logstash_auditor 0.0.5 → 0.0.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +1 -2
- data/lib/logstash_auditor/auditor.rb +24 -84
- data/lib/logstash_auditor/version.rb +1 -1
- data/logstash_auditor.gemspec +2 -1
- data/sanity/sanity.rb +3 -4
- metadata +16 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 030aece775d1f1ce076e855a14509541b9033677
|
|
4
|
+
data.tar.gz: 7b324939d42281d8081c63fc2c34fcfa827b0024
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 8ddc607e7296a894cea671daba9408a25dc6782634f9256b7bba979ec3a2960a7ec7ad69658f3ddef78242d8dd34db7a6eabfe956f19c2c676ba5f73fa6f8665
|
|
7
|
+
data.tar.gz: e6b6cfa9edfda84fd7d70ec929bdf1c906bea5eb3c0b0535d3cdbc0a017560c64dcc7e42dc5e15b4ba536a59ed11eac8e1b3b81a6ca9e7bcab835d15bcc13c8b
|
data/README.md
CHANGED
|
@@ -50,14 +50,13 @@ Initialize and configure the auditor so:
|
|
|
50
50
|
@iut = LogstashAuditor::LogstashAuditor.new
|
|
51
51
|
@logstash_configuration =
|
|
52
52
|
{ "host_url" => "http://localhost:8080",
|
|
53
|
-
"use_ssl" => false,
|
|
54
53
|
"username" => "something",
|
|
55
54
|
"password" => "something",
|
|
56
55
|
"timeout" => 3}
|
|
57
56
|
@iut.configure(@valid_logstash_configuration)
|
|
58
57
|
```
|
|
59
58
|
|
|
60
|
-
Audit using the API methods, e.g.:
|
|
59
|
+
Audit using the inherited API methods, e.g.:
|
|
61
60
|
|
|
62
61
|
```
|
|
63
62
|
@iut.event(flow_id, "This is a test event")
|
|
@@ -1,105 +1,45 @@
|
|
|
1
|
-
require 'json'
|
|
2
1
|
require "net/http"
|
|
3
|
-
require "
|
|
2
|
+
require "soar_auditor_api"
|
|
4
3
|
|
|
5
4
|
module LogstashAuditor
|
|
6
|
-
class LogstashAuditor
|
|
7
|
-
attr_reader :has_been_configured
|
|
8
|
-
attr_reader :configuration
|
|
5
|
+
class LogstashAuditor < SoarAuditorApi::SoarAuditorAPI
|
|
9
6
|
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
raise ArgumentError, "No configuration provided" if configuration == nil
|
|
16
|
-
raise ArgumentError, "Invalid configuration provided" unless configuration_is_good(configuration)
|
|
17
|
-
|
|
18
|
-
@configuration = configuration
|
|
19
|
-
@has_been_configured = true
|
|
20
|
-
end
|
|
21
|
-
|
|
22
|
-
def debug(data)
|
|
23
|
-
event(data)
|
|
24
|
-
end
|
|
25
|
-
|
|
26
|
-
def info(data)
|
|
27
|
-
event(data)
|
|
28
|
-
end
|
|
29
|
-
|
|
30
|
-
def error(data)
|
|
31
|
-
event(data)
|
|
32
|
-
end
|
|
33
|
-
|
|
34
|
-
def warn(data)
|
|
35
|
-
event(data)
|
|
36
|
-
end
|
|
37
|
-
|
|
38
|
-
def fatal(data)
|
|
39
|
-
event(data)
|
|
40
|
-
end
|
|
41
|
-
|
|
42
|
-
def <<(data)
|
|
43
|
-
event(data)
|
|
7
|
+
#inversion of control method required by the SoarAuditorAPI
|
|
8
|
+
def configuration_is_valid(configuration)
|
|
9
|
+
required_parameters = ["host_url", "username", "password"]
|
|
10
|
+
required_parameters.each { |parameter| return false unless configuration.include?(parameter) }
|
|
11
|
+
return true
|
|
44
12
|
end
|
|
45
13
|
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
14
|
+
#inversion of control method required by the SoarAuditorAPI
|
|
15
|
+
def audit(audit_data)
|
|
16
|
+
request = create_request(audit_data)
|
|
17
|
+
http = create_http_transport
|
|
18
|
+
send_request_to_server(http, request)
|
|
49
19
|
end
|
|
50
20
|
|
|
51
21
|
private
|
|
52
22
|
|
|
53
|
-
def
|
|
23
|
+
def create_http_transport
|
|
54
24
|
uri = URI.parse(@configuration["host_url"])
|
|
55
25
|
http = Net::HTTP.new(uri.host, uri.port)
|
|
26
|
+
http.use_ssl = true if uri.is_a?(URI::HTTPS)
|
|
56
27
|
http.read_timeout = @configuration["timeout"]
|
|
57
28
|
http.open_timeout = @configuration["timeout"]
|
|
29
|
+
return http
|
|
30
|
+
end
|
|
58
31
|
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
|
|
62
|
-
end
|
|
63
|
-
|
|
64
|
-
request = Net::HTTP::Post.new(uri.request_uri, initheader = {'Content-Type' =>'application/json'})
|
|
32
|
+
def create_request(audit_data)
|
|
33
|
+
request = Net::HTTP::Post.new("/", initheader = {'Content-Type' => 'application/json'})
|
|
65
34
|
request.basic_auth(@configuration["username"], @configuration["password"])
|
|
66
|
-
request.body =
|
|
67
|
-
|
|
68
|
-
response = http.request(request)
|
|
69
|
-
|
|
70
|
-
case response.code
|
|
71
|
-
when "200"
|
|
72
|
-
return :success
|
|
73
|
-
when "401"
|
|
74
|
-
puts "Authorization failure contacting to logstash"
|
|
75
|
-
else
|
|
76
|
-
puts "Failure " + response.code + " communicating with logstash"
|
|
77
|
-
end
|
|
78
|
-
return :failure
|
|
35
|
+
request.body = audit_data
|
|
36
|
+
return request
|
|
79
37
|
end
|
|
80
38
|
|
|
81
|
-
def
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
end
|
|
86
|
-
unless configuration.include?("use_ssl")
|
|
87
|
-
puts "Parameter use_ssl not provided in configuration"
|
|
88
|
-
return false
|
|
89
|
-
end
|
|
90
|
-
unless configuration.include?("username")
|
|
91
|
-
puts "Parameter username not provided in configuration"
|
|
92
|
-
return false
|
|
93
|
-
end
|
|
94
|
-
unless configuration.include?("password")
|
|
95
|
-
puts "Parameter password not provided in configuration"
|
|
96
|
-
return false
|
|
97
|
-
end
|
|
98
|
-
unless configuration.include?("timeout")
|
|
99
|
-
puts "Parameter timeout not provided in configuration"
|
|
100
|
-
return false
|
|
101
|
-
end
|
|
102
|
-
return true
|
|
39
|
+
def send_request_to_server(http, request)
|
|
40
|
+
response = http.request(request) rescue nil
|
|
41
|
+
raise StandardError, 'Failed to create connection' if response.nil?
|
|
42
|
+
raise StandardError, "Server rejected post with error code #{response.code}" unless response.code == "200"
|
|
103
43
|
end
|
|
104
44
|
end
|
|
105
45
|
end
|
data/logstash_auditor.gemspec
CHANGED
data/sanity/sanity.rb
CHANGED
|
@@ -5,16 +5,15 @@ class Main
|
|
|
5
5
|
@iut = LogstashAuditor::LogstashAuditor.new
|
|
6
6
|
@valid_logstash_configuration =
|
|
7
7
|
{ "host_url" => "http://localhost:8080",
|
|
8
|
-
"
|
|
9
|
-
"
|
|
10
|
-
"password" => "something",
|
|
8
|
+
"username" => "auditorusername",
|
|
9
|
+
"password" => "auditorpassword",
|
|
11
10
|
"timeout" => 3}
|
|
12
11
|
@iut.configure(@valid_logstash_configuration)
|
|
13
12
|
|
|
14
13
|
require 'digest'
|
|
15
14
|
flow_id = Digest::SHA256.hexdigest("#{Time.now.to_i}#{rand(4000000)}")
|
|
16
15
|
|
|
17
|
-
@iut.
|
|
16
|
+
@iut.warn(flow_id, "This is a test event")
|
|
18
17
|
end
|
|
19
18
|
end
|
|
20
19
|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: logstash_auditor
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.0.
|
|
4
|
+
version: 0.0.6
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Barney de Villiers
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2016-05-
|
|
11
|
+
date: 2016-05-23 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|
|
@@ -94,6 +94,20 @@ dependencies:
|
|
|
94
94
|
- - "~>"
|
|
95
95
|
- !ruby/object:Gem::Version
|
|
96
96
|
version: '2'
|
|
97
|
+
- !ruby/object:Gem::Dependency
|
|
98
|
+
name: soar_auditor_api
|
|
99
|
+
requirement: !ruby/object:Gem::Requirement
|
|
100
|
+
requirements:
|
|
101
|
+
- - "~>"
|
|
102
|
+
- !ruby/object:Gem::Version
|
|
103
|
+
version: '0.0'
|
|
104
|
+
type: :runtime
|
|
105
|
+
prerelease: false
|
|
106
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
107
|
+
requirements:
|
|
108
|
+
- - "~>"
|
|
109
|
+
- !ruby/object:Gem::Version
|
|
110
|
+
version: '0.0'
|
|
97
111
|
description: Logstash implementation of SOAR architecture auditing allowing easy publishing
|
|
98
112
|
of events to a centralized logstash collection engine
|
|
99
113
|
email:
|