Feature: Sicherheit Tab - SSH Login Audit + Session History
This commit is contained in:
parent
57a5a3d3ee
commit
06189a1468
254
agent/collector/security.go
Normal file
254
agent/collector/security.go
Normal file
@ -0,0 +1,254 @@
|
||||
package collector
|
||||
|
||||
import (
|
||||
"bufio"
|
||||
"fmt"
|
||||
"os"
|
||||
"os/exec"
|
||||
"regexp"
|
||||
"sort"
|
||||
"strings"
|
||||
"time"
|
||||
)
|
||||
|
||||
type LoginEvent struct {
|
||||
Timestamp string `json:"timestamp"`
|
||||
User string `json:"user"`
|
||||
Source string `json:"source"`
|
||||
Port string `json:"port"`
|
||||
Method string `json:"method"`
|
||||
Status string `json:"status"`
|
||||
Key string `json:"key,omitempty"`
|
||||
}
|
||||
|
||||
type Session struct {
|
||||
User string `json:"user"`
|
||||
TTY string `json:"tty"`
|
||||
From string `json:"from"`
|
||||
Login string `json:"login"`
|
||||
Logout string `json:"logout"`
|
||||
Duration string `json:"duration"`
|
||||
}
|
||||
|
||||
type SecuritySummary struct {
|
||||
TotalAccepted int `json:"total_accepted"`
|
||||
TotalFailed int `json:"total_failed"`
|
||||
UniqueIPs int `json:"unique_ips"`
|
||||
UniqueUsers int `json:"unique_users"`
|
||||
LastLogin string `json:"last_login"`
|
||||
}
|
||||
|
||||
type SecurityData struct {
|
||||
SSHLogins []LoginEvent `json:"ssh_logins"`
|
||||
WebGUILogins []LoginEvent `json:"webgui_logins"`
|
||||
Sessions []Session `json:"sessions"`
|
||||
Summary SecuritySummary `json:"summary"`
|
||||
}
|
||||
|
||||
var (
|
||||
reAccepted = regexp.MustCompile(`Accepted\s+(publickey|password)\s+for\s+(\S+)\s+from\s+(\S+)\s+port\s+(\d+)`)
|
||||
reFailed = regexp.MustCompile(`Failed\s+password\s+for\s+(?:invalid user\s+)?(\S+)\s+from\s+(\S+)\s+port\s+(\d+)`)
|
||||
reInvalid = regexp.MustCompile(`Invalid user\s+(\S+)\s+from\s+(\S+)\s+port\s+(\d+)`)
|
||||
// Syslog with ISO 8601 after priority: <NN>2024-01-15T10:30:00+01:00 ...
|
||||
reTimestamp = regexp.MustCompile(`^<\d+>(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[^\s]*)`)
|
||||
// BSD syslog: Jan 15 10:30:00
|
||||
reBSDTimestamp = regexp.MustCompile(`^<\d+>\s*([A-Z][a-z]{2}\s+\d+\s+\d{2}:\d{2}:\d{2})`)
|
||||
)
|
||||
|
||||
func CollectSecurity() *SecurityData {
|
||||
data := &SecurityData{
|
||||
SSHLogins: []LoginEvent{},
|
||||
WebGUILogins: []LoginEvent{},
|
||||
Sessions: []Session{},
|
||||
}
|
||||
|
||||
// Collect audit log files
|
||||
logFiles := []string{"/var/log/audit/latest.log"}
|
||||
now := time.Now()
|
||||
for i := 0; i < 7; i++ {
|
||||
d := now.AddDate(0, 0, -i)
|
||||
logFiles = append(logFiles, fmt.Sprintf("/var/log/audit/audit_%s.log", d.Format("20060102")))
|
||||
}
|
||||
|
||||
seen := make(map[string]bool)
|
||||
for _, path := range logFiles {
|
||||
events := parseAuditLog(path)
|
||||
for _, e := range events {
|
||||
key := e.Timestamp + e.User + e.Source + e.Port + e.Status
|
||||
if !seen[key] {
|
||||
seen[key] = true
|
||||
data.SSHLogins = append(data.SSHLogins, e)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Sort by timestamp descending, limit to 100
|
||||
sort.Slice(data.SSHLogins, func(i, j int) bool {
|
||||
return data.SSHLogins[i].Timestamp > data.SSHLogins[j].Timestamp
|
||||
})
|
||||
if len(data.SSHLogins) > 100 {
|
||||
data.SSHLogins = data.SSHLogins[:100]
|
||||
}
|
||||
|
||||
// Collect sessions
|
||||
data.Sessions = collectSessions()
|
||||
|
||||
// Build summary
|
||||
ips := make(map[string]bool)
|
||||
users := make(map[string]bool)
|
||||
for _, e := range data.SSHLogins {
|
||||
if e.Status == "accepted" {
|
||||
data.Summary.TotalAccepted++
|
||||
} else {
|
||||
data.Summary.TotalFailed++
|
||||
}
|
||||
if e.Source != "" {
|
||||
ips[e.Source] = true
|
||||
}
|
||||
if e.User != "" {
|
||||
users[e.User] = true
|
||||
}
|
||||
}
|
||||
data.Summary.UniqueIPs = len(ips)
|
||||
data.Summary.UniqueUsers = len(users)
|
||||
if len(data.SSHLogins) > 0 {
|
||||
data.Summary.LastLogin = data.SSHLogins[0].Timestamp
|
||||
}
|
||||
|
||||
return data
|
||||
}
|
||||
|
||||
func parseAuditLog(path string) []LoginEvent {
|
||||
f, err := os.Open(path)
|
||||
if err != nil {
|
||||
return nil
|
||||
}
|
||||
defer f.Close()
|
||||
|
||||
var events []LoginEvent
|
||||
scanner := bufio.NewScanner(f)
|
||||
// Increase buffer for long lines
|
||||
scanner.Buffer(make([]byte, 0, 64*1024), 256*1024)
|
||||
|
||||
for scanner.Scan() {
|
||||
line := scanner.Text()
|
||||
|
||||
// Extract timestamp
|
||||
ts := extractTimestamp(line)
|
||||
|
||||
if m := reAccepted.FindStringSubmatch(line); m != nil {
|
||||
events = append(events, LoginEvent{
|
||||
Timestamp: ts,
|
||||
User: m[2],
|
||||
Source: m[3],
|
||||
Port: m[4],
|
||||
Method: m[1],
|
||||
Status: "accepted",
|
||||
})
|
||||
} else if m := reFailed.FindStringSubmatch(line); m != nil {
|
||||
events = append(events, LoginEvent{
|
||||
Timestamp: ts,
|
||||
User: m[1],
|
||||
Source: m[2],
|
||||
Port: m[3],
|
||||
Method: "password",
|
||||
Status: "failed",
|
||||
})
|
||||
} else if m := reInvalid.FindStringSubmatch(line); m != nil {
|
||||
events = append(events, LoginEvent{
|
||||
Timestamp: ts,
|
||||
User: m[1],
|
||||
Source: m[2],
|
||||
Port: m[3],
|
||||
Method: "invalid_user",
|
||||
Status: "failed",
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
return events
|
||||
}
|
||||
|
||||
func extractTimestamp(line string) string {
|
||||
if m := reTimestamp.FindStringSubmatch(line); m != nil {
|
||||
return m[1]
|
||||
}
|
||||
if m := reBSDTimestamp.FindStringSubmatch(line); m != nil {
|
||||
// Parse BSD timestamp and add current year
|
||||
t, err := time.Parse("Jan 2 15:04:05", m[1])
|
||||
if err == nil {
|
||||
t = t.AddDate(time.Now().Year(), 0, 0)
|
||||
return t.Format(time.RFC3339)
|
||||
}
|
||||
return m[1]
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func collectSessions() []Session {
|
||||
out, err := exec.Command("/usr/bin/last", "-100").Output()
|
||||
if err != nil {
|
||||
return nil
|
||||
}
|
||||
|
||||
var sessions []Session
|
||||
for _, line := range strings.Split(string(out), "\n") {
|
||||
line = strings.TrimSpace(line)
|
||||
if line == "" || strings.HasPrefix(line, "wtmp") || strings.HasPrefix(line, "utx.log") {
|
||||
continue
|
||||
}
|
||||
|
||||
fields := strings.Fields(line)
|
||||
if len(fields) < 4 {
|
||||
continue
|
||||
}
|
||||
|
||||
s := Session{
|
||||
User: fields[0],
|
||||
TTY: fields[1],
|
||||
}
|
||||
|
||||
// Determine if there's a "from" field (IP or hostname)
|
||||
idx := 2
|
||||
if len(fields) > 4 && !isMonth(fields[2]) {
|
||||
s.From = fields[2]
|
||||
idx = 3
|
||||
}
|
||||
|
||||
// Rest is login time, logout, duration
|
||||
rest := strings.Join(fields[idx:], " ")
|
||||
|
||||
// Try to extract login/logout/duration from the rest
|
||||
if dashIdx := strings.Index(rest, " - "); dashIdx >= 0 {
|
||||
s.Login = strings.TrimSpace(rest[:dashIdx])
|
||||
after := rest[dashIdx+3:]
|
||||
if parenIdx := strings.Index(after, "("); parenIdx >= 0 {
|
||||
s.Logout = strings.TrimSpace(after[:parenIdx])
|
||||
dur := after[parenIdx:]
|
||||
dur = strings.Trim(dur, "()")
|
||||
s.Duration = dur
|
||||
} else {
|
||||
s.Logout = strings.TrimSpace(after)
|
||||
}
|
||||
} else {
|
||||
s.Login = rest
|
||||
if strings.Contains(rest, "still logged in") {
|
||||
s.Logout = "still logged in"
|
||||
}
|
||||
}
|
||||
|
||||
sessions = append(sessions, s)
|
||||
}
|
||||
|
||||
return sessions
|
||||
}
|
||||
|
||||
func isMonth(s string) bool {
|
||||
months := []string{"Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"}
|
||||
for _, m := range months {
|
||||
if s == m {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
@ -127,6 +127,7 @@ func sendHeartbeat(c *client.Client, agentID string) error {
|
||||
updates := collector.CollectUpdates()
|
||||
cronJobs := collector.CollectCron()
|
||||
license := collector.CollectLicense()
|
||||
security := collector.CollectSecurity()
|
||||
|
||||
req := map[string]interface{}{
|
||||
"agent_id": agentID,
|
||||
@ -167,6 +168,7 @@ func sendHeartbeat(c *client.Client, agentID string) error {
|
||||
"updates": updates,
|
||||
"cron_jobs": cronJobs,
|
||||
"license": license,
|
||||
"security": security,
|
||||
},
|
||||
}
|
||||
|
||||
|
||||
@ -24,6 +24,7 @@ type SystemData struct {
|
||||
License *LicenseInfo `json:"license,omitempty"`
|
||||
Proxmox map[string]interface{} `json:"proxmox,omitempty"`
|
||||
Backups map[string]interface{} `json:"backups,omitempty"`
|
||||
Security *SecurityInfo `json:"security,omitempty"`
|
||||
}
|
||||
|
||||
type LicenseInfo struct {
|
||||
@ -181,6 +182,40 @@ type CronJob struct {
|
||||
Schedule string `json:"schedule"`
|
||||
}
|
||||
|
||||
type SecurityInfo struct {
|
||||
SSHLogins []SecurityLoginEvent `json:"ssh_logins"`
|
||||
WebGUILogins []SecurityLoginEvent `json:"webgui_logins"`
|
||||
Sessions []SecuritySession `json:"sessions"`
|
||||
Summary SecuritySummary `json:"summary"`
|
||||
}
|
||||
|
||||
type SecurityLoginEvent struct {
|
||||
Timestamp string `json:"timestamp"`
|
||||
User string `json:"user"`
|
||||
Source string `json:"source"`
|
||||
Port string `json:"port"`
|
||||
Method string `json:"method"`
|
||||
Status string `json:"status"`
|
||||
Key string `json:"key,omitempty"`
|
||||
}
|
||||
|
||||
type SecuritySession struct {
|
||||
User string `json:"user"`
|
||||
TTY string `json:"tty"`
|
||||
From string `json:"from"`
|
||||
Login string `json:"login"`
|
||||
Logout string `json:"logout"`
|
||||
Duration string `json:"duration"`
|
||||
}
|
||||
|
||||
type SecuritySummary struct {
|
||||
TotalAccepted int `json:"total_accepted"`
|
||||
TotalFailed int `json:"total_failed"`
|
||||
UniqueIPs int `json:"unique_ips"`
|
||||
UniqueUsers int `json:"unique_users"`
|
||||
LastLogin string `json:"last_login"`
|
||||
}
|
||||
|
||||
// HeartbeatRequest
|
||||
type HeartbeatRequest struct {
|
||||
AgentID string `json:"agent_id"`
|
||||
|
||||
@ -19,6 +19,7 @@ const allTabs = [
|
||||
{ id: 'dhcp', label: 'DHCP', platforms: ['freebsd'] },
|
||||
{ id: 'certs', label: 'Zertifikate', platforms: ['freebsd'] },
|
||||
{ id: 'updates', label: 'Updates', platforms: ['freebsd'] },
|
||||
{ id: 'security', label: 'Sicherheit', platforms: ['freebsd'] },
|
||||
{ id: 'backups', label: 'Backups' },
|
||||
{ id: 'agent', label: 'Agent' },
|
||||
]
|
||||
@ -126,6 +127,8 @@ export default function AgentPanel({ agentId, customers, onClose, onReload }) {
|
||||
<CertsTab sys={sys} />
|
||||
) : tab === 'updates' ? (
|
||||
<UpdatesTab agentId={agentId} />
|
||||
) : tab === 'security' ? (
|
||||
<SecurityTab sys={sys} />
|
||||
) : tab === 'backups' ? (
|
||||
platform === 'linux' ? <PVEBackupsTab sys={sys} /> : <BackupsTab agentId={agentId} />
|
||||
) : tab === 'agent' ? (
|
||||
@ -1384,6 +1387,113 @@ function PVEBackupsTab({ sys }) {
|
||||
)
|
||||
}
|
||||
|
||||
function SecurityTab({ sys }) {
|
||||
const sec = sys?.security
|
||||
if (!sec) return <div className="text-gray-500">Keine Sicherheitsdaten verfuegbar</div>
|
||||
|
||||
const summary = sec.summary || {}
|
||||
const logins = sec.ssh_logins || []
|
||||
const sessions = sec.sessions || []
|
||||
|
||||
const cards = [
|
||||
{ label: 'Akzeptiert', value: summary.total_accepted || 0, color: 'text-green-400' },
|
||||
{ label: 'Abgelehnt', value: summary.total_failed || 0, color: 'text-red-400' },
|
||||
{ label: 'Eindeutige IPs', value: summary.unique_ips || 0, color: 'text-blue-400' },
|
||||
{ label: 'Letzter Login', value: summary.last_login ? new Date(summary.last_login).toLocaleString('de-DE') : '-', color: 'text-gray-300', small: true },
|
||||
]
|
||||
|
||||
return (
|
||||
<div className="space-y-4">
|
||||
{/* Summary Cards */}
|
||||
<div className="grid grid-cols-2 md:grid-cols-4 gap-3">
|
||||
{cards.map((c, i) => (
|
||||
<div key={i} className="bg-gray-800/50 rounded-lg border border-gray-700/50 p-3">
|
||||
<div className="text-gray-500 text-xs mb-1">{c.label}</div>
|
||||
<div className={`${c.small ? 'text-sm' : 'text-xl font-bold'} ${c.color}`}>{c.value}</div>
|
||||
</div>
|
||||
))}
|
||||
</div>
|
||||
|
||||
{/* SSH Logins */}
|
||||
<div>
|
||||
<h3 className="text-sm font-medium text-gray-400 mb-2">SSH-Logins</h3>
|
||||
{logins.length === 0 ? (
|
||||
<div className="text-gray-500 text-sm">Keine SSH-Login-Events</div>
|
||||
) : (
|
||||
<div className="bg-gray-800/50 rounded-lg border border-gray-700/50 overflow-hidden">
|
||||
<table className="w-full text-xs">
|
||||
<thead>
|
||||
<tr className="text-left text-gray-500 border-b border-gray-700">
|
||||
<th className="px-3 py-2">Zeitstempel</th>
|
||||
<th className="px-3 py-2">User</th>
|
||||
<th className="px-3 py-2">Quell-IP</th>
|
||||
<th className="px-3 py-2">Port</th>
|
||||
<th className="px-3 py-2">Methode</th>
|
||||
<th className="px-3 py-2">Status</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody className="divide-y divide-gray-700/50">
|
||||
{logins.map((e, i) => (
|
||||
<tr key={i}>
|
||||
<td className="px-3 py-1.5 text-gray-400">{e.timestamp ? new Date(e.timestamp).toLocaleString('de-DE') : '-'}</td>
|
||||
<td className="px-3 py-1.5 text-white">{e.user}</td>
|
||||
<td className="px-3 py-1.5 text-gray-300 font-mono">{e.source}</td>
|
||||
<td className="px-3 py-1.5 text-gray-400">{e.port}</td>
|
||||
<td className="px-3 py-1.5">
|
||||
<span className="px-1.5 py-0.5 bg-gray-700 rounded text-gray-400 text-xs">{e.method}</span>
|
||||
</td>
|
||||
<td className="px-3 py-1.5">
|
||||
<span className="flex items-center gap-1.5">
|
||||
<span className={`w-1.5 h-1.5 rounded-full ${e.status === 'accepted' ? 'bg-green-400' : 'bg-red-400'}`} />
|
||||
<span className={e.status === 'accepted' ? 'text-green-400' : 'text-red-400'}>{e.status}</span>
|
||||
</span>
|
||||
</td>
|
||||
</tr>
|
||||
))}
|
||||
</tbody>
|
||||
</table>
|
||||
</div>
|
||||
)}
|
||||
</div>
|
||||
|
||||
{/* Sessions */}
|
||||
<div>
|
||||
<h3 className="text-sm font-medium text-gray-400 mb-2">Sessions</h3>
|
||||
{sessions.length === 0 ? (
|
||||
<div className="text-gray-500 text-sm">Keine Sessions</div>
|
||||
) : (
|
||||
<div className="bg-gray-800/50 rounded-lg border border-gray-700/50 overflow-hidden">
|
||||
<table className="w-full text-xs">
|
||||
<thead>
|
||||
<tr className="text-left text-gray-500 border-b border-gray-700">
|
||||
<th className="px-3 py-2">User</th>
|
||||
<th className="px-3 py-2">TTY</th>
|
||||
<th className="px-3 py-2">Von</th>
|
||||
<th className="px-3 py-2">Login</th>
|
||||
<th className="px-3 py-2">Logout</th>
|
||||
<th className="px-3 py-2">Dauer</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody className="divide-y divide-gray-700/50">
|
||||
{sessions.map((s, i) => (
|
||||
<tr key={i}>
|
||||
<td className="px-3 py-1.5 text-white">{s.user}</td>
|
||||
<td className="px-3 py-1.5 text-gray-400 font-mono">{s.tty}</td>
|
||||
<td className="px-3 py-1.5 text-gray-300 font-mono">{s.from || '-'}</td>
|
||||
<td className="px-3 py-1.5 text-gray-400">{s.login}</td>
|
||||
<td className="px-3 py-1.5 text-gray-400">{s.logout || '-'}</td>
|
||||
<td className="px-3 py-1.5 text-gray-400">{s.duration || '-'}</td>
|
||||
</tr>
|
||||
))}
|
||||
</tbody>
|
||||
</table>
|
||||
</div>
|
||||
)}
|
||||
</div>
|
||||
</div>
|
||||
)
|
||||
}
|
||||
|
||||
function BackupsTab({ agentId }) {
|
||||
const [backups, setBackups] = useState([])
|
||||
const [loading, setLoading] = useState(true)
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user