from cloud_one_antimalware_test import antimalwaretest
from cloud_one_ips_test import ipstest
from cloud_one_web_reputation_test import webreputationtest
from cloud_one_integrity_monitoring_test import integritymonitoringtest
from cloud_one_log_inspection_test import loginspectiontest
from cloud_one_application_control_test import applicationcontroltest
from cloud_one_docker_am_test import dockeramtest
from cloud_one_workload_security_demo_utils import getpolicyid, listpolicies, getoperatingsystem, gethostid
import deepsecurity
from deepsecurity.rest import ApiException
import sys, warnings
import time
import os.path
from os import path
import json
# This script will run tests against Deep Security or Cloud One agents to create events in the console and populate the dashboard
# Setup:
# These tests use curl and netcat, so ensure that both are installed on the system under test
# The Deep Security Agent should be installed on the machine under test and it needs to be activated with a policy assigned
# You may need to modify two lines:
# configuration.host - If you are not using Cloud One Workload Security and are using an on-premise Deep Security Manager, change the URL to point to the correct Deep Security Manager
# configuration.api_key - Modify this line with the API key you have created for your Cloud One Workload Security or Deep Security Account
# For more information on creating API keys see: https://cloudone.trendmicro.com/docs/workload-security/api-send-request/#create-an-api-key
# Running the script:
# You can run the script using: python3 cloud_one_workload_security_demo.py
# After you run the script, it will list the policies in your Cloud One Workload Security or Deep Security account
# Select the policy that is assigned to the system under test
# Confirm the system under test is correct, or if you have multiple computers with the policy assigned, select the correct system under test
# Then select which test to run:
# 1) Anti-malware
# 2) Intrusion Prevention
# 3) Integrity Monitoring
# 4) Web Reputation
# 5) Log Inspection
# 6) Application Control
# 7) Docker Anti-Malware (Supported on Linux only)
# 8) All Tests
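def _load_config(default_host):
    """Read ./config.json if present and return (tests, dsm_host, api_secret_key).

    The file is optional: when it is absent the defaults are returned and the
    script falls back to the interactive menu. Every key inside the file is
    optional as well:
      "tests"        - list of test names to run non-interactively
      "dsmHost"      - manager URL (defaults to *default_host*)
      "apiSecretKey" - API key for the account (defaults to "")

    NOTE: apiSecretKey is a credential. Keep config.json out of version
    control and readable only by the account that runs this script.
    """
    if not os.path.exists('./config.json'):
        return [], default_host, ""
    # "with" guarantees the handle is closed even if the JSON is malformed.
    with open('./config.json', 'r', encoding='utf-8') as f:
        config = json.load(f)
    tests = config.get("tests", [])
    dsm_host = config.get("dsmHost", default_host)
    api_secret_key = config.get("apiSecretKey", "")
    return tests, dsm_host, api_secret_key


def _is_linux(operating_system):
    """Return True when *operating_system* names one of the Linux flavours the
    Unix rules and the Docker anti-malware test are written for."""
    return ("ubuntu" in operating_system
            or "redhat" in operating_system
            or "amazon-linux" in operating_system)


def _prompt_for_test():
    """Print the menu and return the chosen option (1-8) as an int.

    Re-prompts until the answer is a decimal string between 1 and 8; "0" and
    non-numeric input are rejected (the original loop accepted "0" and then
    ran nothing). Option 3 (Integrity Monitoring) is disabled in this version,
    so choosing it is accepted but runs no test.
    """
    while True:
        print("The available tests are: ")
        print("1 = Anti-Malware")
        print("2 = Intrusion Prevention")
        # print("3 = Integrity Monitoring")
        print("4 = Web Reputation")
        print("5 = Log Inspection")
        print("6 = Application Control (Note: This test takes about 3 minutes to run)")
        print("7 = Docker Anti-Malware (only works on Ubuntu and Redhat)")
        print("8 = All Tests")
        print("Which test would you like to perform: ")
        user_input = input()
        # isdecimal() rather than isdigit(): int() rejects superscript digits
        # that isdigit() would let through.
        if user_input.isdecimal() and 1 <= int(user_input) <= 8:
            return int(user_input)
        print("Invalid option, please try again")


def main():
    """Entry point: select a Workload Security / Deep Security test and run it.

    Settings come from ./config.json when it exists (see _load_config);
    otherwise the user is shown an interactive menu. Every branch except
    "All Tests" finishes with sys.exit(), so one invocation runs one test.
    """
    default_host = "https://workload.us-1.cloudone.trendmicro.com:443"
    tests, dsm_host, api_secret_key = _load_config(default_host)

    # Setup and connect to Cloud One Workload Security or Deep Security
    api_version = 'v1'
    overrides = False
    if not sys.warnoptions:
        # Silences every Python warning unless -W was passed on the command
        # line. NOTE(review): this presumably also hides any TLS-related
        # warnings the API client library emits - confirm that is intended,
        # especially against an on-premise manager.
        warnings.simplefilter("ignore")
    configuration = deepsecurity.Configuration()
    configuration.host = dsm_host + '/api'
    configuration.api_key['api-secret-key'] = api_secret_key

    print("Welcome to the test suite for Cloud One Workload Security")
    print("This script works by running a set of tests and assigns rules at the policy level if necessary")

    # Get the Operating System information
    operating_system = getoperatingsystem()
    print("")
    print("The policies in your Cloud One account are:")
    # List the policies and get the policy_id
    policy_id = getpolicyid(configuration, api_version, overrides)
    # Check the hosts that the policy is applied to so we know which host
    # the tests are being run on
    host_id = gethostid(policy_id, configuration, api_version, overrides)
    print("")
    time.sleep(2)

    # Rule names the individual tests assign at policy level. The OS-specific
    # ones stay None on an unrecognised OS so the failure is reported
    # explicitly below instead of as a NameError.
    ips_rule_to_apply = "Malware Attack Detection"
    im_rule_to_apply = None  # kept for when Integrity Monitoring (option 3) is re-enabled
    li_rule_to_apply = None
    if _is_linux(operating_system):
        im_rule_to_apply = "Unix - Open Port Monitor"
        li_rule_to_apply = "Unix - Syslog"
    if "windows" in operating_system:
        im_rule_to_apply = "Microsoft Windows - 'Hosts' file modified"
        li_rule_to_apply = "Microsoft Windows Events"

    # Ask the user which test to run unless config.json already lists them.
    selected = 0
    if not tests:
        selected = _prompt_for_test()

    # Run the anti-malware test
    if selected == 1 or "Anti-Malware" in tests:
        antimalwaretest(operating_system)
        sys.exit()
    # Run the intrusion prevention test
    if selected == 2 or "Intrusion Prevention" in tests:
        ipstest(ips_rule_to_apply, policy_id, configuration, api_version, overrides, operating_system)
        sys.exit()
    # Integrity Monitoring (option 3) is disabled in this version.
    # Run the Web Reputation test
    if selected == 4 or "Web Reputation" in tests:
        webreputationtest(policy_id, configuration, api_version, overrides, operating_system)
        sys.exit()
    # Run the Log Inspection test
    if selected == 5 or "Log Inspection" in tests:
        if li_rule_to_apply is None:
            print("Log Inspection test is not available on this operating system")
            sys.exit(1)
        loginspectiontest(li_rule_to_apply, policy_id, configuration, api_version, overrides, operating_system)
        sys.exit()
    # Run the Application Control test
    if selected == 6 or "Application Control" in tests:
        applicationcontroltest(host_id, policy_id, configuration, api_version, overrides, operating_system)
        sys.exit()
    # Run the Docker antimalware test
    if selected == 7 or "Docker Anti-Malware" in tests:
        dockeramtest(host_id, policy_id, configuration, api_version, overrides, operating_system)
        sys.exit()
    # Run all tests
    if selected == 8 or "All Tests" in tests:
        print("Running all tests")
        antimalwaretest(operating_system)
        ipstest(ips_rule_to_apply, policy_id, configuration, api_version, overrides, operating_system)
        webreputationtest(policy_id, configuration, api_version, overrides, operating_system)
        if li_rule_to_apply is None:
            print("Log Inspection test is not available on this operating system")
        else:
            loginspectiontest(li_rule_to_apply, policy_id, configuration, api_version, overrides, operating_system)
        applicationcontroltest(host_id, policy_id, configuration, api_version, overrides, operating_system)
        # The Docker test only applies to the supported Linux distributions.
        if _is_linux(operating_system):
            dockeramtest(host_id, policy_id, configuration, api_version, overrides, operating_system)
        sys.exit()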
# Run the menu only when executed as a script, not when imported as a module.
if __name__ == "__main__":
    main()