entry(li) == 0)
|
||||
+ fatal("linux_audit_write_entry failed: %s", strerror(errno));
|
||||
+#endif
|
||||
#ifdef USE_LOGIN
|
||||
syslogin_write_entry(li);
|
||||
#endif
|
||||
@@ -1394,6 +1405,87 @@ wtmpx_get_entry(struct logininfo *li)
|
||||
}
|
||||
#endif /* USE_WTMPX */
|
||||
|
||||
+#ifdef HAVE_LINUX_AUDIT
|
||||
+static void
|
||||
+_audit_hexscape(const char *what, char *where, unsigned int size)
|
||||
+{
|
||||
+ const char *ptr = what;
|
||||
+ const char *hex = "0123456789ABCDEF";
|
||||
+
|
||||
+ while (*ptr) {
|
||||
+ if (*ptr == '"' || *ptr < 0x21 || *ptr > 0x7E) {
|
||||
+ unsigned int i;
|
||||
+ ptr = what;
|
||||
+ for (i = 0; *ptr && i+2 < size; i += 2) {
|
||||
+ where[i] = hex[((unsigned)*ptr & 0xF0)>>4]; /* Upper nibble */
|
||||
+ where[i+1] = hex[(unsigned)*ptr & 0x0F]; /* Lower nibble */
|
||||
+ ptr++;
|
||||
+ }
|
||||
+ where[i] = '\0';
|
||||
+ return;
|
||||
+ }
|
||||
+ ptr++;
|
||||
+ }
|
||||
+ where[0] = '"';
|
||||
+ if ((unsigned)(ptr - what) < size - 3)
|
||||
+ {
|
||||
+ size = ptr - what + 3;
|
||||
+ }
|
||||
+ strncpy(where + 1, what, size - 3);
|
||||
+ where[size-2] = '"';
|
||||
+ where[size-1] = '\0';
|
||||
+}
|
||||
+
|
||||
+#define AUDIT_LOG_SIZE 128
|
||||
+#define AUDIT_ACCT_SIZE (AUDIT_LOG_SIZE - 8)
|
||||
+
|
||||
+int
|
||||
+linux_audit_record_event(int uid, const char *username,
|
||||
+ const char *hostname, const char *ip, const char *ttyn, int success)
|
||||
+{
|
||||
+ char buf[AUDIT_LOG_SIZE];
|
||||
+ int audit_fd, rc;
|
||||
+
|
||||
+ audit_fd = audit_open();
|
||||
+ if (audit_fd < 0) {
|
||||
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
|
||||
+ errno == EAFNOSUPPORT)
|
||||
+ return 1; /* No audit support in kernel */
|
||||
+ else
|
||||
+ return 0; /* Must prevent login */
|
||||
+ }
|
||||
+ if (username == NULL)
|
||||
+ snprintf(buf, sizeof(buf), "uid=%d", uid);
|
||||
+ else {
|
||||
+ char encoded[AUDIT_ACCT_SIZE];
|
||||
+ _audit_hexscape(username, encoded, sizeof(encoded));
|
||||
+ snprintf(buf, sizeof(buf), "acct=%s", encoded);
|
||||
+ }
|
||||
+ rc = audit_log_user_message(audit_fd, AUDIT_USER_LOGIN,
|
||||
+ buf, hostname, ip, ttyn, success);
|
||||
+ close(audit_fd);
|
||||
+ if (rc >= 0)
|
||||
+ return 1;
|
||||
+ else
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+linux_audit_write_entry(struct logininfo *li)
|
||||
+{
|
||||
+ switch(li->type) {
|
||||
+ case LTYPE_LOGIN:
|
||||
+ return (linux_audit_record_event(li->uid, NULL, li->hostname,
|
||||
+ NULL, li->line, 1));
|
||||
+ case LTYPE_LOGOUT:
|
||||
+ return (1); /* We only care about logins */
|
||||
+ default:
|
||||
+ logit("%s: invalid type field", __func__);
|
||||
+ return (0);
|
||||
+ }
|
||||
+}
|
||||
+#endif /* HAVE_LINUX_AUDIT */
|
||||
+
|
||||
/**
|
||||
** Low-level libutil login() functions
|
||||
**/
|
||||
diff -up openssh-5.3p1/loginrec.h.audit openssh-5.3p1/loginrec.h
|
||||
--- openssh-5.3p1/loginrec.h.audit 2006-08-05 04:39:40.000000000 +0200
|
||||
+++ openssh-5.3p1/loginrec.h 2009-10-11 13:04:28.000000000 +0200
|
||||
@@ -127,5 +127,9 @@ char *line_stripname(char *dst, const ch
|
||||
char *line_abbrevname(char *dst, const char *src, int dstsize);
|
||||
|
||||
void record_failed_login(const char *, const char *, const char *);
|
||||
+#ifdef HAVE_LINUX_AUDIT
|
||||
+int linux_audit_record_event(int uid, const char *username,
|
||||
+ const char *hostname, const char *ip, const char *ttyn, int success);
|
||||
+#endif /* HAVE_LINUX_AUDIT */
|
||||
|
||||
#endif /* _HAVE_LOGINREC_H_ */
|
@ -63,7 +63,7 @@
|
||||
Summary: An open source implementation of SSH protocol versions 1 and 2
|
||||
Name: openssh
|
||||
Version: 5.3p1
|
||||
Release: 2%{?dist}%{?rescue_rel}
|
||||
Release: 3%{?dist}%{?rescue_rel}
|
||||
URL: http://www.openssh.com/portable.html
|
||||
#Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
|
||||
#Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
|
||||
@ -79,6 +79,7 @@ Patch2: openssh-5.3p1-skip-initial.patch
|
||||
Patch4: openssh-5.2p1-vendor.patch
|
||||
Patch12: openssh-5.2p1-selinux.patch
|
||||
Patch13: openssh-5.3p1-mls.patch
|
||||
Patch16: openssh-5.3p1-audit.patch
|
||||
Patch18: openssh-5.0p1-pam_selinux.patch
|
||||
Patch19: openssh-5.2p1-sesftp.patch
|
||||
Patch22: openssh-3.9p1-askpass-keep-above.patch
|
||||
@ -207,6 +208,7 @@ an X11 passphrase dialog for OpenSSH.
|
||||
#SELinux
|
||||
%patch12 -p1 -b .selinux
|
||||
%patch13 -p1 -b .mls
|
||||
%patch16 -p1 -b .audit
|
||||
%patch18 -p1 -b .pam_selinux
|
||||
%patch19 -p1 -b .sesftp
|
||||
%endif
|
||||
@ -460,6 +462,9 @@ fi
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Oct 16 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-3
|
||||
- Reenable audit.
|
||||
|
||||
* Fri Oct 2 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-2
|
||||
- Upgrade to new wersion 5.3p1
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user