
Wodle: AWS CloudTrail#351

Merged
vikman90 merged 6 commits into 3.2-dev from dev-wodle-aws on Feb 6, 2018

Conversation

@snaow (Member) commented Jan 10, 2018

This PR adds a native way of ingesting AWS CloudTrail logs.
Logs are fetched in JSON format from the bucket and they are sent to the Wazuh socket.

Requirements

  • Wazuh >= 3.2
  • Python >= 2.7
  • Pip (yum install python-pip / apt-get install python-pip)
  • Boto3 (pip install boto3)

Docs

  • TBA

Configuration sample

<wodle name="aws-cloudtrail">
  <disabled>no</disabled>
  <bucket>wazuh-cloudtrail</bucket>
  <access_key>xxxxx</access_key>
  <secret_key>xxxxx</secret_key>
  <remove_from_bucket>no</remove_from_bucket>
  <interval>5m</interval>
  <run_on_start>no</run_on_start>
</wodle>

Parameters

  • bucket (mandatory): AWS S3 Bucket where CloudTrail logs are stored.
  • remove_from_bucket (mandatory): Remove files from S3 Bucket once processed.
  • interval (mandatory): Time interval for fetching the logs from the bucket. Min allowed: 5 minutes.
  • run_on_start (mandatory): Trigger a scan every time the agent/manager is restarted.
  • access_key (optional): Access key for AWS account.
  • secret_key (optional): Secret key for AWS account.

Applies to

The plugin can be used in both agent and manager; it can also be used in centralized configuration (agent.conf).

Alert example

{
  "timestamp": "2018-01-10T11:47:43+0100",
  "rule": {
    "level": 3,
    "description": "Amazon: signin.amazonaws.com - ConsoleLogin - User Login Success.",
    "id": "80253",
    "firedtimes": 4,
    "mail": false,
    "groups": [
      "amazon",
      "authentication_success"
    ],
    "pci_dss": [
      "10.2.5"
    ]
  },
  "agent": {
    "id": "001",
    "name": "ubuntu16"
  },
  "manager": {
    "name": "centos7"
  },
  "id": "1515581263.101057",
  "decoder": {
    "name": "json"
  },
  "data": {
    "aws": {
      "eventVersion": "1.05",
      "eventID": "05bdd76d-7af1-4b90-a8d1-b845c7c10745",
      "eventTime": "2018-01-10T10:36:55Z",
      "log_file": "166157441623_CloudTrail_us-east-1_20180110T1040Z_likYD05FxO4GlAnC.json.gz",
      "additionalEventData": {
        "MFAUsed": "No",
        "LoginTo": "https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true",
        "MobileVersion": "No"
      },
      "eventType": "AwsConsoleSignIn",
      "responseElements": {
        "ConsoleLogin": "Success"
      },
      "awsRegion": "us-east-1",
      "eventName": "ConsoleLogin",
      "userIdentity": {
        "userName": "username",
        "type": "IAMUser",
        "arn": "arn:aws:iam::166157111111:user/username",
        "principalId": "AIDAJV5U2JQLSQDXXX",
        "accountId": "166XXXXXXX"
      },
      "eventSource": "signin.amazonaws.com",
      "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36",
      "sourceIPAddress": "2.000.000.000",
      "recipientAccountId": "166157xxxxx"
    },
    "integration": "aws"
  },
  "location": "Wazuh-AWS"
}

Log samples

2018/01/10 18:46:06 wazuh-modulesd:aws-cloudtrail: INFO: Fetching logs started
2018/01/10 18:46:07 wazuh-modulesd:aws-cloudtrail: INFO: Fetching logs finished.

Tests

  1. Wrong credentials via wodle parameters
  2. Wrong credentials via Boto3 parameters/methods (http://boto3.readthedocs.io/en/latest/guide/configuration.html#configuring-credentials)
  3. Missing dependencies: Pip, Boto3.
  4. No internet connection
  5. Wrong permissions in IAM Role/User/Policy.
  6. Rules/CDB Lists matching
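
The following is an added example, not code from this PR or from the Wazuh project, illustrating the ingestion flow the description outlines: a CloudTrail object from the bucket is gzipped JSON with a top-level "Records" array; each record is tagged with the originating file name (the alert example shows this as data.aws.log_file), wrapped in the {"integration": "aws", "aws": {...}} envelope seen in the alert's "data" field, and handed to the analysis queue. The "1:Wazuh-AWS:" message prefix and the accepted suffixes for the <interval> value are assumptions, as is the sample record, which is constructed from the fields in the alert example rather than taken from a real bucket. S3 retrieval is left out so the code runs offline.

```python
import gzip
import io
import json

# Constructed sample: CloudTrail stores a gzipped JSON document with a
# top-level "Records" array in the bucket. Field values mirror the alert
# example in the PR; the file name is the one shown in data.aws.log_file.
SAMPLE_LOG_FILE = "166157441623_CloudTrail_us-east-1_20180110T1040Z_likYD05FxO4GlAnC.json.gz"
SAMPLE_RECORDS = {
    "Records": [
        {
            "eventVersion": "1.05",
            "eventTime": "2018-01-10T10:36:55Z",
            "eventSource": "signin.amazonaws.com",
            "eventName": "ConsoleLogin",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "2.000.000.000",
            "userIdentity": {"type": "IAMUser", "userName": "username"},
            "responseElements": {"ConsoleLogin": "Success"},
            "additionalEventData": {"MFAUsed": "No"},
            "eventType": "AwsConsoleSignIn",
            "recipientAccountId": "166157xxxxx",
        }
    ]
}

# Assumed queue location; it matches the "location" field of the alert example.
QUEUE_LOCATION = "Wazuh-AWS"


def make_gz_object(doc):
    """Serialize a dict to gzipped JSON bytes, the shape of an S3 CloudTrail object."""
    return gzip.compress(json.dumps(doc).encode("utf-8"))


def parse_cloudtrail_object(body, log_file):
    """Decompress one bucket object and yield its records, each enriched with
    the file it came from so an analyst can trace an alert back to the object."""
    with gzip.GzipFile(fileobj=io.BytesIO(body)) as gz:
        doc = json.loads(gz.read().decode("utf-8"))
    for record in doc.get("Records", []):
        enriched = dict(record)
        enriched["log_file"] = log_file
        yield enriched


def build_queue_message(record):
    """Wrap a record in the {"integration": "aws", "aws": {...}} envelope.
    The "1:<location>:" prefix is an assumption about the queue socket format."""
    payload = {"integration": "aws", "aws": record}
    return "1:%s:%s" % (QUEUE_LOCATION, json.dumps(payload, sort_keys=True))


def decode_queue_message(message):
    """Inverse of build_queue_message, used to check what reached the queue."""
    prefix = "1:%s:" % QUEUE_LOCATION
    if not message.startswith(prefix):
        raise ValueError("unexpected queue message prefix")
    return json.loads(message[len(prefix):])


def parse_interval(value, minimum_seconds=300):
    """Convert the wodle <interval> value (e.g. "5m") to seconds and enforce the
    5-minute minimum stated in the PR. The s/m/h/d suffix set is an assumption."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    value = value.strip()
    if value and value[-1] in units:
        seconds = int(value[:-1]) * units[value[-1]]
    else:
        seconds = int(value)
    if seconds < minimum_seconds:
        raise ValueError("interval %r is below the minimum of %d seconds" % (value, minimum_seconds))
    return seconds


def process_object(body, log_file):
    """Full flow for one bucket object: decompress, enrich, serialize for the queue."""
    return [build_queue_message(r) for r in parse_cloudtrail_object(body, log_file)]


if __name__ == "__main__":
    print("interval 5m ->", parse_interval("5m"), "seconds")
    for msg in process_object(make_gz_object(SAMPLE_RECORDS), SAMPLE_LOG_FILE):
        print(msg)
```

Because parse_interval rejects values under five minutes, a misconfigured "1m" fails at startup rather than silently polling the bucket more often than the PR allows; the log_file enrichment is what lets the "Rules/CDB Lists matching" test trace a fired rule back to the exact object it came from.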

@vikman90 vikman90 changed the base branch from master to 3.2-dev February 6, 2018 10:57
@vikman90 vikman90 merged commit 46fa380 into 3.2-dev Feb 6, 2018
@vikman90 vikman90 deleted the dev-wodle-aws branch February 6, 2018 11:35
Darioortegaleyva pushed a commit that referenced this pull request Feb 6, 2026
Update KMS to avoid AWS events invoked by AWS Internal generate tons of alerts