audit-linux.c revision 323134
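/*
 * Copyright 2010 Red Hat, Inc.  All rights reserved.
 * Use is subject to license terms.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 * Red Hat author: Jan F. Chadima <jchadima@redhat.com>
 */

#include "includes.h"
#if defined(USE_LINUX_AUDIT)
#include <libaudit.h>
#include <errno.h>
#include <unistd.h>
#include <string.h>

#include "log.h"
#include "audit.h"
#include "canohost.h"
#include "packet.h"

const char *audit_username(void);

/*
 * Write one AUDIT_USER_LOGIN record (operation "login") to the Linux audit
 * subsystem.
 *
 * uid, username: identify the account; uid is passed on only when username
 *     is NULL, otherwise -1 is passed in its place.
 * hostname, ip, ttyn: forwarded unchanged to audit_log_acct_message().
 * success: forwarded unchanged as the result field of the record.
 *
 * Returns non-zero when the record was written or when the failure is one
 * that must not block the caller (no audit support in the kernel, or EPERM
 * while sshd is not running as root).  Returns 0 on any other failure, with
 * errno describing it.
 */
int
linux_audit_record_event(int uid, const char *username, const char *hostname,
    const char *ip, const char *ttyn, int success)
{
	int audit_fd, rc, saved_errno;

	if ((audit_fd = audit_open()) < 0) {
		if (errno == EINVAL || errno == EPROTONOSUPPORT ||
		    errno == EAFNOSUPPORT)
			return 1; /* No audit support in kernel */
		else
			return 0; /* Must prevent login */
	}
	/*
	 * NOTE(review): when username is NULL the literal "(unknown)" is
	 * passed as the account name together with the real uid.  Check
	 * against the libaudit documentation whether the id argument is
	 * consulted when a name is supplied; if it is not, records written
	 * for audit_session_open() would carry "(unknown)" rather than the
	 * uid, which weakens them as forensic evidence -- confirm.
	 */
	rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
	    NULL, "login", username ? username : "(unknown)",
	    username == NULL ? uid : -1, hostname, ip, ttyn, success);
	/* close() may overwrite errno; keep the value from the audit call. */
	saved_errno = errno;
	close(audit_fd);

	/*
	 * Do not report error if the error is EPERM and sshd is run as non
	 * root user.
	 */
	if ((rc == -EPERM) && (geteuid() != 0))
		rc = 0;
	errno = saved_errno;

	return rc >= 0;
}

/* Below is the sshd audit API code */

/* Connection-origin auditing is not provided by this backend. */
void
audit_connection_from(const char *host, int port)
{
	/* not implemented */
}

/* Command auditing is not provided by this backend. */
void
audit_run_command(const char *command)
{
	/* not implemented */
}

/*
 * Record a successful login for the session described by li (uid, hostname
 * and tty line; no username and no IP address are passed).
 *
 * Fails closed: if the audit record cannot be written the process is
 * terminated through fatal(), so a session is not opened without a record.
 */
void
audit_session_open(struct logininfo *li)
{
	/*
	 * The message text names linux_audit_write_entry, which is not the
	 * function called here; it is kept unchanged so that existing log
	 * matching keeps working.
	 */
	if (linux_audit_record_event(li->uid, NULL, li->hostname, NULL,
	    li->line, 1) == 0)
		fatal("linux_audit_write_entry failed: %s", strerror(errno));
}

/* Session-close auditing is not provided by this backend. */
void
audit_session_close(struct logininfo *li)
{
	/* not implemented */
}

/*
 * Map an sshd audit event to a Linux audit record.
 *
 * Only the authentication-failure events and SSH_INVALID_USER write a
 * record: a failed login for audit_username() from the peer address, with
 * "sshd" as the terminal.  SSH_AUTH_SUCCESS, SSH_CONNECTION_CLOSE,
 * SSH_NOLOGIN, SSH_LOGIN_EXCEED_MAXTRIES and SSH_LOGIN_ROOT_DENIED write
 * nothing from this function, so detections that rely on the audit trail
 * should not expect records for them from here.
 */
void
audit_event(ssh_audit_event_t event)
{
	struct ssh *ssh = active_state; /* XXX */

	switch(event) {
	case SSH_AUTH_SUCCESS:
	case SSH_CONNECTION_CLOSE:
	case SSH_NOLOGIN:
	case SSH_LOGIN_EXCEED_MAXTRIES:
	case SSH_LOGIN_ROOT_DENIED:
		break;
	case SSH_AUTH_FAIL_NONE:
	case SSH_AUTH_FAIL_PASSWD:
	case SSH_AUTH_FAIL_KBDINT:
	case SSH_AUTH_FAIL_PUBKEY:
	case SSH_AUTH_FAIL_HOSTBASED:
	case SSH_AUTH_FAIL_GSSAPI:
	case SSH_INVALID_USER:
		/*
		 * The result is checked so that a failed audit write shows
		 * up in the sshd log instead of being dropped silently.  It
		 * is deliberately not fatal: the login attempt has already
		 * been refused.
		 */
		if (linux_audit_record_event(-1, audit_username(), NULL,
		    ssh_remote_ipaddr(ssh), "sshd", 0) == 0)
			error("%s: failed to write audit record for "
			    "event %d: %s", __func__, (int)event,
			    strerror(errno));
		break;
	default:
		debug("%s: unhandled event %d", __func__, event);
		break;
	}
}
#endif /* USE_LINUX_AUDIT */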