14a421b63SDag-Erling Smørgrav /*
24a421b63SDag-Erling Smørgrav * Copyright 2010 Red Hat, Inc. All rights reserved.
34a421b63SDag-Erling Smørgrav * Use is subject to license terms.
44a421b63SDag-Erling Smørgrav *
54a421b63SDag-Erling Smørgrav * Redistribution and use in source and binary forms, with or without
64a421b63SDag-Erling Smørgrav * modification, are permitted provided that the following conditions
74a421b63SDag-Erling Smørgrav * are met:
84a421b63SDag-Erling Smørgrav * 1. Redistributions of source code must retain the above copyright
94a421b63SDag-Erling Smørgrav * notice, this list of conditions and the following disclaimer.
104a421b63SDag-Erling Smørgrav * 2. Redistributions in binary form must reproduce the above copyright
114a421b63SDag-Erling Smørgrav * notice, this list of conditions and the following disclaimer in the
124a421b63SDag-Erling Smørgrav * documentation and/or other materials provided with the distribution.
134a421b63SDag-Erling Smørgrav *
144a421b63SDag-Erling Smørgrav * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
154a421b63SDag-Erling Smørgrav * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
164a421b63SDag-Erling Smørgrav * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
174a421b63SDag-Erling Smørgrav * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
184a421b63SDag-Erling Smørgrav * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
194a421b63SDag-Erling Smørgrav * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
204a421b63SDag-Erling Smørgrav * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
214a421b63SDag-Erling Smørgrav * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
224a421b63SDag-Erling Smørgrav * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
234a421b63SDag-Erling Smørgrav * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
244a421b63SDag-Erling Smørgrav *
254a421b63SDag-Erling Smørgrav * Red Hat author: Jan F. Chadima <jchadima@redhat.com>
264a421b63SDag-Erling Smørgrav */
274a421b63SDag-Erling Smørgrav
284a421b63SDag-Erling Smørgrav #include "includes.h"
294a421b63SDag-Erling Smørgrav #if defined(USE_LINUX_AUDIT)
304a421b63SDag-Erling Smørgrav #include <libaudit.h>
314a421b63SDag-Erling Smørgrav #include <unistd.h>
324a421b63SDag-Erling Smørgrav #include <string.h>
334a421b63SDag-Erling Smørgrav
344a421b63SDag-Erling Smørgrav #include "log.h"
354a421b63SDag-Erling Smørgrav #include "audit.h"
364a421b63SDag-Erling Smørgrav #include "canohost.h"
37076ad2f8SDag-Erling Smørgrav #include "packet.h"
384a421b63SDag-Erling Smørgrav
394a421b63SDag-Erling Smørgrav const char *audit_username(void);
404a421b63SDag-Erling Smørgrav
/*
 * Write one AUDIT_USER_LOGIN record to the kernel audit subsystem.
 *
 * The account is identified either by name or by number: when username is
 * NULL the record carries "(unknown)" together with uid, otherwise it
 * carries username and a uid of -1.  hostname, ip and ttyn are passed
 * through to libaudit as-is (they may be NULL); success is the outcome
 * being recorded.
 *
 * Returns 1 when the record was written, or when the kernel has no audit
 * support at all.  Returns 0 when the audit socket could not be opened for
 * any other reason, or when the write failed; callers treat 0 as
 * "must prevent login".  On return errno reflects the
 * audit_log_acct_message() call rather than the close() that follows it.
 */
int
linux_audit_record_event(int uid, const char *username, const char *hostname,
    const char *ip, const char *ttyn, int success)
{
	int fd, ret, saved_errno;
	const char *acct = (username != NULL) ? username : "(unknown)";
	int acct_uid = (username != NULL) ? -1 : uid;

	fd = audit_open();
	if (fd < 0) {
		switch (errno) {
		case EINVAL:
		case EPROTONOSUPPORT:
		case EAFNOSUPPORT:
			return 1;	/* No audit support in kernel */
		default:
			return 0;	/* Must prevent login */
		}
	}

	ret = audit_log_acct_message(fd, AUDIT_USER_LOGIN, NULL, "login",
	    acct, acct_uid, hostname, ip, ttyn, success);
	saved_errno = errno;	/* close() may overwrite errno */
	close(fd);

	/* Do not report EPERM as an error when sshd is not running as root. */
	if (ret == -EPERM && geteuid() != 0)
		ret = 0;
	errno = saved_errno;

	return ret >= 0;
}
704a421b63SDag-Erling Smørgrav
714a421b63SDag-Erling Smørgrav /* Below is the sshd audit API code */
724a421b63SDag-Erling Smørgrav
/*
 * sshd audit API hook for an incoming connection from host:port.
 * The Linux audit backend records nothing for this event.
 */
void
audit_connection_from(const char *host, int port)
{
	(void)host;
	(void)port;
}
784a421b63SDag-Erling Smørgrav
/*
 * sshd audit API hook invoked with the command a session is about to run.
 * The Linux audit backend records nothing for this event.
 */
void
audit_run_command(const char *command)
{
	(void)command;
}
844a421b63SDag-Erling Smørgrav
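/*
 * Record the start of a login session for the account described by li.
 * The record is keyed by li->uid only (no username); li->hostname is
 * passed as the remote host and li->line as the tty name, with a
 * success flag of 1.
 *
 * A failed audit write is fatal for the session: sshd refuses to
 * continue without an audit trail.  The one exception is a kernel
 * without audit support, which linux_audit_record_event() reports as
 * success.  The fatal() message names linux_audit_record_event(), the
 * function that actually failed, so the log line can be traced back here.
 */
void
audit_session_open(struct logininfo *li)
{
	if (linux_audit_record_event(li->uid, NULL, li->hostname, NULL,
	    li->line, 1) == 0) {
		/* errno is preserved across the close() inside the callee */
		fatal("linux_audit_record_event failed: %s", strerror(errno));
	}
}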
924a421b63SDag-Erling Smørgrav
/*
 * sshd audit API hook for the end of the session described by li.
 * The Linux audit backend records nothing for this event.
 */
void
audit_session_close(struct logininfo *li)
{
	(void)li;
}
984a421b63SDag-Erling Smørgrav
/*
 * sshd audit API hook for a generic audit event on connection ssh.
 *
 * Only authentication failures (and invalid-user attempts) are forwarded
 * to the kernel audit log, as an AUDIT_USER_LOGIN record with no username
 * or uid of its own: the account is audit_username(), the remote address
 * comes from ssh_remote_ipaddr(ssh), the tty field is "sshd" and the
 * success flag is 0.  The write's result is not checked, so unlike
 * audit_session_open() a failed write here does not abort the connection.
 * Events the backend knows about but does not record are listed
 * explicitly so that a genuinely unknown event value reaches the
 * debug() in the default arm.
 */
void
audit_event(struct ssh *ssh, ssh_audit_event_t event)
{
	switch (event) {
	case SSH_AUTH_FAIL_NONE:
	case SSH_AUTH_FAIL_PASSWD:
	case SSH_AUTH_FAIL_KBDINT:
	case SSH_AUTH_FAIL_PUBKEY:
	case SSH_AUTH_FAIL_HOSTBASED:
	case SSH_AUTH_FAIL_GSSAPI:
	case SSH_INVALID_USER:
		linux_audit_record_event(-1, audit_username(), NULL,
		    ssh_remote_ipaddr(ssh), "sshd", 0);
		return;
	case SSH_AUTH_SUCCESS:
	case SSH_CONNECTION_CLOSE:
	case SSH_NOLOGIN:
	case SSH_LOGIN_EXCEED_MAXTRIES:
	case SSH_LOGIN_ROOT_DENIED:
		/* Known events with no Linux audit record of their own. */
		return;
	default:
		debug("%s: unhandled event %d", __func__, event);
		return;
	}
}
1244a421b63SDag-Erling Smørgrav #endif /* USE_LINUX_AUDIT */