def testAssertCheckUndetected(self):
"""Tests for the asertCheckUndetected() method."""
anomaly = {
"finding": ["Adware 2.1.1 is installed"],
"symptom": "Found: Malicious software.",
"type": "ANALYSIS_ANOMALY"
}
# Simple no anomaly case.
no_anomaly = {"SW-CHECK": checks.CheckResult(check_id="SW-CHECK")}
self.assertCheckUndetected("SW-CHECK", no_anomaly)
# The case were there is an anomaly in the results, just not the check
# we are looking for.
other_anomaly = {
"SW-CHECK":
checks.CheckResult(check_id="SW-CHECK"),
"OTHER":
checks.CheckResult(
check_id="OTHER", anomaly=rdf_anomaly.Anomaly(**anomaly))
}
self.assertCheckUndetected("SW-CHECK", other_anomaly)
# Check the simple failure case works.
has_anomaly = {
"SW-CHECK":
checks.CheckResult(
check_id="SW-CHECK", anomaly=rdf_anomaly.Anomaly(**anomaly))
}
self.assertRaises(AssertionError, self.assertCheckUndetected, "SW-CHECK",
has_anomaly)
def testAssertRanChecks(self):
"""Tests for the assertRanChecks() method."""
no_checks = {}
some_checks = {"EXISTS": checks.CheckResult(check_id="EXISTS")}
self.assertRanChecks(["EXISTS"], some_checks)
self.assertRaises(AssertionError, self.assertRanChecks, ["EXISTS"],
no_checks)
self.assertRaises(AssertionError, self.assertRanChecks, ["FOOBAR"],
some_checks)
def testExtendAnomalies(self):
anomaly1 = {
"finding": ["Adware 2.1.1 is installed"],
"symptom": "Found: Malicious software.",
"explanation": "Remove software.",
"type": "ANALYSIS_ANOMALY"
}
anomaly2 = {
"finding": ["Java 6.0.240 is installed"],
"symptom": "Found: Old Java installation.",
"explanation": "Update Java.",
"type": "ANALYSIS_ANOMALY"
}
result = checks.CheckResult(check_id="SW-CHECK",
anomaly=rdf_anomaly.Anomaly(**anomaly1))
other = checks.CheckResult(check_id="SW-CHECK",
anomaly=rdf_anomaly.Anomaly(**anomaly2))
result.ExtendAnomalies(other)
expect = {"check_id": "SW-CHECK", "anomaly": [anomaly1, anomaly2]}
self.assertDictEqual(expect, result.ToPrimitiveDict())
def _CheckMultipleSymPerCheck(self, check_id, results, sym_list,
found_list):
"""Ensure results for a check containing multiple symptoms match."""
anom = []
for sym, found in zip(sym_list, found_list):
anom.append(
rdf_anomaly.Anomaly(symptom=sym,
finding=found,
type="ANALYSIS_ANOMALY"))
expected = checks.CheckResult(check_id=check_id, anomaly=anom)
self.assertResultEqual(expected, results[check_id])
def setUp(self):
super(ProcessHostDataTests, self).setUp()
registered = checks.CheckRegistry.checks.keys()
if "SW-CHECK" not in registered:
checks.LoadChecksFromFiles([os.path.join(CHECKS_DIR, "sw.yaml")])
if "SSHD-CHECK" not in registered:
checks.LoadChecksFromFiles([os.path.join(CHECKS_DIR, "sshd.yaml")])
self.netcat = checks.CheckResult(
check_id="SW-CHECK",
anomaly=[
rdf_anomaly.Anomaly(
finding=["netcat-traditional 1.10-40 is installed"],
symptom="Found: l337 software installed",
type="ANALYSIS_ANOMALY")
])
self.sshd = checks.CheckResult(
check_id="SSHD-CHECK",
anomaly=[
rdf_anomaly.Anomaly(
finding=["Configured protocols: 2,1"],
symptom="Found: Sshd allows protocol 1.",
type="ANALYSIS_ANOMALY")
])
self.windows = checks.CheckResult(
check_id="SW-CHECK",
anomaly=[
rdf_anomaly.Anomaly(
finding=["Java 6.0.240 is installed"],
symptom="Found: Old Java installation.",
type="ANALYSIS_ANOMALY"),
rdf_anomaly.Anomaly(
finding=["Adware 2.1.1 is installed"],
symptom="Found: Malicious software.",
type="ANALYSIS_ANOMALY")
])
self.data = {
"WMIInstalledSoftware": self.SetArtifactData(parsed=GetWMIData()),
"DebianPackagesStatus": self.SetArtifactData(parsed=GetDPKGData()),
"SshdConfigFile": self.SetArtifactData(parsed=GetSSHDConfig())
}
def testAssertCheckDetectedAnom(self):
"""Tests for the assertCheckDetectedAnom() method."""
# Check we fail when our checkid isn't in the results.
no_checks = {}
self.assertRaises(
AssertionError,
self.assertCheckDetectedAnom,
"UNICORN",
no_checks,
sym=None,
findings=None)
# Check we fail when our checkid is in the results but hasn't
# produced an anomaly.
passing_checks = {"EXISTS": checks.CheckResult(check_id="EXISTS")}
self.assertRaises(
AssertionError,
self.assertCheckDetectedAnom,
"EXISTS",
passing_checks,
sym=None,
findings=None)
# On to a 'successful' cases.
anomaly = {
"finding": ["Finding"],
"symptom": "Found: An issue.",
"type": "ANALYSIS_ANOMALY"
}
failing_checks = {
"EXISTS":
checks.CheckResult(
check_id="EXISTS", anomaly=rdf_anomaly.Anomaly(**anomaly))
}
# Check we pass when our check produces an anomaly and we don't care
# about the details.
self.assertCheckDetectedAnom(
"EXISTS", failing_checks, sym=None, findings=None)
# When we do care only about the 'symptom'.
self.assertCheckDetectedAnom(
"EXISTS", failing_checks, sym="Found: An issue.", findings=None)
# And when we also care about the findings.
self.assertCheckDetectedAnom(
"EXISTS", failing_checks, sym="Found: An issue.", findings=["Finding"])
# And check we match substrings of a 'finding'.
self.assertCheckDetectedAnom(
"EXISTS", failing_checks, sym="Found: An issue.", findings=["Fin"])
# Check we complain when the symptom doesn't match.
self.assertRaises(
AssertionError,
self.assertCheckDetectedAnom,
"EXISTS",
failing_checks,
sym="wrong symptom",
findings=None)
# Check we complain when the symptom matches but the findings don't.
self.assertRaises(
AssertionError,
self.assertCheckDetectedAnom,
"EXISTS",
failing_checks,
sym="Found: An issue.",
findings=["Not found"])
# Lastly, if there is a finding in the anomaly we didn't expect, we consider
# that a problem.
self.assertRaises(
AssertionError,
self.assertCheckDetectedAnom,
"EXISTS",
failing_checks,
sym="Found: An issue.",
findings=[])