Cisco Firepower Management Center 2000 Developer Guide
FireSIGHT System Remediation API Guide
Chapter 4 Working with the Remediation SDK
Notes for Remediation Program Developers
You declare the names of all remediation types in the module.template file, and associate a remediation type with each instance as you add the instance via the web interface. The remediation type that an instance executes is recorded in the instance.conf file, which is stored in the instance.conf subdirectory described in Understanding the Remediation Subsystem File Structure.
The root directory of each remediation module is derived from the remediation module name and version number, both of which are declared in the module.template file. For details on the elements of module.template, see the section of this guide that describes that file.
If you install a module packaged in syslog.tgz with the name syslog and version 1.0 in module.template, the system puts the module in the following directory: /var/sf/remediations/syslog_1.0. That directory contains the module.template file and the remediation program binary for the module.
When you add an instance of the remediation and name the instance log_tokyo, the system creates the following directory: /var/sf/remediations/syslog_1.0/log_tokyo, and places a file named instance.conf in it. The instance.conf file, which is in XML format, contains the configuration information for the log_tokyo instance.
The following Linux command sequence illustrates the directory structure described above (the listing shows a syslog_perl_0.1 module with two instances, log_chicago and log_tokyo; the instance directory contains only instance.conf, while the program, syslog.pl, and module.template sit in the module root):

    # cd /var/sf/remediations
    # ls
    NMap_perl_2.0  SetAttrib_1.0  cisco_pix_1.0  cisco_ios_router_1.0  syslog_perl_0.1
    # cd syslog_perl_0.1
    # ls
    log_chicago  log_tokyo  module.template  syslog.pl
    # cd log_tokyo
    # ls
    instance.conf
Note that the instance.conf file contains the name of the remediation type that the log_tokyo instance runs. In the above example, the user who added the log_tokyo instance could have configured it to run either remediation type defined for the syslog remediation module: Simple_Notification or Complete_Notification. For details on the elements in the instance.conf XML file, see the section of this guide that describes that file.
Understanding the Remediation Program Workflow
When the Defense Center executes a remediation instance, the remediation daemon launches the remediation program from the instance subdirectory and supplies data from the instance.conf file to the remediation program as command line arguments.
An example will illustrate the process. If a policy violation launches a syslog instance named log_tokyo, which calls the remediation type named Simple_Notification with a source IP address of 1.1.1.1 and a destination IP address of 2.2.2.2, the Defense Center sets the working directory to /var/sf/remediations/syslog_1.0/log_tokyo (that is, the instance.conf subdirectory) and executes the remediation binary, syslog.pl. The daemon's command line syntax will be as follows:

    ../syslog.pl Simple_Notification 1.1.1.1 2.2.2.2
Note in particular that the syslog.pl executable is in the parent directory of the instance.conf subdirectory, which is why the daemon invokes it with the ../ prefix.
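The following is an added example, not code from the Cisco guide or from the syslog module it describes. It reproduces the directory layout and the daemon's launch contract from this section and the previous one (module root = name_version under /var/sf/remediations, instance subdirectory as the working directory, program invoked as ../program with the remediation type first), and sketches a remediation program written in Python instead of the guide's syslog.pl. It assumes that both remediation types take exactly the two arguments shown in the worked example (source IP, destination IP); the XML layout of instance.conf is not reproduced because this page does not show it. The handlers only build a message; a real program would emit syslog. The security point the example makes is that the arguments after the remediation type originate from the triggering event, that is from traffic an attacker influences, so they are validated as IP addresses and never spliced into a shell command.

```python
import ipaddress
import os
import sys

REMEDIATION_ROOT = "/var/sf/remediations"  # root directory shown in the guide's listing


def module_dir(module_name, version, root=REMEDIATION_ROOT):
    """Module root: <root>/<name>_<version>; name and version come from module.template."""
    return f"{root}/{module_name}_{version}"


def instance_dir(module_name, version, instance_name, root=REMEDIATION_ROOT):
    """Instance subdirectory: holds instance.conf and is the daemon's working directory."""
    return f"{module_dir(module_name, version, root)}/{instance_name}"


def daemon_command_line(program, remediation_type, *remediation_args):
    """argv the daemon builds. The program lives in the module root, one level above the
    instance directory that is the cwd, hence the '../' prefix; the type comes first."""
    return [f"../{program}", remediation_type, *remediation_args]


def simple_notification(src, dst):
    return f"Simple_Notification: violation from {src} to {dst}"


def complete_notification(src, dst):
    return f"Complete_Notification: violation from {src} to {dst} (full event detail)"


# Remediation types the syslog module declares in module.template, mapped to handlers.
HANDLERS = {
    "Simple_Notification": simple_notification,
    "Complete_Notification": complete_notification,
}


def run_remediation(argv, cwd=None):
    """Entry point of the remediation program. argv[1] is the remediation type; the
    remaining arguments are the type's own (assumed here: source IP, destination IP).
    Returns a dict instead of exiting so the logic can be exercised without a process."""
    cwd = cwd if cwd is not None else os.getcwd()
    # The daemon runs us from the instance subdirectory, so the instance's own
    # configuration is always at ./instance.conf (its XML layout is not shown on this page).
    instance_conf = f"{cwd}/instance.conf"
    result = {"exit": 1, "message": "", "instance_conf": instance_conf}
    if len(argv) < 2:
        result["message"] = "usage: <program> <remediation_type> [args...]"
        return result
    remediation_type = argv[1]
    handler = HANDLERS.get(remediation_type)
    if handler is None:
        result["message"] = f"unknown remediation type {remediation_type!r}"
        return result
    # The arguments after the type are derived from the event that fired the policy,
    # i.e. from attacker-influenced traffic. Validate them strictly and never build a
    # shell command string from them (pass them as discrete argv entries if you must exec).
    try:
        ips = [str(ipaddress.ip_address(arg)) for arg in argv[2:]]
    except ValueError as err:
        result["message"] = f"rejected argument: {err}"
        return result
    if len(ips) != 2:
        result["message"] = f"{remediation_type} expects source and destination IP, got {len(ips)}"
        return result
    result["exit"] = 0
    result["message"] = handler(*ips)
    return result


if __name__ == "__main__":
    # Invoked by the daemon as: ../syslog_example.py Simple_Notification 1.1.1.1 2.2.2.2
    outcome = run_remediation(sys.argv)
    print(outcome["message"])
    sys.exit(outcome["exit"])
```

Because the daemon sets the working directory rather than passing the instance path, a program that locates instance.conf by an absolute path hard-coded at development time will break when the instance is renamed or the module is upgraded to a new version directory; resolving it relative to the cwd, as above, matches the launch contract the guide describes.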