
Migrate test_basic_usage of test_fim/test_files documentation to qa-docs #2109

Merged
merged 3 commits into from
Nov 2, 2021

Conversation

mdengra
Contributor

@mdengra mdengra commented Oct 25, 2021

Related issue
#1796

Description

As part of epic #1796 and issue #1810, this PR adds the missing documentation and migrates the current documentation to the new format used by qa-docs.
The schema used is the one defined in issue #1694.

Generated documentation

test_basic_usage_baseline_generation.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "The File Integrity Monitoring (FIM) system watches selected files and triggers alerts when these files are modified. Specifically, these tests will check if the modifications made on files during the initial scan ('baseline') generate events when the scan is finished. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 0,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux",
        "windows"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6",
        "Windows 10",
        "Windows 8",
        "Windows 7",
        "Windows Server 2019",
        "Windows Server 2016",
        "Windows Server 2012",
        "Windows Server 2003",
        "Windows XP"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_basic_usage"
    ],
    "name": "test_basic_usage_baseline_generation.py",
    "id": 15,
    "group_id": 0,
    "tests": [
        {
            "description": "Check if FIM events are appearing after the 'baseline'. The log message 'File integrity monitoring scan ended' informs about the end of the first scan, which generates the 'baseline'. For this purpose, the test creates a test file while the initial scan is being performed. When the baseline has been generated it checks if the FIM addition event has been triggered.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                }
            ],
            "assertions": [
                "Verify that a FIM addition event was generated during the initial scan."
            ],
            "input_description": "A test case (ossec_conf) is contained in external YAML file (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon and it is combined with the testing directories to be monitored defined in this module.",
            "expected_output": [
                {
                    "r'.*Sending FIM event": "(.+)$'"
                }
            ],
            "tags": [
                "realtime"
            ],
            "name": "test_wait_until_baseline",
            "inputs": [
                "get_configuration0",
                "get_configuration1"
            ]
        }
    ]
}

test_basic_usage_baseline_generation.yaml

brief: The File Integrity Monitoring (FIM) system watches selected files and triggers
  alerts when these files are modified. Specifically, these tests will check if the
  modifications made on files during the initial scan ('baseline') generate events
  when the scan is finished. The FIM capability is managed by the 'wazuh-syscheckd'
  daemon, which checks configured files for changes to the checksums, permissions,
  and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <info@wazuh.com>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 0
id: 15
modules:
- fim
name: test_basic_usage_baseline_generation.py
os_platform:
- linux
- windows
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
- Windows 10
- Windows 8
- Windows 7
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012
- Windows Server 2003
- Windows XP
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
tags:
- fim_basic_usage
tests:
- assertions:
  - Verify that a FIM addition event was generated during the initial scan.
  description: Check if FIM events are appearing after the 'baseline'. The log message
    'File integrity monitoring scan ended' informs about the end of the first scan,
    which generates the 'baseline'. For this purpose, the test creates a test file
    while the initial scan is being performed. When the baseline has been generated
    it checks if the FIM addition event has been triggered.
  expected_output:
  - r'.*Sending FIM event: (.+)$'
  input_description: A test case (ossec_conf) is contained in external YAML file (wazuh_conf.yaml)
    which includes configuration settings for the 'wazuh-syscheckd' daemon and it
    is combined with the testing directories to be monitored defined in this module.
  inputs:
  - get_configuration0
  - get_configuration1
  name: test_wait_until_baseline
  parameters:
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  tags:
  - realtime
  wazuh_min_version: 4.2.0
tier: 0
type: integration


test_basic_usage_changes.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "The File Integrity Monitoring (FIM) system watches selected files and triggers alerts when these files are modified. In particular, these tests will check if common operations ('add', 'modify', and 'delete') on monitored directories are correctly detected. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 0,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux",
        "windows",
        "macos",
        "solaris"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6",
        "Windows 10",
        "Windows 8",
        "Windows 7",
        "Windows Server 2019",
        "Windows Server 2016",
        "Windows Server 2012",
        "Windows Server 2003",
        "Windows XP",
        "macOS Catalina",
        "Solaris 10",
        "Solaris 11"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_basic_usage"
    ],
    "name": "test_basic_usage_changes.py",
    "id": 16,
    "group_id": 0,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' daemon detects regular file changes (add, modify, delete). For this purpose, the test uses different character encodings in the names of the testing directories and files and performs operations on them. Finally, it verifies that the FIM events have been generated properly.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "folder": {
                        "type": "str",
                        "brief": "Path to the monitored testing directory."
                    }
                },
                {
                    "name": {
                        "type": "str",
                        "brief": "Name used for the testing files."
                    }
                },
                {
                    "encoding": {
                        "type": "str",
                        "brief": "Character encoding used for the directory and testing files."
                    }
                },
                {
                    "checkers": {
                        "type": "dict",
                        "brief": "Syscheck checkers (check_all)."
                    }
                },
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run the test if it matches a configuration identifier, skip otherwise."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that all FIM events are generated for the operations performed, and these contain all 'check_' fields specified in the configuration."
            ],
            "input_description": "A test case (ossec_conf) is contained in external YAML file (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon and it is combined with the testing directories to be monitored defined in this module.",
            "expected_output": [
                {
                    "r'.*Sending FIM event": "(.+)$' (Initial scan when restarting Wazuh)"
                },
                "Multiple FIM event logs for the monitored directories."
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_regular_file_changes",
            "inputs": [
                "get_configuration0-0.25-tags_to_apply0",
                "get_configuration0-0.5-tags_to_apply1",
                "get_configuration0-0.75-tags_to_apply2",
                "get_configuration0-1-tags_to_apply3",
                "get_configuration0-1.25-tags_to_apply4",
                "get_configuration0-1.5-tags_to_apply5",
                "get_configuration0-1.75-tags_to_apply6",
                "get_configuration0-2-tags_to_apply7",
                "get_configuration1-0.25-tags_to_apply0",
                "get_configuration1-0.5-tags_to_apply1",
                "get_configuration1-0.75-tags_to_apply2",
                "get_configuration1-1-tags_to_apply3",
                "get_configuration1-1.25-tags_to_apply4",
                "get_configuration1-1.5-tags_to_apply5",
                "get_configuration1-1.75-tags_to_apply6",
                "get_configuration1-2-tags_to_apply7",
                "get_configuration0-regular0-None-checkers0-tags_to_apply0-/testdir1",
                "get_configuration0-regular0-None-checkers0-tags_to_apply0-/testdir2",
                "get_configuration0-\\u6a94\\u6848-cp950-checkers1-tags_to_apply1-/testdir1",
                "get_configuration0-\\u6a94\\u6848-cp950-checkers1-tags_to_apply1-/testdir2",
                "get_configuration0-\\u041e\\u0431\\u0440\\u0430\\u0437\\u0435\\u0446\\u0442\\u0435\\u043a\\u0441\\u0442\\u0430-koi8-r-checkers2-tags_to_apply2-/testdir1",
                "get_configuration0-\\u041e\\u0431\\u0440\\u0430\\u0437\\u0435\\u0446\\u0442\\u0435\\u043a\\u0441\\u0442\\u0430-koi8-r-checkers2-tags_to_apply2-/testdir2",
                "get_configuration0-\\u0394\\u03b5\\u03af\\u03b3\\u03bc\\u03b1\\u03ba\\u03b5\\u03b9\\u03bc\\u03ad\\u03bd\\u03bf\\u03c5-cp737-checkers3-tags_to_apply3-/testdir1",
                "get_configuration0-\\u0394\\u03b5\\u03af\\u03b3\\u03bc\\u03b1\\u03ba\\u03b5\\u03b9\\u03bc\\u03ad\\u03bd\\u03bf\\u03c5-cp737-checkers3-tags_to_apply3-/testdir2",
                "get_configuration0-\\u0646\\u0635\\u0628\\u0633\\u064a\\u0637-cp720-checkers4-tags_to_apply4-/testdir1",
                "get_configuration0-\\u0646\\u0635\\u0628\\u0633\\u064a\\u0637-cp720-checkers4-tags_to_apply4-/testdir2",
                "get_configuration0-\\u039e\\xb3\\u039e\\xb5\\u039e\\u0389\\u039e\\xb1-None-checkers5-tags_to_apply5-/testdir1",
                "get_configuration0-\\u039e\\xb3\\u039e\\xb5\\u039e\\u0389\\u039e\\xb1-None-checkers5-tags_to_apply5-/testdir2",
                "get_configuration1-regular0-None-checkers0-tags_to_apply0-/testdir1",
                "get_configuration1-regular0-None-checkers0-tags_to_apply0-/testdir2",
                "get_configuration1-\\u6a94\\u6848-cp950-checkers1-tags_to_apply1-/testdir1",
                "get_configuration1-\\u6a94\\u6848-cp950-checkers1-tags_to_apply1-/testdir2",
                "get_configuration1-\\u041e\\u0431\\u0440\\u0430\\u0437\\u0435\\u0446\\u0442\\u0435\\u043a\\u0441\\u0442\\u0430-koi8-r-checkers2-tags_to_apply2-/testdir1",
                "get_configuration1-\\u041e\\u0431\\u0440\\u0430\\u0437\\u0435\\u0446\\u0442\\u0435\\u043a\\u0441\\u0442\\u0430-koi8-r-checkers2-tags_to_apply2-/testdir2",
                "get_configuration1-\\u0394\\u03b5\\u03af\\u03b3\\u03bc\\u03b1\\u03ba\\u03b5\\u03b9\\u03bc\\u03ad\\u03bd\\u03bf\\u03c5-cp737-checkers3-tags_to_apply3-/testdir1",
                "get_configuration1-\\u0394\\u03b5\\u03af\\u03b3\\u03bc\\u03b1\\u03ba\\u03b5\\u03b9\\u03bc\\u03ad\\u03bd\\u03bf\\u03c5-cp737-checkers3-tags_to_apply3-/testdir2",
                "get_configuration1-\\u0646\\u0635\\u0628\\u0633\\u064a\\u0637-cp720-checkers4-tags_to_apply4-/testdir1",
                "get_configuration1-\\u0646\\u0635\\u0628\\u0633\\u064a\\u0637-cp720-checkers4-tags_to_apply4-/testdir2",
                "get_configuration1-\\u039e\\xb3\\u039e\\xb5\\u039e\\u0389\\u039e\\xb1-None-checkers5-tags_to_apply5-/testdir1",
                "get_configuration1-\\u039e\\xb3\\u039e\\xb5\\u039e\\u0389\\u039e\\xb1-None-checkers5-tags_to_apply5-/testdir2",
                "get_configuration2-regular0-None-checkers0-tags_to_apply0-/testdir1",
                "get_configuration2-regular0-None-checkers0-tags_to_apply0-/testdir2",
                "get_configuration2-\\u6a94\\u6848-cp950-checkers1-tags_to_apply1-/testdir1",
                "get_configuration2-\\u6a94\\u6848-cp950-checkers1-tags_to_apply1-/testdir2",
                "get_configuration2-\\u041e\\u0431\\u0440\\u0430\\u0437\\u0435\\u0446\\u0442\\u0435\\u043a\\u0441\\u0442\\u0430-koi8-r-checkers2-tags_to_apply2-/testdir1",
                "get_configuration2-\\u041e\\u0431\\u0440\\u0430\\u0437\\u0435\\u0446\\u0442\\u0435\\u043a\\u0441\\u0442\\u0430-koi8-r-checkers2-tags_to_apply2-/testdir2",
                "get_configuration2-\\u0394\\u03b5\\u03af\\u03b3\\u03bc\\u03b1\\u03ba\\u03b5\\u03b9\\u03bc\\u03ad\\u03bd\\u03bf\\u03c5-cp737-checkers3-tags_to_apply3-/testdir1",
                "get_configuration2-\\u0394\\u03b5\\u03af\\u03b3\\u03bc\\u03b1\\u03ba\\u03b5\\u03b9\\u03bc\\u03ad\\u03bd\\u03bf\\u03c5-cp737-checkers3-tags_to_apply3-/testdir2",
                "get_configuration2-\\u0646\\u0635\\u0628\\u0633\\u064a\\u0637-cp720-checkers4-tags_to_apply4-/testdir1",
                "get_configuration2-\\u0646\\u0635\\u0628\\u0633\\u064a\\u0637-cp720-checkers4-tags_to_apply4-/testdir2",
                "get_configuration2-\\u039e\\xb3\\u039e\\xb5\\u039e\\u0389\\u039e\\xb1-None-checkers5-tags_to_apply5-/testdir1",
                "get_configuration2-\\u039e\\xb3\\u039e\\xb5\\u039e\\u0389\\u039e\\xb1-None-checkers5-tags_to_apply5-/testdir2"
            ]
        }
    ]
}

test_basic_usage_changes.yaml

brief: The File Integrity Monitoring (FIM) system watches selected files and triggers
  alerts when these files are modified. In particular, these tests will check if common
  operations ('add', 'modify', and 'delete') on monitored directories are correctly
  detected. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks
  configured files for changes to the checksums, permissions, and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <info@wazuh.com>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 0
id: 16
modules:
- fim
name: test_basic_usage_changes.py
os_platform:
- linux
- windows
- macos
- solaris
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
- Windows 10
- Windows 8
- Windows 7
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012
- Windows Server 2003
- Windows XP
- macOS Catalina
- Solaris 10
- Solaris 11
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
tags:
- fim_basic_usage
tests:
- assertions:
  - Verify that all FIM events are generated for the operations performed, and these
    contain all 'check_' fields specified in the configuration.
  description: Check if the 'wazuh-syscheckd' daemon detects regular file changes
    (add, modify, delete). For this purpose, the test uses different character encodings
    in the names of the testing directories and files and performs operations on them.
    Finally, it verifies that the FIM events have been generated properly.
  expected_output:
  - r'.*Sending FIM event: (.+)$' (Initial scan when restarting Wazuh)
  - Multiple FIM event logs for the monitored directories.
  input_description: A test case (ossec_conf) is contained in external YAML file (wazuh_conf.yaml)
    which includes configuration settings for the 'wazuh-syscheckd' daemon and it
    is combined with the testing directories to be monitored defined in this module.
  inputs:
  - get_configuration0-0.25-tags_to_apply0
  - get_configuration0-0.5-tags_to_apply1
  - get_configuration0-0.75-tags_to_apply2
  - get_configuration0-1-tags_to_apply3
  - get_configuration0-1.25-tags_to_apply4
  - get_configuration0-1.5-tags_to_apply5
  - get_configuration0-1.75-tags_to_apply6
  - get_configuration0-2-tags_to_apply7
  - get_configuration1-0.25-tags_to_apply0
  - get_configuration1-0.5-tags_to_apply1
  - get_configuration1-0.75-tags_to_apply2
  - get_configuration1-1-tags_to_apply3
  - get_configuration1-1.25-tags_to_apply4
  - get_configuration1-1.5-tags_to_apply5
  - get_configuration1-1.75-tags_to_apply6
  - get_configuration1-2-tags_to_apply7
  - get_configuration0-regular0-None-checkers0-tags_to_apply0-/testdir1
  - get_configuration0-regular0-None-checkers0-tags_to_apply0-/testdir2
  - get_configuration0-\u6a94\u6848-cp950-checkers1-tags_to_apply1-/testdir1
  - get_configuration0-\u6a94\u6848-cp950-checkers1-tags_to_apply1-/testdir2
  - get_configuration0-\u041e\u0431\u0440\u0430\u0437\u0435\u0446\u0442\u0435\u043a\u0441\u0442\u0430-koi8-r-checkers2-tags_to_apply2-/testdir1
  - get_configuration0-\u041e\u0431\u0440\u0430\u0437\u0435\u0446\u0442\u0435\u043a\u0441\u0442\u0430-koi8-r-checkers2-tags_to_apply2-/testdir2
  - get_configuration0-\u0394\u03b5\u03af\u03b3\u03bc\u03b1\u03ba\u03b5\u03b9\u03bc\u03ad\u03bd\u03bf\u03c5-cp737-checkers3-tags_to_apply3-/testdir1
  - get_configuration0-\u0394\u03b5\u03af\u03b3\u03bc\u03b1\u03ba\u03b5\u03b9\u03bc\u03ad\u03bd\u03bf\u03c5-cp737-checkers3-tags_to_apply3-/testdir2
  - get_configuration0-\u0646\u0635\u0628\u0633\u064a\u0637-cp720-checkers4-tags_to_apply4-/testdir1
  - get_configuration0-\u0646\u0635\u0628\u0633\u064a\u0637-cp720-checkers4-tags_to_apply4-/testdir2
  - get_configuration0-\u039e\xb3\u039e\xb5\u039e\u0389\u039e\xb1-None-checkers5-tags_to_apply5-/testdir1
  - get_configuration0-\u039e\xb3\u039e\xb5\u039e\u0389\u039e\xb1-None-checkers5-tags_to_apply5-/testdir2
  - get_configuration1-regular0-None-checkers0-tags_to_apply0-/testdir1
  - get_configuration1-regular0-None-checkers0-tags_to_apply0-/testdir2
  - get_configuration1-\u6a94\u6848-cp950-checkers1-tags_to_apply1-/testdir1
  - get_configuration1-\u6a94\u6848-cp950-checkers1-tags_to_apply1-/testdir2
  - get_configuration1-\u041e\u0431\u0440\u0430\u0437\u0435\u0446\u0442\u0435\u043a\u0441\u0442\u0430-koi8-r-checkers2-tags_to_apply2-/testdir1
  - get_configuration1-\u041e\u0431\u0440\u0430\u0437\u0435\u0446\u0442\u0435\u043a\u0441\u0442\u0430-koi8-r-checkers2-tags_to_apply2-/testdir2
  - get_configuration1-\u0394\u03b5\u03af\u03b3\u03bc\u03b1\u03ba\u03b5\u03b9\u03bc\u03ad\u03bd\u03bf\u03c5-cp737-checkers3-tags_to_apply3-/testdir1
  - get_configuration1-\u0394\u03b5\u03af\u03b3\u03bc\u03b1\u03ba\u03b5\u03b9\u03bc\u03ad\u03bd\u03bf\u03c5-cp737-checkers3-tags_to_apply3-/testdir2
  - get_configuration1-\u0646\u0635\u0628\u0633\u064a\u0637-cp720-checkers4-tags_to_apply4-/testdir1
  - get_configuration1-\u0646\u0635\u0628\u0633\u064a\u0637-cp720-checkers4-tags_to_apply4-/testdir2
  - get_configuration1-\u039e\xb3\u039e\xb5\u039e\u0389\u039e\xb1-None-checkers5-tags_to_apply5-/testdir1
  - get_configuration1-\u039e\xb3\u039e\xb5\u039e\u0389\u039e\xb1-None-checkers5-tags_to_apply5-/testdir2
  - get_configuration2-regular0-None-checkers0-tags_to_apply0-/testdir1
  - get_configuration2-regular0-None-checkers0-tags_to_apply0-/testdir2
  - get_configuration2-\u6a94\u6848-cp950-checkers1-tags_to_apply1-/testdir1
  - get_configuration2-\u6a94\u6848-cp950-checkers1-tags_to_apply1-/testdir2
  - get_configuration2-\u041e\u0431\u0440\u0430\u0437\u0435\u0446\u0442\u0435\u043a\u0441\u0442\u0430-koi8-r-checkers2-tags_to_apply2-/testdir1
  - get_configuration2-\u041e\u0431\u0440\u0430\u0437\u0435\u0446\u0442\u0435\u043a\u0441\u0442\u0430-koi8-r-checkers2-tags_to_apply2-/testdir2
  - get_configuration2-\u0394\u03b5\u03af\u03b3\u03bc\u03b1\u03ba\u03b5\u03b9\u03bc\u03ad\u03bd\u03bf\u03c5-cp737-checkers3-tags_to_apply3-/testdir1
  - get_configuration2-\u0394\u03b5\u03af\u03b3\u03bc\u03b1\u03ba\u03b5\u03b9\u03bc\u03ad\u03bd\u03bf\u03c5-cp737-checkers3-tags_to_apply3-/testdir2
  - get_configuration2-\u0646\u0635\u0628\u0633\u064a\u0637-cp720-checkers4-tags_to_apply4-/testdir1
  - get_configuration2-\u0646\u0635\u0628\u0633\u064a\u0637-cp720-checkers4-tags_to_apply4-/testdir2
  - get_configuration2-\u039e\xb3\u039e\xb5\u039e\u0389\u039e\xb1-None-checkers5-tags_to_apply5-/testdir1
  - get_configuration2-\u039e\xb3\u039e\xb5\u039e\u0389\u039e\xb1-None-checkers5-tags_to_apply5-/testdir2
  name: test_regular_file_changes
  parameters:
  - folder:
      brief: Path to the monitored testing directory.
      type: str
  - name:
      brief: Name used for the testing files.
      type: str
  - encoding:
      brief: Character encoding used for the directory and testing files.
      type: str
  - checkers:
      brief: Syscheck checkers (check_all).
      type: dict
  - tags_to_apply:
      brief: Run the test if it matches a configuration identifier, skip otherwise.
      type: set
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
tier: 0
type: integration
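The two test descriptions above (test_wait_until_baseline, which waits for the 'File integrity monitoring scan ended' marker before expecting the addition event, and test_regular_file_changes, which checks that add/modify/delete events carry every attribute the configured 'check_' options require) can be modelled with a small log-parsing script. The following is an added example written for this page, not code from the wazuh-qa repository or from this PR: it applies the expected_output regex from the docs to constructed ossec.log lines. The log-line prefix, the event JSON layout and the mapping from 'check_' options to attribute names are assumptions chosen to match the docs' wording, not captured wazuh-syscheckd output.

```python
"""Added example, not code from the wazuh-qa repository or this PR.

Models the checks behind test_wait_until_baseline and test_regular_file_changes
over constructed ossec.log lines. Log prefix, event JSON layout and the
'check_' option to attribute mapping are assumptions, not captured output.
"""
import json
import re
from typing import Dict, Iterable, List, Set, Tuple

# From the docs: the expected_output regex and the 'baseline' end marker.
FIM_EVENT_RE = re.compile(r".*Sending FIM event: (.+)$")
SCAN_ENDED_RE = re.compile(r".*File integrity monitoring scan ended")

# Assumed mapping from syscheck 'check_' options to event attribute keys.
CHECK_FIELDS: Dict[str, Set[str]] = {
    "check_size": {"size"}, "check_perm": {"perm"}, "check_mtime": {"mtime"},
    "check_owner": {"uid", "user_name"}, "check_group": {"gid", "group_name"},
    "check_inode": {"inode"}, "check_md5sum": {"hash_md5"},
    "check_sha1sum": {"hash_sha1"}, "check_sha256sum": {"hash_sha256"},
}
CHECK_ALL: Set[str] = set(CHECK_FIELDS)


def parse_fim_events(lines: Iterable[str], after_baseline: bool = False) -> List[dict]:
    """Extract FIM event dicts; with after_baseline=True, drop events logged
    before the 'scan ended' marker, as test_wait_until_baseline requires."""
    events: List[dict] = []
    baseline_done = not after_baseline
    for line in lines:
        if SCAN_ENDED_RE.match(line):
            baseline_done = True
            continue
        match = FIM_EVENT_RE.match(line)
        if match and baseline_done:
            events.append(json.loads(match.group(1)))
    return events


def missing_check_fields(event: dict, checkers: Set[str]) -> Set[str]:
    """Attribute keys required by `checkers` that an added/modified event lacks."""
    data = event["data"]
    if data["type"] == "deleted":  # deletions carry no attributes in this model
        return set()
    required = set().union(*(CHECK_FIELDS[c] for c in checkers))
    return required - set(data.get("attributes", {}))


def validate_file_changes(lines: Iterable[str], path: str,
                          checkers: Set[str] = CHECK_ALL) -> Tuple[bool, str]:
    """Require an added/modified/deleted cycle for `path`, each event carrying
    every attribute the configured checkers demand (test_regular_file_changes)."""
    events = [e for e in parse_fim_events(lines) if e["data"]["path"] == path]
    seen = [e["data"]["type"] for e in events]
    if seen != ["added", "modified", "deleted"]:
        return False, f"unexpected event sequence for {path}: {seen}"
    for event in events:
        missing = missing_check_fields(event, checkers)
        if missing:
            return False, f"{event['data']['type']} event for {path} lacks {sorted(missing)}"
    return True, "ok"


# Constructed sample log (not real wazuh-syscheckd output); hashes are an empty file's.
LOG_PREFIX = "2021/10/25 10:00:00 wazuh-syscheckd: "
FULL_ATTRS = {
    "type": "file", "size": 0, "perm": "rw-r--r--", "uid": "0", "gid": "0",
    "user_name": "root", "group_name": "root", "inode": 1, "mtime": 1,
    "hash_md5": "d41d8cd98f00b204e9800998ecf8427e",
    "hash_sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "hash_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}
CYRILLIC_PATH = "/testdir1/Образецтекста"  # the koi8-r file name listed in the docs' inputs


def _event_line(path: str, etype: str, mode: str = "realtime", attrs=None) -> str:
    """Build one constructed 'Sending FIM event' log line."""
    data = {"path": path, "mode": mode, "type": etype}
    if attrs is not None:
        data["attributes"] = attrs
    payload = json.dumps({"type": "event", "data": data}, ensure_ascii=False)
    return LOG_PREFIX + "DEBUG: Sending FIM event: " + payload


SAMPLE_LOG = [
    LOG_PREFIX + "INFO: File integrity monitoring scan started.",
    _event_line("/testdir1/regular0", "added", "scheduled", FULL_ATTRS),  # during the scan
    LOG_PREFIX + "INFO: File integrity monitoring scan ended.",
    _event_line("/testdir1/baseline_file", "added", "realtime", FULL_ATTRS),  # after baseline
    _event_line(CYRILLIC_PATH, "added", "realtime", FULL_ATTRS),
    _event_line(CYRILLIC_PATH, "modified", "realtime", dict(FULL_ATTRS, size=12, mtime=2)),
    _event_line(CYRILLIC_PATH, "deleted"),
    _event_line("/testdir2/regular0", "added", "realtime", FULL_ATTRS),
    _event_line("/testdir2/regular0", "modified", "realtime",  # hashes dropped: fails check_all
                {k: v for k, v in FULL_ATTRS.items() if not k.startswith("hash_")}),
    _event_line("/testdir2/regular0", "deleted"),
]
```

Running `validate_file_changes(SAMPLE_LOG, CYRILLIC_PATH)` returns `(True, "ok")`, while the same call for `/testdir2/regular0` fails on the 'modified' event because its hash attributes are absent; narrowing `checkers` to `{"check_size", "check_perm"}` makes that path pass, which is why the docs stress that the assertion depends on the 'check_' fields specified in the configuration. The `after_baseline` flag drops the 'added' event logged during the scan, so only the file reported after the marker counts, matching the baseline test's intent.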


test_basic_usage_create_after_delete_dir.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "The File Integrity Monitoring (FIM) system watches selected files and triggers alerts when these files are modified. In particular, these tests will check if FIM events are still generated when a monitored directory is deleted and created again. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 0,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux",
        "windows"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6",
        "Windows 10",
        "Windows 8",
        "Windows 7",
        "Windows Server 2019",
        "Windows Server 2016",
        "Windows Server 2012",
        "Windows Server 2003",
        "Windows XP"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_basic_usage"
    ],
    "name": "test_basic_usage_create_after_delete_dir.py",
    "id": 17,
    "group_id": 0,
    "tests": [
        {
            "description": "Check if a monitored directory keeps reporting FIM events after deleting and creating it again. On Windows systems, it verifies that the directory watcher is refreshed (the SACLs are checked) one second after the directory is re-created. For this purpose, the test creates the testing directory to be monitored, checks that FIM events are generated, and then deletes it. Finally, it creates the directory again and verifies that the events are still generated correctly.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run the test if it matches a configuration identifier, skip otherwise."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that FIM events are still generated when a monitored directory is deleted and created again."
            ],
            "input_description": "A test case (ossec_conf) is contained in an external YAML file (wazuh_conf.yaml or wazuh_conf_win32.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon, and it is combined with the testing directories to be monitored defined in this module.",
            "expected_output": [
                "r'.*Sending FIM event: (.+)$' (Initial scan when restarting Wazuh)",
                "Multiple FIM event logs of the monitored directories."
            ],
            "tags": [
                "realtime",
                "who-data"
            ],
            "name": "test_create_after_delete",
            "inputs": [
                "get_configuration0-tags_to_apply0",
                "get_configuration1-tags_to_apply0"
            ]
        }
    ]
}

test_basic_usage_create_after_delete_dir.yaml

brief: The File Integrity Monitoring (FIM) system watches selected files and triggers
  alerts when these files are modified. In particular, these tests will check if FIM
  events are still generated when a monitored directory is deleted and created again.
  The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured
  files for changes to the checksums, permissions, and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <info@wazuh.com>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 0
id: 17
modules:
- fim
name: test_basic_usage_create_after_delete_dir.py
os_platform:
- linux
- windows
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
- Windows 10
- Windows 8
- Windows 7
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012
- Windows Server 2003
- Windows XP
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adds the 'who-data' information.
- tier:
    0: Only level 0 tests are performed; they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed; they check functionalities of medium complexity.
    2: Only level 2 tests are performed; they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
tags:
- fim_basic_usage
tests:
- assertions:
  - Verify that FIM events are still generated when a monitored directory is deleted
    and created again.
  description: Check if a monitored directory keeps reporting FIM events after deleting
    and creating it again. Under Windows systems, it verifies that the directory watcher
    is refreshed (checks the SACLs) one second after the directory is re-created.
    For this purpose, the test creates the testing directory to be monitored, checks
    that FIM events are generated, and then deletes it. Finally, it creates the directory
    again and verifies that the events are still generated correctly.
  expected_output:
  - "r'.*Sending FIM event: (.+)$' (Initial scan when restarting Wazuh)"
  - Multiple FIM event logs of the monitored directories.
  input_description: A test case (ossec_conf) is contained in an external YAML file (wazuh_conf.yaml
    or wazuh_conf_win32.yaml) which includes configuration settings for the 'wazuh-syscheckd'
    daemon, and it is combined with the testing directories to be monitored defined
    in this module.
  inputs:
  - get_configuration0-tags_to_apply0
  - get_configuration1-tags_to_apply0
  name: test_create_after_delete
  parameters:
  - tags_to_apply:
      brief: Run the test if it matches a configuration identifier, skip otherwise.
      type: set
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - realtime
  - who-data
  wazuh_min_version: 4.2.0
tier: 0
type: integration


test_basic_usage_create_rt_wd.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "The File Integrity Monitoring (FIM) system watches selected files and triggers alerts when these files are modified. In particular, these tests will verify that only regular files are monitored using the 'realtime' and 'whodata' monitoring modes. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 0,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux",
        "windows",
        "macos",
        "solaris"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6",
        "Windows 10",
        "Windows 8",
        "Windows 7",
        "Windows Server 2019",
        "Windows Server 2016",
        "Windows Server 2012",
        "Windows Server 2003",
        "Windows XP",
        "macOS Catalina",
        "Solaris 10",
        "Solaris 11"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adds the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed; they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed; they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed; they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_basic_usage"
    ],
    "name": "test_basic_usage_create_rt_wd.py",
    "id": 18,
    "group_id": 0,
    "tests": [
        {
            "description": "Check if a special or regular file creation is detected by the 'wazuh-syscheckd' daemon using the 'realtime' and 'whodata' monitoring modes. Regular files must be monitored, special files must not. For this purpose, the test creates the testing directories and files using different character encodings in their names. Finally, it verifies that only the regular testing files have generated FIM events.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "folder": {
                        "type": "str",
                        "brief": "Path to the monitored testing directory."
                    }
                },
                {
                    "name": {
                        "type": "str",
                        "brief": "Name used for the testing file."
                    }
                },
                {
                    "filetype": {
                        "type": "str",
                        "brief": "Type of the testing file."
                    }
                },
                {
                    "content": {
                        "type": "str",
                        "brief": "Content of the testing file."
                    }
                },
                {
                    "checkers": {
                        "type": "dict",
                        "brief": "Checks that will be compared to the ones from the event."
                    }
                },
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run the test if it matches a configuration identifier, skip otherwise."
                    }
                },
                {
                    "encoding": {
                        "type": "str",
                        "brief": "Character encoding used for the directory and testing files."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that FIM events are only generated for the regular testing files, and these contain all 'check_' fields specified in the configuration."
            ],
            "input_description": "A test case (ossec_conf) is contained in an external YAML file (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon, and it is combined with the testing directories to be monitored defined in this module.",
            "expected_output": [
                "r'.*Sending FIM event: (.+)$' (Initial scan when restarting Wazuh)",
                "Multiple FIM event logs of the monitored directories."
            ],
            "tags": [
                "realtime",
                "who-data"
            ],
            "name": "test_create_file_realtime_whodata",
            "inputs": [
                "get_configuration0-file-regular-Sample content-checkers0-tags_to_apply0-None-/testdir1",
                "get_configuration0-file-regular-Sample content-checkers0-tags_to_apply0-None-/testdir2",
                "get_configuration0-file2-regular-Sample content-checkers1-tags_to_apply1-None-/testdir1",
                "get_configuration0-file2-regular-Sample content-checkers1-tags_to_apply1-None-/testdir2",
                "get_configuration0-socketfile-socket--checkers2-tags_to_apply2-None-/testdir1",
                "get_configuration0-socketfile-socket--checkers2-tags_to_apply2-None-/testdir2",
                "get_configuration0-file3-regular-Sample content-checkers3-tags_to_apply3-None-/testdir1",
                "get_configuration0-file3-regular-Sample content-checkers3-tags_to_apply3-None-/testdir2",
                "get_configuration0-fifofile-fifo--checkers4-tags_to_apply4-None-/testdir1",
                "get_configuration0-fifofile-fifo--checkers4-tags_to_apply4-None-/testdir2",
                "get_configuration0-file4-regular--checkers5-tags_to_apply5-None-/testdir1",
                "get_configuration0-file4-regular--checkers5-tags_to_apply5-None-/testdir2",
                "get_configuration0-file-\\xf1-regular--checkers6-tags_to_apply6-None-/testdir1",
                "get_configuration0-file-\\xf1-regular--checkers6-tags_to_apply6-None-/testdir2",
                "get_configuration0-\\u6a94\\u6848-regular--checkers7-tags_to_apply7-cp950-/testdir1",
                "get_configuration0-\\u6a94\\u6848-regular--checkers7-tags_to_apply7-cp950-/testdir2",
                "get_configuration0-\\u041e\\u0431\\u0440\\u0430\\u0437\\u0435\\u0446\\u0442\\u0435\\u043a\\u0441\\u0442\\u0430-regular--checkers8-tags_to_apply8-koi8-r-/testdir1",
                "get_configuration0-\\u041e\\u0431\\u0440\\u0430\\u0437\\u0435\\u0446\\u0442\\u0435\\u043a\\u0441\\u0442\\u0430-regular--checkers8-tags_to_apply8-koi8-r-/testdir2",
                "get_configuration0-\\u0394\\u03b5\\u03af\\u03b3\\u03bc\\u03b1\\u03ba\\u03b5\\u03b9\\u03bc\\u03ad\\u03bd\\u03bf\\u03c5-regular--checkers9-tags_to_apply9-cp737-/testdir1",
                "get_configuration0-\\u0394\\u03b5\\u03af\\u03b3\\u03bc\\u03b1\\u03ba\\u03b5\\u03b9\\u03bc\\u03ad\\u03bd\\u03bf\\u03c5-regular--checkers9-tags_to_apply9-cp737-/testdir2",
                "get_configuration0-\\u0646\\u0635\\u0628\\u0633\\u064a\\u0637-regular--checkers10-tags_to_apply10-cp720-/testdir1",
                "get_configuration0-\\u0646\\u0635\\u0628\\u0633\\u064a\\u0637-regular--checkers10-tags_to_apply10-cp720-/testdir2",
                "get_configuration0-\\u039e\\xb3\\u039e\\xb5\\u039e\\u0389\\u039e\\xb1-regular--checkers11-tags_to_apply11-None-/testdir1",
                "get_configuration0-\\u039e\\xb3\\u039e\\xb5\\u039e\\u0389\\u039e\\xb1-regular--checkers11-tags_to_apply11-None-/testdir2",
                "get_configuration1-file-regular-Sample content-checkers0-tags_to_apply0-None-/testdir1",
                "get_configuration1-file-regular-Sample content-checkers0-tags_to_apply0-None-/testdir2",
                "get_configuration1-file2-regular-Sample content-checkers1-tags_to_apply1-None-/testdir1",
                "get_configuration1-file2-regular-Sample content-checkers1-tags_to_apply1-None-/testdir2",
                "get_configuration1-socketfile-socket--checkers2-tags_to_apply2-None-/testdir1",
                "get_configuration1-socketfile-socket--checkers2-tags_to_apply2-None-/testdir2",
                "get_configuration1-file3-regular-Sample content-checkers3-tags_to_apply3-None-/testdir1",
                "get_configuration1-file3-regular-Sample content-checkers3-tags_to_apply3-None-/testdir2",
                "get_configuration1-fifofile-fifo--checkers4-tags_to_apply4-None-/testdir1",
                "get_configuration1-fifofile-fifo--checkers4-tags_to_apply4-None-/testdir2",
                "get_configuration1-file4-regular--checkers5-tags_to_apply5-None-/testdir1",
                "get_configuration1-file4-regular--checkers5-tags_to_apply5-None-/testdir2",
                "get_configuration1-file-\\xf1-regular--checkers6-tags_to_apply6-None-/testdir1",
                "get_configuration1-file-\\xf1-regular--checkers6-tags_to_apply6-None-/testdir2",
                "get_configuration1-\\u6a94\\u6848-regular--checkers7-tags_to_apply7-cp950-/testdir1",
                "get_configuration1-\\u6a94\\u6848-regular--checkers7-tags_to_apply7-cp950-/testdir2",
                "get_configuration1-\\u041e\\u0431\\u0440\\u0430\\u0437\\u0435\\u0446\\u0442\\u0435\\u043a\\u0441\\u0442\\u0430-regular--checkers8-tags_to_apply8-koi8-r-/testdir1",
                "get_configuration1-\\u041e\\u0431\\u0440\\u0430\\u0437\\u0435\\u0446\\u0442\\u0435\\u043a\\u0441\\u0442\\u0430-regular--checkers8-tags_to_apply8-koi8-r-/testdir2",
                "get_configuration1-\\u0394\\u03b5\\u03af\\u03b3\\u03bc\\u03b1\\u03ba\\u03b5\\u03b9\\u03bc\\u03ad\\u03bd\\u03bf\\u03c5-regular--checkers9-tags_to_apply9-cp737-/testdir1",
                "get_configuration1-\\u0394\\u03b5\\u03af\\u03b3\\u03bc\\u03b1\\u03ba\\u03b5\\u03b9\\u03bc\\u03ad\\u03bd\\u03bf\\u03c5-regular--checkers9-tags_to_apply9-cp737-/testdir2",
                "get_configuration1-\\u0646\\u0635\\u0628\\u0633\\u064a\\u0637-regular--checkers10-tags_to_apply10-cp720-/testdir1",
                "get_configuration1-\\u0646\\u0635\\u0628\\u0633\\u064a\\u0637-regular--checkers10-tags_to_apply10-cp720-/testdir2",
                "get_configuration1-\\u039e\\xb3\\u039e\\xb5\\u039e\\u0389\\u039e\\xb1-regular--checkers11-tags_to_apply11-None-/testdir1",
                "get_configuration1-\\u039e\\xb3\\u039e\\xb5\\u039e\\u0389\\u039e\\xb1-regular--checkers11-tags_to_apply11-None-/testdir2"
            ]
        }
    ]
}

test_basic_usage_create_rt_wd.yaml

brief: The File Integrity Monitoring (FIM) system watches selected files and triggers
  alerts when these files are modified. In particular, these tests will verify that
  only regular files are monitored using the 'realtime' and 'whodata' monitoring modes.
  The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured
  files for changes to the checksums, permissions, and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <info@wazuh.com>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 0
id: 18
modules:
- fim
name: test_basic_usage_create_rt_wd.py
os_platform:
- linux
- windows
- macos
- solaris
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
- Windows 10
- Windows 8
- Windows 7
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012
- Windows Server 2003
- Windows XP
- macOS Catalina
- Solaris 10
- Solaris 11
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adds the 'who-data' information.
- tier:
    0: Only level 0 tests are performed; they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed; they check functionalities of medium complexity.
    2: Only level 2 tests are performed; they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
tags:
- fim_basic_usage
tests:
- assertions:
  - Verify that FIM events are only generated for the regular testing files, and these
    contain all 'check_' fields specified in the configuration.
  description: Check if a special or regular file creation is detected by the 'wazuh-syscheckd'
    daemon using the 'realtime' and 'whodata' monitoring modes. Regular files must
    be monitored, special files must not. For this purpose, the test creates the testing
    directories and files using different character encodings in their names. Finally,
    it verifies that only the regular testing files have generated FIM events.
  expected_output:
  - "r'.*Sending FIM event: (.+)$' (Initial scan when restarting Wazuh)"
  - Multiple FIM event logs of the monitored directories.
  input_description: A test case (ossec_conf) is contained in an external YAML file (wazuh_conf.yaml)
    which includes configuration settings for the 'wazuh-syscheckd' daemon, and it
    is combined with the testing directories to be monitored defined in this module.
  inputs:
  - get_configuration0-file-regular-Sample content-checkers0-tags_to_apply0-None-/testdir1
  - get_configuration0-file-regular-Sample content-checkers0-tags_to_apply0-None-/testdir2
  - get_configuration0-file2-regular-Sample content-checkers1-tags_to_apply1-None-/testdir1
  - get_configuration0-file2-regular-Sample content-checkers1-tags_to_apply1-None-/testdir2
  - get_configuration0-socketfile-socket--checkers2-tags_to_apply2-None-/testdir1
  - get_configuration0-socketfile-socket--checkers2-tags_to_apply2-None-/testdir2
  - get_configuration0-file3-regular-Sample content-checkers3-tags_to_apply3-None-/testdir1
  - get_configuration0-file3-regular-Sample content-checkers3-tags_to_apply3-None-/testdir2
  - get_configuration0-fifofile-fifo--checkers4-tags_to_apply4-None-/testdir1
  - get_configuration0-fifofile-fifo--checkers4-tags_to_apply4-None-/testdir2
  - get_configuration0-file4-regular--checkers5-tags_to_apply5-None-/testdir1
  - get_configuration0-file4-regular--checkers5-tags_to_apply5-None-/testdir2
  - get_configuration0-file-\xf1-regular--checkers6-tags_to_apply6-None-/testdir1
  - get_configuration0-file-\xf1-regular--checkers6-tags_to_apply6-None-/testdir2
  - get_configuration0-\u6a94\u6848-regular--checkers7-tags_to_apply7-cp950-/testdir1
  - get_configuration0-\u6a94\u6848-regular--checkers7-tags_to_apply7-cp950-/testdir2
  - get_configuration0-\u041e\u0431\u0440\u0430\u0437\u0435\u0446\u0442\u0435\u043a\u0441\u0442\u0430-regular--checkers8-tags_to_apply8-koi8-r-/testdir1
  - get_configuration0-\u041e\u0431\u0440\u0430\u0437\u0435\u0446\u0442\u0435\u043a\u0441\u0442\u0430-regular--checkers8-tags_to_apply8-koi8-r-/testdir2
  - get_configuration0-\u0394\u03b5\u03af\u03b3\u03bc\u03b1\u03ba\u03b5\u03b9\u03bc\u03ad\u03bd\u03bf\u03c5-regular--checkers9-tags_to_apply9-cp737-/testdir1
  - get_configuration0-\u0394\u03b5\u03af\u03b3\u03bc\u03b1\u03ba\u03b5\u03b9\u03bc\u03ad\u03bd\u03bf\u03c5-regular--checkers9-tags_to_apply9-cp737-/testdir2
  - get_configuration0-\u0646\u0635\u0628\u0633\u064a\u0637-regular--checkers10-tags_to_apply10-cp720-/testdir1
  - get_configuration0-\u0646\u0635\u0628\u0633\u064a\u0637-regular--checkers10-tags_to_apply10-cp720-/testdir2
  - get_configuration0-\u039e\xb3\u039e\xb5\u039e\u0389\u039e\xb1-regular--checkers11-tags_to_apply11-None-/testdir1
  - get_configuration0-\u039e\xb3\u039e\xb5\u039e\u0389\u039e\xb1-regular--checkers11-tags_to_apply11-None-/testdir2
  - get_configuration1-file-regular-Sample content-checkers0-tags_to_apply0-None-/testdir1
  - get_configuration1-file-regular-Sample content-checkers0-tags_to_apply0-None-/testdir2
  - get_configuration1-file2-regular-Sample content-checkers1-tags_to_apply1-None-/testdir1
  - get_configuration1-file2-regular-Sample content-checkers1-tags_to_apply1-None-/testdir2
  - get_configuration1-socketfile-socket--checkers2-tags_to_apply2-None-/testdir1
  - get_configuration1-socketfile-socket--checkers2-tags_to_apply2-None-/testdir2
  - get_configuration1-file3-regular-Sample content-checkers3-tags_to_apply3-None-/testdir1
  - get_configuration1-file3-regular-Sample content-checkers3-tags_to_apply3-None-/testdir2
  - get_configuration1-fifofile-fifo--checkers4-tags_to_apply4-None-/testdir1
  - get_configuration1-fifofile-fifo--checkers4-tags_to_apply4-None-/testdir2
  - get_configuration1-file4-regular--checkers5-tags_to_apply5-None-/testdir1
  - get_configuration1-file4-regular--checkers5-tags_to_apply5-None-/testdir2
  - get_configuration1-file-\xf1-regular--checkers6-tags_to_apply6-None-/testdir1
  - get_configuration1-file-\xf1-regular--checkers6-tags_to_apply6-None-/testdir2
  - get_configuration1-\u6a94\u6848-regular--checkers7-tags_to_apply7-cp950-/testdir1
  - get_configuration1-\u6a94\u6848-regular--checkers7-tags_to_apply7-cp950-/testdir2
  - get_configuration1-\u041e\u0431\u0440\u0430\u0437\u0435\u0446\u0442\u0435\u043a\u0441\u0442\u0430-regular--checkers8-tags_to_apply8-koi8-r-/testdir1
  - get_configuration1-\u041e\u0431\u0440\u0430\u0437\u0435\u0446\u0442\u0435\u043a\u0441\u0442\u0430-regular--checkers8-tags_to_apply8-koi8-r-/testdir2
  - get_configuration1-\u0394\u03b5\u03af\u03b3\u03bc\u03b1\u03ba\u03b5\u03b9\u03bc\u03ad\u03bd\u03bf\u03c5-regular--checkers9-tags_to_apply9-cp737-/testdir1
  - get_configuration1-\u0394\u03b5\u03af\u03b3\u03bc\u03b1\u03ba\u03b5\u03b9\u03bc\u03ad\u03bd\u03bf\u03c5-regular--checkers9-tags_to_apply9-cp737-/testdir2
  - get_configuration1-\u0646\u0635\u0628\u0633\u064a\u0637-regular--checkers10-tags_to_apply10-cp720-/testdir1
  - get_configuration1-\u0646\u0635\u0628\u0633\u064a\u0637-regular--checkers10-tags_to_apply10-cp720-/testdir2
  - get_configuration1-\u039e\xb3\u039e\xb5\u039e\u0389\u039e\xb1-regular--checkers11-tags_to_apply11-None-/testdir1
  - get_configuration1-\u039e\xb3\u039e\xb5\u039e\u0389\u039e\xb1-regular--checkers11-tags_to_apply11-None-/testdir2
  name: test_create_file_realtime_whodata
  parameters:
  - folder:
      brief: Path to the monitored testing directory.
      type: str
  - name:
      brief: Name used for the testing file.
      type: str
  - filetype:
      brief: Type of the testing file.
      type: str
  - content:
      brief: Content of the testing file.
      type: str
  - checkers:
      brief: Checks that will be compared to the ones from the event.
      type: dict
  - tags_to_apply:
      brief: Run the test if it matches a configuration identifier, skip otherwise.
      type: set
  - encoding:
      brief: Character encoding used for the directory and testing files.
      type: str
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - realtime
  - who-data
  wazuh_min_version: 4.2.0
tier: 0
type: integration


test_basic_usage_create_scheduled.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "The File Integrity Monitoring (FIM) system watches selected files and triggers alerts when these files are modified. In particular, these tests will verify that only regular files are monitored using the 'scheduled' monitoring mode. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 0,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux",
        "windows",
        "macos",
        "solaris"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6",
        "Windows 10",
        "Windows 8",
        "Windows 7",
        "Windows Server 2019",
        "Windows Server 2016",
        "Windows Server 2012",
        "Windows Server 2003",
        "Windows XP",
        "macOS Catalina",
        "Solaris 10",
        "Solaris 11"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adds the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed; they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed; they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed; they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_basic_usage"
    ],
    "name": "test_basic_usage_create_scheduled.py",
    "id": 19,
    "group_id": 0,
    "tests": [
        {
            "description": "Check if a special or regular file creation is detected by the 'wazuh-syscheckd' daemon using the 'scheduled' monitoring mode. Regular files must be monitored, special files must not. For this purpose, the test creates the testing directories and files using different character encodings in their names, and then it changes the system time until the next scheduled scan. Finally, it verifies that only the regular testing files have generated FIM events.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "folder": {
                        "type": "str",
                        "brief": "Path to the monitored testing directory."
                    }
                },
                {
                    "name": {
                        "type": "str",
                        "brief": "Name used for the testing file."
                    }
                },
                {
                    "filetype": {
                        "type": "str",
                        "brief": "Type of the testing file."
                    }
                },
                {
                    "content": {
                        "type": "str",
                        "brief": "Content of the testing file."
                    }
                },
                {
                    "checkers": {
                        "type": "dict",
                        "brief": "Checks that will be compared to the ones from the event."
                    }
                },
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run the test if it matches a configuration identifier, skip otherwise."
                    }
                },
                {
                    "encoding": {
                        "type": "str",
                        "brief": "Character encoding used for the directory and testing files."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that FIM events are only generated for the regular testing files, and these contain all 'check_' fields specified in the configuration."
            ],
            "input_description": "A test case (ossec_conf) is contained in an external YAML file (wazuh_conf.yaml), which includes configuration settings for the 'wazuh-syscheckd' daemon, and it is combined with the testing directories to be monitored defined in this module.",
            "expected_output": [
                {
                    "r'.*Sending FIM event": "(.+)$' (Initial scan when restarting Wazuh)"
                },
                "Multiple FIM event logs of the monitored directories."
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_create_file_scheduled",
            "inputs": [
                "get_configuration0-file-regular-Sample content-checkers0-tags_to_apply0-None-/testdir1",
                "get_configuration0-file-regular-Sample content-checkers0-tags_to_apply0-None-/testdir2",
                "get_configuration0-file2-regular-Sample content-checkers1-tags_to_apply1-None-/testdir1",
                "get_configuration0-file2-regular-Sample content-checkers1-tags_to_apply1-None-/testdir2",
                "get_configuration0-socketfile-socket--checkers2-tags_to_apply2-None-/testdir1",
                "get_configuration0-socketfile-socket--checkers2-tags_to_apply2-None-/testdir2",
                "get_configuration0-file3-regular-Sample content-checkers3-tags_to_apply3-None-/testdir1",
                "get_configuration0-file3-regular-Sample content-checkers3-tags_to_apply3-None-/testdir2",
                "get_configuration0-fifofile-fifo--checkers4-tags_to_apply4-None-/testdir1",
                "get_configuration0-fifofile-fifo--checkers4-tags_to_apply4-None-/testdir2",
                "get_configuration0-file4-regular--checkers5-tags_to_apply5-None-/testdir1",
                "get_configuration0-file4-regular--checkers5-tags_to_apply5-None-/testdir2",
                "get_configuration0-file-\\xf1-regular--checkers6-tags_to_apply6-None-/testdir1",
                "get_configuration0-file-\\xf1-regular--checkers6-tags_to_apply6-None-/testdir2",
                "get_configuration0-\\u6a94\\u6848-regular--checkers7-tags_to_apply7-cp950-/testdir1",
                "get_configuration0-\\u6a94\\u6848-regular--checkers7-tags_to_apply7-cp950-/testdir2",
                "get_configuration0-\\u041e\\u0431\\u0440\\u0430\\u0437\\u0435\\u0446\\u0442\\u0435\\u043a\\u0441\\u0442\\u0430-regular--checkers8-tags_to_apply8-koi8-r-/testdir1",
                "get_configuration0-\\u041e\\u0431\\u0440\\u0430\\u0437\\u0435\\u0446\\u0442\\u0435\\u043a\\u0441\\u0442\\u0430-regular--checkers8-tags_to_apply8-koi8-r-/testdir2",
                "get_configuration0-\\u0394\\u03b5\\u03af\\u03b3\\u03bc\\u03b1\\u03ba\\u03b5\\u03b9\\u03bc\\u03ad\\u03bd\\u03bf\\u03c5-regular--checkers9-tags_to_apply9-cp737-/testdir1",
                "get_configuration0-\\u0394\\u03b5\\u03af\\u03b3\\u03bc\\u03b1\\u03ba\\u03b5\\u03b9\\u03bc\\u03ad\\u03bd\\u03bf\\u03c5-regular--checkers9-tags_to_apply9-cp737-/testdir2",
                "get_configuration0-\\u0646\\u0635\\u0628\\u0633\\u064a\\u0637-regular--checkers10-tags_to_apply10-cp720-/testdir1",
                "get_configuration0-\\u0646\\u0635\\u0628\\u0633\\u064a\\u0637-regular--checkers10-tags_to_apply10-cp720-/testdir2",
                "get_configuration0-\\u039e\\xb3\\u039e\\xb5\\u039e\\u0389\\u039e\\xb1-regular--checkers11-tags_to_apply11-None-/testdir1",
                "get_configuration0-\\u039e\\xb3\\u039e\\xb5\\u039e\\u0389\\u039e\\xb1-regular--checkers11-tags_to_apply11-None-/testdir2"
            ]
        }
    ]
}

test_basic_usage_create_scheduled.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggers
  alerts when these files are modified. In particular, these tests will verify that
  only regular files are monitored using the 'scheduled' monitoring mode. The FIM
  capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files
  for changes to the checksums, permissions, and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <info@wazuh.com>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 0
id: 19
modules:
- fim
name: test_basic_usage_create_scheduled.py
os_platform:
- linux
- windows
- macos
- solaris
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
- Windows 10
- Windows 8
- Windows 7
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012
- Windows Server 2003
- Windows XP
- macOS Catalina
- Solaris 10
- Solaris 11
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
tags:
- fim_basic_usage
tests:
- assertions:
  - Verify that FIM events are only generated for the regular testing files, and these
    contain all 'check_' fields specified in the configuration.
  description: Check if a special or regular file creation is detected by the 'wazuh-syscheckd'
    daemon using the 'scheduled' monitoring mode. Regular files must be monitored,
    special files must not. For this purpose, the test creates the testing directories
    and files using different character encodings in their names, and then it changes
    the system time until the next scheduled scan. Finally, it verifies that only
    the regular testing files have generated FIM events.
  expected_output:
  - r'.*Sending FIM event: (.+)$' (Initial scan when restarting Wazuh)
  - Multiple FIM event logs of the monitored directories.
  input_description: A test case (ossec_conf) is contained in an external YAML file
    (wazuh_conf.yaml), which includes configuration settings for the 'wazuh-syscheckd'
    daemon, and it is combined with the testing directories to be monitored defined
    in this module.
  inputs:
  - get_configuration0-file-regular-Sample content-checkers0-tags_to_apply0-None-/testdir1
  - get_configuration0-file-regular-Sample content-checkers0-tags_to_apply0-None-/testdir2
  - get_configuration0-file2-regular-Sample content-checkers1-tags_to_apply1-None-/testdir1
  - get_configuration0-file2-regular-Sample content-checkers1-tags_to_apply1-None-/testdir2
  - get_configuration0-socketfile-socket--checkers2-tags_to_apply2-None-/testdir1
  - get_configuration0-socketfile-socket--checkers2-tags_to_apply2-None-/testdir2
  - get_configuration0-file3-regular-Sample content-checkers3-tags_to_apply3-None-/testdir1
  - get_configuration0-file3-regular-Sample content-checkers3-tags_to_apply3-None-/testdir2
  - get_configuration0-fifofile-fifo--checkers4-tags_to_apply4-None-/testdir1
  - get_configuration0-fifofile-fifo--checkers4-tags_to_apply4-None-/testdir2
  - get_configuration0-file4-regular--checkers5-tags_to_apply5-None-/testdir1
  - get_configuration0-file4-regular--checkers5-tags_to_apply5-None-/testdir2
  - get_configuration0-file-\xf1-regular--checkers6-tags_to_apply6-None-/testdir1
  - get_configuration0-file-\xf1-regular--checkers6-tags_to_apply6-None-/testdir2
  - get_configuration0-\u6a94\u6848-regular--checkers7-tags_to_apply7-cp950-/testdir1
  - get_configuration0-\u6a94\u6848-regular--checkers7-tags_to_apply7-cp950-/testdir2
  - get_configuration0-\u041e\u0431\u0440\u0430\u0437\u0435\u0446\u0442\u0435\u043a\u0441\u0442\u0430-regular--checkers8-tags_to_apply8-koi8-r-/testdir1
  - get_configuration0-\u041e\u0431\u0440\u0430\u0437\u0435\u0446\u0442\u0435\u043a\u0441\u0442\u0430-regular--checkers8-tags_to_apply8-koi8-r-/testdir2
  - get_configuration0-\u0394\u03b5\u03af\u03b3\u03bc\u03b1\u03ba\u03b5\u03b9\u03bc\u03ad\u03bd\u03bf\u03c5-regular--checkers9-tags_to_apply9-cp737-/testdir1
  - get_configuration0-\u0394\u03b5\u03af\u03b3\u03bc\u03b1\u03ba\u03b5\u03b9\u03bc\u03ad\u03bd\u03bf\u03c5-regular--checkers9-tags_to_apply9-cp737-/testdir2
  - get_configuration0-\u0646\u0635\u0628\u0633\u064a\u0637-regular--checkers10-tags_to_apply10-cp720-/testdir1
  - get_configuration0-\u0646\u0635\u0628\u0633\u064a\u0637-regular--checkers10-tags_to_apply10-cp720-/testdir2
  - get_configuration0-\u039e\xb3\u039e\xb5\u039e\u0389\u039e\xb1-regular--checkers11-tags_to_apply11-None-/testdir1
  - get_configuration0-\u039e\xb3\u039e\xb5\u039e\u0389\u039e\xb1-regular--checkers11-tags_to_apply11-None-/testdir2
  name: test_create_file_scheduled
  parameters:
  - folder:
      brief: Path to the monitored testing directory.
      type: str
  - name:
      brief: Name used for the testing file.
      type: str
  - filetype:
      brief: Type of the testing file.
      type: str
  - content:
      brief: Content of the testing file.
      type: str
  - checkers:
      brief: Checks that will be compared to the ones from the event.
      type: dict
  - tags_to_apply:
      brief: Run the test if it matches a configuration identifier, skip otherwise.
      type: set
  - encoding:
      brief: Character encoding used for the directory and testing files.
      type: str
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
tier: 0
type: integration


test_basic_usage_db_inode_check.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggers alerts when these files are modified. Specifically, these tests will check for false positives due to possible inconsistencies with 'inodes' in the FIM database. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 0,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html",
        "https://en.wikipedia.org/wiki/Inode"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_basic_usage"
    ],
    "name": "test_basic_usage_db_inode_check.py",
    "id": 1,
    "group_id": 0,
    "tests": [
        {
            "description": "Check for false positives due to possible inconsistencies with inodes in the FIM database. For example, with 'check_mtime=no' and 'check_inode=no', no modification events should appear, and using 'check_mtime=yes' and 'check_inode=yes', since the 'mtime' and 'inode' attributes are modified, modification events should appear. For this purpose, the test will monitor a folder using the 'scheduled' monitoring mode, create ten files with some content and wait for the scan. Then, remove the files and create them again (adding one more at the beginning or deleting it) with different inodes. Finally, the test changes the system time until the next scheduled scan and checks if there are any unexpected events in the log.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "test_cases": {
                        "type": "int",
                        "brief": "Test case number."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that the FIM database does not become inconsistent due to the change of inodes, whether or not 'check_mtime' and 'check_inode' are enabled."
            ],
            "input_description": "Two test cases defined in this module, and the configuration settings for the 'wazuh-syscheckd' daemon (tag ossec_conf) which are contained in an external YAML file (wazuh_conf_check_inodes.yaml).",
            "expected_output": [
                {
                    "r'.*Sending FIM event": "(.+)$'"
                }
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_db_inode_check",
            "inputs": [
                "get_configuration0-0",
                "get_configuration0-1",
                "get_configuration0-2",
                "get_configuration1-0",
                "get_configuration1-1",
                "get_configuration1-2"
            ]
        }
    ]
}

test_basic_usage_db_inode_check.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggers
  alerts when these files are modified. Specifically, these tests will check for false
  positives due to possible inconsistencies with 'inodes' in the FIM database. The
  FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured
  files for changes to the checksums, permissions, and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <info@wazuh.com>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 0
id: 1
modules:
- fim
name: test_basic_usage_db_inode_check.py
os_platform:
- linux
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
- https://en.wikipedia.org/wiki/Inode
tags:
- fim_basic_usage
tests:
- assertions:
  - Verify that the FIM database does not become inconsistent due to the change of
    inodes, whether or not 'check_mtime' and 'check_inode' are enabled.
  description: Check for false positives due to possible inconsistencies with inodes
    in the FIM database. For example, with 'check_mtime=no' and 'check_inode=no',
    no modification events should appear, and using 'check_mtime=yes' and 'check_inode=yes',
    since the 'mtime' and 'inode' attributes are modified, modification events should
    appear. For this purpose, the test will monitor a folder using the 'scheduled'
    monitoring mode, create ten files with some content and wait for the scan. Then,
    remove the files and create them again (adding one more at the beginning or deleting
    it) with different inodes. Finally, the test changes the system time until the
    next scheduled scan and checks if there are any unexpected events in the log.
  expected_output:
  - r'.*Sending FIM event: (.+)$'
  input_description: Two test cases defined in this module, and the configuration
    settings for the 'wazuh-syscheckd' daemon (tag ossec_conf) which are contained
    in an external YAML file (wazuh_conf_check_inodes.yaml).
  inputs:
  - get_configuration0-0
  - get_configuration0-1
  - get_configuration0-2
  - get_configuration1-0
  - get_configuration1-1
  - get_configuration1-2
  name: test_db_inode_check
  parameters:
  - test_cases:
      brief: Test case number.
      type: int
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
tier: 0
type: integration


test_basic_usage_delete_folder.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggers alerts when these files are modified. Specifically, these tests will check if, when a monitored folder is deleted, the files inside it generate FIM events of the type 'deleted'. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 0,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux",
        "windows"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6",
        "Windows 10",
        "Windows 8",
        "Windows 7",
        "Windows Server 2019",
        "Windows Server 2016",
        "Windows Server 2012",
        "Windows Server 2003",
        "Windows XP"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_basic_usage"
    ],
    "name": "test_basic_usage_delete_folder.py",
    "id": 2,
    "group_id": 0,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' daemon detects 'deleted' events from the files contained in a folder that is being deleted. For example, the folder '/testdir' is monitored, and the files 'r1', 'r2' and 'r3' are inside '/testdir'. If '/testdir' is deleted, three events of type 'deleted' must be generated, one for each of the regular files. For this purpose, the test will monitor a folder using the 'scheduled' monitoring mode, create the testing files inside it, and change the system time until the next scheduled scan. Then, remove the monitored folder, and finally, the test verifies that the 'deleted' events have been generated.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "folder": {
                        "type": "str",
                        "brief": "Path to the monitored testing directory."
                    }
                },
                {
                    "file_list": {
                        "type": "list",
                        "brief": "Used names for the testing files."
                    }
                },
                {
                    "filetype": {
                        "type": "str",
                        "brief": "Type of the testing file."
                    }
                },
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run the test if it matches a configuration identifier, skip otherwise."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that when a monitored folder is deleted, the files inside it generate FIM events of the type 'deleted'."
            ],
            "input_description": "A test case (ossec_conf) is contained in an external YAML file (wazuh_conf.yaml), which includes configuration settings for the 'wazuh-syscheckd' daemon, and it is combined with the testing directories to be monitored defined in this module.",
            "expected_output": [
                {
                    "r'.*Sending FIM event": "(.+)$'"
                }
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_delete_folder",
            "inputs": [
                "get_configuration0-/testdir1/subdir-file_list0-regular-tags_to_apply0",
                "get_configuration0-/testdir2/subdir-file_list1-regular-tags_to_apply1",
                "get_configuration1-/testdir1/subdir-file_list0-regular-tags_to_apply0",
                "get_configuration1-/testdir2/subdir-file_list1-regular-tags_to_apply1",
                "get_configuration2-/testdir1/subdir-file_list0-regular-tags_to_apply0",
                "get_configuration2-/testdir2/subdir-file_list1-regular-tags_to_apply1"
            ]
        }
    ]
}

test_basic_usage_delete_folder.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggers
  alerts when these files are modified. Specifically, these tests will check if, when
  a monitored folder is deleted, the files inside it generate FIM events of the type
  'deleted'. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which
  checks configured files for changes to the checksums, permissions, and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <info@wazuh.com>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 0
id: 2
modules:
- fim
name: test_basic_usage_delete_folder.py
os_platform:
- linux
- windows
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
- Windows 10
- Windows 8
- Windows 7
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012
- Windows Server 2003
- Windows XP
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
tags:
- fim_basic_usage
tests:
- assertions:
  - Verify that when a monitored folder is deleted, the files inside it generate FIM
    events of the type 'deleted'.
  description: Check if the 'wazuh-syscheckd' daemon detects 'deleted' events from
    the files contained in a folder that is being deleted. For example, the folder
    '/testdir' is monitored, and the files 'r1', 'r2' and 'r3' are inside '/testdir'.
    If '/testdir' is deleted, three events of type 'deleted' must be generated, one
    for each of the regular files. For this purpose, the test will monitor a folder
    using the 'scheduled' monitoring mode, create the testing files inside it, and
    change the system time until the next scheduled scan. Then, remove the monitored
    folder, and finally, the test verifies that the 'deleted' events have been generated.
  expected_output:
  - r'.*Sending FIM event: (.+)$'
  input_description: A test case (ossec_conf) is contained in an external YAML file
    (wazuh_conf.yaml), which includes configuration settings for the 'wazuh-syscheckd'
    daemon, and it is combined with the testing directories to be monitored defined
    in this module.
  inputs:
  - get_configuration0-/testdir1/subdir-file_list0-regular-tags_to_apply0
  - get_configuration0-/testdir2/subdir-file_list1-regular-tags_to_apply1
  - get_configuration1-/testdir1/subdir-file_list0-regular-tags_to_apply0
  - get_configuration1-/testdir2/subdir-file_list1-regular-tags_to_apply1
  - get_configuration2-/testdir1/subdir-file_list0-regular-tags_to_apply0
  - get_configuration2-/testdir2/subdir-file_list1-regular-tags_to_apply1
  name: test_delete_folder
  parameters:
  - folder:
      brief: Path to the monitored testing directory.
      type: str
  - file_list:
      brief: Used names for the testing files.
      type: list
  - filetype:
      brief: Type of the testing file.
      type: str
  - tags_to_apply:
      brief: Run the test if it matches a configuration identifier, skip otherwise.
      type: set
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
tier: 0
type: integration


test_basic_usage_dir_with_commas.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggers alerts when these files are modified. Specifically, these tests will check if FIM events are generated on a monitored folder whose name contains commas. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 2,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux",
        "windows"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6",
        "Windows 10",
        "Windows 8",
        "Windows 7",
        "Windows Server 2019",
        "Windows Server 2016",
        "Windows Server 2012",
        "Windows Server 2003",
        "Windows XP"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_basic_usage"
    ],
    "name": "test_basic_usage_dir_with_commas.py",
    "id": 3,
    "group_id": 0,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' daemon generates FIM events from monitoring folders whose name contains commas. For this purpose, the test will monitor a testing folder using the 'scheduled' monitoring mode, and create the testing files inside it. Then, perform CUD (creation, update, and delete) operations and finally verify that the FIM events are generated correctly.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "directory": {
                        "type": "str",
                        "brief": "Path to the monitored testing directory."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "put_env_variables": {
                        "type": "fixture",
                        "brief": "Create environment variables."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that FIM events are generated on a monitored folder whose name contains commas."
            ],
            "input_description": "A test case is contained in an external YAML file (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon and it is combined with the testing directories to be monitored defined in this module.",
            "expected_output": [
                "Multiple FIM events logs of the monitored directories."
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_directories_with_commas",
            "inputs": [
                "get_configuration0-/test,dir1",
                "get_configuration0-/testdir2,",
                "get_configuration1-/test,dir1",
                "get_configuration1-/testdir2,",
                "get_configuration2-/test,dir1",
                "get_configuration2-/testdir2,"
            ]
        }
    ]
}

test_basic_usage_dir_with_commas.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggers
  alerts when these files are modified. Specifically, these tests will check if FIM
  events are generated on a monitored folder whose name contains commas. The FIM capability
  is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes
  to the checksums, permissions, and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <info@wazuh.com>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 0
id: 3
modules:
- fim
name: test_basic_usage_dir_with_commas.py
os_platform:
- linux
- windows
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
- Windows 10
- Windows 8
- Windows 7
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012
- Windows Server 2003
- Windows XP
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
tags:
- fim_basic_usage
tests:
- assertions:
  - Verify that FIM events are generated on a monitored folder whose name contains
    commas.
  description: Check if the 'wazuh-syscheckd' daemon generates FIM events from monitoring
    folders whose name contains commas. For this purpose, the test will monitor a
    testing folder using the 'scheduled' monitoring mode, and create the testing files
    inside it. Then, perform CUD (creation, update, and delete) operations and finally
    verify that the FIM events are generated correctly.
  expected_output:
  - Multiple FIM events logs of the monitored directories.
  input_description: A test case is contained in an external YAML file (wazuh_conf.yaml)
    which includes configuration settings for the 'wazuh-syscheckd' daemon and it
    is combined with the testing directories to be monitored defined in this module.
  inputs:
  - get_configuration0-/test,dir1
  - get_configuration0-/testdir2,
  - get_configuration1-/test,dir1
  - get_configuration1-/testdir2,
  - get_configuration2-/test,dir1
  - get_configuration2-/testdir2,
  name: test_directories_with_commas
  parameters:
  - directory:
      brief: Path to the monitored testing directory.
      type: str
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - put_env_variables:
      brief: Create environment variables.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
tier: 2
type: integration


test_basic_usage_disabled.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggers alerts when these files are modified. Specifically, these tests will verify that when the 'wazuh-syscheckd' daemon is disabled, no FIM events are generated. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 0,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux",
        "windows"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6",
        "Windows 10",
        "Windows 8",
        "Windows 7",
        "Windows Server 2019",
        "Windows Server 2016",
        "Windows Server 2012",
        "Windows Server 2003",
        "Windows XP"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_basic_usage"
    ],
    "name": "test_basic_usage_disabled.py",
    "id": 4,
    "group_id": 0,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' daemon generates FIM events when it is disabled in the main configuration file. For this purpose, the test will monitor a testing folder and finally verify that no FIM events have been generated.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                }
            ],
            "assertions": [
                "Verify that when the 'wazuh-syscheckd' daemon is disabled, no FIM events are generated."
            ],
            "input_description": "A test case is contained in an external YAML file (wazuh_conf_disabled.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon and it is combined with the testing directory to be monitored defined in this module.",
            "expected_output": [
                "No FIM events should be generated."
            ],
            "tags": [
                "scheduled"
            ],
            "name": "test_disabled",
            "inputs": [
                "get_configuration0",
                "get_configuration1",
                "get_configuration2"
            ]
        }
    ]
}

test_basic_usage_disabled.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggers
  alerts when these files are modified. Specifically, these tests will verify that
  when the 'wazuh-syscheckd' daemon is disabled, no FIM events are generated. The
  FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured
  files for changes to the checksums, permissions, and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <info@wazuh.com>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 0
id: 4
modules:
- fim
name: test_basic_usage_disabled.py
os_platform:
- linux
- windows
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
- Windows 10
- Windows 8
- Windows 7
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012
- Windows Server 2003
- Windows XP
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
tags:
- fim_basic_usage
tests:
- assertions:
  - Verify that when the 'wazuh-syscheckd' daemon is disabled, no FIM events are generated.
  description: Check if the 'wazuh-syscheckd' daemon generates FIM events when it
    is disabled in the main configuration file. For this purpose, the test will monitor
    a testing folder and finally verify that no FIM events have been generated.
  expected_output:
  - No FIM events should be generated.
  input_description: A test case is contained in an external YAML file (wazuh_conf_disabled.yaml)
    which includes configuration settings for the 'wazuh-syscheckd' daemon and it
    is combined with the testing directory to be monitored defined in this module.
  inputs:
  - get_configuration0
  - get_configuration1
  - get_configuration2
  name: test_disabled
  parameters:
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  tags:
  - scheduled
  wazuh_min_version: 4.2.0
tier: 0
type: integration


test_basic_usage_entries_match_path_count.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggers alerts when these files are modified. In particular, these tests will verify that when using 'hard' and 'symbolic' links, the FIM events contain a consistent number of inodes and paths to files. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 0,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux",
        "windows",
        "macos",
        "solaris"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6",
        "Windows 10",
        "Windows 8",
        "Windows 7",
        "Windows Server 2019",
        "Windows Server 2016",
        "Windows Server 2012",
        "Windows Server 2003",
        "Windows XP",
        "macOS Catalina",
        "Solaris 10",
        "Solaris 11"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html",
        "https://en.wikipedia.org/wiki/Inode"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_basic_usage"
    ],
    "name": "test_basic_usage_entries_match_path_count.py",
    "id": 5,
    "group_id": 0,
    "tests": [
        {
            "description": "Check if FIM events contain the correct number of file paths when 'hard' and 'symbolic' links are used. For this purpose, the test will monitor a testing folder and create two regular files, a 'symlink' and a 'hard link' before the scan starts. Finally, it verifies in the generated FIM event that three inodes and four file paths are detected.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that when using hard and symbolic links, the FIM events contain a consistent number of inodes and paths to files."
            ],
            "input_description": "A test case (ossec_conf) is contained in an external YAML file (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon and it is combined with the testing directories to be monitored defined in this module.",
            "expected_output": [
                "r'.*Fim inode entries*, path count' (If the OS used is not Windows)",
                "r'.*Fim entries' (If the OS used is Windows)"
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_entries_match_path_count",
            "inputs": [
                "get_configuration0"
            ]
        }
    ]
}

test_basic_usage_entries_match_path_count.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggers
  alerts when these files are modified. In particular, these tests will verify that
  when using 'hard' and 'symbolic' links, the FIM events contain a consistent number
  of inodes and paths to files. The FIM capability is managed by the 'wazuh-syscheckd'
  daemon, which checks configured files for changes to the checksums, permissions,
  and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <info@wazuh.com>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 0
id: 5
modules:
- fim
name: test_basic_usage_entries_match_path_count.py
os_platform:
- linux
- windows
- macos
- solaris
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
- Windows 10
- Windows 8
- Windows 7
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012
- Windows Server 2003
- Windows XP
- macOS Catalina
- Solaris 10
- Solaris 11
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
- https://en.wikipedia.org/wiki/Inode
tags:
- fim_basic_usage
tests:
- assertions:
  - Verify that when using hard and symbolic links, the FIM events contain a consistent
    number of inodes and paths to files.
  description: Check if FIM events contain the correct number of file paths when 'hard'
    and 'symbolic' links are used. For this purpose, the test will monitor a testing
    folder and create two regular files, a 'symlink' and a 'hard link' before the
    scan starts. Finally, it verifies in the generated FIM event that three inodes
    and four file paths are detected.
  expected_output:
  - r'.*Fim inode entries*, path count' (If the OS used is not Windows)
  - r'.*Fim entries' (If the OS used is Windows)
  input_description: A test case (ossec_conf) is contained in an external YAML file (wazuh_conf.yaml)
    which includes configuration settings for the 'wazuh-syscheckd' daemon and it
    is combined with the testing directories to be monitored defined in this module.
  inputs:
  - get_configuration0
  name: test_entries_match_path_count
  parameters:
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
tier: 0
type: integration


test_basic_usage_move_dir.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggers alerts when these files are modified. Specifically, these tests will check if FIM events are generated when subfolders are moved between monitored directories. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 0,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux",
        "windows"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6",
        "Windows 10",
        "Windows 8",
        "Windows 7",
        "Windows Server 2019",
        "Windows Server 2016",
        "Windows Server 2012",
        "Windows Server 2003",
        "Windows XP"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_basic_usage"
    ],
    "name": "test_basic_usage_move_dir.py",
    "id": 6,
    "group_id": 0,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' daemon detects 'added' and 'deleted' events when moving a subdirectory from a monitored folder to another one. For this purpose, the test will move a testing subfolder from the source directory to the target directory and change the system time until the next scheduled scan. Finally, it verifies that the expected FIM events have been generated.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "source_folder": {
                        "type": "str",
                        "brief": "Path to the source directory where the subfolder to move is located."
                    }
                },
                {
                    "target_folder": {
                        "type": "str",
                        "brief": "Path to the destination directory where the subfolder will be moved."
                    }
                },
                {
                    "subdir": {
                        "type": "str",
                        "brief": "Name of the subfolder to be moved."
                    }
                },
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run test if match with a configuration identifier, skip otherwise."
                    }
                },
                {
                    "triggers_delete_event": {
                        "type": "bool",
                        "brief": "True if it expects a 'deleted' event in the source folder. False otherwise."
                    }
                },
                {
                    "triggers_add_event": {
                        "type": "bool",
                        "brief": "True if it expects an 'added' event in the target folder. False otherwise."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that FIM events of type 'added' and 'deleted' are generated when subfolders are moved between monitored directories."
            ],
            "input_description": "A test case (ossec_conf) is contained in an external YAML file (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon and it is combined with the testing directories to be monitored defined in this module.",
            "expected_output": [
                {
                    "r'.*Sending FIM event": "(.+)$' ('added' and 'deleted' events)"
                }
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_move_dir",
            "inputs": [
                "get_configuration0-/testdir4-/testdir2-subdir-tags_to_apply0-False-True",
                "get_configuration0-/testdir1-/-subdir-tags_to_apply1-True-False",
                "get_configuration0-/testdir3-/testdir2-subdir2-tags_to_apply2-True-True",
                "get_configuration0-/testdir3-/testdir2-subdir3/-tags_to_apply3-True-True",
                "get_configuration1-/testdir4-/testdir2-subdir-tags_to_apply0-False-True",
                "get_configuration1-/testdir1-/-subdir-tags_to_apply1-True-False",
                "get_configuration1-/testdir3-/testdir2-subdir2-tags_to_apply2-True-True",
                "get_configuration1-/testdir3-/testdir2-subdir3/-tags_to_apply3-True-True",
                "get_configuration2-/testdir4-/testdir2-subdir-tags_to_apply0-False-True",
                "get_configuration2-/testdir1-/-subdir-tags_to_apply1-True-False",
                "get_configuration2-/testdir3-/testdir2-subdir2-tags_to_apply2-True-True",
                "get_configuration2-/testdir3-/testdir2-subdir3/-tags_to_apply3-True-True"
            ]
        }
    ]
}

test_basic_usage_move_dir.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggering
  alerts when these files are modified. Specifically, these tests will check if FIM
  events are generated when subfolders are moved between monitored directories. The
  FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured
  files for changes to the checksums, permissions, and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <info@wazuh.com>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 0
id: 6
modules:
- fim
name: test_basic_usage_move_dir.py
os_platform:
- linux
- windows
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
- Windows 10
- Windows 8
- Windows 7
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012
- Windows Server 2003
- Windows XP
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
tags:
- fim_basic_usage
tests:
- assertions:
  - Verify that FIM events of type 'added' and 'deleted' are generated when subfolders
    are moved between monitored directories.
  description: Check if the 'wazuh-syscheckd' daemon detects 'added' and 'deleted'
    events when moving a subdirectory from a monitored folder to another one. For
    this purpose, the test will move a testing subfolder from the source directory
    to the target directory and change the system time until the next scheduled scan.
    Finally, it verifies that the expected FIM events have been generated.
  expected_output:
  - r'.*Sending FIM event: (.+)$' ('added' and 'deleted' events)
  input_description: A test case (ossec_conf) is contained in external YAML file (wazuh_conf.yaml)
    which includes configuration settings for the 'wazuh-syscheckd' daemon and, it
    is combined with the testing directories to be monitored defined in this module.
  inputs:
  - get_configuration0-/testdir4-/testdir2-subdir-tags_to_apply0-False-True
  - get_configuration0-/testdir1-/-subdir-tags_to_apply1-True-False
  - get_configuration0-/testdir3-/testdir2-subdir2-tags_to_apply2-True-True
  - get_configuration0-/testdir3-/testdir2-subdir3/-tags_to_apply3-True-True
  - get_configuration1-/testdir4-/testdir2-subdir-tags_to_apply0-False-True
  - get_configuration1-/testdir1-/-subdir-tags_to_apply1-True-False
  - get_configuration1-/testdir3-/testdir2-subdir2-tags_to_apply2-True-True
  - get_configuration1-/testdir3-/testdir2-subdir3/-tags_to_apply3-True-True
  - get_configuration2-/testdir4-/testdir2-subdir-tags_to_apply0-False-True
  - get_configuration2-/testdir1-/-subdir-tags_to_apply1-True-False
  - get_configuration2-/testdir3-/testdir2-subdir2-tags_to_apply2-True-True
  - get_configuration2-/testdir3-/testdir2-subdir3/-tags_to_apply3-True-True
  name: test_move_dir
  parameters:
  - source_folder:
      brief: Path to the source directory where the subfolder to move is located.
      type: str
  - target_folder:
      brief: Path to the destination directory where the subfolder will be moved.
      type: str
  - subdir:
      brief: Name of the subfolder to be moved.
      type: str
  - tags_to_apply:
      brief: Run test if match with a configuration identifier, skip otherwise.
      type: set
  - triggers_delete_event:
      brief: True if it expects a 'deleted' event in the source folder. False otherwise.
      type: bool
  - triggers_add_event:
      brief: True if it expects an 'added' event in the target folder. False otherwise.
      type: bool
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
tier: 0
type: integration


test_basic_usage_move_file.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are modified. Specifically, these tests will check if FIM events are generated when files are moved between monitored directories. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 0,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux",
        "windows"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6",
        "Windows 10",
        "Windows 8",
        "Windows 7",
        "Windows Server 2019",
        "Windows Server 2016",
        "Windows Server 2012",
        "Windows Server 2003",
        "Windows XP"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_basic_usage"
    ],
    "name": "test_basic_usage_move_file.py",
    "id": 7,
    "group_id": 0,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' daemon detects 'added' and 'deleted' events when moving a file from a monitored folder to another one. For this purpose, the test will create a testing file and move it from the source directory to the target directory. Then, it changes the system time until the next scheduled scan, and finally, it removes the testing file and verifies that the expected FIM events have been generated.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "file": {
                        "type": "str",
                        "brief": "Name of the testing file to be created."
                    }
                },
                {
                    "file_content": {
                        "type": "str",
                        "brief": "Content of the testing file to be created."
                    }
                },
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run test if match with a configuration identifier, skip otherwise."
                    }
                },
                {
                    "source_folder": {
                        "type": "str",
                        "brief": "Path to the source directory where the testing file to move is located."
                    }
                },
                {
                    "target_folder": {
                        "type": "str",
                        "brief": "Path to the destination directory where the testing file will be moved."
                    }
                },
                {
                    "triggers_delete_event": {
                        "type": "bool",
                        "brief": "True if it expects a 'deleted' event in the source folder. False otherwise."
                    }
                },
                {
                    "triggers_add_event": {
                        "type": "bool",
                        "brief": "True if it expects an 'added' event in the target folder. False otherwise."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that FIM events of type 'added' and 'deleted' are generated when files are moved between monitored directories."
            ],
            "input_description": "A test case (ossec_conf) is contained in external YAML file (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon and, it is combined with the testing directories to be monitored defined in this module.",
            "expected_output": [
                {
                    "r'.*Sending FIM event": "(.+)$' ('added' and 'deleted' events)"
                }
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_move_file",
            "inputs": [
                "get_configuration0-/testdir1-/-True-False-regular1--tags_to_apply0",
                "get_configuration0-/testdir1-/testdir1/subdir-True-True-regular1--tags_to_apply0",
                "get_configuration0-/testdir1-/testdir2-True-True-regular1--tags_to_apply0",
                "get_configuration0-/-/testdir1-False-True-regular1--tags_to_apply0",
                "get_configuration0-/-/testdir1/subdir-False-True-regular1--tags_to_apply0",
                "get_configuration1-/testdir1-/-True-False-regular1--tags_to_apply0",
                "get_configuration1-/testdir1-/testdir1/subdir-True-True-regular1--tags_to_apply0",
                "get_configuration1-/testdir1-/testdir2-True-True-regular1--tags_to_apply0",
                "get_configuration1-/-/testdir1-False-True-regular1--tags_to_apply0",
                "get_configuration1-/-/testdir1/subdir-False-True-regular1--tags_to_apply0",
                "get_configuration2-/testdir1-/-True-False-regular1--tags_to_apply0",
                "get_configuration2-/testdir1-/testdir1/subdir-True-True-regular1--tags_to_apply0",
                "get_configuration2-/testdir1-/testdir2-True-True-regular1--tags_to_apply0",
                "get_configuration2-/-/testdir1-False-True-regular1--tags_to_apply0",
                "get_configuration2-/-/testdir1/subdir-False-True-regular1--tags_to_apply0"
            ]
        }
    ]
}

test_basic_usage_move_file.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggering
  alerts when these files are modified. Specifically, these tests will check if FIM
  events are generated when files are moved between monitored directories. The FIM
  capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files
  for changes to the checksums, permissions, and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <info@wazuh.com>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 0
id: 7
modules:
- fim
name: test_basic_usage_move_file.py
os_platform:
- linux
- windows
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
- Windows 10
- Windows 8
- Windows 7
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012
- Windows Server 2003
- Windows XP
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
tags:
- fim_basic_usage
tests:
- assertions:
  - Verify that FIM events of type 'added' and 'deleted' are generated when files
    are moved between monitored directories.
  description: Check if the 'wazuh-syscheckd' daemon detects 'added' and 'deleted'
    events when moving a file from a monitored folder to another one. For this purpose,
    the test will create a testing file and move it from the source directory to the
    target directory. Then, it changes the system time until the next scheduled scan,
    and finally, it removes the testing file and verifies that the expected FIM events
    have been generated.
  expected_output:
  - r'.*Sending FIM event: (.+)$' ('added' and 'deleted' events)
  input_description: A test case (ossec_conf) is contained in external YAML file (wazuh_conf.yaml)
    which includes configuration settings for the 'wazuh-syscheckd' daemon and, it
    is combined with the testing directories to be monitored defined in this module.
  inputs:
  - get_configuration0-/testdir1-/-True-False-regular1--tags_to_apply0
  - get_configuration0-/testdir1-/testdir1/subdir-True-True-regular1--tags_to_apply0
  - get_configuration0-/testdir1-/testdir2-True-True-regular1--tags_to_apply0
  - get_configuration0-/-/testdir1-False-True-regular1--tags_to_apply0
  - get_configuration0-/-/testdir1/subdir-False-True-regular1--tags_to_apply0
  - get_configuration1-/testdir1-/-True-False-regular1--tags_to_apply0
  - get_configuration1-/testdir1-/testdir1/subdir-True-True-regular1--tags_to_apply0
  - get_configuration1-/testdir1-/testdir2-True-True-regular1--tags_to_apply0
  - get_configuration1-/-/testdir1-False-True-regular1--tags_to_apply0
  - get_configuration1-/-/testdir1/subdir-False-True-regular1--tags_to_apply0
  - get_configuration2-/testdir1-/-True-False-regular1--tags_to_apply0
  - get_configuration2-/testdir1-/testdir1/subdir-True-True-regular1--tags_to_apply0
  - get_configuration2-/testdir1-/testdir2-True-True-regular1--tags_to_apply0
  - get_configuration2-/-/testdir1-False-True-regular1--tags_to_apply0
  - get_configuration2-/-/testdir1/subdir-False-True-regular1--tags_to_apply0
  name: test_move_file
  parameters:
  - file:
      brief: Name of the testing file to be created.
      type: str
  - file_content:
      brief: Content of the testing file to be created.
      type: str
  - tags_to_apply:
      brief: Run test if match with a configuration identifier, skip otherwise.
      type: set
  - source_folder:
      brief: Path to the source directory where the testing file to move is located.
      type: str
  - target_folder:
      brief: Path to the destination directory where the testing file will be moved.
      type: str
  - triggers_delete_event:
      brief: True if it expects a 'deleted' event in the source folder. False otherwise.
      type: bool
  - triggers_add_event:
      brief: True if it expects an 'added' event in the target folder. False otherwise.
      type: bool
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
tier: 0
type: integration


test_basic_usage_new_dirs.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are modified. Specifically, these tests will check if FIM events are generated after the next scheduled scan using the 'scheduled' monitoring mode. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 0,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux",
        "windows"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6",
        "Windows 10",
        "Windows 8",
        "Windows 7",
        "Windows Server 2019",
        "Windows Server 2016",
        "Windows Server 2012",
        "Windows Server 2003",
        "Windows XP"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_basic_usage"
    ],
    "name": "test_basic_usage_new_dirs.py",
    "id": 8,
    "group_id": 0,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' daemon detects 'CUD' (creation, update, and delete) events after the next scheduled scan. For this purpose, the test will create a monitored folder and several testing files inside it. Then, it will perform different operations over the testing files and verify that no events are generated before the next scheduled scan. Finally, the test will perform operations on another set of testing files and wait to the next scheduled scan for the expected FIM events to be generated.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run test if match with a configuration identifier, skip otherwise."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                }
            ],
            "assertions": [
                "Verify that FIM events are generated after the next scheduled scan using the 'scheduled' monitoring mode."
            ],
            "input_description": "A test case (ossec_conf) is contained in external YAML file (wazuh_conf_new_dirs.yaml or wazuh_conf_new_dirs_win32.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon and, it is combined with the testing directories to be monitored defined in this module.",
            "expected_output": [
                {
                    "r'.*Sending FIM event": "(.+)$' ('added', 'modified', and 'deleted' events)"
                }
            ],
            "tags": [
                "scheduled"
            ],
            "name": "test_new_directory",
            "inputs": [
                "get_configuration0-tags_to_apply0",
                "get_configuration1-tags_to_apply0"
            ]
        }
    ]
}

test_basic_usage_new_dirs.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggering
  alerts when these files are modified. Specifically, these tests will check if FIM
  events are generated after the next scheduled scan using the 'scheduled' monitoring
  mode. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks
  configured files for changes to the checksums, permissions, and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <info@wazuh.com>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 0
id: 8
modules:
- fim
name: test_basic_usage_new_dirs.py
os_platform:
- linux
- windows
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
- Windows 10
- Windows 8
- Windows 7
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012
- Windows Server 2003
- Windows XP
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
tags:
- fim_basic_usage
tests:
- assertions:
  - Verify that FIM events are generated after the next scheduled scan using the 'scheduled'
    monitoring mode.
  description: Check if the 'wazuh-syscheckd' daemon detects 'CUD' (creation, update,
    and delete) events after the next scheduled scan. For this purpose, the test will
    create a monitored folder and several testing files inside it. Then, it will perform
    different operations over the testing files and verify that no events are generated
    before the next scheduled scan. Finally, the test will perform operations on another
    set of testing files and wait to the next scheduled scan for the expected FIM
    events to be generated.
  expected_output:
  - r'.*Sending FIM event: (.+)$' ('added', 'modified', and 'deleted' events)
  input_description: A test case (ossec_conf) is contained in external YAML file (wazuh_conf_new_dirs.yaml
    or wazuh_conf_new_dirs_win32.yaml) which includes configuration settings for the
    'wazuh-syscheckd' daemon and, it is combined with the testing directories to be
    monitored defined in this module.
  inputs:
  - get_configuration0-tags_to_apply0
  - get_configuration1-tags_to_apply0
  name: test_new_directory
  parameters:
  - tags_to_apply:
      brief: Run test if match with a configuration identifier, skip otherwise.
      type: set
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  tags:
  - scheduled
  wazuh_min_version: 4.2.0
tier: 0
type: integration


test_basic_usage_no_dir.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are modified. Specifically, these tests will check if the 'wazuh-syscheckd' daemon generates a debug log when the 'directories' configuration tag is empty. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 0,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux",
        "windows"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6",
        "Windows 10",
        "Windows 8",
        "Windows 7",
        "Windows Server 2019",
        "Windows Server 2016",
        "Windows Server 2012",
        "Windows Server 2003",
        "Windows XP"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_basic_usage"
    ],
    "name": "test_basic_usage_no_dir.py",
    "id": 9,
    "group_id": 0,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' daemon shows a debug message when an empty 'directories' tag is found. For this purpose, the test uses a configuration without specifying the directory to monitor. It will then verify that the appropriate debug message is generated. Finally, the test will use a valid directory and verify that the above message is not generated.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run test if match with a configuration identifier, skip otherwise."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                }
            ],
            "assertions": [
                "Verify that the 'wazuh-syscheckd' daemon generates a debug log when the 'directories' configuration tag is empty.",
                "Verify that the 'wazuh-syscheckd' daemon does not generate a debug log when the 'directories' configuration tag is not empty."
            ],
            "input_description": "A test case (ossec_conf) is contained in external YAML file (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon and, it is combined with the testing directories to be monitored defined in this module.",
            "expected_output": [
                "r'Empty directories tag found in the configuration.'"
            ],
            "tags": [
                "scheduled"
            ],
            "name": "test_new_directory",
            "inputs": [
                "get_configuration0-tags_to_apply0",
                "get_configuration1-tags_to_apply0",
                "get_configuration0-tags_to_apply0",
                "get_configuration1-tags_to_apply0",
                "get_configuration2-tags_to_apply0",
                "get_configuration3-tags_to_apply0",
                "get_configuration4-tags_to_apply0",
                "get_configuration5-tags_to_apply0"
            ]
        }
    ]
}

test_basic_usage_no_dir.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggers
  alerts when these files are modified. Specifically, these tests will check if the
  'wazuh-syscheckd' daemon generates a debug log when the 'directories' configuration
  tag is empty. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which
  checks configured files for changes to the checksums, permissions, and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <info@wazuh.com>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 0
id: 9
modules:
- fim
name: test_basic_usage_no_dir.py
os_platform:
- linux
- windows
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
- Windows 10
- Windows 8
- Windows 7
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012
- Windows Server 2003
- Windows XP
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
tags:
- fim_basic_usage
tests:
- assertions:
  - Verify that the 'wazuh-syscheckd' daemon generates a debug log when the 'directories'
    configuration tag is empty.
  - Verify that the 'wazuh-syscheckd' daemon does not generate a debug log when the
    'directories' configuration tag is not empty.
  description: Check if the 'wazuh-syscheckd' daemon shows a debug message when an
    empty 'directories' tag is found. For this purpose, the test uses a configuration
    without specifying the directory to monitor. It will then verify that the appropriate
    debug message is generated. Finally, the test will use a valid directory and verify
    that the above message is not generated.
  expected_output:
  - r'Empty directories tag found in the configuration.'
  input_description: A test case (ossec_conf) is contained in an external YAML file
    (wazuh_conf.yaml), which includes configuration settings for the 'wazuh-syscheckd'
    daemon, and it is combined with the testing directories to be monitored defined
    in this module.
  inputs:
  - get_configuration0-tags_to_apply0
  - get_configuration1-tags_to_apply0
  - get_configuration0-tags_to_apply0
  - get_configuration1-tags_to_apply0
  - get_configuration2-tags_to_apply0
  - get_configuration3-tags_to_apply0
  - get_configuration4-tags_to_apply0
  - get_configuration5-tags_to_apply0
  name: test_new_directory
  parameters:
  - tags_to_apply:
      brief: Run the test if it matches a configuration identifier, skip otherwise.
      type: set
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  tags:
  - scheduled
  wazuh_min_version: 4.2.0
tier: 0
type: integration

 

test_basic_usage_quick_changes.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are modified. Specifically, these tests will check if FIM events of type 'added', 'modified', and 'deleted' are generated when the related operations are performed in specific time intervals. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 0,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux",
        "windows"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6",
        "Windows 10",
        "Windows 8",
        "Windows 7",
        "Windows Server 2019",
        "Windows Server 2016",
        "Windows Server 2012",
        "Windows Server 2003",
        "Windows XP"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_basic_usage"
    ],
    "name": "test_basic_usage_quick_changes.py",
    "id": 10,
    "group_id": 0,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' regular file changes (add, modify, delete) with a very specific delay between every operation. For this purpose, the test will perform the above operations over a testing file and wait for the specified time between each operation. Finally, the test will check that the  expected FIM events have been generated.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "sleep": {
                        "type": "float",
                        "brief": "Delay in seconds between every action."
                    }
                },
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run test if match with a configuration identifier, skip otherwise."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that FIM events of type 'added', 'modified', and 'deleted' are generated when the related operations are performed in specific time intervals."
            ],
            "input_description": "A test case (ossec_conf) is contained in external YAML file (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon and, it is combined with the testing directories to be monitored defined in this module.",
            "expected_output": [
                "r'.*Sending FIM event: (.+)$'"
            ],
            "tags": [
                "realtime",
                "who-data"
            ],
            "name": "test_regular_file_changes",
            "inputs": [
                "get_configuration0-0.25-tags_to_apply0",
                "get_configuration0-0.5-tags_to_apply1",
                "get_configuration0-0.75-tags_to_apply2",
                "get_configuration0-1-tags_to_apply3",
                "get_configuration0-1.25-tags_to_apply4",
                "get_configuration0-1.5-tags_to_apply5",
                "get_configuration0-1.75-tags_to_apply6",
                "get_configuration0-2-tags_to_apply7",
                "get_configuration1-0.25-tags_to_apply0",
                "get_configuration1-0.5-tags_to_apply1",
                "get_configuration1-0.75-tags_to_apply2",
                "get_configuration1-1-tags_to_apply3",
                "get_configuration1-1.25-tags_to_apply4",
                "get_configuration1-1.5-tags_to_apply5",
                "get_configuration1-1.75-tags_to_apply6",
                "get_configuration1-2-tags_to_apply7"
            ]
        }
    ]
}

test_basic_usage_quick_changes.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggers
  alerts when these files are modified. Specifically, these tests will check if FIM
  events of type 'added', 'modified', and 'deleted' are generated when the related
  operations are performed in specific time intervals. The FIM capability is managed
  by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the
  checksums, permissions, and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <info@wazuh.com>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 0
id: 10
modules:
- fim
name: test_basic_usage_quick_changes.py
os_platform:
- linux
- windows
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
- Windows 10
- Windows 8
- Windows 7
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012
- Windows Server 2003
- Windows XP
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
tags:
- fim_basic_usage
tests:
- assertions:
  - Verify that FIM events of type 'added', 'modified', and 'deleted' are generated
    when the related operations are performed in specific time intervals.
  description: Check if the 'wazuh-syscheckd' daemon detects regular file changes
    (add, modify, delete) with a very specific delay between every operation. For
    this purpose, the test will perform the above operations over a testing file and
    wait for the specified time between each operation. Finally, the test will check
    that the expected FIM events have been generated.
  expected_output:
  - "r'.*Sending FIM event: (.+)$'"
  input_description: A test case (ossec_conf) is contained in an external YAML file
    (wazuh_conf.yaml), which includes configuration settings for the 'wazuh-syscheckd'
    daemon, and it is combined with the testing directories to be monitored defined
    in this module.
  inputs:
  - get_configuration0-0.25-tags_to_apply0
  - get_configuration0-0.5-tags_to_apply1
  - get_configuration0-0.75-tags_to_apply2
  - get_configuration0-1-tags_to_apply3
  - get_configuration0-1.25-tags_to_apply4
  - get_configuration0-1.5-tags_to_apply5
  - get_configuration0-1.75-tags_to_apply6
  - get_configuration0-2-tags_to_apply7
  - get_configuration1-0.25-tags_to_apply0
  - get_configuration1-0.5-tags_to_apply1
  - get_configuration1-0.75-tags_to_apply2
  - get_configuration1-1-tags_to_apply3
  - get_configuration1-1.25-tags_to_apply4
  - get_configuration1-1.5-tags_to_apply5
  - get_configuration1-1.75-tags_to_apply6
  - get_configuration1-2-tags_to_apply7
  name: test_regular_file_changes
  parameters:
  - sleep:
      brief: Delay in seconds between every action.
      type: float
  - tags_to_apply:
      brief: Run the test if it matches a configuration identifier, skip otherwise.
      type: set
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - realtime
  - who-data
  wazuh_min_version: 4.2.0
tier: 0
type: integration

 

test_basic_usage_realtime_unsupported.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are modified. In particular, these tests will check if FIM changes the monitoring mode from 'realtime' to 'scheduled' when it is not supported. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 0,
    "modules": [
        "fim"
    ],
    "components": [
        "agent"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "macos",
        "solaris"
    ],
    "os_version": [
        "macOS Catalina",
        "Solaris 10",
        "Solaris 11"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_basic_usage"
    ],
    "name": "test_basic_usage_realtime_unsupported.py",
    "id": 20,
    "group_id": 0,
    "tests": [
        {
            "description": "Check if the current OS platform falls to the 'scheduled' mode when 'realtime' is not available. For this purpose, the test performs a CUD set of operations to a file with 'realtime' mode set as the monitoring option in the 'ossec.conf' file. Firstly it checks for the initial 'realtime' event appearing in the logs, and if the current OS does not support it, wait for the initial FIM scan mode. After this, the set of operations takes place and the expected behavior is the events will be generated with 'scheduled' mode and not 'realtime' as it is set in the configuration.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "file_monitoring": {
                        "type": "fixture",
                        "brief": "Handle the monitoring of a specified file."
                    }
                },
                {
                    "configure_local_internal_options_module": {
                        "type": "fixture",
                        "brief": "Configure the local internal options file."
                    }
                },
                {
                    "daemons_handler": {
                        "type": "fixture",
                        "brief": "Handle the Wazuh daemons."
                    }
                }
            ],
            "assertions": [
                "Verify that FIM changes the monitoring mode from 'realtime' to 'scheduled' when it is not supported."
            ],
            "input_description": "A test case (ossec_conf) is contained in external YAML file (wazuh_conf_check_realtime.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon and, it is combined with the testing directory to be monitored defined in this module.",
            "expected_output": [
                "r'.*Sending FIM event: (.+)$' ('added', 'modified' and 'deleted' events)"
            ],
            "tags": [
                "realtime",
                "scheduled"
            ],
            "name": "test_realtime_unsupported",
            "inputs": [
                "get_configuration0"
            ]
        }
    ]
}

test_basic_usage_realtime_unsupported.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggers
  alerts when these files are modified. In particular, these tests will check if FIM
  changes the monitoring mode from 'realtime' to 'scheduled' when it is not supported.
  The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured
  files for changes to the checksums, permissions, and ownership.
components:
- agent
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <info@wazuh.com>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 0
id: 20
modules:
- fim
name: test_basic_usage_realtime_unsupported.py
os_platform:
- macos
- solaris
os_version:
- macOS Catalina
- Solaris 10
- Solaris 11
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
tags:
- fim_basic_usage
tests:
- assertions:
  - Verify that FIM changes the monitoring mode from 'realtime' to 'scheduled' when
    it is not supported.
  description: Check if the current OS platform falls back to the 'scheduled' mode
    when 'realtime' is not available. For this purpose, the test performs a CUD set
    of operations on a file with 'realtime' mode set as the monitoring option in the
    'ossec.conf' file. Firstly, it checks for the initial 'realtime' event appearing
    in the logs, and if the current OS does not support it, waits for the initial FIM
    scan mode. After this, the set of operations takes place, and the expected behavior
    is that the events will be generated with 'scheduled' mode and not 'realtime' as
    set in the configuration.
  expected_output:
  - "r'.*Sending FIM event: (.+)$' ('added', 'modified' and 'deleted' events)"
  input_description: A test case (ossec_conf) is contained in an external YAML file
    (wazuh_conf_check_realtime.yaml), which includes configuration settings for the
    'wazuh-syscheckd' daemon, and it is combined with the testing directory to be
    monitored defined in this module.
  inputs:
  - get_configuration0
  name: test_realtime_unsupported
  parameters:
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - file_monitoring:
      brief: Handle the monitoring of a specified file.
      type: fixture
  - configure_local_internal_options_module:
      brief: Configure the local internal options file.
      type: fixture
  - daemons_handler:
      brief: Handle the Wazuh daemons.
      type: fixture
  tags:
  - realtime
  - scheduled
  wazuh_min_version: 4.2.0
tier: 0
type: integration

 

test_basic_usage_rename.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are modified. Specifically, these tests will check if FIM events of type 'added' and 'deleted' are generated when monitored directories or files are renamed. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 0,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux",
        "windows"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6",
        "Windows 10",
        "Windows 8",
        "Windows 7",
        "Windows Server 2019",
        "Windows Server 2016",
        "Windows Server 2012",
        "Windows Server 2003",
        "Windows XP"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_basic_usage"
    ],
    "name": "test_basic_usage_rename.py",
    "id": 11,
    "group_id": 0,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' daemon detects events when renaming directories or files. When changing directory or file names, FIM events of type 'deleted' and 'added' should be generated. For this purpose, the test will create the directory and testing files to be monitored and verify that they have been created correctly. It will then verify two cases, on the one hand that the proper FIM events are generated when the testing files are renamed in the monitored directory, and on the other hand, that these events are generated when the monitored directory itself is renamed.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "folder": {
                        "type": "str",
                        "brief": "Path to the directory where the files will be created."
                    }
                },
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run test if match with a configuration identifier, skip otherwise."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "clean_directories": {
                        "type": "fixture",
                        "brief": "Delete the contents of the testing directory."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that FIM events of type 'added' and 'deleted' are generated when monitored directories or files are renamed."
            ],
            "input_description": "A test case (ossec_conf) is contained in external YAML file (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon and, it is combined with the testing directories to be monitored defined in this module.",
            "expected_output": [
                "r'.*Sending FIM event: (.+)$' ('added' and 'deleted' events)"
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_rename",
            "inputs": [
                "get_configuration0-/testdir1/subdir-tags_to_apply0",
                "get_configuration0-/testdir2/subdir-tags_to_apply1",
                "get_configuration1-/testdir1/subdir-tags_to_apply0",
                "get_configuration1-/testdir2/subdir-tags_to_apply1",
                "get_configuration2-/testdir1/subdir-tags_to_apply0",
                "get_configuration2-/testdir2/subdir-tags_to_apply1"
            ]
        }
    ]
}

test_basic_usage_rename.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggers
  alerts when these files are modified. Specifically, these tests will check if FIM
  events of type 'added' and 'deleted' are generated when monitored directories or
  files are renamed. The FIM capability is managed by the 'wazuh-syscheckd' daemon,
  which checks configured files for changes to the checksums, permissions, and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <info@wazuh.com>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 0
id: 11
modules:
- fim
name: test_basic_usage_rename.py
os_platform:
- linux
- windows
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
- Windows 10
- Windows 8
- Windows 7
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012
- Windows Server 2003
- Windows XP
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
tags:
- fim_basic_usage
tests:
- assertions:
  - Verify that FIM events of type 'added' and 'deleted' are generated when monitored
    directories or files are renamed.
  description: Check if the 'wazuh-syscheckd' daemon detects events when renaming
    directories or files. When changing directory or file names, FIM events of type
    'deleted' and 'added' should be generated. For this purpose, the test will create
    the directory and testing files to be monitored and verify that they have been
    created correctly. It will then verify two cases: on the one hand, that the proper
    FIM events are generated when the testing files are renamed in the monitored directory,
    and on the other hand, that these events are generated when the monitored directory
    itself is renamed.
  expected_output:
  - r'.*Sending FIM event: (.+)$' ('added' and 'deleted' events)
  input_description: A test case (ossec_conf) is contained in an external YAML file
    (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd'
    daemon, and it is combined with the testing directories to be monitored defined in
    this module.
  inputs:
  - get_configuration0-/testdir1/subdir-tags_to_apply0
  - get_configuration0-/testdir2/subdir-tags_to_apply1
  - get_configuration1-/testdir1/subdir-tags_to_apply0
  - get_configuration1-/testdir2/subdir-tags_to_apply1
  - get_configuration2-/testdir1/subdir-tags_to_apply0
  - get_configuration2-/testdir2/subdir-tags_to_apply1
  name: test_rename
  parameters:
  - folder:
      brief: Path to the directory where the files will be created.
      type: str
  - tags_to_apply:
      brief: Run the test if it matches a configuration identifier, skip otherwise.
      type: set
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - clean_directories:
      brief: Delete the contents of the testing directory.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
tier: 0
type: integration

test_basic_usage_starting_agent.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggers alerts when these files are modified. Specifically, these tests will check if FIM events of type 'modified' and 'deleted' are generated when files that exist before starting the Wazuh agent are modified. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 0,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux",
        "windows"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6",
        "Windows 10",
        "Windows 8",
        "Windows 7",
        "Windows Server 2019",
        "Windows Server 2016",
        "Windows Server 2012",
        "Windows Server 2003",
        "Windows XP"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_basic_usage"
    ],
    "name": "test_basic_usage_starting_agent.py",
    "id": 12,
    "group_id": 0,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' daemon detects 'modified' and 'deleted' events when modifying files that exist before the Wazuh agent is started. For this purpose, the test will modify the testing file, change the system time to the next scheduled scan, and verify that the proper FIM event is generated. Finally, the test will perform the above steps but deleting the testing file.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "filename": {
                        "type": "str",
                        "brief": "Name of the testing file to be modified."
                    }
                },
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run the test if it matches a configuration identifier, skip otherwise."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that FIM events of type 'modified' and 'deleted' are generated when files that exist before starting the Wazuh agent are modified."
            ],
            "input_description": "A test case (ossec_conf) is contained in an external YAML file (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon, and it is combined with the testing directories to be monitored defined in this module.",
            "expected_output": [
                {
                    "r'.*Sending FIM event": "(.+)$' ('modified' and 'deleted' events)"
                }
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_events_from_existing_files",
            "inputs": [
                "get_configuration0-tags_to_apply0-regular0",
                "get_configuration0-tags_to_apply0-regular1",
                "get_configuration0-tags_to_apply0-regular2",
                "get_configuration1-tags_to_apply0-regular0",
                "get_configuration1-tags_to_apply0-regular1",
                "get_configuration1-tags_to_apply0-regular2",
                "get_configuration2-tags_to_apply0-regular0",
                "get_configuration2-tags_to_apply0-regular1",
                "get_configuration2-tags_to_apply0-regular2"
            ]
        }
    ]
}

test_basic_usage_starting_agent.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggers
  alerts when these files are modified. Specifically, these tests will check if FIM
  events of type 'modified' and 'deleted' are generated when files that exist before
  starting the Wazuh agent are modified. The FIM capability is managed by the 'wazuh-syscheckd'
  daemon, which checks configured files for changes to the checksums, permissions,
  and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <info@wazuh.com>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 0
id: 12
modules:
- fim
name: test_basic_usage_starting_agent.py
os_platform:
- linux
- windows
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
- Windows 10
- Windows 8
- Windows 7
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012
- Windows Server 2003
- Windows XP
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
tags:
- fim_basic_usage
tests:
- assertions:
  - Verify that FIM events of type 'modified' and 'deleted' are generated when files
    that exist before starting the Wazuh agent are modified.
  description: Check if the 'wazuh-syscheckd' daemon detects 'modified' and 'deleted'
    events when modifying files that exist before the Wazuh agent is started. For
    this purpose, the test will modify the testing file, change the system time to
    the next scheduled scan, and verify that the proper FIM event is generated. Finally,
    the test will perform the above steps but deleting the testing file.
  expected_output:
  - r'.*Sending FIM event: (.+)$' ('modified' and 'deleted' events)
  input_description: A test case (ossec_conf) is contained in an external YAML file
    (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd'
    daemon, and it is combined with the testing directories to be monitored defined in
    this module.
  inputs:
  - get_configuration0-tags_to_apply0-regular0
  - get_configuration0-tags_to_apply0-regular1
  - get_configuration0-tags_to_apply0-regular2
  - get_configuration1-tags_to_apply0-regular0
  - get_configuration1-tags_to_apply0-regular1
  - get_configuration1-tags_to_apply0-regular2
  - get_configuration2-tags_to_apply0-regular0
  - get_configuration2-tags_to_apply0-regular1
  - get_configuration2-tags_to_apply0-regular2
  name: test_events_from_existing_files
  parameters:
  - filename:
      brief: Name of the testing file to be modified.
      type: str
  - tags_to_apply:
      brief: Run the test if it matches a configuration identifier, skip otherwise.
      type: set
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
tier: 0
type: integration

 

test_basic_usage_wildcards_runtime.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggers alerts when these files are modified. Specifically, these tests will check if FIM monitors newly added directories that match a wildcard used in the configuration. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 0,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux",
        "windows"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6",
        "Windows 10",
        "Windows 8",
        "Windows 7",
        "Windows Server 2019",
        "Windows Server 2016",
        "Windows Server 2012",
        "Windows Server 2003",
        "Windows XP"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_basic_usage"
    ],
    "name": "test_basic_usage_wildcards_runtime.py",
    "id": 14,
    "group_id": 0,
    "tests": [
        {
            "description": "Check if the number of directories to monitor grows when using wildcards to specify them. For this purpose, the test will configure wildcards expressions and create an empty folder. Once the FIM module has started, and the 'baseline' scan is completed, the test will create folders that may match a configured expression, and it waits until the wildcards are expanded again (in the next scan). Once the wildcards are reloaded, the test will create, modify and delete files inside those folders. Finally, the test will wait for events of a folder only if it matches a configured expression.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "subfolder_name": {
                        "type": "str",
                        "brief": "Path to the subdirectory in the monitored folder."
                    }
                },
                {
                    "filename": {
                        "type": "str",
                        "brief": "Name of the testing file that will be created in the subfolder."
                    }
                },
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run the test if it matches a configuration identifier, skip otherwise."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_initial_scan": {
                        "type": "fixture",
                        "brief": "Wait until the first FIM scan is completed."
                    }
                },
                {
                    "create_test_folders": {
                        "type": "fixture",
                        "brief": "Create the testing folders that will match (or not) the configured glob expression."
                    }
                },
                {
                    "wait_for_wildcards_scan": {
                        "type": "fixture",
                        "brief": "Wait until the end of wildcards scan event is triggered."
                    }
                }
            ],
            "assertions": [
                "Verify that FIM monitors newly added directories that match a wildcard used in the configuration."
            ],
            "input_description": "A test case (ossec_conf_wildcards_runtime) is contained in an external YAML file (wazuh_conf_wildcards_rt.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon, and it is combined with the testing directories to be monitored defined in this module.",
            "expected_output": [
                {
                    "r'.*Sending FIM event": "(.+)$' ('added', 'modified' and 'deleted' events)"
                }
            ],
            "tags": [
                "scheduled",
                "who-data"
            ],
            "name": "test_basic_usage_wildcards_runtime",
            "inputs": [
                "get_configuration0-tags_to_apply0-regular_1-simple1",
                "get_configuration0-tags_to_apply0-regular_1-stars123",
                "get_configuration0-tags_to_apply0-regular_1-not_monitored_directory",
                "get_configuration1-tags_to_apply0-regular_1-simple1",
                "get_configuration1-tags_to_apply0-regular_1-stars123",
                "get_configuration1-tags_to_apply0-regular_1-not_monitored_directory",
                "get_configuration2-tags_to_apply0-regular_1-simple1",
                "get_configuration2-tags_to_apply0-regular_1-stars123",
                "get_configuration2-tags_to_apply0-regular_1-not_monitored_directory"
            ]
        }
    ]
}

test_basic_usage_wildcards_runtime.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggers
  alerts when these files are modified. Specifically, these tests will check if FIM
  monitors newly added directories that match a wildcard used in the configuration.
  The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured
  files for changes to the checksums, permissions, and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <info@wazuh.com>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 0
id: 14
modules:
- fim
name: test_basic_usage_wildcards_runtime.py
os_platform:
- linux
- windows
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
- Windows 10
- Windows 8
- Windows 7
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012
- Windows Server 2003
- Windows XP
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
tags:
- fim_basic_usage
tests:
- assertions:
  - Verify that FIM monitors newly added directories that match a wildcard used in
    the configuration.
  description: Check if the number of directories to monitor grows when using wildcards
    to specify them. For this purpose, the test will configure wildcards expressions
    and create an empty folder. Once the FIM module has started, and the 'baseline'
    scan is completed, the test will create folders that may match a configured expression,
    and it waits until the wildcards are expanded again (in the next scan). Once the
    wildcards are reloaded, the test will create, modify and delete files inside those
    folders. Finally, the test will wait for events of a folder only if it matches
    a configured expression.
  expected_output:
  - r'.*Sending FIM event: (.+)$' ('added', 'modified' and 'deleted' events)
  input_description: A test case (ossec_conf_wildcards_runtime) is contained in an external
    YAML file (wazuh_conf_wildcards_rt.yaml) which includes configuration settings
    for the 'wazuh-syscheckd' daemon, and it is combined with the testing directories
    to be monitored defined in this module.
  inputs:
  - get_configuration0-tags_to_apply0-regular_1-simple1
  - get_configuration0-tags_to_apply0-regular_1-stars123
  - get_configuration0-tags_to_apply0-regular_1-not_monitored_directory
  - get_configuration1-tags_to_apply0-regular_1-simple1
  - get_configuration1-tags_to_apply0-regular_1-stars123
  - get_configuration1-tags_to_apply0-regular_1-not_monitored_directory
  - get_configuration2-tags_to_apply0-regular_1-simple1
  - get_configuration2-tags_to_apply0-regular_1-stars123
  - get_configuration2-tags_to_apply0-regular_1-not_monitored_directory
  name: test_basic_usage_wildcards_runtime
  parameters:
  - subfolder_name:
      brief: Path to the subdirectory in the monitored folder.
      type: str
  - filename:
      brief: Name of the testing file that will be created in the subfolder.
      type: str
  - tags_to_apply:
      brief: Run the test if it matches a configuration identifier, skip otherwise.
      type: set
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_initial_scan:
      brief: Wait until the first FIM scan is completed.
      type: fixture
  - create_test_folders:
      brief: Create the testing folders that will match (or not) the configured glob
        expression.
      type: fixture
  - wait_for_wildcards_scan:
      brief: Wait until the end of wildcards scan event is triggered.
      type: fixture
  tags:
  - scheduled
  - who-data
  wazuh_min_version: 4.2.0
tier: 0
type: integration

 

test_basic_usage_wildcards.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggers alerts when these files are modified. Specifically, these tests will check if FIM monitors newly added directories that match a wildcard used in the configuration. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 0,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux",
        "windows"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6",
        "Windows 10",
        "Windows 8",
        "Windows 7",
        "Windows Server 2019",
        "Windows Server 2016",
        "Windows Server 2012",
        "Windows Server 2003",
        "Windows XP"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_basic_usage"
    ],
    "name": "test_basic_usage_wildcards.py",
    "id": 13,
    "group_id": 0,
    "tests": [
        {
            "description": "Check if the number of directories to monitor grows when using wildcards to specify them. For this purpose, the test creates a set of directories that match the wildcard expressions and ones that do not match the expressions set in the directories to be monitored. Then, the test will create, modify and delete files inside a folder given as an argument. Finally, the test will wait for events only if the folder where the changes are made matches the expression previously set in the 'wazuh-syscheckd' daemon configuration.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "subfolder_name": {
                        "type": "str",
                        "brief": "Path to the subdirectory in the monitored folder."
                    }
                },
                {
                    "filename": {
                        "type": "str",
                        "brief": "Name of the testing file that will be created in the subfolder."
                    }
                },
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run the test if it matches a configuration identifier, skip otherwise."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait until the first FIM scan is completed."
                    }
                }
            ],
            "assertions": [
                "Verify that FIM monitors newly added directories that match a wildcard used in the configuration."
            ],
            "input_description": "A test case (ossec_conf_wildcards) is contained in an external YAML file (wazuh_conf_wildcards.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon, and it is combined with the testing directories to be monitored defined in this module.",
            "expected_output": [
                {
                    "r'.*Sending FIM event": "(.+)$' ('added', 'modified' and 'deleted' events)"
                }
            ],
            "tags": [
                "scheduled"
            ],
            "name": "test_basic_usage_wildcards",
            "inputs": [
                "get_configuration0-tags_to_apply0-regular_1-simple1",
                "get_configuration0-tags_to_apply0-regular_1-stars123",
                "get_configuration0-tags_to_apply0-regular_1-not_monitored_directory",
                "get_configuration1-tags_to_apply0-regular_1-simple1",
                "get_configuration1-tags_to_apply0-regular_1-stars123",
                "get_configuration1-tags_to_apply0-regular_1-not_monitored_directory",
                "get_configuration2-tags_to_apply0-regular_1-simple1",
                "get_configuration2-tags_to_apply0-regular_1-stars123",
                "get_configuration2-tags_to_apply0-regular_1-not_monitored_directory"
            ]
        }
    ]
}

test_basic_usage_wildcards.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggers
  alerts when these files are modified. Specifically, these tests will check if FIM
  monitors newly added directories that match a wildcard used in the configuration.
  The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured
  files for changes to the checksums, permissions, and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <info@wazuh.com>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 0
id: 13
modules:
- fim
name: test_basic_usage_wildcards.py
os_platform:
- linux
- windows
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
- Windows 10
- Windows 8
- Windows 7
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012
- Windows Server 2003
- Windows XP
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
tags:
- fim_basic_usage
tests:
- assertions:
  - Verify that FIM monitors newly added directories that match a wildcard used in
    the configuration.
  description: Check if the number of directories to monitor grows when using wildcards
    to specify them. For this purpose, the test creates a set of directories that
    match the wildcard expressions and ones that do not match the expressions set
    in the directories to be monitored. Then, the test will create, modify and delete
    files inside a folder given as an argument. Finally, the test will wait for events
    only if the folder where the changes are made matches the expression previously
    set in the 'wazuh-syscheckd' daemon configuration.
  expected_output:
  - r'.*Sending FIM event: (.+)$' ('added', 'modified' and 'deleted' events)
  input_description: A test case (ossec_conf_wildcards) is contained in an external
    YAML file (wazuh_conf_wildcards.yaml) which includes configuration settings for
    the 'wazuh-syscheckd' daemon, and it is combined with the testing directories to
    be monitored that are defined in this module.
  inputs:
  - get_configuration0-tags_to_apply0-regular_1-simple1
  - get_configuration0-tags_to_apply0-regular_1-stars123
  - get_configuration0-tags_to_apply0-regular_1-not_monitored_directory
  - get_configuration1-tags_to_apply0-regular_1-simple1
  - get_configuration1-tags_to_apply0-regular_1-stars123
  - get_configuration1-tags_to_apply0-regular_1-not_monitored_directory
  - get_configuration2-tags_to_apply0-regular_1-simple1
  - get_configuration2-tags_to_apply0-regular_1-stars123
  - get_configuration2-tags_to_apply0-regular_1-not_monitored_directory
  name: test_basic_usage_wildcards
  parameters:
  - subfolder_name:
      brief: Path to the subdirectory in the monitored folder.
      type: str
  - filename:
      brief: Name of the testing file that will be created in the subfolder.
      type: str
  - tags_to_apply:
      brief: Run the test if it matches a configuration identifier, skip it otherwise.
      type: set
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait until the first FIM scan is completed.
      type: fixture
  tags:
  - scheduled
  wazuh_min_version: 4.2.0
tier: 0
type: integration

Tests

  • Python codebase satisfies the PEP-8 style guide. pycodestyle --max-line-length=120 --show-source --show-pep8 file.py.
  • The DocGenerator sanity check test does not return errors. python3 DocGenerator.py -s
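The generated documentation above describes the two decisions test_basic_usage_wildcards.py makes: whether a folder is covered by a wildcard entry in the 'wazuh-syscheckd' configuration (and therefore whether events should be awaited at all), and whether the 'added', 'modified' and 'deleted' events actually appear in 'ossec.log' under the expected_output regex. The following Python block is an added example that models both checks; it is not code from the wazuh-qa repository or from this PR. It assumes shell-style globbing matched per path component for the wildcard entries and a JSON payload with data.path and data.type after 'Sending FIM event:'; the patterns and log lines it uses are constructed for the example.

```python
"""Added example, not code from the wazuh-qa repository or this PR.

Models the two checks that test_basic_usage_wildcards.py documents:
(1) whether a directory is covered by a wildcard entry in the 'wazuh-syscheckd'
    configuration, so the test knows whether to wait for events at all; and
(2) extraction of 'added' / 'modified' / 'deleted' events from 'ossec.log' with the
    test's expected_output regex r'.*Sending FIM event: (.+)$'.

Assumptions (not taken from wazuh-syscheckd source):
  - wildcard entries use shell-style globbing, matched per path component;
  - the payload after 'Sending FIM event:' is JSON with data.path and data.type.
The sample patterns and log lines below are constructed for the example.
"""
import fnmatch
import json
import posixpath
import re
from typing import Iterable, List, Tuple

# Regex copied from the test's expected_output.
FIM_EVENT_RE = re.compile(r'.*Sending FIM event: (.+)$')

# Constructed wildcard entries, named after the test's 'simple1' / 'stars123' inputs.
PATTERNS = ['/testdir/simple?', '/testdir/stars*']


def _dir_matches(directory: str, pattern: str) -> bool:
    """Per-component glob match, so '*' never crosses a '/' (assumption)."""
    d_parts = posixpath.normpath(directory).strip('/').split('/')
    p_parts = posixpath.normpath(pattern).strip('/').split('/')
    return len(d_parts) == len(p_parts) and all(
        fnmatch.fnmatchcase(d, p) for d, p in zip(d_parts, p_parts))


def is_monitored(path: str, patterns: Iterable[str]) -> bool:
    """True if `path` or one of its ancestors matches a configured wildcard."""
    cur = posixpath.normpath(path)
    while True:
        if any(_dir_matches(cur, pat) for pat in patterns):
            return True
        parent = posixpath.dirname(cur)
        if parent == cur:          # reached '/' without a match
            return False
        cur = parent


def fim_events(log_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """(path, event type) for every 'Sending FIM event' line, in log order."""
    events = []
    for line in log_lines:
        m = FIM_EVENT_RE.match(line)
        if not m:
            continue
        data = json.loads(m.group(1)).get('data', {})
        events.append((data.get('path'), data.get('type')))
    return events


def expected_events(subfolder: str, filename: str, patterns: Iterable[str]) -> List[str]:
    """What the test waits for: the three events if the folder is monitored, else none."""
    target = posixpath.join(subfolder, filename)
    if not is_monitored(target, patterns):
        return []
    return ['added', 'modified', 'deleted']


def run_case(log_lines: Iterable[str], subfolder: str, filename: str,
             patterns: Iterable[str] = PATTERNS) -> bool:
    """Compare the events seen for the test file against the expectation."""
    target = posixpath.join(subfolder, filename)
    observed = [etype for path, etype in fim_events(log_lines) if path == target]
    return observed == expected_events(subfolder, filename, patterns)


# Constructed log excerpt (not captured from a real agent): one full create/modify/delete
# cycle for a file under a monitored wildcard directory, plus unrelated noise lines.
SAMPLE_LOG = [
    'wazuh-syscheckd: INFO: Starting scheduled scan.',
    'wazuh-syscheckd: DEBUG: Sending FIM event: {"type": "event", "data": '
    '{"path": "/testdir/simple1/regular_1", "mode": "scheduled", "type": "added"}}',
    'wazuh-syscheckd: DEBUG: Sending FIM event: {"type": "event", "data": '
    '{"path": "/testdir/simple1/regular_1", "mode": "scheduled", "type": "modified"}}',
    'wazuh-syscheckd: DEBUG: Sending FIM event: {"type": "event", "data": '
    '{"path": "/testdir/simple1/regular_1", "mode": "scheduled", "type": "deleted"}}',
    'wazuh-syscheckd: INFO: Scheduled scan ended.',
]

if __name__ == '__main__':
    for folder in ('/testdir/simple1', '/testdir/stars123', '/testdir/not_monitored_directory'):
        print(folder,
              'monitored' if is_monitored(folder, PATTERNS) else 'not monitored',
              '| case passes' if run_case(SAMPLE_LOG, folder, 'regular_1') else '| case fails')
```

Run stand-alone, the script reports 'simple1' as monitored with a passing case, 'not_monitored_directory' as not monitored with a passing case (no events expected and none seen), and 'stars123' as monitored but failing, which is the situation the real test turns into a timeout while waiting for events that never arrive.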

…Docs style

The current scheme of the issue #1694 has been used.
PEP-8 fixes.

Related: #1796
…Docs style

Migrate documentation for the new test:
  * test_basic_usage_realtime_unsupported.py
The current scheme of the issue #1694 has been used.
PEP-8 fixes.

Related: #1796
@mdengra mdengra self-assigned this Oct 25, 2021
@mdengra mdengra requested a review from snaow October 25, 2021 13:53
@snaow snaow merged commit bc36aa5 into master Nov 2, 2021
@snaow snaow deleted the 1796-migrate-doc-test_fim_basic_usage branch November 2, 2021 19:49
@snaow snaow mentioned this pull request Jan 27, 2022