From 267d484b54b92e726b90bbf987db171be0e006b0 Mon Sep 17 00:00:00 2001 From: Mauro Moltrasio Date: Tue, 7 Apr 2020 10:32:50 +0000 Subject: [PATCH 1/8] Add integration test for windows 4659 events --- ...test_basic_usage_deferred_delete_folder.py | 129 ++++++++++++++++++ 1 file changed, 129 insertions(+) create mode 100644 tests/integration/test_fim/test_basic_usage/test_basic_usage_deferred_delete_folder.py diff --git a/tests/integration/test_fim/test_basic_usage/test_basic_usage_deferred_delete_folder.py b/tests/integration/test_fim/test_basic_usage/test_basic_usage_deferred_delete_folder.py new file mode 100644 index 0000000000..16cd383b8d --- /dev/null +++ b/tests/integration/test_fim/test_basic_usage/test_basic_usage_deferred_delete_folder.py 
@@ -0,0 +1,129 @@ +# Copyright (C) 2015-2020, Wazuh Inc. +# Created by Wazuh, Inc. . +# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +import os +from subprocess import Popen, PIPE, DEVNULL +import re +import json +from json import JSONDecodeError + +import pytest + +from wazuh_testing import global_parameters +from wazuh_testing.fim import LOG_FILE_PATH, generate_params, create_file, REGULAR, \ + callback_detect_event, check_time_travel, validate_event +from wazuh_testing.tools import PREFIX +from wazuh_testing.tools.configuration import load_wazuh_configurations, check_apply_test +from wazuh_testing.tools.monitoring import FileMonitor + +# Marks + +pytestmark = [pytest.mark.win32, pytest.mark.tier(level=0)] + +# variables + +wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) +test_directories = [os.path.join( + PREFIX, 'testdir1'), os.path.join(PREFIX, 'testdir2')] +directory_str = ','.join(test_directories) +for direc in list(test_directories): + test_directories.append(os.path.join(direc, 'subdir')) +test_data_path = os.path.join( + os.path.dirname(os.path.realpath(__file__)), 'data') +configurations_path = os.path.join(test_data_path, 'wazuh_conf.yaml') +testdir1, testdir2 = test_directories[2:] + +# configurations + +conf_params = {'TEST_DIRECTORIES': directory_str, 'MODULE_NAME': __name__} +p, m = generate_params(extra_params=conf_params, modes=['whodata']) +configurations = load_wazuh_configurations( + configurations_path, __name__, params=p, metadata=m) + + +# callback +def callback_detect_delete_event(line): + msg = r'.*Sending FIM event: (.+)$' + match = re.match(msg, line) + + try: + event = json.loads(match.group(1)) + if event['type'] == 'event' and event['data']['type'] == 'deleted' and 'process_name' not in event['data']['audit']: + return event + except (AttributeError, JSONDecodeError, KeyError): + pass + + return None + +# fixtures + + +@pytest.fixture(scope='module', params=configurations) +def 
get_configuration(request): + """Get configurations from the module.""" + return request.param + + +# tests +@pytest.mark.parametrize('folder, file_list, filetype, tags_to_apply', [ + (testdir1, ['regular0', 'regular1', 'regular2'], REGULAR, {'ossec_conf'},), + (testdir2, ['regular0', 'regular1', 'regular2'], REGULAR, {'ossec_conf'},) +]) +def test_deferred_delete_file(folder, file_list, filetype, tags_to_apply, + get_configuration, configure_environment, + restart_syscheckd, wait_for_initial_scan): + """ + Check if syscheckd detects 'deleted' events from the files contained + in a folder that are deleted in a deferred manner. + + We first run the command in order to find the confirmation character in the os, + after that we delete the files + + The events generated must not contain the process_name parameter in order to guarantee + it's a 4659 event that generated it + + Parameters + ---------- + folder : str + Directory where the files will be created. + file_list : list + Names of the files. + filetype : str + Type of the files that will be created. + """ + check_apply_test(tags_to_apply, get_configuration['tags']) + + # Create files inside subdir folder + for file in file_list: + create_file(filetype, folder, file, content='') + + # Wait for the added events + events = wazuh_log_monitor.start(timeout=global_parameters.default_timeout, callback=callback_detect_event, + accum_results=len(file_list), error_message='Did not receive expected ' + '"Sending FIM event: ..." 
event').result() + + # Delete the files under 'folder' + command = 'del "{}"\n'.format(folder) + # assert command == None + cmd = Popen(command, shell=True, stdin=PIPE, stdout=PIPE, stderr=DEVNULL, universal_newlines=True) + try: + stdout = cmd.communicate(timeout=global_parameters.default_timeout) + except TimeoutError: + pass + + # Find the windows confirmation character + confirmation = re.search(r'\((\w)\/\w\)\?', stdout[0]) + assert confirmation + + # Run the command again and this time delete the files + cmd = Popen(command, shell=True, stdin=PIPE, stdout=PIPE, stderr=DEVNULL, universal_newlines=True) + try: + stdout = cmd.communicate('{}\n'.format(confirmation.group(1)), timeout=global_parameters.default_timeout) + except TimeoutError: + pass + + # Start monitoring + events = wazuh_log_monitor.start(timeout=global_parameters.default_timeout, callback=callback_detect_delete_event, + accum_results=len(file_list), error_message='Did not receive expected ' + '"Sending FIM event: ..." event').result() From 08e2c49d61343d0f526c36a0138a059885155908 Mon Sep 17 00:00:00 2001 From: Mauro Moltrasio Date: Wed, 29 Apr 2020 15:27:47 +0200 Subject: [PATCH 2/8] Fix styling problems Fix some styling problems on test_basic_usage_deferred_delete_folder.py to comply with the stablished guidelines. --- ...test_basic_usage_deferred_delete_folder.py | 30 +++++++++---------- 1 file changed, 14 insertions(+), 16 deletions(-) diff --git a/tests/integration/test_fim/test_basic_usage/test_basic_usage_deferred_delete_folder.py b/tests/integration/test_fim/test_basic_usage/test_basic_usage_deferred_delete_folder.py index 16cd383b8d..6ad639d17d 100644 --- a/tests/integration/test_fim/test_basic_usage/test_basic_usage_deferred_delete_folder.py +++ b/tests/integration/test_fim/test_basic_usage/test_basic_usage_deferred_delete_folder.py 
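Review bot: The `except TimeoutError:` guards around both `cmd.communicate(...)` calls in test_deferred_delete_file never fire, because a timed-out `communicate()` raises `subprocess.TimeoutExpired` (a `SubprocessError`, not a `TimeoutError` subclass), and if they did fire the following `re.search(r'\((\w)\/\w\)\?', stdout[0])` would hit an unbound `stdout`. Catch `TimeoutExpired` (extend the import to `from subprocess import Popen, PIPE, DEVNULL, TimeoutExpired`), kill the child and drain its output, so a hung `del` prompt ends in the `assert confirmation` failure instead of an uncaught timeout or NameError while cmd.exe still holds the directory. The identical code is in the duplicate hunk ending at L10 (patch 3), and patch 7 leaves these lines untouched, so the final file keeps the defect. `shell=True` is reasonable here because `del` is a cmd.exe builtin and `folder` is a module constant; a short comment saying so, e.g. `# shell=True is needed: 'del' is a cmd.exe builtin; folder is a fixed test path`, would keep a later reader from reusing the pattern with externally supplied paths.
```python
    cmd = Popen(command, shell=True, stdin=PIPE, stdout=PIPE, stderr=DEVNULL, universal_newlines=True)
    try:
        stdout = cmd.communicate(timeout=global_parameters.default_timeout)
    except TimeoutExpired:
        # presumably del is still waiting on its prompt: stop it and collect what it printed so far
        cmd.kill()
        stdout = cmd.communicate()
    # … unchanged: confirmation regex and assert …
    # … unchanged: second Popen, which needs the same except/kill/communicate handling …
```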
@@ -11,8 +11,7 @@ import pytest from wazuh_testing import global_parameters -from wazuh_testing.fim import LOG_FILE_PATH, generate_params, create_file, REGULAR, \ - callback_detect_event, check_time_travel, validate_event +from wazuh_testing.fim import LOG_FILE_PATH, generate_params, create_file, REGULAR, callback_detect_event from wazuh_testing.tools import PREFIX from wazuh_testing.tools.configuration import load_wazuh_configurations, check_apply_test from wazuh_testing.tools.monitoring import FileMonitor @@ -24,13 +23,11 @@ # variables wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) -test_directories = [os.path.join( - PREFIX, 'testdir1'), os.path.join(PREFIX, 'testdir2')] +test_directories = [os.path.join(PREFIX, 'testdir1'), os.path.join(PREFIX, 'testdir2')] directory_str = ','.join(test_directories) for direc in list(test_directories): test_directories.append(os.path.join(direc, 'subdir')) -test_data_path = os.path.join( - os.path.dirname(os.path.realpath(__file__)), 'data') +test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') configurations_path = os.path.join(test_data_path, 'wazuh_conf.yaml') testdir1, testdir2 = test_directories[2:] @@ -38,8 +35,7 @@ conf_params = {'TEST_DIRECTORIES': directory_str, 'MODULE_NAME': __name__} p, m = generate_params(extra_params=conf_params, modes=['whodata']) -configurations = load_wazuh_configurations( - configurations_path, __name__, params=p, metadata=m) +configurations = load_wazuh_configurations(configurations_path, __name__, params=p, metadata=m) # callback @@ -49,7 +45,9 @@ def callback_detect_delete_event(line): try: event = json.loads(match.group(1)) - if event['type'] == 'event' and event['data']['type'] == 'deleted' and 'process_name' not in event['data']['audit']: + if (event['type'] == 'event' and + event['data']['type'] == 'deleted' and + 'process_name' not in event['data']['audit']): return event except (AttributeError, JSONDecodeError, KeyError): pass 
@@ -99,13 +97,13 @@ def test_deferred_delete_file(folder, file_list, filetype, tags_to_apply, create_file(filetype, folder, file, content='') # Wait for the added events - events = wazuh_log_monitor.start(timeout=global_parameters.default_timeout, callback=callback_detect_event, - accum_results=len(file_list), error_message='Did not receive expected ' - '"Sending FIM event: ..." event').result() + wazuh_log_monitor.start(timeout=global_parameters.default_timeout, callback=callback_detect_event, + accum_results=len(file_list), error_message='Did not receive expected ' + '"Sending FIM event: ..." event') # Delete the files under 'folder' command = 'del "{}"\n'.format(folder) - # assert command == None + cmd = Popen(command, shell=True, stdin=PIPE, stdout=PIPE, stderr=DEVNULL, universal_newlines=True) try: stdout = cmd.communicate(timeout=global_parameters.default_timeout) @@ -124,6 +122,6 @@ def test_deferred_delete_file(folder, file_list, filetype, tags_to_apply, pass # Start monitoring - events = wazuh_log_monitor.start(timeout=global_parameters.default_timeout, callback=callback_detect_delete_event, - accum_results=len(file_list), error_message='Did not receive expected ' - '"Sending FIM event: ..." event').result() + wazuh_log_monitor.start(timeout=global_parameters.default_timeout, callback=callback_detect_delete_event, + accum_results=len(file_list), error_message='Did not receive expected ' + '"Sending FIM event: ..." event') From e469a6c2fa405756ab82d20f26bf753446ffe49d Mon Sep 17 00:00:00 2001 From: Mauro Moltrasio Date: Tue, 7 Apr 2020 10:32:50 +0000 Subject: [PATCH 3/8] Add integration test for windows 4659 events --- ...test_basic_usage_deferred_delete_folder.py | 129 ++++++++++++++++++ 1 file changed, 129 insertions(+) create mode 100644 tests/integration/test_fim/test_basic_usage/test_basic_usage_deferred_delete_folder.py 
diff --git a/tests/integration/test_fim/test_basic_usage/test_basic_usage_deferred_delete_folder.py b/tests/integration/test_fim/test_basic_usage/test_basic_usage_deferred_delete_folder.py new file mode 100644 index 0000000000..16cd383b8d --- /dev/null +++ b/tests/integration/test_fim/test_basic_usage/test_basic_usage_deferred_delete_folder.py 
@@ -0,0 +1,129 @@ +# Copyright (C) 2015-2020, Wazuh Inc. +# Created by Wazuh, Inc. . +# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +import os +from subprocess import Popen, PIPE, DEVNULL +import re +import json +from json import JSONDecodeError + +import pytest + +from wazuh_testing import global_parameters +from wazuh_testing.fim import LOG_FILE_PATH, generate_params, create_file, REGULAR, \ + callback_detect_event, check_time_travel, validate_event +from wazuh_testing.tools import PREFIX +from wazuh_testing.tools.configuration import load_wazuh_configurations, check_apply_test +from wazuh_testing.tools.monitoring import FileMonitor + +# Marks + +pytestmark = [pytest.mark.win32, pytest.mark.tier(level=0)] + +# variables + +wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) +test_directories = [os.path.join( + PREFIX, 'testdir1'), os.path.join(PREFIX, 'testdir2')] +directory_str = ','.join(test_directories) +for direc in list(test_directories): + test_directories.append(os.path.join(direc, 'subdir')) +test_data_path = os.path.join( + os.path.dirname(os.path.realpath(__file__)), 'data') +configurations_path = os.path.join(test_data_path, 'wazuh_conf.yaml') +testdir1, testdir2 = test_directories[2:] + +# configurations + +conf_params = {'TEST_DIRECTORIES': directory_str, 'MODULE_NAME': __name__} +p, m = generate_params(extra_params=conf_params, modes=['whodata']) +configurations = load_wazuh_configurations( + configurations_path, __name__, params=p, metadata=m) + + +# callback +def callback_detect_delete_event(line): + msg = r'.*Sending FIM event: (.+)$' + match = re.match(msg, line) + + try: + event = json.loads(match.group(1)) + if event['type'] == 'event' and event['data']['type'] == 'deleted' and 'process_name' not in event['data']['audit']: + return event + except (AttributeError, JSONDecodeError, KeyError): + pass + + return None + +# fixtures + + +@pytest.fixture(scope='module', params=configurations) +def 
get_configuration(request): + """Get configurations from the module.""" + return request.param + + +# tests +@pytest.mark.parametrize('folder, file_list, filetype, tags_to_apply', [ + (testdir1, ['regular0', 'regular1', 'regular2'], REGULAR, {'ossec_conf'},), + (testdir2, ['regular0', 'regular1', 'regular2'], REGULAR, {'ossec_conf'},) +]) +def test_deferred_delete_file(folder, file_list, filetype, tags_to_apply, + get_configuration, configure_environment, + restart_syscheckd, wait_for_initial_scan): + """ + Check if syscheckd detects 'deleted' events from the files contained + in a folder that are deleted in a deferred manner. + + We first run the command in order to find the confirmation character in the os, + after that we delete the files + + The events generated must not contain the process_name parameter in order to guarantee + it's a 4659 event that generated it + + Parameters + ---------- + folder : str + Directory where the files will be created. + file_list : list + Names of the files. + filetype : str + Type of the files that will be created. + """ + check_apply_test(tags_to_apply, get_configuration['tags']) + + # Create files inside subdir folder + for file in file_list: + create_file(filetype, folder, file, content='') + + # Wait for the added events + events = wazuh_log_monitor.start(timeout=global_parameters.default_timeout, callback=callback_detect_event, + accum_results=len(file_list), error_message='Did not receive expected ' + '"Sending FIM event: ..." 
event').result() + + # Delete the files under 'folder' + command = 'del "{}"\n'.format(folder) + # assert command == None + cmd = Popen(command, shell=True, stdin=PIPE, stdout=PIPE, stderr=DEVNULL, universal_newlines=True) + try: + stdout = cmd.communicate(timeout=global_parameters.default_timeout) + except TimeoutError: + pass + + # Find the windows confirmation character + confirmation = re.search(r'\((\w)\/\w\)\?', stdout[0]) + assert confirmation + + # Run the command again and this time delete the files + cmd = Popen(command, shell=True, stdin=PIPE, stdout=PIPE, stderr=DEVNULL, universal_newlines=True) + try: + stdout = cmd.communicate('{}\n'.format(confirmation.group(1)), timeout=global_parameters.default_timeout) + except TimeoutError: + pass + + # Start monitoring + events = wazuh_log_monitor.start(timeout=global_parameters.default_timeout, callback=callback_detect_delete_event, + accum_results=len(file_list), error_message='Did not receive expected ' + '"Sending FIM event: ..." event').result() From 99a272d19bfd804021468cfad587693fcdd1786a Mon Sep 17 00:00:00 2001 From: Mauro Moltrasio Date: Wed, 29 Apr 2020 15:27:47 +0200 Subject: [PATCH 4/8] Fix styling problems Fix some styling problems on test_basic_usage_deferred_delete_folder.py to comply with the stablished guidelines. --- ...test_basic_usage_deferred_delete_folder.py | 30 +++++++++---------- 1 file changed, 14 insertions(+), 16 deletions(-) diff --git a/tests/integration/test_fim/test_basic_usage/test_basic_usage_deferred_delete_folder.py b/tests/integration/test_fim/test_basic_usage/test_basic_usage_deferred_delete_folder.py index 16cd383b8d..6ad639d17d 100644 --- a/tests/integration/test_fim/test_basic_usage/test_basic_usage_deferred_delete_folder.py +++ b/tests/integration/test_fim/test_basic_usage/test_basic_usage_deferred_delete_folder.py 
@@ -11,8 +11,7 @@ import pytest from wazuh_testing import global_parameters -from wazuh_testing.fim import LOG_FILE_PATH, generate_params, create_file, REGULAR, \ - callback_detect_event, check_time_travel, validate_event +from wazuh_testing.fim import LOG_FILE_PATH, generate_params, create_file, REGULAR, callback_detect_event from wazuh_testing.tools import PREFIX from wazuh_testing.tools.configuration import load_wazuh_configurations, check_apply_test from wazuh_testing.tools.monitoring import FileMonitor @@ -24,13 +23,11 @@ # variables wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) -test_directories = [os.path.join( - PREFIX, 'testdir1'), os.path.join(PREFIX, 'testdir2')] +test_directories = [os.path.join(PREFIX, 'testdir1'), os.path.join(PREFIX, 'testdir2')] directory_str = ','.join(test_directories) for direc in list(test_directories): test_directories.append(os.path.join(direc, 'subdir')) -test_data_path = os.path.join( - os.path.dirname(os.path.realpath(__file__)), 'data') +test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') configurations_path = os.path.join(test_data_path, 'wazuh_conf.yaml') testdir1, testdir2 = test_directories[2:] @@ -38,8 +35,7 @@ conf_params = {'TEST_DIRECTORIES': directory_str, 'MODULE_NAME': __name__} p, m = generate_params(extra_params=conf_params, modes=['whodata']) -configurations = load_wazuh_configurations( - configurations_path, __name__, params=p, metadata=m) +configurations = load_wazuh_configurations(configurations_path, __name__, params=p, metadata=m) # callback @@ -49,7 +45,9 @@ def callback_detect_delete_event(line): try: event = json.loads(match.group(1)) - if event['type'] == 'event' and event['data']['type'] == 'deleted' and 'process_name' not in event['data']['audit']: + if (event['type'] == 'event' and + event['data']['type'] == 'deleted' and + 'process_name' not in event['data']['audit']): return event except (AttributeError, JSONDecodeError, KeyError): pass 
@@ -99,13 +97,13 @@ def test_deferred_delete_file(folder, file_list, filetype, tags_to_apply, create_file(filetype, folder, file, content='') # Wait for the added events - events = wazuh_log_monitor.start(timeout=global_parameters.default_timeout, callback=callback_detect_event, - accum_results=len(file_list), error_message='Did not receive expected ' - '"Sending FIM event: ..." event').result() + wazuh_log_monitor.start(timeout=global_parameters.default_timeout, callback=callback_detect_event, + accum_results=len(file_list), error_message='Did not receive expected ' + '"Sending FIM event: ..." event') # Delete the files under 'folder' command = 'del "{}"\n'.format(folder) - # assert command == None + cmd = Popen(command, shell=True, stdin=PIPE, stdout=PIPE, stderr=DEVNULL, universal_newlines=True) try: stdout = cmd.communicate(timeout=global_parameters.default_timeout) @@ -124,6 +122,6 @@ def test_deferred_delete_file(folder, file_list, filetype, tags_to_apply, pass # Start monitoring - events = wazuh_log_monitor.start(timeout=global_parameters.default_timeout, callback=callback_detect_delete_event, - accum_results=len(file_list), error_message='Did not receive expected ' - '"Sending FIM event: ..." event').result() + wazuh_log_monitor.start(timeout=global_parameters.default_timeout, callback=callback_detect_delete_event, + accum_results=len(file_list), error_message='Did not receive expected ' + '"Sending FIM event: ..." event') From 112d6df85bbe8c180ebdb4d570ed24c46b698370 Mon Sep 17 00:00:00 2001 From: camila Date: Wed, 24 Nov 2021 10:58:30 -0300 Subject: [PATCH 5/8] move test basic usage deferred delete folder to basic usage folder --- .../test_basic_usage/test_basic_usage_deferred_delete_folder.py | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename tests/integration/test_fim/{ => test_files}/test_basic_usage/test_basic_usage_deferred_delete_folder.py (100%) 
diff --git a/tests/integration/test_fim/test_basic_usage/test_basic_usage_deferred_delete_folder.py b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_deferred_delete_folder.py similarity index 100% rename from tests/integration/test_fim/test_basic_usage/test_basic_usage_deferred_delete_folder.py rename to tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_deferred_delete_folder.py From c23f7e6fa01ffe79aa26a3b73837a9d3ee89dca4 Mon Sep 17 00:00:00 2001 From: camila Date: Wed, 24 Nov 2021 11:00:36 -0300 Subject: [PATCH 6/8] Changed fixture --- .../test_basic_usage/test_basic_usage_deferred_delete_folder.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_deferred_delete_folder.py b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_deferred_delete_folder.py index 6ad639d17d..1d230813ae 100644 --- a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_deferred_delete_folder.py +++ b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_deferred_delete_folder.py @@ -70,7 +70,7 @@ def get_configuration(request): ]) def test_deferred_delete_file(folder, file_list, filetype, tags_to_apply, get_configuration, configure_environment, - restart_syscheckd, wait_for_initial_scan): + restart_syscheckd, wait_for_fim_start): """ Check if syscheckd detects 'deleted' events from the files contained in a folder that are deleted in a deferred manner. From 61fd31d748a63451581ed55b6128f963903d83ba Mon Sep 17 00:00:00 2001 From: Jotacarma Date: Fri, 26 Nov 2021 11:26:19 +0100 Subject: [PATCH 7/8] Moved callback to fim.py and modify it to detect normal deleted event. Some style changes --- deps/wazuh_testing/wazuh_testing/fim.py | 14 +++++++++ ...test_basic_usage_deferred_delete_folder.py | 30 ++++--------------- 2 files changed, 19 insertions(+), 25 deletions(-) 
diff --git a/deps/wazuh_testing/wazuh_testing/fim.py b/deps/wazuh_testing/wazuh_testing/fim.py index 208ec59271..a0db616954 100644 --- a/deps/wazuh_testing/wazuh_testing/fim.py +++ b/deps/wazuh_testing/wazuh_testing/fim.py @@ -1012,6 +1012,20 @@ def callback_detect_modified_event(line): logger.warning(f"Couldn't load a log line into json object. Reason {e}") +def callback_detect_delete_event(line): + msg = r'.*Sending FIM event: (.+)$' + match = re.match(msg, line) + if not match: + return None + + try: + json_event = json.loads(match.group(1)) + if json_event['type'] == 'event' and json_event['data']['type'] == 'deleted': + return json_event + except (JSONDecodeError, AttributeError, KeyError) as e: + logger.warning(f"Couldn't load a log line into json object. Reason {e}") + + def callback_detect_modified_event_with_inode_mtime(line): msg = r'.*Sending FIM event: (.+)$' match = re.match(msg, line) diff --git a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_deferred_delete_folder.py b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_deferred_delete_folder.py index 1d230813ae..7727180133 100644 --- a/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_deferred_delete_folder.py +++ b/tests/integration/test_fim/test_files/test_basic_usage/test_basic_usage_deferred_delete_folder.py @@ -5,13 +5,11 @@ import os from subprocess import Popen, PIPE, DEVNULL import re -import json -from json import JSONDecodeError - import pytest from wazuh_testing import global_parameters -from wazuh_testing.fim import LOG_FILE_PATH, generate_params, create_file, REGULAR, callback_detect_event +from wazuh_testing.fim import LOG_FILE_PATH, generate_params, create_file, REGULAR, callback_detect_event, \ + callback_detect_delete_event from wazuh_testing.tools import PREFIX from wazuh_testing.tools.configuration import load_wazuh_configurations, check_apply_test from wazuh_testing.tools.monitoring import FileMonitor 
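Review bot: The shared `callback_detect_delete_event` added to fim.py returns any event whose `data.type` is `deleted`, dropping the `'process_name' not in event['data']['audit']` condition that the test-local callback removed in the hunk ending at L15 used to apply, so test_deferred_delete_file no longer checks what its docstring states ("must not contain the process_name parameter in order to guarantee it's a 4659 event"); the events returned by `wazuh_log_monitor.start(...)` are discarded, so nothing else verifies it either. Either keep a dedicated narrower callback for this test, or keep the result and assert on it, e.g. `events = wazuh_log_monitor.start(...).result()` followed by `assert all('process_name' not in e['data']['audit'] for e in events)` (whether `.result()` yields a list when `accum_results` > 1 should be confirmed against FileMonitor). If the wider match is intended, as the commit message suggests, the test docstring should be reworded to say it only checks that the deferred deletion produces `deleted` events. The new helper would also benefit from a one-line docstring such as `"""Return the parsed FIM event if the log line carries a 'deleted' event, else None."""`.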
@@ -34,29 +32,11 @@ # configurations conf_params = {'TEST_DIRECTORIES': directory_str, 'MODULE_NAME': __name__} -p, m = generate_params(extra_params=conf_params, modes=['whodata']) -configurations = load_wazuh_configurations(configurations_path, __name__, params=p, metadata=m) - - -# callback -def callback_detect_delete_event(line): - msg = r'.*Sending FIM event: (.+)$' - match = re.match(msg, line) - - try: - event = json.loads(match.group(1)) - if (event['type'] == 'event' and - event['data']['type'] == 'deleted' and - 'process_name' not in event['data']['audit']): - return event - except (AttributeError, JSONDecodeError, KeyError): - pass +parameters, metadata = generate_params(extra_params=conf_params, modes=['whodata']) +configurations = load_wazuh_configurations(configurations_path, __name__, params=parameters, metadata=metadata) - return None # fixtures - - @pytest.fixture(scope='module', params=configurations) def get_configuration(request): """Get configurations from the module.""" @@ -114,7 +94,7 @@ def test_deferred_delete_file(folder, file_list, filetype, tags_to_apply, confirmation = re.search(r'\((\w)\/\w\)\?', stdout[0]) assert confirmation - # Run the command again and this time delete the files + # Run the command again and confirm deletion of files cmd = Popen(command, shell=True, stdin=PIPE, stdout=PIPE, stderr=DEVNULL, universal_newlines=True) try: stdout = cmd.communicate('{}\n'.format(confirmation.group(1)), timeout=global_parameters.default_timeout) From f000301fe6d6d80aab963f87022266e90aa40e50 Mon Sep 17 00:00:00 2001 From: camila Date: Tue, 30 Nov 2021 09:50:45 -0300 Subject: [PATCH 8/8] Deleted old path --- ...test_basic_usage_deferred_delete_folder.py | 127 ------------------ 1 file changed, 127 deletions(-) delete mode 100644 tests/integration/test_fim/test_basic_usage/test_basic_usage_deferred_delete_folder.py 
diff --git a/tests/integration/test_fim/test_basic_usage/test_basic_usage_deferred_delete_folder.py b/tests/integration/test_fim/test_basic_usage/test_basic_usage_deferred_delete_folder.py deleted file mode 100644 index 6ad639d17d..0000000000 --- a/tests/integration/test_fim/test_basic_usage/test_basic_usage_deferred_delete_folder.py +++ /dev/null 
@@ -1,127 +0,0 @@ -# Copyright (C) 2015-2020, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - -import os -from subprocess import Popen, PIPE, DEVNULL -import re -import json -from json import JSONDecodeError - -import pytest - -from wazuh_testing import global_parameters -from wazuh_testing.fim import LOG_FILE_PATH, generate_params, create_file, REGULAR, callback_detect_event -from wazuh_testing.tools import PREFIX -from wazuh_testing.tools.configuration import load_wazuh_configurations, check_apply_test -from wazuh_testing.tools.monitoring import FileMonitor - -# Marks - -pytestmark = [pytest.mark.win32, pytest.mark.tier(level=0)] - -# variables - -wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) -test_directories = [os.path.join(PREFIX, 'testdir1'), os.path.join(PREFIX, 'testdir2')] -directory_str = ','.join(test_directories) -for direc in list(test_directories): - test_directories.append(os.path.join(direc, 'subdir')) -test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') -configurations_path = os.path.join(test_data_path, 'wazuh_conf.yaml') -testdir1, testdir2 = test_directories[2:] - -# configurations - -conf_params = {'TEST_DIRECTORIES': directory_str, 'MODULE_NAME': __name__} -p, m = generate_params(extra_params=conf_params, modes=['whodata']) -configurations = load_wazuh_configurations(configurations_path, __name__, params=p, metadata=m) - - -# callback -def callback_detect_delete_event(line): - msg = r'.*Sending FIM event: (.+)$' - match = re.match(msg, line) - - try: - event = json.loads(match.group(1)) - if (event['type'] == 'event' and - event['data']['type'] == 'deleted' and - 'process_name' not in event['data']['audit']): - return event - except (AttributeError, JSONDecodeError, KeyError): - pass - - return None - -# fixtures - - -@pytest.fixture(scope='module', params=configurations) -def get_configuration(request): - """Get 
configurations from the module.""" - return request.param - - -# tests -@pytest.mark.parametrize('folder, file_list, filetype, tags_to_apply', [ - (testdir1, ['regular0', 'regular1', 'regular2'], REGULAR, {'ossec_conf'},), - (testdir2, ['regular0', 'regular1', 'regular2'], REGULAR, {'ossec_conf'},) -]) -def test_deferred_delete_file(folder, file_list, filetype, tags_to_apply, - get_configuration, configure_environment, - restart_syscheckd, wait_for_initial_scan): - """ - Check if syscheckd detects 'deleted' events from the files contained - in a folder that are deleted in a deferred manner. - - We first run the command in order to find the confirmation character in the os, - after that we delete the files - - The events generated must not contain the process_name parameter in order to guarantee - it's a 4659 event that generated it - - Parameters - ---------- - folder : str - Directory where the files will be created. - file_list : list - Names of the files. - filetype : str - Type of the files that will be created. - """ - check_apply_test(tags_to_apply, get_configuration['tags']) - - # Create files inside subdir folder - for file in file_list: - create_file(filetype, folder, file, content='') - - # Wait for the added events - wazuh_log_monitor.start(timeout=global_parameters.default_timeout, callback=callback_detect_event, - accum_results=len(file_list), error_message='Did not receive expected ' - '"Sending FIM event: ..." 
event') - - # Delete the files under 'folder' - command = 'del "{}"\n'.format(folder) - - cmd = Popen(command, shell=True, stdin=PIPE, stdout=PIPE, stderr=DEVNULL, universal_newlines=True) - try: - stdout = cmd.communicate(timeout=global_parameters.default_timeout) - except TimeoutError: - pass - - # Find the windows confirmation character - confirmation = re.search(r'\((\w)\/\w\)\?', stdout[0]) - assert confirmation - - # Run the command again and this time delete the files - cmd = Popen(command, shell=True, stdin=PIPE, stdout=PIPE, stderr=DEVNULL, universal_newlines=True) - try: - stdout = cmd.communicate('{}\n'.format(confirmation.group(1)), timeout=global_parameters.default_timeout) - except TimeoutError: - pass - - # Start monitoring - wazuh_log_monitor.start(timeout=global_parameters.default_timeout, callback=callback_detect_delete_event, - accum_results=len(file_list), error_message='Did not receive expected ' - '"Sending FIM event: ..." event')