diff --git a/ChangeLog b/ChangeLog
index 836cc0dfcbe6..87ae13abe522 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+20050220
+ - (dtucker) [LICENCE Makefile.in README.platform audit-bsm.c configure.ac
+ defines.h] Bug #125: Add *EXPERIMENTAL* BSM audit support. Configure
+ --with-audit=bsm to enable. Patch originally from Sun Microsystems,
+ parts by John R. Jackson. ok djm@
+
 20050216
 - (djm) write seed to temporary file and atomically rename into place; ok dtucker@
@@ -2148,4 +2154,4 @@
 - (djm) Trim deprecated options from INSTALL. Mention UsePAM
 - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-$Id: ChangeLog,v 1.3659 2005/02/16 11:49:31 dtucker Exp $
+$Id: ChangeLog,v 1.3660 2005/02/20 10:01:48 dtucker Exp $
diff --git a/LICENCE b/LICENCE
index f9062bd51f5e..ae03eb3a7d49 100644
--- a/LICENCE
+++ b/LICENCE
@@ -203,6 +203,7 @@ OpenSSH contains no GPL code.
 Wayne Schroeder William Jones Darren Tucker
+ Sun Microsystems
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
diff --git a/Makefile.in b/Makefile.in
index c6cfef11a2e4..71036c118a8d 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.268 2005/02/02 13:20:53 dtucker Exp $
+# $Id: Makefile.in,v 1.269 2005/02/20 10:01:49 dtucker Exp $
 # uncomment if you run a non bourne compatable shell. Ie. csh
 #SHELL = @SH@
@@ -85,7 +85,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
 monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \
 auth-krb5.o \
 auth2-gss.o gss-serv.o gss-serv-krb5.o \
- loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o audit.o
+ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
+ audit.o audit-bsm.o
 MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
 MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5
diff --git a/README.platform b/README.platform
index 4e7b84d39684..af551de481e5 100644
--- a/README.platform
+++ b/README.platform
@@ -32,8 +32,17 @@ openssl-devel, zlib, minres, minires-devel.
 Solaris
 -------
-Currently, sshd does not support BSM auditting. This can show up as errors
-when editting cron entries via crontab. See.
-http://bugzilla.mindrot.org/show_bug.cgi?id=125
+If you enable BSM auditing on Solaris, you need to update audit_event(4)
+for praudit(1m) to give sensible output. The following line needs to be
+added to /etc/security/audit_event:
-$Id: README.platform,v 1.4 2005/02/15 11:44:05 dtucker Exp $
+ 32800:AUE_openssh:OpenSSH login:lo
+
+The BSM audit event range available for third party TCB applications is
+32768 - 65535. Event number 32800 has been choosen for AUE_openssh.
+There is no official registry of 3rd party event numbers, so if this
+number is already in use on your system, you may change it at build time
+by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding.
+
+
+$Id: README.platform,v 1.5 2005/02/20 10:01:49 dtucker Exp $
diff --git a/configure.ac b/configure.ac
index fe6b002d4254..1bf067a2f398 100644
--- a/configure.ac
+++ b/configure.ac
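Review bot: `audit-bsm.o` is added to SSHDOBJS unconditionally, so sshd links it on every platform and for every --with-audit setting, not only when configure selected the bsm module. That is only correct if audit-bsm.c compiles to an empty object when USE_BSM_AUDIT is undefined; the ChangeLog entry names audit-bsm.c but the file is not in this patch, so the guard cannot be confirmed here. A short comment on the new line would record the assumption for the next maintainer, e.g. `# audit.o and audit-bsm.o are always built; their bodies are compiled out unless the matching audit module is enabled at configure time`. The alternative, a configure-substituted object for the selected module, would avoid shipping dead objects but is a larger change than this commit attempts.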
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.244 2005/02/16 11:49:31 dtucker Exp $
+# $Id: configure.ac,v 1.245 2005/02/20 10:01:49 dtucker Exp $
 #
 # Copyright (c) 1999-2004 Damien Miller
 #
@@ -881,6 +881,37 @@ AC_ARG_WITH(libedit,
 fi ] )
+AUDIT_MODULE=none
+AC_ARG_WITH(audit,
+ [ --with-audit=module Enable EXPERIMENTAL audit support (modules=debug,bsm)],
+ [
+ AC_MSG_CHECKING(for supported audit module)
+ case "$withval" in
+ bsm)
+ AC_MSG_RESULT(bsm)
+ AUDIT_MODULE=bsm
+ dnl Checks for headers, libs and functions
+ AC_CHECK_HEADERS(bsm/audit.h, [],
+ [AC_MSG_ERROR(BSM enabled and bsm/audit.h not found)])
+ AC_CHECK_LIB(bsm, getaudit, [],
+ [AC_MSG_ERROR(BSM enabled and required library not found)])
+ AC_CHECK_FUNCS(getaudit, [],
+ [AC_MSG_ERROR(BSM enabled and required function not found)])
+ # These are optional
+ AC_CHECK_FUNCS(getaudit_addr gettext)
+ AC_DEFINE(USE_BSM_AUDIT, [], [Use BSM audit module])
+ ;;
+ debug)
+ AUDIT_MODULE=debug
+ AC_MSG_RESULT(debug)
+ AC_DEFINE(SSH_AUDIT_EVENTS, [], Use audit debugging module)
+ ;;
+ *)
+ AC_MSG_ERROR([Unknown audit module $withval])
+ ;;
+ esac ]
+)
+
 dnl Checks for library functions. Please keep in alphabetical order
 AC_CHECK_FUNCS(\
 arc4random __b64_ntop b64_ntop __b64_pton b64_pton bcopy \
@@ -1846,6 +1877,8 @@ TYPE_SOCKLEN_T
 AC_CHECK_TYPES(sig_atomic_t,,,[#include ])
+AC_CHECK_TYPES(in_addr_t,,,[#include ])
+
 AC_CACHE_CHECK([for size_t], ac_cv_have_size_t, [ AC_TRY_COMPILE( [
@@ -3195,3 +3228,7 @@ if test ! -z "$NO_PEERCHECK" ; then
 echo ""
 fi
+if test "$AUDIT_MODULE" = "bsm" ; then
+ echo "WARNING: BSM audit support is currently considered EXPERIMENTAL."
+ echo "See the Solaris section in README.platform for details."
+fi
diff --git a/defines.h b/defines.h
index 4d59408adc9b..7758bc37a5bb 100644
--- a/defines.h
+++ b/defines.h
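Review bot: `AC_CHECK_LIB(bsm, getaudit, [], ...)` in the bsm branch passes an empty action-if-found, so autoconf's default action adds `-lbsm` to the global LIBS and every program in the tree (ssh, scp, sftp, ssh-agent, ...) is linked against libbsm, although only the sshd object list in the Makefile.in hunk gains `audit-bsm.o`. If Makefile.in has an sshd-only link variable, an explicit action-if-found that appends to it would keep the client binaries free of the dependency; if not, a comment saying the tree-wide link is intentional would stop the next reader from asking the same question. The two modules also enable the audit hooks by different routes: `debug` runs `AC_DEFINE(SSH_AUDIT_EVENTS, ...)` here, while `bsm` defines only USE_BSM_AUDIT and relies on the defines.h hunk to derive SSH_AUDIT_EVENTS from it; adding `AC_DEFINE(SSH_AUDIT_EVENTS, [], [Enable audit event hooks])` to the bsm branch as well would make the two paths symmetric and keep the decision in one file. Minor: the description argument of the debug-branch AC_DEFINE (`Use audit debugging module`) is unquoted, unlike `[Use BSM audit module]` a few lines above, and the optional `gettext` check sits under a BSM comment with nothing saying why the audit module needs it.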
@@ -25,7 +25,7 @@
 #ifndef _DEFINES_H
 #define _DEFINES_H
-/* $Id: defines.h,v 1.118 2005/02/02 12:30:25 dtucker Exp $ */
+/* $Id: defines.h,v 1.119 2005/02/20 10:01:49 dtucker Exp $ */
 /* Constants */
@@ -288,6 +288,10 @@ struct sockaddr_un {
 };
 #endif /* HAVE_SYS_UN_H */
+#ifndef HAVE_IN_ADDR_T
+typedef u_int32_t in_addr_t;
+#endif
+
 #if defined(BROKEN_SYS_TERMIO_H) && !defined(_STRUCT_WINSIZE)
 #define _STRUCT_WINSIZE
 struct winsize {
@@ -530,6 +534,11 @@ struct winsize {
 # define getpgrp() getpgrp(0)
 #endif
+#ifdef USE_BSM_AUDIT
+# define SSH_AUDIT_EVENTS
+# define CUSTOM_SSH_AUDIT_EVENTS
+#endif
+
 /* OPENSSL_free() is Free() in versions before OpenSSL 0.9.6 */
 #if !defined(OPENSSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x0090600f)
 # define OPENSSL_free(x) Free(x)
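Review bot: The new `#ifdef USE_BSM_AUDIT` block turns one configure-time macro into two, SSH_AUDIT_EVENTS and CUSTOM_SSH_AUDIT_EVENTS, without saying what either one switches on, and CUSTOM_SSH_AUDIT_EVENTS appears nowhere else in this patch, so a reader of defines.h alone cannot tell which header consumes it. A comment above the block would fix that, e.g. `/* BSM audit module: turn on the audit hooks and signal that the module supplies its own audit event definitions (CUSTOM_SSH_AUDIT_EVENTS) */`, with the second half confirmed against audit.h, which is not in this diff. The `typedef u_int32_t in_addr_t;` fallback in the middle hunk is the right width for the POSIX type, but it depends on u_int32_t already being provided higher up in defines.h; the block is placed after the struct sockaddr_un fallback, which is presumably below the integer-type fallbacks, but that ordering is outside the hunk and worth a glance.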