Perl | James Labocki's Blog

Posts Tagged ‘perl’

Splunk to Jira for PCI

Wednesday, February 25th, 2009

PCI DSS 10.6 requires that logs are reviewed on a daily basis. If the proper alerting mechanisms are in place you can bypass the need to look through thousands of lines of logs, but you still need a trail of what actions are taken after an alert is received.

PCI DSS 10.6

10.6
Are logs for all system components reviewed at least daily? Log reviews must include those servers that perform security functions like intrusion detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS). Note: Log harvesting, parsing, and alerting tools may be used to achieve compliance with Requirement 10.6.

I am using XMLRPC and a perl script to automatically create issues in Jira when a Splunk alert is triggered. Although you can use Splunk to perform log review by tagging events I thought it would be more beneficial to use our currently installed work flow system so that we don’t have to allow everyone to log into Splunk and we could use some of the other features inside of Jira as well. So what do you need to do to make this work?

1. Install necessary CPAN modules (assuming you already have perl) on your splunk server.

#cpan -e cpan> install XMLRPC::Lite ... cpan> install Data::Dumper ...

1.b Enable XMLRPC in Jira under administration -> Plugins -> RPC Plugin.

2. Copy the following script in $SPLUNK_HOME/bin/scripts/openJiraTicket.pl

#!/usr/bin/perl # # * Your search can trigger a shell script. # * Specify the name of the shell script to run. # * Place the script in $SPLUNK_HOME/bin/scripts. # * Command line arguments passed to the script are: # * $0 = script name. # * $1 = number of events returned. # * $2 = search terms. # * $3 = fully qualified query string. # * $4 = name of saved splunk. # * $5 = trigger reason (i.e. "The number of events was greater than 1"). # * $6 = link to saved search. # * $7 = a list of tags belonging to this saved search. # * $8 = file where the results for this search are stored (contains raw results). use strict; use warnings; # use XMLRPC::Lite; use Data::Dumper; # my $summary = $ARGV[3]; my $description = "An alert was triggered in splunk with the following information:" . "\n\nSearch String: " . $ARGV[1] . "\nNumber of Results:" . $ARGV[0] . "\nAlert Name:" . $ARGV[3] . "\nReason Alarm Triggered:" . $ARGV[4] . "\n\nLink to Search:" . $ARGV[5]; # my $jira = XMLRPC::Lite->proxy('http://jira.domain.com:8080/rpc/xmlrpc'); my $auth = $jira->call("jira1.login", "username", "password")->result(); my $call = $jira->call("jira1.createIssue", $auth, { 'project' => 'AI', 'type' => 30, 'summary' => $summary, 'description' => $description, 'assignee' => 'usertoassignto', }); my $fault = $call->fault(); if (defined $fault) { die $call->faultstring(); } else { print "issue created:\n"; print Dumper($call->result()); } $jira->call("jira1.logout", $auth);

3. Add a new input to your savedsearches.conf file in $SPLUNK_HOME/etc/system/local/savedsearches.conf. Note the action_script is set to openJiraTicket.pl which means whenever the relation field is met the script openJiraTicket.pl will be executed.

[PCIDSS-10_3_4-LinuxFailedLogins] action_email = linux.admins@domain.com action_rss = 0 action_script = openJiraTicket.pl counttype = number of events enableSched = 1 quantity = 0 relation = greater than role = productionLinux schedule = 0 * * * * search = index=production pam_unix failure startminutesago=60 sendresults = 1 userid = myuser

4. Now create a few failed login attempts via ssh to a server that is logging to Splunk and you should see an issue get opened in Jira by Splunk.

Some other enhancements that can be made to this setup are:

1. Creating an event inside of Splunk itself when the issue is opened in Jira. Then log when the Jira ticket is closed to Splunk as well and measure the variance in time of the opening and closing of issues as a KPI of the operations staff.

2. Extend the functionality of the perl script with an array (or maybe use sqlite) to match the alert name in Splunk to a component in Jira. This would allow you to compartmentalize the alerts into groups in Jira (i.e windows in one component, linux in another, network in another, etc).

3. Use encrypted password in the perl script and use XMLRPC over ssl. I will be doing this shortly. A quick howto

Encrypt your password file
openssl rand 32 -out key.temp openssl des3 -e -pass file:key.temp -in passwd -out passwd.enc openssl des3 -d pass file:key.dec -in passwd.enc -out passwd.dec openssl des3 -d -pass file:key.dec -in passwd.enc -out passwd.dec openssl des3 -d -pass file:key.temp -in passwd.enc -out passwd.dec

Unencrypt your password from within the script using the key. I learned chomp is VERY important
if ($enpasswd) { $passwd = `openssl des3 -d -pass file:/etc/pki/tls/private/dbi.key -in $enpasswd |awk NF`; chomp($passwd); }

Tags: alerting, jira, open issue, pci, perl, splunk, xmlrpc
Posted in Linux, Scripting, Technology | No Comments »

Audit Database Activity with Splunk or Syslog

Friday, February 20th, 2009

Here are the steps I took to audit database activity and get the data into Splunk. You could technically send this to any log repository capable of listening on a TCP socket. The challenge is that many RDBMS don’t allow you to get database information. Oracle is notorious for this (because they want you to purchase Database Vault). Of course if you don’t have money (like me) for that you can use this solution. You really need three things:

1. Install DBI and Oracle:DBD on the host that will be polling the database.
2. Grant a user who will run the script SELECT on dba_audit_trail table (or whatever table you want to poll and pull into splunk).
3. Setup the perl script with the proper inputs and encrypt the password file for no plain text on the file system.

1. Install DBD::Oracle on 64-bit Linux and Oracle 11g

DBD::Oracle 1.21 to install on a 64-bit Linux OS against the Oracle 11 full client. As root, we downloaded DBD::Oracle from CPAN.

# perl -MCPAN -eshell cpan> install DBI cpan> get DBD::Oracle ... # cd /root/.cpan/build/DBD-Oracle-1.21 # export ORACLE_HOME=actual value of Oracle Home # export ORACLE_SID=actual value of ORACLE_SID # export ORACLE_USERID=working ORACLE_USERID # export LD_LIBRARY_PATH=$ORACLE_HOME/lib:$ORACLE_HOME # perl Makefile.PL ... # make ... # make test ... # make install

Now you can install the dbipoll perl script.

Generate a random key, encode a file with it, and then decode a file with it. Useful to generate a password, encrypt it and then get rid of the plain text password inside scripts.

openssl rand 32 -out key.temp openssl des3 -e -pass file:key.temp -in passwd -out passwd.enc openssl des3 -d pass file:key.dec -in passwd.enc -out passwd.dec openssl des3 -d -pass file:key.dec -in passwd.enc -out passwd.dec openssl des3 -d -pass file:key.temp -in passwd.enc -out passwd.dec

Verify you are running encrypted. Add the following temporarily to your sqlnet.ora

TRACE_DIRECTORY_CLIENT=/ora-main/app/oracle/product/11.1.0.6/db/network/trace #TRACE_FILE_CLIENT=client TRACE_LEVEL_CLIENT=16

Inspect the trace for encryption

[root@mymachine trace]# cat cli_9668.trc |grep encry (2863411744) [13-FEB-2009 15:37:50:911] naeshow: These are the encryption algorithms that the client will accept: (2863411744) [13-FEB-2009 15:37:50:911] naeshow: Choice 0: no algorithm; encryption inactive service: encryption (2863411744) [13-FEB-2009 15:37:50:934] na_info: Oracle Advanced Security: encryption service for Linux: Version 11.1.0.6.0 - Production service: encryption (2863411744) [13-FEB-2009 15:37:50:935] nacomps: service encryption (2863411744) [13-FEB-2009 15:37:50:940] nacomus: service encryption service: encryption service: encryption (2863411744) [13-FEB-2009 15:37:50:952] naeecom: The server chose the 'RC4_256' encryption algorithm (2863411744) [13-FEB-2009 15:37:50:952] na_tns: encryption is active, using RC4_256

Note the last two lines indicating we are encrypted.

Here is the dbipoll.pl script.

#!/usr/bin/perl # # # Now accepts arguments for countkey, table, and columns. # countkey will ideally be a timestamp field, such as EXTENDED_TIMESTAMP in AUD$. # # Need to deal with the following variations... # 1 - Oracle local # 2 - Oracle remote # 3 - mysql local # 4 - mysql remote # 5 - Sybase local # 6 - Sybase remote # # Oracle connect string: $dbh = DBI->connect("dbi:Oracle:host=$server;sid=$db;port=$dbport", $user, $passwd); # Oracle connect string without env vars: $dbh = DBI->connect( "dbi:Oracle:$db", $username, $passwd ) # mysql connect string: $dbh = DBI->connect("dbi:mysql:database=$db\;host=$server;port=$dbport","$user","$passwd"); # Sybase connect string: $dbh = DBI->connect("dbi:sybase", $username, $password, $db); use IO::Socket; use strict; use DBI; use Getopt::Long; use Sys::Syslog; # our ($server,$db,$table,$columns,$user,$enpasswd,$passwd,$dbtype,$tcphost,$tcpport, $countfile,$countkey,$ofile,$dbport,$baseconnect,$dbh); # GetOptions( "dbtype=s" =>\$dbtype, # Type of DB (Oracle, MySQL, etc.) "server=s" =>\$server, # IP address of database server. "dbport=s" =>\$dbport, # Port for connecting to remote DB. "db=s" =>\$db, # Database to retriever records from. "user=s" =>\$user, # DB username. "password=s" =>\$passwd, # Unencrypted password. "xpassword=s" =>\$enpasswd, # Encrypted password. "table=s" =>\$table, # Table to retrieve from. "columns=s" =>\$columns, # Columns to fetch. "tcphost=s" =>\$tcphost, # Splunk server IP. "tcpport=s" =>\$tcpport, # Splunk tcp listener port. "countfile=s" =>\$countfile, # File to store row count status. "countkey=s" =>\$countkey, # Field to use as count value "o=s" =>\$ofile, # File for output (default is stdout). ); # # Deal with encrypted passwords first... if (!$passwd) { if ($enpasswd) { $passwd = `openssl des3 -d -pass file:/etc/pki/tls/private/dbi.key -in $enpasswd |awk NF`; chomp($passwd); } } # if ($dbtype =~ /oracle/i) { $ENV{'DBI_DRIVER'} = "Oracle"; $dbtype = "Oracle"; $dbh->{InactiveDestroy} = 1; #$baseconnect = DBI->connect("dbi:$dbtype:$db"); if (!$dbport) { # Assume a local DB. $dbh = DBI->connect("dbi:$dbtype:$db", "$user", "$passwd") || die( $DBI::errstr . "\n" ); # } else { if (!$passwd) { $dbh = DBI->connect("dbi:Oracle:host=$server;sid=$db;port=$dbport", $user) || die( $DBI::errstr . "\n" ); } else { $dbh = DBI->connect("dbi:Oracle:host=$server;sid=$db;port=$dbport", $user, $passwd) || die( $DBI::errstr . "\n" ); } } # } if ($dbtype =~ /mysql/i) { $ENV{'DBI_DRIVER'} = "mysql"; $dbtype = "mysql"; #$baseconnect = DBI->connect("dbi:$dbtype:database=$db;host=$server"); if (!$dbport) { # Assume a local DB. $dbh = DBI->connect("dbi:$dbtype:host=$server;database=$db","$user","$passwd") || die( $DBI::errstr . "\n" ); #$dbh = $baseconnect . "$user" . "$passwd"; } else { if (!$passwd) { $dbh = DBI->connect("dbi:$dbtype:database=$db;host=$server;port=$dbport","$user") || die( $DBI::errstr . "\n" ); } else { $dbh = DBI->connect("dbi:$dbtype:database=$db;host=$server;port=$dbport","$user","$passwd") || die( $DBI::errstr . "\n" ); } } # } if (($dbtype =~ /sybase/i) && (!$ENV{'SYBASE'})) { $ENV{'SYBASE'} = '/usr/local/freetds'; $ENV{'DSQUERY'} = "$server"; $dbtype = "sybase"; #$baseconnect = DBI->connect("dbi:$dbtype", "$db"); if (!$dbport) { # Assume a local DB. $dbh = DBI->connect("dbi:$dbtype:database=$db","$user","$passwd") || die( $DBI::errstr . "\n" ); } else { if (!$passwd) { $dbh = DBI->connect("dbi:$dbtype:database=$db;port=$dbport","$user") || die( $DBI::errstr . "\n" ); } else { $dbh = DBI->connect("dbi:$dbtype:database=$db;port=$dbport","$user","$passwd") || die( $DBI::errstr . "\n" ); } } } my $sth; if ( -f $countfile) { # Compare vs. file with saved count open (CF, "<$countfile"); my $filecount = readline CF; chomp $filecount; close (CF); # Adding an ORDER BY clause here may be a requirement $sth = $dbh->prepare("SELECT $columns FROM $table where $countkey > \'$filecount\' order by $countkey"); } else { $sth = $dbh->prepare("SELECT $columns FROM $table order by $countkey"); } # our $handle; if (($tcphost) && ($tcpport)) { # Send directly to splunk server... # Create tcp socket to send the data to the splunk server my $remote = IO::Socket::INET->new( Proto => "tcp", PeerAddr => $tcphost, PeerPort => $tcpport, Type => SOCK_STREAM) or die "cannot connect to tcp daemon on $tcphost"; $remote->autoflush(1); $handle = $remote; #$target = "\$remote"; } elsif ($ofile) { # Write to local outfile... open (OFILE, ">$ofile"); $handle = *OFILE; #$target = *OFILE; } else { # send to stdout open (STDOUT, ">&1"); $handle = *STDOUT; #$target = *STDOUT; } # # Get some Rows... $sth->execute or die $sth->errstr; open (CF, ">$countfile"); while(my $hash_ref = $sth->fetchrow_hashref) { my $output = ""; my $lastrow; foreach my $key (keys(%$hash_ref)) { my $str = $hash_ref->{$key}; if ($key ne "EXTENDED_TIMESTAMP") { if ($str =~ /"/) { (my $xstr = $str) =~ s/"/\\"/g; $str = "\"$xstr\""; } else { $str = "\"$str\"" if ($str =~ / /); $str = "\"$str\"" if ($str =~ /,/); } $output = $output . $key . "=" . $str . ","; } if ($key eq "EXTENDED_TIMESTAMP") { # if ($key eq "TO_CHAR(EXTENDED_TIMESTAMP,'MM/DD/YYYYHH24:MI:SS')") { $str =~ s/\"//g; $lastrow = $str; #if (lc($str) eq lc($countkey)); } # } chop($output); # Update countfile # Where did we leave off?... *CF->autoflush(1); seek(CF,0,0); print CF "$lastrow\n"; # # And send them somewhere. print $handle $output . "\n"; } # $sth->finish(); $dbh->disconnect; # close (CF); close $handle;

Now schedule this to run (I just wrote a wrapper script in ksh exporting the variables to be safe).

#!/usr/bin/ksh # export ORACLE_HOME=/ora-main/app/oracle/product/11.1.0.6/db export ORACLE_SID=rmdev1 export LD_LIBRARY_PATH=$ORACLE_HOME/lib:$ORACLE_HOME # /usr/bin/dbipoll.pl -dbtype=oracle -server=servername -dbport=1521 -db=development -user=splunk -xpassword=/etc/dbipasswd -table=dba_audit_trail -columns="OS_PROCESS,OS_USERNAME,USERNAME,USERHOST,ACTION,ACTION_NAME,TRANSACTIONID,SCN,SQL_BIND,SQL_TEXT,TO_CHAR(EXTENDED_TIMESTAMP,'MM/DD/YYYY HH24:MI:SS'),EXTENDED_TIMESTAMP" -countfile="/app/oracle/product/monitor/countfile" -countkey="EXTENDED_TIMESTAMP" -tcphost=splunkserver -tcpport=9094

Of course you will also need to setup a tcp input port on your splunk server. Once you have all that in place you can run the following query to see what hosts are performing the largest amount of actions on the database and what users are running the majority of actions on the database. I have removed hostnames and usernames legends from the following for security.

index=indexname sourcetype=databasesource | timechart count(USERNAME) by USERNAME

index=indexname sourcetype=databasesource |timechart count(USERHOST) by USERHOST

You can also use this to setup alerts if any users runs an update on a database (useful to catch those sneaky developers).

Tags: audit, database, Linux, oracle, perl, splunk, syslog
Posted in Linux, Scripting, Technology | 1 Comment »

James Labocki’s Blog

Posts Tagged ‘perl’

Splunk to Jira for PCI

Audit Database Activity with Splunk or Syslog

Categories

Archives

Blogroll

Meta

Activity Feed