/*
 * Record the remote end of the incoming connection in the file-scope BSM
 * terminal id (ssh_bsm_tid) so that later audit records carry it.
 * A no-op when auditing is disabled.
 *
 * host: remote address in textual form.
 * port: remote TCP port.
 */
void
audit_connection_from(const char *host, int port)
{
	AuditInfoTermID *tid = &ssh_bsm_tid;
	char idbuf[1024];

	/* nothing to record when the audit subsystem is off */
	if (cannot_audit(0))
		return;

	debug3("BSM audit: connection from %.100s port %d", host, port);

	/* populate our terminal id structure */
#if defined(HAVE_GETAUDIT_ADDR)
	tid->at_port = (dev_t)port;
	/* aug_get_machine() takes a non-const host; its contract is outside this view */
	aug_get_machine((char *)host, &tid->at_addr[0], &tid->at_type);
	snprintf(idbuf, sizeof(idbuf), "%08x %08x %08x %08x",
	    tid->at_addr[0], tid->at_addr[1],
	    tid->at_addr[2], tid->at_addr[3]);
	debug3("BSM audit: iptype %d machine ID %s", (int)tid->at_type, idbuf);
#else
	/* this is used on IPv4-only machines */
	tid->port = (dev_t)port;
	tid->machine = inet_addr(host);
	snprintf(idbuf, sizeof(idbuf), "%08x", tid->machine);
	debug3("BSM audit: machine ID %s", idbuf);
#endif
}
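/*
 * Derive the audit terminal id from the peer and local addresses of the
 * connected socket fd.
 *
 * Returns 0 when auditing is off, 1 if either address lookup fails, and
 * otherwise the result of the do_ipv6_address()/do_ipv4_address() helper.
 */
int
audit_settid(int fd)
{
	struct sockaddr_in6 peer;
	struct sockaddr_in6 sock;
	/*
	 * getpeername()/getsockname() take a socklen_t *.  Passing an int
	 * through a pointer cast only works while the two types happen to
	 * share a width; use the real type so the in/out length is
	 * well-defined.
	 */
	socklen_t peerlen = sizeof (peer);
	socklen_t socklen = sizeof (sock);

	if (cannot_audit(0)) {
		return (0);
	}

	/* get peer name */
	if (getpeername(fd, (struct sockaddr *)&peer, &peerlen) < 0) {
		return (1);
	}

	/* get sock name */
	if (getsockname(fd, (struct sockaddr *)&sock, &socklen) < 0) {
		return (1);
	}

	/*
	 * The buffers are sockaddr_in6 sized, so an IPv4 peer can be
	 * reinterpreted as a sockaddr_in for the IPv4 helper.
	 */
	if (peer.sin6_family == AF_INET6)
		return (do_ipv6_address(&peer, &sock));

	return (do_ipv4_address((struct sockaddr_in *)&peer,
	    (struct sockaddr_in *)&sock));
}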
/*
 * Audit the removal of the crontab at path: unlink its ancillary audit
 * file and emit an AUE_crontab_delete record flagged with sorf.
 *
 * Returns 0 when auditing is off, -1 when the ancillary file name cannot
 * be built or the record cannot be written, otherwise the unlink() result.
 */
int
audit_crontab_delete(char *path, int sorf)
{
	char *anc_name;
	int unlink_rv;

	if (cannot_audit(0))
		return (0);

	/* remove the ancillary file carrying the crontab's audit info */
	anc_name = audit_cron_make_anc_name(path);
	if (anc_name == NULL) {
		unlink_rv = -1;
	} else {
		unlink_rv = unlink(anc_name);
		free(anc_name);
	}

	aug_init();
	(void) aug_save_me();

	aug_save_path(path);
	aug_save_event(AUE_crontab_delete);
	aug_save_sorf(sorf);

	/* a failed record write outranks the unlink result */
	if (aug_audit() != 0)
		return (-1);
	return (unlink_rv);
}
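/*
 * Emit an AUE_ftpd_logout audit record for the current process.  Nothing
 * is written when auditing is off, when the event is not preselected for
 * this process's audit mask, or when no record descriptor can be opened.
 * PRIV_PROC_AUDIT is raised for the duration and dropped on every exit
 * path that follows priv_set(PRIV_ON, ...).
 */
void
audit_ftpd_logout(void)
{
	int	rd;		/* audit record descriptor */
	uid_t	euid;
	gid_t	egid;
	uid_t	uid;
	gid_t	gid;
	pid_t	pid;
	/*
	 * Zero-initialised: the record below is still built from info when
	 * getaudit_addr() fails, and reading an uninitialised struct is
	 * undefined behaviour.
	 */
	struct auditinfo_addr info = {0};

	if (cannot_audit(0)) {
		return;
	}

	(void) priv_set(PRIV_ON, PRIV_EFFECTIVE, PRIV_PROC_AUDIT, NULL);

	/* see if terminal id already set; on failure info stays all-zero */
	if (getaudit_addr(&info, sizeof (info)) < 0) {
		perror("getaudit");
	}

	/* determine if we're preselected */
	if (au_preselect(AUE_ftpd_logout, &info.ai_mask, AU_PRS_SUCCESS,
	    AU_PRS_USECACHE) == 0) {
		(void) priv_set(PRIV_OFF, PRIV_EFFECTIVE, PRIV_PROC_AUDIT,
		    NULL);
		return;
	}

	euid = geteuid();
	egid = getegid();
	uid = getuid();
	gid = getgid();
	pid = getpid();

	rd = au_open();
	if (rd < 0) {
		/* no record descriptor: nothing can be written */
		(void) priv_set(PRIV_OFF, PRIV_EFFECTIVE, PRIV_PROC_AUDIT,
		    NULL);
		return;
	}

	/* add subject token */
	(void) au_write(rd, au_to_subject_ex(info.ai_auid, euid,
	    egid, uid, gid, pid, pid, &info.ai_termid));

	if (is_system_labeled())
		(void) au_write(rd, au_to_mylabel());

	/* add return token: a logout is always recorded as success */
	errno = 0;
#ifdef _LP64
	(void) au_write(rd, au_to_return64(0, (int64_t)0));
#else
	(void) au_write(rd, au_to_return32(0, (int32_t)0));
#endif

	/* write audit record; on failure discard it instead of leaking rd */
	if (au_close(rd, 1, AUE_ftpd_logout) < 0) {
		(void) au_close(rd, 0, 0);
	}
	(void) priv_set(PRIV_OFF, PRIV_EFFECTIVE, PRIV_PROC_AUDIT, NULL);
}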
/*
 * Audit a rejected anonymous login (NO_ANONYMOUS).  No local user name is
 * associated with the record.  No-op when auditing is off.
 */
void
audit_ftpd_no_anon(void)
{
	if (cannot_audit(0))
		return;

	generate_record("", NO_ANONYMOUS, dgettext(bsm_dom, "no anonymous"));
}
/*
 * Audit a miscellaneous login failure (MISC_FAILURE) for uname.  Unlike
 * the other audit_ftpd_* entry points, uname is passed straight through
 * rather than copied into luser.  No-op when auditing is off.
 */
void
audit_ftpd_failure(char *uname)
{
	if (cannot_audit(0))
		return;

	generate_record(uname, MISC_FAILURE, dgettext(bsm_dom, "misc failure"));
}
/*
 * Audit a login attempt for a user name that does not exist
 * (UNKNOWN_USER).  uname is copied into the file-scope luser buffer,
 * whose declaration is outside this view.  No-op when auditing is off.
 */
void
audit_ftpd_unknown(char	*uname)
{
	if (cannot_audit(0))
		return;

	/*
	 * NOTE(review): strncpy() does not NUL-terminate when uname is
	 * LOGNAME_MAX characters or longer; this relies on luser having a
	 * spare trailing byte that is never written — confirm at its definition.
	 */
	(void) strncpy(luser, uname, LOGNAME_MAX);
	generate_record(luser, UNKNOWN_USER, dgettext(bsm_dom, "unknown user"));
}
/*
 * Audit a failed password check (BAD_PASSWD) for uname.  uname is copied
 * into the file-scope luser buffer, whose declaration is outside this
 * view.  No-op when auditing is off.
 */
void
audit_ftpd_bad_pw(char *uname)
{
	if (cannot_audit(0))
		return;

	/*
	 * NOTE(review): strncpy() does not NUL-terminate when uname is
	 * LOGNAME_MAX characters or longer; this relies on luser having a
	 * spare trailing byte that is never written — confirm at its definition.
	 */
	(void) strncpy(luser, uname, LOGNAME_MAX);
	generate_record(luser, BAD_PASSWD, dgettext(bsm_dom, "bad password"));
}
/*
 * Audit a successful login for uname (error status 0, empty message).
 * uname is copied into the file-scope luser buffer, whose declaration is
 * outside this view.  No-op when auditing is off.
 */
void
audit_ftpd_success(char	*uname)
{
	if (cannot_audit(0))
		return;

	/*
	 * NOTE(review): strncpy() does not NUL-terminate when uname is
	 * LOGNAME_MAX characters or longer; this relies on luser having a
	 * spare trailing byte that is never written — confirm at its definition.
	 */
	(void) strncpy(luser, uname, LOGNAME_MAX);
	generate_record(luser, 0, "");
}
/*
 * Audit a login attempt by a user on the exclusion list (EXCLUDED_USER).
 * uname is copied into the file-scope luser buffer, whose declaration is
 * outside this view.  No-op when auditing is off.
 */
void
audit_ftpd_excluded(char *uname)
{
	if (cannot_audit(0))
		return;

	/*
	 * NOTE(review): strncpy() does not NUL-terminate when uname is
	 * LOGNAME_MAX characters or longer; this relies on luser having a
	 * spare trailing byte that is never written — confirm at its definition.
	 */
	(void) strncpy(luser, uname, LOGNAME_MAX);
	generate_record(luser, EXCLUDED_USER,
	    dgettext(bsm_dom, "excluded user"));
}
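/*
 * Build and submit one krb5kdc audit record through the aug_* helpers.
 * Subject fields come from the process's audit info and its real and
 * effective ids; the terminal id is packed from the remote IPv4 address
 * and the two ports.  Returns silently when auditing is off; reports to
 * stderr and returns if getaudit() fails.
 */
static void
common_audit(
	au_event_t event,		/* audit event */
	struct in_addr *r_addr,		/* remote ipv4 addr */
	in_port_t r_port,		/* remote port */
	in_port_t l_port,		/* local port */
	char *cname,			/* client principal name */
	char *sname,			/* requested service name */
	int sorf)			/* flag for success or failure */
{
	auditinfo_t ai;
	dev_t port = 0;
	uint32_t machine;
	char text_buf[512];

	dprintf(("common_audit() start\n"));

	/* if auditing turned off, then don't do anything */
	if (cannot_audit(0))
		return;

	(void) aug_save_namask();

	if (getaudit(&ai)) {
		perror("krb5kdc");
		return;
	}
	aug_save_auid(ai.ai_auid);	/* Audit ID */
	aug_save_uid(getuid());		/* User ID */
	aug_save_euid(geteuid());	/* Effective User ID */
	aug_save_gid(getgid());		/* Group ID */
	aug_save_egid(getegid());	/* Effective Group ID */
	aug_save_pid(getpid());		/* process ID */
	aug_save_asid(getpid());	/* session ID */

	aug_save_event(event);
	aug_save_sorf(sorf);

	/* AUD_NULL_STR() is a project macro for NULL names; defined outside this view */
	(void) snprintf(text_buf, sizeof (text_buf), "Client: %s",
			AUD_NULL_STR(cname));
	aug_save_text1(text_buf);
	(void) snprintf(text_buf, sizeof (text_buf), "Service: %s",
			AUD_NULL_STR(sname));
	aug_save_text2(text_buf);

	dprintf(("audit_krb5kdc: r_port=%d, l_port=%d\n", r_port, l_port));
	/*
	 * Remote port in the high half, local port in the low half.
	 * htons() yields a 16-bit value that promotes to int, so widen to
	 * uint32_t before shifting: left-shifting a signed int into the
	 * sign bit (any port >= 0x8000 after byte-swapping) is undefined
	 * behaviour.
	 */
	port = (dev_t)(((uint32_t)htons(r_port) << 16) |
	    (uint32_t)htons(l_port));

	/* a missing remote address is recorded as 0 */
	machine = r_addr ? (uint32_t)r_addr->s_addr : 0;

	aug_save_tid_ex(port, &machine, AU_IPv4);

	(void) aug_audit();
}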
/* ARGSUSED */
/*
 * Prepare the audit state for a system shutdown record: initialise the
 * aug_* context, set AUE_shutdown_solaris as the pending event and
 * capture the caller's identity.  argc and argv are accepted for
 * interface compatibility only.  Always returns 0.
 */
int
audit_shutdown_setup(int argc, char **argv)
{
	(void) argc;
	(void) argv;

	dprintf(("audit_shutdown_setup()\n"));

	if (cannot_audit(0))
		return (0);

	(void) aug_init();
	aug_save_event(AUE_shutdown_solaris);
	(void) aug_save_me();

	return (0);
}
/*
 * Decide whether ruid may act on the crontab of user.
 *
 * Returns 0 (allow) when auditing is off, when user resolves to an
 * account owned by ruid, or per audit_crontab_process_not_audited();
 * returns 1 (deny) when user cannot be resolved.
 */
int
audit_crontab_not_allowed(uid_t ruid, char *user) {
	struct passwd		pwd;
	char			buffer[PWD_BUFFER_SIZE];

	/* allow access if audit off */
	if (cannot_audit(0))
		return (0);

	/* deny access if the account is invalid */
	if (getpwnam_r(user, &pwd, buffer, PWD_BUFFER_SIZE) == NULL)
		return (1);

	/* editing his own crontab */
	if (ruid == pwd.pw_uid)
		return (0);

	return (audit_crontab_process_not_audited());
}
/*
 * One-time setup for inetd connection auditing: record AUE_inetd_connect
 * as the pending event and cache its audit class in the file-scope
 * eventclass.  Also sets the file-scope auditingisoff flag from
 * cannot_audit().
 *
 * Returns 0 on success and, deliberately, also when auditing is off;
 * returns 1 if the event entry cannot be looked up.
 */
int
audit_inetd_config(void)
{
	struct au_event_ent *ee;

	/*
	 * If auditing is turned off, then don't do anything.
	 * Especially don't return an error
	 */
	auditingisoff = cannot_audit(0);
	if (auditingisoff)
		return (0);

	aug_save_event(AUE_inetd_connect);

	/* cacheauevent() signals success with 1; anything else is a failure */
	if (cacheauevent(&ee, AUE_inetd_connect) != 1)
		return (1);

	eventclass = ee->ae_class;
	return (0);
}
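/*
 * Translate an sshd audit event into a BSM record.  A no-op when auditing
 * is off.  logged_in is static so that a later SSH_CONNECTION_CLOSE knows
 * whether an SSH_AUTH_SUCCESS was seen in this process.
 */
void
audit_event(ssh_audit_event_t event)
{
	char    textbuf[BSM_TEXTBUFSZ];
	static int logged_in = 0;
	/*
	 * the_authctxt may be NULL (a close before any authentication
	 * attempt, for instance), so every message below uses this guarded
	 * name instead of dereferencing the_authctxt directly.
	 */
	const char *user = the_authctxt ? the_authctxt->user : "******";

	if (cannot_audit(0))
		return;

	switch(event) {
	case SSH_AUTH_SUCCESS:
		logged_in = 1;
		bsm_audit_session_setup();
		snprintf(textbuf, sizeof(textbuf),
		    gettext("successful login %s"), user);
		bsm_audit_record(0, textbuf, AUE_openssh);
		break;

	case SSH_CONNECTION_CLOSE:
		/*
		 * We can also get a close event if the user attempted auth
		 * but never succeeded.
		 */
		if (logged_in) {
			snprintf(textbuf, sizeof(textbuf),
			    gettext("sshd logout %s"), user);
			bsm_audit_record(0, textbuf, AUE_logout);
		} else {
			debug("%s: connection closed without authentication",
			    __func__);
		}
		break;

	case SSH_NOLOGIN:
		bsm_audit_record(1,
		    gettext("logins disabled by /etc/nologin"), AUE_openssh);
		break;

	case SSH_LOGIN_EXCEED_MAXTRIES:
		snprintf(textbuf, sizeof(textbuf),
		    gettext("too many tries for user %s"), user);
		bsm_audit_record(1, textbuf, AUE_openssh);
		break;

	case SSH_LOGIN_ROOT_DENIED:
		bsm_audit_record(2, gettext("not_console"), AUE_openssh);
		break;

	case SSH_AUTH_FAIL_PASSWD:
		bsm_audit_bad_login("password");
		break;

	case SSH_AUTH_FAIL_KBDINT:
		bsm_audit_bad_login("interactive password entry");
		break;

	default:
		/* unknown events are logged, not audited */
		debug("%s: unhandled event %d", __func__, event);
	}
}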
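/*
 * Build and write one AUE_ftpd audit record for locuser.  err == 0 records
 * success; a non-zero err records a failure, with msg (plus the user name
 * for UNKNOWN_USER) in a text token and err as the return value.  The
 * effective uid is switched to root while the record is written and
 * restored on every exit path after the switch.  Nothing is written when
 * auditing is off, when the event is not preselected for this user, or
 * when no record descriptor can be opened.
 */
static void
generate_record(
		char	*locuser,	/* username of local user */
		int	err,		/* error status */
					/* (=0 success, >0 error code) */
		char	*msg)		/* error message */
{
	int	rd;		/* audit record descriptor */
	char	buf[256];	/* temporary buffer */
	uid_t	uid;
	gid_t	gid;
	uid_t	ruid;		/* real uid */
	gid_t	rgid;		/* real gid */
	pid_t	pid;
	struct passwd *pwd;
	uid_t	ceuid;		/* current effective uid */
	/*
	 * Zero-initialised: the subject token below is built from info even
	 * when getaudit_addr() fails, and reading an uninitialised struct
	 * is undefined behaviour.
	 */
	struct auditinfo_addr info = {0};

	if (cannot_audit(0)) {
		return;
	}

	/* an unresolvable name is recorded with uid/gid -1 */
	pwd = getpwnam(locuser);
	if (pwd == NULL) {
		uid = (uid_t)-1;
		gid = (gid_t)-1;
	} else {
		uid = pwd->pw_uid;
		gid = pwd->pw_gid;
	}

	ceuid = geteuid();	/* save current euid */
	(void) seteuid(0);	/* change to root so you can audit */

	/* determine if we're preselected */
	if (!selected(uid, locuser, AUE_ftpd, err)) {
		(void) seteuid(ceuid);
		return;
	}

	ruid = getuid();	/* get real uid */
	rgid = getgid();	/* get real gid */

	pid = getpid();

	/* see if terminal id already set; on failure info stays all-zero */
	if (getaudit_addr(&info, sizeof (info)) < 0) {
		perror("getaudit");
	}

	rd = au_open();
	if (rd < 0) {
		/* no record descriptor: nothing can be written */
		(void) seteuid(ceuid);
		return;
	}

	/* add subject token */
	(void) au_write(rd, au_to_subject_ex(uid, uid, gid,
	    ruid, rgid, pid, pid, &info.ai_termid));

	if (is_system_labeled())
		(void) au_write(rd, au_to_mylabel());

	/* add return token */
	errno = 0;
	if (err) {
		/* add reason for failure; the unknown-user case names the user */
		if (err == UNKNOWN_USER)
			(void) snprintf(buf, sizeof (buf),
			    "%s %s", msg, locuser);
		else
			(void) snprintf(buf, sizeof (buf), "%s", msg);
		(void) au_write(rd, au_to_text(buf));
#ifdef _LP64
		(void) au_write(rd, au_to_return64(-1, (int64_t)err));
#else
		(void) au_write(rd, au_to_return32(-1, (int32_t)err));
#endif
	} else {
#ifdef _LP64
		(void) au_write(rd, au_to_return64(0, (int64_t)0));
#else
		(void) au_write(rd, au_to_return32(0, (int32_t)0));
#endif
	}

	/* write audit record; on failure discard it instead of leaking rd */
	if (au_close(rd, 1, AUE_ftpd) < 0) {
		(void) au_close(rd, 0, 0);
	}
	(void) seteuid(ceuid);
}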
/*
 * Audit the creation or modification of the crontab at path, using
 * tmp_path as the candidate new contents.  The diff between the two is
 * saved as record text, the ancillary audit file is created or removed
 * according to whether this process is audited, and an AUE_crontab_create
 * or AUE_crontab_mod record flagged with sorf is written.
 *
 * Returns 0 when auditing is off or there are no differences, -1 when
 * the process's audit info cannot be read or the record cannot be
 * written, otherwise the result of the last step that set r (see the
 * notes on r below).
 */
int
audit_crontab_modify(char *path, char *tmp_path, int sorf)
{
	int r, create = 0;
	char *diffs = NULL;

	if (cannot_audit(0)) {
		return (0);
	} else {
		au_event_t event;
		char *anc_name;
		auditinfo_addr_t ai;

		/* any non-zero return is treated as failure */
		if (getaudit_addr(&ai, sizeof (ai))) {
			return (-1);
		}

		r = audit_crontab_get_diffs(path, tmp_path, &diffs);

		if (r == AUDIT_GET_DIFFS_NO_DIFFS) {
			return (0);
		}
		/*
		 * NOTE(review): on AUDIT_GET_DIFFS_ERR a non-NULL diffs is
		 * neither saved nor freed here; whether the helper hands back
		 * a buffer on error is not visible from this file — confirm.
		 */
		if (diffs != NULL && r != AUDIT_GET_DIFFS_ERR) {
			aug_save_text(diffs);
			free(diffs);
		}

		/* no existing crontab: this is a create, record empty text */
		if (r == AUDIT_GET_DIFFS_NO_CRONTAB) {
			create = 1;
			if (diffs == NULL)
				aug_save_text("");
		}

		/*
		 * create an ancilary file if audit characteristics exist
		 * else delete an ancilary if if one exists
		 */

		/*
		 * r is overwritten here only in the first and third branches;
		 * in the unlink branch it keeps the value from
		 * audit_crontab_get_diffs().
		 */
		anc_name = audit_cron_make_anc_name(path);
		if (anc_name == NULL)
			r = -1;
		else if (audit_crontab_process_not_audited()) {
			(void) unlink(anc_name);
			free(anc_name);
		} else {
			r = audit_cron_setinfo(anc_name, &ai);
			free(anc_name);
		}
		/* subject fields come from the process's own audit info */
		aug_init();
		aug_save_auid(ai.ai_auid);
		aug_save_euid(geteuid());
		aug_save_egid(getegid());
		aug_save_uid(getuid());
		aug_save_gid(getgid());
		aug_save_pid(getpid());
		aug_save_asid(ai.ai_asid);
		aug_save_tid_ex(ai.ai_termid.at_port, ai.ai_termid.at_addr,
			ai.ai_termid.at_type);


		aug_save_path(path);
		event = (create) ? AUE_crontab_create : AUE_crontab_mod;
		aug_save_event(event);
		aug_save_sorf(sorf);

		/* a failed record write outranks any earlier result in r */
		if (aug_audit() != 0)
			return (-1);
		return (r);
	}
}