improve audit of logins and auths

2011-02-16 17:30:51 +01:00 · 2011-02-16 17:30:51 +01:00 · 483c73337b
parent 003cb0b27f
commit 483c73337b
3 changed files with 138 additions and 13 deletions
--- a/openssh-5.8p1-audit1.patch
+++ b/openssh-5.8p1-audit1.patch
@ -0,0 +1,120 @@
+diff -up openssh-5.8p1/audit-linux.c.audit1 openssh-5.8p1/audit-linux.c
+--- openssh-5.8p1/audit-linux.c.audit1	2011-02-16 15:49:11.000000000 +0100
+++ openssh-5.8p1/audit-linux.c	2011-02-16 16:48:45.000000000 +0100
+@@ -39,8 +39,8 @@
+ 
+ const char* audit_username(void);
+ 
+-int
+-linux_audit_record_event(int uid, const char *username,
+static int
+linux_audit_user_login(int uid, const char *username,
+     const char *hostname, const char *ip, const char *ttyn, int success)
+ {
+ 	int audit_fd, rc, saved_errno;
+@@ -68,13 +68,62 @@ linux_audit_record_event(int uid, const 
+ 	return (rc >= 0);
+ }
+ 
+static int
+linux_audit_user_auth(int uid, const char *username,
+    const char *hostname, const char *ip, const char *ttyn, int success, int event)
+{
+	int audit_fd, rc, saved_errno;
+	static const char *event_name[] = {
+		"exceed maxtries",
+		"root denied",
+		"success",
+		"none",
+		"paasword",
+		"chalenge-response",
+		"pubkey",
+		"hostbased",
+		"gssapi",
+		"invalid user",
+		"nologin",
+		"connection close",
+		"connection abandon",
+		"unknown"
+	};
+
+	audit_fd = audit_open();
+	if (audit_fd < 0) {
+		if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+		    errno == EAFNOSUPPORT)
+			return 1; /* No audit support in kernel */
+		else
+			return 0; /* Must prevent login */
+	}
+	
+	if ((event < 0) || (event > SSH_AUDIT_UNKNOWN))
+		event = SSH_AUDIT_UNKNOWN;
+
+	rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH,
+	    NULL, event_name[event], username ? username : "(unknown)",
+	    username == NULL ? uid : -1, hostname, ip, ttyn, success);
+	saved_errno = errno;
+	close(audit_fd);
+	/*
+	 * Do not report error if the error is EPERM and sshd is run as non
+	 * root user.
+	 */
+	if ((rc == -EPERM) && (geteuid() != 0))
+		rc = 0;
+	errno = saved_errno;
+	return (rc >= 0);
+}
+
+ /* Below is the sshd audit API code */
+ 
+ void
+ audit_connection_from(const char *host, int port)
+ {
+-}
+ 	/* not implemented */
+}
+ 
+ void
+ audit_run_command(const char *command)
+@@ -85,7 +134,7 @@ audit_run_command(const char *command)
+ void
+ audit_session_open(struct logininfo *li)
+ {
+-	if (linux_audit_record_event(li->uid, NULL, li->hostname,
+	if (linux_audit_user_login(li->uid, NULL, li->hostname,
+ 	    NULL, li->line, 1) == 0)
+ 		fatal("linux_audit_write_entry failed: %s", strerror(errno));
+ }
+@@ -101,10 +150,15 @@ audit_event(ssh_audit_event_t event)
+ {
+ 	switch(event) {
+ 	case SSH_AUTH_SUCCESS:
+-	case SSH_CONNECTION_CLOSE:
+		break;
+
+ 	case SSH_NOLOGIN:
+ 	case SSH_LOGIN_EXCEED_MAXTRIES:
+ 	case SSH_LOGIN_ROOT_DENIED:
+		linux_audit_user_auth(-1, audit_username(), NULL,
+			get_remote_ipaddr(), "sshd", 0, event);
+		linux_audit_user_login(-1, audit_username(), NULL,
+			get_remote_ipaddr(), "sshd", 0);
+ 		break;
+ 
+ 	case SSH_AUTH_FAIL_NONE:
+@@ -113,8 +167,14 @@ audit_event(ssh_audit_event_t event)
+ 	case SSH_AUTH_FAIL_PUBKEY:
+ 	case SSH_AUTH_FAIL_HOSTBASED:
+ 	case SSH_AUTH_FAIL_GSSAPI:
+		linux_audit_user_auth(-1, audit_username(), NULL,
+			get_remote_ipaddr(), "sshd", 0, event);
+		break;
+
+	case SSH_CONNECTION_CLOSE:
+	case SSH_CONNECTION_ABANDON:
+ 	case SSH_INVALID_USER:
+-		linux_audit_record_event(-1, audit_username(), NULL,
+		linux_audit_user_login(-1, audit_username(), NULL,
+ 			get_remote_ipaddr(), "sshd", 0);
+ 		break;
+ 
--- a/openssh-5.8p1-audit2.patch
+++ b/openssh-5.8p1-audit2.patch
@ -1,6 +1,6 @@
 diff -up openssh-5.8p1/audit-bsm.c.audit2 openssh-5.8p1/audit-bsm.c
 --- openssh-5.8p1/audit-bsm.c.audit2	2011-01-17 11:15:29.000000000 +0100
-+++ openssh-5.8p1/audit-bsm.c	2011-02-09 15:50:28.000000000 +0100
+++ openssh-5.8p1/audit-bsm.c	2011-02-16 17:09:00.000000000 +0100
@@ -316,6 +316,12 @@ audit_session_close(struct logininfo *li
 	/* not implemented */
 }
@ -16,7 +16,7 @@ diff -up openssh-5.8p1/audit-bsm.c.audit2 openssh-5.8p1/audit-bsm.c
 {
 diff -up openssh-5.8p1/audit.c.audit2 openssh-5.8p1/audit.c
 --- openssh-5.8p1/audit.c.audit2	2011-01-17 11:15:30.000000000 +0100
-+++ openssh-5.8p1/audit.c	2011-02-09 15:50:28.000000000 +0100
+++ openssh-5.8p1/audit.c	2011-02-16 17:09:01.000000000 +0100
@@ -111,6 +111,33 @@ audit_event_lookup(ssh_audit_event_t ev)
 	return(event_lookup[i].name);
 }
@ -71,7 +71,7 @@ diff -up openssh-5.8p1/audit.c.audit2 openssh-5.8p1/audit.c
 #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.8p1/audit.h.audit2 openssh-5.8p1/audit.h
 --- openssh-5.8p1/audit.h.audit2	2011-01-17 11:15:30.000000000 +0100
-+++ openssh-5.8p1/audit.h	2011-02-09 15:50:28.000000000 +0100
+++ openssh-5.8p1/audit.h	2011-02-16 17:09:01.000000000 +0100
@@ -28,6 +28,7 @@
 # define _SSH_AUDIT_H
 
@ -89,8 +89,8 @@ diff -up openssh-5.8p1/audit.h.audit2 openssh-5.8p1/audit.h
 
 #endif /* _SSH_AUDIT_H */
 diff -up openssh-5.8p1/audit-linux.c.audit2 openssh-5.8p1/audit-linux.c
--- openssh-5.8p1/audit-linux.c.audit2	2011-01-17 11:15:30.000000000 +0100
-+++ openssh-5.8p1/audit-linux.c	2011-02-09 15:51:45.000000000 +0100
+--- openssh-5.8p1/audit-linux.c.audit2	2011-02-16 17:09:00.000000000 +0100
+++ openssh-5.8p1/audit-linux.c	2011-02-16 17:10:29.000000000 +0100
@@ -37,6 +37,8 @@
 #include "audit.h"
 #include "canohost.h"
@ -99,8 +99,8 @@ diff -up openssh-5.8p1/audit-linux.c.audit2 openssh-5.8p1/audit-linux.c
 +
 const char* audit_username(void);
 
- int
-@@ -68,6 +70,37 @@ linux_audit_record_event(int uid, const 
+ static int
+@@ -117,6 +119,37 @@ linux_audit_user_auth(int uid, const cha
 	return (rc >= 0);
 }
 
@ -140,7 +140,7 @@ diff -up openssh-5.8p1/audit-linux.c.audit2 openssh-5.8p1/audit-linux.c
 void
 diff -up openssh-5.8p1/auth2-hostbased.c.audit2 openssh-5.8p1/auth2-hostbased.c
 --- openssh-5.8p1/auth2-hostbased.c.audit2	2010-08-05 05:04:50.000000000 +0200
-+++ openssh-5.8p1/auth2-hostbased.c	2011-02-09 15:50:28.000000000 +0100
+++ openssh-5.8p1/auth2-hostbased.c	2011-02-16 17:09:01.000000000 +0100
@@ -136,6 +136,18 @@ done:
 	return authenticated;
 }
@ -162,7 +162,7 @@ diff -up openssh-5.8p1/auth2-hostbased.c.audit2 openssh-5.8p1/auth2-hostbased.c
 hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
 diff -up openssh-5.8p1/auth2-pubkey.c.audit2 openssh-5.8p1/auth2-pubkey.c
 --- openssh-5.8p1/auth2-pubkey.c.audit2	2010-12-01 01:50:14.000000000 +0100
-+++ openssh-5.8p1/auth2-pubkey.c	2011-02-09 15:50:28.000000000 +0100
+++ openssh-5.8p1/auth2-pubkey.c	2011-02-16 17:09:01.000000000 +0100
@@ -177,6 +177,18 @@ done:
 	return authenticated;
 }
@ -184,7 +184,7 @@ diff -up openssh-5.8p1/auth2-pubkey.c.audit2 openssh-5.8p1/auth2-pubkey.c
 {
 diff -up openssh-5.8p1/auth.h.audit2 openssh-5.8p1/auth.h
 --- openssh-5.8p1/auth.h.audit2	2010-05-10 03:58:03.000000000 +0200
-+++ openssh-5.8p1/auth.h	2011-02-09 15:50:28.000000000 +0100
+++ openssh-5.8p1/auth.h	2011-02-16 17:09:01.000000000 +0100
@@ -170,6 +170,7 @@ void	abandon_challenge_response(Authctxt
 char	*authorized_keys_file(struct passwd *);
 char	*authorized_keys_file2(struct passwd *);
@ -203,7 +203,7 @@ diff -up openssh-5.8p1/auth.h.audit2 openssh-5.8p1/auth.h
 void	 auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
 diff -up openssh-5.8p1/auth-rsa.c.audit2 openssh-5.8p1/auth-rsa.c
 --- openssh-5.8p1/auth-rsa.c.audit2	2010-12-04 23:01:47.000000000 +0100
-+++ openssh-5.8p1/auth-rsa.c	2011-02-09 15:53:00.000000000 +0100
+++ openssh-5.8p1/auth-rsa.c	2011-02-16 17:09:01.000000000 +0100
@@ -92,7 +92,10 @@ auth_rsa_verify_response(Key *key, BIGNU
 {
 	u_char buf[32], mdbuf[16];
@ -242,7 +242,7 @@ diff -up openssh-5.8p1/auth-rsa.c.audit2 openssh-5.8p1/auth-rsa.c
 /*
 diff -up openssh-5.8p1/monitor.c.audit2 openssh-5.8p1/monitor.c
 --- openssh-5.8p1/monitor.c.audit2	2010-09-10 03:23:34.000000000 +0200
-+++ openssh-5.8p1/monitor.c	2011-02-09 15:50:28.000000000 +0100
+++ openssh-5.8p1/monitor.c	2011-02-16 17:09:01.000000000 +0100
@@ -1235,7 +1235,17 @@ mm_answer_keyverify(int sock, Buffer *m)
 	if (!valid_data)
 		fatal("%s: bad signature data blob", __func__);
--- a/openssh.spec
+++ b/openssh.spec
@ -71,7 +71,7 @@

 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %define openssh_ver 5.8p1
-%define openssh_rel 1
+%define openssh_rel 2
 %define pam_ssh_agent_ver 0.9.2
 %define pam_ssh_agent_rel 30

@ -96,6 +96,7 @@ Source5: pam_ssh_agent-rmheaders
 Patch100: openssh-5.6p1-wIm.patch
 Patch0: openssh-5.6p1-redhat.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1402
+Patch1: openssh-5.8p1-audit1.patch
 Patch2: openssh-5.8p1-audit2.patch
 Patch3: openssh-5.8p1-audit3.patch
 Patch4: openssh-5.8p1-audit4.patch
@ -283,6 +284,7 @@ The module is most useful for su and sudo service stacks.
 #Do not enable by default
 ###%patch100 -p1 -b .wIm
 %patch0 -p1 -b .redhat
+%patch1 -p1 -b .audit1
 %patch2 -p1 -b .audit2
 %patch3 -p1 -b .audit3
 %patch4 -p1 -b .audit4
@ -602,6 +604,9 @@ fi
 %endif

 %changelog
+* Wed Feb 16 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-2 + 0.9.2-30
+- improve audit of logins and auths
+
 * Mon Feb 14 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-1 + 0.9.2-30
 - bump openssh version to 5.8p1