-
Notifications
You must be signed in to change notification settings - Fork 681
/
mon-staging.yml
110 lines (99 loc) · 4.42 KB
/
mon-staging.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
---
dns_server:
- 8.8.8.8
- 8.8.4.4
# Hardcoding the IPv4 addresses will ONLY work with local testing in Vagrant.
app_ip: 10.0.1.2
app_hostname: app-staging
tor_services:
- name: ssh
ports:
- "22" # assumes remote and local ports are identical
authenticated: yes # value will automatically be coerced to boolean
client: admin
# Postfix is disabled in staging.
postfix_enabled: False
# But it does get configured.
sasl_username: "test"
sasl_domain: "ossec.test"
sasl_password: "password123"
# Log events for OSSEC alerts we suppress
log_events_without_ossec_alerts:
# Check that using an overloaded guard does not produce an OSSEC alert
- name: test_overloaded_tor_guard_does_not_produce_alert
alert: >
Aug 16 21:54:44 app-staging Tor[26695]: [warn] Your Guard
<name> (<fingerprint>) is failing a very large amount of
circuits. Most likely this means the Tor network is
overloaded, but it could also mean an attack against you
or potentially the guard itself.
# Check that OSSEC keep alive messages sent to the OSSEC manager
# do not produce OSSEC alerts.
#
# For more information see:
# https://github.com/ossec/ossec-hids/issues/466
# http://ossec-docs.readthedocs.io/en/latest/faq/alerts.html
#
# Example alert is from:
# https://groups.google.com/forum/#!msg/ossec-list/dE3klm84JMU/kGZkRdSl3ZkJ
- name: test_ossec_keep_alive_mark_does_not_produce_alert
alert: >
Dec 02 09:48:40 app-staging ossec-keepalive: --MARK--:
&pQSW__BPa5S?%tyDTJ3-iCG2lz2dU))r(F%6tjp8wqpf=]IKFT%ND2k
P]ua/W)3-6'eHduX$;$Axqq7Vr.dVZ1SUDSaH)4xTXCIieaEKv47LD-b
U)SXMnXO/jPGKn3.!NGBR_5]jD2UoSV9)h%z8G%7.xhI;s)267.rV214
O@t2#w)Z(k'UQp9]MyDERrOrG[-,e?iS@B3Rg/kGiR[g6mc0K)/]S]0'
+?+'/.[r$fqBR^7iAjoPv4j6SWjeRsLGr%$3#p+buf&u_RC3i/mE3vS3*
jp&B1qSJM431TmEg,YJ][ge;6-dJI69?-TB?!BI4?Uza63V3vMY3ake6a
hj-%A-m_5lgab!OVR,!pR+;L]eLgilU
# Log events we expect an OSSEC alert to occur for
log_events_with_ossec_alerts:
# Check that a denied RWX mmaping would produce an OSSEC alert
- name: test_grsec_denied_rwx_mapping_produces_alert
alert: >
Feb 10 23:34:40 app kernel: [ 124.188641] grsec: denied
RWX mmap of <anonymous mapping> by /usr/sbin/apache2
[apache2:1328] uid/euid:33/33 gid/egid:33/33, parent
/usr/sbin/apache2[apache2:1309] uid/euid:0/0 gid/egid:0/0
level: "7" # Level 7 alert should be triggered by rule 100101
rule_id: "100101"
# When Ansible playbooks are run, an informative alert should be triggered
- name: test_ansible_playbook_triggers_alert
alert: >
Jul 22 17:06:41 app ansible-apt_key: Invoked with file=None
keyserver=None url=None data=-----BEGIN PGP PUBLIC KEY BLOCK
-----#012Version: GnuPG
v1#012#012mQENBEqg7GsBCACsef8koRT8UyZxiv1Irke5nVpte54TDtTl1
za1tOKfthmHbs2I#0124DHWG3qrwGayw+6yb5mMFe0h9Ap9IbilA5a1IdRs
dDgViyQQ3kvdfoavFHRxvGON#012tknIyk5Goa36GMBl84gQceRs/4Zx3kx
qCV+JYXE9CmdkpkVrh2K3j5+ysDWfD/kO#012dTzwu3WHaAwL8d5MJAGQn2
i6bTw4UHytrYemS1DdG/0EThCCyAnPmmb8iBkZlSW8#0126MzVqTrN37yvY
WTXk6MwKH50twaX5hzZAlSh9eqRjZLq51DDomO7EumXP90rS5mT#012QrS+
wiYfGQttoZfbh3wl5ZjejgEjx+qrnOH7ABEBAAG0JmRlYi50b3Jwcm9qZWN
0#012Lm9yZyBhcmNoaXZlIHNpZ25pbmcga2V5iEYEEBECAAYFAkqqojIACg
kQ61qJaiiY#012i/WmOgCfTyf3NJ7wHTBckwAeE4MSt5ZtXVsAn0XDq8PWW
nk4nK6TlevqK/VoWItF#012iEYEEBECAAYFAkqsYDUACgkQO50JPzGwl0vo
JwCcCSokiJSNY+yIr3nBPN/LJldb#012xekAmwfU60GeaWFwz7hqwVFL23x
eTpyniEYEEBECAAYFAkt9ndgACgkQYhWWT1sX#012KrI5TACfcBPbsaPA1A
UVVXXPv0KeWFYgVaIAoMr3jwd1NYVD6Te3D+yJhGzzCD6P#012iEYEEBECA
AYFAkt+li8ACgkQTlMAGaGhvAU4FwCfX3H4Ggm/x0yIAvmt4CW8AP9F#012
5D8AoKapuwbjsGncT3UdNFiHminAaq1tiEYEEBECAAYFAky6mjsACgkQhfc
mMSeh#012yJpL+gCggxs4C5o+Oznk7WmFrPQ3lbnfDKIAni4p20aRuwx6QW
GH8holjzTSmm5F#012iEYEEBECAAYFAlMI0FEACgkQhEMxewZV94DLagCcD
G5SR00+00VHzBVE6fDg027e#012N2sAnjNLOYbRSBxBnELUDKC7Vjaz/sAM
iEwEExECAAwFAkqg7nQFgwll/3cACgkQ#0123nqvbpTAnH+GJA
level: "13"
rule_id: "400001"
# Override and Log (as to not send email of messages pertaining to pssec
# server and agent starting up after each reboot.
- name: test_ossec_server_started_does_not_produce_email
alert: >
ossec: Ossec started.
level: "1"
rule_id: "400502"
- name: test_ossec_agent_started_does_not_produce_email
alert: >
ossec: Agent started
level: "1"
rule_id: "400503"
fpf_apt_repo_url: "https://apt-test.freedom.press"