From fd87fec36cc8231ccd68c7a90acc8746446ecdda Mon Sep 17 00:00:00 2001
From: Jakub Cegan <cegan@ics.muni.cz>
Date: Thu, 19 Sep 2013 20:38:21 +0200
Subject: [PATCH] spojeni watchdogu a serveru

* zapojeni wardenWatchdog do adresarove struktury serveru
* uprava cest
* pridani odkazu do dokumentace
---
 src/contrib/wardenWatchdog/wardenWatchdog.pl  |  54 -----
 src/warden-server/bin/wardenWatchdog.pl       | 223 +++---------------
 src/warden-server/doc/README                  | 204 ++++++++--------
 .../doc}/README.wardenWatchdog                |   6 +-
 .../etc}/WardenWatchdog.conf                  |   0
 .../lib}/WardenWatchdog.pm                    |   4 +-
 .../lib}/WardenWatchdog.t                     |   0
 7 files changed, 147 insertions(+), 344 deletions(-)
 delete mode 100755 src/contrib/wardenWatchdog/wardenWatchdog.pl
 rename src/{contrib/wardenWatchdog => warden-server/doc}/README.wardenWatchdog (93%)
 rename src/{contrib/wardenWatchdog => warden-server/etc}/WardenWatchdog.conf (100%)
 rename src/{contrib/wardenWatchdog => warden-server/lib}/WardenWatchdog.pm (99%)
 rename src/{contrib/wardenWatchdog => warden-server/lib}/WardenWatchdog.t (100%)

diff --git a/src/contrib/wardenWatchdog/wardenWatchdog.pl b/src/contrib/wardenWatchdog/wardenWatchdog.pl
deleted file mode 100755
index c653534..0000000
--- a/src/contrib/wardenWatchdog/wardenWatchdog.pl
+++ /dev/null
@@ -1,54 +0,0 @@
-#!/usr/bin/perl
-#
-# wardenWatchdog.pl
-#
-# Copyright (C) 2011-2012 Cesnet z.s.p.o
-#
-# Use of this source is governed by a BSD-style license, see LICENSE file.
-
-use strict;
-use warnings;
-
-use Getopt::Long;
-use FindBin;
-FindBin::again();
-
-use lib "$FindBin::Bin";
-use WardenWatchdog;
-
-#-------------------------------------------------------------------------------
-# help
-#
-# Just print help and exit.
-#
-# Input: -
-#
-# Output: -
-#
-# Return:
-#   On Success (1)
-#-------------------------------------------------------------------------------
-sub help
-{
-  my $help ="  USAGE: ./wardenWatchdog.pl -c '/path/WardenWatchdog.conf' -i 7
-
-  OPTIONS
-  -c conf           configuration file name and path
-  -i interval       interval in days from now back to the past
-";
-  print $help;
-  return 1;
-}
-
-my ($help, $config, $interval);
-if (@ARGV < 3  || defined($help) || !GetOptions('help|?|h' => \$help, 'c|conf=s' => \$config, 'i|interval=i' => \$interval)) {
-  help();
-}
-else {
-  my ($rc,$err) = WardenWatchdog::run($config,$interval);
-  if(!$rc) {
-    print "WardenWatchdog error: $err";
-  }
-}
-
-1;
diff --git a/src/warden-server/bin/wardenWatchdog.pl b/src/warden-server/bin/wardenWatchdog.pl
index aeadb19..e706e68 100755
--- a/src/warden-server/bin/wardenWatchdog.pl
+++ b/src/warden-server/bin/wardenWatchdog.pl
@@ -1,207 +1,54 @@
 #!/usr/bin/perl
 #
-# WardenWatchdog.pl
+# wardenWatchdog.pl
 #
-# Copyright (C) 2011-2013 Cesnet z.s.p.o
+# Copyright (C) 2011-2012 Cesnet z.s.p.o
 #
 # Use of this source is governed by a BSD-style license, see LICENSE file.
 
-
-use WardenConf;
 use strict;
 use warnings;
-use DBI;
-use DBD::mysql;
-use DateTime;
-#use Email::Simple;
-use Sys::Hostname;
-use Text::Wrap;
-use Data::Dumper;
-
-sub sendmailWrapper{
-  my $message = shift;
-
-  if(open(my $sendmail, '|/usr/sbin/sendmail -oi -t')){
-    print $sendmail $message;
-    close $sendmail;
-    return 1;
-  } else {
-    return (0, "Sending email failed: $!");
-  }
-}
-
-# Array of hashes
-#{query => ; text => ; contact => }
-
-# Get clients admins
-sub sendReport{
 
-  my $input_data  = shift;
-  my $contact    = $$input_data{'contact'};
-  my $domain     = $$input_data{'domain'};
-  my $text       = $$input_data{'text'};
-
-  my $from_hostname;
-  my $message;
-
-  if(!($contact)){
-    return (0, "Empty 'To' email header!\n");
-  }
-
-  $domain =~ s/\./\./;
-
-  eval{
-    $from_hostname = hostname();
-    if(!($from_hostname =~ m/$domain/gi)){
-      $from_hostname .= $domain;
-    }
-  };
-  if($@){
-    return (0, "Can't retrive hostname for 'From' header!\n");
-  }
+use Getopt::Long;
+use FindBin qw($RealBin);
+FindBin::again();
+use lib "$RealBin/../lib";
+use WardenWatchdog;
 
-  eval{
-  #$message = Email::Simple->create(
-    #header => [
-      #To                    => $contact,
-      #From                  => 'warden_watchdog@'.$from_hostname,
-      #Subject               => 'Kotrola stavu udalosti na Wardenu'],
-      #body => fill('','',$text));
-  };
-  if($@){
-    return (0, "Can't create email message\n");
-  }
 
-  print "== $contact ==\n$text\n";
-  my ($rc, $err) = 1;#sendmailWrapper($message->as_string);
-  if(!$rc){
-    return (0, $err);
-  }
+#-------------------------------------------------------------------------------
+# help
+#
+# Just print help and exit.
+#
+# Input: -
+#
+# Output: -
+#
+# Return:
+#   On Success (1)
+#-------------------------------------------------------------------------------
+sub help
+{
+  my $help ="  USAGE: ./wardenWatchdog.pl -c /path/WardenWatchdog.conf -i 7
+
+  OPTIONS
+  -c conf           configuration file name and path
+  -i interval       interval in days from now back to the past
+";
+  print $help;
   return 1;
 }
 
-sub connect_to_DB {
-
-  my $dbPlatform = 'mysql';
-  my $dbName     = 'warden';
-  my $dbHostname = 'localhost';
-  my $dbUser     = 'root';
-  my $dbPasswd   = 'w4rd3n&r00t';
-
-  my $dbhRef = shift;
-  my $dbh;
-
-  if($dbh = DBI->connect( "dbi:$dbPlatform:database=$dbName;host=$dbHostname", $dbUser, $dbPasswd, {RaiseError => 1, mysql_auto_reconnect => 1})){
-    $$dbhRef = $dbh;
-    return 1;
-  }
-  else{
-    return (0,"Cannot connect to database! ".DBI->errstr);
-  }
+my ($help, $config, $interval);
+if (@ARGV < 3  || defined($help) || !GetOptions('help|?|h' => \$help, 'c|conf=s' => \$config, 'i|interval=i' => \$interval)) {
+  help();
 }
-
-sub sendQuery{
-
-  my $configRef = shift;
-  my $eventsRef = shift;
-
-  my @config = @{$configRef};
-  my %bad_events;
-  my ($rc,$err);
-  my $dbh;
-
-  my $i = 0;
-  # connect to DB
-  ($rc,$err) = connect_to_DB(\$dbh);
-  if (!$rc){
-    return (0, $err);
-  }
-
-  while ($i < scalar(@config)) {
-    my $contact;
-
-    # run DB query -> requestor, client name
-    my $sth;
-    if (defined($config[$i]{query})){
-      $sth = $dbh->prepare($config[$i]{query});
-    }
-    else{
-      return (0, "No query availble\n");
-    }
-
-    if (!($sth->execute)){
-      return (0, "Couldn't get data from my database: $sth->errstr\n");
-    };
-
-    my @result;
-    while(@result = $sth->fetchrow()){
-      if (defined($config[$i]{contact})){
-        $contact = $config[$i]{contact};
-      }
-      else{
-        $contact = "from_db\@$result[0]";
-      }
-      $bad_events{$contact} .= $config[$i]{text} . "DB INFO: ". join(', ',@result) ."\n";
-    }
-    $sth->finish;
-    $i++;
-  }
-  # disconnect to DB
-  $dbh->disconnect;
-
-  %$eventsRef = %bad_events;
-
-  return 1;
-}
-
-
-sub run{
-
-  my $domain = shift;
-  my $period = shift;
-
-  my $date;
-
-  eval{
-    my $dt = DateTime->now();
-    $dt = DateTime->now()->subtract(days => $period);
-    $date = $dt->date();
-  };
-  if($@){
-    print "Warden watchdog - can't work with date\n";
-    #syslog("err|Warden watchdog - can't work with date\n");
-  }
-
-  my @configuration = (
-  {query => "SELECT hostname, service, MAX(received) FROM events WHERE valid = 't' GROUP BY hostname, service ORDER BY MAX(received) ASC;", text => "Hey, this is test of warning for admin!\n"},
-  {query => "SELECT requestor FROM clients WHERE service IN (SELECT service FROM events WHERE detected > '$date' AND type NOT IN ('portscan', 'bruteforce', 'probe', 'spam', 'phishing', 'botnet_c_c', 'dos', 'malware', 'copyright', 'webattack', 'test', 'other') AND valid = 't' GROUP BY service) GROUP BY requestor;", text => "Hey, this is test of warning!\n", contact => 'warden-administrator@cesnet.cz'});
-
-  $Text::Wrap::columns = 80;
-
-
-  my %bad_events;
-
-  my $i = 0;
-  while ($i < scalar(@configuration)) {
-    my ($rc,$err) = sendQuery(\@configuration,\%bad_events);
-    if (!$rc){
-      print "Warden watchdog - $err\n";
-      #syslog("err|Warden watchdog - $err\n");
-    }
-    $i++;
-  }
-
-  while (my ($contact, $text) = each(%bad_events)){
-    my %input = (contact => $contact, domain => $domain, text => $text);
-    my ($rc,$err) = sendReport(\%input);
-    if (!$rc){
-      # TODO syslog
-      print $err;
-      #syslog("err|Warden client - networkReporter $err\n");
-    }
-    print "\n\n";
+else {
+  my ($rc,$err) = WardenWatchdog::run($config,$interval);
+  if(!$rc) {
+    print "WardenWatchdog error: $err";
   }
 }
 
-run('warden-dev.cesnet.cz',7);
 1;
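Review bot: In the new option check `if (@ARGV < 3 || defined($help) || !GetOptions(...))` the `defined($help)` test runs before `GetOptions` has had a chance to set `$help`, so it is always false and `-h` given together with `-c`/`-i` falls through to `WardenWatchdog::run` instead of printing help; the `@ARGV < 3` count is only an approximation of "both options present". Parse first and test the results, e.g. `my $ok = GetOptions('help|?|h' => \$help, 'c|conf=s' => \$config, 'i|interval=i' => \$interval);` followed by `if (!$ok || $help || !defined $config || !defined $interval) { help(); exit($ok && $help ? 0 : 1); }`. The failure branch prints `WardenWatchdog error: $err` to STDOUT and the script still exits 0, so the cron line documented in README.wardenWatchdog never sees a non-zero status; `print STDERR "WardenWatchdog error: $err"; exit 1;` would make failures visible to cron and to anyone checking the exit code. The copyright line also moves from 2011-2013 back to 2011-2012 on the new side, which looks like it was copied from the deleted contrib script rather than intended.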
diff --git a/src/warden-server/doc/README b/src/warden-server/doc/README
index ec2d8c7..7f86cc1 100644
--- a/src/warden-server/doc/README
+++ b/src/warden-server/doc/README
@@ -17,73 +17,73 @@ Content
 A. Overall Information
 
  1. About Warden System
- 
+
     Warden is a client-server architecture service designed to share detected
     security events (issues) among CSIRT and CERT teams in a simple and fast way.
-    
+
     This package contains the Warden server.
 
  2. Version
-  
+
     2.2 (2013-??-??)
-    
+
  3. Package structure
- 
+
     warden-server/
       bin/
-	getClients.pl
-	getStatus.pl
-	registerReceiver.pl
-	registerSender.pl
-	unregisterClients.pl
+  getClients.pl
+  getStatus.pl
+  registerReceiver.pl
+  registerSender.pl
+  unregisterClients.pl
       doc/
-	AUTHORS
+  AUTHORS
         CHANGELOG
-	INSTALL
-	LICENSE
-	README
-	UNINSTALL
-	UPDATE
-	warden.mysql
-	warden21to22.patch
+  INSTALL
+  LICENSE
+  README
+  UNINSTALL
+  UPDATE
+  warden.mysql
+  warden21to22.patch
       etc/
-	package_version
+  package_version
         warden-apache.conf
-	warden-server.conf
+  warden-server.conf
       lib/
-	Warden.pm
-	WardenCommon.pm
-	Warden/
-	  ApacheDispatch.pm
+  Warden.pm
+  WardenCommon.pm
+  Warden/
+    ApacheDispatch.pm
       uninstall.sh
 
 
 --------------------------------------------------------------------------------
 B. Installation Dependencies
- 
+
  1. Applications:
 
-    Perl	>= 5.10.1
-    MySQL	>= 5.1.63
-    Apache	>= 2.2.14
+    Perl  >= 5.10.1
+    MySQL >= 5.1.63
+    Apache  >= 2.2.14
 
  2. Perl modules:
 
-    SOAP::Lite			>= 0.712
-    SOAP::Transport::HTTP	>= 0.712
-    DBI				>= 1.612
-    DBD::mysql			>= 4.016
-    Format::Human::Bytes	>= 0.05
-    Sys::Syslog			>= 0.27
-    File::Basename		>= 2.77
-    Net::CIDR::Lite		>= 0.21
-    DateTime			>= 0.61
-    Getopt::Std			>= 1.06
-    Switch			>= 2.14
-    IO::Socket::SSL 		>= 1.66
-    MIME::Base64 		>= 3.08
-    Crypt::X509 		>= 0.40
-    Carp 			>= 1.11
+    SOAP::Lite      >= 0.712
+    SOAP::Transport::HTTP >= 0.712
+    DBI       >= 1.612
+    DBD::mysql      >= 4.016
+    Format::Human::Bytes  >= 0.05
+    Sys::Syslog     >= 0.27
+    File::Basename    >= 2.77
+    Net::CIDR::Lite   >= 0.21
+    DateTime      >= 0.61
+    Getopt::Std     >= 1.06
+    Switch      >= 2.14
+    IO::Socket::SSL     >= 1.66
+    MIME::Base64    >= 3.08
+    Crypt::X509     >= 0.40
+    Carp      >= 1.11
 
 
 --------------------------------------------------------------------------------
@@ -97,34 +97,34 @@ C. Installation
 
     $ tar xzvf warden-server-2.2.tar.gz
 
- 3. Run install.sh. 
-  
+ 3. Run install.sh.
+
     Default installation directory is /opt/warden-server/
-    
+
     For more information about install.sh options run install.sh -h
 
     Usage: $ ./install.sh [-d <directory>] [-k <ssl_key_file>]
                           [-c <ssl_cert_file>] [-a <ssl_ca_file>] [-hV]"
-	-d <directory>            installation directory (default: /opt)
-	-k <ssl_key_file>         SSL certificate key file path
-	-c <ssl_cert_file>        SSL certificate file path
-	-a <ssl_ca_file>          CA certificate file path
-	-h                        print this help
-	-V                        print script version number and exit
-	
+  -d <directory>            installation directory (default: /opt)
+  -k <ssl_key_file>         SSL certificate key file path
+  -c <ssl_cert_file>        SSL certificate file path
+  -a <ssl_ca_file>          CA certificate file path
+  -h                        print this help
+  -V                        print script version number and exit
+
     Example: # ./install.sh -d /opt -k /etc/ssl/private/server.key
-                            -c /etc/ssl/certs/server.pem                            
-			    -a /etc/ssl/certs/bundle.pem
+                            -c /etc/ssl/certs/server.pem
+          -a /etc/ssl/certs/bundle.pem
 
     You must be root for running this script.
 
  4. Configuration files
-  
+
     You are advised to check configuration file warden-apache.conf and
     warden-server.conf in warden-server/etc/ directory after installation.
     For more information about post-installation steps see INSTALL file in
     'doc' directory.
-    
+
     SOAP protocol is used for handling communication between server and clients.
     Therefore, correct URI of Warden server must be set.
 
@@ -138,40 +138,40 @@ C. Installation
 
     The Warden server configuration file contains:
 
-    BASEDIR		- base directory of the Warden server
-			  e.g. /opt/warden-server/
+    BASEDIR   - base directory of the Warden server
+        e.g. /opt/warden-server/
 
-    SYSLOG		- enable/disable syslog logging
-    			  e.g. 1
+    SYSLOG    - enable/disable syslog logging
+            e.g. 1
 
-    SYSLOG_VERBOSE	- enable/disable logging in verbose mode (stack info added)
-    			  e.g. 1
+    SYSLOG_VERBOSE  - enable/disable logging in verbose mode (stack info added)
+            e.g. 1
 
-    SYSLOG_FACILITY	- syslog facility
-			  e.g. local7
+    SYSLOG_FACILITY - syslog facility
+        e.g. local7
 
-    DB_NAME		- MySQL database name of Warden server
-			  e.g. warden
+    DB_NAME   - MySQL database name of Warden server
+        e.g. warden
 
-    DB_USER		- MySQL database user of Warden server
-			  e.g. warden
+    DB_USER   - MySQL database user of Warden server
+        e.g. warden
 
-    DB_PASS		- MySQL database password of Warden server
+    DB_PASS   - MySQL database password of Warden server
 
-    DB_HOST		- MySQL database host
-			  e.g. localhost
+    DB_HOST   - MySQL database host
+        e.g. localhost
 
-    MAX_EVENTS_LIMIT	- server limit of maximum number of events that can be
+    MAX_EVENTS_LIMIT  - server limit of maximum number of events that can be
                           delivered to one client in one batch
-    			  e.g. 1000000
+            e.g. 1000000
 
     VALID_STRINGS       - validation hash containing allowed event attributes
-                          e.g. 
+                          e.g.
 
-			  %VALID_STRINGS = (
- 			    'type'          => ['portscan', 'bruteforce', 'probe', 'spam', 'phishing', 'botnet_c_c', 'dos', 'malware', 'copyright', 'webattack', 'test', 'other'],
-			    'source_type'   => ['IP', 'URL', 'Reply-To:']
-			  );
+        %VALID_STRINGS = (
+          'type'          => ['portscan', 'bruteforce', 'probe', 'spam', 'phishing', 'botnet_c_c', 'dos', 'malware', 'copyright', 'webattack', 'test', 'other'],
+          'source_type'   => ['IP', 'URL', 'Reply-To:']
+        );
 
 
     b) warden-apache.conf
@@ -194,7 +194,7 @@ C. Installation
     PerlSwitches -I <path_to_warden_server_libs>
 
     <Location /Warden>
-    	SetHandler perl-script
+      SetHandler perl-script
         PerlHandler Warden::ApacheDispatch
         SSLOptions +StdEnvVars
     </Location>
@@ -204,9 +204,9 @@ C. Installation
 D. Update
 
  For update of the Warden server package from local machine use update.sh.
-  
+
  Default destination directory is /opt/warden-server/.
-    
+
  For more information about update.sh options run update.sh -h
 
    Usage: $ ./update.sh [-d <directory>] [-hV]
@@ -226,9 +226,9 @@ D. Update
 E. Uninstallation
 
  For uninstallation of the Warden server package from local machine use uninstall.sh.
-  
+
  Default uninstallation directory is /opt/warden-server/.
-    
+
  For more information about uninstall.sh options run uninstall.sh -h
 
    Usage: $ ./uninstall.sh [-d <directory>] [-hV]
@@ -248,23 +248,29 @@ E. Uninstallation
 F. Miscellaneous
 
  1. Error Messages
-    
+
     Error messages of the server functions are sent via Syslog.
     Default is local7 facility.
 
  2. Firewall Settings
-    
+
     Make sure that the TCP port listed in /etc/apache2/sites-enables/default(-ssl)
     is allowed on your firewall.
 
  3. Privileges
- 
+
     The Warden server runs only under root privileges.
 
  4. Known Issues
 
     No issues are known.
 
+ 5. Database checks
+
+    If you want apply an offline checks to your received data health, you can use
+    the wardenWatchdog.pl script. You can found the documentation in a separate
+    README.wardenWatchdog file.
+
 
 --------------------------------------------------------------------------------
 G. Registration of Clients
@@ -281,14 +287,14 @@ G. Registration of Clients
 
  1. Register Sender
 
-    New sender clients are registered in Warden system via registerSender.pl. 
-    
+    New sender clients are registered in Warden system via registerSender.pl.
+
     Following attributes must be provided in order to register new client
     successfully:
-    
+
     hostname           - hostname of the client,
     requestor          - organization or authorized person who demands new
-                         client registration, 
+                         client registration,
     service            - name of the service of a new registered client,
     description_tags   - tags describing the nature of the service,
     ip_net_client      - CIDR the client is only allowed to communicate from,
@@ -298,17 +304,17 @@ G. Registration of Clients
 
  2. Register Receiver
 
-    New receiver clients are registered in Warden system via 
+    New receiver clients are registered in Warden system via
     registerReceiver.pl.
-    
+
     Following attributes must be provided in order to register new client
     successfully:
-    
+
     hostname           - hostname of the client,
     requestor          - organization or authorized person who demands new
-                         client registration, 
+                         client registration,
     type               - the type of events the client wish to receive or '_any_'
-    			 for receiving of all types of events,
+           for receiving of all types of events,
     receive_own_events - boolean value describing if events originating from
                          the same CIDR will be sent to the client,
     ip_net_client      - CIDR the client is only allowed to communicate from,
@@ -318,7 +324,7 @@ G. Registration of Clients
 
  3. Unregister Client
 
-    In the Warden system, already registered clients can be unregistered 
+    In the Warden system, already registered clients can be unregistered
     via unregisterClient.pl.
 
     Following attribute must be provided in order to unregister existing client
@@ -344,13 +350,13 @@ H. Status Info
 
   1. Get Status
 
-     Function getStatus is accessible via getStatus.pl. Function has no input 
+     Function getStatus is accessible via getStatus.pl. Function has no input
      parameters and returns info about the Warden server, its DB status and
      event's statistics of active registered senders.
 
   2. Get Clients
 
-     Function getClients is accessible via getClients.pl. Function has no input 
+     Function getClients is accessible via getClients.pl. Function has no input
      parameters and returns detailed information about all registered clients.
 
 --------------------------------------------------------------------------------
diff --git a/src/contrib/wardenWatchdog/README.wardenWatchdog b/src/warden-server/doc/README.wardenWatchdog
similarity index 93%
rename from src/contrib/wardenWatchdog/README.wardenWatchdog
rename to src/warden-server/doc/README.wardenWatchdog
index f54e354..dbc09b9 100644
--- a/src/contrib/wardenWatchdog/README.wardenWatchdog
+++ b/src/warden-server/doc/README.wardenWatchdog
@@ -75,7 +75,11 @@ D. Application run
   from now to the past. Warden database check from config will be then run in
   this defined time interval.
 
-  USAGE: ./wardenWatchdog.pl -c '/path/WardenWatchdog.conf' -i 7
+  USAGE:
+    ./wardenWatchdog.pl -c /path/WardenWatchdog.conf -i 7
+
+  CRON USAGE:
+    33  00  * * * /full/path/watchdog/wardenWatchdog.pl -c /path/WardenWatchdog.conf -i 7 >> err.txt
 
 --------------------------------------------------------------------------------
 
diff --git a/src/contrib/wardenWatchdog/WardenWatchdog.conf b/src/warden-server/etc/WardenWatchdog.conf
similarity index 100%
rename from src/contrib/wardenWatchdog/WardenWatchdog.conf
rename to src/warden-server/etc/WardenWatchdog.conf
diff --git a/src/contrib/wardenWatchdog/WardenWatchdog.pm b/src/warden-server/lib/WardenWatchdog.pm
similarity index 99%
rename from src/contrib/wardenWatchdog/WardenWatchdog.pm
rename to src/warden-server/lib/WardenWatchdog.pm
index 5b92657..c6f94de 100644
--- a/src/contrib/wardenWatchdog/WardenWatchdog.pm
+++ b/src/warden-server/lib/WardenWatchdog.pm
@@ -140,14 +140,14 @@ sub connectToDB
   my $db_conf = shift;
   my $dbh_ref = shift;
 
-  my $dn_platform = $$db_conf{'platform'};
+  my $db_platform = $$db_conf{'platform'};
   my $db_name     = $$db_conf{'name'};
   my $db_hostname = $$db_conf{'hostname'};
   my $db_user     = $$db_conf{'user'};
   my $db_passwd   = $$db_conf{'passwd'};
 
   my $dbh;
-  if($dbh = DBI->connect( "dbi:$dn_platform:database=$db_name;host=$db_hostname", $db_user, $db_passwd, {mysql_auto_reconnect => 1})) {
+  if($dbh = DBI->connect( "dbi:$db_platform:database=$db_name;host=$db_hostname", $db_user, $db_passwd, {mysql_auto_reconnect => 1})) {
     $$dbh_ref = $dbh;
     return (1);
   }
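Review bot: The renamed `DBI->connect( "dbi:$db_platform:..." ...)` call passes only `mysql_auto_reconnect => 1` in its attribute hash, so DBI's default `PrintError => 1` stays in effect and a failed connect is written to STDERR by DBI itself before the caller gets to report it through the return value, giving two messages for one failure; `{PrintError => 0, mysql_auto_reconnect => 1}` keeps the error in one place (`DBI->errstr`, as the surrounding code appears to use). `connectToDB` starts before this hunk and its error branch lies after it, so I cannot confirm from here how `errstr` is surfaced. The `$dn_platform` -> `$db_platform` rename itself is fine; a short comment on the DSN line, `# DSN is built from WardenWatchdog.conf values; platform is expected to be mysql`, would record why the mysql-specific attribute is unconditional.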
diff --git a/src/contrib/wardenWatchdog/WardenWatchdog.t b/src/warden-server/lib/WardenWatchdog.t
similarity index 100%
rename from src/contrib/wardenWatchdog/WardenWatchdog.t
rename to src/warden-server/lib/WardenWatchdog.t
-- 
GitLab