1221420Sdes/* $Id: audit.c,v 1.6 2011/01/17 10:15:30 dtucker Exp $ */ 2146998Sdes 3146998Sdes/* 4146998Sdes * Copyright (c) 2004, 2005 Darren Tucker. All rights reserved. 5146998Sdes * 6146998Sdes * Redistribution and use in source and binary forms, with or without 7146998Sdes * modification, are permitted provided that the following conditions 8146998Sdes * are met: 9146998Sdes * 1. Redistributions of source code must retain the above copyright 10146998Sdes * notice, this list of conditions and the following disclaimer. 11146998Sdes * 2. Redistributions in binary form must reproduce the above copyright 12146998Sdes * notice, this list of conditions and the following disclaimer in the 13146998Sdes * documentation and/or other materials provided with the distribution. 14146998Sdes * 15146998Sdes * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 16146998Sdes * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 17146998Sdes * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 18146998Sdes * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 19146998Sdes * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 20146998Sdes * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 21146998Sdes * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 22146998Sdes * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23146998Sdes * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 24146998Sdes * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25146998Sdes */ 26146998Sdes 27146998Sdes#include "includes.h" 28146998Sdes 29162852Sdes#include <stdarg.h> 30162852Sdes#include <string.h> 31162852Sdes 32146998Sdes#ifdef SSH_AUDIT_EVENTS 33146998Sdes 34146998Sdes#include "audit.h" 35146998Sdes#include "log.h" 36162852Sdes#include "key.h" 37162852Sdes#include "hostfile.h" 38146998Sdes#include "auth.h" 39146998Sdes 40146998Sdes/* 41146998Sdes * Care must be taken when using this since it WILL NOT be initialized when 42146998Sdes * audit_connection_from() is called and MAY NOT be initialized when 43146998Sdes * audit_event(CONNECTION_ABANDON) is called. Test for NULL before using. 44146998Sdes */ 45146998Sdesextern Authctxt *the_authctxt; 46146998Sdes 47146998Sdes/* Maybe add the audit class to struct Authmethod? */ 48146998Sdesssh_audit_event_t 49146998Sdesaudit_classify_auth(const char *method) 50146998Sdes{ 51146998Sdes if (strcmp(method, "none") == 0) 52146998Sdes return SSH_AUTH_FAIL_NONE; 53146998Sdes else if (strcmp(method, "password") == 0) 54146998Sdes return SSH_AUTH_FAIL_PASSWD; 55146998Sdes else if (strcmp(method, "publickey") == 0 || 56146998Sdes strcmp(method, "rsa") == 0) 57146998Sdes return SSH_AUTH_FAIL_PUBKEY; 58146998Sdes else if (strncmp(method, "keyboard-interactive", 20) == 0 || 59146998Sdes strcmp(method, "challenge-response") == 0) 60146998Sdes return SSH_AUTH_FAIL_KBDINT; 61146998Sdes else if (strcmp(method, "hostbased") == 0 || 62146998Sdes strcmp(method, "rhosts-rsa") == 0) 63146998Sdes return SSH_AUTH_FAIL_HOSTBASED; 64146998Sdes else if (strcmp(method, "gssapi-with-mic") == 0) 65146998Sdes return SSH_AUTH_FAIL_GSSAPI; 66146998Sdes else 67146998Sdes return SSH_AUDIT_UNKNOWN; 68146998Sdes} 69146998Sdes 70146998Sdes/* helper to return supplied username */ 71146998Sdesconst char * 72146998Sdesaudit_username(void) 73146998Sdes{ 74146998Sdes static const char unknownuser[] = "(unknown user)"; 75146998Sdes static const char invaliduser[] = "(invalid user)"; 76146998Sdes 77146998Sdes if (the_authctxt == NULL || the_authctxt->user == NULL) 78146998Sdes return (unknownuser); 79146998Sdes if (!the_authctxt->valid) 80146998Sdes return (invaliduser); 81146998Sdes return (the_authctxt->user); 82146998Sdes} 83146998Sdes 84146998Sdesconst char * 85146998Sdesaudit_event_lookup(ssh_audit_event_t ev) 86146998Sdes{ 87146998Sdes int i; 88146998Sdes static struct event_lookup_struct { 89146998Sdes ssh_audit_event_t event; 90146998Sdes const char *name; 91146998Sdes } event_lookup[] = { 92146998Sdes {SSH_LOGIN_EXCEED_MAXTRIES, "LOGIN_EXCEED_MAXTRIES"}, 93146998Sdes {SSH_LOGIN_ROOT_DENIED, "LOGIN_ROOT_DENIED"}, 94146998Sdes {SSH_AUTH_SUCCESS, "AUTH_SUCCESS"}, 95146998Sdes {SSH_AUTH_FAIL_NONE, "AUTH_FAIL_NONE"}, 96146998Sdes {SSH_AUTH_FAIL_PASSWD, "AUTH_FAIL_PASSWD"}, 97146998Sdes {SSH_AUTH_FAIL_KBDINT, "AUTH_FAIL_KBDINT"}, 98146998Sdes {SSH_AUTH_FAIL_PUBKEY, "AUTH_FAIL_PUBKEY"}, 99146998Sdes {SSH_AUTH_FAIL_HOSTBASED, "AUTH_FAIL_HOSTBASED"}, 100146998Sdes {SSH_AUTH_FAIL_GSSAPI, "AUTH_FAIL_GSSAPI"}, 101146998Sdes {SSH_INVALID_USER, "INVALID_USER"}, 102146998Sdes {SSH_NOLOGIN, "NOLOGIN"}, 103146998Sdes {SSH_CONNECTION_CLOSE, "CONNECTION_CLOSE"}, 104146998Sdes {SSH_CONNECTION_ABANDON, "CONNECTION_ABANDON"}, 105146998Sdes {SSH_AUDIT_UNKNOWN, "AUDIT_UNKNOWN"} 106146998Sdes }; 107146998Sdes 108146998Sdes for (i = 0; event_lookup[i].event != SSH_AUDIT_UNKNOWN; i++) 109146998Sdes if (event_lookup[i].event == ev) 110146998Sdes break; 111146998Sdes return(event_lookup[i].name); 112146998Sdes} 113146998Sdes 114146998Sdes# ifndef CUSTOM_SSH_AUDIT_EVENTS 115146998Sdes/* 116146998Sdes * Null implementations of audit functions. 117146998Sdes * These get used if SSH_AUDIT_EVENTS is defined but no audit module is enabled. 118146998Sdes */ 119146998Sdes 120146998Sdes/* 121146998Sdes * Called after a connection has been accepted but before any authentication 122146998Sdes * has been attempted. 123146998Sdes */ 124146998Sdesvoid 125146998Sdesaudit_connection_from(const char *host, int port) 126146998Sdes{ 127146998Sdes debug("audit connection from %s port %d euid %d", host, port, 128149749Sdes (int)geteuid()); 129146998Sdes} 130146998Sdes 131146998Sdes/* 132146998Sdes * Called when various events occur (see audit.h for a list of possible 133146998Sdes * events and what they mean). 134146998Sdes */ 135146998Sdesvoid 136146998Sdesaudit_event(ssh_audit_event_t event) 137146998Sdes{ 138146998Sdes debug("audit event euid %d user %s event %d (%s)", geteuid(), 139146998Sdes audit_username(), event, audit_event_lookup(event)); 140146998Sdes} 141146998Sdes 142146998Sdes/* 143146998Sdes * Called when a user session is started. Argument is the tty allocated to 144146998Sdes * the session, or NULL if no tty was allocated. 145146998Sdes * 146146998Sdes * Note that this may be called multiple times if multiple sessions are used 147146998Sdes * within a single connection. 148146998Sdes */ 149146998Sdesvoid 150221420Sdesaudit_session_open(struct logininfo *li) 151146998Sdes{ 152221420Sdes const char *t = li->line ? li->line : "(no tty)"; 153146998Sdes 154146998Sdes debug("audit session open euid %d user %s tty name %s", geteuid(), 155149749Sdes audit_username(), t); 156146998Sdes} 157146998Sdes 158146998Sdes/* 159146998Sdes * Called when a user session is closed. Argument is the tty allocated to 160146998Sdes * the session, or NULL if no tty was allocated. 161146998Sdes * 162146998Sdes * Note that this may be called multiple times if multiple sessions are used 163146998Sdes * within a single connection. 164146998Sdes */ 165146998Sdesvoid 166221420Sdesaudit_session_close(struct logininfo *li) 167146998Sdes{ 168221420Sdes const char *t = li->line ? li->line : "(no tty)"; 169146998Sdes 170146998Sdes debug("audit session close euid %d user %s tty name %s", geteuid(), 171149749Sdes audit_username(), t); 172146998Sdes} 173146998Sdes 174146998Sdes/* 175146998Sdes * This will be called when a user runs a non-interactive command. Note that 176146998Sdes * it may be called multiple times for a single connection since SSH2 allows 177146998Sdes * multiple sessions within a single connection. 178146998Sdes */ 179146998Sdesvoid 180146998Sdesaudit_run_command(const char *command) 181146998Sdes{ 182146998Sdes debug("audit run command euid %d user %s command '%.200s'", geteuid(), 183146998Sdes audit_username(), command); 184146998Sdes} 185146998Sdes# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ 186146998Sdes#endif /* SSH_AUDIT_EVENTS */ 187