Solaris/IRIX audit support: login.c vs loginrec.c

Rip Loomis loomisg at cist.saic.com
Thu Aug 31 05:52:00 EST 2000


Comments requested:
I have internally-generated patches against
commercial SSH 1.2.27 that add full support
for generation of kernel-level audit data
on Solaris 2.5.1+ and IRIX 6.2/6.5, and
I'm finally getting around to porting them
to OpenSSH.

One piece that had been previously implemented
was generation of login/logout events in
record_login and record_logout in login.c--but
now those functions are mostly shells for the
stuff in loginrec.c.  It looks as though it
would be easier for me to just drop these
into login.c, but the functionality might
be more useful to other projects if it were
integrated into loginrec.c.

What's the best answer?

Related questions:
1.  Will anyone besides me (and certain
customers) actually use this sort of 
functionality?

2.  Is anyone else working on anything similar?
I had abstracted much of the functionality
out into "sshaudit.c" and "sshaudit.h", and
would intend to continue that.  I'm not
personally sure whether the functionality is
important on HP-UX or Tru64, each of which
has its own bizarre auditing methodology.
It appears on HP-UX that it's not even possible
to generate audit events directly from sshd
itself, but only indirectly (through any audited
library call that fails/succeeds)--which means that
there would seem to be no way to generate an
audit event on login failure.

It's also not clear whether specific action
must be taken to generate audit data under
the correct UID, or whether those OSs
automagically set the audit user ID to the
actual user.  On both IRIX and Solaris, if
sshd is running as root and no action is
taken to re-initialize the audit ID to the user's
true UID, then all actions taken during the SSH
session appear in the audit trail to have been
performed by root. (Note that patches to fix this
specific issue for IRIX were included in OpenSSH
as of June 2000--my patches also generate additional
audit data for failed login/successful login/logout).

Rip Loomis		Voice Number: (410) 953-6874
--------------------------------------------------------
Security Engineer
Center for Information Security Technology
Science Applications International Corporation
http://www.cist.saic.com
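Added example, not code from the post or from OpenSSH: the audit-ID re-initialisation the message describes for Solaris. sshd is still root when the session process is set up, so unless the audit user ID (auid) and audit session ID are replaced before privileges are dropped, the BSM audit trail attributes everything the user does to root. The plan_session_audit() function is portable; the setaudit(2) call is compiled only on Solaris (__sun). The session_audit_t type, all function names, and the sample uid, pid and address values are assumptions of this example. The IRIX SAT interface and the extra login-failure/logout records the post mentions are not shown.

```c
/*
 * Added example (not from the original post or from OpenSSH): installing a
 * per-session BSM audit ID so that session activity is audited as the user,
 * not as root.  session_audit_t, the function names and all sample values
 * are assumptions of this example.
 */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 600
#endif
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <arpa/inet.h>

#ifdef __sun
#include <bsm/audit.h>
#include <bsm/libbsm.h>
#endif

/* Portable description of the audit state a login session should carry. */
typedef struct {
    uid_t    auid;          /* audit user ID: the authenticated user, never root */
    pid_t    asid;          /* audit session ID: unique per login session */
    uint32_t term_port;     /* terminal ID: remote TCP port */
    uint32_t term_addr;     /* terminal ID: remote IPv4 address, network order */
    uint32_t mask_success;  /* preselection mask for successful events */
    uint32_t mask_failure;  /* preselection mask for failed events */
} session_audit_t;

/*
 * Decide what the session's audit state should be.  The auid is the real
 * uid of the user who authenticated; the session id is taken from the pid
 * of the session process, which is unique on this host while it runs.
 * Returns 0, or -1 with errno=EINVAL for bad arguments.
 */
int plan_session_audit(session_audit_t *sa, uid_t user_uid, pid_t session_pid,
                       const char *remote_ip, uint16_t remote_port,
                       uint32_t mask_success, uint32_t mask_failure)
{
    struct in_addr addr;

    if (sa == NULL || remote_ip == NULL) {
        errno = EINVAL;
        return -1;
    }
    if (inet_pton(AF_INET, remote_ip, &addr) != 1) {
        errno = EINVAL;           /* only IPv4 terminal IDs in this example */
        return -1;
    }
    memset(sa, 0, sizeof *sa);
    sa->auid = user_uid;
    sa->asid = session_pid;
    sa->term_port = remote_port;
    sa->term_addr = addr.s_addr;  /* inet_pton already gives network order */
    sa->mask_success = mask_success;
    sa->mask_failure = mask_failure;
    return 0;
}

/*
 * Install the planned state with setaudit(2).  This must run in the session
 * child after fork() and BEFORE setgid()/setuid() drop root: setaudit()
 * needs privilege, and from this call on the kernel records the user's
 * auid in every audit record for the session.
 * Returns 0 on success; -1 with errno=EPERM if privilege is already gone,
 * errno=ENOSYS on a non-Solaris build.
 */
int apply_session_audit(const session_audit_t *sa)
{
#ifdef __sun
    auditinfo_t ai;
#endif
    if (sa == NULL) {
        errno = EINVAL;
        return -1;
    }
    if (geteuid() != 0) {
        errno = EPERM;            /* called too late: privilege already dropped */
        return -1;
    }
#ifdef __sun
    memset(&ai, 0, sizeof ai);
    ai.ai_auid = sa->auid;
    ai.ai_asid = sa->asid;
    ai.ai_termid.port = sa->term_port;
    ai.ai_termid.machine = sa->term_addr;
    ai.ai_mask.am_success = sa->mask_success;
    ai.ai_mask.am_failure = sa->mask_failure;
    return setaudit(&ai);
#else
    errno = ENOSYS;
    return -1;
#endif
}
```

The order matters: plan_session_audit() can run anywhere, but apply_session_audit() has to be called in the child that will become the user's shell, after the fork and before the uid/gid are dropped, which is why the function refuses to proceed once geteuid() is non-zero. The preselection masks would normally come from the system audit_control/audit_user configuration rather than being passed as literals as they are here.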