From 603b253e8bf53bdcb7c58f1b5946a428ea35dcf4 Mon Sep 17 00:00:00 2001
From: matevz_erzen <matevz.erzen@xlab.si>
Date: Wed, 22 Sep 2021 15:46:12 +0200
Subject: [PATCH] Check ClamAV packages and process
---
verifier.py | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
diff --git a/verifier.py b/verifier.py
index bd33d20..624a1bc 100644
--- a/verifier.py
+++ b/verifier.py
@@ -3,6 +3,7 @@ from evidence import Evidence, simple_evidence
from random import randint
from sys import maxsize
from datetime import datetime
+import pprint
wc = WazuhClient('192.168.33.10', 55000, 'wazuh-wui', 'wazuh-wui')
@@ -99,6 +100,7 @@ def check_virus_total_integration(wc):
return evidence
# Check last Syscheck & Rootcheck scan times
+# When producing 'real' evidence, make sure to provide differentiation between Syscheck and Rootcheck outputs.
def check_last_scan_time(wc, agent_id):
body = wc.req('GET', 'syscheck/' + agent_id + '/last_scan')
@@ -113,3 +115,33 @@ def check_last_scan_time(wc, agent_id):
evidence2 = simple_evidence(get_id('05.4'), get_timestamp(), measurement_result, body)
return evidence1, evidence2
+
+# Check if ClamAV daemon package installed
+def check_clamd_install(wc, agent_id):
+ body = wc.req('GET', 'syscollector/' + agent_id + '/packages')
+
+ measurement_result = 'false'
+
+ for package in body['data']['affected_items']:
+ if package['name'] == 'clamd':
+ measurement_result = 'true'
+ break
+
+ evidence = simple_evidence(get_id('05.3'), get_timestamp(), measurement_result, body)
+
+ return evidence
+
+# Check if ClamAV daemon process running
+def check_clamd_process(wc, agent_id):
+ body = wc.req('GET', 'syscollector/' + agent_id + '/processes')
+
+ measurement_result = 'false'
+
+ for package in body['data']['affected_items']:
+ if package['name'] == 'clamd':
+ measurement_result = 'true'
+ break
+
+ evidence = simple_evidence(get_id('05.3'), get_timestamp(), measurement_result, body)
+
+ return evidence
--
GitLab