audit.c

   1 /* $Id: audit.c,v 1.4 2006/08/05 14:05:10 dtucker Exp $ */
   2
   3 /*
   4  * Copyright (c) 2004, 2005 Darren Tucker.  All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms, with or without
   7  * modification, are permitted provided that the following conditions
   8  * are met:
   9  * 1. Redistributions of source code must retain the above copyright
  10  *    notice, this list of conditions and the following disclaimer.
  11  * 2. Redistributions in binary form must reproduce the above copyright
  12  *    notice, this list of conditions and the following disclaimer in the
  13  *    documentation and/or other materials provided with the distribution.
  14  *
  15  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  16  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  17  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  18  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  19  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  20  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  21  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  22  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  23  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  24  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  25  */
  26
  27 #include "includes.h"
  28
  29 #ifdef SSH_AUDIT_EVENTS
  30
  31 #include "audit.h"
  32 #include "log.h"
  33 #include "key.h"
  34 #include "hostfile.h"
  35 #include "auth.h"
  36
  37 /*
  38  * Care must be taken when using this since it WILL NOT be initialized when
  39  * audit_connection_from() is called and MAY NOT be initialized when
  40  * audit_event(CONNECTION_ABANDON) is called.  Test for NULL before using.
  41  */
  42 extern Authctxt *the_authctxt;
  43
  44 /* Maybe add the audit class to struct Authmethod? */
  45 ssh_audit_event_t
  46 audit_classify_auth(const char *method)
  47 {
  48         if (strcmp(method, "none") == 0)
  49                 return SSH_AUTH_FAIL_NONE;
  50         else if (strcmp(method, "password") == 0)
  51                 return SSH_AUTH_FAIL_PASSWD;
  52         else if (strcmp(method, "publickey") == 0 ||
  53             strcmp(method, "rsa") == 0)
  54                 return SSH_AUTH_FAIL_PUBKEY;
  55         else if (strncmp(method, "keyboard-interactive", 20) == 0 ||
  56             strcmp(method, "challenge-response") == 0)
  57                 return SSH_AUTH_FAIL_KBDINT;
  58         else if (strcmp(method, "hostbased") == 0 ||
  59             strcmp(method, "rhosts-rsa") == 0)
  60                 return SSH_AUTH_FAIL_HOSTBASED;
  61         else if (strcmp(method, "gssapi-with-mic") == 0)
  62                 return SSH_AUTH_FAIL_GSSAPI;
  63         else
  64                 return SSH_AUDIT_UNKNOWN;
  65 }
  66
  67 /* helper to return supplied username */
  68 const char *
  69 audit_username(void)
  70 {
  71         static const char unknownuser[] = "(unknown user)";
  72         static const char invaliduser[] = "(invalid user)";
  73
  74         if (the_authctxt == NULL || the_authctxt->user == NULL)
  75                 return (unknownuser);
  76         if (!the_authctxt->valid)
  77                 return (invaliduser);
  78         return (the_authctxt->user);
  79 }
  80
  81 const char *
  82 audit_event_lookup(ssh_audit_event_t ev)
  83 {
  84         int i;
  85         static struct event_lookup_struct {
  86                 ssh_audit_event_t event;
  87                 const char *name;
  88         } event_lookup[] = {
  89                 {SSH_LOGIN_EXCEED_MAXTRIES,     "LOGIN_EXCEED_MAXTRIES"},
  90                 {SSH_LOGIN_ROOT_DENIED,         "LOGIN_ROOT_DENIED"},
  91                 {SSH_AUTH_SUCCESS,              "AUTH_SUCCESS"},
  92                 {SSH_AUTH_FAIL_NONE,            "AUTH_FAIL_NONE"},
  93                 {SSH_AUTH_FAIL_PASSWD,          "AUTH_FAIL_PASSWD"},
  94                 {SSH_AUTH_FAIL_KBDINT,          "AUTH_FAIL_KBDINT"},
  95                 {SSH_AUTH_FAIL_PUBKEY,          "AUTH_FAIL_PUBKEY"},
  96                 {SSH_AUTH_FAIL_HOSTBASED,       "AUTH_FAIL_HOSTBASED"},
  97                 {SSH_AUTH_FAIL_GSSAPI,          "AUTH_FAIL_GSSAPI"},
  98                 {SSH_INVALID_USER,              "INVALID_USER"},
  99                 {SSH_NOLOGIN,                   "NOLOGIN"},
 100                 {SSH_CONNECTION_CLOSE,          "CONNECTION_CLOSE"},
 101                 {SSH_CONNECTION_ABANDON,        "CONNECTION_ABANDON"},
 102                 {SSH_AUDIT_UNKNOWN,             "AUDIT_UNKNOWN"}
 103         };
 104
 105         for (i = 0; event_lookup[i].event != SSH_AUDIT_UNKNOWN; i++)
 106                 if (event_lookup[i].event == ev)
 107                         break;
 108         return(event_lookup[i].name);
 109 }
 110
 111 # ifndef CUSTOM_SSH_AUDIT_EVENTS
 112 /*
 113  * Null implementations of audit functions.
 114  * These get used if SSH_AUDIT_EVENTS is defined but no audit module is enabled.
 115  */
 116
 117 /*
 118  * Called after a connection has been accepted but before any authentication
 119  * has been attempted.
 120  */
 121 void
 122 audit_connection_from(const char *host, int port)
 123 {
 124         debug("audit connection from %s port %d euid %d", host, port,
 125             (int)geteuid());
 126 }
 127
 128 /*
 129  * Called when various events occur (see audit.h for a list of possible
 130  * events and what they mean).
 131  */
 132 void
 133 audit_event(ssh_audit_event_t event)
 134 {
 135         debug("audit event euid %d user %s event %d (%s)", geteuid(),
 136             audit_username(), event, audit_event_lookup(event));
 137 }
 138
 139 /*
 140  * Called when a user session is started.  Argument is the tty allocated to
 141  * the session, or NULL if no tty was allocated.
 142  *
 143  * Note that this may be called multiple times if multiple sessions are used
 144  * within a single connection.
 145  */
 146 void
 147 audit_session_open(const char *ttyn)
 148 {
 149         const char *t = ttyn ? ttyn : "(no tty)";
 150
 151         debug("audit session open euid %d user %s tty name %s", geteuid(),
 152             audit_username(), t);
 153 }
 154
 155 /*
 156  * Called when a user session is closed.  Argument is the tty allocated to
 157  * the session, or NULL if no tty was allocated.
 158  *
 159  * Note that this may be called multiple times if multiple sessions are used
 160  * within a single connection.
 161  */
 162 void
 163 audit_session_close(const char *ttyn)
 164 {
 165         const char *t = ttyn ? ttyn : "(no tty)";
 166
 167         debug("audit session close euid %d user %s tty name %s", geteuid(),
 168             audit_username(), t);
 169 }
 170
 171 /*
 172  * This will be called when a user runs a non-interactive command.  Note that
 173  * it may be called multiple times for a single connection since SSH2 allows
 174  * multiple sessions within a single connection.
 175  */
 176 void
 177 audit_run_command(const char *command)
 178 {
 179         debug("audit run command euid %d user %s command '%.200s'", geteuid(),
 180             audit_username(), command);
 181 }
 182 # endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
 183 #endif /* SSH_AUDIT_EVENTS */