
Migrate test_env_variables and test_file_limit of test_fim/test_files documentation to qa-docs #1947

mdengra
Contributor

@mdengra mdengra commented Sep 30, 2021

Related issue
Closes #1945

Description

As part of issue #1810 and epic #1796, this PR adds the missing documentation and migrates the current documentation to the new format used by qa-docs.
The schema used is the one defined in issue #1694.

Generated documentation

test_env_variables

test_dir_win32.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <[email protected]>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are modified. Specifically, these tests will check if FIM events are generated when environment variables are used to monitor directories in Windows systems. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 2,
    "modules": [
        "fim"
    ],
    "components": [
        "agent"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "windows"
    ],
    "os_version": [
        "Windows 10",
        "Windows 8",
        "Windows 7",
        "Windows Server 2016",
        "Windows server 2012",
        "Windows server 2003",
        "Windows XP"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#directories"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_env_variables"
    ],
    "name": "test_dir_win32.py",
    "id": 2,
    "group_id": 0,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' daemon detects CUD events ('added', 'modified', and 'deleted') when environment variables are used to monitor directories. For this purpose, the test will monitor a directory that is defined in an environment variable. Then, different operations will be performed on testing files, and finally, the test will verify that the proper FIM events have been generated.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "directory": {
                        "type": "str",
                        "brief": "Path to the directory to be monitored."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "put_env_variables": {
                        "type": "fixture",
                        "brief": "Create the environment variables."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that FIM events are generated when environment variables are used to monitor directories."
            ],
            "input_description": "A test case (ossec_conf) is contained in external YAML file (wazuh_conf_dir.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon and, it is combined with the directory to be monitored defined as an environment variable in this module.",
            "expected_output": [
                {
                    "r'.*Sending FIM event": "(.+)$' ('added', 'modified', and 'deleted' events)"
                }
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_tag_directories",
            "inputs": [
                "get_configuration0-/testdir1",
                "get_configuration0-/testdir2",
                "get_configuration0-/testdir3",
                "get_configuration0-/testdir4",
                "get_configuration1-/testdir1",
                "get_configuration1-/testdir2",
                "get_configuration1-/testdir3",
                "get_configuration1-/testdir4",
                "get_configuration2-/testdir1",
                "get_configuration2-/testdir2",
                "get_configuration2-/testdir3",
                "get_configuration2-/testdir4",
                "get_configuration0-/testdir1/subdir",
                "get_configuration1-/testdir1/subdir",
                "get_configuration2-/testdir1/subdir"
            ]
        }
    ]
}

test_dir_win32.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggering
  alerts when these files are modified. Specifically, these tests will check if FIM
  events are generated when environment variables are used to monitor directories
  in Windows systems. The FIM capability is managed by the 'wazuh-syscheckd' daemon,
  which checks configured files for changes to the checksums, permissions, and ownership.
components:
- agent
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <[email protected]>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 0
id: 2
modules:
- fim
name: test_dir_win32.py
os_platform:
- windows
os_version:
- Windows 10
- Windows 8
- Windows 7
- Windows Server 2016
- Windows server 2012
- Windows server 2003
- Windows XP
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#directories
tags:
- fim_env_variables
tests:
- assertions:
  - Verify that FIM events are generated when environment variables are used to monitor
    directories.
  description: Check if the 'wazuh-syscheckd' daemon detects CUD events ('added',
    'modified', and 'deleted') when environment variables are used to monitor directories.
    For this purpose, the test will monitor a directory that is defined in an environment
    variable. Then, different operations will be performed on testing files, and finally,
    the test will verify that the proper FIM events have been generated.
  expected_output:
  - r'.*Sending FIM event: (.+)$' ('added', 'modified', and 'deleted' events)
  input_description: A test case (ossec_conf) is contained in external YAML file (wazuh_conf_dir.yaml)
    which includes configuration settings for the 'wazuh-syscheckd' daemon and, it
    is combined with the directory to be monitored defined as an environment variable
    in this module.
  inputs:
  - get_configuration0-/testdir1
  - get_configuration0-/testdir2
  - get_configuration0-/testdir3
  - get_configuration0-/testdir4
  - get_configuration1-/testdir1
  - get_configuration1-/testdir2
  - get_configuration1-/testdir3
  - get_configuration1-/testdir4
  - get_configuration2-/testdir1
  - get_configuration2-/testdir2
  - get_configuration2-/testdir3
  - get_configuration2-/testdir4
  - get_configuration0-/testdir1/subdir
  - get_configuration1-/testdir1/subdir
  - get_configuration2-/testdir1/subdir
  name: test_tag_directories
  parameters:
  - directory:
      brief: Path to the directory to be monitored.
      type: str
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - put_env_variables:
      brief: Create the environment variables.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
tier: 2
type: integration


test_dir.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <[email protected]>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are modified. Specifically, these tests will check if FIM events are generated when multiple environment variables are used to monitor directories. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 2,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux",
        "windows"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6",
        "Windows 10",
        "Windows 8",
        "Windows 7",
        "Windows Server 2016",
        "Windows server 2012",
        "Windows server 2003",
        "Windows XP"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#directories"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_env_variables"
    ],
    "name": "test_dir.py",
    "id": 1,
    "group_id": 0,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' daemon detects CUD events ('added', 'modified', and 'deleted') when environment variables are used to monitor directories. For this purpose, the test will monitor a directory that is defined in an environment variable. Then, different operations will be performed on testing files, and finally, the test will verify that the proper FIM events have been generated.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "directory": {
                        "type": "str",
                        "brief": "Path to the directory to be monitored."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "put_env_variables": {
                        "type": "fixture",
                        "brief": "Create the environment variables."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that FIM events are generated when environment variables are used to monitor directories."
            ],
            "input_description": "A test case (ossec_conf) is contained in external YAML file (wazuh_conf_dir.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon and, it is combined with the directories to be monitored defined as environment variables in this module.",
            "expected_output": [
                {
                    "r'.*Sending FIM event": "(.+)$' ('added', 'modified', and 'deleted' events)"
                }
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_tag_directories",
            "inputs": [
                "get_configuration0-/testdir1",
                "get_configuration0-/testdir2",
                "get_configuration0-/testdir3",
                "get_configuration0-/testdir4",
                "get_configuration1-/testdir1",
                "get_configuration1-/testdir2",
                "get_configuration1-/testdir3",
                "get_configuration1-/testdir4",
                "get_configuration2-/testdir1",
                "get_configuration2-/testdir2",
                "get_configuration2-/testdir3",
                "get_configuration2-/testdir4"
            ]
        }
    ]
}

test_dir.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggering
  alerts when these files are modified. Specifically, these tests will check if FIM
  events are generated when multiple environment variables are used to monitor directories.
  The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured
  files for changes to the checksums, permissions, and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <[email protected]>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 0
id: 1
modules:
- fim
name: test_dir.py
os_platform:
- linux
- windows
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
- Windows 10
- Windows 8
- Windows 7
- Windows Server 2016
- Windows server 2012
- Windows server 2003
- Windows XP
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#directories
tags:
- fim_env_variables
tests:
- assertions:
  - Verify that FIM events are generated when environment variables are used to monitor
    directories.
  description: Check if the 'wazuh-syscheckd' daemon detects CUD events ('added',
    'modified', and 'deleted') when environment variables are used to monitor directories.
    For this purpose, the test will monitor a directory that is defined in an environment
    variable. Then, different operations will be performed on testing files, and finally,
    the test will verify that the proper FIM events have been generated.
  expected_output:
  - r'.*Sending FIM event: (.+)$' ('added', 'modified', and 'deleted' events)
  input_description: A test case (ossec_conf) is contained in external YAML file (wazuh_conf_dir.yaml)
    which includes configuration settings for the 'wazuh-syscheckd' daemon and, it
    is combined with the directories to be monitored defined as environment variables
    in this module.
  inputs:
  - get_configuration0-/testdir1
  - get_configuration0-/testdir2
  - get_configuration0-/testdir3
  - get_configuration0-/testdir4
  - get_configuration1-/testdir1
  - get_configuration1-/testdir2
  - get_configuration1-/testdir3
  - get_configuration1-/testdir4
  - get_configuration2-/testdir1
  - get_configuration2-/testdir2
  - get_configuration2-/testdir3
  - get_configuration2-/testdir4
  name: test_tag_directories
  parameters:
  - directory:
      brief: Path to the directory to be monitored.
      type: str
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - put_env_variables:
      brief: Create the environment variables.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
tier: 2
type: integration


test_ignore.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <[email protected]>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are modified. Specifically, these tests will check if the 'ignore' tag works correctly when environment variables are used to define the directories to ignore. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 2,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux",
        "windows"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6",
        "Windows 10",
        "Windows 8",
        "Windows 7",
        "Windows Server 2016",
        "Windows server 2012",
        "Windows server 2003",
        "Windows XP"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#ignore"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_env_variables"
    ],
    "name": "test_ignore.py",
    "id": 3,
    "group_id": 0,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' daemon ignores directories when they are defined using environment variables. For this purpose, the test will monitor a directory that is ignored in an environment variable set in the 'ignore' tag. Then, a testing file will be added to that directory, and finally, the test will verify that the 'ignoring' or `added` FIM events have been generated according to the test case.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "directory": {
                        "type": "str",
                        "brief": "Path to the directory to be monitored."
                    }
                },
                {
                    "event_generated": {
                        "type": "bool",
                        "brief": "True if the directory is not ignored. False otherwise."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "put_env_variables": {
                        "type": "fixture",
                        "brief": "Create the environment variables."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that 'ignoring' FIM event is generated when the ignored directories are defined using environment variables."
            ],
            "input_description": "A test case (ossec_conf) is contained in external YAML file (wazuh_conf_ignore.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon and, it is combined with the directories to be ignored defined as environment variables in this module.",
            "expected_output": [
                {
                    "r'.*Sending FIM event": "(.+)$' ('added' event if the testing directory is not ignored)"
                },
                "r'.*Ignoring'"
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_tag_ignore",
            "inputs": [
                "get_configuration0-/testdir1-True",
                "get_configuration0-/testdir2-False",
                "get_configuration0-/testdir3-False",
                "get_configuration0-/testdir4-True",
                "get_configuration1-/testdir1-True",
                "get_configuration1-/testdir2-False",
                "get_configuration1-/testdir3-False",
                "get_configuration1-/testdir4-True",
                "get_configuration2-/testdir1-True",
                "get_configuration2-/testdir2-False",
                "get_configuration2-/testdir3-False",
                "get_configuration2-/testdir4-True"
            ]
        }
    ]
}

test_ignore.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggering
  alerts when these files are modified. Specifically, these tests will check if the
  'ignore' tag works correctly when environment variables are used to define the directories
  to ignore. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which
  checks configured files for changes to the checksums, permissions, and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <[email protected]>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 0
id: 3
modules:
- fim
name: test_ignore.py
os_platform:
- linux
- windows
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
- Windows 10
- Windows 8
- Windows 7
- Windows Server 2016
- Windows server 2012
- Windows server 2003
- Windows XP
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#ignore
tags:
- fim_env_variables
tests:
- assertions:
  - Verify that 'ignoring' FIM event is generated when the ignored directories are
    defined using environment variables.
  description: Check if the 'wazuh-syscheckd' daemon ignores directories when they
    are defined using environment variables. For this purpose, the test will monitor
    a directory that is ignored in an environment variable set in the 'ignore' tag.
    Then, a testing file will be added to that directory, and finally, the test will
    verify that the 'ignoring' or `added` FIM events have been generated according
    to the test case.
  expected_output:
  - r'.*Sending FIM event: (.+)$' ('added' event if the testing directory is not ignored)
  - r'.*Ignoring'
  input_description: A test case (ossec_conf) is contained in external YAML file (wazuh_conf_ignore.yaml)
    which includes configuration settings for the 'wazuh-syscheckd' daemon and, it
    is combined with the directories to be ignored defined as environment variables
    in this module.
  inputs:
  - get_configuration0-/testdir1-True
  - get_configuration0-/testdir2-False
  - get_configuration0-/testdir3-False
  - get_configuration0-/testdir4-True
  - get_configuration1-/testdir1-True
  - get_configuration1-/testdir2-False
  - get_configuration1-/testdir3-False
  - get_configuration1-/testdir4-True
  - get_configuration2-/testdir1-True
  - get_configuration2-/testdir2-False
  - get_configuration2-/testdir3-False
  - get_configuration2-/testdir4-True
  name: test_tag_ignore
  parameters:
  - directory:
      brief: Path to the directory to be monitored.
      type: str
  - event_generated:
      brief: True if the directory is not ignored. False otherwise.
      type: bool
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - put_env_variables:
      brief: Create the environment variables.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
tier: 2
type: integration
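The `expected_output` entries above (`r'.*Sending FIM event: (.+)$'` and `r'.*Ignoring'`) are the patterns the tests match against `ossec.log`, and the `inputs` ids (`get_configurationN-<directory>-<True|False>`) encode the parameters of each `test_tag_ignore` case. The following is an added example, not code from this PR or from the wazuh-qa framework, showing how those regexes and ids can be applied to a log to decide whether the `test_tag_directories` and `test_tag_ignore` expectations hold. The log lines are constructed for the example, and the JSON payload layout (`data.path`, `data.type`) and the wording of the `Ignoring` line are assumptions, not something this page states.

```python
import json
import re

# Patterns taken from the 'expected_output' fields of the generated documentation.
FIM_EVENT_RE = re.compile(r".*Sending FIM event: (.+)$")
IGNORING_RE = re.compile(r".*Ignoring")

# Constructed sample of ossec.log output. The timestamp/prefix, the payload layout
# ('data' -> 'path', 'type') and the 'Ignoring' wording are assumptions for this example.
SAMPLE_LOG = """\
2021/09/30 10:00:01 wazuh-syscheckd: DEBUG: Sending FIM event: {"type":"event","data":{"path":"/testdir1/file1","mode":"scheduled","type":"added"}}
2021/09/30 10:00:02 wazuh-syscheckd: DEBUG: Sending FIM event: {"type":"event","data":{"path":"/testdir1/file1","mode":"scheduled","type":"modified"}}
2021/09/30 10:00:03 wazuh-syscheckd: DEBUG: Sending FIM event: {"type":"event","data":{"path":"/testdir1/file1","mode":"scheduled","type":"deleted"}}
2021/09/30 10:00:04 wazuh-syscheckd: DEBUG: Ignoring '/testdir2/file2' due to ignore list.
2021/09/30 10:00:05 wazuh-syscheckd: DEBUG: Ignoring '/testdir3/file3' due to ignore list.
2021/09/30 10:00:06 wazuh-syscheckd: DEBUG: Sending FIM event: {"type":"event","data":{"path":"/testdir4/file4","mode":"scheduled","type":"added"}}
"""


def parse_fim_log(text):
    """Return ({path: [event types in order]}, [raw 'Ignoring' lines]) from log text."""
    events = {}
    ignored = []
    for line in text.splitlines():
        match = FIM_EVENT_RE.match(line)
        if match:
            data = json.loads(match.group(1))["data"]
            events.setdefault(data["path"], []).append(data["type"])
        elif IGNORING_RE.match(line):
            ignored.append(line)
    return events, ignored


def _types_under(events, directory):
    """All event types recorded for paths directly or indirectly inside 'directory'."""
    prefix = directory.rstrip("/") + "/"
    return [t for path, types in events.items() if path.startswith(prefix) for t in types]


def cud_events_seen(events, directory):
    """test_tag_directories: were 'added', 'modified' and 'deleted' all observed under directory?"""
    return {"added", "modified", "deleted"} <= set(_types_under(events, directory))


def ignore_case_holds(events, ignored, directory, event_generated):
    """test_tag_ignore: event_generated=True requires an 'added' event under the directory;
    False requires no event under it and an 'Ignoring' line that names it."""
    under = _types_under(events, directory)
    if event_generated:
        return "added" in under
    return not under and any(directory in line for line in ignored)


def check_ignore_inputs(events, ignored, inputs):
    """Evaluate pytest ids of the documented form 'get_configurationN-<dir>-<True|False>'."""
    results = {}
    for test_id in inputs:
        _config, directory, flag = test_id.split("-")
        results[test_id] = ignore_case_holds(events, ignored, directory, flag == "True")
    return results


if __name__ == "__main__":
    evs, ign = parse_fim_log(SAMPLE_LOG)
    print("CUD under /testdir1:", cud_events_seen(evs, "/testdir1"))
    print(check_ignore_inputs(evs, ign, [
        "get_configuration0-/testdir1-True",
        "get_configuration0-/testdir2-False",
        "get_configuration0-/testdir3-False",
        "get_configuration0-/testdir4-True",
    ]))
```

The check mirrors what the documented tests describe: `test_tag_directories` passes only when all three CUD event types appear for the monitored directory, while `test_tag_ignore` passes when directories flagged `False` produce an `Ignoring` line and no FIM event, and directories flagged `True` produce an `added` event.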


test_nodiff.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <[email protected]>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are modified. Specifically, these tests will check if the 'nodiff' tag works correctly when environment variables are used to define the files whose changes will not be tracked. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks  configured files for changes to the checksums, permissions, and ownership.",
    "tier": 2,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux",
        "windows",
        "macos"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6",
        "Windows 10",
        "Windows 8",
        "Windows 7",
        "Windows Server 2016",
        "Windows server 2012",
        "Windows server 2003",
        "Windows XP",
        "macOS Catalina"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#diff"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_env_variables"
    ],
    "name": "test_nodiff.py",
    "id": 4,
    "group_id": 0,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' daemon truncates the content in the 'diff' files when testing files are defined using environment variables via the 'nodiff' tag. For this purpose, the test will monitor a directory using the 'report_changes=yes' attribute and some testing files will be defined in the 'nodiff' tag using environment variables. Then, it will perform operations on the testing files and check if the corresponding diff files have been created. Finally, the test will verify that the 'diff' files of the testing files set in the 'nodiff' tag have their content truncated.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "directory": {
                        "type": "str",
                        "brief": "Path to the directory to be monitored."
                    }
                },
                {
                    "filename": {
                        "type": "str",
                        "brief": "Name of the testing file to be tracked."
                    }
                },
                {
                    "hidden_content": {
                        "type": "bool",
                        "brief": "True if the 'diff' file must not be created. False otherwise."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "put_env_variables": {
                        "type": "fixture",
                        "brief": "Create the environment variables."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that the 'content_changes' field of FIM events has a message indicating that the 'nodiff' option is being used.",
                "Verify that 'diff' files are its content truncated when files are specified via environment variables using the 'nodiff' tag."
            ],
            "input_description": "A test case (ossec_conf) is contained in external YAML file (wazuh_conf_nodiff.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon and, it is combined with the directories and testing files defined as environment variables in this module.",
            "expected_output": [
                {
                    "r'.*Sending FIM event": "(.+)$' ('added', 'modified', and 'deleted' events)"
                },
                "The 'diff' file in the default location."
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_tag_nodiff",
            "inputs": [
                "get_configuration0-/testdir1-testing.txt-False",
                "get_configuration0-/testdir2-test.txt-True",
                "get_configuration0-/testdir3-test.txt-True",
                "get_configuration0-/testdir4-testing.txt-False",
                "get_configuration1-/testdir1-testing.txt-False",
                "get_configuration1-/testdir2-test.txt-True",
                "get_configuration1-/testdir3-test.txt-True",
                "get_configuration1-/testdir4-testing.txt-False",
                "get_configuration2-/testdir1-testing.txt-False",
                "get_configuration2-/testdir2-test.txt-True",
                "get_configuration2-/testdir3-test.txt-True",
                "get_configuration2-/testdir4-testing.txt-False"
            ]
        }
    ]
}

test_nodiff.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggering
  alerts when these files are modified. Specifically, these tests will check if the
  'nodiff' tag works correctly when environment variables are used to define the files
  whose changes will not be tracked. The FIM capability is managed by the 'wazuh-syscheckd'
  daemon, which checks  configured files for changes to the checksums, permissions,
  and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <[email protected]>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 0
id: 4
modules:
- fim
name: test_nodiff.py
os_platform:
- linux
- windows
- macos
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
- Windows 10
- Windows 8
- Windows 7
- Windows Server 2016
- Windows server 2012
- Windows server 2003
- Windows XP
- macOS Catalina
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#diff
tags:
- fim_env_variables
tests:
- assertions:
  - Verify that the 'content_changes' field of FIM events has a message indicating
    that the 'nodiff' option is being used.
  - Verify that 'diff' files are its content truncated when files are specified via
    environment variables using the 'nodiff' tag.
  description: Check if the 'wazuh-syscheckd' daemon truncates the content in the
    'diff' files when testing files are defined using environment variables via the
    'nodiff' tag. For this purpose, the test will monitor a directory using the 'report_changes=yes'
    attribute and some testing files will be defined in the 'nodiff' tag using environment
    variables. Then, it will perform operations on the testing files and check if
    the corresponding diff files have been created. Finally, the test will verify
    that the 'diff' files of the testing files set in the 'nodiff' tag have their
    content truncated.
  expected_output:
  - r'.*Sending FIM event: (.+)$' ('added', 'modified', and 'deleted' events)
  - The 'diff' file in the default location.
  input_description: A test case (ossec_conf) is contained in external YAML file (wazuh_conf_nodiff.yaml)
    which includes configuration settings for the 'wazuh-syscheckd' daemon and, it
    is combined with the directories and testing files defined as environment variables
    in this module.
  inputs:
  - get_configuration0-/testdir1-testing.txt-False
  - get_configuration0-/testdir2-test.txt-True
  - get_configuration0-/testdir3-test.txt-True
  - get_configuration0-/testdir4-testing.txt-False
  - get_configuration1-/testdir1-testing.txt-False
  - get_configuration1-/testdir2-test.txt-True
  - get_configuration1-/testdir3-test.txt-True
  - get_configuration1-/testdir4-testing.txt-False
  - get_configuration2-/testdir1-testing.txt-False
  - get_configuration2-/testdir2-test.txt-True
  - get_configuration2-/testdir3-test.txt-True
  - get_configuration2-/testdir4-testing.txt-False
  name: test_tag_nodiff
  parameters:
  - directory:
      brief: Path to the directory to be monitored.
      type: str
  - filename:
      brief: Name of the testing file to be tracked.
      type: str
  - hidden_content:
      brief: True if the 'diff' file must not be created. False otherwise.
      type: bool
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - put_env_variables:
      brief: Create the environment variables.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
tier: 2
type: integration

test_file_limit

test_file_limit_capacity_alerts.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <[email protected]>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are modified. Specifically, these tests will check if the threshold set in the 'file_limit' tag generates FIM events when the number of monitored files approaches this value. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 1,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux",
        "windows"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6",
        "Windows 10",
        "Windows 8",
        "Windows 7",
        "Windows Server 2016",
        "Windows server 2012",
        "Windows server 2003",
        "Windows XP"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#file-limit",
        "https://en.wikipedia.org/wiki/Inode"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_file_limit"
    ],
    "name": "test_file_limit_capacity_alerts.py",
    "id": 10,
    "group_id": 4,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' daemon generates events for different capacity thresholds limits when using the 'schedule' monitoring mode. For this purpose, the test will monitor a directory in which several testing files will be created, corresponding to different percentages of the total file limit. Then, it will check if FIM events are generated when the number of files created exceeds 80% of the total and when the number is less than that percentage. Finally, the test will verify that on the FIM event, inodes and monitored files number match.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "percentage": {
                        "type": "int",
                        "brief": "Percentage of testing files to be created."
                    }
                },
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run test if matches with a configuration identifier, skip otherwise."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that FIM events are generated when the number of files to be monitored exceeds the established threshold and vice versa.",
                "Verify that the FIM events contain the same number of inodes and files in the monitored directory."
            ],
            "input_description": "A test case (file_limit_conf) is contained in external YAML file (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon and, it is combined with the testing directory to be monitored defined in this module.",
            "expected_output": [
                {
                    "r'.*Sending FIM event": "(.+)$' ('added' event if the testing directory is not ignored)"
                },
                "r'.*Sending DB * full alert.'",
                "r'.*Sending DB back to normal alert.'",
                "r'.*Fim inode entries*, path count'",
                "r'.*Fim entries' (on Windows systems)"
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_file_limit_capacity_alert",
            "inputs": [
                "get_configuration0-80-tags_to_apply0",
                "get_configuration0-90-tags_to_apply1",
                "get_configuration0-0-tags_to_apply2"
            ]
        }
    ]
}

test_file_limit_capacity_alerts.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggering
  alerts when these files are modified. Specifically, these tests will check if the
  threshold set in the 'file_limit' tag generates FIM events when the number of monitored
  files approaches this value. The FIM capability is managed by the 'wazuh-syscheckd'
  daemon, which checks configured files for changes to the checksums, permissions,
  and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <[email protected]>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 4
id: 10
modules:
- fim
name: test_file_limit_capacity_alerts.py
os_platform:
- linux
- windows
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
- Windows 10
- Windows 8
- Windows 7
- Windows Server 2016
- Windows server 2012
- Windows server 2003
- Windows XP
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#file-limit
- https://en.wikipedia.org/wiki/Inode
tags:
- fim_file_limit
tests:
- assertions:
  - Verify that FIM events are generated when the number of files to be monitored
    exceeds the established threshold and vice versa.
  - Verify that the FIM events contain the same number of inodes and files in the
    monitored directory.
  description: Check if the 'wazuh-syscheckd' daemon generates events for different
    capacity thresholds limits when using the 'schedule' monitoring mode. For this
    purpose, the test will monitor a directory in which several testing files will
    be created, corresponding to different percentages of the total file limit. Then,
    it will check if FIM events are generated when the number of files created exceeds
    80% of the total and when the number is less than that percentage. Finally, the
    test will verify that on the FIM event, inodes and monitored files number match.
  expected_output:
  - r'.*Sending FIM event: (.+)$' ('added' event if the testing directory is not ignored)
  - r'.*Sending DB * full alert.'
  - r'.*Sending DB back to normal alert.'
  - r'.*Fim inode entries*, path count'
  - r'.*Fim entries' (on Windows systems)
  input_description: A test case (file_limit_conf) is contained in external YAML file
    (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd'
    daemon and, it is combined with the testing directory to be monitored defined
    in this module.
  inputs:
  - get_configuration0-80-tags_to_apply0
  - get_configuration0-90-tags_to_apply1
  - get_configuration0-0-tags_to_apply2
  name: test_file_limit_capacity_alert
  parameters:
  - percentage:
      brief: Percentage of testing files to be created.
      type: int
  - tags_to_apply:
      brief: Run test if matches with a configuration identifier, skip otherwise.
      type: set
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
tier: 1
type: integration
test_file_limit_default.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <[email protected]>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are modified. Specifically, these tests will check if the maximum number of files monitored by the 'wazuh-syscheckd' daemon is set to default when the 'file_limit' tag is missing in the configuration. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 1,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux",
        "windows"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6",
        "Windows 10",
        "Windows 8",
        "Windows 7",
        "Windows Server 2016",
        "Windows server 2012",
        "Windows server 2003",
        "Windows XP"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#file-limit"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_file_limit"
    ],
    "name": "test_file_limit_default.py",
    "id": 5,
    "group_id": 4,
    "tests": [
        {
            "description": "Check if the maximum number of files monitored by the 'wazuh-syscheckd' daemon is set to default when the 'file_limit' tag is missing in the configuration. For this purpose, the test will monitor a directory and wait for FIM to start and generate an event indicating the maximum number of files to monitor. Finally, the test will verify that this number matches the default value (100000).",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run test if matches with a configuration identifier, skip otherwise."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                }
            ],
            "assertions": [
                "Verify that an FIM event is generated indicating the maximum number of files to monitor is the default value (100000)."
            ],
            "input_description": "A test case (file_limit_default) is contained in external YAML file (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon and, it is combined with the testing directory to be monitored defined in this module.",
            "expected_output": [
                "r'.*Maximum number of entries to be monitored'"
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_file_limit_default",
            "inputs": [
                "get_configuration0-tags_to_apply0",
                "get_configuration1-tags_to_apply0",
                "get_configuration2-tags_to_apply0"
            ]
        }
    ]
}

test_file_limit_default.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggering
  alerts when these files are modified. Specifically, these tests will check if the
  maximum number of files monitored by the 'wazuh-syscheckd' daemon is set to default
  when the 'file_limit' tag is missing in the configuration. The FIM capability is
  managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes
  to the checksums, permissions, and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <[email protected]>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 4
id: 5
modules:
- fim
name: test_file_limit_default.py
os_platform:
- linux
- windows
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
- Windows 10
- Windows 8
- Windows 7
- Windows Server 2016
- Windows server 2012
- Windows server 2003
- Windows XP
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#file-limit
tags:
- fim_file_limit
tests:
- assertions:
  - Verify that an FIM event is generated indicating the maximum number of files to
    monitor is the default value (100000).
  description: Check if the maximum number of files monitored by the 'wazuh-syscheckd'
    daemon is set to default when the 'file_limit' tag is missing in the configuration.
    For this purpose, the test will monitor a directory and wait for FIM to start
    and generate an event indicating the maximum number of files to monitor. Finally,
    the test will verify that this number matches the default value (100000).
  expected_output:
  - r'.*Maximum number of entries to be monitored'
  input_description: A test case (file_limit_default) is contained in external YAML
    file (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd'
    daemon and, it is combined with the testing directory to be monitored defined
    in this module.
  inputs:
  - get_configuration0-tags_to_apply0
  - get_configuration1-tags_to_apply0
  - get_configuration2-tags_to_apply0
  name: test_file_limit_default
  parameters:
  - tags_to_apply:
      brief: Run test if matches with a configuration identifier, skip otherwise.
      type: set
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
tier: 1
type: integration
test_file_limit_delete_full.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <[email protected]>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are modified. Specifically, these tests will check if, after manipulating files while the FIM database is in 'full database alert' mode, files that are deleted in 'normal' mode generate events consistent with deleted files. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 1,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux",
        "windows"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6",
        "Windows 10",
        "Windows 8",
        "Windows 7",
        "Windows Server 2016",
        "Windows server 2012",
        "Windows server 2003",
        "Windows XP"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#file-limit"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_file_limit"
    ],
    "name": "test_file_limit_delete_full.py",
    "id": 6,
    "group_id": 4,
    "tests": [
        {
            "description": "Check a specific case. If a testing file ('test_file1') is not inserted in the FIM database (because the maximum number of files to be monitored has already been reached), and another testing file ended in 0 ('test_file10') is in the database, after deleting 'test_file1', the FIM event 'delete' was raised for the 'test_file10' file. For this purpose, the test will monitor a directory and create several test files until the maximum limit of monitored files is reached. Then, it will create and delete the file 'test_file1' and wait for no FIM events to be generated (file limit reached). Finally, it will delete 'test_file10' and verify that the 'deleted' FIM event matches that file.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "folder": {
                        "type": "str",
                        "brief": "Path to the directory to be monitored."
                    }
                },
                {
                    "file_name": {
                        "type": "str",
                        "brief": "Name of the testing file to be created."
                    }
                },
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run test if matches with a configuration identifier, skip otherwise."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                }
            ],
            "assertions": [
                "Verify that the FIM database is in 'full database alert' mode when the maximum number of files to monitor has been reached.",
                "Verify that no FIM events are generated when operations are performed on new files and the limit of files to monitor has been reached.",
                "Verify that after manipulating files in 'full database alert' mode, files that are deleted while the FIM database is in 'normal' mode generate events consistent with deleted files."
            ],
            "input_description": "A test case (tags_delete_full) is contained in external YAML file (wazuh_conf_delete_full.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon and, it is combined with the testing directory to be monitored defined in this module.",
            "expected_output": [
                "r'.*Sending DB * full alert.'",
                "r'.*Sending FIM event: (.+)$' ('deleted' event)"
            ],
            "tags": [
                "realtime",
                "who-data"
            ],
            "name": "test_file_limit_delete_full",
            "inputs": [
                "get_configuration0-/testdir1-test_file1-tags_to_apply0",
                "get_configuration1-/testdir1-test_file1-tags_to_apply0"
            ]
        }
    ]
}

test_file_limit_delete_full.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggering
  alerts when these files are modified. Specifically, these tests will check if, after
  manipulating files while the FIM database is in 'full database alert' mode, files
  that are deleted in 'normal' mode generate events consistent with deleted files.
  The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured
  files for changes to the checksums, permissions, and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <[email protected]>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 4
id: 6
modules:
- fim
name: test_file_limit_delete_full.py
os_platform:
- linux
- windows
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
- Windows 10
- Windows 8
- Windows 7
- Windows Server 2016
- Windows server 2012
- Windows server 2003
- Windows XP
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#file-limit
tags:
- fim_file_limit
tests:
- assertions:
  - Verify that the FIM database is in 'full database alert' mode when the maximum
    number of files to monitor has been reached.
  - Verify that no FIM events are generated when operations are performed on new files
    and the limit of files to monitor has been reached.
  - Verify that after manipulating files in 'full database alert' mode, files that
    are deleted while the FIM database is in 'normal' mode generate events consistent
    with deleted files.
  description: Check a specific case. If a testing file ('test_file1') is not inserted
    in the FIM database (because the maximum number of files to be monitored has already
    been reached), and another testing file ended in 0 ('test_file10') is in the database,
    after deleting 'test_file1', the FIM event 'delete' was raised for the 'test_file10'
    file. For this purpose, the test will monitor a directory and create several test
    files until the maximum limit of monitored files is reached. Then, it will create
    and delete the file 'test_file1' and wait for no FIM events to be generated (file
    limit reached). Finally, it will delete 'test_file10' and verify that the 'deleted'
    FIM event matches that file.
  expected_output:
  - r'.*Sending DB * full alert.'
  - "r'.*Sending FIM event: (.+)$' ('deleted' event)"
  input_description: A test case (tags_delete_full) is contained in external YAML
    file (wazuh_conf_delete_full.yaml) which includes configuration settings for the
    'wazuh-syscheckd' daemon and, it is combined with the testing directory to be
    monitored defined in this module.
  inputs:
  - get_configuration0-/testdir1-test_file1-tags_to_apply0
  - get_configuration1-/testdir1-test_file1-tags_to_apply0
  name: test_file_limit_delete_full
  parameters:
  - folder:
      brief: Path to the directory to be monitored.
      type: str
  - file_name:
      brief: Name of the testing file to be created.
      type: str
  - tags_to_apply:
      brief: Run test if matches with a configuration identifier, skip otherwise.
      type: set
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  tags:
  - realtime
  - who-data
  wazuh_min_version: 4.2.0
tier: 1
type: integration


test_file_limit_full.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <[email protected]>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are modified. Specifically, these tests will check if FIM events are generated while the database is in 'full database alert' mode for reaching the limit of files to monitor set in the 'file_limit' tag. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 1,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux",
        "windows"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6",
        "Windows 10",
        "Windows 8",
        "Windows 7",
        "Windows Server 2016",
        "Windows server 2012",
        "Windows server 2003",
        "Windows XP"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#file-limit",
        "https://en.wikipedia.org/wiki/Inode"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_file_limit"
    ],
    "name": "test_file_limit_full.py",
    "id": 7,
    "group_id": 4,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' daemon generates proper events while the FIM database is in 'full database alert' mode for reaching the limit of files to monitor set in the 'file_limit' tag. For this purpose, the test will monitor a directory in which several testing files will be created until the file monitoring limit is reached. Then, it will check if the FIM event 'full' is generated when a new testing file is added to the monitored directory. Finally, the test will verify that on the FIM event, inodes and monitored files number match.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run test if matches with a configuration identifier, skip otherwise."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                }
            ],
            "assertions": [
                "Verify that the FIM database is in 'full database alert' mode when the maximum number of files to monitor has been reached.",
                "Verify that proper FIM events are generated while the database is in 'full database alert' mode."
            ],
            "input_description": "A test case (file_limit_conf) is contained in external YAML file (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon and, it is combined with the testing directory to be monitored defined in this module.",
            "expected_output": [
                "r'.*Sending DB * full alert.'",
                "r'.*The DB is full.*'",
                "r'.*Fim inode entries*, path count'",
                "r'.*Fim entries' (on Windows systems)"
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_file_limit_full",
            "inputs": [
                "get_configuration0-tags_to_apply0",
                "get_configuration1-tags_to_apply0",
                "get_configuration2-tags_to_apply0"
            ]
        }
    ]
}

test_file_limit_full.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggering
  alerts when these files are modified. Specifically, these tests will check if FIM
  events are generated while the database is in 'full database alert' mode for reaching
  the limit of files to monitor set in the 'file_limit' tag. The FIM capability is
  managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes
  to the checksums, permissions, and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <[email protected]>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 4
id: 7
modules:
- fim
name: test_file_limit_full.py
os_platform:
- linux
- windows
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
- Windows 10
- Windows 8
- Windows 7
- Windows Server 2016
- Windows server 2012
- Windows server 2003
- Windows XP
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#file-limit
- https://en.wikipedia.org/wiki/Inode
tags:
- fim_file_limit
tests:
- assertions:
  - Verify that the FIM database is in 'full database alert' mode when the maximum
    number of files to monitor has been reached.
  - Verify that proper FIM events are generated while the database is in 'full database
    alert' mode.
  description: Check if the 'wazuh-syscheckd' daemon generates proper events while
    the FIM database is in 'full database alert' mode for reaching the limit of files
    to monitor set in the 'file_limit' tag. For this purpose, the test will monitor
    a directory in which several testing files will be created until the file monitoring
    limit is reached. Then, it will check if the FIM event 'full' is generated when
    a new testing file is added to the monitored directory. Finally, the test will
    verify that on the FIM event, inodes and monitored files number match.
  expected_output:
  - r'.*Sending DB * full alert.'
  - r'.*The DB is full.*'
  - r'.*Fim inode entries*, path count'
  - r'.*Fim entries' (on Windows systems)
  input_description: A test case (file_limit_conf) is contained in external YAML file
    (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd'
    daemon and, it is combined with the testing directory to be monitored defined
    in this module.
  inputs:
  - get_configuration0-tags_to_apply0
  - get_configuration1-tags_to_apply0
  - get_configuration2-tags_to_apply0
  name: test_file_limit_full
  parameters:
  - tags_to_apply:
      brief: Run test if matches with a configuration identifier, skip otherwise.
      type: set
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
tier: 1
type: integration


test_file_limit_no_limit.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <[email protected]>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are modified. Specifically, these tests will check if the FIM event 'no limit' is generated when the 'file_limit' feature is disabled in the configuration. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 1,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux",
        "windows"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6",
        "Windows 10",
        "Windows 8",
        "Windows 7",
        "Windows Server 2016",
        "Windows server 2012",
        "Windows server 2003",
        "Windows XP"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#file-limit"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_file_limit"
    ],
    "name": "test_file_limit_no_limit.py",
    "id": 8,
    "group_id": 4,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' daemon detects that the 'file_limit' feature of FIM is disabled. For this purpose, the test will monitor a testing directory, and finally, it will verify that the FIM event 'no limit' is generated.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run test if matches with a configuration identifier, skip otherwise."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                }
            ],
            "assertions": [
                "Verify that the FIM event 'no limit' is generated when the 'file_limit' feature is disabled."
            ],
            "input_description": "A test case (no_file_limit) is contained in external YAML file (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon and, it is combined with the testing directory to be monitored defined in this module.",
            "expected_output": [
                "r'.*No limit set to maximum number of entries to be monitored'"
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_file_limit_no_limit",
            "inputs": [
                "get_configuration0-tags_to_apply0",
                "get_configuration1-tags_to_apply0",
                "get_configuration2-tags_to_apply0"
            ]
        }
    ]
}

test_file_limit_no_limit.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggering
  alerts when these files are modified. Specifically, these tests will check if the
  FIM event 'no limit' is generated when the 'file_limit' feature is disabled in the
  configuration. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which
  checks configured files for changes to the checksums, permissions, and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <[email protected]>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 4
id: 8
modules:
- fim
name: test_file_limit_no_limit.py
os_platform:
- linux
- windows
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
- Windows 10
- Windows 8
- Windows 7
- Windows Server 2016
- Windows server 2012
- Windows server 2003
- Windows XP
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#file-limit
tags:
- fim_file_limit
tests:
- assertions:
  - Verify that the FIM event 'no limit' is generated when the 'file_limit' feature
    is disabled.
  description: Check if the 'wazuh-syscheckd' daemon detects that the 'file_limit'
    feature of FIM is disabled. For this purpose, the test will monitor a testing
    directory, and finally, it will verify that the FIM event 'no limit' is generated.
  expected_output:
  - r'.*No limit set to maximum number of entries to be monitored'
  input_description: A test case (no_file_limit) is contained in external YAML file
    (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd'
    daemon and, it is combined with the testing directory to be monitored defined
    in this module.
  inputs:
  - get_configuration0-tags_to_apply0
  - get_configuration1-tags_to_apply0
  - get_configuration2-tags_to_apply0
  name: test_file_limit_no_limit
  parameters:
  - tags_to_apply:
      brief: Run test if matches with a configuration identifier, skip otherwise.
      type: set
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
tier: 1
type: integration


test_file_limit_values.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <[email protected]>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are modified. Specifically, these tests will check if the FIM event 'maximum number of entries' has the correct value for the monitored files limit of the 'file_limit' feature. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 1,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux",
        "windows"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6",
        "Windows 10",
        "Windows 8",
        "Windows 7",
        "Windows Server 2016",
        "Windows server 2012",
        "Windows server 2003",
        "Windows XP"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#file-limit",
        "https://en.wikipedia.org/wiki/Inode"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_file_limit"
    ],
    "name": "test_file_limit_values.py",
    "id": 9,
    "group_id": 4,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' daemon detects that the value of the 'entries' tag, which corresponds to the maximum number of files to monitor from the 'file_limit' feature of FIM. For this purpose, the test will monitor a directory. Then, it will check if the FIM event 'maximum number of entries' is generated and has the correct value. Finally, the test will verify that on the FIM event, inodes and monitored files number match.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run test if matches with a configuration identifier, skip otherwise."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                }
            ],
            "assertions": [
                "Verify that the FIM event 'maximum number of entries' has the correct value for the monitored files limit of the 'file_limit' feature."
            ],
            "input_description": "A test case (file_limit_conf) is contained in external YAML file (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon and, it is combined with the testing directory to be monitored defined in this module.",
            "expected_output": [
                "r'.*Maximum number of entries to be monitored'"
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_file_limit_values",
            "inputs": [
                "get_configuration0-tags_to_apply0",
                "get_configuration1-tags_to_apply0",
                "get_configuration2-tags_to_apply0",
                "get_configuration3-tags_to_apply0",
                "get_configuration4-tags_to_apply0",
                "get_configuration5-tags_to_apply0",
                "get_configuration6-tags_to_apply0",
                "get_configuration7-tags_to_apply0",
                "get_configuration8-tags_to_apply0",
                "get_configuration9-tags_to_apply0",
                "get_configuration10-tags_to_apply0",
                "get_configuration11-tags_to_apply0"
            ]
        }
    ]
}

test_file_limit_values.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggering
  alerts when these files are modified. Specifically, these tests will check if the
  FIM event 'maximum number of entries' has the correct value for the monitored files
  limit of the 'file_limit' feature. The FIM capability is managed by the 'wazuh-syscheckd'
  daemon, which checks configured files for changes to the checksums, permissions,
  and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <[email protected]>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 4
id: 9
modules:
- fim
name: test_file_limit_values.py
os_platform:
- linux
- windows
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
- Windows 10
- Windows 8
- Windows 7
- Windows Server 2016
- Windows server 2012
- Windows server 2003
- Windows XP
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#file-limit
- https://en.wikipedia.org/wiki/Inode
tags:
- fim_file_limit
tests:
- assertions:
  - Verify that the FIM event 'maximum number of entries' has the correct value for
    the monitored files limit of the 'file_limit' feature.
  description: Check if the 'wazuh-syscheckd' daemon detects that the value of the
    'entries' tag, which corresponds to the maximum number of files to monitor from
    the 'file_limit' feature of FIM. For this purpose, the test will monitor a directory.
    Then, it will check if the FIM event 'maximum number of entries' is generated
    and has the correct value. Finally, the test will verify that on the FIM event,
    inodes and monitored files number match.
  expected_output:
  - r'.*Maximum number of entries to be monitored'
  input_description: A test case (file_limit_conf) is contained in external YAML file
    (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd'
    daemon and, it is combined with the testing directory to be monitored defined
    in this module.
  inputs:
  - get_configuration0-tags_to_apply0
  - get_configuration1-tags_to_apply0
  - get_configuration2-tags_to_apply0
  - get_configuration3-tags_to_apply0
  - get_configuration4-tags_to_apply0
  - get_configuration5-tags_to_apply0
  - get_configuration6-tags_to_apply0
  - get_configuration7-tags_to_apply0
  - get_configuration8-tags_to_apply0
  - get_configuration9-tags_to_apply0
  - get_configuration10-tags_to_apply0
  - get_configuration11-tags_to_apply0
  name: test_file_limit_values
  parameters:
  - tags_to_apply:
      brief: Run test if matches with a configuration identifier, skip otherwise.
      type: set
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
tier: 1
type: integration
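
The test described above checks that the limit 'wazuh-syscheckd' announces in its log matches the configured 'file_limit' value. The following is an added example, not code from this PR or from the Wazuh project, that performs the same consistency check in plain Python: it reads `<syscheck><file_limit><entries>` from an ossec.conf fragment and compares it with the number found by the regex listed under expected_output. The assumptions not taken from the page are that the log line carries the numeric limit after the matched phrase, and that the configuration and log samples are constructed for this example.

```python
"""Added example: configured file_limit vs. the limit announced by syscheckd.

Not part of the PR or of the Wazuh codebase. Assumes (not from the page) that
the log line ends with the numeric limit after the documented phrase.
"""
import re
import xml.etree.ElementTree as ET
from typing import Iterable, Optional

# The documented expected_output regex, extended (assumption) with a capture
# group so the announced limit can be compared with the configured one.
MAX_ENTRIES_RE = re.compile(r".*Maximum number of entries to be monitored:?\s*(\d+)")


def configured_file_limit(ossec_conf_xml: str) -> Optional[int]:
    """Return <syscheck><file_limit><entries> as an int.

    Returns None when the block is absent, disabled (enabled != yes) or has no
    <entries> value; daemon-side defaults are deliberately not modelled here.
    """
    root = ET.fromstring(ossec_conf_xml)
    file_limit = root.find("./syscheck/file_limit")
    if file_limit is None:
        return None
    enabled = (file_limit.findtext("enabled") or "yes").strip().lower()
    entries = file_limit.findtext("entries")
    if enabled != "yes" or entries is None:
        return None
    return int(entries.strip())


def announced_file_limit(log_lines: Iterable[str]) -> Optional[int]:
    """Return the limit from the first log line matching MAX_ENTRIES_RE.

    None means the daemon never logged it, which is what the test's
    expected_output wait would turn into a timeout failure.
    """
    for line in log_lines:
        match = MAX_ENTRIES_RE.search(line)
        if match:
            return int(match.group(1))
    return None


def file_limit_matches(ossec_conf_xml: str, log_lines: Iterable[str]) -> bool:
    """True only when a limit is configured and equals what syscheckd logged."""
    configured = configured_file_limit(ossec_conf_xml)
    announced = announced_file_limit(log_lines)
    return configured is not None and configured == announced


# Constructed samples (not real Wazuh output), shaped like the test's inputs.
SAMPLE_CONF = """<ossec_config>
  <syscheck>
    <file_limit>
      <enabled>yes</enabled>
      <entries>100000</entries>
    </file_limit>
    <directories>/testdir1</directories>
  </syscheck>
</ossec_config>"""

SAMPLE_LOG = [
    "2021/10/01 09:17:00 wazuh-syscheckd: INFO: Starting syscheck scan.",
    "2021/10/01 09:17:00 wazuh-syscheckd: DEBUG: Maximum number of entries to be monitored: 100000",
]

if __name__ == "__main__":
    print("configured:", configured_file_limit(SAMPLE_CONF))
    print("announced: ", announced_file_limit(SAMPLE_LOG))
    print("match:     ", file_limit_matches(SAMPLE_CONF, SAMPLE_LOG))
```

Running the module with its constructed samples reports a match; feeding it a log where the daemon announces a different number (or nothing at all) makes `file_limit_matches` return False, which is the condition the documented assertion is meant to catch.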

Tests

  • Python codebase satisfies PEP-8 style guide. pycodestyle --max-line-length=120 --show-source --show-pep8 file.py.
  • The DocGenerator sanity check test does not return errors. python3 DocGenerator.py -s

…style

The following tests have been documented:
  * test_audit.py
  * test_audit_after_initial_scan.py
  * test_audit_no_dir.py
  * test_remove_audit.py
  * test_remove_rule_five_times.py
Minor corrections in the documentation of the remaining tests.
The current scheme of the issue #1694 has been used.
PEP-8 fixes.

Closes: #1918
…style

Remove special character in the expected_output field
that prevents the documentation generation in:
  * test_audit.py
  * test_audit_after_initial_scan.py

Closes: #1918
… Docs style

The following test, test_basic_usage_baseline_generation.py, has been documented.
The current scheme of the issue #1694 has been used.
PEP-8 fixes.

Closes: #1927
…s style

The following tests have been documented:
  * test_basic_usage_changes.py
  * test_basic_usage_create_after_delete_dir.py
  * test_basic_usage_create_rt_wd.py
  * test_basic_usage_create_scheduled.py
  * test_basic_usage_db_inode_check.py
  * test_basic_usage_delete_folder.py
  * test_basic_usage_dir_with_commas.py
  * test_basic_usage_disabled.py
  * test_basic_usage_entries_match_path_count.py
Minor corrections in the documentation of the remaining tests.
The current scheme of the issue #1694 has been used.
PEP-8 fixes.

Closes: #1927
Minor corrections in the tests documentation.

Closes: #1927
…s style

The following tests have been documented:
  * test_basic_usage_move_dir.py
  * test_basic_usage_move_file.py
  * test_basic_usage_new_dirs.py
  * test_basic_usage_no_dir.py
  * test_basic_usage_quick_changes.py
  * test_basic_usage_rename.py
  * test_basic_usage_starting_agent.py
  * test_basic_usage_wildcards_runtime.py
Minor corrections in the documentation of the remaining tests.
The current scheme of the issue #1694 has been used.
PEP-8 fixes.

Closes: #1927
…s style

The following tests have been documented:
  * test_basic_usage_wildcards_runtime.py
  * test_basic_usage_wildcards.py
Minor corrections in the documentation of the remaining tests.
The current scheme of the issue #1694 has been used.
Updated config.yaml
PEP-8 fixes.

Closes: #1927
…ntation in QA Docs style

The following tests have been documented:
  * test_benchmark.py
  * test_report_changes_big.py
  * test_check_all.py
  * test_check_others.py
  * test_checksums.py
The current scheme of the issue #1694 has been used.
PEP-8 fixes.

Closes: #1936
…ntation in QA Docs style

The following tests have been documented:
  * test_hard_link.py
Enhancements in the documentation of the remaining tests.
The current scheme of the issue #1694 has been used.
PEP-8 fixes.

Closes: #1936
…s documentation in QA Docs style

The following tests have been documented:
  * test_dir.py
  * test_dir_win32.py
  * test_ignore.py
  * test_nodiff.py
The current scheme of the issue #1694 has been used.
PEP-8 fixes.

Closes: #1945
…s documentation in QA Docs style

The following tests have been documented:
  * test_file_limit_capacity_alerts.py
  * test_file_limit_default.py
  * test_file_limit_delete_full.py
  * test_file_limit_full.py
  * test_file_limit_no_limit.py
  * test_file_limit_values.py
Minor corrections in the documentation of the remaining tests.
The current scheme of the issue #1694 has been used.
Updated config.yaml
PEP-8 fixes.

Closes: #1945
@roronoasins roronoasins left a comment

👌

@mdengra mdengra merged commit 6bf27d8 into 1810-qadocs-migrate-test-fim Oct 1, 2021
@mdengra mdengra deleted the 1945-qadocs-migrate-test-fim-env-variables-and-file-limit branch October 1, 2021 09:17
Successfully merging this pull request may close these issues.

qa-docs: Migrate test_env_variables and test_file_limit of test_fim/test_files documentation to schema 2.0