[Bug 125] add BSM audit support

bugzilla-daemon at mindrot.org
Mon Jan 31 11:48:27 EST 2005


dtucker at zip.com.au changed:

           What    |Removed                     |Added
 Attachment #795 is|0                           |1
           obsolete|                            |

------- Additional Comments From dtucker at zip.com.au  2005-01-31 11:48 -------
Created an attachment (id=796)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=796&action=view)
Add audit hooks to sshd

audit_cleanup() has been replaced with the CONNECTION_CLOSE and
CONNECTION_ABANDON events.  Other minor cleanups.

Note that the hooks are (well, should be) now all privsep-aware, so once it's
ported the BSM audit module ought to work fine with privsep.

Now, some questions for the BSM cognoscenti:

- is there a limit on the size of the command that can be written to the audit
log and if so, what?

- why does the original patch save the tty in sav_tty and then not use it?

- how does BSM differentiate between authentication events and session events?
eg the SSH2 protocol allows zero, one or many sessions (ie shells or commands)
to be associated with a single authentication (ie SSH connection).  At the
moment, the audit hooks differentiate between a session (ie pty allocated) and
a command (no pty allocated).  The original patch seemed to mix these two (it
will write a single login event after authentication but a logout event at
every session close).

- is there a reference on the format of the audit records?  The au_* man pages
seem to cover *how* to write them but not *what* to write.
