contrib/ansible/warden-filer-receiver/defaults/main.yml

 ---
 server_admin: "{{ root@inventory_hostname }}"
 warden_filer_bin_path: /opt/warden-filer
+warden_filer_lib_path: /var/lib/warden_filer
+warden_filer_run_path: /run/warden_filer
 warden_client_cert_path: /etc/ssl/certs/warden.cert.pem
 warden_client_key_path: /etc/ssl/private/warden.key.pem
 warden_client_id_store: /var/lib/warden_filer/warden_filer.id

contrib/ansible/warden-filer-receiver/tasks/main.yml

 ---
 - name: Checkout Warden repository
   git:
-    repo: https://homeproj.cesnet.cz/git/warden.git/
+    repo: https://gitlab.cesnet.cz/713/warden/warden.git
     version: warden-client-3.0-beta3
     dest: /tmp/warden_client_repository
 
+- name: Create bin dir for warden_filer
+  file:
+    path: "{{ warden_filer_bin_path }}"
+    state: directory
+    owner: root
+    group: root
+    mode: "755"
+
+- name: Create lib and run dir for warden_filer
+  file:
+    path: "{{ item }}"
+    state: directory
+    owner: "{{ warden_filer_uid }}"
+    group: "{{ warden_filer_gid }}"
+    mode: "755"
+  with_items: 
+    - "{{ warden_filer_lib_path }}"
+    - "{{ warden_filer_run_path }}"
+
 - name: Install Filer binaries
   copy:
-    src: "/tmp/warden_client_repository/{{ src }}"
-    dest: "{{ warden_filer_bin_path }}/{{ dest }}"
+    remote_src: true
+    src: "/tmp/warden_client_repository/{{ item.src }}"
+    dest: "{{ warden_filer_bin_path }}/{{ item.dest }}"
+    mode: "755"
   with_items:
     - src: warden_client/warden_client.py
       dest: warden_client.py
@@ -17,15 +38,26 @@
     - src: warden_filer/check_file_count
       dest: check_file_count
 
+- name: Link Filer binary to /usr/local/bin
+  file:
+    src: "{{ warden_filer_bin_path }}/warden_filer.py"
+    dest: "/usr/local/bin/warden_filer.py"
+    state: link
+    owner: root
+    group: root
+    mode: "755"
+
 - name: Install Warden Filer config
   template:
     src: "{{ item }}"
     dest: "/{{ item }}"
   with_items:
     - etc/warden_filer.cfg
-    - etc/defaults/warden_filer_receiver
+    - etc/default/warden_filer_receiver
 
 - name: Install Warden Filer init script
   copy:
+    remote_src: true
     src: /tmp/warden_client_repository/warden_filer/warden_filer_receiver
     dest: /etc/init.d/warden_filer_receiver
+    mode: "755"

contrib/ansible/warden-server/tasks/main.yml

 ---
 - name: Checkout Warden repository
   git:
-    repo: https://homeproj.cesnet.cz/git/warden.git/
+    repo: https://gitlab.cesnet.cz/713/warden/warden.git
     version: warden-server-3.0-beta3
     dest: /tmp/warden_server_repository
 

contrib/banner/banner.py

@@ -22,10 +22,7 @@ def main(args):
     banners = [{'name': banner_name_en, 'database' : "Database Size:", 'events' : "Number of Events:", 'senders' : "Number of Senders:", 'receivers' : "Number of Receivers:", 'created' : "Banner Created:"}, {'name': banner_name_cz, 'database' : "Velikost databáze:", 'events' : "Suma všech událostí:", 'senders' : "Odesílající klienti:", 'receivers' : "Přijímající klienti:", 'created' : "Banner vytvořen:"}]
 
     # We have DB credentials
-    user = "warden"
-    password = "w4rd3n&u53r"
-    database = "warden3"
-    host = "localhost"
+    host, database, user, password = sys.argv[1:]
 
     db = MySQLdb.connect(host = host, user = user, passwd = password, db = database)
     cursor = db.cursor()

contrib/map/frontend/warden-map.html

@@ -20,7 +20,7 @@
 <script src="https://d3js.org/d3.v3.min.js"></script>
 <script src="https://d3js.org/topojson.v1.min.js"></script>
 <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.0/jquery.min.js"></script>
-<script src="./js/datamaps.world.hires.min.js"></script>
+<script src="./js/datamaps.world.min.js"></script>
 <script src="./js/warden-map.js"></script>
 
 <!--

warden_client/README

@@ -53,7 +53,7 @@ C.1. Event description format
    IDEA - Intrusion Detection Extensible Alert, flexible extensible format
 for security events, see:
 
-   https://csirt.cesnet.cz/IDEA
+   https://idea.cesnet.cz/
 
 C.2. Event serial ID
 

warden_filer/warden_filer.py

@@ -470,6 +470,18 @@ def get_configs():
 
 
 
+def get_uid_gid(str_id, get_nam_func):
+    if str_id:
+        try:
+            id = int(str_id)
+        except ValueError:
+            id = get_nam_func(str_id)[2]
+    else:
+        id = None
+    return id
+
+
+
 if __name__ == "__main__":
 
     args = get_args()
@@ -482,12 +494,17 @@ if __name__ == "__main__":
 
     try:
         if args.daemon:
+            from pwd import getpwnam
+            from grp import getgrnam
+            uid = get_uid_gid(fconfig.get("uid"), getpwnam)
+            gid = get_uid_gid(fconfig.get("gid"), getgrnam)
+
             daemonize(
                 work_dir = fconfig.get("work_dir", "."),
                 chroot_dir = fconfig.get("chroot_dir"),
                 umask = fconfig.get("umask"),
-                uid = fconfig.get("uid"),
-                gid = fconfig.get("gid"),
+                uid = uid,
+                gid = gid,
                 pidfile = args.pid_file,
                 files_preserve = get_logger_files(wclient.logger),
                 signals = {

warden_ra/warden_ra.py

@@ -23,9 +23,6 @@ import subprocess
 import shlex
 import tempfile
 import M2Crypto
-# *ph* server vulnerable to logjam, local openssl too new, use hammer to disable Diffie-Helmann
-import ssl
-ssl._DEFAULT_CIPHERS += ":!DH"
 
 import ejbcaws
 
@@ -253,7 +250,13 @@ class EjbcaRegistry(OpenSSLRegistry):
             subjectDN = self.subject_dn_template % client.name
         )
         edata["subjectAltName"] = ",".join(("RFC822NAME=%s" % a for a in client.admins))
-        edata["status"] = self.status_str_to_ejbca.get(client.status, edata["status"])
+        try:
+            edata["status"] = self.status_str_to_ejbca.get(client.status)
+        except KeyError:
+            # Unknown status - either came from EJBCA and translated to
+            # "Other", or something wrong came in later. Let's just
+            # keep original EJBCA status unchanged.
+            pass
         if client.pwd:
             edata["password"] = client.pwd
             edata["clearPwd"] = True

warden_server/test_warden_server.py

@@ -8,11 +8,15 @@ import sys
 import warnings
 from os import path
 from copy import deepcopy
-import unittest2 as unittest
 import MySQLdb as my
 from warden_server import build_server
 import warden_server
 
+if sys.version_info >= (3, 10):
+    import unittest
+else:
+    import unittest2 as unittest
+
 if sys.version_info[0] >= 3:
     from io import StringIO
 else:
@@ -408,8 +412,9 @@ def init_user():
     conn = None
     try:
         conn = my.connect(user='root', passwd=getpass.getpass('Enter MySQL Root password:'))
-        with conn as cur:   # Not a canonical connector implementation, for sure
-            cur.execute("GRANT SELECT, INSERT, UPDATE, CREATE, DELETE, DROP ON *.* TO %s@'localhost' IDENTIFIED BY %s", (USER, PASSWORD))
+        with conn.cursor() as cur:
+            cur.execute("CREATE USER IF NOT EXISTS %s@'localhost' IDENTIFIED BY %s", (USER, PASSWORD))
+            cur.execute("GRANT SELECT, INSERT, UPDATE, CREATE, DELETE, DROP ON *.* TO %s@'localhost'", (USER,))
         conn.commit()
         print("DB User set up successfuly")
     except my.OperationalError as ex:

warden_server/warden_server.py

@@ -493,7 +493,7 @@ class MySQL(ObjectBase):
 
         with io.open(tagmap_filename, "r", encoding="utf-8") as tagmap_fd:
             self.tagmap = json.load(tagmap_fd)
-            self.tagmap_other = self.catmap["Other"]    # Catch error soon, avoid lookup later
+            self.tagmap_other = self.tagmap["Other"]    # Catch error soon, avoid lookup later
 
         self.con = None
 
@@ -714,10 +714,11 @@ class MySQL(ObjectBase):
         if group or nogroup:
             subquery = []
             for name in (group or nogroup):
-                subquery.append("c.name = %s")      # exact client
+                escaped_name = name.replace('&', '&&').replace("_", "&_").replace("%", "&%")  # escape for LIKE
+                subquery.append("c.name = %s")                                # exact client
                 params.append(name)
-                subquery.append("c.name LIKE %s")   # whole subtree
-                params.append(name + ".%")
+                subquery.append("c.name LIKE CONCAT(%s, '.%%') ESCAPE '&'")   # whole subtree
+                params.append(escaped_name)
 
             query.append(" AND %s (%s)" % (self._get_not(group), " OR ".join(subquery)))
 
@@ -1095,6 +1096,7 @@ class WardenHandler(ObjectBase):
 
         if self.get_events_limit:
             count = min(count, self.get_events_limit)
+        count = max(0, count)
 
         res = self.db.fetch_events(self.req.client, id, count, cat, nocat, tag, notag, group, nogroup)