def _get_requirement(offset, limit, sort, search, requirement):
"""
Get the requirements used in the rules
:param offset: First item to return.
:param limit: Maximum number of items to return.
:param sort: Sorts the items. Format: {"fields":["field1","field2"],"order":"asc|desc"}.
:param search: Looks for items with the specified string.
:param requirement: requirement to get (pci or dgpr)
:return: Dictionary: {'items': array of items, 'totalItems': Number of items (without applying the limit)}
"""
if requirement != 'pci' and requirement != 'gdpr':
raise OssecAPIException(1205, requirement)
req = list({req for rule in Rule.get_rules(limit=None)['items'] for req in rule.to_dict()[requirement]})
if search:
req = search_array(req, search['value'], search['negation'])
if sort:
req = sort_array(req, order=sort['order'])
else:
req = sort_array(req)
return {'items': cut_array(req, offset, limit), 'totalItems': len(req)}
def get_decoders_files(status=None,
path=None,
file=None,
offset=0,
limit=common.database_limit,
sort=None,
search=None):
"""
Gets a list of the available decoder files.
:param status: Filters by status: enabled, disabled, all.
:param path: Filters by path.
:param file: Filters by filename.
:param offset: First item to return.
:param limit: Maximum number of items to return.
:param sort: Sorts the items. Format: {"fields":["field1","field2"],"order":"asc|desc"}.
:param search: Looks for items with the specified string.
:return: Dictionary: {'items': array of items, 'totalItems': Number of items (without applying the limit)}
"""
status = Decoder.__check_status(status)
ruleset_conf = configuration.get_ossec_conf(section='rules')
if not ruleset_conf:
raise OssecAPIException(1500)
tmp_data = []
tags = ['decoder']
exclude_filenames = []
for tag in tags:
if tag in ruleset_conf:
item_status = Decoder.S_ENABLED
if type(ruleset_conf[tag]) is list:
items = ruleset_conf[tag]
else:
items = [ruleset_conf[tag]]
for item in items:
if '/' in item:
item_split = item.split('/')
item_name = item_split[-1]
item_dir = "{0}/{1}".format(common.ossec_path,
"/".join(item_split[:-1]))
else:
item_name = item
item_dir = "{0}/{1}".format(common.ruleset_rules_path,
item)
tmp_data.append({
'file': item_name,
'path': item_dir,
'status': item_status
})
tag = 'decoder_dir'
if tag in ruleset_conf:
if type(ruleset_conf[tag]) is list:
items = ruleset_conf[tag]
else:
items = [ruleset_conf[tag]]
for item_dir in items:
all_decoders = "{0}/{1}/*.xml".format(common.ossec_path,
item_dir)
for item in glob(all_decoders):
item_split = item.split('/')
item_name = item_split[-1]
item_dir = "/".join(item_split[:-1])
if item_name in exclude_filenames:
item_status = Decoder.S_DISABLED
else:
item_status = Decoder.S_ENABLED
tmp_data.append({
'file': item_name,
'path': item_dir,
'status': item_status
})
data = list(tmp_data)
for d in tmp_data:
if status and status != 'all' and status != d['status']:
data.remove(d)
continue
if path and path != d['path']:
data.remove(d)
continue
if file and file != d['file']:
data.remove(d)
continue
if search:
data = search_array(data, search['value'], search['negation'])
if sort:
data = sort_array(data, sort['fields'], sort['order'])
else:
data = sort_array(data, ['file'], 'asc')
return {
'items': cut_array(data, offset, limit),
'totalItems': len(data)
}
def get_decoders(status=None,
path=None,
file=None,
name=None,
parents=False,
offset=0,
limit=common.database_limit,
sort=None,
search=None):
"""
Gets a list of available decoders.
:param status: Filters by status: enabled, disabled, all.
:param path: Filters by path.
:param file: Filters by file.
:param name: Filters by name.
:param parents: Just parent decoders.
:param offset: First item to return.
:param limit: Maximum number of items to return.
:param sort: Sorts the items. Format: {"fields":["field1","field2"],"order":"asc|desc"}.
:param search: Looks for items with the specified string.
:return: Dictionary: {'items': array of items, 'totalItems': Number of items (without applying the limit)}
"""
status = Decoder.__check_status(status)
all_decoders = []
for decoder_file in Decoder.get_decoders_files(status=status,
limit=None)['items']:
if glob(decoder_file['path']):
all_decoders.extend(
Decoder.__load_decoders_from_file(decoder_file['file'],
decoder_file['path'],
decoder_file['status']))
if not all_decoders:
if (glob(common.default_decoder_xml)):
all_decoders.extend(
Decoder.__load_decoders_from_file(
"decoder.xml", common.default_decoder_xml,
Decoder.S_ENABLED))
if (glob(common.custom_decoder_xml)):
all_decoders.extend(
Decoder.__load_decoders_from_file(
"local_decoder.xml", common.custom_decoder_xml,
Decoder.S_ENABLED))
decoders = list(all_decoders)
for d in all_decoders:
if path and path != d.path:
decoders.remove(d)
continue
if file and file != d.file:
decoders.remove(d)
continue
if name and name != d.name:
decoders.remove(d)
continue
if parents and 'parent' in d.details:
decoders.remove(d)
continue
if search:
decoders = search_array(decoders, search['value'],
search['negation'])
if sort:
decoders = sort_array(decoders, sort['fields'], sort['order'],
Decoder.SORT_FIELDS)
else:
decoders = sort_array(decoders, ['file', 'position'], 'asc')
return {
'items': cut_array(decoders, offset, limit),
'totalItems': len(decoders)
}
def get_rules(status=None, group=None, pci=None, gdpr=None, path=None, file=None, id=None, level=None, offset=0, limit=common.database_limit, sort=None, search=None):
"""
Gets a list of rules.
:param status: Filters by status: enabled, disabled, all.
:param group: Filters by group.
:param pci: Filters by pci requirement.
:param gdpr: Filter by gdpr requirement.
:param file: Filters by file of the rule.
:param path: Filters by file of the path.
:param id: Filters by rule ID.
:param level: Filters by level. It can be an integer or an range (i.e. '2-4' that means levels from 2 to 4).
:param offset: First item to return.
:param limit: Maximum number of items to return.
:param sort: Sorts the items. Format: {"fields":["field1","field2"],"order":"asc|desc"}.
:param search: Looks for items with the specified string.
:return: Dictionary: {'items': array of items, 'totalItems': Number of items (without applying the limit)}
"""
all_rules = []
if level:
levels = level.split('-')
if len(levels) < 0 or len(levels) > 2:
raise OssecAPIException(1203)
for rule_file in Rule.get_rules_files(status=status, limit=None)['items']:
all_rules.extend(Rule.__load_rules_from_file(rule_file['file'], rule_file['path'], rule_file['status']))
rules = list(all_rules)
for r in all_rules:
if group and group not in r.groups:
rules.remove(r)
continue
elif pci and pci not in r.pci:
rules.remove(r)
continue
elif gdpr and gdpr not in r.gdpr:
rules.remove(r)
continue
elif path and path != r.path:
rules.remove(r)
continue
elif file and file != r.file:
rules.remove(r)
continue
elif id and int(id) != r.id:
rules.remove(r)
continue
elif level:
if len(levels) == 1:
if int(levels[0]) != r.level:
rules.remove(r)
continue
elif not (int(levels[0]) <= r.level <= int(levels[1])):
rules.remove(r)
continue
if search:
rules = search_array(rules, search['value'], search['negation'])
if sort:
rules = sort_array(rules, sort['fields'], sort['order'], Rule.SORT_FIELDS)
else:
rules = sort_array(rules, ['id'], 'asc')
return {'items': cut_array(rules, offset, limit), 'totalItems': len(rules)}
def ossec_log(type_log='all',
category='all',
months=3,
offset=0,
limit=common.database_limit,
sort=None,
search=None):
"""
Gets logs from ossec.log.
:param type_log: Filters by log type: all, error or info.
:param category: Filters by log category (i.e. ossec-remoted).
:param months: Returns logs of the last n months. By default is 3 months.
:param offset: First item to return.
:param limit: Maximum number of items to return.
:param sort: Sorts the items. Format: {"fields":["field1","field2"],"order":"asc|desc"}.
:param search: Looks for items with the specified string.
:return: Dictionary: {'items': array of items, 'totalItems': Number of items (without applying the limit)}
"""
logs = []
first_date = previous_month(months)
statfs_error = "ERROR: statfs('******') produced error: No such file or directory"
for line in tail(common.ossec_log, 2000):
log_fields = __get_ossec_log_fields(line)
if log_fields:
log_date, log_category, level, description = log_fields
if log_date < first_date:
continue
if category != 'all':
if log_category:
if log_category != category:
continue
else:
continue
log_line = {
'timestamp': str(log_date),
'tag': log_category,
'level': level,
'description': description
}
if type_log == 'all':
logs.append(log_line)
elif type_log.lower() == level.lower():
if "ERROR: statfs(" in line:
if statfs_error in logs:
continue
else:
logs.append(statfs_error)
else:
logs.append(log_line)
else:
continue
else:
if logs != []:
logs[-1]['description'] += "\n" + line
if search:
logs = search_array(logs, search['value'], search['negation'])
if sort:
if sort['fields']:
logs = sort_array(logs,
order=sort['order'],
sort_by=sort['fields'])
else:
logs = sort_array(logs, order=sort['order'], sort_by=['timestamp'])
else:
logs = sort_array(logs, order='desc', sort_by=['timestamp'])
return {'items': cut_array(logs, offset, limit), 'totalItems': len(logs)}