예제 #1
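def dns_resolution(system_id):
    """
    Check the DNS name resolution from a system.

    A well-known hostname is resolved on the system behind *system_id*.
    When the system's update proxy is enabled (the 'update_update_proxy'
    value is anything but 'disabled') the configured proxy DNS name
    ('update_update_proxy_dns') is resolved instead, so the check follows
    the path that updates actually take.

    @param system_id  System identifier accepted by get_system_ip_from_system_id
    @return (True, data) with the resolver output on success, or
            (False, error_message) on the first failure
    """
    dns_lookup = 'data.alienvault.com'

    (success, system_ip) = get_system_ip_from_system_id(system_id)
    if not success:
        return (False, "Error translating system id to ip")

    (success, data) = get_av_config(system_ip, {'update_update_proxy': ''})
    if not success:
        return (False, "Error getting proxy configuration")

    if 'update_update_proxy' not in data:
        return (False, "Error getting proxy dns. 'update_proxy_key_not_found'")

    # Only the literal 'disabled' means "no proxy"; any other value enables it.
    # (The dead `using_proxy = False` pre-assignment was dropped.)
    using_proxy = data['update_update_proxy'] != 'disabled'
    if using_proxy:
        (success, data) = get_av_config(system_ip, {'update_update_proxy_dns': ''})
        if not success:
            return (False, "Error getting proxy dns")
        if 'update_update_proxy_dns' not in data:
            return (False, "Error getting proxy dns. 'update_update_proxy_dns not found'")
        # NOTE(review): the configured value is handed to the remote resolver
        # verbatim; an empty or malformed value is not rejected here.
        dns_lookup = data['update_update_proxy_dns']

    (success, data) = ansiblemethods.system.network.resolve_dns_name(system_ip, dns_lookup)
    if not success:
        return (False, "Error resolving DNS name")

    return (True, data)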
예제 #2
def get_system_config_general(system_id, no_cache=False):
    """
    Fetch the 'general' configuration values of a system.

    @param system_id  System identifier, translated to an IP with
                      get_system_ip_from_system_id
    @param no_cache   Accepted for interface compatibility; not read here
    @return (True, values_dict) on success, (False, error_message) otherwise

    The returned dict carries credentials ('general_mailserver_relay_passwd',
    'update_update_proxy_pass'); callers should avoid logging it wholesale.
    """
    general_keys = (
        'general_admin_dns',
        'general_admin_gateway',
        'general_admin_ip',
        'general_admin_netmask',
        'general_hostname',
        'general_interface',
        'general_mailserver_relay',
        'general_mailserver_relay_passwd',
        'general_mailserver_relay_port',
        'general_mailserver_relay_user',
        'general_ntp_server',
        'general_profile',
        'firewall_active',
        'update_update_proxy',
        'update_update_proxy_dns',
        'update_update_proxy_pass',
        'update_update_proxy_port',
        'update_update_proxy_user',
        'vpn_vpn_infraestructure',  # key spelled exactly as the config uses it
    )

    lookup = get_system_ip_from_system_id(system_id)
    success, system_ip = lookup
    if not success:
        # Hand the (False, message) pair back unchanged.
        return lookup

    success, config_values = get_av_config(system_ip, dict.fromkeys(general_keys, ''))
    if success:
        return (True, config_values)

    details = str(config_values)
    api_log.error("system: get_config_general error: " + details)
    return (False, "Cannot get general configuration info %s" % details)
예제 #3
def get_system_config_general(system_id, no_cache=False):
    """
    Return the 'general' section values of a system's configuration.

    @param system_id  System identifier resolved via get_system_ip_from_system_id
    @param no_cache   Present for interface compatibility; unused in this body
    @return (True, values_dict) when every step succeeds; otherwise the
            (False, message) pair from the failing step

    Two of the requested keys ('general_mailserver_relay_passwd',
    'update_update_proxy_pass') are credentials; treat the result as sensitive.
    """
    key_names = [
        "general_admin_dns",
        "general_admin_gateway",
        "general_admin_ip",
        "general_admin_netmask",
        "general_hostname",
        "general_interface",
        "general_mailserver_relay",
        "general_mailserver_relay_passwd",
        "general_mailserver_relay_port",
        "general_mailserver_relay_user",
        "general_ntp_server",
        "general_profile",
        "firewall_active",
        "update_update_proxy",
        "update_update_proxy_dns",
        "update_update_proxy_pass",
        "update_update_proxy_port",
        "update_update_proxy_user",
    ]
    requested = dict((name, "") for name in key_names)

    ret = get_system_ip_from_system_id(system_id)
    if not ret[0]:
        return ret
    system_ip = ret[1]

    success, config_values = get_av_config(system_ip, requested)
    if not success:
        api_log.error("system: get_config_general error: " + str(config_values))
        return (False, "Cannot get general configuration info %s" % str(config_values))

    return (True, config_values)
예제 #4
def get_system_config_alienvault(system_id, no_cache=False):
    """
    Fetch the AlienVault component configuration (framework, sensor, server
    and HA values) of a system.

    @param system_id  System identifier resolved via get_system_ip_from_system_id
    @param no_cache   Present for interface compatibility; not read here
    @return (True, values_dict) on success, (False, error_message) otherwise
    """
    success, system_ip = get_system_ip_from_system_id(system_id)
    if not success:
        # On failure the second element is the error message.
        return (False, system_ip)

    requested = dict.fromkeys((
        'framework_framework_ip',
        'sensor_detectors',
        'sensor_interfaces',
        'sensor_mservers',
        'sensor_netflow',
        'sensor_networks',
        'server_server_ip',
        'server_alienvault_ip_reputation',
        'ha_ha_virtual_ip',
        'ha_ha_role',
    ), '')

    success, config_values = get_av_config(system_ip, requested)
    if success:
        return (True, config_values)

    details = str(config_values)
    api_log.error("system: get_config_alienvault error: " + details)
    return (False, "Cannot get AlienVault configuration info %s" % details)
예제 #5
def get_system_config_alienvault(system_id, no_cache=False):
    """
    Read the AlienVault-specific configuration values of one system.

    @param system_id  System identifier resolved via get_system_ip_from_system_id
    @param no_cache   Kept for interface compatibility; unused here
    @return (True, values_dict) when the values could be read, otherwise
            (False, message) describing the failing step
    """
    wanted = [
        "framework_framework_ip",
        "sensor_detectors",
        "sensor_interfaces",
        "sensor_mservers",
        "sensor_netflow",
        "sensor_networks",
        "server_server_ip",
        "server_alienvault_ip_reputation",
        "ha_ha_virtual_ip",
        "ha_ha_role",
    ]

    resolved, system_ip = get_system_ip_from_system_id(system_id)
    if not resolved:
        return (False, system_ip)

    fetched, config_values = get_av_config(system_ip, dict([(name, "") for name in wanted]))
    if not fetched:
        api_log.error("system: get_config_alienvault error: " + str(config_values))
        return (False, "Cannot get AlienVault configuration info %s" % str(config_values))

    return (True, config_values)
예제 #6
def get_system_config_general(system_id, no_cache=False):
    """
    Read the 'general' configuration values of a system.

    @param system_id  System identifier resolved via get_system_ip_from_system_id
    @param no_cache   Kept for interface compatibility; not used in this body
    @return (True, values_dict) on success, otherwise the (False, message)
            pair produced by the failing step

    'general_mailserver_relay_passwd' and 'update_update_proxy_pass' are
    credentials, so the returned dict should not be logged wholesale.
    """
    ret = get_system_ip_from_system_id(system_id)
    if not ret[0]:
        return ret
    system_ip = ret[1]

    requested = {}
    for key_name in ('general_admin_dns',
                     'general_admin_gateway',
                     'general_admin_ip',
                     'general_admin_netmask',
                     'general_hostname',
                     'general_interface',
                     'general_mailserver_relay',
                     'general_mailserver_relay_passwd',
                     'general_mailserver_relay_port',
                     'general_mailserver_relay_user',
                     'general_ntp_server',
                     'general_profile',
                     'firewall_active',
                     'update_update_proxy',
                     'update_update_proxy_dns',
                     'update_update_proxy_pass',
                     'update_update_proxy_port',
                     'update_update_proxy_user'):
        requested[key_name] = ''

    success, config_values = get_av_config(system_ip, requested)
    if success:
        return (True, config_values)

    details = str(config_values)
    api_log.error("system: get_config_general error: " + details)
    return (False, "Cannot get general configuration info %s" % details)
예제 #7
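    def start(self):
        """
        Run the admin-DNS monitor over every known system.

        For each system the 'general_admin_dns' value is read from
        ossim_setup.conf and each comma-separated entry is classified with
        dns_is_external() (-2 = external, -1 = bad data, anything else is
        treated as internal).  A warning entry is stored when every entry
        counted as external, an "ok" entry otherwise; when the configuration
        cannot be read the error text is stored instead.

        @return False when the system list cannot be retrieved, True
                otherwise (a failed save_data is logged, not propagated)
        """
        self.remove_monitor_data()
        rc, system_list = get_systems()
        if not rc:
            logger.error("Can't retrieve systems..%s" % str(system_list))
            return False

        for (system_id, system_ip) in system_list:
            # Use ansible to get the DNS config.
            result, ansible_output = get_av_config(system_ip,
                                                   {'general_admin_dns': ''})
            logger.info("DNS returned from ossim_setup.conf %s" %
                        str(ansible_output))
            if result:
                dnslist = []
                if 'general_admin_dns' in ansible_output:
                    dnslist = ansible_output['general_admin_dns'].split(',')
                external_count = 0
                for ip in dnslist:
                    r = dns_is_external(ip)
                    if r == -2:
                        external_count += 1
                    elif r == -1:
                        logger.error(
                            "Bad data in admin_dns field of ossim_setup.conf: "
                            + str(ip))
                # NOTE: when the key is absent dnslist is empty and 0 == 0
                # still selects the warning; kept as the original behaviour.
                if external_count == len(dnslist):
                    message = {
                        'admin_dns': "Warning: All DNS configured are externals",
                        'internal_dns': False
                    }
                else:
                    message = {
                        'admin_dns': 'DNS ok. You have at least one internal DNS',
                        'internal_dns': True
                    }
            else:
                message = {
                    'admin_dns': 'Error: %s' % str(ansible_output),
                    'internal_dns': True
                }

            # Only the error branch used to check the save result; check it
            # on every path so a failed write is never silent.
            if not self.save_data(system_id, ComponentTypes.SYSTEM,
                                  self.get_json_message(message)):
                logger.error("Can't save monitor info")
        return True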
예제 #8
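def get_iface_list(system_ip):
    """Returns the interface list for a given ip

    Facts are gathered from the host with the 'av_setup' ansible module and
    each interface is tagged with a role:
      'admin'          - the 'general_interface' of the configuration
      'monitoring'     - listed in 'sensor_interfaces'
      'log_management' - active and carrying an IPv4 address
      'disabled'       - anything else ('lo' is always 'disabled')

    @param system_ip  Host to query
    @return (True, {iface: {'promisc': ..., 'role': ..., ['ipv4': ...]}}) or
            (False, error_message) when the host is unreachable or the
            configuration cannot be read
    """
    dresult = {}
    response = ansible.run_module([system_ip], "av_setup", "")

    if system_ip in response['dark']:
        return (False, "Error getting interfaces: " +
                response['dark'][system_ip]['msg'])

    # Get admin network information.
    data_to_retrieve = {'general_interface': '', 'sensor_interfaces': ''}
    success, av_config_response = get_av_config(system_ip, data_to_retrieve)
    if not success:
        return False, "Error trying to read administrative interface: %s" % str(
            av_config_response)

    admin_interface = av_config_response.get('general_interface', '')
    raw_sensor_ifaces = av_config_response.get('sensor_interfaces', '') or ''
    if isinstance(raw_sensor_ifaces, (list, tuple, set, frozenset)):
        sensor_interfaces = set(raw_sensor_ifaces)
    else:
        # Comma-separated string (the layout 'general_admin_dns' also uses).
        # A plain substring test let 'eth1' match inside 'eth10'; compare
        # whole names instead.
        sensor_interfaces = set(name.strip()
                                for name in raw_sensor_ifaces.split(',')
                                if name.strip())

    facts = response['contacted'][system_ip]['ansible_facts']
    # Check for the promisc flag
    for iface in facts['ansible_interfaces']:
        # This only works on Linux
        iface_data = facts['ansible_' + iface]
        entry = {'promisc': iface_data['promisc'], 'role': 'disabled'}
        if 'ipv4' in iface_data:
            entry['ipv4'] = copy.deepcopy(iface_data['ipv4'])

        if iface != 'lo':
            # Is this the admin interface?
            if iface == admin_interface:
                entry['role'] = 'admin'
            # Is this a monitoring interface?
            elif iface in sensor_interfaces:
                entry['role'] = 'monitoring'
            # Is this a log management interface?
            elif iface_data['active'] == True and 'ipv4' in iface_data:
                entry['role'] = 'log_management'
        dresult[iface] = entry

    return (True, dresult)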
예제 #9
def ansible_check_insecure_vpn(system_ip):
    """ Check if a VPN is insecure: Logjam vulnerability (CVE-2015-4000)

        The host counts as affected when it is the server of an enabled VPN
        and the 1024-bit DH parameter file
        /etc/openvpn/AVinfrastructure/keys/dh1024.pem is still present.

        @param system_ip    The system IP where we're going to check if the vulnerability is present
        @return True when the weak DH file is found on a serving VPN, False otherwise
        @raise APICannotRetrieveOssimSetup when the VPN configuration cannot be read
    """
    weak_dh_file = "/etc/openvpn/AVinfrastructure/keys/dh1024.pem"

    # First we get the VPN config.
    success, vpn_config = get_av_config(system_ip, {'vpn_config': ''})
    if not success:
        raise APICannotRetrieveOssimSetup(system_ip, str(vpn_config))

    for config in vpn_config['vpn_config'].values():
        # Only an enabled VPN where this host is the server matters.
        is_serving = config['enabled'] == 'yes' and config['role'] == 'server'
        # If the file is present then we are vulnerable.
        if is_serving and file_exist(system_ip, weak_dh_file):
            return True

    return False
예제 #10
def ansible_check_insecure_vpn(system_ip):
    """ Check if a VPN is insecure: Logjam vulnerability (CVE-2015-4000)

        Reads the VPN configuration and reports True as soon as one enabled
        VPN for which this host is the server still has the 1024-bit DH
        parameter file on disk.

        @param system_ip    The system IP where we're going to check if the vulnerability is present
        @return True when vulnerable, False otherwise
        @raise APICannotRetrieveOssimSetup when the configuration cannot be read
    """
    dh1024_path = "/etc/openvpn/AVinfrastructure/keys/dh1024.pem"

    # First we get the VPN config.
    fetched, vpn_config = get_av_config(system_ip, {'vpn_config': ''})
    if not fetched:
        raise APICannotRetrieveOssimSetup(system_ip, str(vpn_config))

    # any() stops at the first serving VPN whose weak DH file exists, which
    # mirrors the early return of a loop.
    return any(
        file_exist(system_ip, dh1024_path)
        for entry in vpn_config['vpn_config'].values()
        if entry['enabled'] == 'yes' and entry['role'] == 'server'
    )
예제 #11
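def get_iface_list(system_ip):
    """Returns the interface list for a given ip

    Gathers facts from the host with the "av_setup" ansible module and tags
    every interface with one role: "admin" (the configured
    "general_interface"), "monitoring" (listed in "sensor_interfaces"),
    "log_management" (active with an IPv4 address) or "disabled".

    @param system_ip  Host to query
    @return (True, {iface: {"promisc": ..., "role": ..., ["ipv4": ...]}}) or
            (False, error_message) when the host is unreachable or the
            configuration cannot be read
    """
    dresult = {}
    response = ansible.run_module([system_ip], "av_setup", "")

    if system_ip in response["dark"]:
        return (False, "Error getting interfaces: " + response["dark"][system_ip]["msg"])

    # Get admin network information.
    data_to_retrieve = {"general_interface": "", "sensor_interfaces": ""}
    success, av_config_response = get_av_config(system_ip, data_to_retrieve)
    if not success:
        return False, "Error trying to read administrative interface: %s" % str(av_config_response)

    admin_interface = av_config_response.get("general_interface", "")
    sensor_value = av_config_response.get("sensor_interfaces", "") or ""
    if isinstance(sensor_value, (list, tuple, set, frozenset)):
        sensor_interfaces = set(sensor_value)
    else:
        # The value is a comma-separated string; the previous substring test
        # ("eth1" in "eth10,eth2") mis-tagged interfaces, so match whole names.
        sensor_interfaces = set(
            name.strip() for name in sensor_value.split(",") if name.strip())

    facts = response["contacted"][system_ip]["ansible_facts"]
    # Check for the promisc flag
    for iface in facts["ansible_interfaces"]:
        # This only works on Linux
        iface_data = facts["ansible_" + iface]
        dresult[iface] = {"promisc": iface_data["promisc"], "role": "disabled"}
        if "ipv4" in iface_data:
            dresult[iface]["ipv4"] = copy.deepcopy(iface_data["ipv4"])

        if iface == "lo":
            continue
        # Is this the admin interface?
        if iface == admin_interface:
            dresult[iface]["role"] = "admin"
        # Is this a monitoring interface?
        elif iface in sensor_interfaces:
            dresult[iface]["role"] = "monitoring"
        # Is this a log management interface?
        elif iface_data["active"] == True and "ipv4" in iface_data:
            dresult[iface]["role"] = "log_management"

    return (True, dresult)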
예제 #12
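def get_iface_list(system_ip):
    """Returns the interface list for a given ip

    Runs the 'av_setup' ansible module against the host and classifies each
    reported interface: 'admin' for the configured 'general_interface',
    'monitoring' for names listed in 'sensor_interfaces', 'log_management'
    for an active interface with an IPv4 address, 'disabled' otherwise
    ('lo' is always 'disabled').

    @param system_ip  Host to query
    @return (True, {iface: {'promisc': ..., 'role': ..., ['ipv4': ...]}}) or
            (False, error_message) when the host is unreachable or the
            configuration cannot be read
    """
    response = ansible.run_module([system_ip], "av_setup", "")

    if system_ip in response['dark']:
        return (False, "Error getting interfaces: " + response['dark'][system_ip]['msg'])

    # Get admin network information.
    data_to_retrieve = {'general_interface': '', 'sensor_interfaces': ''}
    success, av_config_response = get_av_config(system_ip, data_to_retrieve)
    if not success:
        return False, "Error trying to read administrative interface: %s" % str(av_config_response)

    admin_interface = av_config_response.get('general_interface', '')
    configured = av_config_response.get('sensor_interfaces', '') or ''
    if isinstance(configured, (list, tuple, set, frozenset)):
        monitoring_ifaces = set(configured)
    else:
        # Comma-separated string; split so whole names are compared rather
        # than substrings ('eth1' must not match 'eth10').
        monitoring_ifaces = set(
            name.strip() for name in configured.split(',') if name.strip())

    facts = response['contacted'][system_ip]['ansible_facts']
    dresult = {}
    # Check for the promisc flag
    for iface in facts['ansible_interfaces']:
        # This only works on Linux
        iface_data = facts['ansible_' + iface]
        entry = {'promisc': iface_data['promisc'], 'role': 'disabled'}
        if 'ipv4' in iface_data:
            entry['ipv4'] = copy.deepcopy(iface_data['ipv4'])

        if iface != 'lo':
            # Is this the admin interface?
            if iface == admin_interface:
                entry['role'] = 'admin'
            # Is this a monitoring interface?
            elif iface in monitoring_ifaces:
                entry['role'] = 'monitoring'
            # Is this a log management interface?
            elif iface_data['active'] == True and 'ipv4' in iface_data:
                entry['role'] = 'log_management'
        dresult[iface] = entry

    return (True, dresult)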
예제 #13
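def backup_configuration_for_system_id(system_id='local', method="auto"):
    """ Task to run configuration backup for system

    @param system_id  System to back up ('local' by default)
    @param method     Backup method, passed through to make_system_backup
    @return (success, msg) from make_system_backup, or the bare value False
            when system_id cannot be translated to an IP (the failure shape
            is kept as-is; presumably callers test the result's truthiness)
    """
    result, system_ip = get_system_ip_from_system_id(system_id)
    if not result:
        return False

    # If system_id is remote sensor - we need to get server IP to fetch correct backup password.
    server_ip = system_ip
    if not is_local(system_id):
        conf_key = 'server_server_ip'
        fetched, data = get_av_config(system_ip, {conf_key: True})
        # The success flag was ignored before; on failure get_av_config hands
        # back an error description rather than a dict (see the
        # str(config_values) logging in sibling functions) and .get() would
        # raise.  Fall back to the sensor's own IP in that case.
        if fetched and isinstance(data, dict):
            server_ip = data.get(conf_key, system_ip)

    success, msg = make_system_backup(system_id=system_id,
                                      backup_type='configuration',
                                      rotate=False,
                                      retry=False,
                                      method=method,
                                      backup_pass=ansible_get_backup_config_pass(server_ip))

    return success, msg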
예제 #14
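    def start(self):
        """
        Run the admin-DNS monitor for every known system.

        Reads 'general_admin_dns' from each system's ossim_setup.conf, splits
        it on commas and classifies every entry with dns_is_external()
        (-2 = external, -1 = bad data, other values count as internal).  A
        warning record is saved when all entries are external, an "ok" record
        otherwise; if the configuration cannot be read the error text is saved.

        @return False when the system list cannot be retrieved, True otherwise
                (a failed save_data is logged and does not stop the loop)
        """
        self.remove_monitor_data()
        rc, system_list = get_systems()
        if not rc:
            logger.error("Can't retrieve systems..%s" % str(system_list))
            return False

        for (system_id, system_ip) in system_list:
            # Use ansible to get the DNS config.
            result, ansible_output = get_av_config(system_ip, {'general_admin_dns': ''})
            logger.info("DNS returned from ossim_setup.conf %s" % str(ansible_output))
            if not result:
                payload = {'admin_dns': 'Error: %s' % str(ansible_output),
                           'internal_dns': True}
            else:
                dnslist = []
                if 'general_admin_dns' in ansible_output:
                    dnslist = ansible_output['general_admin_dns'].split(',')
                externals = 0
                for ip in dnslist:
                    r = dns_is_external(ip)
                    if r == -2:
                        externals += 1
                    elif r == -1:
                        logger.error("Bad data in admin_dns field of ossim_setup.conf: " + str(ip))
                # NOTE: an absent key gives an empty dnslist, and 0 == 0 still
                # selects the warning; this matches the previous behaviour.
                if externals == len(dnslist):
                    payload = {'admin_dns': "Warning: All DNS configured are externals",
                               'internal_dns': False}
                else:
                    payload = {'admin_dns': 'DNS ok. You have at least one internal DNS',
                               'internal_dns': True}

            # Previously only the error branch checked save_data's result;
            # a failed write on the success path went unnoticed.
            if not self.save_data(system_id, ComponentTypes.SYSTEM,
                                  self.get_json_message(payload)):
                logger.error("Can't save monitor info")
        return True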
예제 #15
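def backup_configuration_for_system_id(system_id='local', method="auto"):
    """ Task to run configuration backup for system

    @param system_id  System to back up ('local' by default)
    @param method     Backup method handed to make_system_backup unchanged
    @return (success, msg) from make_system_backup; the bare value False when
            system_id cannot be resolved to an IP (kept for compatibility with
            callers that presumably test truthiness)
    """
    result, system_ip = get_system_ip_from_system_id(system_id)
    if not result:
        return False

    # If system_id is remote sensor - we need to get server IP to fetch correct backup password.
    server_ip = system_ip
    if not is_local(system_id):
        conf_key = 'server_server_ip'
        ok, data = get_av_config(system_ip, {conf_key: True})
        # Only index the answer when the lookup succeeded: on failure the
        # second element is an error description, not a dict, and .get()
        # would raise.  The sensor's own IP remains the fallback.
        if ok and isinstance(data, dict):
            server_ip = data.get(conf_key, system_ip)

    success, msg = make_system_backup(
        system_id=system_id,
        backup_type='configuration',
        rotate=False,
        retry=False,
        method=method,
        backup_pass=ansible_get_backup_config_pass(server_ip))

    return success, msg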
예제 #16
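def get_system_sensor_configuration(system_id):
    """
    Fetch the sensor section of a system's configuration.

    @param system_id  System identifier resolved via get_system_ip_from_system_id
    @return (True, values_dict) on success, (False, error_message) otherwise
    """
    (success, system_ip) = get_system_ip_from_system_id(system_id)
    if not success:
        # system_ip carries the error message on failure.
        return (False, system_ip)

    (success, config_values) = get_av_config(
        system_ip,
        {
            "sensor_asec": "",
            "sensor_detectors": "",
            "sensor_interfaces": "",
            "sensor_mservers": "",
            "sensor_netflow": "",
            "sensor_networks": "",
            "sensor_monitors": "",
        },
    )

    if not success:
        # The messages were copy-pasted from get_system_config_alienvault and
        # named the wrong function; they now identify this lookup.
        api_log.error("system: get_system_sensor_configuration error: " + str(config_values))
        return (False, "Cannot get sensor configuration info %s" % str(config_values))

    return (True, config_values)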
예제 #17
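def get_system_sensor_configuration(system_id):
    """
    Read the sensor-related configuration values of a system.

    @param system_id  System identifier resolved via get_system_ip_from_system_id
    @return (True, values_dict) when the values could be read, otherwise
            (False, message) from the failing step
    """
    (success, system_ip) = get_system_ip_from_system_id(system_id)
    if not success:
        # On failure the second element is the error message.
        return (False, system_ip)

    (success, config_values) = get_av_config(
        system_ip, {
            'sensor_asec': '',
            'sensor_detectors': '',
            'sensor_interfaces': '',
            'sensor_mservers': '',
            'sensor_netflow': '',
            'sensor_networks': '',
            'sensor_monitors': '',
        })

    if not success:
        # Log and error text previously pointed at get_config_alienvault
        # (copy-paste); they now name this function so failures are
        # attributable.
        api_log.error("system: get_system_sensor_configuration error: " +
                      str(config_values))
        return (False, "Cannot get sensor configuration info %s" %
                str(config_values))

    return (True, config_values)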