Django Audit Wazuh
An audit application, as simple as possible, with a good logging system for security purposes. You get a JSON file that can be processed by a SIEM such as Wazuh or OSSEC.
Features
- login, logout and brute-force attempts.
Todo
- other critical django.security messages; needs more testing with regular unit tests.
Setup
pip install django-audit
# or
pip install git+https://github.com/peppelinux/django-audit.git
Configuration
In settings.py:
- add "auditing" to INSTALLED_APPS
- add a middleware as follows (not mandatory!)
- configure logging as follows
Results
You get a file containing all the relevant events in JSON format, such as:
{"timestamp": "2020-04-21 13:05:01,238", "msg": "Django Login failed", "username": "dsfsdf", "url": "http://localhost:8000/gestionelogin/?next=/gestione", "data.srcip": "127.0.0.1", "path": "/gestionelogin/?next=/gestione", "Content-Length": "132", "Content-Type": "application/x-www-form-urlencoded", "Host": "localhost:8000", "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Origin": "http://localhost:8000", "Connection": "keep-alive", "Referer": "http://localhost:8000/gestionelogin/?next=/gestione", "Cookie": "csrftoken=pTG3UCHtiE0q4PNectVIH4hbezbqL2O2tvWx97rY8zwOxigSzG9unl2tqELzMhpM; cookieconsent_status=dismiss", "Upgrade-Insecure-Requests": "1", "level": "WARNING", "name": "auditing", "path": "__init__.py.login_failed_logger:23", "@source":"django-audit"}
{"timestamp": "2020-04-21 13:05:33,521", "msg": "Django Login successful", "username": "wert", "url": "http://localhost:8000/gestionelogin/?next=/gestione", "data.srcip": "127.0.0.1", "path": "/gestionelogin/?next=/gestione", "Content-Length": "131", "Content-Type": "application/x-www-form-urlencoded", "Host": "localhost:8000", "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Origin": "http://localhost:8000", "Connection": "keep-alive", "Referer": "http://localhost:8000/gestionelogin/?next=/gestione", "Cookie": "csrftoken=pTG3UCHtiE0q4PNectVIH4hbezbqL2O2tvWx97rY8zwOxigSzG9unl2tqELzMhpM; cookieconsent_status=dismiss", "Upgrade-Insecure-Requests": "1", "level": "INFO", "name": "auditing", "path": "__init__.py.login_logger:16", "@source":"django-audit"}
{"timestamp": "2020-04-21 13:05:36,582", "msg": "Django Logout successful", "username": "wert", "url": "http://localhost:8000/gestionelogout/", "data.srcip": "127.0.0.1", "path": "/gestionelogout/", "Content-Type": "text/plain", "Host": "localhost:8000", "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "keep-alive", "Referer": "http://localhost:8000/gestione", "Cookie": "csrftoken=e50mIQ4NWKYjDKBKA9a1iFufQuRv2W8LKAWnIjm4meXhiCSWPHzxfkrllMeNVqDR; cookieconsent_status=dismiss; sessionid=cxu3hfono6t6p1dl70q80836pe292ri3", "Upgrade-Insecure-Requests": "1", "level": "INFO", "name": "auditing", "path": "__init__.py.logout_logger:30", "@source":"django-audit"}
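The lines above are exactly what a SIEM rule keys on. As an added example (not code from django-audit or its Wazuh ruleset), the following script reads such a file and flags any source IP with repeated "Django Login failed" events inside a sliding time window, which is the brute-force condition the Features section refers to. The sample lines are constructed in the same layout with most request headers dropped; `203.0.113.7`, the threshold and the window are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the django-audit JSON layout (headers trimmed);
# the last line is deliberately not JSON to show that it is skipped.
SAMPLE_LOG = """\
{"timestamp": "2020-04-21 13:05:01,238", "msg": "Django Login failed", "username": "admin", "data.srcip": "203.0.113.7", "level": "WARNING", "name": "auditing", "@source": "django-audit"}
{"timestamp": "2020-04-21 13:05:03,101", "msg": "Django Login failed", "username": "root", "data.srcip": "203.0.113.7", "level": "WARNING", "name": "auditing", "@source": "django-audit"}
{"timestamp": "2020-04-21 13:05:04,990", "msg": "Django Login failed", "username": "wert", "data.srcip": "203.0.113.7", "level": "WARNING", "name": "auditing", "@source": "django-audit"}
{"timestamp": "2020-04-21 13:05:33,521", "msg": "Django Login successful", "username": "wert", "data.srcip": "127.0.0.1", "level": "INFO", "name": "auditing", "@source": "django-audit"}
{"timestamp": "2020-04-21 13:09:36,582", "msg": "Django Login failed", "username": "wert", "data.srcip": "203.0.113.7", "level": "WARNING", "name": "auditing", "@source": "django-audit"}
not json at all
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S,%f"  # django-audit's timestamp layout


def parse_events(text):
    """Yield django-audit events; skip non-JSON lines and other sources."""
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except ValueError:
            continue
        if ev.get("@source") != "django-audit":
            continue
        ev["ts"] = datetime.strptime(ev["timestamp"], TS_FORMAT)
        yield ev


def find_bruteforce(text, threshold=3, window=timedelta(minutes=2)):
    """Return {srcip: (first_ts, last_ts, count)} for every source IP with at
    least `threshold` failed logins inside `window` (largest burst kept)."""
    failures = defaultdict(list)
    for ev in parse_events(text):
        if ev.get("msg") == "Django Login failed":
            failures[ev["data.srcip"]].append(ev["ts"])
    hits = {}
    for ip, stamps in failures.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold and count > hits.get(ip, (0, 0, 0))[2]:
                hits[ip] = (stamps[start], ts, count)
    return hits


if __name__ == "__main__":
    for ip, (first, last, n) in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins between {first} and {last}")
```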
Tuning
The audit middleware can log everything between the HTTP request and its following response. These are the settings variables you can override:
import http
from django.conf import settings

# for i in http.HTTPStatus: print(i, i.value)
# response status codes that get logged: everything but the usual
# success and redirect codes, unless overridden in settings.py
AUDIT_RESPONSE_HTTPCODES = getattr(settings,
    'AUDIT_RESPONSE_HTTPCODES',
    [i.value for i in http.HTTPStatus if i not in (200, 201, 202, 301, 302)])

# POST fields never written to the log: prevents reading the password in clear
AUDIT_REQUEST_POST_IGNORED = ('password', )
Wazuh configuration
- copy the content of wazuh-ruleset/27081-django_decoders.xml into /var/ossec/etc/decoders/local_decoder.xml
- copy the content of wazuh-ruleset/27081-django_rules.xml into your local rules file in the same way
- test the triggers with /var/ossec/bin/ossec-logtest: paste a log line on stdin and look at the events
- create an agent group called django: /var/ossec/bin/agent_groups -a -g django
- edit the agent group configuration /var/ossec/etc/shared/django/agent.conf this way:
  <localfile>
    <location>ABSOLUTE_PATH_TO_YOUR_DJANGO_AUDIT_LOG.json</location>
    <log_format>json</log_format>
    <label key="@source">django-audit</label>
  </localfile>
- add the agent to this group: /var/ossec/bin/agent_groups -a -i 014 -g django
- check when it gets synced: /var/ossec/bin/agent_groups -S -i 014
- restart the Wazuh manager to reload the ruleset: service wazuh-manager restart
GeoIP
On the Wazuh manager, edit /usr/share/filebeat/module/wazuh/alerts/ingest/pipeline.json and add the new IP field with the other geolocation fields in the processors:
{
"geoip": {
"field": "srcip",
"target_field": "GeoLocation",
"properties": ["city_name", "country_name", "region_name", "location"],
"ignore_missing": true,
"ignore_failure": true
}
},
We now need to delete the current pipeline. In Kibana, click the wrench icon to open Dev Tools, then run:
DELETE _ingest/pipeline/filebeat-7.6.2-wazuh-alerts-pipeline
Then restart Filebeat on the Wazuh manager:
systemctl restart filebeat
License
Apache
Author
Giuseppe De Marco giuseppe.demarco@unical.it
Credits
Garrlab Wazuh SIEM crew