[Bug 125] add BSM audit support

bugzilla-daemon at mindrot.org
Tue Feb 15 20:22:59 EST 2005


http://bugzilla.mindrot.org/show_bug.cgi?id=125


djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
    Attachment #826|                            |ok+
               Flag|                            |




------- Additional Comments From djm at mindrot.org  2005-02-15 20:22 -------
(From update of attachment 826)
>Index: LICENCE
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/LICENCE,v
>retrieving revision 1.17
>diff -u -p -r1.17 LICENCE
>--- LICENCE	5 Nov 2004 09:00:03 -0000	1.17
>+++ LICENCE	30 Jan 2005 12:15:38 -0000
>@@ -203,6 +203,7 @@ OpenSSH contains no GPL code.
> 	Wayne Schroeder
> 	William Jones
> 	Darren Tucker
>+	Sun Microsystems
> 
>      * Redistribution and use in source and binary forms, with or without
>      * modification, are permitted provided that the following conditions
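
Review bot: the new "Sun Microsystems" entry is listed under the 2-clause block that starts at "Redistribution and use in source and binary forms", but the header of audit-bsm.c later in this patch also carries "Use is subject to license terms." ahead of that text. Confirm with the copyright holder that the 2-clause text is the whole licence, and drop the extra sentence from the file header if so, so that the entry here and the file agree.
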
>Index: Makefile.in
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/Makefile.in,v
>retrieving revision 1.268
>diff -u -p -r1.268 Makefile.in
>--- Makefile.in	2 Feb 2005 13:20:53 -0000	1.268
>+++ Makefile.in	2 Feb 2005 13:27:40 -0000
>@@ -85,7 +85,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
> 	monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \
> 	auth-krb5.o \
> 	auth2-gss.o gss-serv.o gss-serv-krb5.o \
>-	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o audit.o
>+	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
>+	audit.o audit-bsm.o
> 
> MANPAGES	= scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
> MANPAGES_IN	= scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5
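
Review bot: audit-bsm.o joins SSHDOBJS unconditionally, so every platform now compiles audit-bsm.c and depends on its "#if defined(USE_BSM_AUDIT)" guard to reduce the file to an empty object. That is consistent with how auth-pam.o and auth-sia.o are listed on the same line, but the configure change that defines USE_BSM_AUDIT is not in the quoted part of the patch; check that the macro is only defined when the bsm headers and library are actually found, since nothing in this Makefile hunk will stop a broken build otherwise.
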
>Index: README.platform
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/README.platform,v
>retrieving revision 1.2
>diff -u -p -r1.2 README.platform
>--- README.platform	23 Apr 2004 08:57:13 -0000	1.2
>+++ README.platform	30 Jan 2005 12:15:38 -0000
>@@ -23,8 +23,20 @@ openssl-devel, zlib, minres, minires-dev
> 
> Solaris
> -------
>-Currently, sshd does not support BSM auditting.  This can show up as errors
>-when editting cron entries via crontab.  See.
>-http://bugzilla.mindrot.org/show_bug.cgi?id=125
>+If you enable BSM auditing on Solaris, you need to update audit_event(4)
>+for praudit(1m) to give sensible output.  The following line needs to be
>+added to /etc/security/audit_event:
>+
>+	32800:AUE_openssh:OpenSSH login:lo
>+
>+If the contrib/buildpkg.sh script is used, the included postinstall
>+script will add the line for you.
>+
>+The BSM audit event range available for third party TCB applications is
>+32768 - 65535.  Event number 32800 has been choosen for AUE_openssh.
>+There is no official registry of 3rd party event numbers, so if this
>+number is already in use on your system, you may change it at build time
>+by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding.
>+
> 
> $Id: README.platform,v 1.2 2004/04/23 08:57:13 dtucker Exp $
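
Review bot: the last added paragraph lets the builder move the event to another number with --with-cflags=-DAUE_openssh=32801, but the audit_event line given above it, and the one the postinstall script is said to add, are fixed at 32800. The text should state that the number in /etc/security/audit_event has to match the one compiled in, otherwise praudit(1m) output falls back to the state this section is meant to fix. Two smaller points in the same paragraph: "choosen" should be "chosen", and "configure'ing" reads better as "running configure with".
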
>Index: audit-bsm.c
>===================================================================
>RCS file: audit-bsm.c
>diff -N audit-bsm.c
>--- /dev/null	1 Jan 1970 00:00:00 -0000
>+++ audit-bsm.c	15 Feb 2005 08:41:13 -0000
>@@ -0,0 +1,329 @@
>+/* $Id$ */
>+
>+/*
>+ * TODO
>+ *
>+ * - deal with overlap between this and sys_auth_allowed_user
>+ *   sys_auth_record_login and record_failed_login.
>+ */
>+
>+/*
>+ * Copyright 1988-2002 Sun Microsystems, Inc.  All rights reserved.
>+ * Use is subject to license terms.
>+ *
>+ * Redistribution and use in source and binary forms, with or without
>+ * modification, are permitted provided that the following conditions
>+ * are met:
>+ * 1. Redistributions of source code must retain the above copyright
>+ *    notice, this list of conditions and the following disclaimer.
>+ * 2. Redistributions in binary form must reproduce the above copyright
>+ *    notice, this list of conditions and the following disclaimer in the
>+ *    documentation and/or other materials provided with the distribution.
>+ *
>+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
>+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
>+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
>+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
>+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
>+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
>+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
>+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
>+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
>+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
>+ *
>+ */
>+/* #pragma ident	"@(#)bsmaudit.c	1.1	01/09/17 SMI" */
>+
>+#include "includes.h"
>+#if defined(USE_BSM_AUDIT)
>+
>+#include "ssh.h"
>+#include "log.h"
>+#include "auth.h"
>+#include "xmalloc.h"
>+
>+#ifndef AUE_openssh
>+# define AUE_openssh     32800
>+#endif
>+#include <bsm/audit.h>
>+#include <bsm/libbsm.h>
>+#include <bsm/audit_uevents.h>
>+#include <bsm/audit_record.h>
>+#include <locale.h>
>+
>+#if defined(HAVE_GETAUDIT_ADDR)
>+#define	AuditInfoStruct		auditinfo_addr
>+#define AuditInfoTermID		au_tid_addr_t
>+#define GetAuditFunc(a,b)	getaudit_addr((a),(b))
>+#define GetAuditFuncText	"getaudit_addr"
>+#define SetAuditFunc(a,b)	setaudit_addr((a),(b))
>+#define SetAuditFuncText	"setaudit_addr"
>+#define AUToSubjectFunc		au_to_subject_ex
>+#define AUToReturnFunc(a,b)	au_to_return32((a), (int32_t)(b))
>+#else
>+#define	AuditInfoStruct		auditinfo
>+#define AuditInfoTermID		au_tid_t
>+#define GetAuditFunc(a,b)	getaudit(a)
>+#define GetAuditFuncText	"getaudit"
>+#define SetAuditFunc(a,b)	setaudit(a)
>+#define SetAuditFuncText	"setaudit"
>+#define AUToSubjectFunc		au_to_subject
>+#define AUToReturnFunc(a,b)	au_to_return((a), (u_int)(b))
>+#endif
>+
>+extern int	cannot_audit(int);
>+extern void	aug_init(void);
>+extern dev_t	aug_get_port(void);
>+extern int 	aug_get_machine(char *, u_int32_t *, u_int32_t *);
>+extern void	aug_save_auid(au_id_t);
>+extern void	aug_save_uid(uid_t);
>+extern void	aug_save_euid(uid_t);
>+extern void	aug_save_gid(gid_t);
>+extern void	aug_save_egid(gid_t);
>+extern void	aug_save_pid(pid_t);
>+extern void	aug_save_asid(au_asid_t);
>+extern void	aug_save_tid(dev_t, unsigned int);
>+extern void	aug_save_tid_ex(dev_t, u_int32_t *, u_int32_t);
>+extern int	aug_save_me(void);
>+extern int	aug_save_namask(void);
>+extern void	aug_save_event(au_event_t);
>+extern void	aug_save_sorf(int);
>+extern void	aug_save_text(char *);
>+extern void	aug_save_text1(char *);
>+extern void	aug_save_text2(char *);
>+extern void	aug_save_na(int);
>+extern void	aug_save_user(char *);
>+extern void	aug_save_path(char *);
>+extern int	aug_save_policy(void);
>+extern void	aug_save_afunc(int (*)(int));
>+extern int	aug_audit(void);
>+extern int	aug_na_selected(void);
>+extern int	aug_selected(void);
>+extern int	aug_daemon_session(void);
>+
>+#ifndef HAVE_GETTEXT
>+# define gettext(a)	(a)
>+#endif
>+
>+extern Authctxt *the_authctxt;
>+static AuditInfoTermID ssh_bsm_tid;
>+
>+/* Below is the low-level BSM interface code */
>+
>+/*
>+ * Check if the specified event is selected (enabled) for auditting.
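
Review bot: the block of "extern" declarations from cannot_audit() through aug_daemon_session() is written out by hand in the .c file after the bsm headers are included, which implies those headers do not declare them. With no system prototype to compare against, a signature change between Solaris releases would compile cleanly and fail at run time; configure should at least test that the symbols it needs link, and the declarations should carry a comment saying where they come from. Also, the TODO at the top about overlap with sys_auth_record_login and record_failed_login should be resolved or tracked before this is enabled by default, since that overlap decides whether a login is recorded once, twice, or not at all.
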

s/auditting/auditing/

I think configure should print a "read the README.bsm" or something if BSM is
enabled.

Otherwise OK.
