import elasticsearch
import urllib3
from elasticsearch_dsl import Search
import os
from forward_evidence.resource_id_mapper import map_resource_id
WAZUH_CHECK_INTERVAL = os.environ.get("wazuh_check_interval")
WAZUH_RULE_LEVEL = int(os.environ.get("wazuh_rule_level"))
class Checker:
def __init__(self, wc, es, logger):
self.wc = wc
self.es = es
self.logger = logger
# Check if syscheck enabled
def check_syscheck(self, agent):
body = self.wc.req('GET', 'agents/' + agent[0] + '/config/syscheck/syscheck')
measurement_result = body['data']['syscheck']['disabled'] == 'no'
return body, measurement_result
# Check if rootcheck enabled
def check_rootcheck(self, agent):
body = self.wc.req('GET', 'agents/' + agent[0] + '/config/syscheck/rootcheck')
measurement_result = body['data']['rootcheck']['disabled'] == 'no'
return body, measurement_result
# Check if there's at least one valid alerting service
def check_alert_integrations(self):
body = self.wc.req('GET', 'manager/configuration')
# Check email notifications integration
try:
email_notifications = (
True if body['data']['affected_items'][0]['global']['email_notification'] == 'yes' else False)
except:
email_notifications = False
# Check Slack and PagerDuty notifications integration
try:
integrations = body['data']['affected_items'][0]['integration']
slack_notifications = pagerduty_notifications = False
for integration in integrations:
if integration['name'] == 'slack':
slack_notifications = True
if integration['name'] == 'pagerduty':
pagerduty_notifications = True
except:
slack_notifications = pagerduty_notifications = False
measurement_result = email_notifications or slack_notifications or pagerduty_notifications
return body, measurement_result
# Check for VirusTotal integration
def check_virus_total_integration(self):
body = self.wc.req('GET', 'manager/configuration')
# Check VirusTotal integration
try:
integrations = body['data']['affected_items'][0]['integration']
measurement_result = False
for integration in integrations:
if integration['name'] == 'virustotal':
measurement_result = True
break
except:
measurement_result = False
return body, measurement_result
# Check if ClamAV daemon process running
def check_clamd_process(self, agent):
body = self.wc.req('GET', 'syscollector/' + agent[0] + '/processes')
measurement_result = False
for package in body['data']['affected_items']:
if package['name'] == 'clamd':
measurement_result = True
break
return body, measurement_result
# Check ClamAV logs in Elasticsearch
def check_clamd_logs_elastic(self, agent):
s = Search(using=self.es, index="wazuh-alerts-*") \
.query("match", predecoder__program_name="clamd") \
.query("match", rule__description="Clamd restarted") \
.query("match", agent__id=agent[0])
try:
body = s.execute().to_dict()
except (elasticsearch.exceptions.ConnectionError, TimeoutError, urllib3.exceptions.NewConnectionError,
urllib3.exceptions.MaxRetryError) as err:
self.logger.error(err)
self.logger.error("Elasticsearch not available")
return None, False
measurement_result = len(body['hits']['hits']) > 0
return body, measurement_result
def check_security_events(self, agent):
query = {
"query": {
"bool": {
"must": [
{
"match": {
"agent.id": agent[0]
}
},
{
"range" : {
"rule.level" : {
"gte" : WAZUH_RULE_LEVEL
}
}
},
{
"range" : {
"@timestamp" : {
"gte" : "now-" + WAZUH_CHECK_INTERVAL + "s"
}
}
}
]
}
}
}
try:
body = self.es.search(index="wazuh-alerts-*", body=query)
except (elasticsearch.exceptions.ConnectionError, TimeoutError, urllib3.exceptions.NewConnectionError,
urllib3.exceptions.MaxRetryError) as err:
self.logger.error(err)
self.logger.error("Elasticsearch not available")
return None
self.logger.debug(map_resource_id(agent[1]) + " security events count: " + str(len(body['hits']['hits'])))
return len(body['hits']['hits'])