|
1 # |
|
2 # Add Solaris Auditing configuration (--with-audit=solaris) to openssh-6.5p1. |
|
3 # |
|
4 # Add phase 1 Solaris Auditing of sshd login/logout to openssh-6.5p1. |
|
5 # |
|
6 # Additional Solaris Auditing should include audit of password |
|
7 # change. |
|
8 # Presuming it is appropriate, this patch should/will be updated |
|
9 # with additional files and updates to sources/audit-solaris.c |
|
10 # |
|
11 # Code is developed by the Solaris Audit team. |
|
12 # It should/will likely be contributed upstream when done. |
|
13 # This patch relies on sources/audit-solaris.c being copied into |
|
14 # the openssh source directory by the Makefile that configures |
|
15 # using --with-audit=solaris. |
|
16 # |
|
17 # The up stream community has been contacted about the plans. |
|
18 # No reply has yet been received. |
|
19 # |
|
20 # An additional patch relying on the --with-audit=solaris configuration |
|
21 # should/will be created for sftp Solaris Audit and password change. |
|
22 # |
|
23 --- orig/config.h.in 2014-11-05 13:11:59.968745838 -0800 |
|
24 +++ new/config.h.in 2014-10-13 14:00:31.117475979 -0700 |
|
25 @@ -1628,6 +1628,9 @@ |
|
26 /* Use Linux audit module */ |
|
27 #undef USE_LINUX_AUDIT |
|
28 |
|
29 +/* Use Solaris audit module */ |
|
30 +#undef USE_SOLARIS_AUDIT |
|
31 + |
|
32 /* Enable OpenSSL engine support */ |
|
33 #undef USE_OPENSSL_ENGINE |
|
34 |
|
35 --- orig/configure 2014-11-05 13:11:59.971959419 -0800 |
|
36 +++ new/configure 2014-12-04 08:43:59.945675841 -0800 |
|
37 @@ -1420,7 +1420,7 @@ |
|
38 --with-tcp-wrappers[=PATH] Enable tcpwrappers support (optionally in PATH) |
|
39 --with-ldns[=PATH] Use ldns for DNSSEC support (optionally in PATH) |
|
40 --with-libedit[=PATH] Enable libedit support for sftp |
|
41 - --with-audit=module Enable audit support (modules=debug,bsm,linux) |
|
42 + --with-audit=module Enable audit support (modules=debug,bsm,linux,solaris) |
|
43 --with-pie Build Position Independent Executables if possible |
|
44 --with-ssl-dir=PATH Specify path to OpenSSL installation |
|
45 --without-openssl-header-check Disable OpenSSL version consistency check |
|
46 @@ -10185,6 +10185,27 @@ |
|
47 $as_echo "#define USE_LINUX_AUDIT 1" >>confdefs.h |
|
48 |
|
49 ;; |
|
50 + solaris) |
|
51 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: solaris" >&5 |
|
52 +$as_echo "solaris" >&6; } |
|
53 + AUDIT_MODULE=solaris |
|
54 + for ac_header in bsm/adt.h |
|
55 +do : |
|
56 + ac_fn_c_check_header_compile "$LINENO" "bsm/adt.h" "ac_cv_header_bsm_adt_h" "" |
|
57 +if test "x$ac_cv_header_bsm_adt_h" = xyes; then : |
|
58 + cat >>confdefs.h <<_ACEOF |
|
59 +#define HAVE_ADT_H 1 |
|
60 +_ACEOF |
|
61 + |
|
62 +else |
|
63 + as_fn_error $? "Solaris Audit enabled and bsm/adt.h not found" "$LINENO" 5 |
|
64 +fi |
|
65 + |
|
66 +done |
|
67 + |
|
68 + SSHDLIBS="$SSHDLIBS -lbsm" |
|
69 +$as_echo "#define USE_SOLARIS_AUDIT 1" >>confdefs.h |
|
70 + ;; |
|
71 debug) |
|
72 AUDIT_MODULE=debug |
|
73 { $as_echo "$as_me:${as_lineno-$LINENO}: result: debug" >&5 |
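Review bot: The solaris case only compile-checks `bsm/adt.h` (`ac_fn_c_check_header_compile`) and then appends `-lbsm` to SSHDLIBS without ever probing that the library links, so a host with the header but no usable libbsm passes configure and fails at sshd link time instead of failing closed the way the `as_fn_error` on the missing header does; a link probe for one of the adt entry points audit-solaris.c actually calls, erroring out like the header check, would close that gap. The define `HAVE_ADT_H` also diverges from the name autoconf derives for a `bsm/adt.h` probe (`HAVE_BSM_ADT_H`, matching the cache variable `ac_cv_header_bsm_adt_h` used two lines above), which any code written against the conventional name will not see. This hunk also patches the generated `configure` directly and no `configure.ac` hunk appears in this chunk; if there is none, the solaris case is lost on the next `autoreconf`.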
|
74 --- orig/defines.h 2014-01-17 05:12:38.000000000 -0800 |
|
75 +++ new/defines.h 2014-09-12 10:09:27.000000000 -0700 |
|
76 @@ -622,6 +622,11 @@ |
|
77 # define CUSTOM_SSH_AUDIT_EVENTS |
|
78 #endif |
|
79 |
|
80 +#ifdef USE_SOLARIS_AUDIT |
|
81 +# define SSH_AUDIT_EVENTS |
|
82 +# define CUSTOM_SSH_AUDIT_EVENTS |
|
83 +#endif |
|
84 + |
|
85 #if !defined(HAVE___func__) && defined(HAVE___FUNCTION__) |
|
86 # define __func__ __FUNCTION__ |
|
87 #elif !defined(HAVE___func__) |
|
88 --- orig/INSTALL 2013-03-06 17:33:35.000000000 -0800 |
|
89 +++ new/INSTALL 2014-12-04 08:41:24.369920230 -0800 |
|
90 @@ -97,9 +97,13 @@ |
|
91 |
|
92 Basic Security Module (BSM): |
|
93 |
|
94 -Native BSM support is know to exist in Solaris from at least 2.5.1, |
|
95 -FreeBSD 6.1 and OS X. Alternatively, you may use the OpenBSM |
|
96 -implementation (http://www.openbsm.org). |
|
97 +Native BSM support is known to exist in Solaris from at least 2.5.1 |
|
98 +to Solaris 10. From Solaris 11 the previously documented BSM (libbsm) |
|
99 +interfaces are no longer public and are unsupported. While not public |
|
100 +interfaces, audit-solaris.c implements Solaris Audit from Solaris 11. |
|
101 +Native BSM support is known to exist in FreeBSD 6.1 and OS X. |
|
102 +Alternatively, you may use the OpenBSM implementation |
|
103 +(http://www.openbsm.org). |
|
104 |
|
105 |
|
106 2. Building / Installation |
|
107 @@ -152,8 +156,9 @@ |
|
108 There are a few other options to the configure script: |
|
109 |
|
110 --with-audit=[module] enable additional auditing via the specified module. |
|
111 -Currently, drivers for "debug" (additional info via syslog) and "bsm" |
|
112 -(Sun's Basic Security Module) are supported. |
|
113 +Currently, drivers for "debug" (additional info via syslog), and "bsm" |
|
114 +(Sun's Legacy Basic Security Module prior to Solaris 11), and "solaris" |
|
115 +(Sun's Audit infrastructure from Solaris 11) are supported. |
|
116 |
|
117 --with-pam enables PAM support. If PAM support is compiled in, it must |
|
118 also be enabled in sshd_config (refer to the UsePAM directive). |
|
119 --- orig/Makefile.in 2014-11-12 15:18:05.366726810 -0800 |
|
120 +++ new/Makefile.in 2014-11-12 15:22:36.825227512 -0800 |
|
121 @@ -84,7 +84,7 @@ |
|
122 roaming_common.o roaming_client.o |
|
123 |
|
124 SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ |
|
125 - audit.o audit-bsm.o audit-linux.o platform.o \ |
|
126 + audit.o audit-bsm.o audit-linux.o audit-solaris.o platform.o \ |
|
127 sshpty.o sshlogin.o servconf.o serverloop.o \ |
|
128 auth.o auth1.o auth2.o auth-options.o session.o \ |
|
129 auth-chall.o auth2-chall.o groupaccess.o \ |
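Review bot: `audit-solaris.o` is added to SSHDOBJS unconditionally, while the patch header says `audit-solaris.c` is only copied into the tree by the external Makefile that configures `--with-audit=solaris`; for every other configuration of this patched source the object list now names a file that does not exist and the sshd build breaks. Either ship `audit-solaris.c` with the patch and wrap its whole body in `#ifdef USE_SOLARIS_AUDIT` so it compiles to an empty object elsewhere (which is presumably how `audit-bsm.o` and `audit-linux.o` coexist on the same line), or make the object conditional on the selected module. If the file is in fact always present when this patch is applied, a sentence saying so in the patch header would remove the ambiguity.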
|
130 --- orig/README.platform 2009-08-28 16:14:48.000000000 -0700 |
|
131 +++ new/README.platform 2014-09-12 09:45:50.000000000 -0700 |
|
132 @@ -68,8 +68,8 @@ |
|
133 libssl-dev, libz-dev and libpam-dev. |
|
134 |
|
135 |
|
136 -Solaris |
|
137 -------- |
|
138 +Prior to Solaris 11 |
|
139 +------------------- |
|
140 If you enable BSM auditing on Solaris, you need to update audit_event(4) |
|
141 for praudit(1m) to give sensible output. The following line needs to be |
|
142 added to /etc/security/audit_event: |
|
143 @@ -82,6 +82,9 @@ |
|
144 number is already in use on your system, you may change it at build time |
|
145 by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding. |
|
146 |
|
147 +From Solaris 11 |
|
148 +--------------- |
|
149 +Solaris Audit is supported by configuring --with-audit=solaris. |
|
150 |
|
151 Platforms using PAM |
|
152 ------------------- |
|
153 --- orig/sshd.c 2014-11-05 13:11:59.974945893 -0800 |
|
154 +++ new/sshd.c 2014-11-10 13:33:12.279354856 -0800 |
|
155 @@ -2139,7 +2139,9 @@ |
|
156 #endif |
|
157 |
|
158 #ifdef SSH_AUDIT_EVENTS |
|
159 +#ifndef USE_SOLARIS_AUDIT |
|
160 audit_event(SSH_AUTH_SUCCESS); |
|
161 +#endif /* !USE_SOLARIS_AUDIT */ |
|
162 #endif |
|
163 |
|
164 #ifdef GSSAPI |
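Review bot: The new `#ifndef USE_SOLARIS_AUDIT` around `audit_event(SSH_AUTH_SUCCESS)` gives the reader no hint where the Solaris success event is raised instead, so the two sites can drift apart unnoticed; a one-line comment here, e.g. `/* Solaris Audit raises SSH_AUTH_SUCCESS only after PAM session setup, further below */`, ties them together. The enclosing function starts and ends outside this hunk.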
|
165 @@ -2169,6 +2171,10 @@ |
|
166 do_pam_session(); |
|
167 } |
|
168 #endif |
|
169 +#ifdef USE_SOLARIS_AUDIT |
|
170 + /* Audit should take place after all successful pam */ |
|
171 + audit_event(SSH_AUTH_SUCCESS); |
|
172 +#endif /* USE_SOLARIS_AUDIT */ |
|
173 |
|
174 /* |
|
175 * In privilege separation, we fork another child and prepare |
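Review bot: The comment `/* Audit should take place after all successful pam */` on the new `audit_event(SSH_AUTH_SUCCESS)` gives the ordering but not the reason, and the reason is the security-relevant part: anything that `fatal()`s between the original audit point and this one (the GSSAPI credential handling and `do_pam_session()` shown in the context) now exits before any success record is written for an authentication that did succeed, so the audit trail for that login depends entirely on the cleanup/abandon path. Presumably the move is needed because the Solaris audit session context is built from the credentials PAM establishes; if so, state it, e.g. `/* Solaris Audit takes its session context from the PAM-established credentials, so the success event is deferred until do_pam_session() has run. */`, and add a sentence on what is recorded if sshd dies before reaching this line. It is also worth confirming that a non-fatal `pam_open_session` failure inside `do_pam_session()` (if that path merely logs and continues) is meant to be reported here as an unqualified success. The enclosing function continues outside this hunk.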