audit.c

   1 /*
   2  * Copyright (c) 2004, 2005 Darren Tucker.  All rights reserved.
   3  *
   4  * Redistribution and use in source and binary forms, with or without
   5  * modification, are permitted provided that the following conditions
   6  * are met:
   7  * 1. Redistributions of source code must retain the above copyright
   8  *    notice, this list of conditions and the following disclaimer.
   9  * 2. Redistributions in binary form must reproduce the above copyright
  10  *    notice, this list of conditions and the following disclaimer in the
  11  *    documentation and/or other materials provided with the distribution.
  12  *
  13  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  14  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  15  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  16  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  17  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  18  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  19  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  20  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  21  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  22  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  23  */
  24
  25 #include "includes.h"
  26
  27 #include <stdarg.h>
  28 #include <string.h>
  29 #include <unistd.h>
  30
  31 #ifdef SSH_AUDIT_EVENTS
  32
  33 #include "audit.h"
  34 #include "log.h"
  35 #include "hostfile.h"
  36 #include "auth.h"
  37
  38 /*
  39  * Care must be taken when using this since it WILL NOT be initialized when
  40  * audit_connection_from() is called and MAY NOT be initialized when
  41  * audit_event(CONNECTION_ABANDON) is called.  Test for NULL before using.
  42  */
  43 extern Authctxt *the_authctxt;
  44
  45 /* Maybe add the audit class to struct Authmethod? */
  46 ssh_audit_event_t
  47 audit_classify_auth(const char *method)
  48 {
  49         if (strcmp(method, "none") == 0)
  50                 return SSH_AUTH_FAIL_NONE;
  51         else if (strcmp(method, "password") == 0)
  52                 return SSH_AUTH_FAIL_PASSWD;
  53         else if (strcmp(method, "publickey") == 0 ||
  54             strcmp(method, "rsa") == 0)
  55                 return SSH_AUTH_FAIL_PUBKEY;
  56         else if (strncmp(method, "keyboard-interactive", 20) == 0 ||
  57             strcmp(method, "challenge-response") == 0)
  58                 return SSH_AUTH_FAIL_KBDINT;
  59         else if (strcmp(method, "hostbased") == 0 ||
  60             strcmp(method, "rhosts-rsa") == 0)
  61                 return SSH_AUTH_FAIL_HOSTBASED;
  62         else if (strcmp(method, "gssapi-with-mic") == 0)
  63                 return SSH_AUTH_FAIL_GSSAPI;
  64         else
  65                 return SSH_AUDIT_UNKNOWN;
  66 }
  67
  68 /* helper to return supplied username */
  69 const char *
  70 audit_username(void)
  71 {
  72         static const char unknownuser[] = "(unknown user)";
  73         static const char invaliduser[] = "(invalid user)";
  74
  75         if (the_authctxt == NULL || the_authctxt->user == NULL)
  76                 return (unknownuser);
  77         if (!the_authctxt->valid)
  78                 return (invaliduser);
  79         return (the_authctxt->user);
  80 }
  81
  82 const char *
  83 audit_event_lookup(ssh_audit_event_t ev)
  84 {
  85         int i;
  86         static struct event_lookup_struct {
  87                 ssh_audit_event_t event;
  88                 const char *name;
  89         } event_lookup[] = {
  90                 {SSH_LOGIN_EXCEED_MAXTRIES,     "LOGIN_EXCEED_MAXTRIES"},
  91                 {SSH_LOGIN_ROOT_DENIED,         "LOGIN_ROOT_DENIED"},
  92                 {SSH_AUTH_SUCCESS,              "AUTH_SUCCESS"},
  93                 {SSH_AUTH_FAIL_NONE,            "AUTH_FAIL_NONE"},
  94                 {SSH_AUTH_FAIL_PASSWD,          "AUTH_FAIL_PASSWD"},
  95                 {SSH_AUTH_FAIL_KBDINT,          "AUTH_FAIL_KBDINT"},
  96                 {SSH_AUTH_FAIL_PUBKEY,          "AUTH_FAIL_PUBKEY"},
  97                 {SSH_AUTH_FAIL_HOSTBASED,       "AUTH_FAIL_HOSTBASED"},
  98                 {SSH_AUTH_FAIL_GSSAPI,          "AUTH_FAIL_GSSAPI"},
  99                 {SSH_INVALID_USER,              "INVALID_USER"},
 100                 {SSH_NOLOGIN,                   "NOLOGIN"},
 101                 {SSH_CONNECTION_CLOSE,          "CONNECTION_CLOSE"},
 102                 {SSH_CONNECTION_ABANDON,        "CONNECTION_ABANDON"},
 103                 {SSH_AUDIT_UNKNOWN,             "AUDIT_UNKNOWN"}
 104         };
 105
 106         for (i = 0; event_lookup[i].event != SSH_AUDIT_UNKNOWN; i++)
 107                 if (event_lookup[i].event == ev)
 108                         break;
 109         return(event_lookup[i].name);
 110 }
 111
 112 # ifndef CUSTOM_SSH_AUDIT_EVENTS
 113 /*
 114  * Null implementations of audit functions.
 115  * These get used if SSH_AUDIT_EVENTS is defined but no audit module is enabled.
 116  */
 117
 118 /*
 119  * Called after a connection has been accepted but before any authentication
 120  * has been attempted.
 121  */
 122 void
 123 audit_connection_from(const char *host, int port)
 124 {
 125         debug("audit connection from %s port %d euid %d", host, port,
 126             (int)geteuid());
 127 }
 128
 129 /*
 130  * Called when various events occur (see audit.h for a list of possible
 131  * events and what they mean).
 132  */
 133 void
 134 audit_event(struct ssh *ssh, ssh_audit_event_t event)
 135 {
 136         debug("audit event euid %d user %s event %d (%s)", geteuid(),
 137             audit_username(), event, audit_event_lookup(event));
 138 }
 139
 140 /*
 141  * Called when a user session is started.  Argument is the tty allocated to
 142  * the session, or NULL if no tty was allocated.
 143  *
 144  * Note that this may be called multiple times if multiple sessions are used
 145  * within a single connection.
 146  */
 147 void
 148 audit_session_open(struct logininfo *li)
 149 {
 150         const char *t = li->line ? li->line : "(no tty)";
 151
 152         debug("audit session open euid %d user %s tty name %s", geteuid(),
 153             audit_username(), t);
 154 }
 155
 156 /*
 157  * Called when a user session is closed.  Argument is the tty allocated to
 158  * the session, or NULL if no tty was allocated.
 159  *
 160  * Note that this may be called multiple times if multiple sessions are used
 161  * within a single connection.
 162  */
 163 void
 164 audit_session_close(struct logininfo *li)
 165 {
 166         const char *t = li->line ? li->line : "(no tty)";
 167
 168         debug("audit session close euid %d user %s tty name %s", geteuid(),
 169             audit_username(), t);
 170 }
 171
 172 /*
 173  * This will be called when a user runs a non-interactive command.  Note that
 174  * it may be called multiple times for a single connection since SSH2 allows
 175  * multiple sessions within a single connection.
 176  */
 177 void
 178 audit_run_command(const char *command)
 179 {
 180         debug("audit run command euid %d user %s command '%.200s'", geteuid(),
 181             audit_username(), command);
 182 }
 183 # endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
 184 #endif /* SSH_AUDIT_EVENTS */