def build_santa_conf(all_probes):
    """
    Build the santa conf, the rule lookup dict and the list of santa probes.

    Args:
        all_probes: mapping of probe_name -> probe_d (probe definition dict).
            Only probes whose 'santa' entry is a non-empty list take part.

    Returns:
        A (santa_conf, lookup_d, probes) triple:

        * santa_conf: ``{'rules': [...]}``, every 'santa' rule of every
          participating probe, in all_probes iteration order. It is the
          source of the json document sent to the santa client when it
          connects to zentral.
        * lookup_d: maps each rule's ``sha256`` to the list of shallow copies
          of the probe dicts holding a rule with that hash. Used when a santa
          event is processed to find the probes responsible for it, and thus
          the actions to trigger.
        * probes: sorted list of (probe_name, probe_d) tuples for the probes
          that have a 'santa' section.

    Raises:
        KeyError: if a santa rule has no ``sha256`` entry.
    """
    santa_probes = [(name, probe_d)
                    for name, probe_d in all_probes.items()
                    if probe_d.get('santa')]
    rules = []
    lookup_d = {}
    for _, probe_d in santa_probes:
        santa_rules = probe_d['santa']
        rules.extend(santa_rules)
        for rule in santa_rules:
            # one copy per rule, so a probe with several rules appears once
            # under each of its hashes
            lookup_d.setdefault(rule["sha256"], []).append(probe_d.copy())
    return {'rules': rules}, lookup_d, sorted(santa_probes)
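def build_osquery_conf(all_probes):
    """
    Build the osquery conf and the two osquery probe lists.

    Args:
        all_probes: mapping of probe_name -> probe_d (probe definition dict).

    Returns:
        An (osquery_conf, probes, event_type_probes) triple:

        * osquery_conf: ``{'schedule': {...}, 'file_paths': {...}}``. The
          schedule always contains the zentral inventory query under the
          DEFAULT_ZENTRAL_INVENTORY_QUERY key; each probe query is added under
          the ``'<probe_name>_<idx>'`` key, with any 'key' entry of the query
          dropped. file_paths is the union of the probes' 'file_paths'
          categories.
        * probes: sorted list of (probe_name, probe_d) for the probes with an
          'osquery' section. Their 'metadata_filters' are normalized in place
          so that every filter carries ``type == 'osquery_result'``.
        * event_type_probes: (probe_name, probe_d) for the probes without an
          'osquery' section that test_probe_event_type() matches on 'osquery'.

    Raises:
        ImproperlyConfigured: if a probe has a metadata_filter whose type is
            not 'osquery_result', if two queries share a schedule key, or if
            two probes define the same file_paths category.
    """
    schedule = {DEFAULT_ZENTRAL_INVENTORY_QUERY: {'query': "SELECT 'os_version' as table_name, name, major, minor, "
                                                           "patch, build from os_version;"
                                                           "SELECT 'system_info' as table_name, "
                                                           "computer_name, hostname, hardware_model, hardware_serial, "
                                                           "cpu_type, cpu_subtype, cpu_brand, cpu_physical_cores, "
                                                           "cpu_logical_cores, physical_memory from system_info",
                                                  'snapshot': True,
                                                  'interval': 600}}
    file_paths = {}
    probes = []  # probes with an osquery section
    event_type_probes = []  # probes without an osquery section but with a match on the event type
    for probe_name, probe_d in all_probes.items():
        osquery_d = probe_d.get('osquery', None)
        if not osquery_d:
            if test_probe_event_type(probe_d, 'osquery'):
                event_type_probes.append((probe_name, probe_d))
            continue
        # check and fix existing metadata_filters
        metadata_filters = probe_d.get('metadata_filters', None)
        if not metadata_filters:
            probe_d['metadata_filters'] = [{'type': 'osquery_result'}]
        else:
            for metadata_filter in metadata_filters:
                if metadata_filter.setdefault('type', "osquery_result") != "osquery_result":
                    # A filter of another type would let this probe match
                    # events it was not written for: fail the config build
                    # instead of building the exception and discarding it.
                    raise ImproperlyConfigured("Osquery probe %s with wrong type metadata_filter %s" %
                                               (probe_d.get('name', '?'), metadata_filter['type']))
        probes.append((probe_name, probe_d))
        for idx, osquery_query in enumerate(osquery_d.get('schedule', [])):
            osquery_query_key = '%s_%d' % (probe_name, idx)
            # copy so the probe definition is not modified when 'key' is dropped
            osquery_query = osquery_query.copy()
            osquery_query.pop('key', None)
            if osquery_query_key in schedule:
                raise ImproperlyConfigured('Query key {} already in schedule'.format(osquery_query_key))
            schedule[osquery_query_key] = osquery_query
        for category, paths in osquery_d.get('file_paths', {}).items():
            if category in file_paths:
                raise ImproperlyConfigured('File path category {} not unique'.format(category))
            file_paths[category] = paths
    osquery_conf = {'schedule': schedule,
                    'file_paths': file_paths}
    probes.sort()
    return osquery_conf, probes, event_type_probes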
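def build_santa_conf(all_probes):
    """
    Build the santa conf, the rule lookup dict and the two santa probe lists.

    The santa conf is the source of the json document that is sent to the santa
    client when it connects to zentral. It is a list of all the rules found in
    all the configured probes.

    The lookup dict is used when we process a santa event to find the probes
    that, because of the set of santa rules they contain, are responsible for
    its processing. Once we have the probes, we can trigger all the configured
    actions.

    Args:
        all_probes: mapping of probe_name -> probe_d (probe definition dict).

    Returns:
        A (santa_conf, lookup_d, probes, event_type_probes) tuple:

        * santa_conf: ``{'rules': [...]}``, every 'santa' rule of every probe
          with a non-empty 'santa' list, in all_probes iteration order.
        * lookup_d: maps each rule's ``sha256`` to the list of shallow copies
          of the probe dicts holding a rule with that hash.
        * probes: sorted list of (probe_name, probe_d) tuples for the probes
          with a 'santa' section. Their 'metadata_filters' are normalized in
          place so that every filter carries ``type == 'santa_event'``.
        * event_type_probes: (probe_name, probe_d) for the probes without a
          'santa' section that test_probe_event_type() matches on 'santa'.

    Raises:
        ImproperlyConfigured: if a santa probe has a metadata_filter whose
            type is not 'santa_event'.
        KeyError: if a santa rule has no ``sha256`` entry.
    """
    rules = []
    lookup_d = {}
    probes = []  # probes with a santa section
    event_type_probes = []  # probes without a santa section but with a match on the event type
    for probe_name, probe_d in all_probes.items():
        santa_l = probe_d.get('santa', None)
        if not santa_l:
            if test_probe_event_type(probe_d, "santa"):
                event_type_probes.append((probe_name, probe_d))
            continue
        # check and fix existing metadata_filters
        metadata_filters = probe_d.get('metadata_filters', None)
        if not metadata_filters:
            probe_d['metadata_filters'] = [{'type': 'santa_event'}]
        else:
            for metadata_filter in metadata_filters:
                if metadata_filter.setdefault('type', "santa_event") != "santa_event":
                    # A filter of another type would let this probe match
                    # events it was not written for: fail the config build
                    # instead of building the exception and discarding it.
                    raise ImproperlyConfigured("Santa probe %s with wrong type metadata_filter %s" %
                                               (probe_d.get('name', '?'), metadata_filter['type']))
        probes.append((probe_name, probe_d))
        rules.extend(santa_l)
        for santa_r in santa_l:
            # one copy per rule, so a probe appears once under each of its hashes
            lookup_d.setdefault(santa_r["sha256"], []).append(probe_d.copy())
    probes.sort()
    return {'rules': rules}, lookup_d, probes, event_type_probes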
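def build_osquery_conf(all_probes):
    """
    Build the osquery conf and the list of osquery probes.

    Args:
        all_probes: mapping of probe_name -> probe_d (probe definition dict).
            Only probes whose 'osquery' entry is non-empty take part.

    Returns:
        An (osquery_conf, probes) pair:

        * osquery_conf: ``{'schedule': {...}, 'file_paths': {...}}``. Each
          probe query is stored under the ``'<probe_name>_<idx>'`` key, with
          any 'key' entry of the query dropped; the probe definition itself
          is not modified. file_paths is the union of the probes' 'file_paths'
          categories.
        * probes: sorted list of (probe_name, probe_d) tuples for the probes
          with an 'osquery' section.

    Raises:
        ImproperlyConfigured: if two probes define the same file_paths
            category.
    """
    schedule = {}
    file_paths = {}
    probes = []
    for probe_name, probe_d in all_probes.items():
        osquery_d = probe_d.get('osquery', None)
        if not osquery_d:
            continue
        probes.append((probe_name, probe_d))
        for idx, osquery_query in enumerate(osquery_d.get('schedule', [])):
            osquery_query_key = '%s_%d' % (probe_name, idx)
            # copy so the probe definition is not modified when 'key' is dropped
            osquery_query = osquery_query.copy()
            osquery_query.pop('key', None)
            schedule[osquery_query_key] = osquery_query
        for category, paths in osquery_d.get('file_paths', {}).items():
            if category in file_paths:
                # apply the format: passing `category` as a second argument
                # left the literal "%s" in the message
                raise ImproperlyConfigured('File path category %s not unique' % category)
            file_paths[category] = paths
    osquery_conf = {'schedule': schedule,
                    'file_paths': file_paths}
    probes.sort()
    return osquery_conf, probes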
def build_munki_conf(all_probes):
    """
    Return the probes whose event type filter matches 'munki'.

    Args:
        all_probes: mapping of probe_name -> probe_d (probe definition dict).

    Returns:
        list of (probe_name, probe_d) tuples, in all_probes iteration order,
        for which test_probe_event_type(probe_d, 'munki') is true.
    """
    return [(name, probe_d)
            for name, probe_d in all_probes.items()
            if test_probe_event_type(probe_d, 'munki')]
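 def get_probe(self, **kwargs):
     """
     Return the probe dict registered under kwargs['probe_key'].

     Looks the name up in the module-level ``probes`` mapping; returns None
     when no probe has that name.

     Raises:
         KeyError: if 'probe_key' is not in kwargs.
     """
     # TODO log(1)
     # NOTE(review): probe_key is used verbatim (presumably a URL kwarg);
     # an unknown name yields None, so callers must handle a missing probe.
     # A direct lookup replaces the linear scan, whose `break` after the
     # `return` was unreachable.
     return probes.get(kwargs['probe_key'])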