Added Dockerfile

7a579ff1 · Matevz Erzen · Matevz Erzen · 3384ba8d · 7a579ff1 · 7a579ff1
Commit 7a579ff1 authored 3 years ago by Matevz Erzen Committed by Matevz Erzen 3 years ago
--- a/Dockerfile
+++ b/Dockerfile
+# syntax=docker/dockerfile:1
+
+FROM python:3.8-slim-buster
+
+WORKDIR /evidence-collector/
+
+COPY requirements.txt requirements.txt
+RUN pip3 install -r requirements.txt
+
+COPY . .
+
+CMD ["python3", "test.py"]
\ No newline at end of file
--- a/README.md
+++ b/README.md
@@ -8,29 +8,49 @@ Wazuh evidence collector uses [Wazuh's API](https://documentation.wazuh.com/curr

 ## Installation & use

-1. Set up your Wazuh development environment
+### Using docker:

-2. Clone this repository
+1. Set up your Wazuh development environment. Use [Security Monitoring](https://gitlab.xlab.si/medina/security-monitoring) repository to create and deploy Vagrant box with all required components.

-3. Install requirements
+2. Clone this repository.
+
+3. Build Docker image:
+
+```
+docker build -t evidence-collector .
+```
+
+4. Run the image:
+
+```
+docker run evidence-collector
+```
+
+> Note: Current simple image runs code from `test.py`. If you wish to test anything else, change this file or edit `Dockerfile`.
+
+### Local environment:
+
+1. Set up your Wazuh development environment. Use [Security Monitoring](https://gitlab.xlab.si/medina/security-monitoring) repository to create and deploy Vagrant box with all required components.
+
+2. Clone this repository.
+
+3. Install dependencies:

 ```
 pip install -r requirements.txt
 ```

-4. Run test script 
+4. Run `test.py`:

 ```
 python3 test.py
 ```

-### Setting up Wazuh development environment
-
-Use [Security Monitoring](https://gitlab.xlab.si/medina/security-monitoring) repository to create and deploy Vagrant box with all required components.
+> Note: This repository consists of multiple modules. When running code manually, use of `-m` flag might be necessary.

 ### API User authentication

-Current implementation has disabled SSL certificate verification & uses simple username/password verification. Production version should change this with cert verification.
+Current implementation has disabled SSL certificate verification & uses simple username/password verification (defined inside `/constants/constants.py`). Production version should change this with cert verification.

 ### Manual Elasticsearch API testin with cURL


--- a/constants/constants.py
+++ b/constants/constants.py
+WAZUH_IP = '192.168.33.10'
+WAZUH_API_PORT = 55000
+WAZUH_USERNAME = 'wazuh-wui'
+WAZUH_PASSWORD = 'wazuh-wui'
+
+ELASTIC_IP = '192.168.33.10'
+ELASTIC_API_PORT = 9200
+ELASTIC_USERNAME = 'admin'
+ELASTIC_PASSWORD = 'changeme'
\ No newline at end of file
--- a/evidence.py
+++ b/evidence.py
@@ -16,6 +16,6 @@ class Evidence:
    def toJson(self):
        return json.dumps(self.__dict__)

-def simple_evidence(evidence_id, timestamp, measurement_result, body):
-    return Evidence(evidence_id, timestamp, None, None, None, None, None, measurement_result, body)
+def simple_evidence(evidence_id, timestamp, resource_id, measurement_result, body):
+    return Evidence(evidence_id, timestamp, resource_id, None, None, None, None, measurement_result, body)
    
\ No newline at end of file
--- a/test.py
+++ b/test.py
 import pprint
-from  wazuh_evidence_collector import *
+from  wazuh_evidence_collector.wazuh_evidence_collector import *

 evidences = run_full_check()


--- a/wazuh_client.py
+++ b/wazuh_client.py
--- a/wazuh_evidence_collector.py
+++ b/wazuh_evidence_collector.py
-from wazuh_client import WazuhClient
+from wazuh_evidence_collector.wazuh_client import WazuhClient
 from elasticsearch import Elasticsearch
 from elasticsearch_dsl import Search
-from evidence import Evidence, simple_evidence
+from evidence.evidence import Evidence, simple_evidence
 from random import randint
 from sys import maxsize
 from datetime import datetime
+from constants.constants import *
+import pprint

-wc = WazuhClient('192.168.33.10', 55000, 'wazuh-wui', 'wazuh-wui')
+wc = WazuhClient(WAZUH_IP, WAZUH_API_PORT, WAZUH_USERNAME, WAZUH_PASSWORD)
 es = Elasticsearch(
-        '192.168.33.10',
-        http_auth=('admin', 'changeme'),
+        ELASTIC_IP,
+        http_auth=(ELASTIC_USERNAME, ELASTIC_PASSWORD),
        scheme='https',
-        port=9200,
+        port=ELASTIC_API_PORT,
        use_ssl=False,
        verify_certs=False,
        ssl_show_warn=False,
@@ -110,9 +112,9 @@ def wazuh_monitoring_enabled(wc, agent_id):
    raw_evidence.append(evidence)

    if result_syscheck and result_rootcheck and result_aler_integration:
-        return simple_evidence(get_id('05.3'), get_timestamp(), "true", raw_evidence)
+        return simple_evidence(get_id('05.3'), get_timestamp(), agent_id, "true", raw_evidence)
    else: 
-        return simple_evidence(get_id('05.3'), get_timestamp(), "false", raw_evidence)
+        return simple_evidence(get_id('05.3'), get_timestamp(), agent_id, "false", raw_evidence)

 # Check if agent uses ClamAV or VirusTotal
 def malvare_protection_enabled(wc, es, agent_id):
@@ -174,9 +176,9 @@ def malvare_protection_enabled(wc, es, agent_id):
    raw_evidence.append(evidence)

    if result_virus_total or (result_lamd_process and result_clamd_logs):
-        return simple_evidence(get_id('05.4'), get_timestamp(), "true", raw_evidence)
+        return simple_evidence(get_id('05.4'), get_timestamp(), agent_id, "true", raw_evidence)
    else: 
-        return simple_evidence(get_id('05.4'), get_timestamp(), "false", raw_evidence)
+        return simple_evidence(get_id('05.4'), get_timestamp(), agent_id, "false", raw_evidence)

 # Check last Syscheck & Rootcheck scan times
 # When producing 'real' evidence, make sure to provide differentiation between Syscheck and Rootcheck outputs.