1 |
/* |
2 |
* Copyright 2010 Red Hat, Inc. All rights reserved. |
3 |
* Use is subject to license terms. |
4 |
* |
5 |
* Redistribution and use in source and binary forms, with or without |
6 |
* modification, are permitted provided that the following conditions |
7 |
* are met: |
8 |
* 1. Redistributions of source code must retain the above copyright |
9 |
* notice, this list of conditions and the following disclaimer. |
10 |
* 2. Redistributions in binary form must reproduce the above copyright |
11 |
* notice, this list of conditions and the following disclaimer in the |
12 |
* documentation and/or other materials provided with the distribution. |
13 |
* |
14 |
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
15 |
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
16 |
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
17 |
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
18 |
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
19 |
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
20 |
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
21 |
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
22 |
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
23 |
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
24 |
* |
25 |
* Red Hat author: Jan F. Chadima <jchadima@redhat.com> |
26 |
*/ |
27 |
|
28 |
#include "includes.h" |
29 |
#if defined(USE_LINUX_AUDIT) |
30 |
#include <libaudit.h> |
31 |
#include <unistd.h> |
32 |
#include <string.h> |
33 |
|
34 |
#include "log.h" |
35 |
#include "audit.h" |
36 |
#include "canohost.h" |
37 |
#include "packet.h" |
38 |
|
39 |
const char *audit_username(void); |
40 |
|
41 |
/*
 * Write one AUDIT_USER_LOGIN record (operation "login") through libaudit.
 *
 * uid:      numeric id, passed on only when username is NULL (otherwise -1)
 * username: account name; "(unknown)" is substituted when NULL
 * hostname, ip, ttyn: passed to audit_log_acct_message() unchanged
 * success:  result flag stored in the record
 *
 * Returns non-zero when the record was written or when the failure is one
 * the caller may tolerate, and 0 when the caller must treat the event as
 * unaudited.  Tolerated cases: audit_open() failing with EINVAL,
 * EPROTONOSUPPORT or EAFNOSUPPORT (no audit support in kernel), and
 * -EPERM from the write while not running with effective uid 0.
 * errno on return is the value left by audit_log_acct_message().
 */
int
linux_audit_record_event(int uid, const char *username, const char *hostname,
    const char *ip, const char *ttyn, int success)
{
	const char *acct_name;
	int fd, acct_id, result, log_errno;

	fd = audit_open();
	if (fd < 0) {
		/* No audit support in kernel: report success to the caller. */
		if (errno == EINVAL || errno == EPROTONOSUPPORT ||
		    errno == EAFNOSUPPORT)
			return 1;
		/* Any other open failure must prevent login. */
		return 0;
	}

	acct_name = (username != NULL) ? username : "(unknown)";
	acct_id = (username == NULL) ? uid : -1;

	result = audit_log_acct_message(fd, AUDIT_USER_LOGIN, NULL, "login",
	    acct_name, acct_id, hostname, ip, ttyn, success);
	/* Keep the write's errno; close() and geteuid() may overwrite it. */
	log_errno = errno;
	close(fd);

	/*
	 * A non-root sshd is not allowed to write audit records, so EPERM
	 * is not reported as an error in that case.
	 */
	if (result == -EPERM && geteuid() != 0)
		result = 0;
	errno = log_errno;

	return result >= 0;
}
70 |
|
71 |
/* Below is the sshd audit API code */ |
72 |
|
73 |
/*
 * sshd audit hook for an incoming connection.  Not implemented for the
 * Linux audit backend: no audit record is written for host/port here.
 */
void
audit_connection_from(const char *host, int port)
{
	(void)host;
	(void)port;
}
78 |
|
79 |
/*
 * sshd audit hook for a command about to be run.  Not implemented for the
 * Linux audit backend: the command string is not recorded here.
 */
void
audit_run_command(const char *command)
{
	(void)command;
}
84 |
|
85 |
/*
 * sshd audit hook for a session being opened: records a successful login
 * for li->uid with li->hostname and li->line as the terminal.  No username
 * and no IP address are passed, so the record carries the numeric id only.
 *
 * Fails closed: if the record cannot be written, sshd is terminated via
 * fatal().  The message text still names linux_audit_write_entry although
 * the call made here is linux_audit_record_event(); it is left unchanged.
 */
void
audit_session_open(struct logininfo *li)
{
	int recorded;

	recorded = linux_audit_record_event(li->uid, NULL, li->hostname, NULL,
	    li->line, 1);
	if (recorded != 0)
		return;

	fatal("linux_audit_write_entry failed: %s", strerror(errno));
}
92 |
|
93 |
/*
 * sshd audit hook for a session being closed.  Not implemented for the
 * Linux audit backend: no record is written here when a session ends.
 */
void
audit_session_close(struct logininfo *li)
{
	(void)li;
}
98 |
|
99 |
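/*
 * sshd audit hook for authentication and connection events.
 *
 * Failed-authentication events and SSH_INVALID_USER are written as a
 * failed login for audit_username() from the remote IP address, with uid
 * -1 and "sshd" as the terminal.  SSH_AUTH_SUCCESS, SSH_CONNECTION_CLOSE,
 * SSH_NOLOGIN, SSH_LOGIN_EXCEED_MAXTRIES and SSH_LOGIN_ROOT_DENIED write
 * no record in this function.  Any other event is only logged at debug
 * level.
 */
void
audit_event(ssh_audit_event_t event)
{
	struct ssh *ssh = active_state; /* XXX */

	switch(event) {
	case SSH_AUTH_SUCCESS:
	case SSH_CONNECTION_CLOSE:
	case SSH_NOLOGIN:
	case SSH_LOGIN_EXCEED_MAXTRIES:
	case SSH_LOGIN_ROOT_DENIED:
		break;
	case SSH_AUTH_FAIL_NONE:
	case SSH_AUTH_FAIL_PASSWD:
	case SSH_AUTH_FAIL_KBDINT:
	case SSH_AUTH_FAIL_PUBKEY:
	case SSH_AUTH_FAIL_HOSTBASED:
	case SSH_AUTH_FAIL_GSSAPI:
	case SSH_INVALID_USER:
		/*
		 * A failed attempt that cannot be audited is not fatal, but
		 * it must not vanish silently: report the lost record so
		 * gaps in the audit trail show up in the sshd log.
		 */
		if (linux_audit_record_event(-1, audit_username(), NULL,
		    ssh_remote_ipaddr(ssh), "sshd", 0) == 0)
			error("%s: failed to write audit record: %s",
			    __func__, strerror(errno));
		break;
	default:
		debug("%s: unhandled event %d", __func__, event);
		break;
	}
}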
126 |
#endif /* USE_LINUX_AUDIT */ |