def build_santa_conf(all_probes):
    """Build the santa conf, the sha256 lookup dict and the list of santa probes.

    The santa conf is the source of the json document sent to the santa
    client when it connects to zentral: a list of every rule found in every
    configured probe, concatenated as-is (no check here that two probes carry
    rules for the same sha256). The lookup dict maps a rule sha256 to the
    (shallow-copied) probe dicts that contain a rule for it, so that a santa
    event can be routed to the probes responsible for it and their actions
    triggered. The last item is the sorted list of (probe_name, probe_d)
    tuples of the probes that have a non-empty 'santa' section.

    Raises KeyError if a santa rule has no 'sha256' entry.
    """
    rules = []
    lookup_d = {}
    santa_probes = []
    for name, probe in all_probes.items():
        santa_rules = probe.get('santa', None)
        if not santa_rules:
            # no (or empty) santa section: not a santa probe
            continue
        santa_probes.append((name, probe))
        rules += santa_rules
        for rule in santa_rules:
            # one shallow copy per rule, so a probe with several rules for
            # the same hash is listed several times under that hash
            lookup_d.setdefault(rule["sha256"], []).append(probe.copy())
    santa_probes.sort()
    return {'rules': rules}, lookup_d, santa_probes
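def build_osquery_conf(all_probes):
    """Build the osquery conf and split the probes by how they relate to osquery.

    Returns a (osquery_conf, probes, event_type_probes) tuple where:

    - osquery_conf is a {'schedule': ..., 'file_paths': ...} dict. The schedule
      always starts with the built-in inventory query stored under
      DEFAULT_ZENTRAL_INVENTORY_QUERY; every scheduled query of every probe
      with an 'osquery' section is added under the key '<probe_name>_<idx>'
      (a 'key' entry in the probe's query dict is dropped from the copy).
    - probes is the sorted list of (probe_name, probe_d) tuples for the probes
      that have a non-empty 'osquery' section.
    - event_type_probes is the list of (probe_name, probe_d) tuples for the
      probes without an 'osquery' section that test_probe_event_type()
      matches for 'osquery'.

    Side effect: each osquery probe_d gets a 'metadata_filters' list with an
    'osquery_result' entry if it had none, and existing filters without a
    'type' get 'osquery_result' set in place.

    Raises ImproperlyConfigured when an existing metadata_filter has a type
    other than 'osquery_result', when a schedule key is already taken, or when
    a file_paths category is declared by more than one probe.
    """
    schedule = {DEFAULT_ZENTRAL_INVENTORY_QUERY: {'query': "SELECT 'os_version' as table_name, name, major, minor, "
                                                            "patch, build from os_version;"
                                                            "SELECT 'system_info' as table_name, "
                                                            "computer_name, hostname, hardware_model, hardware_serial, "
                                                            "cpu_type, cpu_subtype, cpu_brand, cpu_physical_cores, "
                                                            "cpu_logical_cores, physical_memory from system_info",
                                                   'snapshot': True,
                                                   'interval': 600}}
    file_paths = {}
    probes = []  # probes with an osquery section
    event_type_probes = []  # probes without an osquery section but with a match on the event type
    for probe_name, probe_d in all_probes.items():
        osquery_d = probe_d.get('osquery', None)
        if not osquery_d:
            if test_probe_event_type(probe_d, 'osquery'):
                event_type_probes.append((probe_name, probe_d))
            continue
        # check and fix existing metadata_filters
        metadata_filters = probe_d.get('metadata_filters', None)
        if not metadata_filters:
            probe_d['metadata_filters'] = [{'type': 'osquery_result'}]
        else:
            for metadata_filter in metadata_filters:
                if metadata_filter.setdefault('type', "osquery_result") != "osquery_result":
                    # Previously the exception was only instantiated, never
                    # raised, so a probe with a foreign filter type was
                    # accepted silently. It must abort the config build.
                    raise ImproperlyConfigured("Osquery probe %s with wrong type metadata_filter %s"
                                               % (probe_d.get('name', '?'), metadata_filter['type']))
        probes.append((probe_name, probe_d))
        for idx, osquery_query in enumerate(osquery_d.get('schedule', [])):
            osquery_query_key = '%s_%d' % (probe_name, idx)
            # copy so the probe's own query dict is not mutated by the pop below
            osquery_query = osquery_query.copy()
            osquery_query.pop('key', None)
            if osquery_query_key in schedule:
                # also protects the built-in inventory query from being overridden
                raise ImproperlyConfigured('Query key {} already in schedule'.format(osquery_query_key))
            schedule[osquery_query_key] = osquery_query
        for category, paths in osquery_d.get('file_paths', {}).items():
            if category in file_paths:
                raise ImproperlyConfigured('File path category {} not unique'.format(category))
            file_paths[category] = paths
    osquery_conf = {'schedule': schedule, 'file_paths': file_paths}
    probes.sort()
    return osquery_conf, probes, event_type_probes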
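def build_santa_conf(all_probes):
    """Build the santa conf, the probe lookup dict and the santa probe lists.

    The santa conf is the source of the json document that is sent to the
    santa client when it connects to zentral. It is the list of all the rules
    found in all the configured probes, concatenated as-is: this function does
    not detect two probes carrying rules for the same sha256.

    The lookup dict maps a rule sha256 to the (shallow-copied) probe dicts that
    contain a rule for it. It is used when a santa event is processed to find
    the probes that, because of the santa rules they contain, are responsible
    for it; once the probes are known, all their configured actions can be
    triggered.

    Returns a (santa_conf, lookup_d, probes, event_type_probes) tuple:

    - probes is the sorted list of (probe_name, probe_d) tuples of the probes
      with a non-empty 'santa' section;
    - event_type_probes is the list of (probe_name, probe_d) tuples of the
      probes without a 'santa' section that test_probe_event_type() matches
      for 'santa'.

    Side effect: each santa probe_d gets a 'metadata_filters' list with a
    'santa_event' entry if it had none, and existing filters without a 'type'
    get 'santa_event' set in place.

    Raises ImproperlyConfigured when an existing metadata_filter has a type
    other than 'santa_event', and KeyError when a rule has no 'sha256'.
    """
    rules = []
    lookup_d = {}
    probes = []  # probes with a santa section
    event_type_probes = []  # probes without a santa section but with a match on the event type
    for probe_name, probe_d in all_probes.items():
        santa_l = probe_d.get('santa', None)
        if not santa_l:
            if test_probe_event_type(probe_d, "santa"):
                event_type_probes.append((probe_name, probe_d))
            continue
        # check and fix existing metadata_filters
        metadata_filters = probe_d.get('metadata_filters', None)
        if not metadata_filters:
            probe_d['metadata_filters'] = [{'type': 'santa_event'}]
        else:
            for metadata_filter in metadata_filters:
                if metadata_filter.setdefault('type', "santa_event") != "santa_event":
                    # Previously the exception was only instantiated, never
                    # raised, so a probe with a foreign filter type was
                    # accepted silently. It must abort the config build.
                    raise ImproperlyConfigured("Santa probe %s with wrong type metadata_filter %s"
                                               % (probe_d.get('name', '?'), metadata_filter['type']))
        probes.append((probe_name, probe_d))
        rules.extend(santa_l)
        for santa_r in santa_l:
            # one shallow copy per rule (taken after the metadata_filters fix-up),
            # so a probe with several rules for one hash is listed several times
            lookup_d.setdefault(santa_r["sha256"], []).append(probe_d.copy())
    probes.sort()
    return {'rules': rules}, lookup_d, probes, event_type_probes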
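def build_osquery_conf(all_probes):
    """Build the osquery conf and the sorted list of osquery probes.

    Returns an (osquery_conf, probes) tuple. osquery_conf is a
    {'schedule': ..., 'file_paths': ...} dict: every scheduled query of every
    probe with a non-empty 'osquery' section is stored under the key
    '<probe_name>_<idx>' (a 'key' entry in the probe's query dict is dropped
    from the copy), and the probes' file_paths categories are merged. probes
    is the sorted list of (probe_name, probe_d) tuples of those probes.

    Raises ImproperlyConfigured when a file_paths category is declared by more
    than one probe.
    """
    schedule = {}
    file_paths = {}
    probes = []
    for probe_name, probe_d in all_probes.items():
        osquery_d = probe_d.get('osquery', None)
        if not osquery_d:
            continue
        probes.append((probe_name, probe_d))
        for idx, osquery_query in enumerate(osquery_d.get('schedule', [])):
            # probe names are unique dict keys and idx is an int, so these keys
            # cannot collide with each other
            osquery_query_key = '%s_%d' % (probe_name, idx)
            # copy so the probe's own query dict is not mutated by the pop below
            osquery_query = osquery_query.copy()
            osquery_query.pop('key', None)
            schedule[osquery_query_key] = osquery_query
        for category, paths in osquery_d.get('file_paths', {}).items():
            if category in file_paths:
                # The category used to be passed as a second constructor
                # argument instead of being formatted into the message.
                raise ImproperlyConfigured('File path category %s not unique' % category)
            file_paths[category] = paths
    osquery_conf = {'schedule': schedule, 'file_paths': file_paths}
    probes.sort()
    return osquery_conf, probes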
def build_munki_conf(all_probes):
    """Return the (probe_name, probe_d) tuples of the probes matching the 'munki' event type.

    The match is delegated to test_probe_event_type(); the result keeps the
    iteration order of all_probes and is not sorted.
    """
    return [
        (probe_name, probe_d)
        for probe_name, probe_d in all_probes.items()
        if test_probe_event_type(probe_d, 'munki')
    ]
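def get_probe(self, **kwargs):
    """Return the probe dict registered under kwargs['probe_key'].

    The lookup is done against the module-level ``probes`` mapping (it is
    iterated with .items() elsewhere, so a dict-like .get is assumed), not
    against instance state. ``None`` is returned when the key is unknown,
    which matches the fall-through of the previous linear scan. A missing
    'probe_key' kwarg raises KeyError, as before.
    """
    # TODO log(1)
    # Direct key lookup instead of scanning every item; the previous loop also
    # had an unreachable `break` after its `return`.
    return probes.get(kwargs['probe_key'])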