ArcSight Logger Installed (Linux)

2013-08-13T00:00:00
ID ARCSIGHT_LOGGER_INSTALLED_LINUX.NASL
Type nessus
Reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2013-08-13T00:00:00

Description

ArcSight Logger is installed on the remote host. ArcSight Logger is used to collect and manage logs.

                                        
                                            #TRUSTED a9632ab8cf64605cea6d33c2824174afefed38cf9bf6e8d5340440329ad9bb8fc023e9387f7b99464c45767b685588b63a6057d13ebaa5bb6ba2a092f0e62586a8c4c98e5430514f059ffe468ca92e9062dd021fb7351a49462882bd609370b0ce4a48cc11389fcbfcf2847958c414e2983d3e59f24e3d809320a32fe9e4a32387c526842350b75b232765082d027e45458e603724806db316234426ee527ddd6ec586a29ecd0c8a65743d68eac10a5b43313d796059338b0e4bdb6795629116223f5c17b5d864c6da826f3a01226ccbaed3faaa6a51b5647d9ee1cb8c79f0099dca37caaf6fd00600fb63debc83789dd429a51cb3094cd0fd659cfe603139585b03babdaf33d91b74db90a0366605458ca8cfb61248741932a49ce6cc52a620432fbec2f3b8892ac0822d21b2c3fe0eac99904f7540e3e1a2a2c73070081d20f15c0a3da7a92fbb1fef6432ee8e6a26e530725c6c1737efdda903a29c347dfb4b46f80633f91d7db25df8af614ed421ba04a5cc59cc6473c64493b5c138b25e5eb0cc6cc4327211f0d71b16919c7cfb2d7ad2ae7e98c4e6822d7dd0643603bfe0f9a965ef6c8ec1c66cdcbf8dcf6640a1f4b6b6e28e21576c8282daefffb420865f64967501be1710092d0cec5af64b624ea6eb946a916d70de01d6c1b2ba7ba11f996903e9d0d4ce26addec407f4c99db235848b5e079358a6c96633d7a516
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  # Registration pass: when the scanner loads the plugin with `description`
  # set, only the metadata below is evaluated and the exit(0) at the end of
  # this block keeps the detection code further down from running.
  script_id(69446);
  script_version("1.12");
  script_set_attribute(attribute:"plugin_modification_date", value:"2019/11/22");

  script_name(english:"ArcSight Logger Installed (Linux)");
  script_summary(english:"Looks for log files containing version information.");

  script_set_attribute(attribute:"synopsis", value:
"A log collection and management system is installed on the remote
Linux host.");
  script_set_attribute(attribute:"description", value:
"ArcSight Logger is installed on the remote host. ArcSight Logger is
used to collect and manage logs.");
  # http://www8.hp.com/ca/en/software-solutions/software.html?compURI=1314386#.Ug5u237YUzk
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?84aa80ae");
  script_set_attribute(attribute:"solution", value:"n/a");
  # Inventory-only plugin: it raises no finding (risk_factor None) and just
  # records the installed software (asset_inventory True, cpe below).
  script_set_attribute(attribute:"risk_factor", value:"None");
  script_set_attribute(attribute:"agent", value:"unix");

  script_set_attribute(attribute:"plugin_publication_date", value:"2013/08/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:arcsight_logger");
  script_set_attribute(attribute:"asset_inventory", value:"True");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # The detection code reads these three KB keys (HostLevelChecks/proto,
  # Host/local_checks_enabled, Host/uname); the two dependencies are the
  # plugins that populate them.
  script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl");
  script_require_keys("HostLevelChecks/proto", "Host/local_checks_enabled", "Host/uname");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("ssh_func.inc");
include("telnet_func.inc");
include("hostlevel_funcs.inc");
include("install_func.inc");

app = 'ArcSight Logger';

# Pick the SSH wrapper mode from the library's capability level.
if (sshlib::get_support_level() < sshlib::SSH_LIB_SUPPORTS_COMMANDS)
  disable_ssh_wrappers();
else
  enable_ssh_wrappers();

# Bail out early unless the fingerprinted kernel is Linux.
host_uname = get_kb_item_or_exit("Host/uname");
if ("Linux" >!< host_uname)
  audit(AUDIT_OS_NOT, "Linux");

# Both keys must exist: the command channel type and the local-checks flag.
proto = get_kb_item_or_exit('HostLevelChecks/proto');
get_kb_item_or_exit("Host/local_checks_enabled");

# Second OS gate on Host/OS: Windows (and anything else non-Linux) is not
# supported by the file paths used below.
os = get_kb_item('Host/OS');
if (isnull(os) || 'Linux' >!< os)
  audit(AUDIT_OS_NOT, "a Linux OS");

# Only a local shell or an SSH session can run the grep commands below.
if (proto != 'local' && proto != 'ssh')
  exit(0, 'This plugin only attempts to run commands locally or via SSH, and neither is available against the remote host.');

info_t = INFO_LOCAL;
if (proto == 'ssh')
{
  info_t = INFO_SSH;
  # No connection means nothing further can be checked; audit() exits.
  if (!ssh_open_connection())
    audit(AUDIT_FN_FAIL, 'ssh_open_connection');
}

# Raw version string -> marketing label. The same release appears twice
# because the installer .properties file records fewer components than the
# server/processor/receiver log files do.
ver_ui_map = make_array(
  '5.3.1.0',      '5.3 SP1', # Less detail from install-log files
  '5.3.1.6838.0', '5.3 SP1'  # More detail from log files
);

# Only the default install location is probed; this is also the path
# recorded in the KB and in the install record when the product is found.
default_as_logger_path = "/opt/current/arcsight/";
version = NULL;                    # most detailed version seen so far (NULL = none)
appears_to_be_installed = FALSE;   # set once any version-bearing line matches

# Use only default install location files for now
# Key: absolute path on the target (the log entries use shell globs, so one
# key can cover several rotated files). Value: the grep pattern, already
# wrapped in double quotes for the remote shell; the quotes are stripped
# again before the same pattern is applied locally with egrep.
# Every command sent to the target is assembled only from these literals,
# so nothing user- or host-controlled reaches the shell command line.
files_and_patterns = make_array(
  '/opt/UninstallerData/installvariables.properties',            '"PRODUCT_VERSION_NUMBER="',
  default_as_logger_path + 'logger/logs/logger_server.out.log', '"\\[INFO \\] Version "',
  default_as_logger_path + 'logger/logs/logger_server.log*',     '"\\[INFO \\]\\[Server\\]\\[go\\]\\[main\\] Version "',
  default_as_logger_path + 'logger/logs/logger_processor.log*',  '"\\[INFO \\]\\[LoggerProcessors\\]\\[go\\]\\[main\\] Version "',
  default_as_logger_path + 'logger/logs/logger_receiver.log*',   '"\\[INFO \\]\\[LoggerReceivers\\]\\[go\\]\\[main\\] Version "'
);

# Cheap presence test first: no install directory, no product.
cmd_out = info_send_cmd(cmd:"test -d " + default_as_logger_path + " && echo OK");
if ("OK" >!< cmd_out)
{
  if (info_t == INFO_SSH) ssh_close_connection();
  audit(AUDIT_NOT_INST, app);
}

# Pull the latest version-bearing line out of every candidate file and keep
# the candidate with the most dotted components.
foreach log_file (keys(files_and_patterns))
{
  grep_pat = files_and_patterns[log_file];
  candidate = "";

  # logger_server.out.log uses a text-based day-of-week and thus, skip sorting date
  # The other files use a fully number-based date and thus, look at them all and sort on date
  if (".out." >< log_file)
    pipeline = " | tail -n 1";
  else
    pipeline = " | sort | tail -n 1";
  cmd_out = info_send_cmd(cmd:"grep -h " + grep_pat + " " + log_file + pipeline);

  # Re-apply the pattern locally (minus the shell quoting) so that anything
  # other than the expected line - errors, shell noise - is discarded.
  line = egrep(string:cmd_out, pattern:str_replace(string:grep_pat, find:'"', replace:""));
  if (!strlen(line))
    continue;

  appears_to_be_installed = TRUE;
  line = chomp(line);

  if ("properties" >< log_file)
  {
    # Remainder of the line after the key, taken as-is (not digit-filtered).
    candidate = line - "PRODUCT_VERSION_NUMBER=";
  }
  else
  {
    # Log lines: only the digits-and-dots token after " Version " is kept,
    # so host-controlled log content cannot put arbitrary text into the KB.
    ver_match = pregmatch(string:line, pattern:" Version ([0-9.]+)");
    if (!isnull(ver_match))
      candidate = ver_match[1];
  }

  # Keep most detailed version number
  if (max_index(split(candidate, sep:".")) > max_index(split(version, sep:".")))
    version = candidate;
}

if (info_t == INFO_SSH) ssh_close_connection();

# A matching line without a parsable number still counts as installed.
if (isnull(version) && appears_to_be_installed)
  version = 'unknown';

# Nothing matched at all: report not installed (audit() exits).
if (isnull(version))
  audit(AUDIT_NOT_INST, app);

set_kb_item(name:'hp/arcsight_logger/path', value:default_as_logger_path);
set_kb_item(name:'hp/arcsight_logger/ver', value:version);

# Prefer the marketing label when the raw version has one; the display_ver
# KB entry is only written in that case.
display_version = version;
ui_label = ver_ui_map[version];
if (!isnull(ui_label))
{
  display_version = ui_label + " (" + version + ")";
  set_kb_item(name:'hp/arcsight_logger/display_ver', value:display_version);
}

register_install(
  app_name:app,
  path:default_as_logger_path,
  version:version,
  display_version:display_version,
  cpe:"cpe:/a:hp:arcsight_logger");

report_installs(app_name:app);
exit(0);