improve audit of logins and auths
This commit is contained in:
parent
483c73337b
commit
b9127ef973
@ -1,22 +1,41 @@
|
||||
diff -up openssh-5.8p1/audit-linux.c.audit1 openssh-5.8p1/audit-linux.c
|
||||
--- openssh-5.8p1/audit-linux.c.audit1 2011-02-16 15:49:11.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-linux.c 2011-02-16 16:48:45.000000000 +0100
|
||||
--- openssh-5.8p1/audit-linux.c.audit1 2011-01-17 11:15:30.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-linux.c 2011-02-16 23:26:59.000000000 +0100
|
||||
@@ -39,8 +39,8 @@
|
||||
|
||||
const char* audit_username(void);
|
||||
|
||||
-int
|
||||
-linux_audit_record_event(int uid, const char *username,
|
||||
+static int
|
||||
+static void
|
||||
+linux_audit_user_login(int uid, const char *username,
|
||||
const char *hostname, const char *ip, const char *ttyn, int success)
|
||||
{
|
||||
int audit_fd, rc, saved_errno;
|
||||
@@ -68,13 +68,62 @@ linux_audit_record_event(int uid, const
|
||||
return (rc >= 0);
|
||||
@@ -49,9 +49,9 @@ linux_audit_record_event(int uid, const
|
||||
if (audit_fd < 0) {
|
||||
if (errno == EINVAL || errno == EPROTONOSUPPORT ||
|
||||
errno == EAFNOSUPPORT)
|
||||
- return 1; /* No audit support in kernel */
|
||||
+ return; /* No audit support in kernel */
|
||||
else
|
||||
- return 0; /* Must prevent login */
|
||||
+ goto fatal_report; /* Must prevent login */
|
||||
}
|
||||
|
||||
+static int
|
||||
rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
|
||||
NULL, "login", username ? username : "(unknown)",
|
||||
@@ -65,7 +65,62 @@ linux_audit_record_event(int uid, const
|
||||
if ((rc == -EPERM) && (geteuid() != 0))
|
||||
rc = 0;
|
||||
errno = saved_errno;
|
||||
- return (rc >= 0);
|
||||
+ if (rc < 0) {
|
||||
+fatal_report:
|
||||
+ fatal("linux_audit_write_entry failed: %s", strerror(errno));
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+static void
|
||||
+linux_audit_user_auth(int uid, const char *username,
|
||||
+ const char *hostname, const char *ip, const char *ttyn, int success, int event)
|
||||
+{
|
||||
@ -42,9 +61,9 @@ diff -up openssh-5.8p1/audit-linux.c.audit1 openssh-5.8p1/audit-linux.c
|
||||
+ if (audit_fd < 0) {
|
||||
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
|
||||
+ errno == EAFNOSUPPORT)
|
||||
+ return 1; /* No audit support in kernel */
|
||||
+ return; /* No audit support in kernel */
|
||||
+ else
|
||||
+ return 0; /* Must prevent login */
|
||||
+ goto fatal_report; /* Must prevent login */
|
||||
+ }
|
||||
+
|
||||
+ if ((event < 0) || (event > SSH_AUDIT_UNKNOWN))
|
||||
@ -62,11 +81,14 @@ diff -up openssh-5.8p1/audit-linux.c.audit1 openssh-5.8p1/audit-linux.c
|
||||
+ if ((rc == -EPERM) && (geteuid() != 0))
|
||||
+ rc = 0;
|
||||
+ errno = saved_errno;
|
||||
+ return (rc >= 0);
|
||||
+}
|
||||
+
|
||||
/* Below is the sshd audit API code */
|
||||
+ if (rc < 0) {
|
||||
+fatal_report:
|
||||
+ fatal("linux_audit_write_entry failed: %s", strerror(errno));
|
||||
+ }
|
||||
}
|
||||
|
||||
/* Below is the sshd audit API code */
|
||||
@@ -73,8 +128,8 @@ linux_audit_record_event(int uid, const
|
||||
void
|
||||
audit_connection_from(const char *host, int port)
|
||||
{
|
||||
@ -76,24 +98,29 @@ diff -up openssh-5.8p1/audit-linux.c.audit1 openssh-5.8p1/audit-linux.c
|
||||
|
||||
void
|
||||
audit_run_command(const char *command)
|
||||
@@ -85,7 +134,7 @@ audit_run_command(const char *command)
|
||||
@@ -85,9 +140,8 @@ audit_run_command(const char *command)
|
||||
void
|
||||
audit_session_open(struct logininfo *li)
|
||||
{
|
||||
- if (linux_audit_record_event(li->uid, NULL, li->hostname,
|
||||
+ if (linux_audit_user_login(li->uid, NULL, li->hostname,
|
||||
NULL, li->line, 1) == 0)
|
||||
fatal("linux_audit_write_entry failed: %s", strerror(errno));
|
||||
- NULL, li->line, 1) == 0)
|
||||
- fatal("linux_audit_write_entry failed: %s", strerror(errno));
|
||||
+ linux_audit_user_login(li->uid, NULL, li->hostname,
|
||||
+ NULL, li->line, 1);
|
||||
}
|
||||
@@ -101,10 +150,15 @@ audit_event(ssh_audit_event_t event)
|
||||
|
||||
void
|
||||
@@ -101,20 +155,33 @@ audit_event(ssh_audit_event_t event)
|
||||
{
|
||||
switch(event) {
|
||||
case SSH_AUTH_SUCCESS:
|
||||
- case SSH_CONNECTION_CLOSE:
|
||||
+ linux_audit_user_auth(-1, audit_username(), NULL,
|
||||
+ get_remote_ipaddr(), "sshd", 1, event);
|
||||
+ break;
|
||||
+
|
||||
case SSH_NOLOGIN:
|
||||
case SSH_LOGIN_EXCEED_MAXTRIES:
|
||||
- case SSH_LOGIN_EXCEED_MAXTRIES:
|
||||
case SSH_LOGIN_ROOT_DENIED:
|
||||
+ linux_audit_user_auth(-1, audit_username(), NULL,
|
||||
+ get_remote_ipaddr(), "sshd", 0, event);
|
||||
@ -101,8 +128,10 @@ diff -up openssh-5.8p1/audit-linux.c.audit1 openssh-5.8p1/audit-linux.c
|
||||
+ get_remote_ipaddr(), "sshd", 0);
|
||||
break;
|
||||
|
||||
+ case SSH_LOGIN_EXCEED_MAXTRIES:
|
||||
case SSH_AUTH_FAIL_NONE:
|
||||
@@ -113,8 +167,14 @@ audit_event(ssh_audit_event_t event)
|
||||
case SSH_AUTH_FAIL_PASSWD:
|
||||
case SSH_AUTH_FAIL_KBDINT:
|
||||
case SSH_AUTH_FAIL_PUBKEY:
|
||||
case SSH_AUTH_FAIL_HOSTBASED:
|
||||
case SSH_AUTH_FAIL_GSSAPI:
|
||||
|
@ -1,6 +1,6 @@
|
||||
diff -up openssh-5.8p1/audit-bsm.c.audit2 openssh-5.8p1/audit-bsm.c
|
||||
--- openssh-5.8p1/audit-bsm.c.audit2 2011-01-17 11:15:29.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-bsm.c 2011-02-16 17:09:00.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-bsm.c 2011-02-16 23:29:26.000000000 +0100
|
||||
@@ -316,6 +316,12 @@ audit_session_close(struct logininfo *li
|
||||
/* not implemented */
|
||||
}
|
||||
@ -16,7 +16,7 @@ diff -up openssh-5.8p1/audit-bsm.c.audit2 openssh-5.8p1/audit-bsm.c
|
||||
{
|
||||
diff -up openssh-5.8p1/audit.c.audit2 openssh-5.8p1/audit.c
|
||||
--- openssh-5.8p1/audit.c.audit2 2011-01-17 11:15:30.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.c 2011-02-16 17:09:01.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.c 2011-02-16 23:29:26.000000000 +0100
|
||||
@@ -111,6 +111,33 @@ audit_event_lookup(ssh_audit_event_t ev)
|
||||
return(event_lookup[i].name);
|
||||
}
|
||||
@ -71,7 +71,7 @@ diff -up openssh-5.8p1/audit.c.audit2 openssh-5.8p1/audit.c
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.8p1/audit.h.audit2 openssh-5.8p1/audit.h
|
||||
--- openssh-5.8p1/audit.h.audit2 2011-01-17 11:15:30.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.h 2011-02-16 17:09:01.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.h 2011-02-16 23:29:26.000000000 +0100
|
||||
@@ -28,6 +28,7 @@
|
||||
# define _SSH_AUDIT_H
|
||||
|
||||
@ -89,8 +89,8 @@ diff -up openssh-5.8p1/audit.h.audit2 openssh-5.8p1/audit.h
|
||||
|
||||
#endif /* _SSH_AUDIT_H */
|
||||
diff -up openssh-5.8p1/audit-linux.c.audit2 openssh-5.8p1/audit-linux.c
|
||||
--- openssh-5.8p1/audit-linux.c.audit2 2011-02-16 17:09:00.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-linux.c 2011-02-16 17:10:29.000000000 +0100
|
||||
--- openssh-5.8p1/audit-linux.c.audit2 2011-02-16 23:29:26.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-linux.c 2011-02-16 23:31:08.000000000 +0100
|
||||
@@ -37,6 +37,8 @@
|
||||
#include "audit.h"
|
||||
#include "canohost.h"
|
||||
@ -99,9 +99,9 @@ diff -up openssh-5.8p1/audit-linux.c.audit2 openssh-5.8p1/audit-linux.c
|
||||
+
|
||||
const char* audit_username(void);
|
||||
|
||||
static int
|
||||
@@ -117,6 +119,37 @@ linux_audit_user_auth(int uid, const cha
|
||||
return (rc >= 0);
|
||||
static void
|
||||
@@ -123,6 +125,37 @@ fatal_report:
|
||||
}
|
||||
}
|
||||
|
||||
+int
|
||||
@ -140,7 +140,7 @@ diff -up openssh-5.8p1/audit-linux.c.audit2 openssh-5.8p1/audit-linux.c
|
||||
void
|
||||
diff -up openssh-5.8p1/auth2-hostbased.c.audit2 openssh-5.8p1/auth2-hostbased.c
|
||||
--- openssh-5.8p1/auth2-hostbased.c.audit2 2010-08-05 05:04:50.000000000 +0200
|
||||
+++ openssh-5.8p1/auth2-hostbased.c 2011-02-16 17:09:01.000000000 +0100
|
||||
+++ openssh-5.8p1/auth2-hostbased.c 2011-02-16 23:29:26.000000000 +0100
|
||||
@@ -136,6 +136,18 @@ done:
|
||||
return authenticated;
|
||||
}
|
||||
@ -162,7 +162,7 @@ diff -up openssh-5.8p1/auth2-hostbased.c.audit2 openssh-5.8p1/auth2-hostbased.c
|
||||
hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
|
||||
diff -up openssh-5.8p1/auth2-pubkey.c.audit2 openssh-5.8p1/auth2-pubkey.c
|
||||
--- openssh-5.8p1/auth2-pubkey.c.audit2 2010-12-01 01:50:14.000000000 +0100
|
||||
+++ openssh-5.8p1/auth2-pubkey.c 2011-02-16 17:09:01.000000000 +0100
|
||||
+++ openssh-5.8p1/auth2-pubkey.c 2011-02-16 23:29:26.000000000 +0100
|
||||
@@ -177,6 +177,18 @@ done:
|
||||
return authenticated;
|
||||
}
|
||||
@ -184,7 +184,7 @@ diff -up openssh-5.8p1/auth2-pubkey.c.audit2 openssh-5.8p1/auth2-pubkey.c
|
||||
{
|
||||
diff -up openssh-5.8p1/auth.h.audit2 openssh-5.8p1/auth.h
|
||||
--- openssh-5.8p1/auth.h.audit2 2010-05-10 03:58:03.000000000 +0200
|
||||
+++ openssh-5.8p1/auth.h 2011-02-16 17:09:01.000000000 +0100
|
||||
+++ openssh-5.8p1/auth.h 2011-02-16 23:29:26.000000000 +0100
|
||||
@@ -170,6 +170,7 @@ void abandon_challenge_response(Authctxt
|
||||
char *authorized_keys_file(struct passwd *);
|
||||
char *authorized_keys_file2(struct passwd *);
|
||||
@ -203,7 +203,7 @@ diff -up openssh-5.8p1/auth.h.audit2 openssh-5.8p1/auth.h
|
||||
void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
|
||||
diff -up openssh-5.8p1/auth-rsa.c.audit2 openssh-5.8p1/auth-rsa.c
|
||||
--- openssh-5.8p1/auth-rsa.c.audit2 2010-12-04 23:01:47.000000000 +0100
|
||||
+++ openssh-5.8p1/auth-rsa.c 2011-02-16 17:09:01.000000000 +0100
|
||||
+++ openssh-5.8p1/auth-rsa.c 2011-02-16 23:29:26.000000000 +0100
|
||||
@@ -92,7 +92,10 @@ auth_rsa_verify_response(Key *key, BIGNU
|
||||
{
|
||||
u_char buf[32], mdbuf[16];
|
||||
@ -242,7 +242,7 @@ diff -up openssh-5.8p1/auth-rsa.c.audit2 openssh-5.8p1/auth-rsa.c
|
||||
/*
|
||||
diff -up openssh-5.8p1/monitor.c.audit2 openssh-5.8p1/monitor.c
|
||||
--- openssh-5.8p1/monitor.c.audit2 2010-09-10 03:23:34.000000000 +0200
|
||||
+++ openssh-5.8p1/monitor.c 2011-02-16 17:09:01.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor.c 2011-02-16 23:29:26.000000000 +0100
|
||||
@@ -1235,7 +1235,17 @@ mm_answer_keyverify(int sock, Buffer *m)
|
||||
if (!valid_data)
|
||||
fatal("%s: bad signature data blob", __func__);
|
||||
|
@ -71,7 +71,7 @@
|
||||
|
||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||
%define openssh_ver 5.8p1
|
||||
%define openssh_rel 2
|
||||
%define openssh_rel 3
|
||||
%define pam_ssh_agent_ver 0.9.2
|
||||
%define pam_ssh_agent_rel 30
|
||||
|
||||
@ -604,7 +604,7 @@ fi
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Feb 16 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-2 + 0.9.2-30
|
||||
* Wed Feb 16 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-3 + 0.9.2-30
|
||||
- improve audit of logins and auths
|
||||
|
||||
* Mon Feb 14 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-1 + 0.9.2-30
|
||||
|
Loading…
Reference in New Issue
Block a user