Command Line Utilities (CLI)

awp-mirror-update

Atomic OSSEC local mirror CLI: /etc/cron.daily/awp-mirror-update. This utility maintains the local agent software mirror on the hub server. By default it runs automatically once a day from cron.

Requires

  • Internet access to updates.atomicorp.com

  • Cron (for automatic updates)

Configuration

File: /etc/asl/awp-mirror.conf

DISABLED=no : Enable/Disable mirror updates (default: enabled)
AIX=1 : Enable/Disable AIX agent mirrors (default: enabled)
AMZN=1 : Enable/Disable Amazon agent mirrors (default: enabled)
DEBIAN=1 : Enable/Disable Debian agent mirrors (default: enabled)
EL5=1 : Enable/Disable RHEL/CentOS 5 agent mirrors (default: enabled)
EL6=1 : Enable/Disable RHEL/CentOS 6 agent mirrors (default: enabled)
EL7=1 : Enable/Disable RHEL/CentOS 7 agent mirrors (default: enabled)
EL8=1 : Enable/Disable RHEL/Rocky/CentOS 8 agent mirrors (default: enabled)
SUSE=1 : Enable/Disable openSUSE agent mirrors (default: enabled)
OSX=1 : Enable/Disable Apple macOS (OS X) agent mirrors (default: enabled)
SOLARIS=1 : Enable/Disable Solaris agent mirrors (default: enabled)
UBUNTU=1 : Enable/Disable Ubuntu agent mirrors (default: enabled)
WINDOWS=1 : Enable/Disable Windows agent mirrors (default: enabled)
DEBUG=0 : Enable/Disable debug output (default: disabled)

Usage

/etc/cron.daily/awp-mirror-update

agent_cleanup.sh

Bulk remove agents that are in a Disconnected or Never Connected state.

Usage

agent_cleanup.sh d - Remove all agents in a Disconnected state

agent_cleanup.sh nc - Remove all agents in a Never Connected state

agent-expire.sh

Bulk remove agents that have not been connected in <X> days.

Usage

agent-expire.sh <days>

agent-expire.sh <days> --force : remove without prompting for confirmation

agent-group-sort.sh

List all agents in a particular group

Usage

agent-group-sort.sh <grouplist> <agent_control output>

--show-agent : List agents in CSV

aum

aum -command [parameter] [-command [parameter]]

Commands:
-ck, -list                  Check for available updates
-u, -upgrade                Download updates
-uf                         Download and apply updates
-f                          Along with -u or -upgrade, apply updates
-h                          Display this help menu
-debug #                    Debug level (0 - 4)

awp

Atomic Protector usage:

  General Syntax:
  awp -command [parameter] [-command [parameter]]

Commands:
--acl-get                                  Display current access control list settings

--acl-add                                  Add IP(s) to ACL
 Example(s):
  --acl-add 1.2.3.4[,1.2.3.5,...]

--acl-remove                               Remove IP(s) from ACL
 Example(s):
  --acl-remove 1.2.3.4[,1.2.3.5,...]

--active-response-add                      Add a new active response section to the OSSEC configuration
 Example(s):
  --active-response-add <identifier>=<entry>[ <identifier>=<entry> ...]
        (Identifiers): command, location, timeout, rulesid, repeatedoffenders, disabled, agentid, rulesgroup, level

--aws-credentials                          Create the AWS credentials file used to query AWS
 Example(s):
  --aws-credentials <access_key_id> <access_key_pass>

--aws-state_query                          Update the state of your AWS inventory (credentials must be set up first)
 Example(s):
  --aws-state-query

--blocklist-remove, -ub                    Remove IP(s) from the blocklist
 Example(s):
  --blocklist-remove 1.2.3.4[,1.2.3.5,...]

--blocklist-clear                          Remove all currently blocked IP(s)

--blocklist-rebuild                        Rebuild the blocklist from the current day's data

--denylist-get                            Display current denylisted IP(s)

-bl --denylist --denylist-add            Add IP(s) to the denylist
 Example(s):
  -bl 1.2.3.4[,1.2.3.5,...]
  -bl 1.2.3.4[,1.2.3.5,...] "Comment text"
  -bl 1.2.3.4[,1.2.3.5,...] username "Comment text"

--denylist-remove                         Remove IP(s) from the denylist
 Example(s):
  --denylist-remove 1.2.3.4[,1.2.3.5,...]

-ck --check --list                         Display available updates

--clientapi-get                            Display current clientapi settings

--connections                              Display current connections to machine

--country-codes-get                        Display a list of country codes and their respective country

--domain-denylist-get                     Display currently denylisted domains

--domain-denylist --domain-denylist-add  Add domain(s) to the spam denylist
 Example(s):
  --domain-denylist-add foo.com[,bar.com,...]

--domain-denylist-remove                  Remove domain(s) from the malware denylist
 Example(s):
  --domain-denylist-remove foo.com[,bar.com,...]

--debug                                    Display/modify debug level for AWP
 Example(s):
  --debug (display the current debug level)
  --debug <int> (set the debug level)

-f   --fix                                 Fix and Repair mode

--false-positive-report                    Report an alert as a false positive
 Example(s):
  --false-positive-report

--false-negative-report                    Report an alert as a false negative
 Example(s):
  --false-negative-report

--file-integrity-get --fim-get             Display current file integrity settings

--file-integrity-detail-get                Retrieve package information associated with a file
 Example(s):
  --file-integrity-detail-get <filename>

--firewall-start                           Start the AWP firewall

--firewall-stop                            Stop the AWP firewall

--firewall-restart                         Restart the AWP firewall

--firewall-get                             Display current firewall settings

--geo-denylist-get                        Display currently blocked countries

--geo-denylist-add

--geo-denylist-remove

-h --help                                  Display this help menu

--malware-detection-get                    Display current malware detection settings

--malware-history-detail-get

--no_color                                 Disable colors in output

--rules-user-get                           Display current user WAF and HIDS rules

--rule-modify                              Adjust rule level, log alert, email alert, and active response
Example(s):
  --rule-modify 123456[,123457,...] [0-15] (yes|no) (yes|no) (yes|no)

--rule-level                               Modify rule level
Example(s):
  --rule-level 123456[,123457,...] [0-15]

--rule-log                                 Turn rule logging on/off
Example(s):
  --rule-log 123456[,123457,...] (yes|no|1|0|on|off)

--rule-email                               Turn rule email alert on/off
Example(s):
  --rule-email 123456[,123457,...] (yes|no|1|0|on|off)

--rule-ar                                  Turn rule active response on/off
Example(s):
  --rule-ar 123456[,123457,...] (yes|no|1|0|on|off)

--rule-disable                             Disable modsec rule(s) by signature ID
 Example(s):
  --rule-disable 123456[,123457,...]

--rule-disable-vhost                       Disable modsec rule(s) by vhost(s)
 Example(s):
  --rule-disable-vhost 123456[,123457] foo.bar.com[,bar.foo.com,...]
  NOTE: Each rule id will be disabled on each vhost

--rule-enable                              Enable modsec rule(s) by signature ID
 Example(s):
  --rule-enable 123456[,123457,...]

--rule-enable-vhost                        Enable modsec rule(s) by vhost(s)
 Example(s):
  --rule-enable-vhost 123456[,123457] foo.bar.com[,bar.foo.com,...]
  NOTE: Each rule id will be enabled on each vhost

--rule-reset                               Remove user rule modifications

-s --scan                                  Run a system scan
 Example(s):
  -s                (run a full system scan in non-fix mode)
  -s ossec,clamav   (run only the ossec and clamav sections of the scan)
  -s -f             (run a full system scan in fix mode)

--show-alert                               Show alert details
 Example(s):
  --show-alert <path>

--status,-v                                Display miscellaneous system info (OS, Kernel, etc.)

--system-monitor                           Display AWP resource usage statistics

--twaf-get                                 Display current TWAF settings

--vuln-db-get                              Display vulnerability database details (key, threat level, score)

--vuln-get                                 Display current system vulnerabilities

--update -u                                Update system packages and component rules
 Example(s):
  -u                    (download and apply system updates only where outdated)
  -u -f                 (force system updates)
  -u --upgrade-channel  (download and apply updates from specified upgrade channel)

--upgrade-channel                          Select channel to apply updates from

--waf-enable-vhost --waf-disable-vhost

--web-user-add                             Add a user for the AWP web console
 Example(s):
  --web-user-add <username> <passwd> <email> <group_id>

--web-user-get                             Display list of current web console users

--web-user-remove                          Remove a user from the AWP web console
 Example(s):
  --web-user-remove <username>

--web-user-modify
 Example(s):
  --web-user-modify <name> <password>               (change password for username)
  --web-user-modify <name> <password> <email>       (change password and email for username)
  --web-user-modify <name> <password> <email> <gid> (change password, email, and gid for username)

--accesslist-get                            Display all currently accesslisted IPs

-wl --accesslist --accesslist-add            Add an IP to the accesslist
 Example(s):
  -wl 1.2.3.4[,1.2.3.5,...]
  -wl 1.2.3.4[,1.2.3.5,...] "Comment text"
  -wl 1.2.3.4[,1.2.3.5,...] username "Comment text"

--accesslist-remove                         Remove an IP from the accesslist
 Example(s):
  --accesslist-remove 1.2.3.4[,1.2.3.5,...]

awp-add-user

All input is prompted for interactively when the program runs.

  -h
        Display help.

awp_firewall

Accepted usages:
1) awp_firewall -start
2) awp_firewall -restart
3) awp_firewall -stop
4) awp_firewall (-h|-help)

awp_indexgen

Generate index data

awp_indexgen

  -f force generation

awp_jsongen

Convert ossec alerts.log data to alerts.json format.

awp-remove-user

Remove Atomic OSSEC web users

awps

Usage of awps:

  -op
        Operation to perform.
        Allowed values:
        vuln             : internal usage, regenerates vulnerability json files
        stats            : aggregate and display event statistics
        agent_group_list : list available agent groups
        rule_group_list  : list available rule groups
        group_rule_list  : list rules in specified -rule-group(s)

  -agent-group
        An agent group to limit the results to.
        Multiple usages of -agent-group=x are allowed.
        If no agents or groups are specified, all groups will be included.

  -agent
        An agent id to include in the results.
        Multiple usages of -agent=x are allowed.
        If no agents or groups are specified, all will be included.

  -rule-group
        An ossec rule group to limit the results to.
        Multiple usages of -rule-group=x are allowed.
        If no rules or groups specified, all groups will be included.

  -rule
        A rule id to include in the results.
        Multiple usages of -rule=x are allowed.
        If no rules or groups are specified, all will be included.

  -stats-days
        Number of days over which to calculate the stats averages.
        Default: 1, Max: 180

  -j
        Render output as json.
        Applies only to -op=stats

  -h
        Display help.


Ex:
  ./awps -op=stats -agent-group=MyAgents

compliance-control.sh

/var/awp/bin/compliance-control.sh Usage:
   Enable/Disable Compliance testing for maintenance:
     /var/awp/bin/compliance-control.sh <enable|disable> global - Enable/disable Compliance tests globally
     /var/awp/bin/compliance-control.sh <enable|disable> <groupname>  - Enable/disable Compliance tests for a group
     /var/awp/bin/compliance-control.sh list - List all Compliance tests groups
     /var/awp/bin/compliance-control.sh status - Show Compliance tests status

   Show Status
   /var/awp/bin/compliance-control.sh status

   Show groups
   /var/awp/bin/compliance-control.sh list

fim-control.sh

/var/awp/bin/fim-control.sh Usage:
   Enable/Disable FIM for maintenance:
     /var/awp/bin/fim-control.sh <enable|disable> global - Enable/disable FIM globally
     /var/awp/bin/fim-control.sh <enable|disable> <groupname>  - Enable/disable FIM for a group
     /var/awp/bin/fim-control.sh list - List all FIM groups
     /var/awp/bin/fim-control.sh status - Show FIM status

   Show Status
   /var/awp/bin/fim-control.sh status

   Show groups
   /var/awp/bin/fim-control.sh list
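Both compliance-control.sh and fim-control.sh are meant to be disabled only for the duration of a maintenance window, and the usual failure is that the enable step never runs because the maintenance command failed or the session was interrupted, leaving a group of agents without integrity monitoring. The POSIX sh wrapper below is an added example, not part of Atomic OSSEC: it takes the control script path and a group name, disables checks for that group, runs the maintenance command, and re-enables on every exit path (normal return, command failure, Ctrl-C, SIGTERM) using trap. The wrapper name, the group-name character check and the refusal of the global scope are this example's own choices; the <enable|disable> <groupname> interface is the one documented above for both scripts.

```shell
#!/bin/sh
# Added example: maintenance-window wrapper around fim-control.sh or
# compliance-control.sh. Not part of Atomic OSSEC. Assumptions: the
# control script path is passed as the first argument (so a mock can be
# substituted in tests), group names are limited to a safe character set,
# and "global" is refused so a forgotten window cannot blind every agent.

# valid_group NAME -> 0 if NAME is a plausible per-group name, 1 otherwise
valid_group() {
    case "$1" in
        "" | global | *[!A-Za-z0-9_.-]* ) return 1 ;;
        * ) return 0 ;;
    esac
}

# with_checks_disabled CONTROL GROUP CMD [ARGS...]
#   CONTROL: /var/awp/bin/fim-control.sh or /var/awp/bin/compliance-control.sh
#   Disables checks for GROUP, runs CMD, and re-enables them whether CMD
#   succeeds, fails, or the shell is interrupted. Returns CMD's exit status.
with_checks_disabled() {
    ctl="$1"; grp="$2"; shift 2
    valid_group "$grp" || { echo "refusing group name: '$grp'" >&2; return 2; }
    "$ctl" disable "$grp" || return $?
    # The EXIT trap re-enables on any exit; INT/TERM are turned into an
    # exit so that the EXIT trap fires for them too.
    trap '"$ctl" enable "$grp"' EXIT
    trap 'exit 130' INT TERM
    "$@"; rc=$?
    trap - EXIT INT TERM
    "$ctl" enable "$grp" || { echo "WARNING: re-enable failed for $grp" >&2; return 1; }
    return "$rc"
}

# Usage (hypothetical agent group "webservers" and maintenance command):
#   with_checks_disabled /var/awp/bin/fim-control.sh webservers \
#       sh -c 'yum -y update && systemctl restart httpd'
#   with_checks_disabled /var/awp/bin/fim-control.sh webservers status_check
```

Verify the window actually closed with /var/awp/bin/fim-control.sh status (or compliance-control.sh status) afterwards; the wrapper warns but cannot fix a failed re-enable.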

host-query.sh

Simple search for host Process, Package, or port information.

key_util.sh

Remove IP address pinning from client.keys

malware-scan

Atomicorp Malware Scan CLI
Version: 0.1
Usage: /var/awp/bin/malware-scan -a|-g group|-i id -s <path>|-u|-x

  example: /var/awp/bin/malware-scan -a -s /etc


Command line parameters

  Target requires one of the following
    -a                  All agents
    -g <group>          All agents in group <group>
    -i <id>             Specified Agent ID

  Action requires one of the following
    -s <path>           malware scan <path>
    -u                  update signatures
    -x                  initialize scanner (first time setup)

rpmfix.sh

Simple RPM database repair utility

setup

Atomic OSSEC configuration utility

show_invalid_agents.sh

List Invalid agents