1
/*
2
 * TODO
3
 *
4
 * - deal with overlap between this and sys_auth_allowed_user
5
 *   sys_auth_record_login and record_failed_login.
6
 */
7

8
/*
9
 * Copyright 1988-2002 Sun Microsystems, Inc.  All rights reserved.
10
 * Use is subject to license terms.
11
 *
12
 * Redistribution and use in source and binary forms, with or without
13
 * modification, are permitted provided that the following conditions
14
 * are met:
15
 * 1. Redistributions of source code must retain the above copyright
16
 *    notice, this list of conditions and the following disclaimer.
17
 * 2. Redistributions in binary form must reproduce the above copyright
18
 *    notice, this list of conditions and the following disclaimer in the
19
 *    documentation and/or other materials provided with the distribution.
20
 *
21
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
22
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
23
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
24
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
25
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
26
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
27
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
28
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
30
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31
 *
32
 */
33
/* #pragma ident	"@(#)bsmaudit.c	1.1	01/09/17 SMI" */
34

35
#include "includes.h"
36
#if defined(USE_BSM_AUDIT)
37

38
#include <sys/types.h>
39

40
#include <errno.h>
41
#include <netdb.h>
42
#include <stdarg.h>
43
#include <string.h>
44
#include <unistd.h>
45

46
#ifdef BROKEN_BSM_API
47
#include <libscf.h>
48
#endif
49

50
#include "ssh.h"
51
#include "log.h"
52
#include "hostfile.h"
53
#include "auth.h"
54
#include "xmalloc.h"
55

56
#ifndef AUE_openssh
57
# define AUE_openssh     32800
58
#endif
59
#include <bsm/audit.h>
60
#include <bsm/libbsm.h>
61
#include <bsm/audit_uevents.h>
62
#include <bsm/audit_record.h>
63
#include <locale.h>
64

65
#if defined(HAVE_GETAUDIT_ADDR)
66
#define	AuditInfoStruct		auditinfo_addr
67
#define AuditInfoTermID		au_tid_addr_t
68
#define SetAuditFunc(a,b)	setaudit_addr((a),(b))
69
#define SetAuditFuncText	"setaudit_addr"
70
#define AUToSubjectFunc		au_to_subject_ex
71
#define AUToReturnFunc(a,b)	au_to_return32((a), (int32_t)(b))
72
#else
73
#define	AuditInfoStruct		auditinfo
74
#define AuditInfoTermID		au_tid_t
75
#define SetAuditFunc(a,b)	setaudit(a)
76
#define SetAuditFuncText	"setaudit"
77
#define AUToSubjectFunc		au_to_subject
78
#define AUToReturnFunc(a,b)	au_to_return((a), (u_int)(b))
79
#endif
80

81
#ifndef cannot_audit
82
extern int	cannot_audit(int);
83
#endif
84
extern void	aug_init(void);
85
extern void	aug_save_auid(au_id_t);
86
extern void	aug_save_uid(uid_t);
87
extern void	aug_save_euid(uid_t);
88
extern void	aug_save_gid(gid_t);
89
extern void	aug_save_egid(gid_t);
90
extern void	aug_save_pid(pid_t);
91
extern void	aug_save_asid(au_asid_t);
92
extern void	aug_save_tid(dev_t, unsigned int);
93
extern void	aug_save_tid_ex(dev_t, u_int32_t *, u_int32_t);
94
extern int	aug_save_me(void);
95
extern int	aug_save_namask(void);
96
extern void	aug_save_event(au_event_t);
97
extern void	aug_save_sorf(int);
98
extern void	aug_save_text(char *);
99
extern void	aug_save_text1(char *);
100
extern void	aug_save_text2(char *);
101
extern void	aug_save_na(int);
102
extern void	aug_save_user(char *);
103
extern void	aug_save_path(char *);
104
extern int	aug_save_policy(void);
105
extern void	aug_save_afunc(int (*)(int));
106
extern int	aug_audit(void);
107
extern int	aug_na_selected(void);
108
extern int	aug_selected(void);
109
extern int	aug_daemon_session(void);
110

111
#ifndef HAVE_GETTEXT
112
# define gettext(a)	(a)
113
#endif
114

115
extern Authctxt *the_authctxt;
116
static AuditInfoTermID ssh_bsm_tid;
117

118
#ifdef BROKEN_BSM_API
119
/* For some reason this constant is no longer defined
120
   in Solaris 11. */
121
#define BSM_TEXTBUFSZ 256
122
#endif
123

124
/* Below is the low-level BSM interface code */
125

126
/*
127
 * aug_get_machine is only required on IPv6 capable machines, we use a
128
 * different mechanism in audit_connection_from() for IPv4-only machines.
129
 * getaudit_addr() is only present on IPv6 capable machines.
130
 */
131
#if defined(HAVE_AUG_GET_MACHINE) || !defined(HAVE_GETAUDIT_ADDR)
132
extern int aug_get_machine(char *, u_int32_t *, u_int32_t *);
133
#else
134
static int
135
aug_get_machine(char *host, u_int32_t *addr, u_int32_t *type)
136
{
137
	struct addrinfo *ai; 
138
	struct sockaddr_in *in4;
139
	struct sockaddr_in6 *in6;
140
	int ret = 0, r;
141

142
	if ((r = getaddrinfo(host, NULL, NULL, &ai)) != 0) {
143
		error("BSM audit: getaddrinfo failed for %.100s: %.100s", host,
144
		    r == EAI_SYSTEM ? strerror(errno) : gai_strerror(r));
145
		return -1;
146
	}
147
	
148
	switch (ai->ai_family) {
149
	case AF_INET:
150
		in4 = (struct sockaddr_in *)ai->ai_addr;
151
		*type = AU_IPv4;
152
		memcpy(addr, &in4->sin_addr, sizeof(struct in_addr));
153
		break;
154
#ifdef AU_IPv6
155
	case AF_INET6: 
156
		in6 = (struct sockaddr_in6 *)ai->ai_addr;
157
		*type = AU_IPv6;
158
		memcpy(addr, &in6->sin6_addr, sizeof(struct in6_addr));
159
		break;
160
#endif
161
	default:
162
		error("BSM audit: unknown address family for %.100s: %d",
163
		    host, ai->ai_family);
164
		ret = -1;
165
	}
166
	freeaddrinfo(ai);
167
	return ret;
168
}
169
#endif
170

171
#ifdef BROKEN_BSM_API
172
/*
173
  In Solaris 11 the audit daemon has been moved to SMF. In the process
174
  they simply dropped getacna() from the API, since it read from a now
175
  non-existent config file. This function re-implements getacna() to
176
  read from the SMF repository instead.
177
 */
178
int
179
getacna(char *auditstring, int len)
180
{
181
	scf_handle_t *handle = NULL;
182
	scf_property_t *property = NULL;
183
	scf_value_t *value = NULL;
184
	int ret = 0;
185

186
	/*
187
	 * The man page for getacna on Solaris 10 states we should return -2
188
	 * in case of error and set errno to indicate the error. We don't
189
	 * bother with errno here, though, since the only use of this function
190
	 * below doesn't check for errors anyway.
191
	*/
192
	handle = scf_handle_create(SCF_VERSION);
193
	if (handle == NULL) 
194
		return -2;
195

196
	ret = scf_handle_bind(handle);
197
	if (ret == -1) 
198
		return -2;
199

200
	property = scf_property_create(handle);
201
	if (property == NULL) 
202
		return -2;
203

204
	ret = scf_handle_decode_fmri(handle, 
205
	    "svc:/system/auditd:default/:properties/preselection/naflags",
206
	    NULL, NULL, NULL, NULL, property, 0);
207
	if (ret == -1) 
208
		return -2;
209

210
	value = scf_value_create(handle);
211
	if (value == NULL) 
212
		return -2;
213

214
	ret = scf_property_get_value(property, value);
215
	if (ret == -1) 
216
		return -2;
217

218
	ret = scf_value_get_astring(value, auditstring, len);
219
	if (ret == -1) 
220
		return -2;
221

222
	scf_value_destroy(value);
223
	scf_property_destroy(property);
224
	scf_handle_destroy(handle);
225

226
	return 0;
227
}
228
#endif
229

230
/*
231
 * Check if the specified event is selected (enabled) for auditing.
232
 * Returns 1 if the event is selected, 0 if not and -1 on failure.
233
 */
234
static int
235
selected(char *username, uid_t uid, au_event_t event, int sf)
236
{
237
	int rc, sorf;
238
	char naflags[512];
239
	struct au_mask mask;
240

241
	mask.am_success = mask.am_failure = 0;
242
	if (uid < 0) {
243
		/* get flags for non-attributable (to a real user) events */
244
		rc = getacna(naflags, sizeof(naflags));
245
		if (rc == 0)
246
			(void) getauditflagsbin(naflags, &mask);
247
	} else
248
		rc = au_user_mask(username, &mask);
249

250
	sorf = (sf == 0) ? AU_PRS_SUCCESS : AU_PRS_FAILURE;
251
	return(au_preselect(event, &mask, sorf, AU_PRS_REREAD));
252
}
253

254
static void
255
bsm_audit_record(int typ, char *string, au_event_t event_no)
256
{
257
	int		ad, rc, sel;
258
	uid_t		uid = -1;
259
	gid_t		gid = -1;
260
	pid_t		pid = getpid();
261
	AuditInfoTermID	tid = ssh_bsm_tid;
262

263
	if (the_authctxt != NULL && the_authctxt->valid) {
264
		uid = the_authctxt->pw->pw_uid;
265
		gid = the_authctxt->pw->pw_gid;
266
	}
267

268
	rc = (typ == 0) ? 0 : -1;
269
	sel = selected(the_authctxt->user, uid, event_no, rc);
270
	debug3("BSM audit: typ %d rc %d \"%s\"", typ, rc, string);
271
	if (!sel)
272
		return;	/* audit event does not match mask, do not write */
273

274
	debug3("BSM audit: writing audit new record");
275
	ad = au_open();
276

277
	(void) au_write(ad, AUToSubjectFunc(uid, uid, gid, uid, gid,
278
	    pid, pid, &tid));
279
	(void) au_write(ad, au_to_text(string));
280
	(void) au_write(ad, AUToReturnFunc(typ, rc));
281

282
#ifdef BROKEN_BSM_API
283
	/*
284
	 * The last argument is the event modifier flags. For some seemingly
285
	 * undocumented reason it was added in Solaris 11.
286
	 */
287
	rc = au_close(ad, AU_TO_WRITE, event_no, 0);
288
#else
289
	rc = au_close(ad, AU_TO_WRITE, event_no);
290
#endif
291

292
	if (rc < 0)
293
		error("BSM audit: %s failed to write \"%s\" record: %s",
294
		    __func__, string, strerror(errno));
295
}
296

297
static void
298
bsm_audit_session_setup(void)
299
{
300
	int rc;
301
	struct AuditInfoStruct info;
302
	au_mask_t mask;
303

304
	if (the_authctxt == NULL) {
305
		error("BSM audit: session setup internal error (NULL ctxt)");
306
		return;
307
	}
308

309
	if (the_authctxt->valid)
310
		info.ai_auid = the_authctxt->pw->pw_uid;
311
	else
312
		info.ai_auid = -1;
313
	info.ai_asid = getpid();
314
	mask.am_success = 0;
315
	mask.am_failure = 0;
316

317
	(void) au_user_mask(the_authctxt->user, &mask);
318

319
	info.ai_mask.am_success  = mask.am_success;
320
	info.ai_mask.am_failure  = mask.am_failure;
321

322
	info.ai_termid = ssh_bsm_tid;
323

324
	rc = SetAuditFunc(&info, sizeof(info));
325
	if (rc < 0)
326
		error("BSM audit: %s: %s failed: %s", __func__,
327
		    SetAuditFuncText, strerror(errno));
328
}
329

330
static void
331
bsm_audit_bad_login(const char *what)
332
{
333
	char textbuf[BSM_TEXTBUFSZ];
334

335
	if (the_authctxt->valid) {
336
		(void) snprintf(textbuf, sizeof (textbuf),
337
			gettext("invalid %s for user %s"),
338
			    what, the_authctxt->user);
339
		bsm_audit_record(4, textbuf, AUE_openssh);
340
	} else {
341
		(void) snprintf(textbuf, sizeof (textbuf),
342
			gettext("invalid user name \"%s\""),
343
			    the_authctxt->user);
344
		bsm_audit_record(3, textbuf, AUE_openssh);
345
	}
346
}
347

348
/* Below is the sshd audit API code */
349

350
void
351
audit_connection_from(const char *host, int port)
352
{
353
	AuditInfoTermID *tid = &ssh_bsm_tid;
354
	char buf[1024];
355

356
	if (cannot_audit(0))
357
		return;
358
	debug3("BSM audit: connection from %.100s port %d", host, port);
359

360
	/* populate our terminal id structure */
361
#if defined(HAVE_GETAUDIT_ADDR)
362
	tid->at_port = (dev_t)port;
363
	aug_get_machine((char *)host, &(tid->at_addr[0]), &(tid->at_type));
364
	snprintf(buf, sizeof(buf), "%08x %08x %08x %08x", tid->at_addr[0],
365
	    tid->at_addr[1], tid->at_addr[2], tid->at_addr[3]);
366
	debug3("BSM audit: iptype %d machine ID %s", (int)tid->at_type, buf);
367
#else
368
	/* this is used on IPv4-only machines */
369
	tid->port = (dev_t)port;
370
	tid->machine = inet_addr(host);
371
	snprintf(buf, sizeof(buf), "%08x", tid->machine);
372
	debug3("BSM audit: machine ID %s", buf);
373
#endif
374
}
375

376
void
377
audit_run_command(const char *command)
378
{
379
	/* not implemented */
380
}
381

382
void
383
audit_session_open(struct logininfo *li)
384
{
385
	/* not implemented */
386
}
387

388
void
389
audit_session_close(struct logininfo *li)
390
{
391
	/* not implemented */
392
}
393

394
void
395
audit_event(struct ssh *ssh, ssh_audit_event_t event)
396
{
397
	char    textbuf[BSM_TEXTBUFSZ];
398
	static int logged_in = 0;
399
	const char *user = the_authctxt ? the_authctxt->user : "(unknown user)";
400

401
	if (cannot_audit(0))
402
		return;
403

404
	switch(event) {
405
	case SSH_AUTH_SUCCESS:
406
		logged_in = 1;
407
		bsm_audit_session_setup();
408
		snprintf(textbuf, sizeof(textbuf),
409
		    gettext("successful login %s"), user);
410
		bsm_audit_record(0, textbuf, AUE_openssh);
411
		break;
412

413
	case SSH_CONNECTION_CLOSE:
414
		/*
415
		 * We can also get a close event if the user attempted auth
416
		 * but never succeeded.
417
		 */
418
		if (logged_in) {
419
			snprintf(textbuf, sizeof(textbuf),
420
			    gettext("sshd logout %s"), the_authctxt->user);
421
			bsm_audit_record(0, textbuf, AUE_logout);
422
		} else {
423
			debug("%s: connection closed without authentication",
424
			    __func__);
425
		}
426
		break;
427

428
	case SSH_NOLOGIN:
429
		bsm_audit_record(1,
430
		    gettext("logins disabled by /etc/nologin"), AUE_openssh);
431
		break;
432

433
	case SSH_LOGIN_EXCEED_MAXTRIES:
434
		snprintf(textbuf, sizeof(textbuf),
435
		    gettext("too many tries for user %s"), the_authctxt->user);
436
		bsm_audit_record(1, textbuf, AUE_openssh);
437
		break;
438

439
	case SSH_LOGIN_ROOT_DENIED:
440
		bsm_audit_record(2, gettext("not_console"), AUE_openssh);
441
		break;
442

443
	case SSH_AUTH_FAIL_PASSWD:
444
		bsm_audit_bad_login("password");
445
		break;
446

447
	case SSH_AUTH_FAIL_KBDINT:
448
		bsm_audit_bad_login("interactive password entry");
449
		break;
450

451
	default:
452
		debug("%s: unhandled event %d", __func__, event);
453
	}
454
}
455
#endif /* BSM */
456

457