http://bugzilla.mindrot.org/show_bug.cgi?id=125

alex.bell at bt.com changed:

    What | Removed | Added
    CC   |         | alex.bell at bt.com

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
dtucker at zip.com.au changed:

    What                        | Removed | Added
    Attachment #755 is obsolete | 0       | 1

------- Additional Comments From dtucker at zip.com.au 2005-01-30 00:46 -------
Created an attachment (id=793)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=793&action=view)
Add audit hooks to sshd

Fixes the problem of lack of privilege in the nologin and save_command events. The nologin handling is ugly though.
dtucker at zip.com.au changed:

    What                        | Removed | Added
    Attachment #793 is obsolete | 0       | 1

------- Additional Comments From dtucker at zip.com.au 2005-01-30 16:24 -------
Created an attachment (id=794)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=794&action=view)
Add audit hooks to sshd

OK, I think this one is ready. (Don't get excited yet folks, it's just the hooks at this stage.)

I dropped the /etc/nologin handling because it was ugly. With a little restructuring to do_nologin it can be done cleanly, but it can wait.

Things that ought to be looked at in this patch:
- the audit hooks in the monitor are enabled unconditionally post-auth. audit_event() is pretty harmless, but audit_run_command takes a string.
- should audit_run_command and/or the monitor do sanity checking (strnvis? enforce a max length?)
dtucker at zip.com.au changed:

    What                        | Removed | Added
    Attachment #794 is obsolete | 0       | 1

------- Additional Comments From dtucker at zip.com.au 2005-01-30 21:33 -------
Created an attachment (id=795)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=795&action=view)
Add audit hooks to sshd.

Now separates authentication and session events, since one SSH2 connection may carry multiple sessions. (eg "ssh -N" will record a successful authentication but zero sessions.)

Adds some more auth types (hostbased, gssapi).

Adds comments (so it must be done!)
dtucker at zip.com.au changed:

    What                        | Removed | Added
    Attachment #795 is obsolete | 0       | 1

------- Additional Comments From dtucker at zip.com.au 2005-01-31 11:48 -------
Created an attachment (id=796)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=796&action=view)
Add audit hooks to sshd

audit_cleanup() has been replaced with the CONNECTION_CLOSE and CONNECTION_ABANDON events. Other minor cleanups.

Note that the hooks are (well, should be) now all privsep-aware, so once it's ported the BSM audit module ought to work fine with privsep.

Now, some questions for the BSM cognoscenti:
- is there a limit on the size of the command that can be written to the audit log and if so, what?
- why does the original patch save the tty in sav_tty and then not use it?
- how does BSM differentiate between authentication events and session events? eg the SSH2 protocol allows zero, one or many sessions (ie shells or commands) to be associated with a single authentication (ie SSH connection). At the moment, the audit hooks differentiate between a session (ie pty allocated) and a command (no pty allocated). The original patch seemed to mix these two (it will write a single login event after authentication but a logout event at every session close).
- is there a reference on the format of the audit records? the au_* man pages seem to cover *how* to write them but not *what* to write.
http://bugzilla.mindrot.org/show_bug.cgi?id=125 ------- Additional Comments From djm at mindrot.org 2005-02-02 15:46 ------- (From update of attachment 796)>+/* helper to return supplied username */ >+static const char * >+audit_username(void) >+{ >+ static const char unknownuser[] = "(unknown user)"; >+ >+ if (the_authctxt == NULL || the_authctxt->user == NULL) >+ return (unknownuser); >+ return (the_authctxt->user);What about when !authctxt->valid, shouldn't it return "Invalid User" or something to prevent leakage of mistyped passwords into logs?>+void >+audit_connection_from(const char *host, int port) >+{ >+ debug("%s: euid %d connection from %s port %d", __func__, geteuid(), >+ host, port); >+}Remember: __func__ is verboten :)>+/* >+ * Called when various events occur (see audit.h for a list of possible >+ * events and what they mean). >+ */ >+void >+audit_event(ssh_audit_event_t event) >+{ >+ char *eventstr[] = { >+ "LOGIN_EXCEED_MAXTRIES", >+ "LOGIN_ROOT_DENIED", >+ "AUTH_SUCCESS", >+ "AUTH_FAIL_NONE", >+ "AUTH_FAIL_PASSWD", >+ "AUTH_FAIL_KBDINT", >+ "AUTH_FAIL_PUBKEY", >+ "AUTH_FAIL_HOSTBASED", >+ "AUTH_FAIL_GSSAPI", >+ "INVALID_USER", >+ "NOLOGIN", >+ "CONNECTION_CLOSE", >+ "CONNECTION_ABANDON", >+ "AUDIT_UNKNOWN" >+ };Rather than maintaining this list and the mapping for auth method names earlier in this file, would it be nicer to whack them all into an array-of-struct (int, char*, char*) and provide lookup functions? Looks OK otherwise ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
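Review bot: the eventstr[] table in audit_event() is indexed by position, so it is only correct while it stays in exactly the same order as the ssh_audit_event_t enum the comment points to in audit.h; nothing in the quoted code ties the two together, and an added or reordered enum value would silently mislabel events, or read past the end of the table if the enum grows. The array-of-struct lookup suggested above fixes this provided each entry carries the enum value and the lookup searches by value rather than by index, falling back to "AUDIT_UNKNOWN" for anything not in the table. The table should also be `static const char *const eventstr[]` rather than a writable array of `char *` rebuilt on every call.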
------- Additional Comments From dtucker at zip.com.au 2005-02-03 00:25 -------
Patch #796 has been committed so the hooks are in. Will attach my current working patch for the BSM part shortly.
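The array-of-struct event table with lookup functions that the review of attachment 796 asks for, written here as an added example rather than taken from the patch or from OpenSSH; the enum values, struct authctxt and function names are hypothetical stand-ins for sshd's own, and audit_username() also covers the !valid case raised in that review.

```c
/* Added example, not OpenSSH code: event table searched by value instead of
 * the positional eventstr[] array; all names here are hypothetical. */
#include <stddef.h>
#include <string.h>

typedef enum {
    SSH_LOGIN_EXCEED_MAXTRIES, SSH_LOGIN_ROOT_DENIED, SSH_AUTH_SUCCESS,
    SSH_AUTH_FAIL_NONE, SSH_AUTH_FAIL_PASSWD, SSH_AUTH_FAIL_KBDINT,
    SSH_AUTH_FAIL_PUBKEY, SSH_AUTH_FAIL_HOSTBASED, SSH_AUTH_FAIL_GSSAPI,
    SSH_INVALID_USER, SSH_NOLOGIN, SSH_CONNECTION_CLOSE,
    SSH_CONNECTION_ABANDON, SSH_AUDIT_UNKNOWN
} ssh_audit_event_t;

struct audit_event_desc {
    ssh_audit_event_t ev;   /* enum value: the table is searched by this */
    const char *name;       /* symbolic name written to the log */
    const char *method;     /* SSH auth method for AUTH_FAIL_*, else NULL */
};

/* Row order is irrelevant; an enum value with no row maps to AUDIT_UNKNOWN. */
static const struct audit_event_desc audit_events[] = {
    { SSH_LOGIN_EXCEED_MAXTRIES, "LOGIN_EXCEED_MAXTRIES", NULL },
    { SSH_LOGIN_ROOT_DENIED,     "LOGIN_ROOT_DENIED",     NULL },
    { SSH_AUTH_SUCCESS,          "AUTH_SUCCESS",          NULL },
    { SSH_AUTH_FAIL_NONE,        "AUTH_FAIL_NONE",        "none" },
    { SSH_AUTH_FAIL_PASSWD,      "AUTH_FAIL_PASSWD",      "password" },
    { SSH_AUTH_FAIL_KBDINT,      "AUTH_FAIL_KBDINT",      "keyboard-interactive" },
    { SSH_AUTH_FAIL_PUBKEY,      "AUTH_FAIL_PUBKEY",      "publickey" },
    { SSH_AUTH_FAIL_HOSTBASED,   "AUTH_FAIL_HOSTBASED",   "hostbased" },
    { SSH_AUTH_FAIL_GSSAPI,      "AUTH_FAIL_GSSAPI",      "gssapi-with-mic" },
    { SSH_INVALID_USER,          "INVALID_USER",          NULL },
    { SSH_NOLOGIN,               "NOLOGIN",               NULL },
    { SSH_CONNECTION_CLOSE,      "CONNECTION_CLOSE",      NULL },
    { SSH_CONNECTION_ABANDON,    "CONNECTION_ABANDON",    NULL },
};
#define AUDIT_NEVENTS (sizeof(audit_events) / sizeof(audit_events[0]))

/* Event -> name; an unknown or out-of-range value can never index past the table. */
const char *audit_event_name(ssh_audit_event_t ev)
{
    size_t i;
    for (i = 0; i < AUDIT_NEVENTS; i++)
        if (audit_events[i].ev == ev)
            return audit_events[i].name;
    return "AUDIT_UNKNOWN";
}

/* Failed auth method name -> event, replacing the separate method mapping. */
ssh_audit_event_t audit_event_for_failed_method(const char *method)
{
    size_t i;
    if (method == NULL)
        return SSH_AUDIT_UNKNOWN;
    for (i = 0; i < AUDIT_NEVENTS; i++)
        if (audit_events[i].method != NULL &&
            strcmp(audit_events[i].method, method) == 0)
            return audit_events[i].ev;
    return SSH_AUDIT_UNKNOWN;
}

/* Stand-in for sshd's Authctxt: user as typed, valid once it resolved to an account. */
struct authctxt { const char *user; int valid; };

/* A name that failed lookup may really be a mistyped password, so it is never
 * written to the audit trail; a fixed marker is recorded instead. */
const char *audit_username(const struct authctxt *ctxt)
{
    if (ctxt == NULL || ctxt->user == NULL)
        return "(unknown user)";
    if (!ctxt->valid)
        return "(invalid user)";
    return ctxt->user;
}
```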
dtucker at zip.com.au changed:

    What                        | Removed | Added
    Attachment #756 is obsolete | 0       | 1
    Attachment #796 is obsolete | 0       | 1

------- Additional Comments From dtucker at zip.com.au 2005-02-03 00:43 -------
Created an attachment (id=800)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=800&action=view)
Use audit hooks for BSM auditing (still work in progress)
dtucker at zip.com.au changed:

    What                        | Removed | Added
    Attachment #800 is obsolete | 0       | 1

------- Additional Comments From dtucker at zip.com.au 2005-02-06 12:40 -------
Created an attachment (id=804)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=804&action=view)
Use audit hooks for BSM auditing

I think this is ready to start testing. I have put up a snapshot with the patch applied at:
http://www.zip.com.au/~dtucker/tmp/openssh-audit-bsm.tar.gz

There's some code in the patch #if'ed out. I think the code in question should be removed but it's left there for discussion.

Remaining issues:
- what is the correct way to construct the device identifier part of Terminal ID? The telnet events seem to use something other than a source port.
- what is the value of logging the command supplied to sshd? It seems to be an attempt to mimic AUE_rshd but it's not equivalent since there may be zero, one or many command sessions supplied in a given sshd session. Would this not be better handled by using the built-in "ex" class? Appending it as a text token to the logout event seems wrong for a couple of reasons:
  - it'll only ever record the last command supplied
  - by my read the text tokens are limited to 255 bytes in length (or 127 if the "length" field is unsigned, the docs don't say).
  If it's really required then should it not be a separate event number?
- why does the patch call GetAuditFunc(&now, sizeof (now))? AFAICT the "now" struct is never used after being populated.
- why does the original patch save the tty name? AFAICT it's never used.
- should all of the au_* functions have their return codes checked, or is checking au_close() adequate?
- what values should be specified with the return token? praudit seems to interpret the "process error" as an errno. Are these just picked arbitrarily by the application, with zero as success? I noticed that later patches try to use error numbers from 240 - 255, outside of the errno range, is this advisable? And are these expected to be stable for a given application (ie sshd)?
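Two questions in this thread meet here: whether audit_run_command or the monitor should sanity-check the client-supplied command string (strnvis, a maximum length), and the 255-byte text-token limit noted above. The following is an added example, not code from the patch or from OpenSSH; AUDIT_TEXT_MAX is the assumed token limit and the function name is hypothetical. It escapes non-printable bytes in strvis-like octal form so a newline or terminal escape in a command cannot forge a second record or corrupt praudit output, and it truncates without ever splitting an escape sequence.

```c
/* Added example, not OpenSSH code. AUDIT_TEXT_MAX is the assumed 255-byte
 * text-token limit from the discussion above; the function is hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define AUDIT_TEXT_MAX 255

/*
 * Copy the client-supplied command into out (outlen bytes, always
 * NUL-terminated), rewriting anything that is not printable ASCII as \ooo
 * and a literal backslash as \\ so the result is unambiguous and free of
 * control characters. This is what the privileged monitor should do to the
 * string handed over from the unprivileged child before it reaches an audit
 * record. Returns 1 if the input was truncated to fit, 0 otherwise; an
 * escape sequence is never split across the truncation point.
 */
int audit_sanitize_command(const char *cmd, char *out, size_t outlen)
{
    const unsigned char *p = (const unsigned char *)cmd;
    size_t o = 0;

    if (outlen == 0)
        return 1;
    for (; *p != '\0'; p++) {
        char esc[5];
        size_t n;

        if (*p == '\\') {                       /* keep escapes unambiguous */
            memcpy(esc, "\\\\", 2);
            n = 2;
        } else if (*p >= 0x20 && *p < 0x7f) {   /* printable ASCII as-is */
            esc[0] = (char)*p;
            n = 1;
        } else {                                /* control or 8-bit byte */
            n = (size_t)snprintf(esc, sizeof esc, "\\%03o", (unsigned)*p);
        }
        if (o + n >= outlen) {                  /* leave room for the NUL */
            out[o] = '\0';
            return 1;
        }
        memcpy(out + o, esc, n);
        o += n;
    }
    out[o] = '\0';
    return 0;
}
```

A caller that wants the 255-byte token passes a buffer of AUDIT_TEXT_MAX + 1 bytes and can log the truncation flag as a separate fact rather than silently dropping the tail.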
------- Additional Comments From phil at usc.edu 2005-02-06 13:33 -------
For what it's worth, the security team at USC will begin testing this as a replacement for our inferior in-house auditd patch around the last week in February - we've been pushed back a bit.

-Phil
dtucker at zip.com.au changed:

    What                        | Removed | Added
    Attachment #804 is obsolete | 0       | 1

------- Additional Comments From dtucker at zip.com.au 2005-02-11 17:30 -------
Created an attachment (id=820)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=820&action=view)
Use audit hooks for BSM auditing

Update to match recent changes in the audit interface in sshd. Note that the argument to enable it has changed, use

    $ ./configure --with-audit=bsm [other flags]

A patched snapshot tarball is also available at:
http://www.zip.com.au/~dtucker/tmp/openssh-audit-bsm.tar.gz

Anyone interested in seeing this in the next release really should test this...
http://bugzilla.mindrot.org/show_bug.cgi?id=125 ------- Additional Comments From djm at mindrot.org 2005-02-14 12:10 ------- (From update of attachment 820)>Index: audit-bsm.c...>+/* >+ * Copyright 1988-2002 Sun Microsystems, Inc. All rights reserved. >+ * Use is subject to license terms.If you have made substantial changes to this file, you should assert copyright too.>+#ifndef HAVE_GETTEXT >+# define gettext(a) (a) >+#endifIs this necessary for auditing? Can we just scrub out the couple of gettext references? We don't internationalise any other messages from sshd...>Index: audit-bsm.h...>+#include "includes.h" >+#ifdef USE_BSM_AUDIT >+ >+#ifndef AUE_openssh >+# define AUE_openssh 32800 >+#endif >+#include <bsm/audit.h> >+#include <bsm/libbsm.h> >+#include <bsm/audit_uevents.h> >+#include <bsm/audit_record.h> >+#include <locale.h> >+ >+#if defined(HAVE_GETAUDIT_ADDR) >+#define AuditInfoStruct auditinfo_addr >+#define AuditInfoTermID au_tid_addr_t >+#define GetAuditFunc(a,b) getaudit_addr((a),(b)) >+#define GetAuditFuncText "getaudit_addr" >+#define SetAuditFunc(a,b) setaudit_addr((a),(b)) >+#define SetAuditFuncText "setaudit_addr" >+#define AUToSubjectFunc au_to_subject_ex >+#define AUToReturnFunc(a,b) au_to_return32((a), (int32_t)(b)) >+#else >+#define AuditInfoStruct auditinfo >+#define AuditInfoTermID au_tid_t >+#define GetAuditFunc(a,b) getaudit(a) >+#define GetAuditFuncText "getaudit" >+#define SetAuditFunc(a,b) setaudit(a) >+#define SetAuditFuncText "setaudit" >+#define AUToSubjectFunc au_to_subject >+#define AUToReturnFunc(a,b) au_to_return((a), (u_int)(b)) >+#endif >+ >+extern int cannot_audit(int); >+extern void aug_init(void); >+extern dev_t aug_get_port(void); >+extern int aug_get_machine(char *, u_int32_t *, u_int32_t *); >+extern void aug_save_auid(au_id_t); >+extern void aug_save_uid(uid_t); >+extern void aug_save_euid(uid_t); >+extern void aug_save_gid(gid_t); >+extern void aug_save_egid(gid_t); >+extern void aug_save_pid(pid_t); >+extern void 
aug_save_asid(au_asid_t); >+extern void aug_save_tid(dev_t, unsigned int); >+extern void aug_save_tid_ex(dev_t, u_int32_t *, u_int32_t); >+extern int aug_save_me(void); >+extern int aug_save_namask(void); >+extern void aug_save_event(au_event_t); >+extern void aug_save_sorf(int); >+extern void aug_save_text(char *); >+extern void aug_save_text1(char *); >+extern void aug_save_text2(char *); >+extern void aug_save_na(int); >+extern void aug_save_user(char *); >+extern void aug_save_path(char *); >+extern int aug_save_policy(void); >+extern void aug_save_afunc(int (*)(int)); >+extern int aug_audit(void); >+extern int aug_na_selected(void); >+extern int aug_selected(void); >+extern int aug_daemon_session(void);Wouldn't most of this stuff be better off living in audit-bsm.c? It isn't used elsewhere in the tree.>Index: configure.ac...>+ # These are optional >+ AC_CHECK_FUNCS(getaudit_addr gettext)Ditto comment about gettext above. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
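Review bot: the block of `extern` aug_*() prototypes in audit-bsm.h hand-declares functions for which no libbsm header is included, so the compiler has nothing to check them against, and a signature that differs from the library's (a `const char *` versus `char *` argument, or a different return width) will not be diagnosed at compile time. Along with moving them into audit-bsm.c as suggested, a comment naming the libbsm source they were copied from would let the next reader re-verify them. Separately, the two AUToReturnFunc() branches cast the error value differently, `(int32_t)(b)` for au_to_return32() and `(u_int)(b)` for au_to_return(), which matters for the non-errno error numbers (240-255) questioned earlier in this bug: if a negative value is ever passed, the two builds write different records for the same call.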
------- Additional Comments From dtucker at zip.com.au 2005-02-15 19:32 -------
(In reply to comment #41)
> If you have made substantial changes to this file, you should assert copyright
> too.

My main contribution appears to be repeated use of the "d" key :-)

> Is this necessary for auditing? Can we just scrub out the couple of gettext
> references? We don't internationalise any other messages from sshd...

I don't know if it's required but it was in the original patches. I just made it optional.

> >Index: audit-bsm.h
[...]
> Wouldn't most of this stuff be better off living in audit-bsm.c? It isn't used
> elsewhere in the tree.

The original idea was to move the OS interface out of the way so I could concentrate on the code. It can go back into audit-bsm.c.
dtucker at zip.com.au changed:

    What                        | Removed | Added
    Attachment #820 is obsolete | 0       | 1

------- Additional Comments From dtucker at zip.com.au 2005-02-15 19:47 -------
Created an attachment (id=826)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=826&action=view)
Use audit hooks for BSM auditing

Update with djm's feedback. Also removed all of the #ifdef'ed out code.
http://bugzilla.mindrot.org/show_bug.cgi?id=125 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #826| |ok+ Flag| | ------- Additional Comments From djm at mindrot.org 2005-02-15 20:22 ------- (From update of attachment 826)>Index: LICENCE >==================================================================>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/LICENCE,v >retrieving revision 1.17 >diff -u -p -r1.17 LICENCE >--- LICENCE 5 Nov 2004 09:00:03 -0000 1.17 >+++ LICENCE 30 Jan 2005 12:15:38 -0000 >@@ -203,6 +203,7 @@ OpenSSH contains no GPL code. > Wayne Schroeder > William Jones > Darren Tucker >+ Sun Microsystems > > * Redistribution and use in source and binary forms, with or without > * modification, are permitted provided that the following conditions >Index: Makefile.in >==================================================================>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/Makefile.in,v >retrieving revision 1.268 >diff -u -p -r1.268 Makefile.in >--- Makefile.in 2 Feb 2005 13:20:53 -0000 1.268 >+++ Makefile.in 2 Feb 2005 13:27:40 -0000 
>@@ -85,7 +85,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw > monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \ > auth-krb5.o \ > auth2-gss.o gss-serv.o gss-serv-krb5.o \ >- loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o audit.o >+ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ >+ audit.o audit-bsm.o > > MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out > MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5 >Index: README.platform >==================================================================>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/README.platform,v >retrieving revision 1.2 >diff -u -p -r1.2 README.platform >--- README.platform 23 Apr 2004 08:57:13 -0000 1.2 >+++ README.platform 30 Jan 2005 12:15:38 -0000 
>@@ -23,8 +23,20 @@ openssl-devel, zlib, minres, minires-dev > > Solaris > ------- >-Currently, sshd does not support BSM auditting. This can show up as errors >-when editting cron entries via crontab. See. >-http://bugzilla.mindrot.org/show_bug.cgi?id=125 >+If you enable BSM auditing on Solaris, you need to update audit_event(4) >+for praudit(1m) to give sensible output. The following line needs to be >+added to /etc/security/audit_event: >+ >+ 32800:AUE_openssh:OpenSSH login:lo >+ >+If the contrib/buildpkg.sh script is used, the included postinstall >+script will add the line for you. >+ >+The BSM audit event range available for third party TCB applications is >+32768 - 65535. Event number 32800 has been choosen for AUE_openssh. >+There is no official registry of 3rd party event numbers, so if this >+number is already in use on your system, you may change it at build time >+by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding. >+ > > $Id: README.platform,v 1.2 2004/04/23 08:57:13 dtucker Exp $ >Index: audit-bsm.c >==================================================================>RCS file: audit-bsm.c >diff -N audit-bsm.c >--- /dev/null 1 Jan 1970 00:00:00 -0000 >+++ audit-bsm.c 15 Feb 2005 08:41:13 -0000 
>@@ -0,0 +1,329 @@ >+/* $Id$ */ >+ >+/* >+ * TODO >+ * >+ * - deal with overlap between this and sys_auth_allowed_user >+ * sys_auth_record_login and record_failed_login. >+ */ >+ >+/* >+ * Copyright 1988-2002 Sun Microsystems, Inc. All rights reserved. >+ * Use is subject to license terms. >+ * >+ * Redistribution and use in source and binary forms, with or without >+ * modification, are permitted provided that the following conditions >+ * are met: >+ * 1. Redistributions of source code must retain the above copyright >+ * notice, this list of conditions and the following disclaimer. >+ * 2. Redistributions in binary form must reproduce the above copyright >+ * notice, this list of conditions and the following disclaimer in the >+ * documentation and/or other materials provided with the distribution. >+ * >+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR >+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES >+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. >+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, >+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT >+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, >+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY >+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT >+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF >+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
>+ * >+ */ >+/* #pragma ident "@(#)bsmaudit.c 1.1 01/09/17 SMI" */ >+ >+#include "includes.h" >+#if defined(USE_BSM_AUDIT) >+ >+#include "ssh.h" >+#include "log.h" >+#include "auth.h" >+#include "xmalloc.h" >+ >+#ifndef AUE_openssh >+# define AUE_openssh 32800 >+#endif >+#include <bsm/audit.h> >+#include <bsm/libbsm.h> >+#include <bsm/audit_uevents.h> >+#include <bsm/audit_record.h> >+#include <locale.h> >+ >+#if defined(HAVE_GETAUDIT_ADDR) >+#define AuditInfoStruct auditinfo_addr >+#define AuditInfoTermID au_tid_addr_t >+#define GetAuditFunc(a,b) getaudit_addr((a),(b)) >+#define GetAuditFuncText "getaudit_addr" >+#define SetAuditFunc(a,b) setaudit_addr((a),(b)) >+#define SetAuditFuncText "setaudit_addr" >+#define AUToSubjectFunc au_to_subject_ex >+#define AUToReturnFunc(a,b) au_to_return32((a), (int32_t)(b)) >+#else >+#define AuditInfoStruct auditinfo >+#define AuditInfoTermID au_tid_t >+#define GetAuditFunc(a,b) getaudit(a) >+#define GetAuditFuncText "getaudit" >+#define SetAuditFunc(a,b) setaudit(a) >+#define SetAuditFuncText "setaudit" >+#define AUToSubjectFunc au_to_subject >+#define AUToReturnFunc(a,b) au_to_return((a), (u_int)(b)) >+#endif >+ >+extern int cannot_audit(int); >+extern void aug_init(void); >+extern dev_t aug_get_port(void); >+extern int aug_get_machine(char *, u_int32_t *, u_int32_t *); >+extern void aug_save_auid(au_id_t); >+extern void aug_save_uid(uid_t); >+extern void aug_save_euid(uid_t); >+extern void aug_save_gid(gid_t); >+extern void aug_save_egid(gid_t); >+extern void aug_save_pid(pid_t); >+extern void aug_save_asid(au_asid_t); >+extern void aug_save_tid(dev_t, unsigned int); >+extern void aug_save_tid_ex(dev_t, u_int32_t *, u_int32_t); >+extern int aug_save_me(void); >+extern int aug_save_namask(void); >+extern void aug_save_event(au_event_t); >+extern void aug_save_sorf(int); >+extern void aug_save_text(char *); >+extern void aug_save_text1(char *); >+extern void aug_save_text2(char *); >+extern void aug_save_na(int); >+extern void 
aug_save_user(char *); >+extern void aug_save_path(char *); >+extern int aug_save_policy(void); >+extern void aug_save_afunc(int (*)(int)); >+extern int aug_audit(void); >+extern int aug_na_selected(void); >+extern int aug_selected(void); >+extern int aug_daemon_session(void); >+ >+#ifndef HAVE_GETTEXT >+# define gettext(a) (a) >+#endif >+ >+extern Authctxt *the_authctxt; >+static AuditInfoTermID ssh_bsm_tid; >+ >+/* Below is the low-level BSM interface code */ >+ >+/* >+ * Check if the specified event is selected (enabled) for auditting.s/auditting/auditing/ I think configure should print a "read the README.bsm" or something if BSM is enabled. Otherwise OK. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
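Review bot: in the README.platform hunk, "choosen" should be "chosen" and "configure'ing --with-cflags=-DAUE_openssh=32801" reads better as "passing --with-cflags=-DAUE_openssh=32801 to configure"; more importantly, the replacement Solaris section explains the /etc/security/audit_event entry but no longer says how the feature is switched on, so the `./configure --with-audit=bsm` invocation given earlier in this bug belongs in the same section, next to the audit_event line, so that a packager sees both steps together.

Review bot: in the audit-bsm.c hunk the `#ifndef HAVE_GETTEXT` / `# define gettext(a) (a)` shim and the `#include <locale.h>` that goes with it are still present, although the review of the previous attachment asked whether the gettext references could simply be removed since sshd does not internationalise any other message; keeping the shim keeps a configure-time dependency for a string that is never translated. The TODO at the top of the file ("deal with overlap between this and sys_auth_allowed_user, sys_auth_record_login and record_failed_login") describes a real duplication of login and failure recording between two code paths and should either be resolved before commit or tracked as a follow-up bug, so that it does not ship as a comment indefinitely.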
------- Additional Comments From dtucker at zip.com.au 2005-02-23 21:58 -------
Thanks, this has now been applied and it's in the snaps:
ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/snapshot/

The package stuff needs to be re-done.