Merge pull request #3413 from wazuh/2947-test-eps
Add new `analysisd` test suite: `test_limit_eps`
Showing
40 changed files
with
2,019 additions
and
177 deletions.
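--- a/deps/wazuh_testing/wazuh_testing/data/all_disabled_ossec.conf
+++ b/deps/wazuh_testing/wazuh_testing/data/all_disabled_ossec.conf
@@ -0,0 +1,87 @@
+<ossec_config>
+<global>
+<alerts_log>yes</alerts_log>
+</global>
+
+<!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
+<logging>
+<log_format>plain</log_format>
+</logging>
+
+<remote>
+<connection>secure</connection>
+<port>1514</port>
+<protocol>tcp</protocol>
+<queue_size>131072</queue_size>
+</remote>
+
+<!-- Policy monitoring -->
+<rootcheck>
+<disabled>yes</disabled>
+</rootcheck>
+
+<wodle name="cis-cat">
+<disabled>yes</disabled>
+</wodle>
+
+<!-- Osquery integration -->
+<wodle name="osquery">
+<disabled>yes</disabled>
+</wodle>
+
+<!-- System inventory -->
+<wodle name="syscollector">
+<disabled>yes</disabled>
+</wodle>
+
+<sca>
+<enabled>no</enabled>
+</sca>
+
+<vulnerability-detector>
+<enabled>no</enabled>
+</vulnerability-detector>
+
+<!-- File integrity monitoring -->
+<syscheck>
+<disabled>yes</disabled>
+</syscheck>
+
+<ruleset>
+<!-- Default ruleset -->
+<decoder_dir>ruleset/decoders</decoder_dir>
+<rule_dir>ruleset/rules</rule_dir>
+<rule_exclude>0215-policy_rules.xml</rule_exclude>
+<list>etc/lists/audit-keys</list>
+<list>etc/lists/amazon/aws-eventnames</list>
+<list>etc/lists/security-eventchannel</list>
+
+<!-- User-defined ruleset -->
+<decoder_dir>etc/decoders</decoder_dir>
+<rule_dir>etc/rules</rule_dir>
+</ruleset>
+
+<rule_test>
+<enabled>yes</enabled>
+<threads>1</threads>
+<max_sessions>64</max_sessions>
+<session_timeout>15m</session_timeout>
+</rule_test>
+
+<!-- Configuration for wazuh-authd -->
+<auth>
+<disabled>no</disabled>
+<port>1515</port>
+<use_source_ip>no</use_source_ip>
+<purge>yes</purge>
+<use_password>no</use_password>
+<ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
+<!-- <ssl_agent_ca></ssl_agent_ca> -->
+<ssl_verify_host>no</ssl_verify_host>
+<ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
+<ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
+<ssl_auto_negotiate>no</ssl_auto_negotiate>
+</auth>
+
+</ossec_config>
+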
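Review bot: Despite the file name, this fixture leaves wazuh-authd enabled (`<disabled>no</disabled>` inside `<auth>`) on port 1515 with `<use_password>no</use_password>` and `<ssl_verify_host>no</ssl_verify_host>`, so every host that runs the suite with this baseline exposes an unauthenticated enrollment listener for the duration of the test, and `<remote>` likewise stays listening on 1514. Whether the test_limit_eps suite actually needs agent enrollment cannot be told from this file; if it does not, set `<disabled>yes</disabled>` under `<auth>` so the baseline really is all-disabled, and if it does, a comment such as `<!-- authd stays enabled: the EPS tests need agent enrollment -->` would document the exception. The same applies to `<rule_test>` being enabled while every other module is turned off.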
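--- a/deps/wazuh_testing/wazuh_testing/modules/analysisd/__init__.py
+++ b/deps/wazuh_testing/wazuh_testing/modules/analysisd/__init__.py
@@ -0,0 +1,9 @@
+
+ANALYSISD_PREFIX = r'.*wazuh-analysisd.*'
+MAILD_PREFIX = r'.*wazuh-maild.*'
+QUEUE_EVENTS_SIZE = 16384
+ANALYSISD_ONE_THREAD_CONFIG = {'analysisd.event_threads': '1', 'analysisd.syscheck_threads': '1',
+'analysisd.syscollector_threads': '1', 'analysisd.rootcheck_threads': '1',
+'analysisd.sca_threads': '1', 'analysisd.hostinfo_threads': '1',
+'analysisd.winevt_threads': '1', 'analysisd.rule_matching_threads': '1',
+'analysisd.dbsync_threads': '1', 'remoted.worker_pool': '1'}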
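Review bot: The module has no docstring and none of its four constants carries a comment, so `QUEUE_EVENTS_SIZE = 16384` is a bare magic number and a reader has to infer that `ANALYSISD_ONE_THREAD_CONFIG` is a set of internal-option keys meant to pin every analysisd worker pool to a single thread (presumably so EPS counts are deterministic; confirm). A one-line module docstring such as `"""Constants shared by the analysisd test helpers (log prefixes, queue size, single-thread internal options)."""` plus a trailing comment on QUEUE_EVENTS_SIZE stating which daemon queue it mirrors would make the intent explicit.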
83 changes: 83 additions & 0 deletions
83
deps/wazuh_testing/wazuh_testing/modules/analysisd/event_monitor.py
@@ -0,0 +1,83 @@ | ||
import re | ||
|
||
from wazuh_testing import T_10, T_20, T_60 | ||
from wazuh_testing.modules.analysisd import ANALYSISD_PREFIX, MAILD_PREFIX | ||
from wazuh_testing import LOG_FILE_PATH, ANALYSISD_STATE | ||
from wazuh_testing.tools.monitoring import FileMonitor, generate_monitoring_callback_groups | ||
|
||
|
||
def make_analysisd_callback(pattern, prefix=ANALYSISD_PREFIX): | ||
"""Create a callback function from a text pattern. | ||
It already contains the analsisd prefix. | ||
Args: | ||
pattern (str): String to match on the log. | ||
prefix (str): regular expression used as a prefix before the pattern. | ||
Returns: | ||
lambda: function that returns if there's a match in the file | ||
Examples: | ||
>>> callback_bionic_update_started = make_vuln_callback("Starting Ubuntu Bionic database update") | ||
""" | ||
pattern = r'\s+'.join(pattern.split()) | ||
regex = re.compile(r'{}{}'.format(prefix, pattern)) | ||
|
||
return lambda line: regex.match(line) is not None | ||
|
||
|
||
def check_analysisd_event(file_monitor=None, callback='', error_message=None, update_position=True, | ||
timeout=T_60, prefix=ANALYSISD_PREFIX, accum_results=1, file_to_monitor=LOG_FILE_PATH): | ||
"""Check if a analysisd event occurs | ||
Args: | ||
file_monitor (FileMonitor): FileMonitor object to monitor the file content. | ||
callback (str): log regex to check in Wazuh log | ||
error_message (str): error message to show in case of expected event does not occur | ||
update_position (boolean): filter configuration parameter to search in Wazuh log | ||
timeout (str): timeout to check the event in Wazuh log | ||
prefix (str): log pattern regex | ||
accum_results (int): Accumulation of matches. | ||
""" | ||
file_monitor = FileMonitor(file_to_monitor) if file_monitor is None else file_monitor | ||
error_message = f"Could not find this event in {file_to_monitor}: {callback}" if error_message is None else \ | ||
error_message | ||
|
||
file_monitor.start(timeout=timeout, update_position=update_position, accum_results=accum_results, | ||
callback=make_analysisd_callback(callback, prefix), error_message=error_message) | ||
|
||
|
||
def check_eps_disabled(): | ||
"""Check if the eps module is disabled""" | ||
check_analysisd_event(callback=fr'.*INFO: EPS limit disabled.*', timeout=T_10) | ||
|
||
|
||
def check_eps_enabled(maximum, timeframe): | ||
"""Check if the eps module is enable""" | ||
check_analysisd_event(callback=fr".*INFO: EPS limit enabled, EPS: '{maximum}', timeframe: '{timeframe}'", | ||
timeout=T_10) | ||
|
||
|
||
def check_configuration_error(): | ||
"""Check the configuration error event in ossec.log""" | ||
check_analysisd_event(timeout=T_10, callback=r".* \(\d+\): Configuration error at.*", | ||
error_message="Could not find the event 'Configuration error at 'etc/ossec.conf' " | ||
'in ossec.log', prefix=MAILD_PREFIX) | ||
|
||
|
||
def get_analysisd_state(): | ||
"""Get the states values of wazuh-analysisd.state file | ||
Returns: | ||
dict: Dictionary with all analysisd state | ||
""" | ||
data = "" | ||
with open(ANALYSISD_STATE, 'r') as file: | ||
for line in file.readlines(): | ||
if not line.startswith("#") and not line.startswith('\n'): | ||
data = data + line.replace('\'', '') | ||
data = data[:-1] | ||
analysisd_state = dict((a.strip(), b.strip()) for a, b in (element.split('=') for element in data.split('\n'))) | ||
|
||
return analysisd_state |
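Review bot: `get_analysisd_state` strips `data[:-1]` on the assumption that the last kept line ends in a newline, so a state file whose final line lacks one loses the last character of its value, and when no key/value lines survive the filter the `split('=')` unpacking raises `ValueError` on the empty string; `split('=')` also breaks on any value that itself contains `=`. Parsing the file line by line with `str.partition` removes all three failure modes and returns the same dict for well-formed input, as sketched below. Separately, the docstring of `make_analysisd_callback` gives `make_vuln_callback("Starting Ubuntu Bionic database update")` as its example and spells the prefix "analsisd" — the example should call `make_analysisd_callback` itself — and in `check_analysisd_event` the `timeout` parameter is documented as `str` although its default `T_60` is handed straight to `FileMonitor.start`, while `file_to_monitor` is not documented at all.
```python
def get_analysisd_state():
    # … unchanged: docstring …
    analysisd_state = {}
    with open(ANALYSISD_STATE, 'r') as file:
        for line in file:
            line = line.replace('\'', '').strip()
            # Skip comments and blank lines; split on the first '=' only so a
            # value that contains '=' is kept intact.
            if not line or line.startswith('#'):
                continue
            key, _, value = line.partition('=')
            analysisd_state[key.strip()] = value.strip()

    return analysisd_state
```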