15e8dbd04SDag-Erling Smørgrav /* 25e8dbd04SDag-Erling Smørgrav * Copyright (c) 2004, 2005 Darren Tucker. All rights reserved. 35e8dbd04SDag-Erling Smørgrav * 45e8dbd04SDag-Erling Smørgrav * Redistribution and use in source and binary forms, with or without 55e8dbd04SDag-Erling Smørgrav * modification, are permitted provided that the following conditions 65e8dbd04SDag-Erling Smørgrav * are met: 75e8dbd04SDag-Erling Smørgrav * 1. Redistributions of source code must retain the above copyright 85e8dbd04SDag-Erling Smørgrav * notice, this list of conditions and the following disclaimer. 95e8dbd04SDag-Erling Smørgrav * 2. Redistributions in binary form must reproduce the above copyright 105e8dbd04SDag-Erling Smørgrav * notice, this list of conditions and the following disclaimer in the 115e8dbd04SDag-Erling Smørgrav * documentation and/or other materials provided with the distribution. 125e8dbd04SDag-Erling Smørgrav * 135e8dbd04SDag-Erling Smørgrav * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 145e8dbd04SDag-Erling Smørgrav * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 155e8dbd04SDag-Erling Smørgrav * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 165e8dbd04SDag-Erling Smørgrav * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 175e8dbd04SDag-Erling Smørgrav * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 185e8dbd04SDag-Erling Smørgrav * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 195e8dbd04SDag-Erling Smørgrav * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 205e8dbd04SDag-Erling Smørgrav * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 215e8dbd04SDag-Erling Smørgrav * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 225e8dbd04SDag-Erling Smørgrav * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 235e8dbd04SDag-Erling Smørgrav */ 245e8dbd04SDag-Erling Smørgrav 255e8dbd04SDag-Erling Smørgrav #include "includes.h" 265e8dbd04SDag-Erling Smørgrav 27761efaa7SDag-Erling Smørgrav #include <stdarg.h> 28761efaa7SDag-Erling Smørgrav #include <string.h> 29*190cef3dSDag-Erling Smørgrav #include <unistd.h> 30761efaa7SDag-Erling Smørgrav 315e8dbd04SDag-Erling Smørgrav #ifdef SSH_AUDIT_EVENTS 325e8dbd04SDag-Erling Smørgrav 335e8dbd04SDag-Erling Smørgrav #include "audit.h" 345e8dbd04SDag-Erling Smørgrav #include "log.h" 35761efaa7SDag-Erling Smørgrav #include "hostfile.h" 365e8dbd04SDag-Erling Smørgrav #include "auth.h" 375e8dbd04SDag-Erling Smørgrav 385e8dbd04SDag-Erling Smørgrav /* 395e8dbd04SDag-Erling Smørgrav * Care must be taken when using this since it WILL NOT be initialized when 405e8dbd04SDag-Erling Smørgrav * audit_connection_from() is called and MAY NOT be initialized when 415e8dbd04SDag-Erling Smørgrav * audit_event(CONNECTION_ABANDON) is called. Test for NULL before using. 425e8dbd04SDag-Erling Smørgrav */ 435e8dbd04SDag-Erling Smørgrav extern Authctxt *the_authctxt; 445e8dbd04SDag-Erling Smørgrav 455e8dbd04SDag-Erling Smørgrav /* Maybe add the audit class to struct Authmethod? */ 465e8dbd04SDag-Erling Smørgrav ssh_audit_event_t 475e8dbd04SDag-Erling Smørgrav audit_classify_auth(const char *method) 485e8dbd04SDag-Erling Smørgrav { 495e8dbd04SDag-Erling Smørgrav if (strcmp(method, "none") == 0) 505e8dbd04SDag-Erling Smørgrav return SSH_AUTH_FAIL_NONE; 515e8dbd04SDag-Erling Smørgrav else if (strcmp(method, "password") == 0) 525e8dbd04SDag-Erling Smørgrav return SSH_AUTH_FAIL_PASSWD; 535e8dbd04SDag-Erling Smørgrav else if (strcmp(method, "publickey") == 0 || 545e8dbd04SDag-Erling Smørgrav strcmp(method, "rsa") == 0) 555e8dbd04SDag-Erling Smørgrav return SSH_AUTH_FAIL_PUBKEY; 565e8dbd04SDag-Erling Smørgrav else if (strncmp(method, "keyboard-interactive", 20) == 0 || 575e8dbd04SDag-Erling Smørgrav strcmp(method, "challenge-response") == 0) 585e8dbd04SDag-Erling Smørgrav return SSH_AUTH_FAIL_KBDINT; 595e8dbd04SDag-Erling Smørgrav else if (strcmp(method, "hostbased") == 0 || 605e8dbd04SDag-Erling Smørgrav strcmp(method, "rhosts-rsa") == 0) 615e8dbd04SDag-Erling Smørgrav return SSH_AUTH_FAIL_HOSTBASED; 625e8dbd04SDag-Erling Smørgrav else if (strcmp(method, "gssapi-with-mic") == 0) 635e8dbd04SDag-Erling Smørgrav return SSH_AUTH_FAIL_GSSAPI; 645e8dbd04SDag-Erling Smørgrav else 655e8dbd04SDag-Erling Smørgrav return SSH_AUDIT_UNKNOWN; 665e8dbd04SDag-Erling Smørgrav } 675e8dbd04SDag-Erling Smørgrav 685e8dbd04SDag-Erling Smørgrav /* helper to return supplied username */ 695e8dbd04SDag-Erling Smørgrav const char * 705e8dbd04SDag-Erling Smørgrav audit_username(void) 715e8dbd04SDag-Erling Smørgrav { 725e8dbd04SDag-Erling Smørgrav static const char unknownuser[] = "(unknown user)"; 735e8dbd04SDag-Erling Smørgrav static const char invaliduser[] = "(invalid user)"; 745e8dbd04SDag-Erling Smørgrav 755e8dbd04SDag-Erling Smørgrav if (the_authctxt == NULL || the_authctxt->user == NULL) 765e8dbd04SDag-Erling Smørgrav return (unknownuser); 775e8dbd04SDag-Erling Smørgrav if (!the_authctxt->valid) 785e8dbd04SDag-Erling Smørgrav return (invaliduser); 795e8dbd04SDag-Erling Smørgrav return (the_authctxt->user); 805e8dbd04SDag-Erling Smørgrav } 815e8dbd04SDag-Erling Smørgrav 825e8dbd04SDag-Erling Smørgrav const char * 835e8dbd04SDag-Erling Smørgrav audit_event_lookup(ssh_audit_event_t ev) 845e8dbd04SDag-Erling Smørgrav { 855e8dbd04SDag-Erling Smørgrav int i; 865e8dbd04SDag-Erling Smørgrav static struct event_lookup_struct { 875e8dbd04SDag-Erling Smørgrav ssh_audit_event_t event; 885e8dbd04SDag-Erling Smørgrav const char *name; 895e8dbd04SDag-Erling Smørgrav } event_lookup[] = { 905e8dbd04SDag-Erling Smørgrav {SSH_LOGIN_EXCEED_MAXTRIES, "LOGIN_EXCEED_MAXTRIES"}, 915e8dbd04SDag-Erling Smørgrav {SSH_LOGIN_ROOT_DENIED, "LOGIN_ROOT_DENIED"}, 925e8dbd04SDag-Erling Smørgrav {SSH_AUTH_SUCCESS, "AUTH_SUCCESS"}, 935e8dbd04SDag-Erling Smørgrav {SSH_AUTH_FAIL_NONE, "AUTH_FAIL_NONE"}, 945e8dbd04SDag-Erling Smørgrav {SSH_AUTH_FAIL_PASSWD, "AUTH_FAIL_PASSWD"}, 955e8dbd04SDag-Erling Smørgrav {SSH_AUTH_FAIL_KBDINT, "AUTH_FAIL_KBDINT"}, 965e8dbd04SDag-Erling Smørgrav {SSH_AUTH_FAIL_PUBKEY, "AUTH_FAIL_PUBKEY"}, 975e8dbd04SDag-Erling Smørgrav {SSH_AUTH_FAIL_HOSTBASED, "AUTH_FAIL_HOSTBASED"}, 985e8dbd04SDag-Erling Smørgrav {SSH_AUTH_FAIL_GSSAPI, "AUTH_FAIL_GSSAPI"}, 995e8dbd04SDag-Erling Smørgrav {SSH_INVALID_USER, "INVALID_USER"}, 1005e8dbd04SDag-Erling Smørgrav {SSH_NOLOGIN, "NOLOGIN"}, 1015e8dbd04SDag-Erling Smørgrav {SSH_CONNECTION_CLOSE, "CONNECTION_CLOSE"}, 1025e8dbd04SDag-Erling Smørgrav {SSH_CONNECTION_ABANDON, "CONNECTION_ABANDON"}, 1035e8dbd04SDag-Erling Smørgrav {SSH_AUDIT_UNKNOWN, "AUDIT_UNKNOWN"} 1045e8dbd04SDag-Erling Smørgrav }; 1055e8dbd04SDag-Erling Smørgrav 1065e8dbd04SDag-Erling Smørgrav for (i = 0; event_lookup[i].event != SSH_AUDIT_UNKNOWN; i++) 1075e8dbd04SDag-Erling Smørgrav if (event_lookup[i].event == ev) 1085e8dbd04SDag-Erling Smørgrav break; 1095e8dbd04SDag-Erling Smørgrav return(event_lookup[i].name); 1105e8dbd04SDag-Erling Smørgrav } 1115e8dbd04SDag-Erling Smørgrav 1125e8dbd04SDag-Erling Smørgrav # ifndef CUSTOM_SSH_AUDIT_EVENTS 1135e8dbd04SDag-Erling Smørgrav /* 1145e8dbd04SDag-Erling Smørgrav * Null implementations of audit functions. 1155e8dbd04SDag-Erling Smørgrav * These get used if SSH_AUDIT_EVENTS is defined but no audit module is enabled. 1165e8dbd04SDag-Erling Smørgrav */ 1175e8dbd04SDag-Erling Smørgrav 1185e8dbd04SDag-Erling Smørgrav /* 1195e8dbd04SDag-Erling Smørgrav * Called after a connection has been accepted but before any authentication 1205e8dbd04SDag-Erling Smørgrav * has been attempted. 1215e8dbd04SDag-Erling Smørgrav */ 1225e8dbd04SDag-Erling Smørgrav void 1235e8dbd04SDag-Erling Smørgrav audit_connection_from(const char *host, int port) 1245e8dbd04SDag-Erling Smørgrav { 1255e8dbd04SDag-Erling Smørgrav debug("audit connection from %s port %d euid %d", host, port, 1265e8dbd04SDag-Erling Smørgrav (int)geteuid()); 1275e8dbd04SDag-Erling Smørgrav } 1285e8dbd04SDag-Erling Smørgrav 1295e8dbd04SDag-Erling Smørgrav /* 1305e8dbd04SDag-Erling Smørgrav * Called when various events occur (see audit.h for a list of possible 1315e8dbd04SDag-Erling Smørgrav * events and what they mean). 1325e8dbd04SDag-Erling Smørgrav */ 1335e8dbd04SDag-Erling Smørgrav void 1345e8dbd04SDag-Erling Smørgrav audit_event(ssh_audit_event_t event) 1355e8dbd04SDag-Erling Smørgrav { 1365e8dbd04SDag-Erling Smørgrav debug("audit event euid %d user %s event %d (%s)", geteuid(), 1375e8dbd04SDag-Erling Smørgrav audit_username(), event, audit_event_lookup(event)); 1385e8dbd04SDag-Erling Smørgrav } 1395e8dbd04SDag-Erling Smørgrav 1405e8dbd04SDag-Erling Smørgrav /* 1415e8dbd04SDag-Erling Smørgrav * Called when a user session is started. Argument is the tty allocated to 1425e8dbd04SDag-Erling Smørgrav * the session, or NULL if no tty was allocated. 1435e8dbd04SDag-Erling Smørgrav * 1445e8dbd04SDag-Erling Smørgrav * Note that this may be called multiple times if multiple sessions are used 1455e8dbd04SDag-Erling Smørgrav * within a single connection. 1465e8dbd04SDag-Erling Smørgrav */ 1475e8dbd04SDag-Erling Smørgrav void 1484a421b63SDag-Erling Smørgrav audit_session_open(struct logininfo *li) 1495e8dbd04SDag-Erling Smørgrav { 1504a421b63SDag-Erling Smørgrav const char *t = li->line ? li->line : "(no tty)"; 1515e8dbd04SDag-Erling Smørgrav 1525e8dbd04SDag-Erling Smørgrav debug("audit session open euid %d user %s tty name %s", geteuid(), 1535e8dbd04SDag-Erling Smørgrav audit_username(), t); 1545e8dbd04SDag-Erling Smørgrav } 1555e8dbd04SDag-Erling Smørgrav 1565e8dbd04SDag-Erling Smørgrav /* 1575e8dbd04SDag-Erling Smørgrav * Called when a user session is closed. Argument is the tty allocated to 1585e8dbd04SDag-Erling Smørgrav * the session, or NULL if no tty was allocated. 1595e8dbd04SDag-Erling Smørgrav * 1605e8dbd04SDag-Erling Smørgrav * Note that this may be called multiple times if multiple sessions are used 1615e8dbd04SDag-Erling Smørgrav * within a single connection. 1625e8dbd04SDag-Erling Smørgrav */ 1635e8dbd04SDag-Erling Smørgrav void 1644a421b63SDag-Erling Smørgrav audit_session_close(struct logininfo *li) 1655e8dbd04SDag-Erling Smørgrav { 1664a421b63SDag-Erling Smørgrav const char *t = li->line ? li->line : "(no tty)"; 1675e8dbd04SDag-Erling Smørgrav 1685e8dbd04SDag-Erling Smørgrav debug("audit session close euid %d user %s tty name %s", geteuid(), 1695e8dbd04SDag-Erling Smørgrav audit_username(), t); 1705e8dbd04SDag-Erling Smørgrav } 1715e8dbd04SDag-Erling Smørgrav 1725e8dbd04SDag-Erling Smørgrav /* 1735e8dbd04SDag-Erling Smørgrav * This will be called when a user runs a non-interactive command. Note that 1745e8dbd04SDag-Erling Smørgrav * it may be called multiple times for a single connection since SSH2 allows 1755e8dbd04SDag-Erling Smørgrav * multiple sessions within a single connection. 1765e8dbd04SDag-Erling Smørgrav */ 1775e8dbd04SDag-Erling Smørgrav void 1785e8dbd04SDag-Erling Smørgrav audit_run_command(const char *command) 1795e8dbd04SDag-Erling Smørgrav { 1805e8dbd04SDag-Erling Smørgrav debug("audit run command euid %d user %s command '%.200s'", geteuid(), 1815e8dbd04SDag-Erling Smørgrav audit_username(), command); 1825e8dbd04SDag-Erling Smørgrav } 1835e8dbd04SDag-Erling Smørgrav # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ 1845e8dbd04SDag-Erling Smørgrav #endif /* SSH_AUDIT_EVENTS */ 185