From 603b253e8bf53bdcb7c58f1b5946a428ea35dcf4 Mon Sep 17 00:00:00 2001
From: matevz_erzen <matevz.erzen@xlab.si>
Date: Wed, 22 Sep 2021 15:46:12 +0200
Subject: [PATCH] Check ClamAV packages and process

---
 verifier.py | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/verifier.py b/verifier.py
index bd33d20..624a1bc 100644
--- a/verifier.py
+++ b/verifier.py
@@ -3,6 +3,7 @@ from evidence import Evidence, simple_evidence
 from random import randint
 from sys import maxsize
 from datetime import datetime
+import pprint
 
 wc = WazuhClient('192.168.33.10', 55000, 'wazuh-wui', 'wazuh-wui')
 
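Review bot: `import pprint` is added but no line in this patch uses it, so it looks like a debugging leftover; drop it, or if a hunk outside this view relies on it, keep it but group it with the other plain `import` lines rather than after the `from … import` block. Unrelated to this change but visible in the context below: the `WazuhClient` host and credentials are hard-coded at module level, so they live in version control — reading them from the environment or a config file kept outside the repo would be the usual fix.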
@@ -99,6 +100,7 @@ def check_virus_total_integration(wc):
     return evidence
 
 # Check last Syscheck & Rootcheck scan times
+# When producing 'real' evidence, make sure to provide differentiation between Syscheck and Rootcheck outputs.
 def check_last_scan_time(wc, agent_id):
     body = wc.req('GET', 'syscheck/' + agent_id + '/last_scan')
 
@@ -113,3 +115,33 @@ def check_last_scan_time(wc, agent_id):
     evidence2 = simple_evidence(get_id('05.4'), get_timestamp(), measurement_result, body)
 
     return evidence1, evidence2
+
+# Check if ClamAV daemon package installed
+def check_clamd_install(wc, agent_id):
+    body = wc.req('GET', 'syscollector/' + agent_id + '/packages')
+
+    measurement_result = 'false'
+
+    for package in body['data']['affected_items']:
+        if package['name'] == 'clamd':
+            measurement_result = 'true'
+            break
+    
+    evidence = simple_evidence(get_id('05.3'), get_timestamp(), measurement_result, body)
+
+    return evidence
+
+# Check if ClamAV daemon process running
+def check_clamd_process(wc, agent_id):
+    body = wc.req('GET', 'syscollector/' + agent_id + '/processes')
+
+    measurement_result = 'false'
+
+    for package in body['data']['affected_items']:
+        if package['name'] == 'clamd':
+            measurement_result = 'true'
+            break
+
+    evidence = simple_evidence(get_id('05.3'), get_timestamp(), measurement_result, body)
+
+    return evidence
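Review bot: `check_clamd_process` reports its evidence under `get_id('05.3')`, the same measurement id `check_clamd_install` uses a few lines above, so the two results cannot be told apart downstream; the existing `check_last_scan_time` assigns a distinct id per result (`'05.4'`), which suggests a copy-paste slip rather than intent — if both checks are meant to feed one measurement, a comment saying so would help. Both checks also match the exact name `'clamd'`, which is the RHEL/Fedora package name; on Debian/Ubuntu the daemon package is `clamav-daemon`, so the install check would report `'false'` on a host that is in fact protected — a tuple of accepted names is safer. Since the two bodies differ only in the endpoint and the loop variable name (`package` in the process check is misleading), the matching could move into one helper that also tolerates a response without `data`/`affected_items` instead of raising `KeyError`, sketched below; whether a missing key should count as "not installed" depends on the file's error-handling convention, which is not visible here. The trailing whitespace on the blank line after the install loop should also be dropped.
```python
# Package / process names that identify the ClamAV daemon on common distros.
CLAMD_PACKAGE_NAMES = ('clamd', 'clamav-daemon')
CLAMD_PROCESS_NAMES = ('clamd',)

def _any_item_named(body, names):
    """Return 'true' if any affected item's name is in *names*, else 'false'.

    A body without data/affected_items is treated as no match.
    """
    items = (body.get('data') or {}).get('affected_items') or []
    return 'true' if any(item.get('name') in names for item in items) else 'false'

# Check if ClamAV daemon package installed
def check_clamd_install(wc, agent_id):
    body = wc.req('GET', 'syscollector/' + agent_id + '/packages')
    measurement_result = _any_item_named(body, CLAMD_PACKAGE_NAMES)
    # … unchanged: evidence construction and return …

# Check if ClamAV daemon process running
def check_clamd_process(wc, agent_id):
    body = wc.req('GET', 'syscollector/' + agent_id + '/processes')
    measurement_result = _any_item_named(body, CLAMD_PROCESS_NAMES)
    # … unchanged: evidence construction and return (measurement id still to be separated from 05.3) …
```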
-- 
GitLab