INTRUspect

Version 1.0.0, 13th February 2017

Copyright © 2017 Mark G. Daniel
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the
conditions of the GNU GENERAL PUBLIC LICENSE, version 3, or any later version.
http://www.gnu.org/licenses/gpl.txt


INTRUspect (pronounced "in-truh-spect") is an in-browser, real-time VMS intrusion database monitor.

INTRUspect should work with all relatively modern browsers. Developed against Chrome, Firefox, MSIE (10+), and Safari, on OS X and Windows platforms. It uses HTML5 elements and will not work with the HTML4 generation of browsers.

INTRUspect operates as a CGI web application and so is suitable for VMS Apache, OSU and WASD scripting. It can also run as a CGIplus and WebSocket application under WASD 10.1 or later, improving latency and performance.

INTRUspect caches entries as they appear in the intrusion database and uses the cache to track some additional items (e.g. count delta). The cache also keeps an item visible after the intrusion entry expires (or is manually deleted), providing a recent history.

Usage

INTRUspect is activated by accessing the URL for its script location. This is usually something like
http://the.site.name/cgi-bin/intruspect
which opens an in-line monitor. A bookmarklet can also be used to open a stand-alone window.

If intrusion records exist then INTRUspect opens displaying a relatively simple table of intrusion data. Many of these items reflect the command-line SHOW INTRUSION data. Initial ordering of the table entries reflects the order of the system intrusion database at that time. Subsequent entries are added to the top of the table and so are ordered from most to least recent. The following (contrived) example shows the essentials of the report; the items are described below.

The elements of intrusion data are described in the OpenVMS Guide to System Security (September 2003 edition referenced), Managing System Access chapter, Controlling the Login Process section, Detecting Intruders and Understanding The Intrusion Database subsections.

INTRUspect controls:

  top-left   The unlabeled checkbox in the top-left of the monitor displays a section allowing the URLs for multiple INTRUspect sites (one per line) to be configured into a single display. Do not mix http:// and https:// specifications in any combination; browsers often block content from mixed security domains. Note that MonDeSi, à la mode and INTRUspect URLs can be combined on the one display in either application, as well as DCLinabox terminal URLs.
  left       Adjacent to the node name, the checkbox minimises the per-node display; when unchecked, a synopsis of the current INTRUspect data is shown in its place.
  Collect    Enables and disables data collection from the server.
  Update     Disabling display update retains the server connection but does not disturb the current report.
  Purge      Removes expired entries at the history timeout. Uncheck to retain expired items indefinitely.
  Geolocate  See Geolocation.
  Print      Prints the current report.
  Zero       Zeroes and otherwise resets INTRUspect data.

INTRUspect tabled data comprises:

  Type        INTR[UDER] or SUSP[ECT]
  Class       NETW[ORK], TE[RM]_US[ER], TERM[INAL] or USER[NAME]
  Node        Clustered systems show the node name of the intrusion. Non-clustered systems do not show this item.
  Network **  Commonly an IP address or host domain name. Can be a DECnet node name. With the Geolocate checkbox enabled, geolocation data is also displayed.
  Source **   Additional information clarifying the originator of the authentication. This is often an application or facility, and is not always present.
  Ident **    Additional information on the authentication source or username. Not always present.
  Count       The total number of failed authentication attempts.
  Delta       The number of recent failed attempts. This count continues to accumulate as long as an additional failed attempt occurred during the preceding 30 seconds.
  Noticed     Time a new record was noticed. Records existing at the start of processing are shown as initial. The age of the entry follows the time (e.g. -05:34).
  Expires     When the current record is due for re-evaluation and/or removal. If expiry is still in the future the period is shown as a positive value (e.g. +10:08), and if already expired as a negative value (e.g. -03:54), with the expiry time struck-through (e.g. 13:50:15).

  ** The network, source and ident items are parsed from the single SHOW INTRUSION Source datum. The elements of this are somewhat free-form, resulting in variability in the parsed results.

From VMS V7.3 the default has been to maintain a cluster-wide intrusion database. Any single node will register intrusions from itself and any other node in a cluster.

Recently noticed entries are highlighted with a green background for 30 seconds.

Entries of type intruder (in contrast to suspect) are highlighted with a red background.

Entries with a changed count value are highlighted using a yellow background for 30 seconds.

Entries (manually) deleted before expiry are highlighted using the same yellow background for 30 seconds.

Expired entries (those no longer present in the system intrusion database) are highlighted using an off-white background and then with a pale yellow background for 15 seconds before being purged. Note that an expired entry can be reactivated, is then highlighted as recently noticed, and can show a higher count than the equivalent SHOW INTRUSION as the INTRUspect count is cumulative across those multiple activities.
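The caching, delta and highlighting behaviour described above, modelled as an added JavaScript example (this is not code from the INTRUspect kit). Snapshots of the intrusion database are fed in at given times; the cache records when each entry was noticed, accumulates the count and the 30-second delta, keeps expired entries as history, and reports which highlight applies at a given time. The record field names, the snapshot shape, the record identity and the highlight precedence are assumptions; the timings are the defaults listed in the configuration table.

```javascript
// Added example, not part of the INTRUspect kit: a model of the client cache.
// Assumptions: records carry type, cls, node, source, count and expires
// (seconds); identity is type+class+node+source; highlight precedence is
// deleted, fading, new, changed count, intruder.  Times are seconds.
const DEFAULTS = {
  notifySecs: 30, deltaSecs: 30, historySecs: 120,
  fadingSecs: 15, deletedSecs: 30, purge: true,
};

// Identity of a database record: type, class, node and source (assumption).
function recordKey(r) {
  return [r.type, r.cls, r.node || '', r.source].join('|');
}

class IntrusionCache {
  constructor(cfg = {}) {
    this.cfg = { ...DEFAULTS, ...cfg };
    this.entries = new Map();
    this.started = false;
  }

  // Apply one snapshot of SHOW INTRUSION-style records taken at `now`.
  update(records, now) {
    const seen = new Set();
    for (const r of records) {
      const key = recordKey(r);
      seen.add(key);
      let e = this.entries.get(key);
      if (e === undefined) {
        e = {
          key, type: r.type, cls: r.cls, node: r.node, source: r.source,
          noticed: this.started ? now : 'initial', noticedAt: now,
          count: r.count, dbCount: r.count, delta: 0,
          countChangedAt: -Infinity, expiredAt: null, deletedAt: null,
        };
        this.entries.set(key, e);
      } else if (e.expiredAt !== null) {
        // Reactivated: treated as newly noticed.  The displayed count keeps
        // accumulating, so it can exceed the database's own count.
        e.expiredAt = null; e.deletedAt = null;
        e.noticed = now; e.noticedAt = now;
        e.count += r.count; e.dbCount = r.count; e.delta = 0;
      } else if (r.count > e.dbCount) {
        const inc = r.count - e.dbCount;
        // Delta keeps counting while increments arrive within deltaSecs of
        // the previous one; otherwise it restarts from this increment.
        e.delta = now - e.countChangedAt <= this.cfg.deltaSecs ? e.delta + inc : inc;
        e.countChangedAt = now;
        e.count += inc; e.dbCount = r.count;
      }
      e.expires = r.expires;
    }
    // Entries missing from the snapshot have expired or were deleted by hand.
    for (const e of this.entries.values()) {
      if (!seen.has(e.key) && e.expiredAt === null) {
        e.expiredAt = now;
        if (e.expires > now) e.deletedAt = now;   // gone before its expiry time
      }
    }
    if (this.cfg.purge) {
      for (const [key, e] of this.entries) {
        if (e.expiredAt !== null && now - e.expiredAt >= this.cfg.historySecs) {
          this.entries.delete(key);
        }
      }
    }
    this.started = true;
  }

  // Background highlight of an entry at time `now`.
  highlight(key, now) {
    const e = this.entries.get(key);
    const c = this.cfg;
    if (e === undefined) return 'purged';
    if (e.expiredAt !== null) {
      if (e.deletedAt !== null && now - e.deletedAt < c.deletedSecs) return 'yellow';
      return c.historySecs - (now - e.expiredAt) <= c.fadingSecs ? 'pale-yellow' : 'off-white';
    }
    if (now - e.noticedAt < c.notifySecs) return 'green';
    if (now - e.countChangedAt < c.deltaSecs) return 'yellow';
    return e.type === 'INTRUDER' ? 'red' : 'none';
  }
}

// Constructed sample timeline (not real data); returns the final cache.
function runSampleTimeline() {
  const cache = new IntrusionCache();
  const susp = { type: 'SUSPECT', cls: 'NETWORK', source: '192.0.2.10', count: 3, expires: 1000 };
  const intr = { type: 'INTRUDER', cls: 'TERM_USER', source: '192.0.2.99/ADMIN', count: 9, expires: 2000 };
  cache.update([susp], 0);                           // present at start: "initial"
  cache.update([{ ...susp, count: 5 }, intr], 10);   // two more failures; new intruder
  cache.update([{ ...susp, count: 6 }, intr], 30);   // +1 within 30 s: delta continues (3)
  cache.update([{ ...susp, count: 7 }, intr], 100);  // +1 after a gap: delta restarts (1)
  cache.update([intr], 110);                         // suspect gone before expiry: deleted
  cache.update([intr], 300);                         // past history timeout: suspect purged
  return cache;
}
```

Run with `node` and inspect `runSampleTimeline().entries`; only the intruder remains, highlighted red, while the suspect's history was purged once 120 seconds had passed since it disappeared.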

Geolocation

INTRUspect can provide geolocation data for IP address information.

https://en.wikipedia.org/wiki/Geolocation

The Geolocate checkbox enables this facility, displaying location data between curly braces for the network item, adjacent to the host address/name. The lookup is performed in JavaScript by the client browser, which therefore sends each intrusion source address to the selected geolocation service; choose the service (or a local instance) accordingly.

Two geolocation services are built-in and site-selectable using the configuration function configGeolocateService(). The default is freegeoip.net.

  • freegeoip.net provides a public HTTP API for software developers to search the geolocation of IP addresses. It uses a database of IP addresses that are associated to cities along with other relevant information like time zone, latitude and longitude.

    Up to 10,000 queries per hour are allowed. Once this limit is reached, all client requests will result in HTTP 403, forbidden, until the per-hour quota elapses.

    The freegeoip web server is free and open source so if the public service limit is a problem, download it and run your own instance. The service host may be configured using configGeolocateFreeGeoIp('host').

  • ip-api.com provides free usage of its Geo IP API through multiple response formats.

    The system will begin refusing any IP address making more than 150 requests per minute. It is free to use ip-api.com for non-commercial use. Commercial use without prior approval is not permitted.

    Configure using configGeolocateService(geoLocateIpApi).

  • plus is intended to provide a reasonably independent, site-specific and site-coded geolocation service.

    Configure using configGeolocateService(geoLocatePlus), which activates [.RUNTIME]GEOLOCATEPLUS.JS, used to provide the site-coded geolocation service.

Installation

Installation is relatively straightforward.

  • Obtain the kit from
    http://wasd.vsm.com.au/wasd/
  • The source, objects, and JavaScript should be UNZIPed.
    $ SET DEFAULT WASD_ROOT:[000000]
    $ UNZIP <location>:INTRUSPECTnnn.ZIP
    $ UNZIP <location>:INTRUSPECTnnn-<platform>.ZIP
    
  • Note that this performs a link-only build against the supplied object modules. Compilation is also available (just remove the LINK parameter).
    $ SET DEFAULT [.INTRUSPECT]
    $ @BUILD_INTRUSPECT LINK
    
  • Copy the application executable to the script location. For WASD this will be as follows:
    $ COPY WASD_EXE:INTRUSPECT.EXE CGI_EXE:
    

    OSU requires use of the INTRUSPECT.COM wrapper procedure.

  • Configure the application.

  • Edit the system startup to make the installed image and any logical name(s) persistent. The image is installed with SECURITY and SYSPRV privileges, so the executable and its directory must not be writable by unprivileged users.
    $ INSTALL ADD CGI-BIN:[000000]INTRUSPECT.EXE /PRIVILEGE=(SECURITY,SYSPRV)
    

    The example INTRUSPECT_STARTUP.COM can assist with this.

Update

An update follows the above installation steps, generally without the need to configure the application or modify the startup procedures (though check the release notes for any modification requirements). Instead ...

  • INSTALL the new image
    $ INSTALL REPLACE CGI-BIN:[000000]INTRUSPECT.EXE
    

And remember that the more recent JavaScript will need to be (re)loaded into browsers (perhaps requiring browser cache clearing) and that a WASD CGIplus/WebSocket application will require any currently instantiated processes flushed with $ HTTPD/DO=DCL=DELETE (caution! - peremptorily removes all script processes).

Configuration

JavaScript and other resources located in the [.RUNTIME] subdirectory of the source code must be available to INTRUspect. These must be mapped into application web-space. For WASD this will be using a WASD_CONFIG_MAP rule similar to the following:

pass /intruspect/-/* /wasd_root/src/intruspect/runtime/*

WASD WebSocket access requires CGIplus. The script internally ensures this for the standard script activation path but this can also be implemented using a mapping rule.

redirect /cgi-bin/intruspect* ///cgiplus-bin/intruspect*
pass /intruspect/-/* /wasd_root/src/intruspect/runtime/*
...
exec+ /cgiplus-bin/* /cgi-bin/*

The script must be subject to authorisation or INTRUspect aborts. For WASD an authorisation rule such as the following might be used.

# WASD_CONFIG_AUTH
["System Admin"=SYSADMIN=ID]
/cgi*-bin/intruspect* r+w,https:

At the time of writing (early 2017) only some browsers (Chrome, Firefox and MSIE; not Opera or Safari) implement HTTP authorisation over WebSocket. WASD users employing WebSocket with authorisation currently need to disable WebSocket for all browsers other than these.

To disable WebSocket for all but selected user-agents define a multi-valued logical name with zero followed by values containing unique strings found in capable user-agent strings.

$ DEFINE /SYSTEM INTRUSPECT_WEBSOCKET 0,"Chrome","Firefox","MSIE"

Disabling WebSocket adds a little latency and server overhead to some actions but does not affect overall functionality.

Example Apache Config

Assumes APACHE$COMMON:[INTRUSPECT] and APACHE$COMMON:[CGI-BIN]INTRUSPECT.EXE.

Alias /intruspect/-/ "/apache$common/intruspect/runtime/"

<Location /cgi-bin/intruspect>
# Basic authentication sends the password merely base64-encoded; serve this
# location over HTTPS only (the WASD rule above requires https: for the same reason).
AuthType Basic
AuthName "OpenVMS authentication"
AuthUserOpenVMS On
require valid-user
</Location>

Intrusion Database

Very large intrusion databases can be expensive to process and transfer to the client. These are quite rare. There is a default limit of 250 records after which INTRUspect stops further record processing and alerts the client. The effective limit depends on the processing power of the server system and the network available between server and client. The actual limit may be adjusted up or down using the configRecordsMax(integer) configuration function.

Configuration File

The logical name INTRUSPECT_CONFIG locates the configuration file. It needs to be SYSTEM accessible.

$ DEFINE /SYSTEM INTRUSPECT_CONFIG HERE:[IT.IS]INTRUSPECT.CONF

The file name can be anything but the content must be legal JavaScript. The content is incorporated into the client infrastructure and then executed (JavaScript interpreted) to provide any site configuration required. All configuration is performed by calling a JavaScript function with appropriate parameter(s). Because the file is executed as script in every administrator's browser, it must be writable only by trusted accounts.

  Function                    Description                                                   Parameter(s)                                        Default
  configDeletedSecs()         seconds a (manually) deleted record is highlighted            <integer>                                           30
  configDeltaSecs()           seconds a record with increasing count is highlighted         <integer>                                           30
  configHistorySecs()         seconds an expired record remains visible (when Purge is checked)   <integer>                                    120
  configFadingSecs()          seconds an expired record is highlighted before removal       <integer>                                           15
  configForceXHR()            force (WASD) to use XHR rather than WebSocket                 <boolean>                                           false
  configGeolocateService()    function to use for geolocation                               geoLocateFreeGeo | geoLocateIpApi | geoLocatePlus   geoLocateFreeGeo
  configGeolocateFreeGeoIp()  host of the freegeoip service (see Geolocation)               <string>                                            freegeoip.net
  configNotifySecs()          seconds a new record is highlighted                           <integer>                                           30
  configRecordsMax()          maximum intrusion records processed                           <integer>                                           250
  configUpdateSecs()          interval (seconds) at which the server supplies intrusion data   <integer>                                        2

JavaScript is used directly to maximise flexibility. An error in configuration (JavaScript) will be reported in a browser alert and INTRUspect will continue to initialise (sans the broken configuration).

NOTE: The configuration file is only read at the activation of the INTRUspect executable. When using CGIplus/WebSocket the script instance would need to be deleted to load another configuration.
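Since a configuration error is only discovered when a browser loads the script, the following added JavaScript example (not part of the INTRUspect kit) checks a configuration file offline before it is put behind INTRUSPECT_CONFIG. It runs the file inside a Function whose only visible names are the documented configuration functions and the geoLocate* service symbols, records each call, and type-checks the arguments against the table above. The argument types and the default host for configGeolocateFreeGeoIp() are taken from the text; the sample configurations are constructed. It is a lint for administrators, not a sandbox: the real file executes with full access in every viewer's browser.

```javascript
// Added example, not part of the INTRUspect kit: offline checker for an
// INTRUSPECT_CONFIG file.  Assumptions: argument types as in the table above;
// the freegeoip host defaults to the public freegeoip.net service.
const SERVICES = ['geoLocateFreeGeo', 'geoLocateIpApi', 'geoLocatePlus'];

// Documented configuration functions, their argument type and default.
const SCHEMA = {
  configDeletedSecs:        { type: 'integer', dflt: 30 },
  configDeltaSecs:          { type: 'integer', dflt: 30 },
  configHistorySecs:        { type: 'integer', dflt: 120 },
  configFadingSecs:         { type: 'integer', dflt: 15 },
  configNotifySecs:         { type: 'integer', dflt: 30 },
  configRecordsMax:         { type: 'integer', dflt: 250 },
  configUpdateSecs:         { type: 'integer', dflt: 2 },
  configForceXHR:           { type: 'boolean', dflt: false },
  configGeolocateService:   { type: 'service', dflt: 'geoLocateFreeGeo' },
  configGeolocateFreeGeoIp: { type: 'string',  dflt: 'freegeoip.net' },
};

function validArg(type, v) {
  if (type === 'integer') return Number.isInteger(v) && v >= 0;
  if (type === 'boolean') return typeof v === 'boolean';
  if (type === 'string')  return typeof v === 'string' && v.length > 0;
  if (type === 'service') return SERVICES.includes(v);
  return false;
}

// Returns { ok, settings, errors }.  settings starts from the defaults and is
// overwritten by every well-formed call; errors collects bad arguments, calls
// to unknown functions (ReferenceError) and syntax errors (SyntaxError).
function checkIntruspectConfig(text) {
  const settings = Object.fromEntries(
    Object.entries(SCHEMA).map(([name, s]) => [name, s.dflt]));
  const errors = [];
  const names = [...Object.keys(SCHEMA), ...SERVICES];
  const values = [
    ...Object.entries(SCHEMA).map(([name, s]) => (...args) => {
      if (args.length !== 1 || !validArg(s.type, args[0])) {
        errors.push(`${name}: expected one ${s.type} argument, got ${JSON.stringify(args)}`);
        return;
      }
      settings[name] = args[0];
    }),
    ...SERVICES,   // the service symbols evaluate to their own names
  ];
  try {
    // Compilation raises SyntaxError; execution raises ReferenceError for
    // any identifier that is not a documented configuration name.
    new Function(...names, `"use strict";\n${text}`)(...values);
  } catch (e) {
    errors.push(`${e.name}: ${e.message}`);
  }
  return { ok: errors.length === 0, settings, errors };
}

// Constructed sample configurations (not from any real site).
const SAMPLE_GOOD = `
// site configuration for INTRUspect
configGeolocateService(geoLocateIpApi);   // avoid the freegeoip quota
configRecordsMax(500);                    // fast server, good network
configHistorySecs(600);                   // keep expired entries ten minutes
configForceXHR(true);                     // no WebSocket on this site
`;

const SAMPLE_BAD_ARG = `
configRecordsMax("lots");     // must be an integer
configNotifySeconds(60);      // no such function
`;

const SAMPLE_SYNTAX = 'configUpdateSecs(2;';   // missing parenthesis
```

checkIntruspectConfig(SAMPLE_GOOD) reports ok with the four overridden settings; the other two samples report the bad argument, the unknown function and the syntax error respectively, leaving the affected settings at their defaults, which is the same outcome INTRUspect itself produces when it alerts on a broken configuration and continues with the defaults.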

Problems?

  • With the INTRUspect kit ... Mark.Daniel@wasd.vsm.com.au
  • The info-WASD mailing list

Releases

v1.0.0  13-FEB-2017
•  initial