

Add client event tests
gosipyan committed Nov 7, 2024
1 parent 643780f commit b84eea1
Showing 1 changed file with 117 additions and 36 deletions.
153 changes: 117 additions & 36 deletions tests/console/velociraptor_client_event_collect.pm
Expand Up @@ -31,7 +31,7 @@ sub run {

if (is_sle) {
if (is_sle('=15-SP6') || $sp_version == '15.6') {
zypper_call("ar -f --no-gpgcheck http://download.suse.de/ibs/SUSE:/Velociraptor/SLE_15_SP6/ sensor");
zypper_call("ar -f --no-gpgcheck https://download.opensuse.org/repositories/home:/doreilly:/branches:/security:/sensor/15.6/ sensor");
}
elsif (is_sle('=15-SP5') || $sp_version == '15.5') {
zypper_call("ar -f --no-gpgcheck http://download.suse.de/ibs/SUSE:/Velociraptor/SLE_15_SP5/ sensor");
Expand Down Expand Up @@ -68,58 +68,139 @@ sub run {
# copy config files
assert_script_run "cp client.conf /etc/velociraptor/client.config";

# start client
sleep 10;
systemctl "restart velociraptor-client";
systemctl "status velociraptor-client";
# check server accessible
assert_script_run "curl -k https://localhost:8000/server.pem";

# generate server api config
assert_script_run "velociraptor-client --config server.conf config api_client --name admin --role administrator api.config.yaml";
# get client info from server
assert_script_run "velociraptor-client --api_config ~/api.config.yaml query 'SELECT * FROM info()'";

# get client id
sleep 10;
my $clientid = script_output('velociraptor-client --api_config ~/api.config.yaml query \'SELECT *, os_info.hostname as Hostname, client_id FROM clients()\' | grep -oP \'"client_id": "\K.*(?=")\'', 120);
assert_script_run "velociraptor-client --api_config ~/api.config.yaml query 'SELECT * FROM info()'";

# add client monitoring
my @artifacts = qw(SUSE.Linux.Events.DNS SUSE.Linux.Events.ExecutableFiles SUSE.Linux.Events.ImmutableFile SUSE.Linux.Events.NewFiles SUSE.Linux.Events.NewFilesNoOwner SUSE.Linux.Events.NewHiddenFile SUSE.Linux.Events.NewZeroSizeLogFile SUSE.Linux.Events.Packages SUSE.Linux.Events.ProcessStatuses SUSE.Linux.Events.SSHLogin SUSE.Linux.Events.Services SUSE.Linux.Events.SshAuthorizedKeys SUSE.Linux.Events.SystemLogins SUSE.Linux.Events.TCPConnections SUSE.Linux.Events.Timers SUSE.Linux.Events.UserAccount SUSE.Linux.Events.UserGroupMembershipUpdates);
foreach my $artifact (@artifacts) {
assert_script_run("velociraptor-client --api_config ~/api.config.yaml query 'SELECT add_client_monitoring(artifact=\"$artifact\") FROM scope()'");
if ($artifact == 'SUSE.Linux.Events.Packages' || $artifact == 'SUSE.Linux.Events.SshAuthorizedKeys') {
script_run("velociraptor-client --api_config ~/api.config.yaml query 'SELECT add_client_monitoring(artifact=\"$artifact\", parameters=dict(period=\"10\")) FROM scope()' > /dev/null");

}
else {
script_run("velociraptor-client --api_config ~/api.config.yaml query 'SELECT add_client_monitoring(artifact=\"$artifact\") FROM scope()' > /dev/null");
}
}

# generetae client events
# start client
systemctl "restart velociraptor-client";
systemctl "status velociraptor-client";
sleep 10;
my $i = 0;
while ($i < 10) {
assert_script_run "echo 'Client Event exec' >> /home/genfile$i.sh";
assert_script_run "chmod +x /home/genfile$i.sh";
assert_script_run "echo 'Client Event exec' >> /tmp/genfile$i.sh";
assert_script_run "chmod +x /tmp/genfile$i.sh";
$i++;
}
sleep 60;

# trigger SUSE.Linux.Events.DNS
script_run "dig localhost";
script_run "host localhost";
script_run "nslookup localhost";
# trigger SUSE.Linux.Events.ExecutableFiles
script_run "echo 'Client Event exec' >> /home/genfileh.sh";
script_run "chmod +x /home/genfileh.sh";
script_run "echo 'Client Event exec' >> /tmp/genfilet.sh";
script_run "chmod +x /tmp/genfilet.sh";
# trigger SUSE.Linux.Events.ImmutableFile
script_run "echo 'Immutible file' >> /home/immutible.txt";
script_run "chattr +i /home/immutible.txt";
script_run "echo 'Immutible file' >> /tmp/immutible.txt";
script_run "chattr +i /tmp/immutible.txt";
# trigger SUSE.Linux.Events.NewFiles
script_run "sudo echo 'new files' >> /etc/cron.hourly/newfiles.txt";
script_run "sudo echo 'new files' >> /etc/cron.daily/newfiles.txt";
script_run "sudo echo 'new files' >> /etc/cron.weekly/newfiles.txt";
# trigger SUSE.Linux.Events.NewFilesNoOwner
script_run "echo 'No owner file' >> /home/noownerfile.txt";
script_run "chown 9999:9999 /home/noownerfile.txt";
script_run "echo 'No owner file' >> /tmp/noownerfile.txt";
script_run "chown 9999:9999 /tmp/noownerfile.txt";
# trigger SUSE.Linux.Events.NewHiddenFile
script_run "mkdir /home/.newhiddendir";
script_run "echo 'New hidden file' >> /home/.newhiddenfiles.txt";
script_run "mkdir /tmp/.newhiddenfir";
script_run "echo 'New hidden file' >> /tmp/.newhiddenfiles.txt";
# trigger SUSE.Linux.Events.NewZeroSizeLogFile
script_run "touch /var/log/newzerosizelog.txt";
# trigger SUSE.Linux.Events.SSHLogin && SUSE.Linux.Events.SystemLogins SUSE.Linux.Events.ProcessStatuses
zypper_call('in sshpass');
script_run "sudo useradd -m user1";
script_run "sudo useradd -m user2";
script_run "echo 'user1:passwd1' | sudo chpasswd";
script_run "echo 'user2:passwd2' | sudo chpasswd";
script_run('sshpass -p \'passwd1\' ssh -o StrictHostKeyChecking=no user1@localhost whoami');
script_run('sshpass -p \'passwd1\' ssh -o StrictHostKeyChecking=no user1@localhost date');
script_run('sshpass -p \'passwd2\' ssh -o StrictHostKeyChecking=no user2@localhost whoami');
script_run('sshpass -p \'passwd2\' ssh -o StrictHostKeyChecking=no user2@localhost date');
script_run "sudo userdel -r user1";
script_run "sudo userdel -r user2";
# trigger SUSE.Linux.Events.Services
script_run "systemctl status cron";
script_run "systemctl restart cron";
script_run "systemctl status cron";
# trigger SUSE.Linux.Events.Packages
zypper_call "in libexttextcat";
zypper_call "in html2text";
zypper_call "rm libexttextcat";
zypper_call "rm html2text";
# trigger SUSE.Linux.Events.SshAuthorizedKeys
script_run 'echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEArandomstring test@testkey" >> ~/.ssh/authorized_keys && chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys';
# trigger SUSE.Linux.Events.TCPConnections
script_run "nc localhost 8080";
# trigger SUSE.Linux.Events.Timers
# trigger SUSE.Linux.Events.UserAccount
# trigger SUSE.Linux.Events.UserGroupMembershipUpdates

# get client id
my $clientid = script_output('velociraptor-client --api_config ~/api.config.yaml query \'SELECT *, os_info.hostname as Hostname, client_id FROM clients()\' | grep -oP \'"client_id": "\K.*(?=")\'', 120);

# check for collected event on server
script_output "ls -la /var/tmp/velociraptor/clients/$clientid/monitoring_logs/";
script_output "ls -la /var/tmp/velociraptor/clients/$clientid/monitoring/";
my $files = script_output "find /var/tmp/velociraptor/clients/$clientid/monitoring/ -type f -name '*.json' | awk -F/ '{print \$F}'";
my @names = split /\s+/, $files;
for (@names) {
my @name = split /\//, $_;
upload_logs($_, log_name => "artifact-$name[7].json");
}
# skipping validation on s390x due to https://jira.suse.com/browse/SENS-122
if (!is_s390x) {
script_output "grep -r -i genfile* /var/tmp/velociraptor/clients/$clientid/*";
sleep 90;
foreach my $artifact (@artifacts) {
my $path = "/var/tmp/velociraptor/clients/$clientid/monitoring/$artifact/";
if (-d $path) {
print "$path event logs present";
script_run("ls $path | grep json");
}
else {
print "$path event logs missing";
}
}

# upload event logs
script_run "tar cvpzf eventlogs.tgz /var/tmp/velociraptor/clients/$clientid/monitoring/";
upload_logs('eventlogs.tgz');

# search for SUSE.Linux.Events.ExecutableFiles
script_output "grep -r -i genfile* /var/tmp/velociraptor/clients/$clientid/*";
# search for SUSE.Linux.Events.ImmutableFile
script_output "grep -r -i immutible* /var/tmp/velociraptor/clients/$clientid/*";
# search for SUSE.Linux.Events.NewFiles
script_output "grep -r -i newfiles* /var/tmp/velociraptor/clients/$clientid/*";
# search for SUSE.Linux.Events.NewFilesNoOwner
script_output "grep -r -i noownerfile* /var/tmp/velociraptor/clients/$clientid/*";
# search for SUSE.Linux.Events.NewZeroSizeLogFile
script_output "grep -r -i newzerosizelog* /var/tmp/velociraptor/clients/$clientid/*";
# search for SUSE.Linux.Events.NewHiddenFile
script_output "grep -r -i newhiddenfiles* /var/tmp/velociraptor/clients/$clientid/*";
# search for SUSE.Linux.Events.Packages
script_output "grep -r -i $clientid /var/tmp/velociraptor/clients/$clientid/monitoring/SUSE.Linux.Events.Packages/*";
# search for SUSE.Linux.Events.SSHLogin && SUSE.Linux.Events.SystemLogins && SUSE.Linux.Events.ProcessStatuses
script_output "grep -r -i user1* /var/tmp/velociraptor/clients/$clientid/*";
script_output "grep -r -i user2* /var/tmp/velociraptor/clients/$clientid/*";
script_output "grep -r -i whoami* /var/tmp/velociraptor/clients/$clientid/*";
script_output "grep -r -i date* /var/tmp/velociraptor/clients/$clientid/*";
# search for SUSE.Linux.Events.Services
script_output "grep -r -i cron* /var/tmp/velociraptor/clients/$clientid/*";
# search for SUSE.Linux.Events.SshAuthorizedKeys
script_output "grep -r -i test\@testkey* /var/tmp/velociraptor/clients/$clientid/*";
# search for SUSE.Linux.Events.TCPConnections
script_output "grep -r -i localhost* /var/tmp/velociraptor/clients/$clientid/*";

#stop client cleanup
systemctl "stop velociraptor-client";
assert_script_run "killall velociraptor-client";
script_run "killall velociraptor-client";
zypper_call "rm velociraptor-client";
zypper_call "rm yq";
zypper_call("rr yq");

}
1;
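Review bot: The branch `if ($artifact == 'SUSE.Linux.Events.Packages' || $artifact == 'SUSE.Linux.Events.SshAuthorizedKeys')` compares strings with the numeric `==`, so both sides evaluate to 0 and the condition is always true (with "isn't numeric" warnings), meaning every artifact is registered with `period="10"` and the `else` branch is dead; it should read `if ($artifact eq 'SUSE.Linux.Events.Packages' || $artifact eq 'SUSE.Linux.Events.SshAuthorizedKeys') {`. Further down, `if (-d $path)` is a Perl file test evaluated on the os-autoinst worker, not on the SUT, so the "event logs present/missing" output does not reflect the client's monitoring directory; `if (script_run("test -d $path") == 0)` checks the right host, and `record_info` would surface the result in the job log where `print` does not. The `authorized_keys` entry appended to trigger SshAuthorizedKeys and the `chattr +i` files are not undone in the cleanup section, so the test leaves a trust entry on the SUT after the module finishes; removing that line (or restoring the file) next to the `userdel` calls would keep the teardown complete. Which of these lines are new versus pre-existing cannot be told from the rendered page, and `run` begins above the first hunk.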
