audit.c

   1 /* $Id: audit.c,v 1.3 2005/07/17 07:26:44 djm Exp $ */
   2
   3 /*
   4  * Copyright (c) 2004, 2005 Darren Tucker.  All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms, with or without
   7  * modification, are permitted provided that the following conditions
   8  * are met:
   9  * 1. Redistributions of source code must retain the above copyright
  10  *    notice, this list of conditions and the following disclaimer.
  11  * 2. Redistributions in binary form must reproduce the above copyright
  12  *    notice, this list of conditions and the following disclaimer in the
  13  *    documentation and/or other materials provided with the distribution.
  14  *
  15  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  16  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  17  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  18  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  19  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  20  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  21  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  22  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  23  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  24  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  25  */
  26
  27 #include "includes.h"
  28
  29 #ifdef SSH_AUDIT_EVENTS
  30
  31 #include "audit.h"
  32 #include "log.h"
  33 #include "auth.h"
  34
  35 /*
  36  * Care must be taken when using this since it WILL NOT be initialized when
  37  * audit_connection_from() is called and MAY NOT be initialized when
  38  * audit_event(CONNECTION_ABANDON) is called.  Test for NULL before using.
  39  */
  40 extern Authctxt *the_authctxt;
  41
  42 /* Maybe add the audit class to struct Authmethod? */
  43 ssh_audit_event_t
  44 audit_classify_auth(const char *method)
  45 {
  46         if (strcmp(method, "none") == 0)
  47                 return SSH_AUTH_FAIL_NONE;
  48         else if (strcmp(method, "password") == 0)
  49                 return SSH_AUTH_FAIL_PASSWD;
  50         else if (strcmp(method, "publickey") == 0 ||
  51             strcmp(method, "rsa") == 0)
  52                 return SSH_AUTH_FAIL_PUBKEY;
  53         else if (strncmp(method, "keyboard-interactive", 20) == 0 ||
  54             strcmp(method, "challenge-response") == 0)
  55                 return SSH_AUTH_FAIL_KBDINT;
  56         else if (strcmp(method, "hostbased") == 0 ||
  57             strcmp(method, "rhosts-rsa") == 0)
  58                 return SSH_AUTH_FAIL_HOSTBASED;
  59         else if (strcmp(method, "gssapi-with-mic") == 0)
  60                 return SSH_AUTH_FAIL_GSSAPI;
  61         else
  62                 return SSH_AUDIT_UNKNOWN;
  63 }
  64
  65 /* helper to return supplied username */
  66 const char *
  67 audit_username(void)
  68 {
  69         static const char unknownuser[] = "(unknown user)";
  70         static const char invaliduser[] = "(invalid user)";
  71
  72         if (the_authctxt == NULL || the_authctxt->user == NULL)
  73                 return (unknownuser);
  74         if (!the_authctxt->valid)
  75                 return (invaliduser);
  76         return (the_authctxt->user);
  77 }
  78
  79 const char *
  80 audit_event_lookup(ssh_audit_event_t ev)
  81 {
  82         int i;
  83         static struct event_lookup_struct {
  84                 ssh_audit_event_t event;
  85                 const char *name;
  86         } event_lookup[] = {
  87                 {SSH_LOGIN_EXCEED_MAXTRIES,     "LOGIN_EXCEED_MAXTRIES"},
  88                 {SSH_LOGIN_ROOT_DENIED,         "LOGIN_ROOT_DENIED"},
  89                 {SSH_AUTH_SUCCESS,              "AUTH_SUCCESS"},
  90                 {SSH_AUTH_FAIL_NONE,            "AUTH_FAIL_NONE"},
  91                 {SSH_AUTH_FAIL_PASSWD,          "AUTH_FAIL_PASSWD"},
  92                 {SSH_AUTH_FAIL_KBDINT,          "AUTH_FAIL_KBDINT"},
  93                 {SSH_AUTH_FAIL_PUBKEY,          "AUTH_FAIL_PUBKEY"},
  94                 {SSH_AUTH_FAIL_HOSTBASED,       "AUTH_FAIL_HOSTBASED"},
  95                 {SSH_AUTH_FAIL_GSSAPI,          "AUTH_FAIL_GSSAPI"},
  96                 {SSH_INVALID_USER,              "INVALID_USER"},
  97                 {SSH_NOLOGIN,                   "NOLOGIN"},
  98                 {SSH_CONNECTION_CLOSE,          "CONNECTION_CLOSE"},
  99                 {SSH_CONNECTION_ABANDON,        "CONNECTION_ABANDON"},
 100                 {SSH_AUDIT_UNKNOWN,             "AUDIT_UNKNOWN"}
 101         };
 102
 103         for (i = 0; event_lookup[i].event != SSH_AUDIT_UNKNOWN; i++)
 104                 if (event_lookup[i].event == ev)
 105                         break;
 106         return(event_lookup[i].name);
 107 }
 108
 109 # ifndef CUSTOM_SSH_AUDIT_EVENTS
 110 /*
 111  * Null implementations of audit functions.
 112  * These get used if SSH_AUDIT_EVENTS is defined but no audit module is enabled.
 113  */
 114
 115 /*
 116  * Called after a connection has been accepted but before any authentication
 117  * has been attempted.
 118  */
 119 void
 120 audit_connection_from(const char *host, int port)
 121 {
 122         debug("audit connection from %s port %d euid %d", host, port,
 123             (int)geteuid());
 124 }
 125
 126 /*
 127  * Called when various events occur (see audit.h for a list of possible
 128  * events and what they mean).
 129  */
 130 void
 131 audit_event(ssh_audit_event_t event)
 132 {
 133         debug("audit event euid %d user %s event %d (%s)", geteuid(),
 134             audit_username(), event, audit_event_lookup(event));
 135 }
 136
 137 /*
 138  * Called when a user session is started.  Argument is the tty allocated to
 139  * the session, or NULL if no tty was allocated.
 140  *
 141  * Note that this may be called multiple times if multiple sessions are used
 142  * within a single connection.
 143  */
 144 void
 145 audit_session_open(const char *ttyn)
 146 {
 147         const char *t = ttyn ? ttyn : "(no tty)";
 148
 149         debug("audit session open euid %d user %s tty name %s", geteuid(),
 150             audit_username(), t);
 151 }
 152
 153 /*
 154  * Called when a user session is closed.  Argument is the tty allocated to
 155  * the session, or NULL if no tty was allocated.
 156  *
 157  * Note that this may be called multiple times if multiple sessions are used
 158  * within a single connection.
 159  */
 160 void
 161 audit_session_close(const char *ttyn)
 162 {
 163         const char *t = ttyn ? ttyn : "(no tty)";
 164
 165         debug("audit session close euid %d user %s tty name %s", geteuid(),
 166             audit_username(), t);
 167 }
 168
 169 /*
 170  * This will be called when a user runs a non-interactive command.  Note that
 171  * it may be called multiple times for a single connection since SSH2 allows
 172  * multiple sessions within a single connection.
 173  */
 174 void
 175 audit_run_command(const char *command)
 176 {
 177         debug("audit run command euid %d user %s command '%.200s'", geteuid(),
 178             audit_username(), command);
 179 }
 180 # endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
 181 #endif /* SSH_AUDIT_EVENTS */