################################
Command Line Utilities (CLI)
################################


awp-mirror-update 
=================

Atomic OSSEC local mirror CLI: /etc/cron.daily/awp-mirror-update. This utility is responsible for maintaining the local agent software mirror on the hub server. By default it runs automatically every day.

**Requires**

- Internet access to updates.atomicorp.com
- Cron (for automatic updates)


**Configuration**

File: /etc/asl/awp-mirror.conf

.. code-block:: console

  DISABLED=no : Enable/Disable mirror updates (default: enabled)
  AIX=1 : Enable/Disable AIX agent mirrors (default: enabled)
  AMZN=1 : Enable/Disable Amazon agent mirrors (default: enabled)
  DEBIAN=1 : Enable/Disable Debian agent mirrors (default: enabled)
  EL5=1 : Enable/Disable RHEL/Centos 5 agent mirrors (default: enabled)
  EL6=1 : Enable/Disable RHEL/Centos 6 agent mirrors (default: enabled)
  EL7=1 : Enable/Disable RHEL/Centos 7 agent mirrors (default: enabled)
  EL8=1 : Enable/Disable RHEL/Rocky/Centos 8 agent mirrors (default: enabled)
  SUSE=1 : Enable/Disable OpenSuSE agent mirrors (default: enabled)
  OSX=1 : Enable/Disable Apple OSX agent mirrors (default: enabled)
  SOLARIS=1 : Enable/Disable Solaris agent mirrors (default: enabled)
  UBUNTU=1 : Enable/Disable Ubuntu agent mirrors (default: enabled)
  WINDOWS=1 : Enable/Disable Windows agent mirrors (default: enabled)
  DEBUG=0 : Enable/Disable debug output (default: disabled)


**Usage**

/etc/cron.daily/awp-mirror-update



agent_cleanup.sh
================

Bulk remove agents that are in a Disconnected or Never Connected state.


**Usage**

agent_cleanup.sh d - Remove all agents in a Disconnected state

agent_cleanup.sh nc - Remove all agents in a Never Connected state





agent-expire.sh
===============

Bulk remove agents that have not been connected in <X> days.  

**Usage**

agent-expire.sh <days> 

agent-expire.sh <days> --force : remove with no input



agent-group-sort.sh
===================

List all agents in a particular group

**Usage**

agent-group-sort.sh <grouplist> <agent_control output>  

--show-agent List agents in CSV


atomicorp-api
=============

CLI API to manage agents. This utility can perform the following:

 - list agents and groups
 - initialize components (auditd, clamav, fapolicyd)
 - install components (auditd, clamav, fapolicyd)
 - restart components (clamav, ossec-hids)
 - scan components (clamav)
 - update components (clamav, ossec-hids on RPM and DEB based systems)

**Usage**

/var/awp/bin/atomicorp-api

.. code-block:: console

  Usage: /var/awp/bin/atomicorp-api -l|-lg|-a|-g group|-i id -i <package>|-u <package> |-x <package>

    example: /var/awp/bin/atomicorp-api -a -u atomicorp


  Command line parameters

    List agents or groups
      -l				List Agents
      -lg 				List Groups

    Target requires one of the following
      -a 				All agents
      -g <group> 			All agents in group <group>
      -i <id>			Specified Agent ID

    Action requires one of the following
      -init <package>		Configure package (first time setup)
    		auditd 			- configure/update/start auditd
    		clamav 			- configure/update/start clamd
    		fapolicyd 		- configure/update/start fapolicyd
      -install <package>		Install package where package is:
    		auditd 			- installs auditd
    		clamav 			- installs clamav
    		fapolicyd 		- installs fapolicyd
      -restart <package>		Restart package
    		clamav 			- restart clamd
    		ossec-hids		- restart ossec
      -scan <module> <option>		Scan module
    		clamav 			- scan <path>
      -update <package>		Update package where package is:
  	  	clamav 			- update clamav signatures
        ossec-hids		- update atomic ossec

    Optional
      -h					Show this help
      -r					Realtime flag, shows responses in real time
      -t <timeout>			Timeout in seconds (default 30)


aum
===


.. code-block:: console

        aum -command [parameter] [-command [parameter]]

        Commands:
        -ck, -list                  Check for available updates
        -u, -upgrade                Download updates
        -uf                         Download and apply updates
        -f                          Along with -u or -upgrade, apply updates
        -h                          Display this help menu
        -debug #                    Debug level (0 - 4)



awp
===

.. code-block:: console

        Atomic Protector usage:

          General Syntax:
          awp -command [parameter] [-command [parameter]]

        Commands:
        --acl-get                                  Display current access control list settings

        --acl-add                                  Add IP(s) to ACL
         Example(s):
          --acl-add 1.2.3.4[,1.2.3.5,...]

        --acl-remove                               Remove IP(s) from ACL
         Example(s):
          --acl-remove 1.2.3.4[,1.2.3.5,...]

        --active-response-add											 Adds a new active response section to Ossec Configuration
         Examples(s):
           --active-response-add <identifier>=<entry>[ <identifier>=<entry> ...]
                 (Identifiers):	command, location, timeout, rulesid, repeatedoffenders, disabled, agentid, rulesgroup, level

        --aws-credentials											 Creates aws credentials file for interaction with aws
         Example:
         --aws-credentials <access_key_id> <access_key_pass>

        --aws-state_query											 Updates the state of your aws inventory. (Must have credentials set up)
         Example:
         --aws-state-query

         --blocklist-remove, -ub                   Remove IP(s) from the blocklist
         Examples(s):
          --blocklist-remove 1.2.3.4[,1.2.3.5,...]

         --blocklist-clear                        Remove all currently blocked IP(s)

         --blocklist-rebuild                      Rebuild the blocklist from the current day's data.

        --denylist-get                            Display current denylisted IP(s)

        -bl --denylist --denylist-add            Add IP(s) to the denylist
         Example(s):
          -bl 1.2.3.4[,1.2.3.5,...]
          -bl 1.2.3.4[,1.2.3.5,...] "Comment text"
          -bl 1.2.3.4[,1.2.3.5,...] username "Comment text"

        --denylist-remove                         Remove IP(s) from the denylist
         Examples(s):
          --denylist-remove 1.2.3.4[,1.2.3.5,...]

        -ck --check --list                         Display available updates

        --clientapi-get                            Display current clientapi settings

        --connections                              Display current connections to machine

        --country-codes-get                        Display a list of country codes and their respective country

        --domain-denylist-get                     Display currently denylisted domains

        --domain-denylist --domain-denylist-add  Add a domain to spam denylist
         Example(s):
          --domain-denylist-add foo.com[,bar.com,...]

        --domain-denylist-remove                  Remove a domain from malware denylist
         Example(s):
          --domain-denylist-remove foo.com[,bar.com,...]

        --debug                                    Display/modify debug level for AWP
         Example(s):
          --debug (display the current debug level)
          --debug <int> (set the debug level)

        -f   --fix                                 Fix and Repair mode

        --false-positive-report                    Report an alert as a false positive
         Example(s):
          --false-positive-report

        --false-negative-report                    Report an alert as a false negative
         Example(s):
          --false-negative-report

        --file-integrity-get --fim-get             Display current file integrity settings

        --file-integrity-detail-get                Retrieve package information associated with a file
         Example(s):
          --file-integrity-detail-get <filename>

        --firewall-start                           Start the AWP firewall

        --firewall-stop                            Stop the AWP firewall

        --firewall-restart                         Restart the AWP firewall

        --firewall-get                             Display current firewall settings

        --geo-denylist-get                        Display currently blocked countries

        --geo-denylist-add

        --geo-denylist-remove

        -h --help                                  Display this help menu

        --malware-detection-get                    Display current malware detection settings

        --malware-history-detail-get

        --no_color                                 Disable colors in output

        --rules-user-get                           Display current user WAF and HIDS rules

        --rule-modify                              Adjust rule level, log alert, email alert, and active response
        Example(s):
          --rule-modify 123456[,123457,...] [0-15] (yes|no) (yes|no) (yes|no)

        --rule-level                               Modify rule level
        Example(s):
          --rule-level 123456[,123457,...] [0-15]

        --rule-log                                 Turn rule logging on/off
        Example(s):
          --rule-log 123456[,123457,...] (yes|no|1|0|on|off)

        --rule-email                               Turn rule email alert on/off
        Example(s):
          --rule-email 123456[,123457,...] (yes|no|1|0|on|off)

        --rule-ar                                  Turn rule active response on/off
        Example(s):
          --rule-ar 123456[,123457,...] (yes|no|1|0|on|off)

        --rule-disable                             Disable modsec rule(s) by signature ID
         Example(s):
          --rule-disable 123456[,123457,...]

        --rule-disable-vhost                       Disable modsec rule(s) by vhost(s)
         Example(s):
          --rule-disable-vhost 123456[,123457] foo.bar.com[,bar.foo.com,...]
          NOTE: Each rule id will be disabled on each vhost

        --rule-enable                              Enable modsec rule(s) by signature ID
         Example(s):
          --rule-disable 123456[,123457,...]

        --rule-enable-vhost                        Enable modsec rule(s) by vhost(s)
         Example(s):
          --rule-enable-vhost 123456[,123457] foo.bar.com[,bar.foo.com,...]
          NOTE: Each rule id will be enabled on each vhost

        --rule-reset                               Remove user rule modifications

        -s --scan                                  Run a system scan
         Example(s):
          -s                (run a full system scan in non-fix mode)
          -s ossec,clamav   (run only the ossec and clamav sections of the scan)
          -s -f             (run a full system scan in fix mode)

        --show-alert                               Show alert details
         Example(s):
          --show-alert <path>

        --status,-v                                Display miscellaneous system info (OS, Kernel, etc.)

        --system-monitor                           Display AWP resource usage statistics

        --twaf-get                                 Display current TWAF settings

        --vuln-db-get                              Display vulnerability database details (key, threat level, score)

        --vuln-get                                 Display current system vulnerabilities

        --update -u                                Update system packages and component rules
         Example(s):
          -u                    (download and apply system updates only where outdated)
          -u -f                 (force system updates)
          -u --upgrade-channel  (download and apply updates from specified upgrade channel)

        --upgrade-channel                          Select channel to apply updates from

        --waf-enable-vhost --waf-disable-vhost

        --web-user-add                             Add a user for the AWP web console
         Example(s):
          --web-user-add <username> <passwd> <email> <group_id>

        --web-user-get                             Display list of current web console users

        --web-user-remove                          Remove a user from the AWP web console
         Example(s):
          --web-user-remove <username>

        --web-user-modify
         Example(s):
          --web-user-modify <name> <password>               (change password for username)
          --web-user-modify <name> <password> <email>       (change password and email for username)
          --web-user-modify <name> <password> <email> <gid> (change password, email, and gid for username)

        --accesslist-get                            Display all currently accesslisted IPs

        -wl --accesslist --accesslist-add            Add an IP to the accesslist
         Example(s):
          -wl 1.2.3.4[,1.2.3.5,...]
          -wl 1.2.3.4[,1.2.3.5,...] "Comment text"
          -wl 1.2.3.4[,1.2.3.5,...] username "Comment text"

        --accesslist-remove                         Remove an IP from the accesslist
         Example(s):
          --accesslist-remove 1.2.3.4[,1.2.3.5,...]



awp-add-user
============

.. code-block:: console

        All interactions are prompted within the program when run.

          -h
                Display help.



awp_firewall
============

.. code-block:: console

        Accepted usages:
        1) awp_firewall -start
        2) awp_firewall -restart
        3) awp_firewall -stop
        4) awp_firewall (-h|-help)




awp_indexgen
============

Generate index data

.. code-block:: console

        awp_indexgen 

          -f force generation





awp_jsongen
===========

Convert ossec alerts.log data to alerts.json format.



awp-monitor.sh
==============

Health monitoring script for the Atomic OSSEC web interface (awpwebd). It checks the responsiveness of the HTTPS endpoint and restarts the service if it fails.

**Configuration**

The script requires a configuration file to operate. If no configuration is found, it exits gracefully.
Default configuration path: ``/var/awp/etc/awp-monitor.conf``

Configuration variables:

.. code-block:: bash

    HOST="localhost"
    PORT="30001"
    URL_PATH="/"
    MAX_RETRIES="6"
    RETRY_WAIT="60"
    TIMEOUT="5"
    EXPECTED_CONTENT="Atomic OSSEC"
    RESTART_CMD="systemctl restart awpwebd"
    DEBUG="false"
    SILENT="false"

**Usage**

.. code-block:: console

    /var/awp/bin/awp-monitor.sh [OPTIONS]

    OPTIONS:
        -c, --config FILE     Configuration file (shell script or KEY=value format)
        -h, --host HOST       Target hostname or IP
        -p, --port PORT       HTTPS port to monitor
        -P, --path PATH       URL path to check
        -r, --retries NUM     Number of retry attempts
        -w, --wait SECONDS    Seconds to wait between retries
        -t, --timeout SECONDS Request timeout in seconds
        -e, --expected TEXT   Expected content in response
        -R, --restart CMD     Command to execute for service restart
        -d, --debug           Enable debug logging to /var/log/awp-healthcheck.log
        -s, --silent          Suppress standard output (recommended for cron)
        --help                Show help message

**Examples**

Run manually with debug output:

.. code-block:: console

    /var/awp/bin/awp-monitor.sh --debug

Run silently (cron mode):

.. code-block:: console

    /var/awp/bin/awp-monitor.sh --silent
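
The monitor executes ``RESTART_CMD`` from its configuration file, so the file's ownership, mode and contents decide what runs when a health check fails. The shell function below is an added example, not part of Atomic OSSEC: it audits a config without sourcing it, assuming the plain KEY=value form and the ten variables listed above; the names ``audit_monitor_conf`` and ``write_sample_conf`` and the expected owner ``root`` are assumptions of the example.

```shell
#!/bin/sh
# Added example (not Atomic OSSEC code): audit awp-monitor.conf without sourcing it.
# Assumes plain KEY=value lines and the ten variables documented above.

audit_monitor_conf() {
    conf=$1
    owner=${2:-root}    # expected owner; root is an assumption of this example
    findings=0
    report() { printf 'finding: %s\n' "$1"; findings=$((findings + 1)); }

    if [ -L "$conf" ] || [ ! -f "$conf" ]; then
        report "not a regular file: $conf"
        return 1
    fi
    # Whoever can write this file chooses the command the monitor executes.
    [ -n "$(find "$conf" -prune -user "$owner" -print)" ] ||
        report "owner is not $owner"
    [ -z "$(find "$conf" -prune \( -perm -020 -o -perm -002 \) -print)" ] ||
        report "group- or world-writable"

    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        key=${line%%=*}
        val=${line#*=}
        [ "$key" != "$line" ] || { report "not KEY=value: $line"; continue; }
        # Drop one pair of surrounding double quotes, as in the listing above.
        case $val in '"'*'"') val=${val#\"}; val=${val%\"} ;; esac
        # A value needing shell expansion cannot be reviewed as plain data.
        case $val in
            *'`'*|*'$'*|*';'*|*'|'*|*'&'*|*'<'*|*'>'*|*'('*|*')'*)
                report "shell metacharacter in $key"; continue ;;
        esac
        case $key in
            PORT|MAX_RETRIES|RETRY_WAIT|TIMEOUT)
                case $val in ''|*[!0-9]*) report "$key is not a number" ;; esac ;;
            DEBUG|SILENT)
                case $val in true|false) ;; *) report "$key is not true/false" ;; esac ;;
            HOST|URL_PATH|EXPECTED_CONTENT|RESTART_CMD) ;;
            *) report "unknown key: $key" ;;
        esac
    done < "$conf"
    [ "$findings" -eq 0 ]
}

# Constructed sample: the default values from the listing above.
write_sample_conf() {
    cat > "$1" <<'EOF'
HOST="localhost"
PORT="30001"
URL_PATH="/"
MAX_RETRIES="6"
RETRY_WAIT="60"
TIMEOUT="5"
EXPECTED_CONTENT="Atomic OSSEC"
RESTART_CMD="systemctl restart awpwebd"
DEBUG="false"
SILENT="false"
EOF
    chmod 600 "$1"
}

sample=$(mktemp)
write_sample_conf "$sample"
audit_monitor_conf "$sample" "$(id -u)" && echo "sample config: no findings"
rm -f "$sample"
```

On the hub, run it as ``audit_monitor_conf /var/awp/etc/awp-monitor.conf``. A config written as a shell script rather than KEY=value lines will show up as findings and needs manual review.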


awp-remove-user
===============

Remove Atomic OSSEC web users


awps
====

.. code-block:: console

        Usage of awps:

          -op
                Operation to perform.
                Allowed values:
                vuln             : internal usage, regenerates vulnerability json files
                stats            : aggregate and display event statistics
                agent_group_list : list available agent groups
                rule_group_list  : list available rule groups
                group_rule_ilst  : list rules in specified -rule-group(s)

          -agent-group
                An agent group to limit the results to.
                Multiple usages of -agent-group=x are allowed.
                If no agents or groups are specified, all groups will be included.

          -agent
                An agent id to include in the results.
                Multiple usages of -agent=x are allowed.
                If no agents or groups are specified, all will be included.

          -rule-group
                An ossec rule group to limit the results to.
                Multiple usages of -rule-group=x are allowed.
                If no rules or groups specified, all groups will be included.

          -rule
                A rule id to include in the results.
                Multiple usages of -rule=x are allowed.
                If no rules or groups are specified, all will be included.

          -stats-days
                Number of days over which to calculate the stats averages.
                Default: 1, Max: 180

          -j
                Render output as json.
                Applies only to -op=stats

          -h
                Display help.


        Ex:
          ./awps -op=stats -agent-group=MyAgents





compliance-control.sh
=====================

.. code-block:: console

        /var/awp/bin/compliance-control.sh Usage: 
           Enable/Disable Compliance testing for maintenance:
             /var/awp/bin/compliance-control.sh <enable|disable> global - Disable Compliance tests globally
             /var/awp/bin/compliance-control.sh <enable|disable> <groupname>  - Disable Compliance tests for group
             /var/awp/bin/compliance-control.sh list - List all Compliance tests groups
             /var/awp/bin/compliance-control.sh status - Show Compliance tests status

           Show Status
           /var/awp/bin/compliance-control.sh status

           Show groups
           /var/awp/bin/compliance-control.sh list




fim-control.sh
==============

.. code-block:: console

        /var/awp/bin/fim-control.sh Usage:
           Enable/Disable FIM for maintenance:
             /var/awp/bin/fim-control.sh <enable|disable> global - Disable FIM globally
             /var/awp/bin/fim-control.sh <enable|disable> <groupname>  - Disable FIM for group
             /var/awp/bin/fim-control.sh list - List all FIM groups
             /var/awp/bin/fim-control.sh status - Show FIM status

           Show Status
           /var/awp/bin/fim-control.sh status

           Show groups
           /var/awp/bin/fim-control.sh list



host-query.sh
=============

Simple search for host process, package, or port information.


key_util.sh
===========

Remove IP address pinning from client.keys


malware-scan
============

.. code-block:: console

        Atomicorp Malware Scan CLI
        Version: 0.1
        Usage: /var/awp/bin/malware-scan -a|-g group|-i id -s <path>|-u|-x

          example: /var/awp/bin/malware-scan -a -s /etc


        Command line parameters

          Target requires one of the following
            -a 			All agents
            -g <group> 		All agents in group <group>
            -i <id>		Specified Agent ID

          Action requires one of the following
            -s <path>		malware scan <path>
            -u 			update signatures
            -x 			initialize scanner (first time setup)



rpmfix.sh
=========

Simple RPM database repair utility


setup
=====

Atomic OSSEC configuration utility


show_invalid_agents.sh
======================

List invalid agents


wdbclient
=========

``wdbclient`` is a command-line utility on the **manager (hub)** that queries the Wazuh DB socket (default: ``/var/ossec/queue/db/wdb``). It replaces direct ``sqlite3`` reads of ``global.db`` for supported operations and adds **agent inventory** helpers.

Typical location: ``/var/awp/bin/wdbclient`` (or the path used by your installation).

**Common options**

.. code-block:: console

   -socket path   Path to the wdb Unix socket (default: /var/ossec/queue/db/wdb)
   -json          With agent-inventory only: print one JSON object on stdout
   -h, -help      Show help

**Global / agent list queries** (examples: ``list-agents``, ``select-groups``, ``agent-list``, ``agent-id-name-group``) — run ``wdbclient -help`` for the full list of drop-in replacements for legacy SQLite queries.

**Agent inventory (syscollector / WDB agent DB)**

Run on the manager with the target agent ID:

.. code-block:: console

   wdbclient agent-osinfo <agent_id>
   wdbclient agent-packages <agent_id> [not-triaged]
   wdbclient agent-hotfixes <agent_id>
   wdbclient agent-containers <agent_id>
   wdbclient agent-programs-deep <agent_id> [deep_scan_id]
   wdbclient agent-sql <agent_id> <sql statement...>
   wdbclient agent-inventory <agent_id>

- **agent-containers** streams container inventory from ``sys_containers`` (same underlying data as container inventory APIs).
- **agent-inventory** runs a combined check (OS info, packages, hotfixes, and sample rows from network, hardware, ports, programs, processes). Default output is multi-section text; use ``-json`` to emit a **single JSON object** suitable for saving to a file:

.. code-block:: console

   wdbclient -json agent-inventory 56 > report.json

For full request syntax and column layouts, run ``wdbclient`` with no arguments or ``-help`` on the hub.





