Check ClamAV packages and process

verifier.py

@@ -3,6 +3,7 @@ from evidence import Evidence, simple_evidence
 from random import randint
 from sys import maxsize
 from datetime import datetime
+import pprint
 
 wc = WazuhClient('192.168.33.10', 55000, 'wazuh-wui', 'wazuh-wui')
 
@@ -99,6 +100,7 @@ def check_virus_total_integration(wc):
     return evidence
 
 # Check last Syscheck & Rootcheck scan times
+# When producing 'real' evidence, make sure to provide differentiation between Syscheck and Rootcheck outputs.
 def check_last_scan_time(wc, agent_id):
     body = wc.req('GET', 'syscheck/' + agent_id + '/last_scan')
 
@@ -113,3 +115,33 @@ def check_last_scan_time(wc, agent_id):
     evidence2 = simple_evidence(get_id('05.4'), get_timestamp(), measurement_result, body)
 
     return evidence1, evidence2
+
+# Check if ClamAV daemon package installed
+def check_clamd_install(wc, agent_id):
+    body = wc.req('GET', 'syscollector/' + agent_id + '/packages')
+
+    measurement_result = 'false'
+
+    for package in body['data']['affected_items']:
+        if package['name'] == 'clamd':
+            measurement_result = 'true'
+            break
+    
+    evidence = simple_evidence(get_id('05.3'), get_timestamp(), measurement_result, body)
+
+    return evidence
+
+# Check if ClamAV daemon process running
+def check_clamd_process(wc, agent_id):
+    body = wc.req('GET', 'syscollector/' + agent_id + '/processes')
+
+    measurement_result = 'false'
+
+    for package in body['data']['affected_items']:
+        if package['name'] == 'clamd':
+            measurement_result = 'true'
+            break
+
+    evidence = simple_evidence(get_id('05.3'), get_timestamp(), measurement_result, body)
+
+    return evidence