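def run_command(agent_list=None, command=None, arguments=None, custom=False):
    """Run an active-response (AR) command on a list of agents.

    :param agent_list: IDs of the agents that must run the AR command. ``None`` or an
        empty list sends nothing and returns a result with no affected items (the
        original iterated over ``None`` and raised ``TypeError``).
    :param command: Command to run in the agent. If this value starts with ``!``, it
        refers to a script name instead of a command name.
    :param arguments: Command arguments.
    :param custom: Whether the specified command is a custom command or not.
    :return: AffectedItemsWazuhResult.
    """
    result = AffectedItemsWazuhResult(
        none_msg='Could not send command to any agent',
        some_msg='Could not send command to some agents',
        all_msg='Command sent to all agents')

    if not agent_list:
        return result

    # The message is identical for every agent, so it is built once, before the
    # queue socket is opened (a failure here must not leak a connection).
    msg_queue = active_response.create_message(command=command, arguments=arguments, custom=custom)
    oq = OssecQueue(common.ARQUEUE)
    try:
        for agent_id in agent_list:
            try:
                active_response.send_command(msg_queue, oq, agent_id)
                result.affected_items.append(agent_id)
                result.total_affected_items += 1
            except WazuhException as e:
                # Per-agent failures are recorded, not fatal for the batch.
                result.add_failed_item(id_=agent_id, error=e)
    finally:
        # Release the queue socket even if a non-Wazuh exception escapes the loop.
        oq.close()
    return result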
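def send_ar_message(agent_id: str = '', oq: OssecQueue = None, command: str = '', arguments: list = None,
                    custom: bool = False, alert: dict = None) -> None:
    """Send the active response message to the agent.

    Parameters
    ----------
    agent_id : str
        ID specifying the agent where the message will be sent to.
    oq : OssecQueue
        OssecQueue used for the active response messages.
    command : str
        Command running in the agents. If this value starts with !, then it refers to a
        script name instead of a command name.
    custom : bool
        Whether the specified command is a custom command or not.
    arguments : list
        Command arguments.
    alert : dict
        Alert information depending on the AR executed.

    Raises
    ------
    WazuhError(1651)
        If the agent with ID agent_id is not active.
    WazuhError(1750)
        If active response is disabled in the agent's configuration.
    """
    # One Agent object serves both the status and the configuration lookups.
    agent = Agent(agent_id)
    agent_info = agent.get_basic_information()

    # Refuse to send to an agent that is not active; 'N/A' mirrors the syscheck
    # handling when the status field is missing instead of raising KeyError.
    agent_status = agent_info.get('status', 'N/A')
    if agent_status.lower() != 'active':
        raise WazuhError(1651, extra_message='{0}'.format(agent_status))

    # Only read the version once the agent is known to be active.
    agent_version = agent_info['version']

    # Honour the agent-side opt-out: no AR command is pushed when it is disabled.
    # A missing 'active-response' section deliberately raises KeyError rather than
    # silently treating AR as enabled.
    agent_conf = agent.getconfig('com', 'active-response', agent_version)
    if agent_conf['active-response']['disabled'] == 'yes':
        raise WazuhError(1750)

    # Agents at or above AR_LEGACY_VERSION receive the JSON message; older ones
    # only understand the classic string format.
    if WazuhVersion(agent_version) >= WazuhVersion(common.AR_LEGACY_VERSION):
        msg_queue = create_json_message(command=command, arguments=arguments, alert=alert)
    else:
        msg_queue = create_message(command=command, arguments=arguments, custom=custom)

    oq.send_msg_to_agent(msg=msg_queue, agent_id=agent_id, msg_type=OssecQueue.AR_TYPE)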
def test_OssecQueue_close(mock_close, mock_conn):
    """Construction connects to the given path and close() releases the socket once."""
    q = OssecQueue('test_path')
    q.close()

    # The constructor must have connected exactly once with the supplied path,
    # and close() must have called the (mocked) socket close with no arguments.
    mock_conn.assert_called_once_with('test_path')
    mock_close.assert_called_once_with()
def test_OssecQueue_protected_send_ko(mock_send, mock_conn):
    """A failing socket send inside OssecQueue._send surfaces as WazuhException 1011."""
    q = OssecQueue('test_path')

    # The error code has to appear in the exception text.
    with pytest.raises(WazuhException, match=r".* 1011 .*"):
        q._send('msg')

    mock_conn.assert_called_with('test_path')
def test_OssecQueue_send_msg_to_agent_ko(mock_send, mock_conn, msg, agent_id, msg_type, expected_exception):
    """send_msg_to_agent raises the parametrised Wazuh error code for invalid inputs."""
    expected_pattern = f'.* {expected_exception} .*'
    q = OssecQueue('test_path')

    with pytest.raises(WazuhException, match=expected_pattern):
        q.send_msg_to_agent(msg, agent_id, msg_type)

    # Even the failing path must have gone through a single connect.
    mock_conn.assert_called_once_with('test_path')
def test_OssecQueue_send_msg_to_agent(mock_send, mock_conn, msg, agent_id, msg_type):
    """send_msg_to_agent returns a string for every parametrised valid message."""
    q = OssecQueue('test_path')
    sent = q.send_msg_to_agent(msg, agent_id, msg_type)

    assert isinstance(sent, str)
    mock_conn.assert_called_once_with('test_path')
def test_OssecQueue_protected_connect(mock_set, mock_conn):
    """OssecQueue._connect adjusts the socket option once when getsockopt reports 1."""
    # First instance: getsockopt is whatever the decorator-level mocks provide.
    OssecQueue('test_path')

    # Second instance: force getsockopt to report 1 so the setsockopt branch runs.
    with patch('wazuh.core.ossec_queue.socket.socket.getsockopt', return_value=1):
        OssecQueue('test_path')

    mock_conn.assert_called_with('test_path')
    # NOTE(review): 1, 7 and 6400 look like SOL_SOCKET / SO_SNDBUF (Linux values)
    # and the target buffer size — confirm against OssecQueue._connect.
    mock_set.assert_called_once_with(1, 7, 6400)
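def run_command(agent_list: list = None, command: str = '', arguments: list = None, custom: bool = False,
                alert: dict = None) -> AffectedItemsWazuhResult:
    """Run AR command in a specific agent.

    Parameters
    ----------
    agent_list : list
        Agents list that will run the AR command. ``None`` or empty sends nothing.
    command : str
        Command running in the agents. If this value starts with !, then it refers to a
        script name instead of a command name.
    custom : bool
        Whether the specified command is a custom command or not.
    arguments : list
        Command arguments.
    alert : dict
        Alert information depending on the AR executed.

    Returns
    -------
    AffectedItemsWazuhResult.
    """
    result = AffectedItemsWazuhResult(
        all_msg='AR command was sent to all agents',
        some_msg='AR command was not sent to some agents',
        none_msg='AR command was not sent to any agent')

    if not agent_list:
        return result

    oq = OssecQueue(common.ARQUEUE)
    try:
        # Resolve the set of known agents once for the whole batch.
        system_agents = get_agents_info()
        for agent_id in agent_list:
            try:
                # Unknown IDs are rejected before anything is sent.
                if agent_id not in system_agents:
                    raise WazuhResourceNotFound(1701)
                # ID 000 is refused with 1703 (presumably the manager itself;
                # verify against the error catalogue).
                if agent_id == "000":
                    raise WazuhError(1703)
                active_response.send_ar_message(agent_id, oq, command, arguments, custom, alert)
                result.affected_items.append(agent_id)
                result.total_affected_items += 1
            except WazuhException as e:
                # Per-agent failures are reported in the result, not raised.
                result.add_failed_item(id_=agent_id, error=e)
    finally:
        # Always release the queue socket, even if get_agents_info() or a
        # non-Wazuh exception escapes the loop.
        oq.close()
    return result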
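def run(agent_list=None):
    """Restart the syscheck scan on the given agents.

    :param agent_list: IDs of the agents whose syscheck scan must be restarted. ``None``
        or empty yields a result with no affected items (the original iterated over
        ``None`` and raised ``TypeError``).
    :return: AffectedItemsWazuhResult.
    """
    result = AffectedItemsWazuhResult(all_msg='Syscheck scan was restarted on returned agents',
                                      some_msg='Syscheck scan was not restarted on some agents',
                                      none_msg='No syscheck scan was restarted')

    for agent_id in agent_list or []:
        try:
            agent_info = Agent(agent_id).get_basic_information()
            agent_status = agent_info.get('status', 'N/A')
            if agent_status.lower() != 'active':
                # Only active agents can receive the restart request.
                result.add_failed_item(
                    id_=agent_id,
                    error=WazuhError(1601, extra_message='Status - {}'.format(agent_status)))
                continue

            oq = OssecQueue(common.ARQUEUE)
            try:
                oq.send_msg_to_agent(OssecQueue.HC_SK_RESTART, agent_id)
                result.affected_items.append(agent_id)
            finally:
                # Release the queue socket even when sending raises.
                oq.close()
        except WazuhError as e:
            # NOTE(review): only WazuhError is captured per agent; other
            # WazuhException subclasses propagate out of the whole call, unlike the
            # AR run_command which catches WazuhException — confirm which is intended.
            result.add_failed_item(id_=agent_id, error=e)

    # Agent IDs are numeric strings; sort numerically so "10" follows "9".
    result.affected_items = sorted(result.affected_items, key=int)
    result.total_affected_items = len(result.affected_items)
    return result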
def test_OssecQueue_protected_send(mock_conn, send_response, error):
    """OssecQueue._send either completes or raises 1011, depending on what socket.send reports."""
    q = OssecQueue('test_path')

    with patch('socket.socket.send', return_value=send_response):
        if not error:
            q._send('msg')
        else:
            # The parametrised send_response is one _send treats as a failure.
            with pytest.raises(WazuhException, match=r".* 1011 .*"):
                q._send('msg')

    mock_conn.assert_called_with('test_path')
def test_OssecQueue_protected_connect_ko(mock_conn):
    """A failing connection during construction surfaces as WazuhException 1010."""
    # The mocked connect fails, so the constructor itself must raise.
    with pytest.raises(WazuhException, match=r".* 1010 .*"):
        OssecQueue('test_path')
def test_OssecQueue__init__(mock_conn):
    """Constructing an OssecQueue performs exactly one connection attempt."""
    OssecQueue('test_path')

    # The patched _connect is invoked once and without arguments.
    mock_conn.assert_called_once_with()