From 6d1a0c07f3077b58852c4c7b433debe74f4b4b02 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Thu, 26 Mar 2020 22:29:37 -0400
Subject: [PATCH] Support Dell RSA SecureID

---
 docs/sources/Dell_RSA/index.md | 55 ++++++
 mkdocs.yml | 1 +
 .../etc/conf.d/filters/dell/rsa_secureid.conf | 5 +
 package/etc/conf.d/filters/infoblox/ddi.conf | 1 -
 .../log_paths/lp-dell_rsa_secureid.conf.tmpl | 128 +++++++++++++
 .../splunk_index.csv.example | 1 +
 .../vendor_product_by_source.conf.example | 4 +
 .../vendor_product_by_source.csv.example | 1 +
 tests/test_dell_rsa_secureid.py | 170 ++++++++++++++++++
 9 files changed, 365 insertions(+), 1 deletion(-)
 create mode 100644 docs/sources/Dell_RSA/index.md
 create mode 100644 package/etc/conf.d/filters/dell/rsa_secureid.conf
 create mode 100644 package/etc/conf.d/log_paths/lp-dell_rsa_secureid.conf.tmpl
 create mode 100644 tests/test_dell_rsa_secureid.py

diff --git a/docs/sources/Dell_RSA/index.md b/docs/sources/Dell_RSA/index.md
new file mode 100644
index 0000000..e442ae0
--- /dev/null
+++ b/docs/sources/Dell_RSA/index.md
@@ -0,0 +1,55 @@
+# Vendor - Dell RSA
+
+
+## Product - SecureID
+
+| Ref | Link |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Splunk Add-on | https://splunkbase.splunk.com/app/2958/ |
+| Product Manual | http://docs.splunk.com/Documentation/AddOns/latest/RSASecurID/About |
+
+
+### Sourcetypes
+
+| sourcetype | notes |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| rsa:securid:syslog | Catch all used if a more specific source type can not be identified |
+| rsa:securid:admin:syslog | None |
+| rsa:securid:runtime:syslog | None | rsa:securid:system:syslog | None |
+| nix:syslog | None |
+
+### Sourcetype and Index Configuration
+
+| key | sourcetype | index | notes |
+|----------------|----------------|----------------|----------------|
+| dell_rsa_secureid | all | netauth | none |
+| dell_rsa_secureid | nix:syslog | osnix | uses os_nix key of not configured bye host/ip/port |
+
+### Filter type
+
+Must be identified by host or ip assignment. Update the filter `f_dell_rsa_secureid` or configure a dedicated port as required
+
+NOTE: Java trace and exception will default to sc4s:fallback if the host/ip filter or port is not configured
+
+### Setup and Configuration
+
+* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
+* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source.
+* Refer to the admin manual for specific details of configuration
+
+### Options
+
+| Variable | default | description |
+|----------------|----------------|----------------|
+| SC4S_LISTEN_DELL_RSA_SECUREID_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
+| SC4S_LISTEN_DELL_RSA_SECUREID_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined |
+| SC4S_ARCHIVE_DELL_RSA_SECUREID | no | Enable archive to disk for this specific source |
+| SC4S_DEST_DELL_RSA_SECUREID_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
+
+### Verification
+
+An active device will generate frequent events. Use the following search to validate events are present per source device
+
+```
+index= sourcetype=DELL_RSA_SECUREID:*| stats count by host
+```
diff --git a/mkdocs.yml b/mkdocs.yml
index f9d264e..9fdee03 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -19,6 +19,7 @@ nav:
 - Citrix: sources/Citrix/index.md
 - "Common Event Format": sources/CommonEventFormat/index.md
 - CyberArk: sources/CyberArk/index.md
+ - "Dell RSA": sources/Dell_RSA/index.md
 - Forcepoint: sources/Forcepoint/index.md
 - Fortinet: sources/Fortinet/index.md
 - Imperva: sources/Imperva/index.md
diff --git a/package/etc/conf.d/filters/dell/rsa_secureid.conf b/package/etc/conf.d/filters/dell/rsa_secureid.conf
new file mode 100644
index 0000000..d94c864
--- /dev/null
+++ b/package/etc/conf.d/filters/dell/rsa_secureid.conf
@@ -0,0 +1,5 @@
+filter f_dell_rsa_secureid {
+ message('\.com\.rsa\.')
+ or
+ match("^dell_rsa_secureid", value("fields.sc4s_vendor_product"));
+};
\ No newline at end of file
diff --git a/package/etc/conf.d/filters/infoblox/ddi.conf b/package/etc/conf.d/filters/infoblox/ddi.conf
index f131781..6080c5b 100644
--- a/package/etc/conf.d/filters/infoblox/ddi.conf
+++ b/package/etc/conf.d/filters/infoblox/ddi.conf
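Review bot: The `message('\.com\.rsa\.')` alternative classifies an event arriving on the shared default port as RSA SecurID on message content alone, so the documented "must be identified by host or ip assignment" requirement is effectively optional for these lines: any sender whose syslog body contains `.com.rsa.` anywhere (the prefix is RSA's Java package namespace and may also appear in other products that embed RSA libraries) is rewritten to `dell_rsa_secureid` and lands in the `netauth` index as authentication data. The pattern is unanchored and the later log path already assumes a fixed line shape (date, ms, host, logger class), so if the content match is meant as a fallback it should at least be tied to that shape, e.g. `message('^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d+, [^,]+, (audit|system)\.[^,]*com\.rsa\.')`. A one-line comment such as `# content match is a fallback; prefer host()/netmask() in vendor_product_by_source.conf` would make the intended precedence explicit to whoever tunes this filter.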
@@ -1,4 +1,3 @@
 filter f_infoblox {
 match("^infoblox", value("fields.sc4s_vendor_product"));
-
 };
\ No newline at end of file
diff --git a/package/etc/conf.d/log_paths/lp-dell_rsa_secureid.conf.tmpl b/package/etc/conf.d/log_paths/lp-dell_rsa_secureid.conf.tmpl
new file mode 100644
index 0000000..2b9467f
--- /dev/null
+++ b/package/etc/conf.d/log_paths/lp-dell_rsa_secureid.conf.tmpl
@@ -0,0 +1,128 @@
+# DELL_RSA_SECUREID
+{{- /* The following provides a unique port source configuration if env var(s) are set */}}
+{{- $context := dict "port_id" "DELL_RSA_SECUREID" "parser" "rfc3164" }}
+{{- tmpl.Exec "t/source_network.t" $context }}
+
+log {
+ junction {
+{{- if or (or (getenv (print "SC4S_LISTEN_DELL_RSA_SECUREID_TCP_PORT")) (getenv (print "SC4S_LISTEN_DELL_RSA_SECUREID_UDP_PORT"))) (getenv (print "SC4S_LISTEN_DELL_RSA_SECUREID_TLS_PORT")) }}
+ channel {
+ # Listen on the specified dedicated port(s) for DELL_RSA_SECUREID traffic
+ source (s_DELL_RSA_SECUREID);
+ flags (final);
+ };
+{{- end}}
+ channel {
+ # Listen on the default port (typically 514) for DELL_RSA_SECUREID traffic
+ source (s_DEFAULT);
+ filter(f_is_rfc3164);
+ filter(f_dell_rsa_secureid);
+ flags(final);
+ };
+ };
+ if {
+ filter{
+ message('\.com\.rsa\.');
+ };
+ parser {
+ #basic parsing
+
+ #we need to actual even time from the field GeneratedTime. Use csv-parser to extract it.
+ csv-parser(
+ columns("time","ms","HOST","type")
+ prefix(".rsa.")
+ delimiters(',')
+ );
+ #2012/04/10 04:39:55
+ #parse the date
+ date-parser-nofilter(format(
+ '%Y-%m-%d %H:%M:%S,%f')
+ template("${.rsa.time},${.rsa.ms}")
+ );
+ };
+ if {
+ filter{match('audit\.admin' value('.rsa.type'))};
+ rewrite {
+ set("dell_rsa_secureid", value("fields.sc4s_vendor_product"));
+ r_set_splunk_dest_default(sourcetype("rsa:securid:admin:syslog"), index("netauth"))
+ };
+ parser { p_add_context_splunk(key("dell_rsa_secureid")); };
+ } elif {
+ filter{match('system\.com\.rsa|,\s+system\.erationsconsole' value('.rsa.type'))};
+ rewrite {
+ set("dell_rsa_secureid", value("fields.sc4s_vendor_product"));
+ r_set_splunk_dest_default(sourcetype("rsa:securid:system:syslog"), index("netauth"))
+ };
+ parser { p_add_context_splunk(key("dell_rsa_secureid")); };
+ } elif {
+ filter{match('audit\.runtime\.com\.rsa' value('.rsa.type'))};
+ rewrite {
+ set("dell_rsa_secureid", value("fields.sc4s_vendor_product"));
+ r_set_splunk_dest_default(sourcetype("rsa:securid:runtime:syslog"), index("netauth"))
+ };
+ parser { p_add_context_splunk(key("dell_rsa_secureid")); };
+ } else {
+ rewrite {
+ set("dell_rsa_secureid", value("fields.sc4s_vendor_product"));
+ r_set_splunk_dest_default(sourcetype("rsa:securid:syslog"), index("netauth"))
+ };
+ parser { p_add_context_splunk(key("dell_rsa_secureid")); };
+ };
+ parser (compliance_meta_by_source);
+ rewrite { set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); };
+ } elif {
+ filter{
+ program('...*')
+ and not program('at')
+ and not program('Caused')
+ };
+ rewrite {
+ set("dell_rsa_secureid", value("fields.sc4s_vendor_product"));
+ subst("^[^\t]+\t", "", value("MESSAGE"), flags("global"));
+ set("${PROGRAM}", value(".PROGRAM"));
+ subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM"));
+ r_set_splunk_dest_default(sourcetype("nix:syslog"), index("osnix"), source("program:${.PROGRAM}"))
+ };
+ parser { p_add_context_splunk(key("nix_syslog")); };
+ parser (compliance_meta_by_source);
+ rewrite { set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); };
+ } else {
+ parser {
+ grouping-by(
+ scope(host)
+ key('x')
+ timeout(1)
+ aggregate(
+ value("MESSAGE" "$(implode '\n' $(context-values ${LEGACY_MSGHDR}${MESSAGE}))")
+ )
+ );
+ };
+ rewrite {
+ set("dell_rsa_secureid", value("fields.sc4s_vendor_product"));
+ r_set_splunk_dest_default(sourcetype("rsa:securid:trace"), index("netauth"));
+ };
+ parser { p_add_context_splunk(key("nix_syslog")); };
+ parser (compliance_meta_by_source);
+ rewrite { set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); };
+
+ };
+
+
+{{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_DELL_RSA_SECUREID_HEC" "no")) }}
+ destination(d_hec);
+{{- end}}
+
+{{- if or (conv.ToBool (getenv "SC4S_ARCHIVE_GLOBAL" "no")) (conv.ToBool (getenv "SC4S_ARCHIVE_DELL_RSA_SECUREID" "no")) }}
+ destination(d_archive);
+{{- end}}
+
+{{- if (print (getenv "SC4S_DEST_GLOBAL_ALTERNATES")) }}
+ {{ getenv "SC4S_DEST_GLOBAL_ALTERNATES" | regexp.ReplaceLiteral "^" "destination(" | regexp.ReplaceLiteral "[, ]+" ");\n destination(" }});
+{{- end }}
+
+{{- if (print (getenv "SC4S_DEST_DELL_RSA_SECUREID_ALTERNATES")) }}
+ {{ getenv "SC4S_DEST_DELL_RSA_SECUREID_ALTERNATES" | regexp.ReplaceLiteral "^" "destination(" | regexp.ReplaceLiteral "[, ]+" ");\n destination(" }});
+{{- end }}
+
+ flags(flow-control,final);
+};
diff --git a/package/etc/context_templates/splunk_index.csv.example b/package/etc/context_templates/splunk_index.csv.example
index 5b598ff..6208569 100644
--- a/package/etc/context_templates/splunk_index.csv.example
+++ b/package/etc/context_templates/splunk_index.csv.example
@@ -21,6 +21,7 @@
 #cisco_ise,index,netauth
 #cisco_nx_os,index,netops
 #cisco_ucm,index,main
+#dell_rsa_secureid,index,netauth
 #citrix_netscaler,index,netfw
 #local_example,index,main
 #forcepoint_webprotect,index,netproxy
diff --git a/package/etc/context_templates/vendor_product_by_source.conf.example b/package/etc/context_templates/vendor_product_by_source.conf.example
index 9d73d47..9ccf5a4 100644
--- a/package/etc/context_templates/vendor_product_by_source.conf.example
+++ b/package/etc/context_templates/vendor_product_by_source.conf.example
@@ -15,6 +15,10 @@ filter f_citrix_netscaler {
 host("test_ctitrixns-*" type(glob))
 #or netmask(xxx.xxx.xxx.xxx/xx)
 };
+filter f_dell_rsa_secureid {
+ host("test_rsasecureid*" type(glob))
+ #or netmask(xxx.xxx.xxx.xxx/xx)
+};
 filter f_juniper_idp {
 host("jnpidp-*" type(glob))
 #or netmask(xxx.xxx.xxx.xxx/xx)
diff --git a/package/etc/context_templates/vendor_product_by_source.csv.example b/package/etc/context_templates/vendor_product_by_source.csv.example
index 38524ee..f49188e 100644
--- a/package/etc/context_templates/vendor_product_by_source.csv.example
+++ b/package/etc/context_templates/vendor_product_by_source.csv.example
@@ -3,6 +3,7 @@ f_brocade_syslog,sc4s_vendor_product,"brocade_syslog"
 f_catch_first,sc4s_vendor_product,"catch_first"
 f_cisco_meraki,sc4s_vendor_product,"cisco_meraki"
 f_citrix_netscaler,sc4s_vendor_product,"citrix_netscaler"
+f_dell_rsa_secureid,sc4s_vendor_product,"dell_rsa_secureid"
 f_infoblox,sc4s_vendor_product,"infoblox"
 f_juniper_nsm,sc4s_vendor_product,"juniper_nsm"
 f_juniper_nsm_idp,sc4s_vendor_product,"juniper_nsm_idp"
diff --git a/tests/test_dell_rsa_secureid.py b/tests/test_dell_rsa_secureid.py
new file mode 100644
index 0000000..a67f34a
--- /dev/null
+++ b/tests/test_dell_rsa_secureid.py
@@ -0,0 +1,170 @@
+# Copyright 2019 Splunk, Inc.
+#
+# Use of this source code is governed by a BSD-2-clause-style
+# license that can be found in the LICENSE-BSD2 file or at
+# https://opensource.org/licenses/BSD-2-Clause
+
+from jinja2 import Environment
+
+from .sendmessage import *
+from .splunkutils import *
+from .timeutils import *
+
+import pytest
+
+env = Environment()
+
+
+# <14>Mar 25 15:09:33 {{ host }} 2020-03-25 15:09:33,503, {{ host }}.example.net, audit.admin.com.rsa.authmgr.internal.admin.principalmgt.impl.AMPrincipalAdministrationImpl, INFO,
+# <11>Mar 25 15:04:54 {{ host }} 2020-03-25 15:04:54,485, {{ host }}.example.net, system.com.rsa.ims.configuration.impl.AuthorizationEnabledConfigurationServiceImpl, ERROR, xxxxx,xxxxx,10.0.0.1,10.0.0.1,CONF_READ,16153,FAIL,INSUFFICIENT_PRIVILEGE,xxxx-fnIz0FpnFNO0,xxxxx,xxx,xxx,xxxx,xxx,xxxx,0000-Global-0000,auth_manager.dashboard.hide.grpagent,,,,,
+# <14>Mar 25 15:09:14 {{ host }} 2020-03-25 15:09:14,094, {{ host }}.example.net, audit.runtime.com.rsa.ims.authn.impl.AuthenticationBrokerImpl, INFO, xxxxx,xxxxx,10.0.0.1,10.0.0.1,AUTHN_LOGIN_EVENT,13002,SUCCESS,AUTHN_METHOD_SUCCESS,xxxx-Dnj467rNRh++,xxxx,xxx,xxxx,xxx,xxx,xxx,xxxx,946367dcb9f859941af8aee9b2462acc,10.0.0.1,hst-xxxxx.example.net,7,000000000000000000002000f1022000,SecurID_Native,,,AUTHN_LOGIN_EVENT,5,1,,,,,xxxxxxx,xxxxxxxx8632,,
+
+
+testdata_admin = [
+ "{{ mark }}{{ bsd }} {{ host }} {{ date }} {{ rsatime }}, {{ host }}.example.net, audit.admin.com.rsa.authmgr.internal.admin.principalmgt.impl.AMPrincipalAdministrationImpl, INFO,",
+]
+@pytest.mark.parametrize("event", testdata_admin)
+def test_dell_rsa_secureid_admin(
+ record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event
+):
+ host = "test_rsasecureid-" + get_host_key
+
+ dt = datetime.datetime.now()
+ iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+ rsatime = dt.strftime("%H:%M:%S,%f")
+
+ # Tune time functions
+ epoch = epoch[:-7]
+
+ mt = env.from_string(event + "\n")
+ message = mt.render(mark="<166>", bsd=bsd, host=host, date=date, rsatime=rsatime)
+
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string(
+ 'search index=netauth _time={{ epoch }} sourcetype="rsa:securid:admin:syslog" (host="{{ host }}" OR "{{ host }}")'
+ )
+ search = st.render(epoch=epoch, host=host)
+
+ resultCount, eventCount = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", resultCount)
+ record_property("message", message)
+
+ assert resultCount == 1
+
+testdata_system = [
+ "{{ mark }}{{ bsd }} {{ host }} {{ date }} {{ rsatime }}, {{ host }}.example.net, system.com.rsa.ims.configuration.impl.AuthorizationEnabledConfigurationServiceImpl, ERROR, xxxxx,xxxxx,10.0.0.1,10.0.0.1,CONF_READ,16153,FAIL,INSUFFICIENT_PRIVILEGE,xxxx-fnIz0FpnFNO0,xxxxx,xxx,xxx,xxxx,xxx,xxxx,0000-Global-0000,auth_manager.dashboard.hide.grpagent,,,,,",
+]
+@pytest.mark.parametrize("event", testdata_system)
+def test_dell_rsa_secureid_system(
+ record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event
+):
+ host = "test_rsasecureid-" + get_host_key
+
+ dt = datetime.datetime.now()
+ iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+ rsatime = dt.strftime("%H:%M:%S,%f")
+
+ # Tune time functions
+ epoch = epoch[:-7]
+
+ mt = env.from_string(event + "\n")
+ message = mt.render(mark="<166>", bsd=bsd, host=host, date=date, rsatime=rsatime)
+
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string(
+ 'search index=netauth _time={{ epoch }} sourcetype="rsa:securid:system:syslog" (host="{{ host }}" OR "{{ host }}")'
+ )
+ search = st.render(epoch=epoch, host=host)
+
+ resultCount, eventCount = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", resultCount)
+ record_property("message", message)
+
+ assert resultCount == 1
+
+testdata_runtime = [
+ "{{ mark }}{{ bsd }} {{ host }} {{ date }} {{ rsatime }}, {{ host }}.example.net, audit.runtime.com.rsa.ims.authn.impl.AuthenticationBrokerImpl, INFO, xxxxx,xxxxx,10.0.0.1,10.0.0.1,AUTHN_LOGIN_EVENT,13002,SUCCESS,AUTHN_METHOD_SUCCESS,xxxx-Dnj467rNRh++,xxxx,xxx,xxxx,xxx,xxx,xxx,xxxx,946367dcb9f859941af8aee9b2462acc,10.0.0.1,hst-xxxxx.example.net,7,000000000000000000002000f1022000,SecurID_Native,,,AUTHN_LOGIN_EVENT,5,1,,,,,xxxxxxx,xxxxxxxx8632,,",
+]
+@pytest.mark.parametrize("event", testdata_runtime)
+def test_dell_rsa_secureid_runtime(
+ record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event
+):
+ host = "test_rsasecureid-" + get_host_key
+
+ dt = datetime.datetime.now()
+ iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+ rsatime = dt.strftime("%H:%M:%S,%f")
+
+ # Tune time functions
+ epoch = epoch[:-7]
+
+ mt = env.from_string(event + "\n")
+ message = mt.render(mark="<166>", bsd=bsd, host=host, date=date, rsatime=rsatime)
+
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string(
+ 'search index=netauth _time={{ epoch }} sourcetype="rsa:securid:runtime:syslog" (host="{{ host }}" OR "{{ host }}")'
+ )
+ search = st.render(epoch=epoch, host=host)
+
+ resultCount, eventCount = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", resultCount)
+ record_property("message", message)
+
+ assert resultCount == 1
+
+def test_dell_rsa_secureid_trace(
+ record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s
+):
+ host = "test_rsasecureid-" + get_host_key
+
+ events = [
+ '{{ mark }}{{ bsd }} {{ host }} Caused by: org.postgresql.util.PSQLException: The column index is out of range: 3, number of columns: 2.',
+ '{{ mark }}{{ bsd }} {{ host }} at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:131)',
+ '{{ mark }}{{ bsd }} {{ host }} at sun.reflect.GeneratedMethodAccessor250.invoke(Unknown Source)',
+ '{{ mark }}{{ bsd }} {{ host }} at weblogic.rmi.internal.wls.WLSExecuteRequest.run(WLSExecuteRequest.java:138)',
+ '{{ mark }}{{ bsd }} {{ host }} at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)',
+ '{{ mark }}{{ bsd }} {{ host }} at com.rsa.command.CommandServerEjb30_vraifm_CommandServerEjb30Impl.__WL_invoke(Unknown Source)',
+ '{{ mark }}{{ bsd }} {{ host }} at org.postgresql.core.v3.SimpleParameterList.setStringParameter(SimpleParameterList.java:118)',
+ '{{ mark }}{{ bsd }} {{ host }} Caused by: org.postgresql.util.PSQLException: The column index is out of range: 3, number of columns: 2.',
+ '{{ mark }}{{ bsd }} {{ host }} at weblogic.work.ExecuteThread.execute(ExecuteThread.java:420)',
+ '{{ mark }}{{ bsd }} {{ host }} at com.rsa.security.SecurityContext.doAs(SecurityContext.java:439)',
+ '{{ mark }}{{ bsd }} {{ host }} at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:133)',
+ '{{ mark }}{{ bsd }} {{ host }} at weblogic.work.SelfTuningWorkManagerImpl.runWorkUnderContext(SelfTuningWorkManagerImpl.java:652)',
+ '{{ mark }}{{ bsd }} {{ host }} at com.rsa.ims.command.LocalTransactionalCommandTarget$2.doInTransaction(LocalTransactionalCommandTarget.java:1)',
+ '{{ mark }}{{ bsd }} {{ host }} at org.jboss.weld.ejb.SessionBeanInterceptor.aroundInvoke(SessionBeanInterceptor.java:52)',
+ '{{ mark }}{{ bsd }} {{ host }} at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:531)',
+ '{{ mark }}{{ bsd }} {{ host }} at com.rsa.command.CommandServerEngine$CommandExecutor.run(CommandServerEngine.java:933)',
+ ]
+ dt = datetime.datetime.now()
+ iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+ rsatime = dt.strftime("%H:%M:%S,%f")
+
+ # Tune time functions
+ epoch = epoch[:-7]
+ for event in events:
+ mt = env.from_string(event + "\n")
+ message = mt.render(mark="<166>", bsd=bsd, host=host, date=date, rsatime=rsatime)
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string(
+ 'search index=netauth _time={{ epoch }} sourcetype="rsa:securid:trace" (host="{{ host }}" OR "{{ host }}")'
+ )
+ search = st.render(epoch=epoch, host=host)
+
+ resultCount, eventCount = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", resultCount)
+ record_property("message", message)
+
+ assert resultCount >0
\ No newline at end of file
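Review bot: The three positive tests cannot tell whether the log path's csv/date parsing actually works, because the syslog header (`{{ bsd }}`) and the embedded `{{ date }} {{ rsatime }}` are rendered from the same `dt` and the search appears to pin `_time={{ epoch }}` only to the second — the assertion passes whether the in-message timestamp or the header time wins; rendering the body from an offset such as `dt - datetime.timedelta(minutes=5)` and searching on that epoch would make the parse observable. `test_dell_rsa_secureid_admin`, `_system` and `_runtime` are otherwise identical apart from the expected sourcetype and could be one test parametrized over `(event, sourcetype)` pairs, as sketched below. In `test_dell_rsa_secureid_trace`, `record_property("message", message)` records only the last of the 16 lines and `assert resultCount >0` does not check that the lines were folded into one event, so a regression to one event per line would still pass. The runtime sample (in the header comment and in `testdata_runtime`) still carries a 32-hex identifier and a token-serial-looking value alongside the `xxxx` redactions; please confirm those are synthetic before they land in a public repository.

```python
testdata = [
    (testdata_admin[0], "rsa:securid:admin:syslog"),
    (testdata_system[0], "rsa:securid:system:syslog"),
    (testdata_runtime[0], "rsa:securid:runtime:syslog"),
]


@pytest.mark.parametrize("event,sourcetype", testdata)
def test_dell_rsa_secureid(
    record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event, sourcetype
):
    host = "test_rsasecureid-" + get_host_key
    # … unchanged: time setup, render and sendsingle …
    st = env.from_string(
        'search index=netauth _time={{ epoch }} sourcetype="{{ sourcetype }}" (host="{{ host }}" OR "{{ host }}")'
    )
    search = st.render(epoch=epoch, host=host, sourcetype=sourcetype)
    # … unchanged: splunk_single, record_property calls, assert resultCount == 1 …
```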