From fc5af435da83ae77d43295b5f2b45e3d6a3a9a91 Mon Sep 17 00:00:00 2001
From: Isaiah Becker-Mayer
Date: Wed, 9 Nov 2022 16:24:36 -0800
Subject: [PATCH] Shared Directory Audit Events (#1290)
---
 .../src/Audit/EventList/EventTypeCell.tsx | 6 +
 .../__snapshots__/Audit.story.test.tsx.snap | 226 +++++++++++++++++-
 .../teleport/src/Audit/fixtures/index.ts | 108 +++++++++
 .../teleport/src/services/audit/makeEvent.ts | 36 +++
 .../teleport/src/services/audit/types.ts | 62 +++++
 5 files changed, 436 insertions(+), 2 deletions(-)
diff --git a/web/packages/teleport/src/Audit/EventList/EventTypeCell.tsx b/web/packages/teleport/src/Audit/EventList/EventTypeCell.tsx
index 792126182ff74..722367dc1d832 100644
--- a/web/packages/teleport/src/Audit/EventList/EventTypeCell.tsx
+++ b/web/packages/teleport/src/Audit/EventList/EventTypeCell.tsx
@@ -156,6 +156,12 @@ const EventIconMap: Record = {
 [eventCodes.DESKTOP_SESSION_ENDED]: Icons.Desktop,
 [eventCodes.DESKTOP_CLIPBOARD_SEND]: Icons.Clipboard,
 [eventCodes.DESKTOP_CLIPBOARD_RECEIVE]: Icons.Clipboard,
+ [eventCodes.DESKTOP_SHARED_DIRECTORY_START]: Icons.FolderShared,
+ [eventCodes.DESKTOP_SHARED_DIRECTORY_START_FAILURE]: Icons.FolderShared,
+ [eventCodes.DESKTOP_SHARED_DIRECTORY_READ]: Icons.FolderShared,
+ [eventCodes.DESKTOP_SHARED_DIRECTORY_READ_FAILURE]: Icons.FolderShared,
+ [eventCodes.DESKTOP_SHARED_DIRECTORY_WRITE]: Icons.FolderShared,
+ [eventCodes.DESKTOP_SHARED_DIRECTORY_WRITE_FAILURE]: Icons.FolderShared,
 [eventCodes.MFA_DEVICE_ADD]: Icons.Info,
 [eventCodes.MFA_DEVICE_DELETE]: Icons.Info,
 [eventCodes.BILLING_CARD_CREATE]: Icons.CreditCardAlt2,
diff --git a/web/packages/teleport/src/Audit/__snapshots__/Audit.story.test.tsx.snap b/web/packages/teleport/src/Audit/__snapshots__/Audit.story.test.tsx.snap
index cb8976de5cf2c..d32c8f05b81b3 100644
--- a/web/packages/teleport/src/Audit/__snapshots__/Audit.story.test.tsx.snap
+++ b/web/packages/teleport/src/Audit/__snapshots__/Audit.story.test.tsx.snap
@@ -358,12 +358,12 @@ exports[`list of all events 1`] = ` - - 141 + 147 of - 141 + 147 + + + + +
+ + Directory Sharing Write +
+ + + User [joe] wrote [734] bytes to file [powershell-scripts/domain-controller.ps1] in shared directory [windows-server-2012-shared] on desktop [ec2-54-162-177-255.compute-1.amazonaws.com:3389] + + + 2022-10-21T23:19:34.519058Z + + + + + + + +
+ + Directory Sharing Read Failed +
+ + + User [joe] failed to read [734] bytes from file [powershell-scripts/domain-controller.ps1] in shared directory [windows-server-2012-shared] on desktop [ec2-54-162-177-255.compute-1.amazonaws.com:3389] + + + 2022-10-21T23:07:36.496189Z + + + + + + + +
+ + Directory Sharing Read +
+ + + User [joe] read [734] bytes from file [powershell-scripts/domain-controller.ps1] in shared directory [windows-server-2012-shared] on desktop [ec2-54-162-177-255.compute-1.amazonaws.com:3389] + + + 2022-10-21T23:07:36.496189Z + + + + + + + +
+ + Directory Sharing Start Failed +
+ + + User [joe] failed to start sharing directory [windows-server-2012-shared] to desktop [ec2-54-162-177-255.compute-1.amazonaws.com:3389] + + + 2022-10-21T22:36:27.314409Z + + + + + + + +
+ + Directory Sharing Started +
+ + + User [joe] started sharing directory [windows-server-2012-shared] to desktop [ec2-54-162-177-255.compute-1.amazonaws.com:3389] + + + 2022-10-21T22:36:27.314409Z + + + + + `User [${user}] sent ${length} bytes of clipboard data to desktop [${desktop_addr}]`, },
+ [eventCodes.DESKTOP_SHARED_DIRECTORY_START]: {
+ type: 'desktop.directory.share',
+ desc: 'Directory Sharing Started',
+ format: ({ user, desktop_addr, directory_name }) =>
+ `User [${user}] started sharing directory [${directory_name}] to desktop [${desktop_addr}]`,
+ },
+ [eventCodes.DESKTOP_SHARED_DIRECTORY_START_FAILURE]: {
+ type: 'desktop.directory.share',
+ desc: 'Directory Sharing Start Failed',
+ format: ({ user, desktop_addr, directory_name }) =>
+ `User [${user}] failed to start sharing directory [${directory_name}] to desktop [${desktop_addr}]`,
+ },
+ [eventCodes.DESKTOP_SHARED_DIRECTORY_READ]: {
+ type: 'desktop.directory.read',
+ desc: 'Directory Sharing Read',
+ format: ({ user, desktop_addr, directory_name, file_path, length }) =>
+ `User [${user}] read [${length}] bytes from file [${file_path}] in shared directory [${directory_name}] on desktop [${desktop_addr}]`,
+ },
+ [eventCodes.DESKTOP_SHARED_DIRECTORY_READ_FAILURE]: {
+ type: 'desktop.directory.read',
+ desc: 'Directory Sharing Read Failed',
+ format: ({ user, desktop_addr, directory_name, file_path, length }) =>
+ `User [${user}] failed to read [${length}] bytes from file [${file_path}] in shared directory [${directory_name}] on desktop [${desktop_addr}]`,
+ },
+ [eventCodes.DESKTOP_SHARED_DIRECTORY_WRITE]: {
+ type: 'desktop.directory.write',
+ desc: 'Directory Sharing Write',
+ format: ({ user, desktop_addr, directory_name, file_path, length }) =>
+ `User [${user}] wrote [${length}] bytes to file [${file_path}] in shared directory [${directory_name}] on desktop [${desktop_addr}]`,
+ },
+ [eventCodes.DESKTOP_SHARED_DIRECTORY_WRITE_FAILURE]: {
+ type: 'desktop.directory.write',
+ desc: 'Directory Sharing Write Failed',
+ format: ({ user, desktop_addr, directory_name, file_path, length }) =>
+ `User [${user}] failed to write [${length}] bytes to file [${file_path}] in shared directory [${directory_name}] on desktop [${desktop_addr}]`,
+ },
 [eventCodes.X11_FORWARD]: {
 type: 'x11-forward',
 desc: 'X11 Forwarding Requested',
diff --git a/web/packages/teleport/src/services/audit/types.ts b/web/packages/teleport/src/services/audit/types.ts
index 7985886c39bc5..aba07c61c5ca0 100644
--- a/web/packages/teleport/src/services/audit/types.ts
+++ b/web/packages/teleport/src/services/audit/types.ts
@@ -97,6 +97,12 @@ export const eventCodes = {
 DESKTOP_SESSION_ENDED: 'TDP01I',
 DESKTOP_CLIPBOARD_SEND: 'TDP02I',
 DESKTOP_CLIPBOARD_RECEIVE: 'TDP03I',
+ DESKTOP_SHARED_DIRECTORY_START: 'TDP04I',
+ DESKTOP_SHARED_DIRECTORY_START_FAILURE: 'TDP04W',
+ DESKTOP_SHARED_DIRECTORY_READ: 'TDP05I',
+ DESKTOP_SHARED_DIRECTORY_READ_FAILURE: 'TDP05W',
+ DESKTOP_SHARED_DIRECTORY_WRITE: 'TDP06I',
+ DESKTOP_SHARED_DIRECTORY_WRITE_FAILURE: 'TDP06W',
 EXEC_FAILURE: 'T3002E',
 EXEC: 'T3002I',
 GITHUB_CONNECTOR_CREATED: 'T8000I',
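Review bot: The three failure codes added to `eventCodes` end in `W` (`TDP04W`, `TDP05W`, `TDP06W`), while the context line `EXEC_FAILURE: 'T3002E'` in the same hunk uses `E` for a failure. If the trailing letter is a severity that alert rules or log filters key on, a failed read or write in a shared directory would not match an `E`-only filter. Assuming the values mirror what the backend emits (not visible in this patch), a comment above the new entries such as `// shared-directory failures are emitted at warning severity (W); values must match the backend codes` would make the choice explicit. The `eventCodes` object starts and ends outside the hunk.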
@@ -931,6 +937,62 @@ export type RawEvents = {
 windows_domain: string;
 }
 >;
+ [eventCodes.DESKTOP_SHARED_DIRECTORY_START]: RawEvent<
+ typeof eventCodes.DESKTOP_SHARED_DIRECTORY_START,
+ {
+ desktop_addr: string;
+ directory_name: string;
+ windows_domain: string;
+ }
+ >;
+ [eventCodes.DESKTOP_SHARED_DIRECTORY_START_FAILURE]: RawEvent<
+ typeof eventCodes.DESKTOP_SHARED_DIRECTORY_START_FAILURE,
+ {
+ desktop_addr: string;
+ directory_name: string;
+ windows_domain: string;
+ }
+ >;
+ [eventCodes.DESKTOP_SHARED_DIRECTORY_READ]: RawEvent<
+ typeof eventCodes.DESKTOP_SHARED_DIRECTORY_READ,
+ {
+ desktop_addr: string;
+ directory_name: string;
+ windows_domain: string;
+ file_path: string;
+ length: number;
+ }
+ >;
+ [eventCodes.DESKTOP_SHARED_DIRECTORY_READ_FAILURE]: RawEvent<
+ typeof eventCodes.DESKTOP_SHARED_DIRECTORY_READ_FAILURE,
+ {
+ desktop_addr: string;
+ directory_name: string;
+ windows_domain: string;
+ file_path: string;
+ length: number;
+ }
+ >;
+ [eventCodes.DESKTOP_SHARED_DIRECTORY_WRITE]: RawEvent<
+ typeof eventCodes.DESKTOP_SHARED_DIRECTORY_WRITE,
+ {
+ desktop_addr: string;
+ directory_name: string;
+ windows_domain: string;
+ file_path: string;
+ length: number;
+ }
+ >;
+ [eventCodes.DESKTOP_SHARED_DIRECTORY_WRITE_FAILURE]: RawEvent<
+ typeof eventCodes.DESKTOP_SHARED_DIRECTORY_WRITE_FAILURE,
+ {
+ desktop_addr: string;
+ directory_name: string;
+ windows_domain: string;
+ file_path: string;
+ length: number;
+ }
+ >;
 [eventCodes.UNKNOWN]: RawEvent<
 typeof eventCodes.UNKNOWN,
 {
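Review bot: The `DESKTOP_SHARED_DIRECTORY_READ_FAILURE` and `DESKTOP_SHARED_DIRECTORY_WRITE_FAILURE` payloads declare the same `length: number` as the success variants, and nothing in the fields declared here says whether it is the byte count requested or the count actually transferred, nor is there an error or status field. The formatters in makeEvent.ts render these as "failed to read [length] bytes", so someone reading the audit view cannot tell how much data, if any, moved before the failure or why it failed. If the backend event carries an offset or error detail (not visible in this patch), declaring it here would let the message show it; otherwise a comment on the field such as `// length: bytes requested by the operation — confirm against the backend event` would prevent misreading. `RawEvents` starts and ends outside the hunk.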