Add SCA Test support

CHANGELOG.md

@@ -6,6 +6,7 @@ All notable changes to this project will be documented in this file.
 
 ### Added
 
+- New 'SCA' test suite and framework. ([#3566](https://github.com/wazuh/wazuh-qa/pull/3566)) \- (Framework + Tests)
 - Add integration tests for AWS module. ([#3911](https://github.com/wazuh/wazuh-qa/pull/3911)) \- (Framework + Tests + Documentation)
 - Add tests for msu patches with no associated CVE . ([#4009](https://github.com/wazuh/wazuh-qa/pull/4009)) \- (Framework + Tests)
 - Add tests with new options to avoid FIM synchronization overlapping. ([#3318](https://github.com/wazuh/wazuh-qa/pull/3318)) \- (Framework + tests)

deps/wazuh_testing/wazuh_testing/__init__.py

@@ -22,7 +22,6 @@
     LOG_FILE_PATH = os.path.join(WAZUH_PATH, 'logs', 'ossec.log')
     SYSCOLLECTOR_DB_PATH = os.path.join(WAZUH_PATH, 'queue', 'syscollector', 'db', 'local.db')
 
-
 WAZUH_CONF_PATH = os.path.join(WAZUH_PATH, 'etc', 'ossec.conf')
 WAZUH_LOGS_PATH = os.path.join(WAZUH_PATH, 'logs')
 CLIENT_KEYS_PATH = os.path.join(WAZUH_PATH, 'etc' if platform.system() == 'Linux' else '', 'client.keys')
@@ -40,12 +39,12 @@
 API_JSON_LOG_FILE_PATH = os.path.join(WAZUH_PATH, 'logs', 'api.json')
 API_LOG_FOLDER = os.path.join(WAZUH_PATH, 'logs', 'api')
 WAZUH_TESTING_PATH = os.path.dirname(os.path.abspath(__file__))
+CIS_RULESET_PATH = os.path.join(WAZUH_PATH, 'ruleset', 'sca')
 WAZUH_TESTING_DATA_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data')
 DEFAULT_AUTHD_PASS_PATH = os.path.join(WAZUH_PATH, 'etc', 'authd.pass')
 TEMPLATE_DIR = 'configuration_template'
 TEST_CASES_DIR = 'test_cases'
 
-
 # Daemons
 LOGCOLLECTOR_DAEMON = 'wazuh-logcollector'
 AGENTLESS_DAEMON = 'wazuh-agentlessd'
@@ -79,6 +78,7 @@
 
 
 # Local internal options
+MODULESD_DEBUG = 'wazuh_modules.debug'
 WINDOWS_DEBUG = 'windows.debug'
 SYSCHECK_DEBUG = 'syscheck.debug'
 VERBOSE_DEBUG_OUTPUT = 2

deps/wazuh_testing/wazuh_testing/modules/sca/__init__.py

@@ -0,0 +1,11 @@
+# Copyright (C) 2015-2023, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+from wazuh_testing import MODULESD_DEBUG, VERBOSE_DEBUG_OUTPUT
+
+# Variables
+TEMP_FILE_PATH = '/tmp'
+
+# Setting Local_internal_option file
+SCA_DEFAULT_LOCAL_INTERNAL_OPTIONS = {MODULESD_DEBUG: str(VERBOSE_DEBUG_OUTPUT)}

deps/wazuh_testing/wazuh_testing/modules/sca/event_monitor.py

@@ -0,0 +1,138 @@
+# Copyright (C) 2015-2022, Wazuh Inc.
+# Created by Wazuh, Inc. <info@wazuh.com>.
+# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+import re
+import json
+
+from wazuh_testing import T_60, T_10, T_20
+from wazuh_testing.tools import LOG_FILE_PATH
+from wazuh_testing.modules import sca
+from wazuh_testing.tools.monitoring import FileMonitor, generate_monitoring_callback
+
+# Callback Messages
+CB_SCA_ENABLED = r".*sca.*INFO: (Module started.)"
+CB_SCA_DISABLED = r".*sca.*INFO: (Module disabled). Exiting."
+CB_SCA_SCAN_STARTED = r".*sca.*INFO: (Starting Security Configuration Assessment scan)."
+CB_SCA_SCAN_ENDED = r".*sca.*INFO: Security Configuration Assessment scan finished. Duration: (\d+) seconds."
+CB_SCA_OSREGEX_ENGINE = r".*sca.*DEBUG: SCA will use '(.*)' engine to check the rules."
+CB_POLICY_EVALUATION_FINISHED = r".*sca.*INFO: Evaluation finished for policy '(.*)'."
+CB_SCAN_DB_DUMP_FINISHED = r".*sca.*DEBUG: Finished dumping scan results to SCA DB for policy '(.*)'.*"
+CB_SCAN_RULE_RESULT = r".*sca.*wm_sca_hash_integrity.*DEBUG: ID: (\d+); Result: '(.*)'"
+CB_SCA_SCAN_EVENT = r".*sca_send_alert.*Sending event: (.*)"
+
+
+# Error Messages
+ERR_MSG_REGEX_ENGINE = "Did not receive the expected 'SCA will use '.*' engine to check the rules' event"
+ERR_MSG_ID_RESULTS = 'Expected sca_has_integrity result events not found'
+ERR_MSG_SCA_SUMMARY = 'Expected SCA Scan Summary type event not found.'
+
+
+# Callback functions
+def callback_scan_id_result(line):
+    '''Callback that returns the ID an result of a SCA check
+    Args:
+        line (str): line string to check for match.
+    '''
+    match = re.match(CB_SCAN_RULE_RESULT, line)
+    if match:
+        return [match.group(1), match.group(2)]
+
+
+def callback_detect_sca_scan_summary(line):
+    '''Callback that return the json from a SCA summary event.
+    Args:
+        line (str): line string to check for match.
+    '''
+    match = re.match(CB_SCA_SCAN_EVENT, line)
+    if match:
+        if json.loads(match.group(1))['type'] == 'summary':
+            return json.loads(match.group(1))
+
+
+# Event check functions
+def check_sca_event(file_monitor=None, callback='.*', error_message=None, update_position=False,
+                    timeout=T_60, accum_results=1, file_to_monitor=LOG_FILE_PATH):
+    """Check if a sca event occurs
+
+    Args:
+        file_monitor (FileMonitor): FileMonitor object to monitor the file content.
+        callback (str): log regex to check in Wazuh log
+        error_message (str): error message to show in case of expected event does not occur
+        update_position (boolean): filter configuration parameter to search in Wazuh log
+        timeout (str): timeout to check the event in Wazuh log
+        accum_results (int): Accumulation of matches.
+        file_to_monitor (str): Path of the file where to check for the expected events
+    """
+    file_monitor = FileMonitor(file_to_monitor) if file_monitor is None else file_monitor
+    error_message = f"Expected event to found in {file_to_monitor}: {callback}" if error_message is None else \
+                    error_message
+
+    file_monitor.start(timeout=timeout, update_position=update_position, accum_results=accum_results,
+                       callback=generate_monitoring_callback(callback), error_message=error_message)
+
+
+def check_sca_enabled(file_monitor=None):
+    """Check if the sca module is enabled
+    Args:
+        file_monitor (FileMonitor): FileMonitor object to monitor the file content.
+    """
+    check_sca_event(callback=CB_SCA_ENABLED, timeout=T_10, file_monitor=file_monitor)
+
+
+def check_sca_disabled(file_monitor=None):
+    """Check if the sca module is disabled
+    Args:
+        file_monitor (FileMonitor): FileMonitor object to monitor the file content.
+    """
+    check_sca_event(callback=CB_SCA_DISABLED, timeout=T_10, file_monitor=file_monitor)
+
+
+def check_sca_scan_started(file_monitor=None):
+    """Check if the sca scan has started
+    Args:
+        file_monitor (FileMonitor): FileMonitor object to monitor the file content.
+    """
+    check_sca_event(callback=CB_SCA_SCAN_STARTED, timeout=T_10, file_monitor=file_monitor)
+
+
+def check_sca_scan_ended(file_monitor=None):
+    """Check if the sca scan has ended
+    Args:
+        file_monitor (FileMonitor): FileMonitor object to monitor the file content.
+    """
+    check_sca_event(callback=CB_SCA_SCAN_ENDED, timeout=T_10, file_monitor=file_monitor)
+
+
+def get_scan_regex_engine(file_monitor=None):
+    """Check returns the regex engine used on a SCA scan.
+    Args:
+        file_monitor (FileMonitor): FileMonitor object to monitor the file content.
+    """
+    file_monitor = FileMonitor(LOG_FILE_PATH) if file_monitor is None else file_monitor
+    engine = file_monitor.start(callback=generate_monitoring_callback(CB_SCA_OSREGEX_ENGINE), timeout=T_10,
+                                error_message=ERR_MSG_REGEX_ENGINE, update_position=False).result()
+    return engine
+
+
+def get_sca_scan_rule_id_results(file_monitor=None, results_num=1):
+    """Check the expected ammount of check results have been recieved
+    Args:
+        file_monitor (FileMonitor): FileMonitor object to monitor the file content.
+        results_num (int): Ammount of rule check results that should be recieved.
+    """
+    file_monitor = FileMonitor(LOG_FILE_PATH) if file_monitor is None else file_monitor
+    results = file_monitor.start(callback=callback_scan_id_result, timeout=T_20, accum_results=results_num,
+                                 error_message=ERR_MSG_ID_RESULTS).result()
+    return results
+
+
+def get_sca_scan_summary(file_monitor=None):
+    """Get the scan summary event
+    Args:
+        file_monitor (FileMonitor): FileMonitor object to monitor the file content.
+    """
+    file_monitor = FileMonitor(LOG_FILE_PATH) if file_monitor is None else file_monitor
+    results = file_monitor.start(callback=callback_detect_sca_scan_summary, timeout=T_20,
+                                 error_message=ERR_MSG_SCA_SUMMARY).result()
+    return results

deps/wazuh_testing/wazuh_testing/tools/file.py

@@ -286,6 +286,30 @@ def remove_file(file_path):
             delete_path_recursively(file_path)
 
 
+def copy_files_in_folder(src_folder, dst_folder='/tmp', files_to_move=None):
+    """Copy files from a folder to target folder
+
+    Args:
+        src_folder (str): directory path from where to copy files.
+        dst_folder (str): directory path where files will be copied to.
+        files_to_move (list): List with files to move copy from a folder.
+    """
+    file_list = []
+    if os.path.isdir(src_folder):
+        if files_to_move is None:
+            for file in os.listdir(src_folder):
+                file_list.append(file)
+                copy(os.path.join(src_folder, file), dst_folder)
+                remove_file(os.path.join(src_folder, file))
+        else:
+            for file in files_to_move:
+                if os.path.isfile(os.path.join(src_folder, file)):
+                    file_list.append(file)
+                    copy(os.path.join(src_folder, file), dst_folder)
+                    remove_file(os.path.join(src_folder, file))
+    return file_list
+
+
 def modify_all_files_in_folder(folder_path, data):
     """Write data into all files in a folder
     Args:

tests/integration/conftest.py

@@ -604,7 +604,7 @@ def configure_local_internal_options_module(request):
     conf.set_local_internal_options_dict(backup_local_internal_options)
 
 
-@pytest.fixture(scope='function')
+@pytest.fixture()
 def configure_local_internal_options_function(request):
     """Fixture to configure the local internal options file.
 

tests/integration/test_sca/conftest.py

@@ -0,0 +1,53 @@
+import os
+import pytest
+
+from wazuh_testing import LOG_FILE_PATH, CIS_RULESET_PATH
+from wazuh_testing.modules import sca
+from wazuh_testing.modules.sca import event_monitor as evm
+from wazuh_testing.tools.file import copy, delete_file, copy_files_in_folder, delete_path_recursively
+from wazuh_testing.tools.monitoring import FileMonitor
+
+
+# Variables
+TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data')
+
+
+# Fixtures
+@pytest.fixture()
+def wait_for_sca_enabled():
+    '''
+    Wait for the sca module to start.
+    '''
+    wazuh_monitor = FileMonitor(LOG_FILE_PATH)
+    evm.check_sca_enabled(wazuh_monitor)
+
+
+@pytest.fixture()
+def prepare_cis_policies_file(metadata):
+    '''
+    Copies policy file from named by metadata into agent's ruleset path. Deletes file after test.
+    Args:
+        metadata (dict): contains the test metadata. Must contain policy_file key with file name.
+    '''
+    files_to_restore = copy_files_in_folder(src_folder=CIS_RULESET_PATH, dst_folder=sca.TEMP_FILE_PATH)
+    filename = metadata['policy_file']
+    filepath = os.path.join(TEST_DATA_PATH, 'policies', filename)
+    copy(filepath, CIS_RULESET_PATH)
+    yield
+    copy_files_in_folder(src_folder=sca.TEMP_FILE_PATH, dst_folder=CIS_RULESET_PATH, files_to_move=files_to_restore)
+    delete_file(os.path.join(CIS_RULESET_PATH, filename))
+
+
+@pytest.fixture()
+def prepare_test_folder(folder_path='/testfile', mode=0o666):
+    '''
+    Creates folder with a given mode.
+    Args:
+        folder_path (str): path for the folder to create
+        mode (int): mode to be used for folder creation.
+    '''
+    os.makedirs(folder_path, mode, exist_ok=True)
+
+    yield
+
+    delete_path_recursively(folder_path)

tests/integration/test_sca/data/configuration_template/configuration_sca.yaml

@@ -0,0 +1,30 @@
+- sections:
+    - section: sca
+      elements:
+        - enabled:
+            value: ENABLED
+        - scan_on_start:
+            value: 'yes'
+        - interval:
+            value: INTERVAL
+        - policies:
+            elements:
+              - policy:
+                  value: POLICY_FILE
+
+    - section: rootcheck
+      elements:
+        - disabled:
+            value: 'yes'
+
+    - section: syscheck
+      elements:
+        - disabled:
+            value: 'yes'
+
+    - section: wodle
+      attributes:
+        - name: syscollector
+      elements:
+        - disabled:
+            value: 'yes'

tests/integration/test_sca/data/policies/cis_centos8_osregex.yaml

@@ -0,0 +1,56 @@
+policy:
+  id: cis_centos8_osregex
+  file: cis_centos8_osregex
+  name: CIS Benchmark for CentOS Linux 8
+  description: This is mock file for checking CIS SCA compliance on centos 8 systems
+  references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/index.html
+
+requirements:
+  title: Check Centos 8 family platform
+  description: Requirements for running the policy against CentOS 8 family.
+  condition: any
+  rules:
+    - f:/etc/os-release -> r:Centos
+    - f:/proc/sys/kernel/ostype -> Linux
+
+checks:
+
+  # Check with default value - OS_REGEX
+  - id: 1
+    title: Test_1
+    description: Test osregex regex engine with osregex rules
+    rationale: Test_1
+    remediation: Run osregex
+    compliance:
+      - cis: [1.8.1.5]
+      - cis_csc: ["5.1"]
+      - pci_dss: [10.2.5]
+      - hipaa: [164.312.b]
+      - nist_800_53: [AU.14, AC.7]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: [CC6.1, CC6.8, CC7.2, CC7.3, CC7.4]
+    condition: all
+    rules:
+      - c:stat -L /etc/issue -> r:Access:\s*\(0644/-rw-r--r--\)\s*Uid:\s*\(\s*\t*0/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0/\s*\t*root\)
+
+  # Check with PCRE2 value
+  - id: 2
+    title: Test_2
+    description: Test osregex regex engine with pcre2 rules
+    rationale: Test_2
+    remediation: Run pcre2
+    compliance:
+      - cis: [1.7.5]
+      - cis_csc: ["5.1"]
+      - pci_dss: [10.2.5]
+      - hipaa: [164.312.b]
+      - nist_800_53: [AU.14, AC.7]
+      - gpg_13: ["7.8"]
+      - gdpr_IV: ["35.7", "32.2"]
+      - tsc: [CC6.1, CC6.8, CC7.2, CC7.3, CC7.4]
+    condition: all
+    rules:
+      - c:stat /etc/issue -> r:^Access:\s*\(0644\/.{0,10}\)\s*Uid:\s*\(\s*\t*0\/\s*\t*root\)\s*\t*Gid:\s*\(\s*\t*0\/\s*\t*root\)$
+    regex_type: pcre2