1 /* $Id: audit-bsm.c,v 1.3 2006/08/16 01:40:45 djm Exp $ */
6 * - deal with overlap between this and sys_auth_allowed_user
7 * sys_auth_record_login and record_failed_login.
11 * Copyright 1988-2002 Sun Microsystems, Inc. All rights reserved.
12 * Use is subject to license terms.
14 * Redistribution and use in source and binary forms, with or without
15 * modification, are permitted provided that the following conditions
17 * 1. Redistributions of source code must retain the above copyright
18 * notice, this list of conditions and the following disclaimer.
19 * 2. Redistributions in binary form must reproduce the above copyright
20 * notice, this list of conditions and the following disclaimer in the
21 * documentation and/or other materials provided with the distribution.
23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
24 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
25 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
26 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
27 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
28 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
29 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
30 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
31 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
32 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35 /* #pragma ident "@(#)bsmaudit.c 1.1 01/09/17 SMI" */
38 #if defined(USE_BSM_AUDIT)
40 #include <sys/types.h>
52 # define AUE_openssh 32800
54 #include <bsm/audit.h>
55 #include <bsm/libbsm.h>
56 #include <bsm/audit_uevents.h>
57 #include <bsm/audit_record.h>
60 #if defined(HAVE_GETAUDIT_ADDR)
61 #define AuditInfoStruct auditinfo_addr
62 #define AuditInfoTermID au_tid_addr_t
63 #define GetAuditFunc(a,b) getaudit_addr((a),(b))
64 #define GetAuditFuncText "getaudit_addr"
65 #define SetAuditFunc(a,b) setaudit_addr((a),(b))
66 #define SetAuditFuncText "setaudit_addr"
67 #define AUToSubjectFunc au_to_subject_ex
68 #define AUToReturnFunc(a,b) au_to_return32((a), (int32_t)(b))
70 #define AuditInfoStruct auditinfo
71 #define AuditInfoTermID au_tid_t
72 #define GetAuditFunc(a,b) getaudit(a)
73 #define GetAuditFuncText "getaudit"
74 #define SetAuditFunc(a,b) setaudit(a)
75 #define SetAuditFuncText "setaudit"
76 #define AUToSubjectFunc au_to_subject
77 #define AUToReturnFunc(a,b) au_to_return((a), (u_int)(b))
80 extern int cannot_audit(int);
81 extern void aug_init(void);
82 extern dev_t
aug_get_port(void);
83 extern int aug_get_machine(char *, u_int32_t
*, u_int32_t
*);
84 extern void aug_save_auid(au_id_t
);
85 extern void aug_save_uid(uid_t
);
86 extern void aug_save_euid(uid_t
);
87 extern void aug_save_gid(gid_t
);
88 extern void aug_save_egid(gid_t
);
89 extern void aug_save_pid(pid_t
);
90 extern void aug_save_asid(au_asid_t
);
91 extern void aug_save_tid(dev_t
, unsigned int);
92 extern void aug_save_tid_ex(dev_t
, u_int32_t
*, u_int32_t
);
93 extern int aug_save_me(void);
94 extern int aug_save_namask(void);
95 extern void aug_save_event(au_event_t
);
96 extern void aug_save_sorf(int);
97 extern void aug_save_text(char *);
98 extern void aug_save_text1(char *);
99 extern void aug_save_text2(char *);
100 extern void aug_save_na(int);
101 extern void aug_save_user(char *);
102 extern void aug_save_path(char *);
103 extern int aug_save_policy(void);
104 extern void aug_save_afunc(int (*)(int));
105 extern int aug_audit(void);
106 extern int aug_na_selected(void);
107 extern int aug_selected(void);
108 extern int aug_daemon_session(void);
111 # define gettext(a) (a)
114 extern Authctxt
*the_authctxt
;
115 static AuditInfoTermID ssh_bsm_tid
;
117 /* Below is the low-level BSM interface code */
120 * Check if the specified event is selected (enabled) for auditing.
121 * Returns 1 if the event is selected, 0 if not and -1 on failure.
124 selected(char *username
, uid_t uid
, au_event_t event
, int sf
)
130 mask
.am_success
= mask
.am_failure
= 0;
132 /* get flags for non-attributable (to a real user) events */
133 rc
= getacna(naflags
, sizeof(naflags
));
135 (void) getauditflagsbin(naflags
, &mask
);
137 rc
= au_user_mask(username
, &mask
);
139 sorf
= (sf
== 0) ? AU_PRS_SUCCESS
: AU_PRS_FAILURE
;
140 return(au_preselect(event
, &mask
, sorf
, AU_PRS_REREAD
));
144 bsm_audit_record(int typ
, char *string
, au_event_t event_no
)
149 pid_t pid
= getpid();
150 AuditInfoTermID tid
= ssh_bsm_tid
;
152 if (the_authctxt
!= NULL
&& the_authctxt
->valid
) {
153 uid
= the_authctxt
->pw
->pw_uid
;
154 gid
= the_authctxt
->pw
->pw_gid
;
157 rc
= (typ
== 0) ? 0 : -1;
158 sel
= selected(the_authctxt
->user
, uid
, event_no
, rc
);
159 debug3("BSM audit: typ %d rc %d \"%s\"", typ
, rc
, string
);
161 return; /* audit event does not match mask, do not write */
163 debug3("BSM audit: writing audit new record");
166 (void) au_write(ad
, AUToSubjectFunc(uid
, uid
, gid
, uid
, gid
,
168 (void) au_write(ad
, au_to_text(string
));
169 (void) au_write(ad
, AUToReturnFunc(typ
, rc
));
171 rc
= au_close(ad
, AU_TO_WRITE
, event_no
);
173 error("BSM audit: %s failed to write \"%s\" record: %s",
174 __func__
, string
, strerror(errno
));
178 bsm_audit_session_setup(void)
181 struct AuditInfoStruct info
;
184 if (the_authctxt
== NULL
) {
185 error("BSM audit: session setup internal error (NULL ctxt)");
189 if (the_authctxt
->valid
)
190 info
.ai_auid
= the_authctxt
->pw
->pw_uid
;
193 info
.ai_asid
= getpid();
197 (void) au_user_mask(the_authctxt
->user
, &mask
);
199 info
.ai_mask
.am_success
= mask
.am_success
;
200 info
.ai_mask
.am_failure
= mask
.am_failure
;
202 info
.ai_termid
= ssh_bsm_tid
;
204 rc
= SetAuditFunc(&info
, sizeof(info
));
206 error("BSM audit: %s: %s failed: %s", __func__
,
207 SetAuditFuncText
, strerror(errno
));
211 bsm_audit_bad_login(const char *what
)
213 char textbuf
[BSM_TEXTBUFSZ
];
215 if (the_authctxt
->valid
) {
216 (void) snprintf(textbuf
, sizeof (textbuf
),
217 gettext("invalid %s for user %s"),
218 what
, the_authctxt
->user
);
219 bsm_audit_record(4, textbuf
, AUE_openssh
);
221 (void) snprintf(textbuf
, sizeof (textbuf
),
222 gettext("invalid user name \"%s\""),
224 bsm_audit_record(3, textbuf
, AUE_openssh
);
228 /* Below is the sshd audit API code */
231 audit_connection_from(const char *host
, int port
)
233 AuditInfoTermID
*tid
= &ssh_bsm_tid
;
238 debug3("BSM audit: connection from %.100s port %d", host
, port
);
240 /* populate our terminal id structure */
241 #if defined(HAVE_GETAUDIT_ADDR)
242 tid
->at_port
= (dev_t
)port
;
243 aug_get_machine((char *)host
, &(tid
->at_addr
[0]), &(tid
->at_type
));
244 snprintf(buf
, sizeof(buf
), "%08x %08x %08x %08x", tid
->at_addr
[0],
245 tid
->at_addr
[1], tid
->at_addr
[2], tid
->at_addr
[3]);
246 debug3("BSM audit: iptype %d machine ID %s", (int)tid
->at_type
, buf
);
248 /* this is used on IPv4-only machines */
249 tid
->port
= (dev_t
)port
;
250 tid
->machine
= inet_addr(host
);
251 snprintf(buf
, sizeof(buf
), "%08x", tid
->machine
);
252 debug3("BSM audit: machine ID %s", buf
);
257 audit_run_command(const char *command
)
259 /* not implemented */
263 audit_session_open(const char *ttyn
)
265 /* not implemented */
269 audit_session_close(const char *ttyn
)
271 /* not implemented */
275 audit_event(ssh_audit_event_t event
)
277 char textbuf
[BSM_TEXTBUFSZ
];
278 static int logged_in
= 0;
279 const char *user
= the_authctxt
? the_authctxt
->user
: "(unknown user)";
285 case SSH_AUTH_SUCCESS
:
287 bsm_audit_session_setup();
288 snprintf(textbuf
, sizeof(textbuf
),
289 gettext("successful login %s"), user
);
290 bsm_audit_record(0, textbuf
, AUE_openssh
);
293 case SSH_CONNECTION_CLOSE
:
295 * We can also get a close event if the user attempted auth
296 * but never succeeded.
299 snprintf(textbuf
, sizeof(textbuf
),
300 gettext("sshd logout %s"), the_authctxt
->user
);
301 bsm_audit_record(0, textbuf
, AUE_logout
);
303 debug("%s: connection closed without authentication",
310 gettext("logins disabled by /etc/nologin"), AUE_openssh
);
313 case SSH_LOGIN_EXCEED_MAXTRIES
:
314 snprintf(textbuf
, sizeof(textbuf
),
315 gettext("too many tries for user %s"), the_authctxt
->user
);
316 bsm_audit_record(1, textbuf
, AUE_openssh
);
319 case SSH_LOGIN_ROOT_DENIED
:
320 bsm_audit_record(2, gettext("not_console"), AUE_openssh
);
323 case SSH_AUTH_FAIL_PASSWD
:
324 bsm_audit_bad_login("password");
327 case SSH_AUTH_FAIL_KBDINT
:
328 bsm_audit_bad_login("interactive password entry");
332 debug("%s: unhandled event %d", __func__
, event
);