From 7a579ff149e4de2f6789d82c6b43c958af8ca2eb Mon Sep 17 00:00:00 2001
From: matevz_erzen <matevz.erzen@xlab.si>
Date: Tue, 28 Sep 2021 11:33:43 +0200
Subject: [PATCH] Added Dockerfile

---
 Dockerfile                                    | 12 +++++++
 README.md                                     | 36 ++++++++++++++-----
 constants/constants.py                        |  9 +++++
 evidence.py => evidence/evidence.py           |  4 +--
 test.py                                       |  2 +-
 .../wazuh_client.py                           |  0
 .../wazuh_evidence_collector.py               | 22 ++++++------
 7 files changed, 64 insertions(+), 21 deletions(-)
 create mode 100644 Dockerfile
 create mode 100644 constants/constants.py
 rename evidence.py => evidence/evidence.py (75%)
 rename wazuh_client.py => wazuh_evidence_collector/wazuh_client.py (100%)
 rename wazuh_evidence_collector.py => wazuh_evidence_collector/wazuh_evidence_collector.py (92%)

diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..d68658f
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,12 @@
+# syntax=docker/dockerfile:1
+
+FROM python:3.8-slim-buster
+
+WORKDIR /evidence-collector/
+
+COPY requirements.txt requirements.txt
+RUN pip3 install -r requirements.txt
+
+COPY . .
+
+CMD ["python3", "test.py"]
\ No newline at end of file
diff --git a/README.md b/README.md
index 67c7c9a..268a3c0 100644
--- a/README.md
+++ b/README.md
@@ -8,29 +8,49 @@ Wazuh evidence collector uses [Wazuh's API](https://documentation.wazuh.com/curr
 
 ## Installation & use
 
-1. Set up your Wazuh development environment
+### Using docker:
 
-2. Clone this repository
+1. Set up your Wazuh development environment. Use [Security Monitoring](https://gitlab.xlab.si/medina/security-monitoring) repository to create and deploy Vagrant box with all required components.
 
-3. Install requirements
+2. Clone this repository.
+
+3. Build Docker image:
+
+```
+docker build -t evidence-collector .
+```
+
+4. Run the image:
+
+```
+docker run evidence-collector
+```
+
+> Note: Current simple image runs code from `test.py`. If you wish to test anything else, change this file or edit `Dockerfile`.
+
+### Local environment:
+
+1. Set up your Wazuh development environment. Use [Security Monitoring](https://gitlab.xlab.si/medina/security-monitoring) repository to create and deploy Vagrant box with all required components.
+
+2. Clone this repository.
+
+3. Install dependencies:
 
 ```
 pip install -r requirements.txt
 ```
 
-4. Run test script 
+4. Run `test.py`:
 
 ```
 python3 test.py
 ```
 
-### Setting up Wazuh development environment
-
-Use [Security Monitoring](https://gitlab.xlab.si/medina/security-monitoring) repository to create and deploy Vagrant box with all required components.
+> Note: This repository consists of multiple modules. When running code manually, use of `-m` flag might be necessary.
 
 ### API User authentication
 
-Current implementation has disabled SSL certificate verification & uses simple username/password verification. Production version should change this with cert verification.
+Current implementation has disabled SSL certificate verification & uses simple username/password verification (defined inside `/constants/constants.py`). Production version should change this with cert verification.
 
 ### Manual Elasticsearch API testin with cURL
 
diff --git a/constants/constants.py b/constants/constants.py
new file mode 100644
index 0000000..d4185e3
--- /dev/null
+++ b/constants/constants.py
@@ -0,0 +1,9 @@
+WAZUH_IP = '192.168.33.10'
+WAZUH_API_PORT = 55000
+WAZUH_USERNAME = 'wazuh-wui'
+WAZUH_PASSWORD = 'wazuh-wui'
+
+ELASTIC_IP = '192.168.33.10'
+ELASTIC_API_PORT = 9200
+ELASTIC_USERNAME = 'admin'
+ELASTIC_PASSWORD = 'changeme'
\ No newline at end of file
diff --git a/evidence.py b/evidence/evidence.py
similarity index 75%
rename from evidence.py
rename to evidence/evidence.py
index d3229b0..e5e906f 100644
--- a/evidence.py
+++ b/evidence/evidence.py
@@ -16,6 +16,6 @@ class Evidence:
     def toJson(self):
         return json.dumps(self.__dict__)
 
-def simple_evidence(evidence_id, timestamp, measurement_result, body):
-    return Evidence(evidence_id, timestamp, None, None, None, None, None, measurement_result, body)
+def simple_evidence(evidence_id, timestamp, resource_id, measurement_result, body):
+    return Evidence(evidence_id, timestamp, resource_id, None, None, None, None, measurement_result, body)
     
\ No newline at end of file
diff --git a/test.py b/test.py
index 17fc419..4c76f3a 100644
--- a/test.py
+++ b/test.py
@@ -1,5 +1,5 @@
 import pprint
-from  wazuh_evidence_collector import *
+from  wazuh_evidence_collector.wazuh_evidence_collector import *
 
 evidences = run_full_check()
 
diff --git a/wazuh_client.py b/wazuh_evidence_collector/wazuh_client.py
similarity index 100%
rename from wazuh_client.py
rename to wazuh_evidence_collector/wazuh_client.py
diff --git a/wazuh_evidence_collector.py b/wazuh_evidence_collector/wazuh_evidence_collector.py
similarity index 92%
rename from wazuh_evidence_collector.py
rename to wazuh_evidence_collector/wazuh_evidence_collector.py
index e9f8c77..110588a 100644
--- a/wazuh_evidence_collector.py
+++ b/wazuh_evidence_collector/wazuh_evidence_collector.py
@@ -1,17 +1,19 @@
-from wazuh_client import WazuhClient
+from wazuh_evidence_collector.wazuh_client import WazuhClient
 from elasticsearch import Elasticsearch
 from elasticsearch_dsl import Search
-from evidence import Evidence, simple_evidence
+from evidence.evidence import Evidence, simple_evidence
 from random import randint
 from sys import maxsize
 from datetime import datetime
+from constants.constants import *
+import pprint
 
-wc = WazuhClient('192.168.33.10', 55000, 'wazuh-wui', 'wazuh-wui')
+wc = WazuhClient(WAZUH_IP, WAZUH_API_PORT, WAZUH_USERNAME, WAZUH_PASSWORD)
 es = Elasticsearch(
-        '192.168.33.10',
-        http_auth=('admin', 'changeme'),
+        ELASTIC_IP,
+        http_auth=(ELASTIC_USERNAME, ELASTIC_PASSWORD),
         scheme='https',
-        port=9200,
+        port=ELASTIC_API_PORT,
         use_ssl=False,
         verify_certs=False,
         ssl_show_warn=False,
@@ -110,9 +112,9 @@ def wazuh_monitoring_enabled(wc, agent_id):
     raw_evidence.append(evidence)
 
     if result_syscheck and result_rootcheck and result_aler_integration:
-        return simple_evidence(get_id('05.3'), get_timestamp(), "true", raw_evidence)
+        return simple_evidence(get_id('05.3'), get_timestamp(), agent_id, "true", raw_evidence)
     else: 
-        return simple_evidence(get_id('05.3'), get_timestamp(), "false", raw_evidence)
+        return simple_evidence(get_id('05.3'), get_timestamp(), agent_id, "false", raw_evidence)
 
 # Check if agent uses ClamAV or VirusTotal
 def malvare_protection_enabled(wc, es, agent_id):
@@ -174,9 +176,9 @@ def malvare_protection_enabled(wc, es, agent_id):
     raw_evidence.append(evidence)
 
     if result_virus_total or (result_lamd_process and result_clamd_logs):
-        return simple_evidence(get_id('05.4'), get_timestamp(), "true", raw_evidence)
+        return simple_evidence(get_id('05.4'), get_timestamp(), agent_id, "true", raw_evidence)
     else: 
-        return simple_evidence(get_id('05.4'), get_timestamp(), "false", raw_evidence)
+        return simple_evidence(get_id('05.4'), get_timestamp(), agent_id, "false", raw_evidence)
 
 # Check last Syscheck & Rootcheck scan times
 # When producing 'real' evidence, make sure to provide differentiation between Syscheck and Rootcheck outputs.
-- 
GitLab