
Template school jumpserver security operation and maintenance audit screen

2022-07-23 09:07:00 Fit2cloud flying cloud

On June 21, 2022, DataEase, the open source data visualization and analysis platform, released its Template Market (https://dataease.io/templates/). The Template Market is designed to give DataEase users professional, attractive, ready-to-use dashboard templates, so that users can pick the dashboard template that matches their business needs and usage scenario and then build their own dashboard on top of a high-quality template with little effort.

Starting in July 2022, we will share the selected templates of each month together with an application tutorial for them, and at the same time keep users up to date on what is new in the DataEase Template Market.

Selected template for July

The selected template recommended this month is the JumpServer security operation and maintenance audit screen.

JumpServer is the open source bastion host from FIT2CLOUD (Feizhiyun). It is the world's first fully open source operation and maintenance security audit system that conforms to the 4A standard. The JumpServer security operation and maintenance audit screen presents IT operation and maintenance data indicators visually, so that business staff can take in operation and maintenance statistics at a glance. This strengthens operation and maintenance security control and regular operation and maintenance audits, improves day-to-day operations, and makes the work more efficient.

  1. Large screen information

■ Product version numbers: the JumpServer open source bastion host is based on version v2.20.2, and the DataEase open source data visualization and analysis platform is based on version v1.11.1.

■ Based on the usage scenarios and the intended audience of the security operation and maintenance audit screen, a total of 11 indicators were designed. The specific indicators are as follows:

[Figure]

  2. Large screen display

[Figure]

Template application

Next, we explain in detail how to apply the security operation and maintenance audit large screen template.

  1. Template download

First, go to the DataEase Template Market homepage and find the operation and maintenance security audit screen. The address of the Template Market is:
https://dataease.io/templates/. To find a template quickly, use the keyword search or switch between categories; this lets you locate the large screen template you want in a few clicks.

[Figure]

Click the "Operation and maintenance security audit screen" dashboard template to open its details page. Click the "Download" button to save the template locally.

[Figure]

  2. Template import

In your own DataEase system, open the "Dashboard" module, use "Import template" as shown in the figure below to create a new dashboard, click the "Upload template" button, and choose the template file of the operation and maintenance security audit screen that you downloaded from the Template Market.

[Figure]

After the import succeeds, as shown in the figure below, the template's components, styles, background and dashboard data are all brought into the new dashboard.

[Figure]

Alternatively, you can upload the template to the "Template Management" function module of DataEase and then select the "Reuse template" option when creating a new dashboard.

[Figure]

  3. Access data sources

DataEase supports many databases as data sources. JumpServer uses a MySQL database, so enter the connection details of that database here to create the data source.

[Figure]

  4. Add dataset

In the "Datasets" design module, select the database added in the previous step from the data source, choose the corresponding tables in that database as datasets, and set the synchronization mode. At this point you need to know which data each table holds so that you can add the matching data.

The datasets added here are SQL datasets. For the specific steps, refer to the DataEase official documentation:
https://dataease.io/docs/user_manual/dataset_configuration/dataset_SQL/.

The following figure is a screenshot of all the datasets involved.

[Figure]

The SQL statements used by each dataset are as follows:

① Online sessions

■ Indicator description: query the number of sessions currently in progress.

■ Indicator definition: the total number of current sessions that have not yet ended.

■ SQL statement:

select count(1) 'Number of online sessions'
from terminal_session
where is_finished = false

② Total users

■ Indicator description: query the total number of users.

■ Indicator definition: the total number of users whose role is not one used internally by the system.

■ SQL statement:

select count(*) 'Total users'
from users_user
where role <> 'App'

③ Total assets

■ Indicator description: query the number of assets across all organizations.

■ Indicator definition: the current total number of assets.

■ SQL statement:

select count(1) 'Total assets'
from assets_asset

④ User / asset activity

■ Indicator description: query recent user activity, asset activity and session history.

■ Indicator definition: recent user activity is the total number of users who logged in during the last 7 days; asset activity is the total number of assets that had sessions during the last 7 days; session history is the total number of sessions created during the last 7 days.

■ SQL statement:

select u.`Date`, u.`Number of active users`, a.`Number of active assets`, s.`Number of sessions`
from (
    select count(distinct user_id) `Number of active users`, d `Date`
    from (select DATE_FORMAT(date_start, '%Y-%m-%d') d, user_id
          from terminal_session
          where date_start > DATE_SUB(CURDATE(), INTERVAL 7 DAY)) t
    group by d order by d desc limit 7
) u
left join (
    select count(distinct asset_id) `Number of active assets`, d `Date`
    from (select DATE_FORMAT(date_start, '%Y-%m-%d') d, asset_id
          from terminal_session
          where date_start > DATE_SUB(CURDATE(), INTERVAL 7 DAY)) t
    group by d order by d desc limit 7
) a on u.`Date` = a.`Date`
left join (
    select d `Date`, count(1) `Number of sessions`
    from (select DATE_FORMAT(date_start, '%Y-%m-%d') d
          from terminal_session
          where date_start > DATE_SUB(CURDATE(), INTERVAL 7 DAY)) t
    group by d order by d desc limit 7
) s on u.`Date` = s.`Date`
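The following is an added example, not code from the original post or from the DataEase or JumpServer projects. It recomputes the 7-day user/asset activity indicator above on an in-memory SQLite copy of JumpServer's terminal_session table (table and column names as on the page; all rows are constructed sample data). It goes one step beyond the page's query: the three date-limited subqueries only produce rows for days that had at least one session, so a quiet day simply vanishes from the chart. Here a recursive date spine supplies every one of the last 7 calendar days, and a single GROUP BY replaces the three subqueries, so days with no activity show up as zeros.

```python
# Added example, not code from the original post or from DataEase/JumpServer:
# the 7-day user/asset activity indicator (dataset 4 above) recomputed on an
# in-memory SQLite copy of JumpServer's terminal_session table. The table and
# column names follow the page; every row is constructed sample data. A
# recursive date spine is added so days with no sessions still appear as
# zero rows, which the page's LEFT JOIN of three filtered subqueries cannot do.
import sqlite3
from datetime import date, timedelta

# Constructed sample sessions: day offset before "today" -> (user_id, asset_id) pairs.
SAMPLE_SESSIONS = {
    1: [("u1", "a1"), ("u1", "a2"), ("u2", "a1")],   # 2 users, 2 assets, 3 sessions
    3: [("u3", "a3")],                                 # 1 user, 1 asset, 1 session
    6: [("u1", "a1"), ("u1", "a1")],                   # 1 user, 1 asset, 2 sessions
    9: [("u9", "a9")],                                 # outside the 7-day window
}

ACTIVITY_7D = """
WITH RECURSIVE days(d) AS (                 -- the 7 calendar days ending today
    SELECT date(:today, '-6 days')
    UNION ALL
    SELECT date(d, '+1 day') FROM days WHERE d < :today
),
per_day AS (                                -- one GROUP BY replaces the three subqueries
    SELECT substr(date_start, 1, 10)  AS d,
           COUNT(DISTINCT user_id)    AS active_users,
           COUNT(DISTINCT asset_id)   AS active_assets,
           COUNT(*)                   AS sessions
    FROM terminal_session
    WHERE date_start >= date(:today, '-6 days')
    GROUP BY d
)
SELECT days.d,
       COALESCE(active_users, 0),
       COALESCE(active_assets, 0),
       COALESCE(sessions, 0)
FROM days LEFT JOIN per_day ON per_day.d = days.d
ORDER BY days.d DESC
"""


def build_db(today: str, sample=SAMPLE_SESSIONS) -> sqlite3.Connection:
    """Create terminal_session in memory and load the constructed sessions."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE terminal_session ("
        " id INTEGER PRIMARY KEY, user_id TEXT, asset_id TEXT,"
        " date_start TEXT, is_finished INTEGER)"
    )
    base = date.fromisoformat(today)
    rows = [
        (u, a, f"{(base - timedelta(days=off)).isoformat()} 10:00:00", 1)
        for off, pairs in sample.items()
        for u, a in pairs
    ]
    conn.executemany(
        "INSERT INTO terminal_session(user_id, asset_id, date_start, is_finished)"
        " VALUES (?, ?, ?, ?)",
        rows,
    )
    return conn


def activity_last_7_days(conn: sqlite3.Connection, today: str):
    """Return (date, active_users, active_assets, sessions) tuples, newest day first."""
    return conn.execute(ACTIVITY_7D, {"today": today}).fetchall()


def run_demo(today: str = "2024-05-20"):
    """Build the sample database for the given day and return the 7 indicator rows."""
    return activity_last_7_days(build_db(today), today)


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

The same date-spine idea carries over to MySQL 8 (WITH RECURSIVE is supported there too) when the dataset is rebuilt against the live JumpServer database; for that data source it is advisable to give DataEase a dedicated MySQL account with SELECT-only privileges on the JumpServer schema rather than reusing JumpServer's own credentials.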

⑤ High risk command statistics

■ Indicator description: query high-risk commands.

■ Indicator definition: command records whose risk level is not equal to 0, that is, commands that matched a regular expression in the command filter.

■ SQL statement:

SELECT * FROM terminal_command WHERE risk_level != 0;
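The page's query above returns the raw flagged rows. As an added example (not code from the original post or from the DataEase or JumpServer projects), the block below aggregates the same filter into figures a dashboard card can show: hit count, highest risk level and most recent hit per user and asset, plus the share of all recorded commands that were flagged. Only the risk_level column is named by the page; the user, asset, input and timestamp columns are assumed, and every row is constructed sample data loaded into an in-memory SQLite table.

```python
# Added example, not code from the original post or from DataEase/JumpServer:
# turns the high-risk command indicator (dataset 5 above, a plain SELECT *)
# into per-user/per-asset statistics on an in-memory SQLite table shaped
# like JumpServer's terminal_command. Only risk_level is named by the page;
# the user, asset, input and timestamp columns are assumed, and all rows are
# constructed sample data.
import sqlite3

# Constructed sample commands: (user, asset, input, risk_level, unix timestamp)
SAMPLE_COMMANDS = [
    ("alice", "web-01", "ls -la",                0, 1700000000),
    ("alice", "web-01", "rm -rf /var/log",       5, 1700000100),
    ("bob",   "db-01",  "cat /etc/shadow",       5, 1700000200),
    ("bob",   "db-01",  "id",                    0, 1700000300),
    ("bob",   "db-01",  "chmod 777 /etc/passwd", 5, 1700000400),
    ("bob",   "web-01", "rm -rf /tmp/x",         5, 1700003600),
    ("carol", "db-01",  "uptime",                0, 1700000500),
]

# Same filter as the page (risk_level != 0), aggregated for the dashboard:
# hit count, highest risk level and most recent hit per (user, asset),
# busiest pair first, most recent first among ties.
HIGH_RISK_BY_USER_ASSET = """
SELECT user, asset,
       COUNT(*)                               AS hits,
       MAX(risk_level)                        AS max_risk,
       datetime(MAX(timestamp), 'unixepoch')  AS last_seen
FROM terminal_command
WHERE risk_level != 0
GROUP BY user, asset
ORDER BY hits DESC, last_seen DESC
"""


def build_db(rows=SAMPLE_COMMANDS) -> sqlite3.Connection:
    """Create terminal_command in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE terminal_command (id INTEGER PRIMARY KEY, user TEXT,"
        " asset TEXT, input TEXT, risk_level INTEGER, timestamp INTEGER)"
    )
    conn.executemany(
        "INSERT INTO terminal_command(user, asset, input, risk_level, timestamp)"
        " VALUES (?, ?, ?, ?, ?)",
        rows,
    )
    return conn


def high_risk_summary(conn: sqlite3.Connection):
    """(user, asset, hits, max_risk, last_seen) rows for flagged commands only."""
    return conn.execute(HIGH_RISK_BY_USER_ASSET).fetchall()


def high_risk_ratio(conn: sqlite3.Connection) -> float:
    """Flagged commands as a share of all recorded commands (0.0 for an empty table)."""
    total, flagged = conn.execute(
        "SELECT COUNT(*), COALESCE(SUM(risk_level != 0), 0) FROM terminal_command"
    ).fetchone()
    return flagged / total if total else 0.0


if __name__ == "__main__":
    db = build_db()
    for row in high_risk_summary(db):
        print(row)
    print(f"flagged share: {high_risk_ratio(db):.1%}")
```

Grouping by user and asset is what makes the indicator actionable for an audit: a single account tripping the command filter repeatedly on one host stands out immediately, whereas in the raw SELECT * output it is one line among many.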

⑥ Asset activity (last 30 days)

■ Indicator description: query asset activity over the last 30 days.

■ Indicator definition: the total number of assets that had finished SSH sessions in the last 30 days, grouped by organization name.

■ SQL statement:

select o.name 'Organization', count(count_num) 'Activity level'
from orgs_organization o
join (
    SELECT asset,
           count(*) count_num,
           REPLACE(org_id, '-', '') org_id
    FROM terminal_session t
    WHERE t.is_finished = 1
      AND t.protocol = 'ssh'
      AND datediff(NOW(), t.date_end) <= 30
    GROUP BY org_id, asset
) terminal on o.id = terminal.org_id
group by o.name

⑦ Proportion of assets of each organization

■ Indicator description: query the number of servers in each organization.

■ Indicator definition: the assets of each organization, grouped by organization.

■ SQL statement:

SELECT t.NAME, COUNT(*) AS `Number of servers`
FROM assets_asset a, orgs_organization t
WHERE LEFT(a.org_id, 8) = LEFT(t.id, 8)
GROUP BY t.NAME
ORDER BY `Number of servers` DESC

⑧ Login status of all users in the last day

■ Indicator description: the number of user logins in the last day.

■ Indicator definition: the number of logins of every user in the last day, grouped by user name and sorted in descending order of login count.

■ SQL statement:

select name `User name`, login_time `Login times`
from (
    SELECT uu.name name,
           count(*) AS login_time
    FROM audits_userloginlog aul
    left join users_user uu on aul.username = uu.username
    WHERE TO_DAYS(now()) - TO_DAYS(datetime) <= 1
    GROUP BY aul.username
) t
where name is not null
ORDER BY login_time DESC

⑨ Ranking of all user logins in the last week

■ Indicator description: query the number of logins of every user in the last week.

■ Indicator definition: the number of logins of every user in the last seven days, grouped by user name and sorted in descending order of login count.

■ SQL statement:

SELECT (select name from users_user uu where uu.username = au.username) as name,
       count(*) AS `Login times`
FROM audits_userloginlog au
WHERE TO_DAYS(now()) - TO_DAYS(datetime) <= 7
GROUP BY username
ORDER BY `Login times` DESC

⑩ Asset logins in the last day, TOP 5

■ Indicator description: query the number of times each asset was accessed in the last day.

■ Indicator definition: the number of logins per asset in the last day, in descending order of login count.

■ SQL statement:

SELECT asset,
       assets_asset.ip,
       COUNT(*) AS `Login times`
FROM terminal_session
left join assets_asset on replace(terminal_session.asset_id, '-', '') = assets_asset.id
WHERE TO_DAYS(now()) - TO_DAYS(date_end) <= 1
GROUP BY asset
ORDER BY `Login times` DESC

⑪ Asset login ranking in the last week

■ Indicator description: query the number of logins of every asset in the last week.

■ Indicator definition: the number of logins of every asset in the last seven days, in descending order of login count.

■ SQL statement:

SELECT asset,
       assets_asset.ip as ip,
       COUNT(*) AS `Login times`
FROM terminal_session
left join assets_asset on replace(terminal_session.asset_id, '-', '') = assets_asset.id
WHERE TO_DAYS(now()) - TO_DAYS(date_end) <= 7
GROUP BY asset
ORDER BY `Login times` DESC

  5. Data substitution

Next, replace the datasets bound to each view with your own actual data.

[Figure]

  6. Points to note

① Category axis / dimension field is missing

Because sensitive information such as personal names was involved while the template was being designed, a desensitized field was created in the dataset. As a result, when you replace the datasets, the data dimension area will show the situation marked by the red box in the figure below. In that case, delete the indicator in the red box and drag the "User name" field directly into the position shown.

[Figure]

② After replacing the fields, the dimension field is too long and the chart is not displayed completely

[Figure]

When the situation shown in the figure above occurs, there are two solutions:

Option 1: truncate the existing field. For the specific steps, refer to the "New calculated field" section of the DataEase official documentation:

https://dataease.io/docs/user_manual/dataset_design/#24

Option 2: use the IP field as the display field instead.

[Figure]

  7. Final effect

After completing the steps above, you have your own operation and maintenance security audit screen.

[Figure]

Original site

Copyright notice
This article was created by [Fit2cloud flying cloud]; please include the original link when reposting. Thank you.
https://yzsam.com/2022/204/202207230041395534.html