Adding Solaris Audit to sshd (and sftp-server)

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



Hi Damien,

I'm working with the Solaris team that is integrating openssh
into upcoming Solaris releases.  I'm looking for advice from the
upstream community.  You were suggested for that advice.  If
there are other mailing lists you'd like me to ask, I'm happy
to do so, or if you'd like to forward, please feel free to do so.

The --with-audit=bsm (audit-bsm.c) configuration uses interfaces
that were never officially stable in Solaris.  Public support and
documentation has been withdrawn from Solaris 11 for libbsm.
The various interfaces can and have both changed incompatibly and
been withdrawn.  While it isn't publically documented, a new
Solaris Audit interface has been created.  For various build related
reasons libbsm has been retained and contains the interface for use
from Solaris 11 (parts of it were there from Solaris 9).

I'm partially done with a Skunk works project that when finished
is expected to be contributed upstream.

My current prototype adds configuration --with-audit=solaris,
which defines USE_SOLARIS_AUDIT and adds an audit-solaris.c file.
The plan is for similar style changes to add auditing to
sftp-server as well as extend to my current prototype to have
parity with the SunSSH implementation.

Does such configuration seem acceptable?

The Solaris openssh team hasn't been using autoconf, and has
been changing configure, config.h.in, Makefile.in by patches.
For illustrative purposes I've updated configure.ac.  I also have
suggested wording for ChangeLog, INSTALL, README.platform.

Thank you for your consideration and advice.

Cheers,
Gary..

configure.ac
============
  AUDIT_MODULE=none
  AC_ARG_WITH([audit],
! [ --with-audit=module Enable audit support (modules=debug,bsm,linux,solaris)],

+         solaris)
+               AC_MSG_RESULT([solaris])
+               AUDIT_MODULE=solaris
+               dnl    Checks for headers, libs and functions
+               AC_CHECK_HEADERS([bsm/adt.h], [],
+ [AC_MSG_ERROR([Solaris Audit enabled and bsm/adt.h not found])],
+               SSHDLIBS="$SSHDLIBS -lbsm"
+ AC_DEFINE([USE_SOLARIS_AUDIT], [1], [Use Solaris audit module])
+               ;;

ChangeLog
=========
+ - (gww) The BSM (bsm) interfaces are obsolete and internal from Solaris 11. + The previously documented interfaces may change or be removed at any time.
+   From Solaris 11, the --with-audit=solaris option should be used.

INSTALL
=======
  There are a few other options to the configure script:

--with-audit=[module] enable additional auditing via the specified module.
! Currently, drivers for "debug" (additional info via syslog), and "bsm"
! (Sun's Legacy Basic Security Module prior to Solaris 11), and "solaris"
! (Sun's Audit infrastructure from Solaris 11) are supported.

README.platform
===============
! Solaris
! -------

! Prior to Solaris 11
! -------------------
If you enable BSM auditing on Solaris, you need to update audit_event(4)
for praudit(1m) to give sensible output.  The following line needs to be
added to /etc/security/audit_event:

        32800:AUE_openssh:OpenSSH login:lo

The BSM audit event range available for third party TCB applications is
32768 - 65535.  Event number 32800 has been choosen for AUE_openssh.
There is no official registry of 3rd party event numbers, so if this
number is already in use on your system, you may change it at build time
by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding.

From Solaris 11
---------------
Solaris Audit is supported by configuring --with-audit=solaris.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev




[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux