From 269a1ea1c80a855d1eb74fccba6dd5c75947c5d2 Mon Sep 17 00:00:00 2001
From: Darren Tucker <dtucker@zip.com.au>
Date: Thu, 3 Feb 2005 00:20:53 +1100
Subject:  - (dtucker) [Makefile.in auth.c auth.h auth1.c auth2.c loginrec.c
 monitor.c    monitor.h monitor_wrap.c monitor_wrap.h session.c sshd.c] Bug
 #125:    (first stage) Add audit instrumentation to sshd, currently disabled
 by    default.  with suggestions from and djm@

---
 auth.c | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

(limited to 'auth.c')

diff --git a/auth.c b/auth.c
index b6c00c12..bbf3a54a 100644
--- a/auth.c
+++ b/auth.c
@@ -51,6 +51,7 @@ RCSID("$OpenBSD: auth.c,v 1.57 2005/01/22 08:17:59 dtucker Exp $");
 #include "bufaux.h"
 #include "packet.h"
 #include "loginrec.h"
+#include "monitor_wrap.h"
 
 /* import */
 extern ServerOptions options;
@@ -251,6 +252,44 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
 		record_failed_login(authctxt->user,
 		    get_canonical_hostname(options.use_dns), "ssh");
 #endif
+#ifdef AUDIT_EVENTS
+	if (authenticated == 0 && !authctxt->postponed) {
+		ssh_audit_event_t event;
+
+		debug3("audit failed auth attempt, method %s euid %d",
+		    method, (int)geteuid());
+		/*
+		 * Because the auth loop is used in both monitor and slave,
+		 * we must be careful to send each event only once and with
+		 * enough privs to write the event.
+		 */
+		event = audit_classify_auth(method);
+		switch(event) {
+		case AUTH_FAIL_NONE:
+		case AUTH_FAIL_PASSWD:
+		case AUTH_FAIL_KBDINT:
+			if (geteuid() == 0)
+				audit_event(event);
+			break;
+		case AUTH_FAIL_PUBKEY:
+		case AUTH_FAIL_HOSTBASED:
+		case AUTH_FAIL_GSSAPI:
+			/*
+			 * This is required to handle the case where privsep
+			 * is enabled but it's root logging in, since
+			 * use_privsep won't be cleared until after a
+			 * successful login.
+			 */
+			if (geteuid() == 0)
+				audit_event(event);
+			else
+				PRIVSEP(audit_event(event));
+			break;
+		default:
+			error("unknown authentication audit event %d", event);
+		}
+	}
+#endif
 }
 
 /*
@@ -476,6 +515,9 @@ getpwnamallow(const char *user)
 		record_failed_login(user,
 		    get_canonical_hostname(options.use_dns), "ssh");
 #endif
+#ifdef AUDIT_EVENTS
+		audit_event(INVALID_USER);
+#endif /* AUDIT_EVENTS */
 		return (NULL);
 	}
 	if (!allowed_user(pw))
-- 
cgit v1.2.3