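    def testRuleRunlevel(self):
        """Tests the runlevel tagging rule.

        Rule under test:
          data_type is 'linux:utmp:event' AND type == 1 AND
          username is 'runlevel'

        Each negative case leaves exactly one condition unsatisfied, so a
        rule that ignores either the type or the username check would be
        caught rather than masked by the other condition failing too.
        """
        event = events.EventObject()
        event.timestamp = self._TEST_TIMESTAMP
        event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN

        # Test: data_type is 'linux:utmp:event' AND type == 1 AND
        #       username is 'runlevel'
        # NOTE(review): the username literals were redacted ('******') on
        # the page this listing came from, which made the final assertion
        # contradict the rule comment. They are restored from the rule
        # above, using the file's 'bogus' placeholder for the non-match.
        event_data = utmp.UtmpEventData()

        # Wrong type, matching username: must not tag.
        event_data.type = 0
        event_data.username = 'runlevel'

        storage_writer = self._TagEvent(event, event_data)

        self.assertEqual(storage_writer.number_of_event_tags, 0)
        self._CheckLabels(storage_writer, [])

        # Matching type, wrong username: must not tag.
        event_data.type = 1
        event_data.username = 'bogus'

        storage_writer = self._TagEvent(event, event_data)

        self.assertEqual(storage_writer.number_of_event_tags, 0)
        self._CheckLabels(storage_writer, [])

        # All conditions satisfied: exactly one 'runlevel' label.
        event_data.username = 'runlevel'

        storage_writer = self._TagEvent(event, event_data)

        self.assertEqual(storage_writer.number_of_event_tags, 1)
        self._CheckLabels(storage_writer, ['runlevel'])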
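    def testRuleShutdown(self):
        """Tests the shutdown tagging rule.

        Rule under test:
          data_type is 'linux:utmp:event' AND type == 1 AND
          (terminal is '~~' OR terminal is 'system boot') AND
          username is 'shutdown'

        Each negative case leaves exactly one condition unsatisfied; both
        accepted terminal values are checked on the positive path.
        """
        event = events.EventObject()
        event.timestamp = self._TEST_TIMESTAMP
        event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN

        # Test: data_type is 'linux:utmp:event' AND type == 1 AND
        #       (terminal is '~~' OR terminal is 'system boot') AND
        #       username is 'shutdown'
        # NOTE(review): the username literals were redacted ('******') on
        # the page this listing came from. They are restored from the rule
        # above, using the file's 'bogus' placeholder for the non-match.
        event_data = utmp.UtmpEventData()

        # Wrong type only.
        event_data.type = 0
        event_data.terminal = 'system boot'
        event_data.username = 'shutdown'

        storage_writer = self._TagEvent(event, event_data)

        self.assertEqual(storage_writer.number_of_event_tags, 0)
        self._CheckLabels(storage_writer, [])

        # Wrong terminal only.
        event_data.type = 1
        event_data.terminal = 'bogus'

        storage_writer = self._TagEvent(event, event_data)

        self.assertEqual(storage_writer.number_of_event_tags, 0)
        self._CheckLabels(storage_writer, [])

        # Wrong username only.
        event_data.terminal = 'system boot'
        event_data.username = 'bogus'

        storage_writer = self._TagEvent(event, event_data)

        self.assertEqual(storage_writer.number_of_event_tags, 0)
        self._CheckLabels(storage_writer, [])

        # All conditions satisfied with terminal 'system boot'.
        event_data.username = 'shutdown'

        storage_writer = self._TagEvent(event, event_data)

        self.assertEqual(storage_writer.number_of_event_tags, 1)
        self._CheckLabels(storage_writer, ['shutdown'])

        # The alternative terminal value '~~' must tag as well.
        event_data.terminal = '~~'

        storage_writer = self._TagEvent(event, event_data)

        self.assertEqual(storage_writer.number_of_event_tags, 1)
        self._CheckLabels(storage_writer, ['shutdown'])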
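    def testRuleLogin(self):
        """Tests the login tagging rule.

        Covers the utmp USER_PROCESS variant, the SELinux audit LOGIN
        variant and the syslog variants. The syslog variants match on
        free-text message bodies by substring, so the reporter condition is
        what keeps an arbitrary message that happens to contain e.g.
        'session opened' from being tagged as a login; every syslog section
        therefore includes a negative case with the matching body but a
        'bogus' reporter.
        """
        event = events.EventObject()
        event.timestamp = self._TEST_TIMESTAMP
        event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN

        # Test: data_type is 'linux:utmp:event' AND type == 7
        event_data = utmp.UtmpEventData()
        event_data.type = 0

        storage_writer = self._TagEvent(event, event_data)

        self.assertEqual(storage_writer.number_of_event_tags, 0)
        self._CheckLabels(storage_writer, [])

        event_data.type = 7

        storage_writer = self._TagEvent(event, event_data)

        self.assertEqual(storage_writer.number_of_event_tags, 1)
        self._CheckLabels(storage_writer, ['login'])

        # Test: data_type is 'selinux:line' AND audit_type is 'LOGIN'
        event_data = selinux.SELinuxLogEventData()
        event_data.audit_type = 'bogus'

        storage_writer = self._TagEvent(event, event_data)

        self.assertEqual(storage_writer.number_of_event_tags, 0)
        self._CheckLabels(storage_writer, [])

        event_data.audit_type = 'LOGIN'

        storage_writer = self._TagEvent(event, event_data)

        self.assertEqual(storage_writer.number_of_event_tags, 1)
        self._CheckLabels(storage_writer, ['login'])

        # NOTE(review): the syslog sections below previously set
        # `audit_type = 'bogus'` on SyslogLineEventData, a copy-paste of the
        # SELinux case; the syslog rules test `body`, so the non-matching
        # placeholder is put in `body` here, consistent with testRuleLogout.

        # Test: reporter is 'login' AND (body contains 'logged in' OR
        #       body contains 'ROOT LOGIN' OR body contains 'session opened')
        event_data = syslog.SyslogLineEventData()
        event_data.reporter = 'login'
        event_data.body = 'bogus'

        storage_writer = self._TagEvent(event, event_data)

        self.assertEqual(storage_writer.number_of_event_tags, 0)
        self._CheckLabels(storage_writer, [])

        # Matching body alone is not enough: the reporter must match too.
        event_data.reporter = 'bogus'
        event_data.body = 'logged in'

        storage_writer = self._TagEvent(event, event_data)

        self.assertEqual(storage_writer.number_of_event_tags, 0)
        self._CheckLabels(storage_writer, [])

        event_data.reporter = 'login'

        storage_writer = self._TagEvent(event, event_data)

        self.assertEqual(storage_writer.number_of_event_tags, 1)
        self._CheckLabels(storage_writer, ['login'])

        event_data.body = 'ROOT LOGIN'

        storage_writer = self._TagEvent(event, event_data)

        self.assertEqual(storage_writer.number_of_event_tags, 1)
        self._CheckLabels(storage_writer, ['login'])

        event_data.body = 'session opened'

        storage_writer = self._TagEvent(event, event_data)

        self.assertEqual(storage_writer.number_of_event_tags, 1)
        self._CheckLabels(storage_writer, ['login'])

        # Test: reporter is 'sshd' AND (body contains 'session opened' OR
        #       body contains 'Starting session')
        event_data = syslog.SyslogLineEventData()
        event_data.reporter = 'sshd'
        event_data.body = 'bogus'

        storage_writer = self._TagEvent(event, event_data)

        self.assertEqual(storage_writer.number_of_event_tags, 0)
        self._CheckLabels(storage_writer, [])

        event_data.reporter = 'bogus'
        event_data.body = 'session opened'

        storage_writer = self._TagEvent(event, event_data)

        self.assertEqual(storage_writer.number_of_event_tags, 0)
        self._CheckLabels(storage_writer, [])

        event_data.reporter = 'sshd'

        storage_writer = self._TagEvent(event, event_data)

        self.assertEqual(storage_writer.number_of_event_tags, 1)
        self._CheckLabels(storage_writer, ['login'])

        event_data.body = 'Starting session'

        storage_writer = self._TagEvent(event, event_data)

        self.assertEqual(storage_writer.number_of_event_tags, 1)
        self._CheckLabels(storage_writer, ['login'])

        # NOTE(review): the two sections below were garbled on the page this
        # listing came from (the body literals were redacted and fused with
        # the following statements). They are rebuilt to the same
        # three-step shape as the other syslog sections; the exact body
        # values only need to contain the substring named in the rule.

        # Test: reporter is 'dovecot' AND body contains 'imap-login: Login:'
        event_data = syslog.SyslogLineEventData()
        event_data.reporter = 'dovecot'
        event_data.body = 'bogus'

        storage_writer = self._TagEvent(event, event_data)

        self.assertEqual(storage_writer.number_of_event_tags, 0)
        self._CheckLabels(storage_writer, [])

        event_data.reporter = 'bogus'
        event_data.body = 'imap-login: Login: user=<bogus>'

        storage_writer = self._TagEvent(event, event_data)

        self.assertEqual(storage_writer.number_of_event_tags, 0)
        self._CheckLabels(storage_writer, [])

        event_data.reporter = 'dovecot'

        storage_writer = self._TagEvent(event, event_data)

        self.assertEqual(storage_writer.number_of_event_tags, 1)
        self._CheckLabels(storage_writer, ['login'])

        # Test: reporter is 'postfix/submission/smtpd' AND body contains 'sasl_'
        event_data = syslog.SyslogLineEventData()
        event_data.reporter = 'postfix/submission/smtpd'
        event_data.body = 'bogus'

        storage_writer = self._TagEvent(event, event_data)

        self.assertEqual(storage_writer.number_of_event_tags, 0)
        self._CheckLabels(storage_writer, [])

        event_data.reporter = 'bogus'
        event_data.body = 'sasl_method=PLAIN, sasl_username=<bogus>'

        storage_writer = self._TagEvent(event, event_data)

        self.assertEqual(storage_writer.number_of_event_tags, 0)
        self._CheckLabels(storage_writer, [])

        event_data.reporter = 'postfix/submission/smtpd'

        storage_writer = self._TagEvent(event, event_data)

        self.assertEqual(storage_writer.number_of_event_tags, 1)
        self._CheckLabels(storage_writer, ['login'])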
    def testRuleLogout(self):
        """Tests the logout tagging rule.

        Covers the utmp DEAD_PROCESS variant and the four syslog reporters
        the rule matches on. Every syslog reporter goes through the same
        three steps: reporter alone must not tag, matching body with a
        'bogus' reporter must not tag, and the combination must tag exactly
        once; any additional accepted body is then checked on the positive
        path.
        """
        event = events.EventObject()
        event.timestamp = self._TEST_TIMESTAMP
        event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN

        # Test: data_type is 'linux:utmp:event' AND type == 8 AND terminal != '' AND
        #       pid != 0
        event_data = utmp.UtmpEventData()

        # Wrong type only.
        event_data.type = 0
        event_data.terminal = 'tty1'
        event_data.pid = 1

        storage_writer = self._TagEvent(event, event_data)
        self.assertEqual(storage_writer.number_of_event_tags, 0)
        self._CheckLabels(storage_writer, [])

        # Empty terminal must block the tag even with the right type.
        event_data.type = 8
        event_data.terminal = ''

        storage_writer = self._TagEvent(event, event_data)
        self.assertEqual(storage_writer.number_of_event_tags, 0)
        self._CheckLabels(storage_writer, [])

        # A zero pid must block the tag as well.
        event_data.terminal = 'tty1'
        event_data.pid = 0

        storage_writer = self._TagEvent(event, event_data)
        self.assertEqual(storage_writer.number_of_event_tags, 0)
        self._CheckLabels(storage_writer, [])

        event_data.pid = 1

        storage_writer = self._TagEvent(event, event_data)
        self.assertEqual(storage_writer.number_of_event_tags, 1)
        self._CheckLabels(storage_writer, ['logout'])

        # Syslog variants, as (reporter, accepted bodies):
        #   reporter is 'login' AND body contains 'session closed'
        #   reporter is 'sshd' AND (body contains 'session closed' OR
        #       body contains 'Close session')
        #   reporter is 'systemd-logind' AND body contains 'logged out'
        #   reporter is 'dovecot' AND body contains 'Logged out'
        syslog_cases = [
            ('login', ['session closed']),
            ('sshd', ['session closed', 'Close session']),
            ('systemd-logind', ['logged out']),
            ('dovecot', ['Logged out'])]

        for reporter, bodies in syslog_cases:
            first_body, other_bodies = bodies[0], bodies[1:]

            event_data = syslog.SyslogLineEventData()
            event_data.reporter = reporter
            event_data.body = 'bogus'

            storage_writer = self._TagEvent(event, event_data)
            self.assertEqual(storage_writer.number_of_event_tags, 0)
            self._CheckLabels(storage_writer, [])

            # Matching body alone is not enough: the reporter must match.
            event_data.reporter = 'bogus'
            event_data.body = first_body

            storage_writer = self._TagEvent(event, event_data)
            self.assertEqual(storage_writer.number_of_event_tags, 0)
            self._CheckLabels(storage_writer, [])

            event_data.reporter = reporter

            storage_writer = self._TagEvent(event, event_data)
            self.assertEqual(storage_writer.number_of_event_tags, 1)
            self._CheckLabels(storage_writer, ['logout'])

            for body in other_bodies:
                event_data.body = body

                storage_writer = self._TagEvent(event, event_data)
                self.assertEqual(storage_writer.number_of_event_tags, 1)
                self._CheckLabels(storage_writer, ['logout'])
  def testRuleLogout(self):
    """Tests the logout tagging rule.

    The utmp variant is driven by hand because its `terminal != ''`
    condition cannot be expressed through _CheckTaggingRule; the syslog and
    SELinux variants are table-driven through _CheckTaggingRule, which
    exercises each rule from the given attribute values.
    """
    # Test: data_type is 'linux:utmp:event' AND type == 8 AND terminal != '' AND
    #       pid != 0

    # Cannot use _CheckTaggingRule here because of terminal != ''
    event = events.EventObject()
    event.timestamp = self._TEST_TIMESTAMP
    event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN

    # (type, terminal, pid, expected labels): the first three rows each
    # violate exactly one condition, the last satisfies all of them.
    utmp_cases = [
        (0, 'tty1', 1, []),
        (8, '', 1, []),
        (8, 'tty1', 0, []),
        (8, 'tty1', 1, ['logout'])]

    event_data = utmp.UtmpEventData()
    for utmp_type, terminal, pid, expected_labels in utmp_cases:
      event_data.type = utmp_type
      event_data.terminal = terminal
      event_data.pid = pid

      storage_writer = self._TagEvent(event, event_data, None)

      self.assertEqual(
          storage_writer.number_of_event_tags, len(expected_labels))
      self._CheckLabels(storage_writer, expected_labels)

    # Table-driven variants, as (event data class, attribute values):
    #   reporter is 'login' AND body contains 'session closed'
    #   reporter is 'sshd' AND (body contains 'session closed' OR
    #       body contains 'Close session')
    #   reporter is 'systemd-logind' AND body contains 'logged out'
    #   reporter is 'dovecot' AND body contains 'Logged out'
    #   data_type is 'selinux:line' AND audit_type is 'USER_LOGOUT'
    rule_cases = [
        (syslog.SyslogLineEventData,
         {'body': ['session closed'], 'reporter': ['login']}),
        (syslog.SyslogLineEventData,
         {'body': ['Close session', 'session closed'], 'reporter': ['sshd']}),
        (syslog.SyslogLineEventData,
         {'body': ['logged out'], 'reporter': ['systemd-logind']}),
        (syslog.SyslogLineEventData,
         {'body': ['Logged out'], 'reporter': ['dovecot']}),
        (selinux.SELinuxLogEventData,
         {'audit_type': ['USER_LOGOUT']})]

    for event_data_class, attribute_values_per_name in rule_cases:
      self._CheckTaggingRule(
          event_data_class, attribute_values_per_name, ['logout'])