2 common routines for audit logging
4 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2018
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #include "librpc/ndr/libndr.h"
28 #include "lib/tsocket/tsocket.h"
29 #include "libcli/security/dom_sid.h"
30 #include "lib/messaging/messaging.h"
31 #include "auth/common_auth.h"
32 #include "audit_logging.h"
35 * @brief Get a human readable timestamp.
37 * Returns the current time formatted as
38 * "Tue, 14 Mar 2017 08:38:42.209028 NZDT"
40 * The returned string is allocated by talloc in the supplied context.
41 * It is the callers responsibility to free it.
43 * @param mem_ctx talloc memory context that owns the returned string.
45 * @return a human readable time stamp, or NULL in the event of an error.
48 char* audit_get_timestamp(TALLOC_CTX *frame)
50 char buffer[40]; /* formatted time less usec and timezone */
51 char tz[10]; /* formatted time zone */
52 struct tm* tm_info; /* current local time */
53 struct timeval tv; /* current system time */
54 int ret; /* response code */
55 char * ts; /* formatted time stamp */
57 ret = gettimeofday(&tv, NULL);
59 DBG_ERR("Unable to get time of day: (%d) %s\n",
65 tm_info = localtime(&tv.tv_sec);
66 if (tm_info == NULL) {
67 DBG_ERR("Unable to determine local time\n");
71 strftime(buffer, sizeof(buffer)-1, "%a, %d %b %Y %H:%M:%S", tm_info);
72 strftime(tz, sizeof(tz)-1, "%Z", tm_info);
73 ts = talloc_asprintf(frame, "%s.%06ld %s", buffer, tv.tv_usec, tz);
75 DBG_ERR("Out of memory formatting time stamp\n");
81 * @brief write an audit message to the audit logs.
83 * Write a human readable text audit message to the samba logs.
85 * @param prefix Text to be printed at the start of the log line
86 * @param message The content of the log line.
87 * @param debub_class The debug class to log the message with.
88 * @param debug_level The debug level to log the message with.
90 void audit_log_human_text(const char* prefix,
95 DEBUGC(debug_class, debug_level, ("%s %s\n", prefix, message));
100 * Constant for empty json object initialisation
102 const struct json_object json_empty_object = {.valid = false, .root = NULL};
104 * @brief write a json object to the samba audit logs.
106 * Write the json object to the audit logs as a formatted string
108 * @param prefix Text to be printed at the start of the log line
109 * @param message The content of the log line.
110 * @param debub_class The debug class to log the message with.
111 * @param debug_level The debug level to log the message with.
113 void audit_log_json(const char* prefix,
114 struct json_object* message,
118 TALLOC_CTX *ctx = NULL;
121 if (json_is_invalid(message)) {
122 DBG_ERR("Invalid JSON object, unable to log\n");
126 ctx = talloc_new(NULL);
127 s = json_to_string(ctx, message);
129 DBG_ERR("json_to_string for (%s) returned NULL, "
130 "JSON audit message could not written\n",
135 DEBUGC(debug_class, debug_level, ("JSON %s: %s\n", prefix, s));
140 * @brief get a connection to the messaging event server.
142 * Get a connection to the messaging event server registered by server_name.
144 * @param msg_ctx a valid imessaging_context.
145 * @param server_name name of messaging event server to connect to.
146 * @param server_id The event server details to populate
150 static NTSTATUS get_event_server(
151 struct imessaging_context *msg_ctx,
152 const char *server_name,
153 struct server_id *event_server)
156 TALLOC_CTX *frame = talloc_stackframe();
157 unsigned num_servers, i;
158 struct server_id *servers;
160 status = irpc_servers_byname(
167 if (!NT_STATUS_IS_OK(status)) {
169 "Failed to find '%s' registered on the message bus to "
170 "send JSON audit events to: %s\n",
178 * Select the first server that is listening, because we get
179 * connection refused as NT_STATUS_OBJECT_NAME_NOT_FOUND
182 for (i = 0; i < num_servers; i++) {
183 status = imessaging_send(
188 if (NT_STATUS_IS_OK(status)) {
189 *event_server = servers[i];
195 "Failed to find '%s' registered on the message bus to "
196 "send JSON audit events to: %s\n",
200 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
204 * @brief send an audit message to a messaging event server.
206 * Send the message to a registered and listening event server.
207 * Note: Any errors are logged, and the message is not sent. This is to ensure
208 * that a poorly behaved event server does not impact Samba.
210 * As it is possible to lose messages, especially during server
211 * shut down, currently this function is primarily intended for use
212 * in integration tests.
214 * @param msg_ctx an imessaging_context, can be NULL in which case no message
216 * @param server_name the naname of the event server to send the message to.
217 * @param messag_type A message type defined in librpc/idl/messaging.idl
218 * @param message The message to send.
221 void audit_message_send(
222 struct imessaging_context *msg_ctx,
223 const char *server_name,
224 uint32_t message_type,
225 struct json_object *message)
227 struct server_id event_server = {};
230 const char *message_string = NULL;
231 DATA_BLOB message_blob = data_blob_null;
232 TALLOC_CTX *ctx = NULL;
234 if (json_is_invalid(message)) {
235 DBG_ERR("Invalid JSON object, unable to send\n");
238 if (msg_ctx == NULL) {
239 DBG_DEBUG("No messaging context\n");
243 /* Need to refetch the address each time as the destination server may
244 * have disconnected and reconnected in the interim, in which case
245 * messages may get lost
247 status = get_event_server(msg_ctx, server_name, &event_server);
248 if (!NT_STATUS_IS_OK(status)) {
253 message_string = json_to_string(ctx, message);
254 message_blob = data_blob_string_const(message_string);
255 status = imessaging_send(
262 * If the server crashed, try to find it again
264 if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
265 status = get_event_server(msg_ctx, server_name, &event_server);
266 if (!NT_STATUS_IS_OK(status)) {
280 * @brief Create a new struct json_object, wrapping a JSON Object.
282 * Create a new json object, the json_object wraps the underlying json
283 * implementations JSON Object representation.
285 * Free with a call to json_free_object, note that the jansson inplementation
286 * allocates memory with malloc and not talloc.
288 * @return a struct json_object, valid will be set to false if the object
289 * could not be created.
292 struct json_object json_new_object(void) {
294 struct json_object object = json_empty_object;
296 object.root = json_object();
297 if (object.root == NULL) {
298 object.valid = false;
299 DBG_ERR("Unable to create JSON object\n");
307 * @brief Create a new struct json_object wrapping a JSON Array.
309 * Create a new json object, the json_object wraps the underlying json
310 * implementations JSON Array representation.
312 * Free with a call to json_free_object, note that the jansson inplementation
313 * allocates memory with malloc and not talloc.
315 * @return a struct json_object, error will be set to true if the array
316 * could not be created.
319 struct json_object json_new_array(void) {
321 struct json_object array = json_empty_object;
323 array.root = json_array();
324 if (array.root == NULL) {
326 DBG_ERR("Unable to create JSON array\n");
335 * @brief free and invalidate a previously created JSON object.
337 * Release any resources owned by a json_object, and then mark the structure
338 * as invalid. It is safe to call this multiple times on an object.
341 void json_free(struct json_object *object)
343 if (object->root != NULL) {
344 json_decref(object->root);
347 object->valid = false;
351 * @brief is the current JSON object invalid?
353 * Check the state of the object to determine if it is invalid.
355 * @return is the object valid?
358 bool json_is_invalid(const struct json_object *object)
360 return !object->valid;
364 * @brief Add an integer value to a JSON object.
366 * Add an integer value named 'name' to the json object.
368 * @param object the JSON object to be updated.
369 * @param name the name of the value.
370 * @param value the value.
372 * @return 0 the operation was successful
373 * -1 the operation failed
376 int json_add_int(struct json_object *object, const char *name, const int value)
379 json_t *integer = NULL;
381 if (json_is_invalid(object)) {
382 DBG_ERR("Unable to add int [%s] value [%d], "
383 "target object is invalid\n",
389 integer = json_integer(value);
390 if (integer == NULL) {
391 DBG_ERR("Unable to create integer value [%s] value [%d]\n",
397 ret = json_object_set_new(object->root, name, integer);
399 json_decref(integer);
400 DBG_ERR("Unable to add int [%s] value [%d]\n", name, value);
406 * @brief Add a boolean value to a JSON object.
408 * Add a boolean value named 'name' to the json object.
410 * @param object the JSON object to be updated.
411 * @param name the name.
412 * @param value the value.
414 * @return 0 the operation was successful
415 * -1 the operation failed
418 int json_add_bool(struct json_object *object,
424 if (json_is_invalid(object)) {
425 DBG_ERR("Unable to add boolean [%s] value [%d], "
426 "target object is invalid\n",
432 ret = json_object_set_new(object->root, name, json_boolean(value));
434 DBG_ERR("Unable to add boolean [%s] value [%d]\n", name, value);
440 * @brief Add a string value to a JSON object.
442 * Add a string value named 'name' to the json object.
444 * @param object the JSON object to be updated.
445 * @param name the name.
446 * @param value the value.
448 * @return 0 the operation was successful
449 * -1 the operation failed
452 int json_add_string(struct json_object *object,
458 if (json_is_invalid(object)) {
459 DBG_ERR("Unable to add string [%s], target object is invalid\n",
464 json_t *string = json_string(value);
465 if (string == NULL) {
466 DBG_ERR("Unable to add string [%s], "
467 "could not create string object\n",
471 ret = json_object_set_new(object->root, name, string);
474 DBG_ERR("Unable to add string [%s]\n", name);
478 ret = json_object_set_new(object->root, name, json_null());
480 DBG_ERR("Unable to add null string [%s]\n", name);
488 * @brief Assert that the current JSON object is an array.
490 * Check that the current object is a JSON array, and if not
491 * invalidate the object. We also log an error message as this indicates
492 * bug in the calling code.
494 * @param object the JSON object to be validated.
496 void json_assert_is_array(struct json_object *array) {
498 if (json_is_invalid(array)) {
502 if (json_is_array(array->root) == false) {
503 DBG_ERR("JSON object is not an array\n");
504 array->valid = false;
510 * @brief Add a JSON object to a JSON object.
512 * Add a JSON object named 'name' to the json object.
514 * @param object the JSON object to be updated.
515 * @param name the name.
516 * @param value the value.
518 * @return 0 the operation was successful
519 * -1 the operation failed
522 int json_add_object(struct json_object *object,
524 struct json_object *value)
529 if (value != NULL && json_is_invalid(value)) {
530 DBG_ERR("Invalid JSON object [%s] supplied\n", name);
533 if (json_is_invalid(object)) {
534 DBG_ERR("Unable to add object [%s], target object is invalid\n",
539 jv = value == NULL ? json_null() : value->root;
541 if (json_is_array(object->root)) {
542 ret = json_array_append_new(object->root, jv);
543 } else if (json_is_object(object->root)) {
544 ret = json_object_set_new(object->root, name, jv);
546 DBG_ERR("Invalid JSON object type\n");
550 DBG_ERR("Unable to add object [%s]\n", name);
556 * @brief Add a string to a JSON object, truncating if necessary.
559 * Add a string value named 'name' to the json object, the string will be
560 * truncated if it is more than len characters long. If len is 0 the value
561 * is encoded as a JSON null.
564 * @param object the JSON object to be updated.
565 * @param name the name.
566 * @param value the value.
567 * @param len the maximum number of characters to be copied.
569 * @return 0 the operation was successful
570 * -1 the operation failed
573 int json_add_stringn(struct json_object *object,
580 if (json_is_invalid(object)) {
581 DBG_ERR("Unable to add string [%s], target object is invalid\n",
586 if (value != NULL && len > 0) {
587 json_t *string = NULL;
590 strncpy(buffer, value, len);
593 string = json_string(buffer);
594 if (string == NULL) {
595 DBG_ERR("Unable to add string [%s], "
596 "could not create string object\n",
600 ret = json_object_set_new(object->root, name, string);
603 DBG_ERR("Unable to add string [%s]\n", name);
607 ret = json_object_set_new(object->root, name, json_null());
609 DBG_ERR("Unable to add null string [%s]\n", name);
617 * @brief Add a version object to a JSON object
619 * Add a version object to the JSON object
620 * "version":{"major":1, "minor":0}
622 * The version tag is intended to aid the processing of the JSON messages
623 * The major version number should change when an attribute is:
626 * - its meaning changes
627 * - its contents change format
628 * The minor version should change whenever a new attribute is added and for
629 * minor bug fixes to an attributes content.
632 * @param object the JSON object to be updated.
633 * @param major the major version number
634 * @param minor the minor version number
636 * @return 0 the operation was successful
637 * -1 the operation failed
639 int json_add_version(struct json_object *object, int major, int minor)
642 struct json_object version;
644 if (json_is_invalid(object)) {
645 DBG_ERR("Unable to add version, target object is invalid\n");
649 version = json_new_object();
650 if (json_is_invalid(&version)) {
651 DBG_ERR("Unable to add version, failed to create object\n");
654 ret = json_add_int(&version, "major", major);
659 ret = json_add_int(&version, "minor", minor);
664 ret = json_add_object(object, "version", &version);
673 * @brief add an ISO 8601 timestamp to the object.
675 * Add the current date and time as a timestamp in ISO 8601 format
678 * "timestamp":"2017-03-06T17:18:04.455081+1300"
681 * @param object the JSON object to be updated.
683 * @return 0 the operation was successful
684 * -1 the operation failed
686 int json_add_timestamp(struct json_object *object)
688 char buffer[40]; /* formatted time less usec and timezone */
689 char timestamp[65]; /* the formatted ISO 8601 time stamp */
690 char tz[10]; /* formatted time zone */
691 struct tm* tm_info; /* current local time */
692 struct timeval tv; /* current system time */
693 int r; /* response code from gettimeofday */
694 int ret; /* return code from json operations */
696 if (json_is_invalid(object)) {
697 DBG_ERR("Unable to add time stamp, target object is invalid\n");
701 r = gettimeofday(&tv, NULL);
703 DBG_ERR("Unable to get time of day: (%d) %s\n",
709 tm_info = localtime(&tv.tv_sec);
710 if (tm_info == NULL) {
711 DBG_ERR("Unable to determine local time\n");
715 strftime(buffer, sizeof(buffer)-1, "%Y-%m-%dT%T", tm_info);
716 strftime(tz, sizeof(tz)-1, "%z", tm_info);
724 ret = json_add_string(object, "timestamp", timestamp);
726 DBG_ERR("Unable to add time stamp to JSON object\n");
732 *@brief Add a tsocket_address to a JSON object
734 * Add the string representation of a Samba tsocket_address to the object.
736 * "localAddress":"ipv6::::0"
739 * @param object the JSON object to be updated.
740 * @param name the name.
741 * @param address the tsocket_address.
743 * @return 0 the operation was successful
744 * -1 the operation failed
747 int json_add_address(struct json_object *object,
749 const struct tsocket_address *address)
753 if (json_is_invalid(object)) {
754 DBG_ERR("Unable to add address [%s], "
755 "target object is invalid\n",
760 if (address == NULL) {
761 ret = json_object_set_new(object->root, name, json_null());
763 DBG_ERR("Unable to add null address [%s]\n", name);
767 TALLOC_CTX *ctx = talloc_new(NULL);
771 DBG_ERR("Out of memory adding address [%s]\n", name);
775 s = tsocket_address_string(address, ctx);
777 DBG_ERR("Out of memory adding address [%s]\n", name);
781 ret = json_add_string(object, name, s);
784 "Unable to add address [%s] value [%s]\n", name, s);
794 * @brief Add a formatted string representation of a sid to a json object.
796 * Add the string representation of a Samba sid to the object.
801 * @param object the JSON object to be updated.
802 * @param name the name.
805 * @return 0 the operation was successful
806 * -1 the operation failed
809 int json_add_sid(struct json_object *object,
811 const struct dom_sid *sid)
815 if (json_is_invalid(object)) {
816 DBG_ERR("Unable to add SID [%s], "
817 "target object is invalid\n",
823 ret = json_object_set_new(object->root, name, json_null());
825 DBG_ERR("Unable to add null SID [%s]\n", name);
829 struct dom_sid_buf sid_buf;
831 ret = json_add_string(
832 object, name, dom_sid_str_buf(sid, &sid_buf));
834 DBG_ERR("Unable to add SID [%s] value [%s]\n",
844 * @brief Add a formatted string representation of a guid to a json object.
846 * Add the string representation of a Samba GUID to the object.
848 * "guid":"1fb9f2ee-2a4d-4bf8-af8b-cb9d4529a9ab"
851 * @param object the JSON object to be updated.
852 * @param name the name.
853 * @param guid the guid.
855 * @return 0 the operation was successful
856 * -1 the operation failed
860 int json_add_guid(struct json_object *object,
862 const struct GUID *guid)
867 if (json_is_invalid(object)) {
868 DBG_ERR("Unable to add GUID [%s], "
869 "target object is invalid\n",
875 ret = json_object_set_new(object->root, name, json_null());
877 DBG_ERR("Unable to add null GUID [%s]\n", name);
882 struct GUID_txt_buf guid_buff;
884 guid_str = GUID_buf_string(guid, &guid_buff);
885 ret = json_add_string(object, name, guid_str);
887 DBG_ERR("Unable to guid GUID [%s] value [%s]\n",
897 * @brief Convert a JSON object into a string
899 * Convert the jsom object into a string suitable for printing on a log line,
900 * i.e. with no embedded line breaks.
902 * If the object is invalid it logs an error and returns NULL.
904 * @param mem_ctx the talloc memory context owning the returned string
905 * @param object the json object.
907 * @return A string representation of the object or NULL if the object
910 char *json_to_string(TALLOC_CTX *mem_ctx, const struct json_object *object)
913 char *json_string = NULL;
915 if (json_is_invalid(object)) {
916 DBG_ERR("Invalid JSON object, unable to convert to string\n");
920 if (object->root == NULL) {
925 * json_dumps uses malloc, so need to call free(json) to release
928 json = json_dumps(object->root, 0);
930 DBG_ERR("Unable to convert JSON object to string\n");
934 json_string = talloc_strdup(mem_ctx, json);
935 if (json_string == NULL) {
937 DBG_ERR("Unable to copy JSON object string to talloc string\n");
946 * @brief get a json array named "name" from the json object.
948 * Get the array attribute named name, creating it if it does not exist.
950 * @param object the json object.
951 * @param name the name of the array attribute
953 * @return The array object, will be created if it did not exist.
955 struct json_object json_get_array(struct json_object *object, const char *name)
958 struct json_object array = json_empty_object;
962 if (json_is_invalid(object)) {
963 DBG_ERR("Invalid JSON object, unable to get array [%s]\n",
969 array = json_new_array();
970 if (json_is_invalid(&array)) {
971 DBG_ERR("Unable to create new array for [%s]\n", name);
975 a = json_object_get(object->root, name);
980 ret = json_array_extend(array.root, a);
982 DBG_ERR("Unable to get array [%s]\n", name);
991 * @brief get a json object named "name" from the json object.
993 * Get the object attribute named name, creating it if it does not exist.
995 * @param object the json object.
996 * @param name the name of the object attribute
998 * @return The object, will be created if it did not exist.
1000 struct json_object json_get_object(struct json_object *object, const char *name)
1003 struct json_object o = json_new_object();
1007 if (json_is_invalid(object)) {
1008 DBG_ERR("Invalid JSON object, unable to get object [%s]\n",
1014 v = json_object_get(object->root, name);
1018 ret = json_object_update(o.root, v);
1020 DBG_ERR("Unable to get object [%s]\n", name);
git.samba.org / samba.git / blob