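def ossec_get_check(system_ip, check_type, agent_ip="", agent_name=""):
    """Run an OSSEC check on a sensor through ``ossec_check.sh`` and return its result.

    Args:
        system_ip (str): IP of the sensor where the script is executed.
        check_type (str): ``"lastip"`` (last IP seen for an agent name) or
            ``"lastscan"`` (last syscheck/rootcheck start times for an agent IP).
        agent_ip (str): Agent IP; required and validated for ``"lastscan"``.
        agent_name (str): Agent name; required and validated for ``"lastip"``.

    Returns:
        (bool, data): ``(True, data)`` on success. For ``"lastip"`` *data* is the
        IP string (``""`` when the agent was not found); for ``"lastscan"`` it is
        ``{'syscheck': epoch, 'rootcheck': epoch}`` with ``""`` for unknown
        values. ``(False, msg)`` on validation or execution errors.
    """
    if check_type not in ("lastip", "lastscan"):
        # The message lists the values the check above really accepts.
        return False, "Invalid check type. Allowed values are [lastip, lastscan]"

    if check_type == "lastip":
        # agent_name is interpolated into a shell command line, so the
        # allowlist must cover the whole string: anchoring with ^...$ rejects
        # a valid prefix followed by shell metacharacters.
        if re.match(r"^[a-zA-Z0-9_\-\(\)]+$", agent_name) is None:
            return False, r"Invalid agent name. Allowed characters are [^a-zA-Z0-9_\-()]+"
        script_second_parameter = agent_name
    else:
        if not is_valid_ipv4(agent_ip):
            return False, "Invalid ossec agent ip. Allowed format is: xxx.yyy.zzz.ddd"
        script_second_parameter = agent_ip

    try:
        ok, payload = _ossec_check_run(system_ip, check_type, script_second_parameter)
        if not ok:
            return False, payload
        if check_type == "lastscan":
            lines = payload.split("\n")
            if len(lines) != 2:  # IP not found: the script does not print the two scan lines
                return True, {'syscheck': '', 'rootcheck': ''}
            data = {
                'syscheck': _ossec_scan_start_time(lines[0]),
                'rootcheck': _ossec_scan_start_time(lines[1]),
            }
        else:
            if not is_valid_ipv4(payload):  # IP not found
                return True, ""
            data = payload
    except Exception as err:
        return False, "[ossec_get_check] Something wrong happened while running ansible command ->  '%s'" % str(err)
    return True, data


def _ossec_check_run(system_ip, check_name, parameter):
    """Run ``ossec_check.sh <check_name> <parameter>`` on *system_ip*.

    Returns ``(True, stdout)`` when ansible answered and the script exited 0,
    otherwise ``(False, error_message)``. *parameter* must already be validated
    by the caller; it is placed on the shell command line as-is.
    """
    command = "/usr/share/ossim/scripts/ossec_check.sh %s %s" % (check_name, parameter)
    response = _ansible.run_module(host_list=[system_ip], module="shell", args=command, use_sudo=True)
    result, msg = ansible_is_valid_response(system_ip, response)
    if not result:
        return False, msg
    script_return_code = int(response['contacted'][system_ip]['rc'])
    if script_return_code != 0:
        return False, "[ossec_get_check] Something wrong happened while running ansible command ->'%s'" % str(response)
    return True, response['contacted'][system_ip]['stdout']


def _ossec_scan_start_time(line):
    """Return the 10-digit start epoch of an OSSEC scan log line, or ``""`` if it does not match."""
    matched = re.match(r"!(?P<start_time>\d{10})!(?P<end_time>\d{10}) Starting \S+ scan.", line)
    if matched is None:
        return ""
    return matched.group('start_time')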
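def ossec_create_preconfigured_agent(sensor_ip,
                                     agent_id,
                                     agent_type="windows",
                                     destination_path=""):
    """Generate a preconfigured OSSEC agent installer on a sensor and fetch it locally.

    :param sensor_ip: IP of the sensor where the installer is generated
    :param agent_id: Agent id (1-4 digits), already registered on the ossec server
    :param agent_type: ``"unix"`` or ``"windows"``; only windows installers are
                       produced by ossec-download-agent.sh
    :param destination_path: Existing local directory the installer is copied into
    :return: ``(True, local_installer_path)`` or ``(False, error_message)``
    """
    if agent_type not in ("unix", "windows"):
        return False, "Invalid agent type. Allowed values are [unix, windows]"
    # agent_id goes onto a shell command line; the digits-only allowlist is
    # what keeps that safe. str() so a numeric id does not make re.match raise.
    if re.match(r"^[0-9]{1,4}$", str(agent_id)) is None:
        return False, "Invalid agent ID. The agent ID has to be 1-4 digital characters"
    # destination_path ends up inside an ansible "key=value" argument string,
    # where whitespace would start another key; reject it before any remote work.
    if not destination_path or any(ch.isspace() for ch in destination_path):
        return False, "Invalid destination folder"
    if not os.path.exists(destination_path):
        return False, "Destination folder doesn't exists"
    # fetch with flat=yes appends the source basename only when dest ends with
    # a separator; normalise so the returned path is where the file really lands.
    dest_dir = os.path.join(destination_path, "")

    try:
        command = "/usr/share/ossim/scripts/ossec-download-agent.sh  %s %s" % (
            agent_id, agent_type)
        response = _ansible.run_module(host_list=[sensor_ip],
                                       module="shell",
                                       args=command,
                                       use_sudo=True)
        result, msg = ansible_is_valid_response(sensor_ip, response)
        if not result:
            return False, msg
        script_return_code = int(response['contacted'][sensor_ip]['rc'])
        script_stdout = response['contacted'][sensor_ip]['stdout']
        if script_return_code != 0:
            return False, "An error occurred while generating the ossec agent. Script return code is %s. Output: %s" % (
                script_return_code, script_stdout)
        # unix agent generation is not available; the script is expected to fail
        # before this point, so never fetch an empty src path.
        if agent_type != "windows":
            return False, "An error occurred while generating the ossec agent. Unsupported agent type: %s" % agent_type
        generated_agent_path = "/usr/share/ossec-generator/agents/ossec_installer_%s.exe" % agent_id
        # Copy the remote binary to the local system.
        response = _ansible.run_module(
            host_list=[sensor_ip],
            module="fetch",
            args="dest=%s src=%s flat=yes" %
            (dest_dir, generated_agent_path),
            use_sudo=True)
        result, msg = ansible_is_valid_response(sensor_ip, response)
        if not result:
            return False, "Something wrong happen while fetching the file %s" % msg
    except Exception as err:
        return False, "An error occurred while generating the ossec agent. %s" % str(
            err)
    return True, "%sossec_installer_%s.exe" % (dest_dir, agent_id)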
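def system_reboot_needed(system_ip):
    """
    Check if the system needs to be rebooted after an update.

    Args:
    system_ip (str): The system ip where the procedure must be run

    Returns:
    (bool, data): (True, data) where data is the av_system_reboot_needed
    module's 'data' field, or (False, error_message).
    """
    # Check parameters
    if not system_ip:
        return False, "[system_reboot_needed] Invalid parameters"

    response = ansible.run_module(host_list=[system_ip],
                                  module="av_system_reboot_needed",
                                  use_sudo=True,
                                  args={})
    success, msg = ansible_is_valid_response(system_ip, response)
    if not success:
        return False, "[system_reboot_needed] Something went wrong: %s" % msg

    try:
        needs_reboot = response['contacted'][system_ip]['data']
    except Exception as e:
        return False, "[system_reboot_needed] Something went wrong: %s" % str(
            e)
    # The original fell off the end here and returned None on success.
    return True, needs_reboot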
def ansible_launch_compliance_procedure(system_ip):
    """Trigger the ``compliance_aggregate()`` stored procedure on a remote ossim-db.

    Args:
        system_ip (str): IP of the system where the procedure is run.

    Returns:
        (bool, str): ``(True, msg)`` when the procedure was launched and wrote
        nothing to stderr; ``(False, msg)`` otherwise.
    """
    if not system_ip:
        return False, "[ansible_launch_compliance_procedure] Invalid parameters"

    # The SQL is a fixed literal: nothing caller-controlled reaches the shell line.
    query_cmd = "echo 'CALL compliance_aggregate();' | /usr/bin/ossim-db"
    response = ansible.run_module(host_list=[system_ip],
                                  module="shell",
                                  use_sudo=True,
                                  args=query_cmd)
    success, msg = ansible_is_valid_response(system_ip, response)
    if not success:
        return False, "[ansible_launch_compliance_procedure] Failed to launch compliance procedure: %s" % msg

    stderr_text = response['contacted'][system_ip]['stderr']
    if stderr_text:
        return False, "[ansible_launch_compliance_procedure] Error in compliance procedure: %s" % stderr_text
    return True, "[ansible_launch_compliance_procedure] Compliance procedure launch OK"
def ansible_download_release_info(system_ip):
    """Fetch the AlienVault ``release_info`` file onto *system_ip*.

    Uses ansible's ``get_url`` module with ``force=yes``, so an existing copy
    under ``/var/alienvault`` is overwritten.

    Args:
        system_ip (str): IP of the host that performs the download.

    Returns:
        (bool, str): ``ansible_is_valid_response``'s verdict; on success *msg*
        is the ``get_url`` module's own message.
    """
    release_url = "http://data.alienvault.com/alienvault5/RELEASES/release_info"
    # NOTE(review): the URL is plain http, so the transport gives no integrity
    # guarantee for the downloaded file; nothing here verifies its content.
    module_args = "url=%s dest=/var/alienvault force=yes" % release_url
    try:
        response = ansible.run_module(host_list=[system_ip],
                                      module="get_url",
                                      use_sudo=True,
                                      args=module_args)
        success, msg = ansible_is_valid_response(system_ip, response)
        if success:
            msg = response['contacted'][system_ip]['msg']
    except Exception as err:
        error_msg = ("[ansible_download_release_info] An error occurred "
                     "while retrieving the release info <%s>" % str(err))
        api_log.error(error_msg)
        return False, error_msg
    return success, msg
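def ansible_get_update_info(system_ip):
    """Retrieve package/update information from a system via the ``av_update_info`` module.

    Args:
      system_ip(str): IP of the system of which we want info

    Returns:
      success(Boolean), msg: ``(True, data)`` with the module's ``data`` field,
                             or ``(False, error_message)``
    """
    try:
        response = ansible.run_module(host_list=[system_ip],
                                      module="av_update_info",
                                      use_sudo=True,
                                      args={})
        success, msg = ansible_is_valid_response(system_ip, response)
        if success:
            msg = response['contacted'][system_ip]['data']

    except Exception as err:
        # The log tag names this function; it previously pointed at a
        # different helper ("get_packages_info"), which misdirected triage.
        error_msg = ("[ansible_get_update_info] An error occurred while "
                     "retrieving the system's package info <%s>" % str(err))
        api_log.error(error_msg)
        return False, error_msg

    return success, msg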
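def ansible_get_process_pid(system_ip, ps_filter):
    """Return the PID of the first process whose ``ps aux`` line matches *ps_filter*.

    Args:
      system_ip(str): The system IP where the ps pipeline is run
      ps_filter(str): Literal text to look for in the ``ps aux`` output; it is
                      regex-escaped before being handed to grep

    Returns:
      (boolean,int): ``(True, pid)`` with ``pid == 0`` when nothing matched,
                     ``(False, 0)`` on any error (already logged)
    """
    try:
        from shlex import quote as shell_quote  # Python 3
    except ImportError:  # Python 2
        from pipes import quote as shell_quote
    try:
        # re.escape only protects grep's regex syntax; shell_quote protects the
        # shell line itself, so quotes or backticks in the filter cannot break
        # out of the grep argument.
        pattern = shell_quote(re.escape(str(ps_filter)))
        cmd = ('ps aux | grep %s | grep -v grep | '
               'grep -v tail | tr -s " " | cut -d " " -f 2 | '
               'head -n 1' % pattern)
        response = ansible.run_module(host_list=[system_ip],
                                      module="shell",
                                      use_sudo=True,  # a bool, as in the rest of this module
                                      args=cmd)
        success, msg = ansible_is_valid_response(system_ip, response)
        if not success:
            api_log.error("[ansible_get_process_pid] Error: %s" % str(msg))
            return False, 0

        stdout = response['contacted'][system_ip]['stdout']
        pid = int(stdout) if stdout else 0
    except Exception as exc:
        api_log.error("[ansible_get_process_pid] Error: %s" % str(exc))
        return False, 0

    return success, pid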
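def ansible_pgrep(system_ip, pgrep_filter="''"):
    """Run ``pgrep -a -f`` on *system_ip* and return the matching processes.

    *pgrep_filter* is an ERE matched against each process's full command line
    (``-f``). The default ``"''"`` keeps the historical behaviour of an empty
    pattern, which matches every process.

    Args:
        system_ip (str): IP of the system where pgrep is run
        pgrep_filter (str): pgrep pattern

    Returns:
        (bool, list): ``(True, [(pid, cmdline), ...])`` on success (a tuple has
        a single element when pgrep printed no command line);
        ``(False, error_text)`` otherwise, after logging the error
    """
    try:
        from shlex import quote as shell_quote  # Python 3
    except ImportError:  # Python 2
        from pipes import quote as shell_quote
    result = []
    try:
        # The old default "''" relied on the shell collapsing '' '' '' into one
        # empty argument; keep that meaning rather than passing two literal quotes.
        pattern = "" if pgrep_filter == "''" else str(pgrep_filter)
        # Quoting keeps the pattern a single argument, so quotes or other
        # metacharacters in the filter cannot alter the shell line.
        cmd = "/usr/bin/pgrep -a -f %s" % shell_quote(pattern)
        response = ansible.run_module(host_list=[system_ip],
                                      module="shell",
                                      use_sudo=True,
                                      args=cmd)
        success, msg = ansible_is_valid_response(system_ip, response)
        if not success:
            api_log.error("[ansible_pgrep] Error: %s" % str(msg))
            return False, str(msg)
        stdout = response['contacted'][system_ip]['stdout']
        lines = stdout.split("\n") if stdout != '' else []
        # pgrep -a prints "<pid> <command line>"; split once to keep the command intact.
        result = [tuple(line.split(" ", 1)) for line in lines]
    except Exception as exc:
        api_log.error("[ansible_pgrep] Error: %s" % str(exc))
        return False, str(exc)
    return True, result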
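def ansible_check_if_process_is_running(system_ip, ps_filter):
    """Count the processes whose ``ps aux`` line matches *ps_filter*.

    Args:
      system_ip(str): The system IP where the ps pipeline is run
      ps_filter(str): Literal text to look for in the ``ps aux`` output; it is
                      regex-escaped before being handed to grep

    Returns:
      (boolean,int): ``(True, count)`` with the number of matching processes;
                     ``(False, msg)`` when ansible reports an invalid response,
                     ``(False, 0)`` on any other error (logged)
    """
    try:
        from shlex import quote as shell_quote  # Python 3
    except ImportError:  # Python 2
        from pipes import quote as shell_quote
    try:
        # re.escape protects grep's regex syntax; shell_quote protects the
        # shell line, so quotes or backticks in the filter cannot break out.
        pattern = shell_quote(re.escape(str(ps_filter)))
        cmd = 'ps aux | grep %s | grep -v grep | ' \
              'grep -v tail | wc -l' % pattern
        response = ansible.run_module(host_list=[system_ip],
                                      module="shell",
                                      use_sudo=True,  # a bool, as elsewhere in this module
                                      args=cmd)
        success, msg = ansible_is_valid_response(system_ip, response)
        if not success:
            return False, msg
        rc = int(response['contacted'][system_ip]['stdout'])
    except Exception as exc:
        api_log.error("ansible_check_if_process_is_running: <%s>" % str(exc))
        return False, 0

    return success, rc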
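def ansible_remove_certificates(system_ip, system_id_to_remove):
    """Remove the SSL key material stored for a system.

    Deletes ``/var/ossim/ssl/<system_id_to_remove>`` on *system_ip*.

    :param system_ip: The system ip where you want to remove the keys
    :param system_id_to_remove: The system_id whose folder is removed. It is
                                interpolated into a path on a shell command
                                line, so only ``[A-Za-z0-9_.-]`` is accepted and
                                ``.`` / ``..`` are rejected.
    :return: ``(True, "")`` on success, ``(False, error_message)`` otherwise
    """
    system_id = "" if system_id_to_remove is None else str(system_id_to_remove)
    if system_id in (".", "..") or re.match(r"^[A-Za-z0-9_.-]+$", system_id) is None:
        return False, "Something wrong happened while removing the ssl folder: invalid system id"
    try:
        # NOTE: "|| true" forces a zero exit status, so the rc check below can
        # only fire if the shell itself fails; rm problems show up on stderr only.
        command = "rm -r /var/ossim/ssl/%s || true" % system_id
        response = ansible.run_module(host_list=[system_ip],
                                      module="shell",
                                      args=command,
                                      use_sudo=True)
        success, msg = ansible_is_valid_response(system_ip, response)
        if not success:
            error_msg = "Something wrong happened while removing " + \
                        "the ssl folder: "
            error_msg = error_msg + "%s" % str(msg)
            return False, error_msg
        return_code = int(response['contacted'][system_ip]['rc'])
        output_error = response['contacted'][system_ip]['stderr']
        if return_code != 0:
            error_msg = "Something wrong happened while removing " + \
                        "the ssl folder: %s" % str(output_error)
            return False, error_msg
    except Exception as err:
        error_msg = "Something wrong happened while removing the ssl folder: "
        error_msg = error_msg + "%s" % str(err)
        return False, error_msg
    return True, ""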
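def ansible_resend_alarms(system_ip, alarms):
    """Re-send alarm events to the server process listening on *system_ip*.

    Alarm ids are canonicalised with ``uuid.UUID`` (which raises on anything
    that is not a UUID), joined ten per batch and piped to
    ``nc 127.0.0.1 40004`` on the target.

    Args:
        system_ip (str): IP of the server that receives the events
        alarms (list[str] | None): alarm event ids; an empty or None list is a no-op

    Returns:
        (bool, str): ``(True, '')`` when every batch was sent; ``(False, msg)``
        at the first batch ansible reports as failed
    """
    if not alarms:
        return True, ''

    chunk_size = 10
    for start in range(0, len(alarms), chunk_size):
        alarm_chunk = alarms[start:start + chunk_size]
        # uuid.UUID validates each id, which is what keeps the interpolation
        # into the shell line below safe.
        events = "\n".join(str(uuid.UUID(alarm)) for alarm in alarm_chunk)
        api_log.info(
            "[ansible_resend_alarms] Resending event '%s' to server '%s'" %
            (events, system_ip))
        cmd = "echo -e \"%s\" | nc 127.0.0.1 40004 -w1" % events
        response = ansible.run_module(host_list=[system_ip],
                                      module="shell",
                                      args=cmd)
        success, msg = ansible_is_valid_response(system_ip, response)
        if not success:
            # The failure path used to reference undefined names (event_id,
            # err), so every failure surfaced as a NameError instead of a
            # (False, msg) result.
            api_log.error(
                "[ansible_resend_alarms] Can't resend to '%s' event_id '%s'.Bailing out"
                % (system_ip, events))
            return False, str(msg)

    return True, ''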
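def ansible_get_child_alarms(system_ip, delay=1, delta=3):
    """Get the ids of closed and open alarms from a child server.

    Queries the child's ``alarm`` table for rows whose timestamp lies between
    ``delta + delay`` hours ago and ``delay`` hours ago.

    Args:
        system_ip (str): IP of the child server
        delay (int): hours back at which the window ends
        delta (int): width of the window, in hours

    Returns:
        (bool, list): ``(True, [hex_event_id, ...])`` or ``(False, msg)``
    """
    # %u only accepts numbers, so delay/delta cannot carry text into the query.
    cmd = "echo \"select hex(event_id), timestamp, hex(backlog_id) FROM alarm WHERE status='closed' AND timestamp between DATE_SUB(utc_timestamp(), " \
          "interval %u hour) AND DATE_SUB(utc_timestamp(), interval %u hour) UNION select hex(event_id), timestamp, hex(backlog_id) " \
          "FROM alarm WHERE status='open' AND " \
          "timestamp between DATE_SUB(utc_timestamp(), interval %u hour) AND DATE_SUB(utc_timestamp(), interval %u hour) ORDER BY timestamp DESC;\" | ossim-db " % (
              delta + delay, delay, delta + delay, delay)

    api_log.debug("Query: %s" % cmd)
    response = ansible.run_module(host_list=[system_ip],
                                  module="shell",
                                  args=cmd)
    success, msg = ansible_is_valid_response(system_ip, response)
    if not success:
        return False, "[ansible_get_child_alarms] Can't retrieve remote alarms (%s) : %s" % (
            system_ip, msg)

    data = []
    output = ""  # defined up front so the error log below can always show it
    try:
        output = str(response['contacted'][system_ip]['stdout'])
        lines = output.splitlines()
        for line in lines[1:]:  # the first line is the column header
            event_id, _timestamp, _backlog_id = line.split('\t')
            data.append(event_id)
    except (KeyError, ValueError):
        # KeyError: unexpected response shape; ValueError: a row without
        # exactly three tab-separated columns.
        api_log.error(
            "[ansible_get_child_alarms] Bad response from child server: %s"
            % str(output))
        return False, "[ansible_get_child_alarms] Bad response from child server"
    return True, data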
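def ossec_add_agentless(system_ip, host=None, user=None, password=None, supassword=None):
    """
        Add an agentless monitored host to the OSSEC configuration of a sensor
        @param system_ip Sensor IP where we're going to modify the ossec configuration
        @param host host we're going to add
        @param user user we use to connect to host
        @param password password for user
        @param supassword optional su password
        @return (True, script_output) or (False, error_message)
    """
    if not (host and user and password):
        # Report only which values are present: the password itself must not
        # reach the log or the API response.
        detail = "host=%s, user=%s, password=%s" % (
            "set" if host else "missing",
            "set" if user else "missing",
            "set" if password else "missing")
        error_msg = "[ossec_add_agentless] Missing mandatory parameter: Host, user or password (%s)" % detail
        api_log.error(error_msg)
        return (False, error_msg)
    try:
        from shlex import quote as shell_quote  # Python 3
    except ImportError:  # Python 2
        from pipes import quote as shell_quote
    try:
        # Every value is caller-supplied and the script runs through a shell:
        # quote each argument so spaces or metacharacters cannot split or
        # extend the command. The credentials still travel on a command line
        # (visible in the target's process list) — a limitation of register_host.sh.
        parts = ["/var/ossec/agentless/register_host.sh", "add",
                 shell_quote("%s@%s" % (user, host)),
                 shell_quote(str(password))]
        if supassword is not None and str(supassword) != '':
            parts.append(shell_quote(str(supassword)))
        command = " ".join(parts)
        response = _ansible.run_module(host_list=[system_ip], module="shell", args=command, use_sudo=True)
        result, msg = ansible_is_valid_response(system_ip, response)
        if not result:
            return False, msg
        script_return_code = int(response['contacted'][system_ip]['rc'])
        script_output = response['contacted'][system_ip]['stdout']
        if script_return_code != 0:
            return False, "[ossec_add_agentless] Something wrong happened while running ansible command ->'%s'" % str(response)
        return True, script_output
    except Exception as err:
        return False, "[ossec_control] Something wrong happened while running ansible command ->  '%s'" % str(err)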
def ossec_get_syscheck(system_ip, agent_id):
    r"""Retrieve the files syscheck reports as modified for an agent.

    Runs ``/var/ossec/bin/syscheck_control -s -i <agent_id>`` on the sensor.

    :param system_ip: IP of the sensor
    :param agent_id: Agent id, must match ``^\d{1,4}$``
    :return: ``(True, data)`` where *data* maps a running index (0, 1, ...) to
             each non-empty output line, or ``(False, message)`` on error
    """
    if not re.match(r"^[0-9]{1,4}$", agent_id):
        return False, "Invalid agent ID. The agent ID has to be 1-4 digital characters"
    try:
        command = "/var/ossec/bin/syscheck_control -s -i %s " % agent_id
        response = _ansible.run_module(host_list=[system_ip],
                                       module="shell",
                                       args=command,
                                       use_sudo=True)
        result, msg = ansible_is_valid_response(system_ip, response)
        if not result:
            return False, msg
        host_result = response['contacted'][system_ip]
        exit_code = int(host_result['rc'])
        stdout = host_result['stdout']
        if exit_code != 0:
            return False, "[ossec_get_syscheck] Something wrong happened while running ansible command %s" % str(
                host_result)
        non_empty_lines = [line for line in stdout.split("\n") if line != '']
        output = dict(enumerate(non_empty_lines))
    except Exception as err:
        return False, "[ossec_get_syscheck] Something wrong happened while running ansible command %s" % str(
            err)
    return (True, output)  # header is skipped by the caller; indices start at 0
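def ansible_get_asynchronous_command_log_file(system_ip, log_file):
    """Fetch the log file of an asynchronous command (update/reconfigure) to the local host.

    Args:
      system_ip(str): The system IP the log file is fetched from
      log_file(str): Remote path of the log; must be exactly
        ``/tmp/system_<update|update_feed|update_uc|reconfigure>_<10 digits>.<2 digits>.log``

    Returns:
      (boolean, str): ``(True, local_path)`` of the fetched copy under
      ``/tmp/ansible/logs/``, or ``(False, error_message)``
    """
    # Anchored at both ends: the path is interpolated into an ansible
    # "key=value" argument string, so a valid prefix followed by extra text
    # (a space and another key, or a longer path) must be rejected as well.
    reg = r"^/tmp/system_(update|update_feed|update_uc|reconfigure)_\d{10}\.\d{2}\.log\Z"
    if re.match(reg, log_file) is None:
        return False, "Invalid return code file"
    try:
        destination_path = "/tmp/ansible/logs/"
        response = ansible.run_module(host_list=[system_ip],
                                      module="fetch",
                                      args="dest=%s src=%s flat=yes" % (destination_path, log_file),
                                      use_sudo=True)
        result, msg = ansible_is_valid_response(system_ip, response)
        if not result or 'dest' not in response['contacted'][system_ip]:
            return False, "Something wrong happen while fetching the return code file: %s" % msg
        # 'dest' is where ansible's fetch module wrote the local copy.
        rc_file_path = response['contacted'][system_ip]['dest']
        if not os.path.exists(rc_file_path):
            return False, "The local return code file doesn't exist"

    except Exception as err:
        return False, "An error occurred while retrieving the return code file <%s>" % str(err)

    return True, rc_file_path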
def ossec_get_syscheck(system_ip, agent_id):
    r"""Retrieve the files syscheck reports as modified for an agent.

    Runs ``/var/ossec/bin/syscheck_control -s -i <agent_id>`` on the sensor.

    :param system_ip: IP of the sensor
    :param agent_id: Agent id, validated by ``is_valid_agent_id``
    :return: ``(True, data)`` where *data* maps a running index (0, 1, ...) to
             each non-empty output line, or ``(False, message)`` on error
    """
    valid, msg = is_valid_agent_id(agent_id)
    if not valid:
        return False, msg
    try:
        command = "/var/ossec/bin/syscheck_control -s -i %s " % agent_id
        response = _ansible.run_module(host_list=[system_ip], module="shell", args=command, use_sudo=True)
        result, msg = ansible_is_valid_response(system_ip, response)
        if not result:
            return False, msg
        host_result = response['contacted'][system_ip]
        exit_code = int(host_result['rc'])
        stdout = host_result['stdout']
        if exit_code != 0:
            return False, "[ossec_get_syscheck] Something wrong happened while running ansible command %s" % str(host_result)
        non_empty_lines = [line for line in stdout.split("\n") if line != '']
        output = dict(enumerate(non_empty_lines))
    except Exception as err:
        return False, make_err_message("[ossec_get_syscheck]", DEFAULT_ERR_MSG, str(err))

    return True, output  # header is skipped by the caller; indices start at 0
def ossec_rootcheck(system_ip, agent_id=""):
    """Run the ossec-rootcheck helper script for an agent and return its output lines.

         @param system_ip: IP of the sensor the rootcheck output is read from
         @param agent_id: Agent id; must be 1 to 4 digits
         @return (True, lines) with the script's stdout split on newlines
                 ([] for empty output), or (False, message) on error
    """
    if not re.match(r"^[0-9]{1,4}$", agent_id):
        return False, "Invalid agent ID. The agent ID has to be 1-4 digital characters"
    try:
        command = "/usr/share/ossim/scripts/ossec-rootcheck.sh  %s" % agent_id
        response = _ansible.run_module(host_list=[system_ip],
                                       module="shell",
                                       args=command,
                                       use_sudo=True)
        result, msg = ansible_is_valid_response(system_ip, response)
        if not result:
            return False, msg
        host_result = response['contacted'][system_ip]
        exit_code = int(host_result['rc'])
        stdout = host_result['stdout']
        if exit_code != 0:
            return False, "[ossec_rootcheck] Something wrong happened while running ansible command %s" % str(
                response)
    except Exception as err:
        return False, "[ossec_rootcheck] Something wrong happened while running ansible command %s" % str(
            err)

    # "".split("\n") yields [''], and callers expect [] for empty output.
    if not stdout:
        return (True, [])
    return (True, stdout.split("\n"))
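def get_logfiles_for_host(system_ip, host_ips):
    """Return the log files under /var/log in which any of *host_ips* appears.

    Args:
        system_ip(str): System IP where grep is run
        host_ips(list[str]): IP addresses to look for; they are OR-ed into one
            grep pattern, so each entry must be a plain address

    Returns:
        list[str]: log file names (de-duplicated, in output order); an empty
        list when nothing matched, an entry was not a plain address, or an
        error occurred (the error is logged)

    Note:
        DEPRECATED (Not used)

    """
    logfiles = []
    response = None  # so the except branch can always reference it
    # The addresses are interpolated into a single-quoted grep pattern on a
    # shell line; only address characters may get there.
    for ip in host_ips:
        if re.match(r"^[0-9A-Fa-f.:]+$", str(ip)) is None:
            api_log.error("get_logfiles_for_host: invalid host ip %r" % (ip,))
            return logfiles

    try:
        grep_filter = "|".join(str(ip) for ip in host_ips)
        command = """executable=/bin/bash grep --exclude=\*.{tar.gz,dat,gz} -rIEo '%s' /var/log/ | sort -u """ % grep_filter
        response = ansible.run_module(host_list=[system_ip], module="shell", args=command)
        success, msg = ansible_is_valid_response(system_ip, response)
        if success:
            for line in response['contacted'][system_ip]['stdout'].split('\n'):
                # grep -o output is "<file>:<match>"; anything else is skipped.
                parts = line.split(':')
                if len(parts) != 2:
                    continue
                log_filename = parts[0]
                if log_filename not in logfiles:
                    logfiles.append(log_filename)
    except Exception as e:
        api_log.error("get_logfiles_for_host: %s, r: %s" % (str(e), response))
    # The original fell off the end and returned None; callers get the list now.
    return logfiles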
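def rsync(local_ip, src, dest):
    """Rsync file(s) into place by running rsync on *local_ip* over ssh.

    :param local_ip: The system ip where the rsync command is run
    :param src: rsync source (typically ``user@host:/path`` on the remote system)
    :param dest: rsync destination path on *local_ip*
    :returns: (True, msg) when file(s) were synced; (False, msg) when the
              arguments are invalid, the transfer failed, or nothing changed
              ("File(s) already in sync")
    """
    # Check parameters
    if not all((local_ip, src, dest)):
        return False, "Invalid parameters: {}".format(locals())
    # The 'command' module splits its argument string on whitespace, so a path
    # containing whitespace would turn into extra rsync arguments.
    if any(ch.isspace() for ch in "%s%s" % (src, dest)):
        return False, "Invalid parameters: whitespace in src/dest"

    ssh_key_file = '/var/ossim/ssl/local/private/cakey_avapi.pem'
    # -i reports whether each file changed; an empty stdout means "already in sync".
    # -q silences ssh's "Permanently added ... to the list of known hosts"
    # warning, which would otherwise land on stderr and read as a failure:
    # u'stderr': u"Warning: Permanently added '192.168.87.198' (RSA) to the list of known hosts.",
    # NOTE: StrictHostKeyChecking=no together with UserKnownHostsFile=/dev/null
    # means the remote host key is never verified.
    rsync_command = 'rsync -aizPe "ssh -q -o UserKnownHostsFile=/dev/null ' \
                    '-o StrictHostKeyChecking=no -i {}" {} {}'.format(ssh_key_file, src, dest)

    # Rsync pull remote file
    try:
        response = ansible.run_module(host_list=[local_ip], module='command', args=rsync_command, use_sudo=False)
    except Exception as e:
        return False, "Ansible Error: An error occurred while rsyncing file(s): {}".format(e)

    success, msg = ansible_is_valid_response(local_ip, response)
    if not success or response['contacted'][local_ip]['stderr'] != '':
        # Previously returned `success` here, which could be True when rsync
        # had written to stderr; a failure must report False.
        return False, "Could't retrieve file"
    if response['contacted'][local_ip]['stdout'] == '':
        return False, "File(s) already in sync"
    return True, "File(s) synced"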
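def get_network_devices_for_sensor(sensor_ip):
    """Return the devices configured in the sensor's agent config.

    Reads ``/etc/ossim/agent/config.yml`` on the sensor and extracts
    ``device_id:device`` pairs from the lines mentioning ``cpe``.

    Args:
        sensor_ip (str): Sensor IP

    Returns:
        dict: ``{device_id: device_ip}``; empty when nothing was found or an
        error occurred (the error is logged)
    """
    dev_hash = {}
    try:
        command = "grep cpe /etc/ossim/agent/config.yml | sed 's/.*device: \([^,]*\), device_id: \([^,]*\).*/\\2:\\1/g'"
        response = ansible.run_module([sensor_ip],
                                      module="shell",
                                      args=command)
        success, msg = ansible_is_valid_response(sensor_ip, response)
        if success:
            for line in response['contacted'][sensor_ip]['stdout'].split('\n'):
                if not line or ':' not in line:
                    continue
                # Split once: a value containing ':' would otherwise raise.
                key, value = line.split(':', 1)
                if key and value and key not in dev_hash:  # first occurrence wins
                    dev_hash[key] = value
    except Exception as e:
        api_log.error("[get_network_devices_for_sensor error]: %s, %s" %
                      (str(e), traceback.format_exc()))
    # The original fell off the end and returned None instead of the dict.
    return dev_hash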
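def get_devices_logging(system_ip):
    """Returns the devices that have a log directory under /var/log/alienvault/devices

    Args:
        system_ip (str): System IP

    Returns:
        dict: ``{device: ["/var/log/alienvault/devices/<device>/<device>.log"]}``;
        empty when nothing was found or an error occurred (the error is logged)

    """
    # Added #10576
    device_hash = {}
    try:

        command = """find /var/log/alienvault/devices/* -type d -exec basename {} \;"""
        response = ansible.run_module(host_list=[system_ip],
                                      module="shell",
                                      args=command)
        success, msg = ansible_is_valid_response(system_ip, response)
        if success:
            for device in response['contacted'][system_ip]['stdout'].split('\n'):
                if not device:
                    continue  # empty stdout splits to [''] — there is no device there
                device_hash[device] = [
                    "/var/log/alienvault/devices/%s/%s.log" % (device, device)
                ]
    except Exception as e:
        # Tag names this function (it previously said "get_hosts_in_syslog").
        api_log.error("[get_devices_logging] error: %s, %s" %
                      (str(e), traceback.format_exc()))
    # The original fell off the end and returned None instead of the dict.
    return device_hash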
def ossec_get_ossec_agent_detail(system_ip, agent_id):
    """Retrieve ``agent_control -i <agent_id> -s`` output for an agent.

    :param system_ip: IP of the sensor that is queried
    :param agent_id: Agent id; must be 1 to 4 digits
    :return: (True, lines) with the non-empty output lines, or
             (False, message) on error
    """
    if not re.match(r"^[0-9]{1,4}$", agent_id):
        return False, "Invalid agent ID. The agent ID has to be 1-4 digital characters"
    try:
        command = "/var/ossec/bin/agent_control -i %s -s" % agent_id
        response = _ansible.run_module(host_list=[system_ip], module="shell", args=command, use_sudo=True)
        result, msg = ansible_is_valid_response(system_ip, response)
        if not result:
            return False, msg
        host_result = response['contacted'][system_ip]
        exit_code = int(host_result['rc'])
        stdout = host_result['stdout']
        if exit_code != 0:
            return False, "[ossec_get_ossec_agent_detail] Something wrong happened while running ansible command %s" % str(stdout)
        output = [line for line in stdout.split("\n") if line != '']
    except Exception as err:
        return False, "[ossec_get_ossec_agent_detail] Something wrong happened while running ansible command %s" % str(err)
    return (True, output)
def ansible_pgrep(system_ip, pgrep_filter="''"):
    """Run ``pgrep -a -f`` on *system_ip* and return the matching processes.

    :param system_ip: host on which pgrep is executed (via ansible, with sudo)
    :param pgrep_filter: pattern matched against the whole command line (-f)
    :return: (True, [(pid, command_line), ...]) on success,
             (False, error message) otherwise
    """
    # NOTE(review): pgrep_filter is spliced into a single-quoted shell string
    # without any quoting; callers are expected to pass trusted values.
    processes = []
    try:
        cmd = "/usr/bin/pgrep -a -f '%s'" % pgrep_filter
        response = ansible.run_module(host_list=[system_ip],
                                      module="shell",
                                      use_sudo=True,
                                      args=cmd)
        (success, msg) = ansible_is_valid_response(system_ip, response)
        if not success:
            api_log.error("[ansible_pgrep] Error: %s" % str(msg))
            return False, str(msg)
        stdout = response['contacted'][system_ip]['stdout']
        lines = stdout.split("\n") if stdout != '' else []
        # "pgrep -a" prints "<pid> <command line>": split once on the first blank.
        processes = [tuple(line.split(" ", 1)) for line in lines]
    except Exception as exc:
        api_log.error("[ansible_pgrep] Error: %s" % str(exc))
        return False, str(exc)
    return True, processes
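def ansible_purge_logs(system_ip, log_type):
    """
    Delete update/reconfigure log files older than a year

    Args:
        system_ip(str): System IP
        log_type (str): reconfigure or update

    Returns:
        success (bool): OK/ERROR
        msg (str): info message
    """
    # Both arguments are required. The previous test, "not (a or b)", only
    # fired when *both* were empty, so a missing log_type reached the module.
    if not system_ip or not log_type:
        return False, "[ansible_purge_logs]: Missing arguments"

    response = ansible.run_module(host_list=[system_ip],
                                  module="av_purge_logs",
                                  use_sudo=True,
                                  args="log_type=%s" % log_type)
    success, msg = ansible_is_valid_response(system_ip, response)
    if success:
        # 'changed' is set by the module when it actually removed something.
        if response['contacted'][system_ip]['changed']:
            api_log.info(response['contacted'][system_ip]['msg'])
        return True, "[ansible_purge_logs] Purge logs OK"
    # The error text from ansible was previously dropped (a bare "%s").
    return False, "[ansible_purge_logs] Purge logs error: %s" % str(msg)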
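def ansible_get_child_alarms(system_ip, delay=1, delta=3):
    """Return the event ids of the alarms stored on a remote (child) system.

    Args:
        system_ip (str): IP of the child server to query
        delay (int): hours back from now at which the time window ends
        delta (int): width of the time window, in hours

    Returns:
        (True, [hex_event_id, ...]) on success — closed and open alarms whose
        timestamp falls in the window, newest first; (False, message) otherwise.
    """
    # %u only accepts numbers, so delay/delta cannot carry SQL text.
    window = (delta + delay, delay, delta + delay, delay)
    cmd = "echo \"select hex(event_id), timestamp, hex(backlog_id) FROM alarm WHERE status='closed' AND timestamp between DATE_SUB(utc_timestamp(), " \
          "interval %u hour) AND DATE_SUB(utc_timestamp(), interval %u hour) UNION select hex(event_id), timestamp, hex(backlog_id) " \
          "FROM alarm WHERE status='open' AND " \
          "timestamp between DATE_SUB(utc_timestamp(), interval %u hour) AND DATE_SUB(utc_timestamp(), interval %u hour) ORDER BY timestamp DESC;\" | ossim-db " % window

    api_log.debug("Query: %s" % cmd)
    response = ansible.run_module(host_list=[system_ip],
                                  module="shell",
                                  args=cmd)
    success, msg = ansible_is_valid_response(system_ip, response)
    if not success:
        return False, "[ansible_get_child_alarms] Can't retrieve remote alarms (%s) : %s" % (system_ip, msg)

    data = []
    try:
        output = str(response['contacted'][system_ip]['stdout'])
        # The first line is the column header printed by ossim-db.
        for line in output.splitlines()[1:]:
            # Every row must have exactly three tab-separated columns.
            event_id, _timestamp, _backlog_id = line.split('\t')
            data.append(event_id)
    except (KeyError, ValueError):
        # The old handler used '&' instead of '%' (a TypeError inside the
        # except) and referenced 'output', which is unbound when the KeyError
        # comes from the response lookup itself; log the response instead.
        api_log.error("[ansible_get_child_alarms] Bad response from child server: %s" % str(response))
        return False, "[ansible_get_child_alarms] Bad response from child server"
    return True, data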
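def ansible_remove_certificates(system_ip, system_id_to_remove):
    """Removes all the ssh certificates data:
    :param system_ip: The system ip where you want to remove the keys
    :param system_id_to_remove: The system_id of the system you want
                                to remove.
    :return: (True, "") on success, (False, error message) otherwise
    """
    # The id becomes a path component of "rm -r /var/ossim/ssl/<id>" run
    # through a shell, so only a conservative character set is accepted:
    # UUID-style ids pass, while "..", "/" and shell metacharacters do not.
    if not system_id_to_remove or re.match(r"^[A-Za-z0-9_\-]+\Z", str(system_id_to_remove)) is None:
        return False, "Something wrong happened while removing the ssl folder: invalid system id '%s'" % str(system_id_to_remove)
    error_prefix = "Something wrong happened while removing the ssl folder: "
    try:
        command = "rm -r /var/ossim/ssl/%s || true" % system_id_to_remove
        response = ansible.run_module(host_list=[system_ip],
                                      module="shell",
                                      args=command,
                                      use_sudo=True)
        success, msg = ansible_is_valid_response(system_ip, response)
        if not success:
            return False, error_prefix + str(msg)
        contacted = response['contacted'][system_ip]
        return_code = int(contacted['rc'])
        output_error = contacted['stderr']
        # "|| true" normally masks rm failures, so a non-zero rc is unexpected.
        if return_code != 0:
            return False, error_prefix + str(output_error)
    except Exception as err:
        return False, error_prefix + str(err)
    return True, ""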
def ansible_check_if_process_is_running(system_ip, ps_filter):
    """Count the processes on *system_ip* whose ``ps aux`` line matches *ps_filter*.

    Args:
      system_ip(str): The system IP where we would like to run the ps filter
      ps_filter(str): Filter to grep the ps aux command

    Returns:
      (boolean,int): A tuple containing whether the operation was well or not
                     and the number the process running that meet the filter
    """
    # NOTE(review): re.escape() escapes regex metacharacters for grep; it is
    # not shell quoting, so ps_filter is expected to come from trusted code.
    try:
        pattern = re.escape(ps_filter)
        cmd = 'ps aux | grep "%s" | grep -v grep | grep -v tail | wc -l' % pattern
        response = ansible.run_module(host_list=[system_ip],
                                      module="shell",
                                      use_sudo="True",  # string value kept as in the original
                                      args=cmd)
        (success, msg) = ansible_is_valid_response(system_ip, response)
        if not success:
            return False, msg
        # "wc -l" prints a single integer.
        count = int(response['contacted'][system_ip]['stdout'])
    except Exception as exc:
        api_log.error("ansible_check_if_process_is_running: <%s>" % str(exc))
        return False, 0

    return success, count
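def ossec_get_ossec_agent_detail(system_ip, agent_id):
    """Retrieve the ``agent_control -i <id> -s`` output for one OSSEC agent.

    :param system_ip: System ip The ip of the sensor we are going to consult
    :param agent_id: OSSEC agent id, one to four decimal digits
    :return (success,data) where success is True on success False otherwise;
            data is the list of non-empty stdout lines, or an error message
    """
    # agent_id is interpolated into a shell command, so it must be exactly
    # 1-4 digits. \Z is used instead of $ because $ also matches right before
    # a trailing newline, which would let "123\n" through.
    if agent_id is None or re.match(r"^[0-9]{1,4}\Z", agent_id) is None:
        return False, "Invalid agent ID. The agent ID has to be 1-4 digital characters"
    try:
        command = "/var/ossec/bin/agent_control -i %s -s" % agent_id
        response = _ansible.run_module(host_list=[system_ip],
                                       module="shell",
                                       args=command,
                                       use_sudo=True)
        result, msg = ansible_is_valid_response(system_ip, response)
        if not result:
            return False, msg
        contacted = response['contacted'][system_ip]
        script_return_code = int(contacted['rc'])
        script_output = contacted['stdout']
        if script_return_code != 0:
            return False, "[ossec_get_ossec_agent_detail] Something wrong happened while running ansible command %s" % str(script_output)
        # Drop blank lines, keep everything else verbatim for the caller.
        output = [line for line in script_output.split("\n") if line != '']
    except Exception as err:
        return False, "[ossec_get_ossec_agent_detail] Something wrong happened while running ansible command %s" % str(err)
    return (True, output)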
def ossec_get_agentless_list(system_ip):
    """Retrieve the agentless hosts configured on the OSSEC server.

    :param system_ip: System ip The ip of the sensor we are going to consult
    :return (success,data) where success is True on success False otherwise;
            data maps each host entry of .passlist to {'pass': ..., 'ppass': ...}
    """
    # The 'pass'/'ppass' fields appear to be credentials read from .passlist,
    # so callers should treat the returned dict as sensitive.
    hosts = {}
    try:
        # "|| true": a missing .passlist yields an empty list, not an error.
        command = "cat /var/ossec/agentless/.passlist || true"
        response = _ansible.run_module(host_list=[system_ip],
                                       module="shell",
                                       args=command,
                                       use_sudo=True)
        result, msg = ansible_is_valid_response(system_ip, response)
        if not result:
            return False, msg
        contacted = response['contacted'][system_ip]
        script_return_code = int(contacted['rc'])
        script_output = contacted['stdout']
        if script_return_code != 0:
            return False, "[ossec_get_agentless_list] Something wrong happened while running ansible command %s" % str(response)
        for line in script_output.split("\n"):
            if line == '' or "Available host" in line:
                continue
            parts = line.split('|')
            if len(parts) != 3:
                continue
            host, password, privileged_password = parts
            hosts[host] = {'pass': password, 'ppass': privileged_password}
    except Exception as err:
        return False, "[ossec_get_agentless_list] Something wrong happened while running ansible command %s" % str(err)
    return (True, hosts)
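def ossec_get_configuration_rule(system_ip,
                                 rule_filename,
                                 destination_path=""):
    """Fetch one OSSEC rule file from /var/ossec/rules/ on the sensor.

    :param system_ip: sensor to fetch the file from
    :param rule_filename: bare file name of the rule, e.g. ``local_rules.xml``
    :param destination_path: local folder the file is copied into; it is
                             concatenated with rule_filename as-is, so it is
                             expected to end with a path separator
    :return: (True, local_path) on success, (False, error message) otherwise
    """
    # File name validation. re.match() only anchors the start of the string,
    # so the pattern needs \Z at the end: without it a name with a trailing
    # path or whitespace would pass and reach the remote path / the ansible
    # argument string.
    if not rule_filename or not re.match(r'[A-Za-z0-9_\-]+\.xml\Z', rule_filename):
        return False, "Invalid rule filename <%s> " % str(rule_filename)
    try:
        ossec_rule_path = "/var/ossec/rules/%s" % rule_filename
        if not os.path.exists(destination_path):
            return False, "Destination folder doesn't exists"
        # From ansible doc: Recursive fetching may be supported in a later release.
        response = _ansible.run_module(
            host_list=[system_ip],
            module="fetch",
            args="dest=%s src=%s flat=yes fail_on_missing=yes" %
            (destination_path, ossec_rule_path),
            use_sudo=True)
        result, msg = ansible_is_valid_response(system_ip, response)
        if not result:
            return False, str(msg)

        local_path = destination_path + rule_filename
        success, result = set_ossec_file_permissions(local_path)
        if not success:
            return False, str(result)

    except Exception as err:
        return False, "[ossec_get_configuration_rule] Something wrong happened while running ansible command %s" % str(err)
    return True, local_path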
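def ansible_nmap_get_scan_progress(sensor_ip, task_id):
    """Retrieves the scan progress
    Args:
        sensor_ip: the sensor ip where the scan is running
        task_id: The task id to identify the scan progress.
    Returns:
        data(dict) {"scanned_hosts":-1, "target_number":-1}; both stay -1
        when the remote command printed nothing.
    Raises:
        Exception: when the ansible response is not valid. Any other error
        raised while running the command propagates unchanged (the former
        ``except Exception: raise`` was a no-op and has been removed).
    """
    data = {"scanned_hosts": -1, "target_number": -1}
    # NOTE(review): task_id is interpolated into file names inside a shell
    # command without validation; it is assumed to be a server-generated id.
    scan_file = "/tmp/{0}.scan".format(task_id)
    targets_file = "/tmp/{0}.targets".format(task_id)
    # "wc -l" prints one "<count> <file>" line per file plus a total; keep the
    # first two counts and collapse them onto one line with xargs.
    command = "wc -l {0} {1} | head -2 | awk '{2}' | xargs".format(scan_file, targets_file, '{print $1}')
    response = ansible.run_module([sensor_ip], "shell", command)
    (success, msg) = ansible_is_valid_response(sensor_ip, response)
    if not success:
        raise Exception("Invalid response {0}".format(msg))
    stdout = response['contacted'][sensor_ip]['stdout']
    if stdout != '':
        (shosts, nhosts) = stdout.split(' ', 1)
        data['scanned_hosts'] = int(shosts)
        data['target_number'] = int(nhosts)
    return data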
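def ansible_get_update_info(system_ip):
    """Retrieves information about the system packages.

    Args:
      system_ip(str): IP of the system of which we want info

    Returns:
      success(Boolean), msg(str): A tuple containing the result of the query
                                  and the data
    """
    try:
        response = ansible.run_module(host_list=[system_ip],
                                      module="av_update_info",
                                      use_sudo=True,
                                      args={})
        (success, msg) = ansible_is_valid_response(system_ip, response)
        if success:
            # On success the payload is the module's 'data' field.
            msg = response['contacted'][system_ip]['data']

    except Exception as err:
        # Log prefix now names this function, like the other helpers do
        # (it previously read "[get_packages_info]").
        error_msg = "[ansible_get_update_info] An error occurred while " + \
                    "retrieving the system's package info <%s>" % str(err)
        api_log.error(error_msg)
        return False, error_msg

    return success, msg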
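def ansible_nmap_get_scan_progress(sensor_ip, task_id):
    """Retrieves the scan progress
    Args:
        sensor_ip: the sensor ip where the scan is running
        task_id: The task id to identify the scan progress.
    Returns:
        data(dict) {"scanned_hosts":-1, "target_number":-1}; both stay -1
        when the remote command printed nothing.
    Raises:
        Exception: when the ansible response is not valid. Any other error
        raised while running the command propagates unchanged (the former
        ``except Exception: raise`` was a no-op and has been removed).
    """
    data = {"scanned_hosts": -1, "target_number": -1}
    # NOTE(review): task_id is interpolated into file names inside a shell
    # command without validation; it is assumed to be a server-generated id.
    scan_file = "/tmp/{0}.scan".format(task_id)
    targets_file = "/tmp/{0}.targets".format(task_id)
    # "wc -l" prints one "<count> <file>" line per file plus a total; keep the
    # first two counts and collapse them onto one line with xargs.
    command = "wc -l {0} {1} | head -2 | awk '{2}' | xargs".format(
        scan_file, targets_file, '{print $1}')
    response = ansible.run_module([sensor_ip], "shell", command)
    (success, msg) = ansible_is_valid_response(sensor_ip, response)
    if not success:
        raise Exception("Invalid response {0}".format(msg))
    stdout = response['contacted'][sensor_ip]['stdout']
    if stdout != '':
        (shosts, nhosts) = stdout.split(' ', 1)
        data['scanned_hosts'] = int(shosts)
        data['target_number'] = int(nhosts)
    return data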
def ansible_download_release_info(system_ip):
    """Download release notes from alienvault.com

    Args:
        system_ip (str): ip of the host where we will download
                         the release info file

    Returns:
        success (bool): True if successful, False otherwise
        msg (str): success/error message

    """
    # NOTE(review): the release file is fetched over plain http://, so its
    # integrity relies on whatever consumes /var/alienvault/release_info.
    release_url = "http://data.alienvault.com/alienvault5/RELEASES/release_info"
    try:
        module_args = "url=%s dest=/var/alienvault force=yes" % release_url
        response = ansible.run_module(host_list=[system_ip],
                                      module="get_url",
                                      use_sudo=True,
                                      args=module_args)
        (success, msg) = ansible_is_valid_response(system_ip, response)
        if success:
            # get_url reports its outcome in 'msg'.
            msg = response['contacted'][system_ip]['msg']
    except Exception as err:
        error_msg = "[ansible_download_release_info] An error occurred " + \
                    "while retrieving the release info <%s>" % str(err)
        api_log.error(error_msg)
        return False, error_msg
    return success, msg
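def get_system_id(system_ip):
    """ Returns the system Id from a given ip
    @param system_ip: the host system ip
    @return (True, system_id) when a UUID-shaped id was obtained,
            (False, error message) otherwise
    """
    host_list = [system_ip]
    # Raw string: "\-" in a plain str literal is an invalid escape sequence
    # (a warning on current Python versions); the pattern itself is unchanged.
    uuid_regex = re.compile(r'^[a-fA-F0-9]{8}\-[a-fA-F0-9]{4}\-[a-fA-F0-9]{4}\-[a-fA-F0-9]{4}\-[a-fA-F0-9]{12}$')

    # 1- Try alienvault-system-id
    response = ansible.run_module(host_list, "command", "/usr/bin/alienvault-system-id")
    success, msg = ansible_is_valid_response(system_ip, response)
    if success:
        system_id = response['contacted'][system_ip]['stdout']

    # 2- When error, try the old way
    else:
        # 2.1- Read center file
        (success, system_id) = read_file(system_ip, "/etc/alienvault-center/alienvault-center-uuid")
        if not success:
            # 2.2- Call ansible method
            response = ansible.run_module(host_list, "av_setup", "filter=ansible_product_uuid")
            if system_ip in response['dark']:
                return (False, "[get_system_id]: " + response['dark'][system_ip]['msg'])
            if system_ip not in response['contacted']:
                return (False, "[get_system_id]: Error getting system ID")
            system_id = response['contacted'][system_ip]['ansible_facts']['ansible_product_uuid'].lower()

    # Check the system_id is valid. Ids are used as path components elsewhere
    # in this module (e.g. /var/ossim/ssl/<id>), so anything that is not a
    # UUID is rejected here.
    if not system_id or not uuid_regex.match(system_id):
        return (False, "[get_system_id]: Error getting system ID")

    return (True, system_id)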
def ossec_get_agentless_list(system_ip):
    """Retrieve the agentless hosts configured on the OSSEC server.

    :param system_ip: System ip The ip of the sensor we are going to consult
    :return (success,data) where success is True on success False otherwise;
            data maps each host entry of .passlist to {'pass': ..., 'ppass': ...}
    """
    # The 'pass'/'ppass' fields appear to be credentials read from .passlist,
    # so callers should treat the returned dict as sensitive.
    hosts = {}
    try:
        # "|| true": a missing .passlist yields an empty list, not an error.
        command = "cat /var/ossec/agentless/.passlist || true"
        response = _ansible.run_module(host_list=[system_ip],
                                       module="shell",
                                       args=command,
                                       use_sudo=True)
        result, msg = ansible_is_valid_response(system_ip, response)
        if not result:
            return False, msg
        contacted = response['contacted'][system_ip]
        script_return_code = int(contacted['rc'])
        script_output = contacted['stdout']
        if script_return_code != 0:
            return False, "[ossec_get_agentless_list] Something wrong happened while running ansible command %s" % str(response)
        for line in script_output.split("\n"):
            if line == '' or "Available host" in line:
                continue
            parts = line.split('|')
            if len(parts) != 3:
                continue
            host, password, privileged_password = parts
            hosts[host] = {'pass': password, 'ppass': privileged_password}
    except Exception as err:
        return False, "[ossec_get_agentless_list] Something wrong happened while running ansible command %s" % str(err)
    return (True, hosts)
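def ansible_purge_logs(system_ip, log_type):
    """
    Delete update/reconfigure log files older than a year

    Args:
        system_ip(str): System IP
        log_type (str): reconfigure or update

    Returns:
        success (bool): OK/ERROR
        msg (str): info message
    """
    # Both arguments are required. The previous test, "not (a or b)", only
    # fired when *both* were empty, so a missing log_type reached the module.
    if not system_ip or not log_type:
        return False, "[ansible_purge_logs]: Missing arguments"

    response = ansible.run_module(host_list=[system_ip],
                                  module="av_purge_logs",
                                  use_sudo=True,
                                  args="log_type=%s" % log_type)
    success, msg = ansible_is_valid_response(system_ip, response)
    if success:
        # 'changed' is set by the module when it actually removed something.
        if response['contacted'][system_ip]['changed']:
            api_log.info(response['contacted'][system_ip]['msg'])
        return True, "[ansible_purge_logs] Purge logs OK"
    # The error text from ansible was previously dropped (a bare "%s").
    return False, "[ansible_purge_logs] Purge logs error: %s" % str(msg)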
def ansible_get_process_pid(system_ip, ps_filter):
    """Return the PID of the first process whose ``ps aux`` line matches *ps_filter*.

    Args:
      system_ip(str): The system IP where we would like to run the ps filter
      ps_filter(str): Filter to grep the ps aux command

    Returns:
      (boolean,int): A tuple containing whether the operation was well or not
                     and the PID of the process running that meet the filter
                     (0 = not running)
    """
    # NOTE(review): re.escape() protects the grep pattern, not the shell
    # command line; ps_filter is assumed to come from trusted code.
    try:
        pattern = str(re.escape(ps_filter))
        # Column 2 of "ps aux" is the PID; squeeze repeated blanks first so
        # cut can use a single space as delimiter.
        cmd = ('ps aux | grep "%s" | grep -v grep | grep -v tail | '
               'tr -s " " | cut -d " " -f 2 | head -n 1' % pattern)
        response = ansible.run_module(host_list=[system_ip],
                                      module="shell",
                                      use_sudo="True",  # string value kept as in the original
                                      args=cmd)
        (success, msg) = ansible_is_valid_response(system_ip, response)
        if not success:
            api_log.error("[ansible_get_process_pid] Error: %s" % str(msg))
            return False, 0

        stdout = response['contacted'][system_ip]['stdout']
        pid = int(stdout) if stdout else 0
    except Exception as exc:
        api_log.error("[ansible_get_process_pid] Error: %s" % str(exc))
        return False, 0

    return success, pid
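def ossec_get_available_agents(system_ip,
                               op_ossec='list_available_agents',
                               agent_id=''):
    """Run an agent_control operation through the ``ossec_agent`` ansible module.

        @param system_ip:   System ip of the sensor we're going to check
        @param op_ossec: Operation. One in list_available_agents,  list_online_agents,
        restart_agent, integrity_check
        @param agent_id: Agent id, we need it in the restar_agent or integrity_check
        @return (True, data) where data is the parsed agent list for the two
                list_* operations and the module's raw 'data' field otherwise;
                (False, message) on error
    """
    # needs_agent_id: whether ansible_args carries a %s for the agent id.
    # proc_func: optional post-processing applied to the module's 'data'.
    AgentParams = namedtuple('AgentParams',
                             ['needs_agent_id', 'ansible_args', 'proc_func'])
    ops = {
        'list_available_agents':
        AgentParams(False, 'command=agent_control list_available_agents=true',
                    _ossec_parse_agent_list),
        'list_online_agents':
        AgentParams(False, 'command=agent_control list_online_agents=true',
                    _ossec_parse_agent_list),
        'restart_agent':
        AgentParams(True, 'command=agent_control restart_agent=%s', None),
        'integrity_check':
        AgentParams(True, 'command=agent_control integrity_check=%s', None),
    }
    try:
        if op_ossec not in ops:
            return (False,
                    "[ossec_get_available_agents] Bad op '%s'" % op_ossec)
        ansp = ops[op_ossec]
        if ansp.needs_agent_id:
            # The id is spliced into the module argument string, so it must be
            # exactly 1-4 digits; \Z rejects the trailing newline that $ allows.
            if agent_id is None or re.match(r"^[0-9]{1,4}\Z", agent_id) is None:
                return (False,
                        "[ossec_get_available_agents] Bad agent_id '%s'" %
                        agent_id)
            args = ansp.ansible_args % agent_id
        else:
            args = ansp.ansible_args
        # Run module
        response = _ansible.run_module(host_list=[system_ip],
                                       module='ossec_agent',
                                       args=args,
                                       use_sudo=True)
        success, msg = ansible_is_valid_response(system_ip, response)
        if not success:
            return False, msg
        contacted = response['contacted'][system_ip]
        # Now check the 'rc' field
        if contacted['rc'] != 0:
            return False, "[ossec_get_available_agents] Error: %s" % contacted['data']
        # The msg field doesn't work in this case. The data is in 'data'
        if ansp.proc_func is not None:
            data = ansp.proc_func(contacted['data'])
        else:
            data = contacted['data']
    except Exception as err:
        return False, "[ossec_get_available_agents] Something wrong happened while running ansible command %s" % str(err)
    return True, data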
def ansible_get_backup_list(target=None):
    """Return the configuration backups available on *target*.

    :param target: IP of the system to query (sent as a one-element host list)
    :return: (True, data) with the module's 'data' field on success,
             (False, message) otherwise
    """
    module_args = {"backup_type": "configuration"}
    response = ansible.run_module([target], "av_get_backup_files", module_args)
    success, _msg = ansible_is_valid_response(target, response)
    if not success:
        return False, "Cannot retrieve the list of backups"
    return success, response['contacted'][target]['data']
def ansible_get_backup_list(target=None):
    """Return the configuration backups available on *target*.

    :param target: IP of the system to query (sent as a one-element host list)
    :return: (True, data) with the module's 'data' field on success,
             (False, message) otherwise
    """
    module_args = {"backup_type": "configuration"}
    response = ansible.run_module([target], "av_get_backup_files", module_args)
    success, _msg = ansible_is_valid_response(target, response)
    if not success:
        return False, "Cannot retrieve the list of backups"
    return success, response['contacted'][target]['data']
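def ansible_get_hostname(system_ip):
    """ Returns the system hostname from a given ip
    @param system_ip: the host system ip
    @return (True, hostname) on success, (False, error message) otherwise
    """
    response = ansible.run_module([system_ip], "av_setup", "filter=ansible_hostname")
    # ansible_is_valid_response returns a (success, msg) tuple, as every other
    # call site in this module unpacks it. A non-empty tuple is always truthy,
    # so the old "if not <tuple>" check could never fail and an unreachable
    # host ended in a KeyError on response['contacted'] instead of an error.
    success, msg = ansible_is_valid_response(system_ip, response)
    if not success:
        return (False, "Something wrong happend getting the system hostname")

    hostname = response['contacted'][system_ip]['ansible_facts']['ansible_hostname']
    return (True, hostname)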
def ossec_get_status(system_ip):
    """Return the OSSEC status reported by the ``av_ossec_status`` module.

    :param system_ip: sensor to query
    :return: (True, data) with the module's 'data' field, or (False, message)
    """
    try:
        response = _ansible.run_module(host_list=[system_ip],
                                       module="av_ossec_status",
                                       args="",
                                       use_sudo=True)
        ok, msg = ansible_is_valid_response(system_ip, response)
        if not ok:
            return False, msg
        status = response['contacted'][system_ip]['data']
    except Exception as err:
        return False, "[ossec_get_status] Something wrong happened while running ansible command ->  '%s'" % str(err)
    return True, status
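def ossec_control(system_ip, operation, option):
    """Interface with the ossec-control binary

    :param system_ip: sensor running the OSSEC server
    :param operation: one of start, stop, restart, enable, disable, status
    :param option: target of enable/disable (client-syslog, agentless, debug);
                   ignored by the other operations
    :return: (True, data) where data holds the command 'stdout' plus the fields
             returned by ossec_get_status(); (False, message) on error. For
             "status" the 'ossec-' prefix is stripped from the reported names.
    """
    # TODO: This can be implemented as a module as well
    if operation not in ["start", "stop", "restart", "enable", "disable", "status"]:
        return False, "Invalid operation. Allowed values are: ['start','stop','restart','enable','disable','status']"
    if operation in ["enable", "disable"]:
        if option not in ["client-syslog", "agentless", "debug"]:
            return False, "Invalid option. Allowed values are: ['client-syslog','agentless','debug']"
    try:
        # Note:
        # if you run the following command:
        #  >>> ansible <yourip> -m shell -a "/var/ossec/bin/ossec-control restart "  -s
        # ps output:
        # avapi    12326  1.6  0.1  63308 14512 pts/2    S+   02:17   0:00 /usr/share/alienvault/api_core/bin/python /usr/share/alienvault/api_core/bin/ansible <yourip> -m command -a /var/ossec/bin/ossec-control restart -s
        # root     12349  0.2  0.0      0     0 pts/7    Z+   02:17   0:00 [ossec-control] <defunct>
        #
        # The ossec-control becomes a defunct process. We've to investigate this in deep
        # I think it's something related with the way ossec-control script works with the restart command
        # The workaround is to redirect the standard output and error to /dev/null
        data = {}
        command = "/var/ossec/bin/ossec-control %s" % operation
        if operation in ["enable", "disable"]:
            command = "/var/ossec/bin/ossec-control %s %s" % (operation, option)
        if operation == "restart":
            command += " > /dev/null 2>&1"
        response = _ansible.run_module(host_list=[system_ip], module="shell", args=command, use_sudo=True)

        result, msg = ansible_is_valid_response(system_ip, response)
        if not result:
            return False, msg
        script_return_code = int(response['contacted'][system_ip]['rc'])
        script_output = response['contacted'][system_ip]['stdout']

        #status operation can return !=0. If one of the ossec process is not running the rc >0
        if script_return_code != 0 and operation != "status":
            return False, "[ossec_control] Something wrong happened while running ansible command ->'%s'" % str(response)
        data['stdout'] = script_output
        result, msg = ossec_get_status(system_ip)
        if not result:
            return False, "[ossec-control] Error getting the ossec status -> '%s'" % msg
        data.update(msg)
    except Exception as err:
        return False, "[ossec_control] Something wrong happened while running ansible command ->  '%s'" % str(err)

    if operation in ["status"]:
        # remove ossec string
        data['raw_output_status'] = data['raw_output_status'].replace('ossec-', '')
        data['stdout'] = data['stdout'].replace('ossec-', '')
        # Rebuild the dict rather than renaming keys in place: the old loop did
        # "d[new_key] = value; del d[key]", which deleted the entry outright
        # whenever the key had no 'ossec-' prefix (new_key == key), and it
        # mutated the dict while iterating over it.
        data['general_status'] = {
            key.replace('ossec-', ''): value
            for key, value in data['general_status'].items()
        }

    return True, data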
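def ossec_put_configuration_rule_file(system_ip, local_rule_filename, remote_rule_name):
    """Copy a local rule file to /var/ossec/alienvault/rules/<remote_rule_name> on the sensor.

    :param system_ip: sensor that runs the OSSEC server
    :param local_rule_filename: path of the file on this host (ansible 'src')
    :param remote_rule_name: bare file name to create on the sensor; must not
                             contain path separators or whitespace
    :return: (True, "Done") on success, (False, error message) otherwise
    """
    # remote_rule_name becomes both a path component and part of a
    # space-separated "key=value" ansible argument string, so reject anything
    # that could leave the rules directory or split the argument list.
    if not remote_rule_name or re.match(r"^[A-Za-z0-9_][A-Za-z0-9_.\-]*\Z", str(remote_rule_name)) is None:
        return False, "[ossec_put_configuration_rule_file] Invalid remote rule name <%s>" % str(remote_rule_name)
    try:
        ossec_rule_path = "/var/ossec/alienvault/rules/%s" % remote_rule_name
        cmd_args = "src=%s dest=%s force=yes owner=root group=ossec mode=644" % (local_rule_filename, ossec_rule_path)
        response = _ansible.run_module(host_list=[system_ip], module="copy", args=cmd_args, use_sudo=True)
        result, msg = ansible_is_valid_response(system_ip, response)
        if not result:
            return False, str(msg)

    except Exception as err:
        # Prefix corrected: it previously named ossec_get_configuration_rule.
        return False, "[ossec_put_configuration_rule_file] Something wrong happened while running ansible command %s" % str(err)
    return True, "Done"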
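def ansible_get_hostname(system_ip):
    """ Returns the system hostname from a given ip
    @param system_ip: the host system ip
    @return (True, hostname) on success, (False, error message) otherwise
    """
    response = ansible.run_module([system_ip], "av_setup",
                                  "filter=ansible_hostname")
    # ansible_is_valid_response returns a (success, msg) tuple, as every other
    # call site in this module unpacks it. A non-empty tuple is always truthy,
    # so the old "if not <tuple>" check could never fail and an unreachable
    # host ended in a KeyError on response['contacted'] instead of an error.
    success, msg = ansible_is_valid_response(system_ip, response)
    if not success:
        return (False, "Something wrong happend getting the system hostname")

    hostname = response['contacted'][system_ip]['ansible_facts'][
        'ansible_hostname']
    return (True, hostname)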
def ossec_control(system_ip, operation, option):
    """Interface with the ossec-control binary

    :param system_ip: sensor running the OSSEC server
    :param operation: one of start, stop, restart, enable, disable, status
    :param option: target of enable/disable (client-syslog, agentless, debug);
                   not used by the other operations
    :return: (True, data) where data holds the command 'stdout' merged with the
             fields returned by ossec_get_status(); (False, message) on error
    """
    # TODO: This can be implemented as a module as well
    allowed_operations = ("start", "stop", "restart", "enable", "disable", "status")
    allowed_options = ("client-syslog", "agentless", "debug")
    if operation not in allowed_operations:
        return False, "Invalid operation. Allowed values are: ['start','stop','restart','enable','disable','status']"
    toggles_feature = operation in ("enable", "disable")
    if toggles_feature and option not in allowed_options:
        return False, "Invalid option. Allowed values are: ['client-syslog','agentless','debug']"
    try:
        # Note:
        # if you run the following command:
        #  >>> ansible <yourip> -m shell -a "/var/ossec/bin/ossec-control restart "  -s
        # ps output:
        # avapi    12326  1.6  0.1  63308 14512 pts/2    S+   02:17   0:00 /usr/share/alienvault/api_core/bin/python /usr/share/alienvault/api_core/bin/ansible <yourip> -m command -a /var/ossec/bin/ossec-control restart -s
        # root     12349  0.2  0.0      0     0 pts/7    Z+   02:17   0:00 [ossec-control] <defunct>
        #
        # The ossec-control becomes a defunct process. We've to investigate this in deep
        # I think it's something related with the way ossec-control script works with the restart command
        # The workaround is to redirect the standard output and error to /dev/null
        if toggles_feature:
            command = "/var/ossec/bin/ossec-control %s %s" % (operation, option)
        elif operation == "restart":
            command = "/var/ossec/bin/ossec-control restart > /dev/null 2>&1"
        else:
            command = "/var/ossec/bin/ossec-control %s" % operation
        response = _ansible.run_module(host_list=[system_ip],
                                       module="shell",
                                       args=command,
                                       use_sudo=True)

        result, msg = ansible_is_valid_response(system_ip, response)
        if not result:
            return False, msg
        contacted = response['contacted'][system_ip]
        script_return_code = int(contacted['rc'])
        script_output = contacted['stdout']

        # "status" legitimately exits non-zero when one of the ossec processes
        # is not running, so its rc is not treated as a failure.
        if script_return_code != 0 and operation != "status":
            return False, "[ossec_control] Something wrong happened while running ansible command ->'%s'" % str(response)
        result, msg = ossec_get_status(system_ip)
        if not result:
            return False, "[ossec-control] Error getting the ossec status -> '%s'" % msg
        data = {'stdout': script_output}
        data.update(msg)
    except Exception as err:
        return False, "[ossec_control] Something wrong happened while running ansible command ->  '%s'" % str(err)
    return True, data
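def ansible_nmap_purge_scan_files(sensor_ip, task_id):
    """Removes the files used during the scan.

    Deletes every file matching ``/tmp/<task_id>*`` on the sensor through
    the ansible ``shell`` module.

    :param sensor_ip: IP of the sensor that ran the scan
    :param task_id: identifier of the scan task. It is interpolated into a
                    shell command, so only a plain token (letters, digits,
                    ``_``, ``-``, ``.``, not starting with ``.``) is accepted.
    :return: (True, "") on success, (False, <error message>) otherwise
    """
    # Validate before touching the shell: an empty task_id expands the glob
    # to /tmp/* and wipes every scan file on the sensor, a leading '.' would
    # match the hidden files, and a '/', whitespace or shell metacharacters
    # must never reach the interpolated command.
    if not task_id or re.match(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*\Z", "%s" % (task_id,)) is None:
        return False, "[ansible_nmap_purge_scan_files] Invalid task id %r. Allowed characters are [A-Za-z0-9_.-]" % (task_id,)
    try:
        command = "rm -rf /tmp/{0}*".format(task_id)
        response = ansible.run_module([sensor_ip], "shell", command)
        (success, msg) = ansible_is_valid_response(sensor_ip, response)
        if not success:
            api_log.error("[ansible_nmap_purge_scan_files] Error: %s" % str(msg))
            return False, str(msg)
    except Exception as exc:
        api_log.error("[ansible_nmap_purge_scan_files] Error: %s" % str(exc))
        return False, str(exc)
    return True, ""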
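def ansible_get_sensor_plugins(system_ip):
    """ Get the plugins of a sensor
    Args:
        system_ip: IP of the sensor to query (ansible host)
    Returns
        Dictionary with the plugins available and enable on the sensor:
        {'enabled': {'monitor': <list of monitor plugins enabled>,
                     'detectors': <list of detector plugins enabled>,
                     'devices': {<device_id>: <list of plugins enabled in the device>}},
         'plugins': { <plugin_name>: {"cfg_version": <cfg version>,
                                      "last_modification": <last modification>,
                                      "legacy": <bool>,
                                      "model": <model>,
                                      "name": <name>,
                                      "path": <plugin full file path>,
                                      "per_asset": <bool>,
                                      "plugin_id": <plugin_id>,
                                      "shipped": <bool>,
                                      "type": <detector|monitor>,
                                      "vendor": <vendor>,
                                      "source": <source>,
                                      "location": <location>,
                                      "version": <version>}}}
    Raises:
        APICannotGetSensorPlugins: when the ansible response is not valid or
            the returned data does not have the expected keys (including the
            legacy plugin names that are renamed below).
    """
    # The av_plugins module reports the legacy plugin names; the API exposes
    # them under the AlienVault product names, so they are remapped in both
    # the "enabled" detector list and the "plugins" catalogue.
    renamed_plugins = {
        "suricata": "AlienVault_NIDS",
        "ossec-single-line": "AlienVault_HIDS",
        "ossec-idm-single-line": "AlienVault_HIDS-IDM",
        "nagios": "availability_monitoring",
    }
    response = ansible.run_module([system_ip], "av_plugins", "")
    # ansible_is_valid_response returns a (success, msg) tuple; testing the
    # tuple itself was always true, so invalid responses slipped through.
    success, msg = ansible_is_valid_response(system_ip, response)
    if not success:
        raise APICannotGetSensorPlugins(
            log="[ansible_get_sensor_plugins] {0}".format(response))

    try:
        plugins = response['contacted'][system_ip]['data']
        enabled = plugins['enabled']
        enabled['detectors'] = [renamed_plugins.get(p, p) for p in enabled['detectors']]
        # Per-device lists only carry the nagios rename.
        for asset_id in enabled['devices']:
            enabled['devices'][asset_id] = ["availability_monitoring" if p == "nagios" else p
                                            for p in enabled['devices'][asset_id]]

        # Every legacy entry must exist in the catalogue; a missing one is a
        # KeyError and is reported as an invalid plugin set, as before.
        catalogue = plugins['plugins']
        for legacy_name, public_name in renamed_plugins.items():
            catalogue[public_name] = catalogue.pop(legacy_name)

    except KeyError:
        raise APICannotGetSensorPlugins(
            log="[ansible_get_sensor_plugins] {0}".format(response))

    return plugins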
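def ansible_nmap_stop(sensor_ip, task_id):
    """Stops the given scan.

    Sends SIGKILL on the sensor to the pid stored in ``/tmp/<task_id>.scan.pid``
    through the ansible ``shell`` module.

    :param sensor_ip: IP of the sensor running the scan
    :param task_id: identifier of the scan task. It is interpolated into a
                    shell command, so only a plain token (letters, digits,
                    ``_``, ``-``, ``.``, not starting with ``.``) is accepted.
    :return: (True, "") on success, (False, <error message>) otherwise
    """
    # Reject anything that is not a plain token before it reaches the shell:
    # whitespace, quotes, '$(' or a '/' in task_id would change the command.
    if not task_id or re.match(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*\Z", "%s" % (task_id,)) is None:
        return False, "[ansible_nmap_stop] Invalid task id %r. Allowed characters are [A-Za-z0-9_.-]" % (task_id,)
    try:
        pid_file = "/tmp/{0}.scan.pid".format(task_id)
        # NOTE(review): the pid file sits in world-writable /tmp and its content
        # is expanded unquoted by the shell — a dedicated directory would be safer.
        command = "kill -9 $(cat {0})".format(pid_file)
        response = ansible.run_module([sensor_ip], "shell", command)
        (success, msg) = ansible_is_valid_response(sensor_ip, response)
        if not success:
            api_log.error("[ansible_nmap_stop] Error: %s" % str(msg))
            return False, str(msg)
    except Exception as exc:
        api_log.error("[ansible_nmap_stop] Error: %s" % str(exc))
        return False, str(exc)
    return True, ""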
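def ansible_nmap_stop(sensor_ip, task_id):
    """Stops the given scan.

    Sends SIGKILL on the sensor to the pid stored in ``/tmp/<task_id>.scan.pid``
    through the ansible ``shell`` module.

    :param sensor_ip: IP of the sensor running the scan
    :param task_id: identifier of the scan task. It is interpolated into a
                    shell command, so only a plain token (letters, digits,
                    ``_``, ``-``, ``.``, not starting with ``.``) is accepted.
    :return: (True, "") on success, (False, <error message>) otherwise
    """
    # Reject anything that is not a plain token before it reaches the shell:
    # whitespace, quotes, '$(' or a '/' in task_id would change the command.
    if not task_id or re.match(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*\Z", "%s" % (task_id,)) is None:
        return False, "[ansible_nmap_stop] Invalid task id %r. Allowed characters are [A-Za-z0-9_.-]" % (task_id,)
    try:
        pid_file = "/tmp/{0}.scan.pid".format(task_id)
        # NOTE(review): the pid file sits in world-writable /tmp and its content
        # is expanded unquoted by the shell — a dedicated directory would be safer.
        command = "kill -9 $(cat {0})".format(pid_file)
        response = ansible.run_module([sensor_ip], "shell", command)
        (success, msg) = ansible_is_valid_response(sensor_ip, response)
        if not success:
            api_log.error("[ansible_nmap_stop] Error: %s" % str(msg))
            return False, str(msg)
    except Exception as exc:
        api_log.error("[ansible_nmap_stop] Error: %s" % str(exc))
        return False, str(exc)
    return True, ""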
def ossec_get_status(system_ip):
    """Fetch the OSSEC status report of a system.

    Runs the ``av_ossec_status`` ansible module (with sudo) on *system_ip*
    and hands back the ``data`` field of its response.

    :param system_ip: IP of the system to query
    :return: (True, <data returned by the module>) on success,
             (False, <error message>) when the response is not valid or the
             call raises
    """
    error_prefix = "[ossec_get_status] Something wrong happened while running ansible command ->  '%s'"
    try:
        module_response = _ansible.run_module(host_list=[system_ip],
                                              module="av_ossec_status",
                                              args="",
                                              use_sudo=True)
        valid, error_message = ansible_is_valid_response(system_ip, module_response)
        if not valid:
            return False, error_message
        status_data = module_response['contacted'][system_ip]['data']
    except Exception as exc:
        return False, error_prefix % str(exc)
    return True, status_data
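def ansible_nmap_purge_scan_files(sensor_ip, task_id):
    """Removes the files used during the scan.

    Deletes every file matching ``/tmp/<task_id>*`` on the sensor through
    the ansible ``shell`` module.

    :param sensor_ip: IP of the sensor that ran the scan
    :param task_id: identifier of the scan task. It is interpolated into a
                    shell command, so only a plain token (letters, digits,
                    ``_``, ``-``, ``.``, not starting with ``.``) is accepted.
    :return: (True, "") on success, (False, <error message>) otherwise
    """
    # Validate before touching the shell: an empty task_id expands the glob
    # to /tmp/* and wipes every scan file on the sensor, a leading '.' would
    # match the hidden files, and a '/', whitespace or shell metacharacters
    # must never reach the interpolated command.
    if not task_id or re.match(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*\Z", "%s" % (task_id,)) is None:
        return False, "[ansible_nmap_purge_scan_files] Invalid task id %r. Allowed characters are [A-Za-z0-9_.-]" % (task_id,)
    try:
        command = "rm -rf /tmp/{0}*".format(task_id)
        response = ansible.run_module([sensor_ip], "shell", command)
        (success, msg) = ansible_is_valid_response(sensor_ip, response)
        if not success:
            api_log.error("[ansible_nmap_purge_scan_files] Error: %s" %
                          str(msg))
            return False, str(msg)
    except Exception as exc:
        api_log.error("[ansible_nmap_purge_scan_files] Error: %s" % str(exc))
        return False, str(exc)
    return True, ""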
def ansible_get_system_info(system_ip):
    """ Returns: Info from a given ip:
    - the system id
    - the system hostname
    - the system alienvault profile
    - the server_id
    The data comes from the ``av_system_info`` ansible module run with sudo;
    an invalid response is logged and reported as a failure.
    @param system_ip: the host system ip
    @return: (True, <data dict from the module>) or (False, <error message>)
    """
    module_response = ansible.run_module([system_ip], "av_system_info", args="", use_sudo=True)
    valid, error_message = ansible_is_valid_response(system_ip, module_response)
    if valid:
        return (True, module_response['contacted'][system_ip]['data'])
    api_log.error(error_message)
    return (False, "Something wrong happend getting the system data")
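def ossec_get_agentless_passlist(system_ip, destination_path=""):
    """Fetch the OSSEC agentless password list from a system.

    Copies ``/var/ossec/agentless/.passlist`` from *system_ip* to
    *destination_path* on the local machine (ansible ``fetch`` module, flat
    layout, failing if the remote file is missing) and then applies the OSSEC
    file permissions to the local copy through set_ossec_file_permissions.

    :param system_ip: IP of the system holding the passlist
    :param destination_path: local path the file is written to; required.
                             It is interpolated unquoted into the module
                             arguments, so it is assumed to contain no
                             whitespace — TODO confirm how callers build it.
    :return: (True, destination_path) on success, (False, <error message>)
             otherwise
    """
    # ``dest=`` cannot be empty: the default "" would hand ansible an unset
    # destination and then chmod "" locally — reject it before any remote call.
    if not destination_path:
        return False, "[ossec_get_agentless_passlist] A destination path is required"
    agentless_passfile = "/var/ossec/agentless/.passlist"
    try:
        # From ansible doc: Recursive fetching may be supported in a later release.
        fetch_args = "dest=%s src=%s flat=yes fail_on_missing=yes" % (destination_path, agentless_passfile)
        response = _ansible.run_module(host_list=[system_ip], module="fetch", args=fetch_args, use_sudo=True)
        result, msg = ansible_is_valid_response(system_ip, response)
        if not result:
            return False, str(msg)

        # The local copy presumably holds credentials; apply the OSSEC
        # permissions to it right after the fetch.
        success, result = set_ossec_file_permissions(destination_path)
        if not success:
            return False, str(result)
    except Exception as err:
        # The prefix used to name ossec_get_configuration_rule (copy-paste).
        return False, "[ossec_get_agentless_passlist] Something wrong happened while running ansible command %s" % str(err)
    return True, destination_path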
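def ossec_create_preconfigured_agent(sensor_ip, agent_id, agent_type="windows", destination_path=""):
    """Creates a preconfigured agent on the given sensor
    :param sensor_ip: The sensor ip where you want to create the preconfigured agent
    :param agent_id: The agent id for which you want to generate a preconfigured executable.
                    It had to be registered previously on ossec-server. It is
                    interpolated into a shell command, so it must be 1-4 digits only.
    :param agent_type: The agent type to be generated (unix, windows)
    :param destination_path: Local directory where the binary should be copied
    :return: (True, <local path of the fetched installer>) on success,
             (False, <error message>) otherwise"""

    if agent_type not in ["unix", "windows"]:
        return False, "Invalid agent type. Allowed values are [unix, windows]"
    # \Z instead of $: "$" also matches just before a trailing newline, so
    # "12\n" passed validation and reached the shell command.
    if re.match(r"^[0-9]{1,4}\Z", agent_id) is None:
        return False, "Invalid agent ID. The agent ID has to be 1-4 digital characters"
    # Check the local destination before running anything on the sensor; the
    # installer used to be generated remotely and only then fail on this check.
    if not destination_path or not os.path.isdir(destination_path):
        return False, "Destination folder doesn't exists"
    # With flat=yes ansible fetch treats a dest without a trailing separator as
    # a file name, and the returned path is built by concatenation, so make
    # sure the directory ends with a separator.
    if not destination_path.endswith(os.sep):
        destination_path += os.sep
    generated_agent_path = ""
    try:
        command = "/usr/share/ossim/scripts/ossec-download-agent.sh  %s %s" % (agent_id, agent_type)
        response = _ansible.run_module(host_list=[sensor_ip], module="shell", args=command, use_sudo=True)
        result, msg = ansible_is_valid_response(sensor_ip, response)
        if not result:
            return False, msg
        script_return_code = int(response['contacted'][sensor_ip]['rc'])
        script_stdout = response['contacted'][sensor_ip]['stdout']
        if script_return_code != 0:
            return False, "An error occurred while generating the ossec agent. Script return code is %s. Output: %s" % (script_return_code, script_stdout)
        # unix agent generation is not available. The script should fail before arrive to this point
        if agent_type == "windows":
            generated_agent_path = "/usr/share/ossec-generator/agents/ossec_installer_%s.exe" % agent_id
        else:
            # Never fetch with an empty src if the script unexpectedly succeeded.
            return False, "An error occurred while generating the ossec agent. Agent type '%s' is not available" % agent_type
        # We have to copy the remote binary to our local system.
        response = _ansible.run_module(host_list=[sensor_ip], module="fetch", args="dest=%s src=%s flat=yes" % (destination_path, generated_agent_path), use_sudo=True)
        result, msg = ansible_is_valid_response(sensor_ip, response)
        if not result:
            return False, "Something wrong happen while fetching the file %s" % msg
    except Exception as err:
        return False, "An error occurred while generating the ossec agent. %s" % str(err)
    return True, "%sossec_installer_%s.exe" % (destination_path, agent_id)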
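def ossec_put_agentless_passlist(system_ip, local_passfile):
    """
        Upload a local agentless password list to a system.

        Copies *local_passfile* to ``/var/ossec/agentless/.passlist`` on
        *system_ip* with the ansible ``copy`` module (sudo), forcing the
        overwrite and setting owner root, group ossec, mode 644.

        :param system_ip: IP of the target OSSEC system
        :param local_passfile: path of the local file to upload; must exist
        :return: (True, "Done") on success, (False, <error message>) otherwise
    """
    # Fail fast with a clear message instead of letting the copy module report
    # a missing local file.
    if not local_passfile or not os.path.isfile(local_passfile):
        return False, "[ossec_put_agentless_passlist] Local passlist file %r does not exist" % (local_passfile,)
    agentless_passfile = "/var/ossec/agentless/.passlist"
    # NOTE(review): mode=644 leaves the uploaded list, which presumably holds
    # credentials, world-readable on the remote host; confirm the permissions
    # ossec-agentlessd actually needs before tightening it.
    cmd_args = "src=%s dest=%s force=yes owner=root group=ossec mode=644" % (local_passfile, agentless_passfile)
    try:
        response = _ansible.run_module(host_list=[system_ip], module="copy", args=cmd_args, use_sudo=True)
        result, msg = ansible_is_valid_response(system_ip, response)
        if not result:
            return False, str(msg)

    except Exception as err:
        # The prefix used to name ossec_get_configuration_rule (copy-paste).
        return False, "[ossec_put_agentless_passlist] Something wrong happened while running ansible command %s" % str(err)
    return True, "Done"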