diff -up openssh-5.8p1/audit-linux.c.audit1a openssh-5.8p1/audit-linux.c
--- openssh-5.8p1/audit-linux.c.audit1a 2011-02-21 18:14:37.000000000 +0100
+++ openssh-5.8p1/audit-linux.c 2011-02-21 18:17:33.000000000 +0100
@@ -35,13 +35,20 @@
#include "log.h"
#include "audit.h"
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
+#include "servconf.h"
#include "canohost.h"
+extern ServerOptions options;
+extern Authctxt *the_authctxt;
+extern u_int utmp_len;
const char* audit_username(void);
static void
-linux_audit_user_login(int uid, const char *username,
- const char *hostname, const char *ip, const char *ttyn, int success)
+linux_audit_user_logxxx(int uid, const char *username,
+ const char *hostname, const char *ip, const char *ttyn, int success, int event)
{
int audit_fd, rc, saved_errno;
@@ -53,7 +60,7 @@ linux_audit_user_login(int uid, const ch
else
goto fatal_report; /* Must prevent login */
}
- rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
+ rc = audit_log_acct_message(audit_fd, event,
NULL, "login", username ? username : "(unknown)",
username == NULL ? uid : -1, hostname, ip, ttyn, success);
saved_errno = errno;
@@ -77,19 +84,19 @@ linux_audit_user_auth(int uid, const cha
{
int audit_fd, rc, saved_errno;
static const char *event_name[] = {
- "exceed maxtries",
+ "maxtries exceeded",
"root denied",
"success",
"none",
- "pasword",
- "chalenge-response",
+ "password",
+ "challenge-response",
"pubkey",
"hostbased",
"gssapi",
"invalid user",
"nologin",
- "connection close",
- "connection abandon",
+ "connection closed",
+ "connection abandoned",
"unknown"
};
@@ -123,6 +130,8 @@ fatal_report:
}
}
+static int user_login_count = 0;
+
/* Below is the sshd audit API code */
void
@@ -134,20 +143,31 @@ audit_connection_from(const char *host,
void
audit_run_command(const char *command)
{
- /* not implemented */
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
+ NULL, "ssh", 1, AUDIT_USER_START);
+ if (!user_login_count++)
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
+ NULL, "ssh", 1, AUDIT_USER_LOGIN);
}
void
audit_session_open(struct logininfo *li)
{
- linux_audit_user_login(li->uid, NULL, li->hostname,
- NULL, li->line, 1);
+ linux_audit_user_logxxx(li->uid, NULL, li->hostname,
+ NULL, li->line, 1, AUDIT_USER_START);
+ if (!user_login_count++)
+ linux_audit_user_logxxx(li->uid, NULL, li->hostname,
+ NULL, li->line, 1, AUDIT_USER_LOGIN);
}
void
audit_session_close(struct logininfo *li)
{
- /* not implemented */
+ linux_audit_user_logxxx(li->uid, NULL, li->hostname,
+ NULL, li->line, 1, AUDIT_USER_END);
+ if (!--user_login_count)
+ linux_audit_user_logxxx(li->uid, NULL, li->hostname,
+ NULL, li->line, 1, AUDIT_USER_LOGOUT);
}
void
@@ -163,8 +183,8 @@ audit_event(ssh_audit_event_t event)
case SSH_LOGIN_ROOT_DENIED:
linux_audit_user_auth(-1, audit_username(), NULL,
get_remote_ipaddr(), "sshd", 0, event);
- linux_audit_user_login(-1, audit_username(), NULL,
- get_remote_ipaddr(), "sshd", 0);
+ linux_audit_user_logxxx(-1, audit_username(), NULL,
+ get_remote_ipaddr(), "sshd", 0, AUDIT_USER_LOGIN);
break;
case SSH_LOGIN_EXCEED_MAXTRIES:
@@ -181,8 +201,8 @@ audit_event(ssh_audit_event_t event)
case SSH_CONNECTION_CLOSE:
case SSH_CONNECTION_ABANDON:
case SSH_INVALID_USER:
- linux_audit_user_login(-1, audit_username(), NULL,
- get_remote_ipaddr(), "sshd", 0);
+ linux_audit_user_logxxx(-1, audit_username(), NULL,
+ get_remote_ipaddr(), "sshd", 0, AUDIT_USER_LOGIN);
break;
default: