
New call to edit files (rules, decoders, lists and ossec.conf) #299

Merged
merged 17 commits into from
Feb 1, 2019

Conversation

druizz90
Contributor

@druizz90 druizz90 commented Jan 28, 2019

Hi team,

This PR closes #283. I added two calls for getting and editing files (rules, decoders, lists and ossec.conf).

The last commit I added closes #302.

Below are some examples:

# cat rules.xml 
<!-- Local rules -->

<!-- Modify it at your will. -->

<!-- Example -->
<group name="local,">

  <!--
   NEW RULE 
   -->
   <rule id="100001111" level="5">
     <if_sid>5716</if_sid>
     <srcip>1.1.1.1</srcip>
     <description>sshd: authentication failed from IP 1.1.1.1.</description>
     <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
   </rule>
</group>

# curl -u foo:bar -X POST -H "Content-type:application/xml" -d @/home/druizz/rules.xml "http://localhost:55000/manager/files?path=etc/rules/new_rules.xml"
{"error":0,"data":"File updated successfully"}

# curl -u foo:bar -X GET "http://localhost:55000/manager/files?path=etc/rules/new_rules.xml"   
{"error":0,"data":"  <!-- Local rules -->\n  <!-- Modify it at your will. -->\n  <!-- Example -->\n  <group name=\"local,\">\n    <!--   NEW RULE    -->\n    <rule id=\"100001111\" level=\"5\">\n      <if_sid>5716</if_sid>\n      <srcip>1.1.1.1</srcip>\n      <description>sshd: authentication failed from IP 1.1.1.1.</description>\n      <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>\n    </rule>\n  </group>\n"}

# cat /var/ossec/etc/rules/new_rules.xml 
  <!-- Local rules -->
  <!-- Modify it at your will. -->
  <!-- Example -->
  <group name="local,">
    <!--   NEW RULE    -->
    <rule id="100001111" level="5">
      <if_sid>5716</if_sid>
      <srcip>1.1.1.1</srcip>
      <description>sshd: authentication failed from IP 1.1.1.1.</description>
      <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
    </rule>
  </group>
# cat decoders.xml  
<!-- NEW Local Decoders -->

<!-- Modify it at your will. -->

<decoder name="local_decoder_example">
    <program_name>NEW DECODER</program_name>
</decoder>

# curl -u foo:bar -X POST -H 'Content-type: application/xml' -d @/home/druizz/decoders.xml "http://localhost:55000/manager/files?path=etc/decoders/new_decoders.xml"   
{"error":0,"data":"File updated successfully"}

# curl -u foo:bar -X GET "http://localhost:55000/manager/files?path=etc/decoders/new_decoders.xml"                                                           
{"error":0,"data":"  <!-- NEW Local Decoders -->\n  <!-- Modify it at your will. -->\n  <decoder name=\"local_decoder_example\">\n    <program_name>NEW DECODER</program_name>\n  </decoder>\n"}

# cat /var/ossec/etc/decoders/new_decoders.xml 
  <!-- NEW Local Decoders -->
  <!-- Modify it at your will. -->
  <decoder name="local_decoder_example">
    <program_name>NEW DECODER</program_name>
  </decoder>
# cat list.txt                                                                                                                                                          
audit-wazuh-w:write
audit-wazuh-r:read
audit-wazuh-a:attribute
audit-wazuh-x:execute
audit-wazuh-c:command

# curl -u foo:bar -X POST -H "Content-type:application/octet-stream" --data-binary @/home/druizz/list.txt "http://localhost:55000/manager/files?path=etc/lists/new_list"
{"error":0,"data":"File updated successfully"}

# curl -u foo:bar -X GET "http://localhost:55000/manager/files?path=etc/lists/new_list"                                                                      
{"error":0,"data":"audit-wazuh-w:write\naudit-wazuh-r:read\naudit-wazuh-a:attribute\naudit-wazuh-x:execute\naudit-wazuh-c:command\n"}

# cat /var/ossec/etc/lists/new_list
audit-wazuh-w:write
audit-wazuh-r:read
audit-wazuh-a:attribute
audit-wazuh-x:execute
audit-wazuh-c:command

Best regards,

Demetrio.

@crd1985
Contributor

crd1985 commented Jan 28, 2019

Hi,
could you provide some tests trying relative paths and non-utf8 encoded files?
I would like to guarantee the API does not crash in these specific cases and avoid some security risks.
Thanks!

@druizz90
Contributor Author

druizz90 commented Jan 29, 2019

Hi,

This is an example using a file with latin1 encoding and non-common symbols:

# cat test_no_utf8 
<!-- NEW Local Decoders -->

<!-- Modify it at your will. -->

<decoder name="local_decoder_example">
    <program_name>ÃdasdfdfweóñNEW DECODER</program_name>
</decoder>

# curl -u foo:bar -X POST -H 'Content-type: application/xml' -d @/home/druizz/test_no_utf8 "http://localhost:55000/manager/files?path=etc/decoders/new_decoders.xml"
{"error":0,"data":"File updated successfully"}

# curl -u foo:bar -X GET "http://localhost:55000/manager/files?path=etc/decoders/new_decoders.xml"
{"error":0,"data":"  <!-- NEW Local Decoders -->\n  <!-- Modify it at your will. -->\n  <decoder name=\"local_decoder_example\">\n    <program_name>ÃdasdfdfweóñNEW DECODER</program_name>\n  </decoder>\n"}

# cat /var/ossec/etc/decoders/new_decoders.xml
  <!-- NEW Local Decoders -->
  <!-- Modify it at your will. -->
  <decoder name="local_decoder_example">
    <program_name>ÃdasdfdfweóñNEW DECODER</program_name>
  </decoder>

This is another example with a wrong path parameter:

curl -u foo:bar -X POST -H 'Content-type: application/xml' -d @/home/druizz/test_no_utf8 "http://localhost:55000/manager/files?path=etc/directory/new_decoders.xml"
{"error":704,"message":"Invalid path"}
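One way to implement the two checks the review above asks about, the path restriction behind the "Invalid path" error and a decoding fallback for non-UTF-8 (latin1) uploads, as an added Python example that is not the Wazuh API's own code; the base directory, the allowed targets, the exception type and the function names are assumptions made for the example:

```python
import os
from pathlib import Path

# Assumed installation root and allowed targets, modelled on the paths this
# PR exercises (etc/rules, etc/decoders, etc/lists and etc/ossec.conf).
OSSEC_PATH = "/var/ossec"
ALLOWED_DIRS = ("etc/rules", "etc/decoders", "etc/lists")
ALLOWED_FILES = ("etc/ossec.conf",)


class InvalidPath(ValueError):
    """Hypothetical exception standing in for the API's error 704 'Invalid path'."""


def validate_path(path: str, base: str = OSSEC_PATH) -> str:
    """Return the absolute path under `base` if `path` is an allowed target.

    Rejects absolute paths, NUL bytes, '.'/'..' components and any file that
    is not directly inside an allowed directory (or ossec.conf itself), so a
    request cannot read or overwrite anything else on the manager.
    """
    if not path or path.startswith("/") or "\x00" in path:
        raise InvalidPath(path)
    if any(part in (".", "..") for part in Path(path).parts):
        raise InvalidPath(path)
    normalized = os.path.normpath(path)
    if normalized in ALLOWED_FILES:
        return os.path.join(base, normalized)
    parent, name = os.path.split(normalized)
    if parent in ALLOWED_DIRS and name:
        return os.path.join(base, normalized)
    raise InvalidPath(path)


def is_valid_path(path: str) -> bool:
    """Boolean wrapper so callers can check a path without handling the exception."""
    try:
        validate_path(path)
        return True
    except InvalidPath:
        return False


def decode_content(raw: bytes) -> str:
    """Decode an uploaded file, falling back to latin-1 when it is not valid UTF-8.

    latin-1 maps every byte to a code point, so the fallback never raises and
    the latin1 example from this thread (e.g. 'ó', 'ñ') round-trips intact.
    """
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("latin-1")
```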

@druizz90
Contributor Author

druizz90 commented Feb 1, 2019

Unit tests

python3 -m pytest -v
================================================ test session starts =================================================
platform linux -- Python 3.6.3, pytest-4.2.0, py-1.7.0, pluggy-0.8.1 -- /usr/bin/python3
cachedir: .pytest_cache
rootdir: wazuh/framework, inifile:
collected 2 items

tests/test_manager.py::TestManager::test_get_file PASSED                                                       [ 50%]
tests/test_manager.py::TestManager::test_upload_file PASSED                                                    [100%]

Mocha tests

$ mocha test/test_manager.js

  Manager

POST/manager/files
      ✓ Upload rules (239ms)
      ✓ Upload decoder (234ms)
      ✓ Upload list (259ms)
      ✓ Upload malformed list
      ✓ Upload malformed rule
      ✓ Upload malformed decoder
      ✓ Upload malformed list
    /manager/files
      ✓ Request rules (228ms)
      ✓ Request decoders (249ms)
      ✓ Request lists (231ms)
      ✓ Request wrong path 1
      ✓ Request wrong path 2
      ✓ Request wrong path 3
      ✓ Request unexisting file (257ms)

@crd1985 crd1985 merged commit deda74c into 3.9 Feb 1, 2019
@crd1985 crd1985 deleted the dev-3.9-edit-ruleset-api branch February 1, 2019 16:34