from wazuh_evidence_collector.wazuh_client import WazuhClient
from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
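class Checker:
    """Run evidence checks against a Wazuh manager and its Elasticsearch alert index.

    Every ``check_*`` method returns ``(body, measurement_result)``: the raw API
    or search response, kept as evidence, and a bool verdict.  When a response
    does not have the expected structure (agent unreachable, error payload,
    missing section) the verdict is ``False`` -- the check fails closed instead
    of raising, so one bad agent does not abort a whole evidence run.

    Args:
        wc: client exposing ``req(method, path)`` against the Wazuh API.
        es: ``Elasticsearch`` connection used for alert searches.
    """

    # Wazuh agent IDs are zero-padded decimal strings ("000", "001", ...).
    _AGENT_ID_CHARS = frozenset("0123456789")

    def __init__(self, wc, es):
        self.wc = wc
        self.es = es

    @staticmethod
    def _dig(node, *keys):
        """Walk ``node[k0][k1]...`` and return the value, or ``None`` if any step fails.

        Swallows only the three errors a malformed response produces (missing
        key, short list, wrong container type) so the checks can compare the
        result with ``==`` without a try/except around every access.
        """
        for key in keys:
            try:
                node = node[key]
            except (KeyError, IndexError, TypeError):
                return None
        return node

    @classmethod
    def _agent_id(cls, agent):
        """Return ``agent[0]`` after checking that it looks like a Wazuh agent ID.

        The ID is spliced directly into the API request path, so anything
        other than a non-empty decimal string is rejected here rather than
        being sent to the manager as part of a URL.

        Raises:
            ValueError: if ``agent[0]`` is not a non-empty decimal string.
        """
        agent_id = agent[0]
        if (not isinstance(agent_id, str) or not agent_id
                or set(agent_id) - cls._AGENT_ID_CHARS):
            raise ValueError(f"invalid Wazuh agent id: {agent_id!r}")
        return agent_id

    @classmethod
    def _integration_names(cls, body):
        """Return the set of ``name`` values under ``affected_items[0].integration``.

        Returns an empty set when the section is absent or not a list, so a
        missing ``integration`` block reads as "no integrations configured".
        """
        integrations = cls._dig(body, 'data', 'affected_items', 0, 'integration')
        if not isinstance(integrations, (list, tuple)):
            return set()
        return {cls._dig(entry, 'name') for entry in integrations}

    def check_syscheck(self, agent):
        """Check that the syscheck module is enabled on ``agent``.

        Args:
            agent: sequence whose first element is the Wazuh agent ID.

        Returns:
            ``(body, enabled)`` -- the ``config/syscheck/syscheck`` response and
            whether it reports ``disabled == 'no'``.

        Raises:
            ValueError: if the agent ID is malformed (see ``_agent_id``).
        """
        agent_id = self._agent_id(agent)
        body = self.wc.req('GET', f'agents/{agent_id}/config/syscheck/syscheck')
        enabled = self._dig(body, 'data', 'syscheck', 'disabled') == 'no'
        return body, enabled

    def check_rootcheck(self, agent):
        """Check that the rootcheck module is enabled on ``agent``.

        Args:
            agent: sequence whose first element is the Wazuh agent ID.

        Returns:
            ``(body, enabled)`` -- the ``config/syscheck/rootcheck`` response and
            whether it reports ``disabled == 'no'``.

        Raises:
            ValueError: if the agent ID is malformed (see ``_agent_id``).
        """
        agent_id = self._agent_id(agent)
        body = self.wc.req('GET', f'agents/{agent_id}/config/syscheck/rootcheck')
        enabled = self._dig(body, 'data', 'rootcheck', 'disabled') == 'no'
        return body, enabled

    def check_alert_integrations(self):
        """Check that at least one alert delivery channel is configured on the manager.

        Accepted channels: global ``email_notification == 'yes'``, or an
        ``integration`` block named ``slack`` or ``pagerduty``.  Only the
        presence of the block is checked -- a hook URL or API key that is
        wrong, expired or revoked is not detected here.

        Returns:
            ``(body, configured)`` -- the ``manager/configuration`` response and
            the verdict.
        """
        body = self.wc.req('GET', 'manager/configuration')
        email = self._dig(
            body, 'data', 'affected_items', 0, 'global', 'email_notification') == 'yes'
        names = self._integration_names(body)
        configured = email or 'slack' in names or 'pagerduty' in names
        return body, configured

    def check_virus_total_integration(self):
        """Check that an ``integration`` block named ``virustotal`` exists on the manager.

        As with the alerting check, presence of the block is all that is
        verified; the API key it carries is not validated.

        Returns:
            ``(body, configured)`` -- the ``manager/configuration`` response and
            the verdict.
        """
        body = self.wc.req('GET', 'manager/configuration')
        return body, 'virustotal' in self._integration_names(body)

    def check_clamd_process(self, agent):
        """Check that a process named ``clamd`` appears in the agent's syscollector inventory.

        This matches on the process name only, which any binary can use; it
        is evidence that something called ``clamd`` is running, not that it
        is the genuine ClamAV daemon or that its signatures are current.

        Args:
            agent: sequence whose first element is the Wazuh agent ID.

        Returns:
            ``(body, running)`` -- the ``syscollector/<id>/processes`` response
            and the verdict.

        Raises:
            ValueError: if the agent ID is malformed (see ``_agent_id``).
        """
        agent_id = self._agent_id(agent)
        body = self.wc.req('GET', f'syscollector/{agent_id}/processes')
        processes = self._dig(body, 'data', 'affected_items')
        if not isinstance(processes, (list, tuple)):
            processes = []
        running = any(self._dig(proc, 'name') == 'clamd' for proc in processes)
        return body, running

    def check_clamd_logs_elastic(self, agent):
        """Look for at least one "Clamd restarted" alert from ``agent`` in ``wazuh-alerts-*``.

        Args:
            agent: sequence whose first element is the Wazuh agent ID.

        Returns:
            ``(body, found)`` -- the raw search response (default page size, so
            at most the first page of hits) and whether any hit came back.

        Raises:
            ValueError: if the agent ID is malformed (see ``_agent_id``).
        """
        agent_id = self._agent_id(agent)
        search = (
            Search(using=self.es, index="wazuh-alerts-*")
            .query("match", predecoder__program_name="clamd")
            # Field was previously spelled "rule__descrhosttion", which no
            # alert carries, so this check could never pass.  match_phrase
            # instead of match: a plain match ORs the terms and would also
            # accept e.g. "Clamd stopped".
            .query("match_phrase", rule__description="Clamd restarted")
            .query("match", agent__id=agent_id)
        )
        body = search.execute().to_dict()
        found = len(self._dig(body, 'hits', 'hits') or []) > 0
        return body, found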