
Bug#797727: openssh should be built with audit support on Linux



Package: openssh
Version: 1:6.9p1-1
Severity: normal
Tags: patch
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu wily ubuntu-patch

Dear Maintainer,

We've received a couple of bugs in Ubuntu regarding the lack of
Linux Audit login event support:

  https://launchpad.net/bugs/1319278
  https://launchpad.net/bugs/1478087

The aulast and aureport tools do not work for sshd logins because
openssh is not built with audit support. This means that
AUDIT_USER_LOGIN events aren't logged by sshd so the Linux Audit tools
do not find login information in the audit log.

I've performed a test build of openssh, built with --with-audit=linux,
and verified that AUDIT_USER_LOGIN events are correctly logged:

  type=USER_LOGIN msg=audit(1441160388.221:321): pid=5751 uid=0 auid=1000 ses=11 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.1.8.1 addr=10.1.8.1 terminal=/dev/pts/7 res=success'

The aulast tool works as expected using the test openssh build:

  $ sudo aulast
  tyhicks  pts/7        10.1.8.1         Tue Sep  1 21:19   still logged in

I've attached a patch containing the simple changes needed to enable
audit support on Linux.

Thanks for considering the patch.

-- System Information:
Debian Release: jessie/sid
  APT prefers vivid-updates
  APT policy: (500, 'vivid-updates'), (500, 'vivid-security'), (500, 'vivid')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.19.0-26-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru openssh-6.9p1/debian/changelog openssh-6.9p1/debian/changelog
diff -Nru openssh-6.9p1/debian/control openssh-6.9p1/debian/control
--- openssh-6.9p1/debian/control	2015-08-20 04:34:45.000000000 -0500
+++ openssh-6.9p1/debian/control	2015-09-01 21:08:53.000000000 -0500
@@ -2,7 +2,7 @@
 Section: net
 Priority: standard
 Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
-Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev (>= 1:1.2.3), libssl-dev (>= 0.9.8g), libpam0g-dev | libpam-dev, libgtk2.0-dev, libedit-dev, debhelper (>= 9~), dh-exec, libselinux1-dev [linux-any], libkrb5-dev | heimdal-dev, dpkg-dev (>= 1.16.1~), libck-connector-dev, dh-autoreconf, autotools-dev, dh-systemd (>= 1.4)
+Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev (>= 1:1.2.3), libssl-dev (>= 0.9.8g), libpam0g-dev | libpam-dev, libgtk2.0-dev, libedit-dev, debhelper (>= 9~), dh-exec, libselinux1-dev [linux-any], libkrb5-dev | heimdal-dev, dpkg-dev (>= 1.16.1~), libck-connector-dev, dh-autoreconf, autotools-dev, dh-systemd (>= 1.4), libaudit-dev
 XS-Testsuite: autopkgtest
 Standards-Version: 3.9.6
 Uploaders: Colin Watson <cjwatson@debian.org>, Matthew Vernon <matthew@debian.org>
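Review bot: the new libaudit-dev entry at the end of Build-Depends has no architecture qualifier, while libselinux1-dev on the same line is restricted with [linux-any] and the matching configure flag in debian/rules is only added when DEB_HOST_ARCH_OS is linux. As written, the build dependency is also required on non-Linux ports, where the audit flag is never passed. Suggest "libaudit-dev [linux-any]" so the dependency and the flag are scoped the same way.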
diff -Nru openssh-6.9p1/debian/rules openssh-6.9p1/debian/rules
--- openssh-6.9p1/debian/rules	2015-08-20 04:34:45.000000000 -0500
+++ openssh-6.9p1/debian/rules	2015-08-31 17:12:30.000000000 -0500
@@ -91,6 +91,7 @@
 confflags += --with-ssl-engine
 ifeq ($(DEB_HOST_ARCH_OS),linux)
 confflags += --with-selinux
+confflags += --with-audit=linux
 endif
 ifeq ($(DISTRIBUTOR),Ubuntu)
 confflags += --with-consolekit
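Review bot: the added "confflags += --with-audit=linux" line arrives without any documentation; the "diff -Nru openssh-6.9p1/debian/changelog" header at the top of the patch carries no hunk, so no changelog entry records the new flag or the new build dependency. Suggest adding a changelog line that names --with-audit=linux and libaudit-dev and closes this bug. Placing the flag next to --with-selinux inside the linux conditional looks right.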

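An added example, not part of the original report or of the OpenSSH packaging: a small Python parser for the USER_LOGIN record format quoted in the report, usable to check that an audit-enabled sshd build is emitting login events. The first sample line is the record from the report; the other two sample lines and all function names are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Line 1 is the record quoted in the report; lines 2-3 are constructed samples.
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1441160388.221:321): pid=5751 uid=0 auid=1000 ses=11 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.1.8.1 addr=10.1.8.1 terminal=/dev/pts/7 res=success'
type=USER_LOGIN msg=audit(1441160401.007:330): pid=5790 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.44 terminal=ssh res=failed'
type=USER_START msg=audit(1441160388.230:322): pid=5751 uid=0 auid=1000 ses=11 msg='op=PAM:session_open acct="tyhicks" exe="/usr/sbin/sshd" hostname=10.1.8.1 addr=10.1.8.1 terminal=ssh res=success'
"""

# Record header: type, then audit(<seconds>.<millis>:<serial>), then the fields.
HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\): (.*)$")
# key=value pairs; a value is either "quoted" or a bare token.
PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(text):
    """Turn 'k=v k2="v 2"' into a dict, dropping surrounding double quotes."""
    return {key: value.strip('"') for key, value in PAIR.findall(text)}


def parse_record(line):
    """Parse one audit.log line into a flat dict, or return None if malformed."""
    match = HEADER.match(line.strip())
    if not match:
        return None
    rtype, secs, _millis, serial, rest = match.groups()
    # Kernel-supplied fields come first; the user-space payload sits in msg='...'.
    outer, sep, inner = rest.partition("msg='")
    fields = parse_fields(outer)
    if sep:
        fields.update(parse_fields(inner.rstrip("'")))
    fields.update(type=rtype, serial=int(serial),
                  time=datetime.fromtimestamp(int(secs), tz=timezone.utc))
    return fields


def sshd_logins(log_text, exe="/usr/sbin/sshd"):
    """Return the USER_LOGIN records written by sshd, successes and failures."""
    records = (parse_record(line) for line in log_text.splitlines())
    return [r for r in records
            if r and r["type"] == "USER_LOGIN" and r.get("exe") == exe]


if __name__ == "__main__":
    for rec in sshd_logins(SAMPLE_LOG):
        print(rec["time"].isoformat(), rec["auid"], rec["addr"], rec["terminal"], rec["res"])
```

An empty result from sshd_logins() on a host with recent SSH sessions is the symptom the report describes: sshd built without audit support writes no USER_LOGIN records.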