Skip to content

Commit

Permalink
Merge pull request #537 from wazuh/feature-528-whodata-scenario
Browse files Browse the repository at this point in the history 
FIM System tests: 0203 Whodata Scenario
  • Loading branch information
Jose M. Garcia authored Feb 25, 2020
2 parents 6e623f3 + ac700c5 commit cc1863b
Show file tree
Hide file tree
Showing 7 changed files with 907 additions and 7 deletions.
36 changes: 30 additions & 6 deletions tests/system/fim/common_tasks/verify_alerts_elasticsearch.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,10 @@ def makeQuery(query, Elastic, index_name):
"-s", "--sleep", type=int, required=False, dest='sleep_time',
help="Sleep time between retries", default="60"
)
parser.add_argument(
"-w", "--whodata", type=bool, required=False, dest='whodata_query',
help="Enable whodata queries", default="False"
)
args = parser.parse_args()

query = {
Expand All @@ -101,13 +105,33 @@ def makeQuery(query, Elastic, index_name):
for line in file_list:
query['query']['bool']['filter'][0]['term']['syscheck.path'] =\
line.rstrip()
try:
query_result = makeQuery(query, es, index_name)
print(query_result)
except Exception as e:
logging.info("Error when making the Query of " + str(args.whodata_query))
raise e

query_result = makeQuery(query, es, index_name)
if query_result['hits']['total']['value'] == 1:
success += 1
if (args.whodata_query):
try:
if (query_result['hits']['hits'][0]['_source']['syscheck']['audit']['process']['name'] in query_result):
success +=1
except IndexError:
failure_list.append(line)
failure += 1
except Exception as e:
logging.info("Error when filtering audit fields in alert " + line.rstrip())
raise e
else:
failure_list.append(line)
failure += 1
try:
if query_result['hits']['total']['value'] == 1:
success += 1
except IndexError:
failure_list.append(line)
failure += 1
except Exception as e:
logging.info("Error when filtering syscheck alerts hits of " + line.rstrip())
raise e
if failure == 0:
break
else:
Expand All @@ -131,4 +155,4 @@ def makeQuery(query, Elastic, index_name):
"Number of succeded files: {}\n Elapsed time: ~ {} seconds.".format(
success, elapsed
)
)
)
33 changes: 32 additions & 1 deletion tests/system/fim/common_tasks/verify_alerts_json.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,31 @@ def alerts_prune(path, target_event):
continue
return set([alerts['syscheck']['path'] for alerts in alerts_list])

def alerts_prune_whodata(path, target_event):
"""
Prunes desired whodata events from the alert.json file.
Extracts all events path to a set.
:param str path: path to alerts.json file
:param str target_event: target event kind (deleted|added|modified)
:return: Returns a set containing the alerts files path
"""
alerts_list = []
with open(path,errors='replace') as json_file:
for line in json_file:
try:
data = json.loads(line)
if (data['syscheck']['audit'] is not None and data['syscheck']['event'] == target_event):
if (data['syscheck']['audit']['user']['id'] != ""
and data['syscheck']['audit']['user']['name'] != ""
and data['syscheck']['audit']['process']['id'] != ""
and data['syscheck']['audit']['process']['name'] != ""
):
alerts_list.append(data)
except ValueError:
continue
except KeyError:
continue
return set([alerts['syscheck']['path'] for alerts in alerts_list])

def main():
logging.basicConfig(
Expand Down Expand Up @@ -87,14 +112,20 @@ def main():
parser.add_argument("-r", "--retry", type=int, required=False, dest='retry_count',
help="reading attempts on stopped alerts. default: 4 attemps",
default="4")
parser.add_argument("-w", "--whodata", type=bool, required=False, dest='whodata_check',
help="Enable Whodata alert's parsing.",
default="false")
args = parser.parse_args()

import time

stuck_alerts = 0

paths_list_set = paths_acquisition(args.input_file)
pruned_alerts_set = alerts_prune(args.log_json_path, args.event)
if (args.whodata_check is not None and args.whodata_check):
pruned_alerts_set = alerts_prune_whodata(args.log_json_path, args.event)
else:
pruned_alerts_set = alerts_prune(args.log_json_path, args.event)
sub_paths = paths_list_set - pruned_alerts_set
prev_lenght = len(sub_paths)
start = time.time()
Expand Down
7 changes: 7 additions & 0 deletions tests/system/fim/scenarios/203_whodata_frequency/actions/install_whodata.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
---
- name: Install Audit | Linux
package:
name: audit
state: present
when:
- inventory_hostname in groups['linuxagents']
209 changes: 209 additions & 0 deletions tests/system/fim/scenarios/203_whodata_frequency/config/agent_linux_ossec.conf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,209 @@
<!--
Wazuh - Agent - Default configuration
More info at: https://documentation.wazuh.com
Mailing list: https://groups.google.com/forum/#!forum/wazuh
-->

<ossec_config>
<client>
<server>
<address>172.16.0.111</address>
<port>1514</port>
<protocol>udp</protocol>
</server>
<config-profile>linux_system_tests</config-profile>
<notify_time>10</notify_time>
<time-reconnect>60</time-reconnect>
<auto_restart>yes</auto_restart>
<crypto_method>aes</crypto_method>
</client>

<client_buffer>
<!-- Agent buffer options -->
<disabled>no</disabled>
<queue_size>15000</queue_size>
<events_per_second>500</events_per_second>
</client_buffer>

<!-- Policy monitoring -->
<rootcheck>
<disabled>no</disabled>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>

<!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>43200</frequency>

<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>

<skip_nfs>yes</skip_nfs>
</rootcheck>

<wodle name="open-scap">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
</wodle>

<wodle name="cis-cat">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>

<java_path>wodles/java</java_path>
<ciscat_path>wodles/ciscat</ciscat_path>
</wodle>

<!-- Osquery integration -->
<wodle name="osquery">
<disabled>yes</disabled>
<run_daemon>yes</run_daemon>
<log_path>/var/log/osquery/osqueryd.results.log</log_path>
<config_path>/etc/osquery/osquery.conf</config_path>
<add_labels>yes</add_labels>
</wodle>

<!-- System inventory -->
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
</wodle>

<sca>
<enabled>yes</enabled>
<scan_on_start>yes</scan_on_start>
<interval>12h</interval>
<skip_nfs>yes</skip_nfs>
</sca>


<!-- File integrity monitoring -->
<syscheck>
<disabled>no</disabled>

<!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>43200</frequency>

<scan_on_start>yes</scan_on_start>

<!-- Directories to check (perform all possible verifications) -->
<directories>/etc,/usr/bin,/usr/sbin</directories>
<directories>/bin,/sbin,/boot</directories>
<!-- Whodata options -->
<directories check_all="yes" whodata="yes">/opt/fim_testing</directories>

<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/random.seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>

<!-- File types to ignore -->
<ignore type="sregex">.log$|.swp$</ignore>

<!-- Check the file, but never compute the diff -->
<nodiff>/etc/ssl/private.key</nodiff>

<skip_nfs>yes</skip_nfs>
<skip_dev>yes</skip_dev>
<skip_proc>yes</skip_proc>
<skip_sys>yes</skip_sys>

<!-- Nice value for Syscheck process -->
<process_priority>10</process_priority>

<!-- Maximum output throughput -->
<max_eps>200</max_eps>

<!-- Database synchronization settings -->
<synchronization>
<enabled>yes</enabled>
<interval>5m</interval>
<max_interval>1h</max_interval>
</synchronization>
</syscheck>

<!-- Log analysis -->
<localfile>
<log_format>command</log_format>
<command>df -P</command>
<frequency>360</frequency>
</localfile>

<localfile>
<log_format>full_command</log_format>
<command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
<alias>netstat listening ports</alias>
<frequency>360</frequency>
</localfile>

<localfile>
<log_format>full_command</log_format>
<command>last -n 20</command>
<frequency>360</frequency>
</localfile>

<!-- Active response -->
<active-response>
<disabled>no</disabled>
<ca_store>/var/ossec/etc/wpk_root.pem</ca_store>
<ca_verification>yes</ca_verification>
</active-response>

<!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
<logging>
<log_format>plain</log_format>
</logging>

</ossec_config>

<ossec_config>
<localfile>
<log_format>syslog</log_format>
<location>/var/ossec/logs/active-responses.log</location>
</localfile>

<localfile>
<log_format>syslog</log_format>
<location>/var/log/auth.log</location>
</localfile>

<localfile>
<log_format>syslog</log_format>
<location>/var/log/syslog</location>
</localfile>

<localfile>
<log_format>syslog</log_format>
<location>/var/log/dpkg.log</location>
</localfile>

<localfile>
<log_format>syslog</log_format>
<location>/var/log/kern.log</location>
</localfile>

</ossec_config>
Loading

0 comments on commit cc1863b

Please sign in to comment.