source: trunk/third/openssh/audit.c @ 22570

Revision 22570, 5.6 KB checked in by ghudson, 18 years ago (diff)
This commit was generated by cvs2svn to compensate for changes in r22569, which included commits to RCS files with non-trunk default branches.
Line 
1/* $Id: audit.c,v 1.1.1.1 2006-11-30 21:21:08 ghudson Exp $ */
2
3/*
4 * Copyright (c) 2004, 2005 Darren Tucker.  All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 *    notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 *    notice, this list of conditions and the following disclaimer in the
13 *    documentation and/or other materials provided with the distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 */
26
27#include "includes.h"
28
29#ifdef SSH_AUDIT_EVENTS
30
31#include "audit.h"
32#include "log.h"
33#include "auth.h"
34
35/*
36 * Care must be taken when using this since it WILL NOT be initialized when
37 * audit_connection_from() is called and MAY NOT be initialized when
38 * audit_event(CONNECTION_ABANDON) is called.  Test for NULL before using.
39 */
40extern Authctxt *the_authctxt;
41
42/* Maybe add the audit class to struct Authmethod? */
43ssh_audit_event_t
44audit_classify_auth(const char *method)
45{
46        if (strcmp(method, "none") == 0)
47                return SSH_AUTH_FAIL_NONE;
48        else if (strcmp(method, "password") == 0)
49                return SSH_AUTH_FAIL_PASSWD;
50        else if (strcmp(method, "publickey") == 0 ||
51            strcmp(method, "rsa") == 0)
52                return SSH_AUTH_FAIL_PUBKEY;
53        else if (strncmp(method, "keyboard-interactive", 20) == 0 ||
54            strcmp(method, "challenge-response") == 0)
55                return SSH_AUTH_FAIL_KBDINT;
56        else if (strcmp(method, "hostbased") == 0 ||
57            strcmp(method, "rhosts-rsa") == 0)
58                return SSH_AUTH_FAIL_HOSTBASED;
59        else if (strcmp(method, "gssapi-with-mic") == 0)
60                return SSH_AUTH_FAIL_GSSAPI;
61        else
62                return SSH_AUDIT_UNKNOWN;
63}
64
65/* helper to return supplied username */
66const char *
67audit_username(void)
68{
69        static const char unknownuser[] = "(unknown user)";
70        static const char invaliduser[] = "(invalid user)";
71
72        if (the_authctxt == NULL || the_authctxt->user == NULL)
73                return (unknownuser);
74        if (!the_authctxt->valid)
75                return (invaliduser);
76        return (the_authctxt->user);
77}
78
79const char *
80audit_event_lookup(ssh_audit_event_t ev)
81{
82        int i;
83        static struct event_lookup_struct {
84                ssh_audit_event_t event;
85                const char *name;
86        } event_lookup[] = {
87                {SSH_LOGIN_EXCEED_MAXTRIES,     "LOGIN_EXCEED_MAXTRIES"},
88                {SSH_LOGIN_ROOT_DENIED,         "LOGIN_ROOT_DENIED"},
89                {SSH_AUTH_SUCCESS,              "AUTH_SUCCESS"},
90                {SSH_AUTH_FAIL_NONE,            "AUTH_FAIL_NONE"},
91                {SSH_AUTH_FAIL_PASSWD,          "AUTH_FAIL_PASSWD"},
92                {SSH_AUTH_FAIL_KBDINT,          "AUTH_FAIL_KBDINT"},
93                {SSH_AUTH_FAIL_PUBKEY,          "AUTH_FAIL_PUBKEY"},
94                {SSH_AUTH_FAIL_HOSTBASED,       "AUTH_FAIL_HOSTBASED"},
95                {SSH_AUTH_FAIL_GSSAPI,          "AUTH_FAIL_GSSAPI"},
96                {SSH_INVALID_USER,              "INVALID_USER"},
97                {SSH_NOLOGIN,                   "NOLOGIN"},
98                {SSH_CONNECTION_CLOSE,          "CONNECTION_CLOSE"},
99                {SSH_CONNECTION_ABANDON,        "CONNECTION_ABANDON"},
100                {SSH_AUDIT_UNKNOWN,             "AUDIT_UNKNOWN"}
101        };
102
103        for (i = 0; event_lookup[i].event != SSH_AUDIT_UNKNOWN; i++)
104                if (event_lookup[i].event == ev)
105                        break;
106        return(event_lookup[i].name);
107}
108
109# ifndef CUSTOM_SSH_AUDIT_EVENTS
110/*
111 * Null implementations of audit functions.
112 * These get used if SSH_AUDIT_EVENTS is defined but no audit module is enabled.
113 */
114
115/*
116 * Called after a connection has been accepted but before any authentication
117 * has been attempted.
118 */
119void
120audit_connection_from(const char *host, int port)
121{
122        debug("audit connection from %s port %d euid %d", host, port,
123            (int)geteuid());
124}
125
126/*
127 * Called when various events occur (see audit.h for a list of possible
128 * events and what they mean).
129 */
130void
131audit_event(ssh_audit_event_t event)
132{
133        debug("audit event euid %d user %s event %d (%s)", geteuid(),
134            audit_username(), event, audit_event_lookup(event));
135}
136
137/*
138 * Called when a user session is started.  Argument is the tty allocated to
139 * the session, or NULL if no tty was allocated.
140 *
141 * Note that this may be called multiple times if multiple sessions are used
142 * within a single connection.
143 */
144void
145audit_session_open(const char *ttyn)
146{
147        const char *t = ttyn ? ttyn : "(no tty)";
148
149        debug("audit session open euid %d user %s tty name %s", geteuid(),
150            audit_username(), t);
151}
152
153/*
154 * Called when a user session is closed.  Argument is the tty allocated to
155 * the session, or NULL if no tty was allocated.
156 *
157 * Note that this may be called multiple times if multiple sessions are used
158 * within a single connection.
159 */
160void
161audit_session_close(const char *ttyn)
162{
163        const char *t = ttyn ? ttyn : "(no tty)";
164
165        debug("audit session close euid %d user %s tty name %s", geteuid(),
166            audit_username(), t);
167}
168
169/*
170 * This will be called when a user runs a non-interactive command.  Note that
171 * it may be called multiple times for a single connection since SSH2 allows
172 * multiple sessions within a single connection.
173 */
174void
175audit_run_command(const char *command)
176{
177        debug("audit run command euid %d user %s command '%.200s'", geteuid(),
178            audit_username(), command);
179}
180# endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
181#endif /* SSH_AUDIT_EVENTS */
Note: See TracBrowser for help on using the repository browser.