#

# Add Solaris Auditing configuration (--with-audit=solaris) to openssh-6.5p1.

#

# Add phase 1 Solaris Auditing of sshd login/logout to openssh-6.5p1.

#

# Additional Solaris Auditing should include audit of password

#  change.

# Presuming it is appropriate, this patch should/will be updated

#  with additional files and updates to sources/audit-solaris.c 

#

# Code is developed by the Solaris Audit team.

# It should/will likely be contributed up stream when done.

# This patch relies on sources/audit-solaris.c being copied into

#  the openssh source directory by the Makefile that configures

#  using --with-audit=solaris.

#

# The up stream community has been contacted about the plans.

#  No reply has yet been received.

#

# An additional patch relying on the --with-audit=solaris configuration

#  should/will be created for sftp Solaris Audit and password change.

#

diff -pur old/INSTALL new/INSTALL

--- old/INSTALL

+++ new/INSTALL

@@ -92,9 +92,13 @@ http://www.gnu.org/software/autoconf/

 Basic Security Module (BSM):

-Native BSM support is know to exist in Solaris from at least 2.5.1,

-FreeBSD 6.1 and OS X.  Alternatively, you may use the OpenBSM

-implementation (http://www.openbsm.org).

+Native BSM support is known to exist in Solaris from at least 2.5.1

+to Solaris 10.  From Solaris 11 the previously documented BSM (libbsm)

+interfaces are no longer public and are unsupported.  While not public

+interfaces, audit-solaris.c implements Solaris Audit from Solaris 11.

+Native BSM support is known to exist in FreeBSD 6.1 and OS X.

+Alternatively, you may use the OpenBSM implementation

+(http://www.openbsm.org).

 2. Building / Installation

@@ -147,8 +151,9 @@ name).

 There are a few other options to the configure script:

 --with-audit=[module] enable additional auditing via the specified module.

-Currently, drivers for "debug" (additional info via syslog) and "bsm"

-(Sun's Basic Security Module) are supported.

+Currently, drivers for "debug" (additional info via syslog), and "bsm"

+(Sun's Legacy Basic Security Module prior to Solaris 11), and "solaris"

+(Sun's Audit infrastructure from Solaris 11) are supported.

 --with-pam enables PAM support. If PAM support is compiled in, it must

 also be enabled in sshd_config (refer to the UsePAM directive).

diff -pur old/Makefile.in new/Makefile.in

--- old/Makefile.in

+++ new/Makefile.in

@@ -100,7 +100,7 @@ SSHOBJS= ssh.o readconf.o clientloop.o s

 	roaming_common.o roaming_client.o

 SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \

-	audit.o audit-bsm.o audit-linux.o platform.o \

+	audit.o audit-bsm.o audit-linux.o audit-solaris.o platform.o \

 	sshpty.o sshlogin.o servconf.o serverloop.o \

 	auth.o auth1.o auth2.o auth-options.o session.o \

 	auth-chall.o auth2-chall.o groupaccess.o \

diff -pur old/README.platform new/README.platform

--- old/README.platform

+++ new/README.platform

@@ -68,8 +68,8 @@ zlib-devel and pam-devel, on Debian base

 libssl-dev, libz-dev and libpam-dev.

-Solaris

--------

+Prior to Solaris 11

+-------------------

 If you enable BSM auditing on Solaris, you need to update audit_event(4)

 for praudit(1m) to give sensible output.  The following line needs to be

 added to /etc/security/audit_event:

@@ -82,6 +82,9 @@ There is no official registry of 3rd par

 number is already in use on your system, you may change it at build time

 by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding.

+From Solaris 11

+---------------

+Solaris Audit is supported by configuring --with-audit=solaris.

 Platforms using PAM

 -------------------

diff -pur old/config.h.in new/config.h.in

--- old/config.h.in

+++ new/config.h.in

@@ -1635,6 +1635,9 @@

 /* Use Linux audit module */

 #undef USE_LINUX_AUDIT

+/* Use Solaris audit module */

+#undef USE_SOLARIS_AUDIT

+

 /* Enable OpenSSL engine support */

 #undef USE_OPENSSL_ENGINE

diff -pur old/configure.ac new/configure.ac

--- old/configure.ac

+++ new/configure.ac

@@ -1517,10 +1517,21 @@ AC_ARG_WITH([libedit],

 AUDIT_MODULE=none

 AC_ARG_WITH([audit],

-	[  --with-audit=module     Enable audit support (modules=debug,bsm,linux)],

+	[  --with-audit=module     Enable audit support (modules=debug,bsm,linux,solaris)],

 	[

 	  AC_MSG_CHECKING([for supported audit module])

 	  case "$withval" in

+	  solaris)

+		AC_MSG_RESULT([solaris])

+		AUDIT_MODULE=solaris

+		dnl    Checks for headers, libs and functions

+		AC_CHECK_HEADERS([bsm/adt.h], [],

+		    [AC_MSG_ERROR([Solaris Audit enabled and bsm/adt.h not found])],

+		    []

+		)

+		SSHDLIBS="$SSHDLIBS -lbsm"

+		AC_DEFINE([USE_SOLARIS_AUDIT], [1], [Use Solaris audit module])

+		;;

 	  bsm)

 		AC_MSG_RESULT([bsm])

 		AUDIT_MODULE=bsm

diff -pur old/defines.h new/defines.h

--- old/defines.h

+++ new/defines.h

@@ -635,6 +635,11 @@ struct winsize {

 # define CUSTOM_SSH_AUDIT_EVENTS

 #endif

+#ifdef USE_SOLARIS_AUDIT

+# define SSH_AUDIT_EVENTS

+# define CUSTOM_SSH_AUDIT_EVENTS

+#endif

+

 #if !defined(HAVE___func__) && defined(HAVE___FUNCTION__)

 #  define __func__ __FUNCTION__

 #elif !defined(HAVE___func__)

diff -pur old/sshd.c new/sshd.c

--- old/sshd.c

+++ new/sshd.c

@@ -2234,7 +2234,9 @@ main(int ac, char **av)

 	}

 #ifdef SSH_AUDIT_EVENTS

+#ifndef	USE_SOLARIS_AUDIT

 	audit_event(SSH_AUTH_SUCCESS);

+#endif	/* !USE_SOLARIS_AUDIT */

 #endif

 #ifdef GSSAPI

@@ -2264,6 +2266,10 @@ main(int ac, char **av)

 		do_pam_session();

 	}

 #endif

+#ifdef	USE_SOLARIS_AUDIT

+	/* Audit should take place after all successful pam */

+	audit_event(SSH_AUTH_SUCCESS);

+#endif	/* USE_SOLARIS_AUDIT */

 	/*

 	 * In privilege separation, we fork another child and prepare