Do not attempt to pass hostnames to audit (inconsistency) (#1534577)

This commit is contained in:
Jakub Jelen 2018-01-17 10:08:26 +01:00
parent 32dc9bd1cd
commit f284c5eb83

View File

@ -310,7 +310,7 @@ diff -up openssh-7.6p1/audit.h.audit openssh-7.6p1/audit.h
diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
--- openssh-7.6p1/audit-linux.c.audit 2017-10-02 21:34:26.000000000 +0200 --- openssh-7.6p1/audit-linux.c.audit 2017-10-02 21:34:26.000000000 +0200
+++ openssh-7.6p1/audit-linux.c 2017-10-04 17:18:32.835505053 +0200 +++ openssh-7.6p1/audit-linux.c 2017-10-04 17:18:32.835505053 +0200
@@ -33,25 +33,38 @@ @@ -33,27 +33,40 @@
#include "log.h" #include "log.h"
#include "audit.h" #include "audit.h"
@ -337,7 +337,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
-linux_audit_record_event(int uid, const char *username, const char *hostname, -linux_audit_record_event(int uid, const char *username, const char *hostname,
- const char *ip, const char *ttyn, int success) - const char *ip, const char *ttyn, int success)
+static void +static void
+linux_audit_user_logxxx(int uid, const char *username, const char *hostname, +linux_audit_user_logxxx(int uid, const char *username,
+ const char *ip, const char *ttyn, int success, int event) + const char *ip, const char *ttyn, int success, int event)
{ {
int audit_fd, rc, saved_errno; int audit_fd, rc, saved_errno;
@ -354,8 +354,11 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
- rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN, - rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
+ rc = audit_log_acct_message(audit_fd, event, + rc = audit_log_acct_message(audit_fd, event,
NULL, "login", username ? username : "(unknown)", NULL, "login", username ? username : "(unknown)",
username == NULL ? uid : -1, hostname, ip, ttyn, success); - username == NULL ? uid : -1, hostname, ip, ttyn, success);
+ username == NULL ? uid : -1, NULL, ip, ttyn, success);
saved_errno = errno; saved_errno = errno;
close(audit_fd);
@@ -65,9 +78,97 @@ linux_audit_record_event(int uid, const @@ -65,9 +78,97 @@ linux_audit_record_event(int uid, const
rc = 0; rc = 0;
errno = saved_errno; errno = saved_errno;
@ -369,7 +372,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
+ +
+static void +static void
+linux_audit_user_auth(int uid, const char *username, +linux_audit_user_auth(int uid, const char *username,
+ const char *hostname, const char *ip, const char *ttyn, int success, int event) + const char *ip, const char *ttyn, int success, int event)
+{ +{
+ int audit_fd, rc, saved_errno; + int audit_fd, rc, saved_errno;
+ static const char *event_name[] = { + static const char *event_name[] = {
@ -403,7 +406,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
+ +
+ rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH, + rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH,
+ NULL, event_name[event], username ? username : "(unknown)", + NULL, event_name[event], username ? username : "(unknown)",
+ username == NULL ? uid : -1, hostname, ip, ttyn, success); + username == NULL ? uid : -1, NULL, ip, ttyn, success);
+ saved_errno = errno; + saved_errno = errno;
+ close(audit_fd); + close(audit_fd);
+ /* + /*
@ -455,7 +458,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
/* Below is the sshd audit API code */ /* Below is the sshd audit API code */
void void
@@ -76,24 +177,51 @@ audit_connection_from(const char *host, @@ -76,24 +177,55 @@ audit_connection_from(const char *host,
/* not implemented */ /* not implemented */
} }
@ -465,21 +468,25 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
{ {
- /* not implemented */ - /* not implemented */
+ if (!user_login_count++) + if (!user_login_count++)
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, session_get_remote_name_or_ip(active_state, utmp_len, options.use_dns), + linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
+ NULL, "ssh", 1, AUDIT_USER_LOGIN); + ssh_remote_ipaddr(active_state),
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, session_get_remote_name_or_ip(active_state, utmp_len, options.use_dns), + "ssh", 1, AUDIT_USER_LOGIN);
+ NULL, "ssh", 1, AUDIT_USER_START); + linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
+ ssh_remote_ipaddr(active_state),
+ "ssh", 1, AUDIT_USER_START);
+ return 0; + return 0;
+} +}
+ +
+void +void
+audit_end_command(int handle, const char *command) +audit_end_command(int handle, const char *command)
+{ +{
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, session_get_remote_name_or_ip(active_state, utmp_len, options.use_dns), + linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
+ NULL, "ssh", 1, AUDIT_USER_END); + ssh_remote_ipaddr(active_state),
+ "ssh", 1, AUDIT_USER_END);
+ if (user_login_count && !--user_login_count) + if (user_login_count && !--user_login_count)
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, session_get_remote_name_or_ip(active_state, utmp_len, options.use_dns), + linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
+ NULL, "ssh", 1, AUDIT_USER_LOGOUT); + ssh_remote_ipaddr(active_state),
+ "ssh", 1, AUDIT_USER_LOGOUT);
+} +}
+ +
+void +void
@ -496,9 +503,9 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
- fatal("linux_audit_write_entry failed: %s", strerror(errno)); - fatal("linux_audit_write_entry failed: %s", strerror(errno));
+ if (!user_login_count++) + if (!user_login_count++)
+ linux_audit_user_logxxx(li->uid, NULL, li->hostname, + linux_audit_user_logxxx(li->uid, NULL, li->hostname,
+ NULL, li->line, 1, AUDIT_USER_LOGIN); + li->line, 1, AUDIT_USER_LOGIN);
+ linux_audit_user_logxxx(li->uid, NULL, li->hostname, + linux_audit_user_logxxx(li->uid, NULL, li->hostname,
+ NULL, li->line, 1, AUDIT_USER_START); + li->line, 1, AUDIT_USER_START);
} }
void void
@ -506,10 +513,10 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
{ {
- /* not implemented */ - /* not implemented */
+ linux_audit_user_logxxx(li->uid, NULL, li->hostname, + linux_audit_user_logxxx(li->uid, NULL, li->hostname,
+ NULL, li->line, 1, AUDIT_USER_END); + li->line, 1, AUDIT_USER_END);
+ if (user_login_count && !--user_login_count) + if (user_login_count && !--user_login_count)
+ linux_audit_user_logxxx(li->uid, NULL, li->hostname, + linux_audit_user_logxxx(li->uid, NULL, li->hostname,
+ NULL, li->line, 1, AUDIT_USER_LOGOUT); + li->line, 1, AUDIT_USER_LOGOUT);
} }
void void
@ -518,16 +525,16 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
switch(event) { switch(event) {
case SSH_AUTH_SUCCESS: case SSH_AUTH_SUCCESS:
- case SSH_CONNECTION_CLOSE: - case SSH_CONNECTION_CLOSE:
+ linux_audit_user_auth(-1, audit_username(), NULL, + linux_audit_user_auth(-1, audit_username(),
+ ssh_remote_ipaddr(ssh), "ssh", 1, event); + ssh_remote_ipaddr(ssh), "ssh", 1, event);
+ break; + break;
+ +
case SSH_NOLOGIN: case SSH_NOLOGIN:
- case SSH_LOGIN_EXCEED_MAXTRIES: - case SSH_LOGIN_EXCEED_MAXTRIES:
case SSH_LOGIN_ROOT_DENIED: case SSH_LOGIN_ROOT_DENIED:
+ linux_audit_user_auth(-1, audit_username(), NULL, + linux_audit_user_auth(-1, audit_username(),
+ ssh_remote_ipaddr(ssh), "ssh", 0, event); + ssh_remote_ipaddr(ssh), "ssh", 0, event);
+ linux_audit_user_logxxx(-1, audit_username(), NULL, + linux_audit_user_logxxx(-1, audit_username(),
+ ssh_remote_ipaddr(ssh), "ssh", 0, AUDIT_USER_LOGIN); + ssh_remote_ipaddr(ssh), "ssh", 0, AUDIT_USER_LOGIN);
break; break;
+ case SSH_LOGIN_EXCEED_MAXTRIES: + case SSH_LOGIN_EXCEED_MAXTRIES:
@ -537,7 +544,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
case SSH_AUTH_FAIL_PUBKEY: case SSH_AUTH_FAIL_PUBKEY:
case SSH_AUTH_FAIL_HOSTBASED: case SSH_AUTH_FAIL_HOSTBASED:
case SSH_AUTH_FAIL_GSSAPI: case SSH_AUTH_FAIL_GSSAPI:
+ linux_audit_user_auth(-1, audit_username(), NULL, + linux_audit_user_auth(-1, audit_username(),
+ ssh_remote_ipaddr(ssh), "ssh", 0, event); + ssh_remote_ipaddr(ssh), "ssh", 0, event);
+ break; + break;
+ +
@ -545,11 +552,11 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
+ if (user_login_count) { + if (user_login_count) {
+ while (user_login_count--) + while (user_login_count--)
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, + linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
+ session_get_remote_name_or_ip(ssh, utmp_len, options.use_dns), + ssh_remote_ipaddr(ssh),
+ NULL, "ssh", 1, AUDIT_USER_END); + "ssh", 1, AUDIT_USER_END);
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, + linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
+ session_get_remote_name_or_ip(ssh, utmp_len, options.use_dns), + ssh_remote_ipaddr(ssh),
+ NULL, "ssh", 1, AUDIT_USER_LOGOUT); + "ssh", 1, AUDIT_USER_LOGOUT);
+ } + }
+ break; + break;
+ +
@ -557,7 +564,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
case SSH_INVALID_USER: case SSH_INVALID_USER:
- linux_audit_record_event(-1, audit_username(), NULL, - linux_audit_record_event(-1, audit_username(), NULL,
- ssh_remote_ipaddr(ssh), "sshd", 0); - ssh_remote_ipaddr(ssh), "sshd", 0);
+ linux_audit_user_logxxx(-1, audit_username(), NULL, + linux_audit_user_logxxx(-1, audit_username(),
+ ssh_remote_ipaddr(ssh), "ssh", 0, AUDIT_USER_LOGIN); + ssh_remote_ipaddr(ssh), "ssh", 0, AUDIT_USER_LOGIN);
break; break;
default: default: