Drive/roundcubemail-plugins-kolab
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Enhance kolab_auth plugin with the ability to perform audit logging.

Browse source 
Setting $rcmail_config['kolab_auth_auditlog'] increases all logging
verbosity to the maximum, and logs the information on the session
to a user + loginas specific directory if capable.
This commit is contained in:
Jeroen van Meeuwen (Kolab Systems) 2011-09-20 12:40:24 +01:00
parent 5e44a620f2
commit a9459ab448
2 changed files with 92 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
plugins/kolab_auth/config.inc.php.dist
View file

@ -19,6 +19,9 @@ $rcmail_config['kolab_auth_email'] = 'email';
$rcmail_config['kolab_auth_admin_login'] = '';
$rcmail_config['kolab_auth_admin_password'] = '';
// Enable audit logging for abuse of administrative privileges.
$rcmail_config['kolab_auth_auditlog'] = true;
// Administrative role field (from fieldmap configuration) which must be filled with
// specified value which adds privilege to login as another user.
$rcmail_config['kolab_auth_role'] = '';

70
plugins/kolab_auth/kolab_auth.php
View file

@ -35,6 +35,8 @@ class kolab_auth extends rcube_plugin
public function init()
{
$rcmail = rcmail::get_instance();
$this->add_hook('authenticate', array($this, 'authenticate'));
$this->add_hook('user_create', array($this, 'user_create'));
@ -43,6 +45,68 @@ class kolab_auth extends rcube_plugin
$this->add_hook('imap_connect', array($this, 'imap_connect'));
$this->add_hook('managesieve_connect', array($this, 'imap_connect'));
$this->add_hook('smtp_connect', array($this, 'smtp_connect'));
$this->add_hook('write_log', array($this, 'write_log'));
if ($rcmail->config->get('kolab_auth_auditlog', false)) {
$rcmail->config->set('debug_level', 1);
$rcmail->config->set('devel_mode', true);
$rcmail->config->set('smtp_log', true);
$rcmail->config->set('log_logins', true);
$rcmail->config->set('log_session', true);
$rcmail->config->set('sql_debug', true);
$rcmail->config->set('memcache_debug', true);
$rcmail->config->set('imap_debug', true);
$rcmail->config->set('ldap_debug', true);
$rcmail->config->set('smtp_debug', true);
}
}
public function write_log($args) {
$rcmail = rcmail::get_instance();
if (!$rcmail->config->get('kolab_auth_auditlog', false)) {
return $args;
}
$args['abort'] = true;
if ($rcmail->config->get('log_driver') == 'syslog') {
$prio = $args['name'] == 'errors' ? LOG_ERR : LOG_INFO;
syslog($prio, $args['line']);
return $args;
} else {
$line = sprintf("[%s]: %s\n", $args['date'], $args['line']);
// log_driver == 'file' is assumed here
$log_dir = $rcmail->config->get('log_dir', INSTALL_PATH . 'logs');
// Append original username + target username
if (!is_dir($log_dir.'/'.strtolower($_SESSION['kolab_auth_admin']).'/'.strtolower($_SESSION['username']))) {
// Attempt to create the directory
if (@mkdir($log_dir.'/'.strtolower($_SESSION['kolab_auth_admin']).'/'.strtolower($_SESSION['username']), 0750, true)) {
$log_dir = $log_dir.'/'.strtolower($_SESSION['kolab_auth_admin']).'/'.strtolower($_SESSION['username']);
}
} else {
$log_dir = $log_dir.'/'.strtolower($_SESSION['kolab_auth_admin']).'/'.strtolower($_SESSION['username']);
}
// try to open specific log file for writing
$logfile = $log_dir.'/'.$args['name'];
if ($fp = fopen($logfile, 'a')) {
fwrite($fp, $line);
fflush($fp);
fclose($fp);
return $args;
}
else
trigger_error("Error writing to log file $logfile; Please check permissions", E_USER_WARNING);
}
return $args;
}
/**
@ -202,6 +266,12 @@ class kolab_auth extends rcube_plugin
if (!empty($origname)) {
write_log('userlogins', sprintf('Admin login for %s by %s from %s',
$args['user'], $origname, rcmail_remote_ip()));
// If available, additionally mark the session to come from the
// original user. Useful for logging sessions of user A pretending
// to be user B.
$_SESSION['kolab_auth_admin'] = strtolower($origname);
}
return $args;