jonathan/openssh
1
0
Fork 0
forked from rpms/openssh
Code Pull Requests Activity

Update the audit patch

Browse Source
This commit is contained in:
Jan F. Chadima 2009-12-21 10:54:59 +00:00
parent c32d4acc8b
commit ecd50fd460
2 changed files with 56 additions and 137 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

188
openssh-5.3p1-audit.patch
View File

@ -1,15 +1,15 @@
diff -up openssh-5.3p1/auth.c.audit openssh-5.3p1/auth.c diff -up openssh-5.3p1/auth.c.audit openssh-5.3p1/auth.c
--- openssh-5.3p1/auth.c.audit 2008-11-05 06:12:54.000000000 +0100 --- openssh-5.3p1/auth.c.audit 2008-11-05 06:12:54.000000000 +0100
+++ openssh-5.3p1/auth.c 2009-10-11 13:02:47.000000000 +0200 +++ openssh-5.3p1/auth.c 2009-12-21 08:50:12.000000000 +0100
@@ -287,6 +287,12 @@ auth_log(Authctxt *authctxt, int authent @@ -287,6 +287,12 @@ auth_log(Authctxt *authctxt, int authent
get_canonical_hostname(options.use_dns), "ssh", &loginmsg); get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
# endif # endif
#endif #endif
+#if HAVE_LINUX_AUDIT +#if HAVE_LINUX_AUDIT
+ if (authenticated == 0 && !authctxt->postponed) { + if (authenticated == 0 && !authctxt->postponed) {
+ linux_audit_record_event(-1, authctxt->user, NULL, + linux_audit_record_event(-1, authctxt->user, NULL,
+ get_remote_ipaddr(), "sshd", 0); + get_remote_ipaddr(), "sshd", 0);
+ } + }
+#endif +#endif
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
if (authenticated == 0 && !authctxt->postponed) if (authenticated == 0 && !authctxt->postponed)
@ -19,79 +19,35 @@ diff -up openssh-5.3p1/auth.c.audit openssh-5.3p1/auth.c
get_canonical_hostname(options.use_dns), "ssh"); get_canonical_hostname(options.use_dns), "ssh");
#endif #endif
+#ifdef HAVE_LINUX_AUDIT +#ifdef HAVE_LINUX_AUDIT
+ linux_audit_record_event(-1, user, NULL, get_remote_ipaddr(), + linux_audit_record_event(-1, user, NULL, get_remote_ipaddr(),
+ "sshd", 0); + "sshd", 0);
+#endif +#endif
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
audit_event(SSH_INVALID_USER); audit_event(SSH_INVALID_USER);
#endif /* SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */
diff -up openssh-5.3p1/config.h.in.audit openssh-5.3p1/config.h.in
--- openssh-5.3p1/config.h.in.audit 2009-09-26 08:31:14.000000000 +0200
+++ openssh-5.3p1/config.h.in 2009-10-11 13:09:41.000000000 +0200
@@ -533,6 +533,9 @@
/* Define to 1 if you have the <lastlog.h> header file. */
#undef HAVE_LASTLOG_H
+/* Define to 1 if you have the <libaudit.h> header file. */
+#undef HAVE_LIBAUDIT_H
+
/* Define to 1 if you have the `bsm' library (-lbsm). */
#undef HAVE_LIBBSM
@@ -572,6 +575,9 @@
/* Define to 1 if you have the <limits.h> header file. */
#undef HAVE_LIMITS_H
+/* Define if you want Linux audit support. */
+#undef HAVE_LINUX_AUDIT
+
/* Define to 1 if you have the <linux/if_tun.h> header file. */
#undef HAVE_LINUX_IF_TUN_H
@@ -768,6 +774,9 @@
/* Define to 1 if you have the `setgroups' function. */
#undef HAVE_SETGROUPS
+/* Define to 1 if you have the `setkeycreatecon' function. */
+#undef HAVE_SETKEYCREATECON
+
/* Define to 1 if you have the `setlogin' function. */
#undef HAVE_SETLOGIN
@@ -1348,6 +1357,10 @@
/* Prepend the address family to IP tunnel traffic */
#undef SSH_TUN_PREPEND_AF
+/* Define to your vendor patch level, if it has been modified from the
+ upstream source release. */
+#undef SSH_VENDOR_PATCHLEVEL
+
/* Define to 1 if you have the ANSI C header files. */
#undef STDC_HEADERS
diff -up openssh-5.3p1/configure.ac.audit openssh-5.3p1/configure.ac diff -up openssh-5.3p1/configure.ac.audit openssh-5.3p1/configure.ac
--- openssh-5.3p1/configure.ac.audit 2009-09-11 06:56:08.000000000 +0200 --- openssh-5.3p1/configure.ac.audit 2009-12-21 08:48:59.000000000 +0100
+++ openssh-5.3p1/configure.ac 2009-10-11 13:08:03.000000000 +0200 +++ openssh-5.3p1/configure.ac 2009-12-21 08:51:47.000000000 +0100
@@ -3407,6 +3407,18 @@ AC_ARG_WITH(selinux, @@ -3409,6 +3409,18 @@ AC_ARG_WITH(selinux,
fi ] fi ]
) )
+# Check whether user wants Linux audit support +# Check whether user wants Linux audit support
+LINUX_AUDIT_MSG="no" +LINUX_AUDIT_MSG="no"
+AC_ARG_WITH(linux-audit, +AC_ARG_WITH(linux-audit,
+ [ --with-linux-audit Enable Linux audit support], + [ --with-linux-audit Enable Linux audit support],
+ [ if test "x$withval" != "xno" ; then + [ if test "x$withval" != "xno" ; then
+ AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.]) + AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.])
+ LINUX_AUDIT_MSG="yes" + LINUX_AUDIT_MSG="yes"
+ AC_CHECK_HEADERS(libaudit.h) + AC_CHECK_HEADERS(libaudit.h)
+ SSHDLIBS="$SSHDLIBS -laudit" + SSHDLIBS="$SSHDLIBS -laudit"
+ fi ] + fi ]
+) +)
+ +
# Check whether user wants Kerberos 5 support # Check whether user wants Kerberos 5 support
KRB5_MSG="no" KRB5_MSG="no"
AC_ARG_WITH(kerberos5, AC_ARG_WITH(kerberos5,
@@ -4226,6 +4238,7 @@ echo " PAM support @@ -4234,6 +4246,7 @@ echo " PAM support
echo " OSF SIA support: $SIA_MSG" echo " OSF SIA support: $SIA_MSG"
echo " KerberosV support: $KRB5_MSG" echo " KerberosV support: $KRB5_MSG"
echo " SELinux support: $SELINUX_MSG" echo " SELinux support: $SELINUX_MSG"
@ -101,7 +57,7 @@ diff -up openssh-5.3p1/configure.ac.audit openssh-5.3p1/configure.ac
echo " TCP Wrappers support: $TCPW_MSG" echo " TCP Wrappers support: $TCPW_MSG"
diff -up openssh-5.3p1/loginrec.c.audit openssh-5.3p1/loginrec.c diff -up openssh-5.3p1/loginrec.c.audit openssh-5.3p1/loginrec.c
--- openssh-5.3p1/loginrec.c.audit 2009-02-12 03:12:22.000000000 +0100 --- openssh-5.3p1/loginrec.c.audit 2009-02-12 03:12:22.000000000 +0100
+++ openssh-5.3p1/loginrec.c 2009-10-11 13:06:16.000000000 +0200 +++ openssh-5.3p1/loginrec.c 2009-12-21 08:54:17.000000000 +0100
@@ -176,6 +176,10 @@ @@ -176,6 +176,10 @@
#include "auth.h" #include "auth.h"
#include "buffer.h" #include "buffer.h"
@ -128,94 +84,54 @@ diff -up openssh-5.3p1/loginrec.c.audit openssh-5.3p1/loginrec.c
/* set the timestamp */ /* set the timestamp */
login_set_current_time(li); login_set_current_time(li);
+#ifdef HAVE_LINUX_AUDIT +#ifdef HAVE_LINUX_AUDIT
+ if (linux_audit_write_entry(li) == 0) + if (linux_audit_write_entry(li) == 0)
+ fatal("linux_audit_write_entry failed: %s", strerror(errno)); + fatal("linux_audit_write_entry failed: %s", strerror(errno));
+#endif +#endif
#ifdef USE_LOGIN #ifdef USE_LOGIN
syslogin_write_entry(li); syslogin_write_entry(li);
#endif #endif
@@ -1394,6 +1405,87 @@ wtmpx_get_entry(struct logininfo *li) @@ -1394,6 +1405,47 @@ wtmpx_get_entry(struct logininfo *li)
} }
#endif /* USE_WTMPX */ #endif /* USE_WTMPX */
+#ifdef HAVE_LINUX_AUDIT +#ifdef HAVE_LINUX_AUDIT
+static void
+_audit_hexscape(const char *what, char *where, unsigned int size)
+{
+ const char *ptr = what;
+ const char *hex = "0123456789ABCDEF";
+
+ while (*ptr) {
+ if (*ptr == '"' || *ptr < 0x21 || *ptr > 0x7E) {
+ unsigned int i;
+ ptr = what;
+ for (i = 0; *ptr && i+2 < size; i += 2) {
+ where[i] = hex[((unsigned)*ptr & 0xF0)>>4]; /* Upper nibble */
+ where[i+1] = hex[(unsigned)*ptr & 0x0F]; /* Lower nibble */
+ ptr++;
+ }
+ where[i] = '\0';
+ return;
+ }
+ ptr++;
+ }
+ where[0] = '"';
+ if ((unsigned)(ptr - what) < size - 3)
+ {
+ size = ptr - what + 3;
+ }
+ strncpy(where + 1, what, size - 3);
+ where[size-2] = '"';
+ where[size-1] = '\0';
+}
+
+#define AUDIT_LOG_SIZE 128
+#define AUDIT_ACCT_SIZE (AUDIT_LOG_SIZE - 8)
+
+int +int
+linux_audit_record_event(int uid, const char *username, +linux_audit_record_event(int uid, const char *username,
+ const char *hostname, const char *ip, const char *ttyn, int success) + const char *hostname, const char *ip, const char *ttyn, int success)
+{ +{
+ char buf[AUDIT_LOG_SIZE]; + int audit_fd, rc;
+ int audit_fd, rc;
+ +
+ audit_fd = audit_open(); + audit_fd = audit_open();
+ if (audit_fd < 0) { + if (audit_fd < 0) {
+ if (errno == EINVAL || errno == EPROTONOSUPPORT || + if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+ errno == EAFNOSUPPORT) + errno == EAFNOSUPPORT)
+ return 1; /* No audit support in kernel */ + return 1; /* No audit support in kernel */
+ else + else
+ return 0; /* Must prevent login */ + return 0; /* Must prevent login */
+ } + }
+ if (username == NULL) + rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
+ snprintf(buf, sizeof(buf), "uid=%d", uid); + NULL, "login", username ? username : "(unknown)",
+ else { + username == NULL ? uid : -1, hostname, ip, ttyn, success);
+ char encoded[AUDIT_ACCT_SIZE]; + close(audit_fd);
+ _audit_hexscape(username, encoded, sizeof(encoded)); + if (rc >= 0)
+ snprintf(buf, sizeof(buf), "acct=%s", encoded); + return 1;
+ } + else
+ rc = audit_log_user_message(audit_fd, AUDIT_USER_LOGIN, + return 0;
+ buf, hostname, ip, ttyn, success);
+ close(audit_fd);
+ if (rc >= 0)
+ return 1;
+ else
+ return 0;
+} +}
+ +
+int +int
+linux_audit_write_entry(struct logininfo *li) +linux_audit_write_entry(struct logininfo *li)
+{ +{
+ switch(li->type) { + switch(li->type) {
+ case LTYPE_LOGIN: + case LTYPE_LOGIN:
+ return (linux_audit_record_event(li->uid, NULL, li->hostname, + return (linux_audit_record_event(li->uid, NULL, li->hostname,
+ NULL, li->line, 1)); + NULL, li->line, 1));
+ case LTYPE_LOGOUT: + case LTYPE_LOGOUT:
+ return (1); /* We only care about logins */ + return (1); /* We only care about logins */
+ default: + default:
+ logit("%s: invalid type field", __func__); + logit("%s: invalid type field", __func__);
+ return (0); + return (0);
+ } + }
+} +}
+#endif /* HAVE_LINUX_AUDIT */ +#endif /* HAVE_LINUX_AUDIT */
+ +
@ -224,14 +140,14 @@ diff -up openssh-5.3p1/loginrec.c.audit openssh-5.3p1/loginrec.c
**/ **/
diff -up openssh-5.3p1/loginrec.h.audit openssh-5.3p1/loginrec.h diff -up openssh-5.3p1/loginrec.h.audit openssh-5.3p1/loginrec.h
--- openssh-5.3p1/loginrec.h.audit 2006-08-05 04:39:40.000000000 +0200 --- openssh-5.3p1/loginrec.h.audit 2006-08-05 04:39:40.000000000 +0200
+++ openssh-5.3p1/loginrec.h 2009-10-11 13:04:28.000000000 +0200 +++ openssh-5.3p1/loginrec.h 2009-12-21 08:48:59.000000000 +0100
@@ -127,5 +127,9 @@ char *line_stripname(char *dst, const ch @@ -127,5 +127,9 @@ char *line_stripname(char *dst, const ch
char *line_abbrevname(char *dst, const char *src, int dstsize); char *line_abbrevname(char *dst, const char *src, int dstsize);
void record_failed_login(const char *, const char *, const char *); void record_failed_login(const char *, const char *, const char *);
+#ifdef HAVE_LINUX_AUDIT +#ifdef HAVE_LINUX_AUDIT
+int linux_audit_record_event(int uid, const char *username, +int linux_audit_record_event(int uid, const char *username,
+ const char *hostname, const char *ip, const char *ttyn, int success); + const char *hostname, const char *ip, const char *ttyn, int success);
+#endif /* HAVE_LINUX_AUDIT */ +#endif /* HAVE_LINUX_AUDIT */
#endif /* _HAVE_LOGINREC_H_ */ #endif /* _HAVE_LOGINREC_H_ */

5
openssh.spec
View File

@ -69,7 +69,7 @@
Summary: An open source implementation of SSH protocol versions 1 and 2 Summary: An open source implementation of SSH protocol versions 1 and 2
Name: openssh Name: openssh
Version: 5.3p1 Version: 5.3p1
Release: 12%{?dist}%{?rescue_rel} Release: 13%{?dist}%{?rescue_rel}
URL: http://www.openssh.com/portable.html URL: http://www.openssh.com/portable.html
#URL1: http://pamsshauth.sourceforge.net #URL1: http://pamsshauth.sourceforge.net
#Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
@ -525,6 +525,9 @@ fi
%endif %endif
%changelog %changelog
* Mon Dec 21 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-13
- Update the audit patch
* Fri Dec 4 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-12 * Fri Dec 4 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-12
- Add possibility to autocreate only RSA key into initscript (#533339) - Add possibility to autocreate only RSA key into initscript (#533339)