Mozdef / tests /alerts /test_write_audit.py

Upload folder using huggingface_hub

7c89ed7 verified 3 months ago

4.3 kB

	# This Source Code Form is subject to the terms of the Mozilla Public
	# License, v. 2.0. If a copy of the MPL was not distributed with this
	# file, You can obtain one at https://mozilla.org/MPL/2.0/.
	# Copyright (c) 2017 Mozilla Corporation

	from .positive_alert_test_case import PositiveAlertTestCase
	from .negative_alert_test_case import NegativeAlertTestCase

	from .alert_test_suite import AlertTestSuite


	class TestWriteAudit(AlertTestSuite):
	alert_filename = "write_audit"
	alert_classname = 'WriteAudit'

	# This event is the default positive event that will cause the
	# alert to trigger
	default_event = {
	"_source": {
	"category": "write",
	"summary": "Write: /etc/audit/plugins.d/temp-file.conf",
	"hostname": "exhostname",
	"tags": [
	"audisp-json",
	"2.1.0",
	"audit"
	],
	"details": {
	"processname": "vi",
	"originaluser": "randomjoe",
	"user": "root",
	"auditkey": "audit",
	}
	}
	}

	# This alert is the expected result from running this task
	default_alert = {
	"category": "write",
	"severity": "WARNING",
	"summary": "5 Filesystem write(s) to an auditd path (/etc/audit/plugins.d/temp-file.conf) by root (randomjoe)",
	"tags": ['audit'],
	}

	test_cases = []

	test_cases.append(
	PositiveAlertTestCase(
	description="Positive test with default event and default alert expected",
	events=AlertTestSuite.create_events(default_event, 5),
	expected_alert=default_alert
	)
	)

	events = AlertTestSuite.create_events(default_event, 5)
	for event in events:
	event['_source']['details']['originaluser'] = 'user1'
	expected_alert = AlertTestSuite.create_alert(default_alert)
	expected_alert['severity'] = 'NOTICE'
	expected_alert['summary'] = "5 Filesystem write(s) to an auditd path (/etc/audit/plugins.d/temp-file.conf) by root (user1)"
	test_cases.append(
	PositiveAlertTestCase(
	description="Positive test with expected downgraded severity",
	events=events,
	expected_alert=expected_alert
	)
	)

	events = AlertTestSuite.create_events(default_event, 5)
	for event in events:
	event['_source']['utctimestamp'] = AlertTestSuite.subtract_from_timestamp_lambda(date_timedelta={'minutes': 1})
	event['_source']['receivedtimestamp'] = AlertTestSuite.subtract_from_timestamp_lambda(date_timedelta={'minutes': 1})
	test_cases.append(
	PositiveAlertTestCase(
	description="Positive test with events a minute earlier",
	events=events,
	expected_alert=default_alert
	)
	)

	events = AlertTestSuite.create_events(default_event, 5)
	for event in events:
	event['_source']['details']['auditkey'] = 'exec'
	test_cases.append(
	NegativeAlertTestCase(
	description="Negative test case with events with auditkey without 'audit'",
	events=events,
	)
	)

	events = AlertTestSuite.create_events(default_event, 5)
	for event in events:
	event['_source']['details']['processname'] = 'process1'
	test_cases.append(
	NegativeAlertTestCase(
	description="Negative test case with events with processname that matches exclusion of 'process1'",
	events=events,
	)
	)

	events = AlertTestSuite.create_events(default_event, 5)
	for event in events:
	event['_source']['details']['originaluser'] = None
	test_cases.append(
	NegativeAlertTestCase(
	description="Negative test case aggregation key excluded",
	events=events,
	)
	)

	events = AlertTestSuite.create_events(default_event, 5)
	for event in events:
	event['_source']['utctimestamp'] = AlertTestSuite.subtract_from_timestamp_lambda({'minutes': 20})
	event['_source']['receivedtimestamp'] = AlertTestSuite.subtract_from_timestamp_lambda({'minutes': 20})
	test_cases.append(
	NegativeAlertTestCase(
	description="Negative test case with old timestamp",
	events=events,
	)
	)