From 4cf38628fb09658a73ac8899e642a394368dbc3d Mon Sep 17 00:00:00 2001
From: Guillaume Bougard
Date: Thu, 4 Jul 2024 17:43:33 +0200
Subject: [PATCH] feat: Add support for Cortex XDR Antivirus on linux
---
 Changes | 2 +-
 .../Task/Inventory/Linux/AntiVirus/Cortex.pm | 82 +++++++++++++++++++
 .../antivirus/cortex-xdr-8.2.1.120305-info | 5 ++
 .../cortex-xdr-8.2.1.120305-info-query | 5 ++
 .../cortex-xdr-8.2.1.120305-runtime-query | 8 ++
 t/tasks/inventory/linux/antivirus/cortex.t | 38 +++++++++
 6 files changed, 139 insertions(+), 1 deletion(-)
 create mode 100644 lib/GLPI/Agent/Task/Inventory/Linux/AntiVirus/Cortex.pm
 create mode 100644 resources/linux/antivirus/cortex-xdr-8.2.1.120305-info
 create mode 100644 resources/linux/antivirus/cortex-xdr-8.2.1.120305-info-query
 create mode 100644 resources/linux/antivirus/cortex-xdr-8.2.1.120305-runtime-query
 create mode 100644 t/tasks/inventory/linux/antivirus/cortex.t
diff --git a/Changes b/Changes
index e63c1384d..6b6188523 100644
--- a/Changes
+++ b/Changes
@@ -15,7 +15,7 @@ inventory:
 * fix #565: Add support for Cortex XDR Antivirus on windows. This is also an attempt to start antivirus support on Windows Server based on service detection.
-* Add support for Cortex XDR Antivirus on MacOSX
+* Add support for Cortex XDR Antivirus on MacOSX and linux
 * fix #700: Add TacticalRMM Remote_Mgmt module for windows
 netdiscovery/netinventory:
diff --git a/lib/GLPI/Agent/Task/Inventory/Linux/AntiVirus/Cortex.pm b/lib/GLPI/Agent/Task/Inventory/Linux/AntiVirus/Cortex.pm
new file mode 100644
index 000000000..85848b20d
--- /dev/null
+++ b/lib/GLPI/Agent/Task/Inventory/Linux/AntiVirus/Cortex.pm
@@ -0,0 +1,82 @@
+package GLPI::Agent::Task::Inventory::Linux::AntiVirus::Cortex;
+
+use strict;
+use warnings;
+
+use parent 'GLPI::Agent::Task::Inventory::Module';
+
+use GLPI::Agent::Tools;
+
+my $command = '/opt/traps/bin/cytool';
+
+sub isEnabled {
+    return canRun($command);
+}
+
+sub doInventory {
+    my (%params) = @_;
+
+    my $inventory = $params{inventory};
+    my $logger = $params{logger};
+
+    my $antivirus = _getCortex(logger => $logger);
+    if ($antivirus) {
+        $inventory->addEntry(
+            section => 'ANTIVIRUS',
+            entry => $antivirus
+        );
+
+        $logger->debug2("Added $antivirus->{NAME}".($antivirus->{VERSION}? " v$antivirus->{VERSION}":""))
+            if $logger;
+    }
+}
+
+sub _getCortex {
+    my (%params) = @_;
+
+    my $antivirus = {
+        COMPANY => "Palo Alto Networks",
+        NAME => "Cortex XDR",
+        ENABLED => 0,
+    };
+
+    # Support file case for unittests if basefile is provided
+    if (empty($params{basefile})) {
+        $params{command} = "\"$command\" info";
+    } else {
+        $params{file} = $params{basefile}."-info";
+    }
+    my $version = getFirstMatch(
+        pattern => qr/^Cortex XDR .* ([0-9.]+)$/,
+        %params
+    );
+    $antivirus->{VERSION} = $version if $version;
+
+    # Support file case for unittests if basefile is provided
+    if (empty($params{basefile})) {
+        $params{command} = "\"$command\" info query";
+    } else {
+        $params{file} = $params{basefile}."-info-query";
+    }
+    my $base_version = getFirstMatch(
+        pattern => qr/^Content Version:\s+(\S+)$/i,
+        %params
+    );
+    $antivirus->{BASE_VERSION} = $base_version if $base_version;
+
+    # Support file case for unittests if basefile is provided
+    if (empty($params{basefile})) {
+        $params{command} = "\"$command\" runtime query";
+    } else {
+        $params{file} = $params{basefile}."-runtime-query";
+    }
+    my $status = getFirstMatch(
+        pattern => qr/^\s*pmd\s+\S+\s+\S+\s+(\S+)\s/i,
+        %params
+    );
+    $antivirus->{ENABLED} = 1 if $status && $status =~ /^Running$/i;
+
+    return $antivirus;
+}
+
+1;
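Review bot: In `_getCortex` the runtime-query section leaves `ENABLED => 0` whenever `getFirstMatch` returns nothing, so a cytool invocation that produces no parsable output (for instance if the tool needs privileges the agent does not have — not shown here) is reported exactly like a stopped `pmd`, and the inventory cannot tell "protection off" from "status unknown". Since `logger` is already passed through `%params`, the failure should at least be made visible: add `my $logger = $params{logger};` at the top of the sub and `$logger->debug("Cortex XDR: no pmd status found in runtime query output") if $logger && !$status;` right after the `$status` assignment. The `"\"$command\" info"` strings only ever interpolate the fixed absolute path `/opt/traps/bin/cytool`, so no external data reaches the shell there, which is worth stating in a comment above `my $command`. As a style point, the three command/basefile selection blocks are identical apart from the sub-command and suffix and could be folded into one small private helper.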
diff --git a/resources/linux/antivirus/cortex-xdr-8.2.1.120305-info b/resources/linux/antivirus/cortex-xdr-8.2.1.120305-info
new file mode 100644
index 000000000..df09af6c4
--- /dev/null
+++ b/resources/linux/antivirus/cortex-xdr-8.2.1.120305-info
@@ -0,0 +1,5 @@
+Cortex XDR (R) supervisor tool 8.2.1.120305
+(c) Palo Alto Networks, Inc. All rights reserved
+
+General Cortex XDR information
+
diff --git a/resources/linux/antivirus/cortex-xdr-8.2.1.120305-info-query b/resources/linux/antivirus/cortex-xdr-8.2.1.120305-info-query
new file mode 100644
index 000000000..2f9df733f
--- /dev/null
+++ b/resources/linux/antivirus/cortex-xdr-8.2.1.120305-info-query
@@ -0,0 +1,5 @@
+Content Type: 1270
+Content Build: 120305
+Content Version: 1270-120305
+Event Log: 1
+
diff --git a/resources/linux/antivirus/cortex-xdr-8.2.1.120305-runtime-query b/resources/linux/antivirus/cortex-xdr-8.2.1.120305-runtime-query
new file mode 100644
index 000000000..320a9afa3
--- /dev/null
+++ b/resources/linux/antivirus/cortex-xdr-8.2.1.120305-runtime-query
@@ -0,0 +1,8 @@
+ Name PID User Status Command
+ pmd 1092 root Running /opt/traps/bin/pmd
+ clad 1716 cortexu+ Running /opt/traps/analyzerd/clad
+ dypd 1707 root Running /opt/traps/bin/dypdng
+ spmd 1732 cortexu+ Running /opt/traps/analyzerd/spmd
+ lted 1862 cortexu+ Running /opt/traps/python/payload/lted
+ pyxd 1288 root Running /opt/traps/python/payload/pyxd
+
diff --git a/t/tasks/inventory/linux/antivirus/cortex.t b/t/tasks/inventory/linux/antivirus/cortex.t
new file mode 100644
index 000000000..e18b64027
--- /dev/null
+++ b/t/tasks/inventory/linux/antivirus/cortex.t
@@ -0,0 +1,38 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+use lib 't/lib';
+
+use Test::Deep;
+use Test::Exception;
+use Test::More;
+use Test::NoWarnings;
+
+use GLPI::Test::Inventory;
+use GLPI::Agent::Task::Inventory::Linux::AntiVirus::Cortex;
+
+my %av_tests = (
+    'cortex-xdr-8.2.1.120305' => {
+        COMPANY => "Palo Alto Networks",
+        NAME => "Cortex XDR",
+        ENABLED => 1,
+        VERSION => "8.2.1.120305",
+        BASE_VERSION => "1270-120305",
+    },
+);
+
+plan tests =>
+    (2 * scalar keys %av_tests) +
+    1;
+
+my $inventory = GLPI::Test::Inventory->new();
+
+foreach my $test (keys %av_tests) {
+    my $base_file = "resources/linux/antivirus/$test";
+    my $antivirus = GLPI::Agent::Task::Inventory::Linux::AntiVirus::Cortex::_getCortex(basefile => $base_file);
+    cmp_deeply($antivirus, $av_tests{$test}, "$test: parsing");
+    lives_ok {
+        $inventory->addEntry(section => 'ANTIVIRUS', entry => $antivirus);
+    } "$test: registering";
+}
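Review bot: The single entry in `%av_tests` only exercises the healthy case (`ENABLED => 1` with all three cytool outputs present), so the `ENABLED => 0` default and the `if $version` / `if $base_version` guards in `_getCortex` (defined in Cortex.pm, outside this hunk) are never covered — the disabled/degraded detection path is exactly the one a security inventory needs to be sure of. A second fixture set whose runtime-query file shows `pmd` as anything other than `Running` (or omits it) would pin that behaviour, e.g. `'cortex-xdr-stopped' => { COMPANY => "Palo Alto Networks", NAME => "Cortex XDR", ENABLED => 0 },` together with matching `-info` and `-info-query` resource files. The plan already scales with `scalar keys %av_tests`, so nothing else in the test needs to change.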