From 3b8eb63c448821f08467785ff196528748bcd140 Mon Sep 17 00:00:00 2001 From: mdengra Date: Thu, 23 Sep 2021 16:06:31 +0200 Subject: [PATCH 01/12] doc: Migrate test_fim/test_files/test_audit documentation in QA Docs style The following tests have been documented: * test_audit.py * test_audit_after_initial_scan.py * test_audit_no_dir.py * test_remove_audit.py * test_remove_rule_five_times.py Minor corrections in the documentation of the remaining tests. The current scheme of the issue #1694 has been used. PEP-8 fixes. Closes: #1918 --- docs/DocGenerator/config.yaml | 3 + .../test_ambiguous_complex.py | 4 +- .../test_ambiguous_simple.py | 4 +- .../test_ambiguous_whodata_thread.py | 4 +- .../test_duplicate_entries.py | 4 +- .../test_ignore_works_over_restrict.py | 4 +- .../test_whodata_prevails_over_realtime.py | 4 +- .../test_files/test_audit/test_audit.py | 438 +++++++++++++----- .../test_audit_after_initial_scan.py | 183 ++++++-- .../test_audit/test_audit_no_dir.py | 132 +++++- .../test_audit/test_remove_audit.py | 128 ++++- .../test_audit/test_remove_rule_five_times.py | 138 +++++- 12 files changed, 832 insertions(+), 214 deletions(-) diff --git a/docs/DocGenerator/config.yaml b/docs/DocGenerator/config.yaml index 37cb5c59ac..8b7538d506 100644 --- a/docs/DocGenerator/config.yaml +++ b/docs/DocGenerator/config.yaml @@ -9,6 +9,7 @@ Include paths: - "../../tests/integration/test_api" - "../../tests/integration/test_authd" - "../../tests/integration/test_cluster" + - "../../tests/integration/test_fim" Include regex: - "^test_.*py$" @@ -45,6 +46,8 @@ Ignore paths: - "../../tests/integration/test_api/test_config/test_use_only_authd/data" - "../../tests/integration/test_authd/data" - "../../tests/integration/test_cluster/test_key_polling/data" + - "../../tests/integration/test_fim/test_files/test_ambiguous_confs/data" + - "../../tests/integration/test_fim/test_files/test_audit/data" Output fields: Module: 
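Review bot: The Include paths hunk adds the whole `../../tests/integration/test_fim` tree, while the Ignore paths hunk only excludes the `data` directories of the two sub-suites migrated here; since the subject marks this as patch 01/12, the generator will presumably now also walk the not-yet-migrated `test_fim` suites and any other `data` folders under them. If the generator is meant to process only modules that already use the new docstring layout, narrowing the include entry to `../../tests/integration/test_fim/test_files/test_audit` and `../../tests/integration/test_fim/test_files/test_ambiguous_confs` until the series is complete, or listing the remaining `test_fim` subtrees under Ignore paths, would avoid that. I cannot tell from this hunk how the generator handles files that still carry the old header-comment format.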
diff --git a/tests/integration/test_fim/test_files/test_ambiguous_confs/test_ambiguous_complex.py b/tests/integration/test_fim/test_files/test_ambiguous_confs/test_ambiguous_complex.py index b7056e0229..54a3abdaa5 100644 --- a/tests/integration/test_fim/test_files/test_ambiguous_confs/test_ambiguous_complex.py +++ b/tests/integration/test_fim/test_files/test_ambiguous_confs/test_ambiguous_complex.py @@ -61,8 +61,8 @@ pytest_args: - fim_mode: - realtime: Enable real-time/continuous monitoring on Linux (using the inotify system calls) and Windows systems. - whodata: Implies real-time monitoring but adding the who-data information. + realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the `who-data` information. tags: - fim diff --git a/tests/integration/test_fim/test_files/test_ambiguous_confs/test_ambiguous_simple.py b/tests/integration/test_fim/test_files/test_ambiguous_confs/test_ambiguous_simple.py index 60c87e3990..c35055bdd7 100644 --- a/tests/integration/test_fim/test_files/test_ambiguous_confs/test_ambiguous_simple.py +++ b/tests/integration/test_fim/test_files/test_ambiguous_confs/test_ambiguous_simple.py @@ -63,8 +63,8 @@ pytest_args: - fim_mode: - realtime: Enable real-time/continuous monitoring on Linux (using the inotify system calls) and Windows systems. - whodata: Implies real-time monitoring but adding the who-data information. + realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the `who-data` information. tags: - fim diff --git a/tests/integration/test_fim/test_files/test_ambiguous_confs/test_ambiguous_whodata_thread.py b/tests/integration/test_fim/test_files/test_ambiguous_confs/test_ambiguous_whodata_thread.py index 573eb2d064..d7644a2813 100644 --- a/tests/integration/test_fim/test_files/test_ambiguous_confs/test_ambiguous_whodata_thread.py 
+++ b/tests/integration/test_fim/test_files/test_ambiguous_confs/test_ambiguous_whodata_thread.py @@ -60,8 +60,8 @@ pytest_args: - fim_mode: - realtime: Enable real-time/continuous monitoring on Linux (using the inotify system calls) and Windows systems. - whodata: Implies real-time monitoring but adding the who-data information. + realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the `who-data` information. tags: - fim diff --git a/tests/integration/test_fim/test_files/test_ambiguous_confs/test_duplicate_entries.py b/tests/integration/test_fim/test_files/test_ambiguous_confs/test_duplicate_entries.py index dc374e8265..732f8bb114 100644 --- a/tests/integration/test_fim/test_files/test_ambiguous_confs/test_duplicate_entries.py +++ b/tests/integration/test_fim/test_files/test_ambiguous_confs/test_duplicate_entries.py @@ -62,8 +62,8 @@ pytest_args: - fim_mode: - realtime: Enable real-time/continuous monitoring on Linux (using the inotify system calls) and Windows systems. - whodata: Implies real-time monitoring but adding the who-data information. + realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the `who-data` information. tags: - fim diff --git a/tests/integration/test_fim/test_files/test_ambiguous_confs/test_ignore_works_over_restrict.py b/tests/integration/test_fim/test_files/test_ambiguous_confs/test_ignore_works_over_restrict.py index 933928bc27..dfe0089443 100644 --- a/tests/integration/test_fim/test_files/test_ambiguous_confs/test_ignore_works_over_restrict.py +++ b/tests/integration/test_fim/test_files/test_ambiguous_confs/test_ignore_works_over_restrict.py 
@@ -62,8 +62,8 @@ pytest_args: - fim_mode: - realtime: Enable real-time/continuous monitoring on Linux (using the inotify system calls) and Windows systems. - whodata: Implies real-time monitoring but adding the who-data information. + realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the `who-data` information. tags: - fim diff --git a/tests/integration/test_fim/test_files/test_ambiguous_confs/test_whodata_prevails_over_realtime.py b/tests/integration/test_fim/test_files/test_ambiguous_confs/test_whodata_prevails_over_realtime.py index 2d4e3d5e85..9a7b902049 100644 --- a/tests/integration/test_fim/test_files/test_ambiguous_confs/test_whodata_prevails_over_realtime.py +++ b/tests/integration/test_fim/test_files/test_ambiguous_confs/test_whodata_prevails_over_realtime.py @@ -54,8 +54,8 @@ pytest_args: - fim_mode: - realtime: Enable real-time/continuous monitoring on Linux (using the inotify system calls) and Windows systems. - whodata: Implies real-time monitoring but adding the who-data information. + realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the `who-data` information. tags: - fim diff --git a/tests/integration/test_fim/test_files/test_audit/test_audit.py b/tests/integration/test_fim/test_files/test_audit/test_audit.py index be6fd3e62b..5ee8d62361 100644 --- a/tests/integration/test_fim/test_files/test_audit/test_audit.py +++ b/tests/integration/test_fim/test_files/test_audit/test_audit.py 
@@ -1,7 +1,68 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: These tests will check if the `wazuh-syscheckd` and `auditd` daemons work together properly. + The `who-data` feature of the of the File Integrity Monitoring (`FIM`) system uses + the Linux Audit subsystem to get the information about who made the changes in a monitored directory. + These changes produce audit events that are processed by `syscheck` and reported to the manager. + The `FIM` capability is managed by the `wazuh-syscheckd` daemon, which checks configured files + for changes to the checksums, permissions, and ownership. + +tier: 1 + +modules: + - fim + +components: + - agent + - manager + +daemons: + - wazuh-syscheckd + +os_platform: + - linux + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + +references: + - https://man7.org/linux/man-pages/man8/auditd.8.html + - https://documentation.wazuh.com/current/user-manual/capabilities/auditing-whodata/who-linux.html + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the `who-data` information. + +tags: + - fim + - auditd +''' import os import subprocess 
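Review bot: The `brief` paragraph of the new module docstring repeats "of the" (`feature of the of the File Integrity Monitoring`); the same sentence is duplicated verbatim in the test_audit_after_initial_scan.py header hunk. As this docstring is presumably parsed by the DocGenerator once config.yaml includes test_fim, the typo goes straight into the generated documentation; change the line to `The who-data feature of the File Integrity Monitoring (FIM) system uses` (keeping the existing backticks around `who-data` and `FIM`).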
@@ -47,19 +108,41 @@ def get_configuration(request): ]) def test_audit_health_check(tags_to_apply, get_configuration, configure_environment, restart_syscheckd): - """Check if the health check is passed. - - Args: - tags_to_apply (set): Run test if matches with a configuration identifier, skip otherwise. - get_configuration (fixture): Gets the current configuration of the test. - configure_environment (fixture): Configure the environment for the execution of the test. - restart_syscheckd (fixture): Restarts syscheck. - wait_for_fim_start (fixture): Waits until the first FIM scan is completed. - - Raises: - TimeoutError: If an expected event couldn't be captured. - """ - + ''' + description: Check if the health check of the `auditd` daemon is passed. + For this purpose, the test will monitor a testing folder using + `who-data` and it will check that the health check passed + verifying that the proper `FIM` event is generated. + + wazuh_min_version: 4.2 + + parameters: + - tags_to_apply: + type: set + brief: Run test if match with a configuration identifier, skip otherwise. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the `ossec.log` file and start a new monitor. + + assertions: + - Verify that the `who-data` health check of `FIM` is passed. + + input_description: A test case (config1) is contained in external `YAML` file (wazuh_conf.yaml) + which includes configuration settings for the `wazuh-syscheckd` daemon + and testing directories to monitor. + + expected_output: + - r'Whodata health-check: Success.' + + tags: + - who-data + ''' logger.info('Applying the test configuration') check_apply_test(tags_to_apply, get_configuration['tags']) 
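Review bot: The description calls this the health check "of the `auditd` daemon", but the expected_output pattern `Whodata health-check: Success.` and the assertion `the who-data health check of FIM is passed` both describe FIM's own who-data health check, which exercises auditd rather than checking auditd itself. Opening with `Check if the who-data health check of FIM is passed.` (with the file's usual backticks) would make the description agree with the assertion. The parameter list correctly drops the `wait_for_fim_start` fixture that the old docstring listed but the signature never had. The function body continues past the hunk.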
@@ -72,20 +155,42 @@ def test_audit_health_check(tags_to_apply, get_configuration, ]) def test_added_rules(tags_to_apply, get_configuration, configure_environment, restart_syscheckd): - """Check if the specified folders are added to Audit rules list. - - Args: - tags_to_apply (set): Run test if matches with a configuration identifier, skip otherwise. - get_configuration (fixture): Gets the current configuration of the test. - configure_environment (fixture): Configure the environment for the execution of the test. - restart_syscheckd (fixture): Restarts syscheck. - wait_for_fim_start (fixture): Waits until the first FIM scan is completed. - - Raises: - TimeoutError: If an expected event couldn't be captured. - ValueError: If the path of the event is wrong. - """ - + ''' + description: Check if the specified folders are added to the `audit` rules list. + For this purpose, the test will monitor several folders using `who-data`. + Once `FIM` starts, the test will check if the a rule for every monitored + directory is added verifying that the proper `FIM` event is generated. + + wazuh_min_version: 4.2 + + parameters: + - tags_to_apply: + type: set + brief: Run test if match with a configuration identifier, skip otherwise. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the `ossec.log` file and start a new monitor. + + assertions: + - Verify that `FIM` adds `audit` rules for the monitored directories. + + input_description: A test case (config1) is contained in external `YAML` file (wazuh_conf.yaml) + which includes configuration settings for the `wazuh-syscheckd` daemon + and testing directories to monitor. 
+ + expected_output: + - r'.*Added audit rule for monitoring directory' + + tags: + - audit-rules + - who-data + ''' logger.info('Applying the test configuration') check_apply_test(tags_to_apply, get_configuration['tags']) logger.info('Checking the event...') 
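Review bot: The description of test_added_rules reads `the test will check if the a rule for every monitored directory is added` — stray "the a"; change it to `the test will check that a rule for every monitored directory is added`. The function body (the event check after `logger.info('Checking the event...')`) continues past the hunk.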
@@ -105,20 +210,44 @@ def test_added_rules(tags_to_apply, get_configuration, ]) def test_readded_rules(tags_to_apply, get_configuration, configure_environment, restart_syscheckd): - """Check if the removed rules are added to Audit rules list. - - Args: - tags_to_apply (set): Run test if matches with a configuration identifier, skip otherwise. - get_configuration (fixture): Gets the current configuration of the test. - configure_environment (fixture): Configure the environment for the execution of the test. - restart_syscheckd (fixture): Restarts syscheck. - wait_for_fim_start (fixture): Waits until the first FIM scan is completed. - - Raises: - TimeoutError: If an expected event couldn't be captured. - ValueError: If the path of the event is wrong. - """ - + ''' + description: Check if the removed rules are added to the audit rules list. + For this purpose, the test will monitor several folders using `who-data`. + Once `FIM` starts, the test will remove the audit rule (using `auditctl`) + and will wait until the manipulation event is triggered. Finally, the test + will check that the `audit` rule is added again verifying that + the proper `FIM` event is generated. + + wazuh_min_version: 4.2 + + parameters: + - tags_to_apply: + type: set + brief: Run test if match with a configuration identifier, skip otherwise. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the `ossec.log` file and start a new monitor. + + assertions: + - Verify that `FIM` is able to re-add `audit` rules for the monitored directories. + + input_description: A test case (config1) is contained in external `YAML` file (wazuh_conf.yaml) + which includes configuration settings for the `wazuh-syscheckd` daemon + and testing directories to monitor. 
+ + expected_output: + - r'.*Added audit rule for monitoring directory' + + tags: + - audit-rules + - who-data + ''' logger.info('Applying the test configuration') check_apply_test(tags_to_apply, get_configuration['tags']) 
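Review bot: The description of test_readded_rules says the removed rules `are added to the audit rules list`, while the assertion says `re-add`; `are added again to the audit rules list` in the description would match the assertion and the test name. In the same paragraph `audit` appears both bare (`the audit rules list`, `remove the audit rule`) and back-quoted (`the audit rule is added again`); the other docstrings in this patch back-quote it consistently. The function body continues past the hunk.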
@@ -145,20 +274,45 @@ def test_readded_rules(tags_to_apply, get_configuration, ]) def test_readded_rules_on_restart(tags_to_apply, get_configuration, configure_environment, restart_syscheckd): - """Check if the rules are added to Audit when it restarts. - - Args: - tags_to_apply (set): Run test if matches with a configuration identifier, skip otherwise. - get_configuration (fixture): Gets the current configuration of the test. - configure_environment (fixture): Configure the environment for the execution of the test. - restart_syscheckd (fixture): Restarts syscheck. - wait_for_fim_start (fixture): Waits until the first FIM scan is completed. - - Raises: - TimeoutError: If an expected event couldn't be captured. - ValueError: If the path of the event is wrong. - """ - + ''' + description: Check if `FIM` is able to add the `audit` rules when the `auditd` daemon is restarted. + For this purpose, the test will monitor a folder using `whodata`. Once FIM starts, + the test will restart the `auditd` daemon and, it will wait until it has started. + After `auditd` is running, the test will wait for the `FIM` `connect` and + `load rule` events to be generated. + + wazuh_min_version: 4.2 + + parameters: + - tags_to_apply: + type: set + brief: Run test if match with a configuration identifier, skip otherwise. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the `ossec.log` file and start a new monitor. + + assertions: + - Verify that `FIM` adds the `audit` rules for the monitored directories + after the `auditd` daemon restarting. + + input_description: A test case (config1) is contained in external `YAML` file (wazuh_conf.yaml) + which includes configuration settings for the `wazuh-syscheckd` daemon + and testing directories to monitor. 
+ + expected_output: + - r'(6030): Audit: connected' + - r'.*Added audit rule for monitoring directory' + + tags: + - audit-rules + - who-data + ''' logger.info('Applying the test configuration') check_apply_test(tags_to_apply, get_configuration['tags']) 
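Review bot: The assertion of test_readded_rules_on_restart reads `after the auditd daemon restarting`, which is ungrammatical; `after the auditd daemon is restarted` (backticks kept) reads correctly. In the description, `the test will restart the auditd daemon and, it will wait until it has started` has a stray comma before `it`, and `Once FIM starts` is the one place in this file where `FIM` is not back-quoted. The function body continues past the hunk.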
@@ -188,19 +342,43 @@ def test_readded_rules_on_restart(tags_to_apply, get_configuration, ]) def test_move_rules_realtime(tags_to_apply, get_configuration, configure_environment, restart_syscheckd): - """Check if the rules are changed to realtime when Audit stops. - - Args: - tags_to_apply (set): Run test if matches with a configuration identifier, skip otherwise. - get_configuration (fixture): Gets the current configuration of the test. - configure_environment (fixture): Configure the environment for the execution of the test. - restart_syscheckd (fixture): Restarts syscheck. - wait_for_fim_start (fixture): Waits until the first FIM scan is completed. - Raises: - TimeoutError: If an expected event couldn't be captured. - ValueError: If the path of the event is wrong. - """ - + ''' + description: Check if `FIM` switches the monitoring mode of the testing directories from `who-data` + to `realtime` when the `auditd` daemon stops. For this purpose, the test will monitor + several folders using `whodata`. Once `FIM` starts, the test will stop the auditd service. + Then it will wait until the monitored directories using `whodata` are monitored with + `realtime`, verifying that the proper `FIM` events are generated. + + wazuh_min_version: 4.2 + + parameters: + - tags_to_apply: + type: set + brief: Run test if match with a configuration identifier, skip otherwise. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the `ossec.log` file and start a new monitor. + + assertions: + - Verify that `FIM` switches the monitoring mode of the testing directories from `whodata` to `realtime` + + input_description: A test case (config1) is contained in external `YAML` file (wazuh_conf.yaml) + which includes configuration settings for the `wazuh-syscheckd` daemon + and testing directories to monitor. 
+ + expected_output: + - r'.*Directory added for real time monitoring' + + tags: + - realtime + - who-data + ''' logger.info('Applying the test configuration') check_apply_test(tags_to_apply, get_configuration['tags']) 
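Review bot: The description of test_move_rules_realtime mixes `who-data` and `whodata` for the same monitoring mode (`from who-data to realtime` in the first sentence, `several folders using whodata` in the second, `whodata` again in the assertion), and the assertion line is the only one in this file without a terminating period. The module-level `pytest_args` block uses `whodata` for the mode value and `who-data` for the feature name, so following that split consistently would help. The same mixing appears in the test_readded_rules_on_restart hunk and in the test_remove_and_read_folder hunk of test_audit_after_initial_scan.py. The function body continues past the hunk.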
@@ -228,22 +406,46 @@ def test_move_rules_realtime(tags_to_apply, get_configuration, ("custom_audit_key", "/testdir1") ]) def test_audit_key(audit_key, path, get_configuration, configure_environment, restart_syscheckd): - """Check `` functionality by adding a audit rule and checking if alerts with that key are triggered when - a file is created. - - Args: - audit_key (str): Name of the audit_key to monitor. - tags_to_apply (set): Run test if matches with a configuration identifier, skip otherwise. - get_configuration (fixture): Gets the current configuration of the test. - configure_environment (fixture): Configure the environment for the execution of the test. - restart_syscheckd (fixture): Restarts syscheck. - wait_for_fim_start (fixture): Waits until the first FIM scan is completed. - - Raises: - TimeoutError: If an expected event couldn't be captured. - ValueError: If the path of the event is wrong. - """ - + ''' + description: Check the `audit_key` functionality by adding a `audit` rule and checking if alerts with + that key are triggered when a file is created. The `audit` keys are keywords that allow + identifying which audit rules generate particular events. For this purpose, the test + will manually add a rule for a monitored path using a custom `audit` key. After `FIM` starts, + the test will check that the events that are generated with the custom key are processed. + + wazuh_min_version: 4.2 + + parameters: + - audit_key: + type: str + brief: Name of the `audit_key` to monitor. + - path: + type: str + brief: Path to the audit_key + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the `ossec.log` file and start a new monitor. + + assertions: + - Verify that the `Match audit_key` event of `FIM` is generated correctly. 
+ + input_description: A test case (audit_key) is contained in external `YAML` file (wazuh_conf.yaml) + which includes configuration settings for the `wazuh-syscheckd` daemon + and testing directories to monitor. + + expected_output: + - r'Match audit_key' (`key="wazuh_hc"` and `key="wazuh_fim"` must not appear in the event) + + tags: + - audit-keys + - who-data + ''' logger.info('Applying the test configuration') check_apply_test({audit_key}, get_configuration['tags']) 
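Review bot: The `path` parameter is documented as `Path to the audit_key`, which does not describe the value: in the visible parametrize entry `("custom_audit_key", "/testdir1")` it is the directory the custom audit rule is attached to, so `Path of the directory the custom audit rule is added for.` would be accurate (the brief is also missing its terminating period, unlike the other entries). In the description, `adding a audit rule` should be `adding an audit rule`. The function body continues past the hunk.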
@@ -276,23 +478,49 @@ def test_audit_key(audit_key, path, get_configuration, configure_environment, re ({'restart_audit_false'}, False) ]) def test_restart_audit(tags_to_apply, should_restart, get_configuration, configure_environment, restart_syscheckd): - """Check `` functionality by removing the plugin and monitoring audit to see if it restart and create - the file again. - - Args: - tags_to_apply (set): Run test if matches with a configuration identifier, skip otherwise. - should_restart (boolean): True if Auditd should restart, False otherwise - get_configuration (fixture): Gets the current configuration of the test. - configure_environment (fixture): Configure the environment for the execution of the test. - restart_syscheckd (fixture): Restarts syscheck. - wait_for_fim_start (fixture): Waits until the first FIM scan is completed. - - Raises: - TimeoutError: If an expected event couldn't be captured. - ValueError: If the time before the and after the restart are equal when auditd has been restarted or if the time - before and after the restart are different when auditd hasn't been restarted - """ - + ''' + description: Check the `restart_audit` functionality by removing the `af_wazuh.conf` plugin used + by the `auditd` daemon and monitoring the `auditd` process to see if it restart and + and finally, it checks if the deleted plugin is created again. + + wazuh_min_version: 4.2 + + parameters: + - tags_to_apply: + type: set + brief: Run test if match with a configuration identifier, skip otherwise. + - should_restart: + type: bool + brief: True if the `auditd` daemon should restart, False otherwise. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the `ossec.log` file and start a new monitor. 
+ + assertions: + - Verify that the `auditd` process is created again when restarting + this service by checking its creation time. + - Verify that the `auditd` process is not killed when the restart command + is not sent by checking its creation time. + - Verify that the `af_wazuh.conf` plugin of the `auditd` daemon + is created again after being deleted. + + input_description: Two test cases (audit_key and restart_audit_false) are contained in external + `YAML` file (wazuh_conf.yaml) which includes configuration settings for + the `wazuh-syscheckd` daemon and testing directories to monitor. + + expected_output: + - The creation time of the `auditd` daemon process. + + tags: + - audit-keys + - who-data + ''' def get_audit_creation_time(): for proc in psutil.process_iter(attrs=['name']): if proc.name() == "auditd": diff --git a/tests/integration/test_fim/test_files/test_audit/test_audit_after_initial_scan.py b/tests/integration/test_fim/test_files/test_audit/test_audit_after_initial_scan.py index 6d1daecb05..20192c6240 100644 --- a/tests/integration/test_fim/test_files/test_audit/test_audit_after_initial_scan.py +++ b/tests/integration/test_fim/test_files/test_audit/test_audit_after_initial_scan.py 
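Review bot: The description of test_restart_audit reads `to see if it restart and and finally, it checks`, with a duplicated "and" and a verb agreement slip; change it to `to see if it restarts, and finally it checks whether the deleted plugin is created again.`. The `tags` entry `audit-keys` looks carried over from test_audit_key; this test exercises the `restart_audit` option, so a `restart-audit` tag would presumably fit the tag scheme better, though I cannot verify the allowed tag set from here. The `expected_output` entry (`The creation time of the auditd daemon process.`) is a description rather than a log pattern like every other entry in the file; if the generator expects patterns there, it would be clearer to state that the test compares process creation times instead of matching a log line. The nested `get_audit_creation_time` helper and the rest of the body continue past the hunk.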
@@ -1,8 +1,70 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: These tests will check if the `wazuh-syscheckd` and `auditd` daemons work together properly. + The first one, called `test_remove_and_read_folder` checks that `FIM` monitors a folder if + it is removed and created. The second one, restarts `auditd` and checks if `who-data` works. + The `who-data` feature of the of the File Integrity Monitoring (`FIM`) system uses + the Linux Audit subsystem to get the information about who made the changes in a monitored directory. + These changes produce audit events that are processed by `syscheck` and reported to the manager. + The `FIM` capability is managed by the `wazuh-syscheckd` daemon, which checks configured files + for changes to the checksums, permissions, and ownership. 
+ +tier: 1 + +modules: + - fim + +components: + - agent + - manager + +daemons: + - wazuh-syscheckd + +os_platform: + - linux + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + +references: + - https://man7.org/linux/man-pages/man8/auditd.8.html + - https://documentation.wazuh.com/current/user-manual/capabilities/auditing-whodata/who-linux.html + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the `who-data` information. + +tags: + - fim + - auditd +''' import os import shutil import subprocess 
@@ -49,20 +111,51 @@ def get_configuration(request): def test_remove_and_read_folder(tags_to_apply, folder, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): - """Remove folder which is monitored with auditd and then create it again. - - Args: - tags_to_apply (set): Run test if matches with a configuration identifier, skip otherwise. - folder (str): The folder to remove and read. - get_configuration (fixture): Gets the current configuration of the test. - configure_environment (fixture): Configure the environment for the execution of the test. - restart_syscheckd (fixture): Restarts syscheck. - wait_for_fim_start (fixture): Waits until the first FIM scan is completed. - - Raises: - TimeoutError: If an expected event couldn't be captured. - """ - + ''' + description: Check if the `wazuh-syscheckd` daemon detects the events generated by `auditd` + after deleting and creating a testing directory. For this purpose, the test + will monitor a folder using `whodata. Once `FIM` starts, the test will remove + the folder and checks if the `audit` rule associated to that folder has been removed. + Finally, it creates again the same folder and checks that the `audit` rule is added. + + wazuh_min_version: 4.2 + + parameters: + - tags_to_apply: + type: set + brief: Run test if match with a configuration identifier, skip otherwise. + - folder: + type: str + brief: The testing folder to remove and add. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the `ossec.log` file and start a new monitor. + - wait_for_fim_start: + type: fixture + brief: Wait for realtime start, whodata start, or end of initial FIM scan. + + assertions: + - Verify that `FIM` is able to monitor the folders using `who-data` + after they are removed and created again. 
+ + input_description: A test case (config1) is contained in external `YAML` file (wazuh_conf.yaml) + which includes configuration settings for the `wazuh-syscheckd` daemon + and testing directories to monitor. + + expected_output: + - r'.*Sending FIM event: (.+)$' (Initial scan when restarting Wazuh) + - r'.* Audit rule removed.' + - r'.*Added audit rule for monitoring directory' + + tags: + - who-data + ''' check_apply_test(tags_to_apply, get_configuration['tags']) shutil.rmtree(folder, ignore_errors=True) 
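Review bot: The description of test_remove_and_read_folder has an unclosed backtick in `will monitor a folder using `whodata. Once `FIM` starts`, which will pair with the next backtick and garble the rendered docstring; close it as `using whodata. Once FIM starts` with both words back-quoted. Also `the audit rule associated to that folder` should be `associated with that folder`, and `it creates again the same folder` reads better as `it creates the same folder again`. The function body (the `shutil.rmtree` call and the following checks) continues past the hunk.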
@@ -81,19 +174,45 @@ def test_remove_and_read_folder(tags_to_apply, folder, get_configuration, ]) def test_reconnect_to_audit(tags_to_apply, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): - """Restart auditd and check Wazuh reconnect to auditd - - Args: - tags_to_apply (set): Run test if matches with a configuration identifier, skip otherwise. - get_configuration (fixture): Gets the current configuration of the test. - configure_environment (fixture): Configure the environment for the execution of the test. - restart_syscheckd (fixture): Restarts syscheck. - wait_for_fim_start (fixture): Waits until the first FIM scan is completed. - - Raises: - TimeoutError: If an expected event couldn't be captured. - """ - + ''' + description: Check if the `wazuh-syscheckd` daemon detects the events generated by `auditd` + after restarting. For this purpose, restart the `auditd` daemon and check that + the connection closing and opening events are generated. + + wazuh_min_version: 4.2 + + parameters: + - tags_to_apply: + type: set + brief: Run test if match with a configuration identifier, skip otherwise. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the `ossec.log` file and start a new monitor. + - wait_for_fim_start: + type: fixture + brief: Wait for realtime start, whodata start, or end of initial FIM scan. + + assertions: + - Verify that `FIM` can recover from loosing its connection to the `auditd` daemon. + + input_description: A test case (config1) is contained in external `YAML` file (wazuh_conf.yaml) + which includes configuration settings for the `wazuh-syscheckd` daemon + and testing directories to monitor. + + expected_output: + - r'.*Sending FIM event: (.+)$' (Initial scan when restarting Wazuh) + - r'.*Audit: connection closed.' 
+ - r'(6030): Audit: connected' + + tags: + - who-data + ''' check_apply_test(tags_to_apply, get_configuration['tags']) restart_command = ["service", "auditd", "restart"] diff --git a/tests/integration/test_fim/test_files/test_audit/test_audit_no_dir.py b/tests/integration/test_fim/test_files/test_audit/test_audit_no_dir.py index 6116c61c01..77155d28a3 100644 --- a/tests/integration/test_fim/test_files/test_audit/test_audit_no_dir.py +++ b/tests/integration/test_fim/test_files/test_audit/test_audit_no_dir.py 
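Review bot: The assertion line of test_reconnect_to_audit misspells `loosing`; it should read `Verify that `FIM` can recover from losing its connection to the `auditd` daemon.`. The description says the daemon detects events `after restarting` without saying what is restarted; the following sentence makes clear it is `auditd`, so `after the `auditd` daemon is restarted` removes the ambiguity. The body of test_reconnect_to_audit continues past the hunk.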
@@ -1,8 +1,68 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: These tests will check if the File Integrity Monitoring (`FIM`) system doesn't add audit rules for + non-existing directories. The `who-data` feature of the `FIM` system uses the Linux Audit subsystem + to get the information about who made the changes in a monitored directory. These changes produce + audit events that are processed by `syscheck` and reported to the manager. The `FIM` capability + is managed by the `wazuh-syscheckd` daemon, which checks configured files for changes + to the checksums, permissions, and ownership. + +tier: 1 + +modules: + - fim + +components: + - agent + - manager + +daemons: + - wazuh-syscheckd + +os_platform: + - linux + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + +references: + - https://man7.org/linux/man-pages/man8/auditd.8.html + - https://documentation.wazuh.com/current/user-manual/capabilities/auditing-whodata/who-linux.html + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the `who-data` information. + +tags: + - fim + - auditd +''' import os import shutil import sys 
@@ -62,25 +122,49 @@ def extra_configuration_after_yield(): {'audit_no_dir'} ]) def test_audit_no_dir(tags_to_apply, get_configuration, configure_environment, restart_syscheckd): - """Monitor non-existent directory in whodata. Check that it is added to the rules after creating it. - - The audit thread runs always a directory that is configured to be monitored in - who-data mode. Doesn't matter if it exists at start-up or not. Once that thread - is up, the audit rules are reloaded every 30 seconds (not configurable), so - when the directory is created, it starts to be monitored. - - Args: - tags_to_apply (set): Run test if matches with a configuration identifier, skip otherwise. - get_configuration (fixture): Gets the current configuration of the test. - configure_environment (fixture): Configure the environment for the execution of the test. - restart_syscheckd (fixture): Restarts syscheck. - wait_for_fim_start (fixture): Waits until the first FIM scan is completed. - - Raises: - TimeoutError: If an expected event couldn't be captured. - ValueError: If the path of the event is wrong. - """ - + ''' + description: Monitor non-existent directory with `who-data` and check that it is added + to the rules after creating it. For this purpose, the test will monitor + a non-existing folder using `who-data`. Once FIM starts, the test + will check that the audit rule is not added. Then, it will create + the folder and wait until the rule is added again. + The audit thread runs always a directory that is configured to be monitored + in `who-data` mode. Does not matter if it exists at start-up or not. Once that + thread is up, the audit rules are reloaded every 30 seconds (not configurable), + so when the directory is created, it starts to be monitored. + + wazuh_min_version: 4.2 + + parameters: + - tags_to_apply: + type: set + brief: Run test if match with a configuration identifier, skip otherwise. 
+ - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the `ossec.log` file and start a new monitor. + + assertions: + - Verify that `FIM` does not add rules for non-existing directories. + - Verify that `FIM` is able to monitor a folder after it's creation. + + input_description: A test case (audit_no_dir) is contained in external `YAML` file (wazuh_conf.yaml) + which includes configuration settings for the `wazuh-syscheckd` daemon + and testing directories to monitor. + + expected_output: + - r'.*Unable to add audit rule for' + - r'.*Added audit rule for monitoring directory' + + tags: + - audit-rules + - who-data + ''' check_apply_test(tags_to_apply, get_configuration['tags']) # Assert message is generated: Unable to add audit rule for .... diff --git a/tests/integration/test_fim/test_files/test_audit/test_remove_audit.py b/tests/integration/test_fim/test_files/test_audit/test_remove_audit.py index d10d708d79..041b0314bb 100644 --- a/tests/integration/test_fim/test_files/test_audit/test_remove_audit.py +++ b/tests/integration/test_fim/test_files/test_audit/test_remove_audit.py 
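Review bot: The second assertion of test_audit_no_dir has `after it's creation`, which should be `after its creation`. In the description, `The audit thread runs always a directory that is configured to be monitored` (carried over from the old docstring) does not parse; `The audit thread always handles a directory configured for `who-data` monitoring, whether or not it exists at start-up.` says what it seems to intend. The old docstring's `Raises: ValueError: If the path of the event is wrong.` is dropped by the migration; if the body (outside the hunk) still raises it, the description should keep that note.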
@@ -1,8 +1,70 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: These tests will check if the `wazuh-syscheckd` and `auditd` daemons work together properly. + In particular, it will be verified that when there is no `auditd` package installed on + the system, the directories monitored with `who-data` mode are monitored with `realtime`. + The `who-data` feature of the of the File Integrity Monitoring (`FIM`) system uses + the Linux Audit subsystem to get the information about who made the changes in a monitored directory. + These changes produce audit events that are processed by `syscheck` and reported to the manager. + The `FIM` capability is managed by the `wazuh-syscheckd` daemon, which checks configured files + for changes to the checksums, permissions, and ownership. 
+ +tier: 1 + +modules: + - fim + +components: + - agent + - manager + +daemons: + - wazuh-syscheckd + +os_platform: + - linux + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + +references: + - https://man7.org/linux/man-pages/man8/auditd.8.html + - https://documentation.wazuh.com/current/user-manual/capabilities/auditing-whodata/who-linux.html + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the `who-data` information. + +tags: + - fim + - auditd +''' import os import re import subprocess 
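Review bot: The brief of test_remove_audit.py has a doubled phrase, `The `who-data` feature of the of the File Integrity Monitoring`; drop one `of the`. The identical sentence is copied into the module docstring of test_remove_rule_five_times.py in the next file section, so fix both. The brief describes the fallback to `realtime` when `auditd` is absent but not its consequence; since the same paragraph explains that `who-data` exists to record who made a change, adding `so the who-made-the-change information is not available for those directories` would tell readers of the generated docs why this fallback is worth a dedicated test.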
@@ -74,20 +136,48 @@ def uninstall_install_audit(): ]) def test_move_folders_to_realtime(tags_to_apply, get_configuration, uninstall_install_audit, configure_environment, restart_syscheckd): - """Check folders monitored with Whodata change to Real-time if auditd is not installed - - Args: - tags_to_apply (set): Run test if matches with a configuration identifier, skip otherwise. - get_configuration (fixture): Gets the current configuration of the test. - uninstall_install_audit (fixture): Uninstall auditd before the test and install auditd again after the test is - executed. - configure_environment (fixture): Configure the environment for the execution of the test. - restart_syscheckd (fixture): Restarts syscheck. - wait_for_fim_start (fixture): Waits until the first FIM scan is completed. - Raises: - TimeoutError: If an expected event couldn't be captured. - """ - + ''' + description: Check if `FIM` switches the monitoring mode of the testing directories from `who-data` + to `realtime` when the `auditd` package is not installed. For this purpose, the test + will monitor several folders using `whodata` and uninstall the `authd` package. + Once `FIM` starts, it will wait until the monitored directories using `whodata` + are monitored with `realtime` verifying that the proper `FIM` events are generated. + Finally, the test will install the `auditd` package again. + + wazuh_min_version: 4.2 + + parameters: + - tags_to_apply: + type: set + brief: Run test if match with a configuration identifier, skip otherwise. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - uninstall_install_audit: + type: fixture + brief: Uninstall `auditd` before the test and install it again after the test run. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the `ossec.log` file and start a new monitor. 
+ + assertions: + - Verify that `FIM` switches the monitoring mode of the testing directories from `whodata` to `realtime` + if the `authd` package is not installed. + + input_description: A test case (config1) is contained in external `YAML` file (wazuh_conf.yaml) + which includes configuration settings for the `wazuh-syscheckd` daemon + and testing directories to monitor. + + expected_output: + - r'.*Who-data engine could not start. Switching who-data to real-time.' + + tags: + - realtime + - who-data + ''' check_apply_test(tags_to_apply, get_configuration['tags']) wazuh_log_monitor.start(timeout=20, callback=fim.callback_audit_cannot_start, diff --git a/tests/integration/test_fim/test_files/test_audit/test_remove_rule_five_times.py b/tests/integration/test_fim/test_files/test_audit/test_remove_rule_five_times.py index fe6b66e966..e1662e5842 100644 --- a/tests/integration/test_fim/test_files/test_audit/test_remove_rule_five_times.py +++ b/tests/integration/test_fim/test_files/test_audit/test_remove_rule_five_times.py 
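Review bot: The description and the assertion of test_move_folders_to_realtime name the wrong package: `uninstall the `authd` package` and `if the `authd` package is not installed` should both say `auditd`, as the brief of the `uninstall_install_audit` fixture and the expected log line `Who-data engine could not start. Switching who-data to real-time.` do. `authd` is a different Wazuh component (the agent enrollment daemon, see the test_authd suite referenced in this repository), so the generated documentation would currently describe a test that does not exist. `the monitored directories using `whodata` are monitored with `realtime`` also reads better as `the directories monitored with `whodata` switch to `realtime``. The body of test_move_folders_to_realtime continues past the hunk.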
@@ -1,8 +1,70 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: These tests will check if the `wazuh-syscheckd` and `auditd` daemons work together properly. + In particular, it will be verified that when the `audit` rules of a directory monitored + in `who-data` mode are manipulated multiple times, they switch to being monitored in + `realtime` mode. The `who-data` feature of the of the File Integrity Monitoring (`FIM`) system uses + the Linux Audit subsystem to get the information about who made the changes in a monitored directory. + These changes produce audit events that are processed by `syscheck` and reported to the manager. + The `FIM` capability is managed by the `wazuh-syscheckd` daemon, which checks configured files + for changes to the checksums, permissions, and ownership. 
+ +tier: 1 + +modules: + - fim + +components: + - agent + - manager + +daemons: + - wazuh-syscheckd + +os_platform: + - linux + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + +references: + - https://man7.org/linux/man-pages/man8/auditd.8.html + - https://documentation.wazuh.com/current/user-manual/capabilities/auditing-whodata/who-linux.html + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the `who-data` information. + +tags: + - fim + - auditd +''' import os import subprocess 
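Review bot: In the brief of test_remove_rule_five_times.py, `they switch to being monitored in `realtime` mode` has the `audit` rules as its grammatical subject, but it is the directory whose monitoring mode changes; `the directory switches to being monitored in `realtime` mode` says it unambiguously. The doubled `of the of the` in the same paragraph is the same defect already noted on test_remove_audit.py.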
@@ -44,23 +106,55 @@ def get_configuration(request): ]) def test_remove_rule_five_times(tags_to_apply, folder, audit_key, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): - """Remove auditd rule using auditctl five times and check Wazuh ignores folder. - - Args: - tags_to_apply (set): Run test if matches with a configuration identifier, skip otherwise. - folder (str): Path whose rule will be removed. - audit_key (str): Name of the configured audit key. - get_configuration (fixture): Gets the current configuration of the test. - uninstall_install_audit (fixture): Uninstall auditd before the test and install auditd again after the test is - executed. - configure_environment (fixture): Configure the environment for the execution of the test. - restart_syscheckd (fixture): Restarts syscheck. - wait_for_fim_start (fixture): Waits until the first FIM scan is completed. - - Raises: - TimeoutError: If an expected event couldn't be captured. - """ - + ''' + description: Check if `FIM` stops monitoring with `whodata` when at least five manipulations + in the `audit` rules have been done by a user. For this purpose, the test + will monitor a folder using `who-data`. Once `FIM` starts, the test will modify + five times the `audit` rules and, finally it will wait until the monitored + directory using `whodata` is monitored with `realtime` verifying that + the proper `FIM` events are generated. + + wazuh_min_version: 4.2 + + parameters: + - tags_to_apply: + type: set + brief: Run test if match with a configuration identifier, skip otherwise. + - audit_key: + type: str + brief: Name of the configured audit key. + - folder: + type: str + brief: Path to the testing directory whose rule will be removed. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. 
+ - restart_syscheckd: + type: fixture + brief: Clear the `ossec.log` file and start a new monitor. + - wait_for_fim_start: + type: fixture + brief: Wait for realtime start, whodata start, or end of initial FIM scan. + + assertions: + - Verify that `FIM` switches the monitoring mode of the testing directory + from `whodata` to `realtime` when an user edits the `audit` rules. + + input_description: A test case (config1) is contained in external `YAML` file (wazuh_conf.yaml) + which includes configuration settings for the `wazuh-syscheckd` daemon + and testing directories to monitor. + + expected_output: + - r'Detected Audit rules manipulation' + - r'.*Deleting Audit rules' + + tags: + - audit-rules + - who-data + ''' check_apply_test(tags_to_apply, get_configuration['tags']) for _ in range(0, 5): From b7bddd7783c6b8a89add5ba6935d2aca1372d052 Mon Sep 17 00:00:00 2001 From: mdengra Date: Thu, 23 Sep 2021 16:30:33 +0200 Subject: [PATCH 02/12] doc: Migrate test_fim/test_files/test_audit documentation in QA Docs style Remove special character in the expected_output field that prevent the documentation generation in: * test_audit.py * test_audit_after_initial_scan.py Closes: #1918 --- tests/integration/test_fim/test_files/test_audit/test_audit.py | 2 +- .../test_files/test_audit/test_audit_after_initial_scan.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/integration/test_fim/test_files/test_audit/test_audit.py b/tests/integration/test_fim/test_files/test_audit/test_audit.py index 5ee8d62361..2aa9a6360f 100644 --- a/tests/integration/test_fim/test_files/test_audit/test_audit.py +++ b/tests/integration/test_fim/test_files/test_audit/test_audit.py @@ -306,7 +306,7 @@ def test_readded_rules_on_restart(tags_to_apply, get_configuration, and testing directories to monitor. expected_output: - - r'(6030): Audit: connected' + - r'Audit: connected' - r'.*Added audit rule for monitoring directory' tags: 
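Review bot: The parameters list of test_remove_rule_five_times documents `audit_key` before `folder`, while the signature is `(tags_to_apply, folder, audit_key, ...)`; the other docstrings in this series keep the documented order equal to the signature order, so swap the two entries. The assertion says `when an user edits`, which should be `when a user edits`. The old summary line, `Remove auditd rule using auditctl five times`, said what the five manipulations are and that detail is gone from the new description; `the test will remove the `audit` rule five times using `auditctl`` would restore it, assuming the loop body (which continues past the hunk) still does that.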
diff --git a/tests/integration/test_fim/test_files/test_audit/test_audit_after_initial_scan.py b/tests/integration/test_fim/test_files/test_audit/test_audit_after_initial_scan.py index 20192c6240..a3e3579ba2 100644 --- a/tests/integration/test_fim/test_files/test_audit/test_audit_after_initial_scan.py +++ b/tests/integration/test_fim/test_files/test_audit/test_audit_after_initial_scan.py @@ -208,7 +208,7 @@ def test_reconnect_to_audit(tags_to_apply, get_configuration, configure_environm expected_output: - r'.*Sending FIM event: (.+)$' (Initial scan when restarting Wazuh) - r'.*Audit: connection closed.' - - r'(6030): Audit: connected' + - r'Audit: connected' tags: - who-data From 63aae27d26b11735bd22c07e585310b147166bc6 Mon Sep 17 00:00:00 2001 From: mdengra Date: Thu, 23 Sep 2021 17:36:42 +0200 Subject: [PATCH 03/12] doc: Migrate test_fim/test_files/test_basic_usage documentation in QA Docs style The following test test_basic_usage_baseline_generation.py has been documentated. The current scheme of the issue #1694 has been used. PEP-8 fixes. Closes: #1927 --- .../test_basic_usage_baseline_generation.py | 114 ++++++++++++++++-- 1 file changed, 102 insertions(+), 12 deletions(-) diff --git a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_baseline_generation.py b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_baseline_generation.py index 77e9a09bdd..a22135a216 100644 --- a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_baseline_generation.py +++ b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_baseline_generation.py 
@@ -1,7 +1,72 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: These tests will check if the File Integrity Monitoring (`FIM`) system watches selected files + and triggering alerts when these files are modified. Specifically, they will check that + the modifications made on files during the initial scan (`baseline`) generate events when + the scan is finished. + The FIM capability is managed by the `wazuh-syscheckd` daemon, which checks configured files + for changes to the checksums, permissions, and ownership. + +tier: 0 + +modules: + - fim + +components: + - agent + +daemons: + - wazuh-agentd + - wazuh-syscheckd + +os_platform: + - linux + - windows + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + - Windows 10 + - Windows 8 + - Windows 7 + - Windows Server 2016 + - Windows server 2012 + - Windows server 2003 + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the `who-data` information. + +tags: + - fim +''' import os from time import time 
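Review bot: The first sentence of the brief in test_basic_usage_baseline_generation.py does not parse: `will check if the ... system watches selected files and triggering alerts` mixes a finite verb with a participle; `watches selected files and triggers alerts` fixes it. The same sentence is reused in the module docstrings of test_basic_usage_changes.py and test_basic_usage_create_after_delete_dir.py later in this series. The os_version list spells `Windows Server 2016` but `Windows server 2012` and `Windows server 2003`; these values feed the generated documentation, and if the generator indexes by value the inconsistent capitalisation yields separate entries for one platform family.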
@@ -62,14 +127,39 @@ def extra_configuration_before_yield(): def test_wait_until_baseline(get_configuration, configure_environment, restart_syscheckd): - """ - Check if events are appearing after the baseline - The message 'File integrity monitoring scan ended' informs about the end of the first scan, - which generates the baseline - - It creates a file, checks if the baseline has generated before the file addition event, and then - if this event has generated. - """ + ''' + description: Check if `FIM` events are appearing after the `baseline`. The log message + `File integrity monitoring scan ended` informs about the end of the first scan, + which generates the `baseline`. For this purpose, the test creates a test file + while the initial scan is being performed. When the baseline has been generated + it checks if the `FIM` addition event has been triggered. + + wazuh_min_version: 4.2 + + parameters: + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the `ossec.log` file and start a new monitor. + + assertions: + - Verify that a `FIM` addition event was generated during the initial scan. + + input_description: A test case (ossec_conf) is contained in external `YAML` file (wazuh_conf.yaml) + which includes configuration settings for the `wazuh-syscheckd` daemon + and testing directories to monitor. + + expected_output: + - r'.*Sending FIM event: (.+)$' + + tags: + - realtime + ''' check_apply_test({'ossec_conf'}, get_configuration['tags']) # Create a file during initial scan to check if the event is logged after the 'scan ended' message From f0a084e80dc40854045247c29f3b8bcdf74f8daf Mon Sep 17 00:00:00 2001 
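Review bot: The description of test_wait_until_baseline hinges on the log line `File integrity monitoring scan ended` as the signal that the baseline is complete, yet expected_output lists only `r'.*Sending FIM event: (.+)$'`; if the body (outside the hunk) waits for that scan-ended message, it belongs in expected_output too. `When the baseline has been generated it checks` needs a comma after `generated`. The new `tags: - realtime` entry is a claim the old docstring did not make; worth confirming against the module's configuration before it lands in the generated docs.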
From: mdengra Date: Fri, 24 Sep 2021 14:46:35 +0200 Subject: [PATCH 04/12] doc: Add test_fim/test_files/test_basic_usage documentation in QA Docs style The following tests have been documentated: * test_basic_usage_changes.py * test_basic_usage_create_after_delete_dir.py * test_basic_usage_create_rt_wd.py * test_basic_usage_create_scheduled.py * test_basic_usage_db_inode_check.py * test_basic_usage_delete_folder.py * test_basic_usage_dir_with_commas.py * test_basic_usage_disabled.py * test_basic_usage_entries_match_path_count.py Minor corrections in the documentation of the remaining tests. The current scheme of the issue #1694 has been used. PEP-8 fixes. Closes: #1927 --- .../test_basic_usage_baseline_generation.py | 6 +- .../test_basic_usage_changes.py | 140 ++++++++++++++-- ...est_basic_usage_create_after_delete_dir.py | 130 ++++++++++++--- .../test_basic_usage_create_rt_wd.py | 155 +++++++++++++++--- .../test_basic_usage_create_scheduled.py | 155 +++++++++++++++--- .../test_basic_usage_db_inode_check.py | 128 ++++++++++++--- .../test_basic_usage_delete_folder.py | 146 ++++++++++++++--- .../test_basic_usage_dir_with_commas.py | 116 ++++++++++++- .../test_basic_usage_disabled.py | 110 +++++++++++-- ...st_basic_usage_entries_match_path_count.py | 123 ++++++++++++-- 10 files changed, 1057 insertions(+), 152 deletions(-) diff --git a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_baseline_generation.py b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_baseline_generation.py index a22135a216..55506ade33 100644 --- a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_baseline_generation.py +++ b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_baseline_generation.py 
@@ -151,9 +151,9 @@ def test_wait_until_baseline(get_configuration, configure_environment, restart_s - Verify that a `FIM` addition event was generated during the initial scan. input_description: A test case (ossec_conf) is contained in external `YAML` file (wazuh_conf.yaml) - which includes configuration settings for the `wazuh-syscheckd` daemon - and testing directories to monitor. - + which includes configuration settings for the `wazuh-syscheckd` daemon and, it + is combined with the testing directories to be monitored defined in this module. + expected_output: - r'.*Sending FIM event: (.+)$' diff --git a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_changes.py b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_changes.py index 0fa1067312..3694688b75 100644 --- a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_changes.py +++ b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_changes.py 
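Review bot: The rewritten input_description has the comma on the wrong side of the conjunction: `daemon and, it is combined with` should be `daemon, and it is combined with`. The same phrasing is pasted into the test docstrings of test_basic_usage_changes.py and test_basic_usage_create_after_delete_dir.py later in this patch, so fix all three. The last added line of this hunk looks like a blank line with trailing whitespace rather than an empty line; since the commit advertises PEP-8 fixes, it is worth checking, as that is what flake8's W291 would report.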
@@ -1,7 +1,76 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: These tests will check if the File Integrity Monitoring (`FIM`) system watches selected files + and triggering alerts when these files are modified. In particular, they will check if common + operations (`add`, `modify`, `delete`) on monitored directories are correctly detected. + The FIM capability is managed by the `wazuh-syscheckd` daemon, which checks configured files + for changes to the checksums, permissions, and ownership. + +tier: 0 + +modules: + - fim + +components: + - agent + +daemons: + - wazuh-agentd + - wazuh-syscheckd + +os_platform: + - linux + - windows + - macos + - solaris + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + - Windows 10 + - Windows 8 + - Windows 7 + - Windows Server 2016 + - Windows server 2012 + - Windows server 2003 + - macOS Catalina + - Solaris 10 + - Solaris 11 + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the `who-data` information. + +tags: + - fim +''' import os import sys 
@@ -68,16 +137,59 @@ def get_configuration(request): def test_regular_file_changes(folder, name, encoding, checkers, tags_to_apply, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): - """ - Check if syscheckd detects regular file changes (add, modify, delete) - - Parameters - ---------- - folder : str - Directory where the files will be created. - checkers : dict - Syscheck checkers (check_all). - """ + ''' + description: Check if the `wazuh-syscheckd` daemon detects regular file changes (add, modify, delete). + For this purpose, the test uses different character encodings in the names of the testing + directories and files and performs operations on them. Finally, it verifies that + the `FIM` events have been generated properly. + + wazuh_min_version: 4.2 + + parameters: + - folder: + type: str + brief: Path to the monitored testing directory. + - name: + type: str + brief: Name used for the testing files. + - encoding: + type: str + brief: Character encoding used for the directory and testing files. + - checkers: + type: dict + brief: Syscheck checkers (check_all). + - tags_to_apply: + type: set + brief: Run test if match with a configuration identifier, skip otherwise. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the `ossec.log` file and start a new monitor. + - wait_for_fim_start: + type: fixture + brief: Wait for realtime start, whodata start, or end of initial FIM scan. + + assertions: + - Verify that all `FIM` events are generated for the operations performed, + and these contain all `check_` fields specified in the configuration. 
+ + input_description: A test case (ossec_conf) is contained in external `YAML` file (wazuh_conf.yaml) + which includes configuration settings for the `wazuh-syscheckd` daemon and, it + is combined with the testing directories to be monitored defined in this module. + + expected_output: + - r'.*Sending FIM event: (.+)$' (Initial scan when restarting Wazuh) + - Multiple `FIM` events logs of the monitored directories. + + tags: + - scheduled + - time_travel + ''' check_apply_test(tags_to_apply, get_configuration['tags']) mult = 1 if sys.platform == 'win32' else 2 diff --git a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_create_after_delete_dir.py b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_create_after_delete_dir.py index 3c961e45c7..3e0184d9d6 100644 --- a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_create_after_delete_dir.py +++ b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_create_after_delete_dir.py 
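Review bot: In the expected_output of test_regular_file_changes, `Multiple `FIM` events logs of the monitored directories.` should be `Multiple `FIM` event logs for the monitored directories.`. The `checkers` brief is the old `Syscheck checkers (check_all)` copied verbatim; since the assertion promises that every event carries all `check_` fields from the configuration, `Syscheck `check_` attributes expected in each event (e.g. check_all).` would say what the parameter is for. The body of test_regular_file_changes continues past the hunk.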
@@ -1,7 +1,71 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: These tests will check if the File Integrity Monitoring (`FIM`) system watches selected files + and triggering alerts when these files are modified. In particular, they will check if + `FIM` events are still generated when a monitored directory is deleted and created again. + The FIM capability is managed by the `wazuh-syscheckd` daemon, which checks configured files + for changes to the checksums, permissions, and ownership. + +tier: 0 + +modules: + - fim + +components: + - agent + +daemons: + - wazuh-agentd + - wazuh-syscheckd + +os_platform: + - linux + - windows + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + - Windows 10 + - Windows 8 + - Windows 7 + - Windows Server 2016 + - Windows server 2012 + - Windows server 2003 + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the `who-data` information. + +tags: + - fim +''' import os import shutil import sys 
@@ -50,22 +114,48 @@ def get_configuration(request): ]) def test_create_after_delete(tags_to_apply, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): - """ - Check that a monitored directory keeps reporting events after deleting and creating it again. It tests - that under Windows systems the directory watcher is refreshed after directory re-creation 1 second after. - - This test performs the following steps: - - Monitor a directory that exist. - - Create some files inside. Check that it does produce events in ossec.log. - - Delete the directory and wait for a second. - - Create the directory again and wait for a second. - - Check that creating files within the directory do generate events again. - - Parameters - ---------- - tags_to_apply : set - Run test if matches with a configuration identifier, skip otherwise - """ + ''' + description: Check if a monitored directory keeps reporting `FIM` events after deleting and creating it again. + Under Windows systems, it verifies that the directory watcher is refreshed (checks the SACLs) + after directory re-creation one second after. For this purpose, the test creates the testing + directory to be monitored, checks that `FIM` events are generated, and then deletes it. + Finally, it creates the directory again and verifies that the events are still generated correctly. + + wazuh_min_version: 4.2 + + parameters: + - tags_to_apply: + type: set + brief: Run test if match with a configuration identifier, skip otherwise. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the `ossec.log` file and start a new monitor. + - wait_for_fim_start: + type: fixture + brief: Wait for realtime start, whodata start, or end of initial FIM scan. 
+ + assertions: + - Verify that `FIM` events are still generated when a monitored directory is deleted and created again. + + input_description: A test case (ossec_conf) is contained in external `YAML` file + (wazuh_conf.yaml or wazuh_conf_win32.yaml) which includes configuration + settings for the `wazuh-syscheckd` daemon and, it is combined with + the testing directories to be monitored defined in this module. + + expected_output: + - r'.*Sending FIM event: (.+)$' (Initial scan when restarting Wazuh) + - Multiple `FIM` events logs of the monitored directories. + + tags: + - realtime + - who-data + ''' check_apply_test(tags_to_apply, get_configuration['tags']) # Create the monitored directory with files and check that events are not raised diff --git a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_create_rt_wd.py b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_create_rt_wd.py index 7b2250a920..483050bfed 100644 --- a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_create_rt_wd.py +++ b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_create_rt_wd.py 
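Review bot: The brief for `tags_to_apply`, `Run test if match with a configuration identifier, skip otherwise.`, is ungrammatical; `Run the test if it matches a configuration identifier, skip otherwise.` reads correctly, and the same brief recurs in test_create_file_realtime_whodata, test_create_file_scheduled and test_delete_folder. The description also claims the Windows watcher refresh `checks the SACLs`; nothing in this hunk shows such a check, so either reference where it is verified or drop the parenthetical rather than document a check the test may not perform. The body of test_create_after_delete continues past the hunk.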
@@ -1,7 +1,76 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: These tests will check if the File Integrity Monitoring (`FIM`) system watches selected files + and triggering alerts when these files are modified. In particular, they will verify that only + regular files are monitored using the `realtime` and `whodata` monitoring modes. + The FIM capability is managed by the `wazuh-syscheckd` daemon, which checks configured files + for changes to the checksums, permissions, and ownership. + +tier: 0 + +modules: + - fim + +components: + - agent + +daemons: + - wazuh-agentd + - wazuh-syscheckd + +os_platform: + - linux + - windows + - macos + - solaris + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + - Windows 10 + - Windows 8 + - Windows 7 + - Windows Server 2016 + - Windows server 2012 + - Windows server 2003 + - macOS Catalina + - Solaris 10 + - Solaris 11 + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the `who-data` information. + +tags: + - fim +''' import os import sys 
@@ -79,24 +148,66 @@ def get_configuration(request): def test_create_file_realtime_whodata(folder, name, filetype, content, checkers, tags_to_apply, encoding, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): - """ - Check if a special or regular file creation is detected by syscheck using realtime and whodata monitoring - - Regular files must be monitored. Special files must not. - - Parameters - ---------- - folder : str - Name of the monitored folder. - name : str - Name of the file. - filetype : str - Type of the file. - content : str - Content of the file. - checkers : set - Checks that will compared to the ones from the event. - """ + ''' + description: Check if a special or regular file creation is detected by the `wazuh-syscheckd` daemon using + the `realtime` and `whodata` monitoring modes. Regular files must be monitored, special files + must not. For this purpose, the test creates the testing directories and files using different + character encodings in their names. Finally, it verifies that only the regular testing + files have generated `FIM` events. + + wazuh_min_version: 4.2 + + parameters: + - folder: + type: str + brief: Path to the monitored testing directory. + - name: + type: str + brief: Name used for the testing file. + - filetype: + type: str + brief: Type of the testing file. + - content: + type: str + brief: Content of the testing file. + - checkers: + type: dict + brief: Checks that will compared to the ones from the event. + - tags_to_apply: + type: set + brief: Run test if match with a configuration identifier, skip otherwise. + - encoding: + type: str + brief: Character encoding used for the directory and testing files. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the `ossec.log` file and start a new monitor. 
+ - wait_for_fim_start: + type: fixture + brief: Wait for realtime start, whodata start, or end of initial FIM scan. + + assertions: + - Verify that `FIM` events are only generated for the regular testing files, + and these contain all `check_` fields specified in the configuration. + + input_description: A test case (ossec_conf) is contained in external `YAML` file (wazuh_conf.yaml) + which includes configuration settings for the `wazuh-syscheckd` daemon and, it + is combined with the testing directories to be monitored defined in this module. + + expected_output: + - r'.*Sending FIM event: (.+)$' (Initial scan when restarting Wazuh) + - Multiple `FIM` events logs of the monitored directories. + + tags: + - realtime + - who-data + ''' check_apply_test(tags_to_apply, get_configuration['tags']) # Create files diff --git a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_create_scheduled.py b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_create_scheduled.py index 1eb166fa28..514d6f85b3 100644 --- a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_create_scheduled.py +++ b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_create_scheduled.py 
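Review bot: The `checkers` parameter is now documented as `type: dict`, whereas the docstring it replaces called it a set and nothing in this hunk changes how `checkers` is produced or consumed; please confirm the documented type against the parametrize values (outside the hunk) before switching it, and note that test_create_file_scheduled makes the same change. Its brief, `Checks that will compared to the ones from the event.`, is missing a verb: `Checks that will be compared to the ones from the event.`. The function body continues past the hunk.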
@@ -1,7 +1,76 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: These tests will check if the File Integrity Monitoring (`FIM`) system watches selected files + and triggering alerts when these files are modified. In particular, they will verify that only + regular files are monitored using the `scheduled` monitoring mode. + The FIM capability is managed by the `wazuh-syscheckd` daemon, which checks configured files + for changes to the checksums, permissions, and ownership. + +tier: 0 + +modules: + - fim + +components: + - agent + +daemons: + - wazuh-agentd + - wazuh-syscheckd + +os_platform: + - linux + - windows + - macos + - solaris + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + - Windows 10 + - Windows 8 + - Windows 7 + - Windows Server 2016 + - Windows server 2012 + - Windows server 2003 + - macOS Catalina + - Solaris 10 + - Solaris 11 + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the `who-data` information. + +tags: + - fim +''' import os import sys 
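Review bot: The brief states that this module verifies monitoring `using the scheduled monitoring mode`, yet `pytest_args` documents only the `realtime` and `whodata` values of `fim_mode` and never mentions `scheduled`. If `fim_mode` is a suite-wide option inherited from the documentation template, a short remark that this module runs only in the scheduled mode would stop readers from expecting realtime/whodata runs; if the option does select this module's mode, `scheduled` should be listed as a value. The same combination of a scheduled-only brief with a realtime/whodata `pytest_args` block appears in the module docstrings of test_basic_usage_db_inode_check.py, test_basic_usage_delete_folder.py, test_basic_usage_disabled.py and test_basic_usage_entries_match_path_count.py.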
@@ -77,24 +146,66 @@ def get_configuration(request): ]) def test_create_file_scheduled(folder, name, filetype, content, checkers, tags_to_apply, encoding, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): - """ - Check if a special or regular file creation is detected by syscheck using scheduled monitoring - - Regular files must be monitored. Special files must not. - - Parameters - ---------- - folder : str - Name of the monitored folder. - name : str - Name of the file. - filetype : str - Type of the file. - content : str - Content of the file. - checkers : set - Checks that will compared to the ones from the event. - """ + ''' + description: Check if a special or regular file creation is detected by the `wazuh-syscheckd` daemon using + the `scheduled` monitoring mode. Regular files must be monitored, special files must not. + For this purpose, the test creates the testing directories and files using different + character encodings in their names, and then it changes the system time until the next + scheduled scan. Finally, it verifies that only the regular testing files have generated `FIM` events. + + wazuh_min_version: 4.2 + + parameters: + - folder: + type: str + brief: Path to the monitored testing directory. + - name: + type: str + brief: Name used for the testing file. + - filetype: + type: str + brief: Type of the testing file. + - content: + type: str + brief: Content of the testing file. + - checkers: + type: dict + brief: Checks that will compared to the ones from the event. + - tags_to_apply: + type: set + brief: Run test if match with a configuration identifier, skip otherwise. + - encoding: + type: str + brief: Character encoding used for the directory and testing files. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. 
+ - restart_syscheckd: + type: fixture + brief: Clear the `ossec.log` file and start a new monitor. + - wait_for_fim_start: + type: fixture + brief: Wait for realtime start, whodata start, or end of initial FIM scan. + + assertions: + - Verify that `FIM` events are only generated for the regular testing files, + and these contain all `check_` fields specified in the configuration. + + input_description: A test case (ossec_conf) is contained in external `YAML` file (wazuh_conf.yaml) + which includes configuration settings for the `wazuh-syscheckd` daemon and, it + is combined with the testing directories to be monitored defined in this module. + + expected_output: + - r'.*Sending FIM event: (.+)$' (Initial scan when restarting Wazuh) + - Multiple `FIM` events logs of the monitored directories. + + tags: + - scheduled + - time_travel + ''' check_apply_test(tags_to_apply, get_configuration['tags']) # Create files diff --git a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_db_inode_check.py b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_db_inode_check.py index d66f1cca43..8c6e40618c 100644 --- a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_db_inode_check.py +++ b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_db_inode_check.py 
@@ -1,7 +1,65 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: These tests will check if the File Integrity Monitoring (`FIM`) system watches selected files + and triggering alerts when these files are modified. Specifically, they will check for + false positives due to possible inconsistencies with inodes in the `FIM` database. + The FIM capability is managed by the `wazuh-syscheckd` daemon, which checks configured files + for changes to the checksums, permissions, and ownership. + +tier: 0 + +modules: + - fim + +components: + - agent + +daemons: + - wazuh-agentd + - wazuh-syscheckd + +os_platform: + - linux + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html + - https://en.wikipedia.org/wiki/Inode + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the `who-data` information. + +tags: + - fim +''' import os import shutil 
@@ -73,23 +131,51 @@ def wait_for_fim_start_function(get_configuration, request): @pytest.mark.parametrize('test_cases', [0, 1, 2]) def test_db_inode_check(test_cases, get_configuration, configure_environment, restart_syscheck_function, wait_for_fim_start_function): - """Test to check for false positives due to possible inconsistencies with inodes in the database. - Cases: - - With check_mtime="no" and check_inode="no", no modification events should appear. - - With check_mtime="yes" and check_inode="yes", modification events should have: - "changed_attributes":["mtime","inode"] - - Args: - test_added (boolean): variable to set whether the test will add one more or one less file. - get_configuration (fixture): Function to access the configuration in use. - configure_environment (fixture): Fixture to prepare the environment to pass the test - restart_syscheck_function (fixture): Restart syscheck and truncate the log file with function scope. - wait_for_fim_start_function (fixture): Wait until the log 'scan end' appear, with function scope. - - Raises: - AttributeError: If an wrong or unexpected modified event appear - """ - + ''' + description: Check for false positives due to possible inconsistencies with inodes in the `FIM` database. + For example, with `check_mtime=no` and `check_inode=no`, no modification events should appear, + and using `check_mtime=yes` and `check_inode=yes`, since the `mtime` and `inode` attributes + are modified, modification events should appear. + For this purpose, the test will monitor a folder using the `scheduled` monitoring mode, + create ten files with some content and wait for the scan. Then, remove the files and + create them again (adding one more at the beginning or deleting it) with different inodes. + Finally, the test changes the system time until the next scheduled scan and check + if there are any unexpected events in the log. + + wazuh_min_version: 4.2 + + parameters: + - test_cases: + type: int + brief: Test case number. 
+ - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the `ossec.log` file and start a new monitor. + - wait_for_fim_start: + type: fixture + brief: Wait for realtime start, whodata start, or end of initial FIM scan. + + assertions: + - Verify that the `FIM` database does not become inconsistent due to the change of inodes, + whether or not `check_mtime` and `check_inode` are enabled. + + input_description: Two test cases defined in this module, and the configuration settings for + the `wazuh-syscheckd` daemon (tag ossec_conf) which are contained in external + `YAML` file (wazuh_conf_check_inodes.yaml). + + expected_output: + - r'.*Sending FIM event: (.+)$' + + tags: + - scheduled + - time_travel + ''' check_apply_test({'ossec_conf'}, get_configuration['tags']) aux_file_list = file_list.copy() diff --git a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_delete_folder.py b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_delete_folder.py index 080902cf0b..9dc63855b6 100644 --- a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_delete_folder.py +++ b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_delete_folder.py 
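Review bot: The `parameters` section names fixtures `restart_syscheckd` and `wait_for_fim_start`, but the signature in this hunk takes `restart_syscheck_function` and `wait_for_fim_start_function`, so the documented fixtures do not match what the test actually requests; the entries should use the real names (their briefs can stay, with "function scope" noted). `input_description` says `Two test cases defined in this module`, while the visible `@pytest.mark.parametrize('test_cases', [0, 1, 2])` supplies three values, so that count needs checking against the parametrization. Minor wording: `and check if there are any unexpected events` → `and checks whether there are any unexpected events`. The function body continues past the hunk.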
@@ -1,7 +1,71 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: These tests will check if the File Integrity Monitoring (`FIM`) system watches selected files + and triggering alerts when these files are modified. Specifically, they will check if when a + monitored folder is deleted, the files inside it generate `FIM` events of the type `deleted`. + The FIM capability is managed by the `wazuh-syscheckd` daemon, which checks configured files + for changes to the checksums, permissions, and ownership. + +tier: 0 + +modules: + - fim + +components: + - agent + +daemons: + - wazuh-agentd + - wazuh-syscheckd + +os_platform: + - linux + - windows + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + - Windows 10 + - Windows 8 + - Windows 7 + - Windows Server 2016 + - Windows server 2012 + - Windows server 2003 + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the `who-data` information. + +tags: + - fim +''' import os import shutil from collections import Counter 
@@ -53,23 +117,59 @@ def get_configuration(request): def test_delete_folder(folder, file_list, filetype, tags_to_apply, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): - """ - Check if syscheckd detects 'deleted' events from the files contained - in a folder that is being deleted. - - If we are monitoring /testdir and we have r1, r2, r3 withing /testdir, if we delete /testdir, - we must see 3 events of the type 'deleted'. One for each one of the regular files. - - Parameters - ---------- - folder : str - Directory where the files will be created. - file_list : list - Names of the files. - filetype : str - Type of the files that will be created. - """ - + ''' + description: Check if the `wazuh-syscheckd` daemon detects 'deleted' events from the files contained + in a folder that is being deleted. For example, the folder `/testdir` is monitored, and + the files `r1`, `r2` and `r3` are inside `/testdir`. If `/testdir` is deleted, three + events of type `deleted` must be generated, one for each of the regular files. + For this purpose, the test will monitor a folder using the `scheduled` monitoring mode, + create the testing files inside it, and change the system time until the next + scheduled scan. Then, remove the monitored folder, and finally, the test + verifies that the `deleted` events have been generated. + + wazuh_min_version: 4.2 + + parameters: + - folder: + type: str + brief: Path to the monitored testing directory. + - file_list: + type: list + brief: Used names for the testing files. + - filetype: + type: str + brief: Type of the testing file. + - tags_to_apply: + type: set + brief: Run test if match with a configuration identifier, skip otherwise. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. 
+ - restart_syscheckd: + type: fixture + brief: Clear the `ossec.log` file and start a new monitor. + - wait_for_fim_start: + type: fixture + brief: Wait for realtime start, whodata start, or end of initial FIM scan. + + assertions: + - Verify that when a monitored folder is deleted, the files inside it + generate `FIM` events of the type `deleted`. + + input_description: A test case (ossec_conf) is contained in external `YAML` file (wazuh_conf.yaml) + which includes configuration settings for the `wazuh-syscheckd` daemon and, it + is combined with the testing directories to be monitored defined in this module. + + expected_output: + - r'.*Sending FIM event: (.+)$' + + tags: + - scheduled + - time_travel + ''' check_apply_test(tags_to_apply, get_configuration['tags']) scheduled = get_configuration['metadata']['fim_mode'] == 'scheduled' mode = get_configuration['metadata']['fim_mode'] @@ -80,8 +180,8 @@ def test_delete_folder(folder, file_list, filetype, tags_to_apply, check_time_travel(scheduled, monitor=wazuh_log_monitor) events = wazuh_log_monitor.start(timeout=global_parameters.default_timeout, callback=callback_detect_event, - accum_results=len(file_list), error_message='Did not receive expected ' - '"Sending FIM event: ..." event').result() + accum_results=len(file_list), + error_message='Did not receive expected "Sending FIM event: ..." event').result() for ev in events: validate_event(ev, mode=mode) diff --git a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_dir_with_commas.py b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_dir_with_commas.py index 4098964795..e05f461383 100644 --- a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_dir_with_commas.py +++ b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_dir_with_commas.py 
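Review bot: The description says the test `will monitor a folder using the scheduled monitoring mode`, but the lines directly after the docstring compute `scheduled = get_configuration['metadata']['fim_mode'] == 'scheduled'` and `mode = get_configuration['metadata']['fim_mode']` and later pass `scheduled` to `check_time_travel`, so the test appears to run under whatever mode the configuration supplies and only time-travels when that mode is `scheduled`. Wording such as `will monitor a folder and, when the scheduled monitoring mode is configured, change the system time until the next scan` would match the code. The brief for `filetype` reads `Type of the testing file.` although `file_list` supplies several files, so `Type of the testing files.` is more accurate. The function body continues past the first hunk.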
@@ -1,7 +1,71 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: These tests will check if the File Integrity Monitoring (`FIM`) system watches selected files + and triggering alerts when these files are modified. Specifically, they will check if `FIM` events + are generated on a monitored folder whose name contains commas. + The FIM capability is managed by the `wazuh-syscheckd` daemon, which checks configured files + for changes to the checksums, permissions, and ownership. + +tier: 2 + +modules: + - fim + +components: + - agent + +daemons: + - wazuh-agentd + - wazuh-syscheckd + +os_platform: + - linux + - windows + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + - Windows 10 + - Windows 8 + - Windows 7 + - Windows Server 2016 + - Windows server 2012 + - Windows server 2003 + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the `who-data` information. + +tags: + - fim +''' import os import pytest 
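Review bot: The `copyright` block in this module docstring omits the blank line between `Copyright (C) 2015-2021, Wazuh Inc.` and `Created by Wazuh, Inc.` that every other module docstring in this commit includes, so this file's header renders differently from its siblings; adding the empty line after the copyright line keeps the generated output uniform. The rest of the header matches the other files.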
@@ -48,9 +112,49 @@ def get_configuration(request): ]) def test_directories_with_commas(directory, get_configuration, put_env_variables, configure_environment, restart_syscheckd, wait_for_fim_start): - """ - Test alerts are generated when monitor environment variables - """ + ''' + description: Check if the `wazuh-syscheckd` daemon generates `FIM` events from monitoring folders + whose name contains commas. For this purpose, the test will monitor a testing folder + using the `scheduled` monitoring mode, and create the testing files inside it. + Then, perform CUD (creation, update, and delete) operations and finally verify that + the `FIM` events are generated correctly. + + wazuh_min_version: 4.2 + + parameters: + - directory: + type: str + brief: Path to the monitored testing directory. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - put_env_variables: + type: fixture + brief: Create environment variables. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the `ossec.log` file and start a new monitor. + - wait_for_fim_start: + type: fixture + brief: Wait for realtime start, whodata start, or end of initial FIM scan. + + assertions: + - Verify that `FIM` events are generated on a monitored folder whose name contains commas. + + input_description: A test case is contained in external `YAML` file (wazuh_conf.yaml) which includes + configuration settings for the `wazuh-syscheckd` daemon and, it is combined with + the testing directories to be monitored defined in this module. + + expected_output: + - Multiple `FIM` events logs of the monitored directories. + + tags: + - scheduled + - time_travel + ''' check_apply_test({'ossec_conf'}, get_configuration['tags']) regular_file_cud(directory, wazuh_log_monitor, file_list=["testing_env_variables"], 
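Review bot: The new description speaks only of folder names containing commas, yet the test requests a `put_env_variables` fixture (documented here as `Create environment variables`), the `regular_file_cud` call names its file `testing_env_variables`, and the docstring being replaced described monitoring through environment variables; if the monitored directory reaches the configuration via an environment variable, the description should say so, since that is what the fixture exists for. This is inferred from names only and should be confirmed against the parametrize values above the hunk. The function body continues past the hunk.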
diff --git a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_disabled.py b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_disabled.py index 898ea05fd9..d54b14486e 100644 --- a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_disabled.py +++ b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_disabled.py 
@@ -1,7 +1,71 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: These tests will check if the File Integrity Monitoring (`FIM`) system watches selected files + and triggering alerts when these files are modified. Specifically, they will verify that when + the `wazuh-syscheckd` daemon is disabled, no `FIM` events are generated. + The FIM capability is managed by the `wazuh-syscheckd` daemon, which checks configured files + for changes to the checksums, permissions, and ownership. + +tier: 0 + +modules: + - fim + +components: + - agent + +daemons: + - wazuh-agentd + - wazuh-syscheckd + +os_platform: + - linux + - windows + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + - Windows 10 + - Windows 8 + - Windows 7 + - Windows Server 2016 + - Windows server 2012 + - Windows server 2003 + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the `who-data` information. + +tags: + - fim +''' import os import pytest 
@@ -45,13 +109,37 @@ def get_configuration(request): # tests def test_disabled(get_configuration, configure_environment, restart_syscheckd): - """Check if syscheckd sends events when disabled="yes". - - Parameters - ---------- - folder : str - Path where files will be created. - """ + ''' + description: Check if the `wazuh-syscheckd` daemon generates `FIM` events when it is disabled + in the main configuration file. For this purpose, the test will monitor a testing + folder and finally verifies that no `FIM` events have been generated. + + wazuh_min_version: 4.2 + + parameters: + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the `ossec.log` file and start a new monitor. + + assertions: + - Verify that when the `wazuh-syscheckd` daemon is disabled, no `FIM` events are generated. + + input_description: A test case is contained in external `YAML` file (wazuh_conf_disabled.yaml) which + includes configuration settings for the `wazuh-syscheckd` daemon and, it is combined + with the testing directory to be monitored defined in this module. + + expected_output: + - No `FIM` events should be generated. + + tags: + - scheduled + ''' # Expect a timeout when checking for syscheckd initial scan with pytest.raises(TimeoutError): event = wazuh_log_monitor.start(timeout=10, callback=callback_detect_end_scan) diff --git a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_entries_match_path_count.py b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_entries_match_path_count.py index 48d53d272d..450015084b 100644 --- a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_entries_match_path_count.py +++ b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_entries_match_path_count.py 
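Review bot: `expected_output` states `No FIM events should be generated.`, but the visible check is `with pytest.raises(TimeoutError):` around a wait on `callback_detect_end_scan`, i.e. the test asserts that the end-of-scan log line never appears within the timeout; the expected output should describe that observation, e.g. `- No 'scan end' log line is produced (a TimeoutError is expected while waiting for it).`, so a reader knows what the assertion actually observes. The description also says `the test will monitor a testing folder and finally verifies`, which should be `verify`. The function body continues past the hunk.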
@@ -1,7 +1,77 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: These tests will check if the File Integrity Monitoring (`FIM`) system watches selected files and + triggering alerts when these files are modified. In particular, they will verify that when using + `hard` and `symbolic` links, the `FIM` events contain the number of inodes and paths to files consistent. + The FIM capability is managed by the `wazuh-syscheckd` daemon, which checks configured files + for changes to the checksums, permissions, and ownership. + +tier: 0 + +modules: + - fim + +components: + - agent + +daemons: + - wazuh-agentd + - wazuh-syscheckd + +os_platform: + - linux + - windows + - macos + - solaris + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + - Windows 10 + - Windows 8 + - Windows 7 + - Windows Server 2016 + - Windows server 2012 + - Windows server 2003 + - macOS Catalina + - Solaris 10 + - Solaris 11 + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html + - https://en.wikipedia.org/wiki/Inode + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the `who-data` information. + +tags: + - fim +''' import os import pytest 
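Review bot: The `brief` sentence `the FIM events contain the number of inodes and paths to files consistent` does not parse; `the FIM events report a consistent number of inodes and file paths` says the same thing clearly. The identical wording is used in the `assertions` entry of test_entries_match_path_count in the next hunk and should be changed there too. The description in that hunk already states the concrete expectation (three inodes, four file paths), which the assertion line could simply repeat.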
@@ -51,12 +121,45 @@ def extra_configuration_before_yield(): def test_entries_match_path_count(get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): - """ - Check if FIM entries match the path count - - It creates two regular files, a symlink and a hard link before the scan begins. After events are logged, - we should have 3 inode entries and a path count of 4. - """ + ''' + description: Check if `FIM` events contain the correct number of file paths when `hard` + and `symbolic` links are used. For this purpose, the test will monitor + a testing folder and create two regular files, a `symlink` and a `hard link` + before the scan starts. Finally, it verifies in the generated `FIM` event + that three inodes and four file paths are detected. + + wazuh_min_version: 4.2 + + parameters: + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the `ossec.log` file and start a new monitor. + - wait_for_fim_start: + type: fixture + brief: Wait for realtime start, whodata start, or end of initial FIM scan. + + assertions: + - Verify that when using hard and symbolic links, the `FIM` events contain + the number of inodes and paths to files consistent. + + input_description: A test case (ossec_conf) is contained in external `YAML` file (wazuh_conf.yaml) + which includes configuration settings for the `wazuh-syscheckd` daemon and, it + is combined with the testing directories to be monitored defined in this module. + + expected_output: + - r'.*Fim inode entries*, path count' (If the OS used is not Windows) + - r'.*Fim entries' (If the OS used is Windows) + + tags: + - scheduled + - time_travel + ''' check_apply_test({'ossec_conf'}, get_configuration['tags']) entries, path_count = wazuh_log_monitor.start(timeout=global_parameters.default_timeout, 
From 6889e4d27edd8e574dbd598bafd0094c44fead9c Mon Sep 17 00:00:00 2001 From: mdengra Date: Fri, 24 Sep 2021 14:49:16 +0200 Subject: [PATCH 05/12] doc: Add test_fim/test_files/test_audit documentation in QA Docs style Minor corrections in the tests documentation. Closes: #1927 --- .../test_files/test_audit/test_audit.py | 20 ++++++++++++------- .../test_audit_after_initial_scan.py | 6 +++--- .../test_audit/test_audit_no_dir.py | 3 ++- .../test_audit/test_remove_audit.py | 3 ++- .../test_audit/test_remove_rule_five_times.py | 4 ++-- 5 files changed, 22 insertions(+), 14 deletions(-) diff --git a/tests/integration/test_fim/test_files/test_audit/test_audit.py b/tests/integration/test_fim/test_files/test_audit/test_audit.py index 2aa9a6360f..aa74e92d05 100644 --- a/tests/integration/test_fim/test_files/test_audit/test_audit.py +++ b/tests/integration/test_fim/test_files/test_audit/test_audit.py @@ -135,7 +135,8 @@ def test_audit_health_check(tags_to_apply, get_configuration, input_description: A test case (config1) is contained in external `YAML` file (wazuh_conf.yaml) which includes configuration settings for the `wazuh-syscheckd` daemon - and testing directories to monitor. + and, it is combined with the testing directories to be monitored + defined in this module. expected_output: - r'Whodata health-check: Success.' @@ -182,7 +183,8 @@ def test_added_rules(tags_to_apply, get_configuration, input_description: A test case (config1) is contained in external `YAML` file (wazuh_conf.yaml) which includes configuration settings for the `wazuh-syscheckd` daemon - and testing directories to monitor. + and, it is combined with the testing directories to be monitored + defined in this module. expected_output: - r'.*Added audit rule for monitoring directory' 
@@ -239,7 +241,8 @@ def test_readded_rules(tags_to_apply, get_configuration, input_description: A test case (config1) is contained in external `YAML` file (wazuh_conf.yaml) which includes configuration settings for the `wazuh-syscheckd` daemon - and testing directories to monitor. + and, it is combined with the testing directories to be monitored + defined in this module. expected_output: - r'.*Added audit rule for monitoring directory' @@ -303,7 +306,8 @@ def test_readded_rules_on_restart(tags_to_apply, get_configuration, input_description: A test case (config1) is contained in external `YAML` file (wazuh_conf.yaml) which includes configuration settings for the `wazuh-syscheckd` daemon - and testing directories to monitor. + and, it is combined with the testing directories to be monitored + defined in this module. expected_output: - r'Audit: connected' @@ -370,7 +374,8 @@ def test_move_rules_realtime(tags_to_apply, get_configuration, input_description: A test case (config1) is contained in external `YAML` file (wazuh_conf.yaml) which includes configuration settings for the `wazuh-syscheckd` daemon - and testing directories to monitor. + and, it is combined with the testing directories to be monitored + defined in this module. expected_output: - r'.*Directory added for real time monitoring' @@ -437,7 +442,8 @@ def test_audit_key(audit_key, path, get_configuration, configure_environment, re input_description: A test case (audit_key) is contained in external `YAML` file (wazuh_conf.yaml) which includes configuration settings for the `wazuh-syscheckd` daemon - and testing directories to monitor. + and, it is combined with the testing directories to be monitored + defined in this module. expected_output: - r'Match audit_key' (`key="wazuh_hc"` and `key="wazuh_fim"` must not appear in the event) 
@@ -512,7 +518,7 @@ def test_restart_audit(tags_to_apply, should_restart, get_configuration, configu input_description: Two test cases (audit_key and restart_audit_false) are contained in external `YAML` file (wazuh_conf.yaml) which includes configuration settings for - the `wazuh-syscheckd` daemon and testing directories to monitor. + the `wazuh-syscheckd` daemon. expected_output: - The creation time of the `auditd` daemon process. diff --git a/tests/integration/test_fim/test_files/test_audit/test_audit_after_initial_scan.py b/tests/integration/test_fim/test_files/test_audit/test_audit_after_initial_scan.py index a3e3579ba2..8654463986 100644 --- a/tests/integration/test_fim/test_files/test_audit/test_audit_after_initial_scan.py +++ b/tests/integration/test_fim/test_files/test_audit/test_audit_after_initial_scan.py @@ -146,7 +146,8 @@ def test_remove_and_read_folder(tags_to_apply, folder, get_configuration, input_description: A test case (config1) is contained in external `YAML` file (wazuh_conf.yaml) which includes configuration settings for the `wazuh-syscheckd` daemon - and testing directories to monitor. + and, it is combined with the testing directories to be monitored defined + in this module. expected_output: - r'.*Sending FIM event: (.+)$' (Initial scan when restarting Wazuh) @@ -202,8 +203,7 @@ def test_reconnect_to_audit(tags_to_apply, get_configuration, configure_environm - Verify that `FIM` can recover from loosing its connection to the `auditd` daemon. input_description: A test case (config1) is contained in external `YAML` file (wazuh_conf.yaml) - which includes configuration settings for the `wazuh-syscheckd` daemon - and testing directories to monitor. + which includes configuration settings for the `wazuh-syscheckd` daemon. expected_output: - r'.*Sending FIM event: (.+)$' (Initial scan when restarting Wazuh) 
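Review bot: The context line `Verify that FIM can recover from loosing its connection to the auditd daemon` in test_reconnect_to_audit has a typo that this documentation pass could fix in the same hunk, `losing its connection`. The new `input_description` lines in the test_restart_audit and test_reconnect_to_audit hunks drop the testing-directories clause while the other hunks in this commit keep it; that is consistent if those two test cases really monitor no directory, but it is worth confirming against wazuh_conf.yaml.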
diff --git a/tests/integration/test_fim/test_files/test_audit/test_audit_no_dir.py b/tests/integration/test_fim/test_files/test_audit/test_audit_no_dir.py index 77155d28a3..ee48889735 100644 --- a/tests/integration/test_fim/test_files/test_audit/test_audit_no_dir.py +++ b/tests/integration/test_fim/test_files/test_audit/test_audit_no_dir.py @@ -155,7 +155,8 @@ def test_audit_no_dir(tags_to_apply, get_configuration, configure_environment, r input_description: A test case (audit_no_dir) is contained in external `YAML` file (wazuh_conf.yaml) which includes configuration settings for the `wazuh-syscheckd` daemon - and testing directories to monitor. + and, it is combined with the testing directories to be monitored + defined in this module. expected_output: - r'.*Unable to add audit rule for' diff --git a/tests/integration/test_fim/test_files/test_audit/test_remove_audit.py b/tests/integration/test_fim/test_files/test_audit/test_remove_audit.py index 041b0314bb..816c56b28e 100644 --- a/tests/integration/test_fim/test_files/test_audit/test_remove_audit.py +++ b/tests/integration/test_fim/test_files/test_audit/test_remove_audit.py @@ -169,7 +169,8 @@ def test_move_folders_to_realtime(tags_to_apply, get_configuration, uninstall_in input_description: A test case (config1) is contained in external `YAML` file (wazuh_conf.yaml) which includes configuration settings for the `wazuh-syscheckd` daemon - and testing directories to monitor. + and, it is combined with the testing directories to be monitored + defined in this module. expected_output: - r'.*Who-data engine could not start. Switching who-data to real-time.' diff --git a/tests/integration/test_fim/test_files/test_audit/test_remove_rule_five_times.py b/tests/integration/test_fim/test_files/test_audit/test_remove_rule_five_times.py index e1662e5842..0ba2748d20 100644 --- a/tests/integration/test_fim/test_files/test_audit/test_remove_rule_five_times.py 
+++ b/tests/integration/test_fim/test_files/test_audit/test_remove_rule_five_times.py @@ -144,8 +144,8 @@ def test_remove_rule_five_times(tags_to_apply, folder, audit_key, from `whodata` to `realtime` when an user edits the `audit` rules. input_description: A test case (config1) is contained in external `YAML` file (wazuh_conf.yaml) - which includes configuration settings for the `wazuh-syscheckd` daemon - and testing directories to monitor. + which includes configuration settings for the `wazuh-syscheckd` daemon and, it + is combined with the testing directories to be monitored defined in this module. expected_output: - r'Detected Audit rules manipulation' From 3ef28d9be4b8f7ee77750d34b755c864abff89ce Mon Sep 17 00:00:00 2001 
From: mdengra Date: Mon, 27 Sep 2021 17:47:11 +0200 Subject: [PATCH 06/12] doc: Add test_fim/test_files/test_basic_usage documentation in QA Docs style The following tests have been documented: * test_basic_usage_move_dir.py * test_basic_usage_move_file.py * test_basic_usage_new_dirs.py * test_basic_usage_no_dir.py * test_basic_usage_quick_changes.py * test_basic_usage_rename.py * test_basic_usage_starting_agent.py * test_basic_usage_wildcards_runtime.py Minor corrections in the documentation of the remaining tests. The current scheme of the issue #1694 has been used. PEP-8 fixes. Closes: #1927 --- .../test_basic_usage_baseline_generation.py | 7 +- .../test_basic_usage_changes.py | 5 + ...est_basic_usage_create_after_delete_dir.py | 5 + .../test_basic_usage_create_rt_wd.py | 5 + .../test_basic_usage_create_scheduled.py | 5 + .../test_basic_usage_db_inode_check.py | 5 + .../test_basic_usage_delete_folder.py | 5 + .../test_basic_usage_dir_with_commas.py | 7 +- .../test_basic_usage_disabled.py | 5 + ...st_basic_usage_entries_match_path_count.py | 5 + .../test_basic_usage_move_dir.py | 150 ++++++++++++++--- .../test_basic_usage_move_file.py | 155 +++++++++++++++--- .../test_basic_usage_new_dirs.py | 129 +++++++++++++-- .../test_basic_usage_no_dir.py | 122 ++++++++++++-- .../test_basic_usage_quick_changes.py | 130 +++++++++++++-- .../test_basic_usage_rename.py | 138 ++++++++++++++-- .../test_basic_usage_starting_agent.py | 123 +++++++++++++- .../test_basic_usage_wildcards_runtime.py | 148 ++++++++++++++--- 18 files changed, 1020 insertions(+), 129 deletions(-) diff --git a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_baseline_generation.py b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_baseline_generation.py index 55506ade33..af4c9cee4d 100644 --- a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_baseline_generation.py
+++ b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_baseline_generation.py @@ -21,6 +21,7 @@ components: - agent + - manager daemons: - wazuh-agentd @@ -63,6 +64,10 @@ - fim_mode: realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. whodata: Implies real-time monitoring but adding the `who-data` information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. + 1: Only level 1 tests are performed, they check functionalities of medium complexity. + 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. tags: - fim @@ -153,7 +158,7 @@ def test_wait_until_baseline(get_configuration, configure_environment, restart_s input_description: A test case (ossec_conf) is contained in external `YAML` file (wazuh_conf.yaml) which includes configuration settings for the `wazuh-syscheckd` daemon and, it is combined with the testing directories to be monitored defined in this module. - + expected_output: - r'.*Sending FIM event: (.+)$' diff --git a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_changes.py b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_changes.py index 3694688b75..91e08d4156 100644 --- a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_changes.py +++ b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_changes.py @@ -20,6 +20,7 @@ components: - agent + - manager daemons: - wazuh-agentd 
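Review bot: `manager` is added to `components` while the `daemons` list still names only `wazuh-agentd` and `wazuh-syscheckd`; if these tests are meant to run on a manager as well, the daemon set probably needs to reflect that, otherwise a reader of the generated docs cannot tell which combination is supported, so this is worth confirming. The three `tier` descriptions are comma splices; `Only level 0 tests are performed; they check basic functionalities and are quick to run.` (and likewise for levels 1 and 2) reads correctly. The same `components` and `tier` blocks are pasted into every other test_basic_usage file in this commit, so both points apply there too.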
@@ -67,6 +68,10 @@ - fim_mode: realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. whodata: Implies real-time monitoring but adding the `who-data` information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. + 1: Only level 1 tests are performed, they check functionalities of medium complexity. + 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. tags: - fim diff --git a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_create_after_delete_dir.py b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_create_after_delete_dir.py index 3e0184d9d6..f4ccd06325 100644 --- a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_create_after_delete_dir.py +++ b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_create_after_delete_dir.py @@ -20,6 +20,7 @@ components: - agent + - manager daemons: - wazuh-agentd @@ -62,6 +63,10 @@ - fim_mode: realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. whodata: Implies real-time monitoring but adding the `who-data` information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. + 1: Only level 1 tests are performed, they check functionalities of medium complexity. + 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. tags: - fim diff --git a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_create_rt_wd.py b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_create_rt_wd.py index 483050bfed..66ccc08539 100644 --- a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_create_rt_wd.py +++ b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_create_rt_wd.py 
@@ -20,6 +20,7 @@ components: - agent + - manager daemons: - wazuh-agentd @@ -67,6 +68,10 @@ - fim_mode: realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. whodata: Implies real-time monitoring but adding the `who-data` information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. + 1: Only level 1 tests are performed, they check functionalities of medium complexity. + 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. tags: - fim diff --git a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_create_scheduled.py b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_create_scheduled.py index 514d6f85b3..c5a75463b4 100644 --- a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_create_scheduled.py +++ b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_create_scheduled.py @@ -20,6 +20,7 @@ components: - agent + - manager daemons: - wazuh-agentd @@ -67,6 +68,10 @@ - fim_mode: realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. whodata: Implies real-time monitoring but adding the `who-data` information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. + 1: Only level 1 tests are performed, they check functionalities of medium complexity. + 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. tags: - fim diff --git a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_db_inode_check.py b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_db_inode_check.py index 8c6e40618c..f1b11e2408 100644 --- a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_db_inode_check.py 
+++ b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_db_inode_check.py @@ -20,6 +20,7 @@ components: - agent + - manager daemons: - wazuh-agentd @@ -56,6 +57,10 @@ - fim_mode: realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. whodata: Implies real-time monitoring but adding the `who-data` information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. + 1: Only level 1 tests are performed, they check functionalities of medium complexity. + 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. tags: - fim diff --git a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_delete_folder.py b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_delete_folder.py index 9dc63855b6..d4e64234b6 100644 --- a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_delete_folder.py +++ b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_delete_folder.py @@ -20,6 +20,7 @@ components: - agent + - manager daemons: - wazuh-agentd @@ -62,6 +63,10 @@ - fim_mode: realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. whodata: Implies real-time monitoring but adding the `who-data` information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. + 1: Only level 1 tests are performed, they check functionalities of medium complexity. + 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. tags: - fim diff --git a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_dir_with_commas.py b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_dir_with_commas.py index e05f461383..e44465bd72 100644 
--- a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_dir_with_commas.py +++ b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_dir_with_commas.py @@ -20,6 +20,7 @@ components: - agent + - manager daemons: - wazuh-agentd @@ -62,6 +63,10 @@ - fim_mode: realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. whodata: Implies real-time monitoring but adding the `who-data` information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. + 1: Only level 1 tests are performed, they check functionalities of medium complexity. + 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. tags: - fim @@ -117,7 +122,7 @@ def test_directories_with_commas(directory, get_configuration, put_env_variables whose name contains commas. For this purpose, the test will monitor a testing folder using the `scheduled` monitoring mode, and create the testing files inside it. Then, perform CUD (creation, update, and delete) operations and finally verify that - the `FIM` events are generated correctly. + the `FIM` events are generated correctly. wazuh_min_version: 4.2 diff --git a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_disabled.py b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_disabled.py index d54b14486e..a7deb0564e 100644 --- a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_disabled.py +++ b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_disabled.py @@ -20,6 +20,7 @@ components: - agent + - manager daemons: - wazuh-agentd 
@@ -62,6 +63,10 @@ - fim_mode: realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. whodata: Implies real-time monitoring but adding the `who-data` information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. + 1: Only level 1 tests are performed, they check functionalities of medium complexity. + 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. tags: - fim diff --git a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_entries_match_path_count.py b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_entries_match_path_count.py index 450015084b..16c7078f42 100644 --- a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_entries_match_path_count.py +++ b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_entries_match_path_count.py @@ -20,6 +20,7 @@ components: - agent + - manager daemons: - wazuh-agentd @@ -68,6 +69,10 @@ - fim_mode: realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. whodata: Implies real-time monitoring but adding the `who-data` information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. + 1: Only level 1 tests are performed, they check functionalities of medium complexity. + 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. tags: - fim diff --git a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_move_dir.py b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_move_dir.py index 6a4d476dc8..501aa92568 100644 --- a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_move_dir.py +++ b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_move_dir.py 
@@ -1,7 +1,76 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: These tests will check if the File Integrity Monitoring (`FIM`) system watches selected files + and triggering alerts when these files are modified. Specifically, they will check if + `FIM` events are generated when subfolders are moved between monitored directories. + The `FIM` capability is managed by the `wazuh-syscheckd` daemon, which checks configured files + for changes to the checksums, permissions, and ownership. + +tier: 0 + +modules: + - fim + +components: + - agent + - manager + +daemons: + - wazuh-agentd + - wazuh-syscheckd + +os_platform: + - linux + - windows + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + - Windows 10 + - Windows 8 + - Windows 7 + - Windows Server 2016 + - Windows server 2012 + - Windows server 2003 + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the `who-data` information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. + 1: Only level 1 tests are performed, they check functionalities of medium complexity. 
+ 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. + +tags: + - fim +''' import os import shutil import sys 
@@ -70,24 +139,61 @@ def extra_configuration_after_yield(): ]) def test_move_dir(source_folder, target_folder, subdir, tags_to_apply, triggers_delete_event, triggers_add_event, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): - """ - Check if syscheckd detects 'added' or 'deleted' events when moving a - subfolder from a folder to another one. - - Parameters - ---------- - subdir : str - Name of the subdir to be moved. - source_folder : str - Folder to move the file from. - target_folder : str - Destination folder to move the file to. - triggers_delete_event : bool - Expect a 'deleted' event in the source folder. - triggers_add_event : bool - Expect a 'added' event in the target folder. - """ - + ''' + description: Check if the `wazuh-syscheckd` daemon detects `added` and `deleted` events when moving a subdirectory + from a monitored folder to another one. For this purpose, the test will move a testing subfolder + from the source directory to the target directory and change the system time until the next + scheduled scan. Finally, it verifies that the expected `FIM` events have been generated. + + wazuh_min_version: 4.2 + + parameters: + - source_folder: + type: str + brief: Path to the source directory where the subfolder to move is located. + - target_folder: + type: str + brief: Path to the destination directory where the subfolder will be moved. + - subdir: + type: str + brief: Name of the subfolder to be moved. + - tags_to_apply: + type: set + brief: Run test if match with a configuration identifier, skip otherwise. + - triggers_delete_event: + type: bool + brief: True if it expects a `deleted` event in the source folder. False otherwise. + - triggers_add_event: + type: bool + brief: True if it expects an `added` event in the target folder. False otherwise. + - get_configuration: + type: fixture + brief: Get configurations from the module. 
+ - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the `ossec.log` file and start a new monitor. + - wait_for_fim_start: + type: fixture + brief: Wait for realtime start, whodata start, or end of initial FIM scan. + + assertions: + - Verify that `FIM` events of type `added` and `deleted` are generated + when subfolders are moved between monitored directories. + + input_description: A test case (ossec_conf) is contained in external `YAML` file (wazuh_conf.yaml) + which includes configuration settings for the `wazuh-syscheckd` daemon and, it + is combined with the testing directories to be monitored defined in this module. + + expected_output: + - r'.*Sending FIM event: (.+)$' (`added` and `deleted` events) + + tags: + - scheduled + - time_travel + ''' check_apply_test(tags_to_apply, get_configuration['tags']) scheduled = get_configuration['metadata']['fim_mode'] == 'scheduled' mode = get_configuration['metadata']['fim_mode'] diff --git a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_move_file.py b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_move_file.py index 5d1a8f3498..1b1ee7154f 100644 --- a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_move_file.py +++ b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_move_file.py 
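Review bot: The description says the test will `change the system time until the next scheduled scan`, yet the body reads `fim_mode` into `scheduled` and `mode`, which suggests realtime and whodata runs in which no time travel happens; `and, when the monitoring mode is scheduled, advance the system time to the next scan` would cover all parameterisations. The `tags_to_apply` brief `Run test if match with a configuration identifier, skip otherwise.` is ungrammatical; `Run the test only if the configuration identifier matches, skip it otherwise.` is clearer. test_move_dir continues past the end of the hunk.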
@@ -1,7 +1,76 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: These tests will check if the File Integrity Monitoring (`FIM`) system watches selected files + and triggering alerts when these files are modified. Specifically, they will check if + `FIM` events are generated when files are moved between monitored directories. + The `FIM` capability is managed by the `wazuh-syscheckd` daemon, which checks configured files + for changes to the checksums, permissions, and ownership. + +tier: 0 + +modules: + - fim + +components: + - agent + - manager + +daemons: + - wazuh-agentd + - wazuh-syscheckd + +os_platform: + - linux + - windows + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + - Windows 10 + - Windows 8 + - Windows 7 + - Windows Server 2016 + - Windows server 2012 + - Windows server 2003 + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the `who-data` information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. + 1: Only level 1 tests are performed, they check functionalities of medium complexity. 
+ 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. + +tags: + - fim +''' import os import pytest 
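Review bot: The module `brief` says the FIM system `watches selected files and triggering alerts when these files are modified`; the verbs do not agree, and `watches selected files and triggers alerts` reads correctly. The identical sentence appears in the new module docstrings of test_basic_usage_new_dirs.py, test_basic_usage_no_dir.py, test_basic_usage_quick_changes.py, test_basic_usage_rename.py, test_basic_usage_starting_agent.py and test_basic_usage_wildcards_runtime.py in this patch. In the `os_version` list, `Windows Server 2016` is capitalised differently from `Windows server 2012` and `Windows server 2003`; if the documentation generator groups on these values, the inconsistent spelling would split them, so I'd normalise them to one form.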
@@ -58,25 +127,65 @@ def test_move_file(file, file_content, tags_to_apply, source_folder, target_fold triggers_delete_event, triggers_add_event, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): - """ - Check if syscheckd detects 'added' or 'deleted' events when moving a file. - - Parameters - ---------- - file : str - Name of the file to be created. - file_content : str - Content of the file to be created. - source_folder : str - Folder to move the file from. - target_folder : str - Destination folder to move the file to. - triggers_delete_event : bool - Expects a 'deleted' event in the `source_folder`. - triggers_add_event : bool - Expects a 'added' event in the `target_folder`. - """ - + ''' + description: Check if the `wazuh-syscheckd` daemon detects `added` and `deleted` events when moving a file + from a monitored folder to another one. For this purpose, the test will create a testing file and + move it from the source directory to the target directory. Then, it changes the system time until + the next scheduled scan, and finally, it removes the testing file and verifies that + the expected `FIM` events have been generated. + + wazuh_min_version: 4.2 + + parameters: + - file: + type: str + brief: Name of the testing file to be created. + - file_content: + type: str + brief: Content of the testing file to be created. + - tags_to_apply: + type: set + brief: Run test if match with a configuration identifier, skip otherwise. + - source_folder: + type: str + brief: Path to the source directory where the testing file to move is located. + - target_folder: + type: str + brief: Path to the destination directory where the testing file will be moved. + - triggers_delete_event: + type: bool + brief: True if it expects a `deleted` event in the source folder. False otherwise. + - triggers_add_event: + type: bool + brief: True if it expects an `added` event in the target folder. False otherwise. 
+ - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the `ossec.log` file and start a new monitor. + - wait_for_fim_start: + type: fixture + brief: Wait for realtime start, whodata start, or end of initial FIM scan. + + assertions: + - Verify that `FIM` events of type `added` and `deleted` are generated + when files are moved between monitored directories. + + input_description: A test case (ossec_conf) is contained in external `YAML` file (wazuh_conf.yaml) + which includes configuration settings for the `wazuh-syscheckd` daemon and, it + is combined with the testing directories to be monitored defined in this module. + + expected_output: + - r'.*Sending FIM event: (.+)$' (`added` and `deleted` events) + + tags: + - scheduled + - time_travel + ''' check_apply_test(tags_to_apply, get_configuration['tags']) scheduled = get_configuration['metadata']['fim_mode'] == 'scheduled' mode = get_configuration['metadata']['fim_mode'] diff --git a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_new_dirs.py b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_new_dirs.py index f5a399213f..3775887664 100644 --- a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_new_dirs.py +++ b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_new_dirs.py 
@@ -1,7 +1,76 @@
-# Copyright (C) 2015-2021, Wazuh Inc.
-# Created by Wazuh, Inc. .
-# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
-
+'''
+copyright: Copyright (C) 2015-2021, Wazuh Inc.
+
+ Created by Wazuh, Inc. .
+
+ This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: These tests will check if the File Integrity Monitoring (`FIM`) system watches selected files
+ and triggering alerts when these files are modified. Specifically, they will check if
+ `FIM` events are generated after the next scheduled scan using the `scheduled` monitoring mode.
+ The `FIM` capability is managed by the `wazuh-syscheckd` daemon, which checks configured files
+ for changes to the checksums, permissions, and ownership.
+
+tier: 0
+
+modules:
+ - fim
+
+components:
+ - agent
+ - manager
+
+daemons:
+ - wazuh-agentd
+ - wazuh-syscheckd
+
+os_platform:
+ - linux
+ - windows
+
+os_version:
+ - Arch Linux
+ - Amazon Linux 2
+ - Amazon Linux 1
+ - CentOS 8
+ - CentOS 7
+ - CentOS 6
+ - Ubuntu Focal
+ - Ubuntu Bionic
+ - Ubuntu Xenial
+ - Ubuntu Trusty
+ - Debian Buster
+ - Debian Stretch
+ - Debian Jessie
+ - Debian Wheezy
+ - Red Hat 8
+ - Red Hat 7
+ - Red Hat 6
+ - Windows 10
+ - Windows 8
+ - Windows 7
+ - Windows Server 2016
+ - Windows server 2012
+ - Windows server 2003
+
+references:
+ - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+ - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
+
+pytest_args:
+ - fim_mode:
+ realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems.
+ whodata: Implies real-time monitoring but adding the `who-data` information.
+ - tier:
+ 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+ 1: Only level 1 tests are performed, they check functionalities of medium complexity.
+ 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+ - fim
+'''
 import os
 import shutil
 import sys
@@ -63,20 +132,44 @@ def extra_configuration_after_yield(): {'ossec_conf'} ]) def test_new_directory(tags_to_apply, get_configuration, configure_environment, restart_syscheckd): - """ - Check that a new monitored directory generates events after the next scheduled scan. - - This test performs the following steps: - - Monitor a directory that does not exist. - - Create the directory with files inside. Check that this does not produce events in ossec.log. - - Move time forward to the next scheduled scan. - - Check that now creating files within the directory do generate events. - - Parameters - ---------- - tags_to_apply : set - Run test if matches with a configuration identifier, skip otherwise - """ + ''' + description: Check if the `wazuh-syscheckd` daemon detects `CUD` (creation, update, and delete) events after + the next scheduled scan. For this purpose, the test will create a monitored folder and several + testing files inside it. Then, it will perform different operations over the testing files and + verify that no events are generated before the next scheduled scan. Finally, the test + will perform operations on another set of testing files and wait to the next scheduled scan for + the expected `FIM` events to be generated. + + wazuh_min_version: 4.2 + + parameters: + - tags_to_apply: + type: set + brief: Run test if match with a configuration identifier, skip otherwise. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the `ossec.log` file and start a new monitor. + + assertions: + - Verify that `FIM` events are generated after the next scheduled scan using the `scheduled` monitoring mode. 
+ + input_description: A test case (ossec_conf) is contained in external `YAML` file + (wazuh_conf_new_dirs.yaml or wazuh_conf_new_dirs_win32.yaml) + which includes configuration settings for the `wazuh-syscheckd` daemon and, it + is combined with the testing directories to be monitored defined in this module. + + expected_output: + - r'.*Sending FIM event: (.+)$' (`added`, `modified`, and `deleted` events) + + tags: + - scheduled + ''' check_apply_test(tags_to_apply, get_configuration['tags']) if sys.platform != 'win32': diff --git a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_no_dir.py b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_no_dir.py index 7a3649e436..90bef7982e 100644 --- a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_no_dir.py +++ b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_no_dir.py 
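Review bot: The new description drops a precondition the removed docstring stated explicitly: the monitored directory does not exist when the daemon starts and is only created afterwards, with files inside. That precondition is what makes the "no events before the next scheduled scan" check meaningful, so I'd put it back in the first sentence, e.g. `For this purpose, the test monitors a directory that does not exist yet, creates it with several testing files inside, and verifies that no events are generated before the next scheduled scan.` The body of test_new_directory continues outside the hunk.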
@@ -1,7 +1,76 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: These tests will check if the File Integrity Monitoring (`FIM`) system watches selected files + and triggering alerts when these files are modified. Specifically, they will check if + the `wazuh-syscheckd` daemon generates a debug log when the `directories` configuration tag is empty. + The `FIM` capability is managed by the `wazuh-syscheckd` daemon, which checks configured files + for changes to the checksums, permissions, and ownership. + +tier: 0 + +modules: + - fim + +components: + - agent + - manager + +daemons: + - wazuh-agentd + - wazuh-syscheckd + +os_platform: + - linux + - windows + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + - Windows 10 + - Windows 8 + - Windows 7 + - Windows Server 2016 + - Windows server 2012 + - Windows server 2003 + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the `who-data` information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. 
+ 1: Only level 1 tests are performed, they check functionalities of medium complexity. + 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. + +tags: + - fim +''' import os import pytest 
@@ -49,13 +118,44 @@ def get_configuration(request): {'ossec_conf'} ]) def test_new_directory(tags_to_apply, get_configuration, configure_environment, restart_syscheckd): - """Verify that syscheck shows a debug message when an empty directories tag is found. - - Parameters - ---------- - tags_to_apply : set - Run test if matches with a configuration identifier, skip otherwise - """ + ''' + description: Check if the `wazuh-syscheckd` daemon shows a debug message when an empty `directories` tag is found. + For this purpose, the test uses a configuration without specifying the directory to monitor. + It will then verify that the appropriate debug message is generated. Finally, the test will use + a valid directory and verify that the above message is not generated. + + wazuh_min_version: 4.2 + + parameters: + - tags_to_apply: + type: set + brief: Run test if match with a configuration identifier, skip otherwise. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the `ossec.log` file and start a new monitor. + + assertions: + - Verify that the `wazuh-syscheckd` daemon generates a debug log when + the `directories` configuration tag is empty. + - Verify that the `wazuh-syscheckd` daemon does not generate a debug log when + the `directories` configuration tag is not empty. + + input_description: A test case (ossec_conf) is contained in external `YAML` file (wazuh_conf.yaml) + which includes configuration settings for the `wazuh-syscheckd` daemon and, it + is combined with the testing directories to be monitored defined in this module. + + expected_output: + - r'Empty directories tag found in the configuration.' + + tags: + - scheduled + ''' check_apply_test(tags_to_apply, get_configuration['tags']) # Check that the warning is displayed when there is no directory. 
diff --git a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_quick_changes.py b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_quick_changes.py index 0e58fbb217..839c711b3d 100644 --- a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_quick_changes.py +++ b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_quick_changes.py 
@@ -1,7 +1,77 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: These tests will check if the File Integrity Monitoring (`FIM`) system watches selected + files and triggering alerts when these files are modified. Specifically, they will check + if `FIM` events of type `added`, `modified`, and `deleted` are generated when the related + operations are performed in specific time intervals. + The `FIM` capability is managed by the `wazuh-syscheckd` daemon, which checks configured files + for changes to the checksums, permissions, and ownership. + +tier: 0 + +modules: + - fim + +components: + - agent + - manager + +daemons: + - wazuh-agentd + - wazuh-syscheckd + +os_platform: + - linux + - windows + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + - Windows 10 + - Windows 8 + - Windows 7 + - Windows Server 2016 + - Windows server 2012 + - Windows server 2003 + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the `who-data` information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. 
+ 1: Only level 1 tests are performed, they check functionalities of medium complexity. + 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. + +tags: + - fim +''' import os import time 
@@ -55,15 +125,49 @@ def get_configuration(request): ]) def test_regular_file_changes(sleep, tags_to_apply, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): - """ - Check if syscheckd detects regular file changes (add, modify, delete) with a very specific delay between every - action. - - Parameters - ---------- - sleep : float - Delay in seconds between every action. - """ + ''' + description: Check if the `wazuh-syscheckd` regular file changes (add, modify, delete) with a very specific delay + between every operation. For this purpose, the test will perform the above operations over + a testing file and wait for the specified time between each operation. Finally, the test + will check that the expected `FIM` events have been generated. + + wazuh_min_version: 4.2 + + parameters: + - sleep: + type: float + brief: Delay in seconds between every action. + - tags_to_apply: + type: set + brief: Run test if match with a configuration identifier, skip otherwise. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the `ossec.log` file and start a new monitor. + - wait_for_fim_start: + type: fixture + brief: Wait for realtime start, whodata start, or end of initial FIM scan. + + assertions: + - Verify that `FIM` events of type `added`, `modified`, and `deleted` are generated + when the related operations are performed in specific time intervals. + + input_description: A test case (ossec_conf) is contained in external `YAML` file (wazuh_conf.yaml) + which includes configuration settings for the `wazuh-syscheckd` daemon and, it + is combined with the testing directories to be monitored defined in this module. 
+ + expected_output: + - r'.*Sending FIM event: (.+)$' + + tags: + - realtime + - who-data + ''' check_apply_test(tags_to_apply, get_configuration['tags']) file = 'regular' diff --git a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_rename.py b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_rename.py index e3d3325f91..1cdef57263 100644 --- a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_rename.py +++ b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_rename.py 
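Review bot: The description is missing its verb phrase: `Check if the wazuh-syscheckd regular file changes (add, modify, delete) with a very specific delay` no longer says what is being checked. The removed text had it, so I'd write `Check if the wazuh-syscheckd daemon detects regular file changes (add, modify, delete) with a very specific delay between every operation.` The body of test_regular_file_changes continues outside the hunk.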
@@ -1,7 +1,77 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: These tests will check if the File Integrity Monitoring (`FIM`) system watches selected + files and triggering alerts when these files are modified. Specifically, they will check + if `FIM` events of type `added` and `deleted` are generated when monitored directories + or files are renamed. + The `FIM` capability is managed by the `wazuh-syscheckd` daemon, which checks configured files + for changes to the checksums, permissions, and ownership. + +tier: 0 + +modules: + - fim + +components: + - agent + - manager + +daemons: + - wazuh-agentd + - wazuh-syscheckd + +os_platform: + - linux + - windows + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + - Windows 10 + - Windows 8 + - Windows 7 + - Windows Server 2016 + - Windows server 2012 + - Windows server 2003 + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the `who-data` information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. 
+ 1: Only level 1 tests are performed, they check functionalities of medium complexity. + 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. + +tags: + - fim +''' import os import shutil 
@@ -66,17 +136,55 @@ def clean_directories(request): def test_rename(folder, tags_to_apply, get_configuration, clean_directories, configure_environment, restart_syscheckd, wait_for_fim_start): - """ - Check if syscheckd detects events when renaming directories or files. - - If we rename a directory or file, we expect 'deleted' and 'added' events. - - Parameters - ---------- - folder : str - Directory where the files will be created. - """ - + ''' + description: Check if the `wazuh-syscheckd` daemon detects events when renaming directories or files. + When changing directory or file names, `FIM` events of type `deleted` and `added` + should be generated. For this purpose, the test will create the directory and testing files + to be monitored and verify that they have been created correctly. It will then verify two cases, + on the one hand that the proper `FIM` events are generated when the testing files are renamed + in the monitored directory, and on the other hand, that these events are generated + when the monitored directory itself is renamed. + + wazuh_min_version: 4.2 + + parameters: + - folder: + type: str + brief: Path to the directory where the files will be created. + - tags_to_apply: + type: set + brief: Run test if match with a configuration identifier, skip otherwise. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - clean_directories: + type: fixture + brief: Delete the contents of the testing directory. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the `ossec.log` file and start a new monitor. + - wait_for_fim_start: + type: fixture + brief: Wait for realtime start, whodata start, or end of initial FIM scan. + + assertions: + - Verify that `FIM` events of type `added` and `deleted` are generated + when monitored directories or files are renamed. 
+ + input_description: A test case (ossec_conf) is contained in external `YAML` file (wazuh_conf.yaml) + which includes configuration settings for the `wazuh-syscheckd` daemon and, it + is combined with the testing directories to be monitored defined in this module. + + expected_output: + - r'.*Sending FIM event: (.+)$' (`added` and `deleted` events) + + tags: + - scheduled + - time_travel + ''' def expect_events(path): event = wazuh_log_monitor.start(timeout=global_parameters.default_timeout, callback=callback_detect_event, diff --git a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_starting_agent.py b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_starting_agent.py index 7446745599..c4855ff9b1 100644 --- a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_starting_agent.py +++ b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_starting_agent.py 
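Review bot: The closing `'''` of the new docstring runs straight into the nested `def expect_events(path):`; the blank line the old docstring kept before that helper was removed together with the numpydoc text, and restoring it keeps the docstring visually separate from the helper definition. The brief for `clean_directories` (`Delete the contents of the testing directory.`) describes a fixture defined outside the hunk, so I could not confirm it from here. The body of test_rename continues outside the hunk.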
@@ -1,7 +1,77 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: These tests will check if the File Integrity Monitoring (`FIM`) system watches selected + files and triggering alerts when these files are modified. Specifically, they will check + if `FIM` events of type `modified` and `deleted` are generated when files that exist before + starting the Wazuh agent are modified. + The `FIM` capability is managed by the `wazuh-syscheckd` daemon, which checks configured files + for changes to the checksums, permissions, and ownership. + +tier: 0 + +modules: + - fim + +components: + - agent + - manager + +daemons: + - wazuh-agentd + - wazuh-syscheckd + +os_platform: + - linux + - windows + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + - Windows 10 + - Windows 8 + - Windows 7 + - Windows Server 2016 + - Windows server 2012 + - Windows server 2003 + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the `who-data` information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. 
+ 1: Only level 1 tests are performed, they check functionalities of medium complexity. + 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. + +tags: + - fim +''' import os import pytest 
@@ -65,7 +135,50 @@ def get_configuration(request): ]) def test_events_from_existing_files(filename, tags_to_apply, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): - """Check if syscheck generates modified alerts for files that exists when starting the agent""" + ''' + description: Check if the `wazuh-syscheckd` daemon detects `modified` and `deleted` events when modifying + files that exist before the Wazuh agent is started. For this purpose, the test will modify + the testing file, change the system time to the next scheduled scan, and verify that + the proper `FIM` event is generated. Finally, the test will perform + the above steps but deleting the testing file. + + wazuh_min_version: 4.2 + + parameters: + - filename: + type: str + brief: Name of the testing file to be modified. + - tags_to_apply: + type: set + brief: Run test if match with a configuration identifier, skip otherwise. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the `ossec.log` file and start a new monitor. + - wait_for_fim_start: + type: fixture + brief: Wait for realtime start, whodata start, or end of initial FIM scan. + + assertions: + - Verify that `FIM` events of type `modified` and `deleted` are generated + when files that exist before starting the Wazuh agent are modified. + + input_description: A test case (ossec_conf) is contained in external `YAML` file (wazuh_conf.yaml) + which includes configuration settings for the `wazuh-syscheckd` daemon and, it + is combined with the testing directories to be monitored defined in this module. 
+ + expected_output: + - r'.*Sending FIM event: (.+)$' (`modified` and `deleted` events) + + tags: + - scheduled + - time_travel + ''' check_apply_test(tags_to_apply, get_configuration['tags']) scheduled = get_configuration['metadata']['fim_mode'] == 'scheduled' mode = get_configuration['metadata']['fim_mode'] diff --git a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_wildcards_runtime.py b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_wildcards_runtime.py index 4a281c5df6..246c7d2837 100644 --- a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_wildcards_runtime.py +++ b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_wildcards_runtime.py 
@@ -1,7 +1,76 @@
-# Copyright (C) 2015-2021, Wazuh Inc.
-# Created by Wazuh, Inc. .
-# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
-
+'''
+copyright: Copyright (C) 2015-2021, Wazuh Inc.
+
+ Created by Wazuh, Inc. .
+
+ This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: These tests will check if the File Integrity Monitoring (`FIM`) system watches selected
+ files and triggering alerts when these files are modified. Specifically, they will check
+ if `FIM` monitors newly added directories that match a wildcard used in the configuration.
+ The `FIM` capability is managed by the `wazuh-syscheckd` daemon, which checks configured files
+ for changes to the checksums, permissions, and ownership.
+
+tier: 0
+
+modules:
+ - fim
+
+components:
+ - agent
+ - manager
+
+daemons:
+ - wazuh-agentd
+ - wazuh-syscheckd
+
+os_platform:
+ - linux
+ - windows
+
+os_version:
+ - Arch Linux
+ - Amazon Linux 2
+ - Amazon Linux 1
+ - CentOS 8
+ - CentOS 7
+ - CentOS 6
+ - Ubuntu Focal
+ - Ubuntu Bionic
+ - Ubuntu Xenial
+ - Ubuntu Trusty
+ - Debian Buster
+ - Debian Stretch
+ - Debian Jessie
+ - Debian Wheezy
+ - Red Hat 8
+ - Red Hat 7
+ - Red Hat 6
+ - Windows 10
+ - Windows 8
+ - Windows 7
+ - Windows Server 2016
+ - Windows server 2012
+ - Windows server 2003
+
+references:
+ - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+ - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
+
+pytest_args:
+ - fim_mode:
+ realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems.
+ whodata: Implies real-time monitoring but adding the `who-data` information.
+ - tier:
+ 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+ 1: Only level 1 tests are performed, they check functionalities of medium complexity.
+ 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+ - fim
+'''
 import os
 import sys
 import pytest
@@ -74,22 +143,61 @@ def get_configuration(request): def test_basic_usage_wildcards_runtime(subfolder_name, file_name, tags_to_apply, get_configuration, configure_environment, restart_syscheckd, wait_for_initial_scan, create_test_folders, wait_for_wildcards_scan): - """Test the expansion once a given directory matches a configured expresion. - - The test monitors a given expresion and will create folders that match the configured expresion. It also creates - folders that doesn't match the expresion and check that no event is triggered if changes are made inside a folder - that doesn't match the glob expresion. - Params: - subfolder_name (str): Name of the subfolder under root folder. - file_name (str): Name of the file that will be created under subfolder. - tags_to_apply (str): Value holding the configuration used in the test. - get_configuration (fixture): Gets the current configuration of the test. - configure_environment (fixture): Configure the environment for the execution of the test. - restart_syscheckd (fixture): Restarts syscheck. - wait_for_initial_scan (fixture): Waits until the first FIM scan is completed. - create_test_folders (fixture): Creates the folders that will match (or not) the configured glob expresion. - wait_for_wildcards_scan (fixture): Waits until the end of wildcards scan event is triggered. - """ + ''' + description: Check if the number of directories to monitor grows when using wildcards to specify them. + For this purpose, the test will configure wildcards expressions and create an empty folder. + Once the `FIM` module has started, and the `baseline` scan is completed, the test will create + folders that may match a configured expression, and it waits until the wildcards are expanded + again (in the next scan). Once the wildcards are reloaded, the test will create, modify and + delete files inside those folders. Finally, the test will wait for events of a folder + only if it matches a configured expression. 
+ + wazuh_min_version: 4.2 + + parameters: + - subfolder_name: + type: str + brief: Path to the subdirectory in the monitored folder. + - filename: + type: str + brief: Name of the testing file that will be created in the subfolder. + - tags_to_apply: + type: set + brief: Run test if match with a configuration identifier, skip otherwise. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the `ossec.log` file and start a new monitor. + - wait_for_initial_scan: + type: fixture + brief: Wait until the first FIM scan is completed. + - create_test_folders: + type: fixture + brief: Create the testing folders that will match (or not) the configured glob expression. + - wait_for_wildcards_scan: + type: fixture + brief: Wait until the end of wildcards scan event is triggered. + + assertions: + - Verify that `FIM` monitors newly added directories that match a wildcard used in the configuration. + + input_description: A test case (ossec_conf_wildcards_runtime) is contained in external `YAML` file + (wazuh_conf_wildcards_rt.yaml) which includes configuration settings for + the `wazuh-syscheckd` daemon and, it is combined with the testing directories + to be monitored defined in this module. + + expected_output: + - r'.*Sending FIM event: (.+)$' (`added`, `modified` and `deleted` events) + + tags: + - realtime + - who-data + ''' check_apply_test(tags_to_apply, get_configuration['tags']) if sys.platform == 'win32': if '?' in file_name or '*' in file_name: From e87c8f5c686cd8b51f845db9d85015082f200420 Mon Sep 17 00:00:00 2001 
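Review bot: The `parameters` section documents `filename`, but the signature shown in the hunk header is `test_basic_usage_wildcards_runtime(subfolder_name, file_name, tags_to_apply, ...)` and the body right after the docstring tests `'?' in file_name`, so the entry must be `- file_name:` for the documentation to match the code. The same `filename`/`file_name` mismatch appears in the `test_basic_usage_wildcards` docstring hunk of the next file (`@@ -56,27 +125,53 @@`), whose signature also takes `file_name`. The rest of the function body continues outside the hunk.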
From: mdengra Date: Tue, 28 Sep 2021 09:32:24 +0200 Subject: [PATCH 07/12] doc: Add test_fim/test_files/test_basic_usage documentation in QA Docs style The following tests have been documentated: * test_basic_usage_wildcards_runtime.py * test_basic_usage_wildcards.py Minor corrections in the documentation of the remaining tests. The current scheme of the issue #1694 has been used. Updated config.yaml PEP-8 fixes. Closes: #1927 --- docs/DocGenerator/config.yaml | 1 + .../test_basic_usage_wildcards.py | 145 +++++++++++++++--- .../test_basic_usage_wildcards_runtime.py | 2 +- 3 files changed, 122 insertions(+), 26 deletions(-) diff --git a/docs/DocGenerator/config.yaml b/docs/DocGenerator/config.yaml index 8b7538d506..e6ef9e7da6 100644 --- a/docs/DocGenerator/config.yaml +++ b/docs/DocGenerator/config.yaml @@ -48,6 +48,7 @@ Ignore paths: - "../../tests/integration/test_cluster/test_key_polling/data" - "../../tests/integration/test_fim/test_files/test_ambiguous_confs/data" - "../../tests/integration/test_fim/test_files/test_audit/data" + - "../../tests/integration/test_fim/test_files/test_basic_usage/data" Output fields: Module: diff --git a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_wildcards.py b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_wildcards.py index 4828f1d21e..7addfc38d9 100644 --- a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_wildcards.py +++ b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_wildcards.py 
@@ -1,7 +1,76 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: These tests will check if the File Integrity Monitoring (`FIM`) system watches selected + files and triggering alerts when these files are modified. Specifically, they will check + if `FIM` monitors newly added directories that match a wildcard used in the configuration. + The `FIM` capability is managed by the `wazuh-syscheckd` daemon, which checks configured files + for changes to the checksums, permissions, and ownership. + +tier: 0 + +modules: + - fim + +components: + - agent + - manager + +daemons: + - wazuh-agentd + - wazuh-syscheckd + +os_platform: + - linux + - windows + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + - Windows 10 + - Windows 8 + - Windows 7 + - Windows Server 2016 + - Windows server 2012 + - Windows server 2003 + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the `who-data` information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. 
+ 1: Only level 1 tests are performed, they check functionalities of medium complexity. + 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. + +tags: + - fim +''' import os import sys import pytest 
@@ -56,27 +125,53 @@ def get_configuration(request): @pytest.mark.parametrize('tags_to_apply', [{'ossec_conf_wildcards'}]) def test_basic_usage_wildcards(subfolder_name, file_name, tags_to_apply, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): - """Test the correct expansion of wildcards for monitored directories in syscheck - - The following wildcards expansions will be tried against the directory list: - - test_folder/simple? will match simple? - - test_folder/star* will match stars123 - - test_folder/*ple* will match simple1 and multiple_1 - - not_monitored_directory won't match any of the previous expressions - - For each subfolder there will be three different calls to regular_file_cud and - for every subfolder the variable triggers_event will be set properly depending on the - wildcards matching of the subfolder. - - Params: - subfolder_name (str): Name of the subfolder under root folder. - file_name (str): Name of the file that will be created under subfolder. - tags_to_apply (str): Value holding the configuration used in the test. - get_configuration (fixture): Gets the current configuration of the test. - configure_environment (fixture): Configure the environment for the execution of the test. - restart_syscheckd (fixture): Restarts syscheck. - wait_for_fim_start (fixture): Waits until the first FIM scan is completed. - """ + ''' + description: Check if the number of directories to monitor grows when using wildcards to specify them. + For this purpose, the test creates a set of directories that match the wildcard expressions + and ones that do not match the expressions set in the directories to be monitored. + Then, the test will create, modify and delete files inside a folder given as an argument. + Finally, the test will wait for events only if the folder where the changes are made + matches the expression previously set in the `wazuh-syscheckd` daemon configuration. 
+ + wazuh_min_version: 4.2 + + parameters: + - subfolder_name: + type: str + brief: Path to the subdirectory in the monitored folder. + - filename: + type: str + brief: Name of the testing file that will be created in the subfolder. + - tags_to_apply: + type: set + brief: Run test if match with a configuration identifier, skip otherwise. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the `ossec.log` file and start a new monitor. + - wait_for_fim_start: + type: fixture + brief: Wait until the first FIM scan is completed. + + assertions: + - Verify that `FIM` monitors newly added directories that match a wildcard used in the configuration. + + input_description: A test case (ossec_conf_wildcards) is contained in external `YAML` file + (wazuh_conf_wildcards.yaml) which includes configuration settings for + the `wazuh-syscheckd` daemon and, it is combined with the testing + directories to be monitored defined in this module. + + expected_output: + - r'.*Sending FIM event: (.+)$' (`added`, `modified` and `deleted` events) + + tags: + - scheduled + ''' if sys.platform == 'win32': if '?' in file_name or '*' in file_name: pytest.skip("Windows can't create files with wildcards.") diff --git a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_wildcards_runtime.py b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_wildcards_runtime.py index 246c7d2837..f582fd04c4 100644 --- a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_wildcards_runtime.py +++ b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_wildcards_runtime.py 
@@ -195,7 +195,7 @@ def test_basic_usage_wildcards_runtime(subfolder_name, file_name, tags_to_apply, - r'.*Sending FIM event: (.+)$' (`added`, `modified` and `deleted` events) tags: - - realtime + - scheduled - who-data ''' check_apply_test(tags_to_apply, get_configuration['tags']) From f7f57efbcab48a35faf46b6b494ca6b01a8d5309 Mon Sep 17 00:00:00 2001 From: mdengra Date: Tue, 28 Sep 2021 14:43:27 +0200 Subject: [PATCH 08/12] doc: Add test_benchmark and test_checks of test_fim/test_files documentation in QA Docs style The following tests have been documentated: * test_benchmark.py * test_report_changes_big.py * test_check_all.py * test_check_others.py * test_checksums.py The current scheme of the issue #1694 has been used. PEP-8 fixes. Closes: #1936 --- .../test_benchmark/test_benchmark.py | 133 ++++++++- .../test_benchmark/test_report_changes_big.py | 150 ++++++++-- .../test_files/test_checks/test_check_all.py | 268 ++++++++++++++---- .../test_checks/test_check_others.py | 205 +++++++++++--- .../test_files/test_checks/test_checksums.py | 205 +++++++++++--- 5 files changed, 801 insertions(+), 160 deletions(-) diff --git a/tests/integration/test_fim/test_files/test_benchmark/test_benchmark.py b/tests/integration/test_fim/test_files/test_benchmark/test_benchmark.py index 595bb48e23..a1722c0c81 100644 --- a/tests/integration/test_fim/test_files/test_benchmark/test_benchmark.py +++ b/tests/integration/test_fim/test_files/test_benchmark/test_benchmark.py 
@@ -1,7 +1,76 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: These tests will check if the File Integrity Monitoring (`FIM`) system watches selected + files and triggering alerts when these files are modified. Specifically, they will check + if `FIM` CUD events are generated for each modified file before the specified time expires. + The `FIM` capability is managed by the `wazuh-syscheckd` daemon, which checks configured files + for changes to the checksums, permissions, and ownership. + +tier: 0 + +modules: + - fim + +components: + - agent + - manager + +daemons: + - wazuh-agentd + - wazuh-syscheckd + +os_platform: + - linux + - windows + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + - Windows 10 + - Windows 8 + - Windows 7 + - Windows Server 2016 + - Windows server 2012 + - Windows server 2003 + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the `who-data` information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. 
+ 1: Only level 1 tests are performed, they check functionalities of medium complexity. + 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. + +tags: + - fim +''' import os import pytest 
@@ -60,16 +129,52 @@ def get_configuration(request): def test_benchmark_regular_files(files, folder, tags_to_apply, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): - """ - Check syscheckd detects a certain volume of file changes (add, modify, delete) - - Parameters - ---------- - files: list - List of regular files to be created. - folder : str - Monitored directory where files will be created. - """ + ''' + description: Check if the `wazuh-syscheckd` daemon detects CUD events (`added`, `modified`, and `deleted`) + in a certain volume of file changes. For this purpose, the test will monitor a folder with + multiple testing files and perform modifications on them (add, modify and delete). Finally, + the test will verify that all FIM events have been generated for each change made + to each file before the set timeout expires. + + wazuh_min_version: 4.2 + + parameters: + - files: + type: list + brief: List of regular files to be created. + - folder: + type: str + brief: Monitored directory where the testing files will be created. + - tags_to_apply: + type: set + brief: Run test if match with a configuration identifier, skip otherwise. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the `ossec.log` file and start a new monitor. + - wait_for_fim_start: + type: fixture + brief: Wait for realtime start, whodata start, or end of initial FIM scan. + + assertions: + - Verify that `FIM` CUD events are generated for each modified file before the specified time expires. + + input_description: A test case (ossec_conf) is contained in external `YAML` file (wazuh_conf.yaml) + which includes configuration settings for the `wazuh-syscheckd` daemon and, it + is combined with the testing files to be monitored defined in this module. 
+ + expected_output: + - r'.*Sending FIM event: (.+)$' (`added`, `modified`, and `deleted` events) + + tags: + - realtime + - who-data + ''' check_apply_test(tags_to_apply, get_configuration['tags']) min_timeout = 30 diff --git a/tests/integration/test_fim/test_files/test_benchmark/test_report_changes_big.py b/tests/integration/test_fim/test_files/test_benchmark/test_report_changes_big.py index 828b0fcb1e..067bb08695 100644 --- a/tests/integration/test_fim/test_files/test_benchmark/test_report_changes_big.py +++ b/tests/integration/test_fim/test_files/test_benchmark/test_report_changes_big.py 
@@ -1,7 +1,77 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: These tests will check if the File Integrity Monitoring (`FIM`) system watches selected + files and triggering alerts when these files are modified. Specifically, they will check + if the `wazuh-syscheckd` daemon generates the `diff` files on large amounts of files and + files with a large size using the `report_changes` feature. + The `FIM` capability is managed by the `wazuh-syscheckd` daemon, which checks configured files + for changes to the checksums, permissions, and ownership. + +tier: 0 + +modules: + - fim + +components: + - agent + - manager + +daemons: + - wazuh-agentd + - wazuh-syscheckd + +os_platform: + - linux + - windows + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + - Windows 10 + - Windows 8 + - Windows 7 + - Windows Server 2016 + - Windows server 2012 + - Windows server 2003 + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the `who-data` information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. 
+ 1: Only level 1 tests are performed, they check functionalities of medium complexity. + 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. + +tags: + - fim +''' import os import sys from datetime import datetime @@ -161,7 +231,7 @@ def calculate_metrics(folder, event_list, fim_mode): elapsed_time_list = [event['data']['timestamp'] - event['data']['attributes']['mtime'] for event in event_list] return size_original_folder, used_rss_memory, used_vms_memory, total_creation_time, mean(elapsed_time_list), \ - median(elapsed_time_list), min(elapsed_time_list), max(elapsed_time_list) + median(elapsed_time_list), min(elapsed_time_list), max(elapsed_time_list) def write_csv(data): 
@@ -193,25 +263,57 @@ def write_csv(data): ]) def test_report_changes_big(file_size, n_files, tags_to_apply, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): - """Verify syscheck when using the report_changes option with large amount of files. - - This test creates, in a monitored directory with the report_changes option, - large amounts of files and files with a large size. Then it checks if the - expected number of events is obtained, if they are of the correct type and if a - copy of each file has been created in the corresponding directory. - - In addition, the test generates a CSV file with metrics about the time used - to create the files, to generate the logs and the size of the directory. - - Parameters - ---------- - n_files : int - Number of files to create - file_size : int - Size of each file in bytes - tags_to_apply : set - Run test if matches with a configuration identifier, skip otherwise - """ + ''' + description: Check if the `wazuh-syscheckd` daemon generates the `diff` files on large amounts of files and + files with a large size using the `report_changes` feature. For this purpose, the test creates + in a monitored directory (with the `report_changes` attribute) large amounts of files and files + with large size. Then it checks if the expected number of `FIM` events is obtained, if they are + of the correct type and if a copy of each file has been created in the corresponding directory. + In addition, the test generates a `CSV` file with metrics about the time used to create + the files, generate the logs, and the size of the directory. + + wazuh_min_version: 4.2 + + parameters: + - file_size: + type: int + brief: Size of each testing file in bytes. + - n_files: + type: int + brief: Number of testing files to create. + - tags_to_apply: + type: set + brief: Run test if match with a configuration identifier, skip otherwise. + - get_configuration: + type: fixture + brief: Get configurations from the module. 
+ - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the `ossec.log` file and start a new monitor. + - wait_for_fim_start: + type: fixture + brief: Wait for realtime start, whodata start, or end of initial FIM scan. + + assertions: + - Verify that `FIM` events are generated for each modified file. + - Verify that for each modified file a `diff` file is generated. + - Verify that `diff` files are updated when files are modified. + + input_description: A test case (ossec_conf) is contained in external `YAML` file (wazuh_conf.yaml) + which includes configuration settings for the `wazuh-syscheckd` daemon and, it + is combined with the testing files to be monitored defined in this module. + + expected_output: + - r'.*Sending FIM event: (.+)$' (`added`, `modified`, and `deleted` events) + - A `CSV` file with the metrics collected. + + tags: + - scheduled + - time_travel + ''' check_apply_test(tags_to_apply, get_configuration['tags']) fim_mode = get_configuration['metadata']['fim_mode'] data = [] diff --git a/tests/integration/test_fim/test_files/test_checks/test_check_all.py b/tests/integration/test_fim/test_files/test_checks/test_check_all.py index c257463839..92250afdcf 100644 --- a/tests/integration/test_fim/test_files/test_checks/test_check_all.py +++ b/tests/integration/test_fim/test_files/test_checks/test_check_all.py 
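Review bot: `expected_output` lists "A `CSV` file with the metrics collected" without saying where that file is written, so a reader of the generated docs cannot locate or clean up the artifact; the write is done by `write_csv(data)`, whose body is outside this hunk. Naming the destination in the entry, e.g. `- A CSV file with the collected metrics, written by write_csv to <CSV_OUTPUT_PATH>` with the placeholder replaced by the real path, would make the side effect discoverable. The function body continues after `data = []` outside the hunk.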
@@ -1,7 +1,77 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: These tests will check if the File Integrity Monitoring (`FIM`) system watches selected + files and triggering alerts when these files are modified. Specifically, they will check + if `FIM` events generated contain only the `check_` fields specified in the configuration + when using the `check_all` attribute along with other` check_` attributes. + The `FIM` capability is managed by the `wazuh-syscheckd` daemon, which checks configured files + for changes to the checksums, permissions, and ownership. + +tier: 0 + +modules: + - fim + +components: + - agent + - manager + +daemons: + - wazuh-agentd + - wazuh-syscheckd + +os_platform: + - linux + - windows + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + - Windows 10 + - Windows 8 + - Windows 7 + - Windows Server 2016 + - Windows server 2012 + - Windows server 2003 + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the `who-data` information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. 
+ 1: Only level 1 tests are performed, they check functionalities of medium complexity. + 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. + +tags: + - fim +''' import os import sys 
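Review bot: The `brief` in the new module docstring has a misplaced backtick in the fragment "along with other` check_` attributes": the opening backtick sits after `other` instead of before `check_`, so the code span renders with a leading space and the word before it loses its trailing space. Move it so the fragment is the word `other`, a space, and then `check_` inside its own backticks. The remaining header fields match the template used by the sibling files.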
@@ -72,22 +142,53 @@ def get_configuration(request): @pytest.mark.parametrize('path, checkers', parametrize_list) def test_check_all_single(path, checkers, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): - """ - Test the functionality of `check_all` option when used in conjunction with another check on the same directory, - having "check_all" to "yes" and the other check to "no". - - Example: - check_all="yes" check_sum="no" - check_all="yes" check_mtime="no" - ... - - Parameters - ---------- - path : str - Directory where the file is being created and monitored. - checkers : dict - Check options to be used. - """ + ''' + description: Check if the `wazuh-syscheckd` daemon adds in the generated events the checks specified in + the configuration. These checks are attributes indicating that a monitored file has been modified. + For example, if `check_all=yes` and `check_sum=no` are set for the same directory, `syscheck` must + send an event containing every possible `check_` except the checksums. For this purpose, the test + will monitor a testing folder using the `check_all` attribute in conjunction with one `check_` + on the same directory, having `check_all` to `yes` and the other one to `no`. + Finally, the test will verify that the `FIM` events generated contain only the fields + of the `checks` specified for the monitored folder. + + wazuh_min_version: 4.2 + + parameters: + - path: + type: str + brief: Directory where the file is being created and monitored. + - checkers: + type: set + brief: Checks to be compared to the actual event check list. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the `ossec.log` file and start a new monitor. 
+ - wait_for_fim_start: + type: fixture + brief: Wait for realtime start, whodata start, or end of initial FIM scan. + + assertions: + - Verify that the `FIM` events generated contain only the `check_` fields specified in the configuration. + + input_description: Different test cases are contained in external `YAML` files + (wazuh_check_all.yaml or wazuh_check_all_windows.yaml) which includes + configuration settings for the `wazuh-syscheckd` daemon and testing + directories to monitor. + + expected_output: + - r'.*Sending FIM event: (.+)$' (`added`, `modified`, and `deleted` events) + + tags: + - scheduled + - time_travel + ''' check_apply_test({'test_check_all_single'}, get_configuration['tags']) regular_file_cud(path, wazuh_log_monitor, min_timeout=15, options=checkers, time_travel=get_configuration['metadata']['fim_mode'] == 'scheduled') 
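Review bot: `checkers` is documented as `type: set`, but the docstring this hunk replaces described it as `dict`, it is passed as `options=checkers` to `regular_file_cud`, and the parametrization visible in the `test_check_all_no` hunk of this same file supplies the dict literal `{}` for it, so `type: dict` looks like the correct entry (worth confirming against `parametrize_list`, which is defined outside the hunk). The same `type: set` entry is repeated in the `test_check_all` and `test_check_all_no` docstrings below. Anything after the `regular_file_cud` call lies outside the hunk.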
@@ -117,22 +218,53 @@ def test_check_all_single(path, checkers, get_configuration, configure_environme @pytest.mark.parametrize('path, checkers', parametrize_list) def test_check_all(path, checkers, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): - """ - Test the functionality of `check_all` option when used in conjunction with more than one check on the same directory, - having "check_all" to "yes" and the other ones to "no". - - Example: - check_all="yes" check_sum="no" check_md5sum="no" - check_all="yes" check_perm="yes" check_mtime="no" - ... - - Parameters - ---------- - path : str - Directory where the file is being created and monitored. - checkers : dict - Check options to be used. - """ + ''' + description: Check if the `wazuh-syscheckd` daemon adds in the generated events the checks specified in + the configuration. These checks are attributes indicating that a monitored file has been modified. + For example, if `check_all=yes`, `check_sum=no`, and `check_md5sum=no` are set for the same directory, + `syscheck` must send an event containing every possible `check_` except the `md5` checksum. + For this purpose, the test will monitor a testing folder using the `check_all` attribute in + conjunction with more than one `check_` on the same directory, having `check_all` to `yes` and + the other ones to `no`. Finally, the test will verify that the `FIM` events generated contain + only the fields of the `checks` specified for the monitored folder. + + wazuh_min_version: 4.2 + + parameters: + - path: + type: str + brief: Directory where the file is being created and monitored. + - checkers: + type: set + brief: Checks to be compared to the actual event check list. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. 
+ - restart_syscheckd: + type: fixture + brief: Clear the `ossec.log` file and start a new monitor. + - wait_for_fim_start: + type: fixture + brief: Wait for realtime start, whodata start, or end of initial FIM scan. + + assertions: + - Verify that the `FIM` events generated contain only the `check_` fields specified in the configuration. + + input_description: Different test cases are contained in external `YAML` files + (wazuh_check_all.yaml or wazuh_check_all_windows.yaml) which includes + configuration settings for the `wazuh-syscheckd` daemon and testing + directories to monitor. + + expected_output: + - r'.*Sending FIM event: (.+)$' (`added`, `modified`, and `deleted` events) + + tags: + - scheduled + - time_travel + ''' check_apply_test({'test_check_all'}, get_configuration['tags']) regular_file_cud(path, wazuh_log_monitor, min_timeout=15, options=checkers, 
@@ -142,19 +274,57 @@ def test_check_all(path, checkers, get_configuration, configure_environment, res @pytest.mark.parametrize('path, checkers', [(testdir1, {})]) def test_check_all_no(path, checkers, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): - """ - Test the functionality of `check_all` option when set to no. - - When setting `check_all` to no, only 'type' and 'checksum' attributes should appear in every event. This will - avoid any modification event. - - Parameters - ---------- - path : str - Directory where the file is being created and monitored. - checkers : dict - Check options to be used. - """ + ''' + description: Check if the `wazuh-syscheckd` daemon adds in the generated events the checks specified in + the configuration. These checks are attributes indicating that a monitored file has been modified. + For example, when setting `check_all` to `no`, only the `type` and `checksum` attributes should + appear in every `FIM` event. This will avoid any modification event. For this purpose, the test + will monitor a testing folder using the `check_all=no` attribute, create a testing file inside it, + and verify that only the `type` and `checksum` attributes are in the `added` event. Then, it + will modify the testing file and verify that no `FIM` events of type `modified` are generated. + Finally, the test will delete the testing file and verify that only the `type` and + `checksum` attributes are in the `deleted` event. + + wazuh_min_version: 4.2 + + parameters: + - path: + type: str + brief: Directory where the file is being created and monitored. + - checkers: + type: set + brief: Checks to be compared to the actual event check list. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the `ossec.log` file and start a new monitor. 
+ - wait_for_fim_start: + type: fixture + brief: Wait for realtime start, whodata start, or end of initial FIM scan. + + assertions: + - Verify that `FIM` events generated are only of type `added` and `deleted` when + the `check_all=no` attribute is used. + - Verify that `FIM` events generated only contain the `type` and `checksum` attributes + when the `check_all=no` attribute is used. + + input_description: Different test cases are contained in external `YAML` files + (wazuh_check_all.yaml or wazuh_check_all_windows.yaml) which includes + configuration settings for the `wazuh-syscheckd` daemon and testing + directories to monitor. + + expected_output: + - r'.*Sending FIM event: (.+)$' (`added`, and `deleted` event) + + tags: + - scheduled + - time_travel + ''' check_apply_test({'test_check_all_no'}, get_configuration['tags']) scheduled = get_configuration['metadata']['fim_mode'] == 'scheduled' diff --git a/tests/integration/test_fim/test_files/test_checks/test_check_others.py b/tests/integration/test_fim/test_files/test_checks/test_check_others.py index 7b8c21ada4..cdf6ac2167 100644 --- a/tests/integration/test_fim/test_files/test_checks/test_check_others.py +++ b/tests/integration/test_fim/test_files/test_checks/test_check_others.py 
@@ -1,7 +1,77 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: These tests will check if the File Integrity Monitoring (`FIM`) system watches selected + files and triggering alerts when these files are modified. Specifically, they will check + if `FIM` events generated contain only the `check_` fields specified in the configuration + when using the `check_` attributes individually without using the `check_all=yes` attribute. + The `FIM` capability is managed by the `wazuh-syscheckd` daemon, which checks configured files + for changes to the checksums, permissions, and ownership. + +tier: 0 + +modules: + - fim + +components: + - agent + - manager + +daemons: + - wazuh-agentd + - wazuh-syscheckd + +os_platform: + - linux + - windows + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + - Windows 10 + - Windows 8 + - Windows 7 + - Windows Server 2016 + - Windows server 2012 + - Windows server 2003 + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the `who-data` information. 
+ - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. + 1: Only level 1 tests are performed, they check functionalities of medium complexity. + 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. + +tags: + - fim +''' import os import sys 
@@ -71,22 +141,52 @@ def get_configuration(request): @pytest.mark.parametrize('path, checkers', parametrize_list) def test_check_others_individually(path, checkers, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): - """ - Test the behavior of every Check option individually without using the Check_all option. Check_all option will - be set to "no" in order to avoid using the default check_all configuration. - - Example: - check_all="no" check_sum="yes" - check_all="no" check_mtime="yes" - ... - - Parameters - ---------- - path : str - Directory where the file is being created and monitored. - checkers : dict - Check options to be used. - """ + ''' + description: Check if the `wazuh-syscheckd` daemon adds in the generate events the checks specified in + the configuration. These checks are attributes indicating that a monitored file has been modified. + For example, if `check_all=no` and `check_sum=yes` are set for the same directory, `syscheck` must + send an event containing only the checksums. For this purpose, the test will monitor a testing folder + using the `check_all=no` attribute (in order to avoid using the default `check_all` configuration) + in conjunction with one `check_` on the same directory. Finally, the test will verify that + the `FIM` events generated contain only the fields of the `checks` specified for the monitored folder. + + wazuh_min_version: 4.2 + + parameters: + - path: + type: str + brief: Directory where the file is being created and monitored. + - checkers: + type: set + brief: Checks to be compared to the actual event check list. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the `ossec.log` file and start a new monitor. 
+ - wait_for_fim_start: + type: fixture + brief: Wait for realtime start, whodata start, or end of initial FIM scan. + + assertions: + - Verify that the `FIM` events generated contain only the `check_` fields specified in the configuration. + + input_description: Different test cases are contained in external `YAML` files + (wazuh_check_others.yaml or wazuh_check_others_windows.yaml) which includes + configuration settings for the `wazuh-syscheckd` daemon and testing + directories to monitor. + + expected_output: + - r'.*Sending FIM event: (.+)$' (`added`, `modified`, and `deleted` events) + + tags: + - scheduled + - time_travel + ''' check_apply_test({'test_check_others_individually'}, get_configuration['tags']) regular_file_cud(path, wazuh_log_monitor, min_timeout=15, options=checkers, 
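Review bot: The new description of `test_check_others_individually` reads "adds in the generate events the checks", which should be `adds in the generated events the checks`; the same wording is in the next hunk for `test_check_others`, which additionally has "In adittion" that should be `In addition`. In both hunks the `input_description` sentence "external YAML files (...) which includes" refers to plural files and should read `which include`. The function bodies continue past the end of these hunks.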
@@ -117,24 +217,55 @@ def test_check_others_individually(path, checkers, get_configuration, configure_ @pytest.mark.parametrize('path, checkers', parametrize_list) def test_check_others(path, checkers, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): - """ - Test the behavior of several combinations of Check options over the same directory with Check_all disabled to - avoid using the default check_all configuration. The order of the checks (including check_all="no") will be - different on each case to test the behavior of check_all="no". - - Example: - check_all: "no" check_size: "yes" check_sum: "yes" - check_all: "no" check_md5sum: "yes" check_mtime: "yes" check_group: "yes" - check_md5sum: "yes" check_all: "no" check_mtime: "yes" check_group: "yes" - ... - - Parameters - ---------- - path : str - Directory where the file is being created and monitored. - checkers : dict - Check options to be used. - """ + ''' + description: Check if the `wazuh-syscheckd` daemon adds in the generate events the checks specified in + the configuration. These checks are attributes indicating that a monitored file has been modified. + For example, if `check_md5sum=yes`, `check_all=no` and `check_mtime=yes` are set for + the same directory, `syscheck` must send an event containing only the file modification time. + For this purpose, the test will monitor a testing folder using the `check_all=no` attribute + (in order to avoid using the default `check_all` configuration) in conjunction with more than + one `check_` on the same directory. Finally, the test will verify that the `FIM` events generated + contain only the fields of the `checks` specified for the monitored folder. + In adittion, the order of the `checks` (including `check_all=no`) will be different on each + test case to check the behavior of the `check_all=no` attribute. 
+ + wazuh_min_version: 4.2 + + parameters: + - path: + type: str + brief: Directory where the file is being created and monitored. + - checkers: + type: set + brief: Checks to be compared to the actual event check list. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the `ossec.log` file and start a new monitor. + - wait_for_fim_start: + type: fixture + brief: Wait for realtime start, whodata start, or end of initial FIM scan. + + assertions: + - Verify that the `FIM` events generated contain only the `check_` fields specified in the configuration. + + input_description: Different test cases are contained in external `YAML` files + (wazuh_check_others.yaml or wazuh_check_others_windows.yaml) which includes + configuration settings for the `wazuh-syscheckd` daemon and testing + directories to monitor. + + expected_output: + - r'.*Sending FIM event: (.+)$' (`added`, `modified`, and `deleted` events) + + tags: + - scheduled + - time_travel + ''' check_apply_test({'test_check_others'}, get_configuration['tags']) regular_file_cud(path, wazuh_log_monitor, min_timeout=15, options=checkers, diff --git a/tests/integration/test_fim/test_files/test_checks/test_checksums.py b/tests/integration/test_fim/test_files/test_checks/test_checksums.py index 7136575f4c..f9a5da8b33 100644 --- a/tests/integration/test_fim/test_files/test_checks/test_checksums.py +++ b/tests/integration/test_fim/test_files/test_checks/test_checksums.py 
@@ -1,7 +1,77 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: These tests will check if the File Integrity Monitoring (`FIM`) system watches selected + files and triggering alerts when these files are modified. Specifically, they will check + if `FIM` events generated contain only the `check_` fields specified in the configuration + when using the `check_` attributes related to file checksum. + The `FIM` capability is managed by the `wazuh-syscheckd` daemon, which checks configured files + for changes to the checksums, permissions, and ownership. + +tier: 0 + +modules: + - fim + +components: + - agent + - manager + +daemons: + - wazuh-agentd + - wazuh-syscheckd + +os_platform: + - linux + - windows + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + - Windows 10 + - Windows 8 + - Windows 7 + - Windows Server 2016 + - Windows server 2012 + - Windows server 2003 + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the `who-data` information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. 
+ 1: Only level 1 tests are performed, they check functionalities of medium complexity. + 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. + +tags: + - fim +''' import os import sys 
@@ -67,22 +137,53 @@ def get_configuration(request): ]) def test_checksums_checkall(path, checkers, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): - """ - Test the behavior of check_all="yes" when using it with one or more check_sum options (checksum, sha1sum, - sha256sum and md5sum) set to "no". - - Example: - check_all="yes" check_sum="no" - check_all="yes" check_sum="no" check_md5sum="no" - ... - - Parameters - ---------- - path : str - Directory where the file is being created and monitored. - checkers : dict - Check options to be used. - """ + ''' + description: Check if the `wazuh-syscheckd` daemon adds in the generated events the checks related to + file checksum specified in the configuration. These checks are attributes indicating that + a monitored file has been modified. For example, if `check_all=yes` and `check_sum=no` are + set for the same directory, `syscheck` must send an event containing every possible `check_` + except the checksums. For this purpose, the test will monitor a testing folder using + the `check_all` attribute in conjunction with checksum-related `checks` on the same directory, + having `check_all` to `yes` and the other ones to `no`. Finally, the test will verify that + the `FIM` events generated contain only the fields of the `checks` specified for the monitored folder. + + wazuh_min_version: 4.2 + + parameters: + - path: + type: str + brief: Directory where the file is being created and monitored. + - checkers: + type: set + brief: Checks to be compared to the actual event check list. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the `ossec.log` file and start a new monitor. + - wait_for_fim_start: + type: fixture + brief: Wait for realtime start, whodata start, or end of initial FIM scan. 
+ + assertions: + - Verify that the `FIM` events generated contain only the `check_` fields specified in the configuration. + + input_description: Different test cases are contained in external `YAML` files + (wazuh_checksums.yaml or wazuh_checksums_windows.yaml) which includes + configuration settings for the `wazuh-syscheckd` daemon and testing + directories to monitor. + + expected_output: + - r'.*Sending FIM event: (.+)$' (`added`, `modified`, and `deleted` events) + + tags: + - scheduled + - time_travel + ''' check_apply_test({'test_checksums_checkall'}, get_configuration['tags']) regular_file_cud(path, wazuh_log_monitor, min_timeout=global_parameters.default_timeout, options=checkers, 
@@ -105,23 +206,55 @@ def test_checksums_checkall(path, checkers, get_configuration, configure_environ ]) def test_checksums(path, checkers, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): - """ - Test the checksum options (checksum, sha1sum, sha256sum and md5sum) - behavior when is used alone or in conjunction. - Check_all option will be set to "no" in order to avoid using the default check_all configuration. - - Example: - check_all: "no" check_sum: "yes" - check_all: "no" check_sum: "yes" check_md5sum: "no" - ... - - Parameters - ---------- - path : str - Directory where the file is being created. - checkers : dict - Check options to be used. - """ + ''' + description: Check if the `wazuh-syscheckd` daemon adds in the generated events the checks related to + file checksum (checksum, sha1sum, sha256sum and md5sum) specified in the configuration. + These checks are attributes indicating that a monitored file has been modified. For example, + if `check_all=no` and `check_sum=yes` are set for the same directory, `syscheck` must send + an event only containing the file checksums. + For this purpose, the test will monitor a testing folder using the `check_all=no` attribute + (in order to avoid using the default `check_all` configuration) in conjunction with + checksum-related `checks` on the same directory. Finally, the test will verify that + the `FIM` events generated contain only the fields of the checksum-related `checks` + specified for the monitored folder. + + wazuh_min_version: 4.2 + + parameters: + - path: + type: str + brief: Directory where the file is being created and monitored. + - checkers: + type: set + brief: Checks to be compared to the actual event check list. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. 
+ - restart_syscheckd: + type: fixture + brief: Clear the `ossec.log` file and start a new monitor. + - wait_for_fim_start: + type: fixture + brief: Wait for realtime start, whodata start, or end of initial FIM scan. + + assertions: + - Verify that the `FIM` events generated contain only the `check_` fields specified in the configuration. + + input_description: Different test cases are contained in external `YAML` files + (wazuh_checksums.yaml or wazuh_checksums_windows.yaml) which includes + configuration settings for the `wazuh-syscheckd` daemon and testing + directories to monitor. + + expected_output: + - r'.*Sending FIM event: (.+)$' (`added`, `modified`, and `deleted` events) + + tags: + - scheduled + - time_travel + ''' check_apply_test({'test_checksums'}, get_configuration['tags']) regular_file_cud(path, wazuh_log_monitor, min_timeout=global_parameters.default_timeout, options=checkers, From 7a35303561773e5ab6e3d3bb5890038d0d601e10 Mon Sep 17 00:00:00 2001 From: mdengra Date: Wed, 29 Sep 2021 11:19:52 +0200 Subject: [PATCH 09/12] doc: Add test_benchmark and test_checks of test_fim/test_files documentation in QA Docs style The following tests have been documentated: * test_hard_link.py Enhancements in the documentation of the remaining tests. The current scheme of the issue #1694 has been used. PEP-8 fixes. Closes: #1936 --- docs/DocGenerator/config.yaml | 2 + .../test_benchmark/test_benchmark.py | 31 ++-- .../test_benchmark/test_report_changes_big.py | 45 +++--- .../test_files/test_checks/test_check_all.py | 104 ++++++------ .../test_checks/test_check_others.py | 70 ++++---- .../test_files/test_checks/test_checksums.py | 65 ++++---- .../test_files/test_checks/test_hard_link.py | 152 +++++++++++++++--- 7 files changed, 284 insertions(+), 185 deletions(-) diff --git a/docs/DocGenerator/config.yaml b/docs/DocGenerator/config.yaml index e6ef9e7da6..d22f02e99d 100644 --- a/docs/DocGenerator/config.yaml +++ b/docs/DocGenerator/config.yaml 
@@ -49,6 +49,8 @@ Ignore paths: - "../../tests/integration/test_fim/test_files/test_ambiguous_confs/data" - "../../tests/integration/test_fim/test_files/test_audit/data" - "../../tests/integration/test_fim/test_files/test_basic_usage/data" + - "../../tests/integration/test_fim/test_files/test_benchmark/data" + - "../../tests/integration/test_fim/test_files/test_checks/data" Output fields: Module: diff --git a/tests/integration/test_fim/test_files/test_benchmark/test_benchmark.py b/tests/integration/test_fim/test_files/test_benchmark/test_benchmark.py index a1722c0c81..b6431bb4c9 100644 --- a/tests/integration/test_fim/test_files/test_benchmark/test_benchmark.py +++ b/tests/integration/test_fim/test_files/test_benchmark/test_benchmark.py @@ -7,11 +7,10 @@ type: integration -brief: These tests will check if the File Integrity Monitoring (`FIM`) system watches selected - files and triggering alerts when these files are modified. Specifically, they will check - if `FIM` CUD events are generated for each modified file before the specified time expires. - The `FIM` capability is managed by the `wazuh-syscheckd` daemon, which checks configured files - for changes to the checksums, permissions, and ownership. +brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files + are modified. Specifically, these tests will check if FIM CUD events are generated for each modified file + before the specified time expires. The FIM capability is managed by the 'wazuh-syscheckd' daemon, + which checks configured files for changes to the checksums, permissions, and ownership. tier: 0 @@ -23,7 +22,6 @@ - manager daemons: - - wazuh-agentd - wazuh-syscheckd os_platform: @@ -54,6 +52,7 @@ - Windows Server 2016 - Windows server 2012 - Windows server 2003 + - Windows XP references: - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html 
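Review bot: The rewritten `brief` of `test_benchmark.py` keeps the grammatical slip of the old text: "watches selected files and triggering alerts" should read `File Integrity Monitoring (FIM) system watches selected files and triggers alerts when these files are modified.`. The identical sentence is in the header hunks of `test_report_changes_big.py` and `test_check_all.py` in this same commit and can be fixed in one pass.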
@@ -61,15 +60,15 @@ pytest_args: - fim_mode: - realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. - whodata: Implies real-time monitoring but adding the `who-data` information. + realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the 'who-data' information. - tier: 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. 1: Only level 1 tests are performed, they check functionalities of medium complexity. 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. tags: - - fim + - fim_benchmark ''' import os @@ -130,13 +129,13 @@ def test_benchmark_regular_files(files, folder, tags_to_apply, get_configuration configure_environment, restart_syscheckd, wait_for_fim_start): ''' - description: Check if the `wazuh-syscheckd` daemon detects CUD events (`added`, `modified`, and `deleted`) + description: Check if the 'wazuh-syscheckd' daemon detects CUD events ('added', 'modified', and 'deleted') in a certain volume of file changes. For this purpose, the test will monitor a folder with multiple testing files and perform modifications on them (add, modify and delete). Finally, the test will verify that all FIM events have been generated for each change made to each file before the set timeout expires. - wazuh_min_version: 4.2 + wazuh_min_version: 4.2.0 parameters: - files: 
@@ -156,20 +155,20 @@ def test_benchmark_regular_files(files, folder, tags_to_apply, get_configuration brief: Configure a custom environment for testing. - restart_syscheckd: type: fixture - brief: Clear the `ossec.log` file and start a new monitor. + brief: Clear the 'ossec.log' file and start a new monitor. - wait_for_fim_start: type: fixture brief: Wait for realtime start, whodata start, or end of initial FIM scan. assertions: - - Verify that `FIM` CUD events are generated for each modified file before the specified time expires. + - Verify that FIM CUD events are generated for each modified file before the specified time expires. - input_description: A test case (ossec_conf) is contained in external `YAML` file (wazuh_conf.yaml) - which includes configuration settings for the `wazuh-syscheckd` daemon and, it + input_description: A test case (ossec_conf) is contained in external YAML file (wazuh_conf.yaml) + which includes configuration settings for the wazuh-syscheckd daemon and, it is combined with the testing files to be monitored defined in this module. expected_output: - - r'.*Sending FIM event: (.+)$' (`added`, `modified`, and `deleted` events) + - r'.*Sending FIM event: (.+)$' ('added', 'modified', and 'deleted' events) tags: - realtime diff --git a/tests/integration/test_fim/test_files/test_benchmark/test_report_changes_big.py b/tests/integration/test_fim/test_files/test_benchmark/test_report_changes_big.py index 067bb08695..23336e57b6 100644 --- a/tests/integration/test_fim/test_files/test_benchmark/test_report_changes_big.py +++ b/tests/integration/test_fim/test_files/test_benchmark/test_report_changes_big.py 
@@ -7,11 +7,10 @@ type: integration -brief: These tests will check if the File Integrity Monitoring (`FIM`) system watches selected - files and triggering alerts when these files are modified. Specifically, they will check - if the `wazuh-syscheckd` daemon generates the `diff` files on large amounts of files and - files with a large size using the `report_changes` feature. - The `FIM` capability is managed by the `wazuh-syscheckd` daemon, which checks configured files +brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files + are modified. Specifically, these tests will check if the 'wazuh-syscheckd' daemon generates the 'diff' + files on large amounts of files and files with a large size using the 'report_changes' feature. + The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership. tier: 0 @@ -24,7 +23,6 @@ - manager daemons: - - wazuh-agentd - wazuh-syscheckd os_platform: @@ -55,6 +53,7 @@ - Windows Server 2016 - Windows server 2012 - Windows server 2003 + - Windows XP references: - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html @@ -62,15 +61,15 @@ pytest_args: - fim_mode: - realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. - whodata: Implies real-time monitoring but adding the `who-data` information. + realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the 'who-data' information. - tier: 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. 1: Only level 1 tests are performed, they check functionalities of medium complexity. 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. tags: - - fim + - fim_benchmark ''' import os import sys 
@@ -264,15 +263,15 @@ def write_csv(data): def test_report_changes_big(file_size, n_files, tags_to_apply, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): ''' - description: Check if the `wazuh-syscheckd` daemon generates the `diff` files on large amounts of files and - files with a large size using the `report_changes` feature. For this purpose, the test creates - in a monitored directory (with the `report_changes` attribute) large amounts of files and files - with large size. Then it checks if the expected number of `FIM` events is obtained, if they are + description: Check if the 'wazuh-syscheckd' daemon generates the 'diff' files on large amounts of files and + files with a large size using the 'report_changes' feature. For this purpose, the test creates + in a monitored directory (with the 'report_changes' attribute) large amounts of files and files + with large size. Then it checks if the expected number of FIM events is obtained, if they are of the correct type and if a copy of each file has been created in the corresponding directory. - In addition, the test generates a `CSV` file with metrics about the time used to create + In addition, the test generates a CSV file with metrics about the time used to create the files, generate the logs, and the size of the directory. - wazuh_min_version: 4.2 + wazuh_min_version: 4.2.0 parameters: - file_size: 
@@ -292,23 +291,23 @@ def test_report_changes_big(file_size, n_files, tags_to_apply, get_configuration brief: Configure a custom environment for testing. - restart_syscheckd: type: fixture - brief: Clear the `ossec.log` file and start a new monitor. + brief: Clear the 'ossec.log' file and start a new monitor. - wait_for_fim_start: type: fixture brief: Wait for realtime start, whodata start, or end of initial FIM scan. assertions: - - Verify that `FIM` events are generated for each modified file. - - Verify that for each modified file a `diff` file is generated. - - Verify that `diff` files are updated when files are modified. + - Verify that FIM events are generated for each modified file. + - Verify that for each modified file a 'diff' file is generated. + - Verify that 'diff' files are updated when files are modified. - input_description: A test case (ossec_conf) is contained in external `YAML` file (wazuh_conf.yaml) - which includes configuration settings for the `wazuh-syscheckd` daemon and, it + input_description: A test case (ossec_conf) is contained in external YAML file (wazuh_conf.yaml) + which includes configuration settings for the 'wazuh-syscheckd' daemon and, it is combined with the testing files to be monitored defined in this module. expected_output: - - r'.*Sending FIM event: (.+)$' (`added`, `modified`, and `deleted` events) - - A `CSV` file with the metrics collected. + - r'.*Sending FIM event: (.+)$' ('added', 'modified', and 'deleted' events) + - A CSV file with the metrics collected. tags: - scheduled diff --git a/tests/integration/test_fim/test_files/test_checks/test_check_all.py b/tests/integration/test_fim/test_files/test_checks/test_check_all.py index 92250afdcf..7aed831f2b 100644 --- a/tests/integration/test_fim/test_files/test_checks/test_check_all.py +++ b/tests/integration/test_fim/test_files/test_checks/test_check_all.py 
@@ -7,11 +7,11 @@ type: integration -brief: These tests will check if the File Integrity Monitoring (`FIM`) system watches selected - files and triggering alerts when these files are modified. Specifically, they will check - if `FIM` events generated contain only the `check_` fields specified in the configuration - when using the `check_all` attribute along with other` check_` attributes. - The `FIM` capability is managed by the `wazuh-syscheckd` daemon, which checks configured files +brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these + files are modified. Specifically, these tests will check if FIM events generated contain only + the 'check_' fields specified in the configuration when using the 'check_all' attribute along + with other' check_' attributes. + The 'FIM' capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership. tier: 0 @@ -24,7 +24,6 @@ - manager daemons: - - wazuh-agentd - wazuh-syscheckd os_platform: @@ -55,6 +54,7 @@ - Windows Server 2016 - Windows server 2012 - Windows server 2003 + - Windows XP references: - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html 
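Review bot: The rewritten `brief` of `test_check_all.py` carries a misplaced quote: "along with other' check_' attributes" should read `along with other 'check_' attributes` (the old line had the same backtick in the same wrong place, so the conversion preserved the typo). In the same hunk `The 'FIM' capability` quotes FIM while the commit otherwise drops the quotes around the acronym ("FIM events"), so `The FIM capability` would match the rest of the module docstring.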
@@ -62,15 +62,15 @@ pytest_args: - fim_mode: - realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. - whodata: Implies real-time monitoring but adding the `who-data` information. + realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the 'who-data' information. - tier: 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. 1: Only level 1 tests are performed, they check functionalities of medium complexity. 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. tags: - - fim + - fim_checks ''' import os import sys 
@@ -143,16 +143,16 @@ def get_configuration(request): def test_check_all_single(path, checkers, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): ''' - description: Check if the `wazuh-syscheckd` daemon adds in the generated events the checks specified in + description: Check if the 'wazuh-syscheckd' daemon adds in the generated events the checks specified in the configuration. These checks are attributes indicating that a monitored file has been modified. - For example, if `check_all=yes` and `check_sum=no` are set for the same directory, `syscheck` must - send an event containing every possible `check_` except the checksums. For this purpose, the test - will monitor a testing folder using the `check_all` attribute in conjunction with one `check_` - on the same directory, having `check_all` to `yes` and the other one to `no`. - Finally, the test will verify that the `FIM` events generated contain only the fields - of the `checks` specified for the monitored folder. + For example, if 'check_all=yes' and 'check_sum=no' are set for the same directory, 'syscheck' must + send an event containing every possible 'check_' except the checksums. For this purpose, the test + will monitor a testing folder using the 'check_all' attribute in conjunction with one 'check_' + on the same directory, having 'check_all' to 'yes' and the other one to 'no'. + Finally, the test will verify that the FIM events generated contain only the fields + of the 'checks' specified for the monitored folder. - wazuh_min_version: 4.2 + wazuh_min_version: 4.2.0 parameters: - path: 
@@ -169,21 +169,21 @@ def test_check_all_single(path, checkers, get_configuration, configure_environme brief: Configure a custom environment for testing. - restart_syscheckd: type: fixture - brief: Clear the `ossec.log` file and start a new monitor. + brief: Clear the 'ossec.log' file and start a new monitor. - wait_for_fim_start: type: fixture brief: Wait for realtime start, whodata start, or end of initial FIM scan. assertions: - - Verify that the `FIM` events generated contain only the `check_` fields specified in the configuration. + - Verify that the FIM events generated contain only the 'check_' fields specified in the configuration. - input_description: Different test cases are contained in external `YAML` files + input_description: Different test cases are contained in external YAML files (wazuh_check_all.yaml or wazuh_check_all_windows.yaml) which includes - configuration settings for the `wazuh-syscheckd` daemon and testing + configuration settings for the 'wazuh-syscheckd' daemon and testing directories to monitor. expected_output: - - r'.*Sending FIM event: (.+)$' (`added`, `modified`, and `deleted` events) + - r'.*Sending FIM event: (.+)$' ('added', 'modified', and 'deleted' events) tags: - scheduled 
@@ -219,16 +219,16 @@ def test_check_all_single(path, checkers, get_configuration, configure_environme def test_check_all(path, checkers, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): ''' - description: Check if the `wazuh-syscheckd` daemon adds in the generated events the checks specified in + description: Check if the 'wazuh-syscheckd' daemon adds in the generated events the checks specified in the configuration. These checks are attributes indicating that a monitored file has been modified. - For example, if `check_all=yes`, `check_sum=no`, and `check_md5sum=no` are set for the same directory, - `syscheck` must send an event containing every possible `check_` except the `md5` checksum. - For this purpose, the test will monitor a testing folder using the `check_all` attribute in - conjunction with more than one `check_` on the same directory, having `check_all` to `yes` and - the other ones to `no`. Finally, the test will verify that the `FIM` events generated contain - only the fields of the `checks` specified for the monitored folder. + For example, if 'check_all=yes', 'check_sum=no', and 'check_md5sum=no' are set for the same directory, + 'syscheck' must send an event containing every possible 'check_' except the 'md5' checksum. + For this purpose, the test will monitor a testing folder using the 'check_all' attribute in + conjunction with more than one 'check_' on the same directory, having 'check_all' to 'yes' and + the other ones to 'no'. Finally, the test will verify that the FIM events generated contain + only the fields of the 'checks' specified for the monitored folder. - wazuh_min_version: 4.2 + wazuh_min_version: 4.2.0 parameters: - path: 
@@ -245,21 +245,21 @@ def test_check_all(path, checkers, get_configuration, configure_environment, res brief: Configure a custom environment for testing. - restart_syscheckd: type: fixture - brief: Clear the `ossec.log` file and start a new monitor. + brief: Clear the 'ossec.log' file and start a new monitor. - wait_for_fim_start: type: fixture brief: Wait for realtime start, whodata start, or end of initial FIM scan. assertions: - - Verify that the `FIM` events generated contain only the `check_` fields specified in the configuration. + - Verify that the FIM events generated contain only the 'check_' fields specified in the configuration. - input_description: Different test cases are contained in external `YAML` files + input_description: Different test cases are contained in external YAML files (wazuh_check_all.yaml or wazuh_check_all_windows.yaml) which includes - configuration settings for the `wazuh-syscheckd` daemon and testing + configuration settings for the 'wazuh-syscheckd' daemon and testing directories to monitor. expected_output: - - r'.*Sending FIM event: (.+)$' (`added`, `modified`, and `deleted` events) + - r'.*Sending FIM event: (.+)$' ('added', 'modified', and 'deleted' events) tags: - scheduled 
@@ -275,17 +275,17 @@ def test_check_all(path, checkers, get_configuration, configure_environment, res def test_check_all_no(path, checkers, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): ''' - description: Check if the `wazuh-syscheckd` daemon adds in the generated events the checks specified in + description: Check if the 'wazuh-syscheckd' daemon adds in the generated events the checks specified in the configuration. These checks are attributes indicating that a monitored file has been modified. - For example, when setting `check_all` to `no`, only the `type` and `checksum` attributes should - appear in every `FIM` event. This will avoid any modification event. For this purpose, the test - will monitor a testing folder using the `check_all=no` attribute, create a testing file inside it, - and verify that only the `type` and `checksum` attributes are in the `added` event. Then, it - will modify the testing file and verify that no `FIM` events of type `modified` are generated. - Finally, the test will delete the testing file and verify that only the `type` and - `checksum` attributes are in the `deleted` event. + For example, when setting 'check_all' to 'no', only the 'type' and 'checksum' attributes should + appear in every 'FIM' event. This will avoid any modification event. For this purpose, the test + will monitor a testing folder using the 'check_all=no' attribute, create a testing file inside it, + and verify that only the 'type' and 'checksum' attributes are in the 'added' event. Then, it + will modify the testing file and verify that no 'FIM' events of type 'modified' are generated. + Finally, the test will delete the testing file and verify that only the 'type' and + 'checksum' attributes are in the 'deleted' event. - wazuh_min_version: 4.2 + wazuh_min_version: 4.2.0 parameters: - path: 
@@ -302,24 +302,24 @@ def test_check_all_no(path, checkers, get_configuration, configure_environment, brief: Configure a custom environment for testing. - restart_syscheckd: type: fixture - brief: Clear the `ossec.log` file and start a new monitor. + brief: Clear the 'ossec.log' file and start a new monitor. - wait_for_fim_start: type: fixture brief: Wait for realtime start, whodata start, or end of initial FIM scan. assertions: - - Verify that `FIM` events generated are only of type `added` and `deleted` when - the `check_all=no` attribute is used. - - Verify that `FIM` events generated only contain the `type` and `checksum` attributes - when the `check_all=no` attribute is used. + - Verify that FIM events generated are only of type 'added' and 'deleted' when + the 'check_all=no' attribute is used. + - Verify that FIM events generated only contain the 'type' and 'checksum' attributes + when the 'check_all=no' attribute is used. - input_description: Different test cases are contained in external `YAML` files + input_description: Different test cases are contained in external 'YAML' files (wazuh_check_all.yaml or wazuh_check_all_windows.yaml) which includes - configuration settings for the `wazuh-syscheckd` daemon and testing + configuration settings for the 'wazuh-syscheckd' daemon and testing directories to monitor. expected_output: - - r'.*Sending FIM event: (.+)$' (`added`, and `deleted` event) + - r'.*Sending FIM event: (.+)$' ('added', and 'deleted' event) tags: - scheduled diff --git a/tests/integration/test_fim/test_files/test_checks/test_check_others.py b/tests/integration/test_fim/test_files/test_checks/test_check_others.py index cdf6ac2167..9da09a7637 100644 --- a/tests/integration/test_fim/test_files/test_checks/test_check_others.py +++ b/tests/integration/test_fim/test_files/test_checks/test_check_others.py 
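Review bot: The `input_description` in this hunk quotes `'YAML'` (`external 'YAML' files`) whereas the same field in the other hunks of this file and of the sibling test_check_* files is written `external YAML files`; the unquoted form should be used here too. The `expected_output` line also carries a stray comma, `('added', and 'deleted' event)` should be `('added' and 'deleted' events)`. The docstring belongs to test_check_all_no, whose body continues past the hunk.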
@@ -7,11 +7,11 @@ type: integration -brief: These tests will check if the File Integrity Monitoring (`FIM`) system watches selected - files and triggering alerts when these files are modified. Specifically, they will check - if `FIM` events generated contain only the `check_` fields specified in the configuration - when using the `check_` attributes individually without using the `check_all=yes` attribute. - The `FIM` capability is managed by the `wazuh-syscheckd` daemon, which checks configured files +brief: File Integrity Monitoring ('FIM') system watches selected files and triggering alerts when these + files are modified. Specifically, these tests will check if FIM events generated contain only + the 'check_' fields specified in the configuration when using the 'check_' attributes individually + without using the 'check_all=yes' attribute. + The 'FIM' capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership. tier: 0 @@ -24,7 +24,6 @@ - manager daemons: - - wazuh-agentd - wazuh-syscheckd os_platform: @@ -55,6 +54,7 @@ - Windows Server 2016 - Windows server 2012 - Windows server 2003 + - Windows XP references: - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html 
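Review bot: The new brief writes `File Integrity Monitoring ('FIM') system`, quoting the acronym on its first definition, while test_check_all.py and test_checksums.py in the same patch write `(FIM)`; the quoted form is inconsistent with the convention the patch itself is establishing. The sentence also keeps the ungrammatical `watches selected files and triggering alerts`; `brief: File Integrity Monitoring (FIM) system watches selected files and triggers alerts when these` reads correctly. The last sentence quotes `'FIM'` again while the second sentence leaves it bare.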
@@ -62,15 +62,15 @@ pytest_args: - fim_mode: - realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. - whodata: Implies real-time monitoring but adding the `who-data` information. + realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the 'who-data' information. - tier: 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. 1: Only level 1 tests are performed, they check functionalities of medium complexity. 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. tags: - - fim + - fim_checks ''' import os import sys 
@@ -142,15 +142,15 @@ def get_configuration(request): def test_check_others_individually(path, checkers, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): ''' - description: Check if the `wazuh-syscheckd` daemon adds in the generate events the checks specified in + description: Check if the 'wazuh-syscheckd' daemon adds in the generate events the checks specified in the configuration. These checks are attributes indicating that a monitored file has been modified. - For example, if `check_all=no` and `check_sum=yes` are set for the same directory, `syscheck` must + For example, if 'check_all=no' and 'check_sum=yes' are set for the same directory, 'syscheck' must send an event containing only the checksums. For this purpose, the test will monitor a testing folder - using the `check_all=no` attribute (in order to avoid using the default `check_all` configuration) - in conjunction with one `check_` on the same directory. Finally, the test will verify that - the `FIM` events generated contain only the fields of the `checks` specified for the monitored folder. + using the 'check_all=no' attribute (in order to avoid using the default 'check_all' configuration) + in conjunction with one 'check_' on the same directory. Finally, the test will verify that + the FIM events generated contain only the fields of the 'checks' specified for the monitored folder. - wazuh_min_version: 4.2 + wazuh_min_version: 4.2.0 parameters: - path: 
@@ -167,21 +167,21 @@ def test_check_others_individually(path, checkers, get_configuration, configure_ brief: Configure a custom environment for testing. - restart_syscheckd: type: fixture - brief: Clear the `ossec.log` file and start a new monitor. + brief: Clear the 'ossec.log' file and start a new monitor. - wait_for_fim_start: type: fixture brief: Wait for realtime start, whodata start, or end of initial FIM scan. assertions: - - Verify that the `FIM` events generated contain only the `check_` fields specified in the configuration. + - Verify that the FIM events generated contain only the 'check_' fields specified in the configuration. - input_description: Different test cases are contained in external `YAML` files + input_description: Different test cases are contained in external YAML files (wazuh_check_others.yaml or wazuh_check_others_windows.yaml) which includes - configuration settings for the `wazuh-syscheckd` daemon and testing + configuration settings for the 'wazuh-syscheckd' daemon and testing directories to monitor. expected_output: - - r'.*Sending FIM event: (.+)$' (`added`, `modified`, and `deleted` events) + - r'.*Sending FIM event: (.+)$' ('added', 'modified', and 'deleted' events) tags: - scheduled 
@@ -218,18 +218,18 @@ def test_check_others_individually(path, checkers, get_configuration, configure_ def test_check_others(path, checkers, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): ''' - description: Check if the `wazuh-syscheckd` daemon adds in the generate events the checks specified in + description: Check if the 'wazuh-syscheckd' daemon adds in the generate events the checks specified in the configuration. These checks are attributes indicating that a monitored file has been modified. - For example, if `check_md5sum=yes`, `check_all=no` and `check_mtime=yes` are set for - the same directory, `syscheck` must send an event containing only the file modification time. - For this purpose, the test will monitor a testing folder using the `check_all=no` attribute - (in order to avoid using the default `check_all` configuration) in conjunction with more than - one `check_` on the same directory. Finally, the test will verify that the `FIM` events generated - contain only the fields of the `checks` specified for the monitored folder. - In adittion, the order of the `checks` (including `check_all=no`) will be different on each - test case to check the behavior of the `check_all=no` attribute. + For example, if 'check_md5sum=yes', 'check_all=no' and 'check_mtime=yes' are set for + the same directory, 'syscheck' must send an event containing only the file modification time. + For this purpose, the test will monitor a testing folder using the 'check_all=no' attribute + (in order to avoid using the default 'check_all' configuration) in conjunction with more than + one 'check_' on the same directory. Finally, the test will verify that the FIM events generated + contain only the fields of the 'checks' specified for the monitored folder. + In adittion, the order of the 'checks' (including 'check_all=no') will be different on each + test case to check the behavior of the 'check_all=no' attribute. 
- wazuh_min_version: 4.2 + wazuh_min_version: 4.2.0 parameters: - path: @@ -246,21 +246,21 @@ def test_check_others(path, checkers, get_configuration, configure_environment, brief: Configure a custom environment for testing. - restart_syscheckd: type: fixture - brief: Clear the `ossec.log` file and start a new monitor. + brief: Clear the 'ossec.log' file and start a new monitor. - wait_for_fim_start: type: fixture brief: Wait for realtime start, whodata start, or end of initial FIM scan. assertions: - - Verify that the `FIM` events generated contain only the `check_` fields specified in the configuration. + - Verify that the FIM events generated contain only the 'check_' fields specified in the configuration. - input_description: Different test cases are contained in external `YAML` files + input_description: Different test cases are contained in external YAML files (wazuh_check_others.yaml or wazuh_check_others_windows.yaml) which includes - configuration settings for the `wazuh-syscheckd` daemon and testing + configuration settings for the 'wazuh-syscheckd' daemon and testing directories to monitor. expected_output: - - r'.*Sending FIM event: (.+)$' (`added`, `modified`, and `deleted` events) + - r'.*Sending FIM event: (.+)$' ('added', 'modified', and 'deleted' events) tags: - scheduled diff --git a/tests/integration/test_fim/test_files/test_checks/test_checksums.py b/tests/integration/test_fim/test_files/test_checks/test_checksums.py index f9a5da8b33..eefe9c4b8f 100644 --- a/tests/integration/test_fim/test_files/test_checks/test_checksums.py +++ b/tests/integration/test_fim/test_files/test_checks/test_checksums.py 
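Review bot: The `@@ -218,18 +218,18 @@` hunk carries two typos over to the new side unchanged, `adds in the generate events` and `In adittion`; since the lines are being rewritten anyway they should read `description: Check if the 'wazuh-syscheckd' daemon adds in the generated events the checks specified in` and `In adittion` should become `In addition, the order of the 'checks' (including 'check_all=no') will be different on each`. The same `generate events` wording is also kept in the `@@ -142` hunk of this file for test_check_others_individually. Both docstrings belong to functions whose bodies continue outside their hunks.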
@@ -7,11 +7,10 @@ type: integration -brief: These tests will check if the File Integrity Monitoring (`FIM`) system watches selected - files and triggering alerts when these files are modified. Specifically, they will check - if `FIM` events generated contain only the `check_` fields specified in the configuration - when using the `check_` attributes related to file checksum. - The `FIM` capability is managed by the `wazuh-syscheckd` daemon, which checks configured files +brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files + are modified. Specifically, these tests will check if FIM events generated contain only the 'check_' fields + specified in the configuration when using the 'check_' attributes related to file checksum. + The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership. tier: 0 @@ -24,7 +23,6 @@ - manager daemons: - - wazuh-agentd - wazuh-syscheckd os_platform: @@ -55,6 +53,7 @@ - Windows Server 2016 - Windows server 2012 - Windows server 2003 + - Windows XP references: - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html @@ -62,15 +61,15 @@ pytest_args: - fim_mode: - realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. - whodata: Implies real-time monitoring but adding the `who-data` information. + realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the 'who-data' information. - tier: 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. 1: Only level 1 tests are performed, they check functionalities of medium complexity. 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. tags: - - fim + - fim_checks ''' import os import sys 
@@ -138,16 +137,16 @@ def get_configuration(request): def test_checksums_checkall(path, checkers, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): ''' - description: Check if the `wazuh-syscheckd` daemon adds in the generated events the checks related to + description: Check if the 'wazuh-syscheckd' daemon adds in the generated events the checks related to file checksum specified in the configuration. These checks are attributes indicating that - a monitored file has been modified. For example, if `check_all=yes` and `check_sum=no` are - set for the same directory, `syscheck` must send an event containing every possible `check_` + a monitored file has been modified. For example, if 'check_all=yes' and 'check_sum=no' are + set for the same directory, 'syscheck' must send an event containing every possible 'check_' except the checksums. For this purpose, the test will monitor a testing folder using - the `check_all` attribute in conjunction with checksum-related `checks` on the same directory, - having `check_all` to `yes` and the other ones to `no`. Finally, the test will verify that - the `FIM` events generated contain only the fields of the `checks` specified for the monitored folder. + the 'check_all' attribute in conjunction with checksum-related 'checks' on the same directory, + having 'check_all' to 'yes' and the other ones to 'no'. Finally, the test will verify that + the FIM events generated contain only the fields of the 'checks' specified for the monitored folder. - wazuh_min_version: 4.2 + wazuh_min_version: 4.2.0 parameters: - path: 
@@ -164,21 +163,21 @@ def test_checksums_checkall(path, checkers, get_configuration, configure_environ brief: Configure a custom environment for testing. - restart_syscheckd: type: fixture - brief: Clear the `ossec.log` file and start a new monitor. + brief: Clear the 'ossec.log' file and start a new monitor. - wait_for_fim_start: type: fixture brief: Wait for realtime start, whodata start, or end of initial FIM scan. assertions: - - Verify that the `FIM` events generated contain only the `check_` fields specified in the configuration. + - Verify that FIM events generated contain only the 'check_' fields specified in the configuration. - input_description: Different test cases are contained in external `YAML` files + input_description: Different test cases are contained in external YAML files (wazuh_checksums.yaml or wazuh_checksums_windows.yaml) which includes - configuration settings for the `wazuh-syscheckd` daemon and testing + configuration settings for the 'wazuh-syscheckd' daemon and testing directories to monitor. expected_output: - - r'.*Sending FIM event: (.+)$' (`added`, `modified`, and `deleted` events) + - r'.*Sending FIM event: (.+)$' ('added', 'modified', and 'deleted' events) tags: - scheduled 
@@ -207,18 +206,18 @@ def test_checksums_checkall(path, checkers, get_configuration, configure_environ def test_checksums(path, checkers, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): ''' - description: Check if the `wazuh-syscheckd` daemon adds in the generated events the checks related to + description: Check if the 'wazuh-syscheckd' daemon adds in the generated events the checks related to file checksum (checksum, sha1sum, sha256sum and md5sum) specified in the configuration. These checks are attributes indicating that a monitored file has been modified. For example, - if `check_all=no` and `check_sum=yes` are set for the same directory, `syscheck` must send + if 'check_all=no' and 'check_sum=yes' are set for the same directory, 'syscheck' must send an event only containing the file checksums. - For this purpose, the test will monitor a testing folder using the `check_all=no` attribute - (in order to avoid using the default `check_all` configuration) in conjunction with - checksum-related `checks` on the same directory. Finally, the test will verify that - the `FIM` events generated contain only the fields of the checksum-related `checks` + For this purpose, the test will monitor a testing folder using the 'check_all=no' attribute + (in order to avoid using the default 'check_all' configuration) in conjunction with + checksum-related 'checks' on the same directory. Finally, the test will verify that + the FIM events generated contain only the fields of the checksum-related 'checks' specified for the monitored folder. - wazuh_min_version: 4.2 + wazuh_min_version: 4.2.0 parameters: - path: 
@@ -235,21 +234,21 @@ def test_checksums(path, checkers, get_configuration, configure_environment, res brief: Configure a custom environment for testing. - restart_syscheckd: type: fixture - brief: Clear the `ossec.log` file and start a new monitor. + brief: Clear the 'ossec.log' file and start a new monitor. - wait_for_fim_start: type: fixture brief: Wait for realtime start, whodata start, or end of initial FIM scan. assertions: - - Verify that the `FIM` events generated contain only the `check_` fields specified in the configuration. + - Verify that FIM events generated contain only the 'check_' fields specified in the configuration. - input_description: Different test cases are contained in external `YAML` files + input_description: Different test cases are contained in external YAML files (wazuh_checksums.yaml or wazuh_checksums_windows.yaml) which includes - configuration settings for the `wazuh-syscheckd` daemon and testing + configuration settings for the 'wazuh-syscheckd' daemon and testing directories to monitor. expected_output: - - r'.*Sending FIM event: (.+)$' (`added`, `modified`, and `deleted` events) + - r'.*Sending FIM event: (.+)$' ('added', 'modified', and 'deleted' events) tags: - scheduled diff --git a/tests/integration/test_fim/test_files/test_checks/test_hard_link.py b/tests/integration/test_fim/test_files/test_checks/test_hard_link.py index e02dec4744..acf8778819 100644 --- a/tests/integration/test_fim/test_files/test_checks/test_hard_link.py +++ b/tests/integration/test_fim/test_files/test_checks/test_hard_link.py 
@@ -1,7 +1,69 @@
-# Copyright (C) 2015-2021, Wazuh Inc.
-# Created by Wazuh, Inc. .
-# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
-
+'''
+copyright: Copyright (C) 2015-2021, Wazuh Inc.
+
+ Created by Wazuh, Inc. .
+
+ This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files
+ are modified. Specifically, these tests will check if FIM events are generated when 'hard links'
+ of a monitored file are modified but are located in a different directory than the source file.
+ The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files
+ for changes to the checksums, permissions, and ownership.
+
+tier: 0
+
+modules:
+ - fim
+
+components:
+ - agent
+ - manager
+
+daemons:
+ - wazuh-syscheckd
+
+os_platform:
+ - linux
+
+os_version:
+ - Arch Linux
+ - Amazon Linux 2
+ - Amazon Linux 1
+ - CentOS 8
+ - CentOS 7
+ - CentOS 6
+ - Ubuntu Focal
+ - Ubuntu Bionic
+ - Ubuntu Xenial
+ - Ubuntu Trusty
+ - Debian Buster
+ - Debian Stretch
+ - Debian Jessie
+ - Debian Wheezy
+ - Red Hat 8
+ - Red Hat 7
+ - Red Hat 6
+
+references:
+ - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+ - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
+ - https://en.wikipedia.org/wiki/Inode
+
+pytest_args:
+ - fim_mode:
+ realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+ whodata: Implies real-time monitoring but adding the 'who-data' information.
+ - tier:
+ 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+ 1: Only level 1 tests are performed, they check functionalities of medium complexity.
+ 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+ - fim_checks
+'''
 import os
 import sys
 import time
@@ -55,28 +117,66 @@ def get_configuration(request):
 ])
 def test_hard_link(path_file, file_name, path_link, link_name, num_links, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start):
- """
- Test the check_inode option when used with Hard links by creating a hard link file inside and outside the
- monitored directory.
-
- When a regular file with one or more hard links pointing to it is modified the event raised will have a field named
- 'hard_links' that must contain a list with the path to those hard links. Only modification events for the regular
- file are expected, not for the hard links, even if we modify a hard link.
-
- Parameters
- ----------
- path_file : str
- The path to the regular file to be created.
- file_name : str
- The name of the regular file to be created.
- path_link : str
- The path to the Hard links to be created.
- link_name : str
- The name of the Hard links to be created.
- num_links : int
- Number of hard links to create. All of them will be pointing to the same regular file.
- """
-
+ '''
+ description: Check if the 'wazuh-syscheckd' daemon detects events when the 'check_inode' attribute is used
+ and 'hard links' are modified while inside and outside the monitored directory.
+ When a regular file with one or more hard links pointing to it is modified, the FIM event
+ raised will have a field named 'hard_links' that must contain a list with the path to those
+ 'hard links'. Only modification events for the regular file are expected, not for the 'hard links'
+ even if the 'hard link' is modified. For this purpose, the test will monitor a directory where
+ it will add a testing file, create several 'hard links' pointing to it and verify that these
+ operations have generated the appropriate FIM 'added' events. Then it will modify the testing file
+ and check if the 'modified' events have been generated for that file only. Finally, the test
+ will verify that appropriate FIM events are generated if one of the 'hard links'
+ within the monitored directory is modified.
+
+ wazuh_min_version: 4.2.0
+
+ parameters:
+ - path_file:
+ type: str
+ brief: Path to the regular file to be created.
+ - file_name:
+ type: str
+ brief: Name of the regular file to be created.
+ - path_link:
+ type: str
+ brief: Path to the 'hard links' to be created.
+ - link_name:
+ type: str
+ brief: Name of the 'hard links' to be created.
+ - num_links:
+ type: int
+ brief: Number of hard links to create. All of them will be pointing to the same regular file.
+ - get_configuration:
+ type: fixture
+ brief: Get configurations from the module.
+ - configure_environment:
+ type: fixture
+ brief: Configure a custom environment for testing.
+ - restart_syscheckd:
+ type: fixture
+ brief: Clear the 'ossec.log' file and start a new monitor.
+ - wait_for_fim_start:
+ type: fixture
+ brief: Wait for realtime start, whodata start, or end of initial FIM scan.
+
+ assertions:
+ - Verify that the FIM events generated contain contain the proper number of 'hard links'
+ in the 'hard_links' field.
+ - Verify that only FIM events are generated when the regular file being monitored is modified.
+
+ input_description: A test case (test_hard_link) is contained in external YAML file
+ (wazuh_hard_link.yaml) which includes configuration settings for
+ the 'wazuh-syscheckd' daemon and testing directory to monitor.
+
+ expected_output:
+ - r'.*Sending FIM event: (.+)$' ('added', 'modified', and 'deleted' events)
+
+ tags:
+ - scheduled
+ - time_travel
+ '''
 def detect_and_validate_event(expected_file, mode, expected_hard_links):
 event_checker.events = event_checker.fetch_events(min_timeout=global_parameters.default_timeout)
From fc07b87a541211b20cf0e6f36659c33d4b9a7d54 Mon Sep 17 00:00:00 2001
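Review bot: The first `assertions` bullet in the new docstring of `test_hard_link` has a doubled word, "contain contain the proper number of 'hard links'"; it should read `- Verify that the FIM events generated contain the proper number of 'hard links'`. The `tags` section lists only `scheduled` and `time_travel`, while the module header documents `realtime` and `whodata` as selectable modes; if the module's configuration file (not visible here) parametrizes those modes, they belong in `tags` too, otherwise the generated page will under-report where this test runs. The body of test_hard_link continues past the end of this hunk.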
From: mdengra Date: Wed, 29 Sep 2021 12:42:48 +0200 Subject: [PATCH 10/12] doc: Fix tier number of test_benchmark and test_checks in test_fim/test_files documentation Closes: #1936 --- .../test_fim/test_files/test_benchmark/test_benchmark.py | 2 +- .../test_files/test_benchmark/test_report_changes_big.py | 2 +- .../test_fim/test_files/test_checks/test_check_all.py | 2 +- .../test_fim/test_files/test_checks/test_check_others.py | 2 +- .../test_fim/test_files/test_checks/test_checksums.py | 2 +- .../test_fim/test_files/test_checks/test_hard_link.py | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/tests/integration/test_fim/test_files/test_benchmark/test_benchmark.py b/tests/integration/test_fim/test_files/test_benchmark/test_benchmark.py index b6431bb4c9..022149d003 100644 --- a/tests/integration/test_fim/test_files/test_benchmark/test_benchmark.py +++ b/tests/integration/test_fim/test_files/test_benchmark/test_benchmark.py @@ -12,7 +12,7 @@ before the specified time expires. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership. -tier: 0 +tier: 3 modules: - fim diff --git a/tests/integration/test_fim/test_files/test_benchmark/test_report_changes_big.py b/tests/integration/test_fim/test_files/test_benchmark/test_report_changes_big.py index 23336e57b6..5e52af12cb 100644 --- a/tests/integration/test_fim/test_files/test_benchmark/test_report_changes_big.py +++ b/tests/integration/test_fim/test_files/test_benchmark/test_report_changes_big.py @@ -13,7 +13,7 @@ The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership. -tier: 0 +tier: 3 modules: - fim diff --git a/tests/integration/test_fim/test_files/test_checks/test_check_all.py b/tests/integration/test_fim/test_files/test_checks/test_check_all.py index 7aed831f2b..bf55bd69dd 100644 
--- a/tests/integration/test_fim/test_files/test_checks/test_check_all.py +++ b/tests/integration/test_fim/test_files/test_checks/test_check_all.py @@ -14,7 +14,7 @@ The 'FIM' capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership. -tier: 0 +tier: 1 modules: - fim diff --git a/tests/integration/test_fim/test_files/test_checks/test_check_others.py b/tests/integration/test_fim/test_files/test_checks/test_check_others.py index 9da09a7637..376d592f36 100644 --- a/tests/integration/test_fim/test_files/test_checks/test_check_others.py +++ b/tests/integration/test_fim/test_files/test_checks/test_check_others.py @@ -14,7 +14,7 @@ The 'FIM' capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership. -tier: 0 +tier: 1 modules: - fim diff --git a/tests/integration/test_fim/test_files/test_checks/test_checksums.py b/tests/integration/test_fim/test_files/test_checks/test_checksums.py index eefe9c4b8f..ca6a9b9646 100644 --- a/tests/integration/test_fim/test_files/test_checks/test_checksums.py +++ b/tests/integration/test_fim/test_files/test_checks/test_checksums.py @@ -13,7 +13,7 @@ The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership. -tier: 0 +tier: 1 modules: - fim diff --git a/tests/integration/test_fim/test_files/test_checks/test_hard_link.py b/tests/integration/test_fim/test_files/test_checks/test_hard_link.py index acf8778819..983f403e71 100644 --- a/tests/integration/test_fim/test_files/test_checks/test_hard_link.py +++ b/tests/integration/test_fim/test_files/test_checks/test_hard_link.py @@ -13,7 +13,7 @@ The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership. -tier: 0 +tier: 1 modules: - fim 
From 0473dda4a7ecdeed19459b2f61485f0747563d5b Mon Sep 17 00:00:00 2001 From: mdengra Date: Wed, 29 Sep 2021 16:57:00 +0200 Subject: [PATCH 11/12] doc: Add test_env_variables and test_file_limit of test_fim/test_files documentation in QA Docs style The following tests have been documented: * test_dir.py * test_dir_win32.py * test_ignore.py * test_nodiff.py The current scheme of the issue #1694 has been used. PEP-8 fixes. Closes: #1945 --- .../test_files/test_env_variables/test_dir.py | 121 +++++++++++++- .../test_env_variables/test_dir_win32.py | 102 +++++++++++- .../test_env_variables/test_ignore.py | 129 ++++++++++++++- .../test_env_variables/test_nodiff.py | 150 ++++++++++++++++-- 4 files changed, 465 insertions(+), 37 deletions(-) diff --git a/tests/integration/test_fim/test_files/test_env_variables/test_dir.py b/tests/integration/test_fim/test_files/test_env_variables/test_dir.py index 7056b2fe28..bf15a2853b 100644 --- a/tests/integration/test_fim/test_files/test_env_variables/test_dir.py +++ b/tests/integration/test_fim/test_files/test_env_variables/test_dir.py 
@@ -1,7 +1,76 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts + when these files are modified. Specifically, these tests will check if FIM events are + generated when multiple environment variables are used to monitor directories. + The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured + files for changes to the checksums, permissions, and ownership. + +tier: 2 + +modules: + - fim + +components: + - agent + - manager + +daemons: + - wazuh-syscheckd + +os_platform: + - linux + - windows + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + - Windows 10 + - Windows 8 + - Windows 7 + - Windows Server 2016 + - Windows server 2012 + - Windows server 2003 + - Windows XP + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#directories + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the 'who-data' information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. + 1: Only level 1 tests are performed, they check functionalities of medium complexity. 
+ 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. + +tags: + - fim_env_variables +''' import os import sys 
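Review bot: The `os_version` entries `Windows server 2012` and `Windows server 2003` are capitalised differently from `Windows Server 2016` in the same list; if the docs generator groups or filters on these values, the inconsistent spelling will split one platform into two, so `- Windows Server 2012` and `- Windows Server 2003` are safer. The same list is repeated in the new headers of test_dir_win32.py, test_ignore.py, test_nodiff.py and test_file_limit_capacity_alerts.py in this series, so the fix applies to all of them. The `pytest_args` entry for `fim_mode` describes only Linux and Windows behaviour, which matches this module's `os_platform`, so no change is needed there.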
@@ -61,9 +130,49 @@ def get_configuration(request):
 ])
 def test_tag_directories(directory, get_configuration, put_env_variables, configure_environment, restart_syscheckd, wait_for_fim_start):
- """
- Test alerts are generated when monitor environment variables
- """
+ '''
+ description: Check if the 'wazuh-syscheckd' daemon detects CUD events ('added', 'modified', and 'deleted')
+ when environment variables are used to monitor directories. For this purpose, the test
+ will monitor a directory that is defined in an environment variable. Then, different
+ operations will be performed on testing files, and finally, the test will verify
+ that the proper FIM events have been generated.
+
+ wazuh_min_version: 4.2.0
+
+ parameters:
+ - directory:
+ type: str
+ brief: Path to the directory to be monitored.
+ - get_configuration:
+ type: fixture
+ brief: Get configurations from the module.
+ - put_env_variables:
+ type: fixture
+ brief: Create the environment variables.
+ - configure_environment:
+ type: fixture
+ brief: Configure a custom environment for testing.
+ - restart_syscheckd:
+ type: fixture
+ brief: Clear the 'ossec.log' file and start a new monitor.
+ - wait_for_fim_start:
+ type: fixture
+ brief: Wait for realtime start, whodata start, or end of initial FIM scan.
+
+ assertions:
+ - Verify that FIM events are generated when environment variables are used to monitor directories.
+
+ input_description: A test case (ossec_conf) is contained in external YAML file (wazuh_conf_dir.yaml) which
+ includes configuration settings for the 'wazuh-syscheckd' daemon and, it is combined
+ with the directories to be monitored defined as environment variables in this module.
+
+ expected_output:
+ - r'.*Sending FIM event: (.+)$' ('added', 'modified', and 'deleted' events)
+
+ tags:
+ - scheduled
+ - time_travel
+ '''
 regular_file_cud(directory, wazuh_log_monitor, file_list=["testing_env_variables"], min_timeout=global_parameters.default_timeout, time_travel=get_configuration['metadata']['fim_mode'] == 'scheduled')
diff --git a/tests/integration/test_fim/test_files/test_env_variables/test_dir_win32.py b/tests/integration/test_fim/test_files/test_env_variables/test_dir_win32.py
index 82453543ca..3160be9107 100644
--- a/tests/integration/test_fim/test_files/test_env_variables/test_dir_win32.py
+++ b/tests/integration/test_fim/test_files/test_env_variables/test_dir_win32.py
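Review bot: The `tags` list in the new docstring of `test_tag_directories` names only `scheduled` and `time_travel`, but the context line `time_travel=get_configuration['metadata']['fim_mode'] == 'scheduled'` shows the test branches on `fim_mode`, which suggests the module configuration also runs it in other modes; if it does, `realtime` and `whodata` should be listed in `tags` as well so the generated page reflects every mode the test covers. The `input_description` sentence "daemon and, it is combined" has a stray comma; `daemon and it is combined` reads correctly. The same docstring, with both points, is added to `test_tag_directories` in test_dir_win32.py in the next hunk.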
@@ -1,7 +1,57 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts + when these files are modified. Specifically, these tests will check if FIM events are + generated when environment variables are used to monitor directories in Windows systems. + The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured + files for changes to the checksums, permissions, and ownership. + +tier: 2 + +modules: + - fim + +components: + - agent + +daemons: + - wazuh-syscheckd + +os_platform: + - windows + +os_version: + - Windows 10 + - Windows 8 + - Windows 7 + - Windows Server 2016 + - Windows server 2012 + - Windows server 2003 + - Windows XP + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#directories + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the 'who-data' information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. + 1: Only level 1 tests are performed, they check functionalities of medium complexity. + 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. + +tags: + - fim_env_variables +''' import os import pytest 
@@ -43,9 +93,49 @@ def get_configuration(request):
 @pytest.mark.parametrize('directory', [subdir1])
 def test_tag_directories(directory, get_configuration, put_env_variables, configure_environment, restart_syscheckd, wait_for_fim_start):
- """
- Test alerts are generated when monitor environment variables
- """
+ '''
+ description: Check if the 'wazuh-syscheckd' daemon detects CUD events ('added', 'modified', and 'deleted')
+ when environment variables are used to monitor directories. For this purpose, the test
+ will monitor a directory that is defined in an environment variable. Then, different
+ operations will be performed on testing files, and finally, the test will verify
+ that the proper FIM events have been generated.
+
+ wazuh_min_version: 4.2.0
+
+ parameters:
+ - directory:
+ type: str
+ brief: Path to the directory to be monitored.
+ - get_configuration:
+ type: fixture
+ brief: Get configurations from the module.
+ - put_env_variables:
+ type: fixture
+ brief: Create the environment variables.
+ - configure_environment:
+ type: fixture
+ brief: Configure a custom environment for testing.
+ - restart_syscheckd:
+ type: fixture
+ brief: Clear the 'ossec.log' file and start a new monitor.
+ - wait_for_fim_start:
+ type: fixture
+ brief: Wait for realtime start, whodata start, or end of initial FIM scan.
+
+ assertions:
+ - Verify that FIM events are generated when environment variables are used to monitor directories.
+
+ input_description: A test case (ossec_conf) is contained in external YAML file (wazuh_conf_dir.yaml) which
+ includes configuration settings for the 'wazuh-syscheckd' daemon and, it is combined
+ with the directory to be monitored defined as an environment variable in this module.
+
+ expected_output:
+ - r'.*Sending FIM event: (.+)$' ('added', 'modified', and 'deleted' events)
+
+ tags:
+ - scheduled
+ - time_travel
+ '''
 regular_file_cud(directory, wazuh_log_monitor, file_list=["testing_env_variables"], min_timeout=global_parameters.default_timeout, time_travel=get_configuration['metadata']['fim_mode'] == 'scheduled')
diff --git a/tests/integration/test_fim/test_files/test_env_variables/test_ignore.py b/tests/integration/test_fim/test_files/test_env_variables/test_ignore.py
index c3a8e761ce..27ba3dcd1e 100644
--- a/tests/integration/test_fim/test_files/test_env_variables/test_ignore.py
+++ b/tests/integration/test_fim/test_files/test_env_variables/test_ignore.py
@@ -1,7 +1,76 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts + when these files are modified. Specifically, these tests will check if the 'ignore' tag + works correctly when environment variables are used to define the directories to ignore. + The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured + files for changes to the checksums, permissions, and ownership. + +tier: 2 + +modules: + - fim + +components: + - agent + - manager + +daemons: + - wazuh-syscheckd + +os_platform: + - linux + - windows + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + - Windows 10 + - Windows 8 + - Windows 7 + - Windows Server 2016 + - Windows server 2012 + - Windows server 2003 + - Windows XP + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#ignore + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the 'who-data' information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. + 1: Only level 1 tests are performed, they check functionalities of medium complexity. 
+ 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. + +tags: + - fim_env_variables +''' import os import sys 
@@ -64,10 +133,54 @@ def get_configuration(request):
 ])
 def test_tag_ignore(directory, event_generated, get_configuration, configure_environment, put_env_variables, restart_syscheckd, wait_for_fim_start):
- """
- Test environment variables are ignored
- """
-
+ '''
+ description: Check if the 'wazuh-syscheckd' daemon ignores directories when they are defined using
+ environment variables. For this purpose, the test will monitor a directory that is ignored
+ in an environment variable set in the 'ignore' tag. Then, a testing file will be added to
+ that directory, and finally, the test will verify that the 'ignoring' or `added` FIM events
+ have been generated according to the test case.
+
+ wazuh_min_version: 4.2.0
+
+ parameters:
+ - directory:
+ type: str
+ brief: Path to the directory to be monitored.
+ - event_generated:
+ type: bool
+ brief: True if the directory is not ignored. False otherwise.
+ - get_configuration:
+ type: fixture
+ brief: Get configurations from the module.
+ - put_env_variables:
+ type: fixture
+ brief: Create the environment variables.
+ - configure_environment:
+ type: fixture
+ brief: Configure a custom environment for testing.
+ - restart_syscheckd:
+ type: fixture
+ brief: Clear the 'ossec.log' file and start a new monitor.
+ - wait_for_fim_start:
+ type: fixture
+ brief: Wait for realtime start, whodata start, or end of initial FIM scan.
+
+ assertions:
+ - Verify that 'ignoring' FIM event is generated when the ignored directories
+ are defined using environment variables.
+
+ input_description: A test case (ossec_conf) is contained in external YAML file (wazuh_conf_ignore.yaml) which
+ includes configuration settings for the 'wazuh-syscheckd' daemon and, it is combined
+ with the directories to be ignored defined as environment variables in this module.
+
+ expected_output:
+ - r'.*Sending FIM event: (.+)$' ('added' event if the testing directory is not ignored)
+ - r'.*Ignoring'
+
+ tags:
+ - scheduled
+ - time_travel
+ '''
 # Create text files
 filename = "test"
 create_file(REGULAR, directory, filename, content="")
diff --git a/tests/integration/test_fim/test_files/test_env_variables/test_nodiff.py b/tests/integration/test_fim/test_files/test_env_variables/test_nodiff.py
index 9be81d88f1..50cb01002f 100644
--- a/tests/integration/test_fim/test_files/test_env_variables/test_nodiff.py
+++ b/tests/integration/test_fim/test_files/test_env_variables/test_nodiff.py
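Review bot: The `parameters` section of the new `test_tag_ignore` docstring lists `put_env_variables` before `configure_environment`, while the signature on the context line has `configure_environment, put_env_variables`; documenting fixtures in signature order keeps the generated page aligned with the code. The description also mixes quoting styles in `'ignoring' or `added` FIM events`, where the rest of the file uses single quotes, so `'ignoring' or 'added' FIM events` is the consistent form. Since `expected_output` already names the 'added' event for a non-ignored directory, `assertions` should cover that case as well, e.g. `- Verify that an 'added' FIM event is generated when the directory defined in the environment variable is not ignored.` The body of test_tag_ignore continues past the end of this hunk.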
@@ -1,7 +1,78 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these + files are modified. Specifically, these tests will check if the 'nodiff' tag works correctly + when environment variables are used to define the files whose changes will not be tracked. + The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured + files for changes to the checksums, permissions, and ownership. + +tier: 2 + +modules: + - fim + +components: + - agent + - manager + +daemons: + - wazuh-syscheckd + +os_platform: + - linux + - windows + - macos + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + - Windows 10 + - Windows 8 + - Windows 7 + - Windows Server 2016 + - Windows server 2012 + - Windows server 2003 + - Windows XP + - macOS Catalina + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#diff + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the 'who-data' information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. 
+ 1: Only level 1 tests are performed, they check functionalities of medium complexity. + 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. + +tags: + - fim_env_variables +''' import os import sys @@ -26,10 +97,12 @@ # Check big environment variables ending with backslash if sys.platform == 'win32': - paths = [os.path.join(PREFIX, 'a' * 50 + '\\') for i in range(10)] + [os.path.join(dir2, "test.txt"), os.path.join(dir3, "test.txt")] + paths = [os.path.join(PREFIX, 'a' * 50 + '\\') for i in range(10)] + \ + [os.path.join(dir2, "test.txt"), os.path.join(dir3, "test.txt")] test_env = "%TEST_NODIFF_ENV%" else: - paths = [os.path.join(PREFIX, 'a' * 50 + '\\') for i in range(100)] + [os.path.join(dir2, "test.txt"), os.path.join(dir3, "test.txt")] + paths = [os.path.join(PREFIX, 'a' * 50 + '\\') for i in range(100)] + \ + [os.path.join(dir2, "test.txt"), os.path.join(dir3, "test.txt")] test_env = "$TEST_NODIFF_ENV" multiple_env_var = os.pathsep.join(paths) 
@@ -62,17 +135,60 @@ def get_configuration(request):
 ])
 def test_tag_nodiff(directory, filename, hidden_content, get_configuration, put_env_variables, configure_environment, restart_syscheckd, wait_for_fim_start):
- """
- Test nodiff option works with environment variables
-
- Parameters
- ----------
- directory : str
- Directory where the file is being created.
- hidden_content : bool
- True if content must be truncated,, False otherwise.
- """
-
+ '''
+ description: Check if the 'wazuh-syscheckd' daemon truncates the content in the 'diff' files when testing files
+ are defined using environment variables via the 'nodiff' tag. For this purpose, the test will monitor
+ a directory using the 'report_changes=yes' attribute and some testing files will be defined in
+ the 'nodiff' tag using environment variables. Then, it will perform operations on the testing files
+ and check if the corresponding diff files have been created. Finally, the test will verify that
+ the 'diff' files of the testing files set in the 'nodiff' tag have their content truncated.
+
+ wazuh_min_version: 4.2.0
+
+ parameters:
+ - directory:
+ type: str
+ brief: Path to the directory to be monitored.
+ - filename:
+ type: str
+ brief: Name of the testing file to be tracked.
+ - hidden_content:
+ type: bool
+ brief: True if the 'diff' file must not be created. False otherwise.
+ - get_configuration:
+ type: fixture
+ brief: Get configurations from the module.
+ - put_env_variables:
+ type: fixture
+ brief: Create the environment variables.
+ - configure_environment:
+ type: fixture
+ brief: Configure a custom environment for testing.
+ - restart_syscheckd:
+ type: fixture
+ brief: Clear the 'ossec.log' file and start a new monitor.
+ - wait_for_fim_start:
+ type: fixture
+ brief: Wait for realtime start, whodata start, or end of initial FIM scan.
+
+ assertions:
+ - Verify that the 'content_changes' field of FIM events has a message
+ indicating that the 'nodiff' option is being used.
+ - Verify that 'diff' files are its content truncated when files are specified + via environment variables using the 'nodiff' tag. + + input_description: A test case (ossec_conf) is contained in external YAML file (wazuh_conf_nodiff.yaml) which + includes configuration settings for the 'wazuh-syscheckd' daemon and, it is combined + with the directories and testing files defined as environment variables in this module. + + expected_output: + - r'.*Sending FIM event: (.+)$' ('added', 'modified', and 'deleted' events) + - The 'diff' file in the default location. + + tags: + - scheduled + - time_travel + ''' files = {filename: b'Hello word!'} def report_changes_validator(event): From 495587599085da7bd205569fbdf429b8429ce5d0 Mon Sep 17 00:00:00 2001 From: mdengra Date: Thu, 30 Sep 2021 12:45:34 +0200 Subject: [PATCH 12/12] doc: Add test_env_variables and test_file_limit of test_fim/test_files documentation in QA Docs style The following tests have been documentated: * test_file_limit_capacity_alerts.py * test_file_limit_default.py * test_file_limit_delete_full.py * test_file_limit_full.py * test_file_limit_no_limit.py * test_file_limit_values.py Minor corrections in the documentation of the remaining tests. The current scheme of the issue #1694 has been used. Updated config.yaml PEP-8 fixes. Closes: #1945 --- docs/DocGenerator/config.yaml | 2 + .../test_files/test_env_variables/test_dir.py | 4 +- .../test_env_variables/test_dir_win32.py | 2 +- .../test_env_variables/test_ignore.py | 2 +- .../test_file_limit_capacity_alerts.py | 137 +++++++++++++++-- .../test_file_limit_default.py | 133 +++++++++++++--- .../test_file_limit_delete_full.py | 144 +++++++++++++++--- .../test_file_limit/test_file_limit_full.py | 137 +++++++++++++++-- .../test_file_limit_no_limit.py | 120 +++++++++++++-- .../test_file_limit/test_file_limit_values.py | 135 +++++++++++++--- 10 files changed, 721 insertions(+), 95 deletions(-) 
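Review bot: The new `brief` for `hidden_content` says "True if the 'diff' file must not be created", but the `description` and the second `assertions` bullet say the 'diff' file is created and its content truncated, and the removed docstring also described truncation; the parameter brief should agree with them, e.g. `brief: True if the content of the 'diff' file must be truncated. False otherwise.` That second assertion is also ungrammatical ("'diff' files are its content truncated"); `- Verify that the content of the 'diff' files is truncated when files are specified via environment variables using the 'nodiff' tag.` states the same check. The body of test_tag_nodiff continues past the end of this hunk.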
diff --git a/docs/DocGenerator/config.yaml b/docs/DocGenerator/config.yaml index d22f02e99d..9b9b602a7c 100644 --- a/docs/DocGenerator/config.yaml +++ b/docs/DocGenerator/config.yaml @@ -51,6 +51,8 @@ Ignore paths: - "../../tests/integration/test_fim/test_files/test_basic_usage/data" - "../../tests/integration/test_fim/test_files/test_benchmark/data" - "../../tests/integration/test_fim/test_files/test_checks/data" + - "../../tests/integration/test_fim/test_files/test_env_variables/data" + - "../../tests/integration/test_fim/test_files/test_file_limit/data" Output fields: Module: diff --git a/tests/integration/test_fim/test_files/test_env_variables/test_dir.py b/tests/integration/test_fim/test_files/test_env_variables/test_dir.py index bf15a2853b..6d0a96e440 100644 --- a/tests/integration/test_fim/test_files/test_env_variables/test_dir.py +++ b/tests/integration/test_fim/test_files/test_env_variables/test_dir.py @@ -10,8 +10,8 @@ brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are modified. Specifically, these tests will check if FIM events are generated when multiple environment variables are used to monitor directories. - The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured - files for changes to the checksums, permissions, and ownership. + The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks + configured files for changes to the checksums, permissions, and ownership. tier: 2 diff --git a/tests/integration/test_fim/test_files/test_env_variables/test_dir_win32.py b/tests/integration/test_fim/test_files/test_env_variables/test_dir_win32.py index 3160be9107..345e30862b 100644 --- a/tests/integration/test_fim/test_files/test_env_variables/test_dir_win32.py +++ b/tests/integration/test_fim/test_files/test_env_variables/test_dir_win32.py 
@@ -10,7 +10,7 @@ brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are modified. Specifically, these tests will check if FIM events are generated when environment variables are used to monitor directories in Windows systems. - The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured + The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership. tier: 2 diff --git a/tests/integration/test_fim/test_files/test_env_variables/test_ignore.py b/tests/integration/test_fim/test_files/test_env_variables/test_ignore.py index 27ba3dcd1e..4467b83125 100644 --- a/tests/integration/test_fim/test_files/test_env_variables/test_ignore.py +++ b/tests/integration/test_fim/test_files/test_env_variables/test_ignore.py @@ -10,7 +10,7 @@ brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are modified. Specifically, these tests will check if the 'ignore' tag works correctly when environment variables are used to define the directories to ignore. - The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured + The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership. tier: 2 diff --git a/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_capacity_alerts.py b/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_capacity_alerts.py index 483c69976f..b6ca7cf67d 100644 --- a/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_capacity_alerts.py +++ b/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_capacity_alerts.py 
@@ -1,7 +1,78 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts + when these files are modified. Specifically, these tests will check if the threshold + set in the 'file_limit' tag generates FIM events when the number of monitored files + approaches this value. + The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks + configured files for changes to the checksums, permissions, and ownership. + +tier: 1 + +modules: + - fim + +components: + - agent + - manager + +daemons: + - wazuh-syscheckd + +os_platform: + - linux + - windows + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + - Windows 10 + - Windows 8 + - Windows 7 + - Windows Server 2016 + - Windows server 2012 + - Windows server 2003 + - Windows XP + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#file-limit + - https://en.wikipedia.org/wiki/Inode + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the 'who-data' information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. 
+ 1: Only level 1 tests are performed, they check functionalities of medium complexity. + 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. + +tags: + - fim_file_limit +''' import os import sys 
@@ -58,14 +129,56 @@ def get_configuration(request): ]) def test_file_limit_capacity_alert(percentage, tags_to_apply, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): - """ - Checks that the corresponding alerts appear in schedule mode for different capacity thresholds. - - Parameters - ---------- - tags_to_apply : set - Run test if matches with a configuration identifier, skip otherwise. - """ + ''' + description: Check if the 'wazuh-syscheckd' daemon generates events for different capacity thresholds limits when + using the 'schedule' monitoring mode. For this purpose, the test will monitor a directory in which + several testing files will be created, corresponding to different percentages of the total file limit. + Then, it will check if FIM events are generated when the number of files created exceeds 80% of + the total and when the number is less than that percentage. Finally, the test will verify that + on the FIM event, inodes and monitored files number match. + + wazuh_min_version: 4.2.0 + + parameters: + - percentage: + type: int + brief: Percentage of testing files to be created. + - tags_to_apply: + type: set + brief: Run test if matches with a configuration identifier, skip otherwise. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the 'ossec.log' file and start a new monitor. + - wait_for_fim_start: + type: fixture + brief: Wait for realtime start, whodata start, or end of initial FIM scan. + + assertions: + - Verify that FIM events are generated when the number of files to be monitored + exceeds the established threshold and vice versa. + - Verify that the FIM events contain the same number of inodes and files in the monitored directory. 
+ + input_description: A test case (file_limit_conf) is contained in external YAML file (wazuh_conf.yaml) + which includes configuration settings for the 'wazuh-syscheckd' daemon and, it is + combined with the testing directory to be monitored defined in this module. + + expected_output: + - r'.*Sending FIM event: (.+)$' ('added' event if the testing directory is not ignored) + - r'.*Sending DB * full alert.' + - r'.*Sending DB back to normal alert.' + - r'.*Fim inode entries*, path count' + - r'.*Fim entries' (on Windows systems) + + tags: + - scheduled + - time_travel + ''' check_apply_test(tags_to_apply, get_configuration['tags']) NUM_FILES = percentage + 1 diff --git a/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_default.py b/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_default.py index b5c3287060..3a440a98fb 100644 --- a/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_default.py +++ b/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_default.py 
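Review bot: The `expected_output` entries in the new docstring use `*` as a glob wildcard (`r'.*Sending DB * full alert.'`, `r'.*Fim inode entries*, path count'`), but written as raw regex strings `*` quantifies the preceding character, so `DB * full` only matches a run of spaces between `DB` and `full`, and `entries*` matches `entrie`, `entries`, `entriess`. If these are meant to mirror the callback regexes (defined outside the hunk), the regex spelling would be `r'.*Sending DB .* full alert.'` and `r'.*Fim inode entries.*, path count'`; otherwise drop the `r'...'` wrapper and give them as plain log-message excerpts. The same patterns recur in the test_file_limit_delete_full and test_file_limit_full docstrings further down this patch. test_file_limit_capacity_alert's body continues past the hunk.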
@@ -1,7 +1,77 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts + when these files are modified. Specifically, these tests will check if the maximum + number of files monitored by the 'wazuh-syscheckd' daemon is set to default when + the 'file_limit' tag is missing in the configuration. + The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks + configured files for changes to the checksums, permissions, and ownership. + +tier: 1 + +modules: + - fim + +components: + - agent + - manager + +daemons: + - wazuh-syscheckd + +os_platform: + - linux + - windows + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + - Windows 10 + - Windows 8 + - Windows 7 + - Windows Server 2016 + - Windows server 2012 + - Windows server 2003 + - Windows XP + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#file-limit + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the 'who-data' information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. 
+ 1: Only level 1 tests are performed, they check functionalities of medium complexity. + 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. + +tags: + - fim_file_limit +''' import os import pytest 
@@ -48,21 +118,50 @@ def get_configuration(request): {'file_limit_default'} ]) def test_file_limit_default(tags_to_apply, get_configuration, configure_environment, restart_syscheckd): - """ - Check that if the file_limit option is missing, the maximum number of files monitored is set to default. - - Parameters - ---------- - tags_to_apply : set - Run test if matches with a configuration identifier, skip otherwise. - """ + ''' + description: Check if the maximum number of files monitored by the 'wazuh-syscheckd' daemon is set to default + when the 'file_limit' tag is missing in the configuration. For this purpose, the test will monitor + a directory and wait for FIM to start and generate an event indicating the maximum number of files + to monitor. Finally, the test will verify that this number matches the default value (100000). + + wazuh_min_version: 4.2.0 + + parameters: + - tags_to_apply: + type: set + brief: Run test if matches with a configuration identifier, skip otherwise. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the 'ossec.log' file and start a new monitor. + + assertions: + - Verify that an FIM event is generated indicating the maximum number of files + to monitor is the default value (100000). + + input_description: A test case (file_limit_default) is contained in external YAML file (wazuh_conf.yaml) + which includes configuration settings for the 'wazuh-syscheckd' daemon and, it is + combined with the testing directory to be monitored defined in this module. 
+ + expected_output: + - r'.*Maximum number of entries to be monitored' + + tags: + - scheduled + - time_travel + ''' check_apply_test(tags_to_apply, get_configuration['tags']) - file_limit_value = wazuh_log_monitor.start(timeout=global_parameters.default_timeout, - callback=callback_value_file_limit, - error_message='Did not receive expected ' - '"DEBUG: ...: Maximum number of entries to be monitored: ..." event' - ).result() + file_limit_value = wazuh_log_monitor.start( + timeout=global_parameters.default_timeout, + callback=callback_value_file_limit, + error_message='Did not receive expected ' + '"DEBUG: ...: Maximum number of entries to be monitored: ..." event').result() if file_limit_value: assert file_limit_value == str(NUM_FILES), 'Wrong value for file_limit' diff --git a/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_delete_full.py b/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_delete_full.py index 980615bf51..4225565d8c 100644 --- a/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_delete_full.py +++ b/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_delete_full.py 
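Review bot: The new `description` and `assertions` text pins the default to `100000`, while the assertion at the end of the hunk compares against `str(NUM_FILES)`, presumably a module constant defined outside the hunk, so the documented number and the checked number can drift without anyone noticing. Either phrase the docstring in terms of the constant (`...matches the default value held in NUM_FILES (100000 at the time of writing)`) or add a why-comment beside the assert, e.g. `# NUM_FILES is the daemon's built-in file_limit default`. Note also that the `if file_limit_value:` guard skips the check entirely when the callback yields a falsy value; that is pre-existing, but the new `assertions` entry reads as if the comparison is always performed.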
@@ -1,7 +1,77 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these + files are modified. Specifically, these tests will check if, after manipulating files while + the FIM database is in 'full database alert' mode, files that are deleted in 'normal' mode + generate events consistent with deleted files. + The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks + configured files for changes to the checksums, permissions, and ownership. + +tier: 1 + +modules: + - fim + +components: + - agent + - manager + +daemons: + - wazuh-syscheckd + +os_platform: + - linux + - windows + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + - Windows 10 + - Windows 8 + - Windows 7 + - Windows Server 2016 + - Windows server 2012 + - Windows server 2003 + - Windows XP + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#file-limit + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the 'who-data' information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. 
+ 1: Only level 1 tests are performed, they check functionalities of medium complexity. + 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. + +tags: + - fim_file_limit +''' import os from time import sleep 
@@ -69,20 +139,58 @@ def extra_configuration_before_yield(): ]) def test_file_limit_delete_full(folder, file_name, tags_to_apply, get_configuration, configure_environment, restart_syscheckd): - """ - This test checks a specific case: - If in a file (for example test_1) is not inserted in the database and a file ended in 0 (for example test_10) is - inserted in the DB, after deleting test_1, the delete alert was raised for test_10. - - Parameters - ---------- - folder: path - Path to the folder where the test is going to be executed. - file_name: - base name of the file (in the example above it will be test_) - tags_to_apply : set - Run test if matches with a configuration identifier, skip otherwise. - """ + ''' + description: Check a specific case. If a testing file ('test_file1') is not inserted in the FIM database + (because the maximum number of files to be monitored has already been reached), and another + testing file ended in 0 ('test_file10') is in the database, after deleting 'test_file1', + the FIM event 'delete' was raised for the 'test_file10' file. For this purpose, the test + will monitor a directory and create several test files until the maximum limit of monitored + files is reached. Then, it will create and delete the file 'test_file1' and wait for + no FIM events to be generated (file limit reached). Finally, it will delete 'test_file10' + and verify that the 'deleted' FIM event matches that file. + + wazuh_min_version: 4.2.0 + + parameters: + - folder: + type: str + brief: Path to the directory to be monitored. + - file_name: + type: str + brief: Name of the testing file to be created. + - tags_to_apply: + type: set + brief: Run test if matches with a configuration identifier, skip otherwise. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. 
+ - restart_syscheckd: + type: fixture + brief: Clear the 'ossec.log' file and start a new monitor. + + assertions: + - Verify that the FIM database is in 'full database alert' mode + when the maximum number of files to monitor has been reached. + - Verify that no FIM events are generated when operations are performed on new files + and the limit of files to monitor has been reached. + - Verify that after manipulating files in 'full database alert' mode, files that are deleted + while the FIM database is in 'normal' mode generate events consistent with deleted files. + + input_description: A test case (tags_delete_full) is contained in external YAML file (wazuh_conf_delete_full.yaml) + which includes configuration settings for the 'wazuh-syscheckd' daemon and, it is combined with + the testing directory to be monitored defined in this module. + + expected_output: + - r'.*Sending DB * full alert.' + - r'.*Sending FIM event: (.+)$' ('deleted' event) + + tags: + - realtime + - who-data + ''' check_apply_test(tags_to_apply, get_configuration['tags']) database_state = wazuh_log_monitor.start(timeout=global_parameters.default_timeout, diff --git a/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_full.py b/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_full.py index bd0e90ab7e..cf00e48583 100644 --- a/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_full.py +++ b/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_full.py 
@@ -1,7 +1,78 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts + when these files are modified. Specifically, these tests will check if FIM events are + generated while the database is in 'full database alert' mode for reaching the limit + of files to monitor set in the 'file_limit' tag. + The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks + configured files for changes to the checksums, permissions, and ownership. + +tier: 1 + +modules: + - fim + +components: + - agent + - manager + +daemons: + - wazuh-syscheckd + +os_platform: + - linux + - windows + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + - Windows 10 + - Windows 8 + - Windows 7 + - Windows Server 2016 + - Windows server 2012 + - Windows server 2003 + - Windows XP + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#file-limit + - https://en.wikipedia.org/wiki/Inode + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the 'who-data' information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. 
+ 1: Only level 1 tests are performed, they check functionalities of medium complexity. + 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. + +tags: + - fim_file_limit +''' import os import sys 
@@ -63,14 +134,49 @@ def extra_configuration_before_yield(): {'file_limit_conf'} ]) def test_file_limit_full(tags_to_apply, get_configuration, configure_environment, restart_syscheckd): - """ - Check that the full database alerts are being sent. - - Parameters - ---------- - tags_to_apply : set - Run test if matches with a configuration identifier, skip otherwise. - """ + ''' + description: Check if the 'wazuh-syscheckd' daemon generates proper events while the FIM database is in + 'full database alert' mode for reaching the limit of files to monitor set in the 'file_limit' tag. + For this purpose, the test will monitor a directory in which several testing files will be created + until the file monitoring limit is reached. Then, it will check if the FIM event 'full' is generated + when a new testing file is added to the monitored directory. Finally, the test will verify that + on the FIM event, inodes and monitored files number match. + + wazuh_min_version: 4.2.0 + + parameters: + - tags_to_apply: + type: set + brief: Run test if matches with a configuration identifier, skip otherwise. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the 'ossec.log' file and start a new monitor. + + assertions: + - Verify that the FIM database is in 'full database alert' mode + when the maximum number of files to monitor has been reached. + - Verify that proper FIM events are generated while the database is in 'full database alert' mode. + + input_description: A test case (file_limit_conf) is contained in external YAML file (wazuh_conf.yaml) + which includes configuration settings for the 'wazuh-syscheckd' daemon and, it is + combined with the testing directory to be monitored defined in this module. + + expected_output: + - r'.*Sending DB * full alert.' 
+ - r'.*The DB is full.*' + - r'.*Fim inode entries*, path count' + - r'.*Fim entries' (on Windows systems) + + tags: + - scheduled + - time_travel + ''' check_apply_test(tags_to_apply, get_configuration['tags']) database_state = wazuh_log_monitor.start(timeout=global_parameters.default_timeout, @@ -83,9 +189,10 @@ def test_file_limit_full(tags_to_apply, get_configuration, configure_environment create_file(REGULAR, testdir1, 'file_full', content='content') - wazuh_log_monitor.start(timeout=40, callback=callback_file_limit_full_database, - error_message='Did not receive expected ' - '"DEBUG: ...: Couldn\'t insert \'...\' entry into DB. The DB is full, ..." event') + wazuh_log_monitor.start( + timeout=40, callback=callback_file_limit_full_database, + error_message='Did not receive expected ' + '"DEBUG: ...: Couldn\'t insert \'...\' entry into DB. The DB is full, ..." event') entries, path_count = wazuh_log_monitor.start(timeout=40, callback=callback_entries_path_count, error_message='Did not receive expected ' diff --git a/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_no_limit.py b/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_no_limit.py index b85fa63d2b..e5a2b71ac4 100644 --- a/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_no_limit.py +++ b/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_no_limit.py 
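Review bot: The reformatted `wazuh_log_monitor.start(timeout=40, callback=callback_file_limit_full_database, ...)` call keeps a hard-coded `timeout=40` while the `database_state` call in the previous hunk uses `global_parameters.default_timeout`, and its return value is discarded. If 40 seconds is deliberately longer than the default, a named module constant with a short comment (e.g. `FULL_DB_TIMEOUT = 40  # TODO: document why this must exceed default_timeout`) would make that intent visible; otherwise `global_parameters.default_timeout` keeps the calls in this test consistent. The `entries, path_count` call that the hunk cuts through uses the same literal. test_file_limit_full's body continues past the hunk.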
@@ -1,7 +1,76 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when + these files are modified. Specifically, these tests will check if the FIM event 'no limit' + is generated when the 'file_limit' feature is disabled in the configuration. + The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files + for changes to the checksums, permissions, and ownership. + +tier: 1 + +modules: + - fim + +components: + - agent + - manager + +daemons: + - wazuh-syscheckd + +os_platform: + - linux + - windows + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + - Windows 10 + - Windows 8 + - Windows 7 + - Windows Server 2016 + - Windows server 2012 + - Windows server 2003 + - Windows XP + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#file-limit + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the 'who-data' information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. + 1: Only level 1 tests are performed, they check functionalities of medium complexity. 
+ 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. + +tags: + - fim_file_limit +''' import os import pytest @@ -47,14 +116,41 @@ def get_configuration(request): {'no_file_limit'} ]) def test_file_limit_no_limit(tags_to_apply, get_configuration, configure_environment, restart_syscheckd): - """ - Check that a 0 in file_limit disables the limit. - - Parameters - ---------- - tags_to_apply : set - Run test if matches with a configuration identifier, skip otherwise. - """ + ''' + description: Check if the 'wazuh-syscheckd' daemon detects that the 'file_limit' feature of FIM is disabled. + For this purpose, the test will monitor a testing directory, and finally, it will verify + that the FIM event 'no limit' is generated. + + wazuh_min_version: 4.2.0 + + parameters: + - tags_to_apply: + type: set + brief: Run test if matches with a configuration identifier, skip otherwise. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the 'ossec.log' file and start a new monitor. + + assertions: + - Verify that the FIM event 'no limit' is generated when the 'file_limit' feature is disabled. + + input_description: A test case (no_file_limit) is contained in external YAML file (wazuh_conf.yaml) + which includes configuration settings for the 'wazuh-syscheckd' daemon and, it is + combined with the testing directory to be monitored defined in this module. + + expected_output: + - r'.*No limit set to maximum number of entries to be monitored' + + tags: + - scheduled + - time_travel + ''' check_apply_test(tags_to_apply, get_configuration['tags']) wazuh_log_monitor.start(timeout=global_parameters.default_timeout, callback=callback_file_limit_zero, 
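Review bot: The new `description` drops the one concrete fact the removed docstring gave, namely that the limit is disabled by setting `file_limit` to 0 (`Check that a 0 in file_limit disables the limit.`). From `detects that the 'file_limit' feature of FIM is disabled` a reader of the generated docs cannot tell how the `no_file_limit` case disables it. Suggest `description: Check if the 'wazuh-syscheckd' daemon detects that the 'file_limit' feature of FIM is disabled when its value is set to 0.` and, for the matching entry, `- Verify that the FIM event 'no limit' is generated when the 'file_limit' value is set to 0.`. test_file_limit_no_limit's body continues past the hunk.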
diff --git a/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_values.py b/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_values.py index c3c53b5281..ce715988e7 100644 --- a/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_values.py +++ b/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_values.py 
@@ -1,7 +1,78 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts + when these files are modified. Specifically, these tests will check if the FIM event + 'maximum number of entries' has the correct value for the monitored files limit of + the 'file_limit' feature. + The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured + files for changes to the checksums, permissions, and ownership. + +tier: 1 + +modules: + - fim + +components: + - agent + - manager + +daemons: + - wazuh-syscheckd + +os_platform: + - linux + - windows + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + - Windows 10 + - Windows 8 + - Windows 7 + - Windows Server 2016 + - Windows server 2012 + - Windows server 2003 + - Windows XP + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#file-limit + - https://en.wikipedia.org/wiki/Inode + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the 'who-data' information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. 
+ 1: Only level 1 tests are performed, they check functionalities of medium complexity. + 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. + +tags: + - fim_file_limit +''' import os import sys 
@@ -62,21 +133,51 @@ def extra_configuration_before_yield(): {'file_limit_conf'} ]) def test_file_limit_values(tags_to_apply, get_configuration, configure_environment, restart_syscheckd): - """ - Check that a list of different values gets configured correctly in file_limit. - - Parameters - ---------- - tags_to_apply : set - Run test if matches with a configuration identifier, skip otherwise. - """ + ''' + description: Check if the 'wazuh-syscheckd' daemon detects that the value of the 'entries' tag, which corresponds + to the maximum number of files to monitor from the 'file_limit' feature of FIM. For this purpose, + the test will monitor a directory. Then, it will check if the FIM event 'maximum number of entries' + is generated and has the correct value. Finally, the test will verify that on the FIM event, + inodes and monitored files number match. + + wazuh_min_version: 4.2.0 + + parameters: + - tags_to_apply: + type: set + brief: Run test if matches with a configuration identifier, skip otherwise. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the 'ossec.log' file and start a new monitor. + + assertions: + - Verify that the FIM event 'maximum number of entries' has the correct value + for the monitored files limit of the 'file_limit' feature. + + input_description: A test case (file_limit_conf) is contained in external YAML file (wazuh_conf.yaml) + which includes configuration settings for the 'wazuh-syscheckd' daemon and, it is + combined with the testing directory to be monitored defined in this module. 
+ + expected_output: + - r'.*Maximum number of entries to be monitored' + + tags: + - scheduled + - time_travel + ''' check_apply_test(tags_to_apply, get_configuration['tags']) - file_limit_value = wazuh_log_monitor.start(timeout=global_parameters.default_timeout, - callback=callback_value_file_limit, - error_message='Did not receive expected ' - '"DEBUG: ...: Maximum number of entries to be monitored: ..." event' - ).result() + file_limit_value = wazuh_log_monitor.start( + timeout=global_parameters.default_timeout, + callback=callback_value_file_limit, + error_message='Did not receive expected ' + '"DEBUG: ...: Maximum number of entries to be monitored: ..." event').result() if file_limit_value: assert file_limit_value == get_configuration['metadata']['file_limit'], 'Wrong value for file_limit'
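Review bot: The first sentence of the new `description` is incomplete: `Check if the 'wazuh-syscheckd' daemon detects that the value of the 'entries' tag, which corresponds to the maximum number of files to monitor from the 'file_limit' feature of FIM.` has a subordinate clause but no main predicate saying what is detected about the value. Suggest `description: Check if the 'wazuh-syscheckd' daemon applies the value of the 'entries' tag, which sets the maximum number of files to monitor in the 'file_limit' feature of FIM.` The description also says the test verifies that inode and monitored-file counts match, but the visible part of the body only asserts `file_limit_value` against the configured `file_limit`; if that check lives past the hunk, where the function body appears to continue, the docstring is fine, otherwise that sentence belongs to another test.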