diff --git a/pandora_console/extensions/grafana/query.php b/pandora_console/extensions/grafana/query.php index 3c7a843542..ac54d98161 100644 --- a/pandora_console/extensions/grafana/query.php +++ b/pandora_console/extensions/grafana/query.php @@ -23,6 +23,9 @@ if ($headers['Authorization']) { list($user, $password) = explode(':', base64_decode($headers['Authorization'])); + // Prevent sql injection. + $user = mysqli_real_escape_string($config['dbconnection'], $user); + // Check user login $user_in_db = process_user_login($user, $password, true); diff --git a/pandora_console/extensions/grafana/search.php b/pandora_console/extensions/grafana/search.php index 9193dd290e..82b670398b 100644 --- a/pandora_console/extensions/grafana/search.php +++ b/pandora_console/extensions/grafana/search.php @@ -24,6 +24,9 @@ if ($headers['Authorization']) { list($user, $password) = explode(':', base64_decode($headers['Authorization'])); + // Prevent sql injection. + $user = mysqli_real_escape_string($config['dbconnection'], $user); + // Check user login $user_in_db = process_user_login($user, $password, true); diff --git a/pandora_console/extras/mr/68.sql b/pandora_console/extras/mr/68.sql index db168d5c22..67ce78c9bc 100644 --- a/pandora_console/extras/mr/68.sql +++ b/pandora_console/extras/mr/68.sql 
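Review bot: Escaping `$user` at this call site leaves the injectable lookup itself unchanged, so any other caller of `process_user_login()` that passes request data stays exposed; the durable fix is a bound parameter (or the escape) inside the login query, which is outside this hunk. The identical hunk in `extensions/grafana/search.php` has the same limitation. On the context line above, `explode(':', …)` has no limit, so a password containing `:` is truncated and a header without a colon leaves `$password` unset; `explode(':', base64_decode($headers['Authorization']), 2)` followed by a check that two parts came back covers both. The escaped string is also what is now passed on as the user name, so it is worth confirming that later comparisons inside `process_user_login()` expect the escaped form.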
@@ -56,5 +56,7 @@ ADD COLUMN `id_agent_data` int not null default 0 AFTER `script_type`; ALTER TABLE `tusuario` CHANGE COLUMN `metaconsole_data_section` `metaconsole_data_section` TEXT NOT NULL DEFAULT '' ; ALTER TABLE `tmensajes` ADD COLUMN `icon_notification` VARCHAR(250) NULL DEFAULT NULL AFTER `url`; +UPDATE `tncm_template` SET `vendors` = CONCAT('["', TRIM(BOTH '"' FROM TRIM(BOTH ']' FROM TRIM(BOTH '[' FROM vendors))), '"]'), `models` = CONCAT('["', TRIM(BOTH '"' FROM TRIM(BOTH ']' FROM TRIM(BOTH '[' FROM models))), '"]'); +UPDATE `tncm_agent_data_template` SET `vendors` = CONCAT('["', TRIM(BOTH '"' FROM TRIM(BOTH ']' FROM TRIM(BOTH '[' FROM vendors))), '"]'), `models` = CONCAT('["', TRIM(BOTH '"' FROM TRIM(BOTH ']' FROM TRIM(BOTH '[' FROM models))), '"]'); COMMIT; \ No newline at end of file diff --git a/pandora_console/general/header.php b/pandora_console/general/header.php index 5ad89d8d31..35b994fead 100644 --- a/pandora_console/general/header.php +++ b/pandora_console/general/header.php @@ -1021,11 +1021,14 @@ echo sprintf('
', $menuTypeClass); modal: { title: "", cancel: '', - ok: '' + ok: '', + overlay: true, + overlayExtraClass: 'welcome-overlay', }, onshow: { page: 'include/ajax/welcome_window', method: 'loadWelcomeWindow', + width: 1000, }, oncancel: { page: 'include/ajax/welcome_window', @@ -1043,6 +1046,34 @@ echo sprintf('
', $menuTypeClass); } }) } + }, + onload: () => { + $(document).ready(function () { + var buttonpane = $("div[aria-describedby='welcome_modal_window'] .ui-dialog-buttonpane.ui-widget-content.ui-helper-clearfix"); + $(buttonpane).append(` +
+ + +
+ `); + + var closeWizard = $("button.close-wizard-button"); + + $(closeWizard).click(function (e) { + var close = $("div[aria-describedby='welcome_modal_window'] button.sub.ok.submit-next.ui-button"); + var cancel = $("div[aria-describedby='welcome_modal_window'] button.sub.upd.submit-cancel.ui-button"); + var checkbox = $("div[aria-describedby='welcome_modal_window'] .welcome-wizard-do-not-show:checked").length; + + if (checkbox === 1) { + $(cancel).click(); + } else { + $(close).click() + } + }); + }); } }); }); diff --git a/pandora_console/godmode/agentes/agent_manager.php b/pandora_console/godmode/agentes/agent_manager.php index 80a480dd12..283610e06a 100644 --- a/pandora_console/godmode/agentes/agent_manager.php +++ b/pandora_console/godmode/agentes/agent_manager.php @@ -507,14 +507,16 @@ if (enterprise_installed()) { // Read configuration file. $files = config_agents_get_agent_config_filenames($id_agente); $file_name = $files['conf']; - $agent_config = file_get_contents($file_name); - $encoding = 'UTF-8'; - $agent_config_utf8 = mb_convert_encoding($agent_config, 'UTF-8', $encoding); - if ($agent_config_utf8 !== false) { - $agent_config = $agent_config_utf8; - } + if (empty($file_name) === false) { + $agent_config = file_get_contents($file_name); + $encoding = 'UTF-8'; + $agent_config_utf8 = mb_convert_encoding($agent_config, 'UTF-8', $encoding); + if ($agent_config_utf8 !== false) { + $agent_config = $agent_config_utf8; + } - $broker = str_contains($agent_config, '#broker active'); + $broker = str_contains($agent_config, '#broker active'); + } } if ($broker === false) { diff --git a/pandora_console/godmode/agentes/module_manager.php b/pandora_console/godmode/agentes/module_manager.php index b4cd0e2351..c3772c00d3 100644 --- a/pandora_console/godmode/agentes/module_manager.php +++ b/pandora_console/godmode/agentes/module_manager.php 
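Review bot: With the new `empty($file_name)` guard in `agent_manager.php`, `$broker` is no longer assigned when the agent has no configuration file, yet `if ($broker === false)` directly after the block still reads it; unless it is initialised above the hunk, that is an undefined variable and the comparison evaluates to false. Setting `$broker = false;` before the `enterprise_installed()` block makes the no-file case explicit. `file_get_contents()` can also return `false` for an unreadable file, and that value then flows into `mb_convert_encoding()` and `str_contains()`; an `=== false` check after the read would keep a failed read from being treated as content.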
@@ -575,7 +575,7 @@ $where = sprintf('delete_pending = 0 AND id_agente = %s', $id_agente); $search_string_entities = io_safe_input($search_string); $basic_where = sprintf( - "(REPLACE(nombre, ' ', ' ') LIKE '%%%s%%' OR REPLACE(nombre, ' ', ' ') LIKE '%%%s%%' OR REPLACE(descripcion, ' ', ' ') LIKE '%%%s%%' OR REPLACE(descripcion, ' ', ' ') LIKE '%%%s%%') AND", + "(nombre LIKE '%%%s%%' OR nombre LIKE '%%%s%%' OR descripcion LIKE '%%%s%%' OR descripcion LIKE '%%%s%%') AND", $search_string, $search_string_entities, $search_string, diff --git a/pandora_console/godmode/menu.php b/pandora_console/godmode/menu.php index a77e63b95b..3505e7cf2c 100644 --- a/pandora_console/godmode/menu.php +++ b/pandora_console/godmode/menu.php @@ -518,7 +518,18 @@ if ($access_console_node === true) { } -if ((bool) check_acl($config['id_user'], 0, 'PM') === true || (bool) check_acl($config['id_user'], 0, 'DM') === true) { +if ((bool) check_acl($config['id_user'], 0, 'AW') === true) { + $show_ipam = false; + $ipam = db_get_all_rows_sql('SELECT users_operator FROM tipam_network'); + foreach ($ipam as $row) { + if (str_contains($row['users_operator'], '-1') || str_contains($row['users_operator'], $config['id_user'])) { + $show_ipam = true; + break; + } + } +} + +if ((bool) check_acl($config['id_user'], 0, 'PM') === true || (bool) check_acl($config['id_user'], 0, 'DM') === true || $show_ipam === true) { $menu_godmode['gextensions']['text'] = __('Admin tools'); $menu_godmode['gextensions']['sec2'] = 'godmode/extensions'; $menu_godmode['gextensions']['id'] = 'god-extensions'; @@ -535,8 +546,6 @@ if ((bool) check_acl($config['id_user'], 0, 'PM') === true || (bool) check_acl($ $sub['tools/diagnostics']['text'] = __('Diagnostic info'); $sub['tools/diagnostics']['id'] = 'diagnostic_info'; enterprise_hook('omnishell'); - enterprise_hook('ipam_submenu'); - $sub['godmode/setup/news']['text'] = __('Site news'); $sub['godmode/setup/news']['id'] = 'site_news'; } 
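Review bot: The rewritten `$basic_where` still places `$search_string` into the `LIKE` patterns through `sprintf` with `%s`, and nothing in the hunk shows that value being SQL-escaped. `io_safe_input()` is applied only to the second copy and appears to be an HTML-entity encoder rather than a SQL escaper, so confirm where the raw search term is sanitised (its origin is outside the hunk). If it is not, escape it with the database layer's escaping function before formatting, or bind it as a parameter, and consider escaping `%` and `_` so the input cannot widen the match.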
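Review bot: `$show_ipam` in `godmode/menu.php` is assigned only inside the `AW` branch, but it is read unconditionally in the next `if` and again in the later hunk that guards `enterprise_hook('ipam_submenu')`, so a user without `AW` reaches an undefined variable; put `$show_ipam = false;` before the ACL check. The operator test `str_contains($row['users_operator'], $config['id_user'])` is a substring match, so a user id that is a fragment of another operator's id (constructed example: `ana` inside `diana`) is treated as an operator, and `'-1'` matches any entry that merely contains that text. The column appears to hold a list, so decode or split it and compare whole entries, for example `in_array($config['id_user'], $operators, true)`. `db_get_all_rows_sql()` presumably returns a non-array when the table is empty, so the `foreach` should be guarded with `is_array($ipam)`.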
@@ -558,9 +567,15 @@ if ((bool) check_acl($config['id_user'], 0, 'PM') === true || (bool) check_acl($ } } - $sub['godmode/events/configuration_sounds']['text'] = __('Acoustic console setup'); - $sub['godmode/events/configuration_sounds']['id'] = 'Acoustic console setup'; - $sub['godmode/events/configuration_sounds']['pages'] = ['godmode/events/configuration_sounds']; + if (((bool) check_acl($config['id_user'], 0, 'PM') === true && $access_console_node === true) || $show_ipam === true) { + enterprise_hook('ipam_submenu'); + } + + if ((bool) check_acl($config['id_user'], 0, 'PM') === true || (bool) check_acl($config['id_user'], 0, 'DM') === true) { + $sub['godmode/events/configuration_sounds']['text'] = __('Acoustic console setup'); + $sub['godmode/events/configuration_sounds']['id'] = 'Acoustic console setup'; + $sub['godmode/events/configuration_sounds']['pages'] = ['godmode/events/configuration_sounds']; + } $menu_godmode['gextensions']['sub'] = $sub; } 
@@ -638,16 +653,18 @@ if ($access_console_node === true) { } // Complete the submenu. - $extension_view = []; - $extension_view['godmode/extensions']['id'] = 'extension_manager_view'; - $extension_view['godmode/extensions']['text'] = __('Extension manager view'); - $extension_submenu = array_merge($extension_view, $sub2); + if (users_is_admin($config['id_user']) === true) { + $extension_view = []; + $extension_view['godmode/extensions']['id'] = 'extension_manager_view'; + $extension_view['godmode/extensions']['text'] = __('Extension manager view'); + $extension_submenu = array_merge($extension_view, $sub2); - $sub['godmode/extensions']['sub2'] = $extension_submenu; - $sub['godmode/extensions']['text'] = __('Extension manager'); - $sub['godmode/extensions']['id'] = 'extension_manager'; - $sub['godmode/extensions']['type'] = 'direct'; - $sub['godmode/extensions']['subtype'] = 'nolink'; + $sub['godmode/extensions']['sub2'] = $extension_submenu; + $sub['godmode/extensions']['text'] = __('Extension manager'); + $sub['godmode/extensions']['id'] = 'extension_manager'; + $sub['godmode/extensions']['type'] = 'direct'; + $sub['godmode/extensions']['subtype'] = 'nolink'; + } if (is_array($menu_godmode['gextensions']['sub']) === true) { $submenu = array_merge($menu_godmode['gextensions']['sub'], $sub); diff --git a/pandora_console/godmode/setup/setup_general.php b/pandora_console/godmode/setup/setup_general.php index 46a91e27c6..3366fcc6f8 100644 --- a/pandora_console/godmode/setup/setup_general.php +++ b/pandora_console/godmode/setup/setup_general.php 
@@ -960,60 +960,6 @@ echo ''.__('Mail configuration').''; ); echo ''; - - - /** - * Print the modal window for the summary of each alerts group - * - * @param string $id Id. - * - * @return void - */ - function print_email_test_modal_window($id) - { - // Email config table. - $table_mail_test = new stdClass(); - $table_mail_test->width = '100%'; - $table_mail_test->class = 'filter-table-adv'; - $table_mail_test->data = []; - - $table_mail_test->data[0][] = html_print_label_input_block( - __('Address'), - html_print_input_text( - 'email_test_address', - '', - '', - 35, - 100, - true - ) - ); - - $table_mail_test->data[1][] = '  Email could not be sent'; - - // $table_mail_test->colspan[2][0] = 2; - $submitButton = html_print_div( - [ - 'class' => 'action-buttons-right-forced', - 'content' => html_print_button( - __('Send'), - 'email_test', - false, - '', - [ - 'icon' => 'cog', - 'mode' => 'mini', - ], - true - ), - ], - true - ); - - echo ''; - } - - ?> diff --git a/pandora_console/update_manager_client/lib/UpdateManager/Client.php b/pandora_console/update_manager_client/lib/UpdateManager/Client.php index 0931297fdc..5431c0b58c 100644 --- a/pandora_console/update_manager_client/lib/UpdateManager/Client.php +++ b/pandora_console/update_manager_client/lib/UpdateManager/Client.php @@ -2383,7 +2383,7 @@ class Client // Retrieve package from UMS. $this->notify(0, 'Downloading server update '.$version); - $this->post( + $package = $this->post( [ 'action' => 'get_server_package', 'arguments' => ['version' => $version], @@ -2407,6 +2407,11 @@ class Client return false; } + if (empty($package) === true) { + $this->lastError = 'Error on Package from UMS'; + return false; + } + if ($this->propagateUpdates === true) { $this->saveSignature( $signature, diff --git a/pandora_server/conf/tentacle_server.conf.new b/pandora_server/conf/tentacle_server.conf.new index 1acf082ca2..a7cec8fd2c 100644 --- a/pandora_server/conf/tentacle_server.conf.new 
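Review bot: The new `empty($package)` test in `Client.php` sets `'Error on Package from UMS'`, which carries neither the requested version nor the cause, so a failed or interfered download is hard to triage from the error alone; `$this->lastError = 'Empty server package received from UMS for version '.$version;` would record what was requested. A non-empty body is also the only property of the package checked in these two hunks. Whether the downloaded bytes are verified against `$signature` before they are used happens outside the visible lines and should be confirmed. Both hunks sit inside a method of `class Client` that starts and ends outside the diff.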
+++ b/pandora_server/conf/tentacle_server.conf.new @@ -5,10 +5,10 @@ # Tentacle have IANA assigned port tpc/41121 as official port. ########################################################################## -# [-a] IPv4 address to listen on. Several IPs cam be selected separating if by comma. +# [-a] IPv4 address to listen on. Several IP adresses can be selected separated by commas. addresses 0.0.0.0 -# [-p] Port to listen on +# [-p] Port number to listen on. port 41121 # [-c] Maximum number of simultaneous connections @@ -17,19 +17,19 @@ port 41121 # [-d] Run as daemon. 1 true, 0 false daemon 1 -# [-i] Enable insecure mode -# insecure 0 +# [-I] Enable insecure mode. 1 true, 0 false. +#insecure 0 -# Filters (regexp:dir;regexp:dir...) +# [-i] Filters (regexp:dir;regexp:dir...). filters .*\.conf:conf;.*\.md5:md5;.*\.zip:collections;.*\.lock:trans;.*\.rcmd:commands # [-m] Maximum file size allowed by the server in bytes -#max_size 2000000 +# max_size 2000000 -# [-o] Accept files with a repeated name +# [-o] Accept files with a repeated name. 1 true, 0 false. # overwrite 0 -# [-q] Do not output error messages. +# [-q] No output error messages. 1 true, 0 false. # quiet 0 # [-r] Number of retries for socket read/write operations @@ -38,10 +38,10 @@ filters .*\.conf:conf;.*\.md5:md5;.*\.zip:collections;.*\.lock:trans;.*\.rcmd:co # [-s] Storage directory directory /var/spool/pandora/data_in -# [-b] Address to proxy client requests to +# [-b] IP address proxy client requests to. # proxy_ip 127.0.0.1 -# [-g] Port to proxy client requests to +# [-g] Port number proxy client requests to. # proxy_port 41121 # [-t] Timeout for socket read/write operations in seconds @@ -71,5 +71,5 @@ log_file /dev/null # [-w] SSL password. Set to 1 to ask for password by command line # ssl_password 0 -# [-T] Use libwrap library (Authen::Libwrap perl module) +# [-T] Use libwrap library (Authen::Libwrap perl module). 1 true, 0 false. # use_libwrap 0 \ No newline at end of file 
diff --git a/pandora_server/util/pandora_manage.pl b/pandora_server/util/pandora_manage.pl index 583fee59af..56024e660e 100755 --- a/pandora_server/util/pandora_manage.pl +++ b/pandora_server/util/pandora_manage.pl 
@@ -145,12 +145,12 @@ sub help_screen{ help_screen_line('--agent_update_custom_fields', ' ', "Update an agent custom field. The fields can be \n\t the following: Serial number, Department ... and types can be 0 text and 1 combo "); print "\nMODULES:\n\n" unless $param ne ''; - help_screen_line('--create_data_module', " [ \n\t \n\t \n\t \n\t \n\t ]", 'Add data server module to agent'); - help_screen_line('--create_web_module', " [ \n\t \n\t \n\t \n\t \n\t \n\t ].\n\t The valid data types are web_data, web_proc, web_content_data or web_content_string", 'Add web server module to agent'); - help_screen_line('--create_network_module', " \n\t [ \n\t \n\t \n\t \n\t \n\t ]", 'Add not snmp network module to agent'); + help_screen_line('--create_data_module', " [ \n\t \n\t \n\t \n\t \n\t ]", 'Add data server module to agent'); + help_screen_line('--create_web_module', " [ \n\t \n\t \n\t \n\t \n\t \n\t ].\n\t The valid data types are web_data, web_proc, web_content_data or web_content_string", 'Add web server module to agent'); + help_screen_line('--create_network_module', " \n\t [ \n\t \n\t \n\t \n\t \n\t ]", 'Add not snmp network module to agent'); help_screen_line('--create_snmp_module', " \n\t [ \n\t \n\t \n\t \n\t \n\t ] - \n\t \n\t ]", 'Add snmp network module to agent'); - help_screen_line('--create_plugin_module', " \n\t [ \n\t \n\t \n\t \n\t \n\t \n\t ]", 'Add plug-in module to agent'); + \n\t \n\t ]", 'Add snmp network module to agent'); + help_screen_line('--create_plugin_module', " \n\t [ \n\t \n\t \n\t \n\t \n\t \n\t ]", 'Add plug-in module to agent'); help_screen_line('--get_module_group', '[]', 'Dysplay all module groups'); help_screen_line('--create_module_group', ''); help_screen_line('--module_group_synch', " []", 'Synchronize metaconsole module groups'); 
@@ -1655,21 +1655,21 @@ sub cli_create_data_module($) { $min,$max,$post_process, $interval, $warning_min, $warning_max, $critical_min, $critical_max, $history_data, $definition_file, $configuration_data, $warning_str, $critical_str, $enable_unknown_events, $ff_threshold, $each_ff, $ff_threshold_normal, $ff_threshold_warning, $ff_threshold_critical, $ff_timeout, - $warning_inverse, $critical_inverse, $critical_instructions, $warning_instructions, $unknown_instructions, $use_alias, $ignore_unknown); + $warning_inverse, $critical_inverse, $critical_instructions, $warning_instructions, $unknown_instructions, $use_alias, $ignore_unknown, $warning_time); if ($in_policy == 0) { ($module_name, $module_type, $agent_name, $description, $module_group, $min,$max,$post_process, $interval, $warning_min, $warning_max, $critical_min, $critical_max, $history_data, $definition_file, $warning_str, $critical_str, $enable_unknown_events, $ff_threshold, - $each_ff, $ff_threshold_normal, $ff_threshold_warning, $ff_threshold_critical, $ff_timeout, - $warning_inverse, $critical_inverse, $critical_instructions, $warning_instructions, $unknown_instructions, $use_alias, $ignore_unknown) = @ARGV[2..32]; + $each_ff, $ff_threshold_normal, $ff_threshold_warning, $ff_threshold_critical, $ff_timeout,$warning_inverse, $critical_inverse, + $critical_instructions, $warning_instructions, $unknown_instructions, $use_alias, $ignore_unknown, $warning_time) = @ARGV[2..33]; } else { ($policy_name, $module_name, $module_type, $description, $module_group, $min,$max,$post_process, $interval, $warning_min, $warning_max, $critical_min, $critical_max, $history_data, $configuration_data, $warning_str, $critical_str, $enable_unknown_events, $ff_threshold, $each_ff, $ff_threshold_normal, $ff_threshold_warning, $ff_threshold_critical, $ff_timeout, - $warning_inverse, $critical_inverse, $critical_instructions, $warning_instructions, $unknown_instructions, $ignore_unknown) = @ARGV[2..32]; + $warning_inverse, 
$critical_inverse, $critical_instructions, $warning_instructions, $unknown_instructions, $ignore_unknown, $warning_time) = @ARGV[2..33]; } my $module_name_def; @@ -1887,6 +1887,7 @@ sub cli_create_data_module($) { $parameters{'warning_instructions'} = $warning_instructions unless !defined ($warning_instructions); $parameters{'unknown_instructions'} = $unknown_instructions unless !defined ($unknown_instructions); $parameters{'ignore_unknown'} = $ignore_unknown unless !defined ($ignore_unknown); + $parameters{'warning_time'} = $warning_time unless !defined ($warning_time); if ($in_policy == 0) { if (defined $use_alias and $use_alias eq 'use_alias') { @@ -1918,7 +1919,7 @@ sub cli_create_web_module($) { $critical_max, $history_data, $retries, $requests, $agent_browser_id, $auth_server, $auth_realm, $definition_file, $proxy_url, $proxy_auth_login, $proxy_auth_password, $configuration_data, $warning_str, $critical_str, $enable_unknown_events, $ff_threshold, $each_ff, $ff_threshold_normal, $ff_threshold_warning, $ff_threshold_critical, $ff_timeout, - $warning_inverse, $critical_inverse, $critical_instructions, $warning_instructions, $unknown_instructions, $use_alias, $ignore_unknown); + $warning_inverse, $critical_inverse, $critical_instructions, $warning_instructions, $unknown_instructions, $use_alias, $ignore_unknown, $warning_time); if ($in_policy == 0) { ($module_name, $module_type, $agent_name, $description, $module_group, 
@@ -1926,7 +1927,7 @@ sub cli_create_web_module($) { $critical_max, $history_data, $retries, $requests, $agent_browser_id, $auth_server, $auth_realm, $definition_file, $proxy_url, $proxy_auth_login, $proxy_auth_password, $warning_str, $critical_str, $enable_unknown_events, $ff_threshold, $each_ff, $ff_threshold_normal, $ff_threshold_warning, $ff_threshold_critical, $ff_timeout, - $warning_inverse, $critical_inverse, $critical_instructions, $warning_instructions, $unknown_instructions, $use_alias, $ignore_unknown) = @ARGV[2..40]; + $warning_inverse, $critical_inverse, $critical_instructions, $warning_instructions, $unknown_instructions, $use_alias, $ignore_unknown, $warning_time) = @ARGV[2..41]; } else { ($policy_name, $module_name, $module_type, $description, $module_group, @@ -1934,7 +1935,7 @@ sub cli_create_web_module($) { $critical_max, $history_data, $retries, $requests, $agent_browser_id, $auth_server, $auth_realm, $configuration_data, $proxy_url, $proxy_auth_login, $proxy_auth_password, $warning_str, $critical_str, $enable_unknown_events, $ff_threshold, $each_ff, $ff_threshold_normal, $ff_threshold_warning, $ff_threshold_critical, $ff_timeout, - $warning_inverse, $critical_inverse, $critical_instructions, $warning_instructions, $unknown_instructions, $ignore_unknown) = @ARGV[2..39]; + $warning_inverse, $critical_inverse, $critical_instructions, $warning_instructions, $unknown_instructions, $ignore_unknown, $warning_time) = @ARGV[2..40]; } my $module_name_def; @@ -2163,7 +2164,7 @@ sub cli_create_web_module($) { $parameters{'ip_target'} = $auth_server unless !defined ($auth_server); $parameters{'snmp_community'} = $auth_realm unless !defined ($auth_realm); $parameters{'ignore_unknown'} = $ignore_unknown unless !defined ($ignore_unknown); - + $parameters{'warning_time'} = $warning_time unless !defined ($warning_time); if ($in_policy == 0) { 
@@ -2365,7 +2366,7 @@ sub cli_create_network_module($) { $module_group, $min, $max, $post_process, $interval, $warning_min, $warning_max, $critical_min, $critical_max, $history_data, $ff_threshold, $warning_str, $critical_str, $enable_unknown_events, $each_ff, $ff_threshold_normal, $ff_threshold_warning, $ff_threshold_critical, $timeout, $retries, $critical_instructions, - $warning_instructions, $unknown_instructions, $warning_inverse, $critical_inverse, $use_alias, $ignore_unknown); + $warning_instructions, $unknown_instructions, $warning_inverse, $critical_inverse, $use_alias, $ignore_unknown, $warning_time); if ($in_policy == 0) { ($module_name, $module_type, $agent_name, $module_address, $module_port, $description, @@ -2373,7 +2374,7 @@ sub cli_create_network_module($) { $critical_max, $history_data, $ff_threshold, $warning_str, $critical_str, $enable_unknown_events, $each_ff, $ff_threshold_normal, $ff_threshold_warning, $ff_threshold_critical, $timeout, $retries,$critical_instructions, $warning_instructions, $unknown_instructions, - $warning_inverse, $critical_inverse, $use_alias, $ignore_unknown) = @ARGV[2..34]; + $warning_inverse, $critical_inverse, $use_alias, $ignore_unknown, $warning_time) = @ARGV[2..35]; } else { ($policy_name, $module_name, $module_type, $module_port, $description, @@ -2381,7 +2382,7 @@ sub cli_create_network_module($) { $critical_max, $history_data, $ff_threshold, $warning_str, $critical_str, $enable_unknown_events, $each_ff, $ff_threshold_normal, $ff_threshold_warning, $ff_threshold_critical, $timeout, $retries, $critical_instructions, $warning_instructions, $unknown_instructions, - $warning_inverse, $critical_inverse, $ignore_unknown) = @ARGV[2..34]; + $warning_inverse, $critical_inverse, $ignore_unknown, $warning_time) = @ARGV[2..35]; } my $module_name_def; 
@@ -2518,7 +2519,7 @@ sub cli_create_network_module($) { $parameters{'critical_inverse'} = $critical_inverse unless !defined ($critical_inverse); $parameters{'warning_inverse'} = $warning_inverse unless !defined ($warning_inverse); $parameters{'ignore_unknown'} = $ignore_unknown unless !defined ($ignore_unknown); - + $parameters{'warning_time'} = $warning_time unless !defined ($warning_time); if ($in_policy == 0) { if (defined $use_alias and $use_alias eq 'use_alias') { @@ -2550,7 +2551,7 @@ sub cli_create_snmp_module($) { $warning_max, $critical_min, $critical_max, $history_data, $snmp3_priv_method, $snmp3_priv_pass, $snmp3_sec_level, $snmp3_auth_method, $snmp3_auth_user, $snmp3_auth_pass, $ff_threshold, $warning_str, $critical_str, $enable_unknown_events, $each_ff, $ff_threshold_normal, $ff_threshold_warning, $ff_threshold_critical, $timeout, $retries, - $critical_instructions, $warning_instructions, $unknown_instructions, $warning_inverse, $critical_inverse, $use_alias, $ignore_unknown); + $critical_instructions, $warning_instructions, $unknown_instructions, $warning_inverse, $critical_inverse, $use_alias, $ignore_unknown, $warning_time); if ($in_policy == 0) { ($module_name, $module_type, $agent_name, $module_address, $module_port, $version, $community, 
@@ -2558,7 +2559,7 @@ sub cli_create_snmp_module($) { $warning_max, $critical_min, $critical_max, $history_data, $snmp3_priv_method, $snmp3_priv_pass, $snmp3_sec_level, $snmp3_auth_method, $snmp3_auth_user, $snmp3_auth_pass, $ff_threshold, $warning_str, $critical_str, $enable_unknown_events, $each_ff, $ff_threshold_normal, $ff_threshold_warning, $ff_threshold_critical, $timeout, $retries, - $critical_instructions, $warning_instructions, $unknown_instructions, $warning_inverse, $critical_inverse, $use_alias, $ignore_unknown) = @ARGV[2..43]; + $critical_instructions, $warning_instructions, $unknown_instructions, $warning_inverse, $critical_inverse, $use_alias, $ignore_unknown, $warning_time) = @ARGV[2..44]; } else { ($policy_name, $module_name, $module_type, $module_port, $version, $community, @@ -2566,7 +2567,7 @@ sub cli_create_snmp_module($) { $warning_max, $critical_min, $critical_max, $history_data, $snmp3_priv_method, $snmp3_priv_pass, $snmp3_sec_level, $snmp3_auth_method, $snmp3_auth_user, $snmp3_auth_pass, $ff_threshold, $warning_str, $critical_str, $enable_unknown_events, $each_ff, $ff_threshold_normal, $ff_threshold_warning, $ff_threshold_critical, $timeout, $retries, - $critical_instructions, $warning_instructions, $unknown_instructions, $warning_inverse, $critical_inverse, $ignore_unknown) = @ARGV[2..41]; + $critical_instructions, $warning_instructions, $unknown_instructions, $warning_inverse, $critical_inverse, $ignore_unknown, $warning_time) = @ARGV[2..42]; } my $module_name_def; 
@@ -2708,7 +2709,8 @@ sub cli_create_snmp_module($) { $parameters{'critical_inverse'} = $critical_inverse unless !defined ($critical_inverse); $parameters{'warning_inverse'} = $warning_inverse unless !defined ($warning_inverse); $parameters{'ignore_unknown'} = $ignore_unknown unless !defined ($ignore_unknown); - + $parameters{'warning_time'} = $warning_time unless !defined ($warning_time); + if ($in_policy == 0) { if (defined $use_alias and $use_alias eq 'use_alias') { foreach my $id (@id_agents) { @@ -2736,7 +2738,7 @@ sub cli_create_plugin_module($) { $interval, $warning_min, $warning_max, $critical_min, $critical_max, $history_data, $ff_threshold, $warning_str, $critical_str, $enable_unknown_events, $each_ff, $ff_threshold_normal, $ff_threshold_warning, $ff_threshold_critical, $timeout, - $critical_instructions, $warning_instructions, $unknown_instructions, $warning_inverse, $critical_inverse, $use_alias, $ignore_unknown); + $critical_instructions, $warning_instructions, $unknown_instructions, $warning_inverse, $critical_inverse, $use_alias, $ignore_unknown, $warning_time); if ($in_policy == 0) { ($module_name, $module_type, $agent_name, $module_address, $module_port, $plugin_name, @@ -2744,7 +2746,7 @@ sub cli_create_plugin_module($) { $interval, $warning_min, $warning_max, $critical_min, $critical_max, $history_data, $ff_threshold, $warning_str, $critical_str, $enable_unknown_events, $each_ff, $ff_threshold_normal, $ff_threshold_warning, $ff_threshold_critical, $timeout, - $critical_instructions, $warning_instructions, $unknown_instructions, $warning_inverse, $critical_inverse, $use_alias, $ignore_unknown) = @ARGV[2..37]; + $critical_instructions, $warning_instructions, $unknown_instructions, $warning_inverse, $critical_inverse, $use_alias, $ignore_unknown, $warning_time) = @ARGV[2..38]; } else { ($policy_name, $module_name, $module_type, $module_port, $plugin_name, 
@@ -2752,7 +2754,7 @@ sub cli_create_plugin_module($) { $interval, $warning_min, $warning_max, $critical_min, $critical_max, $history_data, $ff_threshold, $warning_str, $critical_str, $enable_unknown_events, $each_ff, $ff_threshold_normal, $ff_threshold_warning, $ff_threshold_critical, $timeout, - $critical_instructions, $warning_instructions, $unknown_instructions, $warning_inverse, $critical_inverse, $ignore_unknown) = @ARGV[2..35]; + $critical_instructions, $warning_instructions, $unknown_instructions, $warning_inverse, $critical_inverse, $ignore_unknown, $warning_time) = @ARGV[2..36]; } my $module_name_def; @@ -2909,7 +2911,8 @@ sub cli_create_plugin_module($) { $parameters{'critical_inverse'} = $critical_inverse unless !defined ($critical_inverse); $parameters{'warning_inverse'} = $warning_inverse unless !defined ($warning_inverse); $parameters{'ignore_unknown'} = $ignore_unknown unless !defined ($ignore_unknown); - + $parameters{'warning_time'} = $warning_time unless !defined ($warning_time); + if ($in_policy == 0) { if (defined $use_alias and $use_alias eq 'use_alias') { foreach my $id (@id_agents) { @@ -7816,7 +7819,7 @@ sub pandora_manage_main ($$$) { cli_delete_agent(); } elsif ($param eq '--create_data_module') { - param_check($ltotal, 31, 24); + param_check($ltotal, 32, 25); cli_create_data_module(0); } elsif ($param eq '--create_web_module') { @@ -7845,7 +7848,7 @@ sub pandora_manage_main ($$$) { cli_create_snmp_module(0); } elsif ($param eq '--create_plugin_module') { - param_check($ltotal, 37, 20); + param_check($ltotal, 38, 21); cli_create_plugin_module(0); } elsif ($param eq '--delete_module') { @@ -8034,7 +8037,7 @@ sub pandora_manage_main ($$$) { cli_create_policy(); } elsif ($param eq '--create_policy_data_module') { - param_check($ltotal, 30, 21); + param_check($ltotal, 31, 22); cli_create_data_module(1); } elsif ($param eq '--create_policy_web_module') { 
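Review bot: Only the `param_check()` limits for `--create_data_module`, `--create_plugin_module` and their policy variants are raised in `pandora_manage_main`, while the earlier hunks also widen the `@ARGV` slices in `cli_create_web_module`, `cli_create_network_module` and `cli_create_snmp_module`. If the `param_check()` calls for those three commands and their policy forms (outside these hunks) keep their old totals, a call that supplies `warning_time` is presumably rejected for having too many arguments, so the new option cannot be reached there; their limits need the same increase. `$warning_time` is also copied into `%parameters` with only a `defined` test in the visible lines, so a numeric check before it is stored is worth adding.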
@@ -8050,7 +8053,7 @@ sub pandora_manage_main ($$$) { cli_create_snmp_module(1); } elsif ($param eq '--create_policy_plugin_module') { - param_check($ltotal, 35, 19); + param_check($ltotal, 36, 20); cli_create_plugin_module(1); } elsif ($param eq '--create_alert_template') { diff --git a/tentacle/conf/tentacle_server.conf.new b/tentacle/conf/tentacle_server.conf.new index 1acf082ca2..390369995f 100644 --- a/tentacle/conf/tentacle_server.conf.new +++ b/tentacle/conf/tentacle_server.conf.new @@ -72,4 +72,10 @@ log_file /dev/null # ssl_password 0 # [-T] Use libwrap library (Authen::Libwrap perl module) -# use_libwrap 0 \ No newline at end of file +# use_libwrap 0 + +# [-z] Restrict to a specific ssl version +# ssl_version TLSv1_3 + +# [-u] Restrict to a specific ssl cipher +# ssl_cipher AES256-SHA diff --git a/tentacle/tentacle_server b/tentacle/tentacle_server index 6d503e0053..b6d6ae7b08 100755 --- a/tentacle/tentacle_server +++ b/tentacle/tentacle_server @@ -187,6 +187,12 @@ my $t_proxy_ip = undef; # Port to proxy client requests to my $t_proxy_port = 41121; +# Allowed SSL Cipher +my $t_ssl_cipher= ''; + +# Allowed SSL Version +my $t_ssl_version= ''; + # Proxy socket my $t_proxy_socket; @@ -230,7 +236,7 @@ sub print_help { print ("\t-p port\t\tPort to listen on (default $t_port).\n"); print ("\t-q\t\tQuiet. Do now print error messages.\n"); print ("\t-r number\tNumber of retries for network opertions (default $t_retries).\n"); - print ("\t-S (install|uninstall|run) Manage the win32 service.\n"); + print ("\t-S \t\t(install|uninstall|run) Manage the win32 service.\n"); print ("\t-t time\t\tTime-out for network operations in seconds (default ${t_timeout}s).\n"); print ("\t-v\t\tBe verbose (display errors).\n"); print ("\t-V\t\tBe verbose on hard way (display errors and other info).\n"); 
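Review bot: The commented sample `# ssl_cipher AES256-SHA` in `tentacle/conf/tentacle_server.conf.new` names an RSA-key-exchange CBC suite with a SHA-1 MAC and no forward secrecy, and it has no effect on the `TLSv1_3` given as the `ssl_version` sample, because TLS 1.3 suites are not chosen through the classic cipher list. Samples in a shipped template tend to be uncommented verbatim, so a pair such as `# ssl_version TLSv1_2` and `# ssl_cipher ECDHE-RSA-AES256-GCM-SHA384` would be a safer starting point, with a comment saying that both values are handed to IO::Socket::SSL unchanged. The `pandora_server/conf` copy of this file, edited earlier in the diff, does not receive the two new options.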
@@ -239,7 +245,9 @@ sub print_help { print ("\t-b ip_address\tProxy requests to the given address.\n"); print ("\t-g port\t\tProxy requests to the given port.\n"); print ("\t-T\t\tEnable tcpwrappers support.\n"); - print ("\t \t\t(To use this option, 'Authen::Libwrap' should be installed.)\n\n"); + print ("\t \t\t(To use this option, 'Authen::Libwrap' should be installed.)\n"); + print ("\t-z\t\tRestrict to a specific SSL Version.\n"); + print ("\t-u\t\tRestrict to a specific SSL Cipher.\n\n"); } ################################################################################ @@ -287,7 +295,7 @@ sub parse_options { my @t_addresses_tmp; # Get options - if (getopts ('a:b:c:de:f:F:g:hIi:k:l:m:op:qr:s:S:t:TvVwx:', \%opts) == 0 || defined ($opts{'h'})) { + if (getopts ('a:b:c:de:f:F:g:hIi:k:l:m:op:qr:s:S:t:TvVwx:z:u:', \%opts) == 0 || defined ($opts{'h'})) { print_help (); exit 1; } @@ -547,6 +555,18 @@ sub parse_options { } } + # Specific SSL Version + $token_value = get_config_value($opts{'z'}, $CONF->{'ssl_version'}); + if (defined ($token_value)) { + $t_ssl_version = $token_value; + } + + # Specific SSL Cipher + $token_value = get_config_value($opts{'u'}, $CONF->{'ssl_cipher'}); + if (defined ($token_value)) { + $t_ssl_cipher = $token_value; + } + # Win32 service management if (defined ($opts{'S'})) { my $service_action = $opts{'S'}; @@ -788,13 +808,19 @@ sub stop_server { sub start_ssl { my $err; + my %ssl_args = ( + SSL_cert_file => $t_ssl_cert, + SSL_key_file => $t_ssl_key, + SSL_passwd_cb => sub {return $t_ssl_pwd}, + SSL_server => 1, + SSL_cipher_list => $t_ssl_cipher // '', + SSL_version => $t_ssl_version // '', + ); + if ($t_ssl_ca eq '') { IO::Socket::SSL->start_SSL ( $t_client_socket, - SSL_cert_file => $t_ssl_cert, - SSL_key_file => $t_ssl_key, - SSL_passwd_cb => sub {return $t_ssl_pwd}, - SSL_server => 1, + %ssl_args, # Verify peer SSL_verify_mode => 0x01, ); 
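Review bot: `%ssl_args` in `start_ssl` always carries `SSL_cipher_list` and `SSL_version`, and both are `''` when neither `-u`/`-z` nor the config keys are set, so every handshake now passes explicit empty values to `IO::Socket::SSL->start_SSL` where the keys used to be absent. An explicitly supplied value likely replaces the module's built-in protocol and cipher restrictions, so an unconfigured server could end up with a different policy than before this commit; confirm this against the installed IO::Socket::SSL. Adding the keys only when configured avoids the question: `$ssl_args{SSL_version} = $t_ssl_version if $t_ssl_version ne '';` and `$ssl_args{SSL_cipher_list} = $t_ssl_cipher if $t_ssl_cipher ne '';`. The `// ''` is redundant because both variables are initialised to `''`, and the value from `-z` is passed through without being checked against the protocol names the library accepts. `start_ssl` continues into the next hunk.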
@@ -802,11 +828,8 @@ sub start_ssl { else { IO::Socket::SSL->start_SSL ( $t_client_socket, + %ssl_args, SSL_ca_file => $t_ssl_ca, - SSL_cert_file => $t_ssl_cert, - SSL_key_file => $t_ssl_key, - SSL_passwd_cb => sub {return $t_ssl_pwd}, - SSL_server => 1, # Fail verification if no peer certificate exists SSL_verify_mode => 0x03, ); @@ -820,6 +843,7 @@ sub start_ssl { print_log ("SSL started for " . $t_client_socket->sockhost ()); } + ################################################################################ ## SUB accept_connections ## Manage incoming connections.