#!/bin/sh # cerberus-logging – Log-in logging extension for cerberus # # Copyright © 2014, 2015 Mattias Andrée (m@maandree.se) # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . # Login username, client hostname if non-local, ttyname, cerberus-hook and PID username= hostname= ttyname="$(tty <&2 | sed 's:^/dev/::')" hook="${1}" pid=$PPID if test -n "${LOGIN_PID}"; then pid="${LOGIN_PID}" fi # Remove the hookname from $@ shift 1 # Parse the command line, excluding the hookname # This is the arguments cerberus was spawned with hostname_on_next=0 dash=0 for arg in "$@"; do if test -z "${arg}"; then : elif test "${arg::1}" = "-" && test ${dash} = 0; then arg="${arg:1}" while test -n "${arg}"; do c="${arg::1}" arg="${arg:1}" if test "${c}" = h; then # hostname if test -n "${arg}"; then hostname="${arg}" else hostname_on_next=1 fi break elif test "${c}" = f; then # force if test -n "${arg}"; then username="${arg}" fi break elif test "${c}" = '-'; then # username dash=1 break fi done elif test ${hostname_on_next} = 1; then hostname="${arg}" hostname_on_next=0 else username="${arg}" fi done user="${username}" # Execute a program only if it exists try () { if command -v -- "${1}" >/dev/null 2>&1; then "$@" fi } # Call logging programs (those that exist) for a successful login action log_login () { # This is useful if you want to print the last logging. # log-login-lastlog updates the entry in lastlog so it is helpful # to be able to print the log entry before it is updated. This lets # you add a script named .prelogin in your home directory that # contains the following code, to print the last login information: # echo 'Last login:' ; lastlog --user $USER | tail -n 1 script="$(getent passwd | grep "^${user}:" | cut -d : -f 6)/.prelogin" if test -x "${script}"; then su -c "${script}" -- "${user}" fi try log-login-utmp "$@" try log-login-audit "$@" try log-login-lastlog "$@" try log-login-syslog "$@" } # Call logging programs (those that exist) for a logout action log_logout () { : } # Call logging programs (those that exist) for a failed login action log_denied () { try log-login-btmp "$@" try log-login-audit "$@" try log-login-syslog "$@" } # Figure out the actionname action="${hook}" if test "${hook}" = denied; then action=failed fi # Prepend options to values action=--action="${action}" username=--username="${username}" ttyname=--ttyname="${ttyname}" pid=--pid="${pid}" # Call the logging programs if test "${hook}" = login || test "${hook}" = logout || test "${hook}" = denied; then if test -z "${hostname}"; then "log_${hook}" "${action}" "${username}" "${ttyname}" "${pid}" else "log_${hook}" "${action}" "${username}" "${ttyname}" "${pid}" --hostname="${hostname}" fi fi