annotate mod_s2s_log_certs/mod_s2s_log_certs.lua @ 5298:12f7d8b901e0

mod_audit: Support for adding location (GeoIP) to audit events This can be more privacy-friendly than logging full IP addresses, and also more informative to a user - IP addresses don't mean much to the average person, however if they see activity from outside their expected country, they can immediately identify suspicious activity. As with IPs, this field is configurable for deployments that would like to disable it. Location is also not logged when the geoip library is not available.
author Matthew Wild <mwild1@gmail.com>
date Sat, 01 Apr 2023 13:11:53 +0100
parents 663e5d923ef0
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1009
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff changeset
1 module:set_global();
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff changeset
2
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff changeset
3 local dm_load = require "util.datamanager".load;
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff changeset
4 local dm_store = require "util.datamanager".store;
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff changeset
5 local datetime = require "util.datetime".datetime;
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff changeset
6
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff changeset
7 local do_store = module:get_option_boolean(module:get_name().."_persist", false);
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff changeset
8 local digest_algo = module:get_option_string(module:get_name().."_digest", "sha1");
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff changeset
9
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff changeset
10 local function note_cert_digest(event)
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff changeset
11 local session, remote_host, cert = event.session, event.host, event.cert;
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff changeset
12
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff changeset
13 if not (remote_host and cert and cert.digest) then return end;
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff changeset
14 local digest = cert:digest(digest_algo);
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff changeset
15
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff changeset
16 local local_host = session.direction == "outgoing" and session.from_host or session.to_host;
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff changeset
17 local chain_status = session.cert_chain_status;
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff changeset
18 local identity_status = session.cert_identity_status;
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff changeset
19
1091
79ef0427765f mod_s2s_log_certs: Minor grammar change
Kim Alvefur <zash@zash.se>
parents: 1009
diff changeset
20 module:log("info", "%s has a %s %s certificate with %s: %s",
79ef0427765f mod_s2s_log_certs: Minor grammar change
Kim Alvefur <zash@zash.se>
parents: 1009
diff changeset
21 remote_host,
1009
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff changeset
22 chain_status == "valid" and "trusted" or "untrusted",
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff changeset
23 identity_status or "invalid",
1091
79ef0427765f mod_s2s_log_certs: Minor grammar change
Kim Alvefur <zash@zash.se>
parents: 1009
diff changeset
24 digest_algo:upper(),
1009
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff changeset
25 digest:upper():gsub("..",":%0"):sub(2));
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff changeset
26
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff changeset
27 if do_store then
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff changeset
28 local seen_certs = dm_load(remote_host, local_host, "s2s_certs") or {};
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff changeset
29
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff changeset
30 digest = digest_algo..":"..digest;
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff changeset
31 local this_cert = seen_certs[digest] or { first = datetime(); times = 0; }
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff changeset
32 this_cert.last = datetime();
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff changeset
33 this_cert.times = this_cert.times + 1;
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff changeset
34 seen_certs[digest] = this_cert;
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff changeset
35 chain_status = chain_status;
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff changeset
36 identity_status = identity_status;
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff changeset
37 dm_store(remote_host, local_host, "s2s_certs", seen_certs);
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff changeset
38 end
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff changeset
39 end
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff changeset
40
1787
663e5d923ef0 mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks
Kim Alvefur <zash@zash.se>
parents: 1091
diff changeset
41 if module.wrap_event then
663e5d923ef0 mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks
Kim Alvefur <zash@zash.se>
parents: 1091
diff changeset
42 -- 0.10
663e5d923ef0 mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks
Kim Alvefur <zash@zash.se>
parents: 1091
diff changeset
43 module:wrap_event("s2s-check-certificate", function (handlers, event_name, event_data)
663e5d923ef0 mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks
Kim Alvefur <zash@zash.se>
parents: 1091
diff changeset
44 local ret = handlers(event_name, event_data);
663e5d923ef0 mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks
Kim Alvefur <zash@zash.se>
parents: 1091
diff changeset
45 note_cert_digest(event_data);
663e5d923ef0 mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks
Kim Alvefur <zash@zash.se>
parents: 1091
diff changeset
46 return ret;
663e5d923ef0 mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks
Kim Alvefur <zash@zash.se>
parents: 1091
diff changeset
47 end);
663e5d923ef0 mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks
Kim Alvefur <zash@zash.se>
parents: 1091
diff changeset
48 else
663e5d923ef0 mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks
Kim Alvefur <zash@zash.se>
parents: 1091
diff changeset
49 -- 0.9
663e5d923ef0 mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks
Kim Alvefur <zash@zash.se>
parents: 1091
diff changeset
50 module:hook("s2s-check-certificate", note_cert_digest, 1000);
663e5d923ef0 mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks
Kim Alvefur <zash@zash.se>
parents: 1091
diff changeset
51 end
1009
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff changeset
52 --[[
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff changeset
53 function module.add_host(module)
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff changeset
54 module:hook("s2s-check-certificate", note_cert_digest, 1000);
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff changeset
55 end
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff changeset
56 ]]