You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
182 lines
5.3 KiB
182 lines
5.3 KiB
'''
|
|
This is only a sample authentication script, and is NOT SUPPORTED by Splunk.
|
|
|
|
For the most basic example of how to use scripted auth, please see dumbScripted.py
|
|
This script serves as an example of how to interact between splunkd and PAM.
|
|
|
|
Splunk will call this script to obtain several pieces of information.
|
|
The information returned should be passed after "--status=success" over stdout.
|
|
You must return --status==success for any successful call, otherwise Splunk
|
|
assumes the call failed.
|
|
|
|
Function breakdown
|
|
Required:
|
|
userLogin : will be called on userLogin into splunk.
|
|
getUserInfo : Get information about a particular user. ( username, realname, roles )
|
|
getUsers : Get a list of all users available.
|
|
|
|
Optional Calls :
|
|
getSearchFilter : return a search filter for a given user. Called when the user searches.
|
|
|
|
|
|
N.B.
|
|
This script is not fully feature complete. It places all users at the admin level.
|
|
If you wish to place users at different Role level you will have to modify the script
|
|
to return the right role on depending on the user.
|
|
'''
|
|
|
|
# commonAuthBase contains constants and a basic mapping framework for users.
|
|
# plus any common imports to all scripts.
|
|
from commonAuth import *
|
|
from userMapping import *
|
|
import os
|
|
|
|
|
|
isMac = 0
|
|
|
|
'''
|
|
This function will be called when a user enters their credentials in the login page in UI.
|
|
Input:
|
|
--username=<user> --password=<pass>
|
|
Output:
|
|
On Success:
|
|
--status=success
|
|
On Failure:
|
|
Anything but --status=success
|
|
'''
|
|
def userLogin( infoIn ):
|
|
command = []
|
|
if isMac:
|
|
command = ['dirt', '-u', str(infoIn['username']), '-p', str(infoIn['password'])]
|
|
else:
|
|
command = ['/path/to/pamauth', str(infoIn['username'])]
|
|
|
|
# our check with pam is done with a setuid program called pamauth
|
|
proc = subprocess.Popen( command,
|
|
stdin=subprocess.PIPE,
|
|
stdout=subprocess.PIPE
|
|
)
|
|
|
|
output = proc.communicate( infoIn['password'] )
|
|
|
|
retCode = proc.wait()
|
|
|
|
if retCode != 0:
|
|
print(FAILED)
|
|
return
|
|
|
|
if isMac:
|
|
if output[0].find('Call to checkpw(): Success') != -1:
|
|
print(SUCCESS)
|
|
else:
|
|
print(FAILED)
|
|
return
|
|
|
|
# Not mac and we got a good return code: success
|
|
print(SUCCESS)
|
|
|
|
|
|
'''
|
|
This function prints out the details of the userId supplied.
|
|
Input :
|
|
--username=<user>
|
|
Output:
|
|
--status=success --userInfo=<userId>;<username>;<realname>;<role>:<role>:<role> Note roles delimited by :
|
|
'''
|
|
def getUserInfo( infoIn ):
|
|
roleList = getUsersRole( infoIn['username'] )
|
|
|
|
outStr = SUCCESS + " --userInfo=" + infoIn["username"] + ";" + infoIn["username"] + ";" + infoIn["username"] + ";"
|
|
for roleItem in roleList:
|
|
outStr = outStr + roleItem + ":"
|
|
|
|
print(outStr)
|
|
|
|
|
|
|
|
|
|
'''
|
|
This function gets all the users in the system that scripted auth will work for.
|
|
Input :
|
|
N/A
|
|
Output :
|
|
--status=success --userInfo=<userId>;<username>;<realname>;<role>:<role>:<role> --userInfo=<userId>;<username>;<realname>;<role>:<role>:<role> ...
|
|
'''
|
|
def getUsers( infoIn ):
|
|
# just going to use /etc/passwd here but you may use any method you wish.
|
|
FILE = open("/etc/passwd" ,"r")
|
|
fileLines = FILE.readlines()
|
|
|
|
outStr = SUCCESS
|
|
|
|
if isMac:
|
|
for line in fileLines:
|
|
userBits = line.split( ":" )
|
|
if len( userBits ) < 4:
|
|
continue
|
|
realname = userBits[4]
|
|
if realname == "" :
|
|
realname = userBits[0]
|
|
|
|
username = userBits[0]
|
|
if not username.startswith( '_' ):
|
|
outStr = outStr + " --userInfo=" + str(userBits[2]) + ';' + str(userBits[0]) + ";" + str(realname) + ";"
|
|
roleList = getUsersRole( userBits[0] )
|
|
for roleItem in roleList:
|
|
outStr = outStr + roleItem + ":"
|
|
|
|
else:
|
|
for line in fileLines:
|
|
userBits = line.split( ":" )
|
|
if userBits[6].find( '/bin/bash' ) != -1:
|
|
realname = userBits[4]
|
|
if realname == "" :
|
|
realname = userBits[0]
|
|
# userId username realName
|
|
outStr = outStr + " --userInfo=" + str(userBits[2]) + ';' + str(userBits[0]) + ";" + str(realname) + ";"
|
|
|
|
roleList = getUsersRole( userBits[0] )
|
|
for roleItem in roleList:
|
|
outStr = outStr + roleItem + ":"
|
|
|
|
|
|
print(outStr)
|
|
|
|
|
|
|
|
'''
|
|
Gets the search filter for a given user.
|
|
You must have the flag scriptSearchFilters set to 1 on the config for this function to be used.
|
|
Input :
|
|
--username=<username>
|
|
Output:
|
|
--search_filter=<filter>
|
|
|
|
'''
|
|
def getSearchFilter( infoIn ):
|
|
filters = getUsersFilters( infoIn['username'])
|
|
outStr = SUCCESS
|
|
|
|
for i in filters:
|
|
outStr = outStr + " --search_filter=" + str(i)
|
|
|
|
print(outStr)
|
|
|
|
|
|
|
|
if __name__ == "__main__":
|
|
callName = sys.argv[1]
|
|
dictIn = readInputs()
|
|
|
|
returnDict = {}
|
|
if callName == "userLogin":
|
|
userLogin( dictIn )
|
|
elif callName == "getUsers":
|
|
getUsers( dictIn )
|
|
elif callName == "getUserInfo":
|
|
getUserInfo( dictIn )
|
|
elif callName == "getSearchFilter":
|
|
getSearchFilter( dictIn )
|
|
else:
|
|
print("ERROR unknown function call: " + callName)
|