/*
 * Record the peer's address and port in the BSM terminal id that later
 * audit records for this connection carry.  Nothing is done when auditing
 * is disabled.
 *
 * host: textual peer address   port: peer TCP port
 */
void
audit_connection_from(const char *host, int port)
{
	AuditInfoTermID *term = &ssh_bsm_tid;
	char idbuf[1024];

	if (cannot_audit(0))
		return;

	debug3("BSM audit: connection from %.100s port %d", host, port);

	/* populate our terminal id structure */
#if defined(HAVE_GETAUDIT_ADDR)
	term->at_port = (dev_t)port;
	/* aug_get_machine() takes a non-const host; the cast only drops const */
	aug_get_machine((char *)host, &(term->at_addr[0]), &(term->at_type));
	snprintf(idbuf, sizeof(idbuf), "%08x %08x %08x %08x",
	    term->at_addr[0], term->at_addr[1],
	    term->at_addr[2], term->at_addr[3]);
	debug3("BSM audit: iptype %d machine ID %s", (int)term->at_type, idbuf);
#else
	/* this is used on IPv4-only machines */
	term->port = (dev_t)port;
	/*
	 * NOTE(review): inet_addr() yields INADDR_NONE for an unparseable
	 * host and that value is recorded unchanged — confirm intended.
	 */
	term->machine = inet_addr(host);
	snprintf(idbuf, sizeof(idbuf), "%08x", term->machine);
	debug3("BSM audit: machine ID %s", idbuf);
#endif
}
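/*
 * Fill in the audit terminal id from the local and remote addresses of the
 * connected socket fd.
 *
 * Returns 0 when auditing is off, 1 when either socket address could not be
 * obtained; otherwise the result of do_ipv6_address() / do_ipv4_address(),
 * chosen by the peer's address family, is passed through.
 */
int
audit_settid(int fd)
{
	struct sockaddr_in6 peer;
	struct sockaddr_in6 sock;
	/* socklen_t, not int: getpeername()/getsockname() write through these */
	socklen_t peerlen = sizeof (peer);
	socklen_t socklen = sizeof (sock);

	if (cannot_audit(0)) {
		return (0);
	}

	/* get peer name */
	if (getpeername(fd, (struct sockaddr *)&peer, &peerlen) < 0) {
		return (1);
	}

	/* get sock name */
	if (getsockname(fd, (struct sockaddr *)&sock, &socklen) < 0) {
		return (1);
	}

	/*
	 * A sockaddr_in6 is large enough for either family; the family
	 * field decides which helper interprets the buffers.
	 */
	if (peer.sin6_family == AF_INET6) {
		return (do_ipv6_address(&peer, &sock));
	}
	return (do_ipv4_address((struct sockaddr_in *)&peer,
	    (struct sockaddr_in *)&sock));
}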
/*
 * Audit the removal of the crontab at path and delete its ancillary audit
 * file.  sorf is the success/failure flag recorded with the event.
 *
 * Returns 0 when auditing is off, -1 when the ancillary name could not be
 * built or the audit record could not be written, otherwise the result of
 * unlink()ing the ancillary file.
 */
int
audit_crontab_delete(char *path, int sorf)
{
	char *anc_path;
	int rc;

	if (cannot_audit(0)) {
		return (0);
	}

	/* remove the ancillary file that carried the audit characteristics */
	anc_path = audit_cron_make_anc_name(path);
	if (anc_path == NULL) {
		rc = -1;
	} else {
		rc = unlink(anc_path);
		free(anc_path);
	}

	aug_init();
	(void) aug_save_me();
	aug_save_path(path);
	aug_save_event(AUE_crontab_delete);
	aug_save_sorf(sorf);

	return (aug_audit() != 0 ? -1 : rc);
}
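/*
 * Write an AUE_ftpd_logout record for the calling process.
 *
 * The record carries a subject token (audit id, ids, pid and terminal id
 * taken from the process's audit state), the mandatory label on a labeled
 * system and a success return token.  PRIV_PROC_AUDIT is raised for the
 * duration and dropped again on every exit path.  Nothing is written when
 * auditing is off, the audit state cannot be read, the event is not
 * preselected, or no record descriptor can be opened.
 */
void
audit_ftpd_logout(void)
{
	int rd;				/* audit record descriptor */
	uid_t euid;
	gid_t egid;
	uid_t uid;
	gid_t gid;
	pid_t pid;
	struct auditinfo_addr info;

	if (cannot_audit(0)) {
		return;
	}

	(void) priv_set(PRIV_ON, PRIV_EFFECTIVE, PRIV_PROC_AUDIT, NULL);

	/*
	 * The preselection mask and terminal id come from the process's
	 * audit state; without them the record would carry uninitialized
	 * data, so give up rather than write garbage.
	 */
	if (getaudit_addr(&info, sizeof (info)) < 0) {
		perror("getaudit");
		goto out;
	}

	/* determine if we're preselected */
	if (au_preselect(AUE_ftpd_logout, &info.ai_mask, AU_PRS_SUCCESS,
	    AU_PRS_USECACHE) == 0) {
		goto out;
	}

	euid = geteuid();
	egid = getegid();
	uid = getuid();
	gid = getgid();
	pid = getpid();

	rd = au_open();
	if (rd < 0) {
		perror("au_open");
		goto out;
	}

	/* add subject token */
	(void) au_write(rd, au_to_subject_ex(info.ai_auid, euid, egid, uid, gid,
	    pid, pid, &info.ai_termid));

	if (is_system_labeled())
		(void) au_write(rd, au_to_mylabel());

	/* add return token */
	errno = 0;
#ifdef _LP64
	(void) au_write(rd, au_to_return64(0, (int64_t)0));
#else
	(void) au_write(rd, au_to_return32(0, (int32_t)0));
#endif

	/* write audit record; on failure discard it rather than leak rd */
	if (au_close(rd, 1, AUE_ftpd_logout) < 0) {
		(void) au_close(rd, 0, 0);
	}

out:
	(void) priv_set(PRIV_OFF, PRIV_EFFECTIVE, PRIV_PROC_AUDIT, NULL);
}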
/*
 * Audit a refused anonymous ftp login.  The record is built by
 * generate_record() with an empty local user name.  No-op when auditing
 * is off.
 */
void
audit_ftpd_no_anon(void)
{
	if (!cannot_audit(0)) {
		generate_record("", NO_ANONYMOUS,
		    dgettext(bsm_dom, "no anonymous"));
	}
}
/*
 * Audit a miscellaneous ftp login failure for uname.  uname is passed to
 * generate_record() as given.  No-op when auditing is off.
 */
void
audit_ftpd_failure(char *uname)
{
	if (!cannot_audit(0)) {
		generate_record(uname, MISC_FAILURE,
		    dgettext(bsm_dom, "misc failure"));
	}
}
/*
 * Audit a login attempt for a user name that does not exist.  uname is
 * first copied into the luser buffer declared outside this function.
 * No-op when auditing is off.
 */
void
audit_ftpd_unknown(char *uname)
{
	if (cannot_audit(0)) {
		return;
	}
	/*
	 * NOTE(review): strncpy() leaves no terminator when uname is
	 * LOGNAME_MAX bytes or longer; this relies on luser being sized
	 * LOGNAME_MAX+1 with a terminator that is never overwritten —
	 * confirm against its declaration.
	 */
	(void) strncpy(luser, uname, LOGNAME_MAX);
	generate_record(luser, UNKNOWN_USER,
	    dgettext(bsm_dom, "unknown user"));
}
/*
 * Audit a failed password for uname.  uname is first copied into the
 * luser buffer declared outside this function.  No-op when auditing is
 * off.
 */
void
audit_ftpd_bad_pw(char *uname)
{
	if (!cannot_audit(0)) {
		/*
		 * NOTE(review): strncpy() leaves no terminator when uname is
		 * LOGNAME_MAX bytes or longer; relies on luser being sized
		 * LOGNAME_MAX+1 with a terminator that is never overwritten —
		 * confirm against its declaration.
		 */
		(void) strncpy(luser, uname, LOGNAME_MAX);
		generate_record(luser, BAD_PASSWD,
		    dgettext(bsm_dom, "bad password"));
	}
}
/*
 * Audit a successful ftp login for uname (error status 0, empty message).
 * uname is first copied into the luser buffer declared outside this
 * function.  No-op when auditing is off.
 */
void
audit_ftpd_success(char *uname)
{
	if (cannot_audit(0)) {
		return;
	}
	/*
	 * NOTE(review): strncpy() leaves no terminator when uname is
	 * LOGNAME_MAX bytes or longer; relies on luser being sized
	 * LOGNAME_MAX+1 with a terminator that is never overwritten —
	 * confirm against its declaration.
	 */
	(void) strncpy(luser, uname, LOGNAME_MAX);
	generate_record(luser, 0, "");
}
/*
 * Audit a login attempt by a user excluded from ftp.  uname is first
 * copied into the luser buffer declared outside this function.  No-op
 * when auditing is off.
 */
void
audit_ftpd_excluded(char *uname)
{
	if (!cannot_audit(0)) {
		/*
		 * NOTE(review): strncpy() leaves no terminator when uname is
		 * LOGNAME_MAX bytes or longer; relies on luser being sized
		 * LOGNAME_MAX+1 with a terminator that is never overwritten —
		 * confirm against its declaration.
		 */
		(void) strncpy(luser, uname, LOGNAME_MAX);
		generate_record(luser, EXCLUDED_USER,
		    dgettext(bsm_dom, "excluded user"));
	}
}
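/*
 * Build and emit one KDC audit record.
 *
 * event:  audit event to record
 * r_addr: remote IPv4 address, or NULL (recorded as 0)
 * r_port: remote port
 * l_port: local port
 * cname:  client principal name, may be NULL (see AUD_NULL_STR)
 * sname:  requested service name, may be NULL (see AUD_NULL_STR)
 * sorf:   success / failure flag for the record
 *
 * Returns silently when auditing is off or the process's audit state
 * cannot be read.  The terminal id packs both ports (network byte order,
 * remote in the high half) into one 32-bit value next to the remote
 * address.
 */
static void
common_audit(
	au_event_t event,		/* audit event */
	struct in_addr *r_addr,		/* remote ipv4 addr */
	in_port_t r_port,		/* remote port */
	in_port_t l_port,		/* local port */
	char *cname,			/* client principal name */
	char *sname,			/* requested service name */
	int sorf)			/* flag for success or failure */
{
	auditinfo_t ai;
	dev_t port = 0;
	uint32_t machine;
	char text_buf[512];

	dprintf(("common_audit() start\n"));

	/* if auditing turned off, then don't do anything */
	if (cannot_audit(0))
		return;

	(void) aug_save_namask();
	if (getaudit(&ai)) {
		perror("krb5kdc");
		return;
	}
	aug_save_auid(ai.ai_auid);	/* Audit ID */
	aug_save_uid(getuid());		/* User ID */
	aug_save_euid(geteuid());	/* Effective User ID */
	aug_save_gid(getgid());		/* Group ID */
	aug_save_egid(getegid());	/* Effective Group ID */
	aug_save_pid(getpid());		/* process ID */
	aug_save_asid(getpid());	/* session ID */

	aug_save_event(event);
	aug_save_sorf(sorf);

	(void) snprintf(text_buf, sizeof (text_buf), "Client: %s",
	    AUD_NULL_STR(cname));
	aug_save_text1(text_buf);
	(void) snprintf(text_buf, sizeof (text_buf), "Service: %s",
	    AUD_NULL_STR(sname));
	aug_save_text2(text_buf);

	dprintf(("audit_krb5kdc: r_port=%d, l_port=%d\n", r_port, l_port));
	/*
	 * htons() yields a value promoted to int; shifting it left by 16
	 * can set bit 31, which is signed overflow.  Widen to uint32_t
	 * before the shift.
	 */
	port = ((uint32_t)htons(r_port) << 16) | (uint32_t)htons(l_port);
	machine = r_addr ? (uint32_t)r_addr->s_addr : 0;
	aug_save_tid_ex(port, &machine, AU_IPv4);

	(void) aug_audit();
}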
/*
 * Prepare the AUE_shutdown_solaris record for the calling process:
 * reset the aug state, set the event and capture the subject.
 * argc and argv are unused.  Always returns 0, also when auditing is off.
 */
/* ARGSUSED */
int
audit_shutdown_setup(int argc, char **argv)
{
	dprintf(("audit_shutdown_setup()\n"));

	if (!cannot_audit(0)) {
		(void) aug_init();
		aug_save_event(AUE_shutdown_solaris);
		(void) aug_save_me();
	}
	return (0);
}
/*
 * Decide whether the real uid ruid may edit the crontab of user.
 *
 * Returns 0 (allow) when auditing is off or user is ruid's own account,
 * 1 (deny) when user cannot be looked up, and otherwise whatever
 * audit_crontab_process_not_audited() returns.
 */
int
audit_crontab_not_allowed(uid_t ruid, char *user)
{
	struct passwd pwd;
	char pwbuf[PWD_BUFFER_SIZE];

	/* allow access if audit off */
	if (cannot_audit(0))
		return (0);

	/* deny access if invalid */
	if (getpwnam_r(user, &pwd, pwbuf, PWD_BUFFER_SIZE) == NULL)
		return (1);

	/* editing his own crontab */
	if (ruid == pwd.pw_uid)
		return (0);

	return (audit_crontab_process_not_audited());
}
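/*
 * Prepare auditing of inetd connections: record AUE_inetd_connect as the
 * pending event and store its audit class in eventclass.  The flag
 * auditingisoff (both declared outside this function) is refreshed from
 * cannot_audit().
 *
 * Returns 0 on success or when auditing is off (deliberately not an
 * error), 1 when the event's class could not be looked up.
 */
int
audit_inetd_config(void)
{
	struct au_event_ent *ee;

	/*
	 * If auditing is turned off, then don't do anything.
	 * Especially don't return an error.
	 */
	auditingisoff = cannot_audit(0);
	if (auditingisoff) {
		return (0);
	}

	aug_save_event(AUE_inetd_connect);

	/* only a return of 1 means the event entry is available */
	if (cacheauevent(&ee, AUE_inetd_connect) != 1)
		return (1);

	eventclass = ee->ae_class;
	return (0);
}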
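/*
 * Emit a BSM record for one sshd audit event.
 *
 * The user name is taken from the_authctxt when it is set, else a
 * placeholder.  A logout is recorded only for a connection that completed
 * authentication (tracked in the static logged_in); a close before that is
 * just logged.  Unknown events are logged at debug level and ignored.
 * No-op when auditing is off.
 */
void
audit_event(ssh_audit_event_t event)
{
	char textbuf[BSM_TEXTBUFSZ];
	static int logged_in = 0;
	/* the_authctxt is not guaranteed to be set; every use goes via user */
	const char *user = the_authctxt ? the_authctxt->user : "******";

	if (cannot_audit(0))
		return;

	switch(event) {
	case SSH_AUTH_SUCCESS:
		logged_in = 1;
		bsm_audit_session_setup();
		snprintf(textbuf, sizeof(textbuf),
		    gettext("successful login %s"), user);
		bsm_audit_record(0, textbuf, AUE_openssh);
		break;

	case SSH_CONNECTION_CLOSE:
		/*
		 * We can also get a close event if the user attempted auth
		 * but never succeeded.
		 */
		if (logged_in) {
			snprintf(textbuf, sizeof(textbuf),
			    gettext("sshd logout %s"), user);
			bsm_audit_record(0, textbuf, AUE_logout);
		} else {
			debug("%s: connection closed without authentication",
			    __func__);
		}
		break;

	case SSH_NOLOGIN:
		bsm_audit_record(1,
		    gettext("logins disabled by /etc/nologin"),
		    AUE_openssh);
		break;

	case SSH_LOGIN_EXCEED_MAXTRIES:
		/* use the NULL-guarded name, not the_authctxt->user directly */
		snprintf(textbuf, sizeof(textbuf),
		    gettext("too many tries for user %s"), user);
		bsm_audit_record(1, textbuf, AUE_openssh);
		break;

	case SSH_LOGIN_ROOT_DENIED:
		bsm_audit_record(2, gettext("not_console"), AUE_openssh);
		break;

	case SSH_AUTH_FAIL_PASSWD:
		bsm_audit_bad_login("password");
		break;

	case SSH_AUTH_FAIL_KBDINT:
		bsm_audit_bad_login("interactive password entry");
		break;

	default:
		debug("%s: unhandled event %d", __func__, event);
	}
}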
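/*
 * Write the AUE_ftpd return token for record rd: status -1 carrying err
 * when err is non-zero, else status 0 with value 0.
 */
static void
ftpd_audit_return_token(int rd, int err)
{
#ifdef _LP64
	(void) au_write(rd, au_to_return64(err ? -1 : 0, (int64_t)err));
#else
	(void) au_write(rd, au_to_return32(err ? -1 : 0, (int32_t)err));
#endif
}

/*
 * Build and write one AUE_ftpd audit record.
 *
 * locuser: local user name; looked up with getpwnam(), uid/gid -1 if
 *          unknown
 * err:     0 for success, else the error code recorded in the return token
 * msg:     text recorded with a failure (suffixed with locuser for
 *          UNKNOWN_USER)
 *
 * The effective uid is switched to 0 for the audit calls and restored on
 * every exit path.  Nothing is written when auditing is off, the event is
 * not preselected, the audit state cannot be read, or no record
 * descriptor can be opened.
 */
static void
generate_record(
	char *locuser,			/* username of local user */
	int err,			/* error status */
					/* (=0 success, >0 error code) */
	char *msg)			/* error message */
{
	int rd;				/* audit record descriptor */
	char buf[256];			/* temporary buffer */
	uid_t uid;
	gid_t gid;
	uid_t ruid;			/* real uid */
	gid_t rgid;			/* real gid */
	pid_t pid;
	struct passwd *pwd;
	uid_t ceuid;			/* current effective uid */
	struct auditinfo_addr info;

	if (cannot_audit(0)) {
		return;
	}

	/* an unknown user is recorded with uid/gid -1 */
	pwd = getpwnam(locuser);
	if (pwd == NULL) {
		uid = (uid_t)-1;
		gid = (gid_t)-1;
	} else {
		uid = pwd->pw_uid;
		gid = pwd->pw_gid;
	}

	ceuid = geteuid();		/* save current euid */
	(void) seteuid(0);		/* change to root so you can audit */

	/* determine if we're preselected */
	if (!selected(uid, locuser, AUE_ftpd, err)) {
		goto out;
	}

	ruid = getuid();		/* get real uid */
	rgid = getgid();		/* get real gid */
	pid = getpid();

	/*
	 * The terminal id comes from the process's audit state; without it
	 * the subject token would carry uninitialized data, so bail out.
	 */
	if (getaudit_addr(&info, sizeof (info)) < 0) {
		perror("getaudit");
		goto out;
	}

	rd = au_open();
	if (rd < 0) {
		perror("au_open");
		goto out;
	}

	/* add subject token */
	(void) au_write(rd, au_to_subject_ex(uid, uid, gid, ruid, rgid, pid, pid,
	    &info.ai_termid));

	if (is_system_labeled())
		(void) au_write(rd, au_to_mylabel());

	/* add reason for failure, then the return token */
	errno = 0;
	if (err) {
		if (err == UNKNOWN_USER)
			(void) snprintf(buf, sizeof (buf), "%s %s", msg, locuser);
		else
			(void) snprintf(buf, sizeof (buf), "%s", msg);
		(void) au_write(rd, au_to_text(buf));
	}
	ftpd_audit_return_token(rd, err);

	/* write audit record; on failure discard it rather than leak rd */
	if (au_close(rd, 1, AUE_ftpd) < 0) {
		(void) au_close(rd, 0, 0);
	}

out:
	(void) seteuid(ceuid);
}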
/*
 * Audit the creation or modification of the crontab at path, whose new
 * contents are in tmp_path; sorf is the success/failure flag.  The diff
 * between old and new contents becomes the record's text, the crontab's
 * ancillary file is created or removed, and the record is emitted.
 *
 * Returns 0 when auditing is off or the crontab is unchanged, -1 when the
 * audit state cannot be read, the ancillary name cannot be built or the
 * record cannot be written; otherwise the status left by the diff or
 * audit_cron_setinfo() step.
 */
int
audit_crontab_modify(char *path, char *tmp_path, int sorf)
{
	auditinfo_addr_t ai;
	char *anc_path;
	char *diffs = NULL;
	int is_create = 0;
	int rc;

	if (cannot_audit(0)) {
		return (0);
	}

	if (getaudit_addr(&ai, sizeof (ai))) {
		return (-1);
	}

	rc = audit_crontab_get_diffs(path, tmp_path, &diffs);
	if (rc == AUDIT_GET_DIFFS_NO_DIFFS) {
		return (0);
	}

	/*
	 * NOTE(review): diffs is freed here although aug_audit() only runs
	 * at the end of the function, and aug_init() is called after this
	 * aug_save_text(); this relies on aug_save_text() copying the string
	 * and aug_init() not resetting it — confirm.  The freed pointer
	 * value is also still compared against NULL just below.
	 */
	if (diffs != NULL && rc != AUDIT_GET_DIFFS_ERR) {
		aug_save_text(diffs);
		free(diffs);
	}

	if (rc == AUDIT_GET_DIFFS_NO_CRONTAB) {
		is_create = 1;
		if (diffs == NULL)
			aug_save_text("");
	}

	/*
	 * create an ancillary file if audit characteristics exist,
	 * else delete the ancillary file if one exists
	 */
	anc_path = audit_cron_make_anc_name(path);
	if (anc_path == NULL) {
		rc = -1;
	} else {
		if (audit_crontab_process_not_audited())
			(void) unlink(anc_path);
		else
			rc = audit_cron_setinfo(anc_path, &ai);
		free(anc_path);
	}

	aug_init();
	aug_save_auid(ai.ai_auid);
	aug_save_euid(geteuid());
	aug_save_egid(getegid());
	aug_save_uid(getuid());
	aug_save_gid(getgid());
	aug_save_pid(getpid());
	aug_save_asid(ai.ai_asid);
	aug_save_tid_ex(ai.ai_termid.at_port, ai.ai_termid.at_addr,
	    ai.ai_termid.at_type);
	aug_save_path(path);
	aug_save_event(is_create ? AUE_crontab_create : AUE_crontab_mod);
	aug_save_sorf(sorf);

	return (aug_audit() != 0 ? -1 : rc);
}