From ed2f2cce97808db088524db0ccc583951442fa81 Mon Sep 17 00:00:00 2001 From: mdengra Date: Wed, 13 Oct 2021 16:52:29 +0200 Subject: [PATCH 1/2] doc: Add test_scan, test_skip, and test_stats_integrity_sync of test_fim/test_files documentation in QA Docs style The following tests have been documentated: * test_scan_day.py * test_scan_day_and_time.py * test_scan_time.py The current scheme of the issue #1694 has been used. PEP-8 fixes. Closes: #2031 --- .../test_files/test_scan/test_scan_day.py | 123 ++++++++++++++++- .../test_scan/test_scan_day_and_time.py | 124 ++++++++++++++++-- .../test_files/test_scan/test_scan_time.py | 124 ++++++++++++++++-- 3 files changed, 348 insertions(+), 23 deletions(-) diff --git a/tests/integration/test_fim/test_files/test_scan/test_scan_day.py b/tests/integration/test_fim/test_files/test_scan/test_scan_day.py index 39e141a11f..a61146f8bb 100644 --- a/tests/integration/test_fim/test_files/test_scan/test_scan_day.py +++ b/tests/integration/test_fim/test_files/test_scan/test_scan_day.py 
@@ -1,6 +1,76 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these + files are modified. Specifically, these tests will check if the 'wazuh-syscheckd' daemon runs + the scans on a specific day of the week set in the 'scan_day' tag. + The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files + for changes to the checksums, permissions, and ownership. + +tier: 1 + +modules: + - fim + +components: + - agent + - manager + +daemons: + - wazuh-syscheckd + +os_platform: + - linux + - windows + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + - Windows 10 + - Windows 8 + - Windows 7 + - Windows Server 2016 + - Windows Server 2012 + - Windows Server 2003 + - Windows XP + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#scan-day + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the 'who-data' information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. + 1: Only level 1 tests are performed, they check functionalities of medium complexity. 
+ 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. + +tags: + - fim_scan +''' import os from datetime import datetime, timedelta 
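Review bot: The `brief:` sentence of the new module docstring has a grammar slip, `watches selected files and triggering alerts when these files are modified`; it should read `watches selected files and triggers alerts when these files are modified`. The same sentence is pasted into the module headers added to test_scan_day_and_time.py, test_scan_time.py, test_skip.py and test_FIM_performance.py in this series, so all five need the fix. Less certain: `pytest_args` documents `fim_mode: realtime` and `whodata`, while the module and function tags say this test only runs as `scheduled`/`time_travel`, which suggests the block was copied from a template; if the DocGenerator schema does not require the field, dropping it here would stop readers from expecting the test to exercise those modes.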
@@ -48,10 +118,49 @@ def get_configuration(request): def test_scan_day(tags_to_apply, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): - """Check if there is a scan at a certain day of the week - - It will only scan once a week, on the given day. - """ + ''' + description: Check if the 'wazuh-syscheckd' performs a scan on the day of the week specified in + the 'scan_day' tag. For this purpose, the test will monitor a testing folder and + modify the system date to the day of the scan that should be performed. Then, it + will check if an FIM event, indicating that the scan is ended, is generated. Finally, + the test will verify that scans are not performed on a different day of the week + specified in the test case. + + wazuh_min_version: 4.2.0 + + parameters: + - tags_to_apply: + type: set + brief: Run test if match with a configuration identifier, skip otherwise. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the 'ossec.log' file and start a new monitor. + - wait_for_fim_start: + type: fixture + brief: Wait for realtime start, whodata start, or end of initial FIM scan. + + assertions: + - Verify that an FIM event is generated when the system date matches + the day of the week specified for the scan. + - Verify that scan is not performed on a different day of the week than scheduled. + + input_description: A test case (scan_day) is contained in external YAML file (wazuh_conf.yaml) which + includes configuration settings for the 'wazuh-syscheckd' daemon. These are combined + with the testing directory to be monitored and the scan days defined in the module. 
+ + expected_output: + - r'.*Sending FIM event: (.+)$' (at scan ends) + + tags: + - scheduled + - time_travel + ''' check_apply_test(tags_to_apply, get_configuration['tags']) day_of_week = {'monday': 0, diff --git a/tests/integration/test_fim/test_files/test_scan/test_scan_day_and_time.py b/tests/integration/test_fim/test_files/test_scan/test_scan_day_and_time.py index e980897b22..9e9a00d4de 100644 --- a/tests/integration/test_fim/test_files/test_scan/test_scan_day_and_time.py +++ b/tests/integration/test_fim/test_files/test_scan/test_scan_day_and_time.py 
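Review bot: The wording `scans are not performed on a different day of the week specified in the test case` drops the comparison and reads as though the test case specifies a different day; `on a day of the week other than the one specified in the test case` says what is meant, and the matching `assertions` entry would read `Verify that no scan is performed on a day of the week other than the scheduled one`. The same construction appears in the new docstrings of test_scan_day_and_time and test_scan_time. Separately, the hunk replaces the existing `"""` docstring delimiters with `'''` although the commit message advertises PEP-8 fixes and PEP 257 recommends `"""`; if the qa-docs parser requires `'''`, that convention is worth stating in docs/DocGenerator so the next contributor does not revert it. The body of test_scan_day continues outside the hunk.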
@@ -1,6 +1,77 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files + are modified. Specifically, these tests will check if the 'wazuh-syscheckd' daemon runs the scans + on a specific day of the week and time, set them in the 'scan_day' and 'scan_time' tags. + The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files + for changes to the checksums, permissions, and ownership. + +tier: 1 + +modules: + - fim + +components: + - agent + - manager + +daemons: + - wazuh-syscheckd + +os_platform: + - linux + - windows + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + - Windows 10 + - Windows 8 + - Windows 7 + - Windows Server 2016 + - Windows Server 2012 + - Windows Server 2003 + - Windows XP + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#scan-day + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#scan-time + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the 'who-data' information. 
+ - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. + 1: Only level 1 tests are performed, they check functionalities of medium complexity. + 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. + +tags: + - fim_scan +''' import os from calendar import monthrange from datetime import datetime, timedelta 
@@ -82,11 +153,48 @@ def get_configuration(request): def test_scan_day_and_time(tags_to_apply, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): - """ - Check if there is a scan in a certain day and time - - This test must check both scan params. - """ + ''' + description: Check if the 'wazuh-syscheckd' performs a scan on the day of the week and the time specified in + the 'scan_day' and 'scan_time' tags. For this purpose, the test will monitor a testing folder and + modify the system date to the moment of the scan that should be performed. Then, it will check + if an FIM event, indicating that the scan is ended, is generated. Finally, the test will verify + that scans are not performed on a different day or time specified in the test case. + + wazuh_min_version: 4.2.0 + + parameters: + - tags_to_apply: + type: set + brief: Run test if match with a configuration identifier, skip otherwise. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the 'ossec.log' file and start a new monitor. + - wait_for_fim_start: + type: fixture + brief: Wait for realtime start, whodata start, or end of initial FIM scan. + + assertions: + - Verify that an FIM event is generated when the system date matches + the day of the week and the time specified for the scan. + - Verify that scan is not performed on a different day or time than scheduled. + + input_description: A test case (scan_both) is contained in external YAML file (wazuh_conf.yaml) which + includes configuration settings for the 'wazuh-syscheckd' daemon. These are combined + with the testing directory to be monitored and the scan dates defined in the module. 
+ + expected_output: + - r'.*Sending FIM event: (.+)$' (at scan ends) + + tags: + - scheduled + - time_travel + ''' check_apply_test(tags_to_apply, get_configuration['tags']) day_of_week = {'monday': 0, diff --git a/tests/integration/test_fim/test_files/test_scan/test_scan_time.py b/tests/integration/test_fim/test_files/test_scan/test_scan_time.py index f1e1dc534d..2a6e0ccedb 100644 --- a/tests/integration/test_fim/test_files/test_scan/test_scan_time.py +++ b/tests/integration/test_fim/test_files/test_scan/test_scan_time.py 
@@ -1,6 +1,76 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these + files are modified. Specifically, these tests will check if the 'wazuh-syscheckd' daemon runs + the scans at a specific time of day set in the 'scan_time' tag. + The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files + for changes to the checksums, permissions, and ownership. + +tier: 1 + +modules: + - fim + +components: + - agent + - manager + +daemons: + - wazuh-syscheckd + +os_platform: + - linux + - windows + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + - Red Hat 8 + - Red Hat 7 + - Red Hat 6 + - Windows 10 + - Windows 8 + - Windows 7 + - Windows Server 2016 + - Windows Server 2012 + - Windows Server 2003 + - Windows XP + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#scan-time + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the 'who-data' information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. + 1: Only level 1 tests are performed, they check functionalities of medium complexity. 
+ 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. + +tags: + - fim_scan +''' import os from datetime import datetime, timedelta 
@@ -49,11 +119,49 @@ def get_configuration(request): def test_scan_time(tags_to_apply, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): - """ - Check if there is a scan at a certain time - - scan_time option makes sure there is only one scan every 24 hours, at a certain time. - """ + ''' + description: Check if the 'wazuh-syscheckd' performs a scan at the time of day specified in + the 'scan_time' tag. For this purpose, the test will monitor a testing folder and + modify the system date to the time of the scan that should be performed. Then, it + will check if an FIM event, indicating that the scan is ended, is generated. Finally, + the test will verify that scans are not performed at a different time of day + specified in the test case. + + wazuh_min_version: 4.2.0 + + parameters: + - tags_to_apply: + type: set + brief: Run test if match with a configuration identifier, skip otherwise. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the 'ossec.log' file and start a new monitor. + - wait_for_fim_start: + type: fixture + brief: Wait for realtime start, whodata start, or end of initial FIM scan. + + assertions: + - Verify that an FIM event is generated when the system date matches + the time of day specified for the scan. + - Verify that scan is not performed at a different time of day than scheduled. + + input_description: A test case (scan_time) is contained in external YAML file (wazuh_conf.yaml) which + includes configuration settings for the 'wazuh-syscheckd' daemon. These are combined + with the testing directory to be monitored and the scan times defined in the module. 
+ + expected_output: + - r'.*Sending FIM event: (.+)$' (at scan ends) + + tags: + - scheduled + - time_travel + ''' check_apply_test(tags_to_apply, get_configuration['tags']) # Reformat given time to a readable format since it can be writen in several ways in ossec.conf From 78e6d1debfe7a418604bbef29d1a7cc6242fd21e Mon Sep 17 00:00:00 2001 From: mdengra Date: Thu, 14 Oct 2021 16:14:43 +0200 Subject: [PATCH 2/2] doc: Add test_scan, test_skip, and test_stats_integrity_sync of test_fim/test_files documentation in QA Docs style The following tests have been documentated: * test_skip.py * test_FIM_performance.py * test_stats_integrity_sync.py The current scheme of the issue #1694 has been used. Updated config.yaml PEP-8 fixes. Closes: #2031 --- docs/DocGenerator/config.yaml | 3 + .../test_files/test_skip/test_skip.py | 274 ++++++++++++++++-- .../test_FIM_performance.py | 113 +++++++- .../test_stats_integrity_sync.py | 128 +++++++- 4 files changed, 481 insertions(+), 37 deletions(-) diff --git a/docs/DocGenerator/config.yaml b/docs/DocGenerator/config.yaml index 399dd0dc2c..6315a697f7 100644 --- a/docs/DocGenerator/config.yaml +++ b/docs/DocGenerator/config.yaml @@ -67,6 +67,9 @@ Ignore paths: - "../../tests/integration/test_fim/test_files/test_recursion_level/data" - "../../tests/integration/test_fim/test_files/test_restrict/data" - "../../tests/integration/test_fim/test_files/test_report_changes/data" + - "../../tests/integration/test_fim/test_files/test_scan/data" + - "../../tests/integration/test_fim/test_files/test_skip/data" + - "../../tests/integration/test_fim/test_files/test_stats_integrity_sync/data" Output fields: Module: diff --git a/tests/integration/test_fim/test_files/test_skip/test_skip.py b/tests/integration/test_fim/test_files/test_skip/test_skip.py index 45bb171a12..c867a9e1a5 100644 --- a/tests/integration/test_fim/test_files/test_skip/test_skip.py +++ b/tests/integration/test_fim/test_files/test_skip/test_skip.py 
@@ -1,7 +1,69 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these + files are modified. Specifically, these tests will check if the 'wazuh-syscheckd' daemon skips + the scans on the special directories of Linux systems ('/dev', '/proc', '/sys', and NFS folders), + using the 'skip_' tags for this purpose. + The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files + for changes to the checksums, permissions, and ownership. + +tier: 1 + +modules: + - fim + +components: + - agent + - manager + +daemons: + - wazuh-syscheckd + +os_platform: + - linux + +os_version: + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#skip-dev + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#skip-nfs + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#skip-proc + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#skip-sys + - https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems. 
+ whodata: Implies real-time monitoring but adding the 'who-data' information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. + 1: Only level 1 tests are performed, they check functionalities of medium complexity. + 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. + +tags: + - fim_skip +''' import os import shutil import subprocess 
@@ -91,7 +153,49 @@ def extra_configuration_before_yield(): # tests def test_skip_proc(get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): - """Check if syscheckd skips /proc when setting 'skip_proc="yes"'.""" + ''' + description: Check if the 'wazuh-syscheckd' daemon skips the Linux '/proc' directory at scanning when + the 'skip_proc' tag is set to 'yes'. For this purpose, the test will monitor a PID folder + in the '/proc' directory. To generate the PID folder, it will call a script that contains + an endless loop to create the process that adds that folder to the '/proc' directory. Then, + the test adds to the main configuration the PID folder to monitor, and finally, it will verify + that the FIM 'added' event related to the PID folder ('skip_proc == no') or the FIM 'integrity' + event ('skip_proc == yes') is generated. + + wazuh_min_version: 4.2.0 + + parameters: + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the 'ossec.log' file and start a new monitor. + - wait_for_fim_start: + type: fixture + brief: Wait for realtime start, whodata start, or end of initial FIM scan. + + assertions: + - Verify that no FIM events are generated from a monitored folder inside the '/proc' directory when + the 'skip_proc' tag is set to 'yes' and vice versa. + + input_description: A test case (skip_proc) is contained in external YAML file (wazuh_conf.yaml) which + includes configuration settings for the 'wazuh-syscheckd' daemon, and these are + combined with the testing directory to be monitored defined in the module. + To generate the directory to monitor in '/proc', the 'proc.py' script is used, + which runs an endless loop to keep the PID active. 
+ + expected_output: + - r'.*Sending FIM event: (.+)$' ('added' events if 'skip_proc == no') + - r'.*Sending integrity control message: (.+)$' (if 'skip_sys == yes') + + tags: + - scheduled + - time_travel + ''' check_apply_test({'skip_proc'}, get_configuration['tags']) trigger = get_configuration['metadata']['skip'] == 'no' 
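Review bot: The second `expected_output` entry of test_skip_proc is conditioned on the wrong option: `(if 'skip_sys == yes')` should be `(if 'skip_proc == yes')`, matching the tag the test applies on the context line `check_apply_test({'skip_proc'}, get_configuration['tags'])`. The `assertions` entry says no FIM events are generated when skipping, while `expected_output` says an integrity control message is expected in that case; a short clause such as `(only the integrity control message is expected)` on the assertion would remove the apparent contradiction. The body of test_skip_proc continues outside the hunk.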
@@ -138,7 +242,47 @@ def test_skip_proc(get_configuration, configure_environment, restart_syscheckd, def test_skip_sys(get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): - """Check if syscheckd skips /sys when setting 'skip_sys="yes"'.""" + ''' + description: Check if the 'wazuh-syscheckd' daemon skips the Linux '/sys' directory at scanning when the + 'skip_sys' tag is set to 'yes'. For this purpose, the test will monitor the 'module/isofs' + folder in the '/sys' directory. That folder is created by the 'isofs' module, so if it + does not exist, it must be load before the test run. Then, it will remove the 'isofs' folder + by unloading the 'isofs' module, and finally, it will verify that the FIM 'deleted' event + related to the 'isofs' folder ('skip_proc == no') or the FIM 'integrity' event + ('skip_proc == yes') is generated. + + wazuh_min_version: 4.2.0 + + parameters: + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the 'ossec.log' file and start a new monitor. + - wait_for_fim_start: + type: fixture + brief: Wait for realtime start, whodata start, or end of initial FIM scan. + + assertions: + - Verify that no FIM events are generated from a monitored folder inside the '/sys' directory when + the 'skip_sys' tag is set to 'yes' and vice versa. + + input_description: A test case (skip_sys) is contained in external YAML file (wazuh_conf.yaml) which + includes configuration settings for the 'wazuh-syscheckd' daemon and the testing + directory to be monitored. 
+ + expected_output: + - r'.*Sending FIM event: (.+)$' ('deleted' events if 'skip_sys == no') + - r'.*Sending integrity control message: (.+)$' (if 'skip_sys == yes') + + tags: + - scheduled + - time_travel + ''' check_apply_test({'skip_sys'}, get_configuration['tags']) trigger = get_configuration['metadata']['skip'] == 'no' 
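Review bot: test_skip_sys's description refers to `('skip_proc == no')` and `('skip_proc == yes')` although this test is about `skip_sys` (the tag applied on the context line `check_apply_test({'skip_sys'}, get_configuration['tags'])`); both should read `'skip_sys == no'` / `'skip_sys == yes'`. In the same sentence `it must be load before the test run` should be `it must be loaded before the test runs`. Since the description says the test unloads the `isofs` kernel module, the docstring should also state that it needs root and changes kernel module state on the host, which is a side effect a test scheduler needs to know about; the fixture that does the loading is not visible in the hunk, so word it to match what that fixture actually requires. The body of test_skip_sys continues outside the hunk.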
@@ -177,16 +321,52 @@ def test_skip_sys(get_configuration, configure_environment, restart_syscheckd, w def test_skip_dev(modify_inode_mock, directory, tags_to_apply, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): - """Check if syscheckd skips /dev when setting 'skip_dev="yes"'. - - /proc, /sys, /dev and nfs directories are special directories. Unless it is specified with skip_*='no', syscheck - will skip these directories. If not, they will be monitored like a normal directory. - - Parameters - ---------- - directory : str - Directory that will be monitored. - """ + ''' + description: Check if the 'wazuh-syscheckd' daemon skips the Linux '/dev' directory at scanning when the + 'skip_dev' tag is set to 'yes'. For this purpose, the test will monitor the '/dev' directory. + Then, it will make file operations inside it, and finally, the test will verify that FIM events + from the '/dev' folder are generated or not depending on the value of the 'skip_dev' tag. + + wazuh_min_version: 4.2.0 + + parameters: + - modify_inode_mock: + type: None + brief: Change the inode of a file in Linux systems. + - directory: + type: str + brief: Path to the testing directory that will be monitored. + - tags_to_apply: + type: set + brief: Run test if match with a configuration identifier, skip otherwise. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the 'ossec.log' file and start a new monitor. + - wait_for_fim_start: + type: fixture + brief: Wait for realtime start, whodata start, or end of initial FIM scan. + + assertions: + - Verify that no FIM events are generated from the '/dev' directory when + the 'skip_dev' tag is set to 'yes' and vice versa. 
+ + input_description: A test case (skip_dev) is contained in external YAML file (wazuh_conf.yaml) which + includes configuration settings for the 'wazuh-syscheckd' daemon and the testing + directory to be monitored. + + expected_output: + - r'.*Sending FIM event: (.+)$' ('added', 'modified', and 'deleted' events if 'skip_sys == no') + + tags: + - scheduled + - time_travel + ''' check_apply_test(tags_to_apply, get_configuration['tags']) trigger = get_configuration['metadata']['skip'] == 'no' 
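Review bot: The `expected_output` line of test_skip_dev says `if 'skip_sys == no'` but this test's option is `skip_dev`; it should read `('added', 'modified', and 'deleted' events if 'skip_dev == no')`. `modify_inode_mock` is documented as `type: None`, yet the test_skip_nfs signature further down shows the same parameter is the object injected by `@patch('wazuh_testing.fim.modify_file_inode')` (test_skip_dev's own decorator is outside the hunk), so something like `type: MagicMock` with `brief: Mock of 'modify_file_inode' so no real inode change is made.` is closer to the truth — confirm against the decorator. The removed docstring also carried a statement of the default behaviour, `Unless it is specified with skip_*='no', syscheck will skip these directories`; the new description never says that skipping is the default, and that sentence is worth keeping in `description`.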
@@ -199,17 +379,57 @@ def test_skip_dev(modify_inode_mock, directory, tags_to_apply, get_configuration @patch('wazuh_testing.fim.modify_file_inode') def test_skip_nfs(modify_inode_mock, directory, tags_to_apply, configure_nfs, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): - """Check if syscheckd skips nfs directories when setting 'skip_nfs="yes"'. - - This test assumes you have a nfs directory mounted on '/nfs-mount-point'. If you do not have one, use the fixture - `configure_nfs`. - - Parameters - ---------- - directory : str - Directory that will be monitored. - """ - + ''' + description: Check if the 'wazuh-syscheckd' daemon skips NFS directories at scanning when the 'skip_nfs' tag + is set to 'yes'. For this purpose, the test will create and monitor a NFS mount point. Then, + it will make file operations inside it, and finally, the test will verify that FIM events + from the NFS folder are generated or not depending on the value of the 'skip_nfs' tag. + + wazuh_min_version: 4.2.0 + + parameters: + - modify_inode_mock: + type: None + brief: Change the inode of a file in Linux systems. + - directory: + type: str + brief: Path to the testing directory that will be monitored. + - tags_to_apply: + type: set + brief: Run test if match with a configuration identifier, skip otherwise. + - configure_nfs: + type: fixture + brief: Call NFS scripts to create and configure a NFS mount point. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the 'ossec.log' file and start a new monitor. + - wait_for_fim_start: + type: fixture + brief: Wait for realtime start, whodata start, or end of initial FIM scan. + + assertions: + - Verify that no FIM events are generated from an NFS monitored directory when + the 'skip_nfs' tag is set to 'yes' and vice versa. 
+ + input_description: A test case (skip_nfs) is contained in external YAML file (wazuh_conf.yaml) + which includes configuration settings for the 'wazuh-syscheckd' daemon and + the testing directory to be monitored. To generate the NFS directory to monitor, + the 'configure_nfs.sh' script is used, which install, configure, and create a + mount point using NFS. To remove the mount point, the 'remove_nfs.sh' script is used. + + expected_output: + - r'.*Sending FIM event: (.+)$' ('added', 'modified', and 'deleted' events if 'skip_nfs == no') + + tags: + - scheduled + - time_travel + ''' def custom_callback(filename): def callback(line): match = callback_detect_event(line) diff --git a/tests/integration/test_fim/test_files/test_stats_integrity_sync/test_FIM_performance.py b/tests/integration/test_fim/test_files/test_stats_integrity_sync/test_FIM_performance.py index 81be36ae96..bf97f97b36 100644 --- a/tests/integration/test_fim/test_files/test_stats_integrity_sync/test_FIM_performance.py +++ b/tests/integration/test_fim/test_files/test_stats_integrity_sync/test_FIM_performance.py 
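Review bot: Grammar in test_skip_nfs's `input_description`: `the 'configure_nfs.sh' script is used, which install, configure, and create a mount point` should be `which installs, configures, and creates a mount point`, and `a NFS mount point` should be `an NFS mount point` in both the description and the `configure_nfs` brief. The removed docstring told the reader where the mount is expected (`/nfs-mount-point`) and that `configure_nfs` provides it; the new text no longer names the path, so add it to the `configure_nfs` brief if the fixture still uses that location. Because the fixture installs packages and mounts a filesystem on the host, the docstring should also say the test is privileged and modifies host configuration, so it is not run on a shared machine by mistake. The body of test_skip_nfs continues outside the hunk.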
@@ -1,7 +1,64 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these + files are modified. Specifically, these tests will check the overall performance of FIM using + the 'realtime' monitoring mode. + The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files + for changes to the checksums, permissions, and ownership. + +tier: 3 + +modules: + - fim + +components: + - manager + +daemons: + - wazuh-syscheckd + +os_platform: + - linux + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - CentOS 6 + - Ubuntu Focal + - Ubuntu Bionic + - Ubuntu Xenial + - Ubuntu Trusty + - Debian Buster + - Debian Stretch + - Debian Jessie + - Debian Wheezy + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the 'who-data' information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. + 1: Only level 1 tests are performed, they check functionalities of medium complexity. + 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. + +tags: + - fim_stats_integrity_sync +''' import os import re import shutil 
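Review bot: The module header sets `tier: 3`, but its `pytest_args` block documents only tiers 0, 1 and 2, so a reader has no description of what tier 3 means or how to select it; add an entry under `- tier:` such as `3: Only level 3 tests are performed, they are performance tests that are slow and need a dedicated host.` (adjust to whatever the project defines for tier 3), or reconcile the tier value. `brief:` says the tests use the 'realtime' monitoring mode while `pytest_args` still offers `whodata`; if whodata is not exercised by this module, dropping it from this header avoids implying that it is.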
@@ -558,7 +615,53 @@ def real_test(test_type, real_df, integrity_df, string_configuration, configurat
 'real-time'
 ])
 def test_performance(mode, file_size, eps, path_length, number_files, initial_clean, modify_local_internal_options):
- """Execute and launch all the necessary processes to check all the cases with all the specified configurations."""
+ '''
+ description: Check the overall performance of the FIM module and generate the related metrics.
+ For this purpose, the test will monitor a directory hierarchy of variable depth and
+ create multiple testing files in it. Then, it will make different operations to bench
+ the different subsystems, and finally, the test will collect the metrics generated
+ to store them in CSV files.
+
+ wazuh_min_version: 4.2.0
+
+ parameters:
+ - mode:
+ type: str
+ brief: FIM monitoring mode to be used.
+ - file_size:
+ type: str
+ brief: Size of the testing files to be created.
+ - eps:
+ type: str
+ brief: Number the events per second to generate.
+ - path_length:
+ type: str
+ brief: Level of depth of the directory hierarchy to be created.
+ - number_files:
+ type: str
+ brief: Number of testing files to be created.
+ - initial_clean:
+ type: fixture
+ brief: Clean the environment by removing the stats files and the testing dir.
+ - modify_local_internal_options:
+ type: fixture
+ brief: Replace the 'local_internal_options' file.
+
+ assertions:
+ - Benchmark the FIM module and collect the generated metrics to store them in CSV files.
+
+ input_description: A template is used for the main configuration of the manager. It is
+ included in an external '.conf' file (template_wazuh_conf.conf).
+ The test cases are defined in the module.
+
+ expected_output:
+ - A CSV file with the metrics collected for the 'wazuh-agentd' daemon stats.
+ - A CSV file with the metrics collected for the database integrity.
+ - A CSV file with the general metrics collected.
+
+ tags:
+ - realtime
+ '''
 replace_conf(eps['sync_eps'], eps['fim_eps'])
 branch = detect_syscheck_version()
 os.makedirs(performance_dir, exist_ok=True)
diff --git a/tests/integration/test_fim/test_files/test_stats_integrity_sync/test_stats_integrity_sync.py b/tests/integration/test_fim/test_files/test_stats_integrity_sync/test_stats_integrity_sync.py
index bfb4658bc0..bfb15723a9 100644
--- a/tests/integration/test_fim/test_files/test_stats_integrity_sync/test_stats_integrity_sync.py
+++ b/tests/integration/test_fim/test_files/test_stats_integrity_sync/test_stats_integrity_sync.py
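Review bot: `eps` is documented as `type: str`, but the first statement of the body indexes it as a mapping (`replace_conf(eps['sync_eps'], eps['fim_eps'])`), so the parameter entry misdescribes the argument; suggest `type: dict` with `brief: Mapping with the 'sync_eps' and 'fim_eps' values (events per second) to apply.` Its current brief also has a typo, `Number the events per second to generate.` should read `Number of events per second to generate.`. The `type: str` given for `file_size`, `path_length` and `number_files` is probably worth checking against the parametrize values above the hunk, since their briefs describe sizes and counts. The `assertions` entry describes a benchmark rather than a check; if the function asserts nothing, the docstring should say so. The body of test_performance continues beyond the hunk.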
@@ -1,7 +1,64 @@
-# Copyright (C) 2015-2021, Wazuh Inc.
-# Created by Wazuh, Inc. .
-# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
-
+'''
+copyright: Copyright (C) 2015-2021, Wazuh Inc.
+
+ Created by Wazuh, Inc. .
+
+ This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when
+ these files are modified. Specifically, these tests will check the overall performance of
+ the statistics recollection by the Wazuh daemons related to the FIM module.
+ The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files
+ for changes to the checksums, permissions, and ownership.
+
+tier: 3
+
+modules:
+ - fim
+
+components:
+ - manager
+
+daemons:
+ - wazuh-syscheckd
+
+os_platform:
+ - linux
+
+os_version:
+ - Arch Linux
+ - Amazon Linux 2
+ - Amazon Linux 1
+ - CentOS 8
+ - CentOS 7
+ - CentOS 6
+ - Ubuntu Focal
+ - Ubuntu Bionic
+ - Ubuntu Xenial
+ - Ubuntu Trusty
+ - Debian Buster
+ - Debian Stretch
+ - Debian Jessie
+ - Debian Wheezy
+
+references:
+ - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+ - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
+
+pytest_args:
+ - fim_mode:
+ realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+ whodata: Implies real-time monitoring but adding the 'who-data' information.
+ - tier:
+ 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+ 1: Only level 1 tests are performed, they check functionalities of medium complexity.
+ 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+ - fim_stats_integrity_sync
+'''
 import os
 import re
 import socket
@@ -742,7 +799,68 @@ def clean_environment(): ]) def test_initialize_stats_collector(fim_eps, sync_eps, files, directory, buffer, case, modify_file, modify_all, restore_all, initial_clean, modify_local_internal_options): - """Execute and launch all the necessary threads to check all the cases with all the specified configurations.""" + ''' + description: Check the overall performance in terms of statistics recollection by the Wazuh daemons related + to the FIM module. For this purpose, the test will initialize several agents that send to + the manager a variable load of events (sync and FIM events). Then, it will collect the + metrics generated by the 'wazuh-db', 'wazuh-analysisd', 'wazuh-remoted' daemons, and the + agents. Finally, the test will store those metrics in several CSV files. + + wazuh_min_version: 4.2.0 + + parameters: + - fim_eps: + type: str + brief: Number of FIM events per second to generate. + - sync_eps: + type: str + brief: Number of synchronization events per second to generate. + - files: + type: str + brief: Number of testing files to be created. + - directory: + type: str + brief: Path to the directoy to be monitored. + - buffer: + type: str + brief: Enable the agent buffer to avoid events flooding. + - case: + type: int + brief: ID of the test case to be tested. + - modify_file: + type: bool + brief: True for modify the checksum of a testing file. False otherwise. + - modify_all: + type: bool + brief: True for modify all checksums in the database. False otherwise. + - restore_all: + type: bool + brief: True if all entries in the 'fim_entry' table should be deleted. False otherwise. + - initial_clean: + type: fixture + brief: Clean the environment by removing the stats files and the testing dir. + - modify_local_internal_options: + type: fixture + brief: Replace the 'local_internal_options' file. 
+
+ assertions:
+ - Benchmark the statistics recollection by the Wazuh daemons related to the FIM module
+ and collect the generated metrics to store them in CSV files.
+
+ input_description: A template is used for the main configuration of the agent. It is
+ included in an external '.conf' file (template_agent.conf).
+ The test cases are defined in the module.
+
+ expected_output:
+ - A CSV file with the metrics collected from the 'wazuh-db' daemon.
+ - A CSV file with the metrics collected from the 'wazuh-analysisd' daemon.
+ - A CSV file with the metrics collected from the 'wazuh-remoted' daemon.
+ - A CSV file with the metrics collected from the agents.
+ - A CSV file with the metrics collected from the '.state' files.
+
+ tags:
+ - realtime
+ '''
 agents_dict = get_agents()
 attempts_info = {
 'start': False,
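Review bot: The `directory` entry has a typo, `Path to the directoy to be monitored.` should read `Path to the directory to be monitored.`, and the `modify_file` and `modify_all` briefs read `True for modify ...`; `True to modify the checksum of a testing file. False otherwise.` is the grammatical form. `buffer` is typed `str` while its brief describes an on/off switch (`Enable the agent buffer to avoid events flooding.`); listing the accepted values in the brief would reconcile the type with the description. As in the test_FIM_performance.py docstring, the `assertions` entry describes a benchmark rather than a check, so it is worth stating whether the function asserts anything. The body of test_initialize_stats_collector continues beyond the hunk.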