def update_host_net_reference(hostid=None):
    """
    Rebuild the host_net_reference rows from host, host_ip and net_cidrs.

    The REPLACE ... SELECT statement below joins every host IP against the
    known network ranges. Because it locks the asset tables, callers that add
    hosts one at a time should pass ``hostid`` so that only that host's rows
    are recomputed; with no host the whole table is rebuilt (the original
    behaviour).

    Args:
        hostid (str|None): canonical UUID of the host to restrict the update
            to. A missing or invalid UUID means "rebuild everything".

    Returns:
        bool: True when the statement committed; False when it failed, in
        which case the transaction is rolled back and the error is logged
        through api_log.
    """
    statement = (
        "REPLACE INTO host_net_reference "
        "SELECT host.id, net_id FROM host, host_ip, net_cidrs "
        "WHERE host.id = host_ip.host_id "
        "AND host_ip.ip >= net_cidrs.begin AND host_ip.ip <= net_cidrs.end"
    )

    restrict_to_host = hostid is not None and is_valid_uuid(hostid)
    if restrict_to_host:
        # Interpolation is only reached for a value that passed is_valid_uuid()
        # and is then reduced to its hex form, so nothing caller-controlled
        # other than the UUID's hex digits ends up in the statement.
        statement += " AND host.id = unhex('%s')" % get_hex_string_from_uuid(hostid)

    try:
        db.session.begin()
        db.session.connection(mapper=Host_Net_Reference).execute(statement)
        db.session.commit()
    except Exception as err_detail:
        db.session.rollback()
        api_log.error("There was a problem while updating host net reference: %s" % str(err_detail))
        return False
    else:
        return True
def get_sensor_by_sensor_id(sensor_id):
    """
    Look up a Sensor row by its ID.

    Args:
        sensor_id (str): canonical UUID of the sensor, or the literal
            'local' (any case) to resolve the sensor of the local system.

    Returns:
        tuple (bool, Sensor|str): (True, sensor) when exactly one row
        matched; (False, error text) when the ID could not be resolved, no
        row or more than one row matched, or any other error occurred (the
        session is rolled back in that last case).
    """
    try:
        if sensor_id.lower() == 'local':
            # 'local' is resolved through the local system ID; a failed
            # resolution leaves sensor_id as 'local', which the UUID check
            # below rejects.
            ok, system_id = get_system_id_from_local()
            if not ok:
                raise APICannotResolveLocalSystemID()
            ok, local_sensor_id = get_sensor_id_from_system_id(system_id)
            if ok and local_sensor_id:
                sensor_id = local_sensor_id

        if not is_valid_uuid(sensor_id):
            raise APICannotResolveSensorID(sensor_id)

        sensor_id_bin = get_bytes_from_uuid(sensor_id.lower())
        sensor = db.session.query(Sensor).filter(Sensor.id == sensor_id_bin).one()
    except NoResultFound:
        return False, "No sensor found with the given ID"
    except MultipleResultsFound:
        return False, "More than one sensor found with the given ID"
    except Exception as ex:
        db.session.rollback()
        # NOTE(review): the exception text is returned to the caller as-is;
        # confirm that is acceptable for whatever surfaces this message.
        return False, "Something wrong happen while retrieving the sensor {0}".format(ex)
    return True, sensor
def update_host_net_reference(hostid=None):
    """
    Refresh host_net_reference from the host / host_ip / net_cidrs tables.

    Every host IP is matched against the known network ranges with a
    REPLACE ... SELECT. The statement locks the asset tables, which is
    noticeable on large asset inventories, so pass ``hostid`` when only one
    host changed; without it the full table is rebuilt as before.

    Args:
        hostid (str|None): canonical UUID of the single host to refresh.
            None or an invalid UUID falls back to the full rebuild.

    Returns:
        bool: True once the transaction committed, False after a rollback
        (the failure is written to api_log).
    """
    base_sql = (
        "REPLACE INTO host_net_reference "
        "SELECT host.id, net_id FROM host, host_ip, net_cidrs "
        "WHERE host.id = host_ip.host_id AND host_ip.ip >= net_cidrs.begin AND host_ip.ip <= net_cidrs.end"
    )

    # Only a value that passed is_valid_uuid() is interpolated, and only in
    # its hex form, which is what keeps this string-built filter safe.
    host_filter = ""
    if hostid is not None and is_valid_uuid(hostid):
        host_filter = " AND host.id = unhex('%s')" % get_hex_string_from_uuid(hostid)

    try:
        db.session.begin()
        db.session.connection(mapper=Host_Net_Reference).execute(base_sql + host_filter)
        db.session.commit()
    except Exception as err_detail:
        db.session.rollback()
        api_log.error(
            "There was a problem while updating host net reference: %s" % str(err_detail))
        return False
    return True
def get_sensor_by_sensor_id(sensor_id):
    """
    Return the Sensor row for a sensor ID.

    Args:
        sensor_id (str): canonical UUID, or 'local' (case-insensitive) to
            select the sensor attached to the local system.

    Returns:
        tuple (bool, Sensor|str): (True, sensor) on success, otherwise
        (False, error text). Unexpected errors roll the session back.
    """
    resolved_id = sensor_id
    try:
        if resolved_id.lower() == 'local':
            found, system_id = get_system_id_from_local()
            if not found:
                raise APICannotResolveLocalSystemID()
            found, local_sensor_id = get_sensor_id_from_system_id(system_id)
            if found and local_sensor_id:
                resolved_id = local_sensor_id

        # An unresolved 'local' or a malformed ID is rejected here rather
        # than being sent to the database.
        if not is_valid_uuid(resolved_id):
            raise APICannotResolveSensorID(resolved_id)

        key = get_bytes_from_uuid(resolved_id.lower())
        sensor_row = db.session.query(Sensor).filter(Sensor.id == key).one()
        return True, sensor_row
    except NoResultFound:
        return False, "No sensor found with the given ID"
    except MultipleResultsFound:
        return False, "More than one sensor found with the given ID"
    except Exception as ex:
        db.session.rollback()
        # NOTE(review): the raw exception text is handed back to the caller;
        # verify nothing sensitive can reach an API consumer this way.
        return False, "Something wrong happen while retrieving the sensor {0}".format(ex)
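def _ansible_last_error(ansible_result, sensor_ip):
    """
    Pick the most useful error text out of a HIDS deployment ansible result.

    Args:
        ansible_result (dict): value returned by ansible_ossec_win_deploy()
        sensor_ip (str): IP of the sensor the playbook was run through

    Returns:
        str: "System is unreachable" when the run flags the host as
        unreachable; otherwise the first non-empty one of the 'msg',
        'stderr' and 'stdout' fields recorded under
        ansible_result['alienvault']['lasterror'][sensor_ip]; "" if none
        of them is set.
    """
    if ansible_result[sensor_ip]['unreachable'] == 1:
        return "System is unreachable"
    last_error = ansible_result['alienvault']['lasterror'][sensor_ip]
    for field in ('msg', 'stderr', 'stdout'):
        if field in last_error and last_error[field] != "":
            return last_error[field]
    return ""


def ossec_win_deploy(sensor_id, asset_id, windows_ip, windows_username,
                     windows_password, windows_domain, agent_id=None):
    """
    Deploy HIDS agent on a Windows System

    Args:
        sensor_id(str): Sensor ID ('local' is resolved by get_sensor_by_sensor_id)
        asset_id(str): Asset ID
        windows_ip(str): Deployment IP (where we are going to deploy the HIDS Agent)
        windows_username(str): Windows Username
        windows_password(str): Windows Password
        windows_domain(str): Windows Domain
        agent_id(str): Agent ID. When omitted, the first agent already
            registered for the asset is used; if the asset has no agent a
            new one named after the asset is created.

    Returns:
        tuple (bool, str): (True, 'HIDS agent successfully deployed') when the
        playbook ran without failures, (False, <error text>) otherwise. The
        outcome is also recorded in the Message Center for the asset.

    The following exceptions are raised internally and converted into a
    (False, message) result instead of being propagated to the caller:
        APICannotResolveAssetID
        APICannotCreateHIDSAgent
        APICannotGetHIDSAgentByAsset
        APICannotResolveSensorID
        APICannotDeployHIDSAgent
        APIInvalidDeploymentIP
        APIInvalidWindowsUsername
        APIInvalidWindowsPassword
        APIInvalidAgentID
    """
    # Defaults so the Message Center payload below is complete even when an
    # early validation step fails.
    agent_name = None
    sensor_ip = None
    sensor_name = None
    asset_name = None
    try:
        # Validate deployment parameters before touching the sensor
        if not is_valid_uuid(asset_id):
            raise APICannotResolveAssetID(asset_id)
        if not is_valid_ipv4(windows_ip):
            raise APIInvalidDeploymentIP(windows_ip)
        if not is_valid_windows_user(windows_username):
            raise APIInvalidWindowsUsername(windows_username)
        if not is_valid_user_password(windows_password):
            raise APIInvalidWindowsPassword()
        if agent_id and not is_valid_ossec_agent_id(agent_id):
            raise APIInvalidAgentID(agent_id)

        # Getting Sensor Information
        (success, sensor) = get_sensor_by_sensor_id(sensor_id)
        if not success:
            raise APICannotResolveSensorID(sensor_id)
        # 32 upper-case hex chars: the form used as the agent-key prefix below
        sensor_id = get_uuid_string_from_bytes(sensor.id).replace('-', '').upper()
        sensor_ip = get_ip_str_from_bytes(sensor.ip)
        sensor_name = sensor.name

        # Agents already registered for this asset, keyed '<sensor_id>#<agent_id>'
        hids_agents = get_hids_agents_by_asset(asset_id, sensor_id)
        asset_name = get_name_by_host_id(asset_id)

        if len(hids_agents) == 0:
            # No agent yet: register one named after the asset
            agent_name = asset_name
            (success, data) = apimethod_ossec_add_new_agent(sensor_id, agent_name,
                                                            windows_ip, asset_id)
            if not success:
                raise APICannotCreateHIDSAgent(agent_name, sensor_id)
            agent_id = data
        else:
            if agent_id:
                agent_key = sensor_id + '#' + agent_id
            else:
                # No agent requested: fall back to the first one registered
                # for the asset (works on both Python 2 and 3 dicts).
                agent_key = next(iter(hids_agents))
            if agent_key not in hids_agents:
                raise APICannotGetHIDSAgentByAsset(asset_id)
            agent_name = hids_agents[agent_key].get('name')
            agent_id = hids_agents[agent_key].get('id')

        # Deploy HIDS Agent
        ansible_result = ansible_ossec_win_deploy(sensor_ip, agent_name, windows_ip,
                                                 windows_username, windows_domain,
                                                 windows_password)
        host_result = ansible_result[sensor_ip]
        if host_result['unreachable'] != 0 or host_result['failures'] != 0:
            error_msg = 'HIDS Agent cannot be deployed. Reason: {0}'.format(
                _ansible_last_error(ansible_result, sensor_ip))
            raise APICannotDeployHIDSAgent(error_msg)

        # No error: read the agent status back from the sensor after a short
        # pause (presumably to let the new agent register) and store it.
        time.sleep(2)
        (success, data) = apimethod_ossec_get_agent_detail(sensor_id, agent_id)
        if success:
            # The detail line is comma-separated; the 4th field is taken as status
            agent_status = data[0].split(',')[3]
            update_hids_agent_status(agent_id, sensor_id, agent_status)

        res = True
        message = 'HIDS agent successfully deployed'
    except APICannotDeployHIDSAgent as err:
        message = str(err)
        res = False
    except Exception as err:
        # Validation, lookup, ansible and DB failures all end up here and are
        # reported through the same (False, message) path after being logged.
        message = str(err)
        logger.error(message)
        res = False

    # Record the outcome in the Message Center: ...10033 is used on success,
    # ...10031 on failure.
    mc_id = "00000000-0000-0000-0000-000000010033" if res is True else "00000000-0000-0000-0000-000000010031"
    # The payload carries identifiers and the status text only; the Windows
    # credentials are deliberately not written to it.
    additional_info = json.dumps({
        "asset_id": asset_id,
        "sensor_id": sensor_id,
        "agent_id": agent_id,
        "asset_name": asset_name,
        "asset_ip": windows_ip,
        "sensor_ip": sensor_ip,
        "sensor_name": sensor_name,
        "agent_name": agent_name,
        "deploy_status": message
    })
    insert_current_status_message(mc_id, asset_id, "host", additional_info)

    return res, message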
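def create_host(ips, sensor_id, hostname='', fqdns='', asset_value=2,
                threshold_c=30, threshold_a=30, alert=0, persistence=0,
                nat=None, rrd_profile=None, descr='', lat=0, lon=0,
                icon=None, country=None, external_host=0, permissions=0,
                av_component=0, output='str', refresh=False):
    """
    Creates a new host in the database

    Args:
        ips (list[str]): IP addresses of the host; at least one is required.
            They are stored through get_ip_bin_from_str() without further
            validation here, so callers are expected to validate them first.
        sensor_id (str): canonical UUID of the sensor the host belongs to;
            its context (ctx) is looked up with get_sensor_ctx_by_sensor_id().
        hostname (str): host name; when empty it defaults to
            "Host-<first ip with dots replaced by dashes>".
        fqdns, asset_value, threshold_c, threshold_a, alert, persistence,
        nat, rrd_profile, descr, lat, lon, icon, country, external_host,
        permissions, av_component: stored as given in the Host row.
        output, refresh: accepted for interface compatibility; this
            implementation does not use them.

    Return:
        Tuple (boolean, msg)
        - boolean indicates whether the operation was successful or not
        - msg will be the host ID, or the error string otherwise
    """
    if not ips:
        return False, "At least one IP is required"

    _found, ctx = get_sensor_ctx_by_sensor_id(sensor_id)
    # The ctx is validated as a UUID rather than trusting the success flag,
    # so an error string returned in place of the ctx is rejected here.
    if not is_valid_uuid(ctx):
        return False, "ctx is not a valid canonical uuid"
    ctx_bin = get_bytes_from_uuid(ctx)

    host_id = str(uuid.uuid4())
    host_id_bin = get_bytes_from_uuid(host_id)
    if hostname == '':
        hostname = "Host-%s" % (ips[0].replace(".", "-"))

    try:
        db.session.begin()
        for host_ip in ips:
            db.session.merge(Host_Ip(host_id=host_id_bin,
                                     ip=get_ip_bin_from_str(host_ip),
                                     mac=None,
                                     interface=None))
        host = Host(id=host_id_bin,
                    ctx=ctx_bin,
                    hostname=hostname,
                    fqdns=fqdns,
                    asset=asset_value,
                    threshold_c=threshold_c,
                    threshold_a=threshold_a,
                    alert=alert,
                    persistence=persistence,
                    nat=nat,
                    rrd_profile=rrd_profile,
                    descr=descr,
                    lat=lat,
                    lon=lon,
                    icon=icon,
                    country=country,
                    external_host=external_host,
                    permissions=permissions,
                    av_component=av_component)
        db.session.merge(host)
        db.session.merge(Host_Sensor_Reference(host_id=host_id_bin,
                                               sensor_id=get_bytes_from_uuid(sensor_id)))
        db.session.commit()
    except Exception as err:
        # Any failure (including a malformed sensor_id) rolls the whole
        # host/ip/sensor-reference insert back as one unit.
        db.session.rollback()
        message = "There was a problem adding new Host %s to the database: %s" % (hostname, str(err))
        api_log.error(message)
        return False, message

    # Success: hand back the canonical id of the new host, as documented.
    return True, host_id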
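def ossec_win_deploy(sensor_id, asset_id, windows_ip, windows_username,
                     windows_password, windows_domain, agent_id=None):
    """
    Deploy HIDS agent on a Windows System

    Args:
        sensor_id(str): Sensor ID ('local' is resolved by get_sensor_by_sensor_id)
        asset_id(str): Asset ID
        windows_ip(str): Deployment IP (where we are going to deploy the HIDS Agent)
        windows_username(str): Windows Username
        windows_password(str): Windows Password
        windows_domain(str): Windows Domain
        agent_id(str): Agent ID. When omitted, the first agent already
            registered for the asset is used; if the asset has none, a new
            agent named after the asset is created.

    Returns:
        tuple (bool, str): (True, 'HIDS agent successfully deployed') when the
        playbook ran without failures, (False, <error text>) otherwise. The
        outcome is also recorded in the Message Center for the asset.

    The following exceptions are raised internally and converted into a
    (False, message) result instead of being propagated to the caller:
        APICannotResolveAssetID
        APICannotCreateHIDSAgent
        APICannotGetHIDSAgentByAsset
        APICannotResolveSensorID
        APICannotDeployHIDSAgent
        APIInvalidDeploymentIP
        APIInvalidWindowsUsername
        APIInvalidWindowsPassword
        APIInvalidAgentID
    """
    # Defaults so the Message Center payload is complete even when an early
    # validation step fails.
    agent_name = None
    sensor_ip = None
    sensor_name = None
    asset_name = None
    try:
        # Validate deployment parameters before touching the sensor
        if not is_valid_uuid(asset_id):
            raise APICannotResolveAssetID(asset_id)
        if not is_valid_ipv4(windows_ip):
            raise APIInvalidDeploymentIP(windows_ip)
        if not is_valid_windows_user(windows_username):
            raise APIInvalidWindowsUsername(windows_username)
        if not is_valid_user_password(windows_password):
            raise APIInvalidWindowsPassword()
        if agent_id and not is_valid_ossec_agent_id(agent_id):
            raise APIInvalidAgentID(agent_id)

        # Getting Sensor Information
        (success, sensor) = get_sensor_by_sensor_id(sensor_id)
        if not success:
            raise APICannotResolveSensorID(sensor_id)
        # 32 upper-case hex chars: the form used as the agent-key prefix below
        sensor_id = get_uuid_string_from_bytes(sensor.id).replace('-', '').upper()
        sensor_ip = get_ip_str_from_bytes(sensor.ip)
        sensor_name = sensor.name

        # Agents already registered for this asset, keyed '<sensor_id>#<agent_id>'
        hids_agents = get_hids_agents_by_asset(asset_id, sensor_id)
        asset_name = get_name_by_host_id(asset_id)

        if len(hids_agents) == 0:
            # No agent yet: register one named after the asset
            agent_name = asset_name
            (success, data) = apimethod_ossec_add_new_agent(sensor_id, agent_name, windows_ip, asset_id)
            if not success:
                raise APICannotCreateHIDSAgent(agent_name, sensor_id)
            agent_id = data
        else:
            if agent_id:
                agent_key = sensor_id + '#' + agent_id
            else:
                # No agent requested: fall back to the first one registered
                # for the asset (works on both Python 2 and 3 dicts).
                agent_key = next(iter(hids_agents))
            if agent_key not in hids_agents:
                raise APICannotGetHIDSAgentByAsset(asset_id)
            agent_name = hids_agents[agent_key].get('name')
            agent_id = hids_agents[agent_key].get('id')

        # Deploy HIDS Agent
        run_result = ansible_ossec_win_deploy(sensor_ip, agent_name, windows_ip,
                                              windows_username, windows_domain, windows_password)
        host_summary = run_result[sensor_ip]
        if host_summary['unreachable'] == 0 and host_summary['failures'] == 0:
            # No error: read the agent status back from the sensor after a
            # short pause (presumably to let the new agent register) and store it.
            time.sleep(2)
            (success, data) = apimethod_ossec_get_agent_detail(sensor_id, agent_id)
            if success:
                # The detail line is comma-separated; the 4th field is taken as status
                agent_status = data[0].split(',')[3]
                update_hids_agent_status(agent_id, sensor_id, agent_status)
        else:
            # Prefer the unreachable marker, then the first non-empty of
            # msg / stderr / stdout recorded by the ansible wrapper.
            ans_last_error = ""
            if host_summary['unreachable'] == 1:
                ans_last_error = "System is unreachable"
            else:
                last_error = run_result['alienvault']['lasterror'][sensor_ip]
                for field in ('msg', 'stderr', 'stdout'):
                    if field in last_error and last_error[field] != "":
                        ans_last_error = last_error[field]
                        break
            error_msg = 'HIDS Agent cannot be deployed. Reason: {0}'.format(ans_last_error)
            raise APICannotDeployHIDSAgent(error_msg)

        res = True
        message = 'HIDS agent successfully deployed'
    except APICannotDeployHIDSAgent as err:
        message = str(err)
        res = False
    except Exception as err:
        # Validation, lookup, ansible and DB failures all end up here and are
        # reported through the same (False, message) path after being logged.
        message = str(err)
        logger.error(message)
        res = False

    # Record the outcome in the Message Center: ...10033 is used on success,
    # ...10031 on failure.
    mc_id = "00000000-0000-0000-0000-000000010033" if res is True else "00000000-0000-0000-0000-000000010031"
    # The payload carries identifiers and the status text only; the Windows
    # credentials are deliberately not written to it.
    additional_info = {
        "asset_id": asset_id,
        "sensor_id": sensor_id,
        "agent_id": agent_id,
        "asset_name": asset_name,
        "asset_ip": windows_ip,
        "sensor_ip": sensor_ip,
        "sensor_name": sensor_name,
        "agent_name": agent_name,
        "deploy_status": message
    }
    insert_current_status_message(mc_id, asset_id, "host", json.dumps(additional_info))

    return res, message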
def update_system_hids_agents(system_id):
    """
    Synchronise the stored HIDS agents of a system with what its sensor reports.

    The agents listed by the sensor ('list_available_agents') are compared with
    the ones stored for that sensor: new ones are added, existing ones get
    their status refreshed and, when they have no asset yet, are linked to
    an asset found (or created) by IP; agents no longer reported are deleted.
    Per-agent APIException failures are logged and skipped; any other
    exception propagates and aborts the remaining work.

    @param system_id: system_id of the sensor to update
    @return: tuple (not_linked_assets, refresh_idm) - number of agents that
        could not be linked to an asset, and whether a host was created
        (so the caller may want to refresh the IDM data)
    @raise APICannotRetrieveSystem: the system information could not be read
    @raise APICannotRunHIDSCommand: the sensor did not return its agent list
    """
    # Getting system information
    success, system_info = get_system_info(system_id)
    # Getting sensor ID
    if success:
        sensor_id = system_info['sensor_id']
    else:
        raise APICannotRetrieveSystem(system_id)

    stored_agents = get_hids_agents_by_sensor(sensor_id)
    success, agents = ossec_get_available_agents(
        sensor_id=sensor_id, op_ossec='list_available_agents', agent_id='')
    if not success:
        raise APICannotRunHIDSCommand(sensor_id, 'list_available_agents')

    # Partition by agent id: reported-but-not-stored, both, stored-but-not-reported
    added_agents = [
        agent_id for agent_id in agents.keys() if agent_id not in stored_agents
    ]
    present_agents = [
        agent_id for agent_id in agents.keys() if agent_id in stored_agents
    ]
    deleted_agents = [
        agent for agent in stored_agents if agent not in agents.keys()
    ]

    # Add new agents to database
    for agent_id in added_agents:
        try:
            agent = agents[agent_id]
            add_hids_agent(agent_id=agent_id,
                           sensor_id=sensor_id,
                           agent_name=agent['name'],
                           agent_ip=agent['ip'],
                           agent_status=agent['status'])
        except APIException as e:
            logger.error("Error adding hids agent: {0}".format(e))

    not_linked_assets = 0
    refresh_idm = False
    # Update agent status and check asset_id in database
    for agent_id in present_agents:
        try:
            # Update HIDS agent status
            update_hids_agent_status(agent_id=agent_id,
                                     sensor_id=sensor_id,
                                     agent_status=agents[agent_id]['status'])
            agent_data = get_hids_agent_by_sensor(sensor_id, agent_id)
            # Check HIDS agent asset id
            if agent_data['host_id'] == '':
                # Try to update HIDS agent asset id
                # NOTE(review): the linked-asset map is re-read for every
                # unlinked agent, so the local entry added further down
                # only survives until the next iteration's refetch.
                linked_assets = get_linked_assets()
                agent_ip_cidr = agent_data['ip_cidr']
                asset_id = None
                # Getting current IP
                if agent_ip_cidr == '127.0.0.1':
                    # Special case: Local agent
                    agent_ip_cidr = system_info['ha_ip'] if system_info[
                        'ha_ip'] else system_info['admin_ip']
                elif agent_ip_cidr.lower() == 'any' or agent_ip_cidr.lower(
                ) == '0.0.0.0' or (is_valid_ipv4_cidr(agent_ip_cidr) and agent_ip_cidr.find('/') != -1):
                    # DHCP environments (Get the latest IP)
                    # The IP reported by the sensor is only used below once
                    # it passes is_valid_ipv4(); a failed lookup leaves a
                    # non-IP value here and the agent stays unlinked.
                    success, agent_ip_cidr = ossec_get_check(
                        sensor_id, agent_data['name'], "lastip")
                # Search asset_id
                if is_valid_ipv4(agent_ip_cidr):
                    success, sensor_ctx = get_sensor_ctx_by_sensor_id(sensor_id)
                    if success:
                        success, asset_id = get_host_id_by_ip_ctx(
                            agent_ip_cidr, sensor_ctx, output='str')
                        if not is_valid_uuid(asset_id):
                            # No host with that IP in the sensor's context:
                            # create one and flag the IDM refresh for the caller
                            success, new_asset_id = create_host([agent_ip_cidr], sensor_id)
                            if is_valid_uuid(new_asset_id):
                                asset_id = new_asset_id
                                refresh_idm = True
                # Linking asset to agent
                # An asset already linked to another agent is not relinked;
                # it is counted as not linked instead.
                if is_valid_uuid(asset_id) and asset_id not in linked_assets:
                    update_asset_id(sensor_id=sensor_id,
                                    agent_id=agent_id,
                                    asset_id=asset_id)
                    linked_assets[asset_id] = {
                        'ha_id': agent_id,
                        'sensor_id': sensor_id
                    }
                else:
                    not_linked_assets += 1
        except APIException as e:
            # NOTE(review): only APIException is caught; e.g. an ip_cidr of
            # None would raise AttributeError at .lower() and abort the loop.
            logger.error('[update_system_hids_agents]: {0}'.format(e))

    # Remove deleted agents from database
    for agent_id in deleted_agents:
        try:
            delete_hids_agent(agent_id, sensor_id)
        except APIException as e:
            logger.error('[update_system_hids_agents]: {0}'.format(e))

    return not_linked_assets, refresh_idm