
(-)LICENCE (+1 lines)
Lines 203-208 OpenSSH contains no GPL code. Link Here
203
	Wayne Schroeder
203
	Wayne Schroeder
204
	William Jones
204
	William Jones
205
	Darren Tucker
205
	Darren Tucker
206
	Sun Microsystems
206
207
207
     * Redistribution and use in source and binary forms, with or without
208
     * Redistribution and use in source and binary forms, with or without
208
     * modification, are permitted provided that the following conditions
209
     * modification, are permitted provided that the following conditions
(-)Makefile.in (-1 / +2 lines)
Lines 85-91 SSHDOBJS=sshd.o auth-rhosts.o auth-passw Link Here
85
	monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \
85
	monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \
86
	auth-krb5.o \
86
	auth-krb5.o \
87
	auth2-gss.o gss-serv.o gss-serv-krb5.o \
87
	auth2-gss.o gss-serv.o gss-serv-krb5.o \
88
	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o audit.o
88
	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
89
	audit.o audit-bsm.o
89
90
90
MANPAGES	= scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
91
MANPAGES	= scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
91
MANPAGES_IN	= scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5
92
MANPAGES_IN	= scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5
(-)README.platform (-3 / +15 lines)
Lines 23-30 openssl-devel, zlib, minres, minires-dev Link Here
23
23
24
Solaris
24
Solaris
25
-------
25
-------
26
Currently, sshd does not support BSM auditting.  This can show up as errors
26
If you enable BSM auditing on Solaris, you need to update audit_event(4)
27
when editting cron entries via crontab.  See.
27
for praudit(1m) to give sensible output.  The following line needs to be
28
http://bugzilla.mindrot.org/show_bug.cgi?id=125
28
added to /etc/security/audit_event:
29
30
	32800:AUE_openssh:OpenSSH login:lo
31
32
If the contrib/buildpkg.sh script is used, the included postinstall
33
script will add the line for you.
34
35
The BSM audit event range available for third party TCB applications is
36
32768 - 65535.  Event number 32800 has been choosen for AUE_openssh.
37
There is no official registry of 3rd party event numbers, so if this
38
number is already in use on your system, you may change it at build time
39
by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding.
40
29
41
30
$Id: README.platform,v 1.2 2004/04/23 08:57:13 dtucker Exp $
42
$Id: README.platform,v 1.2 2004/04/23 08:57:13 dtucker Exp $
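--- a/audit-bsm.c
+++ b/audit-bsm.c
@@ -0,0 +1,331 @@
+/* $Id$ */
+
+/*
+ * TODO
+ *
+ * - deal with overlap between this and sys_auth_allowed_user
+ *   sys_auth_record_login and record_failed_login.
+ *
+ * - check the HAVE_GETAUDIT_ADDR replacement code for IPv6 safety.
+ */
+
+/*
+ * Copyright 1988-2002 Sun Microsystems, Inc.  All rights reserved.
+ * Use is subject to license terms.
+ *
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+/* #pragma ident	"@(#)bsmaudit.c	1.1	01/09/17 SMI" */
+
+#include "includes.h"
+#if defined(USE_BSM_AUDIT)
+
+#ifndef AUE_openssh
+# define AUE_openssh     32800
+#endif
+
+#include "ssh.h"
+#include "log.h"
+#include "auth.h"
+#include "xmalloc.h"
+#include "audit-bsm.h"
+
+#ifndef HAVE_GETTEXT
+# define gettext(a)	(a)
+#endif
+
+extern Authctxt *the_authctxt;
+
+static int	sav_port = -1;
+static uint32_t	sav_machine[4] = { 0,0,0,0};
+static uint32_t	sav_iptype = 0;
+static char	sav_host[MAXHOSTNAMELEN];
+static char	*sav_cmd = NULL;
+
+void
+audit_connection_from(const char *host, int port)
+{
+	int		i;
+#if !defined(HAVE_GETAUDIT_ADDR)
+	in_addr_t	ia;
+#endif
+
+	if (cannot_audit(0))
+		return;
+
+	/* save port */
+	sav_port = port;
+	debug3("BSM audit: sav_port=%d", sav_port);
+
+	/* save host */
+	(void) strlcpy(sav_host, host, sizeof(sav_host));
+	debug3("BSM audit: sav_host=%s", sav_host);
+	memset(sav_machine, 0, sizeof(sav_machine));
+#if defined(HAVE_GETAUDIT_ADDR)
+	(void) aug_get_machine(sav_host, &sav_machine[0], &sav_iptype);
+	debug3("BSM audit: sav_iptype=%ld", (long)sav_iptype);
+#else
+	ia = inet_addr(host);
+	memcpy(&sav_machine[0], &ia, sizeof(sav_machine[0]));
+	sav_iptype = 0;			/* not used, but just in case */
+#endif
+	for (i = 0; i < sizeof(sav_machine) / sizeof(sav_machine[0]); i++) {
+		debug3("BSM audit: sav_machine[%d]=%08lx",
+		    i, (long)sav_machine[i]);
+	}
+}
+
+void
+audit_run_command(const char *command)
+{
+	if (cannot_audit(0))
+		return;
+
+	if (sav_cmd != NULL) {
+		free(sav_cmd);
+		sav_cmd = NULL;
+	}
+	sav_cmd = xstrdup(command);
+	debug3("BSM audit: sav_cmd=%s", sav_cmd);
+}
+
+void
+audit_session_open(const char *ttyn)
+{
+	/* not implemented */
+}
+
+void
+audit_session_close(const char *ttyn)
+{
+	/* not implemented */
+}
+
+static void
+bsm_audit_record(int typ, char *string, au_event_t event_no)
+{
+	int		ad, rc, sel;
+	uid_t		uid = -1;
+	gid_t		gid = -1;
+	pid_t		pid = getpid();
+	AuditInfoTermID	tid;
+
+	if (the_authctxt->valid) {
+		uid = the_authctxt->pw->pw_uid;
+		gid = the_authctxt->pw->pw_gid;
+	}
+	get_terminal_id(&tid);
+
+	if (typ == 0)
+		rc = 0;
+	else
+		rc = -1;
+
+	sel = selected(the_authctxt->user, uid, event_no, rc);
+	debug3("BSM audit: typ %d rc %d \"%s\"", typ, rc, string);
+	if (!sel)
+		return;
+
+	ad = au_open();
+
+	(void) au_write(ad, AUToSubjectFunc(uid, uid, gid, uid, gid,
+	    pid, pid, &tid));
+	(void) au_write(ad, au_to_text(string));
+	if (sav_cmd != NULL) {
+		(void) au_write(ad, au_to_text(sav_cmd));
+	}
+	(void) au_write(ad, AUToReturnFunc(typ, rc));
+
+	rc = au_close(ad, AU_TO_WRITE, event_no);
+	if (rc < 0) {
+		error("BSM audit: %s failed to write \"%s\" record: %s",
+		    __func__, string, strerror(errno));
+	}
+}
+
+static void
+bsm_audit_session_setup(void)
+{
+	int	rc;
+	struct AuditInfoStruct info;
+	au_mask_t mask;
+	struct AuditInfoStruct now;
+
+	if (the_authctxt->valid)
+		info.ai_auid = the_authctxt->pw->pw_uid;
+	else
+		info.ai_auid = -1;
+	info.ai_asid = getpid();
+	mask.am_success = 0;
+	mask.am_failure = 0;
+
+	(void) au_user_mask(the_authctxt->user, &mask);
+
+	info.ai_mask.am_success  = mask.am_success;
+	info.ai_mask.am_failure  = mask.am_failure;
+
+	/* see if terminal id already set */
+	if (GetAuditFunc(&now, sizeof(now)) < 0) {
+		error("BSM audit: %s: %s failed: %s", __func__,
+		    GetAuditFuncText, strerror(errno));
+	}
+
+	debug("%s: calling get_terminal_id", __func__);
+	get_terminal_id(&(info.ai_termid));
+
+	rc = SetAuditFunc(&info, sizeof(info));
+	if (rc < 0) {
+		error("BSM audit: %s: %s failed: %s", __func__,
+		    SetAuditFuncText, strerror(errno));
+	}
+}
+
+
+static void
+get_terminal_id(AuditInfoTermID *tid)
+{
+#if defined(HAVE_GETAUDIT_ADDR)
+	tid->at_port = sav_port;
+	tid->at_type = sav_iptype;
+	tid->at_addr[0] = sav_machine[0];
+	tid->at_addr[1] = sav_machine[1];
+	tid->at_addr[2] = sav_machine[2];
+	tid->at_addr[3] = sav_machine[3];
+#else
+	tid->port = sav_port;
+	tid->machine = sav_machine[0];
+#endif
+}
+
+static void
+bsm_audit_bad_login(const char *what)
+{
+	char    textbuf[BSM_TEXTBUFSZ];
+
+	if (the_authctxt->valid) {
+		(void) snprintf(textbuf, sizeof (textbuf),
+			gettext("invalid %s for user %s"),
+			    what, the_authctxt->user);
+		bsm_audit_record(4, textbuf, AUE_openssh);
+	} else {
+		(void) snprintf(textbuf, sizeof (textbuf),
+			gettext("invalid user name \"%s\""),
+			    the_authctxt->user);
+		bsm_audit_record(3, textbuf, AUE_openssh);
+	}
+}
+
+void
+audit_event(ssh_audit_event_t event)
+{
+	char    textbuf[BSM_TEXTBUFSZ];
+	static int logged_in = 0;
+	const char *user = the_authctxt ? the_authctxt->user : "(unknown user)";
+
+	if (cannot_audit(0))
+		return;
+
+	switch(event) {
+	case AUTH_SUCCESS:
+		logged_in = 1;
+		bsm_audit_session_setup();
+		snprintf(textbuf, sizeof(textbuf),
+		    gettext("successful login %s"), user);
+		bsm_audit_record(0, textbuf, AUE_openssh);
+		break;
+
+	case CONNECTION_CLOSE:
+		/*
+		 * We can also get a close event if the user attempted auth
+		 * but never succeeded.
+		 */
+		if (logged_in) {
+			snprintf(textbuf, sizeof(textbuf),
+			    gettext("sshd logout %s"), the_authctxt->user);
+			bsm_audit_record(0, textbuf, AUE_logout);
+		} else {
+			debug("%s: connection closed without authentication",
+			    __func__);
+		}
+		break;
+
+	case NOLOGIN:
+		bsm_audit_record(1,
+		    gettext("logins disabled by /etc/nologin"), AUE_openssh);
+		break;
+
+	case LOGIN_EXCEED_MAXTRIES:
+		snprintf(textbuf, sizeof(textbuf),
+		    gettext("too many tries for user %s"), the_authctxt->user);
+		bsm_audit_record(1, textbuf, AUE_openssh);
+		break;
+
+	case LOGIN_ROOT_DENIED:
+		bsm_audit_record(2, gettext("not_console"), AUE_openssh);
+		break;
+
+	case AUTH_FAIL_PASSWD:
+		bsm_audit_bad_login("password");
+		break;
+
+	case AUTH_FAIL_KBDINT:
+		bsm_audit_bad_login("interactive password entry");
+		break;
+
+#if 0
+	case AUTH_FAILED:
+		bsm_audit_bad_login("authorization");
+		break;
+#endif
+
+	default:
+		debug("%s: unhandled event %d", __func__, event);
+	}
+}
+
+static int
+selected(char *nam, uid_t uid, au_event_t event, int sf)
+{
+	int	rc, sorf;
+	char	naflags[512];
+	struct au_mask mask;
+
+	mask.am_success = mask.am_failure = 0;
+	if (uid < 0) {
+		rc = getacna(naflags, 256); /* get non-attrib flags */
+		if (rc == 0)
+			(void) getauditflagsbin(naflags, &mask);
+	} else {
+		rc = au_user_mask(nam, &mask);
+	}
+
+	if (sf == 0) {
+		sorf = AU_PRS_SUCCESS;
+	} else {
+		sorf = AU_PRS_FAILURE;
+	}
+	rc = au_preselect(event, &mask, sorf, AU_PRS_REREAD);
+
+	return rc;
+}
+#endif /* BSM */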
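Review bot: `selected()` at the end of the file tests `if (uid < 0)`, but `uid_t` is an unsigned type, so the branch that loads the non-attributable audit flags via `getacna()` can never run; the `uid = -1` that `bsm_audit_record()` passes for an unauthenticated or unknown user instead reaches `au_user_mask()` with a name that need not exist, and since `mask` stays zeroed when that lookup fails, `au_preselect()` rejects the event and the failed-login record is silently dropped rather than audited. Compare against the sentinel explicitly, `if (uid == (uid_t)-1) {`, or pass `the_authctxt->valid` down as a separate flag. Related: `bsm_audit_record()`, `bsm_audit_bad_login()` and the `CONNECTION_CLOSE` and `LOGIN_EXCEED_MAXTRIES` cases dereference `the_authctxt` unguarded while `audit_event()` itself allows for it being NULL when computing `user`; either the guard is unnecessary or the helpers need an early return. `au_open()` can also return -1, which is then handed to every `au_write()`; check it before writing the record.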
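--- a/audit-bsm.h
+++ b/audit-bsm.h
@@ -0,0 +1,98 @@
+/* $Id$ */
+
+/*
+ * Copyright 1988-2002 Sun Microsystems, Inc.  All rights reserved.
+ * Use is subject to license terms.
+ *
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+/* #pragma ident	"@(#)bsmaudit.c	1.1	01/09/17 SMI" */
+
+#include "includes.h"
+#ifdef USE_BSM_AUDIT
+
+#define AUE_openssh     32800
+
+#include <bsm/audit.h>
+#include <bsm/libbsm.h>
+#include <bsm/audit_uevents.h>
+#include <bsm/audit_record.h>
+#include <locale.h>
+
+#if defined(HAVE_GETAUDIT_ADDR)
+#define	AuditInfoStruct		auditinfo_addr
+#define AuditInfoTermID		au_tid_addr_t
+#define GetAuditFunc(a,b)	getaudit_addr((a),(b))
+#define GetAuditFuncText	"getaudit_addr"
+#define SetAuditFunc(a,b)	setaudit_addr((a),(b))
+#define SetAuditFuncText	"setaudit_addr"
+#define AUToSubjectFunc		au_to_subject_ex
+#define AUToReturnFunc(a,b)	au_to_return32((a), (int32_t)(b))
+#else
+#define	AuditInfoStruct		auditinfo
+#define AuditInfoTermID		au_tid_t
+#define GetAuditFunc(a,b)	getaudit(a)
+#define GetAuditFuncText	"getaudit"
+#define SetAuditFunc(a,b)	setaudit(a)
+#define SetAuditFuncText	"setaudit"
+#define AUToSubjectFunc		au_to_subject
+#define AUToReturnFunc(a,b)	au_to_return((a), (u_int)(b))
+#endif
+
+static void bsm_audit_record(int typ, char *string, au_event_t event_no);
+static void bsm_audit_session_setup(void);
+static int selected(char *nam, uid_t uid, au_event_t event, int sf);
+
+static void get_terminal_id(AuditInfoTermID *tid);
+
+extern int	cannot_audit(int);
+extern void	aug_init(void);
+extern dev_t	aug_get_port(void);
+extern int 	aug_get_machine(char *, u_int32_t *, u_int32_t *);
+extern void	aug_save_auid(au_id_t);
+extern void	aug_save_uid(uid_t);
+extern void	aug_save_euid(uid_t);
+extern void	aug_save_gid(gid_t);
+extern void	aug_save_egid(gid_t);
+extern void	aug_save_pid(pid_t);
+extern void	aug_save_asid(au_asid_t);
+extern void	aug_save_tid(dev_t, unsigned int);
+extern void	aug_save_tid_ex(dev_t, u_int32_t *, u_int32_t);
+extern int	aug_save_me(void);
+extern int	aug_save_namask(void);
+extern void	aug_save_event(au_event_t);
+extern void	aug_save_sorf(int);
+extern void	aug_save_text(char *);
+extern void	aug_save_text1(char *);
+extern void	aug_save_text2(char *);
+extern void	aug_save_na(int);
+extern void	aug_save_user(char *);
+extern void	aug_save_path(char *);
+extern int	aug_save_policy(void);
+extern void	aug_save_afunc(int (*)(int));
+extern int	aug_audit(void);
+extern int	aug_na_selected(void);
+extern int	aug_selected(void);
+extern int	aug_daemon_session(void);
+
+#endif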
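Review bot: The unconditional `#define AUE_openssh 32800` on line 34 of this header overrides both the `-DAUE_openssh=32801` build-time override that README.platform tells administrators to use for a colliding event number and the `#ifndef AUE_openssh` guard that audit-bsm.c places before including this file, so the documented way of changing the event number does not work; the compiler at best warns about the redefinition and records are still emitted as 32800. Guard it the same way as the .c file: `#ifndef AUE_openssh` / `# define AUE_openssh 32800` / `#endif`, or drop the definition here entirely since audit-bsm.c already supplies the default. The header also has no include guard and declares the .c file's `static` helpers, so it is only safe to include from audit-bsm.c; a one-line comment stating that, or moving the four static prototypes into the .c file, would keep a second includer from pulling in undefined statics.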
(-)configure.ac (+17 lines)
Lines 877-882 AC_ARG_WITH(libedit, Link Here
877
	fi ]
877
	fi ]
878
)
878
)
879
879
880
BSM_MSG="no"
881
AC_ARG_WITH(bsmaudit,
882
	[  --with-bsmaudit              Enable BSM audit support],
883
	[ if test "x$withval" != "no" ; then
884
		dnl    Checks for headers, libs and functions
885
		AC_CHECK_HEADERS(bsm/audit.h, [],
886
		    [AC_MSG_ERROR(BSM enabled and bsm/audit.h not found)])
887
		AC_CHECK_LIB(bsm, getaudit, [],
888
		    [AC_MSG_ERROR(BSM enabled and required library not found)])
889
		AC_CHECK_FUNCS(getaudit getaudit_addr gettext, [],
890
		    [AC_MSG_ERROR(BSM enabled and required function not found)])
891
		AC_DEFINE(USE_BSM_AUDIT, [], [Use BSM auditting])
892
	fi ]
893
)
894
880
dnl    Checks for library functions. Please keep in alphabetical order
895
dnl    Checks for library functions. Please keep in alphabetical order
881
AC_CHECK_FUNCS(\
896
AC_CHECK_FUNCS(\
882
	arc4random __b64_ntop b64_ntop __b64_pton b64_pton bcopy \
897
	arc4random __b64_ntop b64_ntop __b64_pton b64_pton bcopy \
Lines 1779-1784 fi Link Here
1779
TYPE_SOCKLEN_T
1794
TYPE_SOCKLEN_T
1780
1795
1781
AC_CHECK_TYPES(sig_atomic_t,,,[#include <signal.h>])
1796
AC_CHECK_TYPES(sig_atomic_t,,,[#include <signal.h>])
1797
1798
AC_CHECK_TYPES(in_addr_t,,,[#include <netinet/in.h>])
1782
1799
1783
AC_CACHE_CHECK([for size_t], ac_cv_have_size_t, [
1800
AC_CACHE_CHECK([for size_t], ac_cv_have_size_t, [
1784
	AC_TRY_COMPILE(
1801
	AC_TRY_COMPILE(
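Review bot: The condition `if test "x$withval" != "no"` in the new AC_ARG_WITH(bsmaudit) block is never false, because the left-hand side always carries the `x` prefix; `--without-bsmaudit` (withval=no) therefore still defines USE_BSM_AUDIT and links the BSM code. It should read `if test "x$withval" != "xno" ; then`. The single `AC_CHECK_FUNCS(getaudit getaudit_addr gettext, [], [AC_MSG_ERROR(...)])` also aborts configure when any one of the three is absent, which makes the `#if !defined(HAVE_GETAUDIT_ADDR)` and `#ifndef HAVE_GETTEXT` fallbacks in audit-bsm.c unreachable; only `getaudit` is strictly required, so keep the error action on that one and probe the others with a plain `AC_CHECK_FUNCS(getaudit_addr gettext)` so the fallbacks can actually be selected.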
(-)defines.h (+9 lines)
Lines 288-293 struct sockaddr_un { Link Here
288
};
288
};
289
#endif /* HAVE_SYS_UN_H */
289
#endif /* HAVE_SYS_UN_H */
290
290
291
#ifndef HAVE_IN_ADDR_T
292
typedef u_int32_t	in_addr_t;
293
#endif
294
291
#if defined(BROKEN_SYS_TERMIO_H) && !defined(_STRUCT_WINSIZE)
295
#if defined(BROKEN_SYS_TERMIO_H) && !defined(_STRUCT_WINSIZE)
292
#define _STRUCT_WINSIZE
296
#define _STRUCT_WINSIZE
293
struct winsize {
297
struct winsize {
Lines 528-533 struct winsize { Link Here
528
532
529
#ifndef GETPGRP_VOID
533
#ifndef GETPGRP_VOID
530
# define getpgrp() getpgrp(0)
534
# define getpgrp() getpgrp(0)
535
#endif
536
537
#ifdef USE_BSM_AUDIT
538
# define AUDIT_EVENTS
539
# define CUSTOM_AUDIT_EVENTS
531
#endif
540
#endif
532
541
533
/* OPENSSL_free() is Free() in versions before OpenSSL 0.9.6 */
542
/* OPENSSL_free() is Free() in versions before OpenSSL 0.9.6 */
