From 2a3f602fb67294226cc1fbf9c1650150fce25065 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matev=C5=BE=20Er=C5=BEen?= <matevz.erzen@xlab.si>
Date: Fri, 25 Mar 2022 15:10:28 +0000
Subject: [PATCH] Resource ID mapping
---
 .dockerignore | 3 ++-
 MANIFEST | 2 +-
 Makefile | 7 ++++++-
 README.md | 16 ++++++++++++++++
 forward_evidence/generate_evidence.py | 5 +++--
 forward_evidence/resource_id_mapper.py | 14 ++++++++++++++
 resource_id_map.json | 5 +++++
 .../wazuh_evidence_collector.py | 3 +--
 8 files changed, 48 insertions(+), 7 deletions(-)
 create mode 100644 forward_evidence/resource_id_mapper.py
 create mode 100644 resource_id_map.json
diff --git a/.dockerignore b/.dockerignore
index 76be2e3..3a2b624 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -10,4 +10,5 @@ dump.rdb
 test/
 venv/
 env/
-.env
\ No newline at end of file
+.env
+resource_id_map.json
\ No newline at end of file
diff --git a/MANIFEST b/MANIFEST
index 2bde23d..ab96834 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -1,2 +1,2 @@
-VERSION=v0.0.12
+VERSION=v0.0.13
 SERVICE=evidence-collector
diff --git a/Makefile b/Makefile
index ea933d0..c4e391d 100644
--- a/Makefile
+++ b/Makefile
@@ -2,4 +2,9 @@ build:
 docker build -t evidence-collector .
 run:
- docker run --env-file .env evidence-collector
+ docker run --env-file .env -v ${PWD}/resource_id_map.json:/evidence-collector/resource_id_map.json --name evidence-collector evidence-collector
+
+stop-and-clean:
+ docker stop evidence-collector || \
+ docker rm evidence-collector || \
+ docker volume rm resource_id_map.json
\ No newline at end of file
diff --git a/README.md b/README.md
index 01e8f72..4d61a10 100644
--- a/README.md
+++ b/README.md
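Review bot: The `stop-and-clean` recipe chains its three commands with `||`, so `docker rm` only runs when `docker stop` fails and `docker volume rm` only when `docker rm` fails; on a running container the target stops it and leaves it in place. The last step also cannot do what its name says, because `resource_id_map.json` is bind-mounted by the `run` target rather than created as a named volume, so `docker volume rm resource_id_map.json` has nothing to remove. A single recipe line `docker rm -f evidence-collector` stops and removes the container in one step; if a separate stop is wanted, chain with `&&` or a plain newline instead of `||`. Note also that when the host file is absent at `docker run` time Docker creates a directory at the mount path, which the new mapper's bare `except:` then silently treats as an empty map — worth a one-line comment on the `run` target, e.g. `# resource_id_map.json must exist on the host, otherwise Docker mounts an empty directory`.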
@@ -104,6 +104,22 @@ All of the following environment variables have to be set (or passed to containe
 | `clouditor_client_id` | Clouditor OAuth2 default id. Default value `clouditor`. |
 | `clouditor_client_secret` | Clouditor OAuth2 default secret. Default value `clouditor`. |
+### Medina resource ID mapping
+
+Resource IDs used to generate evidence resources can be easily mapped to required values. In case ID isn't set, Evidence collector will use `name` parameter acquired from Wazuh - which is set to machine's hostname, unless explicitly set to something else.
+
+IDs can be set as `key:value` pairs inside `resource_id_map.json` file, that is later passed to Docker container:
+
+```
+{
+ "manager": "wazuh_manager",
+ "agent1": "test_agent_1",
+ "agent2": "test_agent_2"
+}
+```
+
+Where `key` represents Wazuh's `name` parameter (machine's hostname) and `value` equals to string `name` will be mapped to.
+
 ### Generate gRPC code from `.proto` files
 ```
diff --git a/forward_evidence/generate_evidence.py b/forward_evidence/generate_evidence.py
index c8a5a6b..1375b67 100644
--- a/forward_evidence/generate_evidence.py
+++ b/forward_evidence/generate_evidence.py
@@ -1,12 +1,13 @@
 import json
+from forward_evidence.resource_id_mapper import map_resource_id
 from grpc_gen.assessment_pb2 import AssessEvidenceRequest # Used if user doesn't provide other
 _default_resource_type = ["VirtualMachine", "Compute", "Resource"]
-def create_resource(id, name, type, property_list):
+def create_resource(name, type, property_list):
 resource = {
- "id": str(id),
+ "id": str(map_resource_id(name)),
 "name": str(name),
 "type": type if type is not None else _default_resource_type
 }
diff --git a/forward_evidence/resource_id_mapper.py b/forward_evidence/resource_id_mapper.py
new file mode 100644
index 0000000..ed38702
--- /dev/null
+++ b/forward_evidence/resource_id_mapper.py
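Review bot: With `create_resource` no longer taking an `id`, an agent that has no entry in `resource_id_map.json` gets its resource id from `name` alone, which the README in this commit describes as the hostname reported by Wazuh; the agent id previously passed as `agent[0]` (see the `wazuh_evidence_collector.py` hunk, which has the same issue) is dropped entirely. Two agents reporting the same hostname therefore collapse into one resource id, and a host can change the identity its evidence is filed under by changing its own hostname, so the fallback should be understood as trusting agent-supplied data. Keeping the agent id as an optional keyword fallback for the unmapped case, `def create_resource(name, type, property_list, id=None):`, would preserve the old behaviour without breaking the updated caller; any other four-argument caller not visible here would now fail with a TypeError. The function also has no docstring; one stating that the id is `name` looked up in `resource_id_map.json`, or `name` itself when unmapped, would record this contract. The closing lines of `create_resource` lie outside the hunk.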
@@ -0,0 +1,14 @@
+import json
+
+try:
+ f = open('resource_id_map.json')
+ map = json.load(f)
+ f.close()
+except:
+ map = {}
+
+def map_resource_id(name):
+ if name in map:
+ return map[name]
+ else:
+ return name
diff --git a/resource_id_map.json b/resource_id_map.json
new file mode 100644
index 0000000..71d7661
--- /dev/null
+++ b/resource_id_map.json
@@ -0,0 +1,5 @@
+{
+ "manager": "wazuh_manager",
+ "agent1": "test_agent_1",
+ "agent2": "test_agent_2"
+}
\ No newline at end of file
diff --git a/wazuh_evidence_collector/wazuh_evidence_collector.py b/wazuh_evidence_collector/wazuh_evidence_collector.py
index c13a063..4278cb1 100644
--- a/wazuh_evidence_collector/wazuh_evidence_collector.py
+++ b/wazuh_evidence_collector/wazuh_evidence_collector.py
@@ -133,8 +133,7 @@ def generate_evidence(agent, checker):
 else: malware_protection["malwareProtection"].update({ "applicationLogging": { "enabled": False, "loggingService": [], "retentionPeriod": None }})
- # TODO: change ID
- resource = create_resource(agent[0], agent[1], None, malware_protection)
+ resource = create_resource(agent[1], None, malware_protection)
 return create_assessevidence_request(get_id(), "evidence_collector_service", get_tool_id(), raw_evidence, resource)
 if __name__ == "__main__":
-- GitLab
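Review bot: The module-level `try`/`except:` around reading `resource_id_map.json` catches every exception, so an unreadable or malformed map file (a JSON syntax error, a permission problem, or the mount path having become a directory) silently degrades `map_resource_id` to returning `name` unchanged, with nothing logged to tell an operator that evidence is now being emitted under unmapped ids. Only `FileNotFoundError` is the expected "no mapping configured" case; other `OSError`/`ValueError` failures should at least be logged. The handle is also not closed on the failure path, the path is resolved against the process working directory rather than the module (presumably intended given the Makefile mount, but worth a comment), and `map` shadows the builtin while the `if`/`else` reduces to `dict.get`. `map_resource_id` lacks a docstring stating that the result falls back to the input name.
```python
import json
import logging

logger = logging.getLogger(__name__)

# Resolved against the working directory; the Makefile mounts the file at
# /evidence-collector/resource_id_map.json.
_MAP_PATH = 'resource_id_map.json'

try:
    with open(_MAP_PATH) as f:
        _resource_id_map = json.load(f)
except FileNotFoundError:
    _resource_id_map = {}  # no mapping configured: names are used as ids
except (OSError, ValueError) as err:
    # Present but unusable: say so rather than silently emitting unmapped ids.
    logger.warning("ignoring %s: %s", _MAP_PATH, err)
    _resource_id_map = {}

def map_resource_id(name):
    """Return the id configured for `name` in resource_id_map.json, else `name` itself."""
    return _resource_id_map.get(name, name)
```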