
auth: Add functionality to log client and server policy information

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Joseph Sutton 2023-06-15 17:07:05 +12:00 committed by Andrew Bartlett
parent f9c55b84ef
commit ca9d27ae99
17 changed files with 159 additions and 26 deletions


@ -44,9 +44,9 @@
* increment the major version. * increment the major version.
*/ */
#define AUTH_MAJOR 1 #define AUTH_MAJOR 1
#define AUTH_MINOR 2 #define AUTH_MINOR 3
#define AUTHZ_MAJOR 1 #define AUTHZ_MAJOR 1
#define AUTHZ_MINOR 1 #define AUTHZ_MINOR 2
#define KDC_AUTHZ_MAJOR 1 #define KDC_AUTHZ_MAJOR 1
#define KDC_AUTHZ_MINOR 0 #define KDC_AUTHZ_MINOR 0
@ -149,11 +149,15 @@ static void log_authentication_event_json(
const char *domain_name, const char *domain_name,
const char *account_name, const char *account_name,
struct dom_sid *sid, struct dom_sid *sid,
const struct authn_audit_info *client_audit_info,
const struct authn_audit_info *server_audit_info,
enum event_id_type event_id, enum event_id_type event_id,
int debug_level) int debug_level)
{ {
struct json_object wrapper = json_empty_object; struct json_object wrapper = json_empty_object;
struct json_object authentication = json_empty_object; struct json_object authentication = json_empty_object;
struct json_object client_policy = json_null_object();
struct json_object server_policy = json_null_object();
char logon_id[19]; char logon_id[19];
int rc = 0; int rc = 0;
const char *clientDomain = ui->orig_client.domain_name ? const char *clientDomain = ui->orig_client.domain_name ?
@ -285,6 +289,30 @@ static void log_authentication_event_json(
goto failure; goto failure;
} }
if (client_audit_info != NULL) {
client_policy = json_from_audit_info(client_audit_info);
if (json_is_invalid(&client_policy)) {
goto failure;
}
}
rc = json_add_object(&authentication, "clientPolicyAccessCheck", &client_policy);
if (rc != 0) {
goto failure;
}
if (server_audit_info != NULL) {
server_policy = json_from_audit_info(server_audit_info);
if (json_is_invalid(&server_policy)) {
goto failure;
}
}
rc = json_add_object(&authentication, "serverPolicyAccessCheck", &server_policy);
if (rc != 0) {
goto failure;
}
wrapper = json_new_object(); wrapper = json_new_object();
if (json_is_invalid(&wrapper)) { if (json_is_invalid(&wrapper)) {
goto failure; goto failure;
@ -327,6 +355,8 @@ static void log_authentication_event_json(
json_free(&wrapper); json_free(&wrapper);
return; return;
failure: failure:
json_free(&server_policy);
json_free(&client_policy);
/* /*
* On a failure authentication will not have been added to wrapper so it * On a failure authentication will not have been added to wrapper so it
* needs to be freed to avoid a leak. * needs to be freed to avoid a leak.
@ -365,10 +395,14 @@ static void log_successful_authz_event_json(
const char *auth_type, const char *auth_type,
const char *transport_protection, const char *transport_protection,
struct auth_session_info *session_info, struct auth_session_info *session_info,
const struct authn_audit_info *client_audit_info,
const struct authn_audit_info *server_audit_info,
int debug_level) int debug_level)
{ {
struct json_object wrapper = json_empty_object; struct json_object wrapper = json_empty_object;
struct json_object authorization = json_empty_object; struct json_object authorization = json_empty_object;
struct json_object client_policy = json_null_object();
struct json_object server_policy = json_null_object();
int rc = 0; int rc = 0;
authorization = json_new_object(); authorization = json_new_object();
@ -431,6 +465,30 @@ static void log_successful_authz_event_json(
goto failure; goto failure;
} }
if (client_audit_info != NULL) {
client_policy = json_from_audit_info(client_audit_info);
if (json_is_invalid(&client_policy)) {
goto failure;
}
}
rc = json_add_object(&authorization, "clientPolicyAccessCheck", &client_policy);
if (rc != 0) {
goto failure;
}
if (server_audit_info != NULL) {
server_policy = json_from_audit_info(server_audit_info);
if (json_is_invalid(&server_policy)) {
goto failure;
}
}
rc = json_add_object(&authorization, "serverPolicyAccessCheck", &server_policy);
if (rc != 0) {
goto failure;
}
wrapper = json_new_object(); wrapper = json_new_object();
if (json_is_invalid(&wrapper)) { if (json_is_invalid(&wrapper)) {
goto failure; goto failure;
@ -456,6 +514,8 @@ static void log_successful_authz_event_json(
json_free(&wrapper); json_free(&wrapper);
return; return;
failure: failure:
json_free(&server_policy);
json_free(&client_policy);
/* /*
* On a failure authorization will not have been added to wrapper so it * On a failure authorization will not have been added to wrapper so it
* needs to be freed to avoid a leak. * needs to be freed to avoid a leak.
@ -490,6 +550,7 @@ static void log_authz_event_json(
struct loadparm_context *lp_ctx, struct loadparm_context *lp_ctx,
const struct tsocket_address *remote, const struct tsocket_address *remote,
const struct tsocket_address *local, const struct tsocket_address *local,
const struct authn_audit_info *server_audit_info,
const char *service_description, const char *service_description,
const char *auth_type, const char *auth_type,
const char *domain_name, const char *domain_name,
@ -502,6 +563,7 @@ static void log_authz_event_json(
{ {
struct json_object wrapper = json_empty_object; struct json_object wrapper = json_empty_object;
struct json_object authorization = json_empty_object; struct json_object authorization = json_empty_object;
struct json_object server_policy = json_null_object();
int rc = 0; int rc = 0;
authorization = json_new_object(); authorization = json_new_object();
@ -554,6 +616,18 @@ static void log_authz_event_json(
goto failure; goto failure;
} }
if (server_audit_info != NULL) {
server_policy = json_from_audit_info(server_audit_info);
if (json_is_invalid(&server_policy)) {
goto failure;
}
}
rc = json_add_object(&authorization, "serverPolicyAccessCheck", &server_policy);
if (rc != 0) {
goto failure;
}
wrapper = json_new_object(); wrapper = json_new_object();
if (json_is_invalid(&wrapper)) { if (json_is_invalid(&wrapper)) {
goto failure; goto failure;
@ -579,6 +653,7 @@ static void log_authz_event_json(
json_free(&wrapper); json_free(&wrapper);
return; return;
failure: failure:
json_free(&server_policy);
/* /*
* On a failure authorization will not have been added to wrapper so it * On a failure authorization will not have been added to wrapper so it
* needs to be freed to avoid a leak. * needs to be freed to avoid a leak.
@ -619,6 +694,8 @@ static void log_authentication_event_json(
const char *domain_name, const char *domain_name,
const char *account_name, const char *account_name,
struct dom_sid *sid, struct dom_sid *sid,
const struct authn_audit_info *client_audit_info,
const struct authn_audit_info *server_audit_info,
enum event_id_type event_id, enum event_id_type event_id,
int debug_level) int debug_level)
{ {
@ -634,6 +711,8 @@ static void log_successful_authz_event_json(
const char *auth_type, const char *auth_type,
const char *transport_protection, const char *transport_protection,
struct auth_session_info *session_info, struct auth_session_info *session_info,
const struct authn_audit_info *client_audit_info,
const struct authn_audit_info *server_audit_info,
int debug_level) int debug_level)
{ {
log_no_json(msg_ctx, lp_ctx); log_no_json(msg_ctx, lp_ctx);
@ -644,6 +723,7 @@ static void log_authz_event_json(
struct loadparm_context *lp_ctx, struct loadparm_context *lp_ctx,
const struct tsocket_address *remote, const struct tsocket_address *remote,
const struct tsocket_address *local, const struct tsocket_address *local,
const struct authn_audit_info *server_audit_info,
const char *service_description, const char *service_description,
const char *auth_type, const char *auth_type,
const char *domain_name, const char *domain_name,
@ -813,7 +893,9 @@ void log_authentication_event(
NTSTATUS status, NTSTATUS status,
const char *domain_name, const char *domain_name,
const char *account_name, const char *account_name,
struct dom_sid *sid) struct dom_sid *sid,
const struct authn_audit_info *client_audit_info,
const struct authn_audit_info *server_audit_info)
{ {
/* set the log level */ /* set the log level */
int debug_level = AUTH_FAILURE_LEVEL; int debug_level = AUTH_FAILURE_LEVEL;
@ -845,6 +927,8 @@ void log_authentication_event(
domain_name, domain_name,
account_name, account_name,
sid, sid,
client_audit_info,
server_audit_info,
event_id, event_id,
debug_level); debug_level);
} }
@ -918,7 +1002,9 @@ void log_successful_authz_event(
const char *service_description, const char *service_description,
const char *auth_type, const char *auth_type,
const char *transport_protection, const char *transport_protection,
struct auth_session_info *session_info) struct auth_session_info *session_info,
const struct authn_audit_info *client_audit_info,
const struct authn_audit_info *server_audit_info)
{ {
int debug_level = AUTHZ_SUCCESS_LEVEL; int debug_level = AUTHZ_SUCCESS_LEVEL;
@ -944,6 +1030,8 @@ void log_successful_authz_event(
auth_type, auth_type,
transport_protection, transport_protection,
session_info, session_info,
client_audit_info,
server_audit_info,
debug_level); debug_level);
} }
} }
@ -959,6 +1047,7 @@ void log_authz_event(
struct loadparm_context *lp_ctx, struct loadparm_context *lp_ctx,
const struct tsocket_address *remote, const struct tsocket_address *remote,
const struct tsocket_address *local, const struct tsocket_address *local,
const struct authn_audit_info *server_audit_info,
const char *service_description, const char *service_description,
const char *auth_type, const char *auth_type,
const char *domain_name, const char *domain_name,
@ -980,6 +1069,7 @@ void log_authz_event(
log_authz_event_json(msg_ctx, lp_ctx, log_authz_event_json(msg_ctx, lp_ctx,
remote, remote,
local, local,
server_audit_info,
service_description, service_description,
auth_type, auth_type,
domain_name, domain_name,
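Review bot: The new `failure:` label in log_authentication_event_json (and the two authz variants) unconditionally runs `json_free(&server_policy); json_free(&client_policy);`, but once `json_add_object(&authentication, "clientPolicyAccessCheck", &client_policy)` has been called the jansson reference held in client_policy has been handed to json_object_set_new(), which by jansson's contract steals the reference even when the call fails, so a later json_free() would decref it a second time. This is only safe if json_add_object() resets the passed-in struct (root = NULL, valid = false) on both its success and its failure path; that helper is not part of this diff, so please confirm, or make the transfer explicit with `client_policy = json_null_object(); /* ownership moved into authentication */` after each successful add and likewise for server_policy. All three functions start and end outside these hunks.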


@ -177,6 +177,7 @@ struct auth4_context {
* NOTE: msg_ctx and lp_ctx is optional, but when supplied allows streaming the * NOTE: msg_ctx and lp_ctx is optional, but when supplied allows streaming the
* authentication events over the message bus. * authentication events over the message bus.
*/ */
struct authn_audit_info;
void log_authentication_event(struct imessaging_context *msg_ctx, void log_authentication_event(struct imessaging_context *msg_ctx,
struct loadparm_context *lp_ctx, struct loadparm_context *lp_ctx,
const struct timeval *start_time, const struct timeval *start_time,
@ -184,7 +185,9 @@ void log_authentication_event(struct imessaging_context *msg_ctx,
NTSTATUS status, NTSTATUS status,
const char *domain_name, const char *domain_name,
const char *account_name, const char *account_name,
struct dom_sid *sid); struct dom_sid *sid,
const struct authn_audit_info *client_audit_info,
const struct authn_audit_info *server_audit_info);
/* /*
* Log details of a successful authorization to a service. * Log details of a successful authorization to a service.
@ -206,7 +209,9 @@ void log_successful_authz_event(struct imessaging_context *msg_ctx,
const char *service_description, const char *service_description,
const char *auth_type, const char *auth_type,
const char *transport_protection, const char *transport_protection,
struct auth_session_info *session_info); struct auth_session_info *session_info,
const struct authn_audit_info *client_audit_info,
const struct authn_audit_info *server_audit_info);
/* /*
* Log details of an authorization to a service. * Log details of an authorization to a service.
@ -219,6 +224,7 @@ void log_authz_event(
struct loadparm_context *lp_ctx, struct loadparm_context *lp_ctx,
const struct tsocket_address *remote, const struct tsocket_address *remote,
const struct tsocket_address *local, const struct tsocket_address *local,
const struct authn_audit_info *server_audit_info,
const char *service_description, const char *service_description,
const char *auth_type, const char *auth_type,
const char *domain_name, const char *domain_name,
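Review bot: The comment above log_authentication_event still documents only msg_ctx and lp_ctx as optional, while the two parameters this change adds, `client_audit_info` and `server_audit_info`, are passed as NULL by every caller in this commit and so are clearly optional too; the header should say so, because, as the auth_log.c hunk shows, a NULL here produces a JSON null for the policy field rather than an error. Suggested addition to that comment: `client_audit_info and server_audit_info are optional; when NULL the corresponding clientPolicyAccessCheck / serverPolicyAccessCheck field is logged as null.` The same sentence belongs on log_successful_authz_event and, for server_audit_info only, on log_authz_event, whose declaration continues past the end of this hunk.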


@ -242,7 +242,9 @@ static void log_successful_gensec_authz_event(struct gensec_security *gensec_sec
service_description, service_description,
final_auth_type, final_auth_type,
transport_protection, transport_protection,
session_info); session_info,
NULL /* client_audit_info */,
NULL /* server_audit_info */);
} }


@ -59,8 +59,8 @@ HRES_SEC_E_INVALID_TOKEN = 0x80090308
HRES_SEC_E_LOGON_DENIED = 0x8009030C HRES_SEC_E_LOGON_DENIED = 0x8009030C
AUTHN_VERSION = {'major': 1, 'minor': 2} AUTHN_VERSION = {'major': 1, 'minor': 3}
AUTHZ_VERSION = {'major': 1, 'minor': 1} AUTHZ_VERSION = {'major': 1, 'minor': 2}
KDC_AUTHZ_VERSION = {'major': 1, 'minor': 0} KDC_AUTHZ_VERSION = {'major': 1, 'minor': 0}


@ -319,7 +319,9 @@ NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
nt_status, nt_status,
server_info->info3->base.logon_domain.string, server_info->info3->base.logon_domain.string,
server_info->info3->base.account_name.string, server_info->info3->base.account_name.string,
&sid); &sid,
NULL /* client_audit_info */,
NULL /* server_audit_info */);
DEBUG(server_info->guest ? 5 : 2, DEBUG(server_info->guest ? 5 : 2,
("check_ntlm_password: %sauthentication for user " ("check_ntlm_password: %sauthentication for user "
@ -354,7 +356,9 @@ fail:
nt_status, nt_status,
NULL, NULL,
NULL, NULL,
NULL); NULL,
NULL /* client_audit_info */,
NULL /* server_audit_info */);
ZERO_STRUCTP(pserver_info); ZERO_STRUCTP(pserver_info);


@ -549,7 +549,9 @@ NTSTATUS auth_check_password_session_info(struct auth4_context *auth_context,
user_info->service_description, user_info->service_description,
user_info->auth_description, user_info->auth_description,
AUTHZ_TRANSPORT_PROTECTION_SMB, AUTHZ_TRANSPORT_PROTECTION_SMB,
*session_info); *session_info,
NULL /* client_audit_info */,
NULL /* server_audit_info */);
return nt_status; return nt_status;
} }


@ -126,7 +126,9 @@ void dcesrv_log_successful_authz(
"DCE/RPC", "DCE/RPC",
auth_type, auth_type,
transport_protection, transport_protection,
auth->session_info); auth->session_info,
NULL /* client_audit_info */,
NULL /* server_audit_info */);
auth->auth_audited = true; auth->auth_audited = true;


@ -2178,7 +2178,9 @@ static void log_authentication(
result, result,
base_info != NULL ? base_info->logon_domain.string : "", base_info != NULL ? base_info->logon_domain.string : "",
base_info != NULL ? base_info->account_name.string : "", base_info != NULL ? base_info->account_name.string : "",
sid); sid,
NULL /* client_audit_info */,
NULL /* server_audit_info */);
TALLOC_FREE(ui); TALLOC_FREE(ui);
} }


@ -404,7 +404,9 @@ _PUBLIC_ NTSTATUS auth_check_password_recv(struct tevent_req *req,
state->auth_ctx->lp_ctx, state->auth_ctx->lp_ctx,
&state->auth_ctx->start_time, &state->auth_ctx->start_time,
state->user_info, status, state->user_info, status,
NULL, NULL, NULL); NULL, NULL, NULL,
NULL /* client_audit_info */,
NULL /* server_audit_info */);
tevent_req_received(req); tevent_req_received(req);
return status; return status;
} }
@ -421,7 +423,9 @@ _PUBLIC_ NTSTATUS auth_check_password_recv(struct tevent_req *req,
state->user_info, status, state->user_info, status,
state->user_info_dc->info->domain_name, state->user_info_dc->info->domain_name,
state->user_info_dc->info->account_name, state->user_info_dc->info->account_name,
&state->user_info_dc->sids[PRIMARY_USER_SID_INDEX].sid); &state->user_info_dc->sids[PRIMARY_USER_SID_INDEX].sid,
NULL /* client_audit_info */,
NULL /* server_audit_info */);
/* Release our handle to state->user_info_dc. */ /* Release our handle to state->user_info_dc. */
*user_info_dc = talloc_reparent(state, mem_ctx, state->user_info_dc); *user_info_dc = talloc_reparent(state, mem_ctx, state->user_info_dc);


@ -115,7 +115,9 @@ _PUBLIC_ struct tevent_req *authenticate_ldap_simple_bind_send(TALLOC_CTX *mem_c
log_authentication_event(msg, lp_ctx, log_authentication_event(msg, lp_ctx,
&state->auth_context->start_time, &state->auth_context->start_time,
user_info, status, user_info, status,
NULL, NULL, NULL); NULL, NULL, NULL,
NULL /* client_audit_info */,
NULL /* server_audit_info */);
} }
if (tevent_req_nterror(req, status)) { if (tevent_req_nterror(req, status)) {
return tevent_req_post(req, ev); return tevent_req_post(req, ev);
@ -190,7 +192,9 @@ static void authenticate_ldap_simple_bind_done(struct tevent_req *subreq)
"LDAP", "LDAP",
"simple bind", "simple bind",
transport_protection, transport_protection,
state->session_info); state->session_info,
NULL /* client_audit_info */,
NULL /* server_audit_info */);
tevent_req_done(req); tevent_req_done(req);
} }


@ -3247,7 +3247,9 @@ static int check_password_restrictions_and_log(struct setup_password_fields_io *
status, status,
domain_name, domain_name,
io->u.sAMAccountName, io->u.sAMAccountName,
io->u.account_sid); io->u.account_sid,
NULL /* client_audit_info */,
NULL /* server_audit_info */);
} }
return ret; return ret;


@ -622,6 +622,7 @@ static krb5_error_code hdb_samba4_tgs_audit(const struct samba_kdc_db_context *k
kdc_db_ctx->lp_ctx, kdc_db_ctx->lp_ctx,
remote_host, remote_host,
NULL /* local */, NULL /* local */,
NULL /* server_audit_info */,
r->sname, r->sname,
"TGS-REQ with Ticket-Granting Ticket", "TGS-REQ with Ticket-Granting Ticket",
domain_name, domain_name,
@ -911,7 +912,9 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
status, status,
domain_name, domain_name,
account_name, account_name,
sid); sid,
NULL /* client_audit_info */,
NULL /* server_audit_info */);
if (final_ret == KRB5KRB_ERR_GENERIC && socket_wrapper_enabled()) { if (final_ret == KRB5KRB_ERR_GENERIC && socket_wrapper_enabled()) {
/* /*
* If we're running under make test * If we're running under make test
@ -951,7 +954,9 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
&ui, &ui,
NT_STATUS_NO_SUCH_USER, NT_STATUS_NO_SUCH_USER,
NULL, NULL, NULL, NULL,
NULL); NULL,
NULL /* client_audit_info */,
NULL /* server_audit_info */);
TALLOC_FREE(frame); TALLOC_FREE(frame);
break; break;
} }


@ -1596,7 +1596,9 @@ NTSTATUS ldapsrv_do_call(struct ldapsrv_call *call)
"LDAP", "LDAP",
"no bind", "no bind",
transport_protection, transport_protection,
call->conn->session_info); call->conn->session_info,
NULL /* client_audit_info */,
NULL /* server_audit_info */);
call->conn->authz_logged = true; call->conn->authz_logged = true;
} }


@ -667,7 +667,9 @@ void log_successful_dcesrv_authz_event(
"DCE/RPC", "DCE/RPC",
auth_type, auth_type,
transport_protection, transport_protection,
auth->session_info); auth->session_info,
NULL /* client_audit_info */,
NULL /* server_audit_info */);
auth->auth_audited = true; auth->auth_audited = true;
} }


@ -839,7 +839,9 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(
status, status,
lpcfg_workgroup(dce_call->conn->dce_ctx->lp_ctx), lpcfg_workgroup(dce_call->conn->dce_ctx->lp_ctx),
trust_account_in_db, trust_account_in_db,
sid); sid,
NULL /* client_audit_info */,
NULL /* server_audit_info */);
return status; return status;
} }


@ -81,7 +81,9 @@ static void log_password_change_event(struct imessaging_context *msg_ctx,
status, status,
ui.mapped.domain_name, ui.mapped.domain_name,
ui.mapped.account_name, ui.mapped.account_name,
sid); sid,
NULL /* client_audit_info */,
NULL /* server_audit_info */);
} }
/* /*
samr_ChangePasswordUser samr_ChangePasswordUser


@ -61,7 +61,9 @@ void smbsrv_not_spengo_sesssetup_authz_log(struct smbsrv_request *req,
"SMB", "SMB",
"bare-NTLM", "bare-NTLM",
AUTHZ_TRANSPORT_PROTECTION_SMB, AUTHZ_TRANSPORT_PROTECTION_SMB,
session_info); session_info,
NULL /* client_audit_info */,
NULL /* server_audit_info */);
talloc_free(frame); talloc_free(frame);
return; return;