logstash_auditor 0.0.19 → 1.0.0
- checksums.yaml +4 -4
- data/.gitignore +7 -0
- data/README.md +17 -11
- data/lib/logstash_auditor/auditor.rb +30 -8
- data/lib/logstash_auditor/version.rb +1 -1
- data/sanity/Gemfile +1 -1
- data/sanity/sanity.rb +4 -5
- metadata +2 -2
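--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 3ed5b6819284fdb6fa9261a6fa3ff3bff44934a7
+data.tar.gz: b1f6b5ddec3302de7d5a840a51c95ab451e8d340
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: cd8eb41de82e38b1c8b6e54dca071e70553acdf7a0c3ea78e45fd8f4b4c28bcc1432a20ffdb0421134c5daefcfb2cb728abcc7df7c4c9ba0481d3d80df89883a
+data.tar.gz: a9f780c3e1b2502887b8873ddb7e0ebc33c7130b8f10443301a8b7971d91d03c9fbb2243927e52b71e1edd8322c7522597d0a5ec6ce4db6430bfe22f44e8f20f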
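--- a/data/.gitignore
+++ b/data/.gitignore
@@ -47,3 +47,10 @@ build/
 
 # unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
 .rvmrc
+
+/spec/support/certificates/**/*.pem
+/spec/support/certificates/**/*.pkcs12
+/spec/support/certificates/**/index*
+/spec/support/certificates/**/serial*
+/spec/support/certificates/**/crlnumber
+/spec/support/certificates/**/*.jks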
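--- a/data/README.md
+++ b/data/README.md
@@ -1,6 +1,6 @@
 # LogstashAuditor
 
-This gem provides the logstash auditor that can be plugged into the SOAR architecture.
+This gem provides the logstash auditor that can be plugged into the SOAR architecture. The auditor supports basic and certifcate based authentication to the logstash http input. Privacy can be ensured by simply using an tls tunnel.
 
 ## State of the API
 
@@ -25,14 +25,20 @@ Or install it yourself as:
 
 ## Configuration of Logstash Server
 
-The logstash server must be configured using the configuration in the folder spec/support/logstash_conf.d
+The logstash server must be configured using the configuration in the folder spec/support/logstash_conf.d and spec/support/certificates.
 This configuration is used by the docker image during the TDD tests which ensures that this gem and the server configuration is compatible.
 
 ## Testing
 
-Behavioural driven testing can be performed by testing against a local ELK docker image
+Behavioural driven testing can be performed by testing against a local ELK docker image.
 
-
+First you need to generate the certificates needed for authenticating the client to the server and the server itself.
+
+$ ./spec/support/certificates/setup_certificates_for_logstash_testing.sh
+
+Start a docker container with the ELK stack:
+
+$ docker run -d --name elk_test_service -v $(pwd)/spec/support/logstash_conf.d:/etc/logstash/conf.d -v $(pwd)/spec/support/certificates:/etc/logstash/certs -p 9300:9300 -p 9200:9200 -p 5000:5000 -p 5044:5044 -p 5601:5601 -p 8081:8080 sebp/elk
 
 Wait about 30 seconds for image to fire up. Then perform the tests:
 
@@ -41,14 +47,14 @@ Wait about 30 seconds for image to fire up. Then perform the tests:
 Note that in order to ensure that the processing has occurred on Elastic Search
 there is a 2 second delay between each event submission request and the search request
 
-Afterwards destroy the running docker image as follows:
-$ sudo docker ps
-$ sudo docker stop <CONTAINER_ID>
-
 Debugging the docker image:
-$
-$
-$
+$ docker exec -it elk_test_service bash
+$ docker stop elk_test_service
+$ docker rm -f elk_test_service
+
+Manual sending of an audit event to docker ELK stack:
+
+$ curl -iv -E ./spec/support/certificates/selfsigned/selfsigned_registered.cert.pem --key ./spec/support/certificates/selfsigned/selfsigned_registered.private.nopass.pem https://localhost:8081 -d "message=soar_logstash_test" --insecure
 
 ## Usage
 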
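--- a/data/lib/logstash_auditor/auditor.rb
+++ b/data/lib/logstash_auditor/auditor.rb
@@ -6,36 +6,58 @@ module LogstashAuditor
 
 #inversion of control method required by the AuditorAPI
 def configuration_is_valid?(configuration)
-
-
-return true
+basic_auth_configuration_valid?(configuration) or
+certificate_auth_configuration_valid?(configuration)
 end
 
 #inversion of control method required by the AuditorAPI
 def audit(audit_data)
 request = create_request(audit_data)
-http
+http = create_http_transport
 send_request_to_server(http, request)
 end
 
 private
 
+def basic_auth_configuration_valid?(configuration)
+required_parameters = ['host_url', 'username', 'password']
+required_parameters.each { |parameter| return false unless configuration.include?(parameter) }
+return true
+end
+
+def certificate_auth_configuration_valid?(configuration)
+required_parameters = ['host_url', 'public_key', 'private_key']
+required_parameters.each { |parameter| return false unless configuration.include?(parameter) }
+return true
+end
+
 def create_http_transport
-uri = URI.parse(@configuration[
+uri = URI.parse(@configuration['host_url'])
 http = Net::HTTP.new(uri.host, uri.port)
 http.use_ssl = true if uri.is_a?(URI::HTTPS)
-http.read_timeout = @configuration[
-http.open_timeout = @configuration[
+http.read_timeout = @configuration['timeout']
+http.open_timeout = @configuration['timeout']
+add_certificate_authentication(http) if certificate_auth_configuration_valid?(@configuration)
 return http
 end
 
+def add_certificate_authentication(http)
+http.cert = OpenSSL::X509::Certificate.new(@configuration['public_key'])
+http.key = OpenSSL::PKey::RSA.new(@configuration['private_key'])
+http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+end
+
 def create_request(audit_data)
 request = Net::HTTP::Post.new("/", initheader = {'Content-Type' => 'text/plain'})
-request
+add_basic_auth(request) if @configuration['username'] and @configuration['password']
 request.body = audit_data
 return request
 end
 
+def add_basic_auth(request)
+request.basic_auth(@configuration['username'], @configuration['password'])
+end
+
 def send_request_to_server(http, request)
 response = http.request(request) rescue nil
 raise StandardError, 'Failed to create connection' if response.nil?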
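Review bot: `add_certificate_authentication` sets `http.verify_mode = OpenSSL::SSL::VERIFY_NONE`, so as soon as a client certificate is configured the server's certificate is never checked and the audit stream (together with the basic-auth credentials when both are configured, since `create_request` adds them independently) can be delivered to any host that answers on `host_url`; the basic-auth-only path keeps Net::HTTP's default (VERIFY_PEER), so the two modes give different guarantees, and the README's "privacy can be ensured by simply using a tls tunnel" does not hold for the certificate mode. I would drop that line and make trust explicit instead, e.g. `http.verify_mode = OpenSSL::SSL::VERIFY_PEER` followed by `http.ca_file = @configuration['ca_file'] if @configuration['ca_file']`, which lets the self-signed test CA from spec/support/certificates be trusted without disabling verification for every deployment. Note that `send_request_to_server` (context lines at the bottom of this hunk) rescues every exception to nil and reports only 'Failed to create connection', so a verification failure would be indistinguishable from a network error; letting `OpenSSL::SSL::SSLError` propagate, or including the exception message, would make a misconfigured CA visible. Minor style point: `configuration_is_valid?` joins the two predicates with `or`; `||` is the conventional operator for boolean expressions and avoids precedence surprises if the expression is ever assigned.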
data/sanity/Gemfile
CHANGED
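--- a/data/sanity/sanity.rb
+++ b/data/sanity/sanity.rb
@@ -6,11 +6,10 @@ require 'securerandom'
 class Main
 def test_sanity
 @iut = LogstashAuditor::LogstashAuditor.new
-@logstash_configuration =
-
-
-
-"timeout" => 3}
+@logstash_configuration = { "host_url" => "https://localhost:8081",
+"public_key" => File.read("../spec/support/certificates/selfsigned/selfsigned_registered.cert.pem"),
+"private_key" => File.read("../spec/support/certificates/selfsigned/selfsigned_registered.private.nopass.pem"),
+"timeout" => 3}
 @iut.configure(@logstash_configuration)
 @iut.set_audit_level(:debug)
 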
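Review bot: The two `File.read("../spec/support/certificates/...")` calls resolve against the process working directory, so `test_sanity` only finds the certificate and key when the script is launched from data/sanity and otherwise fails with an Errno::ENOENT before any request is made. Anchoring the paths to the script's own location, e.g. `File.read(File.expand_path('../spec/support/certificates/selfsigned/selfsigned_registered.cert.pem', __dir__))` and the same for the private key, makes the sanity check location-independent. The `Main` class and `test_sanity` continue outside this hunk.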
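--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash_auditor
 version: !ruby/object:Gem::Version
-version: 0.0
+version: 1.0.0
 platform: ruby
 authors:
 - Barney de Villiers
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2016-
+date: 2016-08-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: bundler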