#!/bin/sh # cerberus-logging – Log-in logging extension for cerberus # # Copyright © 2014, 2015 Mattias Andrée (maandree@member.fsf.org) # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . # Login username, client hostname if non-local, ttyname, cerberus-hook and PID username= hostname= ttyname="$(tty <&2 | cut -d / -f 1,2 --complement)" hook="${1}" pid=$PPID if [ ! "${LOGIN_PID}" = "" ]; then pid="${LOGIN_PID}" fi # Remove the hookname from $@ shift 1 # Parse the command line, excluding the hookname # This is the arguments cerberus was spawned with hostname_on_next=0 dash=0 for arg in "$@"; do if [ "${arg}" = "" ]; then true elif [ "${arg::1}" = "-" ] && [ ${dash} = 0 ]; then arg="${arg:1}" while [ ! "${arg}" = "" ]; do c="${arg::1}" arg="${arg:1}" if [ "${c}" = "h" ]; then # hostname if [ ! "${arg}" = "" ]; then hostname="${arg}" else hostname_on_next=1 fi break elif [ "${c}" = "f" ]; then # force if [ ! "${arg}" = "" ]; then username="${arg}" fi break elif [ "${c}" = "-" ]; then # username dash=1 break fi done elif [ ${hostname_on_next} = 1 ]; then hostname="${arg}" hostname_on_next=0 else username="${arg}" fi done user="${username}" # Execute a program only if it exists try () { if hash "${1}" 2>/dev/null; then "$@" fi } # Call logging programs (those that exists) for a successful login action log_login () { # This is useful if you want to print the last logging. # log-login-lastlog updates the entry in lastlog so it is helpful # to be able to print the log entry before the is updated. Its lets # you add a script named .prelogin in your home directory that # contains the following code, to print the last login information: # echo 'Last login:' ; lastlog --user $USER | tail -n 1 script="$(getent passwd | grep "^${user}:" | cut -d : -f 6)/.prelogin" if [ -x "${script}" ]; then su -c "${script}" -- "${user}" fi try log-login-utmp "$@" try log-login-audit "$@" try log-login-lastlog "$@" try log-login-syslog "$@" } # Call logging programs (those that exists) for a logout action log_logout () { true } # Call logging programs (those that exists) for a failed login action log_denied () { try log-login-btmp "$@" try log-login-audit "$@" try log-login-syslog "$@" } # Figure out the actionname action="${hook}" if [ "${hook}" = denied ]; then action=failed fi # Preprend options to values action=--action="${action}" username=--username="${username}" ttyname=--ttyname="${ttyname}" pid=--pid="${pid}" # Call the logging programs if [ "${hook}" = login ] || [ "${hook}" = logout ] || [ "${hook}" = denied ]; then if [ "${hostname}" = "" ]; then "log_${hook}" "${action}" "${username}" "${ttyname}" "${pid}" else "log_${hook}" "${action}" "${username}" "${ttyname}" "${pid}" --hostname="${hostname}" fi fi