improved test coverage + some refactoring

lleon1435 · Sep 1, 2022 · a67d5cf · a67d5cf
1 parent bcc792c
commit a67d5cf
Show file tree

Hide file tree

Showing 22 changed files with 262 additions and 254 deletions.
diff --git a/.github/coverage/badge.svg b/.github/coverage/badge.svg
diff --git a/.github/coverage/coverage.txt b/.github/coverage/coverage.txt
diff --git a/agent/agent.go b/agent/agent.go
@@ -5,7 +5,6 @@ import (
 	"compress/gzip"
 	"context"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -299,21 +298,6 @@ func (a *Agent) configureAuditPolicies() {
 	}()
 }
 
-func (a *Agent) restoreAuditPolicies() {
-	c := a.config.AuditConfig
-
-	for _, ap := range c.AuditPolicies {
-		if err := utils.DisableAuditPolicy(ap); err != nil {
-			a.logger.Errorf("Failed to disable audit policy %s: %s", ap, err)
-		}
-	}
-
-	dirs := utils.StdDirs(utils.ExpandEnvs(c.AuditDirs...)...)
-	if err := utils.RemoveEDRAuditACL(dirs...); err != nil {
-		a.logger.Errorf("Error while restoring File System Audit ACLs: %s", err)
-	}
-}
-
 func (a *Agent) update(force bool) (last error) {
 	var reloadRules, reloadContainers bool
 
@@ -480,8 +464,8 @@ func (a *Agent) fetchRulesFromManager() (err error) {
 		return fmt.Errorf("failed to verify rules integrity")
 	}
 
-	ioutil.WriteFile(sha256Path, []byte(sha256), 0600)
-	return ioutil.WriteFile(rulePath, []byte(rules), 0600)
+	os.WriteFile(sha256Path, []byte(sha256), 0600)
+	return os.WriteFile(rulePath, []byte(rules), 0600)
 }
 
 // containerPaths returns the path to the container and the path to its sha256 file
@@ -540,7 +524,7 @@ func (a *Agent) fetchIoCsFromManager() (err error) {
 	}
 
 	// Dump current container sha256 to a file
-	return ioutil.WriteFile(contSha256Path, []byte(compSha256), 0600)
+	return os.WriteFile(contSha256Path, []byte(compSha256), 0600)
 }
 
 // loads containers found in container database directory
@@ -762,7 +746,7 @@ func (a *Agent) updateAgentConfig() (err error) {
 
 func (a *Agent) cleanup() {
 	// Cleaning up empty dump directories if needed
-	fis, _ := ioutil.ReadDir(a.config.Dump.Dir)
+	fis, _ := os.ReadDir(a.config.Dump.Dir)
 	for _, fi := range fis {
 		if fi.IsDir() {
 			fp := filepath.Join(a.config.Dump.Dir, fi.Name())
@@ -1005,10 +989,26 @@ func (a *Agent) Wait() {
 
 // WaitWithTimeout waits the IDS to finish
 func (a *Agent) WaitWithTimeout(timeout time.Duration) {
-	t := time.NewTimer(timeout)
+	var slept time.Duration
+
+	step := time.Millisecond * 25
+	stop := make(chan bool)
+
 	go func() {
-		a.waitGroup.Wait()
-		t.Stop()
+		a.Wait()
+		stop <- true
 	}()
-	<-t.C
+
+	for {
+		select {
+		case <-stop:
+			return
+		default:
+			if slept >= timeout {
+				return
+			}
+			time.Sleep(step)
+			slept += step
+		}
+	}
 }
diff --git a/agent/agent_test.go b/agent/agent_test.go
@@ -20,7 +20,9 @@ import (
 	"github.com/0xrawsec/whids/api/server"
 	"github.com/0xrawsec/whids/event"
 	"github.com/0xrawsec/whids/ioc"
+	"github.com/0xrawsec/whids/los"
 	"github.com/0xrawsec/whids/sysmon"
+	"github.com/0xrawsec/whids/tools"
 	"github.com/0xrawsec/whids/utils"
 )
 
@@ -103,8 +105,21 @@ var (
 			Key:  filepath.Join(mroot, "key.pem"),
 		},
 	}
+
+	// tools deployment
+	osqueryBin         []byte
+	osqueryTestBinPath = filepath.Join("data", fmt.Sprintf("%s.%s%s", los.OS, tools.ToolOSQueryi, los.ExecExt))
 )
 
+func init() {
+	var err error
+
+	if osqueryBin, err = os.ReadFile(osqueryTestBinPath); err != nil {
+		panic(err)
+	}
+
+}
+
 func generateCert(c server.ManagerConfig) {
 	hosts := []string{c.AdminAPI.Host, c.EndpointAPI.Host}
 	key, cert, err := utils.GenerateCert("Test", hosts, time.Hour*24*365)
@@ -175,6 +190,9 @@ func prepareManager() (m *server.Manager, cconf cconfig.Client) {
 	// already exists
 	m.CreateNewAdminAPIUser(testAdminUser)
 
+	osquery := tools.New(los.OS, tools.ToolOSQueryi, "osquery", osqueryBin)
+	m.TestAddTool(osquery)
+
 	m.AddEndpoint(cconf.UUID, cconf.Key)
 	if err := m.AddIoCs(randomIoCs(1000)); err != nil {
 		panic(err)
@@ -304,5 +322,9 @@ func TestAgent(t *testing.T) {
 
 	tt.Assert(gotSysmonEvent, "failed to monitor Sysmon events")
 
-	t.Log(utils.PrettyJsonOrPanic(a.tracker.Modules()))
+	t.Log(utils.PrettyJsonOrPanic(a.Report(false)))
+
+	a.WaitWithTimeout(time.Second * 15)
+
+	a.LogStats()
 }
diff --git a/agent/commands.go b/agent/commands.go
@@ -9,7 +9,6 @@ import (
 	"fmt"
 	"io"
 	"io/fs"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"regexp"
@@ -125,15 +124,20 @@ func cmdHash(path string) (nfi FileInfo, err error) {
 }
 
 func cmdDir(path string) (sfi []FileInfo, err error) {
-	var ofi []fs.FileInfo
+	var ofi []os.DirEntry
 
-	if ofi, err = ioutil.ReadDir(path); err != nil {
+	if ofi, err = os.ReadDir(path); err != nil {
 		return
 	}
 
 	sfi = make([]FileInfo, len(ofi))
-	for i, fi := range ofi {
+	for i, de := range ofi {
+		var fi fs.FileInfo
+
 		sfi[i].Dir = path
+		if fi, sfi[i].Err = de.Info(); sfi[i].Err != nil {
+			continue
+		}
 		sfi[i].FromFSFileInfo(fi)
 	}
 

diff --git a/agent/config/reports.go b/agent/config/reports.go
@@ -1,13 +1,13 @@
 package config
 
 import (
-	"context"
 	"encoding/json"
 	"fmt"
 	"os/exec"
 	"time"
 
 	"github.com/0xrawsec/whids/tools"
+	"github.com/0xrawsec/whids/utils/command"
 )
 
 // ReportCommand is a structure both to configure commands to run in a report
@@ -18,43 +18,47 @@ type ReportCommand struct {
 	Args        []string      `json:"args" toml:"args" comment:"Argument of the command line"`
 	ExpectJSON  bool          `json:"expect-json" toml:"expect-json" comment:"Expect JSON formated output on stdout"`
 	Stdout      interface{}   `json:"stdout" toml:",omitempty"`
-	Stderr      []byte        `json:"stderr" toml:",omitempty"`
+	Stderr      string        `json:"stderr" toml:",omitempty"`
 	Error       string        `json:"error" toml:",omitempty"`
 	Timestamp   time.Time     `json:"timestamp" toml:",omitempty"`
 	Timeout     time.Duration `json:"timeout" toml:"timeout" comment:"Timeout to apply to the command (if > 0 this takes precedence over the global report timeout setting)"`
 }
 
 // Run the desired command
 func (c *ReportCommand) Run() {
-	var cmd *exec.Cmd
+	var cmd *command.Cmd
 	var err error
 	var stdout []byte
-	var cancel context.CancelFunc
 
-	ctx := context.Background()
 	if c.Timeout > 0 {
-		ctx, cancel = context.WithTimeout(context.Background(), c.Timeout)
-		defer cancel()
+		cmd = command.CommandTimeout(c.Timeout, c.Name, c.Args...)
+	} else {
+		cmd = command.Command(c.Name, c.Args...)
 	}
 
-	cmd = exec.CommandContext(ctx, c.Name, c.Args...)
+	defer cmd.Terminate()
 	// set timestamp
 	c.Timestamp = time.Now()
+
 	if stdout, err = cmd.Output(); err != nil {
 		c.Error = err.Error()
 		if ee, ok := err.(*exec.ExitError); ok {
-			c.Stderr = ee.Stderr
+			c.Stderr = string(ee.Stderr)
 		}
+		// return if we encountered an error
+		return
 	}
 
 	if c.ExpectJSON {
 		if err = json.Unmarshal(stdout, &(c.Stdout)); err != nil {
 			c.Stdout = string(stdout)
 			c.Error = err.Error()
 		}
-	} else {
-		c.Stdout = stdout
+		return
 	}
+
+	// we don't want to parse output as JSON
+	c.Stdout = stdout
 }
 
 var (

diff --git a/agent/hookdefs.go b/agent/hookdefs.go
@@ -2,7 +2,6 @@ package agent
 
 import (
 	"fmt"
-	"io/ioutil"
 	"math"
 	"net"
 	"os"
@@ -758,7 +757,7 @@ func hookClipboardEvents(h *Agent, e *event.EdrEvent) {
 		if fi, err := os.Stat(path); err == nil {
 			// limit size of ClipboardData to 1 Mega
 			if fi.Mode().IsRegular() && fi.Size() < utils.Mega {
-				if data, err := ioutil.ReadFile(path); err == nil {
+				if data, err := os.ReadFile(path); err == nil {
 					// We try to decode utf16 content because regexp can only match utf8
 					// Thus doing this is needed to apply detection rule on clipboard content
 					if enc, err := utils.Utf16ToUtf8(data); err == nil {

diff --git a/agent/hooks.go b/agent/hooks.go
@@ -1,8 +1,6 @@
 package agent
 
 import (
-	"reflect"
-	"runtime"
 	"sync"
 
 	"github.com/0xrawsec/whids/event"
@@ -119,7 +117,3 @@ func (hm *HookManager) RunHooksOn(h *Agent, e *event.EdrEvent) (ret bool) {
 
 	return
 }
-
-func getFunctionName(i interface{}) string {
-	return runtime.FuncForPC(reflect.ValueOf(i).Pointer()).Name()
-}
diff --git a/agent/hookutils.go b/agent/hookutils.go
@@ -41,30 +41,3 @@ func terminate(pid int) error {
 func isSysmonProcessTerminate(e *event.EdrEvent) bool {
 	return e.Channel() == sysmonChannel && e.EventID() == SysmonProcessTerminate
 }
-
-func srcPIDFromEvent(e *event.EdrEvent) int64 {
-
-	if pid, ok := e.GetInt(pathSysmonProcessId); ok {
-		return pid
-	}
-
-	if pid, ok := e.GetInt(pathSysmonSourceProcessId); ok {
-		return pid
-	}
-
-	return -1
-}
-
-func hasAction(e *event.EdrEvent, action string) bool {
-	if d := e.GetDetection(); d != nil {
-		return d.Actions.Contains(action)
-	}
-	return false
-}
-
-func getCriticality(e *event.EdrEvent) int {
-	if d := e.GetDetection(); d != nil {
-		return d.Criticality
-	}
-	return 0
-}
diff --git a/agent/sysinfo/sysinfo_test.go b/agent/sysinfo/sysinfo_test.go
@@ -1,16 +1,37 @@
 package sysinfo
 
 import (
+	"reflect"
 	"testing"
 
+	"github.com/0xrawsec/toast"
 	"github.com/0xrawsec/whids/utils"
 )
 
 func TestSystemInfo(t *testing.T) {
 	t.Parallel()
+
 	var h string
 	var err error
+
+	tt := toast.FromT(t)
+	ei := &EdrInfo{
+		Version: "major.minor.patch",
+		Commit:  "somerandomcommitid",
+	}
+
 	info := NewSystemInfo()
+	tt.Assert(edrInfo == nil)
+	tt.Assert(info.Edr == nil)
+
+	// we register edr information
+	RegisterEdrInfo(ei)
+	tt.Assert(edrInfo != nil)
+	tt.Assert(reflect.DeepEqual(edrInfo, ei))
+
+	info = NewSystemInfo()
+	tt.Assert(reflect.DeepEqual(info.Edr, ei))
+
 	if h, err = utils.Sha1Interface(info); err != nil {
 		t.Error(err)
 	}

diff --git a/api/client/upload.go b/api/client/upload.go
@@ -4,7 +4,6 @@ import (
 	"fmt"
 	"io"
 	"io/fs"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"regexp"
@@ -179,7 +178,7 @@ func (f *FileUpload) write(root string) (err error) {
 
 		for i := 1; i < f.Total; i++ {
 			chunkPath := fmt.Sprintf("%s.%d", path, i)
-			if content, err = ioutil.ReadFile(chunkPath); err != nil {
+			if content, err = os.ReadFile(chunkPath); err != nil {
 				return
 			}