mirrors
/
sudo
mirror of https://github.com/sudo-project/sudo.git
0
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
sudo/plugins/audit_json/audit_json.c

744 lines
20 KiB
C
Raw Permalink Blame History

/*
* SPDX-License-Identifier: ISC
*
* Copyright (c) 2020-2021 Todd C. Miller <Todd.Miller@sudo.ws>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/*
* This is an open source non-commercial project. Dear PVS-Studio, please check it.
* PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com
*/
#include <config.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <stdio.h>
#include <stdlib.h>
#ifdef HAVE_STDBOOL_H
# include <stdbool.h>
#else
# include <compat/stdbool.h>
#endif /* HAVE_STDBOOL_H */
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <fcntl.h>
#include <limits.h>
#include <time.h>
#include <pathnames.h>
#include <sudo_compat.h>
#include <sudo_conf.h>
#include <sudo_debug.h>
#include <sudo_dso.h>
#include <sudo_fatal.h>
#include <sudo_gettext.h>
#include <sudo_json.h>
#include <sudo_plugin.h>
#include <sudo_util.h>
static int audit_debug_instance = SUDO_DEBUG_INSTANCE_INITIALIZER;
static sudo_conv_t audit_conv;
static sudo_printf_t audit_printf;
static struct audit_state {
int submit_optind;
char uuid_str[37];
bool accepted;
FILE *log_fp;
char *logfile;
char * const * settings;
char * const * user_info;
char * const * submit_argv;
char * const * submit_envp;
} state = { -1 };
/* Filter out entries in settings[] that are not really options. */
const char * const settings_filter[] = {
"debug_flags",
"max_groups",
"network_addrs",
"plugin_dir",
"plugin_path",
"progname",
NULL
};
static int
audit_json_open(unsigned int version, sudo_conv_t conversation,
sudo_printf_t plugin_printf, char * const settings[],
char * const user_info[], int submit_optind, char * const submit_argv[],
char * const submit_envp[], char * const plugin_options[],
const char **errstr)
{
struct sudo_conf_debug_file_list debug_files =
TAILQ_HEAD_INITIALIZER(debug_files);
struct sudo_debug_file *debug_file;
const char *cp, *plugin_path = NULL;
unsigned char uuid[16];
char * const *cur;
mode_t oldmask;
int fd, ret = -1;
debug_decl_vars(audit_json_open, SUDO_DEBUG_PLUGIN);
audit_conv = conversation;
audit_printf = plugin_printf;
/*
* Stash initial values.
*/
state.submit_optind = submit_optind;
state.settings = settings;
state.user_info = user_info;
state.submit_argv = submit_argv;
state.submit_envp = submit_envp;
/* Initialize the debug subsystem. */
for (cur = settings; (cp = *cur) != NULL; cur++) {
if (strncmp(cp, "debug_flags=", sizeof("debug_flags=") - 1) == 0) {
cp += sizeof("debug_flags=") - 1;
if (sudo_debug_parse_flags(&debug_files, cp) == -1)
goto oom;
continue;
}
if (strncmp(cp, "plugin_path=", sizeof("plugin_path=") - 1) == 0) {
plugin_path = cp + sizeof("plugin_path=") - 1;
continue;
}
}
if (plugin_path != NULL && !TAILQ_EMPTY(&debug_files)) {
audit_debug_instance =
sudo_debug_register(plugin_path, NULL, NULL, &debug_files, -1);
if (audit_debug_instance == SUDO_DEBUG_INSTANCE_ERROR) {
*errstr = U_("unable to initialize debugging");
goto bad;
}
sudo_debug_enter(__func__, __FILE__, __LINE__, sudo_debug_subsys);
}
/* Create a UUID for this command for use with audit records. */
sudo_uuid_create(uuid);
if (sudo_uuid_to_string(uuid, state.uuid_str, sizeof(state.uuid_str)) == NULL) {
*errstr = U_("unable to generate UUID");
goto bad;
}
/* Parse plugin_options to check for logfile option. */
if (plugin_options != NULL) {
for (cur = plugin_options; (cp = *cur) != NULL; cur++) {
if (strncmp(cp, "logfile=", sizeof("logfile=") - 1) == 0) {
state.logfile = strdup(cp + sizeof("logfile=") - 1);
if (state.logfile == NULL)
goto oom;
}
}
}
if (state.logfile == NULL) {
if (asprintf(&state.logfile, "%s/sudo_audit.json", _PATH_SUDO_LOGDIR) == -1)
goto oom;
}
/* open log file */
/* TODO: support pipe */
oldmask = umask(S_IRWXG|S_IRWXO);
fd = open(state.logfile, O_RDWR|O_CREAT, S_IRUSR|S_IWUSR);
(void)umask(oldmask);
if (fd == -1 || (state.log_fp = fdopen(fd, "w")) == NULL) {
*errstr = U_("unable to open audit system");
if (fd != -1)
close(fd);
goto bad;
}
ret = 1;
goto done;
oom:
sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
*errstr = U_("unable to allocate memory");
bad:
if (state.log_fp != NULL) {
fclose(state.log_fp);
state.log_fp = NULL;
}
done:
while ((debug_file = TAILQ_FIRST(&debug_files))) {
TAILQ_REMOVE(&debug_files, debug_file, entries);
free(debug_file->debug_file);
free(debug_file->debug_flags);
free(debug_file);
}
debug_return_int(ret);
}
static bool
add_key_value(struct json_container *jsonc, const char *str)
{
struct json_value json_value;
const char *cp, *errstr;
char name[256];
size_t len;
debug_decl(add_key_value, SUDO_DEBUG_PLUGIN);
if ((cp = strchr(str, '=')) == NULL) {
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
"ignoring bad command info string \"%s\"", str);
debug_return_bool(false);
}
len = (size_t)(cp - str);
cp++;
/* Variable name currently limited to 256 chars */
if (len >= sizeof(name)) {
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
"ignoring long command info name \"%.*s\"", (int)len, str);
debug_return_bool(false);
}
memcpy(name, str, len);
name[len] = '\0';
/* Check for bool or number. */
json_value.type = JSON_NULL;
switch (cp[0]) {
case '0':
if (cp[1] == '\0') {
/* Only treat a plain "0" as number 0. */
json_value.u.number = 0;
json_value.type = JSON_NUMBER;
}
break;
case '+': case '-':
if (cp[1] == '0') {
/* Encode octal numbers as strings. */
break;
}
FALLTHROUGH;
case '1': case '2': case '3': case '4': case '5':
case '6': case '7': case '8': case '9':
json_value.u.number = sudo_strtonum(cp, INT_MIN, INT_MAX, &errstr);
if (errstr == NULL)
json_value.type = JSON_NUMBER;
break;
case 't':
if (strcmp(cp, "true") == 0) {
json_value.type = JSON_BOOL;
json_value.u.boolean = true;
}
break;
case 'f':
if (strcmp(cp, "false") == 0) {
json_value.type = JSON_BOOL;
json_value.u.boolean = false;
}
break;
}
/* Default to string type. */
if (json_value.type == JSON_NULL) {
json_value.type = JSON_STRING;
json_value.u.string = cp;
}
debug_return_bool(sudo_json_add_value(jsonc, name, &json_value));
}
static bool
add_array(struct json_container *jsonc, const char *name, char * const * array)
{
const char *cp;
struct json_value json_value;
debug_decl(add_array, SUDO_DEBUG_PLUGIN);
if (!sudo_json_open_array(jsonc, name))
debug_return_bool(false);
while ((cp = *array) != NULL) {
json_value.type = JSON_STRING;
json_value.u.string = cp;
if (!sudo_json_add_value(jsonc, name, &json_value))
debug_return_bool(false);
array++;
}
if (!sudo_json_close_array(jsonc))
debug_return_bool(false);
debug_return_bool(true);
}
static bool
filter_key_value(const char *kv, const char * const * filter)
{
const char * const *cur;
const char *cp;
size_t namelen;
if (filter != NULL) {
namelen = strcspn(kv, "=");
for (cur = filter; (cp = *cur) != NULL; cur++) {
if (strncmp(kv, cp, namelen) == 0 && cp[namelen] == '\0')
return true;
}
}
return false;
}
static bool
add_key_value_object(struct json_container *jsonc, const char *name,
char * const * array, const char * const * filter)
{
char * const *cur;
const char *cp;
bool empty = false;
debug_decl(add_key_value_object, SUDO_DEBUG_PLUGIN);
if (filter != NULL) {
/* Avoid printing an empty object if everything is filtered. */
empty = true;
for (cur = array; (cp = *cur) != NULL; cur++) {
if (!filter_key_value(cp, filter)) {
empty = false;
break;
}
}
}
if (!empty) {
if (!sudo_json_open_object(jsonc, name))
goto bad;
for (cur = array; (cp = *cur) != NULL; cur++) {
if (filter_key_value(cp, filter))
continue;
if (!add_key_value(jsonc, cp))
goto bad;
}
if (!sudo_json_close_object(jsonc))
goto bad;
}
debug_return_bool(true);
bad:
debug_return_bool(false);
}
static bool
add_timestamp(struct json_container *jsonc, struct timespec *ts)
{
struct json_value json_value;
time_t secs = ts->tv_sec;
char timebuf[1024];
struct tm gmt;
size_t len;
debug_decl(add_timestamp, SUDO_DEBUG_PLUGIN);
if (gmtime_r(&secs, &gmt) == NULL)
debug_return_bool(false);
if (!sudo_json_open_object(jsonc, "timestamp"))
debug_return_bool(false);
json_value.type = JSON_NUMBER;
json_value.u.number = ts->tv_sec;
if (!sudo_json_add_value(jsonc, "seconds", &json_value))
debug_return_bool(false);
json_value.type = JSON_NUMBER;
json_value.u.number = ts->tv_nsec;
if (!sudo_json_add_value(jsonc, "nanoseconds", &json_value))
debug_return_bool(false);
timebuf[sizeof(timebuf) - 1] = '\0';
len = strftime(timebuf, sizeof(timebuf), "%Y%m%d%H%M%SZ", &gmt);
if (len != 0 && timebuf[sizeof(timebuf) - 1] == '\0'){
json_value.type = JSON_STRING;
json_value.u.string = timebuf;
if (!sudo_json_add_value(jsonc, "iso8601", &json_value))
debug_return_bool(false);
}
timebuf[sizeof(timebuf) - 1] = '\0';
len = strftime(timebuf, sizeof(timebuf), "%a %b %e %H:%M:%S %Z %Y", &gmt);
if (len != 0 && timebuf[sizeof(timebuf) - 1] == '\0'){
json_value.type = JSON_STRING;
json_value.u.string = timebuf;
if (!sudo_json_add_value(jsonc, "localtime", &json_value))
debug_return_bool(false);
}
if (!sudo_json_close_object(jsonc))
debug_return_bool(false);
debug_return_bool(true);
}
static int
audit_write_json(struct json_container * restrict jsonc)
{
struct stat sb;
int ret = -1;
debug_decl(audit_write_json, SUDO_DEBUG_PLUGIN);
if (!sudo_lock_file(fileno(state.log_fp), SUDO_LOCK)) {
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO|SUDO_DEBUG_LINENO,
"unable to lock %s", state.logfile);
goto done;
}
/* Note: assumes file ends in "\n}\n" */
if (fstat(fileno(state.log_fp), &sb) == -1) {
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO|SUDO_DEBUG_LINENO,
"unable to stat %s", state.logfile);
goto done;
}
if (sb.st_size == 0) {
/* New file */
putc('{', state.log_fp);
} else if (fseeko(state.log_fp, -3, SEEK_END) == 0) {
/* Continue file, overwrite the final "\n}\n" */
putc(',', state.log_fp);
} else {
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO|SUDO_DEBUG_LINENO,
"unable to seek %s", state.logfile);
goto done;
}
fputs(sudo_json_get_buf(jsonc), state.log_fp);
fputs("\n}\n", state.log_fp);
fflush(state.log_fp);
(void)sudo_lock_file(fileno(state.log_fp), SUDO_UNLOCK);
/* TODO: undo partial record on error */
if (!ferror(state.log_fp))
ret = true;
done:
debug_return_int(ret);
}
static int
audit_write_exit_record(int exit_status, int error)
{
struct json_container jsonc;
struct json_value json_value;
struct timespec now;
int ret = -1;
debug_decl(audit_write_exit_record, SUDO_DEBUG_PLUGIN);
if (sudo_gettime_real(&now) == -1) {
sudo_warn("%s", U_("unable to read the clock"));
goto done;
}
if (!sudo_json_init(&jsonc, 4, false, false, false))
goto oom;
if (!sudo_json_open_object(&jsonc, "exit"))
goto oom;
/* Write UUID */
json_value.type = JSON_STRING;
json_value.u.string = state.uuid_str;
if (!sudo_json_add_value(&jsonc, "uuid", &json_value))
goto oom;
/* Write time stamp */
if (!add_timestamp(&jsonc, &now))
goto oom;
if (error != 0) {
/* Error executing command */
json_value.type = JSON_STRING;
json_value.u.string = strerror(error);
if (!sudo_json_add_value(&jsonc, "error", &json_value))
goto oom;
} else {
if (WIFEXITED(exit_status)) {
/* Command exited normally. */
json_value.type = JSON_NUMBER;
json_value.u.number = WEXITSTATUS(exit_status);
if (!sudo_json_add_value(&jsonc, "exit_value", &json_value))
goto oom;
} else if (WIFSIGNALED(exit_status)) {
/* Command killed by signal. */
char signame[SIG2STR_MAX];
int signo = WTERMSIG(exit_status);
if (signo <= 0 || sig2str(signo, signame) == -1) {
json_value.type = JSON_NUMBER;
json_value.u.number = signo;
if (!sudo_json_add_value(&jsonc, "signal", &json_value))
goto oom;
} else {
json_value.type = JSON_STRING;
json_value.u.string = signame; // -V507
if (!sudo_json_add_value(&jsonc, "signal", &json_value))
goto oom;
}
/* Core dump? */
json_value.type = JSON_BOOL;
json_value.u.boolean = WCOREDUMP(exit_status);
if (!sudo_json_add_value(&jsonc, "dumped_core", &json_value))
goto oom;
/* Exit value */
json_value.type = JSON_NUMBER;
json_value.u.number = WTERMSIG(exit_status) | 128;
if (!sudo_json_add_value(&jsonc, "exit_value", &json_value))
goto oom;
}
}
if (!sudo_json_close_object(&jsonc))
goto oom;
ret = audit_write_json(&jsonc);
sudo_json_free(&jsonc);
done:
debug_return_int(ret);
oom:
sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
sudo_json_free(&jsonc);
debug_return_int(-1);
}
static int
audit_write_record(const char *audit_str, const char *plugin_name,
unsigned int plugin_type, const char *reason, char * const command_info[],
char * const run_argv[], char * const run_envp[])
{
struct json_container jsonc;
struct json_value json_value;
struct timespec now;
int ret = -1;
debug_decl(audit_write_record, SUDO_DEBUG_PLUGIN);
if (sudo_gettime_real(&now) == -1) {
sudo_warn("%s", U_("unable to read the clock"));
goto done;
}
if (!sudo_json_init(&jsonc, 4, false, false, false))
goto oom;
if (!sudo_json_open_object(&jsonc, audit_str))
goto oom;
json_value.type = JSON_STRING;
json_value.u.string = plugin_name;
if (!sudo_json_add_value(&jsonc, "plugin_name", &json_value))
goto oom;
switch (plugin_type) {
case SUDO_FRONT_END:
json_value.u.string = "front-end";
break;
case SUDO_POLICY_PLUGIN:
json_value.u.string = "policy";
break;
case SUDO_IO_PLUGIN:
json_value.u.string = "io";
break;
case SUDO_APPROVAL_PLUGIN:
json_value.u.string = "approval";
break;
case SUDO_AUDIT_PLUGIN:
json_value.u.string = "audit";
break;
default:
json_value.u.string = "unknown";
break;
}
json_value.type = JSON_STRING;
if (!sudo_json_add_value(&jsonc, "plugin_type", &json_value))
goto oom;
/* error and reject audit events usually contain a reason. */
if (reason != NULL) {
json_value.type = JSON_STRING;
json_value.u.string = reason;
if (!sudo_json_add_value(&jsonc, "reason", &json_value))
goto oom;
}
json_value.type = JSON_STRING;
json_value.u.string = state.uuid_str;
if (!sudo_json_add_value(&jsonc, "uuid", &json_value))
goto oom;
if (!add_timestamp(&jsonc, &now))
goto oom;
/* Write key=value objects. */
if (state.settings != NULL) {
if (!add_key_value_object(&jsonc, "options", state.settings, settings_filter))
goto oom;
} else {
sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO,
"missing settings list");
}
if (state.user_info != NULL) {
if (!add_key_value_object(&jsonc, "user_info", state.user_info, NULL))
goto oom;
} else {
sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO,
"missing user_info list");
}
if (command_info != NULL) {
if (!add_key_value_object(&jsonc, "command_info", command_info, NULL))
goto oom;
}
/* Write submit_optind before submit_argv */
json_value.type = JSON_NUMBER;
json_value.u.number = state.submit_optind;
if (!sudo_json_add_value(&jsonc, "submit_optind", &json_value))
goto oom;
if (state.submit_argv != NULL) {
if (!add_array(&jsonc, "submit_argv", state.submit_argv))
goto oom;
} else {
sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO,
"missing submit_argv array");
}
if (state.submit_envp != NULL) {
if (!add_array(&jsonc, "submit_envp", state.submit_envp))
goto oom;
} else {
sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO,
"missing submit_envp array");
}
if (run_argv != NULL) {
if (!add_array(&jsonc, "run_argv", run_argv))
goto oom;
}
if (run_envp != NULL) {
if (!add_array(&jsonc, "run_envp", run_envp))
goto oom;
}
if (!sudo_json_close_object(&jsonc))
goto oom;
ret = audit_write_json(&jsonc);
sudo_json_free(&jsonc);
done:
debug_return_int(ret);
oom:
sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
sudo_json_free(&jsonc);
debug_return_int(-1);
}
static int
audit_json_accept(const char *plugin_name, unsigned int plugin_type,
char * const command_info[], char * const run_argv[],
char * const run_envp[], const char **errstr)
{
int ret;
debug_decl(audit_json_accept, SUDO_DEBUG_PLUGIN);
/* Ignore the extra accept event from the sudo front-end. */
if (plugin_type == SUDO_FRONT_END)
debug_return_int(true);
state.accepted = true;
ret = audit_write_record("accept", plugin_name, plugin_type, NULL,
command_info, run_argv, run_envp);
debug_return_int(ret);
}
static int
audit_json_reject(const char *plugin_name, unsigned int plugin_type,
const char *reason, char * const command_info[], const char **errstr)
{
int ret;
debug_decl(audit_json_reject, SUDO_DEBUG_PLUGIN);
ret = audit_write_record("reject", plugin_name, plugin_type,
reason, command_info, NULL, NULL);
debug_return_int(ret);
}
static int
audit_json_error(const char *plugin_name, unsigned int plugin_type,
const char *reason, char * const command_info[], const char **errstr)
{
int ret;
debug_decl(audit_json_error, SUDO_DEBUG_PLUGIN);
ret = audit_write_record("error", plugin_name, plugin_type,
reason, command_info, NULL, NULL);
debug_return_int(ret);
}
static void
audit_json_close(int status_type, int status)
{
debug_decl(audit_json_close, SUDO_DEBUG_PLUGIN);
switch (status_type) {
case SUDO_PLUGIN_NO_STATUS:
break;
case SUDO_PLUGIN_WAIT_STATUS:
audit_write_exit_record(status, 0);
break;
case SUDO_PLUGIN_EXEC_ERROR:
audit_write_exit_record(0, status);
break;
case SUDO_PLUGIN_SUDO_ERROR:
audit_write_record("error", "sudo", 0, strerror(status),
NULL, NULL, NULL);
break;
default:
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
"unexpected status type %d, value %d", status_type, status);
break;
}
free(state.logfile);
if (state.log_fp != NULL)
fclose(state.log_fp);
debug_return;
}
static int
audit_json_show_version(int verbose)
{
debug_decl(audit_json_show_version, SUDO_DEBUG_PLUGIN);
audit_printf(SUDO_CONV_INFO_MSG, "JSON audit plugin version %s\n",
PACKAGE_VERSION);
debug_return_int(true);
}
sudo_dso_public struct audit_plugin audit_json = {
SUDO_AUDIT_PLUGIN,
SUDO_API_VERSION,
audit_json_open,
audit_json_close,
audit_json_accept,
audit_json_reject,
audit_json_error,
audit_json_show_version,
NULL, /* register_hooks */
NULL /* deregister_hooks */
};
Reference in New Issue View Git Blame Copy Permalink