Migrate test_analysisd documentation to QA Docs

docs/DocGenerator/config.yaml

@@ -5,6 +5,7 @@ Output path: "../output"
 Include paths:
  - "../../tests/integration/test_active_response"
  - "../../tests/integration/test_agentd"
+ - "../../tests/integration/test_analysisd"
 
 Include regex:
  - "^test_.*py$"
@@ -19,6 +20,13 @@ Ignore paths:
  - "../../tests/integration/test_active_response/test_analysisd/data"
  - "../../tests/integration/test_active_response/test_execd/data"
  - "../../tests/integration/test_agentd/data"
+ - "../../tests/integration/test_analysisd/test_all_syscheckd_configurations/data"
+ - "../../tests/integration/test_analysisd/test_all_syscheckd_configurations/yaml_generators"
+ - "../../tests/integration/test_analysisd/test_error_messages/data"
+ - "../../tests/integration/test_analysisd/test_event_messages/data"
+ - "../../tests/integration/test_analysisd/test_integrity_messages/data"
+ - "../../tests/integration/test_analysisd/test_mitre/data"
+ - "../../tests/integration/test_analysisd/test_scan_messages/data"
 
 Output fields:
  Module:

tests/integration/test_analysisd/test_all_syscheckd_configurations/test_check_rare_socket_responses.py

@@ -1,7 +1,54 @@
-# Copyright (C) 2015-2021, Wazuh Inc.
-# Created by Wazuh, Inc. <[email protected]>.
-# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+'''
+copyright:
+ Copyright (C) 2015-2021, Wazuh Inc.
 
+ Created by Wazuh, Inc. <[email protected]>.
+
+ This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type:
+ integration
+
+description:
+ These tests will verify if the `wazuh-db` and `analysisd` daemons
+ correctly handle `syscheck` events considered rare.
+
+tiers:
+ - 2
+
+component:
+ manager
+
+path:
+ tests/integration/test_analysisd/test_all_syscheckd_configurations/
+
+daemons:
+ - analysisd
+ - syscheckd
+ - wazuh-db
+
+os_support:
+ - linux, rhel5
+ - linux, rhel6
+ - linux, rhel7
+ - linux, rhel8
+ - linux, amazon linux 1
+ - linux, amazon linux 2
+ - linux, debian buster
+ - linux, debian stretch
+ - linux, debian wheezy
+ - linux, ubuntu bionic
+ - linux, ubuntu xenial
+ - linux, ubuntu trusty
+ - linux, arch linux
+
+coverage:
+
+pytest_args:
+
+tags:
+
+'''
 import os
 
 import pytest
@@ -51,16 +98,48 @@
  ids=[test_case['name'] for test_case in test_cases])
 def test_validate_rare_socket_responses(configure_sockets_environment, connect_to_sockets_module,
  wait_for_analysisd_startup, test_case: list):
- """Validate every response from the analysisd socket to the wazuh-db socket using rare cases with encoded characters.
+ '''
+ description:
+ Validate every response from the `analysisd` socket to the `wazuh-db` socket
+ using rare `syscheck` events with encoded characters.
+
+ wazuh_min_version:
+ 3.12
+
+ parameters:
+ - configure_sockets_environment:
+ type: fixture
+ brief: Configure environment for sockets and MITM.
+
+ - connect_to_sockets_module:
+ type: fixture
+ brief: Module scope version of `connect_to_sockets` fixture.
+
+ - wait_for_analysisd_startup:
+ type: fixture
+ brief: Wait until analysisd has begun and alerts.json is created.
+
+ - test_case:
+ type: list
+ brief: List of tests to be performed.
+
+ assertions:
+ - Check that the output logs are consistent with the syscheck events received.
+
+ test_input:
+ Different test cases that are contained in an external `YAML` file (syscheck_rare_events.yaml)
+ that includes `syscheck` events data and the expected output.
+
+ logging:
+ - ossec.log:
+ - "Multiple values located in the `syscheck_rare_events.yaml` file."
+
+ - alerts.json:
+ -"Multiple values located in the `syscheck_rare_events.yaml` file."
 
- This test will catch every response from analysisd to wazuh-db in real-time using the yaml
- `/data/syscheck_events.yaml`.
+ tags:
 
- Parameters
- ----------
- test_case : dict
- Dict with the input to inject to the analysisd socket and output to expect to be sent to the wazuh-db socket.
- """
+ '''
  # There is only one stage per test_case
  stage = test_case[0]
  expected = callback_analysisd_message(stage['output'])

tests/integration/test_analysisd/test_all_syscheckd_configurations/test_check_socket_responses.py

@@ -1,7 +1,54 @@
-# Copyright (C) 2015-2021, Wazuh Inc.
-# Created by Wazuh, Inc. <[email protected]>.
-# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+'''
+copyright:
+ Copyright (C) 2015-2021, Wazuh Inc.
 
+ Created by Wazuh, Inc. <[email protected]>.
+
+ This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type:
+ integration
+
+description:
+ These tests will verify if the `wazuh-db` and `analysisd` daemons
+ correctly handle common `syscheck` events.
+
+tiers:
+ - 2
+
+component:
+ manager
+
+path:
+ tests/integration/test_analysisd/test_all_syscheckd_configurations/
+
+daemons:
+ - analysisd
+ - syscheckd
+ - wazuh-db
+
+os_support:
+ - linux, rhel5
+ - linux, rhel6
+ - linux, rhel7
+ - linux, rhel8
+ - linux, amazon linux 1
+ - linux, amazon linux 2
+ - linux, debian buster
+ - linux, debian stretch
+ - linux, debian wheezy
+ - linux, ubuntu bionic
+ - linux, ubuntu xenial
+ - linux, ubuntu trusty
+ - linux, arch linux
+
+coverage:
+
+pytest_args:
+
+tags:
+
+'''
 import os
 
 import pytest
@@ -51,16 +98,48 @@
  ids=[test_case['name'] for test_case in test_cases])
 def test_validate_socket_responses(configure_sockets_environment, connect_to_sockets_module, wait_for_analysisd_startup,
  test_case: list):
- """Validate every response from the analysisd socket to the wazuh-db socket.
+ '''
+ description:
+ Validate every response from the `analysisd` socket to the `wazuh-db` socket
+ using common `syscheck` events.
+
+ wazuh_min_version:
+ 3.12
+
+ parameters:
+ - configure_sockets_environment:
+ type: fixture
+ brief: Configure environment for sockets and MITM.
+
+ - connect_to_sockets_module:
+ type: fixture
+ brief: Module scope version of `connect_to_sockets` fixture.
+
+ - wait_for_analysisd_startup:
+ type: fixture
+ brief: Wait until analysisd has begun and alerts.json is created.
+
+ - test_case:
+ type: list
+ brief: List of tests to be performed.
+
+ assertions:
+ - Check that the output logs are consistent with the syscheck events received.
+
+ test_input:
+ Different test cases that are contained in an external `YAML` file (syscheck_events.yaml)
+ that includes `syscheck` events data and the expected output.
+
+ logging:
+ - ossec.log:
+ - "Multiple values located in the `syscheck_events.yaml` file."
+
+ - alerts.json:
+ -"Multiple values located in the `syscheck_events.yaml` file."
 
- This test will catch every response from analysisd to wazuh-db in real-time using the yaml
- `/data/syscheck_events.yaml`.
+ tags:
 
- Parameters
- ----------
- test_case : dict
- Dict with the input to inject to the analysisd socket and output to expect to be sent to the wazuh-db socket.
- """
+ '''
  # There is only one stage per test_case
  stage = test_case[0]
  expected = callback_analysisd_message(stage['output'])

tests/integration/test_analysisd/test_all_syscheckd_configurations/test_validate_linux_analysisd_alerts.py

@@ -1,7 +1,54 @@
-# Copyright (C) 2015-2021, Wazuh Inc.
-# Created by Wazuh, Inc. <[email protected]>.
-# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+'''
+copyright:
+ Copyright (C) 2015-2021, Wazuh Inc.
 
+ Created by Wazuh, Inc. <[email protected]>.
+
+ This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type:
+ integration
+
+description:
+ These tests will verify if the `analysisd` daemon correctly handles alerts generated
+ from the received Linux events.
+
+tiers:
+ - 2
+
+component:
+ manager
+
+path:
+ tests/integration/test_analysisd/test_all_syscheckd_configurations/
+
+daemons:
+ - analysisd
+ - syscheckd
+ - wazuh-db
+
+os_support:
+ - linux, rhel5
+ - linux, rhel6
+ - linux, rhel7
+ - linux, rhel8
+ - linux, amazon linux 1
+ - linux, amazon linux 2
+ - linux, debian buster
+ - linux, debian stretch
+ - linux, debian wheezy
+ - linux, ubuntu bionic
+ - linux, ubuntu xenial
+ - linux, ubuntu trusty
+ - linux, arch linux
+
+coverage:
+
+pytest_args:
+
+tags:
+
+'''
 import os
 
 import pytest
@@ -57,12 +104,53 @@ def get_alert(request):
 
 def test_validate_all_linux_alerts(configure_sockets_environment, connect_to_sockets_module, wait_for_analysisd_startup,
  generate_events_and_alerts, get_alert):
- """Check the event messages handling by analysisd.
+ '''
+ description:
+ Check that the alerts generated by `analysisd` from Linux systems events are valid.
+ The `validate_analysis_alert_complex` function checks if an `analysisd` alert is
+ properly formatted in reference to its `syscheck` event.
+
+ wazuh_min_version:
+ 3.12
+
+ parameters:
+ - configure_sockets_environment:
+ type: fixture
+ brief: Configure environment for sockets and MITM.
+
+ - connect_to_sockets_module:
+ type: fixture
+ brief: Module scope version of `connect_to_sockets` fixture.
+
+ - wait_for_analysisd_startup:
+ type: fixture
+ brief: Wait until analysisd has begun and alerts.json is created.
+
+ - generate_events_and_alerts:
+ type: fixture
+ brief: Read the specified yaml and generate every event and alert using the input from every test case.
+
+ - get_alert:
+ type: fixture
+ brief: List of alerts to be validated.
+
+ assertions:
+ - Check that the alerts generated are consistent with the events received.
+
+ test_input:
+ Different test cases that are contained in an external `YAML` file (syscheck_events.yaml)
+ that includes `syscheck` events data and the expected output.
+
+ logging:
+ - ossec.log:
+ - "Multiple values located in the `syscheck_events.yaml` file."
+
+ - alerts.json:
+ -"Multiple values located in the `syscheck_events.yaml` file."
+
+ tags:
 
- The variable `test_case` is a yaml file that contains the input and the expected output for every test case.
- The function validate_analysis_integrity_state is a function responsible for checking that the output follows a
- certain jsonschema.
- """
+ '''
  alert = get_alert
  path = alert['syscheck']['path']
  mode = alert['syscheck']['event'].title()