audit-bsm.c revision 181104
1/* $Id: audit-bsm.c,v 1.5 2006/09/30 22:09:50 dtucker Exp $ */ 2 3/* 4 * TODO 5 * 6 * - deal with overlap between this and sys_auth_allowed_user 7 * sys_auth_record_login and record_failed_login. 8 */ 9 10/* 11 * Copyright 1988-2002 Sun Microsystems, Inc. All rights reserved. 12 * Use is subject to license terms. 13 * 14 * Redistribution and use in source and binary forms, with or without 15 * modification, are permitted provided that the following conditions 16 * are met: 17 * 1. Redistributions of source code must retain the above copyright 18 * notice, this list of conditions and the following disclaimer. 19 * 2. Redistributions in binary form must reproduce the above copyright 20 * notice, this list of conditions and the following disclaimer in the 21 * documentation and/or other materials provided with the distribution. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 24 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 25 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 26 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 27 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 28 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 29 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 30 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 31 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 32 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 33 * 34 */ 35/* #pragma ident "@(#)bsmaudit.c 1.1 01/09/17 SMI" */ 36 37#include "includes.h" 38#if defined(USE_BSM_AUDIT) 39 40#include <sys/types.h> 41 42#include <errno.h> 43#include <stdarg.h> 44#include <unistd.h> 45 46#include "ssh.h" 47#include "log.h" 48#include "key.h" 49#include "hostfile.h" 50#include "auth.h" 51#include "xmalloc.h" 52 53#ifndef AUE_openssh 54# define AUE_openssh 32800 55#endif 56#include <bsm/audit.h> 57#include <bsm/libbsm.h> 58#include <bsm/audit_uevents.h> 59#include <bsm/audit_record.h> 60#include <locale.h> 61 62#if defined(HAVE_GETAUDIT_ADDR) 63#define AuditInfoStruct auditinfo_addr 64#define AuditInfoTermID au_tid_addr_t 65#define GetAuditFunc(a,b) getaudit_addr((a),(b)) 66#define GetAuditFuncText "getaudit_addr" 67#define SetAuditFunc(a,b) setaudit_addr((a),(b)) 68#define SetAuditFuncText "setaudit_addr" 69#define AUToSubjectFunc au_to_subject_ex 70#define AUToReturnFunc(a,b) au_to_return32((a), (int32_t)(b)) 71#else 72#define AuditInfoStruct auditinfo 73#define AuditInfoTermID au_tid_t 74#define GetAuditFunc(a,b) getaudit(a) 75#define GetAuditFuncText "getaudit" 76#define SetAuditFunc(a,b) setaudit(a) 77#define SetAuditFuncText "setaudit" 78#define AUToSubjectFunc au_to_subject 79#define AUToReturnFunc(a,b) au_to_return((a), (u_int)(b)) 80#endif 81 82extern int cannot_audit(int); 83extern void aug_init(void); 84extern dev_t aug_get_port(void); 85extern int aug_get_machine(char *, u_int32_t *, u_int32_t *); 86extern void aug_save_auid(au_id_t); 87extern void aug_save_uid(uid_t); 88extern void aug_save_euid(uid_t); 89extern void aug_save_gid(gid_t); 90extern void aug_save_egid(gid_t); 91extern void aug_save_pid(pid_t); 92extern void aug_save_asid(au_asid_t); 93extern void aug_save_tid(dev_t, unsigned int); 94extern void aug_save_tid_ex(dev_t, u_int32_t *, u_int32_t); 95extern int aug_save_me(void); 96extern int aug_save_namask(void); 97extern void aug_save_event(au_event_t); 98extern void aug_save_sorf(int); 99extern void aug_save_text(char *); 100extern void aug_save_text1(char *); 101extern void aug_save_text2(char *); 102extern void aug_save_na(int); 103extern void aug_save_user(char *); 104extern void aug_save_path(char *); 105extern int aug_save_policy(void); 106extern void aug_save_afunc(int (*)(int)); 107extern int aug_audit(void); 108extern int aug_na_selected(void); 109extern int aug_selected(void); 110extern int aug_daemon_session(void); 111 112#ifndef HAVE_GETTEXT 113# define gettext(a) (a) 114#endif 115 116extern Authctxt *the_authctxt; 117static AuditInfoTermID ssh_bsm_tid; 118 119/* Below is the low-level BSM interface code */ 120 121/* 122 * Check if the specified event is selected (enabled) for auditing. 123 * Returns 1 if the event is selected, 0 if not and -1 on failure. 124 */ 125static int 126selected(char *username, uid_t uid, au_event_t event, int sf) 127{ 128 int rc, sorf; 129 char naflags[512]; 130 struct au_mask mask; 131 132 mask.am_success = mask.am_failure = 0; 133 if (uid < 0) { 134 /* get flags for non-attributable (to a real user) events */ 135 rc = getacna(naflags, sizeof(naflags)); 136 if (rc == 0) 137 (void) getauditflagsbin(naflags, &mask); 138 } else 139 rc = au_user_mask(username, &mask); 140 141 sorf = (sf == 0) ? AU_PRS_SUCCESS : AU_PRS_FAILURE; 142 return(au_preselect(event, &mask, sorf, AU_PRS_REREAD)); 143} 144 145static void 146bsm_audit_record(int typ, char *string, au_event_t event_no) 147{ 148 int ad, rc, sel; 149 uid_t uid = -1; 150 gid_t gid = -1; 151 pid_t pid = getpid(); 152 AuditInfoTermID tid = ssh_bsm_tid; 153 154 if (the_authctxt != NULL && the_authctxt->valid) { 155 uid = the_authctxt->pw->pw_uid; 156 gid = the_authctxt->pw->pw_gid; 157 } 158 159 rc = (typ == 0) ? 0 : -1; 160 sel = selected(the_authctxt->user, uid, event_no, rc); 161 debug3("BSM audit: typ %d rc %d \"%s\"", typ, rc, string); 162 if (!sel) 163 return; /* audit event does not match mask, do not write */ 164 165 debug3("BSM audit: writing audit new record"); 166 ad = au_open(); 167 168 (void) au_write(ad, AUToSubjectFunc(uid, uid, gid, uid, gid, 169 pid, pid, &tid)); 170 (void) au_write(ad, au_to_text(string)); 171 (void) au_write(ad, AUToReturnFunc(typ, rc)); 172 173 rc = au_close(ad, AU_TO_WRITE, event_no); 174 if (rc < 0) 175 error("BSM audit: %s failed to write \"%s\" record: %s", 176 __func__, string, strerror(errno)); 177} 178 179static void 180bsm_audit_session_setup(void) 181{ 182 int rc; 183 struct AuditInfoStruct info; 184 au_mask_t mask; 185 186 if (the_authctxt == NULL) { 187 error("BSM audit: session setup internal error (NULL ctxt)"); 188 return; 189 } 190 191 if (the_authctxt->valid) 192 info.ai_auid = the_authctxt->pw->pw_uid; 193 else 194 info.ai_auid = -1; 195 info.ai_asid = getpid(); 196 mask.am_success = 0; 197 mask.am_failure = 0; 198 199 (void) au_user_mask(the_authctxt->user, &mask); 200 201 info.ai_mask.am_success = mask.am_success; 202 info.ai_mask.am_failure = mask.am_failure; 203 204 info.ai_termid = ssh_bsm_tid; 205 206 rc = SetAuditFunc(&info, sizeof(info)); 207 if (rc < 0) 208 error("BSM audit: %s: %s failed: %s", __func__, 209 SetAuditFuncText, strerror(errno)); 210} 211 212static void 213bsm_audit_bad_login(const char *what) 214{ 215 char textbuf[BSM_TEXTBUFSZ]; 216 217 if (the_authctxt->valid) { 218 (void) snprintf(textbuf, sizeof (textbuf), 219 gettext("invalid %s for user %s"), 220 what, the_authctxt->user); 221 bsm_audit_record(4, textbuf, AUE_openssh); 222 } else { 223 (void) snprintf(textbuf, sizeof (textbuf), 224 gettext("invalid user name \"%s\""), 225 the_authctxt->user); 226 bsm_audit_record(3, textbuf, AUE_openssh); 227 } 228} 229 230/* Below is the sshd audit API code */ 231 232void 233audit_connection_from(const char *host, int port) 234{ 235 AuditInfoTermID *tid = &ssh_bsm_tid; 236 char buf[1024]; 237 238 if (cannot_audit(0)) 239 return; 240 debug3("BSM audit: connection from %.100s port %d", host, port); 241 242 /* populate our terminal id structure */ 243#if defined(HAVE_GETAUDIT_ADDR) 244 tid->at_port = (dev_t)port; 245 aug_get_machine((char *)host, &(tid->at_addr[0]), &(tid->at_type)); 246 snprintf(buf, sizeof(buf), "%08x %08x %08x %08x", tid->at_addr[0], 247 tid->at_addr[1], tid->at_addr[2], tid->at_addr[3]); 248 debug3("BSM audit: iptype %d machine ID %s", (int)tid->at_type, buf); 249#else 250 /* this is used on IPv4-only machines */ 251 tid->port = (dev_t)port; 252 tid->machine = inet_addr(host); 253 snprintf(buf, sizeof(buf), "%08x", tid->machine); 254 debug3("BSM audit: machine ID %s", buf); 255#endif 256} 257 258void 259audit_run_command(const char *command) 260{ 261 /* not implemented */ 262} 263 264void 265audit_session_open(const char *ttyn) 266{ 267 /* not implemented */ 268} 269 270void 271audit_session_close(const char *ttyn) 272{ 273 /* not implemented */ 274} 275 276void 277audit_event(ssh_audit_event_t event) 278{ 279 char textbuf[BSM_TEXTBUFSZ]; 280 static int logged_in = 0; 281 const char *user = the_authctxt ? the_authctxt->user : "(unknown user)"; 282 283 if (cannot_audit(0)) 284 return; 285 286 switch(event) { 287 case SSH_AUTH_SUCCESS: 288 logged_in = 1; 289 bsm_audit_session_setup(); 290 snprintf(textbuf, sizeof(textbuf), 291 gettext("successful login %s"), user); 292 bsm_audit_record(0, textbuf, AUE_openssh); 293 break; 294 295 case SSH_CONNECTION_CLOSE: 296 /* 297 * We can also get a close event if the user attempted auth 298 * but never succeeded. 299 */ 300 if (logged_in) { 301 snprintf(textbuf, sizeof(textbuf), 302 gettext("sshd logout %s"), the_authctxt->user); 303 bsm_audit_record(0, textbuf, AUE_logout); 304 } else { 305 debug("%s: connection closed without authentication", 306 __func__); 307 } 308 break; 309 310 case SSH_NOLOGIN: 311 bsm_audit_record(1, 312 gettext("logins disabled by /etc/nologin"), AUE_openssh); 313 break; 314 315 case SSH_LOGIN_EXCEED_MAXTRIES: 316 snprintf(textbuf, sizeof(textbuf), 317 gettext("too many tries for user %s"), the_authctxt->user); 318 bsm_audit_record(1, textbuf, AUE_openssh); 319 break; 320 321 case SSH_LOGIN_ROOT_DENIED: 322 bsm_audit_record(2, gettext("not_console"), AUE_openssh); 323 break; 324 325 case SSH_AUTH_FAIL_PASSWD: 326 bsm_audit_bad_login("password"); 327 break; 328 329 case SSH_AUTH_FAIL_KBDINT: 330 bsm_audit_bad_login("interactive password entry"); 331 break; 332 333 default: 334 debug("%s: unhandled event %d", __func__, event); 335 } 336} 337#endif /* BSM */ 338