From 2b9f95114ba941d555319f46e8f3690c210c2775 Mon Sep 17 00:00:00 2001
From: Gayane Osipyan
Date: Wed, 16 Oct 2024 10:25:34 +0200
Subject: [PATCH] Add client event tests

---
 .../velociraptor_client_event_collect.pm | 208 +++++++++++++-----
 1 file changed, 149 insertions(+), 59 deletions(-)

diff --git a/tests/console/velociraptor_client_event_collect.pm b/tests/console/velociraptor_client_event_collect.pm
index 8a623496d5d2..88b1f5d47a95 100644
--- a/tests/console/velociraptor_client_event_collect.pm
+++ b/tests/console/velociraptor_client_event_collect.pm
@@ -25,19 +25,22 @@ sub run {
 # get os version
 my ($version, $sp, $host_distri) = get_os_release;
 my $sp_version = "$version.$sp";
- # install necessary packages
- zypper_call("ar -f --no-gpgcheck http://download.suse.de/ibs/SUSE:/Factory:/Head/standard/ yq");
- zypper_call "in yq";
+
+ # add repository
+ zypper_call("ar -f --no-gpgcheck http://download.suse.de/ibs/SUSE:/Factory:/Head/standard/ factory",priority => 100);
 if (is_sle) {
 if (is_sle('=15-SP6') || $sp_version == '15.6') {
- zypper_call("ar -f --no-gpgcheck http://download.suse.de/ibs/SUSE:/Velociraptor/SLE_15_SP6/ sensor");
+ zypper_call("ar -f --no-gpgcheck https://download.opensuse.org/repositories/home:/doreilly:/branches:/security:/sensor/15.6/ sensor");
 }
 elsif (is_sle('=15-SP5') || $sp_version == '15.5') {
- zypper_call("ar -f --no-gpgcheck http://download.suse.de/ibs/SUSE:/Velociraptor/SLE_15_SP5/ sensor");
+ zypper_call("ar -f --no-gpgcheck https://download.opensuse.org/repositories/home:/doreilly:/branches:/security:/sensor/15.5/ sensor");
 }
 elsif (is_sle('=15-SP4') || $sp_version == '15.4') {
- zypper_call("ar -f --no-gpgcheck http://download.suse.de/ibs/SUSE:/Velociraptor/SLE_15_SP4/ sensor");
+ zypper_call("ar -f --no-gpgcheck https://download.opensuse.org/repositories/home:/doreilly:/branches:/security:/sensor/SLE_15_SP4/ sensor");
+ }
+ elsif (is_sle('=12-SP5') || $sp_version == '12.5') {
+ zypper_call("ar -f --no-gpgcheck https://download.opensuse.org/repositories/home:/doreilly:/branches:/security:/sensor/SLE_12_SP5/ sensor");
 }
 else {
 record_info("No repo", "Missing source repository");
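Review bot: Every repository added in this hunk is registered with `--no-gpgcheck`, and the new sensor URLs point at a personal OBS branch (`home:/doreilly:/branches:/security:/sensor`) instead of the `SUSE:/Velociraptor` project they replace, so the velociraptor-client installed as root a few lines further down (outside this hunk) is never integrity-checked. HTTPS authenticates the transport, but anything published into or rebuilt in that home project is then trusted unconditionally by the test. I would drop `--no-gpgcheck` and import the project's signing key (for example `zypper --gpg-auto-import-keys ref` after `ar`, or `rpm --import` of the published key) so a tampered or unexpected package fails the install instead of silently being the binary under test; if the branch is genuinely unsigned, say so in a comment such as `# NOTE: home: project is unsigned; acceptable only on throwaway test VMs`. `sub run` starts before this hunk and continues after it.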
@@ -47,79 +50,166 @@ sub run {
 # velociraptor client install
- zypper_call "in velociraptor-client";
+ zypper_call "in --repo sensor velociraptor-client";
+ my $version = script_output "zypper info velociraptor-client | grep Source | cut -f 2 -d\":\" | tr -d \" \"";
+ print "ClientVersion:$version";
+ zypper_call "up velociraptor-client";
+ zypper_call "info velociraptor-client";
+ zypper_call"lr -U";
 systemctl "enable velociraptor-client";
 systemctl "is-enabled velociraptor-client";
 # generate config files
- assert_script_run "velociraptor-client config generate > server.conf";
- script_output 'yq -i ".defaults.event_max_wait = 1" server.conf';
- script_output 'yq -i ".defaults.event_max_wait_jitter = 1" server.conf';
- script_output 'yq -i ".defaults.event_change_notify_all_clients = true" server.conf';
- background_script_run "velociraptor-client frontend -v --config server.conf > /dev/null 2>&1 &";
- assert_script_run "velociraptor-client config client --config server.conf > client.conf";
-
- # update config file
- script_output 'yq -i ".Client.max_poll = 1" client.conf';
- script_output 'yq -i ".Client.max_poll_std = 1" client.conf';
- script_output 'yq -i ".Client.min_poll = 1" client.conf';
- script_output 'yq -i ".Client.default_max_wait = 1" client.conf';
-
- # copy config files
- assert_script_run "cp client.conf /etc/velociraptor/client.config";
-
- # start client
- sleep 10;
- systemctl "restart velociraptor-client";
- systemctl "status velociraptor-client";
- # check server accessible
- assert_script_run "curl -k https://localhost:8000/server.pem";
+ script_run('cat > init-config.json < server.conf";
+ background_script_run "velociraptor-client frontend -v --config server.conf > /dev/null 2>&1 &";
+ script_run "velociraptor-client config client --config server.conf > /etc/velociraptor/client.config";
+ script_run "sed -i '/VELOCIRAPTOR_CLIENT_OPTS=\"\"/c\VELOCIRAPTOR_CLIENT_OPTS=\"-v\"' /etc/sysconfig/velociraptor-client";
 # generate server api config
 assert_script_run "velociraptor-client --config server.conf config api_client --name admin --role administrator api.config.yaml";
 # get client info from server
- assert_script_run "velociraptor-client --api_config ~/api.config.yaml query 'SELECT * FROM info()'";
-
- # get client id
 sleep 10;
- my $clientid = script_output('velociraptor-client --api_config ~/api.config.yaml query \'SELECT *, os_info.hostname as Hostname, client_id FROM clients()\' | grep -oP \'"client_id": "\K.*(?=")\'', 120);
+ assert_script_run "velociraptor-client --api_config ~/api.config.yaml query 'SELECT * FROM info()'";
 # add client monitoring
 my @artifacts = qw(SUSE.Linux.Events.DNS SUSE.Linux.Events.ExecutableFiles SUSE.Linux.Events.ImmutableFile SUSE.Linux.Events.NewFiles SUSE.Linux.Events.NewFilesNoOwner SUSE.Linux.Events.NewHiddenFile SUSE.Linux.Events.NewZeroSizeLogFile SUSE.Linux.Events.Packages SUSE.Linux.Events.ProcessStatuses SUSE.Linux.Events.SSHLogin SUSE.Linux.Events.Services SUSE.Linux.Events.SshAuthorizedKeys SUSE.Linux.Events.SystemLogins SUSE.Linux.Events.TCPConnections SUSE.Linux.Events.Timers SUSE.Linux.Events.UserAccount SUSE.Linux.Events.UserGroupMembershipUpdates);
 foreach my $artifact (@artifacts) {
- assert_script_run("velociraptor-client --api_config ~/api.config.yaml query 'SELECT add_client_monitoring(artifact=\"$artifact\") FROM scope()'");
+ if ($artifact == 'SUSE.Linux.Events.Packages' || $artifact == 'SUSE.Linux.Events.SshAuthorizedKeys') {
+ script_run("velociraptor-client --api_config ~/api.config.yaml query 'SELECT add_client_monitoring(artifact=\"$artifact\", parameters=dict(period=\"10\")) FROM scope()' > /dev/null");
+
+ }
+ else {
+ script_run("velociraptor-client --api_config ~/api.config.yaml query 'SELECT add_client_monitoring(artifact=\"$artifact\") FROM scope()' > /dev/null");
+ }
 }
- # generetae client events
+ # start client
+ systemctl "restart velociraptor-client";
+ systemctl "status velociraptor-client";
 sleep 10;
- my $i = 0;
- while ($i < 10) {
- assert_script_run "echo 'Client Event exec' >> /home/genfile$i.sh";
- assert_script_run "chmod +x /home/genfile$i.sh";
- assert_script_run "echo 'Client Event exec' >> /tmp/genfile$i.sh";
- assert_script_run "chmod +x /tmp/genfile$i.sh";
- $i++;
- }
- sleep 60;
+ # trigger SUSE.Linux.Events.DNS
+ script_run "dig localhost";
+ script_run "host localhost";
+ script_run "nslookup localhost";
+ # trigger SUSE.Linux.Events.ExecutableFiles
+ script_run "echo 'Client Event exec' >> /home/genfileh.sh";
+ script_run "chmod +x /home/genfileh.sh";
+ script_run "echo 'Client Event exec' >> /tmp/genfilet.sh";
+ script_run "chmod +x /tmp/genfilet.sh";
+ # trigger SUSE.Linux.Events.ImmutableFile
+ script_run "echo 'Immutible file' >> /home/immutible.txt";
+ script_run "chattr +i /home/immutible.txt";
+ script_run "echo 'Immutible file' >> /tmp/immutible.txt";
+ script_run "chattr +i /tmp/immutible.txt";
+ # trigger SUSE.Linux.Events.NewFiles
+ script_run "sudo echo 'new files' >> /etc/cron.hourly/newfiles.txt";
+ script_run "sudo echo 'new files' >> /etc/cron.daily/newfiles.txt";
+ script_run "sudo echo 'new files' >> /etc/cron.weekly/newfiles.txt";
+ # trigger SUSE.Linux.Events.NewFilesNoOwner
+ script_run "echo 'No owner file' >> /home/noownerfile.txt";
+ script_run "chown 9999:9999 /home/noownerfile.txt";
+ script_run "echo 'No owner file' >> /tmp/noownerfile.txt";
+ script_run "chown 9999:9999 /tmp/noownerfile.txt";
+ # trigger SUSE.Linux.Events.NewHiddenFile
+ script_run "mkdir /home/.newhiddendir";
+ script_run "echo 'New hidden file' >> /home/.newhiddenfiles.txt";
+ script_run "mkdir /tmp/.newhiddenfir";
+ script_run "echo 'New hidden file' >> /tmp/.newhiddenfiles.txt";
+ # trigger SUSE.Linux.Events.NewZeroSizeLogFile
+ script_run "touch /var/log/newzerosizelog.txt";
+ # trigger SUSE.Linux.Events.SSHLogin && SUSE.Linux.Events.SystemLogins SUSE.Linux.Events.ProcessStatuses
+ zypper_call('in sshpass');
+ script_run "sudo useradd -m user1";
+ script_run "sudo useradd -m user2";
+ script_run "echo 'user1:passwd1' | sudo chpasswd";
+ script_run "echo 'user2:passwd2' | sudo chpasswd";
+ script_run('sshpass -p \'passwd1\' ssh -o StrictHostKeyChecking=no user1@localhost whoami');
+ script_run('sshpass -p \'passwd1\' ssh -o StrictHostKeyChecking=no user1@localhost date');
+ script_run('sshpass -p \'passwd2\' ssh -o StrictHostKeyChecking=no user2@localhost whoami');
+ script_run('sshpass -p \'passwd2\' ssh -o StrictHostKeyChecking=no user2@localhost date');
+ script_run "sudo userdel -r user1";
+ script_run "sudo userdel -r user2";
+ # trigger SUSE.Linux.Events.Services
+ script_run "systemctl status cron";
+ script_run "systemctl restart cron";
+ script_run "systemctl status cron";
+ # trigger SUSE.Linux.Events.Packages
+ zypper_call "in libexttextcat";
+ sleep 10;
+ zypper_call "rm libexttextcat";
+ # trigger SUSE.Linux.Events.SshAuthorizedKeys
+ script_run 'echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEArandomstring test@testkey" >> ~/.ssh/authorized_keys && chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys';
+ # trigger SUSE.Linux.Events.TCPConnections
+ script_run "nc localhost 8080";
+ # trigger SUSE.Linux.Events.Timers
+ # trigger SUSE.Linux.Events.UserAccount
+ # trigger SUSE.Linux.Events.UserGroupMembershipUpdates
+
+ # get client id
+ my $clientid = script_output('velociraptor-client --api_config ~/api.config.yaml query \'SELECT *, os_info.hostname as Hostname, client_id FROM clients()\' | grep -oP \'"client_id": "\K.*(?=")\'', 120);
+
 # check for collected event on server
- script_output "ls -la /var/tmp/velociraptor/clients/$clientid/monitoring_logs/";
- script_output "ls -la /var/tmp/velociraptor/clients/$clientid/monitoring/";
- my $files = script_output "find /var/tmp/velociraptor/clients/$clientid/monitoring/ -type f -name '*.json' | awk -F/ '{print \$F}'";
- my @names = split /\s+/, $files;
- for (@names) {
- my @name = split /\//, $_;
- upload_logs($_, log_name => "artifact-$name[7].json");
- }
- # skipping validation on s390x due to https://jira.suse.com/browse/SENS-122
- if (!is_s390x) {
- script_output "grep -r -i genfile* /var/tmp/velociraptor/clients/$clientid/*";
+ sleep 90;
+ foreach my $artifact (@artifacts) {
+ my $path = "/var/tmp/velociraptor/clients/$clientid/monitoring/$artifact/";
+ if (-d $path) {
+ print "$path event logs present";
+ script_run("ls $path | grep json");
+ }
+ else {
+ print "$path event logs missing";
+ }
 }
+
+ # upload event logs
+ script_run "tar cvpzf eventlogs.tgz /var/tmp/velociraptor/clients/$clientid/";
+ upload_logs('eventlogs.tgz');
+
+ # search for SUSE.Linux.Events.ExecutableFiles
+ script_output "grep -r -i genfile* /var/tmp/velociraptor/clients/$clientid/*";
+ # search for SUSE.Linux.Events.ImmutableFile
+ script_output "grep -r -i immutible* /var/tmp/velociraptor/clients/$clientid/*";
+ # search for SUSE.Linux.Events.NewFiles
+ script_output "grep -r -i newfiles* /var/tmp/velociraptor/clients/$clientid/*";
+ # search for SUSE.Linux.Events.NewFilesNoOwner
+ script_output "grep -r -i noownerfile* /var/tmp/velociraptor/clients/$clientid/*";
+ # search for SUSE.Linux.Events.NewZeroSizeLogFile
+ script_output "grep -r -i newzerosizelog* /var/tmp/velociraptor/clients/$clientid/*";
+ # search for SUSE.Linux.Events.NewHiddenFile
+ script_output "grep -r -i newhiddenfiles* /var/tmp/velociraptor/clients/$clientid/*";
+ # search for SUSE.Linux.Events.Packages
+ script_output "grep -r -i libexttextcat* /var/tmp/velociraptor/clients/$clientid/*";
+ # search for SUSE.Linux.Events.SSHLogin && SUSE.Linux.Events.SystemLogins && SUSE.Linux.Events.ProcessStatuses
+ script_output "grep -r -i user1* /var/tmp/velociraptor/clients/$clientid/*";
+ script_output "grep -r -i user2* /var/tmp/velociraptor/clients/$clientid/*";
+ script_output "grep -r -i whoami* /var/tmp/velociraptor/clients/$clientid/*";
+ script_output "grep -r -i date* /var/tmp/velociraptor/clients/$clientid/*";
+ # search for SUSE.Linux.Events.Services
+ script_output "grep -r -i cron* /var/tmp/velociraptor/clients/$clientid/*";
+ # search for SUSE.Linux.Events.SshAuthorizedKeys
+ script_output "grep -r -i test\@testkey* /var/tmp/velociraptor/clients/$clientid/*";
+ # search for SUSE.Linux.Events.TCPConnections
+ script_output "grep -r -i localhost* /var/tmp/velociraptor/clients/$clientid/*";
 #stop client cleanup
 systemctl "stop velociraptor-client";
- assert_script_run "killall velociraptor-client";
+ script_run "killall velociraptor-client";
 zypper_call "rm velociraptor-client";
- zypper_call "rm yq";
- zypper_call("rr yq");
-
+ zypper_call("rr factory");
 }
 1;