feat: implement MFA-based sudo approval system

.goreleaser.yaml

@@ -67,12 +67,16 @@ nfpms:
           - sqlite3
           - nftables | iptables
         file_name_template: '{{ .PackageName }}_{{ trimprefix .Version "v" }}_{{ .Os }}_{{ .Arch }}'
+        suggests:
+          - alpamon-pam
       rpm:
         dependencies:
           - zip
           - sqlite
           - nftables | iptables
         file_name_template: '{{ .PackageName }}-{{ trimprefix .Version "v" }}-1.{{ .Os }}.{{ .Arch }}'
+        suggests:
+          - alpamon-pam
 
 changelog:
   sort: asc

Dockerfiles/ubuntu/22.04/Dockerfile

@@ -1,10 +1,11 @@
 FROM golang:1.23 AS builder
 
-# Set golang env
+# Automatically set GOARCH to the build-time architecture
+ARG TARGETARCH
 ENV GO111MODULE=on \
     CGO_ENABLED=0 \
     GOOS=linux \
-    GOARCH=amd64
+    GOARCH=${TARGETARCH:-amd64}
 
 WORKDIR /build
 
@@ -18,7 +19,15 @@ RUN go build -o alpamon ./cmd/alpamon/main.go
 
 FROM ubuntu:22.04
 
-RUN apt-get update && apt-get install -y --no-install-recommends systemd ca-certificates
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    curl \
+    systemd \
+    ca-certificates \
+    sudo \
+    vim \
+    build-essential \
+    libpam0g-dev \
+    libjansson-dev
 
 WORKDIR /usr/local/alpamon
 

Dockerfiles/ubuntu/22.04/entrypoint.sh

@@ -19,4 +19,9 @@ EOL
 echo -e "\nThe following configuration file is being used:\n"
 cat /etc/alpamon/alpamon.conf
 
+echo "[entrypoint] creating /var/run/alpamon..."
+mkdir -p /var/run/alpamon
+chown root:root /var/run/alpamon
+chmod 750 /var/run/alpamon
+
 exec /usr/local/alpamon/alpamon

README.md

@@ -28,16 +28,45 @@ Download the latest `alpamon` directly from our releases page or install it usin
 ```bash
 curl -s https://packagecloud.io/install/repositories/alpacax/alpamon/script.deb.sh?any=true | sudo bash
 
+# Install alpamon (includes PAM module by default)
 sudo apt-get install alpamon
+
+# Install without PAM module
+sudo apt-get install alpamon --no-install-recommends
 ```
 
 #### CentOS and RHEL
 ```bash
 curl -s https://packagecloud.io/install/repositories/alpacax/alpamon/script.rpm.sh?any=true | sudo bash
 
+# Install alpamon (includes PAM module by default)
 sudo yum install alpamon
+
+# Install without PAM module
+sudo yum install alpamon --setopt=install_weak_deps=False
+```
+
+### PAM Module
+
+By default, `alpamon` installation includes the `alpamon-pam` package, which provides PAM (Pluggable Authentication Modules) integration for advanced authentication features:
+- **pam_alpamon.so**: Verifies Alpacon users during sudo authentication
+- **alpacon_approval.so**: Handles sudo command approval requests
+
+#### Configuration
+After installation, configure PAM and sudo to enable the authentication features:
+
+1. Add to `/etc/pam.d/sudo`:
+```
+auth [user_unknown=ignore auth_err=die success=done default=bad] pam_alpamon.so
+```
+
+2. Add to `/etc/sudo.conf`:
+```
+Plugin approval_plugin alpacon_approval.so
 ```
 
+**Note**: The Alpamon service must be running with socket at `/var/run/alpamon/auth.sock` for PAM authentication to work.
+
 ### macOS
 
 #### Clone the source code

cmd/alpamon/command/root.go

@@ -99,25 +99,32 @@ func runAgent() {
 		metricCollector.Start()
 	}
 
-	// Websocket Client
+	// Websocket Client (Backhaul - commands, sessions)
 	wsClient := runner.NewWebsocketClient(session)
 	go wsClient.RunForever(ctx)
 
+	// Control Client (Control - sudo approval)
+	controlClient := runner.NewControlClient()
+	go controlClient.RunForever(ctx)
+
+	authManager := runner.GetAuthManager(controlClient)
+	go authManager.Start(ctx)
+
 	for {
 		select {
 		case <-ctx.Done():
 			log.Info().Msg("Received termination signal. Shutting down...")
-			gracefulShutdown(metricCollector, wsClient, logRotate, logServer, pidFilePath)
+			gracefulShutdown(metricCollector, wsClient, controlClient, authManager, logRotate, logServer, pidFilePath)
 			return
 		case <-wsClient.ShutDownChan:
 			log.Info().Msg("Shutdown command received. Shutting down...")
 			cancel()
-			gracefulShutdown(metricCollector, wsClient, logRotate, logServer, pidFilePath)
+			gracefulShutdown(metricCollector, wsClient, controlClient, authManager, logRotate, logServer, pidFilePath)
 			return
 		case <-wsClient.RestartChan:
 			log.Info().Msg("Restart command received. Restarting...")
 			cancel()
-			gracefulShutdown(metricCollector, wsClient, logRotate, logServer, pidFilePath)
+			gracefulShutdown(metricCollector, wsClient, controlClient, authManager, logRotate, logServer, pidFilePath)
 			restartAgent()
 			return
 		case <-wsClient.CollectorRestartChan:
@@ -142,13 +149,19 @@ func restartAgent() {
 	}
 }
 
-func gracefulShutdown(collector *collector.Collector, wsClient *runner.WebsocketClient, logRotate *lumberjack.Logger, logServer *logger.LogServer, pidPath string) {
+func gracefulShutdown(collector *collector.Collector, wsClient *runner.WebsocketClient, controlClient *runner.ControlClient, authManager *runner.AuthManager, logRotate *lumberjack.Logger, logServer *logger.LogServer, pidPath string) {
 	if collector != nil {
 		collector.Stop()
 	}
 	if wsClient != nil {
 		wsClient.Close()
 	}
+	if controlClient != nil {
+		controlClient.Close()
+	}
+	if authManager != nil {
+		authManager.Stop()
+	}
 	if logServer != nil {
 		logServer.Stop()
 	}

configs/tmpfile.conf

@@ -2,4 +2,5 @@ d   /etc/alpamon                    0700    root root - -
 f   /etc/alpamon/alpamon.conf       0600    root root - -
 d   /var/lib/alpamon                0750    root root - -
 f   /var/lib/alpamon/alpamon.db     0750    root root - -
-d   /var/log/alpamon                0750    root root - -
+d   /var/log/alpamon                0750    root root - -
+d   /var/run/alpamon                0750    root root - -