            row["ready"] = i.status.container_statuses[0].ready
            row["pod-ip"] = i.status.host_ip

            if (i.status.container_statuses[0].state.running != "None"):
                row["status"] = "Running"
            elif (i.status.container_statuses[0].state.terminated != "None"):
                row["status"] = "Terminated"
            else:
                row["status"] = "Waiting"

            row["restarts"] = i.status.container_statuses[0].restart_count

            created = i.metadata.creation_timestamp
            now = datetime.now(timezone.utc)
            diff = now - created
            row["age"] = str(diff.days) + "d"

            images = 0
            for c in i.status.container_statuses:
                images += 1

            row["num_images"] = images

            query_data.append(row)

        return query_data


if __name__ == "__main__":
    # Entry point when this file is launched as a standalone osquery
    # extension process (osqueryd loads it via its --extension mechanism).
    extension_identity = {"name": "k8s", "version": "1.0.0"}
    osquery.start_extension(**extension_identity)
        command = "/usr/share/cb/cbstats"
        args = "--metrics=" + metrics
        query_data = []
        host_name = socket.gethostname()

        if(not os.path.exists(command)):
            return query_data
        try:
            p = subprocess.Popen([command, args], stdout=subprocess.PIPE)
            resp = p.communicate()[0]
        except Exception as _e:
            return query_data

        for line in resp.split("\n"):
            if(line == '' or len(line.split('.')) < 2):
                continue
            row = {}
            _tmp, val = line.split(":")
            top, met = _tmp.split(".")[0], _tmp.split(".")[1]
            row["host"] = host_name
            row["topic"] = top
            row["metric"] = met
            row["value"] = val.strip()
            query_data.append(row)

        return query_data

if __name__ == "__main__":
    # Hand the process over to the osquery extension SDK; the table(s)
    # defined above are served under the extension name "cbstats".
    EXTENSION_NAME = "cbstats"
    EXTENSION_VERSION = "0.0.2"
    osquery.start_extension(name=EXTENSION_NAME, version=EXTENSION_VERSION)
                return False
        return True

    @staticmethod
    def is_valid_protocol(protocol):
        """
        :param protocol:
        :return:
        Validates if protocol is valid or not for iptable.
        """
        return protocol in ["tcp", "udp", "icmp", "all"]

    def execute_subprocess_command(self):
        """
        :return: ``[stdout, stderr]`` of the iptables run, as raw bytes (no text
            mode is requested). The exit status is not returned, so a rule that
            iptables rejects is only visible through stderr.
        Execute iptable rule on the machine.

        Only option names listed in ``IPTableRule.ALLOWED_IP_TABLE_KEY_VALUE``
        are forwarded, in that mapping's iteration order; other entries of
        ``self.arguments`` are dropped silently. Values are passed as separate
        argv elements without a shell, so they cannot splice in extra commands,
        but nothing here validates their content (e.g. ``is_valid_protocol``
        is not consulted) -- callers must validate before invoking this.
        """
        argv = ["iptables"]
        for option in IPTableRule.ALLOWED_IP_TABLE_KEY_VALUE:
            if option not in self.arguments:
                continue
            argv += [option, self.arguments[option]]
        proc = subprocess.Popen(argv,
                                stdout=subprocess.PIPE,
                                stderr=subprocess.PIPE)
        stdout, stderr = proc.communicate()
        return [stdout, stderr]


if __name__ == "__main__":
    # Start the osquery extension loop for the active-response table(s).
    # Note that this extension can invoke iptables, so it should only be
    # loaded from a location that is writable solely by the osqueryd account.
    identity = dict(name="active_response_extension", version="1.0.0")
    osquery.start_extension(**identity)
        row["RunTime in Sec"] = json_obj['runtime_s']
        row["RunTime in MS"] = json_obj['runtime_ms']
        query_data.append(row)
        return query_data

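@osquery.register_plugin
class vimInfoData(osquery.TablePlugin):
    """osquery table ``viminfodata``: one row summarising the local Vim setup.

    Nothing is probed here; the row is read from ``~/.vim-info/vimInfo.json``,
    which some other component is expected to maintain. ``~`` is the home
    directory of whichever account runs this extension process, which need
    not be the interactive user whose Vim configuration is of interest.
    """

    # JSON summary path; expanded with expanduser() at query time.
    INFO_FILE = "~/.vim-info/vimInfo.json"

    def name(self):
        """Table name as exposed to osquery."""
        return "viminfodata"

    def columns(self):
        """Four STRING columns, matching the keys read in generate()."""
        return [
            osquery.TableColumn(name="Config File", type=osquery.STRING),
            osquery.TableColumn(name="Plugin Manager", type=osquery.STRING),
            osquery.TableColumn(name="Plugins Count", type=osquery.STRING),
            osquery.TableColumn(name="Extension Socket", type=osquery.STRING),
        ]

    def generate(self, context):
        """Return the single row built from the JSON file.

        :param context: osquery query context (unused).
        :return: one-element list of column-name -> value dicts.
        :raises OSError: if the file cannot be opened (e.g. it is missing).
        :raises ValueError: if the file is not valid JSON (json.JSONDecodeError).
        :raises KeyError: if an expected key is absent.
        Errors propagate, as before, rather than being masked as an empty table.
        """
        # 'with' releases the descriptor even if json.load raises; the original
        # opened the file and never closed it.  JSON is UTF-8 by specification,
        # so do not depend on the locale's default encoding.
        with open(expanduser(self.INFO_FILE), encoding="utf-8") as handle:
            info = json.load(handle)
        row = {
            "Config File": info["config_file"],
            "Plugin Manager": info["plugin_manager"],
            "Plugins Count": info["plugins_count"],
            "Extension Socket": info["socket"],
        }
        return [row]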
if __name__ == "__main__":
    # Serve the viminfodata table as an osquery extension named "vim_info".
    osquery.start_extension(
        name="vim_info",
        version="1.0.0",
    )
                row["location"] = str(response['location'])
                row["st"] = str(response['st'])
                row["usn"] = str(response['usn'])
                return row
    return


@osquery.register_plugin
class MyTablePlugin(osquery.TablePlugin):
    """osquery table ``detect_ssdp``: at most one row from an SSDP discovery pass.

    Row contents come straight from ``discover()`` (defined elsewhere in this
    module), i.e. from whatever device answered on the local network; treat
    the values as untrusted strings.
    """

    def name(self):
        """Table name as exposed to osquery."""
        return "detect_ssdp"

    def columns(self):
        """Four STRING columns: responder IP plus the location/st/usn values."""
        column_names = ("ssdp_ip", "location", "st", "usn")
        return [
            osquery.TableColumn(name=label, type=osquery.STRING)
            for label in column_names
        ]

    def generate(self, context):
        """Return ``[row]`` when ``discover()`` found a responder, else ``[]``.

        :param context: osquery query context (unused).
        """
        found = discover()
        return [] if found is None else [found]

if __name__ == "__main__":
    # Run the SSDP detection table as a standalone osquery extension.
    EXTENSION = ("ssdp_extension", "0.1")
    osquery.start_extension(name=EXTENSION[0], version=EXTENSION[1])
    def name(self):
        """Table name registered with osquery."""
        table_name = "vim_filemarks_history"
        return table_name

    def columns(self):
        """Five STRING columns; positions are declared as text, not integers."""
        labels = (
            "Time",
            "File's path",
            "Filename",
            "Position row",
            "Position column",
        )
        return [osquery.TableColumn(name=label, type=osquery.STRING) for label in labels]

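    def generate(self, context):
        """Return one row per entry of ``~/vim_fm_history.json``.

        ``~`` is the home directory of the account running this extension
        process, which need not be the user whose Vim marks are of interest.
        Values are copied through unchanged (no type coercion).

        :param context: osquery query context (unused).
        :return: list of column-name -> value dicts, in file order.
        :raises OSError: if the file cannot be opened (e.g. it is missing).
        :raises ValueError: if the file is not valid JSON (json.JSONDecodeError).
        :raises KeyError: if an entry lacks one of the expected keys.
        Errors propagate, as before, rather than being masked as an empty table.
        """
        # 'with' releases the descriptor even if json.load raises; the original
        # opened the file and never closed it.  JSON is UTF-8 by specification,
        # so do not rely on the locale's default encoding.
        with open(expanduser("~/vim_fm_history.json"), encoding="utf-8") as handle:
            history = json.load(handle)
        rows = []
        for mark in history:
            rows.append({
                "Time": mark["time"],
                "File's path": mark["path"],
                "Filename": mark["filename"],
                "Position row": mark["row"],
                "Position column": mark["column"],
            })
        return rows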


if __name__ == "__main__":
    # Expose the filemarks-history table through the osquery extension SDK.
    extension_identity = {"name": "history", "version": "1.0.0"}
    osquery.start_extension(**extension_identity)
            tpl = communityid.FlowTuple.make_tcp(src_ip, dst_ip, src_port, dst_port)
            community_id = cid.calc(tpl)
        elif protocol == 17:
            tpl = communityid.FlowTuple.make_udp(src_ip, dst_ip, src_port, dst_port)
            community_id = cid.calc(tpl)
        else:
            print ( f"[-] - {datetime.now()} - Protocol not supported - \
                src_ip: {src_ip} - \
                src_port:{src_port} - \
                dst_ip: {dst_ip} - \
                dst_port:{dst_port} - \
                Protocol: {protocol}" )
        

        # Render table
        row = {
            "src_ip": src_ip,
            "src_port": src_port,
            "dst_ip": dst_ip,
            "dst_port": dst_port,
            "protocol": protocol,
            "community_id": community_id,
        }
        query_data.append(row)        
        return query_data

    

if __name__ == "__main__":
    # Run the Community ID table as a standalone osquery extension.
    osquery.start_extension(
        name="community_id_extension",
        version="1.0.0",
    )