1 /* 2 * Copyright (c) 2004, 2005 Darren Tucker. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 1. Redistributions of source code must retain the above copyright 8 * notice, this list of conditions and the following disclaimer. 9 * 2. Redistributions in binary form must reproduce the above copyright 10 * notice, this list of conditions and the following disclaimer in the 11 * documentation and/or other materials provided with the distribution. 12 * 13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 14 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 15 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 16 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 17 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 18 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 19 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 20 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 21 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 23 */ 24 25 #include "includes.h" 26 27 #include <stdarg.h> 28 #include <string.h> 29 30 #ifdef SSH_AUDIT_EVENTS 31 32 #include "audit.h" 33 #include "log.h" 34 #include "key.h" 35 #include "hostfile.h" 36 #include "auth.h" 37 38 /* 39 * Care must be taken when using this since it WILL NOT be initialized when 40 * audit_connection_from() is called and MAY NOT be initialized when 41 * audit_event(CONNECTION_ABANDON) is called. Test for NULL before using. 42 */ 43 extern Authctxt *the_authctxt; 44 45 /* Maybe add the audit class to struct Authmethod? */ 46 ssh_audit_event_t 47 audit_classify_auth(const char *method) 48 { 49 if (strcmp(method, "none") == 0) 50 return SSH_AUTH_FAIL_NONE; 51 else if (strcmp(method, "password") == 0) 52 return SSH_AUTH_FAIL_PASSWD; 53 else if (strcmp(method, "publickey") == 0 || 54 strcmp(method, "rsa") == 0) 55 return SSH_AUTH_FAIL_PUBKEY; 56 else if (strncmp(method, "keyboard-interactive", 20) == 0 || 57 strcmp(method, "challenge-response") == 0) 58 return SSH_AUTH_FAIL_KBDINT; 59 else if (strcmp(method, "hostbased") == 0 || 60 strcmp(method, "rhosts-rsa") == 0) 61 return SSH_AUTH_FAIL_HOSTBASED; 62 else if (strcmp(method, "gssapi-with-mic") == 0) 63 return SSH_AUTH_FAIL_GSSAPI; 64 else 65 return SSH_AUDIT_UNKNOWN; 66 } 67 68 /* helper to return supplied username */ 69 const char * 70 audit_username(void) 71 { 72 static const char unknownuser[] = "(unknown user)"; 73 static const char invaliduser[] = "(invalid user)"; 74 75 if (the_authctxt == NULL || the_authctxt->user == NULL) 76 return (unknownuser); 77 if (!the_authctxt->valid) 78 return (invaliduser); 79 return (the_authctxt->user); 80 } 81 82 const char * 83 audit_event_lookup(ssh_audit_event_t ev) 84 { 85 int i; 86 static struct event_lookup_struct { 87 ssh_audit_event_t event; 88 const char *name; 89 } event_lookup[] = { 90 {SSH_LOGIN_EXCEED_MAXTRIES, "LOGIN_EXCEED_MAXTRIES"}, 91 {SSH_LOGIN_ROOT_DENIED, "LOGIN_ROOT_DENIED"}, 92 {SSH_AUTH_SUCCESS, "AUTH_SUCCESS"}, 93 {SSH_AUTH_FAIL_NONE, "AUTH_FAIL_NONE"}, 94 {SSH_AUTH_FAIL_PASSWD, "AUTH_FAIL_PASSWD"}, 95 {SSH_AUTH_FAIL_KBDINT, "AUTH_FAIL_KBDINT"}, 96 {SSH_AUTH_FAIL_PUBKEY, "AUTH_FAIL_PUBKEY"}, 97 {SSH_AUTH_FAIL_HOSTBASED, "AUTH_FAIL_HOSTBASED"}, 98 {SSH_AUTH_FAIL_GSSAPI, "AUTH_FAIL_GSSAPI"}, 99 {SSH_INVALID_USER, "INVALID_USER"}, 100 {SSH_NOLOGIN, "NOLOGIN"}, 101 {SSH_CONNECTION_CLOSE, "CONNECTION_CLOSE"}, 102 {SSH_CONNECTION_ABANDON, "CONNECTION_ABANDON"}, 103 {SSH_AUDIT_UNKNOWN, "AUDIT_UNKNOWN"} 104 }; 105 106 for (i = 0; event_lookup[i].event != SSH_AUDIT_UNKNOWN; i++) 107 if (event_lookup[i].event == ev) 108 break; 109 return(event_lookup[i].name); 110 } 111 112 # ifndef CUSTOM_SSH_AUDIT_EVENTS 113 /* 114 * Null implementations of audit functions. 115 * These get used if SSH_AUDIT_EVENTS is defined but no audit module is enabled. 116 */ 117 118 /* 119 * Called after a connection has been accepted but before any authentication 120 * has been attempted. 121 */ 122 void 123 audit_connection_from(const char *host, int port) 124 { 125 debug("audit connection from %s port %d euid %d", host, port, 126 (int)geteuid()); 127 } 128 129 /* 130 * Called when various events occur (see audit.h for a list of possible 131 * events and what they mean). 132 */ 133 void 134 audit_event(ssh_audit_event_t event) 135 { 136 debug("audit event euid %d user %s event %d (%s)", geteuid(), 137 audit_username(), event, audit_event_lookup(event)); 138 } 139 140 /* 141 * Called when a user session is started. Argument is the tty allocated to 142 * the session, or NULL if no tty was allocated. 143 * 144 * Note that this may be called multiple times if multiple sessions are used 145 * within a single connection. 146 */ 147 void 148 audit_session_open(struct logininfo *li) 149 { 150 const char *t = li->line ? li->line : "(no tty)"; 151 152 debug("audit session open euid %d user %s tty name %s", geteuid(), 153 audit_username(), t); 154 } 155 156 /* 157 * Called when a user session is closed. Argument is the tty allocated to 158 * the session, or NULL if no tty was allocated. 159 * 160 * Note that this may be called multiple times if multiple sessions are used 161 * within a single connection. 162 */ 163 void 164 audit_session_close(struct logininfo *li) 165 { 166 const char *t = li->line ? li->line : "(no tty)"; 167 168 debug("audit session close euid %d user %s tty name %s", geteuid(), 169 audit_username(), t); 170 } 171 172 /* 173 * This will be called when a user runs a non-interactive command. Note that 174 * it may be called multiple times for a single connection since SSH2 allows 175 * multiple sessions within a single connection. 176 */ 177 void 178 audit_run_command(const char *command) 179 { 180 debug("audit run command euid %d user %s command '%.200s'", geteuid(), 181 audit_username(), command); 182 } 183 # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ 184 #endif /* SSH_AUDIT_EVENTS */ 185