improve audit of logins and auths

Jan F 2011-02-16 17:30:51 +01:00
parent 003cb0b27f
commit 483c73337b
3 changed files with 138 additions and 13 deletions

openssh-5.8p1-audit1.patch Normal file

@ -0,0 +1,120 @@
diff -up openssh-5.8p1/audit-linux.c.audit1 openssh-5.8p1/audit-linux.c
--- openssh-5.8p1/audit-linux.c.audit1 2011-02-16 15:49:11.000000000 +0100
+++ openssh-5.8p1/audit-linux.c 2011-02-16 16:48:45.000000000 +0100
@@ -39,8 +39,8 @@
const char* audit_username(void);
-int
-linux_audit_record_event(int uid, const char *username,
+static int
+linux_audit_user_login(int uid, const char *username,
const char *hostname, const char *ip, const char *ttyn, int success)
{
int audit_fd, rc, saved_errno;
@@ -68,13 +68,62 @@ linux_audit_record_event(int uid, const
return (rc >= 0);
}
+static int
+linux_audit_user_auth(int uid, const char *username,
+ const char *hostname, const char *ip, const char *ttyn, int success, int event)
+{
+ int audit_fd, rc, saved_errno;
+ static const char *event_name[] = {
+ "exceed maxtries",
+ "root denied",
+ "success",
+ "none",
+ "paasword",
+ "chalenge-response",
+ "pubkey",
+ "hostbased",
+ "gssapi",
+ "invalid user",
+ "nologin",
+ "connection close",
+ "connection abandon",
+ "unknown"
+ };
+
+ audit_fd = audit_open();
+ if (audit_fd < 0) {
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+ errno == EAFNOSUPPORT)
+ return 1; /* No audit support in kernel */
+ else
+ return 0; /* Must prevent login */
+ }
+
+ if ((event < 0) || (event > SSH_AUDIT_UNKNOWN))
+ event = SSH_AUDIT_UNKNOWN;
+
+ rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH,
+ NULL, event_name[event], username ? username : "(unknown)",
+ username == NULL ? uid : -1, hostname, ip, ttyn, success);
+ saved_errno = errno;
+ close(audit_fd);
+ /*
+ * Do not report error if the error is EPERM and sshd is run as non
+ * root user.
+ */
+ if ((rc == -EPERM) && (geteuid() != 0))
+ rc = 0;
+ errno = saved_errno;
+ return (rc >= 0);
+}
+
/* Below is the sshd audit API code */
void
audit_connection_from(const char *host, int port)
{
-}
/* not implemented */
+}
void
audit_run_command(const char *command)
@@ -85,7 +134,7 @@ audit_run_command(const char *command)
void
audit_session_open(struct logininfo *li)
{
- if (linux_audit_record_event(li->uid, NULL, li->hostname,
+ if (linux_audit_user_login(li->uid, NULL, li->hostname,
NULL, li->line, 1) == 0)
fatal("linux_audit_write_entry failed: %s", strerror(errno));
}
@@ -101,10 +150,15 @@ audit_event(ssh_audit_event_t event)
{
switch(event) {
case SSH_AUTH_SUCCESS:
- case SSH_CONNECTION_CLOSE:
+ break;
+
case SSH_NOLOGIN:
case SSH_LOGIN_EXCEED_MAXTRIES:
case SSH_LOGIN_ROOT_DENIED:
+ linux_audit_user_auth(-1, audit_username(), NULL,
+ get_remote_ipaddr(), "sshd", 0, event);
+ linux_audit_user_login(-1, audit_username(), NULL,
+ get_remote_ipaddr(), "sshd", 0);
break;
case SSH_AUTH_FAIL_NONE:
@@ -113,8 +167,14 @@ audit_event(ssh_audit_event_t event)
case SSH_AUTH_FAIL_PUBKEY:
case SSH_AUTH_FAIL_HOSTBASED:
case SSH_AUTH_FAIL_GSSAPI:
+ linux_audit_user_auth(-1, audit_username(), NULL,
+ get_remote_ipaddr(), "sshd", 0, event);
+ break;
+
+ case SSH_CONNECTION_CLOSE:
+ case SSH_CONNECTION_ABANDON:
case SSH_INVALID_USER:
- linux_audit_record_event(-1, audit_username(), NULL,
+ linux_audit_user_login(-1, audit_username(), NULL,
get_remote_ipaddr(), "sshd", 0);
break;
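Review bot: The event_name[] table added in linux_audit_user_auth misspells two of the strings that are written verbatim into the AUDIT_USER_AUTH record, `"paasword"` and `"chalenge-response"`; analysts and audit-search rules key on these exact strings, so they should read `"password"` and `"challenge-response"` before the patch ships. The table is indexed directly by the ssh_audit_event_t value after clamping to SSH_AUDIT_UNKNOWN, which silently depends on the enum order in audit.h matching the table order; a comment such as `/* order must match ssh_audit_event_t in audit.h */` above the array, or a compile-time size check against SSH_AUDIT_UNKNOWN + 1, would make that coupling visible. The return value of linux_audit_user_auth is discarded at every call site in audit_event, so the `return 0; /* Must prevent login */` path taken when audit_open() fails has no effect there, unlike the fatal() in audit_session_open; if that is intended for the failure-path events, a short comment at the call sites saying so would stop a later reader assuming the denial is enforced. audit_event's body continues outside the hunk.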


@ -1,6 +1,6 @@
diff -up openssh-5.8p1/audit-bsm.c.audit2 openssh-5.8p1/audit-bsm.c
--- openssh-5.8p1/audit-bsm.c.audit2 2011-01-17 11:15:29.000000000 +0100
+++ openssh-5.8p1/audit-bsm.c 2011-02-09 15:50:28.000000000 +0100
+++ openssh-5.8p1/audit-bsm.c 2011-02-16 17:09:00.000000000 +0100
@@ -316,6 +316,12 @@ audit_session_close(struct logininfo *li
/* not implemented */
}
@ -16,7 +16,7 @@ diff -up openssh-5.8p1/audit-bsm.c.audit2 openssh-5.8p1/audit-bsm.c
{
diff -up openssh-5.8p1/audit.c.audit2 openssh-5.8p1/audit.c
--- openssh-5.8p1/audit.c.audit2 2011-01-17 11:15:30.000000000 +0100
+++ openssh-5.8p1/audit.c 2011-02-09 15:50:28.000000000 +0100
+++ openssh-5.8p1/audit.c 2011-02-16 17:09:01.000000000 +0100
@@ -111,6 +111,33 @@ audit_event_lookup(ssh_audit_event_t ev)
return(event_lookup[i].name);
}
@ -71,7 +71,7 @@ diff -up openssh-5.8p1/audit.c.audit2 openssh-5.8p1/audit.c
#endif /* SSH_AUDIT_EVENTS */
diff -up openssh-5.8p1/audit.h.audit2 openssh-5.8p1/audit.h
--- openssh-5.8p1/audit.h.audit2 2011-01-17 11:15:30.000000000 +0100
+++ openssh-5.8p1/audit.h 2011-02-09 15:50:28.000000000 +0100
+++ openssh-5.8p1/audit.h 2011-02-16 17:09:01.000000000 +0100
@@ -28,6 +28,7 @@
# define _SSH_AUDIT_H
@ -89,8 +89,8 @@ diff -up openssh-5.8p1/audit.h.audit2 openssh-5.8p1/audit.h
#endif /* _SSH_AUDIT_H */
diff -up openssh-5.8p1/audit-linux.c.audit2 openssh-5.8p1/audit-linux.c
--- openssh-5.8p1/audit-linux.c.audit2 2011-01-17 11:15:30.000000000 +0100
+++ openssh-5.8p1/audit-linux.c 2011-02-09 15:51:45.000000000 +0100
--- openssh-5.8p1/audit-linux.c.audit2 2011-02-16 17:09:00.000000000 +0100
+++ openssh-5.8p1/audit-linux.c 2011-02-16 17:10:29.000000000 +0100
@@ -37,6 +37,8 @@
#include "audit.h"
#include "canohost.h"
@ -99,8 +99,8 @@ diff -up openssh-5.8p1/audit-linux.c.audit2 openssh-5.8p1/audit-linux.c
+
const char* audit_username(void);
int
@@ -68,6 +70,37 @@ linux_audit_record_event(int uid, const
static int
@@ -117,6 +119,37 @@ linux_audit_user_auth(int uid, const cha
return (rc >= 0);
}
@ -140,7 +140,7 @@ diff -up openssh-5.8p1/audit-linux.c.audit2 openssh-5.8p1/audit-linux.c
void
diff -up openssh-5.8p1/auth2-hostbased.c.audit2 openssh-5.8p1/auth2-hostbased.c
--- openssh-5.8p1/auth2-hostbased.c.audit2 2010-08-05 05:04:50.000000000 +0200
+++ openssh-5.8p1/auth2-hostbased.c 2011-02-09 15:50:28.000000000 +0100
+++ openssh-5.8p1/auth2-hostbased.c 2011-02-16 17:09:01.000000000 +0100
@@ -136,6 +136,18 @@ done:
return authenticated;
}
@ -162,7 +162,7 @@ diff -up openssh-5.8p1/auth2-hostbased.c.audit2 openssh-5.8p1/auth2-hostbased.c
hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
diff -up openssh-5.8p1/auth2-pubkey.c.audit2 openssh-5.8p1/auth2-pubkey.c
--- openssh-5.8p1/auth2-pubkey.c.audit2 2010-12-01 01:50:14.000000000 +0100
+++ openssh-5.8p1/auth2-pubkey.c 2011-02-09 15:50:28.000000000 +0100
+++ openssh-5.8p1/auth2-pubkey.c 2011-02-16 17:09:01.000000000 +0100
@@ -177,6 +177,18 @@ done:
return authenticated;
}
@ -184,7 +184,7 @@ diff -up openssh-5.8p1/auth2-pubkey.c.audit2 openssh-5.8p1/auth2-pubkey.c
{
diff -up openssh-5.8p1/auth.h.audit2 openssh-5.8p1/auth.h
--- openssh-5.8p1/auth.h.audit2 2010-05-10 03:58:03.000000000 +0200
+++ openssh-5.8p1/auth.h 2011-02-09 15:50:28.000000000 +0100
+++ openssh-5.8p1/auth.h 2011-02-16 17:09:01.000000000 +0100
@@ -170,6 +170,7 @@ void abandon_challenge_response(Authctxt
char *authorized_keys_file(struct passwd *);
char *authorized_keys_file2(struct passwd *);
@ -203,7 +203,7 @@ diff -up openssh-5.8p1/auth.h.audit2 openssh-5.8p1/auth.h
void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
diff -up openssh-5.8p1/auth-rsa.c.audit2 openssh-5.8p1/auth-rsa.c
--- openssh-5.8p1/auth-rsa.c.audit2 2010-12-04 23:01:47.000000000 +0100
+++ openssh-5.8p1/auth-rsa.c 2011-02-09 15:53:00.000000000 +0100
+++ openssh-5.8p1/auth-rsa.c 2011-02-16 17:09:01.000000000 +0100
@@ -92,7 +92,10 @@ auth_rsa_verify_response(Key *key, BIGNU
{
u_char buf[32], mdbuf[16];
@ -242,7 +242,7 @@ diff -up openssh-5.8p1/auth-rsa.c.audit2 openssh-5.8p1/auth-rsa.c
/*
diff -up openssh-5.8p1/monitor.c.audit2 openssh-5.8p1/monitor.c
--- openssh-5.8p1/monitor.c.audit2 2010-09-10 03:23:34.000000000 +0200
+++ openssh-5.8p1/monitor.c 2011-02-09 15:50:28.000000000 +0100
+++ openssh-5.8p1/monitor.c 2011-02-16 17:09:01.000000000 +0100
@@ -1235,7 +1235,17 @@ mm_answer_keyverify(int sock, Buffer *m)
if (!valid_data)
fatal("%s: bad signature data blob", __func__);


@ -71,7 +71,7 @@
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%define openssh_ver 5.8p1
%define openssh_rel 1
%define openssh_rel 2
%define pam_ssh_agent_ver 0.9.2
%define pam_ssh_agent_rel 30
@ -96,6 +96,7 @@ Source5: pam_ssh_agent-rmheaders
Patch100: openssh-5.6p1-wIm.patch
Patch0: openssh-5.6p1-redhat.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1402
Patch1: openssh-5.8p1-audit1.patch
Patch2: openssh-5.8p1-audit2.patch
Patch3: openssh-5.8p1-audit3.patch
Patch4: openssh-5.8p1-audit4.patch
@ -283,6 +284,7 @@ The module is most useful for su and sudo service stacks.
#Do not enable by default
###%patch100 -p1 -b .wIm
%patch0 -p1 -b .redhat
%patch1 -p1 -b .audit1
%patch2 -p1 -b .audit2
%patch3 -p1 -b .audit3
%patch4 -p1 -b .audit4
@ -602,6 +604,9 @@ fi
%endif
%changelog
* Wed Feb 16 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-2 + 0.9.2-30
- improve audit of logins and auths
* Mon Feb 14 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-1 + 0.9.2-30
- bump openssh version to 5.8p1