rs3gw 0.2.1

High-Performance AI/HPC Object Storage Gateway powered by scirs2-io
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144

//! Security event detection via pattern matching.

use super::types::{AuditAction, AuditEvent, SecuritySeverity};
use chrono::Utc;
use std::collections::{HashMap, VecDeque};
use std::sync::Arc;
use tokio::sync::RwLock;

// Type aliases for complex types
type FailedAuthMap = Arc<RwLock<HashMap<String, VecDeque<chrono::DateTime<Utc>>>>>;
type AccessPatternMap = Arc<RwLock<HashMap<String, VecDeque<(chrono::DateTime<Utc>, String)>>>>;

/// Security event detected by the detector
#[derive(Debug, Clone)]
pub struct SecurityEvent {
    pub event_type: String,
    pub severity: SecuritySeverity,
    pub description: String,
    pub related_events: Vec<String>,
}

/// Security event detector using pattern matching
pub struct SecurityEventDetector {
    // Track failed auth attempts per IP
    failed_auth_attempts: FailedAuthMap,

    // Track unusual access patterns
    access_patterns: AccessPatternMap,
}

impl SecurityEventDetector {
    pub fn new() -> Self {
        Self {
            failed_auth_attempts: Arc::new(RwLock::new(HashMap::new())),
            access_patterns: Arc::new(RwLock::new(HashMap::new())),
        }
    }

    /// Detect security events from an audit event
    pub async fn detect(&self, event: &AuditEvent) -> Option<SecurityEvent> {
        // Detect multiple failed authentication attempts
        if event.action == AuditAction::AuthFailure {
            if let Some(ip) = &event.source_ip {
                return self.detect_brute_force(ip, event).await;
            }
        }

        // Detect privilege escalation
        if event.action == AuditAction::ModifyPermissions
            || event.action == AuditAction::PutBucketPolicy
        {
            return Some(SecurityEvent {
                event_type: "privilege_escalation_attempt".to_string(),
                severity: SecuritySeverity::High,
                description: format!("User {} attempted to modify permissions", event.actor),
                related_events: vec![event.event_id.clone()],
            });
        }

        // Detect unusual access patterns
        if matches!(
            event.action,
            AuditAction::GetObject | AuditAction::DeleteObject
        ) {
            return self.detect_unusual_access(&event.actor, event).await;
        }

        None
    }

    /// Detect brute force authentication attempts
    async fn detect_brute_force(&self, ip: &str, event: &AuditEvent) -> Option<SecurityEvent> {
        let mut attempts = self.failed_auth_attempts.write().await;
        let entry = attempts.entry(ip.to_string()).or_insert_with(VecDeque::new);

        // Add current attempt
        entry.push_back(event.timestamp);

        // Remove attempts older than 5 minutes
        let cutoff = Utc::now() - chrono::Duration::minutes(5);
        while let Some(front) = entry.front() {
            if front < &cutoff {
                entry.pop_front();
            } else {
                break;
            }
        }

        // Check if we have more than 5 failed attempts in 5 minutes
        if entry.len() >= 5 {
            return Some(SecurityEvent {
                event_type: "brute_force_attack".to_string(),
                severity: SecuritySeverity::Critical,
                description: format!("Multiple failed authentication attempts from IP {}", ip),
                related_events: vec![event.event_id.clone()],
            });
        }

        None
    }

    /// Detect unusual access patterns
    async fn detect_unusual_access(
        &self,
        actor: &str,
        event: &AuditEvent,
    ) -> Option<SecurityEvent> {
        let mut patterns = self.access_patterns.write().await;
        let entry = patterns
            .entry(actor.to_string())
            .or_insert_with(VecDeque::new);

        // Add current access
        entry.push_back((event.timestamp, event.resource.clone()));

        // Remove accesses older than 1 minute
        let cutoff = Utc::now() - chrono::Duration::minutes(1);
        while let Some((timestamp, _)) = entry.front() {
            if timestamp < &cutoff {
                entry.pop_front();
            } else {
                break;
            }
        }

        // Check if we have more than 100 accesses in 1 minute (potential data exfiltration)
        if entry.len() >= 100 {
            return Some(SecurityEvent {
                event_type: "unusual_access_pattern".to_string(),
                severity: SecuritySeverity::Medium,
                description: format!("User {} made {} accesses in 1 minute", actor, entry.len()),
                related_events: vec![event.event_id.clone()],
            });
        }

        None
    }
}

impl Default for SecurityEventDetector {
    fn default() -> Self {
        Self::new()
    }
}