From ff3ac6663a9755442ed9acca5cc02fb007f37ff6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gustavo=20I=C3=B1iguez=20Goia?=
Date: Thu, 9 Jan 2025 17:15:28 +0100
Subject: [PATCH] allow to filter connections by username

Added new rule operand 'user.name' to filter connections by username. More info #1236
---
 daemon/rule/operator.go | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/daemon/rule/operator.go b/daemon/rule/operator.go
index 4d539988..3ec8f2e7 100644
--- a/daemon/rule/operator.go
+++ b/daemon/rule/operator.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"net"
 	"os"
+	"os/user"
 	"reflect"
 	"regexp"
 	"strconv"
@@ -47,6 +48,7 @@ const (
 	OpProcessHashMD5 = Operand("process.hash.md5")
 	OpProcessHashSHA1 = Operand("process.hash.sha1")
 	OpUserID = Operand("user.id")
+	OpUserName = Operand("user.name")
 	OpSrcIP = Operand("source.ip")
 	OpSrcPort = Operand("source.port")
 	OpDstIP = Operand("dest.ip")
@@ -209,6 +211,15 @@ func (o *Operator) Compile() error {
 			o.cb = o.cmpNetwork
 		}
 	}
+	if o.Operand == OpUserName && o.Type == Simple {
+		// TODO: allow regexps, take into account users from containers.
+		u, err := user.Lookup(o.Data)
+		if err != nil {
+			return fmt.Errorf("user.name Operand error: %s", err)
+		}
+		o.cb = o.simpleCmp
+		o.Data = u.Uid
+	}
 	if o.Operand == OpDomainsLists {
 		if o.Data == "" {
 			return fmt.Errorf("Operand lists is empty, nothing to load: %s", o)
@@ -382,7 +393,7 @@ func (o *Operator) Match(con *conman.Connection, hasChecksums bool) bool {
 		return o.cb(con.DstHost)
 	} else if o.Operand == OpIPLists {
 		return o.cb(con.DstIP.String())
-	} else if o.Operand == OpUserID {
+	} else if o.Operand == OpUserID || o.Operand == OpUserName {
 		return o.cb(strconv.Itoa(con.Entry.UserId))
 	} else if o.Operand == OpDstNetwork {
 		return o.cb(con.DstIP)
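Review bot: A `user.name` operator whose Type is not Simple skips this new block without an error and still reaches the Match hunk, where the callback is handed `strconv.Itoa(con.Entry.UserId)` — a regexp or list written against user names is then compared with a UID string and silently never matches as intended, so the rule is accepted but ineffective. Either reject the other types in Compile, e.g. `if o.Operand == OpUserName && o.Type != Simple { return fmt.Errorf("user.name Operand only supports simple type: %s", o) }`, or resolve the name for every Type. Overwriting `o.Data` with `u.Uid` also makes Compile non-idempotent: if it can run a second time on the same Operator, `user.Lookup` is then called with the UID string and fails as an unknown user, and if the struct is ever marshalled back to disk the rule persists the UID rather than the name the user wrote (both inferred from the visible lines; confirm against the callers). Keeping Data intact and carrying the resolved UID in the callback or a dedicated field would avoid both. The `%s` on the lookup error could be `%w` so callers can unwrap it; Compile's body continues outside the hunk.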