Add support for Amazon Linux in vulnerability detector #1473
Changes from 43 commits
@@ -43,29 +43,78 @@ | |||||||||||||
CUSTOM_NVD_VULNERABILITIES_2 = 'nvd_vulnerabilities_2.json' | ||||||||||||||
CUSTOM_MSU_JSON_FEED = 'custom_msu.json' | ||||||||||||||
CUSTOM_ARCHLINUX_JSON_FEED = 'custom_archlinux_feed.json' | ||||||||||||||
CUSTOM_ALAS_JSON_FEED = 'custom_alas_feed.json' | ||||||||||||||
CUSTOM_ALAS2_JSON_FEED = 'custom_alas2_feed.json' | ||||||||||||||
INVALID_RHEL_FEEDS_CONF = 'wazuh_invalid_redhat_feed.yaml' | ||||||||||||||
INVALID_CANONICAL_FEEDS_CONF = 'wazuh_invalid_canonical_feed.yaml' | ||||||||||||||
INVALID_ARCHLINUX_FEEDS_CONF = 'wazuh_invalid_archlinux_feed.yaml' | ||||||||||||||
INVALID_DEBIAN_FEEDS_CONF = 'wazuh_invalid_debian_feed.yaml' | ||||||||||||||
INVALID_MSU_FEEDS_CONF = 'wazuh_invalid_msu_feed.yaml' | ||||||||||||||
INVALID_ALAS_FEEDS_CONF = 'wazuh_invalid_alas_feed.yaml' | ||||||||||||||
INVALID_ALAS2_FEEDS_CONF = 'wazuh_invalid_alas2_feed.yaml' | ||||||||||||||
|
||||||||||||||
REDHAT_NUM_CUSTOM_VULNERABILITIES = 1 | ||||||||||||||
CANONICAL_NUM_CUSTOM_VULNERABILITIES = 1 | ||||||||||||||
DEBIAN_NUM_CUSTOM_VULNERABILITIES = 3 | ||||||||||||||
NVD_NUM_CUSTOM_VULNERABILITIES = 5 | ||||||||||||||
ARCH_NUM_CUSTOM_VULNERABILITIES = 50 | ||||||||||||||
ALAS_NUM_CUSTOM_VULNERABILITIES = 36 | ||||||||||||||
ALAS2_NUM_CUSTOM_VULNERABILITIES = 18 | ||||||||||||||
|
||||||||||||||
SYSTEM_DATA = { | ||||||||||||||
'RHEL8': {'target': 'RHEL8', 'os_name': 'CentOS Linux', 'os_major': '8', 'os_minor': '1', 'name': 'centos8'}, | ||||||||||||||
'BIONIC': {'target': 'BIONIC', 'os_name': 'Ubuntu', 'os_major': '18', 'os_minor': '04', 'name': 'Ubuntu-bionic'}, | ||||||||||||||
'BUSTER': {'target': 'BUSTER', 'os_name': 'Debian GNU/Linux', 'os_major': '10', 'os_minor': '0', 'name': 'debian10'}, | ||||||||||||||
'ARCH': {'target': 'ARCH', 'os_name': 'Arch Linux', 'os_major': '', 'os_minor': '', 'name': 'archlinux'} | ||||||||||||||
'WINDOWS10': {'target': 'WINDOWS10', 'os_name': 'Microsoft Windows Server 2016 Datacenter Evaluation', | ||||||||||||||
'os_major': '10', 'os_minor': '0', 'os_platform': 'windows', 'name': 'windows', 'format': 'win'}, | ||||||||||||||
'MAC': {'target': 'MAC', 'os_name': 'Mac OS X', 'os_major': '10', 'os_minor': '15', 'os_platform': 'darwin', | ||||||||||||||
'name': 'macos-catalina', 'format': 'pkg'}, | ||||||||||||||
'MACS': {'target': 'MAC', 'os_name': 'Mac OS X Server', 'os_major': '5', 'os_minor': '10', 'os_platform': 'darwin', | ||||||||||||||
"name": "macos-server", 'format': 'pkg'}, | ||||||||||||||
'ARCH': {'target': 'ARCH', 'os_name': 'Arch Linux', 'os_major': '', 'os_minor': '', 'os_platform': '', | ||||||||||||||
'name': 'archlinux', 'format': 'rpm'}, | ||||||||||||||
'ALAS': {'target': 'Amazon-Linux', 'os_name': 'Amazon Linux AMI', 'os_major': '2018', 'os_minor': '03', | ||||||||||||||
'os_platform': 'amzn', 'name': 'amazonlinux', 'format': 'rpm'}, | ||||||||||||||
'ALAS2': {'target': 'Amazon-Linux-2', 'os_name': 'Amazon Linux', 'os_major': '2', 'os_minor': '', | ||||||||||||||
'os_platform': 'amzn', 'name': 'amazonlinux2', 'format': 'rpm'}, | ||||||||||||||
'RHEL8': {'target': 'RHEL8', 'os_name': 'CentOS Linux', 'os_major': '8', 'os_minor': '1', 'os_platform': 'centos', | ||||||||||||||
'name': 'centos8', 'format': 'rpm'}, | ||||||||||||||
'RHEL7': {'target': 'RHEL7', 'os_name': 'CentOS Linux', 'os_major': '7', 'os_minor': '1', 'os_platform': 'centos', | ||||||||||||||
'name': 'centos7', 'format': 'rpm'}, | ||||||||||||||
'RHEL6': {'target': 'RHEL6', 'os_name': 'CentOS Linux', 'os_major': '6', 'os_minor': '1', 'os_platform': 'centos', | ||||||||||||||
'name': 'centos6', 'format': 'rpm'}, | ||||||||||||||
'RHEL5': {'target': 'RHEL5', 'os_name': 'CentOS Linux', 'os_major': '5', 'os_minor': '1', 'os_platform': 'centos', | ||||||||||||||
'name': 'centos5', 'format': 'rpm'}, | ||||||||||||||
'BIONIC': {'target': 'BIONIC', 'os_name': 'Ubuntu', 'os_major': '18', 'os_minor': '04', 'os_platform': 'ubuntu', | ||||||||||||||
'name': 'Ubuntu-bionic', 'format': 'deb'}, | ||||||||||||||
'XENIAL': {'target': 'XENIAL', 'os_name': 'Ubuntu', 'os_major': '16', 'os_minor': '04', 'os_platform': 'ubuntu', | ||||||||||||||
'name': 'Ubuntu-xenial', 'format': 'deb'}, | ||||||||||||||
'TRUSTY': {'target': 'TRUSTY', 'os_name': 'Ubuntu', 'os_major': '14', 'os_minor': '04', 'os_platform': 'ubuntu', | ||||||||||||||
'name': 'Ubuntu-trusty', 'format': 'deb'}, | ||||||||||||||
'BUSTER': {'target': 'BUSTER', 'os_name': 'Debian GNU/Linux', 'os_major': '10', 'os_minor': '0', | ||||||||||||||
'os_platform': 'debian', 'name': 'debian10', 'format': 'deb'}, | ||||||||||||||
'STRETCH': {'target': 'STRETCH', 'os_name': 'Debian GNU/Linux', 'os_major': '9', 'os_minor': '0', | ||||||||||||||
'os_platform': 'debian', 'name': 'debian9', 'format': 'deb'} | ||||||||||||||
} | ||||||||||||||
|
||||||||||||||
VENDOR = { | ||||||||||||||
'RHEL8': 'Red Hat, Inc.', | ||||||||||||||
'RHEL7': 'Red Hat, Inc.', | ||||||||||||||
'RHEL6': 'Red Hat, Inc.', | ||||||||||||||
'RHEL5': 'Red Hat, Inc.', | ||||||||||||||
'BIONIC': 'canonical', | ||||||||||||||
'XENIAL': 'canonical', | ||||||||||||||
'TRUSTY': 'canonical', | ||||||||||||||
'BUSTER': 'debian', | ||||||||||||||
'STRETCH': 'debian', | ||||||||||||||
'Amazon-Linux': 'Amazon.com', | ||||||||||||||
'Amazon-Linux-2': 'Amazon.com', | ||||||||||||||
'ARCH': 'Arch Linux', | ||||||||||||||
} | ||||||||||||||
|
||||||||||||||
NVD_LOG = 'National Vulnerability Database' | ||||||||||||||
REDHAT_LOG = 'Red Hat Enterprise Linux' | ||||||||||||||
BIONIC_LOG = 'Ubuntu Bionic' | ||||||||||||||
ARCH_LOG = 'Arch Linux' | ||||||||||||||
ALAS_LOG = 'Amazon Linux 1' | ||||||||||||||
ALAS2_LOG = 'Amazon Linux 2' | ||||||||||||||
BUSTER_LOG = 'Debian Buster' | ||||||||||||||
MSU_LOG = 'Microsoft Security Update' | ||||||||||||||
CUSTOM_MSU = 'custom_msu.json' | ||||||||||||||
|
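Review bot: VENDOR is keyed inconsistently in this hunk. The two new entries `'Amazon-Linux': 'Amazon.com'` and `'Amazon-Linux-2': 'Amazon.com'` use the `target` value from `SYSTEM_DATA['ALAS']` / `SYSTEM_DATA['ALAS2']`, whereas every other entry (`'RHEL8'`, `'BIONIC'`, `'ARCH'`, ...) uses the SYSTEM_DATA key, which for those systems happens to equal the target. A helper that does `VENDOR[system]` with the SYSTEM_DATA key will raise KeyError for `'ALAS'` / `'ALAS2'`, and one that indexes by target only works for the others because key and target coincide. Either key the Amazon entries as `'ALAS'` / `'ALAS2'` or add a comment stating that VENDOR is indexed by `target`. Related: `'MACS'` is declared with `'target': 'MAC'`, the same target as `'MAC'`, so a target-based lookup cannot distinguish the two systems.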
@@ -119,6 +168,7 @@ def mock_cve_db(func): | |||||||||||||
@vd.mock_cve_db | ||||||||||||||
def mock_vulnerability_scan(request, mock_agent): | ||||||||||||||
""" | ||||||||||||||
|
||||||||||||||
@functools.wraps(func) | ||||||||||||||
def magic(*args, **kwargs): | ||||||||||||||
control_service('stop', daemon='wazuh-modulesd') | ||||||||||||||
|
@@ -358,7 +408,7 @@ def insert_osinfo(agent="000", scan_id=int(time()), scan_time=datetime.datetime. | |||||||||||||
|
||||||||||||||
def insert_package(agent="000", scan_id=int(time()), format="rpm", name=DEFAULT_PACKAGE_NAME, | ||||||||||||||
priority="", section="Unspecified", size=99, vendor="wazuhintegrationtests", version="1.0.0-1.el7", | ||||||||||||||
architecture="x86_64", multiarch="", description="Wazuh Integration tests mock package", | ||||||||||||||
architecture="noarch", multiarch="", description="Wazuh Integration tests mock package", | ||||||||||||||
source="Wazuh Integration tests mock package", location="", triaged=0, | ||||||||||||||
install_time=datetime.datetime.now().strftime("%Y/%m/%d %H:%M:%S"), | ||||||||||||||
scan_time=datetime.datetime.now().strftime("%Y/%m/%d %H:%M:%S"), checksum="dummychecksum"): | ||||||||||||||
|
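Review bot: Changing the default `architecture` of `insert_package` from `"x86_64"` to `"noarch"` affects every existing test that calls it without an explicit architecture, not only the new Amazon Linux tests; a mock package that was previously matched by x86_64-qualified feed entries may now match (or stop matching) architecture-qualified entries in the RedHat, Debian and Canonical feeds, so the expected vulnerability counts for those providers should be re-verified. If `"noarch"` is only needed because the ALAS fixtures describe noarch packages, pass `architecture="noarch"` from those tests and leave the default alone. Unrelated but visible in the same context: `scan_id=int(time())`, `install_time=datetime.datetime.now()...` and `scan_time=datetime.datetime.now()...` are evaluated once at import time, so every call shares the same values unless the caller overrides them.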
@@ -671,7 +721,7 @@ def check_feed_imported_successfully(wazuh_log_monitor, log_system_name, expecte | |||||||||||||
|
||||||||||||||
|
||||||||||||||
def check_failure_when_importing_feed(wazuh_log_monitor, expected_vulnerabilities_number=0, update_position=False, | ||||||||||||||
timeout=VULN_DETECTOR_GLOBAL_TIMEOUT, parser_error=False): | ||||||||||||||
timeout=VULN_DETECTOR_EXTENDED_GLOBAL_TIMEOUT, parser_error=False): | ||||||||||||||
"""Check an error message when importing redhat OVAL feeds and checks that the vulnerabilities table is empty | ||||||||||||||
|
||||||||||||||
Args: | ||||||||||||||
|
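Review bot: Raising the default `timeout` of `check_failure_when_importing_feed` to `VULN_DETECTOR_EXTENDED_GLOBAL_TIMEOUT` applies to every provider's negative tests, not only Amazon Linux, so any test whose expected error message never appears now waits the extended time before failing. If the longer wait is needed only for the larger ALAS/ALAS2 feeds, pass the extended timeout from those tests instead of changing the default. The docstring on the following line is also stale: it still says the function checks an error "when importing redhat OVAL feeds", while this PR uses it for the ALAS JSON feeds (`INVALID_ALAS_FEEDS_CONF`, `INVALID_ALAS2_FEEDS_CONF`) as well; reword it to say it checks the error message for any provider feed and that the `vulnerabilities` table stays empty.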
@@ -727,14 +777,15 @@ def set_system(system): | |||||||||||||
pass | ||||||||||||||
|
||||||||||||||
|
||||||||||||||
def insert_data_json_feed(data, field_name, field_value, append_data): | ||||||||||||||
def insert_data_json_feed(data, field_name, field_value, append_data, brackets=True): | ||||||||||||||
"""Allow insert key:value pair as string, since otherwise, you could not insert lists or dictionaries as a key | ||||||||||||||
|
||||||||||||||
Args: | ||||||||||||||
data (dict): data dictionary | ||||||||||||||
field_name (str): field name to insert | ||||||||||||||
field_value (str): field value to insert | ||||||||||||||
append_data (dict): additional data to insert | ||||||||||||||
brackets (bool): insert data between brackets | ||||||||||||||
|
||||||||||||||
Returns: | ||||||||||||||
str: JSON string | ||||||||||||||
|
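Review bot: The new `brackets (bool): insert data between brackets` line does not say what the caller gets back, and the `Returns: str: JSON string` entry below it is wrong when `brackets=False`. Document it as `brackets (bool): wrap the result in a JSON array ([...]); when False, return a fragment meant to be spliced into an enclosing array by the caller`, and change the Returns entry to say that only the `brackets=True` output is a parseable JSON document on its own.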
@@ -747,9 +798,15 @@ def insert_data_json_feed(data, field_name, field_value, append_data): | |||||||||||||
raw_data = json.dumps(data, indent=4, ensure_ascii=False).replace('"replace_me"', f"{field_name}") | ||||||||||||||
|
||||||||||||||
if append_data: | ||||||||||||||
return f"[\n{raw_data},\n{json.dumps(append_data, indent=4, ensure_ascii=False)}\n]" | ||||||||||||||
if brackets: | ||||||||||||||
return f"[\n{raw_data},\n{json.dumps(append_data, indent=4, ensure_ascii=False)}\n]" | ||||||||||||||
else: | ||||||||||||||
return f"\n{raw_data},\n{json.dumps(append_data, indent=4, ensure_ascii=False)}\n" | ||||||||||||||
Suggested change

Done in commit ccb1aa9
||||||||||||||
else: | ||||||||||||||
return f"[\n{raw_data}]" | ||||||||||||||
if brackets: | ||||||||||||||
return f"[\n{raw_data}]" | ||||||||||||||
else: | ||||||||||||||
return f"\n{raw_data}" | ||||||||||||||
Suggested change

Done in commit ccb1aa9
||||||||||||||
|
||||||||||||||
|
||||||||||||||
def check_if_modulesd_is_running(): | ||||||||||||||
|
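Review bot: The four return branches are nearly identical and the two `brackets=False` paths are inconsistent with each other: with `append_data` the result is `f"\n{raw_data},\n{...}\n"` (leading and trailing newline), without it the result is `f"\n{raw_data}"` (no trailing newline), and neither is parseable JSON on its own. Build the body once and return from a single place, e.g. `body = f"{raw_data},\n{json.dumps(append_data, indent=4, ensure_ascii=False)}" if append_data else raw_data` followed by `return f"[\n{body}\n]" if brackets else body`. That also removes the duplicated `json.dumps(append_data, ...)` call. A test that `json.loads()` accepts the `brackets=True` output would be worthwhile, since that is what the feed parser under test will read.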
@@ -2,21 +2,21 @@ | |
|
||
Wazuh is able to detect vulnerabilities in the applications installed in agents using the `Vulnerability Detector` | ||
module. This software audit is performed through the integration of vulnerability feeds indexed by `Canonical`, | ||
`Debian`, `RedHat`, and the `National Vulnerability Database`. | ||
`Debian`, `RedHat`, `Amazon Linux` and the `National Vulnerability Database`. | ||
|
||
This directory includes all the integration tests developed to test the correct functioning of this module. | ||
|
||
These tests can be classified in these categories: | ||
|
||
- **[test_feeds](test_feeds#test-feeds)**: Tests that check the behavior of Vulnerability Detector when a feed with an | ||
unexpected content/type is imported, feeds downloads... | ||
- **[test_feeds](test_feeds/#test-feeds)**: Tests that check the behavior of Vulnerability Detector when a feed with an | ||
unexpected content/type is imported, check feeds downloads, etc. | ||
|
||
- **[test_general_settings](test_general_settings#test-general-settings)**: Tests that check basic configuration of the | ||
- **[test_general_settings](test_general_settings/#test-general-settings)**: Tests that check basic configuration of the | ||
Vulnerability Detector in the `ossec.conf`. | ||
|
||
- **[test_providers](test_providers#test-providers)**: Tests that check the providers configuration in the `ossec.conf`. | ||
- **[test_providers](test_providers/#test-providers)**: Tests that check the providers configuration in the `ossec.conf`. | ||
In the future, to be more specific in 5.0, maybe you can add something like:
If you agree, you should modify it in the new documentation created.

As we agreed in the daily, we will keep the same file name.
||
|
||
- **[test_scan_results](test_scan_results#test-scan-results)** Tests that check if Vulnerability Detector generates | ||
- **[test_scan_results](test_scan_results/#test-scan-results)** Tests that check if Vulnerability Detector generates | ||
alerts in the right cases. | ||
|
||
We can specify the set of tests that we want to launch, either individually, module, package or custom. Normally, | ||
|
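Review bot: The provider list in the first paragraph (`Debian`, `RedHat`, `Amazon Linux` and the `National Vulnerability Database`) still omits Arch Linux and Microsoft Security Update, even though the helper module in this same PR defines `CUSTOM_ARCHLINUX_JSON_FEED`, `CUSTOM_MSU_JSON_FEED`, `ARCH_LOG` and `MSU_LOG`; if those providers are exercised by these tests, list them here too. Minor: "check feeds downloads, etc." should read "check feed downloads, etc.", and the section links now end in `/#anchor` (`test_feeds/#test-feeds`) while the per-test links further down use `file.md#anchor`; pick one style.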
@@ -71,15 +71,22 @@ Detector generates the alerts from NVD feed. | |
Tests mock RedHat, Ubuntu and Debian systems, and insert custom vulnerabilities and vulnerable packages to see if | ||
Vulnerability Detector generates the alerts from NVD and providers feed. | ||
|
||
- **[test_alas_inventory_alas_feed](test_scan_results/test_alas_inventory_alas_feed.md#test-amazon-linux-inventory-alas-feed)**: | ||
Tests that mock Amazon Linux systems and insert custom vulnerabilities and vulnerable packages to check if Vulnerability | ||
Detector generates alerts from ALAS provider feed. | ||
--- | ||
|
||
### Tier 1 | ||
|
||
#### Test feeds | ||
|
||
- **[test_download_feeds](test_feeds/test_download_feed.md)**: The tests download | ||
the different feeds (Redhat, Canonical, Debian, and NVD), import them, and check if the confirmation message appears | ||
- **[test_download_feeds](test_feeds/test_download_feeds.md)**: The tests download | ||
the different feeds (Redhat, Canonical, Debian, Amazon Linux and NVD), import them, and check if the confirmation message appears | ||
in the logs. | ||
- **[test_invalid_type_custom_feeds](test_feeds/test_invalid_type_custom_feeds.md#test-invalid-type-custom-feeds)**: | ||
Tests that import files of several different types (`.mp3`, `.jpg`, `.pdf` ...) as custom feed, and check the response | ||
of Vulnerability Detector. | ||
- **[test_invalid_type_url_feeds](test_feeds/test_invalid_type_url_feeds.md)**: The tests check that when importing feed files from a bad url, vulnerability report a log parse error otherwise they are imported correctly. | ||
|
||
#### Test providers | ||
|
||
|
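Review bot: The `---` rule added directly after the new `test_alas_inventory_alas_feed` bullet has no blank line before it, unlike every other separator in this file; add the blank line so the rule is not attached to the list item. The `test_invalid_type_url_feeds` entry also needs work: it lacks the `#anchor` fragment its sibling entries carry, and the sentence "vulnerability report a log parse error otherwise they are imported correctly" should read something like "Vulnerability Detector reports a parse error in the log when a feed is fetched from a bad URL; otherwise the feeds are imported correctly". Finally, confirm that the file behind the changed link `test_feeds/test_download_feeds.md` was actually renamed, since the rename is not visible in the part of the diff shown here.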
@@ -103,10 +110,6 @@ result in `ossec.log`. | |
|
||
#### Test feeds - GENERIC | ||
|
||
- **[test_invalid_type_custom_feeds](test_feeds/test_invalid_type_custom_feeds.md#test-invalid-type-custom-feeds)**: | ||
Tests that import files of several different types (`.mp3`, `.jpg`, `.pdf` ...) as custom feed, and check the response | ||
of Vulnerability Detector. | ||
|
||
- **[test_validate_feed_content](test_feeds/test_validate_feed_content.md#test-validate-feed-content)**: | ||
Tests that download the feeds of all providers, verify the format of each feed is as expected and their content is also | ||
`XML` or `JSON` parseable. | ||
|
@@ -152,3 +155,17 @@ Set of tests that check the behavior of vulnerability detector when the value of | |
|
||
- **[test_missing_tags_debian_feed](test_feeds/debian/test_missing_tags_debian_feed.md#test-missing-tags-debian-feed)**: | ||
Set of tests that check the behavior of Vulnerability Detector when any tag is missing from the feed. | ||
|
||
#### Test feeds - AMAZON LINUX | ||
|
||
- **[test_extra_tags_alas_feed](test_feeds/alas/test_extra_tags_alas_feed.md#test-extra-tags-alas-feed)**: | ||
Set of tests that check the behavior of Vulnerability Detector when there is any extra tag in the feed. | ||
|
||
- **[test_invalid_syntax_alas_feed](test_feeds/alas/test_invalid_syntax_alas_feed.md#test-invalid-syntax-alas-feed)**: | ||
Set of tests check the behavior of Vulnerability Detector when the feed has some kind of syntactic error. | ||
|
||
- **[test_invalid_values_alas_feed](test_feeds/alas/test_invalid_values_alas_feed.md#test-invalid-values-alas-feed)**: | ||
Set of tests that check the behavior of vulnerability detector when the value of a tag is not correct. | ||
|
||
- **[test_missing_tags_alas_feed](test_feeds/alas/test_missing_tags_alas_feed.md#test-missing-tags-alas-feed)**: | ||
Set of tests that check the behavior of Vulnerability Detector when any tag is missing from the feed. |
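Review bot: The four new Amazon Linux entries are copied from the Debian block above and inherit its inconsistencies: "Set of tests check the behavior" (missing "that") in the `test_invalid_syntax_alas_feed` entry, and lowercase "vulnerability detector" in the `test_invalid_values_alas_feed` entry while the other entries capitalize it. More substantively, the helper module in this PR adds both `CUSTOM_ALAS_JSON_FEED` / `INVALID_ALAS_FEEDS_CONF` and `CUSTOM_ALAS2_JSON_FEED` / `INVALID_ALAS2_FEEDS_CONF`, but these descriptions do not say whether each test exercises Amazon Linux 1, Amazon Linux 2 or both; say so, since the two feeds differ (36 vs 18 custom vulnerabilities) and the reader needs to know what is covered.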
@@ -0,0 +1,63 @@ | ||
# Test extra tags Amazon Linux feed | ||
|
||
Set of tests that are based on checking the behavior of Vulnerability Detector when there is an extra tag in the feed. | ||
|
||
## General info | ||
|
||
|Tier | Number of tests | Time spent| Test file | | ||
|:--:|:--:|:--:|:--:| | ||
| 2 | 244 | 0:46:20 | test_extra_tags_alas_feed.py | | ||
|
||
## Test logic | ||
|
||
For each of the following values a new label `<x>y</x>` will be created. | ||
|
||
``` | ||
[[1, 2, 3], {"a": 1, "b": 2}, "extra_tag", 12345, "ñ", "テスト", "ИСПЫТАНИЕ", "测试", "اختبار", " ", ""] | ||
``` | ||
|
||
For instance: | ||
|
||
``` | ||
<[1, 2, 3]>[1, 2, 3]</[1, 2, 3]>, <[1, 2, 3]>{"a": 1, "b": 2}</[1, 2, 3]>, ... | ||
``` | ||
|
||
## Tests | ||
|
||
- `test_no_feed_changes`: Check the original feed is successfully imported. | ||
- `test_extra_tags_alas_feed`: Check if the feeds are successfully imported when they contain new extra labels. | ||
|
||
## Checks | ||
|
||
- [x] Feed is imported successfully with the original feed. | ||
- [x] Vulnerabilities are inserted into the `vulnerabilities` database. | ||
- [x] Action status message displayed in `ossec.log`. | ||
- [x] `wazuh-modulesd` is still running once the test has finished (it didn't crash). | ||
|
||
## Observed behavior | ||
|
||
The feed will be successfully imported if: | ||
|
||
- The original feed is successfully imported. | ||
- The modified feed contains valid tags. Those tags are not empty and the type of inserted tag is `string`. | ||
|
||
For other cases, the feed will not be imported. | ||
|
||
## Execution result | ||
|
||
``` | ||
=============================================================== test session starts ================================================================ | ||
platform linux -- Python 3.7.3, pytest-6.2.3, py-1.10.0, pluggy-0.13.1 | ||
OS: CentOS 8, CPU: 2, memory: 2048 | ||
collected 244 items | ||
|
||
tests/integration/test_vulnerability_detector/test_feeds/alas/test_extra_tags_alas_feed.py ................................................. [ 20%] | ||
............................................................................................................................................ [ 77%] | ||
....................................................... [100%] | ||
|
||
========================================================= 244 passed in 2780.03s (0:46:20) ========================================================= | ||
``` | ||
|
||
## Code documentation | ||
|
||
::: tests.integration.test_vulnerability_detector.test_feeds.alas.test_extra_tags_alas_feed |
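Review bot: The "Test logic" section describes an XML feed (`<x>y</x>` labels, `<[1, 2, 3]>[1, 2, 3]</[1, 2, 3]>`), but the ALAS feed is JSON (`CUSTOM_ALAS_JSON_FEED = 'custom_alas_feed.json'`, built with the `insert_data_json_feed` helper in this PR), so an extra "tag" here is an extra key/value pair and the example should show that form, e.g. `"[1, 2, 3]": [1, 2, 3]`. The example is also internally inconsistent: `<[1, 2, 3]>{"a": 1, "b": 2}</[1, 2, 3]>` uses the first value as the name and the second as the content, which contradicts "for each of the following values a new label `<x>y</x>`". It would help to state where in the feed the pair is inserted and which feeds (ALAS, ALAS2) are used, since the 11 values alone do not account for the 244 collected tests; and the "Observed behavior" claim that only non-empty `string` tags import should be made explicit per value (e.g. `12345`, `" "`, `""`) so the expected outcome of each case is clear.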
Done in commit db25b81