AIX audit support

[ajaykini]

1. Core Audit Implementation Changes

File: [audit.c]

Added AIX-Specific Audit Support:

AIX Headers: Added <sys/audit.h> and <usersec.h> for AIX audit subsystem
Enhanced [audit_username()]: Improved logic to handle NULL authctxt cases
AIX Event Names: Added AIX-compliant event names in [audit_event_lookup()]:
SSH_exceedmtrix, SSH_rootdned, SSH_authsuccess, etc.
Standard names for non-AIX: LOGIN_EXCEED_MAXTRIES, AUTH_SUCCESS, etc.
Enhanced [audit_event()] Function:

UID Tracking: Added auth_uid to track authenticating user's UID
AIX UID Retrieval: Uses getuserattr() on AIX, getpwnam() on other systems
Remote IP Handling: Safely handles NULL ssh pointer
Detailed Logging: Logs auth_uid, username, event type, and remote IP
AIX Audit Writing: Calls auditwrite() with proper result codes (0=success, 1=failure)
Error Handling: Proper buffer truncation checks and error logging
Enhanced [audit_session_open()] Function:

AIX-Specific Implementation: Complete audit trail for session opens
Detailed Context: Logs username, tty, hostname, PID, and UID
AIX Audit Integration: Writes to AIX audit subsystem with auditwrite()
Fallback for Non-AIX: Maintains simple debug logging for other platforms

2. Audit Header Changes

File: [audit.h]
Added New Event Types:

SSH_BAD_PCKT, // bad/invalid packet received
SSH_CIPHER_NO_MATCH, // cipher negotiation failed
SSH_SESSION_OPEN, // session opened

These events enable tracking
of security-relevant protocol events.

3. Client/Server Separation Solution

File: [audit-stub.c] (NEW FILE)

Purpose:
Provides
no-op
stub implementations
of all audit functions for client binaries.
Key Design:

Conditional Compilation: Uses #ifndef CUSTOM_SSH_AUDIT_EVENTS
Complete Stub Set: All 6 audit functions stubbed:

4. Testing done to check if the audit recrds are getting captured post starting the audit system on AIX:

> tail -f stream.out
event      login  status   time           command             wpar name         
--------------- -------- ----------- ------------------------ ------------------------------- ------------------------- 
S_PASSWD_READ  root   OK     Tue Feb 03 11:44:53 2026 db2fm              Global           
    audit object read event detected /etc/security/passwd
S_PASSWD_READ  root   OK     Tue Feb 03 11:44:53 2026 db2fm              Global           
    audit object read event detected /etc/security/passwd
SSH_connabndn  root   OK     Tue Feb 03 11:44:57 2026 sshd-session          Global           
    audit event euid 0 user root event 12 (SSH_connabndn) remote ip XX.XX.XX.XX)     ---------------> here 
S_PASSWD_READ  root   OK     Tue Feb 03 11:45:00 2026 cron              Global           
    audit object read event detected /etc/security/passwd
S_PASSWD_READ  root   OK     Tue Feb 03 11:45:00 2026 cron              Global           
    audit object read event detected /etc/security/passwd
S_PASSWD_READ  root   OK     Tue Feb 03 11:45:04 2026 db2fm              Global           
    audit object read event detected /etc/security/passwd
S_PASSWD_READ  root   OK     Tue Feb 03 11:45:04 2026 db2fm              Global           
    audit object read event detected /etc/security/passwd
S_PASSWD_READ  root   OK     Tue Feb 03 11:45:05 2026 sshd-session          Global           
    audit object read event detected /etc/security/passwd
S_PASSWD_READ  root   OK     Tue Feb 03 11:45:05 2026 sshd-session          Global           
    audit object read event detected /etc/security/passwd
SSH_authsuccess root   OK     Tue Feb 03 11:45:05 2026 sshd-session          Global      -----------------> here      
    audit event euid 0 user root event 2 (SSH_authsuccess) remote ip (XX.XX.XX.XX)
S_PASSWD_READ  root   OK     Tue Feb 03 11:45:14 2026 db2fm              Global
..
..
SSH_sessionopn  root     OK          Thu Feb 05 03:59:36 2026 sshd-session                    Global     -----------------> here
        audit session open auth_uid 0 user root tty /dev/pts/4 hostname XX.XX.XX.XX pid 16384454     
..
..
SSH_badpckt     root     FAIL        Thu Feb 05 05:04:37 2026 sshd-auth                       Global    -----------------> here 
        audit event for user (unknown user) event 13 (SSH_badpckt) remote ip (XX.XX.XX.XX)

[daztucker]

Please stop creating and immediately closing pull requests. You can update an open PR by updating your fork on GitHub.

[daztucker]

The first problem is that you are sprinkling platform specific code throughout the platform-independent audit.c. you should put the AIX specific stuff into its own file, similar to audit-bsm.c or audit-linux.c

[ajaykini]

The first problem is that you are sprinkling platform specific code throughout the platform-independent audit.c. you should put the AIX specific stuff into its own file, similar to audit-bsm.c or audit-linux.c

so instead of creating a stub what I could have done is create a new file audit-aix.c and have all the audit specific implementation there and receptively make necessary changes in Makefile.in

[daztucker]

so instead of creating a stub what I could have done is create a new file audit-aix.c and have all the audit specific implementation there and receptively make necessary changes in Makefile.in

Yes. audit.c is the stub (plus some helper functions). Platforms specific code goes into its own file.

[daztucker]

It's very difficult to follow what you are changing with all of the commits on top of commits.
Please remove all of the superfluous changes and rebase it onto master and I'll take another look at it.

[ajaykini]

It's very difficult to follow what you are changing with all of the commits on top of commits. Please remove all of the superfluous changes and rebase it onto master and I'll take another look at it.

Sure @daztucker , I understand that there are several commits. Let me re-submit the PR with all the aix specific changes.
Thank you, Will keep this in mind when submitting further PR's

[daztucker]

It's very difficult to follow what you are changing with all of the commits on top of commits. Please remove all of the superfluous changes and rebase it onto master and I'll take another look at it.

Sure @daztucker , I understand that there are several commits. Let me re-submit the PR with all the aix specific changes. Thank you, Will keep this in mind when submitting further PR's

You did it again . Please don't open then immediately close PRs, instead leave one open and update it:

https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/keeping-your-pull-request-in-sync-with-the-base-branch

[ajaykini]

so instead of creating a stub what I could have done is create a new file audit-aix.c and have all the audit specific implementation there and receptively make necessary changes in Makefile.in

Yes. audit.c is the stub (plus some helper functions). Platforms specific code goes into its own file.

I tried to incorporate the suggestion by making necessary changes to the congifure.ac, Makefile.in. also created a new file named audit-aix.c.
In the Makefile.in

It's very difficult to follow what you are changing with all of the commits on top of commits. Please remove all of the superfluous changes and rebase it onto master and I'll take another look at it.

do you want me to

It's very difficult to follow what you are changing with all of the commits on top of commits. Please remove all of the superfluous changes and rebase it onto master and I'll take another look at it.

do you want me to revert all the changes

It's very difficult to follow what you are changing with all of the commits on top of commits. Please remove all of the superfluous changes and rebase it onto master and I'll take another look at it.

Sure @daztucker , I understand that there are several commits. Let me re-submit the PR with all the aix specific changes. Thank you, Will keep this in mind when submitting further PR's

You did it again . Please don't open then immediately close PRs, instead leave one open and update it:

https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/keeping-your-pull-request-in-sync-with-the-base-branch

Sorry my bad. Thanks for sharing this document. Will follow and keep this handy.