From d7bcb9b580799a504a51295bed7757e65a1f75d6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jes=C3=BAs=20=C3=81ngel?= Date: Wed, 26 Sep 2018 18:12:25 +0200 Subject: [PATCH 1/7] Added osquery icon --- public/img/icons/osquery.png | Bin 0 -> 1718 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 public/img/icons/osquery.png diff --git a/public/img/icons/osquery.png b/public/img/icons/osquery.png new file mode 100644 index 0000000000000000000000000000000000000000..df0f91050db12cbcdc5e04189937d3aba14c68a5 GIT binary patch literal 1718 zcmZ`&2~<-@6rF@6A&8)aEfolXL~0cSSY%NU1OzmQAfl&-ny?B{fe?1E5ZMudfKX+( zh!Vx69;+xQJt%G6um=%qEBg``PzXuLkMcX5SW5BqpP4`J-FM%+Z|2X>^YPxMK_C$T z02-biuD)<3&riG(e7iQ}cfv(E+?nAFz?CBP4=k1WV6cZT1At^20O^?kAP`Cy0uV|u4YZCxif1e$@-OiMwkYh@=X|6#p*P%b2MlaQ(REj;smkdZ#JWFte z`%iFwT_7xg3kWn6-~#fh`xCM_v9SUbRH9@<3kWt>qb=vqdcOEX&RALY2s@||gTbib zm)DodU=f0vrjE9WzK$8(0v4+b`Fc8L<+(yd{Uuro_j7P@SBp8&hMgGbtv-=EDmaB+ zJM(X=FoeY_K}9OX?r=yG)x>UbqR|%?k<12oj1W}9DnsVtXiL-l?#gpVNqXiBIP3vx zL08etlKvGm2+9{OCl4Pn10e4g`E+0tEf0HbiWoOF}`E*8H_6%2*JCj2Y$En1|b8-`uV?;=v z7!k*-FnflFMhfyvDXT~(WHWvaK4-A6|7j2;$g<*bu``*R1ZB}tUQ|Z%6v8_?D?jqO zC}Z%XJsEDeAvMwpQ^FXRUkNV;)6>;?x9x+#ZfQWb53zkpTIInm zTvvSHsrxqsb2p#iKGGE)zS-ZIcs;J(|NOH&|5XEhDHMyp&NuxqG<&D@-R<6(R;Mw! zotUvE-pHZm zt&NpSBqOf6jiy#}&fDx3quJjpu25RKCWXOSGtRBT__4RHh|q3Z){Aw(ktt99OwucG zbMfg&2Qqk_GG91ZE|S)`Cc+!*z8PNX;X z_+?6(ZFKPUz5wI8_nT5@^sjdXRd|waTrkY+^hxxpEejZ6h(xoj7PqrxdyILSp`%I7 zP|U62i{XZ;Q$bx0nD*mm@2YFv{b<#5l3qoStKYnVZxxt~h%33cDM_F{T52)3T7?uc zlv4ZZGS2wmtdMFPc+fFzZd$VqxF6^gL}$S3N9DTh<%Y1hq4vR?P`Cgqx~1(py4^Y} zo86Wh?XADIx1@hXx3Z_xgWGF&{wLv3R7gZv(*Gx{tX?gG2?p~Deoy+v2D73=EuuK#m6MxDkOVy4yj?H4FnNCi{VmVA literal 0 HcmV?d00001 From 5c3b693ac5ea744457bf53f35559cd2462aa43f9 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jes=C3=BAs=20=C3=81ngel?= Date: Wed, 26 Sep 2018 18:12:45 +0200 Subject: [PATCH 2/7] Added osquery view --- .../templates/overview/overview-osquery.html | 39 +++++++++++++++++++ .../templates/overview/overview-welcome.html | 5 +++ public/templates/overview/overview.head | 1 + public/templates/overview/overview.jade | 1 + 4 files changed, 46 insertions(+) create mode 100644 public/templates/overview/overview-osquery.html diff --git a/public/templates/overview/overview-osquery.html b/public/templates/overview/overview-osquery.html new file mode 100644 index 0000000000..f3c5e29c36 --- /dev/null +++ b/public/templates/overview/overview-osquery.html @@ -0,0 +1,39 @@ + + +
+ + + Alerts over time + + + + +
+ +
+ + + Most common packs + + + + + + + Top 5 rules + + + + +
+ +
+ + + Alerts evolution - Top 5 agents + + + + +
+
\ No newline at end of file diff --git a/public/templates/overview/overview-welcome.html b/public/templates/overview/overview-welcome.html index 008c172294..43f6632a2f 100644 --- a/public/templates/overview/overview-welcome.html +++ b/public/templates/overview/overview-welcome.html @@ -75,6 +75,11 @@

Auditing and Policy Monitoring

title="'CIS-CAT'" switch-tab="switchTab('ciscat')" current-tab="'ciscat'" description="TabDescription.ciscat.description" > + diff --git a/public/templates/overview/overview.head b/public/templates/overview/overview.head index 978a39b3fc..38b4e487bc 100644 --- a/public/templates/overview/overview.head +++ b/public/templates/overview/overview.head @@ -74,6 +74,7 @@ {{ tabNames['audit'] }} {{ tabNames['oscap'] }} {{ tabNames['ciscat'] }} + {{ tabNames['osquery'] }} diff --git a/public/templates/overview/overview.jade b/public/templates/overview/overview.jade index 9a6a69dc21..9e1f339edf 100644 --- a/public/templates/overview/overview.jade +++ b/public/templates/overview/overview.jade @@ -11,4 +11,5 @@ include ./overview-pci.html include ./overview-gdpr.html include ./overview-aws.html include ./overview-virustotal.html +include ./overview-osquery.html include ../footer.foot From b8831d050ab933dea3f80c72c45fff3275b5e784 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jes=C3=BAs=20=C3=81ngel?= Date: Wed, 26 Sep 2018 18:13:14 +0200 Subject: [PATCH 3/7] Added osquery - overview logic (in progress) --- public/controllers/overview/index.js | 2 +- public/factories/tab-visualizations.js | 3 +- public/services/common-data.js | 7 +- server/integration-files/known-fields.js | 18 +++++ .../visualizations/overview/index.js | 4 +- .../overview/overview-osquery.js | 78 +++++++++++++++++++ server/reporting/tab-description.js | 4 + 7 files changed, 110 insertions(+), 6 deletions(-) create mode 100644 server/integration-files/visualizations/overview/overview-osquery.js diff --git a/public/controllers/overview/index.js b/public/controllers/overview/index.js index f93beccc71..e6a22e3207 100644 --- a/public/controllers/overview/index.js +++ b/public/controllers/overview/index.js 
@@ -64,7 +64,7 @@ app.controller('overviewController', function( tabVisualizations.assign('overview'); $scope.hostMonitoringTabs = ['general', 'fim', 'aws']; - $scope.systemAuditTabs = ['pm', 'audit', 'oscap', 'ciscat']; + $scope.systemAuditTabs = ['pm', 'audit', 'oscap', 'ciscat', 'osquery']; $scope.securityTabs = ['vuls', 'virustotal']; $scope.complianceTabs = ['pci', 'gdpr']; diff --git a/public/factories/tab-visualizations.js b/public/factories/tab-visualizations.js index 6664221898..2c593d80df 100644 --- a/public/factories/tab-visualizations.js +++ b/public/factories/tab-visualizations.js @@ -39,7 +39,8 @@ export class TabVisualizations { pci: 6, gdpr: 6, aws: 6, - virustotal: 7 + virustotal: 7, + osquery: 4 }; this.tabVisualizations = {}; diff --git a/public/services/common-data.js b/public/services/common-data.js index 925798a66b..ae336750cd 100644 --- a/public/services/common-data.js +++ b/public/services/common-data.js @@ -98,19 +98,20 @@ export class CommonData { pci: { group: 'pci_dss' }, gdpr: { group: 'gdpr' }, aws: { group: 'amazon' }, - virustotal: { group: 'virustotal' } + virustotal: { group: 'virustotal' }, + osquery: { group: 'osquery' } }; const filters = []; const isCluster = this.appState.getClusterInfo().status == 'enabled'; - filters.push( + /*filters.push( filterHandler.managerQuery( isCluster ? this.appState.getClusterInfo().cluster : this.appState.getClusterInfo().manager, isCluster ) - ); + );*/ if (tab !== 'general') { if (tab === 'pci') { diff --git a/server/integration-files/known-fields.js b/server/integration-files/known-fields.js index d516dfe6aa..13d10d7b77 100644 --- a/server/integration-files/known-fields.js +++ b/server/integration-files/known-fields.js 
@@ -5143,5 +5143,23 @@ export const knownFields = [ searchable: true, aggregatable: true, readFromDocValues: true + }, + { + name: 'data.osquery.pack', + type: 'string', + count: 0, + scripted: false, + searchable: true, + aggregatable: true, + readFromDocValues: true + }, + { + name: 'data.osquery.action', + type: 'string', + count: 0, + scripted: false, + searchable: true, + aggregatable: true, + readFromDocValues: true } ]; diff --git a/server/integration-files/visualizations/overview/index.js b/server/integration-files/visualizations/overview/index.js index a19eb6faaf..88a9825b4e 100644 --- a/server/integration-files/visualizations/overview/index.js +++ b/server/integration-files/visualizations/overview/index.js @@ -20,6 +20,7 @@ import gdpr from './overview-gdpr'; import pm from './overview-pm'; import virustotal from './overview-virustotal'; import vuls from './overview-vuls'; +import osquery from './overview-osquery'; export { audit, @@ -32,5 +33,6 @@ export { gdpr, pm, virustotal, - vuls + vuls, + osquery }; diff --git a/server/integration-files/visualizations/overview/overview-osquery.js b/server/integration-files/visualizations/overview/overview-osquery.js new file mode 100644 index 0000000000..2ed2baf7a2 --- /dev/null +++ b/server/integration-files/visualizations/overview/overview-osquery.js 
@@ -0,0 +1,78 @@ +/* + * Wazuh app - Module for Overview/Osquery visualizations + * Copyright (C) 2018 Wazuh, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * Find more information about this on the LICENSE file. + */ +export default [ + { + _id: 'Wazuh-App-Overview-Osquery-Alerts-over-time', + _type: 'visualization', + _source: { + title: 'Alerts over time', + visState: + '{"title":"Alerts over time","type":"area","params":{"type":"area","grid":{"categoryLines":false,"style":{"color":"#eee"}},"categoryAxes":[{"id":"CategoryAxis-1","type":"category","position":"bottom","show":true,"style":{},"scale":{"type":"linear"},"labels":{"show":true,"truncate":100},"title":{}}],"valueAxes":[{"id":"ValueAxis-1","name":"LeftAxis-1","type":"value","position":"left","show":true,"style":{},"scale":{"type":"linear","mode":"normal"},"labels":{"show":true,"rotate":0,"filter":false,"truncate":100},"title":{"text":"Count"}}],"seriesParams":[{"show":"true","type":"area","mode":"stacked","data":{"label":"Count","id":"1"},"drawLinesBetweenPoints":true,"showCircles":true,"interpolate":"linear","valueAxis":"ValueAxis-1"}],"addTooltip":true,"addLegend":true,"legendPosition":"right","times":[],"addTimeMarker":false},"aggs":[{"id":"1","enabled":true,"type":"count","schema":"metric","params":{}},{"id":"2","enabled":true,"type":"date_histogram","schema":"segment","params":{"field":"@timestamp","interval":"auto","customInterval":"2h","min_doc_count":1,"extended_bounds":{}}}]}', + uiStateJSON: '{}', + description: '', + version: 1, + kibanaSavedObjectMeta: { + searchSourceJSON: + '{"index":"wazuh-alerts","query":{"query":"","language":"lucene"},"filter":[]}' + } + } + }, + { + _id: 'Wazuh-App-Overview-Osquery-Most-common-packs', + _type: 'visualization', + _source: { + title: 
'Most common packs', + visState: + '{"title":"Most common packs","type":"pie","params":{"type":"pie","addTooltip":true,"addLegend":true,"legendPosition":"right","isDonut":true,"labels":{"show":false,"values":true,"last_level":true,"truncate":100}},"aggs":[{"id":"1","enabled":true,"type":"count","schema":"metric","params":{}},{"id":"2","enabled":true,"type":"terms","schema":"segment","params":{"field":"data.osquery.pack","size":5,"order":"desc","orderBy":"1","otherBucket":false,"otherBucketLabel":"Other","missingBucket":false,"missingBucketLabel":"Missing"}}]}', + uiStateJSON: '{}', + description: '', + version: 1, + kibanaSavedObjectMeta: { + searchSourceJSON: + '{"index":"wazuh-alerts","query":{"language":"lucene","query":""},"filter":[]}' + } + } + }, + { + _id: 'Wazuh-App-Overview-Osquery-Top-5-rules', + _type: 'visualization', + _source: { + title: 'Top 5 rules', + visState: + '{"title":"Top 5 rules","type":"table","params":{"perPage":10,"showPartialRows":false,"showMetricsAtAllLevels":false,"sort":{"columnIndex":null,"direction":null},"showTotal":false,"totalFunc":"sum"},"aggs":[{"id":"1","enabled":true,"type":"count","schema":"metric","params":{}},{"id":"2","enabled":true,"type":"terms","schema":"bucket","params":{"field":"rule.id","size":5,"order":"desc","orderBy":"1","otherBucket":false,"otherBucketLabel":"Other","missingBucket":false,"missingBucketLabel":"Missing","customLabel":"Rule ID"}},{"id":"3","enabled":true,"type":"terms","schema":"bucket","params":{"field":"rule.description","size":1,"order":"desc","orderBy":"1","otherBucket":false,"otherBucketLabel":"Other","missingBucket":false,"missingBucketLabel":"Missing","customLabel":"Description"}}]}', + uiStateJSON: + '{"vis":{"params":{"sort":{"columnIndex":null,"direction":null}}}}', + description: '', + version: 1, + kibanaSavedObjectMeta: { + searchSourceJSON: + '{"index":"wazuh-alerts","query":{"query":"","language":"lucene"},"filter":[]}' + } + } + }, + { + _id: 
'Wazuh-App-Overview-Osquery-Alerts-evolution-Top-5-agents', + _type: 'visualization', + _source: { + title: 'Alerts evolution - Top 5 agents', + visState: + '{"title":"Alerts evolution - Top 5 agents","type":"area","params":{"type":"area","grid":{"categoryLines":false,"style":{"color":"#eee"}},"categoryAxes":[{"id":"CategoryAxis-1","type":"category","position":"bottom","show":true,"style":{},"scale":{"type":"linear"},"labels":{"show":true,"truncate":100},"title":{}}],"valueAxes":[{"id":"ValueAxis-1","name":"LeftAxis-1","type":"value","position":"left","show":true,"style":{},"scale":{"type":"linear","mode":"normal"},"labels":{"show":true,"rotate":0,"filter":false,"truncate":100},"title":{"text":"Count"}}],"seriesParams":[{"show":"true","type":"area","mode":"stacked","data":{"label":"Count","id":"1"},"drawLinesBetweenPoints":true,"showCircles":true,"interpolate":"linear","valueAxis":"ValueAxis-1"}],"addTooltip":true,"addLegend":true,"legendPosition":"right","times":[],"addTimeMarker":false},"aggs":[{"id":"1","enabled":true,"type":"count","schema":"metric","params":{}},{"id":"2","enabled":true,"type":"date_histogram","schema":"segment","params":{"field":"@timestamp","interval":"auto","customInterval":"2h","min_doc_count":1,"extended_bounds":{}}},{"id":"3","enabled":true,"type":"terms","schema":"group","params":{"field":"agent.name","size":5,"order":"desc","orderBy":"1","otherBucket":false,"otherBucketLabel":"Other","missingBucket":false,"missingBucketLabel":"Missing"}}]}', + uiStateJSON: '{}', + description: '', + version: 1, + kibanaSavedObjectMeta: { + searchSourceJSON: + '{"index":"wazuh-alerts","query":{"query":"","language":"lucene"},"filter":[]}' + } + } + } +]; diff --git a/server/reporting/tab-description.js b/server/reporting/tab-description.js index b79cd802af..8a67e454e3 100644 --- a/server/reporting/tab-description.js +++ b/server/reporting/tab-description.js 
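Review bot: None of the four entries is self-filtering: each `searchSourceJSON` carries `"query":""` and `"filter":[]`, so on their own these panels aggregate every document in `wazuh-alerts`, and what narrows them to osquery is, as far as this series shows, the tab filter `osquery: { group: 'osquery' }` added to `common-data.js` in the same commit and applied at runtime by the controller. Since this file seeds saved objects that could be reused outside that controller, a header comment making the dependency explicit would save the next reader from hunting for a missing filter, e.g. `// Panels carry no osquery filter of their own; the Overview controller scopes them through CommonData's per-tab 'osquery' group filter.` A smaller consistency point: the "Most common packs" entry orders its query keys as `{"language":"lucene","query":""}` while the other three use `{"query":"","language":"lucene"}`; harmless, but aligning them keeps the file diff-friendly.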
@@ -74,5 +74,9 @@ export const TabDescription = { title: 'Configuration', description: 'Check the current agent configuration remotely applied by its group.' + }, + osquery: { + title: 'Osquery', + description: 'Osquery can be used to expose an operating system as a high-performance relational database.' } }; From a3ff83910c5d765dd59418266eaba6f79106ef6c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jes=C3=BAs=20=C3=81ngel?= Date: Sat, 29 Sep 2018 12:36:26 +0200 Subject: [PATCH 4/7] Metrics for osquery --- public/controllers/overview/index.js | 14 ++++++-------- public/factories/tab-visualizations.js | 2 +- public/templates/overview/overview-osquery.html | 11 +++++++++++ public/utils/overview-metrics.js | 8 +++++++- .../visualizations/overview/overview-osquery.js | 15 +++++++++++++++ 5 files changed, 40 insertions(+), 10 deletions(-) diff --git a/public/controllers/overview/index.js b/public/controllers/overview/index.js index e6a22e3207..fd66ef9d37 100644 --- a/public/controllers/overview/index.js +++ b/public/controllers/overview/index.js @@ -21,7 +21,8 @@ import { metricsVulnerability, metricsScap, metricsCiscat, - metricsVirustotal + metricsVirustotal, + metricsOsquery } from '../../utils/overview-metrics'; import { queryConfig } from '../../services/query-config'; @@ -98,6 +99,9 @@ app.controller('overviewController', function( case 'virustotal': createMetrics(metricsVirustotal); break; + case 'osquery': + createMetrics(metricsOsquery); + break; } } }; @@ -253,10 +257,6 @@ app.controller('overviewController', function( $scope.wzMonitoringEnabled = !!configuration['wazuh.monitoring.enabled']; - if (!$scope.wzMonitoringEnabled) { - await getSummary(); - } - return; } catch (error) { $scope.wzMonitoringEnabled = true; @@ -270,9 +270,7 @@ app.controller('overviewController', function( $scope.switchTab($scope.tab, true); - if ($scope.tab && $scope.tab === 'welcome') { - await getSummary(); - } + await getSummary(); if (!$scope.$$phase) $scope.$digest(); 
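Review bot: In the third hunk of `public/controllers/overview/index.js`, `await getSummary();` becomes unconditional, where the removed code ran it only for the welcome tab (and, in the second hunk, only when wazuh.monitoring was disabled), so every overview tab load now issues the summary request; presumably this is to populate `agentsCountTotal` for the new osquery metric. The enclosing function starts and ends outside the hunk, so I cannot see whether a rejection from `getSummary()` is caught there; if it is not, a failing summary call would now abort loading of every tab rather than just welcome. Either limit it to the tabs that need it, `if ($scope.tab === 'welcome' || $scope.tab === 'osquery') { await getSummary(); }`, or isolate it in its own `try { await getSummary(); } catch (error) { /* summary is non-essential for the tab */ }` that reports through the file's usual error path.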
diff --git a/public/factories/tab-visualizations.js b/public/factories/tab-visualizations.js index 2c593d80df..529368b582 100644 --- a/public/factories/tab-visualizations.js +++ b/public/factories/tab-visualizations.js @@ -40,7 +40,7 @@ export class TabVisualizations { gdpr: 6, aws: 6, virustotal: 7, - osquery: 4 + osquery: 5 }; this.tabVisualizations = {}; diff --git a/public/templates/overview/overview-osquery.html b/public/templates/overview/overview-osquery.html index f3c5e29c36..179362106d 100644 --- a/public/templates/overview/overview-osquery.html +++ b/public/templates/overview/overview-osquery.html @@ -1,4 +1,15 @@ +
+ + +
Agents reporting Osquery events: of {{ agentsCountTotal }}
+
+
+
+ +
+ +
diff --git a/public/utils/overview-metrics.js b/public/utils/overview-metrics.js index 94e0e24cc6..4a6393ade5 100644 --- a/public/utils/overview-metrics.js +++ b/public/utils/overview-metrics.js @@ -69,6 +69,11 @@ const metricsVirustotal = { virusTotal: '[vis-id="\'Wazuh-App-Overview-Virustotal-Total\'"]' }; +// Metrics OSQuery +const metricsOsquery = { + osqueryAgentsReporting: + '[vis-id="\'Wazuh-App-Overview-Osquery-Agents-reporting\'"]' +}; export default { metricsGeneral, @@ -76,5 +81,6 @@ export default { metricsVulnerability, metricsScap, metricsCiscat, - metricsVirustotal + metricsVirustotal, + metricsOsquery }; diff --git a/server/integration-files/visualizations/overview/overview-osquery.js b/server/integration-files/visualizations/overview/overview-osquery.js index 2ed2baf7a2..b748441dcf 100644 --- a/server/integration-files/visualizations/overview/overview-osquery.js +++ b/server/integration-files/visualizations/overview/overview-osquery.js 
@@ -74,5 +74,20 @@ export default [ '{"index":"wazuh-alerts","query":{"query":"","language":"lucene"},"filter":[]}' } } + }, + { + _id: 'Wazuh-App-Overview-Osquery-Agents-reporting', + _type: 'visualization', + _source: { + title: 'Agents reporting', + "visState": "{\"title\":\"Agents reporting\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"agent.id\"}}]}", + uiStateJSON: '{}', + description: '', + version: 1, + kibanaSavedObjectMeta: { + searchSourceJSON: + '{"index":"wazuh-alerts","query":{"query":"","language":"lucene"},"filter":[]}' + } + } } ]; From a23da835f41ccebba9d190f5bd509aadbdc9d773 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jes=C3=BAs=20=C3=81ngel?= Date: Wed, 3 Oct 2018 11:43:16 +0200 Subject: [PATCH 5/7] Added extensions logic for Osquery --- config.yml | 1 + public/controllers/agent/agents.js | 2 +- public/controllers/settings/index.js | 2 ++ public/services/resolves/get-config.js | 1 + public/services/resolves/settings-wizard.js | 3 ++- public/templates/agents/agents-osquery.html | 3 +++ public/templates/agents/agents-welcome.html | 5 +++++ public/templates/agents/agents.head | 5 +++-- .../templates/overview/overview-welcome.html | 2 +- public/templates/overview/overview.head | 2 +- .../settings/settings-extensions.html | 20 +++++++++++++++++++ 11 files changed, 40 insertions(+), 6 deletions(-) create mode 100644 public/templates/agents/agents-osquery.html diff --git a/config.yml b/config.yml index c03f1121d7..c7a1035859 100644 --- a/config.yml +++ b/config.yml 
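Review bot: The new `Wazuh-App-Overview-Osquery-Agents-reporting` entry writes its state as a double-quoted key with an escaped double-quoted string (`"visState": "{\"title\":...`), whereas every other entry in this file uses `visState:` followed by a single-quoted JSON string; reformatting it to the file's convention removes the escaping noise and keeps the ids greppable. The metric itself is a `cardinality` aggregation on `agent.id`, which Elasticsearch computes approximately (HyperLogLog++) once the count exceeds the aggregation's precision threshold, so the figure shown next to `agentsCountTotal` in the template can drift for large fleets. A one-line comment on the entry is enough to stop someone treating it as an exact count, e.g. `// cardinality(agent.id) is approximate above the ES precision threshold; fine for a dashboard metric`.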
@@ -44,6 +44,7 @@ #extensions.ciscat : false #extensions.aws : false #extensions.virustotal: false +#extensions.osquery : false # # ---------------------------------- Time out ---------------------------------- # diff --git a/public/controllers/agent/agents.js b/public/controllers/agent/agents.js index 7b62695729..69624a2e2e 100644 --- a/public/controllers/agent/agents.js +++ b/public/controllers/agent/agents.js @@ -98,7 +98,7 @@ class AgentsController { this.tabVisualizations.assign('agents'); this.$scope.hostMonitoringTabs = ['general', 'fim', 'syscollector']; - this.$scope.systemAuditTabs = ['pm', 'audit', 'oscap', 'ciscat']; + this.$scope.systemAuditTabs = ['pm', 'audit', 'oscap', 'ciscat', 'osquery']; this.$scope.securityTabs = ['vuls', 'virustotal']; this.$scope.complianceTabs = ['pci', 'gdpr']; diff --git a/public/controllers/settings/index.js b/public/controllers/settings/index.js index c4d990c6d1..7c7cd9c909 100644 --- a/public/controllers/settings/index.js +++ b/public/controllers/settings/index.js @@ -288,6 +288,7 @@ app.controller('settingsController', function( tmpData.extensions.ciscat = config['extensions.ciscat']; tmpData.extensions.aws = config['extensions.aws']; tmpData.extensions.virustotal = config['extensions.virustotal']; + tmpData.extensions.osquery = config['extensions.osquery']; const checkData = await testAPI.check(tmpData); @@ -573,6 +574,7 @@ app.controller('settingsController', function( $scope.extensions.ciscat = config['extensions.ciscat']; $scope.extensions.aws = config['extensions.aws']; $scope.extensions.virustotal = config['extensions.virustotal']; + $scope.extensions.osquery = config['extensions.osquery']; } else { $scope.extensions = appState.getExtensions( JSON.parse(appState.getCurrentAPI()).id diff --git a/public/services/resolves/get-config.js b/public/services/resolves/get-config.js index c9c101a2f9..f28b13de00 100644 --- a/public/services/resolves/get-config.js +++ b/public/services/resolves/get-config.js 
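Review bot: The `extensions.osquery` flag now has to be wired by hand in four places that are each a copy of the same `config['extensions.X']` line — both hunks of `public/controllers/settings/index.js` here, the defaults in `public/services/resolves/get-config.js`, and the `extensions` object in `public/services/resolves/settings-wizard.js` — and a site that is forgotten the next time an extension is added yields `undefined`, which the templates would read as "disabled" with nothing flagging the omission. Consider driving these from one shared list so a new extension only touches the list, e.g. `const EXTENSIONS = [/* existing extension keys */ 'osquery'];` and `for (const ext of EXTENSIONS) tmpData.extensions[ext] = config[`extensions.${ext}`];`. The default of `false` in `get-config.js` does match the commented `#extensions.osquery : false` in `config.yml`, which is the right conservative default for a new extension.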
@@ -25,6 +25,7 @@ export async function getWzConfig($q, genericReq, errorHandler, wazuhConfig) { 'extensions.ciscat': false, 'extensions.aws': false, 'extensions.virustotal': false, + 'extensions.osquery': false, timeout: 8000, 'wazuh.shards': 1, 'wazuh.replicas': 1, diff --git a/public/services/resolves/settings-wizard.js b/public/services/resolves/settings-wizard.js index cca4688d57..28adce7a4d 100644 --- a/public/services/resolves/settings-wizard.js +++ b/public/services/resolves/settings-wizard.js @@ -122,7 +122,8 @@ export function settingsWizard( oscap: config['extensions.oscap'], ciscat: config['extensions.ciscat'], aws: config['extensions.aws'], - virustotal: config['extensions.virustotal'] + virustotal: config['extensions.virustotal'], + osquery: config['extensions.osquery'] }; appState.setExtensions(currentApi, extensions); } diff --git a/public/templates/agents/agents-osquery.html b/public/templates/agents/agents-osquery.html new file mode 100644 index 0000000000..67e25969eb --- /dev/null +++ b/public/templates/agents/agents-osquery.html @@ -0,0 +1,3 @@ + + + \ No newline at end of file diff --git a/public/templates/agents/agents-welcome.html b/public/templates/agents/agents-welcome.html index 9bc5e20713..b2d6c1c5da 100644 --- a/public/templates/agents/agents-welcome.html +++ b/public/templates/agents/agents-welcome.html @@ -122,6 +122,11 @@

Auditing and Policy Monitoring

title="'CIS-CAT'" switch-tab="switchTab('ciscat')" current-tab="'ciscat'" description="TabDescription.ciscat.description" > +
diff --git a/public/templates/agents/agents.head b/public/templates/agents/agents.head index 9ba7918a0c..cddefad5f9 100644 --- a/public/templates/agents/agents.head +++ b/public/templates/agents/agents.head @@ -132,7 +132,7 @@ {{ tabNames['audit'] }} {{ tabNames['oscap'] }} {{ tabNames['ciscat'] }} - + {{ tabNames['osquery'] }} + diff --git a/public/templates/overview/overview-welcome.html b/public/templates/overview/overview-welcome.html index 26bb1ec653..e05b4e2881 100644 --- a/public/templates/overview/overview-welcome.html +++ b/public/templates/overview/overview-welcome.html @@ -76,7 +76,7 @@

Auditing and Policy Monitoring

description="TabDescription.ciscat.description" > diff --git a/public/templates/overview/overview.head b/public/templates/overview/overview.head index 619514c7f7..69b6279927 100644 --- a/public/templates/overview/overview.head +++ b/public/templates/overview/overview.head @@ -65,7 +65,7 @@ + + + + {{ tabNames['osquery'] }} + +
+

Osquery can be used to expose an operating system as a high-performance relational database. This allows you to write SQL-based queries to explore operating system data.

+
+ +
+ +
+
+ + + More info + + +
+ From 0560162bcd03350d605d1edccdec495cd4e97efb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jes=C3=BAs=20=C3=81ngel?= Date: Wed, 3 Oct 2018 15:13:49 +0200 Subject: [PATCH 6/7] Added Osquery agents --- public/controllers/agent/agents.js | 4 +- public/factories/tab-visualizations.js | 3 +- public/templates/agents/agents-osquery.html | 43 +++++++++ public/templates/agents/agents.jade | 1 + .../visualizations/agents/agents-osquery.js | 94 +++++++++++++++++++ .../visualizations/agents/index.js | 3 +- 6 files changed, 143 insertions(+), 5 deletions(-) create mode 100644 server/integration-files/visualizations/agents/agents-osquery.js diff --git a/public/controllers/agent/agents.js b/public/controllers/agent/agents.js index 69624a2e2e..1df972e2dd 100644 --- a/public/controllers/agent/agents.js +++ b/public/controllers/agent/agents.js @@ -299,9 +299,7 @@ class AgentsController { !force; this.$scope.tab = tab; - if (this.$scope.tab === 'configuration') { - this.firstLoad(); - } else { + if (this.$scope.tab !== 'configuration') { this.$scope.switchSubtab( 'panels', true, diff --git a/public/factories/tab-visualizations.js b/public/factories/tab-visualizations.js index 529368b582..103e36adb5 100644 --- a/public/factories/tab-visualizations.js +++ b/public/factories/tab-visualizations.js @@ -24,7 +24,8 @@ export class TabVisualizations { gdpr: 3, pci: 3, virustotal: 6, - configuration: 0 + configuration: 0, + osquery: 5 }; this.overview = { diff --git a/public/templates/agents/agents-osquery.html b/public/templates/agents/agents-osquery.html index 67e25969eb..b48ccaefb2 100644 --- a/public/templates/agents/agents-osquery.html +++ b/public/templates/agents/agents-osquery.html @@ -1,3 +1,46 @@ +
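Review bot: The rewritten condition in `public/controllers/agent/agents.js` drops the `this.firstLoad()` call that the old `configuration` branch made, so selecting the configuration tab no longer triggers that load, and nothing visible in this series (titled "Added Osquery agents") adds a replacement or mentions the removal. If the call became redundant because `firstLoad()` is now triggered elsewhere, that belongs in the commit message or a comment at the branch, e.g. `// configuration tab: firstLoad() is driven from … (see …)`; otherwise the branch should be restored as `if (this.$scope.tab === 'configuration') { this.firstLoad(); } else {`. The method containing `this.$scope.tab = tab;` continues past the end of the hunk.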
+ + + Most common Osquery packs being used + + + + + + + Evolution of Osquery events per pack over time + + + + +
+
+ + + Most common Osquery actions + + + + + + + + Most common rules + + + + +
+ +
+ + + Evolution of Osquery events over time + + + + +
\ No newline at end of file diff --git a/public/templates/agents/agents.jade b/public/templates/agents/agents.jade index a6c33bd67f..61faa680ff 100644 --- a/public/templates/agents/agents.jade +++ b/public/templates/agents/agents.jade @@ -11,5 +11,6 @@ include ./agents-pci.html include ./agents-gdpr.html include ./agents-virustotal.html include ./agents-syscollector.html +include ./agents-osquery.html include ../management/configuration/agent-configuration.jade include ../footer.foot diff --git a/server/integration-files/visualizations/agents/agents-osquery.js b/server/integration-files/visualizations/agents/agents-osquery.js new file mode 100644 index 0000000000..a7b307aa7e --- /dev/null +++ b/server/integration-files/visualizations/agents/agents-osquery.js 
@@ -0,0 +1,94 @@ +/* + * Wazuh app - Module for Agents/Osquery visualizations + * Copyright (C) 2018 Wazuh, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * Find more information about this on the LICENSE file. + */ +export default [ + { + _id: 'Wazuh-App-Agents-Osquery-monst-common-rules-being-fired', + _type: 'visualization', + _source: { + title: 'Most common rules being fired', + visState: + '{"title":"Most common rules being fired","type":"table","params":{"perPage":10,"showPartialRows":false,"showMetricsAtAllLevels":false,"sort":{"columnIndex":null,"direction":null},"showTotal":false,"totalFunc":"sum"},"aggs":[{"id":"1","enabled":true,"type":"count","schema":"metric","params":{}},{"id":"2","enabled":true,"type":"terms","schema":"bucket","params":{"field":"rule.id","size":5,"order":"desc","orderBy":"1","otherBucket":false,"otherBucketLabel":"Other","missingBucket":false,"missingBucketLabel":"Missing","customLabel":"Rule ID"}},{"id":"3","enabled":true,"type":"terms","schema":"bucket","params":{"field":"rule.description","size":1,"order":"desc","orderBy":"1","otherBucket":false,"otherBucketLabel":"Other","missingBucket":false,"missingBucketLabel":"Missing","customLabel":"Description"}}]}', + uiStateJSON: + '{"vis":{"params":{"sort":{"columnIndex":null,"direction":null}}}}', + description: '', + version: 1, + kibanaSavedObjectMeta: { + searchSourceJSON: + '{"index":"wazuh-alerts","query":{"query":"","language":"lucene"},"filter":[]}' + } + } + }, + { + _id: 'Wazuh-App-Agents-Osquery-top-5-packs-being-used', + _type: 'visualization', + _source: { + title: 'Top 5 packs being used', + visState: + '{"title":"Top 5 packs being 
used","type":"pie","params":{"type":"pie","addTooltip":true,"addLegend":true,"legendPosition":"right","isDonut":true,"labels":{"show":false,"values":true,"last_level":true,"truncate":100}},"aggs":[{"id":"1","enabled":true,"type":"count","schema":"metric","params":{}},{"id":"2","enabled":true,"type":"terms","schema":"segment","params":{"field":"data.osquery.pack","size":5,"order":"desc","orderBy":"1","otherBucket":false,"otherBucketLabel":"Other","missingBucket":false,"missingBucketLabel":"Missing"}}]}', + uiStateJSON: '{}', + description: '', + version: 1, + kibanaSavedObjectMeta: { + searchSourceJSON: + '{"index":"wazuh-alerts","query":{"query":"","language":"lucene"},"filter":[]}' + } + } + }, + { + _id: 'Wazuh-App-Agents-Osquery-most-common-osquery-actions', + _type: 'visualization', + _source: { + title: 'Most common Osquery actions', + visState: + '{"title":"Most common Osquery actions","type":"pie","params":{"type":"pie","addTooltip":true,"addLegend":true,"legendPosition":"right","isDonut":true,"labels":{"show":false,"values":true,"last_level":true,"truncate":100}},"aggs":[{"id":"1","enabled":true,"type":"count","schema":"metric","params":{}},{"id":"2","enabled":true,"type":"terms","schema":"segment","params":{"field":"data.osquery.action","size":5,"order":"desc","orderBy":"1","otherBucket":false,"otherBucketLabel":"Other","missingBucket":false,"missingBucketLabel":"Missing"}}]}', + uiStateJSON: '{}', + description: '', + version: 1, + kibanaSavedObjectMeta: { + searchSourceJSON: + '{"index":"wazuh-alerts","query":{"query":"","language":"lucene"},"filter":[]}' + } + } + }, + { + _id: 'Wazuh-App-Agents-Osquery-events-per-pack-over-time', + _type: 'visualization', + _source: { + title: 'Events per pack over time', + visState: + '{"title":"Events per pack over 
time","type":"line","params":{"type":"line","grid":{"categoryLines":false,"style":{"color":"#eee"}},"categoryAxes":[{"id":"CategoryAxis-1","type":"category","position":"bottom","show":true,"style":{},"scale":{"type":"linear"},"labels":{"show":true,"truncate":100},"title":{}}],"valueAxes":[{"id":"ValueAxis-1","name":"LeftAxis-1","type":"value","position":"left","show":true,"style":{},"scale":{"type":"linear","mode":"normal"},"labels":{"show":true,"rotate":0,"filter":false,"truncate":100},"title":{"text":"Count"}}],"seriesParams":[{"show":"true","type":"line","mode":"normal","data":{"label":"Count","id":"1"},"valueAxis":"ValueAxis-1","drawLinesBetweenPoints":true,"showCircles":true}],"addTooltip":true,"addLegend":true,"legendPosition":"right","times":[],"addTimeMarker":false},"aggs":[{"id":"1","enabled":true,"type":"count","schema":"metric","params":{}},{"id":"2","enabled":true,"type":"terms","schema":"group","params":{"field":"data.osquery.pack","size":5,"order":"desc","orderBy":"1","otherBucket":false,"otherBucketLabel":"Other","missingBucket":false,"missingBucketLabel":"Missing"}},{"id":"3","enabled":true,"type":"date_histogram","schema":"segment","params":{"field":"@timestamp","interval":"auto","customInterval":"2h","min_doc_count":1,"extended_bounds":{}}}]}', + uiStateJSON: '{}', + description: '', + version: 1, + kibanaSavedObjectMeta: { + searchSourceJSON: + '{"index":"wazuh-alerts","query":{"query":"","language":"lucene"},"filter":[]}' + } + } + }, + { + _id: 'Wazuh-App-Agents-Osquery-events-over-time', + _type: 'visualization', + _source: { + title: 'Osquery events over time', + visState: + '{"title":"Osquery events over 
time","type":"area","params":{"type":"area","grid":{"categoryLines":false,"style":{"color":"#eee"}},"categoryAxes":[{"id":"CategoryAxis-1","type":"category","position":"bottom","show":true,"style":{},"scale":{"type":"linear"},"labels":{"show":true,"truncate":100},"title":{}}],"valueAxes":[{"id":"ValueAxis-1","name":"LeftAxis-1","type":"value","position":"left","show":true,"style":{},"scale":{"type":"linear","mode":"normal"},"labels":{"show":true,"rotate":0,"filter":false,"truncate":100},"title":{"text":"Count"}}],"seriesParams":[{"show":"true","type":"area","mode":"stacked","data":{"label":"Count","id":"1"},"drawLinesBetweenPoints":true,"showCircles":true,"interpolate":"linear","valueAxis":"ValueAxis-1"}],"addTooltip":true,"addLegend":true,"legendPosition":"right","times":[],"addTimeMarker":false},"aggs":[{"id":"1","enabled":true,"type":"count","schema":"metric","params":{}},{"id":"2","enabled":true,"type":"date_histogram","schema":"segment","params":{"field":"@timestamp","interval":"auto","customInterval":"2h","min_doc_count":1,"extended_bounds":{}}}]}', + uiStateJSON: '{}', + description: '', + version: 1, + kibanaSavedObjectMeta: { + searchSourceJSON: + '{"index":"wazuh-alerts","query":{"query":"","language":"lucene"},"filter":[]}' + } + } + } +]; diff --git a/server/integration-files/visualizations/agents/index.js b/server/integration-files/visualizations/agents/index.js index 90031d50c3..762ce03b1a 100644 --- a/server/integration-files/visualizations/agents/index.js +++ b/server/integration-files/visualizations/agents/index.js @@ -19,5 +19,6 @@ import gdpr from './agents-gdpr'; import pm from './agents-pm'; import virustotal from './agents-virustotal'; import vuls from './agents-vuls'; +import osquery from './agents-osquery'; -export { audit, fim, general, oscap, ciscat, pci, gdpr, pm, virustotal, vuls }; +export { audit, fim, general, oscap, ciscat, pci, gdpr, pm, virustotal, vuls, osquery }; 
From 887a660a93de7e27f954b7fce3e263f33b02836c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jes=C3=BAs=20=C3=81ngel?= Date: Wed, 3 Oct 2018 15:21:42 +0200 Subject: [PATCH 7/7] Restored manager query filter --- public/services/common-data.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/public/services/common-data.js b/public/services/common-data.js index bf110560e1..128711e013 100644 --- a/public/services/common-data.js +++ b/public/services/common-data.js @@ -104,14 +104,14 @@ export class CommonData { const filters = []; const isCluster = this.appState.getClusterInfo().status == 'enabled'; - /*filters.push( + filters.push( filterHandler.managerQuery( isCluster ? this.appState.getClusterInfo().cluster : this.appState.getClusterInfo().manager, isCluster ) - );*/ + ); if (tab !== 'general') { if (tab === 'pci') {