void
KeychainAuthLogger::writeCommon()
{
writeSubject();
writeToken(au_to_text(sysKCAuthStr), sysKCAuthStr);
writeToken(au_to_text(mDatabase.c_str()), "keychain");
writeToken(au_to_text(mItem.c_str()), "keychain item");
}
void
AuthMechLogger::writeCommon()
{
writeSubject();
writeToken(au_to_text(mRight.c_str()), "right");
if (true == mEvaluatingMechanism)
{
string tmpStr = mechStr; // mechStr includes a trailing space
tmpStr += mCurrentMechanism;
writeToken(au_to_text(tmpStr.c_str()), "mechanism");
}
}
void
RightAuthenticationLogger::logFailure(uid_t authenticator, const char *targetName)
{
if (false == open())
return;
writeCommon();
writeToken(au_to_arg32(1, authenticatorStr, authenticator), "authenticator");
if (NULL == targetName)
writeToken(au_to_text(unknownUserStr), "target username");
else
writeToken(au_to_text(targetName), "target username");
// @@@ EAUTH more appropriate, but !defined for _POSIX_C_SOURCE
writeReturn(EPERM, errAuthorizationDenied);
close();
}
void
bsm_audit_failure(char **exec_args, char const *const fmt, va_list ap)
{
auditinfo_addr_t ainfo_addr;
auditinfo_t ainfo;
char text[256];
token_t *tok;
long au_cond;
au_id_t auid;
pid_t pid;
int aufd;
debug_decl(bsm_audit_success, SUDO_DEBUG_AUDIT)
pid = getpid();
/*
* If we are not auditing, don't cut an audit record; just return.
*/
if (auditon(A_GETCOND, &au_cond, sizeof(long)) < 0) {
if (errno == AUDIT_NOT_CONFIGURED)
debug_return;
error(1, _("Could not determine audit condition"));
}
if (au_cond == AUC_NOAUDIT)
debug_return;
if (!audit_sudo_selected(1))
debug_return;
if (getauid(&auid) < 0)
error(1, _("getauid: failed"));
if ((aufd = au_open()) == -1)
error(1, _("au_open: failed"));
if (getaudit_addr(&ainfo_addr, sizeof(ainfo_addr)) == 0) {
tok = au_to_subject_ex(auid, geteuid(), getegid(), getuid(),
getuid(), pid, pid, &ainfo_addr.ai_termid);
} else if (errno == ENOSYS) {
if (getaudit(&ainfo) < 0)
error(1, _("getaudit: failed"));
tok = au_to_subject(auid, geteuid(), getegid(), getuid(),
getuid(), pid, pid, &ainfo.ai_termid);
} else
error(1, _("getaudit: failed"));
if (tok == NULL)
error(1, _("au_to_subject: failed"));
au_write(aufd, tok);
tok = au_to_exec_args(exec_args);
if (tok == NULL)
error(1, _("au_to_exec_args: failed"));
au_write(aufd, tok);
(void) vsnprintf(text, sizeof(text), fmt, ap);
tok = au_to_text(text);
if (tok == NULL)
error(1, _("au_to_text: failed"));
au_write(aufd, tok);
tok = au_to_return32(EPERM, 1);
if (tok == NULL)
error(1, _("au_to_return32: failed"));
au_write(aufd, tok);
if (au_close(aufd, 1, AUE_sudo) == -1)
error(1, _("unable to commit audit record"));
debug_return;
}
static void
bsm_audit_record(int typ, char *string, au_event_t event_no)
{
int ad, rc, sel;
uid_t uid = -1;
gid_t gid = -1;
pid_t pid = getpid();
AuditInfoTermID tid = ssh_bsm_tid;
if (the_authctxt != NULL && the_authctxt->valid) {
uid = the_authctxt->pw->pw_uid;
gid = the_authctxt->pw->pw_gid;
}
rc = (typ == 0) ? 0 : -1;
sel = selected(the_authctxt->user, uid, event_no, rc);
debug3("BSM audit: typ %d rc %d \"%s\"", typ, rc, string);
if (!sel)
return; /* audit event does not match mask, do not write */
debug3("BSM audit: writing audit new record");
ad = au_open();
(void) au_write(ad, AUToSubjectFunc(uid, uid, gid, uid, gid,
pid, pid, &tid));
(void) au_write(ad, au_to_text(string));
(void) au_write(ad, AUToReturnFunc(typ, rc));
rc = au_close(ad, AU_TO_WRITE, event_no);
if (rc < 0)
error("BSM audit: %s failed to write \"%s\" record: %s",
__func__, string, strerror(errno));
}
void
RightAuthenticationLogger::logLeastPrivilege(uid_t userId, bool isAuthorizingUser)
{
if (false == open())
return;
writeCommon();
writeToken(au_to_text(leastPrivStr), leastPrivStr);
writeReturn(0, 0);
close();
}
void
RightAuthenticationLogger::logAuthorizationResult(const char *client, const char *authCreator, int errcode)
{
if (false == open())
return;
writeCommon();
string tmpStr(clientStr);
tmpStr += client ? client : unknownClientStr;
writeToken(au_to_text(tmpStr.c_str()), "Authorization client");
tmpStr.clear();
tmpStr = authCreatorStr;
tmpStr += authCreator ? authCreator : unknownAuthCreatorStr;
writeToken(au_to_text(tmpStr.c_str()), "Authorization creator");
if (errAuthorizationSuccess == errcode)
writeReturn(0, 0);
else
writeReturn(EPERM, errcode);
close();
}
static void
generate_text_record(const char *directory, const char *record_filename)
{
token_t *text_token;
text_token = au_to_text(text_token_text);
if (text_token == NULL)
err(EX_UNAVAILABLE, "au_to_text");
write_record(directory, record_filename, text_token, AUE_NULL);
}
static void
generate_text_token(const char *directory, const char *token_filename)
{
token_t *text_token;
text_token = au_to_text(text_token_text);
if (text_token == NULL)
err(EX_UNAVAILABLE, "au_to_text");
write_token(directory, token_filename, text_token);
}
void
AuthMechLogger::logInterrupt(const char *msg)
{
if (false == open())
return;
writeCommon();
if (msg)
writeToken(au_to_text(msg), "interrupt");
writeReturn(0, 0);
close();
}
void
AuditLogger::logFailure(const char *errMsg, int errcode)
{
if (false == open())
return;
writeCommon();
if (errMsg)
writeToken(au_to_text(errMsg), "evaluation error");
writeReturn(EPERM, errcode);
close();
}
/*
* The following tokens are included in the audit record for failed
* login attempts: header, subject, text, return.
*/
void
au_login_fail(const char *errmsg, int na)
{
token_t *tok;
int aufd;
int au_cond;
uid_t uid;
gid_t gid;
pid_t pid = getpid();
/* If we are not auditing, don't cut an audit record; just return. */
if (auditon(A_GETCOND, &au_cond, sizeof(au_cond)) < 0) {
if (errno == ENOSYS)
return;
errx(1, "could not determine audit condition");
}
if (au_cond == AUC_NOAUDIT)
return;
if ((aufd = au_open()) == -1)
errx(1, "audit error: au_open() failed");
if (na) {
/*
* Non attributable event. Assuming that login is not called
* within a user's session => auid,asid == -1.
*/
if ((tok = au_to_subject32(-1, geteuid(), getegid(), -1, -1,
pid, -1, &tid)) == NULL)
errx(1, "audit error: au_to_subject32() failed");
} else {
/* We know the subject -- so use its value instead. */
uid = pwd->pw_uid;
gid = pwd->pw_gid;
if ((tok = au_to_subject32(uid, geteuid(), getegid(), uid,
gid, pid, pid, &tid)) == NULL)
errx(1, "audit error: au_to_subject32() failed");
}
au_write(aufd, tok);
/* Include the error message. */
if ((tok = au_to_text(errmsg)) == NULL)
errx(1, "audit error: au_to_text() failed");
au_write(aufd, tok);
if ((tok = au_to_return32(1, errno)) == NULL)
errx(1, "audit error: au_to_return32() failed");
au_write(aufd, tok);
if (au_close(aufd, 1, AUE_login) == -1)
errx(1, "audit error: au_close() was not committed");
}
/*
* Same caveats as audit_write(). In addition, this function explicitly
* assumes failure; use audit_write_success_self() otherwise.
*
* XXX This should let the caller pass an error return value rather than
* hard-coding -1.
*/
int
audit_write_failure_self(short event_code, char *errmsg, int errret)
{
char *func = "audit_write_failure_self()";
token_t *subject, *errtok;
if ((subject = au_to_me()) == NULL) {
syslog(LOG_ERR, "%s: au_to_me() failed", func);
return (kAUMakeSubjectTokErr);
}
/* tokenize and save the error message */
if ((errtok = au_to_text(errmsg)) == NULL) {
au_free_token(subject);
syslog(LOG_ERR, "%s: au_to_text() failed", func);
return (kAUMakeTextTokErr);
}
return (audit_write(event_code, subject, errtok, -1, errret));
}
static void
bsm_audit_record(int typ, char *string, au_event_t event_no)
{
int ad, rc, sel;
uid_t uid = -1;
gid_t gid = -1;
pid_t pid = getpid();
AuditInfoTermID tid = ssh_bsm_tid;
if (the_authctxt != NULL && the_authctxt->valid) {
uid = the_authctxt->pw->pw_uid;
gid = the_authctxt->pw->pw_gid;
}
rc = (typ == 0) ? 0 : -1;
sel = selected(the_authctxt->user, uid, event_no, rc);
debug3("BSM audit: typ %d rc %d \"%s\"", typ, rc, string);
if (!sel)
return; /* audit event does not match mask, do not write */
debug3("BSM audit: writing audit new record");
ad = au_open();
(void) au_write(ad, AUToSubjectFunc(uid, uid, gid, uid, gid,
pid, pid, &tid));
(void) au_write(ad, au_to_text(string));
(void) au_write(ad, AUToReturnFunc(typ, rc));
#ifdef BROKEN_BSM_API
/* The last argument is the event modifier flags. For
some seemingly undocumented reason it was added in
Solaris 11. */
rc = au_close(ad, AU_TO_WRITE, event_no, 0);
#else
rc = au_close(ad, AU_TO_WRITE, event_no);
#endif
if (rc < 0)
error("BSM audit: %s failed to write \"%s\" record: %s",
__func__, string, strerror(errno));
}
/*
* Same caveats as audit_write(). In addition, this function explicitly
* assumes failure; use audit_write_success() otherwise.
*
* XXX This should let the caller pass an error return value rather than
* hard-coding -1.
*/
int
audit_write_failure(short event_code, char *errmsg, int errcode,
au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid)
{
char *func = "audit_write_failure()";
token_t *subject, *errtok;
subject = au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid, tid);
if (subject == NULL)
{
syslog(LOG_ERR, "%s: au_to_subject32() failed", func);
return kAUMakeSubjectTokErr;
}
/* tokenize and save the error message */
if ((errtok = au_to_text(errmsg)) == NULL)
{
syslog(LOG_ERR, "%s: au_to_text() failed", func);
return kAUMakeTextTokErr;
}
return audit_write(event_code, subject, errtok, -1, errcode);
}
/*
* au_to_data
* returns:
* pointer to au_membuf chain containing a data token.
*/
token_t *
au_to_data(char unit_print, char unit_type, char unit_count, char *p)
{
adr_t adr; /* adr memory stream header */
token_t *m; /* au_membuf pointer */
char data_header = AUT_DATA; /* header for this token */
ASSERT(p != NULL);
ASSERT(unit_count != 0);
switch (unit_type) {
case AUR_SHORT:
if (sizeof (short) * unit_count >= AU_BUFSIZE)
return (au_to_text("au_to_data: unit count too big"));
break;
case AUR_INT32:
if (sizeof (int32_t) * unit_count >= AU_BUFSIZE)
return (au_to_text("au_to_data: unit count too big"));
break;
case AUR_INT64:
if (sizeof (int64_t) * unit_count >= AU_BUFSIZE)
return (au_to_text("au_to_data: unit count too big"));
break;
case AUR_BYTE:
default:
#ifdef _CHAR_IS_UNSIGNED
if (sizeof (char) * unit_count >= AU_BUFSIZE)
return (au_to_text("au_to_data: unit count too big"));
#endif
/*
* we used to check for this:
* sizeof (char) * (int)unit_count >= AU_BUFSIZE).
* but the compiler is smart enough to see that
* will never be >= AU_BUFSIZE, since that's 128
* and unit_count maxes out at 127 (signed char),
* and complain.
*/
break;
}
m = au_getclr();
adr_start(&adr, memtod(m, char *));
adr_char(&adr, &data_header, 1);
adr_char(&adr, &unit_print, 1);
adr_char(&adr, &unit_type, 1);
adr_char(&adr, &unit_count, 1);
switch (unit_type) {
case AUR_SHORT:
adr_short(&adr, (short *)p, unit_count);
break;
case AUR_INT32:
adr_int32(&adr, (int32_t *)p, unit_count);
break;
case AUR_INT64:
adr_int64(&adr, (int64_t *)p, unit_count);
break;
case AUR_BYTE:
default:
adr_char(&adr, p, unit_count);
break;
}
m->len = adr_count(&adr);
return (m);
}
/*
* General purpose audit submission mechanism for userspace.
*/
int
audit_submit(short au_event, au_id_t auid, char status,
int reterr, const char *fmt, ...)
{
char text[MAX_AUDITSTRING_LEN];
token_t *token;
int acond;
va_list ap;
pid_t pid;
int error, afd, subj_ex;
struct auditinfo ai;
struct auditinfo_addr aia;
au_tid_t atid;
if (audit_get_cond(&acond) != 0) {
/*
* If auditon(2) returns ENOSYS, then audit has not been
* compiled into the kernel, so just return.
*/
if (errno == ENOSYS)
return (0);
error = errno;
syslog(LOG_AUTH | LOG_ERR, "audit: auditon failed: %s",
strerror(errno));
errno = error;
return (-1);
}
if (acond == AUC_NOAUDIT)
return (0);
afd = au_open();
if (afd < 0) {
error = errno;
syslog(LOG_AUTH | LOG_ERR, "audit: au_open failed: %s",
strerror(errno));
errno = error;
return (-1);
}
/*
* Try to use getaudit_addr(2) first. If this kernel does not support
* it, then fall back on to getaudit(2).
*/
subj_ex = 0;
error = getaudit_addr(&aia, sizeof(aia));
if (error < 0 && errno == ENOSYS) {
error = getaudit(&ai);
if (error < 0) {
error = errno;
syslog(LOG_AUTH | LOG_ERR, "audit: getaudit failed: %s",
strerror(errno));
errno = error;
return (-1);
}
/*
* Convert this auditinfo_t to an auditinfo_addr_t to make the
* following code less complicated wrt to preselection and
* subject token generation.
*/
aia.ai_auid = ai.ai_auid;
aia.ai_mask = ai.ai_mask;
aia.ai_asid = ai.ai_asid;
aia.ai_termid.at_type = AU_IPv4;
aia.ai_termid.at_addr[0] = ai.ai_termid.machine;
aia.ai_termid.at_port = ai.ai_termid.port;
} else if (error < 0) {
error = errno;
syslog(LOG_AUTH | LOG_ERR, "audit: getaudit_addr failed: %s",
strerror(errno));
errno = error;
return (-1);
}
/*
* NB: We should be performing pre-selection here now that we have the
* masks for this process.
*/
if (aia.ai_termid.at_type == AU_IPv6)
subj_ex = 1;
pid = getpid();
if (subj_ex == 0) {
atid.port = aia.ai_termid.at_port;
atid.machine = aia.ai_termid.at_addr[0];
token = au_to_subject32(auid, geteuid(), getegid(),
getuid(), getgid(), pid, pid, &atid);
} else
token = au_to_subject_ex(auid, geteuid(), getegid(),
getuid(), getgid(), pid, pid, &aia.ai_termid);
if (token == NULL) {
syslog(LOG_AUTH | LOG_ERR,
"audit: unable to build subject token");
(void) au_close(afd, AU_TO_NO_WRITE, au_event);
errno = EPERM;
return (-1);
}
if (au_write(afd, token) < 0) {
error = errno;
syslog(LOG_AUTH | LOG_ERR,
"audit: au_write failed: %s", strerror(errno));
(void) au_close(afd, AU_TO_NO_WRITE, au_event);
errno = error;
return (-1);
}
if (fmt != NULL) {
va_start(ap, fmt);
(void) vsnprintf(text, MAX_AUDITSTRING_LEN, fmt, ap);
va_end(ap);
token = au_to_text(text);
if (token == NULL) {
syslog(LOG_AUTH | LOG_ERR,
"audit: failed to generate text token");
(void) au_close(afd, AU_TO_NO_WRITE, au_event);
errno = EPERM;
return (-1);
}
if (au_write(afd, token) < 0) {
error = errno;
syslog(LOG_AUTH | LOG_ERR,
"audit: au_write failed: %s", strerror(errno));
(void) au_close(afd, AU_TO_NO_WRITE, au_event);
errno = error;
return (-1);
}
}
token = au_to_return32(au_errno_to_bsm(status), reterr);
if (token == NULL) {
syslog(LOG_AUTH | LOG_ERR,
"audit: unable to build return token");
(void) au_close(afd, AU_TO_NO_WRITE, au_event);
errno = EPERM;
return (-1);
}
if (au_write(afd, token) < 0) {
error = errno;
syslog(LOG_AUTH | LOG_ERR,
"audit: au_write failed: %s", strerror(errno));
(void) au_close(afd, AU_TO_NO_WRITE, au_event);
errno = error;
return (-1);
}
if (au_close(afd, AU_TO_WRITE, au_event) < 0) {
error = errno;
syslog(LOG_AUTH | LOG_ERR, "audit: record not committed");
errno = error;
return (-1);
}
return (0);
}
void
RightAuthenticationLogger::writeCommon()
{
writeSubject();
writeToken(au_to_text(mRight.c_str()), "right");
}
/*
* Check if the specified event is selected (enabled) for auditing.
* Returns 1 if the event is selected, 0 if not and -1 on failure.
*/
static int
selected(char *username, uid_t uid, au_event_t event, int sf)
{
int rc, sorf;
char naflags[512];
struct au_mask mask;
mask.am_success = mask.am_failure = 0;
#if __APPLE__
if (uid == (uid_t)-1) {
#else
if (uid < 0) {
#endif
/* get flags for non-attributable (to a real user) events */
rc = getacna(naflags, sizeof(naflags));
if (rc == 0)
(void) getauditflagsbin(naflags, &mask);
} else
rc = au_user_mask(username, &mask);
sorf = (sf == 0) ? AU_PRS_SUCCESS : AU_PRS_FAILURE;
return(au_preselect(event, &mask, sorf, AU_PRS_REREAD));
}
static void
bsm_audit_record(int typ, char *string, au_event_t event_no)
{
int ad, rc, sel;
uid_t uid = -1;
gid_t gid = -1;
pid_t pid = getpid();
AuditInfoTermID tid = ssh_bsm_tid;
if (the_authctxt == NULL) {
error("BSM audit: audit record internal error (NULL ctxt)");
abort();
}
if (the_authctxt->valid) {
uid = the_authctxt->pw->pw_uid;
gid = the_authctxt->pw->pw_gid;
}
rc = (typ == 0) ? 0 : -1;
sel = selected(the_authctxt->user, uid, event_no, rc);
debug3("BSM audit: typ %d rc %d \"%s\"", typ, rc, string);
if (!sel)
return; /* audit event does not match mask, do not write */
debug3("BSM audit: writing audit new record");
ad = au_open();
(void) au_write(ad, AUToSubjectFunc(uid, uid, gid, uid, gid,
pid, pid, &tid));
(void) au_write(ad, au_to_text(string));
(void) au_write(ad, AUToReturnFunc(typ, rc));
#ifdef BROKEN_BSM_API
/* The last argument is the event modifier flags. For
some seemingly undocumented reason it was added in
Solaris 11. */
rc = au_close(ad, AU_TO_WRITE, event_no, 0);
#else
rc = au_close(ad, AU_TO_WRITE, event_no);
#endif
if (rc < 0)
error("BSM audit: %s failed to write \"%s\" record: %s",
__func__, string, strerror(errno));
}
/*
* audit_audit:
* Cut and audit record if it is selected.
* Return 0, if successfully written.
* Return 0, if not written, and not expected to write.
* Return -1, if not written because of unexpected error.
*/
int
audit_audit(door_data_t *door_dp)
{
int ad;
if (can_audit() == 0) {
return (0);
}
if (door_dp->audit_na) {
if (!audit_na_selected(door_dp)) {
return (0);
}
} else if (!audit_selected(door_dp)) {
return (0);
}
if ((ad = au_open()) == -1) {
return (-1);
}
(void) au_write(ad, au_to_subject_ex(door_dp->audit_auid,
door_dp->audit_euid,
door_dp->audit_egid,
door_dp->audit_uid, door_dp->audit_gid, door_dp->audit_pid,
door_dp->audit_asid, &door_dp->audit_tid));
if (is_system_labeled())
(void) au_write(ad, au_to_mylabel());
if (door_dp->audit_policy & AUDIT_GROUP) {
int ng;
int maxgrp = getgroups(0, NULL);
gid_t *grplst = alloca(maxgrp * sizeof (gid_t));
if ((ng = getgroups(maxgrp, grplst))) {
(void) au_write(ad, au_to_newgroups(ng, grplst));
}
}
if (strlen(door_dp->audit_text) != 0) {
(void) au_write(ad, au_to_text(door_dp->audit_text));
}
if (strlen(door_dp->audit_text1) != 0) {
(void) au_write(ad, au_to_text(door_dp->audit_text1));
}
if (door_dp->audit_path != NULL) {
(void) au_write(ad, au_to_path(door_dp->audit_path));
}
#ifdef _LP64
(void) au_write(ad, au_to_return64((door_dp->audit_sorf == 0) ? 0 : -1,
(int64_t)door_dp->audit_sorf));
#else
(void) au_write(ad, au_to_return32((door_dp->audit_sorf == 0) ? 0 : -1,
(int32_t)door_dp->audit_sorf));
#endif
if (au_close(ad, 1, door_dp->audit_event) < 0) {
(void) au_close(ad, 0, 0);
return (-1);
}
return (0);
}
static void
generate_record(
char *locuser, /* username of local user */
int err, /* error status */
/* (=0 success, >0 error code) */
char *msg) /* error message */
{
int rd; /* audit record descriptor */
char buf[256]; /* temporary buffer */
uid_t uid;
gid_t gid;
uid_t ruid; /* real uid */
gid_t rgid; /* real gid */
pid_t pid;
struct passwd *pwd;
uid_t ceuid; /* current effective uid */
struct auditinfo_addr info;
if (cannot_audit(0)) {
return;
}
pwd = getpwnam(locuser);
if (pwd == NULL) {
uid = (uid_t)-1;
gid = (gid_t)-1;
} else {
uid = pwd->pw_uid;
gid = pwd->pw_gid;
}
ceuid = geteuid(); /* save current euid */
(void) seteuid(0); /* change to root so you can audit */
/* determine if we're preselected */
if (!selected(uid, locuser, AUE_ftpd, err)) {
(void) seteuid(ceuid);
return;
}
ruid = getuid(); /* get real uid */
rgid = getgid(); /* get real gid */
pid = getpid();
/* see if terminal id already set */
if (getaudit_addr(&info, sizeof (info)) < 0) {
perror("getaudit");
}
rd = au_open();
/* add subject token */
(void) au_write(rd, au_to_subject_ex(uid, uid, gid,
ruid, rgid, pid, pid, &info.ai_termid));
if (is_system_labeled())
(void) au_write(rd, au_to_mylabel());
/* add return token */
errno = 0;
if (err) {
/* add reason for failure */
if (err == UNKNOWN_USER)
(void) snprintf(buf, sizeof (buf),
"%s %s", msg, locuser);
else
(void) snprintf(buf, sizeof (buf), "%s", msg);
(void) au_write(rd, au_to_text(buf));
#ifdef _LP64
(void) au_write(rd, au_to_return64(-1, (int64_t)err));
#else
(void) au_write(rd, au_to_return32(-1, (int32_t)err));
#endif
} else {
#ifdef _LP64
(void) au_write(rd, au_to_return64(0, (int64_t)0));
#else
(void) au_write(rd, au_to_return32(0, (int32_t)0));
#endif
}
/* write audit record */
if (au_close(rd, 1, AUE_ftpd) < 0) {
(void) au_close(rd, 0, 0);
}
(void) seteuid(ceuid);
}
