1 /* 2 * Copyright 2010 Red Hat, Inc. All rights reserved. 3 * Use is subject to license terms. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 * 25 * Red Hat author: Jan F. Chadima <jchadima (at) redhat.com> 26 */ 27 28 #include "includes.h" 29 #if defined(USE_LINUX_AUDIT) 30 #include <libaudit.h> 31 #include <unistd.h> 32 #include <string.h> 33 34 #include "log.h" 35 #include "audit.h" 36 #include "canohost.h" 37 #include "packet.h" 38 39 const char *audit_username(void); 40 41 int 42 linux_audit_record_event(int uid, const char *username, const char *hostname, 43 const char *ip, const char *ttyn, int success) 44 { 45 int audit_fd, rc, saved_errno; 46 47 if ((audit_fd = audit_open()) < 0) { 48 if (errno == EINVAL || errno == EPROTONOSUPPORT || 49 errno == EAFNOSUPPORT) 50 return 1; /* No audit support in kernel */ 51 else 52 return 0; /* Must prevent login */ 53 } 54 rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN, 55 NULL, "login", username ? username : "(unknown)", 56 username == NULL ? uid : -1, hostname, ip, ttyn, success); 57 saved_errno = errno; 58 close(audit_fd); 59 60 /* 61 * Do not report error if the error is EPERM and sshd is run as non 62 * root user. 63 */ 64 if ((rc == -EPERM) && (geteuid() != 0)) 65 rc = 0; 66 errno = saved_errno; 67 68 return rc >= 0; 69 } 70 71 /* Below is the sshd audit API code */ 72 73 void 74 audit_connection_from(const char *host, int port) 75 { 76 /* not implemented */ 77 } 78 79 void 80 audit_run_command(const char *command) 81 { 82 /* not implemented */ 83 } 84 85 void 86 audit_session_open(struct logininfo *li) 87 { 88 if (linux_audit_record_event(li->uid, NULL, li->hostname, NULL, 89 li->line, 1) == 0) 90 fatal("linux_audit_write_entry failed: %s", strerror(errno)); 91 } 92 93 void 94 audit_session_close(struct logininfo *li) 95 { 96 /* not implemented */ 97 } 98 99 void 100 audit_event(ssh_audit_event_t event) 101 { 102 struct ssh *ssh = active_state; /* XXX */ 103 104 switch(event) { 105 case SSH_AUTH_SUCCESS: 106 case SSH_CONNECTION_CLOSE: 107 case SSH_NOLOGIN: 108 case SSH_LOGIN_EXCEED_MAXTRIES: 109 case SSH_LOGIN_ROOT_DENIED: 110 break; 111 case SSH_AUTH_FAIL_NONE: 112 case SSH_AUTH_FAIL_PASSWD: 113 case SSH_AUTH_FAIL_KBDINT: 114 case SSH_AUTH_FAIL_PUBKEY: 115 case SSH_AUTH_FAIL_HOSTBASED: 116 case SSH_AUTH_FAIL_GSSAPI: 117 case SSH_INVALID_USER: 118 linux_audit_record_event(-1, audit_username(), NULL, 119 ssh_remote_ipaddr(ssh), "sshd", 0); 120 break; 121 default: 122 debug("%s: unhandled event %d", __func__, event); 123 break; 124 } 125 } 126 #endif /* USE_LINUX_AUDIT */ 127
