Annotate

mod_audit_auth/mod_audit_auth.lua @ 5941:5c4e102e2563 default tip

mod_pubsub_serverinfo: fix bool logic when reading config
author Guus der Kinderen <guus.der.kinderen@gmail.com>
date Mon, 03 Jun 2024 12:52:26 +0200
parent 5930:cc30c4b5f006
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
5930
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5803
diff changeset
1 local cache = require "util.cache";
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5803
diff changeset
2 local jid = require "util.jid";
5772
238c4ac8b735 mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents: 5771
diff changeset
3 local st = require "util.stanza";
5735
b357ff3d0c8a mod_audit_auth: Include hostpart with audit events
Kim Alvefur <zash@zash.se>
parents: 4933
diff changeset
4
4932
530d116b7f68 mod_audit*: modules for audit logging in prosody
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
5 module:depends("audit");
4933
08dea42a302a mod_audit*: fix luacheck warnings
Jonas Schäfer <jonas@wielicki.name>
parents: 4932
diff changeset
6 -- luacheck: read globals module.audit
4932
530d116b7f68 mod_audit*: modules for audit logging in prosody
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
7
5771
dfbced5e54b9 mod_audit_auth: Ignore FAST authentication events by default
Matthew Wild <mwild1@gmail.com>
parents: 5735
diff changeset
8 local only_passwords = module:get_option_boolean("audit_auth_passwords_only", true);
5930
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5803
diff changeset
9 local cache_size = module:get_option_number("audit_auth_cache_size", 128);
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5803
diff changeset
10 local repeat_failure_timeout = module:get_option_number("audit_auth_repeat_failure_timeout");
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5803
diff changeset
11 local repeat_success_timeout = module:get_option_number("audit_auth_repeat_success_timeout");
5771
dfbced5e54b9 mod_audit_auth: Ignore FAST authentication events by default
Matthew Wild <mwild1@gmail.com>
parents: 5735
diff changeset
12
5930
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5803
diff changeset
13 local failure_cache = cache.new(cache_size);
4932
530d116b7f68 mod_audit*: modules for audit logging in prosody
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
14 module:hook("authentication-failure", function(event)
530d116b7f68 mod_audit*: modules for audit logging in prosody
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
15 local session = event.session;
5930
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5803
diff changeset
16
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5803
diff changeset
17 local username = session.sasl_handler.username;
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5803
diff changeset
18 if repeat_failure_timeout then
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5803
diff changeset
19 local cache_key = ("%s\0%s"):format(username, session.ip);
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5803
diff changeset
20 local last_failure = failure_cache:get(cache_key);
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5803
diff changeset
21 local now = os.time();
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5803
diff changeset
22 if last_failure and (now - last_failure) > repeat_failure_timeout then
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5803
diff changeset
23 return;
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5803
diff changeset
24 end
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5803
diff changeset
25 failure_cache:set(cache_key, now);
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5803
diff changeset
26 end
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5803
diff changeset
27
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5803
diff changeset
28 module:audit(jid.join(username, module.host), "authentication-failure", {
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5803
diff changeset
29 session = session;
4932
530d116b7f68 mod_audit*: modules for audit logging in prosody
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
30 });
530d116b7f68 mod_audit*: modules for audit logging in prosody
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
31 end)
530d116b7f68 mod_audit*: modules for audit logging in prosody
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
32
5930
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5803
diff changeset
33 local success_cache = cache.new(cache_size);
4932
530d116b7f68 mod_audit*: modules for audit logging in prosody
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
34 module:hook("authentication-success", function(event)
530d116b7f68 mod_audit*: modules for audit logging in prosody
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
35 local session = event.session;
5771
dfbced5e54b9 mod_audit_auth: Ignore FAST authentication events by default
Matthew Wild <mwild1@gmail.com>
parents: 5735
diff changeset
36 if only_passwords and session.sasl_handler.fast then
dfbced5e54b9 mod_audit_auth: Ignore FAST authentication events by default
Matthew Wild <mwild1@gmail.com>
parents: 5735
diff changeset
37 return;
dfbced5e54b9 mod_audit_auth: Ignore FAST authentication events by default
Matthew Wild <mwild1@gmail.com>
parents: 5735
diff changeset
38 end
5930
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5803
diff changeset
39
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5803
diff changeset
40 local username = session.sasl_handler.username;
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5803
diff changeset
41 if repeat_success_timeout then
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5803
diff changeset
42 local cache_key = ("%s\0%s"):format(username, session.ip);
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5803
diff changeset
43 local last_success = success_cache:get(cache_key);
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5803
diff changeset
44 local now = os.time();
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5803
diff changeset
45 if last_success and (now - last_success) > repeat_success_timeout then
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5803
diff changeset
46 return;
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5803
diff changeset
47 end
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5803
diff changeset
48 success_cache:set(cache_key, now);
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5803
diff changeset
49 end
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5803
diff changeset
50
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5803
diff changeset
51 module:audit(jid.join(username, module.host), "authentication-success", {
cc30c4b5f006 mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents: 5803
diff changeset
52 session = session;
4932
530d116b7f68 mod_audit*: modules for audit logging in prosody
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
53 });
530d116b7f68 mod_audit*: modules for audit logging in prosody
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
54 end)
5772
238c4ac8b735 mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents: 5771
diff changeset
55
238c4ac8b735 mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents: 5771
diff changeset
56 module:hook("client_management/new-client", function (event)
238c4ac8b735 mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents: 5771
diff changeset
57 local session, client = event.session, event.client;
238c4ac8b735 mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents: 5771
diff changeset
58
238c4ac8b735 mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents: 5771
diff changeset
59 local client_info = st.stanza("client", { id = client.id });
5803
f199bff16f1f mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents: 5772
diff changeset
60
5772
238c4ac8b735 mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents: 5771
diff changeset
61 if client.user_agent then
5803
f199bff16f1f mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents: 5772
diff changeset
62 local user_agent = st.stanza("user-agent", { xmlns = "urn:xmpp:sasl:2" })
f199bff16f1f mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents: 5772
diff changeset
63 if client.user_agent.software then
f199bff16f1f mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents: 5772
diff changeset
64 user_agent:text_tag("software", client.user_agent.software, { id = client.user_agent.software_id; version = client.user_agent.software_version });
f199bff16f1f mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents: 5772
diff changeset
65 end
f199bff16f1f mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents: 5772
diff changeset
66 if client.user_agent.device then
f199bff16f1f mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents: 5772
diff changeset
67 user_agent:text_tag("device", client.user_agent.device);
f199bff16f1f mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents: 5772
diff changeset
68 end
f199bff16f1f mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents: 5772
diff changeset
69 if client.user_agent.uri then
f199bff16f1f mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents: 5772
diff changeset
70 user_agent:text_tag("uri", client.user_agent.uri);
f199bff16f1f mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents: 5772
diff changeset
71 end
f199bff16f1f mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents: 5772
diff changeset
72 client_info:add_child(user_agent);
5772
238c4ac8b735 mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents: 5771
diff changeset
73 end
5803
f199bff16f1f mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents: 5772
diff changeset
74
5772
238c4ac8b735 mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents: 5771
diff changeset
75 if client.legacy then
238c4ac8b735 mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents: 5771
diff changeset
76 client_info:text_tag("legacy");
238c4ac8b735 mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents: 5771
diff changeset
77 end
238c4ac8b735 mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents: 5771
diff changeset
78
238c4ac8b735 mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents: 5771
diff changeset
79 module:audit(jid.join(session.username, module.host), "new-client", {
238c4ac8b735 mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents: 5771
diff changeset
80 session = session;
238c4ac8b735 mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents: 5771
diff changeset
81 custom = {
238c4ac8b735 mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents: 5771
diff changeset
82 };
238c4ac8b735 mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents: 5771
diff changeset
83 });
238c4ac8b735 mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents: 5771
diff changeset
84 end);