Mozilla Security Authentication Events with IP and Geo-IP exclusion

For any messages matching the matcher, extract fields from the message and compare these fields against expected origin IP or origin Geo-IP configuration for a given user.

This module makes use of a user specification table, which is a configured list of known locations a given user will authenticate from. Locations can be specified as either IP subnets, or Geo-IP configurations of the form "City/Country Code".

For each event received, an alert is always generated that sends a message to the email address in default_email.

If the event also deviates from the user specification (its source IP or Geo-IP location is not listed for that user), the alert additionally sends an email to user_email. If the message's timestamp drifts outside the acceptable_message_drift window, the message is sent only to the drift_email recipient.

Sample Configuration

filename = "moz_security_auth_ip_geo.lua"
message_matcher = "Type == 'bastion.file.sshd' && Fields[sshd_authmsg] == 'Accepted'"
ticker_interval = 0
process_message_inject_limit = 1

default_email = "foxsec-dump+OutOfHours@mozilla.com" -- required
-- user_email = "manatee-%s@moz-svc-ops.pagerduty.com" -- optional user specific email address
-- drift_email = "captainkirk@mozilla.com" -- optional drift message notification
-- acceptable_message_drift = 600 -- optional, defaults to 600 seconds if not specified

authhost_field = "Hostname" -- required, field to extract authenticating host from (destination host)
user_field = "Fields[user]" -- required, field to extract username from
srcip_field = "Fields[ssh_remote_ipaddr]" -- required, field to extract source IP from
geocity_field = "Fields[ssh_remote_ipaddr_city]" -- required, field to extract geo city
geocountry_field = "Fields[ssh_remote_ipaddr_country]" -- required, field to extract geo country

userspec = {
    riker = {
        ip = { "192.168.1.0/24", "10.0.0.0/24" },
        geo = { "Toronto/CA" }
    },
    worf = {
        geo = { "Milton/US" }
    },
    ipauthgeoany = { -- special key that applies to any user
        ip = { "192.168.0.0/24" } -- same table form as the per-user ip entries
    }
}
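The following is an added illustration of the matching logic the configuration above describes, not the plugin's own Lua code: a userspec table in the same shape, a check that accepts an event when either the user's own entries or the any-user `ipauthgeoany` entry lists the source subnet or the "City/Country Code" pair, and a classifier that reports which of the default, user and drift recipients an event would notify (the field names and the `classify` helper are assumptions for this example).

```python
# Added illustration (not the plugin's own Lua code): evaluate an sshd
# "Accepted" event against a userspec table shaped like the sample
# configuration and decide which notifications would be sent.
import ipaddress
import time

# Constructed userspec mirroring the sample configuration.
USERSPEC = {
    "riker": {"ip": ["192.168.1.0/24", "10.0.0.0/24"], "geo": ["Toronto/CA"]},
    "worf": {"geo": ["Milton/US"]},
    "ipauthgeoany": {"ip": ["192.168.0.0/24"]},  # applies to any user
}
ACCEPTABLE_MESSAGE_DRIFT = 600  # seconds, the documented default


def _matches(spec, src_ip, city, country):
    """True if src_ip falls in a listed subnet or City/Country Code is listed."""
    addr = ipaddress.ip_address(src_ip)
    if any(addr in ipaddress.ip_network(n, strict=False) for n in spec.get("ip", [])):
        return True
    return f"{city}/{country}" in spec.get("geo", [])


def known_location(userspec, user, src_ip, city, country):
    """Known if the user's own entries or the ipauthgeoany entry match."""
    for key in (user, "ipauthgeoany"):
        if key in userspec and _matches(userspec[key], src_ip, city, country):
            return True
    return False


def classify(userspec, event, now=None, drift=ACCEPTABLE_MESSAGE_DRIFT):
    """Return the set of recipients an event would notify.

    event: dict with user, src_ip, city, country and timestamp (epoch seconds).
    A message outside the drift window goes only to drift_email; otherwise
    default_email always fires and user_email fires on a deviation.
    """
    now = time.time() if now is None else now
    if abs(now - event["timestamp"]) > drift:
        return {"drift_email"}
    recipients = {"default_email"}
    if not known_location(userspec, event["user"], event["src_ip"],
                          event["city"], event["country"]):
        recipients.add("user_email")
    return recipients
```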

source code: moz_security_auth_ip_geo.lua
