Wednesday, December 02, 2015

On BI: Spring Tomcat Impersonation audit

The amount of intelligence you can pull from logs is unlimited. In a typical log line like the one below we see a session id and the request, but we have no idea who is editing the employee. Furthermore, the employee might be edited under impersonation.
2015-11-07 22:15:05,845 INFO [com.sample.web.filter.LoggingFilter doFilter] - 172.16.2.41 AD3A60A51885B74F2AC2B02F5BDD3AC0.node1 /employee/204187 192.168.0.43
Filtering by the session id, we can easily see whether a user was impersonated and list both the real user and the impersonated user with the awk script below:
#!/usr/bin/awk -f
# spring-impersonation-audit.awk
# author: Nestor Urquiza
# date: 20151123
# description: Lists users and impersonated users per request
# note: gensub() is a gawk extension, so run with gawk -f spring-impersonation-audit.awk catalina.out
# fields in the LoggingFilter line: $1 $2 = date time, $7 = IP, $8 = session id, $9 = request URI
{
    # first login seen on this session id names the real user behind it
    if(!usernames[$8] && match($0,"login.*j_username")){
        usernames[$8]=gensub(/^.*j_username=([^& ]*)[& ].*$/,"\\1","g");
    }
    sessionids[$9]=$8;
    others[$9]=$1" "$2" "$7;
    # switchUser starts an impersonation on the session, switchUserExit ends it
    if(match($0,"switchUser.*j_username")){
        impersonated[$8]=gensub(/^.*j_username=([^& ]*)[& ].*$/,"\\1","g");
    }
    if(match($0,"switchUserExit.*")){
        impersonated[$8]="na";
    }
    if(impersonated[$8]){
        impersonatedUserNames[$9]=impersonated[$8];
    } else {
        impersonatedUserNames[$9]="na";
    }
}
END {
    # only sessions with a known login are reported
    for(request in sessionids){
        sessionid=sessionids[request];
        if(usernames[sessionid]){
            print others[request]" "sessionid" "usernames[sessionid]" "impersonatedUserNames[request]" "request;
        }
    }
}
We now get something like:
2015-11-07 22:15:05,845 192.168.0.43 AD3A60A51885B74F2AC2B02F5BDD3AC0.node1 impersonator@sample.com impersonated@sample.com /employee/204187
Note that if you log all parameters as part of the URL, regardless of whether the request is a POST or a GET, you save a lot of time. If you use JSON payloads things will most likely get a little more complicated, since you would need to extract specific fields from the payload, but overall you can extract a lot of business intelligence from logs just using the veteran awk.
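The same correlation reimplemented in Python, as an added example that is not part of the original post: it parses the LoggingFilter line format shown above, remembers the real user from the first login per session id, tracks switchUser/switchUserExit per session, and emits one row per request (the awk script keeps one entry per URI). The log lines are constructed for the example and the column positions follow the sample line above.

```python
import re

# Constructed sample lines in the LoggingFilter format shown in the post
# (the login line masks j_password: a filter that logs every parameter
# would otherwise write the password into the log).
SAMPLE_LOG = """\
2015-11-07 22:10:01,100 INFO [com.sample.web.filter.LoggingFilter doFilter] - 172.16.2.41 AD3A60A51885B74F2AC2B02F5BDD3AC0.node1 /login?j_username=impersonator@sample.com&j_password=*** 192.168.0.43
2015-11-07 22:12:30,200 INFO [com.sample.web.filter.LoggingFilter doFilter] - 172.16.2.41 AD3A60A51885B74F2AC2B02F5BDD3AC0.node1 /switchUser?j_username=impersonated@sample.com 192.168.0.43
2015-11-07 22:15:05,845 INFO [com.sample.web.filter.LoggingFilter doFilter] - 172.16.2.41 AD3A60A51885B74F2AC2B02F5BDD3AC0.node1 /employee/204187 192.168.0.43
2015-11-07 22:16:00,000 INFO [com.sample.web.filter.LoggingFilter doFilter] - 172.16.2.41 AD3A60A51885B74F2AC2B02F5BDD3AC0.node1 /switchUserExit 192.168.0.43
2015-11-07 22:16:10,000 INFO [com.sample.web.filter.LoggingFilter doFilter] - 172.16.2.41 AD3A60A51885B74F2AC2B02F5BDD3AC0.node1 /employee/204187 192.168.0.43
2015-11-07 22:17:00,000 INFO [com.sample.web.filter.LoggingFilter doFilter] - 10.0.0.9 FFFF0000FFFF0000FFFF0000FFFF0000.node1 /employee/5 192.168.0.43
"""

USERNAME_RE = re.compile(r"j_username=([^& ]*)")


def audit(log_text):
    """Return (date, time, client_ip, session, user, impersonated, uri)
    for every request whose session has a known login, in log order."""
    usernames = {}     # session id -> real (authenticated) user
    impersonated = {}  # session id -> user currently impersonated, if any
    rows = []
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 10:
            continue  # not a LoggingFilter line
        date, ts, session, uri, client_ip = f[0], f[1], f[7], f[8], f[9]
        m = USERNAME_RE.search(line)
        # First login on the session names the real user behind it
        if "login" in uri and m and session not in usernames:
            usernames[session] = m.group(1)
        # Check the exit first: "/switchUserExit" also contains "switchUser"
        if "switchUserExit" in uri:
            impersonated.pop(session, None)
        elif "switchUser" in uri and m:
            impersonated[session] = m.group(1)
        if session in usernames:
            rows.append((date, ts, client_ip, session, usernames[session],
                         impersonated.get(session, "na"), uri))
    return rows


if __name__ == "__main__":
    for row in audit(SAMPLE_LOG):
        print(" ".join(row))
```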
