- (dtucker) [Makefile.in auth.c auth.h auth1.c auth2.c loginrec.c monitor.c

monitor.h monitor_wrap.c monitor_wrap.h session.c sshd.c] Bug #125: (first stage) Add audit instrumentation to sshd, currently disabled by default. with suggestions from and djm@
author: Darren Tucker <dtucker@zip.com.au> 2005-02-03 00:20:53 +1100
committer: Darren Tucker <dtucker@zip.com.au> 2005-02-03 00:20:53 +1100
commit: 269a1ea1c80a855d1eb74fccba6dd5c75947c5d2 (patch)
tree: 2c3ece8547de7552c4c78337607a1a387decd797 /monitor.c
parent: 2fba993080eba14e339d6a6666ee79580ee20f97 (diff)
1 files changed, 65 insertions, 0 deletions
diff --git a/monitor.c b/monitor.c
index 00d4a785f..ce7784aa1 100644
--- a/monitor.c
+++ b/monitor.c
@@ -143,6 +143,11 @@ int mm_answer_gss_userok(int, Buffer *);
 int mm_answer_gss_checkmic(int, Buffer *);
 #endif
+#ifdef AUDIT_EVENTS
+int mm_answer_audit_event(int, Buffer *);
+int mm_answer_audit_command(int, Buffer *);
+#endif
 static Authctxt *authctxt;
 static BIGNUM *ssh1_challenge = NULL;   /* used for ssh1 rsa auth */
@@ -186,6 +191,9 @@ struct mon_table mon_dispatch_proto20[] = {
    {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
    {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
 #endif
+#ifdef AUDIT_EVENTS
+    {MONITOR_REQ_AUDIT_EVENT, 0, mm_answer_audit_event},
+#endif
 #ifdef BSD_AUTH
    {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
    {MONITOR_REQ_BSDAUTHRESPOND, MON_AUTH,mm_answer_bsdauthrespond},
@@ -211,6 +219,10 @@ struct mon_table mon_dispatch_postauth20[] = {
    {MONITOR_REQ_PTY, 0, mm_answer_pty},
    {MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup},
    {MONITOR_REQ_TERM, 0, mm_answer_term},
+#ifdef AUDIT_EVENTS
+    {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
+    {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
+#endif
    {0, 0, NULL}
 };
@@ -239,6 +251,9 @@ struct mon_table mon_dispatch_proto15[] = {
    {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
    {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
 #endif
+#ifdef AUDIT_EVENTS
+    {MONITOR_REQ_AUDIT_EVENT, 0, mm_answer_audit_event},
+#endif
    {0, 0, NULL}
 };
@@ -246,6 +261,10 @@ struct mon_table mon_dispatch_postauth15[] = {
    {MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty},
    {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup},
    {MONITOR_REQ_TERM, 0, mm_answer_term},
+#ifdef AUDIT_EVENTS
+    {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
+    {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
+#endif
    {0, 0, NULL}
 };
@@ -609,6 +628,9 @@ mm_answer_pwnamallow(int sock, Buffer *m)
        if (options.use_pam)
                monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1);
 #endif
+#ifdef AUDIT_EVENTS
+        monitor_permit(mon_dispatch, MONITOR_REQ_AUDIT_EVENT, 1);
+#endif
        return (0);
 }
@@ -1491,6 +1513,49 @@ mm_answer_term(int sock, Buffer *req)
        exit(res);
 }
+#ifdef AUDIT_EVENTS
+/* Report that an audit event occurred */
+int
+mm_answer_audit_event(int socket, Buffer *m)
+{
+        ssh_audit_event_t event;
+        debug3("%s entering", __func__);
+        event = buffer_get_int(m);
+        buffer_free(m);
+        switch(event) {
+        case AUTH_FAIL_PUBKEY:
+        case AUTH_FAIL_HOSTBASED:
+        case AUTH_FAIL_GSSAPI:
+        case LOGIN_EXCEED_MAXTRIES:
+        case LOGIN_ROOT_DENIED:
+        case CONNECTION_CLOSE:
+                audit_event(event);
+                break;
+        default:
+                fatal("Audit event type %d not permitted", event);
+        }
+        return (0);
+}
+int
+mm_answer_audit_command(int socket, Buffer *m)
+{
+        u_int len;
+        char *cmd;
+        debug3("%s entering", __func__);
+        cmd = buffer_get_string(m, &len);
+        /* sanity check command, if so how? */
+        audit_run_command(cmd);
+        xfree(cmd);
+        buffer_free(m);
+        return (0);
+}
+#endif /* AUDIT_EVENTS */
 void
 monitor_apply_keystate(struct monitor *pmonitor)
 {
author	Darren Tucker <dtucker@zip.com.au>	2005-02-03 00:20:53 +1100
committer	Darren Tucker <dtucker@zip.com.au>	2005-02-03 00:20:53 +1100
commit	269a1ea1c80a855d1eb74fccba6dd5c75947c5d2 (patch)
tree	2c3ece8547de7552c4c78337607a1a387decd797 /monitor.c
parent	2fba993080eba14e339d6a6666ee79580ee20f97 (diff)

diff --git a/monitor.c b/monitor.c index 00d4a785f..ce7784aa1 100644 --- a/monitor.c +++ b/monitor.c
@@ -143,6 +143,11 @@ int mm_answer_gss_userok(int, Buffer *);
143	int mm_answer_gss_checkmic(int, Buffer *);	143	int mm_answer_gss_checkmic(int, Buffer *);
144	#endif	144	#endif
145		145
		146	#ifdef AUDIT_EVENTS
		147	int mm_answer_audit_event(int, Buffer *);
		148	int mm_answer_audit_command(int, Buffer *);
		149	#endif
		150
146	static Authctxt *authctxt;	151	static Authctxt *authctxt;
147	static BIGNUM ssh1_challenge = NULL; / used for ssh1 rsa auth */	152	static BIGNUM ssh1_challenge = NULL; / used for ssh1 rsa auth */
148		153
@@ -186,6 +191,9 @@ struct mon_table mon_dispatch_proto20[] = {
186	{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},	191	{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
187	{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE\|MON_AUTHDECIDE, mm_answer_pam_free_ctx},	192	{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE\|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
188	#endif	193	#endif
		194	#ifdef AUDIT_EVENTS
		195	{MONITOR_REQ_AUDIT_EVENT, 0, mm_answer_audit_event},
		196	#endif
189	#ifdef BSD_AUTH	197	#ifdef BSD_AUTH
190	{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},	198	{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
191	{MONITOR_REQ_BSDAUTHRESPOND, MON_AUTH,mm_answer_bsdauthrespond},	199	{MONITOR_REQ_BSDAUTHRESPOND, MON_AUTH,mm_answer_bsdauthrespond},
@@ -211,6 +219,10 @@ struct mon_table mon_dispatch_postauth20[] = {
211	{MONITOR_REQ_PTY, 0, mm_answer_pty},	219	{MONITOR_REQ_PTY, 0, mm_answer_pty},
212	{MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup},	220	{MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup},
213	{MONITOR_REQ_TERM, 0, mm_answer_term},	221	{MONITOR_REQ_TERM, 0, mm_answer_term},
		222	#ifdef AUDIT_EVENTS
		223	{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
		224	{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
		225	#endif
214	{0, 0, NULL}	226	{0, 0, NULL}
215	};	227	};
216		228
@@ -239,6 +251,9 @@ struct mon_table mon_dispatch_proto15[] = {
239	{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},	251	{MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
240	{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE\|MON_AUTHDECIDE, mm_answer_pam_free_ctx},	252	{MONITOR_REQ_PAM_FREE_CTX, MON_ONCE\|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
241	#endif	253	#endif
		254	#ifdef AUDIT_EVENTS
		255	{MONITOR_REQ_AUDIT_EVENT, 0, mm_answer_audit_event},
		256	#endif
242	{0, 0, NULL}	257	{0, 0, NULL}
243	};	258	};
244		259
@@ -246,6 +261,10 @@ struct mon_table mon_dispatch_postauth15[] = {
246	{MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty},	261	{MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty},
247	{MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup},	262	{MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup},
248	{MONITOR_REQ_TERM, 0, mm_answer_term},	263	{MONITOR_REQ_TERM, 0, mm_answer_term},
		264	#ifdef AUDIT_EVENTS
		265	{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
		266	{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT\|MON_ONCE, mm_answer_audit_command},
		267	#endif
249	{0, 0, NULL}	268	{0, 0, NULL}
250	};	269	};
251		270
@@ -609,6 +628,9 @@ mm_answer_pwnamallow(int sock, Buffer *m)
609	if (options.use_pam)	628	if (options.use_pam)
610	monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1);	629	monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1);
611	#endif	630	#endif
		631	#ifdef AUDIT_EVENTS
		632	monitor_permit(mon_dispatch, MONITOR_REQ_AUDIT_EVENT, 1);
		633	#endif
612		634
613	return (0);	635	return (0);
614	}	636	}
@@ -1491,6 +1513,49 @@ mm_answer_term(int sock, Buffer *req)
1491	exit(res);	1513	exit(res);
1492	}	1514	}
1493		1515
		1516	#ifdef AUDIT_EVENTS
		1517	/* Report that an audit event occurred */
		1518	int
		1519	mm_answer_audit_event(int socket, Buffer *m)
		1520	{
		1521	ssh_audit_event_t event;
		1522
		1523	debug3("%s entering", __func__);
		1524
		1525	event = buffer_get_int(m);
		1526	buffer_free(m);
		1527	switch(event) {
		1528	case AUTH_FAIL_PUBKEY:
		1529	case AUTH_FAIL_HOSTBASED:
		1530	case AUTH_FAIL_GSSAPI:
		1531	case LOGIN_EXCEED_MAXTRIES:
		1532	case LOGIN_ROOT_DENIED:
		1533	case CONNECTION_CLOSE:
		1534	audit_event(event);
		1535	break;
		1536	default:
		1537	fatal("Audit event type %d not permitted", event);
		1538	}
		1539
		1540	return (0);
		1541	}
		1542
		1543	int
		1544	mm_answer_audit_command(int socket, Buffer *m)
		1545	{
		1546	u_int len;
		1547	char *cmd;
		1548
		1549	debug3("%s entering", __func__);
		1550	cmd = buffer_get_string(m, &len);
		1551	/* sanity check command, if so how? */
		1552	audit_run_command(cmd);
		1553	xfree(cmd);
		1554	buffer_free(m);
		1555	return (0);
		1556	}
		1557	#endif /* AUDIT_EVENTS */
		1558
1494	void	1559	void
1495	monitor_apply_keystate(struct monitor *pmonitor)	1560	monitor_apply_keystate(struct monitor *pmonitor)
1496	{	1561	{