diff --git a/tests/integration/test_agentd/test_agentd_state.py b/tests/integration/test_agentd/test_agentd_state.py index df2787daec..0e190f3587 100644 --- a/tests/integration/test_agentd/test_agentd_state.py +++ b/tests/integration/test_agentd/test_agentd_state.py @@ -149,7 +149,7 @@ def test_agentd_state(configure_environment, test_case: list): brief: Configure a custom environment for testing. - test_case: type: list - brief: List of tests to be performed. + brief: List of test_case stages. assertions: - Verify that the 'wazuh-agentd.state' statistics file has been created. diff --git a/tests/integration/test_logtest/test_configuration/test_configuration_file.py b/tests/integration/test_logtest/test_configuration/test_configuration_file.py index a0f4500c0f..d0a25f0fbc 100644 --- a/tests/integration/test_logtest/test_configuration/test_configuration_file.py +++ b/tests/integration/test_logtest/test_configuration/test_configuration_file.py @@ -8,9 +8,10 @@ type: integration brief: The 'wazuh-logtest' tool allows the testing and verification of rules and decoders against provided log examples - remotely inside a sandbox in 'wazuh-analysisd'. This functionality is provided by the manager, whose work - parameters are configured in the ossec.conf file in the XML rule_test section. Test logs can be evaluate through - 'wazuh-logtest' tool or making requests via RESTful API. + remotely inside a sandbox in 'wazuh-analysisd'. This functionality is provided by the manager, whose work + parameters are configured in the ossec.conf file in the XML rule_test section. Test logs can be evaluated through + the 'wazuh-logtest' tool or by making requests via RESTful API. These tests will check if the logtest + configuration is valid. Also checks rules, decoders, decoders, alerts matching logs correctly. tier: 0 
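Review bot: The rewritten module brief repeats a word, `Also checks rules, decoders, decoders, alerts matching logs correctly.`, and the same sentence is pasted verbatim into the brief of test_get_configuration_sock.py and into the new module docstrings of test_invalid_decoder_syntax.py, test_invalid_rules_syntax.py, test_invalid_socket_input.py, test_invalid_session_token.py, test_rules_verbose.py, test_remove_old_session_for_inactivity.py and test_remove_old_sessions.py. Suggested line for all of them: `configuration is valid. It also checks that rules, decoders and alerts match the logs correctly.` Fixing every copy the same way keeps the nine briefs identical, which the shared `logtest_configuration` tag appears to intend.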
@@ -115,7 +116,7 @@ def test_configuration_file(get_configuration, configure_environment, restart_wa - 'Event not found' tags: - - logtest_configuration_file + - logtest_configuration ''' callback = None if 'valid_conf' in get_configuration['tags']: diff --git a/tests/integration/test_logtest/test_configuration/test_get_configuration_sock.py b/tests/integration/test_logtest/test_configuration/test_get_configuration_sock.py index 521180364e..7c9543db0c 100644 --- a/tests/integration/test_logtest/test_configuration/test_get_configuration_sock.py +++ b/tests/integration/test_logtest/test_configuration/test_get_configuration_sock.py @@ -8,9 +8,10 @@ type: integration brief: The 'wazuh-logtest' tool allows the testing and verification of rules and decoders against provided log examples - remotely inside a sandbox in 'wazuh-analysisd'. This functionality is provided by the manager, whose work - parameters are configured in the ossec.conf file in the XML rule_test section. Test logs can be evaluate through - 'wazuh-logtest' tool or making requests via RESTful API. + remotely inside a sandbox in 'wazuh-analysisd'. This functionality is provided by the manager, whose work + parameters are configured in the ossec.conf file in the XML rule_test section. Test logs can be evaluated through + the 'wazuh-logtest' tool or by making requests via RESTful API. These tests will check if the logtest + configuration is valid. Also checks rules, decoders, decoders, alerts matching logs correctly. tier: 0 @@ -123,7 +124,7 @@ def test_get_configuration_sock(get_configuration, configure_environment, restar - 'Expected value in session_timeout tag: .*. Value received: .*' tags: - - logtest_configuration_sock + - logtest_configuration ''' configuration = get_configuration['sections'][0]['elements'] 
diff --git a/tests/integration/test_logtest/test_invalid_rule_decoders_syntax/test_invalid_decoder_syntax.py b/tests/integration/test_logtest/test_invalid_rule_decoders_syntax/test_invalid_decoder_syntax.py
index 2d5d2284b8..32dab2eeeb 100644
--- a/tests/integration/test_logtest/test_invalid_rule_decoders_syntax/test_invalid_decoder_syntax.py
+++ b/tests/integration/test_logtest/test_invalid_rule_decoders_syntax/test_invalid_decoder_syntax.py
@@ -1,20 +1,72 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: The 'wazuh-logtest' tool allows the testing and verification of rules and decoders against provided log examples + remotely inside a sandbox in 'wazuh-analysisd'. This functionality is provided by the manager, whose work + parameters are configured in the ossec.conf file in the XML rule_test section. Test logs can be evaluated through + the 'wazuh-logtest' tool or by making requests via RESTful API. These tests will check if the logtest + configuration is valid. Also checks rules, decoders, decoders, alerts matching logs correctly. + +tier: 0 + +modules: + - logtest + +components: + - manager + +daemons: + - wazuh-analysisd + +os_platform: + - linux + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + +references: + - https://documentation.wazuh.com/current/user-manual/reference/tools/wazuh-logtest.html + - https://documentation.wazuh.com/current/user-manual/capabilities/wazuh-logtest/index.html + - https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-analysisd.html + +tags: + - logtest_configuration +''' import pytest import os - -from wazuh_testing.tools import WAZUH_PATH from yaml import safe_load from shutil import copy from json import loads +from wazuh_testing.tools import WAZUH_PATH + # Marks pytestmark = [pytest.mark.linux, pytest.mark.tier(level=0), pytest.mark.server] -# Configurations +# 
Configurationsa test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') messages_path = os.path.join(test_data_path, 'invalid_decoder_syntax.yaml') @@ -56,8 +108,43 @@ def test_invalid_decoder_syntax(get_configuration, configure_local_decoders, restart_required_logtest_daemons, wait_for_logtest_startup, connect_to_sockets_function): - """Check that every input message in logtest socket generates the adequate output.""" - + ''' + description: Check if `wazuh-logtest` correctly detects and handles errors when processing a decoders file. + To do this, it send a logtest request using the input configurations and parse the logtest reply + received looking for errors. + + wazuh_min_version: 4.2.0 + + parameters: + - get_configuration: + type: fixture + brief: Get configuration from the module. + - configure_local_decoders: + type: fixture + brief: Configure a custom decoder for testing. + - restart_required_logtest_daemons: + type: fixture + brief: Wazuh logtests daemons handler. + - wait_for_logtest_startup: + type: fixture + brief: Wait until logtest has begun. + - connect_to_sockets_function: + type: fixture + brief: Function scope version of 'connect_to_sockets' which connects to the specified sockets for the test. + + assertions: + - Verify that `wazuh-logtest` retrieves errors when the loaded decoders are invalid. + + input_description: Some test cases are defined in the module. These include some input configurations stored in + the 'invalid_decoder_syntax.yaml'. + + expected_output: + - r'Failed stage(s) : .*' (When an error occurs, it is appended) + - 'Error when executing {action} in daemon {daemon}. Exit status: {result}' + + tags: + - logtest_invalid_rule_decoder_syntax + ''' # send the logtest request receiver_sockets[0].send(get_configuration['input'], size=True) 
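Review bot: The comment closing this hunk changes from `# Configurations` to `# Configurationsa`, which looks like a stray keystroke; restore `# Configurations`. The import block the hunk reorders still interleaves third-party and standard-library modules (`import pytest` before `import os`, `from yaml import safe_load` between `os` and `shutil`); grouping `os`, `json` and `shutil` first, then `pytest` and `yaml`, then the `wazuh_testing` import would match PEP 8. The same interleaving is left in the import blocks of test_invalid_rules_syntax.py and test_invalid_socket_input.py.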
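Review bot: The `description:` of test_invalid_decoder_syntax says `it send a logtest request ... and parse the logtest reply`; the subject is singular, so `it sends a logtest request using the input configurations and parses the logtest reply received, looking for errors.` The same sentence, with `(via AF_UNIX socket)` added, is in the test_invalid_rule_syntax docstring in test_invalid_rules_syntax.py and needs the same fix. The function body continues outside the hunk.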
diff --git a/tests/integration/test_logtest/test_invalid_rule_decoders_syntax/test_invalid_rules_syntax.py b/tests/integration/test_logtest/test_invalid_rule_decoders_syntax/test_invalid_rules_syntax.py
index be5f032596..8371ffee53 100644
--- a/tests/integration/test_logtest/test_invalid_rule_decoders_syntax/test_invalid_rules_syntax.py
+++ b/tests/integration/test_logtest/test_invalid_rule_decoders_syntax/test_invalid_rules_syntax.py
@@ -1,15 +1,67 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: The 'wazuh-logtest' tool allows the testing and verification of rules and decoders against provided log examples + remotely inside a sandbox in 'wazuh-analysisd'. This functionality is provided by the manager, whose work + parameters are configured in the ossec.conf file in the XML rule_test section. Test logs can be evaluated through + the 'wazuh-logtest' tool or by making requests via RESTful API. These tests will check if the logtest + configuration is valid. Also checks rules, decoders, decoders, alerts matching logs correctly. + +tier: 0 + +modules: + - logtest + +components: + - manager + +daemons: + - wazuh-analysisd + +os_platform: + - linux + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + +references: + - https://documentation.wazuh.com/current/user-manual/reference/tools/wazuh-logtest.html + - https://documentation.wazuh.com/current/user-manual/capabilities/wazuh-logtest/index.html + - https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-analysisd.html + +tags: + - logtest_configuration +''' import pytest import os - -from wazuh_testing.tools import WAZUH_PATH from yaml import safe_load from shutil import copy from json import loads +from wazuh_testing.tools import WAZUH_PATH + # Marks pytestmark = [pytest.mark.linux, pytest.mark.tier(level=0), pytest.mark.server] 
@@ -56,8 +108,44 @@ def test_invalid_rule_syntax(get_configuration, configure_local_rules, restart_required_logtest_daemons, wait_for_logtest_startup, connect_to_sockets_function): - """Check that every input message in logtest socket generates the adequate output """ - + ''' + description: Check if `wazuh-logtest` correctly detects and handles errors when processing a rules file. + To do this, it send a logtest request(via AF_UNIX socket) using the input configurations and parse + the logtest reply received looking for errors. + + wazuh_min_version: 4.2.0 + + parameters: + - get_configuration: + type: fixture + brief: Get configuration from the module. + - configure_local_rules: + type: fixture + brief: Configure a custom rule in local_rules.xml for testing. Restart Wazuh is needed for applying the + configuration. + - restart_required_logtest_daemons: + type: fixture + brief: Wazuh logtests daemons handler. + - wait_for_logtest_startup: + type: fixture + brief: Wait until logtest has begun. + - connect_to_sockets_function: + type: fixture + brief: Function scope version of 'connect_to_sockets' which connects to the specified sockets for the test. + + assertions: + - Verify that `wazuh-logtest` retrieves errors when the loaded rules are invalid. + + input_description: Some test cases are defined in the module. These include some input configurations stored in + the 'invalid_rules_syntax.yaml'. + + expected_output: + - r'Failed stage(s) : .*' (When an error occurs, it is appended) + - 'Error when executing {action} in daemon {daemon}. Exit status: {result}' + + tags: + - logtest_invalid_rule_decoder_syntax + ''' # send the logtest request receiver_sockets[0].send(get_configuration['input'], size=True) diff --git a/tests/integration/test_logtest/test_invalid_socket_input/test_invalid_socket_input.py b/tests/integration/test_logtest/test_invalid_socket_input/test_invalid_socket_input.py index 12d4296ff1..b00f5af432 100644 
--- a/tests/integration/test_logtest/test_invalid_socket_input/test_invalid_socket_input.py
+++ b/tests/integration/test_logtest/test_invalid_socket_input/test_invalid_socket_input.py
@@ -1,12 +1,64 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. -import os -from struct import pack + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: The 'wazuh-logtest' tool allows the testing and verification of rules and decoders against provided log examples + remotely inside a sandbox in 'wazuh-analysisd'. This functionality is provided by the manager, whose work + parameters are configured in the ossec.conf file in the XML rule_test section. Test logs can be evaluated through + the 'wazuh-logtest' tool or by making requests via RESTful API. These tests will check if the logtest + configuration is valid. Also checks rules, decoders, decoders, alerts matching logs correctly. + +tier: 0 + +modules: + - logtest + +components: + - manager + +daemons: + - wazuh-analysisd + +os_platform: + - linux + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 +references: + - https://documentation.wazuh.com/current/user-manual/reference/tools/wazuh-logtest.html + - https://documentation.wazuh.com/current/user-manual/capabilities/wazuh-logtest/index.html + - https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-analysisd.html + +tags: + - logtest_configuration +''' +import os import pytest import yaml +from struct import pack + from wazuh_testing.tools import WAZUH_PATH # Marks 
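Review bot: The new module docstring drops the blank line between `- Red Hat 6` and `references:` that every other module docstring in this commit has, so the `os_version` list runs straight into the next key; add the empty line for consistency with the sibling files. In the import block, `from struct import pack` is now placed after `import pytest` and `import yaml`, putting a standard-library import inside the third-party group; moving it up next to `import os` keeps the stdlib/third-party/local grouping the reorder is presumably going for.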
@@ -29,14 +81,44 @@ @pytest.mark.parametrize('test_case', [test_case['test_case'] for test_case in test_cases], ids=[test_case['name'] for test_case in test_cases]) -def test_invalid_socket_input(restart_required_logtest_daemons, wait_for_logtest_startup, connect_to_sockets_function, test_case: list): - """Check that every input message in logtest socket generates the adequate output - - Parameters - ---------- - test_case : list - List of test_case stages (dicts with input, output and stage keys) - """ +def test_invalid_socket_input(restart_required_logtest_daemons, wait_for_logtest_startup, connect_to_sockets_function, + test_case: list): + ''' + description: Check if `wazuh-logtest` correctly detects and handles errors when sending a message through + the socket to `wazuh-analysisd`. To do this, it sends the inputs through a socket(differentiating by + oversized messages), receives and decodes the message. Then, that message is compared with the test + case output. + + wazuh_min_version: 4.2.0 + + parameters: + - restart_required_logtest_daemons: + type: fixture + brief: Wazuh logtests daemons handler. + - wait_for_logtest_startup: + type: fixture + brief: Wait until logtest has begun. + - connect_to_sockets_function: + type: fixture + brief: Function scope version of 'connect_to_sockets' which connects to the specified sockets for the test. + - test_case: + type: list + brief: List of test_case stages. (dicts with input, output and stage keys) + + assertions: + - Verify that the comunication through the sockets works well by verifying that all the test cases produce + the right output. + - Verify that oversized messages log an error. + + input_description: Some test cases are defined in the module. These include some input configurations stored in + the 'invalid_socket_input.yaml'. + + expected_output: + - r'Failed test case stage : .*' + + tags: + - logtest_invalid_socket_input + ''' stage = test_case[0] if stage["stage"] != 'Oversize message': 
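Review bot: The first assertion in the new test_invalid_socket_input docstring has a typo, `comunication`; suggested `- Verify that the communication through the sockets works as expected by checking that all the test cases produce the expected output.` The description's `through a socket(differentiating by oversized messages)` also reads oddly; judging by the `stage["stage"] != 'Oversize message'` branch right below, `through a socket (oversized messages are handled separately)` seems to be what is meant. The function body continues outside the hunk.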
diff --git a/tests/integration/test_logtest/test_invalid_token/test_invalid_session_token.py b/tests/integration/test_logtest/test_invalid_token/test_invalid_session_token.py
index a532301b4b..ecdcdc808a 100644
--- a/tests/integration/test_logtest/test_invalid_token/test_invalid_session_token.py
+++ b/tests/integration/test_logtest/test_invalid_token/test_invalid_session_token.py
@@ -1,12 +1,64 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: The 'wazuh-logtest' tool allows the testing and verification of rules and decoders against provided log examples + remotely inside a sandbox in 'wazuh-analysisd'. This functionality is provided by the manager, whose work + parameters are configured in the ossec.conf file in the XML rule_test section. Test logs can be evaluated through + the 'wazuh-logtest' tool or by making requests via RESTful API. These tests will check if the logtest + configuration is valid. Also checks rules, decoders, decoders, alerts matching logs correctly. + +tier: 0 + +modules: + - logtest + +components: + - manager + +daemons: + - wazuh-analysisd + +os_platform: + - linux + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + +references: + - https://documentation.wazuh.com/current/user-manual/reference/tools/wazuh-logtest.html + - https://documentation.wazuh.com/current/user-manual/capabilities/wazuh-logtest/index.html + - https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-analysisd.html + +tags: + - logtest_configuration +''' import json import os - import pytest import yaml + from wazuh_testing.logtest import callback_session_initialized, callback_invalid_token from wazuh_testing.tools import WAZUH_PATH from wazuh_testing.tools.monitoring import SocketController 
@@ -44,14 +96,41 @@ def close_connection(connection): [test_case['test_case'] for test_case in test_cases], ids=[test_case['name'] for test_case in test_cases]) def test_invalid_session_token(restart_required_logtest_daemons, wait_for_logtest_startup, test_case): - """Check that every input message in logtest socket generates the adequate output - - Parameters - ---------- - test_case : list - List of test_case stages (dicts with input, output and stage keys) - """ - + ''' + description: Check if `wazuh-logtest` correctly detects and handles errors when using a session token. + To do this, it sends the inputs through a socket, receives and decodes the message. Then, it checks + if any invalid token or session token is not catched. + + wazuh_min_version: 4.2.0 + + parameters: + - restart_required_logtest_daemons: + type: fixture + brief: Wazuh logtests daemons handler. + - wait_for_logtest_startup: + type: fixture + brief: Wait until logtest has begun. + - test_case: + type: list + brief: List of test_case stages (dicts with input, output and stage keys) + + assertions: + - Verify that new session is correctly initialized. + - Verify that invalid session token is received. + - Verify that errors are retrieved due to invalid session tokens. + + input_description: Some test cases are defined in the module. These include some input configurations stored in + the 'invalid_session_token.yaml'. + + expected_output: + - r'Failed test case stage(s): .*' (When an error occurs, it is appended) + - r'.*: .* is not a valid token' (An error that could be appended) + - r'.*: Session initialized with token .*' (An error that could be appended) + - 'Error when executing .* in daemon .*. Exit status: .*' + + tags: + - logtest_invalid_token + ''' errors = [] stage = test_case[0] connection = create_connection() 
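Review bot: The new description of test_invalid_session_token ends with `it checks if any invalid token or session token is not catched`, which is ungrammatical and leaves unclear what makes the test pass; given the three assertions listed below it, `Then, it checks that a new session is initialized and that invalid session tokens are reported as errors.` states the intent. `catched` should be `caught` wherever it is kept. The function body continues outside the hunk.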
diff --git a/tests/integration/test_logtest/test_log_process_options/test_rules_verbose.py b/tests/integration/test_logtest/test_log_process_options/test_rules_verbose.py
index 619f397a0b..e70d9d3c59 100644
--- a/tests/integration/test_logtest/test_log_process_options/test_rules_verbose.py
+++ b/tests/integration/test_logtest/test_log_process_options/test_rules_verbose.py
@@ -1,7 +1,59 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: The 'wazuh-logtest' tool allows the testing and verification of rules and decoders against provided log examples + remotely inside a sandbox in 'wazuh-analysisd'. This functionality is provided by the manager, whose work + parameters are configured in the ossec.conf file in the XML rule_test section. Test logs can be evaluated through + the 'wazuh-logtest' tool or by making requests via RESTful API. These tests will check if the logtest + configuration is valid. Also checks rules, decoders, decoders, alerts matching logs correctly. + +tier: 0 + +modules: + - logtest + +components: + - manager + +daemons: + - wazuh-analysisd + +os_platform: + - linux + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + +references: + - https://documentation.wazuh.com/current/user-manual/reference/tools/wazuh-logtest.html + - https://documentation.wazuh.com/current/user-manual/capabilities/wazuh-logtest/index.html + - https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-analysisd.html + +tags: + - logtest_configuration +''' import json import os import shutil 
@@ -42,7 +94,8 @@
 @pytest.fixture(scope='function')
 def configure_rules_list(get_configuration, request):
 """Configure a custom rules for testing.
- Restart Wazuh is not needed for applying the configuration is optional.
+
+ Restart Wazuh is not needed for applying the configuration, is optional.
 """
 # save current rules
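Review bot: The re-flowed sentence in the configure_rules_list docstring is still ungrammatical: `Restart Wazuh is not needed for applying the configuration, is optional.` Suggested: `Restarting Wazuh is optional; it is not needed to apply the configuration.` The same sentence recurs, unchanged, in the `configure_rules_list` parameter brief of the test_rules_verbose docstring in the next hunk and should be fixed there too.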
@@ -93,11 +146,50 @@ def restart_required_logtest_daemons(): def test_rules_verbose(get_configuration, restart_required_logtest_daemons, configure_rules_list, wait_for_logtest_startup, connect_to_sockets_function): - """Check the correct behaviour of logtest `rules_debug` field. - - This test writes different inputs at the logtest socket and checks the responses to be the expected. - """ - + ''' + description: Check if 'wazuh-logtest' works correctly in 'verbose' mode for rules debugging. To do this, it sends + the inputs through a socket, receives and decodes the message. Then, it checks + if any invalid token or session token is not catched. + + wazuh_min_version: 4.2.0 + + parameters: + - get_configuration: + type: fixture + brief: Get configuration from the module. + - restart_required_logtest_daemons: + type: fixture + brief: Wazuh logtests daemons handler. + - configure_rules_list: + type: fixture + brief: Configure a custom rules for testing. Restart Wazuh is not needed for applying the configuration + is optional. + - wait_for_logtest_startup: + type: fixture + brief: Wait until logtest has begun. + - connect_to_sockets_function: + type: fixture + brief: Function scope version of 'connect_to_sockets' which connects to the specified sockets for the test. + + assertions: + - Verify that the logtest reply message has no run error. + - Verify that the 'rule_id' within the reply message is correct. + - Verify that logtest is running in verbose mode. + - Verify that when running in verbose mode the local rule debug messages has been written + - Verify that when running in verbose mode the local rule debug messages written are the expected count. + - Verify that if a warning message is catched it matches with any test case message. + + input_description: Some test cases are defined in the module. These include some input configurations stored in + the 'rules_verbose.yaml'. 
+
+ expected_output:
+ - 'The rules_debug field was not found in the response data'
+ - 'The warning message was not found in the response data'
+ - 'Error when executing .* in daemon .*. Exit status: .*'
+
+ tags:
+ - logtest_log_process_options
+ '''
 # send the logtest request
 receiver_sockets[0].send(get_configuration['input'], size=True)
diff --git a/tests/integration/test_logtest/test_remove_old_sessions/test_remove_old_session_for_inactivity.py b/tests/integration/test_logtest/test_remove_old_sessions/test_remove_old_session_for_inactivity.py
index c3542dcfcf..884b4a095b 100644
--- a/tests/integration/test_logtest/test_remove_old_sessions/test_remove_old_session_for_inactivity.py
+++ b/tests/integration/test_logtest/test_remove_old_sessions/test_remove_old_session_for_inactivity.py
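Review bot: The new `description:` of test_rules_verbose ends with `Then, it checks if any invalid token or session token is not catched.`, which is the session-token test's description and does not match this test: its own assertions are about the 'rules_debug' field, 'rule_id' and warning messages, and the old docstring it replaces said it checks the `rules_debug` field. Suggested: `Then, it checks that the reply has no run error and that the 'rules_debug' field and 'rule_id' it carries match the expected values.` In the assertions, `the local rule debug messages has been written` should read `have been written`, and `catched` should be `caught`. The function body continues outside the hunk.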
@@ -1,7 +1,60 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: The 'wazuh-logtest' tool allows the testing and verification of rules and decoders against provided log examples + remotely inside a sandbox in 'wazuh-analysisd'. This functionality is provided by the manager, whose work + parameters are configured in the ossec.conf file in the XML rule_test section. Test logs can be evaluated through + the 'wazuh-logtest' tool or by making requests via RESTful API. These tests will check if the logtest + configuration is valid. Also checks rules, decoders, decoders, alerts matching logs correctly. + +tier: 0 + +modules: + - logtest + +components: + - manager + +daemons: + - wazuh-analysisd + +os_platform: + - linux + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + +references: + - https://documentation.wazuh.com/current/user-manual/reference/tools/wazuh-logtest.html + - https://documentation.wazuh.com/current/user-manual/capabilities/wazuh-logtest/index.html + - https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-analysisd.html + - https://documentation.wazuh.com/current/user-manual/reference/internal-options.html#analysisd + +tags: + - logtest_configuration +''' import pytest import os 
@@ -25,10 +78,11 @@
 receiver_sockets_params = [(LOGTEST_SOCKET_PATH, 'AF_UNIX', 'TCP')]
 receiver_sockets = None
 local_internal_options = {'analysisd.debug': '1'}
-create_session_data = {'version':1, 'command':'log_processing',
- 'parameters':{'event': 'Oct 15 21:07:56 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928',
- 'log_format': 'syslog',
- 'location': 'master->/var/log/syslog'}}
+create_session_data = {'version': 1, 'command': 'log_processing',
+ 'parameters': {'event': 'Oct 15 21:07:56 linux-agent sshd[29205]: Invalid user blimey '
+ 'from 18.18.18.18 port 48928',
+ 'log_format': 'syslog',
+ 'location': 'master->/var/log/syslog'}}
 msg_create_session = dumps(create_session_data)
@@ -49,10 +103,52 @@ def test_remove_old_session_for_inactivity(configure_local_internal_options_modu file_monitoring, wait_for_logtest_startup, connect_to_sockets_function): - """Create more sessions than allowed and wait session_timeout seconds, - then check Wazuh-logtest has removed session for inactivity. - """ - + ''' + description: Check if 'wazuh-logtest' correctly detects and handles the situation where trying to remove old + sessions due to inactivity. To do this, it creates more sessions than allowed and waits session_timeout + seconds, then checks that 'wazuh-logtest' has removed the session due to inactivity. + + wazuh_min_version: 4.2.0 + + parameters: + - configure_local_internal_options_module: + type: fixture + brief: Configure the local internal options file. + - get_configuration: + type: fixture + brief: Get configuration from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. Restart Wazuh is needed for applying the configuration. + - restart_required_logtest_daemons: + type: fixture + brief: Wazuh logtests daemons handler. + - file_monitoring: + type: fixture + brief: Handle the monitoring of a specified file. + - wait_for_logtest_startup: + type: fixture + brief: Wait until logtest has begun. + - connect_to_sockets_function: + type: fixture + brief: Function scope version of 'connect_to_sockets' which connects to the specified sockets for the test. + + assertions: + - Verify that the session is created. + - Verify that the old session is removed after 'session_timeout' delay due to inactivity. + + input_description: Some test cases are defined in the module. These include some input configurations stored in + the 'wazuh_conf.yaml' and the session creation data from the module. + + expected_output: + - 'Session initialization event not found' + - 'Session removal event not found' + - r'Error when executing .* in daemon .*. 
Exit status: .*'
+
+ tags:
+ - logtest_remove_old_sessions
+ - analysisd
+ '''
 session_timeout = int(get_configuration['sections'][0]['elements'][3]['session_timeout']['value'])
 receiver_sockets[0].send(msg_create_session, True)
@@ -60,11 +156,11 @@ def test_remove_old_session_for_inactivity(configure_local_internal_options_modu
 msg_recived = msg_recived.decode()
 log_monitor.start(timeout=global_parameters.default_timeout,
- callback=callback_session_initialized,
- error_message="Session initialization event not found")
+ callback=callback_session_initialized,
+ error_message="Session initialization event not found")
 sleep(session_timeout)
 log_monitor.start(timeout=global_parameters.default_timeout,
- callback=callback_remove_session,
- error_message="Session removal event not found")
+ callback=callback_remove_session,
+ error_message="Session removal event not found")
diff --git a/tests/integration/test_logtest/test_remove_old_sessions/test_remove_old_sessions.py b/tests/integration/test_logtest/test_remove_old_sessions/test_remove_old_sessions.py
index 0ab0081c75..b5e29e20d9 100644
--- a/tests/integration/test_logtest/test_remove_old_sessions/test_remove_old_sessions.py
+++ b/tests/integration/test_logtest/test_remove_old_sessions/test_remove_old_sessions.py
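Review bot: The new description of test_remove_old_session_for_inactivity keeps the old docstring's claim that the test `creates more sessions than allowed and waits session_timeout seconds`, but the visible body sends a single `msg_create_session`, sleeps for `session_timeout` and then waits for the removal event, so the "more sessions than allowed" part looks inherited from test_remove_old_sessions.py rather than describing this test. If the rest of the body, which continues outside the hunk, does not create further sessions, `To do this, it creates a session, waits 'session_timeout' seconds and checks that 'wazuh-logtest' has removed it due to inactivity.` is the accurate wording. The opening sentence `handles the situation where trying to remove old sessions due to inactivity` is also hard to parse; `Check if 'wazuh-logtest' correctly removes old sessions due to inactivity.` says the same thing directly.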
@@ -1,7 +1,59 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: The 'wazuh-logtest' tool allows the testing and verification of rules and decoders against provided log examples + remotely inside a sandbox in 'wazuh-analysisd'. This functionality is provided by the manager, whose work + parameters are configured in the ossec.conf file in the XML rule_test section. Test logs can be evaluated through + the 'wazuh-logtest' tool or by making requests via RESTful API. These tests will check if the logtest + configuration is valid. Also checks rules, decoders, decoders, alerts matching logs correctly. + +tier: 0 + +modules: + - logtest + +components: + - manager + +daemons: + - wazuh-analysisd + +os_platform: + - linux + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + +references: + - https://documentation.wazuh.com/current/user-manual/reference/tools/wazuh-logtest.html + - https://documentation.wazuh.com/current/user-manual/capabilities/wazuh-logtest/index.html + - https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-analysisd.html + +tags: + - logtest_configuration +''' import pytest import os 
@@ -24,7 +76,8 @@ # Variables local_internal_options = {'analysisd.debug': '1'} create_session_data = {'version': 1, 'command': 'log_processing', - 'parameters': {'event': 'Oct 15 21:07:56 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928', + 'parameters': {'event': 'Oct 15 21:07:56 linux-agent sshd[29205]: Invalid user blimey ' + 'from 18.18.18.18 port 48928', 'log_format': 'syslog', 'location': 'master->/var/log/syslog'}} msg_create_session = dumps(create_session_data) 
@@ -54,10 +107,55 @@ def test_remove_old_session(configure_local_internal_options_module, get_configuration, configure_environment, file_monitoring, restart_required_logtest_daemons, wait_for_logtest_startup): - """Create more sessions than allowed and wait for the message which - informs that Wazuh-logtest has removed the oldest session. - """ - + ''' + description: Check if 'wazuh-logtest' correctly detects and handles the situation where trying to use more + sessions than allowed. To do this, it creates more sessions than allowed and wait for the message which + informs that 'wazuh-logtest' has removed the oldest session. + + wazuh_min_version: 4.2.0 + + parameters: + - configure_local_internal_options_module: + type: fixture + brief: Configure the local internal options file. + - get_configuration: + type: fixture + brief: Get configuration from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. Restart Wazuh is needed for applying the configuration. + - file_monitoring: + type: fixture + brief: Handle the monitoring of a specified file. + - restart_required_logtest_daemons: + type: fixture + brief: Wazuh logtests daemons handler. + - wait_for_logtest_startup: + type: fixture + brief: Wait until logtest has begun. + + assertions: + - Verify that the session will exceed the allowed sessions with the last one to verify that the first(oldest) + session is correctly removed. + - Verify that every session is correctly created. + - Verify that the first session is valid. + - Verify that the 'removal session' is created. + - Verify that the removed session is the first one. + - Verify that the session that exceeds the limit is created. + + input_description: Some test cases are defined in the module. These include some input configurations stored in + the 'wazuh_conf.yaml' and the session creation data from the module. 
+ + expected_output: + - 'Session initialization event not found' + - 'Session removal event not found' + - 'Incorrect session removed' + - r'Error when executing .* in daemon .*. Exit status: .*' + + tags: + - logtest_remove_old_sessions + - analysisd + ''' max_sessions = int(get_configuration['sections'][0]['elements'][2]['max_sessions']['value']) first_session_token = None diff --git a/tests/integration/test_logtest/test_remove_session/test_remove_session.py b/tests/integration/test_logtest/test_remove_session/test_remove_session.py index 6eaf3039c4..488f5994da 100644 --- a/tests/integration/test_logtest/test_remove_session/test_remove_session.py +++ b/tests/integration/test_logtest/test_remove_session/test_remove_session.py 
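Review bot: Grammar in the new `description:` of test_remove_old_session — `it creates more sessions than allowed and wait for the message` should be `it creates more sessions than allowed and waits for the message`. The first `assertions:` bullet is hard to parse (`Verify that the session will exceed the allowed sessions with the last one to verify that the first(oldest) session is correctly removed.`); `Verify that creating one session beyond the limit causes the first (oldest) session to be removed.` states the same check directly. The function body continues outside the hunk.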
@@ -1,7 +1,61 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: The 'wazuh-logtest' tool allows the testing and verification of rules and decoders against provided log examples + remotely inside a sandbox in 'wazuh-analysisd'. This functionality is provided by the manager, whose work + parameters are configured in the ossec.conf file in the XML rule_test section. Test logs can be evaluated through + the 'wazuh-logtest' tool or by making requests via RESTful API. These tests will check if the logtest + configuration is valid. Also checks rules, decoders, decoders, alerts matching logs correctly. + +tier: 0 + +modules: + - logtest + +components: + - manager + +daemons: + - wazuh-analysisd + +os_platform: + - linux + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + +references: + - https://documentation.wazuh.com/current/user-manual/reference/tools/wazuh-logtest.html + - https://documentation.wazuh.com/current/user-manual/capabilities/wazuh-logtest/index.html + - https://documentation.wazuh.com/current/user-manual/ruleset/testing.html?highlight=logtest + - https://documentation.wazuh.com/current/user-manual/capabilities/wazuh-logtest/logtest-configuration.html + - https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-analysisd.html + +tags: + - logtest_configuration +''' import json import os 
@@ -49,14 +103,42 @@ def create_session(): @pytest.mark.parametrize('test_case', [test_case['test_case'] for test_case in test_cases], ids=[test_case['name'] for test_case in test_cases]) -def test_remove_session(restart_required_logtest_daemons, wait_for_logtest_startup, connect_to_sockets_function, test_case: list): - """Check that every input message in logtest socket generates the adequate output - - Parameters - ---------- - test_case : list - List of test_case stages (dicts with input, output and stage keys) - """ +def test_remove_session(restart_required_logtest_daemons, wait_for_logtest_startup, connect_to_sockets_function, + test_case: list): + ''' + description: Check if 'wazuh-logtest' correctly detects and removes the sessions under pre-defined scenarios. + To do this, the session input is sent and the output is received, then it checks if the received data + within the logtest socket is the same that the test case expected output. + + wazuh_min_version: 4.2.0 + + parameters: + - restart_required_logtest_daemons: + type: fixture + brief: Wazuh logtests daemons handler. + - wait_for_logtest_startup: + type: fixture + brief: Wait until logtest has begun. + - connect_to_sockets_function: + type: fixture + brief: Function scope version of 'connect_to_sockets' which connects to the specified sockets for the test. + - test_case: + type: list + brief: List of test_case stages. (dicts with input, output and stage keys) + + assertions: + - Verify that every test case output matches with the actual received. + + input_description: Some test cases are defined in the module. These include some input configurations stored in + the 'remove_session.yaml' and the session creation data from the module. + + expected_output: + - r'Failed test case stage : .*' + + tags: + - logtest_remove_session + - analysisd + ''' stage = test_case[0] if stage["stage"] != 'Remove session OK': 
diff --git a/tests/integration/test_logtest/test_rules_decoders_load/test_load_rules_decoders.py b/tests/integration/test_logtest/test_rules_decoders_load/test_load_rules_decoders.py index 565834ff44..ea940760e7 100644 --- a/tests/integration/test_logtest/test_rules_decoders_load/test_load_rules_decoders.py +++ b/tests/integration/test_logtest/test_rules_decoders_load/test_load_rules_decoders.py 
@@ -1,7 +1,61 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: The 'wazuh-logtest' tool allows the testing and verification of rules and decoders against provided log examples + remotely inside a sandbox in 'wazuh-analysisd'. This functionality is provided by the manager, whose work + parameters are configured in the ossec.conf file in the XML rule_test section. Test logs can be evaluated through + the 'wazuh-logtest' tool or by making requests via RESTful API. These tests will check if the logtest + configuration is valid. Also checks rules, decoders, decoders, alerts matching logs correctly. + +tier: 0 + +modules: + - logtest + +components: + - manager + +daemons: + - wazuh-analysisd + +os_platform: + - linux + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + +references: + - https://documentation.wazuh.com/current/user-manual/reference/tools/wazuh-logtest.html + - https://documentation.wazuh.com/current/user-manual/capabilities/wazuh-logtest/index.html + - https://documentation.wazuh.com/current/user-manual/ruleset/testing.html?highlight=logtest + - https://documentation.wazuh.com/current/user-manual/capabilities/wazuh-logtest/logtest-configuration.html + - https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-analysisd.html + +tags: + - logtest_configuration +''' import json import os import shutil 
@@ -57,6 +111,44 @@ def create_dummy_session(): list(test_cases), ids=[test_case['name'] for test_case in test_cases]) def test_load_rules_decoders(restart_required_logtest_daemons, wait_for_logtest_startup, test_case): + ''' + description: Check if 'wazuh-logtest' does produce the right decoder/rule matching when processing a log under + different sets of configurations. To do this, creates backup rules and decoders and copy the test case + rules and decoders to restore after the checks. It sends the requests to the logtest socket and checks + if the outputs match with the expected test cases. + + wazuh_min_version: 4.2.0 + + parameters: + - restart_required_logtest_daemons: + type: fixture + brief: Wazuh logtests daemons handler. + - wait_for_logtest_startup: + type: fixture + brief: Wait until logtest has begun. + - connect_to_sockets_function: + type: fixture + brief: Function scope version of 'connect_to_sockets' which connects to the specified sockets for the test. + - test_case: + type: list + brief: List of test_case stages. (dicts with input, output and stage keys) + + assertions: + - Verify that the predecoder output matches with test case expected. + - Verify that the decoder output matches with test case expected. + - Verify that the rule output matches with test case expected. + - Verify that the alert output matches with test case expected. + + input_description: Some test cases are defined in the module. These include some input configurations stored in + the 'remove_session.yaml' and the dummy session from the module. + + expected_output: + - r'Failed stage(s) :.*' + + tags: + - logtest_rules_decoders_load + - analysisd + ''' # List to store assert messages errors = [] diff --git a/tests/integration/test_logtest/test_ruleset_refresh/test_alert_labels.py b/tests/integration/test_logtest/test_ruleset_refresh/test_alert_labels.py index a15108d640..6385650e02 100644 --- a/tests/integration/test_logtest/test_ruleset_refresh/test_alert_labels.py 
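Review bot: The `parameters:` section documents a `connect_to_sockets_function` fixture that the signature `def test_load_rules_decoders(restart_required_logtest_daemons, wait_for_logtest_startup, test_case):` does not take; either drop that entry or, if the fixture is actually needed for the socket requests the description mentions, add it to the signature. The `input_description:` also points at `'remove_session.yaml'`, which looks copied from test_remove_session.py — presumably this module's own test-cases file is meant. Minor wording: `does produce the right decoder/rule matching` reads better as `produces the right decoder/rule matching`. The function body continues past the hunk.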
+++ b/tests/integration/test_logtest/test_ruleset_refresh/test_alert_labels.py @@ -1,7 +1,61 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: The 'wazuh-logtest' tool allows the testing and verification of rules and decoders against provided log examples + remotely inside a sandbox in 'wazuh-analysisd'. This functionality is provided by the manager, whose work + parameters are configured in the ossec.conf file in the XML rule_test section. Test logs can be evaluated through + the 'wazuh-logtest' tool or by making requests via RESTful API. These tests will check if the logtest + configuration is valid. Also checks rules, decoders, decoders, alerts matching logs correctly. + +tier: 0 + +modules: + - logtest + +components: + - manager + +daemons: + - wazuh-analysisd + +os_platform: + - linux + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + +references: + - https://documentation.wazuh.com/current/user-manual/reference/tools/wazuh-logtest.html + - https://documentation.wazuh.com/current/user-manual/capabilities/wazuh-logtest/index.html + - https://documentation.wazuh.com/current/user-manual/ruleset/testing.html?highlight=logtest + - https://documentation.wazuh.com/current/user-manual/capabilities/wazuh-logtest/logtest-configuration.html + - https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-analysisd.html + +tags: + - logtest_configuration +''' import os import pytest 
@@ -30,7 +84,8 @@ @pytest.fixture(scope='function') def configure_rules_list(get_configuration, request): """Configure a custom rules and log alert level for testing. - Restart Wazuh is not needed for applying the configuration is optional. + + Restarting Wazuh is not needed for applying the configuration, it is optional. """ # configuration for testing 
@@ -61,8 +116,50 @@ def get_configuration(request): def test_rule_list(restart_required_logtest_daemons, get_configuration, configure_environment, configure_rules_list, wait_for_logtest_startup, connect_to_sockets_function): - """Check that every test case run on logtest generates the adequate output.""" - + ''' + description: Check that after modifying the alert level it takes effect when opening a new logtest sessions, without + having to reset the manager. To do this, it sends a request to logtest socket and get its response. + Then, it checks that the expected alert matches. + + wazuh_min_version: 4.2.0 + + parameters: + - restart_required_logtest_daemons: + type: fixture + brief: Wazuh logtests daemons handler. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. Restart Wazuh is needed for applying the configuration. + - configure_rules_list: + type: fixture + brief: Configure custom rules for testing. + - wait_for_logtest_startup: + type: fixture + brief: Wait until logtest has begun. + - connect_to_sockets_function: + type: fixture + brief: Function scope version of 'connect_to_sockets' which connects to the specified sockets for the test. + + assertions: + - Verify that the result does not contain errors. + - Verify that the 'rule_id' sent matches with the result. + - Verify that the alert sent matches with the result. + + input_description: Some test cases are defined in the module. These include some input configurations stored in + the 'log_alert_level.yaml'. + + expected_output: + - result.error == 0 + - result.data.output.rule.id == test_case.rule_id + - result.data.alert == test_case.alert + + tags: + - logtest_ruleset_refresh + - analysisd + ''' # send the logtest request receiver_sockets[0].send(get_configuration['input'], size=True) 
diff --git a/tests/integration/test_logtest/test_ruleset_refresh/test_cdb_labels.py b/tests/integration/test_logtest/test_ruleset_refresh/test_cdb_labels.py index 7ad44837d3..40369d643b 100644 --- a/tests/integration/test_logtest/test_ruleset_refresh/test_cdb_labels.py +++ b/tests/integration/test_logtest/test_ruleset_refresh/test_cdb_labels.py 
@@ -1,7 +1,61 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: The 'wazuh-logtest' tool allows the testing and verification of rules and decoders against provided log examples + remotely inside a sandbox in 'wazuh-analysisd'. This functionality is provided by the manager, whose work + parameters are configured in the ossec.conf file in the XML rule_test section. Test logs can be evaluated through + the 'wazuh-logtest' tool or by making requests via RESTful API. These tests will check if the logtest + configuration is valid. Also checks rules, decoders, decoders, alerts matching logs correctly. + +tier: 0 + +modules: + - logtest + +components: + - manager + +daemons: + - wazuh-analysisd + +os_platform: + - linux + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + +references: + - https://documentation.wazuh.com/current/user-manual/reference/tools/wazuh-logtest.html + - https://documentation.wazuh.com/current/user-manual/capabilities/wazuh-logtest/index.html + - https://documentation.wazuh.com/current/user-manual/ruleset/testing.html?highlight=logtest + - https://documentation.wazuh.com/current/user-manual/capabilities/wazuh-logtest/logtest-configuration.html + - https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-analysisd.html + +tags: + - logtest_configuration +''' import os import pytest 
@@ -30,7 +84,8 @@ @pytest.fixture(scope='function') def configure_cdbs_list(get_configuration, request): """Configure a custom cdbs for testing. - Restart Wazuh is not needed for applying the configuration is optional. + + Restarting Wazuh is not needed for applying the configuration, it is optional. """ # cdb configuration for testing 
@@ -73,8 +128,50 @@ def get_configuration(request): def test_cdb_list(restart_required_logtest_daemons, get_configuration, configure_environment, configure_cdbs_list, wait_for_logtest_startup, connect_to_sockets_function): - """Check that every test case run on logtest generates the adequate output.""" - + ''' + description: Checks if modifying the configuration of the cdb list, by using its labels, takes effect when opening + new logtest sessions without having to reset the manager. To do this, it sends a request to logtest + socket with the test case and it checks that the result matches with the test case result. + + wazuh_min_version: 4.2.0 + + parameters: + - restart_required_logtest_daemons: + type: fixture + brief: Wazuh logtests daemons handler. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. Restart Wazuh is needed for applying the configuration. + - configure_cdbs_list: + type: fixture + brief: Configure a custom cdbs for testing. + - wait_for_logtest_startup: + type: fixture + brief: Wait until logtest has begun. + - connect_to_sockets_function: + type: fixture + brief: Function scope version of 'connect_to_sockets' which connects to the specified sockets for the test. + + assertions: + - Verify that the result does not contain errors. + - Verify that the result is from the cdb list. + - Verify that the 'rule_id' sent matches with the result. + + input_description: Some test cases are defined in the module. These include some input configurations stored in + the 'cdb_list.yaml'. + + expected_output: + - result.error == 0 + - cdb not in result.data.output + - result.data.output.rule.id == test_case.rule_id + + tags: + - logtest_ruleset_refresh + - analysisd + ''' # send the logtest request receiver_sockets[0].send(get_configuration['input'], size=True) 
diff --git a/tests/integration/test_logtest/test_ruleset_refresh/test_decoder_labels.py b/tests/integration/test_logtest/test_ruleset_refresh/test_decoder_labels.py index 7dd1d8f3eb..58a1f960da 100644 --- a/tests/integration/test_logtest/test_ruleset_refresh/test_decoder_labels.py +++ b/tests/integration/test_logtest/test_ruleset_refresh/test_decoder_labels.py 
@@ -1,7 +1,61 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: The 'wazuh-logtest' tool allows the testing and verification of rules and decoders against provided log examples + remotely inside a sandbox in 'wazuh-analysisd'. This functionality is provided by the manager, whose work + parameters are configured in the ossec.conf file in the XML rule_test section. Test logs can be evaluated through + the 'wazuh-logtest' tool or by making requests via RESTful API. These tests will check if the logtest + configuration is valid. Also checks rules, decoders, decoders, alerts matching logs correctly. + +tier: 0 + +modules: + - logtest + +components: + - manager + +daemons: + - wazuh-analysisd + +os_platform: + - linux + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + +references: + - https://documentation.wazuh.com/current/user-manual/reference/tools/wazuh-logtest.html + - https://documentation.wazuh.com/current/user-manual/capabilities/wazuh-logtest/index.html + - https://documentation.wazuh.com/current/user-manual/ruleset/testing.html?highlight=logtest + - https://documentation.wazuh.com/current/user-manual/capabilities/wazuh-logtest/logtest-configuration.html + - https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-analysisd.html + +tags: + - logtest_configuration +''' import os import pytest 
@@ -30,7 +84,8 @@ @pytest.fixture(scope='function') def configure_decoders_list(get_configuration, request): """Configure a custom decoder in local_decoder.xml for testing. - Restart Wazuh is needed for applying the configuration is optional. + + Restarting Wazuh is needed for applying the configuration, it is optional. """ # configuration for testing 
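Review bot: The reworded docstring of configure_decoders_list still contradicts itself: `Restarting Wazuh is needed for applying the configuration, it is optional.` says the restart is both needed and optional. The parallel fixtures in test_alert_labels.py and test_cdb_labels.py were changed in this diff to `Restarting Wazuh is not needed for applying the configuration, it is optional.`, which is also a comma splice; whichever is true for the decoder case, state it once, e.g. `Restarting Wazuh is not needed to apply this configuration.` or `Restarting Wazuh is needed to apply this configuration.`. The fixture body is outside the hunk.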
@@ -61,8 +116,50 @@ def get_configuration(request): def test_rules_verbose(restart_required_logtest_daemons, get_configuration, configure_environment, configure_decoders_list, wait_for_logtest_startup, connect_to_sockets_function): - """Check that every test case run on logtest generates the adequate output.""" - + ''' + description: Checks if modifying the configuration of the decoder, by using its labels, takes effect when opening + new logtest sessions without having to reset the manager. To do this, it sends a request to logtest + socket with the test case and it checks that the result matches with the test case. + + wazuh_min_version: 4.2.0 + + parameters: + - restart_required_logtest_daemons: + type: fixture + brief: Wazuh logtests daemons handler. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. Restart Wazuh is needed for applying the configuration. + - configure_cdbs_list: + type: fixture + brief: Configure a custom cdbs for testing. + - wait_for_logtest_startup: + type: fixture + brief: Wait until logtest has begun. + - connect_to_sockets_function: + type: fixture + brief: Function scope version of 'connect_to_sockets' which connects to the specified sockets for the test. + + assertions: + - Verify that the result does not contain errors. + - Verify that the result is from the decoder list. + - Verify that the 'rule_id' sent matches with the result. + + input_description: Some test cases are defined in the module. These include some input configurations stored in + the 'decoder_list.yaml'. + + expected_output: + - result.error == 0 + - name not in result.data.output.decoder + - result.data.output.decoder.name == test_case.decoder_name + + tags: + - logtest_ruleset_refresh + - analysisd + ''' # send the logtest request receiver_sockets[0].send(get_configuration['input'], size=True) 
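Review bot: The `parameters:` list names `configure_cdbs_list` with `brief: Configure a custom cdbs for testing.`, but the context line of the signature shows test_rules_verbose takes `configure_decoders_list`; the entry should be `- configure_decoders_list:` with `brief: Configure a custom decoder in local_decoder.xml for testing.`, matching that fixture's own docstring earlier in the diff. The same wrong fixture name appears in the docstring added to test_rule_list in test_rule_labels.py, which takes `configure_rules_list`. The `expected_output:` line `name not in result.data.output.decoder` reads oddly next to `result.data.output.decoder.name == test_case.decoder_name`; if it describes an error-path check it would help to say so. The function body continues outside the hunk.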
diff --git a/tests/integration/test_logtest/test_ruleset_refresh/test_rule_labels.py b/tests/integration/test_logtest/test_ruleset_refresh/test_rule_labels.py index e56b607df2..d89797c060 100644 --- a/tests/integration/test_logtest/test_ruleset_refresh/test_rule_labels.py +++ b/tests/integration/test_logtest/test_ruleset_refresh/test_rule_labels.py 
@@ -1,7 +1,61 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: The 'wazuh-logtest' tool allows the testing and verification of rules and decoders against provided log examples + remotely inside a sandbox in 'wazuh-analysisd'. This functionality is provided by the manager, whose work + parameters are configured in the ossec.conf file in the XML rule_test section. Test logs can be evaluated through + the 'wazuh-logtest' tool or by making requests via RESTful API. These tests will check if the logtest + configuration is valid. Also checks rules, decoders, decoders, alerts matching logs correctly. + +tier: 0 + +modules: + - logtest + +components: + - manager + +daemons: + - wazuh-analysisd + +os_platform: + - linux + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + +references: + - https://documentation.wazuh.com/current/user-manual/reference/tools/wazuh-logtest.html + - https://documentation.wazuh.com/current/user-manual/capabilities/wazuh-logtest/index.html + - https://documentation.wazuh.com/current/user-manual/ruleset/testing.html?highlight=logtest + - https://documentation.wazuh.com/current/user-manual/capabilities/wazuh-logtest/logtest-configuration.html + - https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-analysisd.html + +tags: + - logtest_configuration +''' import os import pytest 
@@ -61,8 +115,50 @@ def get_configuration(request): def test_rule_list(restart_required_logtest_daemons, get_configuration, configure_environment, configure_rules_list, wait_for_logtest_startup, connect_to_sockets_function): - """Check that every test case run on logtest generates the adequate output.""" - + ''' + description: Checks if modifying the configuration of the decoder, by using its labels, takes effect when opening + new logtest sessions without having to reset the manager. To do this, it sends a request to logtest + socket with the test case and it checks that the result matches with the test case. + + wazuh_min_version: 4.2.0 + + parameters: + - restart_required_logtest_daemons: + type: fixture + brief: Wazuh logtests daemons handler. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. Restart Wazuh is needed for applying the configuration. + - configure_cdbs_list: + type: fixture + brief: Configure a custom cdbs for testing. + - wait_for_logtest_startup: + type: fixture + brief: Wait until logtest has begun. + - connect_to_sockets_function: + type: fixture + brief: Function scope version of 'connect_to_sockets' which connects to the specified sockets for the test. + + assertions: + - Verify that the result does not contain errors. + - Verify that the rule result is from the rule list. + - Verify that the 'rule_id' sent matches with the result. + + input_description: Some test cases are defined in the module. These include some input configurations stored in + the 'rule_list.yaml'. + + expected_output: + - result.error == 0 + - cdb not in result.data.output + - result.data.output.rule.id == test_case.rule_id + + tags: + - logtest_ruleset_refresh + - analysisd + ''' # send the logtest request receiver_sockets[0].send(get_configuration['input'], size=True)
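Review bot: The docstring added to test_rule_list is the decoder test's text and was not adapted: `description:` says `Checks if modifying the configuration of the decoder, by using its labels`, while `input_description:` names `'rule_list.yaml'` and the assertion bullet says `Verify that the rule result is from the rule list.`. Suggest `description: Checks if modifying the configuration of the rules, by using their labels, takes effect when opening new logtest sessions without having to reset the manager.`. The `expected_output:` entry `cdb not in result.data.output` is the cdb test's check and should be replaced with whatever rule-list condition the body asserts, which is not visible in the hunk.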