# version 0.1
#
# Script to make detailed decisions about user logins.
#
# There are three levels of interest:
#   informational   : general interest (say root) for account use
#   suspicious      : specific accounts that you do not expect to see and
#                     should know about (such as 'lp')
#   dead_man_walkin : accounts that may represent former employees or
#                     known bad entities
#
# The choice to differentiate between the second and third may be
# gratuitous...
#
# check_CN (not implemented yet, see the stub at the end of the file) is
# meant to look at user representations of the form:
#   /DC=org/DC=doegrids/OU=People/CN=ACAC 144444
# which do not fit the general model of a userid.
#
# Note: membership in the account sets below is an exact string comparison,
# so a login name has to match the configured entry byte-for-byte (case
# included) to be recognised.

redef enum Notice += {
	UserSuspicous,      # a user is seen that should not normally be there
	UserDeadmanWalks,   # known bad user account, more dangerous than suspicious
	UserInfo,           # account associated with informational services
};

# UserInfo is expected to be noisy, so route it to the notice file only.
redef notice_action_filters += {
	[UserInfo] = file_notice,
};

# Master switches for the two checks performed by check_user().
global check_dead_man_walkin = T &redef;
global check_user_list = T &redef;

# Accounts of general interest (informational level).
const information_accounts = {
	"operator",
} &redef;

# Accounts that are not expected to log in at all (suspicious level).
const suspcous_accounts = {
	"lp", "toor", "admin", "test",
} &redef;

# Accounts of former employees or known bad entities (dead-man level).
const dead_man_list = {
	"jack",
} &redef;

# Whether 'user' is on the informational account list.
# Returns T when the account is listed, F otherwise. Raises no notice.
function informational_user(user: string) : bool
	{
	return user in information_accounts;
	}

# Compare 'account' with the dead-man and suspicious lists and raise the
# matching notice. 'ts', 'orig_h' and 'resp_h' only appear in the notice
# message; 'auth_type' is accepted but not used here.
#
# Returns T only when the account is on dead_man_list and that check is
# enabled. An account on suspcous_accounts raises UserSuspicous but the
# function still returns F, as it does for any unlisted account.
function check_user(ts:double, orig_h:addr, resp_h:addr, account:string, auth_type:string) : bool
	{
	# The dead-man list is the stronger signal, so it is consulted first;
	# a dead-man hit is never reported a second time as merely suspicious.
	if ( check_dead_man_walkin && account in dead_man_list )
		{
		NOTICE([$note=UserDeadmanWalks,
			$msg=fmt("%.6f %s -> %s@%s Deadman Walkin! login", ts, orig_h, account, resp_h)]);
		return T;
		}
	else if ( check_user_list && account in suspcous_accounts )
		{
		NOTICE([$note=UserSuspicous,
			$msg=fmt("%.6f %s -> %s@%s suspicous user login", ts, orig_h, account, resp_h)]);
		}

	return F;
	}

# Placeholder for certificate-style identities (see the header comment);
# not implemented yet.
#function check_CN(CN: string) : bool
#	{
#	}