feat: Add support for Cortex XDR Antivirus on linux

glpi-project · Jul 4, 2024 · 4cf3862 · 4cf3862
1 parent 1d25aa0
commit 4cf3862
Show file tree

Hide file tree

Showing 6 changed files with 139 additions and 1 deletion.
diff --git a/Changes b/Changes
@@ -15,7 +15,7 @@ inventory:
 * fix #565: Add support for Cortex XDR Antivirus on windows.
   This is also an attempt to start antivirus support on Windows Server based on
   service detection.
-* Add support for Cortex XDR Antivirus on MacOSX
+* Add support for Cortex XDR Antivirus on MacOSX and linux
 * fix #700: Add TacticalRMM Remote_Mgmt module for windows
 
 netdiscovery/netinventory:

diff --git a/lib/GLPI/Agent/Task/Inventory/Linux/AntiVirus/Cortex.pm b/lib/GLPI/Agent/Task/Inventory/Linux/AntiVirus/Cortex.pm
@@ -0,0 +1,82 @@
+package GLPI::Agent::Task::Inventory::Linux::AntiVirus::Cortex;
+
+use strict;
+use warnings;
+
+use parent 'GLPI::Agent::Task::Inventory::Module';
+
+use GLPI::Agent::Tools;
+
+my $command = '/opt/traps/bin/cytool';
+
+sub isEnabled {
+    return canRun($command);
+}
+
+sub doInventory {
+    my (%params) = @_;
+
+    my $inventory = $params{inventory};
+    my $logger    = $params{logger};
+
+    my $antivirus = _getCortex(logger => $logger);
+    if ($antivirus) {
+        $inventory->addEntry(
+            section => 'ANTIVIRUS',
+            entry   => $antivirus
+        );
+
+        $logger->debug2("Added $antivirus->{NAME}".($antivirus->{VERSION}? " v$antivirus->{VERSION}":""))
+            if $logger;
+    }
+}
+
+sub _getCortex {
+    my (%params) = @_;
+
+    my $antivirus = {
+        COMPANY     => "Palo Alto Networks",
+        NAME        => "Cortex XDR",
+        ENABLED     => 0,
+    };
+
+    # Support file case for unittests if basefile is provided
+    if (empty($params{basefile})) {
+        $params{command} = "\"$command\" info";
+    } else {
+        $params{file} = $params{basefile}."-info";
+    }
+    my $version = getFirstMatch(
+        pattern => qr/^Cortex XDR .* ([0-9.]+)$/,
+        %params
+    );
+    $antivirus->{VERSION} = $version if $version;
+
+    # Support file case for unittests if basefile is provided
+    if (empty($params{basefile})) {
+        $params{command} = "\"$command\" info query";
+    } else {
+        $params{file} = $params{basefile}."-info-query";
+    }
+    my $base_version = getFirstMatch(
+        pattern => qr/^Content Version:\s+(\S+)$/i,
+        %params
+    );
+    $antivirus->{BASE_VERSION} = $base_version if $base_version;
+
+    # Support file case for unittests if basefile is provided
+    if (empty($params{basefile})) {
+        $params{command} = "\"$command\" runtime query";
+    } else {
+        $params{file} = $params{basefile}."-runtime-query";
+    }
+    my $status = getFirstMatch(
+        pattern => qr/^\s*pmd\s+\S+\s+\S+\s+(\S+)\s/i,
+        %params
+    );
+    $antivirus->{ENABLED} = 1 if $status && $status =~ /^Running$/i;
+
+    return $antivirus;
+}
+
+1;
diff --git a/resources/linux/antivirus/cortex-xdr-8.2.1.120305-info b/resources/linux/antivirus/cortex-xdr-8.2.1.120305-info
@@ -0,0 +1,5 @@
+Cortex XDR (R) supervisor tool 8.2.1.120305
+(c) Palo Alto Networks, Inc. All rights reserved
+
+General Cortex XDR information
+
diff --git a/resources/linux/antivirus/cortex-xdr-8.2.1.120305-info-query b/resources/linux/antivirus/cortex-xdr-8.2.1.120305-info-query
@@ -0,0 +1,5 @@
+Content Type: 1270
+Content Build: 120305
+Content Version: 1270-120305
+Event Log: 1
+
diff --git a/resources/linux/antivirus/cortex-xdr-8.2.1.120305-runtime-query b/resources/linux/antivirus/cortex-xdr-8.2.1.120305-runtime-query
@@ -0,0 +1,8 @@
+              Name       PID           User                Status               Command
+               pmd      1092           root               Running               /opt/traps/bin/pmd
+              clad      1716       cortexu+               Running               /opt/traps/analyzerd/clad
+              dypd      1707           root               Running               /opt/traps/bin/dypdng
+              spmd      1732       cortexu+               Running               /opt/traps/analyzerd/spmd
+              lted      1862       cortexu+               Running               /opt/traps/python/payload/lted
+              pyxd      1288           root               Running               /opt/traps/python/payload/pyxd 
+
diff --git a/t/tasks/inventory/linux/antivirus/cortex.t b/t/tasks/inventory/linux/antivirus/cortex.t
@@ -0,0 +1,38 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+use lib 't/lib';
+
+use Test::Deep;
+use Test::Exception;
+use Test::More;
+use Test::NoWarnings;
+
+use GLPI::Test::Inventory;
+use GLPI::Agent::Task::Inventory::Linux::AntiVirus::Cortex;
+
+my %av_tests = (
+    'cortex-xdr-8.2.1.120305' => {
+        COMPANY         => "Palo Alto Networks",
+        NAME            => "Cortex XDR",
+        ENABLED         => 1,
+        VERSION         => "8.2.1.120305",
+        BASE_VERSION    => "1270-120305",
+    },
+);
+
+plan tests =>
+    (2 * scalar keys %av_tests) +
+    1;
+
+my $inventory = GLPI::Test::Inventory->new();
+
+foreach my $test (keys %av_tests) {
+    my $base_file = "resources/linux/antivirus/$test";
+    my $antivirus = GLPI::Agent::Task::Inventory::Linux::AntiVirus::Cortex::_getCortex(basefile => $base_file);
+    cmp_deeply($antivirus, $av_tests{$test}, "$test: parsing");
+    lives_ok {
+        $inventory->addEntry(section => 'ANTIVIRUS', entry => $antivirus);
+    } "$test: registering";
+}