forked from rpms/openssh
Update the audit patch
This commit is contained in:
Jan F. Chadima
parent
c32d4acc8b
commit
ecd50fd460
@ -1,6 +1,6 @@
|
|||||||
diff -up openssh-5.3p1/auth.c.audit openssh-5.3p1/auth.c
|
diff -up openssh-5.3p1/auth.c.audit openssh-5.3p1/auth.c
|
||||||
--- openssh-5.3p1/auth.c.audit 2008-11-05 06:12:54.000000000 +0100
|
--- openssh-5.3p1/auth.c.audit 2008-11-05 06:12:54.000000000 +0100
|
||||||
+++ openssh-5.3p1/auth.c 2009-10-11 13:02:47.000000000 +0200
|
+++ openssh-5.3p1/auth.c 2009-12-21 08:50:12.000000000 +0100
|
||||||
@@ -287,6 +287,12 @@ auth_log(Authctxt *authctxt, int authent
|
@@ -287,6 +287,12 @@ auth_log(Authctxt *authctxt, int authent
|
||||||
get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
|
get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
|
||||||
# endif
|
# endif
|
||||||
@ -25,54 +25,10 @@ diff -up openssh-5.3p1/auth.c.audit openssh-5.3p1/auth.c
|
|||||||
#ifdef SSH_AUDIT_EVENTS
|
#ifdef SSH_AUDIT_EVENTS
|
||||||
audit_event(SSH_INVALID_USER);
|
audit_event(SSH_INVALID_USER);
|
||||||
#endif /* SSH_AUDIT_EVENTS */
|
#endif /* SSH_AUDIT_EVENTS */
|
||||||
diff -up openssh-5.3p1/config.h.in.audit openssh-5.3p1/config.h.in
|
|
||||||
--- openssh-5.3p1/config.h.in.audit 2009-09-26 08:31:14.000000000 +0200
|
|
||||||
+++ openssh-5.3p1/config.h.in 2009-10-11 13:09:41.000000000 +0200
|
|
||||||
@@ -533,6 +533,9 @@
|
|
||||||
/* Define to 1 if you have the <lastlog.h> header file. */
|
|
||||||
#undef HAVE_LASTLOG_H
|
|
||||||
|
|
||||||
+/* Define to 1 if you have the <libaudit.h> header file. */
|
|
||||||
+#undef HAVE_LIBAUDIT_H
|
|
||||||
+
|
|
||||||
/* Define to 1 if you have the `bsm' library (-lbsm). */
|
|
||||||
#undef HAVE_LIBBSM
|
|
||||||
|
|
||||||
@@ -572,6 +575,9 @@
|
|
||||||
/* Define to 1 if you have the <limits.h> header file. */
|
|
||||||
#undef HAVE_LIMITS_H
|
|
||||||
|
|
||||||
+/* Define if you want Linux audit support. */
|
|
||||||
+#undef HAVE_LINUX_AUDIT
|
|
||||||
+
|
|
||||||
/* Define to 1 if you have the <linux/if_tun.h> header file. */
|
|
||||||
#undef HAVE_LINUX_IF_TUN_H
|
|
||||||
|
|
||||||
@@ -768,6 +774,9 @@
|
|
||||||
/* Define to 1 if you have the `setgroups' function. */
|
|
||||||
#undef HAVE_SETGROUPS
|
|
||||||
|
|
||||||
+/* Define to 1 if you have the `setkeycreatecon' function. */
|
|
||||||
+#undef HAVE_SETKEYCREATECON
|
|
||||||
+
|
|
||||||
/* Define to 1 if you have the `setlogin' function. */
|
|
||||||
#undef HAVE_SETLOGIN
|
|
||||||
|
|
||||||
@@ -1348,6 +1357,10 @@
|
|
||||||
/* Prepend the address family to IP tunnel traffic */
|
|
||||||
#undef SSH_TUN_PREPEND_AF
|
|
||||||
|
|
||||||
+/* Define to your vendor patch level, if it has been modified from the
|
|
||||||
+ upstream source release. */
|
|
||||||
+#undef SSH_VENDOR_PATCHLEVEL
|
|
||||||
+
|
|
||||||
/* Define to 1 if you have the ANSI C header files. */
|
|
||||||
#undef STDC_HEADERS
|
|
||||||
|
|
||||||
diff -up openssh-5.3p1/configure.ac.audit openssh-5.3p1/configure.ac
|
diff -up openssh-5.3p1/configure.ac.audit openssh-5.3p1/configure.ac
|
||||||
--- openssh-5.3p1/configure.ac.audit 2009-09-11 06:56:08.000000000 +0200
|
--- openssh-5.3p1/configure.ac.audit 2009-12-21 08:48:59.000000000 +0100
|
||||||
+++ openssh-5.3p1/configure.ac 2009-10-11 13:08:03.000000000 +0200
|
+++ openssh-5.3p1/configure.ac 2009-12-21 08:51:47.000000000 +0100
|
||||||
@@ -3407,6 +3407,18 @@ AC_ARG_WITH(selinux,
|
@@ -3409,6 +3409,18 @@ AC_ARG_WITH(selinux,
|
||||||
fi ]
|
fi ]
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -91,7 +47,7 @@ diff -up openssh-5.3p1/configure.ac.audit openssh-5.3p1/configure.ac
|
|||||||
# Check whether user wants Kerberos 5 support
|
# Check whether user wants Kerberos 5 support
|
||||||
KRB5_MSG="no"
|
KRB5_MSG="no"
|
||||||
AC_ARG_WITH(kerberos5,
|
AC_ARG_WITH(kerberos5,
|
||||||
@@ -4226,6 +4238,7 @@ echo " PAM support
|
@@ -4234,6 +4246,7 @@ echo " PAM support
|
||||||
echo " OSF SIA support: $SIA_MSG"
|
echo " OSF SIA support: $SIA_MSG"
|
||||||
echo " KerberosV support: $KRB5_MSG"
|
echo " KerberosV support: $KRB5_MSG"
|
||||||
echo " SELinux support: $SELINUX_MSG"
|
echo " SELinux support: $SELINUX_MSG"
|
||||||
@ -101,7 +57,7 @@ diff -up openssh-5.3p1/configure.ac.audit openssh-5.3p1/configure.ac
|
|||||||
echo " TCP Wrappers support: $TCPW_MSG"
|
echo " TCP Wrappers support: $TCPW_MSG"
|
||||||
diff -up openssh-5.3p1/loginrec.c.audit openssh-5.3p1/loginrec.c
|
diff -up openssh-5.3p1/loginrec.c.audit openssh-5.3p1/loginrec.c
|
||||||
--- openssh-5.3p1/loginrec.c.audit 2009-02-12 03:12:22.000000000 +0100
|
--- openssh-5.3p1/loginrec.c.audit 2009-02-12 03:12:22.000000000 +0100
|
||||||
+++ openssh-5.3p1/loginrec.c 2009-10-11 13:06:16.000000000 +0200
|
+++ openssh-5.3p1/loginrec.c 2009-12-21 08:54:17.000000000 +0100
|
||||||
@@ -176,6 +176,10 @@
|
@@ -176,6 +176,10 @@
|
||||||
#include "auth.h"
|
#include "auth.h"
|
||||||
#include "buffer.h"
|
#include "buffer.h"
|
||||||
@ -134,49 +90,15 @@ diff -up openssh-5.3p1/loginrec.c.audit openssh-5.3p1/loginrec.c
|
|||||||
#ifdef USE_LOGIN
|
#ifdef USE_LOGIN
|
||||||
syslogin_write_entry(li);
|
syslogin_write_entry(li);
|
||||||
#endif
|
#endif
|
||||||
@@ -1394,6 +1405,87 @@ wtmpx_get_entry(struct logininfo *li)
|
@@ -1394,6 +1405,47 @@ wtmpx_get_entry(struct logininfo *li)
|
||||||
}
|
}
|
||||||
#endif /* USE_WTMPX */
|
#endif /* USE_WTMPX */
|
||||||
|
|
||||||
+#ifdef HAVE_LINUX_AUDIT
|
+#ifdef HAVE_LINUX_AUDIT
|
||||||
+static void
|
|
||||||
+_audit_hexscape(const char *what, char *where, unsigned int size)
|
|
||||||
+{
|
|
||||||
+ const char *ptr = what;
|
|
||||||
+ const char *hex = "0123456789ABCDEF";
|
|
||||||
+
|
|
||||||
+ while (*ptr) {
|
|
||||||
+ if (*ptr == '"' || *ptr < 0x21 || *ptr > 0x7E) {
|
|
||||||
+ unsigned int i;
|
|
||||||
+ ptr = what;
|
|
||||||
+ for (i = 0; *ptr && i+2 < size; i += 2) {
|
|
||||||
+ where[i] = hex[((unsigned)*ptr & 0xF0)>>4]; /* Upper nibble */
|
|
||||||
+ where[i+1] = hex[(unsigned)*ptr & 0x0F]; /* Lower nibble */
|
|
||||||
+ ptr++;
|
|
||||||
+ }
|
|
||||||
+ where[i] = '\0';
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
+ ptr++;
|
|
||||||
+ }
|
|
||||||
+ where[0] = '"';
|
|
||||||
+ if ((unsigned)(ptr - what) < size - 3)
|
|
||||||
+ {
|
|
||||||
+ size = ptr - what + 3;
|
|
||||||
+ }
|
|
||||||
+ strncpy(where + 1, what, size - 3);
|
|
||||||
+ where[size-2] = '"';
|
|
||||||
+ where[size-1] = '\0';
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+#define AUDIT_LOG_SIZE 128
|
|
||||||
+#define AUDIT_ACCT_SIZE (AUDIT_LOG_SIZE - 8)
|
|
||||||
+
|
|
||||||
+int
|
+int
|
||||||
+linux_audit_record_event(int uid, const char *username,
|
+linux_audit_record_event(int uid, const char *username,
|
||||||
+ const char *hostname, const char *ip, const char *ttyn, int success)
|
+ const char *hostname, const char *ip, const char *ttyn, int success)
|
||||||
+{
|
+{
|
||||||
+ char buf[AUDIT_LOG_SIZE];
|
|
||||||
+ int audit_fd, rc;
|
+ int audit_fd, rc;
|
||||||
+
|
+
|
||||||
+ audit_fd = audit_open();
|
+ audit_fd = audit_open();
|
||||||
@ -187,15 +109,9 @@ diff -up openssh-5.3p1/loginrec.c.audit openssh-5.3p1/loginrec.c
|
|||||||
+ else
|
+ else
|
||||||
+ return 0; /* Must prevent login */
|
+ return 0; /* Must prevent login */
|
||||||
+ }
|
+ }
|
||||||
+ if (username == NULL)
|
+ rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
|
||||||
+ snprintf(buf, sizeof(buf), "uid=%d", uid);
|
+ NULL, "login", username ? username : "(unknown)",
|
||||||
+ else {
|
+ username == NULL ? uid : -1, hostname, ip, ttyn, success);
|
||||||
+ char encoded[AUDIT_ACCT_SIZE];
|
|
||||||
+ _audit_hexscape(username, encoded, sizeof(encoded));
|
|
||||||
+ snprintf(buf, sizeof(buf), "acct=%s", encoded);
|
|
||||||
+ }
|
|
||||||
+ rc = audit_log_user_message(audit_fd, AUDIT_USER_LOGIN,
|
|
||||||
+ buf, hostname, ip, ttyn, success);
|
|
||||||
+ close(audit_fd);
|
+ close(audit_fd);
|
||||||
+ if (rc >= 0)
|
+ if (rc >= 0)
|
||||||
+ return 1;
|
+ return 1;
|
||||||
@ -224,7 +140,7 @@ diff -up openssh-5.3p1/loginrec.c.audit openssh-5.3p1/loginrec.c
|
|||||||
**/
|
**/
|
||||||
diff -up openssh-5.3p1/loginrec.h.audit openssh-5.3p1/loginrec.h
|
diff -up openssh-5.3p1/loginrec.h.audit openssh-5.3p1/loginrec.h
|
||||||
--- openssh-5.3p1/loginrec.h.audit 2006-08-05 04:39:40.000000000 +0200
|
--- openssh-5.3p1/loginrec.h.audit 2006-08-05 04:39:40.000000000 +0200
|
||||||
+++ openssh-5.3p1/loginrec.h 2009-10-11 13:04:28.000000000 +0200
|
+++ openssh-5.3p1/loginrec.h 2009-12-21 08:48:59.000000000 +0100
|
||||||
@@ -127,5 +127,9 @@ char *line_stripname(char *dst, const ch
|
@@ -127,5 +127,9 @@ char *line_stripname(char *dst, const ch
|
||||||
char *line_abbrevname(char *dst, const char *src, int dstsize);
|
char *line_abbrevname(char *dst, const char *src, int dstsize);
|
||||||
|
|
||||||
|
|||||||
@ -69,7 +69,7 @@
|
|||||||
Summary: An open source implementation of SSH protocol versions 1 and 2
|
Summary: An open source implementation of SSH protocol versions 1 and 2
|
||||||
Name: openssh
|
Name: openssh
|
||||||
Version: 5.3p1
|
Version: 5.3p1
|
||||||
Release: 12%{?dist}%{?rescue_rel}
|
Release: 13%{?dist}%{?rescue_rel}
|
||||||
URL: http://www.openssh.com/portable.html
|
URL: http://www.openssh.com/portable.html
|
||||||
#URL1: http://pamsshauth.sourceforge.net
|
#URL1: http://pamsshauth.sourceforge.net
|
||||||
#Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
|
#Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
|
||||||
@ -525,6 +525,9 @@ fi
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Dec 21 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-13
|
||||||
|
- Update the audit patch
|
||||||
|
|
||||||
* Fri Dec 4 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-12
|
* Fri Dec 4 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-12
|
||||||
- Add possibility to autocreate only RSA key into initscript (#533339)
|
- Add possibility to autocreate only RSA key into initscript (#533339)
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user