diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000000000000000000000000000000000000..d68658f21ff52d43f8e241e29cb9830f9bb3506f
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,12 @@
+# syntax=docker/dockerfile:1
+
+FROM python:3.8-slim-buster
+
+WORKDIR /evidence-collector/
+
+COPY requirements.txt requirements.txt
+RUN pip3 install -r requirements.txt
+
+COPY . .
+
+CMD ["python3", "test.py"]
\ No newline at end of file
diff --git a/README.md b/README.md
index 67c7c9ad9008a491d5e518b7c0cddf43a88587c1..268a3c0430adbec0cd58f33f6120243818ac513e 100644
--- a/README.md
+++ b/README.md
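Review bot: `COPY . .` copies the whole checkout, including `constants/constants.py` with the Wazuh and Elasticsearch passwords, into an image layer, and the container runs as root because no `USER` is set. Consider a `.dockerignore` that excludes the constants module and any local secrets, and supply the credentials at run time as environment variables or Docker secrets rather than baking them into the image. Adding a non-root user after the `COPY` (`RUN useradd -r collector` then `USER collector`, names constructed here) limits what a compromised collector process can do. `pip3 install -r requirements.txt` would also benefit from `--no-cache-dir`, and pinning `python:3.8-slim-buster` to a digest makes the build reproducible.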
@@ -8,29 +8,49 @@ Wazuh evidence collector uses [Wazuh's API](https://documentation.wazuh.com/curr
 ## Installation & use
-1. Set up your Wazuh development environment
+### Using docker:
-2. Clone this repository
+1. Set up your Wazuh development environment. Use [Security Monitoring](https://gitlab.xlab.si/medina/security-monitoring) repository to create and deploy Vagrant box with all required components.
-3. Install requirements
+2. Clone this repository.
+
+3. Build Docker image:
+
+```
+docker build -t evidence-collector .
+```
+
+4. Run the image:
+
+```
+docker run evidence-collector
+```
+
+> Note: Current simple image runs code from `test.py`. If you wish to test anything else, change this file or edit `Dockerfile`.
+
+### Local environment:
+
+1. Set up your Wazuh development environment. Use [Security Monitoring](https://gitlab.xlab.si/medina/security-monitoring) repository to create and deploy Vagrant box with all required components.
+
+2. Clone this repository.
+
+3. Install dependencies:
 ```
 pip install -r requirements.txt
 ```
-4. Run test script
+4. Run `test.py`:
 ```
 python3 test.py
 ```
-### Setting up Wazuh development environment
-
-Use [Security Monitoring](https://gitlab.xlab.si/medina/security-monitoring) repository to create and deploy Vagrant box with all required components.
+> Note: This repository consists of multiple modules. When running code manually, use of `-m` flag might be necessary.
 ### API User authentication
-Current implementation has disabled SSL certificate verification & uses simple username/password verification. Production version should change this with cert verification.
+Current implementation has disabled SSL certificate verification & uses simple username/password verification (defined inside `/constants/constants.py`). Production version should change this with cert verification.
 ### Manual Elasticsearch API testin with cURL
diff --git a/constants/constants.py b/constants/constants.py
new file mode 100644
index 0000000000000000000000000000000000000000..d4185e3843440b8aa02cbe1cb575efd5ac42e584
--- /dev/null
+++ b/constants/constants.py
@@ -0,0 +1,9 @@
+WAZUH_IP = '192.168.33.10'
+WAZUH_API_PORT = 55000
+WAZUH_USERNAME = 'wazuh-wui'
+WAZUH_PASSWORD = 'wazuh-wui'
+
+ELASTIC_IP = '192.168.33.10'
+ELASTIC_API_PORT = 9200
+ELASTIC_USERNAME = 'admin'
+ELASTIC_PASSWORD = 'changeme'
\ No newline at end of file
diff --git a/evidence.py b/evidence/evidence.py
similarity index 75%
rename from evidence.py
rename to evidence/evidence.py
index d3229b0d82dfd9752fd65aff054f72aaa26ea2a1..e5e906f084486a1ddd05c30e592d1684f543cccc 100644
--- a/evidence.py
+++ b/evidence/evidence.py
@@ -16,6 +16,6 @@ class Evidence:
 def toJson(self):
 return json.dumps(self.__dict__)
-def simple_evidence(evidence_id, timestamp, measurement_result, body):
- return Evidence(evidence_id, timestamp, None, None, None, None, None, measurement_result, body)
+def simple_evidence(evidence_id, timestamp, resource_id, measurement_result, body):
+ return Evidence(evidence_id, timestamp, resource_id, None, None, None, None, measurement_result, body)
\ No newline at end of file
diff --git a/test.py b/test.py
index 17fc4194afbaaa229f039984730af6102d4708a5..4c76f3a75a39cb4bc69762e4ae1db55616b3cc78 100644
--- a/test.py
+++ b/test.py
@@ -1,5 +1,5 @@
 import pprint
-from wazuh_evidence_collector import *
+from wazuh_evidence_collector.wazuh_evidence_collector import *
 evidences = run_full_check()
diff --git a/wazuh_client.py b/wazuh_evidence_collector/wazuh_client.py
similarity index 100%
rename from wazuh_client.py
rename to wazuh_evidence_collector/wazuh_client.py
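Review bot: `constants/constants.py` commits live credentials (`WAZUH_PASSWORD = 'wazuh-wui'`, `ELASTIC_PASSWORD = 'changeme'`) and endpoint addresses to the repository, where they remain in git history even after a later edit. Since the README already describes this as a development setup, the safer pattern is to read each value from the environment with the current literal as a fallback, e.g. `WAZUH_PASSWORD = os.getenv('WAZUH_PASSWORD', 'wazuh-wui')`, so a deployment can override them without touching tracked source. A header comment stating that these are presumably the defaults of the security-monitoring Vagrant box and must be replaced outside that environment would also help the next reader.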
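Review bot: `simple_evidence` has no docstring, and the call `Evidence(evidence_id, timestamp, resource_id, None, None, None, None, measurement_result, body)` leaves the reader to infer which constructor fields the four `None`s stand for; the `Evidence.__init__` signature is outside this hunk. A one-line docstring such as `"""Build an Evidence with only id, timestamp, resource_id, measurement result and body set; the remaining fields stay None."""` would record the intent, and passing the `Evidence` arguments by keyword would make the mapping explicit. Because `resource_id` was inserted in the middle of the positional list, any caller not updated in this commit will now fail with a missing-argument error rather than silently misbehave, which is acceptable but worth a note in the commit message.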
diff --git a/wazuh_evidence_collector.py b/wazuh_evidence_collector/wazuh_evidence_collector.py
similarity index 92%
rename from wazuh_evidence_collector.py
rename to wazuh_evidence_collector/wazuh_evidence_collector.py
index e9f8c774c12eda6a0930161487cb223f60d950c9..110588a8353dd8069206ab5f23c9c830d670a463 100644
--- a/wazuh_evidence_collector.py
+++ b/wazuh_evidence_collector/wazuh_evidence_collector.py
@@ -1,17 +1,19 @@
-from wazuh_client import WazuhClient
+from wazuh_evidence_collector.wazuh_client import WazuhClient
 from elasticsearch import Elasticsearch
 from elasticsearch_dsl import Search
-from evidence import Evidence, simple_evidence
+from evidence.evidence import Evidence, simple_evidence
 from random import randint
 from sys import maxsize
 from datetime import datetime
+from constants.constants import *
+import pprint
-wc = WazuhClient('192.168.33.10', 55000, 'wazuh-wui', 'wazuh-wui')
+wc = WazuhClient(WAZUH_IP, WAZUH_API_PORT, WAZUH_USERNAME, WAZUH_PASSWORD)
 es = Elasticsearch(
- '192.168.33.10',
- http_auth=('admin', 'changeme'),
+ ELASTIC_IP,
+ http_auth=(ELASTIC_USERNAME, ELASTIC_PASSWORD),
 scheme='https',
- port=9200,
+ port=ELASTIC_API_PORT,
 use_ssl=False,
 verify_certs=False,
 ssl_show_warn=False,
@@ -110,9 +112,9 @@ def wazuh_monitoring_enabled(wc, agent_id):
 raw_evidence.append(evidence)
 if result_syscheck and result_rootcheck and result_aler_integration:
- return simple_evidence(get_id('05.3'), get_timestamp(), "true", raw_evidence)
+ return simple_evidence(get_id('05.3'), get_timestamp(), agent_id, "true", raw_evidence)
 else:
- return simple_evidence(get_id('05.3'), get_timestamp(), "false", raw_evidence)
+ return simple_evidence(get_id('05.3'), get_timestamp(), agent_id, "false", raw_evidence)
 # Check if agent uses ClamAV or VirusTotal
 def malvare_protection_enabled(wc, es, agent_id):
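Review bot: `from constants.constants import *` pulls every public name of the constants module, passwords included, into this module's namespace, and because `test.py` in turn does `from wazuh_evidence_collector.wazuh_evidence_collector import *`, those credentials are re-exported transitively into every importer. An explicit import list, `from constants.constants import WAZUH_IP, WAZUH_API_PORT, WAZUH_USERNAME, WAZUH_PASSWORD, ELASTIC_IP, ELASTIC_API_PORT, ELASTIC_USERNAME, ELASTIC_PASSWORD`, keeps the dependency visible to readers and linters and stops the leak through the star import. `import pprint` is added but not used anywhere in this hunk; if it is a debugging leftover, drop it. The clients are still built at import time with `verify_certs=False`, so the credentials now read from constants travel over an unverified connection — the README acknowledges this, but a short comment above `es = Elasticsearch(` pointing to that caveat would keep it from being overlooked.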
@@ -174,9 +176,9 @@ def malvare_protection_enabled(wc, es, agent_id):
 raw_evidence.append(evidence)
 if result_virus_total or (result_lamd_process and result_clamd_logs):
- return simple_evidence(get_id('05.4'), get_timestamp(), "true", raw_evidence)
+ return simple_evidence(get_id('05.4'), get_timestamp(), agent_id, "true", raw_evidence)
 else:
- return simple_evidence(get_id('05.4'), get_timestamp(), "false", raw_evidence)
+ return simple_evidence(get_id('05.4'), get_timestamp(), agent_id, "false", raw_evidence)
 # Check last Syscheck & Rootcheck scan times
 # When producing 'real' evidence, make sure to provide differentiation between Syscheck and Rootcheck outputs.