author | Dominik Lisiak <dominik.lisiak@bemsoft.pl> | 2018-10-28 02:22:34 +0200 |
---|---|---|
committer | Dominik Lisiak <dominik.lisiak@bemsoft.pl> | 2018-10-28 02:22:34 +0200 |
commit | 9eafb6bca51a2a9d1875af3b65c090187e8303ab (patch) | |
tree | 161139e94ea02827faa760a6fc70daf337f63d28 | |
parent | Added CIS benchmarks. Improved profiles. (diff) | |
download | ossec-9eafb6bca51a2a9d1875af3b65c090187e8303ab.tar.xz |
Added config_profile and manage_agent commands.
-rw-r--r-- | security/ossec-hids-local/files/ossec-hids.in | 202 |
1 files changed, 138 insertions, 64 deletions
diff --git a/security/ossec-hids-local/files/ossec-hids.in b/security/ossec-hids-local/files/ossec-hids.in
index aaafb8c..4af1d93 100644
--- a/security/ossec-hids-local/files/ossec-hids.in
+++ b/security/ossec-hids-local/files/ossec-hids.in
@@ -53,33 +53,40 @@ ossec_local_time="/etc/localtime" extra_commands="status reload ossec_conf" case ${ossec_type} in server) - extra_commands="${extra_commands} agent_conf reset_counter" + extra_commands="${extra_commands} manage_agent reset_counter agent_conf" ;; agent) - extra_commands="${extra_commands} fetch_config reset_counter" + extra_commands="${extra_commands} manage_agent reset_counter config_profile fetch_config" ;; esac if [ -x "${ossec_conf_bin}" ]; then extra_commands="${extra_commands} merge_config" fi -start_cmd="ossec_hids_command start" -stop_cmd="ossec_hids_command stop" -restart_cmd="ossec_hids_command restart" -status_cmd="ossec_hids_command status" -reload_cmd="ossec_hids_command reload" -reset_counter_cmd="ossec_hids_reset_counter $2" -fetch_config_cmd="ossec_hids_command restart" -merge_config_cmd="ossec_hids_create_config force" -ossec_conf_cmd="ossec_hids_ossec_conf" -agent_conf_cmd="ossec_hids_agent_conf" - -start_precmd="ossec_hids_prepare" -restart_precmd="ossec_hids_prepare" -reload_precmd="ossec_hids_prepare" -fetch_config_precmd="ossec_hids_prepare" +ossec_rc_command=$1 +shift 1 + +start_cmd="ossec_hids_command start $@" +stop_cmd="ossec_hids_command stop $@" +restart_cmd="ossec_hids_command restart $@" +status_cmd="ossec_hids_command status $@" +reload_cmd="ossec_hids_command reload $@" +manage_agent_cmd="ossec_hids_manage_agent $@" +reset_counter_cmd="ossec_hids_reset_counter $@" +config_profile_cmd="ossec_hids_config_profile $@" +fetch_config_cmd="ossec_hids_fetch_config $@" +merge_config_cmd="ossec_hids_create_config force $@" +ossec_conf_cmd="ossec_hids_ossec_conf $@" +agent_conf_cmd="ossec_hids_agent_conf $@" + +start_precmd="ossec_hids_create_env && ossec_hids_create_config && ossec_hids_clean && ossec_hids_check" +restart_precmd="${start_precmd}" +reload_precmd="ossec_hids_create_env && ossec_hids_create_config" +config_profile_precmd="ossec_hids_check" +fetch_config_precmd="${start_precmd}" 
agent_ids_cmd="${ossec_home}/bin/manage_agents -l | sed -En -e 's|.*ID:[[:space:]]*([[:digit:]]+).*|\1|p'" +agent_names_cmd="${ossec_home}/bin/manage_agents -l | sed -En -e 's|.*Name:[[:space:]]*([^,]+).*|\1|p'" ossec_hids_create_file() { local path=$1 @@ -103,6 +110,12 @@ ossec_hids_check() { if [ ! -s "${ossec_client_keys}" ]; then echo "WARNING: There are is no client key imported - connection to server not possible." echo + else + if [ $(eval ${agent_ids_cmd} | wc -l) -gt 1 ]; then + echo "ERROR: There are multiple client keys imported - only one is allowed." + echo + return 1 + fi fi ;; esac 
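Review bot: The `$@` embedded in every `*_cmd` string (`start_cmd="ossec_hids_command start $@"` through `agent_conf_cmd="ossec_hids_agent_conf $@"`) is flattened into the string at assignment time and rc.subr then runs `*_cmd` through `eval`, so an argument containing whitespace or shell metacharacters is re-split and interpreted when the command executes; for `reset_counter` that argument is an agent name typed on the command line. The last hunk compounds this: `ossec_hids_manage_agent` invokes `"${ossec_home}/bin/manage_agents" $@` unquoted and `ossec_hids_command` drops the quotes the old code had, so those lines should read `"${ossec_home}/bin/manage_agents" "$@"` and `"${ossec_home}/bin/ossec-control" "$1"`. If I recall rc.subr correctly it already forwards the remaining positional parameters to `*_cmd` via `rc_extra_args` when the script ends with `run_rc_command "$@"`, which would make the manual `ossec_rc_command=$1; shift 1` plumbing unnecessary; confirm against the installed rc.subr before relying on that.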
@@ -110,6 +123,88 @@ ossec_hids_check() { return 0 } +ossec_hids_inline_content() { + local element="$1" + sed -En "s|.*<${element}>(.*)</${element}>.*|\1|p" +} + +ossec_hids_remove_comments() { + # Comments must be on separate lines i.e. not next to uncommented code + awk '/<!--/ {off=1} /-->/ {off=2} /([\s\S]*)/ {if (off==0) print; if (off==2) off=0}' +} + +ossec_hids_config_profile() { + if [ ! -f "${ossec_conf}" ]; then + echo -n "ERROR: The \"${ossec_conf}\" is missing." + if [ -x "${ossec_conf_bin}" ]; then + echo " Run:" + echo "$(realpath $0) merge_config" + else + echo + fi + echo + return 1 + fi + if [ ! -f "${agent_conf}" ]; then + echo "ERROR: The \"${agent_conf}\" is missing. Run:" + echo "$(realpath $0) fetch_config" + echo + return 1 + fi + + local os="FreeBSD" + local name=$(eval ${agent_names_cmd}) + + local server_profiles=`ossec_hids_remove_comments < "${agent_conf}" | sed -En \ + -e "s|.*<agent_config[[:space:]]+profile=\"([^\"]+)\"[[:space:]]*>.*|\1|p" \ + -e "s|.*<agent_config[[:space:]]+profile=\"([^\"]+)\"[[:space:]]+os=\"${os}\"[[:space:]]*>.*|\1|p" \ + -e "s|.*<agent_config[[:space:]]+os=\"${os}\"[[:space:]]+profile=\"([^\"]+)\"[[:space:]]*>.*|\1|p" \ + -e "s|.*<agent_config[[:space:]]+profile=\"([^\"]+)\"[[:space:]]+name=\"${name}\"[[:space:]]*>.*|\1|p" \ + -e "s|.*<agent_config[[:space:]]+name=\"${name}\"[[:space:]]+profile=\"([^\"]+)\"[[:space:]]*>.*|\1|p" \ + -e "s|.*<agent_config[[:space:]]+profile=\"([^\"]+)\"[[:space:]]+os=\"${os}\"[[:space:]]+name=\"${name}\"[[:space:]]*>.*|\1|p" \ + -e "s|.*<agent_config[[:space:]]+profile=\"([^\"]+)\"[[:space:]]+name=\"${name}\"[[:space:]]+os=\"${os}\"[[:space:]]*>.*|\1|p" \ + -e "s|.*<agent_config[[:space:]]+os=\"${os}\"[[:space:]]+profile=\"([^\"]+)\"[[:space:]]+name=\"${name}\"[[:space:]]*>.*|\1|p" \ + -e "s|.*<agent_config[[:space:]]+os=\"${os}\"[[:space:]]+name=\"${name}\"[[:space:]]+profile=\"([^\"]+)\"[[:space:]]*>.*|\1|p" \ + -e 
"s|.*<agent_config[[:space:]]+name=\"${name}\"[[:space:]]+profile=\"([^\"]+)\"[[:space:]]+os=\"${os}\"[[:space:]]*>.*|\1|p" \ + -e "s|.*<agent_config[[:space:]]+name=\"${name}\"[[:space:]]+os=\"${os}\"[[:space:]]+profile=\"([^\"]+)\"[[:space:]]*>.*|\1|p" \ + | sort -u` + + local agent_profiles=$(ossec_hids_remove_comments < "${ossec_conf}" | ossec_hids_inline_content "config-profile" | sed -E 's|[[:space:]]*,[[:space:]]*| |g') + + local output="" + for server_profile in ${server_profiles}; do + local matching_profile="" + for agent_profile in ${agent_profiles}; do + if [ "${agent_profile}" == "${server_profile}" ]; then + matching_profile="${agent_profile}" + break + fi + done + if [ -n "${matching_profile}" ]; then + output="${output}(+) ${server_profile} +" + else + output="${output}(-) ${server_profile} +" + fi + done + for agent_profile in ${agent_profiles}; do + local matching_profile="" + for server_profile in ${server_profiles}; do + if [ "${server_profile}" == "${agent_profile}" ]; then + matching_profile="${server_profile}" + break + fi + done + if [ -z "${matching_profile}" ]; then + output="${output}(?) ${agent_profile} +" + fi + done + + echo -n "${output}" | sort -k 2 +} + ossec_hids_config_is_outdated() { local dst_file="$1" local src_dir="$2" @@ -184,17 +279,17 @@ ossec_hids_clean() { } ossec_hids_reset_counter() { - local reset_agent_id="$1" + local agent_name="$1" case ${ossec_type} in server) - if [ -z "${reset_agent_id}" ]; then - echo "ERROR: Please specify agent ID to reset counter for this agent or \"all\" to reset counters for all agents." + if [ -z "${agent_name}" ]; then + echo "ERROR: Specify agent name to reset counter for this agent or \"-\" to reset counters for all agents." echo return 1 fi local agent_counter=0 - if [ "${reset_agent_id}" == "all" ]; then + if [ "${agent_name}" == "-" ]; then ossec_hids_command stop sleep 1 echo 
@@ -204,16 +299,15 @@ ossec_hids_reset_counter() { fi done else - for agent_id in $(eval ${agent_ids_cmd}); do - if [ "${reset_agent_id}" == "${agent_id}" ]; then - if [ -e "${ossec_home}/queue/rids/${agent_id}" ]; then - ossec_hids_command stop - sleep 1 - echo - rm "${ossec_home}/queue/rids/${agent_id}" && agent_counter=$((agent_counter + 1)) - fi + local agent_id=`${ossec_home}/bin/manage_agents -l | sed -En -e "s|.*ID:[[:space:]]*([[:digit:]]+),[[:space:]]*Name:[[:space:]]${agent_name},.*|\1|p"` + if [ -n "${agent_id}" ]; then + if [ -e "${ossec_home}/queue/rids/${agent_id}" ]; then + ossec_hids_command stop + sleep 1 + echo + rm "${ossec_home}/queue/rids/${agent_id}" && agent_counter=$((agent_counter + 1)) fi - done + fi fi echo "Removed ${agent_counter} counter(s)." echo @@ -221,6 +315,7 @@ ossec_hids_reset_counter() { agent) local agent_counter=0 for agent_id in $(eval ${agent_ids_cmd}); do + # Should be executed only once if [ -e "${ossec_home}/queue/rids/${agent_id}" ]; then ossec_hids_command stop sleep 1 @@ -231,11 +326,6 @@ ossec_hids_reset_counter() { echo "Removed ${agent_counter} counter(s)." echo ;; - *) - echo "ERROR: Counters are only available for agent and server installations." - echo - return 1 - ;; esac return 0 @@ -262,9 +352,11 @@ ossec_hids_fetch_config() { if echo "${ossec_log_tail}" | grep -q "ERROR: Unable to send message to"; then echo "Check if your configuration contains the correct server address in \"server-ip\" option." echo - fi - if echo "${ossec_log_tail}" | grep -q "ERROR: Incorrectly formatted message from"; then + else local ossec_rc_path="$(realpath $0)" + echo "Is the imported agent key correct? To import it run:" + echo "${ossec_rc_path} manage_agent" + echo echo "If you are certain the imported agent key is correct then run:" echo "${ossec_rc_path} reset_counter" echo "${ossec_rc_path} fetch_config" 
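Review bot: `ossec_hids_config_profile` in the preceding hunk interpolates `${name}` (read from `manage_agents -l` output) directly into eleven `sed -E` expressions that use `|` as the delimiter, so a name containing `|`, `.`, `*` or another ERE metacharacter either mismatches silently or aborts sed; the `@@ -204` hunk does the same with `${agent_name}`, which comes straight from the `reset_counter` command line. Escape the value before building the pattern, e.g. `name=$(printf '%s\n' "${name}" | sed -e 's/[][\\.*^$|+?(){}]/\\&/g')`, and likewise for `agent_name`. Separately, `local name=$(eval ${agent_names_cmd})` and `local server_profiles=\`...\`` mask the pipeline's exit status because `local` always succeeds; declare first and assign on the next line. In `ossec_hids_remove_comments` the third awk pattern `/([\s\S]*)/` relies on non-POSIX `\s` and is meant to match every line anyway, so an unconditional action `{if (off==0) print; if (off==2) off=0}` is equivalent and portable.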
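Review bot: In the `@@ -204` hunk of `ossec_hids_reset_counter`, when the sed lookup leaves `agent_id` empty because no agent carries that name, the function still falls through to `echo "Removed ${agent_counter} counter(s)."` with a count of 0 and returns 0, so a mistyped name is indistinguishable from a successful no-op. Add an `else` arm to the `if [ -n "${agent_id}" ]` test: `echo "ERROR: No agent named \"${agent_name}\" found."; echo; return 1`. The same applies when the name matches but no `queue/rids/${agent_id}` file exists, which may be worth a distinct message. `ossec_hids_reset_counter` begins in the previous hunk and its `case` ends in the `@@ -231` hunk, so the rest of the server branch is not visible here.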
@@ -274,7 +366,7 @@ ossec_hids_fetch_config() { echo "On the agent:" echo "${ossec_rc_path} reset_counter" echo "On the server:" - echo "${ossec_rc_path} reset_counter $(eval ${agent_ids_cmd})" + echo "${ossec_rc_path} reset_counter $(eval ${agent_names_cmd})" echo "${ossec_rc_path} start" echo "On the agent:" echo "${ossec_rc_path} fetch_config" @@ -289,6 +381,7 @@ ossec_hids_fetch_config() { if [ $((current_time - modification_time)) -gt ${ossec_hids_fetch_read_time} ]; then echo "Download finished." echo + ossec_hids_command restart || return 1 break; else echo "Download in progress..." @@ -307,30 +400,6 @@ ossec_hids_fetch_config() { return 0 } -ossec_hids_prepare() { - case ${rc_arg} in - start|restart) - ossec_hids_create_env && \ - ossec_hids_create_config && \ - ossec_hids_clean && \ - ossec_hids_check || return 1 - ;; - fetch_config) - ossec_hids_create_env && \ - ossec_hids_create_config && \ - ossec_hids_clean && \ - ossec_hids_fetch_config && \ - ossec_hids_check || return 1 - ;; - reload) - ossec_hids_create_env && \ - ossec_hids_create_config || return 1 - ;; - esac - - return 0 -} - ossec_hids_ossec_conf() { if [ -x "${ossec_conf_bin}" ]; then "${ossec_conf_bin}" @@ -347,9 +416,14 @@ ossec_hids_agent_conf() { fi } +ossec_hids_manage_agent() { + "${ossec_home}/bin/manage_agents" $@ + return $? +} + ossec_hids_command() { - "${ossec_home}/bin/ossec-control" "$1" + "${ossec_home}/bin/ossec-control" $1 return $? } -run_rc_command "$1" +run_rc_command "${ossec_rc_command}" |