From a9459ab448d2452319ee4c65944a2a8d7e80d9b7 Mon Sep 17 00:00:00 2001 From: "Jeroen van Meeuwen (Kolab Systems)" Date: Tue, 20 Sep 2011 12:40:24 +0100 Subject: [PATCH] Enhance kolab_auth plugin with the ability to perform audit logging. Setting $rcmail_config['kolab_auth_auditlog'] increases all logging verbosity to the maximum, and logs the information on the session to a user + loginas specific directory if capable. --- plugins/kolab_auth/config.inc.php.dist | 3 + plugins/kolab_auth/kolab_auth.php | 108 ++++++++++++++++++++----- 2 files changed, 92 insertions(+), 19 deletions(-) diff --git a/plugins/kolab_auth/config.inc.php.dist b/plugins/kolab_auth/config.inc.php.dist index b874d258..ffdafa46 100644 --- a/plugins/kolab_auth/config.inc.php.dist +++ b/plugins/kolab_auth/config.inc.php.dist @@ -19,6 +19,9 @@ $rcmail_config['kolab_auth_email'] = 'email'; $rcmail_config['kolab_auth_admin_login'] = ''; $rcmail_config['kolab_auth_admin_password'] = ''; +// Enable audit logging for abuse of administrative privileges. +$rcmail_config['kolab_auth_auditlog'] = true; + // Administrative role field (from fieldmap configuration) which must be filled with // specified value which adds privilege to login as another user. $rcmail_config['kolab_auth_role'] = ''; diff --git a/plugins/kolab_auth/kolab_auth.php b/plugins/kolab_auth/kolab_auth.php index 0b7ba1d0..30fab834 100644 --- a/plugins/kolab_auth/kolab_auth.php +++ b/plugins/kolab_auth/kolab_auth.php @@ -33,32 +33,96 @@ class kolab_auth extends rcube_plugin private $ldap; private $data = array(); - public function init() - { - $this->add_hook('authenticate', array($this, 'authenticate')); - $this->add_hook('user_create', array($this, 'user_create')); + public function init() + { + $rcmail = rcmail::get_instance(); + + $this->add_hook('authenticate', array($this, 'authenticate')); + $this->add_hook('user_create', array($this, 'user_create')); // Hooks related to "Login As" feature - $this->add_hook('template_object_loginform', array($this, 'login_form')); - $this->add_hook('imap_connect', array($this, 'imap_connect')); - $this->add_hook('managesieve_connect', array($this, 'imap_connect')); - $this->add_hook('smtp_connect', array($this, 'smtp_connect')); - } + $this->add_hook('template_object_loginform', array($this, 'login_form')); + $this->add_hook('imap_connect', array($this, 'imap_connect')); + $this->add_hook('managesieve_connect', array($this, 'imap_connect')); + $this->add_hook('smtp_connect', array($this, 'smtp_connect')); + + $this->add_hook('write_log', array($this, 'write_log')); + + if ($rcmail->config->get('kolab_auth_auditlog', false)) { + $rcmail->config->set('debug_level', 1); + $rcmail->config->set('devel_mode', true); + $rcmail->config->set('smtp_log', true); + $rcmail->config->set('log_logins', true); + $rcmail->config->set('log_session', true); + $rcmail->config->set('sql_debug', true); + $rcmail->config->set('memcache_debug', true); + $rcmail->config->set('imap_debug', true); + $rcmail->config->set('ldap_debug', true); + $rcmail->config->set('smtp_debug', true); + + } + + } + + public function write_log($args) { + $rcmail = rcmail::get_instance(); + + if (!$rcmail->config->get('kolab_auth_auditlog', false)) { + return $args; + } + + $args['abort'] = true; + + if ($rcmail->config->get('log_driver') == 'syslog') { + $prio = $args['name'] == 'errors' ? LOG_ERR : LOG_INFO; + syslog($prio, $args['line']); + return $args; + } else { + $line = sprintf("[%s]: %s\n", $args['date'], $args['line']); + + // log_driver == 'file' is assumed here + $log_dir = $rcmail->config->get('log_dir', INSTALL_PATH . 'logs'); + + // Append original username + target username + if (!is_dir($log_dir.'/'.strtolower($_SESSION['kolab_auth_admin']).'/'.strtolower($_SESSION['username']))) { + // Attempt to create the directory + if (@mkdir($log_dir.'/'.strtolower($_SESSION['kolab_auth_admin']).'/'.strtolower($_SESSION['username']), 0750, true)) { + $log_dir = $log_dir.'/'.strtolower($_SESSION['kolab_auth_admin']).'/'.strtolower($_SESSION['username']); + } + } else { + $log_dir = $log_dir.'/'.strtolower($_SESSION['kolab_auth_admin']).'/'.strtolower($_SESSION['username']); + } + + // try to open specific log file for writing + $logfile = $log_dir.'/'.$args['name']; + + if ($fp = fopen($logfile, 'a')) { + fwrite($fp, $line); + fflush($fp); + fclose($fp); + return $args; + } + else + trigger_error("Error writing to log file $logfile; Please check permissions", E_USER_WARNING); + } + + return $args; + } /** * Sets defaults for new user. */ - public function user_create($args) - { - if (!empty($this->data['user_email'])) - $args['user_email'] = $this->data['user_email']; - if (!empty($this->data['user_name'])) - $args['user_name'] = $this->data['user_name']; - if (!empty($this->data['user_alias'])) - $args['user_alias'] = $this->data['user_alias']; + public function user_create($args) + { + if (!empty($this->data['user_email'])) + $args['user_email'] = $this->data['user_email']; + if (!empty($this->data['user_name'])) + $args['user_name'] = $this->data['user_name']; + if (!empty($this->data['user_alias'])) + $args['user_alias'] = $this->data['user_alias']; - return $args; - } + return $args; + } /** * Modifies login form adding additional "Login As" field @@ -202,6 +266,12 @@ class kolab_auth extends rcube_plugin if (!empty($origname)) { write_log('userlogins', sprintf('Admin login for %s by %s from %s', $args['user'], $origname, rcmail_remote_ip())); + + // If available, additionally mark the session to come from the + // original user. Useful for logging sessions of user A pretending + // to be user B. + $_SESSION['kolab_auth_admin'] = strtolower($origname); + } return $args;