
(-)LICENCE (+1 lines)
Lines 203-208 OpenSSH contains no GPL code. Link Here
203
	Wayne Schroeder
203
	Wayne Schroeder
204
	William Jones
204
	William Jones
205
	Darren Tucker
205
	Darren Tucker
206
	Sun Microsystems
206
207
207
     * Redistribution and use in source and binary forms, with or without
208
     * Redistribution and use in source and binary forms, with or without
208
     * modification, are permitted provided that the following conditions
209
     * modification, are permitted provided that the following conditions
(-)README.platform (-3 / +15 lines)
Lines 23-30 openssl-devel, zlib, minres, minires-dev Link Here
23
23
24
Solaris
24
Solaris
25
-------
25
-------
26
Currently, sshd does not support BSM auditting.  This can show up as errors
26
If you enable BSM auditing on Solaris, you need to update audit_event(4)
27
when editting cron entries via crontab.  See.
27
for praudit(1m) to give sensible output.  The following line needs to be
28
http://bugzilla.mindrot.org/show_bug.cgi?id=125
28
added to /etc/security/audit_event:
29
30
	32800:AUE_openssh:OpenSSH login:lo
31
32
If the contrib/buildpkg.sh script is used, the included postinstall
33
script will add the line for you.
34
35
The BSM audit event range available for third party TCB applications is
36
32768 - 65535.  Event number 32800 has been choosen for AUE_openssh.
37
There is no official registry of 3rd party event numbers, so if this
38
number is already in use on your system, you may change it at build time
39
by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding.
40
29
41
30
$Id: README.platform,v 1.2 2004/04/23 08:57:13 dtucker Exp $
42
$Id: README.platform,v 1.2 2004/04/23 08:57:13 dtucker Exp $
(-)configure.ac (+16 lines)
Lines 874-879 AC_ARG_WITH(libedit, Link Here
874
	fi ]
874
	fi ]
875
)
875
)
876
876
877
BSM_MSG="no"
878
AC_ARG_WITH(bsmaudit,
879
	[  --with-bsmaudit              Enable BSM audit support],
880
	[ if test "x$withval" != "no" ; then
881
		dnl    Checks for headers, libs and functions
882
		AC_CHECK_HEADERS(bsm/audit.h, [],
883
		    [AC_MSG_ERROR(BSM enabled and bsm/audit.h not found)])
884
		AC_CHECK_LIB(bsm, getaudit, [],
885
		    [AC_MSG_ERROR(BSM enabled and required library not found)])
886
		AC_CHECK_FUNCS(getaudit getaudit_addr gettext, [],
887
		    [AC_MSG_ERROR(BSM enabled and required function not found)])
888
	fi ]
889
)
890
877
dnl    Checks for library functions. Please keep in alphabetical order
891
dnl    Checks for library functions. Please keep in alphabetical order
878
AC_CHECK_FUNCS(\
892
AC_CHECK_FUNCS(\
879
	arc4random __b64_ntop b64_ntop __b64_pton b64_pton bcopy \
893
	arc4random __b64_ntop b64_ntop __b64_pton b64_pton bcopy \
Lines 1776-1781 fi Link Here
1776
TYPE_SOCKLEN_T
1790
TYPE_SOCKLEN_T
1777
1791
1778
AC_CHECK_TYPES(sig_atomic_t,,,[#include <signal.h>])
1792
AC_CHECK_TYPES(sig_atomic_t,,,[#include <signal.h>])
1793
1794
AC_CHECK_TYPES(in_addr_t,,,[#include <netinet/in.h>])
1779
1795
1780
AC_CACHE_CHECK([for size_t], ac_cv_have_size_t, [
1796
AC_CACHE_CHECK([for size_t], ac_cv_have_size_t, [
1781
	AC_TRY_COMPILE(
1797
	AC_TRY_COMPILE(
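Review bot: The enable test at new line 880, `if test "x$withval" != "no"`, compares the x-prefixed value against an unprefixed literal, so it is always true and `--with-bsmaudit=no` still turns BSM on; it should read `if test "x$withval" != "xno" ; then`. In the same hunk, AC_CHECK_FUNCS runs its action-if-not-found once per missing function, so the AC_MSG_ERROR at line 887 aborts configure when getaudit_addr or gettext is absent, even though audit-bsm.c carries HAVE_GETAUDIT_ADDR and HAVE_GETTEXT fallbacks for exactly those cases; keeping the error only on a check for getaudit and probing getaudit_addr and gettext with a plain AC_CHECK_FUNCS would leave the fallbacks reachable. BSM_MSG is set to "no" at line 877 but nothing in the hunk switches it to "yes", so the configure summary may be wrong unless that happens outside the shown lines.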
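--- a/audit-bsm.c
+++ b/audit-bsm.c
@@ -0,0 +1,325 @@
+/* $Id$ */
+
+/*
+ * TODO
+ *
+ * - deal with overlap between this and sys_auth_allowed_user
+ *   sys_auth_record_login and record_failed_login.
+ *
+ * - check the HAVE_GETAUDIT_ADDR replacement code for IPv6 safety.
+ */
+
+/*
+ * Copyright 1988-2002 Sun Microsystems, Inc.  All rights reserved.
+ * Use is subject to license terms.
+ *
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+/* #pragma ident	"@(#)bsmaudit.c	1.1	01/09/17 SMI" */
+
+#include "includes.h"
+#if defined(USE_BSM_AUDIT)
+
+#ifndef AUE_openssh
+# define AUE_openssh     32800
+#endif
+
+#include "ssh.h"
+#include "log.h"
+#include "auth.h"
+#include "xmalloc.h"
+#include "audit-bsm.h"
+
+#ifndef HAVE_GETTEXT
+# define gettext(a)	(a)
+#endif
+
+extern Authctxt *the_authctxt;
+
+static char	sav_ttyn[512];
+static int	sav_port = -1;
+static uid_t	sav_uid = -1;
+static gid_t	sav_gid = -1;
+static uint32_t	sav_machine[4] = { 0,0,0,0};
+static uint32_t	sav_iptype = 0;
+static char	sav_host[MAXHOSTNAMELEN];
+static char	*sav_cmd = NULL;
+
+void
+audit_connection_from(const char *host, int port)
+{
+	int		i;
+#if !defined(HAVE_GETAUDIT_ADDR)
+	in_addr_t	ia;
+#endif
+
+	if (cannot_audit(0)) 
+		return;
+
+	/* save port */
+	sav_port = port;
+	debug3("BSM audit: sav_port=%d", sav_port);
+
+	/* save host */
+	(void) strlcpy(sav_host, host, sizeof(sav_host));
+	debug3("BSM audit: sav_host=%s", sav_host);
+	memset(sav_machine, 0, sizeof(sav_machine));
+#if defined(HAVE_GETAUDIT_ADDR)
+	(void) aug_get_machine(sav_host, &sav_machine[0], &sav_iptype);
+	debug3("BSM audit: sav_iptype=%ld", (long)sav_iptype);
+#else
+	ia = inet_addr(host);
+	memcpy(&sav_machine[0], &ia, sizeof(sav_machine[0]));
+	sav_iptype = 0;			/* not used, but just in case */
+#endif
+	for (i = 0; i < sizeof(sav_machine) / sizeof(sav_machine[0]); i++) {
+		debug3("BSM audit: sav_machine[%d]=%08lx",
+		    i, (long)sav_machine[i]);
+	}
+}
+
+void
+audit_run_command(const char *command)
+{
+	if (cannot_audit(0))
+		return;
+
+	if (sav_cmd != NULL) {
+		free(sav_cmd);
+		sav_cmd = NULL;
+	}
+	sav_cmd = xstrdup(command);
+	debug3("BSM audit: sav_cmd=%s", sav_cmd);
+}
+
+void
+audit_save_ttyn(const char *ttyn)
+{
+	if (cannot_audit(0))
+		return;
+
+	(void) strlcpy(sav_ttyn, ttyn, sizeof(sav_ttyn));
+	debug3("BSM audit: sav_ttyn=%s", sav_ttyn);
+}
+
+static void
+solaris_audit_record(int typ, char *string, au_event_t event_no)
+{
+	int		ad, rc, sel;
+	uid_t		uid;
+	gid_t		gid;
+	pid_t		pid;
+	AuditInfoTermID	tid;
+
+	uid = sav_uid;
+	gid = sav_gid;
+	pid = getpid();
+
+	get_terminal_id(&tid);
+
+	if (typ == 0)
+		rc = 0;
+	else
+		rc = -1;
+
+	sel = selected(the_authctxt->user, uid, event_no, rc);
+	debug3("BSM audit: typ %d rc %d \"%s\"", typ, rc, string);
+	if (!sel)
+		return;
+
+	ad = au_open();
+
+	(void) au_write(ad, AUToSubjectFunc(uid, uid, gid, uid, gid,
+	    pid, pid, &tid));
+	(void) au_write(ad, au_to_text(string));
+	if (sav_cmd != NULL) {
+		(void) au_write(ad, au_to_text(sav_cmd));
+	}
+	(void) au_write(ad, AUToReturnFunc(typ, rc));
+
+	rc = au_close(ad, AU_TO_WRITE, event_no);
+	if (rc < 0) {
+		error("BSM audit: solaris_audit_record failed to write "
+		    "\"%s\" record: %s", string, strerror(errno));
+	}
+}
+
+static void
+solaris_audit_session_setup(void)
+{
+	int	rc;
+	struct AuditInfoStruct info;
+	au_mask_t mask;
+	struct AuditInfoStruct now;
+
+	info.ai_auid = sav_uid;
+	info.ai_asid = getpid();
+	mask.am_success = 0;
+	mask.am_failure = 0;
+
+	(void) au_user_mask(the_authctxt->user, &mask);
+
+	info.ai_mask.am_success  = mask.am_success;
+	info.ai_mask.am_failure  = mask.am_failure;
+
+	/* see if terminal id already set */
+	if (GetAuditFunc(&now, sizeof(now)) < 0) {
+		error("BSM audit: solaris_audit_session_setup: %s failed: %s",
+		    GetAuditFuncText, strerror(errno));
+	}
+
+	debug("BSM solaris_audit_setup_session: calling get_terminal_id");
+	get_terminal_id(&(info.ai_termid));
+
+	rc = SetAuditFunc(&info, sizeof(info));
+	if (rc < 0) {
+		error("BSM audit: solaris_audit_session_setup: %s failed: %s",
+		    SetAuditFuncText, strerror(errno));
+	}
+}
+
+
+static void
+get_terminal_id(AuditInfoTermID *tid)
+{
+#if defined(HAVE_GETAUDIT_ADDR)
+	tid->at_port = sav_port;
+	tid->at_type = sav_iptype;
+	tid->at_addr[0] = sav_machine[0];
+	tid->at_addr[1] = sav_machine[1];
+	tid->at_addr[2] = sav_machine[2];
+	tid->at_addr[3] = sav_machine[3];
+#else
+	tid->port = sav_port;
+	tid->machine = sav_machine[0];
+#endif
+}
+
+void
+solaris_audit_bad_pw(const char *what)
+{
+	char    textbuf[BSM_TEXTBUFSZ];
+
+	if (the_authctxt->valid) {
+		(void) snprintf(textbuf, sizeof (textbuf),
+			gettext("invalid %s for user %s"),
+			    what, the_authctxt->user);
+		solaris_audit_record(4, textbuf, AUE_openssh);
+	} else {
+		(void) snprintf(textbuf, sizeof (textbuf),
+			gettext("invalid user name \"%s\""),
+			    the_authctxt->user);
+		solaris_audit_record(3, textbuf, AUE_openssh);
+	}
+}
+
+void
+audit_event(enum audit_event_type event)
+{
+	char    textbuf[BSM_TEXTBUFSZ];
+
+	if (cannot_audit(0))
+		return;
+
+	switch(event) {
+	case LOGOUT:
+		snprintf(textbuf, sizeof(textbuf),
+			gettext("sshd logout %s"), the_authctxt->user);
+		solaris_audit_record(0, textbuf, AUE_logout);
+		break;
+
+	case NOLOGIN:
+		solaris_audit_record(1,
+		    gettext("logins disabled by /etc/nologin"), AUE_openssh);
+		break;
+
+	case LOGIN_EXCEED_MAXTRIES:
+		snprintf(textbuf, sizeof(textbuf),
+		    gettext("too many tries for user %s"), the_authctxt->user);
+		solaris_audit_record(1, textbuf, AUE_openssh);
+		break;
+
+	case ROOT_NOT_CONSOLE:
+		solaris_audit_record(2, gettext("not_console"), AUE_openssh);
+		break;
+
+	case LOGIN_SUCCESS:
+		solaris_audit_session_setup();
+		snprintf(textbuf, sizeof(textbuf),
+		    gettext("successful login %s"), the_authctxt->user);
+		solaris_audit_record(0, textbuf, AUE_openssh);
+		break;
+
+	case LOGIN_FAIL_BADPW:
+		solaris_audit_bad_pw("password");
+		break;
+
+	case LOGIN_FAIL_KBDINT:
+		solaris_audit_bad_pw("interactive password entry");
+		break;
+
+	case AUTH_FAILED:
+		solaris_audit_bad_pw("authorization");
+		break;
+
+	case INVALID_USER:
+		/* not used */
+		break;
+	}
+}
+
+static int
+selected(char *nam, uid_t uid, au_event_t event, int sf)
+{
+	int	rc, sorf;
+	char	naflags[512];
+	struct au_mask mask;
+
+	mask.am_success = mask.am_failure = 0;
+	if (uid < 0) {
+		rc = getacna(naflags, 256); /* get non-attrib flags */
+		if (rc == 0)
+			(void) getauditflagsbin(naflags, &mask);
+	} else {
+		rc = au_user_mask(nam, &mask);
+	}
+
+	if (sf == 0) {
+		sorf = AU_PRS_SUCCESS;
+	} else {
+		sorf = AU_PRS_FAILURE;
+	}
+	rc = au_preselect(event, &mask, sorf, AU_PRS_REREAD);
+
+	return rc;
+}
+
+# ifdef CUSTOM_FAILED_LOGIN
+/* TODO */
+void
+record_failed_login(const char *user, const char *ttyname)
+{
+}
+# endif
+
+#endif /* BSM */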
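Review bot: `sav_uid` and `sav_gid` (lines 61-62) are file-static, initialised to -1 and never assigned anywhere in this file, yet solaris_audit_record builds every subject token from them and solaris_audit_session_setup stores `info.ai_auid = sav_uid` through SetAuditFunc on LOGIN_SUCCESS. As written the session's audit ID and every record's subject uid/gid are (uid_t)-1, so successful logins and the actions that follow them are not attributable to the authenticated user in the audit trail. Before `solaris_audit_session_setup();` in the LOGIN_SUCCESS case (line 267) the values need to come from the authenticated account, e.g. `sav_uid = the_authctxt->pw->pw_uid; sav_gid = the_authctxt->pw->pw_gid;`, assuming Authctxt's `pw` is populated at that point. Related: `selected()` tests `if (uid < 0)` at line 299 to choose the non-attributable mask, which can never be true where uid_t is unsigned (as on Solaris), so the getacna path is dead code; comparing against `(uid_t)-1` would make the pre-authentication case reachable. `au_open()` at line 150 can return -1 and its result is passed to au_write without a check.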
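--- a/audit-bsm.h
+++ b/audit-bsm.h
@@ -0,0 +1,98 @@
+/* $Id$ */
+
+/*
+ * Copyright 1988-2002 Sun Microsystems, Inc.  All rights reserved.
+ * Use is subject to license terms.
+ *
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+/* #pragma ident	"@(#)bsmaudit.c	1.1	01/09/17 SMI" */
+
+#include "includes.h"
+#ifdef USE_BSM_AUDIT
+
+#define AUE_openssh     32800
+
+#include <bsm/audit.h>
+#include <bsm/libbsm.h>
+#include <bsm/audit_uevents.h>
+#include <bsm/audit_record.h>
+#include <locale.h>
+
+#if defined(HAVE_GETAUDIT_ADDR)
+#define	AuditInfoStruct		auditinfo_addr
+#define AuditInfoTermID		au_tid_addr_t
+#define GetAuditFunc(a,b)	getaudit_addr((a),(b))
+#define GetAuditFuncText	"getaudit_addr"
+#define SetAuditFunc(a,b)	setaudit_addr((a),(b))
+#define SetAuditFuncText	"setaudit_addr"
+#define AUToSubjectFunc		au_to_subject_ex
+#define AUToReturnFunc(a,b)	au_to_return32((a), (int32_t)(b))
+#else
+#define	AuditInfoStruct		auditinfo
+#define AuditInfoTermID		au_tid_t
+#define GetAuditFunc(a,b)	getaudit(a)
+#define GetAuditFuncText	"getaudit"
+#define SetAuditFunc(a,b)	setaudit(a)
+#define SetAuditFuncText	"setaudit"
+#define AUToSubjectFunc		au_to_subject
+#define AUToReturnFunc(a,b)	au_to_return((a), (u_int)(b))
+#endif
+
+static void solaris_audit_record(int typ, char *string, au_event_t event_no);
+static void solaris_audit_session_setup(void);
+static int selected(char *nam, uid_t uid, au_event_t event, int sf);
+
+static void get_terminal_id(AuditInfoTermID *tid);
+
+extern int	cannot_audit(int);
+extern void	aug_init(void);
+extern dev_t	aug_get_port(void);
+extern int 	aug_get_machine(char *, u_int32_t *, u_int32_t *);
+extern void	aug_save_auid(au_id_t);
+extern void	aug_save_uid(uid_t);
+extern void	aug_save_euid(uid_t);
+extern void	aug_save_gid(gid_t);
+extern void	aug_save_egid(gid_t);
+extern void	aug_save_pid(pid_t);
+extern void	aug_save_asid(au_asid_t);
+extern void	aug_save_tid(dev_t, unsigned int);
+extern void	aug_save_tid_ex(dev_t, u_int32_t *, u_int32_t);
+extern int	aug_save_me(void);
+extern int	aug_save_namask(void);
+extern void	aug_save_event(au_event_t);
+extern void	aug_save_sorf(int);
+extern void	aug_save_text(char *);
+extern void	aug_save_text1(char *);
+extern void	aug_save_text2(char *);
+extern void	aug_save_na(int);
+extern void	aug_save_user(char *);
+extern void	aug_save_path(char *);
+extern int	aug_save_policy(void);
+extern void	aug_save_afunc(int (*)(int));
+extern int	aug_audit(void);
+extern int	aug_na_selected(void);
+extern int	aug_selected(void);
+extern int	aug_daemon_session(void);
+
+#endif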
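Review bot: `#define AUE_openssh 32800` at line 34 is unconditional, while audit-bsm.c defines the same macro under `#ifndef AUE_openssh` and README.platform documents overriding it with `--with-cflags=-DAUE_openssh=32801`; because this header is included after that guarded block, an override yields a macro-redefinition diagnostic and, at least with gcc, the later 32800 takes effect, so the documented mechanism does not work. Guard it the same way as the .c file: `#ifndef AUE_openssh` / `# define AUE_openssh     32800` / `#endif`. `BSM_TEXTBUFSZ`, which audit-bsm.c uses to size its text buffers, is defined in neither new file; unless includes.h or the bsm headers supply it, the build fails and this header is the natural place for it next to the other shared macros. As a point of style, the `static` prototypes at lines 62-66 belong in audit-bsm.c rather than a header, since a `static` declaration only has meaning inside the single translation unit that defines those functions, and the file has no include guard.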
(-)defines.h (+10 lines)
Lines 288-293 struct sockaddr_un { Link Here
288
};
288
};
289
#endif /* HAVE_SYS_UN_H */
289
#endif /* HAVE_SYS_UN_H */
290
290
291
#ifndef HAVE_IN_ADDR_T
292
typedef u_int32_t	in_addr_t;
293
#endif
294
291
#if defined(BROKEN_SYS_TERMIO_H) && !defined(_STRUCT_WINSIZE)
295
#if defined(BROKEN_SYS_TERMIO_H) && !defined(_STRUCT_WINSIZE)
292
#define _STRUCT_WINSIZE
296
#define _STRUCT_WINSIZE
293
struct winsize {
297
struct winsize {
Lines 529-534 struct winsize { Link Here
529
#ifndef GETPGRP_VOID
533
#ifndef GETPGRP_VOID
530
# define getpgrp() getpgrp(0)
534
# define getpgrp() getpgrp(0)
531
#endif
535
#endif
536
537
#if defined(HAVE_BSM_AUDIT_H) && defined(HAVE_LIBBSM)
538
# define USE_BSM_AUDIT
539
# define CUSTOM_AUDIT_EVENTS
540
#endif
541
#define CUSTOM_FAILED_LOGIN
532
542
533
/* OPENSSL_free() is Free() in versions before OpenSSL 0.9.6 */
543
/* OPENSSL_free() is Free() in versions before OpenSSL 0.9.6 */
534
#if !defined(OPENSSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x0090600f)
544
#if !defined(OPENSSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x0090600f)
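Review bot: `#define CUSTOM_FAILED_LOGIN` at new line 541 is placed after the `#endif` at line 540, outside the `#if defined(HAVE_BSM_AUDIT_H) && defined(HAVE_LIBBSM)` block, so it is defined on every platform rather than only when BSM audit is compiled in. On non-BSM builds that advertises a platform-specific record_failed_login() that this patch does not provide, which is likely to break the link or, if another definition is picked up, change how failed logins are recorded; the line should move inside the block, before its `#endif`. Note also that the BSM record_failed_login() added in audit-bsm.c is an empty `/* TODO */` stub, so even on Solaris nothing is recorded through that path yet.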
