auth_ip_geo: add global whitelist support

Aaron Meihm · Aaron Meihm · commit b175347fcf59 · 2018-04-16T16:48:16.000-05:00
diff --git a/moz_security/sandboxes/heka/analysis/moz_security_auth_ip_geo.lua b/moz_security/sandboxes/heka/analysis/moz_security_auth_ip_geo.lua
@@ -36,6 +36,19 @@ user_field = "Fields[user]" -- required, field to extract username from
 srcip_field = "Fields[ssh_remote_ipaddr]" -- required, field to extract source IP from
 geocity_field = "Fields[ssh_remote_ipaddr_city"] -- required, field to extract geo city
 geocountry_field = "Fields[ssh_remote_ipaddr_country"] -- required, field to extract geo country
+
+userspec = {
+    riker = {
+        ip = { "192.168.1.0/24", "10.0.0.0/24" },
+        geo = { "Toronto/CA" }
+    },
+    worf = {
+        geo = { "Milton/US" }
+    },
+    ipauthgeoany = { -- special key that applies to any user
+        ip = "192.168.0.0/24"
+    }
+}
 ```
 --]]
 --
@@ -99,6 +112,15 @@ function check_geo(city, country, spec)
 end
 
 
+function check_spec(spec, srcip, geocity, geocountry)
+    if not spec then return false end
+
+    if check_ip(srcip, spec) then return true end
+    if check_geo(geocity, geocountry, spec) then return true end
+    return false
+end
+
+
 function process_message()
     local ts = math.floor(read_message("Timestamp") / 1e9)
     local hn = read_message(authhost_field) or "unknown"
@@ -113,15 +135,22 @@ function process_message()
     local geocountry = read_message(geocountry_field)
 
     local spec = userspec[user]
+    local matchanyspec = userspec.authipgeoany
 
     local escalate = false
-    if spec then
-        local ipok = check_ip(srcip, spec)
-        if not ipok then
-            local geook = check_geo(geocity, geocountry, spec)
-            if not geook then escalate = true end
+    local matchanymatch = false
+    if not check_spec(spec, srcip, geocity, geocountry) then
+        matchanymatch = true
+        if not check_spec(matchanyspec, srcip, geocity, geocountry) then
+            matchanymatch = false
+            escalate = true
         end
     end
+    -- If escalate is true here, no spec matched. It's possible this is a case where
+    -- the user had no spec configured, and no matchany matched either. If this is the case,
+    -- toggle escalated off and we will generate an alert indicating no specification was
+    -- found for the user.
+    if escalate and not userspec[user] then escalate = false end
 
     -- At this point, we know if the event should be escalated or not. First, update
     -- the alert message with the default information since we always send there.
@@ -142,7 +171,7 @@ function process_message()
             msg.Fields[3].value[2] = string.format(string.format("<%s>", user_email), user)
         end
         msg.Payload = "Escalation flag set, authentication source does not match user specification\n"
-    elseif not spec then
+    elseif not spec and not matchanymatch then
         msg.Fields[2].value = "NOSPEC " .. msg.Fields[2].value
         msg.Payload = "No user specification present for comparison against authentication\n"
     end
diff --git a/moz_security/tests/integration/analysis_auth_ip_geo/run/analysis/auth_ip_geo_3.cfg b/moz_security/tests/integration/analysis_auth_ip_geo/run/analysis/auth_ip_geo_3.cfg
@@ -0,0 +1,27 @@
+filename = "moz_security_auth_ip_geo.lua"
+message_matcher = "Logger == 'generate_auth_3' && Fields[programname] == 'sshd' && Fields[authmsg] == 'Accepted'"
+ticker_interval = 0
+process_message_inject_limit = 1
+
+default_email = "foxsec-dump+OutOfHours@mozilla.com"
+user_email = "manatee-%s@moz-svc-ops.pagerduty.com"
+
+authhost_field = "Hostname"
+user_field = "Fields[user]"
+srcip_field = "Fields[ssh_remote_ipaddr]"
+geocity_field = "Fields[ssh_remote_ipaddr_city]"
+geocountry_field = "Fields[ssh_remote_ipaddr_country]"
+
+userspec = {
+    q = {
+        ip = { "127.0.0.1" }
+    },
+    riker = {
+        ip = { "192.168.1.0/24" },
+        geo = { "Toronto/CA" }
+    },
+    authipgeoany = {
+        ip = { "10.0.0.1/32" },
+        geo = { "Milton/US" }
+    }
+}
diff --git a/moz_security/tests/integration/analysis_auth_ip_geo/run/input/generate_auth.lua b/moz_security/tests/integration/analysis_auth_ip_geo/run/input/generate_auth.lua
@@ -25,6 +25,12 @@ local test = {
         { "sshd", "Accepted publickey for riker from 192.168.1.2 port 4242 ssh2", sdec, 0 },
         { "sshd", "Accepted publickey for riker from 216.160.83.56 port 4242 ssh2", sdec, -1000 },
         { "sshd", "Accepted publickey for worf from 216.160.83.56 port 4242 ssh2", sdec, 1000 },
+    },
+    {
+        { "sshd", "Accepted publickey for riker from 10.0.0.1 port 4242 ssh2", sdec, 0 },
+        { "sshd", "Accepted publickey for riker from 216.160.83.56 port 4242 ssh2", sdec, 0 },
+        { "sshd", "Accepted publickey for troi from 192.168.1.2 port 4242 ssh2", sdec, 0 },
+        { "sshd", "Accepted publickey for troi from 10.0.0.1 port 4242 ssh2", sdec, 0 },
     }
 }
 
diff --git a/moz_security/tests/integration/analysis_auth_ip_geo/run/output/auth_ip_geo_verification.lua b/moz_security/tests/integration/analysis_auth_ip_geo/run/output/auth_ip_geo_verification.lua
@@ -58,11 +58,34 @@ local results = {
             recipients = { "<captainkirk@mozilla.com>" },
             payload = "^Generated by integration_test, event timestamp %d+-%d+-%d+ %d+:%d+:%d+\n" ..
                 "WARNING, unacceptable drift"
-        }
+        },
+    },
+    {
+        {
+            summary    = "riker authentication bastion.host from 10.0.0.1",
+            recipients = { "<foxsec-dump+OutOfHours@mozilla.com>" },
+            payload = "^Generated by integration_test, event timestamp %d+-%d+-%d+ %d+:%d+:%d+\n$"
+        },
+        {
+            summary    = "riker authentication bastion.host from 216.160.83.56 (Milton, US)",
+            recipients = { "<foxsec-dump+OutOfHours@mozilla.com>" },
+            payload = "^Generated by integration_test, event timestamp %d+-%d+-%d+ %d+:%d+:%d+\n$"
+        },
+        {
+            summary    = "NOSPEC troi authentication bastion.host from 192.168.1.2",
+            recipients = { "<foxsec-dump+OutOfHours@mozilla.com>" },
+            payload = "^No user specification present for comparison against authentication\n" ..
+                "Generated by integration_test, event timestamp %d+-%d+-%d+ %d+:%d+:%d+\n$"
+        },
+        {
+            summary    = "troi authentication bastion.host from 10.0.0.1",
+            recipients = { "<foxsec-dump+OutOfHours@mozilla.com>" },
+            payload = "^Generated by integration_test, event timestamp %d+-%d+-%d+ %d+:%d+:%d+\n$"
+        },
     }
 }
 
-local cnt = { 1, 1 }
+local cnt = { 1, 1, 1 }
 
 function process_message()
     local summary    = read_message("Fields[summary]") or error("no summary field")

Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,12 @@ local test = {`
`25`	`25`	`{ "sshd", "Accepted publickey for riker from 192.168.1.2 port 4242 ssh2", sdec, 0 },`
`26`	`26`	`{ "sshd", "Accepted publickey for riker from 216.160.83.56 port 4242 ssh2", sdec, -1000 },`
`27`	`27`	`{ "sshd", "Accepted publickey for worf from 216.160.83.56 port 4242 ssh2", sdec, 1000 },`
	`28`	`+ },`
	`29`	`+ {`
	`30`	`+ { "sshd", "Accepted publickey for riker from 10.0.0.1 port 4242 ssh2", sdec, 0 },`
	`31`	`+ { "sshd", "Accepted publickey for riker from 216.160.83.56 port 4242 ssh2", sdec, 0 },`
	`32`	`+ { "sshd", "Accepted publickey for troi from 192.168.1.2 port 4242 ssh2", sdec, 0 },`
	`33`	`+ { "sshd", "Accepted publickey for troi from 10.0.0.1 port 4242 ssh2", sdec, 0 },`
`28`	`34`	`}`
`29`	`35`	`}`
`30`	`36`