search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ctdb-scripts: Support storing statd-callout state in cluster filesystem
[samba4-gss.git] / auth / auth_log.c
bloba918db4e37fd4eb7dfe575090de0b8073ea7b5cb
1 /*
2
3 Authentication and authorization logging
4
5 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2017
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 /*
22 * Debug log levels for authentication logging (these both map to
23 * LOG_NOTICE in syslog)
24 */
25 #define AUTH_FAILURE_LEVEL 2
26 #define AUTH_SUCCESS_LEVEL 3
27 #define AUTHZ_SUCCESS_LEVEL 4
28 #define KDC_AUTHZ_FAILURE_LEVEL 2
29 #define KDC_AUTHZ_SUCCESS_LEVEL 3
30
31 /* 5 is used for both authentication and authorization */
32 #define AUTH_ANONYMOUS_LEVEL 5
33 #define AUTHZ_ANONYMOUS_LEVEL 5
34
35 #define AUTHZ_JSON_TYPE "Authorization"
36 #define AUTH_JSON_TYPE "Authentication"
37 #define KDC_AUTHZ_JSON_TYPE "KDC Authorization"
38
39 /*
40 * JSON message version numbers
41 *
42 * If adding a field increment the minor version
43 * If removing or changing the format/meaning of a field
44 * increment the major version.
45 */
46 #define AUTH_MAJOR 1
47 #define AUTH_MINOR 3
48 #define AUTHZ_MAJOR 1
49 #define AUTHZ_MINOR 2
50 #define KDC_AUTHZ_MAJOR 1
51 #define KDC_AUTHZ_MINOR 0
52
53 #include "includes.h"
54 #include "../lib/tsocket/tsocket.h"
55 #include "common_auth.h"
56 #include "lib/util/util_str_escape.h"
57 #include "libcli/security/dom_sid.h"
58 #include "libcli/security/security_token.h"
59 #include "librpc/gen_ndr/server_id.h"
60 #include "source4/lib/messaging/messaging.h"
61 #include "source4/lib/messaging/irpc.h"
62 #include "lib/util/server_id_db.h"
63 #include "lib/param/param.h"
64 #include "librpc/ndr/libndr.h"
65 #include "librpc/gen_ndr/windows_event_ids.h"
66 #include "lib/audit_logging/audit_logging.h"
67
68 /*
69 * Determine the type of the password supplied for the
70 * authorisation attempt.
71 *
72 */
73 static const char* get_password_type(const struct auth_usersupplied_info *ui);
74
75 #ifdef HAVE_JANSSON
76
77 #include <jansson.h>
78 #include "system/time.h"
79
80 /*
81 * Write the json object to the debug logs.
82 *
83 */
84 static void log_json(struct imessaging_context *msg_ctx,
85 struct loadparm_context *lp_ctx,
86 struct json_object *object,
87 int debug_class,
88 int debug_level)
89 {
90 audit_log_json(object, debug_class, debug_level);
91 if (msg_ctx && lp_ctx && lpcfg_auth_event_notification(lp_ctx)) {
92 audit_message_send(msg_ctx,
93 AUTH_EVENT_NAME,
94 MSG_AUTH_LOG,
95 object);
96 }
97 }
98
99 /*
100 * Determine the Windows logon type for the current authorisation attempt.
101 *
102 * Currently Samba only supports
103 *
104 * 2 Interactive A user logged on to this computer.
105 * 3 Network A user or computer logged on to this computer from
106 * the network.
107 * 8 NetworkCleartext A user logged on to this computer from the network.
108 * The user's password was passed to the authentication
109 * package in its unhashed form.
110 *
111 */
112 static enum event_logon_type get_logon_type(
113 const struct auth_usersupplied_info *ui)
114 {
115 if ((ui->logon_parameters & MSV1_0_CLEARTEXT_PASSWORD_SUPPLIED)
116 || (ui->password_state == AUTH_PASSWORD_PLAIN)) {
117 return EVT_LOGON_NETWORK_CLEAR_TEXT;
118 } else if (ui->flags & USER_INFO_INTERACTIVE_LOGON) {
119 return EVT_LOGON_INTERACTIVE;
120 }
121 return EVT_LOGON_NETWORK;
122 }
123
124 /*
125 * Write a machine parsable json formatted authentication log entry.
126 *
127 * IF removing or changing the format/meaning of a field please update the
128 * major version number AUTH_MAJOR
129 *
130 * IF adding a new field please update the minor version number AUTH_MINOR
131 *
132 * To process the resulting log lines from the command line use jq to
133 * parse the json.
134 *
135 * grep "^ {" log file |
136 * jq -rc '"\(.timestamp)\t\(.Authentication.status)\t
137 * \(.Authentication.clientDomain)\t
138 * \(.Authentication.clientAccount)
139 * \t\(.Authentication.workstation)
140 * \t\(.Authentication.remoteAddress)
141 * \t\(.Authentication.localAddress)"'
142 */
143 static void log_authentication_event_json(
144 struct imessaging_context *msg_ctx,
145 struct loadparm_context *lp_ctx,
146 const struct timeval *start_time,
147 const struct auth_usersupplied_info *ui,
148 NTSTATUS status,
149 const char *domain_name,
150 const char *account_name,
151 struct dom_sid *sid,
152 const struct authn_audit_info *client_audit_info,
153 const struct authn_audit_info *server_audit_info,
154 enum event_id_type event_id,
155 int debug_level)
156 {
157 struct json_object wrapper = json_empty_object;
158 struct json_object authentication = json_empty_object;
159 struct json_object client_policy = json_null_object();
160 struct json_object server_policy = json_null_object();
161 char logon_id[19];
162 int rc = 0;
163 const char *clientDomain = ui->orig_client.domain_name ?
164 ui->orig_client.domain_name :
165 ui->client.domain_name;
166 const char *clientAccount = ui->orig_client.account_name ?
167 ui->orig_client.account_name :
168 ui->client.account_name;
169
170 authentication = json_new_object();
171 if (json_is_invalid(&authentication)) {
172 goto failure;
173 }
174 rc = json_add_version(&authentication, AUTH_MAJOR, AUTH_MINOR);
175 if (rc != 0) {
176 goto failure;
177 }
178 rc = json_add_int(&authentication,
179 "eventId",
180 event_id);
181 if (rc != 0) {
182 goto failure;
183 }
184 snprintf(logon_id,
185 sizeof( logon_id),
186 "%"PRIx64"",
187 ui->logon_id);
188 rc = json_add_string(&authentication, "logonId", logon_id);
189 if (rc != 0) {
190 goto failure;
191 }
192 rc = json_add_int(&authentication, "logonType", get_logon_type(ui));
193 if (rc != 0) {
194 goto failure;
195 }
196 rc = json_add_string(&authentication, "status", nt_errstr(status));
197 if (rc != 0) {
198 goto failure;
199 }
200 rc = json_add_address(&authentication, "localAddress", ui->local_host);
201 if (rc != 0) {
202 goto failure;
203 }
204 rc =
205 json_add_address(&authentication, "remoteAddress", ui->remote_host);
206 if (rc != 0) {
207 goto failure;
208 }
209 rc = json_add_string(
210 &authentication, "serviceDescription", ui->service_description);
211 if (rc != 0) {
212 goto failure;
213 }
214 rc = json_add_string(
215 &authentication, "authDescription", ui->auth_description);
216 if (rc != 0) {
217 goto failure;
218 }
219 rc = json_add_string(
220 &authentication, "clientDomain", clientDomain);
221 if (rc != 0) {
222 goto failure;
223 }
224 rc = json_add_string(
225 &authentication, "clientAccount", clientAccount);
226 if (rc != 0) {
227 goto failure;
228 }
229 rc = json_add_string(
230 &authentication, "workstation", ui->workstation_name);
231 if (rc != 0) {
232 goto failure;
233 }
234 rc = json_add_string(&authentication, "becameAccount", account_name);
235 if (rc != 0) {
236 goto failure;
237 }
238 rc = json_add_string(&authentication, "becameDomain", domain_name);
239 if (rc != 0) {
240 goto failure;
241 }
242 rc = json_add_sid(&authentication, "becameSid", sid);
243 if (rc != 0) {
244 goto failure;
245 }
246 rc = json_add_string(
247 &authentication, "mappedAccount", ui->mapped.account_name);
248 if (rc != 0) {
249 goto failure;
250 }
251 rc = json_add_string(
252 &authentication, "mappedDomain", ui->mapped.domain_name);
253 if (rc != 0) {
254 goto failure;
255 }
256 rc = json_add_string(&authentication,
257 "netlogonComputer",
258 ui->netlogon_trust_account.computer_name);
259 if (rc != 0) {
260 goto failure;
261 }
262 rc = json_add_string(&authentication,
263 "netlogonTrustAccount",
264 ui->netlogon_trust_account.account_name);
265 if (rc != 0) {
266 goto failure;
267 }
268 rc = json_add_flags32(
269 &authentication, "netlogonNegotiateFlags",
270 ui->netlogon_trust_account.negotiate_flags);
271 if (rc != 0) {
272 goto failure;
273 }
274 rc = json_add_int(&authentication,
275 "netlogonSecureChannelType",
276 ui->netlogon_trust_account.secure_channel_type);
277 if (rc != 0) {
278 goto failure;
279 }
280 rc = json_add_sid(&authentication,
281 "netlogonTrustAccountSid",
282 ui->netlogon_trust_account.sid);
283 if (rc != 0) {
284 goto failure;
285 }
286 rc = json_add_string(
287 &authentication, "passwordType", get_password_type(ui));
288 if (rc != 0) {
289 goto failure;
290 }
291
292 if (client_audit_info != NULL) {
293 client_policy = json_from_audit_info(client_audit_info);
294 if (json_is_invalid(&client_policy)) {
295 goto failure;
296 }
297 }
298
299 rc = json_add_object(&authentication, "clientPolicyAccessCheck", &client_policy);
300 if (rc != 0) {
301 goto failure;
302 }
303
304 if (server_audit_info != NULL) {
305 server_policy = json_from_audit_info(server_audit_info);
306 if (json_is_invalid(&server_policy)) {
307 goto failure;
308 }
309 }
310
311 rc = json_add_object(&authentication, "serverPolicyAccessCheck", &server_policy);
312 if (rc != 0) {
313 goto failure;
314 }
315
316 wrapper = json_new_object();
317 if (json_is_invalid(&wrapper)) {
318 goto failure;
319 }
320 rc = json_add_timestamp(&wrapper);
321 if (rc != 0) {
322 goto failure;
323 }
324 rc = json_add_string(&wrapper, "type", AUTH_JSON_TYPE);
325 if (rc != 0) {
326 goto failure;
327 }
328 rc = json_add_object(&wrapper, AUTH_JSON_TYPE, &authentication);
329 if (rc != 0) {
330 goto failure;
331 }
332
333 /*
334 * While not a general-purpose profiling solution this will
335 * assist some to determine how long NTLM and KDC
336 * authentication takes once this process can handle it. This
337 * covers transactions elsewhere but not (eg) the delay while
338 * this is waiting unread on the input socket.
339 */
340 if (start_time != NULL) {
341 struct timeval current_time = timeval_current();
342 uint64_t duration = usec_time_diff(&current_time,
343 start_time);
344 rc = json_add_int(&authentication, "duration", duration);
345 if (rc != 0) {
346 goto failure;
347 }
348 }
349
350 log_json(msg_ctx,
351 lp_ctx,
352 &wrapper,
353 DBGC_AUTH_AUDIT_JSON,
354 debug_level);
355 json_free(&wrapper);
356 return;
357 failure:
358 json_free(&server_policy);
359 json_free(&client_policy);
360 /*
361 * On a failure authentication will not have been added to wrapper so it
362 * needs to be freed to avoid a leak.
363 *
364 */
365 json_free(&authentication);
366 json_free(&wrapper);
367 DBG_ERR("Failed to write authentication event JSON log message\n");
368 }
369
370 /*
371 * Log details of a successful authorization to a service,
372 * in a machine parsable json format
373 *
374 * IF removing or changing the format/meaning of a field please update the
375 * major version number AUTHZ_MAJOR
376 *
377 * IF adding a new field please update the minor version number AUTHZ_MINOR
378 *
379 * To process the resulting log lines from the command line use jq to
380 * parse the json.
381 *
382 * grep "^ {" log_file |\
383 * jq -rc '"\(.timestamp)\t
384 * \(.Authorization.domain)\t
385 * \(.Authorization.account)\t
386 * \(.Authorization.remoteAddress)"'
387 *
388 */
389 static void log_successful_authz_event_json(
390 struct imessaging_context *msg_ctx,
391 struct loadparm_context *lp_ctx,
392 const struct tsocket_address *remote,
393 const struct tsocket_address *local,
394 const char *service_description,
395 const char *auth_type,
396 const char *transport_protection,
397 struct auth_session_info *session_info,
398 const struct authn_audit_info *client_audit_info,
399 const struct authn_audit_info *server_audit_info,
400 int debug_level)
401 {
402 struct json_object wrapper = json_empty_object;
403 struct json_object authorization = json_empty_object;
404 struct json_object client_policy = json_null_object();
405 struct json_object server_policy = json_null_object();
406 int rc = 0;
407
408 authorization = json_new_object();
409 if (json_is_invalid(&authorization)) {
410 goto failure;
411 }
412 rc = json_add_version(&authorization, AUTHZ_MAJOR, AUTHZ_MINOR);
413 if (rc != 0) {
414 goto failure;
415 }
416 rc = json_add_address(&authorization, "localAddress", local);
417 if (rc != 0) {
418 goto failure;
419 }
420 rc = json_add_address(&authorization, "remoteAddress", remote);
421 if (rc != 0) {
422 goto failure;
423 }
424 rc = json_add_string(
425 &authorization, "serviceDescription", service_description);
426 if (rc != 0) {
427 goto failure;
428 }
429 rc = json_add_string(&authorization, "authType", auth_type);
430 if (rc != 0) {
431 goto failure;
432 }
433 rc = json_add_string(
434 &authorization, "domain", session_info->info->domain_name);
435 if (rc != 0) {
436 goto failure;
437 }
438 rc = json_add_string(
439 &authorization, "account", session_info->info->account_name);
440 if (rc != 0) {
441 goto failure;
442 }
443 rc = json_add_sid(
444 &authorization, "sid", &session_info->security_token->sids[PRIMARY_USER_SID_INDEX]);
445 if (rc != 0) {
446 goto failure;
447 }
448 rc = json_add_guid(
449 &authorization, "sessionId", &session_info->unique_session_token);
450 if (rc != 0) {
451 goto failure;
452 }
453 rc = json_add_string(
454 &authorization, "logonServer", session_info->info->logon_server);
455 if (rc != 0) {
456 goto failure;
457 }
458 rc = json_add_string(
459 &authorization, "transportProtection", transport_protection);
460 if (rc != 0) {
461 goto failure;
462 }
463 rc = json_add_flags32(&authorization, "accountFlags", session_info->info->acct_flags);
464 if (rc != 0) {
465 goto failure;
466 }
467
468 if (client_audit_info != NULL) {
469 client_policy = json_from_audit_info(client_audit_info);
470 if (json_is_invalid(&client_policy)) {
471 goto failure;
472 }
473 }
474
475 rc = json_add_object(&authorization, "clientPolicyAccessCheck", &client_policy);
476 if (rc != 0) {
477 goto failure;
478 }
479
480 if (server_audit_info != NULL) {
481 server_policy = json_from_audit_info(server_audit_info);
482 if (json_is_invalid(&server_policy)) {
483 goto failure;
484 }
485 }
486
487 rc = json_add_object(&authorization, "serverPolicyAccessCheck", &server_policy);
488 if (rc != 0) {
489 goto failure;
490 }
491
492 wrapper = json_new_object();
493 if (json_is_invalid(&wrapper)) {
494 goto failure;
495 }
496 rc = json_add_timestamp(&wrapper);
497 if (rc != 0) {
498 goto failure;
499 }
500 rc = json_add_string(&wrapper, "type", AUTHZ_JSON_TYPE);
501 if (rc != 0) {
502 goto failure;
503 }
504 rc = json_add_object(&wrapper, AUTHZ_JSON_TYPE, &authorization);
505 if (rc != 0) {
506 goto failure;
507 }
508
509 log_json(msg_ctx,
510 lp_ctx,
511 &wrapper,
512 DBGC_AUTH_AUDIT_JSON,
513 debug_level);
514 json_free(&wrapper);
515 return;
516 failure:
517 json_free(&server_policy);
518 json_free(&client_policy);
519 /*
520 * On a failure authorization will not have been added to wrapper so it
521 * needs to be freed to avoid a leak.
522 *
523 */
524 json_free(&authorization);
525 json_free(&wrapper);
526 DBG_ERR("Unable to log Authentication event JSON audit message\n");
527 }
528
529 /*
530 * Log details of an authorization to a service, in a machine parsable json
531 * format
532 *
533 * IF removing or changing the format/meaning of a field please update the
534 * major version number KDC_AUTHZ_MAJOR
535 *
536 * IF adding a new field please update the minor version number KDC_AUTHZ_MINOR
537 *
538 * To process the resulting log lines from the command line use jq to
539 * parse the json.
540 *
541 * grep "^ {" log_file |\
542 * jq -rc '"\(.timestamp)\t
543 * \(."KDC Authorization".domain)\t
544 * \(."KDC Authorization".account)\t
545 * \(."KDC Authorization".remoteAddress)"'
546 *
547 */
548 static void log_authz_event_json(
549 struct imessaging_context *msg_ctx,
550 struct loadparm_context *lp_ctx,
551 const struct tsocket_address *remote,
552 const struct tsocket_address *local,
553 const struct authn_audit_info *server_audit_info,
554 const char *service_description,
555 const char *auth_type,
556 const char *domain_name,
557 const char *account_name,
558 const struct dom_sid *sid,
559 const char *logon_server,
560 const struct timeval authtime,
561 NTSTATUS status,
562 int debug_level)
563 {
564 struct json_object wrapper = json_empty_object;
565 struct json_object authorization = json_empty_object;
566 struct json_object server_policy = json_null_object();
567 int rc = 0;
568
569 authorization = json_new_object();
570 if (json_is_invalid(&authorization)) {
571 goto failure;
572 }
573 rc = json_add_version(&authorization, KDC_AUTHZ_MAJOR, KDC_AUTHZ_MINOR);
574 if (rc != 0) {
575 goto failure;
576 }
577 rc = json_add_string(&authorization, "status", nt_errstr(status));
578 if (rc != 0) {
579 goto failure;
580 }
581 rc = json_add_address(&authorization, "localAddress", local);
582 if (rc != 0) {
583 goto failure;
584 }
585 rc = json_add_address(&authorization, "remoteAddress", remote);
586 if (rc != 0) {
587 goto failure;
588 }
589 rc = json_add_string(
590 &authorization, "serviceDescription", service_description);
591 if (rc != 0) {
592 goto failure;
593 }
594 rc = json_add_string(&authorization, "authType", auth_type);
595 if (rc != 0) {
596 goto failure;
597 }
598 rc = json_add_string(&authorization, "domain", domain_name);
599 if (rc != 0) {
600 goto failure;
601 }
602 rc = json_add_string(&authorization, "account", account_name);
603 if (rc != 0) {
604 goto failure;
605 }
606 rc = json_add_sid(&authorization, "sid", sid);
607 if (rc != 0) {
608 goto failure;
609 }
610 rc = json_add_string(&authorization, "logonServer", logon_server);
611 if (rc != 0) {
612 goto failure;
613 }
614 rc = json_add_time(&authorization, "authTime", authtime);
615 if (rc != 0) {
616 goto failure;
617 }
618
619 if (server_audit_info != NULL) {
620 server_policy = json_from_audit_info(server_audit_info);
621 if (json_is_invalid(&server_policy)) {
622 goto failure;
623 }
624 }
625
626 rc = json_add_object(&authorization, "serverPolicyAccessCheck", &server_policy);
627 if (rc != 0) {
628 goto failure;
629 }
630
631 wrapper = json_new_object();
632 if (json_is_invalid(&wrapper)) {
633 goto failure;
634 }
635 rc = json_add_timestamp(&wrapper);
636 if (rc != 0) {
637 goto failure;
638 }
639 rc = json_add_string(&wrapper, "type", KDC_AUTHZ_JSON_TYPE);
640 if (rc != 0) {
641 goto failure;
642 }
643 rc = json_add_object(&wrapper, KDC_AUTHZ_JSON_TYPE, &authorization);
644 if (rc != 0) {
645 goto failure;
646 }
647
648 log_json(msg_ctx,
649 lp_ctx,
650 &wrapper,
651 DBGC_AUTH_AUDIT_JSON,
652 debug_level);
653 json_free(&wrapper);
654 return;
655 failure:
656 json_free(&server_policy);
657 /*
658 * On a failure authorization will not have been added to wrapper so it
659 * needs to be freed to avoid a leak.
660 */
661 json_free(&authorization);
662 json_free(&wrapper);
663 DBG_ERR("Unable to log KDC Authorization event JSON audit message\n");
664 }
665
666 #else
667
668 static void log_no_json(struct imessaging_context *msg_ctx,
669 struct loadparm_context *lp_ctx)
670 {
671 if (msg_ctx && lp_ctx && lpcfg_auth_event_notification(lp_ctx)) {
672 static bool auth_event_logged = false;
673 if (auth_event_logged == false) {
674 auth_event_logged = true;
675 DBG_ERR("auth event notification = true but Samba was "
676 "not compiled with jansson\n");
677 }
678 } else {
679 static bool json_logged = false;
680 if (json_logged == false) {
681 json_logged = true;
682 DBG_NOTICE("JSON auth logs not available unless "
683 "compiled with jansson\n");
684 }
685 }
686 }
687
688 static void log_authentication_event_json(
689 struct imessaging_context *msg_ctx,
690 struct loadparm_context *lp_ctx,
691 const struct timeval *start_time,
692 const struct auth_usersupplied_info *ui,
693 NTSTATUS status,
694 const char *domain_name,
695 const char *account_name,
696 struct dom_sid *sid,
697 const struct authn_audit_info *client_audit_info,
698 const struct authn_audit_info *server_audit_info,
699 enum event_id_type event_id,
700 int debug_level)
701 {
702 log_no_json(msg_ctx, lp_ctx);
703 }
704
705 static void log_successful_authz_event_json(
706 struct imessaging_context *msg_ctx,
707 struct loadparm_context *lp_ctx,
708 const struct tsocket_address *remote,
709 const struct tsocket_address *local,
710 const char *service_description,
711 const char *auth_type,
712 const char *transport_protection,
713 struct auth_session_info *session_info,
714 const struct authn_audit_info *client_audit_info,
715 const struct authn_audit_info *server_audit_info,
716 int debug_level)
717 {
718 log_no_json(msg_ctx, lp_ctx);
719 }
720
721 static void log_authz_event_json(
722 struct imessaging_context *msg_ctx,
723 struct loadparm_context *lp_ctx,
724 const struct tsocket_address *remote,
725 const struct tsocket_address *local,
726 const struct authn_audit_info *server_audit_info,
727 const char *service_description,
728 const char *auth_type,
729 const char *domain_name,
730 const char *account_name,
731 const struct dom_sid *sid,
732 const char *logon_server,
733 const struct timeval authtime,
734 NTSTATUS status,
735 int debug_level)
736 {
737 log_no_json(msg_ctx, lp_ctx);
738 }
739
740 #endif
741
742 /*
743 * Determine the type of the password supplied for the
744 * authorisation attempt.
745 *
746 */
747 static const char* get_password_type(const struct auth_usersupplied_info *ui)
748 {
749
750 const char *password_type = NULL;
751
752 if (ui->password_type != NULL) {
753 password_type = ui->password_type;
754 } else if (ui->auth_description != NULL &&
755 strncmp("ServerAuthenticate", ui->auth_description, 18) == 0)
756 {
757 if (ui->netlogon_trust_account.authenticate_kerberos) {
758 password_type = "Kerberos";
759 } else if (ui->netlogon_trust_account.negotiate_flags
760 & NETLOGON_NEG_SUPPORTS_AES) {
761 password_type = "HMAC-SHA256";
762 } else if (ui->netlogon_trust_account.negotiate_flags
763 & NETLOGON_NEG_STRONG_KEYS) {
764 password_type = "HMAC-MD5";
765 } else {
766 password_type = "DES";
767 }
768 } else if (ui->password_state == AUTH_PASSWORD_RESPONSE &&
769 (ui->logon_parameters & MSV1_0_ALLOW_MSVCHAPV2) &&
770 ui->password.response.nt.length == 24) {
771 password_type = "MSCHAPv2";
772 } else if ((ui->logon_parameters & MSV1_0_CLEARTEXT_PASSWORD_SUPPLIED)
773 || (ui->password_state == AUTH_PASSWORD_PLAIN)) {
774 password_type = "Plaintext";
775 } else if (ui->password_state == AUTH_PASSWORD_HASH) {
776 password_type = "Supplied-NT-Hash";
777 } else if (ui->password_state == AUTH_PASSWORD_RESPONSE
778 && ui->password.response.nt.length > 24) {
779 password_type = "NTLMv2";
780 } else if (ui->password_state == AUTH_PASSWORD_RESPONSE
781 && ui->password.response.nt.length == 24) {
782 password_type = "NTLMv1";
783 } else if (ui->password_state == AUTH_PASSWORD_RESPONSE
784 && ui->password.response.lanman.length == 24) {
785 password_type = "LANMan";
786 } else if (ui->password_state == AUTH_PASSWORD_RESPONSE
787 && ui->password.response.nt.length == 0
788 && ui->password.response.lanman.length == 0) {
789 password_type = "No-Password";
790 }
791 return password_type;
792 }
793
794 /*
795 * Write a human readable authentication log entry.
796 *
797 */
798 static void log_authentication_event_human_readable(
799 const struct auth_usersupplied_info *ui,
800 NTSTATUS status,
801 const char *domain_name,
802 const char *account_name,
803 struct dom_sid *sid,
804 int debug_level)
805 {
806 TALLOC_CTX *frame = NULL;
807
808 const char *ts = NULL; /* formatted current time */
809 char *remote = NULL; /* formatted remote host */
810 char *local = NULL; /* formatted local host */
811 char *nl = NULL; /* NETLOGON details if present */
812 char *trust_computer_name = NULL;
813 char *trust_account_name = NULL;
814 char *logon_line = NULL;
815 const char *password_type = NULL;
816 const char *clientDomain = ui->orig_client.domain_name ?
817 ui->orig_client.domain_name :
818 ui->client.domain_name;
819 const char *clientAccount = ui->orig_client.account_name ?
820 ui->orig_client.account_name :
821 ui->client.account_name;
822
823 frame = talloc_stackframe();
824
825 password_type = get_password_type(ui);
826 /* Get the current time */
827 ts = audit_get_timestamp(frame);
828
829 /* Only log the NETLOGON details if they are present */
830 if (ui->netlogon_trust_account.computer_name ||
831 ui->netlogon_trust_account.account_name) {
832 trust_computer_name = log_escape(frame,
833 ui->netlogon_trust_account.computer_name);
834 trust_account_name = log_escape(frame,
835 ui->netlogon_trust_account.account_name);
836 nl = talloc_asprintf(frame,
837 " NETLOGON computer [%s] trust account [%s]",
838 trust_computer_name, trust_account_name);
839 }
840
841 remote = tsocket_address_string(ui->remote_host, frame);
842 local = tsocket_address_string(ui->local_host, frame);
843
844 if (NT_STATUS_IS_OK(status)) {
845 struct dom_sid_buf sid_buf;
846
847 logon_line = talloc_asprintf(frame,
848 " became [%s]\\[%s] [%s].",
849 log_escape(frame, domain_name),
850 log_escape(frame, account_name),
851 dom_sid_str_buf(sid, &sid_buf));
852 } else {
853 logon_line = talloc_asprintf(
854 frame,
855 " mapped to [%s]\\[%s].",
856 log_escape(frame, ui->mapped.domain_name),
857 log_escape(frame, ui->mapped.account_name));
858 }
859
860 DEBUGC(DBGC_AUTH_AUDIT, debug_level,
861 ("Auth: [%s,%s] user [%s]\\[%s]"
862 " at [%s] with [%s] status [%s]"
863 " workstation [%s] remote host [%s]"
864 "%s local host [%s]"
865 " %s\n",
866 ui->service_description,
867 ui->auth_description,
868 log_escape(frame, clientDomain),
869 log_escape(frame, clientAccount),
870 ts,
871 password_type,
872 nt_errstr(status),
873 log_escape(frame, ui->workstation_name),
874 remote,
875 logon_line,
876 local,
877 nl ? nl : ""
878 ));
879
880 talloc_free(frame);
881 }
882
883 /*
884 * Log details of an authentication attempt.
885 * Successful and unsuccessful attempts are logged.
886 *
887 * NOTE: msg_ctx and lp_ctx is optional, but when supplied allows streaming the
888 * authentication events over the message bus.
889 */
890 void log_authentication_event(
891 struct imessaging_context *msg_ctx,
892 struct loadparm_context *lp_ctx,
893 const struct timeval *start_time,
894 const struct auth_usersupplied_info *ui,
895 NTSTATUS status,
896 const char *domain_name,
897 const char *account_name,
898 struct dom_sid *sid,
899 const struct authn_audit_info *client_audit_info,
900 const struct authn_audit_info *server_audit_info)
901 {
902 /* set the log level */
903 int debug_level = AUTH_FAILURE_LEVEL;
904 enum event_id_type event_id = EVT_ID_UNSUCCESSFUL_LOGON;
905
906 if (NT_STATUS_IS_OK(status)) {
907 debug_level = AUTH_SUCCESS_LEVEL;
908 event_id = EVT_ID_SUCCESSFUL_LOGON;
909 if (dom_sid_equal(sid, &global_sid_Anonymous)) {
910 debug_level = AUTH_ANONYMOUS_LEVEL;
911 }
912 }
913
914 if (CHECK_DEBUGLVLC(DBGC_AUTH_AUDIT, debug_level)) {
915 log_authentication_event_human_readable(ui,
916 status,
917 domain_name,
918 account_name,
919 sid,
920 debug_level);
921 }
922 if (CHECK_DEBUGLVLC(DBGC_AUTH_AUDIT_JSON, debug_level) ||
923 (msg_ctx && lp_ctx && lpcfg_auth_event_notification(lp_ctx))) {
924 log_authentication_event_json(msg_ctx,
925 lp_ctx,
926 start_time,
927 ui,
928 status,
929 domain_name,
930 account_name,
931 sid,
932 client_audit_info,
933 server_audit_info,
934 event_id,
935 debug_level);
936 }
937 }
938
939
940
941 /*
942 * Log details of a successful authorization to a service,
943 * in a human readable format.
944 *
945 */
946 static void log_successful_authz_event_human_readable(
947 const struct tsocket_address *remote,
948 const struct tsocket_address *local,
949 const char *service_description,
950 const char *auth_type,
951 struct auth_session_info *session_info,
952 int debug_level)
953 {
954 TALLOC_CTX *frame = NULL;
955
956 const char *ts = NULL; /* formatted current time */
957 char *remote_str = NULL; /* formatted remote host */
958 char *local_str = NULL; /* formatted local host */
959 struct dom_sid_buf sid_buf;
960
961 frame = talloc_stackframe();
962
963 /* Get the current time */
964 ts = audit_get_timestamp(frame);
965
966 remote_str = tsocket_address_string(remote, frame);
967 local_str = tsocket_address_string(local, frame);
968
969 DEBUGC(DBGC_AUTH_AUDIT, debug_level,
970 ("Successful AuthZ: [%s,%s] user [%s]\\[%s] [%s]"
971 " at [%s]"
972 " Remote host [%s]"
973 " local host [%s]\n",
974 service_description,
975 auth_type,
976 log_escape(frame, session_info->info->domain_name),
977 log_escape(frame, session_info->info->account_name),
978 dom_sid_str_buf(&session_info->security_token->sids[PRIMARY_USER_SID_INDEX],
979 &sid_buf),
980 ts,
981 remote_str,
982 local_str));
983
984 talloc_free(frame);
985 }
986
987 /*
988 * Log details of a successful authorization to a service.
989 *
990 * Only successful authorizations are logged. For clarity:
991 * - NTLM bad passwords will be recorded by log_authentication_event
992 * - Kerberos decrypt failures need to be logged in gensec_gssapi et al
993 *
994 * The service may later refuse authorization due to an ACL.
995 *
996 * NOTE: msg_ctx and lp_ctx is optional, but when supplied allows streaming the
997 * authentication events over the message bus.
998 */
999 void log_successful_authz_event(
1000 struct imessaging_context *msg_ctx,
1001 struct loadparm_context *lp_ctx,
1002 const struct tsocket_address *remote,
1003 const struct tsocket_address *local,
1004 const char *service_description,
1005 const char *auth_type,
1006 const char *transport_protection,
1007 struct auth_session_info *session_info,
1008 const struct authn_audit_info *client_audit_info,
1009 const struct authn_audit_info *server_audit_info)
1010 {
1011 int debug_level = AUTHZ_SUCCESS_LEVEL;
1012
1013 /* set the log level */
1014 if (security_token_is_anonymous(session_info->security_token)) {
1015 debug_level = AUTH_ANONYMOUS_LEVEL;
1016 }
1017
1018 if (CHECK_DEBUGLVLC(DBGC_AUTH_AUDIT, debug_level)) {
1019 log_successful_authz_event_human_readable(remote,
1020 local,
1021 service_description,
1022 auth_type,
1023 session_info,
1024 debug_level);
1025 }
1026 if (CHECK_DEBUGLVLC(DBGC_AUTH_AUDIT_JSON, debug_level) ||
1027 (msg_ctx && lp_ctx && lpcfg_auth_event_notification(lp_ctx))) {
1028 log_successful_authz_event_json(msg_ctx, lp_ctx,
1029 remote,
1030 local,
1031 service_description,
1032 auth_type,
1033 transport_protection,
1034 session_info,
1035 client_audit_info,
1036 server_audit_info,
1037 debug_level);
1038 }
1039 }
1040
1041 /*
1042 * Log details of an authorization to a service.
1043 *
1044 * NOTE: msg_ctx and lp_ctx are optional, but when supplied, allow streaming the
1045 * authorization events over the message bus.
1046 */
1047 void log_authz_event(
1048 struct imessaging_context *msg_ctx,
1049 struct loadparm_context *lp_ctx,
1050 const struct tsocket_address *remote,
1051 const struct tsocket_address *local,
1052 const struct authn_audit_info *server_audit_info,
1053 const char *service_description,
1054 const char *auth_type,
1055 const char *domain_name,
1056 const char *account_name,
1057 const struct dom_sid *sid,
1058 const char *logon_server,
1059 const struct timeval authtime,
1060 NTSTATUS status)
1061 {
1062 /* set the log level */
1063 int debug_level = KDC_AUTHZ_FAILURE_LEVEL;
1064
1065 if (NT_STATUS_IS_OK(status)) {
1066 debug_level = KDC_AUTHZ_SUCCESS_LEVEL;
1067 }
1068
1069 if (CHECK_DEBUGLVLC(DBGC_AUTH_AUDIT_JSON, debug_level) ||
1070 (msg_ctx && lp_ctx && lpcfg_auth_event_notification(lp_ctx))) {
1071 log_authz_event_json(msg_ctx, lp_ctx,
1072 remote,
1073 local,
1074 server_audit_info,
1075 service_description,
1076 auth_type,
1077 domain_name,
1078 account_name,
1079 sid,
1080 logon_server,
1081 authtime,
1082 status,
1083 debug_level);
1084 }
1085 }
GSS-enabled samba4