-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathsignal.cpp
More file actions
126 lines (115 loc) · 4.11 KB
/
Copy pathsignal.cpp
File metadata and controls
126 lines (115 loc) · 4.11 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
#include "signal.hpp"
#include <optional>
namespace loglens {
namespace {
std::string event_id_for(const Event& event) {
return "line:" + std::to_string(event.line_number);
}
struct SignalMapping {
AuthSignalKind signal_kind = AuthSignalKind::Unknown;
bool counts_as_attempt_evidence = false;
bool counts_as_terminal_auth_failure = false;
bool counts_as_sudo_burst_evidence = false;
};
std::optional<SignalMapping> signal_mapping_for_event(const Event& event, const AuthSignalConfig& config) {
switch (event.event_type) {
case EventType::SshFailedPassword:
return SignalMapping{
AuthSignalKind::SshFailedPassword,
config.ssh_failed_password.counts_as_attempt_evidence,
config.ssh_failed_password.counts_as_terminal_auth_failure,
false};
case EventType::SshInvalidUser:
return SignalMapping{
AuthSignalKind::SshInvalidUser,
config.ssh_invalid_user.counts_as_attempt_evidence,
config.ssh_invalid_user.counts_as_terminal_auth_failure,
false};
case EventType::SshFailedPublicKey:
return SignalMapping{
AuthSignalKind::SshFailedPublicKey,
config.ssh_failed_publickey.counts_as_attempt_evidence,
config.ssh_failed_publickey.counts_as_terminal_auth_failure,
false};
case EventType::SshFailedKeyboardInteractive:
return SignalMapping{
AuthSignalKind::SshFailedKeyboardInteractive,
config.ssh_failed_keyboard_interactive.counts_as_attempt_evidence,
config.ssh_failed_keyboard_interactive.counts_as_terminal_auth_failure,
false};
case EventType::SshMaxAuthTries:
return SignalMapping{
AuthSignalKind::SshMaxAuthTries,
config.ssh_max_auth_tries.counts_as_attempt_evidence,
config.ssh_max_auth_tries.counts_as_terminal_auth_failure,
false};
case EventType::PamAuthFailure:
return SignalMapping{
AuthSignalKind::PamAuthFailure,
config.pam_auth_failure.counts_as_attempt_evidence,
config.pam_auth_failure.counts_as_terminal_auth_failure,
false};
case EventType::SudoCommand:
return SignalMapping{
AuthSignalKind::SudoCommand,
false,
false,
true};
case EventType::SessionOpened:
if (event.program == "pam_unix(sudo:session)") {
return SignalMapping{
AuthSignalKind::SudoSessionOpened,
false,
false,
false};
}
return std::nullopt;
case EventType::SudoAuthFailure:
return SignalMapping{
AuthSignalKind::SudoAuthFailure,
false,
false,
false};
case EventType::SudoPolicyDenied:
return SignalMapping{
AuthSignalKind::SudoPolicyDenied,
false,
false,
false};
case EventType::SuAuthFailure:
return SignalMapping{
AuthSignalKind::SuAuthFailure,
false,
false,
false};
case EventType::Unknown:
case EventType::SshAcceptedPassword:
case EventType::SshAcceptedPublicKey:
case EventType::SshAcceptedKeyboardInteractive:
default:
return std::nullopt;
}
}
} // namespace
std::vector<AuthSignal> build_auth_signals(const std::vector<Event>& events, const AuthSignalConfig& config) {
std::vector<AuthSignal> signals;
signals.reserve(events.size());
for (const auto& event : events) {
const auto mapping = signal_mapping_for_event(event, config);
if (!mapping.has_value()) {
continue;
}
signals.push_back(AuthSignal{
event.timestamp,
event.source_ip,
event.username,
mapping->signal_kind,
mapping->counts_as_attempt_evidence,
mapping->counts_as_terminal_auth_failure,
mapping->counts_as_sudo_burst_evidence,
event.line_number,
event_id_for(event)});
}
return signals;
}
} // namespace loglens