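/* $Id: audit-linux.c,v 1.1 2011/01/17 10:15:30 dtucker Exp $ */

/*
 * Copyright 2010 Red Hat, Inc. All rights reserved.
 * Use is subject to license terms.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 * Red Hat author: Jan F. Chadima <jchadima@redhat.com>
 */

#include "includes.h"
#if defined(USE_LINUX_AUDIT)
#include <libaudit.h>
#include <unistd.h>
#include <string.h>

#include "log.h"
#include "audit.h"
#include "canohost.h"
#include "packet.h"

const char *audit_username(void);

/*
 * Write one AUDIT_USER_LOGIN record (operation "login") to the Linux audit
 * subsystem.
 *
 * uid      - passed to libaudit as the numeric id only when username is
 *            NULL; otherwise -1 is passed instead.
 * username - account name for the record; "(unknown)" is substituted when
 *            NULL.
 * hostname, ip, ttyn - forwarded unchanged to audit_log_acct_message().
 * success  - result flag forwarded unchanged to audit_log_acct_message().
 *
 * Returns 1 when the record was written or when the failure is one the
 * caller may ignore, and 0 when the caller must treat auditing as failed.
 * errno is restored to its value from just after the libaudit call, so it
 * survives the close().
 */
int
linux_audit_record_event(int uid, const char *username, const char *hostname,
    const char *ip, const char *ttyn, int success)
{
	int audit_fd, rc, saved_errno;

	if ((audit_fd = audit_open()) < 0) {
		/*
		 * These errno values are taken to mean the kernel has no
		 * audit support at all, which is not an error for sshd.
		 */
		if (errno == EINVAL || errno == EPROTONOSUPPORT ||
		    errno == EAFNOSUPPORT)
			return 1; /* No audit support in kernel */
		/* Audit exists but is unreachable: fail closed. */
		return 0; /* Must prevent login */
	}
	rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
	    NULL, "login", username ? username : "(unknown)",
	    username == NULL ? uid : -1, hostname, ip, ttyn, success);
	/* close() may clobber errno; keep the value callers will report. */
	saved_errno = errno;
	close(audit_fd);

	/*
	 * Do not report error if the error is EPERM and sshd is run as non
	 * root user.
	 */
	if ((rc == -EPERM) && (geteuid() != 0))
		rc = 0;
	errno = saved_errno;

	return rc >= 0;
}

/* Below is the sshd audit API code */

/* Connection-origin auditing is not implemented for this backend. */
void
audit_connection_from(const char *host, int port)
{
	/* not implemented */
}

/* Command-execution auditing is not implemented for this backend. */
void
audit_run_command(const char *command)
{
	/* not implemented */
}

/*
 * Record a successful login for the session described by li, identified by
 * li->uid, li->hostname and li->line. Fails closed: if the record cannot be
 * written, sshd terminates through fatal() rather than letting the session
 * proceed unaudited.
 */
void
audit_session_open(struct logininfo *li)
{
	/*
	 * NOTE(review): the message names linux_audit_write_entry, not the
	 * linux_audit_record_event() defined in this file. The text is kept
	 * verbatim. errno may not describe a libaudit failure, since that is
	 * tested above through the negative return code - confirm.
	 */
	if (linux_audit_record_event(li->uid, NULL, li->hostname, NULL,
	    li->line, 1) == 0)
		fatal("linux_audit_write_entry failed: %s", strerror(errno));
}

/* Session-close auditing is not implemented for this backend. */
void
audit_session_close(struct logininfo *li)
{
	/* not implemented */
}

/*
 * Translate an sshd audit event into a Linux audit record.
 *
 * Only authentication failures and invalid-user events produce a record: a
 * failed "login" with uid -1, the name returned by audit_username(), the
 * remote IP address and the terminal string "sshd". The success, close,
 * nologin, max-tries and root-denied events are ignored here, and any other
 * event is only logged at debug level.
 */
void
audit_event(ssh_audit_event_t event)
{
	struct ssh *ssh = active_state; /* XXX */

	switch(event) {
	case SSH_AUTH_SUCCESS:
	case SSH_CONNECTION_CLOSE:
	case SSH_NOLOGIN:
	case SSH_LOGIN_EXCEED_MAXTRIES:
	case SSH_LOGIN_ROOT_DENIED:
		break;
	case SSH_AUTH_FAIL_NONE:
	case SSH_AUTH_FAIL_PASSWD:
	case SSH_AUTH_FAIL_KBDINT:
	case SSH_AUTH_FAIL_PUBKEY:
	case SSH_AUTH_FAIL_HOSTBASED:
	case SSH_AUTH_FAIL_GSSAPI:
	case SSH_INVALID_USER:
		/*
		 * A lost failed-login record hides exactly the activity the
		 * audit trail exists to show, so log the failure instead of
		 * dropping the result. The connection is already being
		 * refused, so this stays best-effort rather than fatal().
		 *
		 * NOTE(review): audit_username() is defined elsewhere; for
		 * SSH_INVALID_USER the name presumably originates from the
		 * client - confirm libaudit encodes it safely.
		 */
		if (linux_audit_record_event(-1, audit_username(), NULL,
		    ssh_remote_ipaddr(ssh), "sshd", 0) == 0)
			error("%s: failed to record audit event %d: %s",
			    __func__, (int)event, strerror(errno));
		break;
	default:
		debug("%s: unhandled event %d", __func__, event);
		break;
	}
}
#endif /* USE_LINUX_AUDIT */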