Merge pull request #3413 from wazuh/2947-test-eps

Add new `analysisd` test suite: `test_limit_eps`
wazuh · Oct 5, 2022 · a0a43c6 · a0a43c6
2 parents 5f567ef + f322334
commit a0a43c6
Show file tree

Hide file tree

Showing 40 changed files with 2,019 additions and 177 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,8 @@ Wazuh commit: TBD \
 Release report: TBD
 
 ### Added
+
+- New testing suite for checking analysisd EPS limitation([#2947](https:/wazuh/wazuh-qa/pull/3181)) \- (Framework + Tests)
 - Add E2E tests for demo cases ([#3293](https:/wazuh/wazuh-qa/pull/3293)) \- (Framework + Tests)
 - Add configuration files for Jenkins automation of system/E2E tests ([#3221](https:/wazuh/wazuh-qa/pull/3221)) \- (Framework)
 - New vulnerability Detector integration tests for Ubuntu 22.04 ([#2957](https:/wazuh/wazuh-qa/pull/2957)) \- (Framework + Tests)

diff --git a/deps/wazuh_testing/setup.py b/deps/wazuh_testing/setup.py
@@ -27,7 +27,8 @@
  'qa_ctl/deployment/dockerfiles/qa_ctl/*',
  'qa_ctl/deployment/vagrantfile_template.txt',
  'qa_ctl/provisioning/wazuh_deployment/templates/preloaded_vars.conf.j2',
- 'data/qactl_conf_validator_schema.json'
+ 'data/qactl_conf_validator_schema.json',
+ 'data/all_disabled_ossec.conf'
 ]
 
 scripts_list = [

diff --git a/deps/wazuh_testing/wazuh_testing/__init__.py b/deps/wazuh_testing/wazuh_testing/__init__.py
@@ -18,6 +18,9 @@
  else:
  WAZUH_PATH = os.path.join("/var", "ossec")
 
+
+WAZUH_CONF_PATH = os.path.join(WAZUH_PATH, 'etc', 'ossec.conf')
+WAZUH_LOGS_PATH = os.path.join(WAZUH_PATH, 'logs')
 CLIENT_KEYS_PATH = os.path.join(WAZUH_PATH, 'etc' if platform.system() == 'Linux' else '', 'client.keys')
 DB_PATH = os.path.join(WAZUH_PATH, 'queue', 'db')
 QUEUE_DB_PATH = os.path.join(WAZUH_PATH, 'queue', 'db')
@@ -26,12 +29,15 @@
 CVE_DB_PATH = os.path.join(WAZUH_PATH, 'queue', 'vulnerabilities', 'cve.db')
 LOG_FILE_PATH = os.path.join(WAZUH_PATH, 'logs', 'ossec.log')
 ALERTS_JSON_PATH = os.path.join(WAZUH_PATH, 'logs', 'alerts', 'alerts.json')
+ARCHIVES_LOG_PATH = os.path.join(WAZUH_PATH, 'logs', 'archives', 'archives.log')
+ARCHIVES_JSON_PATH = os.path.join(WAZUH_PATH, 'logs', 'archives', 'archives.json')
 CPE_HELPER_PATH = os.path.join(WAZUH_PATH, 'queue', 'vulnerabilities', 'dictionaries', 'cpe_helper.json')
 WAZUH_API_CONF = os.path.join(WAZUH_PATH, 'api', 'configuration', 'api.yaml')
 WAZUH_SECURITY_CONF = os.path.join(WAZUH_PATH, 'api', 'configuration', 'security', 'security.yaml')
 API_LOG_FILE_PATH = os.path.join(WAZUH_PATH, 'logs', 'api.log')
 API_JSON_LOG_FILE_PATH = os.path.join(WAZUH_PATH, 'logs', 'api.json')
 API_LOG_FOLDER = os.path.join(WAZUH_PATH, 'logs', 'api')
+WAZUH_TESTING_PATH = os.path.dirname(os.path.abspath(__file__))
 
 # Daemons
 LOGCOLLECTOR_DAEMON = 'wazuh-logcollector'
@@ -52,11 +58,17 @@
 
 API_DAEMONS_REQUIREMENTS = [API_DAEMON, DB_DAEMON, EXEC_DAEMON, ANALYSISD_DAEMON, REMOTE_DAEMON, MODULES_DAEMON]
 
+# Paths
+SYSLOG_SIMULATOR = os.path.join(WAZUH_TESTING_PATH, 'scripts', 'syslog_simulator.py')
+ANALYSISD_STATE = os.path.join(WAZUH_PATH, 'var', 'run', 'wazuh-analysisd.state')
+
 # Timeouts
 T_5 = 5
 T_10 = 10
 T_20 = 20
 T_30 = 30
+T_60 = 60
+
 
 # Protocols
 UDP = 'UDP'

diff --git a/deps/wazuh_testing/wazuh_testing/data/all_disabled_ossec.conf b/deps/wazuh_testing/wazuh_testing/data/all_disabled_ossec.conf
@@ -0,0 +1,87 @@
+<ossec_config>
+ <global>
+ <alerts_log>yes</alerts_log>
+ </global>
+
+ <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
+ <logging>
+ <log_format>plain</log_format>
+ </logging>
+
+ <remote>
+ <connection>secure</connection>
+ <port>1514</port>
+ <protocol>tcp</protocol>
+ <queue_size>131072</queue_size>
+ </remote>
+
+ <!-- Policy monitoring -->
+ <rootcheck>
+ <disabled>yes</disabled>
+ </rootcheck>
+
+ <wodle name="cis-cat">
+ <disabled>yes</disabled>
+ </wodle>
+
+ <!-- Osquery integration -->
+ <wodle name="osquery">
+ <disabled>yes</disabled>
+ </wodle>
+
+ <!-- System inventory -->
+ <wodle name="syscollector">
+ <disabled>yes</disabled>
+ </wodle>
+
+ <sca>
+ <enabled>no</enabled>
+ </sca>
+
+ <vulnerability-detector>
+ <enabled>no</enabled>
+ </vulnerability-detector>
+
+ <!-- File integrity monitoring -->
+ <syscheck>
+ <disabled>yes</disabled>
+ </syscheck>
+
+ <ruleset>
+ <!-- Default ruleset -->
+ <decoder_dir>ruleset/decoders</decoder_dir>
+ <rule_dir>ruleset/rules</rule_dir>
+ <rule_exclude>0215-policy_rules.xml</rule_exclude>
+ <list>etc/lists/audit-keys</list>
+ <list>etc/lists/amazon/aws-eventnames</list>
+ <list>etc/lists/security-eventchannel</list>
+
+ <!-- User-defined ruleset -->
+ <decoder_dir>etc/decoders</decoder_dir>
+ <rule_dir>etc/rules</rule_dir>
+ </ruleset>
+
+ <rule_test>
+ <enabled>yes</enabled>
+ <threads>1</threads>
+ <max_sessions>64</max_sessions>
+ <session_timeout>15m</session_timeout>
+ </rule_test>
+
+ <!-- Configuration for wazuh-authd -->
+ <auth>
+ <disabled>no</disabled>
+ <port>1515</port>
+ <use_source_ip>no</use_source_ip>
+ <purge>yes</purge>
+ <use_password>no</use_password>
+ <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
+ <!-- <ssl_agent_ca></ssl_agent_ca> -->
+ <ssl_verify_host>no</ssl_verify_host>
+ <ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
+ <ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
+ <ssl_auto_negotiate>no</ssl_auto_negotiate>
+ </auth>
+
+</ossec_config>
+
diff --git a/deps/wazuh_testing/wazuh_testing/modules/analysisd/__init__.py b/deps/wazuh_testing/wazuh_testing/modules/analysisd/__init__.py
@@ -0,0 +1,9 @@
+
+ANALYSISD_PREFIX = r'.*wazuh-analysisd.*'
+MAILD_PREFIX = r'.*wazuh-maild.*'
+QUEUE_EVENTS_SIZE = 16384
+ANALYSISD_ONE_THREAD_CONFIG = {'analysisd.event_threads': '1', 'analysisd.syscheck_threads': '1',
+ 'analysisd.syscollector_threads': '1', 'analysisd.rootcheck_threads': '1',
+ 'analysisd.sca_threads': '1', 'analysisd.hostinfo_threads': '1',
+ 'analysisd.winevt_threads': '1', 'analysisd.rule_matching_threads': '1',
+ 'analysisd.dbsync_threads': '1', 'remoted.worker_pool': '1'}
diff --git a/deps/wazuh_testing/wazuh_testing/modules/analysisd/event_monitor.py b/deps/wazuh_testing/wazuh_testing/modules/analysisd/event_monitor.py
@@ -0,0 +1,83 @@
+import re
+
+from wazuh_testing import T_10, T_20, T_60
+from wazuh_testing.modules.analysisd import ANALYSISD_PREFIX, MAILD_PREFIX
+from wazuh_testing import LOG_FILE_PATH, ANALYSISD_STATE
+from wazuh_testing.tools.monitoring import FileMonitor, generate_monitoring_callback_groups
+
+
+def make_analysisd_callback(pattern, prefix=ANALYSISD_PREFIX):
+ """Create a callback function from a text pattern.
+
+ It already contains the analsisd prefix.
+
+ Args:
+ pattern (str): String to match on the log.
+ prefix (str): regular expression used as a prefix before the pattern.
+
+ Returns:
+ lambda: function that returns if there's a match in the file
+
+ Examples:
+ >>> callback_bionic_update_started = make_vuln_callback("Starting Ubuntu Bionic database update")
+ """
+ pattern = r'\s+'.join(pattern.split())
+ regex = re.compile(r'{}{}'.format(prefix, pattern))
+
+ return lambda line: regex.match(line) is not None
+
+
+def check_analysisd_event(file_monitor=None, callback='', error_message=None, update_position=True,
+ timeout=T_60, prefix=ANALYSISD_PREFIX, accum_results=1, file_to_monitor=LOG_FILE_PATH):
+ """Check if a analysisd event occurs
+
+ Args:
+ file_monitor (FileMonitor): FileMonitor object to monitor the file content.
+ callback (str): log regex to check in Wazuh log
+ error_message (str): error message to show in case of expected event does not occur
+ update_position (boolean): filter configuration parameter to search in Wazuh log
+ timeout (str): timeout to check the event in Wazuh log
+ prefix (str): log pattern regex
+ accum_results (int): Accumulation of matches.
+ """
+ file_monitor = FileMonitor(file_to_monitor) if file_monitor is None else file_monitor
+ error_message = f"Could not find this event in {file_to_monitor}: {callback}" if error_message is None else \
+ error_message
+
+ file_monitor.start(timeout=timeout, update_position=update_position, accum_results=accum_results,
+ callback=make_analysisd_callback(callback, prefix), error_message=error_message)
+
+
+def check_eps_disabled():
+ """Check if the eps module is disabled"""
+ check_analysisd_event(callback=fr'.*INFO: EPS limit disabled.*', timeout=T_10)
+
+
+def check_eps_enabled(maximum, timeframe):
+ """Check if the eps module is enable"""
+ check_analysisd_event(callback=fr".*INFO: EPS limit enabled, EPS: '{maximum}', timeframe: '{timeframe}'",
+ timeout=T_10)
+
+
+def check_configuration_error():
+ """Check the configuration error event in ossec.log"""
+ check_analysisd_event(timeout=T_10, callback=r".* \(\d+\): Configuration error at.*",
+ error_message="Could not find the event 'Configuration error at 'etc/ossec.conf' "
+ 'in ossec.log', prefix=MAILD_PREFIX)
+
+
+def get_analysisd_state():
+ """Get the states values of wazuh-analysisd.state file
+
+ Returns:
+ dict: Dictionary with all analysisd state
+ """
+ data = ""
+ with open(ANALYSISD_STATE, 'r') as file:
+ for line in file.readlines():
+ if not line.startswith("#") and not line.startswith('\n'):
+ data = data + line.replace('\'', '')
+ data = data[:-1]
+ analysisd_state = dict((a.strip(), b.strip()) for a, b in (element.split('=') for element in data.split('\n')))
+
+ return analysisd_state