Merged
1. Core Audit Implementation Changes
File: [audit.c]
Added AIX-Specific Audit Support:
AIX Headers: Added <sys/audit.h> and <usersec.h> for AIX audit subsystem
Enhanced [audit_username()]: Improved logic to handle NULL authctxt cases
AIX Event Names: Added AIX-compliant event names in [audit_event_lookup()]:
SSH_exceedmtrix, SSH_rootdned, SSH_authsuccess, etc.
Standard names for non-AIX: LOGIN_EXCEED_MAXTRIES, AUTH_SUCCESS, etc.
Enhanced [audit_event()] Function:
UID Tracking: Added auth_uid to track authenticating user's UID
AIX UID Retrieval: Uses getuserattr() on AIX, getpwnam() on other systems
Remote IP Handling: Safely handles NULL ssh pointer
Detailed Logging: Logs auth_uid, username, event type, and remote IP
AIX Audit Writing: Calls auditwrite() with proper result codes (0=success, 1=failure)
Error Handling: Proper buffer truncation checks and error logging
Enhanced [audit_session_open()] Function:
AIX-Specific Implementation: Complete audit trail for session opens
Detailed Context: Logs username, tty, hostname, PID, and UID
AIX Audit Integration: Writes to AIX audit subsystem with auditwrite()
Fallback for Non-AIX: Maintains simple debug logging for other platforms
2. Audit Header Changes
File: [audit.h]
Added New Event Types:
SSH_BAD_PCKT, // bad/invalid packet received
SSH_CIPHER_NO_MATCH, // cipher negotiation failed
SSH_SESSION_OPEN, // session opened
These events enable tracking of security-relevant protocol events.
3. Client/Server Separation Solution
File: [audit-stub.c] (NEW FILE)
Purpose: Provides no-op stub implementations of all audit functions for client binaries.
Key Design:
Conditional Compilation: Uses #ifndef CUSTOM_SSH_AUDIT_EVENTS
Complete Stub Set: All 6 audit functions stubbed:
S_PASSWD_READ root OK Tue Feb 03 11:44:53 2026 db2fm Global
audit object read event detected /etc/security/passwd
S_PASSWD_READ root OK Tue Feb 03 11:44:53 2026 db2fm Global
audit object read event detected /etc/security/passwd
SSH_connabndn root OK Tue Feb 03 11:44:57 2026 sshd-session Global
audit event euid 0 user root event 12 (SSH_connabndn) remote ip XX.XX.XX.XX) ---------------> here
S_PASSWD_READ root OK Tue Feb 03 11:45:00 2026 cron Global
audit object read event detected /etc/security/passwd
S_PASSWD_READ root OK Tue Feb 03 11:45:00 2026 cron Global
audit object read event detected /etc/security/passwd
S_PASSWD_READ root OK Tue Feb 03 11:45:04 2026 db2fm Global
audit object read event detected /etc/security/passwd
S_PASSWD_READ root OK Tue Feb 03 11:45:04 2026 db2fm Global
audit object read event detected /etc/security/passwd
S_PASSWD_READ root OK Tue Feb 03 11:45:05 2026 sshd-session Global
audit object read event detected /etc/security/passwd
S_PASSWD_READ root OK Tue Feb 03 11:45:05 2026 sshd-session Global
audit object read event detected /etc/security/passwd
SSH_authsuccess root OK Tue Feb 03 11:45:05 2026 sshd-session Global -----------------> here
audit event euid 0 user root event 2 (SSH_authsuccess) remote ip (XX.XX.XX.XX)
S_PASSWD_READ root OK Tue Feb 03 11:45:14 2026 db2fm Global
..
..
SSH_sessionopn root OK Thu Feb 05 03:59:36 2026 sshd-session Global
audit session open auth_uid 0 user root tty /dev/pts/4 hostname XX.XX.XX.XX pid 16384454
..
..
SSH_badpckt root FAIL Thu Feb 05 05:04:37 2026 sshd-auth Global
audit event for user (unknown user) event 13 (SSH_badpckt) remote ip (XX.XX.XX.XX)
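As an added example (not part of this PR or of OpenSSH), a small parser for the AIX audit-report records shown above (auditpr-style output): it pairs each header line with its detail line, keeps the SSH_* events the PR introduces, and flags the ones a defender would route to alerting. The sample records are constructed from the lines above, with RFC 5737 documentation addresses standing in for the masked IPs; it also tolerates the unbalanced parenthesis in the SSH_connabndn remote-ip line.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the audit records in the PR above.
# IPs are RFC 5737 documentation addresses, not real hosts.
SAMPLE = """\
S_PASSWD_READ root OK Tue Feb 03 11:45:05 2026 sshd-session Global
audit object read event detected /etc/security/passwd
SSH_connabndn root OK Tue Feb 03 11:44:57 2026 sshd-session Global
audit event euid 0 user root event 12 (SSH_connabndn) remote ip 192.0.2.10)
SSH_authsuccess root OK Tue Feb 03 11:45:05 2026 sshd-session Global -----------------> here
audit event euid 0 user root event 2 (SSH_authsuccess) remote ip (192.0.2.10)
..
SSH_sessionopn root OK Thu Feb 05 03:59:36 2026 sshd-session Global
audit session open auth_uid 0 user root tty /dev/pts/4 hostname 192.0.2.10 pid 16384454
SSH_badpckt root FAIL Thu Feb 05 05:04:37 2026 sshd-auth Global
audit event for user (unknown user) event 13 (SSH_badpckt) remote ip (198.51.100.7)
"""

@dataclass
class AuditRecord:
    event: str
    login: str
    status: str
    timestamp: str
    command: str
    detail: str = ""
    remote_ip: Optional[str] = None

# header: event login OK|FAIL <5-token timestamp> command wpar [annotation...]
HEADER = re.compile(r"^(\S+)\s+(\S+)\s+(OK|FAIL)\s+(\S+ \S+ \S+ \S+ \S+)\s+(\S+)\s+\S+")
# the PR's output prints the IP with or without balanced parentheses
REMOTE_IP = re.compile(r"remote ip \(?([0-9A-Fa-f.:]+)\)?")

def parse_audit(text: str) -> List[AuditRecord]:
    """Pair each header line with the 'audit ...' detail line that follows it."""
    records: List[AuditRecord] = []
    for line in text.splitlines():
        if line.startswith("audit ") and records:
            rec = records[-1]
            rec.detail = line.strip()
            m = REMOTE_IP.search(line)
            if m:
                rec.remote_ip = m.group(1)
            continue
        m = HEADER.match(line)
        if m:
            records.append(AuditRecord(*m.groups()))
    return records

def ssh_events(text: str) -> List[AuditRecord]:
    """Only the sshd-generated events added by the PR (SSH_* names)."""
    return [r for r in parse_audit(text) if r.event.startswith("SSH_")]

def failed_or_unknown_user(text: str) -> List[AuditRecord]:
    """Events worth alerting on: FAIL status or no authenticated user."""
    return [r for r in ssh_events(text)
            if r.status == "FAIL" or "(unknown user)" in r.detail]
```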