openssh/patches/022-solaris_audit.patch

#
# Add Solaris Auditing configuration (--with-audit=solaris) to openssh-6.5p1.
#
# Add phase 1 Solaris Auditing of sshd login/logout to openssh-6.5p1.
#
# Additional Solaris Auditing should include audit of password
#  change.
# Presuming it is appropriate, this patch should/will be updated
#  with additional files and updates to sources/audit-solaris.c
#
# Code is developed by the Solaris Audit team.
# It should/will likely be contributed up stream when done.
# This patch relies on sources/audit-solaris.c being copied into
#  the openssh source directory by the Makefile that configures
#  using --with-audit=solaris.
#
# The up stream community has been contacted about the plans.
#  No reply has yet been received.
#
# An additional patch relying on the --with-audit=solaris configuration
#  should/will be created for sftp Solaris Audit and password change.
#
diff -pur old/INSTALL new/INSTALL
--- old/INSTALL
+++ new/INSTALL
@@ -92,9 +92,13 @@ http://www.gnu.org/software/autoconf/

 Basic Security Module (BSM):

-Native BSM support is know to exist in Solaris from at least 2.5.1,
-FreeBSD 6.1 and OS X.  Alternatively, you may use the OpenBSM
-implementation (http://www.openbsm.org).
+Native BSM support is known to exist in Solaris from at least 2.5.1
+to Solaris 10.  From Solaris 11 the previously documented BSM (libbsm)
+interfaces are no longer public and are unsupported.  While not public
+interfaces, audit-solaris.c implements Solaris Audit from Solaris 11.
+Native BSM support is known to exist in FreeBSD 6.1 and OS X.
+Alternatively, you may use the OpenBSM implementation
+(http://www.openbsm.org).


 2. Building / Installation
@@ -147,8 +151,9 @@ name).
 There are a few other options to the configure script:

 --with-audit=[module] enable additional auditing via the specified module.
-Currently, drivers for "debug" (additional info via syslog) and "bsm"
-(Sun's Basic Security Module) are supported.
+Currently, drivers for "debug" (additional info via syslog), and "bsm"
+(Sun's Legacy Basic Security Module prior to Solaris 11), and "solaris"
+(Sun's Audit infrastructure from Solaris 11) are supported.

 --with-pam enables PAM support. If PAM support is compiled in, it must
 also be enabled in sshd_config (refer to the UsePAM directive).
diff -pur old/Makefile.in new/Makefile.in
--- old/Makefile.in
+++ new/Makefile.in
@@ -100,7 +100,7 @@ SSHOBJS= ssh.o readconf.o clientloop.o s
    roaming_common.o roaming_client.o

 SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
-   audit.o audit-bsm.o audit-linux.o platform.o \
+   audit.o audit-bsm.o audit-linux.o audit-solaris.o platform.o \
    sshpty.o sshlogin.o servconf.o serverloop.o \
    auth.o auth1.o auth2.o auth-options.o session.o \
    auth-chall.o auth2-chall.o groupaccess.o \
diff -pur old/README.platform new/README.platform
--- old/README.platform
+++ new/README.platform
@@ -68,8 +68,8 @@ zlib-devel and pam-devel, on Debian base
 libssl-dev, libz-dev and libpam-dev.


-Solaris
--------
+Prior to Solaris 11
+-------------------
 If you enable BSM auditing on Solaris, you need to update audit_event(4)
 for praudit(1m) to give sensible output.  The following line needs to be
 added to /etc/security/audit_event:
@@ -82,6 +82,9 @@ There is no official registry of 3rd par
 number is already in use on your system, you may change it at build time
 by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding.

+From Solaris 11
+---------------
+Solaris Audit is supported by configuring --with-audit=solaris.

 Platforms using PAM
 -------------------
diff -pur old/config.h.in new/config.h.in
--- old/config.h.in
+++ new/config.h.in
@@ -1635,6 +1635,9 @@
 /* Use Linux audit module */
 #undef USE_LINUX_AUDIT

+/* Use Solaris audit module */
+#undef USE_SOLARIS_AUDIT
+
 /* Enable OpenSSL engine support */
 #undef USE_OPENSSL_ENGINE

diff -pur old/configure.ac new/configure.ac
--- old/configure.ac
+++ new/configure.ac
@@ -1517,10 +1517,21 @@ AC_ARG_WITH([libedit],

 AUDIT_MODULE=none
 AC_ARG_WITH([audit],
-   [  --with-audit=module     Enable audit support (modules=debug,bsm,linux)],
+   [  --with-audit=module     Enable audit support (modules=debug,bsm,linux,solaris)],
    [
      AC_MSG_CHECKING([for supported audit module])
      case "$withval" in
+     solaris)
+       AC_MSG_RESULT([solaris])
+       AUDIT_MODULE=solaris
+       dnl    Checks for headers, libs and functions
+       AC_CHECK_HEADERS([bsm/adt.h], [],
+           [AC_MSG_ERROR([Solaris Audit enabled and bsm/adt.h not found])],
+           []
+       )
+       SSHDLIBS="$SSHDLIBS -lbsm"
+       AC_DEFINE([USE_SOLARIS_AUDIT], [1], [Use Solaris audit module])
+       ;;
      bsm)
        AC_MSG_RESULT([bsm])
        AUDIT_MODULE=bsm
diff -pur old/defines.h new/defines.h
--- old/defines.h
+++ new/defines.h
@@ -635,6 +635,11 @@ struct winsize {
 # define CUSTOM_SSH_AUDIT_EVENTS
 #endif

+#ifdef USE_SOLARIS_AUDIT
+# define SSH_AUDIT_EVENTS
+# define CUSTOM_SSH_AUDIT_EVENTS
+#endif
+
 #if !defined(HAVE___func__) && defined(HAVE___FUNCTION__)
 #  define __func__ __FUNCTION__
 #elif !defined(HAVE___func__)
diff -pur old/sshd.c new/sshd.c
--- old/sshd.c
+++ new/sshd.c
@@ -2234,7 +2234,9 @@ main(int ac, char **av)
    }

 #ifdef SSH_AUDIT_EVENTS
+#ifndef    USE_SOLARIS_AUDIT
    audit_event(SSH_AUTH_SUCCESS);
+#endif /* !USE_SOLARIS_AUDIT */
 #endif

 #ifdef GSSAPI
@@ -2264,6 +2266,10 @@ main(int ac, char **av)
        do_pam_session();
    }
 #endif
+#ifdef USE_SOLARIS_AUDIT
+   /* Audit should take place after all successful pam */
+   audit_event(SSH_AUTH_SUCCESS);
+#endif /* USE_SOLARIS_AUDIT */

    /*
     * In privilege separation, we fork another child and prepare