tis-wazuh-plugin-import-from-wazuh
20-1
Plugin for importing wazuh breaches in wapt data audit
1070 téléchargements
Télécharger
Voir le résultat de la construction Voir l'analyse de VirusTotal
- package : tis-wazuh-plugin-import-from-wazuh
- name : Plugin Import Wazuh
- version : 20-1
- categories :
- maintainer : Simon Fonteneau ,Tranquil IT
- editor :
- licence :
- locale :
- target_os : all
- impacted_process :
- architecture : all
- signature_date : 2025-04-09 16:12
- size : 7.17 Ko
package : tis-wazuh-plugin-import-from-wazuh
version : 20-1
architecture : all
section : base
priority : optional
name : Plugin Import Wazuh
categories :
maintainer : Simon Fonteneau ,Tranquil IT
description : Plugin for importing wazuh breaches in wapt data audit
depends :
conflicts :
maturity : PROD
locale :
target_os : all
min_wapt_version :
sources :
installed_size :
impacted_process :
description_fr :
description_pl :
description_de :
description_es :
description_pt :
description_it :
description_nl :
description_ru :
audit_schedule : 1h
editor :
keywords :
licence :
homepage :
package_uuid : 20a53641-d1a6-4fc9-89da-443eb043ebe2
valid_from :
valid_until :
forced_install_on :
changelog :
min_os_version :
max_os_version :
icon_sha256sum : ab03226aa75b0f33fcb7fe327fa164535e5410d0b5cbe02fdd5e124a017f9cb9
signer : Tranquil IT
signer_fingerprint: 8c5127a75392be9cc9afd0dbae1222a673072c308c14d88ab246e23832e8c6bb
signature_date : 2025-04-09T16:12:37.000000
signed_attributes : package,version,architecture,section,priority,name,categories,maintainer,description,depends,conflicts,maturity,locale,target_os,min_wapt_version,sources,installed_size,impacted_process,description_fr,description_pl,description_de,description_es,description_pt,description_it,description_nl,description_ru,audit_schedule,editor,keywords,licence,homepage,package_uuid,valid_from,valid_until,forced_install_on,changelog,min_os_version,max_os_version,icon_sha256sum,signer,signer_fingerprint,signature_date,signed_attributes
signature : SDayCWdaEYV2FM5lo1ADTHRWSx8h0BlOHu47yD/1Dh6KF9S5GG+/tg4TFCplV2auTF29zZSdlo2YsDIpXb5jG4Ee3mzXGHFJQ8tIJNIBUC9TfxnzVWbeYGrAC1fPHW0K87TFW0G+wr3nmz8+yw/D8El1stzq2cpXIiPkiXoYJSD6WN30x7PXvgBIjssk34LQ3zPATKbeoxjpRHE3VSUKqUy2jgmp0z/W8qYmu8DIyUpfn1zNfmoTo1U7O09UmTtj1ei5qCmuypD4mzVbxxlVcct6hm5oehysA2fq1gnp0sdx/EjJCO5tCtVAvt1oisfqQCJstqYle/xpInA46vcZAg==# -*- coding: utf-8 -*-
from setuphelpers import *
from configparser import ConfigParser
from waptutils import get_verify_cert
from common import get_requests_client_cert_session
import platform
import waptlicences
import json
import concurrent.futures
import requests
from requests.auth import HTTPBasicAuth
import datetime
simultaneous_maximum_send=10
def audit():
CONFWAPT = ConfigParser()
CONFWAPT.read(makepath(WAPT.private_dir, "wapt_api.ini"))
username_wapt = CONFWAPT.get("wapt", "username")
password_wapt = CONFWAPT.get("wapt", "password")
srvwapt_url = CONFWAPT.get("wapt", "url")
t = waptlicences.waptserver_login(WAPT.config_filename,username_wapt,password_wapt)
if not 'session' in t['session_cookies']:
session_cookies = [u for u in t['session_cookies'] if u['Domain'] == WAPT.waptserver.server_url.split('://')[-1]][0]
else:
session_cookies = t['session_cookies']['session']
session_cookies['Name'] = 'session'
sessionwapt = get_requests_client_cert_session(WAPT.waptserver.server_url,cert=(t['client_certificate'],t['client_private_key'],t['client_private_key_password']),verify=WAPT.waptserver.verify_cert)
sessionwapt.cookies.set(session_cookies['Name'], session_cookies['Value'], domain=session_cookies['Domain'])
sessionwapt.verify = WAPT.waptserver.verify_cert
CONFWAZUH = ConfigParser()
CONFWAZUH.read(makepath(WAPT.private_dir, "elastic_wazuh_api.ini"))
url_elastic = CONFWAZUH.get("elastic", "url")
username_elastic = CONFWAZUH.get("elastic", "username")
password_elastic = CONFWAZUH.get("elastic", "password")
instance_name_elastic = CONFWAZUH.get("elastic", "instance_name")
if CONFWAZUH.has_option("elastic", 'verify_cert'):
verify_cert_wz = get_verify_cert(CONFWAZUH.get("elastic", 'verify_cert'))
else:
verify_cert_wz = True
dict_hostname_uuid = {}
for pc in json.loads(sessionwapt.get("%s/api/v3/hosts?&limit=1000000" % WAPT.waptserver.server_url).content)["result"]:
dict_hostname_uuid[str(pc["computer_name"]).lower()] = pc["uuid"]
list_error = []
list_run = []
for hostname, uuid in dict_hostname_uuid.items():
list_run.append({
"sessionwapt": sessionwapt,
"dict_hostname_uuid": {hostname: uuid},
"WAPT": WAPT,
"hostname":hostname,
"list_error":list_error,
"url_elastic": url_elastic,
"username_elastic" : username_elastic,
"password_elastic" : password_elastic,
"instance_name_elastic" : instance_name_elastic,
"verify_cert_wz" : verify_cert_wz
})
results = []
with concurrent.futures.ThreadPoolExecutor(simultaneous_maximum_send) as executor:
futures = {executor.submit(import_from_wazuh, **g): g for g in list_run}
for future in concurrent.futures.as_completed(futures):
results.append(future.result())
waptlicences.waptserver_logout(WAPT.config_filename)
if list_error:
print(" \n".join(list_error))
return "ERROR"
else:
return "OK"
def import_from_wazuh(sessionwapt=None,url_elastic=None,username_elastic=None,password_elastic=None,instance_name_elastic=None,dict_hostname_uuid=None,WAPT=None,hostname=None,list_error=None,verify_cert_wz=True):
waptdata = []
try:
# URL d'accès à l'index Elasticsearch pour les vulnérabilités
url = f"{url_elastic}/wazuh-states-vulnerabilities-{instance_name_elastic}/_search"
# Construction de la requête avec un filtre sur l'agent si nécessaire
query = {
"_source": [
"agent.id",
"agent.name",
"vulnerability.id",
"vulnerability.severity",
"vulnerability.reference",
"vulnerability.score.base",
"package.name",
"package.version"
],
"size": 100,
"sort": [
{
"_score": {
"order": "desc"
}
}
],
"query": {
"wildcard": {
"agent.name": {
"value": hostname,
"case_insensitive": True
}
}
}
}
# Envoi de la requête GET à Elasticsearch
response = requests.get(url, auth=HTTPBasicAuth(username_elastic, password_elastic), headers={'Content-Type': 'application/json'}, json=query, verify=verify_cert_wz)
response.raise_for_status()
data = response.json()
vulnerabilities = data.get('hits', {}).get('hits', [])
result = {"cve":{},"max_score_base":0,"status":"compliant" ,"list_patch": {}}
for vuln in vulnerabilities:
source = vuln["_source"]
cve_id = source.get("vulnerability", {}).get("id")
score_base = source.get("vulnerability", {}).get("score").get("base")
package_name = source.get("package", {}).get("name")
result['cve'][cve_id] = {
"agent_id": source.get("agent", {}).get("id"),
"agent_name": source.get("agent", {}).get("name"),
"score_base": score_base,
"vulnerability_id": cve_id,
"package_name": package_name,
"package_version": source.get("package", {}).get("version"),
"severity": source.get("vulnerability", {}).get("severity"),
"reference": source.get("vulnerability", {}).get("reference")
}
if package_name :
result['list_patch'][package_name.replace(' ','_')] = package_name
result['status'] = 'vulnerable'
if score_base > result['max_score_base']:
result['max_score_base'] = score_base
result['list_patch_list'] = list(result['list_patch'])
##################################################################
waptdata.append(
{
"host_id": dict_hostname_uuid[str(hostname).lower()],
"value_id": int(time.monotonic() * 1000),
"value_date": datetime2isodate(datetime.datetime.utcnow()),
"value_section": "wazuh",
"value_key": "wazuh",
"value": result,
"expiration_date": datetime2isodate(datetime.datetime.utcnow() + datetime.timedelta(minutes=1440)),
}
)
print("Get %s from wazuh" % str(hostname).lower())
time.sleep(0.0000001)
except Exception as e:
list_error.append("Error %s %s" % (str(hostname).lower(), str(e)))
sessionwapt.post("%s/api/v3/update_hosts_audit_data" % WAPT.waptserver.server_url, data=json.dumps(waptdata))
def install():
if not isfile(makepath(WAPT.private_dir, "elastic_wazuh_api.ini")):
filecopyto("elastic_wazuh_api.ini", makepath(WAPT.private_dir, "elastic_wazuh_api.ini"))
if not isfile(makepath(WAPT.private_dir, "wapt_api.ini")):
filecopyto("wapt_api.ini", makepath(WAPT.private_dir, "wapt_api.ini"))
def list_to_dict(newkey=None, listconvert=None):
newdict = {}
for p in listconvert:
newdict[p[newkey]] = p
return newdict
38d056ab130f7bf7c481c12636a4e9959de36561d3dfcbe54c6e3571bc0c1dc3 : WAPT/certificate.crt
12e47d258304c0f2b317f64e0c6a99174dca337cfe5afd6c2d719c7e53b77e8b : WAPT/control
ab03226aa75b0f33fcb7fe327fa164535e5410d0b5cbe02fdd5e124a017f9cb9 : WAPT/icon.png
1fe22e49e9af3a5269c6eaade15dcf242cd8146c39ce28fd98148e687b1afe9a : elastic_wazuh_api.ini
aa1684b6dc1bb90c1547d5da2e850cda3357d461a9ff1a1a6d0203a667b23295 : luti.json
cc7a6f278b60d25daffe9c54484c4f1297834235719db46404b1b82cc7cb0a78 : setup.py
cb302f842cf1695f553389a436898f9e580d7d866a6726789dca1994a55e9c3c : wapt_api.ini