diff --git a/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml b/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml
index c9de77f2c4..fffd874ed5 100644
--- a/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml
+++ b/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml
@@ -105,6 +105,7 @@ predefined_values:
 - Ubuntu Xenial
 - Ubuntu Focal
 - macOS Server
+ - macOS Sierra
 - macOS Catalina
 - Windows XP
 - Windows 7
@@ -254,6 +255,7 @@ predefined_values:
 - key_polling
 - limits
 - logcollector
+ - logcollector_macos
 - logcollector_age
 - logcollector_cmd_exec
 - logcollector_configuration
diff --git a/tests/integration/test_logcollector/test_macos/test_macos_file_status_basic.py b/tests/integration/test_logcollector/test_macos/test_macos_file_status_basic.py
index ba66c8017e..33029df4aa 100644
--- a/tests/integration/test_logcollector/test_macos/test_macos_file_status_basic.py
+++ b/tests/integration/test_logcollector/test_macos/test_macos_file_status_basic.py
@@ -1,7 +1,45 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: The 'wazuh-logcollector' daemon monitors configured files and commands for new log messages. + Specifically, these tests will check if the logcollector generates the 'file_status.json' + file used by the 'only future events' option when using ULS (unified logging system) events in + macOS systems. Log data collection is the real-time process of making sense out of the records + generated by servers or devices. This component can receive logs through text files or Windows + event logs. It can also directly receive logs via remote syslog which is useful + for firewalls and other such devices. + +tier: 0 + +modules: + - logcollector + +components: + - agent + +daemons: + - wazuh-logcollector + +os_platform: + - macos + +os_version: + - macOS Catalina + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html + - https://developer.apple.com/documentation/os/logging + +tags: + - logcollector_macos +''' import pytest import wazuh_testing.logcollector as logcollector import sys 
@@ -54,19 +92,63 @@ def get_configuration(request): return request.param -def test_macos_file_status_basic(restart_logcollector_required_daemons_package, truncate_log_file, delete_file_status_json, - configure_local_internal_options_module, - get_configuration, configure_environment, - file_monitoring, daemons_handler): - """Checks if logcollector stores correctly "macos"-formatted localfile data. - - This test uses logger tool and a custom log to generate an ULS event. When logcollector receives a valid log, then - the file_status.json is updated. - - Raises: - TimeoutError: If the callbacks, that checks the expected logs, are not satisfied in the expected time. - FileNotFoundError: If the file_status.json is not available in the expected time. - """ +def test_macos_file_status_basic(restart_logcollector_required_daemons_package, truncate_log_file, + delete_file_status_json, configure_local_internal_options_module, + get_configuration, configure_environment, file_monitoring, daemons_handler): + ''' + description: Check if the 'wazuh-logcollector' builds and updates the 'file_status.json' file from ULS events. + For this purpose, the test will configure a 'localfile' section using the macOS settings. + Once the logcollector is started, it will wait until the macOS ULS module is ready, and then, + the test will generate 'unified logging system' (ULS) events by using a logger tool. After this, + it will check if the 'file_status.json' file has been created and if the 'macos' key is inside it. + Finally, the test will verify that the 'file_status.json' file has valid content. + + wazuh_min_version: 4.2.0 + + parameters: + - restart_logcollector_required_daemons_package: + type: fixture + brief: Restart the 'wazuh-agentd', 'wazuh-logcollector', and 'wazuh-modulesd' daemons. + - truncate_log_file: + type: fixture + brief: Clear the 'ossec.log' file. + - delete_file_status_json: + type: fixture + brief: Delete the 'file_status.json' file from logcollector. 
+ - configure_local_internal_options_module: + type: fixture + brief: Set internal configuration for testing. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - file_monitoring: + type: fixture + brief: Handle the monitoring of a specified file. + - daemons_handler: + type: fixture + brief: Handler of Wazuh daemons. + + assertions: + - Verify that the logcollector detects the macOS ULS events. + - Verify that the logcollector generates the 'file_status.json' file with valid content. + + input_description: A configuration template (test_macos_file_status_basic) is contained in an external YAML + file (wazuh_macos_file_status_basic.yaml). That template is combined with two test cases + defined in the module. Those include configuration settings + for the 'wazuh-logcollector' daemon. + + expected_output: + - r'Monitoring macOS logs with.*' + - r'Monitoring macOS logs with.*log stream' + - r'Logger testing message - file status' (testing macOS ULS message) + - r'"macos"' + + tags: + - logs + ''' log_monitor.start(timeout=LOG_COLLECTOR_GLOBAL_TIMEOUT, callback=logcollector.callback_monitoring_macos_logs, error_message=logcollector.GENERIC_CALLBACK_ERROR_TARGET_SOCKET) @@ -109,4 +191,4 @@ def test_macos_file_status_basic(restart_logcollector_required_daemons_package, assert file_status_json['macos']['settings'], "Error finding 'settings' key inside 'macos'" assert file_status_json['macos']['settings'] \ - == logcollector.compose_macos_log_command(conf_type, conf_level, conf_predicate) \ No newline at end of file + == logcollector.compose_macos_log_command(conf_type, conf_level, conf_predicate) diff --git a/tests/integration/test_logcollector/test_macos/test_macos_file_status_predicate.py b/tests/integration/test_logcollector/test_macos/test_macos_file_status_predicate.py index fd11f3e419..7741462df2 100644 
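Review bot: The rewritten docstring drops the `Raises:` information the old one carried (TimeoutError when a monitored log is not seen in time, FileNotFoundError when 'file_status.json' does not appear), and no field of the new block documents how the test fails; the same information is lost in the docstring hunks of test_macos_file_status_predicate, test_macos_file_status_when_no_macos, test_macos_format_basic, test_macos_format_only_future_events and test_macos_format_query. If the qa_docs schema has no dedicated key for it, one closing sentence in `description:` keeps it, e.g. `The test fails with a TimeoutError if an expected log is not produced in time, or a FileNotFoundError if 'file_status.json' is not created.` The body of test_macos_file_status_basic continues past the end of this hunk.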
--- a/tests/integration/test_logcollector/test_macos/test_macos_file_status_predicate.py +++ b/tests/integration/test_logcollector/test_macos/test_macos_file_status_predicate.py @@ -1,7 +1,43 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: The 'wazuh-logcollector' daemon monitors configured files and commands for new log messages. + Specifically, these tests will verify that the logcollector does not add to the 'file_status.json' + file event-related data when the predicate used in the 'query' tag is invalid. Log data collection + is the real-time process of making sense out of the records generated by servers or devices. + This component can receive logs through text files or Windows event logs. It can also directly + receive logs via remote syslog which is useful for firewalls and other such devices. + +tier: 0 + +modules: + - logcollector + +components: + - agent + +daemons: + - wazuh-logcollector + +os_platform: + - macos + +os_version: + - macOS Catalina + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#query + +tags: + - logcollector_macos +''' import pytest import sys import time 
@@ -51,15 +87,61 @@ def test_macos_file_status_predicate(restart_logcollector_required_daemons_packa configure_local_internal_options_module, get_configuration, configure_environment, file_monitoring, daemons_handler): - """Checks that logcollector does not store 'macos'-formatted localfile data since its predicate is erroneous. - - The agent uses a dummy localfile (/Library/Ossec/logs/active-responses.log) which triggers the creation of - file_status.json file. - - Raises: - TimeoutError: If the callbacks, that checks the expected logs, are not satisfied in the expected time. - FileNotFoundError: If the file_status.json is not available in the expected time. - """ + ''' + description: Check if the 'wazuh-logcollector' does not update the 'file_status.json' file from logging + events when using an invalid predicate in the 'query' tag of the 'localfile' section. + The agent uses a dummy localfile (/Library/Ossec/logs/active-responses.log) which triggers + the creation of the 'file_status.json' file. + For this purpose, the test will configure a 'localfile' section using the macOS settings + but using an invalid predicate. Once the logcollector is started, it will verify that + event errors are generated, indicating that an invalid setting has been detected. After + this, the test will check if the 'file_status.json' file has been created, and finally, + it will verify that the 'macos' key is not inside it since the predicate used is invalid. + + wazuh_min_version: 4.2.0 + + parameters: + - restart_logcollector_required_daemons_package: + type: fixture + brief: Restart the 'wazuh-agentd', 'wazuh-logcollector', and 'wazuh-modulesd' daemons. + - truncate_log_file: + type: fixture + brief: Clear the 'ossec.log' file. + - delete_file_status_json: + type: fixture + brief: Delete the 'file_status.json' file from logcollector. + - configure_local_internal_options_module: + type: fixture + brief: Set internal configuration for testing. 
+ - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - file_monitoring: + type: fixture + brief: Handle the monitoring of a specified file. + - daemons_handler: + type: fixture + brief: Handler of Wazuh daemons. + + assertions: + - Verify that the logcollector generates error events when it detects an invalid predicate. + - Verify that the logcollector generates the 'file_status.json' file without the 'macos' key. + + input_description: A configuration template (test_macos_file_status_predicate) is contained in an external + YAML file (wazuh_macos_file_status_predicate.yaml). That template is combined with + two test cases defined in the module. Those include configuration settings + for the 'wazuh-logcollector' daemon. + + expected_output: + - r'Execution error .*' + - r"macOS 'log stream' process exited" + + tags: + - logs + ''' time.sleep(2) log_monitor.start(timeout=LOG_COLLECTOR_GLOBAL_TIMEOUT, callback=callback_log_bad_predicate(), diff --git a/tests/integration/test_logcollector/test_macos/test_macos_file_status_when_no_macos.py b/tests/integration/test_logcollector/test_macos/test_macos_file_status_when_no_macos.py index db1937f7f1..b828c54321 100644 --- a/tests/integration/test_logcollector/test_macos/test_macos_file_status_when_no_macos.py +++ b/tests/integration/test_logcollector/test_macos/test_macos_file_status_when_no_macos.py 
@@ -1,7 +1,43 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: The 'wazuh-logcollector' daemon monitors configured files and commands for new log messages. + Specifically, these tests will verify that the logcollector does not add to the 'file_status.json' + file event-related data when the predicate used in the 'query' tag is invalid. Log data collection + is the real-time process of making sense out of the records generated by servers or devices. + This component can receive logs through text files or Windows event logs. It can also directly + receive logs via remote syslog which is useful for firewalls and other such devices. + +tier: 0 + +modules: + - logcollector + +components: + - agent + +daemons: + - wazuh-logcollector + +os_platform: + - macos + +os_version: + - macOS Catalina + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#query + +tags: + - logcollector_macos +''' import pytest import sys 
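Review bot: The module `brief:` in this header describes a different test: it says the tests verify that logcollector does not add data to 'file_status.json' when the 'query' predicate is invalid, which is the brief of test_macos_file_status_predicate.py, while the test function in this module checks that a stale 'macos' entry is removed when no macOS localfile is configured. It should say something like `Specifically, these tests will check that the logcollector removes previous 'macos' data from the 'file_status.json' file when no 'localfile' section with macOS settings is configured.` The `#query` anchor on the second reference appears to have been copied along with the brief; the plain localfile reference fits this module better.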
@@ -60,21 +96,66 @@ def get_configuration(request): def test_macos_file_status_when_no_macos(restart_logcollector_required_daemons_package, truncate_log_file, handle_files, - delete_file_status_json, - configure_local_internal_options_module, - get_configuration, - configure_environment, - file_monitoring, daemons_handler): - """Checks that logcollector does not store and removes, if exists, previous "macos"-formatted localfile data in the - file_status.json - - Given a file_status.json that contains a valid combination of "settings" and "timestamp" of "macos", when starting - an agent that has no "macos" localfile configured on its ossec.conf file, it should happen that, when - file_status.json is updated after a certain time, no "macos" status should remain stored on the status file. - - Raises: - TimeoutError: If the callbacks, that checks the expected logs, are not satisfied in the expected time. - """ + delete_file_status_json, configure_local_internal_options_module, + get_configuration, configure_environment, file_monitoring, daemons_handler): + ''' + description: Check if the 'wazuh-logcollector' does not store and removes if exists, previous + macos-formatted localfile data in the 'file_status.json' file when the macOS localfile + section does not exist in the configuration. For this purpose, the test will create a + testing log file and configure a 'localfile' section to monitor it. Once the logcollector + is started, it will check if the 'file_status.json' file exists, if not, the test + will create it. Then it will verify that the 'macos' key is inside of that file, adding + the key if necessary. After this, it will wait for the update of the 'file_status.json' + file, and finally, the test will verify that the macOS key is not inside it since + the localfile related section does not exist in the main configuration file. 
+ + wazuh_min_version: 4.2.0 + + parameters: + - restart_logcollector_required_daemons_package: + type: fixture + brief: Restart the 'wazuh-agentd', 'wazuh-logcollector', and 'wazuh-modulesd' daemons. + - truncate_log_file: + type: fixture + brief: Clear the 'ossec.log' file. + - handle_files: + type: fixture + brief: Create a dummy file to be monitored by logcollector. + - delete_file_status_json: + type: fixture + brief: Delete the 'file_status.json' file from logcollector. + - configure_local_internal_options_module: + type: fixture + brief: Set internal configuration for testing. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - file_monitoring: + type: fixture + brief: Handle the monitoring of a specified file. + - daemons_handler: + type: fixture + brief: Handler of Wazuh daemons. + + assertions: + - Verify that the logcollector starts to monitor a log file. + - Verify that the logcollector removes the 'macos' key from the 'file_status.json' + when no localfile is configured with macOS settings. + + input_description: A configuration template (test_macos_file_status_when_no_macos) is contained in an external + YAML file (wazuh_macos_file_status_when_no_macos.yaml). That template is combined with + a test case defined in the module. That include configuration settings + for the 'wazuh-logcollector' daemon. + + expected_output: + - r'Started' + + tags: + - logs + ''' file_status_json = {} log_monitor.start(timeout=LOG_COLLECTOR_GLOBAL_TIMEOUT, @@ -100,7 +181,7 @@ def test_macos_file_status_when_no_macos(restart_logcollector_required_daemons_p # Waits for file_status.json to be created, with a timeout about the time needed to update the file wait_file(LOGCOLLECTOR_FILE_STATUS_PATH, LOG_COLLECTOR_GLOBAL_TIMEOUT) - + # Waits about the time needed to update the file status sleep(wait_file_status_update_time) 
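Review bot: The `input_description:` of this docstring ends with `a test case defined in the module. That include configuration settings`, which does not parse as a sentence; `That test case includes configuration settings for the 'wazuh-logcollector' daemon.` reads correctly and matches the wording used in the sibling modules. In `description:` the opening clause `does not store and removes if exists, previous macos-formatted localfile data` is hard to follow; `does not store, and removes if present, previous 'macos' localfile data` keeps the meaning. The function body continues after the end of this hunk.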
diff --git a/tests/integration/test_logcollector/test_macos/test_macos_format_basic.py b/tests/integration/test_logcollector/test_macos/test_macos_format_basic.py index 855d38035f..0cd645b148 100644 --- a/tests/integration/test_logcollector/test_macos/test_macos_format_basic.py +++ b/tests/integration/test_logcollector/test_macos/test_macos_format_basic.py @@ -1,7 +1,44 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: The 'wazuh-logcollector' daemon monitors configured files and commands for new log messages. + Specifically, these tests will check if the logcollector properly processes the macOS + unified logging system (ULS) events. Log data collection is the real-time process of making + sense out of the records generated by servers or devices. This component can receive logs + through text files or Windows event logs. It can also directly receive logs via remote + syslog which is useful for firewalls and other such devices. + +tier: 0 + +modules: + - logcollector + +components: + - agent + +daemons: + - wazuh-logcollector + +os_platform: + - macos + +os_version: + - macOS Catalina + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html + - https://developer.apple.com/documentation/os/logging + +tags: + - logcollector_macos +''' import os import pytest import time @@ -43,6 +80,7 @@ macos_log_message_timeout = 40 macos_monitoring_macos_log_timeout = 30 + # fixtures @pytest.fixture(scope="module", params=configurations) def get_configuration(request): 
@@ -55,27 +93,70 @@ def restart_logcollector_function(): control_service('restart', 'wazuh-logcollector') - @pytest.mark.parametrize('macos_message', macos_log_messages, ids=[log_message['id'] for log_message in macos_log_messages]) -def test_macos_format_basic(restart_logcollector_required_daemons_package, get_configuration, configure_environment, - configure_local_internal_options_module, - macos_message, file_monitoring, daemons_handler, +def test_macos_format_basic(restart_logcollector_required_daemons_package, get_configuration, configure_environment, + configure_local_internal_options_module, macos_message, file_monitoring, daemons_handler, restart_logcollector_function): - - """Check if logcollector gather correctly macOS unified logging system events. - - This test uses logger tool and a custom log to generate ULS events. The agent is connected to a authd simulator - and sended events are gather using remoted simulator tool. - - Raises: - TimeoutError: If the expected callback is not generated. - """ + ''' + description: Check if the 'wazuh-logcollector' gathers properly macOS unified logging system (ULS) events. + For this purpose, the test will configure a 'localfile' section using the macOS settings. + Once the logcollector is started, it will check if the 'monitoring' event is triggered, + indicating that the logcollector starts to monitor the macOS logs, and then, the test + will generate a ULS event by using a logger tool. After this, it will create a custom + callback from the testing ULS event, and finally, the test will verify that + the logcollector event with the testing log message has been generated. + + wazuh_min_version: 4.2.0 + + parameters: + - restart_logcollector_required_daemons_package: + type: fixture + brief: Restart the 'wazuh-agentd', 'wazuh-logcollector', and 'wazuh-modulesd' daemons. + - get_configuration: + type: fixture + brief: Get configurations from the module. 
+ - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - configure_local_internal_options_module: + type: fixture + brief: Set internal configuration for testing. + - macos_message: + type: dict + brief: Dictionary with the testing macOS ULS event. + - file_monitoring: + type: fixture + brief: Handle the monitoring of a specified file. + - daemons_handler: + type: fixture + brief: Handler of Wazuh daemons. + - restart_logcollector_function: + type: fixture + brief: Restart the 'wazuh-logcollector' daemon on each test case. + + assertions: + - Verify that the logcollector starts monitoring the macOS ULS log messages. + - Verify that the logcollector generates events from the macOS ULS log messages. + + input_description: A configuration template (test_macos_format_basic) is contained in an external YAML file + (wazuh_macos_format_basic.yaml). That template is combined with two test cases defined + in the module. Those include configuration settings for the 'wazuh-logcollector' daemon. + + expected_output: + - r'Monitoring macOS logs with.*' + - r'Logger message example' + - r'Custom os_log event message' + + tags: + - logs + ''' expected_macos_message = "" log_command = macos_message['command'] - log_monitor.start(timeout=macos_monitoring_macos_log_timeout, callback=logcollector.callback_monitoring_macos_logs, - error_message=logcollector.GENERIC_CALLBACK_ERROR_TARGET_SOCKET) + log_monitor.start(timeout=macos_monitoring_macos_log_timeout, + callback=logcollector.callback_monitoring_macos_logs, + error_message=logcollector.GENERIC_CALLBACK_ERROR_TARGET_SOCKET) time.sleep(3) 
@@ -85,12 +166,13 @@ def test_macos_format_basic(restart_logcollector_required_daemons_package, get_c macos_message['message']) elif log_command == 'os_log': - logcollector.generate_macos_custom_log(macos_message['type'],macos_message['level'], macos_message['subsystem'], - macos_message['category']) - expected_macos_message = logcollector.format_macos_message_pattern( - 'custom_log', - logcollector.TEMPLATE_OSLOG_MESSAGE, 'log', macos_message['subsystem'], - macos_message['category']) - - log_monitor.start(timeout=macos_log_message_timeout, callback=logcollector.callback_macos_log(expected_macos_message), - error_message=logcollector.GENERIC_CALLBACK_ERROR_TARGET_SOCKET) + logcollector.generate_macos_custom_log(macos_message['type'], macos_message['level'], + macos_message['subsystem'], macos_message['category']) + expected_macos_message = logcollector.format_macos_message_pattern('custom_log', + logcollector.TEMPLATE_OSLOG_MESSAGE, + 'log', macos_message['subsystem'], + macos_message['category']) + + log_monitor.start(timeout=macos_log_message_timeout, + callback=logcollector.callback_macos_log(expected_macos_message), + error_message=logcollector.GENERIC_CALLBACK_ERROR_TARGET_SOCKET) diff --git a/tests/integration/test_logcollector/test_macos/test_macos_format_only_future_events.py b/tests/integration/test_logcollector/test_macos/test_macos_format_only_future_events.py index 7c3dd2d199..18be433900 100644 --- a/tests/integration/test_logcollector/test_macos/test_macos_format_only_future_events.py +++ b/tests/integration/test_logcollector/test_macos/test_macos_format_only_future_events.py 
@@ -1,6 +1,44 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: The 'wazuh-logcollector' daemon monitors configured files and commands for new log messages. + Specifically, these tests will check if the 'only-future-events' option of the logcollector + properly works when using the macOS unified logging system (ULS). Log data collection is + the real-time process of making sense out of the records generated by servers or devices. + This component can receive logs through text files or Windows event logs. It can also directly + receive logs via remote syslog which is useful for firewalls and other such devices. + +tier: 0 + +modules: + - logcollector + +components: + - agent + +daemons: + - wazuh-logcollector + +os_platform: + - macos + +os_version: + - macOS Catalina + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#only-future-events + - https://developer.apple.com/documentation/os/logging + +tags: + - logcollector_macos +''' import fnmatch import os import time @@ -36,6 +74,8 @@ macos_log_message_timeout = 40 macos_monitoring_macos_log_timeout = 30 macos_monitoring_timout_after_logcollector_started = 3 + + # Fixtures @pytest.fixture(scope="module", params=configurations, ids=configuration_ids) def get_configuration(request): 
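Review bot: The `copyright:` block in this header separates `Copyright (C) 2015-2021, Wazuh Inc.` from `Created by Wazuh, Inc.` with a blank line, while the headers added to the other test_macos modules keep the two lines together; the header of test_macos_format_query.py has the same extra blank line. Since the point of these headers is to be parsed uniformly by the qa_docs tooling, keeping the same layout across all six files avoids a gratuitous difference.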
@@ -54,19 +94,69 @@ def get_connection_configuration(): """Get configurations from the module.""" return logcollector.DEFAULT_AUTHD_REMOTED_SIMULATOR_CONFIGURATIO -def test_macos_format_only_future_events(restart_logcollector_required_daemons_package, get_configuration, configure_environment, - configure_local_internal_options_module, - daemons_handler, file_monitoring): - """Check if logcollector use correctly only-future-events option using macos log format. - Raises: - TimeoutError: If the expected callback is not generated. - """ +def test_macos_format_only_future_events(restart_logcollector_required_daemons_package, get_configuration, + configure_environment, configure_local_internal_options_module, + daemons_handler, file_monitoring): + ''' + description: Check if the 'only-future-events' option is used properly by the 'wazuh-logcollector' when + using the macOS unified logging system (ULS) events. For this purpose, the test will configure + a 'localfile' section using the macOS settings. Once the logcollector is started, it will check + if the 'monitoring' event is triggered, indicating that the logcollector starts to monitor + the macOS logs, and then, the test will generate a ULS event by using a logger tool. After this, + it will check if the logcollector event with the testing log message is triggered. Then, the test + will stop the 'wazuh-logcollector' daemon, generate a ULS event, and start it again. The test + will check if that event has been detected (depending on the value of the 'only-future-events' tag). + Finally, it will verify that the logcollector continues detecting new ULS events. + + wazuh_min_version: 4.2.0 + + parameters: + - restart_logcollector_required_daemons_package: + type: fixture + brief: Restart the 'wazuh-agentd', 'wazuh-logcollector', and 'wazuh-modulesd' daemons. + - get_configuration: + type: fixture + brief: Get configurations from the module. 
+ - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - configure_local_internal_options_module: + type: fixture + brief: Set internal configuration for testing. + - daemons_handler: + type: fixture + brief: Handler of Wazuh daemons. + - file_monitoring: + type: fixture + brief: Handle the monitoring of a specified file. + + assertions: + - Verify that the logcollector starts monitoring the macOS ULS log messages. + - Verify that the logcollector detects the logs messages generated while it stopped + when it is started, and the 'only-future-events' option is disabled. + - Verify that the logcollector ignores the logs messages generated while it stopped + when it is started, and the 'only-future-events' option is enabled. + - Verify that the log collector continues detecting new logs messages when it is started. + + input_description: A configuration template (test_macos_format_only_future_events) is contained in an external + YAML file (wazuh_macos_format_only_future_events.yaml). That template is combined with two + test cases defined in the module. Those include configuration settings + for the 'wazuh-logcollector' daemon. + + expected_output: + - r'Monitoring macOS logs with.*' + - r'Old logger message' + - r'New logger message' + + tags: + - logs + ''' log_monitor = FileMonitor(LOG_FILE_PATH) macos_logcollector_monitored = logcollector.callback_monitoring_macos_logs log_monitor.start(timeout=30, callback=macos_logcollector_monitored, - error_message=logcollector.GENERIC_CALLBACK_ERROR_TARGET_SOCKET) + error_message=logcollector.GENERIC_CALLBACK_ERROR_TARGET_SOCKET) time.sleep(macos_monitoring_timout_after_logcollector_started) 
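Review bot: The `get_connection_configuration` fixture shown as context at the top of this hunk is not among the parameters of test_macos_format_only_future_events (the new docstring's `parameters:` list and the signature agree on that), so it looks like dead code in this module. Its return value `logcollector.DEFAULT_AUTHD_REMOTED_SIMULATOR_CONFIGURATIO` also looks truncated; if the constant is really named with a trailing `N` the fixture would raise AttributeError the moment a test requested it, so it is worth confirming the name or removing the fixture. In `assertions:` the last item says `log collector` where the rest of the docstring uses `logcollector`. The function body continues beyond this hunk.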
@@ -78,11 +168,10 @@ def test_macos_format_only_future_events(restart_logcollector_required_daemons_p logcollector.generate_macos_logger_log(old_message) expected_old_macos_message = logcollector.format_macos_message_pattern('logger', old_message) + log_monitor.start(timeout=macos_log_message_timeout, + callback=logcollector.callback_macos_log(expected_old_macos_message)) - log_monitor.start(timeout=macos_log_message_timeout, - callback=logcollector.callback_macos_log(expected_old_macos_message)) - - ## Stop wazuh agent and ensure it gets old macos messages if only-future-events option is disabled + # Stop wazuh agent and ensure it gets old macos messages if only-future-events option is disabled control_service('stop') @@ -94,13 +183,16 @@ def test_macos_format_only_future_events(restart_logcollector_required_daemons_p if only_future_events == 'yes': with pytest.raises(TimeoutError): - log_monitor.start(timeout=macos_log_message_timeout, callback=logcollector.callback_macos_log(expected_old_macos_message)) + log_monitor.start(timeout=macos_log_message_timeout, + callback=logcollector.callback_macos_log(expected_old_macos_message)) else: - log_monitor.start(timeout=macos_log_message_timeout, callback=logcollector.callback_macos_log(expected_old_macos_message)) + log_monitor.start(timeout=macos_log_message_timeout, + callback=logcollector.callback_macos_log(expected_old_macos_message)) logcollector.generate_macos_logger_log(new_message) expected_new_macos_message = logcollector.format_macos_message_pattern('logger', new_message) - log_monitor.start(timeout=macos_log_message_timeout, callback=logcollector.callback_macos_log(expected_new_macos_message), - error_message=logcollector.GENERIC_CALLBACK_ERROR_TARGET_SOCKET) + log_monitor.start(timeout=macos_log_message_timeout, + callback=logcollector.callback_macos_log(expected_new_macos_message), + error_message=logcollector.GENERIC_CALLBACK_ERROR_TARGET_SOCKET) 
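Review bot: In the second hunk the `else` branch repeats the `log_monitor.start(...)` call of the `pytest.raises(TimeoutError)` branch verbatim, and unlike the other monitor calls in this test neither copy passes `error_message=logcollector.GENERIC_CALLBACK_ERROR_TARGET_SOCKET`, so a timeout on the `else` path fails with a less informative message. The duplication collapses into one call under a conditional context manager: `expectation = pytest.raises(TimeoutError) if only_future_events == 'yes' else contextlib.nullcontext()` followed by `with expectation:` and the single `log_monitor.start(...)` call, which needs `import contextlib` at the top of the module. The function continues outside both hunks.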
diff --git a/tests/integration/test_logcollector/test_macos/test_macos_format_query.py b/tests/integration/test_logcollector/test_macos/test_macos_format_query.py index 680022b1eb..5e332723bc 100644 --- a/tests/integration/test_logcollector/test_macos/test_macos_format_query.py +++ b/tests/integration/test_logcollector/test_macos/test_macos_format_query.py @@ -1,6 +1,44 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: The 'wazuh-logcollector' daemon monitors configured files and commands for new log messages. + Specifically, these tests will check if the 'query' option of the logcollector properly works + when using the macOS unified logging system (ULS). Log data collection is the real-time process + of making sense out of the records generated by servers or devices. This component can receive + logs through text files or Windows event logs. It can also directly receive logs via remote + syslog which is useful for firewalls and other such devices. + +tier: 1 + +modules: + - logcollector + +components: + - agent + +daemons: + - wazuh-logcollector + +os_platform: + - macos + +os_version: + - macOS Catalina + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#query + - https://developer.apple.com/documentation/os/logging + +tags: + - logcollector_macos +''' import os import pytest 
@@ -248,8 +286,8 @@ 'query_predicate': 'process == "logger" AND eventMessage CONTAINS[c] "Custom oslog event message"', 'level': 'default', 'type': ['log'], - 'lambda_function': lambda process, eventMessage: process == 'logger' - and "Custom oslog event message" in eventMessage, + 'lambda_function': lambda process, eventMessage: process == 'logger' and + "Custom oslog event message" in eventMessage, 'clause': ['program_name', 'message'] }, 
@@ -311,12 +349,57 @@ def get_connection_configuration(): def test_macos_format_query(configure_local_internal_options_module, restart_logcollector_required_daemons_package, get_configuration, configure_environment, get_connection_configuration, file_monitoring, restart_logcollector): - """Check if logcollector use correctly query option using macos log format. - - Raises: - TimeoutError: If the expected callback is not generated. - """ - + ''' + description: Check if the 'query' option together with its attributes ('type' and 'level') is properly used + by the 'wazuh-logcollector' when using the macOS unified logging system (ULS) events. For this + purpose, the test will configure a 'localfile' section using the macOS settings. Once the + logcollector is started, it will check if the 'monitoring' event is triggered, indicating + that the logcollector starts to monitor the macOS logs, and then, the test will generate + multiple ULS events by using a logger tool. Finally, it will verify that the log collector + events with the testing log messages are only triggered if they fulfill the query predicate. + + wazuh_min_version: 4.2.0 + + parameters: + - configure_local_internal_options_module: + type: fixture + brief: Set internal configuration for testing. + - restart_logcollector_required_daemons_package: + type: fixture + brief: Restart the 'wazuh-agentd', 'wazuh-logcollector', and 'wazuh-modulesd' daemons. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - get_connection_configuration: + type: fixture + brief: Get configurations from the module. + - file_monitoring: + type: fixture + brief: Handle the monitoring of a specified file. + - restart_logcollector: + type: fixture + brief: Reset the 'ossec.log' file and start a new monitor. + + assertions: + - Verify that the logcollector starts monitoring the macOS ULS log messages. 
+ - Verify that the logcollector generates events for all ULS events that fulfill + the 'query' predicate and vice versa. + + input_description: Configuration templates (test_macos_format_query) are contained in external YAML files + (wazuh_macos_format_query*.yaml, ). Those templates are combined with different + test cases defined in the module. Those include configuration settings + for the 'wazuh-logcollector' daemon. + + expected_output: + - r'Monitoring macOS logs with.*' + - Multiple testing log messages from the ULS events. + + tags: + - logs + ''' sleep(1) cfg = get_configuration['metadata'] @@ -325,7 +408,7 @@ def test_macos_format_query(configure_local_internal_options_module, restart_log wazuh_log_monitor.start(timeout=30, callback=macos_logcollector_monitored, error_message=logcollector.GENERIC_CALLBACK_ERROR_ANALYZING_MACOS) - ## Generate macOS log messages + # Generate macOS log messages for macos_log in macos_log_list: log_message_command = macos_log['program_name'] @@ -363,8 +446,8 @@ def test_macos_format_query(configure_local_internal_options_module, restart_log if macos_log_type not in configuration_type: same_type = False - if logcollector.MAP_MACOS_LEVEL_VALUE[macos_log_level] < logcollector.MAP_MACOS_LEVEL_VALUE[ - configuration_level]: + if logcollector.MAP_MACOS_LEVEL_VALUE[macos_log_level] < \ + logcollector.MAP_MACOS_LEVEL_VALUE[configuration_level]: same_level = False for clause in cfg['clause']: diff --git a/tests/integration/test_logcollector/test_macos/test_macos_log_process.py b/tests/integration/test_logcollector/test_macos/test_macos_log_process.py index 98681b1f1f..5f971af695 100644 --- a/tests/integration/test_logcollector/test_macos/test_macos_log_process.py +++ b/tests/integration/test_logcollector/test_macos/test_macos_log_process.py 
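Review bot: The `input_description` in test_macos_format_query's new docstring carries a stray comma, `(wazuh_macos_format_query*.yaml, )`, which should read `(wazuh_macos_format_query*.yaml)`. The brief for `get_connection_configuration` repeats the one given for `get_configuration` ("Get configurations from the module."); the fixture name suggests it returns connection settings rather than the module configurations, so the brief should say what it actually yields once confirmed against the fixture. The old docstring's `Raises: TimeoutError` entry is dropped, and the second `assertions` item ends in "and vice versa", which is ambiguous; spelling it out as `- Verify that the logcollector does not generate events for ULS events that do not fulfill the 'query' predicate.` would be clearer. The function body continues outside the hunk.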
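Review bot: The rewrapped level comparison in test_macos_format_query uses a backslash continuation (`< \`), which PEP 8 discourages in favour of implicit continuation inside parentheses; the same wrap could be `if (logcollector.MAP_MACOS_LEVEL_VALUE[macos_log_level] <` followed by `        logcollector.MAP_MACOS_LEVEL_VALUE[configuration_level]):`. Binding the two lookups to short locals first (e.g. `log_level = logcollector.MAP_MACOS_LEVEL_VALUE[macos_log_level]`) would avoid the wrap altogether. The enclosing loop starts and ends outside the hunk.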
@@ -1,7 +1,44 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: The 'wazuh-logcollector' daemon monitors configured files and commands for new log messages. + Specifically, these tests will check if macOS 'log stream' processes are properly managed by + the logcollector. Log data collection is the real-time process of making sense out of the records + generated by servers or devices. This component can receive logs through text files or Windows + event logs. It can also directly receive logs via remote syslog which is useful + for firewalls and other such devices. + +tier: 0 + +modules: + - logcollector + +components: + - agent + +daemons: + - wazuh-logcollector + +os_platform: + - macos + +os_version: + - macOS Catalina + - macOS Sierra + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html + +tags: + - logcollector_macos +''' import os import pytest import platform 
@@ -64,14 +101,49 @@ def check_process_status(process_list, running=True, stage=''): @pytest.mark.skip(reason="Unexpected false positive, further investigation is required") def test_independent_log_process(get_configuration, configure_environment, file_monitoring, restart_required_logcollector_function): - """Check that independent execution of log processes (external to Wazuh) are not altered because of the Wazuh agent. - - Launches a log process and start Wazuh, check that the independent log process keep running along with the one - started by Wazuh. Stops Wazuh and check that the independent process is still running. - - Raises: - TimeoutError: If the expected callback is not generated. - """ + ''' + description: Check if the independent execution of log processes (external to Wazuh) is not altered when + the Wazuh agent is started or stopped. For this purpose, the test will configure a 'localfile' + section using the macOS settings. Once the logcollector is started, it will check if the + 'monitoring' event is triggered, indicating that the logcollector starts to monitor the macOS + logs. Then, the test will stop the Wazuh agent, launch a new log process and start it again. + After this, it will verify that the log process is active by checking its PID, stopping the agent, + and verifying that the log process remains active. Finally, the test will kill the log process + launched and start the agent again to restore the initial estate of the system. + + wazuh_min_version: 4.2.0 + + parameters: + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_required_logcollector_function: + type: fixture + brief: Restart the Wazuh agent. + - file_monitoring: + type: fixture + brief: Handle the monitoring of a specified file. + + assertions: + - Verify that the logcollector starts monitoring the macOS ULS log messages. 
+ - Verify that the Wazuh agent does not kill independent log processes when it is started. + - Verify that the Wazuh agent does not kill independent log processes when it is stopped. + + input_description: A configuration template (test_macos_log_process) is contained in an external YAML + file (wazuh_macos_format_basic.yaml). That template is combined with a test case + defined in the module. That include configuration settings + for the 'wazuh-logcollector' daemon. + + expected_output: + - r'Monitoring macOS logs with.*' + - PID of the log process launched. + + tags: + - logs + ''' macos_logcollector_monitored = logcollector.callback_monitoring_macos_logs log_monitor.start(timeout=logcollector.LOG_COLLECTOR_GLOBAL_TIMEOUT, callback=macos_logcollector_monitored, error_message=logcollector.GENERIC_CALLBACK_ERROR_TARGET_SOCKET) 
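Review bot: The `description` in test_independent_log_process's new docstring has a typo, "restore the initial estate of the system", which should read "restore the initial state of the system". Its `input_description` also says "That include configuration settings", which should be "That includes configuration settings"; the same wording recurs in the docstrings of test_macos_log_process_stop, test_macos_log_process_stop_suddenly_warning and test_macos_multiline_values in the later hunks. The `parameters` list documents `restart_required_logcollector_function` before `file_monitoring`, the reverse of the signature order, which makes mapping them harder than it needs to be. The function body continues outside the hunk.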
@@ -98,15 +170,50 @@ def test_independent_log_process(get_configuration, configure_environment, file_ @pytest.mark.skip(reason="Unexpected false positive, further investigation is required") def test_macos_log_process_stop(get_configuration, configure_environment, file_monitoring, restart_required_logcollector_function): - """Check if logcollector stops the log and script process when Wazuh agent or logcollector stop. - - There are two process that would run on macOS system when logcollector is configured to get - macOS system logs. The log process and the script (only for Sierra) one. If logcollector process - finish or the agent is stopped, those process must stop. - - Raises: - TimeoutError: If the expected callback is not generated. - """ + ''' + description: Check if the 'wazuh-logcollector' daemon stops the 'log' and 'script' process when the Wazuh agent + or logcollector are stopped. Two processes would run on the macOS system when the logcollector is + configured to get macOS system logs. The log process and the script (only for Sierra) one. If the + logcollector process is finished or the Wazuh agent is stopped, those processes must stop. + For this purpose, the test will configure a 'localfile' section using the macOS settings. Once + the logcollector is started, it will check if the 'monitoring' event is triggered, indicating that + the logcollector starts to monitor the macOS logs. Then, the test will verify that the 'log' and + 'script' processes are running, stop the 'wazuh-logcollector' daemon, verify that the 'log' and + 'script' processes are stopped, and start it again. Finally, the test will repeat the previous + steps, but stopping and starting the Wazuh agent instead of the 'wazuh-logcollector' daemon. + + wazuh_min_version: 4.2.0 + + parameters: + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. 
+ - restart_required_logcollector_function: + type: fixture + brief: Restart the Wazuh agent. + - file_monitoring: + type: fixture + brief: Handle the monitoring of a specified file. + + assertions: + - Verify that the logcollector starts monitoring the macOS ULS log messages. + - Verify that the 'log' and 'script' processes are finished when the 'wazuh-logcollector' daemon is stopped. + - Verify that the 'log' and 'script' processes are finished when the wazuh agent is stopped. + + input_description: A configuration template (test_macos_log_process) is contained in an external YAML + file (wazuh_macos_format_basic.yaml). That template is combined with a test case + defined in the module. That include configuration settings + for the 'wazuh-logcollector' daemon. + + expected_output: + - r'Monitoring macOS logs with.*' + + tags: + - logs + ''' process_to_stop = ['log', 'script'] if macos_sierra else ['log'] macos_logcollector_monitored = logcollector.callback_monitoring_macos_logs 
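Review bot: The third assertion in test_macos_log_process_stop's new docstring writes "wazuh agent" in lower case while every other line, including the assertion just above it, uses "Wazuh agent"; it should read `- Verify that the 'log' and 'script' processes are finished when the Wazuh agent is stopped.` The brief for `restart_required_logcollector_function` says "Restart the Wazuh agent." although the fixture name points at the logcollector; presumably the fixture restarts the agent as a whole, but the brief should match what the fixture does — confirm against its definition. The function body continues outside the hunk.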
@@ -132,14 +239,48 @@ def test_macos_log_process_stop(get_configuration, configure_environment, file_m @pytest.mark.skip(reason="Unexpected false positive, further investigation is required") def test_macos_log_process_stop_suddenly_warning(get_configuration, configure_environment, file_monitoring, restart_required_logcollector_function): - """Check if logcollector alerts when `log stream` process has stopped. - - In Sierra this tests also checks that, if log process ends, then script process also ends and the other way around. - - Raises: - TimeoutError: If the expected callback is not generated. - """ - + ''' + description: Check if the 'wazuh-logcollector' daemon generates an error event when the 'log stream' process + is stopped. In macOS Sierra, this test also checks if when the log process ends, then the 'script' + process also ends. For this purpose, the test will configure a 'localfile' section using the macOS + settings. Once the logcollector is started, it will check if the 'monitoring' event is triggered, + indicating that the logcollector starts to monitor the macOS logs. Then, the test will verify that + the 'log' and 'script' processes are running. After this, it will send a signal to terminate that + processes and check if they are closed. Finally, the test will verify that a logcollector error + event is generated when the log or script process is not detected. + + wazuh_min_version: 4.2.0 + + parameters: + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_required_logcollector_function: + type: fixture + brief: Restart the Wazuh agent. + - file_monitoring: + type: fixture + brief: Handle the monitoring of a specified file. + + assertions: + - Verify that the logcollector starts monitoring the macOS ULS log messages. + - Verify that the logcollector detects when the 'log' or 'script' process is closed. 
+ + input_description: A configuration template (test_macos_log_process) is contained in an external YAML + file (wazuh_macos_format_basic.yaml). That template is combined with a test case + defined in the module. That include configuration settings + for the 'wazuh-logcollector' daemon. + + expected_output: + - r'Monitoring macOS logs with.*' + - r'macOS "log stream" process exited' + + tags: + - logs + ''' macos_logcollector_monitored = logcollector.callback_monitoring_macos_logs log_monitor.start(timeout=logcollector.LOG_COLLECTOR_GLOBAL_TIMEOUT, callback=macos_logcollector_monitored, error_message=logcollector.GENERIC_CALLBACK_ERROR_TARGET_SOCKET) diff --git a/tests/integration/test_logcollector/test_macos/test_macos_multiline_values.py b/tests/integration/test_logcollector/test_macos/test_macos_multiline_values.py index a2d8d174bb..d5e4311695 100644 --- a/tests/integration/test_logcollector/test_macos/test_macos_multiline_values.py +++ b/tests/integration/test_logcollector/test_macos/test_macos_multiline_values.py 
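Review bot: The `description` in test_macos_log_process_stop_suddenly_warning's new docstring says "send a signal to terminate that processes and check if they are closed", which should read "those processes". The sentence "this test also checks if when the log process ends, then the 'script' process also ends" is awkward; `this test also checks that the 'script' process ends when the 'log' process ends` reads more cleanly, and the old docstring also covered the reverse direction ("and the other way around"), which the new text drops — worth restoring if the test still checks it. The function body continues outside the hunk.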
@@ -1,7 +1,44 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: The 'wazuh-logcollector' daemon monitors configured files and commands for new log messages. + Specifically, these tests will check if the 'wazuh-logcollector' daemon properly gathers + macOS unified logging system (ULS) events when working with multi-line logs. Log data + collection is the real-time process of making sense out of the records generated by servers + or devices. This component can receive logs through text files or Windows event logs. It can + also directly receive logs via remote syslog which is useful for firewalls and other such devices. + +tier: 0 + +modules: + - logcollector + +components: + - agent + +daemons: + - wazuh-logcollector + +os_platform: + - macos + +os_version: + - macOS Catalina + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html + - https://developer.apple.com/documentation/os/logging + +tags: + - logcollector_macos +''' import os import pytest import time @@ -31,6 +68,7 @@ macos_uls_time_to_wait_after_start = 3 macos_logcollector_start = 30 + # fixtures @pytest.fixture(scope="module", params=configurations) def get_configuration(request): 
@@ -48,18 +86,58 @@ def get_connection_configuration(): def test_macos_multiline_values(configure_local_internal_options_module, restart_logcollector_required_daemons_package, get_configuration, configure_environment, macos_message, file_monitoring, daemons_handler): - - """Check if logcollector correctly collects multiline events from the macOS unified logging system. - - This test uses logger tool and a custom log to generate ULS events. The agent is connected to a authd simulator - and sended events are gather using remoted simulator tool. - - Raises: - TimeoutError: If the expected callback is not generated. - """ + ''' + description: Check if the 'wazuh-logcollector' daemon collects multiline events from the macOS ULS + (unified logging system). For this purpose, the test will configure a 'localfile' section + using the macOS settings. Once the logcollector is started, it will check if the 'monitoring' + event is triggered, indicating that the logcollector starts to monitor the macOS logs. Then, + the test will generate a multiline ULS event by using a logger tool. Finally, the test + will verify that a logcollector event with the testing log message has been generated. + + wazuh_min_version: 4.2.0 + + parameters: + - configure_local_internal_options_module: + type: fixture + brief: Set internal configuration for testing. + - restart_logcollector_required_daemons_package: + type: fixture + brief: Restart the 'wazuh-agentd', 'wazuh-logcollector', and 'wazuh-modulesd' daemons. + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - macos_message: + type: dict + brief: Dictionary with the testing macOS ULS event. + - daemons_handler: + type: fixture + brief: Handler of Wazuh daemons. + - file_monitoring: + type: fixture + brief: Handle the monitoring of a specified file. 
+ + assertions: + - Verify that the logcollector starts monitoring the macOS ULS log messages. + - Verify that the logcollector correctly gather unified logging system (ULS) events with multiline format. + + input_description: A configuration template (test_macos_multiline_values) is contained in an external + YAML file (wazuh_macos_format_basic.yaml). That template is combined with a + test case defined in the module. That include configuration settings + for the 'wazuh-logcollector' daemon. + + expected_output: + - r'Monitoring macOS logs with.*' + - r'Here is a multiline log.*' + + tags: + - logs + ''' macos_logcollector_monitored = logcollector.callback_monitoring_macos_logs log_monitor.start(timeout=macos_logcollector_start, callback=macos_logcollector_monitored, - error_message=logcollector.GENERIC_CALLBACK_ERROR_TARGET_SOCKET) + error_message=logcollector.GENERIC_CALLBACK_ERROR_TARGET_SOCKET) time.sleep(macos_uls_time_to_wait_after_start) multiline_message = macos_message['message'].split('\n')[:-1]
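Review bot: The second assertion in test_macos_multiline_values's new docstring, "correctly gather unified logging system (ULS) events", has a subject-verb disagreement and should read `- Verify that the logcollector correctly gathers unified logging system (ULS) events with multiline format.` The `parameters` list documents `daemons_handler` before `file_monitoring`, the reverse of the signature order. The old docstring stated that the agent is connected to an authd simulator and that the sent events are gathered with the remoted simulator tool; if the fixtures still set that up, the `description` should keep it, since it explains what `daemons_handler` provides — presumably so, confirm against the fixture. The function body continues outside the hunk.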