def __init__(self, conf_file, splunkd_uri, session_key, appname=None):
if appname is None:
appname = utils.get_appname_from_path(op.abspath(__file__))
self._conf_file = conf.conf_file2name(conf_file)
self._conf_mgr = conf.ConfManager(splunkd_uri, session_key, app_name=appname)
self._cred_mgr = cred.CredentialManager(
splunkd_uri, session_key, app=appname, owner="nobody", realm=appname
)
self._keys = None
def get_configs(self):
meta_configs, stanza_configs = self.get_modinput_configs()
self.meta_configs = meta_configs
self.stanza_configs = stanza_configs
self.cred_manager = cred.CredentialManager(meta_configs["session_key"],
meta_configs["server_uri"])
self.app_dir = util.get_app_path(op.abspath(__file__))
self.app = op.basename(self.app_dir)
return meta_configs, stanza_configs
def _decrypt_username_password(self, confDict):
try:
if confDict.get("symantec_ep_proxy") is not None:
account = confDict["symantec_ep_proxy"]
is_encrypted = all(account.get(k, None) == self.encrypted for k in ("proxy_username", "proxy_password"))
if is_encrypted:
cred_mgr = cred.CredentialManager(session_key=self.getSessionKey(),
app=self.appName, splunkd_uri=scc.getMgmtUri())
user_creds = cred_mgr.get_clear_password("symantec_ep_proxy")
account["proxy_username"] = user_creds["symantec_ep_proxy"]["proxy_username"]
account["proxy_password"] = user_creds["symantec_ep_proxy"]["proxy_password"]
except Exception:
logger.error("decryption error.")
logger.error(traceback.format_exc())
def handleEdit(self, confInfo):
args = self.callerArgs.data
for key, val in args.items():
if val[0] is None:
val[0] = ''
conf_mgr = conf.ConfManager(splunkd_uri=scc.getMgmtUri(),
session_key=self.getSessionKey(),
app_name=self.appName,
owner='-')
success = False
if self.callerArgs.id == 'okta_loglevel':
loglevel_stanza = {}
loglevel = args['loglevel'][0]
loglevel_stanza['loglevel'] = loglevel
success = conf_mgr.update_stanza('okta', 'okta_loglevel',
loglevel_stanza)
elif self.callerArgs.id == 'okta_proxy':
proxy_stanza = {}
proxy_enabled = args['proxy_enabled'][0]
proxy_stanza['proxy_enabled'] = proxy_enabled
if proxy_enabled.lower().strip() in ("1", "true", "yes", "t", "y"):
proxy_port = args['proxy_port'][0].strip()
proxy_url = args['proxy_url'][0].strip()
proxy_type = args['proxy_type'][0]
proxy_rdns = args['proxy_rdns'][0]
# Validate args
if proxy_url != '' and proxy_port == '':
raise admin.ArgValidationException(
"Port should not be blank")
if proxy_url == '' and proxy_port != '':
raise admin.ArgValidationException(
"URL should not be blank")
if proxy_port != '' and not proxy_port.isdigit():
raise admin.ArgValidationException("Port should be digit")
# Proxy is enabled, but proxy url or port is empty
if proxy_url == '' or proxy_port == '':
raise admin.ArgValidationException(
"URL and port should not be blank")
# Password is filled but username is empty
if args['proxy_password'][0] != '' and args['proxy_username'][
0] == '':
raise admin.ArgValidationException(
"Username should not be blank")
if proxy_type not in ('http', 'http_no_tunnel', 'socks4',
'socks5'):
raise admin.ArgValidationException(
"Unsupported proxy type")
confDict = self.readConf("okta")
self._decrypt_username_password(confDict)
proxy = confDict['okta_proxy']
proxy_stanza['proxy_url'] = proxy_url
proxy_stanza['proxy_port'] = proxy_port
proxy_stanza['proxy_type'] = proxy_type
proxy_stanza['proxy_rdns'] = proxy_rdns
cred_mgr = cred.CredentialManager(
session_key=self.getSessionKey(),
app=self.appName,
splunkd_uri=scc.getMgmtUri())
proxy_username = args['proxy_username'][0].strip()
proxy_password = args['proxy_username'][0].strip()
if not proxy_username:
try:
result = cred_mgr.delete('__Splunk_TA_okta_proxy__')
logger.info("Update result:" + str(result))
except Exception:
logger.warn("ERROR in deleting cred stanza")
logger.warn(traceback.format_exc())
elif proxy_password != '' or \
proxy['proxy_username'] != proxy_username:
stanza = {}
proxy = {
'proxy_username': proxy_username,
'proxy_password': proxy_password
}
stanza['__Splunk_TA_okta_proxy__'] = proxy
try:
result = cred_mgr.update(stanza)
logger.info("Update result:" + str(result))
except Exception:
logger.error("ERROR in creating cred stanza")
logger.error(traceback.format_exc())
raise admin.HandlerSetupException(
"fail to encrypt proxy username and password.")
if proxy_password != '' or proxy_username != '':
proxy_stanza['proxy_username'] = self.encrypted
proxy_stanza['proxy_password'] = self.encrypted
else:
proxy_stanza['proxy_username'] = ''
proxy_stanza['proxy_password'] = ''
success = conf_mgr.update_stanza('okta', 'okta_proxy',
proxy_stanza)
elif self.callerArgs.id == 'okta_server':
okta_server_stanza = {}
custom_cmd_enabled = args['custom_cmd_enabled'][0]
okta_server_stanza['custom_cmd_enabled'] = custom_cmd_enabled
if custom_cmd_enabled.lower().strip() in ("1", "true", "yes", "t",
"y"):
okta_server_url = args['okta_server_url'][0].strip()
okta_server_token = args['okta_server_token'][0].strip()
if okta_server_url != '' and okta_server_token == '':
raise admin.ArgValidationException(
"token should not be blank")
if okta_server_token != '' and okta_server_url == '':
raise admin.ArgValidationException(
"server url should not be blank")
confDict = self.readConf('okta')
okta_server = confDict['okta_server']
cred_mgr = cred.CredentialManager(
session_key=self.getSessionKey(),
app=self.appName,
splunkd_uri=scc.getMgmtUri())
if not okta_server_url:
try:
result = cred_mgr.delete('__Splunk_TA_okta_server__')
logger.info("Update result:" + str(result))
except Exception:
logger.warn("ERROR in deleting cred stanza")
logger.warn(traceback.format_exc())
elif okta_server_token != '' or \
okta_server['okta_server_url'] != okta_server_url:
stanza = {}
okta_server_info = {
'okta_server_url': okta_server_url,
'okta_server_token': okta_server_token
}
stanza['__Splunk_TA_okta_server__'] = okta_server_info
try:
result = cred_mgr.update(stanza)
logger.info("Update result:" + str(result))
except Exception:
logger.error("ERROR in creating cred stanza")
logger.error(traceback.format_exc())
raise admin.HandlerSetupException(
"fail to encrypt okta server url and token.")
if okta_server_url != '' or okta_server_token != '':
okta_server_stanza['okta_server_url'] = okta_server_url
okta_server_stanza['okta_server_token'] = self.encrypted
else:
okta_server_stanza['okta_server_url'] = ''
okta_server_stanza['okta_server_token'] = ''
success = conf_mgr.update_stanza('okta', 'okta_server',
okta_server_stanza)
if not success:
logger.error("ERROR in writing okta conf file.")
raise admin.HandlerSetupException(
"fail to store data into okta.conf file.")
def run():
logger.info("Script input start.")
logger.info("Start reading session key")
if sys.stdin.closed:
return
session_key = sys.stdin.read()
logger.info("End reading session key")
splunkd_uri = "https://localhost:8089/"
server_info = sc.ServerInfo(splunkd_uri, session_key)
if not server_info.is_shc_member() or server_info.is_captain():
logger.info(
"This is a single instance or cluster captain. Run the malare_category_update."
)
app_name = "Splunk_TA_symantec-ep"
conf_name = "symantec_ep"
stanza = "symantec_ep_proxy"
base_url = "http://www.symantec.com/xml/rss/azlistings.jsp"
encrypted = "******"
conf_manager = conf.ConfManager(splunkd_uri=splunkd_uri,
session_key=session_key,
owner='-',
app_name=app_name)
conf_manager.reload_conf(conf_name)
stanza_obj = conf_manager.get_conf(conf_name, stanza)
config = {
"username": "",
"password": "",
"proxy_url": "",
"proxy_port": "",
"proxy_username": "",
"proxy_password": "",
}
if stanza_obj["proxy_enabled"] == '1':
config["proxy_url"] = stanza_obj["proxy_url"]
config["proxy_port"] = int(stanza_obj["proxy_port"])
is_encrypted = all(
stanza_obj.get(k, None) == "******"
for k in ("proxy_username", "proxy_password"))
if is_encrypted:
logger.info("Decrypting")
cred_mgr = cred.CredentialManager(session_key=session_key,
app=app_name,
splunkd_uri=splunkd_uri)
user_creds = cred_mgr.get_clear_password("symantec_ep_proxy")
proxy_username = user_creds["symantec_ep_proxy"][
"proxy_username"]
proxy_password = user_creds["symantec_ep_proxy"][
"proxy_password"]
config["proxy_username"] = proxy_username
config["proxy_password"] = proxy_password
else:
if stanza_obj["proxy_username"] is not None and stanza_obj[
"proxy_password"] is not None:
logger.info("Encrypting")
config["proxy_username"] = stanza_obj["proxy_username"]
config["proxy_password"] = stanza_obj["proxy_password"]
cred_mgr = cred.CredentialManager(session_key=session_key,
app=app_name,
splunkd_uri=splunkd_uri)
try:
new_stanza = {}
proxy = {
'proxy_username': config["proxy_username"],
'proxy_password': config["proxy_password"]
}
new_stanza['symantec_ep_proxy'] = proxy
result = cred_mgr.update(new_stanza)
logger.info("Update result:" + str(result))
proxy_stanza = config.copy()
proxy_stanza['proxy_username'] = encrypted
proxy_stanza['proxy_password'] = encrypted
success = conf_manager.update_stanza(
'symantec_ep', 'symantec_ep_proxy', proxy_stanza)
if not success:
logger.error(
"ERROR in writing symantec_ep conf file.")
except Exception:
logger.error("ERROR in updating cred stanza")
logger.error(traceback.format_exc())
try:
try:
http = rest.build_http_connection(config, timeout=60)
except Exception:
logger.error("ERROR in building connection")
return
if http is not None:
url_list = construct_url(base_url)
item_list = extract_xml(http, url_list)
file_name = os.path.join(os.environ['SPLUNK_HOME'], 'etc',
'apps', app_name, 'lookups',
'symantec_ep_malware_categories.csv')
save_lookup_file(file_name, item_list)
logger.info("Start the SPL")
request_url = splunkd_uri + "services/search/jobs/export"
logger.info("Start the SPL")
args = {
"search":
"|inputlookup symantec_ep_malware_category_lookup|outputlookup symantec_ep_malware_category_lookup",
"output_mode": "raw"
}
response, _ = rest.splunkd_request(splunkd_uri=request_url,
data=args,
session_key=session_key,
method='POST')
if response.status not in (200, 201):
logger.error("The SPL is not executed corretcly.")
else:
logger.info("The SPL is executed correctly.")
else:
logger.error("Failed to create http object.")
except Exception:
logger.error("ERROR in updating malware category lookup table.")
else:
logger.info(
"This is not the cluster captain. Do not run the malare_category_update."
)
def handleEdit(self, confInfo):
args = self.callerArgs.data
for key, val in args.items():
if val[0] is None:
val[0] = ''
proxy_stanza = {}
proxy_port = args['proxy_port'][0]
proxy_enabled = args['proxy_enabled'][0]
proxy_url = args['proxy_url'][0]
# Validate args
if proxy_url != '' and proxy_port == '':
raise admin.ArgValidationException("Port should not be blank")
if proxy_url == '' and proxy_port != '':
raise admin.ArgValidationException("URL should not be blank")
if proxy_port != '' and not proxy_port.isdigit():
raise admin.ArgValidationException("Port should be digit")
# Proxy is enabled, but proxy url or port is empty
if proxy_enabled == '1' and (proxy_url == '' or proxy_port == ''):
raise admin.ArgValidationException("URL and port should not be blank")
# Password is filled but username is empty
if args['proxy_password'][0] != '' and args['proxy_username'][0] == '':
raise admin.ArgValidationException("Username should not be blank")
confDict = self.readConf("symantec_ep")
self._decrypt_username_password(confDict)
proxy = confDict['symantec_ep_proxy']
proxy_stanza['proxy_enabled'] = proxy_enabled
proxy_stanza['proxy_url'] = proxy_url
proxy_stanza['proxy_port'] = proxy_port
if args['proxy_password'][0] != '' or proxy['proxy_username'] != args['proxy_username'][0]:
stanza = {}
proxy = {'proxy_username': args['proxy_username'][0], 'proxy_password': args['proxy_password'][0]}
stanza['symantec_ep_proxy'] = proxy
cred_mgr = cred.CredentialManager(session_key=self.getSessionKey(),
app=self.appName, splunkd_uri=scc.getMgmtUri())
try:
result = cred_mgr.update(stanza)
logger.info("Update result:"+str(result))
except Exception:
logger.error("ERROR in creating cred stanza")
logger.error(traceback.format_exc())
if args['proxy_password'][0] != '' or args['proxy_username'][0] != '':
proxy_stanza['proxy_username'] = self.encrypted
proxy_stanza['proxy_password'] = self.encrypted
else:
proxy_stanza['proxy_username'] = ''
proxy_stanza['proxy_password'] = ''
conf_mgr = conf.ConfManager(splunkd_uri=scc.getMgmtUri(), session_key=self.getSessionKey(),
app_name=self.appName, owner='-')
success = conf_mgr.update_stanza('symantec_ep', 'symantec_ep_proxy', proxy_stanza)
if not success:
logger.error("ERROR in writing symantec_ep conf file.")