Hi Damien, I'm working with the Solaris team that is integrating openssh into upcoming Solaris releases. I'm looking for advice from the upstream community. You were suggested for that advice. If there are other mailing lists you'd like me to ask, I'm happy to do so, or if you'd like to forward, please feel free to do so. The --with-audit=bsm (audit-bsm.c) configuration uses interfaces that were never officially stable in Solaris. Public support and documentation has been withdrawn from Solaris 11 for libbsm. The various interfaces can and have both changed incompatibly and been withdrawn. While it isn't publically documented, a new Solaris Audit interface has been created. For various build related reasons libbsm has been retained and contains the interface for use from Solaris 11 (parts of it were there from Solaris 9). I'm partially done with a Skunk works project that when finished is expected to be contributed upstream. My current prototype adds configuration --with-audit=solaris, which defines USE_SOLARIS_AUDIT and adds an audit-solaris.c file. The plan is for similar style changes to add auditing to sftp-server as well as extend to my current prototype to have parity with the SunSSH implementation. Does such configuration seem acceptable? The Solaris openssh team hasn't been using autoconf, and has been changing configure, config.h.in, Makefile.in by patches. For illustrative purposes I've updated configure.ac. I also have suggested wording for ChangeLog, INSTALL, README.platform. Thank you for your consideration and advice. Cheers, Gary.. configure.ac =========== AUDIT_MODULE=none AC_ARG_WITH([audit], ! [ --with-audit=module Enable audit support (modules=debug,bsm,linux,solaris)], + solaris) + AC_MSG_RESULT([solaris]) + AUDIT_MODULE=solaris + dnl Checks for headers, libs and functions + AC_CHECK_HEADERS([bsm/adt.h], [], + [AC_MSG_ERROR([Solaris Audit enabled and bsm/adt.h not found])], + SSHDLIBS="$SSHDLIBS -lbsm" + AC_DEFINE([USE_SOLARIS_AUDIT], [1], [Use Solaris audit module]) + ;; ChangeLog ========+ - (gww) The BSM (bsm) interfaces are obsolete and internal from Solaris 11. + The previously documented interfaces may change or be removed at any time. + From Solaris 11, the --with-audit=solaris option should be used. INSTALL ====== There are a few other options to the configure script: --with-audit=[module] enable additional auditing via the specified module. ! Currently, drivers for "debug" (additional info via syslog), and "bsm" ! (Sun's Legacy Basic Security Module prior to Solaris 11), and "solaris" ! (Sun's Audit infrastructure from Solaris 11) are supported. README.platform ==============! Solaris ! ------- ! Prior to Solaris 11 ! ------------------- If you enable BSM auditing on Solaris, you need to update audit_event(4) for praudit(1m) to give sensible output. The following line needs to be added to /etc/security/audit_event: 32800:AUE_openssh:OpenSSH login:lo The BSM audit event range available for third party TCB applications is 32768 - 65535. Event number 32800 has been choosen for AUE_openssh. There is no official registry of 3rd party event numbers, so if this number is already in use on your system, you may change it at build time by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding. From Solaris 11 --------------- Solaris Audit is supported by configuring --with-audit=solaris.
Hi Gary. On Thu, Dec 4, 2014 at 4:23 PM, Gary Winiger <gary.winiger at oracle.com> wrote:> Hi Damien, >[...] I'm not Damien, but I did much of the work integrating the original BSM patches. Firstly, I'm a little concerned about adding a dependency on an(other) undocumented API. Is it planned to publicly document this interface? As for the structure, what you propose sounds reasonable. Note that we can only accept code with license compatible with the 2-term BSD license (ISC style[1] preferred, 2-term BSD acceptable, see the policy [2] for more information). For the code itself, please follow the style guide [3], use unified diffs (diff -u) and break patches into small, discrete pieces. I'd also suggest opening a bug at bugzilla.mindrot.org to track the work and attach patches and such.> "bsm" (Sun's Legacy Basic Security Module prior to Solaris 11)Sun's is not the only BSM implementation these days, FreeBSD also has one. [1] http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/share/misc/license.template?rev=HEAD [2] http://www.openbsd.org/policy.html [3] http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man9/style.9 -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
On 12/10/14 03:19, Darren Tucker wrote:> Hi Gary. > > On Thu, Dec 4, 2014 at 4:23 PM, Gary Winiger <gary.winiger at oracle.com> > wrote: > >> Hi Damien, >> > [...] > > I'm not Damien, but I did much of the work integrating the original BSM > patches.Great to meet you Darren. Thanks for the BSM work.> Firstly, I'm a little concerned about adding a dependency on an(other) > undocumented API. Is it planned to publicly document this interface?Yes, that has always been the plan. Unfortunately, the API currently requires tools and files that are only part of the core Solaris build process. Work has been slow to separate things out. IMO, it is in Solaris's best interests to maintain Solaris audit in OpenSSH.> As for the structure, what you propose sounds reasonable. Note that we can > only accept code with license compatible with the 2-term BSD license (ISC > style[1] preferred, 2-term BSD acceptable, see the policy [2] for more > information).Thanks for the "sounds reasonable." I'll move ahead that way. As for the license stuff, I'm not a lawyer, nor do I play one on TV. Oracle (which acquired Sun) seems to have many of them. I'll have to see what Oracle requires. Hopefully it is acceptable. I know that an Oracle copyright will be required. As I'm paid by Oracle when writing code, that seems reasonable to me. A CDDL may be required https://solaris.java.net/license.html> For the code itself, please follow the style guide [3], use unified diffs > (diff -u) and break patches into small, discrete pieces. I'd also suggest > opening a bug at bugzilla.mindrot.org to track the work and attach patches > and such.I'll review the style guide. As you may know Solaris has a style guide. This is the first hit google found http://www.cis.upenn.edu/~lee/06cse480/data/cstyle.ms.pdf I'm pretty sure it was also a Usenix paper. I'll open a bug/rfe when I get a little farther along. That probably won't be until 2015. If there's a compelling reason to do so sooner, I could probably squeeze it in.>> "bsm" (Sun's Legacy Basic Security Module prior to Solaris 11) > > Sun's is not the only BSM implementation these days, FreeBSD also has one.Point taken. I'll reword before asking for a patch to be accepted. A number of folk choose to "borrow" the audit stuff Sun did a couple decades ago. MacOS X also seems to be using the BSM style interfaces. I expect imported from FreeBSD. I've not looked closely at Darwin, other than as a MacOS user. (Since 1984 ;-) Thanks and Cheers, Gary..> > [1] > http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/share/misc/license.template?rev=HEAD > [2] http://www.openbsd.org/policy.html > [3] http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man9/style.9 >
On Thu, 4 Dec 2014, Gary Winiger wrote:> The --with-audit=bsm (audit-bsm.c) configuration uses interfaces > that were never officially stable in Solaris. Public support and > documentation has been withdrawn from Solaris 11 for libbsm.That's a pity, because BSM is supported on other operating systems too. This makes it the closest thing to a cross-platform audit API around. It's disappointing and bit strange for Oracle to be going the opposite way now. -d