Mozilla Security Authentication Events with IP and Geo-IP exclusion
For any message matching the matcher, extract the configured fields (authenticating host, username, source IP, Geo-IP city and country) from the message and compare them against the origin IP subnets or origin Geo-IP locations expected for that user.
This module makes use of a user specification table, a configured list of known locations a given user is expected to authenticate from. Locations can be specified either as IP subnets (CIDR notation) or as Geo-IP configurations of the form "City/Country Code".
For each event received, an alert is always generated and sent to the email address in default_email.
If the event also deviates from the user specification (the source IP is in none of the configured subnets and the City/Country Code matches none of the configured Geo-IP locations), the alert is additionally sent to user_email. If the message timestamp drifts from the current time by more than acceptable_message_drift, the message is sent only to the drift_email recipient.
1. Sample Configuration
filename = "moz_security_auth_ip_geo.lua"
message_matcher = "Type ~= 'bastion.file.sshd'% && Fields[sshd_authmsg] == 'Accepted'"
ticker_interval = 0
process_message_inject_limit = 1
default_email = "foxsec-dump+OutOfHours@mozilla.com" -- required
-- user_email = "manatee-%s@moz-svc-ops.pagerduty.com" -- optional user specific email address
-- drift_email = "captainkirk@mozilla.com" -- optional drift message notification
-- acceptable_message_drift = 600 -- optional, defaults to 600 seconds if not specified
authhost_field = "Hostname" -- required, field to extract authenticating host from (destination host)
user_field = "Fields[user]" -- required, field to extract username from
srcip_field = "Fields[ssh_remote_ipaddr]" -- required, field to extract source IP from
geocity_field = "Fields[ssh_remote_ipaddr_city]" -- required, field to extract geo city
geocountry_field = "Fields[ssh_remote_ipaddr_country]" -- required, field to extract geo country
userspec = {
    riker = {
        ip = { "192.168.1.0/24", "10.0.0.0/24" },
        geo = { "Toronto/CA" }
    },
    worf = {
        geo = { "Milton/US" }
    },
    ipauthgeoany = { -- special key that applies to any user
        ip = { "192.168.0.0/24" } -- same table form as the per-user ip lists
    }
}
source code: moz_security_auth_ip_geo.lua
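The routing rules above (always notify default_email, add user_email on a deviation from the user's subnets or Geo-IP locations, and divert a message with excessive time drift to drift_email only) as an added, stand-alone example. This is not the sandbox's own Lua code: it is a Python model of the described logic, run over constructed events. The userspec and field names follow the sample configuration; the Heka/Hindsight message layout (Timestamp in nanoseconds since the epoch, extracted fields under Fields) is real, while the substitution of the username into the `%s` of user_email, the behaviour of a user with no entry of their own, and the handling of drift when drift_email is unset are assumptions marked in the code.

```python
"""Model of the moz_security_auth_ip_geo alert routing (added example)."""
import ipaddress

ACCEPTABLE_MESSAGE_DRIFT = 600    # seconds; the documented default
ANY_USER_KEY = "ipauthgeoany"     # special key that applies to any user

# userspec from the sample configuration, expressed as a Python dict
USERSPEC = {
    "riker": {"ip": ["192.168.1.0/24", "10.0.0.0/24"], "geo": ["Toronto/CA"]},
    "worf": {"geo": ["Milton/US"]},
    ANY_USER_KEY: {"ip": ["192.168.0.0/24"]},
}


def matches_spec(user, srcip, city, country, userspec=USERSPEC):
    """True if srcip is inside a configured subnet, or City/Country Code is a
    configured location, for this user or for the any-user entry.
    Assumption: a user with no entry of their own deviates unless the
    any-user entry matches."""
    addr = ipaddress.ip_address(srcip)
    geo = "%s/%s" % (city, country)
    for key in (user, ANY_USER_KEY):
        spec = userspec.get(key)
        if spec is None:
            continue
        for cidr in spec.get("ip", []):
            if addr in ipaddress.ip_network(cidr, strict=False):
                return True
        if geo in spec.get("geo", []):
            return True
    return False


def route_event(event, now_ns, default_email, user_email=None,
                drift_email=None, drift=ACCEPTABLE_MESSAGE_DRIFT,
                userspec=USERSPEC):
    """Return (recipients, summary) for one accepted-login event.

    event mirrors a Hindsight message: Timestamp is nanoseconds since the
    epoch and the extracted fields sit under "Fields" with the names used by
    the sample configuration (user, ssh_remote_ipaddr, ..._city, ..._country).
    """
    f = event["Fields"]
    user, srcip = f["user"], f["ssh_remote_ipaddr"]
    city, country = f["ssh_remote_ipaddr_city"], f["ssh_remote_ipaddr_country"]
    summary = "%s authenticated to %s from %s (%s/%s)" % (
        user, event["Hostname"], srcip, city, country)

    # Drift gate: a message older or newer than the allowed drift goes only
    # to drift_email. Assumption: with no drift_email configured, nothing is sent.
    drift_s = abs(now_ns - event["Timestamp"]) / 1e9
    if drift_s > drift:
        return ([drift_email] if drift_email else [],
                summary + " [drift %.0fs]" % drift_s)

    recipients = [default_email]            # always notified
    if user_email and not matches_spec(user, srcip, city, country, userspec):
        # Assumption: the %s in user_email is replaced with the username.
        recipients.append(user_email % user)
    return (recipients, summary)


# Constructed sample data (not real log data). Source addresses use the
# RFC 5737 documentation range where they should not match any subnet.
NOW_NS = 1_600_000_000 * 10**9


def _event(offset_s, host, user, ip, city, country):
    return {"Timestamp": NOW_NS + offset_s * 10**9, "Hostname": host,
            "Fields": {"user": user, "ssh_remote_ipaddr": ip,
                       "ssh_remote_ipaddr_city": city,
                       "ssh_remote_ipaddr_country": country}}


SAMPLE_EVENTS = [
    _event(-5, "bastion1", "riker", "192.168.1.20", "Unknown", "XX"),   # riker's subnet
    _event(-5, "bastion1", "worf", "203.0.113.7", "Milton", "US"),      # worf's geo
    _event(-5, "bastion1", "worf", "192.168.0.9", "Berlin", "DE"),      # any-user subnet
    _event(-5, "bastion1", "worf", "203.0.113.7", "Berlin", "DE"),      # deviation
    _event(-1200, "bastion1", "riker", "192.168.1.20", "Toronto", "CA"),  # 1200 s stale
]


def run_samples(default_email="foxsec-dump+OutOfHours@example.org",
                user_email="manatee-%s@example.org",
                drift_email="drift@example.org"):
    """Route every sample event; returns the list of recipient lists."""
    return [route_event(e, NOW_NS, default_email, user_email, drift_email)[0]
            for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev, rcpts in zip(SAMPLE_EVENTS, run_samples()):
        print(route_event(ev, NOW_NS, "d@example.org")[1], "->", rcpts)
```

Two details worth carrying into a real deployment: `strict=False` lets a subnet be written with host bits set (as operators often do) without raising, and the drift check uses the absolute difference, so a message timestamped in the future is treated as drifted just like a stale one.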