<script type="text/javascript" src='/ossim/ossec/js/agents.js'></script>
<script type="text/javascript" src="/ossim/js/greybox.js"></script>
<?php
// Shared host-report context menu (markup defined in the included file).
require AV_MAIN_ROOT_PATH . '/host_report_menu.php';
?>
<script type="text/javascript">
// Groups the characters of nNmb (used as a string via charAt/length) in threes
// from the right, joining the groups with the server-side thousands separator.
// No numeric parsing is done, so callers are expected to pass digits only.
function formatNmb(nNmb)
{
    var sRes = "";

    // NOTE: 'j' is declared twice in this header; harmless because 'var' hoists.
    for (var j, i = nNmb.length - 1, j = 0; i >= 0; i--, j++)
    {
        // The separator is emitted by PHP into this JS string literal, so it is
        // assumed to be a short, quote-free string — confirm in Ossec_utilities.
        sRes = nNmb.charAt(i) + ((j > 0) && (j % 3 == 0)? "<?php echo Ossec_utilities::thousands_locale(); ?> ": '') + sRes;
    }

    return sRes;
}

// Builds an absolutely positioned tooltip <div> near (x, y). 'contents' is
// concatenated straight into HTML markup, so it must already be escaped by
// the caller (not verifiable here).
function showTooltip(x, y, contents)
{
    $('<div id="tooltip" class="tooltipLabel"><span style="font-size:10px;">' + contents + '</span></div>').css({ position: 'absolute', display: 'none', top: y - 28, left: x - 10,
* MA 02110-1301 USA
*
*
* On Debian GNU/Linux systems, the complete text of the GNU General
* Public License can be found in `/usr/share/common-licenses/GPL-2'.
*
* Otherwise you can read it here: http://www.gnu.org/licenses/gpl-2.0.txt
*
*/

// Page bootstrap for the HIDS (OSSEC) configuration view: enforce the menu
// permission, resolve the sensor chosen earlier in the session, check that at
// least one sensor is available, then release the session before rendering.
require_once dirname(__FILE__) . '/conf/config.inc';

// Access control for this page; the request is not expected to continue past
// this call without the 'EventsHidsConfig' permission.
Session::logcheck('environment-menu', 'EventsHidsConfig');

//Current sensor
// Read from the session, not from the request; it is expected to have been
// validated where it was stored (not visible here).
$sensor_id = $_SESSION['ossec_sensor'];

$db   = new ossim_db();
$conn = $db->connect();

// get_sensors() is expected to return at least the keys 'sensor_opt' and 'sensors'.
$s_data     = Ossec_utilities::get_sensors($conn, $sensor_id);
$sensor_opt = $s_data['sensor_opt'];

$db->close();

//Check available sensors
// Without sensors the page renders an informational error box and stops.
if (!is_array($s_data['sensors']) || empty($s_data['sensors']))
{
    $styles = 'width: 90%; text-align:left; margin: 50px auto;';

    echo ossim_error(_('There is no sensor available'), AV_INFO, $styles);
    exit;
}

// Expose the IDM feature flag to later requests through the session.
$conf        = $GLOBALS['CONF'];
$idm_enabled = $conf->get_conf('enable_idm');

$_SESSION['_idm'] = $idm_enabled;

// Release the session lock now that all session writes are done, so that
// concurrent requests from this page are not serialised behind it.
session_write_close();
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
$asset_sensors = Asset_host_sensors::get_sensors_by_id($conn, $asset_id);

// $cnd_1 is computed before this point (presumably the sensor permission check);
// $cnd_2: the selected sensor is not one of the asset's sensors.
$cnd_2 = empty($asset_sensors[$sensor_id]);

if ($cnd_1 || $cnd_2)
{
    $validation_errors['sensor_id'] = sprintf(_("Sensor %s not allowed. Please check with your account admin for more information"), Av_sensor::get_name_by_id($conn, $sensor_id));
}
else
{
    // Resolve the sensor's system record to build the "<ip> [<name>]" label.
    $system_ids = Av_center::get_system_id_by_component($conn, $sensor_id);
    $res        = Av_center::get_system_info_by_id($conn, $system_ids['non-canonical']);

    if ($res['status'] == 'success')
    {
        //We use this function to calculate sensor name because in HA environments there are two systems for one Sensor ID
        if (empty($res['data']['ha_ip']))
        {
            $sensor_name = $res['data']['name'];
        }
        else
        {
            $sensor_name = Av_sensor::get_name_by_id($conn, $sensor_id);
        }

        // The default sensor (when not in HA) is addressed by its admin IP
        // rather than its current IP.
        $sensor_ip = $res['data']['current_ip'];

        if (Ossec_utilities::get_default_sensor_id() == $sensor_id && empty($res['data']['ha_ip']))
        {
            $sensor_ip = $res['data']['admin_ip'];
        }

        $sensor_ip_txt = $sensor_ip . ' [' . $sensor_name . ']';
    }
    // NOTE: when the system lookup fails, $sensor_ip / $sensor_ip_txt stay unset here.

    //Getting Agent information
    // The lookup assumes get_related_hids_agents() keys its result by
    // md5(SENSOR_ID#agent_id); md5 is only a key derivation here, not a security control.
    $_aux_agent = Asset_host::get_related_hids_agents($conn, $asset_id, $sensor_id);
    $agent_key  = md5(strtoupper($sensor_id) . '#' . $agent_id);
    $agent      = $_aux_agent[$agent_key];

    if (empty($agent))
    {
        $validation_errors['agent_id'] = _('Error! Agent information cannot be retrieved from system');
    }
    else
    {
        $agent_descr = $agent['name'] . ' (' . $agent['ip_cidr'] . ')';
    }
}
}
$title = $editable == TRUE ? _("Edit node: {$node_name} ") : _("Show node: {$node_name} ");
// NOTE: $node_name is interpolated before _() sees the string, so the gettext
// lookup is performed on the already-expanded text rather than a fixed msgid.
?>
<div id='edit_container'>
    <table id='header_rule'>
        <tbody>
            <tr><td class='sec_title'><?php /* $title is echoed as-is; $node_name is assumed to be HTML-safe where it is set (not visible here). */ echo $title; ?> </td></tr>
        </tbody>
    </table>
    <form name='form_m' id='form_m'>
        <table class='er_container' id='erc1'>
            <tbody id='erb_c1'>
                <?php
                // Attribute section for the selected node: subheader followed by the
                // node's attributes, rendered read-only unless $editable.
                echo Ossec_utilities::print_subheader('attributes', $editable);

                $at_data = array('data' => $attributes, 'img_path' => 'images', 'is_editable' => $editable, 'lk_name' => $lk_name);

                echo Ossec_utilities::print_attributes($at_data);
                ?>
            </tbody>
        </table>
        <?php
        // Footer controls; their definition lives in $sf_data (set before this point).
        echo Ossec_utilities::print_subfooter($sf_data, $editable);
        ?>
    </form>
</div>
}
}

// Prefer the IDM-reported address when it is a valid IP, else the agent's own IP.
$ip_cidr = Asset_host_ips::valid_ip($agent_idm_ip) ? $agent_idm_ip : $agent['ip'];
}

$data = array();

// Trend data is only fetched for agents that have connected at least once
// and whose address is a valid IP.
if (!preg_match('/Never connected/i', $agent['status']) && Asset_host_ips::valid_ip($ip_cidr))
{
    $data = Ossec_utilities::SIEM_trends_hids($conn, $ip_cidr);
}

// Fallback markup when there is nothing to plot.
$trend_plot = "<div style='color:gray; margin:15px; text-align:center;'>" . _('Trend chart not available') . "</div>";

if (is_array($data) && !empty($data))
{
    // NOTE(review): $trend is initialised as '' but is then written with string
    // keys ($trend[$d] = ...). PHP < 7.1 silently turned an empty string into an
    // array here; from 7.1 on it does not, so array() is the safe initialiser.
    $trend = '';
    $max   = 7;

    // Last $max days (oldest first), keyed by "j M" in UTC; missing days count as 0.
    // $timetz is assumed to be a Unix timestamp already adjusted to the display
    // timezone — confirm where it is computed.
    for ($ii = $max - 1; $ii >= 0; $ii--)
    {
        $d = gmdate("j M", $timetz - 86400 * $ii);
        $trend[$d] = $data[$d] != '' ? $data[$d] : 0;
    }

    // x positions 0..n-1 in day order; y values are the counts; ticks reuse the
    // positions and labels reuse the day strings.
    $i = 0;
    foreach ($trend as $k => $v)
    {
        $x[$k] = $i;
        $i++;
    }

    $y      = $trend;
    $xticks = $x;

    foreach ($trend as $k => $v)
    {
        $xlabels[$k] = $k;
    }

    // $agent_id becomes part of an HTML id attribute; it is assumed to have been
    // validated upstream (not visible here).
    $trend_plot = "<div id='plotarea_" . $agent_id . "'>" . Ossec_utilities::plot_graphic('plotarea_' . $agent_id, 40, 250, $x, $y, $xticks, $xlabels, FALSE) . '</div>';
}

$db->close();

echo $trend_plot;
}
$data['status'] = 'error';
$data['data']   = _('Error! XML file not updated (1)');

echo json_encode($data);
}
else
{
    // Serialise the in-memory rule tree back to XML and push it to the sensor,
    // then reload the tree from the sensor so the session copy matches what was written.
    $xml    = new Xml_parser($lk_name);
    $output = $xml->array2xml($tree);
    $output = Ossec_utilities::formatOutput($output, $lk_name);

    // NOTE(review): utf8_decode() maps to ISO-8859-1 and replaces any character
    // outside that range with '?', so non-Latin-1 rule content is silently
    // altered before it is written; the function is also deprecated since PHP 8.2.
    $output = utf8_decode($output);

    try
    {
        Ossec::set_rule_file($sensor_id, $file, $output);

        $tree      = Ossec::get_tree($sensor_id, $file);
        $tree_json = Ossec_utilities::array2json($tree, $file);

        $_SESSION['_tree_json'] = $tree_json;
        $_SESSION['_tree']      = $tree;
    }
    catch (Exception $e)
    {
        $data['status'] = 'error';
        $data['data']   = $e->getMessage();
    }
}
}

if ($data['status'] == 'error')
{
    //Restore copy
    // Roll the rule file back from the backup taken before the update ($path_tmp,
    // $rule_file and $tree_cp are set before this point) and restore the session tree.
    // NOTE(review): the '@' discards copy()'s return value, so a failed rollback
    // leaves the file in its updated state while the session reports the old tree;
    // checking the result would make that visible. Nothing in this branch echoes a
    // response for the catch path above — confirm the client is still answered.
    @copy($path_tmp, $rule_file);

    $_SESSION['_tree']      = $tree_cp;
    $_SESSION['_tree_json'] = Ossec_utilities::array2json($tree_cp, $file);
}
else
{
    $data['status'] = 'success';
    // Response payload: "<message>###<base64 JSON tree>"; the '###' separator is
    // split by the caller (not visible here).
    $data['data']   = _('XML file update successfully') . '###' . base64_encode($tree_json);

    echo json_encode($data);
}

// Remove the temporary backup in either case.
@unlink($path_tmp);
*
* You should have received a copy of the GNU General Public License
* along with this package; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
* MA 02110-1301 USA
*
*
* On Debian GNU/Linux systems, the complete text of the GNU General
* Public License can be found in `/usr/share/common-licenses/GPL-2'.
*
* Otherwise you can read it here: http://www.gnu.org/licenses/gpl-2.0.txt
*
*/

// AJAX endpoint: returns one rule node (identified by the posted key value) as
// formatted XML, wrapped in a JSON {status, data} envelope.
require_once dirname(__FILE__) . '/../../conf/config.inc';

Session::logcheck('environment-menu', 'EventsHidsConfig');

//Get XML node
// lk_value comes straight from POST and is not validated in this file; it is
// only used as a lookup key into the tree held in the session, so its exposure
// depends on what Ossec::get_child() does with it — confirm there.
$lk_value = POST('lk_value');
$lk_name  = $_SESSION['lk_name'];
$tree_lr  = $_SESSION['_tree'];

$child = Ossec::get_child($tree_lr, $lk_name, $lk_value);

// Wrap the child subtree as a single <rule> under a root carrying the key attribute.
// Built before the emptiness check below, so a missing child may only raise an
// offset notice here; $rule is used in the success branch only.
$rule = array('@attributes' => array($lk_name => '1'), '0' => array('rule' => $child['tree']));

if (!empty($child))
{
    $xml_obj = new Xml_parser($lk_name);
    $output  = $xml_obj->array2xml($rule);

    $data['status'] = 'success';
    $data['data']   = Ossec_utilities::formatOutput($output, $lk_name);
}
else
{
    $data['status'] = 'error';
    $data['data']   = _('Error! Information not available');
}

echo json_encode($data);
ossim_valid($file, OSS_ALPHA, OSS_SCORE, OSS_DOT, 'illegal:' . _('File'));
// NOTE(review): OSS_DOT admits '.', so this character-class check alone does not
// reject '..' sequences; confirm that Ossec::get_key_name()/get_tree() resolve
// $file inside a fixed rules directory rather than using it as a path fragment.

if (!ossim_error())
{
    // Authorisation: the requesting user must be allowed to use this sensor.
    $db   = new ossim_db();
    $conn = $db->connect();

    if (!Ossec_utilities::is_sensor_allowed($conn, $sensor_id))
    {
        ossim_set_error(_('Error! Sensor not allowed'));
    }

    $db->close();
}

if (ossim_error())
{
    $data['status'] = 'error';
    $data['data']   = _('We found the followings errors:') . "<div style='padding-left: 15px; text-align:left;'>" . ossim_get_error_clean() . '</div>';

    echo json_encode($data);
    exit;
}

//Set current file
// Remember the selected file and its key attribute name for the node endpoints,
// which read them back from the session.
$_SESSION['_current_file'] = $file;
$_SESSION['lk_name']       = Ossec::get_key_name($file);

try
{
    $tree      = Ossec::get_tree($sensor_id, $file);
    $tree_json = Ossec_utilities::array2json($tree, $file);

    $_SESSION['_tree_json'] = $tree_json;
    $_SESSION['_tree']      = $tree;

    // Response payload: "<message>###<base64 JSON tree>".
    $data['status'] = 'success';
    $data['data']   = _('Click on a branch to display a node') . '###' . base64_encode($tree_json);
}
catch (Exception $e)
{
    $data['status'] = 'error';
    $data['data']   = $e->getMessage();
}

echo json_encode($data);
exit;
/**
 * Returns the identifier of the default HIDS sensor.
 *
 * Thin wrapper around Ossec_utilities::get_default_sensor_id(), kept for
 * callers that expect a plain function rather than a static method.
 */
function get_sensor_id()
{
    $default_sensor_id = Ossec_utilities::get_default_sensor_id();

    return $default_sensor_id;
}
// Normalise the address to lower case before the literal comparisons below.
// NOTE(review): validate_form_fields('POST', ...) further down presumably reads
// $_POST, so the lower-cased copy stored in $_REQUEST is not the value being
// validated — confirm against its implementation.
$_REQUEST['ip_cidr'] = strtolower(REQUEST('ip_cidr'));
$ip_cidr = REQUEST('ip_cidr');

$validate = array('sensor_id' => array('validation' => "OSS_HEX", 'e_message' => 'illegal:' . _('Sensor ID')), 'asset_id' => array('validation' => "OSS_HEX", 'e_message' => 'illegal:' . _('Asset')), 'ip_cidr' => array('validation' => 'OSS_IP_ADDRCIDR', 'e_message' => 'illegal:' . _('IP/CIDR')));

// 'any' is a permitted literal in place of an address.
if ($ip_cidr == 'any')
{
    $validate['ip_cidr'] = array('validation' => 'any', 'e_message' => 'illegal:' . _('IP/CIDR'));
}

$db   = new ossim_db();
$conn = $db->connect();

//Check Token
// CSRF check; $token is expected to have been read from the request before this point.
if (!Token::verify('tk_f_agents', $token))
{
    $error = Token::create_error_message();
    Util::response_bad_request($error);
}

$validation_errors = validate_form_fields('POST', $validate);

//Extra validations
// Authorisation on the sensor, only once its format has been accepted.
if (empty($validation_errors['sensor_id']) && !Ossec_utilities::is_sensor_allowed($conn, $sensor_id))
{
    $validation_errors['sensor_id'] = sprintf(_("Sensor %s not allowed. Please check with your account admin for more information"), Av_sensor::get_name_by_id($conn, $sensor_id));
}

if (is_array($validation_errors) && !empty($validation_errors))
{
    $error_msg = "<div style='text-align: left;'>" . _('The following errors occurred') . ":</div>\n <div style='padding-left:15px; text-align: left;'>" . implode('<br/>', $validation_errors) . "</div>";

    // NOTE: $error is assigned but not used here; $error_msg is what is returned.
    $error = Token::create_error_message();
    Util::response_bad_request($error_msg);
}

$warning_msg = '';

//Validate IP/CIDR
// Warn (rather than fail) when a specific address does not belong to the asset.
if ($ip_cidr != 'any' && $ip_cidr != '0.0.0.0/0')
{
    if (Asset_host_ips::valid_ip($ip_cidr))
    {
        //Agent IP/CIDR is an IP address
        $asset_ips = Asset_host_ips::get_ips_to_string($conn, $asset_id);

        // NOTE(review): $ip_cidr is placed in the pattern unescaped and unanchored:
        // each '.' matches any character and a substring match is enough, so e.g.
        // 10.1.1.1 also matches 110.1.1.10. preg_quote($ip_cidr, '/') with
        // boundaries around it would make this a literal, whole-address check.
        if (preg_match('/' . $ip_cidr . '/', $asset_ips) == FALSE)
        {
            $warning_msg = _('The asset IP and IP/CIDR do not match');
$conf_file = preg_replace($pattern, $replacement, $conf_file);

// Locate the existing <syscheck> block(s). The pattern has no 's' modifier, so
// '.*' does not cross newlines (unless the preceding preg_replace collapsed
// them), and it is greedy, so several blocks on one line become a single match.
preg_match_all('/<\\s*syscheck\\s*>.*<\\/syscheck>/', $conf_file, $match);

$size_m    = count($match[0]);
$unique_id = uniqid();

if ($size_m > 0)
{
    // Replace the selected block with a placeholder; $ac_key picks the match.
    $pattern = trim($match[0][$ac_key]);
    $copy_cf = str_replace($pattern, $unique_id, $copy_cf);
}
else
{
    // No <syscheck> yet: put the placeholder inside <agent_config>, creating
    // the wrapper element when the file has none.
    if (preg_match("/<\\s*agent_config\\s*>/", $copy_cf))
    {
        $copy_cf = preg_replace("/<\\/\\s*agent_config\\s*>/", "{$unique_id}</agent_config>", $copy_cf, 1);
    }
    else
    {
        $copy_cf = "<agent_config>{$unique_id}</agent_config>";
    }
}

// Substitute the new <syscheck> XML for the placeholder.
// NOTE(review): $node_sys is used as a preg_replace() replacement string, where
// '$n' / '\n' sequences are interpreted as back-references; if it is built from
// user-supplied values, str_replace($unique_id, $node_sys, $copy_cf) is the
// literal substitution intended here.
$copy_cf = preg_replace("/{$unique_id}/", $node_sys, $copy_cf);

$conf_data = Ossec_utilities::formatXmlString($copy_cf);

try
{
    $data = Ossec_agent::set_configuration_file($sensor_id, $conf_data);
}
catch (Exception $e)
{
    $data['status'] = 'error';
    $data['data']   = $e->getMessage();
}

echo json_encode($data);
}
elseif ($tab == '#tab3')
{
    // Raw editor tab: the whole configuration comes base64-encoded from the client.
    // No validation is visible here; authorisation on $sensor_id and any content
    // checks are assumed to live earlier in this file or in set_configuration_file().
    try
    {
        $conf_data = html_entity_decode(base64_decode($_POST['data']), ENT_QUOTES, 'UTF-8');
        $data      = Ossec_agent::set_configuration_file($sensor_id, $conf_data);
    }
    catch (Exception $e)
    {
        $data['status'] = 'error';
        $data['data']   = $e->getMessage();
    }
$data['data'] = $validation_errors;
}

echo json_encode($data);
exit;
}

$validation_errors = validate_form_fields('POST', $validate);

if (is_array($validation_errors) && !empty($validation_errors))
{
    Util::response_bad_request(implode('<br/>', $validation_errors));
}

// Both password fields must match; the privileged password is optional but,
// when given, must match its confirmation too.
if (POST('pass') != POST('passc'))
{
    Util::response_bad_request(_('Password fields are different'));
}

if (!empty($_POST['ppass']) && POST('ppass') != POST('ppassc'))
{
    Util::response_bad_request(_('Privileged Password fields are different'));
}

// Authorisation on the chosen sensor.
if (!Ossec_utilities::is_sensor_allowed($conn, POST('sensor')))
{
    Util::response_bad_request(_('Error! Sensor not allowed'));
}

// Per-entry validation of the posted 'entries' list; the first failing entry ends the request.
$entries = is_array(POST('entries')) ? POST('entries') : array();

foreach ($entries as $entry)
{
    ossim_valid($entry['id_type'], OSS_NOECHARS, OSS_SCORE, OSS_LETTER, 'illegal:' . _('Type'));
    ossim_valid($entry['frequency'], OSS_DIGIT, 'illegal:' . _('frequency'));
    ossim_valid($entry['state'], OSS_NOECHARS, OSS_SCORE, OSS_LETTER, 'illegal:' . _('State'));
    // 'arguments' explicitly admits backtick, '<' and '>' (shell-significant
    // characters) on top of OSS_PUNC_EXT; confirm the value is quoted/escaped
    // wherever it ends up in a command line.
    ossim_valid($entry['arguments'], OSS_NOECHARS, OSS_TEXT, OSS_SPACE, OSS_AT, OSS_NULLABLE, OSS_PUNC_EXT, '\\`', '\\<', '\\>', 'illegal:' . _('Arguments'));

    if (ossim_error())
    {
        Util::response_bad_request(ossim_get_error_clean());
    }
}

$ip        = POST('ip');
$sensor_id = POST('sensor');
$hostname  = POST('hostname');
$os_windows = POST('os_windows');
break;

case 'deploy_agent':
    $sensor_id  = POST('sensor_id');
    $ip_address = POST('ip_address');
    $user       = POST('user');
    $pass       = POST('pass');   // deployment credential; keep it out of logs and error messages
    $domain     = POST('domain');

    //Extra validations
    // Run only when the field-format validation (presumably performed before
    // this point) produced no errors.
    if (empty($validation_errors))
    {
        //Checking Asset ID
        if (Asset_host::is_allowed($conn, $asset_id) == FALSE)
        {
            $validation_errors['asset_id'] = _('You do not have permission to deploy HIDS agent to this asset. Please check with your account admin for more information');
        }

        //Checking HIDS Sensor
        // The sensor must be both permitted for the user and associated with the asset.
        $cnd_1 = Ossec_utilities::is_sensor_allowed($conn, $sensor_id) == FALSE;

        $asset_sensors = Asset_host_sensors::get_sensors_by_id($conn, $asset_id);
        $cnd_2         = empty($asset_sensors[$sensor_id]);

        if ($cnd_1 || $cnd_2)
        {
            $validation_errors['sensor_id'] = sprintf(_("Sensor %s not allowed. Please check with your account admin for more information"), Av_sensor::get_name_by_id($conn, $sensor_id));
        }

        //Checking IP Address
        // NOTE(review): $ip_address is interpolated into the regex unescaped and
        // unanchored. Each '.' matches any character and a substring is enough,
        // so 10.1.1.1 also matches 110.1.1.10; a value containing '/' or other
        // metacharacters makes preg_match() return FALSE (an error), which this
        // '== FALSE' test reports as a plain mismatch. preg_quote($ip_address, '/')
        // with boundaries around it gives the literal whole-address check intended.
        $aux_asset_ips = Asset_host_ips::get_ips_to_string($conn, $asset_id);

        if (preg_match('/' . $ip_address . '/', $aux_asset_ips) == FALSE)
        {
            $validation_errors['ip_address'] = _("The IP address you enter is not valid. Please check your asset and network settings and try again");
        }
    }
break;

case 'deploy_agentless':
    /***********************************************
    ******************* TO DO ******************
*
*
* On Debian GNU/Linux systems, the complete text of the GNU General
* Public License can be found in `/usr/share/common-licenses/GPL-2'.
*
* Otherwise you can read it here: http://www.gnu.org/licenses/gpl-2.0.txt
*
*/

// AJAX endpoint: select the working HIDS sensor and list its rule files.
// The response is plain text prefixed with a status code: "2###<errors html>"
// on failure, "1###" followed by the option markup on success.
require_once dirname(__FILE__) . '/../../conf/config.inc';

Session::logcheck('environment-menu', 'EventsHidsConfig');

$sensor_id = POST('sensor_id');

// Format check first (hex id), then authorisation against the database.
ossim_valid($sensor_id, OSS_HEX, 'illegal:' . _('Sensor ID'));

if (!ossim_error())
{
    $db   = new ossim_db();
    $conn = $db->connect();

    if (!Ossec_utilities::is_sensor_allowed($conn, $sensor_id))
    {
        ossim_set_error(_('Error! Sensor not allowed'));
    }

    $db->close();
}

if (ossim_error())
{
    echo '2###' . _('We found the followings errors') . ": <div style='padding-left: 15px; text-align:left;'>" . ossim_get_error_clean() . '</div>';
    exit;
}

//Current sensor
// Only a validated and permitted id reaches this point and is stored; other
// pages read it back from the session.
$_SESSION['ossec_sensor'] = $sensor_id;

echo '1###';

try
{
    $rules = Ossec::get_rule_files($sensor_id, FALSE);

    // NOTE: $options_e / $options_ne are appended to without being initialised
    // in this fragment; if they are not set earlier, this relies on the
    // undefined-variable notice being silent.
    $options_e  .= "<optgroup label='" . _('Editable rule file') . "'>\n";
    $options_ne .= "<optgroup label='" . _('Rules files read-only') . "'>\n";
if (is_array($hids_agents) && !empty($hids_agents))
{
    //Case 1: HIDS Agents was previously deployed
    // Reuse the last listed agent (array_pop takes the final element) and its
    // sensor. The sensor id is taken from the stored record without an
    // is_sensor_allowed() check here, unlike case 2 — confirm it is checked elsewhere.
    $hids_agent = array_pop($hids_agents);

    $sensor_id = $hids_agent['sensor_id'];
    $agent_id  = $hids_agent['agent_id'];

    // Keep the agent's stored address only if it is a valid IP that is still a
    // key of $aux_ip_address (presumably the asset's current addresses).
    if (Asset_host_ips::valid_ip($hids_agent['ip_cidr']) && array_key_exists($hids_agent['ip_cidr'], $aux_ip_address))
    {
        $ip_address = $hids_agent['ip_cidr'];
    }
    else
    {
        $ip_address = $default_ip_address;
    }
}
else
{
    //Case 2: Not HIDS Agent deployed
    // Pick the first of the asset's sensors the user is allowed to use.
    $asset_sensors = Asset_host_sensors::get_sensors_by_id($conn, $asset_id);

    foreach ($asset_sensors as $asset_sensor_id => $s_data)
    {
        //Checking HIDS Sensor
        $cnd_1 = Ossec_utilities::is_sensor_allowed($conn, $asset_sensor_id) == TRUE;
        // Always true inside this loop unless the sensor entry itself is empty.
        $cnd_2 = !empty($asset_sensors[$asset_sensor_id]);

        if ($cnd_1 && $cnd_2)
        {
            $sensor_id = $asset_sensor_id;
            break;
        }
    }

    $agent_id   = NULL;
    $ip_address = $default_ip_address;
}

// Relies on $sensor_id having been reset to NULL for this asset before the
// branches above (expected to happen earlier in the enclosing loop).
if ($sensor_id === NULL)
{
    $deployment_stats[$asset_id]['status'] = 'error';
    $deployment_stats[$asset_id]['data']   = _('Error! No HIDS sensor related to asset');

    continue;
}

// Deployment parameters; w_password carries the plaintext credential entered by the user.
$d_data = array('asset_id' => $asset_id, 'w_ip' => $ip_address, 'w_user' => $user, 'w_password' => $pass, 'w_domain' => $domain, 'agent_id' => $agent_id);
exit;
}

// Read-only rule files are rejected before anything is written.
if (!Ossec::is_editable($file))
{
    $data['status'] = 'error';
    $data['data']   = _('Error! File not editable');

    echo json_encode($data);
    exit;
}

$_SESSION['_current_file'] = $file;
$lk_name = $_SESSION['lk_name'];

// The client sends the edited XML base64-encoded and HTML-entity-encoded.
$new_xml_data = html_entity_decode(base64_decode($new_xml_data), ENT_QUOTES, 'UTF-8');

// Parse first; the file is only written if the parser accepted the document.
$xml_obj = new Xml_parser($lk_name);
$xml_obj->load_string($new_xml_data);

if ($xml_obj->errors['status'] == FALSE)
{
    $data['status'] = 'error';
    // Parser messages are echoed into the response markup as-is; whether they
    // can carry fragments of the submitted document is not visible here.
    $data['data']   = "<div id='parse_errors'>\n <span style='font-weight: bold;'>" . _('Data in XML file with wrong format') . " <a onclick=\"\$('#msg_errors').toggle();\"> [" . _('View errors') . "]</a></span>\n <br/><div id='msg_errors'>" . implode('', $xml_obj->errors['msg']) . "</div>\n </div>";
}
else
{
    try
    {
        Ossec::set_rule_file($sensor_id, $file, $new_xml_data);

        // Refresh the session copies of the tree from the parsed document.
        $array_xml = $xml_obj->xml2array();
        $tree_json = Ossec_utilities::array2json($array_xml, $file);

        $_SESSION['_tree_json'] = $tree_json;
        $_SESSION['_tree']      = $array_xml;

        // NOTE(review): only $data['data'] is set on success; confirm $data['status']
        // was initialised to 'success' before this point, as nothing here sets it.
        // The msgid passed to _() already contains the file name, so it cannot
        // match a fixed catalog entry.
        $data['data'] = _("{$file} updated successfully") . '###' . base64_encode($tree_json);
    }
    catch (Exception $e)
    {
        $data['status'] = 'error';
        $data['data']   = $e->getMessage();
    }
}

echo json_encode($data);
exit;
$agent_ip  = POST('agent_ip');
$type      = POST('os_type');
$sensor_id = POST('sensor_id');

// Field-format rules. NOTE: the os_type rule is the literal string "'regex:unix|windows'";
// if validate_form_fields() applies it unanchored, any value containing 'unix' or
// 'windows' would pass — confirm against its implementation.
$validate = array('sensor_id' => array('validation' => "OSS_HEX", 'e_message' => 'illegal:' . _('Sensor ID')), 'agent_ip' => array('validation' => 'OSS_IP_CIDR_0', 'e_message' => 'illegal:' . _('Agent IP')), 'os_type' => array('validation' => "'regex:unix|windows'", 'e_message' => 'illegal:' . _('OS Type')));

$validation_errors = validate_form_fields('POST', $validate);

//Get Sensor IP for selected sensor
if (empty($validation_errors))
{
    $db   = new ossim_db();
    $conn = $db->connect();

    // Authorisation on the sensor before its addresses are looked up.
    if (!Ossec_utilities::is_sensor_allowed($conn, $sensor_id))
    {
        $validation_errors["sensor_id"] = _("Sensor not allowed");
    }
    else
    {
        $system_ids = Av_center::get_system_id_by_component($conn, $sensor_id);
        $res        = Av_center::get_system_info_by_id($conn, $system_ids['non-canonical']);

        if ($res['status'] == 'success')
        {
            // Non-default sensors with a VPN address are reached over the VPN;
            // the label then shows the admin IP with the VPN IP in brackets.
            if (!empty($res['data']['vpn_ip']) && Ossec_utilities::get_default_sensor_id() != $sensor_id)
            {
                $sensor_ip     = $res['data']['vpn_ip'];
                $sensor_ip_txt = $res['data']['admin_ip'] . " [" . $res['data']['vpn_ip'] . "]";
            }
            else
            {
                $sensor_ip     = $res['data']['admin_ip'];
                $sensor_ip_txt = $sensor_ip;
            }
        }
        // NOTE: $sensor_ip / $sensor_ip_txt remain unset if the system lookup fails.

        // Stored only for a permitted sensor; presumably read by later steps (not visible here).
        $_SESSION['_ossec_os_type'] = $type;
    }

    $db->close();
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>