2 common routines for audit logging
4 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2018
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 * The json_object structure contains a boolean 'error'. This is set whenever
24 * an error is detected. All the library functions check this flag and return
25 * immediately if it is set.
27 * if (object->error) {
31 * This allows the operations to be sequenced naturally with out the clutter
32 * of error status checks.
34 * audit = json_new_object();
35 * json_add_version(&audit, OPERATION_MAJOR, OPERATION_MINOR);
36 * json_add_int(&audit, "statusCode", ret);
37 * json_add_string(&audit, "status", ldb_strerror(ret));
38 * json_add_string(&audit, "operation", operation);
39 * json_add_address(&audit, "remoteAddress", remote);
40 * json_add_sid(&audit, "userSid", sid);
41 * json_add_string(&audit, "dn", dn);
42 * json_add_guid(&audit, "transactionId", &ac->transaction_guid);
43 * json_add_guid(&audit, "sessionId", unique_session_token);
45 * The assumptions are that errors will be rare, and that the audit logging
46 * code should not cause failures. So errors are logged but processing
47 * continues on a best effort basis.
52 #include "librpc/ndr/libndr.h"
53 #include "lib/tsocket/tsocket.h"
54 #include "libcli/security/dom_sid.h"
55 #include "lib/messaging/messaging.h"
56 #include "auth/common_auth.h"
57 #include "audit_logging.h"
60 * @brief Get a human readable timestamp.
62 * Returns the current time formatted as
63 * "Tue, 14 Mar 2017 08:38:42.209028 NZDT"
65 * The returned string is allocated by talloc in the supplied context.
66 * It is the callers responsibility to free it.
68 * @param mem_ctx talloc memory context that owns the returned string.
70 * @return a human readable time stamp.
73 char* audit_get_timestamp(TALLOC_CTX *frame)
75 char buffer[40]; /* formatted time less usec and timezone */
76 char tz[10]; /* formatted time zone */
77 struct tm* tm_info; /* current local time */
78 struct timeval tv; /* current system time */
79 int r; /* response code from gettimeofday */
80 char * ts; /* formatted time stamp */
82 r = gettimeofday(&tv, NULL);
84 DBG_ERR("Unable to get time of day: (%d) %s\n",
90 tm_info = localtime(&tv.tv_sec);
91 if (tm_info == NULL) {
92 DBG_ERR("Unable to determine local time\n");
96 strftime(buffer, sizeof(buffer)-1, "%a, %d %b %Y %H:%M:%S", tm_info);
97 strftime(tz, sizeof(tz)-1, "%Z", tm_info);
98 ts = talloc_asprintf(frame, "%s.%06ld %s", buffer, tv.tv_usec, tz);
100 DBG_ERR("Out of memory formatting time stamp\n");
106 * @brief write an audit message to the audit logs.
108 * Write a human readable text audit message to the samba logs.
110 * @param prefix Text to be printed at the start of the log line
111 * @param message The content of the log line.
112 * @param debub_class The debug class to log the message with.
113 * @param debug_level The debug level to log the message with.
115 void audit_log_human_text(const char* prefix,
120 DEBUGC(debug_class, debug_level, ("%s %s\n", prefix, message));
125 * @brief write a json object to the samba audit logs.
127 * Write the json object to the audit logs as a formatted string
129 * @param prefix Text to be printed at the start of the log line
130 * @param message The content of the log line.
131 * @param debub_class The debug class to log the message with.
132 * @param debug_level The debug level to log the message with.
134 void audit_log_json(const char* prefix,
135 struct json_object* message,
139 TALLOC_CTX *ctx = talloc_new(NULL);
140 char *s = json_to_string(ctx, message);
141 DEBUGC(debug_class, debug_level, ("JSON %s: %s\n", prefix, s));
146 * @brief get a connection to the messaging event server.
148 * Get a connection to the messaging event server registered by server_name.
150 * @param msg_ctx a valid imessaging_context.
151 * @param server_name name of messaging event server to connect to.
152 * @param server_id The event server details to populate
156 static NTSTATUS get_event_server(
157 struct imessaging_context *msg_ctx,
158 const char *server_name,
159 struct server_id *event_server)
162 TALLOC_CTX *frame = talloc_stackframe();
163 unsigned num_servers, i;
164 struct server_id *servers;
166 status = irpc_servers_byname(
173 if (!NT_STATUS_IS_OK(status)) {
175 "Failed to find '%s' registered on the message bus to "
176 "send JSON audit events to: %s\n",
184 * Select the first server that is listening, because we get
185 * connection refused as NT_STATUS_OBJECT_NAME_NOT_FOUND
188 for (i = 0; i < num_servers; i++) {
189 status = imessaging_send(
194 if (NT_STATUS_IS_OK(status)) {
195 *event_server = servers[i];
201 "Failed to find '%s' registered on the message bus to "
202 "send JSON audit events to: %s\n",
206 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
210 * @brief send an audit message to a messaging event server.
212 * Send the message to a registered and listening event server.
213 * Note: Any errors are logged, and the message is not sent. This is to ensure
214 * that a poorly behaved event server does not impact Samba.
216 * As it is possible to lose messages, especially during server
217 * shut down, currently this function is primarily intended for use
218 * in integration tests.
220 * @param msg_ctx an imessaging_context, can be NULL in which case no message
222 * @param server_name the naname of the event server to send the message to.
223 * @param messag_type A message type defined in librpc/idl/messaging.idl
224 * @param message The message to send.
227 void audit_message_send(
228 struct imessaging_context *msg_ctx,
229 const char *server_name,
230 uint32_t message_type,
231 struct json_object *message)
233 struct server_id event_server;
236 const char *message_string = NULL;
237 DATA_BLOB message_blob = data_blob_null;
238 TALLOC_CTX *ctx = talloc_new(NULL);
240 if (msg_ctx == NULL) {
241 DBG_DEBUG("No messaging context\n");
246 /* Need to refetch the address each time as the destination server may
247 * have disconnected and reconnected in the interim, in which case
248 * messages may get lost
250 status = get_event_server(msg_ctx, server_name, &event_server);
251 if (!NT_STATUS_IS_OK(status)) {
252 DBG_ERR("get_event_server for %s returned (%s)\n",
259 message_string = json_to_string(ctx, message);
260 message_blob = data_blob_string_const(message_string);
261 status = imessaging_send(
268 * If the server crashed, try to find it again
270 if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
271 status = get_event_server(msg_ctx, server_name, &event_server);
272 if (!NT_STATUS_IS_OK(status)) {
273 DBG_ERR("get_event_server for %s returned (%s)\n",
289 * @brief Create a new struct json_object, wrapping a JSON Object.
291 * Create a new json object, the json_object wraps the underlying json
292 * implementations JSON Object representation.
294 * Free with a call to json_free_object, note that the jansson inplementation
295 * allocates memory with malloc and not talloc.
297 * @return a struct json_object, error will be set to true if the object
298 * could not be created.
301 struct json_object json_new_object(void) {
303 struct json_object object;
304 object.error = false;
306 object.root = json_object();
307 if (object.root == NULL) {
309 DBG_ERR("Unable to create json_object\n");
315 * @brief Create a new struct json_object wrapping a JSON Array.
317 * Create a new json object, the json_object wraps the underlying json
318 * implementations JSON Array representation.
320 * Free with a call to json_free_object, note that the jansson inplementation
321 * allocates memory with malloc and not talloc.
323 * @return a struct json_object, error will be set to true if the array
324 * could not be created.
327 struct json_object json_new_array(void) {
329 struct json_object array;
332 array.root = json_array();
333 if (array.root == NULL) {
335 DBG_ERR("Unable to create json_array\n");
342 * @brief free and invalidate a previously created JSON object.
344 * Release any resources owned by a json_object, and then mark the structure
345 * as invalid. It is safe to call this multiple times on an object.
348 void json_free(struct json_object *object)
350 if (object->root != NULL) {
351 json_decref(object->root);
354 object->error = true;
358 * @brief is the current JSON object invalid?
360 * Check the state of the object to determine if it is invalid.
362 * @return is the object valid?
365 bool json_is_invalid(struct json_object *object)
367 return object->error;
371 * @brief Add an integer value to a JSON object.
373 * Add an integer value named 'name' to the json object.
374 * In the event of an error object will be invalidated.
376 * @param object the JSON object to be updated.
377 * @param name the name of the value.
378 * @param value the value.
381 void json_add_int(struct json_object *object,
391 rc = json_object_set_new(object->root, name, json_integer(value));
393 DBG_ERR("Unable to set name [%s] value [%d]\n", name, value);
394 object->error = true;
399 * @brief Add a boolean value to a JSON object.
401 * Add a boolean value named 'name' to the json object.
402 * In the event of an error object will be invalidated.
404 * @param object the JSON object to be updated.
405 * @param name the name.
406 * @param value the value.
409 void json_add_bool(struct json_object *object,
419 rc = json_object_set_new(object->root, name, json_boolean(value));
421 DBG_ERR("Unable to set name [%s] value [%d]\n", name, value);
422 object->error = true;
428 * @brief Add a string value to a JSON object.
430 * Add a string value named 'name' to the json object.
431 * In the event of an error object will be invalidated.
433 * @param object the JSON object to be updated.
434 * @param name the name.
435 * @param value the value.
438 void json_add_string(struct json_object *object,
449 rc = json_object_set_new(
454 rc = json_object_set_new(object->root, name, json_null());
457 DBG_ERR("Unable to set name [%s] value [%s]\n", name, value);
458 object->error = true;
463 * @brief Assert that the current JSON object is an array.
465 * Check that the current object is a JSON array, and if not
466 * invalidate the object. We also log an error message as this indicates
467 * bug in the calling code.
469 * @param object the JSON object to be validated.
471 void json_assert_is_array(struct json_object *array) {
477 if (json_is_array(array->root) == false) {
478 DBG_ERR("JSON object is not an array\n");
485 * @brief Add a JSON object to a JSON object.
487 * Add a JSON object named 'name' to the json object.
488 * In the event of an error object will be invalidated.
490 * @param object the JSON object to be updated.
491 * @param name the name.
492 * @param value the value.
495 void json_add_object(struct json_object *object,
497 struct json_object *value)
506 if (value != NULL && value->error) {
507 object->error = true;
511 jv = value == NULL ? json_null() : value->root;
513 if (json_is_array(object->root)) {
514 rc = json_array_append_new(object->root, jv);
515 } else if (json_is_object(object->root)) {
516 rc = json_object_set_new(object->root, name, jv);
518 DBG_ERR("Invalid JSON object type\n");
519 object->error = true;
522 DBG_ERR("Unable to add object [%s]\n", name);
523 object->error = true;
528 * @brief Add a string to a JSON object, truncating if necessary.
531 * Add a string value named 'name' to the json object, the string will be
532 * truncated if it is more than len characters long. If len is 0 the value
533 * is encoded as a JSON null.
535 * In the event of an error object will be invalidated.
537 * @param object the JSON object to be updated.
538 * @param name the name.
539 * @param value the value.
540 * @param len the maximum number of characters to be copied.
543 void json_add_stringn(struct json_object *object,
554 if (value != NULL && len > 0) {
556 strncpy(buffer, value, len);
558 rc = json_object_set_new(object->root,
560 json_string(buffer));
562 rc = json_object_set_new(object->root, name, json_null());
565 DBG_ERR("Unable to set name [%s] value [%s]\n", name, value);
566 object->error = true;
571 * @brief Add a version object to a JSON object
573 * Add a version object to the JSON object
574 * "version":{"major":1, "minor":0}
576 * The version tag is intended to aid the processing of the JSON messages
577 * The major version number should change when an attribute is:
580 * - its meaning changes
581 * - its contents change format
582 * The minor version should change whenever a new attribute is added and for
583 * minor bug fixes to an attributes content.
585 * In the event of an error object will be invalidated.
587 * @param object the JSON object to be updated.
588 * @param major the major version number
589 * @param minor the minor version number
591 void json_add_version(struct json_object *object, int major, int minor)
593 struct json_object version = json_new_object();
594 json_add_int(&version, "major", major);
595 json_add_int(&version, "minor", minor);
596 json_add_object(object, "version", &version);
600 * @brief add an ISO 8601 timestamp to the object.
602 * Add the current date and time as a timestamp in ISO 8601 format
605 * "timestamp":"2017-03-06T17:18:04.455081+1300"
607 * In the event of an error object will be invalidated.
609 * @param object the JSON object to be updated.
611 void json_add_timestamp(struct json_object *object)
613 char buffer[40]; /* formatted time less usec and timezone */
614 char timestamp[65]; /* the formatted ISO 8601 time stamp */
615 char tz[10]; /* formatted time zone */
616 struct tm* tm_info; /* current local time */
617 struct timeval tv; /* current system time */
618 int r; /* response code from gettimeofday */
624 r = gettimeofday(&tv, NULL);
626 DBG_ERR("Unable to get time of day: (%d) %s\n",
629 object->error = true;
633 tm_info = localtime(&tv.tv_sec);
634 if (tm_info == NULL) {
635 DBG_ERR("Unable to determine local time\n");
636 object->error = true;
640 strftime(buffer, sizeof(buffer)-1, "%Y-%m-%dT%T", tm_info);
641 strftime(tz, sizeof(tz)-1, "%z", tm_info);
649 json_add_string(object, "timestamp", timestamp);
654 *@brief Add a tsocket_address to a JSON object
656 * Add the string representation of a Samba tsocket_address to the object.
658 * "localAddress":"ipv6::::0"
660 * In the event of an error object will be invalidated.
662 * @param object the JSON object to be updated.
663 * @param name the name.
664 * @param address the tsocket_address.
667 void json_add_address(struct json_object *object,
669 const struct tsocket_address *address)
675 if (address == NULL) {
676 int rc = json_object_set_new(object->root, name, json_null());
678 DBG_ERR("Unable to set address [%s] to null\n", name);
679 object->error = true;
682 TALLOC_CTX *ctx = talloc_new(NULL);
685 s = tsocket_address_string(address, ctx);
686 json_add_string(object, name, s);
692 * @brief Add a formatted string representation of a sid to a json object.
694 * Add the string representation of a Samba sid to the object.
698 * In the event of an error object will be invalidated.
700 * @param object the JSON object to be updated.
701 * @param name the name.
705 void json_add_sid(struct json_object *object,
707 const struct dom_sid *sid)
714 int rc = json_object_set_new(object->root, name, json_null());
716 DBG_ERR("Unable to set SID [%s] to null\n", name);
717 object->error = true;
720 char sid_buf[DOM_SID_STR_BUFLEN];
722 dom_sid_string_buf(sid, sid_buf, sizeof(sid_buf));
723 json_add_string(object, name, sid_buf);
728 * @brief Add a formatted string representation of a guid to a json object.
730 * Add the string representation of a Samba GUID to the object.
732 * "guid":"1fb9f2ee-2a4d-4bf8-af8b-cb9d4529a9ab"
734 * In the event of an error object will be invalidated.
736 * @param object the JSON object to be updated.
737 * @param name the name.
738 * @param guid the guid.
742 void json_add_guid(struct json_object *object,
744 const struct GUID *guid)
752 int rc = json_object_set_new(object->root, name, json_null());
754 DBG_ERR("Unable to set GUID [%s] to null\n", name);
755 object->error = true;
759 struct GUID_txt_buf guid_buff;
761 guid_str = GUID_buf_string(guid, &guid_buff);
762 json_add_string(object, name, guid_str);
768 * @brief Convert a JSON object into a string
770 * Convert the jsom object into a string suitable for printing on a log line,
771 * i.e. with no embedded line breaks.
773 * If the object is invalid it returns NULL.
775 * @param mem_ctx the talloc memory context owning the returned string
776 * @param object the json object.
778 * @return A string representation of the object or NULL if the object
781 char *json_to_string(TALLOC_CTX *mem_ctx,
782 struct json_object *object)
785 char *json_string = NULL;
792 * json_dumps uses malloc, so need to call free(json) to release
795 json = json_dumps(object->root, 0);
797 DBG_ERR("Unable to convert JSON object to string\n");
801 json_string = talloc_strdup(mem_ctx, json);
802 if (json_string == NULL) {
804 DBG_ERR("Unable to copy JSON object string to talloc string\n");
813 * @brief get a json array named "name" from the json object.
815 * Get the array attribute named name, creating it if it does not exist.
817 * @param object the json object.
818 * @param name the name of the array attribute
820 * @return The array object, will be created if it did not exist.
822 struct json_object json_get_array(struct json_object *object,
826 struct json_object array = json_new_array();
834 a = json_object_get(object->root, name);
838 json_array_extend(array.root, a);
844 * @brief get a json object named "name" from the json object.
846 * Get the object attribute named name, creating it if it does not exist.
848 * @param object the json object.
849 * @param name the name of the object attribute
851 * @return The object, will be created if it did not exist.
853 struct json_object json_get_object(struct json_object *object,
857 struct json_object o = json_new_object();
865 v = json_object_get(object->root, name);
869 json_object_update(o.root, v);