logstash_auditor 1.1.0 → 1.1.1
- checksums.yaml +4 -4
- data/Dockerfile +10 -0
- data/README.md +28 -17
- data/docker-compose-isolated.yml +21 -0
- data/docker-compose.yml +28 -0
- data/lib/logstash_auditor/version.rb +1 -1
- data/logstash_auditor.gemspec +1 -0
- data/retry.sh +23 -0
- data/sanity/sanity.rb +1 -1
- metadata +21 -3
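--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: cf167e8f8c9c9fa493029eb5e3ac225f881bf02b
+data.tar.gz: 7d90420e878b53fbf68401d8d59a98156c63019b
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 303aedb8e9b885c357a381628b76b575ed10742973437de563cbb2a3078eddc46de7e52daa04a7c788a41bcae477f32823921bb27014b702cba200e2ec56b179
+data.tar.gz: cc271f17337a7a4e48d31c4fdfc3cdec7a4b8963771d1c1615eadfa0f75ca2927e51f4da372369c4b94b9df7550552852a03cc279938c8e64850dcd49ed551b1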
data/Dockerfile
ADDED
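--- a/data/README.md
+++ b/data/README.md
@@ -32,6 +32,25 @@ Or install it yourself as:
 The logstash server must be configured using the configuration in the folder spec/support/logstash_conf.d and spec/support/certificates.
 This configuration is used by the docker image during the TDD tests which ensures that this gem and the server configuration is compatible.
 
+## Testing for CI purposes
+
+```bash
+#!/bin/bash
+./spec/support/certificates/setup_certificates_for_logstash_testing.sh
+source retry.sh
+export UID
+retry 3 docker-compose down
+retry 3 docker-compose build --force-rm --no-cache
+
+set -e
+retry 3 docker-compose -f docker-compose-isolated.yml run --rm test
+EXIT_CODE=$?
+set +e
+
+docker-compose down
+exit $EXIT_CODE
+```
+
 ## Testing
 
 Behavioural driven testing can be performed by testing against a local ELK docker image.
@@ -42,31 +61,23 @@ First you need to generate the certificates needed for authenticating the client
 ./spec/support/certificates/setup_certificates_for_logstash_testing.sh
 ```
 
-
+Then perform the tests:
 
 ```bash
-
-
-
-
-
-
-bundle exec rspec -cfd spec/*
+./spec/support/certificates/setup_certificates_for_logstash_testing.sh
+export UID
+docker-compose down
+docker-compose build --force-rm --no-cache
+docker-compose -f docker-compose-isolated.yml run --rm test
+docker-compose down
 ```
 
 Note that in order to ensure that the processing has occurred on Elastic Search
 there is a 2 second delay between each event submission request and the search request
 
-Debugging the docker image:
-```bash
-docker exec -it elk_test_service bash
-docker stop elk_test_service
-docker rm -f elk_test_service
-```
-
 Manual sending of an audit event to docker ELK stack:
 ```bash
-curl -iv -E ./spec/support/certificates/selfsigned/selfsigned_registered.cert.pem --key ./spec/support/certificates/selfsigned/selfsigned_registered.private.nopass.pem https://localhost:
+curl -iv -E ./spec/support/certificates/selfsigned/selfsigned_registered.cert.pem --key ./spec/support/certificates/selfsigned/selfsigned_registered.private.nopass.pem https://localhost:8080 -d "{\"audit_message\":\"bla\",\"audit_something_else\":\"foo\"}" --insecure
 ```
 
 View the audit events created on the Kibana interface:
@@ -82,7 +93,7 @@ Initialize and configure the auditor so:
 ```ruby
 @iut = LogstashAuditor::LogstashAuditor.new
 @logstash_configuration =
-{ "host_url" => "http://localhost:
+{ "host_url" => "http://localhost:8080",
 "username" => "auditorusername",
 "password" => "auditorpassword",
 "timeout" => 3}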
@@ -0,0 +1,21 @@
|
|
1
|
+
version: '2.0'
|
2
|
+
services:
|
3
|
+
elk_test_service:
|
4
|
+
image: sebp/elk:es234_l234_k453
|
5
|
+
expose:
|
6
|
+
- "9300"
|
7
|
+
- "9200"
|
8
|
+
- "5000"
|
9
|
+
- "5044"
|
10
|
+
- "5601"
|
11
|
+
- "8080"
|
12
|
+
volumes:
|
13
|
+
- ./spec/support/logstash_conf.d:/etc/logstash/conf.d
|
14
|
+
- ./spec/support/certificates:/etc/logstash/certs
|
15
|
+
test:
|
16
|
+
build: .
|
17
|
+
command: /bin/bash -c 'sleep 30; bundle exec rspec -cfd spec/*'
|
18
|
+
volumes:
|
19
|
+
- .:/usr/local/src/
|
20
|
+
links:
|
21
|
+
- elk_test_service
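Review bot: `image: sebp/elk:es234_l234_k453` pins the ELK image by a mutable tag only, so every CI run trusts whatever that tag currently resolves to on the registry; because this appears to be the docker-compose-isolated.yml file that the README's CI script runs (the diffstat's +21 matches this hunk, though its file header is not shown here), pin it by content instead, `image: sebp/elk@sha256:<digest reported by docker pull>`, and bump the digest deliberately. The `command:` line also relies on a fixed `sleep 30` before `bundle exec rspec`; polling the 8080 endpoint the sanity client targets until it answers would be both faster and less flaky. Note as well that `- .:/usr/local/src/` mounts the entire checkout, including the generated keys under spec/support/certificates, into the test container, which is acceptable on a disposable CI runner but worth remembering if this file is reused elsewhere.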
|
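--- /dev/null
+++ b/data/docker-compose.yml
@@ -0,0 +1,28 @@
+version: '2.0'
+services:
+elk_test_service:
+image: sebp/elk:es234_l234_k453
+expose:
+- "9300"
+- "9200"
+- "5000"
+- "5044"
+- "5601"
+- "8080"
+ports:
+- "9300:9300"
+- "9200:9200"
+- "5000:5000"
+- "5044:5044"
+- "5601:5601"
+- "8080:8080"
+volumes:
+- ./spec/support/logstash_conf.d:/etc/logstash/conf.d
+- ./spec/support/certificates:/etc/logstash/certs
+test:
+build: .
+command: /bin/bash -c 'sleep 30; bundle exec rspec -cfd spec/*'
+volumes:
+- .:/usr/local/src/
+links:
+- elk_test_service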
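Review bot: The `ports:` block publishes 9300, 9200, 5000, 5044, 5601 and 8080 without a host address, so Docker binds them on every interface and the test Elasticsearch, Logstash and Kibana are reachable from the whole network for as long as the stack is up, with nothing in this file putting authentication in front of them. Since the CI path in this diff runs docker-compose-isolated.yml, which only `expose`s the same ports, this file presumably exists for local debugging, where loopback is sufficient. Prefix each mapping with the loopback address, e.g. `- "127.0.0.1:9200:9200"`, and likewise for the other five entries. Separately, `image: sebp/elk:es234_l234_k453` is a mutable tag; pinning by `@sha256:` digest would make the stack reproducible and tamper-evident.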
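--- a/data/logstash_auditor.gemspec
+++ b/data/logstash_auditor.gemspec
@@ -25,6 +25,7 @@ Gem::Specification.new do |spec|
 spec.add_development_dependency "byebug", "~> 9"
 spec.add_development_dependency "elasticsearch", "~> 1"
 spec.add_development_dependency "soar_auditing_format", "~> 0.0.5"
+spec.add_development_dependency "soar_json_auditing_format", "~> 0.0.2"
 
 spec.add_dependency "http", "~> 2"
 spec.add_dependency "soar_auditor_api", "~> 1.0"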
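Review bot: The new `soar_json_auditing_format` line is fine as a development-only dependency, but the `files:` list in this same version's metadata shows that the released gem now also ships Dockerfile, docker-compose.yml, docker-compose-isolated.yml and retry.sh to every consumer; if `spec.files` is built from `git ls-files` (the `Gem::Specification` block starts and ends outside this hunk, so that is not visible here), consider rejecting those development artefacts from it the same way test/spec files usually are, e.g. `.reject { |f| f.match(%r{\A(Dockerfile|docker-compose.*\.yml|retry\.sh)\z}) }`. The metadata also carries `cert_chain: []` and an empty `signing_key:`, so the gem is published unsigned; setting `spec.signing_key` and `spec.cert_chain` would let consumers verify it with `gem install -P HighSecurity`.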
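--- /dev/null
+++ b/data/retry.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# Retries a command on failure.
+# $1 - the max number of attempts
+# $2... - the command to run
+retry() {
+local -r -i max_attempts="$1"; shift
+local -r cmd="$@"
+local -i attempt_num=1
+local -i cmd_exit_code=0
+until eval $cmd
+do
+cmd_exit_code=$?
+if (( attempt_num == max_attempts ))
+then
+echo "Attempt $attempt_num failed with code $cmd_exit_code and there are no more attempts left!"
+exit $cmd_exit_code
+else
+echo "Attempt $attempt_num failed with code $cmd_exit_code! Trying again in $attempt_num seconds..."
+sleep $(( attempt_num++ ))
+fi
+done
+}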
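Review bot: `local -r cmd="$@"` followed by `until eval $cmd` flattens the arguments into one string and re-parses it through the shell, so any argument containing spaces, quotes, `;` or `$(...)` is split and expanded a second time — a quoting bug for every non-trivial command today, and a command-injection path should a caller ever forward untrusted text through `retry`. Execute the arguments directly instead: drop the `cmd` line and write `until "$@"`. Also, because README.md `source`s this file, the `exit $cmd_exit_code` taken on the final attempt terminates the calling shell rather than just the helper; `return "$cmd_exit_code"` leaves the caller in control, and the README's `set -e` section would still abort on the non-zero return.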
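--- a/data/sanity/sanity.rb
+++ b/data/sanity/sanity.rb
@@ -6,7 +6,7 @@ require 'securerandom'
 class Main
 def test_sanity
 @iut = LogstashAuditor::LogstashAuditor.new
-@logstash_configuration = { "host_url" => "https://localhost:
+@logstash_configuration = { "host_url" => "https://localhost:8080",
 "certificate" => File.read("../spec/support/certificates/selfsigned/selfsigned_registered.cert.pem"),
 "private_key" => File.read("../spec/support/certificates/selfsigned/selfsigned_registered.private.nopass.pem"),
 "timeout" => 3}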
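--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash_auditor
 version: !ruby/object:Gem::Version
-version: 1.1.
+version: 1.1.1
 platform: ruby
 authors:
 - Barney de Villiers
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2017-
+date: 2017-05-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: bundler
@@ -94,6 +94,20 @@ dependencies:
 - - "~>"
 - !ruby/object:Gem::Version
 version: 0.0.5
+- !ruby/object:Gem::Dependency
+name: soar_json_auditing_format
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 0.0.2
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 0.0.2
 - !ruby/object:Gem::Dependency
 name: http
 requirement: !ruby/object:Gem::Requirement
@@ -134,16 +148,20 @@ files:
 - ".rspec"
 - ".ruby-gemset"
 - ".ruby-version"
+- Dockerfile
 - Gemfile
 - LICENSE.txt
 - README.md
 - Rakefile
 - bin/console
 - bin/setup
+- docker-compose-isolated.yml
+- docker-compose.yml
 - lib/logstash_auditor.rb
 - lib/logstash_auditor/auditor.rb
 - lib/logstash_auditor/version.rb
 - logstash_auditor.gemspec
+- retry.sh
 - sanity/.ruby-gemset
 - sanity/.ruby-version
 - sanity/Gemfile
@@ -168,7 +186,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.
+rubygems_version: 2.4.8
 signing_key:
 specification_version: 4
 summary: Logstash implementation of SOAR architecture auditing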