improve audit of logins and auths

openssh-5.8p1-audit1.patch

@@ -1,22 +1,41 @@
 diff -up openssh-5.8p1/audit-linux.c.audit1 openssh-5.8p1/audit-linux.c
---- openssh-5.8p1/audit-linux.c.audit1	2011-02-16 15:49:11.000000000 +0100
+--- openssh-5.8p1/audit-linux.c.audit1	2011-01-17 11:15:30.000000000 +0100
-+++ openssh-5.8p1/audit-linux.c	2011-02-16 16:48:45.000000000 +0100
++++ openssh-5.8p1/audit-linux.c	2011-02-16 23:26:59.000000000 +0100
 @@ -39,8 +39,8 @@
  
  const char* audit_username(void);
  
 -int
 -linux_audit_record_event(int uid, const char *username,
-+static int
++static void
 +linux_audit_user_login(int uid, const char *username,
      const char *hostname, const char *ip, const char *ttyn, int success)
  {
  	int audit_fd, rc, saved_errno;
-@@ -68,13 +68,62 @@ linux_audit_record_event(int uid, const 
+@@ -49,9 +49,9 @@ linux_audit_record_event(int uid, const 
- 	return (rc >= 0);
+ 	if (audit_fd < 0) {
- }
+ 		if (errno == EINVAL || errno == EPROTONOSUPPORT ||
- 
+ 		    errno == EAFNOSUPPORT)
-+static int
+-			return 1; /* No audit support in kernel */
++			return; /* No audit support in kernel */
+ 		else
+-			return 0; /* Must prevent login */
++			goto fatal_report; /* Must prevent login */
+ 	}
+ 	rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
+ 	    NULL, "login", username ? username : "(unknown)",
+@@ -65,7 +65,62 @@ linux_audit_record_event(int uid, const 
+ 	if ((rc == -EPERM) && (geteuid() != 0))
+ 		rc = 0;
+ 	errno = saved_errno;
+-	return (rc >= 0);
++	if (rc < 0) {
++fatal_report:
++		fatal("linux_audit_write_entry failed: %s", strerror(errno));
++	}
++}
++
++static void
 +linux_audit_user_auth(int uid, const char *username,
 +    const char *hostname, const char *ip, const char *ttyn, int success, int event)
 +{
@@ -42,9 +61,9 @@ diff -up openssh-5.8p1/audit-linux.c.audit1 openssh-5.8p1/audit-linux.c
 +	if (audit_fd < 0) {
 +		if (errno == EINVAL || errno == EPROTONOSUPPORT ||
 +		    errno == EAFNOSUPPORT)
-+			return 1; /* No audit support in kernel */
++			return; /* No audit support in kernel */
 +		else
-+			return 0; /* Must prevent login */
++			goto fatal_report; /* Must prevent login */
 +	}
 +	
 +	if ((event < 0) || (event > SSH_AUDIT_UNKNOWN))
@@ -62,11 +81,14 @@ diff -up openssh-5.8p1/audit-linux.c.audit1 openssh-5.8p1/audit-linux.c
 +	if ((rc == -EPERM) && (geteuid() != 0))
 +		rc = 0;
 +	errno = saved_errno;
-+	return (rc >= 0);
++	if (rc < 0) {
-+}
++fatal_report:
-+
++		fatal("linux_audit_write_entry failed: %s", strerror(errno));
- /* Below is the sshd audit API code */
++	}
+ }
  
+ /* Below is the sshd audit API code */
+@@ -73,8 +128,8 @@ linux_audit_record_event(int uid, const 
  void
  audit_connection_from(const char *host, int port)
  {
@@ -76,24 +98,29 @@ diff -up openssh-5.8p1/audit-linux.c.audit1 openssh-5.8p1/audit-linux.c
  
  void
  audit_run_command(const char *command)
-@@ -85,7 +134,7 @@ audit_run_command(const char *command)
+@@ -85,9 +140,8 @@ audit_run_command(const char *command)
  void
  audit_session_open(struct logininfo *li)
  {
 -	if (linux_audit_record_event(li->uid, NULL, li->hostname,
-+	if (linux_audit_user_login(li->uid, NULL, li->hostname,
+-	    NULL, li->line, 1) == 0)
- 	    NULL, li->line, 1) == 0)
+-		fatal("linux_audit_write_entry failed: %s", strerror(errno));
- 		fatal("linux_audit_write_entry failed: %s", strerror(errno));
++	linux_audit_user_login(li->uid, NULL, li->hostname,
++	    NULL, li->line, 1);
  }
-@@ -101,10 +150,15 @@ audit_event(ssh_audit_event_t event)
+ 
+ void
+@@ -101,20 +155,33 @@ audit_event(ssh_audit_event_t event)
  {
  	switch(event) {
  	case SSH_AUTH_SUCCESS:
 -	case SSH_CONNECTION_CLOSE:
++		linux_audit_user_auth(-1, audit_username(), NULL,
++			get_remote_ipaddr(), "sshd", 1, event);
 +		break;
 +
  	case SSH_NOLOGIN:
- 	case SSH_LOGIN_EXCEED_MAXTRIES:
+-	case SSH_LOGIN_EXCEED_MAXTRIES:
  	case SSH_LOGIN_ROOT_DENIED:
 +		linux_audit_user_auth(-1, audit_username(), NULL,
 +			get_remote_ipaddr(), "sshd", 0, event);
@@ -101,8 +128,10 @@ diff -up openssh-5.8p1/audit-linux.c.audit1 openssh-5.8p1/audit-linux.c
 +			get_remote_ipaddr(), "sshd", 0);
  		break;
  
++	case SSH_LOGIN_EXCEED_MAXTRIES:
  	case SSH_AUTH_FAIL_NONE:
-@@ -113,8 +167,14 @@ audit_event(ssh_audit_event_t event)
+ 	case SSH_AUTH_FAIL_PASSWD:
+ 	case SSH_AUTH_FAIL_KBDINT:
  	case SSH_AUTH_FAIL_PUBKEY:
  	case SSH_AUTH_FAIL_HOSTBASED:
  	case SSH_AUTH_FAIL_GSSAPI:

openssh-5.8p1-audit2.patch

@@ -1,6 +1,6 @@
 diff -up openssh-5.8p1/audit-bsm.c.audit2 openssh-5.8p1/audit-bsm.c
 --- openssh-5.8p1/audit-bsm.c.audit2	2011-01-17 11:15:29.000000000 +0100
-+++ openssh-5.8p1/audit-bsm.c	2011-02-16 17:09:00.000000000 +0100
++++ openssh-5.8p1/audit-bsm.c	2011-02-16 23:29:26.000000000 +0100
 @@ -316,6 +316,12 @@ audit_session_close(struct logininfo *li
  	/* not implemented */
  }
@@ -16,7 +16,7 @@ diff -up openssh-5.8p1/audit-bsm.c.audit2 openssh-5.8p1/audit-bsm.c
  {
 diff -up openssh-5.8p1/audit.c.audit2 openssh-5.8p1/audit.c
 --- openssh-5.8p1/audit.c.audit2	2011-01-17 11:15:30.000000000 +0100
-+++ openssh-5.8p1/audit.c	2011-02-16 17:09:01.000000000 +0100
++++ openssh-5.8p1/audit.c	2011-02-16 23:29:26.000000000 +0100
 @@ -111,6 +111,33 @@ audit_event_lookup(ssh_audit_event_t ev)
  	return(event_lookup[i].name);
  }
@@ -71,7 +71,7 @@ diff -up openssh-5.8p1/audit.c.audit2 openssh-5.8p1/audit.c
  #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.8p1/audit.h.audit2 openssh-5.8p1/audit.h
 --- openssh-5.8p1/audit.h.audit2	2011-01-17 11:15:30.000000000 +0100
-+++ openssh-5.8p1/audit.h	2011-02-16 17:09:01.000000000 +0100
++++ openssh-5.8p1/audit.h	2011-02-16 23:29:26.000000000 +0100
 @@ -28,6 +28,7 @@
  # define _SSH_AUDIT_H
  
@@ -89,8 +89,8 @@ diff -up openssh-5.8p1/audit.h.audit2 openssh-5.8p1/audit.h
  
  #endif /* _SSH_AUDIT_H */
 diff -up openssh-5.8p1/audit-linux.c.audit2 openssh-5.8p1/audit-linux.c
---- openssh-5.8p1/audit-linux.c.audit2	2011-02-16 17:09:00.000000000 +0100
+--- openssh-5.8p1/audit-linux.c.audit2	2011-02-16 23:29:26.000000000 +0100
-+++ openssh-5.8p1/audit-linux.c	2011-02-16 17:10:29.000000000 +0100
++++ openssh-5.8p1/audit-linux.c	2011-02-16 23:31:08.000000000 +0100
 @@ -37,6 +37,8 @@
  #include "audit.h"
  #include "canohost.h"
@@ -99,9 +99,9 @@ diff -up openssh-5.8p1/audit-linux.c.audit2 openssh-5.8p1/audit-linux.c
 +
  const char* audit_username(void);
  
- static int
+ static void
-@@ -117,6 +119,37 @@ linux_audit_user_auth(int uid, const cha
+@@ -123,6 +125,37 @@ fatal_report:
- 	return (rc >= 0);
+ 	}
  }
  
 +int
@@ -140,7 +140,7 @@ diff -up openssh-5.8p1/audit-linux.c.audit2 openssh-5.8p1/audit-linux.c
  void
 diff -up openssh-5.8p1/auth2-hostbased.c.audit2 openssh-5.8p1/auth2-hostbased.c
 --- openssh-5.8p1/auth2-hostbased.c.audit2	2010-08-05 05:04:50.000000000 +0200
-+++ openssh-5.8p1/auth2-hostbased.c	2011-02-16 17:09:01.000000000 +0100
++++ openssh-5.8p1/auth2-hostbased.c	2011-02-16 23:29:26.000000000 +0100
 @@ -136,6 +136,18 @@ done:
  	return authenticated;
  }
@@ -162,7 +162,7 @@ diff -up openssh-5.8p1/auth2-hostbased.c.audit2 openssh-5.8p1/auth2-hostbased.c
  hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
 diff -up openssh-5.8p1/auth2-pubkey.c.audit2 openssh-5.8p1/auth2-pubkey.c
 --- openssh-5.8p1/auth2-pubkey.c.audit2	2010-12-01 01:50:14.000000000 +0100
-+++ openssh-5.8p1/auth2-pubkey.c	2011-02-16 17:09:01.000000000 +0100
++++ openssh-5.8p1/auth2-pubkey.c	2011-02-16 23:29:26.000000000 +0100
 @@ -177,6 +177,18 @@ done:
  	return authenticated;
  }
@@ -184,7 +184,7 @@ diff -up openssh-5.8p1/auth2-pubkey.c.audit2 openssh-5.8p1/auth2-pubkey.c
  {
 diff -up openssh-5.8p1/auth.h.audit2 openssh-5.8p1/auth.h
 --- openssh-5.8p1/auth.h.audit2	2010-05-10 03:58:03.000000000 +0200
-+++ openssh-5.8p1/auth.h	2011-02-16 17:09:01.000000000 +0100
++++ openssh-5.8p1/auth.h	2011-02-16 23:29:26.000000000 +0100
 @@ -170,6 +170,7 @@ void	abandon_challenge_response(Authctxt
  char	*authorized_keys_file(struct passwd *);
  char	*authorized_keys_file2(struct passwd *);
@@ -203,7 +203,7 @@ diff -up openssh-5.8p1/auth.h.audit2 openssh-5.8p1/auth.h
  void	 auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
 diff -up openssh-5.8p1/auth-rsa.c.audit2 openssh-5.8p1/auth-rsa.c
 --- openssh-5.8p1/auth-rsa.c.audit2	2010-12-04 23:01:47.000000000 +0100
-+++ openssh-5.8p1/auth-rsa.c	2011-02-16 17:09:01.000000000 +0100
++++ openssh-5.8p1/auth-rsa.c	2011-02-16 23:29:26.000000000 +0100
 @@ -92,7 +92,10 @@ auth_rsa_verify_response(Key *key, BIGNU
  {
  	u_char buf[32], mdbuf[16];
@@ -242,7 +242,7 @@ diff -up openssh-5.8p1/auth-rsa.c.audit2 openssh-5.8p1/auth-rsa.c
  /*
 diff -up openssh-5.8p1/monitor.c.audit2 openssh-5.8p1/monitor.c
 --- openssh-5.8p1/monitor.c.audit2	2010-09-10 03:23:34.000000000 +0200
-+++ openssh-5.8p1/monitor.c	2011-02-16 17:09:01.000000000 +0100
++++ openssh-5.8p1/monitor.c	2011-02-16 23:29:26.000000000 +0100
 @@ -1235,7 +1235,17 @@ mm_answer_keyverify(int sock, Buffer *m)
  	if (!valid_data)
  		fatal("%s: bad signature data blob", __func__);

openssh.spec

@@ -71,7 +71,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %define openssh_ver 5.8p1
-%define openssh_rel 2
+%define openssh_rel 3
 %define pam_ssh_agent_ver 0.9.2
 %define pam_ssh_agent_rel 30
 
@@ -604,7 +604,7 @@ fi
 %endif
 
 %changelog
-* Wed Feb 16 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-2 + 0.9.2-30
+* Wed Feb 16 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-3 + 0.9.2-30
 - improve audit of logins and auths
 
 * Mon Feb 14 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-1 + 0.9.2-30