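import ./make-test-python.nix (
  { lib, pkgs, ... }:
  {
    name = "suricata";
    meta.maintainers = with lib.maintainers; [ felbinger ];

    nodes = {
      # Sensor VM: Suricata captures on eth1 with one static rule, so the test
      # runs without any rule download from the Internet.
      ids = {
        imports = [
          ../modules/profiles/minimal.nix
          ../modules/services/networking/suricata/default.nix
        ];

        networking.interfaces.eth1 = {
          useDHCP = false;
          ipv4.addresses = [
            {
              address = "192.168.1.2";
              prefixLength = 24;
            }
          ];
        };

        # disable suricata-update because this requires an Internet connection
        systemd.services.suricata-update.enable = false;

        # install suricata package to make suricatasc program available
        environment.systemPackages = with pkgs; [ suricata ];

        services.suricata = {
          enable = true;
          settings = {
            vars.address-groups.HOME_NET = "192.168.1.0/24";
            # the control socket that suricatasc talks to in the test script
            unix-command.enabled = true;
            # fast.log is the only output the test script reads
            outputs = [ { fast.enabled = true; } ];
            af-packet = [ { interface = "eth1"; } ];
            classification-file = "${pkgs.suricata}/etc/suricata/classification.config";
          };
        };

        # create suricata.rules with the rule to detect the output of the id command
        systemd.tmpfiles.rules = [
          ''f /var/lib/suricata/rules/suricata.rules 644 suricata suricata 0 alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, updated_at 2019_07_26;)''
        ];
      };

      # Web server VM: serves a fixed "id" style response that the rule above
      # matches on the wire.
      helper = {
        imports = [ ../modules/profiles/minimal.nix ];

        networking.interfaces.eth1 = {
          useDHCP = false;
          ipv4.addresses = [
            {
              address = "192.168.1.1";
              prefixLength = 24;
            }
          ];
        };

        services.nginx = {
          enable = true;
          virtualHosts."localhost".locations = {
            "/id/".return = "200 'uid=0(root) gid=0(root) groups=0(root)'";
          };
        };
        networking.firewall.allowedTCPPorts = [ 80 ];
      };
    };

    testScript = ''
      start_all()

      # check that configuration has been applied correctly with suricatasc
      with subtest("suricata configuration test"):
          ids.wait_for_unit("suricata.service")
          # compare the whole value, not a substring: `'1' in ...` would also
          # accept counts such as 10 or 21
          count = ids.succeed("suricatasc -c 'iface-list' | ${pkgs.jq}/bin/jq .message.count").strip()
          assert count == "1", f"expected exactly one capture interface, suricatasc reported {count}"

      # test detection of events based on a static ruleset (output of id command)
      with subtest("suricata rule test"):
          helper.wait_for_unit("nginx.service")
          ids.wait_for_unit("suricata.service")

          ids.succeed("curl http://192.168.1.1/id/")
          # the alert reaches fast.log asynchronously after curl returns, so
          # poll for it instead of reading the last log line exactly once
          ids.wait_until_succeeds(
              "grep -F 'id check returned root [**] [Classification: Potentially Bad Traffic]' /var/log/suricata/fast.log"
          )
    '';
  }
)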