Пример #1
0
def test_check_status(status, expected_result):
    """Test check_status rule core function."""
    try:
        result = rule.check_status(status)
        assert result == expected_result
    except WazuhError as e:
        assert e.code == expected_result.code
Пример #2
0
def get_rules_files(status=None, relative_dirname=None, filename=None, offset=0, limit=common.database_limit, sort_by=None,
                    sort_ascending=True, search_text=None, complementary_search=False, search_in_fields=None):
    """Gets a list of the rule files.

    :param status: Filters by status: enabled, disabled, all.
    :param relative_dirname: Filters by relative dirname.
    :param filename: List of filenames to filter by.
    :param offset: First item to return.
    :param limit: Maximum number of items to return.
    :param sort_by: Fields to sort the items by
    :param sort_ascending: Sort in ascending (true) or descending (false) order
    :param search_text: Text to search
    :param complementary_search: Find items without the text to search
    :param search_in_fields: Fields to search in
    :return: AffectedItemsWazuhResult
    """
    result = AffectedItemsWazuhResult(none_msg='No rule files were returned',
                                      some_msg='Some rule files were not returned',
                                      all_msg='All rule files were returned')
    status = check_status(status)
    # Rules configuration
    ruleset_conf = configuration.get_ossec_conf(section='ruleset')
    if not ruleset_conf:
        raise WazuhError(1200)
    rules_files = list()
    tags = ['rule_include', 'rule_exclude', 'rule_dir']
    if isinstance(filename, list):
        for f in filename:
            rules_files.extend(
                format_rule_decoder_file(ruleset_conf['ruleset'],
                                         {'status': status, 'relative_dirname': relative_dirname, 'filename': f},
                                         tags))
    else:
        rules_files = format_rule_decoder_file(ruleset_conf['ruleset'],
                                               {'status': status, 'relative_dirname': relative_dirname, 'filename': filename},
                                               tags)

    data = process_array(rules_files, search_text=search_text, search_in_fields=search_in_fields,
                         complementary_search=complementary_search, sort_by=sort_by, sort_ascending=sort_ascending,
                         offset=offset, limit=limit)
    result.affected_items = data['items']
    result.total_affected_items = data['totalItems']

    return result
Пример #3
0
Файл: rule.py Проект: zWaR/wazuh
def get_rules(rule_ids=None,
              status=None,
              group=None,
              pci_dss=None,
              gpg13=None,
              gdpr=None,
              hipaa=None,
              nist_800_53=None,
              tsc=None,
              mitre=None,
              relative_dirname=None,
              filename=None,
              level=None,
              offset=0,
              limit=common.database_limit,
              select=None,
              sort_by=None,
              sort_ascending=True,
              search_text=None,
              complementary_search=False,
              search_in_fields=None,
              q=''):
    """Gets a list of rules.

    :param rule_ids: IDs of rules.
    :param status: Filters the rules by status.
    :param group: Filters the rules by group.
    :param pci_dss: Filters the rules by pci_dss requirement.
    :param gpg13: Filters the rules by gpg13 requirement.
    :param gdpr: Filters the rules by gdpr requirement.
    :param hipaa: Filters the rules by hipaa requirement.
    :param nist_800_53: Filters the rules by nist_800_53 requirement.
    :param tsc: Filters the rules by tsc requirement.
    :param mitre: Filters the rules by mitre attack ID.
    :param relative_dirname: Filters the relative dirname.
    :param filename: List of filenames to filter by.
    :param level: Filters the rules by level. level=2 or level=2-5.
    :param offset: First item to return.
    :param limit: Maximum number of items to return.
    :param select: List of selected fields to return
    :param sort_by: Fields to sort the items by
    :param sort_ascending: Sort in ascending (true) or descending (false) order
    :param search_text: Text to search
    :param complementary_search: Find items without the text to search
    :param search_in_fields: Fields to search in
    :param q: Defines query to filter.
    :return: Dictionary: {'items': array of items, 'totalItems': Number of items (without applying the limit)}
    """
    result = AffectedItemsWazuhResult(
        none_msg='No rule was returned',
        some_msg='Some rules were not returned',
        all_msg='All selected rules were returned')
    rules = list()
    if rule_ids is None:
        rule_ids = list()
    levels = None

    if level:
        levels = level.split('-')
        if len(levels) < 0 or len(levels) > 2:
            raise WazuhError(1203)

    for rule_file in get_rules_files(limit=None).affected_items:
        rules.extend(
            load_rules_from_file(rule_file['filename'],
                                 rule_file['relative_dirname'],
                                 rule_file['status']))

    status = check_status(status)
    status = ['enabled', 'disabled'] if status == 'all' else [status]
    parameters = {
        'groups': group,
        'pci_dss': pci_dss,
        'gpg13': gpg13,
        'gdpr': gdpr,
        'hipaa': hipaa,
        'nist_800_53': nist_800_53,
        'tsc': tsc,
        'mitre': mitre,
        'relative_dirname': relative_dirname,
        'filename': filename,
        'id': rule_ids,
        'level': levels,
        'status': status
    }
    original_rules = list(rules)
    no_existent_ids = rule_ids[:]
    for r in original_rules:
        if r['id'] in no_existent_ids:
            no_existent_ids.remove(r['id'])
        for key, value in parameters.items():
            if value:
                if key == 'level' and (len(value) == 1 and int(value[0]) != r['level'] or len(value) == 2
                                       and not int(value[0]) <= r['level'] <= int(value[1])) or \
                        (key == 'id' and r[key] not in value) or \
                        (key == 'filename' and r[key] not in filename) or \
                        (key == 'status' and r[key] not in value) or \
                        (not isinstance(value, list) and value not in r[key]):
                    rules.remove(r)
                    break

    for rule_id in no_existent_ids:
        result.add_failed_item(id_=rule_id, error=WazuhError(1208))

    data = process_array(rules,
                         search_text=search_text,
                         search_in_fields=search_in_fields,
                         complementary_search=complementary_search,
                         select=select,
                         sort_by=sort_by,
                         sort_ascending=sort_ascending,
                         allowed_sort_fields=SORT_FIELDS,
                         offset=offset,
                         limit=limit,
                         q=q,
                         required_fields=REQUIRED_FIELDS)
    result.affected_items = data['items']
    result.total_affected_items = data['totalItems']

    return result