Merge pull request #21 from mumrik58/feature/sudo_and_su

Feature/sudo and su
woblerr · Nov 16, 2024 · 637cb74 · 637cb74
2 parents 66c3c0c + 82f2522
commit 637cb74
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 5 deletions.
diff --git a/README.md b/README.md
@@ -55,6 +55,11 @@ authlog_events_total{cityName="Beijing",countryName="China",countyISOCode="CN",e
 |invalidUser|`Invalid user (?P<user>.*) from (?P<ipAddress>.*) port`|
 |notAllowedUser|`User (?P<user>.*) from (?P<ipAddress>.*) not allowed because`|
 |connectionClosed|`Connection closed by authenticating user (?P<user>.*) (?P<ipAddress>.*) port`|
+|sudoIncorrectPasswordAttempts|`[ ]+(?P<user>.*) : (?P<attempts>\\d+) incorrect password attempts ; TTY=(?P<tty>[^ ]+) ; PWD=(?P<pwd>.+) ; USER=(?P<user_as>.*) ; COMMAND=(?P<command>.*)`|
+|sudoNotInSudoers|`[ ]+(?P<user>.*) : user NOT in sudoers ; TTY=(?P<tty>[^ ]+) ; PWD=(?P<pwd>.+) ; USER=(?P<user_as>.*) ; COMMAND=(?P<command>.*)`|
+|sudoSucceeded|`[ ]+(?P<user>.*) : TTY=(?P<tty>[^ ]+) ; PWD=(?P<pwd>.+) ; USER=(?P<user_as>.*) ; COMMAND=(?P<command>.*)`|
+|suSucceeded|`\\(to (?P<user_as>.*)\\) (?P<user>.*) on (?P<tty>[^ ]+)`|
+|suFailed|`FAILED SU \\(to (?P<user_as>.*)\\) (?P<user>.*) on (?P<tty>[^ ]+)`|
 
 ## Getting Started
 

diff --git a/promexporter/parser.go b/promexporter/parser.go
@@ -12,11 +12,16 @@ import (
 var (
 	authLinePrefix  = "^(?P<date>[A-Z][a-z]{2}\\s+\\d{1,2}) (?P<time>(\\d{2}:?){3}) (?P<host>[a-zA-Z0-9_\\-\\.]+) (?P<ident>[a-zA-Z0-9_\\-]+)(\\[(?P<pid>\\d+)\\])?: "
 	authLineRegexps = map[string]*regexp.Regexp{
-		"authAccepted":     regexp.MustCompile(authLinePrefix + "Accepted (password|publickey) for (?P<user>.*) from (?P<ipAddress>.*) port"),
-		"authFailed":       regexp.MustCompile(authLinePrefix + "Failed (password|publickey) for (invalid user )?(?P<user>.*) from (?P<ipAddress>.*) port"),
-		"invalidUser":      regexp.MustCompile(authLinePrefix + "Invalid user (?P<user>.*) from (?P<ipAddress>.*) port"),
-		"notAllowedUser":   regexp.MustCompile(authLinePrefix + "User (?P<user>.*) from (?P<ipAddress>.*) not allowed because"),
-		"connectionClosed": regexp.MustCompile(authLinePrefix + "Connection closed by authenticating user (?P<user>.*) (?P<ipAddress>.*) port"),
+		"authAccepted":                  regexp.MustCompile(authLinePrefix + "Accepted (password|publickey) for (?P<user>.*) from (?P<ipAddress>.*) port"),
+		"authFailed":                    regexp.MustCompile(authLinePrefix + "Failed (password|publickey) for (invalid user )?(?P<user>.*) from (?P<ipAddress>.*) port"),
+		"invalidUser":                   regexp.MustCompile(authLinePrefix + "Invalid user (?P<user>.*) from (?P<ipAddress>.*) port"),
+		"notAllowedUser":                regexp.MustCompile(authLinePrefix + "User (?P<user>.*) from (?P<ipAddress>.*) not allowed because"),
+		"connectionClosed":              regexp.MustCompile(authLinePrefix + "Connection closed by authenticating user (?P<user>.*) (?P<ipAddress>.*) port"),
+		"sudoIncorrectPasswordAttempts": regexp.MustCompile(authLinePrefix + "[ ]+(?P<user>.*) : (?P<attempts>\\d+) incorrect password attempts ; TTY=(?P<tty>[^ ]+) ; PWD=(?P<pwd>.+) ; USER=(?P<user_as>.*) ; COMMAND=(?P<command>.*)"),
+		"sudoNotInSudoers":              regexp.MustCompile(authLinePrefix + "[ ]+(?P<user>.*) : user NOT in sudoers ; TTY=(?P<tty>[^ ]+) ; PWD=(?P<pwd>.+) ; USER=(?P<user_as>.*) ; COMMAND=(?P<command>.*)"),
+		"sudoSucceeded":                 regexp.MustCompile(authLinePrefix + "[ ]+(?P<user>.*) : TTY=(?P<tty>[^ ]+) ; PWD=(?P<pwd>.+) ; USER=(?P<user_as>.*) ; COMMAND=(?P<command>.*)"),
+		"suSucceeded":                   regexp.MustCompile(authLinePrefix + "\\(to (?P<user_as>.*)\\) (?P<user>.*) on (?P<tty>[^ ]+)"),
+		"suFailed":                      regexp.MustCompile(authLinePrefix + "FAILED SU \\(to (?P<user_as>.*)\\) (?P<user>.*) on (?P<tty>[^ ]+)"),
 	}
 	authVentsMetric = promauto.NewCounterVec(prometheus.CounterOpts{
 		Name: "authlog_events_total",

diff --git a/test_data/auth.log b/test_data/auth.log
@@ -63,3 +63,15 @@ Aug 30 15:11:35 hostname sshd[11944]: pam_unix(sshd:auth): authentication failur
 Aug 30 15:11:36 hostname sshd[11944]: Failed password for invalid user root from 123.123.12.12 port 46680 ssh2
 Apr 30 15:25:05 hostname sshd[11947]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.123.12.123  user=root
 Apr 30 15:25:06 hostname sshd[11947]: Failed password for root from 123.123.12.123 port 35449 ssh2
+Apr 30 15:35:06 hostname sudo: pam_unix(sudo:auth): authentication failure; logname=testuser uid=1000 euid=0 tty=/dev/pts/0 ruser=testuser rhost=  user=testuser
+Apr 30 15:35:33 hostname sudo:  testuser : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/testuser ; USER=root ; COMMAND=/bin/ls
+Apr 30 15:40:33 hostname sudo: testuser : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/testuser ; USER=root ; COMMAND=/bin/ls
+Apr 30 16:47:24 hostname sudo:     root : TTY=pts/0 ; PWD=/home/testuser ; USER=root ; COMMAND=/bin/su
+Apr 30 16:47:24 hostname sudo: pam_unix(sudo:session): session opened for user root by testuser(uid=0)
+Apr 30 16:47:24 hostname su: (to root) testuser on pts/0
+Apr 30 16:47:24 hostname su: pam_unix(su:session): session opened for user root by testuser(uid=0)
+Apr 30 16:52:59 hostname su: pam_unix(su:auth): authentication failure; logname=testuser uid=1000 euid=0 tty=pts/0 ruser=testuser rhost=  user=root
+Apr 30 16:53:02 hostname su: FAILED SU (to root) testuser on pts/0
+Apr 30 17:52:46 hostname sudo:     root : TTY=pts/0 ; PWD=/home/testuser ; USER=root ; COMMAND=/bin/ls
+Apr 30 17:52:46 hostname sudo: pam_unix(sudo:session): session opened for user root by testuser(uid=0)
+Apr 30 17:52:46 hostname sudo: pam_unix(sudo:session): session closed for user root