審計系統---堡壘機項目之表結構設計

【更多參考】 https://github.com/317828332/CrazyEye

缺點： 界面醜陋，

          只能追蹤命令，命令的解析還不是很完善，不能明瞭的展現

          對於文件的上傳[rz]，下載[sz]的內容沒法跟蹤[能夠限制cityhunter用戶不能使用這2個命令]。 vim裏面的文件能夠跟蹤，可是跟蹤並不完善[或者上傳的文件上傳到堡壘機，而後堡壘上傳到指點服務器，此時堡壘機也會有留檔，方便後期排查]。

          對於跟蹤的用戶，目前只能特定是omc，後面能夠更改Py代碼進行修改，判斷登陸的用戶後傳遞用戶過去，而後根據用戶登陸，

          暫未完成批量的處理

優勢：free

堡壘機項目之表結構設計

settings.py

INSTALLED_APPS = [
   ...
 'app01',   # 註冊app
]
MIDDLEWARE = [
...
# 'django.middleware.csrf.CsrfViewMiddleware',
      ...
]
ALLOWED_HOSTS = ["*"]    # Linux下啓動用0.0.0.0 添加訪問的host便可在Win7下訪問

STATICFILES_DIRS = (os.path.join(BASE_DIR, "statics"),)  # 現添加的配置,這裏是元組，注意逗號
TEMPLATES = [
   ...
   'DIRS': [os.path.join(BASE_DIR, 'templates')],
]
# 自定義帳戶生效
AUTH_USER_MODEL = "app01.UserProfile"   # app名.表名

# 監測腳本
SESSION_TRACKER_SCRIPT = "%s/backend/session_trackor.sh" %BASE_DIR
AUDIT_LOG_PATH = "%s/logs/audit" % BASE_DIR

admin.py

from django.contrib import admin
from django import forms
from django.contrib.auth.models import Group
from django.contrib.auth.admin import UserAdmin as BaseUserAdmin
from django.contrib.auth.forms import ReadOnlyPasswordHashField

from app01 import models
class UserCreationForm(forms.ModelForm):
    """A form for creating new users. Includes all the required
    fields, plus a repeated password."""
    password1 = forms.CharField(label='Password', widget=forms.PasswordInput)
    password2 = forms.CharField(label='Password confirmation', widget=forms.PasswordInput)

    class Meta:
        model = models.UserProfile
        fields = ('email', 'name')

    def clean_password2(self):
        # Check that the two password entries match
        password1 = self.cleaned_data.get("password1")
        password2 = self.cleaned_data.get("password2")
        if password1 and password2 and password1 != password2:
            raise forms.ValidationError("Passwords don't match")
        return password2

    def save(self, commit=True):
        # Save the provided password in hashed format
        user = super(UserCreationForm, self).save(commit=False)
        user.set_password(self.cleaned_data["password1"])
        if commit:
            user.save()
        return user


class UserChangeForm(forms.ModelForm):
    """A form for updating users. Includes all the fields on
    the user, but replaces the password field with admin's
    password hash display field.
    """
    password = ReadOnlyPasswordHashField()

    class Meta:
        model = models.UserProfile
        fields = ('email', 'password', 'name', 'is_active', 'is_superuser')

    def clean_password(self):
        # Regardless of what the user provides, return the initial value.
        # This is done here, rather than on the field, because the
        # field does not have access to the initial value
        return self.initial["password"]


class UserProfileAdmin(BaseUserAdmin):
    # The forms to add and change user instances
    form = UserChangeForm
    add_form = UserCreationForm

    # The fields to be used in displaying the User model.
    # These override the definitions on the base UserAdmin
    # that reference specific fields on auth.User.
    list_display = ('email', 'name', "is_active", 'is_superuser')
    list_filter = ('is_superuser',) # 不添加會報錯，由於BaseAdmin裏面有一個list_filter字段，不覆蓋會報錯
    fieldsets = (
        (None, {'fields': ('email', 'password')}),
        ('Personal', {'fields': ('name',)}),
        ('Permissions', {'fields': ('is_superuser',"is_active","bind_hosts","host_groups","user_permissions","groups")}),
    )
    # add_fieldsets is not a standard ModelAdmin attribute. UserAdmin
    # overrides get_fieldsets to use this attribute when creating a user.
    add_fieldsets = (
        (None, {
            'classes': ('wide',),
            'fields': ('email', 'name', 'password1', 'password2')}
        ),
    )
    search_fields = ('email',)
    ordering = ('email',)
    filter_horizontal = ("bind_hosts","host_groups","user_permissions","groups")


class HostUserAdmin(admin.ModelAdmin):
    list_display = ('username','auth_type','password')

class SessionLogAdmin(admin.ModelAdmin):
    list_display = ('id','session_tag','user','bind_host','date')


admin.site.register(models.UserProfile, UserProfileAdmin)
admin.site.register(models.Host)
admin.site.register(models.HostGroup)
admin.site.register(models.HostUser,HostUserAdmin)
admin.site.register(models.BindHost)
admin.site.register(models.IDC)
admin.site.register(models.SessionLog,SessionLogAdmin)

models.py

from django.db import models
from django.contrib.auth.models import (
    BaseUserManager, AbstractBaseUser,PermissionsMixin
)
from django.utils.translation import ugettext_lazy as _
from django.utils.safestring import mark_safe
# Create your models here.


class Host(models.Model):
    """主機信息"""
    hostname = models.CharField(max_length=64)
    ip_addr = models.GenericIPAddressField(unique=True)
    port = models.PositiveIntegerField(default=22)
    idc = models.ForeignKey("IDC", on_delete=True)
    enabled = models.BooleanField(default=True)


    def __str__(self):
        return "%s(%s)"%(self.hostname,self.ip_addr)


class IDC(models.Model):
    """機房信息"""
    name = models.CharField(max_length=64,unique=True)
    def __str__(self):
        return self.name

class HostGroup(models.Model):
    """主機組"""
    name = models.CharField(max_length=64,unique=True)
    bind_hosts = models.ManyToManyField("BindHost",blank=True,)

    def __str__(self):
        return self.name


class UserProfileManager(BaseUserManager):
    def create_user(self, email, name, password=None):
        """
        Creates and saves a User with the given email, date of
        birth and password.
        """
        if not email:
            raise ValueError('Users must have an email address')

        user = self.model(
            email=self.normalize_email(email),
            name=name,
        )

        user.set_password(password)
        self.is_active = True
        user.save(using=self._db)
        return user

    def create_superuser(self,email, name, password):
        """
        Creates and saves a superuser with the given email, date of
        birth and password.
        """
        user = self.create_user(
            email,
            password=password,
            name=name,
        )
        user.is_active = True
        user.is_superuser = True
        #user.is_admin = True
        user.save(using=self._db)
        return user


class UserProfile(AbstractBaseUser,PermissionsMixin):
    """堡壘機帳號"""
    email = models.EmailField(
        verbose_name='email address',
        max_length=255,
        unique=True,
        null=True
    )
    password = models.CharField(_('password'), max_length=128,
                                help_text=mark_safe('''<a href='password/'>修改密碼</a>'''))
    name = models.CharField(max_length=32)
    is_active = models.BooleanField(default=True)
    #is_admin = models.BooleanField(default=False)

    bind_hosts = models.ManyToManyField("BindHost",blank=True)
    host_groups = models.ManyToManyField("HostGroup",blank=True)

    objects = UserProfileManager()

    USERNAME_FIELD = 'email'
    REQUIRED_FIELDS = ['name']

    def get_full_name(self):
        # The user is identified by their email address
        return self.email

    def get_short_name(self):
        # The user is identified by their email address
        return self.email

    def __str__(self):              # __unicode__ on Python 2
        return self.email  
    @property
    def is_staff(self):
        "Is the user a member of staff?"
        # Simplest possible answer: All admins are staff
        return self.is_active

class HostUser(models.Model):
    """主機登陸帳戶"""
    auth_type_choices = ((0,'ssh-password'),(1,'ssh-key'))
    auth_type = models.SmallIntegerField(choices=auth_type_choices,default=0)
    username = models.CharField(max_length=64)
    password = models.CharField(max_length=128,blank=True,null=True)
    def __str__(self):
        return "%s:%s" %(self.username,self.password)
    class Meta:
        unique_together = ('auth_type','username','password')

class BindHost(models.Model):
    """綁定主機和主機帳號"""
    host = models.ForeignKey("Host", on_delete=True)
    host_user = models.ForeignKey("HostUser", on_delete=True)
    def __str__(self):
        return "%s@%s"%(self.host,self.host_user)

    class Meta:
        unique_together = ('host', 'host_user')
class SessionLog(models.Model):
    """存儲session日誌"""
    # 堡壘機用戶  主機信息   惟一標示
    user = models.ForeignKey("UserProfile", on_delete=True)
    bind_host = models.ForeignKey("BindHost", on_delete=True)
    session_tag = models.CharField(max_length=128,unique=True)
    date = models.DateTimeField(auto_now_add=True)

    def __str__(self):
        return self.session_tag

更改db文件的權限，方便sessioni日誌的記錄

omc@omc-virtual-machine:~$  cd CityHunter/
omc@omc-virtual-machine:~$  chmod 777 db.sqlite3  【更改文件屬組爲cityhunber也能夠】

templates/index.html

     無

頁面顯示；

初始化數據庫

  python manage.py makemigrations
  python manage.py migrate

建立超級用戶

python manage.py createsuperuser

問題記錄：

1. 自定義帳戶生效：

  models.py

          class UserProfile(AbstractBaseUser,PermissionsMixin):

  settings.py

       # 自定義帳戶生效

        AUTH_USER_MODEL = "app01.UserProfile"   # app名.表名

        user.is_superuser = True   # 在用戶管理界面更改is_superuser=true解決

2. Superuser用戶登錄後無操做權限

class UserProfileManager(BaseUserManager):
        user.is_active = True
user.is_superuser = True

3.

問題現象：

問題解決：