def testAssertCheckUndetected(self): """Tests for the asertCheckUndetected() method.""" anomaly = { "finding": ["Adware 2.1.1 is installed"], "symptom": "Found: Malicious software.", "type": "ANALYSIS_ANOMALY" } # Simple no anomaly case. no_anomaly = {"SW-CHECK": checks.CheckResult(check_id="SW-CHECK")} self.assertCheckUndetected("SW-CHECK", no_anomaly) # The case were there is an anomaly in the results, just not the check # we are looking for. other_anomaly = { "SW-CHECK": checks.CheckResult(check_id="SW-CHECK"), "OTHER": checks.CheckResult(check_id="OTHER", anomaly=rdf_anomaly.Anomaly(**anomaly)) } self.assertCheckUndetected("SW-CHECK", other_anomaly) # Check the simple failure case works. has_anomaly = { "SW-CHECK": checks.CheckResult(check_id="SW-CHECK", anomaly=rdf_anomaly.Anomaly(**anomaly)) } self.assertRaises(AssertionError, self.assertCheckUndetected, "SW-CHECK", has_anomaly)
def testExtendAnomalies(self): anomaly1 = { "finding": ["Adware 2.1.1 is installed"], "explanation": "Found: Malicious software.", "type": "ANALYSIS_ANOMALY" } anomaly2 = { "finding": ["Java 6.0.240 is installed"], "explanation": "Found: Old Java installation.", "type": "ANALYSIS_ANOMALY" } result = checks.CheckResult(check_id="SW-CHECK", anomaly=anomaly_rdf.Anomaly(**anomaly1)) other = checks.CheckResult(check_id="SW-CHECK", anomaly=anomaly_rdf.Anomaly(**anomaly2)) result.ExtendAnomalies(other) expect = {"check_id": "SW-CHECK", "anomaly": [anomaly1, anomaly2]} self.assertDictEqual(expect, result.ToPrimitiveDict())
def _CheckMultipleSymPerCheck(self, check_id, results, sym_list, found_list): """Ensure results for a check containing multiple symptoms match.""" anom = [] for sym, found in zip(sym_list, found_list): anom.append( rdf_anomaly.Anomaly( symptom=sym, finding=found, type="ANALYSIS_ANOMALY")) expected = checks.CheckResult(check_id=check_id, anomaly=anom) self.assertResultEqual(expected, results[check_id])
def testAssertRanChecks(self): """Tests for the assertRanChecks() method.""" no_checks = {} some_checks = {"EXISTS": checks.CheckResult(check_id="EXISTS")} self.assertRanChecks(["EXISTS"], some_checks) self.assertRaises(AssertionError, self.assertRanChecks, ["EXISTS"], no_checks) self.assertRaises(AssertionError, self.assertRanChecks, ["FOOBAR"], some_checks)
def setUp(self): super(ProcessHostDataTests, self).setUp() registered = checks.CheckRegistry.checks.keys() if "SW-CHECK" not in registered: checks.LoadChecksFromFiles([os.path.join(CHECKS_DIR, "sw.yaml")]) if "SSHD-CHECK" not in registered: checks.LoadChecksFromFiles([os.path.join(CHECKS_DIR, "sshd.yaml")]) self.netcat = checks.CheckResult( check_id="SW-CHECK", anomaly=[ rdf_anomaly.Anomaly( finding=["netcat-traditional 1.10-40 is installed"], symptom="Found: l337 software installed", type="ANALYSIS_ANOMALY") ]) self.sshd = checks.CheckResult( check_id="SSHD-CHECK", anomaly=[ rdf_anomaly.Anomaly( finding=["Configured protocols: 2,1"], symptom="Found: Sshd allows protocol 1.", type="ANALYSIS_ANOMALY") ]) self.windows = checks.CheckResult( check_id="SW-CHECK", anomaly=[ rdf_anomaly.Anomaly( finding=["Java 6.0.240 is installed"], symptom="Found: Old Java installation.", type="ANALYSIS_ANOMALY"), rdf_anomaly.Anomaly( finding=["Adware 2.1.1 is installed"], symptom="Found: Malicious software.", type="ANALYSIS_ANOMALY") ]) self.data = { "WMIInstalledSoftware": self.SetArtifactData(parsed=GetWMIData()), "DebianPackagesStatus": self.SetArtifactData(parsed=GetDPKGData()), "SshdConfigFile": self.SetArtifactData(parsed=GetSSHDConfig()) }
def testAssertCheckDetectedAnom(self): """Tests for the assertCheckDetectedAnom() method.""" # Check we fail when our checkid isn't in the results. no_checks = {} self.assertRaises(AssertionError, self.assertCheckDetectedAnom, "UNICORN", no_checks, sym=None, findings=None) # Check we fail when our checkid is in the results but hasn't # produced an anomaly. passing_checks = {"EXISTS": checks.CheckResult(check_id="EXISTS")} self.assertRaises(AssertionError, self.assertCheckDetectedAnom, "EXISTS", passing_checks, sym=None, findings=None) # On to a 'successful' cases. anomaly = { "finding": ["Finding"], "symptom": "Found: An issue.", "type": "ANALYSIS_ANOMALY" } failing_checks = { "EXISTS": checks.CheckResult(check_id="EXISTS", anomaly=rdf_anomaly.Anomaly(**anomaly)) } # Check we pass when our check produces an anomaly and we don't care # about the details. self.assertCheckDetectedAnom("EXISTS", failing_checks, sym=None, findings=None) # When we do care only about the 'symptom'. self.assertCheckDetectedAnom("EXISTS", failing_checks, sym="Found: An issue.", findings=None) # And when we also care about the findings. self.assertCheckDetectedAnom("EXISTS", failing_checks, sym="Found: An issue.", findings=["Finding"]) # And check we match substrings of a 'finding'. self.assertCheckDetectedAnom("EXISTS", failing_checks, sym="Found: An issue.", findings=["Fin"]) # Check we complain when the symptom doesn't match. self.assertRaises(AssertionError, self.assertCheckDetectedAnom, "EXISTS", failing_checks, sym="wrong symptom", findings=None) # Check we complain when the symptom matches but the findings don't. self.assertRaises(AssertionError, self.assertCheckDetectedAnom, "EXISTS", failing_checks, sym="Found: An issue.", findings=["Not found"]) # Lastly, if there is a finding in the anomaly we didn't expect, we consider # that a problem. self.assertRaises(AssertionError, self.assertCheckDetectedAnom, "EXISTS", failing_checks, sym="Found: An issue.", findings=[])