
Add alert for generic auditd command

pwnbus committed May 24, 2018
1 parent 7e18f9c commit c248b4919ee9fe951e1c112782ee512c14f61232
Showing with 153 additions and 0 deletions.
  1. +2 −0 alerts/auditd_commands.conf
  2. +48 −0 alerts/auditd_commands.py
  3. +103 −0 tests/alerts/test_auditd_commands.py
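--- a/alerts/auditd_commands.conf
+++ b/alerts/auditd_commands.conf
@@ -0,0 +1,2 @@
+[options]
+commands = command1,command2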
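Review bot: The committed default lists placeholder names, so a deployment that ships this file unedited matches no real process and the alert is silently inert. A comment above `commands` should state the format and that the values are placeholders, e.g. `# comma-separated process names (matched against details.processname) to alert on; replace these placeholders`. Since the alert code splits this value on commas only, the comment should also say to write the list without spaces.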
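--- a/alerts/auditd_commands.py
+++ b/alerts/auditd_commands.py
@@ -0,0 +1,48 @@
+#!/usr/bin/env python
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# Copyright (c) 2017 Mozilla Corporation
+from lib.alerttask import AlertTask
+from query_models import SearchQuery, TermMatch
+class AlertAuditdCommands(AlertTask):
+def main(self):
+self.parse_config('auditd_commands.conf', ['commands'])
+search_query = SearchQuery(minutes=30)
+auditd_match = TermMatch('category', 'auditd')
+auditd_match |= TermMatch('tags', 'audit')
+search_query.add_must(auditd_match)
+command_names_matcher = None
+for name in self.config.commands.split(","):
+if command_names_matcher is None:
+command_names_matcher = TermMatch('details.processname', name)
+else:
+command_names_matcher |= TermMatch('details.processname', name)
+search_query.add_must(command_names_matcher)
+self.filtersManual(search_query)
+self.searchEventsSimple()
+self.walkEvents()
+def onEvent(self, event):
+category = 'auditd'
+tags = ['auditd_command']
+severity = 'WARNING'
+user = event['_source']['details']['originaluser']
+host = event['_source']['hostname']
+command = event['_source']['details']['processname']
+summary = "{user} on {host} executed {command}".format(
+user=user,
+host=host,
+command=command
+)
+return self.createAlertDict(summary, category, tags, [event], severity)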
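Review bot: The names produced by `self.config.commands.split(",")` in main() are used verbatim, so a config value written as `command1, command2` yields the term ` command2` (leading space) and that command silently never matches, and an empty `commands` value produces a TermMatch on the empty string; normalise first with `names = [n.strip() for n in self.config.commands.split(',') if n.strip()]`, iterate over `names`, and fail loudly (raise or log) when the list is empty so a mis-edited config shows up as an error rather than a silent detection gap. Separately, onEvent indexes `details.originaluser` unconditionally while the query only constrains `details.processname`; if auditd events lacking that field can reach this alert (whether walkEvents isolates per-event exceptions is not visible here), the KeyError would drop the alert, so `user = event['_source']['details'].get('originaluser', 'unknown')` is the safer read. A short class docstring stating that the alert fires on any event with category auditd or tag audit whose details.processname is in the configured list, over a 30-minute window, would also help the next maintainer.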
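--- a/tests/alerts/test_auditd_commands.py
+++ b/tests/alerts/test_auditd_commands.py
@@ -0,0 +1,103 @@
+from positive_alert_test_case import PositiveAlertTestCase
+from negative_alert_test_case import NegativeAlertTestCase
+from alert_test_suite import AlertTestSuite
+class TestAlertAuditdCommands(AlertTestSuite):
+alert_filename = "auditd_commands"
+# This event is the default positive event that will cause the
+# alert to trigger
+default_event = {
+"_source": {
+"category": "auditd",
+"hostname": "host1.mozilla.com",
+"details": {
+"processname": 'command1',
+"originaluser": "ttesterson"
+}
+}
+}
+# This alert is the expected result from running this task
+default_alert = {
+"category": "auditd",
+"severity": "WARNING",
+"summary": "ttesterson on host1.mozilla.com executed command1",
+"tags": ['auditd_command'],
+}
+test_cases = []
+event = AlertTestSuite.create_event(default_event)
+test_cases.append(
+PositiveAlertTestCase(
+description="Positive test case with good event",
+events=[event],
+expected_alert=default_alert
+)
+)
+event = AlertTestSuite.create_event(default_event)
+event['_source']['category'] = "someother"
+event['_source']['tags'] = ["audit", "othervalue"]
+test_cases.append(
+PositiveAlertTestCase(
+description="Positive test case with audit in tags",
+events=[event],
+expected_alert=default_alert
+)
+)
+event = AlertTestSuite.create_event(default_event)
+event['_source']['details']['processname'] = 'command2'
+alert = AlertTestSuite.create_alert(default_alert)
+alert['summary'] = "ttesterson on host1.mozilla.com executed command2"
+test_cases.append(
+PositiveAlertTestCase(
+description="Positive test case with additional command",
+events=[event],
+expected_alert=alert
+)
+)
+event = AlertTestSuite.create_event(default_event)
+event['_source']['utctimestamp'] = AlertTestSuite.subtract_from_timestamp_lambda({'minutes': 29})
+event['_source']['receivedtimestamp'] = AlertTestSuite.subtract_from_timestamp_lambda({'minutes': 29})
+test_cases.append(
+PositiveAlertTestCase(
+description="Positive test case with event that's somewhat old",
+events=[event],
+expected_alert=default_alert
+)
+)
+event = AlertTestSuite.create_event(default_event)
+event['_source']['details']['processname'] = 'ls'
+test_cases.append(
+NegativeAlertTestCase(
+description="Negative test case with bad processname",
+events=[event],
+)
+)
+event = AlertTestSuite.create_event(default_event)
+event['_source']['category'] = "someother"
+event['_source']['tags'] = ["othervalue"]
+test_cases.append(
+NegativeAlertTestCase(
+description="Negative test case with bad tags and category",
+events=[event],
+)
+)
+event = AlertTestSuite.create_event(default_event)
+event['_source']['utctimestamp'] = AlertTestSuite.subtract_from_timestamp_lambda({'minutes': 31})
+event['_source']['receivedtimestamp'] = AlertTestSuite.subtract_from_timestamp_lambda({'minutes': 31})
+test_cases.append(
+NegativeAlertTestCase(
+description="Negative test case with an old event",
+events=[event],
+)
+)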
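Review bot: No case covers an event that satisfies the query but lacks `details.originaluser`, which is the field onEvent reads unconditionally and the query does not require; a case built from default_event with that key deleted would pin down whether such an event is expected to alert, be skipped, or is an error. The cases also only exercise exact values from the committed .conf, so nothing checks how the alert behaves when the configured list carries whitespace or is empty, assuming the suite reads the real config file (not visible here). Both are cheap to add with the existing create_event/NegativeAlertTestCase pattern.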
