def testRuleRunlevel(self):
  """Tests the runlevel tagging rule.

  Rule under test: data_type is 'linux:utmp:event' AND type == 1 AND
  username is 'runlevel'. One utmp event is tagged with a sequence of
  (type, username) combinations; only the last combination is expected to
  receive the 'runlevel' label.
  """
  event = events.EventObject()
  event.timestamp = self._TEST_TIMESTAMP
  event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN

  event_data = utmp.UtmpEventData()

  # NOTE(review): the username literals read '******' in this copy of the
  # file (they look redacted); the rule comment names 'runlevel' as the
  # value that matches — confirm against the checked-in source.
  # Each case: (type, username, expected labels).
  cases = [
      (0, '******', []),
      (1, '******', []),
      (1, '******', ['runlevel']),
  ]
  for utmp_type, username, expected_labels in cases:
    event_data.type = utmp_type
    event_data.username = username
    storage_writer = self._TagEvent(event, event_data)
    self.assertEqual(
        storage_writer.number_of_event_tags, len(expected_labels))
    self._CheckLabels(storage_writer, expected_labels)
def testRuleShutdown(self):
  """Tests the shutdown tagging rule.

  Rule under test: data_type is 'linux:utmp:event' AND type == 1 AND
  (terminal is '~~' OR terminal is 'system boot') AND username is
  'shutdown'. One utmp event is tagged with a sequence of attribute
  combinations; only those satisfying every conjunct receive the
  'shutdown' label.
  """
  event = events.EventObject()
  event.timestamp = self._TEST_TIMESTAMP
  event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN

  event_data = utmp.UtmpEventData()

  # NOTE(review): the username literals read '******' in this copy of the
  # file (they look redacted); the rule comment names 'shutdown' as the
  # value that matches — confirm against the checked-in source.
  # Each case: (type, terminal, username, expected labels); the values are
  # the cumulative state the original step-wise assignments reached.
  cases = [
      (0, 'system boot', '******', []),
      (1, 'bogus', '******', []),
      (1, 'system boot', '******', []),
      (1, 'system boot', '******', ['shutdown']),
      (1, '~~', '******', ['shutdown']),
  ]
  for utmp_type, terminal, username, expected_labels in cases:
    event_data.type = utmp_type
    event_data.terminal = terminal
    event_data.username = username
    storage_writer = self._TagEvent(event, event_data)
    self.assertEqual(
        storage_writer.number_of_event_tags, len(expected_labels))
    self._CheckLabels(storage_writer, expected_labels)
def testRuleLogin(self):
  """Tests the login tagging rule.

  Covers the utmp, selinux, login, sshd, dovecot and postfix clauses of
  the rule. One event object is reused; each case tags it with a fresh or
  mutated event data object and checks both the number of event tags
  written and the labels attached.

  NOTE(review): two statements in this copy of the file are partially
  redacted ('******') and could not be recovered; they are kept verbatim
  and marked below. The test fixtures embed credential-looking strings
  (a 'Login: user=' and a 'sasl_username=' value), which is presumably
  what a secret scanner redacted — using an obviously synthetic value such
  as 'user=nobody' would avoid that.
  """
  event = events.EventObject()
  event.timestamp = self._TEST_TIMESTAMP
  event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN
  # Test: data_type is 'linux:utmp:event' AND type == 7
  event_data = utmp.UtmpEventData()
  event_data.type = 0
  storage_writer = self._TagEvent(event, event_data)
  self.assertEqual(storage_writer.number_of_event_tags, 0)
  self._CheckLabels(storage_writer, [])
  event_data.type = 7
  storage_writer = self._TagEvent(event, event_data)
  self.assertEqual(storage_writer.number_of_event_tags, 1)
  self._CheckLabels(storage_writer, ['login'])
  # Test: data_type is 'selinux:line' AND audit_type is 'LOGIN'
  event_data = selinux.SELinuxLogEventData()
  event_data.audit_type = 'bogus'
  storage_writer = self._TagEvent(event, event_data)
  self.assertEqual(storage_writer.number_of_event_tags, 0)
  self._CheckLabels(storage_writer, [])
  event_data.audit_type = 'LOGIN'
  storage_writer = self._TagEvent(event, event_data)
  self.assertEqual(storage_writer.number_of_event_tags, 1)
  self._CheckLabels(storage_writer, ['login'])
  # Test: reporter is 'login' AND (body contains 'logged in' OR
  # body contains 'ROOT LOGIN' OR body contains 'session opened')
  event_data = syslog.SyslogLineEventData()
  event_data.reporter = 'login'
  # NOTE(review): audit_type is not an attribute the syslog clauses refer
  # to; this looks copied from the selinux case and was probably meant to
  # be body = 'bogus' (compare testRuleLogout). The negative check still
  # holds only because body is left unset here. Same in the sshd, dovecot
  # and postfix cases below.
  event_data.audit_type = 'bogus'
  storage_writer = self._TagEvent(event, event_data)
  self.assertEqual(storage_writer.number_of_event_tags, 0)
  self._CheckLabels(storage_writer, [])
  event_data.reporter = 'bogus'
  event_data.body = 'logged in'
  storage_writer = self._TagEvent(event, event_data)
  self.assertEqual(storage_writer.number_of_event_tags, 0)
  self._CheckLabels(storage_writer, [])
  event_data.reporter = 'login'
  storage_writer = self._TagEvent(event, event_data)
  self.assertEqual(storage_writer.number_of_event_tags, 1)
  self._CheckLabels(storage_writer, ['login'])
  event_data.body = 'ROOT LOGIN'
  storage_writer = self._TagEvent(event, event_data)
  self.assertEqual(storage_writer.number_of_event_tags, 1)
  self._CheckLabels(storage_writer, ['login'])
  event_data.body = 'session opened'
  storage_writer = self._TagEvent(event, event_data)
  self.assertEqual(storage_writer.number_of_event_tags, 1)
  self._CheckLabels(storage_writer, ['login'])
  # Test: reporter is 'sshd' AND (body contains 'session opened' OR
  # body contains 'Starting session')
  event_data = syslog.SyslogLineEventData()
  event_data.reporter = 'sshd'
  event_data.audit_type = 'bogus'
  storage_writer = self._TagEvent(event, event_data)
  self.assertEqual(storage_writer.number_of_event_tags, 0)
  self._CheckLabels(storage_writer, [])
  event_data.reporter = 'bogus'
  event_data.body = 'session opened'
  storage_writer = self._TagEvent(event, event_data)
  self.assertEqual(storage_writer.number_of_event_tags, 0)
  self._CheckLabels(storage_writer, [])
  event_data.reporter = 'sshd'
  storage_writer = self._TagEvent(event, event_data)
  self.assertEqual(storage_writer.number_of_event_tags, 1)
  self._CheckLabels(storage_writer, ['login'])
  event_data.body = 'Starting session'
  storage_writer = self._TagEvent(event, event_data)
  self.assertEqual(storage_writer.number_of_event_tags, 1)
  self._CheckLabels(storage_writer, ['login'])
  # NOTE(review): the rest of this comment line and the statements that
  # followed it (by the pattern of the other syslog cases: a fresh
  # syslog.SyslogLineEventData() and reporter = 'dovecot') are redacted in
  # this copy; the fragment is kept verbatim.
  # Test: reporter is 'dovecot' AND body contains 'imap-login: Login:'******'dovecot'
  event_data.audit_type = 'bogus'
  storage_writer = self._TagEvent(event, event_data)
  self.assertEqual(storage_writer.number_of_event_tags, 0)
  self._CheckLabels(storage_writer, [])
  event_data.reporter = 'bogus'
  # NOTE(review): redacted in this copy — the body value and the
  # statements between it and the final reporter = 'dovecot' assignment
  # were lost; kept verbatim, this line is not valid Python as shown.
  event_data.body = 'imap-login: Login: user='******'dovecot'
  storage_writer = self._TagEvent(event, event_data)
  self.assertEqual(storage_writer.number_of_event_tags, 1)
  self._CheckLabels(storage_writer, ['login'])
  # Test: reporter is 'postfix/submission/smtpd' AND body contains 'sasl_'
  event_data = syslog.SyslogLineEventData()
  event_data.reporter = 'postfix/submission/smtpd'
  event_data.audit_type = 'bogus'
  storage_writer = self._TagEvent(event, event_data)
  self.assertEqual(storage_writer.number_of_event_tags, 0)
  self._CheckLabels(storage_writer, [])
  event_data.reporter = 'bogus'
  # NOTE(review): redacted in this copy — the sasl_username value and the
  # statements between it and the final reporter assignment were lost;
  # kept verbatim, this line is not valid Python as shown.
  event_data.body = 'sasl_method=PLAIN, sasl_username='******'postfix/submission/smtpd'
  storage_writer = self._TagEvent(event, event_data)
  self.assertEqual(storage_writer.number_of_event_tags, 1)
  self._CheckLabels(storage_writer, ['login'])
def testRuleLogout(self):
  """Tests the logout tagging rule.

  Covers the utmp, login, sshd, systemd-logind and dovecot clauses of the
  rule. Every case tags one event and checks both the number of event
  tags written and the labels attached.
  """
  event = events.EventObject()
  event.timestamp = self._TEST_TIMESTAMP
  event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN

  def _TagAndCheck(event_data, expected_labels):
    """Tags event with event_data and asserts the resulting labels."""
    storage_writer = self._TagEvent(event, event_data)
    self.assertEqual(
        storage_writer.number_of_event_tags, len(expected_labels))
    self._CheckLabels(storage_writer, expected_labels)

  # Test: data_type is 'linux:utmp:event' AND type == 8 AND terminal != ''
  # AND pid != 0
  # Each case: (type, terminal, pid, expected labels); the values are the
  # cumulative state the original step-wise assignments reached.
  utmp_cases = [
      (0, 'tty1', 1, []),
      (8, '', 1, []),
      (8, 'tty1', 0, []),
      (8, 'tty1', 1, ['logout']),
  ]
  event_data = utmp.UtmpEventData()
  for utmp_type, terminal, pid, expected_labels in utmp_cases:
    event_data.type = utmp_type
    event_data.terminal = terminal
    event_data.pid = pid
    _TagAndCheck(event_data, expected_labels)

  # Syslog clauses: reporter is X AND body contains one of the phrases.
  # Each group starts from a fresh event data object; each step is
  # (reporter, body, expected labels).
  syslog_groups = [
      # reporter is 'login' AND body contains 'session closed'
      [('login', 'bogus', []),
       ('bogus', 'session closed', []),
       ('login', 'session closed', ['logout'])],
      # reporter is 'sshd' AND (body contains 'session closed' OR
      # body contains 'Close session')
      [('sshd', 'bogus', []),
       ('bogus', 'session closed', []),
       ('sshd', 'session closed', ['logout']),
       ('sshd', 'Close session', ['logout'])],
      # reporter is 'systemd-logind' AND body contains 'logged out'
      [('systemd-logind', 'bogus', []),
       ('bogus', 'logged out', []),
       ('systemd-logind', 'logged out', ['logout'])],
      # reporter is 'dovecot' AND body contains 'Logged out'
      [('dovecot', 'bogus', []),
       ('bogus', 'Logged out', []),
       ('dovecot', 'Logged out', ['logout'])],
  ]
  for steps in syslog_groups:
    event_data = syslog.SyslogLineEventData()
    for reporter, body, expected_labels in steps:
      event_data.reporter = reporter
      event_data.body = body
      _TagAndCheck(event_data, expected_labels)
def testRuleLogout(self):
  """Tests the logout tagging rule.

  The utmp clause is exercised step by step because its terminal != ''
  condition cannot be expressed through _CheckTaggingRule; the syslog and
  selinux clauses go through _CheckTaggingRule.
  """
  # Test: data_type is 'linux:utmp:event' AND type == 8 AND terminal != ''
  # AND pid != 0
  # Cannot use _CheckTaggingRule here because of terminal != ''
  event = events.EventObject()
  event.timestamp = self._TEST_TIMESTAMP
  event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN

  event_data = utmp.UtmpEventData()
  # Each case: (type, terminal, pid, expected labels); the values are the
  # cumulative state the original step-wise assignments reached.
  utmp_cases = [
      (0, 'tty1', 1, []),
      (8, '', 1, []),
      (8, 'tty1', 0, []),
      (8, 'tty1', 1, ['logout']),
  ]
  for utmp_type, terminal, pid, expected_labels in utmp_cases:
    event_data.type = utmp_type
    event_data.terminal = terminal
    event_data.pid = pid
    storage_writer = self._TagEvent(event, event_data, None)
    self.assertEqual(
        storage_writer.number_of_event_tags, len(expected_labels))
    self._CheckLabels(storage_writer, expected_labels)

  # Remaining clauses: (event data class, attribute values per name).
  rule_cases = [
      # reporter is 'login' AND body contains 'session closed'
      (syslog.SyslogLineEventData,
       {'body': ['session closed'], 'reporter': ['login']}),
      # reporter is 'sshd' AND (body contains 'session closed' OR
      # body contains 'Close session')
      (syslog.SyslogLineEventData,
       {'body': ['Close session', 'session closed'], 'reporter': ['sshd']}),
      # reporter is 'systemd-logind' AND body contains 'logged out'
      (syslog.SyslogLineEventData,
       {'body': ['logged out'], 'reporter': ['systemd-logind']}),
      # reporter is 'dovecot' AND body contains 'Logged out'
      (syslog.SyslogLineEventData,
       {'body': ['Logged out'], 'reporter': ['dovecot']}),
      # data_type is 'selinux:line' AND audit_type is 'USER_LOGOUT'
      (selinux.SELinuxLogEventData, {'audit_type': ['USER_LOGOUT']}),
  ]
  for event_data_class, attribute_values_per_name in rule_cases:
    self._CheckTaggingRule(
        event_data_class, attribute_values_per_name, ['logout'])