diff --git a/deps/wazuh_testing/wazuh_testing/modules/fim/__init__.py b/deps/wazuh_testing/wazuh_testing/modules/fim/__init__.py
index 62731fbd4b..1f0768894e 100644
--- a/deps/wazuh_testing/wazuh_testing/modules/fim/__init__.py
+++ b/deps/wazuh_testing/wazuh_testing/modules/fim/__init__.py
@@ -189,7 +189,7 @@
 CB_DATABASE_FULL_COULD_NOT_INSERT_KEY = r".*registry_key.*Couldn't insert ('.*') entry into DB. The DB is full.*"
 CB_COUNT_REGISTRY_ENTRIES = r".*Fim registry entries count: '(\d+)'"
 CB_COUNT_REGISTRY_VALUE_ENTRIES = r".*Fim registry values entries count: '(\d+)'"
-CB_REGISTRY_DBSYNC_NO_DATA = r".*#!-fim_registry_(.*) dbsync no_data (.+)"
+CB_REGISTRY_DBSYNC_NO_DATA = r".*fim_registry_(.*) dbsync no_data (.*)'"
 CB_REGISTRY_LIMIT_CAPACITY = r".*Registry database is (\d+)% full."
 CB_REGISTRY_DB_BACK_TO_NORMAL = r".*(The registry database status returns to normal)."
 CB_REGISTRY_LIMIT_VALUE = r".*Maximum number of registry values to be monitored: '(\d+)'"
diff --git a/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py b/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py
index bcb29a087a..65e8767ce8 100644
--- a/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py
+++ b/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py
@@ -143,14 +143,14 @@ def callback_num_inotify_watches(line):
 
 
 def callback_sync_start_time(line):
-    if fim.callback_detect_synchronization(line):
+    if callback_detect_synchronization(line):
         match = re.match(r"(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}).*", line)
         if match:
             return datetime.strptime(match.group(1), '%Y/%m/%d %H:%M:%S')
 
 
 def callback_state_event_time(line):
-    if fim.callback_detect_integrity_event(line):
+    if callback_detect_integrity_control_event(line):
         match = re.match(r"(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}).*", line)
         if match:
             return datetime.strptime(match.group(1), '%Y/%m/%d %H:%M:%S')
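Review bot: The first group of the new `CB_REGISTRY_DBSYNC_NO_DATA` pattern, `(.*)`, accepts any text between `fim_registry_` and ` dbsync no_data`, so callers cannot rely on group 1 being one of the two component suffixes the event_monitor hunk of this same commit distinguishes (`fim_registry_key` / `fim_registry_value`). If those are the only components that emit this message, `r".*fim_registry_(key|value) dbsync no_data (.*)'"` states the contract and stops unrelated lines from matching. The other two silent changes on this line — the dropped `#!-` prefix, the `(.+)` → `(.*)` relaxation that now lets an empty payload match, and the newly required closing `'` — deserve a comment beside the constant, e.g. `# group 1: registry component suffix (key|value); group 2: no_data payload up to the closing quote`.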
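Review bot: After this change `callback_sync_start_time` and `callback_state_event_time` differ only in the guard callback, yet each still restates the same timestamp regex and `strptime` format, so a later format change must be applied twice. A module-level compiled pattern and a small helper returning the parsed datetime (or None) keep the two in step and give each public callback a one-line docstring, which neither has now. The rename to `callback_detect_integrity_control_event` is consistent with the callback used in this file's next hunk, but I cannot see from here whether the old `callback_detect_integrity_event` name still exists elsewhere in the module. The body of `callback_state_event_time` may continue past the end of the hunk; the rewrite below covers only the lines shown.
```python
_LOG_TIMESTAMP = re.compile(r"(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}).*")


def _line_timestamp(line):
    """Return the leading log timestamp of `line` as a datetime, or None if absent."""
    match = _LOG_TIMESTAMP.match(line)
    if match:
        return datetime.strptime(match.group(1), '%Y/%m/%d %H:%M:%S')


def callback_sync_start_time(line):
    """Timestamp of a synchronization start line, or None when `line` is not one."""
    if callback_detect_synchronization(line):
        return _line_timestamp(line)


def callback_state_event_time(line):
    """Timestamp of an integrity-control event line, or None when `line` is not one."""
    if callback_detect_integrity_control_event(line):
        return _line_timestamp(line)
# … unchanged: anything following callback_state_event_time outside the hunk …
```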
@@ -167,7 +167,9 @@ def callback_real_time_whodata_started(line):
 
 
 def callback_detect_registry_integrity_clear_event(line):
     event = callback_detect_integrity_control_event(line)
-    if event and event['component'] == 'fim_registry' and event['type'] == 'integrity_clear':
+    if event and event['component'] == 'fim_registry_key' and event['type'] == 'integrity_clear':
+        return True
+    if event and event['component'] == 'fim_registry_value' and event['type'] == 'integrity_clear':
         return True
     return None
diff --git a/tests/integration/test_fim/conftest.py b/tests/integration/test_fim/conftest.py
index 988a219c2e..cb7d891722 100644
--- a/tests/integration/test_fim/conftest.py
+++ b/tests/integration/test_fim/conftest.py
@@ -16,9 +16,7 @@
 from wazuh_testing.tools.monitoring import FileMonitor
 from wazuh_testing.tools.file import truncate_file, delete_path_recursively, create_file
 from wazuh_testing.modules.fim import (WINDOWS_HKEY_LOCAL_MACHINE, MONITORED_KEY, SYNC_INTERVAL_VALUE, KEY_WOW64_64KEY,
-                                       FIM_DEFAULT_LOCAL_INTERNAL_OPTIONS, MONITORED_DIR_1)
-from wazuh_testing.modules.fim import (registry_parser, KEY_WOW64_64KEY, WINDOWS_HKEY_LOCAL_MACHINE, MONITORED_KEY,
-                                       SYNC_INTERVAL_VALUE, FIM_DEFAULT_LOCAL_INTERNAL_OPTIONS, registry_parser)
+                                       MONITORED_DIR_1, registry_parser)
 from wazuh_testing.modules.fim import event_monitor as evm
 from wazuh_testing.modules.fim.utils import create_registry, delete_registry
 
@@ -80,7 +78,7 @@ def install_audit(get_configuration):
 
 
 @pytest.fixture()
-def wait_fim_start_function(configuration):
+def wait_fim_start(configuration):
     """
     Wait for realtime start, whodata start or end of initial FIM scan.
     Args:
diff --git a/tests/integration/test_fim/test_files/test_report_changes/test_report_changes_and_diff.py b/tests/integration/test_fim/test_files/test_report_changes/test_report_changes_and_diff.py
index 8621ad0cc0..f53e3b9a6b 100644
--- a/tests/integration/test_fim/test_files/test_report_changes/test_report_changes_and_diff.py
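Review bot: The two added `if` branches in `callback_detect_registry_integrity_clear_event` are identical apart from the component string, so the check reads better as a single condition: `if event and event['type'] == 'integrity_clear' and event['component'] in ('fim_registry_key', 'fim_registry_value'):` followed by the existing `return True`. The bare `event['component']` and `event['type']` subscripts (carried over from the old line) raise KeyError instead of returning None when the decoded event lacks either field; `event.get('component')` / `event.get('type')` would preserve the callback's None-on-no-match contract, though I cannot tell from the hunk whether `callback_detect_integrity_control_event` guarantees both keys are present.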
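Review bot: The merged import in conftest.py no longer brings `FIM_DEFAULT_LOCAL_INTERNAL_OPTIONS` into scope, although both removed lines imported it; if any fixture further down this file still references the name, the module fails at import time and pytest reports a collection error for the whole test_fim tree. The rest of conftest.py is outside the hunk, so please confirm there are no remaining uses, or keep the name in the parenthesized list. The `wait_fim_start_function` → `wait_fim_start` rename in the second hunk of this file carries the same exposure: any test module not touched by this diff that still requests `wait_fim_start_function` (or the `wait_for_fim_start_function` spelling the two sync tests used) will fail with "fixture not found" rather than at import.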
+++ b/tests/integration/test_fim/test_files/test_report_changes/test_report_changes_and_diff.py
@@ -113,7 +113,7 @@
 @pytest.mark.parametrize('configuration, metadata', zip(configurations, configuration_metadata), ids=test_case_ids)
 def test_reports_file_and_nodiff(configuration, metadata, set_wazuh_configuration,
                                  configure_local_internal_options_function, restart_syscheck_function,
-                                 create_monitored_folders, wait_fim_start_function):
+                                 create_monitored_folders, wait_fim_start):
     '''
     description: Check if the 'wazuh-syscheckd' daemon reports the file changes (or truncates if required) in the
                  generated events using the 'nodiff' tag and vice versa. For this purpose, the test
diff --git a/tests/integration/test_fim/test_synchronization/test_registry_responses_win32.py b/tests/integration/test_fim/test_synchronization/test_registry_responses_win32.py
index 72a67ca1be..d4254cd359 100644
--- a/tests/integration/test_fim/test_synchronization/test_registry_responses_win32.py
+++ b/tests/integration/test_fim/test_synchronization/test_registry_responses_win32.py
@@ -56,14 +56,16 @@
 '''
 import os
 import pytest
-from wazuh_testing import DATA, WAZUH_SERVICES_START
+from wazuh_testing import LOG_FILE_PATH, DATA, WAZUH_SERVICES_START
 from wazuh_testing.tools.configuration import load_wazuh_configurations
+from wazuh_testing.tools.monitoring import FileMonitor
 from wazuh_testing.tools.services import control_service
 from wazuh_testing.modules.fim.utils import (find_value_in_event_list, get_sync_msgs, generate_params, create_registry,
                                              modify_registry_value)
 from wazuh_testing.modules.fim import (FIM_DEFAULT_LOCAL_INTERNAL_OPTIONS, SCHEDULED_MODE, WINDOWS_REGISTRY,
                                        SYNC_INTERVAL, SYNC_INTERVAL_VALUE, YAML_CONF_REGISTRY_RESPONSE, REG_SZ,
                                        WINDOWS_HKEY_LOCAL_MACHINE, MONITORED_KEY, registry_parser, KEY_WOW64_64KEY)
+from wazuh_testing.modules.fim.event_monitor import detect_initial_scan
 
 # Marks
 pytestmark = [pytest.mark.win32, pytest.mark.tier(level=1)]
@@ -150,9 +152,9 @@ def test_registry_sync_after_restart(key_name, value_name, configure_local_inter
 
     modify_registry_value(key_handle, value_name, REG_SZ, 'This is a test with syscheckd down.')
     control_service(WAZUH_SERVICES_START)
+    wazuh_log_monitor = FileMonitor(LOG_FILE_PATH)
+    detect_initial_scan(wazuh_log_monitor)
+    events = get_sync_msgs(timeout=SYNC_INTERVAL_VALUE)
-    events = get_sync_msgs(SYNC_INTERVAL_VALUE)
-
-    assert find_value_in_event_list(
-        os.path.join(WINDOWS_HKEY_LOCAL_MACHINE, key_path), value_name,
-        events) is not None, f"No sync event was found for {value_path}"
+    assert find_value_in_event_list(os.path.join(WINDOWS_HKEY_LOCAL_MACHINE, key_path), value_name,
+                                    events) is not None, f"No sync event was found for {value_path}"
 
diff --git a/tests/integration/test_fim/test_synchronization/test_sync_overlap.py b/tests/integration/test_fim/test_synchronization/test_sync_overlap.py
index ab7f8d0f48..503abe8430 100644
--- a/tests/integration/test_fim/test_synchronization/test_sync_overlap.py
+++ b/tests/integration/test_fim/test_synchronization/test_sync_overlap.py
@@ -93,11 +93,12 @@
 wazuh_log_monitor = FileMonitor(LOG_FILE_PATH)
 local_internal_options = fim.FIM_DEFAULT_LOCAL_INTERNAL_OPTIONS
 
+
 # Tests
 @pytest.mark.parametrize('configuration, metadata', zip(configurations, configuration_metadata), ids=test_case_ids)
 @pytest.mark.parametrize('files_number', [configuration_metadata[0]['files']])
 def test_sync_overlap(configuration, metadata, set_wazuh_configuration, configure_local_internal_options_function,
-                      create_files_in_folder, restart_syscheck_function, wait_for_fim_start_function):
+                      create_files_in_folder, restart_syscheck_function, wait_fim_start):
     '''
     description: Check if the 'wazuh-syscheckd' daemon is performing a synchronization at the interval specified
                  in the configuration, using the 'interval' tag, if a new synchronization is fired, and the last sync message
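Review bot: `wazuh_log_monitor = FileMonitor(LOG_FILE_PATH)` is constructed only after `control_service(WAZUH_SERVICES_START)` has returned, so any initial-scan message the daemon writes between the service start and the monitor's construction is never seen by `detect_initial_scan`, which would then sit through its full timeout and fail a test that actually passed; I cannot confirm from the hunk where FileMonitor begins reading, but if it starts at the current end of the log (the usual reason the test_fim conftest imports `truncate_file`, visible earlier in this diff), the monitor should be built before the restart: `wazuh_log_monitor = FileMonitor(LOG_FILE_PATH)` on the line above `control_service(WAZUH_SERVICES_START)`, with the log truncated first if the other sync tests do so. Separately, the rewritten assertion message interpolates `value_path`, which is not among the names the hunk shows being set (the call itself uses `key_path` and `value_name`); if it is not bound earlier in `test_registry_sync_after_restart`, a missed sync event surfaces as NameError instead of the intended assertion message. The function starts outside the hunk.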
diff --git a/tests/integration/test_fim/test_synchronization/test_sync_time.py b/tests/integration/test_fim/test_synchronization/test_sync_time.py
index af36e93cae..45f91f7930 100644
--- a/tests/integration/test_fim/test_synchronization/test_sync_time.py
+++ b/tests/integration/test_fim/test_synchronization/test_sync_time.py
@@ -97,7 +97,7 @@
 @pytest.mark.parametrize('configuration, metadata', zip(configurations, configuration_metadata), ids=test_case_ids)
 @pytest.mark.parametrize('files_number', [configuration_metadata[0]['files']])
 def test_sync_time(configuration, metadata, set_wazuh_configuration, configure_local_internal_options_function,
-                   create_files_in_folder, restart_syscheck_function, wait_for_fim_start_function):
+                   create_files_in_folder, restart_syscheck_function, wait_fim_start):
     '''
     description: Check when the 'wazuh-syscheckd' daemon is performing a synchronization, a normal synchronization
                  will end before the configured `interval` and `max_interval`.