improve audit of logins and auths

2011-02-16 23:36:59 +01:00 · 2011-02-16 23:36:59 +01:00 · b9127ef973
commit b9127ef973
parent 483c73337b
3 changed files with 65 additions and 36 deletions
--- a/openssh-5.8p1-audit1.patch
+++ b/openssh-5.8p1-audit1.patch
@ -1,22 +1,41 @@
 diff -up openssh-5.8p1/audit-linux.c.audit1 openssh-5.8p1/audit-linux.c
--- openssh-5.8p1/audit-linux.c.audit1	2011-02-16 15:49:11.000000000 +0100
-+++ openssh-5.8p1/audit-linux.c	2011-02-16 16:48:45.000000000 +0100
+--- openssh-5.8p1/audit-linux.c.audit1	2011-01-17 11:15:30.000000000 +0100
+++ openssh-5.8p1/audit-linux.c	2011-02-16 23:26:59.000000000 +0100
@@ -39,8 +39,8 @@
 
 const char* audit_username(void);
 
 -int
 -linux_audit_record_event(int uid, const char *username,
-+static int
+static void
 +linux_audit_user_login(int uid, const char *username,
     const char *hostname, const char *ip, const char *ttyn, int success)
 {
 	int audit_fd, rc, saved_errno;
-@@ -68,13 +68,62 @@ linux_audit_record_event(int uid, const 
- 	return (rc >= 0);
- }
- 
-+static int
+@@ -49,9 +49,9 @@ linux_audit_record_event(int uid, const 
+ 	if (audit_fd < 0) {
+ 		if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+ 		    errno == EAFNOSUPPORT)
+-			return 1; /* No audit support in kernel */
+			return; /* No audit support in kernel */
+ 		else
+-			return 0; /* Must prevent login */
+			goto fatal_report; /* Must prevent login */
+ 	}
+ 	rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
+ 	    NULL, "login", username ? username : "(unknown)",
+@@ -65,7 +65,62 @@ linux_audit_record_event(int uid, const 
+ 	if ((rc == -EPERM) && (geteuid() != 0))
+ 		rc = 0;
+ 	errno = saved_errno;
+-	return (rc >= 0);
+	if (rc < 0) {
+fatal_report:
+		fatal("linux_audit_write_entry failed: %s", strerror(errno));
+	}
+}
+
+static void
 +linux_audit_user_auth(int uid, const char *username,
 +    const char *hostname, const char *ip, const char *ttyn, int success, int event)
 +{
@ -42,9 +61,9 @@ diff -up openssh-5.8p1/audit-linux.c.audit1 openssh-5.8p1/audit-linux.c
 +	if (audit_fd < 0) {
 +		if (errno == EINVAL || errno == EPROTONOSUPPORT ||
 +		    errno == EAFNOSUPPORT)
-+			return 1; /* No audit support in kernel */
+			return; /* No audit support in kernel */
 +		else
-+			return 0; /* Must prevent login */
+			goto fatal_report; /* Must prevent login */
 +	}
 +	
 +	if ((event < 0) || (event > SSH_AUDIT_UNKNOWN))
@ -62,11 +81,14 @@ diff -up openssh-5.8p1/audit-linux.c.audit1 openssh-5.8p1/audit-linux.c
 +	if ((rc == -EPERM) && (geteuid() != 0))
 +		rc = 0;
 +	errno = saved_errno;
-+	return (rc >= 0);
-+}
-+
- /* Below is the sshd audit API code */
+	if (rc < 0) {
+fatal_report:
+		fatal("linux_audit_write_entry failed: %s", strerror(errno));
+	}
+ }
 
+ /* Below is the sshd audit API code */
+@@ -73,8 +128,8 @@ linux_audit_record_event(int uid, const 
 void
 audit_connection_from(const char *host, int port)
 {
@ -76,24 +98,29 @@ diff -up openssh-5.8p1/audit-linux.c.audit1 openssh-5.8p1/audit-linux.c
 
 void
 audit_run_command(const char *command)
-@@ -85,7 +134,7 @@ audit_run_command(const char *command)
+@@ -85,9 +140,8 @@ audit_run_command(const char *command)
 void
 audit_session_open(struct logininfo *li)
 {
 -	if (linux_audit_record_event(li->uid, NULL, li->hostname,
-+	if (linux_audit_user_login(li->uid, NULL, li->hostname,
- 	    NULL, li->line, 1) == 0)
- 		fatal("linux_audit_write_entry failed: %s", strerror(errno));
+-	    NULL, li->line, 1) == 0)
+-		fatal("linux_audit_write_entry failed: %s", strerror(errno));
+	linux_audit_user_login(li->uid, NULL, li->hostname,
+	    NULL, li->line, 1);
 }
-@@ -101,10 +150,15 @@ audit_event(ssh_audit_event_t event)
+ 
+ void
+@@ -101,20 +155,33 @@ audit_event(ssh_audit_event_t event)
 {
 	switch(event) {
 	case SSH_AUTH_SUCCESS:
 -	case SSH_CONNECTION_CLOSE:
+		linux_audit_user_auth(-1, audit_username(), NULL,
+			get_remote_ipaddr(), "sshd", 1, event);
 +		break;
 +
 	case SSH_NOLOGIN:
- 	case SSH_LOGIN_EXCEED_MAXTRIES:
+-	case SSH_LOGIN_EXCEED_MAXTRIES:
 	case SSH_LOGIN_ROOT_DENIED:
 +		linux_audit_user_auth(-1, audit_username(), NULL,
 +			get_remote_ipaddr(), "sshd", 0, event);
@ -101,8 +128,10 @@ diff -up openssh-5.8p1/audit-linux.c.audit1 openssh-5.8p1/audit-linux.c
 +			get_remote_ipaddr(), "sshd", 0);
 		break;
 
+	case SSH_LOGIN_EXCEED_MAXTRIES:
 	case SSH_AUTH_FAIL_NONE:
-@@ -113,8 +167,14 @@ audit_event(ssh_audit_event_t event)
+ 	case SSH_AUTH_FAIL_PASSWD:
+ 	case SSH_AUTH_FAIL_KBDINT:
 	case SSH_AUTH_FAIL_PUBKEY:
 	case SSH_AUTH_FAIL_HOSTBASED:
 	case SSH_AUTH_FAIL_GSSAPI:
--- a/openssh-5.8p1-audit2.patch
+++ b/openssh-5.8p1-audit2.patch
@ -1,6 +1,6 @@
 diff -up openssh-5.8p1/audit-bsm.c.audit2 openssh-5.8p1/audit-bsm.c
 --- openssh-5.8p1/audit-bsm.c.audit2	2011-01-17 11:15:29.000000000 +0100
-+++ openssh-5.8p1/audit-bsm.c	2011-02-16 17:09:00.000000000 +0100
+++ openssh-5.8p1/audit-bsm.c	2011-02-16 23:29:26.000000000 +0100
@@ -316,6 +316,12 @@ audit_session_close(struct logininfo *li
 	/* not implemented */
 }
@ -16,7 +16,7 @@ diff -up openssh-5.8p1/audit-bsm.c.audit2 openssh-5.8p1/audit-bsm.c
 {
 diff -up openssh-5.8p1/audit.c.audit2 openssh-5.8p1/audit.c
 --- openssh-5.8p1/audit.c.audit2	2011-01-17 11:15:30.000000000 +0100
-+++ openssh-5.8p1/audit.c	2011-02-16 17:09:01.000000000 +0100
+++ openssh-5.8p1/audit.c	2011-02-16 23:29:26.000000000 +0100
@@ -111,6 +111,33 @@ audit_event_lookup(ssh_audit_event_t ev)
 	return(event_lookup[i].name);
 }
@ -71,7 +71,7 @@ diff -up openssh-5.8p1/audit.c.audit2 openssh-5.8p1/audit.c
 #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.8p1/audit.h.audit2 openssh-5.8p1/audit.h
 --- openssh-5.8p1/audit.h.audit2	2011-01-17 11:15:30.000000000 +0100
-+++ openssh-5.8p1/audit.h	2011-02-16 17:09:01.000000000 +0100
+++ openssh-5.8p1/audit.h	2011-02-16 23:29:26.000000000 +0100
@@ -28,6 +28,7 @@
 # define _SSH_AUDIT_H
 
@ -89,8 +89,8 @@ diff -up openssh-5.8p1/audit.h.audit2 openssh-5.8p1/audit.h
 
 #endif /* _SSH_AUDIT_H */
 diff -up openssh-5.8p1/audit-linux.c.audit2 openssh-5.8p1/audit-linux.c
--- openssh-5.8p1/audit-linux.c.audit2	2011-02-16 17:09:00.000000000 +0100
-+++ openssh-5.8p1/audit-linux.c	2011-02-16 17:10:29.000000000 +0100
+--- openssh-5.8p1/audit-linux.c.audit2	2011-02-16 23:29:26.000000000 +0100
+++ openssh-5.8p1/audit-linux.c	2011-02-16 23:31:08.000000000 +0100
@@ -37,6 +37,8 @@
 #include "audit.h"
 #include "canohost.h"
@ -99,9 +99,9 @@ diff -up openssh-5.8p1/audit-linux.c.audit2 openssh-5.8p1/audit-linux.c
 +
 const char* audit_username(void);
 
- static int
-@@ -117,6 +119,37 @@ linux_audit_user_auth(int uid, const cha
- 	return (rc >= 0);
+ static void
+@@ -123,6 +125,37 @@ fatal_report:
+ 	}
 }
 
 +int
@ -140,7 +140,7 @@ diff -up openssh-5.8p1/audit-linux.c.audit2 openssh-5.8p1/audit-linux.c
 void
 diff -up openssh-5.8p1/auth2-hostbased.c.audit2 openssh-5.8p1/auth2-hostbased.c
 --- openssh-5.8p1/auth2-hostbased.c.audit2	2010-08-05 05:04:50.000000000 +0200
-+++ openssh-5.8p1/auth2-hostbased.c	2011-02-16 17:09:01.000000000 +0100
+++ openssh-5.8p1/auth2-hostbased.c	2011-02-16 23:29:26.000000000 +0100
@@ -136,6 +136,18 @@ done:
 	return authenticated;
 }
@ -162,7 +162,7 @@ diff -up openssh-5.8p1/auth2-hostbased.c.audit2 openssh-5.8p1/auth2-hostbased.c
 hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
 diff -up openssh-5.8p1/auth2-pubkey.c.audit2 openssh-5.8p1/auth2-pubkey.c
 --- openssh-5.8p1/auth2-pubkey.c.audit2	2010-12-01 01:50:14.000000000 +0100
-+++ openssh-5.8p1/auth2-pubkey.c	2011-02-16 17:09:01.000000000 +0100
+++ openssh-5.8p1/auth2-pubkey.c	2011-02-16 23:29:26.000000000 +0100
@@ -177,6 +177,18 @@ done:
 	return authenticated;
 }
@ -184,7 +184,7 @@ diff -up openssh-5.8p1/auth2-pubkey.c.audit2 openssh-5.8p1/auth2-pubkey.c
 {
 diff -up openssh-5.8p1/auth.h.audit2 openssh-5.8p1/auth.h
 --- openssh-5.8p1/auth.h.audit2	2010-05-10 03:58:03.000000000 +0200
-+++ openssh-5.8p1/auth.h	2011-02-16 17:09:01.000000000 +0100
+++ openssh-5.8p1/auth.h	2011-02-16 23:29:26.000000000 +0100
@@ -170,6 +170,7 @@ void	abandon_challenge_response(Authctxt
 char	*authorized_keys_file(struct passwd *);
 char	*authorized_keys_file2(struct passwd *);
@ -203,7 +203,7 @@ diff -up openssh-5.8p1/auth.h.audit2 openssh-5.8p1/auth.h
 void	 auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
 diff -up openssh-5.8p1/auth-rsa.c.audit2 openssh-5.8p1/auth-rsa.c
 --- openssh-5.8p1/auth-rsa.c.audit2	2010-12-04 23:01:47.000000000 +0100
-+++ openssh-5.8p1/auth-rsa.c	2011-02-16 17:09:01.000000000 +0100
+++ openssh-5.8p1/auth-rsa.c	2011-02-16 23:29:26.000000000 +0100
@@ -92,7 +92,10 @@ auth_rsa_verify_response(Key *key, BIGNU
 {
 	u_char buf[32], mdbuf[16];
@ -242,7 +242,7 @@ diff -up openssh-5.8p1/auth-rsa.c.audit2 openssh-5.8p1/auth-rsa.c
 /*
 diff -up openssh-5.8p1/monitor.c.audit2 openssh-5.8p1/monitor.c
 --- openssh-5.8p1/monitor.c.audit2	2010-09-10 03:23:34.000000000 +0200
-+++ openssh-5.8p1/monitor.c	2011-02-16 17:09:01.000000000 +0100
+++ openssh-5.8p1/monitor.c	2011-02-16 23:29:26.000000000 +0100
@@ -1235,7 +1235,17 @@ mm_answer_keyverify(int sock, Buffer *m)
 	if (!valid_data)
 		fatal("%s: bad signature data blob", __func__);
--- a/openssh.spec
+++ b/openssh.spec
@ -71,7 +71,7 @@

 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %define openssh_ver 5.8p1
-%define openssh_rel 2
+%define openssh_rel 3
 %define pam_ssh_agent_ver 0.9.2
 %define pam_ssh_agent_rel 30

@ -604,7 +604,7 @@ fi
 %endif

 %changelog
-* Wed Feb 16 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-2 + 0.9.2-30
+* Wed Feb 16 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-3 + 0.9.2-30
 - improve audit of logins and auths

 * Mon Feb 14 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-1 + 0.9.2-30