added auto adding agent to Wazuh group
pyToshka committed Feb 7, 2023
1 parent 90aac13 commit 826dcbe
Showing 13 changed files with 269 additions and 290 deletions.
28 changes: 3 additions & 25 deletions .dockerignore
@@ -1,30 +1,8 @@
.idea/
__pycache__/
*.py[cod]
*$py.class
.Python
build/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
lib/
lib64/
parts/
sdist/
var/
wheels/
share/python-wheels/
*.egg-info/
.installed.cfg
*.egg
MANIFEST
Makefile
Dockerfile
README.md
docker-compose.yaml
entrypoint.sh
test.py
register_agent.py__
wazuh-daemonset.yaml
tmp/
.git/
.github
6 changes: 3 additions & 3 deletions .github/workflows/codeql.yml
Expand Up @@ -48,11 +48,11 @@ jobs:
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.

# Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
# queries: security-extended,security-and-quality


# Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
Expand All @@ -61,7 +61,7 @@ jobs:
# ℹ️ Command-line programs to run using the OS shell.
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun

# If the Autobuild fails above, remove it and uncomment the following three lines.
# If the Autobuild fails above, remove it and uncomment the following three lines.
# modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.

# - run: |
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -10,3 +10,4 @@ src/
register_agent.py__
test.py
docker-compose.yaml
tmp/
29 changes: 7 additions & 22 deletions .pre-commit-config.yaml
@@ -1,6 +1,6 @@
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: f95941eae9e108e2124c55ad97475aada32bba8d
rev: v4.4.0
hooks:
- id: check-yaml
- id: end-of-file-fixer
Expand All @@ -9,21 +9,14 @@ repos:
- id: check-merge-conflict
- id: mixed-line-ending
args: [--fix=lf]

- repo: https://github.com/ambv/black
rev: b1d060101626aa1c332f52e4bdf0ae5e4cc07990
hooks:
- id: black
- repo: https://github.com/ambv/black
rev: b1d060101626aa1c332f52e4bdf0ae5e4cc07990
rev: 23.1.0
hooks:
- id: black
language_version: python3.8
- repo: https://github.com/motet-a/jinjalint
rev: '01e0a4d8f1ee775aee00eb9d715eff2b4cc49e4d'
hooks:
- id: jinjalint
- repo: https://github.com/pre-commit/pygrep-hooks
rev: c1fb376edcbd404e10c835f3b420c10503593d58 # Use the ref you want to point at
rev: v1.10.0
hooks:
- id: python-use-type-annotations
- id: python-check-blanket-noqa
Expand All @@ -32,23 +25,19 @@ repos:
- id: rst-backticks
- id: text-unicode-replacement-char
- repo: https://github.com/jumanjihouse/pre-commit-hooks
rev: 2.1.5 # or specific git tag
rev: 3.0.0
hooks:
- id: bundler-audit
- id: check-mailmap
- id: fasterer
- id: forbid-binary
- id: git-check
- id: markdownlint
- id: reek
- id: require-ascii
- id: rubocop
- id: script-must-have-extension
- id: script-must-not-have-extension
- id: shellcheck
- id: shfmt
- repo: https://github.com/jorisroovers/gitlint
rev: '1a0ed8d03ac002f74f1b33706d509dcb4425ab4d'
rev: 'v0.19.0dev'
hooks:
- id: gitlint
- repo: local
Expand All @@ -60,10 +49,6 @@ repos:
entry: flake8
types: [python]
- repo: https://github.com/Lucas-C/pre-commit-hooks-safety
rev: 7fdb07b03cb7103198eb13a614de75725cfd2feb
rev: 'v1.3.1'
hooks:
- id: python-safety-dependencies-check
- repo: https://github.com/PyCQA/bandit
rev: '2bd1ffaae1b83102af8587dcbeecd0b402dbec4e'
hooks:
- id: bandit
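Review bot: The hunks replace commit-SHA pins with mutable tags (`rev: v4.4.0`, `rev: 23.1.0`, `rev: v1.10.0`, `rev: 3.0.0`, `rev: 'v1.3.1'`) and move gitlint to `rev: 'v0.19.0dev'`, a development tag; a tag can be moved or re-pushed, so hooks that run shellcheck, shfmt and the safety dependency check on every commit are no longer tied to a reviewed revision the way the SHA pins were, and the bandit entry in the last hunk still uses a SHA, so the file now mixes both models. I would keep the readable version as a comment and pin the SHA, e.g. `rev: <commit-sha-of-the-tag>  # v0.19.0`, and pick a released gitlint tag rather than a `dev` one.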
27 changes: 15 additions & 12 deletions Dockerfile
@@ -1,34 +1,37 @@
FROM bitnami/minideb:latest-amd64 as builder
COPY requirements.txt /tmp
RUN install_packages python3-pip python3-setuptools python3-dev gcc && \
python3 -m pip wheel -w /tmp/wheel -r /tmp/requirements.txt

FROM bitnami/minideb:latest-amd64
LABEL maintainer="[email protected]"
LABEL version="4.3.9"
LABEL version="4.3.10"
LABEL description="Wazuh Docker Agent"
ARG AGENT_VERSION="4.3.10-1"
ENV JOIN_MANAGER_MASTER_HOST=""
ENV JOIN_MANAGER_WORKER_HOST=""
ENV VIRUS_TOTAL_KEY=""
ENV JOIN_MANAGER_PROTOCOL="https"
ENV JOIN_MANAGER_USER = ""
ENV JOIN_MANAGER_PASSWORD=""
ENV JOIN_MANAGER_API_PORT="55000"
ENV HEALTH_CHECK_PROCESSES=""
ENV FLASK_APP="register_agent.py"
ENV FLASK_ENV="development"
ENV FLASK_DEBUG=0
ENV FLASK_BIND=0.0.0.0
ENV PYTHONDONTWRITEBYTECODE=1
ENV PYTHONUNBUFFERED=1
RUN install_packages \
procps curl apt-transport-https gnupg2 inotify-tools python3-docker python3-pip python3-setuptools python3-dev gcc && \
procps curl apt-transport-https gnupg2 inotify-tools python3-docker python3-setuptools python3-pip && \
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - && \
echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list && \
install_packages wazuh-agent && \
install_packages wazuh-agent=${AGENT_VERSION} && \
echo "deb http://security.debian.org/debian-security stretch/updates main" >> /etc/apt/sources.list && \
mkdir -p /usr/share/man/man1 && \
install_packages openjdk-8-jdk
COPY . /var/ossec/

COPY *.py *.jinja2 /var/ossec/
WORKDIR /var/ossec/
RUN pip3 --no-cache-dir install -r /var/ossec/requirements.txt && \
rm -rf /var/ossec/requirements.txt && \
COPY --from=builder /tmp/wheel /tmp/wheel
RUN pip3 install --no-index /tmp/wheel/*.whl && \
chmod +x /var/ossec/deregister_agent.py && \
chmod +x /var/ossec/register_agent.py && \
apt-get remove --purge -y python3-dev gcc && \
apt-get clean autoclean && \
apt-get autoremove -y && \
rm -rf /var/lib/{apt,dpkg,cache,log}/ && \
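Review bot: The new builder stage on the first line of the hunk is based on `bitnami/minideb:latest-amd64`, the same floating tag as the runtime stage, so the wheels it produces (and the `AGENT_VERSION` pin added below) sit on a base that can differ from one build to the next; I would hoist the base into one pinned reference, `ARG BASE_IMAGE=bitnami/minideb:<pinned-tag>@sha256:<digest>` before both `FROM` lines, then `FROM ${BASE_IMAGE} AS builder` and `FROM ${BASE_IMAGE}`. The directory brought in by `COPY --from=builder /tmp/wheel /tmp/wheel` stays in the final image unless a later line removes it, and the `RUN` that installs from it continues past the end of the hunk, so I cannot see whether it does. Separately, `ENV JOIN_MANAGER_USER = ""` uses the legacy space-separated form, so the variable's default appears to be a value beginning with `=` rather than the empty string its neighbours get; whether this line is new or pre-existing is not recoverable here, but it should read `ENV JOIN_MANAGER_USER=""`.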
5 changes: 4 additions & 1 deletion Makefile
@@ -1,4 +1,4 @@
VERSION ?= v4.0.4
VERSION ?= v4.3.10

all: docker

Expand All @@ -12,3 +12,6 @@ docker-run:
docker-push:
docker push kennyopennix/wazuh-agent:latest && \
docker push kennyopennix/wazuh-agent:$(VERSION)

docker-buildx:
docker buildx build --push -t kennyopennix/wazuh-agent:$(VERSION) --cache-to type=local,dest=./tmp/ --cache-from type=local,src=./tmp/ .
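Review bot: The new `docker-buildx` target passes no `--platform`, so the pushed image's architecture is whatever the active builder defaults to, while the Dockerfile in this same commit hardcodes an `-amd64` base tag; stating it explicitly keeps the two in agreement: `docker buildx build --platform linux/amd64 --push -t kennyopennix/wazuh-agent:$(VERSION) --cache-to type=local,dest=./tmp/ --cache-from type=local,src=./tmp/ .`. Unlike `docker-push`, this target publishes only `$(VERSION)` and not `latest`; if that is intentional it deserves a one-line comment in the Makefile, since the two targets now push different tag sets.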
48 changes: 18 additions & 30 deletions README.md
Expand Up @@ -8,42 +8,34 @@ solution for threat detection, integrity monitoring, incident response and compl

Wazuh Agent as Docker Image with auto registration on Wazuh server.

As well as local docker You can deploy the image to Kubernetes as DaemonSet.
Current implementation could be run as standalone docker container as well as Kubernete DaemonSet

Agent version is `v4.3.10`


Current agent version is `4.3.9`

## Structure

`register_agent.py` - Simple script for auto register docker based agent
`register_agent.py` - Auto register docker based agent

`cleanup_agents.py` - Cleanup disconnected or never connected agents older than n days

`deregister_agent.py` - Simple de-registration of agent
`deregister_agent.py` - De-registration of agent

## Environments

`JOIN_MANAGER_PROTOCOL` - http or https, default `https`

`JOIN_MANAGER_MASTER_HOST` - Ip address or Domain name of Wazuh server

`JOIN_MANAGER_WORKER_HOST` - Ip address or Domain name of Wazuh worker

`JOIN_MANAGER_USER` - Username for authorization on Wazuh server

`JOIN_MANAGER_PASSWORD` - Password for authorization

`JOIN_MANAGER_API_PORT` - Wazuh server api port, default `55000`

`JOIN_MANAGER_PORT` - Wazuh server port for communication between agent and server,
defaul `1514`

`NODE_NAME` - Node name if not present image will use `HOSTNAME` system variable

`HEALTH_CHECK_PROCESSES` - process list for health checks determinate by comma

`VIRUS_TOTAL_KEY` - Api key for VirusTotal integration

`FLASK_DEBUG` - Switch on Flask debug, default `0`
| Name | Type | Description | Default | Required |
| -------------------------- | -------- | ------------------------------------------------------------ | --------- | -------- |
| `JOIN_MANAGER_PROTOCOL` | `string` | Http or https protocol for Wazuh restapi connection | `https` | `Yes` |
| `JOIN_MANAGER_MASTER_HOST` | `string` | Ip address or Domain name of Wazuh server using for restapi calls | `None` | `Yes` |
| `JOIN_MANAGER_WORKER_HOST` | `string` | Ip address or Domain name of Wazuh worker for agent connection, if using ALL in One installation the same value as for `JOIN_MANAGER_MASTER_HOST` | `None` | `Yes` |
| `JOIN_MANAGER_USER` | `string` | Username for Wazuh API autorization | `None` | `Yes` |
| `JOIN_MANAGER_PASSWORD` | `string` | Password for Wazuh API autorization | `None` | `Yes` |
| `JOIN_MANAGER_API_PORT` | `string` | Port where the Wazuh API listened | `55000` | `Yes` |
| `JOIN_MANAGER_PORT` | `string` | Wazuh server port for communication between agent and server | `1514` | `Yes` |
| `NODE_NAME` | `string` | Node name if not present image will use `HOSTNAME` system variable | `None` | `No` |
| `VIRUS_TOTAL_KEY` | `string` | Api key for VirusTotal integration | `None` | `No` |
| `WAZUH_GROUPS` | `string` | Group(s) name comma separated for auto adding agent, | `default` | `No` |

## Run as docker image

Expand Down Expand Up @@ -82,8 +74,6 @@ env:
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: WAZUH_GROUPS
value: default
- name: JOIN_MANAGER_USER
valueFrom:
secretKeyRef:
Expand All @@ -98,8 +88,6 @@ env:
value: "55000"
- name: JOIN_MANAGER_PORT
value: "1514"
- name: HEALTH_CHECK_PROCESSES
value: "ossec-execd,ossec-syscheckd,ossec-logcollector,wazuh-modulesd,ossec-authd"

```

24 changes: 13 additions & 11 deletions cleanup_agents.py
@@ -1,14 +1,9 @@
import json
import os
import sys
from subprocess import PIPE, Popen # nosec
from base64 import b64encode

import psutil
import urllib3
from base64 import b64encode
from flask import Flask
from healthcheck import HealthCheck, EnvironmentDump
from jinja2 import Template
from loguru import logger

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
Expand Down Expand Up @@ -55,17 +50,23 @@ def req(method, resource, data=None):
res_json = r.json()

except Exception as exception:
logger.error(f"Error: {resource}")
logger.error(f"Error: {resource} {exception}")
sys.exit(1)

return code, res_json


def cleanup_agent(older_than):
status_code, response = req("delete",
f"agents?pretty=true&older_than={older_than}&agents_list=all&status=never_connected,disconnected")
def cleanup_agent(older):
status_code, response = req(
"delete",
f"agents?pretty=true&older_than={older}&agents_list=all&status=never_connected,"
f"disconnected",
)
for items in response["data"]["affected_items"]:
status_code, response = req("delete", f"agents?pretty=true&older_than=0s&agents_list={items['id']}&status=all")
status_code, response = req(
"delete",
f"agents?pretty=true&older_than=0s&agents_list={items['id']}&status=all",
)
msg = json.dumps(response, indent=4, sort_keys=True)
code = f"Status: {status_code} - {code_desc(status_code)}"
logger.error(f"INFO - DELETE AGENT:\n{code}\n{msg}")
Expand All @@ -81,6 +82,7 @@ def cleanup_agent(older_than):
node_name = os.environ.get("NODE_NAME")
older_than = os.environ.get("OLDER_THAN")
login_endpoint = "security/user/authenticate"
verify = False
base_url = f"{protocol}://{host}:{port}"
login_url = f"{protocol}://{host}:{port}/{login_endpoint}"
auth = f"{user}:{password}".encode()
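Review bot: The last hunk adds `verify = False`, which — assuming it is what `req()` passes as `verify=` to the HTTP client (that function's body is outside this view) — disables TLS certificate checking for every API call, including the login at `login_url` that sends the `user:password` pair built on the line below; combined with the pre-existing `urllib3.disable_warnings(...)` at the top of the file, this removes the only signal that the manager's certificate was never validated, so the API credentials are exposed to anyone who can interpose on the path to `JOIN_MANAGER_MASTER_HOST`. I would default to verification and let operators supply a CA bundle path instead, e.g. `verify = os.environ.get("WAZUH_CA_BUNDLE", True)` (variable name constructed for this note), and document it alongside the other `JOIN_MANAGER_*` settings. The same `req()` helper exists in deregister_agent.py; if it hardcodes `verify=False` too, the same change applies there.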
25 changes: 14 additions & 11 deletions deregister_agent.py
@@ -1,14 +1,9 @@
import json
import os
import sys
from subprocess import PIPE, Popen # nosec
from base64 import b64encode

import psutil
import urllib3
from base64 import b64encode
from flask import Flask
from healthcheck import HealthCheck, EnvironmentDump
from jinja2 import Template
from loguru import logger

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
Expand Down Expand Up @@ -53,7 +48,7 @@ def req(method, resource, data=None):
res_json = r.json()

except Exception as exception:
logger.error(f"Error: {resource}")
logger.error(f"Error: {resource} {exception}")
sys.exit(1)

return code, res_json
Expand All @@ -62,14 +57,22 @@ def req(method, resource, data=None):
def delete_agent(agt_name):
status_code, response = req("get", f"agents?pretty=true&q=name={agt_name}")
for items in response["data"]["affected_items"]:
status_code, response = req("delete", f"agents?pretty=true&older_than=0s&agents_list={items['id']}&status=all")
status_code, response = req(
"delete",
f"agents?pretty=true&older_than=0s&agents_list={items['id']}&status=all",
)
msg = json.dumps(response, indent=4, sort_keys=True)
code = f"Status: {status_code} - {code_desc(status_code)}"
logger.error(f"INFO - DELETE AGENT:\n{code}\n{msg}")
status_code, response = req("delete",
"agents?pretty=true&older_than=21d&agents_list=all&status=never_connected,disconnected")
status_code, response = req(
"delete",
"agents?pretty=true&older_than=21d&agents_list=all&status=never_connected,disconnected",
)
for items in response["data"]["affected_items"]:
status_code, response = req("delete", f"agents?pretty=true&older_than=0s&agents_list={items['id']}&status=all")
status_code, response = req(
"delete",
f"agents?pretty=true&older_than=0s&agents_list={items['id']}&status=all",
)
msg = json.dumps(response, indent=4, sort_keys=True)
code = f"Status: {status_code} - {code_desc(status_code)}"
logger.error(f"INFO - DELETE AGENT:\n{code}\n{msg}")
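Review bot: In the last hunk, `delete_agent(agt_name)` still issues a second, unrelated bulk delete — `agents?pretty=true&older_than=21d&agents_list=all&status=never_connected,disconnected` — after removing the named agent, so deregistering one container purges every stale agent on the manager with a hard-coded 21-day threshold; this duplicates `cleanup_agent(older)` in cleanup_agents.py, which takes its threshold from `OLDER_THAN`. The commit only reflows these lines, so the behaviour is pre-existing, but since they are being touched I would either drop the bulk delete from the deregister path or guard it, e.g. `if os.environ.get("OLDER_THAN"):` with that value substituted for `21d`, and log the result with `logger.info` rather than `logger.error`, as the message text itself says `INFO`.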