Add/enhance audit support on AIX

Makefile.in

@@ -113,8 +113,10 @@ P11OBJS= ssh-pkcs11-client.o
 
 SKOBJS=	ssh-sk-client.o
 
+AUDOBJ= audit-aix.o audit.o
+
 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
-	sshconnect.o sshconnect2.o mux.o ssh-pkcs11.o $(SKOBJS)
+	sshconnect.o sshconnect2.o mux.o ssh-pkcs11.o $(SKOBJS) $(AUDOBJ)
 
 SSHDOBJS=sshd.o \
 	platform-listen.o \
@@ -123,7 +125,7 @@ SSHDOBJS=sshd.o \
 	$(P11OBJS) $(SKOBJS)
 
 SSHD_SESSION_OBJS=sshd-session.o auth-rhosts.o auth-passwd.o \
-	audit.o audit-bsm.o audit-linux.o platform.o \
+	audit-bsm.o audit-linux.o audit-aix.o audit.o platform.o \
 	sshpty.o sshlogin.o servconf.o serverloop.o \
 	auth.o auth2.o auth2-methods.o auth-options.o session.o \
 	auth2-chall.o groupaccess.o \
@@ -143,7 +145,7 @@ SSHD_AUTH_OBJS=sshd-auth.o \
 	auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-pubkeyfile.o \
 	auth2-gss.o gss-serv.o gss-serv-krb5.o \
 	monitor_wrap.o auth-krb5.o \
-	audit.o audit-bsm.o audit-linux.o platform.o \
+	audit-bsm.o audit-linux.o audit-aix.o audit.o platform.o \
 	loginrec.o auth-pam.o auth-shadow.o auth-sia.o \
 	sandbox-null.o sandbox-rlimit.o sandbox-darwin.o \
 	sandbox-seccomp-filter.o sandbox-capsicum.o  sandbox-solaris.o \
@@ -166,7 +168,7 @@ P11HELPER_OBJS=	ssh-pkcs11-helper.o ssh-pkcs11.o $(SKOBJS)
 
 SKHELPER_OBJS=	ssh-sk-helper.o ssh-sk.o sk-usbhid.o ssherr-nolibcrypto.o
 
-SSHKEYSCAN_OBJS=ssh-keyscan.o $(P11OBJS) $(SKOBJS)
+SSHKEYSCAN_OBJS=ssh-keyscan.o $(P11OBJS) $(SKOBJS) $(AUDOBJ)
 
 SFTPSERVER_OBJS=sftp-common.o sftp-server.o sftp-server-main.o ssherr-nolibcrypto.o
 

audit-aix.c

@@ -0,0 +1,278 @@
+/*
+ * Copyright (c) 2026 IBM Ajay Kini.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+
+#include <errno.h>
+#include <stdarg.h>
+#include <string.h>
+#include <unistd.h>
+#include <pwd.h>
+
+#ifdef USE_AIX_AUDIT
+# include <sys/audit.h>
+# include <usersec.h>
+
+
+#include "audit.h"
+#include "log.h"
+#include "hostfile.h"
+
+
+const char *
+audit_event_lookup(ssh_audit_event_t ev)
+{
+	int i;
+	static struct event_lookup_struct {
+		ssh_audit_event_t event;
+		const char *name;
+	} event_lookup[] = {
+		/* These envent names comply with AIX audit requirements */
+		{SSH_LOGIN_EXCEED_MAXTRIES,	"SSH_exceedmtrix"},
+		{SSH_LOGIN_ROOT_DENIED,		"SSH_rootdned"},
+		{SSH_AUTH_SUCCESS,		"SSH_authsuccess"},
+		{SSH_AUTH_FAIL_NONE,		"SSH_failnone"},
+		{SSH_AUTH_FAIL_PASSWD,		"SSH_failpasswd"},
+		{SSH_AUTH_FAIL_KBDINT,		"SSH_failkbdint"},
+		{SSH_AUTH_FAIL_PUBKEY,		"SSH_failpubkey"},
+		{SSH_AUTH_FAIL_HOSTBASED,	"SSH_failhstbsd"},
+		{SSH_AUTH_FAIL_GSSAPI,		"SSH_failgssapi"},
+		{SSH_INVALID_USER,		"SSH_invldusr"},
+		{SSH_NOLOGIN,			"SSH_nologin"},
+		{SSH_CONNECTION_CLOSE,		"SSH_connclose"},
+		{SSH_CONNECTION_ABANDON,	"SSH_connabndn"},
+		{SSH_BAD_PCKT,					"SSH_badpckt"},
+		{SSH_CIPHER_NO_MATCH,			"SSH_cipmismatch"},
+		{SSH_SESSION_OPEN,				"SSH_sessionopn"},
+		{SSH_AUDIT_UNKNOWN,		"SSH_auditknwn"}
+	};
+
+	for (i = 0; event_lookup[i].event != SSH_AUDIT_UNKNOWN; i++)
+		if (event_lookup[i].event == ev)
+			break;
+	return (event_lookup[i].name);
+}
+
+/*
+ * Called after a connection has been accepted but before any authentication
+ * has been attempted.
+ */
+void
+audit_connection_from(const char *host, int port)
+{
+	debug("audit connection from %s port %d euid %d", host, port,
+	    (int)geteuid());
+}
+
+/*
+ * Called when various events occur (see audit.h for a list of possible
+ * events and what they mean).
+ */
+void
+audit_event(struct ssh *ssh, ssh_audit_event_t event)
+{
+	char buf[1024];
+	const char *username;
+	const char *event_name;
+	const char *remote_ip;
+	int ret;
+	uid_t auth_uid;  /* UID of the user attempting authentication */
+	int res = 0;  /* AIX audit result code: 0 = success */
+
+	/* Debug: Log that audit_event was called */
+	debug("audit_event: called with event=%d", event);
+
+	/* Get username from authctxt */
+	username = audit_username();
+
+	/* Get the UID of the authenticating user */
+	auth_uid = (uid_t)-1;  /* Default to -1 if user doesn't exist */
+
+	/* On AIX, use getuserattr to get UID from username */
+	if (username != NULL ) {
+		int uid_val;
+		if (getuserattr(username, S_ID, &uid_val, SEC_INT) == 0) {
+			auth_uid = (uid_t)uid_val;
+		}
+	}
+
+	event_name = audit_event_lookup(event);
+
+	/* Set audit result code based on event type */
+	switch (event) {
+	case SSH_AUTH_FAIL_NONE:
+	case SSH_AUTH_FAIL_PASSWD:
+	case SSH_AUTH_FAIL_KBDINT:
+	case SSH_AUTH_FAIL_PUBKEY:
+	case SSH_AUTH_FAIL_HOSTBASED:
+	case SSH_AUTH_FAIL_GSSAPI:
+	case SSH_INVALID_USER:
+	case SSH_BAD_PCKT:
+	case SSH_CIPHER_NO_MATCH:
+		res = 1;  /* Failure */
+		break;
+	default:
+		res = 0;  /* Success */
+		break;
+	}
+
+	/* Handle NULL ssh pointer gracefully */
+	if (ssh != NULL) {
+		remote_ip = ssh_remote_ipaddr(ssh);
+	} else {
+		remote_ip = "(unknown)";
+	}
+
+	/* Build audit message with proper error checking */
+	if (auth_uid == (uid_t)-1) {
+		ret = snprintf(buf, sizeof(buf),
+		    "audit event for user %s event %d (%s) remote ip (%s)",
+		     username, event, event_name, remote_ip);
+	} else {
+		ret = snprintf(buf, sizeof(buf),
+		    "audit event auth_uid %u user %s event %d (%s) remote ip (%s)",
+		    (unsigned int)auth_uid, username, event, event_name, remote_ip);
+	}
+
+	/* Check for truncation */
+	if (ret < 0 || (size_t)ret >= sizeof(buf)) {
+		debug("audit_event: message truncated (needed %d bytes)", ret);
+	}
+
+	/* Log to debug output */
+	if (auth_uid == (uid_t)-1) {
+		debug("audit event auth_uid -1 user %s event %d (%s) remote ip (%s)", 
+			username, event, event_name, remote_ip);
+	} else {
+		debug("audit event auth_uid %u user %s event %d (%s) remote ip (%s)",
+		    (unsigned int)auth_uid, username, event, event_name, remote_ip);
+	}
+
+	/* Write to AIX audit subsystem with required format */
+	if (auditwrite(event_name, res, buf, strlen(buf) + 1, 0) < 0) {
+		error("auditwrite failed for event %s: %s",
+		    event_name, strerror(errno));
+	}
+}
+
+/*
+ * Called when a user session is started.  Argument is the tty allocated to
+ * the session, or NULL if no tty was allocated.
+ *
+ * Note that this may be called multiple times if multiple sessions are used
+ * within a single connection.
+ */
+void
+audit_session_open(struct logininfo *li)
+{
+	const char *t = li->line ? li->line : "(no tty)";
+	const char *username;
+	const char *hostname;
+	const char *event_name;
+	char buf[1024];
+	int ret;
+	uid_t auth_uid;
+
+	int res = 0;  /* AIX audit result code: 0 = success for session open */
+
+	/* Use username from logininfo if available, otherwise from authctxt */
+	if (li->username[0] != '\0') {
+		username = li->username;
+	} else {
+		username = audit_username();
+	}
+
+	/* Use hostname from logininfo if available */
+	if (li->hostname[0] != '\0') {
+		hostname = li->hostname;
+	} else {
+		hostname = "(unknown)";
+	}
+
+	/* Get the UID from logininfo */
+	auth_uid = li->uid;
+
+	event_name = audit_event_lookup(SSH_SESSION_OPEN);
+
+	/* Build audit message with logininfo details */
+	if (auth_uid == (uid_t)-1) {
+		ret = snprintf(buf, sizeof(buf),
+		    "audit session open auth_uid -1 user %s tty %s hostname %s pid %ld",
+			 username, t, hostname, (long)li->pid);
+	} else {
+		ret = snprintf(buf, sizeof(buf),
+		    "audit session open auth_uid %u user %s tty %s hostname %s pid %ld",
+		    (unsigned int)auth_uid, username, t, hostname, (long)li->pid);
+	}
+
+	/* Check for truncation */
+	if (ret < 0 || (size_t)ret >= sizeof(buf)) {
+		debug("audit_session_open: message truncated (needed %d bytes)", ret);
+	}
+
+	/* Log to debug output */
+	if (auth_uid == (uid_t)-1) {
+		debug("audit session open auth_uid -1 user %s tty %s hostname %s pid %ld",
+			 username, t, hostname, (long)li->pid);
+	} else {
+		debug("audit session open auth_uid %u user %s tty %s hostname %s pid %ld",
+		    (unsigned int)auth_uid, username, t, hostname, (long)li->pid);
+	}
+
+	/* Write to AIX audit subsystem */
+	if (auditwrite(event_name, res, buf, strlen(buf) + 1, 0) < 0) {
+		error("auditwrite failed for event %s: %s",
+		    event_name, strerror(errno));
+	}
+}
+
+/*
+ * Called when a user session is closed.  Argument is the tty allocated to
+ * the session, or NULL if no tty was allocated.
+ *
+ * Note that this may be called multiple times if multiple sessions are used
+ * within a single connection.
+ */
+void
+audit_session_close(struct logininfo *li)
+{
+	const char *t = li->line ? li->line : "(no tty)";
+
+	debug("audit session close euid %d user %s tty name %s", geteuid(),
+	    audit_username(), t);
+}
+
+/*
+ * This will be called when a user runs a non-interactive command.  Note that
+ * it may be called multiple times for a single connection since SSH2 allows
+ * multiple sessions within a single connection.
+ */
+void
+audit_run_command(const char *command)
+{
+	debug("audit run command euid %d user %s command '%.200s'", geteuid(),
+	    audit_username(), command);
+}
+
+#endif /* USE_AIX_AUDIT  */

audit.c

@@ -28,11 +28,12 @@
 #include <string.h>
 #include <unistd.h>
 
-#ifdef SSH_AUDIT_EVENTS
+#if defined(SSH_AUDIT_EVENTS)
 
 #include "audit.h"
 #include "log.h"
 #include "hostfile.h"
+#ifndef CUSTOM_SSH_AUDIT_EVENTS
 #include "auth.h"
 
 /*
@@ -41,6 +42,7 @@
  * audit_event(CONNECTION_ABANDON) is called.  Test for NULL before using.
  */
 extern Authctxt *the_authctxt;
+#endif
 
 /* Maybe add the audit class to struct Authmethod? */
 ssh_audit_event_t
@@ -72,11 +74,15 @@ audit_username(void)
 	static const char unknownuser[] = "(unknown user)";
 	static const char invaliduser[] = "(invalid user)";
 
+#ifndef CUSTOM_SSH_AUDIT_EVENTS
 	if (the_authctxt == NULL || the_authctxt->user == NULL)
 		return (unknownuser);
 	if (!the_authctxt->valid)
 		return (invaliduser);
 	return (the_authctxt->user);
+#else
+	return (unknownuser);
+#endif
 }
 
 const char *
@@ -100,6 +106,9 @@ audit_event_lookup(ssh_audit_event_t ev)
 		{SSH_NOLOGIN,			"NOLOGIN"},
 		{SSH_CONNECTION_CLOSE,		"CONNECTION_CLOSE"},
 		{SSH_CONNECTION_ABANDON,	"CONNECTION_ABANDON"},
+		{SSH_BAD_PCKT,		"BAD_PCKT"},
+		{SSH_CIPHER_NO_MATCH,	"CIPHER_NO_MATCH"},
+		{SSH_SESSION_OPEN,	"SESSION_OPEN"},
 		{SSH_AUDIT_UNKNOWN,		"AUDIT_UNKNOWN"}
 	};
 
@@ -182,3 +191,4 @@ audit_run_command(const char *command)
 }
 # endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
 #endif /* SSH_AUDIT_EVENTS */
+

audit.h

@@ -43,6 +43,9 @@ enum ssh_audit_event_type {
 	SSH_NOLOGIN,		/* denied by /etc/nologin, not implemented */
 	SSH_CONNECTION_CLOSE,	/* closed after attempting auth or session */
 	SSH_CONNECTION_ABANDON,	/* closed without completing auth */
+	SSH_BAD_PCKT,		/* bad/invalid packet received */
+	SSH_CIPHER_NO_MATCH,	/* cipher negotiation failed */
+	SSH_SESSION_OPEN,	/* session opened */
 	SSH_AUDIT_UNKNOWN
 };
 typedef enum ssh_audit_event_type ssh_audit_event_t;