Wazuh Ruby Client

License: MIT Yard Docs

A Ruby client for the wazuh APIs.

Installation

Add this line to your application's Gemfile:

gem 'wazuh-ruby-client'

Usage

Wazuh.configure do |config|
  config.endpoint = "https://wazuh.local:55000"
  config.basic_user = "foo"
  config.basic_password = "bar"
  config.verify_ssl = false
  # if you are using the Wazuh version 4
  # config.api_version = 4
end

client = Wazuh::Client.new
client.all_agents
# => {"error"=>0, "data"=>{"items"=>[{"os"=>{"arch"=>"x86_64", "codename"=>"Xenial Xerus", "major"=>"16", "minor"=>"04", "name"=>"Ubuntu", "platform"=>"ubuntu", "uname"=>"Linux |wazuh-manager-master-0 |4.14.138+ |#1 SMP Tue Sep 3 02:58:08 PDT 2019 |x86_64", "version"=>"16.04.6 LTS"}, "status"=>"Active", "name"=>"wazuh-manager-master-0", "registerIP"=>"127.0.0.1", "manager"=>"wazuh-manager-master-0", "dateAdd"=>"2020-01-07 16:13:05", "ip"=>"127.0.0.1", "node_name"=>"wazuh-manager-master", "version"=>"Wazuh v3.11.1", "lastKeepAlive"=>"9999-12-31 23:59:59", "id"=>"000"}], "totalItems"=>1}}

Authorization

Set basic_user and basic_password for basic authentication.
If you using self-signed certificate, verify_ssl must be set to false .

Wazuh.configure do |config|
  config.endpoint = "https://wazuh.local:55000"
  config.basic_user = "foo"
  config.basic_password = "bar"
  config.verify_ssl = false
end

If you are using client certificate authentication, set client_key and client_cert .

require 'openssl'

Wazuh.configure do |config|
  config.endpoint = "https://wazuh.local:55000"
  config.client_key = OpenSSL::PKey::RSA.new(File.read("./wazuh.key"))
  config.client_cert = OpenSSL::X509::Certificate.new(File.read("./wazuh.crt"))
end

Global Settings

The following global settings are supported via Wazuh.configure .

setting description
user_agent User-Agent
ca_file CA file (if use Client Certificate Authentication and specify CA file)
client_cert Client certificate (if use Client Certificate Authentication)
client_key Client Key (if use Client Certificate Authentication)
basic_user Basic Authentication user name
basic_password Basic Authentication password
verify_ssl Skip the SSL/TLS verify
logger loggeer object
endpoint Wazuh API endpoint URL
ignore_env_proxy Ignores ENV proxy settings
api_version Wazuh API Version (3 or 4)

Agents

Get all agents list.

> client.all_agents
=> [
      {
        :os=>{
          :arch=>"x86_64",
          :codename=>"Xenial Xerus",
          :major=>"16",
          :minor=>"04",
          :name=>"Ubuntu",
          :platform=>"ubuntu",
          :uname=>"Linux |wazuh-manager |4.15.0-60-generic |#67-Ubuntu SMP Thu Aug 22 16:55:30 UTC 2019 |x86_64",
          :version=>"16.04.6 LTS"
        },
        :manager=>"wazuh-manager",
        :id=>"000",
        :registerIP=>"127.0.0.1",
        :name=>"wazuh-manager",
        :version=>"Wazuh v3.11.0",
        :ip=>"127.0.0.1",
        :dateAdd=>"2020-01-27 17:02:18",
        :status=>"Active",
        :lastKeepAlive=>"9999-12-31 23:59:59",
        :node_name=>"wazuh-master-1"
      },
      ...
  ]

> agents.first.os.name
=> "Ubuntu"

> agents.first.id
=> "000"

filter by options. (see https://mrtc0.github.io/wazuh-ruby-client/Wazuh/Api/Endpoints/Agents.html#all_agents-instance_method )

# Filter by status is active
> client.all_agents({ status: 'active' })
# Filter by agent os.name is ubuntu
> client.all_agents({ 'os.name' => 'ubuntu' })

Syscollector

List agent's packages.

> client.packages('000').map { |package| package.name }
=> ["python-apt-common",
 "python-idna",
 "libedit2",
 "libncurses5",
 "libpam-runtime",
 "python3.5",
 "libgsasl7",
 "vim-tiny",
 ...

List agents' processes.

> client.packages('000').map { |package| package.name }
=> ["entrypoint.sh",
 "my_init",
 "syslog-ng",
 "runsvdir",
 "runsv",
 ...

Vulnerability

> client.vulnerabilities('000')
=> [{:architecture=>"amd64", :cve=>"CVE-2016-4802", :name=>"curl", :version=>"7.47.0-1ubuntu2.14"}, {:architecture=>"amd64", :cve=>"CVE-2016-8620", :name=>"curl", :version=>"7.47.0-1ubun...

Other

wazuh-ruby-client is supports some of the Wazuh API.
The v4 API is not yet supported.

  • [x] Active Response
  • [x] Agents
  • [x] Cache
  • [x] Ciscat
  • [x] Cluster
  • [x] Decoders
  • [x] Experimental
  • [ ] Groups
  • [x] Lists
  • [ ] Logtest
  • [ ] Mitre
  • [x] Manager
  • [x] Rootcheck
  • [x] Rules
  • [ ] Security
  • [x] Security Configuration Assessment
  • [x] Summary
  • [x] Syscheck
  • [x] Syscollector
  • [ ] Tasks
  • [x] Vulnerability

Refer to the document of wazuh-ruby-client and Wazuh API Reference for the list of all available methods.

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/mrtc0/wazuh-ruby-client.

Copyright (c) 2015-2019, Kohei Morita

This project is licensed under the MIT License .