fix: [userLogin] Do not consider all login as login from the SYSTEM

ADMIN anymore

Due to the change in the misp-zmq, `misp_json_user` only contains the
information that a user has logged in, the user always being the same.

The code now records user logins from the audit channel `misp_json_audit`.
pull/68/head
Sami Mokaddem 2018-10-01 13:28:27 +02:00
parent 52219856b9
commit b76a9cd082
4 changed files with 31 additions and 8 deletions


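--- a/<path-not-shown-1>
+++ b/<path-not-shown-1>
@@ -27,7 +27,7 @@ class Users_helper:
 logging.basicConfig(filename=logPath, filemode='a', level=logging.INFO)
 self.logger = logging.getLogger(__name__)
-def add_user_login(self, timestamp, org):
+def add_user_login(self, timestamp, org, email=''):
 timestampDate = datetime.datetime.fromtimestamp(float(timestamp))
 timestampDate_str = util.getDateStrFormat(timestampDate)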
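Review bot: The new `email=''` parameter on `add_user_login` is undocumented, and the rest of the method lies outside the hunk, so a reader cannot tell whether an empty string is stored as-is or treated as "unknown". A short docstring under the signature would settle it, e.g. `"""Record a user login. timestamp: epoch seconds; org: organisation name from the audit log; email: user email from the audit log, '' when not supplied."""`. Unrelated to the signature change but visible here: `datetime.datetime.fromtimestamp(float(timestamp))` yields a naive local-time value, so if the dashboard's other dates are computed in UTC the day bucket may differ by one near midnight — worth confirming against the callers.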


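--- a/<path-not-shown-2>
+++ b/<path-not-shown-2>
@@ -464,6 +464,10 @@ def getUserLogins():
 data = users_helper.getUserLoginsForPunchCard(date, org)
 return jsonify(data)
+@app.route("/_getAllLoggedOrg")
+def getAllLoggedOrg():
+return jsonify(users_helper.getAllOrg())
 @app.route("/_getTopOrglogin")
 def getTopOrglogin():
 try: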
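Review bot: `getAllLoggedOrg` is named as if it returned only organisations that have logged in, but it serves `users_helper.getAllOrg()`, whose body is outside this hunk, so the contract cannot be verified from here; either the route name or the helper name is misleading and a one-line docstring should state which, e.g. `"""Organisation names known to users_helper; feeds the org typeahead on the users page."""`. The neighbouring `getTopOrglogin` wraps its body in `try:`, whereas the new route has no error handling — check whether `getAllOrg()` can raise before any login has been recorded, since the template now points its typeahead at this endpoint.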


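--- a/<path-not-shown-3>
+++ b/<path-not-shown-3>
@@ -201,7 +201,7 @@ small {
 var url_getTopOrglogin = "{{ url_for('getTopOrglogin') }}";
 var url_getLoginVSCOntribution = "{{ url_for('getLoginVSCOntribution') }}";
 var url_getUserLoginsAndContribOvertime = "{{ url_for('getUserLoginsAndContribOvertime') }}";
-var url_getTypeaheadData = "{{ url_for('getAllOrg') }}";
+var url_getTypeaheadData = "{{ url_for('getAllLoggedOrg') }}";
 /* DATA FROM CONF */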


@ -74,10 +74,28 @@ def getFields(obj, fields):
## HANDLERS ## ## HANDLERS ##
############## ##############
def handler_log(zmq_name, jsonevent): def handler_skip(zmq_name, jsonevent):
logger.info('Log not processed') logger.info('Log not processed')
return return
def handler_audit(zmq_name, jsondata):
action = jsondata.get('action', None)
jsonlog = jsondata.get('Log', None)
if action is None or jsonlog is None:
return
# consider login operations
if action == 'log': # audit is related to log
logAction = jsonlog.get('action', None)
if logAction == 'login': # only consider user login
timestamp = int(time.time())
email = jsonlog.get('email', '')
org = jsonlog.get('org', '')
users_helper.add_user_login(timestamp, org, email)
else:
pass
def handler_dispatcher(zmq_name, jsonObj): def handler_dispatcher(zmq_name, jsonObj):
if "Event" in jsonObj: if "Event" in jsonObj:
handler_event(zmq_name, jsonObj) handler_event(zmq_name, jsonObj)
@ -87,15 +105,15 @@ def handler_keepalive(zmq_name, jsonevent):
to_push = [ jsonevent['uptime'] ] to_push = [ jsonevent['uptime'] ]
live_helper.publish_log(zmq_name, 'Keepalive', to_push) live_helper.publish_log(zmq_name, 'Keepalive', to_push)
# Login are no longer pushed by `misp_json_user`, but by `misp_json_audit`
def handler_user(zmq_name, jsondata): def handler_user(zmq_name, jsondata):
logger.info('Handling user') logger.info('Handling user')
action = jsondata['action'] action = jsondata['action']
json_user = jsondata['User'] json_user = jsondata['User']
json_org = jsondata['Organisation'] json_org = jsondata['Organisation']
org = json_org['name'] org = json_org['name']
if action == 'login': #only consider user login if action == 'edit': #only consider user login
timestamp = int(time.time()) pass
users_helper.add_user_login(timestamp, org)
else: else:
pass pass
@ -264,10 +282,11 @@ dico_action = {
"misp_json_attribute": handler_attribute, "misp_json_attribute": handler_attribute,
"misp_json_object": handler_object, "misp_json_object": handler_object,
"misp_json_sighting": handler_sighting, "misp_json_sighting": handler_sighting,
"misp_json_organisation": handler_log, "misp_json_organisation": handler_skip,
"misp_json_user": handler_user, "misp_json_user": handler_user,
"misp_json_conversation": handler_conversation, "misp_json_conversation": handler_conversation,
"misp_json_object_reference": handler_log, "misp_json_object_reference": handler_skip,
"misp_json_audit": handler_audit,
} }
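Review bot: After this change `handler_user` (second hunk, `@ -87,15 +105,15`) is a no-op that can still crash: it keeps the unchecked `jsondata['User']`, `jsondata['Organisation']` and `json_org['name']` lookups, so a `misp_json_user` message lacking any of those keys raises `KeyError` in the dispatcher even though neither branch of `if action == 'edit'` does anything; its body may also continue past the hunk. Since the new comment states logins no longer arrive on that channel, the simplest fix is to route it to the existing no-op in the dispatch table, `"misp_json_user": handler_skip,`, or to trim `handler_user` to the `logger.info` call until an `edit` action is really handled. In `handler_audit` the trailing `else: pass` is dead and can be dropped, and `handler_skip`'s message `'Log not processed'` is now logged for organisation and object-reference messages too, which will mislead anyone reading the log. The login timestamp is taken from `time.time()` at receipt rather than from the audit record — if the `Log` entry carries its own timestamp, prefer it so that messages delayed in the queue are bucketed to the day the login actually happened.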