zoukankan      html  css  js  c++  java
  • 审计系统---堡垒机项目之表结构设计

    【更多参考】 https://github.com/317828332/CrazyEye

    缺点: 界面丑陋,

              只能追踪命令,命令的解析还不是很完善,不能明了的展示

              对于文件的上传[rz],下载[sz]的内容无法跟踪[可以限制cityhunter用户不能使用这2个命令]。 vim里面的文件可以跟踪,但是跟踪并不完善[或者上传的文件上传到堡垒机,然后堡垒上传到指点服务器,此时堡垒机也会有留档,方便后期排查]。

              对于跟踪的用户,目前只能特定是omc,后面可以更改Py代码进行修改,判断登录的用户后传递用户过去,然后根据用户登录,

              暂未完成批量的处理

    优点:free

    堡垒机项目之表结构设计

    settings.py

    INSTALLED_APPS = [
       ...
     'app01',   # 注册app
    ]
    MIDDLEWARE = [
    ...
    # 'django.middleware.csrf.CsrfViewMiddleware',
          ...
    ]
    ALLOWED_HOSTS = ["*"]    # Linux下启动用0.0.0.0 添加访问的host即可在Win7下访问
    
    STATICFILES_DIRS = (os.path.join(BASE_DIR, "statics"),)  # 现添加的配置,这里是元组,注意逗号
    TEMPLATES = [
       ...
       'DIRS': [os.path.join(BASE_DIR, 'templates')],
    ]
    # 自定义账户生效
    AUTH_USER_MODEL = "app01.UserProfile"   # app名.表名
    
    # 监测脚本
    SESSION_TRACKER_SCRIPT = "%s/backend/session_trackor.sh" %BASE_DIR
    AUDIT_LOG_PATH = "%s/logs/audit" % BASE_DIR

    admin.py

    from django.contrib import admin
    from django import forms
    from django.contrib.auth.models import Group
    from django.contrib.auth.admin import UserAdmin as BaseUserAdmin
    from django.contrib.auth.forms import ReadOnlyPasswordHashField
    
    from app01 import models
    class UserCreationForm(forms.ModelForm):
        """A form for creating new users. Includes all the required
        fields, plus a repeated password."""
        password1 = forms.CharField(label='Password', widget=forms.PasswordInput)
        password2 = forms.CharField(label='Password confirmation', widget=forms.PasswordInput)
    
        class Meta:
            model = models.UserProfile
            fields = ('email', 'name')
    
        def clean_password2(self):
            # Check that the two password entries match
            password1 = self.cleaned_data.get("password1")
            password2 = self.cleaned_data.get("password2")
            if password1 and password2 and password1 != password2:
                raise forms.ValidationError("Passwords don't match")
            return password2
    
        def save(self, commit=True):
            # Save the provided password in hashed format
            user = super(UserCreationForm, self).save(commit=False)
            user.set_password(self.cleaned_data["password1"])
            if commit:
                user.save()
            return user
    
    
    class UserChangeForm(forms.ModelForm):
        """A form for updating users. Includes all the fields on
        the user, but replaces the password field with admin's
        password hash display field.
        """
        password = ReadOnlyPasswordHashField()
    
        class Meta:
            model = models.UserProfile
            fields = ('email', 'password', 'name', 'is_active', 'is_superuser')
    
        def clean_password(self):
            # Regardless of what the user provides, return the initial value.
            # This is done here, rather than on the field, because the
            # field does not have access to the initial value
            return self.initial["password"]
    
    
    class UserProfileAdmin(BaseUserAdmin):
        # The forms to add and change user instances
        form = UserChangeForm
        add_form = UserCreationForm
    
        # The fields to be used in displaying the User model.
        # These override the definitions on the base UserAdmin
        # that reference specific fields on auth.User.
        list_display = ('email', 'name', "is_active", 'is_superuser')
        list_filter = ('is_superuser',) # 不添加会报错,因为BaseAdmin里面有一个list_filter字段,不覆盖会报错
        fieldsets = (
            (None, {'fields': ('email', 'password')}),
            ('Personal', {'fields': ('name',)}),
            ('Permissions', {'fields': ('is_superuser',"is_active","bind_hosts","host_groups","user_permissions","groups")}),
        )
        # add_fieldsets is not a standard ModelAdmin attribute. UserAdmin
        # overrides get_fieldsets to use this attribute when creating a user.
        add_fieldsets = (
            (None, {
                'classes': ('wide',),
                'fields': ('email', 'name', 'password1', 'password2')}
            ),
        )
        search_fields = ('email',)
        ordering = ('email',)
        filter_horizontal = ("bind_hosts","host_groups","user_permissions","groups")
    
    
    class HostUserAdmin(admin.ModelAdmin):
        list_display = ('username','auth_type','password')
    
    class SessionLogAdmin(admin.ModelAdmin):
        list_display = ('id','session_tag','user','bind_host','date')
    
    
    admin.site.register(models.UserProfile, UserProfileAdmin)
    admin.site.register(models.Host)
    admin.site.register(models.HostGroup)
    admin.site.register(models.HostUser,HostUserAdmin)
    admin.site.register(models.BindHost)
    admin.site.register(models.IDC)
    admin.site.register(models.SessionLog,SessionLogAdmin)

    models.py

    from django.db import models
    from django.contrib.auth.models import (
        BaseUserManager, AbstractBaseUser,PermissionsMixin
    )
    from django.utils.translation import ugettext_lazy as _
    from django.utils.safestring import mark_safe
    # Create your models here.
    
    
    class Host(models.Model):
        """主机信息"""
        hostname = models.CharField(max_length=64)
        ip_addr = models.GenericIPAddressField(unique=True)
        port = models.PositiveIntegerField(default=22)
        idc = models.ForeignKey("IDC", on_delete=True)
        enabled = models.BooleanField(default=True)
    
    
        def __str__(self):
            return "%s(%s)"%(self.hostname,self.ip_addr)
    
    
    class IDC(models.Model):
        """机房信息"""
        name = models.CharField(max_length=64,unique=True)
        def __str__(self):
            return self.name
    
    class HostGroup(models.Model):
        """主机组"""
        name = models.CharField(max_length=64,unique=True)
        bind_hosts = models.ManyToManyField("BindHost",blank=True,)
    
        def __str__(self):
            return self.name
    
    
    class UserProfileManager(BaseUserManager):
        def create_user(self, email, name, password=None):
            """
            Creates and saves a User with the given email, date of
            birth and password.
            """
            if not email:
                raise ValueError('Users must have an email address')
    
            user = self.model(
                email=self.normalize_email(email),
                name=name,
            )
    
            user.set_password(password)
            self.is_active = True
            user.save(using=self._db)
            return user
    
        def create_superuser(self,email, name, password):
            """
            Creates and saves a superuser with the given email, date of
            birth and password.
            """
            user = self.create_user(
                email,
                password=password,
                name=name,
            )
            user.is_active = True
            user.is_superuser = True
            #user.is_admin = True
            user.save(using=self._db)
            return user
    
    
    class UserProfile(AbstractBaseUser,PermissionsMixin):
        """堡垒机账号"""
        email = models.EmailField(
            verbose_name='email address',
            max_length=255,
            unique=True,
            null=True
        )
        password = models.CharField(_('password'), max_length=128,
                                    help_text=mark_safe('''<a href='password/'>修改密码</a>'''))
        name = models.CharField(max_length=32)
        is_active = models.BooleanField(default=True)
        #is_admin = models.BooleanField(default=False)
    
        bind_hosts = models.ManyToManyField("BindHost",blank=True)
        host_groups = models.ManyToManyField("HostGroup",blank=True)
    
        objects = UserProfileManager()
    
        USERNAME_FIELD = 'email'
        REQUIRED_FIELDS = ['name']
    
        def get_full_name(self):
            # The user is identified by their email address
            return self.email
    
        def get_short_name(self):
            # The user is identified by their email address
            return self.email
    
        def __str__(self):              # __unicode__ on Python 2
            return self.email  
        @property
        def is_staff(self):
            "Is the user a member of staff?"
            # Simplest possible answer: All admins are staff
            return self.is_active
    
    class HostUser(models.Model):
        """主机登录账户"""
        auth_type_choices = ((0,'ssh-password'),(1,'ssh-key'))
        auth_type = models.SmallIntegerField(choices=auth_type_choices,default=0)
        username = models.CharField(max_length=64)
        password = models.CharField(max_length=128,blank=True,null=True)
        def __str__(self):
            return "%s:%s" %(self.username,self.password)
        class Meta:
            unique_together = ('auth_type','username','password')
    
    class BindHost(models.Model):
        """绑定主机和主机账号"""
        host = models.ForeignKey("Host", on_delete=True)
        host_user = models.ForeignKey("HostUser", on_delete=True)
        def __str__(self):
            return "%s@%s"%(self.host,self.host_user)
    
        class Meta:
            unique_together = ('host', 'host_user')
    class SessionLog(models.Model):
        """存储session日志"""
        # 堡垒机用户  主机信息   唯一标示
        user = models.ForeignKey("UserProfile", on_delete=True)
        bind_host = models.ForeignKey("BindHost", on_delete=True)
        session_tag = models.CharField(max_length=128,unique=True)
        date = models.DateTimeField(auto_now_add=True)
    
        def __str__(self):
            return self.session_tag

    更改db文件的权限,方便sessioni日志的记录

    omc@omc-virtual-machine:~$  cd CityHunter/
    omc@omc-virtual-machine:~$  chmod 777 db.sqlite3  【更改文件属组为cityhunber也可以】

    image

    templates/index.html

         无

    页面显示;

    image

    image

    初始化数据库

      python manage.py makemigrations
      python manage.py migrate

    创建超级用户

    python manage.py createsuperuser

    image

    问题记录:

    1. 自定义账户生效:

      models.py

              class UserProfile(AbstractBaseUser,PermissionsMixin):

      settings.py

           # 自定义账户生效

            AUTH_USER_MODEL = "app01.UserProfile"   # app名.表名

            user.is_superuser = True   # 在用户管理界面更改is_superuser=true解决

    2. Superuser用户登陆后无操作权限

    image

    class UserProfileManager(BaseUserManager):
            user.is_active = True
    user.is_superuser = True

    3.

    问题现象:

    image

    问题解决:

    image

  • 相关阅读:
    递归实现随机数不重复问题
    今天写的一个工厂工具类
    Win7 x64 IIS运行ASP+Access故障完美解决方法(转)
    li中,标题和日期一排,且日期靠右
    [学习笔记] extends implements 的区别与联系 [转载]
    [学习笔记] vim使用大全 [转]
    MidPoint Displacement for Terrain Rendering
    CryEngine3 打造另一个真实世界
    Hello C++ AMP!
    DetailMap For Terrain Rendering
  • 原文地址:https://www.cnblogs.com/ftl1012/p/9458964.html
Copyright © 2011-2022 走看看