[Bug 125] add BSM audit support
bugzilla-daemon at mindrot.org
Mon Jan 31 11:48:27 EST 2005
http://bugzilla.mindrot.org/show_bug.cgi?id=125
dtucker at zip.com.au changed:
What                        |Removed |Added
----------------------------------------------------------------------------
Attachment #795 is obsolete |0       |1
------- Additional Comments From dtucker at zip.com.au 2005-01-31 11:48 -------
Created an attachment (id=796)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=796&action=view)
Add audit hooks to sshd
audit_cleanup() has been replaced with the CONNECTION_CLOSE and
CONNECTION_ABANDON events. Other minor cleanups.
Note that the hooks are (well, should be) now all privsep-aware, so once it's
ported the BSM audit module ought to work fine with privsep.
Now, some questions for the BSM cognoscenti:
- is there a limit on the size of the command that can be written to the audit
log and if so, what?
- why does the original patch save the tty in sav_tty and then not use it?
- how does BSM differentiate between authentication events and session events?
eg the SSH2 protocol allows zero, one or many sessions (ie shells or commands)
to be associated with a single authentication (ie SSH connection). At the
moment, the audit hooks differentiate between a session (ie pty allocated) and
a command (no pty allocated). The original patch seemed to mix these two (it
will write a single login event after authentication but a logout event at
every session close).
- is there a reference on the format of the audit records? the au_* man pages
seem to cover *how* to write them but not *what* to write.