
Add initial automated tests for OSSEC and whitelist overloaded Tor guard log event #2137

Merged (3 commits) on Aug 23, 2017

Conversation

@redshiftzero (Contributor) commented Aug 16, 2017

Status

Ready for review

Description of Changes

Fixes #1670 and begins work towards #2134

Changes proposed in this pull request:

(Happy to break this up into separate PRs to aid in review)

Testing

At minimum, verify the new tests run and pass in the CI staging environment.

If you want to be super thorough:

  1. Provision staging on dd40158 and see that test_overloaded_tor_guard_does_not_produce_alert fails ("Alert to be generated" appears in the output of ossec-logtest)
  2. Provision staging on 32b18ad and see that test_overloaded_tor_guard_does_not_produce_alert now passes ("Alert to be generated" does not appear in the output of ossec-logtest)

Deployment

This just updates the OSSEC rules, so there should be no issues in deployment.

Checklist

If you made changes to the system configuration:
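As an added example (not code from this PR or from SecureDrop's own test suite): a small Python helper of the kind a testinfra test such as test_overloaded_tor_guard_does_not_produce_alert could call. It pipes a raw log line into ossec-logtest, parses the output for the matched rule and level, and reports whether "Alert to be generated" appears, which is exactly the check the Testing steps above describe. The binary path is the default OSSEC install location; the rule ids, descriptions and both sample outputs are constructed placeholders.

```python
import re
import subprocess

# Default ossec-logtest path on an OSSEC install (assumption: SecureDrop
# staging hosts use the standard /var/ossec prefix).
OSSEC_LOGTEST = "/var/ossec/bin/ossec-logtest"

def run_logtest(log_line, binary=OSSEC_LOGTEST):
    """Pipe one raw log line into ossec-logtest and return all it printed."""
    proc = subprocess.run([binary], input=log_line + "\n",
                          capture_output=True, text=True, check=False)
    return proc.stdout + proc.stderr

def parse_logtest_output(output):
    """Extract the matched rule id, its level and whether OSSEC would alert."""
    rule_id = re.search(r"Rule id: '(\d+)'", output)
    level = re.search(r"Level: '(\d+)'", output)
    return {
        "alert": "Alert to be generated" in output,
        "rule_id": rule_id.group(1) if rule_id else None,
        "level": int(level.group(1)) if level else None,
    }

def alert_fires(output, level=None):
    """True when the output reports an alert, optionally at exactly `level`."""
    parsed = parse_logtest_output(output)
    return parsed["alert"] and (level is None or parsed["level"] == level)

# Constructed sample outputs shaped like ossec-logtest's phases; rule ids and
# descriptions are placeholders, not SecureDrop's real rule numbers.
GRSEC_OUTPUT = """**Phase 1: Completed pre-decoding.
       full event: 'Aug 16 21:58:28 app-staging kernel: grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/landscape-sysinfo'

**Phase 3: Completed filtering (rules).
       Rule id: '100001'
       Level: '7'
       Description: 'grsec denied RWX mmap'
**Alert to be generated.
"""

# Whitelisting rule at level 0: the event matches but no alert line appears.
TOR_GUARD_OUTPUT = """**Phase 1: Completed pre-decoding.
       full event: 'Aug 16 21:59:01 app-staging Tor[712]: [warn] Your Guard is failing a very large amount of circuits.'

**Phase 3: Completed filtering (rules).
       Rule id: '100002'
       Level: '0'
       Description: 'Overloaded Tor guard, no administrator action required'
"""
```

In a live test, replace the constructed outputs with `run_logtest(line)` on the staging host and assert `alert_fires(out, level=7)` for the grsec event and `not alert_fires(out)` for the Tor guard event.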

@conorsch (Contributor):

Hmm, I would expect the RWX mmap of <anonymous mapping> by /usr/sbin/apache2 alert never to fire, given that we set kernel.grsecurity.rwxmap_logging=0 in the grsecurity role. @redshiftzero have you observed that particular event on staging machines?

@redshiftzero (Contributor, Author):

Hmm so this isn't apache2, but I see this event:

Aug 16 21:58:28 app-staging kernel: [ 7.847843] grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/landscape-sysinfo[landscape-sysin:279] uid/euid:0/0 gid/egid:0/0, parent /usr/share/landscape/landscape-sysinfo.wrapper[50-landscape-sy:269] uid/euid:0/0 gid/egid:0/0

in /var/log/syslog on app-staging provisioned today.

Verify that the log event described in PR #871 (grsec denying RWX
mmap) produces an OSSEC alert of level 7.

Note: The rule added in PR #871 was later reverted, which is why
current SecureDrop produces OSSEC alerts for this kind of log
event.

A Tor log event indicating that a Tor guard in use is overloaded
currently produces an OSSEC alert. While this alert is an
excellent candidate to be sent upstream to FPF for analysis,
there is no action that a SecureDrop administrator is expected
to take, making this a spurious OSSEC alert.

This test reproduces this spurious alert and is a regression test
for an OSSEC rule patch.
@redshiftzero force-pushed the ossec-testinfra-tests branch from 0bf8027 to 32b18ad on August 23, 2017 16:40

@conorsch (Contributor):

Spinning up VMs to test out these changes.

@conorsch (Contributor):

We have alerting tests! 😍 Thanks @redshiftzero!

I'll note now that we're definitely going to want to DRY out the alerting config tests by writing a reusable function (should technically be a fixture in pytest/testinfra nomenclature, but a helper function will work too), and reading in the alert metadata via the YAML testinfra vars files. Won't block merge for that, since we have several pending alert test PRs (e.g. #2143, #2152).

Will need to circle back on the dev docs anyway to explain the alert testing workflow, we can handle DRY cleanup then.

@conorsch (Contributor) left a review comment:

If you want to be super thorough

I did and was. Confirmed that the new test failed on develop, but passed after reprovisioning staging machines with the code changes in this PR (via the rebuilt deb package).

@redshiftzero (Contributor, Author):

Nice, thanks for reviewing this @conorsch - I'm with you on DRYing up the alerting config tests and adding developer docs to explain that people should be writing regression tests for OSSEC rule changes (to address in a followup).

@redshiftzero redshiftzero merged commit 5d067bb into develop Aug 23, 2017
@redshiftzero redshiftzero deleted the ossec-testinfra-tests branch August 24, 2017 18:23