code42
diff --git a/‎.gitignore‎
Lines changed: 6 additions & 0 deletions b/‎.gitignore‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 181 additions & 0 deletions b/‎README.md‎
Lines changed: 181 additions & 0 deletions
diff --git a/‎aed_config.default.cfg‎
Lines changed: 21 additions & 0 deletions b/‎aed_config.default.cfg‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎c42seceventcli/aed/args.py‎
Lines changed: 139 additions & 0 deletions b/‎c42seceventcli/aed/args.py‎
Lines changed: 139 additions & 0 deletions
diff --git a/‎c42seceventcli/aed/cursor_store.py‎
Lines changed: 36 additions & 0 deletions b/‎c42seceventcli/aed/cursor_store.py‎
Lines changed: 36 additions & 0 deletions
@@ -1,6 +1,12 @@
+# Test config file
+*config.cfg
+
 # IDE files
 .idea/
 
+# Database files
+*.db
+
 # Byte-compiled / optimized / DLL files
 __pycache__/
 *.py[cod]
 
@@ -0,0 +1,181 @@
+# c42seceventcli - AED
+
+The c42seceventcli AED module contains a CLI tool for extracting AED events as well as an optional state manager 
+for recording timestamps. The state manager records timestamps so that on future runs,
+you only extract events you did not previously extract.
+
+## Requirements
+
+- Python 2.7.x or 3.5.0+
+- Code42 Server 6.8.x+
+
+## Installation
+Until we are able to put `py42` and `c42secevents` on PyPI, you will need to first install them manually.
+
+`py42` is available for download [here](https://confluence.corp.code42.com/pages/viewpage.action?pageId=61767969#py42%E2%80%93Code42PythonSDK-Downloads).
+For py42 installation instructions, see its [README](https://stash.corp.code42.com/projects/SH/repos/lib_c42_python_sdk/browse/README.md).
+
+`c42secevents` is available [here](https://confluence.corp.code42.com/display/LS/Security+Event+Extractor+-+Python).
+For `c42secevents` installation instructions, see its [README](https://stash.corp.code42.com/projects/INT/repos/security-event-extractor/browse/README.md).
+
+Once you've done that, install `c42seceventcli` using:
+
+```bash
+$ python setup.py install
+```
+
+## Usage
+
+A simple usage requires you to pass in your Code42 authority URL and username as arguments:
+
+```bash
+c42aed -s https://example.authority.com -u security.admin@example.com
+```
+        
+Another option is to put your Code42 authority URL and username (and other arguments) in a config file. 
+Use `default.config.cfg` as an example to make your own config file; it has all the supported arguments.
+The arguments in `default.config.cfg` mirror the CLI arguments.
+
+```buildoutcfg
+[Code42]
+c42_authority_url=https://example.authority.com
+c42_username=user@code42.com
+```
+
+Then, run the script as follows:
+
+```bash
+c42aed -c path/to/config
+```
+
+To use the state management service, simply provide the `-r` to the command line.
+`-r` is particularly useful if you wish to run this script on a recurring job:
+
+```bash
+c42aed -s https://example.authority.com -u security.admin@example.com -r
+```
+
+If you are using a config file with `-c`, set `record_cursor` to True:
+
+```buildoutcfg
+[Code42]
+c42_authority_url=https://example.authority.com
+c42_username=user@code42.com
+record_cursor=True
+```
+By excluding `-r`, future runs will not know about previous events you got, and 
+you will get all the events in the given time range (or default time range of 60 days back). 
+
+To clear the cursor:
+
+```bash
+c42aed -s https://example.authority.com -u security.admin@example.com -r --clear-cursor
+```
+There are two possible output formats.
+
+* CEF
+* JSON
+
+JSON is the default. To use CEF, use `-o CEF`:
+
+```bash
+c42aed -s https://example.authority.com -u security.admin@example.com -o CEF
+```
+
+Or if you are using a config file with `-c`:
+
+```buildoutcfg
+[Code42]
+c42_authority_url=https://example.authority.com
+c42_username=user@code42.com
+output_format=CEF
+```
+
+There are three possible destination types to use:
+
+* stdout 
+* file - writing to a file
+* server - transmitting to a server, such as syslog
+
+The program defaults to `stdout`. To use a file, use `--dest-type` and `--dest` this way:
+
+```bash
+c42aed -s https://example.authority.com -u security.admin@example.com --dest-type file --dest name-of-file.txt
+```
+
+To use a server destination (like syslog):
+
+```bash
+c42aed -s https://example.authority.com -u security.admin@example.com --dest-type server --dest https://syslog.example.com
+```
+
+Both `destination_type` and `destination` are possible fields in the config file as well.
+
+You can also use CLI arguments with config file arguments, but the program will favor the CLI arguments.
+
+If this is your first time running, you will be prompted for your Code42 password.
+
+If you get a keychain error when running this script, you may have to add a code signature:
+
+```bash
+codesign -f -s - $(which python)
+```
+
+All errors are sent to an error log file named `c42seceventcli_aed_errors.log` 
+located in your user directory under `.c42seceventcli/log`.
+
+Full usage:
+
+```
+usage: c42aed [-h] [--clear-cursor] [--reset-password] [-c CONFIG_FILE]
+              [-s C42_AUTHORITY_URL] [-u C42_USERNAME] [-b BEGIN_DATE] [-i]
+              [-o {CEF,JSON}]
+              [-t [{SharedViaLink,SharedToDomain,ApplicationRead,CloudStorage,RemovableMedia,IsPublic} [{SharedViaLink,SharedToDomain,ApplicationRead,CloudStorage,RemovableMedia,IsPublic} ...]]]
+              [-d--debug] [--dest-type {stdout,file,server}]
+              [--dest DESTINATION] [--dest-port DESTINATION_PORT]
+              [--dest-protocol {TCP,UDP}] [-e END_DATE | -r]
+
+optional arguments:
+  -h, --help            show this help message and exit
+  --clear-cursor        Resets the stored cursor.
+  --reset-password      Clears stored password and prompts user for password.
+  -c CONFIG_FILE, --config-file CONFIG_FILE
+                        The path to the config file to use for the rest of the
+                        arguments.
+  -s C42_AUTHORITY_URL, --server C42_AUTHORITY_URL
+                        The full scheme, url and port of the Code42 server.
+  -u C42_USERNAME, --username C42_USERNAME
+                        The username of the Code42 API user.
+  -b BEGIN_DATE, --begin BEGIN_DATE
+                        The beginning of the date range in which to look for
+                        events, in YYYY-MM-DD UTC format OR a number (number
+                        of minutes ago).
+  -i, --ignore-ssl-errors
+                        Do not validate the SSL certificates of Code42
+                        servers.
+  -o {CEF,JSON}, --output-format {CEF,JSON}
+                        The format used for outputting events.
+  -t [{SharedViaLink,SharedToDomain,ApplicationRead,CloudStorage,RemovableMedia,IsPublic} [{SharedViaLink,SharedToDomain,ApplicationRead,CloudStorage,RemovableMedia,IsPublic} ...]], --types [{SharedViaLink,SharedToDomain,ApplicationRead,CloudStorage,RemovableMedia,IsPublic} [{SharedViaLink,SharedToDomain,ApplicationRead,CloudStorage,RemovableMedia,IsPublic} ...]]
+                        To limit extracted events to those with given exposure
+                        types.
+  -d--debug             Turn on debug logging.
+  --dest-type {stdout,file,server}
+                        The type of destination to send output to.
+  --dest DESTINATION    Either a name of a local file or syslog host address.
+                        Ignored if destination type is 'stdout'.
+  --dest-port DESTINATION_PORT
+                        Port used when sending logs to server. Ignored if
+                        destination type is not 'server'.
+  --dest-protocol {TCP,UDP}
+                        Protocol used to send logs to server. Ignored if
+                        destination type is not 'server'.
+  -e END_DATE, --end END_DATE
+                        The end of the date range in which to look for events,
+                        in YYYY-MM-DD UTC format OR a number (number of
+                        minutes ago).
+  -r, --record-cursor   Only get events that were not previously retrieved.
+```
+
+# Known Issues
+
+Only the first 10,000 of each set of events containing the exact same insertion timestamp is reported.
@@ -0,0 +1,21 @@
+; OPTIONAL CONFIG FILE
+; Use this file as an example for which arguments the program accepts.
+; Make a copy of this file, edit it, and use with the `-c` flag:
+;       c42aed -c path/to/config
+; Some args may not apply, and you can remove what you do not need.
+; You can use this file together with CLI args if you want.
+
+[Code42]
+c42_authority_url=https://example.authority.com
+c42_username=user@code42.com
+begin_date=2019-01-01
+end_date=2019-02-02
+ignore_ssl_errors=False
+output_format=JSON
+record_cursor=False
+exposure_types=SharedViaLink, SharedToDomain, ApplicationRead, CloudStorage, RemovableMedia, IsPublic
+debug_mode=False
+destination_type=syslog
+destination=https://log.example.com
+destination_port=514
+destination_protocol=TCP
@@ -0,0 +1,139 @@
+from datetime import datetime, timedelta
+from argparse import ArgumentParser
+
+from c42seceventcli.common.cli_args import (
+    add_clear_cursor_arg,
+    add_reset_password_arg,
+    add_config_file_path_arg,
+    add_authority_host_address_arg,
+    add_username_arg,
+    add_begin_date_arg,
+    add_end_date_arg,
+    add_ignore_ssl_errors_arg,
+    add_output_format_arg,
+    add_record_cursor_arg,
+    add_exposure_types_arg,
+    add_debug_arg,
+    add_destination_type_arg,
+    add_destination_arg,
+    add_destination_port_arg,
+    add_destination_protocol_arg,
+)
+import c42seceventcli.common.util as common
+
+
+def get_args():
+    parser = _get_arg_parser()
+    cli_args = vars(parser.parse_args())
+    args = _union_cli_args_with_config_file_args(cli_args)
+    args.cli_parser = parser
+    args.verify_authority_arg()
+    args.verify_username_arg()
+    args.verify_destination_args()
+    return args
+
+
+def _get_arg_parser():
+    parser = ArgumentParser()
+
+    add_clear_cursor_arg(parser)
+    add_reset_password_arg(parser)
+    add_config_file_path_arg(parser)
+    add_authority_host_address_arg(parser)
+    add_username_arg(parser)
+    add_begin_date_arg(parser)
+    add_ignore_ssl_errors_arg(parser)
+    add_output_format_arg(parser)
+    add_exposure_types_arg(parser)
+    add_debug_arg(parser)
+    add_destination_type_arg(parser)
+    add_destination_arg(parser)
+    add_destination_port_arg(parser)
+    add_destination_protocol_arg(parser)
+
+    # Makes sure that you can't give both an end_timestamp and record_cursor
+    mutually_exclusive_timestamp_group = parser.add_mutually_exclusive_group()
+    add_end_date_arg(mutually_exclusive_timestamp_group)
+    add_record_cursor_arg(mutually_exclusive_timestamp_group)
+
+    return parser
+
+
+def _union_cli_args_with_config_file_args(cli_args):
+    config_args = _get_config_args(cli_args.get("config_file"))
+    args = AEDArgs()
+    keys = cli_args.keys()
+    for key in keys:
+        args.try_set(key, cli_args.get(key), config_args.get(key))
+
+    return args
+
+
+def _get_config_args(config_file_path):
+    try:
+        return common.get_config_args(config_file_path)
+    except IOError:
+        print("Path to config file {0} not found".format(config_file_path))
+        exit(1)
+
+
+class AEDArgs(common.SecArgs):
+    cli_parser = None
+    c42_authority_url = None
+    c42_username = None
+    begin_date = None
+    end_date = None
+    ignore_ssl_errors = False
+    output_format = "JSON"
+    record_cursor = False
+    exposure_types = None
+    debug_mode = False
+    destination_type = "stdout"
+    destination = None
+    destination_port = 514
+    destination_protocol = "TCP"
+    reset_password = False
+    clear_cursor = False
+
+    def __init__(self):
+        self.begin_date = AEDArgs._get_default_begin_date()
+        self.end_date = AEDArgs._get_default_end_date()
+
+    @staticmethod
+    def _get_default_begin_date():
+        default_begin_date = datetime.now() - timedelta(days=60)
+        return default_begin_date.strftime("%Y-%m-%d")
+
+    @staticmethod
+    def _get_default_end_date():
+        default_end_date = datetime.now()
+        return default_end_date.strftime("%Y-%m-%d")
+
+    def verify_authority_arg(self):
+        if self.c42_authority_url is None:
+            self._raise_value_error("Code42 authority host address not provided.")
+
+    def verify_username_arg(self):
+        if self.c42_username is None:
+            self._raise_value_error("Code42 username not provided.")
+
+    def verify_destination_args(self):
+        if self.destination_type == "stdout" and self.destination is not None:
+            msg = (
+                "Destination '{0}' not applicable for stdout. "
+                "Try removing '--dest' arg or change '--dest-type' to 'file' or 'server'."
+            )
+            msg = msg.format(self.destination)
+            self._raise_value_error(msg)
+
+        if self.destination_type == "file" and self.destination is None:
+            msg = "Missing file name. Try: '--dest path/to/file'."
+            self._raise_value_error(msg)
+
+        if self.destination_type == "server" and self.destination is None:
+            msg = "Missing server URL. Try: '--dest https://syslog.example.com'."
+            self._raise_value_error(msg)
+
+    def _raise_value_error(self, msg):
+        self.cli_parser.print_usage()
+        raise ValueError(msg)
@@ -0,0 +1,36 @@
+from c42seceventcli.common.cursor_store import SecurityEventCursorStore
+
+_INSERTION_TIMESTAMP_FIELD_NAME = u"insertionTimestamp"
+
+
+class AEDCursorStore(SecurityEventCursorStore):
+    _PRIMARY_KEY = 1
+
+    def __init__(self, db_file_path=None):
+        super(AEDCursorStore, self).__init__("aed_checkpoint", db_file_path)
+        if self._is_empty():
+            self._init_table()
+
+    def get_stored_insertion_timestamp(self):
+        rows = self._get(_INSERTION_TIMESTAMP_FIELD_NAME, self._PRIMARY_KEY)
+        if rows and rows[0]:
+            return rows[0][0]
+
+    def replace_stored_insertion_timestamp(self, new_insertion_timestamp):
+        self._set(
+            column_name=_INSERTION_TIMESTAMP_FIELD_NAME,
+            new_value=new_insertion_timestamp,
+            primary_key=self._PRIMARY_KEY,
+        )
+
+    def reset(self):
+        self._drop_table()
+        self._init_table()
+
+    def _init_table(self):
+        columns = "{0}, {1}".format(self._PRIMARY_KEY_COLUMN_NAME, _INSERTION_TIMESTAMP_FIELD_NAME)
+        create_table_query = "CREATE TABLE {0} ({1})".format(self._table_name, columns)
+        insert_query = "INSERT INTO {0} VALUES(?, null)".format(self._table_name)
+        with self._connection as conn:
+            conn.execute(create_table_query)
+            conn.execute(insert_query, (self._PRIMARY_KEY,))