[Bug 125] add BSM audit support

bugzilla-daemon at mindrot.org
Wed Feb 2 15:46:22 EST 2005


http://bugzilla.mindrot.org/show_bug.cgi?id=125

------- Additional Comments From djm at mindrot.org  2005-02-02 15:46 -------
(From update of attachment 796)
>+/* helper to return supplied username */
>+static const char *
>+audit_username(void)
>+{
>+	static const char unknownuser[] = "(unknown user)";
>+
>+	if (the_authctxt == NULL || the_authctxt->user == NULL)
>+		return (unknownuser);
>+	return (the_authctxt->user);

What about when !authctxt->valid? Shouldn't it return "Invalid User" or
something to prevent leakage of mistyped passwords into logs?

>+void
>+audit_connection_from(const char *host, int port)
>+{
>+	debug("%s: euid %d connection from %s port %d", __func__, geteuid(),
>+	    host, port);
>+}
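Review bot: geteuid() returns uid_t, which is unsigned on most platforms, but the format string prints it with %d; cast it to a known type so the conversion matches, e.g. `debug("audit_connection_from: euid %u connection from %s port %d", (u_int) geteuid(), host, port);`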

Remember: __func__ is verboten :)

>+/*
>+ * Called when various events occur (see audit.h for a list of possible
>+ * events and what they mean).
>+ */
>+void
>+audit_event(ssh_audit_event_t event)
>+{
>+	char *eventstr[] = {
>+		"LOGIN_EXCEED_MAXTRIES",
>+		"LOGIN_ROOT_DENIED",
>+		"AUTH_SUCCESS",
>+		"AUTH_FAIL_NONE",
>+		"AUTH_FAIL_PASSWD",
>+		"AUTH_FAIL_KBDINT",
>+		"AUTH_FAIL_PUBKEY",
>+		"AUTH_FAIL_HOSTBASED",
>+		"AUTH_FAIL_GSSAPI",
>+		"INVALID_USER",
>+		"NOLOGIN",
>+		"CONNECTION_CLOSE",
>+		"CONNECTION_ABANDON",
>+		"AUDIT_UNKNOWN"
>+	};
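Review bot: eventstr[] is a non-const array of pointers rebuilt on every call; make it `static const char *const eventstr[]` so it is initialised once and lives in read-only data. Since it is indexed by the ssh_audit_event_t value, its order must match the enum in audit.h exactly, and the lookup should map any value outside the table (negative, or past the last entry) to the "AUDIT_UNKNOWN" string rather than indexing beyond the end of the array.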

Rather than maintaining this list and the mapping for auth method names earlier
in this file, would it be nicer to whack them all into an array-of-struct (int,
char*, char*) and provide lookup functions?

Looks OK otherwise
