File size: 4,301 Bytes
7c89ed7 | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 | # This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at https://mozilla.org/MPL/2.0/.
# Copyright (c) 2017 Mozilla Corporation
from .positive_alert_test_case import PositiveAlertTestCase
from .negative_alert_test_case import NegativeAlertTestCase
from .alert_test_suite import AlertTestSuite
class TestWriteAudit(AlertTestSuite):
alert_filename = "write_audit"
alert_classname = 'WriteAudit'
# This event is the default positive event that will cause the
# alert to trigger
default_event = {
"_source": {
"category": "write",
"summary": "Write: /etc/audit/plugins.d/temp-file.conf",
"hostname": "exhostname",
"tags": [
"audisp-json",
"2.1.0",
"audit"
],
"details": {
"processname": "vi",
"originaluser": "randomjoe",
"user": "root",
"auditkey": "audit",
}
}
}
# This alert is the expected result from running this task
default_alert = {
"category": "write",
"severity": "WARNING",
"summary": "5 Filesystem write(s) to an auditd path (/etc/audit/plugins.d/temp-file.conf) by root (randomjoe)",
"tags": ['audit'],
}
test_cases = []
test_cases.append(
PositiveAlertTestCase(
description="Positive test with default event and default alert expected",
events=AlertTestSuite.create_events(default_event, 5),
expected_alert=default_alert
)
)
events = AlertTestSuite.create_events(default_event, 5)
for event in events:
event['_source']['details']['originaluser'] = 'user1'
expected_alert = AlertTestSuite.create_alert(default_alert)
expected_alert['severity'] = 'NOTICE'
expected_alert['summary'] = "5 Filesystem write(s) to an auditd path (/etc/audit/plugins.d/temp-file.conf) by root (user1)"
test_cases.append(
PositiveAlertTestCase(
description="Positive test with expected downgraded severity",
events=events,
expected_alert=expected_alert
)
)
events = AlertTestSuite.create_events(default_event, 5)
for event in events:
event['_source']['utctimestamp'] = AlertTestSuite.subtract_from_timestamp_lambda(date_timedelta={'minutes': 1})
event['_source']['receivedtimestamp'] = AlertTestSuite.subtract_from_timestamp_lambda(date_timedelta={'minutes': 1})
test_cases.append(
PositiveAlertTestCase(
description="Positive test with events a minute earlier",
events=events,
expected_alert=default_alert
)
)
events = AlertTestSuite.create_events(default_event, 5)
for event in events:
event['_source']['details']['auditkey'] = 'exec'
test_cases.append(
NegativeAlertTestCase(
description="Negative test case with events with auditkey without 'audit'",
events=events,
)
)
events = AlertTestSuite.create_events(default_event, 5)
for event in events:
event['_source']['details']['processname'] = 'process1'
test_cases.append(
NegativeAlertTestCase(
description="Negative test case with events with processname that matches exclusion of 'process1'",
events=events,
)
)
events = AlertTestSuite.create_events(default_event, 5)
for event in events:
event['_source']['details']['originaluser'] = None
test_cases.append(
NegativeAlertTestCase(
description="Negative test case aggregation key excluded",
events=events,
)
)
events = AlertTestSuite.create_events(default_event, 5)
for event in events:
event['_source']['utctimestamp'] = AlertTestSuite.subtract_from_timestamp_lambda({'minutes': 20})
event['_source']['receivedtimestamp'] = AlertTestSuite.subtract_from_timestamp_lambda({'minutes': 20})
test_cases.append(
NegativeAlertTestCase(
description="Negative test case with old timestamp",
events=events,
)
)
|