1
/*
2
 * Copyright 2010 Red Hat, Inc.  All rights reserved.
3
 * Use is subject to license terms.
4
 *
5
 * Redistribution and use in source and binary forms, with or without
6
 * modification, are permitted provided that the following conditions
7
 * are met:
8
 * 1. Redistributions of source code must retain the above copyright
9
 *    notice, this list of conditions and the following disclaimer.
10
 * 2. Redistributions in binary form must reproduce the above copyright
11
 *    notice, this list of conditions and the following disclaimer in the
12
 *    documentation and/or other materials provided with the distribution.
13
 *
14
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24
 *
25
 * Red Hat author: Jan F. Chadima <[email protected]>
26
 */
27

28
#include "includes.h"
29
#if defined(USE_LINUX_AUDIT)
30
#include <libaudit.h>
31
#include <unistd.h>
32
#include <string.h>
33

34
#include "log.h"
35
#include "audit.h"
36
#include "canohost.h"
37
#include "packet.h"
38

39
const char *audit_username(void);
40

41
int
42
linux_audit_record_event(int uid, const char *username, const char *hostname,
43
    const char *ip, const char *ttyn, int success)
44
{
45
	int audit_fd, rc, saved_errno;
46

47
	if ((audit_fd = audit_open()) < 0) {
48
		if (errno == EINVAL || errno == EPROTONOSUPPORT ||
49
		    errno == EAFNOSUPPORT)
50
			return 1; /* No audit support in kernel */
51
		else
52
			return 0; /* Must prevent login */
53
	}
54
	rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
55
	    NULL, "login", username ? username : "(unknown)",
56
	    username == NULL ? uid : -1, hostname, ip, ttyn, success);
57
	saved_errno = errno;
58
	close(audit_fd);
59

60
	/*
61
	 * Do not report error if the error is EPERM and sshd is run as non
62
	 * root user.
63
	 */
64
	if ((rc == -EPERM) && (geteuid() != 0))
65
		rc = 0;
66
	errno = saved_errno;
67

68
	return rc >= 0;
69
}
70

71
/* Below is the sshd audit API code */
72

73
void
74
audit_connection_from(const char *host, int port)
75
{
76
	/* not implemented */
77
}
78

79
void
80
audit_run_command(const char *command)
81
{
82
	/* not implemented */
83
}
84

85
void
86
audit_session_open(struct logininfo *li)
87
{
88
	if (linux_audit_record_event(li->uid, NULL, li->hostname, NULL,
89
	    li->line, 1) == 0)
90
		fatal("linux_audit_write_entry failed: %s", strerror(errno));
91
}
92

93
void
94
audit_session_close(struct logininfo *li)
95
{
96
	/* not implemented */
97
}
98

99
void
100
audit_event(struct ssh *ssh, ssh_audit_event_t event)
101
{
102
	switch(event) {
103
	case SSH_AUTH_SUCCESS:
104
	case SSH_CONNECTION_CLOSE:
105
	case SSH_NOLOGIN:
106
	case SSH_LOGIN_EXCEED_MAXTRIES:
107
	case SSH_LOGIN_ROOT_DENIED:
108
		break;
109
	case SSH_AUTH_FAIL_NONE:
110
	case SSH_AUTH_FAIL_PASSWD:
111
	case SSH_AUTH_FAIL_KBDINT:
112
	case SSH_AUTH_FAIL_PUBKEY:
113
	case SSH_AUTH_FAIL_HOSTBASED:
114
	case SSH_AUTH_FAIL_GSSAPI:
115
	case SSH_INVALID_USER:
116
		linux_audit_record_event(-1, audit_username(), NULL,
117
		    ssh_remote_ipaddr(ssh), "sshd", 0);
118
		break;
119
	default:
120
		debug("%s: unhandled event %d", __func__, event);
121
		break;
122
	}
123
}
124
#endif /* USE_LINUX_AUDIT */
125

126