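package main

/*
#cgo LDFLAGS: -lpam -fPIC
#include <security/pam_appl.h>
#include <stdlib.h>
char *get_user(pam_handle_t *pamh);
char *get_ruser(pam_handle_t *pamh);
char *get_rhost(pam_handle_t *pamh);
char *get_service(pam_handle_t *pam_h);
void initLog() ;
int is_system_user(char *user);
int is_root(char *user);
*/
import "C"
import (
	"fmt"
	"log/syslog"
	"os"
	"os/user"

	"go.aporeto.io/trireme-lib/common"
	"go.aporeto.io/trireme-lib/monitor/remoteapi/client"
)

// syslogTag is the identifier under which this module logs to syslog.
const syslogTag = "mypam"

// newLogger opens a syslog writer for the module and returns nil when the
// syslog daemon cannot be reached. Callers must go through logAlert and
// closeLogger so that an unavailable syslog never becomes a nil-pointer panic
// inside the host process that loaded this module (login, sshd, su, ...).
func newLogger() *syslog.Writer {
	w, err := syslog.New(syslog.LOG_ALERT|syslog.LOG_AUTH, syslogTag)
	if err != nil {
		return nil
	}
	return w
}

// logAlert writes msg at alert priority when w is non-nil and drops it
// otherwise. Logging is best-effort; a write failure is deliberately ignored.
func logAlert(w *syslog.Writer, msg string) {
	if w == nil {
		return
	}
	_ = w.Alert(msg)
}

// closeLogger closes w when it is non-nil.
func closeLogger(w *syslog.Writer) {
	if w != nil {
		_ = w.Close()
	}
}

// getGroupList resolves username to its group names and returns them as
// "groupname=<name>" tags.
//
// A username that cannot be looked up, or whose group ids cannot be listed,
// yields the lookup error. A single gid that cannot be resolved to a name
// (e.g. a stale entry) is skipped and the remaining groups are still returned.
func getGroupList(username string) ([]string, error) {
	u, err := user.Lookup(username)
	if err != nil {
		return nil, err
	}
	gids, err := u.GroupIds()
	if err != nil {
		return nil, err
	}
	groups := make([]string, 0, len(gids))
	for _, gid := range gids {
		g, err := user.LookupGroupId(gid)
		if err != nil {
			// Not fatal: report the groups that do resolve.
			continue
		}
		groups = append(groups, "groupname="+g.Name)
	}
	return groups, nil
}

// pam_sm_open_session is the PAM session-open hook. It builds a UID-login
// event (user, groups, session type) and sends it to the Trireme policy
// server over common.TriremeSocket.
//
// Return semantics:
//   - root sessions (C.is_root) are never reported and always succeed;
//   - if the Trireme client cannot be created the session is still allowed
//     (fail-open) and only syslog records it;
//   - if the policy server is reachable but the request fails, the session
//     is denied with PAM_SESSION_ERR (fail-closed).
//
// NOTE(review): flags and argc are declared as Go int (64-bit) while libpam
// passes C int; they are unused here so the width mismatch has no effect, but
// C.int would match the PAM prototype — confirm before relying on them.
//
// NOTE(review): an unset PAM user yields an empty username and the PUID
// "" / Name "login-"; whether the policy server rejects that is not visible
// from this file.
//
// nolint
//export pam_sm_open_session
func pam_sm_open_session(pamh *C.pam_handle_t, flags, argc int, argv **C.char) C.int {
	C.initLog()

	// NOTE(review): the pointers returned by get_user/get_service are not
	// freed here; whether libpam owns them or the C helpers allocate them is
	// not visible from this file — confirm before adding C.free.
	cuser := C.get_user(pamh)
	service := C.get_service(pamh)
	username := C.GoString(cuser) // C.GoString maps a NULL pointer to ""

	tags := []string{"user=" + username}
	if groups, err := getGroupList(username); err == nil {
		tags = append(tags, groups...)
	}

	if service != nil {
		tags = append(tags, "SessionType="+C.GoString(service))
	} else {
		tags = append(tags, "SessionType=login")
	}

	request := &common.EventInfo{
		PUType:    common.UIDLoginPU,
		PUID:      username,
		Name:      "login-" + username,
		PID:       int32(os.Getpid()),
		Tags:      tags,
		EventType: "start",
	}

	// Root logins are local shell accounts and are not reported.
	if C.is_root(cuser) == 1 {
		return C.PAM_SUCCESS
	}

	logger := newLogger()
	defer closeLogger(logger)

	// rc rather than client: the original name shadowed the imported package.
	rc, err := client.NewClient(common.TriremeSocket)
	if err != nil {
		// Fail-open: the policy server is unreachable, the session proceeds.
		logAlert(logger, fmt.Sprintf("Trireme client unavailable, allowing session: %s", err))
		return C.PAM_SUCCESS
	}

	logAlert(logger, "Calling Trireme")
	if err := rc.SendRequest(request); err != nil {
		// Fail-closed: the server was reached but did not accept the event.
		logAlert(logger, fmt.Sprintf("Policy Server call failed %s", err))
		return C.PAM_SESSION_ERR
	}
	return C.PAM_SUCCESS
}

// pam_sm_close_session is the PAM session-close hook. It only records the
// event to syslog and always returns PAM_SUCCESS.
//
// NOTE(review): no "stop" event is sent to the policy server here, so the
// login PU created in pam_sm_open_session is presumably retired by the server
// itself — confirm.
//
// nolint
//export pam_sm_close_session
func pam_sm_close_session(pamh *C.pam_handle_t, flags, argc int, argv **C.char) C.int {
	logger := newLogger()
	defer closeLogger(logger)
	logAlert(logger, "pam_sm_close_session")
	return C.PAM_SUCCESS
}

// main is never executed: the exported pam_sm_* hooks are the entry points.
// The empty main satisfies the requirement that a package built as a shared
// object for PAM (presumably -buildmode=c-shared; the build command is not in
// this file) is package main.
func main() {
}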