def dns_resolution(system_id):
    """Check DNS name resolution from the given system.

    Resolves ``data.alienvault.com`` on the target system, or the
    configured proxy DNS name when the update proxy is not ``disabled``.

    :param system_id: id of the system to run the check on
    :return: ``(True, data)`` with the resolver output, otherwise
             ``(False, error_message)``
    """
    ok, target_ip = get_system_ip_from_system_id(system_id)
    if not ok:
        return (False, "Error translating system id to ip")

    ok, cfg = get_av_config(target_ip, {'update_update_proxy': ''})
    if not ok:
        return (False, "Error getting proxy configuration")
    if 'update_update_proxy' not in cfg:
        return (False, "Error getting proxy dns. 'update_proxy_key_not_found'")

    # Default name to resolve; swapped for the proxy DNS name when a proxy is in use.
    name_to_resolve = 'data.alienvault.com'
    if cfg['update_update_proxy'] != 'disabled':
        ok, cfg = get_av_config(target_ip, {'update_update_proxy_dns': ''})
        if not ok:
            return (False, "Error getting proxy dns")
        if 'update_update_proxy_dns' not in cfg:
            return (False, "Error getting proxy dns. 'update_update_proxy_dns not found'")
        name_to_resolve = cfg['update_update_proxy_dns']

    ok, result = ansiblemethods.system.network.resolve_dns_name(target_ip, name_to_resolve)
    if not ok:
        return (False, "Error resolving DNS name")
    return (True, result)
def get_system_config_general(system_id, no_cache=False):
    """Return the "general" configuration values of a system.

    :param system_id: id of the system to query
    :param no_cache: accepted for interface compatibility; not read here
    :return: ``(True, config_values)`` or ``(False, error_message)``; when the
             id cannot be translated, the tuple returned by
             ``get_system_ip_from_system_id`` is passed through unchanged
    """
    lookup = get_system_ip_from_system_id(system_id)
    ok, system_ip = lookup
    if not ok:
        return lookup

    # NOTE: the returned dict carries fields that look like credentials
    # (general_mailserver_relay_passwd, update_update_proxy_pass); callers that
    # expose it through the API or write it to logs should redact them.
    wanted = dict.fromkeys((
        'general_admin_dns',
        'general_admin_gateway',
        'general_admin_ip',
        'general_admin_netmask',
        'general_hostname',
        'general_interface',
        'general_mailserver_relay',
        'general_mailserver_relay_passwd',
        'general_mailserver_relay_port',
        'general_mailserver_relay_user',
        'general_ntp_server',
        'general_profile',
        'firewall_active',
        'update_update_proxy',
        'update_update_proxy_dns',
        'update_update_proxy_pass',
        'update_update_proxy_port',
        'update_update_proxy_user',
        'vpn_vpn_infraestructure',
    ), '')
    ok, config_values = get_av_config(system_ip, wanted)
    if not ok:
        api_log.error("system: get_config_general error: " + str(config_values))
        return (False, "Cannot get general configuration info %s" % str(config_values))
    return (True, config_values)
def get_system_config_general(system_id, no_cache=False):
    """Fetch the "general" section of a system's configuration.

    :param system_id: id of the system to query
    :param no_cache: kept for interface compatibility; unused in this body
    :return: ``(True, config_values)`` on success; ``(False, error_message)``
             when the config cannot be read; on an id lookup failure the
             result of ``get_system_ip_from_system_id`` is returned as-is
    """
    lookup = get_system_ip_from_system_id(system_id)
    ok, system_ip = lookup
    if not ok:
        return lookup

    general_keys = [
        "general_admin_dns",
        "general_admin_gateway",
        "general_admin_ip",
        "general_admin_netmask",
        "general_hostname",
        "general_interface",
        "general_mailserver_relay",
        "general_mailserver_relay_passwd",
        "general_mailserver_relay_port",
        "general_mailserver_relay_user",
        "general_ntp_server",
        "general_profile",
        "firewall_active",
        "update_update_proxy",
        "update_update_proxy_dns",
        "update_update_proxy_pass",
        "update_update_proxy_port",
        "update_update_proxy_user",
    ]
    # The relay and proxy password fields are part of the result: redact
    # before exposing this dict outside the backend (API responses, logs).
    ok, config_values = get_av_config(system_ip, {key: "" for key in general_keys})
    if ok:
        return (True, config_values)
    api_log.error("system: get_config_general error: " + str(config_values))
    return (False, "Cannot get general configuration info %s" % str(config_values))
def get_system_config_alienvault(system_id, no_cache=False):
    """Return the AlienVault-specific (framework/sensor/server/HA) config values of a system.

    :param system_id: id of the system to query
    :param no_cache: accepted for interface compatibility; not read here
    :return: ``(True, config_values)`` or ``(False, error_message)``; when the
             id cannot be translated the second element is the lookup error
    """
    ok, system_ip = get_system_ip_from_system_id(system_id)
    if not ok:
        # On failure the second element already holds the error text.
        return (False, system_ip)

    av_keys = (
        'framework_framework_ip',
        'sensor_detectors',
        'sensor_interfaces',
        'sensor_mservers',
        'sensor_netflow',
        'sensor_networks',
        'server_server_ip',
        'server_alienvault_ip_reputation',
        'ha_ha_virtual_ip',
        'ha_ha_role',
    )
    ok, config_values = get_av_config(system_ip, dict.fromkeys(av_keys, ''))
    if ok:
        return (True, config_values)
    api_log.error("system: get_config_alienvault error: " + str(config_values))
    return (False, "Cannot get AlienVault configuration info %s" % str(config_values))
def get_system_config_alienvault(system_id, no_cache=False):
    """Read the AlienVault configuration keys (framework, sensor, server, HA) of a system.

    :param system_id: id of the system to query
    :param no_cache: kept for interface compatibility; unused here
    :return: ``(True, config_values)`` on success, ``(False, error_message)``
             otherwise (the id lookup error is passed through on failure)
    """
    lookup_ok, system_ip = get_system_ip_from_system_id(system_id)
    if not lookup_ok:
        return (False, system_ip)

    requested = {
        key: ""
        for key in [
            "framework_framework_ip",
            "sensor_detectors",
            "sensor_interfaces",
            "sensor_mservers",
            "sensor_netflow",
            "sensor_networks",
            "server_server_ip",
            "server_alienvault_ip_reputation",
            "ha_ha_virtual_ip",
            "ha_ha_role",
        ]
    }
    read_ok, config_values = get_av_config(system_ip, requested)
    if not read_ok:
        api_log.error("system: get_config_alienvault error: " + str(config_values))
        return (False, "Cannot get AlienVault configuration info %s" % str(config_values))
    return (True, config_values)
def get_system_config_general(system_id, no_cache=False):
    """Return the "general" configuration values of a system.

    :param system_id: id of the system to query
    :param no_cache: accepted for interface compatibility; not used by this body
    :return: ``(True, config_values)`` or ``(False, error_message)``; an id
             lookup failure returns the ``get_system_ip_from_system_id`` tuple
             unchanged
    """
    lookup = get_system_ip_from_system_id(system_id)
    ok, system_ip = lookup
    if not ok:
        return lookup

    # Credential-looking fields (general_mailserver_relay_passwd,
    # update_update_proxy_pass) are part of the result; redact them before
    # returning this dict to API clients or writing it to logs.
    keys = [
        'general_admin_dns',
        'general_admin_gateway',
        'general_admin_ip',
        'general_admin_netmask',
        'general_hostname',
        'general_interface',
        'general_mailserver_relay',
        'general_mailserver_relay_passwd',
        'general_mailserver_relay_port',
        'general_mailserver_relay_user',
        'general_ntp_server',
        'general_profile',
        'firewall_active',
        'update_update_proxy',
        'update_update_proxy_dns',
        'update_update_proxy_pass',
        'update_update_proxy_port',
        'update_update_proxy_user',
    ]
    ok, config_values = get_av_config(system_ip, {k: '' for k in keys})
    if not ok:
        api_log.error("system: get_config_general error: " + str(config_values))
        return (False, "Cannot get general configuration info %s" % str(config_values))
    return (True, config_values)
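def start(self):
    """Check the admin DNS servers configured on every system and store the verdict.

    For each system returned by ``get_systems`` the ``general_admin_dns``
    value is read from ossim_setup.conf, split on commas and each entry is
    classified with ``dns_is_external``. Entries reported as ``-2`` are
    counted as external (per the warning text stored below); ``-1`` is
    logged as bad data. A warning is stored when no entry counted as
    internal, and an error entry is stored when the config cannot be read.

    :return: False when the system list cannot be retrieved, True otherwise
    """
    self.remove_monitor_data()
    rc, system_list = get_systems()
    if not rc:
        logger.error("Can't retrieve systems..%s" % str(system_list))
        return False

    for (system_id, system_ip) in system_list:
        # Use ansible to get the DNS config.
        result, ansible_output = get_av_config(system_ip, {'general_admin_dns': ''})
        logger.info("DNS returned from ossim_setup.conf %s" % str(ansible_output))
        if result:
            dnslist = []
            if 'general_admin_dns' in ansible_output:
                dnslist = ansible_output['general_admin_dns'].split(',')
            external = 0
            for ip in dnslist:
                r = dns_is_external(ip)
                if r == -2:
                    external += 1
                elif r == -1:
                    logger.error("Bad data in admin_dns field of ossim_setup.conf: " + str(ip))
            # An empty list also lands here (0 == 0): no internal DNS is configured.
            if external == len(dnslist):
                payload = {'admin_dns': "Warning: All DNS configured are externals",
                           'internal_dns': False}
            else:
                payload = {'admin_dns': 'DNS ok. You have at least one internal DNS',
                           'internal_dns': True}
        else:
            payload = {'admin_dns': 'Error: %s' % str(ansible_output),
                       'internal_dns': True}
        # Previously only the error branch checked the save result; a failed
        # save is worth logging on every path so a silent gap in monitor data is visible.
        if not self.save_data(system_id, ComponentTypes.SYSTEM, self.get_json_message(payload)):
            logger.error("Can't save monitor info")
    return True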
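def get_iface_list(system_ip):
    """Return the network interfaces of a system together with their role.

    Interface facts are gathered through the ``av_setup`` ansible module;
    each entry carries its promiscuous flag, its ipv4 facts when present,
    and a role of 'admin', 'monitoring', 'log_management' or 'disabled'
    derived from the general_interface / sensor_interfaces configuration.

    :param system_ip: IP of the system to inspect
    :return: ``(True, {iface: info})`` or ``(False, error_message)``
    """
    response = ansible.run_module([system_ip], "av_setup", "")
    if system_ip in response['dark']:
        return (False, "Error getting interfaces: " + response['dark'][system_ip]['msg'])

    # Get admin network information.
    data_to_retrieve = {'general_interface': '', 'sensor_interfaces': ''}
    success, av_config_response = get_av_config(system_ip, data_to_retrieve)
    if not success:
        return False, "Error trying to read administrative interface: %s" % str(av_config_response)
    admin_interface = av_config_response.get('general_interface', '')
    # NOTE(review): if sensor_interfaces is a comma-separated string, the
    # `iface in sensor_interfaces` test below is a substring match
    # ('eth1' would match 'eth10') -- confirm the value's shape.
    sensor_interfaces = av_config_response.get('sensor_interfaces', '')

    facts = response['contacted'][system_ip]['ansible_facts']
    dresult = {}
    # Check for the promisc flag
    for iface in facts['ansible_interfaces']:
        # This only works on Linux
        iface_data = facts['ansible_' + iface]
        dresult[iface] = {'promisc': iface_data['promisc']}
        # `in` instead of dict.has_key(): same check, valid on Python 2 and 3.
        if 'ipv4' in iface_data:
            dresult[iface]['ipv4'] = copy.deepcopy(iface_data['ipv4'])
        dresult[iface]['role'] = 'disabled'
        if iface != 'lo':
            # Is this the admin interface?
            if iface == admin_interface:
                dresult[iface]['role'] = 'admin'
            # Is this a monitoring interface?
            elif iface in sensor_interfaces:
                dresult[iface]['role'] = 'monitoring'
            # Is this a log management interface?
            elif iface_data['active'] == True and 'ipv4' in iface_data:
                dresult[iface]['role'] = 'log_management'
    return (True, dresult)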
def ansible_check_insecure_vpn(system_ip):
    """Check whether the system's VPN server is affected by Logjam (CVE-2015-4000).

    The VPN configuration is read from the system; for every VPN that is
    enabled and where this system acts as server, the presence of the
    1024-bit DH parameter file ``/etc/openvpn/AVinfrastructure/keys/dh1024.pem``
    marks the VPN as vulnerable.

    @param system_ip The system IP where we're going to check if the vulnerability is present
    @return True when a vulnerable server-side VPN is found, False otherwise
    @raise APICannotRetrieveOssimSetup when the VPN configuration cannot be read
    """
    weak_dh_file = "/etc/openvpn/AVinfrastructure/keys/dh1024.pem"
    success, vpn_config = get_av_config(system_ip, {'vpn_config': ''})
    if not success:
        raise APICannotRetrieveOssimSetup(system_ip, str(vpn_config))
    for config in vpn_config['vpn_config'].values():
        # Only an enabled VPN where we are the server matters here.
        if config['enabled'] != 'yes' or config['role'] != 'server':
            continue
        # The 1024-bit DH parameter file being present means we are vulnerable.
        if file_exist(system_ip, weak_dh_file):
            return True
    return False
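def get_iface_list(system_ip):
    """Return the interfaces of a system, each with promisc flag, ipv4 facts and role.

    Facts come from the ``av_setup`` ansible module; the role is one of
    'admin', 'monitoring', 'log_management' or 'disabled', chosen from the
    general_interface / sensor_interfaces configuration values.

    :param system_ip: IP of the system to inspect
    :return: ``(True, {iface: info})`` or ``(False, error_message)``
    """
    response = ansible.run_module([system_ip], "av_setup", "")
    if system_ip in response["dark"]:
        return (False, "Error getting interfaces: " + response["dark"][system_ip]["msg"])

    # Get admin network information.
    data_to_retrieve = {"general_interface": "", "sensor_interfaces": ""}
    success, av_config_response = get_av_config(system_ip, data_to_retrieve)
    if not success:
        return False, "Error trying to read administrative interface: %s" % str(av_config_response)
    admin_interface = av_config_response.get("general_interface", "")
    # NOTE(review): should sensor_interfaces be a comma-separated string, the
    # membership test below is a substring match ('eth1' in 'eth10') -- confirm.
    sensor_interfaces = av_config_response.get("sensor_interfaces", "")

    facts = response["contacted"][system_ip]["ansible_facts"]
    dresult = {}
    # Check for the promisc flag
    for iface in facts["ansible_interfaces"]:
        # This only works on Linux
        iface_data = facts["ansible_" + iface]
        dresult[iface] = {"promisc": iface_data["promisc"]}
        # dict.has_key() replaced by `in`: identical check, works on Python 2 and 3.
        if "ipv4" in iface_data:
            dresult[iface]["ipv4"] = copy.deepcopy(iface_data["ipv4"])
        dresult[iface]["role"] = "disabled"
        if iface != "lo":
            # Is this the admin interface?
            if iface == admin_interface:
                dresult[iface]["role"] = "admin"
            # Is this a monitoring interface?
            elif iface in sensor_interfaces:
                dresult[iface]["role"] = "monitoring"
            # Is this a log management interface?
            elif iface_data["active"] == True and "ipv4" in iface_data:
                dresult[iface]["role"] = "log_management"
    return (True, dresult)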
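def get_iface_list(system_ip):
    """Return the interface list for a given ip, with role classification.

    Interface facts are collected via the ``av_setup`` ansible module. Every
    entry holds the promisc flag, a deep copy of the ipv4 facts when present,
    and a role ('admin', 'monitoring', 'log_management' or 'disabled') based
    on the general_interface / sensor_interfaces configuration.

    :param system_ip: IP of the system to inspect
    :return: ``(True, {iface: info})`` or ``(False, error_message)``
    """
    response = ansible.run_module([system_ip], "av_setup", "")
    if system_ip in response['dark']:
        return (False, "Error getting interfaces: " + response['dark'][system_ip]['msg'])

    # Get admin network information.
    data_to_retrieve = {'general_interface': '', 'sensor_interfaces': ''}
    success, av_config_response = get_av_config(system_ip, data_to_retrieve)
    if not success:
        return False, "Error trying to read administrative interface: %s" % str(av_config_response)
    admin_interface = av_config_response.get('general_interface', '')
    # NOTE(review): `iface in sensor_interfaces` is a substring test if this is
    # a comma-separated string ('eth1' matches 'eth10') -- confirm the format.
    sensor_interfaces = av_config_response.get('sensor_interfaces', '')

    facts = response['contacted'][system_ip]['ansible_facts']
    dresult = {}
    # Check for the promisc flag
    for iface in facts['ansible_interfaces']:
        # This only works on Linux
        iface_data = facts['ansible_' + iface]
        dresult[iface] = {'promisc': iface_data['promisc']}
        # `in` replaces dict.has_key(), which does not exist on Python 3.
        if 'ipv4' in iface_data:
            dresult[iface]['ipv4'] = copy.deepcopy(iface_data['ipv4'])
        dresult[iface]['role'] = 'disabled'
        if iface != 'lo':
            # Is this the admin interface?
            if iface == admin_interface:
                dresult[iface]['role'] = 'admin'
            # Is this a monitoring interface?
            elif iface in sensor_interfaces:
                dresult[iface]['role'] = 'monitoring'
            # Is this a log management interface?
            elif iface_data['active'] == True and 'ipv4' in iface_data:
                dresult[iface]['role'] = 'log_management'
    return (True, dresult)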
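def backup_configuration_for_system_id(system_id='local', method="auto"):
    """Task to run configuration backup for system.

    :param system_id: id of the system to back up ('local' for this host)
    :param method: backup method passed through to ``make_system_backup``
    :return: the ``(success, msg)`` pair from ``make_system_backup``, or a
             bare ``False`` when the system id cannot be translated to an IP
             (the bare value is kept so existing callers keep working)
    """
    result, system_ip = get_system_ip_from_system_id(system_id)
    if not result:
        return False

    # If system_id is remote sensor - we need to get server IP to fetch correct backup password.
    server_ip = system_ip
    if not is_local(system_id):
        conf_key = 'server_server_ip'
        ok, data = get_av_config(system_ip, {conf_key: True})
        # The status was previously ignored; on failure the payload is not
        # guaranteed to be a dict, so `.get()` could raise. Keep the system's
        # own IP unless a non-empty server IP was actually read.
        if ok and isinstance(data, dict):
            server_ip = data.get(conf_key) or system_ip

    # backup_pass is a credential: hand it through, never log it.
    success, msg = make_system_backup(system_id=system_id,
                                      backup_type='configuration',
                                      rotate=False,
                                      retry=False,
                                      method=method,
                                      backup_pass=ansible_get_backup_config_pass(server_ip))
    return success, msg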
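def start(self):
    """Classify each system's configured admin DNS servers and store the verdict.

    For every system from ``get_systems`` the ``general_admin_dns`` value is
    read from ossim_setup.conf and split on commas; ``dns_is_external`` is
    applied to each entry. Entries returning ``-2`` are counted as external
    (as the stored warning text indicates) and ``-1`` is logged as bad data.
    A warning is stored when no entry counted as internal; an error entry is
    stored when the configuration could not be read.

    :return: False when the system list cannot be retrieved, True otherwise
    """
    self.remove_monitor_data()
    rc, system_list = get_systems()
    if not rc:
        logger.error("Can't retrieve systems..%s" % str(system_list))
        return False

    for (system_id, system_ip) in system_list:
        # Use ansible to get the DNS config.
        result, ansible_output = get_av_config(system_ip, {'general_admin_dns': ''})
        logger.info("DNS returned from ossim_setup.conf %s" % str(ansible_output))
        if result:
            dnslist = []
            if 'general_admin_dns' in ansible_output:
                dnslist = ansible_output['general_admin_dns'].split(',')
            external = 0
            for ip in dnslist:
                r = dns_is_external(ip)
                if r == -2:
                    external += 1
                elif r == -1:
                    logger.error("Bad data in admin_dns field of ossim_setup.conf: " + str(ip))
            # An empty list also satisfies this (0 == 0): nothing internal is configured.
            if external == len(dnslist):
                payload = {'admin_dns': "Warning: All DNS configured are externals",
                           'internal_dns': False}
            else:
                payload = {'admin_dns': 'DNS ok. You have at least one internal DNS',
                           'internal_dns': True}
        else:
            payload = {'admin_dns': 'Error: %s' % str(ansible_output),
                       'internal_dns': True}
        # The save result used to be checked only on the error path; log a
        # failed save on every path so missing monitor data is not silent.
        if not self.save_data(system_id, ComponentTypes.SYSTEM, self.get_json_message(payload)):
            logger.error("Can't save monitor info")
    return True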
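def backup_configuration_for_system_id(system_id='local', method="auto"):
    """Task to run configuration backup for system.

    :param system_id: id of the system to back up ('local' for this host)
    :param method: backup method forwarded to ``make_system_backup``
    :return: ``(success, msg)`` from ``make_system_backup``; a bare ``False``
             when the system id cannot be translated to an IP (kept as-is for
             compatibility with existing callers)
    """
    result, system_ip = get_system_ip_from_system_id(system_id)
    if not result:
        return False

    # If system_id is remote sensor - we need to get server IP to fetch correct backup password.
    server_ip = system_ip
    if not is_local(system_id):
        conf_key = 'server_server_ip'
        ok, data = get_av_config(system_ip, {conf_key: True})
        # The status was ignored before; on failure the payload need not be a
        # dict and `.get()` could raise. Only use a non-empty server IP that
        # was actually read, otherwise keep the system's own IP.
        if ok and isinstance(data, dict):
            server_ip = data.get(conf_key) or system_ip

    # backup_pass is a credential: pass it through only, do not log it.
    success, msg = make_system_backup(
        system_id=system_id,
        backup_type='configuration',
        rotate=False,
        retry=False,
        method=method,
        backup_pass=ansible_get_backup_config_pass(server_ip))
    return success, msg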
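def get_system_sensor_configuration(system_id):
    """Return the sensor ("sensor_*") configuration values of a system.

    :param system_id: id of the system to query
    :return: ``(True, config_values)`` or ``(False, error_message)``; when the
             id cannot be translated the second element is the lookup error
    """
    success, system_ip = get_system_ip_from_system_id(system_id)
    if not success:
        return (False, system_ip)

    sensor_keys = (
        "sensor_asec",
        "sensor_detectors",
        "sensor_interfaces",
        "sensor_mservers",
        "sensor_netflow",
        "sensor_networks",
        "sensor_monitors",
    )
    success, config_values = get_av_config(system_ip, dict.fromkeys(sensor_keys, ""))
    if not success:
        # The log label used to say get_config_alienvault (copied from the
        # alienvault getter), which misdirects anyone triaging this error.
        api_log.error("system: get_system_sensor_configuration error: " + str(config_values))
        return (False, "Cannot get AlienVault configuration info %s" % str(config_values))
    return (True, config_values)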
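def get_system_sensor_configuration(system_id):
    """Read the sensor configuration keys (sensor_*) of a system.

    :param system_id: id of the system to query
    :return: ``(True, config_values)`` on success, otherwise
             ``(False, error_message)`` (the id lookup error is passed through)
    """
    success, system_ip = get_system_ip_from_system_id(system_id)
    if not success:
        return (False, system_ip)

    requested = {
        key: ''
        for key in [
            'sensor_asec',
            'sensor_detectors',
            'sensor_interfaces',
            'sensor_mservers',
            'sensor_netflow',
            'sensor_networks',
            'sensor_monitors',
        ]
    }
    success, config_values = get_av_config(system_ip, requested)
    if not success:
        # Log under this function's own name; the previous label
        # (get_config_alienvault) was copied from another getter.
        api_log.error("system: get_system_sensor_configuration error: " + str(config_values))
        return (False, "Cannot get AlienVault configuration info %s" % str(config_values))
    return (True, config_values)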