
Detecting console logins on OCI

Posted at 2019-10-07

What I did

I wanted to use Events to send mail notifications from the audit log that is collected by default, but there is no event type that looks like audit! So I changed course and used the oci command to pull the login history as a daily batch job.

Prerequisites

oci cli

Installed by following this article:
コマンドライン(CLI)でOCIを操作する - Oracle Cloud Infrastructureアドバンスド

jq

Installed the usual way: # yum install jq

Commands (bash assumed)

- Command that outputs today's console login history

$ TENANCY_ID=ocid1.tenancy.oc1..aaaxxxxxx # enter your own tenancy OCID
$ START_DAY=$(date '+%Y-%m-%d 00:00')
$ END_DAY=$(date -d '1 days' '+%Y-%m-%d 00:00')

※ Unless the oci cli's target region is set to the home region, the sign-on audit records cannot be retrieved.
※ [Addendum] The JSON format seems to have changed, and the command below can no longer format the output.
$ oci audit event list  --start-time "${START_DAY}" --end-time "${END_DAY}" --all -c ${TENANCY_ID} --query 'data[?"event-source"==`IdentitySignOn`]' |jq -r '["event-source","event-name","user-name","event-time","response-status","request-origin"] ,(. [] | [."event-source",."event-name",."user-name",."event-time",."response-status",."request-origin"] )|@csv'

"event-source","event-name","user-name","event-time","response-status","request-origin"
"IdentitySignOn","InteractiveLogin","xxuser_namexx","2019-10-07T00:03:03.629000+00:00","200","xx.xxx.xx.xxx"
"IdentitySignOn","InteractiveLogin","xxuser_namexx","2019-10-07T01:21:02.032000+00:00","401","xx.xxx.xx.xxx"
"IdentitySignOn","InteractiveLogin","xxuser_namexx","2019-10-07T01:21:25.495000+00:00","200","xx.xxx.xx.xxx"
"IdentitySignOn","FederatedInteractiveLoginAttempt","","2019-10-07T02:32:01.625000+00:00","200","xx.xxx.xx.xxx"
"IdentitySignOn","InteractiveLogin","xxuser_namexx","2019-10-07T05:47:34.890000+00:00","200","xx.xxx.xx.xxx"
"IdentitySignOn","InteractiveLogin","xxuser_namexx","2019-10-07T05:47:58.850000+00:00","200","xx.xxx.xx.xxx"
"IdentitySignOn","InteractiveLogin","xxuser_namexx","2019-10-07T05:58:33.618000+00:00","200","xx.xxx.xx.xxx"

※ Today's login history is pulled as JSON with the oci command and formatted into CSV with jq.
※ xxuser_namexx is where the actual login user name appears. For logins from IDCS (FederatedInteractiveLoginAttempt), it is not output.
※ A status code other than 200 means a failed login (as far as I tested).

※ [Addendum] As of 2019.11, I confirmed the records can be retrieved with the following command:
oci audit event list  --start-time "${START_DAY}" --end-time "${END_DAY}" --all -c ${TENANCY_ID} \
 --query 'data[?"source"==`IdentitySignOn`]' \
  |jq -r '["event-time","source","event-name","principal-name","ip-address","status"],
   (. [] |[ ."event-time"
           ,."source" 
           ,(."data"."event-name")
           ,(."data"."identity"."principal-name")
           ,(."data"."identity"."ip-address")
           ,(."data"."response"."status")]
    ) |@csv'
"2019-11-04T11:04:07.845000+00:00","IdentitySignOn","InteractiveLogin","xxuser_namexx","xx.xxx.xx.xxx","200"
"2019-11-04T12:20:03.218000+00:00","IdentitySignOn","InteractiveLogin","xxuser_namexx","xx.xxx.xx.xxx","200"
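As an added example (not part of the original post), the same filtering and CSV flattening as the jq command above done in Python, plus the "status other than 200" check the post uses to spot failed logins. The sample JSON is constructed with placeholder user names and documentation-range IPs; its field names follow the November 2019 format used in the command above, and in the daily batch you would feed it the raw `oci audit event list ... --all` output instead.

```python
import csv, io, json

COLUMNS = ["event-time", "source", "event-name", "principal-name", "ip-address", "status"]

def _ev(t, src, name, who, ip, status):
    # One event in the shape of the post-2019.11 `oci audit event list` JSON (nested "data").
    return {"event-time": t, "source": src, "data": {"event-name": name,
            "identity": {"principal-name": who, "ip-address": ip}, "response": {"status": status}}}

# Constructed sample: placeholder user names and documentation-range IPs, not real tenancy data.
SAMPLE_JSON = json.dumps({"data": [
    _ev("2019-11-04T11:04:07.845000+00:00", "IdentitySignOn", "InteractiveLogin", "alice", "203.0.113.10", "200"),
    _ev("2019-11-04T11:05:00.000000+00:00", "IdentitySignOn", "InteractiveLogin", "alice", "203.0.113.10", "401"),
    _ev("2019-11-04T11:06:00.000000+00:00", "IdentitySignOn", "FederatedInteractiveLoginAttempt", None, "203.0.113.11", "200"),
    _ev("2019-11-04T11:07:00.000000+00:00", "ComputeApi", "LaunchInstance", "bob", "203.0.113.12", "200"),
]})

def sign_on_rows(raw_json):
    """Keep only IdentitySignOn events and flatten them into the six columns the jq filter emits."""
    rows = []
    events = [e for e in json.loads(raw_json).get("data", []) if e.get("source") == "IdentitySignOn"]
    for ev in events:
        d = ev.get("data") or {}
        ident = d.get("identity") or {}
        rows.append({
            "event-time": ev.get("event-time", ""),
            "source": ev["source"],
            "event-name": d.get("event-name", ""),
            # Federated (IDCS) attempts carry no principal name, as the post notes; emit "" like jq does.
            "principal-name": ident.get("principal-name") or "",
            "ip-address": ident.get("ip-address") or "",
            "status": str((d.get("response") or {}).get("status", "")),
        })
    return rows

def to_csv(rows):
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=COLUMNS, quoting=csv.QUOTE_ALL, lineterminator="\n")
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()

def failed_logins(rows):
    """Status other than 200 was a failed login in the author's tests; these rows are the ones to alert on."""
    return [r for r in rows if r["status"] != "200"]

if __name__ == "__main__":  # in the daily batch, feed sys.stdin.read() from the oci command instead
    rows = sign_on_rows(SAMPLE_JSON)
    print(to_csv(rows), end="")
    print("failed logins:", [(r["event-time"], r["ip-address"], r["status"]) for r in failed_logins(rows)])
```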

Conclusion

Detection looks feasible by checking whether any records exist. Ideally I would like to implement this simply with Events.
