- (dtucker) [audit-bsm.c configure.ac] bug #1968: enable workarounds for BSM
audit breakage in Solaris 11. Patch from Magnus Johansson.
This commit is contained in:
parent
a3f297de91
commit
93a2d41505
|
@ -1,3 +1,7 @@
|
|||
20120224
|
||||
- (dtucker) [audit-bsm.c configure.ac] bug #1968: enable workarounds for BSM
|
||||
audit breakage in Solaris 11. Patch from Magnus Johansson.
|
||||
|
||||
20120215
|
||||
- (tim) [openbsd-compat/bsd-misc.h sshd.c] Fix conflicting return type for
|
||||
unsetenv due to rev 1.14 change to setenv.c. Cast unsetenv to void in sshd.c
|
||||
|
|
79
audit-bsm.c
79
audit-bsm.c
|
@ -1,4 +1,4 @@
|
|||
/* $Id: audit-bsm.c,v 1.7 2011/01/17 10:15:29 dtucker Exp $ */
|
||||
/* $Id: audit-bsm.c,v 1.8 2012/02/23 23:40:43 dtucker Exp $ */
|
||||
|
||||
/*
|
||||
* TODO
|
||||
|
@ -45,6 +45,10 @@
|
|||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#ifdef BROKEN_BSM_API
|
||||
#include <libscf.h>
|
||||
#endif
|
||||
|
||||
#include "ssh.h"
|
||||
#include "log.h"
|
||||
#include "key.h"
|
||||
|
@ -114,6 +118,12 @@ extern int aug_daemon_session(void);
|
|||
extern Authctxt *the_authctxt;
|
||||
static AuditInfoTermID ssh_bsm_tid;
|
||||
|
||||
#ifdef BROKEN_BSM_API
|
||||
/* For some reason this constant is no longer defined
|
||||
in Solaris 11. */
|
||||
#define BSM_TEXTBUFSZ 256
|
||||
#endif
|
||||
|
||||
/* Below is the low-level BSM interface code */
|
||||
|
||||
/*
|
||||
|
@ -161,6 +171,65 @@ aug_get_machine(char *host, u_int32_t *addr, u_int32_t *type)
|
|||
}
|
||||
#endif
|
||||
|
||||
#ifdef BROKEN_BSM_API
|
||||
/*
|
||||
In Solaris 11 the audit daemon has been moved to SMF. In the process
|
||||
they simply dropped getacna() from the API, since it read from a now
|
||||
non-existent config file. This function re-implements getacna() to
|
||||
read from the SMF repository instead.
|
||||
*/
|
||||
int
|
||||
getacna(char *auditstring, int len)
|
||||
{
|
||||
scf_handle_t *handle = NULL;
|
||||
scf_property_t *property = NULL;
|
||||
scf_value_t *value = NULL;
|
||||
int ret = 0;
|
||||
|
||||
handle = scf_handle_create(SCF_VERSION);
|
||||
if (handle == NULL)
|
||||
return -2; /* The man page for getacna on Solaris 10 states
|
||||
we should return -2 in case of error and set
|
||||
errno to indicate the error. We don't bother
|
||||
with errno here, though, since the only use
|
||||
of this function below doesn't check for errors
|
||||
anyway.
|
||||
*/
|
||||
|
||||
ret = scf_handle_bind(handle);
|
||||
if (ret == -1)
|
||||
return -2;
|
||||
|
||||
property = scf_property_create(handle);
|
||||
if (property == NULL)
|
||||
return -2;
|
||||
|
||||
ret = scf_handle_decode_fmri(handle,
|
||||
"svc:/system/auditd:default/:properties/preselection/naflags",
|
||||
NULL, NULL, NULL, NULL, property, 0);
|
||||
if (ret == -1)
|
||||
return -2;
|
||||
|
||||
value = scf_value_create(handle);
|
||||
if (value == NULL)
|
||||
return -2;
|
||||
|
||||
ret = scf_property_get_value(property, value);
|
||||
if (ret == -1)
|
||||
return -2;
|
||||
|
||||
ret = scf_value_get_astring(value, auditstring, len);
|
||||
if (ret == -1)
|
||||
return -2;
|
||||
|
||||
scf_value_destroy(value);
|
||||
scf_property_destroy(property);
|
||||
scf_handle_destroy(handle);
|
||||
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Check if the specified event is selected (enabled) for auditing.
|
||||
* Returns 1 if the event is selected, 0 if not and -1 on failure.
|
||||
|
@ -213,7 +282,15 @@ bsm_audit_record(int typ, char *string, au_event_t event_no)
|
|||
(void) au_write(ad, au_to_text(string));
|
||||
(void) au_write(ad, AUToReturnFunc(typ, rc));
|
||||
|
||||
#ifdef BROKEN_BSM_API
|
||||
/* The last argument is the event modifier flags. For
|
||||
some seemingly undocumented reason it was added in
|
||||
Solaris 11. */
|
||||
rc = au_close(ad, AU_TO_WRITE, event_no, 0);
|
||||
#else
|
||||
rc = au_close(ad, AU_TO_WRITE, event_no);
|
||||
#endif
|
||||
|
||||
if (rc < 0)
|
||||
error("BSM audit: %s failed to write \"%s\" record: %s",
|
||||
__func__, string, strerror(errno));
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# $Id: configure.ac,v 1.486 2012/01/17 03:03:37 dtucker Exp $
|
||||
# $Id: configure.ac,v 1.487 2012/02/23 23:40:43 dtucker Exp $
|
||||
#
|
||||
# Copyright (c) 1999-2004 Damien Miller
|
||||
#
|
||||
|
@ -15,7 +15,7 @@
|
|||
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
|
||||
AC_REVISION($Revision: 1.486 $)
|
||||
AC_REVISION($Revision: 1.487 $)
|
||||
AC_CONFIG_SRCDIR([ssh.c])
|
||||
AC_LANG([C])
|
||||
|
||||
|
@ -1434,6 +1434,11 @@ AC_ARG_WITH([audit],
|
|||
# These are optional
|
||||
AC_CHECK_FUNCS([getaudit_addr aug_get_machine])
|
||||
AC_DEFINE([USE_BSM_AUDIT], [1], [Use BSM audit module])
|
||||
if test "$sol2ver" -eq 11; then
|
||||
SSHDLIBS="$SSHDLIBS -lscf"
|
||||
AC_DEFINE([BROKEN_BSM_API], [1],
|
||||
[The system has incomplete BSM API])
|
||||
fi
|
||||
;;
|
||||
linux)
|
||||
AC_MSG_RESULT([linux])
|
||||
|
|
Loading…
Reference in New Issue