// Copyright 2020 Joakim Kennedy. All rights reserved. Use of
// this source code is governed by the included BSD license.
package stix2
import (
"fmt"
"strings"
)
// UserAccount object represents an instance of any type of user account,
// including but not limited to operating system, device, messaging service,
// and social media platform accounts. As all properties of this object are
// optional, at least one of the properties defined below MUST be included when
// using this object.
//
// NOTE(review): nothing in this type enforces the "at least one property"
// rule; NewUserAccount only rejects an empty option list. Confirm whether the
// options themselves guarantee it.
type UserAccount struct {
// STIXCyberObservableObject is embedded; the ID and Extensions members used
// by NewUserAccount and UNIXAccountExtension are reached through it.
STIXCyberObservableObject
// UserID specifies the identifier of the account. The format of the
// identifier depends on the system the user account is maintained in, and
// may be a numeric ID, a GUID, an account name, an email address, etc. The
// UserID property should be populated with whatever field is the unique
// identifier for the system the account is a member of. For example, on
// UNIX systems it would be populated with the UID.
//
// NewUserAccount uses this value, when non-empty, as one of the inputs to
// the object's identifier.
UserID string `json:"user_id,omitempty"`
// Credential specifies a cleartext credential. This is only intended to be
// used in capturing metadata from malware analysis (e.g., a hard-coded
// domain administrator password that the malware attempts to use for
// lateral movement) and SHOULD NOT be used for sharing of PII.
//
// The value is held as a plain string and carries the JSON key "credential",
// so a populated field is presumably written out verbatim whenever the
// object is marshalled. Treat any UserAccount with Credential set as
// sensitive: keep it out of logs and debug dumps, and check the sharing
// policy of the destination before publishing the object.
Credential string `json:"credential,omitempty"`
// AccountLogin specifies the account login string, used in cases where the
// UserID property specifies something other than what a user would type
// when they log in.
//
// For example, in the case of a Unix account with UserID 0, the account_login
// might be "root".
//
// NewUserAccount uses this value, when non-empty, as one of the inputs to
// the object's identifier.
AccountLogin string `json:"account_login,omitempty"`
// AccountType specifies the type of the account. It is a free-form string;
// no validation against the Account* constants is visible in this file.
//
// NewUserAccount uses this value, when non-empty, as one of the inputs to
// the object's identifier.
AccountType string `json:"account_type,omitempty"`
// DisplayName specifies the display name of the account, to be shown in
// user interfaces, if applicable.
DisplayName string `json:"display_name,omitempty"`
// IsServiceAccount indicates that the account is associated with a network
// service or system process (daemon), not a specific individual.
IsServiceAccount bool `json:"is_service_account,omitempty"`
// IsPrivileged specifies that the account has elevated privileges (i.e.,
// in the case of root on Unix or the Windows Administrator account).
IsPrivileged bool `json:"is_privileged,omitempty"`
// CanEscalatePrivs specifies that the account has the ability to escalate
// privileges (i.e., in the case of sudo on Unix or a Windows Domain Admin
// account).
CanEscalatePrivs bool `json:"can_escalate_privs,omitempty"`
// IsDisabled specifies if the account is disabled.
IsDisabled bool `json:"is_disabled,omitempty"`
// AccountCreated specifies when the account was created.
AccountCreated *Timestamp `json:"account_created,omitempty"`
// AccountExpires specifies the expiration date of the account.
AccountExpires *Timestamp `json:"account_expires,omitempty"`
// CredentialLastChanged specifies when the account credential was last
// changed.
CredentialLastChanged *Timestamp `json:"credential_last_changed,omitempty"`
// AccountFirstLogin specifies when the account was first accessed.
AccountFirstLogin *Timestamp `json:"account_first_login,omitempty"`
// AccountLastLogin specifies when the account was last accessed.
AccountLastLogin *Timestamp `json:"account_last_login,omitempty"`
}
// MarshalJSON encodes the account as JSON by handing the receiver to
// marshalToJSONHelper and returning its result unchanged.
//
// NOTE(review): if the helper honours the struct's json tags, a non-empty
// Credential field ends up in the output in cleartext; callers that log or
// forward the encoded bytes should account for that.
func (u *UserAccount) MarshalJSON() ([]byte, error) {
	encoded, err := marshalToJSONHelper(u)
	return encoded, err
}
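// UNIXAccountExtension returns the Unix account extension for the object or
// nil.
//
// nil is returned both when no entry is stored under ExtUnixAccount and when
// the stored entry is not a *UNIXAccountExtension.
func (n *UserAccount) UNIXAccountExtension() *UNIXAccountExtension {
	data, ok := n.Extensions[ExtUnixAccount]
	if !ok {
		return nil
	}
	// Use the comma-ok form: an entry of any other dynamic type (for example
	// one produced while decoding a malformed or unexpected extension) must
	// yield nil as documented instead of panicking the caller.
	ext, ok := data.(*UNIXAccountExtension)
	if !ok {
		return nil
	}
	return ext
}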
// NewUserAccount creates a new UserAccount object.
//
// At least one option is required; with none, ErrPropertyMissing is returned.
// The options are applied to a fresh object, after which the object's ID is
// derived from the non-empty values of AccountType, UserID and AccountLogin,
// in that order. The error from applyOptions, if any, is returned alongside
// the object, so callers must check it before using the result.
//
// NOTE(review): each contributing value is wrapped in double quotes without
// any escaping, and empty properties are skipped rather than represented.
// The seed string therefore does not record which property a value came
// from, and a value containing a double quote makes the seed ambiguous, so
// distinct accounts can end up with the same identifier. Confirm what
// NewObservableIdentifier expects before relying on these IDs for
// de-duplication of data from untrusted feeds.
func NewUserAccount(opts ...STIXOption) (*UserAccount, error) {
	if len(opts) == 0 {
		return nil, ErrPropertyMissing
	}

	account := &UserAccount{
		STIXCyberObservableObject: newSTIXCyberObservableObject(TypeUserAccount),
	}
	optErr := applyOptions(account, opts)

	// Collect the ID-contributing properties that are set, keeping their
	// fixed order.
	contributing := []string{account.AccountType, account.UserID, account.AccountLogin}
	quoted := make([]string, 0, 3)
	for _, value := range contributing {
		if value == "" {
			continue
		}
		quoted = append(quoted, fmt.Sprintf(`"%s"`, value))
	}

	seed := fmt.Sprintf("[%s]", strings.Join(quoted, ","))
	account.ID = NewObservableIdentifier(seed, TypeUserAccount)
	return account, optErr
}
// Account type names. They are plain string constants, presumably meant as
// values for UserAccount.AccountType (TODO confirm against callers). Since
// AccountType is an unconstrained string, consumers should not assume that a
// received object uses one of these values.
const (
// AccountFacebook specifies a Facebook account.
AccountFacebook string = "facebook"
// AccountLdap specifies an LDAP account.
AccountLdap string = "ldap"
// AccountNis specifies a NIS account.
AccountNis string = "nis"
// AccountOpenid specifies an OpenID account.
AccountOpenid string = "openid"
// AccountRadius specifies a RADIUS account.
AccountRadius string = "radius"
// AccountSkype specifies a Skype account.
AccountSkype string = "skype"
// AccountTacacs specifies a TACACS account.
AccountTacacs string = "tacacs"
// AccountTwitter specifies a Twitter account.
AccountTwitter string = "twitter"
// AccountUnix specifies a POSIX account.
AccountUnix string = "unix"
// AccountWindowsLocal specifies a Windows local account.
AccountWindowsLocal string = "windows-local"
// AccountWindowsDomain specifies a Windows domain account.
AccountWindowsDomain string = "windows-domain"
)
// UNIXAccountExtension specifies a default extension for capturing the
// additional information for an account on a UNIX system.
//
// UserAccount.UNIXAccountExtension looks a value of this type up in the
// object's Extensions under the ExtUnixAccount key.
type UNIXAccountExtension struct {
// GID specifies the primary group ID of the account.
//
// NOTE(review): the tag carries omitempty, so under encoding/json rules a
// GID of 0 (the root group on typical UNIX systems) is dropped from the
// output and cannot be told apart from "not set" after a round trip.
// Confirm whether the marshalling path used for extensions behaves this way.
GID int64 `json:"gid,omitempty"`
// Groups specifies a list of names of groups that the account is a member
// of.
Groups []string `json:"groups,omitempty"`
// Home specifies the home directory of the account. It is serialized under
// the JSON key "home_dir".
Home string `json:"home_dir,omitempty"`
// Shell specifies the account's command shell.
Shell string `json:"shell,omitempty"`
}