• Stars
    star
    169
  • Rank 224,453 (Top 5 %)
  • Language
    Python
  • License
    GNU Affero Genera...
  • Created about 1 year ago
  • Updated 10 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

LDAP Watchdog: A real-time linux-compatible LDAP monitoring tool for detecting directory changes, providing visibility into additions, modifications, and deletions for administrators and security researchers.

LDAP Watchdog

Overview

LDAP Watchdog is a tool designed to monitor record changes in an LDAP directory in real-time. It provides a mechanism to track and visualize modifications, additions, and removals to user and group entries, allowing users to correlate expected changes with actual changes and identify potential security incidents. It was created with OpenLDAP and Linux in mind, however it may work in other implementations of LDAP. It is written in Python and only requires the ldap3 library.

If you're interesting in any of the following, then LDAP Watchdog is for you:

  • Know what's going on in your LDAP directory on-demand with Slack webhook integration.
  • See new hires, leavers, and promotions as they appear in LDAP.
  • Monitor when and what HR is doing.
  • Detect unauthorized changes in LDAP.
  • Monitor for accidentally leaked data.
  • Detect when users are logging in and out of LDAP.

In addition to monitoring for modifications, additions, and removals in an LDAP directory, it can be configured to ignore specific attributes, or even fine-tuned to ignore fine-grained attributes depending on their old/new values.

The changes that are monitored can either be forwarded to a slack webhook or output to the terminal (or both). Optional colored output is also supported.

Previously named LDAP-Stalker (because monitoring changes of an LDAP directory is an excellent way to stalk changes in a company: learn about promotions before they're announced, new hires, leavers, etc.), a blog post about the details and history of this project can be found here.

Examples (No Filtering)

Note: in the below examples, entryCSN and modifyTimestamp can be completely ignored by setting IGNORED_ATTRIBUTES = ['entryCSN', 'modifyTimestamp'].

Terminal (with color) output:

Example of the output from LDAP Watchdog

Slack output:

Example of the output from LDAP Watchdog in Slack

Features

  1. Real-time Monitoring: LDAP Watchdog continuously monitors an LDAP directory for changes in user and group entries.

  2. Change Comparison: The tool compares changes between consecutive LDAP searches, highlighting additions, modifications, and deletions.

  3. Control User Verification: LDAP Watchdog supports a control user mechanism, triggering an error if the control user's changes are not found.

  4. Flexible LDAP Filtering: Users can customize LDAP filtering using the SEARCH_FILTER parameter to focus on specific object classes or attributes.

  5. Slack Integration: Receive real-time notifications on Slack for added, modified, or deleted LDAP entries.

  6. Customizable Output: Console output provides clear and colored indications of additions, modifications, and deletions for easy visibility.

  7. Ignored Entries and Attributes: Users can specify UUIDs and attributes to be ignored during the comparison process.

  8. Conditional Ignored Attributes: Conditional filtering allows users to ignore specific attributes based on change type (additions, modifications, deletions).

Requirements

  • Python 3.
  • The ldap3 package (pip install ldap3). If using Slack a webhook, the requests package is also required (pip install requests).
  • Slack Webhook URL for notifications (optional).

Configuration

General Settings

  • CONTROL_UUID: UUID of a control user whose changes trigger an error if not found. If set, this user should always have some type of change when the LDAP directory is retrieved. At least one attribute must have changed.
  • CONTROL_USER_ATTRIBUTE: Specify a specific attribute to check for changes in the control user. If set, this attribute must have changed for the CONTROL_UUID user.
  • LDAP_SERVER: LDAP server URL.
  • BASE_DN: The base Distinguished Name for LDAP searches.
  • SEARCH_FILTER: LDAP filter for user and group entries.
  • SEARCH_ATTRIBUTE: List of attributes to retrieve during the LDAP search. ['*' '+'] is used by default to include operational attributes.
  • REFRESH_RATE: Time interval (in seconds) between consecutive LDAP searches.
  • LDAP_USERNAME: LDAP username for authentication. Leave empty for anonymous bind.
  • LDAP_PASSWORD: LDAP password for authentication. Leave empty for anonymous bind.
  • USE_SSL: Set to True to use SSL, False otherwise.
  • DISABLE_COLOR_OUTPUT: Set to True to disable color output.

Slack Integration

  • SLACK_BULLETPOINT: Bullet point used in Slack and console output.
  • SLACK_WEBHOOK: Set the Slack Webhook URL as an environment variable.

Ignored Entries and Attributes

  • IGNORED_UUIDS: List of UUIDs to be ignored during comparison.
  • IGNORED_ATTRIBUTES: List of attributes to be ignored during comparison.

Conditional Ignored Attributes

  • CONDITIONAL_IGNORED_ATTRIBUTES: Dictionary with attributes as keys and lists of values to ignore based on change type.

Example Configuration

CONTROL_UUID = 'a71c6e4c-8881-4a03-95bf-4fc25d5e6359' # The entryUUID of an entry in the directory which must always have some type of modification.
CONTROL_USER_ATTRIBUTE = '' # Specifically, if this is set, this is the attribute that must have changed.

LDAP_SERVER = 'ldaps://ldaps.intra.lan' # The LDAP(S) server.
BASE_DN = 'dc=mouse,dc=com' # The basename used by the directory.
SEARCH_FILTER = '(&(|(objectClass=inetOrgPerson)(objectClass=groupOfNames)))'
SEARCH_ATTRIBUTE = ['*', '+']  # replace with the attributes you want to retrieve

REFRESH_RATE = 60 # Refresh the directory every 60 seconds.

LDAP_USERNAME = 'Emily'
LDAP_PASSWORD = 'qwerty123'
USE_SSL = True

DISABLE_COLOR_OUTPUT = False
SLACK_BULLETPOINT = ' \u2022   ' # Prepend this to each change if sending notifications via Slack.

IGNORED_UUIDS = ['e191c564-6e6d-42c1-ae51-bda0509fe846', '8655e0d9-ecdc-46ce-ba42-1fa3dfbf5faa'] # Ignore any changes users with these UUIDs.
IGNORED_ATTRIBUTES = ['modifyTimestamp', 'phoneNumber', 'officeLocation', 'gecos'] # Ignore any modifications of these attributes. 

CONDITIONAL_IGNORED_ATTRIBUTES = {
  'objectClass': ['posixAccount'], # Ignore changes to the objectClass attribute if the new or old value is posixAccount.
  'memberOf': ['cn=mailing-list-user,ou=Accessgroups,dc=mouse,dc=com', 'cn=interns,ou=Accessgroups,dc=mouse,dc=com'], # Ignore changes to the memberOf attribute if the new or old value is either "cn=mailing-list-user,ou=Accessgroups,dc=mouse,dc=com" or "cn=interns,ou=Accessgroups,dc=mouse,dc=com".
  'organizationalStatus': ['researcher'], # Ignore changes to the organizationalStatus attribute if the new or old value is 'researcher'.
}

SLACK_WEBHOOK = os.getenv('SLACK_WEBHOOK_URL') # Use a Slack webhook, and retrieve it from the environmental value.

Usage

  1. Set the required configuration in the script.
  2. Run the script using python3 ldap-watchdog.py.

The script will continuously monitor the LDAP directory, compare changes, and report them to both the console and Slack.

Note: Ensure that the necessary libraries are installed (ldap3, and requests if using a Slack webhook) and that you have the required permissions to access the LDAP server.

Installation

In addition to running the script manually, a small debian-based installation script install.sh is provided which when run as root, will install a systemd service to run the script in the background and log the output. The script is installed as /usr/local/bin/ldap-watchdog.py, logs are stored in /var/log/ldap-watchdog.log and /var/log/ldap-watchdog-error.log, and a logrotate configuration file is created in /etc/logrotate.d/ldap-watchdog.

An optional first parameter of the installation script can define the SLACK_WEBHOOK_URL environmental variable:

$ sudo ./install.sh "https://hooks.slack.com/services/[...]"
ldap-watchdog has been installed, the service is started, and log rotation is set up.

Limitations

  1. The CONDITIONAL_IGNORED_ATTRIBUTES configuration may unfortunately hide important changes that are not intended to be hidden. This may happen if an attribute has a single value which is changed. This is because CONDITIONAL_IGNORED_ATTRIBUTES will hide changes to the attribute both when the value is changed to as well as from the ignored value; for example, if a user is a memberOf cn=mailing-list-user,ou=Accessgroups,dc=mouse,dc=com which gets changed to cn=super-administrator,ou=Accessgroups,dc=mouse,dc=com, it will be missed.
  2. Similar to #1, there is no real way to determine whether a change is really a change in some cases, or a removal and then addition in the same time. In theory, it doesn't really matter, however it's important to note.

License

This project is licensed under GPL3.0.

More Repositories

1

SSH-Snake

SSH-Snake is a self-propagating, self-replicating, file-less script that automates the post-exploitation task of SSH private key and host discovery.
Shell
1,954
star
2

Squid-Security-Audit

A detailed repository of vulnerabilities that I discovered in The Squid Caching Proxy.
20
star
3

AFLplusplus-Parallel-Gen

Generate and execute fuzzing campaign commands for AFL++ based on the recommended multi-core secondary fuzzer options.
Python
8
star
4

awk-compare

Compare awk versions side-by-side online with webassembly-compiled awk.
JavaScript
3
star
5

body

Print the middle lines of files. It's not cat, tail, or head: it's body.
Shell
2
star
6

SEC-Feed-Parser

Parse and understand SEC data from EDGAR.
Python
2
star
7

SEC-sec-incident-notifier

Automated discovery and AI-enhanced summarizing of 8-K Item 1.05 filings, with seamless Slack Webhook integration to ensure timely awareness of security incidents reported to the U.S. Securities and Exchange Commission.
Python
2
star
8

CCBot

Python3 script to periodically check and parse https://chromereleases.googleblog.com/ for any vulnerability announcements for Chrome/Chromium Desktop.
Python
1
star
9

RS-Account-Checker

An account checker/cracker for Runescape.
C
1
star
10

N2L

Historical URN Resolution (RFC 2141 and RFC 2169) Perl Script N2L and hdlres.c
Perl
1
star
11

privoxy

A heavily edited version of Privoxy intended for fuzzing.
1
star
12

captive-portal-unbinder

A shell script which automatically handles resolution of public-wifi captive portals, for whitelisting purposes on systems with restricted DNS/port-53 connection.
Shell
1
star