Feature: Sicherheit Tab - SSH Login Audit + Session History

This commit is contained in:
cynfo3000 2026-03-04 23:16:18 +01:00
parent 57a5a3d3ee
commit 06189a1468
4 changed files with 401 additions and 0 deletions

254
agent/collector/security.go Normal file
View File

@ -0,0 +1,254 @@
package collector
import (
"bufio"
"fmt"
"os"
"os/exec"
"regexp"
"sort"
"strings"
"time"
)
type LoginEvent struct {
Timestamp string `json:"timestamp"`
User string `json:"user"`
Source string `json:"source"`
Port string `json:"port"`
Method string `json:"method"`
Status string `json:"status"`
Key string `json:"key,omitempty"`
}
type Session struct {
User string `json:"user"`
TTY string `json:"tty"`
From string `json:"from"`
Login string `json:"login"`
Logout string `json:"logout"`
Duration string `json:"duration"`
}
type SecuritySummary struct {
TotalAccepted int `json:"total_accepted"`
TotalFailed int `json:"total_failed"`
UniqueIPs int `json:"unique_ips"`
UniqueUsers int `json:"unique_users"`
LastLogin string `json:"last_login"`
}
type SecurityData struct {
SSHLogins []LoginEvent `json:"ssh_logins"`
WebGUILogins []LoginEvent `json:"webgui_logins"`
Sessions []Session `json:"sessions"`
Summary SecuritySummary `json:"summary"`
}
var (
reAccepted = regexp.MustCompile(`Accepted\s+(publickey|password)\s+for\s+(\S+)\s+from\s+(\S+)\s+port\s+(\d+)`)
reFailed = regexp.MustCompile(`Failed\s+password\s+for\s+(?:invalid user\s+)?(\S+)\s+from\s+(\S+)\s+port\s+(\d+)`)
reInvalid = regexp.MustCompile(`Invalid user\s+(\S+)\s+from\s+(\S+)\s+port\s+(\d+)`)
// Syslog with ISO 8601 after priority: <NN>2024-01-15T10:30:00+01:00 ...
reTimestamp = regexp.MustCompile(`^<\d+>(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[^\s]*)`)
// BSD syslog: Jan 15 10:30:00
reBSDTimestamp = regexp.MustCompile(`^<\d+>\s*([A-Z][a-z]{2}\s+\d+\s+\d{2}:\d{2}:\d{2})`)
)
func CollectSecurity() *SecurityData {
data := &SecurityData{
SSHLogins: []LoginEvent{},
WebGUILogins: []LoginEvent{},
Sessions: []Session{},
}
// Collect audit log files
logFiles := []string{"/var/log/audit/latest.log"}
now := time.Now()
for i := 0; i < 7; i++ {
d := now.AddDate(0, 0, -i)
logFiles = append(logFiles, fmt.Sprintf("/var/log/audit/audit_%s.log", d.Format("20060102")))
}
seen := make(map[string]bool)
for _, path := range logFiles {
events := parseAuditLog(path)
for _, e := range events {
key := e.Timestamp + e.User + e.Source + e.Port + e.Status
if !seen[key] {
seen[key] = true
data.SSHLogins = append(data.SSHLogins, e)
}
}
}
// Sort by timestamp descending, limit to 100
sort.Slice(data.SSHLogins, func(i, j int) bool {
return data.SSHLogins[i].Timestamp > data.SSHLogins[j].Timestamp
})
if len(data.SSHLogins) > 100 {
data.SSHLogins = data.SSHLogins[:100]
}
// Collect sessions
data.Sessions = collectSessions()
// Build summary
ips := make(map[string]bool)
users := make(map[string]bool)
for _, e := range data.SSHLogins {
if e.Status == "accepted" {
data.Summary.TotalAccepted++
} else {
data.Summary.TotalFailed++
}
if e.Source != "" {
ips[e.Source] = true
}
if e.User != "" {
users[e.User] = true
}
}
data.Summary.UniqueIPs = len(ips)
data.Summary.UniqueUsers = len(users)
if len(data.SSHLogins) > 0 {
data.Summary.LastLogin = data.SSHLogins[0].Timestamp
}
return data
}
func parseAuditLog(path string) []LoginEvent {
f, err := os.Open(path)
if err != nil {
return nil
}
defer f.Close()
var events []LoginEvent
scanner := bufio.NewScanner(f)
// Increase buffer for long lines
scanner.Buffer(make([]byte, 0, 64*1024), 256*1024)
for scanner.Scan() {
line := scanner.Text()
// Extract timestamp
ts := extractTimestamp(line)
if m := reAccepted.FindStringSubmatch(line); m != nil {
events = append(events, LoginEvent{
Timestamp: ts,
User: m[2],
Source: m[3],
Port: m[4],
Method: m[1],
Status: "accepted",
})
} else if m := reFailed.FindStringSubmatch(line); m != nil {
events = append(events, LoginEvent{
Timestamp: ts,
User: m[1],
Source: m[2],
Port: m[3],
Method: "password",
Status: "failed",
})
} else if m := reInvalid.FindStringSubmatch(line); m != nil {
events = append(events, LoginEvent{
Timestamp: ts,
User: m[1],
Source: m[2],
Port: m[3],
Method: "invalid_user",
Status: "failed",
})
}
}
return events
}
func extractTimestamp(line string) string {
if m := reTimestamp.FindStringSubmatch(line); m != nil {
return m[1]
}
if m := reBSDTimestamp.FindStringSubmatch(line); m != nil {
// Parse BSD timestamp and add current year
t, err := time.Parse("Jan 2 15:04:05", m[1])
if err == nil {
t = t.AddDate(time.Now().Year(), 0, 0)
return t.Format(time.RFC3339)
}
return m[1]
}
return ""
}
func collectSessions() []Session {
out, err := exec.Command("/usr/bin/last", "-100").Output()
if err != nil {
return nil
}
var sessions []Session
for _, line := range strings.Split(string(out), "\n") {
line = strings.TrimSpace(line)
if line == "" || strings.HasPrefix(line, "wtmp") || strings.HasPrefix(line, "utx.log") {
continue
}
fields := strings.Fields(line)
if len(fields) < 4 {
continue
}
s := Session{
User: fields[0],
TTY: fields[1],
}
// Determine if there's a "from" field (IP or hostname)
idx := 2
if len(fields) > 4 && !isMonth(fields[2]) {
s.From = fields[2]
idx = 3
}
// Rest is login time, logout, duration
rest := strings.Join(fields[idx:], " ")
// Try to extract login/logout/duration from the rest
if dashIdx := strings.Index(rest, " - "); dashIdx >= 0 {
s.Login = strings.TrimSpace(rest[:dashIdx])
after := rest[dashIdx+3:]
if parenIdx := strings.Index(after, "("); parenIdx >= 0 {
s.Logout = strings.TrimSpace(after[:parenIdx])
dur := after[parenIdx:]
dur = strings.Trim(dur, "()")
s.Duration = dur
} else {
s.Logout = strings.TrimSpace(after)
}
} else {
s.Login = rest
if strings.Contains(rest, "still logged in") {
s.Logout = "still logged in"
}
}
sessions = append(sessions, s)
}
return sessions
}
func isMonth(s string) bool {
months := []string{"Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"}
for _, m := range months {
if s == m {
return true
}
}
return false
}

View File

@ -127,6 +127,7 @@ func sendHeartbeat(c *client.Client, agentID string) error {
updates := collector.CollectUpdates() updates := collector.CollectUpdates()
cronJobs := collector.CollectCron() cronJobs := collector.CollectCron()
license := collector.CollectLicense() license := collector.CollectLicense()
security := collector.CollectSecurity()
req := map[string]interface{}{ req := map[string]interface{}{
"agent_id": agentID, "agent_id": agentID,
@ -167,6 +168,7 @@ func sendHeartbeat(c *client.Client, agentID string) error {
"updates": updates, "updates": updates,
"cron_jobs": cronJobs, "cron_jobs": cronJobs,
"license": license, "license": license,
"security": security,
}, },
} }

View File

@ -24,6 +24,7 @@ type SystemData struct {
License *LicenseInfo `json:"license,omitempty"` License *LicenseInfo `json:"license,omitempty"`
Proxmox map[string]interface{} `json:"proxmox,omitempty"` Proxmox map[string]interface{} `json:"proxmox,omitempty"`
Backups map[string]interface{} `json:"backups,omitempty"` Backups map[string]interface{} `json:"backups,omitempty"`
Security *SecurityInfo `json:"security,omitempty"`
} }
type LicenseInfo struct { type LicenseInfo struct {
@ -181,6 +182,40 @@ type CronJob struct {
Schedule string `json:"schedule"` Schedule string `json:"schedule"`
} }
type SecurityInfo struct {
SSHLogins []SecurityLoginEvent `json:"ssh_logins"`
WebGUILogins []SecurityLoginEvent `json:"webgui_logins"`
Sessions []SecuritySession `json:"sessions"`
Summary SecuritySummary `json:"summary"`
}
type SecurityLoginEvent struct {
Timestamp string `json:"timestamp"`
User string `json:"user"`
Source string `json:"source"`
Port string `json:"port"`
Method string `json:"method"`
Status string `json:"status"`
Key string `json:"key,omitempty"`
}
type SecuritySession struct {
User string `json:"user"`
TTY string `json:"tty"`
From string `json:"from"`
Login string `json:"login"`
Logout string `json:"logout"`
Duration string `json:"duration"`
}
type SecuritySummary struct {
TotalAccepted int `json:"total_accepted"`
TotalFailed int `json:"total_failed"`
UniqueIPs int `json:"unique_ips"`
UniqueUsers int `json:"unique_users"`
LastLogin string `json:"last_login"`
}
// HeartbeatRequest // HeartbeatRequest
type HeartbeatRequest struct { type HeartbeatRequest struct {
AgentID string `json:"agent_id"` AgentID string `json:"agent_id"`

View File

@ -19,6 +19,7 @@ const allTabs = [
{ id: 'dhcp', label: 'DHCP', platforms: ['freebsd'] }, { id: 'dhcp', label: 'DHCP', platforms: ['freebsd'] },
{ id: 'certs', label: 'Zertifikate', platforms: ['freebsd'] }, { id: 'certs', label: 'Zertifikate', platforms: ['freebsd'] },
{ id: 'updates', label: 'Updates', platforms: ['freebsd'] }, { id: 'updates', label: 'Updates', platforms: ['freebsd'] },
{ id: 'security', label: 'Sicherheit', platforms: ['freebsd'] },
{ id: 'backups', label: 'Backups' }, { id: 'backups', label: 'Backups' },
{ id: 'agent', label: 'Agent' }, { id: 'agent', label: 'Agent' },
] ]
@ -126,6 +127,8 @@ export default function AgentPanel({ agentId, customers, onClose, onReload }) {
<CertsTab sys={sys} /> <CertsTab sys={sys} />
) : tab === 'updates' ? ( ) : tab === 'updates' ? (
<UpdatesTab agentId={agentId} /> <UpdatesTab agentId={agentId} />
) : tab === 'security' ? (
<SecurityTab sys={sys} />
) : tab === 'backups' ? ( ) : tab === 'backups' ? (
platform === 'linux' ? <PVEBackupsTab sys={sys} /> : <BackupsTab agentId={agentId} /> platform === 'linux' ? <PVEBackupsTab sys={sys} /> : <BackupsTab agentId={agentId} />
) : tab === 'agent' ? ( ) : tab === 'agent' ? (
@ -1384,6 +1387,113 @@ function PVEBackupsTab({ sys }) {
) )
} }
function SecurityTab({ sys }) {
const sec = sys?.security
if (!sec) return <div className="text-gray-500">Keine Sicherheitsdaten verfuegbar</div>
const summary = sec.summary || {}
const logins = sec.ssh_logins || []
const sessions = sec.sessions || []
const cards = [
{ label: 'Akzeptiert', value: summary.total_accepted || 0, color: 'text-green-400' },
{ label: 'Abgelehnt', value: summary.total_failed || 0, color: 'text-red-400' },
{ label: 'Eindeutige IPs', value: summary.unique_ips || 0, color: 'text-blue-400' },
{ label: 'Letzter Login', value: summary.last_login ? new Date(summary.last_login).toLocaleString('de-DE') : '-', color: 'text-gray-300', small: true },
]
return (
<div className="space-y-4">
{/* Summary Cards */}
<div className="grid grid-cols-2 md:grid-cols-4 gap-3">
{cards.map((c, i) => (
<div key={i} className="bg-gray-800/50 rounded-lg border border-gray-700/50 p-3">
<div className="text-gray-500 text-xs mb-1">{c.label}</div>
<div className={`${c.small ? 'text-sm' : 'text-xl font-bold'} ${c.color}`}>{c.value}</div>
</div>
))}
</div>
{/* SSH Logins */}
<div>
<h3 className="text-sm font-medium text-gray-400 mb-2">SSH-Logins</h3>
{logins.length === 0 ? (
<div className="text-gray-500 text-sm">Keine SSH-Login-Events</div>
) : (
<div className="bg-gray-800/50 rounded-lg border border-gray-700/50 overflow-hidden">
<table className="w-full text-xs">
<thead>
<tr className="text-left text-gray-500 border-b border-gray-700">
<th className="px-3 py-2">Zeitstempel</th>
<th className="px-3 py-2">User</th>
<th className="px-3 py-2">Quell-IP</th>
<th className="px-3 py-2">Port</th>
<th className="px-3 py-2">Methode</th>
<th className="px-3 py-2">Status</th>
</tr>
</thead>
<tbody className="divide-y divide-gray-700/50">
{logins.map((e, i) => (
<tr key={i}>
<td className="px-3 py-1.5 text-gray-400">{e.timestamp ? new Date(e.timestamp).toLocaleString('de-DE') : '-'}</td>
<td className="px-3 py-1.5 text-white">{e.user}</td>
<td className="px-3 py-1.5 text-gray-300 font-mono">{e.source}</td>
<td className="px-3 py-1.5 text-gray-400">{e.port}</td>
<td className="px-3 py-1.5">
<span className="px-1.5 py-0.5 bg-gray-700 rounded text-gray-400 text-xs">{e.method}</span>
</td>
<td className="px-3 py-1.5">
<span className="flex items-center gap-1.5">
<span className={`w-1.5 h-1.5 rounded-full ${e.status === 'accepted' ? 'bg-green-400' : 'bg-red-400'}`} />
<span className={e.status === 'accepted' ? 'text-green-400' : 'text-red-400'}>{e.status}</span>
</span>
</td>
</tr>
))}
</tbody>
</table>
</div>
)}
</div>
{/* Sessions */}
<div>
<h3 className="text-sm font-medium text-gray-400 mb-2">Sessions</h3>
{sessions.length === 0 ? (
<div className="text-gray-500 text-sm">Keine Sessions</div>
) : (
<div className="bg-gray-800/50 rounded-lg border border-gray-700/50 overflow-hidden">
<table className="w-full text-xs">
<thead>
<tr className="text-left text-gray-500 border-b border-gray-700">
<th className="px-3 py-2">User</th>
<th className="px-3 py-2">TTY</th>
<th className="px-3 py-2">Von</th>
<th className="px-3 py-2">Login</th>
<th className="px-3 py-2">Logout</th>
<th className="px-3 py-2">Dauer</th>
</tr>
</thead>
<tbody className="divide-y divide-gray-700/50">
{sessions.map((s, i) => (
<tr key={i}>
<td className="px-3 py-1.5 text-white">{s.user}</td>
<td className="px-3 py-1.5 text-gray-400 font-mono">{s.tty}</td>
<td className="px-3 py-1.5 text-gray-300 font-mono">{s.from || '-'}</td>
<td className="px-3 py-1.5 text-gray-400">{s.login}</td>
<td className="px-3 py-1.5 text-gray-400">{s.logout || '-'}</td>
<td className="px-3 py-1.5 text-gray-400">{s.duration || '-'}</td>
</tr>
))}
</tbody>
</table>
</div>
)}
</div>
</div>
)
}
function BackupsTab({ agentId }) { function BackupsTab({ agentId }) {
const [backups, setBackups] = useState([]) const [backups, setBackups] = useState([])
const [loading, setLoading] = useState(true) const [loading, setLoading] = useState(true)