FIM System tests - 0205 Restrict option #526
Comments
There's a working branch at feature-526-restrict-option

Initial results

Testing the scenario, a fault was detected on delete verification:
Creation and modification events were correctly logged but not deletion; a re-check was triggered after 15 minutes and events still were not found. This was experienced on file creation as well.

Improve logging

On a side note, I found out the logs are being rewritten on every execution, so the log file from checking the Linux agent gets overwritten by the Windows agent tests. Already working on a fix for this.
Scenario testing

A complete scenario test was launched with these configurations. Common sections were omitted for brevity; the full config can be found on the scenario config folder at

Linux agent ossec.conf:

<!-- File integrity monitoring -->
<syscheck>
  <disabled>no</disabled>
  <frequency>10</frequency>
  ...
  <directories restrict="fimtest">/opt/fim_testing</directories>
  ...
</syscheck>

Windows agent ossec.conf:

<!-- File integrity monitoring -->
<syscheck>
  <disabled>no</disabled>
  <frequency>10</frequency>
  ...
  <directories restrict="fimtest" recursion_level="320">C:\fim_testing</directories>
  ...
</syscheck>

file_configuration.json:

{
  "root_folder": "{{ agents_fim_testing_path }}",
  "recursion_level": 8,
  "folder_length": 16,
  "file_length": 16,
  "file_size_specifications": [
    { "size": 10240, "amount": 16000 },
    { "size": 524288, "amount": 4000 },
    { "size": 1048576, "amount": 1000 },
    { "size": 10485760, "amount": 200 }
  ]
}

This will generate 21200 files. Execution was triggered with this command:
Test execution

TASK [Verify alert json log | added] *****************************************************************************************************************************************
Tuesday 25 February 2020 12:50:18 +0100 (0:00:00.980) 0:02:34.147 ******
skipping: [172.16.0.161]
skipping: [172.16.0.131]
skipping: [172.16.0.141]
changed: [172.16.0.111] => (item={'uid': 1000, 'woth': False, 'mtime': 1582631335.2444875, 'inode': 67643801, 'isgid': False, 'size': 1200386, 'roth': True, 'isuid': False, 'isreg': True, 'pw_name': 'vagrant', 'gid': 1000, 'ischr': False, 'wusr': True, 'xoth': False, 'rusr': True, 'nlink': 1, 'issock': False, 'rgrp': True, 'gr_name': 'vagrant', 'path': '/opt/agents_files_output/added/files_generated.txt-172.16.0.131', 'xusr': False, 'atime': 1582631417.4134145, 'isdir': False, 'ctime': 1582631417.4324145, 'isblk': False, 'xgrp': False, 'dev': 64769, 'wgrp': False, 'isfifo': False, 'mode': '0644', 'islnk': False})
changed: [172.16.0.111] => (item={'uid': 1000, 'woth': False, 'mtime': 1582631415.8918314, 'inode': 67643805, 'isgid': False, 'size': 2028608, 'roth': True, 'isuid': False, 'isreg': True, 'pw_name': 'vagrant', 'gid': 1000, 'ischr': False, 'wusr': True, 'xoth': False, 'rusr': True, 'nlink': 1, 'issock': False, 'rgrp': True, 'gr_name': 'vagrant', 'path': '/opt/agents_files_output/added/files_generated.txt-172.16.0.141', 'xusr': False, 'atime': 1582631417.4314146, 'isdir': False, 'ctime': 1582631417.4324145, 'isblk': False, 'xgrp': False, 'dev': 64769, 'wgrp': False, 'isfifo': False, 'mode': '0644', 'islnk': False})
TASK [Verify elastic alerts | added] *****************************************************************************************************************************************
Tuesday 25 February 2020 12:55:12 +0100 (0:04:54.271) 0:07:28.418 ******
skipping: [172.16.0.161]
skipping: [172.16.0.131]
skipping: [172.16.0.141]
changed: [172.16.0.111] => (item={'uid': 1000, 'woth': False, 'mtime': 1582631335.2444875, 'inode': 67643801, 'isgid': False, 'size': 1200386, 'roth': True, 'isuid': False, 'isreg': True, 'pw_name': 'vagrant', 'gid': 1000, 'ischr': False, 'wusr': True, 'xoth': False, 'rusr': True, 'nlink': 1, 'issock': False, 'rgrp': True, 'gr_name': 'vagrant', 'path': '/opt/agents_files_output/added/files_generated.txt-172.16.0.131', 'xusr': False, 'atime': 1582631417.4134145, 'isdir': False, 'ctime': 1582631417.4324145, 'isblk': False, 'xgrp': False, 'dev': 64769, 'wgrp': False, 'isfifo': False, 'mode': '0644', 'islnk': False})
changed: [172.16.0.111] => (item={'uid': 1000, 'woth': False, 'mtime': 1582631415.8918314, 'inode': 67643805, 'isgid': False, 'size': 2028608, 'roth': True, 'isuid': False, 'isreg': True, 'pw_name': 'vagrant', 'gid': 1000, 'ischr': False, 'wusr': True, 'xoth': False, 'rusr': True, 'nlink': 1, 'issock': False, 'rgrp': True, 'gr_name': 'vagrant', 'path': '/opt/agents_files_output/added/files_generated.txt-172.16.0.141', 'xusr': False, 'atime': 1582631417.4314146, 'isdir': False, 'ctime': 1582631417.4324145, 'isblk': False, 'xgrp': False, 'dev': 64769, 'wgrp': False, 'isfifo': False, 'mode': '0644', 'islnk': False})
TASK [Verify alert json log | modified] **************************************************************************************************************************************
Tuesday 25 February 2020 13:00:03 +0100 (0:00:00.991) 0:12:19.157 ******
skipping: [172.16.0.161]
skipping: [172.16.0.131]
skipping: [172.16.0.141]
changed: [172.16.0.111] => (item={'uid': 1000, 'woth': False, 'mtime': 1582631938.4110475, 'inode': 307477, 'isgid': False, 'size': 1200386, 'roth': True, 'isuid': False, 'isreg': True, 'pw_name': 'vagrant', 'gid': 1000, 'ischr': False, 'wusr': True, 'xoth': False, 'rusr': True, 'nlink': 1, 'issock': False, 'rgrp': True, 'gr_name': 'vagrant', 'path': '/opt/agents_files_output/modified/files_modified.txt-172.16.0.131', 'xusr': False, 'atime': 1582632002.3118682, 'isdir': False, 'ctime': 1582632002.3708682, 'isblk': False, 'xgrp': False, 'dev': 64769, 'wgrp': False, 'isfifo': False, 'mode': '0644', 'islnk': False})
changed: [172.16.0.111] => (item={'uid': 1000, 'woth': False, 'mtime': 1582632000.7913086, 'inode': 307483, 'isgid': False, 'size': 2028608, 'roth': True, 'isuid': False, 'isreg': True, 'pw_name': 'vagrant', 'gid': 1000, 'ischr': False, 'wusr': True, 'xoth': False, 'rusr': True, 'nlink': 1, 'issock': False, 'rgrp': True, 'gr_name': 'vagrant', 'path': '/opt/agents_files_output/modified/files_modified.txt-172.16.0.141', 'xusr': False, 'atime': 1582632002.3608682, 'isdir': False, 'ctime': 1582632002.3708682, 'isblk': False, 'xgrp': False, 'dev': 64769, 'wgrp': False, 'isfifo': False, 'mode': '0644', 'islnk': False})
TASK [Verify elastic alerts | modified] **************************************************************************************************************************************
Tuesday 25 February 2020 13:04:45 +0100 (0:04:41.857) 0:17:01.015 ******
skipping: [172.16.0.161]
skipping: [172.16.0.131]
skipping: [172.16.0.141]
changed: [172.16.0.111] => (item={'uid': 1000, 'woth': False, 'mtime': 1582631938.4110475, 'inode': 307477, 'isgid': False, 'size': 1200386, 'roth': True, 'isuid': False, 'isreg': True, 'pw_name': 'vagrant', 'gid': 1000, 'ischr': False, 'wusr': True, 'xoth': False, 'rusr': True, 'nlink': 1, 'issock': False, 'rgrp': True, 'gr_name': 'vagrant', 'path': '/opt/agents_files_output/modified/files_modified.txt-172.16.0.131', 'xusr': False, 'atime': 1582632002.3118682, 'isdir': False, 'ctime': 1582632002.3708682, 'isblk': False, 'xgrp': False, 'dev': 64769, 'wgrp': False, 'isfifo': False, 'mode': '0644', 'islnk': False})
changed: [172.16.0.111] => (item={'uid': 1000, 'woth': False, 'mtime': 1582632000.7913086, 'inode': 307483, 'isgid': False, 'size': 2028608, 'roth': True, 'isuid': False, 'isreg': True, 'pw_name': 'vagrant', 'gid': 1000, 'ischr': False, 'wusr': True, 'xoth': False, 'rusr': True, 'nlink': 1, 'issock': False, 'rgrp': True, 'gr_name': 'vagrant', 'path': '/opt/agents_files_output/modified/files_modified.txt-172.16.0.141', 'xusr': False, 'atime': 1582632002.3608682, 'isdir': False, 'ctime': 1582632002.3708682, 'isblk': False, 'xgrp': False, 'dev': 64769, 'wgrp': False, 'isfifo': False, 'mode': '0644', 'islnk': False})
TASK [Verify alert json log | deleted] ***************************************************************************************************************************************
Tuesday 25 February 2020 13:09:35 +0100 (0:00:00.467) 0:21:51.556 ******
skipping: [172.16.0.161]
skipping: [172.16.0.131]
skipping: [172.16.0.141]
changed: [172.16.0.111] => (item={'uid': 1000, 'woth': False, 'mtime': 1582631335.2444875, 'inode': 67643803, 'isgid': False, 'size': 1200386, 'roth': True, 'isuid': False, 'isreg': True, 'pw_name': 'vagrant', 'gid': 1000, 'ischr': False, 'wusr': True, 'xoth': False, 'rusr': True, 'nlink': 1, 'issock': False, 'rgrp': True, 'gr_name': 'vagrant', 'path': '/opt/agents_files_output/deleted/files_generated.txt-172.16.0.131', 'xusr': False, 'atime': 1582632575.3252842, 'isdir': False, 'ctime': 1582632575.3522842, 'isblk': False, 'xgrp': False, 'dev': 64769, 'wgrp': False, 'isfifo': False, 'mode': '0644', 'islnk': False})
failed: [172.16.0.111] (item={'uid': 1000, 'woth': False, 'mtime': 1582631415.8918314, 'inode': 67643812, 'isgid': False, 'size': 2028608, 'roth': True, 'isuid': False, 'isreg': True, 'pw_name': 'vagrant', 'gid': 1000, 'ischr': False, 'wusr': True, 'xoth': False, 'rusr': True, 'nlink': 1, 'issock': False, 'rgrp': True, 'gr_name': 'vagrant', 'path': '/opt/agents_files_output/deleted/files_generated.txt-172.16.0.141', 'xusr': False, 'atime': 1582632575.3512843, 'isdir': False, 'ctime': 1582632575.3522842, 'isblk': False, 'xgrp': False, 'dev': 64769, 'wgrp': False, 'isfifo': False, 'mode': '0644', 'islnk': False}) => {"ansible_loop_var": "item", "changed": true, "item": {"atime": 1582632575.3512843, "ctime": 1582632575.3522842, "dev": 64769, "gid": 1000, "gr_name": "vagrant", "inode": 67643812, "isblk": false, "ischr": false, "isdir": false, "isfifo": false, "isgid": false, "islnk": false, "isreg": true, "issock": false, "isuid": false, "mode": "0644", "mtime": 1582631415.8918314, "nlink": 1, "path": "/opt/agents_files_output/deleted/files_generated.txt-172.16.0.141", "pw_name": "vagrant", "rgrp": true, "roth": true, "rusr": true, "size": 2028608, "uid": 1000, "wgrp": false, "woth": false, "wusr": true, "xgrp": false, "xoth": false, "xusr": false}, "msg": "non-zero return code", "rc": 1, "stderr": "Shared connection to 172.16.0.111 closed.\r\n", "stderr_lines": ["Shared connection to 172.16.0.111 closed."], "stdout": "2020-02-25 12:14:38,406 [INFO] alerts.json verification started\r\n2020-02-25 12:14:46,712 [INFO] Filelist related alerts aren't growing (0) ...\r\n2020-02-25 12:15:46,754 [INFO] Elapsed time: ~ 68 seconds \r\n\r\n2020-02-25 12:15:55,881 [INFO] Filelist related alerts aren't growing (1) ...\r\n2020-02-25 12:16:55,897 [INFO] Elapsed time: ~ 137 seconds \r\n\r\n2020-02-25 12:17:03,505 [INFO] Filelist related alerts aren't growing (2) ...\r\n2020-02-25 12:18:03,513 [INFO] Elapsed time: ~ 205 seconds \r\n\r\n2020-02-25 12:18:11,343 [INFO] Filelist related alerts aren't growing (3) ...\r\n2020-02-25 12:19:11,384 [INFO] Elapsed time: ~ 272 seconds \r\n\r\n2020-02-25 12:19:19,069 [INFO] Filelist related alerts aren't growing (4) ...\r\n2020-02-25 12:20:19,073 [INFO] Elapsed time: ~ 340 seconds \r\n\r\n2020-02-25 12:20:27,008 [WARNING] Verify alerts test - NOT OK. 8 alerts are missing.\r\n\r\n2020-02-25 12:20:27,010 [WARNING] 8 missing alerts.\r\n\r\n", "stdout_lines": ["2020-02-25 12:14:38,406 [INFO] alerts.json verification started", "2020-02-25 12:14:46,712 [INFO] Filelist related alerts aren't growing (0) ...", "2020-02-25 12:15:46,754 [INFO] Elapsed time: ~ 68 seconds ", "", "2020-02-25 12:15:55,881 [INFO] Filelist related alerts aren't growing (1) ...", "2020-02-25 12:16:55,897 [INFO] Elapsed time: ~ 137 seconds ", "", "2020-02-25 12:17:03,505 [INFO] Filelist related alerts aren't growing (2) ...", "2020-02-25 12:18:03,513 [INFO] Elapsed time: ~ 205 seconds ", "", "2020-02-25 12:18:11,343 [INFO] Filelist related alerts aren't growing (3) ...", "2020-02-25 12:19:11,384 [INFO] Elapsed time: ~ 272 seconds ", "", "2020-02-25 12:19:19,069 [INFO] Filelist related alerts aren't growing (4) ...", "2020-02-25 12:20:19,073 [INFO] Elapsed time: ~ 340 seconds ", "", "2020-02-25 12:20:27,008 [WARNING] Verify alerts test - NOT OK. 8 alerts are missing.", "", "2020-02-25 12:20:27,010 [WARNING] 8 missing alerts.", ""]}

Test results

All tests were ok except for 8 missing delete alerts on the Windows agent. After checking again, the missing alerts were verified.

# python3 verify_alerts_json.py -i /opt/agents_files_output/deleted/files_generated.txt-172.16.0.141 -e deleted -t 1 -r 1
2020-02-25 12:25:09,107 [INFO] alerts.json verification started
2020-02-25 12:25:16,303 [INFO] Filelist related alerts aren't growing (0) ...
2020-02-25 12:25:17,304 [INFO] Elapsed time: ~ 8 seconds
2020-02-25 12:25:24,621 [INFO] Filelist related alerts aren't growing (1) ...
2020-02-25 12:25:25,622 [INFO] Elapsed time: ~ 16 seconds
2020-02-25 12:25:32,889 [WARNING] Verify alerts test - NOT OK. 8 alerts are missing.
2020-02-25 12:25:32,890 [WARNING] 8 missing alerts.
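As an added illustration of the check the failing task above performs (this is not the issue's verify_alerts_json.py nor any Wazuh code): it takes a generated file list and alerts.json lines, applies the syscheck restrict pattern, and reports which watched paths have no alert of the requested event type and which restricted-out paths produced one anyway. The alert shape (one JSON object per line with a syscheck.path and syscheck.event), the file-list format and restrict-as-regex-over-the-full-path semantics are assumptions, and the sample data is constructed.

```python
import json
import re

# Constructed alerts.json lines (not from the issue), in the assumed Wazuh shape:
# one JSON object per line carrying "syscheck": {"path": ..., "event": ...}.
SAMPLE_ALERTS = "\n".join(json.dumps(a) for a in [
    {"syscheck": {"path": "/opt/fim_testing/fimtest_a.txt", "event": "added"}},
    {"syscheck": {"path": "/opt/fim_testing/fimtest_a.txt", "event": "modified"}},
    {"syscheck": {"path": "/opt/fim_testing/fimtest_b.txt", "event": "added"}},
    {"syscheck": {"path": "/opt/fim_testing/other.txt", "event": "added"}},  # excluded by restrict
    {"rule": {"id": "5501"}},  # non-syscheck alert, must be ignored
])

# Constructed file list in the style of files_generated.txt: one path per line.
SAMPLE_FILELIST = """/opt/fim_testing/fimtest_a.txt
/opt/fim_testing/fimtest_b.txt
/opt/fim_testing/other.txt
"""

def expected_paths(filelist_text, restrict):
    """Split the generated file list into paths syscheck should report
    (restrict pattern found in the path) and paths it must stay silent on.
    Assumption: restrict behaves as a regex search over the full path."""
    pattern = re.compile(restrict)
    paths = [p.strip() for p in filelist_text.splitlines() if p.strip()]
    watched = {p for p in paths if pattern.search(p)}
    return watched, set(paths) - watched

def seen_events(alerts_text):
    """Collect (path, event) pairs from syscheck alerts; skip unrelated lines."""
    seen = set()
    for line in alerts_text.splitlines():
        if not line.strip():
            continue
        sc = json.loads(line).get("syscheck")
        if sc and "path" in sc and "event" in sc:
            seen.add((sc["path"], sc["event"]))
    return seen

def verify(filelist_text, alerts_text, event, restrict):
    """Return (missing, unexpected): watched paths lacking the event, and
    restricted-out paths that produced the event anyway."""
    watched, excluded = expected_paths(filelist_text, restrict)
    seen = seen_events(alerts_text)
    missing = sorted(p for p in watched if (p, event) not in seen)
    unexpected = sorted(p for p in excluded if (p, event) in seen)
    return missing, unexpected

if __name__ == "__main__":
    for ev in ("added", "modified", "deleted"):
        print(ev, verify(SAMPLE_FILELIST, SAMPLE_ALERTS, ev, "fimtest"))
```

A non-empty "unexpected" list is the case the restrict option is meant to rule out, while the "missing" list for deleted is the symptom reported in this issue.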
Done in #535
This issue will log the development of a scenario for testing the restrict option on syscheck.
Tasks

ossec.conf with restrict option enabled