File size: 6,240 Bytes
7c89ed7 | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 | #!/usr/bin/env python
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at https://mozilla.org/MPL/2.0/.
# Copyright (c) 2017 Mozilla Corporation
from .positive_alert_test_case import PositiveAlertTestCase
from .negative_alert_test_case import NegativeAlertTestCase
from .alert_test_suite import AlertTestSuite
class TestSessionOpenedUser(AlertTestSuite):
alert_filename = "session_opened_sensitive_user"
# This event is the default positive event that will cause the
# alert to trigger
default_event = {
"_source": {
"category": "syslog",
"hostname": "exhostname",
"summary": 'pam_unix(sshd:session): session opened for user user1 by (uid=0)',
"details": {
"program": "sshd",
}
}
}
# This alert is the expected result from running this task
default_alert = {
"category": "session",
"severity": "WARNING",
"tags": ['pam', 'syslog'],
"summary": "Session opened by a sensitive user outside of the expected window - sample hosts: exhostname [total 10 hosts]"
}
test_cases = []
test_cases.append(
PositiveAlertTestCase(
description="Positive test with default event and default alert expected",
events=AlertTestSuite.create_events(default_event, 10),
expected_alert=default_alert
)
)
events = AlertTestSuite.create_events(default_event, 10)
for event in events:
event['_source']['utctimestamp'] = AlertTestSuite.subtract_from_timestamp_lambda(date_timedelta={'minutes': 1})
event['_source']['receivedtimestamp'] = AlertTestSuite.subtract_from_timestamp_lambda(date_timedelta={'minutes': 1})
test_cases.append(
PositiveAlertTestCase(
description="Positive test with events a minute earlier",
events=events,
expected_alert=default_alert
)
)
events = AlertTestSuite.create_events(default_event, 10)
for event in events:
event['_source']['summary'] = 'pam_unix(sshd:session): session opened for user user2 by (uid=0)'
test_cases.append(
PositiveAlertTestCase(
description="Positive test with events with a user 'user2'",
events=events,
expected_alert=default_alert
)
)
events = AlertTestSuite.create_events(default_event, 10)
for event in events:
event['_source']['summary'] = 'pam_unix(sshd:session): session opened for user user1 by (uid=0)'
test_cases.append(
PositiveAlertTestCase(
description="Positive test with events with a user 'user1'",
events=events,
expected_alert=default_alert
)
)
events = AlertTestSuite.create_events(default_event, 10)
randomhostsalert = AlertTestSuite.copy(default_alert)
randomhostsalert['summary'] = "Session opened by a sensitive user outside of the expected window - sample hosts:"
for event in events:
randomhostname = 'host' + str(events.index(event))
event['_source']['hostname'] = randomhostname
randomhostsalert['summary'] += ' {0}'.format(randomhostname)
randomhostsalert['summary'] += " [total 10 hosts]"
test_cases.append(
PositiveAlertTestCase(
description="Positive test with events with a user 'user1'",
events=events,
expected_alert=randomhostsalert
)
)
events = AlertTestSuite.create_events(default_event, 10)
for event in events:
event['_source']['summary'] = 'pam_unix(sshd:session): session opened for user user3 by (uid=0)'
test_cases.append(
NegativeAlertTestCase(
description="Negative test with wrong username",
events=events
)
)
events = AlertTestSuite.create_events(default_event, 10)
for event in events:
event['_source']['utctimestamp'] = AlertTestSuite.create_timestamp_from_now_lambda(hour=3, minute=45, second=30)
event['_source']['receivedtimestamp'] = AlertTestSuite.create_timestamp_from_now_lambda(hour=3, minute=45, second=30)
test_cases.append(
NegativeAlertTestCase(
description="Negative test with events inside whitelisted time",
events=events,
)
)
events = AlertTestSuite.create_events(default_event, 10)
for event in events:
event['_source']['summary'] = 'login failed'
test_cases.append(
NegativeAlertTestCase(
description="Negative test with events with a summary of 'login failed'",
events=events
)
)
events = AlertTestSuite.create_events(default_event, 10)
for event in events:
event['_source']['category'] = 'badcategory'
test_cases.append(
NegativeAlertTestCase(
description="Negative test case with events with wrong category",
events=events,
)
)
events = AlertTestSuite.create_events(default_event, 10)
for event in events:
event['_source']['details']['program'] = 'ssh'
test_cases.append(
NegativeAlertTestCase(
description="Negative test case with events with wrong program",
events=events,
)
)
events = AlertTestSuite.create_events(default_event, 10)
for event in events:
event['_source']['summary'] = 'pam_unix(sshd:session): session closed for user user1 by (uid=0)'
test_cases.append(
NegativeAlertTestCase(
description="Negative test case with events with 'session closed' summary",
events=events,
)
)
events = AlertTestSuite.create_events(default_event, 10)
for event in events:
event['_source']['utctimestamp'] = AlertTestSuite.subtract_from_timestamp_lambda({'minutes': 15})
event['_source']['receivedtimestamp'] = AlertTestSuite.subtract_from_timestamp_lambda({'minutes': 15})
test_cases.append(
NegativeAlertTestCase(
description="Negative test case with old timestamp",
events=events,
)
)
|