Modify API to get HIPAA and NIST 800 53 rule groups #386

Closed
3 tasks done
crd1985 opened this issue May 15, 2019 · 5 comments

Comments

@crd1985
Contributor

crd1985 commented May 15, 2019

This issue requires the following issues to be closed in order to work:

Currently, there are a few endpoints used to list groups from several compliance standards:

  • GET /rules/gdpr
  • GET /rules/pci

To be consistent with the above, new endpoints should be added:

  • GET /rules/nist-800-53
  • GET /rules/hipaa

In addition, the following endpoints should be prepared to filter by nist-800-53 and hipaa according to the new response:

{
   "error": 0,
   "data": {
      "items": [
         {
            "file": "0020-syslog_rules.xml",
            "path": "ruleset/rules",
            "id": 1002,
            "level": 2,
            "description": "Unknown problem somewhere in the system.",
            "status": "enabled",
            "groups": [
               "gpg13_4.3",
               "syslog",
               "errors"
            ],
            "pci": [],
            "gdpr": [],
            "hipaa": [],
            "nist-800-53": [],
            "details": {
               "match": "core_dumped|failure|error|attack| bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted"
            }
         }
      ],
      "totalItems": 1
   }
}

Subtasks:

  • Review if there is further impact regarding API design
  • Adapt framework
  • Adapt API
@davidjiglesias
Member

davidjiglesias commented May 17, 2019

Status update

Summary

Today I have completed a draft implementation of the changes required to add new endpoints GET /rules/nist-800-53 and GET /rules/hipaa together with the new filters available for GET /rules.

Tasks

  • [0.25h] Review if there is further impact regarding API design. The implementation of these endpoints and the filters does not have any impact on the rest of the API.
  • [1h] Adapt API. Added changes to rules.js to include endpoints GET /rules/hipaa and GET /rules/nist-800-53. Also updated CHANGELOG.md to account for implemented changes in wazuh-api. Changes to wazuh-api committed in wazuh/wazuh-api branch dev-386-HIPAA-NIST
  • [0.75h] Adapt framework. Updated rule.py framework script to add get_hipaa and get_nist_800_53 to achieve the functionality of the mentioned added endpoints. Also updated requests_lists.py to add new request handling. Changes to wazuh framework in wazuh/wazuh branch dev-wazuh-api-386-HIPAA-NIST

Difficulties

Updating GET /rules with the new filters hipaa and nist-800-53 posed a minor challenge as to how to access the nist-800-53 parameter with Node.js req.query. Parameters using a - in the name cannot be accessed directly with a getter but require accessing the query array directly using the string name for the parameter.

Tests performed

Mocha tests are on hold until actual hipaa and nist-800-53 rules requirements are implemented.

Pending

Mocha test

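The hyphenated-parameter problem described in the status update above, shown as an added example in plain JavaScript. This is not wazuh-api code: it models a GET /rules handler with a query string parsed by the WHATWG URL API into a plain object (Express builds req.query the same way for flat parameters), sample rules constructed from the records quoted in this issue, and an allow-list of filter names plus rejection of unknown filters that are this example's own choices.

```javascript
// Added example (not wazuh-api code): reading a hyphenated filter such as
// nist-800-53 from a req.query-style object, and validating filter names
// before they reach the rule lookup.

// Filters GET /rules is expected to understand (assumed allow-list).
const ALLOWED_FILTERS = new Set([
  'status', 'group', 'level', 'path', 'file', 'pci', 'gdpr', 'hipaa', 'nist-800-53',
]);
// Parameters that shape the output rather than select rules.
const CONTROL_PARAMS = new Set(['pretty', 'limit', 'offset', 'sort', 'search']);
// Compliance fields are arrays; a filter matches when the array contains the value.
const ARRAY_FIELDS = new Set(['pci', 'gdpr', 'hipaa', 'nist-800-53']);

// Constructed sample rules, mirroring the two records shown in this issue.
const SAMPLE_RULES = [
  { file: 'local_rules.xml', path: 'etc/rules', id: 100001, level: 5, status: 'enabled',
    groups: ['authentication_failed', 'local', 'syslog', 'sshd'],
    pci: ['10.2.4', '10.2.5'], gdpr: [], hipaa: ['164.312.b'], 'nist-800-53': ['AU.3', 'IA.10'] },
  { file: '0020-syslog_rules.xml', path: 'ruleset/rules', id: 1002, level: 2, status: 'enabled',
    groups: ['gpg13_4.3', 'syslog', 'errors'],
    pci: [], gdpr: [], hipaa: [], 'nist-800-53': [] },
];

// Turn "/rules?nist-800-53=AU.3&pretty" into { 'nist-800-53': 'AU.3', pretty: '' }.
function parseQuery(urlPath) {
  const query = {};
  for (const [name, value] of new URL(urlPath, 'http://localhost').searchParams) {
    query[name] = value;
  }
  return query;
}

// What the JavaScript parser makes of `query.nist-800-53`: the property `nist`
// minus 800 minus 53. With no `nist` property that is undefined - 853, i.e. NaN,
// which is why the getter form silently fails and bracket access is needed.
function dotAccessIsSubtraction(query) {
  return query.nist-800-53;
}

// Split a query object into recognised filters and unknown parameter names.
function extractFilters(query) {
  const filters = {};
  const unknown = [];
  for (const name of Object.keys(query)) {
    if (CONTROL_PARAMS.has(name)) continue;
    if (!ALLOWED_FILTERS.has(name)) { unknown.push(name); continue; }
    filters[name] = query[name]; // bracket access works for any parameter name
  }
  return { filters, unknown };
}

function ruleMatches(rule, filters) {
  return Object.entries(filters).every(([name, value]) => {
    if (ARRAY_FIELDS.has(name)) return rule[name].includes(value);
    if (name === 'group') return rule.groups.includes(value);
    return String(rule[name]) === value;
  });
}

// Model of the endpoint: unknown filters are rejected rather than ignored, so a
// misspelt parameter cannot quietly return the unfiltered rule set; the result
// uses the { error, data: { items, totalItems } } shape shown on this page.
function getRules(rules, query) {
  const { filters, unknown } = extractFilters(query);
  if (unknown.length > 0) {
    throw new Error(`Invalid filter: ${unknown.join(', ')}`);
  }
  const items = rules.filter((rule) => ruleMatches(rule, filters));
  return { error: 0, data: { items, totalItems: items.length } };
}
```

Rejecting unknown filter names is the behaviour the "Filters: Invalid filter" Mocha cases later in this thread exercise; treating an unrecognised parameter as "no filter" would hand back every rule, which is the opposite of what a caller asking for a specific compliance group expects.
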
@davidjiglesias
Member

Status update

Summary

Today I have completed a full implementation of the changes required to add new endpoints GET /rules/nist-800-53 and GET /rules/hipaa together with the new filters available for GET /rules.

Tasks

  • [0.75h] Adapt API.
  • [0.75h] Adapt framework.

Difficulties

Tests performed

Added HIPAA and NIST_800_53 groups to local_rules.xml according to pci mappings:

<group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,hipaa_164.312.b,nist_800_53_AU.3,nist_800_53_IA.10</group>
  • GET /rules/hipaa
root@0a91103484c4:/# curl -u foo:bar "http://localhost:55000/rules/hipaa?pretty"
{
   "error": 0,
   "data": {
      "items": [
         "164.312.b"
      ],
      "totalItems": 1
   }
}
  • GET /rules/nist-800-53
root@0a91103484c4:/# curl -u foo:bar "http://localhost:55000/rules/nist-800-53?pretty"
{
   "error": 0,
   "data": {
      "items": [
         "AU.3",
         "IA.10"
      ],
      "totalItems": 2
   }
}

Filters:

  • GET /rules?hipaa
root@0a91103484c4:/# curl -u foo:bar "http://localhost:55000/rules?hipaa=164.312.b&pretty"
{
   "error": 0,
   "data": {
      "items": [
         {
            "file": "local_rules.xml",
            "path": "etc/rules",
            "id": 100001,
            "description": "sshd: authentication failed from IP 1.1.1.1.",
            "level": 5,
            "status": "enabled",
            "groups": [
               "authentication_failed",
               "local",
               "syslog",
               "sshd"
            ],
            "pci": [
               "10.2.4",
               "10.2.5"
            ],
            "gdpr": [],
            "hipaa": [
               "164.312.b"
            ],
            "nist-800-53": [
               "AU.3",
               "IA.10"
            ],
            "details": {
               "if_sid": "5716",
               "srcip": "1.1.1.1"
            }
         }
      ],
      "totalItems": 1
   }
}
  • GET /rules?nist-800-53
root@0a91103484c4:/# curl -u foo:bar "http://localhost:55000/rules?nist-800-53=AU.3&pretty"
{
   "error": 0,
   "data": {
      "items": [
         {
            "file": "local_rules.xml",
            "path": "etc/rules",
            "id": 100001,
            "description": "sshd: authentication failed from IP 1.1.1.1.",
            "level": 5,
            "status": "enabled",
            "groups": [
               "authentication_failed",
               "local",
               "syslog",
               "sshd"
            ],
            "pci": [
               "10.2.4",
               "10.2.5"
            ],
            "gdpr": [],
            "hipaa": [
               "164.312.b"
            ],
            "nist-800-53": [
               "AU.3",
               "IA.10"
            ],
            "details": {
               "if_sid": "5716",
               "srcip": "1.1.1.1"
            }
         }
      ],
      "totalItems": 1
   }
}

Pending

Mocha test

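The local_rules.xml group line tested above shows how compliance mappings are carried: as prefixed entries inside the rule's comma-separated group list. The following added example in JavaScript (not the Wazuh framework's own Python implementation) splits such a line into the plain groups and per-standard arrays that the API responses on this page show, and derives the distinct-value listings behind GET /rules/hipaa and GET /rules/nist-800-53. The prefix table, the inherited-group handling and the sample rules are this example's assumptions, modelled on the records quoted in this issue; the gpg13 prefix is handled the same way, as the later test output on this page shows.

```javascript
// Added example (not Wazuh framework code): splitting a <group> value into the
// groups / pci / gdpr / hipaa / nist-800-53 / gpg13 fields, and listing the
// distinct values of one field across all rules.

// Prefix inside the <group> tag -> field name in the API rule record (assumed).
const COMPLIANCE_PREFIXES = [
  ['pci_dss_', 'pci'],
  ['gdpr_', 'gdpr'],
  ['hipaa_', 'hipaa'],
  ['nist_800_53_', 'nist-800-53'],
  ['gpg13_', 'gpg13'],
];

// Parse one <group> value. Groups inherited from the enclosing <group> element
// of the rules file are appended after the rule's own groups, which is the order
// the GET /rules?hipaa=164.312.b response on this page shows.
function parseGroups(groupTag, inheritedGroups = []) {
  const record = { groups: [], pci: [], gdpr: [], hipaa: [], 'nist-800-53': [], gpg13: [] };
  const own = [];
  for (const raw of groupTag.split(',')) {
    const token = raw.trim();
    if (token === '') continue;
    const hit = COMPLIANCE_PREFIXES.find(([prefix]) => token.startsWith(prefix));
    if (hit) {
      const [prefix, field] = hit;
      record[field].push(token.slice(prefix.length)); // keep only the requirement id
    } else {
      own.push(token);
    }
  }
  record.groups = own.concat(inheritedGroups);
  return record;
}

// Distinct values of one compliance field across all rules, in the
// { error, data: { items, totalItems } } shape. Sorting is plain string order,
// which is why "AC.12" precedes "AC.2" in the page's nist-800-53 listing.
function listCompliance(rules, field) {
  const items = [...new Set(rules.flatMap((rule) => rule[field]))].sort();
  return { error: 0, data: { items, totalItems: items.length } };
}

// Constructed sample: the local rule tested above, plus two ruleset rules whose
// <group> lines are reconstructed here from the records quoted later on the page.
const RULES = [
  { id: 100001, ...parseGroups(
    'authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,hipaa_164.312.b,nist_800_53_AU.3,nist_800_53_IA.10',
    ['local', 'syslog', 'sshd']) },
  { id: 3903, ...parseGroups(
    'pci_dss_8.1.5,hipaa_164.312.a.1,nist_800_53_AC.2,gpg13_7.1',
    ['syslog', 'courier']) },
  { id: 9706, ...parseGroups(
    'pci_dss_10.2.5,pci_dss_8.1.5,pci_dss_8.1.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,'
    + 'hipaa_164.312.a.1,hipaa_164.312.a.2.III,nist_800_53_AU.3.1,nist_800_53_IA.10,'
    + 'nist_800_53_AC.2,nist_800_53_AC.12,gpg13_7.1',
    ['dovecot']) },
];
```

With only the local rule loaded, listCompliance(RULES.slice(0, 1), 'nist-800-53') yields the two-item response shown in the curl output above; once the full ruleset is present the same function produces the longer, string-sorted listings that appear in the final status update.
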
@davidjiglesias
Member

Updated and ran unit tests:

==================================== test session starts =====================================
platform linux -- Python 3.7.2, pytest-4.5.0, py-1.8.0, pluggy-0.12.0 -- /var/ossec/framework/python/bin/python3.7
cachedir: .pytest_cache
rootdir: /var/ossec/framework/python
plugins: cov-2.7.1
collected 42 items                                                                           

../lib/python3.7/site-packages/wazuh-3.9.1-py3.7.egg/wazuh/tests/test_rules.py::test_get_rules_file_status[None-get_rules_files] PASSED [  2%]
../lib/python3.7/site-packages/wazuh-3.9.1-py3.7.egg/wazuh/tests/test_rules.py::test_get_rules_file_status[None-get_rules] PASSED [  4%]
../lib/python3.7/site-packages/wazuh-3.9.1-py3.7.egg/wazuh/tests/test_rules.py::test_get_rules_file_status[all-get_rules_files] PASSED [  7%]
../lib/python3.7/site-packages/wazuh-3.9.1-py3.7.egg/wazuh/tests/test_rules.py::test_get_rules_file_status[all-get_rules] PASSED [  9%]
../lib/python3.7/site-packages/wazuh-3.9.1-py3.7.egg/wazuh/tests/test_rules.py::test_get_rules_file_status[enabled-get_rules_files] PASSED [ 11%]
../lib/python3.7/site-packages/wazuh-3.9.1-py3.7.egg/wazuh/tests/test_rules.py::test_get_rules_file_status[enabled-get_rules] PASSED [ 14%]
../lib/python3.7/site-packages/wazuh-3.9.1-py3.7.egg/wazuh/tests/test_rules.py::test_get_rules_file_status[disabled-get_rules_files] PASSED [ 16%]
../lib/python3.7/site-packages/wazuh-3.9.1-py3.7.egg/wazuh/tests/test_rules.py::test_get_rules_file_status[disabled-get_rules] PASSED [ 19%]
../lib/python3.7/site-packages/wazuh-3.9.1-py3.7.egg/wazuh/tests/test_rules.py::test_get_rules_file_status[random-get_rules_files] PASSED [ 21%]
../lib/python3.7/site-packages/wazuh-3.9.1-py3.7.egg/wazuh/tests/test_rules.py::test_get_rules_file_status[random-get_rules] PASSED [ 23%]
../lib/python3.7/site-packages/wazuh-3.9.1-py3.7.egg/wazuh/tests/test_rules.py::test_get_rules_file_path[None-get_rules_files] PASSED [ 26%]
../lib/python3.7/site-packages/wazuh-3.9.1-py3.7.egg/wazuh/tests/test_rules.py::test_get_rules_file_path[None-get_rules] PASSED [ 28%]
../lib/python3.7/site-packages/wazuh-3.9.1-py3.7.egg/wazuh/tests/test_rules.py::test_get_rules_file_path[ruleset/rules-get_rules_files] PASSED [ 30%]
../lib/python3.7/site-packages/wazuh-3.9.1-py3.7.egg/wazuh/tests/test_rules.py::test_get_rules_file_path[ruleset/rules-get_rules] PASSED [ 33%]
../lib/python3.7/site-packages/wazuh-3.9.1-py3.7.egg/wazuh/tests/test_rules.py::test_get_rules_file_path[random-get_rules_files] PASSED [ 35%]
../lib/python3.7/site-packages/wazuh-3.9.1-py3.7.egg/wazuh/tests/test_rules.py::test_get_rules_file_path[random-get_rules] PASSED [ 38%]
../lib/python3.7/site-packages/wazuh-3.9.1-py3.7.egg/wazuh/tests/test_rules.py::test_get_rules_file_pagination[0-0-get_rules_files] PASSED [ 40%]
../lib/python3.7/site-packages/wazuh-3.9.1-py3.7.egg/wazuh/tests/test_rules.py::test_get_rules_file_pagination[0-0-get_rules] PASSED [ 42%]
../lib/python3.7/site-packages/wazuh-3.9.1-py3.7.egg/wazuh/tests/test_rules.py::test_get_rules_file_pagination[0-1-get_rules_files] PASSED [ 45%]
../lib/python3.7/site-packages/wazuh-3.9.1-py3.7.egg/wazuh/tests/test_rules.py::test_get_rules_file_pagination[0-1-get_rules] PASSED [ 47%]
../lib/python3.7/site-packages/wazuh-3.9.1-py3.7.egg/wazuh/tests/test_rules.py::test_get_rules_file_pagination[0-500-get_rules_files] PASSED [ 50%]
../lib/python3.7/site-packages/wazuh-3.9.1-py3.7.egg/wazuh/tests/test_rules.py::test_get_rules_file_pagination[0-500-get_rules] PASSED [ 52%]
../lib/python3.7/site-packages/wazuh-3.9.1-py3.7.egg/wazuh/tests/test_rules.py::test_get_rules_file_pagination[1-500-get_rules_files] PASSED [ 54%]
../lib/python3.7/site-packages/wazuh-3.9.1-py3.7.egg/wazuh/tests/test_rules.py::test_get_rules_file_pagination[1-500-get_rules] PASSED [ 57%]
../lib/python3.7/site-packages/wazuh-3.9.1-py3.7.egg/wazuh/tests/test_rules.py::test_get_rules_file_pagination[2-500-get_rules_files] PASSED [ 59%]
../lib/python3.7/site-packages/wazuh-3.9.1-py3.7.egg/wazuh/tests/test_rules.py::test_get_rules_file_pagination[2-500-get_rules] PASSED [ 61%]
../lib/python3.7/site-packages/wazuh-3.9.1-py3.7.egg/wazuh/tests/test_rules.py::test_get_rules_file_pagination[3-500-get_rules_files] PASSED [ 64%]
../lib/python3.7/site-packages/wazuh-3.9.1-py3.7.egg/wazuh/tests/test_rules.py::test_get_rules_file_pagination[3-500-get_rules] PASSED [ 66%]
../lib/python3.7/site-packages/wazuh-3.9.1-py3.7.egg/wazuh/tests/test_rules.py::test_get_rules_file_sort[None-get_rules_files] PASSED [ 69%]
../lib/python3.7/site-packages/wazuh-3.9.1-py3.7.egg/wazuh/tests/test_rules.py::test_get_rules_file_sort[None-get_rules] PASSED [ 71%]
../lib/python3.7/site-packages/wazuh-3.9.1-py3.7.egg/wazuh/tests/test_rules.py::test_get_rules_file_sort[sort1-get_rules_files] PASSED [ 73%]
../lib/python3.7/site-packages/wazuh-3.9.1-py3.7.egg/wazuh/tests/test_rules.py::test_get_rules_file_sort[sort1-get_rules] PASSED [ 76%]
../lib/python3.7/site-packages/wazuh-3.9.1-py3.7.egg/wazuh/tests/test_rules.py::test_get_rules_file_sort[sort2-get_rules_files] PASSED [ 78%]
../lib/python3.7/site-packages/wazuh-3.9.1-py3.7.egg/wazuh/tests/test_rules.py::test_get_rules_file_sort[sort2-get_rules] PASSED [ 80%]
../lib/python3.7/site-packages/wazuh-3.9.1-py3.7.egg/wazuh/tests/test_rules.py::test_get_rules_file_search[None-get_rules_files] PASSED [ 83%]
../lib/python3.7/site-packages/wazuh-3.9.1-py3.7.egg/wazuh/tests/test_rules.py::test_get_rules_file_search[None-get_rules] PASSED [ 85%]
../lib/python3.7/site-packages/wazuh-3.9.1-py3.7.egg/wazuh/tests/test_rules.py::test_get_rules_file_search[search1-get_rules_files] PASSED [ 88%]
../lib/python3.7/site-packages/wazuh-3.9.1-py3.7.egg/wazuh/tests/test_rules.py::test_get_rules_file_search[search1-get_rules] PASSED [ 90%]
../lib/python3.7/site-packages/wazuh-3.9.1-py3.7.egg/wazuh/tests/test_rules.py::test_get_rules_file_search[search2-get_rules_files] PASSED [ 92%]
../lib/python3.7/site-packages/wazuh-3.9.1-py3.7.egg/wazuh/tests/test_rules.py::test_get_rules_file_search[search2-get_rules] PASSED [ 95%]
../lib/python3.7/site-packages/wazuh-3.9.1-py3.7.egg/wazuh/tests/test_rules.py::test_get_hipaa PASSED [ 97%]
../lib/python3.7/site-packages/wazuh-3.9.1-py3.7.egg/wazuh/tests/test_rules.py::test_get_nist_800_53 PASSED [100%]

================================= 42 passed in 0.28 seconds ==================================

@davidjiglesias
Member

davidjiglesias commented May 29, 2019

Mocha integration tests:

  Rules
    GET/rules
       Request (278ms)
       Pagination (266ms)
       Retrieve all elements with limit=0 (259ms)
       Sort (269ms)
       Search (357ms)
       Filters: Invalid filter
       Filters: Invalid filter - Extra field
       Filters: status (266ms)
       Filters: group (292ms)
       Filters: level (1) (271ms)
       Filters: level (2) (374ms)
       Filters: path (277ms)
       Filters: file (265ms)
       Filters: pci (337ms)
       Filters: gdpr (265ms)
       Filters: hipaa (256ms)
       Filters: nist-800-53 (255ms)
    GET/rules/groups
       Request (259ms)
       Pagination (258ms)
       Retrieve all elements with limit=0 (260ms)
       Sort (257ms)
       Search (259ms)
       Filters: Invalid filter
    GET/rules/pci
       Request (259ms)
       Pagination (260ms)
       Retrieve all elements with limit=0 (259ms)
       Sort (258ms)
       Search (259ms)
       Filters: Invalid filter
    GET/rules/gdpr
       Request (260ms)
       Pagination (262ms)
       Retrieve all elements with limit=0 (259ms)
       Sort (259ms)
       Search (259ms)
       Filters: Invalid filter
    GET/rules/hipaa
       Request (260ms)
       Pagination (259ms)
       Retrieve all elements with limit=0 (258ms)
       Sort (263ms)
       Search (260ms)
       Filters: Invalid filter
    GET/rules/nist-800-53
       Request (263ms)
       Pagination (261ms)
       Retrieve all elements with limit=0 (262ms)
       Sort (269ms)
       Search (260ms)
       Filters: Invalid filter
    GET/rules/files
       Request (164ms)
       Pagination (165ms)
       Retrieve all elements with limit=0 (166ms)
       Sort (164ms)
       Search (165ms)
       Filters: Invalid filter
       Filters: Invalid filter - Extra field
       Filters: status (165ms)
       Filters: download (164ms)
    GET/rules/:rule_id
       Request (256ms)
       Pagination (255ms)
       Retrieve all elements with limit=0 (256ms)
       Sort (257ms)
       Search (259ms)
       Filters: Invalid filter
       Params: Bad rule id
       Params: No rule (254ms)


  64 passing (14s)

@davidjiglesias
Member

Status update

Summary

Hi team, I have done further testing on the new HIPAA and NIST-800-53 endpoints and rules filters now that the ruleset has been updated to support HIPAA and NIST-800-53.

Tasks

  • Update ruleset to 3.10 and test new rules endpoints
  • Run mocha tests

Difficulties

Tests performed

  • GET /rules/hipaa
root@fb66da1b7193:/# curl -u foo:bar "http://localhost:55000/rules/hipaa?pretty"
{
   "error": 0,
   "data": {
      "items": [
         "164.312.a.1",
         "164.312.a.2.I",
         "164.312.a.2.II",
         "164.312.a.2.III",
         "164.312.a.2.IV",
         "164.312.b",
         "164.312.c.1",
         "164.312.c.2",
         "164.312.d",
         "164.312.e.1",
         "164.312.e.2.I",
         "164.312.e.2.II"
      ],
      "totalItems": 12
   }
}
  • GET /rules/nist-800-53
root@fb66da1b7193:/# curl -u foo:bar "http://localhost:55000/rules/nist-800-53?pretty"
{
   "error": 0,
   "data": {
      "items": [
         "AC.12",
         "AC.2",
         "AC.7",
         "AU.1",
         "AU.3.1",
         "AU.6",
         "AU.8",
         "AU.9",
         "CA.3",
         "CM.1",
         "CM.3",
         "IA.10",
         "IA.4",
         "IA.5",
         "MA.2",
         "SA.11",
         "SC.2",
         "SC.7",
         "SC.8",
         "SI.10",
         "SI.11",
         "SI.15",
         "SI.16",
         "SI.5",
         "SI.7"
      ],
      "totalItems": 25
   }
}
  • Filters
    • GET /rules?hipaa=164.312.a.1
root@fb66da1b7193:/# curl -u foo:bar "http://localhost:55000/rules?hipaa=164.312.a.1&pretty&limit=1"
{
   "error": 0,
   "data": {
      "items": [
         {
            "file": "0055-courier_rules.xml",
            "path": "ruleset/rules",
            "id": 3903,
            "description": "Courier logout/timeout.",
            "level": 0,
            "status": "enabled",
            "groups": [
               "syslog",
               "courier"
            ],
            "pci": [
               "8.1.5"
            ],
            "gdpr": [],
            "hipaa": [
               "164.312.a.1"
            ],
            "nist-800-53": [
               "AC.2"
            ],
            "gpg13": [
               "7.1"
            ],
            "details": {
               "if_sid": "3900",
               "match": "^LOGOUT,|^DISCONNECTED"
            }
         }
      ],
      "totalItems": 58
   }
}
  • Filters
    • GET /rules?nist-800-53=AC.12
root@fb66da1b7193:/# curl -u foo:bar "http://localhost:55000/rules?nist-800-53=AC.12&pretty&limit=1"
{
   "error": 0,
   "data": {
      "items": [
         {
            "file": "0155-dovecot_rules.xml",
            "path": "ruleset/rules",
            "id": 9706,
            "description": "Dovecot Session Disconnected.",
            "level": 3,
            "status": "enabled",
            "groups": [
               "dovecot"
            ],
            "pci": [
               "10.2.5",
               "8.1.5",
               "8.1.8"
            ],
            "gdpr": [
               "IV_35.7.d",
               "IV_32.2"
            ],
            "hipaa": [
               "164.312.b",
               "164.312.a.1",
               "164.312.a.2.III"
            ],
            "nist-800-53": [
               "AU.3.1",
               "IA.10",
               "AC.2",
               "AC.12"
            ],
            "gpg13": [
               "7.1"
            ],
            "details": {
               "if_sid": "9700",
               "match": ": Disconnected: "
            }
         }
      ],
      "totalItems": 1
   }
}
  • Mocha tests results:
Rules
    GET/rules
      ✓ Request (285ms)
      ✓ Pagination (271ms)
      ✓ Retrieve all elements with limit=0 (268ms)
      ✓ Sort (276ms)
      ✓ Search (363ms)
      ✓ Filters: Invalid filter
      ✓ Filters: Invalid filter - Extra field
      ✓ Filters: status (274ms)
      ✓ Filters: group (295ms)
      ✓ Filters: level (1) (279ms)
      ✓ Filters: level (2) (375ms)
      ✓ Filters: path (276ms)
      ✓ Filters: file (276ms)
      ✓ Filters: pci (345ms)
      ✓ Filters: gdpr (268ms)
      ✓ Filters: hipaa (442ms)
      ✓ Filters: nist-800-53 (262ms)
      ✓ Filters: gpg13 (277ms)
    GET/rules/groups
      ✓ Request (269ms)
      ✓ Pagination (264ms)
      ✓ Retrieve all elements with limit=0 (264ms)
      ✓ Sort (268ms)
      ✓ Search (271ms)
      ✓ Filters: Invalid filter
    GET/rules/pci
      ✓ Request (266ms)
      ✓ Pagination (267ms)
      ✓ Retrieve all elements with limit=0 (268ms)
      ✓ Sort (268ms)
      ✓ Search (271ms)
      ✓ Filters: Invalid filter
    GET/rules/gdpr
      ✓ Request (267ms)
      ✓ Pagination (269ms)
      ✓ Retrieve all elements with limit=0 (270ms)
      ✓ Sort (267ms)
      ✓ Search (272ms)
      ✓ Filters: Invalid filter
    GET/rules/gpg13
      ✓ Request (267ms)
      ✓ Pagination (267ms)
      ✓ Retrieve all elements with limit=0 (267ms)
      ✓ Sort (268ms)
      ✓ Search (269ms)
      ✓ Filters: Invalid filter
    GET/rules/hipaa
      ✓ Request (265ms)
      ✓ Pagination (267ms)
      ✓ Retrieve all elements with limit=0 (267ms)
      ✓ Sort (268ms)
      ✓ Search (269ms)
      ✓ Filters: Invalid filter
    GET/rules/nist-800-53
      ✓ Request (269ms)
      ✓ Pagination (268ms)
      ✓ Retrieve all elements with limit=0 (267ms)
      ✓ Sort (267ms)
      ✓ Search (266ms)
      ✓ Filters: Invalid filter
    GET/rules/files
      ✓ Request (164ms)
      ✓ Pagination (160ms)
      ✓ Retrieve all elements with limit=0 (164ms)
      ✓ Sort (161ms)
      ✓ Search (164ms)
      ✓ Filters: Invalid filter
      ✓ Filters: Invalid filter - Extra field
      ✓ Filters: status (165ms)
      ✓ Filters: download (163ms)
    GET/rules/:rule_id
      ✓ Request (263ms)
      ✓ Pagination (262ms)
      ✓ Retrieve all elements with limit=0 (264ms)
      ✓ Sort (266ms)
      ✓ Search (265ms)
      ✓ Filters: Invalid filter
      ✓ Params: Bad rule id
      ✓ Params: No rule (261ms)


  71 passing (16s)

Pending
