1761efaa7SDag-Erling Smørgrav /* $Id: audit-bsm.c,v 1.4 2006/09/01 05:38:36 djm Exp $ */ 25e8dbd04SDag-Erling Smørgrav 35e8dbd04SDag-Erling Smørgrav /* 45e8dbd04SDag-Erling Smørgrav * TODO 55e8dbd04SDag-Erling Smørgrav * 65e8dbd04SDag-Erling Smørgrav * - deal with overlap between this and sys_auth_allowed_user 75e8dbd04SDag-Erling Smørgrav * sys_auth_record_login and record_failed_login. 85e8dbd04SDag-Erling Smørgrav */ 95e8dbd04SDag-Erling Smørgrav 105e8dbd04SDag-Erling Smørgrav /* 115e8dbd04SDag-Erling Smørgrav * Copyright 1988-2002 Sun Microsystems, Inc. All rights reserved. 125e8dbd04SDag-Erling Smørgrav * Use is subject to license terms. 135e8dbd04SDag-Erling Smørgrav * 145e8dbd04SDag-Erling Smørgrav * Redistribution and use in source and binary forms, with or without 155e8dbd04SDag-Erling Smørgrav * modification, are permitted provided that the following conditions 165e8dbd04SDag-Erling Smørgrav * are met: 175e8dbd04SDag-Erling Smørgrav * 1. Redistributions of source code must retain the above copyright 185e8dbd04SDag-Erling Smørgrav * notice, this list of conditions and the following disclaimer. 195e8dbd04SDag-Erling Smørgrav * 2. Redistributions in binary form must reproduce the above copyright 205e8dbd04SDag-Erling Smørgrav * notice, this list of conditions and the following disclaimer in the 215e8dbd04SDag-Erling Smørgrav * documentation and/or other materials provided with the distribution. 225e8dbd04SDag-Erling Smørgrav * 235e8dbd04SDag-Erling Smørgrav * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 245e8dbd04SDag-Erling Smørgrav * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 255e8dbd04SDag-Erling Smørgrav * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 265e8dbd04SDag-Erling Smørgrav * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 275e8dbd04SDag-Erling Smørgrav * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 285e8dbd04SDag-Erling Smørgrav * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 295e8dbd04SDag-Erling Smørgrav * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 305e8dbd04SDag-Erling Smørgrav * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 315e8dbd04SDag-Erling Smørgrav * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 325e8dbd04SDag-Erling Smørgrav * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 335e8dbd04SDag-Erling Smørgrav * 345e8dbd04SDag-Erling Smørgrav */ 355e8dbd04SDag-Erling Smørgrav /* #pragma ident "@(#)bsmaudit.c 1.1 01/09/17 SMI" */ 365e8dbd04SDag-Erling Smørgrav 375e8dbd04SDag-Erling Smørgrav #include "includes.h" 381aa495caSDag-Erling Smørgrav __RCSID("$FreeBSD$"); 395e8dbd04SDag-Erling Smørgrav #if defined(USE_BSM_AUDIT) 405e8dbd04SDag-Erling Smørgrav 41761efaa7SDag-Erling Smørgrav #include <sys/types.h> 42761efaa7SDag-Erling Smørgrav 431aa495caSDag-Erling Smørgrav #include <errno.h> 44761efaa7SDag-Erling Smørgrav #include <stdarg.h> 45761efaa7SDag-Erling Smørgrav #include <unistd.h> 46761efaa7SDag-Erling Smørgrav 475e8dbd04SDag-Erling Smørgrav #include "ssh.h" 485e8dbd04SDag-Erling Smørgrav #include "log.h" 49761efaa7SDag-Erling Smørgrav #include "key.h" 50761efaa7SDag-Erling Smørgrav #include "hostfile.h" 515e8dbd04SDag-Erling Smørgrav #include "auth.h" 525e8dbd04SDag-Erling Smørgrav #include "xmalloc.h" 535e8dbd04SDag-Erling Smørgrav 545e8dbd04SDag-Erling Smørgrav #ifndef AUE_openssh 555e8dbd04SDag-Erling Smørgrav # define AUE_openssh 32800 565e8dbd04SDag-Erling Smørgrav #endif 575e8dbd04SDag-Erling Smørgrav #include <bsm/audit.h> 585e8dbd04SDag-Erling Smørgrav #include <bsm/libbsm.h> 595e8dbd04SDag-Erling Smørgrav #include <bsm/audit_uevents.h> 605e8dbd04SDag-Erling Smørgrav #include <bsm/audit_record.h> 615e8dbd04SDag-Erling Smørgrav #include <locale.h> 625e8dbd04SDag-Erling Smørgrav 635e8dbd04SDag-Erling Smørgrav #if defined(HAVE_GETAUDIT_ADDR) 645e8dbd04SDag-Erling Smørgrav #define AuditInfoStruct auditinfo_addr 655e8dbd04SDag-Erling Smørgrav #define AuditInfoTermID au_tid_addr_t 665e8dbd04SDag-Erling Smørgrav #define GetAuditFunc(a,b) getaudit_addr((a),(b)) 675e8dbd04SDag-Erling Smørgrav #define GetAuditFuncText "getaudit_addr" 685e8dbd04SDag-Erling Smørgrav #define SetAuditFunc(a,b) setaudit_addr((a),(b)) 695e8dbd04SDag-Erling Smørgrav #define SetAuditFuncText "setaudit_addr" 705e8dbd04SDag-Erling Smørgrav #define AUToSubjectFunc au_to_subject_ex 715e8dbd04SDag-Erling Smørgrav #define AUToReturnFunc(a,b) au_to_return32((a), (int32_t)(b)) 725e8dbd04SDag-Erling Smørgrav #else 735e8dbd04SDag-Erling Smørgrav #define AuditInfoStruct auditinfo 745e8dbd04SDag-Erling Smørgrav #define AuditInfoTermID au_tid_t 755e8dbd04SDag-Erling Smørgrav #define GetAuditFunc(a,b) getaudit(a) 765e8dbd04SDag-Erling Smørgrav #define GetAuditFuncText "getaudit" 775e8dbd04SDag-Erling Smørgrav #define SetAuditFunc(a,b) setaudit(a) 785e8dbd04SDag-Erling Smørgrav #define SetAuditFuncText "setaudit" 795e8dbd04SDag-Erling Smørgrav #define AUToSubjectFunc au_to_subject 805e8dbd04SDag-Erling Smørgrav #define AUToReturnFunc(a,b) au_to_return((a), (u_int)(b)) 815e8dbd04SDag-Erling Smørgrav #endif 825e8dbd04SDag-Erling Smørgrav 835e8dbd04SDag-Erling Smørgrav extern int cannot_audit(int); 845e8dbd04SDag-Erling Smørgrav extern void aug_init(void); 855e8dbd04SDag-Erling Smørgrav extern dev_t aug_get_port(void); 865e8dbd04SDag-Erling Smørgrav extern int aug_get_machine(char *, u_int32_t *, u_int32_t *); 875e8dbd04SDag-Erling Smørgrav extern void aug_save_auid(au_id_t); 885e8dbd04SDag-Erling Smørgrav extern void aug_save_uid(uid_t); 895e8dbd04SDag-Erling Smørgrav extern void aug_save_euid(uid_t); 905e8dbd04SDag-Erling Smørgrav extern void aug_save_gid(gid_t); 915e8dbd04SDag-Erling Smørgrav extern void aug_save_egid(gid_t); 925e8dbd04SDag-Erling Smørgrav extern void aug_save_pid(pid_t); 935e8dbd04SDag-Erling Smørgrav extern void aug_save_asid(au_asid_t); 945e8dbd04SDag-Erling Smørgrav extern void aug_save_tid(dev_t, unsigned int); 955e8dbd04SDag-Erling Smørgrav extern void aug_save_tid_ex(dev_t, u_int32_t *, u_int32_t); 965e8dbd04SDag-Erling Smørgrav extern int aug_save_me(void); 975e8dbd04SDag-Erling Smørgrav extern int aug_save_namask(void); 985e8dbd04SDag-Erling Smørgrav extern void aug_save_event(au_event_t); 995e8dbd04SDag-Erling Smørgrav extern void aug_save_sorf(int); 1005e8dbd04SDag-Erling Smørgrav extern void aug_save_text(char *); 1015e8dbd04SDag-Erling Smørgrav extern void aug_save_text1(char *); 1025e8dbd04SDag-Erling Smørgrav extern void aug_save_text2(char *); 1035e8dbd04SDag-Erling Smørgrav extern void aug_save_na(int); 1045e8dbd04SDag-Erling Smørgrav extern void aug_save_user(char *); 1055e8dbd04SDag-Erling Smørgrav extern void aug_save_path(char *); 1065e8dbd04SDag-Erling Smørgrav extern int aug_save_policy(void); 1075e8dbd04SDag-Erling Smørgrav extern void aug_save_afunc(int (*)(int)); 1085e8dbd04SDag-Erling Smørgrav extern int aug_audit(void); 1095e8dbd04SDag-Erling Smørgrav extern int aug_na_selected(void); 1105e8dbd04SDag-Erling Smørgrav extern int aug_selected(void); 1115e8dbd04SDag-Erling Smørgrav extern int aug_daemon_session(void); 1125e8dbd04SDag-Erling Smørgrav 1135e8dbd04SDag-Erling Smørgrav #ifndef HAVE_GETTEXT 1145e8dbd04SDag-Erling Smørgrav # define gettext(a) (a) 1155e8dbd04SDag-Erling Smørgrav #endif 1165e8dbd04SDag-Erling Smørgrav 1175e8dbd04SDag-Erling Smørgrav extern Authctxt *the_authctxt; 1185e8dbd04SDag-Erling Smørgrav static AuditInfoTermID ssh_bsm_tid; 1195e8dbd04SDag-Erling Smørgrav 1205e8dbd04SDag-Erling Smørgrav /* Below is the low-level BSM interface code */ 1215e8dbd04SDag-Erling Smørgrav 1225e8dbd04SDag-Erling Smørgrav /* 1235e8dbd04SDag-Erling Smørgrav * Check if the specified event is selected (enabled) for auditing. 1245e8dbd04SDag-Erling Smørgrav * Returns 1 if the event is selected, 0 if not and -1 on failure. 1255e8dbd04SDag-Erling Smørgrav */ 1265e8dbd04SDag-Erling Smørgrav static int 1275e8dbd04SDag-Erling Smørgrav selected(char *username, uid_t uid, au_event_t event, int sf) 1285e8dbd04SDag-Erling Smørgrav { 1295e8dbd04SDag-Erling Smørgrav int rc, sorf; 1305e8dbd04SDag-Erling Smørgrav char naflags[512]; 1315e8dbd04SDag-Erling Smørgrav struct au_mask mask; 1325e8dbd04SDag-Erling Smørgrav 1335e8dbd04SDag-Erling Smørgrav mask.am_success = mask.am_failure = 0; 1345e8dbd04SDag-Erling Smørgrav if (uid < 0) { 1355e8dbd04SDag-Erling Smørgrav /* get flags for non-attributable (to a real user) events */ 1365e8dbd04SDag-Erling Smørgrav rc = getacna(naflags, sizeof(naflags)); 1375e8dbd04SDag-Erling Smørgrav if (rc == 0) 1385e8dbd04SDag-Erling Smørgrav (void) getauditflagsbin(naflags, &mask); 1395e8dbd04SDag-Erling Smørgrav } else 1405e8dbd04SDag-Erling Smørgrav rc = au_user_mask(username, &mask); 1415e8dbd04SDag-Erling Smørgrav 1425e8dbd04SDag-Erling Smørgrav sorf = (sf == 0) ? AU_PRS_SUCCESS : AU_PRS_FAILURE; 1435e8dbd04SDag-Erling Smørgrav return(au_preselect(event, &mask, sorf, AU_PRS_REREAD)); 1445e8dbd04SDag-Erling Smørgrav } 1455e8dbd04SDag-Erling Smørgrav 1465e8dbd04SDag-Erling Smørgrav static void 1475e8dbd04SDag-Erling Smørgrav bsm_audit_record(int typ, char *string, au_event_t event_no) 1485e8dbd04SDag-Erling Smørgrav { 1495e8dbd04SDag-Erling Smørgrav int ad, rc, sel; 1505e8dbd04SDag-Erling Smørgrav uid_t uid = -1; 1515e8dbd04SDag-Erling Smørgrav gid_t gid = -1; 1525e8dbd04SDag-Erling Smørgrav pid_t pid = getpid(); 1535e8dbd04SDag-Erling Smørgrav AuditInfoTermID tid = ssh_bsm_tid; 1545e8dbd04SDag-Erling Smørgrav 1555e8dbd04SDag-Erling Smørgrav if (the_authctxt != NULL && the_authctxt->valid) { 1565e8dbd04SDag-Erling Smørgrav uid = the_authctxt->pw->pw_uid; 1575e8dbd04SDag-Erling Smørgrav gid = the_authctxt->pw->pw_gid; 1585e8dbd04SDag-Erling Smørgrav } 1595e8dbd04SDag-Erling Smørgrav 1605e8dbd04SDag-Erling Smørgrav rc = (typ == 0) ? 0 : -1; 1615e8dbd04SDag-Erling Smørgrav sel = selected(the_authctxt->user, uid, event_no, rc); 1625e8dbd04SDag-Erling Smørgrav debug3("BSM audit: typ %d rc %d \"%s\"", typ, rc, string); 1635e8dbd04SDag-Erling Smørgrav if (!sel) 1645e8dbd04SDag-Erling Smørgrav return; /* audit event does not match mask, do not write */ 1655e8dbd04SDag-Erling Smørgrav 1665e8dbd04SDag-Erling Smørgrav debug3("BSM audit: writing audit new record"); 1675e8dbd04SDag-Erling Smørgrav ad = au_open(); 1685e8dbd04SDag-Erling Smørgrav 1695e8dbd04SDag-Erling Smørgrav (void) au_write(ad, AUToSubjectFunc(uid, uid, gid, uid, gid, 1705e8dbd04SDag-Erling Smørgrav pid, pid, &tid)); 1715e8dbd04SDag-Erling Smørgrav (void) au_write(ad, au_to_text(string)); 1725e8dbd04SDag-Erling Smørgrav (void) au_write(ad, AUToReturnFunc(typ, rc)); 1735e8dbd04SDag-Erling Smørgrav 1745e8dbd04SDag-Erling Smørgrav rc = au_close(ad, AU_TO_WRITE, event_no); 1755e8dbd04SDag-Erling Smørgrav if (rc < 0) 1765e8dbd04SDag-Erling Smørgrav error("BSM audit: %s failed to write \"%s\" record: %s", 1775e8dbd04SDag-Erling Smørgrav __func__, string, strerror(errno)); 1785e8dbd04SDag-Erling Smørgrav } 1795e8dbd04SDag-Erling Smørgrav 1805e8dbd04SDag-Erling Smørgrav static void 1815e8dbd04SDag-Erling Smørgrav bsm_audit_session_setup(void) 1825e8dbd04SDag-Erling Smørgrav { 1835e8dbd04SDag-Erling Smørgrav int rc; 1845e8dbd04SDag-Erling Smørgrav struct AuditInfoStruct info; 1855e8dbd04SDag-Erling Smørgrav au_mask_t mask; 1865e8dbd04SDag-Erling Smørgrav 1875e8dbd04SDag-Erling Smørgrav if (the_authctxt == NULL) { 1885e8dbd04SDag-Erling Smørgrav error("BSM audit: session setup internal error (NULL ctxt)"); 1895e8dbd04SDag-Erling Smørgrav return; 1905e8dbd04SDag-Erling Smørgrav } 1915e8dbd04SDag-Erling Smørgrav 1925e8dbd04SDag-Erling Smørgrav if (the_authctxt->valid) 1935e8dbd04SDag-Erling Smørgrav info.ai_auid = the_authctxt->pw->pw_uid; 1945e8dbd04SDag-Erling Smørgrav else 1955e8dbd04SDag-Erling Smørgrav info.ai_auid = -1; 1965e8dbd04SDag-Erling Smørgrav info.ai_asid = getpid(); 1975e8dbd04SDag-Erling Smørgrav mask.am_success = 0; 1985e8dbd04SDag-Erling Smørgrav mask.am_failure = 0; 1995e8dbd04SDag-Erling Smørgrav 2005e8dbd04SDag-Erling Smørgrav (void) au_user_mask(the_authctxt->user, &mask); 2015e8dbd04SDag-Erling Smørgrav 2025e8dbd04SDag-Erling Smørgrav info.ai_mask.am_success = mask.am_success; 2035e8dbd04SDag-Erling Smørgrav info.ai_mask.am_failure = mask.am_failure; 2045e8dbd04SDag-Erling Smørgrav 2055e8dbd04SDag-Erling Smørgrav info.ai_termid = ssh_bsm_tid; 2065e8dbd04SDag-Erling Smørgrav 2075e8dbd04SDag-Erling Smørgrav rc = SetAuditFunc(&info, sizeof(info)); 2085e8dbd04SDag-Erling Smørgrav if (rc < 0) 2095e8dbd04SDag-Erling Smørgrav error("BSM audit: %s: %s failed: %s", __func__, 2105e8dbd04SDag-Erling Smørgrav SetAuditFuncText, strerror(errno)); 2115e8dbd04SDag-Erling Smørgrav } 2125e8dbd04SDag-Erling Smørgrav 2135e8dbd04SDag-Erling Smørgrav static void 2145e8dbd04SDag-Erling Smørgrav bsm_audit_bad_login(const char *what) 2155e8dbd04SDag-Erling Smørgrav { 2165e8dbd04SDag-Erling Smørgrav char textbuf[BSM_TEXTBUFSZ]; 2175e8dbd04SDag-Erling Smørgrav 2185e8dbd04SDag-Erling Smørgrav if (the_authctxt->valid) { 2195e8dbd04SDag-Erling Smørgrav (void) snprintf(textbuf, sizeof (textbuf), 2205e8dbd04SDag-Erling Smørgrav gettext("invalid %s for user %s"), 2215e8dbd04SDag-Erling Smørgrav what, the_authctxt->user); 2225e8dbd04SDag-Erling Smørgrav bsm_audit_record(4, textbuf, AUE_openssh); 2235e8dbd04SDag-Erling Smørgrav } else { 2245e8dbd04SDag-Erling Smørgrav (void) snprintf(textbuf, sizeof (textbuf), 2255e8dbd04SDag-Erling Smørgrav gettext("invalid user name \"%s\""), 2265e8dbd04SDag-Erling Smørgrav the_authctxt->user); 2275e8dbd04SDag-Erling Smørgrav bsm_audit_record(3, textbuf, AUE_openssh); 2285e8dbd04SDag-Erling Smørgrav } 2295e8dbd04SDag-Erling Smørgrav } 2305e8dbd04SDag-Erling Smørgrav 2315e8dbd04SDag-Erling Smørgrav /* Below is the sshd audit API code */ 2325e8dbd04SDag-Erling Smørgrav 2335e8dbd04SDag-Erling Smørgrav void 2345e8dbd04SDag-Erling Smørgrav audit_connection_from(const char *host, int port) 2355e8dbd04SDag-Erling Smørgrav { 2365e8dbd04SDag-Erling Smørgrav AuditInfoTermID *tid = &ssh_bsm_tid; 2375e8dbd04SDag-Erling Smørgrav char buf[1024]; 2385e8dbd04SDag-Erling Smørgrav 2395e8dbd04SDag-Erling Smørgrav if (cannot_audit(0)) 2405e8dbd04SDag-Erling Smørgrav return; 2415e8dbd04SDag-Erling Smørgrav debug3("BSM audit: connection from %.100s port %d", host, port); 2425e8dbd04SDag-Erling Smørgrav 2435e8dbd04SDag-Erling Smørgrav /* populate our terminal id structure */ 2445e8dbd04SDag-Erling Smørgrav #if defined(HAVE_GETAUDIT_ADDR) 2455e8dbd04SDag-Erling Smørgrav tid->at_port = (dev_t)port; 2465e8dbd04SDag-Erling Smørgrav aug_get_machine((char *)host, &(tid->at_addr[0]), &(tid->at_type)); 2475e8dbd04SDag-Erling Smørgrav snprintf(buf, sizeof(buf), "%08x %08x %08x %08x", tid->at_addr[0], 2485e8dbd04SDag-Erling Smørgrav tid->at_addr[1], tid->at_addr[2], tid->at_addr[3]); 2495e8dbd04SDag-Erling Smørgrav debug3("BSM audit: iptype %d machine ID %s", (int)tid->at_type, buf); 2505e8dbd04SDag-Erling Smørgrav #else 2515e8dbd04SDag-Erling Smørgrav /* this is used on IPv4-only machines */ 2525e8dbd04SDag-Erling Smørgrav tid->port = (dev_t)port; 2535e8dbd04SDag-Erling Smørgrav tid->machine = inet_addr(host); 2545e8dbd04SDag-Erling Smørgrav snprintf(buf, sizeof(buf), "%08x", tid->machine); 2555e8dbd04SDag-Erling Smørgrav debug3("BSM audit: machine ID %s", buf); 2565e8dbd04SDag-Erling Smørgrav #endif 2575e8dbd04SDag-Erling Smørgrav } 2585e8dbd04SDag-Erling Smørgrav 2595e8dbd04SDag-Erling Smørgrav void 2605e8dbd04SDag-Erling Smørgrav audit_run_command(const char *command) 2615e8dbd04SDag-Erling Smørgrav { 2625e8dbd04SDag-Erling Smørgrav /* not implemented */ 2635e8dbd04SDag-Erling Smørgrav } 2645e8dbd04SDag-Erling Smørgrav 2655e8dbd04SDag-Erling Smørgrav void 2665e8dbd04SDag-Erling Smørgrav audit_session_open(const char *ttyn) 2675e8dbd04SDag-Erling Smørgrav { 2685e8dbd04SDag-Erling Smørgrav /* not implemented */ 2695e8dbd04SDag-Erling Smørgrav } 2705e8dbd04SDag-Erling Smørgrav 2715e8dbd04SDag-Erling Smørgrav void 2725e8dbd04SDag-Erling Smørgrav audit_session_close(const char *ttyn) 2735e8dbd04SDag-Erling Smørgrav { 2745e8dbd04SDag-Erling Smørgrav /* not implemented */ 2755e8dbd04SDag-Erling Smørgrav } 2765e8dbd04SDag-Erling Smørgrav 2775e8dbd04SDag-Erling Smørgrav void 2785e8dbd04SDag-Erling Smørgrav audit_event(ssh_audit_event_t event) 2795e8dbd04SDag-Erling Smørgrav { 2805e8dbd04SDag-Erling Smørgrav char textbuf[BSM_TEXTBUFSZ]; 2815e8dbd04SDag-Erling Smørgrav static int logged_in = 0; 2825e8dbd04SDag-Erling Smørgrav const char *user = the_authctxt ? the_authctxt->user : "(unknown user)"; 2835e8dbd04SDag-Erling Smørgrav 2845e8dbd04SDag-Erling Smørgrav if (cannot_audit(0)) 2855e8dbd04SDag-Erling Smørgrav return; 2865e8dbd04SDag-Erling Smørgrav 2875e8dbd04SDag-Erling Smørgrav switch(event) { 2885e8dbd04SDag-Erling Smørgrav case SSH_AUTH_SUCCESS: 2895e8dbd04SDag-Erling Smørgrav logged_in = 1; 2905e8dbd04SDag-Erling Smørgrav bsm_audit_session_setup(); 2915e8dbd04SDag-Erling Smørgrav snprintf(textbuf, sizeof(textbuf), 2925e8dbd04SDag-Erling Smørgrav gettext("successful login %s"), user); 2935e8dbd04SDag-Erling Smørgrav bsm_audit_record(0, textbuf, AUE_openssh); 2945e8dbd04SDag-Erling Smørgrav break; 2955e8dbd04SDag-Erling Smørgrav 2965e8dbd04SDag-Erling Smørgrav case SSH_CONNECTION_CLOSE: 2975e8dbd04SDag-Erling Smørgrav /* 2985e8dbd04SDag-Erling Smørgrav * We can also get a close event if the user attempted auth 2995e8dbd04SDag-Erling Smørgrav * but never succeeded. 3005e8dbd04SDag-Erling Smørgrav */ 3015e8dbd04SDag-Erling Smørgrav if (logged_in) { 3025e8dbd04SDag-Erling Smørgrav snprintf(textbuf, sizeof(textbuf), 3035e8dbd04SDag-Erling Smørgrav gettext("sshd logout %s"), the_authctxt->user); 3045e8dbd04SDag-Erling Smørgrav bsm_audit_record(0, textbuf, AUE_logout); 3055e8dbd04SDag-Erling Smørgrav } else { 3065e8dbd04SDag-Erling Smørgrav debug("%s: connection closed without authentication", 3075e8dbd04SDag-Erling Smørgrav __func__); 3085e8dbd04SDag-Erling Smørgrav } 3095e8dbd04SDag-Erling Smørgrav break; 3105e8dbd04SDag-Erling Smørgrav 3115e8dbd04SDag-Erling Smørgrav case SSH_NOLOGIN: 3125e8dbd04SDag-Erling Smørgrav bsm_audit_record(1, 3135e8dbd04SDag-Erling Smørgrav gettext("logins disabled by /etc/nologin"), AUE_openssh); 3145e8dbd04SDag-Erling Smørgrav break; 3155e8dbd04SDag-Erling Smørgrav 3165e8dbd04SDag-Erling Smørgrav case SSH_LOGIN_EXCEED_MAXTRIES: 3175e8dbd04SDag-Erling Smørgrav snprintf(textbuf, sizeof(textbuf), 3185e8dbd04SDag-Erling Smørgrav gettext("too many tries for user %s"), the_authctxt->user); 3195e8dbd04SDag-Erling Smørgrav bsm_audit_record(1, textbuf, AUE_openssh); 3205e8dbd04SDag-Erling Smørgrav break; 3215e8dbd04SDag-Erling Smørgrav 3225e8dbd04SDag-Erling Smørgrav case SSH_LOGIN_ROOT_DENIED: 3235e8dbd04SDag-Erling Smørgrav bsm_audit_record(2, gettext("not_console"), AUE_openssh); 3245e8dbd04SDag-Erling Smørgrav break; 3255e8dbd04SDag-Erling Smørgrav 3265e8dbd04SDag-Erling Smørgrav case SSH_AUTH_FAIL_PASSWD: 3275e8dbd04SDag-Erling Smørgrav bsm_audit_bad_login("password"); 3285e8dbd04SDag-Erling Smørgrav break; 3295e8dbd04SDag-Erling Smørgrav 3305e8dbd04SDag-Erling Smørgrav case SSH_AUTH_FAIL_KBDINT: 3315e8dbd04SDag-Erling Smørgrav bsm_audit_bad_login("interactive password entry"); 3325e8dbd04SDag-Erling Smørgrav break; 3335e8dbd04SDag-Erling Smørgrav 3345e8dbd04SDag-Erling Smørgrav default: 3355e8dbd04SDag-Erling Smørgrav debug("%s: unhandled event %d", __func__, event); 3365e8dbd04SDag-Erling Smørgrav } 3375e8dbd04SDag-Erling Smørgrav } 3385e8dbd04SDag-Erling Smørgrav #endif /* BSM */ 339