Adding Solaris Audit to sshd (and sftp-server)

Gary Winiger gary.winiger at oracle.com
Thu Dec 11 07:07:17 EST 2014


On 12/10/14 03:19, Darren Tucker wrote:
> Hi Gary.
>
> On Thu, Dec 4, 2014 at 4:23 PM, Gary Winiger <gary.winiger at oracle.com>
> wrote:
>
>> Hi Damien,
>>
> [...]
>
> I'm not Damien, but I did much of the work integrating the original BSM
> patches.

	Great to meet you Darren.  Thanks for the BSM work.

> Firstly, I'm a little concerned about adding a dependency on an(other)
> undocumented API.  Is it planned to publicly document this interface?

	Yes, that has always been the plan.  Unfortunately, the API
	currently requires tools and files that are only part of the
	core Solaris build process.  Work has been slow to separate
	things out.
	IMO, it is in Solaris's best interests to maintain Solaris
	audit in OpenSSH.

> As for the structure, what you propose sounds reasonable.  Note that we can
> only accept code with license compatible with the 2-term BSD license (ISC
> style[1] preferred, 2-term BSD acceptable, see the policy [2] for more
> information).

	Thanks for the "sounds reasonable."  I'll move ahead that way.
	As for the license stuff, I'm not a lawyer, nor do I play one on
	TV.  Oracle (which acquired Sun) seems to have many of them.

	I'll have to see what Oracle requires.  Hopefully it is
	acceptable.  I know that an Oracle copyright will be required.
	As I'm paid by Oracle when writing code, that seems reasonable
	to me.  A CDDL may be required:
https://solaris.java.net/license.html
	
> For the code itself, please follow the style guide [3], use unified diffs
> (diff -u) and break patches into small, discrete pieces.  I'd also suggest
> opening a bug at bugzilla.mindrot.org to track the work and attach patches
> and such.

	I'll review the style guide.  As you may know, Solaris has a
	style guide.  This is the first hit Google found:
http://www.cis.upenn.edu/~lee/06cse480/data/cstyle.ms.pdf
	I'm pretty sure it was also a Usenix paper.

	I'll open a bug/rfe when I get a little farther along.
	That probably won't be until 2015.  If there's a compelling
	reason to do so sooner, I could probably squeeze it in.

>> "bsm" (Sun's Legacy Basic Security Module prior to Solaris 11)
>
> Sun's is not the only BSM implementation these days, FreeBSD also has one.

	Point taken.  I'll reword before asking for a patch to be
	accepted.
	A number of folk choose to "borrow" the audit stuff Sun did a
	couple decades ago.  MacOS X also seems to be using the BSM
	style interfaces.  I expect imported from FreeBSD.
	I've not looked closely at Darwin, other than as a MacOS user.
	(Since 1984 ;-)

Thanks and Cheers,
Gary..
>
> [1]
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/share/misc/license.template?rev=HEAD
> [2] http://www.openbsd.org/policy.html
> [3] http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man9/style.9
>



More information about the openssh-unix-dev mailing list