Add yamllint to GHA

Signed-off-by: Gábor Lipták <gliptak@gmail.com>
2024-11-06 01:15:17 +00:00 · 2021-07-26 16:26:03 -04:00 · 2021-07-26 16:26:03 -04:00 · d2592ee0b6
commit d2592ee0b6
parent 7cacc57313
13 changed files with 91 additions and 90 deletions
--- a/.github/workflows/sigma-test.yml
+++ b/.github/workflows/sigma-test.yml
@ -8,7 +8,9 @@ on:
    branches:
      - "*"
  pull_request:
-    branches: [ master, oscd ]
+    branches:
+      - master
+      - oscd

 jobs:
  test-sigma:
@ -31,3 +33,9 @@ jobs:
    - name: Test SQL(ite) Backend
      run: |
        pipenv run make test-backend-sql
+  yamllint:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: yaml-lint
+      uses: ibiqlik/action-yamllint@v3
--- a/4
+++ b/4
@ -104,7 +104,7 @@ test-sigmac:
 	$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml -o $(TMPOUT) - < tests/collection_repeat.yml > /dev/null
 	! $(COVERAGE) run -a --include=$(COVSCOPE)  tools/sigmac -t xpack-watcher -c tools/config/winlogbeat.yml -O output=foobar -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
 	! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/not_existing.yml > /dev/null
-	! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_yaml.yml > /dev/null
+	! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_yaml.badyml > /dev/null
 	! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-no_identifiers.yml > /dev/null
 	! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-no_condition.yml > /dev/null
 	! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-invalid_identifier_reference.yml > /dev/null
@ -113,7 +113,7 @@ test-sigmac:
 	! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml rules/windows/builtin/win_susp_failed_logons_single_source.yml
 	! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml -o /not_possible rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
 	! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c not_existing rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
-	! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_yaml.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
+	! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_yaml.badyml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
 	! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_config.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml

 test-merge:
--- a/rules-unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml
+++ b/rules-unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml
@ -13,7 +13,7 @@ tags:
 logsource:
    product: windows
    category: process_creation
-    definition : Works only if  Enrich Sysmon events with additional information about process in ParentOfParentImage check enrichment section
+    definition: Works only if  Enrich Sysmon events with additional information about process in ParentOfParentImage check enrichment section
 detection:
    parent_image:
        ParentImage|endswith:
--- a/rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml
+++ b/rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml
@ -35,7 +35,7 @@ fields:
    - IntegrityLevel
    - User
    - Image
-    ParentProcessGuid
+    - ParentProcessGuid
 falsepositives:
    - System administrator usage
    - Penetration test 
--- a/rules-unsupported/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
+++ b/rules-unsupported/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
@ -12,7 +12,7 @@ date: 2019/06/03
 logsource:
    category: process_creation
    product: windows
-    definition : Works only if  Enrich Sysmon events with additional information about process in ParentIntegrityLevel check enrichment section
+    definition: Works only if  Enrich Sysmon events with additional information about process in ParentIntegrityLevel check enrichment section
 detection:
    selection:
        ParentIntegrityLevel: Medium
--- a/rules-unsupported/win_possible_privilege_escalation_using_rotten_potato.yml
+++ b/rules-unsupported/win_possible_privilege_escalation_using_rotten_potato.yml
@ -15,7 +15,7 @@ modified: 2020/09/01
 logsource:
    category: process_creation
    product: windows
-    definition : Works only if  Enrich Sysmon events with additional information about process in ParentUser check enrichment section
+    definition: Works only if  Enrich Sysmon events with additional information about process in ParentUser check enrichment section
 detection:
    selection:
        ParentUser:
--- a/tests/invalid_yaml.badyml
+++ b/tests/invalid_yaml.badyml
--- a/tools/config/arcsight-zeek.yml
+++ b/tools/config/arcsight-zeek.yml
@ -458,7 +458,7 @@ fieldmappings:
    #service=http:
    #service=sip:
  msg:
-    -  'message'
+    - 'message'
    #service=notice:
    #service=pop3:
  name:
@ -832,7 +832,7 @@ fieldmappings:
  #password:
  pending: message
  #status: message
-  successful_commands:  message
+  successful_commands: message
  #username: sourceUserName
  # Radius
  connect_info: message
--- a/tools/config/ecs-auditd.yml
+++ b/tools/config/ecs-auditd.yml
@ -1,4 +1,4 @@
-title:  Elastic Auditbeat (from 7.x) index pattern and field mapping following Elastic enabled Modules
+title: Elastic Auditbeat (from 7.x) index pattern and field mapping following Elastic enabled Modules
 order: 20
 backends:
  - es-qs
@ -70,7 +70,6 @@ fieldmappings:
    data: data
    default-context: default-context
    dev: dev
-    dev: dev
    device: device
    dir: dir
    direction: direction
@ -92,7 +91,6 @@ fieldmappings:
    feature: feature
    fi: fi
    fp: fp
-    fp: fp
    format: format
    fsgid: fsgid
    fsuid: fsuid
@ -169,7 +167,6 @@ fieldmappings:
    ogid: ogid
    ocomm: ocomm
    old: old
-    old: old
    old-auid: old-auid
    old-chardev: old-chardev
    old-disk: old-disk
--- a/tools/config/ecs-filebeat.yml
+++ b/tools/config/ecs-filebeat.yml
@ -1,4 +1,4 @@
-title:  Elastic filebeat (from 7.x) index pattern and field mapping following Elastic Common Schema 
+title: Elastic filebeat (from 7.x) index pattern and field mapping following Elastic Common Schema
 order: 20
 backends:
  - es-qs
--- a/tools/config/logrhythm_winevent.yml
+++ b/tools/config/logrhythm_winevent.yml
@ -1,71 +1,71 @@
---
-title: LogRhythm Windows EventID Field Mapping
-
-order: 20
-backends:
- - es-qs-lr
-
-logsources:
-  eventlogs:
-    product: windows
-    conditions:
-      logSourceTypeName: 'MS Windows Event Logging XML - Security'
-
-fieldmappings:
-  EventID: vendorMessageID
-  TicketOptions: object
-  TicketEncryptionType: sessionType
-  ServiceName: processName
-  TargetUserName:
-    - originUser
-    - impactedUser
-  Workstation: originHostname
-  SubjectUserName: originUser
-  LogonType: command
-  LogonProcessName: processName
-  WorkstationName:
-    - originHostname
-    - impactedHostname
-  SubjectLogonId: session
-  SubStatus: status
-  IpPort: originPort
-  IpAddress:
-    - originIp
-    - impactedIp
-  ErrorCode: responseCode
-  Task: vendorInfo
-  PrivilegeList: subject
-  SamAccountName: impactedUser
-  PrimaryGroupId: group
-  StatusCode: responseCode
-  Level: severity
-  SubjectDomainName: domainOrigin
-  DSName: domainImpacted
-  ObjectDN: objectName
-  ObjectGUID: object
-  ObjectClass: objectType
-  OperationType: action
-  Computer: impactedHostname
-  CategoryId: policy
-  SubcategoryId: objectName
-  SubCategoryGuid: object
-  AuditPolicyChanges: action
-  ObjectCollectionName: objectType
-  CountOfCredentialsReturned: quantity
-  AlgorithmName: policy
-  KeyName: objectName
-  KeyType: objectType
-  KeyFilePath: object
-  Operation: action
-  ReturnCode: responseCode
-  ChannelType: objectType
-  DomainName: domainImpacted
-  ExecutionProcessId: processId
-  processName: process
-  ProviderName: vendorInfo
-  SChannelName: objectName
-  SecureChannelName: objectName
-  ThreadId: session
-  UserName: 
-    - originUser
+---
+title: LogRhythm Windows EventID Field Mapping
+
+order: 20
+backends:
+ - es-qs-lr
+
+logsources:
+  eventlogs:
+    product: windows
+    conditions:
+      logSourceTypeName: 'MS Windows Event Logging XML - Security'
+
+fieldmappings:
+  EventID: vendorMessageID
+  TicketOptions: object
+  TicketEncryptionType: sessionType
+  ServiceName: processName
+  TargetUserName:
+    - originUser
+    - impactedUser
+  Workstation: originHostname
+  SubjectUserName: originUser
+  LogonType: command
+  LogonProcessName: processName
+  WorkstationName:
+    - originHostname
+    - impactedHostname
+  SubjectLogonId: session
+  SubStatus: status
+  IpPort: originPort
+  IpAddress:
+    - originIp
+    - impactedIp
+  ErrorCode: responseCode
+  Task: vendorInfo
+  PrivilegeList: subject
+  SamAccountName: impactedUser
+  PrimaryGroupId: group
+  StatusCode: responseCode
+  Level: severity
+  SubjectDomainName: domainOrigin
+  DSName: domainImpacted
+  ObjectDN: objectName
+  ObjectGUID: object
+  ObjectClass: objectType
+  OperationType: action
+  Computer: impactedHostname
+  CategoryId: policy
+  SubcategoryId: objectName
+  SubCategoryGuid: object
+  AuditPolicyChanges: action
+  ObjectCollectionName: objectType
+  CountOfCredentialsReturned: quantity
+  AlgorithmName: policy
+  KeyName: objectName
+  KeyType: objectType
+  KeyFilePath: object
+  Operation: action
+  ReturnCode: responseCode
+  ChannelType: objectType
+  DomainName: domainImpacted
+  ExecutionProcessId: processId
+  processName: process
+  ProviderName: vendorInfo
+  SChannelName: objectName
+  SecureChannelName: objectName
+  ThreadId: session
+  UserName:
+    - originUser
    - impactedUser
--- a/tools/config/winlogbeat-modules-enabled.yml
+++ b/tools/config/winlogbeat-modules-enabled.yml
@ -225,7 +225,6 @@ fieldmappings:
    Accesses: winlog.event_data.Accesses
    AccessList: winlog.event_data.AccessList
    AttributeValue: winlog.event_data.AttributeValue
-    AttributeValue: winlog.event_data.AttributeValue
    AuditSourceName: winlog.event_data.AuditSourceName
    AuthenticationPackage: winlog.event_data.AuthenticationPackageName
    CallerProcessName: winlog.event_data.CallerProcessName
@ -279,4 +278,4 @@ fieldmappings:
    TaskName: winlog.event_data.TaskName
    # UserName => smbclient-security  eventid:31017
    UserName: winlog.event_data.UserName
-    Workstation : winlog.event_data.Workstation
+    Workstation: winlog.event_data.Workstation
--- a/tools/config/winlogbeat.yml
+++ b/tools/config/winlogbeat.yml
@ -203,8 +203,6 @@ fieldmappings:
    ContextInfo: winlog.event_data.ContextInfo
    # from here missing field at 20210706
    Accesses: winlog.event_data.Accesses
-    AccessList: winlog.event_data.AccessList
-    AttributeValue: winlog.event_data.AttributeValue
    AttributeValue: winlog.event_data.AttributeValue
    AuditSourceName: winlog.event_data.AuditSourceName
    AuthenticationPackage: winlog.event_data.AuthenticationPackageName
@ -214,7 +212,6 @@ fieldmappings:
    Company: winlog.event_data.Company
    DestAddress: winlog.event_data.DestAddress
    Destination: winlog.event_data.Destination
-    DestinationIsIpv6: winlog.event_data.DestinationIsIpv6
    DestPort: winlog.event_data.DestPort
    Device: winlog.event_data.Device
    DeviceDescription: winlog.event_data.DeviceDescription
@ -258,4 +255,4 @@ fieldmappings:
    TaskName: winlog.event_data.TaskName
    # UserName => smbclient-security  eventid:31017
    UserName: winlog.event_data.UserName 
-    Workstation : winlog.event_data.Workstation
+    Workstation: winlog.event_data.Workstation