FireSIGHT System Remediation API Guide
Chapter 4      Working with the Remediation SDK
Notes for Remediation Program Developers
When the command runs in this way, the syslog.pl binary can load the information in the instance.conf file because it is in the current directory. If the binary needs to load any modules or other files in the parent directory (/var/sf/remediations/Syslog_1.0 in this case), the code must explicitly load them from the parent directory; that is, it must provide a path starting with "../". Otherwise the binary will not be able to find the files that it needs.

In Perl, you can also deal with this issue using the lib() function as follows:

use lib("../");

Your program must be able to open, read, parse, and close the instance.conf file.
The Order of Command Line Parameters

When the remediation daemon passes event data to your remediation module, it passes the name of the remediation followed by the correlation event data in the order in which the fields are specified in module.template. In module.template, each field to be passed to your module is declared using the <pe_item> tag.

If a pe_item is set to optional in module.template and is undefined (meaning there is no value for the specific pe_item), the remediation daemon passes "undefined" or null to your module. If a pe_item is set to required in module.template but is undefined, the remediation daemon logs a message to the remediation log stating that no value is available, and does not execute your remediation module binary. You can view the remediation log in the web interface, where it is called the Table View of Remediations. See the FireSIGHT System User Guide for details on how to access and use this view.
Handling Undefined Data Elements

The remediation daemon handles undefined data items differently, depending on whether an item is marked as optional or required in module.template. Undefined means that the Defense Center database has no value for the item. The daemon's processing is as follows:

  • If the undefined pe_item is set to optional in module.template, the daemon passes "undefined" or null to your module.
  • If the undefined pe_item is set to required in module.template, the daemon does not execute the remediation and logs a message to the remediation log stating that no value is available.
Handling Return Codes

The Defense Center waits for a return code for each instance and records the code in the remediation log. For information on predefined and custom return codes, see

The Table View of Remediations in the web interface of the Defense Center displays the results of each launched remediation. See the FireSIGHT System User Guide for information on accessing and using the Table View of Remediations.
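The following skeleton ties together the three points above (loading from the parent directory with "../", taking the remediation name and pe_item values from the command line in module.template order while treating "undefined" as missing, and ending with a return code that the Defense Center records). It is an added example, not Cisco's syslog.pl or any code from the guide. The field names in @FIELDS, the key=value layout of instance.conf, and the exit-code values are assumptions for illustration; the real pe_item names come from your own module.template and the predefined return codes from the guide's section on return codes.

```perl
#!/usr/bin/perl
# Added example of a remediation module skeleton (not part of the FireSIGHT guide).
# Field names, instance.conf format and exit-code values are assumptions.
use strict;
use warnings;
use Cwd qw(getcwd);

# The daemon runs the module from the instance directory, so modules or helper
# files that live in the parent (remediation) directory must be reached via "../".
use lib "../";

# Hypothetical field order: it must match the <pe_item> order in module.template.
my @FIELDS = qw(src_ip dest_ip src_port dest_port);

# Assumed exit-code values; the guide's predefined codes are defined elsewhere.
use constant { RC_OK => 0, RC_BAD_ARGS => 1, RC_NO_CONFIG => 2 };

# Read key=value lines from instance.conf in the current directory
# (assumed layout for this example).
sub read_instance_conf {
    my ($path) = @_;
    open(my $fh, '<', $path) or return undef;
    my %conf;
    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /^\s*(#|$)/;          # skip comments and blank lines
        my ($k, $v) = split /\s*=\s*/, $line, 2;
        $conf{$k} = $v if defined $k && defined $v;
    }
    close($fh);
    return \%conf;
}

# Turn the argument list into a hash: the first argument is the remediation
# name, the rest are the pe_item values in module.template order. An optional
# item with no value in the database arrives as the literal string "undefined"
# (or empty), so map it to undef instead of treating it as event data.
sub parse_args {
    my @argv = @_;
    my $name = shift @argv;
    return (undef, undef, "missing remediation name") unless defined $name;
    return ($name, undef, "expected " . scalar(@FIELDS) . " fields, got " . scalar(@argv))
        if @argv != @FIELDS;
    my %event;
    for my $i (0 .. $#FIELDS) {
        my $v = $argv[$i];
        $event{ $FIELDS[$i] } =
            (!defined $v || $v eq '' || $v eq 'undefined') ? undef : $v;
    }
    return ($name, \%event, undef);
}

sub main {
    my ($name, $event, $err) = parse_args(@ARGV);
    if ($err) {
        print STDERR "$err\n";
        return RC_BAD_ARGS;
    }
    my $conf = read_instance_conf('instance.conf');
    unless ($conf) {
        print STDERR "cannot read instance.conf in " . getcwd() . "\n";
        return RC_NO_CONFIG;
    }
    # Hypothetical action: report which event fields actually carried a value.
    for my $f (@FIELDS) {
        my $v = $event->{$f};
        printf "%s: %s=%s\n", $name, $f,
            defined $v ? $v : '(undefined, optional item)';
    }
    return RC_OK;
}

exit main();
```

Run it from the instance directory the way the daemon would, for example `perl ../my_module.pl my_remediation 10.0.0.5 undefined 443 undefined` after placing an instance.conf beside it; the two "undefined" values show up as undefined items rather than as literal strings, and the exit status is what the Defense Center records in the Table View of Remediations.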