Do not attempt to pass hostnames to audit (inconsistency) (#1534577)

This commit is contained in:
Jakub Jelen 2018-01-17 10:08:26 +01:00
parent 32dc9bd1cd
commit f284c5eb83

View File

@ -310,7 +310,7 @@ diff -up openssh-7.6p1/audit.h.audit openssh-7.6p1/audit.h
diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
--- openssh-7.6p1/audit-linux.c.audit 2017-10-02 21:34:26.000000000 +0200
+++ openssh-7.6p1/audit-linux.c 2017-10-04 17:18:32.835505053 +0200
@@ -33,25 +33,38 @@
@@ -33,27 +33,40 @@
#include "log.h"
#include "audit.h"
@ -337,7 +337,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
-linux_audit_record_event(int uid, const char *username, const char *hostname,
- const char *ip, const char *ttyn, int success)
+static void
+linux_audit_user_logxxx(int uid, const char *username, const char *hostname,
+linux_audit_user_logxxx(int uid, const char *username,
+ const char *ip, const char *ttyn, int success, int event)
{
int audit_fd, rc, saved_errno;
@ -354,8 +354,11 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
- rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
+ rc = audit_log_acct_message(audit_fd, event,
NULL, "login", username ? username : "(unknown)",
username == NULL ? uid : -1, hostname, ip, ttyn, success);
- username == NULL ? uid : -1, hostname, ip, ttyn, success);
+ username == NULL ? uid : -1, NULL, ip, ttyn, success);
saved_errno = errno;
close(audit_fd);
@@ -65,9 +78,97 @@ linux_audit_record_event(int uid, const
rc = 0;
errno = saved_errno;
@ -369,7 +372,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
+
+static void
+linux_audit_user_auth(int uid, const char *username,
+ const char *hostname, const char *ip, const char *ttyn, int success, int event)
+ const char *ip, const char *ttyn, int success, int event)
+{
+ int audit_fd, rc, saved_errno;
+ static const char *event_name[] = {
@ -403,7 +406,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
+
+ rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH,
+ NULL, event_name[event], username ? username : "(unknown)",
+ username == NULL ? uid : -1, hostname, ip, ttyn, success);
+ username == NULL ? uid : -1, NULL, ip, ttyn, success);
+ saved_errno = errno;
+ close(audit_fd);
+ /*
@ -455,7 +458,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
/* Below is the sshd audit API code */
void
@@ -76,24 +177,51 @@ audit_connection_from(const char *host,
@@ -76,24 +177,55 @@ audit_connection_from(const char *host,
/* not implemented */
}
@ -465,21 +468,25 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
{
- /* not implemented */
+ if (!user_login_count++)
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, session_get_remote_name_or_ip(active_state, utmp_len, options.use_dns),
+ NULL, "ssh", 1, AUDIT_USER_LOGIN);
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, session_get_remote_name_or_ip(active_state, utmp_len, options.use_dns),
+ NULL, "ssh", 1, AUDIT_USER_START);
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
+ ssh_remote_ipaddr(active_state),
+ "ssh", 1, AUDIT_USER_LOGIN);
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
+ ssh_remote_ipaddr(active_state),
+ "ssh", 1, AUDIT_USER_START);
+ return 0;
+}
+
+void
+audit_end_command(int handle, const char *command)
+{
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, session_get_remote_name_or_ip(active_state, utmp_len, options.use_dns),
+ NULL, "ssh", 1, AUDIT_USER_END);
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
+ ssh_remote_ipaddr(active_state),
+ "ssh", 1, AUDIT_USER_END);
+ if (user_login_count && !--user_login_count)
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, session_get_remote_name_or_ip(active_state, utmp_len, options.use_dns),
+ NULL, "ssh", 1, AUDIT_USER_LOGOUT);
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
+ ssh_remote_ipaddr(active_state),
+ "ssh", 1, AUDIT_USER_LOGOUT);
+}
+
+void
@ -496,9 +503,9 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
- fatal("linux_audit_write_entry failed: %s", strerror(errno));
+ if (!user_login_count++)
+ linux_audit_user_logxxx(li->uid, NULL, li->hostname,
+ NULL, li->line, 1, AUDIT_USER_LOGIN);
+ li->line, 1, AUDIT_USER_LOGIN);
+ linux_audit_user_logxxx(li->uid, NULL, li->hostname,
+ NULL, li->line, 1, AUDIT_USER_START);
+ li->line, 1, AUDIT_USER_START);
}
void
@ -506,10 +513,10 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
{
- /* not implemented */
+ linux_audit_user_logxxx(li->uid, NULL, li->hostname,
+ NULL, li->line, 1, AUDIT_USER_END);
+ li->line, 1, AUDIT_USER_END);
+ if (user_login_count && !--user_login_count)
+ linux_audit_user_logxxx(li->uid, NULL, li->hostname,
+ NULL, li->line, 1, AUDIT_USER_LOGOUT);
+ li->line, 1, AUDIT_USER_LOGOUT);
}
void
@ -518,16 +525,16 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
switch(event) {
case SSH_AUTH_SUCCESS:
- case SSH_CONNECTION_CLOSE:
+ linux_audit_user_auth(-1, audit_username(), NULL,
+ linux_audit_user_auth(-1, audit_username(),
+ ssh_remote_ipaddr(ssh), "ssh", 1, event);
+ break;
+
case SSH_NOLOGIN:
- case SSH_LOGIN_EXCEED_MAXTRIES:
case SSH_LOGIN_ROOT_DENIED:
+ linux_audit_user_auth(-1, audit_username(), NULL,
+ linux_audit_user_auth(-1, audit_username(),
+ ssh_remote_ipaddr(ssh), "ssh", 0, event);
+ linux_audit_user_logxxx(-1, audit_username(), NULL,
+ linux_audit_user_logxxx(-1, audit_username(),
+ ssh_remote_ipaddr(ssh), "ssh", 0, AUDIT_USER_LOGIN);
break;
+ case SSH_LOGIN_EXCEED_MAXTRIES:
@ -537,7 +544,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
case SSH_AUTH_FAIL_PUBKEY:
case SSH_AUTH_FAIL_HOSTBASED:
case SSH_AUTH_FAIL_GSSAPI:
+ linux_audit_user_auth(-1, audit_username(), NULL,
+ linux_audit_user_auth(-1, audit_username(),
+ ssh_remote_ipaddr(ssh), "ssh", 0, event);
+ break;
+
@ -545,11 +552,11 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
+ if (user_login_count) {
+ while (user_login_count--)
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
+ session_get_remote_name_or_ip(ssh, utmp_len, options.use_dns),
+ NULL, "ssh", 1, AUDIT_USER_END);
+ ssh_remote_ipaddr(ssh),
+ "ssh", 1, AUDIT_USER_END);
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
+ session_get_remote_name_or_ip(ssh, utmp_len, options.use_dns),
+ NULL, "ssh", 1, AUDIT_USER_LOGOUT);
+ ssh_remote_ipaddr(ssh),
+ "ssh", 1, AUDIT_USER_LOGOUT);
+ }
+ break;
+
@ -557,7 +564,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
case SSH_INVALID_USER:
- linux_audit_record_event(-1, audit_username(), NULL,
- ssh_remote_ipaddr(ssh), "sshd", 0);
+ linux_audit_user_logxxx(-1, audit_username(), NULL,
+ linux_audit_user_logxxx(-1, audit_username(),
+ ssh_remote_ipaddr(ssh), "ssh", 0, AUDIT_USER_LOGIN);
break;
default: