Listen for events and forward to external security scanning services.

security_group_events.go 2.5KB

  1. package main
  2. import (
  3. "encoding/json"
  4. "fmt"
  5. "os"
  6. "strings"
  7. )
  // EventSecurityGroupRuleChange handles events raised when a security group
  // rule is changed, covering both rule additions and rule deletions. It is
  // meant to satisfy the EventProcessor interface (see events.go).
  type EventSecurityGroupRuleChange struct {
  	// ChangeType is copied into the payload of every log line that
  	// FormatLogs emits for this processor.
  	ChangeType string
  }
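  // FillExtraData enriches a security group change event with the IP addresses
  // of the ports reported for the event's tenant.
  //
  // It connects to OpenStack with the tenant ID and user name found in
  // e.EventData, requests the port list, and stores the result in e.IPs as a
  // map from security group to the IP addresses listed for it. It returns an
  // error when e is nil or when the connection fails; e is left unmodified in
  // both cases.
  func (s EventSecurityGroupRuleChange) FillExtraData(e *Event, openstack OpenStackActioner) error {
  	// Reject a nil event the same way FormatLogs does, so a malformed
  	// delivery yields an error instead of a nil-pointer panic in the
  	// event processor.
  	if e == nil {
  		return fmt.Errorf("Event must not be nil")
  	}
  	if err := openstack.Connect(e.EventData.TenantID, e.EventData.UserName); err != nil {
  		return err
  	}

  	// Ask neutron for the port list and group the addresses by security group.
  	// NOTE(review): GetPortList returns no error at this call site, so an
  	// empty result cannot be told apart from a failed listing here; an
  	// empty map leads to no log lines downstream. Confirm how
  	// GetPortList reports failures.
  	ipsByGroup := make(map[string][]string)
  	for _, port := range openstack.GetPortList() {
  		ipsByGroup[port.securityGroup] = append(ipsByGroup[port.securityGroup], port.ipAddress)
  	}
  	e.IPs = ipsByGroup
  	return nil
  }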
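  // FormatLogs builds the JSON log lines for a security group rule change, one
  // line per IP address recorded in e.IPs for the changed security group.
  //
  // The raw event is decoded, stamped with the processor's change type, the
  // OselVersion source type and the local host name, and then marshalled once
  // per affected address. An address that appears in scannedIPAddresses carries
  // the event's Qualys scan ID and scan error; every other address is logged
  // with an empty scan ID and the error "Not scanned by Qualys".
  //
  // It returns an error when e is nil, when e.RawData cannot be decoded, when
  // the host name cannot be read, or when marshalling fails. No lines are
  // returned when e.IPs holds no addresses for the rule's security group.
  func (s EventSecurityGroupRuleChange) FormatLogs(e *Event, scannedIPAddresses []string) ([]string, error) {
  	var logLines []string
  	if e == nil {
  		return logLines, fmt.Errorf("Event must not be nil")
  	}

  	var es osSecurityGroupRuleChange
  	if err := json.Unmarshal(e.RawData, &es); err != nil {
  		return logLines, err
  	}
  	hostName, err := os.Hostname()
  	if err != nil {
  		return nil, err
  	}

  	es.Payload.ChangeType = s.ChangeType
  	es.Payload.SourceType = OselVersion
  	es.Payload.SourceMessageBus = hostName

  	// Wrapping every address in '|' makes the substring test below match
  	// whole addresses only, never a prefix or suffix of a longer one.
  	scanned := "|" + strings.Join(scannedIPAddresses, "|") + "|"

  	for _, addr := range e.IPs[es.Payload.SecurityGroupRule.SecurityGroupID] {
  		// An empty address must never count as scanned: with an empty scan
  		// list the joined string is "||", which would otherwise match it and
  		// attach a scan ID to an address that was never scanned.
  		if addr != "" && strings.Contains(scanned, "|"+addr+"|") {
  			es.Payload.QualysScanID = e.QualysScanID
  			es.Payload.QualysScanError = e.QualysScanError
  		} else {
  			es.Payload.QualysScanID = ""
  			es.Payload.QualysScanError = "Not scanned by Qualys"
  		}
  		es.Payload.AffectedIPAddr = addr

  		line, err := json.Marshal(es.Payload)
  		if err != nil {
  			return nil, err
  		}
  		logLines = append(logLines, string(line))
  	}
  	return logLines, nil
  }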