diff options
| author | Zhanna Tsitkov <tsitkova@mit.edu> | 2013-07-20 15:47:42 -0400 |
|---|---|---|
| committer | Ben Kaduk <kaduk@mit.edu> | 2013-10-04 20:25:49 -0400 |
| commit | 1003f0173f266a6428ccf2c89976f0029d3ee831 (patch) | |
| tree | a845ce60636aca59e80f4db95e4b6ec82788081c | |
| parent | b6d5e3af806bb60c37a831a72eff3e7e99bea6e9 (diff) | |
| download | krb5-1003f0173f266a6428ccf2c89976f0029d3ee831.tar.gz krb5-1003f0173f266a6428ccf2c89976f0029d3ee831.tar.xz krb5-1003f0173f266a6428ccf2c89976f0029d3ee831.zip | |
KDC Audit infrastructure and plugin implementation
Per project http://k5wiki.kerberos.org/wiki/Projects/Audit
The purpose of this project is to create an Audit infrastructure to monitor
security related events on the KDC.
The following events are targeted in the initial version:
- startup and shutdown of the KDC;
- AS_REQ and TGS_REQ exchanges. This includes client address and port, KDC
request and request ID, KDC reply, primary and derived ticket and their
ticket IDs, second ticket ID, cross-realm referral, was ticket renewed and
validated, local policy violation and protocol constraints, and KDC status
message.
Ticket ID is introduced to allow to link tickets to their initial TGT at any
stage of the Kerberos exchange. For the purpose of this project it is a private
to KDC ticket ID: each successfully created ticket is hashed and recorded
into audit log. The administrators can correlate the primary and derived
ticket IDs after the fact.
Request ID is a randomly generated alpha-numeric string. Using this ID an
administrator can easily correlate multiple audit events related to a single
request. It should be informative both in cases when the request is sent to
multiple KDCs, or to the same KDC multiple times.
For the purpose of testing and demo of the Audit, the JSON based modules are
implemented: "test" and "simple" audit modules respectively.
The file plugins/audit/j_dict.h is a dictionary used in this implememtations.
The new Audit system is build-time enabled and run-time pluggable.
[kaduk@mit.edu: remove potential KDC crashes, minor reordering]
ticket: 7712
target_version: 1.12
29 files changed, 2770 insertions, 7 deletions
diff --git a/src/Makefile.in b/src/Makefile.in index 11f167a6c..a8bc990a1 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -9,6 +9,9 @@ mydir=. # plugins/authdata/greet SUBDIRS=util include lib \ @sam2_plugin@ \ + plugins/audit \ + plugins/audit/test \ + @audit_plugin@ \ plugins/kadm5_hook/test \ plugins/hostrealm/test \ plugins/localauth/test \ diff --git a/src/configure.in b/src/configure.in index 81c684d16..a4bf31aa8 100644 --- a/src/configure.in +++ b/src/configure.in @@ -135,6 +135,30 @@ if test "$withval" = yes; then AC_DEFINE(KRBCONF_VAGUE_ERRORS,1,[Define if the KDC should return only vague error codes to clients]) fi +# Check which (if any) audit plugin to build +audit_plugin="" +AC_ARG_ENABLE([audit-plugin], +AC_HELP_STRING([--enable-audit-plugin=IMPL], + [use audit plugin @<:@ do not use audit @:>@]), , enableval=no) +if test "$enableval" != no; then + case "$enableval" in + simple) + # if audit_log_user_message is found, we assume + # that audit_open and audit_close are also defined. + AC_CHECK_LIB(audit, audit_log_user_message, + [AUDIT_IMPL_LIBS=-laudit + K5_GEN_MAKEFILE(plugins/audit/simple) + audit_plugin=plugins/audit/simple ], + AC_MSG_ERROR([libaudit not found or undefined symbol audit_log_user_message])) + ;; + *) + AC_MSG_ERROR([Unknown audit plugin implementation $enableval.]) + ;; + esac +fi +AC_SUBST(AUDIT_IMPL_LIBS) +AC_SUBST(audit_plugin) + # WITH_CRYPTO_IMPL CRYPTO_IMPL="builtin" @@ -1362,6 +1386,8 @@ dnl ccapi ccapi/lib ccapi/lib/unix ccapi/server ccapi/server/unix ccapi/test plugins/localauth/test plugins/kadm5_hook/test plugins/pwqual/test + plugins/audit + plugins/audit/test plugins/kdb/db2 plugins/kdb/db2/libdb2 plugins/kdb/db2/libdb2/hash diff --git a/src/include/k5-int.h b/src/include/k5-int.h index 2eda47cf3..623f09e65 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h @@ -1077,7 +1077,8 @@ struct plugin_interface { #define PLUGIN_INTERFACE_CCSELECT 4 #define PLUGIN_INTERFACE_LOCALAUTH 5 #define PLUGIN_INTERFACE_HOSTREALM 6 -#define PLUGIN_NUM_INTERFACES 7 +#define PLUGIN_INTERFACE_AUDIT 7 +#define PLUGIN_NUM_INTERFACES 8 /* Retrieve the plugin module of type interface_id and name modname, * storing the result into module. */ diff --git a/src/include/krb5/audit_plugin.h b/src/include/krb5/audit_plugin.h new file mode 100644 index 000000000..b6e90649a --- /dev/null +++ b/src/include/krb5/audit_plugin.h @@ -0,0 +1,270 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* include/krb5/audit_plugin.h - Audit plugin interface */ +/* + * Copyright (C) 2013 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ +/* + * NOTE: This is a private interface and may change incompatibly + * between versions. + */ +/* + * Declarations for KDC audit plugin module implementers. Audit modules allow + * the KDC to produce log output or audit records in any desired form. + * + * The audit interface has a single supported major version, which is 1. Major + * version 1 has a current minor version of 1. Audit modules should define a + * function named audit_<modulename>_initvt, matching the signature: + * + * krb5_error_code + * audit_modname_initvt(krb5_context context, int maj_ver, int min_ver, + * krb5_plugin_vtable vtable); + * + * The initvt function should: + * + * - Check that the supplied maj_ver number is supported by the module, or + * return KRB5_PLUGIN_VER_NOTSUPP if it is not. + * + * - Cast the vtable pointer as appropriate for the interface and maj_ver: + * maj_ver == 1: Cast to krb5_audit_vtable + * + * - Initialize the methods of the vtable, stopping as appropriate for the + * supplied min_ver. Optional methods may be left uninitialized. + * + * Memory for the vtable is allocated by the caller, not by the module. + */ + +#ifndef KRB5_AU_PLUGIN_H_INCLUDED +#define KRB5_AU_PLUGIN_H_INCLUDED +#include <krb5/krb5.h> + +/** KDC processing steps */ +#define AUTHN_REQ_CL 1 /**< Authenticate request and client */ +#define SRVC_PRINC 2 /**< Determine service principal */ +#define VALIDATE_POL 3 /**< Validate local and protocol policies */ +#define ISSUE_TKT 4 /**< Issue ticket */ +#define ENCR_REP 5 /**< Encrypt reply */ + +/** Types of violations */ +#define PROT_CONSTRAINT 1 /**< Protocol constraint */ +#define LOCAL_POLICY 2 /**< Local policy violation */ + +#define REQID_LEN 32 /* Size of the alpha-numeric request ID */ + +/** KDC audit state structure and declarations */ +typedef struct _krb5_audit_state { + krb5_kdc_req *request; + krb5_kdc_rep *reply; + krb5_address *cl_addr; /**< client address */ + krb5_ui_4 cl_port; /**< client port */ + int stage; /**< step in KDC processing */ + const char *status; /**< KDC status message */ + char *tkt_in_id; /**< primary (TGT) ticket ID */ + char *tkt_out_id; /**< derived (service or referral TGT) ticket ID */ + /** for s4u2proxy - evidence ticket ID; for u2u - second ticket ID */ + char *evid_tkt_id; + char req_id[REQID_LEN]; /**< request ID */ + krb5_data *cl_realm; /**< referrals: remote client's realm */ + krb5_principal s4u2self_user; /**< impersonated user */ + int violation; /**< local or protocol policy problem */ +} krb5_audit_state; + +/** An abstract type for audit module data. */ +typedef struct krb5_audit_moddata_st *krb5_audit_moddata; + +/* + * Mandatory: + * - krb5_audit_open_fn, + * Open connection to the audit system and initialize audit module data. If + * the underlying (OS or third party) audit facility fails to open, no + * auditable KDC events should be recorded. + */ +typedef krb5_error_code +(*krb5_audit_open_fn)(krb5_audit_moddata *auctx); + +/* + * Mandatory: + * - krb5_audit_close_fn. + * Close connection to the underlying audit system. + */ +typedef krb5_error_code +(*krb5_audit_close_fn)(krb5_audit_moddata auctx); + +/** + * Log KDC-start event. + * + * @param [in] auctx Audit context + * @param [in] ev_success Success/failure of the event being audited + * + * @note Optional. + * + * @retval 0 Success; otherwise - Kerberos error codes + */ +typedef krb5_error_code +(*krb5_audit_kdc_start_fn)(krb5_audit_moddata auctx, krb5_boolean ev_success); + +/** + * Log KDC-stop event. + * + * @param [in] auctx Audit context + * @param [in] ev_success Success/failure of the event being audited + * + * @note Optional. + * + * @retval 0 Success; otherwise - Kerberos error codes + */ +typedef krb5_error_code +(*krb5_audit_kdc_stop_fn)(krb5_audit_moddata auctx, krb5_boolean ev_success); + +/** + * Log AS exchange event. + * + * @param [in] auctx Audit context + * @param [in] ev_success Success/failure of the event being audited + * @param [in] state AS-request related auditable information + * + * The @a state provides the following data: + * - Full information about KDC request, assigned request ID, client address + * and port, and stage of the AS exchange + * - If available, the information about the encryption types of the short- and + * long-term keys, non-local client's referral realm, KDC status, the TGT + * and its ticket ID + * + * @note Optional. + * + * @retval 0 Success; otherwise - Kerberos error codes + */ +typedef krb5_error_code +(*krb5_audit_as_req_fn)(krb5_audit_moddata auctx, + krb5_boolean ev_success, krb5_audit_state *state); + +/** + * Log TGS exchange event. + * + * @param [in] auctx Audit context + * @param [in] ev_success Success/failure of the event being audited + * @param [in] state TGS-request related auditable information + * + * The @a state provides the following data: + * - Full information about KDC request, assigned request ID, primary ticket + * ID, client address and port, and stage of the TGS exchange + * - If available, the information about the encryption types of the short- and + * long-term keys, KDC status, KDC reply, and the output ticket ID + * + * @note Optional. + * + * @retval 0 Success; otherwise - Kerberos error codes + */ +typedef krb5_error_code +(*krb5_audit_tgs_req_fn)(krb5_audit_moddata auctx, + krb5_boolean ev_success, krb5_audit_state *state); + +/** + * Log S4U2SELF event. + * + * @param [in] auctx Audit context + * @param [in] ev_success Report on success or failure + * @param [in] state s4u2self related auditable information + * + * The @a state provides the following data: + * - Full information about KDC request, assigned request ID, client address + * and port, and stage of the TGS exchange + * - Requesting server's TGT ID, impersonated user principal name, and service + * "to self" ticket or referral TGT ID + * - If available, KDC status, local policy violation or S4U protocol + * constraints + * + * @note Optional. + * + * @retval 0 Success; otherwise - Kerberos error codes + */ +typedef krb5_error_code +(*krb5_audit_s4u2self_fn)(krb5_audit_moddata auctx, + krb5_boolean ev_success, krb5_audit_state *state); + +/** + * Log S4U2PROXY event. + * + * @param [in] auctx Audit context + * @param [in] ev_success Report on success or failure + * @param [in] state s4u2proxy related auditable information + * + * The @a state provides the following data: + * - Full information about request, assigned request ID, client address and + * port, and stage of the TGS exchange + * - Requesting server's TGT ID, delegated user principal name, and evidence + * ticket ID + * - If available, KDC status, local policy violation or S4U protocol + * constraints + * + * @note Optional. + * + * @retval 0 Success; otherwise - Kerberos error codes + */ +typedef krb5_error_code +(*krb5_audit_s4u2proxy_fn)(krb5_audit_moddata auctx, + krb5_boolean ev_success, krb5_audit_state *state); + +/** + * Log U2U event. + * + * @param [in] auctx Audit context + * @param [in] ev_success Report on success or failure + * @param [in] state user-to-user related auditable information + * + * The @a state provides the following data: + * - Full information about request, assigned request ID, client address and + * port, and stage of the TGS exchange, + * - Requestor's TGT ID, service ticket ID, and client's principal name in the + * second ticket + * - If available, KDC status + * + * @note Optional. + * + * @retval 0 Success; otherwise - Kerberos error codes + */ +typedef krb5_error_code +(*krb5_audit_u2u_fn)(krb5_audit_moddata auctx, + krb5_boolean ev_success, krb5_audit_state *state); + +/* vtable declaration */ +typedef struct krb5_audit_vtable_st { + /* Mandatory: name of module. */ + char *name; + krb5_audit_open_fn open; + krb5_audit_close_fn close; + krb5_audit_kdc_start_fn kdc_start; + krb5_audit_kdc_stop_fn kdc_stop; + krb5_audit_as_req_fn as_req; + krb5_audit_tgs_req_fn tgs_req; + krb5_audit_s4u2self_fn tgs_s4u2self; + krb5_audit_s4u2proxy_fn tgs_s4u2proxy; + krb5_audit_u2u_fn tgs_u2u; +} *krb5_audit_vtable; + +#endif /* KRB5_AU_PLUGIN_H_INCLUDED */ diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in index 1b3b19b2c..1591e9ab0 100644 --- a/src/kdc/Makefile.in +++ b/src/kdc/Makefile.in @@ -22,6 +22,7 @@ SRCS= \ $(srcdir)/extern.c \ $(srcdir)/replay.c \ $(srcdir)/kdc_authdata.c \ + $(srcdir)/kdc_audit.c \ $(srcdir)/kdc_transit.c \ $(srcdir)/tgs_policy.c @@ -40,6 +41,7 @@ OBJS= \ extern.o \ replay.o \ kdc_authdata.o \ + kdc_audit.o \ kdc_transit.o \ tgs_policy.o diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c index 036840739..268d4f452 100644 --- a/src/kdc/do_as_req.c +++ b/src/kdc/do_as_req.c @@ -2,8 +2,8 @@ /* kdc/do_as_req.c */ /* * Portions Copyright (C) 2007 Apple Inc. - * Copyright 1990,1991,2007,2008,2009 by the Massachusetts Institute of Technology. - * All Rights Reserved. + * Copyright 1990, 1991, 2007, 2008, 2009, 2013 by the Massachusetts Institute + * of Technology. All Rights Reserved. * * Export of this software from the United States of America may * require a specific license from the United States Government. @@ -68,6 +68,7 @@ #endif /* HAVE_NETINET_IN_H */ #include "kdc_util.h" +#include "kdc_audit.h" #include "policy.h" #include <kadm5/admin.h> #include "adm_proto.h" @@ -121,6 +122,7 @@ struct as_req_state { krb5_error_code preauth_err; kdc_realm_t *active_realm; + krb5_audit_state *au_state; }; static void @@ -137,6 +139,7 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) loop_respond_fn oldrespond; void *oldarg; kdc_realm_t *kdc_active_realm = state->active_realm; + krb5_audit_state *au_state = state->au_state; assert(state); oldrespond = state->respond; @@ -145,6 +148,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) if (errcode) goto egress; + au_state->stage = ENCR_REP; + if ((errcode = validate_forwardable(state->request, *state->client, *state->server, state->kdc_time, &state->status))) { @@ -277,6 +282,14 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) state->status = "ENCRYPTING_TICKET"; goto egress; } + + errcode = kau_make_tkt_id(kdc_context, &state->ticket_reply, + &au_state->tkt_out_id); + if (errcode) { + state->status = "GENERATE_TICKET_ID"; + goto egress; + } + state->ticket_reply.enc_part.kvno = server_key->key_data_kvno; errcode = kdc_fast_response_handle_padata(state->rstate, state->request, @@ -332,6 +345,13 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) egress: if (errcode != 0) assert (state->status != 0); + + au_state->status = state->status; + au_state->reply = &state->reply; + kau_as_req(kdc_context, + (errcode || state->preauth_err) ? FALSE : TRUE, au_state); + kau_free_kdc_req(au_state); + free_padata_context(kdc_context, state->pa_context); if (as_encrypting_key) krb5_free_keyblock(kdc_context, as_encrypting_key); @@ -456,6 +476,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, krb5_data encoded_req_body; krb5_enctype useenctype; struct as_req_state *state; + krb5_audit_state *au_state = NULL; state = k5alloc(sizeof(*state), &errcode); if (state == NULL) { @@ -472,13 +493,29 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, errcode = kdc_make_rstate(kdc_active_realm, &state->rstate); if (errcode != 0) { (*respond)(arg, errcode, NULL); + free(state); return; } + + /* Initialize audit state. */ + errcode = kau_init_kdc_req(kdc_context, state->request, from, &au_state); + if (errcode) { + (*respond)(arg, errcode, NULL); + kdc_free_rstate(state->rstate); + free(state); + return; + } + state->au_state = au_state; + if (state->request->msg_type != KRB5_AS_REQ) { state->status = "msg_type mismatch"; errcode = KRB5_BADMSGTYPE; goto errout; } + + /* Seed the audit trail with the request ID and basic information. */ + kau_as_req(kdc_context, TRUE, au_state); + if (fetch_asn1_field((unsigned char *) req_pkt->data, 1, 4, &encoded_req_body) != 0) { errcode = ASN1_BAD_ID; @@ -500,6 +537,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, goto errout; } } + au_state->request = state->request; state->rock.request = state->request; state->rock.inner_body = state->inner_body; state->rock.rstate = state->rstate; @@ -559,10 +597,13 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, if (!is_local_principal(kdc_active_realm, state->client->princ)) { /* Entry is a referral to another realm */ state->status = "REFERRAL"; + au_state->cl_realm = &state->client->princ->realm; errcode = KRB5KDC_ERR_WRONG_REALM; goto errout; } + au_state->stage = SRVC_PRINC; + if (!state->request->server) { state->status = "NULL_SERVER"; errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; @@ -593,6 +634,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, goto errout; } + au_state->stage = VALIDATE_POL; + if ((errcode = krb5_timeofday(kdc_context, &state->kdc_time))) { state->status = "TIMEOFDAY"; goto errout; @@ -609,6 +652,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, goto errout; } + au_state->stage = ISSUE_TKT; + /* * Select the keytype for the ticket session key. */ diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index dada37530..c12de2b3e 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -1,8 +1,8 @@ /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* kdc/do_tgs_req.c - KDC Routines to deal with TGS_REQ's */ /* - * Copyright 1990,1991,2001,2007,2008,2009 by the Massachusetts Institute of Technology. - * All Rights Reserved. + * Copyright 1990, 1991, 2001, 2007, 2008, 2009, 2013 by the Massachusetts + * Institute of Technology. All Rights Reserved. * * Export of this software from the United States of America may * require a specific license from the United States Government. @@ -63,6 +63,7 @@ #endif #include "kdc_util.h" +#include "kdc_audit.h" #include "policy.h" #include "extern.h" #include "adm_proto.h" @@ -135,6 +136,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, krb5_data scratch; krb5_pa_data **e_data = NULL; kdc_realm_t *kdc_active_realm = NULL; + krb5_audit_state *au_state = NULL; memset(&reply, 0, sizeof(reply)); memset(&reply_encpart, 0, sizeof(reply_encpart)); @@ -163,6 +165,16 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, krb5_free_kdc_req(handle->kdc_err_context, request); return errcode; } + + /* Initialize audit state. */ + errcode = kau_init_kdc_req(kdc_context, request, from, &au_state); + if (errcode) { + krb5_free_kdc_req(handle->kdc_err_context, request); + return errcode; + } + /* Seed the audit trail with the request ID and basic information. */ + kau_tgs_req(kdc_context, TRUE, au_state); + errcode = kdc_process_tgs_req(kdc_active_realm, request, from, pkt, &header_ticket, &krbtgt, &tgskey, &subkey, &pa_tgs_req); @@ -179,6 +191,13 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, status="UNEXPECTED NULL in header_ticket"; goto cleanup; } + errcode = kau_make_tkt_id(kdc_context, header_ticket, + &au_state->tkt_in_id); + if (errcode) { + status = "GENERATE_TICKET_ID"; + goto cleanup; + } + scratch.length = pa_tgs_req->length; scratch.data = (char *) pa_tgs_req->contents; errcode = kdc_find_fast(&request, &scratch, subkey, @@ -188,6 +207,9 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, goto cleanup; } + /* Ignore (for now) the request modification due to FAST processing. */ + au_state->request = request; + /* * Pointer to the encrypted part of the header ticket, which may be * replaced to point to the encrypted part of the evidence ticket @@ -202,6 +224,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, * decrypted with the session key. */ + au_state->stage = SRVC_PRINC; + /* XXX make sure server here has the proper realm...taken from AP_REQ header? */ @@ -222,6 +246,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, is_referral = is_cross_tgs_principal(server->princ) && !krb5_principal_compare(kdc_context, request->server, server->princ); + au_state->stage = VALIDATE_POL; + if ((errcode = krb5_timeofday(kdc_context, &kdc_time))) { status = "TIME_OF_DAY"; goto cleanup; @@ -232,6 +258,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, kdc_time, &status, &e_data))) { if (!status) status = "UNKNOWN_REASON"; + if (retval == KDC_ERR_POLICY || retval == KDC_ERR_BADOPTION) + au_state->violation = PROT_CONSTRAINT; errcode = retval + ERROR_TABLE_BASE_krb5; goto cleanup; } @@ -250,6 +278,16 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, &s4u_x509_user, &client, &status); + if (s4u_x509_user != NULL || errcode != 0) { + if (s4u_x509_user != NULL) + au_state->s4u2self_user = s4u_x509_user->user_id.user; + if (errcode == KDC_ERR_POLICY || errcode == KDC_ERR_BADOPTION) + au_state->violation = PROT_CONSTRAINT; + au_state->status = status; + kau_s4u2self(kdc_context, errcode ? FALSE : TRUE, au_state); + au_state->s4u2self_user = NULL; + } + if (errcode) goto cleanup; if (s4u_x509_user != NULL) { @@ -263,6 +301,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, } } + /* Deal with user-to-user and constrained delegation */ errcode = decrypt_2ndtkt(kdc_active_realm, request, c_flags, &stkt_server, &status); if (errcode) @@ -277,6 +316,19 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, header_ticket->enc_part2->client, request->server, &status); + if (errcode == KDC_ERR_POLICY || errcode == KDC_ERR_BADOPTION) + au_state->violation = PROT_CONSTRAINT; + else if (errcode) + au_state->violation = LOCAL_POLICY; + au_state->status = status; + retval = kau_make_tkt_id(kdc_context, request->second_ticket[st_idx], + &au_state->evid_tkt_id); + if (retval) { + status = "GENERATE_TICKET_ID"; + errcode = retval; + goto cleanup; + } + kau_s4u2proxy(kdc_context, errcode ? FALSE : TRUE, au_state); if (errcode) goto cleanup; @@ -293,6 +345,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, } else assert(stkt_server == NULL); + au_state->stage = ISSUE_TKT; + errcode = gen_session_key(kdc_active_realm, request, server, &session_key, &status); if (errcode) @@ -621,6 +675,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, !isflagset(enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED)) { errcode = KRB5KDC_ERR_POLICY; status = "BAD_TRANSIT"; + au_state->violation = LOCAL_POLICY; goto cleanup; } @@ -643,11 +698,14 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, altcprinc = client2; errcode = KRB5KDC_ERR_SERVER_NOMATCH; status = "2ND_TKT_MISMATCH"; + au_state->status = status; + kau_u2u(kdc_context, FALSE, au_state); goto cleanup; } ticket_kvno = 0; ticket_reply.enc_part.enctype = t2enc->session->enctype; + kau_u2u(kdc_context, TRUE, au_state); st_idx++; } else { ticket_kvno = server_key->key_data_kvno; @@ -663,6 +721,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, } ticket_reply.enc_part.kvno = ticket_kvno; /* Start assembling the response */ + au_state->stage = ENCR_REP; reply.msg_type = KRB5_TGS_REP; if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) && krb5int_find_pa_data(kdc_context, request->padata, @@ -675,8 +734,11 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, &reply_encpart); if (errcode) { status = "KDC_RETURN_S4U2SELF_PADATA"; - goto cleanup; + au_state->status = status; } + kau_s4u2self(kdc_context, errcode ? FALSE : TRUE, au_state); + if (errcode) + goto cleanup; } reply.client = enc_tkt_reply.client; @@ -730,6 +792,12 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, goto cleanup; } + errcode = kau_make_tkt_id(kdc_context, &ticket_reply, &au_state->tkt_out_id); + if (errcode) { + status = "GENERATE_TICKET_ID"; + goto cleanup; + } + if (kdc_fast_hide_client(state)) reply.client = (krb5_principal)krb5_anonymous_principal(); errcode = krb5_encode_kdc_rep(kdc_context, KRB5_TGS_REP, &reply_encpart, @@ -757,6 +825,13 @@ cleanup: krb5_free_keyblock(kdc_context, reply_key); if (errcode) emsg = krb5_get_error_message (kdc_context, errcode); + + au_state->status = status; + if (!errcode) + au_state->reply = &reply; + kau_tgs_req(kdc_context, errcode ? FALSE : TRUE, au_state); + kau_free_kdc_req(au_state); + log_tgs_req(kdc_context, from, request, &reply, cprinc, sprinc, altcprinc, authtime, c_flags, status, errcode, emsg); diff --git a/src/kdc/kdc_audit.c b/src/kdc/kdc_audit.c new file mode 100644 index 000000000..c9a7f9f9d --- /dev/null +++ b/src/kdc/kdc_audit.c @@ -0,0 +1,331 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* kdc_audit.c - Interface for KDC audit plugins. */ +/* + * Copyright (C) 2013 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "k5-int.h" +#include "kdc_util.h" +#include "kdc_audit.h" +/* for krb5_klog_syslog */ +#include <syslog.h> +#include "adm_proto.h" + +struct audit_module_handle_st { + struct krb5_audit_vtable_st vt; + krb5_audit_moddata auctx; +}; +typedef struct audit_module_handle_st *audit_module_handle; + +static audit_module_handle *handles = NULL; + +static void +free_handles(audit_module_handle *list) +{ + audit_module_handle *hp, hdl; + + if (list == NULL) + return; + + for (hp = list; *hp != NULL; hp++) { + hdl = *hp; + if (hdl->vt.close != NULL) + hdl->vt.close(hdl->auctx); + free(hdl); + } + free(list); +} + +/* + * Load all available audit plugin modules and prepare for logging. The list of + * modules is stored as an array in handles. Use unload_audit_modules() to free + * resources allocated by this function. + */ +krb5_error_code +load_audit_modules(krb5_context context) +{ + krb5_error_code ret = 0; + krb5_plugin_initvt_fn *modules = NULL, *mod; + struct krb5_audit_vtable_st vtable; + audit_module_handle *list = NULL, hdl = NULL; + krb5_audit_moddata auctx; + int count = 0; + + if (context == NULL || handles != NULL) + return EINVAL; + + /* Get audit plugin vtable. */ + ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_AUDIT, &modules); + if (ret) + return ret; + + /* Allocate handle, initialize vtable. */ + for (count = 0; modules[count] != NULL; count++); + list = k5calloc(count + 1, sizeof(*list), &ret); + if (list == NULL) + goto cleanup; + count = 0; + for (mod = modules; *mod != NULL; mod++) { + hdl = k5alloc(sizeof(*hdl), &ret); + if (hdl == NULL) + goto cleanup; + ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&hdl->vt); + if (ret) { + free(hdl); + hdl = NULL; + continue; + } + + vtable = hdl->vt; + if (vtable.open != NULL) { + ret = vtable.open(&auctx); + if (ret) { + krb5_klog_syslog(LOG_ERR, + _("audit plugin %s failed to open. error=%i"), + vtable.name, ret); + goto cleanup; + } + hdl->auctx = auctx; + } + list[count++] = hdl; + list[count] = NULL; + hdl = NULL; + } + list[count] = NULL; + handles = list; + list = NULL; + ret = 0; + +cleanup: + free(hdl); + k5_plugin_free_modules(context, modules); + free_handles(list); + return ret; +} + +/* Free resources allocated by load_audit_modules() function. */ +void +unload_audit_modules(krb5_context context) +{ + free_handles(handles); +} + +/* + * Write the output ticket ID into newly-allocated buffer. + * Returns 0 on success. + */ +krb5_error_code +kau_make_tkt_id(krb5_context context, + const krb5_ticket *ticket, char **out) +{ + krb5_error_code ret = 0; + char *hash = NULL, *ptr; + krb5_checksum cksum; + unsigned int i; + + *out = NULL; + + if (ticket == NULL) + return EINVAL; + + ret = krb5_c_make_checksum(context, CKSUMTYPE_RSA_MD5, NULL, 0, + &ticket->enc_part.ciphertext, &cksum); + if (ret) + return ret; + + hash = k5alloc(cksum.length * 2 + 1, &ret); + if (hash != NULL) { + for (i = 0, ptr = hash; i < cksum.length; i++, ptr += 2) + snprintf(ptr, 3, "%02X", cksum.contents[i]); + *ptr = '\0'; + *out = hash; + } + krb5_free_checksum_contents(context, &cksum); + + return 0; +} + +/* + * Create and initialize krb5_audit_state structure. + * Returns 0 on success. + */ +krb5_error_code +kau_init_kdc_req(krb5_context context, + krb5_kdc_req *request, const krb5_fulladdr *from, + krb5_audit_state **state_out) +{ + krb5_error_code ret = 0; + krb5_audit_state *state = NULL; + + state = k5calloc(1, sizeof(*state), &ret); + if (state == NULL) + return ret; + + state->request = request; + state->cl_addr = from->address; + state->cl_port = from->port; + state->stage = AUTHN_REQ_CL; + ret = krb5int_random_string(context, state->req_id, + sizeof(state->req_id)); + if (ret) { + free(state); + return ret; + } + *state_out = state; + + return 0; +} + +/* Free resources allocated by kau_init_kdc_req() and kau_make_tkt_id() + * routines. */ +void +kau_free_kdc_req(krb5_audit_state *state) +{ + free(state->tkt_in_id); + free(state->tkt_out_id); + free(state->evid_tkt_id); + free(state); +} + +/* Call the KDC start/stop audit plugin entry points. */ + +void +kau_kdc_stop(krb5_context context, const krb5_boolean ev_success) +{ + audit_module_handle *hp, hdl; + + if (handles == NULL) + return; + + for (hp = handles; *hp != NULL; hp++) { + hdl = *hp; + if (hdl->vt.kdc_stop != NULL) + hdl->vt.kdc_stop(hdl->auctx, ev_success); + } +} + +void +kau_kdc_start(krb5_context context, const krb5_boolean ev_success) +{ + audit_module_handle *hp, hdl; + + if (handles == NULL) + return; + + for (hp = handles; *hp != NULL; hp++) { + hdl = *hp; + if (hdl->vt.kdc_start != NULL) + hdl->vt.kdc_start(hdl->auctx, ev_success); + } +} + +/* Call the AS-REQ audit plugin entry point. */ +void +kau_as_req(krb5_context context, const krb5_boolean ev_success, + krb5_audit_state *state) +{ + audit_module_handle *hp, hdl; + + if (handles == NULL) + return; + + for (hp = handles; *hp != NULL; hp++) { + hdl = *hp; + if (hdl->vt.as_req != NULL) + hdl->vt.as_req(hdl->auctx, ev_success, state); + } +} + +/* Call the TGS-REQ audit plugin entry point. */ +void +kau_tgs_req(krb5_context context, const krb5_boolean ev_success, + krb5_audit_state *state) +{ + audit_module_handle *hp, hdl; + + if (handles == NULL) + return; + + for (hp = handles; *hp != NULL; hp++) { + hdl = *hp; + if (hdl->vt.tgs_req != NULL) + hdl->vt.tgs_req(hdl->auctx, ev_success, state); + } +} + +/* Call the S4U2Self audit plugin entry point. */ +void +kau_s4u2self(krb5_context context, const krb5_boolean ev_success, + krb5_audit_state *state) +{ + audit_module_handle *hp, hdl; + + if (handles == NULL) + return; + + for (hp = handles; *hp != NULL; hp++) { + hdl = *hp; + if (hdl->vt.tgs_s4u2self != NULL) + hdl->vt.tgs_s4u2self(hdl->auctx, ev_success, state); + } +} + +/* Call the S4U2Proxy audit plugin entry point. */ +void +kau_s4u2proxy(krb5_context context,const krb5_boolean ev_success, + krb5_audit_state *state) +{ + audit_module_handle *hp, hdl; + + if (handles == NULL) + return; + + for (hp = handles; *hp != NULL; hp++) { + hdl = *hp; + if (hdl->vt.tgs_s4u2proxy != NULL) + hdl->vt.tgs_s4u2proxy(hdl->auctx, ev_success, state); + } +} + +/* Call the U2U audit plugin entry point. */ +void +kau_u2u(krb5_context context, const krb5_boolean ev_success, + krb5_audit_state *state) +{ + audit_module_handle *hp, hdl; + + if (handles == NULL) + return; + + for (hp = handles; *hp != NULL; hp++) { + hdl = *hp; + if (hdl->vt.tgs_u2u != NULL) + hdl->vt.tgs_u2u(hdl->auctx, ev_success, state); + } +} diff --git a/src/kdc/kdc_audit.h b/src/kdc/kdc_audit.h new file mode 100644 index 000000000..c2f2e2177 --- /dev/null +++ b/src/kdc/kdc_audit.h @@ -0,0 +1,82 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* include/kdc_audit.h - KDC-facing API for audit */ +/* + * Copyright 2013 by the Massachusetts Institute of Technology. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef KRB5_KDC_AUDIT__ +#define KRB5_KDC_AUDIT__ + +#include <krb5/krb5.h> +#include <net-server.h> +#include <krb5/audit_plugin.h> + +krb5_error_code load_audit_modules(krb5_context context); +void unload_audit_modules(krb5_context context); + +/* Utilities */ + +krb5_error_code +kau_make_tkt_id(krb5_context context, + const krb5_ticket *ticket, char **out); + +krb5_error_code +kau_init_kdc_req(krb5_context context, krb5_kdc_req *request, + const krb5_fulladdr *from, krb5_audit_state **au_state); + +void kau_free_kdc_req(krb5_audit_state *state); + +/* KDC-facing audit API */ + +void +kau_kdc_start(krb5_context context, const krb5_boolean ev_success); + +void +kau_kdc_stop(krb5_context context, const krb5_boolean ev_success); + +void +kau_as_req(krb5_context context, const krb5_boolean ev_success, + krb5_audit_state *state); + +void +kau_tgs_req(krb5_context context, const krb5_boolean ev_success, + krb5_audit_state *state); + +void +kau_s4u2self(krb5_context context, const krb5_boolean ev_success, + krb5_audit_state *state); + +void +kau_s4u2proxy(krb5_context context, const krb5_boolean ev_success, + krb5_audit_state *state); + +void +kau_u2u(krb5_context context, const krb5_boolean ev_success, + krb5_audit_state *state); + +#endif /* KRB5_KDC_AUDIT__ */ diff --git a/src/kdc/main.c b/src/kdc/main.c index 950fa41d7..0f5961acb 100644 --- a/src/kdc/main.c +++ b/src/kdc/main.c @@ -38,6 +38,7 @@ #include <kadm5/admin.h> #include "adm_proto.h" #include "kdc_util.h" +#include "kdc_audit.h" #include "extern.h" #include "kdc5_err.h" #include "kdb_kt.h" @@ -1044,15 +1045,26 @@ int main(int argc, char **argv) /* We get here only in a worker child process; re-initialize realms. */ initialize_realms(kcontext, argc, argv); } + + /* Initialize audit system and audit KDC startup. */ + retval = load_audit_modules(kcontext); + if (retval) { + kdc_err(kcontext, retval, _("while loading audit plugin module(s)")); + finish_realms(); + return 1; + } krb5_klog_syslog(LOG_INFO, _("commencing operation")); if (nofork) fprintf(stderr, _("%s: starting...\n"), kdc_progname); + kau_kdc_start(kcontext, TRUE); verto_run(ctx); loop_free(ctx); + kau_kdc_stop(kcontext, TRUE); krb5_klog_syslog(LOG_INFO, _("shutting down")); unload_preauth_plugins(kcontext); unload_authdata_plugins(kcontext); + unload_audit_modules(kcontext); krb5_klog_close(kcontext); finish_realms(); if (shandle.kdc_realmlist) diff --git a/src/lib/krb5/krb/plugin.c b/src/lib/krb5/krb/plugin.c index 57ee1c116..9bb5d54fa 100644 --- a/src/lib/krb5/krb/plugin.c +++ b/src/lib/krb5/krb/plugin.c @@ -54,7 +54,8 @@ const char *interface_names[] = { "kdcpreauth", "ccselect", "localauth", - "hostrealm" + "hostrealm", + "audit" }; /* Return the context's interface structure for id, or NULL if invalid. */ diff --git a/src/plugins/audit/Makefile.in b/src/plugins/audit/Makefile.in new file mode 100644 index 000000000..812af60af --- /dev/null +++ b/src/plugins/audit/Makefile.in @@ -0,0 +1,22 @@ +mydir=plugins$(S)audit +BUILDTOP=$(REL)..$(S).. + +STLIBOBJS=kdc_j_encode.o +LIBOBJS=$(OUTPRE)kdc_j_encode.$(OBJEXT) +SRCS=kdc_j_encode.c + +AUJENC_HDR=$(BUILDTOP)$(S)include$(S)kdc_j_encode.h + +all-unix:: all-libobjs includes + +clean-unix:: clean-libobjs + $(RM) $(AUJENC_HDR) + +includes:: $(AUJENC_HDR) +depend:: $(AUJENC_HDR) + +$(AUJENC_HDR): $(srcdir)/kdc_j_encode.h + $(RM) $@ + $(CP) $(srcdir)/kdc_j_encode.h $@ + +@libobj_frag@ diff --git a/src/plugins/audit/deps b/src/plugins/audit/deps new file mode 100644 index 000000000..e2efc8450 --- /dev/null +++ b/src/plugins/audit/deps @@ -0,0 +1,15 @@ +# +# Generated makefile dependencies follow. +# +kdc_j_encode.so kdc_j_encode.po $(OUTPRE)kdc_j_encode.$(OBJEXT): \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/audit_plugin.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-json.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + j_dict.h kdc_j_encode.c kdc_j_encode.h diff --git a/src/plugins/audit/j_dict.h b/src/plugins/audit/j_dict.h new file mode 100644 index 000000000..2ca48b05b --- /dev/null +++ b/src/plugins/audit/j_dict.h @@ -0,0 +1,88 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* j_dict.h - Dictionary file for json implementation of audit system */ +/* + * Copyright (C) 2013 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef KRB5_J_DICT_H_INCLUDED +#define KRB5_J_DICT_H_INCLUDED + +/* Dictionary for KDC events */ +#define AU_STAGE "stage" +#define AU_EVENT_NAME "event_name" +#define AU_EVENT_STATUS "event_success" +#define AU_TKT_IN_ID "tkt_in_id" +#define AU_TKT_OUT_ID "tkt_out_id" +#define AU_REQ_ID "req_id" +#define AU_KDC_STATUS "kdc_status" +#define AU_FROMPORT "fromport" +#define AU_FROMADDR "fromaddr" +#define AU_TYPE "type" /* used by fromaddr */ +#define AU_IPV4 "ipv4" /* used by fromaddr */ +#define AU_SESS_ETYPE "sess_etype" +#define AU_SRV_ETYPE "srv_etype" +#define AU_REP_ETYPE "rep_etype" +#define AU_REALM "realm" +#define AU_LENGTH "length" +#define AU_COMPONENTS "components" +#define AU_TKT_RENEWED "tkt_renewed" +#define AU_TKT_VALIDATED "tkt_validated" +/* referrals */ +#define AU_CREF_REALM "clreferral_realm" +/* request */ +#define AU_REQ_KDC_OPTIONS "req.kdc_options" +#define AU_REQ_SERVER "req.server" +#define AU_REQ_CLIENT "req.client" +#define AU_REQ_AVAIL_ETYPES "req.avail_etypes" +#define AU_EVIDENCE_TKT "evidence_tkt" +#define AU_REQ_ADDRESSES "req.addresses" +#define AU_REQ_TKT_START "req.tkt_start" +#define AU_REQ_TKT_END "req.tkt_end" +#define AU_REQ_TKT_RENEW_TILL "req.tkt_renew_till" +#define AU_REQ_PA_TYPE "req.pa_type" +/* reply */ +#define AU_REP_TICKET "rep.ticket" +#define AU_REP_PA_TYPE "rep.pa_type" +/* ticket */ +#define AU_SNAME "sname" +#define AU_CNAME "cname" +#define AU_FLAGS "flags" +#define AU_START "start" +#define AU_END "end" +#define AU_RENEW_TILL "renew_till" +#define AU_AUTHTIME "authtime" +#define AU_TR_CONTENTS "tr_contents" +#define AU_CADDRS "caddrs" +/* S4U and U2U */ +#define AU_VIOLATION "violation" /* policy or protocol restrictions */ +#define AU_REQ_S4U2S_USER "s4u2self_user" +#define AU_REQ_S4U2P_USER "s4u2proxy_user" +#define AU_REQ_U2U_USER "u2u_user" +#define AU_EVIDENCE_TKT_ID "evidence_tkt_id" /* 2nd ticket in s4u2proxy req */ +#endif /* KRB5_J_DICT_H_INCLUDED */ diff --git a/src/plugins/audit/kdc_j_encode.c b/src/plugins/audit/kdc_j_encode.c new file mode 100755 index 000000000..da5a9d839 --- /dev/null +++ b/src/plugins/audit/kdc_j_encode.c @@ -0,0 +1,934 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* plugins/audit/kdc_j_encode.c - Utilities to json encode KDC audit stuff */ +/* + * Copyright (C) 2013 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include <syslog.h> +#include <k5-int.h> +#include <k5-json.h> +#include "kdc_j_encode.h" +#include "j_dict.h" +#include <krb5/audit_plugin.h> + +static krb5_error_code +string_to_value(const char *in, k5_json_object obj, const char *key); +static krb5_error_code +princ_to_value(krb5_principal princ, k5_json_object obj, const char *key); +static krb5_error_code +data_to_value(krb5_data *data, k5_json_object obj, const char *key); +static krb5_error_code +int32_to_value(krb5_int32 int32, k5_json_object obj, const char *key); +static krb5_error_code +bool_to_value(krb5_boolean b, k5_json_object obj, const char *key); +static krb5_error_code +addr_to_obj(krb5_address *a, k5_json_object obj); +static krb5_error_code +eventinfo_to_value(k5_json_object obj, const char *name, + const int stage, const krb5_boolean ev_success); +static krb5_error_code +addr_to_value(const krb5_address *address, k5_json_object obj, + const char *key); +static krb5_error_code +req_to_value(krb5_kdc_req *req, const krb5_boolean ev_success, + k5_json_object obj); +static krb5_error_code +rep_to_value(krb5_kdc_rep *rep, const krb5_boolean ev_success, + k5_json_object obj); +static krb5_error_code +tkt_to_value(krb5_ticket *tkt, k5_json_object obj, const char *key); +static char *map_patype(krb5_preauthtype pa_type); + +#define NULL_STATE "state is NULL" +#define T_RENEWED 1 +#define T_NOT_RENEWED 2 +#define T_VALIDATED 1 +#define T_NOT_VALIDATED 2 + +/* KDC server STOP. Returns 0 on success. */ +krb5_error_code +kau_j_kdc_stop(const krb5_boolean ev_success, char **jout) +{ + krb5_error_code ret = 0; + k5_json_object obj = NULL; + + *jout = NULL; + + /* Main object. */ + if (k5_json_object_create(&obj)) + return ENOMEM; + + /* Audit event_ID and ev_success. */ + ret = string_to_value("KDC_STOP", obj, AU_EVENT_NAME); + if (!ret) + ret = bool_to_value(ev_success, obj, AU_EVENT_STATUS); + if (!ret) + ret = k5_json_encode(obj, jout); + k5_json_release(obj); + + return ret; +} + +/* KDC server START. Returns 0 on success. */ +krb5_error_code +kau_j_kdc_start(const krb5_boolean ev_success, char **jout) +{ + krb5_error_code ret = 0; + k5_json_object obj = NULL; + + *jout = NULL; + + /* Main object. */ + if (k5_json_object_create(&obj)) + return ENOMEM; + + /* Audit event_ID and ev_success. */ + ret = string_to_value("KDC_START", obj, AU_EVENT_NAME); + if (!ret) + ret = bool_to_value(ev_success, obj, AU_EVENT_STATUS); + if (!ret) + ret = k5_json_encode(obj, jout); + k5_json_release(obj); + + return ret; +} + +/* AS-REQ. Returns 0 on success. */ +krb5_error_code +kau_j_as_req(const krb5_boolean ev_success, krb5_audit_state *state, + char **jout) +{ + krb5_error_code ret = 0; + k5_json_object obj = NULL; + + *jout = NULL; + + if (!state) { + *jout = NULL_STATE; + return 0; + } + + /* Main object. */ + if (k5_json_object_create(&obj)) + return ENOMEM; + /* Audit event_ID and ev_success. */ + ret = eventinfo_to_value(obj, "AS_REQ", state->stage, ev_success); + if (ret) + goto error; + /* TGT ticket ID */ + ret = string_to_value(state->tkt_out_id, obj, AU_TKT_OUT_ID); + if (ret) + goto error; + /* Request ID. */ + ret = string_to_value(state->req_id, obj, AU_REQ_ID); + if (ret) + goto error; + /* Client's port and address. */ + ret = int32_to_value(state->cl_port, obj, AU_FROMPORT); + if (ret) + goto error; + ret = addr_to_value(state->cl_addr, obj, AU_FROMADDR); + if (ret) + goto error; + /* KDC status msg */ + ret = string_to_value(state->status, obj, AU_KDC_STATUS); + if (ret) + goto error; + /* non-local client's referral realm. */ + ret = data_to_value(state->cl_realm, obj, AU_CREF_REALM); + if (ret) + goto error; + /* Request. */ + ret = req_to_value(state->request, ev_success, obj); + if (ret == ENOMEM) + goto error; + /* Reply/ticket info. */ + ret = rep_to_value(state->reply, ev_success, obj); + if (ret == ENOMEM) + goto error; + ret = k5_json_encode(obj, jout); + +error: + k5_json_release(obj); + return ret; +} + +/* TGS-REQ. Returns 0 on success. */ +krb5_error_code +kau_j_tgs_req(const krb5_boolean ev_success, krb5_audit_state *state, + char **jout) +{ + krb5_error_code ret = 0; + k5_json_object obj = NULL; + krb5_kdc_req *req = state->request; + int tkt_validated = 0, tkt_renewed = 0; + + *jout = NULL; + + if (!state) { + *jout = NULL_STATE; + return 0; + } + + /* Main object. */ + if (k5_json_object_create(&obj)) + return ENOMEM; + + /* Audit Event ID and ev_success. */ + ret = eventinfo_to_value(obj, "TGS_REQ", state->stage, ev_success); + if (ret) + goto error; + /* Primary and derived ticket IDs. */ + ret = string_to_value(state->tkt_in_id, obj, AU_TKT_IN_ID); + if (ret) + goto error; + ret = string_to_value(state->tkt_out_id, obj, AU_TKT_OUT_ID); + if (ret) + goto error; + /* Request ID */ + ret = string_to_value(state->req_id, obj, AU_REQ_ID); + if (ret) + goto error; + /* client’s address and port. */ + ret = int32_to_value(state->cl_port, obj, AU_FROMPORT); + if (ret) + goto error; + ret = addr_to_value(state->cl_addr, obj, AU_FROMADDR); + if (ret) + goto error; + /* Ticket was renewed, validated. */ + if ((ev_success == TRUE) && (req != NULL)) { + tkt_renewed = (req->kdc_options & KDC_OPT_RENEW) ? + T_RENEWED : T_NOT_RENEWED; + tkt_validated = (req->kdc_options & KDC_OPT_VALIDATE) ? + T_VALIDATED : T_NOT_VALIDATED; + } + ret = int32_to_value(tkt_renewed, obj, AU_TKT_RENEWED); + if (ret) + goto error; + ret = int32_to_value(tkt_validated, obj, AU_TKT_VALIDATED); + if (ret) + goto error; + /* KDC status msg, including "ISSUE". */ + ret = string_to_value(state->status, obj, AU_KDC_STATUS); + if (ret) + goto error; + /* request */ + ret = req_to_value(req, ev_success, obj); + if (ret == ENOMEM) + goto error; + /* reply/ticket */ + ret = rep_to_value(state->reply, ev_success, obj); + if (ret == ENOMEM) + goto error; + ret = k5_json_encode(obj, jout); + +error: + k5_json_release(obj); + return ret; +} + +/* S4U2Self protocol extension. Returns 0 on success. */ +krb5_error_code +kau_j_tgs_s4u2self(const krb5_boolean ev_success, krb5_audit_state *state, + char **jout) +{ + krb5_error_code ret = 0; + k5_json_object obj = NULL; + + *jout = NULL; + + if (!state) { + *jout = NULL_STATE; + return 0; + } + + /* Main object. */ + if (k5_json_object_create(&obj)) + return ENOMEM; + + /* Audit Event ID and ev_success. */ + ret = eventinfo_to_value(obj, "S4U2SELF", state->stage, ev_success); + if (ret) + goto error; + /* Front-end server's TGT ticket ID. */ + ret = string_to_value(state->tkt_in_id, obj, AU_TKT_IN_ID); + if (ret) + goto error; + /* service "to self" ticket or referral TGT ticket ID. */ + ret = string_to_value(state->tkt_out_id, obj, AU_TKT_OUT_ID); + if (ret) + goto error; + /* Request ID. */ + ret = string_to_value(state->req_id, obj, AU_REQ_ID); + if (ret) + goto error; + if (ev_success == FALSE) { + /* KDC status msg. */ + ret = string_to_value(state->status, obj, AU_KDC_STATUS); + if (ret) + goto error; + /* Local policy or S4U protocol constraints. */ + ret = int32_to_value(state->violation, obj, AU_VIOLATION); + if (ret) + goto error; + } + /* Impersonated user. */ + ret = princ_to_value(state->s4u2self_user, obj, AU_REQ_S4U2S_USER); + if (ret) + goto error; + + ret = k5_json_encode(obj, jout); + +error: + k5_json_release(obj); + return ret; +} + +/* S4U2Proxy protocol extension. Returns 0 on success. */ +krb5_error_code +kau_j_tgs_s4u2proxy(const krb5_boolean ev_success, krb5_audit_state *state, + char **jout) +{ + krb5_error_code ret = 0; + k5_json_object obj = NULL; + krb5_kdc_req *req = state->request; + + *jout = NULL; + + if (!state) { + *jout = NULL_STATE; + return 0; + } + + /* Main object. */ + if (k5_json_object_create(&obj)) + return ENOMEM; + + /* Audit Event ID and ev_success. */ + ret = eventinfo_to_value(obj, "S4U2PROXY", state->stage, ev_success); + if (ret) + goto error; + /* Front-end server's TGT ticket ID. */ + ret = string_to_value(state->tkt_in_id, obj, AU_TKT_IN_ID); + if (ret) + goto error; + /* Resource service or referral TGT ticket ID. */ + ret = string_to_value(state->tkt_out_id, obj, AU_TKT_OUT_ID); + if (ret) + goto error; + /* User's evidence ticket ID. */ + ret = string_to_value(state->evid_tkt_id, obj, AU_EVIDENCE_TKT_ID); + if (ret) + goto error; + /* Request ID. */ + ret = string_to_value(state->req_id, obj, AU_REQ_ID); + if (ret) + goto error; + + if (ev_success == FALSE) { + /* KDC status msg. */ + ret = string_to_value(state->status, obj, AU_KDC_STATUS); + if (ret) + goto error; + /* Local policy or S4U protocol constraints. */ + ret = int32_to_value(state->violation, obj, AU_VIOLATION); + if (ret) + goto error; + } + /* Delegated user. */ + if (req != NULL) { + ret = princ_to_value(req->second_ticket[0]->enc_part2->client, + obj, AU_REQ_S4U2P_USER); + if (ret) + goto error; + } + ret = k5_json_encode(obj, jout); + +error: + k5_json_release(obj); + return ret; +} + +/* U2U. Returns 0 on success. */ +krb5_error_code +kau_j_tgs_u2u(const krb5_boolean ev_success, krb5_audit_state *state, + char **jout) +{ + krb5_error_code ret = 0; + k5_json_object obj = NULL; + krb5_kdc_req *req = state->request; + + if (!state) { + *jout = NULL_STATE; + return 0; + } + + *jout = NULL; + + /* Main object. */ + if (k5_json_object_create(&obj)) + return ENOMEM; + /* Audit Event ID and ev_success. */ + ret = eventinfo_to_value(obj, "U2U", state->stage, ev_success); + if (ret) + goto error; + /* Front-end server's TGT ticket ID. */ + ret = string_to_value(state->tkt_in_id, obj, AU_TKT_IN_ID); + if (ret) + goto error; + /* Service ticket ID. */ + ret = string_to_value(state->tkt_out_id, obj, AU_TKT_OUT_ID); + if (ret) + goto error; + /* Request ID. */ + ret = string_to_value(state->req_id, obj, AU_REQ_ID); + if (ret) + goto error; + + if (ev_success == FALSE) { + /* KDC status msg. */ + ret = string_to_value(state->status, obj, AU_KDC_STATUS); + if (ret) + goto error; + } + /* Client in the second ticket. */ + if (req != NULL) { + ret = princ_to_value(req->second_ticket[0]->enc_part2->client, + obj, AU_REQ_U2U_USER); + if (ret) + goto error; + } + /* Enctype of a session key of the second ticket. */ + ret = int32_to_value(req->second_ticket[0]->enc_part2->session->enctype, + obj, AU_SRV_ETYPE); + if (ret) + goto error; + + ret = k5_json_encode(obj, jout); + +error: + k5_json_release(obj); + return ret; +} + +/* Low level utilities */ + +/* Converts string into a property of a JSON object. Returns 0 on success.*/ +static krb5_error_code +string_to_value(const char *in, k5_json_object obj, const char *key) +{ + krb5_error_code ret = 0; + k5_json_string str = NULL; + + if (in == NULL) + return 0; + + ret = k5_json_string_create(in, &str); + if (ret) + return ret; + ret = k5_json_object_set(obj, key, str); + k5_json_release(str); + + return ret; +} + +/* + * Converts a krb5_data struct into a property of a JSON object. + * (Borrowed from preauth_otp.c) + * Returns 0 on success. + */ +static krb5_error_code +data_to_value(krb5_data *data, k5_json_object obj, const char *key) +{ + krb5_error_code ret = 0; + k5_json_string str = NULL; + + if (data == NULL || data->data == NULL || data->length < 1) + return 0; + + ret = k5_json_string_create_len(data->data, data->length, &str); + if (ret) + return ret; + ret = k5_json_object_set(obj, key, str); + k5_json_release(str); + + return ret; +} + +/* + * Converts krb5_int32 into a property of a JSON object. + * Returns 0 on success. + */ +static krb5_error_code +int32_to_value(krb5_int32 int32, k5_json_object obj, const char *key) +{ + krb5_error_code ret = 0; + k5_json_number num = NULL; + + ret = k5_json_number_create(int32, &num); + if (ret) + return ENOMEM; + ret = k5_json_object_set(obj, key, num); + k5_json_release(num); + + return ret; +} + +/* + * Converts krb5_boolean into a property of a JSON object. + * Returns 0 on success. + */ +static krb5_error_code +bool_to_value(krb5_boolean in, k5_json_object obj, const char *key) +{ + krb5_error_code ret = 0; + k5_json_bool b = 0; + + ret = k5_json_bool_create(in, &b); + if (ret) + return ENOMEM; + + ret = k5_json_object_set(obj, key, b); + k5_json_release(b); + + return ret; +} + +/* Wrapper-level utilities */ + +/* Wrapper for stage and event_status tags. Returns 0 on success. */ +static krb5_error_code +eventinfo_to_value(k5_json_object obj, const char *name, + const int stage, const krb5_boolean ev_success) +{ + krb5_error_code ret = 0; + + ret = string_to_value(name, obj, AU_EVENT_NAME); + if (ret) + return ret; + ret = int32_to_value(stage, obj, AU_STAGE); + if (!ret) + ret = bool_to_value(ev_success, obj, AU_EVENT_STATUS); + + return ret; +} + +/* + * Converts krb5_principal into a property of a JSON object. + * Returns 0 on success. + */ +static krb5_error_code +princ_to_value(krb5_principal princ, k5_json_object obj, const char *key) +{ + krb5_error_code ret = 0; + k5_json_object tmp = NULL; + k5_json_array arr = NULL; + k5_json_string str = NULL; + int i = 0; + + if (princ == NULL || princ->data == NULL) + return 0; + + /* Main object. */ + if (k5_json_object_create(&tmp)) + return ENOMEM; + + ret = k5_json_array_create(&arr); + if (ret) + goto error; + for (i = 0; i < princ->length; i++) { + ret = k5_json_string_create_len((&princ->data[i])->data, + (&princ->data[i])->length, &str); + if (ret) + goto error; + ret = k5_json_array_add(arr, str); + k5_json_release(str); + if (ret) + goto error; + } + ret = k5_json_object_set(tmp, AU_COMPONENTS, arr); + if (ret) + goto error; + ret = data_to_value(&princ->realm, tmp, AU_REALM); + if (ret) + goto error; + ret = int32_to_value(princ->length, tmp, AU_LENGTH); + if (ret) + goto error; + ret = int32_to_value(princ->type, tmp, AU_TYPE); + if (ret) + goto error; + + ret = k5_json_object_set(obj, key, tmp); + +error: + k5_json_release(tmp); + k5_json_release(arr); + return ret; +} + +/* + * Helper for JSON encoding of krb5_address. + * Returns 0 on success. + */ +static krb5_error_code +addr_to_obj(krb5_address *a, k5_json_object obj) +{ + krb5_error_code ret = 0; + k5_json_number num = NULL; + k5_json_array arr = NULL; + int i; + + if (a == NULL || a->contents == NULL || a->length <= 0) + return 0; + + ret = int32_to_value(a->addrtype, obj, AU_TYPE); + if (ret) + goto error; + ret = int32_to_value(a->length, obj, AU_LENGTH); + if (ret) + goto error; + + if (a->addrtype == ADDRTYPE_INET) { + ret = k5_json_array_create(&arr); + if (ret) + goto error; + for (i = 0; i < (int)a->length; i++) { + ret = k5_json_number_create(a->contents[i], &num); + if (ret) + goto error; + ret = k5_json_array_add(arr, num); + k5_json_release(num); + if (ret) + goto error; + } + ret = k5_json_object_set(obj, AU_IPV4, arr); + if (ret) + goto error; + } + +error: + k5_json_release(arr); + return ret; +} + +/* + * Converts krb5_fulladdr into a property of a JSON object. + * Returns 0 on success. + */ +static krb5_error_code +addr_to_value(const krb5_address *address, k5_json_object obj, const char *key) +{ + krb5_error_code ret = 0; + k5_json_object addr_obj = NULL; + + if (address == NULL) + return 0; + + ret = k5_json_object_create(&addr_obj); + if (ret) + return ret; + ret = addr_to_obj((krb5_address *)address, addr_obj); + if (!ret) + ret = k5_json_object_set(obj, key, addr_obj); + k5_json_release(addr_obj); + + return ret; +} + +/* + * Helper for JSON encoding of krb5_kdc_req. + * Returns 0 on success. + */ +static krb5_error_code +req_to_value(krb5_kdc_req *req, const krb5_boolean ev_success, + k5_json_object obj) +{ + krb5_error_code ret = 0; + k5_json_number num = NULL; + k5_json_string str = NULL; + k5_json_object tmpa = NULL; + k5_json_array arr = NULL, arra = NULL, arrpa = NULL; + krb5_pa_data **padata; + int i = 0; + + if (req == NULL) + return 0; + + ret = princ_to_value(req->client, obj, AU_REQ_CLIENT); + if (ret) + goto error; + ret = princ_to_value(req->server, obj, AU_REQ_SERVER); + if (ret) + goto error; + + ret = int32_to_value(req->kdc_options, obj, AU_REQ_KDC_OPTIONS); + if (ret) + goto error; + ret = int32_to_value(req->from, obj, AU_REQ_TKT_START); + if (ret) + goto error; + ret = int32_to_value(req->till, obj, AU_REQ_TKT_END); + if (ret) + goto error; + ret = int32_to_value(req->rtime, obj, AU_REQ_TKT_RENEW_TILL); + if (ret) + goto error; + /* Available/requested enctypes. */ + ret = k5_json_array_create(&arr); + if (ret) + goto error; + for (i = 0; (i < req->nktypes); i++) { + if (req->ktype[i] > 0) { + ret = k5_json_number_create(req->ktype[i], &num); + if (ret) + goto error; + ret = k5_json_array_add(arr, num); + k5_json_release(num); + if (ret) + goto error; + } + } + ret = k5_json_object_set(obj, AU_REQ_AVAIL_ETYPES, arr); + if (ret) + goto error; + /* Pre-auth types. */ + if (ev_success == TRUE && req->padata) { + ret = k5_json_array_create(&arrpa); + if (ret) + goto error; + for (padata = req->padata; *padata; padata++) { + if (strlen(map_patype((*padata)->pa_type)) > 1) { + ret = k5_json_string_create(map_patype((*padata)->pa_type), + &str); + if (ret) + goto error; + ret = k5_json_array_add(arrpa, str); + k5_json_release(str); + if (ret) + goto error; + } + } + ret = k5_json_object_set(obj, AU_REQ_PA_TYPE, arrpa); + } + /* List of requested addresses. */ + if (req->addresses) { + ret = k5_json_array_create(&arra); + if (ret) + goto error; + for (i = 0; req->addresses[i] != NULL; i++) { + ret = k5_json_object_create(&tmpa); + if (ret) + goto error; + ret = addr_to_obj(req->addresses[i], tmpa); + if (ret) + goto error; + ret = k5_json_array_add(arra, tmpa); + k5_json_release(tmpa); + if (ret) + goto error; + } + ret = k5_json_object_set(obj, AU_REQ_ADDRESSES, arra); + if (ret) + goto error; + } +error: + k5_json_release(arr); + k5_json_release(arra); + k5_json_release(arrpa); + return ret; +} + +/* + * Helper for JSON encoding of krb5_kdc_rep. + * Returns 0 on success. + */ +static krb5_error_code +rep_to_value(krb5_kdc_rep *rep, const krb5_boolean ev_success, + k5_json_object obj) +{ + krb5_error_code ret = 0; + krb5_pa_data **padata; + k5_json_array arrpa = NULL; + k5_json_string str = NULL; + + if (rep == NULL) + return 0; + + if (ev_success == TRUE) { + ret = tkt_to_value(rep->ticket, obj, AU_REP_TICKET); + /* Enctype of the reply-encrypting key. */ + ret = int32_to_value(rep->enc_part.enctype, obj, AU_REP_ETYPE); + if (ret) + goto error; + } else { + + if (rep->padata) { + ret = k5_json_array_create(&arrpa); + if (ret) + goto error; + for (padata = rep->padata; *padata; padata++) { + if (strlen(map_patype((*padata)->pa_type)) > 1) { + ret = k5_json_string_create(map_patype((*padata)->pa_type), + &str); + if (ret) + goto error; + ret = k5_json_array_add(arrpa, str); + k5_json_release(str); + if (ret) + goto error; + } + } + } + ret = k5_json_object_set(obj, AU_REP_PA_TYPE, arrpa); + } +error: + k5_json_release(arrpa); + return ret; +} + +/* + * Converts krb5_ticket into a property of a JSON object. + * Returns 0 on success. + */ +static krb5_error_code +tkt_to_value(krb5_ticket *tkt, k5_json_object obj, + const char *key) +{ + krb5_error_code ret = 0; + k5_json_object tmp = NULL; + krb5_enc_tkt_part *part2 = NULL; + + if (tkt == NULL) + return 0; + + /* Main object. */ + if (k5_json_object_create(&tmp)) + return ENOMEM; + + /* + * CNAME - potentially redundant data... + * ...but it is part of the ticket. So, record it as such. + */ + ret = princ_to_value(tkt->server, tmp, AU_CNAME); + if (ret) + goto error; + ret = princ_to_value(tkt->server, tmp, AU_SNAME); + if (ret) + goto error; + /* Enctype of a long-term key of service. */ + if (tkt->enc_part.enctype) + ret = int32_to_value(tkt->enc_part.enctype, tmp, AU_SRV_ETYPE); + if (ret) + goto error; + if (tkt->enc_part2) + part2 = tkt->enc_part2; + if (part2) { + ret = princ_to_value(part2->client, tmp, AU_CNAME); + if (ret) + goto error; + ret = int32_to_value(part2->flags, tmp, AU_FLAGS); + if (ret) + goto error; + /* Chosen by KDC session key enctype (short-term key). */ + ret = int32_to_value(part2->session->enctype, tmp, AU_SESS_ETYPE); + if (ret) + goto error; + if (&part2->times) { + ret = int32_to_value(part2->times.starttime, tmp, AU_START); + if (ret) + goto error; + ret = int32_to_value(part2->times.endtime, tmp, AU_END); + if (ret) + goto error; + ret = int32_to_value(part2->times.renew_till, tmp, AU_RENEW_TILL); + if (ret) + goto error; + ret = int32_to_value(part2->times.authtime, tmp, AU_AUTHTIME); + if (ret) + goto error; + } + if (&part2->transited && &part2->transited.tr_contents && + part2->transited.tr_contents.length > 0) { + ret = data_to_value(&part2->transited.tr_contents, + tmp, AU_TR_CONTENTS); + if (ret) + goto error; + } + } /* part2 != NULL */ + + if (!ret) + ret = k5_json_object_set(obj, key, tmp); + +error: + k5_json_release(tmp); + return ret; +} + +/* Map preauth numeric type to the naming string. */ +struct _patype_str { + krb5_preauthtype id; + char *name; +}; +struct _patype_str patype_str[] = { + {KRB5_PADATA_ENC_TIMESTAMP, "ENC_TIMESTAMP"}, + {KRB5_PADATA_PW_SALT, "PW_SALT"}, + {KRB5_PADATA_ENC_UNIX_TIME, "ENC_UNIX_TIME"}, + {KRB5_PADATA_SAM_CHALLENGE, "SAM_CHALLENGE"}, + {KRB5_PADATA_SAM_RESPONSE, "SAM_RESPONSE"}, + {KRB5_PADATA_PK_AS_REQ_OLD, "PK_AS_REQ_OLD"}, + {KRB5_PADATA_PK_AS_REP_OLD, "PK_AS_REP_OLD"}, + {KRB5_PADATA_PK_AS_REQ, "PK_AS_REQ"}, + {KRB5_PADATA_PK_AS_REP, "PK_AS_REP"}, + {KRB5_PADATA_ETYPE_INFO2, "ETYPE_INFO2"}, + {KRB5_PADATA_SAM_CHALLENGE_2, "SAM_CHALLENGE_2"}, + {KRB5_PADATA_SAM_RESPONSE_2, "SAM_RESPONSE_2"}, + {KRB5_PADATA_PAC_REQUEST, "PAC_REQUEST"}, + {KRB5_PADATA_FOR_USER, "FOR_USER"}, + {KRB5_PADATA_S4U_X509_USER, "S4U_X509_USER"}, + {KRB5_PADATA_ENCRYPTED_CHALLENGE, "ENCRYPTED_CHALLENGE"}, + {KRB5_PADATA_OTP_CHALLENGE, "OTP_CHALLENGE"}, + {KRB5_PADATA_OTP_REQUEST, "OTP_REQUEST"}, + {KRB5_PADATA_OTP_PIN_CHANGE, "OTP_PIN_CHANGE"} +}; + + +static char * +map_patype(krb5_preauthtype pa_type) +{ + int i = 0; + int n = sizeof(patype_str)/sizeof(patype_str[0]); + + for (i = 0; i < n; i++) { + if (pa_type == patype_str[i].id) + return patype_str[i].name; + } + return ""; +} diff --git a/src/plugins/audit/kdc_j_encode.h b/src/plugins/audit/kdc_j_encode.h new file mode 100644 index 000000000..0c59adc0f --- /dev/null +++ b/src/plugins/audit/kdc_j_encode.h @@ -0,0 +1,66 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* plugins/audit/kdc_j_encode.h - Declarations for KDC audit json encoders */ +/* + * Copyright 2013 by the Massachusetts Institute of Technology. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef KRB5_KDC_J_ENCODE_H_INCLUDED +#define KRB5_KDC_J_ENCODE_H_INCLUDED + +#include <krb5/audit_plugin.h> + +/* Maximum length of the name of preauth type. */ +#define MAX_PATYPE_NAME_LEN 32 + +krb5_error_code +kau_j_kdc_stop(const krb5_boolean ev_success, char **jout); + +krb5_error_code +kau_j_kdc_start(const krb5_boolean ev_success, char **jout); + +krb5_error_code +kau_j_as_req(const krb5_boolean ev_success, krb5_audit_state *state, + char **jout); + +krb5_error_code +kau_j_tgs_req(const krb5_boolean ev_success, krb5_audit_state *state, + char **jout); + +krb5_error_code +kau_j_tgs_s4u2self(const krb5_boolean ev_success, krb5_audit_state *state, + char **jout); + +krb5_error_code +kau_j_tgs_s4u2proxy(const krb5_boolean ev_success, krb5_audit_state *state, + char **jout); + +krb5_error_code +kau_j_tgs_u2u(const krb5_boolean ev_success, krb5_audit_state *state, + char **jout); + +#endif /* KRB5_KDC_J_ENCODE_H_INCLUDED */ diff --git a/src/plugins/audit/libauditjenc.exports b/src/plugins/audit/libauditjenc.exports new file mode 100644 index 000000000..da7120fdd --- /dev/null +++ b/src/plugins/audit/libauditjenc.exports @@ -0,0 +1,7 @@ +kau_j_kdc_stop +kau_j_kdc_start +kau_j_as_req +kau_j_tgs_req +kau_j_tgs_s4u2self +kau_j_tgs_s4u2proxy +kau_j_tgs_u2u diff --git a/src/plugins/audit/simple/Makefile.in b/src/plugins/audit/simple/Makefile.in new file mode 100644 index 000000000..54961c459 --- /dev/null +++ b/src/plugins/audit/simple/Makefile.in @@ -0,0 +1,27 @@ +mydir=plugins$(S)audit$(S)simple +BUILDTOP=$(REL)..$(S)..$(S).. + +LIBBASE=k5audit +LIBMAJOR=1 +LIBMINOR=1 +RELDIR=../plugins/audit/simple + +#Depends on libkrb5 and libkrb5support. +SHLIB_EXPDEPS= $(KRB5_BASE_DEPLIBS) +SHLIB_EXPLIBS= $(KRB5_BASE_LIBS) + +STOBJLISTS= OBJS.ST ../OBJS.ST +STLIBOBJS= au_simple_main.o + +SRCS= $(srcdir)/au_simple_main.c + +all-unix:: all-liblinks +install-unix:: install-libs +clean-unix:: clean-liblinks clean-libs clean-libobjs + +clean:: + $(RM) au_simple_main.o kdc_j_encode.o + $(RM) lib$(LIBBASE)$(SO_EXT) + +@libnover_frag@ +@libobj_frag@ diff --git a/src/plugins/audit/simple/au_simple_main.c b/src/plugins/audit/simple/au_simple_main.c new file mode 100644 index 000000000..87a2c5564 --- /dev/null +++ b/src/plugins/audit/simple/au_simple_main.c @@ -0,0 +1,263 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* plugins/audit/au_simple_main.c - Sample Audit plugin implementation */ +/* + * Copyright (C) 2013 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * This is a demo implementation of Audit JSON-based module. + * It utilizes MIT Kerberos <kdc_j_encode.h> routines for JSON processing and + * the Fedora/Debian libaudit library for audit logs. + */ + +#include <k5-int.h> +#include <krb5/audit_plugin.h> +#include <libaudit.h> +#include <kdc_j_encode.h> + +krb5_error_code +audit_simple_initvt(krb5_context context, int maj_ver, int min_ver, + krb5_plugin_vtable vtable); + +struct krb5_audit_moddata_st { + int fd; +}; + +/* Open connection to the audit system. Returns 0 on success. */ +static krb5_error_code +open_au(krb5_audit_moddata *auctx_out) +{ + krb5_error_code ret; + int fd = 0; + krb5_audit_moddata auctx; + + auctx = k5calloc(1, sizeof(*auctx), &ret); + if (ret) + return ENOMEM; + fd = audit_open(); + if (fd < 0) + return KRB5_PLUGIN_NO_HANDLE; /* audit module is unavailable */ + + auctx->fd = fd; + *auctx_out = auctx; + + return 0; +} + +/* Close connection to the audit system. Returns 0 on success. */ +static krb5_error_code +close_au(krb5_audit_moddata auctx) +{ + int fd = auctx->fd; + + audit_close(fd); + return 0; +} + +/* Log KDC-start event. Returns 0 on success. */ +static krb5_error_code +j_kdc_start(krb5_audit_moddata auctx, krb5_boolean ev_success) +{ + krb5_error_code ret = 0; + int local_type = AUDIT_USER_START; + int fd = auctx->fd; + char *jout = NULL; + + if (fd < 0) + return KRB5_PLUGIN_NO_HANDLE; /* audit module is unavailable */ + + ret = kau_j_kdc_start(ev_success, &jout); + if (ret) + return ret; + if (audit_log_user_message(fd, local_type, jout, + NULL, NULL, NULL, ev_success) <= 0) + ret = EIO; + free(jout); + return ret; +} + +/* Log KDC-stop event. Returns 0 on success. */ +static krb5_error_code +j_kdc_stop(krb5_audit_moddata auctx, krb5_boolean ev_success) +{ + krb5_error_code ret = 0; + int local_type = AUDIT_USER_END; + int fd = auctx->fd; + char *jout = NULL; + + if (fd < 0) + return KRB5_PLUGIN_NO_HANDLE; /* audit module is unavailable */ + + ret = kau_j_kdc_stop(ev_success, &jout); + if (ret) + return ret; + if (audit_log_user_message(fd, local_type, jout, + NULL, NULL, NULL, ev_success) <= 0) + ret = EIO; + free(jout); + return ret; +} + +/* Log AS_REQ event. Returns 0 on success */ +static krb5_error_code +j_as_req(krb5_audit_moddata auctx, krb5_boolean ev_success, + krb5_audit_state *state) +{ + krb5_error_code ret = 0; + int local_type = AUDIT_USER_AUTH; + int fd = auctx->fd; + char *jout = NULL; + + if (fd < 0) + return KRB5_PLUGIN_NO_HANDLE; /* audit module is unavailable */ + + ret = kau_j_as_req(ev_success, state, &jout); + if (ret) + return ret; + if (audit_log_user_message(fd, local_type, jout, + NULL, NULL, NULL, ev_success) <= 0) + ret = EIO; + free(jout); + return ret; +} + +/* Log TGS_REQ event. Returns 0 on success */ +static krb5_error_code +j_tgs_req(krb5_audit_moddata auctx, krb5_boolean ev_success, + krb5_audit_state *state) +{ + krb5_error_code ret = 0; + int local_type = AUDIT_USER_AUTH; + int fd = auctx->fd; + char *jout = NULL; + + if (fd < 0) + return KRB5_PLUGIN_NO_HANDLE; /* audit module is unavailable */ + + ret = kau_j_tgs_req(ev_success, state, &jout); + if (ret) + return ret; + if (audit_log_user_message(fd, local_type, jout, + NULL, NULL, NULL, ev_success) <= 0) + ret = EIO; + free(jout); + return ret; +} + +/* Log S4U2SELF event. Returns 0 on success */ +static krb5_error_code +j_tgs_s4u2self(krb5_audit_moddata auctx, krb5_boolean ev_success, + krb5_audit_state *state) +{ + krb5_error_code ret = 0; + int local_type = AUDIT_USER_AUTH; + int fd = auctx->fd; + char *jout = NULL; + + if (fd < 0) + return KRB5_PLUGIN_NO_HANDLE; /* audit module is unavailable */ + + ret = kau_j_tgs_s4u2self(ev_success, state, &jout); + if (ret) + return ret; + if (audit_log_user_message(fd, local_type, jout, + NULL, NULL, NULL, ev_success) <= 0) + ret = EIO; + free(jout); + return ret; +} + +/* Log S4U2PROXY event. Returns 0 on success */ +static krb5_error_code +j_tgs_s4u2proxy(krb5_audit_moddata auctx, krb5_boolean ev_success, + krb5_audit_state *state) +{ + krb5_error_code ret = 0; + int local_type = AUDIT_USER_AUTH; + int fd = auctx->fd; + char *jout = NULL; + + if (fd < 0) + return KRB5_PLUGIN_NO_HANDLE; /* audit module is unavailable */ + + ret = kau_j_tgs_s4u2proxy(ev_success, state, &jout); + if (ret) + return ret; + if (audit_log_user_message(fd, local_type, jout, + NULL, NULL, NULL, ev_success) <= 0) + ret = EIO; + free(jout); + return ret; +} + +/* Log user-to-user event. Returns 0 on success */ +static krb5_error_code +j_tgs_u2u(krb5_audit_moddata auctx, krb5_boolean ev_success, + krb5_audit_state *state) +{ + krb5_error_code ret = 0; + int local_type = AUDIT_USER_AUTH; + int fd = auctx->fd; + char *jout = NULL; + + if (fd < 0) + return KRB5_PLUGIN_NO_HANDLE; /* audit module is unavailable */ + + ret = kau_j_tgs_u2u(ev_success, state, &jout); + if (ret) + return ret; + if (audit_log_user_message(fd, local_type, jout, + NULL, NULL, NULL, ev_success) <= 0) + ret = EIO; + free(jout); + return ret; +} + +krb5_error_code +audit_simple_initvt(krb5_context context, int maj_ver, + int min_ver, krb5_plugin_vtable vtable) +{ + krb5_audit_vtable vt; + + if (maj_ver != 1) + return KRB5_PLUGIN_VER_NOTSUPP; + + vt = (krb5_audit_vtable)vtable; + vt->name = "simple"; + vt->open = open_au; + vt->close = close_au; + vt->kdc_start = j_kdc_start; + vt->kdc_stop = j_kdc_stop; + vt->as_req = j_as_req; + vt->tgs_req = j_tgs_req; + vt->tgs_s4u2self = j_tgs_s4u2self; + vt->tgs_s4u2proxy = j_tgs_s4u2proxy; + vt->tgs_u2u = j_tgs_u2u; + return 0; +} diff --git a/src/plugins/audit/simple/deps b/src/plugins/audit/simple/deps new file mode 100644 index 000000000..84d4f044d --- /dev/null +++ b/src/plugins/audit/simple/deps @@ -0,0 +1,15 @@ +# +# Generated makefile dependencies follow. +# +au_simple_main.so au_simple_main.po $(OUTPRE)au_simple_main.$(OBJEXT): \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/kdc_j_encode.h \ + $(BUILDTOP)/include/krb5/audit_plugin.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ + $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + au_simple_main.c diff --git a/src/plugins/audit/simple/k5audit.exports b/src/plugins/audit/simple/k5audit.exports new file mode 100644 index 000000000..2070538b8 --- /dev/null +++ b/src/plugins/audit/simple/k5audit.exports @@ -0,0 +1 @@ +audit_simple_initvt diff --git a/src/plugins/audit/test/Makefile.in b/src/plugins/audit/test/Makefile.in new file mode 100644 index 000000000..130b0248c --- /dev/null +++ b/src/plugins/audit/test/Makefile.in @@ -0,0 +1,21 @@ +mydir=plugins$(S)audit$(S)test +BUILDTOP=$(REL)..$(S)..$(S).. + +LIBBASE=k5audit_test +LIBMAJOR=0 +LIBMINOR=0 +RELDIR=../plugins/audit/test +# Depends on libkrb5 and libkrb5support. +SHLIB_EXPDEPS= $(KRB5_BASE_DEPLIBS) +SHLIB_EXPLIBS= $(KRB5_BASE_LIBS) + +STOBJLISTS= OBJS.ST ../OBJS.ST +STLIBOBJS= au_test.o + +SRCS= $(srcdir)/au_test.c + +all-unix:: all-liblinks +clean-unix:: clean-liblinks clean-libs clean-libobjs + +@libnover_frag@ +@libobj_frag@ diff --git a/src/plugins/audit/test/au_test.c b/src/plugins/audit/test/au_test.c new file mode 100644 index 000000000..54bf564b1 --- /dev/null +++ b/src/plugins/audit/test/au_test.c @@ -0,0 +1,228 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* plugins/audit/au_test.c - Test Audit plugin implementation */ +/* + * Copyright (C) 2013 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ +/* + * This test is to verify the JSON-based KDC audit functionality. + * It utilized MIT Kerberos <kdc_j_encode.h> routines for JSON processing. + */ + +#include <k5-int.h> +#include <krb5/audit_plugin.h> +#include <kdc_j_encode.h> +#include "k5-thread.h" + +struct krb5_audit_moddata_st { + int au_fd; +}; + +krb5_error_code +audit_test_initvt(krb5_context context, int maj_ver, int min_ver, + krb5_plugin_vtable vtable); + +static FILE *au_fd; +static k5_mutex_t lock = K5_MUTEX_PARTIAL_INITIALIZER; + +/* Open connection to the audit system. Returns 0 on success. */ +static krb5_error_code +open_au(krb5_audit_moddata *auctx) +{ + au_fd = fopen("au.log", "a+"); + if ( au_fd < 0) { + return KRB5_PLUGIN_NO_HANDLE; /* audit module is unavailable */ + } + k5_mutex_init(&lock); + return 0; +} + +/* Close connection to the audit system. Returns 0. */ +static krb5_error_code +close_au(krb5_audit_moddata auctx) +{ + fclose(au_fd); + k5_mutex_destroy(&lock); + return 0; +} + +/* Log KDC-start event. Returns 0 on success. */ +static krb5_error_code +j_kdc_start(krb5_audit_moddata auctx, krb5_boolean ev_success) +{ + krb5_error_code ret = 0; + char *jout = NULL; + + ret = kau_j_kdc_start(ev_success, &jout); + if (ret) + return ret; + k5_mutex_lock(&lock); + fprintf(au_fd,"%s\n", jout); + fflush(au_fd); + k5_mutex_unlock(&lock); + free(jout); + return ret; +} + +/* Log KDC-stop event. Returns 0 on success. */ +static krb5_error_code +j_kdc_stop(krb5_audit_moddata auctx, krb5_boolean ev_success) +{ + krb5_error_code ret = 0; + char *jout = NULL; + + ret = kau_j_kdc_stop(ev_success, &jout); + if (ret) + return ret; + k5_mutex_lock(&lock); + fprintf(au_fd,"%s\n", jout); + fflush(au_fd); + k5_mutex_unlock(&lock); + free(jout); + return ret; +} + +/* Log AS_REQ event. Returns 0 on success. */ +static krb5_error_code +j_as_req(krb5_audit_moddata auctx, krb5_boolean ev_success, + krb5_audit_state *state) +{ + krb5_error_code ret = 0; + char *jout = NULL; + + ret = kau_j_as_req(ev_success, state, &jout); + if (ret) + return ret; + k5_mutex_lock(&lock); + fprintf(au_fd,"%s\n", jout); + fflush(au_fd); + k5_mutex_unlock(&lock); + free(jout); + return ret; +} + +/* Log TGS_REQ event. Returns 0 on success. */ +static krb5_error_code +j_tgs_req(krb5_audit_moddata auctx, krb5_boolean ev_success, + krb5_audit_state *state) +{ + krb5_error_code ret = 0; + char *jout = NULL; + + ret = kau_j_tgs_req(ev_success, state, &jout); + if (ret) + return ret; + k5_mutex_lock(&lock); + fprintf(au_fd,"%s\n", jout); + fflush(au_fd); + k5_mutex_unlock(&lock); + free(jout); + return ret; +} + +/* Log S4U2SELF event. Returns 0 on success. */ +static krb5_error_code +j_tgs_s4u2self(krb5_audit_moddata auctx, krb5_boolean ev_success, + krb5_audit_state *state) +{ + krb5_error_code ret = 0; + char *jout = NULL; + + ret = kau_j_tgs_s4u2self(ev_success, state, &jout); + if (ret) + return ret; + k5_mutex_lock(&lock); + fprintf(au_fd,"%s\n", jout); + fflush(au_fd); + k5_mutex_unlock(&lock); + free(jout); + return ret; +} + +/* Log S4U2PROXY event. Returns 0 on success. */ +static krb5_error_code +j_tgs_s4u2proxy(krb5_audit_moddata auctx, krb5_boolean ev_success, + krb5_audit_state *state) +{ + krb5_error_code ret = 0; + char *jout = NULL; + + ret = kau_j_tgs_s4u2proxy(ev_success, state, &jout); + if (ret) + return ret; + k5_mutex_lock(&lock); + fprintf(au_fd,"%s\n", jout); + fflush(au_fd); + k5_mutex_unlock(&lock); + free(jout); + return ret; +} + +/* Log user-to-user event. Returns 0 on success. */ +static krb5_error_code +j_tgs_u2u(krb5_audit_moddata auctx, krb5_boolean ev_success, + krb5_audit_state *state) +{ + krb5_error_code ret = 0; + char *jout = NULL; + + ret = kau_j_tgs_u2u(ev_success, state, &jout); + if (ret) + return ret; + k5_mutex_lock(&lock); + fprintf(au_fd,"%s\n", jout); + fflush(au_fd); + k5_mutex_unlock(&lock); + free(jout); + return ret; +} + +krb5_error_code +audit_test_initvt(krb5_context context, int maj_ver, int min_ver, + krb5_plugin_vtable vtable) +{ + krb5_audit_vtable vt; + + if (maj_ver != 1) + return KRB5_PLUGIN_VER_NOTSUPP; + + vt = (krb5_audit_vtable)vtable; + vt->name = "test"; + + vt->open = open_au; + vt->close = close_au; + vt->kdc_start = j_kdc_start; + vt->kdc_stop = j_kdc_stop; + vt->as_req = j_as_req; + vt->tgs_req = j_tgs_req; + vt->tgs_s4u2self = j_tgs_s4u2self; + vt->tgs_s4u2proxy = j_tgs_s4u2proxy; + vt->tgs_u2u = j_tgs_u2u; + + return 0; +} diff --git a/src/plugins/audit/test/deps b/src/plugins/audit/test/deps new file mode 100644 index 000000000..f4f76aec7 --- /dev/null +++ b/src/plugins/audit/test/deps @@ -0,0 +1,14 @@ +# +# Generated makefile dependencies follow. +# +au_test.so au_test.po $(OUTPRE)au_test.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/kdc_j_encode.h $(BUILDTOP)/include/krb5/audit_plugin.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h au_test.c diff --git a/src/plugins/audit/test/k5audit_test.exports b/src/plugins/audit/test/k5audit_test.exports new file mode 100644 index 000000000..8f693632f --- /dev/null +++ b/src/plugins/audit/test/k5audit_test.exports @@ -0,0 +1 @@ +audit_test_initvt diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in index 3525b48ad..d50d513ff 100644 --- a/src/tests/Makefile.in +++ b/src/tests/Makefile.in @@ -118,8 +118,13 @@ check-pytests:: t_init_creds t_localauth $(RUNPYTEST) $(srcdir)/t_cve-2012-1015.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_cve-2013-1416.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_cve-2013-1417.py $(PYTESTFLAGS) + $(RM) au.log + $(RUNPYTEST) $(srcdir)/t_audit.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/jsonwalker.py -d $(srcdir)/au_dict.json \ + -i au.log clean:: $(RM) gcred hist hrealm kdbtest plugorder responder $(RM) t_init_creds t_localauth krb5.conf kdc.conf $(RM) -rf kdc_realm/sandbox ldap + $(RM) au.log diff --git a/src/tests/au_dict.json b/src/tests/au_dict.json new file mode 100644 index 000000000..c0a6e6460 --- /dev/null +++ b/src/tests/au_dict.json @@ -0,0 +1,64 @@ +{ +"event_name":"", +"event_success":0, +"evidence_tkt_id":"", +"fromport":0, +"fromaddr":{ + "type":0, + "length":0, + "ipv4":[]}, +"kdc_status":"", +"rep_etype":0, +"rep.ticket":{ + "authtime":0, + "cname":{ + "components":[], + "realm":"", + "length":0, + "type":0}, + "end":0, + "flags":0, + "sess_etype":0, + "srv_etype":0, + "sname":{ + "components":[], + "realm":"", + "length":0, + "type":0}}, +"req.avail_etypes":[], +"req.client":{ + "components":[], + "realm":"", + "length":0, + "type":0}, +"req_id":"", +"req.kdc_options":0, +"req.pa_type":[] +"req.server":{ + "components":[], + "realm":"", + "length":0, + "type":0}, +"req.tkt_end":0, +"s4u2proxy_user":{ + "components":[], + "realm":"", + "length":0, + "type":0}, +"s4u2self_user":{ + "components":[], + "realm":"", + "length":0, + "type":0}, +"stage":1, +"tkt_in_id":"", +"tkt_renewed":0, +"tkt_out_id":"", +"tkt_validated":0, +"u2u_user":{ + "components":[], + "realm":"", + "length":0, + "type":0}, +"violation":0 +} diff --git a/src/tests/jsonwalker.py b/src/tests/jsonwalker.py new file mode 100644 index 000000000..265c69c70 --- /dev/null +++ b/src/tests/jsonwalker.py @@ -0,0 +1,113 @@ +#!/usr/bin/python + +import sys +try: + import cjson +except ImportError: + print "Warning: skipping audit log verification because the cjson module" \ + " is unavailable" + sys.exit(0) +from collections import defaultdict +from optparse import OptionParser + +class Parser(object): + DEFAULTS = {int:0, + str:'', + list:[]} + + def __init__(self, defconf=None): + self.defaults = None + if defconf is not None: + self.defaults = self.flatten(defconf) + + def run(self, logs, verbose=None): + result = self.parse(logs) + if len(result) != len(self.defaults): + diff = set(self.defaults.keys()).difference(result.keys()) + print 'Test failed.' + print 'The following attributes were not set:' + for it in diff: + print it + sys.exit(1) + + def flatten(self, defaults): + """ + Flattens pathes to attributes. + + Parameters + ---------- + defaults : a dictionaries populated with default values + + Returns : + dict : with flattened attributes + """ + result = dict() + for path,value in self._walk(defaults): + if path in result: + print 'Warning: attribute path %s already exists' % path + result[path] = value + + return result + + def parse(self, logs): + result = defaultdict(list) + for msg in logs: + # each message is treated as a dictionary of dictionaries + for a,v in self._walk(msg): + # see if path is registered in defaults + if a in self.defaults: + dv = self.defaults.get(a) + if dv is None: + # determine default value by type + if v is not None: + dv = self.DEFAULTS[type(v)] + else: + print 'Warning: attribute %s is set to None' % a + continue + # by now we have default value + if v != dv: + # test passed + result[a].append(v) + return result + + def _walk(self, adict): + """ + Generator that works through dictionary. + """ + for a,v in adict.iteritems(): + if isinstance(v,dict): + for (attrpath,u) in self._walk(v): + yield (a+'.'+attrpath,u) + else: + yield (a,v) + + +if __name__ == '__main__': + + parser = OptionParser() + parser.add_option("-i", "--logfile", dest="filename", + help="input log file in json fmt", metavar="FILE") + parser.add_option("-d", "--defaults", dest="defaults", + help="dictionary with defaults", metavar="FILE") + + (options, args) = parser.parse_args() + if options.filename is not None: + with open(options.filename, 'r') as f: + content = list() + for l in f: + content.append(cjson.decode(l.rstrip())) + f.close() + else: + print 'Input file in jason format is required' + exit() + + defaults = None + if options.defaults is not None: + with open(options.defaults, 'r') as f: + defaults = cjson.decode(f.read()) + f.close() + + # run test + p = Parser(defaults) + p.run(content) + exit() diff --git a/src/tests/t_audit.py b/src/tests/t_audit.py new file mode 100644 index 000000000..0cf52543d --- /dev/null +++ b/src/tests/t_audit.py @@ -0,0 +1,31 @@ +#!/usr/bin/python +from k5test import * + +conf = {'plugins': {'audit': { + 'module': 'test:$plugins/audit/test/k5audit_test.so'}}} + +realm = K5Realm(krb5_conf=conf, get_creds=False) +realm.addprinc('target') +realm.run_kadminl('modprinc +ok_to_auth_as_delegate ' + realm.host_princ) + +# Make normal AS and TGS requests so they will be audited. +realm.kinit(realm.host_princ, flags=['-k', '-f']) +realm.run([kvno, 'target']) + +# Make S4U2Self and S4U2Proxy requests so they will be audited. The +# S4U2Proxy request is expected to fail. +out = realm.run([kvno, '-k', realm.keytab, '-U', 'user', '-P', 'target'], + expected_code=1) +if 'NOT_ALLOWED_TO_DELEGATE' not in out: + fail('Unexpected error for S4U2Proxy') + +# Make a U2U request so it will be audited. +uuserver = os.path.join(buildtop, 'appl', 'user_user', 'uuserver') +uuclient = os.path.join(buildtop, 'appl', 'user_user', 'uuclient') +port_arg = str(realm.server_port()) +realm.start_server([uuserver, port_arg], 'Server started') +output = realm.run([uuclient, hostname, 'testing message', port_arg]) +if 'Hello' not in output: + fail('U2U request failed unexpectedly') + +success('Audit tests') |