1 /* $Id: audit-bsm.c,v 1.5 2006/09/30 22:09:50 dtucker Exp $ */ 2 3 /* 4 * TODO 5 * 6 * - deal with overlap between this and sys_auth_allowed_user 7 * sys_auth_record_login and record_failed_login. 8 */ 9 10 /* 11 * Copyright 1988-2002 Sun Microsystems, Inc. All rights reserved. 12 * Use is subject to license terms. 13 * 14 * Redistribution and use in source and binary forms, with or without 15 * modification, are permitted provided that the following conditions 16 * are met: 17 * 1. Redistributions of source code must retain the above copyright 18 * notice, this list of conditions and the following disclaimer. 19 * 2. Redistributions in binary form must reproduce the above copyright 20 * notice, this list of conditions and the following disclaimer in the 21 * documentation and/or other materials provided with the distribution. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 24 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 25 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 26 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 27 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 28 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 29 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 30 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 31 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 32 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 33 * 34 */ 35 /* #pragma ident "@(#)bsmaudit.c 1.1 01/09/17 SMI" */ 36 37 #include "includes.h" 38 __RCSID("$FreeBSD$"); 39 #if defined(USE_BSM_AUDIT) 40 41 #include <sys/types.h> 42 43 #include <errno.h> 44 #include <stdarg.h> 45 #include <unistd.h> 46 47 #include "ssh.h" 48 #include "log.h" 49 #include "key.h" 50 #include "hostfile.h" 51 #include "auth.h" 52 #include "xmalloc.h" 53 54 #ifndef AUE_openssh 55 # define AUE_openssh 32800 56 #endif 57 #include <bsm/audit.h> 58 #include <bsm/libbsm.h> 59 #include <bsm/audit_uevents.h> 60 #include <bsm/audit_record.h> 61 #include <locale.h> 62 63 #if defined(HAVE_GETAUDIT_ADDR) 64 #define AuditInfoStruct auditinfo_addr 65 #define AuditInfoTermID au_tid_addr_t 66 #define GetAuditFunc(a,b) getaudit_addr((a),(b)) 67 #define GetAuditFuncText "getaudit_addr" 68 #define SetAuditFunc(a,b) setaudit_addr((a),(b)) 69 #define SetAuditFuncText "setaudit_addr" 70 #define AUToSubjectFunc au_to_subject_ex 71 #define AUToReturnFunc(a,b) au_to_return32((a), (int32_t)(b)) 72 #else 73 #define AuditInfoStruct auditinfo 74 #define AuditInfoTermID au_tid_t 75 #define GetAuditFunc(a,b) getaudit(a) 76 #define GetAuditFuncText "getaudit" 77 #define SetAuditFunc(a,b) setaudit(a) 78 #define SetAuditFuncText "setaudit" 79 #define AUToSubjectFunc au_to_subject 80 #define AUToReturnFunc(a,b) au_to_return((a), (u_int)(b)) 81 #endif 82 83 extern int cannot_audit(int); 84 extern void aug_init(void); 85 extern dev_t aug_get_port(void); 86 extern int aug_get_machine(char *, u_int32_t *, u_int32_t *); 87 extern void aug_save_auid(au_id_t); 88 extern void aug_save_uid(uid_t); 89 extern void aug_save_euid(uid_t); 90 extern void aug_save_gid(gid_t); 91 extern void aug_save_egid(gid_t); 92 extern void aug_save_pid(pid_t); 93 extern void aug_save_asid(au_asid_t); 94 extern void aug_save_tid(dev_t, unsigned int); 95 extern void aug_save_tid_ex(dev_t, u_int32_t *, u_int32_t); 96 extern int aug_save_me(void); 97 extern int aug_save_namask(void); 98 extern void aug_save_event(au_event_t); 99 extern void aug_save_sorf(int); 100 extern void aug_save_text(char *); 101 extern void aug_save_text1(char *); 102 extern void aug_save_text2(char *); 103 extern void aug_save_na(int); 104 extern void aug_save_user(char *); 105 extern void aug_save_path(char *); 106 extern int aug_save_policy(void); 107 extern void aug_save_afunc(int (*)(int)); 108 extern int aug_audit(void); 109 extern int aug_na_selected(void); 110 extern int aug_selected(void); 111 extern int aug_daemon_session(void); 112 113 #ifndef HAVE_GETTEXT 114 # define gettext(a) (a) 115 #endif 116 117 extern Authctxt *the_authctxt; 118 static AuditInfoTermID ssh_bsm_tid; 119 120 /* Below is the low-level BSM interface code */ 121 122 /* 123 * Check if the specified event is selected (enabled) for auditing. 124 * Returns 1 if the event is selected, 0 if not and -1 on failure. 125 */ 126 static int 127 selected(char *username, uid_t uid, au_event_t event, int sf) 128 { 129 int rc, sorf; 130 char naflags[512]; 131 struct au_mask mask; 132 133 mask.am_success = mask.am_failure = 0; 134 if (uid < 0) { 135 /* get flags for non-attributable (to a real user) events */ 136 rc = getacna(naflags, sizeof(naflags)); 137 if (rc == 0) 138 (void) getauditflagsbin(naflags, &mask); 139 } else 140 rc = au_user_mask(username, &mask); 141 142 sorf = (sf == 0) ? AU_PRS_SUCCESS : AU_PRS_FAILURE; 143 return(au_preselect(event, &mask, sorf, AU_PRS_REREAD)); 144 } 145 146 static void 147 bsm_audit_record(int typ, char *string, au_event_t event_no) 148 { 149 int ad, rc, sel; 150 uid_t uid = -1; 151 gid_t gid = -1; 152 pid_t pid = getpid(); 153 AuditInfoTermID tid = ssh_bsm_tid; 154 155 if (the_authctxt != NULL && the_authctxt->valid) { 156 uid = the_authctxt->pw->pw_uid; 157 gid = the_authctxt->pw->pw_gid; 158 } 159 160 rc = (typ == 0) ? 0 : -1; 161 sel = selected(the_authctxt->user, uid, event_no, rc); 162 debug3("BSM audit: typ %d rc %d \"%s\"", typ, rc, string); 163 if (!sel) 164 return; /* audit event does not match mask, do not write */ 165 166 debug3("BSM audit: writing audit new record"); 167 ad = au_open(); 168 169 (void) au_write(ad, AUToSubjectFunc(uid, uid, gid, uid, gid, 170 pid, pid, &tid)); 171 (void) au_write(ad, au_to_text(string)); 172 (void) au_write(ad, AUToReturnFunc(typ, rc)); 173 174 rc = au_close(ad, AU_TO_WRITE, event_no); 175 if (rc < 0) 176 error("BSM audit: %s failed to write \"%s\" record: %s", 177 __func__, string, strerror(errno)); 178 } 179 180 static void 181 bsm_audit_session_setup(void) 182 { 183 int rc; 184 struct AuditInfoStruct info; 185 au_mask_t mask; 186 187 if (the_authctxt == NULL) { 188 error("BSM audit: session setup internal error (NULL ctxt)"); 189 return; 190 } 191 192 if (the_authctxt->valid) 193 info.ai_auid = the_authctxt->pw->pw_uid; 194 else 195 info.ai_auid = -1; 196 info.ai_asid = getpid(); 197 mask.am_success = 0; 198 mask.am_failure = 0; 199 200 (void) au_user_mask(the_authctxt->user, &mask); 201 202 info.ai_mask.am_success = mask.am_success; 203 info.ai_mask.am_failure = mask.am_failure; 204 205 info.ai_termid = ssh_bsm_tid; 206 207 rc = SetAuditFunc(&info, sizeof(info)); 208 if (rc < 0) 209 error("BSM audit: %s: %s failed: %s", __func__, 210 SetAuditFuncText, strerror(errno)); 211 } 212 213 static void 214 bsm_audit_bad_login(const char *what) 215 { 216 char textbuf[BSM_TEXTBUFSZ]; 217 218 if (the_authctxt->valid) { 219 (void) snprintf(textbuf, sizeof (textbuf), 220 gettext("invalid %s for user %s"), 221 what, the_authctxt->user); 222 bsm_audit_record(4, textbuf, AUE_openssh); 223 } else { 224 (void) snprintf(textbuf, sizeof (textbuf), 225 gettext("invalid user name \"%s\""), 226 the_authctxt->user); 227 bsm_audit_record(3, textbuf, AUE_openssh); 228 } 229 } 230 231 /* Below is the sshd audit API code */ 232 233 void 234 audit_connection_from(const char *host, int port) 235 { 236 AuditInfoTermID *tid = &ssh_bsm_tid; 237 char buf[1024]; 238 239 if (cannot_audit(0)) 240 return; 241 debug3("BSM audit: connection from %.100s port %d", host, port); 242 243 /* populate our terminal id structure */ 244 #if defined(HAVE_GETAUDIT_ADDR) 245 tid->at_port = (dev_t)port; 246 aug_get_machine((char *)host, &(tid->at_addr[0]), &(tid->at_type)); 247 snprintf(buf, sizeof(buf), "%08x %08x %08x %08x", tid->at_addr[0], 248 tid->at_addr[1], tid->at_addr[2], tid->at_addr[3]); 249 debug3("BSM audit: iptype %d machine ID %s", (int)tid->at_type, buf); 250 #else 251 /* this is used on IPv4-only machines */ 252 tid->port = (dev_t)port; 253 tid->machine = inet_addr(host); 254 snprintf(buf, sizeof(buf), "%08x", tid->machine); 255 debug3("BSM audit: machine ID %s", buf); 256 #endif 257 } 258 259 void 260 audit_run_command(const char *command) 261 { 262 /* not implemented */ 263 } 264 265 void 266 audit_session_open(const char *ttyn) 267 { 268 /* not implemented */ 269 } 270 271 void 272 audit_session_close(const char *ttyn) 273 { 274 /* not implemented */ 275 } 276 277 void 278 audit_event(ssh_audit_event_t event) 279 { 280 char textbuf[BSM_TEXTBUFSZ]; 281 static int logged_in = 0; 282 const char *user = the_authctxt ? the_authctxt->user : "(unknown user)"; 283 284 if (cannot_audit(0)) 285 return; 286 287 switch(event) { 288 case SSH_AUTH_SUCCESS: 289 logged_in = 1; 290 bsm_audit_session_setup(); 291 snprintf(textbuf, sizeof(textbuf), 292 gettext("successful login %s"), user); 293 bsm_audit_record(0, textbuf, AUE_openssh); 294 break; 295 296 case SSH_CONNECTION_CLOSE: 297 /* 298 * We can also get a close event if the user attempted auth 299 * but never succeeded. 300 */ 301 if (logged_in) { 302 snprintf(textbuf, sizeof(textbuf), 303 gettext("sshd logout %s"), the_authctxt->user); 304 bsm_audit_record(0, textbuf, AUE_logout); 305 } else { 306 debug("%s: connection closed without authentication", 307 __func__); 308 } 309 break; 310 311 case SSH_NOLOGIN: 312 bsm_audit_record(1, 313 gettext("logins disabled by /etc/nologin"), AUE_openssh); 314 break; 315 316 case SSH_LOGIN_EXCEED_MAXTRIES: 317 snprintf(textbuf, sizeof(textbuf), 318 gettext("too many tries for user %s"), the_authctxt->user); 319 bsm_audit_record(1, textbuf, AUE_openssh); 320 break; 321 322 case SSH_LOGIN_ROOT_DENIED: 323 bsm_audit_record(2, gettext("not_console"), AUE_openssh); 324 break; 325 326 case SSH_AUTH_FAIL_PASSWD: 327 bsm_audit_bad_login("password"); 328 break; 329 330 case SSH_AUTH_FAIL_KBDINT: 331 bsm_audit_bad_login("interactive password entry"); 332 break; 333 334 default: 335 debug("%s: unhandled event %d", __func__, event); 336 } 337 } 338 #endif /* BSM */ 339