1 /* $Id: audit-linux.c,v 1.1 2011/01/17 10:15:30 dtucker Exp $ */ 2 3 /* 4 * Copyright 2010 Red Hat, Inc. All rights reserved. 5 * Use is subject to license terms. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 * 27 * Red Hat author: Jan F. Chadima <jchadima@redhat.com> 28 */ 29 30 #include "includes.h" 31 #if defined(USE_LINUX_AUDIT) 32 #include <libaudit.h> 33 #include <unistd.h> 34 #include <string.h> 35 36 #include "log.h" 37 #include "audit.h" 38 #include "canohost.h" 39 40 const char* audit_username(void); 41 42 int 43 linux_audit_record_event(int uid, const char *username, 44 const char *hostname, const char *ip, const char *ttyn, int success) 45 { 46 int audit_fd, rc, saved_errno; 47 48 audit_fd = audit_open(); 49 if (audit_fd < 0) { 50 if (errno == EINVAL || errno == EPROTONOSUPPORT || 51 errno == EAFNOSUPPORT) 52 return 1; /* No audit support in kernel */ 53 else 54 return 0; /* Must prevent login */ 55 } 56 rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN, 57 NULL, "login", username ? username : "(unknown)", 58 username == NULL ? uid : -1, hostname, ip, ttyn, success); 59 saved_errno = errno; 60 close(audit_fd); 61 /* 62 * Do not report error if the error is EPERM and sshd is run as non 63 * root user. 64 */ 65 if ((rc == -EPERM) && (geteuid() != 0)) 66 rc = 0; 67 errno = saved_errno; 68 return (rc >= 0); 69 } 70 71 /* Below is the sshd audit API code */ 72 73 void 74 audit_connection_from(const char *host, int port) 75 { 76 } 77 /* not implemented */ 78 79 void 80 audit_run_command(const char *command) 81 { 82 /* not implemented */ 83 } 84 85 void 86 audit_session_open(struct logininfo *li) 87 { 88 if (linux_audit_record_event(li->uid, NULL, li->hostname, 89 NULL, li->line, 1) == 0) 90 fatal("linux_audit_write_entry failed: %s", strerror(errno)); 91 } 92 93 void 94 audit_session_close(struct logininfo *li) 95 { 96 /* not implemented */ 97 } 98 99 void 100 audit_event(ssh_audit_event_t event) 101 { 102 switch(event) { 103 case SSH_AUTH_SUCCESS: 104 case SSH_CONNECTION_CLOSE: 105 case SSH_NOLOGIN: 106 case SSH_LOGIN_EXCEED_MAXTRIES: 107 case SSH_LOGIN_ROOT_DENIED: 108 break; 109 110 case SSH_AUTH_FAIL_NONE: 111 case SSH_AUTH_FAIL_PASSWD: 112 case SSH_AUTH_FAIL_KBDINT: 113 case SSH_AUTH_FAIL_PUBKEY: 114 case SSH_AUTH_FAIL_HOSTBASED: 115 case SSH_AUTH_FAIL_GSSAPI: 116 case SSH_INVALID_USER: 117 linux_audit_record_event(-1, audit_username(), NULL, 118 get_remote_ipaddr(), "sshd", 0); 119 break; 120 121 default: 122 debug("%s: unhandled event %d", __func__, event); 123 } 124 } 125 126 #endif /* USE_LINUX_AUDIT */ 127