def add_server(server_ip, password): """ Add a new system. """ if not is_valid_ipv4(server_ip): return False, "Invalid IP format: %s" % server_ip (success, local_system_id) = get_system_id_from_local() if not success: return success, "Error retrieving the local system id" (success, response) = ansible_add_system(local_system_id=local_system_id, remote_system_ip=server_ip, password=password) if not success: return success, "Cannot add the server to the system" trigger_success, msg = fire_trigger(system_ip="127.0.0.1", trigger="alienvault-add-server") if not trigger_success: api_log.error(msg) (success, response) = get_remote_server_id_from_server_ip(server_ip) return (success, response)
def apimethod_add_sensor(sensor_id, password, ctx): if password is not None: (success, response) = add_sensor(sensor_id, password) if not success: raise APICannotAddSensor(sensor_id, log=str(response)) (success, job_id) = set_sensor_context(sensor_id, ctx) if not success: raise APICannotSetSensorContext(sensor_id) trigger_success, msg = fire_trigger(system_ip="127.0.0.1", trigger="alienvault-new-sensor") if not trigger_success: api_log.error(msg) return job_id
def set_interfaces_roles(system_ip,interface_roles): """ Check the role of subset of intefaces in the system @param system_ip The system IP where we're going to operate @param inteface_roles A json describing each interface we're going to touch interface_role format: { "iface" : {"role":<role>, "ipaddress":<ipaddress>, "netmask":<netmask>}, ...} The possibles roles and params monitoring => no ipaddress and no netmask log_management => ipaddress and netmask must be present disable => no ipaddress and no netmask iface is the name of the network interface as configures (eth0, eth1, etc) iface SHOULD NOT BE the admin interface """ def get_admin_interface_from_current_status(current_status): for interface, interface_data in current_status.iteritems(): if interface_data['role'] == 'admin': return interface return None # check params if system_ip == "": return False, "The system_ip should be a valid IP Address" if not isinstance(interface_roles, dict): return False, "The interface_roles should be a dictionary" if len(interface_roles)<=0: return False, "Empty interface roles" # Retrieve the current status. rc, net_current_status = get_iface_list(system_ip) if not rc: return False, "We can't retrieve the current status of the network configuration: %s" % net_current_status # The management interface can't be set. admin_interface = get_admin_interface_from_current_status(net_current_status) if admin_interface is not None: if admin_interface in interface_roles.keys(): return False, "'%s' is the admin interface. You can't set the role" % admin_interface # Retrieve the network interface list from ansible facts response = ansible.run_module([system_ip], module="av_setup", args="filter=ansible_interfaces", use_sudo=True) if system_ip in response['dark']: return False, "We can't retrieve the current network interface list: %s" % response['dark'][system_ip] if response['contacted'][system_ip].get('Failed',False) is True: return False, "We can't retrieve the current network interface list: %s" % response['contacted'][system_ip] # Ok, now in response we have all systems interfaces returned by ansible # u'ansible_facts': {u'ansible_interfaces': [u'lo', u'bond0', u'eth2', u'eth1', u'eth0']}}}} # First verify that the admin iface is in the list system_interfaces = response['contacted'][system_ip]['ansible_facts']['ansible_interfaces'] if admin_interface not in system_interfaces: return False, "Internal error admin iface '%s' not in system interfaces '%s'" % \ (admin_interface, str(system_interfaces)) # Check that all ifaces are included in system_ifaces if not set(interface_roles.keys()).issubset(set(system_interfaces)): return False, "There are interfaces in the request that are not present in the system" # Retrieves the current [sensor]interfaces from ossim_setup.conf (success, sensor_ifaces) = get_sensor_interfaces(system_ip) if not success: return False, "Can't get current sensor interfaces" sensor_ifaces = sensor_ifaces['sensor_interfaces'] # Ok, now we must check that each param obeys the constrains # Retrieve the system configured interfaces (success,system_configured_ifaces) = get_conf_network_interfaces(system_ip, store_path=True) if not success: return False, "Can't retrieve the current configured interfaces" # Build a hash table with key=ethx and value False result_ifaces = dict([(x, False) for x in interface_roles.keys()]) old_sensor_ifaces = sensor_ifaces[:] # CLone, python use refs removed_interfaces = [] added_interfaces = [] # Before attempting to make changes we have to check if the result of the operation would be consistent future_net_status = net_current_status.copy() for iface, conf in interface_roles.items(): role = conf.get('role', None) netmask = conf.get('netmask', None) address = conf.get('ipaddress', None) if future_net_status.has_key(iface): if future_net_status[iface]['role'] != role: future_net_status[iface].pop('ipv4', None) # Clear the old IPv4 because we have change roles future_net_status[iface]['role'] = role # We need to clear all the info if we changed the role future_net_status[iface]['promisc'] = False if role == 'monitoring': future_net_status[iface]['promisc'] = True if role == 'log_management': ipconf = {'network': "", 'netmask': netmask, 'address': address} future_net_status[iface]['ipv4'] = ipconf admin_interfaces_future_net_status = [iface for iface, data in future_net_status.iteritems() if data['role'] is 'admin'] if len(admin_interfaces_future_net_status) > 1: return False, "The admin interface is: %s and it's not allowed to configure more than one %s" % ( admin_interface, admin_interfaces_future_net_status) ip_interfaces = [data['ipv4']['address'] for iface, data in future_net_status.iteritems() if 'ipv4' in data and data['ipv4']['address'] is not None and data['role'] is not 'disabled' and data['role'] is not 'monitoring'] if len(ip_interfaces) > len(set(ip_interfaces)): return False, "It's not allowed to have more than one interface with the same ip" for iface, conf in interface_roles.items(): role = conf.get('role', None) if role == "log_management": iface_netmask = conf.get('netmask', None) iface_address = conf.get('ipaddress', None) if iface_address is None: result_ifaces[iface] = (False, "In order to configure the given interface (%s) as a log management " "interface we need an IP address(%s)" % ( iface, iface_address)) continue if iface_netmask is None: result_ifaces[iface] = (False, "In order to configure the given interface (%s) as a log management " "interface we need a valid netmask (%s)" % ( iface, iface_netmask)) continue (success, result) = set_conf_iface(system_ip, iface, iface_address, iface_netmask) if not success: api_log.error("Can't configure iface '%s' msg: %s " % (iface, str(result))) result_ifaces[iface] = (False, "Can't configure iface '%s' msg: %s" % (iface, str(result))) continue result_ifaces[iface] = (True, "Configured in /etc/network/interfaces") added_interfaces.append(iface) if iface in sensor_ifaces: sensor_ifaces.remove(iface) elif role == 'disabled' or role == 'monitoring': # Check if the iface is in the if iface in system_configured_ifaces.keys(): # Down iface (success,result) = iface_debian_down(system_ip,[iface]) if not success: api_log.error("Can't bring down configured iface '%s' " % iface) result_ifaces[iface] = False,"Can't bring down configured iface '%s' " % iface continue (success,result) = delete_conf_iface (system_ip, iface) if not success: result_ifaces[iface] = (False, "Can't delete iface from /etc/network/interfaces msg: %s" % str(result)) continue removed_interfaces.append(iface) result_ifaces[iface] = (True, "Removed from /etc/network/interfaces") else: result_ifaces[iface] = (True, "Not in /etc/network/interfaces") if role == 'disabled': removed_interfaces.append(iface) if iface in sensor_ifaces: sensor_ifaces.remove(iface) else: added_interfaces.append(iface) if iface not in sensor_ifaces: sensor_ifaces.append(iface) else: return False, "Invalid Role (%s) for the interface %s" % (role, iface) # Here the code must be OK # How can we make and atomic "configuration" of this code # Now, check if we have to change the [sensor]interfaces # First, now ifdown (success,msg) = iface_down(system_ip, removed_interfaces) if not success: return False, "Something wrong has happened while setting down the interfaces %s" % msg # Give me up (success, msg) = iface_up(system_ip, added_interfaces) if not success: return False, "Something wrong has happened while setting up the interfaces %s" % msg if set(sensor_ifaces) != set(old_sensor_ifaces): # Set the ne sensors (success,msg) = set_sensor_interfaces(system_ip,",".join(sensor_ifaces)) if not success: return False, result_ifaces # Regenerate /etc/alienvault/network/interfaces # It should be done until all the interface management is ported to use lib av_config fire_trigger(system_ip=system_ip, trigger="alienvault-network-interfaces-migrate", execute_trigger=False) return True, result_ifaces
def apimethod_delete_system(system_id): success, local_system_id = get_system_id_from_local() if not success: error_msg = "Cannot retrieve the " + \ "local system id. %s" % str(local_system_id) return success, error_msg if system_id == 'local' or get_hex_string_from_uuid(local_system_id) == get_hex_string_from_uuid(system_id): error_msg = "You're trying to remove the local system, " + \ "which it's not allowed" return False, error_msg (success, system_ip) = get_system_ip_from_system_id(system_id) if not success: error_msg = "Cannot retrieve the system ip " + \ "for the given system-id %s" % (str(system_ip)) return success, error_msg # Check whether the remote system is reachable or not: try: remote_system_is_reachable = ping_system(system_id, no_cache=True) except APIException: remote_system_is_reachable = False # We need to take the sensor_id from the database before removing it from the db (success_f, sensor_id) = get_sensor_id_from_system_id(system_id) # 1 - Remove it from the database success, msg = db_remove_system(system_id) if not success: error_msg = "Cannot remove the system " + \ "from the database <%s>" % str(msg) return success, error_msg # 2 - Remove the firewall rules. if success_f: trigger_success, msg = fire_trigger(system_ip="127.0.0.1", trigger="alienvault-del-sensor") if not trigger_success: api_log.error(msg) else: trigger_success, msg = fire_trigger(system_ip="127.0.0.1", trigger="alienvault-del-server") if not trigger_success: api_log.error(msg) # 3 - Remove the remote certificates # success, msg = ansible_remove_certificates(system_ip) # if not success: # return (success, # "Error while removing the remote certificates: %s" % str(msg)) # 4 - Remove the local certificates and keys success, local_ip = get_system_ip_from_local() if not success: error_msg = "Cannot retrieve the local ip " + \ "<%s>" % str(local_ip) return success, error_msg #Remove remote system certificates on the local system success, msg = ansible_remove_certificates(system_ip=local_ip, system_id_to_remove=system_id) if not success: return success, "Cannot remove the local certificates <%s>" % str(msg) # 5 - Remove it from the ansible inventory. try: aim = AnsibleInventoryManager() aim.delete_host(system_ip) aim.save_inventory() del aim except Exception as aim_error: error_msg = "Cannot remove the system from the " + \ "ansible inventory file " + \ "<%s>" % str(aim_error) return False, error_msg # 6 - Try to connect to the child and remove the parent # using it's server_id success, own_server_id = get_server_id_from_local() if not success: error_msg = "Cannot retrieve the server-id " + \ "from local <%s>" % str(msg) return success, error_msg if remote_system_is_reachable: success, msg = ansible_delete_parent_server(system_ip, own_server_id) if not success: error_msg = "Cannot delete parent server in child <%s>" % str(msg) return success, error_msg return True, "" msg = "The remote system is not reachable. " + \ "We had not been able to remove the parent configuration" return True, msg
def add_system_from_ip(system_ip, password, add_to_database=True): """ Add a new system using system ip. """ (success, local_system_id) = get_system_id_from_local() if not success: error_msg = "Something wrong happened retrieving " + \ "the local system id" return success, error_msg (success, response) = ansible_add_system(local_system_id=local_system_id, remote_system_ip=system_ip, password=password) if not success: api_log.error(response) return success, response (success, system_info) = ansible_get_system_info(system_ip) if not success: api_log.error(system_info) return success, "Something wrong happened getting the system info" sensor_id = None if 'server' in system_info['profile']: # - Do not add the child server when I'm myself if system_info['server_id'] != local_system_id: success, msg = add_child_server(system_ip, system_info['server_id']) if not success: api_log.error(str(msg)) error_msg = "Something wrong happened setting the child server" return False, error_msg if 'sensor' in system_info['profile']: if 'server' in system_info['profile'] and system_info['sensor_id']: # sensor and sensor profiles come with its own sensor_id sensor_id = system_info['sensor_id'] else: # get sensor_id from ip sensor_ip = system_ip if system_info['vpn_ip']: sensor_ip = system_info['vpn_ip'] (success, sensor_id) = get_sensor_id_from_sensor_ip(sensor_ip) if not success: api_log.error(str(sensor_id)) sensor_id = None system_info['sensor_id'] = sensor_id if not system_info['admin_ip']: system_info['admin_ip'] = system_ip if system_info['admin_ip'] != system_ip: # We're natted system_info['admin_ip'] = system_ip if add_to_database: profile_str = ','.join(system_info['profile']) (success, msg) = db_add_system(system_id=system_info['system_id'], name=system_info['hostname'], admin_ip=system_info['admin_ip'], vpn_ip=system_info['vpn_ip'], profile=profile_str, server_id=system_info['server_id'], sensor_id=system_info['sensor_id']) if not success: api_log.error(msg) error_msg = "Something wrong happened inserting " + \ "the system into the database" return (False, error_msg) else: result, _ = get_system_ip_from_system_id (system_info['system_id']) if not result: error_msg = "System was not inserted, cannot continue" return (False, error_msg) # Now that the system is in the database, check if it is a server and # open the firewall, if it is required. if 'server' in system_info['profile']: trigger_success, msg = fire_trigger(system_ip="127.0.0.1", trigger="alienvault-add-server") if not trigger_success: api_log.error(msg) (success, msg) = create_directory_for_ossec_remote(system_info['system_id']) if not success: api_log.error(msg) return (False, msg) return (True, system_info)
def apimethod_delete_system(system_id): success, local_system_id = get_system_id_from_local() if not success: error_msg = "Cannot retrieve the " + \ "local system id. %s" % str(local_system_id) return success, error_msg if system_id == 'local' or get_hex_string_from_uuid( local_system_id) == get_hex_string_from_uuid(system_id): error_msg = "You're trying to remove the local system, " + \ "which it's not allowed" return False, error_msg (success, system_ip) = get_system_ip_from_system_id(system_id) if not success: error_msg = "Cannot retrieve the system ip " + \ "for the given system-id %s" % (str(system_ip)) return success, error_msg # Check whether the remote system is reachable or not: try: remote_system_is_reachable = ping_system(system_id, no_cache=True) except APIException: remote_system_is_reachable = False # We need to take the sensor_id from the database before removing it from the db (success_f, sensor_id) = get_sensor_id_from_system_id(system_id) # 1 - Remove it from the database success, msg = db_remove_system(system_id) if not success: error_msg = "Cannot remove the system " + \ "from the database <%s>" % str(msg) return success, error_msg # 2 - Remove the firewall rules. if success_f: trigger_success, msg = fire_trigger(system_ip="127.0.0.1", trigger="alienvault-del-sensor") if not trigger_success: api_log.error(msg) else: trigger_success, msg = fire_trigger(system_ip="127.0.0.1", trigger="alienvault-del-server") if not trigger_success: api_log.error(msg) # 3 - Remove the remote certificates # success, msg = ansible_remove_certificates(system_ip) # if not success: # return (success, # "Error while removing the remote certificates: %s" % str(msg)) # 4 - Remove the local certificates and keys success, local_ip = get_system_ip_from_local() if not success: error_msg = "Cannot retrieve the local ip " + \ "<%s>" % str(local_ip) return success, error_msg #Remove remote system certificates on the local system success, msg = ansible_remove_certificates(system_ip=local_ip, system_id_to_remove=system_id) if not success: return success, "Cannot remove the local certificates <%s>" % str(msg) # 5 - Remove it from the ansible inventory. try: aim = AnsibleInventoryManager() aim.delete_host(system_ip) aim.save_inventory() del aim except Exception as aim_error: error_msg = "Cannot remove the system from the " + \ "ansible inventory file " + \ "<%s>" % str(aim_error) return False, error_msg # 6 - Try to connect to the child and remove the parent # using it's server_id success, own_server_id = get_server_id_from_local() if not success: error_msg = "Cannot retrieve the server-id " + \ "from local <%s>" % str(msg) return success, error_msg if remote_system_is_reachable: success, msg = ansible_delete_parent_server(system_ip, own_server_id) if not success: error_msg = "Cannot delete parent server in child <%s>" % str(msg) return success, error_msg return True, "" msg = "The remote system is not reachable. " + \ "We had not been able to remove the parent configuration" return True, msg
def add_system_from_ip(system_ip, password, add_to_database=True): """ Add a new system using system ip. """ (success, local_system_id) = get_system_id_from_local() if not success: error_msg = "Something wrong happened retrieving " + \ "the local system id" return success, error_msg (success, response) = ansible_add_system(local_system_id=local_system_id, remote_system_ip=system_ip, password=password) if not success: api_log.error(response) return success, response (success, system_info) = ansible_get_system_info(system_ip) if not success: api_log.error(system_info) return success, "Something wrong happened getting the system info" sensor_id = None if 'server' in system_info['profile']: # - Do not add the child server when I'm myself if system_info['server_id'] != local_system_id: success, msg = add_child_server(system_ip, system_info['server_id']) if not success: api_log.error(str(msg)) error_msg = "Something wrong happened setting the child server" return False, error_msg if 'sensor' in system_info['profile']: if 'server' in system_info['profile'] and system_info['sensor_id']: # sensor and sensor profiles come with its own sensor_id sensor_id = system_info['sensor_id'] else: # get sensor_id from ip sensor_ip = system_ip if system_info['vpn_ip']: sensor_ip = system_info['vpn_ip'] (success, sensor_id) = get_sensor_id_from_sensor_ip(sensor_ip) if not success: api_log.error(str(sensor_id)) sensor_id = None system_info['sensor_id'] = sensor_id if not system_info['admin_ip']: system_info['admin_ip'] = system_ip if system_info['admin_ip'] != system_ip: # We're natted system_info['admin_ip'] = system_ip if add_to_database: profile_str = ','.join(system_info['profile']) (success, msg) = db_add_system(system_id=system_info['system_id'], name=system_info['hostname'], admin_ip=system_info['admin_ip'], vpn_ip=system_info['vpn_ip'], profile=profile_str, server_id=system_info['server_id'], sensor_id=system_info['sensor_id']) if not success: api_log.error(msg) error_msg = "Something wrong happened inserting " + \ "the system into the database" return (False, error_msg) else: result, _ = get_system_ip_from_system_id(system_info['system_id']) if not result: error_msg = "System was not inserted, cannot continue" return (False, error_msg) # Now that the system is in the database, check if it is a server and # open the firewall, if it is required. if 'server' in system_info['profile']: trigger_success, msg = fire_trigger(system_ip="127.0.0.1", trigger="alienvault-add-server") if not trigger_success: api_log.error(msg) (success, msg) = create_directory_for_ossec_remote(system_info['system_id']) if not success: api_log.error(msg) return (False, msg) return (True, system_info)