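/*
 * Copyright 2010 Red Hat, Inc. All rights reserved.
 * Use is subject to license terms.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 * Red Hat author: Jan F. Chadima <jchadima@redhat.com>
 */

#include "includes.h"
#if defined(USE_LINUX_AUDIT)
#include <libaudit.h>
#include <errno.h>
#include <unistd.h>
#include <string.h>

#include "log.h"
#include "audit.h"
#include "canohost.h"
#include "packet.h"

const char *audit_username(void);

/*
 * Write one AUDIT_USER_LOGIN record through libaudit.
 *
 * The account is identified by username when it is non-NULL (the uid
 * argument is then replaced by -1); otherwise the numeric uid is used and
 * the name passed to libaudit is the placeholder "(unknown)".  A hostname
 * of "UNKNOWN" is treated as absent.  ip and ttyn are handed to libaudit
 * unchanged; success is the result recorded for the login.
 *
 * Returns 1 when the record was written, or when the failure is one that
 * must not block logins: the kernel has no audit support, or the write
 * was refused with EPERM while not running as root.  Returns 0 for every
 * other failure; callers on the login path are expected to refuse the
 * session in that case.  errno is restored after close(), so the caller
 * can report it with strerror(errno).
 *
 * NOTE(review): for failed authentications username is presumably the
 * name requested by the remote client; escaping of that value in the
 * audit record is left to libaudit -- confirm.
 */
int
linux_audit_record_event(int uid, const char *username, const char *hostname,
    const char *ip, const char *ttyn, int success)
{
	int audit_fd, rc, saved_errno;

	if ((audit_fd = audit_open()) < 0) {
		if (errno == EINVAL || errno == EPROTONOSUPPORT ||
		    errno == EAFNOSUPPORT)
			return 1; /* No audit support in kernel */
		else
			return 0; /* Must prevent login */
	}
	if (hostname != NULL && strcmp(hostname, "UNKNOWN") == 0)
		hostname = NULL;
	rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
	    NULL, "login", username ? username : "(unknown)",
	    username == NULL ? uid : -1, hostname, ip, ttyn, success);
	/* close() may overwrite errno; keep the value from libaudit. */
	saved_errno = errno;
	close(audit_fd);

	/*
	 * Do not report error if the error is EPERM and sshd is run as non
	 * root user.
	 */
	if ((rc == -EPERM) && (geteuid() != 0))
		rc = 0;
	errno = saved_errno;

	return rc >= 0;
}

/* Below is the sshd audit API code */

/* Hook for a new connection; this backend records nothing for it. */
void
audit_connection_from(const char *host, int port)
{
	/* not implemented */
}

/* Hook for command execution; this backend records nothing for it. */
void
audit_run_command(const char *command)
{
	/* not implemented */
}

/*
 * Record a successful login for the session described by li.
 *
 * Fails closed: if the audit record cannot be written the process is
 * terminated with fatal(), so no session is opened without an audit trail.
 */
void
audit_session_open(struct logininfo *li)
{
	/*
	 * The message names linux_audit_write_entry although the function
	 * called here is linux_audit_record_event; the text is kept as is
	 * so that existing log matching keeps working.
	 */
	if (linux_audit_record_event(li->uid, NULL, li->hostname, NULL,
	    li->line, 1) == 0)
		fatal("linux_audit_write_entry failed: %s", strerror(errno));
}

/* Hook for session teardown; this backend records nothing for it. */
void
audit_session_close(struct logininfo *li)
{
	/* not implemented */
}

/*
 * Map sshd audit events onto Linux audit records.
 *
 * Only authentication failures and invalid-user events produce a record
 * (a failed "login" attributed to audit_username() and the remote address
 * of ssh).  The other listed events are accepted and ignored; anything
 * else is reported at debug level.
 */
void
audit_event(struct ssh *ssh, ssh_audit_event_t event)
{
	switch(event) {
	case SSH_AUTH_SUCCESS:
	case SSH_CONNECTION_CLOSE:
	case SSH_NOLOGIN:
	case SSH_LOGIN_EXCEED_MAXTRIES:
	case SSH_LOGIN_ROOT_DENIED:
		break;
	case SSH_AUTH_FAIL_NONE:
	case SSH_AUTH_FAIL_PASSWD:
	case SSH_AUTH_FAIL_KBDINT:
	case SSH_AUTH_FAIL_PUBKEY:
	case SSH_AUTH_FAIL_HOSTBASED:
	case SSH_AUTH_FAIL_GSSAPI:
	case SSH_INVALID_USER:
		/*
		 * A lost failed-login record is a gap in the audit trail.
		 * The attempt is already being rejected, so report the
		 * failure in the sshd log instead of aborting.
		 */
		if (linux_audit_record_event(-1, audit_username(), NULL,
		    ssh_remote_ipaddr(ssh), "sshd", 0) == 0)
			error_f("failed to write audit record: %s",
			    strerror(errno));
		break;
	default:
		/* Cast: the enum's underlying type need not match %d. */
		debug_f("unhandled event %d", (int)event);
		break;
	}
}
#endif /* USE_LINUX_AUDIT */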