LCOV - code coverage report
Current view: top level - auth - auth_log.c (source / functions) Hit Total Coverage
Test: coverage report for abartlet/fix-coverage dd10fb34 Lines: 202 315 64.1 %
Date: 2021-09-23 10:06:22 Functions: 7 11 63.6 %

          Line data    Source code
       1             : /*
       2             : 
       3             :    Authentication and authorization logging
       4             : 
       5             :    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2017
       6             : 
       7             :    This program is free software; you can redistribute it and/or modify
       8             :    it under the terms of the GNU General Public License as published by
       9             :    the Free Software Foundation; either version 3 of the License, or
      10             :    (at your option) any later version.
      11             : 
      12             :    This program is distributed in the hope that it will be useful,
      13             :    but WITHOUT ANY WARRANTY; without even the implied warranty of
      14             :    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
      15             :    GNU General Public License for more details.
      16             : 
      17             :    You should have received a copy of the GNU General Public License
      18             :    along with this program.  If not, see <http://www.gnu.org/licenses/>.
      19             : */
      20             : 
      21             : /*
      22             :  * Debug log levels for authentication logging (these both map to
      23             :  * LOG_NOTICE in syslog)
      24             :  */
      25             : #define AUTH_FAILURE_LEVEL 2
      26             : #define AUTH_SUCCESS_LEVEL 3
      27             : #define AUTHZ_SUCCESS_LEVEL 4
      28             : 
      29             : /* 5 is used for both authentication and authorization */
      30             : #define AUTH_ANONYMOUS_LEVEL 5
      31             : #define AUTHZ_ANONYMOUS_LEVEL 5
      32             : 
      33             : #define AUTHZ_JSON_TYPE "Authorization"
      34             : #define AUTH_JSON_TYPE  "Authentication"
      35             : 
      36             : /*
      37             :  * JSON message version numbers
      38             :  *
      39             :  * If adding a field increment the minor version
      40             :  * If removing or changing the format/meaning of a field
      41             :  * increment the major version.
      42             :  */
      43             : #define AUTH_MAJOR 1
      44             : #define AUTH_MINOR 2
      45             : #define AUTHZ_MAJOR 1
      46             : #define AUTHZ_MINOR 1
      47             : 
      48             : #include "includes.h"
      49             : #include "../lib/tsocket/tsocket.h"
      50             : #include "common_auth.h"
      51             : #include "lib/util/util_str_escape.h"
      52             : #include "libcli/security/dom_sid.h"
      53             : #include "libcli/security/security_token.h"
      54             : #include "librpc/gen_ndr/server_id.h"
      55             : #include "source4/lib/messaging/messaging.h"
      56             : #include "source4/lib/messaging/irpc.h"
      57             : #include "lib/util/server_id_db.h"
      58             : #include "lib/param/param.h"
      59             : #include "librpc/ndr/libndr.h"
      60             : #include "librpc/gen_ndr/windows_event_ids.h"
      61             : #include "lib/audit_logging/audit_logging.h"
      62             : 
      63             : /*
      64             :  * Determine the type of the password supplied for the
      65             :  * authorisation attempt.
      66             :  *
      67             :  */
      68             : static const char* get_password_type(const struct auth_usersupplied_info *ui);
      69             : 
      70             : #ifdef HAVE_JANSSON
      71             : 
      72             : #include <jansson.h>
      73             : #include "system/time.h"
      74             : 
      75             : /*
      76             :  * Write the json object to the debug logs.
      77             :  *
      78             :  */
      79       68596 : static void log_json(struct imessaging_context *msg_ctx,
      80             :                      struct loadparm_context *lp_ctx,
      81             :                      struct json_object *object,
      82             :                      int debug_class,
      83             :                      int debug_level)
      84             : {
      85       68596 :         audit_log_json(object, debug_class, debug_level);
      86       68596 :         if (msg_ctx && lp_ctx && lpcfg_auth_event_notification(lp_ctx)) {
      87       68596 :                 audit_message_send(msg_ctx,
      88             :                                    AUTH_EVENT_NAME,
      89             :                                    MSG_AUTH_LOG,
      90             :                                    object);
      91             :         }
      92       68596 : }
      93             : 
      94             : /*
      95             :  * Determine the Windows logon type for the current authorisation attempt.
      96             :  *
      97             :  * Currently Samba only supports
      98             :  *
      99             :  * 2 Interactive      A user logged on to this computer.
     100             :  * 3 Network          A user or computer logged on to this computer from
     101             :  *                    the network.
     102             :  * 8 NetworkCleartext A user logged on to this computer from the network.
     103             :  *                    The user's password was passed to the authentication
     104             :  *                    package in its unhashed form.
     105             :  *
     106             :  */
     107       37214 : static enum event_logon_type get_logon_type(
     108             :         const struct auth_usersupplied_info *ui)
     109             : {
     110       39182 :         if ((ui->logon_parameters & MSV1_0_CLEARTEXT_PASSWORD_SUPPLIED)
     111       39123 :            || (ui->password_state == AUTH_PASSWORD_PLAIN)) {
     112          59 :                 return EVT_LOGON_NETWORK_CLEAR_TEXT;
     113       39123 :         } else if (ui->flags & USER_INFO_INTERACTIVE_LOGON) {
     114         534 :                 return EVT_LOGON_INTERACTIVE;
     115             :         }
     116       36621 :         return EVT_LOGON_NETWORK;
     117             : }
     118             : 
     119             : /*
     120             :  * Write a machine parsable json formatted authentication log entry.
     121             :  *
     122             :  * IF removing or changing the format/meaning of a field please update the
     123             :  *    major version number AUTH_MAJOR
     124             :  *
     125             :  * IF adding a new field please update the minor version number AUTH_MINOR
     126             :  *
     127             :  *  To process the resulting log lines from the commend line use jq to
     128             :  *  parse the json.
     129             :  *
     130             :  *  grep "^  {" log file |
     131             :  *  jq -rc '"\(.timestamp)\t\(.Authentication.status)\t
     132             :  *           \(.Authentication.clientDomain)\t
     133             :  *           \(.Authentication.clientAccount)
     134             :  *           \t\(.Authentication.workstation)
     135             :  *           \t\(.Authentication.remoteAddress)
     136             :  *           \t\(.Authentication.localAddress)"'
     137             :  */
     138       39182 : static void log_authentication_event_json(
     139             :         struct imessaging_context *msg_ctx,
     140             :         struct loadparm_context *lp_ctx,
     141             :         const struct timeval *start_time,
     142             :         const struct auth_usersupplied_info *ui,
     143             :         NTSTATUS status,
     144             :         const char *domain_name,
     145             :         const char *account_name,
     146             :         struct dom_sid *sid,
     147             :         enum event_id_type event_id,
     148             :         int debug_level)
     149             : {
     150       39182 :         struct json_object wrapper = json_empty_object;
     151       39182 :         struct json_object authentication = json_empty_object;
     152             :         char negotiate_flags[11];
     153             :         char logon_id[19];
     154       39182 :         int rc = 0;
     155             : 
     156       39182 :         authentication = json_new_object();
     157       39182 :         if (json_is_invalid(&authentication)) {
     158           0 :                 goto failure;
     159             :         }
     160       39182 :         rc = json_add_version(&authentication, AUTH_MAJOR, AUTH_MINOR);
     161       39182 :         if (rc != 0) {
     162           0 :                 goto failure;
     163             :         }
     164       39182 :         rc = json_add_int(&authentication,
     165             :                           "eventId",
     166             :                           event_id);
     167       39182 :         if (rc != 0) {
     168           0 :                 goto failure;
     169             :         }
     170       41150 :         snprintf(logon_id,
     171             :                  sizeof( logon_id),
     172             :                  "%"PRIx64"",
     173        3440 :                  ui->logon_id);
     174       39182 :         rc = json_add_string(&authentication, "logonId", logon_id);
     175       39182 :         if (rc != 0) {
     176           0 :                 goto failure;
     177             :         }
     178       39182 :         rc = json_add_int(&authentication, "logonType", get_logon_type(ui));
     179       39182 :         if (rc != 0) {
     180           0 :                 goto failure;
     181             :         }
     182       39182 :         rc = json_add_string(&authentication, "status", nt_errstr(status));
     183       39182 :         if (rc != 0) {
     184           0 :                 goto failure;
     185             :         }
     186       39182 :         rc = json_add_address(&authentication, "localAddress", ui->local_host);
     187       39182 :         if (rc != 0) {
     188           0 :                 goto failure;
     189             :         }
     190       35742 :         rc =
     191       39182 :             json_add_address(&authentication, "remoteAddress", ui->remote_host);
     192       39182 :         if (rc != 0) {
     193           0 :                 goto failure;
     194             :         }
     195       39182 :         rc = json_add_string(
     196        3440 :             &authentication, "serviceDescription", ui->service_description);
     197       39182 :         if (rc != 0) {
     198           0 :                 goto failure;
     199             :         }
     200       39182 :         rc = json_add_string(
     201        3440 :             &authentication, "authDescription", ui->auth_description);
     202       39182 :         if (rc != 0) {
     203           0 :                 goto failure;
     204             :         }
     205       39182 :         rc = json_add_string(
     206        3440 :             &authentication, "clientDomain", ui->client.domain_name);
     207       39182 :         if (rc != 0) {
     208           0 :                 goto failure;
     209             :         }
     210       39182 :         rc = json_add_string(
     211        3440 :             &authentication, "clientAccount", ui->client.account_name);
     212       39182 :         if (rc != 0) {
     213           0 :                 goto failure;
     214             :         }
     215       39182 :         rc = json_add_string(
     216        3440 :             &authentication, "workstation", ui->workstation_name);
     217       39182 :         if (rc != 0) {
     218           0 :                 goto failure;
     219             :         }
     220       39182 :         rc = json_add_string(&authentication, "becameAccount", account_name);
     221       39182 :         if (rc != 0) {
     222           0 :                 goto failure;
     223             :         }
     224       39182 :         rc = json_add_string(&authentication, "becameDomain", domain_name);
     225       39182 :         if (rc != 0) {
     226           0 :                 goto failure;
     227             :         }
     228       39182 :         rc = json_add_sid(&authentication, "becameSid", sid);
     229       39182 :         if (rc != 0) {
     230           0 :                 goto failure;
     231             :         }
     232       39182 :         rc = json_add_string(
     233        3440 :             &authentication, "mappedAccount", ui->mapped.account_name);
     234       39182 :         if (rc != 0) {
     235           0 :                 goto failure;
     236             :         }
     237       39182 :         rc = json_add_string(
     238        3440 :             &authentication, "mappedDomain", ui->mapped.domain_name);
     239       39182 :         if (rc != 0) {
     240           0 :                 goto failure;
     241             :         }
     242       39182 :         rc = json_add_string(&authentication,
     243             :                              "netlogonComputer",
     244        3440 :                              ui->netlogon_trust_account.computer_name);
     245       39182 :         if (rc != 0) {
     246           0 :                 goto failure;
     247             :         }
     248       39182 :         rc = json_add_string(&authentication,
     249             :                              "netlogonTrustAccount",
     250        3440 :                              ui->netlogon_trust_account.account_name);
     251       39182 :         if (rc != 0) {
     252           0 :                 goto failure;
     253             :         }
     254       41150 :         snprintf(negotiate_flags,
     255             :                  sizeof( negotiate_flags),
     256             :                  "0x%08X",
     257        3440 :                  ui->netlogon_trust_account.negotiate_flags);
     258       39182 :         rc = json_add_string(
     259             :             &authentication, "netlogonNegotiateFlags", negotiate_flags);
     260       39182 :         if (rc != 0) {
     261           0 :                 goto failure;
     262             :         }
     263       39182 :         rc = json_add_int(&authentication,
     264             :                           "netlogonSecureChannelType",
     265       39182 :                           ui->netlogon_trust_account.secure_channel_type);
     266       39182 :         if (rc != 0) {
     267           0 :                 goto failure;
     268             :         }
     269       39182 :         rc = json_add_sid(&authentication,
     270             :                           "netlogonTrustAccountSid",
     271       39182 :                           ui->netlogon_trust_account.sid);
     272       39182 :         if (rc != 0) {
     273           0 :                 goto failure;
     274             :         }
     275       39182 :         rc = json_add_string(
     276             :             &authentication, "passwordType", get_password_type(ui));
     277       39182 :         if (rc != 0) {
     278           0 :                 goto failure;
     279             :         }
     280             : 
     281       39182 :         wrapper = json_new_object();
     282       39182 :         if (json_is_invalid(&wrapper)) {
     283           0 :                 goto failure;
     284             :         }
     285       39182 :         rc = json_add_timestamp(&wrapper);
     286       39182 :         if (rc != 0) {
     287           0 :                 goto failure;
     288             :         }
     289       39182 :         rc = json_add_string(&wrapper, "type", AUTH_JSON_TYPE);
     290       39182 :         if (rc != 0) {
     291           0 :                 goto failure;
     292             :         }
     293       39182 :         rc = json_add_object(&wrapper, AUTH_JSON_TYPE, &authentication);
     294       39182 :         if (rc != 0) {
     295           0 :                 goto failure;
     296             :         }
     297             : 
     298             :         /*
     299             :          * While not a general-purpose profiling solution this will
     300             :          * assist some to determine how long NTLM and KDC
     301             :          * authentication takes once this process can handle it.  This
     302             :          * covers transactions elsewhere but not (eg) the delay while
     303             :          * this is waiting unread on the input socket.
     304             :          */
     305       39182 :         if (start_time != NULL) {
     306       36327 :                 struct timeval current_time = timeval_current();
     307       36327 :                 uint64_t duration =  usec_time_diff(&current_time,
     308             :                                                     start_time);
     309       36327 :                 rc = json_add_int(&authentication, "duration", duration);
     310       36327 :                 if (rc != 0) {
     311           0 :                         goto failure;
     312             :                 }
     313             :         }
     314             : 
     315       39182 :         log_json(msg_ctx,
     316             :                  lp_ctx,
     317             :                  &wrapper,
     318             :                  DBGC_AUTH_AUDIT_JSON,
     319             :                  debug_level);
     320       39182 :         json_free(&wrapper);
     321       39182 :         return;
     322           0 : failure:
     323             :         /*
     324             :          * On a failure authentication will not have been added to wrapper so it
     325             :          * needs to be freed to avoid a leak.
     326             :          *
     327             :          */
     328           0 :         json_free(&authentication);
     329           0 :         json_free(&wrapper);
     330           0 :         DBG_ERR("Failed to write authentication event JSON log message\n");
     331             : }
     332             : 
     333             : /*
     334             :  * Log details of a successful authorization to a service,
     335             :  * in a machine parsable json format
     336             :  *
     337             :  * IF removing or changing the format/meaning of a field please update the
     338             :  *    major version number AUTHZ_MAJOR
     339             :  *
     340             :  * IF adding a new field please update the minor version number AUTHZ_MINOR
     341             :  *
     342             :  *  To process the resulting log lines from the commend line use jq to
     343             :  *  parse the json.
     344             :  *
     345             :  *  grep "^  {" log_file |\
     346             :  *  jq -rc '"\(.timestamp)\t
     347             :  *           \(.Authorization.domain)\t
     348             :  *           \(.Authorization.account)\t
     349             :  *           \(.Authorization.remoteAddress)"'
     350             :  *
     351             :  */
     352       29414 : static void log_successful_authz_event_json(
     353             :         struct imessaging_context *msg_ctx,
     354             :         struct loadparm_context *lp_ctx,
     355             :         const struct tsocket_address *remote,
     356             :         const struct tsocket_address *local,
     357             :         const char *service_description,
     358             :         const char *auth_type,
     359             :         const char *transport_protection,
     360             :         struct auth_session_info *session_info,
     361             :         int debug_level)
     362             : {
     363       29414 :         struct json_object wrapper = json_empty_object;
     364       29414 :         struct json_object authorization = json_empty_object;
     365             :         char account_flags[11];
     366       29414 :         int rc = 0;
     367             : 
     368       29414 :         authorization = json_new_object();
     369       29414 :         if (json_is_invalid(&authorization)) {
     370           0 :                 goto failure;
     371             :         }
     372       29414 :         rc = json_add_version(&authorization, AUTHZ_MAJOR, AUTHZ_MINOR);
     373       29414 :         if (rc != 0) {
     374           0 :                 goto failure;
     375             :         }
     376       29414 :         rc = json_add_address(&authorization, "localAddress", local);
     377       29414 :         if (rc != 0) {
     378           0 :                 goto failure;
     379             :         }
     380       29414 :         rc = json_add_address(&authorization, "remoteAddress", remote);
     381       29414 :         if (rc != 0) {
     382           0 :                 goto failure;
     383             :         }
     384       29414 :         rc = json_add_string(
     385             :             &authorization, "serviceDescription", service_description);
     386       29414 :         if (rc != 0) {
     387           0 :                 goto failure;
     388             :         }
     389       29414 :         rc = json_add_string(&authorization, "authType", auth_type);
     390       29414 :         if (rc != 0) {
     391           0 :                 goto failure;
     392             :         }
     393       29414 :         rc = json_add_string(
     394       29414 :             &authorization, "domain", session_info->info->domain_name);
     395       29414 :         if (rc != 0) {
     396           0 :                 goto failure;
     397             :         }
     398       29414 :         rc = json_add_string(
     399       29414 :             &authorization, "account", session_info->info->account_name);
     400       29414 :         if (rc != 0) {
     401           0 :                 goto failure;
     402             :         }
     403       29414 :         rc = json_add_sid(
     404       29414 :             &authorization, "sid", &session_info->security_token->sids[0]);
     405       29414 :         if (rc != 0) {
     406           0 :                 goto failure;
     407             :         }
     408       29414 :         rc = json_add_guid(
     409       29414 :             &authorization, "sessionId", &session_info->unique_session_token);
     410       29414 :         if (rc != 0) {
     411           0 :                 goto failure;
     412             :         }
     413       29414 :         rc = json_add_string(
     414       29414 :             &authorization, "logonServer", session_info->info->logon_server);
     415       29414 :         if (rc != 0) {
     416           0 :                 goto failure;
     417             :         }
     418       29414 :         rc = json_add_string(
     419             :             &authorization, "transportProtection", transport_protection);
     420       29414 :         if (rc != 0) {
     421           0 :                 goto failure;
     422             :         }
     423             : 
     424       30914 :         snprintf(account_flags,
     425             :                  sizeof(account_flags),
     426             :                  "0x%08X",
     427       29414 :                  session_info->info->acct_flags);
     428       29414 :         rc = json_add_string(&authorization, "accountFlags", account_flags);
     429       29414 :         if (rc != 0) {
     430           0 :                 goto failure;
     431             :         }
     432             : 
     433       29414 :         wrapper = json_new_object();
     434       29414 :         if (json_is_invalid(&wrapper)) {
     435           0 :                 goto failure;
     436             :         }
     437       29414 :         rc = json_add_timestamp(&wrapper);
     438       29414 :         if (rc != 0) {
     439           0 :                 goto failure;
     440             :         }
     441       29414 :         rc = json_add_string(&wrapper, "type", AUTHZ_JSON_TYPE);
     442       29414 :         if (rc != 0) {
     443           0 :                 goto failure;
     444             :         }
     445       29414 :         rc = json_add_object(&wrapper, AUTHZ_JSON_TYPE, &authorization);
     446       29414 :         if (rc != 0) {
     447           0 :                 goto failure;
     448             :         }
     449             : 
     450       29414 :         log_json(msg_ctx,
     451             :                  lp_ctx,
     452             :                  &wrapper,
     453             :                  DBGC_AUTH_AUDIT_JSON,
     454             :                  debug_level);
     455       29414 :         json_free(&wrapper);
     456       29414 :         return;
     457           0 : failure:
     458             :         /*
     459             :          * On a failure authorization will not have been added to wrapper so it
     460             :          * needs to be freed to avoid a leak.
     461             :          *
     462             :          */
     463           0 :         json_free(&authorization);
     464           0 :         json_free(&wrapper);
     465           0 :         DBG_ERR("Unable to log Authentication event JSON audit message\n");
     466             : }
     467             : 
     468             : #else
     469             : 
     470           0 : static void log_no_json(struct imessaging_context *msg_ctx,
     471             :                         struct loadparm_context *lp_ctx)
     472             : {
     473           0 :         if (msg_ctx && lp_ctx && lpcfg_auth_event_notification(lp_ctx)) {
     474             :                 static bool auth_event_logged = false;
     475           0 :                 if (auth_event_logged == false) {
     476           0 :                         auth_event_logged = true;
     477           0 :                         DBG_ERR("auth event notification = true but Samba was "
     478             :                                 "not compiled with jansson\n");
     479             :                 }
     480             :         } else {
     481             :                 static bool json_logged = false;
     482           0 :                 if (json_logged == false) {
     483           0 :                         json_logged = true;
     484           0 :                         DBG_NOTICE("JSON auth logs not available unless "
     485             :                                    "compiled with jansson\n");
     486             :                 }
     487             :         }
     488             : 
     489           0 :         return;
     490             : }
     491             : 
     492           0 : static void log_authentication_event_json(
     493             :         struct imessaging_context *msg_ctx,
     494             :         struct loadparm_context *lp_ctx,
     495             :         const struct timeval *start_time,
     496             :         const struct auth_usersupplied_info *ui,
     497             :         NTSTATUS status,
     498             :         const char *domain_name,
     499             :         const char *account_name,
     500             :         struct dom_sid *sid,
     501             :         enum event_id_type event_id,
     502             :         int debug_level)
     503             : {
     504           0 :         log_no_json(msg_ctx, lp_ctx);
     505           0 :         return;
     506             : }
     507             : 
     508           0 : static void log_successful_authz_event_json(
     509             :         struct imessaging_context *msg_ctx,
     510             :         struct loadparm_context *lp_ctx,
     511             :         const struct tsocket_address *remote,
     512             :         const struct tsocket_address *local,
     513             :         const char *service_description,
     514             :         const char *auth_type,
     515             :         const char *transport_protection,
     516             :         struct auth_session_info *session_info,
     517             :         int debug_level)
     518             : {
     519           0 :         log_no_json(msg_ctx, lp_ctx);
     520           0 :         return;
     521             : }
     522             : 
     523             : #endif
     524             : 
     525             : /*
     526             :  * Determine the type of the password supplied for the
     527             :  * authorisation attempt.
     528             :  *
     529             :  */
     530       39182 : static const char* get_password_type(const struct auth_usersupplied_info *ui)
     531             : {
     532             : 
     533       39182 :         const char *password_type = NULL;
     534             : 
     535       39182 :         if (ui->password_type != NULL) {
     536       17000 :                 password_type = ui->password_type;
     537       39557 :         } else if (ui->auth_description != NULL &&
     538       21004 :                    strncmp("ServerAuthenticate", ui->auth_description, 18) == 0)
     539             :         {
     540        4305 :                 if (ui->netlogon_trust_account.negotiate_flags
     541        1707 :                     & NETLOGON_NEG_SUPPORTS_AES) {
     542         652 :                         password_type = "HMAC-SHA256";
     543        1660 :                 } else if (ui->netlogon_trust_account.negotiate_flags
     544         961 :                            & NETLOGON_NEG_STRONG_KEYS) {
     545         564 :                         password_type = "HMAC-MD5";
     546             :                 } else {
     547         317 :                         password_type = "DES";
     548             :                 }
     549       36309 :         } else if (ui->password_state == AUTH_PASSWORD_RESPONSE &&
     550       19282 :                    (ui->logon_parameters & MSV1_0_ALLOW_MSVCHAPV2) &&
     551           7 :                    ui->password.response.nt.length == 24) {
     552           7 :                 password_type = "MSCHAPv2";
     553       19878 :         } else if ((ui->logon_parameters & MSV1_0_CLEARTEXT_PASSWORD_SUPPLIED)
     554       19819 :                    || (ui->password_state == AUTH_PASSWORD_PLAIN)) {
     555          59 :                 password_type = "Plaintext";
     556       19819 :         } else if (ui->password_state == AUTH_PASSWORD_HASH) {
     557         534 :                 password_type = "Supplied-NT-Hash";
     558       19285 :         } else if (ui->password_state == AUTH_PASSWORD_RESPONSE
     559       19268 :                    && ui->password.response.nt.length > 24) {
     560       13377 :                 password_type = "NTLMv2";
     561        4754 :         } else if (ui->password_state == AUTH_PASSWORD_RESPONSE
     562        4737 :                    && ui->password.response.nt.length == 24) {
     563        2901 :                 password_type = "NTLMv1";
     564        1853 :         } else if (ui->password_state == AUTH_PASSWORD_RESPONSE
     565        1836 :                    && ui->password.response.lanman.length == 24) {
     566         897 :                 password_type = "LANMan";
     567         956 :         } else if (ui->password_state == AUTH_PASSWORD_RESPONSE
     568         939 :                    && ui->password.response.nt.length == 0
     569         703 :                    && ui->password.response.lanman.length == 0) {
     570         500 :                 password_type = "No-Password";
     571             :         }
     572       39182 :         return password_type;
     573             : }
     574             : 
     575             : /*
     576             :  * Write a human readable authentication log entry.
     577             :  *
     578             :  */
     579           0 : static void log_authentication_event_human_readable(
     580             :         const struct auth_usersupplied_info *ui,
     581             :         NTSTATUS status,
     582             :         const char *domain_name,
     583             :         const char *account_name,
     584             :         struct dom_sid *sid,
     585             :         int debug_level)
     586             : {
     587           0 :         TALLOC_CTX *frame = NULL;
     588             : 
     589           0 :         const char *ts = NULL;             /* formatted current time      */
     590           0 :         char *remote = NULL;               /* formatted remote host       */
     591           0 :         char *local = NULL;                /* formatted local host        */
     592           0 :         char *nl = NULL;                   /* NETLOGON details if present */
     593           0 :         char *trust_computer_name = NULL;
     594           0 :         char *trust_account_name = NULL;
     595           0 :         char *logon_line = NULL;
     596           0 :         const char *password_type = NULL;
     597             : 
     598           0 :         frame = talloc_stackframe();
     599             : 
     600           0 :         password_type = get_password_type(ui);
     601             :         /* Get the current time */
     602           0 :         ts = audit_get_timestamp(frame);
     603             : 
     604             :         /* Only log the NETLOGON details if they are present */
     605           0 :         if (ui->netlogon_trust_account.computer_name ||
     606           0 :             ui->netlogon_trust_account.account_name) {
     607           0 :                 trust_computer_name = log_escape(frame,
     608           0 :                         ui->netlogon_trust_account.computer_name);
     609           0 :                 trust_account_name  = log_escape(frame,
     610           0 :                         ui->netlogon_trust_account.account_name);
     611           0 :                 nl = talloc_asprintf(frame,
     612             :                         " NETLOGON computer [%s] trust account [%s]",
     613             :                         trust_computer_name, trust_account_name);
     614             :         }
     615             : 
     616           0 :         remote = tsocket_address_string(ui->remote_host, frame);
     617           0 :         local = tsocket_address_string(ui->local_host, frame);
     618             : 
     619           0 :         if (NT_STATUS_IS_OK(status)) {
     620             :                 struct dom_sid_buf sid_buf;
     621             : 
     622           0 :                 logon_line = talloc_asprintf(frame,
     623             :                                              " became [%s]\\[%s] [%s].",
     624             :                                              log_escape(frame, domain_name),
     625             :                                              log_escape(frame, account_name),
     626             :                                              dom_sid_str_buf(sid, &sid_buf));
     627             :         } else {
     628           0 :                 logon_line = talloc_asprintf(
     629             :                                 frame,
     630             :                                 " mapped to [%s]\\[%s].",
     631           0 :                                 log_escape(frame, ui->mapped.domain_name),
     632           0 :                                 log_escape(frame, ui->mapped.account_name));
     633             :         }
     634             : 
     635           0 :         DEBUGC(DBGC_AUTH_AUDIT, debug_level,
     636             :                ("Auth: [%s,%s] user [%s]\\[%s]"
     637             :                 " at [%s] with [%s] status [%s]"
     638             :                 " workstation [%s] remote host [%s]"
     639             :                 "%s local host [%s]"
     640             :                 " %s\n",
     641             :                 ui->service_description,
     642             :                 ui->auth_description,
     643             :                 log_escape(frame, ui->client.domain_name),
     644             :                 log_escape(frame, ui->client.account_name),
     645             :                 ts,
     646             :                 password_type,
     647             :                 nt_errstr(status),
     648             :                 log_escape(frame, ui->workstation_name),
     649             :                 remote,
     650             :                 logon_line,
     651             :                 local,
     652             :                 nl ? nl : ""
     653             :         ));
     654             : 
     655           0 :         talloc_free(frame);
     656           0 : }
     657             : 
     658             : /*
     659             :  * Log details of an authentication attempt.
     660             :  * Successful and unsuccessful attempts are logged.
     661             :  *
     662             :  * NOTE: msg_ctx and lp_ctx is optional, but when supplied allows streaming the
     663             :  * authentication events over the message bus.
     664             :  */
     665       73852 : void log_authentication_event(
     666             :         struct imessaging_context *msg_ctx,
     667             :         struct loadparm_context *lp_ctx,
     668             :         const struct timeval *start_time,
     669             :         const struct auth_usersupplied_info *ui,
     670             :         NTSTATUS status,
     671             :         const char *domain_name,
     672             :         const char *account_name,
     673             :         struct dom_sid *sid)
     674             : {
     675             :         /* set the log level */
     676       73852 :         int debug_level = AUTH_FAILURE_LEVEL;
     677       73852 :         enum event_id_type event_id = EVT_ID_UNSUCCESSFUL_LOGON;
     678             : 
     679       73852 :         if (NT_STATUS_IS_OK(status)) {
     680       64795 :                 debug_level = AUTH_SUCCESS_LEVEL;
     681       64795 :                 event_id = EVT_ID_SUCCESSFUL_LOGON;
     682       64795 :                 if (dom_sid_equal(sid, &global_sid_Anonymous)) {
     683         393 :                         debug_level = AUTH_ANONYMOUS_LEVEL;
     684             :                 }
     685             :         }
     686             : 
     687       73852 :         if (CHECK_DEBUGLVLC(DBGC_AUTH_AUDIT, debug_level)) {
     688           0 :                 log_authentication_event_human_readable(ui,
     689             :                                                         status,
     690             :                                                         domain_name,
     691             :                                                         account_name,
     692             :                                                         sid,
     693             :                                                         debug_level);
     694             :         }
     695       75820 :         if (CHECK_DEBUGLVLC(DBGC_AUTH_AUDIT_JSON, debug_level) ||
     696       56149 :             (msg_ctx && lp_ctx && lpcfg_auth_event_notification(lp_ctx))) {
     697       39182 :                 log_authentication_event_json(msg_ctx,
     698             :                                               lp_ctx,
     699             :                                               start_time,
     700             :                                               ui,
     701             :                                               status,
     702             :                                               domain_name,
     703             :                                               account_name,
     704             :                                               sid,
     705             :                                               event_id,
     706             :                                               debug_level);
     707             :         }
     708       73852 : }
     709             : 
     710             : 
     711             : 
     712             : /*
     713             :  * Log details of a successful authorization to a service,
     714             :  * in a human readable format.
     715             :  *
     716             :  */
     717           0 : static void log_successful_authz_event_human_readable(
     718             :         const struct tsocket_address *remote,
     719             :         const struct tsocket_address *local,
     720             :         const char *service_description,
     721             :         const char *auth_type,
     722             :         struct auth_session_info *session_info,
     723             :         int debug_level)
     724             : {
     725           0 :         TALLOC_CTX *frame = NULL;
     726             : 
     727           0 :         const char *ts = NULL;       /* formatted current time      */
     728           0 :         char *remote_str = NULL;     /* formatted remote host       */
     729           0 :         char *local_str = NULL;      /* formatted local host        */
     730             :         struct dom_sid_buf sid_buf;
     731             : 
     732           0 :         frame = talloc_stackframe();
     733             : 
     734             :         /* Get the current time */
     735           0 :         ts = audit_get_timestamp(frame);
     736             : 
     737           0 :         remote_str = tsocket_address_string(remote, frame);
     738           0 :         local_str = tsocket_address_string(local, frame);
     739             : 
     740           0 :         DEBUGC(DBGC_AUTH_AUDIT, debug_level,
     741             :                ("Successful AuthZ: [%s,%s] user [%s]\\[%s] [%s]"
     742             :                 " at [%s]"
     743             :                 " Remote host [%s]"
     744             :                 " local host [%s]\n",
     745             :                 service_description,
     746             :                 auth_type,
     747             :                 log_escape(frame, session_info->info->domain_name),
     748             :                 log_escape(frame, session_info->info->account_name),
     749             :                 dom_sid_str_buf(&session_info->security_token->sids[0],
     750             :                                 &sid_buf),
     751             :                 ts,
     752             :                 remote_str,
     753             :                 local_str));
     754             : 
     755           0 :         talloc_free(frame);
     756           0 : }
     757             : 
     758             : /*
     759             :  * Log details of a successful authorization to a service.
     760             :  *
     761             :  * Only successful authorizations are logged.  For clarity:
     762             :  * - NTLM bad passwords will be recorded by log_authentication_event
     763             :  * - Kerberos decrypt failures need to be logged in gensec_gssapi et al
     764             :  *
     765             :  * The service may later refuse authorization due to an ACL.
     766             :  *
     767             :  * NOTE: msg_ctx and lp_ctx is optional, but when supplied allows streaming the
     768             :  * authentication events over the message bus.
     769             :  */
     770       76347 : void log_successful_authz_event(
     771             :         struct imessaging_context *msg_ctx,
     772             :         struct loadparm_context *lp_ctx,
     773             :         const struct tsocket_address *remote,
     774             :         const struct tsocket_address *local,
     775             :         const char *service_description,
     776             :         const char *auth_type,
     777             :         const char *transport_protection,
     778             :         struct auth_session_info *session_info)
     779             : {
     780       76347 :         int debug_level = AUTHZ_SUCCESS_LEVEL;
     781             : 
     782             :         /* set the log level */
     783       76347 :         if (security_token_is_anonymous(session_info->security_token)) {
     784        8931 :                 debug_level = AUTH_ANONYMOUS_LEVEL;
     785             :         }
     786             : 
     787       76347 :         if (CHECK_DEBUGLVLC(DBGC_AUTH_AUDIT, debug_level)) {
     788           0 :                 log_successful_authz_event_human_readable(remote,
     789             :                                                           local,
     790             :                                                           service_description,
     791             :                                                           auth_type,
     792             :                                                           session_info,
     793             :                                                           debug_level);
     794             :         }
     795       77847 :         if (CHECK_DEBUGLVLC(DBGC_AUTH_AUDIT_JSON, debug_level) ||
     796       49227 :             (msg_ctx && lp_ctx && lpcfg_auth_event_notification(lp_ctx))) {
     797       29414 :                 log_successful_authz_event_json(msg_ctx, lp_ctx,
     798             :                                                 remote,
     799             :                                                 local,
     800             :                                                 service_description,
     801             :                                                 auth_type,
     802             :                                                 transport_protection,
     803             :                                                 session_info,
     804             :                                                 debug_level);
     805             :         }
     806       76347 : }

Generated by: LCOV version 1.13