Created a rules class to contain the rule generation logic.

May need to create a second class for the elastalert rules that contains the elastalert/templates/config.yaml.erb boilerplate.
ts
2020-01-15 16:17:53 +00:00
parent ba8d406d01
commit a9a4259221
4 changed files with 69 additions and 17 deletions

lib/helpers/rules.rb Normal file

@@ -0,0 +1,52 @@
require_relative './print.rb'
class Rules
# Generate audit and alerting rules
# @type current valid values are ['elastalert', 'auditbeat']
def self.generate_rules(type, mod)
rules = []
if type == 'elastalert'
mod.goals.keys.each do |key|
case key
when 'read_file'
when 'write_file'
when 'access_account'
else
end
end
elsif type == 'auditbeat'
mod.goals.keys.each do |key|
case key
when 'read_file'
# Generate auditbeat read_file rules based on paths
read_files = mod.goals[key]
read_files.each do |path|
rules << greedy_auditbeat_rule(path, 'r')
end
when 'write_file'
# TODO: do something
read_files = mod.goals[key]
read_files.each do |path|
rules << greedy_auditbeat_rule(path, 'w')
end
when 'access_account'
else
Print.err('Unknown goal type')
raise
end
end
else
Print.err("Error, no valid rule type specified")
raise
end
rules.join("\n")
end
# Generates a greedy read or write rule for auditbeat (e.g. /home/user/file_name resolves to /home)
def self.greedy_auditbeat_rule(path, r_w)
base_path = path.split('/')[0..1].join('/') + '/'
key = base_path.gsub(/[^A-Za-z0-9\-\_]/, '')
"-w #{base_path} -p -#{r_w} -k #{key}"
end
end
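Review bot: The bare `raise` after `Print.err('Unknown goal type')` and after the "no valid rule type specified" message is outside any rescue, so it raises a RuntimeError whose message is just "unhandled exception" and the rejected key or type never reaches the caller; raise a typed error carrying the value instead, `raise ArgumentError, "Unknown goal type: #{key}"` and `raise ArgumentError, "No valid rule type specified: #{type.inspect}"`, which also makes the preceding Print.err lines redundant. Every `when` in the 'elastalert' branch has an empty body, so generate_rules returns "" for that type with no indication that nothing was produced; a `# TODO: elastalert rules are not generated yet — this branch returns an empty string` comment on the branch keeps the caller honest until the second class mentioned in the commit message exists. In greedy_auditbeat_rule both the watch path and the `-k` key are built from only the first path component, so several read_file goals under the same directory produce byte-identical lines; `rules.uniq.join("\n")` avoids emitting duplicate audit rules. The path is interpolated into the rule line unquoted, so a relative path or one containing whitespace yields a rule that watches the wrong object or carries extra tokens; a guard such as `raise ArgumentError, "expected absolute path: #{path}" unless path.start_with?('/')` at the top of greedy_auditbeat_rule documents that assumption. If the `-p -#{r_w}` fragment is meant as auditctl's permission filter, auditctl expects the letters without a leading dash (`-p r`), though the template this replaces used the same form, so this may be deliberate and is worth confirming against the auditbeat rule syntax in use.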


@@ -1,5 +1,6 @@
require 'erb'
require_relative '../helpers/constants.rb'
require_relative '../helpers/rules.rb'
require_relative 'xml_scenario_generator.rb'
require_relative 'xml_marker_generator.rb'
require_relative 'ctfd_generator.rb'
@@ -109,11 +110,18 @@ class ProjectFilesCreator
end
end
# Create auto-grading rules file from goals for each VM
rules_file = "#{path}/modules/auditbeat/files/secgen_rules_file.yaml"
Print.std "Creating Autograding rules file: #{rules_file}"
template_based_file_write(GRADING_RULES_TEMPLATE_FILE , rules_file)
# TODO: Need to create elastalert audit rules.yaml also
# Create auto-grading config files
# auditbeat_rules_file = "#{path}/modules/auditbeat/files/secgen_rules_file.yaml" -- TODO: Add me back in once the rules look correct
@rule_type = 'auditbeat'
auditbeat_rules_file = "#{path}/auditbeat_rules_file.yaml"
Print.std "Creating client side auditing rules: #{auditbeat_rules_file}"
template_based_file_write(GRADING_RULES_TEMPLATE_FILE, auditbeat_rules_file)
@rule_type = 'elastalert'
elastalert_rules_file = "#{path}/elastalert_rules_file.yaml"
Print.std "Creating server side alerting rules: #{auditbeat_rules_file}"
template_based_file_write(GRADING_RULES_TEMPLATE_FILE, elastalert_rules_file)
end
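Review bot: The log line before the elastalert write prints the wrong file: `Print.std "Creating server side alerting rules: #{auditbeat_rules_file}"` should interpolate `elastalert_rules_file`, otherwise anyone reading the output will look for the alerting rules in the auditbeat file. Both writes render the same GRADING_RULES_TEMPLATE_FILE and differ only through the `@rule_type` instance variable that the template reads from the binding; that coupling is invisible at the call site, so a comment such as `# @rule_type is read by the grading-rules ERB template to choose auditbeat or elastalert output` above the first assignment would help the next reader. The enclosing method begins before the hunk, so it is not visible here whether `@rule_type` is reset afterwards.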


@@ -1,14 +1,6 @@
<% require './lib/helpers/rules'-%>
<% @currently_processing_system.module_selections.each do |module_selection| -%>
<% if module_selection.goals != [] -%>
<% if module_selection.goals['read_file'] -%>
<% module_selection.goals['read_file'].each do |rf_path| -%>
<%= "-w #{rf_path} -p -r -k #{module_selection.get_unique_rule_id(@options[:prefix], @currently_processing_system.name, 'rf', rf_path)}" %>
<% end -%>
<% end -%>
<%# if module_selection.goals['access_account'] -%>
<%# module_selection.goals['access_account'].each do |aa_value| -%>
<%#= ""-%>
<%# end -%>
<%# end -%>
<% if module_selection.goals != {} -%>
<%= Rules.generate_rules(@rule_type, module_selection) %>
<% end -%>
<% end -%>
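Review bot: The new guard `<% if module_selection.goals != {} -%>` replaces the removed `!= []` check, and if goals can still be an empty Array, as that removed guard suggests, the new condition lets it through to `Rules.generate_rules`, where `mod.goals.keys` raises NoMethodError; `<% unless module_selection.goals.nil? || module_selection.goals.empty? -%>` handles both shapes. The `<% require './lib/helpers/rules'-%>` line resolves against the process working directory rather than the template's location, so it only works when the generator is launched from the repository root; since the project-files creator in this commit already does `require_relative '../helpers/rules.rb'`, the require in the template can be dropped. Whether goals is ever an Array cannot be confirmed from this hunk.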


@@ -5,7 +5,7 @@ rules_folder: /opt/elastalert/rules/
# How often ElastAlert will query Elasticsearch
# The unit can be anything from weeks to seconds
run_every:
seconds: 2
seconds: 1
# ElastAlert will buffer results from the most recent
# period of time, in case some log sources are not in real time
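Review bot: Halving run_every to one second doubles the query rate ElastAlert puts on Elasticsearch, and neither the hunk nor the commit message says why the faster interval is needed; a short comment next to the value, `# 1s keeps alert latency low for grading; raise it if Elasticsearch load becomes a problem`, records the intent. Whether the buffer period configured below was adjusted to match cannot be seen in this hunk.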