
Migrate test_registry_restrict and test_registry_tags of test_fim/test_registry, and test_fim/test_synchronization documentation to qa-docs #2106

mdengra
Contributor

@mdengra mdengra commented Oct 22, 2021

Related issue
Closes #2085

Description

As part of issue #1810 and epic #1796, this PR adds the missing documentation and migrates the current documentation to the new format used by qa-docs.
The schema used is the one defined in issue #1694.

New tags

The following tags are added to the wiki: fim_registry_report_changes

Generated documentation

test_registry_restrict

test_registry_restrict.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <[email protected]>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "The File Integrity Monitoring (FIM) system watches selected files and triggers alerts when these files are modified. Specifically, these tests will verify that FIM generates events only for registry entry operations in monitored keys that do not match the 'restrict_key' or the 'restrict_value' attributes. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 1,
    "modules": [
        "fim"
    ],
    "components": [
        "agent"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "windows"
    ],
    "os_version": [
        "Windows 10",
        "Windows 8",
        "Windows 7",
        "Windows Server 2016",
        "Windows Server 2012",
        "Windows Server 2003",
        "Windows XP"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#windows-registry"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_registry_restrict"
    ],
    "name": "test_registry_restrict.py",
    "id": 1,
    "group_id": 0,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' daemon detects or ignores events in monitored registry entries depending on the value set in the 'restrict_value' attribute. This attribute limits checks to values whose name matches the entered string or regex. For this purpose, the test will monitor a key, create testing values inside it, and perform operations on those values. Finally, the test will verify that FIM 'added' and 'modified' events are generated only for the testing values that are not restricted.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "key": {
                        "type": "str",
                        "brief": "Path of the registry root key (HKEY_* constants)."
                    }
                },
                {
                    "subkey": {
                        "type": "str",
                        "brief": "The registry key being monitored by syscheck."
                    }
                },
                {
                    "arch": {
                        "type": "str",
                        "brief": "Architecture of the registry."
                    }
                },
                {
                    "value_name": {
                        "type": "str",
                        "brief": "Name of the testing value that will be created."
                    }
                },
                {
                    "triggers_event": {
                        "type": "bool",
                        "brief": "True if an event must be generated, False otherwise."
                    }
                },
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run the test if it matches a configuration identifier, skip otherwise."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that FIM events are only generated for operations in monitored values that do not match the 'restrict_value' attribute.",
                "Verify that FIM 'ignoring' events are generated for monitored values that are restricted."
            ],
            "input_description": "A test case (value_restrict) is contained in an external YAML file (wazuh_restrict_conf.yaml) that includes configuration settings for the 'wazuh-syscheckd' daemon. It is combined with the testing registry keys to be monitored, which are defined in this module.",
            "expected_output": [
                {
                    "r'.*Sending FIM event": "(.+)$' ('added', 'modified' events)"
                },
                "r'.*Ignoring entry .* due to restriction .*'"
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_restrict_value",
            "inputs": [
                "get_configuration0-HKEY_LOCAL_MACHINE-SOFTWARE\\\\Classes\\\\testkey-0-value_restrict-True-tags_to_apply0",
                "get_configuration0-HKEY_LOCAL_MACHINE-SOFTWARE\\\\testkey-0-value_restrict-True-tags_to_apply1",
                "get_configuration0-HKEY_LOCAL_MACHINE-SOFTWARE\\\\testkey-0-value_restrict-True-tags_to_apply2",
                "get_configuration0-HKEY_LOCAL_MACHINE-SOFTWARE\\\\Classes\\\\testkey-0-some_value-False-tags_to_apply3",
                "get_configuration0-HKEY_LOCAL_MACHINE-SOFTWARE\\\\testkey-0-some_value-False-tags_to_apply4",
                "get_configuration0-HKEY_LOCAL_MACHINE-SOFTWARE\\\\testkey-0-some_value-False-tags_to_apply5",
                "get_configuration1-HKEY_LOCAL_MACHINE-SOFTWARE\\\\Classes\\\\testkey-0-value_restrict-True-tags_to_apply0",
                "get_configuration1-HKEY_LOCAL_MACHINE-SOFTWARE\\\\testkey-0-value_restrict-True-tags_to_apply1",
                "get_configuration1-HKEY_LOCAL_MACHINE-SOFTWARE\\\\testkey-0-value_restrict-True-tags_to_apply2",
                "get_configuration1-HKEY_LOCAL_MACHINE-SOFTWARE\\\\Classes\\\\testkey-0-some_value-False-tags_to_apply3",
                "get_configuration1-HKEY_LOCAL_MACHINE-SOFTWARE\\\\testkey-0-some_value-False-tags_to_apply4",
                "get_configuration1-HKEY_LOCAL_MACHINE-SOFTWARE\\\\testkey-0-some_value-False-tags_to_apply5"
            ]
        },
        {
            "description": "Check if the 'wazuh-syscheckd' daemon detects or ignores events in monitored registry entries depending on the value set in the 'restrict_key' attribute. This attribute limits checks to keys whose name matches the entered string or regex. For this purpose, the test will monitor a key, create testing subkeys inside it, and perform operations on those subkeys. Finally, the test will verify that FIM 'added' and 'deleted' events are generated only for the testing subkeys that are not restricted.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "key": {
                        "type": "str",
                        "brief": "Path of the registry root key (HKEY_* constants)."
                    }
                },
                {
                    "subkey": {
                        "type": "str",
                        "brief": "The registry key being monitored by syscheck."
                    }
                },
                {
                    "test_subkey": {
                        "type": "str",
                        "brief": "Name of the key that will be used for the test."
                    }
                },
                {
                    "arch": {
                        "type": "str",
                        "brief": "Architecture of the registry."
                    }
                },
                {
                    "triggers_event": {
                        "type": "bool",
                        "brief": "True if an event must be generated, False otherwise."
                    }
                },
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run the test if it matches a configuration identifier, skip otherwise."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that FIM events are only generated for operations in monitored keys that do not match the 'restrict_key' attribute.",
                "Verify that FIM 'ignoring' events are generated for monitored keys that are restricted."
            ],
            "input_description": "A test case (key_restrict) is contained in an external YAML file (wazuh_restrict_conf.yaml) that includes configuration settings for the 'wazuh-syscheckd' daemon. It is combined with the testing registry keys to be monitored, which are defined in this module.",
            "expected_output": [
                {
                    "r'.*Sending FIM event": "(.+)$' ('added', 'deleted' events)"
                },
                "r'.*Ignoring entry .* due to restriction .*'"
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_restrict_key",
            "inputs": [
                "get_configuration0-HKEY_LOCAL_MACHINE-SOFTWARE\\\\Classes\\\\testkey-key_restrict-0-True-tags_to_apply0",
                "get_configuration0-HKEY_LOCAL_MACHINE-SOFTWARE\\\\testkey-key_restrict-0-True-tags_to_apply1",
                "get_configuration0-HKEY_LOCAL_MACHINE-SOFTWARE\\\\testkey-key_restrict-0-True-tags_to_apply2",
                "get_configuration0-HKEY_LOCAL_MACHINE-SOFTWARE\\\\Classes\\\\testkey-some_key-0-False-tags_to_apply3",
                "get_configuration0-HKEY_LOCAL_MACHINE-SOFTWARE\\\\testkey-some_key-0-False-tags_to_apply4",
                "get_configuration0-HKEY_LOCAL_MACHINE-SOFTWARE\\\\testkey-some_key-0-False-tags_to_apply5",
                "get_configuration1-HKEY_LOCAL_MACHINE-SOFTWARE\\\\Classes\\\\testkey-key_restrict-0-True-tags_to_apply0",
                "get_configuration1-HKEY_LOCAL_MACHINE-SOFTWARE\\\\testkey-key_restrict-0-True-tags_to_apply1",
                "get_configuration1-HKEY_LOCAL_MACHINE-SOFTWARE\\\\testkey-key_restrict-0-True-tags_to_apply2",
                "get_configuration1-HKEY_LOCAL_MACHINE-SOFTWARE\\\\Classes\\\\testkey-some_key-0-False-tags_to_apply3",
                "get_configuration1-HKEY_LOCAL_MACHINE-SOFTWARE\\\\testkey-some_key-0-False-tags_to_apply4",
                "get_configuration1-HKEY_LOCAL_MACHINE-SOFTWARE\\\\testkey-some_key-0-False-tags_to_apply5"
            ]
        }
    ]
}

test_registry_restrict.yaml

brief: The File Integrity Monitoring (FIM) system watches selected files and triggers
  alerts when these files are modified. Specifically, these tests will verify that
  FIM generates events only for registry entry operations in monitored keys that do
  not match the 'restrict_key' or the 'restrict_value' attributes. The FIM capability
  is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes
  to the checksums, permissions, and ownership.
components:
- agent
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <[email protected]>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 0
id: 1
modules:
- fim
name: test_registry_restrict.py
os_platform:
- windows
os_version:
- Windows 10
- Windows 8
- Windows 7
- Windows Server 2016
- Windows Server 2012
- Windows Server 2003
- Windows XP
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#windows-registry
tags:
- fim_registry_restrict
tests:
- assertions:
  - Verify that FIM events are only generated for operations in monitored values that
    do not match the 'restrict_value' attribute.
  - Verify that FIM 'ignoring' events are generated for monitored values that are
    restricted.
  description: Check if the 'wazuh-syscheckd' daemon detects or ignores events in
    monitored registry entries depending on the value set in the 'restrict_value'
    attribute. This attribute limits checks to values whose name matches the entered
    string or regex. For this purpose, the test will monitor a key, create testing
    values inside it, and perform operations on those values. Finally, the test will
    verify that FIM 'added' and 'modified' events are generated only for the testing
    values that are not restricted.
  expected_output:
  - r'.*Sending FIM event: (.+)$' ('added', 'modified' events)
  - r'.*Ignoring entry .* due to restriction .*'
  input_description: A test case (value_restrict) is contained in an external YAML
    file (wazuh_restrict_conf.yaml) that includes configuration settings for the 'wazuh-syscheckd'
    daemon. It is combined with the testing registry keys to be monitored, which are
    defined in this module.
  inputs:
  - get_configuration0-HKEY_LOCAL_MACHINE-SOFTWARE\\Classes\\testkey-0-value_restrict-True-tags_to_apply0
  - get_configuration0-HKEY_LOCAL_MACHINE-SOFTWARE\\testkey-0-value_restrict-True-tags_to_apply1
  - get_configuration0-HKEY_LOCAL_MACHINE-SOFTWARE\\testkey-0-value_restrict-True-tags_to_apply2
  - get_configuration0-HKEY_LOCAL_MACHINE-SOFTWARE\\Classes\\testkey-0-some_value-False-tags_to_apply3
  - get_configuration0-HKEY_LOCAL_MACHINE-SOFTWARE\\testkey-0-some_value-False-tags_to_apply4
  - get_configuration0-HKEY_LOCAL_MACHINE-SOFTWARE\\testkey-0-some_value-False-tags_to_apply5
  - get_configuration1-HKEY_LOCAL_MACHINE-SOFTWARE\\Classes\\testkey-0-value_restrict-True-tags_to_apply0
  - get_configuration1-HKEY_LOCAL_MACHINE-SOFTWARE\\testkey-0-value_restrict-True-tags_to_apply1
  - get_configuration1-HKEY_LOCAL_MACHINE-SOFTWARE\\testkey-0-value_restrict-True-tags_to_apply2
  - get_configuration1-HKEY_LOCAL_MACHINE-SOFTWARE\\Classes\\testkey-0-some_value-False-tags_to_apply3
  - get_configuration1-HKEY_LOCAL_MACHINE-SOFTWARE\\testkey-0-some_value-False-tags_to_apply4
  - get_configuration1-HKEY_LOCAL_MACHINE-SOFTWARE\\testkey-0-some_value-False-tags_to_apply5
  name: test_restrict_value
  parameters:
  - key:
      brief: Path of the registry root key (HKEY_* constants).
      type: str
  - subkey:
      brief: The registry key being monitored by syscheck.
      type: str
  - arch:
      brief: Architecture of the registry.
      type: str
  - value_name:
      brief: Name of the testing value that will be created.
      type: str
  - triggers_event:
      brief: True if an event must be generated, False otherwise.
      type: bool
  - tags_to_apply:
      brief: Run the test if it matches a configuration identifier, skip otherwise.
      type: set
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
- assertions:
  - Verify that FIM events are only generated for operations in monitored keys that
    do not match the 'restrict_key' attribute.
  - Verify that FIM 'ignoring' events are generated for monitored keys that are restricted.
  description: Check if the 'wazuh-syscheckd' daemon detects or ignores events in
    monitored registry entries depending on the value set in the 'restrict_key' attribute.
    This attribute limits checks to keys whose name matches the entered string or
    regex. For this purpose, the test will monitor a key, create testing subkeys
    inside it, and perform operations on those subkeys. Finally, the test will verify
    that FIM 'added' and 'deleted' events are generated only for the testing subkeys
    that are not restricted.
  expected_output:
  - r'.*Sending FIM event: (.+)$' ('added', 'deleted' events)
  - r'.*Ignoring entry .* due to restriction .*'
  input_description: A test case (key_restrict) is contained in an external YAML
    file (wazuh_restrict_conf.yaml) that includes configuration settings for the 'wazuh-syscheckd'
    daemon. It is combined with the testing registry keys to be monitored, which are
    defined in this module.
  inputs:
  - get_configuration0-HKEY_LOCAL_MACHINE-SOFTWARE\\Classes\\testkey-key_restrict-0-True-tags_to_apply0
  - get_configuration0-HKEY_LOCAL_MACHINE-SOFTWARE\\testkey-key_restrict-0-True-tags_to_apply1
  - get_configuration0-HKEY_LOCAL_MACHINE-SOFTWARE\\testkey-key_restrict-0-True-tags_to_apply2
  - get_configuration0-HKEY_LOCAL_MACHINE-SOFTWARE\\Classes\\testkey-some_key-0-False-tags_to_apply3
  - get_configuration0-HKEY_LOCAL_MACHINE-SOFTWARE\\testkey-some_key-0-False-tags_to_apply4
  - get_configuration0-HKEY_LOCAL_MACHINE-SOFTWARE\\testkey-some_key-0-False-tags_to_apply5
  - get_configuration1-HKEY_LOCAL_MACHINE-SOFTWARE\\Classes\\testkey-key_restrict-0-True-tags_to_apply0
  - get_configuration1-HKEY_LOCAL_MACHINE-SOFTWARE\\testkey-key_restrict-0-True-tags_to_apply1
  - get_configuration1-HKEY_LOCAL_MACHINE-SOFTWARE\\testkey-key_restrict-0-True-tags_to_apply2
  - get_configuration1-HKEY_LOCAL_MACHINE-SOFTWARE\\Classes\\testkey-some_key-0-False-tags_to_apply3
  - get_configuration1-HKEY_LOCAL_MACHINE-SOFTWARE\\testkey-some_key-0-False-tags_to_apply4
  - get_configuration1-HKEY_LOCAL_MACHINE-SOFTWARE\\testkey-some_key-0-False-tags_to_apply5
  name: test_restrict_key
  parameters:
  - key:
      brief: Path of the registry root key (HKEY_* constants).
      type: str
  - subkey:
      brief: The registry key being monitored by syscheck.
      type: str
  - test_subkey:
      brief: Name of the key that will be used for the test.
      type: str
  - arch:
      brief: Architecture of the registry.
      type: str
  - triggers_event:
      brief: True if an event must be generated, False otherwise.
      type: bool
  - tags_to_apply:
      brief: Run the test if it matches a configuration identifier, skip otherwise.
      type: set
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
tier: 1
type: integration

test_registry_tags

test_registry_tags.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <[email protected]>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "The File Integrity Monitoring (FIM) system watches selected files and triggers alerts when these files are modified. Specifically, these tests will check if FIM events include all tags set in the 'tags' attribute. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 1,
    "modules": [
        "fim"
    ],
    "components": [
        "agent"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "windows"
    ],
    "os_version": [
        "Windows 10",
        "Windows 8",
        "Windows 7",
        "Windows Server 2016",
        "Windows Server 2012",
        "Windows Server 2003",
        "Windows XP"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#windows-registry"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_registry_tags"
    ],
    "name": "test_registry_tags.py",
    "id": 2,
    "group_id": 1,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' daemon generates the tags required for each event depending on the values set in the 'tags' attribute. This attribute allows adding tags to alerts for monitored registry entries. For this purpose, the test will monitor a key and make value operations inside it. Finally, it will verify that the generated FIM events include in the 'tags' field all tags set in the configuration.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "key": {
                        "type": "str",
                        "brief": "Path of the registry root key (HKEY_* constants)."
                    }
                },
                {
                    "subkey": {
                        "type": "str",
                        "brief": "The registry key being monitored by syscheck."
                    }
                },
                {
                    "arch": {
                        "type": "str",
                        "brief": "Architecture of the registry."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that FIM events include all tags set in the 'tags' attribute."
            ],
            "input_description": "A test case (ossec_conf) is contained in an external YAML file (wazuh_registry_tag_conf.yaml) that includes configuration settings for the 'wazuh-syscheckd' daemon. It is combined with the testing registry keys to be monitored, which are defined in this module.",
            "expected_output": [
                {
                    "r'.*Sending FIM event": "(.+)$' ('added', 'modified', and 'deleted' events)"
                }
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_tags",
            "inputs": [
                "get_configuration0-HKEY_LOCAL_MACHINE-SOFTWARE\\\\test_key-00",
                "get_configuration0-HKEY_LOCAL_MACHINE-SOFTWARE\\\\test_key-01",
                "get_configuration0-HKEY_LOCAL_MACHINE-SOFTWARE\\\\Classes\\\\test_key-0",
                "get_configuration1-HKEY_LOCAL_MACHINE-SOFTWARE\\\\test_key-00",
                "get_configuration1-HKEY_LOCAL_MACHINE-SOFTWARE\\\\test_key-01",
                "get_configuration1-HKEY_LOCAL_MACHINE-SOFTWARE\\\\Classes\\\\test_key-0",
                "get_configuration2-HKEY_LOCAL_MACHINE-SOFTWARE\\\\test_key-00",
                "get_configuration2-HKEY_LOCAL_MACHINE-SOFTWARE\\\\test_key-01",
                "get_configuration2-HKEY_LOCAL_MACHINE-SOFTWARE\\\\Classes\\\\test_key-0",
                "get_configuration3-HKEY_LOCAL_MACHINE-SOFTWARE\\\\test_key-00",
                "get_configuration3-HKEY_LOCAL_MACHINE-SOFTWARE\\\\test_key-01",
                "get_configuration3-HKEY_LOCAL_MACHINE-SOFTWARE\\\\Classes\\\\test_key-0",
                "get_configuration4-HKEY_LOCAL_MACHINE-SOFTWARE\\\\test_key-00",
                "get_configuration4-HKEY_LOCAL_MACHINE-SOFTWARE\\\\test_key-01",
                "get_configuration4-HKEY_LOCAL_MACHINE-SOFTWARE\\\\Classes\\\\test_key-0"
            ]
        }
    ]
}

test_registry_tags.yaml

brief: The File Integrity Monitoring (FIM) system watches selected files and triggers
  alerts when these files are modified. Specifically, these tests will check if FIM
  events include all tags set in the 'tags' attribute. The FIM capability is managed
  by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the
  checksums, permissions, and ownership.
components:
- agent
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <[email protected]>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 1
id: 2
modules:
- fim
name: test_registry_tags.py
os_platform:
- windows
os_version:
- Windows 10
- Windows 8
- Windows 7
- Windows Server 2016
- Windows Server 2012
- Windows Server 2003
- Windows XP
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#windows-registry
tags:
- fim_registry_tags
tests:
- assertions:
  - Verify that FIM events include all tags set in the 'tags' attribute.
  description: Check if the 'wazuh-syscheckd' daemon generates the tags required for
    each event depending on the values set in the 'tags' attribute. This attribute
    allows adding tags to alerts for monitored registry entries. For this purpose,
    the test will monitor a key and make value operations inside it. Finally, it will
    verify that the generated FIM events include in the 'tags' field all tags set in
    the configuration.
  expected_output:
  - r'.*Sending FIM event: (.+)$' ('added', 'modified', and 'deleted' events)
  input_description: A test case (ossec_conf) is contained in an external YAML file
    (wazuh_registry_tag_conf.yaml) that includes configuration settings for the 'wazuh-syscheckd'
    daemon. It is combined with the testing registry keys to be monitored, which are
    defined in this module.
  inputs:
  - get_configuration0-HKEY_LOCAL_MACHINE-SOFTWARE\\test_key-00
  - get_configuration0-HKEY_LOCAL_MACHINE-SOFTWARE\\test_key-01
  - get_configuration0-HKEY_LOCAL_MACHINE-SOFTWARE\\Classes\\test_key-0
  - get_configuration1-HKEY_LOCAL_MACHINE-SOFTWARE\\test_key-00
  - get_configuration1-HKEY_LOCAL_MACHINE-SOFTWARE\\test_key-01
  - get_configuration1-HKEY_LOCAL_MACHINE-SOFTWARE\\Classes\\test_key-0
  - get_configuration2-HKEY_LOCAL_MACHINE-SOFTWARE\\test_key-00
  - get_configuration2-HKEY_LOCAL_MACHINE-SOFTWARE\\test_key-01
  - get_configuration2-HKEY_LOCAL_MACHINE-SOFTWARE\\Classes\\test_key-0
  - get_configuration3-HKEY_LOCAL_MACHINE-SOFTWARE\\test_key-00
  - get_configuration3-HKEY_LOCAL_MACHINE-SOFTWARE\\test_key-01
  - get_configuration3-HKEY_LOCAL_MACHINE-SOFTWARE\\Classes\\test_key-0
  - get_configuration4-HKEY_LOCAL_MACHINE-SOFTWARE\\test_key-00
  - get_configuration4-HKEY_LOCAL_MACHINE-SOFTWARE\\test_key-01
  - get_configuration4-HKEY_LOCAL_MACHINE-SOFTWARE\\Classes\\test_key-0
  name: test_tags
  parameters:
  - key:
      brief: Path of the registry root key (HKEY_* constants).
      type: str
  - subkey:
      brief: The registry key being monitored by syscheck.
      type: str
  - arch:
      brief: Architecture of the registry.
      type: str
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
tier: 1
type: integration

test_synchronization

test_invalid_sync_response.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <[email protected]>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are modified. Specifically, these tests will check if FIM detects invalid values for the 'interval' tag of the 'synchronization' feature. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 2,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#synchronization"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_synchronization"
    ],
    "name": "test_invalid_sync_response.py",
    "id": 9,
    "group_id": 2,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' daemon detects invalid synchronization intervals by catching the warning message displayed on the log file. For this purpose, the test will monitor a testing directory and setup the 'synchronization' option using invalid values for its 'interval' tag. Finally, it will verify that the FIM 'warning' event has been generated, indicating that an invalid value is used.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                }
            ],
            "assertions": [
                "Verify that FIM 'warning' event is generated when using an invalid value for the interval tag of the 'synchronization' option."
            ],
            "input_description": "A test case (sync_invalid) is contained in external YAML file (wazuh_invalid_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon. That is combined with the testing directory to be monitored defined in this module.",
            "expected_output": [
                "r'.*WARNING:.* Invalid value for element'"
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_invalid_sync_response",
            "inputs": [
                "get_configuration0",
                "get_configuration1"
            ]
        }
    ]
}

test_invalid_sync_response.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggering
  alerts when these files are modified. Specifically, these tests will check if FIM
  detects invalid values for the 'interval' tag of the 'synchronization' feature.
  The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured
  files for changes to the checksums, permissions, and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <[email protected]>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 2
id: 9
modules:
- fim
name: test_invalid_sync_response.py
os_platform:
- linux
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#synchronization
tags:
- fim_synchronization
tests:
- assertions:
  - Verify that FIM 'warning' event is generated when using an invalid value for the
    interval tag of the 'synchronization' option.
  description: Check if the 'wazuh-syscheckd' daemon detects invalid synchronization
    intervals by catching the warning message displayed on the log file. For this
    purpose, the test will monitor a testing directory and setup the 'synchronization'
    option using invalid values for its 'interval' tag. Finally, it will verify that
    the FIM 'warning' event has been generated, indicating that an invalid value is
    used.
  expected_output:
  - r'.*WARNING:.* Invalid value for element'
  input_description: A test case (sync_invalid) is contained in external YAML file
    (wazuh_invalid_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd'
    daemon. That is combined with the testing directory to be monitored defined in
    this module.
  inputs:
  - get_configuration0
  - get_configuration1
  name: test_invalid_sync_response
  parameters:
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
tier: 2
type: integration


test_registry_responses_win32.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <[email protected]>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are modified. Specifically, these tests will check if FIM synchronizes the registry DB when a modification is performed while the agent is down and decodes the synchronization events properly. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 1,
    "modules": [
        "fim"
    ],
    "components": [
        "agent"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "windows"
    ],
    "os_version": [
        "Windows 10",
        "Windows 8",
        "Windows 7",
        "Windows Server 2016",
        "Windows Server 2012",
        "Windows Server 2003",
        "Windows XP"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#synchronization"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_synchronization"
    ],
    "name": "test_registry_responses_win32.py",
    "id": 10,
    "group_id": 2,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' daemon decodes the fields of synchronization events properly. For this purpose, the test will monitor a key and make key/value operations inside it. Finally, it will wait for the synchronization and verify that FIM sync events generated include the parent key path for the subkeys created and the value path with the parent subkey path for the added values.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "key_name": {
                        "type": "str",
                        "brief": "Name of the subkey that will be created in the test."
                    }
                },
                {
                    "value_name": {
                        "type": "str",
                        "brief": "Name of the value that will be created in the test."
                    }
                },
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run test if matches with a configuration identifier, skip otherwise."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that FIM sync events generated include the parent key and subkey paths for the changes made in the monitored subkey.",
                "Verify that FIM sync events generated include the monitored value path and its parent key path for the changes made in the monitored value."
            ],
            "input_description": "A test case (registry_sync_responses) is contained in external YAML file (wazuh_conf_registry_responses_win32.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon. That is combined with the testing registry key to be monitored defined in this module.",
            "expected_output": [
                "r'.*#!-fim_registry dbsync no_data (.+)'",
                "r'.*Sending integrity control message'"
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_registry_responses",
            "inputs": [
                "get_configuration0-None-None-tags_to_apply0",
                "get_configuration0-None-:subkey1-tags_to_apply0",
                "get_configuration0-None-subkey2:-tags_to_apply0",
                "get_configuration0-None-:subkey3:-tags_to_apply0",
                "get_configuration0-:value1-None-tags_to_apply0",
                "get_configuration0-:value1-:subkey1-tags_to_apply0",
                "get_configuration0-:value1-subkey2:-tags_to_apply0",
                "get_configuration0-:value1-:subkey3:-tags_to_apply0",
                "get_configuration0-value2:-None-tags_to_apply0",
                "get_configuration0-value2:-:subkey1-tags_to_apply0",
                "get_configuration0-value2:-subkey2:-tags_to_apply0",
                "get_configuration0-value2:-:subkey3:-tags_to_apply0",
                "get_configuration0-:value3:-None-tags_to_apply0",
                "get_configuration0-:value3:-:subkey1-tags_to_apply0",
                "get_configuration0-:value3:-subkey2:-tags_to_apply0",
                "get_configuration0-:value3:-:subkey3:-tags_to_apply0"
            ]
        },
        {
            "description": "Check if the 'wazuh-syscheckd' daemon synchronizes the registry DB when a modification is performed while the agent is down. For this purpose, the test will monitor a key and wait for the synchronization. Then it will stop the agent, make key/value operations inside the monitored key, and start the agent again. Finally, it will wait for the synchronization and verify that FIM sync events generated include the key and value paths for the modifications made.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "key_name": {
                        "type": "str",
                        "brief": "Name of the subkey that will be created in the test."
                    }
                },
                {
                    "value_name": {
                        "type": "str",
                        "brief": "Name of the value that will be created in the test."
                    }
                },
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run test if matches with a configuration identifier, skip otherwise."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that FIM sync events generated include the monitored value path and its parent key path of the changes made while the agent was stopped."
            ],
            "input_description": "A test case (registry_sync_responses) is contained in external YAML file (wazuh_conf_registry_responses_win32.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon. That is combined with the testing registry key to be monitored defined in this module.",
            "expected_output": [
                "r'.*#!-fim_registry dbsync no_data (.+)'",
                "r'.*Sending integrity control message'"
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_registry_sync_after_restart",
            "inputs": [
                "get_configuration0-:subkey1:-value1-tags_to_apply0",
                "get_configuration0-:subkey2-:value2-tags_to_apply0"
            ]
        }
    ]
}

test_registry_responses_win32.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggering
  alerts when these files are modified. Specifically, these tests will check if FIM
  synchronizes the registry DB when a modification is performed while the agent is
  down and decodes the synchronization events properly. The FIM capability is managed
  by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the
  checksums, permissions, and ownership.
components:
- agent
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <[email protected]>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 2
id: 10
modules:
- fim
name: test_registry_responses_win32.py
os_platform:
- windows
os_version:
- Windows 10
- Windows 8
- Windows 7
- Windows Server 2016
- Windows Server 2012
- Windows Server 2003
- Windows XP
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#synchronization
tags:
- fim_synchronization
tests:
- assertions:
  - Verify that FIM sync events generated include the parent key and subkey paths
    for the changes made in the monitored subkey.
  - Verify that FIM sync events generated include the monitored value path and its
    parent key path for the changes made in the monitored value.
  description: Check if the 'wazuh-syscheckd' daemon decodes the fields of synchronization
    events properly. For this purpose, the test will monitor a key and make key/value
    operations inside it. Finally, it will wait for the synchronization and verify
    that FIM sync events generated include the parent key path for the subkeys created
    and the value path with the parent subkey path for the added values.
  expected_output:
  - r'.*#!-fim_registry dbsync no_data (.+)'
  - r'.*Sending integrity control message'
  input_description: A test case (registry_sync_responses) is contained in external
    YAML file (wazuh_conf_registry_responses_win32.yaml) which includes configuration
    settings for the 'wazuh-syscheckd' daemon. That is combined with the testing registry
    key to be monitored defined in this module.
  inputs:
  - get_configuration0-None-None-tags_to_apply0
  - get_configuration0-None-:subkey1-tags_to_apply0
  - get_configuration0-None-subkey2:-tags_to_apply0
  - get_configuration0-None-:subkey3:-tags_to_apply0
  - get_configuration0-:value1-None-tags_to_apply0
  - get_configuration0-:value1-:subkey1-tags_to_apply0
  - get_configuration0-:value1-subkey2:-tags_to_apply0
  - get_configuration0-:value1-:subkey3:-tags_to_apply0
  - get_configuration0-value2:-None-tags_to_apply0
  - get_configuration0-value2:-:subkey1-tags_to_apply0
  - get_configuration0-value2:-subkey2:-tags_to_apply0
  - get_configuration0-value2:-:subkey3:-tags_to_apply0
  - get_configuration0-:value3:-None-tags_to_apply0
  - get_configuration0-:value3:-:subkey1-tags_to_apply0
  - get_configuration0-:value3:-subkey2:-tags_to_apply0
  - get_configuration0-:value3:-:subkey3:-tags_to_apply0
  name: test_registry_responses
  parameters:
  - key_name:
      brief: Name of the subkey that will be created in the test.
      type: str
  - value_name:
      brief: Name of the value that will be created in the test.
      type: str
  - tags_to_apply:
      brief: Run test if matches with a configuration identifier, skip otherwise.
      type: set
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
- assertions:
  - Verify that FIM sync events generated include the monitored value path and its
    parent key path of the changes made while the agent was stopped.
  description: Check if the 'wazuh-syscheckd' daemon synchronizes the registry DB
    when a modification is performed while the agent is down. For this purpose, the
    test will monitor a key and wait for the synchronization. Then it will stop the
    agent, make key/value operations inside the monitored key, and start the agent
    again. Finally, it will wait for the synchronization and verify that FIM sync
    events generated include the key and value paths for the modifications made.
  expected_output:
  - r'.*#!-fim_registry dbsync no_data (.+)'
  - r'.*Sending integrity control message'
  input_description: A test case (registry_sync_responses) is contained in external
    YAML file (wazuh_conf_registry_responses_win32.yaml) which includes configuration
    settings for the 'wazuh-syscheckd' daemon. That is combined with the testing registry
    key to be monitored defined in this module.
  inputs:
  - get_configuration0-:subkey1:-value1-tags_to_apply0
  - get_configuration0-:subkey2-:value2-tags_to_apply0
  name: test_registry_sync_after_restart
  parameters:
  - key_name:
      brief: Name of the subkey that will be created in the test.
      type: str
  - value_name:
      brief: Name of the value that will be created in the test.
      type: str
  - tags_to_apply:
      brief: Run test if matches with a configuration identifier, skip otherwise.
      type: set
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
tier: 1
type: integration


test_response_timeout.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <[email protected]>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are modified. Specifically, these tests will check if FIM ends the synchronization with the manager at the expected time set in the 'interval' and the 'response_timeout' tags. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 2,
    "modules": [
        "fim"
    ],
    "components": [
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#synchronization"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_synchronization"
    ],
    "name": "test_response_timeout.py",
    "id": 11,
    "group_id": 2,
    "tests": [
        {
            "description": "Check if the agent synchronization ends at the expected time set in the 'interval' and the 'response_timeout' tags, being 'interval' greater than 'response_timeout'. To accomplish this, a connection with a Wazuh agent (Linux-based) must be established via SSH using Paramiko. All operations will take place on the Agent side. For this purpose, the test will monitor a testing directory and create multiple files inside it. Then, it will wait until the first synchronization ends and travel in time to a datetime when synchronization should not happen to ensure there is no synchronization at this time. Finally, the test will travel in time to a datetime when synchronization must occur, and wait until the next synchronization is detected.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "num_files": {
                        "type": "int",
                        "brief": "Number of files to create within the testing directory."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                }
            ],
            "assertions": [
                "Verify that FIM sync events are generated at the specified intervals.",
                "Verify that the synchronization ends before the response timeout.",
                "Verify that no FIM sync events are generated before the specified intervals."
            ],
            "input_description": "A test case (response_timeout) is contained in external YAML file (wazuh_response_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon. That is combined with the testing directory to be monitored defined in this module.",
            "expected_output": [
                "r'.*#!-fim_registry dbsync no_data (.+)'",
                "r'.*Sending integrity control message'"
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_response_timeout",
            "inputs": [
                "get_configuration0-1",
                "get_configuration0-100",
                "get_configuration1-1",
                "get_configuration1-100",
                "get_configuration2-1",
                "get_configuration2-100",
                "get_configuration3-1",
                "get_configuration3-100",
                "get_configuration4-1",
                "get_configuration4-100",
                "get_configuration5-1",
                "get_configuration5-100",
                "get_configuration6-1",
                "get_configuration6-100",
                "get_configuration7-1",
                "get_configuration7-100",
                "get_configuration8-1",
                "get_configuration8-100",
                "get_configuration9-1",
                "get_configuration9-100",
                "get_configuration10-1",
                "get_configuration10-100",
                "get_configuration11-1",
                "get_configuration11-100",
                "get_configuration12-1",
                "get_configuration12-100",
                "get_configuration13-1",
                "get_configuration13-100",
                "get_configuration14-1",
                "get_configuration14-100"
            ]
        }
    ]
}

test_response_timeout.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggering
  alerts when these files are modified. Specifically, these tests will check if FIM
  ends the synchronization with the manager at the expected time set in the 'interval'
  and the 'response_timeout' tags. The FIM capability is managed by the 'wazuh-syscheckd'
  daemon, which checks configured files for changes to the checksums, permissions,
  and ownership.
components:
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <[email protected]>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 2
id: 11
modules:
- fim
name: test_response_timeout.py
os_platform:
- linux
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#synchronization
tags:
- fim_synchronization
tests:
- assertions:
  - Verify that FIM sync events are generated at the specified intervals.
  - Verify that the synchronization ends before the response timeout.
  - Verify that no FIM sync events are generated before the specified intervals.
  description: Check if the agent synchronization ends at the expected time set in
    the 'interval' and the 'response_timeout' tags, being 'interval' greater than
    'response_timeout'. To accomplish this, a connection with a Wazuh agent (Linux-based)
    must be established via SSH using Paramiko. All operations will take place on
    the Agent side. For this purpose, the test will monitor a testing directory and
    create multiple files inside it. Then, it will wait until the first synchronization
    ends and travel in time to a datetime when synchronization should not happen to
    ensure there is no synchronization at this time. Finally, the test will travel
    in time to a datetime when synchronization must occur, and wait until the next
    synchronization is detected.
  expected_output:
  - r'.*#!-fim_registry dbsync no_data (.+)'
  - r'.*Sending integrity control message'
  input_description: A test case (response_timeout) is contained in external YAML
    file (wazuh_response_conf.yaml) which includes configuration settings for the
    'wazuh-syscheckd' daemon. That is combined with the testing directory to be monitored
    defined in this module.
  inputs:
  - get_configuration0-1
  - get_configuration0-100
  - get_configuration1-1
  - get_configuration1-100
  - get_configuration2-1
  - get_configuration2-100
  - get_configuration3-1
  - get_configuration3-100
  - get_configuration4-1
  - get_configuration4-100
  - get_configuration5-1
  - get_configuration5-100
  - get_configuration6-1
  - get_configuration6-100
  - get_configuration7-1
  - get_configuration7-100
  - get_configuration8-1
  - get_configuration8-100
  - get_configuration9-1
  - get_configuration9-100
  - get_configuration10-1
  - get_configuration10-100
  - get_configuration11-1
  - get_configuration11-100
  - get_configuration12-1
  - get_configuration12-100
  - get_configuration13-1
  - get_configuration13-100
  - get_configuration14-1
  - get_configuration14-100
  name: test_response_timeout
  parameters:
  - num_files:
      brief: Number of files to create within the testing directory.
      type: int
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
tier: 2
type: integration


test_sync_disabled_win32.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <[email protected]>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggers alerts when these files are modified. Specifically, these tests will check if FIM disables the synchronization of file/registry on Windows systems when the 'enabled' tag of the synchronization option is set to 'no', and vice versa. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 1,
    "modules": [
        "fim"
    ],
    "components": [
        "agent"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "windows"
    ],
    "os_version": [
        "Windows 10",
        "Windows 8",
        "Windows 7",
        "Windows Server 2016",
        "Windows Server 2012",
        "Windows Server 2003",
        "Windows XP"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#synchronization"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_synchronization"
    ],
    "name": "test_sync_disabled_win32.py",
    "id": 4,
    "group_id": 2,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' daemon uses the value of the 'enabled' tag to start/stop the file/registry synchronization. For this purpose, the test will monitor a directory/key. Finally, it will verify that no FIM 'integrity' event is generated when the synchronization is disabled, and verify that the FIM 'integrity' event generated corresponds with a file or a registry when the synchronization is enabled, depending on the test case.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run test if matches with a configuration identifier, skip otherwise."
                    }
                },
                {
                    "file_sync": {
                        "type": "bool",
                        "brief": "True if file synchronization is enabled. False otherwise."
                    }
                },
                {
                    "registry_sync": {
                        "type": "bool",
                        "brief": "True if registry synchronization is enabled. False otherwise."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start_sync_disabled": {
                        "type": "fixture",
                        "brief": "Wait for end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that no FIM 'integrity' events are generated when the value of the 'enabled' tag is set to 'no' (synchronization disabled).",
                "Verify that FIM 'integrity' events generated correspond to a file/registry depending on the value of the 'enabled' and the 'registry_enabled' tags (synchronization enabled)."
            ],
            "input_description": "Different test cases are contained in external YAML file (wazuh_disabled_sync_conf_win32.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon. That is combined with the testing directory/key to be monitored defined in this module.",
            "expected_output": [
                "r'.*Sending integrity control message'"
            ],
            "tags": [
                "scheduled",
                "time_travel",
                "realtime",
                "who_data"
            ],
            "name": "test_sync_disabled",
            "inputs": [
                "get_configuration0",
                "get_configuration1",
                "get_configuration2",
                "get_configuration0-tags_to_apply0-False-False",
                "get_configuration0-tags_to_apply1-True-False",
                "get_configuration0-tags_to_apply2-True-True",
                "get_configuration1-tags_to_apply0-False-False",
                "get_configuration1-tags_to_apply1-True-False",
                "get_configuration1-tags_to_apply2-True-True",
                "get_configuration2-tags_to_apply0-False-False",
                "get_configuration2-tags_to_apply1-True-False",
                "get_configuration2-tags_to_apply2-True-True",
                "get_configuration3-tags_to_apply0-False-False",
                "get_configuration3-tags_to_apply1-True-False",
                "get_configuration3-tags_to_apply2-True-True",
                "get_configuration4-tags_to_apply0-False-False",
                "get_configuration4-tags_to_apply1-True-False",
                "get_configuration4-tags_to_apply2-True-True",
                "get_configuration5-tags_to_apply0-False-False",
                "get_configuration5-tags_to_apply1-True-False",
                "get_configuration5-tags_to_apply2-True-True",
                "get_configuration6-tags_to_apply0-False-False",
                "get_configuration6-tags_to_apply1-True-False",
                "get_configuration6-tags_to_apply2-True-True",
                "get_configuration7-tags_to_apply0-False-False",
                "get_configuration7-tags_to_apply1-True-False",
                "get_configuration7-tags_to_apply2-True-True",
                "get_configuration8-tags_to_apply0-False-False",
                "get_configuration8-tags_to_apply1-True-False",
                "get_configuration8-tags_to_apply2-True-True"
            ]
        }
    ]
}

test_sync_disabled_win32.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggers
  alerts when these files are modified. Specifically, these tests will check if FIM
  disables the synchronization of file/registry on Windows systems when the 'enabled'
  tag of the synchronization option is set to 'no', and vice versa. The FIM capability
  is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes
  to the checksums, permissions, and ownership.
components:
- agent
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <[email protected]>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 2
id: 4
modules:
- fim
name: test_sync_disabled_win32.py
os_platform:
- windows
os_version:
- Windows 10
- Windows 8
- Windows 7
- Windows Server 2016
- Windows Server 2012
- Windows Server 2003
- Windows XP
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#synchronization
tags:
- fim_synchronization
tests:
- assertions:
  - Verify that no FIM 'integrity' events are generated when the value of the 'enabled'
    tag is set to 'no' (synchronization disabled).
  - Verify that FIM 'integrity' events generated correspond to a file/registry depending
    on the value of the 'enabled' and the 'registry_enabled' tags (synchronization
    enabled).
  description: Check if the 'wazuh-syscheckd' daemon uses the value of the 'enabled'
    tag to start/stop the file/registry synchronization. For this purpose, the test
    will monitor a directory/key. Finally, it will verify that no FIM 'integrity'
    event is generated when the synchronization is disabled, and verify that the FIM
    'integrity' event generated corresponds with a file or a registry when the synchronization
    is enabled, depending on the test case.
  expected_output:
  - r'.*Sending integrity control message'
  input_description: Different test cases are contained in external YAML file (wazuh_disabled_sync_conf_win32.yaml)
    which includes configuration settings for the 'wazuh-syscheckd' daemon. That is
    combined with the testing directory/key to be monitored defined in this module.
  inputs:
  - get_configuration0
  - get_configuration1
  - get_configuration2
  - get_configuration0-tags_to_apply0-False-False
  - get_configuration0-tags_to_apply1-True-False
  - get_configuration0-tags_to_apply2-True-True
  - get_configuration1-tags_to_apply0-False-False
  - get_configuration1-tags_to_apply1-True-False
  - get_configuration1-tags_to_apply2-True-True
  - get_configuration2-tags_to_apply0-False-False
  - get_configuration2-tags_to_apply1-True-False
  - get_configuration2-tags_to_apply2-True-True
  - get_configuration3-tags_to_apply0-False-False
  - get_configuration3-tags_to_apply1-True-False
  - get_configuration3-tags_to_apply2-True-True
  - get_configuration4-tags_to_apply0-False-False
  - get_configuration4-tags_to_apply1-True-False
  - get_configuration4-tags_to_apply2-True-True
  - get_configuration5-tags_to_apply0-False-False
  - get_configuration5-tags_to_apply1-True-False
  - get_configuration5-tags_to_apply2-True-True
  - get_configuration6-tags_to_apply0-False-False
  - get_configuration6-tags_to_apply1-True-False
  - get_configuration6-tags_to_apply2-True-True
  - get_configuration7-tags_to_apply0-False-False
  - get_configuration7-tags_to_apply1-True-False
  - get_configuration7-tags_to_apply2-True-True
  - get_configuration8-tags_to_apply0-False-False
  - get_configuration8-tags_to_apply1-True-False
  - get_configuration8-tags_to_apply2-True-True
  name: test_sync_disabled
  parameters:
  - tags_to_apply:
      brief: Run test if matches with a configuration identifier, skip otherwise.
      type: set
  - file_sync:
      brief: True if file synchronization is enabled. False otherwise.
      type: bool
  - registry_sync:
      brief: True if registry synchronization is enabled. False otherwise.
      type: bool
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start_sync_disabled:
      brief: Wait for end of initial FIM scan.
      type: fixture
  tags:
  - scheduled
  - time_travel
  - realtime
  - who_data
  wazuh_min_version: 4.2.0
tier: 1
type: integration


test_sync_disabled.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <[email protected]>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggers alerts when these files are modified. Specifically, these tests will check if FIM disables the synchronization on Linux systems when the 'enabled' tag of the synchronization option is set to 'no'. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 1,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#synchronization"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_synchronization"
    ],
    "name": "test_sync_disabled.py",
    "id": 3,
    "group_id": 2,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' daemon uses the value of the 'enabled' tag to disable the file synchronization. For this purpose, the test will monitor a testing directory, and finally, it will verify that no FIM 'integrity' event is generated when the synchronization is disabled.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that no FIM 'integrity' event is generated when the value of the 'enabled' tag is set to 'no' (synchronization disabled)."
            ],
            "input_description": "A test case (sync_disabled) is contained in external YAML file (wazuh_disabled_sync_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon. That is combined with the testing directory to be monitored defined in this module.",
            "expected_output": [
                "r'Initializing FIM Integrity Synchronization check'"
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_sync_disabled",
            "inputs": [
                "get_configuration0",
                "get_configuration1",
                "get_configuration2"
            ]
        }
    ]
}

test_sync_disabled.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggers
  alerts when these files are modified. Specifically, these tests will check if FIM
  disables the synchronization on Linux systems when the 'enabled' tag of the synchronization
  option is set to 'no'. The FIM capability is managed by the 'wazuh-syscheckd' daemon,
  which checks configured files for changes to the checksums, permissions, and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <[email protected]>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 2
id: 3
modules:
- fim
name: test_sync_disabled.py
os_platform:
- linux
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#synchronization
tags:
- fim_synchronization
tests:
- assertions:
  - Verify that no FIM 'integrity' event is generated when the value of the 'enabled'
    tag is set to 'no' (synchronization disabled).
  description: Check if the 'wazuh-syscheckd' daemon uses the value of the 'enabled'
    tag to disable the file synchronization. For this purpose, the test will monitor
    a testing directory, and finally, it will verify that no FIM 'integrity' event
    is generated when the synchronization is disabled.
  expected_output:
  - r'Initializing FIM Integrity Synchronization check'
  input_description: A test case (sync_disabled) is contained in external YAML file
    (wazuh_disabled_sync_conf.yaml) which includes configuration settings for the
    'wazuh-syscheckd' daemon. That is combined with the testing directory to be monitored
    defined in this module.
  inputs:
  - get_configuration0
  - get_configuration1
  - get_configuration2
  name: test_sync_disabled
  parameters:
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
tier: 1
type: integration


test_sync_interval_win32.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <[email protected]>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggers alerts when these files are modified. Specifically, these tests will check if FIM synchronizes the database on Windows systems at the period specified in the 'interval' and the 'max_interval' tags. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 2,
    "modules": [
        "fim"
    ],
    "components": [
        "agent"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "windows"
    ],
    "os_version": [
        "Windows 10",
        "Windows 8",
        "Windows 7",
        "Windows Server 2016",
        "Windows Server 2012",
        "Windows Server 2003",
        "Windows XP"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#synchronization"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_synchronization"
    ],
    "name": "test_sync_interval_win32.py",
    "id": 6,
    "group_id": 2,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' daemon performs the file/registry synchronization at the intervals specified in the configuration, using the 'interval' and the 'max_interval' tags. For this purpose, the test will monitor a testing directory and registry key. Then, it will travel in time to the next synchronization time and verify that the FIM 'integrity' event is triggered. Finally, the test will travel in time to half of the interval and verify that no FIM 'integrity' event is generated.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that FIM 'integrity' event is generated when the interval specified has elapsed.",
                "Verify that no FIM 'integrity' event is generated at half of the interval specified."
            ],
            "input_description": "A test case (sync_interval) is contained in external YAML file (wazuh_conf_win32.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon. That is combined with the interval periods and the testing directory/key to be monitored defined in this module.",
            "expected_output": [
                "r'Initializing FIM Integrity Synchronization check'"
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_sync_interval",
            "inputs": [
                "get_configuration0",
                "get_configuration1",
                "get_configuration2",
                "get_configuration3",
                "get_configuration4",
                "get_configuration5",
                "get_configuration0",
                "get_configuration1",
                "get_configuration2",
                "get_configuration3",
                "get_configuration4",
                "get_configuration5"
            ]
        }
    ]
}

test_sync_interval_win32.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggers
  alerts when these files are modified. Specifically, these tests will check if FIM
  synchronizes the database on Windows systems at the period specified in the 'interval'
  and the 'max_interval' tags. The FIM capability is managed by the 'wazuh-syscheckd'
  daemon, which checks configured files for changes to the checksums, permissions,
  and ownership.
components:
- agent
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <[email protected]>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 2
id: 6
modules:
- fim
name: test_sync_interval_win32.py
os_platform:
- windows
os_version:
- Windows 10
- Windows 8
- Windows 7
- Windows Server 2016
- Windows Server 2012
- Windows Server 2003
- Windows XP
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#synchronization
tags:
- fim_synchronization
tests:
- assertions:
  - Verify that FIM 'integrity' event is generated when the interval specified has
    elapsed.
  - Verify that no FIM 'integrity' event is generated at half of the interval specified.
  description: Check if the 'wazuh-syscheckd' daemon performs the file/registry synchronization
    at the intervals specified in the configuration, using the 'interval' and the
    'max_interval' tags. For this purpose, the test will monitor a testing directory
    and registry key. Then, it will travel in time to the next synchronization time
    and verify that the FIM 'integrity' event is triggered. Finally, the test will
    travel in time to half of the interval and verify that no FIM 'integrity' event
    is generated.
  expected_output:
  - r'Initializing FIM Integrity Synchronization check'
  input_description: A test case (sync_interval) is contained in external YAML file
    (wazuh_conf_win32.yaml) which includes configuration settings for the 'wazuh-syscheckd'
    daemon. That is combined with the interval periods and the testing directory/key
    to be monitored defined in this module.
  inputs:
  - get_configuration0
  - get_configuration1
  - get_configuration2
  - get_configuration3
  - get_configuration4
  - get_configuration5
  - get_configuration0
  - get_configuration1
  - get_configuration2
  - get_configuration3
  - get_configuration4
  - get_configuration5
  name: test_sync_interval
  parameters:
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
tier: 2
type: integration

 

test_sync_interval.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <[email protected]>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are modified. Specifically, these tests will check if FIM synchronizes the database on Linux systems at the period specified in the 'interval' tag. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 2,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#synchronization"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_synchronization"
    ],
    "name": "test_sync_interval.py",
    "id": 5,
    "group_id": 2,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' daemon performs the file synchronization at the intervals specified in the configuration, using the 'interval' tag. For this purpose, the test will monitor a testing directory. Then, it will travel in time to the next synchronization time and verify that the FIM 'integrity' event is triggered. Finally, the test will travel in time to half of the interval and verify that no FIM 'integrity' event is generated.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                },
                {
                    "wait_for_fim_start": {
                        "type": "fixture",
                        "brief": "Wait for realtime start, whodata start, or end of initial FIM scan."
                    }
                }
            ],
            "assertions": [
                "Verify that FIM 'integrity' event is generated when the interval specified has elapsed.",
                "Verify that no FIM 'integrity' event is generated at half of the interval specified."
            ],
            "input_description": "A test case (sync_interval) is contained in external YAML file (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon. That is combined with the interval periods and the testing directory to be monitored defined in this module.",
            "expected_output": [
                "r'Initializing FIM Integrity Synchronization check'"
            ],
            "tags": [
                "scheduled",
                "time_travel"
            ],
            "name": "test_sync_interval",
            "inputs": [
                "get_configuration0",
                "get_configuration1",
                "get_configuration2",
                "get_configuration3",
                "get_configuration4",
                "get_configuration5"
            ]
        }
    ]
}

test_sync_interval.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggering
  alerts when these files are modified. Specifically, these tests will check if FIM
  synchronizes the database on Linux systems at the period specified in the 'interval'
  tag. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks
  configured files for changes to the checksums, permissions, and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <[email protected]>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 2
id: 5
modules:
- fim
name: test_sync_interval.py
os_platform:
- linux
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#synchronization
tags:
- fim_synchronization
tests:
- assertions:
  - Verify that FIM 'integrity' event is generated when the interval specified has
    elapsed.
  - Verify that no FIM 'integrity' event is generated at half of the interval specified.
  description: Check if the 'wazuh-syscheckd' daemon performs the file synchronization
    at the intervals specified in the configuration, using the 'interval' tag. For
    this purpose, the test will monitor a testing directory. Then, it will travel
    in time to the next synchronization time and verify that the FIM 'integrity' event
    is triggered. Finally, the test will travel in time to half of the interval and
    verify that no FIM 'integrity' event is generated.
  expected_output:
  - r'Initializing FIM Integrity Synchronization check'
  input_description: A test case (sync_interval) is contained in external YAML file
    (wazuh_conf.yaml) which includes configuration settings for the 'wazuh-syscheckd'
    daemon. That is combined with the interval periods and the testing directory to
    be monitored defined in this module.
  inputs:
  - get_configuration0
  - get_configuration1
  - get_configuration2
  - get_configuration3
  - get_configuration4
  - get_configuration5
  name: test_sync_interval
  parameters:
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  - wait_for_fim_start:
      brief: Wait for realtime start, whodata start, or end of initial FIM scan.
      type: fixture
  tags:
  - scheduled
  - time_travel
  wazuh_min_version: 4.2.0
tier: 2
type: integration

 

test_synchronize_integrity_scan.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <[email protected]>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are modified. Specifically, these tests will check if FIM generates events while a database synchronization is being performed simultaneously on Linux systems. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 1,
    "modules": [
        "fim"
    ],
    "components": [
        "agent",
        "manager"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "linux"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#synchronization"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_synchronization"
    ],
    "name": "test_synchronize_integrity_scan.py",
    "id": 7,
    "group_id": 2,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' daemon detects events while the synchronization is performed simultaneously. For this purpose, the test will monitor a testing directory. Then, it will check if the FIM 'integrity' and 'whodata' events are triggered. Finally, the test will create a testing file and verify that the FIM 'added' event is generated.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run test if matches with a configuration identifier, skip otherwise."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                }
            ],
            "assertions": [
                "Verify that FIM 'integrity' and 'whodata' events are generated.",
                "Verify that FIM 'added' event is generated when adding a testing file while the synchronization is performed."
            ],
            "input_description": "A test case (synchronize_events_conf) is contained in external YAML file (wazuh_conf_integrity_scan.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon. That is combined with the testing directories to be monitored defined in this module.",
            "expected_output": [
                "r'File integrity monitoring real-time Whodata engine started'",
                "r'Initializing FIM Integrity Synchronization check'",
                {
                    "r'.*Sending FIM event": "(.+)$' ('added' event)"
                }
            ],
            "tags": [
                "realtime",
                "who_data"
            ],
            "name": "test_events_while_integrity_scan",
            "inputs": [
                "get_configuration0-tags_to_apply0",
                "get_configuration1-tags_to_apply0"
            ]
        }
    ]
}

test_synchronize_integrity_scan.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggering
  alerts when these files are modified. Specifically, these tests will check if FIM
  generates events while a database synchronization is being performed simultaneously
  on Linux systems. The FIM capability is managed by the 'wazuh-syscheckd' daemon,
  which checks configured files for changes to the checksums, permissions, and ownership.
components:
- agent
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <[email protected]>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 2
id: 7
modules:
- fim
name: test_synchronize_integrity_scan.py
os_platform:
- linux
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#synchronization
tags:
- fim_synchronization
tests:
- assertions:
  - Verify that FIM 'integrity' and 'whodata' events are generated.
  - Verify that FIM 'added' event is generated when adding a testing file while the
    synchronization is performed.
  description: Check if the 'wazuh-syscheckd' daemon detects events while the synchronization
    is performed simultaneously. For this purpose, the test will monitor a testing
    directory. Then, it will check if the FIM 'integrity' and 'whodata' events are
    triggered. Finally, the test will create a testing file and verify that the FIM
    'added' event is generated.
  expected_output:
  - r'File integrity monitoring real-time Whodata engine started'
  - r'Initializing FIM Integrity Synchronization check'
  - r'.*Sending FIM event: (.+)$' ('added' event)
  input_description: A test case (synchronize_events_conf) is contained in external
    YAML file (wazuh_conf_integrity_scan.yaml) which includes configuration settings
    for the 'wazuh-syscheckd' daemon. That is combined with the testing directories
    to be monitored defined in this module.
  inputs:
  - get_configuration0-tags_to_apply0
  - get_configuration1-tags_to_apply0
  name: test_events_while_integrity_scan
  parameters:
  - tags_to_apply:
      brief: Run test if matches with a configuration identifier, skip otherwise.
      type: set
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  tags:
  - realtime
  - who_data
  wazuh_min_version: 4.2.0
tier: 1
type: integration

 

test_synchronize_integrity_win32.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <[email protected]>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are modified. Specifically, these tests will check if FIM generates events while a database synchronization is being performed simultaneously on Windows systems. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership.",
    "tier": 1,
    "modules": [
        "fim"
    ],
    "components": [
        "agent"
    ],
    "daemons": [
        "wazuh-syscheckd"
    ],
    "os_platform": [
        "windows"
    ],
    "os_version": [
        "Windows 10",
        "Windows 8",
        "Windows 7",
        "Windows Server 2016",
        "Windows Server 2012",
        "Windows Server 2003",
        "Windows XP"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html",
        "https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#synchronization"
    ],
    "pytest_args": [
        {
            "fim_mode": {
                "realtime": "Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.",
                "whodata": "Implies real-time monitoring but adding the 'who-data' information."
            }
        },
        {
            "tier": {
                "0": "Only level 0 tests are performed, they check basic functionalities and are quick to perform.",
                "1": "Only level 1 tests are performed, they check functionalities of medium complexity.",
                "2": "Only level 2 tests are performed, they check advanced functionalities and are slow to perform."
            }
        }
    ],
    "tags": [
        "fim_synchronization"
    ],
    "name": "test_synchronize_integrity_win32.py",
    "id": 8,
    "group_id": 2,
    "tests": [
        {
            "description": "Check if the 'wazuh-syscheckd' daemon detects events while the synchronization is performed simultaneously. For this purpose, the test will monitor a testing directory and registry key. Then, it will create a subkey inside the monitored key. After this, the test will check if the FIM 'integrity' and 'whodata' (if needed) events are triggered. Finally, the test will create a testing file and registry value and verify that the FIM 'added' events are generated.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "tags_to_apply": {
                        "type": "set",
                        "brief": "Run test if matches with a configuration identifier, skip otherwise."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_syscheckd": {
                        "type": "fixture",
                        "brief": "Clear the 'ossec.log' file and start a new monitor."
                    }
                }
            ],
            "assertions": [
                "Verify that FIM 'integrity' and 'whodata' (if needed) events are generated.",
                "Check that FIM 'added' events are generated both when adding test files and registry values while synchronizing."
            ],
            "input_description": "A test case (synchronize_events_conf) is contained in external YAML file (wazuh_conf_integrity_scan_win32.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon. That is combined with the testing directories/keys to be monitored defined in this module.",
            "expected_output": [
                "r'File integrity monitoring real-time Whodata engine started'",
                "r'Initializing FIM Integrity Synchronization check'",
                {
                    "r'.*Sending FIM event": "(.+)$' ('added' and 'modified' events)"
                }
            ],
            "tags": [
                "realtime",
                "who_data"
            ],
            "name": "test_events_while_integrity_scan",
            "inputs": [
                "get_configuration0-tags_to_apply0",
                "get_configuration1-tags_to_apply0",
                "get_configuration0-tags_to_apply0",
                "get_configuration1-tags_to_apply0"
            ]
        }
    ]
}

test_synchronize_integrity_win32.yaml

brief: File Integrity Monitoring (FIM) system watches selected files and triggering
  alerts when these files are modified. Specifically, these tests will check if FIM
  generates events while a database synchronization is being performed simultaneously
  on Windows systems. The FIM capability is managed by the 'wazuh-syscheckd' daemon,
  which checks configured files for changes to the checksums, permissions, and ownership.
components:
- agent
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <[email protected]>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-syscheckd
group_id: 2
id: 8
modules:
- fim
name: test_synchronize_integrity_win32.py
os_platform:
- windows
os_version:
- Windows 10
- Windows 8
- Windows 7
- Windows Server 2016
- Windows Server 2012
- Windows Server 2003
- Windows XP
pytest_args:
- fim_mode:
    realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls)
      and Windows systems.
    whodata: Implies real-time monitoring but adding the 'who-data' information.
- tier:
    0: Only level 0 tests are performed, they check basic functionalities and are
      quick to perform.
    1: Only level 1 tests are performed, they check functionalities of medium complexity.
    2: Only level 2 tests are performed, they check advanced functionalities and are
      slow to perform.
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
- https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#synchronization
tags:
- fim_synchronization
tests:
- assertions:
  - Verify that FIM 'integrity' and 'whodata' (if needed) events are generated.
  - Check that FIM 'added' events are generated both when adding test files and registry
    values while synchronizing.
  description: Check if the 'wazuh-syscheckd' daemon detects events while the synchronization
    is performed simultaneously. For this purpose, the test will monitor a testing
    directory and registry key. Then, it will create a subkey inside the monitored
    key. After this, the test will check if the FIM 'integrity' and 'whodata' (if
    needed) events are triggered. Finally, the test will create a testing file and
    registry value and verify that the FIM 'added' events are generated.
  expected_output:
  - r'File integrity monitoring real-time Whodata engine started'
  - r'Initializing FIM Integrity Synchronization check'
  - r'.*Sending FIM event: (.+)$' ('added' and 'modified' events)
  input_description: A test case (synchronize_events_conf) is contained in external
    YAML file (wazuh_conf_integrity_scan_win32.yaml) which includes configuration
    settings for the 'wazuh-syscheckd' daemon. That is combined with the testing directories/keys
    to be monitored defined in this module.
  inputs:
  - get_configuration0-tags_to_apply0
  - get_configuration1-tags_to_apply0
  - get_configuration0-tags_to_apply0
  - get_configuration1-tags_to_apply0
  name: test_events_while_integrity_scan
  parameters:
  - tags_to_apply:
      brief: Run test if matches with a configuration identifier, skip otherwise.
      type: set
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_syscheckd:
      brief: Clear the 'ossec.log' file and start a new monitor.
      type: fixture
  tags:
  - realtime
  - who_data
  wazuh_min_version: 4.2.0
tier: 1
type: integration

Tests

  • Python codebase satisfies the PEP-8 style guide. pycodestyle --max-line-length=120 --show-source --show-pep8 file.py.
  • The DocGenerator sanity check test does not return errors. python3 DocGenerator.py -s

…st_registry, and test_fim/test_synchronization documentation in QA Docs style

The following tests have been documented:
  * test_registry_restrict.py
  * test_registry_tags.py
  * test_invalid_sync_response.py
  * test_registry_responses_win32.py
  * test_response_timeout.py
The current scheme of the issue #1694 has been used.
PEP-8 fixes.

Closes: #2085
…st_registry, and test_fim/test_synchronization documentation in QA Docs style

The following tests have been documented:
  * test_sync_disabled.py
  * test_sync_disabled_win32.py
  * test_sync_interval.py
  * test_sync_interval_win32.py
  * test_synchronize_integrity_scan.py
  * test_synchronize_integrity_win32.py
The current scheme of the issue #1694 has been used.
Updated config.yaml
PEP-8 fixes.

Closes: #2085
@roronoasins roronoasins left a comment
👍

@mdengra mdengra merged commit a5428c7 into 1810-qadocs-migrate-test-fim Oct 22, 2021
@mdengra mdengra deleted the 2085-qadocs-migrate-test-fim-registry-restrict-tags-synchronization branch October 22, 2021 11:03