Example #1
def last_scan(agent_id):
    Gets the last scan of the agent.

    :param agent_id: Agent ID.
    :return: Dictionary: end, start.
    Agent(agent_id).get_basic_information()  # check if the agent exists
    # Connection
    db_agent = glob('{0}/{1}-*.db'.format(common.database_path_agents,
    if not db_agent:
        raise WazuhException(1600)
        db_agent = db_agent[0]

    conn = Connection(db_agent)

    data = {}
    # end time
    query = "SELECT max(date_last) FROM pm_event WHERE log = 'Ending rootcheck scan.'"
    time = conn.fetch()
    data['end'] = datetime.utcfromtimestamp(time).strftime(
        "%Y-%m-%d %H:%M:%S") if time is not None else "ND"
    # start time
    query = "SELECT max(date_last) FROM pm_event WHERE log = 'Starting rootcheck scan.'"
    time = conn.fetch()
    data['start'] = datetime.utcfromtimestamp(time).strftime(
        "%Y-%m-%d %H:%M:%S") if time is not None else "ND"

    return data
Example #2
def get_cis_local(agent_id=None,
    query = "SELECT {0} FROM pm_event WHERE cis IS NOT NULL"
    fields = {}
    request = {}

    # Connection
    db_agent = glob('{0}/{1}-*.db'.format(common.database_path_agents,
    if not db_agent:
        raise WazuhException(1600)
        db_agent = db_agent[0]

    conn = Connection(db_agent)

    # Search
    if search:
        query += " AND NOT" if bool(search['negation']) else ' AND'
        query += " cis LIKE :search"
        request['search'] = '%{0}%'.format(search['value'])

    # Total items
    conn.execute(query.format('COUNT(DISTINCT cis)'), request)
    data = {'totalItems': conn.fetch()[0]}

    # Sorting
    if sort:
        if sort['fields']:
            allowed_sort_fields = fields.keys()
            # Check if every element in sort['fields'] is in allowed_sort_fields
            if not set(sort['fields']).issubset(allowed_sort_fields):
                uncorrect_fields = map(
                    lambda x: str(x),
                    set(sort['fields']) - set(allowed_sort_fields))
                raise WazuhException(
                    1403, 'Allowed sort fields: {0}. Fields: {1}'.format(
                        allowed_sort_fields, uncorrect_fields))

            query += ' ORDER BY cis ' + sort['order']
            query += ' ORDER BY cis {0}'.format(sort['order'])
        query += ' ORDER BY cis ASC'

    if limit:
        query += ' LIMIT :offset,:limit'
        request['offset'] = offset
        request['limit'] = limit

    conn.execute(query.format('DISTINCT cis'), request)

    data['items'] = []
    for tuple in conn:

    return data
Example #3
    def get_agents_summary():
        Counts the number of agents by status.

        :return: Dictionary with keys: total, Active, Disconnected, Never connected

        db_global = glob(common.database_path_global)
        if not db_global:
            raise WazuhException(1600)

        conn = Connection(db_global[0])

        # Query
        query_all = "SELECT COUNT(*) FROM agent"

        query = "SELECT COUNT(*) FROM agent WHERE {0}"
        request = {}
        query_active = query.format(
            '(last_keepalive >= :time_active or id = 0)')
        query_disconnected = query.format('last_keepalive < :time_active')
        query_never = query.format('last_keepalive IS NULL AND id != 0')

        limit_seconds = 600 * 3 + 30
        result = datetime.now() - timedelta(seconds=limit_seconds)
        request['time_active'] = result.strftime('%Y-%m-%d %H:%M:%S')

        total = conn.fetch()[0]

        conn.execute(query_active, request)
        active = conn.fetch()[0]

        conn.execute(query_disconnected, request)
        disconnected = conn.fetch()[0]

        conn.execute(query_never, request)
        never = conn.fetch()[0]

        return {
            'Total': total,
            'Active': active,
            'Disconnected': disconnected,
            'Never connected': never
Example #4
def get_cis(agent_id=None, offset=0, limit=common.database_limit, sort=None, search=None):
    Get all the CIS requirements used in the rootchecks of the agent.

    :param agent_id: Agent ID.
    :param offset: First item to return.
    :param limit: Maximum number of items to return.
    :param sort: Sorts the items. Format: {"fields":["field1","field2"],"order":"asc|desc"}.
    :param search: Looks for items with the specified string.
    :return: Dictionary: {'items': array of items, 'totalItems': Number of items (without applying the limit)}

    query = "SELECT {0} FROM pm_event WHERE cis IS NOT NULL"
    fields = {}
    request = {}

    # Connection
    db_agent = glob('{0}/{1}-*.db'.format(common.database_path_agents, agent_id))
    if not db_agent:
        raise WazuhException(1600)
        db_agent = db_agent[0]

    conn = Connection(db_agent)

    # Search
    if search:
        query += " AND NOT" if bool(search['negation']) else ' AND'
        query += " cis LIKE :search"
        request['search'] = '%{0}%'.format(search['value'])

    # Total items
    conn.execute(query.format('COUNT(DISTINCT cis)'), request)
    data = {'totalItems': conn.fetch()[0]}

    # Sorting
    if sort:
        allowed_sort_fields = fields.keys()
        for sf in sort['fields']:
            if sf not in allowed_sort_fields:
                raise WazuhException(1403, 'Allowed sort fields: {0}. Field: {1}'.format(allowed_sort_fields, sf))
        query += ' ORDER BY cis ' + sort['order']
        query += ' ORDER BY cis ASC'

    query += ' LIMIT :offset,:limit'
    request['offset'] = offset
    request['limit'] = limit

    conn.execute(query.format('DISTINCT cis'), request)

    data['items'] = []
    for tuple in conn:

    return data
Example #5
def get_cis(agent_id=None, offset=0, limit=common.database_limit, sort=None, search=None):
    Get all the CIS requirements used in the rootchecks of the agent.

    :param agent_id: Agent ID.
    :param offset: First item to return.
    :param limit: Maximum number of items to return.
    :param sort: Sorts the items. Format: {"fields":["field1","field2"],"order":"asc|desc"}.
    :param search: Looks for items with the specified string.
    :return: Dictionary: {'items': array of items, 'totalItems': Number of items (without applying the limit)}

    query = "SELECT {0} FROM pm_event WHERE cis IS NOT NULL"
    fields = {}
    request = {}

    # Connection
    db_agent = glob('{0}/{1}-*.db'.format(common.database_path_agents, agent_id))
    if not db_agent:
        raise WazuhException(1600)
        db_agent = db_agent[0]

    conn = Connection(db_agent)

    # Search
    if search:
        query += " AND NOT" if bool(search['negation']) else ' AND'
        query += " cis LIKE :search"
        request['search'] = '%{0}%'.format(search['value'])

    # Total items
    conn.execute(query.format('COUNT(DISTINCT cis)'), request)
    data = {'totalItems': conn.fetch()[0]}

    # Sorting
    if sort:
        allowed_sort_fields = fields.keys()
        for sf in sort['fields']:
            if sf not in allowed_sort_fields:
                raise WazuhException(1403, 'Allowed sort fields: {0}. Field: {1}'.format(allowed_sort_fields, sf))
        query += ' ORDER BY cis ' + sort['order']
        query += ' ORDER BY cis ASC'

    query += ' LIMIT :offset,:limit'
    request['offset'] = offset
    request['limit'] = limit

    conn.execute(query.format('DISTINCT cis'), request)

    data['items'] = []
    for tuple in conn:

    return data
Example #6
    def get_agents_summary():
        Counts the number of agents by status.

        :return: Dictionary with keys: total, Active, Disconnected, Never connected

        db_global = glob(common.database_path_global)
        if not db_global:
            raise WazuhException(1600)

        conn = Connection(db_global[0])

        # Query
        query_all = "SELECT COUNT(*) FROM agent"

        query = "SELECT COUNT(*) FROM agent WHERE {0}"
        request = {}
        query_active = query.format('(last_keepalive >= :time_active or id = 0)')
        query_disconnected = query.format('last_keepalive < :time_active')
        query_never = query.format('last_keepalive IS NULL AND id != 0')

        limit_seconds = 600*3 + 30
        result = datetime.now() - timedelta(seconds=limit_seconds)
        request['time_active'] = result.strftime('%Y-%m-%d %H:%M:%S')

        total = conn.fetch()[0]

        conn.execute(query_active, request)
        active = conn.fetch()[0]

        conn.execute(query_disconnected, request)
        disconnected = conn.fetch()[0]

        conn.execute(query_never, request)
        never = conn.fetch()[0]

        return {'Total': total, 'Active': active, 'Disconnected': disconnected, 'Never connected': never}
Example #7
def get_all_groups(offset=0,
    Gets the existing groups.

    :param offset: First item to return.
    :param limit: Maximum number of items to return.
    :param sort: Sorts the items. Format: {"fields":["field1","field2"],"order":"asc|desc"}.
    :param search: Looks for items with the specified string.
    :return: Dictionary: {'items': array of items, 'totalItems': Number of items (without applying the limit)}
    def get_hash(file, hash_algorithm='md5'):
        filename = "{0}/{1}".format(common.shared_path, file)

        # check hash algorithm
            algorithm_list = hashlib.algorithms_available
        except Exception as e:
            algorithm_list = hashlib.algorithms

        if not hash_algorithm in algorithm_list:
            raise WazuhException(
                1723, "Available algorithms are {0}.".format(algorithm_list))

        hashing = hashlib.new(hash_algorithm)

            with open(filename, 'rb') as f:
        except IOError:
            return None

        return hashing.hexdigest()

    # Connect DB
    db_global = glob(common.database_path_global)
    if not db_global:
        raise WazuhException(1600)

    conn = Connection(db_global[0])
    query = "SELECT {0} FROM agent WHERE `group` = :group_id"

    # Group names
    data = []
    for entry in listdir(common.shared_path):
        full_entry = path.join(common.shared_path, entry)
        if not path.isdir(full_entry):

        # Group count
        request = {'group_id': entry}
        conn.execute(query.format('COUNT(*)'), request)

        # merged.mg and agent.conf sum
        merged_sum = get_hash(entry + "/merged.mg")
        conf_sum = get_hash(entry + "/agent.conf")

        item = {'count': conn.fetch()[0], 'name': entry}

        if merged_sum:
            item['merged_sum'] = merged_sum

        if conf_sum:
            item['conf_sum'] = conf_sum


    if search:
        data = search_array(data,

    if sort:
        data = sort_array(data, sort['fields'], sort['order'])
        data = sort_array(data, ['name'])

    return {'items': cut_array(data, offset, limit), 'totalItems': len(data)}
Example #8
def print_db(agent_id=None,
    Returns a list of events from the database.

    :param agent_id: Agent ID.
    :param status: Filters by status: outstanding, solved, all.
    :param pci: Filters by PCI DSS requirement.
    :param cis: Filters by CIS.
    :param offset: First item to return.
    :param limit: Maximum number of items to return.
    :param sort: Sorts the items. Format: {"fields":["field1","field2"],"order":"asc|desc"}.
    :param search: Looks for items with the specified string.
    :return: Dictionary: {'items': array of items, 'totalItems': Number of items (without applying the limit)}

    # Connection
    db_agent = glob('{0}/{1}-*.db'.format(common.database_path_agents,
    if not db_agent:
        raise WazuhException(1600)
        db_agent = db_agent[0]

    conn = Connection(db_agent)

    request = {}
    fields = {
        'status': 'status',
        'event': 'log',
        'oldDay': 'date_first',
        'readDay': 'date_last'

    partial = """SELECT {0} AS status, date_first, date_last, log, pci_dss, cis
        FROM pm_event AS t
        WHERE date_last {1} (SELECT datetime(date_last, '-86400 seconds') FROM pm_event WHERE log = 'Ending rootcheck scan.')"""

    if status == 'all':
        query = "SELECT {0} FROM (" + partial.format("'outstanding'", '>') + ' UNION ' + partial.format("'solved'", '<=') + \
            ") WHERE log NOT IN ('Starting rootcheck scan.', 'Ending rootcheck scan.', 'Starting syscheck scan.', 'Ending syscheck scan.')"
    elif status == 'outstanding':
        query = "SELECT {0} FROM (" + partial.format("'outstanding'", '>') + \
            ") WHERE log NOT IN ('Starting rootcheck scan.', 'Ending rootcheck scan.', 'Starting syscheck scan.', 'Ending syscheck scan.')"
    elif status == 'solved':
        query = "SELECT {0} FROM (" + partial.format("'solved'", '<=') + \
            ") WHERE log NOT IN ('Starting rootcheck scan.', 'Ending rootcheck scan.', 'Starting syscheck scan.', 'Ending syscheck scan.')"

    if pci:
        query += ' AND pci_dss = :pci'
        request['pci'] = pci

    if cis:
        query += ' AND cis = :cis'
        request['cis'] = cis

    if search:
        query += " AND NOT" if bool(search['negation']) else ' AND'
        query += " (" + " OR ".join(
            x + ' LIKE :search'
            for x in ('status', 'date_first', 'date_last', 'log')) + ")"
        request['search'] = '%{0}%'.format(search['value'])

    # Total items

    conn.execute(query.format('COUNT(*)'), request)
    data = {'totalItems': conn.fetch()[0]}

    # Sorting
    if sort:
        if sort['fields']:
            allowed_sort_fields = fields.keys()
            # Check if every element in sort['fields'] is in allowed_sort_fields
            if not set(sort['fields']).issubset(allowed_sort_fields):
                uncorrect_fields = list(
                    map(lambda x: str(x),
                        set(sort['fields']) - set(allowed_sort_fields)))
                raise WazuhException(
                    1403, 'Allowed sort fields: {0}. Fields: {1}'.format(
                        allowed_sort_fields, uncorrect_fields))

            query += ' ORDER BY ' + ','.join([
                '{0} {1}'.format(fields[i], sort['order'])
                for i in sort['fields']
            query += ' ORDER BY date_last {0}'.format(sort['order'])
        query += ' ORDER BY date_last DESC'

    if limit:
        query += ' LIMIT :offset,:limit'
        request['offset'] = offset
        request['limit'] = limit

    select = ["status", "date_first", "date_last", "log", "pci_dss", "cis"]

    conn.execute(query.format(','.join(select)), request)

    data['items'] = []
    for tuple in conn:
        data_tuple = {}

        if tuple[0] != None:
            data_tuple['status'] = tuple[0]
        if tuple[1] != None:
            data_tuple['oldDay'] = tuple[1]
        if tuple[2] != None:
            data_tuple['readDay'] = tuple[2]
        if tuple[3] != None:
            data_tuple['event'] = tuple[3]
        if tuple[4] != None:
            data_tuple['pci'] = tuple[4]
        if tuple[5] != None:
            data_tuple['cis'] = tuple[5]


    return data
Example #9
def get_agent_group(group_id,
    Gets the agents in a group

    :param group_id: Group ID.
    :param offset: First item to return.
    :param limit: Maximum number of items to return.
    :param sort: Sorts the items. Format: {"fields":["field1","field2"],"order":"asc|desc"}.
    :param search: Looks for items with the specified string.
    :return: Dictionary: {'items': array of items, 'totalItems': Number of items (without applying the limit)}

    # Connect DB
    db_global = glob(common.database_path_global)
    if not db_global:
        raise WazuhException(1600)

    conn = Connection(db_global[0])
    valid_select_fiels = [
        "id", "name", "ip", "last_keepalive", "os_name", "os_version",
        "os_platform", "os_uname", "version", "config_sum", "merged_sum",
    search_fields = {"id", "name", "os_name"}

    # Init query
    query = "SELECT {0} FROM agent WHERE `group` = :group_id"
    fields = {'id': 'id', 'name': 'name'}  # field: db_column
    request = {'group_id': group_id}

    # Select
    if select:
        if not set(select['fields']).issubset(valid_select_fiels):
            uncorrect_fields = map(
                lambda x: str(x),
                set(select['fields']) - set(valid_select_fiels))
            raise WazuhException(1724, "Allowed select fields: {0}. Fields {1}".\
                    format(valid_select_fiels, uncorrect_fields))
        select_fields = select['fields']
        select_fields = valid_select_fiels

    # Search
    if search:
        query += " AND NOT" if bool(search['negation']) else ' AND'
        query += " (" + " OR ".join(x + ' LIKE :search'
                                    for x in search_fields) + " )"
        request['search'] = '%{0}%'.format(
            int(search['value']) if search['value'].isdigit(
            ) else search['value'])

    # Count
    conn.execute(query.format('COUNT(*)'), request)
    data = {'totalItems': conn.fetch()[0]}

    # Sorting
    if sort:
        if sort['fields']:
            allowed_sort_fields = select_fields
            # Check if every element in sort['fields'] is in allowed_sort_fields.
            if not set(sort['fields']).issubset(allowed_sort_fields):
                raise WazuhException(1403, 'Allowed sort fields: {0}. Fields: {1}'.\
                    format(allowed_sort_fields, sort['fields']))

            order_str_fields = [
                '{0} {1}'.format(fields[i], sort['order'])
                for i in sort['fields']
            query += ' ORDER BY ' + ','.join(order_str_fields)
            query += ' ORDER BY id {0}'.format(sort['order'])
        query += ' ORDER BY id ASC'

    if limit:
        query += ' LIMIT :offset,:limit'
        request['offset'] = offset
        request['limit'] = limit

    # Data query
    conn.execute(query.format(','.join(select_fields)), request)

    non_nested = [{field:tuple_elem for field,tuple_elem \
            in zip(select_fields, tuple) if tuple_elem} for tuple in conn]
    map(lambda x: setitem(x, 'id', str(x['id']).zfill(3)), non_nested)

    data['items'] = [plain_dict_to_nested_dict(d, ['os']) for d in non_nested]

    return data
Example #10
class WazuhDBQuery(object):
    This class describes a database query for wazuh
    def __init__(self,
        Wazuh DB Query constructor

        :param offset: First item to return.
        :param limit: Maximum number of items to return.
        :param sort: Sorts the items. Format: {"fields":["field1","field2"],"order":"asc|desc"}.
        :param select: Select fields to return. Format: {"fields":["field1","field2"]}.
        :param filters: Defines field filters required by the user. Format: {"field1":"value1", "field2":["value2","value3"]}
        :param query: query to filter in database. Format: field operator value.
        :param search: Looks for items with the specified string. Format: {"fields": ["field1","field2"]}
        :param table: table to do the query
        :param fields: all available fields
        :param default_sort_field: by default, return elements sorted by this field
        :param db_path: database path
        :param default_sort_order: by default, return elements sorted in this order
        :param min_select_fields: fields that must be always be selected because they're necessary to compute other fields
        :param count: whether to compute totalItems or not
        :param date_fields: database fields that represent a date
        :param get_data: whether to return data or not
        self.offset = offset
        self.limit = limit
        self.table = table
        self.sort = sort
        self.search = search
        self.select = None if not select else select.copy()
        self.fields = fields.copy()
        self.query = self._default_query()
        self.request = {}
        self.default_sort_field = default_sort_field
        self.default_sort_order = default_sort_order
        self.query_filters = []
        self.count = count
        self.data = get_data
        self.total_items = 0
        self.min_select_fields = min_select_fields
        self.query_operators = {
            "=": "=",
            "!=": "!=",
            "<": "<",
            ">": ">",
            "~": 'LIKE'
        self.query_separators = {',': 'OR', ';': 'AND', '': ''}
        # To correctly turn a query into SQL, a regex is used. This regex will extract all necessary information:
        # For example, the following regex -> (name!=wazuh;id>5),group=webserver <- would return 3 different matches:
        #   (name != wazuh ;
        #    id   > 5      ),
        #    group=webserver
        self.query_regex = re.compile(
            r'(\()?' +  # A ( character.
            r'([\w.]+)' +  # Field name: name of the field to look on DB
            '([' + ''.join(self.query_operators.keys()) +
            "]{1,2})" +  # Operator: looks for =, !=, <, > or ~.
            r"([\w _\-\.:/']+)" +  # Value: A string.
            r"(\))?" +  # A ) character
            "([" + ''.join(self.query_separators.keys()) +
            "])?"  # Separator: looks for ;, , or nothing.
        self.date_regex = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
        self.date_fields = date_fields
        self.extra_fields = extra_fields
        self.q = query
        self.legacy_filters = filters
        self.inverse_fields = {v: k for k, v in self.fields.items()}
        if db_path:
            if not glob.glob(db_path):
                raise WazuhException(1600)
            self.conn = Connection(db_path)

    def _add_limit_to_query(self):
        if self.limit:
            if self.limit > common.maximum_database_limit:
                raise WazuhException(1405, str(self.limit))
            self.query += ' LIMIT :offset,:limit'
            self.request['offset'] = self.offset
            self.request['limit'] = self.limit
        elif self.limit == 0:  # 0 is not a valid limit
            raise WazuhException(1406)

    def _sort_query(self, field):
        return '{} {}'.format(self.fields[field], self.sort['order'])

    def _add_sort_to_query(self):
        if self.sort:
            if self.sort['fields']:
                sort_fields, allowed_sort_fields = set(
                    self.sort['fields']), set(self.fields.keys())
                # check every element in sort['fields'] is in allowed_sort_fields
                if not sort_fields.issubset(allowed_sort_fields):
                    raise WazuhException(
                        1403, "Allowerd sort fields: {}. Fields: {}".format(
                            ', '.join(sort_fields - allowed_sort_fields)))
                self.query += ' ORDER BY ' + ','.join(
                    [self._sort_query(i) for i in sort_fields])
                self.query += ' ORDER BY {0} {1}'.format(
                    self.default_sort_field, self.sort['order'])
            self.query += ' ORDER BY {0} {1}'.format(self.default_sort_field,

    def _add_search_to_query(self):
        if self.search:
            self.query += " AND NOT" if bool(
                self.search['negation']) else ' AND'
            self.query += " (" + " OR ".join(
                f'({x.split(" as ")[0]} LIKE :search AND {x.split(" as ")[0]} IS NOT NULL)'
                for x in self.fields.values()) + ')'
            self.query = self.query.replace('WHERE  AND', 'WHERE')
            self.request['search'] = "%{0}%".format(self.search['value'])

    def _parse_select_filter(self, select_fields):
        if select_fields:
            set_select_fields = set(select_fields['fields'])
            set_fields_keys = set(self.fields.keys()) - self.extra_fields
            if not set_select_fields.issubset(set_fields_keys):
                raise WazuhException(1724, "Allowed select fields: {0}. Fields {1}". \
                                     format(', '.join(self.fields.keys()), ', '.join(set_select_fields - set_fields_keys)))

            select_fields['fields'] = set_select_fields
            select_fields = {'fields': set(self.fields.keys())}

        return select_fields

    def _add_select_to_query(self):
        self.select = self._parse_select_filter(self.select)

    def _parse_query(self):
        A query has the following pattern: field operator value separator field operator value...
        An example of query: status=never connected;name!=pepe
            * Field must be a database field (it must be contained in self.fields variable)
            * operator must be one of = != < >
            * value can be anything
            * Separator can be either ; for 'and' or , for 'or'.

        :return: A list with processed query (self.fields)
        if not self.query_regex.match(self.q):
            raise WazuhException(1407, self.q)

        level = 0
        for open_level, field, operator, value, close_level, separator in self.query_regex.findall(
            if field not in self.fields.keys():
                raise WazuhException(
                    1408, "Available fields: {}. Field: {}".format(
                        ', '.join(self.fields), field))
            if operator not in self.query_operators:
                raise WazuhException(
                    1409, "Valid operators: {}. Used operator: {}".format(
                        ', '.join(self.query_operators), operator))

            if open_level:
                level += 1
            if close_level:
                level -= 1

            if not self._pass_filter(value):
                op_index = len(
                        filter(lambda x: field in x['field'],
                    None if value == "null" else value,
                    '{}${}'.format(field, op_index),

    def _parse_legacy_filters(self):
        Parses legacy filters.
        # some legacy filters can contain multiple values to filter separated by commas. That must split in a list.
        legacy_filters_as_list = {
            name: value.split(',') if isinstance(value, str) else
            (value if isinstance(value, list) else [value])
            for name, value in self.legacy_filters.items()
        # each filter is represented using a dictionary containing the following fields:
        #   * Value     -> Value to filter by
        #   * Field     -> Field to filter by. Since there can be multiple filters over the same field, a numeric ID
        #                  must be added to the field name.
        #   * Operator  -> Operator to use in the database query. In legacy filters the only available one is =.
        #   * Separator -> Logical operator used to join queries. In legacy filters, the AND operator is used when
        #                  different fields are filtered and the OR operator is used when filtering by the same field
        #                  multiple times.
        #   * Level     -> The level defines the number of parenthesis the query has. In legacy filters, no
        #                  parenthesis are used except when filtering over the same field.
        self.query_filters += [{
            'value': None if subvalue == "null" else subvalue,
            'field': '{}${}'.format(name, i),
            'operator': '=',
            'separator': 'OR' if len(value) > 1 else 'AND',
            'level': 0 if i == len(value) - 1 else 1
        } for name, value in legacy_filters_as_list.items()
                               for subvalue, i in zip(value, range(len(value)))
                               if not self._pass_filter(subvalue)]
        if self.query_filters:
            # if only traditional filters have been defined, remove last AND from the query.
            self.query_filters[-1]['separator'] = '' if not self.q else 'AND'

    def _parse_filters(self):
        if self.legacy_filters:
        if self.q:
        if self.search or self.query_filters:
            self.query += " WHERE " if 'WHERE' not in self.query else ' AND '

    def _process_filter(self, field_name, field_filter, q_filter):
        if field_name == "status":
        elif field_name in self.date_fields and not self.date_regex.match(
            # filter a date, but only if it is in timeframe format.
            # If it matches the same format as DB (YYYY-MM-DD hh:mm:ss), filter directly by value (next if cond).
            self._filter_date(q_filter, field_name)
            if q_filter['value'] is not None:
                self.request[field_filter] = q_filter[
                    'value'] if field_name != "version" else re.sub(
                        r'([a-zA-Z])([v])', r'\1 \2', q_filter['value'])
                if q_filter['operator'] == 'LIKE':
                    self.request[field_filter] = "%{}%".format(
                self.query += '{} {} :{}'.format(
                    self.fields[field_name].split(' as ')[0],
                    q_filter['operator'], field_filter)
                if not field_filter.isdigit():
                    # filtering without being uppercase/lowercase sensitive
                    self.query += ' COLLATE NOCASE'
                self.query += '{} IS null'.format(self.fields[field_name])

    def _add_filters_to_query(self):
        curr_level = 0
        for q_filter in self.query_filters:
            field_name = q_filter['field'].split('$', 1)[0]
            field_filter = q_filter['field'].replace('.', '_')

            self.query += '((' if curr_level < q_filter['level'] else '('

            self._process_filter(field_name, field_filter, q_filter)

            self.query += ('))' if curr_level > q_filter['level'] else
                           ')') + ' {} '.format(q_filter['separator'])
            curr_level = q_filter['level']

    def _get_total_items(self):
        self.total_items = self.conn.fetch()[0]

    def _get_data(self):
                map(lambda x: f"{self.fields[x]} as '{x}'",
                    self.select['fields'] | self.min_select_fields))),

    def _format_data_into_dictionary(self):
        return {
            'items': [{
                key: value
                for key, value in zip(
                    self.select['fields'] | self.min_select_fields, db_tuple)
                if value is not None
            } for db_tuple in self.conn],

    def _filter_status(self, status_filter):
        raise NotImplementedError

    def _filter_date(self, date_filter, filter_db_name):
        # date_filter['value'] can be either a timeframe or a date in format %Y-%m-%d %H:%M:%S
        if date_filter['value'].isdigit() or re.match(r'\d+[dhms]',
            query_operator = '>' if date_filter[
                'operator'] == '<' or date_filter['operator'] == '=' else '<'
            self.request[date_filter['field']] = get_timeframe_in_seconds(
            self.query += "({0} IS NOT NULL AND CAST(strftime('%s', {0}) AS INTEGER) {1}" \
                          " CAST(strftime('%s', 'now', 'localtime') AS INTEGER) - :{2}) ".format(self.fields[filter_db_name],
        elif re.match(r'\d{4}-\d{2}-\d{2}', date_filter['value']):
            self.query += "{0} IS NOT NULL AND {0} {1} :{2}".format(
                self.fields[filter_db_name], date_filter['operator'],
            self.request[date_filter['field']] = date_filter['value']
            raise WazuhException(1412, date_filter['value'])

    def run(self):
        Builds the query and runs it on the database

        if self.count:
        if self.data:
            return self._format_data_into_dictionary()

    def reset(self):
        Resets query to its initial value. Useful when doing several requests to the same DB.
        self.query = self._default_query()
        self.query_filters = []
        self.select['fields'] -= self.extra_fields

    def _default_query(self):
        :return: The default query
        return "SELECT {0} FROM " + self.table

    def _default_count_query(self):
        return "COUNT(*)"

    def _pass_filter(db_filter):
        return db_filter == "all"
Example #11
def print_db(agent_id=None, status='all', pci=None, cis=None, offset=0, limit=common.database_limit, sort=None, search=None):
    Returns a list of events from the database.

    :param agent_id: Agent ID.
    :param status: Filters by status: outstanding, solved, all.
    :param pci: Filters by PCI DSS requirement.
    :param cis: Filters by CIS.
    :param offset: First item to return.
    :param limit: Maximum number of items to return.
    :param sort: Sorts the items. Format: {"fields":["field1","field2"],"order":"asc|desc"}.
    :param search: Looks for items with the specified string.
    :return: Dictionary: {'items': array of items, 'totalItems': Number of items (without applying the limit)}

    # Connection
    db_agent = glob('{0}/{1}-*.db'.format(common.database_path_agents, agent_id))
    if not db_agent:
        raise WazuhException(1600)
        db_agent = db_agent[0]

    conn = Connection(db_agent)

    request = {}
    fields = {'status': 'status', 'event': 'log', 'oldDay': 'date_first', 'readDay': 'date_last'}

    partial = """SELECT {0} AS status, date_first, date_last, log, pci_dss, cis
        FROM pm_event AS t
        WHERE date_last {1} (SELECT datetime(date_last, '-86400 seconds') FROM pm_event WHERE log = 'Ending rootcheck scan.')"""

    if status == 'all':
        query = "SELECT {0} FROM (" + partial.format("'outstanding'", '>') + ' UNION ' + partial.format("'solved'", '<=') + \
            ") WHERE log NOT IN ('Starting rootcheck scan.', 'Ending rootcheck scan.', 'Starting syscheck scan.', 'Ending syscheck scan.')"
    elif status == 'outstanding':
        query = "SELECT {0} FROM (" + partial.format("'outstanding'", '>') + \
            ") WHERE log NOT IN ('Starting rootcheck scan.', 'Ending rootcheck scan.', 'Starting syscheck scan.', 'Ending syscheck scan.')"
    elif status == 'solved':
        query = "SELECT {0} FROM (" + partial.format("'solved'", '<=') + \
            ") WHERE log NOT IN ('Starting rootcheck scan.', 'Ending rootcheck scan.', 'Starting syscheck scan.', 'Ending syscheck scan.')"

    if pci:
        query += ' AND pci_dss = :pci'
        request['pci'] = pci

    if cis:
        query += ' AND cis = :cis'
        request['cis'] = cis

    if search:
        query += " AND NOT" if bool(search['negation']) else ' AND'
        query += " (" + " OR ".join(x + ' LIKE :search' for x in ('status', 'date_first', 'date_last', 'log')) + ")"
        request['search'] = '%{0}%'.format(search['value'])

    # Total items

    conn.execute(query.format('COUNT(*)'), request)
    data = {'totalItems': conn.fetch()[0]}

    # Sorting

    if sort:
        allowed_sort_fields = fields.keys()
        for sf in sort['fields']:
            if sf not in allowed_sort_fields:
                raise WazuhException(1403, 'Allowed sort fields: {0}. Field: {1}'.format(allowed_sort_fields, sf))
        query += ' ORDER BY ' + ','.join(['{0} {1}'.format(fields[i], sort['order']) for i in sort['fields']])
        query += ' ORDER BY date_last DESC'

    query += ' LIMIT :offset,:limit'
    request['offset'] = offset
    request['limit'] = limit

    select = ["status", "date_first", "date_last", "log", "pci_dss", "cis"]

    conn.execute(query.format(','.join(select)), request)

    data['items'] = []
    for tuple in conn:
        data_tuple = {}

        if tuple[0] != None:
            data_tuple['status'] = tuple[0]
        if tuple[1] != None:
            data_tuple['oldDay'] = tuple[1]
        if tuple[2] != None:
            data_tuple['readDay'] = tuple[2]
        if tuple[3] != None:
            data_tuple['event'] = tuple[3]
        if tuple[4] != None:
            data_tuple['pci'] = tuple[4]
        if tuple[5] != None:
            data_tuple['cis'] = tuple[5]


    return data
Example #12
    def get_agents_overview(status="all",
        Gets a list of available agents with basic attributes.

        :param status: Filters by agent status: Active, Disconnected or Never connected.
        :param offset: First item to return.
        :param limit: Maximum number of items to return.
        :param sort: Sorts the items. Format: {"fields":["field1","field2"],"order":"asc|desc"}.
        :param search: Looks for items with the specified string.
        :return: Dictionary: {'items': array of items, 'totalItems': Number of items (without applying the limit)}

        db_global = glob(common.database_path_global)
        if not db_global:
            raise WazuhException(1600)

        conn = Connection(db_global[0])

        # Query
        query = "SELECT {0} FROM agent"
        fields = {
            'id': 'id',
            'name': 'name',
            'ip': 'ip',
            'status': 'last_keepalive'
        select = ["id", "name", "ip", "last_keepalive"]
        request = {}

        if status != "all":
            limit_seconds = 600 * 3 + 30
            result = datetime.now() - timedelta(seconds=limit_seconds)
            request['time_active'] = result.strftime('%Y-%m-%d %H:%M:%S')

            if status.lower() == 'active':
                query += ' AND (last_keepalive >= :time_active or id = 0)'
            elif status.lower() == 'disconnected':
                query += ' AND last_keepalive < :time_active'
            elif status.lower() == "never connected":
                query += ' AND last_keepalive IS NULL AND id != 0'

        # Search
        if search:
            query += " AND NOT" if bool(search['negation']) else ' AND'
            query += " (" + " OR ".join(x + ' LIKE :search'
                                        for x in ('id', 'name', 'ip')) + " )"
            request['search'] = '%{0}%'.format(search['value'])

        if "FROM agent AND" in query:
            query = query.replace("FROM agent AND", "FROM agent WHERE")

        # Count
        conn.execute(query.format('COUNT(*)'), request)
        data = {'totalItems': conn.fetch()[0]}

        # Sorting
        if sort:
            allowed_sort_fields = fields.keys()
            for sf in sort['fields']:
                if sf not in allowed_sort_fields:
                    raise WazuhException(
                        1403, 'Allowed sort fields: {0}. Field: {1}'.format(
                            allowed_sort_fields, sf))

            order_str_fields = []
            for i in sort['fields']:
                # Order by status ASC is the same that order by last_keepalive DESC.
                if i == 'status':
                    if sort['order'] == 'asc':
                        str_order = "desc"
                        str_order = "asc"
                    str_order = sort['order']
                order_str_fields.append('{0} {1}'.format(fields[i], str_order))

            if sort['fields']:
                query += ' ORDER BY ' + ','.join(order_str_fields)
            query += ' ORDER BY id ASC'

        query += ' LIMIT :offset,:limit'
        request['offset'] = offset
        request['limit'] = limit

        conn.execute(query.format(','.join(select)), request)

        data['items'] = []

        for tuple in conn:
            data_tuple = {}

            if tuple[0] != None:
                data_tuple['id'] = str(tuple[0]).zfill(3)
            if tuple[1] != None:
                data_tuple['name'] = tuple[1]
            if tuple[2] != None:
                data_tuple['ip'] = tuple[2]

            if tuple[3] != None:
                lastKeepAlive = tuple[3]
                lastKeepAlive = 0

            if data_tuple['id'] == "000":
                data_tuple['status'] = "Active"
                data_tuple['ip'] = ''
                data_tuple['status'] = Agent.calculate_status(lastKeepAlive)


        return data
Example #13
def files(agent_id=None, event=None, filename=None, filetype='file', md5=None, sha1=None, hash=None, summary=False, offset=0, limit=common.database_limit, sort=None, search=None):
    Return a list of files from the database that match the filters

    :param agent_id: Agent ID.
    :param event: Filters by event: added, readded, modified, deleted.
    :param filename: Filters by filename.
    :param filetype: Filters by filetype: file or registry.
    :param md5: Filters by md5 hash.
    :param sha1: Filters by sha1 hash.
    :param hash: Filters by md5 or sha1 hash.
    :param summary: Returns a summary grouping by filename.
    :param offset: First item to return.
    :param limit: Maximum number of items to return.
    :param sort: Sorts the items. Format: {"fields":["field1","field2"],"order":"asc|desc"}.
    :param search: Looks for items with the specified string.
    :return: Dictionary: {'items': array of items, 'totalItems': Number of items (without applying the limit)}

    # Connection
    db_agent = glob('{0}/{1}-*.db'.format(common.database_path_agents, agent_id))
    if not db_agent:
        raise WazuhException(1600)
        db_agent = db_agent[0]

    conn = Connection(db_agent)

    agent_os = Agent(agent_id).get_basic_information()['os']

    if "windows" in agent_os.lower():
        windows_agent = True
        windows_agent = False

    fields = {'scanDate': 'date', 'modificationDate': 'mtime', 'file': 'path', 'size': 'size', 'user': '******', 'group': 'gname'}

    # Query
    query = "SELECT {0} FROM fim_event, fim_file WHERE fim_event.id_file = fim_file.id AND fim_file.type = :filetype"
    request = {'filetype': filetype}

    if event:
        query += ' AND fim_event.type = :event'
        request['event'] = event

    if filename:
        query += ' AND path = :filename'
        request['filename'] = filename

    if md5:
        query += ' AND md5 = :md5'
        request['md5'] = md5

    if sha1:
        query += ' AND sha1 = :sha1'
        request['sha1'] = sha1

    if hash:
        query += ' AND (md5 = :hash OR sha1 = :hash)'
        request['hash'] = hash

    if search:
        query += " AND NOT" if bool(search['negation']) else ' AND'
        query += " (" + " OR ".join(x + ' LIKE :search' for x in ('path', "date", 'size', 'md5', 'sha1', 'uname', 'gname', 'inode', 'perm')) + " )"
        request['search'] = '%{0}%'.format(search['value'])

    # Total items
    if summary:
        query += ' group by path'
        conn.execute("SELECT COUNT(*) FROM ({0}) AS TEMP".format(query.format("max(date)")), request)
        conn.execute(query.format('COUNT(*)'), request)

    data = {'totalItems': conn.fetch()[0]}

    # Sorting
    if sort:
        allowed_sort_fields = fields.keys()
        for sf in sort['fields']:
            if sf not in allowed_sort_fields:
                raise WazuhException(1403, 'Allowed sort fields: {0}. Field: {1}'.format(allowed_sort_fields, sf))

        query += ' ORDER BY ' + ','.join(['{0} {1}'.format(fields[i], sort['order']) for i in sort['fields']])
        query += ' ORDER BY date DESC'

    query += ' LIMIT :offset,:limit'
    request['offset'] = offset
    request['limit'] = limit

    if summary:
        select = ["max(date)", "mtime", "fim_event.type", "path"]
        select = ["date", "mtime", "fim_event.type", "path", "size", "perm", "uid", "gid", "md5", "sha1", "uname", "gname", "inode"]

    conn.execute(query.format(','.join(select)), request)

    data['items'] = []

    for tuple in conn:
        data_tuple = {}

        if tuple[0] != None:
            data_tuple['scanDate'] = tuple[0]
        if tuple[1] != None:
            data_tuple['modificationDate'] = tuple[1]  # modificationDate
            data_tuple['modificationDate'] = tuple[0]  # scanDate
        if tuple[2] != None:
            data_tuple['event'] = tuple[2]
        if tuple[3] != None:
            data_tuple['file'] = tuple[3]

        if not summary:
                permissions = filemode(int(tuple[5], 8))
            except TypeError:
                permissions = None

            if tuple[4] != None:
                data_tuple['size'] = tuple[4]
            if tuple[8] != None:
                data_tuple['md5'] = tuple[8]
            if tuple[9] != None:
                data_tuple['sha1'] = tuple[9]
            if tuple[12] != None:
                data_tuple['inode'] = tuple[12]

            if not windows_agent:
                if tuple[6] != None:
                    data_tuple['uid'] = tuple[6]
                if tuple[7] != None:
                    data_tuple['gid'] = tuple[7]

                if tuple[10] != None:
                    data_tuple['user'] = tuple[10]
                if tuple[11] != None:
                    data_tuple['group'] = tuple[11]

                if tuple[5] != None:
                    data_tuple['octalMode'] = tuple[5]
                if permissions:
                    data_tuple['permissions'] = permissions


    return data
Example #14
def get_agents_without_group(offset=0,
    Gets the agents in a group

    :param group_id: Group ID.
    :param offset: First item to return.
    :param limit: Maximum number of items to return.
    :param sort: Sorts the items. Format: {"fields":["field1","field2"],"order":"asc|desc"}.
    :param search: Looks for items with the specified string.
    :return: Dictionary: {'items': array of items, 'totalItems': Number of items (without applying the limit)}

    # Connect DB
    db_global = glob(common.database_path_global)
    if not db_global:
        raise WazuhException(1600)

    conn = Connection(db_global[0])
    valid_select_fiels = {
        "id", "name", "ip", "last_keepalive", "os_name", "os_version",
        "os_platform", "os_uname", "version", "config_sum", "merged_sum",
        "manager_host", "status"
    # fields like status need to retrieve others to be properly computed.
    dependent_select_fields = {'status': {'last_keepalive', 'version'}}
    search_fields = {"id", "name", "os_name"}

    # Init query
    query = "SELECT {0} FROM agent WHERE `group` IS NULL AND id != 0"
    fields = {'id': 'id', 'name': 'name'}  # field: db_column
    request = {}

    # Select
    if select:
        select_fields_param = set(select['fields'])

        if not select_fields_param.issubset(valid_select_fiels):
            uncorrect_fields = select_fields_param - valid_select_fiels
            raise WazuhException(1724, "Allowed select fields: {0}. Fields {1}".\
                    format(', '.join(list(valid_select_fiels)), ', '.join(uncorrect_fields)))

        select_fields = select_fields_param
        select_fields = valid_select_fiels

    # add dependent select fields to the database select query
    db_select_fields = set()
    for dependent, dependent_fields in dependent_select_fields.items():
        if dependent in select_fields:
            db_select_fields |= dependent_fields
    db_select_fields |= (select_fields - set(dependent_select_fields.keys()))

    # Search
    if search:
        query += " AND NOT" if bool(search['negation']) else ' AND'
        query += " (" + " OR ".join(x + ' LIKE :search'
                                    for x in search_fields) + " )"
        request['search'] = '%{0}%'.format(
            int(search['value']) if search['value'].isdigit(
            ) else search['value'])

    # Count
    conn.execute(query.format('COUNT(*)'), request)
    data = {'totalItems': conn.fetch()[0]}

    # Sorting
    if sort:
        if sort['fields']:
            allowed_sort_fields = db_select_fields
            # Check if every element in sort['fields'] is in allowed_sort_fields.
            if not set(sort['fields']).issubset(allowed_sort_fields):
                raise WazuhException(1403, 'Allowed sort fields: {0}. Fields: {1}'.\
                    format(allowed_sort_fields, sort['fields']))

            order_str_fields = [
                '{0} {1}'.format(fields[i], sort['order'])
                for i in sort['fields']
            query += ' ORDER BY ' + ','.join(order_str_fields)
            query += ' ORDER BY id {0}'.format(sort['order'])
        query += ' ORDER BY id ASC'

    if limit:
        query += ' LIMIT :offset,:limit'
        request['offset'] = offset
        request['limit'] = limit

    # Data query
    conn.execute(query.format(','.join(db_select_fields)), request)

    non_nested = [{field:tuple_elem for field,tuple_elem \
            in zip(db_select_fields, tuple) if tuple_elem} for tuple in conn]

    if 'id' in select_fields:
        map(lambda x: setitem(x, 'id', str(x['id']).zfill(3)), non_nested)

    if 'status' in select_fields:
                lambda x: setitem(
                    x, 'status',
                    Agent.calculate_status(x['last_keepalive'], x['version'] ==
                                           None)), non_nested)
        except KeyError:

    # return only the fields requested by the user (saved in select_fields) and not the dependent ones
    non_nested = [{k: v
                   for k, v in d.items() if k in select_fields}
                  for d in non_nested]

    data['items'] = [plain_dict_to_nested_dict(d, ['os']) for d in non_nested]

    return data
Example #15
def files(agent_id=None,
    Return a list of files from the database that match the filters

    :param agent_id: Agent ID.
    :param event: Filters by event: added, readded, modified, deleted.
    :param filename: Filters by filename.
    :param filetype: Filters by filetype: file or registry.
    :param md5: Filters by md5 hash.
    :param sha1: Filters by sha1 hash.
    :param hash: Filters by md5 or sha1 hash.
    :param summary: Returns a summary grouping by filename.
    :param offset: First item to return.
    :param limit: Maximum number of items to return.
    :param sort: Sorts the items. Format: {"fields":["field1","field2"],"order":"asc|desc"}.
    :param search: Looks for items with the specified string.
    :return: Dictionary: {'items': array of items, 'totalItems': Number of items (without applying the limit)}

    # Connection
    db_agent = glob('{0}/{1}-*.db'.format(common.database_path_agents,
    if not db_agent:
        raise WazuhException(1600)
        db_agent = db_agent[0]

    conn = Connection(db_agent)

    agent_info = Agent(agent_id).get_basic_information()
    if 'os' in agent_info and 'platform' in agent_info['os']:
        if agent_info['os']['platform'].lower() == 'windows':
            windows_agent = True
            windows_agent = False
        # We do not know if it is a windows or linux agent.
        # It is set to windows agent in order to avoid wrong data (uid, gid, ...)
        windows_agent = True

    fields = {
        'scanDate': 'date',
        'modificationDate': 'mtime',
        'file': 'path',
        'size': 'size',
        'user': '******',
        'group': 'gname'

    # Query
    query = "SELECT {0} FROM fim_event, fim_file WHERE fim_event.id_file = fim_file.id AND fim_file.type = :filetype"
    request = {'filetype': filetype}

    if event:
        query += ' AND fim_event.type = :event'
        request['event'] = event

    if filename:
        query += ' AND path = :filename'
        request['filename'] = filename

    if md5:
        query += ' AND md5 = :md5'
        request['md5'] = md5

    if sha1:
        query += ' AND sha1 = :sha1'
        request['sha1'] = sha1

    if hash:
        query += ' AND (md5 = :hash OR sha1 = :hash)'
        request['hash'] = hash

    if search:
        query += " AND NOT" if bool(search['negation']) else ' AND'
        query += " (" + " OR ".join(
            x + ' LIKE :search'
            for x in ('path', "date", 'size', 'md5', 'sha1', 'uname', 'gname',
                      'inode', 'perm')) + " )"
        request['search'] = '%{0}%'.format(search['value'])

    # Total items
    if summary:
        query += ' group by path'
            "SELECT COUNT(*) FROM ({0}) AS TEMP".format(
                query.format("max(date)")), request)
        conn.execute(query.format('COUNT(*)'), request)

    data = {'totalItems': conn.fetch()[0]}

    # Sorting
    if sort:
        allowed_sort_fields = fields.keys()
        for sf in sort['fields']:
            if sf not in allowed_sort_fields:
                raise WazuhException(
                    1403, 'Allowed sort fields: {0}. Field: {1}'.format(
                        allowed_sort_fields, sf))

        query += ' ORDER BY ' + ','.join([
            '{0} {1}'.format(fields[i], sort['order']) for i in sort['fields']
        query += ' ORDER BY date DESC'

    query += ' LIMIT :offset,:limit'
    request['offset'] = offset
    request['limit'] = limit

    if summary:
        select = ["max(date)", "mtime", "fim_event.type", "path"]
        select = [
            "date", "mtime", "fim_event.type", "path", "size", "perm", "uid",
            "gid", "md5", "sha1", "uname", "gname", "inode"

    conn.execute(query.format(','.join(select)), request)

    data['items'] = []

    for tuple in conn:
        data_tuple = {}

        if tuple[0] != None:
            data_tuple['scanDate'] = tuple[0]
        if tuple[1] != None:
            data_tuple['modificationDate'] = tuple[1]  # modificationDate
            data_tuple['modificationDate'] = tuple[0]  # scanDate
        if tuple[2] != None:
            data_tuple['event'] = tuple[2]
        if tuple[3] != None:
            data_tuple['file'] = tuple[3]

        if not summary:
                permissions = filemode(int(tuple[5], 8))
            except TypeError:
                permissions = None

            if tuple[4] != None:
                data_tuple['size'] = tuple[4]
            if tuple[8] != None:
                data_tuple['md5'] = tuple[8]
            if tuple[9] != None:
                data_tuple['sha1'] = tuple[9]
            if tuple[12] != None:
                data_tuple['inode'] = tuple[12]

            if not windows_agent:
                if tuple[6] != None:
                    data_tuple['uid'] = tuple[6]
                if tuple[7] != None:
                    data_tuple['gid'] = tuple[7]

                if tuple[10] != None:
                    data_tuple['user'] = tuple[10]
                if tuple[11] != None:
                    data_tuple['group'] = tuple[11]

                if tuple[5] != None:
                    data_tuple['octalMode'] = tuple[5]
                if permissions:
                    data_tuple['permissions'] = permissions


    return data
Example #16
def get_all_groups_sql(offset=0,
    Gets the existing groups.

    :param offset: First item to return.
    :param limit: Maximum number of items to return.
    :param sort: Sorts the items. Format: {"fields":["field1","field2"],"order":"asc|desc"}.
    :param search: Looks for items with the specified string.
    :return: Dictionary: {'items': array of items, 'totalItems': Number of items (without applying the limit)}

    # Connect DB
    db_global = glob(common.database_path_global)
    if not db_global:
        raise WazuhException(1600)

    conn = Connection(db_global[0])

    # Init query
    query = "SELECT DISTINCT {0} FROM agent WHERE `group` IS NOT null"
    fields = {'name': 'group'}  # field: db_column
    select = ["`group`"]
    request = {}

    # Search
    if search:
        query += " AND NOT" if bool(search['negation']) else ' AND'
        query += " ( `group` LIKE :search )"
        request['search'] = '%{0}%'.format(search['value'])

    # Count
    conn.execute(query.format('COUNT(DISTINCT `group`)'), request)
    data = {'totalItems': conn.fetch()[0]}

    # Sorting
    if sort:
        if sort['fields']:
            allowed_sort_fields = fields.keys()
            # Check if every element in sort['fields'] is in allowed_sort_fields.
            if not set(sort['fields']).issubset(allowed_sort_fields):
                raise WazuhException(
                    1403, 'Allowed sort fields: {0}. Fields: {1}'.format(
                        allowed_sort_fields, sort['fields']))

            order_str_fields = [
                '`{0}` {1}'.format(fields[i], sort['order'])
                for i in sort['fields']
            query += ' ORDER BY ' + ','.join(order_str_fields)
            query += ' ORDER BY `group` {0}'.format(sort['order'])
        query += ' ORDER BY `group` ASC'

    if limit:
        query += ' LIMIT :offset,:limit'
        request['offset'] = offset
        request['limit'] = limit

    # Data query
    conn.execute(query.format(','.join(select)), request)

    data['items'] = []

    for tuple in conn:
        if tuple[0] != None:

    return data
Example #17
    def get_agents_overview(status="all", offset=0, limit=common.database_limit, sort=None, search=None):
        Gets a list of available agents with basic attributes.

        :param status: Filters by agent status: Active, Disconnected or Never connected.
        :param offset: First item to return.
        :param limit: Maximum number of items to return.
        :param sort: Sorts the items. Format: {"fields":["field1","field2"],"order":"asc|desc"}.
        :param search: Looks for items with the specified string.
        :return: Dictionary: {'items': array of items, 'totalItems': Number of items (without applying the limit)}

        db_global = glob(common.database_path_global)
        if not db_global:
            raise WazuhException(1600)

        conn = Connection(db_global[0])

        # Query
        query = "SELECT {0} FROM agent"
        fields = {'id': 'id', 'name': 'name', 'ip': 'ip', 'status': 'last_keepalive'}
        select = ["id", "name", "ip", "last_keepalive"]
        request = {}

        if status != "all":
            limit_seconds = 600*3 + 30
            result = datetime.now() - timedelta(seconds=limit_seconds)
            request['time_active'] = result.strftime('%Y-%m-%d %H:%M:%S')

            if status.lower() == 'active':
                query += ' AND (last_keepalive >= :time_active or id = 0)'
            elif status.lower() == 'disconnected':
                query += ' AND last_keepalive < :time_active'
            elif status.lower() == "never connected":
                query += ' AND last_keepalive IS NULL AND id != 0'

        # Search
        if search:
            query += " AND NOT" if bool(search['negation']) else ' AND'
            query += " (" + " OR ".join(x + ' LIKE :search' for x in ('id', 'name', 'ip')) + " )"
            request['search'] = '%{0}%'.format(search['value'])

        if "FROM agent AND" in query:
            query = query.replace("FROM agent AND", "FROM agent WHERE")

        # Count
        conn.execute(query.format('COUNT(*)'), request)
        data = {'totalItems': conn.fetch()[0]}

        # Sorting
        if sort:
            allowed_sort_fields = fields.keys()
            for sf in sort['fields']:
                if sf not in allowed_sort_fields:
                    raise WazuhException(1403, 'Allowed sort fields: {0}. Field: {1}'.format(allowed_sort_fields, sf))

            order_str_fields = []
            for i in sort['fields']:
                # Order by status ASC is the same that order by last_keepalive DESC.
                if i == 'status':
                    if sort['order'] == 'asc':
                        str_order = "desc"
                        str_order = "asc"
                    str_order = sort['order']
                order_str_fields.append('{0} {1}'.format(fields[i], str_order))

            if sort['fields']:
                query += ' ORDER BY ' + ','.join(order_str_fields)
            query += ' ORDER BY id ASC'

        query += ' LIMIT :offset,:limit'
        request['offset'] = offset
        request['limit'] = limit

        conn.execute(query.format(','.join(select)), request)

        data['items'] = []

        for tuple in conn:
            data_tuple = {}

            if tuple[0] != None:
                data_tuple['id'] = str(tuple[0]).zfill(3)
            if tuple[1] != None:
                data_tuple['name'] = tuple[1]
            if tuple[2] != None:
                data_tuple['ip'] = tuple[2]

            if tuple[3] != None:
                lastKeepAlive = tuple[3]
                lastKeepAlive = 0

            if data_tuple['id'] == "000":
                data_tuple['status'] = "Active"
                data_tuple['ip'] = ''
                data_tuple['status'] = Agent.calculate_status(lastKeepAlive)


        return data