import copy

from mozdef_util.utilities.toUTC import toUTC
from mq.plugins.stackdriver import message
|
|
|
|
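class TestStackDriver(object):
    """Tests for the Stackdriver (GCP Cloud Audit Log) message plugin.

    Every test feeds an event dict and its index metadata through the
    plugin's ``onMessage`` hook and checks what comes back.  Two behaviours
    are pinned: a ``pubsub``-tagged Cloud Audit Log event is normalised
    (``category`` becomes ``data_access`` and ``receivedtimestamp`` stays a
    round-trippable ISO-8601 string, with the index metadata untouched),
    while syslog and auditd events that merely mention "pubsub" or
    "stackdriver" in their text must pass through unchanged.
    """

    def setup(self):
        """Nose-style fixture, kept for runners that still call it.

        Builds a fresh plugin instance and the index metadata every test
        starts from.  pytest itself reaches this through ``setup_method``.
        """
        self.plugin = message()
        self.metadata = {"index": "events"}

    def setup_method(self, method=None):
        """pytest per-test fixture hook.

        pytest 7.2 deprecated the nose-style ``setup`` name and pytest 8 no
        longer calls it, so the fixture must be reachable under this name.
        When ``setup_method`` is defined pytest ignores ``setup``, so the
        plugin is constructed once per test, not twice.
        """
        self.setup()

    @staticmethod
    def stackdriver_event():
        """Return a fresh Cloud Audit Log ``data_access`` event as delivered via Pub/Sub.

        A new dict is built on every call: ``onMessage`` may modify the event
        it is handed, and sharing one literal between tests would let one
        test's changes leak into the next.  The principal, caller IP, user
        agent and project id are sample fixture values, not live identities.
        """
        return {
            "receivedtimestamp": "2019-11-21T22:43:10.041549+00:00",
            "mozdefhostname": "mozdefqa2.private.mdc1.mozilla.com",
            "details": {
                "insertId": "-81ga0vdqblo",
                "logName": "projects/mcd-001-252615/logs/cloudaudit.googleapis.com%2Fdata_access",
                "protoPayload": {
                    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
                    "authenticationInfo": {"principalEmail": "mpurzynski@gcp.infra.mozilla.com"},
                    "authorizationInfo": [
                        {
                            "granted": True,
                            "permission": "compute.instances.list",
                            "resourceAttributes": {
                                "name": "projects/mcd-001-252615",
                                "service": "resourcemanager",
                                "type": "resourcemanager.projects",
                            },
                        }
                    ],
                    "methodName": "beta.compute.instances.aggregatedList",
                    "numResponseItems": "61",
                    "request": {"@type": "type.googleapis.com/compute.instances.aggregatedList"},
                    "requestMetadata": {
                        "callerIp": "2620:101:80fb:224:2864:cebc:a1e:640c",
                        "callerSuppliedUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0,gzip(gfe),gzip(gfe)",
                        "destinationAttributes": {},
                        "requestAttributes": {"auth": {}, "time": "2019-11-21T22:42:26.336Z"},
                    },
                    "resourceLocation": {"currentLocations": ["global"]},
                    "resourceName": "projects/mcd-001-252615/global/instances",
                    "serviceName": "compute.googleapis.com",
                },
                "receiveTimestamp": "2019-11-21T22:42:26.904624537Z",
                "resource": {
                    "labels": {
                        "location": "global",
                        "method": "compute.instances.aggregatedList",
                        "project_id": "mcd-001-252615",
                        "service": "compute.googleapis.com",
                        "version": "beta",
                    },
                    "type": "api",
                },
                "severity": "INFO",
                "timestamp": "2019-11-21T22:42:25.759Z",
            },
            "tags": ["projects/mcd-001-252615/subscriptions/mozdefsubscription", "pubsub"],
        }

    def test_nodetails_log(self):
        """A pubsub-tagged event that carries no ``details`` comes back unchanged."""
        metadata = {"index": "events"}
        event = {"tags": "pubsub"}
        # Snapshot before the call: if onMessage edits the dict in place and
        # returns it, ``result == event`` would compare the object with itself
        # and could never fail.
        expected = copy.deepcopy(event)

        result, metadata = self.plugin.onMessage(event, metadata)

        assert result == expected

    def verify_metadata(self, metadata):
        """Assert the plugin left the index metadata pointing at ``events``."""
        assert metadata["index"] == "events"

    def verify_defaults(self, result):
        """Assert the fields the plugin fills in for an audit-log event.

        ``category`` must be ``data_access`` and ``receivedtimestamp`` must
        survive a parse/format round trip through ``toUTC`` unchanged, i.e.
        it is already a normalised ISO-8601 string.
        """
        assert result["category"] == "data_access"
        assert toUTC(result["receivedtimestamp"]).isoformat() == result["receivedtimestamp"]

    def test_defaults(self):
        """A full Cloud Audit Log event gets the default fields and keeps its index."""
        event = self.stackdriver_event()

        result, metadata = self.plugin.onMessage(event, self.metadata)
        self.verify_defaults(result)
        self.verify_metadata(metadata)

    def test_nomatch_syslog(self):
        """A syslog event is not a Stackdriver payload and must pass through untouched.

        The summary deliberately contains the words "pubsub" and
        "stackdriver" so that a plugin matching on free text instead of the
        tags/details structure would be caught here.
        """
        event = {
            "category": "syslog",
            "processid": "0",
            "receivedtimestamp": "2017-09-26T00:22:24.210945+00:00",
            "severity": "7",
            "utctimestamp": "2017-09-26T00:22:23+00:00",
            "timestamp": "2017-09-26T00:22:23+00:00",
            "hostname": "something1.test.com",
            "mozdefhostname": "something1.test.com",
            "summary": "Connection from 10.22.74.208 port 9071 on 10.22.74.45 pubsub stackdriver port 22\n",
            "eventsource": "systemslogs",
            "tags": "something",
            "details": {
                "processid": "21233",
                "sourceipv4address": "10.22.74.208",
                "hostname": "hostname1.subdomain.domain.com",
                "program": "sshd",
                "sourceipaddress": "10.22.74.208",
            },
        }
        # Snapshot so the equality check is meaningful even if onMessage
        # returns the very dict it was given.
        expected = copy.deepcopy(event)
        result, metadata = self.plugin.onMessage(event, self.metadata)
        assert result["category"] == "syslog"
        assert result["eventsource"] == "systemslogs"
        assert result == expected

    def test_nomatch_auditd(self):
        """An auditd execve event must pass through untouched.

        "pubsub" and "stackdriver" appear as ``originaluser`` and
        ``parentprocess`` values to make sure matching is structural, not a
        substring search over the event.
        """
        event = {
            "category": "execve",
            "processid": "0",
            "receivedtimestamp": "2017-09-26T00:36:27.463745+00:00",
            "severity": "INFO",
            "utctimestamp": "2017-09-26T00:36:27+00:00",
            "tags": ["audisp-json", "2.1.1", "audit"],
            "summary": "Execve: sh -c sudo squid proxy /usr/lib64/nagios/plugins/custom/check_auditd.sh",
            "processname": "audisp-json",
            "details": {
                "fsuid": "398",
                "tty": "(none)",
                "uid": "398",
                "process": "/bin/bash",
                "auditkey": "exec",
                "pid": "10553",
                "processname": "sh",
                "session": "16467",
                "fsgid": "398",
                "sgid": "398",
                "auditserial": "3834716",
                "inode": "1835094",
                "ouid": "0",
                "ogid": "0",
                "suid": "398",
                "originaluid": "0",
                "gid": "398",
                "originaluser": "pubsub",
                "ppid": "10552",
                "cwd": "/",
                "parentprocess": "stackdriver",
                "euid": "398",
                "path": "/bin/sh",
                "rdev": "00:00",
                "dev": "08:03",
                "egid": "398",
                "command": "sh -c sudo /usr/lib64/nagios/plugins/custom/check_auditd.sh",
                "mode": "0100755",
                "user": "squid",
            },
        }
        # Snapshot so the equality check is meaningful even if onMessage
        # returns the very dict it was given.
        expected = copy.deepcopy(event)
        result, metadata = self.plugin.onMessage(event, self.metadata)
        assert result["category"] == "execve"
        assert "eventsource" not in result
        assert result == expected

    def test_stackdriver(self):
        """The audit-log payload is categorised and its protoPayload type is preserved."""
        event = self.stackdriver_event()

        result, metadata = self.plugin.onMessage(event, self.metadata)
        assert result["category"] == "data_access"
        assert result["details"]["protoPayload"]["@type"] == "type.googleapis.com/google.cloud.audit.AuditLog"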
|
|