Correctly audit hostname and IP address

Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>

openssh-8.7p1-audit-hostname.patch

@@ -0,0 +1,106 @@
+diff --color -ruNp a/audit-linux.c b/audit-linux.c
+--- a/audit-linux.c	2024-05-09 12:38:08.843017319 +0200
++++ b/audit-linux.c	2024-05-09 12:47:05.162267634 +0200
+@@ -52,7 +52,7 @@ extern u_int utmp_len;
+ const char *audit_username(void);
+ 
+ static void
+-linux_audit_user_logxxx(int uid, const char *username,
++linux_audit_user_logxxx(int uid, const char *username, const char *hostname,
+     const char *ip, const char *ttyn, int success, int event)
+ {
+ 	int audit_fd, rc, saved_errno;
+@@ -66,7 +66,7 @@ linux_audit_user_logxxx(int uid, const c
+ 	}
+ 	rc = audit_log_acct_message(audit_fd, event,
+ 	    NULL, "login", username ? username : "(unknown)",
+-	    username == NULL ? uid : -1, NULL, ip, ttyn, success);
++	    username == NULL ? uid : -1, hostname, ip, ttyn, success);
+ 	saved_errno = errno;
+ 	close(audit_fd);
+ 
+@@ -181,9 +181,11 @@ audit_run_command(struct ssh *ssh, const
+ {
+ 	if (!user_login_count++)
+ 		linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
++		    options.use_dns ? remote_hostname(ssh) : NULL,
+ 		    ssh_remote_ipaddr(ssh),
+ 		    "ssh", 1, AUDIT_USER_LOGIN);
+ 	linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
++	    options.use_dns ? remote_hostname(ssh) : NULL,
+ 	    ssh_remote_ipaddr(ssh),
+ 	    "ssh", 1, AUDIT_USER_START);
+ 	return 0;
+@@ -193,10 +195,12 @@ void
+ audit_end_command(struct ssh *ssh, int handle, const char *command)
+ {
+ 	linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
++	    options.use_dns ? remote_hostname(ssh) : NULL,
+ 	    ssh_remote_ipaddr(ssh),
+ 	    "ssh", 1, AUDIT_USER_END);
+ 	if (user_login_count && !--user_login_count)
+ 		linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
++		    options.use_dns ? remote_hostname(ssh) : NULL,
+ 		    ssh_remote_ipaddr(ssh),
+ 		    "ssh", 1, AUDIT_USER_LOGOUT);
+ }
+@@ -211,19 +215,27 @@ void
+ audit_session_open(struct logininfo *li)
+ {
+ 	if (!user_login_count++)
+-		linux_audit_user_logxxx(li->uid, NULL, li->hostname,
++		linux_audit_user_logxxx(li->uid, NULL,
++		    options.use_dns ? li->hostname : NULL,
++		    options.use_dns ? NULL : li->hostname,
+ 		    li->line, 1, AUDIT_USER_LOGIN);
+-	linux_audit_user_logxxx(li->uid, NULL, li->hostname,
++	linux_audit_user_logxxx(li->uid, NULL,
++	    options.use_dns ? li->hostname : NULL,
++	    options.use_dns ? NULL : li->hostname,
+ 	    li->line, 1, AUDIT_USER_START);
+ }
+ 
+ void
+ audit_session_close(struct logininfo *li)
+ {
+-	linux_audit_user_logxxx(li->uid, NULL, li->hostname,
++	linux_audit_user_logxxx(li->uid, NULL,
++	    options.use_dns ? li->hostname : NULL,
++	    options.use_dns ? NULL : li->hostname,
+ 	    li->line, 1, AUDIT_USER_END);
+ 	if (user_login_count && !--user_login_count)
+-		linux_audit_user_logxxx(li->uid, NULL, li->hostname,
++		linux_audit_user_logxxx(li->uid, NULL,
++		    options.use_dns ? li->hostname : NULL,
++		    options.use_dns ? NULL : li->hostname,
+ 		    li->line, 1, AUDIT_USER_LOGOUT);
+ }
+ 
+@@ -236,6 +248,7 @@ audit_event(struct ssh *ssh, ssh_audit_e
+ 		linux_audit_user_auth(-1, audit_username(),
+ 			ssh_remote_ipaddr(ssh), "ssh", 0, event);
+ 		linux_audit_user_logxxx(-1, audit_username(),
++			options.use_dns ? remote_hostname(ssh) : NULL,
+ 			ssh_remote_ipaddr(ssh), "ssh", 0, AUDIT_USER_LOGIN);
+ 		break;
+ 	case SSH_AUTH_FAIL_PASSWD:
+@@ -254,9 +267,11 @@ audit_event(struct ssh *ssh, ssh_audit_e
+ 		if (user_login_count) {
+ 			while (user_login_count--)
+ 				linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
++				    options.use_dns ? remote_hostname(ssh) : NULL,
+ 				    ssh_remote_ipaddr(ssh),
+ 				    "ssh", 1, AUDIT_USER_END);
+ 			linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
++			    options.use_dns ? remote_hostname(ssh) : NULL,
+ 			    ssh_remote_ipaddr(ssh),
+ 			    "ssh", 1, AUDIT_USER_LOGOUT);
+ 		}
+@@ -265,6 +280,7 @@ audit_event(struct ssh *ssh, ssh_audit_e
+ 	case SSH_CONNECTION_ABANDON:
+ 	case SSH_INVALID_USER:
+ 		linux_audit_user_logxxx(-1, audit_username(),
++			options.use_dns ? remote_hostname(ssh) : NULL,
+ 			ssh_remote_ipaddr(ssh), "ssh", 0, AUDIT_USER_LOGIN);
+ 		break;
+ 	default:

openssh.spec

@@ -54,7 +54,7 @@
 Summary: An open source implementation of SSH protocol version 2
 Name: openssh
 Version: %{openssh_ver}
-Release: %{openssh_rel}%{?dist}.2
+Release: %{openssh_rel}%{?dist}.3
 URL: http://www.openssh.com/portable.html
 #URL1: https://github.com/jbeverly/pam_ssh_agent_auth/
 Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
@@ -88,6 +88,8 @@ Patch200: openssh-7.6p1-audit.patch
 Patch201: openssh-7.1p2-audit-race-condition.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2049947
 Patch202: openssh-9.0p1-audit-log.patch
+# Correctly audit hostname and IP address
+Patch203: openssh-8.7p1-audit-hostname.patch
 
 # --- pam_ssh-agent ---
 # make it build reusing the openssh sources
@@ -421,6 +423,7 @@ popd
 %patch -P 200 -p1 -b .audit
 %patch -P 201 -p1 -b .audit-race
 %patch -P 202 -p1 -b .audit-log
+%patch -P 203 -p1 -b .audit-hostname
 %patch -P 700 -p1 -b .fips
 
 %patch -P 1002 -p1 -b .ssh-manpage
@@ -739,6 +742,9 @@ test -f %{sysconfig_anaconda} && \
 %endif
 
 %changelog
+* Thu May 09 2024 Zoltan Fridrich <zfridric@redhat.com> - 9.6p1-1.3
+- Correctly audit hostname and IP address (RHEL-22316)
+
 * Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 9.6p1-1.2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild