security_collector.h

Go to the documentation of this file.

// BSD 3-Clause License
// Copyright (c) 2021-2025, 🍀☀🌕🌥 🌊
// See the LICENSE file in the project root for full license information.
 
#pragma once
 
#include <atomic>
#include <chrono>
#include <cstdint>
#include <memory>
#include <mutex>
#include <string>
#include <unordered_map>
#include <vector>
 
#include "../interfaces/metric_types_adapter.h"
#include "../plugins/collector_plugin.h"
 
namespace kcenon {
namespace monitoring {
 
enum class security_event_type {
    login_success = 1,     
    login_failure = 2,     
    logout = 3,            
    sudo_usage = 4,        
    permission_change = 5, 
    account_created = 6,   
    account_deleted = 7,   
    account_modified = 8,  
    session_start = 9,     
    session_end = 10,      
    unknown = 0            
};
 
inline std::string security_event_type_to_string(security_event_type type) {
    switch (type) {
        case security_event_type::login_success: return "LOGIN_SUCCESS";
        case security_event_type::login_failure: return "LOGIN_FAILURE";
        case security_event_type::logout: return "LOGOUT";
        case security_event_type::sudo_usage: return "SUDO_USAGE";
        case security_event_type::permission_change: return "PERMISSION_CHANGE";
        case security_event_type::account_created: return "ACCOUNT_CREATED";
        case security_event_type::account_deleted: return "ACCOUNT_DELETED";
        case security_event_type::account_modified: return "ACCOUNT_MODIFIED";
        case security_event_type::session_start: return "SESSION_START";
        case security_event_type::session_end: return "SESSION_END";
        default: return "UNKNOWN";
    }
}
 
struct security_event {
    security_event_type type{security_event_type::unknown}; 
    std::string username;           
    std::string source;             
    std::string message;            
    bool success{false};            
    std::chrono::system_clock::time_point timestamp; 
};
 
struct security_event_counts {
    uint64_t login_success{0};      
    uint64_t login_failure{0};      
    uint64_t logout{0};             
    uint64_t sudo_usage{0};         
    uint64_t permission_change{0};  
    uint64_t account_created{0};    
    uint64_t account_deleted{0};    
    uint64_t account_modified{0};   
    uint64_t unknown{0};            
 
    uint64_t get_count(security_event_type type) const {
        switch (type) {
            case security_event_type::login_success: return login_success;
            case security_event_type::login_failure: return login_failure;
            case security_event_type::logout: return logout;
            case security_event_type::sudo_usage: return sudo_usage;
            case security_event_type::permission_change: return permission_change;
            case security_event_type::account_created: return account_created;
            case security_event_type::account_deleted: return account_deleted;
            case security_event_type::account_modified: return account_modified;
            default: return unknown;
        }
    }
 
    void increment(security_event_type type) {
        switch (type) {
            case security_event_type::login_success: ++login_success; break;
            case security_event_type::login_failure: ++login_failure; break;
            case security_event_type::logout: ++logout; break;
            case security_event_type::sudo_usage: ++sudo_usage; break;
            case security_event_type::permission_change: ++permission_change; break;
            case security_event_type::account_created: ++account_created; break;
            case security_event_type::account_deleted: ++account_deleted; break;
            case security_event_type::account_modified: ++account_modified; break;
            default: ++unknown; break;
        }
    }
 
    uint64_t total() const {
        return login_success + login_failure + logout + sudo_usage +
               permission_change + account_created + account_deleted +
               account_modified + unknown;
    }
};
 
struct security_metrics {
    security_event_counts event_counts;              
    uint64_t active_sessions{0};                     
    std::vector<security_event> recent_events;       
    double events_per_second{0.0};                   
    bool metrics_available{false};                   
    std::chrono::system_clock::time_point timestamp; 
};
 
// Forward declaration
namespace platform {
class metrics_provider;
}  // namespace platform
 
class security_info_collector {
   public:
    security_info_collector();
    ~security_info_collector();
 
    // Non-copyable, non-moveable due to internal state
    security_info_collector(const security_info_collector&) = delete;
    security_info_collector& operator=(const security_info_collector&) = delete;
    security_info_collector(security_info_collector&&) = delete;
    security_info_collector& operator=(security_info_collector&&) = delete;
 
    bool is_security_monitoring_available() const;
 
    security_metrics collect_metrics();
 
    void set_max_recent_events(size_t max_events);
 
    void set_mask_pii(bool mask_pii);
 
   private:
    std::unique_ptr<platform::metrics_provider> provider_;
    size_t max_recent_events_{100};
    bool mask_pii_{false};
 
    std::string mask_username(const std::string& username) const;
};
 
class security_collector : public collector_plugin {
   public:
    security_collector();
    ~security_collector() = default;
 
    // Non-copyable, non-moveable due to internal state
    security_collector(const security_collector&) = delete;
    security_collector& operator=(const security_collector&) = delete;
    security_collector(security_collector&&) = delete;
    security_collector& operator=(security_collector&&) = delete;
 
    // collector_plugin interface implementation
    auto name() const -> std::string_view override { return "security_collector"; }
    auto collect() -> std::vector<metric> override;
    auto interval() const -> std::chrono::milliseconds override { return collection_interval_; }
    auto is_available() const -> bool override;
    bool is_healthy() const;
    auto get_metric_types() const -> std::vector<std::string> override;
 
    bool initialize(const std::unordered_map<std::string, std::string>& config) override;
 
 
    std::unordered_map<std::string, double> get_statistics() const override;
 
    security_metrics get_last_metrics() const;
 
    bool is_security_monitoring_available() const;
 
   private:
    std::unique_ptr<security_info_collector> collector_;
 
    // Configuration
    bool enabled_{true};
    bool mask_pii_{false};
    size_t max_recent_events_{100};
    double login_failure_rate_limit_{1000.0};
    std::chrono::milliseconds collection_interval_{std::chrono::seconds(60)};
 
    // Statistics
    mutable std::mutex stats_mutex_;
    std::atomic<size_t> collection_count_{0};
    std::atomic<size_t> collection_errors_{0};
    security_metrics last_metrics_;
 
    // Helper methods
    metric create_metric(const std::string& name, double value,
                         const std::unordered_map<std::string, std::string>& tags = {},
                         const std::string& unit = "") const;
    void add_security_metrics(std::vector<metric>& metrics,
                              const security_metrics& security_data);
};
 
}  // namespace monitoring
}  // namespace kcenon