def testRuleApplicationExecution(self):
  """Tests the application_execution tagging rule.

  A MacOS application usage event is tagged purely by its data type, so no
  negative case exists for it. A syslog line is tagged for a body that
  reports a COMMAND= invocation (here launchctl) and left untagged for an
  arbitrary message; the exact rule text lives in the tagging file, not here.
  """
  event = events.EventObject()
  event.timestamp = self._TEST_TIMESTAMP
  event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN

  def _expect(event_data, labels):
    # Tag the event and check that exactly the given labels were applied.
    storage_writer = self._TagEvent(event, event_data)
    self.assertEqual(storage_writer.number_of_event_tags, len(labels))
    self._CheckLabels(storage_writer, labels)

  _expect(appusage.MacOSApplicationUsageEventData(), ['application_execution'])

  syslog_data = syslog.SyslogLineEventData()
  syslog_data.body = 'some random log message'
  _expect(syslog_data, [])

  syslog_data = syslog.SyslogLineEventData()
  syslog_data.body = 'somethin invoked COMMAND=/bin/launchctl'
  _expect(syslog_data, ['application_execution'])
def testRuleDeviceDisconnection(self):
  """Tests the device_disconnection tagging rule.

  Rule under test: reporter is 'kernel' AND body contains 'USB disconnect'.
  Each condition on its own must not produce a tag; both together must.
  """
  event = events.EventObject()
  event.timestamp = self._TEST_TIMESTAMP
  event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN

  def _expect(event_data, labels):
    # Tag the event and check that exactly the given labels were applied.
    storage_writer = self._TagEvent(event, event_data)
    self.assertEqual(storage_writer.number_of_event_tags, len(labels))
    self._CheckLabels(storage_writer, labels)

  syslog_data = syslog.SyslogLineEventData()
  syslog_data.reporter = 'kernel'
  syslog_data.body = 'bogus'
  _expect(syslog_data, [])  # reporter matches, body does not

  syslog_data.reporter = 'bogus'
  syslog_data.body = 'USB disconnect'
  _expect(syslog_data, [])  # body matches, reporter does not

  syslog_data.reporter = 'kernel'
  _expect(syslog_data, ['device_disconnection'])
def testRuleSessionStop(self):
  """Tests the session_stop tagging rule.

  Rule under test: reporter is 'systemd-logind' AND body contains
  'Removed session'. Each condition on its own must not produce a tag.
  """
  event = events.EventObject()
  event.timestamp = self._TEST_TIMESTAMP
  event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN

  def _expect(event_data, labels):
    # Tag the event and check that exactly the given labels were applied.
    storage_writer = self._TagEvent(event, event_data)
    self.assertEqual(storage_writer.number_of_event_tags, len(labels))
    self._CheckLabels(storage_writer, labels)

  syslog_data = syslog.SyslogLineEventData()
  syslog_data.reporter = 'systemd-logind'
  syslog_data.body = 'bogus'
  _expect(syslog_data, [])  # reporter matches, body does not

  syslog_data.reporter = 'bogus'
  syslog_data.body = 'Removed session'
  _expect(syslog_data, [])  # body matches, reporter does not

  syslog_data.reporter = 'systemd-logind'
  _expect(syslog_data, ['session_stop'])
def testRulePromiscuous(self):
  """Tests the promiscuous tagging rule.

  Two clauses are covered:
    * data_type is 'selinux:line' AND audit_type is 'ANOM_PROMISCUOUS'
    * reporter is 'kernel' AND body contains 'promiscuous mode'
  For the syslog clause each condition alone must not produce a tag.
  """
  event = events.EventObject()
  event.timestamp = self._TEST_TIMESTAMP
  event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN

  def _expect(event_data, labels):
    # Tag the event and check that exactly the given labels were applied.
    storage_writer = self._TagEvent(event, event_data)
    self.assertEqual(storage_writer.number_of_event_tags, len(labels))
    self._CheckLabels(storage_writer, labels)

  # SELinux audit clause.
  selinux_data = selinux.SELinuxLogEventData()
  selinux_data.audit_type = 'bogus'
  _expect(selinux_data, [])

  selinux_data.audit_type = 'ANOM_PROMISCUOUS'
  _expect(selinux_data, ['promiscuous'])

  # Kernel syslog clause.
  syslog_data = syslog.SyslogLineEventData()
  syslog_data.reporter = 'kernel'
  syslog_data.body = 'bogus'
  _expect(syslog_data, [])  # reporter matches, body does not

  syslog_data.reporter = 'bogus'
  syslog_data.body = 'promiscuous mode'
  _expect(syslog_data, [])  # body matches, reporter does not

  syslog_data.reporter = 'kernel'
  _expect(syslog_data, ['promiscuous'])
def testRuleLogout(self):
  """Tests the logout tagging rule.

  Clauses covered, each with its single-condition negatives:
    * data_type is 'linux:utmp:event' AND type == 8 AND terminal != ''
      AND pid != 0
    * reporter is 'login' AND body contains 'session closed'
    * reporter is 'sshd' AND (body contains 'session closed' OR
      body contains 'Close session')
    * reporter is 'systemd-logind' AND body contains 'logged out'
    * reporter is 'dovecot' AND body contains 'Logged out'
  """
  event = events.EventObject()
  event.timestamp = self._TEST_TIMESTAMP
  event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN

  def _expect(event_data, labels):
    # Tag the event and check that exactly the given labels were applied.
    storage_writer = self._TagEvent(event, event_data)
    self.assertEqual(storage_writer.number_of_event_tags, len(labels))
    self._CheckLabels(storage_writer, labels)

  # utmp clause: each of type, terminal and pid must hold.
  utmp_data = utmp.UtmpEventData()
  utmp_data.type = 0
  utmp_data.terminal = 'tty1'
  utmp_data.pid = 1
  _expect(utmp_data, [])  # wrong type

  utmp_data.type = 8
  utmp_data.terminal = ''
  _expect(utmp_data, [])  # empty terminal

  utmp_data.terminal = 'tty1'
  utmp_data.pid = 0
  _expect(utmp_data, [])  # zero pid

  utmp_data.pid = 1
  _expect(utmp_data, ['logout'])

  # login clause.
  syslog_data = syslog.SyslogLineEventData()
  syslog_data.reporter = 'login'
  syslog_data.body = 'bogus'
  _expect(syslog_data, [])

  syslog_data.reporter = 'bogus'
  syslog_data.body = 'session closed'
  _expect(syslog_data, [])

  syslog_data.reporter = 'login'
  _expect(syslog_data, ['logout'])

  # sshd clause, two alternative body fragments.
  syslog_data = syslog.SyslogLineEventData()
  syslog_data.reporter = 'sshd'
  syslog_data.body = 'bogus'
  _expect(syslog_data, [])

  syslog_data.reporter = 'bogus'
  syslog_data.body = 'session closed'
  _expect(syslog_data, [])

  syslog_data.reporter = 'sshd'
  _expect(syslog_data, ['logout'])

  syslog_data.body = 'Close session'
  _expect(syslog_data, ['logout'])

  # systemd-logind clause.
  syslog_data = syslog.SyslogLineEventData()
  syslog_data.reporter = 'systemd-logind'
  syslog_data.body = 'bogus'
  _expect(syslog_data, [])

  syslog_data.reporter = 'bogus'
  syslog_data.body = 'logged out'
  _expect(syslog_data, [])

  syslog_data.reporter = 'systemd-logind'
  _expect(syslog_data, ['logout'])

  # dovecot clause.
  syslog_data = syslog.SyslogLineEventData()
  syslog_data.reporter = 'dovecot'
  syslog_data.body = 'bogus'
  _expect(syslog_data, [])

  syslog_data.reporter = 'bogus'
  syslog_data.body = 'Logged out'
  _expect(syslog_data, [])

  syslog_data.reporter = 'dovecot'
  _expect(syslog_data, ['logout'])
def testRuleApplicationExecution(self):
  """Tests the application_execution tagging rule.

  Events tagged purely by data type (no negative case possible):
  'bash:history:command', 'docker:json:layer', 'shell:zsh:history' and
  'syslog:cron:task_run'. Conditional clauses, each checked with its
  single-condition negatives:
    * data_type is 'selinux:line' AND audit_type is 'EXECVE'
    * reporter is 'sudo' AND body contains 'COMMAND='

  NOTE(review): the sudo clause is a substring match on the log body; the
  tests do not cover bodies where the token appears inside user-influenced
  text, which is presumably possible in real logs — confirm against the rule.
  """
  event = events.EventObject()
  event.timestamp = self._TEST_TIMESTAMP
  event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN

  def _expect(event_data, labels):
    # Tag the event and check that exactly the given labels were applied.
    storage_writer = self._TagEvent(event, event_data)
    self.assertEqual(storage_writer.number_of_event_tags, len(labels))
    self._CheckLabels(storage_writer, labels)

  _expect(bash_history.BashHistoryEventData(), ['application_execution'])
  _expect(docker.DockerJSONLayerEventData(), ['application_execution'])

  selinux_data = selinux.SELinuxLogEventData()
  selinux_data.audit_type = 'bogus'
  _expect(selinux_data, [])

  selinux_data.audit_type = 'EXECVE'
  _expect(selinux_data, ['application_execution'])

  _expect(zsh_extended_history.ZshHistoryEventData(), ['application_execution'])
  _expect(cron.CronTaskRunEventData(), ['application_execution'])

  syslog_data = syslog.SyslogLineEventData()
  syslog_data.reporter = 'sudo'
  syslog_data.body = 'bogus'
  _expect(syslog_data, [])  # reporter matches, body does not

  syslog_data.reporter = 'bogus'
  syslog_data.body = 'test if my COMMAND=bogus'
  _expect(syslog_data, [])  # body matches, reporter does not

  syslog_data.reporter = 'sudo'
  _expect(syslog_data, ['application_execution'])
def testRuleLoginFailed(self):
  """Tests the login_failed tagging rule.

  Clauses covered, each with its single-condition negatives:
    * data_type is 'selinux:line' AND audit_type is 'ANOM_LOGIN_FAILURES'
    * data_type is 'selinux:line' AND audit_type is 'USER_LOGIN' AND
      body contains 'res=failed'
    * data_type is 'syslog:line' AND body contains 'pam_tally2'
    * (reporter is 'sshd' OR 'login' OR 'postfix/submission/smtpd' OR
      'sudo') AND body contains 'uthentication fail'
    * (reporter is 'xscreensaver' OR 'login') AND body contains
      'FAILED LOGIN'
    * reporter is 'su' AND body contains 'DENIED'
    * reporter is 'nologin'

  NOTE(review): the body clauses are substring matches, so the rule's
  behaviour on log lines that echo user-chosen text (usernames and the
  like) is not pinned down by these tests — confirm against the rule.
  """
  event = events.EventObject()
  event.timestamp = self._TEST_TIMESTAMP
  event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN

  def _expect(event_data, labels):
    # Tag the event and check that exactly the given labels were applied.
    storage_writer = self._TagEvent(event, event_data)
    self.assertEqual(storage_writer.number_of_event_tags, len(labels))
    self._CheckLabels(storage_writer, labels)

  # SELinux ANOM_LOGIN_FAILURES clause.
  selinux_data = selinux.SELinuxLogEventData()
  selinux_data.audit_type = 'bogus'
  _expect(selinux_data, [])

  selinux_data.audit_type = 'ANOM_LOGIN_FAILURES'
  _expect(selinux_data, ['login_failed'])

  # SELinux USER_LOGIN + res=failed clause.
  selinux_data = selinux.SELinuxLogEventData()
  selinux_data.audit_type = 'bogus'
  selinux_data.body = 'res=failed'
  _expect(selinux_data, [])  # body matches, audit type does not

  selinux_data.audit_type = 'USER_LOGIN'
  selinux_data.body = 'bogus'
  _expect(selinux_data, [])  # audit type matches, body does not

  selinux_data.body = 'res=failed'
  _expect(selinux_data, ['login_failed'])

  # pam_tally2 clause: no reporter constraint.
  syslog_data = syslog.SyslogLineEventData()
  syslog_data.body = 'bogus'
  _expect(syslog_data, [])

  syslog_data.body = 'pam_tally2'
  _expect(syslog_data, ['login_failed'])

  # Authentication-failure clause. First: a non-matching reporter with
  # every accepted body variant; then every accepted reporter with a
  # non-matching body; then the positive combinations.
  auth_reporters = ('sshd', 'login', 'postfix/submission/smtpd', 'sudo')
  syslog_data = syslog.SyslogLineEventData()
  syslog_data.reporter = 'bogus'
  for auth_body in (
      'Authentication failure', 'authentication failure',
      'authentication failed'):
    syslog_data.body = auth_body
    _expect(syslog_data, [])

  syslog_data.body = 'bogus'
  for auth_reporter in auth_reporters:
    syslog_data.reporter = auth_reporter
    _expect(syslog_data, [])

  syslog_data.reporter = 'login'
  syslog_data.body = 'Authentication failure'
  _expect(syslog_data, ['login_failed'])

  syslog_data.body = 'authentication failure'  # PAM module wording
  for auth_reporter in ('login', 'sshd', 'sudo'):
    syslog_data.reporter = auth_reporter
    _expect(syslog_data, ['login_failed'])

  syslog_data.reporter = 'postfix/submission/smtpd'
  syslog_data.body = 'authentication failed'
  _expect(syslog_data, ['login_failed'])

  # FAILED LOGIN clause.
  syslog_data = syslog.SyslogLineEventData()
  syslog_data.reporter = 'bogus'
  syslog_data.body = 'FAILED LOGIN'
  _expect(syslog_data, [])

  syslog_data.body = 'bogus'
  for screen_reporter in ('xscreensaver', 'login'):
    syslog_data.reporter = screen_reporter
    _expect(syslog_data, [])

  syslog_data.body = 'FAILED LOGIN'
  for screen_reporter in ('login', 'xscreensaver'):
    syslog_data.reporter = screen_reporter
    _expect(syslog_data, ['login_failed'])

  # su DENIED clause.
  syslog_data = syslog.SyslogLineEventData()
  syslog_data.reporter = 'bogus'
  syslog_data.body = 'DENIED su from'
  _expect(syslog_data, [])

  syslog_data.reporter = 'su'
  syslog_data.body = 'bogus'
  _expect(syslog_data, [])

  syslog_data.body = 'DENIED su from'
  _expect(syslog_data, ['login_failed'])

  # nologin clause: reporter alone is sufficient.
  syslog_data = syslog.SyslogLineEventData()
  syslog_data.reporter = 'bogus'
  _expect(syslog_data, [])

  syslog_data.reporter = 'nologin'
  _expect(syslog_data, ['login_failed'])
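def testRuleLogin(self):
  """Tests the login tagging rule.

  Clauses covered, each with its single-condition negatives:
    * data_type is 'linux:utmp:event' AND type == 7
    * data_type is 'selinux:line' AND audit_type is 'LOGIN'
    * reporter is 'login' AND (body contains 'logged in' OR
      body contains 'ROOT LOGIN' OR body contains 'session opened')
    * reporter is 'sshd' AND (body contains 'session opened' OR
      body contains 'Starting session')
    * reporter is 'dovecot' AND body contains 'imap-login: Login:'
    * reporter is 'postfix/submission/smtpd' AND body contains 'sasl_'

  The "reporter matches, body does not" negatives for the syslog clauses
  previously set `audit_type = 'bogus'` on a SyslogLineEventData, which the
  body-based rule never reads, so they only passed because body was unset.
  They now set `body = 'bogus'`, matching the other rule tests in this file.
  """
  event = events.EventObject()
  event.timestamp = self._TEST_TIMESTAMP
  event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN

  def _expect(event_data, labels):
    # Tag the event and check that exactly the given labels were applied.
    storage_writer = self._TagEvent(event, event_data)
    self.assertEqual(storage_writer.number_of_event_tags, len(labels))
    self._CheckLabels(storage_writer, labels)

  # utmp clause.
  utmp_data = utmp.UtmpEventData()
  utmp_data.type = 0
  _expect(utmp_data, [])

  utmp_data.type = 7
  _expect(utmp_data, ['login'])

  # SELinux clause.
  selinux_data = selinux.SELinuxLogEventData()
  selinux_data.audit_type = 'bogus'
  _expect(selinux_data, [])

  selinux_data.audit_type = 'LOGIN'
  _expect(selinux_data, ['login'])

  # login clause, three alternative body fragments.
  syslog_data = syslog.SyslogLineEventData()
  syslog_data.reporter = 'login'
  syslog_data.body = 'bogus'
  _expect(syslog_data, [])  # reporter matches, body does not

  syslog_data.reporter = 'bogus'
  syslog_data.body = 'logged in'
  _expect(syslog_data, [])  # body matches, reporter does not

  syslog_data.reporter = 'login'
  for login_body in ('logged in', 'ROOT LOGIN', 'session opened'):
    syslog_data.body = login_body
    _expect(syslog_data, ['login'])

  # sshd clause, two alternative body fragments.
  syslog_data = syslog.SyslogLineEventData()
  syslog_data.reporter = 'sshd'
  syslog_data.body = 'bogus'
  _expect(syslog_data, [])  # reporter matches, body does not

  syslog_data.reporter = 'bogus'
  syslog_data.body = 'session opened'
  _expect(syslog_data, [])  # body matches, reporter does not

  syslog_data.reporter = 'sshd'
  for ssh_body in ('session opened', 'Starting session'):
    syslog_data.body = ssh_body
    _expect(syslog_data, ['login'])

  # dovecot clause.
  # NOTE(review): the tail of the sample body after 'user=' was not
  # recoverable from the source; the visible prefix already satisfies the
  # rule's 'contains' condition.
  syslog_data = syslog.SyslogLineEventData()
  syslog_data.reporter = 'dovecot'
  syslog_data.body = 'bogus'
  _expect(syslog_data, [])  # reporter matches, body does not

  syslog_data.reporter = 'bogus'
  syslog_data.body = 'imap-login: Login: user='
  _expect(syslog_data, [])  # body matches, reporter does not

  syslog_data.reporter = 'dovecot'
  _expect(syslog_data, ['login'])

  # postfix submission clause.
  # NOTE(review): the tail of the sample body after 'sasl_username=' was
  # not recoverable from the source; the visible prefix already satisfies
  # the rule's 'contains' condition.
  syslog_data = syslog.SyslogLineEventData()
  syslog_data.reporter = 'postfix/submission/smtpd'
  syslog_data.body = 'bogus'
  _expect(syslog_data, [])  # reporter matches, body does not

  syslog_data.reporter = 'bogus'
  syslog_data.body = 'sasl_method=PLAIN, sasl_username='
  _expect(syslog_data, [])  # body matches, reporter does not

  syslog_data.reporter = 'postfix/submission/smtpd'
  _expect(syslog_data, ['login'])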
def testRuleLoginFailed(self):
  """Tests the login_failed tagging rule.

  Clauses covered, each with its single-condition negatives:
    * data_type is 'selinux:line' AND audit_type is 'ANOM_LOGIN_FAILURES'
    * data_type is 'selinux:line' AND audit_type is 'USER_LOGIN' AND
      body contains 'res=failed'
    * data_type is 'syslog:line' AND body contains 'pam_tally2'
    * reporter is 'sshd' AND body contains 'uthentication failure'
    * reporter is 'xscreensaver' AND body contains 'FAILED LOGIN'
  """
  event = events.EventObject()
  event.timestamp = self._TEST_TIMESTAMP
  event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN

  def _expect(event_data, labels):
    # Tag the event and check that exactly the given labels were applied.
    storage_writer = self._TagEvent(event, event_data)
    self.assertEqual(storage_writer.number_of_event_tags, len(labels))
    self._CheckLabels(storage_writer, labels)

  # SELinux ANOM_LOGIN_FAILURES clause.
  selinux_data = selinux.SELinuxLogEventData()
  selinux_data.audit_type = 'bogus'
  _expect(selinux_data, [])

  selinux_data.audit_type = 'ANOM_LOGIN_FAILURES'
  _expect(selinux_data, ['login_failed'])

  # SELinux USER_LOGIN + res=failed clause.
  selinux_data = selinux.SELinuxLogEventData()
  selinux_data.audit_type = 'bogus'
  selinux_data.body = 'res=failed'
  _expect(selinux_data, [])  # body matches, audit type does not

  selinux_data.audit_type = 'USER_LOGIN'
  selinux_data.body = 'bogus'
  _expect(selinux_data, [])  # audit type matches, body does not

  selinux_data.body = 'res=failed'
  _expect(selinux_data, ['login_failed'])

  # pam_tally2 clause: no reporter constraint.
  syslog_data = syslog.SyslogLineEventData()
  syslog_data.body = 'bogus'
  _expect(syslog_data, [])

  syslog_data.body = 'pam_tally2'
  _expect(syslog_data, ['login_failed'])

  # sshd authentication failure clause.
  syslog_data = syslog.SyslogLineEventData()
  syslog_data.reporter = 'bogus'
  syslog_data.body = 'Authentication failure'
  _expect(syslog_data, [])  # body matches, reporter does not

  syslog_data.reporter = 'sshd'
  syslog_data.body = 'bogus'
  _expect(syslog_data, [])  # reporter matches, body does not

  syslog_data.body = 'Authentication failure'
  _expect(syslog_data, ['login_failed'])

  # xscreensaver FAILED LOGIN clause.
  syslog_data = syslog.SyslogLineEventData()
  syslog_data.reporter = 'bogus'
  syslog_data.body = 'FAILED LOGIN'
  _expect(syslog_data, [])  # body matches, reporter does not

  syslog_data.reporter = 'xscreensaver'
  syslog_data.body = 'bogus'
  _expect(syslog_data, [])  # reporter matches, body does not

  syslog_data.body = 'FAILED LOGIN'
  _expect(syslog_data, ['login_failed'])