From 483c73337b57e320fea35807da6cbe8d5f144f88 Mon Sep 17 00:00:00 2001 From: Jan F Date: Wed, 16 Feb 2011 17:30:51 +0100 Subject: [PATCH] improve audit of logins and auths --- openssh-5.8p1-audit1.patch | 120 +++++++++++++++++++++++++++++++++++++ openssh-5.8p1-audit2.patch | 24 ++++---- openssh.spec | 7 ++- 3 files changed, 138 insertions(+), 13 deletions(-) create mode 100644 openssh-5.8p1-audit1.patch diff --git a/openssh-5.8p1-audit1.patch b/openssh-5.8p1-audit1.patch new file mode 100644 index 0000000..1f519e2 --- /dev/null +++ b/openssh-5.8p1-audit1.patch 
@@ -0,0 +1,120 @@
+diff -up openssh-5.8p1/audit-linux.c.audit1 openssh-5.8p1/audit-linux.c
+--- openssh-5.8p1/audit-linux.c.audit1 2011-02-16 15:49:11.000000000 +0100
++++ openssh-5.8p1/audit-linux.c 2011-02-16 16:48:45.000000000 +0100
+@@ -39,8 +39,8 @@
+ 
+ const char* audit_username(void);
+ 
+-int
+-linux_audit_record_event(int uid, const char *username,
++static int
++linux_audit_user_login(int uid, const char *username,
+ const char *hostname, const char *ip, const char *ttyn, int success)
+ {
+ int audit_fd, rc, saved_errno;
+@@ -68,13 +68,62 @@ linux_audit_record_event(int uid, const
+ return (rc >= 0);
+ }
+ 
++static int
++linux_audit_user_auth(int uid, const char *username,
++ const char *hostname, const char *ip, const char *ttyn, int success, int event)
++{
++ int audit_fd, rc, saved_errno;
++ static const char *event_name[] = {
++ "exceed maxtries",
++ "root denied",
++ "success",
++ "none",
++ "paasword",
++ "chalenge-response",
++ "pubkey",
++ "hostbased",
++ "gssapi",
++ "invalid user",
++ "nologin",
++ "connection close",
++ "connection abandon",
++ "unknown"
++ };
++
++ audit_fd = audit_open();
++ if (audit_fd < 0) {
++ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
++ errno == EAFNOSUPPORT)
++ return 1; /* No audit support in kernel */
++ else
++ return 0; /* Must prevent login */
++ }
++
++ if ((event < 0) || (event > SSH_AUDIT_UNKNOWN))
++ event = SSH_AUDIT_UNKNOWN;
++
++ rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH,
++ NULL, event_name[event], username ? username : "(unknown)",
++ username == NULL ? uid : -1, hostname, ip, ttyn, success);
++ saved_errno = errno;
++ close(audit_fd);
++ /*
++ * Do not report error if the error is EPERM and sshd is run as non
++ * root user. 
++ */
++ if ((rc == -EPERM) && (geteuid() != 0))
++ rc = 0;
++ errno = saved_errno;
++ return (rc >= 0);
++}
++
+ /* Below is the sshd audit API code */
+ 
+ void
+ audit_connection_from(const char *host, int port)
+ {
+-}
+ /* not implemented */
++}
+ 
+ void
+ audit_run_command(const char *command)
+@@ -85,7 +134,7 @@ audit_run_command(const char *command)
+ void
+ audit_session_open(struct logininfo *li)
+ {
+- if (linux_audit_record_event(li->uid, NULL, li->hostname,
++ if (linux_audit_user_login(li->uid, NULL, li->hostname,
+ NULL, li->line, 1) == 0)
+ fatal("linux_audit_write_entry failed: %s", strerror(errno));
+ }
+@@ -101,10 +150,15 @@ audit_event(ssh_audit_event_t event)
+ {
+ switch(event) {
+ case SSH_AUTH_SUCCESS:
+- case SSH_CONNECTION_CLOSE:
++ break;
++
+ case SSH_NOLOGIN:
+ case SSH_LOGIN_EXCEED_MAXTRIES:
+ case SSH_LOGIN_ROOT_DENIED:
++ linux_audit_user_auth(-1, audit_username(), NULL,
++ get_remote_ipaddr(), "sshd", 0, event);
++ linux_audit_user_login(-1, audit_username(), NULL,
++ get_remote_ipaddr(), "sshd", 0);
+ break;
+ 
+ case SSH_AUTH_FAIL_NONE:
+@@ -113,8 +167,14 @@ audit_event(ssh_audit_event_t event)
+ case SSH_AUTH_FAIL_PUBKEY:
+ case SSH_AUTH_FAIL_HOSTBASED:
+ case SSH_AUTH_FAIL_GSSAPI:
++ linux_audit_user_auth(-1, audit_username(), NULL,
++ get_remote_ipaddr(), "sshd", 0, event);
++ break;
++
++ case SSH_CONNECTION_CLOSE:
++ case SSH_CONNECTION_ABANDON:
+ case SSH_INVALID_USER:
+- linux_audit_record_event(-1, audit_username(), NULL,
++ linux_audit_user_login(-1, audit_username(), NULL,
+ get_remote_ipaddr(), "sshd", 0);
+ break;
+ 
diff --git a/openssh-5.8p1-audit2.patch b/openssh-5.8p1-audit2.patch
index 362d7d3..0a20f1d 100644
--- a/openssh-5.8p1-audit2.patch
+++ b/openssh-5.8p1-audit2.patch
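Review bot: The op strings `"paasword"` and `"chalenge-response"` in the new event_name[] table are misspelled, and since that string becomes the op= field of every AUDIT_USER_AUTH record sshd emits, an ausearch filter or SIEM rule written against the real method names will miss exactly those failed-password and failed-keyboard-interactive events; they should read `"password"` and `"challenge-response"`. The table is indexed by the raw ssh_audit_event_t value with only an upper bound of SSH_AUDIT_UNKNOWN, so its entries must stay in the order of that enum (declared in audit.h, outside this hunk) — a comment such as `/* order must match ssh_audit_event_t in audit.h */` above the array would keep the two from drifting when an event is added. The new calls in audit_event() discard the return value of linux_audit_user_auth() and linux_audit_user_login(), so a failed audit_open() or audit_log_acct_message() silently drops the auth-failure record even though the function's own `return 0; /* Must prevent login */` comment says the caller is meant to act on it, as audit_session_open() does with fatal(); either that comment should be softened or the result checked consistently. The bodies of linux_audit_user_login() and audit_event() extend beyond the hunk.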
@@ -1,6 +1,6 @@ diff -up openssh-5.8p1/audit-bsm.c.audit2 openssh-5.8p1/audit-bsm.c --- openssh-5.8p1/audit-bsm.c.audit2 2011-01-17 11:15:29.000000000 +0100 -+++ openssh-5.8p1/audit-bsm.c 2011-02-09 15:50:28.000000000 +0100 ++++ openssh-5.8p1/audit-bsm.c 2011-02-16 17:09:00.000000000 +0100 @@ -316,6 +316,12 @@ audit_session_close(struct logininfo *li /* not implemented */ } @@ -16,7 +16,7 @@ diff -up openssh-5.8p1/audit-bsm.c.audit2 openssh-5.8p1/audit-bsm.c { diff -up openssh-5.8p1/audit.c.audit2 openssh-5.8p1/audit.c --- openssh-5.8p1/audit.c.audit2 2011-01-17 11:15:30.000000000 +0100 -+++ openssh-5.8p1/audit.c 2011-02-09 15:50:28.000000000 +0100 ++++ openssh-5.8p1/audit.c 2011-02-16 17:09:01.000000000 +0100 @@ -111,6 +111,33 @@ audit_event_lookup(ssh_audit_event_t ev) return(event_lookup[i].name); } @@ -71,7 +71,7 @@ diff -up openssh-5.8p1/audit.c.audit2 openssh-5.8p1/audit.c #endif /* SSH_AUDIT_EVENTS */ diff -up openssh-5.8p1/audit.h.audit2 openssh-5.8p1/audit.h --- openssh-5.8p1/audit.h.audit2 2011-01-17 11:15:30.000000000 +0100 -+++ openssh-5.8p1/audit.h 2011-02-09 15:50:28.000000000 +0100 ++++ openssh-5.8p1/audit.h 2011-02-16 17:09:01.000000000 +0100 @@ -28,6 +28,7 @@ # define _SSH_AUDIT_H @@ -89,8 +89,8 @@ diff -up openssh-5.8p1/audit.h.audit2 openssh-5.8p1/audit.h #endif /* _SSH_AUDIT_H */ diff -up openssh-5.8p1/audit-linux.c.audit2 openssh-5.8p1/audit-linux.c ---- openssh-5.8p1/audit-linux.c.audit2 2011-01-17 11:15:30.000000000 +0100 -+++ openssh-5.8p1/audit-linux.c 2011-02-09 15:51:45.000000000 +0100 +--- openssh-5.8p1/audit-linux.c.audit2 2011-02-16 17:09:00.000000000 +0100 ++++ openssh-5.8p1/audit-linux.c 2011-02-16 17:10:29.000000000 +0100 @@ -37,6 +37,8 @@ #include "audit.h" #include "canohost.h" 
@@ -99,8 +99,8 @@ diff -up openssh-5.8p1/audit-linux.c.audit2 openssh-5.8p1/audit-linux.c + const char* audit_username(void); - int -@@ -68,6 +70,37 @@ linux_audit_record_event(int uid, const + static int +@@ -117,6 +119,37 @@ linux_audit_user_auth(int uid, const cha return (rc >= 0); } @@ -140,7 +140,7 @@ diff -up openssh-5.8p1/audit-linux.c.audit2 openssh-5.8p1/audit-linux.c void diff -up openssh-5.8p1/auth2-hostbased.c.audit2 openssh-5.8p1/auth2-hostbased.c --- openssh-5.8p1/auth2-hostbased.c.audit2 2010-08-05 05:04:50.000000000 +0200 -+++ openssh-5.8p1/auth2-hostbased.c 2011-02-09 15:50:28.000000000 +0100 ++++ openssh-5.8p1/auth2-hostbased.c 2011-02-16 17:09:01.000000000 +0100 @@ -136,6 +136,18 @@ done: return authenticated; } @@ -162,7 +162,7 @@ diff -up openssh-5.8p1/auth2-hostbased.c.audit2 openssh-5.8p1/auth2-hostbased.c hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, diff -up openssh-5.8p1/auth2-pubkey.c.audit2 openssh-5.8p1/auth2-pubkey.c --- openssh-5.8p1/auth2-pubkey.c.audit2 2010-12-01 01:50:14.000000000 +0100 -+++ openssh-5.8p1/auth2-pubkey.c 2011-02-09 15:50:28.000000000 +0100 ++++ openssh-5.8p1/auth2-pubkey.c 2011-02-16 17:09:01.000000000 +0100 @@ -177,6 +177,18 @@ done: return authenticated; } @@ -184,7 +184,7 @@ diff -up openssh-5.8p1/auth2-pubkey.c.audit2 openssh-5.8p1/auth2-pubkey.c { diff -up openssh-5.8p1/auth.h.audit2 openssh-5.8p1/auth.h --- openssh-5.8p1/auth.h.audit2 2010-05-10 03:58:03.000000000 +0200 -+++ openssh-5.8p1/auth.h 2011-02-09 15:50:28.000000000 +0100 ++++ openssh-5.8p1/auth.h 2011-02-16 17:09:01.000000000 +0100 @@ -170,6 +170,7 @@ void abandon_challenge_response(Authctxt char *authorized_keys_file(struct passwd *); char *authorized_keys_file2(struct passwd *); 
@@ -203,7 +203,7 @@ diff -up openssh-5.8p1/auth.h.audit2 openssh-5.8p1/auth.h void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2))); diff -up openssh-5.8p1/auth-rsa.c.audit2 openssh-5.8p1/auth-rsa.c --- openssh-5.8p1/auth-rsa.c.audit2 2010-12-04 23:01:47.000000000 +0100 -+++ openssh-5.8p1/auth-rsa.c 2011-02-09 15:53:00.000000000 +0100 ++++ openssh-5.8p1/auth-rsa.c 2011-02-16 17:09:01.000000000 +0100 @@ -92,7 +92,10 @@ auth_rsa_verify_response(Key *key, BIGNU { u_char buf[32], mdbuf[16]; @@ -242,7 +242,7 @@ diff -up openssh-5.8p1/auth-rsa.c.audit2 openssh-5.8p1/auth-rsa.c /* diff -up openssh-5.8p1/monitor.c.audit2 openssh-5.8p1/monitor.c --- openssh-5.8p1/monitor.c.audit2 2010-09-10 03:23:34.000000000 +0200 -+++ openssh-5.8p1/monitor.c 2011-02-09 15:50:28.000000000 +0100 ++++ openssh-5.8p1/monitor.c 2011-02-16 17:09:01.000000000 +0100 @@ -1235,7 +1235,17 @@ mm_answer_keyverify(int sock, Buffer *m) if (!valid_data) fatal("%s: bad signature data blob", __func__); diff --git a/openssh.spec b/openssh.spec index e2a1dc2..412971b 100644 --- a/openssh.spec +++ b/openssh.spec @@ -71,7 +71,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %define openssh_ver 5.8p1 -%define openssh_rel 1 +%define openssh_rel 2 %define pam_ssh_agent_ver 0.9.2 %define pam_ssh_agent_rel 30 @@ -96,6 +96,7 @@ Source5: pam_ssh_agent-rmheaders Patch100: openssh-5.6p1-wIm.patch Patch0: openssh-5.6p1-redhat.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1402 +Patch1: openssh-5.8p1-audit1.patch Patch2: openssh-5.8p1-audit2.patch Patch3: openssh-5.8p1-audit3.patch Patch4: openssh-5.8p1-audit4.patch @@ -283,6 +284,7 @@ The module is most useful for su and sudo service stacks. #Do not enable by default ###%patch100 -p1 -b .wIm %patch0 -p1 -b .redhat +%patch1 -p1 -b .audit1 %patch2 -p1 -b .audit2 %patch3 -p1 -b .audit3 %patch4 -p1 -b .audit4 
@@ -602,6 +604,9 @@ fi %endif %changelog +* Wed Feb 16 2011 Jan F. Chadima - 5.8p1-2 + 0.9.2-30 +- improve audit of logins and auths + * Mon Feb 14 2011 Jan F. Chadima - 5.8p1-1 + 0.9.2-30 - bump openssh version to 5.8p1