Unstable FIM tests for Solaris agent #3405

Closed
Rebits opened this issue Oct 3, 2022 · 2 comments

Rebits commented Oct 3, 2022

| Version | Commit | Report |
|---|---|---|
| 4.5.0 | 9ce0d83 | solaris_report.zip |

Description

Solaris agent FIM tests seem unstable. The test case test_realtime_unsupported[get_configuration0]. It is required to check these tests and ensure they are stable.

@Rebits Rebits changed the title IT FIM: Unstable test for Solaris agent Unstable FIM tests for Solaris agent Oct 5, 2022
@jmv74211 jmv74211 added this to the Development 4.5 milestone Oct 7, 2022

fedepacher commented Nov 3, 2022

Update 2022/11/03

The Wazuh agent works as expected in manual testing on a Solaris 11 OS, ignoring the realtime tag and using the scheduled mode instead.
To check this, the local_internal_options.conf file was configured as follows:

syscheck.debug=2
monitord.rotate_log=0

And the ossec.conf file is as follows:

<syscheck>
  <disabled>no</disabled>
  <directories check_all="yes" realtime="yes">/dir</directories>
</syscheck>

Files were created/updated/deleted inside the /dir folder to check the Wazuh agent behavior.
As the scheduled mode is performed (instead of realtime mode) and the <frequency> tag by default is 12 hours, the local system DateTime was modified with the following command:

date 1104055222
Friday, November  4, 2022 05:52:00 AM EET

To launch the file integrity monitoring check.

@fedepacher

Update 2022/11/07

I have noticed that every time the test fails, it is because it has performed a DateTime change before letting Wazuh reach the following log:

DEBUG: Finished calculating FIM integrity.

This means that the test creates/modifies/deletes a file, makes a DateTime change, and checks for the FIM integrity result, but as FIM has not finished calculating the integrity, it fails.
This problem may be caused by the use of the DateTime change. To avoid the use of the time travel function, I propose the addition of the following tag to the ossec.conf file in the syscheck module:

<frequency>3</frequency>

This tag will set the scan frequency to 3 seconds instead of using the default value of 43200 seconds (12 hours).
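
The ordering problem described in the comments above can also be handled by making a test step wait for the "Finished calculating FIM integrity" line before it acts. The sketch below is an added example, not code from the issue or from the Wazuh test framework; `wait_for_marker`, `demo` and the sample log lines are hypothetical and constructed for illustration.

```python
import os
import tempfile
import time

# Marker quoted in the comment above; everything else here is hypothetical.
FIM_SCAN_DONE = "DEBUG: Finished calculating FIM integrity."

# Constructed log excerpt: scan 1 has finished, scan 2 is still running.
SAMPLE_LOG = (
    "2022/11/07 10:00:00 wazuh-syscheckd: DEBUG: constructed line, scan 1 running\n"
    "2022/11/07 10:00:01 wazuh-syscheckd: " + FIM_SCAN_DONE + "\n"
    "2022/11/07 10:00:04 wazuh-syscheckd: DEBUG: constructed line, scan 2 running\n"
)


def wait_for_marker(log_path, offset=0, marker=FIM_SCAN_DONE, timeout=10.0, poll=0.2):
    """Block until `marker` is logged at or after byte `offset`.

    Returns the offset just past the matching line, so the next call waits for
    the following scan. Offsets assume the log is not rotated in between
    (monitord.rotate_log=0 above). Raises TimeoutError if nothing is logged."""
    deadline = time.monotonic() + timeout
    needle = marker.encode()
    while True:
        with open(log_path, "rb") as log:
            log.seek(offset)
            for line in iter(log.readline, b""):
                if not line.endswith(b"\n"):
                    break  # partially written line: re-read it on the next poll
                offset += len(line)
                if needle in line:
                    return offset
        if time.monotonic() >= deadline:
            raise TimeoutError(f"{marker!r} not logged within {timeout}s")
        time.sleep(poll)


def demo():
    """Return (offset after scan 1, whether waiting for scan 2 timed out)."""
    with tempfile.NamedTemporaryFile("w", suffix=".log", delete=False) as tmp:
        tmp.write(SAMPLE_LOG)
    try:
        after_first = wait_for_marker(tmp.name, timeout=1.0)
        try:
            wait_for_marker(tmp.name, offset=after_first, timeout=0.3, poll=0.1)
        except TimeoutError:
            return after_first, True  # scan 2 not finished: the test must not proceed
        return after_first, False
    finally:
        os.unlink(tmp.name)
```

Passing the returned offset into the next call is what keeps a step from matching the previous scan's marker, which matters when scans repeat every few seconds.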
