def testAssertCheckUndetected(self):
"""Tests for the asertCheckUndetected() method."""
anomaly = {
"finding": ["Adware 2.1.1 is installed"],
"symptom": "Found: Malicious software.",
"type": "ANALYSIS_ANOMALY"
}
# Simple no anomaly case.
no_anomaly = {"SW-CHECK": checks.CheckResult(check_id="SW-CHECK")}
self.assertCheckUndetected("SW-CHECK", no_anomaly)
# The case were there is an anomaly in the results, just not the check
# we are looking for.
other_anomaly = {
"SW-CHECK":
checks.CheckResult(check_id="SW-CHECK"),
"OTHER":
checks.CheckResult(check_id="OTHER",
anomaly=[rdf_anomaly.Anomaly(**anomaly)])
}
self.assertCheckUndetected("SW-CHECK", other_anomaly)
# Check the simple failure case works.
has_anomaly = {
"SW-CHECK":
checks.CheckResult(check_id="SW-CHECK",
anomaly=[rdf_anomaly.Anomaly(**anomaly)])
}
self.assertRaises(AssertionError, self.assertCheckUndetected,
"SW-CHECK", has_anomaly)
def testWithAnomaly(self):
checkresult = checks.CheckResult(
check_id="check-id-2",
anomaly=[
rdf_anomaly.Anomaly(
type="PARSER_ANOMALY",
symptom="something was wrong on the system"),
rdf_anomaly.Anomaly(
type="MANUAL_ANOMALY",
symptom="manually found wrong stuff",
anomaly_reference_id=["id1", "id2"],
finding=["file has bad permissions: /tmp/test"]),
])
converter = check_result.CheckResultConverter()
results = list(converter.Convert(self.metadata, checkresult))
self.assertLen(results, 2)
self.assertEqual(results[0].check_id, checkresult.check_id)
self.assertEqual(results[0].anomaly.type, checkresult.anomaly[0].type)
self.assertEqual(results[0].anomaly.symptom,
checkresult.anomaly[0].symptom)
self.assertEqual(results[1].check_id, checkresult.check_id)
self.assertEqual(results[1].anomaly.type, checkresult.anomaly[1].type)
self.assertEqual(results[1].anomaly.symptom,
checkresult.anomaly[1].symptom)
self.assertEqual(
results[1].anomaly.anomaly_reference_id,
"\n".join(checkresult.anomaly[1].anomaly_reference_id))
self.assertEqual(results[1].anomaly.finding,
checkresult.anomaly[1].finding[0])
def testNoAnomaly(self):
checkresult = checks.CheckResult(check_id="check-id-1")
converter = check_result.CheckResultConverter()
results = list(converter.Convert(self.metadata, checkresult))
self.assertLen(results, 1)
self.assertEqual(results[0].check_id, checkresult.check_id)
self.assertFalse(results[0].HasField("anomaly"))
def _CheckMultipleSymPerCheck(self, check_id, results, sym_list, found_list):
"""Ensure results for a check containing multiple symptoms match."""
anom = []
for sym, found in zip(sym_list, found_list):
anom.append(
rdf_anomaly.Anomaly(
symptom=sym, finding=found, type="ANALYSIS_ANOMALY"))
expected = checks.CheckResult(check_id=check_id, anomaly=anom)
self.assertResultEqual(expected, results[check_id])
def testAssertRanChecks(self):
"""Tests for the assertRanChecks() method."""
no_checks = {}
some_checks = {"EXISTS": checks.CheckResult(check_id="EXISTS")}
self.assertRanChecks(["EXISTS"], some_checks)
self.assertRaises(AssertionError, self.assertRanChecks, ["EXISTS"],
no_checks)
self.assertRaises(AssertionError, self.assertRanChecks, ["FOOBAR"],
some_checks)
def testExtendAnomalies(self):
anomaly1 = {
"finding": ["Adware 2.1.1 is installed"],
"symptom": "Found: Malicious software.",
"explanation": "Remove software.",
"type": "ANALYSIS_ANOMALY"
}
anomaly2 = {
"finding": ["Java 6.0.240 is installed"],
"symptom": "Found: Old Java installation.",
"explanation": "Update Java.",
"type": "ANALYSIS_ANOMALY"
}
result = checks.CheckResult(
check_id="SW-CHECK", anomaly=[rdf_anomaly.Anomaly(**anomaly1)])
other = checks.CheckResult(
check_id="SW-CHECK", anomaly=[rdf_anomaly.Anomaly(**anomaly2)])
result.ExtendAnomalies([other])
expect = {"check_id": "SW-CHECK", "anomaly": [anomaly1, anomaly2]}
self.assertDictEqual(expect, result.ToPrimitiveDict())
def setUp(self):
super(ProcessHostDataTests, self).setUp()
registered = set(iterkeys(checks.CheckRegistry.checks))
if "SW-CHECK" not in registered:
checks.LoadChecksFromFiles([os.path.join(CHECKS_DIR, "sw.yaml")])
if "SSHD-CHECK" not in registered:
checks.LoadChecksFromFiles([os.path.join(CHECKS_DIR, "sshd.yaml")])
self.netcat = checks.CheckResult(
check_id="SW-CHECK",
anomaly=[
rdf_anomaly.Anomaly(
finding=["netcat-traditional 1.10-40 is installed"],
symptom="Found: l337 software installed",
type="ANALYSIS_ANOMALY")
])
self.sshd = checks.CheckResult(
check_id="SSHD-CHECK",
anomaly=[
rdf_anomaly.Anomaly(
finding=["Configured protocols: 2,1"],
symptom="Found: Sshd allows protocol 1.",
type="ANALYSIS_ANOMALY")
])
self.windows = checks.CheckResult(
check_id="SW-CHECK",
anomaly=[
rdf_anomaly.Anomaly(
finding=["Java 6.0.240 is installed"],
symptom="Found: Old Java installation.",
type="ANALYSIS_ANOMALY"),
rdf_anomaly.Anomaly(
finding=["Adware 2.1.1 is installed"],
symptom="Found: Malicious software.",
type="ANALYSIS_ANOMALY")
])
self.data = {
"WMIInstalledSoftware": self.SetArtifactData(parsed=GetWMIData()),
"DebianPackagesStatus": self.SetArtifactData(parsed=GetDPKGData()),
"SshdConfigFile": self.SetArtifactData(parsed=GetSSHDConfig())
}
def testAssertCheckDetectedAnom(self):
"""Tests for the assertCheckDetectedAnom() method."""
# Check we fail when our checkid isn't in the results.
no_checks = {}
self.assertRaises(AssertionError,
self.assertCheckDetectedAnom,
"UNICORN",
no_checks,
sym=None,
findings=None)
# Check we fail when our checkid is in the results but hasn't
# produced an anomaly.
passing_checks = {"EXISTS": checks.CheckResult(check_id="EXISTS")}
self.assertRaises(AssertionError,
self.assertCheckDetectedAnom,
"EXISTS",
passing_checks,
sym=None,
findings=None)
# On to a 'successful' cases.
anomaly = {
"finding": ["Finding"],
"symptom": "Found: An issue.",
"type": "ANALYSIS_ANOMALY"
}
failing_checks = {
"EXISTS":
checks.CheckResult(check_id="EXISTS",
anomaly=[rdf_anomaly.Anomaly(**anomaly)])
}
# Check we pass when our check produces an anomaly and we don't care
# about the details.
self.assertCheckDetectedAnom("EXISTS",
failing_checks,
sym=None,
findings=None)
# When we do care only about the 'symptom'.
self.assertCheckDetectedAnom("EXISTS",
failing_checks,
sym="Found: An issue.",
findings=None)
# And when we also care about the findings.
self.assertCheckDetectedAnom("EXISTS",
failing_checks,
sym="Found: An issue.",
findings=["Finding"])
# And check we match substrings of a 'finding'.
self.assertCheckDetectedAnom("EXISTS",
failing_checks,
sym="Found: An issue.",
findings=["Fin"])
# Check we complain when the symptom doesn't match.
self.assertRaises(AssertionError,
self.assertCheckDetectedAnom,
"EXISTS",
failing_checks,
sym="wrong symptom",
findings=None)
# Check we complain when the symptom matches but the findings don't.
self.assertRaises(AssertionError,
self.assertCheckDetectedAnom,
"EXISTS",
failing_checks,
sym="Found: An issue.",
findings=["Not found"])
# Lastly, if there is a finding in the anomaly we didn't expect, we consider
# that a problem.
self.assertRaises(AssertionError,
self.assertCheckDetectedAnom,
"EXISTS",
failing_checks,
sym="Found: An issue.",
findings=[])
