Commit 7a579ff1 authored by Matevz Erzen's avatar Matevz Erzen Committed by Matevz Erzen

Added Dockerfile

parent 3384ba8d
# syntax=docker/dockerfile:1
FROM python:3.8-slim-buster
WORKDIR /evidence-collector/
COPY requirements.txt requirements.txt
RUN pip3 install -r requirements.txt
COPY . .
CMD ["python3", "test.py"]
\ No newline at end of file
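Review bot: the image has no `USER` directive, so `CMD ["python3", "test.py"]` runs as root, and `COPY . .` copies the entire build context into the layer, which with this commit includes `constants/constants.py` and the Wazuh and Elasticsearch credentials it defines. Add a non-root `USER`, a `.dockerignore`, and pass the credentials in at run time (environment or mounted file) rather than baking them into the image. Minor: the file is missing its trailing newline.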
......@@ -8,29 +8,49 @@ Wazuh evidence collector uses [Wazuh's API](https://documentation.wazuh.com/curr
## Installation & use
1. Set up your Wazuh development environment
### Using docker:
2. Clone this repository
1. Set up your Wazuh development environment. Use [Security Monitoring](https://gitlab.xlab.si/medina/security-monitoring) repository to create and deploy Vagrant box with all required components.
3. Install requirements
2. Clone this repository.
3. Build Docker image:
```
docker build -t evidence-collector .
```
4. Run the image:
```
docker run evidence-collector
```
> Note: Current simple image runs code from `test.py`. If you wish to test anything else, change this file or edit `Dockerfile`.
### Local environment:
1. Set up your Wazuh development environment. Use [Security Monitoring](https://gitlab.xlab.si/medina/security-monitoring) repository to create and deploy Vagrant box with all required components.
2. Clone this repository.
3. Install dependencies:
```
pip install -r requirements.txt
```
4. Run test script
4. Run `test.py`:
```
python3 test.py
```
### Setting up Wazuh development environment
Use [Security Monitoring](https://gitlab.xlab.si/medina/security-monitoring) repository to create and deploy Vagrant box with all required components.
> Note: This repository consists of multiple modules. When running code manually, use of `-m` flag might be necessary.
### API User authentication
Current implementation has disabled SSL certificate verification & uses simple username/password verification. Production version should change this with cert verification.
Current implementation has disabled SSL certificate verification & uses simple username/password verification (defined inside `/constants/constants.py`). Production version should change this with cert verification.
### Manual Elasticsearch API testin with cURL
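Review bot: the new heading `### Manual Elasticsearch API testin with cURL` has a typo (`testing`), and `/constants/constants.py` reads as an absolute path where the repository path is `constants/constants.py`. Since that file now carries the API username and password in plain text, the `API User authentication` section should also tell users to change the defaults before deploying, not only to turn certificate verification back on.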
......
WAZUH_IP = '192.168.33.10'
WAZUH_API_PORT = 55000
WAZUH_USERNAME = 'wazuh-wui'
WAZUH_PASSWORD = 'wazuh-wui'
ELASTIC_IP = '192.168.33.10'
ELASTIC_API_PORT = 9200
ELASTIC_USERNAME = 'admin'
ELASTIC_PASSWORD = 'changeme'
\ No newline at end of file
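Review bot: this file commits plaintext credentials (`WAZUH_PASSWORD = 'wazuh-wui'`, `ELASTIC_PASSWORD = 'changeme'`) to the repository, and the `from constants.constants import *` in `wazuh_evidence_collector.py` turns them into module globals. As defaults for the Vagrant development box this is workable, but read them from the environment (for example `os.environ.get('WAZUH_PASSWORD', 'wazuh-wui')`) so a deployment can override them without editing source, and document that the defaults must not be used outside the dev box. Minor: missing trailing newline.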
......@@ -16,6 +16,6 @@ class Evidence:
def toJson(self):
return json.dumps(self.__dict__)
def simple_evidence(evidence_id, timestamp, measurement_result, body):
return Evidence(evidence_id, timestamp, None, None, None, None, None, measurement_result, body)
def simple_evidence(evidence_id, timestamp, resource_id, measurement_result, body):
return Evidence(evidence_id, timestamp, resource_id, None, None, None, None, measurement_result, body)
\ No newline at end of file
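Review bot: `simple_evidence` gains a positional `resource_id` between `timestamp` and `measurement_result`, so every existing caller must be updated in the same commit; this diff updates four calls in `wazuh_evidence_collector.py`, but the collapsed parts of that file should be checked for others, since a stale four-argument call will raise `TypeError` only at run time. Readability: `Evidence(evidence_id, timestamp, resource_id, None, None, None, None, measurement_result, body)` relies on positional `None` padding; keyword arguments would make clear which fields are intentionally unset. Minor: missing trailing newline.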
import pprint
from wazuh_evidence_collector import *
from wazuh_evidence_collector.wazuh_evidence_collector import *
evidences = run_full_check()
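Review bot: the updated import `from wazuh_evidence_collector.wazuh_evidence_collector import *` pulls every module-level name of that module into the test script, including the `wc` and `es` clients and the credential constants it re-exports via its own wildcard import. Import only what the script uses (`run_full_check`) so the test's dependencies stay explicit and the credentials are not spread into another namespace.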
......
File moved
from wazuh_client import WazuhClient
from wazuh_evidence_collector.wazuh_client import WazuhClient
from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
from evidence import Evidence, simple_evidence
from evidence.evidence import Evidence, simple_evidence
from random import randint
from sys import maxsize
from datetime import datetime
from constants.constants import *
import pprint
wc = WazuhClient('192.168.33.10', 55000, 'wazuh-wui', 'wazuh-wui')
wc = WazuhClient(WAZUH_IP, WAZUH_API_PORT, WAZUH_USERNAME, WAZUH_PASSWORD)
es = Elasticsearch(
'192.168.33.10',
http_auth=('admin', 'changeme'),
ELASTIC_IP,
http_auth=(ELASTIC_USERNAME, ELASTIC_PASSWORD),
scheme='https',
port=9200,
port=ELASTIC_API_PORT,
use_ssl=False,
verify_certs=False,
ssl_show_warn=False,
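Review bot: the `Elasticsearch(...)` client keeps `scheme='https'` while passing `use_ssl=False`, `verify_certs=False` and `ssl_show_warn=False`; the first two contradict each other, and the last two disable certificate verification and silence the warning that would flag it. Moving the endpoints and credentials into `constants.constants` is a good step; the TLS settings should go the same way (for example a `VERIFY_CERTS` constant defaulting to `True`) so the README's note that production should use certificate verification has a single switch to flip. Also note that `wc` and `es` are constructed at module import time, so any `import` of this module, including the wildcard import in `test.py`, instantiates both clients with the credentials.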
......@@ -110,9 +112,9 @@ def wazuh_monitoring_enabled(wc, agent_id):
raw_evidence.append(evidence)
if result_syscheck and result_rootcheck and result_aler_integration:
return simple_evidence(get_id('05.3'), get_timestamp(), "true", raw_evidence)
return simple_evidence(get_id('05.3'), get_timestamp(), agent_id, "true", raw_evidence)
else:
return simple_evidence(get_id('05.3'), get_timestamp(), "false", raw_evidence)
return simple_evidence(get_id('05.3'), get_timestamp(), agent_id, "false", raw_evidence)
# Check if agent uses ClamAV or VirusTotal
def malvare_protection_enabled(wc, es, agent_id):
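Review bot: `measurement_result` is passed as the strings `"true"` and `"false"` rather than booleans; since `Evidence.toJson` is `json.dumps(self.__dict__)`, these serialize as JSON strings, so consumers have to compare text instead of testing a boolean. Consider `True`/`False`. The context variable `result_aler_integration` and the function name `malvare_protection_enabled` also look like misspellings (`alert`, `malware`).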
......@@ -174,9 +176,9 @@ def malvare_protection_enabled(wc, es, agent_id):
raw_evidence.append(evidence)
if result_virus_total or (result_lamd_process and result_clamd_logs):
return simple_evidence(get_id('05.4'), get_timestamp(), "true", raw_evidence)
return simple_evidence(get_id('05.4'), get_timestamp(), agent_id, "true", raw_evidence)
else:
return simple_evidence(get_id('05.4'), get_timestamp(), "false", raw_evidence)
return simple_evidence(get_id('05.4'), get_timestamp(), agent_id, "false", raw_evidence)
# Check last Syscheck & Rootcheck scan times
# When producing 'real' evidence, make sure to provide differentiation between Syscheck and Rootcheck outputs.
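Review bot: `result_lamd_process` sits beside `result_clamd_logs` in `result_virus_total or (result_lamd_process and result_clamd_logs)`, which suggests a typo for `result_clamd_process`; renaming it makes the condition read as intended. Passing `agent_id` as the `resource_id` here matches the `05.3` evidence above, so the two checks now identify their resource consistently.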
......