1 /* $Id: audit.c,v 1.5 2006/09/01 05:38:36 djm Exp $ */ 2 3 /* 4 * Copyright (c) 2004, 2005 Darren Tucker. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 */ 26 27 #include "includes.h" 28 29 #include <stdarg.h> 30 #include <string.h> 31 32 #ifdef SSH_AUDIT_EVENTS 33 34 #include "audit.h" 35 #include "log.h" 36 #include "key.h" 37 #include "hostfile.h" 38 #include "auth.h" 39 40 /* 41 * Care must be taken when using this since it WILL NOT be initialized when 42 * audit_connection_from() is called and MAY NOT be initialized when 43 * audit_event(CONNECTION_ABANDON) is called. Test for NULL before using. 44 */ 45 extern Authctxt *the_authctxt; 46 47 /* Maybe add the audit class to struct Authmethod? */ 48 ssh_audit_event_t 49 audit_classify_auth(const char *method) 50 { 51 if (strcmp(method, "none") == 0) 52 return SSH_AUTH_FAIL_NONE; 53 else if (strcmp(method, "password") == 0) 54 return SSH_AUTH_FAIL_PASSWD; 55 else if (strcmp(method, "publickey") == 0 || 56 strcmp(method, "rsa") == 0) 57 return SSH_AUTH_FAIL_PUBKEY; 58 else if (strncmp(method, "keyboard-interactive", 20) == 0 || 59 strcmp(method, "challenge-response") == 0) 60 return SSH_AUTH_FAIL_KBDINT; 61 else if (strcmp(method, "hostbased") == 0 || 62 strcmp(method, "rhosts-rsa") == 0) 63 return SSH_AUTH_FAIL_HOSTBASED; 64 else if (strcmp(method, "gssapi-with-mic") == 0) 65 return SSH_AUTH_FAIL_GSSAPI; 66 else 67 return SSH_AUDIT_UNKNOWN; 68 } 69 70 /* helper to return supplied username */ 71 const char * 72 audit_username(void) 73 { 74 static const char unknownuser[] = "(unknown user)"; 75 static const char invaliduser[] = "(invalid user)"; 76 77 if (the_authctxt == NULL || the_authctxt->user == NULL) 78 return (unknownuser); 79 if (!the_authctxt->valid) 80 return (invaliduser); 81 return (the_authctxt->user); 82 } 83 84 const char * 85 audit_event_lookup(ssh_audit_event_t ev) 86 { 87 int i; 88 static struct event_lookup_struct { 89 ssh_audit_event_t event; 90 const char *name; 91 } event_lookup[] = { 92 {SSH_LOGIN_EXCEED_MAXTRIES, "LOGIN_EXCEED_MAXTRIES"}, 93 {SSH_LOGIN_ROOT_DENIED, "LOGIN_ROOT_DENIED"}, 94 {SSH_AUTH_SUCCESS, "AUTH_SUCCESS"}, 95 {SSH_AUTH_FAIL_NONE, "AUTH_FAIL_NONE"}, 96 {SSH_AUTH_FAIL_PASSWD, "AUTH_FAIL_PASSWD"}, 97 {SSH_AUTH_FAIL_KBDINT, "AUTH_FAIL_KBDINT"}, 98 {SSH_AUTH_FAIL_PUBKEY, "AUTH_FAIL_PUBKEY"}, 99 {SSH_AUTH_FAIL_HOSTBASED, "AUTH_FAIL_HOSTBASED"}, 100 {SSH_AUTH_FAIL_GSSAPI, "AUTH_FAIL_GSSAPI"}, 101 {SSH_INVALID_USER, "INVALID_USER"}, 102 {SSH_NOLOGIN, "NOLOGIN"}, 103 {SSH_CONNECTION_CLOSE, "CONNECTION_CLOSE"}, 104 {SSH_CONNECTION_ABANDON, "CONNECTION_ABANDON"}, 105 {SSH_AUDIT_UNKNOWN, "AUDIT_UNKNOWN"} 106 }; 107 108 for (i = 0; event_lookup[i].event != SSH_AUDIT_UNKNOWN; i++) 109 if (event_lookup[i].event == ev) 110 break; 111 return(event_lookup[i].name); 112 } 113 114 # ifndef CUSTOM_SSH_AUDIT_EVENTS 115 /* 116 * Null implementations of audit functions. 117 * These get used if SSH_AUDIT_EVENTS is defined but no audit module is enabled. 118 */ 119 120 /* 121 * Called after a connection has been accepted but before any authentication 122 * has been attempted. 123 */ 124 void 125 audit_connection_from(const char *host, int port) 126 { 127 debug("audit connection from %s port %d euid %d", host, port, 128 (int)geteuid()); 129 } 130 131 /* 132 * Called when various events occur (see audit.h for a list of possible 133 * events and what they mean). 134 */ 135 void 136 audit_event(ssh_audit_event_t event) 137 { 138 debug("audit event euid %d user %s event %d (%s)", geteuid(), 139 audit_username(), event, audit_event_lookup(event)); 140 } 141 142 /* 143 * Called when a user session is started. Argument is the tty allocated to 144 * the session, or NULL if no tty was allocated. 145 * 146 * Note that this may be called multiple times if multiple sessions are used 147 * within a single connection. 148 */ 149 void 150 audit_session_open(const char *ttyn) 151 { 152 const char *t = ttyn ? ttyn : "(no tty)"; 153 154 debug("audit session open euid %d user %s tty name %s", geteuid(), 155 audit_username(), t); 156 } 157 158 /* 159 * Called when a user session is closed. Argument is the tty allocated to 160 * the session, or NULL if no tty was allocated. 161 * 162 * Note that this may be called multiple times if multiple sessions are used 163 * within a single connection. 164 */ 165 void 166 audit_session_close(const char *ttyn) 167 { 168 const char *t = ttyn ? ttyn : "(no tty)"; 169 170 debug("audit session close euid %d user %s tty name %s", geteuid(), 171 audit_username(), t); 172 } 173 174 /* 175 * This will be called when a user runs a non-interactive command. Note that 176 * it may be called multiple times for a single connection since SSH2 allows 177 * multiple sessions within a single connection. 178 */ 179 void 180 audit_run_command(const char *command) 181 { 182 debug("audit run command euid %d user %s command '%.200s'", geteuid(), 183 audit_username(), command); 184 } 185 # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ 186 #endif /* SSH_AUDIT_EVENTS */ 187