csu3_am335x/EVSE/GPL/linux-pam-1.5.2/libpam/pam_prelude.c

/*
 * pam_prelude.c -- prelude reporting
 * http://www.prelude-ids.org
 *
 * (C) Sebastien Tricaud 2005 <toady@gscore.org>
 */

#include <stdio.h>
#include <syslog.h>

#ifdef PRELUDE

#include <libprelude/prelude.h>
#include <libprelude/prelude-log.h>
#include <libprelude/idmef-message-print.h>

#include "pam_prelude.h"
#include "pam_private.h"


#define ANALYZER_CLASS "pam"
#define ANALYZER_MODEL "PAM"
#define ANALYZER_MANUFACTURER "Sebastien Tricaud, http://www.kernel.org/pub/linux/libs/pam/"

#define DEFAULT_ANALYZER_NAME "PAM"

static const char *
pam_get_item_service(const pam_handle_t *pamh)
{
        const void *service = NULL;

	pam_get_item(pamh, PAM_SERVICE, &service);

        return service;
}

static const char *
pam_get_item_user(const pam_handle_t *pamh)
{
        const void *user = NULL;

	pam_get_item(pamh, PAM_USER, &user);

        return user;
}

static const char *
pam_get_item_user_prompt(const pam_handle_t *pamh)
{
        const void *user_prompt = NULL;

	pam_get_item(pamh, PAM_USER_PROMPT, &user_prompt);

        return user_prompt;
}

static const char *
pam_get_item_tty(const pam_handle_t *pamh)
{
        const void *tty = NULL;

	pam_get_item(pamh, PAM_TTY, &tty);

        return tty;
}

static const char *
pam_get_item_ruser(const pam_handle_t *pamh)
{
        const void *ruser = NULL;

	pam_get_item(pamh, PAM_RUSER, &ruser);

        return ruser;
}

static const char *
pam_get_item_rhost(const pam_handle_t *pamh)
{
        const void *rhost = NULL;

	pam_get_item(pamh, PAM_RHOST, &rhost);

        return rhost;
}

/* Courteously stolen from prelude-lml */
static int
generate_additional_data(idmef_alert_t *alert, const char *meaning,
			 const char *data)
{
        int ret;
        prelude_string_t *str;
        idmef_additional_data_t *adata;

        ret = idmef_alert_new_additional_data(alert, &adata, -1);
        if ( ret < 0 )
                return ret;

        ret = idmef_additional_data_new_meaning(adata, &str);
        if ( ret < 0 )
                return ret;

        ret = prelude_string_set_ref(str, meaning);
        if ( ret < 0 )
                return ret;

        return idmef_additional_data_set_string_ref(adata, data);
}

static int
setup_analyzer(const pam_handle_t *pamh, idmef_analyzer_t *analyzer)
{
        int ret;
        prelude_string_t *string;

        ret = idmef_analyzer_new_model(analyzer, &string);
        if ( ret < 0 )
                goto err;
        prelude_string_set_constant(string, ANALYZER_MODEL);

	ret = idmef_analyzer_new_class(analyzer, &string);
        if ( ret < 0 )
                goto err;
        prelude_string_set_constant(string, ANALYZER_CLASS);

	ret = idmef_analyzer_new_manufacturer(analyzer, &string);
        if ( ret < 0 )
                goto err;
        prelude_string_set_constant(string, ANALYZER_MANUFACTURER);

	ret = idmef_analyzer_new_version(analyzer, &string);
        if ( ret < 0 )
                goto err;
        prelude_string_set_constant(string, PAM_VERSION);


        return 0;

 err:
        pam_syslog(pamh, LOG_WARNING,
                   "%s: IDMEF error: %s.\n",
                   prelude_strsource(ret), prelude_strerror(ret));

        return -1;
}

static void
pam_alert_prelude(const char *msg, void *data,
		  pam_handle_t *pamh, int authval)
{
        int ret;
        idmef_time_t *clienttime;
        idmef_alert_t *alert;
        prelude_string_t *str;
        idmef_message_t *idmef = NULL;
        idmef_classification_t *class;
        prelude_client_t *client = (prelude_client_t *)data;
        idmef_source_t *source;
        idmef_target_t *target;
        idmef_user_t *user;
        idmef_user_id_t *user_id;
        idmef_process_t *process;
        idmef_classification_t *classification;
        idmef_impact_t *impact;
        idmef_assessment_t *assessment;
        idmef_node_t *node;
	idmef_analyzer_t *analyzer;


        ret = idmef_message_new(&idmef);
        if ( ret < 0 )
                goto err;

        ret = idmef_message_new_alert(idmef, &alert);
        if ( ret < 0 )
                goto err;

        ret = idmef_alert_new_classification(alert, &class);
        if ( ret < 0 )
                goto err;

        ret = idmef_classification_new_text(class, &str);
        if ( ret < 0 )
                goto err;

        ret = prelude_string_new_ref(&str, msg);
        if ( ret < 0 )
                goto err;

        idmef_classification_set_text(class, str);

        ret = idmef_time_new_from_gettimeofday(&clienttime);
        if ( ret < 0 )
                goto err;
        idmef_alert_set_create_time(alert, clienttime);

        idmef_alert_set_analyzer(alert,
                                 idmef_analyzer_ref(prelude_client_get_analyzer(client)),
                                 0);

        /**********
         * SOURCE *
         **********/
        ret = idmef_alert_new_source(alert, &source, -1);
        if ( ret < 0 )
                goto err;

        /* BEGIN: Sets the user doing authentication stuff */
        ret = idmef_source_new_user(source, &user);
        if ( ret < 0 )
                goto err;
        idmef_user_set_category(user, IDMEF_USER_CATEGORY_APPLICATION);

        ret = idmef_user_new_user_id(user, &user_id, 0);
        if ( ret < 0 )
                goto err;
        idmef_user_id_set_type(user_id, IDMEF_USER_ID_TYPE_ORIGINAL_USER);

	if ( pam_get_item_ruser(pamh) ) {
	        ret = prelude_string_new(&str);
                if ( ret < 0 )
                        goto err;

	        ret = prelude_string_set_ref(str, pam_get_item_ruser(pamh));
                if ( ret < 0 )
                        goto err;

	        idmef_user_id_set_name(user_id, str);
	}
        /* END */
        /* BEGIN: Adds TTY infos */
	if ( pam_get_item_tty(pamh) ) {
	        ret = prelude_string_new(&str);
                if ( ret < 0 )
                        goto err;

	        ret = prelude_string_set_ref(str, pam_get_item_tty(pamh));
                if ( ret < 0 )
                        goto err;

                idmef_user_id_set_tty(user_id, str);
	}
        /* END */
        /* BEGIN: Sets the source node (rhost) */
        ret = idmef_source_new_node(source, &node);
        if ( ret < 0 )
                goto err;
        idmef_node_set_category(node, IDMEF_NODE_CATEGORY_HOSTS);

	if ( pam_get_item_rhost(pamh) ) {
	        ret = prelude_string_new(&str);
                if ( ret < 0 )
                        goto err;

		ret = prelude_string_set_ref(str, pam_get_item_rhost(pamh));
                if ( ret < 0 )
                        goto err;

		idmef_node_set_name(node, str);
	}
        /* END */
        /* BEGIN: Describe the service */
        ret = idmef_source_new_process(source, &process);
        if ( ret < 0 )
                goto err;
        idmef_process_set_pid(process, getpid());

	if ( pam_get_item_service(pamh) ) {
	        ret = prelude_string_new(&str);
                if ( ret < 0 )
                        goto err;

		ret = prelude_string_set_ref(str, pam_get_item_service(pamh));
                if ( ret < 0 )
                        goto err;

		idmef_process_set_name(process, str);
	}
        /* END */

        /**********
         * TARGET *
         **********/

        ret = idmef_alert_new_target(alert, &target, -1);
        if ( ret < 0 )
                goto err;


        /* BEGIN: Sets the target node  */
	analyzer = prelude_client_get_analyzer(client);
        if ( ! analyzer ) goto err;

	node = idmef_analyzer_get_node(analyzer);
        if ( ! node ) goto err;
	idmef_target_set_node(target, node);
	node = idmef_node_ref(node);
        if ( ! node ) goto err;
	/* END */
        /* BEGIN: Sets the user doing authentication stuff */
        ret = idmef_target_new_user(target, &user);
        if ( ret < 0 )
                goto err;
        idmef_user_set_category(user, IDMEF_USER_CATEGORY_APPLICATION);

        ret = idmef_user_new_user_id(user, &user_id, 0);
        if ( ret < 0 )
                goto err;
        idmef_user_id_set_type(user_id, IDMEF_USER_ID_TYPE_TARGET_USER);

	if ( pam_get_item_user(pamh) ) {
	        ret = prelude_string_new(&str);
                if ( ret < 0 )
                        goto err;

		ret = prelude_string_set_ref(str, pam_get_item_user(pamh));
                if ( ret < 0 )
                        goto err;

		idmef_user_id_set_name(user_id, str);
	}
        /* END */
        /* BEGIN: Short description of the alert */
        ret = idmef_alert_new_classification(alert, &classification);
        if ( ret < 0 )
                goto err;

        ret = prelude_string_new(&str);
        if ( ret < 0 )
                goto err;

        ret = prelude_string_set_ref(str,
                                     authval == PAM_SUCCESS ?
                                     "Authentication Success" : "Authentication Failure");
        if ( ret < 0 )
                goto err;

        idmef_classification_set_text(classification, str);
        /* END */
        /* BEGIN: Long description of the alert */
        ret = idmef_alert_new_assessment(alert, &assessment);
        if ( ret < 0 )
                goto err;

        ret = idmef_assessment_new_impact(assessment, &impact);
        if ( ret < 0 )
                goto err;

        ret = prelude_string_new(&str);
        if ( ret < 0 )
                goto err;

        ret = prelude_string_set_ref(str, pam_strerror (pamh, authval));
        if ( ret < 0 )
                goto err;

        idmef_impact_set_description(impact, str);
        /* END */
        /* BEGIN: Adding additional data */
	if ( pam_get_item_user_prompt(pamh) ) {
	        ret = generate_additional_data(alert, "Local User Prompt",
                                               pam_get_item_user_prompt(pamh));
                if ( ret < 0 )
                        goto err;
        }
        /* END */

        prelude_client_send_idmef(client, idmef);

        if ( idmef )
                idmef_message_destroy(idmef);

	return;
 err:
        pam_syslog(pamh, LOG_WARNING, "%s: IDMEF error: %s.\n",
                   prelude_strsource(ret), prelude_strerror(ret));

        if ( idmef )
                idmef_message_destroy(idmef);

}

static int
pam_alert_prelude_init(pam_handle_t *pamh, int authval)
{

        int ret;
        prelude_client_t *client = NULL;

        ret = prelude_init(NULL, NULL);
        if ( ret < 0 ) {
                pam_syslog(pamh, LOG_WARNING,
                         "%s: Unable to initialize the Prelude library: %s.\n",
                         prelude_strsource(ret), prelude_strerror(ret));
                return -1;
        }

        ret = prelude_client_new(&client, DEFAULT_ANALYZER_NAME);
        if ( ! client ) {
                pam_syslog(pamh, LOG_WARNING,
                         "%s: Unable to create a prelude client object: %s.\n",
                         prelude_strsource(ret), prelude_strerror(ret));

                return -1;
        }


        ret = setup_analyzer(pamh, prelude_client_get_analyzer(client));
        if ( ret < 0 ) {
                pam_syslog(pamh, LOG_WARNING,
                         "%s: Unable to setup analyzer: %s\n",
                         prelude_strsource(ret), prelude_strerror(ret));

		prelude_client_destroy(client, PRELUDE_CLIENT_EXIT_STATUS_FAILURE);

		return -1;
        }

        ret = prelude_client_start(client);
        if ( ret < 0 ) {
                pam_syslog(pamh, LOG_WARNING,
                         "%s: Unable to initialize prelude client: %s.\n",
                         prelude_strsource(ret), prelude_strerror(ret));

		prelude_client_destroy(client, PRELUDE_CLIENT_EXIT_STATUS_FAILURE);

                return -1;
        }

        pam_alert_prelude("libpam alert" , client, pamh, authval);

	prelude_client_destroy(client, PRELUDE_CLIENT_EXIT_STATUS_SUCCESS);

        return 0;
}

void
prelude_send_alert(pam_handle_t *pamh, int authval)
{

        int ret;

        prelude_log_set_flags(PRELUDE_LOG_FLAGS_SYSLOG);

        ret = pam_alert_prelude_init(pamh, authval);
        if ( ret < 0 )
                pam_syslog(pamh, LOG_WARNING, "No prelude alert sent");

	prelude_deinit();

}

#endif /* PRELUDE */