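def ossec_win_deploy(sensor_id,
                     asset_id,
                     windows_ip,
                     windows_username,
                     windows_password,
                     windows_domain,
                     agent_id=None):
    """ Deploy HIDS agent on a Windows System

    Validates the parameters, resolves the sensor, creates (or looks up) the
    HIDS agent bound to the asset, runs the Ansible deployment and finally
    records the outcome in the Message Center.

    Args:
        sensor_id(str): Sensor ID
        asset_id(str): Asset ID
        windows_ip(str) : Deployment IP (where we are going to deploy the HIDS Agent)
        windows_username(str) : Windows Username
        windows_password(str) : Windows Password
        windows_domain(str) : Windows Domain
        agent_id(str) : Agent ID (optional; when omitted the first agent bound
            to the asset is reused, or a new one is created if there is none)

    Returns:
        (bool, str): True and a success message if the HIDS agent was properly
        deployed, otherwise False and the reason.

    Errors raised while deploying do not propagate: every exception is turned
    into a False result (and logged, except APICannotDeployHIDSAgent whose
    message is already the user-facing reason). The following are the
    internal failure cases reported through the returned message:
        APICannotResolveAssetID
        APICannotCreateHIDSAgent
        APICannotGetHIDSAgentByAsset
        APICannotResolveSensorID
        APICannotDeployHIDSAgent
        APIInvalidDeploymentIP
        APIInvalidWindowsUsername
        APIInvalidWindowsPassword
        APIInvalidAgentID
    """

    # Reported to the Message Center even when deployment aborts early
    agent_name = None
    sensor_ip = None
    sensor_name = None
    asset_name = None
    try:
        # Validate deployment parameters before touching the sensor
        if not is_valid_uuid(asset_id):
            raise APICannotResolveAssetID(asset_id)

        if not is_valid_ipv4(windows_ip):
            raise APIInvalidDeploymentIP(windows_ip)

        if not is_valid_windows_user(windows_username):
            raise APIInvalidWindowsUsername(windows_username)

        if not is_valid_user_password(windows_password):
            # Raised without arguments so the secret never reaches the
            # message persisted below
            raise APIInvalidWindowsPassword()

        if agent_id and not is_valid_ossec_agent_id(agent_id):
            raise APIInvalidAgentID(agent_id)

        # Resolve the sensor; from here on sensor_id is the dash-less
        # uppercase form used as prefix of the HIDS agent keys
        (success, sensor) = get_sensor_by_sensor_id(sensor_id)
        if not success:
            raise APICannotResolveSensorID(sensor_id)

        sensor_id = get_uuid_string_from_bytes(sensor.id).replace('-', '').upper()
        sensor_ip = get_ip_str_from_bytes(sensor.ip)
        sensor_name = sensor.name

        # Agents already bound to the asset, and the asset's display name
        hids_agents = get_hids_agents_by_asset(asset_id, sensor_id)
        asset_name = get_name_by_host_id(asset_id)

        if not hids_agents:
            # No agent bound to this asset yet: create one named after it
            agent_name = asset_name
            (success, data) = apimethod_ossec_add_new_agent(sensor_id, agent_name,
                                                            windows_ip, asset_id)
            if not success:
                raise APICannotCreateHIDSAgent(agent_name, sensor_id)
            agent_id = data
        else:
            # Agent keys have the form '<sensor_id>#<agent_id>'; without an
            # explicit agent_id the first bound agent is used. next(iter())
            # works on both Python 2 key lists and Python 3 key views,
            # unlike the former keys().pop(0).
            if agent_id:
                agent_key = sensor_id + '#' + agent_id
            else:
                agent_key = next(iter(hids_agents))

            if agent_key not in hids_agents:
                raise APICannotGetHIDSAgentByAsset(asset_id)
            agent_name = hids_agents[agent_key].get('name')
            agent_id = hids_agents[agent_key].get('id')

        # Deploy HIDS Agent
        ansible_result = ansible_ossec_win_deploy(sensor_ip, agent_name,
                                                  windows_ip, windows_username,
                                                  windows_domain,
                                                  windows_password)
        host_result = ansible_result[sensor_ip]
        if host_result['unreachable'] == 0 and host_result['failures'] == 0:
            # No error: short pause before reading the agent status back
            # (kept from the original; presumably lets the agent register)
            time.sleep(2)
            (success, data) = apimethod_ossec_get_agent_detail(sensor_id, agent_id)

            if success:
                # Detail line is comma separated; index 3 is taken as the
                # status (format assumed from the original code -- confirm)
                agent_info = data[0].split(',')
                agent_status = agent_info[3]

                update_hids_agent_status(agent_id, sensor_id, agent_status)
        else:
            ans_last_error = ""
            if host_result['unreachable'] == 1:
                ans_last_error = "System is unreachable"
            else:
                # First non-empty of msg / stderr / stdout, in that order
                last_error = ansible_result['alienvault']['lasterror'][sensor_ip]
                for field in ('msg', 'stderr', 'stdout'):
                    if field in last_error and last_error[field] != "":
                        ans_last_error = last_error[field]
                        break
            # NOTE(review): the raw Ansible output is persisted in the
            # Message Center below; confirm the deployment playbook never
            # echoes windows_password in msg/stderr/stdout.
            error_msg = 'HIDS Agent cannot be deployed.  Reason: {0}'.format(
                ans_last_error)

            raise APICannotDeployHIDSAgent(error_msg)

        res = True
        message = 'HIDS agent successfully deployed'
    except APICannotDeployHIDSAgent as err:
        # Already a user-facing reason; reported without logging
        message = str(err)
        res = False
    except Exception as err:
        message = str(err)
        logger.error(message)
        res = False

    # Message Center entries: one id for a successful deploy, one for failure
    mc_success_id = "00000000-0000-0000-0000-000000010033"
    mc_failure_id = "00000000-0000-0000-0000-000000010031"
    mc_id = mc_success_id if res else mc_failure_id

    additional_info = json.dumps({
        "asset_id": asset_id,
        "sensor_id": sensor_id,
        "agent_id": agent_id,
        "asset_name": asset_name,
        "asset_ip": windows_ip,
        "sensor_ip": sensor_ip,
        "sensor_name": sensor_name,
        "agent_name": agent_name,
        "deploy_status": message
    })
    insert_current_status_message(mc_id, asset_id, "host", additional_info)

    return res, message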
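def update_system_hids_agents(system_id):
    """
    Update information about HIDS agents connected to a system

    Synchronises the HIDS agents stored in the database with the agents the
    sensor currently reports: new agents are added, agents present on both
    sides get their status refreshed (and are linked to an asset when they
    have none), and agents the sensor no longer lists are deleted.
    Per-agent APIException errors are logged and do not stop the sync.

    @param system_id: system_id of the sensor to update
    @return: (not_linked_assets, refresh_idm) -- number of present agents
        that could not be linked to an asset, and True when a host had to be
        created (callers use it to refresh the inventory)
    @raise APICannotRetrieveSystem: the system information cannot be read
    @raise APICannotRunHIDSCommand: the sensor cannot list its agents
    """

    # Getting system information and the sensor ID it carries
    success, system_info = get_system_info(system_id)
    if not success:
        raise APICannotRetrieveSystem(system_id)
    sensor_id = system_info['sensor_id']

    stored_agents = get_hids_agents_by_sensor(sensor_id)

    success, agents = ossec_get_available_agents(sensor_id=sensor_id,
                                                 op_ossec='list_available_agents',
                                                 agent_id='')
    if not success:
        raise APICannotRunHIDSCommand(sensor_id, 'list_available_agents')

    # Membership goes against the mappings themselves: keys() is a list on
    # Python 2, which made every test a linear scan
    added_agents = [agent_id for agent_id in agents if agent_id not in stored_agents]
    present_agents = [agent_id for agent_id in agents if agent_id in stored_agents]
    deleted_agents = [agent_id for agent_id in stored_agents if agent_id not in agents]

    def _current_agent_ip(agent_data):
        # Address to match against the asset inventory for this agent
        ip_cidr = agent_data['ip_cidr']
        if ip_cidr == '127.0.0.1':
            # Special case: Local agent -> HA address if configured, else admin IP
            return system_info['ha_ip'] if system_info['ha_ip'] else system_info['admin_ip']
        lowered = ip_cidr.lower()
        if lowered in ('any', '0.0.0.0') or (is_valid_ipv4_cidr(ip_cidr) and '/' in ip_cidr):
            # DHCP environments: ask the sensor for the latest IP seen
            # (the success flag was never checked; the IP is validated below)
            _, ip_cidr = ossec_get_check(sensor_id, agent_data['name'], "lastip")
        return ip_cidr

    def _asset_for_ip(ip):
        # Returns (asset_id, created); asset_id is None/invalid when neither
        # lookup nor creation produced a usable host
        asset_id = None
        ok, sensor_ctx = get_sensor_ctx_by_sensor_id(sensor_id)
        if ok:
            ok, asset_id = get_host_id_by_ip_ctx(ip, sensor_ctx, output='str')
        if is_valid_uuid(asset_id):
            return asset_id, False
        _, new_asset_id = create_host([ip], sensor_id)
        if is_valid_uuid(new_asset_id):
            return new_asset_id, True
        return asset_id, False

    # Add new agents to database
    for agent_id in added_agents:
        try:
            agent = agents[agent_id]
            add_hids_agent(agent_id=agent_id,
                           sensor_id=sensor_id,
                           agent_name=agent['name'],
                           agent_ip=agent['ip'],
                           agent_status=agent['status'])
        except APIException as e:
            logger.error("Error adding hids agent: {0}".format(e))

    not_linked_assets = 0
    refresh_idm = False

    # Update agent status and check asset_id in database
    for agent_id in present_agents:
        try:
            update_hids_agent_status(agent_id=agent_id,
                                     sensor_id=sensor_id,
                                     agent_status=agents[agent_id]['status'])

            agent_data = get_hids_agent_by_sensor(sensor_id, agent_id)
            if agent_data['host_id'] != '':
                # Already bound to an asset; nothing more to do
                continue

            # Try to bind the agent to an asset resolved by IP
            linked_assets = get_linked_assets()
            agent_ip = _current_agent_ip(agent_data)
            asset_id = None
            if is_valid_ipv4(agent_ip):
                asset_id, created = _asset_for_ip(agent_ip)
                refresh_idm = refresh_idm or created

            # Linking asset to agent (assets linked elsewhere are skipped)
            if is_valid_uuid(asset_id) and asset_id not in linked_assets:
                update_asset_id(sensor_id=sensor_id, agent_id=agent_id, asset_id=asset_id)
                linked_assets[asset_id] = {'ha_id': agent_id, 'sensor_id': sensor_id}
            else:
                not_linked_assets += 1
        except APIException as e:
            logger.error('[update_system_hids_agents]: {0}'.format(e))

    # Remove deleted agents from database
    for agent_id in deleted_agents:
        try:
            delete_hids_agent(agent_id, sensor_id)
        except APIException as e:
            logger.error('[update_system_hids_agents]: {0}'.format(e))

    return not_linked_assets, refresh_idm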
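def ossec_win_deploy(sensor_id, asset_id, windows_ip, windows_username, windows_password, windows_domain,
                     agent_id=None):
    """ Deploy HIDS agent on a Windows System

    Steps: parameter validation, sensor lookup, reuse or creation of the HIDS
    agent bound to the asset, Ansible deployment, status refresh and finally
    a Message Center entry describing the outcome.

    Args:
        sensor_id(str): Sensor ID
        asset_id(str): Asset ID
        windows_ip(str) : Deployment IP (where we are going to deploy the HIDS Agent)
        windows_username(str) : Windows Username
        windows_password(str) : Windows Password
        windows_domain(str) : Windows Domain
        agent_id(str) : Agent ID (optional; defaults to the first agent bound
            to the asset, or a newly created one when the asset has none)

    Returns:
        (bool, str): True and a success message if the HIDS agent was properly
        deployed, otherwise False and the reason.

    Nothing raised during the deployment propagates to the caller: every
    exception becomes a False result (logged, except APICannotDeployHIDSAgent
    whose text is already the reason shown to the user). Internal failure
    cases reported this way:
        APICannotResolveAssetID
        APICannotCreateHIDSAgent
        APICannotGetHIDSAgentByAsset
        APICannotResolveSensorID
        APICannotDeployHIDSAgent
        APIInvalidDeploymentIP
        APIInvalidWindowsUsername
        APIInvalidWindowsPassword
        APIInvalidAgentID
    """

    def _last_error_text(ansible_result, host_ip):
        # Reason string for a failed run: unreachable host, else the first
        # non-empty of msg / stderr / stdout from the run's last error
        if ansible_result[host_ip]['unreachable'] == 1:
            return "System is unreachable"
        last_error = ansible_result['alienvault']['lasterror'][host_ip]
        for field in ('msg', 'stderr', 'stdout'):
            if field in last_error and last_error[field] != "":
                return last_error[field]
        return ""

    # Defaults so the Message Center entry can be written after an early abort
    agent_name = None
    sensor_ip = None
    sensor_name = None
    asset_name = None
    try:
        # Validate deployment parameters
        if not is_valid_uuid(asset_id):
            raise APICannotResolveAssetID(asset_id)
        if not is_valid_ipv4(windows_ip):
            raise APIInvalidDeploymentIP(windows_ip)
        if not is_valid_windows_user(windows_username):
            raise APIInvalidWindowsUsername(windows_username)
        if not is_valid_user_password(windows_password):
            # No argument on purpose: the password must not end up in the
            # status message stored below
            raise APIInvalidWindowsPassword()
        if agent_id and not is_valid_ossec_agent_id(agent_id):
            raise APIInvalidAgentID(agent_id)

        # Getting Sensor Information; sensor_id becomes the dash-less
        # uppercase form that prefixes the HIDS agent keys
        (success, sensor) = get_sensor_by_sensor_id(sensor_id)
        if not success:
            raise APICannotResolveSensorID(sensor_id)
        sensor_id = get_uuid_string_from_bytes(sensor.id).replace('-', '').upper()
        sensor_ip = get_ip_str_from_bytes(sensor.ip)
        sensor_name = sensor.name

        hids_agents = get_hids_agents_by_asset(asset_id, sensor_id)
        asset_name = get_name_by_host_id(asset_id)

        if not hids_agents:
            # Creating agent if doesn't exist, named after the asset
            agent_name = asset_name
            (success, data) = apimethod_ossec_add_new_agent(sensor_id, agent_name, windows_ip, asset_id)
            if not success:
                raise APICannotCreateHIDSAgent(agent_name, sensor_id)
            agent_id = data
        else:
            # Keys are '<sensor_id>#<agent_id>'; fall back to the first bound
            # agent. next(iter()) replaces keys().pop(0), which only exists
            # on Python 2 key lists.
            agent_key = sensor_id + '#' + agent_id if agent_id else next(iter(hids_agents))
            if agent_key not in hids_agents:
                raise APICannotGetHIDSAgentByAsset(asset_id)
            agent_name = hids_agents[agent_key].get('name')
            agent_id = hids_agents[agent_key].get('id')

        # Deploy HIDS Agent
        ansible_result = ansible_ossec_win_deploy(sensor_ip, agent_name, windows_ip, windows_username, windows_domain,
                                                  windows_password)
        host_result = ansible_result[sensor_ip]
        if host_result['unreachable'] != 0 or host_result['failures'] != 0:
            # NOTE(review): Ansible msg/stderr/stdout is stored verbatim in the
            # Message Center; confirm the playbook never echoes windows_password.
            error_msg = 'HIDS Agent cannot be deployed.  Reason: {0}'.format(_last_error_text(ansible_result, sensor_ip))
            raise APICannotDeployHIDSAgent(error_msg)

        # No error: brief pause (kept from the original, presumably so the
        # agent registers) and then persist the status the sensor reports
        time.sleep(2)
        (success, data) = apimethod_ossec_get_agent_detail(sensor_id, agent_id)
        if success:
            # Comma separated detail record; field 3 is read as the status
            # (layout assumed from the original indexing -- confirm)
            agent_status = data[0].split(',')[3]
            update_hids_agent_status(agent_id, sensor_id, agent_status)

        deployed = True
        status_text = 'HIDS agent successfully deployed'
    except APICannotDeployHIDSAgent as err:
        # Already user-facing; not logged
        status_text = str(err)
        deployed = False
    except Exception as err:
        status_text = str(err)
        logger.error(status_text)
        deployed = False

    # Create message in Message Center (distinct ids for success and failure)
    mc_ok = "00000000-0000-0000-0000-000000010033"
    mc_failed = "00000000-0000-0000-0000-000000010031"
    details = {
        "asset_id": asset_id,
        "sensor_id": sensor_id,
        "agent_id": agent_id,
        "asset_name": asset_name,
        "asset_ip": windows_ip,
        "sensor_ip": sensor_ip,
        "sensor_name": sensor_name,
        "agent_name": agent_name,
        "deploy_status": status_text
    }
    insert_current_status_message(mc_ok if deployed else mc_failed, asset_id, "host", json.dumps(details))

    return deployed, status_text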
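def update_system_hids_agents(system_id):
    """
    Update information about HIDS agents connected to a system

    Reconciles the database with the agent list reported by the sensor:
    unknown agents are inserted, known ones get their status refreshed and,
    if not yet bound to an asset, are matched (or a host is created) by IP;
    agents the sensor no longer reports are removed. APIException errors for
    a single agent are logged and the sync carries on with the next one.

    @param system_id: system_id of the sensor to update
    @return: (not_linked_assets, refresh_idm) -- count of present agents left
        without an asset, and True when at least one host was created
    @raise APICannotRetrieveSystem: system information unavailable
    @raise APICannotRunHIDSCommand: 'list_available_agents' failed on the sensor
    """

    success, system_info = get_system_info(system_id)
    if not success:
        raise APICannotRetrieveSystem(system_id)
    sensor_id = system_info['sensor_id']

    stored_agents = get_hids_agents_by_sensor(sensor_id)

    success, agents = ossec_get_available_agents(
        sensor_id=sensor_id, op_ossec='list_available_agents', agent_id='')
    if not success:
        raise APICannotRunHIDSCommand(sensor_id, 'list_available_agents')

    # Test membership on the mappings directly; keys() is a list on
    # Python 2 and turned these comprehensions quadratic
    added_agents = [aid for aid in agents if aid not in stored_agents]
    present_agents = [aid for aid in agents if aid in stored_agents]
    deleted_agents = [aid for aid in stored_agents if aid not in agents]

    # Add new agents to database
    for agent_id in added_agents:
        try:
            agent = agents[agent_id]
            add_hids_agent(agent_id=agent_id,
                           sensor_id=sensor_id,
                           agent_name=agent['name'],
                           agent_ip=agent['ip'],
                           agent_status=agent['status'])
        except APIException as e:
            logger.error("Error adding hids agent: {0}".format(e))

    not_linked_assets = 0
    refresh_idm = False

    # Update agent status and check asset_id in database
    for agent_id in present_agents:
        try:
            update_hids_agent_status(agent_id=agent_id,
                                     sensor_id=sensor_id,
                                     agent_status=agents[agent_id]['status'])

            agent_data = get_hids_agent_by_sensor(sensor_id, agent_id)
            if agent_data['host_id'] != '':
                continue

            # Agent has no asset yet: work out its current IP first
            linked_assets = get_linked_assets()
            agent_ip_cidr = agent_data['ip_cidr']
            asset_id = None

            if agent_ip_cidr == '127.0.0.1':
                # Special case: Local agent -> HA address if set, else admin IP
                agent_ip_cidr = system_info['ha_ip'] or system_info['admin_ip']
            elif (agent_ip_cidr.lower() in ('any', '0.0.0.0')
                  or (is_valid_ipv4_cidr(agent_ip_cidr) and '/' in agent_ip_cidr)):
                # DHCP environments (Get the latest IP); the success flag is
                # not needed because the value is validated right below
                _, agent_ip_cidr = ossec_get_check(sensor_id, agent_data['name'], "lastip")

            # Search asset_id, creating a host when the IP is unknown
            if is_valid_ipv4(agent_ip_cidr):
                ctx_ok, sensor_ctx = get_sensor_ctx_by_sensor_id(sensor_id)
                if ctx_ok:
                    _, asset_id = get_host_id_by_ip_ctx(agent_ip_cidr, sensor_ctx, output='str')

                if not is_valid_uuid(asset_id):
                    _, new_asset_id = create_host([agent_ip_cidr], sensor_id)
                    if is_valid_uuid(new_asset_id):
                        asset_id = new_asset_id
                        refresh_idm = True

            # Linking asset to agent; assets already linked elsewhere count
            # as not linked
            if is_valid_uuid(asset_id) and asset_id not in linked_assets:
                update_asset_id(sensor_id=sensor_id,
                                agent_id=agent_id,
                                asset_id=asset_id)
                linked_assets[asset_id] = {
                    'ha_id': agent_id,
                    'sensor_id': sensor_id
                }
            else:
                not_linked_assets += 1
        except APIException as e:
            logger.error('[update_system_hids_agents]: {0}'.format(e))

    # Remove deleted agents from database
    for agent_id in deleted_agents:
        try:
            delete_hids_agent(agent_id, sensor_id)
        except APIException as e:
            logger.error('[update_system_hids_agents]: {0}'.format(e))

    return not_linked_assets, refresh_idm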