Reformat Zeek scripts with zeek-script.

zeek-packages · Jan 15, 2024 · baf297f · baf297f
1 parent 98ceb67
commit baf297f
Show file tree

Hide file tree

Showing 9 changed files with 77 additions and 73 deletions.
diff --git a/auxil/format-zeek-script b/auxil/format-zeek-script
@@ -1,7 +1,12 @@
-#! /bin/sh
+#! /usr/bin/env bash
 
-type -P zeek-script >/dev/null 2>&1 || exit 0
+type zeek-script >/dev/null 2>&1 || exit 0
 
-for i in $@; do
-    zeek-script format ${i} >${i}.tmp && mv -f ${i}.tmp ${i}
+rc=0
+
+for i in "$@"; do
+    zeek-script format -ir "${i}" 2>&1 | grep -v '0 errors'
+    test "${PIPESTATUS[0]}" -ne 0 && rc=1
 done
+
+exit ${rc}
diff --git a/scripts/framework/main.zeek b/scripts/framework/main.zeek
@@ -86,10 +86,10 @@ export {
 
 	## Expiration interval for an agent's state after not hearing from it
 	## anymore. (Note that this should be longer than the agent's hello interval.)
-	option agent_timeout = 10 mins;
+	option agent_timeout = 10mins;
 
 	## Interval to broadcast ``hello`` events to all connected agents.
-	option hello_interval = 60 secs;
+	option hello_interval = 60secs;
 
 @if ( Version::number < 50000 )
 	## If non-zero and we are on Zeek < 5.0, listen on this port for
@@ -155,7 +155,7 @@ function log_update(agent_id: string, type_: string)
 	# Callers guarantee that the ID is in the table.
 	local agent = agents[agent_id];
 
-	local log: Info = [$ts=network_time(), $type_=type_, $hid=agent_id];
+	local log: Info = [ $ts=network_time(), $type_=type_, $hid=agent_id ];
 
 	local hello = agent$hello;
 
@@ -183,7 +183,7 @@ function log_update(agent_id: string, type_: string)
 function agent_expired(t: table[string] of Agent, agent_id: string): interval
 	{
 	log_update(agent_id, "offline");
-	return 0 secs;
+	return 0secs;
 	}
 
 function make_topic(qstate: QueryState, agent_id: string): string
@@ -225,17 +225,17 @@ function send_query_to_all_agents(query_id: string)
 
 function send_hello_to_agent(agent_id: string)
 	{
-	local hello: ZeekAgentAPI::ZeekHelloV1 = [$version_string=zeek_version(),
-	    $version_number=Version::number, $package_version=package_version];
+	local hello: ZeekAgentAPI::ZeekHelloV1 = [ $version_string=zeek_version(),
+	    $version_number=Version::number, $package_version=package_version ];
 	local ev = Broker::make_event(ZeekAgentAPI::zeek_hello_v1, zeek_instance,
 	    hello);
 	Broker::publish(fmt("/zeek-agent/query/host/%s", agent_id), ev);
 	}
 
 function send_hello_to_all_agents()
 	{
-	local hello: ZeekAgentAPI::ZeekHelloV1 = [$version_string=zeek_version(),
-	    $version_number=Version::number, $package_version=package_version];
+	local hello: ZeekAgentAPI::ZeekHelloV1 = [ $version_string=zeek_version(),
+	    $version_number=Version::number, $package_version=package_version ];
 	local ev = Broker::make_event(ZeekAgentAPI::zeek_hello_v1, zeek_instance,
 	    hello);
 	Broker::publish("/zeek-agent/query/group/all", ev);
@@ -265,8 +265,8 @@ function cancel(query_id: string)
 function query(query: Query, scope: Scope, target: string): string
 	{
 	local query_id = unique_id("za_");
-	queries[query_id] = [$query_id=query_id, $scope=scope, $target=target,
-	    $query=query];
+	queries[query_id] = [ $query_id=query_id, $scope=scope, $target=target,
+	    $query=query ];
 
 	send_query_to_all_agents(query_id);
 	return query_id;
@@ -347,14 +347,13 @@ event send_zeek_hello()
 event zeek_init() &priority=100
 	{
 	zeek_instance = unique_id("zeek_");
-	Log::create_stream(LOG, [$columns=Info, $path="zeek-agent",
-	    $policy=log_policy]);
+	Log::create_stream(LOG, [ $columns=Info, $path="zeek-agent", $policy=log_policy ]);
 
 	if ( file_size(package_version_file) > 0 )
-		Input::add_event([$source=package_version_file, $reader=Input::READER_RAW,
+		Input::add_event([ $source=package_version_file, $reader=Input::READER_RAW,
 		    $mode=Input::MANUAL, $name="package_version",
 		    $fields=PackageVersionLine, $ev=package_version_line,
-		    $want_record=F]);
+		    $want_record=F ]);
 	}
 
 event zeek_init() &priority=-10
@@ -415,8 +414,8 @@ event ZeekAgentAPI::agent_hello_v1(ctx: ZeekAgent::Context,
 		}
 	else
 		{
-		agents[agent_id] = [$last_seen=network_time(), $hello_id=ctx$query_id,
-		    $hello=columns];
+		agents[agent_id] = [ $last_seen=network_time(), $hello_id=ctx$query_id,
+		    $hello=columns ];
 		log_update(agent_id, "join");
 		send_hello_to_agent(agent_id);
 		send_all_queries_to_agent(agent_id);

diff --git a/scripts/table/files.zeek b/scripts/table/files.zeek
@@ -5,7 +5,7 @@ export {
 	const paths_to_watch = set("/etc/*", "/etc/*/*") &redef;
 
 	## Query frequency.
-	option query_interval = 30 secs;
+	option query_interval = 30secs;
 
 	## Subscription type
 	option subscription = ZeekAgent::Differences;
@@ -53,15 +53,15 @@ event zeek_init()
 		return;
 
 	local field_name_map = ZeekAgent::log_column_map(Columns, "columns.");
-	Log::create_stream(LOG, [$columns=Info, $policy=log_policy]);
+	Log::create_stream(LOG, [ $columns=Info, $policy=log_policy ]);
 	Log::remove_default_filter(LOG);
-	Log::add_filter(LOG, [$name="default", $path="zeek-agent-files",
-	    $field_name_map=field_name_map]);
+	Log::add_filter(LOG, [ $name="default", $path="zeek-agent-files",
+	    $field_name_map=field_name_map ]);
 
 	for ( p in paths_to_watch )
 		{
 		local stmt = fmt("SELECT * FROM files_list(\"%s\")", p);
-		ZeekAgent::query([$sql_stmt=stmt, $event_=query_result,
-		    $schedule_=query_interval, $subscription=subscription]);
+		ZeekAgent::query([ $sql_stmt=stmt, $event_=query_result,
+		    $schedule_=query_interval, $subscription=subscription ]);
 		}
 	}
diff --git a/scripts/table/processes.zeek b/scripts/table/processes.zeek
@@ -2,7 +2,7 @@ module ZeekAgent_Processes;
 
 export {
 	## Query frequency.
-	option query_interval = 30 secs;
+	option query_interval = 30secs;
 
 	## Subscription type
 	option subscription = ZeekAgent::Differences;
@@ -47,12 +47,12 @@ event ZeekAgent_Processes::query_result(ctx: ZeekAgent::Context,
 event zeek_init()
 	{
 	local field_name_map = ZeekAgent::log_column_map(Columns, "columns.");
-	Log::create_stream(LOG, [$columns=Info, $policy=log_policy]);
+	Log::create_stream(LOG, [ $columns=Info, $policy=log_policy ]);
 	Log::remove_default_filter(LOG);
-	Log::add_filter(LOG, [$name="default", $path="zeek-agent-processes",
-	    $field_name_map=field_name_map]);
+	Log::add_filter(LOG, [ $name="default", $path="zeek-agent-processes",
+	    $field_name_map=field_name_map ]);
 
-	ZeekAgent::query([$sql_stmt="SELECT name,pid,uid,gid,ppid,priority,startup FROM processes",
+	ZeekAgent::query([ $sql_stmt="SELECT name,pid,uid,gid,ppid,priority,startup FROM processes",
 	    $event_=query_result, $schedule_=query_interval,
-	    $subscription=subscription]);
+	    $subscription=subscription ]);
 	}
diff --git a/scripts/table/sockets.zeek b/scripts/table/sockets.zeek
@@ -2,7 +2,7 @@ module ZeekAgent_Sockets;
 
 export {
 	## Query frequency.
-	option query_interval = 30 secs;
+	option query_interval = 30secs;
 
 	## Subscription type
 	option subscription = ZeekAgent::Differences;
@@ -49,11 +49,11 @@ event ZeekAgent_Sockets::query_result(ctx: ZeekAgent::Context, columns: Columns)
 event zeek_init()
 	{
 	local field_name_map = ZeekAgent::log_column_map(Columns, "columns.");
-	Log::create_stream(LOG, [$columns=Info, $policy=log_policy]);
+	Log::create_stream(LOG, [ $columns=Info, $policy=log_policy ]);
 	Log::remove_default_filter(LOG);
-	Log::add_filter(LOG, [$name="default", $path="zeek-agent-sockets",
-	    $field_name_map=field_name_map]);
+	Log::add_filter(LOG, [ $name="default", $path="zeek-agent-sockets",
+	    $field_name_map=field_name_map ]);
 
-	ZeekAgent::query([$sql_stmt="SELECT * FROM sockets", $event_=query_result,
-	    $schedule_=query_interval, $subscription=subscription]);
+	ZeekAgent::query([ $sql_stmt="SELECT * FROM sockets", $event_=query_result,
+	    $schedule_=query_interval, $subscription=subscription ]);
 	}
diff --git a/scripts/table/ssh.zeek b/scripts/table/ssh.zeek
@@ -6,13 +6,12 @@ export {
 	    "/etc/ssh/sshd_config.d/*");
 
 	## Paths to find `authorized_keys` files in.
-	option key_paths_to_watch: table[string] of set[string] = {
-		["linux"] = set("/home/*/.ssh/authorized_keys"),
-		["darwin"] = set("/Users/*/.ssh/authorized_keys")
-	};
+	option key_paths_to_watch: table[string] of set[string] = { [ "linux" ] = set(
+	    "/home/*/.ssh/authorized_keys"), [ "darwin" ] = set(
+	    "/Users/*/.ssh/authorized_keys") };
 
 	## Query frequency.
-	option query_interval = 30 secs;
+	option query_interval = 30secs;
 
 	## Subscription type
 	option subscription = ZeekAgent::Differences;
@@ -95,41 +94,42 @@ event zeek_init()
 		{
 		local field_name_map_configs = ZeekAgent::log_column_map(ColumnsConfigs,
 		    "columns.");
-		Log::create_stream(LOG_CONFIGS, [$columns=InfoConfigs,
-		    $policy=log_policy_configs]);
+		Log::create_stream(LOG_CONFIGS, [ $columns=InfoConfigs,
+		    $policy=log_policy_configs ]);
 		Log::remove_default_filter(LOG_CONFIGS);
-		Log::add_filter(LOG_CONFIGS, [$name="default", $path="zeek-agent-ssh-configs",
-		    $field_name_map=field_name_map_configs]);
+		Log::add_filter(LOG_CONFIGS, [ $name="default",
+		    $path="zeek-agent-ssh-configs",
+		    $field_name_map=field_name_map_configs ]);
 
 		for ( p in config_paths_to_watch )
 			{
 			local stmt_configs = fmt("SELECT * FROM files_columns(\"%s\", \"$1:text,$2:text\")",
 			    p);
-			ZeekAgent::query([$sql_stmt=stmt_configs, $event_=query_result_configs,
+			ZeekAgent::query([ $sql_stmt=stmt_configs, $event_=query_result_configs,
 			    $schedule_=query_interval,
-			    $subscription=subscription]);
+			    $subscription=subscription ]);
 			}
 		}
 
 	if ( |key_paths_to_watch| != 0 )
 		{
 		local field_name_map_keys = ZeekAgent::log_column_map(ColumnsKeys,
 		    "columns.");
-		Log::create_stream(LOG_KEYS, [$columns=InfoKeys, $policy=log_policy_keys]);
+		Log::create_stream(LOG_KEYS, [ $columns=InfoKeys, $policy=log_policy_keys ]);
 		Log::remove_default_filter(LOG_KEYS);
-		Log::add_filter(LOG_KEYS, [$name="default",
+		Log::add_filter(LOG_KEYS, [ $name="default",
 		    $path="zeek-agent-ssh-authorized-keys",
-		    $field_name_map=field_name_map_keys]);
-
+		    $field_name_map=field_name_map_keys ]);
 
 		for ( platform in key_paths_to_watch )
 			{
 			for ( path in key_paths_to_watch[platform] )
 				{
 				local stmt_keys = fmt("SELECT * FROM files_lines(\"%s\")", path);
-				ZeekAgent::query([$sql_stmt=stmt_keys, $event_=query_result_keys,
+				ZeekAgent::query([ $sql_stmt=stmt_keys, $event_=query_result_keys,
 				    $schedule_=query_interval,
-				    $subscription=subscription], ZeekAgent::Group, platform);
+				    $subscription=subscription ],
+				    ZeekAgent::Group, platform);
 				}
 			}
 		}

diff --git a/scripts/table/system-logs.zeek b/scripts/table/system-logs.zeek
@@ -2,7 +2,7 @@ module ZeekAgent_SystemLogs;
 
 export {
 	## Query frequency.
-	option query_interval = 30 secs;
+	option query_interval = 30secs;
 
 	## Subscription type
 	option subscription = ZeekAgent::Differences;
@@ -40,13 +40,13 @@ event ZeekAgent_SystemLogs::query_result(ctx: ZeekAgent::Context,
 event zeek_init()
 	{
 	local field_name_map = ZeekAgent::log_column_map(Columns, "columns.");
-	Log::create_stream(LOG, [$columns=Info, $policy=log_policy]);
+	Log::create_stream(LOG, [ $columns=Info, $policy=log_policy ]);
 	Log::remove_default_filter(LOG);
-	Log::add_filter(LOG, [$name="default", $path="zeek-agent-system-logs",
-	    $field_name_map=field_name_map]);
+	Log::add_filter(LOG, [ $name="default", $path="zeek-agent-system-logs",
+	    $field_name_map=field_name_map ]);
 
-	ZeekAgent::query([$sql_stmt="SELECT * FROM system_logs_events",
+	ZeekAgent::query([ $sql_stmt="SELECT * FROM system_logs_events",
 	    $event_=query_result, $schedule_=query_interval,
 	    $subscription=ZeekAgent::Events, $requires_tables=set(
-	    "system_logs_events")]);
+	    "system_logs_events") ]);
 	}
diff --git a/scripts/table/users.zeek b/scripts/table/users.zeek
@@ -2,7 +2,7 @@ module ZeekAgent_Users;
 
 export {
 	## Query frequency.
-	option query_interval = 30 secs;
+	option query_interval = 30secs;
 
 	## Subscription type
 	option subscription = ZeekAgent::Differences;
@@ -49,11 +49,11 @@ event ZeekAgent_Users::query_result(ctx: ZeekAgent::Context, columns: Columns)
 event zeek_init()
 	{
 	local field_name_map = ZeekAgent::log_column_map(Columns, "columns.");
-	Log::create_stream(LOG, [$columns=Info, $policy=log_policy]);
+	Log::create_stream(LOG, [ $columns=Info, $policy=log_policy ]);
 	Log::remove_default_filter(LOG);
-	Log::add_filter(LOG, [$name="default", $path="zeek-agent-users",
-	    $field_name_map=field_name_map]);
+	Log::add_filter(LOG, [ $name="default", $path="zeek-agent-users",
+	    $field_name_map=field_name_map ]);
 
-	ZeekAgent::query([$sql_stmt="SELECT * FROM users", $event_=query_result,
-	    $schedule_=query_interval, $subscription=subscription]);
+	ZeekAgent::query([ $sql_stmt="SELECT * FROM users", $event_=query_result,
+	    $schedule_=query_interval, $subscription=subscription ]);
 	}
diff --git a/tests/zeek-agent/hello.zeek b/tests/zeek-agent/hello.zeek
@@ -14,15 +14,15 @@ global n = 0;
 event send_hello()
 	{
 	# We simulate an agent here by faking a corresponding "hello" event.
-	local ctx: ZeekAgent::Context = [$agent_id="fake_agent",
-	    $query_id="fake_query", $host_time=network_time()];
+	local ctx: ZeekAgent::Context = [ $agent_id="fake_agent",
+	    $query_id="fake_query", $host_time=network_time() ];
 
 	if ( ++n < 3 )
 		{
-		local hello: ZeekAgentAPI::AgentHelloV1 = [$agent_id="fake_agent",
-		    $instance_id="fake_instance"];
+		local hello: ZeekAgentAPI::AgentHelloV1 = [ $agent_id="fake_agent",
+		    $instance_id="fake_instance" ];
 		event ZeekAgentAPI::agent_hello_v1(ctx, hello);
-		schedule 0.1 secs { send_hello() };
+		schedule 0.1secs { send_hello() };
 		}
 	else
 		{
@@ -33,5 +33,5 @@ event send_hello()
 
 event zeek_init()
 	{
-	schedule 0 secs { send_hello() };
+	schedule 0secs { send_hello() };
 	}