#define PAM_VERSION LIBPAM_VERSION_STRING
-static const char *pam_get_item_service(pam_handle_t *pamh);
-static const char *pam_get_item_user(pam_handle_t *pamh);
-static const char *pam_get_item_user_prompt(pam_handle_t *pamh);
-static const char *pam_get_item_tty(pam_handle_t *pamh);
-static const char *pam_get_item_ruser(pam_handle_t *pamh);
-static const char *pam_get_item_rhost(pam_handle_t *pamh);
-
-static int setup_analyzer(idmef_analyzer_t *analyzer);
-static void pam_alert_prelude(const char *msg, void *data, pam_handle_t *pamh, int authval);
-static int pam_alert_prelude_init(pam_handle_t *pamh, int authval);
-static int generate_additional_data(idmef_alert_t *alert, const char *meaning, const char *data);
-
-
-/*******************
- * some syslogging *
- *******************/
-static void
-_pam_log(int err, const char *format, ...)
-{
- va_list args;
- va_start(args, format);
-
-#ifdef MAIN
- vfprintf(stderr,format,args);
- fprintf(stderr,"\n");
-#else
- openlog("libpam", LOG_CONS|LOG_PID, LOG_AUTH);
- vsyslog(err, format, args);
- closelog();
-#endif
- va_end(args);
-}
static const char *
pam_get_item_service(pam_handle_t *pamh)
{
- const char *service = NULL;
+ const void *service = NULL;
- pam_get_item(pamh, PAM_SERVICE, (const void **)&service);
+ pam_get_item(pamh, PAM_SERVICE, &service);
- return (const char *)service;
+ return service;
}
static const char *
pam_get_item_user(pam_handle_t *pamh)
{
- const char *user = NULL;
+ const void *user = NULL;
- pam_get_item(pamh, PAM_USER, (const void **)&user);
+ pam_get_item(pamh, PAM_USER, &user);
- return (const char *)user;
+ return user;
}
static const char *
pam_get_item_user_prompt(pam_handle_t *pamh)
{
- const char *user_prompt = NULL;
+ const void *user_prompt = NULL;
- pam_get_item(pamh, PAM_USER_PROMPT, (const void **)&user_prompt);
+ pam_get_item(pamh, PAM_USER_PROMPT, &user_prompt);
- return (const char *)user_prompt;
+ return user_prompt;
}
static const char *
pam_get_item_tty(pam_handle_t *pamh)
{
- const char *tty = NULL;
+ const void *tty = NULL;
- pam_get_item(pamh, PAM_TTY, (const void **)&tty);
+ pam_get_item(pamh, PAM_TTY, &tty);
- return (const char *)tty;
+ return tty;
}
static const char *
pam_get_item_ruser(pam_handle_t *pamh)
{
- const char *ruser = NULL;
+ const void *ruser = NULL;
- pam_get_item(pamh, PAM_RUSER, (const void **)&ruser);
+ pam_get_item(pamh, PAM_RUSER, &ruser);
- return (const char *)ruser;
+ return ruser;
}
static const char *
pam_get_item_rhost(pam_handle_t *pamh)
{
- const char *rhost = NULL;
-
- pam_get_item(pamh, PAM_RHOST, (const void **)&rhost);
-
- return (const char *)rhost;
-}
-
-/*****************************************************************
- * Returns a string concerning the authentication value provided *
- *****************************************************************/
-static const char *
-pam_get_alert_description(int authval)
-{
- const char *retstring = NULL;
-
- switch(authval) {
- case PAM_SUCCESS:
- retstring = "Authentication success";
- break;
- case PAM_OPEN_ERR:
- retstring = "dlopen() failure when dynamically loading a service module";
- break;
- case PAM_SYMBOL_ERR:
- retstring = "Symbol not found";
- break;
- case PAM_SERVICE_ERR:
- retstring = "Error in service module";
- break;
- case PAM_SYSTEM_ERR:
- retstring = "System error";
- break;
- case PAM_BUF_ERR:
- retstring = "Memory buffer error";
- break;
- case PAM_PERM_DENIED:
- retstring = "Permission denied";
- break;
- case PAM_AUTH_ERR:
- retstring = "Authentication failure";
- break;
- case PAM_CRED_INSUFFICIENT:
- retstring = "Can not access authentication data due to insufficient credentials";
- break;
- case PAM_AUTHINFO_UNAVAIL:
- retstring = "Underlying authentication service can not retrieve authenticaiton information";
- break;
- case PAM_USER_UNKNOWN:
- retstring = "User not known to the underlying authentication module";
- break;
- case PAM_MAXTRIES:
- retstring = "An authentication service has maintained a retry count which has been reached. No further retries should be attempted";
- break;
- case PAM_NEW_AUTHTOK_REQD:
- retstring = "New authentication token required. This is normally returned if the machine security policies require that the password should be changed beccause the password is NULL or it has aged";
- break;
- case PAM_ACCT_EXPIRED:
- retstring = "User account has expired";
- break;
- case PAM_SESSION_ERR:
- retstring = "Can not make/remove an entry for the specified session";
- break;
- case PAM_CRED_UNAVAIL:
- retstring = "Underlying authentication service can not retrieve user credentials unavailable";
- break;
- case PAM_CRED_EXPIRED:
- retstring = "User credentials expired";
- break;
- case PAM_CRED_ERR:
- retstring = "Failure setting user credentials";
- break;
- case PAM_NO_MODULE_DATA:
- retstring = "No module specific data is present";
- break;
- case PAM_CONV_ERR:
- retstring = "Conversation error";
- break;
- case PAM_AUTHTOK_ERR:
- retstring = "Authentication token manipulation error";
- break;
- case PAM_AUTHTOK_RECOVER_ERR:
- retstring = "Authentication information cannot be recovered";
- break;
- case PAM_AUTHTOK_LOCK_BUSY:
- retstring = "Authentication token lock busy";
- break;
- case PAM_AUTHTOK_DISABLE_AGING:
- retstring = "Authentication token aging disabled";
- break;
- case PAM_TRY_AGAIN:
- retstring = "Preliminary check by password service";
- break;
- case PAM_IGNORE:
- retstring = "Ignore underlying account module regardless of whether the control flag is required, optional, or sufficient";
- break;
- case PAM_ABORT:
- retstring = "Critical error (?module fail now request)";
- break;
- case PAM_AUTHTOK_EXPIRED:
- retstring = "User's authentication token has expired";
- break;
- case PAM_MODULE_UNKNOWN:
- retstring = "Module is not known";
- break;
- case PAM_BAD_ITEM:
- retstring = "Bad item passed to pam_*_item()";
- break;
- case PAM_CONV_AGAIN:
- retstring = "Conversation function is event driven and data is not available yet";
- break;
- case PAM_INCOMPLETE:
- retstring = "Please call this function again to complete authentication stack. Before calling again, verify that conversation is completed";
- break;
-
- default:
- retstring = "Authentication Failure!. You should not see this message.";
- }
+ const void *rhost = NULL;
- return retstring;
+ pam_get_item(pamh, PAM_RHOST, &rhost);
+ return rhost;
}
/* Courteously stolen from prelude-lml */
static int
-generate_additional_data(idmef_alert_t *alert, const char *meaning, const char *data)
+generate_additional_data(idmef_alert_t *alert, const char *meaning,
+ const char *data)
{
int ret;
prelude_string_t *str;
ret = idmef_additional_data_new_meaning(adata, &str);
if ( ret < 0 )
return ret;
-
+
ret = prelude_string_set_ref(str, meaning);
if ( ret < 0 )
return ret;
return idmef_additional_data_set_string_ref(adata, data);
}
-extern void
-prelude_send_alert(pam_handle_t *pamh, int authval)
-{
-
- int ret;
-
- prelude_log_set_flags(PRELUDE_LOG_FLAGS_SYSLOG);
-
- ret = pam_alert_prelude_init(pamh, authval);
- if ( ret < 0 )
- _pam_log(LOG_WARNING,
- "No prelude alert sent");
-
- prelude_deinit();
-
-}
-
-static int
+static int
setup_analyzer(idmef_analyzer_t *analyzer)
{
int ret;
prelude_string_t *string;
-
+
ret = idmef_analyzer_new_model(analyzer, &string);
if ( ret < 0 )
goto err;
goto err;
prelude_string_set_constant(string, PAM_VERSION);
-
+
return 0;
err:
- _pam_log(LOG_WARNING,
+ _pam_system_log(LOG_WARNING,
"%s: IDMEF error: %s.\n",
prelude_strsource(ret), prelude_strerror(ret));
return -1;
}
-static void
+static void
pam_alert_prelude(const char *msg, void *data, pam_handle_t *pamh, int authval)
{
int ret;
idmef_assessment_t *assessment;
idmef_node_t *node;
idmef_analyzer_t *analyzer;
-
+
ret = idmef_message_new(&idmef);
- if ( ret < 0 )
+ if ( ret < 0 )
goto err;
ret = idmef_message_new_alert(idmef, &alert);
goto err;
idmef_alert_set_create_time(alert, clienttime);
- idmef_alert_set_analyzer(alert,
- idmef_analyzer_ref(prelude_client_get_analyzer(client)),
+ idmef_alert_set_analyzer(alert,
+ idmef_analyzer_ref(prelude_client_get_analyzer(client)),
0);
/**********
ret = prelude_string_new(&str);
if ( ret < 0 )
goto err;
-
+
ret = prelude_string_set_ref(str, pam_get_item_ruser(pamh));
if ( ret < 0 )
goto err;
- idmef_user_id_set_name(user_id, str);
+ idmef_user_id_set_name(user_id, str);
}
/* END */
/* BEGIN: Adds TTY infos */
ret = prelude_string_set_ref(str, pam_get_item_service(pamh));
if ( ret < 0 )
goto err;
-
+
idmef_process_set_name(process, str);
}
/* END */
if ( ret < 0 )
goto err;
- idmef_user_id_set_name(user_id, str);
+ idmef_user_id_set_name(user_id, str);
}
/* END */
/* BEGIN: Short description of the alert */
if ( ret < 0 )
goto err;
- ret = prelude_string_set_ref(str,
- authval == PAM_SUCCESS ?
+ ret = prelude_string_set_ref(str,
+ authval == PAM_SUCCESS ?
"Authentication Success" : "Authentication Failure");
if ( ret < 0 )
goto err;
if ( ret < 0 )
goto err;
- ret = prelude_string_set_ref(str,
- pam_get_alert_description(authval));
+ ret = prelude_string_set_ref(str, pam_strerror (pamh, authval));
if ( ret < 0 )
goto err;
/* END */
/* BEGIN: Adding additional data */
if ( pam_get_item_user_prompt(pamh) ) {
- ret = generate_additional_data(alert, "Local User Prompt",
+ ret = generate_additional_data(alert, "Local User Prompt",
pam_get_item_user_prompt(pamh));
if ( ret < 0 )
goto err;
/* END */
prelude_client_send_idmef(client, idmef);
-
+
if ( idmef )
idmef_message_destroy(idmef);
return;
err:
- _pam_log(LOG_WARNING,
+ _pam_system_log(LOG_WARNING,
"%s: IDMEF error: %s.\n",
prelude_strsource(ret), prelude_strerror(ret));
-
+
if ( idmef )
idmef_message_destroy(idmef);
ret = prelude_init(NULL, NULL);
if ( ret < 0 ) {
- _pam_log(LOG_WARNING,
+ _pam_system_log(LOG_WARNING,
"%s: Unable to initialize the Prelude library: %s.\n",
prelude_strsource(ret), prelude_strerror(ret));
return -1;
ret = prelude_client_new(&client, DEFAULT_ANALYZER_NAME);
if ( ! client ) {
- _pam_log(LOG_WARNING,
+ _pam_system_log(LOG_WARNING,
"%s: Unable to create a prelude client object: %s.\n",
prelude_strsource(ret), prelude_strerror(ret));
ret = setup_analyzer(prelude_client_get_analyzer(client));
if ( ret < 0 ) {
- _pam_log(LOG_WARNING,
+ _pam_system_log(LOG_WARNING,
"%s: Unable to setup analyzer: %s\n",
prelude_strsource(ret), prelude_strerror(ret));
ret = prelude_client_start(client);
if ( ret < 0 ) {
- _pam_log(LOG_WARNING,
+ _pam_system_log(LOG_WARNING,
"%s: Unable to initialize prelude client: %s.\n",
prelude_strsource(ret), prelude_strerror(ret));
-
+
prelude_client_destroy(client, PRELUDE_CLIENT_EXIT_STATUS_FAILURE);
return -1;
return 0;
}
+extern void
+prelude_send_alert(pam_handle_t *pamh, int authval)
+{
+
+ int ret;
+
+ prelude_log_set_flags(PRELUDE_LOG_FLAGS_SYSLOG);
+
+ ret = pam_alert_prelude_init(pamh, authval);
+ if ( ret < 0 )
+ _pam_system_log(LOG_WARNING,
+ "No prelude alert sent");
+
+ prelude_deinit();
+
+}
+
#endif /* PRELUDE */
projects / linux-pam / commitdiff