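/* $Id: audit-linux.c,v 1.1 2011/01/17 10:15:30 dtucker Exp $ */

/*
 * Copyright 2010 Red Hat, Inc. All rights reserved.
 * Use is subject to license terms.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 * Red Hat author: Jan F. Chadima <jchadima@redhat.com>
 */

#include "includes.h"
#if defined(USE_LINUX_AUDIT)
#include <libaudit.h>
#include <errno.h>
#include <unistd.h>
#include <string.h>

#include "log.h"
#include "audit.h"
#include "canohost.h"

const char* audit_username(void);

/*
 * Write one AUDIT_USER_LOGIN record (operation "login") to the Linux audit
 * subsystem.
 *
 * uid       numeric id; only passed to libaudit when username is NULL
 * username  account name, or NULL (recorded as "(unknown)" plus uid)
 * hostname  remote host name, may be NULL
 * ip        remote address, may be NULL
 * ttyn      terminal name placed in the record
 * success   non-zero for a successful login, 0 for a failed one
 *
 * Returns non-zero when the caller may proceed and 0 when the record could
 * not be written.  errno is left as it was right after the failing audit
 * call.
 *
 * Review notes for operators:
 *  - If audit_open() fails with EINVAL, EPROTONOSUPPORT or EAFNOSUPPORT the
 *    function reports success without writing anything.  On such a kernel
 *    logins proceed with no audit trail, so the absence of records is not
 *    evidence of the absence of logins.
 *  - EPERM from the write is ignored when the effective uid is not 0, so an
 *    unprivileged sshd also produces no records and no error.
 */
int
linux_audit_record_event(int uid, const char *username,
    const char *hostname, const char *ip, const char *ttyn, int success)
{
	int audit_fd, rc, saved_errno;

	audit_fd = audit_open();
	if (audit_fd < 0) {
		if (errno == EINVAL || errno == EPROTONOSUPPORT ||
		    errno == EAFNOSUPPORT)
			return 1; /* No audit support in kernel */
		return 0; /* Must prevent login */
	}

	rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
	    NULL, "login", username ? username : "(unknown)",
	    username == NULL ? uid : -1, hostname, ip, ttyn, success);

	/* close() and geteuid() must not disturb the errno callers report. */
	saved_errno = errno;
	close(audit_fd);

	/*
	 * Do not report error if the error is EPERM and sshd is run as non
	 * root user.
	 */
	if (rc == -EPERM && geteuid() != 0)
		rc = 0;

	errno = saved_errno;
	return (rc >= 0);
}

/* Below is the sshd audit API code */

/* Connection-origin hook: no audit record is produced. */
void
audit_connection_from(const char *host, int port)
{
	/* not implemented */
}

/* Command-execution hook: no audit record is produced. */
void
audit_run_command(const char *command)
{
	/* not implemented */
}

/*
 * Record a successful login for the session described by li (uid, hostname
 * and line are read; no user name or IP address is passed).  A failed write
 * goes to fatal(), so the session is not expected to open without its
 * audit record.
 */
void
audit_session_open(struct logininfo *li)
{
	/*
	 * NOTE(review): the message names linux_audit_write_entry, which is
	 * not defined in this file; the text is kept unchanged so existing
	 * log matching keeps working.  strerror(errno) may not describe the
	 * failure if libaudit reported it only through its return value.
	 */
	if (linux_audit_record_event(li->uid, NULL, li->hostname,
	    NULL, li->line, 1) == 0)
		fatal("linux_audit_write_entry failed: %s", strerror(errno));
}

/* Session-close hook: no audit record is produced. */
void
audit_session_close(struct logininfo *li)
{
	/* not implemented */
}

/*
 * Map an sshd audit event to a Linux audit record.
 *
 * Authentication failures and invalid-user events are written as a failed
 * login for audit_username() from get_remote_ipaddr() on tty "sshd".
 * SSH_AUTH_SUCCESS, SSH_CONNECTION_CLOSE, SSH_NOLOGIN,
 * SSH_LOGIN_EXCEED_MAXTRIES and SSH_LOGIN_ROOT_DENIED write nothing here,
 * so detections for the last three need another log source.
 */
void
audit_event(ssh_audit_event_t event)
{
	switch(event) {
	case SSH_AUTH_SUCCESS:
	case SSH_CONNECTION_CLOSE:
	case SSH_NOLOGIN:
	case SSH_LOGIN_EXCEED_MAXTRIES:
	case SSH_LOGIN_ROOT_DENIED:
		break;

	case SSH_AUTH_FAIL_NONE:
	case SSH_AUTH_FAIL_PASSWD:
	case SSH_AUTH_FAIL_KBDINT:
	case SSH_AUTH_FAIL_PUBKEY:
	case SSH_AUTH_FAIL_HOSTBASED:
	case SSH_AUTH_FAIL_GSSAPI:
	case SSH_INVALID_USER:
		/*
		 * A failed attempt whose record cannot be written would
		 * otherwise vanish without trace; report it through the
		 * normal sshd log.  The connection is not aborted.
		 */
		if (linux_audit_record_event(-1, audit_username(), NULL,
		    get_remote_ipaddr(), "sshd", 0) == 0)
			error("%s: could not write audit record for event %d",
			    __func__, event);
		break;

	default:
		debug("%s: unhandled event %d", __func__, event);
		break;
	}
}

#endif /* USE_LINUX_AUDIT */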