kenmirrors/asterisk
1
0
Fork 0
mirror of https://github.com/asterisk/asterisk.git synced 2025-10-31 18:55:19 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
5844133aba405eadd6ed76516596a606e74baa15
asterisk/tests/test_security_events.c

627 lines
17 KiB
C
Raw Normal View History

Add an API for reporting security events, and a security event logging module. This commit introduces the security events API. This API is to be used by Asterisk components to report events that have security implications. A simple example is when a connection is made but fails authentication. These events can be used by external tools manipulate firewall rules or something similar after detecting unusual activity based on security events. Inside of Asterisk, the events go through the ast_event API. This means that they have a binary encoding, and it is easy to write code to subscribe to these events and do something with them. One module is provided that is a subscriber to these events - res_security_log. This module turns security events into a parseable text format and sends them to the "security" logger level. Using logger.conf, these log entries may be sent to a file, or to syslog. One service, AMI, has been fully updated for reporting security events. AMI was chosen as it was a fairly straight forward service to convert. The next target will be chan_sip. That will be more complicated and will be done as its own project as the next phase of security events work. For more information on the security events framework, see the documentation generated from doc/tex/. "make asterisk.pdf" Review: https://reviewboard.asterisk.org/r/273/ git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@206021 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2009-07-11 19:15:03 +00:00
/*
* Asterisk -- An open source telephony toolkit.
*
* Copyright (C) 2009, Digium, Inc.
*
* Russell Bryant <russell@digium.com>
*
* See http://www.asterisk.org for more information about
* the Asterisk project. Please do not directly contact
* any of the maintainers of this project for assistance;
* the project provides a web site, mailing lists and IRC
* channels for your use.
*
* This program is free software, distributed under the terms of
* the GNU General Public License Version 2. See the LICENSE file
* at the top of the source tree.
*/
/*! \file
*
* \brief Test security event generation
*
* \author Russell Bryant <russell@digium.com>
*/
/*** MODULEINFO
Test modules should depend on the TEST_FRAMEWORK flag git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@338555 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2011-09-29 21:12:21 +00:00
<depend>TEST_FRAMEWORK</depend>
Flag test modules as 'core' Review: https://reviewboard.asterisk.org/r/1369/ git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@332176 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2011-08-16 20:10:13 +00:00
<support_level>core</support_level>
Add an API for reporting security events, and a security event logging module. This commit introduces the security events API. This API is to be used by Asterisk components to report events that have security implications. A simple example is when a connection is made but fails authentication. These events can be used by external tools manipulate firewall rules or something similar after detecting unusual activity based on security events. Inside of Asterisk, the events go through the ast_event API. This means that they have a binary encoding, and it is easy to write code to subscribe to these events and do something with them. One module is provided that is a subscriber to these events - res_security_log. This module turns security events into a parseable text format and sends them to the "security" logger level. Using logger.conf, these log entries may be sent to a file, or to syslog. One service, AMI, has been fully updated for reporting security events. AMI was chosen as it was a fairly straight forward service to convert. The next target will be chan_sip. That will be more complicated and will be done as its own project as the next phase of security events work. For more information on the security events framework, see the documentation generated from doc/tex/. "make asterisk.pdf" Review: https://reviewboard.asterisk.org/r/273/ git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@206021 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2009-07-11 19:15:03 +00:00
***/
#include "asterisk.h"
ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
#include "asterisk/module.h"
#include "asterisk/cli.h"
#include "asterisk/utils.h"
#include "asterisk/security_events.h"
static void evt_gen_failed_acl(void);
static void evt_gen_inval_acct_id(void);
static void evt_gen_session_limit(void);
static void evt_gen_mem_limit(void);
static void evt_gen_load_avg(void);
static void evt_gen_req_no_support(void);
static void evt_gen_req_not_allowed(void);
static void evt_gen_auth_method_not_allowed(void);
static void evt_gen_req_bad_format(void);
static void evt_gen_successful_auth(void);
static void evt_gen_unexpected_addr(void);
static void evt_gen_chal_resp_failed(void);
static void evt_gen_inval_password(void);
typedef void (*evt_generator)(void);
static const evt_generator evt_generators[AST_SECURITY_EVENT_NUM_TYPES] = {
[AST_SECURITY_EVENT_FAILED_ACL] = evt_gen_failed_acl,
[AST_SECURITY_EVENT_INVAL_ACCT_ID] = evt_gen_inval_acct_id,
[AST_SECURITY_EVENT_SESSION_LIMIT] = evt_gen_session_limit,
[AST_SECURITY_EVENT_MEM_LIMIT] = evt_gen_mem_limit,
[AST_SECURITY_EVENT_LOAD_AVG] = evt_gen_load_avg,
[AST_SECURITY_EVENT_REQ_NO_SUPPORT] = evt_gen_req_no_support,
[AST_SECURITY_EVENT_REQ_NOT_ALLOWED] = evt_gen_req_not_allowed,
[AST_SECURITY_EVENT_AUTH_METHOD_NOT_ALLOWED] = evt_gen_auth_method_not_allowed,
[AST_SECURITY_EVENT_REQ_BAD_FORMAT] = evt_gen_req_bad_format,
[AST_SECURITY_EVENT_SUCCESSFUL_AUTH] = evt_gen_successful_auth,
[AST_SECURITY_EVENT_UNEXPECTED_ADDR] = evt_gen_unexpected_addr,
[AST_SECURITY_EVENT_CHAL_RESP_FAILED] = evt_gen_chal_resp_failed,
[AST_SECURITY_EVENT_INVAL_PASSWORD] = evt_gen_inval_password,
};
static void evt_gen_failed_acl(void)
{
struct sockaddr_in sin_local = {
.sin_family = AF_INET
};
struct sockaddr_in sin_remote = {
.sin_family = AF_INET
};
struct timeval session_tv = ast_tvnow();
struct ast_security_event_failed_acl failed_acl_event = {
.common.event_type = AST_SECURITY_EVENT_FAILED_ACL,
.common.version = AST_SECURITY_EVENT_FAILED_ACL_VERSION,
.common.service = "TEST",
.common.module = AST_MODULE,
.common.account_id = "Username",
.common.session_id = "Session123",
.common.session_tv = &session_tv,
.common.local_addr = {
.sin = &sin_local,
.transport = AST_SECURITY_EVENT_TRANSPORT_UDP,
},
.common.remote_addr = {
.sin = &sin_remote,
.transport = AST_SECURITY_EVENT_TRANSPORT_UDP,
},
.acl_name = "TEST_ACL",
};
inet_aton("192.168.1.1", &sin_local.sin_addr);
sin_local.sin_port = htons(12121);
inet_aton("192.168.1.2", &sin_remote.sin_addr);
sin_remote.sin_port = htons(12345);
ast_security_event_report(AST_SEC_EVT(&failed_acl_event));
}
static void evt_gen_inval_acct_id(void)
{
struct sockaddr_in sin_local = {
.sin_family = AF_INET
};
struct sockaddr_in sin_remote = {
.sin_family = AF_INET
};
struct timeval session_tv = ast_tvnow();
struct ast_security_event_inval_acct_id inval_acct_id = {
.common.event_type = AST_SECURITY_EVENT_INVAL_ACCT_ID,
.common.version = AST_SECURITY_EVENT_INVAL_ACCT_ID_VERSION,
.common.service = "TEST",
.common.module = AST_MODULE,
.common.account_id = "FakeUser",
.common.session_id = "Session456",
.common.session_tv = &session_tv,
.common.local_addr = {
.sin = &sin_local,
.transport = AST_SECURITY_EVENT_TRANSPORT_TCP,
},
.common.remote_addr = {
.sin = &sin_remote,
.transport = AST_SECURITY_EVENT_TRANSPORT_TCP,
},
};
inet_aton("10.1.2.3", &sin_local.sin_addr);
sin_local.sin_port = htons(4321);
inet_aton("10.1.2.4", &sin_remote.sin_addr);
sin_remote.sin_port = htons(1234);
ast_security_event_report(AST_SEC_EVT(&inval_acct_id));
}
static void evt_gen_session_limit(void)
{
struct sockaddr_in sin_local = {
.sin_family = AF_INET
};
struct sockaddr_in sin_remote = {
.sin_family = AF_INET
};
struct timeval session_tv = ast_tvnow();
struct ast_security_event_session_limit session_limit = {
.common.event_type = AST_SECURITY_EVENT_SESSION_LIMIT,
.common.version = AST_SECURITY_EVENT_SESSION_LIMIT_VERSION,
.common.service = "TEST",
.common.module = AST_MODULE,
.common.account_id = "Jenny",
.common.session_id = "8675309",
.common.session_tv = &session_tv,
.common.local_addr = {
.sin = &sin_local,
.transport = AST_SECURITY_EVENT_TRANSPORT_TLS,
},
.common.remote_addr = {
.sin = &sin_remote,
.transport = AST_SECURITY_EVENT_TRANSPORT_TLS,
},
};
inet_aton("10.5.4.3", &sin_local.sin_addr);
sin_local.sin_port = htons(4444);
inet_aton("10.5.4.2", &sin_remote.sin_addr);
sin_remote.sin_port = htons(3333);
ast_security_event_report(AST_SEC_EVT(&session_limit));
}
static void evt_gen_mem_limit(void)
{
struct sockaddr_in sin_local = {
.sin_family = AF_INET
};
struct sockaddr_in sin_remote = {
.sin_family = AF_INET
};
struct timeval session_tv = ast_tvnow();
struct ast_security_event_mem_limit mem_limit = {
.common.event_type = AST_SECURITY_EVENT_MEM_LIMIT,
.common.version = AST_SECURITY_EVENT_MEM_LIMIT_VERSION,
.common.service = "TEST",
.common.module = AST_MODULE,
.common.account_id = "Felix",
.common.session_id = "Session2604",
.common.session_tv = &session_tv,
.common.local_addr = {
.sin = &sin_local,
.transport = AST_SECURITY_EVENT_TRANSPORT_UDP,
},
.common.remote_addr = {
.sin = &sin_remote,
.transport = AST_SECURITY_EVENT_TRANSPORT_UDP,
},
};
inet_aton("10.10.10.10", &sin_local.sin_addr);
sin_local.sin_port = htons(555);
inet_aton("10.10.10.12", &sin_remote.sin_addr);
sin_remote.sin_port = htons(5656);
ast_security_event_report(AST_SEC_EVT(&mem_limit));
}
static void evt_gen_load_avg(void)
{
struct sockaddr_in sin_local = {
.sin_family = AF_INET
};
struct sockaddr_in sin_remote = {
.sin_family = AF_INET
};
struct timeval session_tv = ast_tvnow();
struct ast_security_event_load_avg load_avg = {
.common.event_type = AST_SECURITY_EVENT_LOAD_AVG,
.common.version = AST_SECURITY_EVENT_LOAD_AVG_VERSION,
.common.service = "TEST",
.common.module = AST_MODULE,
.common.account_id = "GuestAccount",
.common.session_id = "XYZ123",
.common.session_tv = &session_tv,
.common.local_addr = {
.sin = &sin_local,
.transport = AST_SECURITY_EVENT_TRANSPORT_UDP,
},
.common.remote_addr = {
.sin = &sin_remote,
.transport = AST_SECURITY_EVENT_TRANSPORT_UDP,
},
};
inet_aton("10.11.12.13", &sin_local.sin_addr);
sin_local.sin_port = htons(9876);
inet_aton("10.12.11.10", &sin_remote.sin_addr);
sin_remote.sin_port = htons(9825);
ast_security_event_report(AST_SEC_EVT(&load_avg));
}
static void evt_gen_req_no_support(void)
{
struct sockaddr_in sin_local = {
.sin_family = AF_INET
};
struct sockaddr_in sin_remote = {
.sin_family = AF_INET
};
struct timeval session_tv = ast_tvnow();
struct ast_security_event_req_no_support req_no_support = {
.common.event_type = AST_SECURITY_EVENT_REQ_NO_SUPPORT,
.common.version = AST_SECURITY_EVENT_REQ_NO_SUPPORT_VERSION,
.common.service = "TEST",
.common.module = AST_MODULE,
.common.account_id = "George",
.common.session_id = "asdkl23478289lasdkf",
.common.session_tv = &session_tv,
.common.local_addr = {
.sin = &sin_local,
.transport = AST_SECURITY_EVENT_TRANSPORT_UDP,
},
.common.remote_addr = {
.sin = &sin_remote,
.transport = AST_SECURITY_EVENT_TRANSPORT_UDP,
},
.request_type = "MakeMeDinner",
};
inet_aton("10.110.120.130", &sin_local.sin_addr);
sin_local.sin_port = htons(9888);
inet_aton("10.120.110.100", &sin_remote.sin_addr);
sin_remote.sin_port = htons(9777);
ast_security_event_report(AST_SEC_EVT(&req_no_support));
}
static void evt_gen_req_not_allowed(void)
{
struct sockaddr_in sin_local = {
.sin_family = AF_INET
};
struct sockaddr_in sin_remote = {
.sin_family = AF_INET
};
struct timeval session_tv = ast_tvnow();
struct ast_security_event_req_not_allowed req_not_allowed = {
.common.event_type = AST_SECURITY_EVENT_REQ_NOT_ALLOWED,
.common.version = AST_SECURITY_EVENT_REQ_NOT_ALLOWED_VERSION,
.common.service = "TEST",
.common.module = AST_MODULE,
.common.account_id = "George",
.common.session_id = "alksdjf023423h4lka0df",
.common.session_tv = &session_tv,
.common.local_addr = {
.sin = &sin_local,
.transport = AST_SECURITY_EVENT_TRANSPORT_UDP,
},
.common.remote_addr = {
.sin = &sin_remote,
.transport = AST_SECURITY_EVENT_TRANSPORT_UDP,
},
.request_type = "MakeMeBreakfast",
.request_params = "BACONNNN!",
};
inet_aton("10.110.120.130", &sin_local.sin_addr);
sin_local.sin_port = htons(9888);
inet_aton("10.120.110.100", &sin_remote.sin_addr);
sin_remote.sin_port = htons(9777);
ast_security_event_report(AST_SEC_EVT(&req_not_allowed));
}
static void evt_gen_auth_method_not_allowed(void)
{
struct sockaddr_in sin_local = {
.sin_family = AF_INET
};
struct sockaddr_in sin_remote = {
.sin_family = AF_INET
};
struct timeval session_tv = ast_tvnow();
struct ast_security_event_auth_method_not_allowed auth_method_not_allowed = {
.common.event_type = AST_SECURITY_EVENT_AUTH_METHOD_NOT_ALLOWED,
.common.version = AST_SECURITY_EVENT_AUTH_METHOD_NOT_ALLOWED_VERSION,
.common.service = "TEST",
.common.module = AST_MODULE,
.common.account_id = "Bob",
.common.session_id = "010101010101",
.common.session_tv = &session_tv,
.common.local_addr = {
.sin = &sin_local,
.transport = AST_SECURITY_EVENT_TRANSPORT_TCP,
},
.common.remote_addr = {
.sin = &sin_remote,
.transport = AST_SECURITY_EVENT_TRANSPORT_TCP,
},
.auth_method = "PlainText"
};
inet_aton("10.110.120.135", &sin_local.sin_addr);
sin_local.sin_port = htons(8754);
inet_aton("10.120.110.105", &sin_remote.sin_addr);
sin_remote.sin_port = htons(8745);
ast_security_event_report(AST_SEC_EVT(&auth_method_not_allowed));
}
static void evt_gen_req_bad_format(void)
{
struct sockaddr_in sin_local = {
.sin_family = AF_INET
};
struct sockaddr_in sin_remote = {
.sin_family = AF_INET
};
struct timeval session_tv = ast_tvnow();
struct ast_security_event_req_bad_format req_bad_format = {
.common.event_type = AST_SECURITY_EVENT_REQ_BAD_FORMAT,
.common.version = AST_SECURITY_EVENT_REQ_BAD_FORMAT_VERSION,
.common.service = "TEST",
.common.module = AST_MODULE,
.common.account_id = "Larry",
.common.session_id = "838383fhfhf83hf8h3f8h",
.common.session_tv = &session_tv,
.common.local_addr = {
.sin = &sin_local,
.transport = AST_SECURITY_EVENT_TRANSPORT_TCP,
},
.common.remote_addr = {
.sin = &sin_remote,
.transport = AST_SECURITY_EVENT_TRANSPORT_TCP,
},
.request_type = "CheeseBurger",
.request_params = "Onions,Swiss,MotorOil",
};
inet_aton("10.110.220.230", &sin_local.sin_addr);
sin_local.sin_port = htons(1212);
inet_aton("10.120.210.200", &sin_remote.sin_addr);
sin_remote.sin_port = htons(2121);
ast_security_event_report(AST_SEC_EVT(&req_bad_format));
}
static void evt_gen_successful_auth(void)
{
struct sockaddr_in sin_local = {
.sin_family = AF_INET
};
struct sockaddr_in sin_remote = {
.sin_family = AF_INET
};
struct timeval session_tv = ast_tvnow();
struct ast_security_event_successful_auth successful_auth = {
.common.event_type = AST_SECURITY_EVENT_SUCCESSFUL_AUTH,
.common.version = AST_SECURITY_EVENT_SUCCESSFUL_AUTH_VERSION,
.common.service = "TEST",
.common.module = AST_MODULE,
.common.account_id = "ValidUser",
.common.session_id = "Session456",
.common.session_tv = &session_tv,
.common.local_addr = {
.sin = &sin_local,
.transport = AST_SECURITY_EVENT_TRANSPORT_TCP,
},
.common.remote_addr = {
.sin = &sin_remote,
.transport = AST_SECURITY_EVENT_TRANSPORT_TCP,
},
};
inet_aton("10.1.2.3", &sin_local.sin_addr);
sin_local.sin_port = htons(4321);
inet_aton("10.1.2.4", &sin_remote.sin_addr);
sin_remote.sin_port = htons(1234);
ast_security_event_report(AST_SEC_EVT(&successful_auth));
}
static void evt_gen_unexpected_addr(void)
{
struct sockaddr_in sin_local = {
.sin_family = AF_INET
};
struct sockaddr_in sin_remote = {
.sin_family = AF_INET
};
struct sockaddr_in sin_expected = {
.sin_family = AF_INET
};
struct timeval session_tv = ast_tvnow();
struct ast_security_event_unexpected_addr unexpected_addr = {
.common.event_type = AST_SECURITY_EVENT_UNEXPECTED_ADDR,
.common.version = AST_SECURITY_EVENT_UNEXPECTED_ADDR_VERSION,
.common.service = "TEST",
.common.module = AST_MODULE,
.common.account_id = "CoolUser",
.common.session_id = "Session789",
.common.session_tv = &session_tv,
.common.local_addr = {
.sin = &sin_local,
.transport = AST_SECURITY_EVENT_TRANSPORT_UDP,
},
.common.remote_addr = {
.sin = &sin_remote,
.transport = AST_SECURITY_EVENT_TRANSPORT_UDP,
},
.expected_addr = {
.sin = &sin_expected,
.transport = AST_SECURITY_EVENT_TRANSPORT_UDP,
},
};
inet_aton("10.1.2.3", &sin_local.sin_addr);
sin_local.sin_port = htons(4321);
inet_aton("10.1.2.4", &sin_remote.sin_addr);
sin_remote.sin_port = htons(1234);
inet_aton("10.1.2.5", &sin_expected.sin_addr);
sin_expected.sin_port = htons(2343);
ast_security_event_report(AST_SEC_EVT(&unexpected_addr));
}
static void evt_gen_chal_resp_failed(void)
{
struct sockaddr_in sin_local = {
.sin_family = AF_INET
};
struct sockaddr_in sin_remote = {
.sin_family = AF_INET
};
struct timeval session_tv = ast_tvnow();
struct ast_security_event_chal_resp_failed chal_resp_failed = {
.common.event_type = AST_SECURITY_EVENT_CHAL_RESP_FAILED,
.common.version = AST_SECURITY_EVENT_CHAL_RESP_FAILED_VERSION,
.common.service = "TEST",
.common.module = AST_MODULE,
.common.account_id = "SuperDuperUser",
.common.session_id = "Session1231231231",
.common.session_tv = &session_tv,
.common.local_addr = {
.sin = &sin_local,
.transport = AST_SECURITY_EVENT_TRANSPORT_TCP,
},
.common.remote_addr = {
.sin = &sin_remote,
.transport = AST_SECURITY_EVENT_TRANSPORT_TCP,
},
.challenge = "8adf8a9sd8fas9df23ljk4",
.response = "9u3jlaksdjflakjsdfoi23",
.expected_response = "oiafaljhadf9834luahk3k",
};
inet_aton("10.1.2.3", &sin_local.sin_addr);
sin_local.sin_port = htons(4321);
inet_aton("10.1.2.4", &sin_remote.sin_addr);
sin_remote.sin_port = htons(1234);
ast_security_event_report(AST_SEC_EVT(&chal_resp_failed));
}
static void evt_gen_inval_password(void)
{
struct sockaddr_in sin_local = {
.sin_family = AF_INET
};
struct sockaddr_in sin_remote = {
.sin_family = AF_INET
};
struct timeval session_tv = ast_tvnow();
struct ast_security_event_inval_password inval_password = {
.common.event_type = AST_SECURITY_EVENT_INVAL_PASSWORD,
.common.version = AST_SECURITY_EVENT_INVAL_PASSWORD_VERSION,
.common.service = "TEST",
.common.module = AST_MODULE,
.common.account_id = "AccountIDGoesHere",
.common.session_id = "SessionIDGoesHere",
.common.session_tv = &session_tv,
.common.local_addr = {
.sin = &sin_local,
.transport = AST_SECURITY_EVENT_TRANSPORT_TCP,
},
.common.remote_addr = {
.sin = &sin_remote,
.transport = AST_SECURITY_EVENT_TRANSPORT_TCP,
},
};
inet_aton("10.200.100.30", &sin_local.sin_addr);
sin_local.sin_port = htons(4321);
inet_aton("10.200.100.40", &sin_remote.sin_addr);
sin_remote.sin_port = htons(1234);
ast_security_event_report(AST_SEC_EVT(&inval_password));
}
static void gen_events(struct ast_cli_args *a)
{
unsigned int i;
ast_cli(a->fd, "Generating some security events ...\n");
for (i = 0; i < ARRAY_LEN(evt_generators); i++) {
const char *event_type = ast_security_event_get_name(i);
if (!evt_generators[i]) {
ast_cli(a->fd, "*** No event generator for event type '%s' ***\n",
event_type);
continue;
}
ast_cli(a->fd, "Generating a '%s' security event ...\n", event_type);
evt_generators[i]();
}
ast_cli(a->fd, "Security event generation complete.\n");
}
static char *handle_cli_sec_evt_test(struct ast_cli_entry *e, int cmd, struct ast_cli_args *a)
{
switch (cmd) {
case CLI_INIT:
e->command = "securityevents test generation";
e->usage = ""
"Usage: securityevents test generation"
"";
return NULL;
case CLI_GENERATE:
return NULL;
case CLI_HANDLER:
gen_events(a);
return CLI_SUCCESS;
}
return CLI_FAILURE;
}
static struct ast_cli_entry cli_sec_evt[] = {
AST_CLI_DEFINE(handle_cli_sec_evt_test, "Test security event generation"),
};
static int unload_module(void)
{
return ast_cli_unregister_multiple(cli_sec_evt, ARRAY_LEN(cli_sec_evt));
}
static int load_module(void)
{
int res;
res = ast_cli_register_multiple(cli_sec_evt, ARRAY_LEN(cli_sec_evt));
return res ? AST_MODULE_LOAD_DECLINE : AST_MODULE_LOAD_SUCCESS;
}
AST_MODULE_INFO_STANDARD(ASTERISK_GPL_KEY, "Test Security Event Generation");
Reference in New Issue Copy Permalink