15e8dbd04SDag-Erling Smørgrav /* $Id: audit-bsm.c,v 1.1 2005/02/20 10:08:00 dtucker Exp $ */ 25e8dbd04SDag-Erling Smørgrav 35e8dbd04SDag-Erling Smørgrav /* 45e8dbd04SDag-Erling Smørgrav * TODO 55e8dbd04SDag-Erling Smørgrav * 65e8dbd04SDag-Erling Smørgrav * - deal with overlap between this and sys_auth_allowed_user 75e8dbd04SDag-Erling Smørgrav * sys_auth_record_login and record_failed_login. 85e8dbd04SDag-Erling Smørgrav */ 95e8dbd04SDag-Erling Smørgrav 105e8dbd04SDag-Erling Smørgrav /* 115e8dbd04SDag-Erling Smørgrav * Copyright 1988-2002 Sun Microsystems, Inc. All rights reserved. 125e8dbd04SDag-Erling Smørgrav * Use is subject to license terms. 135e8dbd04SDag-Erling Smørgrav * 145e8dbd04SDag-Erling Smørgrav * Redistribution and use in source and binary forms, with or without 155e8dbd04SDag-Erling Smørgrav * modification, are permitted provided that the following conditions 165e8dbd04SDag-Erling Smørgrav * are met: 175e8dbd04SDag-Erling Smørgrav * 1. Redistributions of source code must retain the above copyright 185e8dbd04SDag-Erling Smørgrav * notice, this list of conditions and the following disclaimer. 195e8dbd04SDag-Erling Smørgrav * 2. Redistributions in binary form must reproduce the above copyright 205e8dbd04SDag-Erling Smørgrav * notice, this list of conditions and the following disclaimer in the 215e8dbd04SDag-Erling Smørgrav * documentation and/or other materials provided with the distribution. 225e8dbd04SDag-Erling Smørgrav * 235e8dbd04SDag-Erling Smørgrav * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 245e8dbd04SDag-Erling Smørgrav * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 255e8dbd04SDag-Erling Smørgrav * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 265e8dbd04SDag-Erling Smørgrav * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 275e8dbd04SDag-Erling Smørgrav * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 285e8dbd04SDag-Erling Smørgrav * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 295e8dbd04SDag-Erling Smørgrav * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 305e8dbd04SDag-Erling Smørgrav * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 315e8dbd04SDag-Erling Smørgrav * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 325e8dbd04SDag-Erling Smørgrav * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 335e8dbd04SDag-Erling Smørgrav * 345e8dbd04SDag-Erling Smørgrav */ 355e8dbd04SDag-Erling Smørgrav /* #pragma ident "@(#)bsmaudit.c 1.1 01/09/17 SMI" */ 365e8dbd04SDag-Erling Smørgrav 375e8dbd04SDag-Erling Smørgrav #include "includes.h" 385e8dbd04SDag-Erling Smørgrav #if defined(USE_BSM_AUDIT) 395e8dbd04SDag-Erling Smørgrav 405e8dbd04SDag-Erling Smørgrav #include "ssh.h" 415e8dbd04SDag-Erling Smørgrav #include "log.h" 425e8dbd04SDag-Erling Smørgrav #include "auth.h" 435e8dbd04SDag-Erling Smørgrav #include "xmalloc.h" 445e8dbd04SDag-Erling Smørgrav 455e8dbd04SDag-Erling Smørgrav #ifndef AUE_openssh 465e8dbd04SDag-Erling Smørgrav # define AUE_openssh 32800 475e8dbd04SDag-Erling Smørgrav #endif 485e8dbd04SDag-Erling Smørgrav #include <bsm/audit.h> 495e8dbd04SDag-Erling Smørgrav #include <bsm/libbsm.h> 505e8dbd04SDag-Erling Smørgrav #include <bsm/audit_uevents.h> 515e8dbd04SDag-Erling Smørgrav #include <bsm/audit_record.h> 525e8dbd04SDag-Erling Smørgrav #include <locale.h> 535e8dbd04SDag-Erling Smørgrav 545e8dbd04SDag-Erling Smørgrav #if defined(HAVE_GETAUDIT_ADDR) 555e8dbd04SDag-Erling Smørgrav #define AuditInfoStruct auditinfo_addr 565e8dbd04SDag-Erling Smørgrav #define AuditInfoTermID au_tid_addr_t 575e8dbd04SDag-Erling Smørgrav #define GetAuditFunc(a,b) getaudit_addr((a),(b)) 585e8dbd04SDag-Erling Smørgrav #define GetAuditFuncText "getaudit_addr" 595e8dbd04SDag-Erling Smørgrav #define SetAuditFunc(a,b) setaudit_addr((a),(b)) 605e8dbd04SDag-Erling Smørgrav #define SetAuditFuncText "setaudit_addr" 615e8dbd04SDag-Erling Smørgrav #define AUToSubjectFunc au_to_subject_ex 625e8dbd04SDag-Erling Smørgrav #define AUToReturnFunc(a,b) au_to_return32((a), (int32_t)(b)) 635e8dbd04SDag-Erling Smørgrav #else 645e8dbd04SDag-Erling Smørgrav #define AuditInfoStruct auditinfo 655e8dbd04SDag-Erling Smørgrav #define AuditInfoTermID au_tid_t 665e8dbd04SDag-Erling Smørgrav #define GetAuditFunc(a,b) getaudit(a) 675e8dbd04SDag-Erling Smørgrav #define GetAuditFuncText "getaudit" 685e8dbd04SDag-Erling Smørgrav #define SetAuditFunc(a,b) setaudit(a) 695e8dbd04SDag-Erling Smørgrav #define SetAuditFuncText "setaudit" 705e8dbd04SDag-Erling Smørgrav #define AUToSubjectFunc au_to_subject 715e8dbd04SDag-Erling Smørgrav #define AUToReturnFunc(a,b) au_to_return((a), (u_int)(b)) 725e8dbd04SDag-Erling Smørgrav #endif 735e8dbd04SDag-Erling Smørgrav 745e8dbd04SDag-Erling Smørgrav extern int cannot_audit(int); 755e8dbd04SDag-Erling Smørgrav extern void aug_init(void); 765e8dbd04SDag-Erling Smørgrav extern dev_t aug_get_port(void); 775e8dbd04SDag-Erling Smørgrav extern int aug_get_machine(char *, u_int32_t *, u_int32_t *); 785e8dbd04SDag-Erling Smørgrav extern void aug_save_auid(au_id_t); 795e8dbd04SDag-Erling Smørgrav extern void aug_save_uid(uid_t); 805e8dbd04SDag-Erling Smørgrav extern void aug_save_euid(uid_t); 815e8dbd04SDag-Erling Smørgrav extern void aug_save_gid(gid_t); 825e8dbd04SDag-Erling Smørgrav extern void aug_save_egid(gid_t); 835e8dbd04SDag-Erling Smørgrav extern void aug_save_pid(pid_t); 845e8dbd04SDag-Erling Smørgrav extern void aug_save_asid(au_asid_t); 855e8dbd04SDag-Erling Smørgrav extern void aug_save_tid(dev_t, unsigned int); 865e8dbd04SDag-Erling Smørgrav extern void aug_save_tid_ex(dev_t, u_int32_t *, u_int32_t); 875e8dbd04SDag-Erling Smørgrav extern int aug_save_me(void); 885e8dbd04SDag-Erling Smørgrav extern int aug_save_namask(void); 895e8dbd04SDag-Erling Smørgrav extern void aug_save_event(au_event_t); 905e8dbd04SDag-Erling Smørgrav extern void aug_save_sorf(int); 915e8dbd04SDag-Erling Smørgrav extern void aug_save_text(char *); 925e8dbd04SDag-Erling Smørgrav extern void aug_save_text1(char *); 935e8dbd04SDag-Erling Smørgrav extern void aug_save_text2(char *); 945e8dbd04SDag-Erling Smørgrav extern void aug_save_na(int); 955e8dbd04SDag-Erling Smørgrav extern void aug_save_user(char *); 965e8dbd04SDag-Erling Smørgrav extern void aug_save_path(char *); 975e8dbd04SDag-Erling Smørgrav extern int aug_save_policy(void); 985e8dbd04SDag-Erling Smørgrav extern void aug_save_afunc(int (*)(int)); 995e8dbd04SDag-Erling Smørgrav extern int aug_audit(void); 1005e8dbd04SDag-Erling Smørgrav extern int aug_na_selected(void); 1015e8dbd04SDag-Erling Smørgrav extern int aug_selected(void); 1025e8dbd04SDag-Erling Smørgrav extern int aug_daemon_session(void); 1035e8dbd04SDag-Erling Smørgrav 1045e8dbd04SDag-Erling Smørgrav #ifndef HAVE_GETTEXT 1055e8dbd04SDag-Erling Smørgrav # define gettext(a) (a) 1065e8dbd04SDag-Erling Smørgrav #endif 1075e8dbd04SDag-Erling Smørgrav 1085e8dbd04SDag-Erling Smørgrav extern Authctxt *the_authctxt; 1095e8dbd04SDag-Erling Smørgrav static AuditInfoTermID ssh_bsm_tid; 1105e8dbd04SDag-Erling Smørgrav 1115e8dbd04SDag-Erling Smørgrav /* Below is the low-level BSM interface code */ 1125e8dbd04SDag-Erling Smørgrav 1135e8dbd04SDag-Erling Smørgrav /* 1145e8dbd04SDag-Erling Smørgrav * Check if the specified event is selected (enabled) for auditing. 1155e8dbd04SDag-Erling Smørgrav * Returns 1 if the event is selected, 0 if not and -1 on failure. 1165e8dbd04SDag-Erling Smørgrav */ 1175e8dbd04SDag-Erling Smørgrav static int 1185e8dbd04SDag-Erling Smørgrav selected(char *username, uid_t uid, au_event_t event, int sf) 1195e8dbd04SDag-Erling Smørgrav { 1205e8dbd04SDag-Erling Smørgrav int rc, sorf; 1215e8dbd04SDag-Erling Smørgrav char naflags[512]; 1225e8dbd04SDag-Erling Smørgrav struct au_mask mask; 1235e8dbd04SDag-Erling Smørgrav 1245e8dbd04SDag-Erling Smørgrav mask.am_success = mask.am_failure = 0; 1255e8dbd04SDag-Erling Smørgrav if (uid < 0) { 1265e8dbd04SDag-Erling Smørgrav /* get flags for non-attributable (to a real user) events */ 1275e8dbd04SDag-Erling Smørgrav rc = getacna(naflags, sizeof(naflags)); 1285e8dbd04SDag-Erling Smørgrav if (rc == 0) 1295e8dbd04SDag-Erling Smørgrav (void) getauditflagsbin(naflags, &mask); 1305e8dbd04SDag-Erling Smørgrav } else 1315e8dbd04SDag-Erling Smørgrav rc = au_user_mask(username, &mask); 1325e8dbd04SDag-Erling Smørgrav 1335e8dbd04SDag-Erling Smørgrav sorf = (sf == 0) ? AU_PRS_SUCCESS : AU_PRS_FAILURE; 1345e8dbd04SDag-Erling Smørgrav return(au_preselect(event, &mask, sorf, AU_PRS_REREAD)); 1355e8dbd04SDag-Erling Smørgrav } 1365e8dbd04SDag-Erling Smørgrav 1375e8dbd04SDag-Erling Smørgrav static void 1385e8dbd04SDag-Erling Smørgrav bsm_audit_record(int typ, char *string, au_event_t event_no) 1395e8dbd04SDag-Erling Smørgrav { 1405e8dbd04SDag-Erling Smørgrav int ad, rc, sel; 1415e8dbd04SDag-Erling Smørgrav uid_t uid = -1; 1425e8dbd04SDag-Erling Smørgrav gid_t gid = -1; 1435e8dbd04SDag-Erling Smørgrav pid_t pid = getpid(); 1445e8dbd04SDag-Erling Smørgrav AuditInfoTermID tid = ssh_bsm_tid; 1455e8dbd04SDag-Erling Smørgrav 1465e8dbd04SDag-Erling Smørgrav if (the_authctxt != NULL && the_authctxt->valid) { 1475e8dbd04SDag-Erling Smørgrav uid = the_authctxt->pw->pw_uid; 1485e8dbd04SDag-Erling Smørgrav gid = the_authctxt->pw->pw_gid; 1495e8dbd04SDag-Erling Smørgrav } 1505e8dbd04SDag-Erling Smørgrav 1515e8dbd04SDag-Erling Smørgrav rc = (typ == 0) ? 0 : -1; 1525e8dbd04SDag-Erling Smørgrav sel = selected(the_authctxt->user, uid, event_no, rc); 1535e8dbd04SDag-Erling Smørgrav debug3("BSM audit: typ %d rc %d \"%s\"", typ, rc, string); 1545e8dbd04SDag-Erling Smørgrav if (!sel) 1555e8dbd04SDag-Erling Smørgrav return; /* audit event does not match mask, do not write */ 1565e8dbd04SDag-Erling Smørgrav 1575e8dbd04SDag-Erling Smørgrav debug3("BSM audit: writing audit new record"); 1585e8dbd04SDag-Erling Smørgrav ad = au_open(); 1595e8dbd04SDag-Erling Smørgrav 1605e8dbd04SDag-Erling Smørgrav (void) au_write(ad, AUToSubjectFunc(uid, uid, gid, uid, gid, 1615e8dbd04SDag-Erling Smørgrav pid, pid, &tid)); 1625e8dbd04SDag-Erling Smørgrav (void) au_write(ad, au_to_text(string)); 1635e8dbd04SDag-Erling Smørgrav (void) au_write(ad, AUToReturnFunc(typ, rc)); 1645e8dbd04SDag-Erling Smørgrav 1655e8dbd04SDag-Erling Smørgrav rc = au_close(ad, AU_TO_WRITE, event_no); 1665e8dbd04SDag-Erling Smørgrav if (rc < 0) 1675e8dbd04SDag-Erling Smørgrav error("BSM audit: %s failed to write \"%s\" record: %s", 1685e8dbd04SDag-Erling Smørgrav __func__, string, strerror(errno)); 1695e8dbd04SDag-Erling Smørgrav } 1705e8dbd04SDag-Erling Smørgrav 1715e8dbd04SDag-Erling Smørgrav static void 1725e8dbd04SDag-Erling Smørgrav bsm_audit_session_setup(void) 1735e8dbd04SDag-Erling Smørgrav { 1745e8dbd04SDag-Erling Smørgrav int rc; 1755e8dbd04SDag-Erling Smørgrav struct AuditInfoStruct info; 1765e8dbd04SDag-Erling Smørgrav au_mask_t mask; 1775e8dbd04SDag-Erling Smørgrav 1785e8dbd04SDag-Erling Smørgrav if (the_authctxt == NULL) { 1795e8dbd04SDag-Erling Smørgrav error("BSM audit: session setup internal error (NULL ctxt)"); 1805e8dbd04SDag-Erling Smørgrav return; 1815e8dbd04SDag-Erling Smørgrav } 1825e8dbd04SDag-Erling Smørgrav 1835e8dbd04SDag-Erling Smørgrav if (the_authctxt->valid) 1845e8dbd04SDag-Erling Smørgrav info.ai_auid = the_authctxt->pw->pw_uid; 1855e8dbd04SDag-Erling Smørgrav else 1865e8dbd04SDag-Erling Smørgrav info.ai_auid = -1; 1875e8dbd04SDag-Erling Smørgrav info.ai_asid = getpid(); 1885e8dbd04SDag-Erling Smørgrav mask.am_success = 0; 1895e8dbd04SDag-Erling Smørgrav mask.am_failure = 0; 1905e8dbd04SDag-Erling Smørgrav 1915e8dbd04SDag-Erling Smørgrav (void) au_user_mask(the_authctxt->user, &mask); 1925e8dbd04SDag-Erling Smørgrav 1935e8dbd04SDag-Erling Smørgrav info.ai_mask.am_success = mask.am_success; 1945e8dbd04SDag-Erling Smørgrav info.ai_mask.am_failure = mask.am_failure; 1955e8dbd04SDag-Erling Smørgrav 1965e8dbd04SDag-Erling Smørgrav info.ai_termid = ssh_bsm_tid; 1975e8dbd04SDag-Erling Smørgrav 1985e8dbd04SDag-Erling Smørgrav rc = SetAuditFunc(&info, sizeof(info)); 1995e8dbd04SDag-Erling Smørgrav if (rc < 0) 2005e8dbd04SDag-Erling Smørgrav error("BSM audit: %s: %s failed: %s", __func__, 2015e8dbd04SDag-Erling Smørgrav SetAuditFuncText, strerror(errno)); 2025e8dbd04SDag-Erling Smørgrav } 2035e8dbd04SDag-Erling Smørgrav 2045e8dbd04SDag-Erling Smørgrav static void 2055e8dbd04SDag-Erling Smørgrav bsm_audit_bad_login(const char *what) 2065e8dbd04SDag-Erling Smørgrav { 2075e8dbd04SDag-Erling Smørgrav char textbuf[BSM_TEXTBUFSZ]; 2085e8dbd04SDag-Erling Smørgrav 2095e8dbd04SDag-Erling Smørgrav if (the_authctxt->valid) { 2105e8dbd04SDag-Erling Smørgrav (void) snprintf(textbuf, sizeof (textbuf), 2115e8dbd04SDag-Erling Smørgrav gettext("invalid %s for user %s"), 2125e8dbd04SDag-Erling Smørgrav what, the_authctxt->user); 2135e8dbd04SDag-Erling Smørgrav bsm_audit_record(4, textbuf, AUE_openssh); 2145e8dbd04SDag-Erling Smørgrav } else { 2155e8dbd04SDag-Erling Smørgrav (void) snprintf(textbuf, sizeof (textbuf), 2165e8dbd04SDag-Erling Smørgrav gettext("invalid user name \"%s\""), 2175e8dbd04SDag-Erling Smørgrav the_authctxt->user); 2185e8dbd04SDag-Erling Smørgrav bsm_audit_record(3, textbuf, AUE_openssh); 2195e8dbd04SDag-Erling Smørgrav } 2205e8dbd04SDag-Erling Smørgrav } 2215e8dbd04SDag-Erling Smørgrav 2225e8dbd04SDag-Erling Smørgrav /* Below is the sshd audit API code */ 2235e8dbd04SDag-Erling Smørgrav 2245e8dbd04SDag-Erling Smørgrav void 2255e8dbd04SDag-Erling Smørgrav audit_connection_from(const char *host, int port) 2265e8dbd04SDag-Erling Smørgrav { 2275e8dbd04SDag-Erling Smørgrav AuditInfoTermID *tid = &ssh_bsm_tid; 2285e8dbd04SDag-Erling Smørgrav char buf[1024]; 2295e8dbd04SDag-Erling Smørgrav 2305e8dbd04SDag-Erling Smørgrav if (cannot_audit(0)) 2315e8dbd04SDag-Erling Smørgrav return; 2325e8dbd04SDag-Erling Smørgrav debug3("BSM audit: connection from %.100s port %d", host, port); 2335e8dbd04SDag-Erling Smørgrav 2345e8dbd04SDag-Erling Smørgrav /* populate our terminal id structure */ 2355e8dbd04SDag-Erling Smørgrav #if defined(HAVE_GETAUDIT_ADDR) 2365e8dbd04SDag-Erling Smørgrav tid->at_port = (dev_t)port; 2375e8dbd04SDag-Erling Smørgrav aug_get_machine((char *)host, &(tid->at_addr[0]), &(tid->at_type)); 2385e8dbd04SDag-Erling Smørgrav snprintf(buf, sizeof(buf), "%08x %08x %08x %08x", tid->at_addr[0], 2395e8dbd04SDag-Erling Smørgrav tid->at_addr[1], tid->at_addr[2], tid->at_addr[3]); 2405e8dbd04SDag-Erling Smørgrav debug3("BSM audit: iptype %d machine ID %s", (int)tid->at_type, buf); 2415e8dbd04SDag-Erling Smørgrav #else 2425e8dbd04SDag-Erling Smørgrav /* this is used on IPv4-only machines */ 2435e8dbd04SDag-Erling Smørgrav tid->port = (dev_t)port; 2445e8dbd04SDag-Erling Smørgrav tid->machine = inet_addr(host); 2455e8dbd04SDag-Erling Smørgrav snprintf(buf, sizeof(buf), "%08x", tid->machine); 2465e8dbd04SDag-Erling Smørgrav debug3("BSM audit: machine ID %s", buf); 2475e8dbd04SDag-Erling Smørgrav #endif 2485e8dbd04SDag-Erling Smørgrav } 2495e8dbd04SDag-Erling Smørgrav 2505e8dbd04SDag-Erling Smørgrav void 2515e8dbd04SDag-Erling Smørgrav audit_run_command(const char *command) 2525e8dbd04SDag-Erling Smørgrav { 2535e8dbd04SDag-Erling Smørgrav /* not implemented */ 2545e8dbd04SDag-Erling Smørgrav } 2555e8dbd04SDag-Erling Smørgrav 2565e8dbd04SDag-Erling Smørgrav void 2575e8dbd04SDag-Erling Smørgrav audit_session_open(const char *ttyn) 2585e8dbd04SDag-Erling Smørgrav { 2595e8dbd04SDag-Erling Smørgrav /* not implemented */ 2605e8dbd04SDag-Erling Smørgrav } 2615e8dbd04SDag-Erling Smørgrav 2625e8dbd04SDag-Erling Smørgrav void 2635e8dbd04SDag-Erling Smørgrav audit_session_close(const char *ttyn) 2645e8dbd04SDag-Erling Smørgrav { 2655e8dbd04SDag-Erling Smørgrav /* not implemented */ 2665e8dbd04SDag-Erling Smørgrav } 2675e8dbd04SDag-Erling Smørgrav 2685e8dbd04SDag-Erling Smørgrav void 2695e8dbd04SDag-Erling Smørgrav audit_event(ssh_audit_event_t event) 2705e8dbd04SDag-Erling Smørgrav { 2715e8dbd04SDag-Erling Smørgrav char textbuf[BSM_TEXTBUFSZ]; 2725e8dbd04SDag-Erling Smørgrav static int logged_in = 0; 2735e8dbd04SDag-Erling Smørgrav const char *user = the_authctxt ? the_authctxt->user : "(unknown user)"; 2745e8dbd04SDag-Erling Smørgrav 2755e8dbd04SDag-Erling Smørgrav if (cannot_audit(0)) 2765e8dbd04SDag-Erling Smørgrav return; 2775e8dbd04SDag-Erling Smørgrav 2785e8dbd04SDag-Erling Smørgrav switch(event) { 2795e8dbd04SDag-Erling Smørgrav case SSH_AUTH_SUCCESS: 2805e8dbd04SDag-Erling Smørgrav logged_in = 1; 2815e8dbd04SDag-Erling Smørgrav bsm_audit_session_setup(); 2825e8dbd04SDag-Erling Smørgrav snprintf(textbuf, sizeof(textbuf), 2835e8dbd04SDag-Erling Smørgrav gettext("successful login %s"), user); 2845e8dbd04SDag-Erling Smørgrav bsm_audit_record(0, textbuf, AUE_openssh); 2855e8dbd04SDag-Erling Smørgrav break; 2865e8dbd04SDag-Erling Smørgrav 2875e8dbd04SDag-Erling Smørgrav case SSH_CONNECTION_CLOSE: 2885e8dbd04SDag-Erling Smørgrav /* 2895e8dbd04SDag-Erling Smørgrav * We can also get a close event if the user attempted auth 2905e8dbd04SDag-Erling Smørgrav * but never succeeded. 2915e8dbd04SDag-Erling Smørgrav */ 2925e8dbd04SDag-Erling Smørgrav if (logged_in) { 2935e8dbd04SDag-Erling Smørgrav snprintf(textbuf, sizeof(textbuf), 2945e8dbd04SDag-Erling Smørgrav gettext("sshd logout %s"), the_authctxt->user); 2955e8dbd04SDag-Erling Smørgrav bsm_audit_record(0, textbuf, AUE_logout); 2965e8dbd04SDag-Erling Smørgrav } else { 2975e8dbd04SDag-Erling Smørgrav debug("%s: connection closed without authentication", 2985e8dbd04SDag-Erling Smørgrav __func__); 2995e8dbd04SDag-Erling Smørgrav } 3005e8dbd04SDag-Erling Smørgrav break; 3015e8dbd04SDag-Erling Smørgrav 3025e8dbd04SDag-Erling Smørgrav case SSH_NOLOGIN: 3035e8dbd04SDag-Erling Smørgrav bsm_audit_record(1, 3045e8dbd04SDag-Erling Smørgrav gettext("logins disabled by /etc/nologin"), AUE_openssh); 3055e8dbd04SDag-Erling Smørgrav break; 3065e8dbd04SDag-Erling Smørgrav 3075e8dbd04SDag-Erling Smørgrav case SSH_LOGIN_EXCEED_MAXTRIES: 3085e8dbd04SDag-Erling Smørgrav snprintf(textbuf, sizeof(textbuf), 3095e8dbd04SDag-Erling Smørgrav gettext("too many tries for user %s"), the_authctxt->user); 3105e8dbd04SDag-Erling Smørgrav bsm_audit_record(1, textbuf, AUE_openssh); 3115e8dbd04SDag-Erling Smørgrav break; 3125e8dbd04SDag-Erling Smørgrav 3135e8dbd04SDag-Erling Smørgrav case SSH_LOGIN_ROOT_DENIED: 3145e8dbd04SDag-Erling Smørgrav bsm_audit_record(2, gettext("not_console"), AUE_openssh); 3155e8dbd04SDag-Erling Smørgrav break; 3165e8dbd04SDag-Erling Smørgrav 3175e8dbd04SDag-Erling Smørgrav case SSH_AUTH_FAIL_PASSWD: 3185e8dbd04SDag-Erling Smørgrav bsm_audit_bad_login("password"); 3195e8dbd04SDag-Erling Smørgrav break; 3205e8dbd04SDag-Erling Smørgrav 3215e8dbd04SDag-Erling Smørgrav case SSH_AUTH_FAIL_KBDINT: 3225e8dbd04SDag-Erling Smørgrav bsm_audit_bad_login("interactive password entry"); 3235e8dbd04SDag-Erling Smørgrav break; 3245e8dbd04SDag-Erling Smørgrav 3255e8dbd04SDag-Erling Smørgrav default: 3265e8dbd04SDag-Erling Smørgrav debug("%s: unhandled event %d", __func__, event); 3275e8dbd04SDag-Erling Smørgrav } 3285e8dbd04SDag-Erling Smørgrav } 3295e8dbd04SDag-Erling Smørgrav #endif /* BSM */ 330