2017-02-23 13:50:14 +13:00
/*
Authentication and authorization logging
Copyright ( C ) Andrew Bartlett < abartlet @ samba . org > 2017
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation ; either version 3 of the License , or
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
along with this program . If not , see < http : //www.gnu.org/licenses/>.
*/
/*
* Debug log levels for authentication logging ( these both map to
* LOG_NOTICE in syslog )
*/
# define AUTH_FAILURE_LEVEL 2
2017-03-03 12:40:04 +13:00
# define AUTH_SUCCESS_LEVEL 3
# define AUTHZ_SUCCESS_LEVEL 4
2023-06-15 11:18:45 +12:00
# define KDC_AUTHZ_FAILURE_LEVEL 2
# define KDC_AUTHZ_SUCCESS_LEVEL 3
2017-03-03 12:40:04 +13:00
/* 5 is used for both authentication and authorization */
# define AUTH_ANONYMOUS_LEVEL 5
# define AUTHZ_ANONYMOUS_LEVEL 5
2017-02-23 13:50:14 +13:00
2017-03-06 16:16:51 +13:00
# define AUTHZ_JSON_TYPE "Authorization"
# define AUTH_JSON_TYPE "Authentication"
2023-06-15 11:18:45 +12:00
# define KDC_AUTHZ_JSON_TYPE "KDC Authorization"
2017-03-06 16:16:51 +13:00
/*
* JSON message version numbers
*
* If adding a field increment the minor version
* If removing or changing the format / meaning of a field
* increment the major version .
*/
# define AUTH_MAJOR 1
2023-06-15 17:07:05 +12:00
# define AUTH_MINOR 3
2017-03-06 16:16:51 +13:00
# define AUTHZ_MAJOR 1
2023-06-15 17:07:05 +12:00
# define AUTHZ_MINOR 2
2023-06-15 11:18:45 +12:00
# define KDC_AUTHZ_MAJOR 1
# define KDC_AUTHZ_MINOR 0
2017-03-06 16:16:51 +13:00
2017-02-23 13:50:14 +13:00
# include "includes.h"
# include "../lib/tsocket/tsocket.h"
# include "common_auth.h"
# include "lib/util/util_str_escape.h"
# include "libcli/security/dom_sid.h"
2017-03-03 12:40:04 +13:00
# include "libcli/security/security_token.h"
2017-03-07 16:50:38 +13:00
# include "librpc/gen_ndr/server_id.h"
# include "source4/lib/messaging/messaging.h"
# include "source4/lib/messaging/irpc.h"
# include "lib/util/server_id_db.h"
# include "lib/param/param.h"
2018-04-10 06:47:40 +12:00
# include "librpc/ndr/libndr.h"
2018-12-13 10:20:28 +13:00
# include "librpc/gen_ndr/windows_event_ids.h"
2018-04-10 11:45:32 +12:00
# include "lib/audit_logging/audit_logging.h"
2017-02-23 13:50:14 +13:00
2017-03-06 16:16:51 +13:00
/*
* Determine the type of the password supplied for the
* authorisation attempt .
*
*/
static const char * get_password_type ( const struct auth_usersupplied_info * ui ) ;
# ifdef HAVE_JANSSON
# include <jansson.h>
# include "system/time.h"
/*
2017-03-24 15:16:34 +13:00
* Write the json object to the debug logs .
2017-03-06 16:16:51 +13:00
*
*/
2017-03-24 15:18:46 +13:00
static void log_json ( struct imessaging_context * msg_ctx ,
2018-04-11 21:46:25 +02:00
struct loadparm_context * lp_ctx ,
2018-04-16 09:29:04 +12:00
struct json_object * object ,
2018-04-10 11:57:41 +12:00
int debug_class ,
int debug_level )
2017-03-06 16:16:51 +13:00
{
2018-12-13 13:53:08 +13:00
audit_log_json ( object , debug_class , debug_level ) ;
2018-04-11 21:46:25 +02:00
if ( msg_ctx & & lp_ctx & & lpcfg_auth_event_notification ( lp_ctx ) ) {
2018-04-10 11:45:32 +12:00
audit_message_send ( msg_ctx ,
AUTH_EVENT_NAME ,
MSG_AUTH_LOG ,
2018-05-17 08:03:00 +12:00
object ) ;
2017-03-06 16:16:51 +13:00
}
}
2018-12-13 14:46:31 +13:00
/*
* Determine the Windows logon type for the current authorisation attempt .
*
* Currently Samba only supports
*
* 2 Interactive A user logged on to this computer .
* 3 Network A user or computer logged on to this computer from
* the network .
* 8 NetworkCleartext A user logged on to this computer from the network .
* The user ' s password was passed to the authentication
* package in its unhashed form .
*
*/
static enum event_logon_type get_logon_type (
const struct auth_usersupplied_info * ui )
{
if ( ( ui - > logon_parameters & MSV1_0_CLEARTEXT_PASSWORD_SUPPLIED )
| | ( ui - > password_state = = AUTH_PASSWORD_PLAIN ) ) {
return EVT_LOGON_NETWORK_CLEAR_TEXT ;
} else if ( ui - > flags & USER_INFO_INTERACTIVE_LOGON ) {
return EVT_LOGON_INTERACTIVE ;
}
return EVT_LOGON_NETWORK ;
}
2017-03-06 16:16:51 +13:00
/*
* Write a machine parsable json formatted authentication log entry .
*
* IF removing or changing the format / meaning of a field please update the
* major version number AUTH_MAJOR
*
* IF adding a new field please update the minor version number AUTH_MINOR
*
2023-03-14 08:50:34 +01:00
* To process the resulting log lines from the command line use jq to
2017-03-06 16:16:51 +13:00
* parse the json .
*
2018-12-13 13:53:08 +13:00
* grep " ^ { " log file |
* jq - rc ' " \ (.timestamp) \t \ (.Authentication.status) \t
2017-03-06 16:16:51 +13:00
* \ ( . Authentication . clientDomain ) \ t
* \ ( . Authentication . clientAccount )
* \ t \ ( . Authentication . workstation )
* \ t \ ( . Authentication . remoteAddress )
* \ t \ ( . Authentication . localAddress ) " '
*/
static void log_authentication_event_json (
2018-04-10 11:57:41 +12:00
struct imessaging_context * msg_ctx ,
struct loadparm_context * lp_ctx ,
2018-06-10 13:00:34 +02:00
const struct timeval * start_time ,
2018-04-10 11:57:41 +12:00
const struct auth_usersupplied_info * ui ,
NTSTATUS status ,
const char * domain_name ,
const char * account_name ,
struct dom_sid * sid ,
2023-06-15 17:07:05 +12:00
const struct authn_audit_info * client_audit_info ,
const struct authn_audit_info * server_audit_info ,
2018-12-13 10:20:28 +13:00
enum event_id_type event_id ,
2018-04-10 11:57:41 +12:00
int debug_level )
2017-03-06 16:16:51 +13:00
{
2018-07-13 09:14:09 +12:00
struct json_object wrapper = json_empty_object ;
struct json_object authentication = json_empty_object ;
2023-06-15 17:07:05 +12:00
struct json_object client_policy = json_null_object ( ) ;
struct json_object server_policy = json_null_object ( ) ;
2019-02-01 09:40:10 +13:00
char logon_id [ 19 ] ;
2018-07-13 09:14:09 +12:00
int rc = 0 ;
2022-03-03 11:10:00 +01:00
const char * clientDomain = ui - > orig_client . domain_name ?
ui - > orig_client . domain_name :
ui - > client . domain_name ;
const char * clientAccount = ui - > orig_client . account_name ?
ui - > orig_client . account_name :
ui - > client . account_name ;
2018-04-10 11:45:32 +12:00
authentication = json_new_object ( ) ;
2018-07-13 09:14:09 +12:00
if ( json_is_invalid ( & authentication ) ) {
goto failure ;
}
rc = json_add_version ( & authentication , AUTH_MAJOR , AUTH_MINOR ) ;
if ( rc ! = 0 ) {
goto failure ;
}
2018-12-13 10:20:28 +13:00
rc = json_add_int ( & authentication ,
" eventId " ,
event_id ) ;
if ( rc ! = 0 ) {
goto failure ;
}
2019-02-01 09:40:10 +13:00
snprintf ( logon_id ,
sizeof ( logon_id ) ,
" % " PRIx64 " " ,
ui - > logon_id ) ;
rc = json_add_string ( & authentication , " logonId " , logon_id ) ;
if ( rc ! = 0 ) {
goto failure ;
}
2018-12-13 14:46:31 +13:00
rc = json_add_int ( & authentication , " logonType " , get_logon_type ( ui ) ) ;
if ( rc ! = 0 ) {
goto failure ;
}
2018-07-13 09:14:09 +12:00
rc = json_add_string ( & authentication , " status " , nt_errstr ( status ) ) ;
if ( rc ! = 0 ) {
goto failure ;
}
rc = json_add_address ( & authentication , " localAddress " , ui - > local_host ) ;
if ( rc ! = 0 ) {
goto failure ;
}
rc =
json_add_address ( & authentication , " remoteAddress " , ui - > remote_host ) ;
if ( rc ! = 0 ) {
goto failure ;
}
rc = json_add_string (
& authentication , " serviceDescription " , ui - > service_description ) ;
if ( rc ! = 0 ) {
goto failure ;
}
rc = json_add_string (
& authentication , " authDescription " , ui - > auth_description ) ;
if ( rc ! = 0 ) {
goto failure ;
}
rc = json_add_string (
2022-03-03 11:10:00 +01:00
& authentication , " clientDomain " , clientDomain ) ;
2018-07-13 09:14:09 +12:00
if ( rc ! = 0 ) {
goto failure ;
}
rc = json_add_string (
2022-03-03 11:10:00 +01:00
& authentication , " clientAccount " , clientAccount ) ;
2018-07-13 09:14:09 +12:00
if ( rc ! = 0 ) {
goto failure ;
}
rc = json_add_string (
& authentication , " workstation " , ui - > workstation_name ) ;
if ( rc ! = 0 ) {
goto failure ;
}
rc = json_add_string ( & authentication , " becameAccount " , account_name ) ;
if ( rc ! = 0 ) {
goto failure ;
}
rc = json_add_string ( & authentication , " becameDomain " , domain_name ) ;
if ( rc ! = 0 ) {
goto failure ;
}
rc = json_add_sid ( & authentication , " becameSid " , sid ) ;
if ( rc ! = 0 ) {
goto failure ;
}
rc = json_add_string (
& authentication , " mappedAccount " , ui - > mapped . account_name ) ;
if ( rc ! = 0 ) {
goto failure ;
}
rc = json_add_string (
& authentication , " mappedDomain " , ui - > mapped . domain_name ) ;
if ( rc ! = 0 ) {
goto failure ;
}
rc = json_add_string ( & authentication ,
" netlogonComputer " ,
ui - > netlogon_trust_account . computer_name ) ;
if ( rc ! = 0 ) {
goto failure ;
}
rc = json_add_string ( & authentication ,
" netlogonTrustAccount " ,
ui - > netlogon_trust_account . account_name ) ;
if ( rc ! = 0 ) {
goto failure ;
}
2023-05-16 09:53:02 +12:00
rc = json_add_flags32 (
& authentication , " netlogonNegotiateFlags " ,
ui - > netlogon_trust_account . negotiate_flags ) ;
2018-07-13 09:14:09 +12:00
if ( rc ! = 0 ) {
goto failure ;
}
rc = json_add_int ( & authentication ,
" netlogonSecureChannelType " ,
ui - > netlogon_trust_account . secure_channel_type ) ;
if ( rc ! = 0 ) {
goto failure ;
}
rc = json_add_sid ( & authentication ,
" netlogonTrustAccountSid " ,
ui - > netlogon_trust_account . sid ) ;
if ( rc ! = 0 ) {
goto failure ;
}
rc = json_add_string (
& authentication , " passwordType " , get_password_type ( ui ) ) ;
if ( rc ! = 0 ) {
goto failure ;
}
2023-06-15 17:07:05 +12:00
if ( client_audit_info ! = NULL ) {
client_policy = json_from_audit_info ( client_audit_info ) ;
if ( json_is_invalid ( & client_policy ) ) {
goto failure ;
}
}
rc = json_add_object ( & authentication , " clientPolicyAccessCheck " , & client_policy ) ;
if ( rc ! = 0 ) {
goto failure ;
}
if ( server_audit_info ! = NULL ) {
server_policy = json_from_audit_info ( server_audit_info ) ;
if ( json_is_invalid ( & server_policy ) ) {
goto failure ;
}
}
rc = json_add_object ( & authentication , " serverPolicyAccessCheck " , & server_policy ) ;
if ( rc ! = 0 ) {
goto failure ;
}
2018-07-13 09:14:09 +12:00
wrapper = json_new_object ( ) ;
if ( json_is_invalid ( & wrapper ) ) {
goto failure ;
}
rc = json_add_timestamp ( & wrapper ) ;
if ( rc ! = 0 ) {
goto failure ;
}
rc = json_add_string ( & wrapper , " type " , AUTH_JSON_TYPE ) ;
if ( rc ! = 0 ) {
goto failure ;
}
rc = json_add_object ( & wrapper , AUTH_JSON_TYPE , & authentication ) ;
if ( rc ! = 0 ) {
goto failure ;
}
2017-03-06 16:16:51 +13:00
2018-06-10 13:00:34 +02:00
/*
* While not a general - purpose profiling solution this will
* assist some to determine how long NTLM and KDC
* authentication takes once this process can handle it . This
* covers transactions elsewhere but not ( eg ) the delay while
* this is waiting unread on the input socket .
*/
if ( start_time ! = NULL ) {
struct timeval current_time = timeval_current ( ) ;
uint64_t duration = usec_time_diff ( & current_time ,
start_time ) ;
2018-07-13 09:14:09 +12:00
rc = json_add_int ( & authentication , " duration " , duration ) ;
if ( rc ! = 0 ) {
goto failure ;
}
2018-06-10 13:00:34 +02:00
}
2018-04-11 21:46:25 +02:00
log_json ( msg_ctx ,
lp_ctx ,
2018-04-16 09:29:04 +12:00
& wrapper ,
2018-12-14 16:05:33 +13:00
DBGC_AUTH_AUDIT_JSON ,
2018-04-11 21:46:25 +02:00
debug_level ) ;
2018-04-16 09:29:04 +12:00
json_free ( & wrapper ) ;
2018-07-13 09:14:09 +12:00
return ;
failure :
2023-06-15 17:07:05 +12:00
json_free ( & server_policy ) ;
json_free ( & client_policy ) ;
2018-07-13 09:14:09 +12:00
/*
* On a failure authentication will not have been added to wrapper so it
* needs to be freed to avoid a leak .
*
*/
json_free ( & authentication ) ;
json_free ( & wrapper ) ;
DBG_ERR ( " Failed to write authentication event JSON log message \n " ) ;
2017-03-06 16:16:51 +13:00
}
/*
* Log details of a successful authorization to a service ,
* in a machine parsable json format
*
* IF removing or changing the format / meaning of a field please update the
* major version number AUTHZ_MAJOR
*
* IF adding a new field please update the minor version number AUTHZ_MINOR
*
2023-03-14 08:50:34 +01:00
* To process the resulting log lines from the command line use jq to
2017-03-06 16:16:51 +13:00
* parse the json .
*
2018-12-13 13:53:08 +13:00
* grep " ^ { " log_file | \
2017-03-06 16:16:51 +13:00
* jq - rc ' " \ (.timestamp) \t
* \ ( . Authorization . domain ) \ t
* \ ( . Authorization . account ) \ t
* \ ( . Authorization . remoteAddress ) " '
*
*/
static void log_successful_authz_event_json (
2018-04-10 11:57:41 +12:00
struct imessaging_context * msg_ctx ,
struct loadparm_context * lp_ctx ,
const struct tsocket_address * remote ,
const struct tsocket_address * local ,
const char * service_description ,
const char * auth_type ,
const char * transport_protection ,
struct auth_session_info * session_info ,
2023-06-15 17:07:05 +12:00
const struct authn_audit_info * client_audit_info ,
const struct authn_audit_info * server_audit_info ,
2018-04-10 11:57:41 +12:00
int debug_level )
2017-03-06 16:16:51 +13:00
{
2018-07-13 09:14:09 +12:00
struct json_object wrapper = json_empty_object ;
struct json_object authorization = json_empty_object ;
2023-06-15 17:07:05 +12:00
struct json_object client_policy = json_null_object ( ) ;
struct json_object server_policy = json_null_object ( ) ;
2018-07-13 09:14:09 +12:00
int rc = 0 ;
2017-03-06 16:16:51 +13:00
2018-04-10 11:45:32 +12:00
authorization = json_new_object ( ) ;
2018-07-13 09:14:09 +12:00
if ( json_is_invalid ( & authorization ) ) {
goto failure ;
}
rc = json_add_version ( & authorization , AUTHZ_MAJOR , AUTHZ_MINOR ) ;
if ( rc ! = 0 ) {
goto failure ;
}
rc = json_add_address ( & authorization , " localAddress " , local ) ;
if ( rc ! = 0 ) {
goto failure ;
}
rc = json_add_address ( & authorization , " remoteAddress " , remote ) ;
if ( rc ! = 0 ) {
goto failure ;
}
rc = json_add_string (
& authorization , " serviceDescription " , service_description ) ;
if ( rc ! = 0 ) {
goto failure ;
}
rc = json_add_string ( & authorization , " authType " , auth_type ) ;
if ( rc ! = 0 ) {
goto failure ;
}
rc = json_add_string (
& authorization , " domain " , session_info - > info - > domain_name ) ;
if ( rc ! = 0 ) {
goto failure ;
}
rc = json_add_string (
& authorization , " account " , session_info - > info - > account_name ) ;
if ( rc ! = 0 ) {
goto failure ;
}
rc = json_add_sid (
2022-12-16 12:08:41 +13:00
& authorization , " sid " , & session_info - > security_token - > sids [ PRIMARY_USER_SID_INDEX ] ) ;
2018-07-13 09:14:09 +12:00
if ( rc ! = 0 ) {
goto failure ;
}
rc = json_add_guid (
& authorization , " sessionId " , & session_info - > unique_session_token ) ;
if ( rc ! = 0 ) {
goto failure ;
}
rc = json_add_string (
& authorization , " logonServer " , session_info - > info - > logon_server ) ;
if ( rc ! = 0 ) {
goto failure ;
}
rc = json_add_string (
& authorization , " transportProtection " , transport_protection ) ;
if ( rc ! = 0 ) {
goto failure ;
}
2023-05-16 09:53:02 +12:00
rc = json_add_flags32 ( & authorization , " accountFlags " , session_info - > info - > acct_flags ) ;
2018-07-13 09:14:09 +12:00
if ( rc ! = 0 ) {
goto failure ;
}
2023-06-15 17:07:05 +12:00
if ( client_audit_info ! = NULL ) {
client_policy = json_from_audit_info ( client_audit_info ) ;
if ( json_is_invalid ( & client_policy ) ) {
goto failure ;
}
}
rc = json_add_object ( & authorization , " clientPolicyAccessCheck " , & client_policy ) ;
if ( rc ! = 0 ) {
goto failure ;
}
if ( server_audit_info ! = NULL ) {
server_policy = json_from_audit_info ( server_audit_info ) ;
if ( json_is_invalid ( & server_policy ) ) {
goto failure ;
}
}
rc = json_add_object ( & authorization , " serverPolicyAccessCheck " , & server_policy ) ;
if ( rc ! = 0 ) {
goto failure ;
}
2018-07-13 09:14:09 +12:00
wrapper = json_new_object ( ) ;
if ( json_is_invalid ( & wrapper ) ) {
goto failure ;
}
rc = json_add_timestamp ( & wrapper ) ;
if ( rc ! = 0 ) {
goto failure ;
}
rc = json_add_string ( & wrapper , " type " , AUTHZ_JSON_TYPE ) ;
if ( rc ! = 0 ) {
goto failure ;
}
rc = json_add_object ( & wrapper , AUTHZ_JSON_TYPE , & authorization ) ;
if ( rc ! = 0 ) {
goto failure ;
}
2017-03-06 16:16:51 +13:00
2017-03-24 15:18:46 +13:00
log_json ( msg_ctx ,
2018-04-11 21:46:25 +02:00
lp_ctx ,
2018-04-16 09:29:04 +12:00
& wrapper ,
2018-12-14 16:05:33 +13:00
DBGC_AUTH_AUDIT_JSON ,
2017-03-06 16:16:51 +13:00
debug_level ) ;
2018-04-16 09:29:04 +12:00
json_free ( & wrapper ) ;
2018-07-13 09:14:09 +12:00
return ;
failure :
2023-06-15 17:07:05 +12:00
json_free ( & server_policy ) ;
json_free ( & client_policy ) ;
2018-07-13 09:14:09 +12:00
/*
* On a failure authorization will not have been added to wrapper so it
* needs to be freed to avoid a leak .
*
*/
json_free ( & authorization ) ;
json_free ( & wrapper ) ;
DBG_ERR ( " Unable to log Authentication event JSON audit message \n " ) ;
2017-03-06 16:16:51 +13:00
}
2023-06-15 11:18:45 +12:00
/*
* Log details of an authorization to a service , in a machine parsable json
* format
*
* IF removing or changing the format / meaning of a field please update the
* major version number KDC_AUTHZ_MAJOR
*
* IF adding a new field please update the minor version number KDC_AUTHZ_MINOR
*
* To process the resulting log lines from the command line use jq to
* parse the json .
*
* grep " ^ { " log_file | \
* jq - rc ' " \ (.timestamp) \t
* \ ( . " KDC Authorization " . domain ) \ t
* \ ( . " KDC Authorization " . account ) \ t
* \ ( . " KDC Authorization " . remoteAddress ) " '
*
*/
static void log_authz_event_json (
struct imessaging_context * msg_ctx ,
struct loadparm_context * lp_ctx ,
const struct tsocket_address * remote ,
const struct tsocket_address * local ,
2023-06-15 17:07:05 +12:00
const struct authn_audit_info * server_audit_info ,
2023-06-15 11:18:45 +12:00
const char * service_description ,
const char * auth_type ,
const char * domain_name ,
const char * account_name ,
const struct dom_sid * sid ,
const char * logon_server ,
const struct timeval authtime ,
NTSTATUS status ,
int debug_level )
{
struct json_object wrapper = json_empty_object ;
struct json_object authorization = json_empty_object ;
2023-06-15 17:07:05 +12:00
struct json_object server_policy = json_null_object ( ) ;
2023-06-15 11:18:45 +12:00
int rc = 0 ;
authorization = json_new_object ( ) ;
if ( json_is_invalid ( & authorization ) ) {
goto failure ;
}
rc = json_add_version ( & authorization , KDC_AUTHZ_MAJOR , KDC_AUTHZ_MINOR ) ;
if ( rc ! = 0 ) {
goto failure ;
}
rc = json_add_string ( & authorization , " status " , nt_errstr ( status ) ) ;
if ( rc ! = 0 ) {
goto failure ;
}
rc = json_add_address ( & authorization , " localAddress " , local ) ;
if ( rc ! = 0 ) {
goto failure ;
}
rc = json_add_address ( & authorization , " remoteAddress " , remote ) ;
if ( rc ! = 0 ) {
goto failure ;
}
rc = json_add_string (
& authorization , " serviceDescription " , service_description ) ;
if ( rc ! = 0 ) {
goto failure ;
}
rc = json_add_string ( & authorization , " authType " , auth_type ) ;
if ( rc ! = 0 ) {
goto failure ;
}
rc = json_add_string ( & authorization , " domain " , domain_name ) ;
if ( rc ! = 0 ) {
goto failure ;
}
rc = json_add_string ( & authorization , " account " , account_name ) ;
if ( rc ! = 0 ) {
goto failure ;
}
rc = json_add_sid ( & authorization , " sid " , sid ) ;
if ( rc ! = 0 ) {
goto failure ;
}
rc = json_add_string ( & authorization , " logonServer " , logon_server ) ;
if ( rc ! = 0 ) {
goto failure ;
}
rc = json_add_time ( & authorization , " authTime " , authtime ) ;
if ( rc ! = 0 ) {
goto failure ;
}
2023-06-15 17:07:05 +12:00
if ( server_audit_info ! = NULL ) {
server_policy = json_from_audit_info ( server_audit_info ) ;
if ( json_is_invalid ( & server_policy ) ) {
goto failure ;
}
}
rc = json_add_object ( & authorization , " serverPolicyAccessCheck " , & server_policy ) ;
if ( rc ! = 0 ) {
goto failure ;
}
2023-06-15 11:18:45 +12:00
wrapper = json_new_object ( ) ;
if ( json_is_invalid ( & wrapper ) ) {
goto failure ;
}
rc = json_add_timestamp ( & wrapper ) ;
if ( rc ! = 0 ) {
goto failure ;
}
rc = json_add_string ( & wrapper , " type " , KDC_AUTHZ_JSON_TYPE ) ;
if ( rc ! = 0 ) {
goto failure ;
}
rc = json_add_object ( & wrapper , KDC_AUTHZ_JSON_TYPE , & authorization ) ;
if ( rc ! = 0 ) {
goto failure ;
}
log_json ( msg_ctx ,
lp_ctx ,
& wrapper ,
DBGC_AUTH_AUDIT_JSON ,
debug_level ) ;
json_free ( & wrapper ) ;
return ;
failure :
2023-06-15 17:07:05 +12:00
json_free ( & server_policy ) ;
2023-06-15 11:18:45 +12:00
/*
* On a failure authorization will not have been added to wrapper so it
* needs to be freed to avoid a leak .
*/
json_free ( & authorization ) ;
json_free ( & wrapper ) ;
DBG_ERR ( " Unable to log KDC Authorization event JSON audit message \n " ) ;
}
2017-03-06 16:16:51 +13:00
# else
2017-03-24 15:18:46 +13:00
static void log_no_json ( struct imessaging_context * msg_ctx ,
struct loadparm_context * lp_ctx )
{
if ( msg_ctx & & lp_ctx & & lpcfg_auth_event_notification ( lp_ctx ) ) {
static bool auth_event_logged = false ;
if ( auth_event_logged = = false ) {
auth_event_logged = true ;
2018-04-10 11:57:41 +12:00
DBG_ERR ( " auth event notification = true but Samba was "
" not compiled with jansson \n " ) ;
2017-03-24 15:18:46 +13:00
}
} else {
static bool json_logged = false ;
if ( json_logged = = false ) {
json_logged = true ;
2018-04-10 11:57:41 +12:00
DBG_NOTICE ( " JSON auth logs not available unless "
" compiled with jansson \n " ) ;
2017-03-24 15:18:46 +13:00
}
}
}
2017-03-06 16:16:51 +13:00
static void log_authentication_event_json (
2018-04-10 11:57:41 +12:00
struct imessaging_context * msg_ctx ,
struct loadparm_context * lp_ctx ,
2018-06-10 13:00:34 +02:00
const struct timeval * start_time ,
2018-04-10 11:57:41 +12:00
const struct auth_usersupplied_info * ui ,
NTSTATUS status ,
const char * domain_name ,
const char * account_name ,
struct dom_sid * sid ,
2023-06-15 17:07:05 +12:00
const struct authn_audit_info * client_audit_info ,
const struct authn_audit_info * server_audit_info ,
2018-12-13 10:20:28 +13:00
enum event_id_type event_id ,
2018-04-10 11:57:41 +12:00
int debug_level )
2017-03-06 16:16:51 +13:00
{
2017-03-24 15:18:46 +13:00
log_no_json ( msg_ctx , lp_ctx ) ;
2017-03-06 16:16:51 +13:00
}
static void log_successful_authz_event_json (
2018-04-10 11:57:41 +12:00
struct imessaging_context * msg_ctx ,
struct loadparm_context * lp_ctx ,
const struct tsocket_address * remote ,
const struct tsocket_address * local ,
const char * service_description ,
const char * auth_type ,
const char * transport_protection ,
struct auth_session_info * session_info ,
2023-06-15 17:07:05 +12:00
const struct authn_audit_info * client_audit_info ,
const struct authn_audit_info * server_audit_info ,
2018-04-10 11:57:41 +12:00
int debug_level )
2017-03-06 16:16:51 +13:00
{
2017-03-24 15:18:46 +13:00
log_no_json ( msg_ctx , lp_ctx ) ;
2017-03-06 16:16:51 +13:00
}
2023-06-15 11:18:45 +12:00
static void log_authz_event_json (
struct imessaging_context * msg_ctx ,
struct loadparm_context * lp_ctx ,
const struct tsocket_address * remote ,
const struct tsocket_address * local ,
2023-06-15 17:07:05 +12:00
const struct authn_audit_info * server_audit_info ,
2023-06-15 11:18:45 +12:00
const char * service_description ,
const char * auth_type ,
const char * domain_name ,
const char * account_name ,
const struct dom_sid * sid ,
const char * logon_server ,
const struct timeval authtime ,
NTSTATUS status ,
int debug_level )
{
log_no_json ( msg_ctx , lp_ctx ) ;
}
2017-03-06 16:16:51 +13:00
# endif
2017-03-01 15:06:25 +13:00
/*
* Determine the type of the password supplied for the
* authorisation attempt .
*
*/
static const char * get_password_type ( const struct auth_usersupplied_info * ui )
{
const char * password_type = NULL ;
2017-02-21 14:07:54 +13:00
if ( ui - > password_type ! = NULL ) {
password_type = ui - > password_type ;
2017-07-10 07:48:08 +12:00
} else if ( ui - > auth_description ! = NULL & &
strncmp ( " ServerAuthenticate " , ui - > auth_description , 18 ) = = 0 )
{
if ( ui - > netlogon_trust_account . negotiate_flags
& NETLOGON_NEG_SUPPORTS_AES ) {
password_type = " HMAC-SHA256 " ;
} else if ( ui - > netlogon_trust_account . negotiate_flags
& NETLOGON_NEG_STRONG_KEYS ) {
password_type = " HMAC-MD5 " ;
} else {
password_type = " DES " ;
}
2017-02-21 14:07:54 +13:00
} else if ( ui - > password_state = = AUTH_PASSWORD_RESPONSE & &
( ui - > logon_parameters & MSV1_0_ALLOW_MSVCHAPV2 ) & &
ui - > password . response . nt . length = = 24 ) {
2017-03-01 15:06:25 +13:00
password_type = " MSCHAPv2 " ;
} else if ( ( ui - > logon_parameters & MSV1_0_CLEARTEXT_PASSWORD_SUPPLIED )
| | ( ui - > password_state = = AUTH_PASSWORD_PLAIN ) ) {
password_type = " Plaintext " ;
} else if ( ui - > password_state = = AUTH_PASSWORD_HASH ) {
password_type = " Supplied-NT-Hash " ;
} else if ( ui - > password_state = = AUTH_PASSWORD_RESPONSE
& & ui - > password . response . nt . length > 24 ) {
password_type = " NTLMv2 " ;
} else if ( ui - > password_state = = AUTH_PASSWORD_RESPONSE
& & ui - > password . response . nt . length = = 24 ) {
password_type = " NTLMv1 " ;
} else if ( ui - > password_state = = AUTH_PASSWORD_RESPONSE
& & ui - > password . response . lanman . length = = 24 ) {
password_type = " LANMan " ;
} else if ( ui - > password_state = = AUTH_PASSWORD_RESPONSE
& & ui - > password . response . nt . length = = 0
& & ui - > password . response . lanman . length = = 0 ) {
password_type = " No-Password " ;
}
return password_type ;
}
2017-02-23 13:50:14 +13:00
/*
2017-03-06 16:16:51 +13:00
* Write a human readable authentication log entry .
2017-02-23 13:50:14 +13:00
*
*/
2017-03-06 16:16:51 +13:00
static void log_authentication_event_human_readable (
2018-04-10 11:57:41 +12:00
const struct auth_usersupplied_info * ui ,
NTSTATUS status ,
const char * domain_name ,
const char * account_name ,
struct dom_sid * sid ,
int debug_level )
2017-02-23 13:50:14 +13:00
{
TALLOC_CTX * frame = NULL ;
const char * ts = NULL ; /* formatted current time */
char * remote = NULL ; /* formatted remote host */
char * local = NULL ; /* formatted local host */
char * nl = NULL ; /* NETLOGON details if present */
char * trust_computer_name = NULL ;
char * trust_account_name = NULL ;
char * logon_line = NULL ;
2017-03-01 15:06:25 +13:00
const char * password_type = NULL ;
2022-03-03 11:10:00 +01:00
const char * clientDomain = ui - > orig_client . domain_name ?
ui - > orig_client . domain_name :
ui - > client . domain_name ;
const char * clientAccount = ui - > orig_client . account_name ?
ui - > orig_client . account_name :
ui - > client . account_name ;
2017-02-23 13:50:14 +13:00
frame = talloc_stackframe ( ) ;
2017-03-24 11:33:51 +13:00
password_type = get_password_type ( ui ) ;
2017-02-23 13:50:14 +13:00
/* Get the current time */
2018-04-10 11:45:32 +12:00
ts = audit_get_timestamp ( frame ) ;
2017-02-23 13:50:14 +13:00
/* Only log the NETLOGON details if they are present */
if ( ui - > netlogon_trust_account . computer_name | |
ui - > netlogon_trust_account . account_name ) {
trust_computer_name = log_escape ( frame ,
ui - > netlogon_trust_account . computer_name ) ;
trust_account_name = log_escape ( frame ,
ui - > netlogon_trust_account . account_name ) ;
nl = talloc_asprintf ( frame ,
" NETLOGON computer [%s] trust account [%s] " ,
trust_computer_name , trust_account_name ) ;
}
remote = tsocket_address_string ( ui - > remote_host , frame ) ;
2017-03-24 11:33:51 +13:00
local = tsocket_address_string ( ui - > local_host , frame ) ;
2017-02-23 13:50:14 +13:00
if ( NT_STATUS_IS_OK ( status ) ) {
2018-10-18 06:08:19 +02:00
struct dom_sid_buf sid_buf ;
2017-02-23 13:50:14 +13:00
logon_line = talloc_asprintf ( frame ,
" became [%s] \\ [%s] [%s]. " ,
log_escape ( frame , domain_name ) ,
log_escape ( frame , account_name ) ,
2018-10-18 06:08:19 +02:00
dom_sid_str_buf ( sid , & sid_buf ) ) ;
2017-02-23 13:50:14 +13:00
} else {
2017-03-06 16:16:51 +13:00
logon_line = talloc_asprintf (
frame ,
" mapped to [%s] \\ [%s]. " ,
log_escape ( frame , ui - > mapped . domain_name ) ,
log_escape ( frame , ui - > mapped . account_name ) ) ;
2017-02-23 13:50:14 +13:00
}
2017-03-24 11:33:51 +13:00
DEBUGC ( DBGC_AUTH_AUDIT , debug_level ,
( " Auth: [%s,%s] user [%s] \\ [%s] "
2017-03-01 15:06:25 +13:00
" at [%s] with [%s] status [%s] "
2017-02-23 13:50:14 +13:00
" workstation [%s] remote host [%s] "
" %s local host [%s] "
" %s \n " ,
ui - > service_description ,
ui - > auth_description ,
2022-03-03 11:10:00 +01:00
log_escape ( frame , clientDomain ) ,
log_escape ( frame , clientAccount ) ,
2017-02-23 13:50:14 +13:00
ts ,
2017-03-01 15:06:25 +13:00
password_type ,
2017-03-24 11:33:51 +13:00
nt_errstr ( status ) ,
2017-02-23 13:50:14 +13:00
log_escape ( frame , ui - > workstation_name ) ,
remote ,
logon_line ,
local ,
nl ? nl : " "
2018-04-10 11:57:41 +12:00
) ) ;
2017-02-23 13:50:14 +13:00
talloc_free ( frame ) ;
}
2017-03-01 12:18:49 +13:00
/*
2017-03-06 16:16:51 +13:00
* Log details of an authentication attempt .
* Successful and unsuccessful attempts are logged .
2017-03-01 12:18:49 +13:00
*
2017-03-06 16:16:51 +13:00
* NOTE : msg_ctx and lp_ctx is optional , but when supplied allows streaming the
* authentication events over the message bus .
*/
2018-04-10 11:57:41 +12:00
void log_authentication_event (
struct imessaging_context * msg_ctx ,
struct loadparm_context * lp_ctx ,
2018-06-10 13:00:34 +02:00
const struct timeval * start_time ,
2018-04-10 11:57:41 +12:00
const struct auth_usersupplied_info * ui ,
NTSTATUS status ,
const char * domain_name ,
const char * account_name ,
2023-06-15 17:07:05 +12:00
struct dom_sid * sid ,
const struct authn_audit_info * client_audit_info ,
const struct authn_audit_info * server_audit_info )
2017-03-06 16:16:51 +13:00
{
/* set the log level */
int debug_level = AUTH_FAILURE_LEVEL ;
2018-12-13 10:20:28 +13:00
enum event_id_type event_id = EVT_ID_UNSUCCESSFUL_LOGON ;
2017-03-06 16:16:51 +13:00
if ( NT_STATUS_IS_OK ( status ) ) {
debug_level = AUTH_SUCCESS_LEVEL ;
2018-12-13 10:20:28 +13:00
event_id = EVT_ID_SUCCESSFUL_LOGON ;
2017-03-06 16:16:51 +13:00
if ( dom_sid_equal ( sid , & global_sid_Anonymous ) ) {
debug_level = AUTH_ANONYMOUS_LEVEL ;
}
}
2017-03-24 11:33:51 +13:00
if ( CHECK_DEBUGLVLC ( DBGC_AUTH_AUDIT , debug_level ) ) {
2017-03-06 16:16:51 +13:00
log_authentication_event_human_readable ( ui ,
status ,
domain_name ,
account_name ,
sid ,
debug_level ) ;
}
2017-03-24 11:33:51 +13:00
if ( CHECK_DEBUGLVLC ( DBGC_AUTH_AUDIT_JSON , debug_level ) | |
2017-03-24 15:18:46 +13:00
( msg_ctx & & lp_ctx & & lpcfg_auth_event_notification ( lp_ctx ) ) ) {
2018-06-10 13:00:34 +02:00
log_authentication_event_json ( msg_ctx ,
lp_ctx ,
start_time ,
2017-03-24 15:18:46 +13:00
ui ,
2017-03-06 16:16:51 +13:00
status ,
domain_name ,
account_name ,
sid ,
2023-06-15 17:07:05 +12:00
client_audit_info ,
server_audit_info ,
2018-12-13 10:20:28 +13:00
event_id ,
2017-03-06 16:16:51 +13:00
debug_level ) ;
}
}
/*
* Log details of a successful authorization to a service ,
* in a human readable format .
2017-03-01 12:18:49 +13:00
*
*/
2017-03-06 16:16:51 +13:00
static void log_successful_authz_event_human_readable (
2018-04-10 11:57:41 +12:00
const struct tsocket_address * remote ,
const struct tsocket_address * local ,
const char * service_description ,
const char * auth_type ,
struct auth_session_info * session_info ,
int debug_level )
2017-03-01 12:18:49 +13:00
{
TALLOC_CTX * frame = NULL ;
2017-03-01 15:06:25 +13:00
const char * ts = NULL ; /* formatted current time */
2017-03-01 12:18:49 +13:00
char * remote_str = NULL ; /* formatted remote host */
char * local_str = NULL ; /* formatted local host */
2018-10-26 08:25:14 +02:00
struct dom_sid_buf sid_buf ;
2017-03-01 12:18:49 +13:00
frame = talloc_stackframe ( ) ;
/* Get the current time */
2018-04-10 11:45:32 +12:00
ts = audit_get_timestamp ( frame ) ;
2017-03-01 12:18:49 +13:00
remote_str = tsocket_address_string ( remote , frame ) ;
2017-03-24 11:33:51 +13:00
local_str = tsocket_address_string ( local , frame ) ;
2017-03-01 12:18:49 +13:00
2017-03-24 11:33:51 +13:00
DEBUGC ( DBGC_AUTH_AUDIT , debug_level ,
( " Successful AuthZ: [%s,%s] user [%s] \\ [%s] [%s] "
2017-03-01 12:18:49 +13:00
" at [%s] "
" Remote host [%s] "
" local host [%s] \n " ,
service_description ,
2017-03-01 16:00:03 +13:00
auth_type ,
2017-03-01 12:18:49 +13:00
log_escape ( frame , session_info - > info - > domain_name ) ,
log_escape ( frame , session_info - > info - > account_name ) ,
2022-12-16 12:08:41 +13:00
dom_sid_str_buf ( & session_info - > security_token - > sids [ PRIMARY_USER_SID_INDEX ] ,
2018-10-26 08:25:14 +02:00
& sid_buf ) ,
2017-03-01 12:18:49 +13:00
ts ,
remote_str ,
local_str ) ) ;
talloc_free ( frame ) ;
}
2017-03-06 16:16:51 +13:00
/*
* Log details of a successful authorization to a service .
*
* Only successful authorizations are logged . For clarity :
* - NTLM bad passwords will be recorded by log_authentication_event
* - Kerberos decrypt failures need to be logged in gensec_gssapi et al
*
* The service may later refuse authorization due to an ACL .
*
* NOTE : msg_ctx and lp_ctx is optional , but when supplied allows streaming the
* authentication events over the message bus .
*/
2018-04-10 11:57:41 +12:00
void log_successful_authz_event (
struct imessaging_context * msg_ctx ,
struct loadparm_context * lp_ctx ,
const struct tsocket_address * remote ,
const struct tsocket_address * local ,
const char * service_description ,
const char * auth_type ,
const char * transport_protection ,
2023-06-15 17:07:05 +12:00
struct auth_session_info * session_info ,
const struct authn_audit_info * client_audit_info ,
const struct authn_audit_info * server_audit_info )
2017-03-06 16:16:51 +13:00
{
int debug_level = AUTHZ_SUCCESS_LEVEL ;
/* set the log level */
if ( security_token_is_anonymous ( session_info - > security_token ) ) {
debug_level = AUTH_ANONYMOUS_LEVEL ;
}
2017-03-24 11:33:51 +13:00
if ( CHECK_DEBUGLVLC ( DBGC_AUTH_AUDIT , debug_level ) ) {
2017-03-06 16:16:51 +13:00
log_successful_authz_event_human_readable ( remote ,
local ,
service_description ,
auth_type ,
session_info ,
debug_level ) ;
}
2017-03-24 11:33:51 +13:00
if ( CHECK_DEBUGLVLC ( DBGC_AUTH_AUDIT_JSON , debug_level ) | |
2017-03-24 15:18:46 +13:00
( msg_ctx & & lp_ctx & & lpcfg_auth_event_notification ( lp_ctx ) ) ) {
log_successful_authz_event_json ( msg_ctx , lp_ctx ,
remote ,
2017-03-06 16:16:51 +13:00
local ,
service_description ,
auth_type ,
transport_protection ,
session_info ,
2023-06-15 17:07:05 +12:00
client_audit_info ,
server_audit_info ,
2017-03-06 16:16:51 +13:00
debug_level ) ;
}
}
2023-06-15 11:18:45 +12:00
/*
* Log details of an authorization to a service .
*
* NOTE : msg_ctx and lp_ctx are optional , but when supplied , allow streaming the
* authorization events over the message bus .
*/
void log_authz_event (
struct imessaging_context * msg_ctx ,
struct loadparm_context * lp_ctx ,
const struct tsocket_address * remote ,
const struct tsocket_address * local ,
2023-06-15 17:07:05 +12:00
const struct authn_audit_info * server_audit_info ,
2023-06-15 11:18:45 +12:00
const char * service_description ,
const char * auth_type ,
const char * domain_name ,
const char * account_name ,
const struct dom_sid * sid ,
const char * logon_server ,
const struct timeval authtime ,
NTSTATUS status )
{
/* set the log level */
int debug_level = KDC_AUTHZ_FAILURE_LEVEL ;
if ( NT_STATUS_IS_OK ( status ) ) {
debug_level = KDC_AUTHZ_SUCCESS_LEVEL ;
}
if ( CHECK_DEBUGLVLC ( DBGC_AUTH_AUDIT_JSON , debug_level ) | |
( msg_ctx & & lp_ctx & & lpcfg_auth_event_notification ( lp_ctx ) ) ) {
log_authz_event_json ( msg_ctx , lp_ctx ,
remote ,
local ,
2023-06-15 17:07:05 +12:00
server_audit_info ,
2023-06-15 11:18:45 +12:00
service_description ,
auth_type ,
domain_name ,
account_name ,
sid ,
logon_server ,
authtime ,
status ,
debug_level ) ;
}
}