Convert ssh access config to json

2018-10-22 19:31:50 -05:00 · 2018-10-22 19:31:50 -05:00 · c479d33c47
--- a/alerts/ssh_access_signreleng.conf
+++ b/alerts/ssh_access_signreleng.conf
@ -1,4 +0,0 @@
-[options]
-hostfilter = (host1|host2.*).*
-ircchannel = #somechannel
-exclusions = [{"summary":"someuser", "details.sourceipaddress": "4.5.6.7"}, {"summary":"anotheruser", "details.sourceipaddress": "8.9.10.11"}]
--- a/alerts/ssh_access_signreleng.json
+++ b/alerts/ssh_access_signreleng.json
@ -0,0 +1,8 @@
+{
+    "hostfilter": "(host1|host2.*).*",
+    "ircchannel": "#somechannel",
+    "exclusions": [
+        {"summary":"someuser", "details.sourceipaddress": "4.5.6.7"},
+        {"summary":"anotheruser", "details.sourceipaddress": "8.9.10.11"}
+    ]
+}
--- a/alerts/ssh_access_signreleng.py
+++ b/alerts/ssh_access_signreleng.py
@ -8,28 +8,25 @@
 from lib.alerttask import AlertTask
 from mozdef_util.query_models import SearchQuery, TermMatch, PhraseMatch, QueryStringMatch
 import re
-import json


 class AlertAuthSignRelengSSH(AlertTask):
    def main(self):
        search_query = SearchQuery(minutes=15)

-        self.parse_config('ssh_access_signreleng.conf', ['hostfilter', 'ircchannel', 'exclusions'])
+        self.config = self.parse_json_alert_config('ssh_access_signreleng.json')

-        if self.config.ircchannel == '':
-            self.config.ircchannel = None
-
-        exclusions = json.loads(self.config.exclusions)
+        if self.config['ircchannel'] == '':
+            self.config['ircchannel'] = None

        search_query.add_must([
            TermMatch('tags', 'releng'),
            TermMatch('details.program', 'sshd'),
-            QueryStringMatch('hostname: /{}/'.format(self.config.hostfilter)),
+            QueryStringMatch('hostname: /{}/'.format(self.config['hostfilter'])),
            PhraseMatch('summary', 'Accepted publickey for ')
        ])

-        for exclusion in exclusions:
+        for exclusion in self.config['exclusions']:
            exclusion_query = None
            for key, value in exclusion.iteritems():
                phrase_exclusion = PhraseMatch(key, value)
@ -67,4 +64,4 @@ class AlertAuthSignRelengSSH(AlertTask):
            targetuser = groups[0]

        summary = 'SSH login from {0} on {1} as user {2}'.format(sourceipaddress, targethost, targetuser)
-        return self.createAlertDict(summary, category, tags, [event], severity, ircchannel=self.config.ircchannel)
+        return self.createAlertDict(summary, category, tags, [event], severity, ircchannel=self.config['ircchannel'])