Add demo mode function.

Squashed commit of the following: commit 718efd4db1fd64e5baed53d27c149219fab47879 Author: Anže Žitnik <anze.zitnik@xlab.si> Date: Thu Jan 20 16:03:58 2022 +0100 Version up commit c574b33acd9c5c131e8a2b53ad69ff1a970d2203 Author: Anže Žitnik <anze.zitnik@xlab.si> Date: Thu Jan 20 16:02:07 2022 +0100 Add demo mode function. Created an option in constants.json where demo mode can be selected. It will not query wazuh or elastic, just output random evidence.

Add demo mode function.
1cf48f6e · Zitnik, Anze · 7e7ce806 · 1cf48f6e · 1cf48f6e · 1cf48f6e
Commit 1cf48f6e authored 3 years ago by Zitnik, Anze
--- a/MANIFEST
+++ b/MANIFEST
-VERSION=v0.0.6
+VERSION=v0.0.7
 SERVICE=evidence-collector
--- a/constants.json
+++ b/constants.json
 {
+    "general": {
+        "demo": false
+    },
    "wazuh": {
        "host": "192.168.33.10",
        "port": 55000,

--- a/wazuh_evidence_collector/checker.py
+++ b/wazuh_evidence_collector/checker.py
+from wazuh_evidence_collector.wazuh_client import WazuhClient
+from elasticsearch import Elasticsearch
+from elasticsearch_dsl import Search
+
+
+class Checker:
+    def __init__(self, wc, es):
+        self.wc = wc
+        self.es = es
+        
+    # Check if syscheck enabled
+    def check_syscheck(self, agent):
+        body = self.wc.req('GET', 'agents/' + agent[0] + '/config/syscheck/syscheck')
+        
+        measurement_result = body['data']['syscheck']['disabled'] == 'no'
+        
+        return body, measurement_result
+    
+    # Check if rootcheck enabled
+    def check_rootcheck(self, agent):
+        body = self.wc.req('GET', 'agents/' + agent[0] + '/config/syscheck/rootcheck')
+        
+        measurement_result = body['data']['rootcheck']['disabled'] == 'no'
+        
+        return body, measurement_result
+    
+    # Check if there's at least one valid alerting service
+    def check_alert_integrations(self):
+        body = self.wc.req('GET', 'manager/configuration')
+        
+        # Check email notifications integration
+        try:
+            email_notifications = (
+                True if body['data']['affected_items'][0]['global']['email_notification'] == 'yes' else False)
+        except:
+            email_notifications = False
+        
+        # Check Slack and PagerDuty notifications integration
+        try:
+            integrations = body['data']['affected_items'][0]['integration']
+            
+            slack_notifications = pagerduty_notifications = False
+            
+            for integration in integrations:
+                if integration['name'] == 'slack':
+                    slack_notifications = True
+                
+                if integration['name'] == 'pagerduty':
+                    pagerduty_notifications = True
+        except:
+            slack_notifications = pagerduty_notifications = False
+        
+        measurement_result = email_notifications or slack_notifications or pagerduty_notifications
+        
+        return body, measurement_result
+    
+    # Check for VirusTotal integration
+    def check_virus_total_integration(self):
+        body = self.wc.req('GET', 'manager/configuration')
+        
+        # Check VirusTotal integration
+        try:
+            integrations = body['data']['affected_items'][0]['integration']
+            
+            measurement_result = False
+            
+            for integration in integrations:
+                if integration['name'] == 'virustotal':
+                    measurement_result = True
+                    break
+        except:
+            measurement_result = False
+        
+        return body, measurement_result
+    
+    # Check if ClamAV daemon process running
+    def check_clamd_process(self, agent):
+        body = self.wc.req('GET', 'syscollector/' + agent[0] + '/processes')
+        
+        measurement_result = False
+        
+        for package in body['data']['affected_items']:
+            if package['name'] == 'clamd':
+                measurement_result = True
+                break
+        
+        return body, measurement_result
+    
+    # Check ClamAV logs in Elasticsearch
+    def check_clamd_logs_elastic(self, agent):
+        s = Search(using=self.es, index="wazuh-alerts-*") \
+            .query("match", predecoder__program_name="clamd") \
+            .query("match", rule__descrhosttion="Clamd restarted") \
+            .query("match", agent__id=agent[0])
+        
+        body = s.execute().to_dict()
+        
+        measurement_result = len(body['hits']['hits']) > 0
+        
+        return body, measurement_result
--- a/wazuh_evidence_collector/demo_checker.py
+++ b/wazuh_evidence_collector/demo_checker.py
+import random
+
+class DemoChecker:
+    
+    def __init__(self):
+        self.result = bool(random.getrandbits(1))
+    
+    def __body(self, name):
+        return {name: self.result}
+    
+    # Check if syscheck enabled
+    def check_syscheck(self, *_):
+        body = self.__body("syscheck")
+
+        return body, self.result
+    
+    # Check if rootcheck enabled
+    def check_rootcheck(self, *_):
+        body = self.__body("rootcheck")
+
+        return body, self.result
+    
+    # Check if there's at least one valid alerting service
+    def check_alert_integrations(self, *_):
+        body = self.__body("alerting_services")
+
+        return body, self.result
+    
+    # Check for VirusTotal integration
+    def check_virus_total_integration(self, *_):
+        body = self.__body("virustotal_integration")
+        
+        return body, self.result
+    
+    # Check if ClamAV daemon process running
+    def check_clamd_process(self, *_):
+        body = self.__body("clamd_process")
+        
+        return body, self.result
+    
+    # Check ClamAV logs in Elasticsearch
+    def check_clamd_logs_elastic(self, *_):
+        body = self.__body("clamd_logs")
+    
+        return body, self.result
--- a/wazuh_evidence_collector/wazuh_evidence_collector.py
+++ b/wazuh_evidence_collector/wazuh_evidence_collector.py
@@ -4,6 +4,8 @@ from elasticsearch import Elasticsearch
 from elasticsearch_dsl import Search
 from forward_evidence.forward_evidence import ForwardEvidence
 from forward_evidence.generate_evidence import create_resource, create_assessevidence_request, print_evidence
+from wazuh_evidence_collector.checker import Checker
+from wazuh_evidence_collector.demo_checker import DemoChecker
 import uuid
 import configparser
 import logging.config
@@ -15,18 +17,20 @@ f.close()
 logging.config.fileConfig('logging.conf')
 LOGGER = logging.getLogger('root')

+DEMO = CONSTANTS["general"]["demo"]

-wc = WazuhClient(CONSTANTS['wazuh']['host'], CONSTANTS['wazuh']['port'], CONSTANTS['wazuh']['username'], CONSTANTS['wazuh']['password'])
+if not DEMO:
+    wc = WazuhClient(CONSTANTS['wazuh']['host'], CONSTANTS['wazuh']['port'], CONSTANTS['wazuh']['username'], CONSTANTS['wazuh']['password'])

-es = Elasticsearch(
-        CONSTANTS['elastic']['host'],
-        http_auth=(CONSTANTS['elastic']['username'], CONSTANTS['elastic']['password']),
-        scheme='https',
-        port=CONSTANTS['elastic']['port'],
-        use_ssl=False,
-        verify_certs=False,
-        ssl_show_warn=False,
-    )
+    es = Elasticsearch(
+            CONSTANTS['elastic']['host'],
+            http_auth=(CONSTANTS['elastic']['username'], CONSTANTS['elastic']['password']),
+            scheme='https',
+            port=CONSTANTS['elastic']['port'],
+            use_ssl=False,
+            verify_certs=False,
+            ssl_show_warn=False,
+        )

 forwarder = ForwardEvidence(CONSTANTS, LOGGER)

@@ -56,6 +60,7 @@ def main():

 # Wrapper function that runs all the checks (for every manager/agent)
 def run_collector():
+    checker = Checker(wc, es) if not DEMO else DemoChecker()

    # Get list of all agent ids (including manager's)
    def get_agents(wc):
@@ -67,12 +72,12 @@ def run_collector():

        return body, agent_list

-    body, agent_list = get_agents(wc)
+    body, agent_list = get_agents(wc) if not DEMO else ({}, [[0, "dummyAgent0"], [1, "dummyAgent1"]])

    ae_req_list = []

    for agent in agent_list:
-        ae_req_list.append(generate_evidence(wc, es, agent))
+        ae_req_list.append(generate_evidence(agent, checker))

    # TODO:
    for ae_req in ae_req_list:
@@ -82,116 +87,25 @@ def run_collector():
    return ae_req_list

 # Run checks and generate evidence
-def generate_evidence(wc, es, agent):
-
-    # Check if syscheck enabled
-    def check_syscheck(wc, agent):
-        body = wc.req('GET', 'agents/' + agent[0] + '/config/syscheck/syscheck')
-
-        measurement_result = body['data']['syscheck']['disabled'] == 'no'
-
-        return body, measurement_result
-
-    # Check if rootcheck enabled
-    def check_rootcheck(wc, agent):
-        body = wc.req('GET', 'agents/' + agent[0] + '/config/syscheck/rootcheck')
-
-        measurement_result = body['data']['rootcheck']['disabled'] == 'no'
-
-        return body, measurement_result
-
-    # Check if there's at least one valid alerting service
-    def check_alert_integrations(wc):
-        body = wc.req('GET', 'manager/configuration')
-
-        # Check email notifications integration
-        try:
-            email_notifications = (True if body['data']['affected_items'][0]['global']['email_notification'] == 'yes' else False)
-        except:
-            email_notifications = False
-
-        # Check Slack and PagerDuty notifications integration
-        try:
-            integrations = body['data']['affected_items'][0]['integration']
-
-            slack_notifications = pagerduty_notifications = False
-
-            for integration in integrations:
-                if integration['name'] == 'slack':
-                    slack_notifications = True
-
-                if integration['name'] == 'pagerduty':
-                    pagerduty_notifications = True
-        except:
-            slack_notifications = pagerduty_notifications = False
-
-        measurement_result = email_notifications or slack_notifications or pagerduty_notifications
-
-        return body, measurement_result
-
-    # Check for VirusTotal integration
-    def check_virus_total_integration(wc):
-        body = wc.req('GET', 'manager/configuration')
-
-        # Check VirusTotal integration
-        try:
-            integrations = body['data']['affected_items'][0]['integration']
-
-            measurement_result = False
-
-            for integration in integrations:
-                if integration['name'] == 'virustotal':
-                    measurement_result = True
-                    break
-        except:
-            measurement_result = False
-
-        return body, measurement_result
-
-    # Check if ClamAV daemon process running
-    def check_clamd_process(wc, agent):
-        body = wc.req('GET', 'syscollector/' + agent[0] + '/processes')
-
-        measurement_result = False
-
-        for package in body['data']['affected_items']:
-            if package['name'] == 'clamd':
-                measurement_result = True
-                break
-
-        return body, measurement_result
-
-    # Check ClamAV logs in Elasticsearch
-    def check_clamd_logs_elastic(es, agent):
-        s = Search(using=es, index="wazuh-alerts-*") \
-        .query("match", predecoder__program_name="clamd") \
-        .query("match", rule__descrhosttion="Clamd restarted") \
-        .query("match", agent__id=agent[0]) 
-
-        body = s.execute().to_dict()
-
-        measurement_result = len(body['hits']['hits']) > 0
-
-        return body, measurement_result
-
+def generate_evidence(agent, checker):
    raw_evidence = []

-    evidence, result_syscheck = check_syscheck(wc, agent)
+    evidence, result_syscheck = checker.check_syscheck(agent)
    raw_evidence.append(evidence)

-    evidence, result_rootcheck = check_rootcheck(wc, agent)
+    evidence, result_rootcheck = checker.check_rootcheck(agent)
    raw_evidence.append(evidence)

-    evidence, result_alert_integration = check_alert_integrations(wc)
+    evidence, result_alert_integration = checker.check_alert_integrations()
    raw_evidence.append(evidence)

-    evidence, result_virus_total = check_virus_total_integration(wc)
+    evidence, result_virus_total = checker.check_virus_total_integration()
    raw_evidence.append(evidence)

-    evidence, result_clamd_process = check_clamd_process(wc, agent)
+    evidence, result_clamd_process = checker.check_clamd_process(agent)
    raw_evidence.append(evidence)

-    evidence, result_clamd_logs = check_clamd_logs_elastic(es, agent)
+    evidence, result_clamd_logs = checker.check_clamd_logs_elastic(agent)
    raw_evidence.append(evidence)

    # TODO: