xref: /freebsd/crypto/openssh/audit-bsm.c (revision d9a42747950146bf03cda7f6e25d219253f8a57a)
1 /*
2  * TODO
3  *
4  * - deal with overlap between this and sys_auth_allowed_user
5  *   sys_auth_record_login and record_failed_login.
6  */
7 
8 /*
9  * Copyright 1988-2002 Sun Microsystems, Inc.  All rights reserved.
10  * Use is subject to license terms.
11  *
12  * Redistribution and use in source and binary forms, with or without
13  * modification, are permitted provided that the following conditions
14  * are met:
15  * 1. Redistributions of source code must retain the above copyright
16  *    notice, this list of conditions and the following disclaimer.
17  * 2. Redistributions in binary form must reproduce the above copyright
18  *    notice, this list of conditions and the following disclaimer in the
19  *    documentation and/or other materials provided with the distribution.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
22  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
23  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
24  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
25  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
26  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
27  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
28  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
30  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31  *
32  */
33 /* #pragma ident	"@(#)bsmaudit.c	1.1	01/09/17 SMI" */
34 
35 #include "includes.h"
36 #if defined(USE_BSM_AUDIT)
37 
38 #include <sys/types.h>
39 
40 #include <errno.h>
41 #include <netdb.h>
42 #include <stdarg.h>
43 #include <string.h>
44 #include <unistd.h>
45 
46 #ifdef BROKEN_BSM_API
47 #include <libscf.h>
48 #endif
49 
50 #include "ssh.h"
51 #include "log.h"
52 #include "hostfile.h"
53 #include "auth.h"
54 #include "xmalloc.h"
55 
56 #ifndef AUE_openssh
57 # define AUE_openssh     32800
58 #endif
59 #include <bsm/audit.h>
60 #include <bsm/libbsm.h>
61 #include <bsm/audit_uevents.h>
62 #include <bsm/audit_record.h>
63 #include <locale.h>
64 
65 #if defined(HAVE_GETAUDIT_ADDR)
66 #define	AuditInfoStruct		auditinfo_addr
67 #define AuditInfoTermID		au_tid_addr_t
68 #define SetAuditFunc(a,b)	setaudit_addr((a),(b))
69 #define SetAuditFuncText	"setaudit_addr"
70 #define AUToSubjectFunc		au_to_subject_ex
71 #define AUToReturnFunc(a,b)	au_to_return32((a), (int32_t)(b))
72 #else
73 #define	AuditInfoStruct		auditinfo
74 #define AuditInfoTermID		au_tid_t
75 #define SetAuditFunc(a,b)	setaudit(a)
76 #define SetAuditFuncText	"setaudit"
77 #define AUToSubjectFunc		au_to_subject
78 #define AUToReturnFunc(a,b)	au_to_return((a), (u_int)(b))
79 #endif
80 
81 #ifndef cannot_audit
82 extern int	cannot_audit(int);
83 #endif
84 extern void	aug_init(void);
85 extern void	aug_save_auid(au_id_t);
86 extern void	aug_save_uid(uid_t);
87 extern void	aug_save_euid(uid_t);
88 extern void	aug_save_gid(gid_t);
89 extern void	aug_save_egid(gid_t);
90 extern void	aug_save_pid(pid_t);
91 extern void	aug_save_asid(au_asid_t);
92 extern void	aug_save_tid(dev_t, unsigned int);
93 extern void	aug_save_tid_ex(dev_t, u_int32_t *, u_int32_t);
94 extern int	aug_save_me(void);
95 extern int	aug_save_namask(void);
96 extern void	aug_save_event(au_event_t);
97 extern void	aug_save_sorf(int);
98 extern void	aug_save_text(char *);
99 extern void	aug_save_text1(char *);
100 extern void	aug_save_text2(char *);
101 extern void	aug_save_na(int);
102 extern void	aug_save_user(char *);
103 extern void	aug_save_path(char *);
104 extern int	aug_save_policy(void);
105 extern void	aug_save_afunc(int (*)(int));
106 extern int	aug_audit(void);
107 extern int	aug_na_selected(void);
108 extern int	aug_selected(void);
109 extern int	aug_daemon_session(void);
110 
111 #ifndef HAVE_GETTEXT
112 # define gettext(a)	(a)
113 #endif
114 
115 extern Authctxt *the_authctxt;
116 static AuditInfoTermID ssh_bsm_tid;
117 
118 #ifdef BROKEN_BSM_API
119 /* For some reason this constant is no longer defined
120    in Solaris 11. */
121 #define BSM_TEXTBUFSZ 256
122 #endif
123 
124 /* Below is the low-level BSM interface code */
125 
126 /*
127  * aug_get_machine is only required on IPv6 capable machines, we use a
128  * different mechanism in audit_connection_from() for IPv4-only machines.
129  * getaudit_addr() is only present on IPv6 capable machines.
130  */
131 #if defined(HAVE_AUG_GET_MACHINE) || !defined(HAVE_GETAUDIT_ADDR)
132 extern int aug_get_machine(char *, u_int32_t *, u_int32_t *);
133 #else
134 static int
135 aug_get_machine(char *host, u_int32_t *addr, u_int32_t *type)
136 {
137 	struct addrinfo *ai;
138 	struct sockaddr_in *in4;
139 	struct sockaddr_in6 *in6;
140 	int ret = 0, r;
141 
142 	if ((r = getaddrinfo(host, NULL, NULL, &ai)) != 0) {
143 		error("BSM audit: getaddrinfo failed for %.100s: %.100s", host,
144 		    r == EAI_SYSTEM ? strerror(errno) : gai_strerror(r));
145 		return -1;
146 	}
147 
148 	switch (ai->ai_family) {
149 	case AF_INET:
150 		in4 = (struct sockaddr_in *)ai->ai_addr;
151 		*type = AU_IPv4;
152 		memcpy(addr, &in4->sin_addr, sizeof(struct in_addr));
153 		break;
154 #ifdef AU_IPv6
155 	case AF_INET6:
156 		in6 = (struct sockaddr_in6 *)ai->ai_addr;
157 		*type = AU_IPv6;
158 		memcpy(addr, &in6->sin6_addr, sizeof(struct in6_addr));
159 		break;
160 #endif
161 	default:
162 		error("BSM audit: unknown address family for %.100s: %d",
163 		    host, ai->ai_family);
164 		ret = -1;
165 	}
166 	freeaddrinfo(ai);
167 	return ret;
168 }
169 #endif
170 
171 #ifdef BROKEN_BSM_API
172 /*
173   In Solaris 11 the audit daemon has been moved to SMF. In the process
174   they simply dropped getacna() from the API, since it read from a now
175   non-existent config file. This function re-implements getacna() to
176   read from the SMF repository instead.
177  */
178 int
179 getacna(char *auditstring, int len)
180 {
181 	scf_handle_t *handle = NULL;
182 	scf_property_t *property = NULL;
183 	scf_value_t *value = NULL;
184 	int ret = 0;
185 
186 	/*
187 	 * The man page for getacna on Solaris 10 states we should return -2
188 	 * in case of error and set errno to indicate the error. We don't
189 	 * bother with errno here, though, since the only use of this function
190 	 * below doesn't check for errors anyway.
191 	*/
192 	handle = scf_handle_create(SCF_VERSION);
193 	if (handle == NULL)
194 		return -2;
195 
196 	ret = scf_handle_bind(handle);
197 	if (ret == -1)
198 		return -2;
199 
200 	property = scf_property_create(handle);
201 	if (property == NULL)
202 		return -2;
203 
204 	ret = scf_handle_decode_fmri(handle,
205 	    "svc:/system/auditd:default/:properties/preselection/naflags",
206 	    NULL, NULL, NULL, NULL, property, 0);
207 	if (ret == -1)
208 		return -2;
209 
210 	value = scf_value_create(handle);
211 	if (value == NULL)
212 		return -2;
213 
214 	ret = scf_property_get_value(property, value);
215 	if (ret == -1)
216 		return -2;
217 
218 	ret = scf_value_get_astring(value, auditstring, len);
219 	if (ret == -1)
220 		return -2;
221 
222 	scf_value_destroy(value);
223 	scf_property_destroy(property);
224 	scf_handle_destroy(handle);
225 
226 	return 0;
227 }
228 #endif
229 
230 /*
231  * Check if the specified event is selected (enabled) for auditing.
232  * Returns 1 if the event is selected, 0 if not and -1 on failure.
233  */
234 static int
235 selected(char *username, uid_t uid, au_event_t event, int sf)
236 {
237 	int rc, sorf;
238 	char naflags[512];
239 	struct au_mask mask;
240 
241 	mask.am_success = mask.am_failure = 0;
242 	if (uid < 0) {
243 		/* get flags for non-attributable (to a real user) events */
244 		rc = getacna(naflags, sizeof(naflags));
245 		if (rc == 0)
246 			(void) getauditflagsbin(naflags, &mask);
247 	} else
248 		rc = au_user_mask(username, &mask);
249 
250 	sorf = (sf == 0) ? AU_PRS_SUCCESS : AU_PRS_FAILURE;
251 	return(au_preselect(event, &mask, sorf, AU_PRS_REREAD));
252 }
253 
254 static void
255 bsm_audit_record(int typ, char *string, au_event_t event_no)
256 {
257 	int		ad, rc, sel;
258 	uid_t		uid = -1;
259 	gid_t		gid = -1;
260 	pid_t		pid = getpid();
261 	AuditInfoTermID	tid = ssh_bsm_tid;
262 
263 	if (the_authctxt != NULL && the_authctxt->valid) {
264 		uid = the_authctxt->pw->pw_uid;
265 		gid = the_authctxt->pw->pw_gid;
266 	}
267 
268 	rc = (typ == 0) ? 0 : -1;
269 	sel = selected(the_authctxt->user, uid, event_no, rc);
270 	debug3("BSM audit: typ %d rc %d \"%s\"", typ, rc, string);
271 	if (!sel)
272 		return;	/* audit event does not match mask, do not write */
273 
274 	debug3("BSM audit: writing audit new record");
275 	ad = au_open();
276 
277 	(void) au_write(ad, AUToSubjectFunc(uid, uid, gid, uid, gid,
278 	    pid, pid, &tid));
279 	(void) au_write(ad, au_to_text(string));
280 	(void) au_write(ad, AUToReturnFunc(typ, rc));
281 
282 #ifdef BROKEN_BSM_API
283 	/*
284 	 * The last argument is the event modifier flags. For some seemingly
285 	 * undocumented reason it was added in Solaris 11.
286 	 */
287 	rc = au_close(ad, AU_TO_WRITE, event_no, 0);
288 #else
289 	rc = au_close(ad, AU_TO_WRITE, event_no);
290 #endif
291 
292 	if (rc < 0)
293 		error("BSM audit: %s failed to write \"%s\" record: %s",
294 		    __func__, string, strerror(errno));
295 }
296 
297 static void
298 bsm_audit_session_setup(void)
299 {
300 	int rc;
301 	struct AuditInfoStruct info;
302 	au_mask_t mask;
303 
304 	if (the_authctxt == NULL) {
305 		error("BSM audit: session setup internal error (NULL ctxt)");
306 		return;
307 	}
308 
309 	if (the_authctxt->valid)
310 		info.ai_auid = the_authctxt->pw->pw_uid;
311 	else
312 		info.ai_auid = -1;
313 	info.ai_asid = getpid();
314 	mask.am_success = 0;
315 	mask.am_failure = 0;
316 
317 	(void) au_user_mask(the_authctxt->user, &mask);
318 
319 	info.ai_mask.am_success  = mask.am_success;
320 	info.ai_mask.am_failure  = mask.am_failure;
321 
322 	info.ai_termid = ssh_bsm_tid;
323 
324 	rc = SetAuditFunc(&info, sizeof(info));
325 	if (rc < 0)
326 		error("BSM audit: %s: %s failed: %s", __func__,
327 		    SetAuditFuncText, strerror(errno));
328 }
329 
330 static void
331 bsm_audit_bad_login(const char *what)
332 {
333 	char textbuf[BSM_TEXTBUFSZ];
334 
335 	if (the_authctxt->valid) {
336 		(void) snprintf(textbuf, sizeof (textbuf),
337 			gettext("invalid %s for user %s"),
338 			    what, the_authctxt->user);
339 		bsm_audit_record(4, textbuf, AUE_openssh);
340 	} else {
341 		(void) snprintf(textbuf, sizeof (textbuf),
342 			gettext("invalid user name \"%s\""),
343 			    the_authctxt->user);
344 		bsm_audit_record(3, textbuf, AUE_openssh);
345 	}
346 }
347 
348 /* Below is the sshd audit API code */
349 
350 void
351 audit_connection_from(const char *host, int port)
352 {
353 	AuditInfoTermID *tid = &ssh_bsm_tid;
354 	char buf[1024];
355 
356 	if (cannot_audit(0))
357 		return;
358 	debug3("BSM audit: connection from %.100s port %d", host, port);
359 
360 	/* populate our terminal id structure */
361 #if defined(HAVE_GETAUDIT_ADDR)
362 	tid->at_port = (dev_t)port;
363 	aug_get_machine((char *)host, &(tid->at_addr[0]), &(tid->at_type));
364 	snprintf(buf, sizeof(buf), "%08x %08x %08x %08x", tid->at_addr[0],
365 	    tid->at_addr[1], tid->at_addr[2], tid->at_addr[3]);
366 	debug3("BSM audit: iptype %d machine ID %s", (int)tid->at_type, buf);
367 #else
368 	/* this is used on IPv4-only machines */
369 	tid->port = (dev_t)port;
370 	tid->machine = inet_addr(host);
371 	snprintf(buf, sizeof(buf), "%08x", tid->machine);
372 	debug3("BSM audit: machine ID %s", buf);
373 #endif
374 }
375 
376 void
377 audit_run_command(const char *command)
378 {
379 	/* not implemented */
380 }
381 
382 void
383 audit_session_open(struct logininfo *li)
384 {
385 	/* not implemented */
386 }
387 
388 void
389 audit_session_close(struct logininfo *li)
390 {
391 	/* not implemented */
392 }
393 
394 void
395 audit_event(struct ssh *ssh, ssh_audit_event_t event)
396 {
397 	char    textbuf[BSM_TEXTBUFSZ];
398 	static int logged_in = 0;
399 	const char *user = the_authctxt ? the_authctxt->user : "(unknown user)";
400 
401 	if (cannot_audit(0))
402 		return;
403 
404 	switch(event) {
405 	case SSH_AUTH_SUCCESS:
406 		logged_in = 1;
407 		bsm_audit_session_setup();
408 		snprintf(textbuf, sizeof(textbuf),
409 		    gettext("successful login %s"), user);
410 		bsm_audit_record(0, textbuf, AUE_openssh);
411 		break;
412 
413 	case SSH_CONNECTION_CLOSE:
414 		/*
415 		 * We can also get a close event if the user attempted auth
416 		 * but never succeeded.
417 		 */
418 		if (logged_in) {
419 			snprintf(textbuf, sizeof(textbuf),
420 			    gettext("sshd logout %s"), the_authctxt->user);
421 			bsm_audit_record(0, textbuf, AUE_logout);
422 		} else {
423 			debug("%s: connection closed without authentication",
424 			    __func__);
425 		}
426 		break;
427 
428 	case SSH_NOLOGIN:
429 		bsm_audit_record(1,
430 		    gettext("logins disabled by /etc/nologin"), AUE_openssh);
431 		break;
432 
433 	case SSH_LOGIN_EXCEED_MAXTRIES:
434 		snprintf(textbuf, sizeof(textbuf),
435 		    gettext("too many tries for user %s"), the_authctxt->user);
436 		bsm_audit_record(1, textbuf, AUE_openssh);
437 		break;
438 
439 	case SSH_LOGIN_ROOT_DENIED:
440 		bsm_audit_record(2, gettext("not_console"), AUE_openssh);
441 		break;
442 
443 	case SSH_AUTH_FAIL_PASSWD:
444 		bsm_audit_bad_login("password");
445 		break;
446 
447 	case SSH_AUTH_FAIL_KBDINT:
448 		bsm_audit_bad_login("interactive password entry");
449 		break;
450 
451 	default:
452 		debug("%s: unhandled event %d", __func__, event);
453 	}
454 }
455 #endif /* BSM */
456