From 7a35303561773e5ab6e3d3bb5890038d0d601e10 Mon Sep 17 00:00:00 2001 From: mdengra Date: Wed, 29 Sep 2021 11:19:52 +0200 Subject: [PATCH] doc: Add test_benchmark and test_checks of test_fim/test_files documentation in QA Docs style The following tests have been documentated: * test_hard_link.py Enhancements in the documentation of the remaining tests. The current scheme of the issue #1694 has been used. PEP-8 fixes. Closes: #1936
--- docs/DocGenerator/config.yaml | 2 + .../test_benchmark/test_benchmark.py | 31 ++-- .../test_benchmark/test_report_changes_big.py | 45 +++--- .../test_files/test_checks/test_check_all.py | 104 ++++++------ .../test_checks/test_check_others.py | 70 ++++---- .../test_files/test_checks/test_checksums.py | 65 ++++---- .../test_files/test_checks/test_hard_link.py | 152 +++++++++++++++--- 7 files changed, 284 insertions(+), 185 deletions(-)
diff --git a/docs/DocGenerator/config.yaml b/docs/DocGenerator/config.yaml
index e6ef9e7da6..d22f02e99d 100644
--- a/docs/DocGenerator/config.yaml
+++ b/docs/DocGenerator/config.yaml
@@ -49,6 +49,8 @@ Ignore paths: - "../../tests/integration/test_fim/test_files/test_ambiguous_confs/data" - "../../tests/integration/test_fim/test_files/test_audit/data" - "../../tests/integration/test_fim/test_files/test_basic_usage/data" + - "../../tests/integration/test_fim/test_files/test_benchmark/data" + - "../../tests/integration/test_fim/test_files/test_checks/data" Output fields: Module:
diff --git a/tests/integration/test_fim/test_files/test_benchmark/test_benchmark.py b/tests/integration/test_fim/test_files/test_benchmark/test_benchmark.py
index a1722c0c81..b6431bb4c9 100644
--- a/tests/integration/test_fim/test_files/test_benchmark/test_benchmark.py
+++ b/tests/integration/test_fim/test_files/test_benchmark/test_benchmark.py 
@@ -7,11 +7,10 @@ type: integration -brief: These tests will check if the File Integrity Monitoring (`FIM`) system watches selected - files and triggering alerts when these files are modified. Specifically, they will check - if `FIM` CUD events are generated for each modified file before the specified time expires. - The `FIM` capability is managed by the `wazuh-syscheckd` daemon, which checks configured files - for changes to the checksums, permissions, and ownership. +brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files + are modified. Specifically, these tests will check if FIM CUD events are generated for each modified file + before the specified time expires. The FIM capability is managed by the 'wazuh-syscheckd' daemon, + which checks configured files for changes to the checksums, permissions, and ownership. tier: 0
@@ -23,7 +22,6 @@ - manager daemons: - - wazuh-agentd - wazuh-syscheckd os_platform:
@@ -54,6 +52,7 @@ - Windows Server 2016 - Windows server 2012 - Windows server 2003 + - Windows XP references: - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
@@ -61,15 +60,15 @@ pytest_args: - fim_mode: - realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. - whodata: Implies real-time monitoring but adding the `who-data` information. + realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the 'who-data' information. - tier: 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. 1: Only level 1 tests are performed, they check functionalities of medium complexity. 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. tags: - - fim + - fim_benchmark ''' import os 
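Review bot: The rewritten brief at the top of this hunk reads `File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are modified`, which is ungrammatical: the subject lost its article and the second verb is a participle. The first line should read `brief: The File Integrity Monitoring (FIM) system watches selected files and triggers alerts when these files`, with the remaining lines rewrapped as needed. The same sentence is rewritten identically in the briefs of test_report_changes_big.py, test_check_all.py, test_check_others.py and test_checksums.py in this commit, so the fix applies to all five files. The module docstring continues beyond this hunk.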
@@ -130,13 +129,13 @@ def test_benchmark_regular_files(files, folder, tags_to_apply, get_configuration configure_environment, restart_syscheckd, wait_for_fim_start): ''' - description: Check if the `wazuh-syscheckd` daemon detects CUD events (`added`, `modified`, and `deleted`) + description: Check if the 'wazuh-syscheckd' daemon detects CUD events ('added', 'modified', and 'deleted') in a certain volume of file changes. For this purpose, the test will monitor a folder with multiple testing files and perform modifications on them (add, modify and delete). Finally, the test will verify that all FIM events have been generated for each change made to each file before the set timeout expires. - wazuh_min_version: 4.2 + wazuh_min_version: 4.2.0 parameters: - files: 
@@ -156,20 +155,20 @@ def test_benchmark_regular_files(files, folder, tags_to_apply, get_configuration brief: Configure a custom environment for testing. - restart_syscheckd: type: fixture - brief: Clear the `ossec.log` file and start a new monitor. + brief: Clear the 'ossec.log' file and start a new monitor. - wait_for_fim_start: type: fixture brief: Wait for realtime start, whodata start, or end of initial FIM scan. assertions: - - Verify that `FIM` CUD events are generated for each modified file before the specified time expires. + - Verify that FIM CUD events are generated for each modified file before the specified time expires. - input_description: A test case (ossec_conf) is contained in external `YAML` file (wazuh_conf.yaml) - which includes configuration settings for the `wazuh-syscheckd` daemon and, it + input_description: A test case (ossec_conf) is contained in external YAML file (wazuh_conf.yaml) + which includes configuration settings for the wazuh-syscheckd daemon and, it is combined with the testing files to be monitored defined in this module. expected_output: - - r'.*Sending FIM event: (.+)$' (`added`, `modified`, and `deleted` events) + - r'.*Sending FIM event: (.+)$' ('added', 'modified', and 'deleted' events) tags: - realtime
diff --git a/tests/integration/test_fim/test_files/test_benchmark/test_report_changes_big.py b/tests/integration/test_fim/test_files/test_benchmark/test_report_changes_big.py
index 067bb08695..23336e57b6 100644
--- a/tests/integration/test_fim/test_files/test_benchmark/test_report_changes_big.py
+++ b/tests/integration/test_fim/test_files/test_benchmark/test_report_changes_big.py 
@@ -7,11 +7,10 @@ type: integration -brief: These tests will check if the File Integrity Monitoring (`FIM`) system watches selected - files and triggering alerts when these files are modified. Specifically, they will check - if the `wazuh-syscheckd` daemon generates the `diff` files on large amounts of files and - files with a large size using the `report_changes` feature. - The `FIM` capability is managed by the `wazuh-syscheckd` daemon, which checks configured files +brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files + are modified. Specifically, these tests will check if the 'wazuh-syscheckd' daemon generates the 'diff' + files on large amounts of files and files with a large size using the 'report_changes' feature. + The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership. tier: 0
@@ -24,7 +23,6 @@ - manager daemons: - - wazuh-agentd - wazuh-syscheckd os_platform:
@@ -55,6 +53,7 @@ - Windows Server 2016 - Windows server 2012 - Windows server 2003 + - Windows XP references: - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
@@ -62,15 +61,15 @@ pytest_args: - fim_mode: - realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. - whodata: Implies real-time monitoring but adding the `who-data` information. + realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the 'who-data' information. - tier: 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. 1: Only level 1 tests are performed, they check functionalities of medium complexity. 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. tags: - - fim + - fim_benchmark ''' import os import sys 
@@ -264,15 +263,15 @@ def write_csv(data): def test_report_changes_big(file_size, n_files, tags_to_apply, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): ''' - description: Check if the `wazuh-syscheckd` daemon generates the `diff` files on large amounts of files and - files with a large size using the `report_changes` feature. For this purpose, the test creates - in a monitored directory (with the `report_changes` attribute) large amounts of files and files - with large size. Then it checks if the expected number of `FIM` events is obtained, if they are + description: Check if the 'wazuh-syscheckd' daemon generates the 'diff' files on large amounts of files and + files with a large size using the 'report_changes' feature. For this purpose, the test creates + in a monitored directory (with the 'report_changes' attribute) large amounts of files and files + with large size. Then it checks if the expected number of FIM events is obtained, if they are of the correct type and if a copy of each file has been created in the corresponding directory. - In addition, the test generates a `CSV` file with metrics about the time used to create + In addition, the test generates a CSV file with metrics about the time used to create the files, generate the logs, and the size of the directory. - wazuh_min_version: 4.2 + wazuh_min_version: 4.2.0 parameters: - file_size: 
@@ -292,23 +291,23 @@ def test_report_changes_big(file_size, n_files, tags_to_apply, get_configuration brief: Configure a custom environment for testing. - restart_syscheckd: type: fixture - brief: Clear the `ossec.log` file and start a new monitor. + brief: Clear the 'ossec.log' file and start a new monitor. - wait_for_fim_start: type: fixture brief: Wait for realtime start, whodata start, or end of initial FIM scan. assertions: - - Verify that `FIM` events are generated for each modified file. - - Verify that for each modified file a `diff` file is generated. - - Verify that `diff` files are updated when files are modified. + - Verify that FIM events are generated for each modified file. + - Verify that for each modified file a 'diff' file is generated. + - Verify that 'diff' files are updated when files are modified. - input_description: A test case (ossec_conf) is contained in external `YAML` file (wazuh_conf.yaml) - which includes configuration settings for the `wazuh-syscheckd` daemon and, it + input_description: A test case (ossec_conf) is contained in external YAML file (wazuh_conf.yaml) + which includes configuration settings for the 'wazuh-syscheckd' daemon and, it is combined with the testing files to be monitored defined in this module. expected_output: - - r'.*Sending FIM event: (.+)$' (`added`, `modified`, and `deleted` events) - - A `CSV` file with the metrics collected. + - r'.*Sending FIM event: (.+)$' ('added', 'modified', and 'deleted' events) + - A CSV file with the metrics collected. tags: - scheduled
diff --git a/tests/integration/test_fim/test_files/test_checks/test_check_all.py b/tests/integration/test_fim/test_files/test_checks/test_check_all.py
index 92250afdcf..7aed831f2b 100644
--- a/tests/integration/test_fim/test_files/test_checks/test_check_all.py
+++ b/tests/integration/test_fim/test_files/test_checks/test_check_all.py 
@@ -7,11 +7,11 @@ type: integration -brief: These tests will check if the File Integrity Monitoring (`FIM`) system watches selected - files and triggering alerts when these files are modified. Specifically, they will check - if `FIM` events generated contain only the `check_` fields specified in the configuration - when using the `check_all` attribute along with other` check_` attributes. - The `FIM` capability is managed by the `wazuh-syscheckd` daemon, which checks configured files +brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these + files are modified. Specifically, these tests will check if FIM events generated contain only + the 'check_' fields specified in the configuration when using the 'check_all' attribute along + with other' check_' attributes. + The 'FIM' capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership. tier: 0
@@ -24,7 +24,6 @@ - manager daemons: - - wazuh-agentd - wazuh-syscheckd os_platform:
@@ -55,6 +54,7 @@ - Windows Server 2016 - Windows server 2012 - Windows server 2003 + - Windows XP references: - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html 
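Review bot: The new brief in this hunk carries a misplaced quote, `with other' check_' attributes.`, inherited one-for-one from the old backtick form; it should read `with other 'check_' attributes.`. In the same brief `The 'FIM' capability is managed by` quotes the acronym while the line two above it and the sibling files in this commit use bare `FIM`; the same inconsistency appears in test_check_all.py's test_check_all_no description (`'FIM' event`, twice) and input_description (`external 'YAML' files`), and in test_check_others.py's brief (`('FIM')` and `The 'FIM' capability`). Since the commit's stated purpose is to normalise the identifier quoting, keeping FIM and YAML unquoted everywhere would make the style uniform. The module docstring continues beyond this hunk.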
@@ -62,15 +62,15 @@ pytest_args: - fim_mode: - realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. - whodata: Implies real-time monitoring but adding the `who-data` information. + realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the 'who-data' information. - tier: 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. 1: Only level 1 tests are performed, they check functionalities of medium complexity. 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. tags: - - fim + - fim_checks ''' import os import sys 
@@ -143,16 +143,16 @@ def get_configuration(request): def test_check_all_single(path, checkers, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): ''' - description: Check if the `wazuh-syscheckd` daemon adds in the generated events the checks specified in + description: Check if the 'wazuh-syscheckd' daemon adds in the generated events the checks specified in the configuration. These checks are attributes indicating that a monitored file has been modified. - For example, if `check_all=yes` and `check_sum=no` are set for the same directory, `syscheck` must - send an event containing every possible `check_` except the checksums. For this purpose, the test - will monitor a testing folder using the `check_all` attribute in conjunction with one `check_` - on the same directory, having `check_all` to `yes` and the other one to `no`. - Finally, the test will verify that the `FIM` events generated contain only the fields - of the `checks` specified for the monitored folder. + For example, if 'check_all=yes' and 'check_sum=no' are set for the same directory, 'syscheck' must + send an event containing every possible 'check_' except the checksums. For this purpose, the test + will monitor a testing folder using the 'check_all' attribute in conjunction with one 'check_' + on the same directory, having 'check_all' to 'yes' and the other one to 'no'. + Finally, the test will verify that the FIM events generated contain only the fields + of the 'checks' specified for the monitored folder. - wazuh_min_version: 4.2 + wazuh_min_version: 4.2.0 parameters: - path: 
@@ -169,21 +169,21 @@ def test_check_all_single(path, checkers, get_configuration, configure_environme brief: Configure a custom environment for testing. - restart_syscheckd: type: fixture - brief: Clear the `ossec.log` file and start a new monitor. + brief: Clear the 'ossec.log' file and start a new monitor. - wait_for_fim_start: type: fixture brief: Wait for realtime start, whodata start, or end of initial FIM scan. assertions: - - Verify that the `FIM` events generated contain only the `check_` fields specified in the configuration. + - Verify that the FIM events generated contain only the 'check_' fields specified in the configuration. - input_description: Different test cases are contained in external `YAML` files + input_description: Different test cases are contained in external YAML files (wazuh_check_all.yaml or wazuh_check_all_windows.yaml) which includes - configuration settings for the `wazuh-syscheckd` daemon and testing + configuration settings for the 'wazuh-syscheckd' daemon and testing directories to monitor. expected_output: - - r'.*Sending FIM event: (.+)$' (`added`, `modified`, and `deleted` events) + - r'.*Sending FIM event: (.+)$' ('added', 'modified', and 'deleted' events) tags: - scheduled 
@@ -219,16 +219,16 @@ def test_check_all_single(path, checkers, get_configuration, configure_environme def test_check_all(path, checkers, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): ''' - description: Check if the `wazuh-syscheckd` daemon adds in the generated events the checks specified in + description: Check if the 'wazuh-syscheckd' daemon adds in the generated events the checks specified in the configuration. These checks are attributes indicating that a monitored file has been modified. - For example, if `check_all=yes`, `check_sum=no`, and `check_md5sum=no` are set for the same directory, - `syscheck` must send an event containing every possible `check_` except the `md5` checksum. - For this purpose, the test will monitor a testing folder using the `check_all` attribute in - conjunction with more than one `check_` on the same directory, having `check_all` to `yes` and - the other ones to `no`. Finally, the test will verify that the `FIM` events generated contain - only the fields of the `checks` specified for the monitored folder. + For example, if 'check_all=yes', 'check_sum=no', and 'check_md5sum=no' are set for the same directory, + 'syscheck' must send an event containing every possible 'check_' except the 'md5' checksum. + For this purpose, the test will monitor a testing folder using the 'check_all' attribute in + conjunction with more than one 'check_' on the same directory, having 'check_all' to 'yes' and + the other ones to 'no'. Finally, the test will verify that the FIM events generated contain + only the fields of the 'checks' specified for the monitored folder. - wazuh_min_version: 4.2 + wazuh_min_version: 4.2.0 parameters: - path: 
@@ -245,21 +245,21 @@ def test_check_all(path, checkers, get_configuration, configure_environment, res brief: Configure a custom environment for testing. - restart_syscheckd: type: fixture - brief: Clear the `ossec.log` file and start a new monitor. + brief: Clear the 'ossec.log' file and start a new monitor. - wait_for_fim_start: type: fixture brief: Wait for realtime start, whodata start, or end of initial FIM scan. assertions: - - Verify that the `FIM` events generated contain only the `check_` fields specified in the configuration. + - Verify that the FIM events generated contain only the 'check_' fields specified in the configuration. - input_description: Different test cases are contained in external `YAML` files + input_description: Different test cases are contained in external YAML files (wazuh_check_all.yaml or wazuh_check_all_windows.yaml) which includes - configuration settings for the `wazuh-syscheckd` daemon and testing + configuration settings for the 'wazuh-syscheckd' daemon and testing directories to monitor. expected_output: - - r'.*Sending FIM event: (.+)$' (`added`, `modified`, and `deleted` events) + - r'.*Sending FIM event: (.+)$' ('added', 'modified', and 'deleted' events) tags: - scheduled 
@@ -275,17 +275,17 @@ def test_check_all(path, checkers, get_configuration, configure_environment, res def test_check_all_no(path, checkers, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): ''' - description: Check if the `wazuh-syscheckd` daemon adds in the generated events the checks specified in + description: Check if the 'wazuh-syscheckd' daemon adds in the generated events the checks specified in the configuration. These checks are attributes indicating that a monitored file has been modified. - For example, when setting `check_all` to `no`, only the `type` and `checksum` attributes should - appear in every `FIM` event. This will avoid any modification event. For this purpose, the test - will monitor a testing folder using the `check_all=no` attribute, create a testing file inside it, - and verify that only the `type` and `checksum` attributes are in the `added` event. Then, it - will modify the testing file and verify that no `FIM` events of type `modified` are generated. - Finally, the test will delete the testing file and verify that only the `type` and - `checksum` attributes are in the `deleted` event. + For example, when setting 'check_all' to 'no', only the 'type' and 'checksum' attributes should + appear in every 'FIM' event. This will avoid any modification event. For this purpose, the test + will monitor a testing folder using the 'check_all=no' attribute, create a testing file inside it, + and verify that only the 'type' and 'checksum' attributes are in the 'added' event. Then, it + will modify the testing file and verify that no 'FIM' events of type 'modified' are generated. + Finally, the test will delete the testing file and verify that only the 'type' and + 'checksum' attributes are in the 'deleted' event. - wazuh_min_version: 4.2 + wazuh_min_version: 4.2.0 parameters: - path: 
@@ -302,24 +302,24 @@ def test_check_all_no(path, checkers, get_configuration, configure_environment, brief: Configure a custom environment for testing. - restart_syscheckd: type: fixture - brief: Clear the `ossec.log` file and start a new monitor. + brief: Clear the 'ossec.log' file and start a new monitor. - wait_for_fim_start: type: fixture brief: Wait for realtime start, whodata start, or end of initial FIM scan. assertions: - - Verify that `FIM` events generated are only of type `added` and `deleted` when - the `check_all=no` attribute is used. - - Verify that `FIM` events generated only contain the `type` and `checksum` attributes - when the `check_all=no` attribute is used. + - Verify that FIM events generated are only of type 'added' and 'deleted' when + the 'check_all=no' attribute is used. + - Verify that FIM events generated only contain the 'type' and 'checksum' attributes + when the 'check_all=no' attribute is used. - input_description: Different test cases are contained in external `YAML` files + input_description: Different test cases are contained in external 'YAML' files (wazuh_check_all.yaml or wazuh_check_all_windows.yaml) which includes - configuration settings for the `wazuh-syscheckd` daemon and testing + configuration settings for the 'wazuh-syscheckd' daemon and testing directories to monitor. expected_output: - - r'.*Sending FIM event: (.+)$' (`added`, and `deleted` event) + - r'.*Sending FIM event: (.+)$' ('added', and 'deleted' event) tags: - scheduled
diff --git a/tests/integration/test_fim/test_files/test_checks/test_check_others.py b/tests/integration/test_fim/test_files/test_checks/test_check_others.py
index cdf6ac2167..9da09a7637 100644
--- a/tests/integration/test_fim/test_files/test_checks/test_check_others.py
+++ b/tests/integration/test_fim/test_files/test_checks/test_check_others.py 
@@ -7,11 +7,11 @@ type: integration -brief: These tests will check if the File Integrity Monitoring (`FIM`) system watches selected - files and triggering alerts when these files are modified. Specifically, they will check - if `FIM` events generated contain only the `check_` fields specified in the configuration - when using the `check_` attributes individually without using the `check_all=yes` attribute. - The `FIM` capability is managed by the `wazuh-syscheckd` daemon, which checks configured files +brief: File Integrity Monitoring ('FIM') system watches selected files and triggering alerts when these + files are modified. Specifically, these tests will check if FIM events generated contain only + the 'check_' fields specified in the configuration when using the 'check_' attributes individually + without using the 'check_all=yes' attribute. + The 'FIM' capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership. tier: 0
@@ -24,7 +24,6 @@ - manager daemons: - - wazuh-agentd - wazuh-syscheckd os_platform:
@@ -55,6 +54,7 @@ - Windows Server 2016 - Windows server 2012 - Windows server 2003 + - Windows XP references: - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html 
@@ -62,15 +62,15 @@ pytest_args: - fim_mode: - realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. - whodata: Implies real-time monitoring but adding the `who-data` information. + realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the 'who-data' information. - tier: 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. 1: Only level 1 tests are performed, they check functionalities of medium complexity. 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. tags: - - fim + - fim_checks ''' import os import sys 
@@ -142,15 +142,15 @@ def get_configuration(request): def test_check_others_individually(path, checkers, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): ''' - description: Check if the `wazuh-syscheckd` daemon adds in the generate events the checks specified in + description: Check if the 'wazuh-syscheckd' daemon adds in the generate events the checks specified in the configuration. These checks are attributes indicating that a monitored file has been modified. - For example, if `check_all=no` and `check_sum=yes` are set for the same directory, `syscheck` must + For example, if 'check_all=no' and 'check_sum=yes' are set for the same directory, 'syscheck' must send an event containing only the checksums. For this purpose, the test will monitor a testing folder - using the `check_all=no` attribute (in order to avoid using the default `check_all` configuration) - in conjunction with one `check_` on the same directory. Finally, the test will verify that - the `FIM` events generated contain only the fields of the `checks` specified for the monitored folder. + using the 'check_all=no' attribute (in order to avoid using the default 'check_all' configuration) + in conjunction with one 'check_' on the same directory. Finally, the test will verify that + the FIM events generated contain only the fields of the 'checks' specified for the monitored folder. - wazuh_min_version: 4.2 + wazuh_min_version: 4.2.0 parameters: - path: 
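Review bot: The description's first line keeps the pre-existing typo `adds in the generate events the checks specified in`; since this commit rewrites that exact line, it should become `adds in the generated events the checks specified in`, matching the wording used in test_check_all.py and test_checksums.py. The same line is rewritten with the same typo in the test_check_others description in the next hunk, whose final paragraph also keeps `In adittion, the order of the 'checks'` where `In addition` is meant. The function docstring continues past the end of this hunk.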
@@ -167,21 +167,21 @@ def test_check_others_individually(path, checkers, get_configuration, configure_ brief: Configure a custom environment for testing. - restart_syscheckd: type: fixture - brief: Clear the `ossec.log` file and start a new monitor. + brief: Clear the 'ossec.log' file and start a new monitor. - wait_for_fim_start: type: fixture brief: Wait for realtime start, whodata start, or end of initial FIM scan. assertions: - - Verify that the `FIM` events generated contain only the `check_` fields specified in the configuration. + - Verify that the FIM events generated contain only the 'check_' fields specified in the configuration. - input_description: Different test cases are contained in external `YAML` files + input_description: Different test cases are contained in external YAML files (wazuh_check_others.yaml or wazuh_check_others_windows.yaml) which includes - configuration settings for the `wazuh-syscheckd` daemon and testing + configuration settings for the 'wazuh-syscheckd' daemon and testing directories to monitor. expected_output: - - r'.*Sending FIM event: (.+)$' (`added`, `modified`, and `deleted` events) + - r'.*Sending FIM event: (.+)$' ('added', 'modified', and 'deleted' events) tags: - scheduled 
@@ -218,18 +218,18 @@ def test_check_others_individually(path, checkers, get_configuration, configure_ def test_check_others(path, checkers, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): ''' - description: Check if the `wazuh-syscheckd` daemon adds in the generate events the checks specified in + description: Check if the 'wazuh-syscheckd' daemon adds in the generate events the checks specified in the configuration. These checks are attributes indicating that a monitored file has been modified. - For example, if `check_md5sum=yes`, `check_all=no` and `check_mtime=yes` are set for - the same directory, `syscheck` must send an event containing only the file modification time. - For this purpose, the test will monitor a testing folder using the `check_all=no` attribute - (in order to avoid using the default `check_all` configuration) in conjunction with more than - one `check_` on the same directory. Finally, the test will verify that the `FIM` events generated - contain only the fields of the `checks` specified for the monitored folder. - In adittion, the order of the `checks` (including `check_all=no`) will be different on each - test case to check the behavior of the `check_all=no` attribute. + For example, if 'check_md5sum=yes', 'check_all=no' and 'check_mtime=yes' are set for + the same directory, 'syscheck' must send an event containing only the file modification time. + For this purpose, the test will monitor a testing folder using the 'check_all=no' attribute + (in order to avoid using the default 'check_all' configuration) in conjunction with more than + one 'check_' on the same directory. Finally, the test will verify that the FIM events generated + contain only the fields of the 'checks' specified for the monitored folder. + In adittion, the order of the 'checks' (including 'check_all=no') will be different on each + test case to check the behavior of the 'check_all=no' attribute. 
- wazuh_min_version: 4.2 + wazuh_min_version: 4.2.0 parameters: - path:
@@ -246,21 +246,21 @@ def test_check_others(path, checkers, get_configuration, configure_environment, brief: Configure a custom environment for testing. - restart_syscheckd: type: fixture - brief: Clear the `ossec.log` file and start a new monitor. + brief: Clear the 'ossec.log' file and start a new monitor. - wait_for_fim_start: type: fixture brief: Wait for realtime start, whodata start, or end of initial FIM scan. assertions: - - Verify that the `FIM` events generated contain only the `check_` fields specified in the configuration. + - Verify that the FIM events generated contain only the 'check_' fields specified in the configuration. - input_description: Different test cases are contained in external `YAML` files + input_description: Different test cases are contained in external YAML files (wazuh_check_others.yaml or wazuh_check_others_windows.yaml) which includes - configuration settings for the `wazuh-syscheckd` daemon and testing + configuration settings for the 'wazuh-syscheckd' daemon and testing directories to monitor. expected_output: - - r'.*Sending FIM event: (.+)$' (`added`, `modified`, and `deleted` events) + - r'.*Sending FIM event: (.+)$' ('added', 'modified', and 'deleted' events) tags: - scheduled
diff --git a/tests/integration/test_fim/test_files/test_checks/test_checksums.py b/tests/integration/test_fim/test_files/test_checks/test_checksums.py
index f9a5da8b33..eefe9c4b8f 100644
--- a/tests/integration/test_fim/test_files/test_checks/test_checksums.py
+++ b/tests/integration/test_fim/test_files/test_checks/test_checksums.py 
@@ -7,11 +7,10 @@ type: integration -brief: These tests will check if the File Integrity Monitoring (`FIM`) system watches selected - files and triggering alerts when these files are modified. Specifically, they will check - if `FIM` events generated contain only the `check_` fields specified in the configuration - when using the `check_` attributes related to file checksum. - The `FIM` capability is managed by the `wazuh-syscheckd` daemon, which checks configured files +brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files + are modified. Specifically, these tests will check if FIM events generated contain only the 'check_' fields + specified in the configuration when using the 'check_' attributes related to file checksum. + The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership. tier: 0
@@ -24,7 +23,6 @@ - manager daemons: - - wazuh-agentd - wazuh-syscheckd os_platform:
@@ -55,6 +53,7 @@ - Windows Server 2016 - Windows server 2012 - Windows server 2003 + - Windows XP references: - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
@@ -62,15 +61,15 @@ pytest_args: - fim_mode: - realtime: Enable real-time monitoring on Linux (using the `inotify` system calls) and Windows systems. - whodata: Implies real-time monitoring but adding the `who-data` information. + realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the 'who-data' information. - tier: 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. 1: Only level 1 tests are performed, they check functionalities of medium complexity. 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. tags: - - fim + - fim_checks ''' import os import sys 
@@ -138,16 +137,16 @@ def get_configuration(request): def test_checksums_checkall(path, checkers, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): ''' - description: Check if the `wazuh-syscheckd` daemon adds in the generated events the checks related to + description: Check if the 'wazuh-syscheckd' daemon adds in the generated events the checks related to file checksum specified in the configuration. These checks are attributes indicating that - a monitored file has been modified. For example, if `check_all=yes` and `check_sum=no` are - set for the same directory, `syscheck` must send an event containing every possible `check_` + a monitored file has been modified. For example, if 'check_all=yes' and 'check_sum=no' are + set for the same directory, 'syscheck' must send an event containing every possible 'check_' except the checksums. For this purpose, the test will monitor a testing folder using - the `check_all` attribute in conjunction with checksum-related `checks` on the same directory, - having `check_all` to `yes` and the other ones to `no`. Finally, the test will verify that - the `FIM` events generated contain only the fields of the `checks` specified for the monitored folder. + the 'check_all' attribute in conjunction with checksum-related 'checks' on the same directory, + having 'check_all' to 'yes' and the other ones to 'no'. Finally, the test will verify that + the FIM events generated contain only the fields of the 'checks' specified for the monitored folder. - wazuh_min_version: 4.2 + wazuh_min_version: 4.2.0 parameters: - path: 
@@ -164,21 +163,21 @@ def test_checksums_checkall(path, checkers, get_configuration, configure_environ brief: Configure a custom environment for testing. - restart_syscheckd: type: fixture - brief: Clear the `ossec.log` file and start a new monitor. + brief: Clear the 'ossec.log' file and start a new monitor. - wait_for_fim_start: type: fixture brief: Wait for realtime start, whodata start, or end of initial FIM scan. assertions: - - Verify that the `FIM` events generated contain only the `check_` fields specified in the configuration. + - Verify that FIM events generated contain only the 'check_' fields specified in the configuration. - input_description: Different test cases are contained in external `YAML` files + input_description: Different test cases are contained in external YAML files (wazuh_checksums.yaml or wazuh_checksums_windows.yaml) which includes - configuration settings for the `wazuh-syscheckd` daemon and testing + configuration settings for the 'wazuh-syscheckd' daemon and testing directories to monitor. expected_output: - - r'.*Sending FIM event: (.+)$' (`added`, `modified`, and `deleted` events) + - r'.*Sending FIM event: (.+)$' ('added', 'modified', and 'deleted' events) tags: - scheduled 
@@ -207,18 +206,18 @@ def test_checksums_checkall(path, checkers, get_configuration, configure_environ def test_checksums(path, checkers, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): ''' - description: Check if the `wazuh-syscheckd` daemon adds in the generated events the checks related to + description: Check if the 'wazuh-syscheckd' daemon adds in the generated events the checks related to file checksum (checksum, sha1sum, sha256sum and md5sum) specified in the configuration. These checks are attributes indicating that a monitored file has been modified. For example, - if `check_all=no` and `check_sum=yes` are set for the same directory, `syscheck` must send + if 'check_all=no' and 'check_sum=yes' are set for the same directory, 'syscheck' must send an event only containing the file checksums. - For this purpose, the test will monitor a testing folder using the `check_all=no` attribute - (in order to avoid using the default `check_all` configuration) in conjunction with - checksum-related `checks` on the same directory. Finally, the test will verify that - the `FIM` events generated contain only the fields of the checksum-related `checks` + For this purpose, the test will monitor a testing folder using the 'check_all=no' attribute + (in order to avoid using the default 'check_all' configuration) in conjunction with + checksum-related 'checks' on the same directory. Finally, the test will verify that + the FIM events generated contain only the fields of the checksum-related 'checks' specified for the monitored folder. - wazuh_min_version: 4.2 + wazuh_min_version: 4.2.0 parameters: - path: 
@@ -235,21 +234,21 @@ def test_checksums(path, checkers, get_configuration, configure_environment, res brief: Configure a custom environment for testing. - restart_syscheckd: type: fixture - brief: Clear the `ossec.log` file and start a new monitor. + brief: Clear the 'ossec.log' file and start a new monitor. - wait_for_fim_start: type: fixture brief: Wait for realtime start, whodata start, or end of initial FIM scan. assertions: - - Verify that the `FIM` events generated contain only the `check_` fields specified in the configuration. + - Verify that FIM events generated contain only the 'check_' fields specified in the configuration. - input_description: Different test cases are contained in external `YAML` files + input_description: Different test cases are contained in external YAML files (wazuh_checksums.yaml or wazuh_checksums_windows.yaml) which includes - configuration settings for the `wazuh-syscheckd` daemon and testing + configuration settings for the 'wazuh-syscheckd' daemon and testing directories to monitor. expected_output: - - r'.*Sending FIM event: (.+)$' (`added`, `modified`, and `deleted` events) + - r'.*Sending FIM event: (.+)$' ('added', 'modified', and 'deleted' events) tags: - scheduled diff --git a/tests/integration/test_fim/test_files/test_checks/test_hard_link.py b/tests/integration/test_fim/test_files/test_checks/test_hard_link.py index e02dec4744..acf8778819 100644 --- a/tests/integration/test_fim/test_files/test_checks/test_hard_link.py +++ b/tests/integration/test_fim/test_files/test_checks/test_hard_link.py 
@@ -1,7 +1,69 @@
-# Copyright (C) 2015-2021, Wazuh Inc.
-# Created by Wazuh, Inc. .
-# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
-
+'''
+copyright: Copyright (C) 2015-2021, Wazuh Inc.
+
+ Created by Wazuh, Inc. .
+
+ This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files
+ are modified. Specifically, these tests will check if FIM events are generated when 'hard links'
+ of a monitored file are modified but are located in a different directory than the source file.
+ The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files
+ for changes to the checksums, permissions, and ownership.
+
+tier: 0
+
+modules:
+ - fim
+
+components:
+ - agent
+ - manager
+
+daemons:
+ - wazuh-syscheckd
+
+os_platform:
+ - linux
+
+os_version:
+ - Arch Linux
+ - Amazon Linux 2
+ - Amazon Linux 1
+ - CentOS 8
+ - CentOS 7
+ - CentOS 6
+ - Ubuntu Focal
+ - Ubuntu Bionic
+ - Ubuntu Xenial
+ - Ubuntu Trusty
+ - Debian Buster
+ - Debian Stretch
+ - Debian Jessie
+ - Debian Wheezy
+ - Red Hat 8
+ - Red Hat 7
+ - Red Hat 6
+
+references:
+ - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+ - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
+ - https://en.wikipedia.org/wiki/Inode
+
+pytest_args:
+ - fim_mode:
+ realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+ whodata: Implies real-time monitoring but adding the 'who-data' information.
+ - tier:
+ 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+ 1: Only level 1 tests are performed, they check functionalities of medium complexity.
+ 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+ - fim_checks
'''
import os
import sys
import time
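Review bot: The new module brief says FIM events are generated when 'hard links' of a monitored file are modified, but the test docstring in the following hunk states that only modification events for the regular file are expected, never for the hard links themselves, with the links reported in the event's 'hard_links' field. As written, the summary can be read as promising a per-link event, which is the opposite of what the test asserts, and that distinction matters to anyone relying on this documentation to understand what FIM will and will not report. Suggest rewording the brief along the lines of `are modified. Specifically, these tests will check that modifying a 'hard link' of a monitored file, whether it` / `is located inside or outside the monitored directory, produces a 'modified' event for the regular file only,` / `with the links listed in the 'hard_links' field of that event.` The claim about inside/outside placement is taken from the test description in the next hunk, whose body continues beyond this view.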
@@ -55,28 +117,66 @@ def get_configuration(request): ]) def test_hard_link(path_file, file_name, path_link, link_name, num_links, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): - """ - Test the check_inode option when used with Hard links by creating a hard link file inside and outside the - monitored directory. - - When a regular file with one or more hard links pointing to it is modified the event raised will have a field named - 'hard_links' that must contain a list with the path to those hard links. Only modification events for the regular - file are expected, not for the hard links, even if we modify a hard link. - - Parameters - ---------- - path_file : str - The path to the regular file to be created. - file_name : str - The name of the regular file to be created. - path_link : str - The path to the Hard links to be created. - link_name : str - The name of the Hard links to be created. - num_links : int - Number of hard links to create. All of them will be pointing to the same regular file. - """ - + ''' + description: Check if the 'wazuh-syscheckd' daemon detects events when the 'check_inode' attribute is used + and 'hard links' are modified while inside and outside the monitored directory. + When a regular file with one or more hard links pointing to it is modified, the FIM event + raised will have a field named 'hard_links' that must contain a list with the path to those + 'hard links'. Only modification events for the regular file are expected, not for the 'hard links' + even if the 'hard link' is modified. For this purpose, the test will monitor a directory where + it will add a testing file, create several 'hard links' pointing to it and verify that these + operations have generated the appropriate FIM 'added' events. Then it will modify the testing file + and check if the 'modified' events have been generated for that file only. 
Finally, the test + will verify that appropriate FIM events are generated if one of the 'hard links' + within the monitored directory is modified. + + wazuh_min_version: 4.2.0 + + parameters: + - path_file: + type: str + brief: Path to the regular file to be created. + - file_name: + type: str + brief: Name of the regular file to be created. + - path_link: + type: str + brief: Path to the 'hard links' to be created. + - link_name: + type: str + brief: Name of the 'hard links' to be created. + - num_links: + type: int + brief: Number of hard links to create. All of them will be pointing to the same regular file. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the 'ossec.log' file and start a new monitor. + - wait_for_fim_start: + type: fixture + brief: Wait for realtime start, whodata start, or end of initial FIM scan. + + assertions: + - Verify that the FIM events generated contain contain the proper number of 'hard links' + in the 'hard_links' field. + - Verify that only FIM events are generated when the regular file being monitored is modified. + + input_description: A test case (test_hard_link) is contained in external YAML file + (wazuh_hard_link.yaml) which includes configuration settings for + the 'wazuh-syscheckd' daemon and testing directory to monitor. + + expected_output: + - r'.*Sending FIM event: (.+)$' ('added', 'modified', and 'deleted' events) + + tags: + - scheduled + - time_travel + ''' def detect_and_validate_event(expected_file, mode, expected_hard_links): event_checker.events = event_checker.fetch_events(min_timeout=global_parameters.default_timeout)