Command Line Utilities (CLI)
awp-mirror-update
Atomic OSSEC local mirror CLI: /etc/cron.daily/awp-mirror-update. This utility is responsible for maintaining the local agent software mirror on the hub server. By default it runs automatically once a day.
Requires
Internet access to updates.atomicorp.com
Cron (for automatic updates)
Configuration
File: /etc/asl/awp-mirror.conf
DISABLED=no : Enable/Disable mirror updates (default: enabled)
AIX=1 : Enable/Disable AIX agent mirrors (default: enabled)
AMZN=1 : Enable/Disable Amazon agent mirrors (default: enabled)
DEBIAN=1 : Enable/Disable Debian agent mirrors (default: enabled)
EL5=1 : Enable/Disable RHEL/Centos 5 agent mirrors (default: enabled)
EL6=1 : Enable/Disable RHEL/Centos 6 agent mirrors (default: enabled)
EL7=1 : Enable/Disable RHEL/Centos 7 agent mirrors (default: enabled)
EL8=1 : Enable/Disable RHEL/Rocky/Centos 8 agent mirrors (default: enabled)
SUSE=1 : Enable/Disable OpenSuSE agent mirrors (default: enabled)
OSX=1 : Enable/Disable Apple OSX agent mirrors (default: enabled)
SOLARIS=1 : Enable/Disable Solaris agent mirrors (default: enabled)
UBUNTU=1 : Enable/Disable Ubuntu agent mirrors (default: enabled)
WINDOWS=1 : Enable/Disable Windows agent mirrors (default: enabled)
DEBUG=0 : Enable/Disable debug output (default: disabled)
Usage
/etc/cron.daily/awp-mirror-update
agent_cleanup.sh
Bulk remove agents that are in a Disconnected or Never Connected state.
Usage
agent_cleanup.sh d - Remove all agents in a Disconnected state
agent_cleanup.sh nc - Remove all agents in a Never Connected state
agent-expire.sh
Bulk remove agents that have not connected in <X> days.
Usage
agent-expire.sh <days>
agent-expire.sh <days> --force : remove without prompting for confirmation
agent-group-sort.sh
List all agents in a particular group
Usage
agent-group-sort.sh <grouplist> <agent_control output>
--show-agent List agents in CSV
aum
aum -command [parameter] [-command [parameter]]
Commands:
-ck, -list Check for available updates
-u, -upgrade Download updates
-uf Download and apply updates
-f Along with -u or -upgrade, apply updates
-h Display this help menu
-debug # Debug level (0 - 4)
awp
Atomic Protector usage:
General Syntax:
awp -command [parameter] [-command [parameter]]
Commands:
--acl-get Display current access control list settings
--acl-add Add IP(s) to ACL
Example(s):
--acl-add 1.2.3.4[,1.2.3.5,...]
--acl-remove Remove IP(s) from ACL
Example(s):
--acl-remove 1.2.3.4[,1.2.3.5,...]
--active-response-add Adds a new active response section to Ossec Configuration
Example(s):
--active-response-add <identifier>=<entry>[ <identifier>=<entry> ...]
(Identifiers): command, location, timeout, rulesid, repeatedoffenders, disabled, agentid, rulesgroup, level
--aws-credentials Creates aws credentials file for interaction with aws
Example:
--aws-credentials <access_key_id> <access_key_pass>
--aws-state_query Updates the state of your aws inventory. (Must have credentials set up)
Example:
--aws-state-query
--blocklist-remove, -ub Remove IP(s) from the blocklist
Example(s):
--blocklist-remove 1.2.3.4[,1.2.3.5,...]
--blocklist-clear Remove all currently blocked IP(s)
--blocklist-rebuild Rebuild the blocklist from the current day's data.
--denylist-get Display current denylisted IP(s)
-bl --denylist --denylist-add Add IP(s) to the denylist
Example(s):
-bl 1.2.3.4[,1.2.3.5,...]
-bl 1.2.3.4[,1.2.3.5,...] "Comment text"
-bl 1.2.3.4[,1.2.3.5,...] username "Comment text"
--denylist-remove Remove IP(s) from the denylist
Example(s):
--denylist-remove 1.2.3.4[,1.2.3.5,...]
-ck --check --list Display available updates
--clientapi-get Display current clientapi settings
--connections Display current connections to machine
--country-codes-get Display a list of country codes and their respective country
--domain-denylist-get Display currently denylisted domains
--domain-denylist --domain-denylist-add Add a domain to spam denylist
Example(s):
--domain-denylist-add foo.com[,bar.com,...]
--domain-denylist-remove Remove a domain from malware denylist
Example(s):
--domain-denylist-remove foo.com[,bar.com,...]
--debug Display/modify debug level for AWP
Example(s):
--debug (display the current debug level)
--debug <int> (set the debug level)
-f --fix Fix and Repair mode
--false-positive-report Report an alert as a false positive
Example(s):
--false-positive-report
--false-negative-report Report an alert as a false negative
Example(s):
--false-negative-report
--file-integrity-get --fim-get Display current file integrity settings
--file-integrity-detail-get Retrieve package information associated with a file
Example(s):
--file-integrity-detail-get <filename>
--firewall-start Start the AWP firewall
--firewall-stop Stop the AWP firewall
--firewall-restart Restart the AWP firewall
--firewall-get Display current firewall settings
--geo-denylist-get Display currently blocked countries
--geo-denylist-add
--geo-denylist-remove
-h --help Display this help menu
--malware-detection-get Display current malware detection settings
--malware-history-detail-get
--no_color Disable colors in output
--rules-user-get Display current user WAF and HIDS rules
--rule-modify Adjust rule level, log alert, email alert, and active response
Example(s):
--rule-modify 123456[,123457,...] [0-15] (yes|no) (yes|no) (yes|no)
--rule-level Modify rule level
Example(s):
--rule-level 123456[,123457,...] [0-15]
--rule-log Turn rule logging on/off
Example(s):
--rule-log 123456[,123457,...] (yes|no|1|0|on|off)
--rule-email Turn rule email alert on/off
Example(s):
--rule-email 123456[,123457,...] (yes|no|1|0|on|off)
--rule-ar Turn rule active response on/off
Example(s):
--rule-ar 123456[,123457,...] (yes|no|1|0|on|off)
--rule-disable Disable modsec rule(s) by signature ID
Example(s):
--rule-disable 123456[,123457,...]
--rule-disable-vhost Disable modsec rule(s) by vhost(s)
Example(s):
--rule-disable-vhost 123456[,123457] foo.bar.com[,bar.foo.com,...]
NOTE: Each rule id will be disabled on each vhost
--rule-enable Enable modsec rule(s) by signature ID
Example(s):
--rule-enable 123456[,123457,...]
--rule-enable-vhost Enable modsec rule(s) by vhost(s)
Example(s):
--rule-enable-vhost 123456[,123457] foo.bar.com[,bar.foo.com,...]
NOTE: Each rule id will be enabled on each vhost
--rule-reset Remove user rule modifications
-s --scan Run a system scan
Example(s):
-s (run a full system scan in non-fix mode)
-s ossec,clamav (run only the ossec and clamav sections of the scan)
-s -f (run a full system scan in fix mode)
--show-alert Show alert details
Example(s):
--show-alert <path>
--status,-v Display miscellaneous system info (OS, Kernel, etc.)
--system-monitor Display AWP resource usage statistics
--twaf-get Display current TWAF settings
--vuln-db-get Display vulnerability database details (key, threat level, score)
--vuln-get Display current system vulnerabilities
--update -u Update system packages and component rules
Example(s):
-u (download and apply system updates only where outdated)
-u -f (force system updates)
-u --upgrade-channel (download and apply updates from specified upgrade channel)
--upgrade-channel Select channel to apply updates from
--waf-enable-vhost --waf-disable-vhost
--web-user-add Add a user for the AWP web console
Example(s):
--web-user-add <username> <passwd> <email> <group_id>
--web-user-get Display list of current web console users
--web-user-remove Remove a user from the AWP web console
Example(s):
--web-user-remove <username>
--web-user-modify
Example(s):
--web-user-modify <name> <password> (change password for username)
--web-user-modify <name> <password> <email> (change password and email for username)
--web-user-modify <name> <password> <email> <gid> (change password, email, and gid for username)
--accesslist-get Display all currently accesslisted IPs
-wl --accesslist --accesslist-add Add an IP to the accesslist
Example(s):
-wl 1.2.3.4[,1.2.3.5,...]
-wl 1.2.3.4[,1.2.3.5,...] "Comment text"
-wl 1.2.3.4[,1.2.3.5,...] username "Comment text"
--accesslist-remove Remove an IP from the accesslist
Example(s):
--accesslist-remove 1.2.3.4[,1.2.3.5,...]
awp-add-user
All input is prompted for interactively when the program runs.
-h
Display help.
awp_firewall
Accepted usages:
1) awp_firewall -start
2) awp_firewall -restart
3) awp_firewall -stop
4) awp_firewall (-h|-help)
awp_indexgen
Generate index data
awp_indexgen
-f force generation
awp_jsongen
Convert ossec alerts.log data to alerts.json format.
awp-remove-user
Remove Atomic OSSEC web users
awps
Usage of awps:
-op
Operation to perform.
Allowed values:
vuln : internal usage, regenerates vulnerability json files
stats : aggregate and display event statistics
agent_group_list : list available agent groups
rule_group_list : list available rule groups
group_rule_list : list rules in specified -rule-group(s)
-agent-group
An agent group to limit the results to.
Multiple usages of -agent-group=x are allowed.
If no agents or groups are specified, all groups will be included.
-agent
An agent id to include in the results.
Multiple usages of -agent=x are allowed.
If no agents or groups are specified, all will be included.
-rule-group
An ossec rule group to limit the results to.
Multiple usages of -rule-group=x are allowed.
If no rules or groups specified, all groups will be included.
-rule
A rule id to include in the results.
Multiple usages of -rule=x are allowed.
If no rules or groups are specified, all will be included.
-stats-days
Number of days over which to calculate the stats averages.
Default: 1, Max: 180
-j
Render output as json.
Applies only to -op=stats
-h
Display help.
Ex:
./awps -op=stats -agent-group=MyAgents
compliance-control.sh
/var/awp/bin/compliance-control.sh Usage:
Enable/Disable Compliance testing for maintenance:
/var/awp/bin/compliance-control.sh <enable|disable> global - Enable or disable Compliance tests globally
/var/awp/bin/compliance-control.sh <enable|disable> <groupname> - Enable or disable Compliance tests for a group
/var/awp/bin/compliance-control.sh list - List all Compliance tests groups
/var/awp/bin/compliance-control.sh status - Show Compliance tests status
Show Status
/var/awp/bin/compliance-control.sh status
Show groups
/var/awp/bin/compliance-control.sh list
fim-control.sh
/var/awp/bin/fim-control.sh Usage:
Enable/Disable FIM for maintenance:
/var/awp/bin/fim-control.sh <enable|disable> global - Enable or disable FIM globally
/var/awp/bin/fim-control.sh <enable|disable> <groupname> - Enable or disable FIM for a group
/var/awp/bin/fim-control.sh list - List all FIM groups
/var/awp/bin/fim-control.sh status - Show FIM status
Show Status
/var/awp/bin/fim-control.sh status
Show groups
/var/awp/bin/fim-control.sh list
host-query.sh
Simple search for host process, package, or port information.
key_util.sh
Remove IP address pinning from client.keys
malware-scan
Atomicorp Malware Scan CLI
Version: 0.1
Usage: /var/awp/bin/malware-scan -a|-g group|-i id -s <path>|-u|-x
example: /var/awp/bin/malware-scan -a -s /etc
Command line parameters
Target requires one of the following
-a All agents
-g <group> All agents in group <group>
-i <id> Specified Agent ID
Action requires one of the following
-s <path> malware scan <path>
-u update signatures
-x initialize scanner (first time setup)
rpmfix.sh
Simple RPM database repair utility
setup
Atomic OSSEC configuration utility
show_invalid_agents.sh
List Invalid agents