From 75747824e9c7893b59319aede7101b2540957a1a Mon Sep 17 00:00:00 2001
From: Stephane de Labrusse
Date: Fri, 20 Sep 2024 09:49:48 +0200
Subject: [PATCH] Add tainted nextcloud-logs.yaml parser to crowdsec.service (#54)
* Add tainted nextcloud-logs.yaml parser NethServer/dev#7018
---
 imageroot/actions/create-module/90reload | 12 +++++++
 imageroot/bin/expand-configuration | 6 +++-
 imageroot/tainted/nextcloud-logs.yaml | 41 ++++++++++++++++++++++++
 3 files changed, 58 insertions(+), 1 deletion(-)
 create mode 100755 imageroot/actions/create-module/90reload
 create mode 100644 imageroot/tainted/nextcloud-logs.yaml
diff --git a/imageroot/actions/create-module/90reload b/imageroot/actions/create-module/90reload
new file mode 100755
index 0000000..be1be98
--- /dev/null
+++ b/imageroot/actions/create-module/90reload
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+#
+# Copyright (C) 2024 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+
+set -e
+exec 1>&2 # Send any output to stderr, to not alter the action response protocol
+
+# We have introduced a tainted configuration file, we need to reload the service
+systemctl reload ${MODULE_ID}.service
diff --git a/imageroot/bin/expand-configuration b/imageroot/bin/expand-configuration
index a3dbc5a..d3ea478 100755
--- a/imageroot/bin/expand-configuration
+++ b/imageroot/bin/expand-configuration
@@ -6,10 +6,10 @@
 #
 import os
-import json
 import agent
 import agent.tasks
 import re
+import shutil
 from jinja2 import Environment, FileSystemLoader, select_autoescape
@@ -160,3 +160,7 @@ if whitelists:
 output = template.render(properties)
 with open("crowdsec_config/postoverflows/s01-whitelist/nethserver-postoverflows-whitelists.yaml","w") as f:
 f.write(output)
+
+## expand the tainted configuration files
+os.makedirs("crowdsec_config/hub/parsers/s01-parse/crowdsecurity", exist_ok=True)
+shutil.copyfile("../tainted/nextcloud-logs.yaml", "crowdsec_config/hub/parsers/s01-parse/crowdsecurity/nextcloud-logs.yaml")
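Review bot: `systemctl reload ${MODULE_ID}.service` on the last line of the 90reload hunk expands an unquoted, unguarded variable; if `MODULE_ID` is empty the script runs `systemctl reload .service` and, under `set -e`, the create-module action aborts with a misleading unit name. Guard and quote it: `systemctl reload "${MODULE_ID:?}.service"`. It is also worth confirming that the unit is already active when this create-module step runs, because `reload` on an inactive unit is an error and `set -e` would turn it into a failed action; if that is not guaranteed, `systemctl try-reload-or-restart` does nothing for units that are not running.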
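Review bot: The `shutil.copyfile` on the last line of the second expand-configuration hunk hard-codes a single file while the comment above it speaks of tainted configuration files in the plural, so every parser later added to `imageroot/tainted/` also needs an edit here, and a typo in the duplicated destination file name is only noticed when crowdsec fails to load it. Copying every `.yaml` found in the source directory keeps the script and the directory in sync; the snippet below does that with the names the file already imports (`os`, `shutil`). The `../tainted` source path is resolved against the process working directory, like the existing `crowdsec_config/...` destinations, so it presumably relies on the action runner's cwd convention — a one-line comment stating that assumption would help. The hunk header names the enclosing `if whitelists:` block, which starts before the hunk; whether the new lines belong to it cannot be seen here.
```python
## expand the tainted configuration files
tainted_dir = "../tainted"
parsers_dir = "crowdsec_config/hub/parsers/s01-parse/crowdsecurity"
os.makedirs(parsers_dir, exist_ok=True)
for name in sorted(os.listdir(tainted_dir)):
    if name.endswith(".yaml"):
        shutil.copyfile(os.path.join(tainted_dir, name), os.path.join(parsers_dir, name))
```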
diff --git a/imageroot/tainted/nextcloud-logs.yaml b/imageroot/tainted/nextcloud-logs.yaml
new file mode 100644
index 0000000..07fd872
--- /dev/null
+++ b/imageroot/tainted/nextcloud-logs.yaml
@@ -0,0 +1,41 @@
+---
+onsuccess: next_stage
+filter: "Upper(evt.Parsed.program) == 'NEXTCLOUD-APP'"
+name: crowdsecurity/nextcloud-logs
+description: "Parse nextcloud logs"
+pattern_syntax:
+ NEXTCLOUD_USER: '[a-zA-Z0-9\.\@\-\+_%]+'
+nodes:
+ - grok:
+ pattern: 'Login failed: %{NEXTCLOUD_USER:target_user} \(Remote IP: %{IP:source_ip}\)'
+ apply_on: message
+ statics:
+ - meta: target_user
+ expression: "evt.Parsed.target_user"
+ - meta: log_type
+ value: nextcloud_failed_auth
+ - grok:
+ pattern: 'Bruteforce attempt from \\?"%{IP:source_ip}\\?" detected for action \\?"%{DATA:action}\\?"'
+ apply_on: message
+ statics:
+ - meta: action
+ expression: "evt.Parsed.action"
+ - meta: log_type
+ value: nextcloud_bruteforce_attempt
+
+#{"reqId":"dCA39mNG3NHLwbibVCFp","level":1,"time":"2023-02-14T17:28:33+00:00","remoteAddr":"172.18.0.200","user":"--","app":"core","method":"GET","url":"/","message":"Trusted domain error. \"172.18.0.200\" tried to access using \"kloot.ronsmans.eu\" as host.","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/109.0","version":"25.0.3.2","data":{"app":"core"}}
+
+ - grok:
+ pattern: 'Trusted domain error. \\"%{IP:source_ip}\\".*'
+ apply_on: message
+ statics:
+ - meta: log_type
+ value: nextcloud_domain_error
+
+statics:
+ - meta: service
+ value: nextcloud
+ - meta: source_ip
+ expression: "evt.Parsed.source_ip"
+ - target: evt.StrTime
+ expression: "evt.Parsed.time_local"
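Review bot: The `NEXTCLOUD_USER` class in `pattern_syntax` excludes spaces, so a failed login for a user id that contains one never matches the first grok node and that event is not tagged `nextcloud_failed_auth`; Nextcloud appears to permit spaces in user ids, so widening the class to `NEXTCLOUD_USER: '[a-zA-Z0-9\.\@\-\+_% ]+'` (the literal ` \(Remote IP:` that follows still bounds the match) closes that gap. The commented sample log line between the second and third node carries what looks like a real host name and client address copied from a production log; replace them with placeholder values before this ships in a package. The closing `statics` entry sets `evt.StrTime` from `evt.Parsed.time_local`, which none of the nodes in this file capture, so it presumably depends on an earlier-stage parser having filled it — a one-line comment naming that expectation would help the next maintainer. The `filter` on `Upper(evt.Parsed.program)` likewise assumes an earlier stage set `program`, and the same comment can cover it.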