    def test_auditd_from_file(self):
        """Parse the auditd text fixture and pin the resulting frame shapes.

        Loads ``auditd_log.txt`` from the test-data directory through
        ``read_from_file`` and checks the (rows, columns) shape of the full
        parsed frame, then narrows it to ``SYSCALL_EXECVE`` records with
        ``get_event_subset`` and checks that subset's shape as well.  Both
        expected shapes are tied to the fixture file, so any change to the
        fixture must be mirrored here.
        """
        log_path = os.path.join(_TEST_DATA, "auditd_log.txt")

        all_events = read_from_file(log_path)
        self.assertIsNotNone(all_events)
        rows, cols = all_events.shape
        self.assertEqual((rows, cols), (381, 97))

        # Keep only the process-execution records.
        execve_events = get_event_subset(all_events, event_type="SYSCALL_EXECVE")
        self.assertIsNotNone(execve_events)
        self.assertEqual(execve_events.shape, (78, 20))
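def test_auditd_cluster():
    """Cluster the fixture's process-exec events and pin the cluster count.

    The ``linux_events.csv`` fixture stores each ``AuditdMessage`` cell as the
    ``repr`` of a Python literal, so it is decoded with ``ast.literal_eval``
    (literals only -- never ``eval`` on text read from disk).  The decoded
    messages are expanded with ``extract_events_to_df``, filtered to
    ``SYSCALL_EXECVE`` records and clustered with ``cluster_auditd_processes``;
    the expected cluster count of 2 is specific to this fixture.
    """
    input_file = os.path.join(_TEST_DATA, "linux_events.csv")
    input_df = pd.read_csv(input_file)

    # Decode the one column directly instead of a row-wise apply(axis=1):
    # same Series of dicts, without materialising a row object per line.
    input_df["AuditdMessage"] = input_df["AuditdMessage"].apply(ast.literal_eval)

    output_df = extract_events_to_df(data=input_df)
    proc_events = get_event_subset(output_df, event_type="SYSCALL_EXECVE")

    clustered_procs = cluster_auditd_processes(proc_events, app=None)
    check.is_not_none(clustered_procs)
    check.equal(len(clustered_procs), 2)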
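    def test_auditd_utils(self):
        """Build a process tree from the fixture's exec events and check it.

        Reads ``linux_events.csv``, decodes the serialised ``AuditdMessage``
        column with ``ast.literal_eval`` (literals only -- never ``eval`` on
        text read from disk), expands the messages with
        ``extract_events_to_df`` and keeps the ``SYSCALL_EXECVE`` records.
        ``generate_process_tree`` is then expected to yield at least 85 rows
        and ``get_summary_info`` to report a largest tree depth of 5; both
        numbers are specific to this fixture.
        """
        input_file = os.path.join(_TEST_DATA, "linux_events.csv")
        input_df = pd.read_csv(input_file)

        # Decode the one column directly instead of a row-wise apply(axis=1):
        # same Series of dicts, without materialising a row object per line.
        input_df["AuditdMessage"] = input_df["AuditdMessage"].apply(ast.literal_eval)

        output_df = extract_events_to_df(data=input_df)
        proc_events = get_event_subset(output_df, event_type="SYSCALL_EXECVE")

        proc_tree = generate_process_tree(proc_events)
        pt_summary = get_summary_info(proc_tree)
        self.assertGreaterEqual(len(proc_tree), 85)
        self.assertEqual(pt_summary["LargestTreeDepth"], 5)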