- (dtucker) [LICENCE Makefile.in audit-bsm.c audit-linux.c audit.c audit.h

configure.ac defines.h loginrec.c] Bug #1402: add linux audit subsystem support, based on patches from Tomas Mraz and jchadima at redhat.
author: Darren Tucker <dtucker@zip.com.au> 2011-01-17 21:15:27 +1100
committer: Darren Tucker <dtucker@zip.com.au> 2011-01-17 21:15:27 +1100
commit: ea52a829699e981a58a69a77342e7ca3715a5f5b (patch)
tree: 425c4f3bbd3c691479e707431e0caf8458573b97 /audit-linux.c
parent: 263d43d2a58f0fc4cf211808410560c8c3e451d2 (diff)
1 files changed, 126 insertions, 0 deletions
diff --git a/audit-linux.c b/audit-linux.c
new file mode 100644
index 000000000..b3ee2f4da
--- /dev/null
+++ b/audit-linux.c
@@ -0,0 +1,126 @@
+/* $Id: audit-linux.c,v 1.1 2011/01/17 10:15:30 dtucker Exp $ */
+/*
+ * Copyright 2010 Red Hat, Inc.  All rights reserved.
+ * Use is subject to license terms.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * Red Hat author: Jan F. Chadima <jchadima@redhat.com>
+ */
+#include "includes.h"
+#if defined(USE_LINUX_AUDIT)
+#include <libaudit.h>
+#include <unistd.h>
+#include <string.h>
+#include "log.h"
+#include "audit.h"
+#include "canohost.h"
+const char* audit_username(void);
+int
+linux_audit_record_event(int uid, const char *username,
+    const char *hostname, const char *ip, const char *ttyn, int success)
+{
+        int audit_fd, rc, saved_errno;
+        audit_fd = audit_open();
+        if (audit_fd < 0) {
+                if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+                    errno == EAFNOSUPPORT)
+                        return 1; /* No audit support in kernel */
+                else
+                        return 0; /* Must prevent login */
+        }
+        rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
+            NULL, "login", username ? username : "(unknown)",
+            username == NULL ? uid : -1, hostname, ip, ttyn, success);
+        saved_errno = errno;
+        close(audit_fd);
+        /*
+         * Do not report error if the error is EPERM and sshd is run as non
+         * root user.
+         */
+        if ((rc == -EPERM) && (geteuid() != 0))
+                rc = 0;
+        errno = saved_errno;
+        return (rc >= 0);
+}
+/* Below is the sshd audit API code */
+void
+audit_connection_from(const char *host, int port)
+{
+}
+        /* not implemented */
+void
+audit_run_command(const char *command)
+{
+        /* not implemented */
+}
+void
+audit_session_open(struct logininfo *li)
+{
+        if (linux_audit_record_event(li->uid, NULL, li->hostname,
+            NULL, li->line, 1) == 0)
+                fatal("linux_audit_write_entry failed: %s", strerror(errno));
+}
+void
+audit_session_close(struct logininfo *li)
+{
+        /* not implemented */
+}
+void
+audit_event(ssh_audit_event_t event)
+{
+        switch(event) {
+        case SSH_AUTH_SUCCESS:
+        case SSH_CONNECTION_CLOSE:
+        case SSH_NOLOGIN:
+        case SSH_LOGIN_EXCEED_MAXTRIES:
+        case SSH_LOGIN_ROOT_DENIED:
+                break;
+        case SSH_AUTH_FAIL_NONE:
+        case SSH_AUTH_FAIL_PASSWD:
+        case SSH_AUTH_FAIL_KBDINT:
+        case SSH_AUTH_FAIL_PUBKEY:
+        case SSH_AUTH_FAIL_HOSTBASED:
+        case SSH_AUTH_FAIL_GSSAPI:
+        case SSH_INVALID_USER:
+                linux_audit_record_event(-1, audit_username(), NULL,
+                        get_remote_ipaddr(), "sshd", 0);
+                break;
+        default:
+                debug("%s: unhandled event %d", __func__, event);
+        }
+}
+#endif /* USE_LINUX_AUDIT */
author	Darren Tucker <dtucker@zip.com.au>	2011-01-17 21:15:27 +1100
committer	Darren Tucker <dtucker@zip.com.au>	2011-01-17 21:15:27 +1100
commit	ea52a829699e981a58a69a77342e7ca3715a5f5b (patch)
tree	425c4f3bbd3c691479e707431e0caf8458573b97 /audit-linux.c
parent	263d43d2a58f0fc4cf211808410560c8c3e451d2 (diff)

diff --git a/audit-linux.c b/audit-linux.c new file mode 100644 index 000000000..b3ee2f4da --- /dev/null +++ b/audit-linux.c
@@ -0,0 +1,126 @@
	1	/* $Id: audit-linux.c,v 1.1 2011/01/17 10:15:30 dtucker Exp $ */
	2
	3	/*
	4	* Copyright 2010 Red Hat, Inc. All rights reserved.
	5	* Use is subject to license terms.
	6	*
	7	* Redistribution and use in source and binary forms, with or without
	8	* modification, are permitted provided that the following conditions
	9	* are met:
	10	* 1. Redistributions of source code must retain the above copyright
	11	* notice, this list of conditions and the following disclaimer.
	12	* 2. Redistributions in binary form must reproduce the above copyright
	13	* notice, this list of conditions and the following disclaimer in the
	14	* documentation and/or other materials provided with the distribution.
	15	*
	16	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
	17	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	18	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	19	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
	20	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	21	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	22	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	23	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	24	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
	25	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	26	*
	27	* Red Hat author: Jan F. Chadima <jchadima@redhat.com>
	28	*/
	29
	30	#include "includes.h"
	31	#if defined(USE_LINUX_AUDIT)
	32	#include <libaudit.h>
	33	#include <unistd.h>
	34	#include <string.h>
	35
	36	#include "log.h"
	37	#include "audit.h"
	38	#include "canohost.h"
	39
	40	const char* audit_username(void);
	41
	42	int
	43	linux_audit_record_event(int uid, const char *username,
	44	const char hostname, const char ip, const char *ttyn, int success)
	45	{
	46	int audit_fd, rc, saved_errno;
	47
	48	audit_fd = audit_open();
	49	if (audit_fd < 0) {
	50	if (errno == EINVAL \|\| errno == EPROTONOSUPPORT \|\|
	51	errno == EAFNOSUPPORT)
	52	return 1; /* No audit support in kernel */
	53	else
	54	return 0; /* Must prevent login */
	55	}
	56	rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
	57	NULL, "login", username ? username : "(unknown)",
	58	username == NULL ? uid : -1, hostname, ip, ttyn, success);
	59	saved_errno = errno;
	60	close(audit_fd);
	61	/*
	62	* Do not report error if the error is EPERM and sshd is run as non
	63	* root user.
	64	*/
	65	if ((rc == -EPERM) && (geteuid() != 0))
	66	rc = 0;
	67	errno = saved_errno;
	68	return (rc >= 0);
	69	}
	70
	71	/* Below is the sshd audit API code */
	72
	73	void
	74	audit_connection_from(const char *host, int port)
	75	{
	76	}
	77	/* not implemented */
	78
	79	void
	80	audit_run_command(const char *command)
	81	{
	82	/* not implemented */
	83	}
	84
	85	void
	86	audit_session_open(struct logininfo *li)
	87	{
	88	if (linux_audit_record_event(li->uid, NULL, li->hostname,
	89	NULL, li->line, 1) == 0)
	90	fatal("linux_audit_write_entry failed: %s", strerror(errno));
	91	}
	92
	93	void
	94	audit_session_close(struct logininfo *li)
	95	{
	96	/* not implemented */
	97	}
	98
	99	void
	100	audit_event(ssh_audit_event_t event)
	101	{
	102	switch(event) {
	103	case SSH_AUTH_SUCCESS:
	104	case SSH_CONNECTION_CLOSE:
	105	case SSH_NOLOGIN:
	106	case SSH_LOGIN_EXCEED_MAXTRIES:
	107	case SSH_LOGIN_ROOT_DENIED:
	108	break;
	109
	110	case SSH_AUTH_FAIL_NONE:
	111	case SSH_AUTH_FAIL_PASSWD:
	112	case SSH_AUTH_FAIL_KBDINT:
	113	case SSH_AUTH_FAIL_PUBKEY:
	114	case SSH_AUTH_FAIL_HOSTBASED:
	115	case SSH_AUTH_FAIL_GSSAPI:
	116	case SSH_INVALID_USER:
	117	linux_audit_record_event(-1, audit_username(), NULL,
	118	get_remote_ipaddr(), "sshd", 0);
	119	break;
	120
	121	default:
	122	debug("%s: unhandled event %d", __func__, event);
	123	}
	124	}
	125
	126	#endif /* USE_LINUX_AUDIT */