diff --git a/evidence.py b/evidence.py
new file mode 100644
index 0000000000000000000000000000000000000000..16d50529ccf6202f8372a3eb701004d07c60857e
--- /dev/null
+++ b/evidence.py
@@ -0,0 +1,20 @@
+import json
+
+class Evidence:
+
+ def __init__(self, evidence_id, timestamp, resource_id, tool, resource_type, feature_type, feature_property, measurement_result, body):
+ self.evidence_id = evidence_id
+ self.timestamp = timestamp
+ self.resource_id = resource_id
+ self.tool = tool
+ self.resource_type = resource_type
+ self.feature_type = feature_type
+ self.feature_property = feature_property
+ self.measurement_result = measurement_result
+ self.body = body
+
+ def get_json(self):
+ return json.dumps(self.__dict__)
+
+def simple_evidence(evidence_id, timestamp, measurement_result, body):
+ return Evidence(evidence_id, timestamp, None, None, None, None, None, measurement_result, body)
diff --git a/verifier.py b/verifier.py
index d0ec9726e4e06c109aae6c6e4bb536a58e639f16..eb190bd6b09128cdb2f97f42b79e0acbbd52503b 100644
--- a/verifier.py
+++ b/verifier.py
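Review bot: `simple_evidence` passes five bare `None`s positionally into a nine-parameter constructor, so any reordering or insertion of a field in `Evidence.__init__` would silently shift `measurement_result` and `body` into the wrong attributes; pass the trailing values by keyword, `return Evidence(evidence_id, timestamp, None, None, None, None, None, measurement_result=measurement_result, body=body)`, or give the optional parameters a default of `None` so the call names only what it sets. `get_json` also lacks a docstring saying that it serializes the whole instance, including the raw API response held in `body`, into the evidence record; a one-liner such as `"""Serialize every attribute, including the raw API response in body, as a JSON string."""` makes that explicit to whoever stores or forwards the evidence. Because `json.dumps` receives `self.__dict__` directly, a `body` that is not JSON-serializable fails with TypeError at serialization time rather than at construction, which is worth stating in the same docstring.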
@@ -1,19 +1,70 @@
 from wazuhclient import WazuhClient
-
+from evidence import Evidence, simple_evidence
+from random import randint
+from sys import maxsize
+import json
+import pprint
 wc = WazuhClient('192.168.33.10', 55000, 'wazuh-wui', 'wazuh-wui')
-agents = wc.req('GET', 'agents')
-rules = wc.req('GET', 'rules')
-print(agents)
-print(rules)
-syscheck1 = wc.req('GET', 'manager/configuration/mail/global') # check if mail or any integration service (integrator/integrations) are enabled -> automatic monitoring
-print(syscheck1)
-rules1 = wc.req('GET', 'agents/001/config/syscheck/internal') # SYSCHECK
-print(rules1)
-print(wc.req('GET', 'agents/001/config/syscheck/rootcheck')) # ROOTCHECK
+# Get list of all agent ids (including manager's)
+def get_agents(wc):
+ body = wc.req('GET', 'agents')
+
+ agents_ids = []
+ for agent in body['data']['affected_items']:
+ agents_ids.append(agent['id'])
+
+ return body, agents_ids
+
+
+# Check if syscheck enabled
+def get_syscheck(wc, agent_id):
+ body = wc.req('GET', 'agents/' + agent_id + '/config/syscheck/syscheck')
+
+ measurement_result = ('true' if body['data']['syscheck']['disabled'] == 'no' else 'false')
+
+ return body, measurement_result
+
+
+# Check if rootcheck enabled
+def get_rootcheck(wc, agent_id):
+ body = wc.req('GET', 'agents/' + agent_id + '/config/syscheck/rootcheck')
+
+ measurement_result = ('true' if body['data']['rootcheck']['disabled'] == 'no' else 'false')
+
+ return body, measurement_result
+
+
+# Check if there's at least one valid alerting service
+def get_alert_integrations(wc):
+ body = wc.req('GET', 'manager/configuration')
+
+ # Check email notifications integration
+ try:
+ email_notifications = (True if body['data']['affected_items'][0]['global']['email_notification'] == 'yes' else False)
+ except:
+ email_notifications = False
+
+ # Check Slack and PagerDuty notifications integration
+ try:
+ integrations = body['data']['affected_items'][0]['integration']
+
+ slack_notifications = pagerduty_notifications = False
+
+ for integration in integrations:
+ if integration['name'] == 'slack':
+ slack_notifications = True
+
+ if integration['name'] == 'pagerduty':
+ pagerduty_notifications = True
+ except:
+ slack_notifications = pagerduty_notifications = False
+
+ measurement_result = ('true' if email_notifications or slack_notifications or pagerduty_notifications else 'false')
+
+ return body, measurement_result
-print(wc.req('GET', 'sca/001'))
-# TODO how to check integration with virustotal and/or ClamAV ??
\ No newline at end of file
+#pprint.pprint(wc.req('GET', 'sca/000'))
\ No newline at end of file
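Review bot: The two bare `except:` clauses in `get_alert_integrations` catch every exception (including KeyboardInterrupt and SystemExit) and turn any client error or unexpected response shape into a 'false' measurement, so a failed API call becomes indistinguishable in the evidence from a manager that genuinely has no alerting integration; narrow both to the lookup failures actually expected, `except (KeyError, IndexError, TypeError):`, and let anything else propagate. That would also make the function consistent with `get_syscheck` and `get_rootcheck` in the same hunk, which index `body['data'][...]` with no handling at all and raise on the same kind of malformed response. `randint`, `maxsize` and `json` are imported but not used anywhere in this hunk; if they are intended for generating evidence ids later, note that `random` is not designed for identifiers that must be unpredictable and `uuid.uuid4()` is the usual choice. The address and credential literals on the unchanged `wc = WazuhClient(...)` line predate this commit, but since the new functions now build a verifier around that client, moving them to configuration or the environment is a reasonable follow-up.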