From ea52a829699e981a58a69a77342e7ca3715a5f5b Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 17 Jan 2011 21:15:27 +1100 Subject: [PATCH] - (dtucker) [LICENCE Makefile.in audit-bsm.c audit-linux.c audit.c audit.h configure.ac defines.h loginrec.c] Bug #1402: add linux audit subsystem support, based on patches from Tomas Mraz and jchadima at redhat. --- ChangeLog | 3 ++ LICENCE | 1 + Makefile.in | 5 +- audit-bsm.c | 6 +-- audit-linux.c | 126 ++++++++++++++++++++++++++++++++++++++++++++++++++ audit.c | 10 ++-- audit.h | 9 ++-- configure.ac | 16 +++++-- defines.h | 7 ++- loginrec.c | 4 +- 10 files changed, 167 insertions(+), 20 deletions(-) create mode 100644 audit-linux.c diff --git a/ChangeLog b/ChangeLog index 6230fdc26f4a..f393ca491395 100644 --- a/ChangeLog +++ b/ChangeLog @@ -22,6 +22,9 @@ - (tim) [regress/agent-getpeereid.sh] shell portability fix. - (dtucker) [openbsd-compat/port-linux.c] Fix minor bug caught by -Werror on the tinderbox. + - (dtucker) [LICENCE Makefile.in audit-bsm.c audit-linux.c audit.c audit.h + configure.ac defines.h loginrec.c] Bug #1402: add linux audit subsystem + support, based on patches from Tomas Mraz and jchadima at redhat. 20110116 - (dtucker) [Makefile.in configure.ac regress/kextype.sh] Skip sha256-based diff --git a/LICENCE b/LICENCE index 3964b1d7718d..120d6fd54dbb 100644 --- a/LICENCE +++ b/LICENCE @@ -206,6 +206,7 @@ OpenSSH contains no GPL code. Sun Microsystems The SCO Group Daniel Walsh + Red Hat, Inc * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/Makefile.in b/Makefile.in index c4011daf77da..77a78aa61295 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.319 2011/01/16 07:28:10 dtucker Exp $ +# $Id: Makefile.in,v 1.320 2011/01/17 10:15:29 dtucker Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -82,6 +82,7 @@ SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ roaming_common.o roaming_client.o SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ + audit.o audit-bsm.o audit-linux.o platform.o \ sshpty.o sshlogin.o servconf.o serverloop.o \ auth.o auth1.o auth2.o auth-options.o session.o \ auth-chall.o auth2-chall.o groupaccess.o \ @@ -91,7 +92,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ auth-krb5.o \ auth2-gss.o gss-serv.o gss-serv-krb5.o \ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ - audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \ + sftp-server.o sftp-common.o \ roaming_common.o roaming_serv.o MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out diff --git a/audit-bsm.c b/audit-bsm.c index 2c417bc27ca0..f196d4f1e814 100644 --- a/audit-bsm.c +++ b/audit-bsm.c @@ -1,4 +1,4 @@ -/* $Id: audit-bsm.c,v 1.6 2008/02/25 10:05:04 dtucker Exp $ */ +/* $Id: audit-bsm.c,v 1.7 2011/01/17 10:15:29 dtucker Exp $ */ /* * TODO @@ -305,13 +305,13 @@ audit_run_command(const char *command) } void -audit_session_open(const char *ttyn) +audit_session_open(struct logininfo *li) { /* not implemented */ } void -audit_session_close(const char *ttyn) +audit_session_close(struct logininfo *li) { /* not implemented */ } diff --git a/audit-linux.c b/audit-linux.c new file mode 100644 index 000000000000..b3ee2f4daed8 --- /dev/null +++ b/audit-linux.c @@ -0,0 +1,126 @@ +/* $Id: audit-linux.c,v 1.1 2011/01/17 10:15:30 dtucker Exp $ */ + +/* + * Copyright 2010 Red Hat, Inc. All rights reserved. + * Use is subject to license terms. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * Red Hat author: Jan F. Chadima + */ + +#include "includes.h" +#if defined(USE_LINUX_AUDIT) +#include +#include +#include + +#include "log.h" +#include "audit.h" +#include "canohost.h" + +const char* audit_username(void); + +int +linux_audit_record_event(int uid, const char *username, + const char *hostname, const char *ip, const char *ttyn, int success) +{ + int audit_fd, rc, saved_errno; + + audit_fd = audit_open(); + if (audit_fd < 0) { + if (errno == EINVAL || errno == EPROTONOSUPPORT || + errno == EAFNOSUPPORT) + return 1; /* No audit support in kernel */ + else + return 0; /* Must prevent login */ + } + rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN, + NULL, "login", username ? username : "(unknown)", + username == NULL ? uid : -1, hostname, ip, ttyn, success); + saved_errno = errno; + close(audit_fd); + /* + * Do not report error if the error is EPERM and sshd is run as non + * root user. + */ + if ((rc == -EPERM) && (geteuid() != 0)) + rc = 0; + errno = saved_errno; + return (rc >= 0); +} + +/* Below is the sshd audit API code */ + +void +audit_connection_from(const char *host, int port) +{ +} + /* not implemented */ + +void +audit_run_command(const char *command) +{ + /* not implemented */ +} + +void +audit_session_open(struct logininfo *li) +{ + if (linux_audit_record_event(li->uid, NULL, li->hostname, + NULL, li->line, 1) == 0) + fatal("linux_audit_write_entry failed: %s", strerror(errno)); +} + +void +audit_session_close(struct logininfo *li) +{ + /* not implemented */ +} + +void +audit_event(ssh_audit_event_t event) +{ + switch(event) { + case SSH_AUTH_SUCCESS: + case SSH_CONNECTION_CLOSE: + case SSH_NOLOGIN: + case SSH_LOGIN_EXCEED_MAXTRIES: + case SSH_LOGIN_ROOT_DENIED: + break; + + case SSH_AUTH_FAIL_NONE: + case SSH_AUTH_FAIL_PASSWD: + case SSH_AUTH_FAIL_KBDINT: + case SSH_AUTH_FAIL_PUBKEY: + case SSH_AUTH_FAIL_HOSTBASED: + case SSH_AUTH_FAIL_GSSAPI: + case SSH_INVALID_USER: + linux_audit_record_event(-1, audit_username(), NULL, + get_remote_ipaddr(), "sshd", 0); + break; + + default: + debug("%s: unhandled event %d", __func__, event); + } +} + +#endif /* USE_LINUX_AUDIT */ diff --git a/audit.c b/audit.c index dbea34cb23f6..ced57fa64c46 100644 --- a/audit.c +++ b/audit.c @@ -1,4 +1,4 @@ -/* $Id: audit.c,v 1.5 2006/09/01 05:38:36 djm Exp $ */ +/* $Id: audit.c,v 1.6 2011/01/17 10:15:30 dtucker Exp $ */ /* * Copyright (c) 2004, 2005 Darren Tucker. All rights reserved. @@ -147,9 +147,9 @@ audit_event(ssh_audit_event_t event) * within a single connection. */ void -audit_session_open(const char *ttyn) +audit_session_open(struct logininfo *li) { - const char *t = ttyn ? ttyn : "(no tty)"; + const char *t = li->line ? li->line : "(no tty)"; debug("audit session open euid %d user %s tty name %s", geteuid(), audit_username(), t); @@ -163,9 +163,9 @@ audit_session_open(const char *ttyn) * within a single connection. */ void -audit_session_close(const char *ttyn) +audit_session_close(struct logininfo *li) { - const char *t = ttyn ? ttyn : "(no tty)"; + const char *t = li->line ? li->line : "(no tty)"; debug("audit session close euid %d user %s tty name %s", geteuid(), audit_username(), t); diff --git a/audit.h b/audit.h index 695f723549ea..92ede5bc4728 100644 --- a/audit.h +++ b/audit.h @@ -1,4 +1,4 @@ -/* $Id: audit.h,v 1.3 2006/08/05 14:05:10 dtucker Exp $ */ +/* $Id: audit.h,v 1.4 2011/01/17 10:15:30 dtucker Exp $ */ /* * Copyright (c) 2004, 2005 Darren Tucker. All rights reserved. @@ -26,6 +26,9 @@ #ifndef _SSH_AUDIT_H # define _SSH_AUDIT_H + +#include "loginrec.h" + enum ssh_audit_event_type { SSH_LOGIN_EXCEED_MAXTRIES, SSH_LOGIN_ROOT_DENIED, @@ -46,8 +49,8 @@ typedef enum ssh_audit_event_type ssh_audit_event_t; void audit_connection_from(const char *, int); void audit_event(ssh_audit_event_t); -void audit_session_open(const char *); -void audit_session_close(const char *); +void audit_session_open(struct logininfo *); +void audit_session_close(struct logininfo *); void audit_run_command(const char *); ssh_audit_event_t audit_classify_auth(const char *); diff --git a/configure.ac b/configure.ac index 02e8423c0208..233d3cfa1a9d 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.466 2011/01/17 05:17:09 djm Exp $ +# $Id: configure.ac,v 1.467 2011/01/17 10:15:30 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org) -AC_REVISION($Revision: 1.466 $) +AC_REVISION($Revision: 1.467 $) AC_CONFIG_SRCDIR([ssh.c]) # local macros @@ -1378,7 +1378,7 @@ int main(void) AUDIT_MODULE=none AC_ARG_WITH(audit, - [ --with-audit=module Enable EXPERIMENTAL audit support (modules=debug,bsm)], + [ --with-audit=module Enable audit support (modules=debug,bsm,linux)], [ AC_MSG_CHECKING(for supported audit module) case "$withval" in @@ -1402,10 +1402,18 @@ AC_ARG_WITH(audit, AC_CHECK_FUNCS(getaudit_addr aug_get_machine) AC_DEFINE(USE_BSM_AUDIT, 1, [Use BSM audit module]) ;; + linux) + AC_MSG_RESULT(linux) + AUDIT_MODULE=linux + dnl Checks for headers, libs and functions + AC_CHECK_HEADERS(libaudit.h) + SSHDLIBS="$SSHDLIBS -laudit" + AC_DEFINE(USE_LINUX_AUDIT, 1, [Use Linux audit module]) + ;; debug) AUDIT_MODULE=debug AC_MSG_RESULT(debug) - AC_DEFINE(SSH_AUDIT_EVENTS, 1, Use audit debugging module) + AC_DEFINE(SSH_AUDIT_EVENTS, 1, [Use audit debugging module]) ;; no) AC_MSG_RESULT(no) diff --git a/defines.h b/defines.h index ed438bd888e4..cd273066daf5 100644 --- a/defines.h +++ b/defines.h @@ -25,7 +25,7 @@ #ifndef _DEFINES_H #define _DEFINES_H -/* $Id: defines.h,v 1.163 2010/11/23 23:50:05 djm Exp $ */ +/* $Id: defines.h,v 1.164 2011/01/17 10:15:31 dtucker Exp $ */ /* Constants */ @@ -607,6 +607,11 @@ struct winsize { # define CUSTOM_SSH_AUDIT_EVENTS #endif +#ifdef USE_LINUX_AUDIT +# define SSH_AUDIT_EVENTS +# define CUSTOM_SSH_AUDIT_EVENTS +#endif + #if !defined(HAVE___func__) && defined(HAVE___FUNCTION__) # define __func__ __FUNCTION__ #elif !defined(HAVE___func__) diff --git a/loginrec.c b/loginrec.c index 587d55f7dd7b..32941c985ea4 100644 --- a/loginrec.c +++ b/loginrec.c @@ -469,9 +469,9 @@ login_write(struct logininfo *li) #endif #ifdef SSH_AUDIT_EVENTS if (li->type == LTYPE_LOGIN) - audit_session_open(li->line); + audit_session_open(li); else if (li->type == LTYPE_LOGOUT) - audit_session_close(li->line); + audit_session_close(li); #endif return (0); }