async def send(self, msg_bytes, header_format=None):
"""Add a header to the message and sends it to the socket. Returns that message.
Parameters
----------
msg_bytes : byte
A set of bytes to be send.
header_format : str, optional
Format of the header to be packed in the message.
Raises
------
WazuhException(1105)
If the `msg_bytes` type is not bytes.
WazuhException(1014)
If the message length was 0.
"""
if not isinstance(msg_bytes, bytes):
raise WazuhException(1105, "Type must be bytes")
msg_length = len(msg_bytes)
data = pack(header_format,
msg_length) + msg_bytes if header_format else msg_bytes
self.transport.write(data)
if self.is_connection_lost():
await self.close()
raise WazuhException(1014, "Socket connection was closed")
if msg_length == 0:
raise WazuhException(1014, "Number of sent bytes is 0")
return data
def test_wazuh_exception__or__():
"""Check that WazuhException's | operator performs the join of dapi errors properly."""
excp1 = WazuhException(1308)
excp1._dapi_errors = {'test1': 'test error'}
excp2 = WazuhException(1308)
excp2._dapi_errors = {'test2': 'test error'}
excp3 = excp2 | excp1
assert excp3._dapi_errors == {'test1': 'test error', 'test2': 'test error'}
def send(self, msg_bytes, header_format="<I"):
if not isinstance(msg_bytes, bytes):
raise WazuhException(1105, "Type must be bytes")
try:
sent = self.s.send(pack(header_format, len(msg_bytes)) + msg_bytes)
if sent == 0:
raise WazuhException(1014, "Number of sent bytes is 0")
return sent
except Exception as e:
raise WazuhException(1014, str(e))
def _add_limit_to_query(self):
if self.limit:
if self.limit > database_limit:
raise WazuhException(1405, str(self.limit))
# We add offset and limit only to the inner SELECT (subquery)
self.query += ' LIMIT :inner_limit OFFSET :inner_offset'
self.request['inner_offset'] = self.offset
self.request['inner_limit'] = self.limit
self.request['offset'] = 0
self.request['limit'] = 0
elif self.limit == 0: # 0 is not a valid limit
raise WazuhException(1406)
def receive(self, header_format="<I", header_size=4):
try:
size = unpack(header_format, self.s.recv(header_size, socket.MSG_WAITALL))[0]
return self.s.recv(size, socket.MSG_WAITALL)
except Exception as e:
raise WazuhException(1014, str(e))
async def test_WorkerHandler_sync_integrity():
worker_handler = get_worker_handler()
worker_handler.cluster_items = {
'intervals': {
'worker': {
'sync_integrity': 1
}
}
}
worker_handler.connected = True
with patch('wazuh.core.cluster.common.Handler.send_request',
new=AsyncMock(return_value=b'True')):
with patch('asyncio.sleep', side_effect=TimeoutError()):
with pytest.raises(TimeoutError):
await worker_handler.sync_integrity()
with patch('time.time', side_effect=WazuhException(1001)):
with patch('asyncio.sleep', side_effect=TimeoutError()):
with pytest.raises(WazuhException, match=r'.* 1001 .*'):
await worker_handler.sync_integrity()
with patch('time.time', side_effect=TimeoutError()):
with patch('asyncio.sleep', side_effect=TimeoutError()):
with pytest.raises(TimeoutError):
await worker_handler.sync_integrity()
async def test_SyncWorker(create_log, caplog):
async def check_message(mock, expected_message):
with patch('wazuh.core.cluster.common.Handler.send_request', new=AsyncMock(return_value=mock)):
with caplog.at_level(logging.DEBUG):
await sync_worker.sync()
assert caplog.records[-1].message == expected_message
worker_handler = get_worker_handler()
sync_worker = worker.SyncWorker(cmd=b'testing', files_to_sync={'files': ['testing']}, files_metadata={'testing': '0'},
logger=logger, worker=worker_handler)
send_request_mock = KeyError(1)
await check_message(mock=send_request_mock, expected_message=f"Error asking for permission: 1")
await check_message(mock=b'False', expected_message="Master didnt grant permission to synchronize")
await check_message(mock=b'True', expected_message="Worker files sent to master")
error = WazuhException(1001)
with patch('wazuh.core.cluster.common.Handler.send_request', new=AsyncMock(return_value=b'True')):
with patch('wazuh.core.cluster.common.Handler.send_file', new=AsyncMock(side_effect=error)):
await sync_worker.sync()
assert 'Error sending files information' in caplog.records[-1].message
error = KeyError(1)
with patch('wazuh.core.cluster.common.Handler.send_request', new=AsyncMock(return_value=b'True')):
with patch('wazuh.core.cluster.common.Handler.send_file', new=AsyncMock(side_effect=error)):
await sync_worker.sync()
assert 'Error sending files information' in caplog.records[-1].message
def receive(self, header_format="<I", header_size=4, raw=False):
response = loads(OssecSocket.receive(self, header_format=header_format, header_size=header_size).decode())
if not raw:
if 'error' in response.keys():
if response['error'] != 0:
raise WazuhException(response['error'], response['message'], cmd_error=True)
return response['data']
else:
return response
def _filter_status(self, filter_status):
partial = "SELECT {0} AS status, date_first, date_last, log, pci_dss, cis FROM pm_event AS t WHERE " \
"date_last {1} (SELECT date_last-86400 FROM pm_event WHERE log = 'Ending rootcheck scan.')"
log_not_in = ") WHERE log NOT IN ('Starting rootcheck scan.', 'Ending rootcheck scan.', " \
"'Starting syscheck scan.', 'Ending syscheck scan.'"
if filter_status['value'] == 'all':
self.query += partial.format("'outstanding'", '>') + " UNION " + partial.format("'solved'", '<=') + log_not_in
elif filter_status['value'] == 'outstanding':
self.query += partial.format("'outstanding'", '>') + log_not_in
elif filter_status['value'] == 'solved':
self.query += partial.format("'solved'", '<=') + log_not_in
else:
raise WazuhException(1603, filter_status['value'])
def get_cluster_items():
try:
here = os.path.abspath(os.path.dirname(__file__))
with open(os.path.join(common.ossec_path, here, 'cluster.json')) as f:
cluster_items = json.load(f)
list(
map(
lambda x: setitem(x, 'permissions',
int(x['permissions'], base=0)),
filter(lambda x: 'permissions' in x,
cluster_items['files'].values())))
return cluster_items
except Exception as e:
raise WazuhException(3005, str(e))
async def test_SyncWorker():
def get_last_logger_line():
return subprocess.check_output(['tail', '-1', current_path_logger])
async def check_message(mock, expected_message):
with patch('wazuh.core.cluster.common.Handler.send_request',
new=AsyncMock(return_value=mock)):
await sync_worker.sync()
assert get_last_logger_line().decode() == expected_message
worker_handler = get_worker_handler()
sync_worker = worker.SyncWorker(cmd=b'testing',
files_to_sync={'files': ['testing']},
checksums={'testing': '0'},
logger=logger,
worker=worker_handler)
send_request_mock = KeyError(1)
await check_message(
mock=send_request_mock,
expected_message=f"ERROR:wazuh:Error asking for permission: "
f"{str(send_request_mock)}\n")
await check_message(
mock=b'False',
expected_message=
"INFO:wazuh:Master didnt grant permission to synchronize\n")
await check_message(
mock=b'True',
expected_message="INFO:wazuh:Worker files sent to master\n")
error = WazuhException(1001)
with patch('wazuh.core.cluster.common.Handler.send_request',
new=AsyncMock(return_value=b'True')):
with patch('wazuh.core.cluster.common.Handler.send_file',
new=AsyncMock(side_effect=error)):
await sync_worker.sync()
assert b'ERROR:wazuh:Error sending files information' in get_last_logger_line(
)
error = KeyError(1)
with patch('wazuh.core.cluster.common.Handler.send_request',
new=AsyncMock(return_value=b'True')):
with patch('wazuh.core.cluster.common.Handler.send_file',
new=AsyncMock(side_effect=error)):
await sync_worker.sync()
assert b'ERROR:wazuh:Error sending files information' in get_last_logger_line(
)
os.remove(current_path_logger)
async def connect(self, path_to_socket):
"""Establish connection with the socket and creates both Transport and Protocol objects to operate with it.
Parameters
----------
path_to_socket : str
Path where the socket is located.
Raises
------
WazuhException(1013)
If the connection with the socket can't be established.
"""
try:
self.s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
self.s.connect(path_to_socket)
self.loop = asyncio.get_running_loop()
self.transport, self.protocol = await self.loop.create_connection(
lambda: WazuhAsyncProtocol(self.loop), sock=self.s)
except (socket.error, FileNotFoundError) as e:
raise WazuhException(1013, str(e))
except (AttributeError, ValueError, OSError) as e:
self.s.close()
raise WazuhException(1013, str(e))
async def test_SyncWorker(create_log, caplog):
worker_handler = get_worker_handler()
sync_worker = worker.SyncFiles(cmd=b'testing', logger=logger, worker=worker_handler)
error = WazuhException(1001)
with patch('wazuh.core.cluster.common.Handler.send_request', new=AsyncMock(return_value=b'True')):
with patch('wazuh.core.cluster.common.Handler.send_file', new=AsyncMock(side_effect=error)):
await sync_worker.sync(files_to_sync={'files': ['testing']}, files_metadata={'testing': '0'})
assert 'Error sending zip file' in caplog.records[-1].message
error = KeyError(1)
with patch('wazuh.core.cluster.common.Handler.send_request', new=AsyncMock(return_value=b'True')):
with patch('wazuh.core.cluster.common.Handler.send_file', new=AsyncMock(side_effect=error)):
await sync_worker.sync(files_to_sync={'files': ['testing']}, files_metadata={'testing': '0'})
assert 'Error sending zip file' in caplog.records[-1].message
async def receive(self, header_size=None):
"""Return the content of the socket.
Parameters
----------
header_size : int
Size of the header to be extracted from the message received.
Raises
------
WazuhException(1014)
If there is no connection with the socket.
"""
try:
await self.protocol.on_data_received
return self.protocol.get_data()[header_size:] if header_size else self.protocol.get_data()
except Exception as e:
self.transport.close()
raise WazuhException(1014, str(e))
async def receive(self, header_size=None):
"""Get the data from the socket and converts it to JSON.
Parameters
----------
header_size : int
Size of the header to be extracted from the message received.
Raises
------
WazuhException
If the message obtained from the socket was an error message."""
response = await WazuhAsyncSocket.receive(self, header_size)
response = loads(response.decode())
if 'error' in response.keys():
if response['error'] != 0:
raise WazuhException(response['error'], response['message'], cmd_error=True)
else:
return response['data']
def overwrite_or_create_files(filename: str, data: Dict):
"""
Updates a file coming from the master
:param filename: Filename to update
:param data: File metadata such as modification time, whether it's a merged file or not, etc.
:return: None
"""
full_filename_path = common.ossec_path + filename
if os.path.basename(filename) == 'client.keys':
self._check_removed_agents("{}{}".format(zip_path, filename),
logger)
if data['merged']: # worker nodes can only receive agent-groups files
if data['merge-type'] == 'agent-info':
logger.warning("Agent status received in a worker node")
raise WazuhException(3011)
for name, content, _ in wazuh.core.cluster.cluster.unmerge_agent_info(
'agent-groups', zip_path, filename):
full_unmerged_name = os.path.join(common.ossec_path, name)
tmp_unmerged_path = full_unmerged_name + '.tmp'
with open(tmp_unmerged_path, 'wb') as f:
f.write(content)
safe_move(tmp_unmerged_path,
full_unmerged_name,
permissions=self.cluster_items['files'][
data['cluster_item_key']]['permissions'],
ownership=(common.ossec_uid(),
common.ossec_gid()))
else:
if not os.path.exists(os.path.dirname(full_filename_path)):
utils.mkdir_with_mode(os.path.dirname(full_filename_path))
safe_move("{}{}".format(zip_path, filename),
full_filename_path,
permissions=self.cluster_items['files'][
data['cluster_item_key']]['permissions'],
ownership=(common.ossec_uid(), common.ossec_gid()))
async def test_RetrieveAndSendToMaster(caplog):
async def check_message(expected_messages, *args, **kwargs):
with caplog.at_level(logging.DEBUG):
await sync_worker.retrieve_and_send(*args, **kwargs)
for i, expected_message in enumerate(expected_messages):
assert expected_message in caplog.records[-(i + 1)].message
worker_handler = get_worker_handler()
# Test if data_retriever exceptions are handled
sync_worker = worker.RetrieveAndSendToMaster(
worker=worker_handler,
destination_daemon='test',
logger=logger,
data_retriever=lambda: exec('raise(WazuhException(1000))'))
await check_message(expected_messages=[
"Error obtaining data: Error 1000 - Wazuh Internal Error",
"Obtaining data to be sent to master's test."
])
# Test params used in data_retriever are correct
data_mock = MagicMock()
sync_worker = worker.RetrieveAndSendToMaster(worker=worker_handler,
destination_daemon='test',
logger=logger,
data_retriever=data_mock)
await check_message(expected_messages=[], command='global sql test')
data_mock.assert_called_once_with(command='global sql test')
# Test expected exception is raised when calling LocalClient.execute().
sync_worker = worker.RetrieveAndSendToMaster(
worker=worker_handler,
destination_daemon='test',
logger=logger,
data_retriever=lambda: ['test'])
with patch('wazuh.core.cluster.local_client.LocalClient.execute',
side_effect=WazuhException(1000)):
await check_message(expected_messages=[
"Finished sending information to test in",
"Error sending information to test: Error 1000 - Wazuh Internal Error"
])
# Test successful workflow for 2 chunks
sync_worker = worker.RetrieveAndSendToMaster(
worker=worker_handler,
destination_daemon='test',
logger=logger,
msg_format='test_format {payload}',
data_retriever=lambda: ['test1', 'test2'])
with patch('wazuh.core.cluster.local_client.LocalClient.execute',
return_value='ok') as mock_lc:
await check_message(expected_messages=[
"Finished sending information to test in",
"Master's test response: ok.", "Master's test response: ok.",
"Starting to send information to test."
])
calls = [
call(
command=b'sendasync',
data=b'{"daemon_name": "test", "message": "test_format test1"}',
wait_for_complete=False),
call(
command=b'sendasync',
data=b'{"daemon_name": "test", "message": "test_format test2"}',
wait_for_complete=False)
]
mock_lc.assert_has_calls(calls)
# Test unsuccessful workflow for 1 chunks
sync_worker = worker.RetrieveAndSendToMaster(
worker=worker_handler,
destination_daemon='test',
logger=logger,
expected_res='test_res',
n_retries=1,
data_retriever=lambda: ['test1'],
cmd=b'sync_a_m_w')
with patch('wazuh.core.cluster.local_client.LocalClient.execute',
return_value='ok') as mock_lc:
with patch('wazuh.core.cluster.common.Handler.send_request',
return_value='ok'):
await check_message(expected_messages=[
"Finished sending information to test in",
"Master response for b'sync_a_m_w_e' command: ok",
"Master's test response: ok.",
"Error sending chunk to master's test. Response does not start with"
" test_res (Response: ok). Retrying... 0",
"Master's test response: ok.",
"Starting to send information to test.",
"Master response for b'sync_a_m_w_s' command: ok",
"Obtained 1 chunks of data to be sent.",
"Obtaining data to be sent to master's test."
])
calls = [
call(command=b'sendasync',
data=b'{"daemon_name": "test", "message": "test1"}',
wait_for_complete=False),
call(command=b'sendasync',
data=b'{"daemon_name": "test", "message": "test1"}',
wait_for_complete=False)
]
mock_lc.assert_has_calls(calls)
def _connect(self):
try:
self.s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
self.s.connect(self.path)
except Exception as e:
raise WazuhException(1013, str(e))
Wazuh is a python package to manage OSSEC.
"""
__version__ = '4.0.0'
msg = "\n\nPython 2.7 or newer not found."
msg += "\nUpdate it or set the path to a valid version. Example:"
msg += "\n export PATH=$PATH:/opt/rh/python27/root/usr/bin"
msg += "\n export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/rh/python27/root/usr/lib64"
try:
from sys import version_info as python_version
if python_version.major < 2 or (python_version.major == 2
and python_version.minor < 7):
raise WazuhException(999, msg)
except Exception as e:
raise WazuhException(999, msg)
class Wazuh:
"""
Basic class to set up OSSEC directories
"""
def __init__(self):
"""
Initialize basic information and directories.
:return:
"""
self.version = common.wazuh_version
else:
invalid_option("Missing agent ID or group.")
else:
invalid_option("Bad argument combination.")
if __name__ == "__main__":
logger = logging.basicConfig(level=logging.INFO,
format='%(levelname)s: %(message)s')
try:
cluster_config = read_config()
executable_name = "agent_groups"
master_ip = cluster_config['nodes'][0]
if cluster_config['node_type'] != 'master' and not cluster_config[
'disabled']:
raise WazuhException(3019, {
"EXECUTABLE_NAME": executable_name,
"MASTER_IP": master_ip
})
main()
except WazuhException as e:
print("Error {0}: {1}".format(e.code, e.message))
if debug:
raise
except Exception as e:
print("Internal error: {0}".format(str(e)))
if debug:
raise
def main():
# Capture Ctrl + C
signal(SIGINT, signal_handler)
# Check arguments
if args.list_outdated:
list_outdated()
exit(0)
if not args.agent:
arg_parser.print_help()
exit(0)
if args.silent:
args.debug = False
use_http = False
if args.http:
use_http = True
agent = Agent(id=args.agent)
agent.load_info_from_db()
agent_info = "{0}/queue/agent-info/{1}-{2}".format(common.ossec_path,
agent.name,
agent.registerIP)
if not os.path.isfile(agent_info):
raise WazuhException(1720)
# Evaluate if the version is correct
if args.version is not None:
pattern = re.compile("v[0-9]+\.[0-9]+\.[0-9]+")
if not pattern.match(args.version):
raise WazuhException(1733,
"Version received: {0}".format(args.version))
if args.chunk_size is not None:
if args.chunk_size < 1 or args.chunk_size > 64000:
raise WazuhException(1744,
"Chunk defined: {0}".format(args.chunk_size))
# Custom WPK file
if args.file:
upgrade_command_result = agent.upgrade_custom(
file_path=args.file,
installer=args.execute if args.execute else "upgrade.sh",
debug=args.debug,
show_progress=print_progress if not args.silent else None,
chunk_size=args.chunk_size,
rl_timeout=-1 if args.timeout == None else args.timeout)
if not args.silent:
if not args.debug:
print("\n{0}... Please wait.".format(upgrade_command_result))
else:
print(upgrade_command_result)
counter = 0
agent_info_stat = os.stat(agent_info).st_mtime
sleep(10)
while agent_info_stat == os.stat(
agent_info).st_mtime and counter < common.agent_info_retries:
sleep(common.agent_info_sleep)
counter = counter + 1
if agent_info_stat == os.stat(agent_info).st_mtime:
raise WazuhException(1716,
"Timeout waiting for agent reconnection.")
upgrade_result = agent.upgrade_result(debug=args.debug)
if not args.silent:
print(upgrade_result)
# WPK upgrade file
else:
prev_ver = agent.version
upgrade_command_result = agent.upgrade(
wpk_repo=args.repository,
debug=args.debug,
version=args.version,
force=args.force,
show_progress=print_progress if not args.silent else None,
chunk_size=args.chunk_size,
rl_timeout=-1 if args.timeout == None else args.timeout,
use_http=use_http)
if not args.silent:
if not args.debug:
print("\n{0}... Please wait.".format(upgrade_command_result))
else:
print(upgrade_command_result)
counter = 0
agent_info_stat = os.stat(agent_info).st_mtime
while agent_info_stat == os.stat(
agent_info).st_mtime and counter < common.agent_info_retries:
sleep(common.agent_info_sleep)
counter = counter + 1
if agent_info_stat == os.stat(agent_info).st_mtime:
raise WazuhException(1716,
"Timeout waiting for agent reconnection.")
sleep(10)
upgrade_result = agent.upgrade_result(debug=args.debug)
if not args.silent:
if not args.debug:
agent.load_info_from_db()
print("Agent upgraded: {0} -> {1}".format(
prev_ver, agent.version))
else:
print(upgrade_result)
def test_wazuh_exception__deepcopy__():
"""Check that WazuhException's __deepcopy__ magic method works properly."""
excp1 = WazuhException(1308)
excp2 = excp1.__deepcopy__()
assert excp1 == excp2 and excp1 is not excp2
def remove_bulk_agents(agent_ids_list: KeysView, logger):
"""
Removes files created by agents in worker nodes. This function doesn't remove agents from client.keys since the
client.keys file is overwritten by the master node.
:param agent_ids_list: List of agents ids to remove.
:param logger: Logger to use
:return: None.
"""
def remove_agent_file_type(agent_files: List[str]):
"""
Removes files if they exist
:param agent_files: Path regexes of the files to remove
:return: None
"""
for filetype in agent_files:
filetype_glob = filetype.format(ossec_path=common.ossec_path,
id='*',
name='*',
ip='*')
filetype_agent = {
filetype.format(ossec_path=common.ossec_path,
id=a['id'],
name=a['name'],
ip=a['ip'])
for a in agent_info
}
for agent_file in set(
glob.iglob(filetype_glob)) & filetype_agent:
logger.debug2("Removing {}".format(agent_file))
if os.path.isdir(agent_file):
shutil.rmtree(agent_file)
else:
os.remove(agent_file)
if not agent_ids_list:
return # the function doesn't make sense if there is no agents to remove
logger.info("Removing files from {} agents".format(
len(agent_ids_list)))
logger.debug("Agents to remove: {}".format(', '.join(agent_ids_list)))
# the agents must be removed in groups of 997: 999 is the limit of SQL variables per query. Limit and offset are
# always included in the SQL query, so that leaves 997 variables as limit.
for agents_ids_sublist in itertools.zip_longest(*itertools.repeat(
iter(agent_ids_list), 997),
fillvalue='0'):
agents_ids_sublist = list(
filter(lambda x: x != '0', agents_ids_sublist))
# Get info from DB
agent_info = Agent.get_agents_overview(q=",".join(
["id={}".format(i) for i in agents_ids_sublist]),
select=['ip', 'id', 'name'],
limit=None)['items']
logger.debug2("Removing files from agents {}".format(
', '.join(agents_ids_sublist)))
files_to_remove = [
'{ossec_path}/queue/agent-info/{name}-{ip}',
'{ossec_path}/queue/rootcheck/({name}) {ip}->rootcheck',
'{ossec_path}/queue/diff/{name}',
'{ossec_path}/queue/agent-groups/{id}',
'{ossec_path}/queue/rids/{id}',
'{ossec_path}/var/db/agents/{name}-{id}.db'
]
remove_agent_file_type(files_to_remove)
logger.debug2("Removing agent group assigments from database")
# remove agent from groups
db_global = glob.glob(common.database_path_global)
if not db_global:
raise WazuhException(1600)
conn = Connection(db_global[0])
agent_ids_db = {
'id_agent{}'.format(i): int(i)
for i in agents_ids_sublist
}
conn.execute(
'delete from belongs where {}'.format(' or '.join([
'id_agent = :{}'.format(i) for i in agent_ids_db.keys()
])), agent_ids_db)
conn.commit()
# Tell wazuhbd to delete agent database
wdb_conn = WazuhDBConnection()
wdb_conn.delete_agents_db(agents_ids_sublist)
logger.info("Agent files removed")