From 603b253e8bf53bdcb7c58f1b5946a428ea35dcf4 Mon Sep 17 00:00:00 2001
From: matevz_erzen <matevz.erzen@xlab.si>
Date: Wed, 22 Sep 2021 15:46:12 +0200
Subject: [PATCH] Check ClamAV packages and process

---
 verifier.py | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/verifier.py b/verifier.py
index bd33d20..624a1bc 100644
--- a/verifier.py
+++ b/verifier.py
@@ -3,6 +3,7 @@ from evidence import Evidence, simple_evidence
 from random import randint
 from sys import maxsize
 from datetime import datetime
+import pprint
 
 wc = WazuhClient('192.168.33.10', 55000, 'wazuh-wui', 'wazuh-wui')
 
@@ -99,6 +100,7 @@ def check_virus_total_integration(wc):
     return evidence
 
 # Check last Syscheck & Rootcheck scan times
+# When producing 'real' evidence, make sure to provide differentiation between Syscheck and Rootcheck outputs.
 def check_last_scan_time(wc, agent_id):
     body = wc.req('GET', 'syscheck/' + agent_id + '/last_scan')
 
@@ -113,3 +115,33 @@ def check_last_scan_time(wc, agent_id):
     evidence2 = simple_evidence(get_id('05.4'), get_timestamp(), measurement_result, body)
 
     return evidence1, evidence2
+
+# Check if ClamAV daemon package installed
+def check_clamd_install(wc, agent_id):
+    body = wc.req('GET', 'syscollector/' + agent_id + '/packages')
+
+    measurement_result = 'false'
+
+    for package in body['data']['affected_items']:
+        if package['name'] == 'clamd':
+            measurement_result = 'true'
+            break
+
+    evidence = simple_evidence(get_id('05.3'), get_timestamp(), measurement_result, body)
+
+    return evidence
+
+# Check if ClamAV daemon process running
+def check_clamd_process(wc, agent_id):
+    body = wc.req('GET', 'syscollector/' + agent_id + '/processes')
+
+    measurement_result = 'false'
+
+    for package in body['data']['affected_items']:
+        if package['name'] == 'clamd':
+            measurement_result = 'true'
+            break
+
+    evidence = simple_evidence(get_id('05.3'), get_timestamp(), measurement_result, body)
+
+    return evidence
-- 
GitLab
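Review bot: The new `import pprint` is not used by any line this patch adds, so it looks like a leftover from inspecting the syscollector payloads; either drop it or, if it is used further down the file outside these hunks, move it into the stdlib import group above the project imports. Separately, and not introduced by this commit, the context line right below it, `wc = WazuhClient('192.168.33.10', 55000, 'wazuh-wui', 'wazuh-wui')`, bakes a host and what look like default credentials into the module at import time; that deserves a follow-up to read them from the environment or a config file rather than source control.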
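Review bot: Both new functions tag their evidence with `get_id('05.3')`, so a "package installed" result and a "process running" result are indistinguishable to whatever consumes the evidence; the sibling `check_last_scan_time` gives each of its two measurements its own ID (`'05.4'` is visible in the hunk, the first ID lies outside it), and the process check should likewise get a distinct ID rather than a copy of the install check's. The exact match `package['name'] == 'clamd'` is also fragile across distributions — on Debian/Ubuntu the daemon package is `clamav-daemon` while the running process is still `clamd` — so the install check would report `'false'` for a host that is in fact protected; accepting a small set of names per endpoint avoids that false negative. The two bodies are otherwise identical apart from the endpoint and the misnamed loop variable `package` in the process check, so a shared helper removes the duplication and keeps both checks in step; a sketch follows, which keeps the caller-facing signatures and still concatenates `agent_id` into the URL path exactly as `check_last_scan_time` does, which is acceptable only while `agent_id` is never taken unvalidated from an external caller.
```python
# Names the ClamAV daemon is known under per inventory type; extend as needed.
_CLAMD_PACKAGE_NAMES = {'clamd', 'clamav-daemon'}
_CLAMD_PROCESS_NAMES = {'clamd'}

def _agent_reports_item(wc, agent_id, endpoint, names):
    # Query one syscollector inventory and report whether any entry matches.
    # Returns the 'true'/'false' string the evidence format expects plus the raw body.
    body = wc.req('GET', 'syscollector/' + agent_id + '/' + endpoint)
    found = any(item.get('name') in names for item in body['data']['affected_items'])
    return ('true' if found else 'false'), body

# Check if ClamAV daemon package installed
def check_clamd_install(wc, agent_id):
    measurement_result, body = _agent_reports_item(wc, agent_id, 'packages', _CLAMD_PACKAGE_NAMES)
    return simple_evidence(get_id('05.3'), get_timestamp(), measurement_result, body)

# Check if ClamAV daemon process running
def check_clamd_process(wc, agent_id):
    measurement_result, body = _agent_reports_item(wc, agent_id, 'processes', _CLAMD_PROCESS_NAMES)
    # TODO: give the process check its own evidence ID instead of reusing '05.3'
    return simple_evidence(get_id('05.3'), get_timestamp(), measurement_result, body)
```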