Add an API for reporting security events, and a security event logging module.

This commit introduces the security events API.  This API is to be used by
Asterisk components to report events that have security implications.
A simple example is when a connection is made but fails authentication.  These
events can be used by external tools manipulate firewall rules or something
similar after detecting unusual activity based on security events.

Inside of Asterisk, the events go through the ast_event API.  This means that
they have a binary encoding, and it is easy to write code to subscribe to these
events and do something with them.

One module is provided that is a subscriber to these events - res_security_log.
This module turns security events into a parseable text format and sends them
to the "security" logger level.  Using logger.conf, these log entries may be
sent to a file, or to syslog.

One service, AMI, has been fully updated for reporting security events.
AMI was chosen as it was a fairly straight forward service to convert.
The next target will be chan_sip.  That will be more complicated and will
be done as its own project as the next phase of security events work.

For more information on the security events framework, see the documentation
generated from doc/tex/.  "make asterisk.pdf"

Review: https://reviewboard.asterisk.org/r/273/


git-svn-id: http://svn.digium.com/svn/asterisk/trunk@206021 f38db490-d61c-443f-a65b-d21fe96a405b

1 files changed, 163 insertions, 0 deletions

diff --git a/res/res_security_log.c b/res/res_security_log.c
new file mode 100644
index 000000000..2e3d4af52
--- /dev/null
+++ b/res/res_security_log.c
@@ -0,0 +1,163 @@
+/*
+ * Asterisk -- An open source telephony toolkit.
+ *
+ * Copyright (C) 2009, Digium, Inc.
+ *
+ * Russell Bryant <russell@digium.com>
+ *
+ * See http://www.asterisk.org for more information about
+ * the Asterisk project. Please do not directly contact
+ * any of the maintainers of this project for assistance;
+ * the project provides a web site, mailing lists and IRC
+ * channels for your use.
+ *
+ * This program is free software, distributed under the terms of
+ * the GNU General Public License Version 2. See the LICENSE file
+ * at the top of the source tree.
+ */
+
+/*!
+ * \file
+ *
+ * \author Russell Bryant <russell@digium.com>
+ *
+ * \brief Security Event Logging
+ *
+ * \todo Make informational security events optional
+ * \todo Escape quotes in string payload IE contents
+ */
+
+#include "asterisk.h"
+
+ASTERISK_FILE_VERSION(__FILE__, "$Revision$");
+
+#include "asterisk/module.h"
+#include "asterisk/logger.h"
+#include "asterisk/event.h"
+#include "asterisk/threadstorage.h"
+#include "asterisk/strings.h"
+#include "asterisk/security_events.h"
+
+static const char LOG_SECURITY_NAME[] = "SECURITY";
+
+static int LOG_SECURITY;
+
+static struct ast_event_sub *security_event_sub;
+
+AST_THREADSTORAGE(security_event_buf);
+static const size_t SECURITY_EVENT_BUF_INIT_LEN = 256;
+
+enum ie_required {
+	NOT_REQUIRED,
+	REQUIRED
+};
+
+static int ie_is_present(const struct ast_event *event,
+		const enum ast_event_ie_type ie_type)
+{
+	return (ast_event_get_ie_raw(event, ie_type) != NULL);
+}
+
+static void append_ie(struct ast_str **str, const struct ast_event *event,
+		const enum ast_event_ie_type ie_type, enum ie_required required)
+{
+	if (!required && !ie_is_present(event, ie_type)) {
+		/* Optional IE isn't present.  Ignore. */
+		return;
+	}
+
+	/* At this point, it _better_ be there! */
+	ast_assert(ie_is_present(event, ie_type));
+
+	switch (ast_event_get_ie_pltype(ie_type)) {
+	case AST_EVENT_IE_PLTYPE_UINT:
+		ast_str_append(str, 0, ",%s=\"%u\"",
+				ast_event_get_ie_type_name(ie_type),
+				ast_event_get_ie_uint(event, ie_type));
+		break;
+	case AST_EVENT_IE_PLTYPE_STR:
+		ast_str_append(str, 0, ",%s=\"%s\"",
+				ast_event_get_ie_type_name(ie_type),
+				ast_event_get_ie_str(event, ie_type));
+		break;
+	case AST_EVENT_IE_PLTYPE_BITFLAGS:
+		ast_str_append(str, 0, ",%s=\"%u\"",
+				ast_event_get_ie_type_name(ie_type),
+				ast_event_get_ie_bitflags(event, ie_type));
+		break;
+	case AST_EVENT_IE_PLTYPE_UNKNOWN:
+	case AST_EVENT_IE_PLTYPE_EXISTS:
+	case AST_EVENT_IE_PLTYPE_RAW:
+		ast_log(LOG_WARNING, "Unexpected payload type for IE '%s'\n",
+				ast_event_get_ie_type_name(ie_type));
+		break;
+	}
+}
+
+static void append_ies(struct ast_str **str, const struct ast_event *event,
+		const struct ast_security_event_ie_type *ies, enum ie_required required)
+{
+	unsigned int i;
+
+	for (i = 0; ies[i].ie_type != AST_EVENT_IE_END; i++) {
+		append_ie(str, event, ies[i].ie_type, required);
+	}
+}
+
+static void security_event_cb(const struct ast_event *event, void *data)
+{
+	struct ast_str *str;
+	enum ast_security_event_type event_type;
+
+	if (!(str = ast_str_thread_get(&security_event_buf,
+			SECURITY_EVENT_BUF_INIT_LEN))) {
+		return;
+	}
+
+	/* Note that the event type is guaranteed to be valid here. */
+	event_type = ast_event_get_ie_uint(event, AST_EVENT_IE_SECURITY_EVENT);
+	ast_assert(event_type >= 0 && event_type < AST_SECURITY_EVENT_NUM_TYPES);
+
+	ast_str_set(&str, 0, "%s=\"%s\"",
+			ast_event_get_ie_type_name(AST_EVENT_IE_SECURITY_EVENT),
+			ast_security_event_get_name(event_type));
+
+	append_ies(&str, event,
+			ast_security_event_get_required_ies(event_type), REQUIRED);
+	append_ies(&str, event,
+			ast_security_event_get_optional_ies(event_type), NOT_REQUIRED);
+
+	ast_log_dynamic_level(LOG_SECURITY, "%s\n", ast_str_buffer(str));
+}
+
+static int load_module(void)
+{
+	if ((LOG_SECURITY = ast_logger_register_level(LOG_SECURITY_NAME)) == -1) {
+		return AST_MODULE_LOAD_DECLINE;
+	}
+
+	if (!(security_event_sub = ast_event_subscribe(AST_EVENT_SECURITY,
+			security_event_cb, "Security Event Logger",
+			NULL, AST_EVENT_IE_END))) {
+		ast_logger_unregister_level(LOG_SECURITY_NAME);
+		LOG_SECURITY = -1;
+		return AST_MODULE_LOAD_DECLINE;
+	}
+
+	ast_verb(3, "Security Logging Enabled\n");
+
+	return AST_MODULE_LOAD_SUCCESS;
+}
+
+static int unload_module(void)
+{
+	if (security_event_sub) {
+		security_event_sub = ast_event_unsubscribe(security_event_sub);
+	}
+
+	ast_verb(3, "Security Logging Disabled\n");
+
+	return 0;
+}
+
+AST_MODULE_INFO_STANDARD(ASTERISK_GPL_KEY, "Security Event Logging");