summaryrefslogtreecommitdiffstats
path: root/libpam/pam_audit.c
diff options
context:
space:
mode:
Diffstat (limited to 'libpam/pam_audit.c')
-rw-r--r--libpam/pam_audit.c242
1 files changed, 242 insertions, 0 deletions
diff --git a/libpam/pam_audit.c b/libpam/pam_audit.c
new file mode 100644
index 0000000..97a9a92
--- /dev/null
+++ b/libpam/pam_audit.c
@@ -0,0 +1,242 @@
+/* pam_audit.c -- Instrumentation code for Linux Auditing System */
+
+/* (C) 2005-2006 Red Hat, Inc. -- Licensing details are in the COPYING
+ file accompanying the Linux-PAM source distribution.
+
+ Authors:
+ Steve Grubb <sgrubb@redhat.com> */
+
+#include "pam_private.h"
+#include "pam_modutil_private.h"
+
+#ifdef HAVE_LIBAUDIT
+#include <stdio.h>
+#include <syslog.h>
+#include <libaudit.h>
+#include <pwd.h>
+#include <netdb.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <arpa/inet.h>
+#include <errno.h>
+
+#define PAMAUDIT_LOGGED 1
+
+static int
+_pam_audit_writelog(pam_handle_t *pamh, int audit_fd, int type,
+ const char *message, const char *grantors, int retval)
+{
+ static int old_errno = -1;
+ int rc = -ENOMEM;
+ char *buf;
+ const char *grantors_field = " grantors=";
+
+ if (grantors == NULL) {
+ grantors = "";
+ grantors_field = "";
+ }
+
+ if (asprintf(&buf, "PAM:%s%s%s", message, grantors_field, grantors) >= 0) {
+ rc = audit_log_acct_message(audit_fd, type, NULL, buf,
+ (retval != PAM_USER_UNKNOWN && pamh->user) ? pamh->user : "?",
+ -1, pamh->rhost, NULL, pamh->tty, retval == PAM_SUCCESS);
+ free(buf);
+ }
+
+ /* libaudit sets errno to his own negative error code. This can be
+ an official errno number, but must not. It can also be a audit
+ internal error code. Which makes errno useless :-((. Try the
+ best to fix it. */
+ errno = -rc;
+
+ pamh->audit_state |= PAMAUDIT_LOGGED;
+
+ if (rc < 0) {
+ if (rc == -EPERM)
+ return 0;
+ if (errno != old_errno) {
+ old_errno = errno;
+ pam_syslog (pamh, LOG_CRIT, "audit_log_acct_message() failed: %m");
+ }
+ }
+ return rc;
+}
+
+static int
+_pam_audit_open(pam_handle_t *pamh)
+{
+ int audit_fd;
+ audit_fd = audit_open();
+ if (audit_fd < 0) {
+ /* You get these error codes only when the kernel doesn't have
+ * audit compiled in. */
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+ errno == EAFNOSUPPORT)
+ return -2;
+
+ /* this should only fail in case of extreme resource shortage,
+ * need to prevent login in that case for CAPP compliance.
+ */
+ pam_syslog(pamh, LOG_CRIT, "audit_open() failed: %m");
+ return -1;
+ }
+
+ return audit_fd;
+}
+
+static int
+_pam_list_grantors(struct handler *hlist, int retval, char **list)
+{
+ *list = NULL;
+
+ if (retval == PAM_SUCCESS) {
+ struct handler *h;
+ char *p = NULL;
+ size_t len = 0;
+
+ for (h = hlist; h != NULL; h = h->next) {
+ if (h->grantor) {
+ len += strlen(h->mod_name) + 1;
+ }
+ }
+
+ if (len == 0) {
+ return 0;
+ }
+
+ *list = malloc(len);
+ if (*list == NULL) {
+ return -1;
+ }
+
+ for (h = hlist; h != NULL; h = h->next) {
+ if (h->grantor) {
+ if (p == NULL) {
+ p = *list;
+ } else {
+ p = stpcpy(p, ",");
+ }
+
+ p = stpcpy(p, h->mod_name);
+ }
+ }
+ }
+
+ return 0;
+}
+
+int
+_pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags, struct handler *h)
+{
+ const char *message;
+ int type;
+ int audit_fd;
+ char *grantors;
+
+ if ((audit_fd=_pam_audit_open(pamh)) == -1) {
+ return PAM_SYSTEM_ERR;
+ } else if (audit_fd == -2) {
+ return retval;
+ }
+
+ switch (action) {
+ case PAM_AUTHENTICATE:
+ message = "authentication";
+ type = AUDIT_USER_AUTH;
+ break;
+ case PAM_OPEN_SESSION:
+ message = "session_open";
+ type = AUDIT_USER_START;
+ break;
+ case PAM_CLOSE_SESSION:
+ message = "session_close";
+ type = AUDIT_USER_END;
+ break;
+ case PAM_ACCOUNT:
+ message = "accounting";
+ type = AUDIT_USER_ACCT;
+ break;
+ case PAM_CHAUTHTOK:
+ message = "chauthtok";
+ type = AUDIT_USER_CHAUTHTOK;
+ break;
+ case PAM_SETCRED:
+ message = "setcred";
+ if (flags & PAM_ESTABLISH_CRED)
+ type = AUDIT_CRED_ACQ;
+ else if ((flags & PAM_REINITIALIZE_CRED) || (flags & PAM_REFRESH_CRED))
+ type = AUDIT_CRED_REFR;
+ else if (flags & PAM_DELETE_CRED)
+ type = AUDIT_CRED_DISP;
+ else
+ type = AUDIT_USER_ERR;
+ break;
+ case _PAM_ACTION_DONE:
+ message = "bad_ident";
+ type = AUDIT_USER_ERR;
+ break;
+ default:
+ message = "UNKNOWN";
+ type = AUDIT_USER_ERR;
+ pam_syslog(pamh, LOG_CRIT, "_pam_auditlog() should never get here");
+ retval = PAM_SYSTEM_ERR;
+ }
+
+ if (_pam_list_grantors(h, retval, &grantors) < 0) {
+ /* allocation failure */
+ pam_syslog(pamh, LOG_CRIT, "_pam_list_grantors() failed: %m");
+ retval = PAM_SYSTEM_ERR;
+ }
+
+ if (_pam_audit_writelog(pamh, audit_fd, type, message,
+ grantors ? grantors : "?", retval) < 0)
+ retval = PAM_SYSTEM_ERR;
+
+ free(grantors);
+
+ audit_close(audit_fd);
+ return retval;
+}
+
+int
+_pam_audit_end(pam_handle_t *pamh, int status UNUSED)
+{
+ if (! (pamh->audit_state & PAMAUDIT_LOGGED)) {
+ /* PAM library is being shut down without any of the auditted
+ * stacks having been run. Assume that this is sshd faking
+ * things for an unknown user.
+ */
+ _pam_auditlog(pamh, _PAM_ACTION_DONE, PAM_USER_UNKNOWN, 0, NULL);
+ }
+
+ return 0;
+}
+
+int
+pam_modutil_audit_write(pam_handle_t *pamh, int type,
+ const char *message, int retval)
+{
+ int audit_fd;
+ int rc;
+
+ if ((audit_fd=_pam_audit_open(pamh)) == -1) {
+ return PAM_SYSTEM_ERR;
+ } else if (audit_fd == -2) {
+ return retval;
+ }
+
+ rc = _pam_audit_writelog(pamh, audit_fd, type, message, NULL, retval);
+
+ audit_close(audit_fd);
+
+ return rc < 0 ? PAM_SYSTEM_ERR : PAM_SUCCESS;
+}
+
+#else
+int pam_modutil_audit_write(pam_handle_t *pamh UNUSED, int type UNUSED,
+ const char *message UNUSED, int retval UNUSED)
+{
+ return PAM_SUCCESS;
+}
+#endif /* HAVE_LIBAUDIT */