f5devcentral / f5-security-hub-extension

An iControl LX Extension for publishing ASM logs to AWS Security Hub
MIT License

Failed to create logging profile #1

Open tkam8 opened 5 years ago

tkam8 commented 5 years ago
ISSUE TYPE
VERSION
f5-securityhub-0.9.3-1.noarch.rpm
BIGIP VERSION
# tmsh show sys ver

Sys::Version
Main Package
  Product     BIG-IP
  Version     13.1.0.2
  Build       0.0.6
  Edition     Point Release 2
  Date        Tue Jan 16 08:46:28 PST 2018
SUMMARY

Seems the tmsh command that is being issued does not have the right syntax, so the logging profile does not get automatically created.

There is no "logger-type" property AFAICT. Checked the schema: (tmos)# help security log profile

STEPS TO REPRODUCE
  1. Download latest release 0.9.3, import into BIG-IP in iApps > Package Management LX
  2. monitor /var/log/restnoded/restnoded.log
EXPECTED RESULTS

logging profile automatically created

ACTUAL RESULTS

from /var/log/restnoded/restnoded.log

Sat, 25 May 2019 13:53:16 GMT - config: [RestWorker] /shared/securityhub has started. Name:SecurityHubWorker
Sat, 25 May 2019 13:53:16 GMT - fine: {"code":500,"message":"Invalid chunk size: '{'  ByteBuffer contents: 'HTTP/1.1 200 OK\r\nDate: Sat May 25 22:53:16 2019\r\nCache-Control: no-cache\r\nServer: f5.rest.RestServer\r\nConnection: keep-alive\r\nContent-Type: application/json\r\nAllow: \r\nX-F5-Config-Api-Status: 1907\r\nContent-Length: 1079\r\n\r\n{\"kind\":\"tm:util:bash:runstate\",\"command\":\"run\",\"utilCmdArgs\":\"-c \\\"tmsh create security log profile securityhub-logger application add { securityhub-logger-app { logger-type remote remote-storage remote format { field-delimiter , fields { attack_type blocking_exception_reason captcha_result client_type date_time dest_ip dest_port device_id geo_location http_class_name ip_address_intelligence ip_client ip_with_route_domain is_truncated login_result management_ip_address method mobile_application_name mobile_application_version policy_apply_date policy_name protocol query_string request request_status response response_code route_domain session_id severity sig_ids sig_names sig_set_names src_port staged_sig_ids staged_sig_names staged_sig_set_names sub_violations support_id unit_hostname uri username violation_details violation_rating violations virus_name websocket_direction websocket_message_type x_forwarded_for_header_value  } } servers add { 127.0.0.1:8514 } format { field-format none } } }\\\"\",\"commandResult\":\"Syntax Error: \\\"logger-type\\\" unknown property\\n\"}'","referer":"/127.0.0.1:33100","restOperationId":1501805,"kind":":resterrorresponse"}
tkam8 commented 5 years ago

Testing on v14.1 shows no issue

tmsh show sys ver

Sys::Version
Main Package
  Product     BIG-IP
  Version     14.1.0.3
  Build       0.0.6
  Edition     Point Release 3
  Date        Mon Mar 25 17:15:27 PDT 2019

/var/log/restnoded/restnoded.log

Sat, 25 May 2019 15:11:42 GMT - config: [RestWorker] /shared/securityhub has started. Name:SecurityHubWorker
Sat, 25 May 2019 15:11:42 GMT - finest: [restnodedOdataAdapter] Forwarder notifyLost callback
Sat, 25 May 2019 15:11:42 GMT - finest: [restnodedOdataAdapter] Forwarder notify callback: {"external":"/mgmt/shared/securityhub","internal":"/shared/securityhub","port":8105,"apiStatus":"NO_STATUS"}
Sat, 25 May 2019 15:11:46 GMT - fine: {"kind":"tm:util:bash:runstate","command":"run","utilCmdArgs":"-c \"tmsh create security log profile securityhub-logger application add { securityhub-logger-app { logger-type remote remote-storage remote format { field-delimiter , fields { attack_type blocking_exception_reason captcha_result client_type date_time dest_ip dest_port device_id geo_location http_class_name ip_address_intelligence ip_client ip_with_route_domain is_truncated login_result management_ip_address method mobile_application_name mobile_application_version policy_apply_date policy_name protocol query_string request request_status response response_code route_domain session_id severity sig_ids sig_names sig_set_names src_port staged_sig_ids staged_sig_names staged_sig_set_names sub_violations support_id unit_hostname uri username violation_details violation_rating violations virus_name websocket_direction websocket_message_type x_forwarded_for_header_value } } servers add { 127.0.0.1:8514 } format { field-format none } } }\""}

# tmsh list security log profile securityhub-logger
[api-status-warning] security/log/profile, properties : deprecated : application/local-storage
security log profile securityhub-logger {
    application {
        securityhub-logger-app {
            format {
                fields { attack_type blocking_exception_reason captcha_result client_type date_time dest_ip dest_port device_id geo_location http_class_name ip_address_intelligence ip_client ip_with_route_domain is_truncated login_result management_ip_address method mobile_application_name mobile_application_version policy_apply_date policy_name protocol query_string request request_status response response_code route_domain session_id severity sig_ids sig_names sig_set_names src_port staged_sig_ids staged_sig_names staged_sig_set_names sub_violations support_id unit_hostname uri username violation_details violation_rating violations virus_name websocket_direction websocket_message_type x_forwarded_for_header_value }
            }
            local-storage disabled
            logger-type remote
            remote-storage remote
            servers {
                127.0.0.1:8514 { }
            }
        }
    }
}

zinkem5 commented 5 years ago

This is a known issue with 13.1; the workaround is to add the logging profile with this command and restart restnoded:

create security log profile securityhub-logger application add { securityhub-logger-app { remote-storage remote format { field-delimiter , fields { attack_type blocking_exception_reason captcha_result client_type date_time dest_ip dest_port device_id geo_location http_class_name ip_address_intelligence ip_client ip_with_route_domain is_truncated login_result management_ip_address method mobile_application_name mobile_application_version policy_apply_date policy_name protocol query_string request request_status response response_code route_domain session_id severity sig_ids sig_names sig_set_names src_port staged_sig_ids staged_sig_names staged_sig_set_names sub_violations support_id unit_hostname uri username violation_details violation_rating violations virus_name websocket_direction websocket_message_type x_forwarded_for_header_value  } } servers add { 127.0.0.1:8514 } format { field-format none } } }

Fix pending in a future update.
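As an added example (not code from this issue thread or from the extension itself), the Node.js snippet below, in the language iControl LX extensions are written in, builds the create command with or without logger-type from the BIG-IP version and inspects a tm:util:bash:runstate reply for the "unknown property" error seen in the 13.1 log above. The version cutover, the helper names and the shortened field list are assumptions.

```javascript
// Added example, not code from the f5-security-hub-extension project.
// Names, the version cutover and the field subset below are assumptions.
const PROFILE = 'securityhub-logger';
const APP = 'securityhub-logger-app';
const SERVER = '127.0.0.1:8514';
// Constructed subset of the ASM log fields listed in the issue's command.
const FIELDS = ['attack_type', 'date_time', 'dest_ip', 'ip_client', 'request', 'violations'];

// Parse "13.1.0.2" into [13, 1] for a major.minor comparison.
function majorMinor(version) {
  const m = /^(\d+)\.(\d+)/.exec(String(version));
  if (!m) throw new Error('unrecognised BIG-IP version: ' + version);
  return [Number(m[1]), Number(m[2])];
}

// Assumption taken from this thread alone: "logger-type" is rejected on
// 13.1 and accepted on 14.1; the release that introduced it is not stated.
function supportsLoggerType(version) {
  const [major, minor] = majorMinor(version);
  return major > 14 || (major === 14 && minor >= 1);
}

// Build the create command, dropping logger-type where it is not accepted
// (the workaround given in the thread).
function buildCreateCommand(version) {
  const loggerType = supportsLoggerType(version) ? 'logger-type remote ' : '';
  return `tmsh create security log profile ${PROFILE} application add { ${APP} { ` +
    `${loggerType}remote-storage remote format { field-delimiter , ` +
    `fields { ${FIELDS.join(' ')} } } servers add { ${SERVER} } ` +
    `format { field-format none } } }`;
}

// In the 13.1 log the bash call itself answered HTTP 200; the tmsh failure
// only appears in commandResult, so the reply body must be inspected.
function checkRunstate(runstate) {
  const result = (runstate && runstate.commandResult) || '';
  const m = /Syntax Error: "([^"]+)" unknown property/.exec(result);
  if (m) return { ok: false, unknownProperty: m[1] };
  if (/Syntax Error/.test(result)) return { ok: false, unknownProperty: null };
  return { ok: true, unknownProperty: null };
}

// Constructed reply modelled on the 13.1 log line quoted in the issue.
const SAMPLE_13_1_REPLY = {
  kind: 'tm:util:bash:runstate',
  command: 'run',
  commandResult: 'Syntax Error: "logger-type" unknown property\n',
};
```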