package main
/*
#cgo LDFLAGS: -lpam -fPIC
#include <security/pam_appl.h>
#include <stdlib.h>
char *get_user(pam_handle_t *pamh);
char *get_ruser(pam_handle_t *pamh);
char *get_rhost(pam_handle_t *pamh);
char *get_service(pam_handle_t *pam_h);
void initLog() ;
int is_system_user(char *user);
int is_root(char *user);
*/
import "C"
import (
"fmt"
"log/syslog"
"os"
"os/user"
"go.aporeto.io/trireme-lib/common"
"go.aporeto.io/trireme-lib/monitor/remoteapi/client"
)
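// getGroupList resolves the groups of username and returns them as
// "groupname=<name>" tags for the login event's metadata.
//
// Group IDs that cannot be mapped back to a group name are skipped rather
// than failing the lookup, so the result may be shorter than the user's
// group-ID list. An error is returned only when the user itself cannot be
// looked up or its group IDs cannot be listed; the slice is nil in that case.
//
// The original opened a syslog writer here that was never written to; its
// deferred Close() would also nil-dereference (a Go panic inside the PAM host
// process, e.g. sshd) whenever syslog.New failed. It has been removed — this
// helper has nothing to log.
func getGroupList(username string) ([]string, error) {
	userhdl, err := user.Lookup(username)
	if err != nil {
		return nil, err
	}
	gids, err := userhdl.GroupIds()
	if err != nil {
		return nil, err
	}
	groups := make([]string, 0, len(gids))
	for _, gid := range gids {
		grphdl, err := user.LookupGroupId(gid)
		if err != nil {
			// Unresolvable gid (e.g. a stale entry): skip it, keep the rest.
			continue
		}
		groups = append(groups, "groupname="+grphdl.Name)
	}
	return groups, nil
}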
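// pam_sm_open_session is the PAM session-open entry point
// (pam_sm_open_session(3)).
//
// It builds a "start" EventInfo for the user logging in — tags "user=<name>",
// one "groupname=<g>" per resolvable group, and "SessionType=<pam service>"
// (or "SessionType=login" when the service item is unset) — and sends it to
// the Trireme policy server over common.TriremeSocket. Sessions the C helper
// is_root() reports as root are not reported at all.
//
// Return values:
//   - PAM_SUCCESS     event delivered, user is root, or the policy socket could
//                     not be opened (fail-open, see the comment below);
//   - PAM_SESSION_ERR no PAM user item, or the server rejected / could not
//                     take the request.
//
// flags, argc and argv are unused. They are typed C.int / **C.char so the
// exported symbol's ABI matches libpam's prototype
// int (*)(pam_handle_t*, int, int, const char**); a Go int would be exported
// as a 64-bit GoInt.
//
// nolint
//export pam_sm_open_session
func pam_sm_open_session(pamh *C.pam_handle_t, flags, argc C.int, argv **C.char) C.int {
	C.initLog()

	// Ownership of these C strings is not visible here (presumably PAM-owned
	// items that must not be freed) — TODO confirm against the C helpers.
	cuser := C.get_user(pamh)
	service := C.get_service(pamh)

	// syslog may be unavailable (no /dev/log in a container, chroot, ...).
	// syslog.New then returns a nil *Writer, and calling methods on it panics —
	// inside sshd/login that takes the host process down. Log best-effort only.
	slog, _ := syslog.New(syslog.LOG_ALERT|syslog.LOG_AUTH, "mypam")
	if slog != nil {
		defer func() {
			_ = slog.Close()
		}()
	}
	alert := func(msg string) {
		if slog != nil {
			_ = slog.Alert(msg)
		}
	}

	if cuser == nil {
		// PAM_USER is normally set before open_session runs. Without it there
		// is no principal to report, and is_root(NULL) is undefined from here.
		alert("pam_sm_open_session: no PAM user item, refusing session")
		return C.PAM_SESSION_ERR
	}
	username := C.GoString(cuser)

	if C.is_root(cuser) == 1 {
		// Root sessions are deliberately left unreported (original behaviour).
		return C.PAM_SUCCESS
	}

	tags := []string{"user=" + username}
	if groups, err := getGroupList(username); err == nil {
		// Groups are optional metadata; a failed lookup still reports the login.
		tags = append(tags, groups...)
	}
	if service != nil {
		tags = append(tags, "SessionType="+C.GoString(service))
	} else {
		tags = append(tags, "SessionType=login")
	}

	request := &common.EventInfo{
		PUType:    common.UIDLoginPU,
		PUID:      username,
		Name:      "login-" + username,
		PID:       int32(os.Getpid()),
		Tags:      tags,
		EventType: "start",
	}

	policy, err := client.NewClient(common.TriremeSocket)
	if err != nil {
		// Fail-open, as in the original: if the policy socket cannot be opened
		// the login proceeds unreported (presumably to avoid locking everyone
		// out while the agent is down). Unlike the original this is now
		// logged, so the enforcement gap is at least visible.
		alert(fmt.Sprintf("Policy Server unavailable, session allowed unreported: %s", err))
		return C.PAM_SUCCESS
	}
	alert("Calling Trireme")
	if err := policy.SendRequest(request); err != nil {
		// Fail-closed: the server was reachable but did not accept the event.
		alert(fmt.Sprintf("Policy Server call failed %s", err))
		return C.PAM_SESSION_ERR
	}
	return C.PAM_SUCCESS
}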
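// pam_sm_close_session is the PAM session-close entry point
// (pam_sm_close_session(3)). It only records that it was called — no "stop"
// event is sent to the policy server here — and always returns PAM_SUCCESS
// so that session teardown is never blocked by this module.
//
// flags, argc and argv are unused; they are typed C.int / **C.char so the
// exported symbol's ABI matches libpam's int/int/const char** prototype
// rather than cgo's 64-bit GoInt.
//
// nolint
//export pam_sm_close_session
func pam_sm_close_session(pamh *C.pam_handle_t, flags, argc C.int, argv **C.char) C.int {
	// syslog.New fails where no syslog socket exists; the original then called
	// Alert/Close on the resulting nil *Writer, which panics and would take the
	// PAM host process (sshd, login, ...) down. Logging is best-effort only.
	slog, err := syslog.New(syslog.LOG_ALERT|syslog.LOG_AUTH, "mypam")
	if err != nil {
		return C.PAM_SUCCESS
	}
	_ = slog.Alert("pam_sm_close_session")
	_ = slog.Close()
	return C.PAM_SUCCESS
}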
// main is never executed: this package is built as a shared object (presumably
// -buildmode=c-shared, given the -fPIC LDFLAGS and the //export directives)
// and libpam enters through the exported pam_sm_* symbols. Go still requires
// a main function in package main.
func main() {
}