Correctly audit hostname and IP address

Resolves: RHEL-22316

Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
This commit is contained in:
Zoltan Fridrich 2024-05-02 16:12:31 +02:00
parent 03eff3f0f1
commit 7fedb4cdc0
2 changed files with 114 additions and 1 deletions

View File

@ -0,0 +1,106 @@
diff --color -ruNp a/audit-linux.c b/audit-linux.c
--- a/audit-linux.c 2024-05-09 12:38:08.843017319 +0200
+++ b/audit-linux.c 2024-05-09 12:47:05.162267634 +0200
@@ -52,7 +52,7 @@ extern u_int utmp_len;
const char *audit_username(void);
static void
-linux_audit_user_logxxx(int uid, const char *username,
+linux_audit_user_logxxx(int uid, const char *username, const char *hostname,
const char *ip, const char *ttyn, int success, int event)
{
int audit_fd, rc, saved_errno;
@@ -66,7 +66,7 @@ linux_audit_user_logxxx(int uid, const c
}
rc = audit_log_acct_message(audit_fd, event,
NULL, "login", username ? username : "(unknown)",
- username == NULL ? uid : -1, NULL, ip, ttyn, success);
+ username == NULL ? uid : -1, hostname, ip, ttyn, success);
saved_errno = errno;
close(audit_fd);
@@ -181,9 +181,11 @@ audit_run_command(struct ssh *ssh, const
{
if (!user_login_count++)
linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
+ options.use_dns ? remote_hostname(ssh) : NULL,
ssh_remote_ipaddr(ssh),
"ssh", 1, AUDIT_USER_LOGIN);
linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
+ options.use_dns ? remote_hostname(ssh) : NULL,
ssh_remote_ipaddr(ssh),
"ssh", 1, AUDIT_USER_START);
return 0;
@@ -193,10 +195,12 @@ void
audit_end_command(struct ssh *ssh, int handle, const char *command)
{
linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
+ options.use_dns ? remote_hostname(ssh) : NULL,
ssh_remote_ipaddr(ssh),
"ssh", 1, AUDIT_USER_END);
if (user_login_count && !--user_login_count)
linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
+ options.use_dns ? remote_hostname(ssh) : NULL,
ssh_remote_ipaddr(ssh),
"ssh", 1, AUDIT_USER_LOGOUT);
}
@@ -211,19 +215,27 @@ void
audit_session_open(struct logininfo *li)
{
if (!user_login_count++)
- linux_audit_user_logxxx(li->uid, NULL, li->hostname,
+ linux_audit_user_logxxx(li->uid, NULL,
+ options.use_dns ? li->hostname : NULL,
+ options.use_dns ? NULL : li->hostname,
li->line, 1, AUDIT_USER_LOGIN);
- linux_audit_user_logxxx(li->uid, NULL, li->hostname,
+ linux_audit_user_logxxx(li->uid, NULL,
+ options.use_dns ? li->hostname : NULL,
+ options.use_dns ? NULL : li->hostname,
li->line, 1, AUDIT_USER_START);
}
void
audit_session_close(struct logininfo *li)
{
- linux_audit_user_logxxx(li->uid, NULL, li->hostname,
+ linux_audit_user_logxxx(li->uid, NULL,
+ options.use_dns ? li->hostname : NULL,
+ options.use_dns ? NULL : li->hostname,
li->line, 1, AUDIT_USER_END);
if (user_login_count && !--user_login_count)
- linux_audit_user_logxxx(li->uid, NULL, li->hostname,
+ linux_audit_user_logxxx(li->uid, NULL,
+ options.use_dns ? li->hostname : NULL,
+ options.use_dns ? NULL : li->hostname,
li->line, 1, AUDIT_USER_LOGOUT);
}
@@ -236,6 +248,7 @@ audit_event(struct ssh *ssh, ssh_audit_e
linux_audit_user_auth(-1, audit_username(),
ssh_remote_ipaddr(ssh), "ssh", 0, event);
linux_audit_user_logxxx(-1, audit_username(),
+ options.use_dns ? remote_hostname(ssh) : NULL,
ssh_remote_ipaddr(ssh), "ssh", 0, AUDIT_USER_LOGIN);
break;
case SSH_AUTH_FAIL_PASSWD:
@@ -254,9 +267,11 @@ audit_event(struct ssh *ssh, ssh_audit_e
if (user_login_count) {
while (user_login_count--)
linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
+ options.use_dns ? remote_hostname(ssh) : NULL,
ssh_remote_ipaddr(ssh),
"ssh", 1, AUDIT_USER_END);
linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
+ options.use_dns ? remote_hostname(ssh) : NULL,
ssh_remote_ipaddr(ssh),
"ssh", 1, AUDIT_USER_LOGOUT);
}
@@ -265,6 +280,7 @@ audit_event(struct ssh *ssh, ssh_audit_e
case SSH_CONNECTION_ABANDON:
case SSH_INVALID_USER:
linux_audit_user_logxxx(-1, audit_username(),
+ options.use_dns ? remote_hostname(ssh) : NULL,
ssh_remote_ipaddr(ssh), "ssh", 0, AUDIT_USER_LOGIN);
break;
default:

View File

@ -47,7 +47,7 @@
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%global openssh_ver 8.7p1 %global openssh_ver 8.7p1
%global openssh_rel 39 %global openssh_rel 40
%global pam_ssh_agent_ver 0.10.4 %global pam_ssh_agent_ver 0.10.4
%global pam_ssh_agent_rel 5 %global pam_ssh_agent_rel 5
@ -84,6 +84,8 @@ Patch100: openssh-6.7p1-coverity.patch
Patch200: openssh-7.6p1-audit.patch Patch200: openssh-7.6p1-audit.patch
# Audit race condition in forked child (#1310684) # Audit race condition in forked child (#1310684)
Patch201: openssh-7.1p2-audit-race-condition.patch Patch201: openssh-7.1p2-audit-race-condition.patch
# Correctly audit hostname and IP address
Patch202: openssh-8.7p1-audit-hostname.patch
# --- pam_ssh-agent --- # --- pam_ssh-agent ---
# make it build reusing the openssh sources # make it build reusing the openssh sources
@ -484,6 +486,7 @@ popd
%patch200 -p1 -b .audit %patch200 -p1 -b .audit
%patch201 -p1 -b .audit-race %patch201 -p1 -b .audit-race
%patch202 -p1 -b .audit-hostname
%patch700 -p1 -b .fips %patch700 -p1 -b .fips
%patch1000 -p1 -b .minimize-sha1-use %patch1000 -p1 -b .minimize-sha1-use
@ -798,6 +801,10 @@ test -f %{sysconfig_anaconda} && \
%endif %endif
%changelog %changelog
* Thu May 02 2024 Zoltan Fridrich <zfridric@redhat.com> - 8.7p1-40
- Correctly audit hostname and IP address
Resolves: RHEL-22316
* Wed Apr 24 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-39 * Wed Apr 24 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-39
- Use FIPS-compatible API for key derivation - Use FIPS-compatible API for key derivation
Resolves: RHEL-32809 Resolves: RHEL-32809