From 9129b3a3e4470b4f5cc926e5cb2ce76b26430ab4 Mon Sep 17 00:00:00 2001 From: clairetest Date: Mon, 25 Mar 2019 16:23:23 -0700 Subject: [PATCH 1/2] sophos change for antimalware --- Makefile | 2 +- .../plugin/collectantimalwareinfo.rb | 3 + .../Antimalware/plugin/collectsophosinfo.rb | 309 ++++++++++++++++++ 3 files changed, 313 insertions(+), 1 deletion(-) create mode 100644 Providers/Modules/Plugins/Antimalware/plugin/collectsophosinfo.rb diff --git a/Makefile b/Makefile index 1226c9b5f..236d56b57 100644 --- a/Makefile +++ b/Makefile @@ -469,7 +469,7 @@ nxOMSGenerateInventoryMof: nxOMSPlugin: rm -rf output/staging; \ - VERSION="3.17"; \ + VERSION="3.18"; \ PROVIDERS="nxOMSPlugin"; \ STAGINGDIR="output/staging/$@/DSCResources"; \ cat Providers/Modules/$@.psd1 | sed "s@@$${VERSION}@" > intermediate/Modules/$@.psd1; \ diff --git a/Providers/Modules/Plugins/Antimalware/plugin/collectantimalwareinfo.rb b/Providers/Modules/Plugins/Antimalware/plugin/collectantimalwareinfo.rb index d4220c08e..c61556dbb 100644 --- a/Providers/Modules/Plugins/Antimalware/plugin/collectantimalwareinfo.rb +++ b/Providers/Modules/Plugins/Antimalware/plugin/collectantimalwareinfo.rb @@ -2,11 +2,14 @@ require 'securerandom' # SecureRandom.uuid require 'logger' require_relative 'collectmcafeeinfo' +require_relative 'collectsophosinfo' require_relative 'antimalwarecommon' ret = {} if McAfee.detect() ret = McAfee.getprotectionstatus() +elsif Sophos.detect() + ret = Sophos.getprotectionstatus() else ($ProtectionStatusRank, $ProtectionStatus) = AntimalwareCommon::UnknownProtectionCode ($ThreatStatusRank, $ThreatStatus) = AntimalwareCommon::UnknownThreatCode diff --git a/Providers/Modules/Plugins/Antimalware/plugin/collectsophosinfo.rb b/Providers/Modules/Plugins/Antimalware/plugin/collectsophosinfo.rb new file mode 100644 index 000000000..f929b3a73 --- /dev/null +++ b/Providers/Modules/Plugins/Antimalware/plugin/collectsophosinfo.rb 
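Review bot: `ret = Sophos.getprotectionstatus()` can leave `ret` nil, because the new method's path-discovery branch exits with a bare `return` (no value) when `savdstatus` cannot be located, whereas the McAfee branch above presumably yields a hash. What the script does with `ret` after the `else` branch is outside this hunk, but the fix belongs in `Sophos.getprotectionstatus` (`return ret` in place of the bare `return`), and a defensive `ret = Sophos.getprotectionstatus() || {}` here would keep the caller from raising `NoMethodError` on a nil result in the meantime. The `if`/`elsif`/`else` chain is closed outside this hunk.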
@@ -0,0 +1,309 @@ +require "rexml/document" +require "cgi" +require 'digest' +require 'json' +require 'date' +require 'time' +require 'logger' +require_relative 'antimalwarecommon' + +class Sophos + + def self.detect() + begin + sophosPath = "/opt/sophos-av/bin/savdstatus" + if !File.file?('/opt/sophos-av/bin/savdstatus') + #puts "Not able to find Sophos at default location" + findSophosCmd = `find / -iname savdstatus | grep /bin/savdstatus 2>&1`.lines.map(&:chomp) + if !$?.success? || findSophosCmd.nil? || findSophosCmd.empty? + #puts "Not able to find Sophos at custmize location, not able to find Sophos installed on the machine" + return false + else + #puts "Find sophosPath " + sophosPath + sophosPath = findSophosCmd[0] + end + end + + detectioncmd = `#{sophosPath} --version 2>&1`.lines.map(&:chomp) + #puts detectioncmd + if !$?.success? || detectioncmd.nil? || detectioncmd.empty? + #puts "Fail to run sophos version cmd" + return false + else + sophosInfo = detectioncmd[1].split(" = ") + sophosName = sophosInfo[0].strip + sophosVersion = sophosInfo[1].strip + #puts "sophosName " + sophosName + #puts "sophosVersion " + sophosVersion + if sophosName != "Sophos Anti-Virus" + #puts "Sophos Name is not Sophos Anti-Virus" + return false + elsif sophosVersion.split(".")[0].to_i < 9 + #puts "Sophos version is less than 9, please install latest Sophos" + return false + end + end + #puts "Sophos is detected on the machine at path " + sophosPath + return true + rescue => e + #puts "Getting exception when checking sophos is installed or not: " + e.message + return false + end + end + + def self.getprotectionstatus() + ret = {} + + sophosName = "Sophos Anti-Virus" + sophosVersion = "NA" + + lastUpdate = "NA" + lastUpdateTime = "NA" + buildRevision = "NA" + threatDetectionEngine = "NA" + threatData = "NA" + threatCount = "NA" + threatDataRelease = "NA" + + ondemandscan = "NA" + scheduledscan = "NA" + + rmsstatus = "NA" + onaccessscan = "NA" + liveprotection = "NA" + + 
scanDate = "" + protectionStatusDetails = "" + protectionStatusAlertArray = [] + protectionStatusDetailsArray = [] + + error = "" + + ($ProtectionStatusRank, $ProtectionStatus) = AntimalwareCommon::UnknownProtectionCode + ($ThreatStatusRank, $ThreatStatus) = AntimalwareCommon::UnknownThreatCode + + begin + sophosPath = "/opt/sophos-av/bin/savdstatus" + if !File.file?('/opt/sophos-av/bin/savdstatus') + findSophosCmd = `find / -iname savdstatus | grep /bin/savdstatus 2>&1`.lines.map(&:chomp) + if !$?.success? || findSophosCmd.nil? || findSophosCmd.empty? + error += "Getting issue when trying to find custmized sophos path, Sophos not detected; " + return + else + #puts "sophosPath " + sophosPath + sophosPath = findSophosCmd[0] + end + end + + detectioncmd = `LANG=en_US.UTF-8 #{sophosPath} --version 2>&1`.lines.map(&:chomp) + #puts detectioncmd + if !$?.success? || detectioncmd.nil? || detectioncmd.empty? + error += "Getting issue when running sophos version cmd; " + else + sophosInfo = detectioncmd[1].split(" = ") + #sophosName = sophosInfo[0] + sophosVersion = sophosInfo[1].strip + #puts "sophosName " + sophosName + #puts "sophosVersion " + sophosVersion + buildRevision = detectioncmd[2].split(" = ")[1].strip + threatDetectionEngine = detectioncmd[3].split(" = ")[1].strip + threatData = detectioncmd[4].split(" = ")[1].strip + threatCount = detectioncmd[5].split(" = ")[1].strip + threatDataRelease = detectioncmd[6].split(" = ")[1].split("UTC")[0].strip + lastUpdate = detectioncmd[7].split(" = ")[1].split("UTC")[0].strip + + #250 + #signature date + #threat release date + lastUpdate = Time.strptime(lastUpdate, '%a %d %b %Y %I:%M:%S %p') + threatDataRelease = Time.strptime(threatDataRelease, '%a %d %b %Y %I:%M:%S %p') + protectionStatusDetailsArray.push("buildRevision: " + buildRevision) + #puts "threatDetectionEngine " + threatDetectionEngine + protectionStatusDetailsArray.push("threatData: " + threatData) + protectionStatusDetailsArray.push("threatCount: " + 
threatCount) + #puts "threatDataRelease " + threatDataRelease.to_s + if (!threatDataRelease.nil? && threatDataRelease != "NA") + if (threatDataRelease < (Time.now - 30*24*3600).utc) + ($ProtectionStatusRank, $ProtectionStatus) = AntimalwareCommon::SignaturesOutOfDateProtectionCode + protectionStatusAlertArray.push("Threat Data Release Update out of 30 days: " + threatDataRelease.to_s) + else + protectionStatusDetailsArray.push("Threat Data Release Update within 30 days: " + threatDataRelease.to_s) + end + else + error += "threat Data Release not found; " + ($ProtectionStatusRank, $ProtectionStatus) = AntimalwareCommon::SignaturesOutOfDateProtectionCode + protectionStatusAlertArray.push("Threat Data Release not found: " + threatDataRelease) + end + + #puts "lastUpdate " + lastUpdate.to_s + if (!lastUpdate.nil? && lastUpdate != "NA") + if (lastUpdate < (Time.now - 7*24*3600).utc) + ($ProtectionStatusRank, $ProtectionStatus) = AntimalwareCommon::SignaturesOutOfDateProtectionCode + protectionStatusAlertArray.push("Last Update out of 7 days: " + lastUpdate.to_s) + else + protectionStatusDetailsArray.push("Last Update within 7 days: " + lastUpdate.to_s) + end + else + error += "Last Update not found, running lastupdate cmd; " + lutcmd = `LANG=en_US.UTF-8 #{sophosPath} --lastupdate 2>&1`.lines.map(&:chomp) + #puts lutcmd + if !$?.success? || lutcmd.nil? || lutcmd.empty? + error += "Fail to run last update time cmd; " + ($ProtectionStatusRank, $ProtectionStatus) = AntimalwareCommon::SignaturesOutOfDateProtectionCode + protectionStatusAlertArray.push("Last Update not when running last update cmd: " + lastUpdateTime) + else + lastUpdateTime = lutcmd[0].split("UTC")[0].strip + if(lastUpdateTime == "NA") or (lastUpdateTime.include? 
"Never updated") + ($ProtectionStatusRank, $ProtectionStatus) = AntimalwareCommon::SignaturesOutOfDateProtectionCode + protectionStatusAlertArray.push("Last Update not found: " + lastUpdateTime) + else + lastUpdateTime = Time.strptime(lastUpdateTime, '%a %d %b %Y %I:%M:%S %p') + if (lastUpdateTime < (Time.now - 7*24*3600).utc) + ($ProtectionStatusRank, $ProtectionStatus) = AntimalwareCommon::SignaturesOutOfDateProtectionCode + protectionStatusAlertArray.push("Last Update out of 7 days: " + lastUpdateTime.to_s) + else + protectionStatusDetailsArray.push("Last Update within 7 days: " + lastUpdateTime.to_s) + end + end + end + end + end + ############################# + + #270 + #on access scan + #live protection + + ################################################# + oascmd = `#{sophosPath} -v 2>&1`.lines.map(&:chomp) + #puts oascmd + if !$?.success? || oascmd.nil? || oascmd.empty? + error += "Fail to run On Access Scan cmd; " + else + onaccessscan = oascmd[0].strip + "; " + oascmd[1].strip + if(onaccessscan == "NA") or (onaccessscan.include? "On-access scanning is not running") + ($ProtectionStatusRank, $ProtectionStatus) = AntimalwareCommon::NoRealTimeProtectionProtectionCode + protectionStatusAlertArray.push("On Access Scan is not running: " + onaccessscan) + else + protectionStatusDetailsArray.push(onaccessscan) + end + end + #puts onaccessscan + ########################### + sophosconfigpathArray = sophosPath.split("/") + sophosconfigpathArray[sophosconfigpathArray.length-1] = "savconfig" + sophosconfigpath = sophosconfigpathArray.join('/') + lpcmd = `#{sophosconfigpath} get LiveProtection 2>&1`.lines.map(&:chomp) + #puts lpcmd + if !$?.success? || lpcmd.nil? || lpcmd.empty? 
+ error += "live protection cmd failed; " + else + liveProtection = lpcmd[0].strip + if(liveProtection == "NA") or (liveProtection != "enabled") + ($ProtectionStatusRank, $ProtectionStatus) = AntimalwareCommon::NoRealTimeProtectionProtectionCode + protectionStatusAlertArray.push("liveProtection is not enabled: " + liveProtection) + else + protectionStatusDetailsArray.push("Live Protection is enabled") + end + end + #puts liveProtection + + #350 + #find scan date + #rms not connected + ############################# + rmscmd = `#{sophosPath} --rms 2>&1`.lines.map(&:chomp) + status = $? + #puts status + if rmscmd.nil? || rmscmd.empty? + error += "Fail to run Remote Management status cmd; " + else + rmsstatus = rmscmd[0].strip + if(rmsstatus == "NA") or (rmsstatus.include? "inactive") + ($ProtectionStatusRank, $ProtectionStatus) = AntimalwareCommon::ActionRequiredProtectionCode + protectionStatusAlertArray.push("Remote Management status is not active: " + rmsstatus) + else + protectionStatusDetailsArray.push(rmsstatus) + end + end + #puts rmsstatus + + ############################# + + sophoslogArray = sophosPath.split("/") + sophoslogArray[sophoslogArray.length-1] = "savlog" + sophoslogpath = sophoslogArray.join('/') + + scancmd = `LANG=en_US.UTF-8 #{sophoslogpath} --maxage=7 | grep "scan finished" | tail -1 2>&1`.lines.map(&:chomp) + #puts scancmd + if !$?.success? || scancmd.nil? || scancmd.empty? + error += "on demand scan cmd failed; " + else + ondemandscan = scancmd[0].split("UTC: savscan.log")[0].strip + if(ondemandscan == "NA" || ondemandscan.nil? || ondemandscan.empty? ) + #puts "On demand scanDate within 7 days not found" + else + ondemandscan = Time.strptime(ondemandscan, '%a %d %b %Y %I:%M:%S %p') + end + end + #puts ondemandscan.to_s + ######################################### + scheduleScancmd = `LANG=en_US.UTF-8 #{sophoslogpath} --maxage=7 | grep -i "Scheduled scan .* completed" | tail -1`.lines.map(&:chomp) + #puts scheduleScancmd + if !$?.success? 
|| scheduleScancmd.nil? || scheduleScancmd.empty? + error += "on demand scan cmd failed; " + else + scheduledscan = scheduleScancmd[0].split("UTC: scheduled.scan.log")[0].strip + if(scheduledscan == "NA" || scheduledscan.nil? || scheduledscan.empty? ) + #puts "scheduled scanDate within 7 days not found" + else + scheduledscan = Time.strptime(scheduledscan, '%a %d %b %Y %I:%M:%S %p') + end + end + #puts scheduledscan.to_s + ############################# + if (scheduledscan == "NA" && ondemandscan == "NA") + ($ProtectionStatusRank, $ProtectionStatus) = AntimalwareCommon::ActionRequiredProtectionCode + protectionStatusAlertArray.push("No On demand Scan or scheduled Scan found in past 7 days, please run an active scan") + else + if(ondemandscan != "NA") + scanDate = ondemandscan + protectionStatusDetailsArray.push("On Demand Scan Date: " + ondemandscan.to_s) + end + if(scheduledscan != "NA") + scanDate = scheduledscan + protectionStatusDetailsArray.push("On Access Scan Date: " + scheduledscan.to_s) + end + end + + if protectionStatusAlertArray.length == 0 + ($ProtectionStatusRank, $ProtectionStatus) = AntimalwareCommon::RealTimeProtectionCode + protectionStatusDetails += "Sophos is running healthy. 
" + protectionStatusDetails += protectionStatusDetailsArray.join('; ') + else + protectionStatusDetails += protectionStatusDetailsArray.join('; ') + protectionStatusDetails += "; " + protectionStatusDetails += protectionStatusAlertArray.join('; ') + end + + rescue => e + error += "Getting exception when trying to find Sophos health info: " + e.message + " " + e.backtrace.inspect + ret["Error"] = error + end + ret["ProtectionStatusRank"] = $ProtectionStatusRank + ret["ProtectionStatus"] = $ProtectionStatus + ret["ProtectionStatusDetails"] = protectionStatusDetails + ret["DetectionId"] = SecureRandom.uuid + ret["Threat"] = "" + ret["ThreatStatusRank"] = $ThreatStatusRank + ret["ThreatStatus"] = $ThreatStatus + ret["ThreatStatusDetails"] = "Threat Status is currently not supported in Linux Sophos" + ret["Signature"] = (threatDetectionEngine.nil? || threatDetectionEngine.empty? || threatDetectionEngine == "NA")? "Signature version not found" : threatDetectionEngine + ret["ScanDate"] = scanDate + ret["DateCollected"] = DateTime.now.strftime("%m/%d/%Y %H:%M") + ret["Tool"] = sophosName + ret["AMProductVersion"] = (sophosVersion.nil? || sophosVersion.empty? || sophosVersion == "NA")? "Sophos version not found" : sophosVersion + return ret + + end +end \ No newline at end of file From 280d7b703c9be61840ef4ce0ee036e1203b57fff Mon Sep 17 00:00:00 2001 From: clairetest Date: Mon, 5 Aug 2019 12:45:03 -0700 Subject: [PATCH 2/2] update make file --- Makefile | 4 ---- 1 file changed, 4 deletions(-) diff --git a/Makefile b/Makefile index 902691da0..2d1fb34d9 100755 --- a/Makefile +++ b/Makefile @@ -472,11 +472,7 @@ nxOMSGenerateInventoryMof: nxOMSPlugin: rm -rf output/staging; \ -<<<<<<< HEAD - VERSION="3.18"; \ -======= VERSION="3.21"; \ ->>>>>>> master PROVIDERS="nxOMSPlugin"; \ STAGINGDIR="output/staging/$@/DSCResources"; \ cat Providers/Modules/$@.psd1 | sed "s@@$${VERSION}@" > intermediate/Modules/$@.psd1; \
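Review bot: Both `Sophos.detect` and `Sophos.getprotectionstatus` fall back to `find / -iname savdstatus | grep /bin/savdstatus` and then execute whatever path comes back (`#{sophosPath} --version`, `--lastupdate`, `-v`, `--rms`, plus the derived `savconfig` and `savlog` paths) with no check on who owns that file, so on a host where the default binary is absent the collector walks the whole filesystem on every run and will execute any `*/bin/savdstatus` it finds, including one placed in a world-writable directory, with the collector's own privileges. The path is also interpolated into a shell string unquoted, and the `2>&1` and `$?` in that pipeline apply to `grep`, not to `find`. Restrict discovery to the product's supported install roots (the root in the fence is a placeholder to confirm against the Sophos documentation), accept only a root-owned, non-world-writable executable, and invoke it without a shell via `Open3.capture2e` (add `require 'open3'` to the header); the same change belongs in `getprotectionstatus`, which should also end that branch with `return ret` rather than a bare `return`. Two smaller points: `SecureRandom.uuid` near the end of the file has no `require 'securerandom'` in this file and sits outside the `rescue`, so the file only works when the caller has already loaded it, and the scheduled-scan branch reuses the on-demand strings (`error += "on demand scan cmd failed; "` and `"On Access Scan Date: "`), which mislabels the collected data.
```ruby
  def self.detect()
    begin
      sophosPath = "/opt/sophos-av/bin/savdstatus"
      if !File.file?(sophosPath)
        # Bounded discovery: search only the product's install root(s) (/opt here is a
        # PLACEHOLDER to confirm against the Sophos docs) and accept only a root-owned,
        # non-world-writable executable, so a planted file is never executed.
        candidates = `find /opt -maxdepth 4 -type f -path '*/bin/savdstatus' 2>/dev/null`.lines.map(&:chomp)
        sophosPath = candidates.find do |p|
          File.executable?(p) && File.stat(p).uid == 0 && !File.world_writable?(p)
        end
        return false if sophosPath.nil?
      end

      # Argument form: the path goes straight to the process and is not re-parsed by a shell.
      output, status = Open3.capture2e(sophosPath, "--version")
      detectioncmd = output.lines.map(&:chomp)
      return false if !status.success? || detectioncmd.empty?
      # … unchanged: product-name and major-version checks, rescue …
```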