logstash_auditor 0.0.2

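--- a/checksums.yaml
+++ b/checksums.yaml
@@ -0,0 +1,7 @@
+---
+SHA1:
+metadata.gz: 3dd294589825e39ca26e59a6204bb9431b9d9fbb
+data.tar.gz: 98defbe2db36aec15e75cc2dad37befe9368487e
+SHA512:
+metadata.gz: dfcb70d7dd0684918804948477e1902f219fdeb1cfef70130191e8348659eaf8ed9b1a25dd1fb2db2673c2758b36245e79e46b9ffb8b4e564087cd5834814672
+data.tar.gz: 64c9352f29edb6c57d17426c22f1d4048082e7413acbfaef551a172f2f032a4fc7ebb20b6f7e66e4e0d5e190b20152d28af17e79d1f0eee98f545fbc0c3df743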
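--- a/data/.gitignore
+++ b/data/.gitignore
@@ -0,0 +1,49 @@
+.byebug_history
+*tgz
+left
+test_tfa.sh
+test_production.sh
+iut-list
+juddi-distro-*
+*.swo
+*.zip
+*.tar.gz
+*.swp
+*.gem
+*.rbc
+/Gemfile.lock
+/.config
+/coverage/
+/InstalledFiles
+/pkg/
+/spec/reports/
+/spec/examples.txt
+/test/tmp/
+/test/version_tmp/
+/tmp/
+.DS_Store
+
+## Specific to RubyMotion:
+.dat*
+.repl_history
+build/
+
+## Documentation cache and generated files:
+/.yardoc/
+/_yardoc/
+/doc/
+/rdoc/
+
+## Environment normalisation:
+/.bundle/
+/vendor/bundle
+/lib/bundler/man/
+
+# for a library or gem, you might want to ignore these files since the code is
+# intended to run in multiple environments; otherwise, check them in:
+# Gemfile.lock
+# .ruby-version
+# .ruby-gemset
+
+# unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
+.rvmrc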
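--- a/data/.rspec
+++ b/data/.rspec
@@ -0,0 +1,2 @@
+--format documentation
+--color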
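--- a/data/.ruby-gemset
+++ b/data/.ruby-gemset
@@ -0,0 +1 @@
+logstash_auditor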
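--- a/data/.ruby-version
+++ b/data/.ruby-version
@@ -0,0 +1 @@
+ruby-2.2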
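--- a/data/.travis.yml
+++ b/data/.travis.yml
@@ -0,0 +1,4 @@
+language: ruby
+rvm:
+- 2.2.2
+before_install: gem install bundler -v 1.11.2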
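--- a/data/Gemfile
+++ b/data/Gemfile
@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in logstash_auditor.gemspec
+gemspec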
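--- a/data/LICENSE.txt
+++ b/data/LICENSE.txt
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2016 Barney de Villiers
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.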
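--- a/data/README.md
+++ b/data/README.md
@@ -0,0 +1,133 @@
+# LogstashAuditor
+
+This gem provides the logstash auditor that can be plugged into the SOAR architecture.
+
+## State of the API
+
+This auditor is to be extended with NFR support pending behavioural specifications.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'logstash_auditor'
+```
+
+And then execute:
+
+$ bundle
+
+Or install it yourself as:
+
+$ gem install logstash_auditor
+
+## Testing
+
+Behavioural driven testing can be performed by testing against an ELK docker image:
+
+$ sudo docker run -d -v $(pwd)/spec/support/logstash_conf.d:/etc/logstash/conf.d -p 9300:9300 -p 9200:9200 -p 5000:5000 -p 5044:5044 -p 5601:5601 -p 8080:8080 sebp/elk
+
+Wait about 30 seconds for image to fire up. Then perform the tests:
+
+$ bundle exec rspec -cfd spec/*
+
+Note that in order to ensure that the processing has occurred on Elastic Search
+there is a 2 second delay between each event submission request and the search request
+
+Afterwards destroy the running docker image as follows:
+$ sudo docker ps
+$ sudo docker stop <CONTAINER_ID>
+
+Debugging the docker image:
+$ sudo docker exec -it <CONTAINER_ID> bash
+
+## Usage
+
+
+#TODO complete this section
+#TODO Extend the LogstashAuditor::AuditingProviderAPI to create an auditing provider:
+
+```
+class MyAuditingProvider < LogstashAuditor::AuditingProviderAPI
+end
+```
+
+Provide the required inversion of control method to configure (an) injected auditor(s):
+
+```
+def configure_auditor(configuration = nil)
+@auditor.configure(configuration)
+end
+```
+
+Initialize the provider so:
+
+```
+auditor = MyAuditor.new
+auditor_configuration = { 'some' => 'configuration' }
+@iut = MyAuditingProvider.new(auditor, auditor_configuration)
+```
+
+Audit using the API methods, e.g.:
+
+```
+@iut.info("This is info")
+@iut.debug(some_debug_object)
+@iut.warn("Statistics show that dropped packets have increased to #{dropped}%")
+@iut.error("Could not resend some dropped packets. They have been lost. All is still OK, I could compensate")
+@iut.fatal("Unable to perform action, too many dropped packets. Functional degradation.")
+@iut << 'Rack::CommonLogger requires this'
+```
+
+The API also supports appending as below, enabling support, e.g. for Rack::CommonLogger, etc.:
+
+```
+<<
+```
+
+## Detailed example
+
+```
+require 'log4r'
+require 'logstash_auditor'
+
+class Log4rAuditingProvider < LogstashAuditor::AuditingProviderAPI
+def configure_auditor(configuration = nil)
+@auditor.outputters = configuration['outputter']
+end
+end
+
+class Main
+include Log4r
+
+def test_sanity
+auditor = Logger.new 'sanity'
+auditor_configuration = { 'outputter' => Outputter.stdout }
+@iut = Log4rAuditingProvider.new(auditor, auditor_configuration)
+
+some_debug_object = 123
+@iut.info("This is info")
+@iut.debug(some_debug_object)
+dropped = 95
+@iut.warn("Statistics show that dropped packets have increased to #{dropped}%")
+@iut.error("Could not resend some dropped packets. They have been lost. All is still OK, I could compensate")
+@iut.fatal("Unable to perform action, too many dropped packets. Functional degradation.")
+end
+end
+
+main = Main.new
+main.test_sanity
+```
+
+## Contributing
+
+Bug reports and feature requests are welcome by email to barney dot de dot villiers at hetzner dot co dot za. This gem is sponsored by Hetzner (Pty) Ltd (http://hetzner.co.za)
+
+## Notes
+
+Though out of scope for the provider, auditors should take into account encoding, serialization, and other NFRs.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).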
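--- a/data/Rakefile
+++ b/data/Rakefile
@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec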
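--- a/data/bin/console
+++ b/data/bin/console
@@ -0,0 +1,16 @@
+#!/usr/bin/env ruby
+
+$LOAD_PATH.unshift File.expand_path('../lib', __FILE__)
+
+require "bundler/setup"
+require 'logstash_auditor'
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start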
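--- a/data/bin/setup
+++ b/data/bin/setup
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here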
@@ -0,0 +1,82 @@
1
+ require 'json'
2
+ require "net/http"
3
+ require "uri"
4
+
5
+ module LogstashAuditor
6
+ class LogstashAuditor
7
+ attr_reader :has_been_configured
8
+ attr_reader :configuration
9
+
10
+ def initialize
11
+ @has_been_configured = false
12
+ end
13
+
14
+ def configure(configuration = nil)
15
+ raise ArgumentError, "No configuration provided" if configuration == nil
16
+ raise ArgumentError, "Invalid configuration provided" unless configuration_is_good(configuration)
17
+
18
+ @configuration = configuration
19
+ @has_been_configured = true
20
+ end
21
+
22
+ def event(flow_id, message)
23
+ raise ArgumentError, "No flow id provided" if flow_id == nil
24
+ data = { "flow_id" => flow_id, "message" => message }
25
+ send_event( data )
26
+ end
27
+
28
+ private
29
+
30
+ def send_event(data)
31
+ uri = URI.parse(@configuration["host_url"])
32
+ http = Net::HTTP.new(uri.host, uri.port)
33
+ http.read_timeout = @configuration["timeout"]
34
+ http.open_timeout = @configuration["timeout"]
35
+
36
+ if @configuration["use_ssl"]
37
+ http.use_ssl = true
38
+ http.verify_mode = OpenSSL::SSL::VERIFY_NONE
39
+ end
40
+
41
+ request = Net::HTTP::Post.new(uri.request_uri, initheader = {'Content-Type' =>'application/json'})
42
+ request.basic_auth(@configuration["username"], @configuration["password"])
43
+ request.body = data.to_json
44
+
45
+ response = http.request(request)
46
+
47
+ case response.code
48
+ when "200"
49
+ return :success
50
+ when "401"
51
+ puts "Authorization failure contacting to logstash"
52
+ else
53
+ puts "Failure " + response.code + " communicating with logstash"
54
+ end
55
+ return :failure
56
+ end
57
+
58
+ def configuration_is_good(configuration)
59
+ unless configuration.include?("host_url")
60
+ puts "Parameter host_url not provided in configuration"
61
+ return false
62
+ end
63
+ unless configuration.include?("use_ssl")
64
+ puts "Parameter use_ssl not provided in configuration"
65
+ return false
66
+ end
67
+ unless configuration.include?("username")
68
+ puts "Parameter username not provided in configuration"
69
+ return false
70
+ end
71
+ unless configuration.include?("password")
72
+ puts "Parameter password not provided in configuration"
73
+ return false
74
+ end
75
+ unless configuration.include?("timeout")
76
+ puts "Parameter timeout not provided in configuration"
77
+ return false
78
+ end
79
+ return true
80
+ end
81
+ end
82
+ end
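Review bot: With `use_ssl` enabled, `http.verify_mode = OpenSSL::SSL::VERIFY_NONE` switches off certificate validation, so the TLS session never authenticates the Logstash endpoint and the username and password attached by `request.basic_auth` can be harvested by anyone able to interpose on the path. Replace it with `http.verify_mode = OpenSSL::SSL::VERIFY_PEER` and, where a private CA signs the collector, accept an optional `ca_file` configuration key and pass it to `http.ca_file` instead of disabling verification. When `use_ssl` is false the same credentials go out in plaintext regardless of the scheme in `host_url`; deriving `use_ssl` from `uri.scheme == "https"`, or rejecting a mismatch in `configuration_is_good`, would stop a configuration from silently downgrading. The non-200 branches only `puts` to stdout and return `:failure`, so an audit event that was never recorded is invisible unless the caller checks `event`'s return value; that contract is worth a comment on `event`, e.g. `# Returns :success on HTTP 200, :failure otherwise; never raises on transport errors`.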
@@ -0,0 +1,3 @@
1
+ module LogstashAuditor
2
+ VERSION = "0.0.2"
3
+ end
@@ -0,0 +1,5 @@
1
+ require 'logstash_auditor/version'
2
+ require 'logstash_auditor/auditor'
3
+
4
+ module LogstashAuditor
5
+ end
@@ -0,0 +1,30 @@
1
+ # coding: utf-8
2
+ lib = File.expand_path('../lib', __FILE__)
3
+ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
4
+ require 'logstash_auditor/version'
5
+
6
+ Gem::Specification.new do |spec|
7
+ spec.name = "logstash_auditor"
8
+ spec.version = LogstashAuditor::VERSION
9
+ spec.authors = ["Barney de Villiers"]
10
+ spec.email = ["barney.de.villiers@hetzner.co.za"]
11
+
12
+ spec.summary = %q{Logstash implementation of SOAR architecture auditing}
13
+ spec.description = %q{Logstash implementation of SOAR architecture auditing allowing easy publishing of events to a centralized logstash collection engine}
14
+ spec.homepage = "https://github.hetzner.co.za/hetznerZA/logstash_auditor"
15
+ spec.license = "MIT"
16
+
17
+ spec.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
18
+ spec.bindir = "exe"
19
+ spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
20
+ spec.require_paths = ["lib"]
21
+
22
+ spec.add_development_dependency "bundler", "~> 1.11"
23
+ spec.add_development_dependency "rake", "~> 10.0"
24
+ spec.add_development_dependency "rspec", "~> 3.0"
25
+ spec.add_development_dependency "byebug", "~> 9"
26
+ spec.add_development_dependency "elasticsearch", "~> 1"
27
+
28
+ spec.add_dependency "http", "~> 2"
29
+
30
+ end
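Review bot: `spec.add_dependency "http", "~> 2"` declares a runtime dependency that nothing in this diff requires; the library code loads only the standard-library `json`, `net/http` and `uri`, so every consumer installs the `http` gem and its transitive tree for no benefit. Either remove the line or make the client actually use that gem; an unused runtime dependency is pure supply-chain exposure with no upside. Because `spec.files` is built from `git ls-files`, the `sanity/` directory and its Gemfile ship inside the published gem; extending the reject regex to `%r{^(test|spec|features|sanity)/}` keeps the artifact to library code.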
@@ -0,0 +1 @@
1
+ sanity
@@ -0,0 +1 @@
1
+ ruby-2.2
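--- a/data/sanity/Gemfile
+++ b/data/sanity/Gemfile
@@ -0,0 +1,7 @@
+source 'https://rubygems.org'
+
+gem 'byebug'
+gem 'logstash_auditor', "~> 0.0.1"
+
+gem 'http'
+gem 'net'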
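Review bot: `gem 'net'` does not provide Ruby's standard-library `net/http` (that needs no Gemfile entry); whatever gem of that name resolves from rubygems.org is not required anywhere in this diff, and neither is `gem 'http'`, since `sanity.rb` loads only `logstash_auditor` and `digest`. Installing unpinned gems that nothing uses is an easy dependency-confusion and typosquat vector, so both lines should go. If a debugger is wanted, pin it: `gem 'byebug', '~> 9'`, matching the gemspec's development constraint.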
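--- a/data/sanity/sanity.rb
+++ b/data/sanity/sanity.rb
@@ -0,0 +1,24 @@
+require 'logstash_auditor'
+require 'digest'
+
+
+class Main
+def create_flow_id
+return Digest::SHA256.hexdigest("#{Time.now.to_i}#{rand(4000000)}")
+end
+
+def test_sanity
+@iut = LogstashAuditor::LogstashAuditor.new
+@valid_logstash_configuration =
+{ "host_url" => "http://localhost:8080",
+"use_ssl" => false,
+"username" => "something",
+"password" => "something",
+"timeout" => 3}
+@iut.configure(@valid_logstash_configuration)
+@iut.event(create_flow_id, "This is a test event")
+end
+end
+
+main = Main.new
+main.test_sanity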
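Review bot: `create_flow_id` builds the id from `Time.now.to_i` and `rand(4000000)`, which is predictable and yields at most four million distinct values per second; wrapping that in SHA256 does not add entropy. If flow ids correlate audit events and should be neither guessable nor prone to collision, `SecureRandom.uuid` (with `require 'securerandom'`) is the idiomatic one-line replacement. The configuration also sends basic-auth credentials over plain `http://localhost:8080` with `"use_ssl" => false`, which is acceptable for a local sanity run but deserves a comment such as `# local-only: plaintext and placeholder credentials, do not copy to production config` so it is not reused verbatim.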
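--- a/metadata
+++ b/metadata
@@ -0,0 +1,148 @@
+--- !ruby/object:Gem::Specification
+name: logstash_auditor
+version: !ruby/object:Gem::Version
+version: 0.0.2
+platform: ruby
+authors:
+- Barney de Villiers
+autorequire:
+bindir: exe
+cert_chain: []
+date: 2016-05-18 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+name: bundler
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.11'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.11'
+- !ruby/object:Gem::Dependency
+name: rake
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '10.0'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '10.0'
+- !ruby/object:Gem::Dependency
+name: rspec
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '3.0'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '3.0'
+- !ruby/object:Gem::Dependency
+name: byebug
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '9'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '9'
+- !ruby/object:Gem::Dependency
+name: elasticsearch
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1'
+- !ruby/object:Gem::Dependency
+name: http
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '2'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '2'
+description: Logstash implementation of SOAR architecture auditing allowing easy publishing
+of events to a centralized logstash collection engine
+email:
+- barney.de.villiers@hetzner.co.za
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".ruby-gemset"
+- ".ruby-version"
+- ".travis.yml"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- lib/logstash_auditor.rb
+- lib/logstash_auditor/auditor.rb
+- lib/logstash_auditor/version.rb
+- logstash_auditor.gemspec
+- sanity/.ruby-gemset
+- sanity/.ruby-version
+- sanity/Gemfile
+- sanity/sanity.rb
+homepage: https://github.hetzner.co.za/hetznerZA/logstash_auditor
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.4.8
+signing_key:
+specification_version: 4
+summary: Logstash implementation of SOAR architecture auditing
+test_files: []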