From 315c70f7265015079e236a7cb6764c3c675eeea5 Mon Sep 17 00:00:00 2001 From: mdengra Date: Tue, 5 Oct 2021 10:19:43 +0200 Subject: [PATCH] doc: Add test_ignore, test_inotify, and test_invalid of test_fim/test_files documentation in QA Docs style The following tests have been documentated: * test_remove_rename_folder.py * test_invalid.py Minor corrections in the documentation of the remaining tests. The current scheme of the issue #1694 has been used. Updated config.yaml PEP-8 fixes. Closes: #1970 --- docs/DocGenerator/config.yaml | 3 + .../test_ignore/test_ignore_valid.py | 3 + .../test_inotify/test_num_watches.py | 3 +- .../test_inotify/test_remove_rename_folder.py | 131 ++++++++++++++++-- .../test_files/test_invalid/test_invalid.py | 116 ++++++++++++++-- 5 files changed, 231 insertions(+), 25 deletions(-) diff --git a/docs/DocGenerator/config.yaml b/docs/DocGenerator/config.yaml index 3458a83154..2a48b11c21 100644 --- a/docs/DocGenerator/config.yaml +++ b/docs/DocGenerator/config.yaml @@ -54,6 +54,9 @@ Ignore paths: - "../../tests/integration/test_fim/test_files/test_env_variables/data" - "../../tests/integration/test_fim/test_files/test_file_limit/data" - "../../tests/integration/test_fim/test_files/test_follow_symbolic_link/data" + - "../../tests/integration/test_fim/test_files/test_ignore/data" + - "../../tests/integration/test_fim/test_files/test_inotify/data" + - "../../tests/integration/test_fim/test_files/test_invalid/data" Output fields: Module: diff --git a/tests/integration/test_fim/test_files/test_ignore/test_ignore_valid.py b/tests/integration/test_fim/test_files/test_ignore/test_ignore_valid.py index e125ce9fc0..5d55e295eb 100644 --- a/tests/integration/test_fim/test_files/test_ignore/test_ignore_valid.py +++ b/tests/integration/test_fim/test_files/test_ignore/test_ignore_valid.py 
@@ -204,6 +204,9 @@ def test_ignore_subdirectory(folder, filename, content, triggers_event, the 'wazuh-syscheckd' daemon and, these are combined with the testing directories to be monitored defined in the module. + inputs: + - 936 test cases including multiple regular expressions and names for testing files and directories. + expected_output: - r'.*Sending FIM event: (.+)$' ('added' events) - r'.*Ignoring .* due to' diff --git a/tests/integration/test_fim/test_files/test_inotify/test_num_watches.py b/tests/integration/test_fim/test_files/test_inotify/test_num_watches.py index 4d2ff210fb..33f769cfff 100644 --- a/tests/integration/test_fim/test_files/test_inotify/test_num_watches.py +++ b/tests/integration/test_fim/test_files/test_inotify/test_num_watches.py @@ -20,6 +20,7 @@ components: - agent + - manager daemons: - wazuh-syscheckd @@ -200,7 +201,7 @@ def test_num_watches(realtime_enabled, decreases_num_watches, rename_folder, get combined with the testing directories to be monitored defined in the module. expected_output: - - r'.*Folders monitored with real-time engine + - r'.*Folders monitored with real-time engine' tags: - realtime diff --git a/tests/integration/test_fim/test_files/test_inotify/test_remove_rename_folder.py b/tests/integration/test_fim/test_files/test_inotify/test_remove_rename_folder.py index a4ac501b0a..687aa8f9bd 100644 --- a/tests/integration/test_fim/test_files/test_inotify/test_remove_rename_folder.py +++ b/tests/integration/test_fim/test_files/test_inotify/test_remove_rename_folder.py 
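Review bot: The new `inputs:` entry in test_ignore_subdirectory's docstring hard-codes `936 test cases`, a count that will silently go stale the next time the regex lists or the parametrization of this module change, and nothing in the docstring says where the number comes from. Since the QA-docs field is meant to describe the inputs rather than count them, consider `- Multiple regular expressions and file/directory names, combined with the monitored directories defined in the module parametrization.` and drop the literal number, or state how it was derived so it can be re-checked. The body of test_ignore_subdirectory lies outside this hunk.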
@@ -1,7 +1,76 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts + when these files are modified. Specifically, these tests will verify that FIM manages + the 'inotify watches' (adds, deletes) when a monitored directory is modified. + The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured + files for changes to the checksums, permissions, and ownership. + +tier: 1 + +modules: + - fim + +components: + - agent + - manager + +daemons: + - wazuh-syscheckd + +os_platform: + - linux + - windows + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + - Windows 10 + - Windows 8 + - Windows 7 + - Windows Server 2016 + - Windows server 2012 + - Windows server 2003 + - Windows XP + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#directories + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the 'who-data' information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. + 1: Only level 1 tests are performed, they check functionalities of medium complexity. 
+ 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. + +tags: + - fim_inotify +''' import os import shutil as sh import sys 
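Review bot: The `brief:` of the new module docstring reads `watches selected files and triggering alerts`, which is ungrammatical; it should read `watches selected files and triggers alerts when these files are modified`. The same brief frames the tests around `'inotify watches'` while `os_platform:` lists `windows`; inotify is Linux-specific, and the per-test docstring later in this patch expects a separate `Directory added for real time monitoring` message on Windows, so `real-time watches (inotify on Linux)` would describe both platforms without over-claiming. The `os_version:` list also mixes `Windows Server 2016` with `Windows server 2012` and `Windows server 2003`; pick one capitalization so the generated docs are consistent.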
@@ -79,17 +148,49 @@ def get_configuration(request): (False, True) ]) def test_readded_watches(removed, renamed, get_configuration, configure_environment, restart_syscheckd_each_time): - """ - Check if Wazuh delete watches when directory is removed or renamed, and add watches when directory is readded. - - Parameters - ---------- - removed : Boolean - Tells if the directory must be removed - renamed : Boolean - Tells if the directory must be renamed - """ - + ''' + description: Check if the 'wazuh-syscheckd' daemon deletes an 'inotify watch' when renaming or deleting + a monitored directory, and add an 'inotify watch' when the directory is restored. For this + purpose, the test will create and monitor a testing directory. Once FIM is started, it will + verify that a watch has been added. Then, the test will make file operations (rename, delete) + on the monitored directory and check if the watch has been removed. Finally, it will restore + the directory and verify that the 'inotify watch' has been added by checking the FIM events. + + wazuh_min_version: 4.2.0 + + parameters: + - removed: + type: bool + brief: True if the directory must be removed. False otherwise. + - renamed: + type: bool + brief: True if the directory must be renamed. False otherwise. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd_each_time: + type: fixture + brief: Clear the 'ossec.log' file, add a testing directory, and start a new monitor in each test case. + + assertions: + - Verify that FIM removes 'inotify watches' when deleting or renaming a monitored folder. + - Verify that FIM adds 'inotify watches' when a deleted monitored folder is restored. 
+ + input_description: A test case is contained in external YAML file (wazuh_conf_num_watches.yaml) which + includes configuration settings for the 'wazuh-syscheckd' daemon and, these are + combined with the testing directories to be monitored defined in the module. + + expected_output: + - r'.*Folders monitored with real-time engine' + - r'.*Directory added for real time monitoring' (On Windows systems) + - r'.*Realtime watch deleted for' + + tags: + - realtime + ''' # Check Wazuh add directory to realtime mode if sys.platform == 'win32': directory = wazuh_log_monitor.start(timeout=40, callback=callback_realtime_added_directory, diff --git a/tests/integration/test_fim/test_files/test_invalid/test_invalid.py b/tests/integration/test_fim/test_files/test_invalid/test_invalid.py index e984af3f71..f1ec4e5c19 100644 --- a/tests/integration/test_fim/test_files/test_invalid/test_invalid.py +++ b/tests/integration/test_fim/test_files/test_invalid/test_invalid.py 
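Review bot: The second `assertions:` entry, `Verify that FIM adds 'inotify watches' when a deleted monitored folder is restored`, only covers the removal case, but the parametrization visible just above the docstring includes `(False, True)` (removed=False, renamed=True), and the docstring being replaced said watches are re-added whenever the directory is readded; suggest `- Verify that FIM adds the watch again when a deleted or renamed monitored folder is restored.`. The `input_description:` names `wazuh_conf_num_watches.yaml`, which looks borrowed from test_num_watches.py — confirm that is the file this module actually loads. The `expected_output:` entry `r'.*Directory added for real time monitoring' (On Windows systems)` also shows the Windows path does not go through inotify, so the description's `'inotify watch'` wording holds only on Linux. The body of test_readded_watches continues past the end of the hunk.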
@@ -1,7 +1,76 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when + these files are modified. Specifically, these tests will verify that FIM detects + invalid configurations and indicates the location of the errors detected. + The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks + configured files for changes to the checksums, permissions, and ownership. + +tier: 1 + +modules: + - fim + +components: + - agent + - manager + +daemons: + - wazuh-syscheckd + +os_platform: + - linux + - windows + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + - Windows 10 + - Windows 8 + - Windows 7 + - Windows Server 2016 + - Windows server 2012 + - Windows server 2003 + - Windows XP + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#ignore + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the 'who-data' information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. + 1: Only level 1 tests are performed, they check functionalities of medium complexity. 
+ 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. + +tags: + - fim_invalid +''' import os import sys @@ -49,11 +118,40 @@ def get_configuration(request): ({'invalid_no_regex', 'invalid_scan', 'invalid_file_limit'}) ]) def test_invalid(tags_to_apply, get_configuration, configure_environment): - """ - Checks if an invalid configuration is detected - - Using invalid configurations with different attributes, expect an error message and syscheck unable to restart. - """ + ''' + description: Check if the 'wazuh-syscheckd' daemon detects invalid configurations. For this purpose, the test + will configure 'syscheck' using invalid configuration settings with different attributes. Finally, + it will verify that error events are generated indicating the source of the errors. + + wazuh_min_version: 4.2.0 + + parameters: + - tags_to_apply: + type: set + brief: Run test if matches with a configuration identifier, skip otherwise. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + + assertions: + - Verify that FIM raises a 'ValueError' when an invalid configuration is used + and the testing platform is not Windows. + - Verify that an FIM error event is generated when an invalid configuration is detected. + + input_description: Different test cases are contained in external YAML files (wazuh_conf.yaml) which + includes configuration settings for the 'wazuh-syscheckd' daemon and, these are + combined with the testing directories to be monitored defined in the module. + + expected_output: + - r'.*Configuration error at' + + tags: + - realtime + - scheduled + ''' check_apply_test(tags_to_apply, get_configuration['tags']) # Configuration error -> ValueError raised try:
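Review bot: The `references:` entry in the new test_invalid.py module docstring points at `syscheck.html#ignore`, but the configuration identifiers exercised by this module (`invalid_no_regex`, `invalid_scan`, `invalid_file_limit` in the parametrization further down the patch) appear to cover more than the ignore option; the general syscheck reference page, or the `#directories` anchor used elsewhere in this patch, would be a less misleading pointer — worth confirming against what wazuh_conf.yaml actually sets. The `brief:` also repeats the ungrammatical `watches selected files and triggering alerts`; use `triggers alerts`. Note that `pytest_args:` documents only `realtime` and `whodata` for `fim_mode`, while the test's own tags include `scheduled`; if scheduled is the default mode, saying so here would remove the apparent mismatch.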
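Review bot: The rewritten docstring of test_invalid drops the property the old one stated — `expect an error message and syscheck unable to restart` — and the new `assertions:` only mention a `ValueError` and an error event, so the fail-closed behaviour this test guards (the daemon must not come up on a rejected configuration) is no longer documented. Suggest adding `- Verify that 'wazuh-syscheckd' does not start while the invalid configuration is in place.` to `assertions:`, provided the body — which continues past `try:` outside the hunk — still checks that. Minor: `external YAML files (wazuh_conf.yaml) which includes` should be either `external YAML file (wazuh_conf.yaml) which includes` or `files ... which include`.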