Migrate test_registry_checks, test_registry_ignore, and test_registry_nodiff of test_fim/test_registry documentation to qa-docs #2125

Merged
@@ -1,7 +1,59 @@
# Copyright (C) 2015-2021, Wazuh Inc.
# Created by Wazuh, Inc. <info@wazuh.com>.
# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2

'''
copyright: Copyright (C) 2015-2021, Wazuh Inc.

Created by Wazuh, Inc. <info@wazuh.com>.

This program is free software; you can redistribute it and/or modify it under the terms of GPLv2

type: integration

brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when
these files are modified. Specifically, these tests will check if FIM events generated
contain only the 'check_' fields specified in the configuration when using the 'check_'
attributes individually and use the 'check_all=no' attribute.
The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured
files for changes to the checksums, permissions, and ownership.

tier: 1

modules:
- fim

components:
- agent

daemons:
- wazuh-syscheckd

os_platform:
- windows

os_version:
- Windows 10
- Windows 8
- Windows 7
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012
- Windows Server 2003
- Windows XP

references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#windows-registry

pytest_args:
- fim_mode:
realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
1: Only level 1 tests are performed, they check functionalities of medium complexity.
2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.

tags:
- fim_registry_checks
'''
import os

import pytest
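Review bot: the 'brief' block has a grammar slip and a scope mismatch. 'watches selected files and triggering alerts when these files are modified' should read 'watches selected files and triggers alerts when they are modified', and since this module documents Windows registry tests (os_platform: windows, the windows-registry reference link), the brief should name registry keys rather than only files. The second sentence is also hard to parse; suggest: 'these tests check that the generated FIM events contain only the 'check_' fields specified in the configuration when individual 'check_' attributes are combined with 'check_all=no'.'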
Expand Down Expand Up @@ -81,27 +133,66 @@ def get_configuration(request):
params_list)
def test_check_others(key, subkey, key_attr, value_attr, triggers_key_modification, triggers_value_modification,
get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start):
"""
Test the behavior disabling different check options over the same key with check_all enabled.

Example:
check_all: "yes" check_size: "no" check_sum: "no".

Parameters
----------
key: str
key of the directory (HKEY_* constants).
subkey: str
Path of the subkey.
key_attr: set
Set of options that are expected for key events.
value_attr: set
Set of options that are expected for value events.
triggers_key_modification: boolean
Specify if the given options generate key events.
triggers_value_modification: boolean
Specify if the given options generate value events.
"""
'''
description: Check if the 'wazuh-syscheckd' daemon adds in the generated events the 'check_' specified in
the configuration. These checks are attributes indicating that a monitored registry entry has
been modified. For example, if 'check_all=no' and 'check_sum=yes' are set for the same entry,
'syscheck' must send an event containing only the checksums.
For this purpose, the test will monitor a registry key using the 'check_all=no' attribute
(in order to avoid using the default 'check_all' configuration) in conjunction with several
'check_' on the same key. Then it will make key/value operations inside it, and finally,
the test will verify that FIM events generated contain only the fields of the 'check_' specified
for the monitored keys/values.

wazuh_min_version: 4.2.0

parameters:
- key:
type: str
brief: Path of the registry root key (HKEY_* constants).
- subkey:
type: str
brief: Path of the key that will be created under the root key.
- key_attr:
type: set
brief: Set of options that are expected for key events.
- value_attr:
type: set
brief: Set of options that are expected for value events.
- triggers_key_modification:
type: bool
brief: Specify if the given options generate key events.
- triggers_value_modification:
type: bool
brief: Specify if the given options generate value events.
- get_configuration:
type: fixture
brief: Get configurations from the module.
- configure_environment:
type: fixture
brief: Configure a custom environment for testing.
- restart_syscheckd:
type: fixture
brief: Clear the 'ossec.log' file and start a new monitor.
- wait_for_fim_start:
type: fixture
brief: Wait for realtime start, whodata start, or end of initial FIM scan.

assertions:
- Verify that the FIM events generated contain only the 'check_' fields specified in the configuration.

input_description: A test case (test_others) is contained in an external YAML file
(wazuh_check_others.yaml) which includes configuration settings for
the 'wazuh-syscheckd' daemon. That is combined with the testing registry
keys to be monitored defined in the module.

expected_output:
- r'.*Sending FIM event: (.+)$' ('added', 'modified', and 'deleted' events)

tags:
- scheduled
- time_travel
'''
check_apply_test({'test_others'}, get_configuration['tags'])
# Test registry keys.
registry_key_cud(key, subkey, wazuh_log_monitor, min_timeout=global_parameters.default_timeout, options=key_attr,
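Review bot: in 'description', 'adds in the generated events the 'check_' specified in the configuration' is missing its noun; suggest 'adds to the generated events the 'check_' attributes specified in the configuration'. Also, 'tags' here lists 'scheduled' and 'time_travel', while the module-level 'pytest_args' (fim_mode) in the first hunk documents only 'realtime' and 'whodata'; if the scheduled mode is a valid fim_mode value for this test, it should be listed there as well so the generated docs agree with the test tags.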
@@ -1,7 +1,59 @@
# Copyright (C) 2015-2021, Wazuh Inc.
# Created by Wazuh, Inc. <info@wazuh.com>.
# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2

'''
copyright: Copyright (C) 2015-2021, Wazuh Inc.

Created by Wazuh, Inc. <info@wazuh.com>.

This program is free software; you can redistribute it and/or modify it under the terms of GPLv2

type: integration

brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these
files are modified. Specifically, these tests will check if FIM events generated contain only
the 'check_' fields specified in the configuration when using the 'check_all' attribute along
with other 'check_' attributes.
The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured
files for changes to the checksums, permissions, and ownership.

tier: 1

modules:
- fim

components:
- agent

daemons:
- wazuh-syscheckd

os_platform:
- windows

os_version:
- Windows 10
- Windows 8
- Windows 7
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012
- Windows Server 2003
- Windows XP

references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#windows-registry

pytest_args:
- fim_mode:
realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
1: Only level 1 tests are performed, they check functionalities of medium complexity.
2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.

tags:
- fim_registry_checks
'''
import os

import pytest
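Review bot: same 'brief' wording issue as in the first file: 'watches selected files and triggering alerts' is ungrammatical (should be 'triggers alerts'), and the tests target registry keys, so 'files' understates the scope. Since this paragraph duplicates the first module's brief almost verbatim, consider correcting both with identical wording so the generated qa-docs stay consistent.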
Expand Down Expand Up @@ -112,30 +164,68 @@ def get_configuration(request):
])
def test_checkers(key, subkey, arch, key_attrs, value_attrs, tags_to_apply, triggers_modification,
get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start):
"""
Test the functionality of `check_all` option is activated/desactivated alone and together with other
`check_*` options.

Example:
<windows_registry check_all="yes">HKEY_SOME_KEY</windows_registry>.
Parameters
----------
key: str
Root key (HKEY_* constants).
subkey: str
Path of the key.
arch: int
Architecture of the key.
key_attrs: set
Attributes for the key events.
value_attrs: set
Attributes for the value events.
tags_to_apply: set
Configuration that will be applied for every case.
triggers_modification: boolean
True if the given attributes trigger modification events.
"""

'''
description: Check if the 'wazuh-syscheckd' daemon adds in the generated events the 'check_' specified in
the configuration. These checks are attributes indicating that a monitored registry entry has
been modified. For example, if 'check_all=yes' and 'check_sum=no' are set for the same entry,
'syscheck' must send an event containing every possible 'check_' except the checksums.
For this purpose, the test will monitor a registry key using the 'check_all' attribute in
conjunction with one or more 'check_' on the same key, having 'check_all' to 'yes' and the other
one to 'no'. Then it will make key/value operations inside it, and finally, finally, the test
will verify that the FIM events generated contain only the fields of the 'checks' specified for
the monitored keys/values.

wazuh_min_version: 4.2.0

parameters:
- key:
type: str
brief: Path of the registry root key (HKEY_* constants).
- subkey:
type: str
brief: Path of the key that will be created under the root key.
- arch:
type: str
brief: Architecture of the registry.
- key_attr:
type: set
brief: Set of options that are expected for key events.
- value_attr:
type: set
brief: Set of options that are expected for value events.
- tags_to_apply:
type: set
brief: Run test if match with a configuration identifier, skip otherwise.
- triggers_modification:
type: bool
brief: Specify if the given options generate registry events.
- get_configuration:
type: fixture
brief: Get configurations from the module.
- configure_environment:
type: fixture
brief: Configure a custom environment for testing.
- restart_syscheckd:
type: fixture
brief: Clear the 'ossec.log' file and start a new monitor.
- wait_for_fim_start:
type: fixture
brief: Wait for realtime start, whodata start, or end of initial FIM scan.

assertions:
- Verify that the FIM events generated contain only the 'check_' fields specified in the configuration.

input_description: Different test cases are contained in an external YAML file (wazuh_check_all.yaml)
which includes configuration settings for the 'wazuh-syscheckd' daemon. Those are
combined with the testing registry keys to be monitored defined in the module.

expected_output:
- r'.*Sending FIM event: (.+)$' ('added', 'modified', and 'deleted' events)

tags:
- scheduled
- time_travel
'''
check_apply_test(tags_to_apply, get_configuration['tags'])

# Test registry keys.
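Review bot: the 'parameters' block does not match the function signature or the removed docstring. The signature is `def test_checkers(key, subkey, arch, key_attrs, value_attrs, tags_to_apply, triggers_modification, ...)` but the docs list `key_attr` and `value_attr` (singular), and `arch` is documented as `type: str` whereas the removed docstring had `arch: int` ('Architecture of the key'), so one of the two is wrong and should be verified against the parametrization. Minor: 'and finally, finally, the test' repeats a word.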