Esempio n. 1
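def read_ossec_conf(section=None, field=None, raw=False):
    """Wrapper for get_ossec_conf.

    :param section: Filters by section (i.e. rules).
    :param field: Filters by field in section (i.e. included).
    :param raw: When True, return the text of ``common.ossec_conf`` verbatim
        instead of a parsed result. ``section`` and ``field`` are ignored in
        that case, and only ``WazuhError`` is caught (an OSError from the
        read propagates to the caller).
    :return: AffectedItemsWazuhResult, or the configuration file contents as
        a ``str`` when ``raw`` is True.
    """
    # NOTE: ``node_id`` is not a parameter; it is resolved from the enclosing
    # scope. It selects the message wording and is the id reported for a
    # failed item.
    node_suffix = ' in specified node' if node_id != 'manager' else ''
    result = AffectedItemsWazuhResult(
        all_msg=f"Configuration was successfully read{node_suffix}",
        some_msg='Could not read configuration in some nodes',
        none_msg=f"Could not read configuration{node_suffix}")

    try:
        if raw:
            # The raw file is returned as-is. ossec.conf holds the cluster
            # section (including its ``key``), so treat the result as
            # sensitive and do not log or echo it without need.
            with open(common.ossec_conf) as f:
                return f.read()
        result.affected_items.append(
            get_ossec_conf(section=section, field=field))
    except WazuhError as e:
        result.add_failed_item(id_=node_id, error=e)
    result.total_affected_items = len(result.affected_items)

    return result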
Esempio n. 2
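def get_decoders_files(status=None, relative_dirname=None, filename=None, offset=0, limit=common.database_limit,
                       sort_by=None, sort_ascending=True, search_text=None, complementary_search=False,
                       search_in_fields=None):
    """Get a list of the available decoder files.

    :param status: Filters by status: enabled, disabled, all.
    :param relative_dirname: Filters by relative dirname.
    :param filename: Filename (or list of filenames) to filter by. A list is
        resolved one filename at a time and the results are concatenated.
    :param offset: First item to return.
    :param limit: Maximum number of items to return.
    :param sort_by: Fields to sort the items by.
    :param sort_ascending: Sort in ascending (True) or descending (False) order.
    :param search_text: Text to search.
    :param complementary_search: Find items without the text to search.
    :param search_in_fields: Fields to search in.
    :return: AffectedItemsWazuhResult
    :raises WazuhInternalError: code 1500 when the ``ruleset`` section of the
        configuration is empty.
    """
    result = AffectedItemsWazuhResult(none_msg='No decoder files were returned',
                                      some_msg='Some decoder files were not returned',
                                      all_msg='All decoder files were returned')
    status = check_status(status)
    ruleset_conf = configuration.get_ossec_conf(section='ruleset')['ruleset']
    if not ruleset_conf:
        raise WazuhInternalError(1500)

    # Configuration tags that declare which decoder files are loaded.
    tags = ['decoder_include', 'decoder_exclude', 'decoder_dir']

    def _files_matching(name):
        # Resolve the decoder files for a single filename filter (None = all).
        return format_rule_decoder_file(
            ruleset_conf,
            {'status': status, 'relative_dirname': relative_dirname, 'filename': name},
            tags)

    if isinstance(filename, list):
        decoders_files = []
        for single_filename in filename:
            decoders_files.extend(_files_matching(single_filename))
    else:
        decoders_files = _files_matching(filename)

    data = process_array(decoders_files, search_text=search_text, search_in_fields=search_in_fields,
                         complementary_search=complementary_search, sort_by=sort_by, sort_ascending=sort_ascending,
                         offset=offset, limit=limit)
    result.affected_items = data['items']
    result.total_affected_items = data['totalItems']

    return result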
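def test_get_ossec_conf():
    """Check the error codes and the parsed values returned by get_ossec_conf."""
    # The same fixture file is used by every case below.
    conf_file = os.path.join(parent_directory, tmp_path, 'configuration/ossec.conf')

    # load_wazuh_xml is patched to return something that is not a parsed
    # tree; get_ossec_conf must report that as 1101.
    with patch('wazuh.core.configuration.load_wazuh_xml',
               return_value=Exception):
        with pytest.raises(WazuhError, match=".* 1101 .*"):
            configuration.get_ossec_conf()

    # Section that does not exist -> 1102.
    with pytest.raises(WazuhError, match=".* 1102 .*"):
        configuration.get_ossec_conf(section='noexists', conf_file=conf_file)

    # 'remote' is not present in the fixture -> 1106.
    with pytest.raises(WazuhError, match=".* 1106 .*"):
        configuration.get_ossec_conf(section='remote', conf_file=conf_file)

    # field='error' is expected to be reported as 1103.
    with pytest.raises(WazuhError, match=".* 1103 .*"):
        configuration.get_ossec_conf(section='integration', field='error',
                                     conf_file=conf_file)

    # Whole file, section filter and section+field filter all expose the
    # cluster name.
    assert configuration.get_ossec_conf(conf_file=conf_file).to_dict(
        )['result']['cluster']['name'] == 'wazuh'

    assert configuration.get_ossec_conf(
        section='cluster', conf_file=conf_file).to_dict(
        )['result']['cluster']['name'] == 'wazuh'

    assert configuration.get_ossec_conf(
        section='cluster', field='name', conf_file=conf_file).to_dict(
        )['result']['cluster']['name'] == 'wazuh'

    assert configuration.get_ossec_conf(
        section='integration', field='node', conf_file=conf_file
    ).to_dict()['result']['integration'][0]['node'] == 'wazuh-worker'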
Esempio n. 4
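def read_cluster_config(config_file=common.ossec_conf) -> typing.Dict:
    """Read cluster configuration from ossec.conf.

    If some fields are missing in the ossec.conf cluster configuration, they are replaced
    with default values.
    If there is no cluster configuration at all, the default configuration is marked as disabled.

    Parameters
    ----------
    config_file : str
        Path to configuration file.

    Returns
    -------
    config_cluster : dict
        Dictionary with cluster configuration.

    Raises
    ------
    WazuhError
        3004 when ``port`` is not an integer or ``disabled`` is not one of
        'yes', 'no' or a bool; 3006 when the section cannot be read for any
        other reason.
    """
    # Defaults applied field by field. They are permissive: an empty cluster
    # ``key`` and ``bind_addr`` on every interface. Nothing below checks that
    # an enabled cluster overrides them.
    cluster_default_configuration = {
        'disabled': False,
        'node_type': 'master',
        'name': 'wazuh',
        'node_name': 'node01',
        'key': '',
        'port': 1516,
        'bind_addr': '0.0.0.0',
        'nodes': ['NODE_IP'],
        'hidden': 'no'
    }

    try:
        config_cluster = get_ossec_conf(section='cluster',
                                        conf_file=config_file)['cluster']
    except WazuhException as e:
        if e.code == 1106:
            # No cluster section in ossec.conf: return the defaults, but disabled.
            cluster_default_configuration['disabled'] = True
            return cluster_default_configuration
        raise WazuhError(3006, extra_message=e.message)
    except Exception as e:
        # Any other failure while reading the section is reported as 3006.
        raise WazuhError(3006, extra_message=str(e))

    # Fill in every field the user left out with its default.
    for value_name in cluster_default_configuration.keys() - config_cluster.keys():
        config_cluster[value_name] = cluster_default_configuration[value_name]

    port = config_cluster['port']
    if isinstance(port, str) and not port.isdigit():
        raise WazuhError(3004,
                         extra_message="Cluster port must be an integer.")
    try:
        config_cluster['port'] = int(port)
    except (TypeError, ValueError):
        # ``str.isdigit`` accepts Unicode digits that ``int`` rejects (e.g.
        # '²'), and a non-str/non-int value raises TypeError; report both as
        # the same configuration error instead of an unhandled exception.
        raise WazuhError(3004,
                         extra_message="Cluster port must be an integer.")

    disabled = config_cluster['disabled']
    if disabled == 'no':
        config_cluster['disabled'] = False
    elif disabled == 'yes':
        config_cluster['disabled'] = True
    elif not isinstance(disabled, bool):
        raise WazuhError(
            3004,
            extra_message=
            "Allowed values for 'disabled' field are 'yes' and 'no'. Found: '{}'"
            .format(disabled))

    if config_cluster['node_type'] == 'client':
        # 'client' is the legacy spelling of 'worker'.
        logger.info("Deprecated node type 'client'. Using 'worker' instead.")
        config_cluster['node_type'] = 'worker'

    return config_cluster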
Esempio n. 5
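def _expand_resource(resource):
    """Expand a ``name:attribute:value`` resource string into a set of values.

    ``agent:group`` is always delegated to ``expand_group``, which accepts
    either ``*`` or a group name. For every other type, the wildcard value
    ``*`` is replaced by the identifiers currently present in the system and
    a concrete value is returned as a one-element set. A wildcard on an
    unknown resource type expands to the empty set, i.e. it matches nothing.

    :param resource: Resource to be expanded, e.g. ``agent:id:*``.
    :return: Set with the expanded resource values.
    :raises ValueError: if *resource* does not contain exactly two ``:``.
    """
    name, attribute, value = resource.split(':')
    resource_type = ':'.join([name, attribute])

    # Special case: expand_group handles both '*' and a group name itself.
    if resource_type == 'agent:group':
        return expand_group(value)

    # A concrete value is simply wrapped in a set.
    if value != '*':
        return {value}

    # Wildcard: resolve to every identifier of that type in the system.
    if resource_type == 'agent:id':
        return get_agents_info()
    if resource_type == 'group:id':
        return get_groups()
    if resource_type == 'role:id':
        with RolesManager() as rm:
            roles = rm.get_roles()
        return {str(role.id) for role in roles}
    if resource_type == 'policy:id':
        with PoliciesManager() as pm:
            policies = pm.get_policies()
        return {str(policy.id) for policy in policies}
    if resource_type == 'user:id':
        with AuthenticationManager() as auth:
            users = auth.get_users()
        return {user['user_id'] for user in users}
    if resource_type == 'rule:id':
        with RulesManager() as rum:
            rules = rum.get_rules()
        return {str(rule.id) for rule in rules}
    if resource_type == 'rule:file':
        return _ruleset_filenames(['rule_include', 'rule_exclude', 'rule_dir'])
    if resource_type == 'decoder:file':
        return _ruleset_filenames(['decoder_include', 'decoder_exclude', 'decoder_dir'])
    if resource_type == 'list:path':
        return {
            os.path.join(cdb_list['relative_dirname'], cdb_list['filename'])
            for cdb_list in iterate_lists(only_names=True)
        }
    if resource_type == 'node:id':
        return set(cluster_nodes.get())
    if resource_type == 'file:path':
        return get_files()
    if resource_type == '*:*':  # Resourceless
        return {'*'}
    # Unknown resource type: expand to nothing rather than to everything.
    return set()


def _ruleset_filenames(tags):
    """Return the file names the ``ruleset`` section declares under *tags*.

    :param tags: Configuration tags to read (the rule_* or decoder_* triple).
    :return: Set of filenames; no status, dirname or filename filter is applied.
    """
    formatted = format_rule_decoder_file(
        get_ossec_conf(section='ruleset')['ruleset'], {
            'status': Status.S_ALL.value,
            'relative_dirname': None,
            'filename': None
        }, tags)
    return {item['filename'] for item in formatted}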
Esempio n. 6
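def read_cluster_config(config_file=common.ossec_conf) -> typing.Dict:
    """Read the cluster configuration from ossec.conf.

    Missing fields are filled with defaults; when there is no cluster section
    at all, the defaults are returned with ``disabled`` set to True.

    :param config_file: Path to the configuration file.
    :return: Dictionary with cluster configuration.
    :raises WazuhError: 3004 when ``port`` is not an integer or ``disabled``
        is not one of 'yes', 'no' or a bool; 3006 when the section cannot be
        read for any other reason.
    """
    # Defaults applied field by field. They are permissive: an empty cluster
    # ``key`` and ``bind_addr`` on every interface. Nothing below checks that
    # an enabled cluster overrides them.
    cluster_default_configuration = {
        'disabled': False,
        'node_type': 'master',
        'name': 'wazuh',
        'node_name': 'node01',
        'key': '',
        'port': 1516,
        'bind_addr': '0.0.0.0',
        'nodes': ['NODE_IP'],
        'hidden': 'no'
    }

    try:
        config_cluster = get_ossec_conf(section='cluster',
                                        conf_file=config_file)['cluster']
    except WazuhException as e:
        if e.code == 1106:
            # No cluster section in ossec.conf: return the defaults, but disabled.
            cluster_default_configuration['disabled'] = True
            return cluster_default_configuration
        raise WazuhError(3006, extra_message=e.message)
    except Exception as e:
        # Any other failure while reading the section is reported as 3006.
        raise WazuhError(3006, extra_message=str(e))

    # Fill in every field the user left out with its default.
    for value_name in cluster_default_configuration.keys() - config_cluster.keys():
        config_cluster[value_name] = cluster_default_configuration[value_name]

    port = config_cluster['port']
    if isinstance(port, str) and not port.isdigit():
        raise WazuhError(3004,
                         extra_message="Cluster port must be an integer.")
    try:
        config_cluster['port'] = int(port)
    except (TypeError, ValueError):
        # ``str.isdigit`` accepts Unicode digits that ``int`` rejects (e.g.
        # '²'), and a non-str/non-int value raises TypeError; report both as
        # the same configuration error instead of an unhandled exception.
        raise WazuhError(3004,
                         extra_message="Cluster port must be an integer.")

    disabled = config_cluster['disabled']
    if disabled == 'no':
        config_cluster['disabled'] = False
    elif disabled == 'yes':
        config_cluster['disabled'] = True
    elif not isinstance(disabled, bool):
        raise WazuhError(
            3004,
            extra_message=
            "Allowed values for 'disabled' field are 'yes' and 'no'. Found: '{}'"
            .format(disabled))

    if config_cluster['node_type'] == 'client':
        # 'client' is the legacy spelling of 'worker'.
        logger.info("Deprecated node type 'client'. Using 'worker' instead.")
        config_cluster['node_type'] = 'worker'

    return config_cluster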
Esempio n. 7
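def test_get_ossec_conf():
    """Check the error codes, the from_import exit and the parsed values of get_ossec_conf."""
    # The same fixture file is used by every case below.
    conf_file = os.path.join(parent_directory, tmp_path, 'configuration/ossec.conf')

    # load_wazuh_xml is patched to return something that is not a parsed
    # tree; get_ossec_conf must report that as 1101 ...
    with patch('wazuh.core.configuration.load_wazuh_xml',
               return_value=Exception):
        with pytest.raises(WazuhError, match=".* 1101 .*"):
            configuration.get_ossec_conf()

    # ... and, with from_import=True, exit the process with status 0 instead.
    with patch('wazuh.core.configuration.load_wazuh_xml',
               return_value=Exception):
        with pytest.raises(SystemExit) as pytest_wrapped_e:
            configuration.get_ossec_conf(from_import=True)
        assert pytest_wrapped_e.type == SystemExit
        assert pytest_wrapped_e.value.code == 0

    # Section that does not exist -> 1102.
    with pytest.raises(WazuhError, match=".* 1102 .*"):
        configuration.get_ossec_conf(section='noexists', conf_file=conf_file)

    # 'remote' is not present in the fixture -> 1106.
    with pytest.raises(WazuhError, match=".* 1106 .*"):
        configuration.get_ossec_conf(section='remote', conf_file=conf_file)

    # field='error' is expected to be reported as 1103.
    with pytest.raises(WazuhError, match=".* 1103 .*"):
        configuration.get_ossec_conf(section='integration', field='error',
                                     conf_file=conf_file)

    # Whole file, section filter and section+field filter all expose the
    # cluster name.
    assert configuration.get_ossec_conf(
        conf_file=conf_file)['cluster']['name'] == 'wazuh'

    assert configuration.get_ossec_conf(
        section='cluster', conf_file=conf_file)['cluster']['name'] == 'wazuh'

    assert configuration.get_ossec_conf(
        section='cluster', field='name',
        conf_file=conf_file)['cluster']['name'] == 'wazuh'

    assert configuration.get_ossec_conf(
        section='integration', field='node', conf_file=conf_file
    )['integration'][0]['node'] == 'wazuh-worker'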