Issue 205 - Switch the sshd monitor to the new parser output

trink · trink · commit 16ab01faf506 · 2018-01-25T15:01:46.000-08:00
diff --git a/moz_security/CMakeLists.txt b/moz_security/CMakeLists.txt
@@ -3,7 +3,7 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 cmake_minimum_required(VERSION 3.0)
-project(moz-security VERSION 0.0.5 LANGUAGES C)
+project(moz-security VERSION 0.0.6 LANGUAGES C)
 set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "Mozilla Infrastructure Security Analysis")
 include(sandbox_module)
 
diff --git a/moz_security/sandboxes/heka/analysis/moz_security_sshd_login_monitor.lua b/moz_security/sandboxes/heka/analysis/moz_security_sshd_login_monitor.lua
@@ -33,10 +33,10 @@ local msg = {
 }
 
 function process_message()
-    local user    = read_message("Fields[remote_user]")
-    local ip      = read_message("Fields[remote_addr]")
-    local city    = read_message("Fields[remote_addr_city]")
-    local country = read_message("Fields[remote_addr_country]")
+    local user    = read_message("Fields[user]")
+    local ip      = read_message("Fields[ssh_remote_ipaddr]")
+    local city    = read_message("Fields[ssh_remote_ipaddr_city]")
+    local country = read_message("Fields[ssh_remote_ipaddr_country]")
 
     msg.Fields[2].value    = string.format("%s logged into bastion from %s", user, ip)
     -- If we also have city and country information, append that to the message
diff --git a/moz_security/tests/hindsight/run/analysis/sshd_login_monitor.cfg b/moz_security/tests/hindsight/run/analysis/sshd_login_monitor.cfg
@@ -1,4 +1,4 @@
 filename = "moz_security_sshd_login_monitor.lua"
-message_matcher = "Logger == 'input.syslog' && Fields[programname] == 'sshd' && Fields[sshd_authmsg] == 'Accepted'"
+message_matcher = "Logger == 'input.syslog' && Fields[programname] == 'sshd' && Fields[authmsg] == 'Accepted'"
 ticker_interval = 0
 process_message_inject_limit = 1
diff --git a/moz_security/tests/hindsight/run/input/generate_sshd.lua b/moz_security/tests/hindsight/run/input/generate_sshd.lua
@@ -18,19 +18,19 @@ local msg = {
     Timestamp = nil,
     Logger = "input.syslog",
     Fields = {
-        programname     = "sshd",
-        sshd_authmsg    = "Accepted",
-        remote_user     = "",
-        remote_addr     = ""
+        programname         = "sshd",
+        authmsg             = "Accepted",
+        user                = "",
+        ssh_remote_ipaddr   = ""
     }
 }
 
 function process_message()
     for i,v in ipairs(tests) do
         msg.Uuid = v[1]
-        msg.Fields.remote_user = v[2]
-        msg.Fields.remote_addr = v[3]
-        geo.add_geoip(msg, "remote_addr")
+        msg.Fields.user = v[2]
+        msg.Fields.ssh_remote_ipaddr = v[3]
+        geo.add_geoip(msg, "ssh_remote_ipaddr")
         inject_message(msg)
     end
     return 0
