
Migrate test_fim/test_files/test_follow_symbolic_link documentation to qa-docs #1969

mdengra (Contributor) commented Oct 4, 2021

Related issue
Closes #1948

Description

As part of issue #1810 and epic #1796, this PR adds the missing documentation and migrates the current documentation to the new format used by qa-docs.
The schema used is the one defined in issue #1694.

Generated documentation

test_audit_rules_removed_after_change_link.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "The File Integrity Monitoring (FIM) system watches selected files and triggers alerts when these files are modified. Specifically, these tests will check if FIM automatically removes the 'audit' rule from the target of a monitored 'symbolic link' when the target of that link is replaced. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 1,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#whodata",
        "https://man7.org/linux/man-pages/man8/auditd.8.html"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_follow_symbolic_link",
        "audit_rules"
    ],
    "name": "test_audit_rules_removed_after_change_link.py",
    "id": 1,
    "group_id": 0,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' daemon removes the 'audit' rules when the target of a monitored symlink is changed. For this purpose, the test will monitor a 'symbolic link' pointing to a directory using the 'whodata' monitoring mode. Once FIM starts, it will create and expect events inside the pointed folder. After the events are processed, the test will change the target of the link to another folder and wait until the thread that checks the 'symbolic links' updates the link's target. Finally, it will generate some events inside the new target and verify that the audit rule of the previous target folder has been removed (via 'auditctl -l').",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "replaced_target": {
                        "type": "str",
                        "brief": "Directory where the 'symbolic link' is pointing."
                    }
                },
                {
                    "new_target": {
                        "type": "str",
                        "brief": "Directory where the 'symbolic link' will be pointed after it is updated."
                    }
                },
                {
                    "file_name": {
                        "type": "str",
                        "brief": "Name of the testing file that will be created inside the folders."
                    }
                },
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run the test if it matches a configuration identifier, skip otherwise."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that FIM events 'added' are generated when creating the testing files.",
                "Verify that FIM automatically removes the 'audit' rule from the target of a monitored 'symbolic link' when the target of that link is replaced."
            ],
            "input_description": "A test case (check_audit_removed_rules) is contained in an external YAML file (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon, and it is combined with the testing directory to be monitored, defined in the 'common.py' module.",
            "expected_output": [
                "r'.*Sending FIM event: (.+)$' ('added' events)",
                "The 'auditctl -l' command should return the path where the symbolic link finally points."
            ],
            "tags": [
                "realtime",
                "who_data"
            ],
            "name": "test_audit_rules_removed_after_change_link",
            "inputs": [
                "get_configuration0-/testdir1-/testdir_not_target-testfile_1-tags_to_apply0"
            ]
        }
    ]
}

test_audit_rules_removed_after_change_link.yaml

brief: The File Integrity Monitoring (FIM) system watches selected files and triggers
  alerts when these files are modified. Specifically, these tests will check if FIM
  automatically removes the 'audit' rule from the target of a monitored 'symbolic
  link' when the target of that link is replaced. The FIM capability is managed by
  the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums,
  permissions, and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <info@wazuh.com>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 0
id: 1
modules:
- fim
name: test_audit_rules_removed_after_change_link.py
os_platform:
- linux
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#whodata
- https://man7.org/linux/man-pages/man8/auditd.8.html
tags:
- fim_follow_symbolic_link
- audit_rules
tests:
- assertions:
  - Verify that FIM events 'added' are generated when creating the testing files.
  - Verify that FIM automatically removes the 'audit' rule from the target of a monitored
    'symbolic link' when the target of that link is replaced.
  description: Check if the 'wazuh-syscheckd' daemon removes the 'audit' rules when
    the target of a monitored symlink is changed. For this purpose, the test will
    monitor a 'symbolic link' pointing to a directory using the 'whodata' monitoring
    mode. Once FIM starts, it will create and expect events inside the pointed folder.
    After the events are processed, the test will change the target of the link to
    another folder and wait until the thread that checks the 'symbolic links' updates
    the link's target. Finally, it will generate some events inside the new target
    and verify that the audit rule of the previous target folder has been removed
    (via 'auditctl -l').
  expected_output:
  - "r'.*Sending FIM event: (.+)$' ('added' events)"
  - The 'auditctl -l' command should return the path where the symbolic link finally
    points.
  input_description: A test case (check_audit_removed_rules) is contained in an external
    YAML file (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd'
    daemon, and it is combined with the testing directory to be monitored, defined
    in the 'common.py' module.
  inputs:
  - get_configuration0-/testdir1-/testdir_not_target-testfile_1-tags_to_apply0
  name: test_audit_rules_removed_after_change_link
  parameters:
  - replaced_target:
      brief: Directory where the 'symbolic link' is pointing.
      type: str
  - new_target:
      brief: Directory where the 'symbolic link' will be pointed after it is updated.
      type: str
  - file_name:
      brief: Name of the testing file that will be created inside the folders.
      type: str
  - tags_to_apply:
      brief: Run the test if it matches a configuration identifier, skip otherwise.
      type: set
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - realtime
  - who_data
  wazuh_min_version: 4.2.0
tier: 1
type: integration


test_change_target_inside_folder.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "The File Integrity Monitoring (FIM) system watches selected files and triggers alerts when these files are modified. Specifically, these tests will verify that no FIM events are generated in the initial target of a 'symbolic link' when it has already been changed to the final target. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 1,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux",
        "macos",
        "solaris"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6",
        "macOS Catalina",
        "Solaris 10",
        "Solaris 11"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#directories"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_follow_symbolic_link"
    ],
    "name": "test_change_target_inside_folder.py",
    "id": 2,
    "group_id": 0,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' daemon stops detecting events when the target of a monitored symlink is changed to a new folder. For this purpose, the test will monitor a 'symbolic link' pointing to a file/folder. Once FIM starts, the test will change the target of the link to another file/folder inside a monitored folder. Then, it will wait until the thread that checks the 'symbolic links' updates the target of the link. Finally, it will generate some events inside the new target and check that FIM events are triggered.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run the test if it matches a configuration identifier, skip otherwise."
                    }
                },
                {
                    "previous_target": {
                        "type": "str",
                        "brief": "Directory where the 'symbolic link' is pointing."
                    }
                },
                {
                    "new_target": {
                        "type": "str",
                        "brief": "Directory where the 'symbolic link' will be pointed after it is updated."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that FIM events are generated at the initial target of the 'symbolic link'.",
                "Verify that FIM events are generated at the final target of the 'symbolic link'.",
                "Verify that no FIM events are generated in the initial target of the 'symbolic link' when it has already been changed to the final target."
            ],
            "input_description": "Two test cases (monitored_file and monitored_dir) are contained in an external YAML file (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon, and these are combined with the testing directories to be monitored, defined in the 'common.py' module.",
            "expected_output": [
                "r'.*Sending FIM event: (.+)$' ('added' and 'modified' events)"
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_symbolic_change_target_inside_folder",
            "inputs": [
                "get_configuration0-tags_to_apply0-/testdir1-/testdir2/regular1",
                "get_configuration0-tags_to_apply1-/testdir_target-/testdir2",
                "get_configuration1-tags_to_apply0-/testdir1-/testdir2/regular1",
                "get_configuration1-tags_to_apply1-/testdir_target-/testdir2",
                "get_configuration2-tags_to_apply0-/testdir1-/testdir2/regular1",
                "get_configuration2-tags_to_apply1-/testdir_target-/testdir2",
                "get_configuration3-tags_to_apply0-/testdir1-/testdir2/regular1",
                "get_configuration3-tags_to_apply1-/testdir_target-/testdir2",
                "get_configuration4-tags_to_apply0-/testdir1-/testdir2/regular1",
                "get_configuration4-tags_to_apply1-/testdir_target-/testdir2",
                "get_configuration5-tags_to_apply0-/testdir1-/testdir2/regular1",
                "get_configuration5-tags_to_apply1-/testdir_target-/testdir2"
            ]
        }
    ]
}

test_change_target_inside_folder.yaml

brief: The File Integrity Monitoring (FIM) system watches selected files and triggers
  alerts when these files are modified. Specifically, these tests will verify that
  no FIM events are generated in the initial target of a 'symbolic link' when it has
  already been changed to the final target. The FIM capability is managed by the 'wazuh-syscheckd'
  daemon, which checks configured files for changes to the checksums, permissions,
  and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <info@wazuh.com>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 0
id: 2
modules:
- fim
name: test_change_target_inside_folder.py
os_platform:
- linux
- macos
- solaris
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
- macOS Catalina
- Solaris 10
- Solaris 11
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#directories
tags:
- fim_follow_symbolic_link
tests:
- assertions:
  - Verify that FIM events are generated at the initial target of the 'symbolic link'.
  - Verify that FIM events are generated at the final target of the 'symbolic link'.
  - Verify that no FIM events are generated in the initial target of the 'symbolic
    link' when it has already been changed to the final target.
  description: Check if the 'wazuh-syscheckd' daemon stops detecting events when the
    target of a monitored symlink is changed to a new folder. For this purpose, the
    test will monitor a 'symbolic link' pointing to a file/folder. Once FIM starts,
    the test will change the target of the link to another file/folder inside a monitored
    folder. Then, it will wait until the thread that checks the 'symbolic links' updates
    the target of the link. Finally, it will generate some events inside the new target
    and check that FIM events are triggered.
  expected_output:
  - "r'.*Sending FIM event: (.+)$' ('added' and 'modified' events)"
  input_description: Two test cases (monitored_file and monitored_dir) are contained
    in an external YAML file (wazuh_conf.yaml) which includes configuration settings
    for the 'wazuh-syscheckd' daemon, and these are combined with the testing directories
    to be monitored, defined in the 'common.py' module.
  inputs:
  - get_configuration0-tags_to_apply0-/testdir1-/testdir2/regular1
  - get_configuration0-tags_to_apply1-/testdir_target-/testdir2
  - get_configuration1-tags_to_apply0-/testdir1-/testdir2/regular1
  - get_configuration1-tags_to_apply1-/testdir_target-/testdir2
  - get_configuration2-tags_to_apply0-/testdir1-/testdir2/regular1
  - get_configuration2-tags_to_apply1-/testdir_target-/testdir2
  - get_configuration3-tags_to_apply0-/testdir1-/testdir2/regular1
  - get_configuration3-tags_to_apply1-/testdir_target-/testdir2
  - get_configuration4-tags_to_apply0-/testdir1-/testdir2/regular1
  - get_configuration4-tags_to_apply1-/testdir_target-/testdir2
  - get_configuration5-tags_to_apply0-/testdir1-/testdir2/regular1
  - get_configuration5-tags_to_apply1-/testdir_target-/testdir2
  name: test_symbolic_change_target_inside_folder
  parameters:
  - tags_to_apply:
      brief: Run the test if it matches a configuration identifier, skip otherwise.
      type: set
  - previous_target:
      brief: Directory where the 'symbolic link' is pointing.
      type: str
  - new_target:
      brief: Directory where the 'symbolic link' will be pointed after it is updated.
      type: str
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
tier: 1
type: integration


test_change_target_with_nested_directory.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "The File Integrity Monitoring (FIM) system watches selected files and triggers alerts when these files are modified. Specifically, these tests will verify that no FIM events are generated in the final target of the 'symbolic link' when it has already been monitored. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 1,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux",
        "macos",
        "solaris"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6",
        "macOS Catalina",
        "Solaris 10",
        "Solaris 11"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#directories"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_follow_symbolic_link"
    ],
    "name": "test_change_target_with_nested_directory.py",
    "id": 3,
    "group_id": 0,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' daemon stops detecting events when the target of a monitored symlink is changed to a new folder. For example, having a 'symbolic link' pointing to a folder that contains another monitored directory. Changing the target should not trigger 'added' events for the monitored subdirectory on the next scan. For this purpose, the test will monitor a 'symbolic link' pointing to a directory which contains a monitored subdirectory. Once FIM starts, it will create and expect events inside the pointed folder. After the events are processed, the test will change the target of the link to another folder, and wait until the thread that checks the 'symbolic links' updates the target of the link. Finally, it will verify that no events are triggered inside the monitored subdirectory.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run the test if it matches a configuration identifier, skip otherwise."
                    }
                },
                {
                    "previous_target": {
                        "type": "str",
                        "brief": "Directory where the 'symbolic link' is pointing."
                    }
                },
                {
                    "new_target": {
                        "type": "str",
                        "brief": "Directory where the 'symbolic link' will be pointed after it is updated."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that FIM events are generated at the initial target folder of the 'symbolic link'.",
                "Verify that no FIM events are generated in the final target of the 'symbolic link' when it has already been monitored."
            ],
            "input_description": "A test case (nested_dir) is contained in an external YAML file (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon, and it is combined with the testing directories to be monitored, defined in the 'common.py' module.",
            "expected_output": [
                "r'.*Sending FIM event: (.+)$' ('added' event)"
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_symbolic_change_target_inside_folder",
            "inputs": [
                "get_configuration0-tags_to_apply0-/testdir1-/testdir2/regular1",
                "get_configuration0-tags_to_apply1-/testdir_target-/testdir2",
                "get_configuration1-tags_to_apply0-/testdir1-/testdir2/regular1",
                "get_configuration1-tags_to_apply1-/testdir_target-/testdir2",
                "get_configuration2-tags_to_apply0-/testdir1-/testdir2/regular1",
                "get_configuration2-tags_to_apply1-/testdir_target-/testdir2",
                "get_configuration3-tags_to_apply0-/testdir1-/testdir2/regular1",
                "get_configuration3-tags_to_apply1-/testdir_target-/testdir2",
                "get_configuration4-tags_to_apply0-/testdir1-/testdir2/regular1",
                "get_configuration4-tags_to_apply1-/testdir_target-/testdir2",
                "get_configuration5-tags_to_apply0-/testdir1-/testdir2/regular1",
                "get_configuration5-tags_to_apply1-/testdir_target-/testdir2",
                "get_configuration0-tags_to_apply0-/testdir1-/testdir2"
            ]
        }
    ]
}

test_change_target_with_nested_directory.yaml

brief: The File Integrity Monitoring (FIM) system watches selected files and triggers
  alerts when these files are modified. Specifically, these tests will verify that
  no FIM events are generated in the final target of the 'symbolic link' when it has
  already been monitored. The FIM capability is managed by the 'wazuh-syscheckd' daemon,
  which checks configured files for changes to the checksums, permissions, and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <info@wazuh.com>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 0
id: 3
modules:
- fim
name: test_change_target_with_nested_directory.py
os_platform:
- linux
- macos
- solaris
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
- macOS Catalina
- Solaris 10
- Solaris 11
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#directories
tags:
- fim_follow_symbolic_link
tests:
- assertions:
  - Verify that FIM events are generated at the initial target folder of the 'symbolic
    link'.
  - Verify that no FIM events are generated in the final target of the 'symbolic link'
    when it has already been monitored.
  description: Check if the 'wazuh-syscheckd' daemon stops detecting events when the
    target of a monitored symlink is changed to a new folder. For example, having
    a 'symbolic link' pointing to a folder that contains another monitored directory.
    Changing the target should not trigger 'added' events for the monitored subdirectory
    on the next scan. For this purpose, the test will monitor a 'symbolic link' pointing
    to a directory which contains a monitored subdirectory. Once FIM starts, it will
    create and expect events inside the pointed folder. After the events are processed,
    the test will change the target of the link to another folder, and wait until
    the thread that checks the 'symbolic links' updates the target of the link. Finally,
    it will verify that no events are triggered inside the monitored subdirectory.
  expected_output:
  - "r'.*Sending FIM event: (.+)$' ('added' event)"
  input_description: A test case (nested_dir) is contained in an external YAML file (wazuh_conf.yaml),
    which includes configuration settings for the 'wazuh-syscheckd' daemon, and it
    is combined with the testing directories to be monitored defined in the 'common.py'
    module.
  inputs:
  - get_configuration0-tags_to_apply0-/testdir1-/testdir2/regular1
  - get_configuration0-tags_to_apply1-/testdir_target-/testdir2
  - get_configuration1-tags_to_apply0-/testdir1-/testdir2/regular1
  - get_configuration1-tags_to_apply1-/testdir_target-/testdir2
  - get_configuration2-tags_to_apply0-/testdir1-/testdir2/regular1
  - get_configuration2-tags_to_apply1-/testdir_target-/testdir2
  - get_configuration3-tags_to_apply0-/testdir1-/testdir2/regular1
  - get_configuration3-tags_to_apply1-/testdir_target-/testdir2
  - get_configuration4-tags_to_apply0-/testdir1-/testdir2/regular1
  - get_configuration4-tags_to_apply1-/testdir_target-/testdir2
  - get_configuration5-tags_to_apply0-/testdir1-/testdir2/regular1
  - get_configuration5-tags_to_apply1-/testdir_target-/testdir2
  - get_configuration0-tags_to_apply0-/testdir1-/testdir2
  name: test_symbolic_change_target_inside_folder
  parameters:
  - tags_to_apply:
      brief: Run test if matches with a configuration identifier, skip otherwise.
      type: set
  - previous_target:
      brief: Directory where the 'symbolic link' is pointing.
      type: str
  - new_target:
      brief: Directory where the 'symbolic link' will be pointed after it is updated.
      type: str
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
tier: 1
type: integration


test_change_target.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggers alerts when these files are modified. Specifically, these tests will check if FIM updates the target of 'symbolic links' when it is changed. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 1,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux",
        "macos",
        "solaris"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6",
        "macOS Catalina",
        "Solaris 10",
        "Solaris 11"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#directories"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_follow_symbolic_link"
    ],
    "name": "test_change_target.py",
    "id": 4,
    "group_id": 0,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' daemon updates the symlink target properly. For this purpose, the test will monitor a 'symbolic link' pointing to a file/directory. Once FIM starts, it will create and expect events inside the pointed folder. Then, it will create files inside the new target, making sure that it will not generate any events. After the FIM events are processed, the test will change the target of the link to another folder and wait until the thread that checks the symbolic links updates the target. Finally, the test will check if the new file is being monitored and the old one is not.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run test if matches with a configuration identifier, skip otherwise."
                    }
                },
                {
                    "main_folder": {
                        "type": "str",
                        "brief": "Directory that is being pointed at or contains the pointed file."
                    }
                },
                {
                    "aux_folder": {
                        "type": "str",
                        "brief": "Directory that will be pointed at or will contain the future pointed file."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that FIM events are generated at the initial target of the 'symbolic link'.",
                "Verify that no FIM events are generated in the final target before changing it in the 'symbolic link'.",
                "Verify that no FIM events are generated in the initial target of the 'symbolic link' when it has already been changed to the final target."
            ],
            "input_description": "Two test cases (monitored_file and monitored_dir) are contained in an external YAML file (wazuh_conf.yaml), which includes configuration settings for the 'wazuh-syscheckd' daemon, and these are combined with the testing directories to be monitored defined in the 'common.py' module.",
            "expected_output": [
                "r'.*Sending FIM event: (.+)$' ('added' and 'modified' events)"
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_symbolic_change_target",
            "inputs": [
                "get_configuration0-tags_to_apply0-/testdir1-/testdir_not_target",
                "get_configuration0-tags_to_apply1-/testdir_target-/testdir_not_target",
                "get_configuration1-tags_to_apply0-/testdir1-/testdir_not_target",
                "get_configuration1-tags_to_apply1-/testdir_target-/testdir_not_target",
                "get_configuration2-tags_to_apply0-/testdir1-/testdir_not_target",
                "get_configuration2-tags_to_apply1-/testdir_target-/testdir_not_target",
                "get_configuration3-tags_to_apply0-/testdir1-/testdir_not_target",
                "get_configuration3-tags_to_apply1-/testdir_target-/testdir_not_target",
                "get_configuration4-tags_to_apply0-/testdir1-/testdir_not_target",
                "get_configuration4-tags_to_apply1-/testdir_target-/testdir_not_target",
                "get_configuration5-tags_to_apply0-/testdir1-/testdir_not_target",
                "get_configuration5-tags_to_apply1-/testdir_target-/testdir_not_target"
            ]
        }
    ]
}

test_change_target.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggers
  alerts when these files are modified. Specifically, these tests will check if FIM
  updates the target of 'symbolic links' when it is changed. The FIM capability is
  managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes
  to the checksums, permissions, and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <info@wazuh.com>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 0
id: 4
modules:
- fim
name: test_change_target.py
os_platform:
- linux
- macos
- solaris
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
- macOS Catalina
- Solaris 10
- Solaris 11
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#directories
tags:
- fim_follow_symbolic_link
tests:
- assertions:
  - Verify that FIM events are generated at the initial target of the 'symbolic link'.
  - Verify that no FIM events are generated in the final target before changing it
    in the 'symbolic link'.
  - Verify that no FIM events are generated in the initial target of the 'symbolic
    link' when it has already been changed to the final target.
  description: Check if the 'wazuh-syscheckd' daemon updates the symlink target properly.
    For this purpose, the test will monitor a 'symbolic link' pointing to a file/directory.
    Once FIM starts, it will create and expect events inside the pointed folder. Then,
    it will create files inside the new target, making sure that it will not generate
    any events. After the FIM events are processed, the test will change the target
    of the link to another folder and wait until the thread that checks the symbolic
    links updates the target. Finally, the test will check if the new file is being
    monitored and the old one is not.
  expected_output:
  - "r'.*Sending FIM event: (.+)$' ('added' and 'modified' events)"
  input_description: Two test cases (monitored_file and monitored_dir) are contained
    in an external YAML file (wazuh_conf.yaml), which includes configuration settings
    for the 'wazuh-syscheckd' daemon, and these are combined with the testing directories
    to be monitored defined in the 'common.py' module.
  inputs:
  - get_configuration0-tags_to_apply0-/testdir1-/testdir_not_target
  - get_configuration0-tags_to_apply1-/testdir_target-/testdir_not_target
  - get_configuration1-tags_to_apply0-/testdir1-/testdir_not_target
  - get_configuration1-tags_to_apply1-/testdir_target-/testdir_not_target
  - get_configuration2-tags_to_apply0-/testdir1-/testdir_not_target
  - get_configuration2-tags_to_apply1-/testdir_target-/testdir_not_target
  - get_configuration3-tags_to_apply0-/testdir1-/testdir_not_target
  - get_configuration3-tags_to_apply1-/testdir_target-/testdir_not_target
  - get_configuration4-tags_to_apply0-/testdir1-/testdir_not_target
  - get_configuration4-tags_to_apply1-/testdir_target-/testdir_not_target
  - get_configuration5-tags_to_apply0-/testdir1-/testdir_not_target
  - get_configuration5-tags_to_apply1-/testdir_target-/testdir_not_target
  name: test_symbolic_change_target
  parameters:
  - tags_to_apply:
      brief: Run test if matches with a configuration identifier, skip otherwise.
      type: set
  - main_folder:
      brief: Directory that is being pointed at or contains the pointed file.
      type: str
  - aux_folder:
      brief: Directory that will be pointed at or will contain the future pointed
        file.
      type: str
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
tier: 1
type: integration


test_delete_symlink.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggers alerts when these files are modified. Specifically, these tests will check if FIM stops detecting events when deleting the monitored 'symbolic link'. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 1,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux",
        "macos",
        "solaris"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6",
        "macOS Catalina",
        "Solaris 10",
        "Solaris 11"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#directories"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_follow_symbolic_link"
    ],
    "name": "test_delete_symlink.py",
    "id": 5,
    "group_id": 0,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' daemon stops detecting events when deleting the monitored symlink. For this purpose, the test will monitor a 'symbolic link' pointing to a file/directory, and once FIM starts, it will create and expect events inside the pointed folder. After these events are processed, the test will remove the 'symbolic link' and wait until the links are reloaded. Then, it will create files inside the target that the link was pointing to and check that no events are triggered. Finally, the test will restore the link, generate events inside the target folder and verify that the FIM events have been generated.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run test if matches with a configuration identifier, skip otherwise."
                    }
                },
                {
                    "main_folder": {
                        "type": "str",
                        "brief": "Directory that is being pointed at or contains the pointed file."
                    }
                },
                {
                    "aux_folder": {
                        "type": "str",
                        "brief": "Directory that will be pointed at or will contain the future pointed file."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that FIM events are generated at the target of the 'symbolic link'.",
                "Verify that no FIM events are generated in the target when the 'symbolic link' is deleted.",
                "Verify that FIM events are generated at the target of the 'symbolic link' when it is restored."
            ],
            "input_description": "Two test cases (monitored_file and monitored_dir) are contained in an external YAML file (wazuh_conf.yaml), which includes configuration settings for the 'wazuh-syscheckd' daemon, and these are combined with the testing directories to be monitored defined in the 'common.py' module.",
            "expected_output": [
                "r'.*Sending FIM event: (.+)$' ('added' and 'modified' events)"
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_symbolic_delete_symlink",
            "inputs": [
                "get_configuration0-tags_to_apply0-/testdir1-/testdir_not_target",
                "get_configuration0-tags_to_apply1-/testdir_target-/testdir_not_target",
                "get_configuration1-tags_to_apply0-/testdir1-/testdir_not_target",
                "get_configuration1-tags_to_apply1-/testdir_target-/testdir_not_target",
                "get_configuration2-tags_to_apply0-/testdir1-/testdir_not_target",
                "get_configuration2-tags_to_apply1-/testdir_target-/testdir_not_target",
                "get_configuration3-tags_to_apply0-/testdir1-/testdir_not_target",
                "get_configuration3-tags_to_apply1-/testdir_target-/testdir_not_target",
                "get_configuration4-tags_to_apply0-/testdir1-/testdir_not_target",
                "get_configuration4-tags_to_apply1-/testdir_target-/testdir_not_target",
                "get_configuration5-tags_to_apply0-/testdir1-/testdir_not_target",
                "get_configuration5-tags_to_apply1-/testdir_target-/testdir_not_target"
            ]
        }
    ]
}

test_delete_symlink.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggers
  alerts when these files are modified. Specifically, these tests will check if FIM
  stops detecting events when deleting the monitored 'symbolic link'. The FIM capability
  is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes
  to the checksums, permissions, and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <info@wazuh.com>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 0
id: 5
modules:
- fim
name: test_delete_symlink.py
os_platform:
- linux
- macos
- solaris
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
- macOS Catalina
- Solaris 10
- Solaris 11
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#directories
tags:
- fim_follow_symbolic_link
tests:
- assertions:
  - Verify that FIM events are generated at the target of the 'symbolic link'.
  - Verify that no FIM events are generated in the target when the 'symbolic link'
    is deleted.
  - Verify that FIM events are generated at the target of the 'symbolic link' when
    it is restored.
  description: Check if the 'wazuh-syscheckd' daemon stops detecting events when deleting
    the monitored symlink. For this purpose, the test will monitor a 'symbolic link'
    pointing to a file/directory, and once FIM starts, it will create and expect events
    inside the pointed folder. After these events are processed, the test will remove
    the 'symbolic link' and wait until the links are reloaded. Then, it will create
    files inside the target that the link was pointing to and check that no events
    are triggered. Finally, the test will restore the link, generate events inside
    the target folder and verify that the FIM events have been generated.
  expected_output:
  - "r'.*Sending FIM event: (.+)$' ('added' and 'modified' events)"
  input_description: Two test cases (monitored_file and monitored_dir) are contained
    in an external YAML file (wazuh_conf.yaml), which includes configuration settings
    for the 'wazuh-syscheckd' daemon, and these are combined with the testing directories
    to be monitored defined in the 'common.py' module.
  inputs:
  - get_configuration0-tags_to_apply0-/testdir1-/testdir_not_target
  - get_configuration0-tags_to_apply1-/testdir_target-/testdir_not_target
  - get_configuration1-tags_to_apply0-/testdir1-/testdir_not_target
  - get_configuration1-tags_to_apply1-/testdir_target-/testdir_not_target
  - get_configuration2-tags_to_apply0-/testdir1-/testdir_not_target
  - get_configuration2-tags_to_apply1-/testdir_target-/testdir_not_target
  - get_configuration3-tags_to_apply0-/testdir1-/testdir_not_target
  - get_configuration3-tags_to_apply1-/testdir_target-/testdir_not_target
  - get_configuration4-tags_to_apply0-/testdir1-/testdir_not_target
  - get_configuration4-tags_to_apply1-/testdir_target-/testdir_not_target
  - get_configuration5-tags_to_apply0-/testdir1-/testdir_not_target
  - get_configuration5-tags_to_apply1-/testdir_target-/testdir_not_target
  name: test_symbolic_delete_symlink
  parameters:
  - tags_to_apply:
      brief: Run test if matches with a configuration identifier, skip otherwise.
      type: set
  - main_folder:
      brief: Directory that is being pointed at or contains the pointed file.
      type: str
  - aux_folder:
      brief: Directory that will be pointed at or will contain the future pointed
        file.
      type: str
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
tier: 1
type: integration


test_delete_target.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggers alerts when these files are modified. Specifically, these tests will check if FIM stops detecting events when deleting the target of a monitored 'symbolic link'. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 1,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux",
        "macos",
        "solaris"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6",
        "macOS Catalina",
        "Solaris 10",
        "Solaris 11"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#directories"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_follow_symbolic_link"
    ],
    "name": "test_delete_target.py",
    "id": 6,
    "group_id": 0,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' daemon detects events properly when the target of a symlink is deleted, the link is updated, and the target is recreated. For this purpose, the test will monitor a 'symbolic link' pointing to a file/directory, and once FIM starts, it will create and expect events inside the pointed folder. After the events are processed, the test will remove the link target and wait until the links are reloaded. Then, the test will create the file/directory again, generate events inside the target that the link was pointing to, and check that no FIM events are triggered. Finally, the test will wait until the links are reloaded, generate events, and check the FIM events with the updated link.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run test if matches with a configuration identifier, skip otherwise."
                    }
                },
                {
                    "main_folder": {
                        "type": "str",
                        "brief": "Directory that is being pointed at or contains the pointed file."
                    }
                },
                {
                    "aux_folder": {
                        "type": "str",
                        "brief": "Directory that will be pointed at or will contain the future pointed file."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that the FIM 'deleted' event is generated when deleting the target of the 'symbolic link'.",
                "Verify that no FIM events are generated when the destination folder is restored, and the link information has not been updated yet.",
                "Verify that the FIM 'modified' event is generated when the link information has been updated."
            ],
            "input_description": "Two test cases (monitored_file and monitored_dir) are contained in an external YAML file (wazuh_conf.yaml), which includes configuration settings for the 'wazuh-syscheckd' daemon, and these are combined with the testing directories to be monitored defined in the 'common.py' module.",
            "expected_output": [
                {
                    "r'.*Sending FIM event": "(.+)$' ('modified' and 'deleted' events)"
                }
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_symbolic_delete_target",
            "inputs": [
                "get_configuration0-tags_to_apply0-/testdir1-/testdir_not_target",
                "get_configuration0-tags_to_apply1-/testdir_target-/testdir_not_target",
                "get_configuration1-tags_to_apply0-/testdir1-/testdir_not_target",
                "get_configuration1-tags_to_apply1-/testdir_target-/testdir_not_target",
                "get_configuration2-tags_to_apply0-/testdir1-/testdir_not_target",
                "get_configuration2-tags_to_apply1-/testdir_target-/testdir_not_target",
                "get_configuration3-tags_to_apply0-/testdir1-/testdir_not_target",
                "get_configuration3-tags_to_apply1-/testdir_target-/testdir_not_target",
                "get_configuration4-tags_to_apply0-/testdir1-/testdir_not_target",
                "get_configuration4-tags_to_apply1-/testdir_target-/testdir_not_target",
                "get_configuration5-tags_to_apply0-/testdir1-/testdir_not_target",
                "get_configuration5-tags_to_apply1-/testdir_target-/testdir_not_target"
            ]
        }
    ]
}

test_delete_target.yaml

brief: The File Integrity Monitoring (FIM) system watches selected files and triggers
  alerts when these files are modified. Specifically, these tests will check if FIM
  stops detecting events when deleting the target of a monitored 'symbolic link'.
  The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured
  files for changes to the checksums, permissions, and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <info@wazuh.com>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 0
id: 6
modules:
- fim
name: test_delete_target.py
os_platform:
- linux
- macos
- solaris
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
- macOS Catalina
- Solaris 10
- Solaris 11
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#directories
tags:
- fim_follow_symbolic_link
tests:
- assertions:
  - Verify that the FIM 'deleted' event is generated when deleting the target of the
    'symbolic link'.
  - Verify that no FIM events are generated when the destination folder is restored,
    and the link information has not been updated yet.
  - Verify that the FIM 'modified' event is generated when the link information has
    been updated.
  description: Check if the 'wazuh-syscheckd' daemon detects events properly when
    the target of a symlink is deleted, the link is updated, and the target is recreated.
    For this purpose, the test will monitor a 'symbolic link' pointing to a
    file/directory, and once FIM starts, it will create and expect events inside the
    pointed folder. After the events are processed, the test will remove the link
    target and wait until the links are reloaded. Then, the test will create the file/directory
    again, generate events inside the target that the link was pointing to, and check
    that no FIM events are triggered. Finally, the test will wait until the links
    are reloaded, generate, and check the FIM events with the updated link.
  expected_output:
  - r'.*Sending FIM event: (.+)$' ('modified' and 'deleted' events)
  input_description: Two test cases (monitored_file and monitored_dir) are contained
    in an external YAML file (wazuh_conf.yaml), which includes configuration settings
    for the 'wazuh-syscheckd' daemon, and these are combined with the testing directories
    to be monitored defined in the 'common.py' module.
  inputs:
  - get_configuration0-tags_to_apply0-/testdir1-/testdir_not_target
  - get_configuration0-tags_to_apply1-/testdir_target-/testdir_not_target
  - get_configuration1-tags_to_apply0-/testdir1-/testdir_not_target
  - get_configuration1-tags_to_apply1-/testdir_target-/testdir_not_target
  - get_configuration2-tags_to_apply0-/testdir1-/testdir_not_target
  - get_configuration2-tags_to_apply1-/testdir_target-/testdir_not_target
  - get_configuration3-tags_to_apply0-/testdir1-/testdir_not_target
  - get_configuration3-tags_to_apply1-/testdir_target-/testdir_not_target
  - get_configuration4-tags_to_apply0-/testdir1-/testdir_not_target
  - get_configuration4-tags_to_apply1-/testdir_target-/testdir_not_target
  - get_configuration5-tags_to_apply0-/testdir1-/testdir_not_target
  - get_configuration5-tags_to_apply1-/testdir_target-/testdir_not_target
  name: test_symbolic_delete_target
  parameters:
  - tags_to_apply:
      brief: Run the test if it matches a configuration identifier, skip otherwise.
      type: set
  - main_folder:
      brief: Directory that is being pointed at or contains the pointed file.
      type: str
  - aux_folder:
      brief: Directory that will be pointed at or will contain the future pointed
        file.
      type: str
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
tier: 1
type: integration


test_follow_symbolic_disabled.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "The File Integrity Monitoring (FIM) system watches selected files and triggers alerts when these files are modified. Specifically, these tests will check if FIM stops monitoring the target of a 'symbolic_link' when the attribute 'follow_symbolic_link' is disabled. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 1,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux",
        "macos",
        "solaris"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6",
        "macOS Catalina",
        "Solaris 10",
        "Solaris 11"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#directories"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_follow_symbolic_link"
    ],
    "name": "test_follow_symbolic_disabled.py",
    "id": 7,
    "group_id": 0,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' daemon considers a 'symbolic link' to be a regular file when the attribute 'follow_symbolic_link' is set to 'no'. For this purpose, the test will monitor a 'symbolic link' pointing to a file/directory. Once FIM starts, it will create and not expect events inside the pointed folder. Then, the test will modify the link target and check that no events are triggered. Finally, it will remove the link target and verify that no FIM events have been generated.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "path": {
                        "type": "str",
                        "brief": "Path to the target file or directory."
                    }
                },
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run the test if it matches a configuration identifier, skip otherwise."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that no FIM events are generated when performing file operations on a 'symbolic link' target."
            ],
            "input_description": "Two test cases (monitored_file and monitored_dir) are contained in an external YAML file (wazuh_conf.yaml), which includes configuration settings for the 'wazuh-syscheckd' daemon, and these are combined with the testing directories to be monitored defined in the 'common.py' module.",
            "expected_output": [
                {
                    "r'.*Sending FIM event": "(.+)$' ('added', 'modified' and 'deleted' events)"
                }
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_follow_symbolic_disabled",
            "inputs": [
                "get_configuration0-tags_to_apply0-/testdir1",
                "get_configuration0-tags_to_apply1-/testdir_target",
                "get_configuration1-tags_to_apply0-/testdir1",
                "get_configuration1-tags_to_apply1-/testdir_target",
                "get_configuration2-tags_to_apply0-/testdir1",
                "get_configuration2-tags_to_apply1-/testdir_target",
                "get_configuration3-tags_to_apply0-/testdir1",
                "get_configuration3-tags_to_apply1-/testdir_target",
                "get_configuration4-tags_to_apply0-/testdir1",
                "get_configuration4-tags_to_apply1-/testdir_target",
                "get_configuration5-tags_to_apply0-/testdir1",
                "get_configuration5-tags_to_apply1-/testdir_target"
            ]
        }
    ]
}

test_follow_symbolic_disabled.yaml

brief: The File Integrity Monitoring (FIM) system watches selected files and triggers
  alerts when these files are modified. Specifically, these tests will check if FIM
  stops monitoring the target of a 'symbolic_link' when the attribute 'follow_symbolic_link'
  is disabled. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which
  checks configured files for changes to the checksums, permissions, and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <info@wazuh.com>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 0
id: 7
modules:
- fim
name: test_follow_symbolic_disabled.py
os_platform:
- linux
- macos
- solaris
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
- macOS Catalina
- Solaris 10
- Solaris 11
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#directories
tags:
- fim_follow_symbolic_link
tests:
- assertions:
  - Verify that no FIM events are generated when performing file operations on a 'symbolic
    link' target.
  description: Check if the 'wazuh-syscheckd' daemon considers a 'symbolic link' to
    be a regular file when the attribute 'follow_symbolic_link' is set to 'no'. For
    this purpose, the test will monitor a 'symbolic link' pointing to a file/directory.
    Once FIM starts, it will create and not expect events inside the pointed folder.
    Then, the test will modify the link target and check that no events are triggered.
    Finally, it will remove the link target and verify that no FIM events have been
    generated.
  expected_output:
  - r'.*Sending FIM event: (.+)$' ('added', 'modified' and 'deleted' events)
  input_description: Two test cases (monitored_file and monitored_dir) are contained
    in an external YAML file (wazuh_conf.yaml), which includes configuration settings
    for the 'wazuh-syscheckd' daemon, and these are combined with the testing directories
    to be monitored defined in the 'common.py' module.
  inputs:
  - get_configuration0-tags_to_apply0-/testdir1
  - get_configuration0-tags_to_apply1-/testdir_target
  - get_configuration1-tags_to_apply0-/testdir1
  - get_configuration1-tags_to_apply1-/testdir_target
  - get_configuration2-tags_to_apply0-/testdir1
  - get_configuration2-tags_to_apply1-/testdir_target
  - get_configuration3-tags_to_apply0-/testdir1
  - get_configuration3-tags_to_apply1-/testdir_target
  - get_configuration4-tags_to_apply0-/testdir1
  - get_configuration4-tags_to_apply1-/testdir_target
  - get_configuration5-tags_to_apply0-/testdir1
  - get_configuration5-tags_to_apply1-/testdir_target
  name: test_follow_symbolic_disabled
  parameters:
  - path:
      brief: Path to the target file or directory.
      type: str
  - tags_to_apply:
      brief: Run the test if it matches a configuration identifier, skip otherwise.
      type: set
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
tier: 1
type: integration


test_monitor_symlink.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "The File Integrity Monitoring (FIM) system watches selected files and triggers alerts when these files are modified. Specifically, these tests will check if FIM generates events when monitoring a 'symbolic link' that points to a file or a directory. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 1,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux",
        "macos",
        "solaris"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6",
        "macOS Catalina",
        "Solaris 10",
        "Solaris 11"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#directories"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_follow_symbolic_link"
    ],
    "name": "test_monitor_symlink.py",
    "id": 8,
    "group_id": 0,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' daemon detects events when monitoring a symlink that points to a file or a directory. For this purpose, the test will monitor a 'symbolic link' pointing to a file/directory. Once FIM starts, if the link points to a folder, the test creates a file and checks if the expected FIM 'added' event is raised. Then, it will modify the link target and expect the 'modified' event. Finally, the test will remove the link target and verify that the FIM 'delete' event is generated.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run the test if it matches a configuration identifier, skip otherwise."
                    }
                },
                {
                    "main_folder": {
                        "type": "str",
                        "brief": "Directory that is being pointed at or contains the pointed file."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that FIM events are generated when performing file operations on a 'symbolic link' target."
            ],
            "input_description": "Two test cases (monitored_file and monitored_dir) are contained in an external YAML file (wazuh_conf.yaml), which includes configuration settings for the 'wazuh-syscheckd' daemon, and these are combined with the testing directories to be monitored defined in the 'common.py' module.",
            "expected_output": [
                {
                    "r'.*Sending FIM event": "(.+)$' ('added', 'modified' and 'deleted' events)"
                }
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_symbolic_monitor_symlink",
            "inputs": [
                "get_configuration0-tags_to_apply0-/testdir1",
                "get_configuration0-tags_to_apply1-/testdir_target",
                "get_configuration1-tags_to_apply0-/testdir1",
                "get_configuration1-tags_to_apply1-/testdir_target",
                "get_configuration2-tags_to_apply0-/testdir1",
                "get_configuration2-tags_to_apply1-/testdir_target",
                "get_configuration3-tags_to_apply0-/testdir1",
                "get_configuration3-tags_to_apply1-/testdir_target",
                "get_configuration4-tags_to_apply0-/testdir1",
                "get_configuration4-tags_to_apply1-/testdir_target",
                "get_configuration5-tags_to_apply0-/testdir1",
                "get_configuration5-tags_to_apply1-/testdir_target"
            ]
        }
    ]
}

test_monitor_symlink.yaml

brief: The File Integrity Monitoring (FIM) system watches selected files and triggers
  alerts when these files are modified. Specifically, these tests will check if FIM
  generates events when monitoring a 'symbolic link' that points to a file or a directory.
  The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured
  files for changes to the checksums, permissions, and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <info@wazuh.com>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 0
id: 8
modules:
- fim
name: test_monitor_symlink.py
os_platform:
- linux
- macos
- solaris
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
- macOS Catalina
- Solaris 10
- Solaris 11
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#directories
tags:
- fim_follow_symbolic_link
tests:
- assertions:
  - Verify that FIM events are generated when performing file operations on a 'symbolic
    link' target.
  description: Check if the 'wazuh-syscheckd' daemon detects events when monitoring
    a symlink that points to a file or a directory. For this purpose, the test will
    monitor a 'symbolic link' pointing to a file/directory. Once FIM starts, if the
    link points to a folder, the test creates a file and checks if the expected FIM
    'added' event is raised. Then, it will modify the link target and expect the
    'modified' event. Finally, the test will remove the link target and verify that
    the FIM 'delete' event is generated.
  expected_output:
  - r'.*Sending FIM event: (.+)$' ('added', 'modified' and 'deleted' events)
  input_description: Two test cases (monitored_file and monitored_dir) are contained
    in an external YAML file (wazuh_conf.yaml), which includes configuration settings
    for the 'wazuh-syscheckd' daemon, and these are combined with the testing directories
    to be monitored defined in the 'common.py' module.
  inputs:
  - get_configuration0-tags_to_apply0-/testdir1
  - get_configuration0-tags_to_apply1-/testdir_target
  - get_configuration1-tags_to_apply0-/testdir1
  - get_configuration1-tags_to_apply1-/testdir_target
  - get_configuration2-tags_to_apply0-/testdir1
  - get_configuration2-tags_to_apply1-/testdir_target
  - get_configuration3-tags_to_apply0-/testdir1
  - get_configuration3-tags_to_apply1-/testdir_target
  - get_configuration4-tags_to_apply0-/testdir1
  - get_configuration4-tags_to_apply1-/testdir_target
  - get_configuration5-tags_to_apply0-/testdir1
  - get_configuration5-tags_to_apply1-/testdir_target
  name: test_symbolic_monitor_symlink
  parameters:
  - tags_to_apply:
      brief: Run the test if it matches a configuration identifier, skip otherwise.
      type: set
  - main_folder:
      brief: Directory that is being pointed at or contains the pointed file.
      type: str
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
tier: 1
type: integration


test_not_following_symbolic_link.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "The File Integrity Monitoring (FIM) system watches selected files and triggers alerts when these files are modified. Specifically, these tests will check if FIM stops monitoring the target of a 'symbolic_link' found in the monitored directory when the attribute 'follow_symbolic_link' is disabled. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 1,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux",
        "macos",
        "solaris"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6",
        "macOS Catalina",
        "Solaris 10",
        "Solaris 11"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#directories"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_follow_symbolic_link"
    ],
    "name": "test_not_following_symbolic_link.py",
    "id": 9,
    "group_id": 0,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' daemon detects events when monitoring a directory with a symlink and not the symlink itself. For this purpose, the test will create some files in a non-monitored folder and will not expect any events. Then, it will create a 'symbolic link' inside the monitored folder pointing to the non-monitored folder. The test will expect a FIM 'added' event with the path of the 'symbolic link', as it is within a monitored directory. It will create some events in the link target and will not expect any events. Finally, the test will change the link target, and it will expect a FIM 'modified' event.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "monitored_dir": {
                        "type": "str",
                        "brief": "Directory that is being monitored."
                    }
                },
                {
                    "non_monitored_dir1": {
                        "type": "str",
                        "brief": "Directory that is being monitored."
                    }
                },
                {
                    "non_monitored_dir2": {
                        "type": "str",
                        "brief": "Directory that is being monitored."
                    }
                },
                {
                    "sym_target": {
                        "type": "str",
                        "brief": "Path to the target of the 'symbolic link'."
                    }
                },
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run test if matches with a configuration identifier, skip otherwise."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that no FIM events are generated when performing file operations on a 'symbolic link' target in a monitored directory.",
                "Verify that FIM events are generated when adding or modifying the 'symbolic link' itself."
            ],
            "input_description": "A test case (non_monitored_dir) is contained in external YAML file (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon, and these are combined with the testing directories to be monitored defined in the module.",
            "expected_output": [
                {
                    "r'.*Sending FIM event": "(.+)$' ('added' and 'modified' events)"
                }
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_symbolic_monitor_directory_with_symlink",
            "inputs": [
                "get_configuration0-/testdir_link-/testdir1-/testdir2-file-tags_to_apply0",
                "get_configuration0-/testdir_link-/testdir1-/testdir2-folder-tags_to_apply1",
                "get_configuration1-/testdir_link-/testdir1-/testdir2-file-tags_to_apply0",
                "get_configuration1-/testdir_link-/testdir1-/testdir2-folder-tags_to_apply1",
                "get_configuration2-/testdir_link-/testdir1-/testdir2-file-tags_to_apply0",
                "get_configuration2-/testdir_link-/testdir1-/testdir2-folder-tags_to_apply1"
            ]
        }
    ]
}

test_not_following_symbolic_link.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggering
  alerts when these files are modified. Specifically, these tests will check if FIM
  stops monitoring the target of a 'symbolic_link' found in the monitored directory
  when the attribute 'follow_symbolic_link' is disabled. The FIM capability is managed
  by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the
  checksums, permissions, and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <info@wazuh.com>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 0
id: 9
modules:
- fim
name: test_not_following_symbolic_link.py
os_platform:
- linux
- macos
- solaris
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
- macOS Catalina
- Solaris 10
- Solaris 11
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#directories
tags:
- fim_follow_symbolic_link
tests:
- assertions:
  - Verify that no FIM events are generated when performing file operations on a 'symbolic
    link' target in a monitored directory.
  - Verify that FIM events are generated when adding or modifying the 'symbolic link'
    itself.
  description: Check if the 'wazuh-syscheckd' daemon detects events when monitoring
    a directory with a symlink and not the symlink itself. For this purpose, the test
    will create some files in a non-monitored folder and will not expect any events.
    Then, it will create a 'symbolic link' inside the monitored folder pointing to
    the non-monitored folder. The test will expect an FIM 'added' event with the path
    of the 'symbolic link', as it is within a monitored directory. It will create
    some events in the link target and will not expect any events. Finally, the test
    will change the link target, and it will expect an FIM 'modified' event.
  expected_output:
  - r'.*Sending FIM event: (.+)$' ('added' and 'modified' events)
  input_description: A test case (non_monitored_dir) is contained in external YAML
    file (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd'
    daemon, and these are combined with the testing directories to be monitored defined
    in the module.
  inputs:
  - get_configuration0-/testdir_link-/testdir1-/testdir2-file-tags_to_apply0
  - get_configuration0-/testdir_link-/testdir1-/testdir2-folder-tags_to_apply1
  - get_configuration1-/testdir_link-/testdir1-/testdir2-file-tags_to_apply0
  - get_configuration1-/testdir_link-/testdir1-/testdir2-folder-tags_to_apply1
  - get_configuration2-/testdir_link-/testdir1-/testdir2-file-tags_to_apply0
  - get_configuration2-/testdir_link-/testdir1-/testdir2-folder-tags_to_apply1
  name: test_symbolic_monitor_directory_with_symlink
  parameters:
  - monitored_dir:
      brief: Directory that is being monitored.
      type: str
  - non_monitored_dir1:
      brief: Directory that is being monitored.
      type: str
  - non_monitored_dir2:
      brief: Directory that is being monitored.
      type: str
  - sym_target:
      brief: Path to the target of the 'symbolic link'.
      type: str
  - tags_to_apply:
      brief: Run test if matches with a configuration identifier, skip otherwise.
      type: set
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
tier: 1
type: integration


test_revert_symlink.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are modified. Specifically, these tests will check if FIM monitors the target of a 'symbolic link' when it is changed and when that change is reverted. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 1,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux",
        "macos",
        "solaris"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6",
        "macOS Catalina",
        "Solaris 10",
        "Solaris 11"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#directories"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_follow_symbolic_link"
    ],
    "name": "test_revert_symlink.py",
    "id": 10,
    "group_id": 0,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' daemon detects new targets when monitoring a directory with a symlink and its target is changed. For this purpose, the test will create a 'symbolic link' to a file/directory. Then, it will change the target to a directory and create some files inside, expecting all the FIM events. After the events are processed, the test will change the link to its previous target, and finally, it will make file operations and expect FIM events.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run test if matches with a configuration identifier, skip otherwise."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that FIM events are generated when a monitored 'symbolic link' target is changed to a new directory.",
                "Verify that FIM events are generated when a monitored 'symbolic link' target is reverted to the previous directory."
            ],
            "input_description": "A test case (monitored_file) is contained in external YAML file (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon, and these are combined with the testing directories to be monitored defined in the common.py module.",
            "expected_output": [
                {
                    "r'.*Sending FIM event": "(.+)$' ('added' and 'modified' events)"
                }
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_symbolic_revert_symlink",
            "inputs": [
                "get_configuration0-tags_to_apply0",
                "get_configuration1-tags_to_apply0",
                "get_configuration2-tags_to_apply0"
            ]
        }
    ]
}

test_revert_symlink.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggering
  alerts when these files are modified. Specifically, these tests will check if FIM
  monitors the target of a 'symbolic link' when it is changed and when that change
  is reverted. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which
  checks configured files for changes to the checksums, permissions, and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <info@wazuh.com>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 0
id: 10
modules:
- fim
name: test_revert_symlink.py
os_platform:
- linux
- macos
- solaris
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
- macOS Catalina
- Solaris 10
- Solaris 11
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#directories
tags:
- fim_follow_symbolic_link
tests:
- assertions:
  - Verify that FIM events are generated when a monitored 'symbolic link' target is
    changed to a new directory.
  - Verify that FIM events are generated when a monitored 'symbolic link' target is
    reverted to the previous directory.
  description: Check if the 'wazuh-syscheckd' daemon detects new targets when monitoring
    a directory with a symlink and its target is changed. For this purpose, the test
    will create a 'symbolic link' to a file/directory. Then, it will change the target
    to a directory and create some files inside, expecting all the FIM events. After
    the events are processed, the test will change the link to its previous target,
    and finally, it will make file operations and expect FIM events.
  expected_output:
  - r'.*Sending FIM event: (.+)$' ('added' and 'modified' events)
  input_description: A test case (monitored_file) is contained in external YAML file
    (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd'
    daemon, and these are combined with the testing directories to be monitored defined
    in the common.py module.
  inputs:
  - get_configuration0-tags_to_apply0
  - get_configuration1-tags_to_apply0
  - get_configuration2-tags_to_apply0
  name: test_symbolic_revert_symlink
  parameters:
  - tags_to_apply:
      brief: Run test if matches with a configuration identifier, skip otherwise.
      type: set
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
tier: 1
type: integration


test_symlink_and_dir.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are modified. Specifically, these tests will verify that FIM does not trigger events for existing files when a 'symbolic link' is changed to a non-empty directory. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 1,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux",
        "macos",
        "solaris"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6",
        "macOS Catalina",
        "Solaris 10",
        "Solaris 11"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#directories"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_follow_symbolic_link"
    ],
    "name": "test_symlink_and_dir.py",
    "id": 11,
    "group_id": 0,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' daemon detects events from existing files in a new target of a monitored symlink. For this purpose, the test will create a 'symbolic link' to a file/directory. Then, it will change the target to a non-empty directory, checking that no FIM events are triggered for the files already in the directory. Finally, the test will make file operations and verify that FIM events are generated.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run test if matches with a configuration identifier, skip otherwise."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that no FIM events are generated for existing files when a 'symbolic link' is changed to a non-empty directory."
            ],
            "input_description": "A test case (symlink_and_dir) is contained in external YAML file (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon, and these are combined with the testing directories to be monitored defined in the module.",
            "expected_output": [
                {
                    "r'.*Sending FIM event": "(.+)$' ('added' events)"
                }
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_symlink_dir_inside_monitored_dir",
            "inputs": [
                "get_configuration0-tags_to_apply0",
                "get_configuration1-tags_to_apply0",
                "get_configuration2-tags_to_apply0"
            ]
        }
    ]
}

test_symlink_and_dir.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggering
  alerts when these files are modified. Specifically, these tests will verify that
  FIM does not trigger events for existing files when a 'symbolic link' is changed
  to a non-empty directory. The FIM capability is managed by the 'wazuh-syscheckd'
  daemon, which checks configured files for changes to the checksums, permissions,
  and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <info@wazuh.com>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 0
id: 11
modules:
- fim
name: test_symlink_and_dir.py
os_platform:
- linux
- macos
- solaris
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
- macOS Catalina
- Solaris 10
- Solaris 11
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#directories
tags:
- fim_follow_symbolic_link
tests:
- assertions:
  - Verify that no FIM events are generated for existing files when a 'symbolic link'
    is changed to a non-empty directory.
  description: Check if the 'wazuh-syscheckd' daemon detects events from existing
    files in a new target of a monitored symlink. For this purpose, the test will
    create a 'symbolic link' to a file/directory. Then, it will change the target
    to a non-empty directory, checking that no FIM events are triggered for the files
    already in the directory. Finally, the test will make file operations and verify
    that FIM events are generated.
  expected_output:
  - r'.*Sending FIM event: (.+)$' ('added' events)
  input_description: A test case (symlink_and_dir) is contained in external YAML file
    (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd'
    daemon, and these are combined with the testing directories to be monitored defined
    in the module.
  inputs:
  - get_configuration0-tags_to_apply0
  - get_configuration1-tags_to_apply0
  - get_configuration2-tags_to_apply0
  name: test_symlink_dir_inside_monitored_dir
  parameters:
  - tags_to_apply:
      brief: Run test if matches with a configuration identifier, skip otherwise.
      type: set
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
tier: 1
type: integration


test_symlink_dir_inside_monitored_dir.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are modified. Specifically, these tests will verify that FIM follows the precedence in the configuration when a directory is monitored inside a monitored 'symbolic link', and the 'follow_symbolic_link' attribute is enabled. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 1,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux",
        "macos",
        "solaris"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6",
        "macOS Catalina",
        "Solaris 10",
        "Solaris 11"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#directories"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_follow_symbolic_link"
    ],
    "name": "test_symlink_dir_inside_monitored_dir.py",
    "id": 12,
    "group_id": 0,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' daemon detects the precedence in the configuration when monitoring a subdirectory from a symlink having a different configuration, and the 'follow_symbolic_link' setting is used. The monitored directory configuration should prevail over the symlink configuration (checks, follow_symbolic_link, etc.). For this purpose, the test will create a directory, a 'symbolic link' to that directory, and a subdirectory. The directory and the symlink will be monitored using different options. Then, the test will make file operations inside the directory and check if the FIM events fields match the ones configured for the 'symbolic link'. Finally, it will make file operations in the subdirectory and verify that the FIM events fields match the ones configured for the link.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run test if matches with a configuration identifier, skip otherwise."
                    }
                },
                {
                    "checkers": {
                        "type": "dict",
                        "brief": "Check options to be used."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that FIM follows the precedence in the configuration when monitoring a subdirectory from a 'symbolic link' having a different configuration, and the 'follow_symbolic_link' setting is used."
            ],
            "input_description": "A test case (symlink_dir_inside_monitored_dir) is contained in external YAML file (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon, and these are combined with the testing directories to be monitored defined in the module.",
            "expected_output": [
                {
                    "r'.*Sending FIM event": "(.+)$' ('added', 'modified', and 'deleted' events)"
                }
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_symlink_dir_inside_monitored_dir",
            "inputs": [
                "get_configuration0-tags_to_apply0",
                "get_configuration1-tags_to_apply0",
                "get_configuration2-tags_to_apply0",
                "get_configuration0-tags_to_apply0-checkers0",
                "get_configuration1-tags_to_apply0-checkers0",
                "get_configuration2-tags_to_apply0-checkers0"
            ]
        }
    ]
}

test_symlink_dir_inside_monitored_dir.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggering
  alerts when these files are modified. Specifically, these tests will verify that
  FIM follows the precedence in the configuration when a directory is monitored inside
  a monitored 'symbolic link', and the 'follow_symbolic_link' attribute is enabled.
  The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured
  files for changes to the checksums, permissions, and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <info@wazuh.com>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 0
id: 12
modules:
- fim
name: test_symlink_dir_inside_monitored_dir.py
os_platform:
- linux
- macos
- solaris
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
- macOS Catalina
- Solaris 10
- Solaris 11
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#directories
tags:
- fim_follow_symbolic_link
tests:
- assertions:
  - Verify that FIM follows the precedence in the configuration when monitoring a
    subdirectory from a 'symbolic link' having a different configuration, and the
    'follow_symbolic_link' setting is used.
  description: Check if the 'wazuh-syscheckd' daemon detects the precedence in the
    configuration when monitoring a subdirectory from a symlink having a different
    configuration, and the 'follow_symbolic_link' setting is used. The monitored directory
    configuration should prevail over the symlink configuration (checks, follow_symbolic_link,
    etc.). For this purpose, the test will create a directory, a 'symbolic link' to
    that directory, and a subdirectory. The directory and the symlink will be monitored
    using different options. Then, the test will make file operations inside the directory
    and check if the FIM events fields match the ones configured for the 'symbolic
    link'. Finally, it will make file operations in the subdirectory and verify that
    the FIM events fields match the ones configured for the link.
  expected_output:
  - r'.*Sending FIM event: (.+)$' ('added', 'modified', and 'deleted' events)
  input_description: A test case (symlink_dir_inside_monitored_dir) is contained in
    external YAML file (wazuh_conf.yaml) which includes configuration settings for
    the 'wazuh-syscheckd' daemon and, these are combined with the testing directories
    to be monitored defined in the module.
  inputs:
  - get_configuration0-tags_to_apply0
  - get_configuration1-tags_to_apply0
  - get_configuration2-tags_to_apply0
  - get_configuration0-tags_to_apply0-checkers0
  - get_configuration1-tags_to_apply0-checkers0
  - get_configuration2-tags_to_apply0-checkers0
  name: test_symlink_dir_inside_monitored_dir
  parameters:
  - tags_to_apply:
      brief: Run test if matches with a configuration identifier, skip otherwise.
      type: set
  - checkers:
      brief: Check options to be used.
      type: dict
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
tier: 1
type: integration


test_symlink_to_dir_between_scans.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are modified. Specifically, these tests will verify that FIM monitors a new directory when a monitored 'symbolic link' is replaced by it, and the 'follow_symbolic_link' attribute is enabled. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 1,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux",
        "macos",
        "solaris"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6",
        "macOS Catalina",
        "Solaris 10",
        "Solaris 11"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#directories"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_follow_symbolic_link"
    ],
    "name": "test_symlink_to_dir_between_scans.py",
    "id": 13,
    "group_id": 0,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' daemon detects events when a monitored symlink is replaced by a directory between scans, and the 'follow_symbolic_link' setting is used. For this purpose, the test will create a directory with some files and a 'symbolic link'. Then, it will remove the link and create a directory with the same path. Finally, it will wait until the next scheduled scan and verify that FIM events are generated by adding new files.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run test if matches with a configuration identifier, skip otherwise."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that FIM events are generated from a new directory when a monitored 'symbolic link' is replaced by it, and the 'follow_symbolic_link' setting is used."
            ],
            "input_description": "A test case (replace_with_directory) is contained in external YAML file (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon and, these are combined with the testing directories to be monitored defined in the common.py module.",
            "expected_output": [
                {
                    "r'.*Sending FIM event": "(.+)$' ('added' events)"
                }
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_symlink_to_dir_between_scans",
            "inputs": [
                "get_configuration0-tags_to_apply0"
            ]
        }
    ]
}

test_symlink_to_dir_between_scans.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggering
  alerts when these files are modified. Specifically, these tests will verify that
  FIM monitors a new directory when a monitored 'symbolic link' is replaced by it,
  and the 'follow_symbolic_link' attribute is enabled. The FIM capability is managed
  by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the
  checksums, permissions, and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <info@wazuh.com>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 0
id: 13
modules:
- fim
name: test_symlink_to_dir_between_scans.py
os_platform:
- linux
- macos
- solaris
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
- macOS Catalina
- Solaris 10
- Solaris 11
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#directories
tags:
- fim_follow_symbolic_link
tests:
- assertions:
  - Verify that FIM events are generated from a new directory when a monitored 'symbolic
    link' is replaced by it, and the 'follow_symbolic_link' setting is used.
  description: Check if the 'wazuh-syscheckd' daemon detects events when a monitored
    symlink is replaced by a directory between scans, and the 'follow_symbolic_link'
    setting is used. For this purpose, the test will create a directory with some
    files and a 'symbolic link'. Then, it will remove the link and create a directory
    with the same path. Finally, it will wait until the next scheduled scan and verify
    that FIM events are generated by adding new files.
  expected_output:
  - r'.*Sending FIM event: (.+)$' ('added' events)
  input_description: A test case (replace_with_directory) is contained in external
    YAML file (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd'
    daemon and, these are combined with the testing directories to be monitored defined
    in the common.py module.
  inputs:
  - get_configuration0-tags_to_apply0
  name: test_symlink_to_dir_between_scans
  parameters:
  - tags_to_apply:
      brief: Run test if matches with a configuration identifier, skip otherwise.
      type: set
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
tier: 1
type: integration


test_symlink_within_dir.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are modified. Specifically, these tests will verify that FIM follows the precedence of monitoring options when there is a 'symbolic link' within a monitored directory, and the 'follow_symbolic_link' attribute is enabled. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 1,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux",
        "macos",
        "solaris"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6",
        "macOS Catalina",
        "Solaris 10",
        "Solaris 11"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#directories"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_follow_symbolic_link"
    ],
    "name": "test_symlink_within_dir.py",
    "id": 14,
    "group_id": 0,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' daemon detects the precedence in the configuration when monitoring a subdirectory from a symlink having a different configuration, and the 'follow_symbolic_link' setting is used. The link configuration should prevail over the monitored directory (checks, follow_symbolic_link, etc...). For this purpose, the test will create a directory, a subdirectory, and a 'symbolic link' to the subdirectory. The directory and the 'symbolic link' are monitored using different options. Then, it will make file operations inside the directory, and check if the FIM events fields match the ones configured for that directory. Finally, the test will generate events in the subdirectory and verify that the FIM events fields match the ones configured for the link.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run test if matches with a configuration identifier, skip otherwise."
                    }
                },
                {
                    "checkers": {
                        "type": "dict",
                        "brief": "Check options to be used."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that FIM follows the precedence of monitoring options when there is a 'symbolic link' within a monitored directory, and the 'follow_symbolic_link' attribute is enabled."
            ],
            "input_description": "A test case (symlink_within_directory) is contained in external YAML file (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon and, these are combined with the testing directories to be monitored defined in the module.",
            "expected_output": [
                {
                    "r'.*Sending FIM event": "(.+)$' ('added', 'modified', and 'deleted' events)"
                }
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_symlink_within_dir",
            "inputs": [
                "get_configuration0-tags_to_apply0-checkers0",
                "get_configuration1-tags_to_apply0-checkers0",
                "get_configuration2-tags_to_apply0-checkers0"
            ]
        }
    ]
}

test_symlink_within_dir.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggering
  alerts when these files are modified. Specifically, these tests will verify that
  FIM follows the precedence of monitoring options when there is a 'symbolic link'
  within a monitored directory, and the 'follow_symbolic_link' attribute is enabled.
  The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured
  files for changes to the checksums, permissions, and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <info@wazuh.com>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 0
id: 14
modules:
- fim
name: test_symlink_within_dir.py
os_platform:
- linux
- macos
- solaris
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
- macOS Catalina
- Solaris 10
- Solaris 11
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#directories
tags:
- fim_follow_symbolic_link
tests:
- assertions:
  - Verify that FIM follows the precedence of monitoring options when there is a 'symbolic
    link' within a monitored directory, and the 'follow_symbolic_link' attribute is
    enabled.
  description: Check if the 'wazuh-syscheckd' daemon detects the precedence in the
    configuration when monitoring a subdirectory from a symlink having a different
    configuration, and the 'follow_symbolic_link' setting is used. The link configuration
    should prevail over the monitored directory (checks, follow_symbolic_link, etc...).
    For this purpose, the test will create a directory, a subdirectory, and a 'symbolic
    link' to the subdirectory. The directory and the 'symbolic link' are monitored
    using different options. Then, it will make file operations inside the directory,
    and check if the FIM events fields match the ones configured for that directory.
    Finally, the test will generate events in the subdirectory and verify that the
    FIM events fields match the ones configured for the link.
  expected_output:
  - r'.*Sending FIM event: (.+)$' ('added', 'modified', and 'deleted' events)
  input_description: A test case (symlink_within_directory) is contained in external
    YAML file (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd'
    daemon and, these are combined with the testing directories to be monitored defined
    in the module.
  inputs:
  - get_configuration0-tags_to_apply0-checkers0
  - get_configuration1-tags_to_apply0-checkers0
  - get_configuration2-tags_to_apply0-checkers0
  name: test_symlink_within_dir
  parameters:
  - tags_to_apply:
      brief: Run test if matches with a configuration identifier, skip otherwise.
      type: set
  - checkers:
      brief: Check options to be used.
      type: dict
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
tier: 1
type: integration

Tests

  • Python codebase satisfies the PEP-8 style guide. pycodestyle --max-line-length=120 --show-source --show-pep8 file.py.
  • The DocGenerator sanity check test does not return errors. python3 DocGenerator.py -s

…in QA Docs style

The following tests have been documented:
  * test_audit_rules_removed_after_change_link.py
  * test_change_target_inside_folder.py
  * test_change_target_with_nested_directory.py
The current scheme of the issue #1694 has been used.
PEP-8 fixes.

Closes: #1948
…in QA Docs style

The following tests have been documented:
  * test_change_target.py
  * test_delete_symlink.py
  * test_delete_target.py
  * test_follow_symbolic_disabled.py
  * test_monitor_symlink.py
  * test_not_following_symbolic_link.py
The current scheme of the issue #1694 has been used.
PEP-8 fixes.

Closes: #1948
…in QA Docs style

The following tests have been documented:
  * test_revert_symlink.py
  * test_symlink_and_dir.py
  * test_symlink_dir_inside_monitored_dir.py
  * test_symlink_to_dir_between_scans.py
  * test_symlink_within_dir.py
The current scheme of the issue #1694 has been used.
Updated config.yaml
PEP-8 fixes.

Closes: #1948
@mdengra mdengra requested a review from roronoasins October 4, 2021 10:24
@mdengra mdengra self-assigned this Oct 4, 2021

@roronoasins roronoasins left a comment


👌

@mdengra mdengra merged commit b9588b7 into 1810-qadocs-migrate-test-fim Oct 4, 2021
@mdengra mdengra deleted the 1948-qadocs-migrate-test-fim-follow-symbolic-link branch October 4, 2021 11:40
Successfully merging this pull request may close these issues.

qa-docs: Migrate test_fim/test_files/test_follow_symbolic_link documentation to schema 2.0