mozilla
/
MozDef
зеркало из https://github.com/mozilla/MozDef.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Merge pull request #678 from mozilla/write_audit_custom 

Write audit custom
This commit is contained in:
Brandon Myers 2018-05-09 17:47:49 -05:00 коммит произвёл GitHub
Родитель 0cb3847703 5e79b98443
Коммит 249d4e0337
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
3 изменённых файлов: 171 добавлений и 0 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

2
alerts/write_audit.conf Normal file
Просмотреть файл

@ -0,0 +1,2 @@
[options]
skipprocess = process1 process2

44
alerts/write_audit.py Normal file
Просмотреть файл

@ -0,0 +1,44 @@
#!/usr/bin/env python
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
# Copyright (c) 2014 Mozilla Corporation
#
# This code alerts on every successfully opened session on any of the host from a given list
from lib.alerttask import AlertTask
from query_models import SearchQuery, TermMatch, QueryStringMatch, PhraseMatch
class WriteAudit(AlertTask):
def main(self):
self.parse_config('write_audit.conf', ['skipprocess'])
search_query = SearchQuery(minutes=5)
search_query.add_must([
TermMatch('category', 'write'),
TermMatch('details.auditkey', 'audit'),
])
for processname in self.config.skipprocess.split():
search_query.add_must_not(PhraseMatch('details.processname', processname))
self.filtersManual(search_query)
self.searchEventsAggregated('details.originaluser', samplesLimit=10)
self.walkAggregations(threshold=2)
def onAggregation(self, aggreg):
category = 'write'
severity = 'WARNING'
tags = ['audit']
summary = ('{0} Filesystem write(s) to an auditd path by {1}'.format(aggreg['count'], aggreg['value'], ))
hostnames = self.mostCommon(aggreg['allevents'],'_source.hostname')
#did they modify more than one host?
#or just modify an existing configuration more than once?
if len(hostnames) > 1:
for i in hostnames[:5]:
summary += ' on {0} ({1} hosts)'.format(i[0], i[1])
return self.createAlertDict(summary, category, tags, aggreg['events'], severity)

125
tests/alerts/test_write_audit.py Normal file
Просмотреть файл

@ -0,0 +1,125 @@
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
# Copyright (c) 2017 Mozilla Corporation
from positive_alert_test_case import PositiveAlertTestCase
from negative_alert_test_case import NegativeAlertTestCase
from alert_test_suite import AlertTestSuite
class TestWriteAudit(AlertTestSuite):
alert_filename = "write_audit"
alert_classname = 'WriteAudit'
# This event is the default positive event that will cause the
# alert to trigger
default_event = {
"_type": "auditd",
"_source": {
"category": "write",
"summary": "Write: /etc/audit/",
"hostname": "exhostname",
"tags": ["audisp-json","2.1.0", "audit"],
"details": {
"processname": "vi",
"originaluser": "randomjoe",
"auditkey": "audit",
}
}
}
# This alert is the expected result from running this task
default_alert = {
"category": "write",
"severity": "WARNING",
"summary": "5 Filesystem write(s) to an auditd path by randomjoe",
"tags": ['audit'],
"notify_mozdefbot": True,
}
test_cases = []
test_cases.append(
PositiveAlertTestCase(
description="Positive test with default event and default alert expected",
events=AlertTestSuite.create_events(default_event, 5),
expected_alert=default_alert
)
)
events = AlertTestSuite.create_events(default_event, 5)
for event in events:
event['_source']['summary'] = 'Write: /etc/audit/rules.d/.audit.rules.swp'
test_cases.append(
PositiveAlertTestCase(
description="Positive test with events with a summary of 'Write: /etc/audit/rules.d/.audit.rules.swp'",
events=events,
expected_alert=default_alert
)
)
events = AlertTestSuite.create_events(default_event, 5)
for event in events:
event['_source']['summary'] = 'Write: /etc/audit/rules.d/'
test_cases.append(
PositiveAlertTestCase(
description="Positive test with events with a summary of 'Write: /etc/audit/rules.d/'",
events=events,
expected_alert=default_alert
)
)
events = AlertTestSuite.create_events(default_event, 5)
for event in events:
event['_source']['utctimestamp'] = AlertTestSuite.subtract_from_timestamp_lambda(date_timedelta={'minutes': 1})
event['_source']['receivedtimestamp'] = AlertTestSuite.subtract_from_timestamp_lambda(date_timedelta={'minutes': 1})
test_cases.append(
PositiveAlertTestCase(
description="Positive test with events a minute earlier",
events=events,
expected_alert=default_alert
)
)
events = AlertTestSuite.create_events(default_event, 5)
for event in events:
event['_source']['details']['auditkey'] = 'exec'
test_cases.append(
NegativeAlertTestCase(
description="Negative test case with events with auditkey without 'audit'",
events=events,
)
)
events = AlertTestSuite.create_events(default_event, 5)
for event in events:
event['_source']['details']['processname'] = 'process1'
test_cases.append(
NegativeAlertTestCase(
description="Negative test case with events with processname that matches exclusion of 'process1'",
events=events,
)
)
events = AlertTestSuite.create_events(default_event, 5)
for event in events:
event['_source']['details']['originaluser'] = None
test_cases.append(
NegativeAlertTestCase(
description="Negative test case aggregation key excluded",
events=events,
)
)
events = AlertTestSuite.create_events(default_event, 5)
for event in events:
event['_source']['utctimestamp'] = AlertTestSuite.subtract_from_timestamp_lambda({'minutes': 15})
event['_source']['receivedtimestamp'] = AlertTestSuite.subtract_from_timestamp_lambda({'minutes': 15})
test_cases.append(
NegativeAlertTestCase(
description="Negative test case with old timestamp",
events=events,
)
)