logstash_auditor 1.0.1 → 1.1.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 1e0fd6676dbd7bd6b2049f89f663176671632706
4
- data.tar.gz: b595f455e1be70f9794aabfe557fde24f52c821b
3
+ metadata.gz: 2ab15fbb437df572cc228b13e35469d7a2800946
4
+ data.tar.gz: c8078a1bfc77a5c22d55f8ab544831392d3a3799
5
5
  SHA512:
6
- metadata.gz: 43bdd4f0b32ed2eb4ec328ce9705724cc77ea640adb8e337a4afcd2328982459c28a697fc1baddbea5282ad1b4c51a1a575b5e2ca81f06594ad6902352814722
7
- data.tar.gz: a1fc333997aac59cae05e55b35cd5afaccc1b657df3d5033c7188b3cc55bae2caa4853aaa0937b939f331913010c4691d374cf60c778eafbfc293247d8475547
6
+ metadata.gz: cce478ec437587c1a5bcff5214f96e52bd207037289fb21d01402a4f0a781200bb62647d09b693ad08c65e61ba68a9b3ce288519d9ddc0305c3f3f08cc95ca0f
7
+ data.tar.gz: e961399424d11bc91aad6b8216e2deed082148179f31b8d87f7a404f5b9709294d074380247e703652e5f0d52789667630e7e461714ca5015e11a9ed62cbbcef
data/README.md CHANGED
@@ -17,11 +17,15 @@ gem 'logstash_auditor'
17
17
 
18
18
  And then execute:
19
19
 
20
- $ bundle
20
+ ```bash
21
+ bundle
22
+ ```
21
23
 
22
24
  Or install it yourself as:
23
25
 
24
- $ gem install logstash_auditor
26
+ ```bash
27
+ gem install logstash_auditor
28
+ ```
25
29
 
26
30
  ## Configuration of Logstash Server
27
31
 
@@ -34,27 +38,42 @@ Behavioural driven testing can be performed by testing against a local ELK docke
34
38
 
35
39
  First you need to generate the certificates needed for authenticating the client to the server and the server itself.
36
40
 
37
- $ ./spec/support/certificates/setup_certificates_for_logstash_testing.sh
41
+ ```bash
42
+ ./spec/support/certificates/setup_certificates_for_logstash_testing.sh
43
+ ```
38
44
 
39
45
  Start a docker container with the ELK stack:
40
46
 
41
- $ docker run -d --name elk_test_service -v $(pwd)/spec/support/logstash_conf.d:/etc/logstash/conf.d -v $(pwd)/spec/support/certificates:/etc/logstash/certs -p 9300:9300 -p 9200:9200 -p 5000:5000 -p 5044:5044 -p 5601:5601 -p 8081:8080 sebp/elk
47
+ ```bash
48
+ docker run -d --name elk_test_service -v $(pwd)/spec/support/logstash_conf.d:/etc/logstash/conf.d -v $(pwd)/spec/support/certificates:/etc/logstash/certs -p 9300:9300 -p 9200:9200 -p 5000:5000 -p 5044:5044 -p 5601:5601 -p 8081:8080 sebp/elk:es234_l234_k453
49
+ ```
42
50
 
43
51
  Wait about 30 seconds for image to fire up. Then perform the tests:
44
52
 
45
- $ bundle exec rspec -cfd spec/*
53
+ ```bash
54
+ bundle exec rspec -cfd spec/*
55
+ ```
46
56
 
47
57
  Note that in order to ensure that the processing has occurred on Elastic Search
48
58
  there is a 2 second delay between each event submission request and the search request
49
59
 
50
60
  Debugging the docker image:
51
- $ docker exec -it elk_test_service bash
52
- $ docker stop elk_test_service
53
- $ docker rm -f elk_test_service
61
+ ```bash
62
+ docker exec -it elk_test_service bash
63
+ docker stop elk_test_service
64
+ docker rm -f elk_test_service
65
+ ```
54
66
 
55
67
  Manual sending of an audit event to docker ELK stack:
68
+ ```bash
69
+ curl -iv -E ./spec/support/certificates/selfsigned/selfsigned_registered.cert.pem --key ./spec/support/certificates/selfsigned/selfsigned_registered.private.nopass.pem https://localhost:8081 -d "message=soar_logstash_test" --insecure
70
+ ```
56
71
 
57
- $ curl -iv -E ./spec/support/certificates/selfsigned/selfsigned_registered.cert.pem --key ./spec/support/certificates/selfsigned/selfsigned_registered.private.nopass.pem https://localhost:8081 -d "message=soar_logstash_test" --insecure
72
+ View the audit events created on the Kibana interface:
73
+
74
+ ```bash
75
+ http://localhost:5601/app/kibana#/discover?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-15m,mode:quick,to:now))&_a=(columns:!(_source),index:'*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'*')),sort:!('@timestamp',desc))
76
+ ```
58
77
 
59
78
  ## Usage
60
79
 
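Review bot: the Kibana URL at the end of this hunk is fenced as `bash` although it is not a command; render it as a plain link (or a `text` fence) so nobody pastes it into a shell, where the `#` would start a comment. Two caveats for the test setup also belong in the text: the `docker run` line publishes 9200/9300, 5000, 5044, 5601 and 8081 on every host interface and nothing on this page configures authentication for them, so for a developer machine prefer `-p 127.0.0.1:9200:9200` (and likewise for the other ports); and the `curl` example passes `--insecure` together with a passphrase-less private key (`selfsigned_registered.private.nopass.pem`), which is acceptable only because these are throwaway self-signed test certificates, so say so next to the command. Pinning `sebp/elk:es234_l234_k453` instead of the floating tag is a good change for reproducibility.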
@@ -10,6 +10,11 @@ module LogstashAuditor
10
10
  certificate_auth_configuration_valid?(configuration)
11
11
  end
12
12
 
13
+ #inversion of control method required by the AuditorAPI
14
+ def prefer_direct_call?
15
+ false
16
+ end
17
+
13
18
  #inversion of control method required by the AuditorAPI
14
19
  def audit(audit_data)
15
20
  request = create_request(audit_data)
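Review bot: `prefer_direct_call?` needs a comment that says what the AuditorAPI does with its answer, not a copy of the line above it (`#inversion of control method required by the AuditorAPI` now appears twice in a row). State why this auditor returns `false` and whether the hook is what `soar_auditor_api ~> 1.0` introduced; this hunk also carries no file header on the page, so name the file in the changelog so readers know where the new method lives.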
@@ -1,3 +1,3 @@
1
1
  module LogstashAuditor
2
- VERSION = "1.0.1"
2
+ VERSION = "1.1.0"
3
3
  end
@@ -27,6 +27,6 @@ Gem::Specification.new do |spec|
27
27
  spec.add_development_dependency "soar_auditing_format", "~> 0.0.5"
28
28
 
29
29
  spec.add_dependency "http", "~> 2"
30
- spec.add_dependency "soar_auditor_api", "~> 0.0.12"
30
+ spec.add_dependency "soar_auditor_api", "~> 1.0"
31
31
 
32
32
  end
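Review bot: moving `soar_auditor_api` from `~> 0.0.12` to `~> 1.0` is a major-version jump of a runtime dependency, yet this gem only goes 1.0.1 → 1.1.0. Any consumer that also pins `soar_auditor_api ~> 0.0` will no longer resolve, so either bump to 2.0.0 or record in a changelog that the auditor interface changed (the new `prefer_direct_call?` hook suggests it did). `~> 1.0` admits every 1.x release, which looks like the intended width.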
data/sanity/Gemfile CHANGED
@@ -1,4 +1,4 @@
1
1
  source 'https://rubygems.org'
2
2
 
3
- gem 'logstash_auditor', "~> 1.0.1"
3
+ gem 'logstash_auditor', path: '../'
4
4
  gem "soar_auditing_format", "~> 0.0.5"
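Review bot: switching the sanity Gemfile from `gem 'logstash_auditor', "~> 1.0.1"` to `path: '../'` means the sanity run now exercises the working tree rather than the published gem. That is convenient during development, but `sanity/` sits under `data/` and so ships inside the gem; if it is meant to prove a released build works, keep a pinned version, or document that the path form is for local runs only.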
data/sanity/sanity.rb CHANGED
@@ -16,6 +16,12 @@ class Main
16
16
  my_optional_operation_field = SoarAuditingFormatter::Formatter.optional_field_format("operation", "Http.Get")
17
17
  my_optional_method_name_field = SoarAuditingFormatter::Formatter.optional_field_format("method", "#{self.class}::#{__method__}::#{__LINE__}")
18
18
  @iut.debug(SoarAuditingFormatter::Formatter.format(:debug,'my-sanity-service-id',SecureRandom.hex(32),Time.now.iso8601(3),"#{my_optional_method_name_field}#{my_optional_operation_field} test message with optional fields"))
19
+
20
+ my_optional_analytics_field = SoarAuditingFormatter::Formatter.optional_field_format("soar_time_value", rand() * 10)
21
+ @iut.debug(SoarAuditingFormatter::Formatter.format(:debug,'my-sanity-service-id',SecureRandom.hex(32),Time.now.iso8601(3),"#{my_optional_analytics_field}test message with analytics field"))
22
+
23
+ @iut.debug(SoarAuditingFormatter::Formatter.format(:debug,'my-sanity-service-id',SecureRandom.hex(32),Time.now.iso8601(3),"test message without analytics field"))
24
+
19
25
  end
20
26
  end
21
27
 
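Review bot: the three `@iut.debug(SoarAuditingFormatter::Formatter.format(:debug,'my-sanity-service-id',SecureRandom.hex(32),Time.now.iso8601(3), ...))` calls differ only in the message, so a small helper taking the message would make the new analytics case readable; also drop the blank line added just before `end`. Since `rand() * 10` yields a Float, a comment saying that `soar_time_value` is intended as a numeric analytics field would tell a reviewer the value shape is deliberate.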
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: logstash_auditor
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.0.1
4
+ version: 1.1.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Barney de Villiers
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2016-09-02 00:00:00.000000000 Z
11
+ date: 2017-02-07 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bundler
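Review bot: `cert_chain: []` is unchanged, so 1.1.0 is still an unsigned gem; the SHA1/SHA512 values in `checksums.yaml` are produced by `gem build` and only detect corruption, not substitution of the package. For a component that ships audit events, consider signing releases (`gem cert`, `signing_key` in the gemspec) so consumers can install with `gem install -P HighSecurity`.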
@@ -114,14 +114,14 @@ dependencies:
114
114
  requirements:
115
115
  - - "~>"
116
116
  - !ruby/object:Gem::Version
117
- version: 0.0.12
117
+ version: '1.0'
118
118
  type: :runtime
119
119
  prerelease: false
120
120
  version_requirements: !ruby/object:Gem::Requirement
121
121
  requirements:
122
122
  - - "~>"
123
123
  - !ruby/object:Gem::Version
124
- version: 0.0.12
124
+ version: '1.0'
125
125
  description: Logstash implementation of SOAR architecture auditing allowing easy publishing
126
126
  of events to a centralized logstash collection engine
127
127
  email:
@@ -134,7 +134,6 @@ files:
134
134
  - ".rspec"
135
135
  - ".ruby-gemset"
136
136
  - ".ruby-version"
137
- - ".travis.yml"
138
137
  - Gemfile
139
138
  - LICENSE.txt
140
139
  - README.md
@@ -169,7 +168,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
169
168
  version: '0'
170
169
  requirements: []
171
170
  rubyforge_project:
172
- rubygems_version: 2.4.8
171
+ rubygems_version: 2.5.1
173
172
  signing_key:
174
173
  specification_version: 4
175
174
  summary: Logstash implementation of SOAR architecture auditing
data/.travis.yml DELETED
@@ -1,4 +0,0 @@
1
- language: ruby
2
- rvm:
3
- - 2.2.2
4
- before_install: gem install bundler -v 1.11.2
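Review bot: deleting `.travis.yml` removes the only CI definition visible on this page and nothing replaces it. The spec suite now depends on the docker ELK stack described in the README; if that is why CI was dropped, say so in the commit message, or add a job that starts the container before `bundle exec rspec`. This file was also the only record of the tested Ruby (2.2.2) and bundler (1.11.2) versions; the `.ruby-version` file that remains should carry the Ruby version at least.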