Add/enhance audit support on AIX

[ajaykini]

1. Core Audit Implementation Changes

File: [audit.c]

Added AIX-Specific Audit Support:

AIX Headers: Added <sys/audit.h> and <usersec.h> for AIX audit subsystem
Enhanced [audit_username()]: Improved logic to handle NULL authctxt cases
AIX Event Names: Added AIX-compliant event names in [audit_event_lookup()]:
SSH_exceedmtrix, SSH_rootdned, SSH_authsuccess, etc.
Standard names for non-AIX: LOGIN_EXCEED_MAXTRIES, AUTH_SUCCESS, etc.
Enhanced [audit_event()] Function:

UID Tracking: Added auth_uid to track authenticating user's UID
AIX UID Retrieval: Uses getuserattr() on AIX, getpwnam() on other systems
Remote IP Handling: Safely handles NULL ssh pointer
Detailed Logging: Logs auth_uid, username, event type, and remote IP
AIX Audit Writing: Calls auditwrite() with proper result codes (0=success, 1=failure)
Error Handling: Proper buffer truncation checks and error logging
Enhanced [audit_session_open()] Function:

AIX-Specific Implementation: Complete audit trail for session opens
Detailed Context: Logs username, tty, hostname, PID, and UID
AIX Audit Integration: Writes to AIX audit subsystem with auditwrite()
Fallback for Non-AIX: Maintains simple debug logging for other platforms

2. Audit Header Changes

File: [audit.h]
Added New Event Types:

SSH_BAD_PCKT, // bad/invalid packet received
SSH_CIPHER_NO_MATCH, // cipher negotiation failed
SSH_SESSION_OPEN, // session opened

These events enable tracking
of security-relevant protocol events.

3. Client/Server Separation Solution

File: [audit-aix.c] (NEW FILE)

Purpose:
Provides AIX specific implementations of all audit functions for Server binaries.

Key Design:
Conditional Compilation: Uses USE_AIX_AUDIT

4. Testing:

Check if the audit records are getting captured post starting the audit system on AIX as different user and different use case:

> tail -f stream.out
event      login  status   time           command             wpar name         
--------------- -------- ----------- ------------------------ ------------------------------- ------------------------- 
S_PASSWD_READ  root   OK     Tue Feb 03 11:44:53 2026 db2fm              Global           
    audit object read event detected /etc/security/passwd
S_PASSWD_READ  root   OK     Tue Feb 03 11:44:53 2026 db2fm              Global           
    audit object read event detected /etc/security/passwd
SSH_connabndn  root   OK     Tue Feb 03 11:44:57 2026 sshd-session          Global           
    audit event euid 0 user root event 12 (SSH_connabndn) remote ip XX.XX.XX.XX)     ---------------> here 
S_PASSWD_READ  root   OK     Tue Feb 03 11:45:00 2026 cron              Global           
    audit object read event detected /etc/security/passwd
S_PASSWD_READ  root   OK     Tue Feb 03 11:45:00 2026 cron              Global           
    audit object read event detected /etc/security/passwd
S_PASSWD_READ  root   OK     Tue Feb 03 11:45:04 2026 db2fm              Global           
    audit object read event detected /etc/security/passwd
S_PASSWD_READ  root   OK     Tue Feb 03 11:45:04 2026 db2fm              Global           
    audit object read event detected /etc/security/passwd
S_PASSWD_READ  root   OK     Tue Feb 03 11:45:05 2026 sshd-session          Global           
    audit object read event detected /etc/security/passwd
S_PASSWD_READ  root   OK     Tue Feb 03 11:45:05 2026 sshd-session          Global           
    audit object read event detected /etc/security/passwd
SSH_authsuccess root   OK     Tue Feb 03 11:45:05 2026 sshd-session          Global      -----------------> here      
    audit event euid 0 user root event 2 (SSH_authsuccess) remote ip (XX.XX.XX.XX)
S_PASSWD_READ  root   OK     Tue Feb 03 11:45:14 2026 db2fm              Global
..
..
SSH_sessionopn  root     OK          Thu Feb 05 03:59:36 2026 sshd-session                    Global
        audit session open auth_uid 0 user root tty /dev/pts/4 hostname XX.XX.XX.XX pid 16384454
..
..
SSH_badpckt     root     FAIL        Thu Feb 05 05:04:37 2026 sshd-auth                       Global
        audit event for user (unknown user) event 13 (SSH_badpckt) remote ip (XX.XX.XX.XX)

[daztucker]

conditionally define SSH_AUDIT_EVENTS in defines.h and don't sprinkle platform specific ifdefs everywhere. see USE_BSM_AUDIT and USE_LINUX_AUDIT in defines.h for examples.

[daztucker]

this part is incorrect. see the description of how it's supposed to work elsewhere

[daztucker]

this is where the shims start. revert this part.

[daztucker]

why is this here?

[daztucker]

what's this for? it looks like either an unrelated change or a bad merge.

[daztucker]

why are you changing this?

[daztucker]

this part is also unnecessary. if SSH_AUDIT_EVENTS is enabled the hooks are enabled and so are the debug implementations. if SSH_AUDIT_EVENTS and CUSTOM_SSH_AUDIT_EVENTS is enabled your alternative implementations in audit-aix.c.

[daztucker]

this already exists in audit.c and does not need to be duplicated here

[daztucker]

ditto

[daztucker]

all of this code is inside AIX specific ifdefs so you do not need to handle other systems here,

[ajaykini]

@daztucker , I have reworked on the the review comments and have incorporated it as a part of the 2nd commit. Please let me know if anything more needs to be addressed.

I also see that the CI checks w.r.t Ubuntu Kitchensink are failing , not sure why this is failing , any suggestions would be helpful.

Thank you,
Ajay Kini K