From 7a579ff149e4de2f6789d82c6b43c958af8ca2eb Mon Sep 17 00:00:00 2001
From: matevz_erzen <matevz.erzen@xlab.si>
Date: Tue, 28 Sep 2021 11:33:43 +0200
Subject: [PATCH] Added Dockerfile

---
 Dockerfile | 12 +++++++
 README.md | 36 ++++++++++++++-----
 constants/constants.py | 9 +++++
 evidence.py => evidence/evidence.py | 4 +--
 test.py | 2 +-
 .../wazuh_client.py | 0
 .../wazuh_evidence_collector.py | 22 ++++++------
 7 files changed, 64 insertions(+), 21 deletions(-)
 create mode 100644 Dockerfile
 create mode 100644 constants/constants.py
 rename evidence.py => evidence/evidence.py (75%)
 rename wazuh_client.py => wazuh_evidence_collector/wazuh_client.py (100%)
 rename wazuh_evidence_collector.py => wazuh_evidence_collector/wazuh_evidence_collector.py (92%)

diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..d68658f
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,12 @@
+# syntax=docker/dockerfile:1
+
+FROM python:3.8-slim-buster
+
+WORKDIR /evidence-collector/
+
+COPY requirements.txt requirements.txt
+RUN pip3 install -r requirements.txt
+
+COPY . .
+
+CMD ["python3", "test.py"]
\ No newline at end of file
diff --git a/README.md b/README.md
index 67c7c9a..268a3c0 100644
--- a/README.md
+++ b/README.md
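Review bot: The image has no `USER` instruction, so the container executes `test.py` as root, and `COPY . .` copies the whole build context into the image, which after this commit includes `constants/constants.py` with the Wazuh and Elasticsearch passwords (no `.dockerignore` is part of the change). Credentials baked into a layer stay recoverable from every copy of the image; they belong in runtime configuration such as `docker run -e` or a secrets mount, with the constants module reading them from the environment (raised at the `constants/constants.py` hunk). A non-root user before `CMD`, e.g. `RUN useradd --create-home collector` followed by `USER collector`, limits what the collector process can do inside the container if it is compromised. `requirements.txt` is not part of the diff, so whether the installed dependencies are pinned cannot be judged from here.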
@@ -8,29 +8,49 @@ Wazuh evidence collector uses [Wazuh's API](https://documentation.wazuh.com/curr ## Installation & use -1. Set up your Wazuh development environment +### Using docker: -2. Clone this repository +1. Set up your Wazuh development environment. Use [Security Monitoring](https://gitlab.xlab.si/medina/security-monitoring) repository to create and deploy Vagrant box with all required components. -3. Install requirements +2. Clone this repository. + +3. Build Docker image: + +``` +docker build -t evidence-collector . +``` + +4. Run the image: + +``` +docker run evidence-collector +``` + +> Note: Current simple image runs code from `test.py`. If you wish to test anything else, change this file or edit `Dockerfile`. + +### Local environment: + +1. Set up your Wazuh development environment. Use [Security Monitoring](https://gitlab.xlab.si/medina/security-monitoring) repository to create and deploy Vagrant box with all required components. + +2. Clone this repository. + +3. Install dependencies: ``` pip install -r requirements.txt ``` -4. Run test script +4. Run `test.py`: ``` python3 test.py ``` -### Setting up Wazuh development environment - -Use [Security Monitoring](https://gitlab.xlab.si/medina/security-monitoring) repository to create and deploy Vagrant box with all required components. +> Note: This repository consists of multiple modules. When running code manually, use of `-m` flag might be necessary. ### API User authentication -Current implementation has disabled SSL certificate verification & uses simple username/password verification. Production version should change this with cert verification. +Current implementation has disabled SSL certificate verification & uses simple username/password verification (defined inside `/constants/constants.py`). Production version should change this with cert verification. ### Manual Elasticsearch API testin with cURL 
diff --git a/constants/constants.py b/constants/constants.py new file mode 100644 index 0000000..d4185e3 --- /dev/null +++ b/constants/constants.py @@ -0,0 +1,9 @@ +WAZUH_IP = '192.168.33.10' +WAZUH_API_PORT = 55000 +WAZUH_USERNAME = 'wazuh-wui' +WAZUH_PASSWORD = 'wazuh-wui' + +ELASTIC_IP = '192.168.33.10' +ELASTIC_API_PORT = 9200 +ELASTIC_USERNAME = 'admin' +ELASTIC_PASSWORD = 'changeme' \ No newline at end of file diff --git a/evidence.py b/evidence/evidence.py similarity index 75% rename from evidence.py rename to evidence/evidence.py index d3229b0..e5e906f 100644 --- a/evidence.py +++ b/evidence/evidence.py @@ -16,6 +16,6 @@ class Evidence: def toJson(self): return json.dumps(self.__dict__) -def simple_evidence(evidence_id, timestamp, measurement_result, body): - return Evidence(evidence_id, timestamp, None, None, None, None, None, measurement_result, body) +def simple_evidence(evidence_id, timestamp, resource_id, measurement_result, body): + return Evidence(evidence_id, timestamp, resource_id, None, None, None, None, measurement_result, body) \ No newline at end of file diff --git a/test.py b/test.py index 17fc419..4c76f3a 100644 --- a/test.py +++ b/test.py @@ -1,5 +1,5 @@ import pprint -from wazuh_evidence_collector import * +from wazuh_evidence_collector.wazuh_evidence_collector import * evidences = run_full_check() diff --git a/wazuh_client.py b/wazuh_evidence_collector/wazuh_client.py similarity index 100% rename from wazuh_client.py rename to wazuh_evidence_collector/wazuh_client.py diff --git a/wazuh_evidence_collector.py b/wazuh_evidence_collector/wazuh_evidence_collector.py similarity index 92% rename from wazuh_evidence_collector.py rename to wazuh_evidence_collector/wazuh_evidence_collector.py index e9f8c77..110588a 100644 --- a/wazuh_evidence_collector.py +++ b/wazuh_evidence_collector/wazuh_evidence_collector.py 
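Review bot: The new module commits live credentials (`wazuh-wui`/`wazuh-wui`, `admin`/`changeme`) to source control, and because the Dockerfile copies the whole tree they also end up in every image layer. These look like the stack's shipped development defaults, but nothing in the code prevents the file being deployed unchanged; reading each value from the environment with the development value as fallback keeps the Vagrant workflow working while letting a real deployment inject its own settings without editing code. For production the two password entries should have no fallback at all, so a missing secret fails fast instead of silently using the default.
```python
import os

# Development defaults for the Vagrant box; set these variables in the
# environment for any other deployment (passwords ideally with no default).
WAZUH_IP = os.environ.get('WAZUH_IP', '192.168.33.10')
WAZUH_API_PORT = int(os.environ.get('WAZUH_API_PORT', '55000'))
WAZUH_USERNAME = os.environ.get('WAZUH_USERNAME', 'wazuh-wui')
WAZUH_PASSWORD = os.environ.get('WAZUH_PASSWORD', 'wazuh-wui')

ELASTIC_IP = os.environ.get('ELASTIC_IP', '192.168.33.10')
ELASTIC_API_PORT = int(os.environ.get('ELASTIC_API_PORT', '9200'))
ELASTIC_USERNAME = os.environ.get('ELASTIC_USERNAME', 'admin')
ELASTIC_PASSWORD = os.environ.get('ELASTIC_PASSWORD', 'changeme')
```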
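Review bot: `simple_evidence` still has no docstring, and with `resource_id` now inserted as the third positional parameter the nine-argument `Evidence(...)` call with four bare `None`s gives a reader no way to tell which fields stay unset without opening the class. A docstring such as `"""Build an Evidence carrying only id, timestamp, resource_id, measurement_result and body; the remaining Evidence fields are left None."""` would state the contract, and passing those fields by keyword would remove the positional counting. Because the new parameter is positional, any caller not updated in this commit fails with a TypeError rather than silently shifting arguments, which is the right failure mode; both callers visible in `wazuh_evidence_collector.py` are updated.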
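Review bot: The new import line keeps the wildcard form, `from wazuh_evidence_collector.wazuh_evidence_collector import *`, which pulls every public name of that module (including its module-level `wc` and `es` clients, per the first hunk of that file) into `test.py` and hides what the script actually depends on; the only name used in the visible lines is `run_full_check`. Importing it explicitly, `from wazuh_evidence_collector.wazuh_evidence_collector import run_full_check`, documents the dependency and still triggers the same module initialisation. The rest of `test.py` lies outside the hunk, so other names may be in use; adjust the list accordingly.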
@@ -1,17 +1,19 @@ -from wazuh_client import WazuhClient +from wazuh_evidence_collector.wazuh_client import WazuhClient from elasticsearch import Elasticsearch from elasticsearch_dsl import Search -from evidence import Evidence, simple_evidence +from evidence.evidence import Evidence, simple_evidence from random import randint from sys import maxsize from datetime import datetime +from constants.constants import * +import pprint -wc = WazuhClient('192.168.33.10', 55000, 'wazuh-wui', 'wazuh-wui') +wc = WazuhClient(WAZUH_IP, WAZUH_API_PORT, WAZUH_USERNAME, WAZUH_PASSWORD) es = Elasticsearch( - '192.168.33.10', - http_auth=('admin', 'changeme'), + ELASTIC_IP, + http_auth=(ELASTIC_USERNAME, ELASTIC_PASSWORD), scheme='https', - port=9200, + port=ELASTIC_API_PORT, use_ssl=False, verify_certs=False, ssl_show_warn=False, @@ -110,9 +112,9 @@ def wazuh_monitoring_enabled(wc, agent_id): raw_evidence.append(evidence) if result_syscheck and result_rootcheck and result_aler_integration: - return simple_evidence(get_id('05.3'), get_timestamp(), "true", raw_evidence) + return simple_evidence(get_id('05.3'), get_timestamp(), agent_id, "true", raw_evidence) else: - return simple_evidence(get_id('05.3'), get_timestamp(), "false", raw_evidence) + return simple_evidence(get_id('05.3'), get_timestamp(), agent_id, "false", raw_evidence) # Check if agent uses ClamAV or VirusTotal def malvare_protection_enabled(wc, es, agent_id): 
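Review bot: `from constants.constants import *` replaces the literal credentials with a wildcard import, so the eight configuration names this module relies on are not visible here and any name later added to the constants module silently lands in this namespace; the added `import pprint` is not used anywhere in this hunk (the rest of the module is outside the view, so it may be used further down). Prefer an explicit list: `from constants.constants import (WAZUH_IP, WAZUH_API_PORT, WAZUH_USERNAME, WAZUH_PASSWORD, ELASTIC_IP, ELASTIC_API_PORT, ELASTIC_USERNAME, ELASTIC_PASSWORD)`. Note also that `wc` and `es` are still constructed at import time, so importing this module for any purpose opens connections to both services; that is pre-existing behaviour, but it becomes more exposed now that `test.py` star-imports the module.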
@@ -174,9 +176,9 @@ def malvare_protection_enabled(wc, es, agent_id): raw_evidence.append(evidence) if result_virus_total or (result_lamd_process and result_clamd_logs): - return simple_evidence(get_id('05.4'), get_timestamp(), "true", raw_evidence) + return simple_evidence(get_id('05.4'), get_timestamp(), agent_id, "true", raw_evidence) else: - return simple_evidence(get_id('05.4'), get_timestamp(), "false", raw_evidence) + return simple_evidence(get_id('05.4'), get_timestamp(), agent_id, "false", raw_evidence) # Check last Syscheck & Rootcheck scan times # When producing 'real' evidence, make sure to provide differentiation between Syscheck and Rootcheck outputs. -- GitLab