enh: move unexpected-sudo messages from security to code-warning type

Stéphane Lesimple 2021-02-15 11:36:31 +00:00 committed by Stéphane Lesimple
parent e760cf6142
commit 488ec6382e


@ -787,11 +787,7 @@ sub is_admin { ## no critic(Subroutines::RequireArgUnpacking)
# only legit case is if we have osh.pl under sudo because of an admin (adminSudo / ssh-as), check this
if (not OVH::Bastion::is_admin(account => $ENV{'SUDO_USER'}, sudo => 1)) {
OVH::Bastion::syslogFormatted(
criticity => 'info',
type => 'security',
fields => [['type', 'unexpected-sudo'], ['account', $params{'account'}], ['plugin', 'is_admin'], ['params', join(" ", @_)],]
);
warn_syslog("is_admin(): wasn't expected to be called under sudo, but was, with user " . $ENV{'SUDO_USER'} . " from account ".$params{'account'});
return R('ERR_SECURITY_VIOLATION', msg => "Wasn't expected to be called under sudo, but was, with user " . $ENV{'SUDO_USER'});
}
}
@ -821,11 +817,7 @@ sub is_super_owner { ## no critic(Subroutines::RequireArgUnpacking)
# only legit case is if we have osh.pl under sudo because of an admin (adminSudo / ssh-as), check this
if (not OVH::Bastion::is_admin(account => $ENV{'SUDO_USER'}, sudo => 1)) {
OVH::Bastion::syslogFormatted(
criticity => 'info',
type => 'security',
fields => [['type', 'unexpected-sudo'], ['account', $params{'account'}], ['plugin', 'is_super_owner'], ['params', join(" ", @_)],]
);
warn_syslog("is_super_owner(): wasn't expected to be called under sudo, but was, with user " . $ENV{'SUDO_USER'} . " from account ".$params{'account'});
return R('ERR_SECURITY_VIOLATION', msg => "Wasn't expected to be called under sudo, but was, with user " . $ENV{'SUDO_USER'});
}
}
@ -856,11 +848,7 @@ sub is_auditor { ## no critic(Subroutines::RequireArgUnpacking)
# only legit case is if we have osh.pl under sudo because of an admin (adminSudo / ssh-as), check this
if (not OVH::Bastion::is_admin(account => $ENV{'SUDO_USER'}, sudo => 1)) {
OVH::Bastion::syslogFormatted(
criticity => 'info',
type => 'security',
fields => [['type', 'unexpected-sudo'], ['account', $params{'account'}], ['plugin', 'is_auditor'], ['params', join(" ", @_)],]
);
warn_syslog("is_auditor(): wasn't expected to be called under sudo, but was, with user " . $ENV{'SUDO_USER'} . " from account ".$params{'account'});
return R('ERR_SECURITY_VIOLATION', msg => "Wasn't expected to be called under sudo, but was, with user " . $ENV{'SUDO_USER'});
}
}
@ -889,11 +877,7 @@ sub _has_group_role { ## no critic(Subroutines::RequireArgUnpacking)
# only legit case is if we have osh.pl under sudo because of an admin (adminSudo / ssh-as), check this
if (not OVH::Bastion::is_admin(account => $ENV{'SUDO_USER'}, sudo => 1)) {
OVH::Bastion::syslogFormatted(
criticity => 'info',
type => 'security',
fields => [['type', 'unexpected-sudo'], ['account', $params{'account'}], ['plugin', '_has_group_role'], ['params', join(" ", @_)],]
);
warn_syslog("_has_group_role(): wasn't expected to be called under sudo, but was, with user " . $ENV{'SUDO_USER'} . " from account ".$params{'account'});
return R('ERR_SECURITY_VIOLATION', msg => "Wasn't expected to be called under sudo, but was, with user " . $ENV{'SUDO_USER'});
}
}
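Review bot: The `warn_syslog(...)` line in the is_admin hunk concatenates `$ENV{'SUDO_USER'}` and `$params{'account'}` directly into the log message, and the same line recurs in the is_super_owner, is_auditor and _has_group_role hunks. If `$params{'account'}` is undefined or either value carries control characters, the entry becomes noisy or misleading; whether the account is validated earlier is not visible, since each sub's body starts outside its hunk. A defensive form would be `" from account " . ($params{'account'} // '<undef>')`. Judging by the commit title, this line stands in for the structured `syslogFormatted` call, so the `plugin` and `params` fields are no longer recorded while the branch still returns `ERR_SECURITY_VIOLATION`. Any alerting keyed on `type => 'security'` with `unexpected-sudo` would have to follow the move, and a one-line comment above the call, such as `# caller bug rather than an attack signal, hence code-warning`, would record why.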