logstash_auditor 1.1.0 → 1.1.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/Dockerfile +10 -0
- data/README.md +28 -17
- data/docker-compose-isolated.yml +21 -0
- data/docker-compose.yml +28 -0
- data/lib/logstash_auditor/version.rb +1 -1
- data/logstash_auditor.gemspec +1 -0
- data/retry.sh +23 -0
- data/sanity/sanity.rb +1 -1
- metadata +21 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: cf167e8f8c9c9fa493029eb5e3ac225f881bf02b
|
|
4
|
+
data.tar.gz: 7d90420e878b53fbf68401d8d59a98156c63019b
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 303aedb8e9b885c357a381628b76b575ed10742973437de563cbb2a3078eddc46de7e52daa04a7c788a41bcae477f32823921bb27014b702cba200e2ec56b179
|
|
7
|
+
data.tar.gz: cc271f17337a7a4e48d31c4fdfc3cdec7a4b8963771d1c1615eadfa0f75ca2927e51f4da372369c4b94b9df7550552852a03cc279938c8e64850dcd49ed551b1
|
data/Dockerfile
ADDED
data/README.md
CHANGED
|
@@ -32,6 +32,25 @@ Or install it yourself as:
|
|
|
32
32
|
The logstash server must be configured using the configuration in the folder spec/support/logstash_conf.d and spec/support/certificates.
|
|
33
33
|
This configuration is used by the docker image during the TDD tests which ensures that this gem and the server configuration is compatible.
|
|
34
34
|
|
|
35
|
+
## Testing for CI purposes
|
|
36
|
+
|
|
37
|
+
```bash
|
|
38
|
+
#!/bin/bash
|
|
39
|
+
./spec/support/certificates/setup_certificates_for_logstash_testing.sh
|
|
40
|
+
source retry.sh
|
|
41
|
+
export UID
|
|
42
|
+
retry 3 docker-compose down
|
|
43
|
+
retry 3 docker-compose build --force-rm --no-cache
|
|
44
|
+
|
|
45
|
+
set -e
|
|
46
|
+
retry 3 docker-compose -f docker-compose-isolated.yml run --rm test
|
|
47
|
+
EXIT_CODE=$?
|
|
48
|
+
set +e
|
|
49
|
+
|
|
50
|
+
docker-compose down
|
|
51
|
+
exit $EXIT_CODE
|
|
52
|
+
```
|
|
53
|
+
|
|
35
54
|
## Testing
|
|
36
55
|
|
|
37
56
|
Behavioural driven testing can be performed by testing against a local ELK docker image.
|
|
@@ -42,31 +61,23 @@ First you need to generate the certificates needed for authenticating the client
|
|
|
42
61
|
./spec/support/certificates/setup_certificates_for_logstash_testing.sh
|
|
43
62
|
```
|
|
44
63
|
|
|
45
|
-
|
|
64
|
+
Then perform the tests:
|
|
46
65
|
|
|
47
66
|
```bash
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
bundle exec rspec -cfd spec/*
|
|
67
|
+
./spec/support/certificates/setup_certificates_for_logstash_testing.sh
|
|
68
|
+
export UID
|
|
69
|
+
docker-compose down
|
|
70
|
+
docker-compose build --force-rm --no-cache
|
|
71
|
+
docker-compose -f docker-compose-isolated.yml run --rm test
|
|
72
|
+
docker-compose down
|
|
55
73
|
```
|
|
56
74
|
|
|
57
75
|
Note that in order to ensure that the processing has occurred on Elastic Search
|
|
58
76
|
there is a 2 second delay between each event submission request and the search request
|
|
59
77
|
|
|
60
|
-
Debugging the docker image:
|
|
61
|
-
```bash
|
|
62
|
-
docker exec -it elk_test_service bash
|
|
63
|
-
docker stop elk_test_service
|
|
64
|
-
docker rm -f elk_test_service
|
|
65
|
-
```
|
|
66
|
-
|
|
67
78
|
Manual sending of an audit event to docker ELK stack:
|
|
68
79
|
```bash
|
|
69
|
-
curl -iv -E ./spec/support/certificates/selfsigned/selfsigned_registered.cert.pem --key ./spec/support/certificates/selfsigned/selfsigned_registered.private.nopass.pem https://localhost:
|
|
80
|
+
curl -iv -E ./spec/support/certificates/selfsigned/selfsigned_registered.cert.pem --key ./spec/support/certificates/selfsigned/selfsigned_registered.private.nopass.pem https://localhost:8080 -d "{\"audit_message\":\"bla\",\"audit_something_else\":\"foo\"}" --insecure
|
|
70
81
|
```
|
|
71
82
|
|
|
72
83
|
View the audit events created on the Kibana interface:
|
|
@@ -82,7 +93,7 @@ Initialize and configure the auditor so:
|
|
|
82
93
|
```ruby
|
|
83
94
|
@iut = LogstashAuditor::LogstashAuditor.new
|
|
84
95
|
@logstash_configuration =
|
|
85
|
-
{ "host_url" => "http://localhost:
|
|
96
|
+
{ "host_url" => "http://localhost:8080",
|
|
86
97
|
"username" => "auditorusername",
|
|
87
98
|
"password" => "auditorpassword",
|
|
88
99
|
"timeout" => 3}
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
version: '2.0'
|
|
2
|
+
services:
|
|
3
|
+
elk_test_service:
|
|
4
|
+
image: sebp/elk:es234_l234_k453
|
|
5
|
+
expose:
|
|
6
|
+
- "9300"
|
|
7
|
+
- "9200"
|
|
8
|
+
- "5000"
|
|
9
|
+
- "5044"
|
|
10
|
+
- "5601"
|
|
11
|
+
- "8080"
|
|
12
|
+
volumes:
|
|
13
|
+
- ./spec/support/logstash_conf.d:/etc/logstash/conf.d
|
|
14
|
+
- ./spec/support/certificates:/etc/logstash/certs
|
|
15
|
+
test:
|
|
16
|
+
build: .
|
|
17
|
+
command: /bin/bash -c 'sleep 30; bundle exec rspec -cfd spec/*'
|
|
18
|
+
volumes:
|
|
19
|
+
- .:/usr/local/src/
|
|
20
|
+
links:
|
|
21
|
+
- elk_test_service
|
data/docker-compose.yml
ADDED
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
version: '2.0'
|
|
2
|
+
services:
|
|
3
|
+
elk_test_service:
|
|
4
|
+
image: sebp/elk:es234_l234_k453
|
|
5
|
+
expose:
|
|
6
|
+
- "9300"
|
|
7
|
+
- "9200"
|
|
8
|
+
- "5000"
|
|
9
|
+
- "5044"
|
|
10
|
+
- "5601"
|
|
11
|
+
- "8080"
|
|
12
|
+
ports:
|
|
13
|
+
- "9300:9300"
|
|
14
|
+
- "9200:9200"
|
|
15
|
+
- "5000:5000"
|
|
16
|
+
- "5044:5044"
|
|
17
|
+
- "5601:5601"
|
|
18
|
+
- "8080:8080"
|
|
19
|
+
volumes:
|
|
20
|
+
- ./spec/support/logstash_conf.d:/etc/logstash/conf.d
|
|
21
|
+
- ./spec/support/certificates:/etc/logstash/certs
|
|
22
|
+
test:
|
|
23
|
+
build: .
|
|
24
|
+
command: /bin/bash -c 'sleep 30; bundle exec rspec -cfd spec/*'
|
|
25
|
+
volumes:
|
|
26
|
+
- .:/usr/local/src/
|
|
27
|
+
links:
|
|
28
|
+
- elk_test_service
|
data/logstash_auditor.gemspec
CHANGED
|
@@ -25,6 +25,7 @@ Gem::Specification.new do |spec|
|
|
|
25
25
|
spec.add_development_dependency "byebug", "~> 9"
|
|
26
26
|
spec.add_development_dependency "elasticsearch", "~> 1"
|
|
27
27
|
spec.add_development_dependency "soar_auditing_format", "~> 0.0.5"
|
|
28
|
+
spec.add_development_dependency "soar_json_auditing_format", "~> 0.0.2"
|
|
28
29
|
|
|
29
30
|
spec.add_dependency "http", "~> 2"
|
|
30
31
|
spec.add_dependency "soar_auditor_api", "~> 1.0"
|
data/retry.sh
ADDED
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
#!/bin/bash
|
|
2
|
+
|
|
3
|
+
# Retries a command on failure.
|
|
4
|
+
# $1 - the max number of attempts
|
|
5
|
+
# $2... - the command to run
|
|
6
|
+
retry() {
|
|
7
|
+
local -r -i max_attempts="$1"; shift
|
|
8
|
+
local -r cmd="$@"
|
|
9
|
+
local -i attempt_num=1
|
|
10
|
+
local -i cmd_exit_code=0
|
|
11
|
+
until eval $cmd
|
|
12
|
+
do
|
|
13
|
+
cmd_exit_code=$?
|
|
14
|
+
if (( attempt_num == max_attempts ))
|
|
15
|
+
then
|
|
16
|
+
echo "Attempt $attempt_num failed with code $cmd_exit_code and there are no more attempts left!"
|
|
17
|
+
exit $cmd_exit_code
|
|
18
|
+
else
|
|
19
|
+
echo "Attempt $attempt_num failed with code $cmd_exit_code! Trying again in $attempt_num seconds..."
|
|
20
|
+
sleep $(( attempt_num++ ))
|
|
21
|
+
fi
|
|
22
|
+
done
|
|
23
|
+
}
|
data/sanity/sanity.rb
CHANGED
|
@@ -6,7 +6,7 @@ require 'securerandom'
|
|
|
6
6
|
class Main
|
|
7
7
|
def test_sanity
|
|
8
8
|
@iut = LogstashAuditor::LogstashAuditor.new
|
|
9
|
-
@logstash_configuration = { "host_url" => "https://localhost:
|
|
9
|
+
@logstash_configuration = { "host_url" => "https://localhost:8080",
|
|
10
10
|
"certificate" => File.read("../spec/support/certificates/selfsigned/selfsigned_registered.cert.pem"),
|
|
11
11
|
"private_key" => File.read("../spec/support/certificates/selfsigned/selfsigned_registered.private.nopass.pem"),
|
|
12
12
|
"timeout" => 3}
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: logstash_auditor
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.1.
|
|
4
|
+
version: 1.1.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Barney de Villiers
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-
|
|
11
|
+
date: 2017-05-11 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|
|
@@ -94,6 +94,20 @@ dependencies:
|
|
|
94
94
|
- - "~>"
|
|
95
95
|
- !ruby/object:Gem::Version
|
|
96
96
|
version: 0.0.5
|
|
97
|
+
- !ruby/object:Gem::Dependency
|
|
98
|
+
name: soar_json_auditing_format
|
|
99
|
+
requirement: !ruby/object:Gem::Requirement
|
|
100
|
+
requirements:
|
|
101
|
+
- - "~>"
|
|
102
|
+
- !ruby/object:Gem::Version
|
|
103
|
+
version: 0.0.2
|
|
104
|
+
type: :development
|
|
105
|
+
prerelease: false
|
|
106
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
107
|
+
requirements:
|
|
108
|
+
- - "~>"
|
|
109
|
+
- !ruby/object:Gem::Version
|
|
110
|
+
version: 0.0.2
|
|
97
111
|
- !ruby/object:Gem::Dependency
|
|
98
112
|
name: http
|
|
99
113
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -134,16 +148,20 @@ files:
|
|
|
134
148
|
- ".rspec"
|
|
135
149
|
- ".ruby-gemset"
|
|
136
150
|
- ".ruby-version"
|
|
151
|
+
- Dockerfile
|
|
137
152
|
- Gemfile
|
|
138
153
|
- LICENSE.txt
|
|
139
154
|
- README.md
|
|
140
155
|
- Rakefile
|
|
141
156
|
- bin/console
|
|
142
157
|
- bin/setup
|
|
158
|
+
- docker-compose-isolated.yml
|
|
159
|
+
- docker-compose.yml
|
|
143
160
|
- lib/logstash_auditor.rb
|
|
144
161
|
- lib/logstash_auditor/auditor.rb
|
|
145
162
|
- lib/logstash_auditor/version.rb
|
|
146
163
|
- logstash_auditor.gemspec
|
|
164
|
+
- retry.sh
|
|
147
165
|
- sanity/.ruby-gemset
|
|
148
166
|
- sanity/.ruby-version
|
|
149
167
|
- sanity/Gemfile
|
|
@@ -168,7 +186,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
168
186
|
version: '0'
|
|
169
187
|
requirements: []
|
|
170
188
|
rubyforge_project:
|
|
171
|
-
rubygems_version: 2.
|
|
189
|
+
rubygems_version: 2.4.8
|
|
172
190
|
signing_key:
|
|
173
191
|
specification_version: 4
|
|
174
192
|
summary: Logstash implementation of SOAR architecture auditing
|