rpms/openssh/devel openssh-4.2p1-audit.patch, NONE, 1.1 openssh.spec, 1.70, 1.71
- From: fedora-cvs-commits redhat com
- To: fedora-cvs-commits redhat com
- Subject: rpms/openssh/devel openssh-4.2p1-audit.patch, NONE, 1.1 openssh.spec, 1.70, 1.71
- Date: Fri, 28 Oct 2005 12:03:20 -0400
Author: tmraz
Update of /cvs/dist/rpms/openssh/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv12793
Modified Files:
openssh.spec
Added Files:
openssh-4.2p1-audit.patch
Log Message:
* Fri Oct 28 2005 Tomas Mraz <tmraz redhat com> 4.2p1-5
- put back the possibility to skip SELinux patch
- add patch for user login auditing by Steve Grubb
openssh-4.2p1-audit.patch:
Makefile.in | 3 ++-
auth.c | 10 ++++++++++
config.h.in | 3 +++
configure.ac | 15 +++++++++++++++
loginrec.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
loginrec.h | 4 ++++
6 files changed, 92 insertions(+), 1 deletion(-)
--- NEW FILE openssh-4.2p1-audit.patch ---
diff -ur openssh-4.2p1.orig/auth.c openssh-4.2p1/auth.c
--- openssh-4.2p1.orig/auth.c 2005-10-27 15:38:56.000000000 -0400
+++ openssh-4.2p1/auth.c 2005-10-27 17:10:17.000000000 -0400
@@ -260,6 +260,12 @@
record_failed_login(authctxt->user,
get_canonical_hostname(options.use_dns), "ssh");
#endif
+#if HAVE_LINUX_AUDIT
+ if (authenticated == 0 && !authctxt->postponed) {
+ linux_audit_record_event(-1, authctxt->user, NULL,
+ get_remote_ipaddr(), "sshd", 0);
+ }
+#endif
#ifdef SSH_AUDIT_EVENTS
if (authenticated == 0 && !authctxt->postponed) {
ssh_audit_event_t event;
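Review bot: The result of `linux_audit_record_event()` is discarded at the added call here, and again at the invalid-user call in the second auth.c hunk, so a failed-login audit record that could not be written is lost without any trace. Per the function's definition in the loginrec.c hunk, 0 means the record was not written, while 1 covers both success and a kernel without audit support, so a check such as `if (linux_audit_record_event(...) == 0) logit("%s: could not write audit record", __func__);` would surface the loss. This guard is also written `#if HAVE_LINUX_AUDIT` where every other site in the patch uses `#ifdef HAVE_LINUX_AUDIT`; the two forms should match. The enclosing function starts and ends outside the hunk.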
@@ -500,6 +506,10 @@
record_failed_login(user,
get_canonical_hostname(options.use_dns), "ssh");
#endif
+#ifdef HAVE_LINUX_AUDIT
+ linux_audit_record_event(-1, user, NULL, get_remote_ipaddr(),
+ "sshd", 0);
+#endif
#ifdef SSH_AUDIT_EVENTS
audit_event(SSH_INVALID_USER);
#endif /* SSH_AUDIT_EVENTS */
diff -ur openssh-4.2p1.orig/config.h.in openssh-4.2p1/config.h.in
--- openssh-4.2p1.orig/config.h.in 2005-10-27 15:38:56.000000000 -0400
+++ openssh-4.2p1/config.h.in 2005-10-27 17:13:24.000000000 -0400
@@ -1204,6 +1204,9 @@
/* Define if you want SELinux support. */
#undef WITH_SELINUX
+/* Define if you want Linux audit support. */
+#undef HAVE_LINUX_AUDIT
+
/* Define to 1 if your processor stores words with the most significant byte
first (like Motorola and SPARC, unlike Intel and VAX). */
#undef WORDS_BIGENDIAN
diff -ur openssh-4.2p1.orig/configure.ac openssh-4.2p1/configure.ac
--- openssh-4.2p1.orig/configure.ac 2005-10-27 15:38:56.000000000 -0400
+++ openssh-4.2p1/configure.ac 2005-10-27 17:17:26.000000000 -0400
@@ -2681,6 +2681,20 @@
])
AC_SUBST(LIBSELINUX)
+# Check whether user wants Linux audit support
+LINUX_AUDIT_MSG="no"
+LIBAUDIT=""
+AC_ARG_WITH(linux-audit,
+ [ --with-linux-audit Enable Linux audit support],
+ [ if test "x$withval" != "xno" ; then
+ AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.])
+ LINUX_AUDIT_MSG="yes"
+ AC_CHECK_HEADERS(libaudit.h)
+ LIBAUDIT="-laudit"
+ fi
+ ])
+AC_SUBST(LIBAUDIT)
+
# Check whether user wants Kerberos 5 support
KRB5_MSG="no"
AC_ARG_WITH(kerberos5,
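Review bot: `AC_CHECK_HEADERS(libaudit.h)` has no failure action, and `HAVE_LINUX_AUDIT` and `LIBAUDIT="-laudit"` are set before and regardless of that check, so `--with-linux-audit` on a system without libaudit only fails later, at compile or link time. Making the header check fatal, e.g. `AC_CHECK_HEADERS(libaudit.h, [], [AC_MSG_ERROR([libaudit.h not found])])`, and probing the library with `AC_CHECK_LIB(audit, audit_open, ...)` before the `AC_DEFINE` would turn this into a clear configure-time error. A build that is meant to carry login auditing should not be able to get past configure without the library it depends on.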
@@ -3474,6 +3488,7 @@
echo " PAM support: $PAM_MSG"
echo " KerberosV support: $KRB5_MSG"
echo " SELinux support: $SELINUX_MSG"
+echo " Linux audit support: $LINUX_AUDIT_MSG"
echo " Smartcard support: $SCARD_MSG"
echo " S/KEY support: $SKEY_MSG"
echo " TCP Wrappers support: $TCPW_MSG"
diff -ur openssh-4.2p1.orig/loginrec.c openssh-4.2p1/loginrec.c
--- openssh-4.2p1.orig/loginrec.c 2005-10-27 15:38:56.000000000 -0400
+++ openssh-4.2p1/loginrec.c 2005-10-27 17:27:43.000000000 -0400
@@ -165,6 +165,10 @@
# include <libutil.h>
#endif
+#ifdef HAVE_LINUX_AUDIT
+# include <libaudit.h>
+#endif
+
RCSID("$Id: loginrec.c,v 1.70 2005/07/17 07:26:44 djm Exp $");
/**
@@ -185,6 +189,9 @@
int utmpx_write_entry(struct logininfo *li);
int wtmp_write_entry(struct logininfo *li);
int wtmpx_write_entry(struct logininfo *li);
+#ifdef HAVE_LINUX_AUDIT
+int linux_audit_write_entry(struct logininfo *li);
+#endif
int lastlog_write_entry(struct logininfo *li);
int syslogin_write_entry(struct logininfo *li);
@@ -423,6 +430,10 @@
/* set the timestamp */
login_set_current_time(li);
+#ifdef HAVE_LINUX_AUDIT
+ if (linux_audit_write_entry(li) == 0)
+ return 0;
+#endif
#ifdef USE_LOGIN
syslogin_write_entry(li);
#endif
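Review bot: When `linux_audit_write_entry(li)` returns 0, the added code returns before `syslogin_write_entry()` and any record writers that follow outside the hunk, so an audit failure also suppresses the ordinary login records, and nothing is logged about it. The `return 0` should also be checked against login_write's other return paths, which are not visible here: the comment in `linux_audit_record_event` says this case "Must prevent login", and if 0 is login_write's normal success value the caller cannot tell the failure apart. At minimum add `logit("%s: failed to write audit record", __func__);` before the return. login_write starts and ends outside the hunk.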
@@ -1377,6 +1388,53 @@
}
#endif /* USE_WTMPX */
+#ifdef HAVE_LINUX_AUDIT
+int
+linux_audit_record_event(int uid, const char *username,
+ const char *hostname, const char *ip, const char *ttyn, int success)
+{
+ char buf[64];
+ int audit_fd, rc;
+
+ audit_fd = audit_open();
+ if (audit_fd < 0) {
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+ errno == EAFNOSUPPORT)
+ return 1; /* No audit support in kernel */
+ else
+ return 0; /* Must prevent login */
+ }
+ if (username == NULL)
+ snprintf(buf, sizeof(buf), "uid=%d", uid);
+ else
+ snprintf(buf, sizeof(buf), "acct=%s", username);
+ rc = audit_log_user_message(audit_fd, AUDIT_USER_LOGIN,
+ buf, hostname, ip, ttyn, success);
+ close(audit_fd);
+ if (rc > 0)
+ return 1;
+ else
+ return 0;
+}
+
+int
+linux_audit_write_entry(struct logininfo *li)
+{
+ switch(li->type) {
+ case LTYPE_LOGIN:
+ return (linux_audit_record_event(li->uid, NULL, li->hostname,
+ NULL, li->line, 1));
+ case LTYPE_LOGOUT:
+ return (1); /* We only care about logins */
+ default:
+ logit("%s: invalid type field", __func__);
+ return (0);
+ }
+}
+#endif /* HAVE_LINUX_AUDIT
+
+/* Please see the notes above wtmp_islogin() for information about the
+
/**
** Low-level libutil login() functions
**/
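Review bot: `snprintf(buf, sizeof(buf), "acct=%s", username)` copies the user name into the audit message verbatim, and at the auth.c call sites that name is `authctxt->user` / `user`, i.e. whatever the remote client offered for a failed or invalid login. A name containing spaces, quotes, `=` or control characters can make the record parse as if it carried extra fields, and anything beyond the 64-byte `buf` is silently truncated, so the name should be validated or hex-encoded before formatting and the `snprintf` result checked against `sizeof(buf)`. Later libaudit releases provide `audit_log_acct_message()` for account names; whether the audit-libs 1.0.8 required by the spec has it is not visible here. Separately, `#endif /* HAVE_LINUX_AUDIT` is missing its closing `*/` and the added `/* Please see the notes above wtmp_islogin() ...` line is a stray fragment; both appear to compile only because the open comment runs on to the `**/` below.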
diff -ur openssh-4.2p1.orig/loginrec.h openssh-4.2p1/loginrec.h
--- openssh-4.2p1.orig/loginrec.h 2005-10-27 15:38:56.000000000 -0400
+++ openssh-4.2p1/loginrec.h 2005-10-27 17:11:45.000000000 -0400
@@ -133,5 +133,9 @@
char *line_abbrevname(char *dst, const char *src, int dstsize);
void record_failed_login(const char *, const char *, const char *);
+#ifdef HAVE_LINUX_AUDIT
+int linux_audit_record_event(int uid, const char *username,
+ const char *hostname, const char *ip, const char *ttyn, int success);
+#endif /* HAVE_LINUX_AUDIT */
#endif /* _HAVE_LOGINREC_H_ */
diff -ur openssh-4.2p1.orig/Makefile.in openssh-4.2p1/Makefile.in
--- openssh-4.2p1.orig/Makefile.in 2005-10-27 15:38:56.000000000 -0400
+++ openssh-4.2p1/Makefile.in 2005-10-27 17:29:10.000000000 -0400
@@ -44,6 +44,7 @@
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
LIBS= LIBS@
LIBSELINUX= LIBSELINUX@
+LIBAUDIT= LIBAUDIT@
LIBEDIT= LIBEDIT@
LIBPAM= LIBPAM@
LIBWRAP= LIBWRAP@
@@ -137,7 +138,7 @@
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(LIBS)
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(LIBAUDIT) $(LIBS)
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
$(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
Index: openssh.spec
===================================================================
RCS file: /cvs/dist/rpms/openssh/devel/openssh.spec,v
retrieving revision 1.70
retrieving revision 1.71
diff -u -r1.70 -r1.71
--- openssh.spec 18 Oct 2005 20:57:59 -0000 1.70
+++ openssh.spec 28 Oct 2005 16:02:53 -0000 1.71
@@ -1,4 +1,9 @@
%define WITH_SELINUX 1
+%if %{WITH_SELINUX}
+# Audit patch applicable only over SELinux patch
+%define WITH_AUDIT 1
+%endif
+
# OpenSSH privilege separation requires a user & group ID
%define sshd_uid 74
%define sshd_gid 74
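Review bot: `WITH_AUDIT` is defined only inside `%if %{WITH_SELINUX}`, so with `WITH_SELINUX` set to 0 the macro stays undefined and the later `%if %{WITH_AUDIT}` tests (the audit-libs requirements, `%patch16`, `--with-linux-audit`) are evaluated on an unexpanded `%{WITH_AUDIT}`, which rpmbuild normally rejects as a malformed `%if` condition. Since the changelog says this change restores the ability to skip the SELinux patch, add an `%else` branch containing `%define WITH_AUDIT 0` so that the configuration still builds, with auditing explicitly off.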
@@ -71,7 +76,7 @@
Summary: The OpenSSH implementation of SSH protocol versions 1 and 2.
Name: openssh
Version: 4.2p1
-%define rel 4
+%define rel 5
%if %{rescue}
Release: %{rel}rescue
%else
@@ -93,6 +98,7 @@
Patch4: openssh-4.0p1-vendor.patch
Patch5: openssh-3.9p1-noinitlog.patch
Patch12: openssh-selinux.patch
+Patch16: openssh-4.2p1-audit.patch
Patch20: openssh-3.9p1-gssapimitm.patch
Patch21: openssh-3.9p1-safe-stop.patch
Patch22: openssh-3.9p1-askpass-keep-above.patch
@@ -147,8 +153,15 @@
BuildPreReq: krb5-devel
%endif
+%if %{WITH_SELINUX}
Requires: libselinux >= 1.27.7
BuildRequires: libselinux-devel >= 1.27.7
+%endif
+
+%if %{WITH_AUDIT}
+Requires: audit-libs >= 1.0.8
+BuildRequires: audit-libs >= 1.0.8
+%endif
%package clients
Summary: OpenSSH clients.
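Review bot: `BuildRequires: audit-libs >= 1.0.8` names the runtime library package, whereas the patch needs `libaudit.h` at build time; the SELinux lines directly above use `libselinux-devel` for the equivalent build dependency. Headers are normally shipped in the -devel subpackage, so this should presumably read `BuildRequires: audit-libs-devel >= 1.0.8` (confirm the package name for the target distribution). As written, a clean build root can satisfy the dependency and still fail to compile loginrec.c.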
@@ -228,7 +241,16 @@
%patch3 -p1 -b .krb5-config
%patch4 -p1 -b .vendor
%patch5 -p1 -b .noinitlog
+
+%if %{WITH_SELINUX}
+#SELinux
%patch12 -p1 -b .selinux
+%endif
+
+%if %{WITH_AUDIT}
+%patch16 -p1 -b .audit
+%endif
+
#%patch20 -p0 -b .gssapimitm
%patch21 -p1 -b .safe-stop
%patch22 -p1 -b .keep-above
@@ -297,7 +319,12 @@
%else
--with-pam \
%endif
+%if %{WITH_SELINUX}
--with-selinux \
+%endif
+%if %{WITH_AUDIT}
+ --with-linux-audit \
+%endif
%if %{kerberos5}
--with-kerberos5${krb5_prefix:+=${krb5_prefix}}
%else
@@ -514,6 +541,10 @@
%endif
%changelog
+* Fri Oct 28 2005 Tomas Mraz <tmraz redhat com> 4.2p1-5
+- put back the possibility to skip SELinux patch
+- add patch for user login auditing by Steve Grubb
+
* Tue Oct 18 2005 Dan Walsh <dwalsh redhat com> 4.2p1-4
- Change selinux patch to use get_default_context_with_rolelevel in libselinux.