ossec



Overview

see: https://documentation.wazuh.com/4.0/development/message-format.html

Index

Constants

const (
	// EncryptionMethodBlowFish use BlowFish for transport encryption.
	// NOTE(review): this is the zero value of EncryptionMethod, so a Client
	// built without WithEncryptionMethod presumably ends up with Blowfish —
	// confirm in NewAgent.
	EncryptionMethodBlowFish = EncryptionMethod(0)
	// EncryptionMethodAES use AES for transport encryption
	EncryptionMethodAES = EncryptionMethod(1)
	// SendRateLimit maximum number of messages that can be sent per second
	// (500 is the hard limit on the server - be gentle)
	SendRateLimit = 450

	// PingIntervall time between server pings; the unit is not stated here
	// (presumably seconds — confirm against the caller)
	PingIntervall = 60
)
const (
	// Message headers exchanged with the manager. NOTE(review): the wazuh
	// message-format page linked in the package overview is presumably the
	// reference for these strings — confirm.
	// CONTROL_HEADER is the prefix shared by the control headers derived from it below.
	CONTROL_HEADER     = "#!-"
	EXECD_HEADER       = "execd "
	FILE_UPDATE_HEADER = CONTROL_HEADER + "up file "
	FILE_CLOSE_HEADER  = CONTROL_HEADER + "close file "
	HC_STARTUP         = "agent startup "
	HC_ACK             = CONTROL_HEADER + "agent ack "
	HC_SK_DB_COMPLETED = "syscheck-db-completed"
	HC_SK_RESTART      = "syscheck restart"
	HC_REQUEST         = "req "
	HC_FIM_DB_SFS      = "fim-db-start-first-scan"
	HC_FIM_DB_EFS      = "fim-db-end-first-scan"
	HC_FIM_DB_SS       = "fim-db-start-scan"
	HC_FIM_DB_ES       = "fim-db-end-scan"
	CFGA_DB_DUMP       = "sca-dump"
	HC_SK              = "syscheck "
	HC_FIM_FILE        = "fim_file "
	HC_FIM_REGISTRY    = "fim_registry "

	// Queue identifiers; rune values usable as Queue.TargetQueue / WithTargetQueue.
	LOCALFILE_MQ = '1'
	SYSLOG_MQ    = '2'
	HOSTINFO_MQ  = '3'
	SECURE_MQ    = '4'
	SYSCHECK_MQ  = '8'
	ROOTCHECK_MQ = '9'

	// Read timeouts. NOTE(review): presumably passed as the timeout argument of
	// ReadServerResponse / SendMessage — confirm against the callers.
	ReadWaitTimeout      = time.Duration(30 * time.Second)
	ReadImmediateTimeout = time.Duration(1 * time.Second)
)

Variables

This section is empty.

Functions

func PKCS7Padding added in v0.6.0

func PKCS7Padding(ciphertext []byte, blockSize int) []byte

Use PKCS#7 to pad data to blockSize; iOS also uses PKCS#7.

func PKCS7UnPadding added in v0.6.0

func PKCS7UnPadding(origData []byte) []byte

Types

type AgentKey

// AgentKey a single key entry (one line of the agent key file; see ParseAgentKey).
type AgentKey struct {
	AgentID   string
	AgentName string
	// AgentKey is the agent's shared key. NOTE(review): this is secret
	// material (presumably loaded from client.keys via LoadAgentKeyMap) —
	// keep it out of logs and error messages.
	AgentKey       string
	AgentHashedKey string
	// AgentAllowedIPs which IPs are allowed (see WithAgentAllowedIPs).
	AgentAllowedIPs string
	// AgentIP IP reported in messages (see WithAgentIP).
	AgentIP string
}

AgentKey a single key entry

func ParseAgentKey

func ParseAgentKey(line string) (*AgentKey, error)

ParseAgentKey parse a single key entry line

func RegisterAgent added in v0.3.0

func RegisterAgent(cfg *EnrollmentConfig) (*AgentKey, error)

RegisterAgent register an agent via the AuthD Service

func (*AgentKey) WriteAgentKey added in v0.6.1

func (a *AgentKey) WriteAgentKey(filename string) error

type AgentKeyMap

// AgentKeyMap map of agents in agents key file. NOTE(review): the map key is
// presumably the AgentID — confirm in LoadAgentKeyMap.
type AgentKeyMap map[string]*AgentKey

AgentKeyMap map of agents in agents key file

func GetAgentKeyMap added in v0.3.5

func GetAgentKeyMap(filename string) (AgentKeyMap, error)

GetAgentKeyMap reads from the environment and, if not found there, tries the default file

func LoadAgentKeyMap

func LoadAgentKeyMap(filename string) (AgentKeyMap, error)

LoadAgentKeyMap reads all agent entries from a file (/var/ossec/etc/client.keys)

type AgentOption

// AgentOption allows setting custom parameters during construction. Options
// are passed to NewAgent and applied to the *Client; a non-nil error
// presumably aborts construction — confirm in NewAgent.
type AgentOption func(*Client) error

AgentOption allows setting custom parameters during construction

func WithAgentAllowedIPs

func WithAgentAllowedIPs(allowedIPs string) AgentOption

WithAgentAllowedIPs which IPs are allowed

func WithAgentIP

func WithAgentIP(agentIP string) AgentOption

WithAgentIP use specific Agent IP in messages

func WithBasePath added in v0.5.0

func WithBasePath(basePath string) AgentOption

WithBasePath sets the directory where downloaded files are cached

func WithClientName added in v0.3.5

func WithClientName(clientName string) AgentOption

WithClientName use a custom client name

func WithClientVersion added in v0.3.5

func WithClientVersion(clientVersion string) AgentOption

WithClientVersion use a custom client version

func WithContext

func WithContext(ctx context.Context) AgentOption

WithContext use a custom context

func WithEncryptionMethod

func WithEncryptionMethod(encryptionMethod EncryptionMethod) AgentOption

WithEncryptionMethod specify encryption method to use

func WithPort

func WithPort(port uint16) AgentOption

WithPort use specific port

func WithTCP

func WithTCP(tcp bool) AgentOption

WithTCP use TCP as Transport

func WithUDP

func WithUDP(udp bool) AgentOption

WithUDP use UDP as Transport

func WithZapLogger

func WithZapLogger(logger *zap.Logger) AgentOption

WithZapLogger use a custom logger

type AgentShutDownEvent added in v0.6.1

// AgentShutDownEvent is an empty marker type; it carries no data.
// NOTE(review): presumably delivered on the event channel returned by
// AgentLoop — confirm.
type AgentShutDownEvent struct {
}

type Client

// Client allows to handshake with the server to reach a pending state (which
// allows the agent to become a group member). Construct with NewAgent.
type Client struct {
	// AgentKey holds the agent identity and shared key used for the handshake.
	*AgentKey
	Server string
	Port   uint16
	// UDP selects the transport (see WithUDP / WithTCP).
	UDP bool

	// EncryptionMethod is the transport cipher. NOTE(review): the zero value
	// is EncryptionMethodBlowFish, so a Client built without
	// WithEncryptionMethod presumably uses Blowfish — confirm in NewAgent.
	EncryptionMethod EncryptionMethod
	ClientName       string
	ClientVersion    string

	// RemoteFiles files received from the server; the map key is presumably
	// the filename — confirm.
	RemoteFiles       map[string]RemoteFileInfo
	CurrentRemoteFile *RemoteFileInfo
	// contains filtered or unexported fields
}

Client allows to handshake with the server to reach a pending state (which allows the agent to become a group member)

func NewAgent

func NewAgent(server string, agentID string, agentName string, agentKey string, opts ...AgentOption) (*Client, error)

NewAgent create a new Agent for the target server

func (*Client) AgentLoop

func (a *Client) AgentLoop(ctx context.Context, closeOnError bool) (chan *QueuePosting, chan interface{}, error)

AgentLoop Process messages and keep track of connection status

func (*Client) Close

func (a *Client) Close() error

Close closes the connection. Any blocked Read or Write operations will be unblocked and return errors.

func (*Client) Connect

func (a *Client) Connect(isStartup bool) error

Connect connect and do a handshake

func (*Client) IsConencted added in v0.5.0

func (a *Client) IsConencted() bool

func (*Client) PingServer

func (a *Client) PingServer() error

PingServer send a single ping to the server

func (*Client) ReadServerResponse added in v0.6.0

func (a *Client) ReadServerResponse(timeout time.Duration) error

ReadServerResponse read next message

func (*Client) SendMessage

func (a *Client) SendMessage(msg string, readTimeout time.Duration) error

SendMessage send a message and wait for an answer

func (*Client) WriteMessage

func (a *Client) WriteMessage(msg string) error

WriteMessage sends a message without waiting for an answer

type ClientConfig

// ClientConfig see: https://documentation.wazuh.com/4.0/user-manual/reference/ossec-conf/client.html
type ClientConfig struct {
	XMLName xml.Name `xml:"client"`

	// Address specifies the IP address or the hostname of the Wazuh manager.
	Address string `xml:"server>address,omitempty"`

	// Port specifies the port to send events to on the manager. This must match the associated listening port configured on the Wazuh manager.
	Port uint16 `xml:"server>port,omitempty"`

	// Protocol specifies the protocol to use when connecting to the manager.
	Protocol string `xml:"server>protocol,omitempty"`

	// MaxRetries number of connection retries.
	MaxRetries uint16 `xml:"server>max_retries,omitempty"`

	// RetryInterval time interval between connection attempts (seconds).
	RetryInterval uint16 `xml:"server>retry_interval,omitempty"`

	// ConfigProfile specifies the agent.conf profile(s) to be used by the agent.
	ConfigProfile string `xml:"config-profile,omitempty"`

	// NotifyTime specifies the time in seconds between agent check-ins to the manager. More frequent check-ins speed up dissemination of an updated agent.conf file to the agents, but may also put an undue load on the manager if there are a large number of agents.
	NotifyTime uint16 `xml:"notify_time,omitempty"`

	// TimeReconnect specifies the time in seconds before a reconnection is attempted. This should be set to a higher number than the notify_time parameter.
	TimeReconnect uint16 `xml:"time-reconnect,omitempty"`

	// LocalIP specifies which IP address will be used to communicate with the manager when the agent has multiple network interfaces.
	LocalIP string `xml:"local_ip,omitempty"`

	// AutoRestart toggles on and off the automatic restart of agents when a new valid configuration is received from the manager.
	AutoRestart ConvertibleBoolean `xml:"auto_restart,omitempty"`

	// CryptoMethod chooses the encryption of the messages that the agent sends to the manager.
	// NOTE(review): the mapping from this string to EncryptionMethod is not shown here — confirm.
	CryptoMethod string `xml:"crypto_method,omitempty"`
}

ClientConfig see: https://documentation.wazuh.com/4.0/user-manual/reference/ossec-conf/client.html

func LoadClientConfig

func LoadClientConfig(filename string) (*ClientConfig, error)

LoadClientConfig loads the client configuration from a file

func NewClientConfig

func NewClientConfig() *ClientConfig

NewClientConfig new client config with default values set

type ConvertibleBoolean

// ConvertibleBoolean xml bool values (0,no,false / 1,yes,true); parsed by UnmarshalText.
type ConvertibleBoolean bool

ConvertibleBoolean xml bool values (0,no,false / 1,yes,true)

func (*ConvertibleBoolean) UnmarshalText added in v0.3.5

func (bit *ConvertibleBoolean) UnmarshalText(data []byte) error

UnmarshalText converts the text value to a boolean

type CorruptMessage added in v0.5.0

// CorruptMessage is the error type returned for a message that could not be
// processed; construct with NewCorruptMessage. Fields are unexported.
type CorruptMessage struct {
	// contains filtered or unexported fields
}

func NewCorruptMessage added in v0.5.0

func NewCorruptMessage(typ string) CorruptMessage

func (CorruptMessage) Error added in v0.5.0

func (cme CorruptMessage) Error() string

type EncryptionMethod

// EncryptionMethod supported transport encryption; values are
// EncryptionMethodBlowFish (0, the zero value) and EncryptionMethodAES (1).
type EncryptionMethod int

EncryptionMethod supported transport encryption

type EnrollmentConfig added in v0.3.0

// EnrollmentConfig enrolment configuration, consumed by RegisterAgent.
type EnrollmentConfig struct {
	// ManagerName manager's hostname or IP address
	ManagerName string
	// Port manager's port
	Port int
	// AgentName (optional) name of the agent. When empty the enrollment message
	// presumably sends the local hostname — confirm in RegisterAgent.
	AgentName string
	AgentID   string
	AgentIP   string
	// SenderIP IP address or CIDR of the agent. When empty the manager will use the source IP.
	SenderIP string
	// UseSrcIP forces the manager to use the source IP
	UseSrcIP bool
	// AuthPass password for enrollment verification. NOTE(review): secret
	// material — keep it out of logs and error messages.
	AuthPass string
	// AgentKey agent key (empty if not used)
	AgentKey string
	// AgentCert agent certificate
	AgentCert stringMap
	// CACert CA certificate to verify the server (empty if not used).
	// NOTE(review): by this comment, an empty CACert presumably means the
	// server is not verified — confirm in RegisterAgent.
	CACert string

	Groups []string
	// contains filtered or unexported fields
}

EnrollmentConfig enrolment configuration

func NewEnrollmentConfig added in v0.3.0

func NewEnrollmentConfig() (*EnrollmentConfig, error)

NewEnrollmentConfig initialize new enrolment config

func (*EnrollmentConfig) SetLogger added in v0.6.1

func (c *EnrollmentConfig) SetLogger(logger *zap.Logger)

type Event

// Event static structured event data; embeds IntegrationEvent and adds a
// free-form wodle event string.
type Event struct {
	IntegrationEvent
	Event string `json:"Wodle event,omitempty"`
}

Event static structured event data: user, srcip, dstip, srcport, dstport, protocol, action, id, url, data, extra_data, status, system_name. See https://documentation.wazuh.com/4.0/user-manual/ruleset/dynamic-fields.html and https://github.com/wazuh/wazuh/blob/master/src/analysisd/decoders/plugins/json_decoder.c

type FileUpdatedEvent added in v0.6.1

// FileUpdatedEvent carries the RemoteFileInfo of a file received from the
// server. NOTE(review): presumably delivered on the event channel returned
// by AgentLoop — confirm.
type FileUpdatedEvent struct {
	FileInfo *RemoteFileInfo
}

type InitInfo

// InitInfo information gathered from ossec-init.conf (see ReadInitInfo);
// raw key/value access is available through Get.
type InitInfo struct {
	Directory string          `json:"Directory"`
	Name      string          `json:"Name"`
	Version   *semver.Version `json:"Version"`
	Revision  uint            `json:"Revision"`
	Date      time.Time       `json:"Date"`
	Type      string          `json:"Type"`
	// contains filtered or unexported fields
}

InitInfo information gathered from ossec-init.conf

// LocalInitInfo contains the init info of the locally installed OSSEC.
// NOTE(review): mutable package-level state; which function populates it is
// not shown here — confirm before relying on it being non-nil.
var LocalInitInfo *InitInfo

LocalInitInfo contains the init info of the locally installed OSSEC

func DefaultInintInfo added in v0.3.1

func DefaultInintInfo() *InitInfo

DefaultInintInfo Create a default Info

func NewInitInfo

func NewInitInfo() (*InitInfo, error)

NewInitInfo read InitInfo from default location

func ReadInitInfo

func ReadInitInfo(file io.Reader) (*InitInfo, error)

ReadInitInfo read InitInfo from file

func (*InitInfo) Get

func (i *InitInfo) Get(key string) (string, bool)

Get retrieves raw data

type IntegrationEvent

// IntegrationEvent basic integration message: the integration name plus
// standard IntegrationMeta fields.
type IntegrationEvent struct {
	Integration string          `json:"integration,omitempty"`
	Meta        IntegrationMeta `json:"meta,omitempty"`
}

IntegrationEvent basic integration message

type IntegrationMeta

// IntegrationMeta standard metadata serialized as JSON. Pointer fields
// (SourceIP, SourcePort, DestinationIP, DestinationPort) are omitted when nil.
type IntegrationMeta struct {
	//	InputType       string      `json:"input>type,omitempty"`
	//	DecoderName     string      `json:"decoder>name,omitempty"`
	ID               string      `json:"id,omitempty"`
	URL              string      `json:"url,omitempty"`
	User             string      `json:"user,omitempty"`
	SourceUser       string      `json:"srcuser,omitempty"`
	SourceIP         *net.IP     `json:"srcip,omitempty"`
	SourcePort       *uint       `json:"srcport,omitempty"`
	DestinationIP    *net.IP     `json:"dstip,omitempty"`
	DestinationGeoIP string      `json:"dstgeoip,omitempty"`
	DestinationUser  string      `json:"dstuser,omitempty"`
	DestinationPort  *uint       `json:"dstport,omitempty"`
	Protocol         string      `json:"protocol,omitempty"`
	Action           string      `json:"action,omitempty"`
	Status           string      `json:"status,omitempty"`
	SystemName       string      `json:"systemname,omitempty"`
	// ExtraData arbitrary additional payload; encoded as-is by encoding/json.
	ExtraData        interface{} `json:"extra_data,omitempty"`
}

IntegrationMeta standard metadata

type LocalConfig

// LocalConfig see https://documentation.wazuh.com/4.0/user-manual/reference/ossec-conf/index.html
// Root <ossec_config> element; only the <client> section is mapped here.
type LocalConfig struct {
	XMLName      xml.Name     `xml:"ossec_config"`
	ClientConfig ClientConfig `xml:"client"`
}

LocalConfig see https://documentation.wazuh.com/4.0/user-manual/reference/ossec-conf/index.html

type Queue

// Queue helper to create a custom wodle; construct with NewQueue.
type Queue struct {
	// TargetQueue queue identifier rune (presumably one of the *_MQ constants — confirm).
	TargetQueue rune
	AgentName   string
	Type        string
	QueuePath   string
	InitInfo    *InitInfo
	Logger      *zap.Logger
	// contains filtered or unexported fields
}

Queue helper to create a custom wodle

func NewQueue

func NewQueue(typ string, opts ...QueueOption) (*Queue, error)

NewQueue create new wodle

func (*Queue) AgentLoop

func (w *Queue) AgentLoop(ctx context.Context, closeOnError bool) (chan *QueuePosting, chan interface{}, error)

AgentLoop process incoming messages

func (*Queue) DebugMessage

func (w *Queue) DebugMessage(msg string) error

DebugMessage send a debug event

func (*Queue) SendMessage

func (w *Queue) SendMessage(event interface{}, location string, programName string) error

SendMessage sends a single message to the agent's queue

type QueueError added in v0.4.0

// QueueError wraps an error that occurred during a queue operation;
// construct with NewQueueError.
type QueueError struct {
	// Operation names the queue operation that failed.
	Operation string
	// InnerError is the underlying error.
	InnerError error
}

func NewQueueError added in v0.4.0

func NewQueueError(operation string, innerError error) QueueError

func (QueueError) Error added in v0.4.0

func (m QueueError) Error() string

type QueueOption

// QueueOption allows setting custom parameters during construction; options
// are passed to NewQueue and applied to the *Queue.
type QueueOption func(*Queue) error

QueueOption allows setting custom parameters during construction

func WithInitInfo

func WithInitInfo(initInfo *InitInfo) QueueOption

WithInitInfo use a custom InitInfo

func WithQueueLogger

func WithQueueLogger(logger *zap.Logger) QueueOption

WithQueueLogger use a custom logger

func WithQueuePath

func WithQueuePath(path string) QueueOption

WithQueuePath use a custom queue path

func WithTargetQueue

func WithTargetQueue(queue rune) QueueOption

WithTargetQueue use a custom target queue

type QueuePosting

// QueuePosting a message for the queue, as exchanged over the channel returned by AgentLoop.
type QueuePosting struct {
	Location    string
	ProgramName string
	// TargetQueue queue identifier rune (presumably one of the *_MQ constants — confirm).
	TargetQueue rune
	Timestamp   time.Time
	// Raw the event payload.
	Raw interface{}
}

QueuePosting a message for the queue

type RemoteFileInfo added in v0.6.0

// RemoteFileInfo describes a file received from the server: its name, a hash
// string and the buffered content. NOTE(review): the hash algorithm and
// whether Hash is verified against Content are not shown here — confirm.
type RemoteFileInfo struct {
	Filename string
	Hash     string
	Content  *bytes.Buffer
}

type WithLoggin

// WithLoggin is an empty struct; no use of it is visible on this page.
type WithLoggin struct {
}
