Add initial automated test for OSSEC alert using ossec-logtest

Verify that the log event describes in PR #871 (grsec denying RWX mmap) produces an OSSEC alert of level 7. Note: The rule added in PR #871 was later reverted, which is why current SecureDrop produces OSSEC alerts for this kind of log event.
freedomofpress · Aug 23, 2017 · 523447e · 523447e
1 parent e3d331b
commit 523447e
Showing 1 changed file with 21 additions and 0 deletions.
diff --git a/testinfra/mon/test_ossec_ruleset.py b/testinfra/mon/test_ossec_ruleset.py
@@ -0,0 +1,21 @@
+import re
+
+
+alert_level_regex = re.compile(r"Level: '(\d+)'")
+
+
+def test_grsec_denied_rwx_mapping_produces_alert(Command, Sudo):
+    """Check that a denied RWX mmaping produces an OSSEC alert"""
+    test_alert = ("Feb 10 23:34:40 app kernel: [  124.188641] grsec: denied "
+                  "RWX mmap of <anonymous mapping> by /usr/sbin/apache2"
+                  "[apache2:1328] uid/euid:33/33 gid/egid:33/33, parent "
+                  "/usr/sbin/apache2[apache2:1309] uid/euid:0/0 gid/egid:0/0")
+
+    with Sudo():
+        c = Command('echo "{}" | /var/ossec/bin/ossec-logtest'.format(
+                test_alert))
+
+        # Level 7 alert should be triggered by rule 100101
+        assert "Alert to be generated" in c.stderr
+        alert_level = alert_level_regex.findall(c.stderr)[0]
+        assert alert_level == "7"