summaryrefslogtreecommitdiff
path: root/monitor.c
diff options
context:
space:
mode:
Diffstat (limited to 'monitor.c')
-rw-r--r--monitor.c65
1 files changed, 65 insertions, 0 deletions
diff --git a/monitor.c b/monitor.c
index 00d4a785f..ce7784aa1 100644
--- a/monitor.c
+++ b/monitor.c
@@ -143,6 +143,11 @@ int mm_answer_gss_userok(int, Buffer *);
143int mm_answer_gss_checkmic(int, Buffer *); 143int mm_answer_gss_checkmic(int, Buffer *);
144#endif 144#endif
145 145
146#ifdef AUDIT_EVENTS
147int mm_answer_audit_event(int, Buffer *);
148int mm_answer_audit_command(int, Buffer *);
149#endif
150
146static Authctxt *authctxt; 151static Authctxt *authctxt;
147static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */ 152static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
148 153
@@ -186,6 +191,9 @@ struct mon_table mon_dispatch_proto20[] = {
186 {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond}, 191 {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
187 {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx}, 192 {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
188#endif 193#endif
194#ifdef AUDIT_EVENTS
195 {MONITOR_REQ_AUDIT_EVENT, 0, mm_answer_audit_event},
196#endif
189#ifdef BSD_AUTH 197#ifdef BSD_AUTH
190 {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery}, 198 {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
191 {MONITOR_REQ_BSDAUTHRESPOND, MON_AUTH,mm_answer_bsdauthrespond}, 199 {MONITOR_REQ_BSDAUTHRESPOND, MON_AUTH,mm_answer_bsdauthrespond},
@@ -211,6 +219,10 @@ struct mon_table mon_dispatch_postauth20[] = {
211 {MONITOR_REQ_PTY, 0, mm_answer_pty}, 219 {MONITOR_REQ_PTY, 0, mm_answer_pty},
212 {MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup}, 220 {MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup},
213 {MONITOR_REQ_TERM, 0, mm_answer_term}, 221 {MONITOR_REQ_TERM, 0, mm_answer_term},
222#ifdef AUDIT_EVENTS
223 {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
224 {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
225#endif
214 {0, 0, NULL} 226 {0, 0, NULL}
215}; 227};
216 228
@@ -239,6 +251,9 @@ struct mon_table mon_dispatch_proto15[] = {
239 {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond}, 251 {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
240 {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx}, 252 {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
241#endif 253#endif
254#ifdef AUDIT_EVENTS
255 {MONITOR_REQ_AUDIT_EVENT, 0, mm_answer_audit_event},
256#endif
242 {0, 0, NULL} 257 {0, 0, NULL}
243}; 258};
244 259
@@ -246,6 +261,10 @@ struct mon_table mon_dispatch_postauth15[] = {
246 {MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty}, 261 {MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty},
247 {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup}, 262 {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup},
248 {MONITOR_REQ_TERM, 0, mm_answer_term}, 263 {MONITOR_REQ_TERM, 0, mm_answer_term},
264#ifdef AUDIT_EVENTS
265 {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
266 {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
267#endif
249 {0, 0, NULL} 268 {0, 0, NULL}
250}; 269};
251 270
@@ -609,6 +628,9 @@ mm_answer_pwnamallow(int sock, Buffer *m)
609 if (options.use_pam) 628 if (options.use_pam)
610 monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1); 629 monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1);
611#endif 630#endif
631#ifdef AUDIT_EVENTS
632 monitor_permit(mon_dispatch, MONITOR_REQ_AUDIT_EVENT, 1);
633#endif
612 634
613 return (0); 635 return (0);
614} 636}
@@ -1491,6 +1513,49 @@ mm_answer_term(int sock, Buffer *req)
1491 exit(res); 1513 exit(res);
1492} 1514}
1493 1515
1516#ifdef AUDIT_EVENTS
1517/* Report that an audit event occurred */
1518int
1519mm_answer_audit_event(int socket, Buffer *m)
1520{
1521 ssh_audit_event_t event;
1522
1523 debug3("%s entering", __func__);
1524
1525 event = buffer_get_int(m);
1526 buffer_free(m);
1527 switch(event) {
1528 case AUTH_FAIL_PUBKEY:
1529 case AUTH_FAIL_HOSTBASED:
1530 case AUTH_FAIL_GSSAPI:
1531 case LOGIN_EXCEED_MAXTRIES:
1532 case LOGIN_ROOT_DENIED:
1533 case CONNECTION_CLOSE:
1534 audit_event(event);
1535 break;
1536 default:
1537 fatal("Audit event type %d not permitted", event);
1538 }
1539
1540 return (0);
1541}
1542
1543int
1544mm_answer_audit_command(int socket, Buffer *m)
1545{
1546 u_int len;
1547 char *cmd;
1548
1549 debug3("%s entering", __func__);
1550 cmd = buffer_get_string(m, &len);
1551 /* sanity check command, if so how? */
1552 audit_run_command(cmd);
1553 xfree(cmd);
1554 buffer_free(m);
1555 return (0);
1556}
1557#endif /* AUDIT_EVENTS */
1558
1494void 1559void
1495monitor_apply_keystate(struct monitor *pmonitor) 1560monitor_apply_keystate(struct monitor *pmonitor)
1496{ 1561{