From baf297f4a45531fae65e11cf68ea75b2ffb85ca2 Mon Sep 17 00:00:00 2001
From: Robin Sommer
Date: Mon, 15 Jan 2024 10:30:35 +0100
Subject: [PATCH] Reformat Zeek scripts with `zeek-script`.
---
 auxil/format-zeek-script | 13 +++++++++----
 scripts/framework/main.zeek | 31 +++++++++++++++----------------
 scripts/table/files.zeek | 12 ++++++------
 scripts/table/processes.zeek | 12 ++++++------
 scripts/table/sockets.zeek | 12 ++++++------
 scripts/table/ssh.zeek | 34 +++++++++++++++++-----------------
 scripts/table/system-logs.zeek | 12 ++++++------
 scripts/table/users.zeek | 12 ++++++------
 tests/zeek-agent/hello.zeek | 12 ++++++------
 9 files changed, 77 insertions(+), 73 deletions(-)
diff --git a/auxil/format-zeek-script b/auxil/format-zeek-script
index 40be9c2..e645b2d 100755
--- a/auxil/format-zeek-script
+++ b/auxil/format-zeek-script
@@ -1,7 +1,12 @@
-#! /bin/sh
+#! /usr/bin/env bash
 
-type -P zeek-script >/dev/null 2>&1 || exit 0
+type zeek-script >/dev/null 2>&1 || exit 0
 
-for i in $@; do
- zeek-script format ${i} >${i}.tmp && mv -f ${i}.tmp ${i}
+rc=0
+
+for i in "$@"; do
+ zeek-script format -ir "${i}" 2>&1 | grep -v '0 errors'
+ test "${PIPESTATUS[0]}" -ne 0 && rc=1
 done
+
+exit ${rc}
diff --git a/scripts/framework/main.zeek b/scripts/framework/main.zeek
index ee575c5..058a0ff 100644
--- a/scripts/framework/main.zeek
+++ b/scripts/framework/main.zeek
@@ -86,10 +86,10 @@ export {
 ## Expiration interval for an agent's state after not hearing from it
 ## anymore. (Note that this should be longer than the agent's hello interval.)
- option agent_timeout = 10 mins;
+ option agent_timeout = 10mins;
 ## Interval to broadcast ``hello`` events to all connected agents.
- option hello_interval = 60 secs;
+ option hello_interval = 60secs;
 @if ( Version::number < 50000 )
 ## If non-zero and we are on Zeek < 5.0, listen on this port for
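Review bot: The `grep -v '0 errors'` filter on the new `zeek-script format -ir` line matches a substring, so any summary line whose count ends in 0 (`10 errors`, `20 errors`) would be hidden from the output as well, assuming the tool reports counts in that form; `grep -Ev '(^|[^0-9])0 errors'` would keep only the genuinely clean summary out. The exit status is not affected, since `rc` is derived from `PIPESTATUS[0]` immediately after the pipeline, which is correct and must stay adjacent to it. The rewritten `type zeek-script ... || exit 0` guard still turns a missing formatter into a silent success, so a CI run without `zeek-script` installed would report the scripts as formatted; if that is not intended, exiting non-zero there would surface it.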
@@ -155,7 +155,7 @@ function log_update(agent_id: string, type_: string)
 # Callers guarantee that the ID is in the table.
 local agent = agents[agent_id];
- local log: Info = [$ts=network_time(), $type_=type_, $hid=agent_id];
+ local log: Info = [ $ts=network_time(), $type_=type_, $hid=agent_id ];
 local hello = agent$hello;
@@ -183,7 +183,7 @@ function log_update(agent_id: string, type_: string)
 function agent_expired(t: table[string] of Agent, agent_id: string): interval
 {
 log_update(agent_id, "offline");
- return 0 secs;
+ return 0secs;
 }
 function make_topic(qstate: QueryState, agent_id: string): string
@@ -225,8 +225,8 @@ function send_query_to_all_agents(query_id: string)
 function send_hello_to_agent(agent_id: string)
 {
- local hello: ZeekAgentAPI::ZeekHelloV1 = [$version_string=zeek_version(),
- $version_number=Version::number, $package_version=package_version];
+ local hello: ZeekAgentAPI::ZeekHelloV1 = [ $version_string=zeek_version(),
+ $version_number=Version::number, $package_version=package_version ];
 local ev = Broker::make_event(ZeekAgentAPI::zeek_hello_v1, zeek_instance, hello);
 Broker::publish(fmt("/zeek-agent/query/host/%s", agent_id), ev);
@@ -234,8 +234,8 @@ function send_hello_to_agent(agent_id: string)
 function send_hello_to_all_agents()
 {
- local hello: ZeekAgentAPI::ZeekHelloV1 = [$version_string=zeek_version(),
- $version_number=Version::number, $package_version=package_version];
+ local hello: ZeekAgentAPI::ZeekHelloV1 = [ $version_string=zeek_version(),
+ $version_number=Version::number, $package_version=package_version ];
 local ev = Broker::make_event(ZeekAgentAPI::zeek_hello_v1, zeek_instance, hello);
 Broker::publish("/zeek-agent/query/group/all", ev);
@@ -265,8 +265,8 @@ function cancel(query_id: string)
 function query(query: Query, scope: Scope, target: string): string
 {
 local query_id = unique_id("za_");
- queries[query_id] = [$query_id=query_id, $scope=scope, $target=target,
- $query=query];
+ queries[query_id] = [ $query_id=query_id, $scope=scope, $target=target,
+ $query=query ];
 send_query_to_all_agents(query_id);
 return query_id;
@@ -347,14 +347,13 @@ event send_zeek_hello()
 event zeek_init() &priority=100
 {
 zeek_instance = unique_id("zeek_");
- Log::create_stream(LOG, [$columns=Info, $path="zeek-agent",
- $policy=log_policy]);
+ Log::create_stream(LOG, [ $columns=Info, $path="zeek-agent", $policy=log_policy ]);
 if ( file_size(package_version_file) > 0 )
- Input::add_event([$source=package_version_file, $reader=Input::READER_RAW,
+ Input::add_event([ $source=package_version_file, $reader=Input::READER_RAW,
 $mode=Input::MANUAL, $name="package_version", $fields=PackageVersionLine, $ev=package_version_line,
- $want_record=F]);
+ $want_record=F ]);
 }
 event zeek_init() &priority=-10
@@ -415,8 +414,8 @@ event ZeekAgentAPI::agent_hello_v1(ctx: ZeekAgent::Context,
 }
 else
 {
- agents[agent_id] = [$last_seen=network_time(), $hello_id=ctx$query_id,
- $hello=columns];
+ agents[agent_id] = [ $last_seen=network_time(), $hello_id=ctx$query_id,
+ $hello=columns ];
 log_update(agent_id, "join");
 send_hello_to_agent(agent_id);
 send_all_queries_to_agent(agent_id);
diff --git a/scripts/table/files.zeek b/scripts/table/files.zeek
index a07e0ee..3b31c91 100644
--- a/scripts/table/files.zeek
+++ b/scripts/table/files.zeek
@@ -5,7 +5,7 @@ export {
 const paths_to_watch = set("/etc/*", "/etc/*/*") &redef;
 ## Query frequency.
- option query_interval = 30 secs;
+ option query_interval = 30secs;
 ## Subscription type
 option subscription = ZeekAgent::Differences;
@@ -53,15 +53,15 @@ event zeek_init()
 return;
 local field_name_map = ZeekAgent::log_column_map(Columns, "columns.");
- Log::create_stream(LOG, [$columns=Info, $policy=log_policy]);
+ Log::create_stream(LOG, [ $columns=Info, $policy=log_policy ]);
 Log::remove_default_filter(LOG);
- Log::add_filter(LOG, [$name="default", $path="zeek-agent-files",
- $field_name_map=field_name_map]);
+ Log::add_filter(LOG, [ $name="default", $path="zeek-agent-files",
+ $field_name_map=field_name_map ]);
 for ( p in paths_to_watch )
 {
 local stmt = fmt("SELECT * FROM files_list(\"%s\")", p);
- ZeekAgent::query([$sql_stmt=stmt, $event_=query_result,
- $schedule_=query_interval, $subscription=subscription]);
+ ZeekAgent::query([ $sql_stmt=stmt, $event_=query_result,
+ $schedule_=query_interval, $subscription=subscription ]);
 }
 }
diff --git a/scripts/table/processes.zeek b/scripts/table/processes.zeek
index 8c37052..13cb890 100644
--- a/scripts/table/processes.zeek
+++ b/scripts/table/processes.zeek
@@ -2,7 +2,7 @@ module ZeekAgent_Processes;
 export {
 ## Query frequency.
- option query_interval = 30 secs;
+ option query_interval = 30secs;
 ## Subscription type
 option subscription = ZeekAgent::Differences;
@@ -47,12 +47,12 @@ event ZeekAgent_Processes::query_result(ctx: ZeekAgent::Context,
 event zeek_init()
 {
 local field_name_map = ZeekAgent::log_column_map(Columns, "columns.");
- Log::create_stream(LOG, [$columns=Info, $policy=log_policy]);
+ Log::create_stream(LOG, [ $columns=Info, $policy=log_policy ]);
 Log::remove_default_filter(LOG);
- Log::add_filter(LOG, [$name="default", $path="zeek-agent-processes",
- $field_name_map=field_name_map]);
+ Log::add_filter(LOG, [ $name="default", $path="zeek-agent-processes",
+ $field_name_map=field_name_map ]);
 
- ZeekAgent::query([$sql_stmt="SELECT name,pid,uid,gid,ppid,priority,startup FROM processes",
+ ZeekAgent::query([ $sql_stmt="SELECT name,pid,uid,gid,ppid,priority,startup FROM processes",
 $event_=query_result, $schedule_=query_interval,
- $subscription=subscription]);
+ $subscription=subscription ]);
 }
diff --git a/scripts/table/sockets.zeek b/scripts/table/sockets.zeek
index 49df943..290c8b8 100644
--- a/scripts/table/sockets.zeek
+++ b/scripts/table/sockets.zeek
@@ -2,7 +2,7 @@ module ZeekAgent_Sockets;
 export {
 ## Query frequency.
- option query_interval = 30 secs;
+ option query_interval = 30secs;
 ## Subscription type
 option subscription = ZeekAgent::Differences;
@@ -49,11 +49,11 @@ event ZeekAgent_Sockets::query_result(ctx: ZeekAgent::Context, columns: Columns)
 event zeek_init()
 {
 local field_name_map = ZeekAgent::log_column_map(Columns, "columns.");
- Log::create_stream(LOG, [$columns=Info, $policy=log_policy]);
+ Log::create_stream(LOG, [ $columns=Info, $policy=log_policy ]);
 Log::remove_default_filter(LOG);
- Log::add_filter(LOG, [$name="default", $path="zeek-agent-sockets",
- $field_name_map=field_name_map]);
+ Log::add_filter(LOG, [ $name="default", $path="zeek-agent-sockets",
+ $field_name_map=field_name_map ]);
 
- ZeekAgent::query([$sql_stmt="SELECT * FROM sockets", $event_=query_result,
- $schedule_=query_interval, $subscription=subscription]);
+ ZeekAgent::query([ $sql_stmt="SELECT * FROM sockets", $event_=query_result,
+ $schedule_=query_interval, $subscription=subscription ]);
 }
diff --git a/scripts/table/ssh.zeek b/scripts/table/ssh.zeek
index 0d4296a..a1f329e 100644
--- a/scripts/table/ssh.zeek
+++ b/scripts/table/ssh.zeek
@@ -6,13 +6,12 @@ export {
 "/etc/ssh/sshd_config.d/*");
 ## Paths to find `authorized_keys` files in.
- option key_paths_to_watch: table[string] of set[string] = {
- ["linux"] = set("/home/*/.ssh/authorized_keys"),
- ["darwin"] = set("/Users/*/.ssh/authorized_keys")
- };
+ option key_paths_to_watch: table[string] of set[string] = { [ "linux" ] = set(
+ "/home/*/.ssh/authorized_keys"), [ "darwin" ] = set(
+ "/Users/*/.ssh/authorized_keys") };
 ## Query frequency.
- option query_interval = 30 secs;
+ option query_interval = 30secs;
 ## Subscription type
 option subscription = ZeekAgent::Differences;
@@ -95,19 +94,20 @@ event zeek_init()
 {
 local field_name_map_configs = ZeekAgent::log_column_map(ColumnsConfigs, "columns.");
- Log::create_stream(LOG_CONFIGS, [$columns=InfoConfigs,
- $policy=log_policy_configs]);
+ Log::create_stream(LOG_CONFIGS, [ $columns=InfoConfigs,
+ $policy=log_policy_configs ]);
 Log::remove_default_filter(LOG_CONFIGS);
- Log::add_filter(LOG_CONFIGS, [$name="default", $path="zeek-agent-ssh-configs",
- $field_name_map=field_name_map_configs]);
+ Log::add_filter(LOG_CONFIGS, [ $name="default",
+ $path="zeek-agent-ssh-configs",
+ $field_name_map=field_name_map_configs ]);
 for ( p in config_paths_to_watch )
 {
 local stmt_configs = fmt("SELECT * FROM files_columns(\"%s\", \"$1:text,$2:text\")", p);
- ZeekAgent::query([$sql_stmt=stmt_configs, $event_=query_result_configs,
+ ZeekAgent::query([ $sql_stmt=stmt_configs, $event_=query_result_configs,
 $schedule_=query_interval,
- $subscription=subscription]);
+ $subscription=subscription ]);
 }
 }
@@ -115,21 +115,21 @@ event zeek_init()
 {
 local field_name_map_keys = ZeekAgent::log_column_map(ColumnsKeys, "columns.");
- Log::create_stream(LOG_KEYS, [$columns=InfoKeys, $policy=log_policy_keys]);
+ Log::create_stream(LOG_KEYS, [ $columns=InfoKeys, $policy=log_policy_keys ]);
 Log::remove_default_filter(LOG_KEYS);
- Log::add_filter(LOG_KEYS, [$name="default",
+ Log::add_filter(LOG_KEYS, [ $name="default",
 $path="zeek-agent-ssh-authorized-keys",
- $field_name_map=field_name_map_keys]);
-
+ $field_name_map=field_name_map_keys ]);
 for ( platform in key_paths_to_watch )
 {
 for ( path in key_paths_to_watch[platform] )
 {
 local stmt_keys = fmt("SELECT * FROM files_lines(\"%s\")", path);
- ZeekAgent::query([$sql_stmt=stmt_keys, $event_=query_result_keys,
+ ZeekAgent::query([ $sql_stmt=stmt_keys, $event_=query_result_keys,
 $schedule_=query_interval,
- $subscription=subscription], ZeekAgent::Group, platform);
+ $subscription=subscription ],
+ ZeekAgent::Group, platform);
 }
 }
 }
diff --git a/scripts/table/system-logs.zeek b/scripts/table/system-logs.zeek
index a26664c..f8b8ed9 100644
--- a/scripts/table/system-logs.zeek
+++ b/scripts/table/system-logs.zeek
@@ -2,7 +2,7 @@ module ZeekAgent_SystemLogs;
 export {
 ## Query frequency.
- option query_interval = 30 secs;
+ option query_interval = 30secs;
 ## Subscription type
 option subscription = ZeekAgent::Differences;
@@ -40,13 +40,13 @@ event ZeekAgent_SystemLogs::query_result(ctx: ZeekAgent::Context,
 event zeek_init()
 {
 local field_name_map = ZeekAgent::log_column_map(Columns, "columns.");
- Log::create_stream(LOG, [$columns=Info, $policy=log_policy]);
+ Log::create_stream(LOG, [ $columns=Info, $policy=log_policy ]);
 Log::remove_default_filter(LOG);
- Log::add_filter(LOG, [$name="default", $path="zeek-agent-system-logs",
- $field_name_map=field_name_map]);
+ Log::add_filter(LOG, [ $name="default", $path="zeek-agent-system-logs",
+ $field_name_map=field_name_map ]);
 
- ZeekAgent::query([$sql_stmt="SELECT * FROM system_logs_events",
+ ZeekAgent::query([ $sql_stmt="SELECT * FROM system_logs_events",
 $event_=query_result, $schedule_=query_interval, $subscription=ZeekAgent::Events, $requires_tables=set(
- "system_logs_events")]);
+ "system_logs_events") ]);
 }
diff --git a/scripts/table/users.zeek b/scripts/table/users.zeek
index 20924c9..7cb87d8 100644
--- a/scripts/table/users.zeek
+++ b/scripts/table/users.zeek
@@ -2,7 +2,7 @@ module ZeekAgent_Users;
 export {
 ## Query frequency.
- option query_interval = 30 secs;
+ option query_interval = 30secs;
 ## Subscription type
 option subscription = ZeekAgent::Differences;
@@ -49,11 +49,11 @@ event ZeekAgent_Users::query_result(ctx: ZeekAgent::Context, columns: Columns)
 event zeek_init()
 {
 local field_name_map = ZeekAgent::log_column_map(Columns, "columns.");
- Log::create_stream(LOG, [$columns=Info, $policy=log_policy]);
+ Log::create_stream(LOG, [ $columns=Info, $policy=log_policy ]);
 Log::remove_default_filter(LOG);
- Log::add_filter(LOG, [$name="default", $path="zeek-agent-users",
- $field_name_map=field_name_map]);
+ Log::add_filter(LOG, [ $name="default", $path="zeek-agent-users",
+ $field_name_map=field_name_map ]);
 
- ZeekAgent::query([$sql_stmt="SELECT * FROM users", $event_=query_result,
- $schedule_=query_interval, $subscription=subscription]);
+ ZeekAgent::query([ $sql_stmt="SELECT * FROM users", $event_=query_result,
+ $schedule_=query_interval, $subscription=subscription ]);
 }
diff --git a/tests/zeek-agent/hello.zeek b/tests/zeek-agent/hello.zeek
index a3dac9d..4ff690d 100644
--- a/tests/zeek-agent/hello.zeek
+++ b/tests/zeek-agent/hello.zeek
@@ -14,15 +14,15 @@ global n = 0;
 event send_hello()
 {
 # We simulate an agent here by faking a corresponding "hello" event.
- local ctx: ZeekAgent::Context = [$agent_id="fake_agent",
- $query_id="fake_query", $host_time=network_time()];
+ local ctx: ZeekAgent::Context = [ $agent_id="fake_agent",
+ $query_id="fake_query", $host_time=network_time() ];
 if ( ++n < 3 )
 {
- local hello: ZeekAgentAPI::AgentHelloV1 = [$agent_id="fake_agent",
- $instance_id="fake_instance"];
+ local hello: ZeekAgentAPI::AgentHelloV1 = [ $agent_id="fake_agent",
+ $instance_id="fake_instance" ];
 event ZeekAgentAPI::agent_hello_v1(ctx, hello);
- schedule 0.1 secs { send_hello() };
+ schedule 0.1secs { send_hello() };
 }
 else
 {
@@ -33,5 +33,5 @@ event send_hello()
 event zeek_init()
 {
- schedule 0 secs { send_hello() };
+ schedule 0secs { send_hello() };
 }