def get_firewall_credentials(session_key):
"""Given a splunk session_key returns a clear text user name
and password from a splunk password container"""
try:
# Get all credentials
logger.debug("Getting firewall credentials from Splunk")
entities = entity.getEntities(['admin', 'passwords'],
namespace=APPNAME,
owner='nobody',
sessionKey=session_key)
accounts = entity.getEntities(['admin', 'Splunk_TA_paloalto_account'],
namespace=APPNAME,
owner='nobody',
sessionKey=session_key)
except Exception as e:
exit_with_error("Could not get %s credentials from splunk. \
Error: %s" % (APPNAME, str(e)))
# Check for username and passwords
for i, c in accounts.items():
if i.lower() == 'firewall' or i.lower() == 'panorama':
username = accounts[i]['username']
for i, c in entities.items():
if c['username'] == 'Firewall``splunk_cred_sep``1':
logger.debug('Match found for firewall credentials')
clear_password = json.loads(c['clear_password'])
password = clear_password['password']
if username and password:
logger.debug('Credentials have been found')
return username, password
else:
raise NoCredentialsFound("No credentials have been found")
def getCapabilities4User(user=None, session_key=None):
roles = []
capabilities = []
# Get user info
if user is not None:
userDict = en.getEntities('authentication/users/%s' % (user),
count=-1,
sessionKey=session_key)
for stanza, settings in userDict.items():
if stanza == user:
for key, val in settings.items():
if key == 'roles':
roles = val
# Get capabilities
for role in roles:
roleDict = en.getEntities('authorization/roles/%s' % (role),
count=-1,
sessionKey=session_key)
for stanza, settings in roleDict.items():
if stanza == role:
for key, val in settings.items():
if key == 'capabilities' or key == 'imported_capabilities':
capabilities.extend(val)
return capabilities
def getCapabilities4User(user=None, session_key=None):
roles = []
capabilities = []
## Get user info
if user is not None:
logger.info('Retrieving role(s) for current user: %s' % (user))
userDict = en.getEntities('authentication/users/%s' % (user), count=-1, sessionKey=session_key)
for stanza, settings in userDict.items():
if stanza == user:
for key, val in settings.items():
if key == 'roles':
logger.info('Successfully retrieved role(s) for user: %s' % (user))
roles = val
## Get capabilities
for role in roles:
logger.info('Retrieving capabilities for current user: %s' % (user))
roleDict = en.getEntities('authorization/roles/%s' % (role), count=-1, sessionKey=session_key)
for stanza, settings in roleDict.items():
if stanza == role:
for key, val in settings.items():
if key == 'capabilities' or key =='imported_capabilities':
logger.info('Successfully retrieved %s for user: %s' % (key, user))
capabilities.extend(val)
return capabilities
def get_firewall_credentials(session_key):
"""Given a splunk session_key returns a clear text user name
and password from a splunk password container"""
try:
# Get all credentials
logger.debug("Getting firewall credentials from Splunk")
entities = entity.getEntities(['admin', 'passwords'],
namespace=APPNAME, owner='nobody',
sessionKey=session_key)
accounts = entity.getEntities(['admin', 'Splunk_TA_paloalto_account'],
namespace=APPNAME, owner='nobody',
sessionKey=session_key)
except Exception as e:
exit_with_error("Could not get %s credentials from splunk. \
Error: %s" % (APPNAME, str(e)))
# Check for username and passwords
for i, c in accounts.items():
if i.lower() == 'firewall' or i.lower() == 'panorama':
username = accounts[i]['username']
for i, c in entities.items():
if c['username'] == 'Firewall``splunk_cred_sep``1':
logger.debug('Match found for firewall credentials')
clear_password = json.loads(c['clear_password'])
password = clear_password['password']
if username and password:
logger.debug('Credentials have been found')
return username, password
else:
raise NoCredentialsFound("No credentials have been found")
def getCapabilities4User(user=None, session_key=None):
"""
Get the capabilities for the given user.
"""
roles = []
capabilities = []
# Get user info
if user is not None:
logger.info('Retrieving role(s) for current user: %s' % (user))
userDict = entity.getEntities('authentication/users/%s' % (user), count=-1, sessionKey=session_key)
for stanza, settings in userDict.items():
if stanza == user:
for key, val in settings.items():
if key == 'roles':
logger.info('Successfully retrieved role(s) for user: %s' % (user))
roles = val
# Get capabilities
for role in roles:
logger.info('Retrieving capabilities for current user: %s' % (user))
roleDict = entity.getEntities('authorization/roles/%s' % (role), count=-1, sessionKey=session_key)
for stanza, settings in roleDict.items():
if stanza == role:
for key, val in settings.items():
if key == 'capabilities' or key =='imported_capabilities':
logger.info('Successfully retrieved %s for user: %s' % (key, user))
capabilities.extend(val)
return capabilities
def reloadConf(self, procInputs=[], scriptInputs=[]): for procInput in procInputs: en.getEntities( procInput, sessionKey = self.getSessionKey() ) #TODO: Handle restart of individual cripted for scriptInput in scriptInputs: en.getEntities( scriptInput, sessionKey = self.getSessionKey() )
def search(token, srch=None, sort='seed'):
if srch:
return entity.getEntities(ENTITY_PATH, namespace=APP_NAME,
owner='nobody', sessionKey=token,
sort_key=sort, search=srch)
else:
return entity.getEntities(ENTITY_PATH, namespace=APP_NAME,
owner='nobody', sessionKey=token,
sort_key=sort)
def search(token, srch=None, sort='seed'):
if srch:
return entity.getEntities(ENTITY_PATH,
namespace=APP_NAME,
owner='nobody',
sessionKey=token,
sort_key=sort,
search=srch)
else:
return entity.getEntities(ENTITY_PATH,
namespace=APP_NAME,
owner='nobody',
sessionKey=token,
sort_key=sort)
def getParsedView(self, namespace, refresh, rawxml, viewid, viewdigest):
with self.views_lock:
entry = self.digest_to_view_map.get(viewdigest)
if entry:
self.touchCacheEntry(viewdigest)
# Cache hit!
return entry
if len(rawxml) == 0:
# Only do a single viewstate GET for each batch of cache misses.
rawxml.update(en.getEntities(VIEW_ENTITY_CLASS,
namespace=namespace,
refresh=refresh,
count=-1))
parsed_view = None
try:
viewobj = rawxml.get(viewid)
if not viewobj:
# This view's digest appeared in an earlier GET, but it no
# longer exists now that we are trying to fetch its contents.
# It has probably been deleted or re-permissioned. Ignore it.
return None
native_view = viewconf.loads(viewobj.get('eai:data'), viewid, isStorm=splunk.util.normalizeBoolean(cherrypy.config.get('storm_enabled')))
parsed_view = self._generateViewRoster(viewid, native_view, viewobj.getFullPath())
with self.views_lock:
self.digest_to_view_map[viewdigest] = parsed_view
self.touchCacheEntry(viewdigest)
self.evictLeastRecentlyUsed()
logger.info('Populate cache for view "%s" (%s) with digest %s, making cache_size=%s' % (viewid, namespace, viewdigest, len(self.digest_to_view_map)))
except Exception, e:
logger.error('Error loading view "%s"' % viewid)
logger.exception(e)
def get_credentials(session_key, owner, namespace):
"""
:param session_key:
:return: AWS Keys
"""
import os, sys, logging as logger
logger.basicConfig(level=logger.INFO,
format='%(asctime)s %(levelname)s %(message)s',
filename=os.path.join(os.environ['SPLUNK_HOME'], 'var',
'log', 'splunk',
'trusted_advisor.log'),
filemode='a')
try:
# list all credentials
entities = entity.getEntities(['admin', 'passwords'],
namespace=namespace,
owner=owner,
sessionKey=session_key)
except Exception as unknown_exception:
raise Exception("Could not get %s credentials from splunk. Error: %s" %
("AWS_Trusted_Advisor", str(unknown_exception)))
# grab first set of credentials
if entities:
for i, stanza in entities.items():
if stanza['eai:acl']['app'] == namespace:
cred = json.loads(stanza['clear_password'])
return cred['aws_access_key'], cred['aws_secret_key']
else:
message = 'No credentials have been found. Please set them up in your AWS console.'
make_error_message(message, session_key, 'common.py')
sys.exit(0)
def get_wildfire_apikey(session_key):
"""Given a splunk session_key returns a clear
text API Key from a splunk password container"""
try:
logger.debug("Getting wildfire apikey from Splunk")
entities = entity.getEntities(['admin', 'passwords'],
namespace=APPNAME, owner='nobody',
sessionKey=session_key)
except Exception as e:
entities = {}
exit_with_error("Could not get %s credentials from splunk."
"Error: %s" % (APPNAME, str(e)))
try:
clear_password = json.loads(entities['__REST_CREDENTIAL__#Splunk_TA_paloalto#configs/conf-splunk_ta_paloalto_settings:additional_parameters``splunk_cred_sep``1:']['clear_password'])
api_key = clear_password['wildfire_api_key']
logger.debug('WildFire API key exists')
return api_key
except KeyError:
logger.info(
"There are Palo Alto Networks WildFire malware events, "
"but no WildFire API Key found, please set the API key "
"in the Splunk_TA_paloalto Add-on Configuration dashboard.")
exit_with_error("No WildFire API key is set, "
"set apikey in Add-on configuration.",
log_error=False,
log_traceback=False)
except (ValueError, TypeError):
exit_with_error("Problem getting WildFire API Key from JSON returned by Splunk password API")
def _set_user_directory(self, sessionKey, user, post_data):
logger.debug("START _set_user_directory()")
required = ['user_directory']
missing = [r for r in required if r not in post_data]
if missing:
return self.response("Missing required arguments: {}".format(missing), http.client.BAD_REQUEST)
user_directory = post_data.pop('user_directory')
if user_directory in [ 'both', 'builtin', 'alert_manager']:
logger.info("Set active user directory to {}".format(user_directory))
config = entity.getEntities('configs/alert_manager', count=-1, sessionKey=sessionKey)
settings = dict(config['settings'])
if 'eai:acl' in settings:
del settings['eai:acl']
settings['user_directories'] = user_directory
logger.debug("settings: {}".format(settings))
uri = '/servicesNS/nobody/alert_manager/admin/alert_manager/settings?{}'.format(urllib.parse.urlencode(settings))
serverResponse, serverContent = rest.simpleRequest(uri, sessionKey=sessionKey, method='POST')
logger.info("User Directory changed. Response: {}".format(serverResponse))
return self.response('User Directory successfully changed', http.client.OK)
else:
msg = 'Invalid user_directory parameter provided!'
logger.exception(msg)
return self.response(msg, http.client.INTERNAL_SERVER_ERROR)
def getIPSCredentials(sessionKey, host):
try:
#adding count='-1' as parameter per ADDON-3724
entities = entity.getEntities(['storage', 'passwords'],
namespace=APPNAME,
owner='nobody',
sessionKey=sessionKey,
count='-1')
except:
exception = traceback.format_exc()
exception = re.sub(r"[\r\n]+", " ", exception)
logger('Could not get IPS ' + host + ' credentials from splunk: ' +
exception)
time.sleep(300)
sys.exit()
for i, c in entities.items():
if c['realm'] == host:
return c['username'], c['clear_password']
logger('No credentials for IPS ' + host + ' were found!')
# This appears to sleep 5 minutes and then quit because it does sleep 5 minutes and then quit.
# ...Yet this script is called every 1 second IF it is not running, so this sleep actually
# delays the next instantiation by 5 minutes
time.sleep(300)
sys.exit()
def validateLocalClusterArgs(self, conf):
import util
uri = util.getProperty(self.callerArgs, 'uri', conf)
if not self._isLocalURI(uri):
raise HcException(HCERR0503, {
'name': 'uri',
'value': uri,
'accepted_values': 'file://<path>'
})
import os.path
if not os.path.isdir(uri[7:]):
raise HcException(HCERR0502, {
'name': 'uri',
'value': uri,
'error': 'path does not exist'
})
import splunk.entity as en
clusters = en.getEntities('admin/conf-clusters',
search='uri=file://*',
namespace=self.appName,
owner=self.userName,
sessionKey=self.getSessionKey())
for name, obj in clusters.items():
if name != self.callerArgs.id and obj['uri'].rstrip(
'/') == uri.rstrip('/'):
raise HcException(HCERR1515, {'path': uri, 'cluster': name})
def index(self, one, two, three=None, four=None, **kw):
'''Returns a list of entities assuming the standard entity paths, omitting the /services path prefix.'''
resp = []
try:
if 'owner' not in kw:
kw['owner'] = cherrypy.session['user'].get('name')
entity_path = '/'.join(
[seg for seg in [one, two, three, four] if seg is not None])
entities = entity.getEntities(
entity_path,
sessionKey=cherrypy.session['sessionKey'],
**entity.entityParams(**kw))
# This is set to support pagination in non search result lists.
# This same hack is used in JobManager, it should probably be removed by
# implementing a standard non-job entity, like an EntityContext to compliment
# the SearchContext. TODO: research this more.
cherrypy.response.headers[
'X-Splunk-List-Length'] = entities.totalResults
except (splunk.ResourceNotFound, splunk.RESTException), e:
logger.warn(
'Splunk could not find entities at "%s". Error message: %s' %
(entity_path, str(e)))
return resp
def get_credetials(self, username=None, app="-"):
if app in [None, '', '-']:
script_dir = os.path.dirname(os.path.abspath(__file__))
splunk_paths = self.give_splunk_paths(script_dir)
app = splunk_paths['app_name']
try:
# list all credentials available
entities = entity.getEntities(['admin', 'passwords'],
namespace=app,
owner='nobody',
sessionKey=self.sessionKey)
self.logger.debug("entities: " + str(entities))
except Exception:
self.logger.exception("Could not get " + str(app) +
" credentials from splunk.")
found = 0
# make a dict when the correct info is found
for i, c in entities.items():
if c['username'] == username:
credentials = {c['username']: c['clear_password']}
password = credentials[username]
found = 1
break
if found == 0:
password = "******"
return password
def run():
logger.debug("start running.")
config = get_config()
logger.debug("config = %s" % config)
try:
servers = en.getEntities(["admin","opcservers"], sessionKey=config["session_key"], hostPath=config["server_uri"])
logger.debug("servers = %s" % servers)
except Exception as ex:
logger.critical("%ss" % ex)
server = servers[config["server"]]
logger.debug("server = %s" % server)
opcserver = dict( dcomhost = server["dcomhost"], domain = server["domain"], user = server["user"], password = server["password"],
progid = server["progid"], clsid = server["clsid"])
measures = dict( items = config["measures"], duration = config["duration"],
polltime = config["polltime"], collector = config["collector"], writer = config["writer"], parameters = config.get("parameters", ""))
logger.debug("Measured server = %s." % opcserver)
logger.debug("Measuring the items = %s." % measures)
try:
msg = opc.runMeasure(opcserver, measures)
logger.debug("Measuring is done [%s]." % msg)
except Exception as ex:
logger.critical("Request error as ex = %s" % ex)
def get_app_credentials(self, session_key, owner, namespace):
"""
:param session_key:
:return: AWS Keys
"""
import os, sys, logging as logger
logger.basicConfig(level=logger.INFO,
format='%(asctime)s %(levelname)s %(message)s',
filename=os.path.join(
os.environ['SPLUNK_HOME'], 'var', 'log',
'splunk',
'ta_aws_surface_aws_surface_cloudtrail.log'),
filemode='a')
try:
# list all credentials
entities = entity.getEntities(['admin', 'passwords'],
namespace=namespace,
owner='-',
sessionKey=session_key,
count=0)
except Exception as unknown_exception:
raise Exception(
"Could not get %s credentials from splunk. Error: %s" %
("AWS_Trusted_Advisor", str(unknown_exception)))
# grab first set of credentials
if entities:
for i, stanza in entities.items():
if stanza['eai:acl']['app'] == namespace:
# cred = stanza['clear_password']
yield stanza
else:
message = 'No credentials have been found. Please set them up in your AWS console.'
logger.warning(message, session_key, 'common.py')
def get_credentials(app, session_key):
try:
# list all credentials
entities = en.getEntities(['admin', 'passwords'],
namespace=app,
owner='nobody',
sessionKey=session_key)
except Exception as e:
raise Exception("Could not get %s credentials from Splunk. Error: %s" %
(app, str(e)))
credentials = []
for id, c in list(entities.items()): # pylint: disable=unused-variable
# c.keys() = ['clear_password', 'password', 'username', 'realm', 'eai:acl', 'encr_password']
if c['eai:acl']['app'] == app:
credentials.append({
'realm': c["realm"],
'username': c["username"],
"password": c["clear_password"]
})
if len(credentials) > 0:
return credentials
else:
raise Exception("No credentials have been found")
def getCredentials(sessionKey):
myapp = 'BTHomeHub'
try:
# list all credentials
entities = entity.getEntities(['admin', 'passwords'], namespace=myapp, owner='nobody', sessionKey=sessionKey)
except Exception, e:
raise Exception("Could not get %s credentials from splunk. Error: %s" % (myapp, str(e)))
def getCredentials(sessionKey, host):
myapp = __file__.split(os.sep)[-3]
try:
# list all credentials
entities = entity.getEntities(['admin', 'passwords'], namespace=myapp, owner='nobody', sessionKey=sessionKey)
except Exception, e:
logging.error("Could not get %s credentials from splunk. Error: %s" % (myapp, str(e)))
def get_wildfire_apikey(session_key):
"""Given a splunk session_key returns a clear
text API Key from a splunk password container"""
try:
logger.debug("Getting wildfire apikey from Splunk")
entities = entity.getEntities(['admin', 'passwords'],
namespace=APPNAME,
owner='nobody',
sessionKey=session_key)
except Exception as e:
entities = {}
exit_with_error("Could not get %s credentials from splunk."
"Error: %s" % (APPNAME, str(e)))
try:
clear_password = json.loads(entities[
'__REST_CREDENTIAL__#Splunk_TA_paloalto#configs/conf-splunk_ta_paloalto_settings:additional_parameters``splunk_cred_sep``1:']
['clear_password'])
api_key = clear_password['wildfire_api_key']
logger.debug('WildFire API key exists')
return api_key
except KeyError:
logger.info(
"There are Palo Alto Networks WildFire malware events, "
"but no WildFire API Key found, please set the API key "
"in the Splunk_TA_paloalto Add-on Configuration dashboard.")
exit_with_error(
"No WildFire API key is set, "
"set apikey in Add-on configuration.",
log_error=False,
log_traceback=False)
except (ValueError, TypeError):
exit_with_error(
"Problem getting WildFire API Key from JSON returned by Splunk password API"
)
def get_wildfire_apikey(self):
"""Given a splunk session_key returns a clear
text API Key from a splunk password container"""
try:
self.logger.debug("Getting wildfire apikey from Splunk")
entities = entity.getEntities(['admin', 'passwords'],
namespace=self.APPNAME,
owner='nobody',
sessionKey=self.session_key)
except Exception as e:
self.exit_with_error("Could not get %s credentials from splunk. \
Error: %s" % (self.APPNAME, str(e)))
if ('__REST_CREDENTIAL__#Splunk_TA_paloalto#configs/conf-splunk_ta_paloalto_settings:additional_parameters``splunk_cred_sep``1:'
in entities):
clear_password = json.loads(entities[
'__REST_CREDENTIAL__#Splunk_TA_paloalto#configs/conf-splunk_ta_paloalto_settings:additional_parameters``splunk_cred_sep``1:']
['clear_password'])
if 'wildfire_api_key' in clear_password:
api_key = clear_password['wildfire_api_key']
self.logger.debug('Password exist')
return api_key
else:
self.exit_with_error("No Wildfire API key is set, "
"set apikey in App configuration.")
else:
self.logger.warn(
"There are Palo Alto Networks WildFire malware events, "
"but no WildFire API Key found, please set the API key "
"in the Splunk_TA_paloalto App set up page")
self.exit_with_error("No Wildfire API key is set, "
"set apikey in App configuration.")
def _validateURI(self, uri):
if len(self.clusters) == 0:
msg = None
#1. hit the clusters endpoint
import splunk.entity as entity
logger.error("Namespace: {}".format(self.namespace))
logger.error("Owner: {}".format(self.owner))
logger.error("sessionKey: {}".format(self.sessionKey))
logger.error("Splunk Debug is here first")
try:
self.clusters = entity.getEntities('admin/conf-clusters', namespace=self.namespace, owner=self.owner, sessionKey=self.sessionKey)
logger.error(self.clusters)
except Exception as e:
logger.exception('Failed to get entities admin/conf-clusters')
msg = str(e)
if isinstance(e, splunk.RESTException):
msg = e.get_extended_message_text()
if msg != None:
raise HcException(HCERR2002, {'entity_path':'admin/conf-clusters', 'search':'', 'uri':'', 'error':msg})
found = False
for name, cluster in self.clusters.items():
cluster_uri = cluster.get('uri', '')
if cluster_uri == '':
continue
if not uri.startswith(cluster_uri):
continue
found = True
break
if not found:
raise HcException(HCERR1005, {'uri':uri})
def get_data(self, eai_path, root, msg=None, **kwargs):
entity_path = eai_path
if len(root) > 0:
entity_path = '/'.join([eai_path, root])
try:
entities = en.getEntities(entity_path, sessionKey=cherrypy.session['sessionKey'], **kwargs)
except splunk.RESTException, e:
if e.statusCode == 401:
err = _('Client is not authenticated.')
return (None, (err,400))
elif e.statusCode == 403:
err = _('You are not authorized to perform this action.')
return (None, (err,400))
else:
err = _('Unable to open the selected path. Path doesn\'t exist or access is denied.')
if not msg and len(root)>0:
# return error and the root nodes
logger.warn('%s %s' % (err, e.get_extended_message_text()))
return self.get_data(eai_path, '', msg=err, **kwargs)
else:
# if root node can't be accessed, just display the message
return (None, err)
def load_protected_items_str(self, realms=None):
reload(entity)
storage = self.STORAGE_PATH
app = self.app_name
owner = self.STORAGE_OWNER
# BUG !
# если не задать search=, то вернутся записи от всех приложений, но расшифроваться не смогут и упадут
ee = entity.getEntities(storage,
search=None,
namespace=app,
owner=owner,
sessionKey=self.session_key)
result = []
for full_key, e in ee.items():
if realms is not None and e[self.ENTITY_FIELD_REALM] not in realms:
continue
if self.ENTITY_FIELD_REALM not in e.properties:
raise ProtectedStoreError(
'Password cant be decrypted (usually after splunk upgrade)'
)
item = {
'realm': e[self.ENTITY_FIELD_REALM],
'key': e[self.ENTITY_FIELD_KEY],
'value': e[self.ENTITY_FIELD_VALUE]
}
result.append(item)
return result
def getEntities(entityPath,
namespace=None,
owner=None,
sessionKey=None,
count=None,
offset=0,
hostPath=None,
available=True):
conns = en.getEntities(entityPath,
namespace=namespace,
owner=owner,
count=count,
offset=offset,
sessionKey=sessionKey,
hostPath=hostPath)
for name in conns:
params = conns[name].properties
if available:
for n, v in params.items():
if n in ["disabled"] or n.endswith(".disabled"):
if v in ["-1"] or util.normalizeBoolean(v):
del conns[name]
return conns
def set_user_directory(self, user_directory, **kwargs):
logger.info("Set active user directory to %s" % user_directory)
user = cherrypy.session['user']['name']
sessionKey = cherrypy.session.get('sessionKey')
config = entity.getEntities('configs/alert_manager',
count=-1,
sessionKey=sessionKey)
settings = dict(config['settings'])
if 'eai:acl' in settings:
del settings['eai:acl']
settings['user_directories'] = user_directory
logger.debug("settings: %s" % settings)
uri = '/servicesNS/nobody/alert_manager/admin/alert_manager/settings?%s' % urllib.urlencode(
settings)
serverResponse, serverContent = rest.simpleRequest(
uri, sessionKey=sessionKey, method='POST')
logger.debug("Active directory changed. Response: %s" % serverResponse)
return 'Ok'
def get_credential(self, username):
'''
Searches passwords using username and returns tuple of username and password if credentials are found else tuple of empty string
:param username: Username used to search credentials.
:return: username, password
'''
# list all credentials
entities = entity.getEntities(["admin", "passwords"],
search=APP_NAME,
count=-1,
namespace=APP_NAME,
owner="nobody",
sessionKey=self.session_key)
# return first set of credentials
for _, value in list(entities.items()):
# if str(value["eai:acl"]["app"]) == APP_NAME and value["username"] == username:
if value['username'].partition(
'`')[0] == username and not value.get(
'clear_password', '`').startswith('`'):
try:
return json.loads(
value.get('clear_password', '{}').replace("'", '"'))
except:
return value.get('clear_password', '')
def get_proxies(session_key):
import splunk.entity as entity
util_logger.debug("Getting proxy settings")
myapp = 'pyden-manager'
user = ""
password = ""
util_logger.debug("Getting proxy password")
try:
entities = entity.getEntities(['admin', 'passwords'],
namespace=myapp,
owner='nobody',
sessionKey=session_key)
except Exception as e:
util_logger.error("Could not obtain proxy credentials")
raise Exception("Could not get %s credentials from splunk. Error: %s" %
(myapp, str(e)))
for i, c in entities.items():
user, password = c['username'], c['clear_password']
auth = "%s:%s@" % (user, password) if user else ""
proxy = load_pyden_config()[0].get('appsettings', 'proxy')
proxies = {
"http": "http://%s%s/" % (auth, proxy),
"https": "https://%s%s/" % (auth, proxy)
} if proxy else {}
return proxies
def getExistingExtractions(self, constraint=None):
search = "type=inline"
if constraint != None:
search = "%s AND %s" % (search, constraint)
entities = en.getEntities('data/props/extractions', namespace=self._namespace, owner=self._owner,
search=search, count=-1, sessionKey=self._sessionKey)
return entities
def get(view, viewstate_id, namespace, owner):
'''
Returns a viewstate object that defines a param set
'''
logger.debug('get - view=%s viewstate_id=%s namespace=%s owner=%s' %
(view, viewstate_id, namespace, owner))
altView = view
# empty viewstate means default sticky state
if viewstate_id == None:
viewstate_id = CURRENT_VIEWSTATE_KEY
# otherwise check if viewstate is absolute
else:
altView, viewstate_id = parseViewstateHash(viewstate_id)
logger.debug("Found altView: %s viewstate_id: %s" %
(altView, viewstate_id))
# construct proper stanza search string
if altView == None:
stanzaSearch = buildStanzaName(view, viewstate_id)
else:
# altView can only be None if a viewstate_id was defined
# but no view was found when parseViewstateHash was run,
# thus we almost always get here.
stanzaSearch = buildStanzaName(altView, viewstate_id)
# 1) Two part strategy, first try to get the viewstate by name. This usually works.
# 2) If nothing is returned, run the search in case a generic viewstate
# is provided.
#
# This turns 1 request into 2 in some edge cases but for 90% of the issues I found
# it eliminated the slower search requests viewstate was previously making.
try:
matchingStanzas = en.getEntities('/'.join(
[VIEWSTATE_ENTITY_CLASS, stanzaSearch]),
namespace=namespace,
owner=owner)
except splunk.ResourceNotFound, e:
matchingStanzas = en.getEntities(VIEWSTATE_ENTITY_CLASS,
namespace=namespace,
owner=owner,
search="name=%s" % stanzaSearch)
def getExistingExtractions(self, constraint=None):
search = "type=inline"
if constraint != None:
search = "%s AND %s" % (search, constraint)
entities = en.getEntities('data/props/extractions', namespace=self._namespace, owner=self._owner,
search=search, count=-1, sessionKey=self._sessionKey)
return entities
def getCredentials(sessionKey):
myapp = 'tanium'
try:
# list all credentials
entities = entity.getEntities(['admin', 'passwords'], namespace=myapp,
owner='nobody', sessionKey=sessionKey)
except Exception, e:
raise Exception("Could not get %s credentials from splunk. Error: %s" % (myapp, str(e)))
def getCredentials():
myapp = 'GoogleGeoCode'
entities = entity.getEntities(['admin','passwords'], namespace=myapp, owner='nobody',sessionKey=sessionKey)
# return first set of credentials
for i,c in entities.items():
username=c['username']
password=c['clear_password']
return password
def _config_dict(session_key, attempt=0):
"""
:param session_key: A session key for calls to Splunk functions.
:param attempt: The number of the attempt to get the dictionary.
Defaults to 0.
:return: A dictionary containing Splunk config info.
"""
if attempt > 19 or not session_key:
return {}
try:
# list all credentials
password_entities = entity.getEntities(['admin', 'passwords'], namespace='code42',
owner='nobody', sessionKey=session_key)
config_console_entities = entity.getEntities(['code42', 'config', 'console'], namespace='code42',
owner='nobody', sessionKey=session_key)
config_script_entities = entity.getEntities(['code42', 'config', 'script'], namespace='code42',
owner='nobody', sessionKey=session_key)
except Exception as exception:
raise Exception("Could not get code42 credentials from splunk. Error: %s" % (str(exception)))
config = {}
try:
result = [item for _, item in password_entities.items() if 'username' in item and 'clear_password' in item][0]
config['username'] = result['username']
config['password'] = result['clear_password']
result = [item for _, item in config_console_entities.items() if 'hostname' in item and 'port' in item][0]
config['hostname'] = result['hostname']
config['port'] = result['port']
config['verify_ssl'] = result['verify_ssl'] == 'true'
config['collect_analytics'] = result['collect_analytics'] == 'true'
result = [item for _, item in config_script_entities.items() if 'devices' in item][0]
config['devices'] = result['devices']
except IndexError:
pass
keys = ['username', 'password', 'hostname', 'verify_ssl', 'port', 'devices']
all_in_config = all([(key in config) for key in keys])
if not all_in_config:
time.sleep(1)
return _config_dict(session_key, attempt + 1)
else:
return config
def load_db(config):
ents = en.getEntities(["admin","conf-inputs"], namespace="splunk-demo-opcda", owner="nobody", sessionKey=config["session_key"], hostPath=config["server_uri"])
# logger.debug("%s" % ents)
for dbn, dbv in [(n, v) for n, v in ents.items() if n.startswith("database://")]:
name = dbn.replace("database://", "")
logger.debug("name=%s" % name)
logger.debug("values=%s" % dbv)
jdbc.updateDatabase(name, dbv["dburl"], dbv["jdbcdriver"], dbv["user"], dbv["password"], dbv["parameters"])
def execute():
import crawl_factory
results = []
try:
args = { 'add-all':'fail'} ## 'name':'file_crawler'}
keywords, options = splunk.Intersplunk.getKeywordsAndOptions()
args.update(options)
results,dummyresults,settings = splunk.Intersplunk.getOrganizedResults()
results = [] # we don't care about incoming results
sessionKey = settings.get("sessionKey", None)
owner = settings.get("owner", None)
namespace = settings.get("namespace", None)
########TEST#####################
# sessionKey = splunk.auth.getSessionKey('admin', 'changeme')
########TEST####################
mgr = CrawlerManager(sessionKey, owner, namespace, args)
if len(keywords) == 0:
logger.warn("No crawl type specified. Defaulting to crawling 'files'.")
keywords = ["files"]
# name = args['name']
# add crawler for each keyword
for name in keywords:
crawler = crawl_factory.getCrawler(name, mgr, args)
if crawler == None:
splunk.Intersplunk.generateErrorResults("Unknown crawler '%s'. Legal values are: %s" % (name, crawl_factory.getCrawlerNames()))
return
mgr.addCrawler(crawler)
# do crawl
actions = mgr.execute()
monitors = en.getEntities('/data/inputs/monitor', sessionKey=sessionKey, owner=owner, namespace=namespace)
# convert actions to results -- just a dictionary of attributes
for action in actions:
result = action.getAttrs()
status = "not_added"
try:
if not action.valid(sessionKey, owner, namespace, monitors):
status = "added"
except:
status = "unknown"
result['status'] = status
results.append(result)
# outputresults
splunk.Intersplunk.outputResults(results)
except Exception, e:
import traceback
stack = traceback.format_exc()
splunk.Intersplunk.generateErrorResults(str(e))
logger.error(str(e) + ". Traceback: " + str(stack))
def _buildConfDict(self):
"""Build configuration dictionary that we will use """
if self.splunkEmbedded and not STANDALONE:
self.logger.info('Retrieving eventgen configurations from /configs/eventgen')
self._confDict = entity.getEntities('configs/eventgen', count=-1, sessionKey=self.sessionKey)
else:
self.logger.info('Retrieving eventgen configurations with ConfigParser()')
# We assume we're in a bin directory and that there are default and local directories
conf = ConfigParser()
# Make case sensitive
conf.optionxform = str
currentdir = os.getcwd()
# If we're running standalone (and thusly using configParser)
# only pick up eventgen-standalone.conf.
conffiles = [ ]
if len(sys.argv) > 1:
if len(sys.argv[1]) > 0:
if os.path.exists(sys.argv[1]):
conffiles = [os.path.join(self.grandparentdir, 'default', 'eventgen.conf'),
sys.argv[1]]
if len(conffiles) == 0:
conffiles = [os.path.join(self.grandparentdir, 'default', 'eventgen.conf'),
os.path.join(self.grandparentdir, 'local', 'eventgen.conf')]
self.logger.debug('Reading configuration files for non-splunkembedded: %s' % conffiles)
conf.read(conffiles)
sections = conf.sections()
ret = { }
orig = { }
for section in sections:
ret[section] = dict(conf.items(section))
# For compatibility with Splunk's configs, need to add the app name to an eai:acl key
ret[section]['eai:acl'] = { 'app': self.grandparentdir.split(os.sep)[-1] }
# orig[section] = dict(conf.items(section))
# ret[section] = { }
# for item in orig[section]:
# results = re.match('(token\.\d+)\.(\w+)', item)
# if results != None:
# ret[section][item] = orig[section][item]
# else:
# if item.lower() in [x.lower() for x in self._validSettings]:
# newitem = self._validSettings[[x.lower() for x in self._validSettings].index(item.lower())]
# ret[section][newitem] = orig[section][item]
self._confDict = ret
# Have to look in the data structure before normalization between what Splunk returns
# versus what ConfigParser returns.
logobj = logging.getLogger('eventgen')
if self._confDict['global']['debug'].lower() == 'true' \
or self._confDict['global']['debug'].lower() == '1':
logobj.setLevel(logging.DEBUG)
if self._confDict['global']['verbose'].lower() == 'true' \
or self._confDict['global']['verbose'].lower() == '1':
logobj.setLevel(logging.DEBUGV)
self.logger.debug("ConfDict returned %s" % pprint.pformat(dict(self._confDict)))
def get_firewall_apikey(session_key):
"""Given a splunk session_key returns a clear text API Key from a splunk password container"""
try:
entities = entity.getEntities(['admin', 'passwords'], namespace=APPNAME, owner='nobody', sessionKey=session_key)
except Exception as e:
exit_with_error("Could not get %s credentials from splunk. Error: %s" % (APPNAME, str(e)))
for i, c in entities.items():
if c['username'] == 'firewall_api_key':
return c['clear_password']
raise NoCredentialsFound
def execute():
results = []
try:
results, dummyresults, settings = si.getOrganizedResults()
# default values
args = {"namespace": "search"}
# get commandline args
keywords, options = si.getKeywordsAndOptions()
# override default args with settings from search kernel
args.update(settings)
# override default args with commandline args
args.update(options)
sessionKey = args.get("sessionKey", None)
owner = args.get("owner", "admin")
namespace = args.get("namespace", None)
if namespace.lower() == "none":
namespace = None
messages = {}
if sessionKey == None:
# this shouldn't happen, but it's useful for testing.
try:
sessionKey = sa.getSessionKey("admin", "changeme")
si.addWarnMessage(
messages, "No session given to 'tune' command. Using default admin account and password."
)
except splunk.AuthenticationFailed, e:
si.addErrorMessage(messages, "No session given to 'tune' command.")
return
if len(keywords) != 1:
usage()
# e.g., '/data/inputs/monitor'
entity = keywords[0]
logger.info("Entity: %s Args: %s" % (entity, args))
results = [] # we don't care about incoming results
try:
entitys = en.getEntities(entity, sessionKey=sessionKey, owner=owner, namespace=namespace, count=-1)
for name, entity in entitys.items():
try:
myapp = entity["eai:acl"]["app"]
if namespace != None and myapp != namespace:
continue
except:
continue # if no eai:acl/app, filter out
result = entityToResult(name, entity)
results.append(result)
except splunk.ResourceNotFound, e2:
pass
def save_risks(self, contents, **kwargs):
logger.info("Saving risks...")
user = cherrypy.session['user']['name']
sessionKey = cherrypy.session.get('sessionKey')
splunk.setDefault('sessionKey', sessionKey)
config = {}
config['index'] = 'risks'
restconfig = entity.getEntities('configs/risk_manager', count=-1, sessionKey=sessionKey)
if len(restconfig) > 0:
if 'index' in restconfig['settings']:
config['index'] = restconfig['settings']['index']
logger.debug("Global settings: %s" % config)
# Parse the JSON
parsed_contents = json.loads(contents)
logger.debug("Contents: %s" % contents)
for entry in parsed_contents:
if '_key' in entry and entry['_key'] != None:
uri = '/servicesNS/nobody/risk_manager/storage/collections/data/risks/' + entry['_key']
# Get current risk
serverResponse, risk = rest.simpleRequest(uri, sessionKey=sessionKey)
logger.debug("Current risk: %s" % risk)
risk = json.loads(risk)
# Update risk if score has changed
if int(risk['risk_score']) != int(entry['risk_score']):
logger.info("Updating risk_object_type=%s risk_object=%s to score=%s." % (entry['risk_object_type'], entry['risk_object'], entry['risk_score']))
del entry['_key']
if 'risk_id' in risk:
entry['risk_id'] = risk['risk_id']
else:
entry['risk_id'] = str(uuid.uuid4())
risk['risk_id'] = entry['risk_id']
entryStr = json.dumps(entry)
serverResponse, serverContent = rest.simpleRequest(uri, sessionKey=sessionKey, jsonargs=entryStr)
logger.debug("Updated entry. serverResponse was ok")
now = datetime.datetime.now().isoformat()
event = 'time="%s" risk_id="%s" action="update_risk_score" alert="Risk Score Tuner" user="******" risk_object_type="%s" risk_object="%s" risk_score="%s" previous_risk_score="%s"' % (now, risk['risk_id'], user, entry['risk_object_type'], entry['risk_object'], entry['risk_score'], risk['risk_score'])
logger.debug("Event will be: %s" % event)
input.submit(event, hostname = socket.gethostname(), sourcetype = 'risk_scoring', source = 'helpers.py', index = config['index'])
else:
logger.info("Won't update risk_object_type=%s risk_object=%s, since score didn't change." % (entry['risk_object_type'], entry['risk_object']))
return 'Done'
def getWildFireAPIKey(sessionKey):
'''Given a splunk sesionKey returns a clear text API Key from a splunk password container'''
# this is the folder name for the app and not the app's common name
myapp = 'SplunkforPaloAltoNetworks'
try:
entities = entity.getEntities(['admin', 'passwords'], namespace=myapp, owner='nobody', sessionKey=sessionKey)
except Exception, e:
stack = traceback.format_exc()
logger.warn(stack)
logger.warn("entity exception")
raise Exception("Could not get %s credentials from splunk. Error: %s" % (myapp, str(e)))
def all(self):
app, user = self._namespace_and_owner()
return en.getEntities(self._endpoint,
namespace=app,
owner=user,
sessionKey=self.getSessionKey(),
count=self.maxCount+self.posOffset,
sort_key=self.sortByKey,
sort_dir=self.getSortDir(),
offset=self.posOffset)
def _write_log_entry(self, sessionKey, user, post_data):
logger.debug("START _write_log_entry()")
required = ['incident_id', 'log_action', 'origin']
missing = [r for r in required if r not in post_data]
if missing:
return self.response("Missing required arguments: %s" % missing, httplib.BAD_REQUEST)
incident_id = post_data.pop('incident_id')
log_action = post_data.pop('log_action')
comment = post_data.get('comment', '')
origin = post_data.get('origin', '')
severity = post_data.get('severity', 'INFO')
owner = post_data.get('owner', '')
previous_owner = post_data.get('previous_owner', '')
status = post_data.get('status', '')
previous_status = post_data.get('status', '')
job_id = post_data.get('job_id', '')
result_id = post_data.get('result_id', '')
now = datetime.datetime.now().isoformat()
# Get Index
config = {}
config['index'] = 'main'
restconfig = entity.getEntities('configs/alert_manager', count=-1, sessionKey=sessionKey)
if len(restconfig) > 0:
if 'index' in restconfig['settings']:
config['index'] = restconfig['settings']['index']
comment = comment.replace('\n', '<br />').replace('\r', '')
event_id = hashlib.md5(incident_id + now).hexdigest()
event = ''
if (log_action == "comment"):
event = 'time=%s severity="%s" origin="%s" event_id="%s" user="******" action="comment" incident_id="%s" comment="%s"' % (now, severity, origin, event_id, user, incident_id, comment)
elif (log_action == "change"):
event = 'time=%s severity="%s" origin="%s" event_id="%s" user="******" action="comment" incident_id="%s" job_id="%s" result_id="%s" status="%s" previous_status="%s"' % (now, severity, origin, event_id, user, incident_id, job_id, result_id, status, previous_status)
logger.debug("Event will be: %s" % event)
event = event.encode('utf8')
try:
splunk.setDefault('sessionKey', sessionKey)
input.submit(event, hostname = socket.gethostname(), sourcetype = 'incident_change', source = 'helper.py', index = config['index'])
return self.response('Action logged', httplib.OK)
except Exception as e:
msg = 'Unhandled Exception: {}'.format(str(e))
logger.exception(msg)
return self.response(msg, httplib.INTERNAL_SERVER_ERROR)
def all(self):
return en.getEntities(
self._endpoint,
namespace="-",
owner="-",
sessionKey=self.getSessionKey(),
count=self.maxCount + self.posOffset,
sort_key=self.sortByKey,
sort_dir=self.getSortDir(),
offset=self.posOffset,
)
def _getAllAppData(self):
output = {}
try:
# don't need to worry about dict vs list here since the names of apps should be unique
apps = en.getEntities('apps/local', search=['disabled=false','visible=true'], count=-1, namespace="-")
for key, app in apps.iteritems():
output[key] = {}
output[key]['label'] = _(app.get('label',''))
except splunk.ResourceNotFound:
logger.error("Unable to retrieve apps/local/-")
return output
def getCredentials(self,sessionKey):
"""
Splunk provided code for grabbing username/passwords during setup.
"""
myapp = 'pulse_for_aws_cloudwatch'
try:
# list all credentials
entities = entity.getEntities(['admin', 'passwords'], namespace=myapp,
owner='nobody', sessionKey=sessionKey)
except Exception, e:
raise Exception("Could not get %s credentials from splunk. Error: %s"
% (myapp, str(e)))
def get_firewall_credentials(session_key):
"""Given a splunk session_key returns a clear text user name and password from a splunk password container"""
try:
# Get all credentials
logger.debug("Getting firewall credentials from Splunk")
entities = entity.getEntities(['admin', 'passwords'], namespace=APPNAME, owner='nobody', sessionKey=session_key)
except Exception as e:
exit_with_error("Could not get %s credentials from splunk. Error: %s" % (APPNAME, str(e)))
# return first set of credentials
for i, c in entities.items():
if c['username'] != 'wildfire_api_key':
return c['username'], c['clear_password']
raise NoCredentialsFound("No credentials have been found")
def get_wildfire_apikey(session_key):
"""Given a splunk session_key returns a clear text API Key from a splunk password container"""
try:
entities = entity.getEntities(['admin', 'passwords'], namespace=APPNAME, owner='nobody', sessionKey=session_key)
except Exception as e:
exit_with_error("Could not get %s credentials from splunk. Error: %s" % (APPNAME, str(e)))
# return first set of credentials
for i, c in entities.items():
if c['username'] == 'wildfire_api_key':
return c['clear_password']
logger.warn(
"There are Palo Alto Networks WildFire malware events, but no WildFire API Key found, please set the API key in the SplunkforPaloAltoNetworks App set up page")
exit_with_error("No Wildfire API key is set, set apikey in App configuration.")
def handleList(self, confInfo):
ent = en.getEntities(ENDPOINT, namespace=self.appName, owner=self.userName, sessionKey=self.getSessionKey())
for name, obj in ent.items():
confItem = confInfo[name]
for key, val in obj.items():
confItem[key] = str(val)
acl = {}
for k, v in obj[admin.EAI_ENTRY_ACL].items():
if None != v:
acl[k] = v
confItem.setMetadata(admin.EAI_ENTRY_ACL, acl)
def get(view, viewstate_id, namespace, owner):
'''
Returns a viewstate object that defines a param set
'''
logger.debug('get - view=%s viewstate_id=%s namespace=%s owner=%s' % (view, viewstate_id, namespace, owner))
altView = view
# empty viewstate means default sticky state
if viewstate_id == None:
viewstate_id = CURRENT_VIEWSTATE_KEY
# otherwise check if viewstate is absolute
else:
altView, viewstate_id = parseViewstateHash(viewstate_id)
logger.debug("Found altView: %s viewstate_id: %s" % (altView, viewstate_id))
# construct proper stanza search string
if altView == None:
stanzaSearch = buildStanzaName(view, viewstate_id)
else:
# altView can only be None if a viewstate_id was defined
# but no view was found when parseViewstateHash was run,
# thus we almost always get here.
stanzaSearch = buildStanzaName(altView, viewstate_id)
# 1) Two part strategy, first try to get the viewstate by name. This usually works.
# 2) If nothing is returned, run the search in case a generic viewstate
# is provided.
#
# This turns 1 request into 2 in some edge cases but for 90% of the issues I found
# it eliminated the slower search requests viewstate was previously making.
try:
matchingStanzas = en.getEntities('/'.join([VIEWSTATE_ENTITY_CLASS, stanzaSearch]), namespace=namespace, owner=owner)
except splunk.ResourceNotFound, e:
matchingStanzas = en.getEntities(VIEWSTATE_ENTITY_CLASS, namespace=namespace, owner=owner, search="name=%s" % stanzaSearch)
def readConfCtx(self, confName):
"""
This version of readConf should only be used when you're sure there's an
appropriate handler for it. Basically, something at /configs/conf-<name>.
"""
app = self.context != CONTEXT_NONE and self.appName or "-"
user = self.context == CONTEXT_APP_AND_USER and self.userName or "-"
retDict = {}
path = "configs/conf-%s" % confName
thing=en.getEntities(path, sessionKey=self.getSessionKey(), namespace=app, owner=user, count=-1)
for s in thing:
retDict[s] = {}
retDict[s].update(thing[s].items())
return retDict
def getIPSCredentials(sessionKey,host):
try:
entities = entity.getEntities(['storage', 'passwords'], namespace=APPNAME, owner='nobody', sessionKey=sessionKey)
except:
exception = traceback.format_exc().splitlines()[-1]
logger('Could not get IPS ' + host + ' credentials from splunk: ' + exception)
time.sleep(300)
sys.exit()
for i, c in entities.items():
if c['realm'] == host:
return c['username'], c['clear_password']
logger('No credentials for IPS ' + host + ' were found!')
time.sleep(300)
sys.exit()
def getPassword(self, sessionkey):
import splunk.entity as entity
import urllib
if len(sessionkey) == 0:
raise Exception, "No session key provided"
if len(self.username) == 0:
raise Exception, "No username provided"
if len(self.app) == 0:
raise Exception, "No app provided"
try:
# list all credentials
entities = entity.getEntities(['admin', 'passwords'], namespace=self.app, owner='nobody', sessionKey=sessionkey)
except Exception, e:
raise Exception, "Could not get %s credentials from splunk. Error: %s" % (self.app, str(e))
