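def _run_ossec_check_script(system_ip, check_type, quoted_parameter):
    """Execute ``ossec_check.sh`` on *system_ip* through ansible.

    Args:
        system_ip: host the ansible ``shell`` module runs on.
        check_type: first script argument (``lastip`` or ``lastscan``).
        quoted_parameter: second script argument, already shell-quoted.

    Returns:
        ``(True, stdout)`` when ansible answered and the script exited 0,
        otherwise ``(False, message)``.
    """
    command = "/usr/share/ossim/scripts/ossec_check.sh %s %s" % (check_type, quoted_parameter)
    response = _ansible.run_module(host_list=[system_ip], module="shell", args=command, use_sudo=True)
    result, msg = ansible_is_valid_response(system_ip, response)
    if not result:
        return False, msg
    script_return_code = int(response['contacted'][system_ip]['rc'])
    if script_return_code != 0:
        return False, "[ossec_get_check] Something wrong happened while running ansible command ->'%s'" % str(response)
    return True, response['contacted'][system_ip]['stdout']


def _parse_lastscan_output(lines):
    """Turn the ``lastscan`` output lines into a syscheck/rootcheck dict.

    The script is expected to print exactly two lines, the first for the
    syscheck scan and the second for the rootcheck scan, each of the form
    ``!<start>!<end> Starting <kind> scan.``; the dict holds the start
    timestamps (empty string when a line does not match, or when the
    output does not have two lines, i.e. the IP was not found).
    """
    if len(lines) != 2:  # IP not found
        return {'syscheck': '', 'rootcheck': ''}
    pattern = r"!(?P<start_time>\d{10})!(?P<end_time>\d{10}) Starting \S+ scan."
    start_times = []
    for line in lines:
        matched_object = re.match(pattern, line)
        start_times.append(matched_object.group('start_time') if matched_object is not None else "")
    return {'syscheck': start_times[0], 'rootcheck': start_times[1]}


def ossec_get_check(system_ip, check_type, agent_ip="", agent_name=""):
    """Run ``ossec_check.sh`` on *system_ip* and report the requested check.

    Args:
        system_ip: IP of the host where the script is executed
            (``host_list=[system_ip]`` for ansible).
        check_type: ``"lastip"`` (last IP seen for *agent_name*) or
            ``"lastscan"`` (last syscheck/rootcheck start times for
            *agent_ip*); any other value is rejected.
        agent_ip: dotted IPv4 of the agent; only used for ``"lastscan"``.
        agent_name: agent name; only used for ``"lastip"``. Restricted to
            ``[a-zA-Z0-9_\\-()]`` because it ends up on a shell command line.

    Returns:
        ``(True, data)``: for ``"lastip"`` *data* is the IP string (``""``
        when the script printed no valid IP); for ``"lastscan"`` it is a
        ``{'syscheck': start, 'rootcheck': start}`` dict (empty strings when
        not found). ``(False, message)`` on validation or execution failure;
        unexpected exceptions are reported the same way, never raised.
    """
    # The ansible "shell" module hands the command to a shell, so the
    # parameter is quoted to travel as one literal argument even after the
    # character-set check below (parentheses are allowed by that check).
    try:
        from shlex import quote as _shell_quote  # Python 3
    except ImportError:  # Python 2
        from pipes import quote as _shell_quote

    if check_type not in ["lastip", "lastscan"]:
        return False, "Invalid check type. Allowed values are [lastip, lastscan]"

    if check_type == 'lastip':
        # Anchored with \A...\Z: an unanchored re.match() only constrains the
        # first character, so "name; ..." used to pass validation and reach
        # the shell command line.
        if not agent_name or re.match(r"\A[a-zA-Z0-9_\-()]+\Z", agent_name) is None:
            return False, r"Invalid agent name. Allowed characters are [a-zA-Z0-9_\-()]+"
        script_second_parameter = agent_name
    else:
        if not is_valid_ipv4(agent_ip):
            return False, "Invalid ossec agent ip. Allowed format is: xxx.yyy.zzz.ddd"
        script_second_parameter = agent_ip

    try:
        ok, output = _run_ossec_check_script(system_ip, check_type, _shell_quote(script_second_parameter))
        if not ok:
            return False, output
        if check_type == "lastscan":
            # We need to exec TWO results (syscheck and rootcheck lines)
            data = _parse_lastscan_output(output.split("\n"))
        else:
            if not is_valid_ipv4(output):  # IP not found
                return True, ""
            data = output
    except Exception as err:
        return False, "[ossec_get_check] Something wrong happened while running ansible command -> '%s'" % str(err)
    return True, data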
def add_server(server_ip, password):
    """Register the system at *server_ip* as a new server.

    Steps: validate the address, look up the local system id, call
    ansible_add_system with both plus *password*, fire the local
    ``alienvault-add-server`` trigger (a trigger failure is only logged),
    then resolve and return the remote server id by IP.

    Returns:
        ``(success, value)`` where *value* is the remote server id on
        success, or an error message when an earlier step fails.
    """
    if not is_valid_ipv4(server_ip):
        return False, "Invalid IP format: %s" % server_ip

    success, local_system_id = get_system_id_from_local()
    if not success:
        return success, "Error retrieving the local system id"

    success, response = ansible_add_system(local_system_id=local_system_id,
                                           remote_system_ip=server_ip,
                                           password=password)
    if not success:
        return success, "Cannot add the server to the system"

    trigger_success, msg = fire_trigger(system_ip="127.0.0.1", trigger="alienvault-add-server")
    if not trigger_success:
        api_log.error(msg)

    success, response = get_remote_server_id_from_server_ip(server_ip)
    return success, response
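def ossec_add_new_agent(sensor_id):
    """Create a new OSSEC agent on *sensor_id* and return its details.

    Query parameters (``request.args``): ``agent_name`` (``[-.\\w]+``),
    ``agent_ip`` (IPv4 address or CIDR) and optional ``asset_id``.

    Returns:
        ``make_ok(agent_detail=...)`` with the agent read back from the DB;
        ``make_bad_request`` when the name or address is missing/invalid;
        ``make_error(..., 500)`` when creation or the lookup fails;
        ``make_error_from_exception`` when the lookup raises APIException.
    """
    agent_name = request.args.get('agent_name', None)
    agent_ip = request.args.get('agent_ip', None)
    asset_id = request.args.get('asset_id', None)

    # Check valid input. Missing parameters are rejected explicitly: a None
    # agent_name would make re.match raise TypeError (a 500) instead of a 400.
    # \Z rather than $ so a trailing newline cannot sneak past the check.
    valid_str = re.compile(r'^[-.\w]+\Z')
    if agent_name is None or agent_ip is None:
        return make_bad_request("Invalid agent name or address")
    if not valid_str.match(agent_name) or not (is_valid_ipv4(agent_ip) or is_valid_ipv4_cidr(agent_ip)):
        return make_bad_request("Invalid agent name or address")

    # Now call the api method to create the new agent - If everything is right it returns the agent id of the new agent
    (success, data) = api_ossec_add_new_agent(sensor_id, agent_name, agent_ip, asset_id)
    if not success:
        current_app.logger.error("ossec_agent: error creating new agent: " + str(data))
        return make_error(data, 500)

    # Now we get the agent detail
    try:
        agent_id = data
        (success, data) = apimethod_ossec_get_agent_from_db(sensor_id, agent_id)
    except APIException as e:
        return make_error_from_exception(e)
    if success:
        return make_ok(agent_detail=data)
    return make_error(data, 500)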
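def ossec_add_new_agent(sensor_id):
    """Create a new OSSEC agent on *sensor_id* and return its details.

    Query parameters (``request.args``): ``agent_name`` (``[-.\\w]+``) and
    ``agent_ip`` (IPv4 address or CIDR).

    Returns:
        ``make_ok(agent_detail=...)`` on success; ``make_bad_request`` when
        the name or address is missing/invalid; ``make_error(..., 500)``
        when creation or the detail lookup fails.
    """
    agent_name = request.args.get('agent_name', None)
    agent_ip = request.args.get('agent_ip', None)

    # Check valid input. Missing parameters are rejected explicitly: a None
    # agent_name would make re.match raise TypeError (a 500) instead of a 400.
    # \Z rather than $ so a trailing newline cannot sneak past the check.
    valid_str = re.compile(r'^[-.\w]+\Z')
    if agent_name is None or agent_ip is None:
        return make_bad_request("Invalid agent name or address")
    if not valid_str.match(agent_name) or not (is_valid_ipv4(agent_ip) or is_valid_ipv4_cidr(agent_ip)):
        return make_bad_request("Invalid agent name or address")

    # Now call the api method to create the new agent - If everything is right it returns the agent id of the new agent
    (success, data) = api_ossec_add_new_agent(sensor_id, agent_name, agent_ip)
    if not success:
        current_app.logger.error("ossec_agent: error creating new agent: " + str(data))
        return make_error(data, 500)

    # Now we get the agent detail to return it (data holds the new agent id here).
    (success, data) = apimethod_ossec_get_agent_detail(sensor_id, data)
    if success:
        return make_ok(agent_detail=data)
    return make_error(data, 500)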
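def db_system_update_admin_ip(system_id, admin_ip):
    """Update the admin IP of a system through the ``system_update`` procedure.

    Args:
        system_id: identifier of the system row, passed to the procedure as
            its first argument. It is not validated here, which is why it is
            bound as a parameter instead of being spliced into the SQL text.
        admin_ip: new admin IP; must be a dotted IPv4 string.

    Returns:
        ``(True, '')`` when the procedure reports ``updated`` or ``created``;
        ``(False, message)`` on invalid input, an empty/unexpected procedure
        result, or any database error (logged, transaction rolled back).
    """
    if not is_valid_ipv4(admin_ip):
        api_log.error('Invalid admin_ip %s' % str(admin_ip))
        return False, 'Invalid admin ip %s' % str(admin_ip)
    try:
        # Bound parameters: the previous "%s"-formatted CALL text would have
        # let a caller-supplied system_id alter the statement.
        sp_call = sqltext("CALL system_update(:system_id,'',:admin_ip,'','','','','','','')")
        db.session.begin()
        result = db.session.connection(mapper=System).execute(
            sp_call, {'system_id': system_id, 'admin_ip': admin_ip})
        data = result.fetchall()
        db.session.commit()
        if not data:
            return False, "Something wrong happened while updating system info in the database: %s" % str(data)
        first_row = str(data[0])
        if first_row.find("updated") < 0 and first_row.find("created") < 0:
            return False, "Something wrong happened while updating system info in the database: %s" % first_row
    except Exception as e:
        api_log.error(str(e))
        db.session.rollback()
        return False, 'Something wrong happened while updating system info in the database'
    # Explicit success value: without it the function fell off the end and
    # returned None, which breaks ``ok, msg = ...`` callers.
    return True, ''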
def add_system():
    """Add a system by IP and password taken from the POSTed form.

    Rejects a malformed ``system_ip`` with a 400; otherwise delegates to
    system.add_system_from_ip and answers with its data, or a 500 carrying
    the returned error (also logged).
    """
    system_ip = request.form['system_ip']
    if not is_valid_ipv4(system_ip):
        return make_bad_request("Bad system_ip: %s" % system_ip)

    success, system_data = system.add_system_from_ip(system_ip, request.form['password'])
    if not success:
        current_app.logger.error("system: add_system error: " + str(system_data))
        return make_error(system_data, 500)
    return make_ok(**system_data)
def get_server_address_from_config():
    """Read the ``server_address`` entry of the Config table.

    Returns the stored value when it is a valid dotted IPv4 address, and
    None when it is missing, not valid, or the query raises (the error is
    logged under the ``[get_server_address_from_config]`` tag).
    """
    address = None
    try:
        row = db.session.query(Config).filter(Config.conf == "server_address").one()
        value = row.value
        if value is not None and is_valid_ipv4(value):
            address = value
    except Exception as e:
        api_log.error("[get_server_address_from_config] {0}".format(str(e)))
        address = None
    return address
def get_server_address_from_config():
    """Read the ``server_address`` entry of the Config table.

    Returns the stored value when it is a valid dotted IPv4 address, and
    None when it is missing, not valid, or the query raises (in which case
    the session is rolled back and the error is not logged).
    """
    address = None
    try:
        row = db.session.query(Config).filter(Config.conf == 'server_address').one()
        value = row.value
        if value is not None and is_valid_ipv4(value):
            address = value
    except Exception as e:
        db.session.rollback()
        address = None
    return address
def get_server_address_from_config():
    """Read the ``server_address`` entry of the Config table.

    Returns the stored value when it is a valid dotted IPv4 address, and
    None when it is missing, not valid, or the query raises (in which case
    the session is rolled back and the error is not logged).
    """
    address = None
    try:
        query = db.session.query(Config).filter(Config.conf == 'server_address')
        value = query.one().value
        if value is not None and is_valid_ipv4(value):
            address = value
    except Exception as e:
        db.session.rollback()
        address = None
    return address
def ossec_delete_agentless(sensor_id):
    """Delete the agentless entry for ``agent_ip`` (query parameter) on *sensor_id*.

    Answers 400 when ``agent_ip`` is not a dotted IPv4 address, 500 (and
    logs) when the api method reports a failure, otherwise ``make_ok`` with
    the returned messages.
    """
    agent_ip = request.args.get('agent_ip', None)

    # Check valid input
    if not is_valid_ipv4(agent_ip):
        return make_bad_request("Invalid agent IP")

    # Now call the api method to delete the agentless queue
    success, data = api_ossec_delete_agentless(sensor_id, agent_ip)
    if success:
        return make_ok(messages=data)
    current_app.logger.error("ossec_agent: error deleting agentless queue: " + str(data))
    return make_error(data, 500)
def add_server(server_ip, password):
    """Register the system at *server_ip* as a new server.

    Validates the address, resolves the local system id, calls
    ansible_add_system with both and *password*, then resolves and returns
    the remote server id by IP.

    Returns:
        ``(success, value)`` where *value* is the remote server id on
        success, or an error message when an earlier step fails.
    """
    if not is_valid_ipv4(server_ip):
        return False, "Invalid IP format: %s" % server_ip

    success, local_system_id = get_system_id_from_local()
    if not success:
        return success, "Error retrieving the local system id"

    success, response = ansible_add_system(local_system_id=local_system_id,
                                           remote_system_ip=server_ip,
                                           password=password)
    if not success:
        return success, "Cannot add the server to the system"

    success, response = get_remote_server_id_from_server_ip(server_ip)
    return success, response
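def db_system_update_admin_ip(system_id, admin_ip):
    """Update the admin IP of a system through the ``system_update`` procedure.

    Args:
        system_id: identifier of the system row, passed to the procedure as
            its first argument. It is not validated here, which is why it is
            bound as a parameter instead of being spliced into the SQL text.
        admin_ip: new admin IP; must be a dotted IPv4 string.

    Returns:
        ``(True, '')`` when the procedure reports ``updated`` or ``created``;
        ``(False, message)`` on invalid input, an empty/unexpected procedure
        result, or any database error (logged, transaction rolled back).
    """
    if not is_valid_ipv4(admin_ip):
        api_log.error('Invalid admin_ip %s' % str(admin_ip))
        return False, 'Invalid admin ip %s' % str(admin_ip)
    try:
        # Bound parameters: the previous "%s"-formatted CALL text would have
        # let a caller-supplied system_id alter the statement.
        sp_call = sqltext("CALL system_update(:system_id,'',:admin_ip,'','','','','','','')")
        db.session.begin()
        result = db.session.connection(mapper=System).execute(
            sp_call, {'system_id': system_id, 'admin_ip': admin_ip})
        data = result.fetchall()
        db.session.commit()
        if not data:
            return False, "Something wrong happened while updating system info in the database: %s" % str(data)
        first_row = str(data[0])
        if first_row.find("updated") < 0 and first_row.find("created") < 0:
            return False, "Something wrong happened while updating system info in the database: %s" % first_row
    except Exception as e:
        api_log.error(str(e))
        db.session.rollback()
        return False, 'Something wrong happened while updating system info in the database'
    # Explicit success value: without it the function fell off the end and
    # returned None, which breaks ``ok, msg = ...`` callers.
    return True, ''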
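def get_ossec_check(sensor_id):
    """Return the result of an OSSEC check for an agent of *sensor_id*.

    Query parameters (``request.args``):
        check_type: ``"lastscan"`` or ``"lastip"``.
        agent_name: required for ``lastip``; must consist only of
            ``[a-zA-Z0-9_\\-()]`` characters.
        agent_ip: required for ``lastscan``; must be a dotted IPv4 address.

    Returns:
        ``make_ok(check=data)`` on success, ``make_bad_request`` for a
        missing or invalid parameter, ``make_error(..., 500)`` when the
        check itself fails.
    """
    agent_ip = request.args.get("agent_ip", None)
    agent_name = request.args.get("agent_name", None)
    check_type = request.args.get("check_type", None)

    if check_type not in ["lastscan", "lastip"]:
        return make_bad_request("Invalid check_type value. Allowed values are(lastscan, lastip)")

    if check_type == 'lastip':
        if agent_name is None:
            return make_bad_request("Agent name not specified. Allowed characters are [a-zA-Z0-9_\\-()]+")
        # Anchored with \A...\Z: the name is forwarded to a command line on
        # the sensor, so the whole string has to be in the allowed set, not
        # just its first character as an unanchored re.match() would check.
        if re.match(r"\A[a-zA-Z0-9_\-()]+\Z", agent_name) is None:
            return make_bad_request("Invalid agent name. Allowed characters are [a-zA-Z0-9_\\-()]+")
    elif not is_valid_ipv4(agent_ip):
        return make_bad_request("Invalid agent_ip value. It should be a valid IP v4 dotted address")

    (result, data) = ossec_get_check(sensor_id=sensor_id, agent_ip=agent_ip,
                                     agent_name=agent_name, check_type=check_type)
    if result:
        return make_ok(check=data)
    return make_error(data, 500)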
def make_tunnel_with_vpn(system_ip, password):
    """Build the VPN tunnel with the node at *system_ip*.

    Resolves the local server id and local IP, runs
    ansible_make_tunnel_with_vpn, stores the new node's VPN IP
    (``client_end_point1`` of the returned data) in the system table when
    the system is already known, flushes the ``support_tunnel`` cache and
    restarts the local ossim-framework (a restart failure is only printed).

    Returns:
        ``(True, "VPN node successfully connected.")`` or
        ``(False/failed-flag, error message)``.
    """
    if not is_valid_ipv4(system_ip):
        return False, "Invalid system ip: %s" % str(system_ip)

    success, server_id = get_server_id_from_local()
    if not success:
        return success, "Error while retrieving server_id from local: %s" % str(server_id)

    success, local_ip = get_system_ip_from_local()
    if not success:
        return success, "Cannot retrieve the local ip <%s>" % str(local_ip)

    success, tunnel_info = ansible_make_tunnel_with_vpn(system_ip=system_ip,
                                                        local_server_id=get_hex_string_from_uuid(server_id),
                                                        password=password)
    if not success:
        return success, tunnel_info

    print("Set VPN IP on the system table")
    node_vpn_ip = tunnel_info['client_end_point1']
    if node_vpn_ip is None:
        return False, "Cannot retrieve the new node VPN IP"
    print("New Node VPN IP %s" % node_vpn_ip)

    # If the system is not on the system table it doesn't matter
    known, system_id = get_system_id_from_system_ip(system_ip)
    if known:
        stored, _ = set_system_vpn_ip(system_id, node_vpn_ip)
        if not stored:
            return False, "Cannot set the new node vpn ip on the system table"

    flush_cache(namespace="support_tunnel")

    # Restart frameworkd
    print("Restarting ossim-framework")
    restarted, detail = ansible_restart_frameworkd(system_ip=local_ip)
    if not restarted:
        print("Restarting %s ossim-framework failed (%s)" % (local_ip, detail))
    return True, "VPN node successfully connected."
def make_tunnel_with_vpn(system_ip, password):
    """Build the VPN tunnel with the node at *system_ip*.

    Resolves the local server id and local IP, runs
    ansible_make_tunnel_with_vpn, stores the new node's VPN IP
    (``client_end_point1`` of the returned data) in the system table when
    the system is already known, flushes the ``support_tunnel`` cache and
    restarts the local ossim-framework (a restart failure is only printed).

    Returns:
        ``(True, "VPN node successfully connected.")`` or
        ``(False/failed-flag, error message)``.
    """
    if not is_valid_ipv4(system_ip):
        return False, "Invalid system ip: %s" % str(system_ip)

    success, server_id = get_server_id_from_local()
    if not success:
        return success, "Error while retrieving server_id from local: %s" % str(server_id)

    success, local_ip = get_system_ip_from_local()
    if not success:
        return success, "Cannot retrieve the local ip <%s>" % str(local_ip)

    local_server_hex = get_hex_string_from_uuid(server_id)
    success, tunnel_info = ansible_make_tunnel_with_vpn(system_ip=system_ip,
                                                        local_server_id=local_server_hex,
                                                        password=password)
    if not success:
        return success, tunnel_info

    print("Set VPN IP on the system table")
    node_vpn_ip = tunnel_info['client_end_point1']
    if node_vpn_ip is None:
        return False, "Cannot retrieve the new node VPN IP"
    print("New Node VPN IP %s" % node_vpn_ip)

    # If the system is not on the system table it doesn't matter
    known, system_id = get_system_id_from_system_ip(system_ip)
    if known:
        stored, _ = set_system_vpn_ip(system_id, node_vpn_ip)
        if not stored:
            return False, "Cannot set the new node vpn ip on the system table"

    flush_cache(namespace="support_tunnel")

    # Restart frameworkd
    print("Restarting ossim-framework")
    restarted, detail = ansible_restart_frameworkd(system_ip=local_ip)
    if not restarted:
        print("Restarting %s ossim-framework failed (%s)" % (local_ip, detail))
    return True, "VPN node successfully connected."
def make_tunnel_with_vpn(system_ip, password):
    """Build the VPN tunnel with the node at *system_ip*.

    Resolves the local server id, runs ansible_make_tunnel_with_vpn, stores
    the new node's VPN IP (``client_end_point1`` of the returned data) in
    the system table when the system is already known, and flushes the
    ``system`` cache.

    Returns:
        ``(True, "VPN node successfully connected.")`` or
        ``(False/failed-flag, error message)``.
    """
    if not is_valid_ipv4(system_ip):
        return False, "Invalid system ip: %s" % str(system_ip)

    success, server_id = get_server_id_from_local()
    if not success:
        return success, "Error while retrieving server_id from local: %s" % str(server_id)

    success, tunnel_info = ansible_make_tunnel_with_vpn(system_ip=system_ip,
                                                        local_server_id=get_hex_string_from_uuid(server_id),
                                                        password=password)
    if not success:
        return success, tunnel_info

    print("Set VPN IP on the system table")
    node_vpn_ip = tunnel_info['client_end_point1']
    if node_vpn_ip is None:
        return False, "Cannot retrieve the new node VPN IP"
    print("New Node VPN IP %s" % node_vpn_ip)

    # If the system is not on the system table it doesn't matter
    known, system_id = get_system_id_from_system_ip(system_ip)
    if known:
        stored, _ = set_system_vpn_ip(system_id, node_vpn_ip)
        if not stored:
            return False, "Cannot set the new node vpn ip on the system table"

    flush_cache(namespace="system")
    return True, "VPN node successfully connected."
def update_system_hids_agents(system_id):
    """Synchronise the HIDS agents stored for a system with what OSSEC reports.

    Resolves the sensor id of *system_id*, lists the agents OSSEC knows
    (``list_available_agents``), then: adds agents missing from the DB,
    refreshes the status of the ones already stored and tries to link each
    unlinked one (``host_id == ''``) to an asset, and deletes stored agents
    OSSEC no longer reports.

    @param system_id: system_id of the sensor to update
    @return: ``(not_linked_assets, refresh_idm)`` - the number of present
        agents that could not be linked to an asset, and whether a new host
        was created (so the caller may refresh IDM data).
    @raise APICannotRetrieveSystem: system info could not be retrieved.
    @raise APICannotRunHIDSCommand: ``list_available_agents`` failed.
    Per-agent APIException failures are logged and skipped, not raised.
    """
    # Getting system information
    success, system_info = get_system_info(system_id)
    # Getting sensor ID
    if success:
        sensor_id = system_info['sensor_id']
    else:
        raise APICannotRetrieveSystem(system_id)

    stored_agents = get_hids_agents_by_sensor(sensor_id)
    success, agents = ossec_get_available_agents(sensor_id=sensor_id,
                                                 op_ossec='list_available_agents',
                                                 agent_id='')
    if not success:
        raise APICannotRunHIDSCommand(sensor_id, 'list_available_agents')

    # Partition by agent id: reported but not stored / both / stored but not reported
    added_agents = [agent_id for agent_id in agents.keys() if agent_id not in stored_agents]
    present_agents = [agent_id for agent_id in agents.keys() if agent_id in stored_agents]
    deleted_agents = [agent for agent in stored_agents if agent not in agents.keys()]

    # Add new agents to database
    for agent_id in added_agents:
        try:
            agent = agents[agent_id]
            add_hids_agent(agent_id=agent_id,
                           sensor_id=sensor_id,
                           agent_name=agent['name'],
                           agent_ip=agent['ip'],
                           agent_status=agent['status'])
        except APIException as e:
            logger.error("Error adding hids agent: {0}".format(e))

    not_linked_assets = 0
    refresh_idm = False
    # Update agent status and check asset_id in database
    for agent_id in present_agents:
        try:
            # Update HIDS agent status
            update_hids_agent_status(agent_id=agent_id,
                                     sensor_id=sensor_id,
                                     agent_status=agents[agent_id]['status'])
            agent_data = get_hids_agent_by_sensor(sensor_id, agent_id)
            # Check HIDS agent asset id
            if agent_data['host_id'] == '':
                # Try to update HIDS agent asset id
                linked_assets = get_linked_assets()
                agent_ip_cidr = agent_data['ip_cidr']
                asset_id = None
                # Getting current IP
                if agent_ip_cidr == '127.0.0.1':
                    # Special case: Local agent - use the HA virtual IP when set, else the admin IP
                    agent_ip_cidr = system_info['ha_ip'] if system_info['ha_ip'] else system_info['admin_ip']
                elif agent_ip_cidr.lower() == 'any' or agent_ip_cidr.lower() == '0.0.0.0' or (is_valid_ipv4_cidr(agent_ip_cidr) and agent_ip_cidr.find('/') != -1):
                    # DHCP environments (Get the latest IP)
                    # NOTE(review): positional call - the ansible-level ossec_get_check in this
                    # listing takes (system_ip, check_type, agent_ip, agent_name); confirm the
                    # apimethod-level signature matches (sensor_id, agent_name, check_type).
                    # On failure agent_ip_cidr holds the error message, which the
                    # is_valid_ipv4 check below rejects.
                    success, agent_ip_cidr = ossec_get_check(sensor_id, agent_data['name'], "lastip")
                # Search asset_id
                if is_valid_ipv4(agent_ip_cidr):
                    success, sensor_ctx = get_sensor_ctx_by_sensor_id(sensor_id)
                    if success:
                        success, asset_id = get_host_id_by_ip_ctx(agent_ip_cidr, sensor_ctx, output='str')
                        if not is_valid_uuid(asset_id):
                            # No host for this IP in the sensor context: create one
                            success, new_asset_id = create_host([agent_ip_cidr], sensor_id)
                            if is_valid_uuid(new_asset_id):
                                asset_id = new_asset_id
                                refresh_idm = True
                # Linking asset to agent (only if no other agent is linked to this asset)
                if is_valid_uuid(asset_id) and asset_id not in linked_assets:
                    update_asset_id(sensor_id=sensor_id, agent_id=agent_id, asset_id=asset_id)
                    linked_assets[asset_id] = {'ha_id': agent_id, 'sensor_id': sensor_id}
                else:
                    not_linked_assets += 1
        except APIException as e:
            logger.error('[update_system_hids_agents]: {0}'.format(e))

    # Remove deleted agents from database
    for agent_id in deleted_agents:
        try:
            delete_hids_agent(agent_id, sensor_id)
        except APIException as e:
            logger.error('[update_system_hids_agents]: {0}'.format(e))

    return not_linked_assets, refresh_idm
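def get_host_fqdn(system_id):
    """Resolve the FQDN of the form field ``host_ip`` as seen from *system_id*.

    Returns ``make_ok(fqdn=...)``; an invalid or missing ``host_ip`` is a
    client error and is answered with status 400 (it was 500 before, which
    reported a malformed request as a server failure).
    """
    host_ip = request.form.get('host_ip')
    if not is_valid_ipv4(host_ip):
        return make_error("Invalid host IP address", 400)
    return make_ok(fqdn=get_fqdn_api(system_id, host_ip))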
def start(self):
    """Refresh cached remote information for every known system.

    For each (system_id, system_ip) returned by get_systems the monitor
    re-reads (``no_cache=True``) the system info, network status,
    alienvault status, tunnel status, general and alienvault config,
    interfaces and setup data, and persists what it derives from them:
    VPN IP, HA role/IP/name and hostname. Sensor properties and the plugin
    cache are refreshed only when the system has a sensor id.

    Returns:
        False when the system list cannot be retrieved or an unexpected
        exception escapes the loop; True otherwise. Failures of individual
        remote calls are logged and the system is skipped (``continue``),
        failures of the DB updates are only logged.
    """
    try:
        self.remove_monitor_data()
        rc, system_list = get_systems(directly_connected=False)
        if not rc:
            logger.error("Can't retrieve systems..%s" % str(system_list))
            return False
        for (system_id, system_ip) in system_list:
            # A missing sensor id is not fatal: the sensor-only steps are skipped below
            success, sensor_id = get_sensor_id_from_system_id(system_id)
            if not success:
                logger.warning("[MonitorRetrievesRemoteInfo] "
                               "get_sensor_id_from_system_id failed for system %s (%s)" % (system_ip, system_id))
                sensor_id = None
            ha_name = None
            success, result = system_all_info(system_id, no_cache=True)
            if not success:
                logger.warning("[MonitorRetrievesRemoteInfo] "
                               "system_all_info failed for system %s (%s)" % (system_ip, system_id))
                continue
            if 'ha_status' in result:
                ha_name = 'active' if result['ha_status'] == 'up' else 'passive'
            success, result = network_status(system_id, no_cache=True)
            if not success:
                logger.warning("[MonitorRetrievesRemoteInfo] "
                               "network_status failed for system %s (%s)" % (system_ip, system_id))
                continue
            success, result = alienvault_status(system_id, no_cache=True)
            if not success:
                logger.warning("[MonitorRetrievesRemoteInfo] "
                               "alienvault_status failed for system %s (%s)" % (system_ip, system_id))
                continue
            success, result = status_tunnel(system_id, no_cache=True)
            if not success:
                # NOTE(review): log tag reads "MonitorRetrievesRemoreInfo" (typo), so this
                # warning does not match a search on the monitor's name
                logger.warning("[MonitorRetrievesRemoreInfo] "
                               "status_tunnel failed for system %s (%s)" % (system_ip, system_id))
                continue
            success, result = get_system_config_general(system_id, no_cache=True)
            if not success:
                logger.warning("[MonitorRetrievesRemoteInfo] "
                               "get_system_config_general failed for system %s (%s)" % (system_ip, system_id))
                continue
            # hostname is left set only when it differs from the stored one,
            # so the DB update at the end runs only on change
            hostname = result.get('general_hostname', None)
            if hostname is not None:
                success, hostname_old = db_get_hostname(system_id)
                if not success:
                    logger.warning("[MonitorRetrievesRemoteInfo] "
                                   "db_get_hostname failed for system %s (%s)" % (system_ip, system_id))
                    continue
                if hostname == hostname_old:
                    hostname = None
            # Getting config params from the system,
            # we do use this result var so do not change the order of the calls!
            success, config_alienvault = get_system_config_alienvault(system_id, no_cache=True)
            if not success:
                logger.warning("[MonitorRetrievesRemoteInfo] "
                               "get_system_config_alienvault failed for system %s (%s)" % (system_ip, system_id))
                continue
            # HA values are taken from the config only when well-formed
            # (valid IPv4 / one of master|slave); otherwise treated as unset
            ha_ip = None
            ha_role = None
            if 'ha_ha_virtual_ip' in config_alienvault:
                ha_ip = config_alienvault['ha_ha_virtual_ip']
                if not is_valid_ipv4(ha_ip):
                    ha_ip = None
            if 'ha_ha_role' in config_alienvault:
                ha_role = config_alienvault['ha_ha_role']
                if ha_role not in ['master', 'slave']:
                    ha_role = None
            # Update interfaces cache
            success, result = get_interfaces(system_id, no_cache=True)
            if not success:
                continue
            # Update system setup data cache
            success, result = system_get(system_id, no_cache=True)
            if not success:
                continue
            # VPN IP from the tun0 facts; any missing key leaves it unset
            vpn_ip = None
            if "ansible_tun0" in result:
                try:
                    vpn_ip = result['ansible_tun0']['ipv4']['address']
                except Exception:
                    vpn_ip = None
            # Sensor exclusive
            if sensor_id is not None and sensor_id != '':
                self.__update_sensor_properties(sensor_id=sensor_id, config_alienvault=config_alienvault)
                # Refresh sensor plugins cache
                try:
                    get_sensor_plugins(sensor_id, no_cache=True)
                except APIException:
                    logger.warning("[MonitorRetrievesRemoteInfo] "
                                   "error getting plugins from sensor '{0}' {1}".format(sensor_id, system_ip))
            if vpn_ip is not None:
                success, message = set_system_vpn_ip(system_id, vpn_ip)
                if not success:
                    logger.warning("[MonitorRetrievesRemoteInfo] set_system_vpn_ip failed: %s" % message)
            # No (valid) role in the config clears the stored one with the literal 'NULL'
            if ha_role is not None:
                success, message = set_system_ha_role(system_id, ha_role)
                if not success:
                    logger.warning("[MonitorRetrievesRemoteInfo] set_system_ha_role failed: %s" % message)
            else:
                success, message = set_system_ha_role(system_id, 'NULL')
                if not success:
                    logger.warning("[MonitorRetrievesRemoteInfo] set_system_ha_role failed: %s" % message)
            # With an HA IP: store it, fix references and store the HA name;
            # without one: clear the stored HA IP
            if ha_ip is not None:
                success, message = set_system_ha_ip(system_id, ha_ip)
                if not success:
                    logger.warning("[MonitorRetrievesRemoteInfo] set_system_ha_ip: %s" % message)
                success, message = fix_system_references()
                if not success:
                    logger.warning("[MonitorRetrievesRemoteInfo] fix_system_references: %s" % message)
                if ha_name is not None:
                    success, message = set_system_ha_name(system_id, ha_name)
                    if not success:
                        logger.warning("[MonitorRetrievesRemoteInfo] set_system_ha_name failed: %s" % message)
            else:
                success, message = set_system_ha_ip(system_id, '')
                if not success:
                    logger.warning("[MonitorRetrievesRemoteInfo] set_system_ha_ip failed: %s" % message)
            if hostname is not None:
                success, message = db_system_update_hostname(system_id, hostname)
                if not success:
                    logger.warning("[MonitorRetrievesRemoteInfo] db_system_update_hostname failed: %s" % message)
            # Backups
            success, message = get_backup_list(system_id=system_id, backup_type="configuration", no_cache=True)
            if not success:
                logger.warning("[MonitorRetrievesRemoteInfo] get_backup_list failed: %s" % message)
    except Exception as err:
        api_log.error("Something wrong happened while running the MonitorRetrievesRemoteInfo monitor %s" % str(err))
        return False
    return True
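def start(self):
    """Refresh cached remote information for every known system.

    For each (system_id, system_ip) returned by get_systems the monitor
    re-reads (``no_cache=True``) the sensor plugins, system info, network
    status, alienvault status, general and alienvault config, interfaces
    and setup data, then stores the derived sensor properties (active and
    passive inventory, netflow) and the system's VPN IP, HA role and HA IP.

    Returns:
        False when the system list cannot be retrieved or an unexpected
        exception escapes the loop; True otherwise. Any failed call for a
        system skips the rest of that system (``continue``) without logging.
    """
    try:
        self.remove_monitor_data()
        rc, system_list = get_systems()
        if not rc:
            logger.error("Can't retrieve systems..%s" % str(system_list))
            return False
        for (system_id, system_ip) in system_list:
            success, sensor_id = get_sensor_id_from_system_id(system_id)
            if not success:
                continue
            success, result = get_plugins_from_yaml(sensor_id, no_cache=True)
            if not success:
                continue
            success, result = system_all_info(system_id, no_cache=True)
            if not success:
                continue
            success, result = network_status(system_id, no_cache=True)
            if not success:
                continue
            success, result = alienvault_status(system_id, no_cache=True)
            if not success:
                continue
            success, result = get_system_config_general(system_id, no_cache=True)
            if not success:
                continue
            # Getting config params from the system, we do use this result var so do not change the order of the calls!
            success, result = get_system_config_alienvault(system_id, no_cache=True)
            if not success:
                continue
            prads_enabled = False
            suricata_snort_enabled = False
            netflow_enabled = False
            ha_ip = None
            ha_role = None
            # Detector/netflow flags come straight from the alienvault config keys
            if 'sensor_detectors' in result:
                prads_enabled = 'prads' in result['sensor_detectors']
                suricata_snort_enabled = ('snort' in result['sensor_detectors']
                                          or 'suricata' in result['sensor_detectors'])
            if 'sensor_netflow' in result:
                netflow_enabled = result['sensor_netflow'] == 'yes'
            # HA values are kept only when well-formed (valid IPv4 / master|slave)
            if 'ha_ha_virtual_ip' in result:
                ha_ip = result['ha_ha_virtual_ip']
                if not is_valid_ipv4(ha_ip):
                    ha_ip = None
            if 'ha_ha_role' in result:
                ha_role = result['ha_ha_role']
                if ha_role not in ['master', 'slave']:
                    ha_role = None
            success, result = get_interfaces(system_id, no_cache=True)
            if not success:
                continue
            success, result = system_get(system_id, no_cache=True)
            if not success:
                continue
            # VPN IP from the tun0 facts; a missing key leaves it unset.
            # "except Exception" instead of a bare except so that
            # KeyboardInterrupt/SystemExit are not swallowed here.
            vpn_ip = None
            if "ansible_tun0" in result:
                try:
                    vpn_ip = result['ansible_tun0']['ipv4']['address']
                except Exception:
                    vpn_ip = None
            # TO DB; vpn_ip, netflow, active inventory, passive inventory
            # ha_ip
            success, message = set_sensor_properties_active_inventory(sensor_id, suricata_snort_enabled)
            if not success:
                continue
            success, message = set_sensor_properties_passive_inventory(sensor_id, prads_enabled)
            if not success:
                continue
            success, message = set_sensor_properties_netflow(sensor_id, netflow_enabled)
            if not success:
                continue
            if vpn_ip is not None:
                success, message = set_system_vpn_ip(system_id, vpn_ip)
                if not success:
                    continue
            if ha_role is not None:
                success, message = set_system_ha_role(system_id, ha_role)
                if not success:
                    continue
            if ha_ip is not None:
                success, message = set_system_ha_ip(system_id, ha_ip)
                if not success:
                    continue
    except Exception as err:
        api_log.error("Something wrong happened while running the MonitorRetrievesRemoteInfo monitor %s" % str(err))
        return False
    return True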
def start(self):
    """Refresh cached remote information for every known system.

    For each (system_id, system_ip) returned by get_systems the monitor
    re-reads (``no_cache=True``) the system info, network status,
    alienvault status, tunnel status, general and alienvault config,
    interfaces and setup data, and persists what it derives from them:
    VPN IP, HA role/IP/name and hostname. Sensor properties and the plugin
    cache are refreshed only when the system has a sensor id.

    Returns:
        False when the system list cannot be retrieved or an unexpected
        exception escapes the loop; True otherwise. Failures of individual
        remote calls are logged and the system is skipped (``continue``),
        failures of the DB updates are only logged.
    """
    try:
        self.remove_monitor_data()
        rc, system_list = get_systems(directly_connected=False)
        if not rc:
            logger.error("Can't retrieve systems..%s" % str(system_list))
            return False
        for (system_id, system_ip) in system_list:
            # A missing sensor id is not fatal: the sensor-only steps are skipped below
            success, sensor_id = get_sensor_id_from_system_id(system_id)
            if not success:
                logger.warning("[MonitorRetrievesRemoteInfo] "
                               "get_sensor_id_from_system_id failed for system %s (%s)" % (system_ip, system_id))
                sensor_id = None
            ha_name = None
            success, result = system_all_info(system_id, no_cache=True)
            if not success:
                logger.warning("[MonitorRetrievesRemoteInfo] "
                               "system_all_info failed for system %s (%s)" % (system_ip, system_id))
                continue
            if 'ha_status' in result:
                ha_name = 'active' if result['ha_status'] == 'up' else 'passive'
            success, result = network_status(system_id, no_cache=True)
            if not success:
                logger.warning("[MonitorRetrievesRemoteInfo] "
                               "network_status failed for system %s (%s)" % (system_ip, system_id))
                continue
            success, result = alienvault_status(system_id, no_cache=True)
            if not success:
                logger.warning("[MonitorRetrievesRemoteInfo] "
                               "alienvault_status failed for system %s (%s)" % (system_ip, system_id))
                continue
            success, result = status_tunnel(system_id, no_cache=True)
            if not success:
                # NOTE(review): log tag reads "MonitorRetrievesRemoreInfo" (typo), so this
                # warning does not match a search on the monitor's name
                logger.warning("[MonitorRetrievesRemoreInfo] "
                               "status_tunnel failed for system %s (%s)" % (system_ip, system_id))
                continue
            success, result = get_system_config_general(system_id, no_cache=True)
            if not success:
                logger.warning("[MonitorRetrievesRemoteInfo] "
                               "get_system_config_general failed for system %s (%s)" % (system_ip, system_id))
                continue
            # hostname is left set only when it differs from the stored one,
            # so the DB update at the end runs only on change
            hostname = result.get('general_hostname', None)
            if hostname is not None:
                success, hostname_old = db_get_hostname(system_id)
                if not success:
                    logger.warning("[MonitorRetrievesRemoteInfo] "
                                   "db_get_hostname failed for system %s (%s)" % (system_ip, system_id))
                    continue
                if hostname == hostname_old:
                    hostname = None
            # Getting config params from the system,
            # we do use this result var so do not change the order of the calls!
            success, config_alienvault = get_system_config_alienvault(system_id, no_cache=True)
            if not success:
                logger.warning("[MonitorRetrievesRemoteInfo] "
                               "get_system_config_alienvault failed for system %s (%s)" % (system_ip, system_id))
                continue
            # HA values are taken from the config only when well-formed
            # (valid IPv4 / one of master|slave); otherwise treated as unset
            ha_ip = None
            ha_role = None
            if 'ha_ha_virtual_ip' in config_alienvault:
                ha_ip = config_alienvault['ha_ha_virtual_ip']
                if not is_valid_ipv4(ha_ip):
                    ha_ip = None
            if 'ha_ha_role' in config_alienvault:
                ha_role = config_alienvault['ha_ha_role']
                if ha_role not in ['master', 'slave']:
                    ha_role = None
            # Update interfaces cache
            success, result = get_interfaces(system_id, no_cache=True)
            if not success:
                continue
            # Update system setup data cache
            success, result = system_get(system_id, no_cache=True)
            if not success:
                continue
            # VPN IP from the tun0 facts; any missing key leaves it unset
            vpn_ip = None
            if "ansible_tun0" in result:
                try:
                    vpn_ip = result['ansible_tun0']['ipv4']['address']
                except Exception:
                    vpn_ip = None
            # Sensor exclusive
            if sensor_id is not None and sensor_id != '':
                self.__update_sensor_properties(sensor_id=sensor_id, config_alienvault=config_alienvault)
                # Refresh sensor plugins cache
                try:
                    get_sensor_plugins(sensor_id, no_cache=True)
                except APIException:
                    logger.warning("[MonitorRetrievesRemoteInfo] "
                                   "error getting plugins from sensor '{0}' {1}".format(sensor_id, system_ip))
            if vpn_ip is not None:
                success, message = set_system_vpn_ip(system_id, vpn_ip)
                if not success:
                    logger.warning("[MonitorRetrievesRemoteInfo] set_system_vpn_ip failed: %s" % message)
            # No (valid) role in the config clears the stored one with the literal 'NULL'
            if ha_role is not None:
                success, message = set_system_ha_role(system_id, ha_role)
                if not success:
                    logger.warning("[MonitorRetrievesRemoteInfo] set_system_ha_role failed: %s" % message)
            else:
                success, message = set_system_ha_role(system_id, 'NULL')
                if not success:
                    logger.warning("[MonitorRetrievesRemoteInfo] set_system_ha_role failed: %s" % message)
            # With an HA IP: store it, fix references and store the HA name;
            # without one: clear the stored HA IP
            if ha_ip is not None:
                success, message = set_system_ha_ip(system_id, ha_ip)
                if not success:
                    logger.warning("[MonitorRetrievesRemoteInfo] set_system_ha_ip: %s" % message)
                success, message = fix_system_references()
                if not success:
                    logger.warning("[MonitorRetrievesRemoteInfo] fix_system_references: %s" % message)
                if ha_name is not None:
                    success, message = set_system_ha_name(system_id, ha_name)
                    if not success:
                        logger.warning("[MonitorRetrievesRemoteInfo] set_system_ha_name failed: %s" % message)
            else:
                success, message = set_system_ha_ip(system_id, '')
                if not success:
                    logger.warning("[MonitorRetrievesRemoteInfo] set_system_ha_ip failed: %s" % message)
            if hostname is not None:
                success, message = db_system_update_hostname(system_id, hostname)
                if not success:
                    logger.warning("[MonitorRetrievesRemoteInfo] db_system_update_hostname failed: %s" % message)
            # Backups
            success, message = get_backup_list(system_id=system_id, backup_type="configuration", no_cache=True)
            if not success:
                logger.warning("[MonitorRetrievesRemoteInfo] get_backup_list failed: %s" % message)
    except Exception as err:
        api_log.error("Something wrong happened while running the MonitorRetrievesRemoteInfo monitor %s" % str(err))
        return False
    return True
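def _ansible_last_error(ansible_result, sensor_ip):
    """Extract a human-readable reason from a failed ansible_ossec_win_deploy() result.

    Returns "System is unreachable" when the sensor could not be contacted;
    otherwise the first non-empty of the ``msg`` / ``stderr`` / ``stdout`` fields
    recorded under ``['alienvault']['lasterror'][sensor_ip]``, or "" when none
    of them is populated.
    """
    if ansible_result[sensor_ip]['unreachable'] == 1:
        return "System is unreachable"
    # NOTE(review): the 'alienvault'/'lasterror' layout is taken from the original
    # code; a missing key raises KeyError, which the caller reports as a generic
    # deployment failure.
    last_error = ansible_result['alienvault']['lasterror'][sensor_ip]
    for field in ('msg', 'stderr', 'stdout'):
        if field in last_error and last_error[field] != "":
            return last_error[field]
    return ""


def ossec_win_deploy(sensor_id, asset_id, windows_ip, windows_username,
                     windows_password, windows_domain, agent_id=None):
    """Deploy the HIDS (OSSEC) agent on a Windows system through a sensor.

    Args:
        sensor_id (str): Sensor ID
        asset_id (str): Asset ID
        windows_ip (str): Deployment IP (where the HIDS agent is installed)
        windows_username (str): Windows username
        windows_password (str): Windows password
        windows_domain (str): Windows domain
        agent_id (str): Agent ID; None to reuse the asset's agent or create one

    Returns:
        (bool, str): (True, success message) or (False, failure reason). The
        same status text is persisted in the Message Center.

    Raises:
        Validation errors (APICannotResolveAssetID, APIInvalidDeploymentIP,
        APIInvalidWindowsUsername, APIInvalidWindowsPassword, APIInvalidAgentID,
        APICannotResolveSensorID, APICannotCreateHIDSAgent,
        APICannotGetHIDSAgentByAsset, APICannotDeployHIDSAgent) and any other
        exception raised while deploying are caught and turned into a
        (False, message) result; only the Message Center insert at the end can
        still raise.
    """
    agent_name = None
    sensor_ip = None
    sensor_name = None
    asset_name = None
    try:
        # Validate deployment parameters before touching the sensor
        if not is_valid_uuid(asset_id):
            raise APICannotResolveAssetID(asset_id)
        if not is_valid_ipv4(windows_ip):
            raise APIInvalidDeploymentIP(windows_ip)
        if not is_valid_windows_user(windows_username):
            raise APIInvalidWindowsUsername(windows_username)
        if not is_valid_user_password(windows_password):
            raise APIInvalidWindowsPassword()
        if agent_id and not is_valid_ossec_agent_id(agent_id):
            raise APIInvalidAgentID(agent_id)

        # Resolve the sensor; the canonical sensor id is the dash-less upper-case form
        (success, sensor) = get_sensor_by_sensor_id(sensor_id)
        if not success:
            raise APICannotResolveSensorID(sensor_id)
        sensor_id = get_uuid_string_from_bytes(sensor.id).replace('-', '').upper()
        sensor_ip = get_ip_str_from_bytes(sensor.ip)
        sensor_name = sensor.name

        hids_agents = get_hids_agents_by_asset(asset_id, sensor_id)
        asset_name = get_name_by_host_id(asset_id)

        if not hids_agents:
            # No agent registered for this asset yet: create one named after the asset
            agent_name = asset_name
            (success, data) = apimethod_ossec_add_new_agent(sensor_id, agent_name,
                                                            windows_ip, asset_id)
            if not success:
                raise APICannotCreateHIDSAgent(agent_name, sensor_id)
            agent_id = data
        else:
            # Use the requested agent, or the first one linked to the asset.
            # next(iter(...)) replaces keys().pop(0), which only works on Python 2.
            agent_key = sensor_id + '#' + agent_id if agent_id else next(iter(hids_agents))
            if agent_key not in hids_agents:
                raise APICannotGetHIDSAgentByAsset(asset_id)
            agent_name = hids_agents[agent_key].get('name')
            agent_id = hids_agents[agent_key].get('id')

        # Deploy HIDS Agent
        ansible_result = ansible_ossec_win_deploy(sensor_ip, agent_name, windows_ip,
                                                 windows_username, windows_domain,
                                                 windows_password)
        sensor_result = ansible_result[sensor_ip]
        if sensor_result['unreachable'] != 0 or sensor_result['failures'] != 0:
            raise APICannotDeployHIDSAgent(
                'HIDS Agent cannot be deployed. Reason: {0}'.format(
                    _ansible_last_error(ansible_result, sensor_ip)))

        # Deployment succeeded: give the agent a moment to register, then refresh its status
        time.sleep(2)
        (success, data) = apimethod_ossec_get_agent_detail(sensor_id, agent_id)
        if success:
            # assumes the first detail row is a CSV whose 4th field is the status — TODO confirm
            agent_status = data[0].split(',')[3]
            update_hids_agent_status(agent_id, sensor_id, agent_status)
        res = True
        message = 'HIDS agent successfully deployed'
    except APICannotDeployHIDSAgent as err:
        message = str(err)
        res = False
    except Exception as err:
        message = str(err)
        logger.error(message)
        res = False

    # Record the outcome in the Message Center (one message id for success, one for failure)
    mc_id = ("00000000-0000-0000-0000-000000010033" if res
             else "00000000-0000-0000-0000-000000010031")
    # NOTE(review): 'deploy_status' carries raw error text from the sensor; confirm that
    # ansible stderr/stdout cannot echo the Windows credentials before it is persisted here.
    additional_info = json.dumps({
        "asset_id": asset_id,
        "sensor_id": sensor_id,
        "agent_id": agent_id,
        "asset_name": asset_name,
        "asset_ip": windows_ip,
        "sensor_ip": sensor_ip,
        "sensor_name": sensor_name,
        "agent_name": agent_name,
        "deploy_status": message,
    })
    insert_current_status_message(mc_id, asset_id, "host", additional_info)
    return res, message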
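def _ansible_last_error(ansible_result, sensor_ip):
    """Extract a human-readable reason from a failed ansible_ossec_win_deploy() result.

    Returns "System is unreachable" when the sensor could not be contacted;
    otherwise the first non-empty of the ``msg`` / ``stderr`` / ``stdout`` fields
    recorded under ``['alienvault']['lasterror'][sensor_ip]``, or "" when none
    of them is populated.
    """
    if ansible_result[sensor_ip]['unreachable'] == 1:
        return "System is unreachable"
    # NOTE(review): the 'alienvault'/'lasterror' layout is taken from the original
    # code; a missing key raises KeyError, which the caller reports as a generic
    # deployment failure.
    last_error = ansible_result['alienvault']['lasterror'][sensor_ip]
    for field in ('msg', 'stderr', 'stdout'):
        if field in last_error and last_error[field] != "":
            return last_error[field]
    return ""


def ossec_win_deploy(sensor_id, asset_id, windows_ip, windows_username,
                     windows_password, windows_domain, agent_id=None):
    """Deploy the HIDS (OSSEC) agent on a Windows system through a sensor.

    Args:
        sensor_id (str): Sensor ID
        asset_id (str): Asset ID
        windows_ip (str): Deployment IP (where the HIDS agent is installed)
        windows_username (str): Windows username
        windows_password (str): Windows password
        windows_domain (str): Windows domain
        agent_id (str): Agent ID; None to reuse the asset's agent or create one

    Returns:
        (bool, str): (True, success message) or (False, failure reason). The
        same status text is persisted in the Message Center.

    Raises:
        Validation errors (APICannotResolveAssetID, APIInvalidDeploymentIP,
        APIInvalidWindowsUsername, APIInvalidWindowsPassword, APIInvalidAgentID,
        APICannotResolveSensorID, APICannotCreateHIDSAgent,
        APICannotGetHIDSAgentByAsset, APICannotDeployHIDSAgent) and any other
        exception raised while deploying are caught and turned into a
        (False, message) result; only the Message Center insert at the end can
        still raise.
    """
    agent_name = None
    sensor_ip = None
    sensor_name = None
    asset_name = None
    try:
        # Validate deployment parameters before touching the sensor
        if not is_valid_uuid(asset_id):
            raise APICannotResolveAssetID(asset_id)
        if not is_valid_ipv4(windows_ip):
            raise APIInvalidDeploymentIP(windows_ip)
        if not is_valid_windows_user(windows_username):
            raise APIInvalidWindowsUsername(windows_username)
        if not is_valid_user_password(windows_password):
            raise APIInvalidWindowsPassword()
        if agent_id and not is_valid_ossec_agent_id(agent_id):
            raise APIInvalidAgentID(agent_id)

        # Resolve the sensor; the canonical sensor id is the dash-less upper-case form
        (success, sensor) = get_sensor_by_sensor_id(sensor_id)
        if not success:
            raise APICannotResolveSensorID(sensor_id)
        sensor_id = get_uuid_string_from_bytes(sensor.id).replace('-', '').upper()
        sensor_ip = get_ip_str_from_bytes(sensor.ip)
        sensor_name = sensor.name

        hids_agents = get_hids_agents_by_asset(asset_id, sensor_id)
        asset_name = get_name_by_host_id(asset_id)

        if not hids_agents:
            # No agent registered for this asset yet: create one named after the asset
            agent_name = asset_name
            (success, data) = apimethod_ossec_add_new_agent(sensor_id, agent_name,
                                                            windows_ip, asset_id)
            if not success:
                raise APICannotCreateHIDSAgent(agent_name, sensor_id)
            agent_id = data
        else:
            # Use the requested agent, or the first one linked to the asset.
            # next(iter(...)) replaces keys().pop(0), which only works on Python 2.
            agent_key = sensor_id + '#' + agent_id if agent_id else next(iter(hids_agents))
            if agent_key not in hids_agents:
                raise APICannotGetHIDSAgentByAsset(asset_id)
            agent_name = hids_agents[agent_key].get('name')
            agent_id = hids_agents[agent_key].get('id')

        # Deploy HIDS Agent
        ansible_result = ansible_ossec_win_deploy(sensor_ip, agent_name, windows_ip,
                                                 windows_username, windows_domain,
                                                 windows_password)
        sensor_result = ansible_result[sensor_ip]
        if sensor_result['unreachable'] != 0 or sensor_result['failures'] != 0:
            raise APICannotDeployHIDSAgent(
                'HIDS Agent cannot be deployed. Reason: {0}'.format(
                    _ansible_last_error(ansible_result, sensor_ip)))

        # Deployment succeeded: give the agent a moment to register, then refresh its status
        time.sleep(2)
        (success, data) = apimethod_ossec_get_agent_detail(sensor_id, agent_id)
        if success:
            # assumes the first detail row is a CSV whose 4th field is the status — TODO confirm
            agent_status = data[0].split(',')[3]
            update_hids_agent_status(agent_id, sensor_id, agent_status)
        res = True
        message = 'HIDS agent successfully deployed'
    except APICannotDeployHIDSAgent as err:
        message = str(err)
        res = False
    except Exception as err:
        message = str(err)
        logger.error(message)
        res = False

    # Record the outcome in the Message Center (one message id for success, one for failure)
    mc_id = ("00000000-0000-0000-0000-000000010033" if res
             else "00000000-0000-0000-0000-000000010031")
    # NOTE(review): 'deploy_status' carries raw error text from the sensor; confirm that
    # ansible stderr/stdout cannot echo the Windows credentials before it is persisted here.
    additional_info = json.dumps({
        "asset_id": asset_id,
        "sensor_id": sensor_id,
        "agent_id": agent_id,
        "asset_name": asset_name,
        "asset_ip": windows_ip,
        "sensor_ip": sensor_ip,
        "sensor_name": sensor_name,
        "agent_name": agent_name,
        "deploy_status": message,
    })
    insert_current_status_message(mc_id, asset_id, "host", additional_info)
    return res, message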
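def _current_agent_ip(sensor_id, system_info, agent_data):
    """Return the address to look the agent's asset up by, resolving OSSEC's special cases.

    A local agent (127.0.0.1) maps to the system's own address (HA virtual IP when
    configured, admin IP otherwise); an agent registered as "any", "0.0.0.0" or a
    CIDR range (DHCP environments) is resolved by asking the sensor for the last IP
    it reported from. Anything else is returned unchanged.
    """
    agent_ip_cidr = agent_data['ip_cidr']
    if agent_ip_cidr == '127.0.0.1':
        return system_info['ha_ip'] if system_info['ha_ip'] else system_info['admin_ip']
    lowered = agent_ip_cidr.lower()
    if lowered in ('any', '0.0.0.0') or (is_valid_ipv4_cidr(agent_ip_cidr) and '/' in agent_ip_cidr):
        # NOTE(review): this argument order (sensor id, agent name, check type) is the
        # original call but does not match the ossec_get_check(system_ip, check_type,
        # agent_name) signature visible in this listing — confirm which ossec_get_check
        # this module imports. On failure the second element is an error message, which
        # the caller's is_valid_ipv4() check then rejects.
        success, agent_ip_cidr = ossec_get_check(sensor_id, agent_data['name'], "lastip")
    return agent_ip_cidr


def update_system_hids_agents(system_id):
    """Synchronise the HIDS agents stored for a system with the sensor's agent list.

    Agents reported by the sensor but unknown to the database are added, known
    ones get their status refreshed (and an asset linked when they have none),
    and stored agents the sensor no longer reports are deleted.

    Args:
        system_id (str): id of the system whose sensor is queried.

    Returns:
        (int, bool): number of present agents left without a linked asset, and
        whether a new host was created (so the caller should refresh the IDM).

    Raises:
        APICannotRetrieveSystem: the system info could not be fetched.
        APICannotRunHIDSCommand: the sensor did not return its agent list.
    """
    success, system_info = get_system_info(system_id)
    if not success:
        raise APICannotRetrieveSystem(system_id)
    sensor_id = system_info['sensor_id']

    stored_agents = get_hids_agents_by_sensor(sensor_id)
    success, agents = ossec_get_available_agents(sensor_id=sensor_id,
                                                 op_ossec='list_available_agents',
                                                 agent_id='')
    if not success:
        raise APICannotRunHIDSCommand(sensor_id, 'list_available_agents')

    # Partition by membership; iterating the dict directly avoids the O(n) list
    # membership test that `in agents.keys()` costs on Python 2.
    added_agents = [agent_id for agent_id in agents if agent_id not in stored_agents]
    present_agents = [agent_id for agent_id in agents if agent_id in stored_agents]
    deleted_agents = [agent_id for agent_id in stored_agents if agent_id not in agents]

    # Add new agents to the database
    for agent_id in added_agents:
        try:
            agent = agents[agent_id]
            add_hids_agent(agent_id=agent_id, sensor_id=sensor_id,
                           agent_name=agent['name'], agent_ip=agent['ip'],
                           agent_status=agent['status'])
        except APIException as e:
            logger.error("Error adding hids agent: {0}".format(e))

    not_linked_assets = 0
    refresh_idm = False
    # Refresh the status of known agents and link each unlinked one to an asset
    for agent_id in present_agents:
        try:
            update_hids_agent_status(agent_id=agent_id, sensor_id=sensor_id,
                                     agent_status=agents[agent_id]['status'])
            agent_data = get_hids_agent_by_sensor(sensor_id, agent_id)
            if agent_data['host_id'] != '':
                continue  # already linked to an asset

            linked_assets = get_linked_assets()
            agent_ip = _current_agent_ip(sensor_id, system_info, agent_data)
            asset_id = None
            if is_valid_ipv4(agent_ip):
                success, sensor_ctx = get_sensor_ctx_by_sensor_id(sensor_id)
                if success:
                    success, asset_id = get_host_id_by_ip_ctx(agent_ip, sensor_ctx, output='str')
                    if not is_valid_uuid(asset_id):
                        # No host owns that IP in this context: create one to link to
                        success, new_asset_id = create_host([agent_ip], sensor_id)
                        if is_valid_uuid(new_asset_id):
                            asset_id = new_asset_id
                            refresh_idm = True

            if is_valid_uuid(asset_id) and asset_id not in linked_assets:
                update_asset_id(sensor_id=sensor_id, agent_id=agent_id, asset_id=asset_id)
                linked_assets[asset_id] = {'ha_id': agent_id, 'sensor_id': sensor_id}
            else:
                not_linked_assets += 1
        except APIException as e:
            logger.error('[update_system_hids_agents]: {0}'.format(e))

    # Remove agents the sensor no longer reports
    for agent_id in deleted_agents:
        try:
            delete_hids_agent(agent_id, sensor_id)
        except APIException as e:
            logger.error('[update_system_hids_agents]: {0}'.format(e))

    return not_linked_assets, refresh_idm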
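# Anchored at both ends: re.match only anchors the start, so the original pattern
# accepted any name that merely *began* with an allowed character.
_AGENT_NAME_RE = re.compile(r"[a-zA-Z0-9_\-()]+\Z")


def _run_ossec_check(system_ip, check_type, agent_name):
    """Run ossec_check.sh on *system_ip* and return (True, stdout) or (False, reason).

    The agent name is interpolated into a single-quoted shell argument and the
    command runs through the ansible ``shell`` module with sudo, so callers must
    validate it against _AGENT_NAME_RE first.
    """
    command = "/usr/share/ossim/scripts/ossec_check.sh %s '%s'" % (check_type, agent_name)
    response = _ansible.run_module(host_list=[system_ip], module="shell",
                                   args=command, use_sudo=True)
    result, msg = ansible_is_valid_response(system_ip, response)
    if not result:
        return False, msg
    contacted = response['contacted'][system_ip]
    if int(contacted['rc']) != 0:
        return False, ("[ossec_get_check] Something wrong happened while running "
                       "ansible command ->'%s'" % str(response))
    return True, contacted['stdout']


def _parse_lastscan(stdout):
    """Turn the script's two "Last ... scan started at: <epoch>" lines into a dict.

    Returns {'syscheck': <10-digit epoch or ''>, 'rootcheck': <10-digit epoch or ''>};
    both fields are empty when the output is not exactly two lines (agent not found).
    """
    lines = stdout.split("\n")
    if len(lines) != 2:
        return {'syscheck': '', 'rootcheck': ''}
    result = {}
    for key, line in zip(('syscheck', 'rootcheck'), lines):
        matched = re.match(r"Last %s scan started at: (?P<start>\d{10})" % key, line)
        result[key] = matched.group('start') if matched else ""
    return result


def ossec_get_check(system_ip, check_type, agent_name=""):
    """Query an OSSEC agent's last scan times or last known IP through the sensor.

    Args:
        system_ip (str): IP of the system (sensor) that runs ossec_check.sh.
        check_type (str): "lastscan" or "lastip".
        agent_name (str): OSSEC agent name; only [a-zA-Z0-9_\\-()] is accepted,
            and the whole string must match, since it ends up in a shell command.

    Returns:
        (bool, data): on success ``data`` is, for "lastscan", the
        {'syscheck': ..., 'rootcheck': ...} dict of epoch strings (empty when
        unknown) and, for "lastip", the agent's last IPv4 address or "" when
        the script printed something that is not an address. On failure the
        second element is an error message; exceptions are never propagated.
    """
    if check_type not in ["lastip", "lastscan"]:
        return False, "Invalid check type. Allowed values are [lastip, syscheck, rootcheck]"
    if _AGENT_NAME_RE.match(agent_name) is None:
        return False, r"Invalid agent name. Allowed characters are [^a-zA-Z0-9_\-()]+"
    try:
        success, output = _run_ossec_check(system_ip, check_type, agent_name)
        if not success:
            return False, output
        if check_type == "lastscan":
            data = _parse_lastscan(output)
        else:
            # lastip: the script prints the address, or something else when it is unknown
            data = output if is_valid_ipv4(output) else ""
    except Exception as err:
        return False, ("[ossec_get_check] Something wrong happened while running "
                       "ansible command -> '%s'" % str(err))
    return True, data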
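def start(self):
    """Refresh every system's cached remote data and persist the derived properties.

    For each known system the plugin list, system info, network and AlienVault
    status and both config sections are re-read with ``no_cache=True``; the
    AlienVault config is then used to store the active/passive inventory and
    netflow flags on the sensor, and the VPN IP, HA role and HA virtual IP on
    the system. A system whose data cannot be retrieved, or whose first failing
    write is rejected, is skipped.

    Returns:
        bool: False when the system list cannot be fetched or an unexpected
        exception aborts the run; True otherwise.
    """
    try:
        self.remove_monitor_data()
        rc, system_list = get_systems()
        if not rc:
            logger.error("Can't retrieve systems..%s" % str(system_list))
            return False
        for (system_id, system_ip) in system_list:
            success, sensor_id = get_sensor_id_from_system_id(system_id)
            if not success:
                continue
            success, _ = get_plugins_from_yaml(sensor_id, no_cache=True)
            if not success:
                continue
            # Refresh the cached views in order, stopping at the first failure;
            # only their success flag matters here.
            refreshers = (system_all_info, network_status, alienvault_status,
                          get_system_config_general)
            if not all(refresh(system_id, no_cache=True)[0] for refresh in refreshers):
                continue

            # Only this config result is read below; keep it under its own name
            success, config = get_system_config_alienvault(system_id, no_cache=True)
            if not success:
                continue
            prads_enabled = False
            suricata_snort_enabled = False
            if 'sensor_detectors' in config:
                detectors = config['sensor_detectors']
                prads_enabled = 'prads' in detectors
                suricata_snort_enabled = 'snort' in detectors or 'suricata' in detectors
            netflow_enabled = 'sensor_netflow' in config and config['sensor_netflow'] == 'yes'
            ha_ip = None
            if 'ha_ha_virtual_ip' in config and is_valid_ipv4(config['ha_ha_virtual_ip']):
                ha_ip = config['ha_ha_virtual_ip']
            ha_role = None
            if 'ha_ha_role' in config and config['ha_ha_role'] in ('master', 'slave'):
                ha_role = config['ha_ha_role']

            success, _ = get_interfaces(system_id, no_cache=True)
            if not success:
                continue
            success, facts = system_get(system_id, no_cache=True)
            if not success:
                continue
            vpn_ip = None
            if "ansible_tun0" in facts:
                try:
                    vpn_ip = facts['ansible_tun0']['ipv4']['address']
                except (KeyError, TypeError):
                    # tun0 exists but carries no IPv4 address: nothing to store
                    vpn_ip = None

            # Persist to the DB: inventory flags, netflow, and (when known) VPN IP,
            # HA role and HA IP. The original dropped write failures silently; they
            # are now logged before moving on to the next system.
            writes = [
                (set_sensor_properties_active_inventory, sensor_id, suricata_snort_enabled),
                (set_sensor_properties_passive_inventory, sensor_id, prads_enabled),
                (set_sensor_properties_netflow, sensor_id, netflow_enabled),
            ]
            if vpn_ip is not None:
                writes.append((set_system_vpn_ip, system_id, vpn_ip))
            if ha_role is not None:
                writes.append((set_system_ha_role, system_id, ha_role))
            if ha_ip is not None:
                writes.append((set_system_ha_ip, system_id, ha_ip))
            for write, target_id, value in writes:
                success, message = write(target_id, value)
                if not success:
                    logger.warning("[MonitorRetrievesRemoteInfo] %s failed for system %s: %s"
                                   % (getattr(write, '__name__', repr(write)), system_id, message))
                    break
    except Exception as err:
        api_log.error("Something wrong happened while running the MonitorRetrievesRemoteInfo monitor %s" % str(err))
        return False
    return True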