Merge pull request #2452 from amalone-scwx/am_args

parameterize T1070.002 tests

atomics/T1070.002/T1070.002.yaml

@@ -8,10 +8,28 @@ atomic_tests:
   supported_platforms:
   - macos
   - linux
+  input_arguments:
+    syslog_path:
+      description: path of syslog file to delete. On macos it's /var/log/system.log*, on linux, it's /var/log/syslog*. Also note for File events, that on macos, /var/ is a link to /private/var/.
+      type: string
+      default: /var/log/system.log
+    macos_audit_path:
+      description: path of audit file to delete
+      type: string
+      default: /var/audit/20220725213300.202208110700021
+  dependency_executor_name: sh
+  dependencies:
+  - description: |
+      target files must exist
+    prereq_command: |
+      if [ -d /var/audit ] ; then stat #{macos_audit_path} ; fi && stat #{syslog_path}
+    get_prereq_command: |
+      touch #{syslog_path}
+      if [ -d /var/audit ] ; then touch #{macos_audit_path} ; fi
   executor:
     command: |
-      sudo rm -rf /private/var/log/system.log*
-      sudo rm -rf /private/var/audit/*
+      sudo rm -rf #{syslog_path}
+      if [ -d /var/audit ] ; then sudo rm -rf #{macos_audit_path} ; fi
     name: sh
     elevation_required: true
 - name: Delete log files using built-in log utility 
@@ -24,7 +42,6 @@ atomic_tests:
     command: |
       sudo log erase --all
       sudo log erase --ttl #Deletes only time-to-live log content
-      sudo log erase --predicate 'subsystem == "com.apple.appstore"' #Deletes all logs related to the App Store, useful for clearing specific entries of the system log
     name: sh
     elevation_required: true
 - name: Truncate system log files via truncate utility
@@ -33,10 +50,23 @@ atomic_tests:
     This test truncates the system log files using the truncate utility with (-s 0 or --size=0) parameter which sets file size to zero, thus emptying the file content
   supported_platforms:
   - macos
+  input_arguments:
+    system_log_path:
+      description: path of system log to delete.
+      type: string
+      default: /var/log/system.log
+  dependency_executor_name: sh
+  dependencies:
+  - description: |
+      target files must exist
+    prereq_command: |
+      stat #{system_log_path}
+    get_prereq_command: |
+      touch #{system_log_path}
   executor:
     command: |
-      sudo truncate -s 0 /var/log/system.log #size parameter shorthand
-      sudo truncate --size=0 /var/log/system.log #size parameter 
+      sudo truncate -s 0 #{system_log_path} #size parameter shorthand
+      sudo truncate --size=0 #{system_log_path} #size parameter 
     name: sh
     elevation_required: true
 - name: Delete log files via cat utility by appending /dev/null or /dev/zero
@@ -45,10 +75,23 @@ atomic_tests:
     The first sub-test truncates the log file to zero bytes via /dev/null and the second sub-test fills the log file with null bytes(zeroes) via /dev/zero, using cat utility
   supported_platforms:
   - macos
+  input_arguments:
+    system_log_path:
+      description: path of system log to delete.
+      type: string
+      default: /var/log/system.log
+  dependency_executor_name: sh
+  dependencies:
+  - description: |
+      target files must exist
+    prereq_command: |
+      stat #{system_log_path}
+    get_prereq_command: |
+      touch #{system_log_path}
   executor:
     command: |
-      sudo cat /dev/null > /var/log/system.log #truncating the file to zero bytes
-      sudo cat /dev/zero > /var/lol/system.log #log file filled with null bytes(zeros)
+      sudo cat /dev/null > #{system_log_path} #truncating the file to zero bytes
+      sudo dd if=/dev/zero bs=1000 count=5 of=#{system_log_path} #log file filled with null bytes(zeros)
     name: sh
     elevation_required: true
 - name: System log file deletion via find utility
@@ -57,11 +100,32 @@ atomic_tests:
     This test finds and deletes the system log files within /var/log/ directory using various executions(rm, shred, unlink)
   supported_platforms:
   - macos
+  input_arguments:
+    system_log_name1:
+      description: name or prefix of system log to delete.
+      type: string
+      default: system.log
+    system_log_name2:
+      description: name or prefix of system log to delete.
+      type: string
+      default: system.log.97.gz
+    system_log_name3:
+      description: name or prefix of system log to delete.
+      type: string
+      default: system.log.98.gz
+  dependency_executor_name: sh
+  dependencies:
+  - description: |
+      target files must exist
+    prereq_command: |
+      stat /var/log/#{system_log_name1} /var/log/#{system_log_name2} /var/log/#{system_log_name3}
+    get_prereq_command: |
+      touch /var/log/#{system_log_name1} /var/log/#{system_log_name2} /var/log/#{system_log_name3}
   executor:
     command: |
-      sudo find /var/log -name 'system.log.*' -exec rm {} \; #using "rm" execution
-      sudo find /var/log/ -name "system.log.*" -exec shred -u -z -n 3 {} \; #using "shred" execution
-      sudo find /var/log/ -name "system.log.*" -exec unlink {} \; #using "unlink" execution
+      sudo find /var/log -name '#{system_log_name1}.*' -exec rm {} \; #using "rm" execution
+      sudo find /var/log/ -name "#{system_log_name2}.*" -exec shred -u -z -n 3 {} \; #using "shred" execution
+      sudo find /var/log/ -name "#{system_log_name3}.*" -exec unlink {} \; #using "unlink" execution
     name: sh
     elevation_required: true
 - name: Overwrite macOS system log via echo utility
@@ -70,9 +134,14 @@ atomic_tests:
     This test overwrites the contents of system log file with an empty string using echo utility
   supported_platforms:
   - macos
+  input_arguments:
+    system_log_path:
+      description: path to system.log
+      type: string
+      default: /var/log/system.log
   executor:
     command: |
-      sudo echo '' > /var/log/system.log
+      sudo echo '' > #{system_log_path}
     name: sh
     elevation_required: true
 - name: Real-time system log clearance/deletion
@@ -92,9 +161,22 @@ atomic_tests:
     This test deletes the system log file using unlink utility
   supported_platforms:
   - macos
+  input_arguments:
+    system_log_path:
+      description: path to system.log
+      type: string
+      default: /var/log/system.log
+  dependency_executor_name: sh
+  dependencies:
+  - description: |
+      target files must exist
+    prereq_command: |
+      stat #{system_log_path}
+    get_prereq_command: |
+      touch #{system_log_path}
   executor:
     command: |
-      sudo unlink /var/log/system.log
+      sudo unlink #{system_log_path}
     name: sh
     elevation_required: true
 - name: Delete system log files using shred utility
@@ -103,9 +185,22 @@ atomic_tests:
     This test overwrites the contents of the log file with zero bytes(-z) using three passes(-n 3) of data, and then delete the file(-u) securely
   supported_platforms:
   - macos
+  input_arguments:
+    system_log_path:
+      description: path to system.log
+      type: string
+      default: /var/log/system.log
+  dependency_executor_name: sh
+  dependencies:
+  - description: |
+      target files must exist
+    prereq_command: |
+      stat #{system_log_path}
+    get_prereq_command: |
+      touch #{system_log_path}
   executor:
     command: |
-      sudo shred -u -z -n 3 /var/log/system.log
+      sudo shred -u -z -n 3 #{system_log_path}
     name: sh
     elevation_required: true
 - name: Delete system log files using srm utility
@@ -116,10 +211,27 @@ atomic_tests:
     Refer: https://github.com/khell/homebrew-srm/issues/1 for installation
   supported_platforms:
   - macos
+  input_arguments:
+    system_log_path:
+      description: path to system.log
+      type: string
+      default: /var/log/system.log
+    system_log_folder:
+      description: path to log parent folder
+      type: string
+      default: /var/log/
+  dependency_executor_name: sh
+  dependencies:
+  - description: |
+      target files must exist
+    prereq_command: |
+      stat #{system_log_path} #{system_log_folder}
+    get_prereq_command: |
+      mkdir -p #{system_log_folder} && touch #{system_log_path} #{system_log_folder}/system.log
   executor:
     command: |
-      sudo srm /var/log/system.log #system log file deletion
-      sudo srm -r /var/log/ #recursive deletion of log files
+      sudo srm #{system_log_path} #system log file deletion
+      sudo srm -r #{system_log_folder} #recursive deletion of log files
     name: sh
     elevation_required: true
 - name: Delete system log files using OSAScript
@@ -128,9 +240,22 @@ atomic_tests:
     This test deletes the system log file using osascript via "do shell script"(sh/bash by default) which in-turn spawns rm utility, requires admin privileges
   supported_platforms:
   - macos
+  input_arguments:
+    system_log_path:
+      description: path to system.log
+      type: string
+      default: /var/log/system.log
+  dependency_executor_name: sh
+  dependencies:
+  - description: |
+      target files must exist
+    prereq_command: |
+      stat #{system_log_path}
+    get_prereq_command: |
+      touch #{system_log_path}
   executor:
     command: |
-      osascript -e 'do shell script "rm /var/log/system.log" with administrator privileges'
+      osascript -e 'do shell script "rm #{system_log_path}" with administrator privileges'
     name: sh
     elevation_required: true
 - name: Delete system log files using Applescript
@@ -141,9 +266,22 @@ atomic_tests:
     Refer: https://www.rainforestqa.com/blog/macos-tcc-db-deep-dive
   supported_platforms:
   - macos
+  input_arguments:
+    system_log_path:
+      description: path to system.log
+      type: string
+      default: /var/log/system.log
+  dependency_executor_name: sh
+  dependencies:
+  - description: |
+      target files must exist
+    prereq_command: |
+      stat #{system_log_path}
+    get_prereq_command: |
+      touch #{system_log_path}
   executor:
     command: |
-      osascript -e 'tell application "Finder" to delete POSIX file "/var/log/system.log"'
+      osascript -e 'tell application "Finder" to delete POSIX file "#{system_log_path}"'
     name: sh
     elevation_required: true
 - name: Delete system journal logs via rm and journalctl utilities
@@ -152,9 +290,22 @@ atomic_tests:
     The first sub-test deletes the journal files using rm utility in the "/var/log/journal/" directory and the second sub-test clears the journal by modifiying time period of logs that should be retained to zero.
   supported_platforms:
   - linux
+  input_arguments:
+    journal_folder:
+      description: path to journal logs
+      type: string
+      default: /var/log/journal
+  dependency_executor_name: sh
+  dependencies:
+  - description: |
+      target files must exist
+    prereq_command: |
+      stat #{journal_folder}
+    get_prereq_command: |
+      mkdir -p #{journal_folder} && touch #{journal_folder}/T1070_002.journal
   executor:
     command: |
-      sudo rm /var/log/journal/* #physically deletes the journal files, and not just their content
+      sudo rm #{journal_folder}/* #physically deletes the journal files, and not just their content
       sudo journalctl --vacuum-time=0 #clears the journal while still keeping the journal files in place
     name: sh
     elevation_required: true 
@@ -169,7 +320,16 @@ atomic_tests:
       description: Username of mail spool
       type: string
       default: root
+  dependency_executor_name: sh
+  dependencies:
+  - description: |
+      target files must exist
+    prereq_command: |
+      stat /var/spool/mail/#{username}
+    get_prereq_command: |
+      touch /var/spool/mail/#{username}
   executor:
+    elevation_required: true
     command: |
       echo 0> /var/spool/mail/#{username}
     name: bash
@@ -188,3 +348,6 @@ atomic_tests:
     command: |
       echo 0> #{log_path}
     name: bash
+    elevation_required: true
+    cleanup_command: |
+      if [ "/var/log/secure" != "#{log_path}" ] ; then rm -f #{log_path} ; fi