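/* $Id: audit-linux.c,v 1.1 2011/01/17 10:15:30 dtucker Exp $ */

/*
 * Copyright 2010 Red Hat, Inc. All rights reserved.
 * Use is subject to license terms.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 * Red Hat author: Jan F. Chadima <jchadima@redhat.com>
 */

#include "includes.h"
#if defined(USE_LINUX_AUDIT)
#include <libaudit.h>
#include <errno.h>
#include <unistd.h>
#include <string.h>

#include "log.h"
#include "audit.h"
#include "canohost.h"
#include "packet.h"

const char *audit_username(void);

/*
 * Write one AUDIT_USER_LOGIN record through libaudit.
 *
 * A non-NULL username is passed as the account name together with an id
 * of -1; a NULL username is replaced by "(unknown)" and uid is passed as
 * the id instead.  hostname, ip and ttyn are handed to libaudit unchanged,
 * and success is the result flag stored in the record.
 *
 * Returns 1 when the caller may proceed:
 *   - the record was written,
 *   - audit_open() failed with EINVAL, EPROTONOSUPPORT or EAFNOSUPPORT
 *     (treated as a kernel without audit support), or
 *   - the write failed with EPERM while the effective uid is not 0.
 * Returns 0 on any other failure; audit_session_open() turns that into a
 * fatal error so an unaudited login cannot go ahead.
 *
 * On the write path errno is restored to the value seen right after
 * audit_log_acct_message(), so close() cannot clobber it for the caller.
 */
int
linux_audit_record_event(int uid, const char *username, const char *hostname,
    const char *ip, const char *ttyn, int success)
{
	int audit_fd, rc, saved_errno;

	if ((audit_fd = audit_open()) < 0) {
		if (errno == EINVAL || errno == EPROTONOSUPPORT ||
		    errno == EAFNOSUPPORT)
			return 1; /* No audit support in kernel */
		else
			return 0; /* Must prevent login */
	}
	rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
	    NULL, "login", username ? username : "(unknown)",
	    username == NULL ? uid : -1, hostname, ip, ttyn, success);
	saved_errno = errno;
	close(audit_fd);

	/*
	 * Do not report error if the error is EPERM and sshd is run as non
	 * root user.  The consequence is that such an sshd produces no audit
	 * records and no indication that they are missing.
	 */
	if ((rc == -EPERM) && (geteuid() != 0))
		rc = 0;
	errno = saved_errno;

	return rc >= 0;
}

/* Below is the sshd audit API code */

/* Connection-established hook; this backend records nothing for it. */
void
audit_connection_from(const char *host, int port)
{
	/* not implemented */
}

/* Command-execution hook; this backend records nothing for it. */
void
audit_run_command(const char *command)
{
	/* not implemented */
}

/*
 * Record a successful login for the session described by li (uid,
 * hostname and tty line; no username or IP address is supplied).
 *
 * Fails closed: if the record cannot be written the process is terminated
 * through fatal().  The message text names linux_audit_write_entry, which
 * is not a function in this file; the record is written by
 * linux_audit_record_event().
 */
void
audit_session_open(struct logininfo *li)
{
	if (linux_audit_record_event(li->uid, NULL, li->hostname, NULL,
	    li->line, 1) == 0)
		fatal("linux_audit_write_entry failed: %s", strerror(errno));
}

/* Session-close hook; this backend records nothing for it. */
void
audit_session_close(struct logininfo *li)
{
	/* not implemented */
}

/*
 * Map an sshd audit event to a Linux audit record.
 *
 * Only authentication failures and invalid-user events produce a record
 * here, written as a failed "login" for audit_username() from the peer
 * address with the tty field set to "sshd".  The events in the first
 * group are accepted and ignored by this function; anything else is
 * reported through debug().
 */
void
audit_event(ssh_audit_event_t event)
{
	struct ssh *ssh = active_state; /* XXX */

	switch(event) {
	case SSH_AUTH_SUCCESS:
	case SSH_CONNECTION_CLOSE:
	case SSH_NOLOGIN:
	case SSH_LOGIN_EXCEED_MAXTRIES:
	case SSH_LOGIN_ROOT_DENIED:
		break;
	case SSH_AUTH_FAIL_NONE:
	case SSH_AUTH_FAIL_PASSWD:
	case SSH_AUTH_FAIL_KBDINT:
	case SSH_AUTH_FAIL_PUBKEY:
	case SSH_AUTH_FAIL_HOSTBASED:
	case SSH_AUTH_FAIL_GSSAPI:
	case SSH_INVALID_USER:
		/*
		 * The attempt has already failed, so there is no login to
		 * block here, but a record that could not be written must
		 * not disappear silently: a gap in failure records hides
		 * password guessing from anyone reading the audit trail.
		 */
		if (linux_audit_record_event(-1, audit_username(), NULL,
		    ssh_remote_ipaddr(ssh), "sshd", 0) == 0)
			error("%s: could not write audit record for "
			    "event %d: %s", __func__, event, strerror(errno));
		break;
	default:
		debug("%s: unhandled event %d", __func__, event);
		break;
	}
}
#endif /* USE_LINUX_AUDIT */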