diff -up openssh-5.8p1/audit-linux.c.audit1 openssh-5.8p1/audit-linux.c
--- openssh-5.8p1/audit-linux.c.audit1 2011-01-17 11:15:30.000000000 +0100
+++ openssh-5.8p1/audit-linux.c 2011-02-16 23:26:59.000000000 +0100
@@ -39,8 +39,8 @@
const char* audit_username(void);
-int
-linux_audit_record_event(int uid, const char *username,
+static void
+linux_audit_user_login(int uid, const char *username,
const char *hostname, const char *ip, const char *ttyn, int success)
{
int audit_fd, rc, saved_errno;
@@ -49,9 +49,9 @@ linux_audit_record_event(int uid, const
if (audit_fd < 0) {
if (errno == EINVAL || errno == EPROTONOSUPPORT ||
errno == EAFNOSUPPORT)
- return 1; /* No audit support in kernel */
+ return; /* No audit support in kernel */
else
- return 0; /* Must prevent login */
+ goto fatal_report; /* Must prevent login */
}
rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
NULL, "login", username ? username : "(unknown)",
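Review bot: The new `goto fatal_report;` on the audit_open() failure branch jumps forward into the body of the `if (rc < 0)` block that the next hunk adds, which is legal C but hides the open-failure exit inside a condition about the later audit_log_acct_message() result; calling `fatal()` directly at the `else`, or placing the `fatal_report:` label after the `if` block, keeps the two failure paths readable. The same construct is repeated in linux_audit_user_auth in the next hunk (its own `goto fatal_report;` and `fatal_report:` lines). The message `"linux_audit_write_entry failed: %s"` names a function that does not exist in this file and is now emitted by two different functions for two different failing calls, so the log cannot tell an audit_open() failure from an audit_log_acct_message() failure; something like `fatal("%s: audit_open failed: %s", __func__, strerror(errno))` at the open site would identify both. linux_audit_user_login's body begins and ends outside this hunk.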
@@ -65,7 +65,62 @@ linux_audit_record_event(int uid, const
if ((rc == -EPERM) && (geteuid() != 0))
rc = 0;
errno = saved_errno;
- return (rc >= 0);
+ if (rc < 0) {
+fatal_report:
+ fatal("linux_audit_write_entry failed: %s", strerror(errno));
+ }
+}
+
+static void
+linux_audit_user_auth(int uid, const char *username,
+ const char *hostname, const char *ip, const char *ttyn, int success, int event)
+{
+ int audit_fd, rc, saved_errno;
+ static const char *event_name[] = {
+ "exceed maxtries",
+ "root denied",
+ "success",
+ "none",
+ "pasword",
+ "chalenge-response",
+ "pubkey",
+ "hostbased",
+ "gssapi",
+ "invalid user",
+ "nologin",
+ "connection close",
+ "connection abandon",
+ "unknown"
+ };
+
+ audit_fd = audit_open();
+ if (audit_fd < 0) {
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+ errno == EAFNOSUPPORT)
+ return; /* No audit support in kernel */
+ else
+ goto fatal_report; /* Must prevent login */
+ }
+
+ if ((event < 0) || (event > SSH_AUDIT_UNKNOWN))
+ event = SSH_AUDIT_UNKNOWN;
+
+ rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH,
+ NULL, event_name[event], username ? username : "(unknown)",
+ username == NULL ? uid : -1, hostname, ip, ttyn, success);
+ saved_errno = errno;
+ close(audit_fd);
+ /*
+ * Do not report error if the error is EPERM and sshd is run as non
+ * root user.
+ */
+ if ((rc == -EPERM) && (geteuid() != 0))
+ rc = 0;
+ errno = saved_errno;
+ if (rc < 0) {
+fatal_report:
+ fatal("linux_audit_write_entry failed: %s", strerror(errno));
+ }
}
/* Below is the sshd audit API code */
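Review bot: Two of the op strings in the new `event_name[]` table are misspelled, `"pasword"` and `"chalenge-response"`, and because `event_name[event]` is passed as the op field of the AUDIT_USER_AUTH record, any audit rule or log search keyed on `op=password` or `op=challenge-response` will silently miss exactly those authentication failures; change them to `"password",` and `"challenge-response",`. The table is indexed directly by the ssh_audit_event_t value, so its order and length must track that enum's declaration (presumably in audit.h, not shown here), and the `event > SSH_AUDIT_UNKNOWN` bound only catches out-of-range values, not a reordered enum; a comment such as `/* Order and length must match ssh_audit_event_t in audit.h */` above the array would make that coupling explicit. The `uid` argument is only used when `username` is NULL, mirroring linux_audit_user_login, which is worth a one-line comment on both functions. linux_audit_user_login's definition begins before this hunk.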
@@ -73,8 +128,8 @@ linux_audit_record_event(int uid, const
void
audit_connection_from(const char *host, int port)
{
-}
/* not implemented */
+}
void
audit_run_command(const char *command)
@@ -85,9 +140,8 @@ audit_run_command(const char *command)
void
audit_session_open(struct logininfo *li)
{
- if (linux_audit_record_event(li->uid, NULL, li->hostname,
- NULL, li->line, 1) == 0)
- fatal("linux_audit_write_entry failed: %s", strerror(errno));
+ linux_audit_user_login(li->uid, NULL, li->hostname,
+ NULL, li->line, 1);
}
void
@@ -101,20 +155,33 @@ audit_event(ssh_audit_event_t event)
{
switch(event) {
case SSH_AUTH_SUCCESS:
- case SSH_CONNECTION_CLOSE:
+ linux_audit_user_auth(-1, audit_username(), NULL,
+ get_remote_ipaddr(), "sshd", 1, event);
+ break;
+
case SSH_NOLOGIN:
- case SSH_LOGIN_EXCEED_MAXTRIES:
case SSH_LOGIN_ROOT_DENIED:
+ linux_audit_user_auth(-1, audit_username(), NULL,
+ get_remote_ipaddr(), "sshd", 0, event);
+ linux_audit_user_login(-1, audit_username(), NULL,
+ get_remote_ipaddr(), "sshd", 0);
break;
+ case SSH_LOGIN_EXCEED_MAXTRIES:
case SSH_AUTH_FAIL_NONE:
case SSH_AUTH_FAIL_PASSWD:
case SSH_AUTH_FAIL_KBDINT:
case SSH_AUTH_FAIL_PUBKEY:
case SSH_AUTH_FAIL_HOSTBASED:
case SSH_AUTH_FAIL_GSSAPI:
+ linux_audit_user_auth(-1, audit_username(), NULL,
+ get_remote_ipaddr(), "sshd", 0, event);
+ break;
+
+ case SSH_CONNECTION_CLOSE:
+ case SSH_CONNECTION_ABANDON:
case SSH_INVALID_USER:
- linux_audit_record_event(-1, audit_username(), NULL,
+ linux_audit_user_login(-1, audit_username(), NULL,
get_remote_ipaddr(), "sshd", 0);
break;
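Review bot: SSH_CONNECTION_CLOSE and SSH_CONNECTION_ABANDON are moved out of the no-op group and now emit an AUDIT_USER_LOGIN record with success=0 through `linux_audit_user_login(-1, audit_username(), NULL, get_remote_ipaddr(), "sshd", 0);`, so if sshd raises SSH_CONNECTION_CLOSE at the normal end of an already authenticated session (the call sites are not in this patch), every successful session would also leave a failed-login audit entry, which is exactly the record a brute-force or failed-login detection rule keys on. Since the old code grouped SSH_CONNECTION_CLOSE with SSH_AUTH_SUCCESS as a no-op, this is a deliberate behavior change that deserves either a guard limiting it to the unauthenticated case or a comment at that case label, e.g. `/* Connection ended before authentication completed: record as a failed login */`. SSH_LOGIN_EXCEED_MAXTRIES likewise moves from the group that emits both a USER_AUTH and a USER_LOGIN failure to the group that emits USER_AUTH only, which looks intentional but would benefit from a one-line comment explaining why it differs from SSH_NOLOGIN and SSH_LOGIN_ROOT_DENIED. The switch's `default:` branch, if any, lies outside the hunk.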