From 31d976276633843668973eb82929efe2670844e8 Mon Sep 17 00:00:00 2001
From: Cory Francis Myers
Date: Mon, 16 Oct 2023 17:16:24 -0700
Subject: [PATCH] test(ossec): test alerts from "disconnected submissions" checks

"manage.py check-disconnected-fs-{db,fs}-submissions" has output whether or not there are disconnected submissions, so OSSEC matches on the actual output, not just the presence of it. Here we test both cases for both checks, since they have different output.
---
 molecule/testinfra/vars/staging.yml | 33 +++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/molecule/testinfra/vars/staging.yml b/molecule/testinfra/vars/staging.yml
index c2bf91d776d..fc98f372b46 100644
--- a/molecule/testinfra/vars/staging.yml
+++ b/molecule/testinfra/vars/staging.yml
@@ -146,6 +146,21 @@ log_events_without_ossec_alerts:
     level: "0"
     rule_id: "199996"
 
+  # OSSEC should not alert when "manage.py check-disconnected-{db,fs}-
+  # submissions" has logged that there are no disconnected submissions.
+  - name: test_no_disconnected_db_submissions_produces_alert
+    alert: >
+      ossec: output: 'cat /var/lib/securedrop/disconnected_db_submissions.txt':
+      No problems were found. All submissions' files are present.
+    level: "1"
+    rule_id: "400800"
+  - name: test_disconnected_fs_submissions_produces_alert
+    alert: >
+      ossec: output: 'cat /var/lib/securedrop/disconnected_fs_submissions.txt':
+      No unexpected files were found in the store.
+    level: "1"
+    rule_id: "400801"
+
 # Log events we expect an OSSEC alert to occur for
 log_events_with_ossec_alerts:
   # Check that a denied RWX mmaping would produce an OSSEC alert
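Review bot: The second entry in this hunk is named `test_disconnected_fs_submissions_produces_alert`, which is also the name the positive fs case gets under log_events_with_ossec_alerts in the next hunk, while its db sibling in this no-alert list is `test_no_disconnected_db_submissions_produces_alert`; the no-alert fs case should follow that pattern, `- name: test_no_disconnected_fs_submissions_produces_alert`, so the two lists do not share an id. If these names surface as parametrized test ids, as the name key suggests, a failure in either list would otherwise be reported under the same name and be hard to attribute. As a point of style, the comment splits the command name across lines as `check-disconnected-{db,fs}-` / `submissions`, whereas the next hunk keeps it whole; keeping it on one line here makes it greppable.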
@@ -215,6 +230,24 @@ log_events_with_ossec_alerts:
     level: "7"
     rule_id: "400700"
 
+  # OSSEC should alert when "manage.py check-disconnected-{db,fs}-submissions"
+  # has logged that there are disconnected submissions.
+  - name: test_disconnected_db_submissions_produces_alert
+    alert: >
+      ossec: output: 'cat /var/lib/securedrop/disconnected_db_submissions.txt':
+      There are submissions in the database with no corresponding files. Run
+      "manage.py list-disconnected-db-submissions" for details.
+    level: "1"
+    rule_id: "400800"
+  - name: test_disconnected_fs_submissions_produces_alert
+    alert: >
+      ossec: output: 'cat /var/lib/securedrop/disconnected_fs_submissions.txt':
+      There are files in the submission area with no corresponding records in
+      the database. Run "manage.py list-disconnected-fs-submissions" for
+      details.
+    level: "1"
+    rule_id: "400801"
+
 fpf_apt_repo_url: "https://apt-test.freedom.press"
 daily_reboot_time: "4"
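Review bot: Both positive cases pin `level: "1"` for rules 400800 and 400801, the lowest OSSEC severity; if that mirrors the deployed rules, a finding that the submission database and the file store have diverged is recorded below OSSEC's default email_alert_level (7) and would reach nobody unless the rule or the notification threshold is tuned elsewhere, so it is worth confirming that "1" is the intended level rather than a value carried over from the no-alert entries. The rule definitions are not part of this change, so that is inferred from the level value alone. Also, the expected text is replayed into OSSEC from this file rather than taken from the checks themselves, so if the manage.py wording changes and the rule is not updated, these tests keep passing while the production alert goes quiet; a comment such as `# Keep in sync with the output of "manage.py check-disconnected-{db,fs}-submissions"` above each pair would make that coupling visible.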