xref: /freebsd/crypto/openssh/audit-bsm.c (revision 1e413cf93298b5b97441a21d9a50fdcd0ee9945e)
1 /* $Id: audit-bsm.c,v 1.5 2006/09/30 22:09:50 dtucker Exp $ */
2 
3 /*
4  * TODO
5  *
6  * - deal with overlap between this and sys_auth_allowed_user
7  *   sys_auth_record_login and record_failed_login.
8  */
9 
10 /*
11  * Copyright 1988-2002 Sun Microsystems, Inc.  All rights reserved.
12  * Use is subject to license terms.
13  *
14  * Redistribution and use in source and binary forms, with or without
15  * modification, are permitted provided that the following conditions
16  * are met:
17  * 1. Redistributions of source code must retain the above copyright
18  *    notice, this list of conditions and the following disclaimer.
19  * 2. Redistributions in binary form must reproduce the above copyright
20  *    notice, this list of conditions and the following disclaimer in the
21  *    documentation and/or other materials provided with the distribution.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
24  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
25  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
26  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
27  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
28  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
29  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
30  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
31  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
32  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33  *
34  */
35 /* #pragma ident	"@(#)bsmaudit.c	1.1	01/09/17 SMI" */
36 
37 #include "includes.h"
38 __RCSID("$FreeBSD$");
39 #if defined(USE_BSM_AUDIT)
40 
41 #include <sys/types.h>
42 
43 #include <errno.h>
44 #include <stdarg.h>
45 #include <unistd.h>
46 
47 #include "ssh.h"
48 #include "log.h"
49 #include "key.h"
50 #include "hostfile.h"
51 #include "auth.h"
52 #include "xmalloc.h"
53 
54 #ifndef AUE_openssh
55 # define AUE_openssh     32800
56 #endif
57 #include <bsm/audit.h>
58 #include <bsm/libbsm.h>
59 #include <bsm/audit_uevents.h>
60 #include <bsm/audit_record.h>
61 #include <locale.h>
62 
63 #if defined(HAVE_GETAUDIT_ADDR)
64 #define	AuditInfoStruct		auditinfo_addr
65 #define AuditInfoTermID		au_tid_addr_t
66 #define GetAuditFunc(a,b)	getaudit_addr((a),(b))
67 #define GetAuditFuncText	"getaudit_addr"
68 #define SetAuditFunc(a,b)	setaudit_addr((a),(b))
69 #define SetAuditFuncText	"setaudit_addr"
70 #define AUToSubjectFunc		au_to_subject_ex
71 #define AUToReturnFunc(a,b)	au_to_return32((a), (int32_t)(b))
72 #else
73 #define	AuditInfoStruct		auditinfo
74 #define AuditInfoTermID		au_tid_t
75 #define GetAuditFunc(a,b)	getaudit(a)
76 #define GetAuditFuncText	"getaudit"
77 #define SetAuditFunc(a,b)	setaudit(a)
78 #define SetAuditFuncText	"setaudit"
79 #define AUToSubjectFunc		au_to_subject
80 #define AUToReturnFunc(a,b)	au_to_return((a), (u_int)(b))
81 #endif
82 
83 extern int	cannot_audit(int);
84 extern void	aug_init(void);
85 extern dev_t	aug_get_port(void);
86 extern int 	aug_get_machine(char *, u_int32_t *, u_int32_t *);
87 extern void	aug_save_auid(au_id_t);
88 extern void	aug_save_uid(uid_t);
89 extern void	aug_save_euid(uid_t);
90 extern void	aug_save_gid(gid_t);
91 extern void	aug_save_egid(gid_t);
92 extern void	aug_save_pid(pid_t);
93 extern void	aug_save_asid(au_asid_t);
94 extern void	aug_save_tid(dev_t, unsigned int);
95 extern void	aug_save_tid_ex(dev_t, u_int32_t *, u_int32_t);
96 extern int	aug_save_me(void);
97 extern int	aug_save_namask(void);
98 extern void	aug_save_event(au_event_t);
99 extern void	aug_save_sorf(int);
100 extern void	aug_save_text(char *);
101 extern void	aug_save_text1(char *);
102 extern void	aug_save_text2(char *);
103 extern void	aug_save_na(int);
104 extern void	aug_save_user(char *);
105 extern void	aug_save_path(char *);
106 extern int	aug_save_policy(void);
107 extern void	aug_save_afunc(int (*)(int));
108 extern int	aug_audit(void);
109 extern int	aug_na_selected(void);
110 extern int	aug_selected(void);
111 extern int	aug_daemon_session(void);
112 
113 #ifndef HAVE_GETTEXT
114 # define gettext(a)	(a)
115 #endif
116 
117 extern Authctxt *the_authctxt;
118 static AuditInfoTermID ssh_bsm_tid;
119 
120 /* Below is the low-level BSM interface code */
121 
122 /*
123  * Check if the specified event is selected (enabled) for auditing.
124  * Returns 1 if the event is selected, 0 if not and -1 on failure.
125  */
126 static int
127 selected(char *username, uid_t uid, au_event_t event, int sf)
128 {
129 	int rc, sorf;
130 	char naflags[512];
131 	struct au_mask mask;
132 
133 	mask.am_success = mask.am_failure = 0;
134 	if (uid < 0) {
135 		/* get flags for non-attributable (to a real user) events */
136 		rc = getacna(naflags, sizeof(naflags));
137 		if (rc == 0)
138 			(void) getauditflagsbin(naflags, &mask);
139 	} else
140 		rc = au_user_mask(username, &mask);
141 
142 	sorf = (sf == 0) ? AU_PRS_SUCCESS : AU_PRS_FAILURE;
143 	return(au_preselect(event, &mask, sorf, AU_PRS_REREAD));
144 }
145 
146 static void
147 bsm_audit_record(int typ, char *string, au_event_t event_no)
148 {
149 	int		ad, rc, sel;
150 	uid_t		uid = -1;
151 	gid_t		gid = -1;
152 	pid_t		pid = getpid();
153 	AuditInfoTermID	tid = ssh_bsm_tid;
154 
155 	if (the_authctxt != NULL && the_authctxt->valid) {
156 		uid = the_authctxt->pw->pw_uid;
157 		gid = the_authctxt->pw->pw_gid;
158 	}
159 
160 	rc = (typ == 0) ? 0 : -1;
161 	sel = selected(the_authctxt->user, uid, event_no, rc);
162 	debug3("BSM audit: typ %d rc %d \"%s\"", typ, rc, string);
163 	if (!sel)
164 		return;	/* audit event does not match mask, do not write */
165 
166 	debug3("BSM audit: writing audit new record");
167 	ad = au_open();
168 
169 	(void) au_write(ad, AUToSubjectFunc(uid, uid, gid, uid, gid,
170 	    pid, pid, &tid));
171 	(void) au_write(ad, au_to_text(string));
172 	(void) au_write(ad, AUToReturnFunc(typ, rc));
173 
174 	rc = au_close(ad, AU_TO_WRITE, event_no);
175 	if (rc < 0)
176 		error("BSM audit: %s failed to write \"%s\" record: %s",
177 		    __func__, string, strerror(errno));
178 }
179 
180 static void
181 bsm_audit_session_setup(void)
182 {
183 	int rc;
184 	struct AuditInfoStruct info;
185 	au_mask_t mask;
186 
187 	if (the_authctxt == NULL) {
188 		error("BSM audit: session setup internal error (NULL ctxt)");
189 		return;
190 	}
191 
192 	if (the_authctxt->valid)
193 		info.ai_auid = the_authctxt->pw->pw_uid;
194 	else
195 		info.ai_auid = -1;
196 	info.ai_asid = getpid();
197 	mask.am_success = 0;
198 	mask.am_failure = 0;
199 
200 	(void) au_user_mask(the_authctxt->user, &mask);
201 
202 	info.ai_mask.am_success  = mask.am_success;
203 	info.ai_mask.am_failure  = mask.am_failure;
204 
205 	info.ai_termid = ssh_bsm_tid;
206 
207 	rc = SetAuditFunc(&info, sizeof(info));
208 	if (rc < 0)
209 		error("BSM audit: %s: %s failed: %s", __func__,
210 		    SetAuditFuncText, strerror(errno));
211 }
212 
213 static void
214 bsm_audit_bad_login(const char *what)
215 {
216 	char textbuf[BSM_TEXTBUFSZ];
217 
218 	if (the_authctxt->valid) {
219 		(void) snprintf(textbuf, sizeof (textbuf),
220 			gettext("invalid %s for user %s"),
221 			    what, the_authctxt->user);
222 		bsm_audit_record(4, textbuf, AUE_openssh);
223 	} else {
224 		(void) snprintf(textbuf, sizeof (textbuf),
225 			gettext("invalid user name \"%s\""),
226 			    the_authctxt->user);
227 		bsm_audit_record(3, textbuf, AUE_openssh);
228 	}
229 }
230 
231 /* Below is the sshd audit API code */
232 
233 void
234 audit_connection_from(const char *host, int port)
235 {
236 	AuditInfoTermID *tid = &ssh_bsm_tid;
237 	char buf[1024];
238 
239 	if (cannot_audit(0))
240 		return;
241 	debug3("BSM audit: connection from %.100s port %d", host, port);
242 
243 	/* populate our terminal id structure */
244 #if defined(HAVE_GETAUDIT_ADDR)
245 	tid->at_port = (dev_t)port;
246 	aug_get_machine((char *)host, &(tid->at_addr[0]), &(tid->at_type));
247 	snprintf(buf, sizeof(buf), "%08x %08x %08x %08x", tid->at_addr[0],
248 	    tid->at_addr[1], tid->at_addr[2], tid->at_addr[3]);
249 	debug3("BSM audit: iptype %d machine ID %s", (int)tid->at_type, buf);
250 #else
251 	/* this is used on IPv4-only machines */
252 	tid->port = (dev_t)port;
253 	tid->machine = inet_addr(host);
254 	snprintf(buf, sizeof(buf), "%08x", tid->machine);
255 	debug3("BSM audit: machine ID %s", buf);
256 #endif
257 }
258 
259 void
260 audit_run_command(const char *command)
261 {
262 	/* not implemented */
263 }
264 
265 void
266 audit_session_open(const char *ttyn)
267 {
268 	/* not implemented */
269 }
270 
271 void
272 audit_session_close(const char *ttyn)
273 {
274 	/* not implemented */
275 }
276 
277 void
278 audit_event(ssh_audit_event_t event)
279 {
280 	char    textbuf[BSM_TEXTBUFSZ];
281 	static int logged_in = 0;
282 	const char *user = the_authctxt ? the_authctxt->user : "(unknown user)";
283 
284 	if (cannot_audit(0))
285 		return;
286 
287 	switch(event) {
288 	case SSH_AUTH_SUCCESS:
289 		logged_in = 1;
290 		bsm_audit_session_setup();
291 		snprintf(textbuf, sizeof(textbuf),
292 		    gettext("successful login %s"), user);
293 		bsm_audit_record(0, textbuf, AUE_openssh);
294 		break;
295 
296 	case SSH_CONNECTION_CLOSE:
297 		/*
298 		 * We can also get a close event if the user attempted auth
299 		 * but never succeeded.
300 		 */
301 		if (logged_in) {
302 			snprintf(textbuf, sizeof(textbuf),
303 			    gettext("sshd logout %s"), the_authctxt->user);
304 			bsm_audit_record(0, textbuf, AUE_logout);
305 		} else {
306 			debug("%s: connection closed without authentication",
307 			    __func__);
308 		}
309 		break;
310 
311 	case SSH_NOLOGIN:
312 		bsm_audit_record(1,
313 		    gettext("logins disabled by /etc/nologin"), AUE_openssh);
314 		break;
315 
316 	case SSH_LOGIN_EXCEED_MAXTRIES:
317 		snprintf(textbuf, sizeof(textbuf),
318 		    gettext("too many tries for user %s"), the_authctxt->user);
319 		bsm_audit_record(1, textbuf, AUE_openssh);
320 		break;
321 
322 	case SSH_LOGIN_ROOT_DENIED:
323 		bsm_audit_record(2, gettext("not_console"), AUE_openssh);
324 		break;
325 
326 	case SSH_AUTH_FAIL_PASSWD:
327 		bsm_audit_bad_login("password");
328 		break;
329 
330 	case SSH_AUTH_FAIL_KBDINT:
331 		bsm_audit_bad_login("interactive password entry");
332 		break;
333 
334 	default:
335 		debug("%s: unhandled event %d", __func__, event);
336 	}
337 }
338 #endif /* BSM */
339