@gazzehamine/armada-watch-agent 1.4.3 → 1.4.5

package/dist/collector.js

@@ -10,11 +10,14 @@ exports.collectDockerContainers = collectDockerContainers;
 exports.collectNginxMetrics = collectNginxMetrics;
 exports.collectPM2Processes = collectPM2Processes;
 exports.collectSSLCertificates = collectSSLCertificates;
+exports.collectSystemdServices = collectSystemdServices;
+exports.collectSecurityData = collectSecurityData;
 const systeminformation_1 = __importDefault(require("systeminformation"));
 const os_1 = __importDefault(require("os"));
 const fs_1 = __importDefault(require("fs"));
 const child_process_1 = require("child_process");
 const util_1 = require("util");
+const security_1 = require("./security");
 const execAsync = (0, util_1.promisify)(child_process_1.exec);
 let lastNetworkStats = null;
 let lastDiskStats = null;
@@ -383,3 +386,167 @@ async function collectSSLCertificates() {
         return certificates;
     }
 }
+/**
+ * Collect systemd service information with auto-discovery
+ */
+async function collectSystemdServices() {
+    try {
+        // Check if systemd is available
+        try {
+            await execAsync('which systemctl');
+        }
+        catch (error) {
+            // systemd not available (e.g., not a Linux system or using a different init system)
+            return [];
+        }
+        const services = [];
+        // Common services to monitor
+        const COMMON_SERVICES = [
+            'nginx', 'apache2', 'httpd', // Web servers
+            'docker', 'containerd', // Containers
+            'postgresql', 'mysql', 'mariadb', // Databases
+            'mongodb', 'redis', 'memcached',
+            'ssh', 'sshd', // System services
+        ];
+        // Get all PM2 services (pm2-*)
+        let pm2Services = [];
+        try {
+            const { stdout } = await execAsync('systemctl list-units --type=service --all --no-pager --no-legend | grep "pm2-"');
+            if (stdout) {
+                pm2Services = stdout
+                    .split('\n')
+                    .filter(line => line.trim())
+                    .map(line => line.split(/\s+/)[0].replace('.service', ''));
+            }
+        }
+        catch (error) {
+            // No PM2 services or error listing them
+        }
+        // Get all failed services
+        let failedServices = [];
+        try {
+            const { stdout } = await execAsync('systemctl list-units --type=service --state=failed --no-pager --no-legend');
+            if (stdout) {
+                failedServices = stdout
+                    .split('\n')
+                    .filter(line => line.trim())
+                    .map(line => line.split(/\s+/)[0].replace('.service', ''));
+            }
+        }
+        catch (error) {
+            // No failed services or error listing them
+        }
+        // Combine all services to monitor (remove duplicates)
+        const servicesToMonitor = Array.from(new Set([...COMMON_SERVICES, ...pm2Services, ...failedServices]));
+        // Collect info for each service
+        for (const serviceName of servicesToMonitor) {
+            try {
+                const serviceInfo = await getServiceInfo(serviceName);
+                if (serviceInfo) {
+                    services.push(serviceInfo);
+                }
+            }
+            catch (error) {
+                // Service doesn't exist or error getting info, skip it
+                continue;
+            }
+        }
+        return services;
+    }
+    catch (error) {
+        console.error('Error collecting systemd services:', error);
+        return [];
+    }
+}
+/**
+ * Get detailed information for a single systemd service
+ */
+async function getServiceInfo(serviceName) {
+    try {
+        // Get detailed service properties
+        const { stdout } = await execAsync(`systemctl show ${serviceName}.service --no-pager`, { timeout: 5000 });
+        // Parse the output into key-value pairs
+        const props = {};
+        stdout.split('\n').forEach(line => {
+            const [key, ...valueParts] = line.split('=');
+            if (key && valueParts.length > 0) {
+                props[key.trim()] = valueParts.join('=').trim();
+            }
+        });
+        // Check if service exists
+        if (props.LoadState === 'not-found') {
+            return null;
+        }
+        // Extract service information
+        const activeState = props.ActiveState || 'unknown';
+        const subState = props.SubState || 'unknown';
+        const unitFileState = props.UnitFileState || 'unknown';
+        const enabled = ['enabled', 'enabled-runtime', 'static'].includes(unitFileState);
+        // Parse timestamps
+        const activeEnterTimestamp = props.ActiveEnterTimestamp ? new Date(props.ActiveEnterTimestamp).getTime() : 0;
+        const now = Date.now();
+        // Calculate uptime (in seconds)
+        let uptime = 0;
+        if (activeState === 'active' && activeEnterTimestamp > 0) {
+            uptime = Math.floor((now - activeEnterTimestamp) / 1000);
+        }
+        // Get restart count
+        const restartCount = parseInt(props.NRestarts || '0', 10);
+        // Get main PID
+        const mainPID = parseInt(props.MainPID || '0', 10);
+        // Get CPU and Memory usage
+        let cpuPercent = 0;
+        let memoryBytes = 0;
+        if (mainPID > 0) {
+            try {
+                // Use ps to get CPU and memory for the main PID
+                const { stdout: psOutput } = await execAsync(`ps -p ${mainPID} -o %cpu=,%mem=,rss= --no-headers`, { timeout: 2000 });
+                if (psOutput) {
+                    const parts = psOutput.trim().split(/\s+/);
+                    if (parts.length >= 3) {
+                        cpuPercent = parseFloat(parts[0]) || 0;
+                        // RSS is in KB, convert to bytes
+                        memoryBytes = (parseInt(parts[2], 10) || 0) * 1024;
+                    }
+                }
+            }
+            catch (error) {
+                // Process might have ended, use 0 values
+            }
+        }
+        return {
+            name: serviceName,
+            status: activeState,
+            subState: subState,
+            enabled: enabled,
+            uptime: uptime,
+            startedAt: activeEnterTimestamp,
+            restartCount: restartCount,
+            cpuPercent: cpuPercent,
+            memoryBytes: memoryBytes,
+            pid: mainPID,
+        };
+    }
+    catch (error) {
+        // Service doesn't exist or error getting info
+        return null;
+    }
+}
+/**
+ * Collect security monitoring data
+ */
+async function collectSecurityData() {
+    try {
+        const securityData = await (0, security_1.collectAllSecurityMetrics)();
+        return securityData;
+    }
+    catch (error) {
+        console.error('Error collecting security data:', error);
+        return {
+            failedLogins: null,
+            openPorts: [],
+            fileIntegrity: [],
+            userAudit: null,
+        };
+    }
+}

package/dist/index.js

@@ -77,6 +77,7 @@ async function sendMetrics() {
         const dockerContainers = await (0, collector_1.collectDockerContainers)();
         const pm2Processes = await (0, collector_1.collectPM2Processes)();
         const nginxMetrics = await (0, collector_1.collectNginxMetrics)();
+        const systemdServices = await (0, collector_1.collectSystemdServices)();
         // Check if it's time to refresh SSL certificates (every 5 minutes)
         const now = Date.now();
         const shouldCheckSSL = (now - lastSSLCheckTime) >= SSL_CHECK_INTERVAL;
@@ -97,6 +98,7 @@ async function sendMetrics() {
             dockerContainers,
             pm2Processes: pm2Processes.length > 0 ? pm2Processes : undefined,
             nginxMetrics: nginxMetrics || undefined,
+            systemdServices: systemdServices.length > 0 ? systemdServices : undefined,
             // Always send SSL certificates if we have them (from startup or last check)
             sslCertificates: lastSSLCertificates.length > 0 ? lastSSLCertificates : undefined,
         };
@@ -105,7 +107,8 @@ async function sendMetrics() {
         });
         const pm2Info = pm2Processes.length > 0 ? ` | PM2: ${pm2Processes.length}` : '';
         const nginxInfo = nginxMetrics ? ` | Nginx: ${nginxMetrics.activeConnections} conn` : '';
-        console.log(`✓ Metrics sent successfully - CPU: ${metrics.cpuUsage.toFixed(1)}% | Memory: ${metrics.memoryUsage.toFixed(1)}%${pm2Info}${nginxInfo}`);
+        const systemdInfo = systemdServices.length > 0 ? ` | Services: ${systemdServices.length}` : '';
+        console.log(`✓ Metrics sent successfully - CPU: ${metrics.cpuUsage.toFixed(1)}% | Memory: ${metrics.memoryUsage.toFixed(1)}%${pm2Info}${nginxInfo}${systemdInfo}`);
     }
     catch (error) {
         if (axios_1.default.isAxiosError(error)) {

package/dist/security/failed-logins.js

@@ -0,0 +1,135 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.collectFailedLogins = collectFailedLogins;
+const child_process_1 = require("child_process");
+const util_1 = require("util");
+const fs_1 = __importDefault(require("fs"));
+const execAsync = (0, util_1.promisify)(child_process_1.exec);
+/**
+ * Collect failed login attempts from auth.log
+ */
+async function collectFailedLogins() {
+    try {
+        // Check which log file exists
+        const authLogPath = await getAuthLogPath();
+        if (!authLogPath) {
+            return null; // No auth logs available
+        }
+        // Read last 1000 lines from auth log
+        const { stdout } = await execAsync(`tail -n 1000 ${authLogPath}`, { timeout: 5000 });
+        const lines = stdout.split('\n');
+        const failedAttempts = [];
+        const now = Date.now();
+        const oneHourAgo = now - (60 * 60 * 1000);
+        const oneDayAgo = now - (24 * 60 * 60 * 1000);
+        for (const line of lines) {
+            // Match SSH failed password attempts
+            // Example: "Jan 21 12:00:00 hostname sshd[12345]: Failed password for invalid user admin from 192.168.1.100 port 54321 ssh2"
+            const sshFailedMatch = line.match(/(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}).*sshd.*Failed password for (?:invalid user )?(\w+) from ([\d.]+) port (\d+)/);
+            if (sshFailedMatch) {
+                const [, dateStr, username, ip, port] = sshFailedMatch;
+                const timestamp = parseAuthLogDate(dateStr);
+                failedAttempts.push({
+                    timestamp,
+                    username,
+                    ipAddress: ip,
+                    port: parseInt(port, 10),
+                    method: 'ssh',
+                });
+            }
+            // Match authentication failure
+            const authFailureMatch = line.match(/(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}).*authentication failure.*user=(\w+).*rhost=([\d.]+)/);
+            if (authFailureMatch) {
+                const [, dateStr, username, ip] = authFailureMatch;
+                const timestamp = parseAuthLogDate(dateStr);
+                failedAttempts.push({
+                    timestamp,
+                    username,
+                    ipAddress: ip,
+                    port: 0,
+                    method: 'auth',
+                });
+            }
+        }
+        // Calculate statistics
+        const last24hAttempts = failedAttempts.filter(a => a.timestamp.getTime() > oneDayAgo);
+        const lastHourAttempts = failedAttempts.filter(a => a.timestamp.getTime() > oneHourAgo);
+        // Count by IP
+        const ipCounts = new Map();
+        for (const attempt of last24hAttempts) {
+            ipCounts.set(attempt.ipAddress, (ipCounts.get(attempt.ipAddress) || 0) + 1);
+        }
+        // Count by username
+        const userCounts = new Map();
+        for (const attempt of last24hAttempts) {
+            userCounts.set(attempt.username, (userCounts.get(attempt.username) || 0) + 1);
+        }
+        // Get top attackers
+        const topAttackers = Array.from(ipCounts.entries())
+            .map(([ip, count]) => ({ ip, count }))
+            .sort((a, b) => b.count - a.count)
+            .slice(0, 10);
+        // Get top targeted users
+        const topTargetedUsers = Array.from(userCounts.entries())
+            .map(([username, count]) => ({ username, count }))
+            .sort((a, b) => b.count - a.count)
+            .slice(0, 10);
+        return {
+            totalFailures: failedAttempts.length,
+            last24h: last24hAttempts.length,
+            lastHour: lastHourAttempts.length,
+            uniqueIPs: ipCounts.size,
+            topAttackers,
+            topTargetedUsers,
+            recentAttempts: lastHourAttempts.slice(0, 50), // Last 50 attempts in the hour
+        };
+    }
+    catch (error) {
+        console.error('Error collecting failed logins:', error);
+        return null;
+    }
+}
+/**
+ * Get the path to the auth log file
+ */
+async function getAuthLogPath() {
+    // Try Ubuntu/Debian path
+    if (fs_1.default.existsSync('/var/log/auth.log')) {
+        try {
+            await fs_1.default.promises.access('/var/log/auth.log', fs_1.default.constants.R_OK);
+            return '/var/log/auth.log';
+        }
+        catch {
+            return null; // Not readable
+        }
+    }
+    // Try RHEL/CentOS path
+    if (fs_1.default.existsSync('/var/log/secure')) {
+        try {
+            await fs_1.default.promises.access('/var/log/secure', fs_1.default.constants.R_OK);
+            return '/var/log/secure';
+        }
+        catch {
+            return null; // Not readable
+        }
+    }
+    return null;
+}
+/**
+ * Parse auth.log date format (without year)
+ * Example: "Jan 21 12:00:00"
+ */
+function parseAuthLogDate(dateStr) {
+    const currentYear = new Date().getFullYear();
+    const dateWithYear = `${dateStr} ${currentYear}`;
+    // Parse the date
+    const date = new Date(dateWithYear);
+    // If the parsed date is in the future, it's probably from last year
+    if (date > new Date()) {
+        date.setFullYear(currentYear - 1);
+    }
+    return date;
+}

package/dist/security/file-integrity.js

@@ -0,0 +1,101 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.collectFileIntegrity = collectFileIntegrity;
+exports.hasFileChanged = hasFileChanged;
+const crypto_1 = require("crypto");
+const fs_1 = __importDefault(require("fs"));
+const promises_1 = require("fs/promises");
+// Files to monitor (world-readable files only)
+const MONITORED_FILES = [
+    '/etc/passwd',
+    '/etc/group',
+    '/etc/hosts',
+    '/etc/hostname',
+    '/etc/ssh/sshd_config', // May or may not be readable
+];
+/**
+ * Collect file integrity information
+ */
+async function collectFileIntegrity() {
+    const files = [];
+    for (const filePath of MONITORED_FILES) {
+        try {
+            // Check if file exists and is readable
+            if (!fs_1.default.existsSync(filePath)) {
+                continue;
+            }
+            await fs_1.default.promises.access(filePath, fs_1.default.constants.R_OK);
+            // Get file stats
+            const stats = await (0, promises_1.stat)(filePath);
+            // Read file content
+            const content = await fs_1.default.promises.readFile(filePath);
+            // Calculate SHA-256 hash
+            const hash = (0, crypto_1.createHash)('sha256').update(content).digest('hex');
+            // Get file permissions in octal format
+            const permissions = (stats.mode & parseInt('777', 8)).toString(8);
+            // Get owner/group (requires parsing ls -l output or using uid/gid)
+            const { owner, group } = await getFileOwnership(filePath);
+            files.push({
+                path: filePath,
+                hash,
+                lastModified: stats.mtime,
+                size: stats.size,
+                permissions,
+                owner,
+                group,
+            });
+        }
+        catch (error) {
+            // File not readable or doesn't exist, skip it
+            continue;
+        }
+    }
+    return files;
+}
+/**
+ * Get file ownership information
+ */
+async function getFileOwnership(filePath) {
+    try {
+        const stats = await (0, promises_1.stat)(filePath);
+        // Try to resolve UID/GID to names
+        try {
+            const { exec } = require('child_process');
+            const { promisify } = require('util');
+            const execAsync = promisify(exec);
+            const { stdout } = await execAsync(`ls -ld ${filePath}`);
+            const parts = stdout.trim().split(/\s+/);
+            if (parts.length >= 3) {
+                return {
+                    owner: parts[2] || stats.uid.toString(),
+                    group: parts[3] || stats.gid.toString(),
+                };
+            }
+        }
+        catch {
+            // Fallback to numeric IDs
+        }
+        return {
+            owner: stats.uid.toString(),
+            group: stats.gid.toString(),
+        };
+    }
+    catch (error) {
+        return {
+            owner: 'unknown',
+            group: 'unknown',
+        };
+    }
+}
+/**
+ * Check if file has been modified (compare with baseline)
+ */
+function hasFileChanged(current, baseline) {
+    if (!baseline) {
+        return false; // No baseline to compare
+    }
+    return current.hash !== baseline.hash;
+}

package/dist/security/index.js

@@ -0,0 +1,33 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.collectUserAudit = exports.hasFileChanged = exports.collectFileIntegrity = exports.isExpectedPort = exports.getPortDescription = exports.collectOpenPorts = exports.collectFailedLogins = void 0;
+exports.collectAllSecurityMetrics = collectAllSecurityMetrics;
+// Export all security collectors
+const failed_logins_1 = require("./failed-logins");
+Object.defineProperty(exports, "collectFailedLogins", { enumerable: true, get: function () { return failed_logins_1.collectFailedLogins; } });
+const open_ports_1 = require("./open-ports");
+Object.defineProperty(exports, "collectOpenPorts", { enumerable: true, get: function () { return open_ports_1.collectOpenPorts; } });
+Object.defineProperty(exports, "getPortDescription", { enumerable: true, get: function () { return open_ports_1.getPortDescription; } });
+Object.defineProperty(exports, "isExpectedPort", { enumerable: true, get: function () { return open_ports_1.isExpectedPort; } });
+const file_integrity_1 = require("./file-integrity");
+Object.defineProperty(exports, "collectFileIntegrity", { enumerable: true, get: function () { return file_integrity_1.collectFileIntegrity; } });
+Object.defineProperty(exports, "hasFileChanged", { enumerable: true, get: function () { return file_integrity_1.hasFileChanged; } });
+const user_audit_1 = require("./user-audit");
+Object.defineProperty(exports, "collectUserAudit", { enumerable: true, get: function () { return user_audit_1.collectUserAudit; } });
+/**
+ * Collect all security metrics
+ */
+async function collectAllSecurityMetrics() {
+    const [failedLogins, openPorts, fileIntegrity, userAudit] = await Promise.all([
+        (0, failed_logins_1.collectFailedLogins)().catch(() => null),
+        (0, open_ports_1.collectOpenPorts)().catch(() => []),
+        (0, file_integrity_1.collectFileIntegrity)().catch(() => []),
+        (0, user_audit_1.collectUserAudit)().catch(() => null),
+    ]);
+    return {
+        failedLogins,
+        openPorts,
+        fileIntegrity,
+        userAudit,
+    };
+}

package/dist/security/open-ports.js

@@ -0,0 +1,169 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.collectOpenPorts = collectOpenPorts;
+exports.getPortDescription = getPortDescription;
+exports.isExpectedPort = isExpectedPort;
+const child_process_1 = require("child_process");
+const util_1 = require("util");
+const execAsync = (0, util_1.promisify)(child_process_1.exec);
+/**
+ * Collect open/listening ports
+ */
+async function collectOpenPorts() {
+    try {
+        // Use ss command (modern replacement for netstat)
+        // -tuln: tcp, udp, listening, numeric
+        const { stdout } = await execAsync('ss -tuln', { timeout: 5000 });
+        const lines = stdout.split('\n');
+        const ports = [];
+        for (const line of lines) {
+            // Skip header and empty lines
+            if (!line || line.startsWith('Netid') || line.startsWith('State')) {
+                continue;
+            }
+            // Parse ss output
+            // Format: Netid  State   Recv-Q Send-Q   Local Address:Port   Peer Address:Port
+            // Example: tcp    LISTEN  0      128      0.0.0.0:22             0.0.0.0:*
+            const parts = line.trim().split(/\s+/);
+            if (parts.length < 5) {
+                continue;
+            }
+            const [netid, state, , , localAddr] = parts;
+            // Parse protocol
+            let protocol;
+            if (netid.startsWith('tcp')) {
+                protocol = 'tcp';
+            }
+            else if (netid.startsWith('udp')) {
+                protocol = 'udp';
+            }
+            else {
+                continue; // Skip other protocols
+            }
+            // Parse local address and port
+            const lastColon = localAddr.lastIndexOf(':');
+            if (lastColon === -1) {
+                continue;
+            }
+            const address = localAddr.substring(0, lastColon);
+            const portStr = localAddr.substring(lastColon + 1);
+            const port = parseInt(portStr, 10);
+            if (isNaN(port)) {
+                continue;
+            }
+            ports.push({
+                port,
+                protocol,
+                state: state || 'LISTEN',
+                localAddress: address,
+            });
+        }
+        // Sort by port number
+        return ports.sort((a, b) => a.port - b.port);
+    }
+    catch (error) {
+        console.error('Error collecting open ports:', error);
+        // Fallback to netstat if ss is not available
+        try {
+            return await collectOpenPortsNetstat();
+        }
+        catch (fallbackError) {
+            console.error('Error with netstat fallback:', fallbackError);
+            return [];
+        }
+    }
+}
+/**
+ * Fallback to netstat if ss is not available
+ */
+async function collectOpenPortsNetstat() {
+    const { stdout } = await execAsync('netstat -tuln', { timeout: 5000 });
+    const lines = stdout.split('\n');
+    const ports = [];
+    for (const line of lines) {
+        // Skip header and empty lines
+        if (!line || line.startsWith('Active') || line.startsWith('Proto')) {
+            continue;
+        }
+        // Parse netstat output
+        // Format: Proto Recv-Q Send-Q Local Address           Foreign Address         State
+        // Example: tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
+        const parts = line.trim().split(/\s+/);
+        if (parts.length < 4) {
+            continue;
+        }
+        const [proto, , , localAddr, , state] = parts;
+        // Parse protocol
+        let protocol;
+        if (proto.startsWith('tcp')) {
+            protocol = 'tcp';
+        }
+        else if (proto.startsWith('udp')) {
+            protocol = 'udp';
+        }
+        else {
+            continue;
+        }
+        // Parse local address and port
+        const lastColon = localAddr.lastIndexOf(':');
+        if (lastColon === -1) {
+            continue;
+        }
+        const address = localAddr.substring(0, lastColon);
+        const portStr = localAddr.substring(lastColon + 1);
+        const port = parseInt(portStr, 10);
+        if (isNaN(port)) {
+            continue;
+        }
+        ports.push({
+            port,
+            protocol,
+            state: state || 'LISTEN',
+            localAddress: address,
+        });
+    }
+    return ports.sort((a, b) => a.port - b.port);
+}
+/**
+ * Get common port descriptions
+ */
+function getPortDescription(port) {
+    const commonPorts = {
+        20: 'FTP Data',
+        21: 'FTP Control',
+        22: 'SSH',
+        23: 'Telnet',
+        25: 'SMTP',
+        53: 'DNS',
+        80: 'HTTP',
+        110: 'POP3',
+        143: 'IMAP',
+        443: 'HTTPS',
+        465: 'SMTPS',
+        587: 'SMTP Submission',
+        993: 'IMAPS',
+        995: 'POP3S',
+        3000: 'Development Server',
+        3306: 'MySQL',
+        5432: 'PostgreSQL',
+        6379: 'Redis',
+        8080: 'HTTP Alternate',
+        8443: 'HTTPS Alternate',
+        27017: 'MongoDB',
+    };
+    return commonPorts[port] || 'Unknown';
+}
+/**
+ * Check if a port is considered "expected"
+ */
+function isExpectedPort(port) {
+    const expectedPorts = [
+        22, // SSH
+        80, // HTTP
+        443, // HTTPS
+        3000, // Common dev server
+        4000, // Backend API
+        8080, // HTTP alternate
+    ];
+    return expectedPorts.includes(port);
+}

package/dist/security/user-audit.js

@@ -0,0 +1,206 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.collectUserAudit = collectUserAudit;
+const child_process_1 = require("child_process");
+const util_1 = require("util");
+const fs_1 = __importDefault(require("fs"));
+const execAsync = (0, util_1.promisify)(child_process_1.exec);
+/**
+ * Collect user audit information
+ */
+async function collectUserAudit() {
+    const users = await collectUsers();
+    const activeSessions = await collectActiveSessions();
+    const humanUsers = users.filter(u => !u.isSystemUser);
+    const systemUsers = users.filter(u => u.isSystemUser);
+    return {
+        totalUsers: users.length,
+        humanUsers: humanUsers.length,
+        systemUsers: systemUsers.length,
+        users,
+        activeSessions,
+    };
+}
+/**
+ * Parse /etc/passwd to get user information
+ */
+async function collectUsers() {
+    try {
+        const passwdContent = await fs_1.default.promises.readFile('/etc/passwd', 'utf-8');
+        const lines = passwdContent.split('\n').filter(l => l.trim());
+        const users = [];
+        for (const line of lines) {
+            // Format: username:x:uid:gid:comment:home:shell
+            const parts = line.split(':');
+            if (parts.length < 7)
+                continue;
+            const [username, , uidStr, gidStr, , homeDir, shell] = parts;
+            const uid = parseInt(uidStr, 10);
+            const gid = parseInt(gidStr, 10);
+            // Get user's groups
+            const groups = await getUserGroups(username);
+            users.push({
+                username,
+                uid,
+                gid,
+                shell,
+                homeDir,
+                groups,
+                isSystemUser: uid < 1000,
+            });
+        }
+        return users;
+    }
+    catch (error) {
+        console.error('Error collecting users:', error);
+        return [];
+    }
+}
+/**
+ * Get groups for a user
+ */
+async function getUserGroups(username) {
+    try {
+        const { stdout } = await execAsync(`groups ${username}`, { timeout: 2000 });
+        // Output format: "username : group1 group2 group3"
+        const parts = stdout.trim().split(':');
+        if (parts.length < 2)
+            return [];
+        return parts[1].trim().split(/\s+/);
+    }
+    catch (error) {
+        return [];
+    }
+}
+/**
+ * Get currently active login sessions
+ */
+async function collectActiveSessions() {
+    try {
+        // Use 'w' command to get active sessions
+        // Output format:
+        // USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
+        // ubuntu   pts/0    192.168.1.100    10:30    0.00s  0.01s  0.00s w
+        const { stdout } = await execAsync('w -h', { timeout: 2000 });
+        const lines = stdout.split('\n').filter(l => l.trim());
+        const sessions = [];
+        for (const line of lines) {
+            const parts = line.trim().split(/\s+/);
+            if (parts.length < 4)
+                continue;
+            const [username, terminal, from, loginTimeStr, idleStr] = parts;
+            // Parse login time
+            const loginTime = parseLoginTime(loginTimeStr);
+            // Parse idle time
+            const idle = parseIdleTime(idleStr || '0');
+            sessions.push({
+                username,
+                from: from === '-' ? 'local' : from,
+                loginTime,
+                terminal,
+                idle,
+            });
+        }
+        return sessions;
+    }
+    catch (error) {
+        console.error('Error collecting active sessions:', error);
+        // Fallback to 'who' command
+        try {
+            return await collectActiveSessionsWho();
+        }
+        catch {
+            return [];
+        }
+    }
+}
+/**
+ * Fallback using 'who' command
+ */
+async function collectActiveSessionsWho() {
+    const { stdout } = await execAsync('who', { timeout: 2000 });
+    const lines = stdout.split('\n').filter(l => l.trim());
+    const sessions = [];
+    for (const line of lines) {
+        // Format: ubuntu   pts/0        2026-01-21 10:30 (192.168.1.100)
+        const match = line.match(/^(\S+)\s+(\S+)\s+(\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2})\s*\(?([\d.]*)\)?/);
+        if (match) {
+            const [, username, terminal, timeStr, from] = match;
+            const loginTime = new Date(timeStr);
+            sessions.push({
+                username,
+                from: from || 'local',
+                loginTime,
+                terminal,
+                idle: 0,
+            });
+        }
+    }
+    return sessions;
+}
+/**
+ * Parse login time from 'w' command output
+ * Formats: "10:30" (today), "21Jan24" (specific date), "5days" (days ago)
+ */
+function parseLoginTime(timeStr) {
+    const now = new Date();
+    // Format: HH:MM (today)
+    if (timeStr.includes(':')) {
+        const [hours, minutes] = timeStr.split(':').map(Number);
+        const loginTime = new Date();
+        loginTime.setHours(hours, minutes, 0, 0);
+        return loginTime;
+    }
+    // Format: DDMmmYY (specific date)
+    if (timeStr.length >= 7) {
+        // Parse date like "21Jan24"
+        const day = parseInt(timeStr.substring(0, 2), 10);
+        const monthStr = timeStr.substring(2, 5);
+        const year = 2000 + parseInt(timeStr.substring(5), 10);
+        const months = {
+            Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
+            Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11,
+        };
+        const month = months[monthStr];
+        if (month !== undefined) {
+            return new Date(year, month, day);
+        }
+    }
+    // Format: "5days" (days ago)
+    if (timeStr.includes('day')) {
+        const days = parseInt(timeStr, 10);
+        const loginTime = new Date();
+        loginTime.setDate(loginTime.getDate() - days);
+        return loginTime;
+    }
+    // Default to now
+    return now;
+}
+/**
+ * Parse idle time from 'w' command output
+ * Formats: "0.00s", "1:30", "5days"
+ */
+function parseIdleTime(idleStr) {
+    if (idleStr.includes('s')) {
+        // Seconds
+        return parseFloat(idleStr);
+    }
+    if (idleStr.includes(':')) {
+        // Minutes:seconds
+        const [mins, secs] = idleStr.split(':').map(Number);
+        return mins * 60 + (secs || 0);
+    }
+    if (idleStr.includes('day')) {
+        // Days
+        const days = parseInt(idleStr, 10);
+        return days * 24 * 60 * 60;
+    }
+    if (idleStr.includes('m')) {
+        // Minutes
+        return parseInt(idleStr, 10) * 60;
+    }
+    return 0;
+}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@gazzehamine/armada-watch-agent",
-  "version": "1.4.3",
-  "description": "Monitoring agent for Armada Watch - EC2 instance monitoring with SSL, PM2, and Nginx monitoring",
+  "version": "1.4.5",
+  "description": "Monitoring agent for Armada Watch - EC2 instance monitoring with SSL, PM2, Nginx, Systemd, and Security monitoring",
   "main": "dist/index.js",
   "bin": {
     "armada-watch-agent": "dist/index.js"