From e4cd5eaede8309cf1af9c6e902e64bf61407b0a6 Mon Sep 17 00:00:00 2001
From: Zafer Balkan
Date: Wed, 20 Jul 2022 21:41:55 +0300
Subject: [PATCH 1/2] Added Wazuh Agent as a malware scanner/antivirus Solves https://github.com/CISOfy/lynis/issues/1304 Wazuh is a fork of OSSEC and is being actively maintained. Wazuh agent has capabilities to detect and prevent malware acting as an EDR. Therefore, it seems feasible to add wazuh-agent to the accepted antivirus products. https://documentation.wazuh.com/current/user-manual/capabilities/anomalies-detection/index.html https://documentation.wazuh.com/current/pci-dss/rootkit-detection.html
---
include/tests_malware | 11 +++++++++++
1 file changed, 11 insertions(+)

diff --git a/include/tests_malware b/include/tests_malware
index 40336fa5..3ddc9277 100644
--- a/include/tests_malware
+++ b/include/tests_malware
@@ -308,6 +308,17 @@
 Report "malware_scanner[]=trend-micro-av"
 fi

+ # Wazuh agent
+ LogText "Test: checking process wazuh-agent to test for Wazuh agent"
+ if IsRunning "wazuh-agent"; then
+ if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Wazuh agent" --result "${STATUS_FOUND}" --color GREEN; fi
+ LogText "Result: found Wazuh component"
+ FOUND=1
+ MALWARE_DAEMON_RUNNING=1
+ MALWARE_SCANNER_INSTALLED=1
+ Report "malware_scanner[]=wazuh"
+ fi
+
 if [ ${FOUND} -eq 0 ]; then
 LogText "Result: no commercial anti-virus tools found"
 AddHP 0 3

From 32a39eaaf884444baa7b5ec76a87b8e2990906ae Mon Sep 17 00:00:00 2001
From: Zafer Balkan
Date: Wed, 20 Jul 2022 21:50:26 +0300
Subject: [PATCH 2/2] Added Wazuh agent as a rootkit scanner Wazuh is a fork of OSSEC and is being actively maintained. Wazuh agent has capabilities to detect and prevent rootkits. Therefore, it seems feasible to add wazuh-agent to the accepted rootkit detection products. https://documentation.wazuh.com/current/pci-dss/rootkit-detection.html
---
include/tests_malware | 3 +++
1 file changed, 3 insertions(+)
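Review bot: `if IsRunning "wazuh-agent"; then` keys the whole detection on a process name that, as far as I know, no Wazuh daemon carries verbatim; the agent's processes are named wazuh-agentd, wazuh-syscheckd, wazuh-modulesd and similar. IsRunning is not in this diff, so I cannot tell whether it matches by substring (in which case wazuh-agentd is still caught) or by exact name (in which case this branch never fires); naming the real daemon, `if IsRunning "wazuh-agentd"; then`, removes the dependence on that detail and makes the preceding "Test:" log line accurate. A running process also proves neither that the agent is enrolled with and connected to a manager nor that its syscheck/rootcheck modules are enabled, so `LogText "Result: found Wazuh component"` overstates what was verified; `LogText "Result: found running Wazuh agent process (enrollment and module state not verified)"` keeps the audit log honest. The enclosing test block starts before this hunk.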
diff --git a/include/tests_malware b/include/tests_malware
index 3ddc9277..237b7cc1 100644
--- a/include/tests_malware
+++ b/include/tests_malware
@@ -43,6 +43,7 @@
 SYMANTEC_SCANNER_RUNNING=0
 SYNOLOGY_DAEMON_RUNNING=0
 TRENDMICRO_DSA_DAEMON_RUNNING=0
+ WAZUH_DAEMON_RUNNING=0
 #
 #################################################################################
 #
@@ -314,8 +315,10 @@
 if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Wazuh agent" --result "${STATUS_FOUND}" --color GREEN; fi
 LogText "Result: found Wazuh component"
 FOUND=1
+ WAZUH_DAEMON_RUNNING=1
 MALWARE_DAEMON_RUNNING=1
 MALWARE_SCANNER_INSTALLED=1
+ ROOTKIT_SCANNER_FOUND=1
 Report "malware_scanner[]=wazuh"
 fi
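Review bot: `ROOTKIT_SCANNER_FOUND=1` in the second hunk is set solely because a Wazuh process is running, but the agent's rootcheck module is a per-host configuration option that can be disabled, so the audit will report a rootkit scanner on hosts where none is actually active. Since this file only inspects the process list, a comment next to the assignment, `# NOTE: assumes rootcheck is enabled in the agent configuration; a running process alone does not prove it`, would at least record the assumption for whoever reads the report. The initialisation hunk at the top adds `WAZUH_DAEMON_RUNNING=0` but no `ROOTKIT_SCANNER_FOUND=0`; if that variable is not initialised elsewhere in the file (not visible here), a later `[ ${ROOTKIT_SCANNER_FOUND} -eq 1 ]` style test would break on hosts where the agent is absent, so please confirm it is. The enclosing test block starts before and ends after this hunk.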