Migrate test_scan, test_skip, and test_stats_integrity_sync of test_fim/test_files documentation to qa-docs #2038

mdengra
Contributor

@mdengra mdengra commented Oct 14, 2021

Related issue
Closes #2031

Description

As part of issue #1810 and epic #1796, this PR adds the missing documentation and migrates the current documentation to the new format used by qa-docs.
The schema used is the one defined in issue #1694.

Generated documentation

test_scan

test_scan_day_and_time.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are modified. Specifically, these tests will check if the 'wazuh-syscheckd' daemon runs the scans on a specific day of the week and time, set them in the 'scan_day' and 'scan_time' tags. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 1,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux",
        "windows"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6",
        "Windows 10",
        "Windows 8",
        "Windows 7",
        "Windows Server 2016",
        "Windows Server 2012",
        "Windows Server 2003",
        "Windows XP"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#scan-day",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#scan-time"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_scan"
    ],
    "name": "test_scan_day_and_time.py",
    "id": 2,
    "group_id": 0,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' performs a scan on the day of the week and the time specified in the 'scan_day' and 'scan_time' tags. For this purpose, the test will monitor a testing folder and modify the system date to the moment of the scan that should be performed. Then, it will check if an FIM event, indicating that the scan is ended, is generated. Finally, the test will verify that scans are not performed on a different day or time specified in the test case.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run test if match with a configuration identifier, skip otherwise."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that an FIM event is generated when the system date matches the day of the week and the time specified for the scan.",
                "Verify that scan is not performed on a different day or time than scheduled."
            ],
            "input_description": "A test case (scan_both) is contained in external YAML file (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon. These are combined with the testing directory to be monitored and the scan dates defined in the module.",
            "expected_output": [
                {
                    "r'.*Sending FIM event": "(.+)$' (at scan ends)"
                }
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_scan_day_and_time",
            "inputs": [
                "get_configuration0-tags_to_apply0",
                "get_configuration1-tags_to_apply0",
                "get_configuration2-tags_to_apply0",
                "get_configuration3-tags_to_apply0"
            ]
        }
    ]
}

test_scan_day_and_time.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggering
  alerts when these files are modified. Specifically, these tests will check if the
  'wazuh-syscheckd' daemon runs the scans on a specific day of the week and time,
  set them in the 'scan_day' and 'scan_time' tags. The FIM capability is managed by
  the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums,
  permissions, and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <info@wazuh.com>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 0
id: 2
modules:
- fim
name: test_scan_day_and_time.py
os_platform:
- linux
- windows
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
- Windows 10
- Windows 8
- Windows 7
- Windows Server 2016
- Windows Server 2012
- Windows Server 2003
- Windows XP
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#scan-day
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#scan-time
tags:
- fim_scan
tests:
- assertions:
  - Verify that an FIM event is generated when the system date matches the day of
    the week and the time specified for the scan.
  - Verify that scan is not performed on a different day or time than scheduled.
  description: Check if the 'wazuh-syscheckd' performs a scan on the day of the week
    and the time specified in the 'scan_day' and 'scan_time' tags. For this purpose,
    the test will monitor a testing folder and modify the system date to the moment
    of the scan that should be performed. Then, it will check if an FIM event, indicating
    that the scan is ended, is generated. Finally, the test will verify that scans
    are not performed on a different day or time specified in the test case.
  expected_output:
  - r'.*Sending FIM event: (.+)$' (at scan ends)
  input_description: A test case (scan_both) is contained in external YAML file (wazuh_conf.yaml)
    which includes configuration settings for the 'wazuh-syscheckd' daemon. These
    are combined with the testing directory to be monitored and the scan dates defined
    in the module.
  inputs:
  - get_configuration0-tags_to_apply0
  - get_configuration1-tags_to_apply0
  - get_configuration2-tags_to_apply0
  - get_configuration3-tags_to_apply0
  name: test_scan_day_and_time
  parameters:
  - tags_to_apply:
      brief: Run test if match with a configuration identifier, skip otherwise.
      type: set
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
tier: 1
type: integration

test_scan_day.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are modified. Specifically, these tests will check if the 'wazuh-syscheckd' daemon runs the scans on a specific day of the week set in the 'scan_day' tag. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 1,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux",
        "windows"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6",
        "Windows 10",
        "Windows 8",
        "Windows 7",
        "Windows Server 2016",
        "Windows Server 2012",
        "Windows Server 2003",
        "Windows XP"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#scan-day"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_scan"
    ],
    "name": "test_scan_day.py",
    "id": 1,
    "group_id": 0,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' performs a scan on the day of the week specified in the 'scan_day' tag. For this purpose, the test will monitor a testing folder and modify the system date to the day of the scan that should be performed. Then, it will check if an FIM event, indicating that the scan is ended, is generated. Finally, the test will verify that scans are not performed on a different day of the week specified in the test case.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run test if match with a configuration identifier, skip otherwise."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that an FIM event is generated when the system date matches the day of the week specified for the scan.",
                "Verify that scan is not performed on a different day of the week than scheduled."
            ],
            "input_description": "A test case (scan_day) is contained in external YAML file (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon. These are combined with the testing directory to be monitored and the scan days defined in the module.",
            "expected_output": [
                {
                    "r'.*Sending FIM event": "(.+)$' (at scan ends)"
                }
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_scan_day",
            "inputs": [
                "get_configuration0-tags_to_apply0",
                "get_configuration1-tags_to_apply0",
                "get_configuration2-tags_to_apply0"
            ]
        }
    ]
}

test_scan_day.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggering
  alerts when these files are modified. Specifically, these tests will check if the
  'wazuh-syscheckd' daemon runs the scans on a specific day of the week set in the
  'scan_day' tag. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which
  checks configured files for changes to the checksums, permissions, and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <info@wazuh.com>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 0
id: 1
modules:
- fim
name: test_scan_day.py
os_platform:
- linux
- windows
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
- Windows 10
- Windows 8
- Windows 7
- Windows Server 2016
- Windows Server 2012
- Windows Server 2003
- Windows XP
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#scan-day
tags:
- fim_scan
tests:
- assertions:
  - Verify that an FIM event is generated when the system date matches the day of
    the week specified for the scan.
  - Verify that scan is not performed on a different day of the week than scheduled.
  description: Check if the 'wazuh-syscheckd' performs a scan on the day of the week
    specified in the 'scan_day' tag. For this purpose, the test will monitor a testing
    folder and modify the system date to the day of the scan that should be performed.
    Then, it will check if an FIM event, indicating that the scan is ended, is generated.
    Finally, the test will verify that scans are not performed on a different day
    of the week specified in the test case.
  expected_output:
  - r'.*Sending FIM event: (.+)$' (at scan ends)
  input_description: A test case (scan_day) is contained in external YAML file (wazuh_conf.yaml)
    which includes configuration settings for the 'wazuh-syscheckd' daemon. These
    are combined with the testing directory to be monitored and the scan days defined
    in the module.
  inputs:
  - get_configuration0-tags_to_apply0
  - get_configuration1-tags_to_apply0
  - get_configuration2-tags_to_apply0
  name: test_scan_day
  parameters:
  - tags_to_apply:
      brief: Run test if match with a configuration identifier, skip otherwise.
      type: set
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
tier: 1
type: integration

test_scan_time.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are modified. Specifically, these tests will check if the 'wazuh-syscheckd' daemon runs the scans at a specific time of day set in the 'scan_time' tag. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 1,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux",
        "windows"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6",
        "Windows 10",
        "Windows 8",
        "Windows 7",
        "Windows Server 2016",
        "Windows Server 2012",
        "Windows Server 2003",
        "Windows XP"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#scan-time"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_scan"
    ],
    "name": "test_scan_time.py",
    "id": 3,
    "group_id": 0,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' performs a scan at the time of day specified in the 'scan_time' tag. For this purpose, the test will monitor a testing folder and modify the system date to the time of the scan that should be performed. Then, it will check if an FIM event, indicating that the scan is ended, is generated. Finally, the test will verify that scans are not performed at a different time of day specified in the test case.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run test if match with a configuration identifier, skip otherwise."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that an FIM event is generated when the system date matches the time of day specified for the scan.",
                "Verify that scan is not performed at a different time of day than scheduled."
            ],
            "input_description": "A test case (scan_time) is contained in external YAML file (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon. These are combined with the testing directory to be monitored and the scan times defined in the module.",
            "expected_output": [
                {
                    "r'.*Sending FIM event": "(.+)$' (at scan ends)"
                }
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_scan_time",
            "inputs": [
                "get_configuration0-tags_to_apply0",
                "get_configuration1-tags_to_apply0",
                "get_configuration2-tags_to_apply0"
            ]
        }
    ]
}

test_scan_time.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggering
  alerts when these files are modified. Specifically, these tests will check if the
  'wazuh-syscheckd' daemon runs the scans at a specific time of day set in the 'scan_time'
  tag. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks
  configured files for changes to the checksums, permissions, and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <info@wazuh.com>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 0
id: 3
modules:
- fim
name: test_scan_time.py
os_platform:
- linux
- windows
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
- Windows 10
- Windows 8
- Windows 7
- Windows Server 2016
- Windows Server 2012
- Windows Server 2003
- Windows XP
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#scan-time
tags:
- fim_scan
tests:
- assertions:
  - Verify that an FIM event is generated when the system date matches the time of
    day specified for the scan.
  - Verify that scan is not performed at a different time of day than scheduled.
  description: Check if the 'wazuh-syscheckd' performs a scan at the time of day specified
    in the 'scan_time' tag. For this purpose, the test will monitor a testing folder
    and modify the system date to the time of the scan that should be performed. Then,
    it will check if an FIM event, indicating that the scan is ended, is generated.
    Finally, the test will verify that scans are not performed at a different time
    of day specified in the test case.
  expected_output:
  - r'.*Sending FIM event: (.+)$' (at scan ends)
  input_description: A test case (scan_time) is contained in external YAML file (wazuh_conf.yaml)
    which includes configuration settings for the 'wazuh-syscheckd' daemon. These
    are combined with the testing directory to be monitored and the scan times defined
    in the module.
  inputs:
  - get_configuration0-tags_to_apply0
  - get_configuration1-tags_to_apply0
  - get_configuration2-tags_to_apply0
  name: test_scan_time
  parameters:
  - tags_to_apply:
      brief: Run test if match with a configuration identifier, skip otherwise.
      type: set
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
tier: 1
type: integration

test_skip

test_skip.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are modified. Specifically, these tests will check if the 'wazuh-syscheckd' daemon skips the scans on the special directories of Linux systems ('/dev', '/proc', '/sys', and NFS folders), using the 'skip_' tags for this purpose. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 1,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux"
    ],
    "os_version": [
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#skip-dev",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#skip-nfs",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#skip-proc",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#skip-sys",
        "https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_skip"
    ],
    "name": "test_skip.py",
    "id": 4,
    "group_id": 3,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' daemon skips the Linux '/proc' directory at scanning when the 'skip_proc' tag is set to 'yes'. For this purpose, the test will monitor a PID folder in the '/proc' directory. To generate the PID folder, it will call a script that contains an endless loop to create the process that adds that folder to the '/proc' directory. Then, the test adds to the main configuration the PID folder to monitor, and finally, it will verify that the FIM 'added' event related to the PID folder ('skip_proc == no') or the FIM 'integrity' event ('skip_proc == yes') is generated.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that no FIM events are generated from a monitored folder inside the '/proc' directory when the 'skip_proc' tag is set to 'yes' and vice versa."
            ],
            "input_description": "A test case (skip_proc) is contained in external YAML file (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon, and these are combined with the testing directory to be monitored defined in the module. To generate the directory to monitor in '/proc', the 'proc.py' script is used, which runs an endless loop to keep the PID active.",
            "expected_output": [
                {
                    "r'.*Sending FIM event": "(.+)$' ('added' events if 'skip_proc == no')"
                },
                {
                    "r'.*Sending integrity control message": "(.+)$' (if 'skip_sys == yes')"
                }
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_skip_proc",
            "inputs": [
                "get_configuration0",
                "get_configuration1",
                "get_configuration2",
                "get_configuration3",
                "get_configuration4",
                "get_configuration5",
                "get_configuration6",
                "get_configuration7"
            ]
        },
        {
            "description": "Check if the 'wazuh-syscheckd' daemon skips the Linux '/sys' directory at scanning when the 'skip_sys' tag is set to 'yes'. For this purpose, the test will monitor the 'module/isofs' folder in the '/sys' directory. That folder is created by the 'isofs' module, so if it does not exist, it must be load before the test run. Then, it will remove the 'isofs' folder by unloading the 'isofs' module, and finally, it will verify that the FIM 'deleted' event related to the 'isofs' folder ('skip_proc == no') or the FIM 'integrity' event ('skip_proc == yes') is generated.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that no FIM events are generated from a monitored folder inside the '/sys' directory when the 'skip_sys' tag is set to 'yes' and vice versa."
            ],
            "input_description": "A test case (skip_sys) is contained in external YAML file (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon and the testing directory to be monitored.",
            "expected_output": [
                {
                    "r'.*Sending FIM event": "(.+)$' ('deleted' events if 'skip_sys == no')"
                },
                {
                    "r'.*Sending integrity control message": "(.+)$' (if 'skip_sys == yes')"
                }
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_skip_sys",
            "inputs": [
                "get_configuration0",
                "get_configuration1",
                "get_configuration2",
                "get_configuration3",
                "get_configuration4",
                "get_configuration5",
                "get_configuration6",
                "get_configuration7"
            ]
        },
        {
            "description": "Check if the 'wazuh-syscheckd' daemon skips the Linux '/dev' directory at scanning when the 'skip_dev' tag is set to 'yes'. For this purpose, the test will monitor the '/dev' directory. Then, it will make file operations inside it, and finally, the test will verify that FIM events from the '/dev' folder are generated or not depending on the value of the 'skip_dev' tag.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "modify_inode_mock": {
                        "type": "None",
                        "brief": "Change the inode of a file in Linux systems."
                    }
                },
                {
                    "directory": {
                        "type": "str",
                        "brief": "Path to the testing directory that will be monitored."
                    }
                },
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run test if match with a configuration identifier, skip otherwise."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that no FIM events are generated from the '/dev' directory when the 'skip_dev' tag is set to 'yes' and vice versa."
            ],
            "input_description": "A test case (skip_dev) is contained in external YAML file (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon and the testing directory to be monitored.",
            "expected_output": [
                {
                    "r'.*Sending FIM event": "(.+)$' ('added', 'modified', and 'deleted' events if 'skip_sys == no')"
                }
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_skip_dev",
            "inputs": [
                "get_configuration0-/dev-tags_to_apply0",
                "get_configuration1-/dev-tags_to_apply0",
                "get_configuration2-/dev-tags_to_apply0",
                "get_configuration3-/dev-tags_to_apply0",
                "get_configuration4-/dev-tags_to_apply0",
                "get_configuration5-/dev-tags_to_apply0",
                "get_configuration6-/dev-tags_to_apply0",
                "get_configuration7-/dev-tags_to_apply0"
            ]
        },
        {
            "description": "Check if the 'wazuh-syscheckd' daemon skips NFS directories at scanning when the 'skip_nfs' tag is set to 'yes'. For this purpose, the test will create and monitor a NFS mount point. Then, it will make file operations inside it, and finally, the test will verify that FIM events from the NFS folder are generated or not depending on the value of the 'skip_nfs' tag.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "modify_inode_mock": {
                        "type": "None",
                        "brief": "Change the inode of a file in Linux systems."
                    }
                },
                {
                    "directory": {
                        "type": "str",
                        "brief": "Path to the testing directory that will be monitored."
                    }
                },
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run test if match with a configuration identifier, skip otherwise."
                    }
                },
                {
                    "configure_nfs": {
                        "type": "fixture",
                        "brief": "Call NFS scripts to create and configure a NFS mount point."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that no FIM events are generated from an NFS monitored directory when the 'skip_nfs' tag is set to 'yes' and vice versa."
            ],
            "input_description": "A test case (skip_nfs) is contained in external YAML file (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon and the testing directory to be monitored. To generate the NFS directory to monitor, the 'configure_nfs.sh' script is used, which install, configure, and create a mount point using NFS. To remove the mount point, the 'remove_nfs.sh' script is used.",
            "expected_output": [
                {
                    "r'.*Sending FIM event": "(.+)$' ('added', 'modified', and 'deleted' events if 'skip_nfs == no')"
                }
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_skip_nfs",
            "inputs": [
                "get_configuration0-/nfs-mount-point-tags_to_apply0",
                "get_configuration1-/nfs-mount-point-tags_to_apply0",
                "get_configuration2-/nfs-mount-point-tags_to_apply0",
                "get_configuration3-/nfs-mount-point-tags_to_apply0",
                "get_configuration4-/nfs-mount-point-tags_to_apply0",
                "get_configuration5-/nfs-mount-point-tags_to_apply0",
                "get_configuration6-/nfs-mount-point-tags_to_apply0",
                "get_configuration7-/nfs-mount-point-tags_to_apply0"
            ]
        }
    ]
}

test_skip.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggers
  alerts when these files are modified. Specifically, these tests will check if the
  'wazuh-syscheckd' daemon skips the scans on the special directories of Linux systems
  ('/dev', '/proc', '/sys', and NFS folders), using the 'skip_' tags for this purpose.
  The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured
  files for changes to the checksums, permissions, and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <info@wazuh.com>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 3
id: 4
modules:
- fim
name: test_skip.py
os_platform:
- linux
os_version:
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#skip-dev
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#skip-nfs
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#skip-proc
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#skip-sys
- https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard
tags:
- fim_skip
tests:
- assertions:
  - Verify that no FIM events are generated from a monitored folder inside the '/proc'
    directory when the 'skip_proc' tag is set to 'yes' and vice versa.
  description: Check if the 'wazuh-syscheckd' daemon skips the Linux '/proc' directory
    at scanning when the 'skip_proc' tag is set to 'yes'. For this purpose, the test
    will monitor a PID folder in the '/proc' directory. To generate the PID folder,
    it will call a script that contains an endless loop to create the process that
    adds that folder to the '/proc' directory. Then, the test adds to the main configuration
    the PID folder to monitor, and finally, it will verify that the FIM 'added' event
    related to the PID folder ('skip_proc == no') or the FIM 'integrity' event ('skip_proc
    == yes') is generated.
  expected_output:
  - r'.*Sending FIM event: (.+)$' ('added' events if 'skip_proc == no')
  - r'.*Sending integrity control message: (.+)$' (if 'skip_sys == yes')
  input_description: A test case (skip_proc) is contained in external YAML file (wazuh_conf.yaml)
    which includes configuration settings for the 'wazuh-syscheckd' daemon, and these
    are combined with the testing directory to be monitored defined in the module.
    To generate the directory to monitor in '/proc', the 'proc.py' script is used,
    which runs an endless loop to keep the PID active.
  inputs:
  - get_configuration0
  - get_configuration1
  - get_configuration2
  - get_configuration3
  - get_configuration4
  - get_configuration5
  - get_configuration6
  - get_configuration7
  name: test_skip_proc
  parameters:
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
- assertions:
  - Verify that no FIM events are generated from a monitored folder inside the '/sys'
    directory when the 'skip_sys' tag is set to 'yes' and vice versa.
  description: Check if the 'wazuh-syscheckd' daemon skips the Linux '/sys' directory
    at scanning when the 'skip_sys' tag is set to 'yes'. For this purpose, the test
    will monitor the 'module/isofs' folder in the '/sys' directory. That folder is
    created by the 'isofs' module, so if it does not exist, it must be loaded before
    the test run. Then, it will remove the 'isofs' folder by unloading the 'isofs'
    module, and finally, it will verify that the FIM 'deleted' event related to the
    'isofs' folder ('skip_proc == no') or the FIM 'integrity' event ('skip_proc ==
    yes') is generated.
  expected_output:
  - r'.*Sending FIM event: (.+)$' ('deleted' events if 'skip_sys == no')
  - r'.*Sending integrity control message: (.+)$' (if 'skip_sys == yes')
  input_description: A test case (skip_sys) is contained in external YAML file (wazuh_conf.yaml)
    which includes configuration settings for the 'wazuh-syscheckd' daemon and the
    testing directory to be monitored.
  inputs:
  - get_configuration0
  - get_configuration1
  - get_configuration2
  - get_configuration3
  - get_configuration4
  - get_configuration5
  - get_configuration6
  - get_configuration7
  name: test_skip_sys
  parameters:
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
- assertions:
  - Verify that no FIM events are generated from the '/dev' directory when the 'skip_dev'
    tag is set to 'yes' and vice versa.
  description: Check if the 'wazuh-syscheckd' daemon skips the Linux '/dev' directory
    at scanning when the 'skip_dev' tag is set to 'yes'. For this purpose, the test
    will monitor the '/dev' directory. Then, it will make file operations inside it,
    and finally, the test will verify that FIM events from the '/dev' folder are generated
    or not depending on the value of the 'skip_dev' tag.
  expected_output:
  - r'.*Sending FIM event: (.+)$' ('added', 'modified', and 'deleted' events if 'skip_sys
      == no')
  input_description: A test case (skip_dev) is contained in external YAML file (wazuh_conf.yaml)
    which includes configuration settings for the 'wazuh-syscheckd' daemon and the
    testing directory to be monitored.
  inputs:
  - get_configuration0-/dev-tags_to_apply0
  - get_configuration1-/dev-tags_to_apply0
  - get_configuration2-/dev-tags_to_apply0
  - get_configuration3-/dev-tags_to_apply0
  - get_configuration4-/dev-tags_to_apply0
  - get_configuration5-/dev-tags_to_apply0
  - get_configuration6-/dev-tags_to_apply0
  - get_configuration7-/dev-tags_to_apply0
  name: test_skip_dev
  parameters:
  - modify_inode_mock:
      brief: Change the inode of a file in Linux systems.
      type: None
  - directory:
      brief: Path to the testing directory that will be monitored.
      type: str
  - tags_to_apply:
      brief: Run test if it matches a configuration identifier, skip otherwise.
      type: set
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
- assertions:
  - Verify that no FIM events are generated from an NFS monitored directory when the
    'skip_nfs' tag is set to 'yes' and vice versa.
  description: Check if the 'wazuh-syscheckd' daemon skips NFS directories at scanning
    when the 'skip_nfs' tag is set to 'yes'. For this purpose, the test will create
    and monitor an NFS mount point. Then, it will make file operations inside it, and
    finally, the test will verify that FIM events from the NFS folder are generated
    or not depending on the value of the 'skip_nfs' tag.
  expected_output:
  - r'.*Sending FIM event: (.+)$' ('added', 'modified', and 'deleted' events if 'skip_nfs
      == no')
  input_description: A test case (skip_nfs) is contained in external YAML file (wazuh_conf.yaml)
    which includes configuration settings for the 'wazuh-syscheckd' daemon and the
    testing directory to be monitored. To generate the NFS directory to monitor, the
    'configure_nfs.sh' script is used, which installs, configures, and creates a mount
    point using NFS. To remove the mount point, the 'remove_nfs.sh' script is used.
  inputs:
  - get_configuration0-/nfs-mount-point-tags_to_apply0
  - get_configuration1-/nfs-mount-point-tags_to_apply0
  - get_configuration2-/nfs-mount-point-tags_to_apply0
  - get_configuration3-/nfs-mount-point-tags_to_apply0
  - get_configuration4-/nfs-mount-point-tags_to_apply0
  - get_configuration5-/nfs-mount-point-tags_to_apply0
  - get_configuration6-/nfs-mount-point-tags_to_apply0
  - get_configuration7-/nfs-mount-point-tags_to_apply0
  name: test_skip_nfs
  parameters:
  - modify_inode_mock:
      brief: Change the inode of a file in Linux systems.
      type: None
  - directory:
      brief: Path to the testing directory that will be monitored.
      type: str
  - tags_to_apply:
      brief: Run test if it matches a configuration identifier, skip otherwise.
      type: set
  - configure_nfs:
      brief: Call NFS scripts to create and configure an NFS mount point.
      type: fixture
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
tier: 1
type: integration

test_stats_integrity_sync

test_FIM_performance.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are modified. Specifically, these tests will check the overall performance of FIM using the 'realtime' monitoring mode. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 3,
    "modules": [
        "fim"
    ],
    "components": [
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_stats_integrity_sync"
    ],
    "name": "test_FIM_performance.py",
    "id": 5,
    "group_id": 4,
    "tests": [
        {
            "description": "Check the overall performance of the FIM module and generate the related metrics. For this purpose, the test will monitor a directory hierarchy of variable depth and create multiple testing files in it. Then, it will make different operations to bench the different subsystems, and finally, the test will collect the metrics generated to store them in CSV files.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "mode": {
                        "type": "str",
                        "brief": "FIM monitoring mode to be used."
                    }
                },
                {
                    "file_size": {
                        "type": "str",
                        "brief": "Size of the testing files to be created."
                    }
                },
                {
                    "eps": {
                        "type": "str",
                        "brief": "Number the events per second to generate."
                    }
                },
                {
                    "path_length": {
                        "type": "str",
                        "brief": "Level of depth of the directory hierarchy to be created."
                    }
                },
                {
                    "number_files": {
                        "type": "str",
                        "brief": "Number of testing files to be created."
                    }
                },
                {
                    "initial_clean": {
                        "type": "fixture",
                        "brief": "Clean the environment by removing the stats files and the testing dir."
                    }
                },
                {
                    "modify_local_internal_options": {
                        "type": "fixture",
                        "brief": "Replace the 'local_internal_options' file."
                    }
                }
            ],
            "assertions": [
                "Benchmark the FIM module and collect the generated metrics to store them in CSV files."
            ],
            "input_description": "A template is used for the main configuration of the manager. It is included in an external '.conf' file (template_wazuh_conf.conf). The test cases are defined in the module.",
            "expected_output": [
                "A CSV file with the metrics collected for the 'wazuh-agentd' daemon stats.",
                "A CSV file with the metrics collected for the database integrity.",
                "A CSV file with the general metrics collected."
            ],
            "tags": [
                "realtime"
            ],
            "name": "test_performance",
            "inputs": [
                "real-time-eps0-1-20-1",
                "real-time-eps0-1-20-1000",
                "real-time-eps0-1-20-100000",
                "real-time-eps0-1-128-1",
                "real-time-eps0-1-128-1000",
                "real-time-eps0-1-128-100000",
                "real-time-eps0-1-2048-1",
                "real-time-eps0-1-2048-1000",
                "real-time-eps0-1-2048-100000",
                "real-time-eps0-10-20-1",
                "real-time-eps0-10-20-1000",
                "real-time-eps0-10-20-100000",
                "real-time-eps0-10-128-1",
                "real-time-eps0-10-128-1000",
                "real-time-eps0-10-128-100000",
                "real-time-eps0-10-2048-1",
                "real-time-eps0-10-2048-1000",
                "real-time-eps0-10-2048-100000",
                "real-time-eps0-100-20-1",
                "real-time-eps0-100-20-1000",
                "real-time-eps0-100-20-100000",
                "real-time-eps0-100-128-1",
                "real-time-eps0-100-128-1000",
                "real-time-eps0-100-128-100000",
                "real-time-eps0-100-2048-1",
                "real-time-eps0-100-2048-1000",
                "real-time-eps0-100-2048-100000"
            ]
        }
    ]
}

test_FIM_performance.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggers
  alerts when these files are modified. Specifically, these tests will check the overall
  performance of FIM using the 'realtime' monitoring mode. The FIM capability is managed
  by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the
  checksums, permissions, and ownership.
components:
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <info@wazuh.com>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 4
id: 5
modules:
- fim
name: test_FIM_performance.py
os_platform:
- linux
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
tags:
- fim_stats_integrity_sync
tests:
- assertions:
  - Benchmark the FIM module and collect the generated metrics to store them in CSV
    files.
  description: Check the overall performance of the FIM module and generate the related
    metrics. For this purpose, the test will monitor a directory hierarchy of variable
    depth and create multiple testing files in it. Then, it will make different operations
    to bench the different subsystems, and finally, the test will collect the metrics
    generated to store them in CSV files.
  expected_output:
  - A CSV file with the metrics collected for the 'wazuh-agentd' daemon stats.
  - A CSV file with the metrics collected for the database integrity.
  - A CSV file with the general metrics collected.
  input_description: A template is used for the main configuration of the manager.
    It is included in an external '.conf' file (template_wazuh_conf.conf). The test
    cases are defined in the module.
  inputs:
  - real-time-eps0-1-20-1
  - real-time-eps0-1-20-1000
  - real-time-eps0-1-20-100000
  - real-time-eps0-1-128-1
  - real-time-eps0-1-128-1000
  - real-time-eps0-1-128-100000
  - real-time-eps0-1-2048-1
  - real-time-eps0-1-2048-1000
  - real-time-eps0-1-2048-100000
  - real-time-eps0-10-20-1
  - real-time-eps0-10-20-1000
  - real-time-eps0-10-20-100000
  - real-time-eps0-10-128-1
  - real-time-eps0-10-128-1000
  - real-time-eps0-10-128-100000
  - real-time-eps0-10-2048-1
  - real-time-eps0-10-2048-1000
  - real-time-eps0-10-2048-100000
  - real-time-eps0-100-20-1
  - real-time-eps0-100-20-1000
  - real-time-eps0-100-20-100000
  - real-time-eps0-100-128-1
  - real-time-eps0-100-128-1000
  - real-time-eps0-100-128-100000
  - real-time-eps0-100-2048-1
  - real-time-eps0-100-2048-1000
  - real-time-eps0-100-2048-100000
  name: test_performance
  parameters:
  - mode:
      brief: FIM monitoring mode to be used.
      type: str
  - file_size:
      brief: Size of the testing files to be created.
      type: str
  - eps:
      brief: Number the events per second to generate.
      type: str
  - path_length:
      brief: Level of depth of the directory hierarchy to be created.
      type: str
  - number_files:
      brief: Number of testing files to be created.
      type: str
  - initial_clean:
      brief: Clean the environment by removing the stats files and the testing dir.
      type: fixture
  - modify_local_internal_options:
      brief: Replace the 'local_internal_options' file.
      type: fixture
  tags:
  - realtime
  wazuh_min_version: 4.2.0
tier: 3
type: integration

 

test_stats_integrity_sync.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are modified. Specifically, these tests will check the overall performance of the statistics recollection by the Wazuh daemons related to the FIM module. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 3,
    "modules": [
        "fim"
    ],
    "components": [
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_stats_integrity_sync"
    ],
    "name": "test_stats_integrity_sync.py",
    "id": 6,
    "group_id": 4,
    "tests": [
        {
            "description": "Check the overall performance in terms of statistics recollection by the Wazuh daemons related to the FIM module. For this purpose, the test will initialize several agents that send to the manager a variable load of events (sync and FIM events). Then, it will collect the metrics generated by the 'wazuh-db', 'wazuh-analysisd', 'wazuh-remoted' daemons, and the agents. Finally, the test will store those metrics in several CSV files.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "fim_eps": {
                        "type": "str",
                        "brief": "Number of FIM events per second to generate."
                    }
                },
                {
                    "sync_eps": {
                        "type": "str",
                        "brief": "Number of synchronization events per second to generate."
                    }
                },
                {
                    "files": {
                        "type": "str",
                        "brief": "Number of testing files to be created."
                    }
                },
                {
                    "directory": {
                        "type": "str",
                        "brief": "Path to the directoy to be monitored."
                    }
                },
                {
                    "buffer": {
                        "type": "str",
                        "brief": "Enable the agent buffer to avoid events flooding."
                    }
                },
                {
                    "case": {
                        "type": "int",
                        "brief": "ID of the test case to be tested."
                    }
                },
                {
                    "modify_file": {
                        "type": "bool",
                        "brief": "True for modify the checksum of a testing file. False otherwise."
                    }
                },
                {
                    "modify_all": {
                        "type": "bool",
                        "brief": "True for modify all checksums in the database. False otherwise."
                    }
                },
                {
                    "restore_all": {
                        "type": "bool",
                        "brief": "True if all entries in the 'fim_entry' table should be deleted. False otherwise."
                    }
                },
                {
                    "initial_clean": {
                        "type": "fixture",
                        "brief": "Clean the environment by removing the stats files and the testing dir."
                    }
                },
                {
                    "modify_local_internal_options": {
                        "type": "fixture",
                        "brief": "Replace the 'local_internal_options' file."
                    }
                }
            ],
            "assertions": [
                "Benchmark the statistics recollection by the Wazuh daemons related to the FIM module and collect the generated metrics to store them in CSV files."
            ],
            "input_description": "A template is used for the main configuration of the agent. It is included in an external '.conf' file (template_agent.conf). The test cases are defined in the module.",
            "expected_output": [
                "A CSV file with the metrics collected from the 'wazuh-db' daemon.",
                "A CSV file with the metrics collected from the 'wazuh-analysisd' daemon.",
                "A CSV file with the metrics collected from the 'wazuh-remoted' daemon.",
                "A CSV file with the metrics collected from the agents.",
                "A CSV file with the metrics collected from the '.state' files."
            ],
            "tags": [
                "realtime"
            ],
            "name": "test_initialize_stats_collector",
            "inputs": [
                "200-200-0-/test0k-no-0-False-False-True",
                "200-200-0-/test0k-no-1-True-False-False",
                "200-200-0-/test0k-no-2-False-True-False",
                "200-200-5000-/test5k-no-0-False-False-True",
                "200-200-5000-/test5k-no-1-True-False-False",
                "200-200-5000-/test5k-no-2-False-True-False",
                "1000-200-5000-/test5k-no-0-False-False-True",
                "1000-200-5000-/test5k-no-1-True-False-False",
                "1000-200-5000-/test5k-no-2-False-True-False",
                "5000-200-5000-/test5k-yes-0-False-False-True",
                "5000-200-5000-/test5k-yes-1-True-False-False",
                "5000-200-5000-/test5k-yes-2-False-True-False",
                "200-200-10000-/test10k-no-0-False-False-True",
                "200-200-10000-/test10k-no-1-True-False-False",
                "200-200-10000-/test10k-no-2-False-True-False",
                "1000-200-10000-/test10k-no-0-False-False-True",
                "1000-200-10000-/test10k-no-1-True-False-False",
                "1000-200-10000-/test10k-no-2-False-True-False",
                "5000-200-10000-/test10k-yes-0-False-False-True",
                "5000-200-10000-/test10k-yes-1-True-False-False",
                "5000-200-10000-/test10k-yes-2-False-True-False",
                "200-200-25000-/test25k-no-0-False-False-True",
                "200-200-25000-/test25k-no-1-True-False-False",
                "200-200-25000-/test25k-no-2-False-True-False",
                "1000-200-25000-/test25k-no-0-False-False-True",
                "1000-200-25000-/test25k-no-1-True-False-False",
                "1000-200-25000-/test25k-no-2-False-True-False",
                "5000-200-25000-/test25k-yes-0-False-False-True",
                "5000-200-25000-/test25k-yes-1-True-False-False",
                "5000-200-25000-/test25k-yes-2-False-True-False",
                "200-200-50000-/test50k-no-0-False-False-True",
                "200-200-50000-/test50k-no-1-True-False-False",
                "200-200-50000-/test50k-no-2-False-True-False",
                "1000-200-50000-/test50k-no-0-False-False-True",
                "1000-200-50000-/test50k-no-1-True-False-False",
                "1000-200-50000-/test50k-no-2-False-True-False",
                "5000-200-50000-/test50k-yes-0-False-False-True",
                "5000-200-50000-/test50k-yes-1-True-False-False",
                "5000-200-50000-/test50k-yes-2-False-True-False",
                "200-200-100000-/test100k-no-0-False-False-True",
                "200-200-100000-/test100k-no-1-True-False-False",
                "200-200-100000-/test100k-no-2-False-True-False",
                "1000-200-100000-/test100k-no-0-False-False-True",
                "1000-200-100000-/test100k-no-1-True-False-False",
                "1000-200-100000-/test100k-no-2-False-True-False",
                "5000-200-100000-/test100k-yes-0-False-False-True",
                "5000-200-100000-/test100k-yes-1-True-False-False",
                "5000-200-100000-/test100k-yes-2-False-True-False"
            ]
        }
    ]
}

test_stats_integrity_sync.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggering
  alerts when these files are modified. Specifically, these tests will check the overall
  performance of the statistics recollection by the Wazuh daemons related to the FIM
  module. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks
  configured files for changes to the checksums, permissions, and ownership.
components:
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <info@wazuh.com>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 4
id: 6
modules:
- fim
name: test_stats_integrity_sync.py
os_platform:
- linux
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
tags:
- fim_stats_integrity_sync
tests:
- assertions:
  - Benchmark the statistics recollection by the Wazuh daemons related to the FIM
    module and collect the generated metrics to store them in CSV files.
  description: Check the overall performance in terms of statistics recollection by
    the Wazuh daemons related to the FIM module. For this purpose, the test will initialize
    several agents that send to the manager a variable load of events (sync and FIM
    events). Then, it will collect the metrics generated by the 'wazuh-db', 'wazuh-analysisd',
    'wazuh-remoted' daemons, and the agents. Finally, the test will store those metrics
    in several CSV files.
  expected_output:
  - A CSV file with the metrics collected from the 'wazuh-db' daemon.
  - A CSV file with the metrics collected from the 'wazuh-analysisd' daemon.
  - A CSV file with the metrics collected from the 'wazuh-remoted' daemon.
  - A CSV file with the metrics collected from the agents.
  - A CSV file with the metrics collected from the '.state' files.
  input_description: A template is used for the main configuration of the agent. It
    is included in an external '.conf' file (template_agent.conf). The test cases
    are defined in the module.
  inputs:
  - 200-200-0-/test0k-no-0-False-False-True
  - 200-200-0-/test0k-no-1-True-False-False
  - 200-200-0-/test0k-no-2-False-True-False
  - 200-200-5000-/test5k-no-0-False-False-True
  - 200-200-5000-/test5k-no-1-True-False-False
  - 200-200-5000-/test5k-no-2-False-True-False
  - 1000-200-5000-/test5k-no-0-False-False-True
  - 1000-200-5000-/test5k-no-1-True-False-False
  - 1000-200-5000-/test5k-no-2-False-True-False
  - 5000-200-5000-/test5k-yes-0-False-False-True
  - 5000-200-5000-/test5k-yes-1-True-False-False
  - 5000-200-5000-/test5k-yes-2-False-True-False
  - 200-200-10000-/test10k-no-0-False-False-True
  - 200-200-10000-/test10k-no-1-True-False-False
  - 200-200-10000-/test10k-no-2-False-True-False
  - 1000-200-10000-/test10k-no-0-False-False-True
  - 1000-200-10000-/test10k-no-1-True-False-False
  - 1000-200-10000-/test10k-no-2-False-True-False
  - 5000-200-10000-/test10k-yes-0-False-False-True
  - 5000-200-10000-/test10k-yes-1-True-False-False
  - 5000-200-10000-/test10k-yes-2-False-True-False
  - 200-200-25000-/test25k-no-0-False-False-True
  - 200-200-25000-/test25k-no-1-True-False-False
  - 200-200-25000-/test25k-no-2-False-True-False
  - 1000-200-25000-/test25k-no-0-False-False-True
  - 1000-200-25000-/test25k-no-1-True-False-False
  - 1000-200-25000-/test25k-no-2-False-True-False
  - 5000-200-25000-/test25k-yes-0-False-False-True
  - 5000-200-25000-/test25k-yes-1-True-False-False
  - 5000-200-25000-/test25k-yes-2-False-True-False
  - 200-200-50000-/test50k-no-0-False-False-True
  - 200-200-50000-/test50k-no-1-True-False-False
  - 200-200-50000-/test50k-no-2-False-True-False
  - 1000-200-50000-/test50k-no-0-False-False-True
  - 1000-200-50000-/test50k-no-1-True-False-False
  - 1000-200-50000-/test50k-no-2-False-True-False
  - 5000-200-50000-/test50k-yes-0-False-False-True
  - 5000-200-50000-/test50k-yes-1-True-False-False
  - 5000-200-50000-/test50k-yes-2-False-True-False
  - 200-200-100000-/test100k-no-0-False-False-True
  - 200-200-100000-/test100k-no-1-True-False-False
  - 200-200-100000-/test100k-no-2-False-True-False
  - 1000-200-100000-/test100k-no-0-False-False-True
  - 1000-200-100000-/test100k-no-1-True-False-False
  - 1000-200-100000-/test100k-no-2-False-True-False
  - 5000-200-100000-/test100k-yes-0-False-False-True
  - 5000-200-100000-/test100k-yes-1-True-False-False
  - 5000-200-100000-/test100k-yes-2-False-True-False
  name: test_initialize_stats_collector
  parameters:
  - fim_eps:
      brief: Number of FIM events per second to generate.
      type: str
  - sync_eps:
      brief: Number of synchronization events per second to generate.
      type: str
  - files:
      brief: Number of testing files to be created.
      type: str
  - directory:
      brief: Path to the directoy to be monitored.
      type: str
  - buffer:
      brief: Enable the agent buffer to avoid events flooding.
      type: str
  - case:
      brief: ID of the test case to be tested.
      type: int
  - modify_file:
      brief: True for modify the checksum of a testing file. False otherwise.
      type: bool
  - modify_all:
      brief: True for modify all checksums in the database. False otherwise.
      type: bool
  - restore_all:
      brief: True if all entries in the 'fim_entry' table should be deleted. False
        otherwise.
      type: bool
  - initial_clean:
      brief: Clean the environment by removing the stats files and the testing dir.
      type: fixture
  - modify_local_internal_options:
      brief: Replace the 'local_internal_options' file.
      type: fixture
  tags:
  - realtime
  wazuh_min_version: 4.2.0
tier: 3
type: integration

Tests

  • Python codebase satisfies PEP-8 style guide. pycodestyle --max-line-length=120 --show-source --show-pep8 file.py.
  • The DocGenerator sanity check test does not return errors. python3 DocGenerator.py -s

…fim/test_files documentation in QA Docs style

The following tests have been documented:
  * test_scan_day.py
  * test_scan_day_and_time.py
  * test_scan_time.py
The current scheme of the issue #1694 has been used.
PEP-8 fixes.

Closes: #2031
…fim/test_files documentation in QA Docs style

The following tests have been documented:
  * test_skip.py
  * test_FIM_performance.py
  * test_stats_integrity_sync.py
The current scheme of the issue #1694 has been used.
Updated config.yaml
PEP-8 fixes.

Closes: #2031
@mdengra mdengra requested a review from roronoasins October 14, 2021 14:31
@mdengra mdengra self-assigned this Oct 14, 2021
@mdengra mdengra changed the title Migrate test_scan, test_skip, and test_stats_integrity_sync of test_fim/test_files Migrate test_scan, test_skip, and test_stats_integrity_sync of test_fim/test_files Oct 14, 2021
@mdengra mdengra changed the title Migrate test_scan, test_skip, and test_stats_integrity_sync of test_fim/test_files Migrate test_scan, test_skip, and test_stats_integrity_sync of test_fim/test_files documentation to qa-docs Oct 14, 2021
@roronoasins roronoasins left a comment

👍
