merge(#4188): merge 4.5 into 4188-fix-openssl-errors

wazuh · Jun 6, 2023 · d7e1ac6 · d7e1ac6
2 parents 93b05b6 + 3001be5
commit d7e1ac6
Show file tree

Hide file tree

Showing 11 changed files with 846 additions and 608 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -20,6 +20,7 @@ All notable changes to this project will be documented in this file.
 ### Changed
 
 - Skip `test_authd_ssl_options` cases that use TLS 1.1 causing errors on several OpenSSL versions \- (Tests)
+- Fix FIM test_large_changes test suite ([#3948](https:/wazuh/wazuh-qa/pull/3948)) \- (Tests)
 - Update `get_test_cases_data` function so it handles fim_mode parameter ([#4185](https:/wazuh/wazuh-qa/pull/4185)) \- (Framework)
 - Change FIM `regular_file_cud` and `EventChecker` file modification steps ([#4183](https:/wazuh/wazuh-qa/pull/4183)) \- (Framework + Tests)
 - Refactor library to change the environment ([#4145](https:/wazuh/wazuh-qa/pull/4145)) \- (Framework)
@@ -170,6 +171,7 @@ Release report: https:/wazuh/wazuh/issues/15504
 - Analysisd: Reduce execution time of tests with tier 0 ([#2546](https:/wazuh/wazuh-qa/pull/2546)) \- (Tests)
 - Adapt logtest ITs given the rules skipping ([#2200](https:/wazuh/wazuh-qa/pull/2200)) \- (Tests)
 - Updated the Authd response when a multigroup is too long ([#3746](https:/wazuh/wazuh-qa/pull/3746)) \- (Tests)
+- Refactor ITs related to syscollector deltas alerts ([#3579](https:/wazuh/wazuh-qa/pull/3579)) \- (Tests)
 
 ### Fixed
 

diff --git a/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py b/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py
@@ -388,6 +388,19 @@ def callback_detect_file_deleted_event(line):
  return None
 
 
+def callback_detect_file_more_changes(line):
+ """ Callback that detects if a line in a log contains 'More changes' in content_changes.
+ Args:
+ line (String): string line to be checked by callback in FileMonitor.
+ Returns:
+ returns JSON string from log.
+ """
+ json_event = callback_detect_event(line)
+ if json_event is not None and 'content_changes' in json_event['data']:
+ if 'More changes' in json_event['data']['content_changes']:
+ return json_event
+
+
 def callback_audit_cannot_start(line):
  """ Callback that detects if a line shows whodata engine could not start and monitoring switched to realtime.
 
@@ -501,3 +514,25 @@ def detect_windows_whodata_mode_change(file_monitor, file='.*'):
 
  file_monitor.start(timeout=T_60, callback=generate_monitoring_callback(pattern),
  error_message=ERR_MSG_WHODATA_REALTIME_MODE_CHANGE_EVENT)
+
+
+def get_fim_event(file_monitor=None, callback='', error_message=None, update_position=True,
+ timeout=T_60, accum_results=1, file_to_monitor=LOG_FILE_PATH):
+ """ Check if FIM event occurs and return it according to the callback.
+ Args:
+ file_monitor (FileMonitor): FileMonitor object to monitor the file content.
+ callback (str): log regex to check in Wazuh log
+ error_message (str): error message to show in case of expected event does not occur
+ update_position (boolean): filter configuration parameter to search in Wazuh log
+ timeout (str): timeout to check the event in Wazuh log
+ accum_results (int): Accumulation of matches.
+ Returns:
+ returns the value given by the callback used. Default None.
+ """
+ file_monitor = FileMonitor(file_to_monitor) if file_monitor is None else file_monitor
+ error_message = f"Could not find this event in {file_to_monitor}: {callback}" if error_message is None else \
+ error_message
+
+ result = file_monitor.start(timeout=timeout, update_position=update_position, accum_results=accum_results,
+ callback=callback, error_message=error_message).result()
+ return result
diff --git a/tests/integration/test_analysisd/conftest.py b/tests/integration/test_analysisd/conftest.py
@@ -47,13 +47,14 @@ def callback_analysisd_startup(line):
 
 
 @pytest.fixture(scope='module')
-def configure_custom_rules(request, get_configuration):
+def configure_custom_rules(request):
  """Configure a syscollector custom rules for testing.
  Restarting wazuh-analysisd is required to apply this changes.
  """
- data_dir = getattr(request.module, 'data_dir')
- source_rule = os.path.join(data_dir, get_configuration['rule_file'])
- target_rule = os.path.join(CUSTOM_RULES_PATH, get_configuration['rule_file'])
+ data_dir = getattr(request.module, 'TEST_RULES_PATH')
+ data_file = getattr(request.module, 'rule_file')
+ source_rule = os.path.join(data_dir, data_file)
+ target_rule = os.path.join(CUSTOM_RULES_PATH, data_file)
 
  # copy custom rule with specific privileges
  shutil.copy(source_rule, target_rule)

diff --git a/..._syscollector/data/syscollector_rules.xml → ...llector/data/rules/syscollector_rules.xml b/..._syscollector/data/syscollector_rules.xml → ...llector/data/rules/syscollector_rules.xml
diff --git a/tests/integration/test_analysisd/test_syscollector/data/syscollector.yaml b/tests/integration/test_analysisd/test_syscollector/data/syscollector.yaml
diff --git a/...tion/test_analysisd/test_syscollector/data/test_cases/cases_syscollector_integration.yaml b/...tion/test_analysisd/test_syscollector/data/test_cases/cases_syscollector_integration.yaml
diff --git a/tests/integration/test_analysisd/test_syscollector/test_syscollector_events.py b/tests/integration/test_analysisd/test_syscollector/test_syscollector_events.py
diff --git a/tests/integration/test_analysisd/test_syscollector/test_syscollector_integration.py b/tests/integration/test_analysisd/test_syscollector/test_syscollector_integration.py
@@ -0,0 +1,137 @@
+'''
+copyright: Copyright (C) 2015-2023, Wazuh Inc.
+ Created by Wazuh, Inc. <[email protected]>.
+ This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: These tests will check if Analysisd handle Syscollector deltas
+ properly by generating alerts.
+
+components:
+ - analysisd
+
+suite: syscollector
+
+targets:
+ - manager
+
+daemons:
+ - wazuh-analysisd
+
+os_platform:
+ - linux
+
+os_version:
+ - Amazon Linux 2
+ - Amazon Linux 1
+ - CentOS 8
+ - CentOS 7
+ - Ubuntu Focal
+ - Ubuntu Bionic
+
+references:
+ - https://documentation.wazuh.com/current/user-manual/capabilities/syscollector.html\
+ #using-syscollector-information-to-trigger-alerts
+'''
+import os
+import pytest
+
+from wazuh_testing.tools.configuration import get_test_cases_data
+from wazuh_testing.tools import ANALYSISD_QUEUE_SOCKET_PATH, ALERT_FILE_PATH
+from wazuh_testing.analysis import CallbackWithContext, callback_check_syscollector_alert
+
+pytestmark = [pytest.mark.server]
+
+# Generic vars
+TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data')
+TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases')
+TEST_RULES_PATH = os.path.join(TEST_DATA_PATH, 'rules')
+
+local_internal_options = {'analysisd.debug': '2'}
+receiver_sockets_params = [(ANALYSISD_QUEUE_SOCKET_PATH, 'AF_UNIX', 'UDP')]
+receiver_sockets = None
+alert_timeout = 5
+file_to_monitor = ALERT_FILE_PATH
+
+# ---------------------------------------- TEST_SYSCOLLECTOR_EVENTS -------------------------------------
+# Configuration and cases data
+cases_path = os.path.join(TEST_CASES_PATH, 'cases_syscollector_integration.yaml')
+rule_file = "syscollector_rules.xml"
+
+# Enabled test configurations
+_, configuration_metadata, case_ids = get_test_cases_data(cases_path)
+
+
+@pytest.mark.tier(level=2)
+@pytest.mark.parametrize('metadata', configuration_metadata, ids=case_ids)
+def test_syscollector_integration(metadata, configure_local_internal_options_module, mock_agent_module,
+ configure_custom_rules, restart_analysisd, wait_for_analysisd_startup,
+ connect_to_sockets_function, file_monitoring):
+ """
+ description: Check if Analysisd handle Syscollector deltas properly by generating alerts.
+
+ wazuh_min_version: 4.4.0
+
+ tier: 2
+
+ parameters:
+ - metadata:
+ type: dict
+ brief: Get metadata from the module.
+ - mock_agent_module:
+ type: fixture
+ brief: Create mock agent and get agent_id
+ - configure_custom_rules:
+ type: fixture
+ brief: Copy custom rules to test.
+ - restart_analysisd:
+ type: fixture
+ brief: Restart analysisd daemon and truncate related log files.
+ - wait_for_analysisd_startup:
+ type: fixture
+ brief: Wait until analysisd is ready.
+ - connect_to_sockets_function:
+ type: fixture
+ brief: Connect to analysisd event queue.
+ - file_monitoring:
+ type: fixture
+ brief: Handle the monitoring of a specified file.
+
+ assertions:
+ - Verify that specific syscollector deltas trigger specific custom alert with certain values.
+
+ input_description:
+ Input dataset (defined as event_header + event_payload in cases_syscollector_integration.yaml)
+ cover, in most of the cases, INSERTED, MODIFIED and DELETED deltas
+ for each of the available scan; osinfo, hwinfo, processes, packages, network_interface,
+ network_address, network_protocol, ports and hotfixes.
+
+ expected_output:
+ Expected output (defined as alert_expected_values in cases_syscollector_integration.yaml)
+
+ tags:
+ - rules
+ """
+
+ # Get mock agent_id to create syscollector header
+ agent_id = mock_agent_module
+ event_header = f"d:[{agent_id}] {metadata['event_header']}"
+
+ # Add agent_id alert check
+ alert_expected_values = metadata['alert_expected_values']
+ alert_expected_values['agent.id'] = agent_id
+
+ # Create full message by header and payload concatenation
+ test_msg = event_header + metadata['event_payload']
+
+ # Send delta to analysisd queue
+ receiver_sockets[0].send(test_msg)
+
+ # Set callback according to stage parameters
+ alert_callback = CallbackWithContext(callback_check_syscollector_alert, alert_expected_values)
+
+ # Find expected outputs
+ log_monitor.start(timeout=alert_timeout,
+ callback=alert_callback,
+ error_message=f"Timeout expecting {metadata['description']} message.")