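/// <summary>
/// An EXECVE record carrying a long argv list must be reassembled into a single command
/// line, with the remaining process fields (executable, pid, ppid, uid, timestamp) intact.
/// </summary>
public void TestManyArgumentProcessEventParsing()
{
    SetupAusearchReturnValue(ManyArgumentsEvent);

    // Materialize once: the output is enumerated by ValidateSchema and again by the
    // assertions, and a lazy sequence would re-run the generator (and the mocked shell)
    // on every enumeration.
    var events = GeneratorUnderTest.GetEvents().ToList();
    events.ValidateSchema();
    Assert.AreEqual(1, events.Count);

    // Null-checked conversion gives an assertion message instead of an InvalidCastException
    // when the generator emits the wrong event type.
    var processEvent = events[0] as ProcessCreate;
    Assert.IsNotNull(processEvent, "expected a ProcessCreate event");
    var processCreationPayload = processEvent.Payload.First();

    Assert.IsFalse(processEvent.IsEmpty);
    Assert.AreEqual("sudo ls -a --author -b -B -c -lt -C -d -D -F -f -g -h", processCreationPayload.CommandLine);
    Assert.AreEqual("/usr/bin/sudo", processCreationPayload.Executable);
    Assert.AreEqual((uint)29229, processCreationPayload.ProcessId);
    Assert.AreEqual((uint)27103, processCreationPayload.ParentProcessId);
    Assert.AreEqual("1001", processCreationPayload.UserId);

    // Timestamp is asserted component-wise; the concrete type of Time is not visible
    // here, so no single date-time comparison is attempted.
    Assert.AreEqual(2018, processCreationPayload.Time.Year);
    Assert.AreEqual(12, processCreationPayload.Time.Month);
    Assert.AreEqual(27, processCreationPayload.Time.Day);
    Assert.AreEqual(9, processCreationPayload.Time.Hour);
    Assert.AreEqual(51, processCreationPayload.Time.Minute);
    Assert.AreEqual(4, processCreationPayload.Time.Second);

    MockedShell.VerifyAll();
}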
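/// <summary>
/// An executable name that arrives in encoded form (the fixture is named EncodedProcName;
/// presumably auditd's hex encoding for fields containing whitespace) must be decoded
/// faithfully — including the trailing space in the expected value. Misdecoding here
/// would misreport the executable in the emitted security event.
/// </summary>
public void TestEncodedExecutableName()
{
    SetupAusearchReturnValue(EncodedProcName);

    // Materialize once so ValidateSchema and the assertions do not re-run a lazy generator.
    var events = GeneratorUnderTest.GetEvents().ToList();
    events.ValidateSchema();
    Assert.AreEqual(1, events.Count);

    var processEvent = events[0] as ProcessCreate;
    Assert.IsNotNull(processEvent, "expected a ProcessCreate event");
    var processCreationPayload = processEvent.Payload.First();

    Assert.IsFalse(processEvent.IsEmpty);
    // The trailing space is part of the expected decoded value.
    Assert.AreEqual("/home/kfir/dev/space ", processCreationPayload.CommandLine);
    Assert.AreEqual("/home/kfir/dev/space ", processCreationPayload.Executable);
    Assert.AreEqual((uint)52362, processCreationPayload.ProcessId);
    Assert.AreEqual((uint)51661, processCreationPayload.ParentProcessId);
    Assert.AreEqual("1000", processCreationPayload.UserId);

    // Timestamp asserted component-wise; the concrete type of Time is not visible here.
    Assert.AreEqual(2019, processCreationPayload.Time.Year);
    Assert.AreEqual(1, processCreationPayload.Time.Month);
    Assert.AreEqual(29, processCreationPayload.Time.Day);
    Assert.AreEqual(15, processCreationPayload.Time.Hour);
    Assert.AreEqual(40, processCreationPayload.Time.Minute);
    Assert.AreEqual(19, processCreationPayload.Time.Second);

    MockedShell.VerifyAll();
}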
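/// <summary>
/// Empty ausearch output must yield an empty (but still schema-valid) event sequence,
/// not a failure or a placeholder event.
/// </summary>
public void TestNoEventsGeneratedWhenAuditdReturnsNoEvents()
{
    SetupAusearchReturnValue("");

    // Materialize once so ValidateSchema and the count do not re-run a lazy generator.
    var events = GeneratorUnderTest.GetEvents().ToList();
    events.ValidateSchema();
    Assert.AreEqual(0, events.Count);

    MockedShell.VerifyAll();
}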
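/// <summary>
/// A fixture with two EXECVE records must produce two ProcessCreate events in log order.
/// The second record is the collector's own ausearch invocation showing up in the audit
/// log (see its expected command line); it must be reported like any other process start.
/// </summary>
public void TestProcessEventParsing()
{
    SetupAusearchReturnValue(ProcessEvent);

    // Materialize once so ValidateSchema and the indexed access below do not re-run
    // a lazy generator against the mocked shell.
    var events = GeneratorUnderTest.GetEvents().ToList();
    events.ValidateSchema();
    Assert.AreEqual(2, events.Count);

    // First record: a plain command run by uid 1000.
    var processEvent = events[0] as ProcessCreate;
    Assert.IsNotNull(processEvent, "expected a ProcessCreate event at index 0");
    var processCreationPayload = processEvent.Payload.First();

    Assert.IsFalse(processEvent.IsEmpty);
    Assert.AreEqual("cat /etc/passwd", processCreationPayload.CommandLine);
    Assert.AreEqual("/bin/cat", processCreationPayload.Executable);
    Assert.AreEqual((uint)19552, processCreationPayload.ProcessId);
    Assert.AreEqual((uint)10227, processCreationPayload.ParentProcessId);
    Assert.AreEqual("1000", processCreationPayload.UserId);
    Assert.AreEqual(2018, processCreationPayload.Time.Year);
    Assert.AreEqual(12, processCreationPayload.Time.Month);
    Assert.AreEqual(21, processCreationPayload.Time.Day);
    Assert.AreEqual(11, processCreationPayload.Time.Hour);
    Assert.AreEqual(22, processCreationPayload.Time.Minute);
    Assert.AreEqual(32, processCreationPayload.Time.Second);

    // Second record: the generator's own checkpointed ausearch command, same parent and
    // same second as the first record.
    processEvent = events[1] as ProcessCreate;
    Assert.IsNotNull(processEvent, "expected a ProcessCreate event at index 1");
    processCreationPayload = processEvent.Payload.First();

    Assert.IsFalse(processEvent.IsEmpty);
    Assert.AreEqual("/bin/bash -c sudo ausearch -m EXECVE --input-logs --checkpoint /var/tmp/ProcessCreationEventGeneratorCheckpoint", processCreationPayload.CommandLine);
    Assert.AreEqual("/bin/bash", processCreationPayload.Executable);
    Assert.AreEqual((uint)19553, processCreationPayload.ProcessId);
    Assert.AreEqual((uint)10227, processCreationPayload.ParentProcessId);
    Assert.AreEqual("1000", processCreationPayload.UserId);
    Assert.AreEqual(2018, processCreationPayload.Time.Year);
    Assert.AreEqual(12, processCreationPayload.Time.Month);
    Assert.AreEqual(21, processCreationPayload.Time.Day);
    Assert.AreEqual(11, processCreationPayload.Time.Hour);
    Assert.AreEqual(22, processCreationPayload.Time.Minute);
    Assert.AreEqual(32, processCreationPayload.Time.Second);

    MockedShell.VerifyAll();
}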
/// <summary>
/// When the first ausearch invocation fails (the mocked failure reports "malformed
/// checkpoint"), the generator must retry with a time-bounded query (-ts) rather than
/// give up, so that a corrupt checkpoint file does not silently stop event collection.
/// </summary>
public void TestAusearchFallbackIsExecuted()
{
    // First ausearch call throws, the retry returns no output.
    var checkpointFailure = new CommandExecutionFailedException("ausearch cmd", 10, "malformed checkpoint");
    MockedShell
        .SetupSequence(shell => shell.ExecuteProcess(
            It.IsAny<string>(),
            It.Is<string>(command => command.Contains("ausearch")),
            It.IsAny<ErrorHandler>(),
            It.IsAny<IEnumerable<int>>()))
        .Throws(checkpointFailure)
        .Returns("");

    var events = GeneratorUnderTest.GetEvents();
    events.ValidateSchema();

    // The checkpoint-based query (no -ts) must have been attempted ...
    MockedShell.Verify(shell => shell.ExecuteProcess(
        It.IsAny<string>(),
        It.Is<string>(command => command.Contains("ausearch") && !command.Contains("-ts")),
        It.IsAny<ErrorHandler>(),
        It.IsAny<IEnumerable<int>>()));

    // ... and the time-bounded fallback (-ts) as well.
    MockedShell.Verify(shell => shell.ExecuteProcess(
        It.IsAny<string>(),
        It.Is<string>(command => command.Contains("ausearch") && command.Contains("-ts")),
        It.IsAny<ErrorHandler>(),
        It.IsAny<IEnumerable<int>>()));
}
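/// <summary>
/// A PAM authentication record must be parsed into a successful Login event with the
/// executable, pid, user name and operation filled in, and the fields the fixture does
/// not carry (numeric user id, remote address) left null rather than defaulted.
/// </summary>
public void TestLoginEventParseing()
{
    SetupAusearchReturnValue(LoginEvent1);

    // Materialize once so ValidateSchema and the assertions do not re-run a lazy generator.
    var events = GeneratorUnderTest.GetEvents().ToList();
    events.ValidateSchema();
    Assert.AreEqual(1, events.Count);

    var loginEvent = events[0] as Login;
    Assert.IsNotNull(loginEvent, "expected a Login event");
    // Read the payload once instead of re-evaluating Payload.First() per assertion.
    var loginPayload = loginEvent.Payload.First();

    Assert.AreEqual("/usr/sbin/lightdm", loginPayload.Executable);
    Assert.AreEqual((uint)1082, loginPayload.ProcessId);
    Assert.IsNull(loginPayload.UserId);
    Assert.AreEqual("kfir", loginPayload.UserName);
    Assert.AreEqual("PAM:authentication", loginPayload.Operation);
    Assert.AreEqual(LoginResult.Success, loginPayload.Result);
    // Local (non-network) login: no remote address is expected.
    Assert.IsNull(loginPayload.RemoteAddress);

    MockedShell.VerifyAll();
}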