Adding Solaris Audit to sshd (and sftp-server)

Gary Winiger gary.winiger at oracle.com
Fri Dec 5 08:23:34 EST 2014


Hi Damien,

I'm working with the Solaris team that is integrating openssh
into upcoming Solaris releases.  I'm looking for advice from the
upstream community.  You were suggested for that advice.  If
there are other mailing lists you'd like me to ask, I'm happy
to do so, or if you'd like to forward, please feel free to do so.

The --with-audit=bsm (audit-bsm.c) configuration uses interfaces
that were never officially stable in Solaris.  Public support and
documentation has been withdrawn from Solaris 11 for libbsm.
The various interfaces can and have both changed incompatibly and
been withdrawn.  While it isn't publically documented, a new
Solaris Audit interface has been created.  For various build related
reasons libbsm has been retained and contains the interface for use
from Solaris 11 (parts of it were there from Solaris 9).

I'm partially done with a Skunk works project that when finished
is expected to be contributed upstream.

My current prototype adds configuration --with-audit=solaris,
which defines USE_SOLARIS_AUDIT and adds an audit-solaris.c file.
The plan is for similar style changes to add auditing to
sftp-server as well as extend to my current prototype to have
parity with the SunSSH implementation.

Does such configuration seem acceptable?

The Solaris openssh team hasn't been using autoconf, and has
been changing configure, config.h.in, Makefile.in by patches.
For illustrative purposes I've updated configure.ac.  I also have
suggested wording for ChangeLog, INSTALL, README.platform.

Thank you for your consideration and advice.

Cheers,
Gary..

configure.ac
============
   AUDIT_MODULE=none
   AC_ARG_WITH([audit],
!       [  --with-audit=module     Enable audit support 
(modules=debug,bsm,linux,solaris)],

+         solaris)
+               AC_MSG_RESULT([solaris])
+               AUDIT_MODULE=solaris
+               dnl    Checks for headers, libs and functions
+               AC_CHECK_HEADERS([bsm/adt.h], [],
+                   [AC_MSG_ERROR([Solaris Audit enabled and bsm/adt.h 
not found])],
+               SSHDLIBS="$SSHDLIBS -lbsm"
+               AC_DEFINE([USE_SOLARIS_AUDIT], [1], [Use Solaris audit 
module])
+               ;;

ChangeLog
=========
+ - (gww) The BSM (bsm) interfaces are obsolete and internal from 
Solaris 11.
+   The previously documented interfaces may change or be removed at any 
time.
+   From Solaris 11, the --with-audit=solaris option should be used.

INSTALL
=======
   There are a few other options to the configure script:

   --with-audit=[module] enable additional auditing via the specified 
module.
! Currently, drivers for "debug" (additional info via syslog), and "bsm"
! (Sun's Legacy Basic Security Module prior to Solaris 11), and "solaris"
! (Sun's Audit infrastructure from Solaris 11) are supported.

README.platform
===============
! Solaris
! -------

! Prior to Solaris 11
! -------------------
If you enable BSM auditing on Solaris, you need to update audit_event(4)
for praudit(1m) to give sensible output.  The following line needs to be
added to /etc/security/audit_event:

         32800:AUE_openssh:OpenSSH login:lo

The BSM audit event range available for third party TCB applications is
32768 - 65535.  Event number 32800 has been choosen for AUE_openssh.
There is no official registry of 3rd party event numbers, so if this
number is already in use on your system, you may change it at build time
by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding.

 From Solaris 11
---------------
Solaris Audit is supported by configuring --with-audit=solaris.


More information about the openssh-unix-dev mailing list