[thirdparty/openssh-portable.git] / audit.c

/*
 * Copyright (c) 2004, 2005 Darren Tucker.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include "includes.h"

#include <stdarg.h>
#include <string.h>
#include <unistd.h>

#ifdef SSH_AUDIT_EVENTS

#include "audit.h"
#include "log.h"
#include "hostfile.h"
#include "auth.h"

/*
 * Care must be taken when using this since it WILL NOT be initialized when
 * audit_connection_from() is called and MAY NOT be initialized when
 * audit_event(CONNECTION_ABANDON) is called.  Test for NULL before using.
 */
extern Authctxt *the_authctxt;

/* Maybe add the audit class to struct Authmethod? */
ssh_audit_event_t
audit_classify_auth(const char *method)
{
	if (strcmp(method, "none") == 0)
		return SSH_AUTH_FAIL_NONE;
	else if (strcmp(method, "password") == 0)
		return SSH_AUTH_FAIL_PASSWD;
	else if (strcmp(method, "publickey") == 0 ||
	    strcmp(method, "rsa") == 0)
		return SSH_AUTH_FAIL_PUBKEY;
	else if (strncmp(method, "keyboard-interactive", 20) == 0 ||
	    strcmp(method, "challenge-response") == 0)
		return SSH_AUTH_FAIL_KBDINT;
	else if (strcmp(method, "hostbased") == 0 ||
	    strcmp(method, "rhosts-rsa") == 0)
		return SSH_AUTH_FAIL_HOSTBASED;
	else if (strcmp(method, "gssapi-with-mic") == 0)
		return SSH_AUTH_FAIL_GSSAPI;
	else
		return SSH_AUDIT_UNKNOWN;
}

/* helper to return supplied username */
const char *
audit_username(void)
{
	static const char unknownuser[] = "(unknown user)";
	static const char invaliduser[] = "(invalid user)";

	if (the_authctxt == NULL || the_authctxt->user == NULL)
		return (unknownuser);
	if (!the_authctxt->valid)
		return (invaliduser);
	return (the_authctxt->user);
}

const char *
audit_event_lookup(ssh_audit_event_t ev)
{
	int i;
	static struct event_lookup_struct {
		ssh_audit_event_t event;
		const char *name;
	} event_lookup[] = {
		{SSH_LOGIN_EXCEED_MAXTRIES,	"LOGIN_EXCEED_MAXTRIES"},
		{SSH_LOGIN_ROOT_DENIED,		"LOGIN_ROOT_DENIED"},
		{SSH_AUTH_SUCCESS,		"AUTH_SUCCESS"},
		{SSH_AUTH_FAIL_NONE,		"AUTH_FAIL_NONE"},
		{SSH_AUTH_FAIL_PASSWD,		"AUTH_FAIL_PASSWD"},
		{SSH_AUTH_FAIL_KBDINT,		"AUTH_FAIL_KBDINT"},
		{SSH_AUTH_FAIL_PUBKEY,		"AUTH_FAIL_PUBKEY"},
		{SSH_AUTH_FAIL_HOSTBASED,	"AUTH_FAIL_HOSTBASED"},
		{SSH_AUTH_FAIL_GSSAPI,		"AUTH_FAIL_GSSAPI"},
		{SSH_INVALID_USER,		"INVALID_USER"},
		{SSH_NOLOGIN,			"NOLOGIN"},
		{SSH_CONNECTION_CLOSE,		"CONNECTION_CLOSE"},
		{SSH_CONNECTION_ABANDON,	"CONNECTION_ABANDON"},
		{SSH_AUDIT_UNKNOWN,		"AUDIT_UNKNOWN"}
	};

	for (i = 0; event_lookup[i].event != SSH_AUDIT_UNKNOWN; i++)
		if (event_lookup[i].event == ev)
			break;
	return(event_lookup[i].name);
}

# ifndef CUSTOM_SSH_AUDIT_EVENTS
/*
 * Null implementations of audit functions.
 * These get used if SSH_AUDIT_EVENTS is defined but no audit module is enabled.
 */

/*
 * Called after a connection has been accepted but before any authentication
 * has been attempted.
 */
void
audit_connection_from(const char *host, int port)
{
	debug("audit connection from %s port %d euid %d", host, port,
	    (int)geteuid());
}

/*
 * Called when various events occur (see audit.h for a list of possible
 * events and what they mean).
 */
void
audit_event(struct ssh *ssh, ssh_audit_event_t event)
{
	debug("audit event euid %d user %s event %d (%s)", geteuid(),
	    audit_username(), event, audit_event_lookup(event));
}

/*
 * Called when a user session is started.  Argument is the tty allocated to
 * the session, or NULL if no tty was allocated.
 *
 * Note that this may be called multiple times if multiple sessions are used
 * within a single connection.
 */
void
audit_session_open(struct logininfo *li)
{
	const char *t = li->line ? li->line : "(no tty)";

	debug("audit session open euid %d user %s tty name %s", geteuid(),
	    audit_username(), t);
}

/*
 * Called when a user session is closed.  Argument is the tty allocated to
 * the session, or NULL if no tty was allocated.
 *
 * Note that this may be called multiple times if multiple sessions are used
 * within a single connection.
 */
void
audit_session_close(struct logininfo *li)
{
	const char *t = li->line ? li->line : "(no tty)";

	debug("audit session close euid %d user %s tty name %s", geteuid(),
	    audit_username(), t);
}

/*
 * This will be called when a user runs a non-interactive command.  Note that
 * it may be called multiple times for a single connection since SSH2 allows
 * multiple sessions within a single connection.
 */
void
audit_run_command(const char *command)
{
	debug("audit run command euid %d user %s command '%.200s'", geteuid(),
	    audit_username(), command);
}
# endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
Commit	Line	Data
b15931ae DT	1	/*
	2	* Copyright (c) 2004, 2005 Darren Tucker. All rights reserved.
	3	*
	4	* Redistribution and use in source and binary forms, with or without
	5	* modification, are permitted provided that the following conditions
	6	* are met:
	7	* 1. Redistributions of source code must retain the above copyright
	8	* notice, this list of conditions and the following disclaimer.
	9	* 2. Redistributions in binary form must reproduce the above copyright
	10	* notice, this list of conditions and the following disclaimer in the
	11	* documentation and/or other materials provided with the distribution.
	12	*
	13	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
	14	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	15	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	16	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
	17	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	18	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	19	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	20	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	21	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
	22	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	23	*/
	24
	25	#include "includes.h"
	26
ded319cc DM	27	#include <stdarg.h>
ded319cc DM	28	#include <string.h>
30a2c213	29	#include <unistd.h>
ded319cc	30
2e0cf0dc	31	#ifdef SSH_AUDIT_EVENTS
b15931ae DT	32
	33	#include "audit.h"
	34	#include "log.h"
79ba868f	35	#include "hostfile.h"
b15931ae DT	36	#include "auth.h"
	37
	38	/*
	39	* Care must be taken when using this since it WILL NOT be initialized when
	40	* audit_connection_from() is called and MAY NOT be initialized when
	41	* audit_event(CONNECTION_ABANDON) is called. Test for NULL before using.
	42	*/
	43	extern Authctxt *the_authctxt;
	44
	45	/* Maybe add the audit class to struct Authmethod? */
	46	ssh_audit_event_t
	47	audit_classify_auth(const char *method)
	48	{
	49	if (strcmp(method, "none") == 0)
2e0cf0dc	50	return SSH_AUTH_FAIL_NONE;
b15931ae	51	else if (strcmp(method, "password") == 0)
2e0cf0dc	52	return SSH_AUTH_FAIL_PASSWD;
b15931ae DT	53	else if (strcmp(method, "publickey") == 0 \|\|
b15931ae DT	54	strcmp(method, "rsa") == 0)
2e0cf0dc	55	return SSH_AUTH_FAIL_PUBKEY;
b15931ae DT	56	else if (strncmp(method, "keyboard-interactive", 20) == 0 \|\|
b15931ae DT	57	strcmp(method, "challenge-response") == 0)
2e0cf0dc	58	return SSH_AUTH_FAIL_KBDINT;
b15931ae DT	59	else if (strcmp(method, "hostbased") == 0 \|\|
b15931ae DT	60	strcmp(method, "rhosts-rsa") == 0)
2e0cf0dc	61	return SSH_AUTH_FAIL_HOSTBASED;
b15931ae	62	else if (strcmp(method, "gssapi-with-mic") == 0)
2e0cf0dc	63	return SSH_AUTH_FAIL_GSSAPI;
b15931ae	64	else
2e0cf0dc	65	return SSH_AUDIT_UNKNOWN;
b15931ae DT	66	}
	67
	68	/* helper to return supplied username */
	69	const char *
	70	audit_username(void)
	71	{
	72	static const char unknownuser[] = "(unknown user)";
	73	static const char invaliduser[] = "(invalid user)";
	74
	75	if (the_authctxt == NULL \|\| the_authctxt->user == NULL)
	76	return (unknownuser);
	77	if (!the_authctxt->valid)
	78	return (invaliduser);
	79	return (the_authctxt->user);
	80	}
	81
	82	const char *
	83	audit_event_lookup(ssh_audit_event_t ev)
	84	{
	85	int i;
	86	static struct event_lookup_struct {
	87	ssh_audit_event_t event;
	88	const char *name;
	89	} event_lookup[] = {
2e0cf0dc DT	90	{SSH_LOGIN_EXCEED_MAXTRIES, "LOGIN_EXCEED_MAXTRIES"},
	91	{SSH_LOGIN_ROOT_DENIED, "LOGIN_ROOT_DENIED"},
	92	{SSH_AUTH_SUCCESS, "AUTH_SUCCESS"},
	93	{SSH_AUTH_FAIL_NONE, "AUTH_FAIL_NONE"},
	94	{SSH_AUTH_FAIL_PASSWD, "AUTH_FAIL_PASSWD"},
	95	{SSH_AUTH_FAIL_KBDINT, "AUTH_FAIL_KBDINT"},
	96	{SSH_AUTH_FAIL_PUBKEY, "AUTH_FAIL_PUBKEY"},
	97	{SSH_AUTH_FAIL_HOSTBASED, "AUTH_FAIL_HOSTBASED"},
	98	{SSH_AUTH_FAIL_GSSAPI, "AUTH_FAIL_GSSAPI"},
	99	{SSH_INVALID_USER, "INVALID_USER"},
	100	{SSH_NOLOGIN, "NOLOGIN"},
	101	{SSH_CONNECTION_CLOSE, "CONNECTION_CLOSE"},
	102	{SSH_CONNECTION_ABANDON, "CONNECTION_ABANDON"},
	103	{SSH_AUDIT_UNKNOWN, "AUDIT_UNKNOWN"}
b15931ae DT	104	};
b15931ae DT	105
2e0cf0dc	106	for (i = 0; event_lookup[i].event != SSH_AUDIT_UNKNOWN; i++)
b15931ae DT	107	if (event_lookup[i].event == ev)
	108	break;
	109	return(event_lookup[i].name);
	110	}
	111
2e0cf0dc	112	# ifndef CUSTOM_SSH_AUDIT_EVENTS
b15931ae DT	113	/*
b15931ae DT	114	* Null implementations of audit functions.
2e0cf0dc	115	* These get used if SSH_AUDIT_EVENTS is defined but no audit module is enabled.
b15931ae DT	116	*/
	117
	118	/*
	119	* Called after a connection has been accepted but before any authentication
	120	* has been attempted.
	121	*/
	122	void
	123	audit_connection_from(const char *host, int port)
	124	{
	125	debug("audit connection from %s port %d euid %d", host, port,
b6f72f52	126	(int)geteuid());
b15931ae DT	127	}
	128
	129	/*
	130	* Called when various events occur (see audit.h for a list of possible
	131	* events and what they mean).
	132	*/
	133	void
9b655dc9	134	audit_event(struct ssh *ssh, ssh_audit_event_t event)
b15931ae DT	135	{
	136	debug("audit event euid %d user %s event %d (%s)", geteuid(),
	137	audit_username(), event, audit_event_lookup(event));
	138	}
	139
	140	/*
	141	* Called when a user session is started. Argument is the tty allocated to
	142	* the session, or NULL if no tty was allocated.
	143	*
	144	* Note that this may be called multiple times if multiple sessions are used
	145	* within a single connection.
	146	*/
	147	void
ea52a829	148	audit_session_open(struct logininfo *li)
b15931ae	149	{
ea52a829	150	const char *t = li->line ? li->line : "(no tty)";
b15931ae DT	151
b15931ae DT	152	debug("audit session open euid %d user %s tty name %s", geteuid(),
b6f72f52	153	audit_username(), t);
b15931ae DT	154	}
	155
	156	/*
	157	* Called when a user session is closed. Argument is the tty allocated to
	158	* the session, or NULL if no tty was allocated.
	159	*
	160	* Note that this may be called multiple times if multiple sessions are used
	161	* within a single connection.
	162	*/
	163	void
ea52a829	164	audit_session_close(struct logininfo *li)
b15931ae	165	{
ea52a829	166	const char *t = li->line ? li->line : "(no tty)";
b15931ae DT	167
b15931ae DT	168	debug("audit session close euid %d user %s tty name %s", geteuid(),
b6f72f52	169	audit_username(), t);
b15931ae DT	170	}
	171
	172	/*
	173	* This will be called when a user runs a non-interactive command. Note that
	174	* it may be called multiple times for a single connection since SSH2 allows
	175	* multiple sessions within a single connection.
	176	*/
	177	void
	178	audit_run_command(const char *command)
	179	{
	180	debug("audit run command euid %d user %s command '%.200s'", geteuid(),
	181	audit_username(), command);
	182	}
2e0cf0dc DT	183	# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
2e0cf0dc DT	184	#endif /* SSH_AUDIT_EVENTS */