

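--- a/audit-bsm.c
+++ b/audit-bsm.c
@@ -0,0 +1,324 @@
+/* $Id$ */
+
+/*
+ * TODO
+ *
+ * - deal with overlap between this and sys_auth_allowed_user
+ *   sys_auth_record_login and record_failed_login.
+ *
+ * - check the HAVE_GETAUDIT_ADDR replacement code for IPv6 safety.
+ */
+
+/*
+ * Copyright 1988-2002 Sun Microsystems, Inc.  All rights reserved.
+ * Use is subject to license terms.
+ *
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+/* #pragma ident	"@(#)bsmaudit.c	1.1	01/09/17 SMI" */
+
+#include "includes.h"
+#if defined(AUDIT_EVENTS) && defined(USE_BSM_AUDIT)
+
+#ifndef AUE_openssh
+# define AUE_openssh     32800
+#endif
+
+#include "ssh.h"
+#include "log.h"
+#include "auth.h"
+#include "xmalloc.h"
+#include "audit-bsm.h"
+
+#ifndef HAVE_GETTEXT
+# define gettext(a)	(a)
+#endif
+
+extern Authctxt *the_authctxt;
+
+static char	sav_ttyn[512];
+static char	sav_name[512];
+static int	sav_port = -1;
+static uid_t	sav_uid = -1;
+static gid_t	sav_gid = -1;
+static uint32_t	sav_machine[4] = { 0,0,0,0};
+static uint32_t	sav_iptype = 0;
+static char	sav_host[MAXHOSTNAMELEN];
+static char	*sav_cmd = NULL;
+
+void
+audit_connection_from(const char *host, int port)
+{
+	int		i;
+#if !defined(HAVE_GETAUDIT_ADDR)
+	in_addr_t	ia;
+#endif
+
+	if (cannot_audit(0)) 
+		return;
+
+	/* save port */
+	sav_port = port;
+	debug3("BSM audit: sav_port=%d", sav_port);
+
+	/* save host */
+	(void) strlcpy(sav_host, host, sizeof(sav_host));
+	debug3("BSM audit: sav_host=%s", sav_host);
+	memset(sav_machine, 0, sizeof(sav_machine));
+#if defined(HAVE_GETAUDIT_ADDR)
+	(void) aug_get_machine(sav_host, &sav_machine[0], &sav_iptype);
+	debug3("BSM audit: sav_iptype=%ld", (long)sav_iptype);
+#else
+	ia = inet_addr(host);
+	memcpy(&sav_machine[0], &ia, sizeof(sav_machine[0]));
+	sav_iptype = 0;			/* not used, but just in case */
+#endif
+	for (i = 0; i < sizeof(sav_machine) / sizeof(sav_machine[0]); i++) {
+		debug3("BSM audit: sav_machine[%d]=%08lx",
+		    i, (long)sav_machine[i]);
+	}
+}
+
+void
+audit_run_command(const char *command)
+{
+	if (cannot_audit(0))
+		return;
+
+	if (sav_cmd != NULL) {
+		free(sav_cmd);
+		sav_cmd = NULL;
+	}
+	sav_cmd = xstrdup(command);
+	debug3("BSM audit: sav_cmd=%s", sav_cmd);
+}
+
+void
+audit_save_ttyn(const char *ttyn)
+{
+	if (cannot_audit(0))
+		return;
+
+	(void) strlcpy(sav_ttyn, ttyn, sizeof(sav_ttyn));
+	debug3("BSM audit: sav_ttyn=%s", sav_ttyn);
+}
+
+static void
+solaris_audit_record(int typ, char *string, au_event_t event_no)
+{
+	int		ad, rc, sel;
+	uid_t		uid;
+	gid_t		gid;
+	pid_t		pid;
+	AuditInfoTermID	tid;
+
+	uid = sav_uid;
+	gid = sav_gid;
+	pid = getpid();
+
+	get_terminal_id(&tid);
+
+	if (typ == 0)
+		rc = 0;
+	else
+		rc = -1;
+
+	sel = selected(sav_name, uid, event_no, rc);
+	debug3("BSM audit: typ %d rc %d \"%s\"", typ, rc, string);
+	if (!sel)
+		return;
+
+	ad = au_open();
+
+	(void) au_write(ad, AUToSubjectFunc(uid, uid, gid, uid, gid,
+	    pid, pid, &tid));
+	(void) au_write(ad, au_to_text(string));
+	if (sav_cmd != NULL) {
+		(void) au_write(ad, au_to_text(sav_cmd));
+	}
+	(void) au_write(ad, AUToReturnFunc(typ, rc));
+
+	rc = au_close(ad, AU_TO_WRITE, event_no);
+	if (rc < 0) {
+		error("BSM audit: solaris_audit_record failed to write "
+		    "\"%s\" record: %s", string, strerror(errno));
+	}
+}
+
+static void
+solaris_audit_session_setup(void)
+{
+	int	rc;
+	struct AuditInfoStruct info;
+	au_mask_t mask;
+	struct AuditInfoStruct now;
+
+	info.ai_auid = sav_uid;
+	info.ai_asid = getpid();
+	mask.am_success = 0;
+	mask.am_failure = 0;
+
+	(void) au_user_mask(sav_name, &mask);
+
+	info.ai_mask.am_success  = mask.am_success;
+	info.ai_mask.am_failure  = mask.am_failure;
+
+	/* see if terminal id already set */
+	if (GetAuditFunc(&now, sizeof(now)) < 0) {
+		error("BSM audit: solaris_audit_session_setup: %s failed: %s",
+		    GetAuditFuncText, strerror(errno));
+	}
+
+	debug("BSM solaris_audit_setup_session: calling get_terminal_id");
+	get_terminal_id(&(info.ai_termid));
+
+	rc = SetAuditFunc(&info, sizeof(info));
+	if (rc < 0) {
+		error("BSM audit: solaris_audit_session_setup: %s failed: %s",
+		    SetAuditFuncText, strerror(errno));
+	}
+}
+
+
+static void
+get_terminal_id(AuditInfoTermID *tid)
+{
+#if defined(HAVE_GETAUDIT_ADDR)
+	tid->at_port = sav_port;
+	tid->at_type = sav_iptype;
+	tid->at_addr[0] = sav_machine[0];
+	tid->at_addr[1] = sav_machine[1];
+	tid->at_addr[2] = sav_machine[2];
+	tid->at_addr[3] = sav_machine[3];
+#else
+	tid->port = sav_port;
+	tid->machine = sav_machine[0];
+#endif
+}
+
+void
+solaris_audit_bad_pw(const char *what)
+{
+	char    textbuf[BSM_TEXTBUFSZ];
+
+	if (sav_uid == -1) {
+		(void) snprintf(textbuf, sizeof (textbuf),
+			gettext("invalid user name \"%s\""), sav_name);
+		solaris_audit_record(3, textbuf, AUE_openssh);
+	} else {
+		(void) snprintf(textbuf, sizeof (textbuf),
+			gettext("invalid %s for user %s"), what, sav_name);
+		solaris_audit_record(4, textbuf, AUE_openssh);
+	}
+}
+
+void
+audit_event(enum audit_event_type event)
+{
+	char    textbuf[BSM_TEXTBUFSZ];
+
+	if (cannot_audit(0))
+		return;
+
+	switch(event) {
+	case LOGOUT:
+		snprintf(textbuf, sizeof(textbuf),
+			gettext("sshd logout %s"), sav_name);
+		solaris_audit_record(0, textbuf, AUE_logout);
+		break;
+
+	case NOLOGIN:
+		solaris_audit_record(1,
+		    gettext("logins disabled by /etc/nologin"), AUE_openssh);
+		break;
+
+	case LOGIN_EXCEED_MAXTRIES:
+		snprintf(textbuf, sizeof(textbuf),
+		    gettext("too many tries for user %s"), sav_name);
+		solaris_audit_record(1, textbuf, AUE_openssh);
+		break;
+
+	case ROOT_NOT_CONSOLE:
+		solaris_audit_record(2, gettext("not_console"), AUE_openssh);
+		break;
+
+	case LOGIN_SUCCESS:
+		solaris_audit_session_setup();
+		snprintf(textbuf, sizeof(textbuf),
+		    gettext("successful login %s"), sav_name);
+		solaris_audit_record(0, textbuf, AUE_openssh);
+		break;
+
+	case LOGIN_FAIL_BADPW:
+		solaris_audit_bad_pw("password");
+		break;
+
+	case LOGIN_FAIL_KBDINT:
+		solaris_audit_bad_pw("interactive password entry");
+		break;
+
+	case AUTH_FAILED:
+		solaris_audit_bad_pw("authorization");
+		break;
+
+	case ILLEGAL_USER:
+		/* not used */
+		break;
+	}
+}
+
+static int
+selected(char *nam, uid_t uid, au_event_t event, int sf)
+{
+	int	rc, sorf;
+	char	naflags[512];
+	struct au_mask mask;
+
+	mask.am_success = mask.am_failure = 0;
+	if (uid < 0) {
+		rc = getacna(naflags, 256); /* get non-attrib flags */
+		if (rc == 0)
+			(void) getauditflagsbin(naflags, &mask);
+	} else {
+		rc = au_user_mask(nam, &mask);
+	}
+
+	if (sf == 0) {
+		sorf = AU_PRS_SUCCESS;
+	} else {
+		sorf = AU_PRS_FAILURE;
+	}
+	rc = au_preselect(event, &mask, sorf, AU_PRS_REREAD);
+
+	return rc;
+}
+
+# ifdef CUSTOM_FAILED_LOGIN
+/* TODO */
+void
+record_failed_login(const char *user, const char *ttyname)
+{
+}
+# endif
+
+#endif /* BSM */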
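Review bot: sav_uid, sav_gid and sav_name are declared near the top of audit-bsm.c but nothing in this file ever assigns them, so every record emitted by solaris_audit_record() carries uid/gid -1 and an empty user name, solaris_audit_bad_pw() can only reach its "invalid user name" branch, and the successful-login record attributes the session to no one; the TODO about sys_auth_record_login looks like where this was meant to be wired up, and the empty record_failed_login() stub under CUSTOM_FAILED_LOGIN does not fill it in either. In selected(), `if (uid < 0)` is tested on a uid_t, which is unsigned on the platforms this targets, so the getacna() non-attributable branch is unreachable and au_user_mask() is always consulted; compare against the sentinel the rest of the file uses, `if (uid == (uid_t)-1) {`, and pass `sizeof(naflags)` to getacna() instead of the literal 256 that disagrees with the 512-byte buffer. solaris_audit_record() does not check au_open(), which returns -1 on failure, before handing the descriptor to au_write(), so a failed open silently drops the record; guard it with `if ((ad = au_open()) < 0) { error("BSM audit: au_open failed: %s", strerror(errno)); return; }`. In solaris_audit_session_setup() the `now` structure filled by GetAuditFunc() is never read, so the "see if terminal id already set" comment describes a check that is not actually performed — either use it to decide whether to call SetAuditFunc() or drop the call and the comment.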
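--- a/audit-bsm.h
+++ b/audit-bsm.h
@@ -0,0 +1,98 @@
+/* $Id$ */
+
+/*
+ * Copyright 1988-2002 Sun Microsystems, Inc.  All rights reserved.
+ * Use is subject to license terms.
+ *
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+/* #pragma ident	"@(#)bsmaudit.c	1.1	01/09/17 SMI" */
+
+#include "includes.h"
+#ifdef USE_BSM_AUDIT
+
+#define AUE_openssh     32800
+
+#include <bsm/audit.h>
+#include <bsm/libbsm.h>
+#include <bsm/audit_uevents.h>
+#include <bsm/audit_record.h>
+#include <locale.h>
+
+#if defined(HAVE_GETAUDIT_ADDR)
+#define	AuditInfoStruct		auditinfo_addr
+#define AuditInfoTermID		au_tid_addr_t
+#define GetAuditFunc(a,b)	getaudit_addr((a),(b))
+#define GetAuditFuncText	"getaudit_addr"
+#define SetAuditFunc(a,b)	setaudit_addr((a),(b))
+#define SetAuditFuncText	"setaudit_addr"
+#define AUToSubjectFunc		au_to_subject_ex
+#define AUToReturnFunc(a,b)	au_to_return32((a), (int32_t)(b))
+#else
+#define	AuditInfoStruct		auditinfo
+#define AuditInfoTermID		au_tid_t
+#define GetAuditFunc(a,b)	getaudit(a)
+#define GetAuditFuncText	"getaudit"
+#define SetAuditFunc(a,b)	setaudit(a)
+#define SetAuditFuncText	"setaudit"
+#define AUToSubjectFunc		au_to_subject
+#define AUToReturnFunc(a,b)	au_to_return((a), (u_int)(b))
+#endif
+
+static void solaris_audit_record(int typ, char *string, au_event_t event_no);
+static void solaris_audit_session_setup(void);
+static int selected(char *nam, uid_t uid, au_event_t event, int sf);
+
+static void get_terminal_id(AuditInfoTermID *tid);
+
+extern int	cannot_audit(int);
+extern void	aug_init(void);
+extern dev_t	aug_get_port(void);
+extern int 	aug_get_machine(char *, u_int32_t *, u_int32_t *);
+extern void	aug_save_auid(au_id_t);
+extern void	aug_save_uid(uid_t);
+extern void	aug_save_euid(uid_t);
+extern void	aug_save_gid(gid_t);
+extern void	aug_save_egid(gid_t);
+extern void	aug_save_pid(pid_t);
+extern void	aug_save_asid(au_asid_t);
+extern void	aug_save_tid(dev_t, unsigned int);
+extern void	aug_save_tid_ex(dev_t, u_int32_t *, u_int32_t);
+extern int	aug_save_me(void);
+extern int	aug_save_namask(void);
+extern void	aug_save_event(au_event_t);
+extern void	aug_save_sorf(int);
+extern void	aug_save_text(char *);
+extern void	aug_save_text1(char *);
+extern void	aug_save_text2(char *);
+extern void	aug_save_na(int);
+extern void	aug_save_user(char *);
+extern void	aug_save_path(char *);
+extern int	aug_save_policy(void);
+extern void	aug_save_afunc(int (*)(int));
+extern int	aug_audit(void);
+extern int	aug_na_selected(void);
+extern int	aug_selected(void);
+extern int	aug_daemon_session(void);
+
+#endif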
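Review bot: The header declares four `static` prototypes (solaris_audit_record, solaris_audit_session_setup, selected, get_terminal_id) and unconditionally `#define`s AUE_openssh, both of which only make sense inside audit-bsm.c itself; any other translation unit that includes audit-bsm.h inherits unused-static-function warnings, and because audit-bsm.c defines AUE_openssh under `#ifndef` before including this header, changing the value here produces a macro-redefinition error rather than an override. Move the static prototypes into audit-bsm.c, keep only the public audit_* declarations here, and drop one of the two AUE_openssh definitions so a single location owns it. README.platform in the same patch tells users to change AUE_openssh in openbsd-compat/bsd-solaris.h, which is not a file this patch touches, so either the README or the definition site should be corrected before the documented override can work. The header also has no include guard; wrap the body in `#ifndef AUDIT_BSM_H` / `#define AUDIT_BSM_H` / `#endif`. BSM_TEXTBUFSZ, used for the textbuf arrays in audit-bsm.c, is not defined anywhere in this patch as shown — presumably it comes from includes.h or the platform headers, but if not, this header is the natural place for `#define BSM_TEXTBUFSZ 256` (value to be confirmed against what au_to_text() expects).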
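--- a/LICENCE
+++ b/LICENCE
@@ -203,6 +203,7 @@ OpenSSH contains no GPL code.
 	Wayne Schroeder
 	William Jones
 	Darren Tucker
+	Sun Microsystems
 
      * Redistribution and use in source and binary forms, with or without
      * modification, are permitted provided that the following conditions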
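--- a/README.platform
+++ b/README.platform
@@ -23,8 +23,20 @@ openssl-devel, zlib, minres, minires-dev
 
 Solaris
 -------
-Currently, sshd does not support BSM auditting.  This can show up as errors
-when editting cron entries via crontab.  See.
-http://bugzilla.mindrot.org/show_bug.cgi?id=125
+If you enable BSM auditing on Solaris, you need to update audit_event(4)
+for praudit(1m) to give sensible output.  The following line needs to be
+added to /etc/security/audit_event:
+
+	32800:AUE_openssh:OpenSSH login:lo
+
+If the contrib/buildpkg.sh script is used, the included postinstall
+script will add the line for you.
+
+The BSM audit event range available for third party TCB applications is
+32768 - 65535.  Event number 32800 has been choosen for AUE_openssh.
+There is no official registry of 3rd party event numbers, so if this
+number is already in use on your system, change the value of
+AUE_openssh in openbsd-compat/bsd-solaris.h and rebuild.
+
 
 $Id: README.platform,v 1.2 2004/04/23 08:57:13 dtucker Exp $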
