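/*
 * Copyright 2010 Red Hat, Inc.  All rights reserved.
 * Use is subject to license terms.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 * Red Hat author: Jan F. Chadima <jchadima@redhat.com>
 */

#include "includes.h"
#if defined(USE_LINUX_AUDIT)
#include <libaudit.h>
#include <unistd.h>
#include <string.h>

#include "log.h"
#include "audit.h"
#include "canohost.h"
#include "packet.h"

/* Defined outside this file; supplies the account name for failure records. */
const char *audit_username(void);

/*
 * Write one AUDIT_USER_LOGIN account record (operation "login") to the
 * Linux audit subsystem.
 *
 * uid       numeric id, reported only when username is NULL
 * username  account name, or NULL to report "(unknown)" together with uid
 * hostname  remote host name passed through to libaudit (callers pass NULL
 *           when they only have an address)
 * ip        remote address passed through to libaudit (callers pass NULL
 *           when they only have a host name)
 * ttyn      terminal name passed through to libaudit
 * success   non-zero for a successful event, 0 for a failed one
 *
 * Returns non-zero when the caller may proceed and 0 when the record could
 * not be written.  The policy is fail-closed: a kernel without audit
 * support counts as "proceed", any other failure to open the audit
 * descriptor returns 0 so that the caller can refuse the login.
 *
 * errno is left as it was directly after audit_log_acct_message() so the
 * caller can format it; close() is not allowed to overwrite it.
 */
int
linux_audit_record_event(int uid, const char *username, const char *hostname,
    const char *ip, const char *ttyn, int success)
{
	int audit_fd, rc, saved_errno;

	if ((audit_fd = audit_open()) < 0) {
		if (errno == EINVAL || errno == EPROTONOSUPPORT ||
		    errno == EAFNOSUPPORT)
			return 1; /* No audit support in kernel */
		else
			return 0; /* Must prevent login */
	}
	/*
	 * The name and the id are mutually exclusive here: with a known
	 * username the id argument is -1, without one the placeholder name
	 * "(unknown)" is sent and the uid carries the identity.
	 */
	rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
	    NULL, "login", username ? username : "(unknown)",
	    username == NULL ? uid : -1, hostname, ip, ttyn, success);
	saved_errno = errno;
	close(audit_fd);

	/*
	 * Do not report error if the error is EPERM and sshd is run as non
	 * root user.
	 */
	if ((rc == -EPERM) && (geteuid() != 0))
		rc = 0;
	errno = saved_errno;

	return rc >= 0;
}

/* Below is the sshd audit API code */

/* sshd audit hook for a new connection; no audit record is written. */
void
audit_connection_from(const char *host, int port)
{
	/* not implemented */
}

/* sshd audit hook for command execution; no audit record is written. */
void
audit_run_command(const char *command)
{
	/* not implemented */
}

/*
 * sshd audit hook for an opened session: records a successful login for
 * li->uid on terminal li->line from li->hostname.
 *
 * The session is aborted with fatal() when the record cannot be written,
 * so a login never proceeds without its audit trail.
 */
void
audit_session_open(struct logininfo *li)
{
	/*
	 * The message text names linux_audit_write_entry, which is not the
	 * function called here; the string is kept unchanged because log
	 * consumers may match on it.
	 */
	if (linux_audit_record_event(li->uid, NULL, li->hostname, NULL,
	    li->line, 1) == 0)
		fatal("linux_audit_write_entry failed: %s", strerror(errno));
}

/* sshd audit hook for a closed session; no audit record is written. */
void
audit_session_close(struct logininfo *li)
{
	/* not implemented */
}

/*
 * sshd audit hook for authentication and connection events.
 *
 * Every authentication-failure event and SSH_INVALID_USER is recorded as a
 * failed login for audit_username() from the peer address, with "sshd" as
 * the terminal name.  The events in the first case group are accepted
 * without writing a record; anything else is reported through debug().
 */
void
audit_event(ssh_audit_event_t event)
{
	struct ssh *ssh = active_state; /* XXX */

	switch (event) {
	case SSH_AUTH_SUCCESS:
	case SSH_CONNECTION_CLOSE:
	case SSH_NOLOGIN:
	case SSH_LOGIN_EXCEED_MAXTRIES:
	case SSH_LOGIN_ROOT_DENIED:
		break;
	case SSH_AUTH_FAIL_NONE:
	case SSH_AUTH_FAIL_PASSWD:
	case SSH_AUTH_FAIL_KBDINT:
	case SSH_AUTH_FAIL_PUBKEY:
	case SSH_AUTH_FAIL_HOSTBASED:
	case SSH_AUTH_FAIL_GSSAPI:
	case SSH_INVALID_USER:
		/*
		 * A failed attempt is not turned into a fatal error, but a
		 * record that could not be written must not vanish silently:
		 * failed logins are what brute-force detection is built on,
		 * so the loss is reported in the daemon log instead.
		 * NOTE(review): errno is whatever the helper left behind;
		 * confirm libaudit sets it on this failure path.
		 */
		if (linux_audit_record_event(-1, audit_username(), NULL,
		    ssh_remote_ipaddr(ssh), "sshd", 0) == 0)
			error("%s: failed to write audit record: %s",
			    __func__, strerror(errno));
		break;
	default:
		debug("%s: unhandled event %d", __func__, event);
		break;
	}
}
#endif /* USE_LINUX_AUDIT */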