From 1a67a1673984ab7f4b7598a807fcec7c431fb7b1 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Wed, 20 Jul 2022 15:28:10 -0300 Subject: [PATCH 01/43] Add: test_integratord_read_json_alerts test module --- .../config_integratord_read_json_alerts.yaml | 34 +++++ .../cases_integratord_read_json_alerts.yaml | 32 +++++ .../test_integratord_read_json_alerts.py | 120 ++++++++++++++++++ 3 files changed, 186 insertions(+) create mode 100644 tests/integration/test_integratord/data/configuration_template/config_integratord_read_json_alerts.yaml create mode 100644 tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_alerts.yaml create mode 100644 tests/integration/test_integratord/test_integratord_read_json_alerts.py diff --git a/tests/integration/test_integratord/data/configuration_template/config_integratord_read_json_alerts.yaml b/tests/integration/test_integratord/data/configuration_template/config_integratord_read_json_alerts.yaml new file mode 100644 index 0000000000..2503cc5bb6 --- /dev/null +++ b/tests/integration/test_integratord/data/configuration_template/config_integratord_read_json_alerts.yaml @@ -0,0 +1,34 @@ +--- +- tags: + - all + apply_to_modules: + - test_integratord_read_json_alerts + sections: + - section: integration + elements: + - name: + value: "virustotal" + - api_key: + value: API_KEY + - rule_id: + value: "554" + - alert_format: + value: "json" + - section: sca + elements: + - enabled: + value: 'no' + - section: rootcheck + elements: + - disabled: + value: 'yes' + - section: syscheck + elements: + - disabled: + value: 'yes' + - section: wodle + attributes: + - name: 'syscollector' + elements: + - disabled: + value: 'yes' \ No newline at end of file diff --git a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_alerts.yaml b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_alerts.yaml new file mode 100644 index 0000000000..48270beb76 --- /dev/null 
+++ b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_alerts.yaml 
@@ -0,0 +1,32 @@ +- name: 'Read valid json alert' + description: 'Read a valid alert from alerts.json' + configuration_parameters: + API_KEY: d7f1a3b90040e663357def13d16cf0481ebbda4869caba712172bd7cc79dbc7a + metadata: + alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"c3"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log":"File /test_folder/TEST_VALID_ALERT.txt added\nMode: scheduled\n","syscheck":{"path":"/test_folder/TEST_VALID_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe","sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' + alert_type: 'valid' + error_message: 'Did not recieve the expected VirusTotal alert in alerts.json' +- name: 'Read invalid json alert' + description: 'Read a invalid alert from alerts.json - removed rule key name - Integration fails' + configuration_parameters: + API_KEY: d7f1a3b90040e663357def13d16cf0481ebbda4869caba712172bd7cc79dbc7a + metadata: + alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000",:{"level":5,"description":"File added to the 
system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"c3"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log":"File /test_folder/TEST_INVALID_ALERT.txt added\nMode: scheduled\n","syscheck":{"path":"/test_folder/TEST_INVALID_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe","sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' + alert_type: 'invalid' + error_message: 'Did not recieve the expected "...Invalid JSON alert read..." 
event' +- name: 'Read Overlong json alert' + description: 'Read a an alert that is over 64kb alert from alerts.json - Integration fails' + configuration_parameters: + API_KEY: d7f1a3b90040e663357def13d16cf0481ebbda4869caba712172bd7cc79dbc7a + metadata: + alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"padding_input"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log":"File /test_folder/TEST_OVERLONG_ALERT.txt added\nMode: scheduled\n","syscheck":{"path":"/test_folder/TEST_OVERLONG_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe","sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' + alert_type: 'overlong' + error_message: 'Did not recieve the expected "...Overlong JSON alert read..." event' +- name: 'Cannot read alerts - Inode changed' + description: 'The alerts.json file inode has changed and it cannot read alerts from it until it reloads.' 
+ configuration_parameters: + API_KEY: d7f1a3b90040e663357def13d16cf0481ebbda4869caba712172bd7cc79dbc7a + metadata: + alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"padding_input"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log":"File /test_folder/TEST_OVERLONG_ALERT.txt added\nMode: scheduled\n","syscheck":{"path":"/test_folder/TEST_OVERLONG_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe","sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' + alert_type: 'inode_changed' + error_message: 'Did not recieve the expected "...Alert file inode changed..." event' \ No newline at end of file diff --git a/tests/integration/test_integratord/test_integratord_read_json_alerts.py b/tests/integration/test_integratord/test_integratord_read_json_alerts.py new file mode 100644 index 0000000000..d265c834f2 --- /dev/null +++ b/tests/integration/test_integratord/test_integratord_read_json_alerts.py 
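Review bot: Every `API_KEY` in the new test cases is a 64-hex-character value with the shape of a live VirusTotal key rather than an obvious dummy, so it will be flagged by secret scanners and a reader cannot tell it from a leaked credential; the same applies to the second, different value introduced when patch 05 reorders this file. If the integration only needs to pick the alert up and no successful API response is expected, a visibly fake placeholder makes that intent clear and keeps the repository out of secret-scanning reports. The 'Cannot read alerts - Inode changed' sample is a copy of the overlong one, including `"name":"padding_input"` and the `TEST_OVERLONG_ALERT.txt` path, although the test module substitutes `padding_input` only for the 'overlong' type, so the inode case writes that literal agent name. The `error_message` strings misspell "receive" as "recieve", the overlong description reads "Read a an alert", and the file ends without a trailing newline.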
@@ -0,0 +1,120 @@
+'''
+copyright: Copyright (C) 2015-2022, Wazuh Inc.
+ Created by Wazuh, Inc. .
+ This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+type: integration
+brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts
+ when these files are modified. In particular, these tests will check if FIM changes
+ the monitoring mode from 'realtime' to 'scheduled' when it is not supported.
+ The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured
+ files for changes to the checksums, permissions, and ownership.
+components:
+ - fim
+suite: files_basic_usage
+targets:
+ - agent
+daemons:
+ - wazuh-syscheckd
+os_platform:
+ - macos
+ - solaris
+os_version:
+ - macOS Catalina
+ - macOS Server
+ - Solaris 10
+ - Solaris 11
+references:
+ - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+ - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
+pytest_args:
+ - fim_mode:
+ realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+ whodata: Implies real-time monitoring but adding the 'who-data' information.
+ - tier:
+ 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+ 1: Only level 1 tests are performed, they check functionalities of medium complexity.
+ 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+tags:
+ - fim_basic_usage
+'''
+import os
+import pytest
+from wazuh_testing import global_parameters
+from wazuh_testing.tools import WAZUH_PATH, LOG_FILE_PATH
+from wazuh_testing.tools.file import truncate_file, write_file
+from wazuh_testing.tools.configuration import get_test_cases_data, load_configuration_template
+from wazuh_testing.tools.monitoring import FileMonitor, callback_generator
+
+
+# Marks
+pytestmark = [pytest.mark.server]
+
+# Reference paths
+TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data')
+CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration_template')
+TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases')
+
+# Configuration and cases data
+configurations_path = os.path.join(CONFIGURATIONS_PATH, 'config_integratord_read_json_alerts.yaml')
+cases_path = os.path.join(TEST_CASES_PATH, 'cases_integratord_read_json_alerts.yaml')
+
+# Configurations
+configuration_parameters, configuration_metadata, case_ids = get_test_cases_data(cases_path)
+configurations = load_configuration_template(configurations_path, configuration_parameters,
+ configuration_metadata)
+local_internal_options = {'integrator.debug': '2', 'syscheck.debug':'2'}
+
+# Variables
+JSON_LOG_FILE = os.path.join(WAZUH_PATH, 'logs/alerts/alerts.json')
+
+
+
+# Tests
+@pytest.mark.tier(level=1)
+@pytest.mark.parametrize('configuration, metadata',
+ zip(configurations, configuration_metadata), ids=case_ids)
+def test_integratord_read_json_alerts(configuration, metadata,
+ configure_local_internal_options_module,restart_wazuh_function):
+ '''
+ description: Check if the current OS platform falls to the 'scheduled' mode when 'realtime' is not available.
+ For this purpose, the test performs a CUD set of operations to a file with 'realtime' mode set as
+ the monitoring option in the 'ossec.conf' file.
Firstly it checks for the initial 'realtime' event
+ appearing in the logs, and if the current OS does not support it, wait for the initial FIM scan
+ mode. After this, the set of operations takes place and the expected behavior is the events will be
+ generated with 'scheduled' mode and not 'realtime' as it is set in the configuration.
+ wazuh_min_version: 4.2.0
+ tier: 0
+ parameters:
+ - configure_local_internal_options_module:
+ type: fixture
+ brief: Configure the local internal options file.
+ assertions:
+ - Verify that FIM changes the monitoring mode from 'realtime' to 'scheduled' when it is not supported.
+ input_description: A test case (ossec_conf) is contained in external YAML file (wazuh_conf_check_realtime.yaml)
+ which includes configuration settings for the 'wazuh-syscheckd' daemon and, it is combined
+ with the testing directory to be monitored defined in this module.
+ expected_output:
+ - r'.*Sending FIM event: (.+)$' ('added', 'modified' and 'deleted' events)
+
+ '''
+ sample = metadata['alert_sample']
+ wazuh_monitor = FileMonitor(LOG_FILE_PATH)
+ if metadata['alert_type'] == 'valid':
+ callback = '.*VirusTotal: Alert - .*integration\":\"virustotal\".*'
+ wazuh_monitor = FileMonitor(JSON_LOG_FILE)
+ elif metadata['alert_type'] == 'invalid':
+ callback = '.*wazuh-integratord.*WARNING: Invalid JSON alert read.*'
+ elif metadata['alert_type'] == 'overlong':
+ padding = "0"*90000
+ sample = sample.replace("padding_input","agent_"+padding)
+ callback = '.*wazuh-integratord.*WARNING: Overlong JSON alert read.*'
+ elif metadata['alert_type'] == 'inode_changed':
+ callback = '.*wazuh-integratord.*DEBUG: jqueue_next\(\): Alert file inode changed.*'
+
+ # Insert custom Alert
+ os.system(f"echo '{sample}' >> {JSON_LOG_FILE}")
+
+ # Read Response in ossec.log
+ result = wazuh_monitor.start(timeout=global_parameters.default_timeout,
+ callback=callback_generator(callback),
+ error_message=metadata['error_message']).result()
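Review bot: `os.system(f"echo '{sample}' >> {JSON_LOG_FILE}")` hands the test-case string to a shell, so a sample containing a single quote ends the quoting, and whether the `\n` sequences inside `full_log` are expanded depends on which `echo` the shell provides, meaning the alert that lands in alerts.json is not reliably the one in the YAML; append it from Python instead: `with open(JSON_LOG_FILE, 'a') as alerts_file:` / `alerts_file.write(f'{sample}\n')`. `callback` is only bound inside the four `alert_type` branches, so an unknown type fails with UnboundLocalError rather than a clear assertion, and `result` is assigned but never asserted, so the test passes or fails solely by the monitor's timeout. The module docstring and the `description`, `assertions`, `input_description` and `expected_output` sections are copied from a FIM realtime test and describe wazuh-syscheckd behaviour rather than what this test checks; `truncate_file` and `write_file` are imported but unused.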
From e79c873872abe5d5a895c9f620b84d7db224fc59 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Wed, 20 Jul 2022 15:29:29 -0300 Subject: [PATCH 02/43] Add: load_configurations and get_test_cases_data --- .../wazuh_testing/tools/configuration.py | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/deps/wazuh_testing/wazuh_testing/tools/configuration.py b/deps/wazuh_testing/wazuh_testing/tools/configuration.py index 01b92fb6ba..be33740e13 100644 --- a/deps/wazuh_testing/wazuh_testing/tools/configuration.py +++ b/deps/wazuh_testing/wazuh_testing/tools/configuration.py @@ -13,6 +13,7 @@ import yaml from wazuh_testing import global_parameters, logger from wazuh_testing.tools import WAZUH_PATH, GEN_OSSEC, WAZUH_CONF, PREFIX, WAZUH_LOCAL_INTERNAL_OPTIONS +from wazuh_testing.tools.file import read_yaml from wazuh_testing import global_parameters, logger 
@@ -642,3 +643,50 @@ def set_local_internal_options_dict(dict_local_internal_options):
 for option_name, option_value in dict_local_internal_options.items():
 local_internal_configuration_string = f"{str(option_name)}={str(option_value)}\n"
 local_internal_option_file.write(local_internal_configuration_string)
+
+
+def load_configuration_template(data_file_path, configuration_parameters=[], configuration_metadata=[]):
+ """Load different configurations of Wazuh from a YAML file.
+ Args:
+ data_file_path (str): Full path of the YAML file to be loaded.
+ configuration_parameters (list(dict)) : List of dicts where each dict represents a replacement.
+ configuration_metadata (list(dict)): Custom metadata to be inserted in the configuration.
+ Returns:
+ list(dict): List containing wazuh configurations in dictionary form.
+ Raises:
+ ValueError: If the length of `params` and `metadata` are not equal.
+ """
+ if len(configuration_parameters) != len(configuration_metadata):
+ raise ValueError(f"configuration_parameters and configuration_metadata should have the same data length "
+ f"{len(configuration_parameters)} != {len(configuration_metadata)}")
+
+ configuration = read_yaml(data_file_path)
+
+ if sys.platform == 'darwin':
+ configuration = set_correct_prefix([configuration], PREFIX)
+
+ return [process_configuration(configuration[0], placeholders=replacement, metadata=meta)
+ for replacement, meta in zip(configuration_parameters, configuration_metadata)]
+
+
+def get_test_cases_data(data_file_path):
+ """Load a test case template file and get its data.
+ Template example file: tests/integration/vulnerability_detector/test_providers/data/test_cases/test_enabled.yaml
+ Args:
+ data_file_path (str): Test case template file path.
+ Returns:
+ (list(dict), list(dict), list(str)): Configurations, metadata and test case names.
+ """ + test_cases_data = read_yaml(data_file_path) + configuration_parameters = [] + configuration_metadata = [] + test_cases_ids = [] + + for test_case in test_cases_data: + configuration_parameters.append(test_case['configuration_parameters']) + metadata_parameters = {'name': test_case['name'], 'description': test_case['description']} + metadata_parameters.update(test_case['metadata']) + configuration_metadata.append(metadata_parameters) + test_cases_ids.append(test_case['name']) + + return configuration_parameters, configuration_metadata, test_cases_ids \ No newline at end of file From 866995c61b8e79e9430732f555b72526caf4a9b8 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Wed, 20 Jul 2022 15:30:23 -0300 Subject: [PATCH 03/43] Add: restart_wazuh_function no get_configuration --- tests/integration/test_integratord/conftest.py | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 tests/integration/test_integratord/conftest.py diff --git a/tests/integration/test_integratord/conftest.py b/tests/integration/test_integratord/conftest.py new file mode 100644 index 0000000000..f51b57661f --- /dev/null +++ b/tests/integration/test_integratord/conftest.py @@ -0,0 +1,14 @@ +# Copyright (C) 2015-2022, Wazuh Inc. +# Created by Wazuh, Inc. . +# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +import pytest + +from wazuh_testing.tools.services import control_service + +@pytest.fixture(scope='function') +def restart_wazuh_function(): + """Restart wazuh-modulesd daemon before starting a test, and stop it after finishing""" + control_service('restart') + yield + control_service('stop') \ No newline at end of file From 6b790e748401055b005532eea2c1b6574ef98dc1 Mon Sep 17 00:00:00 2001 
From: Deblintrake09 Date: Wed, 20 Jul 2022 15:32:16 -0300 Subject: [PATCH 04/43] Add: integratord folder for extranct variables and functions --- .../wazuh_testing/modules/integratord/__init__.py | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 deps/wazuh_testing/wazuh_testing/modules/integratord/__init__.py diff --git a/deps/wazuh_testing/wazuh_testing/modules/integratord/__init__.py b/deps/wazuh_testing/wazuh_testing/modules/integratord/__init__.py new file mode 100644 index 0000000000..67d2371b86 --- /dev/null +++ b/deps/wazuh_testing/wazuh_testing/modules/integratord/__init__.py @@ -0,0 +1,14 @@ + +# Variables + +# Callbacks +CB_VIRUSTOTAL_JSON_ALERT = r'.*VirusTotal: Alert - .*integration\":\"virustotal\".*' +CB_INVALID_JSON_ALERT_READ = r'.*wazuh-integratord.*WARNING: Invalid JSON alert read.*' +CB_OVERLONG_JSON_ALERT_READ = r'.*wazuh-integratord.*WARNING: Overlong JSON alert read.*' +CB_ALERTS_FILE_INODE_CHANGED = r'.*wazuh-integratord.*DEBUG: jqueue_next\(\): Alert file inode changed.*' + +# Error messages +ERR_MSG_VIRUSTOTAL_ALERT_NOT_DETECTED = '' +ERR_MSG_INVALID_ALERT_NOT_FOUND = +ERR_MSG_OVERLONG_ALERT_NOT_FOUND = +ERR_MSG_ALERT_INODE_CHANGED_NOT_FOUND \ No newline at end of file From 8b68fd1e89241ed1171142cd6c82fc173b57c619 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Thu, 21 Jul 2022 10:04:46 -0300 Subject: [PATCH 05/43] rm: removed error messages metadata --- .../cases_integratord_read_json_alerts.yaml | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_alerts.yaml b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_alerts.yaml index 48270beb76..cf586bf601 100644 --- a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_alerts.yaml +++ b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_alerts.yaml 
@@ -1,3 +1,12 @@ + +- name: 'Cannot read alerts - Inode changed' + description: 'The alerts.json file inode has changed and it cannot read alerts from it until it reloads.' + configuration_parameters: + API_KEY: 8512012a5ebf7eee0eb2adaf85444f76ab1a615ad1f2376b45716c370d74868d + metadata: + alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"padding_input"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log":"File /test_folder/TEST_VALID_ALERT.txt added\nMode: scheduled\n","syscheck":{"path":"/test_folder/TEST_VALID_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe","sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' + alert_type: 'inode_changed' + - name: 'Read valid json alert' description: 'Read a valid alert from alerts.json' configuration_parameters: 
@@ -5,7 +14,7 @@ metadata: alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"c3"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log":"File /test_folder/TEST_VALID_ALERT.txt added\nMode: scheduled\n","syscheck":{"path":"/test_folder/TEST_VALID_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe","sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' alert_type: 'valid' - error_message: 'Did not recieve the expected VirusTotal alert in alerts.json' + - name: 'Read invalid json alert' description: 'Read a invalid alert from alerts.json - removed rule key name - Integration fails' configuration_parameters: 
@@ -13,7 +22,7 @@ metadata: alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000",:{"level":5,"description":"File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"c3"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log":"File /test_folder/TEST_INVALID_ALERT.txt added\nMode: scheduled\n","syscheck":{"path":"/test_folder/TEST_INVALID_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe","sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' alert_type: 'invalid' - error_message: 'Did not recieve the expected "...Invalid JSON alert read..." event' + - name: 'Read Overlong json alert' description: 'Read a an alert that is over 64kb alert from alerts.json - Integration fails' configuration_parameters: 
@@ -21,12 +30,3 @@ metadata: alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"padding_input"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log":"File /test_folder/TEST_OVERLONG_ALERT.txt added\nMode: scheduled\n","syscheck":{"path":"/test_folder/TEST_OVERLONG_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe","sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' alert_type: 'overlong' - error_message: 'Did not recieve the expected "...Overlong JSON alert read..." event' -- name: 'Cannot read alerts - Inode changed' - description: 'The alerts.json file inode has changed and it cannot read alerts from it until it reloads.' 
- configuration_parameters: - API_KEY: d7f1a3b90040e663357def13d16cf0481ebbda4869caba712172bd7cc79dbc7a - metadata: - alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"padding_input"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log":"File /test_folder/TEST_OVERLONG_ALERT.txt added\nMode: scheduled\n","syscheck":{"path":"/test_folder/TEST_OVERLONG_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe","sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' - alert_type: 'inode_changed' - error_message: 'Did not recieve the expected "...Alert file inode changed..." event' \ No newline at end of file From f70e4a415ac02cedc36e075acc2d4838a0aad820 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Thu, 21 Jul 2022 10:07:21 -0300 Subject: [PATCH 06/43] Add: create integratord conftest --- .../integration/test_integratord/conftest.py | 24 ++++++++++++------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/tests/integration/test_integratord/conftest.py b/tests/integration/test_integratord/conftest.py index f51b57661f..54a5de10a2 100644 --- a/tests/integration/test_integratord/conftest.py +++ b/tests/integration/test_integratord/conftest.py 
@@ -1,14 +1,20 @@
-# Copyright (C) 2015-2022, Wazuh Inc.
-# Created by Wazuh, Inc. .
-# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+'''
+copyright: Copyright (C) 2015-2022, Wazuh Inc.
+ Created by Wazuh, Inc. .
+ This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+'''
 import pytest
-from wazuh_testing.tools.services import control_service
+from wazuh_testing.tools import LOG_FILE_PATH
+from wazuh_testing.tools.monitoring import FileMonitor, callback_generator
+from wazuh_testing.modules.integratord import (CB_VIRUSTOTAL_ENABLED,ERR_MSG_VIRUST_TOTAL_ENABLED_NOT_FOUND)
+
+
 @pytest.fixture(scope='function')
-def restart_wazuh_function():
- """Restart wazuh-modulesd daemon before starting a test, and stop it after finishing"""
- control_service('restart')
- yield
- control_service('stop')
\ No newline at end of file
+def wait_for_start_module(request):
+ # Wait for Virustotal Integration to start
+ file_monitor = FileMonitor(LOG_FILE_PATH)
+ file_monitor.start(timeout=20, callback=callback_generator(CB_VIRUSTOTAL_ENABLED),
+ error_message=ERR_MSG_VIRUST_TOTAL_ENABLED_NOT_FOUND)
From 254b450d521698a428586b196407ae6dc6b508e4 Mon Sep 17 00:00:00 2001
From: Deblintrake09
Date: Thu, 21 Jul 2022 10:09:21 -0300
Subject: [PATCH 07/43] Add: add restart_wazuh_function fixture (it does not use get_configuration)
---
 tests/integration/conftest.py | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/tests/integration/conftest.py b/tests/integration/conftest.py
index 93aee85b21..44826690fc 100644
--- a/tests/integration/conftest.py
+++ b/tests/integration/conftest.py
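Review bot: `wait_for_start_module(request)` declares `request` but never reads it, and it hard-codes `timeout=20` where the test module uses `global_parameters.default_timeout`; `def wait_for_start_module():` with the shared timeout keeps the fixtures consistent. The names it imports, `CB_VIRUSTOTAL_ENABLED` and `ERR_MSG_VIRUST_TOTAL_ENABLED_NOT_FOUND`, are not defined in `wazuh_testing.modules.integratord` as left by patch 04 and only appear in patch 08, so this commit does not import on its own; likewise `restart_wazuh_function` is removed here one commit before patch 07 re-adds it to the parent conftest. The fixture's purpose is given as a comment; a docstring such as `"""Wait until wazuh-integratord logs that the virustotal integration is enabled."""` would also surface in pytest's fixture listing.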
@@ -88,6 +88,19 @@ def restart_wazuh(get_configuration, request): control_service('start') +@pytest.fixture(scope='function') +def restart_wazuh_function(daemons=None): + """Restarts before starting a test, and stop it after finishing, and cleans the log files.""" + truncate_file(LOG_FILE_PATH) + truncate_file(ALERT_FILE_PATH) + control_service('restart', daemons) + yield + control_service('stop',daemons) + truncate_file(LOG_FILE_PATH) + truncate_file(ALERT_FILE_PATH) + + + @pytest.fixture(scope='module') def reset_ossec_log(get_configuration, request): # Reset ossec.log and start a new monitor @@ -731,6 +744,7 @@ def create_file_structure_function(get_files_list): delete_file_structure(get_files_list) + @pytest.fixture(scope='module') def daemons_handler(get_configuration, request): """Handler of Wazuh daemons. From 4c4ef4c2a49be3725e33703beef7509d22269aa8 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Thu, 21 Jul 2022 10:10:54 -0300 Subject: [PATCH 08/43] Refac & Docu: extract variables and fix docum --- .../modules/integratord/__init__.py | 23 +++-- .../test_integratord_read_json_alerts.py | 97 +++++++++++-------- 2 files changed, 70 insertions(+), 50 deletions(-) diff --git a/deps/wazuh_testing/wazuh_testing/modules/integratord/__init__.py b/deps/wazuh_testing/wazuh_testing/modules/integratord/__init__.py index 67d2371b86..d0254545be 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/integratord/__init__.py +++ b/deps/wazuh_testing/wazuh_testing/modules/integratord/__init__.py 
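Review bot: `restart_wazuh_function(daemons=None)` gives a pytest fixture a defaulted parameter, which pytest does not inject, so `daemons` is always None and `control_service('restart', daemons)` / `control_service('stop',daemons)` behave exactly as if the argument were absent; either drop it (`def restart_wazuh_function():` with `control_service('restart')` and `control_service('stop')`) or read it from `request.param` through indirect parametrization. `truncate_file`, `LOG_FILE_PATH` and `ALERT_FILE_PATH` must already be in scope in tests/integration/conftest.py; the hunk adds no imports, so that is worth confirming. The docstring "Restarts before starting a test, and stop it after finishing, and cleans the log files." could read `"""Truncate ossec.log and alerts.json, restart Wazuh before the test and stop it afterwards."""`. The stacked blank lines after the fixture leave three empty lines before `reset_ossec_log`.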
@@ -1,14 +1,21 @@ +''' +copyright: Copyright (C) 2015-2022, Wazuh Inc. + Created by Wazuh, Inc. . + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 +''' # Variables # Callbacks -CB_VIRUSTOTAL_JSON_ALERT = r'.*VirusTotal: Alert - .*integration\":\"virustotal\".*' -CB_INVALID_JSON_ALERT_READ = r'.*wazuh-integratord.*WARNING: Invalid JSON alert read.*' -CB_OVERLONG_JSON_ALERT_READ = r'.*wazuh-integratord.*WARNING: Overlong JSON alert read.*' -CB_ALERTS_FILE_INODE_CHANGED = r'.*wazuh-integratord.*DEBUG: jqueue_next\(\): Alert file inode changed.*' +CB_VIRUSTOTAL_ENABLED = ".*wazuh-integratord.*Enabling integration for: 'virustotal'.*" +CB_VIRUSTOTAL_JSON_ALERT = '.*VirusTotal: Alert - .*integration\":\"virustotal\".*' +CB_INVALID_JSON_ALERT_READ = '.*wazuh-integratord.*WARNING: Invalid JSON alert read.*' +CB_OVERLONG_JSON_ALERT_READ = '.*wazuh-integratord.*WARNING: Overlong JSON alert read.*' +CB_ALERTS_FILE_INODE_CHANGED = '.*wazuh-integratord.*DEBUG: jqueue_next\(\): Alert file inode changed.*' # Error messages -ERR_MSG_VIRUSTOTAL_ALERT_NOT_DETECTED = '' -ERR_MSG_INVALID_ALERT_NOT_FOUND = -ERR_MSG_OVERLONG_ALERT_NOT_FOUND = -ERR_MSG_ALERT_INODE_CHANGED_NOT_FOUND \ No newline at end of file +ERR_MSG_VIRUST_TOTAL_ENABLED_NOT_FOUND = 'Did not recieve the expected "Enabling integration for virustotal"' +ERR_MSG_VIRUSTOTAL_ALERT_NOT_DETECTED = 'Did not recieve the expected VirusTotal alert in alerts.json' +ERR_MSG_INVALID_ALERT_NOT_FOUND = 'Did not recieve the expected "...Invalid JSON alert read..." event' +ERR_MSG_OVERLONG_ALERT_NOT_FOUND = 'Did not recieve the expected "...Overlong JSON alert read..." event' +ERR_MSG_ALERT_INODE_CHANGED_NOT_FOUND = 'Did not recieve the expected "...Alert file inode changed..." event' diff --git a/tests/integration/test_integratord/test_integratord_read_json_alerts.py b/tests/integration/test_integratord/test_integratord_read_json_alerts.py index d265c834f2..c3207d635d 100644 
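Review bot: The callback patterns lost their `r` prefix, so `CB_ALERTS_FILE_INODE_CHANGED` now holds `\(` and `\)` inside an ordinary string literal; those are invalid escape sequences that CPython flags as a DeprecationWarning (SyntaxWarning from 3.12 on) and they only still match because unknown escapes are left untouched. Restore raw strings for every regex, e.g. `CB_ALERTS_FILE_INODE_CHANGED = r'.*wazuh-integratord.*DEBUG: jqueue_next\(\): Alert file inode changed.*'`, and do the same for the `\"` patterns so they read as regexes rather than relying on escape fallthrough. All five error messages misspell "receive" as "recieve" and will surface verbatim in test-failure output, and `ERR_MSG_VIRUST_TOTAL_ENABLED_NOT_FOUND` breaks the `VIRUSTOTAL` naming used by its siblings.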
--- a/tests/integration/test_integratord/test_integratord_read_json_alerts.py +++ b/tests/integration/test_integratord/test_integratord_read_json_alerts.py 
@@ -2,46 +2,44 @@ copyright: Copyright (C) 2015-2022, Wazuh Inc. Created by Wazuh, Inc. . This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + type: integration -brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts - when these files are modified. In particular, these tests will check if FIM changes - the monitoring mode from 'realtime' to 'scheduled' when it is not supported. - The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured - files for changes to the checksums, permissions, and ownership. +brief: Integratord manages wazuh integrations with other applications such as Yara or Virustotal, by feeding +the integrated aplications with the alerts located in alerts.json file. This test module aims to validate that +given a specific alert, the expected response is recieved, depending if it is a valid/invalid json alert, an +overlong alert (64kb+) or what happens when it cannot read the file because it is missing. components: - - fim -suite: files_basic_usage + - integratord +suite: integratord_read_json_alerts targets: - agent daemons: - - wazuh-syscheckd + - wazuh-integratord os_platform: - - macos - - solaris + - Linux os_version: - - macOS Catalina - - macOS Server - - Solaris 10 - - Solaris 11 + - Centos 8 + - Ubuntu Focal references: - - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html - - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html + - https://documentation.wazuh.com/current/user-manual/capabilities/virustotal-scan/integration.html + - https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-integratord.htm pytest_args: - - fim_mode: - realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems. - whodata: Implies real-time monitoring but adding the 'who-data' information. 
- tier: 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. 1: Only level 1 tests are performed, they check functionalities of medium complexity. 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. tags: - - fim_basic_usage + - virustotal ''' import os +import time import pytest from wazuh_testing import global_parameters -from wazuh_testing.tools import WAZUH_PATH, LOG_FILE_PATH -from wazuh_testing.tools.file import truncate_file, write_file +from wazuh_testing.tools import WAZUH_PATH, LOG_FILE_PATH, ALERT_FILE_PATH +from wazuh_testing.tools.file import remove_file, copy +from wazuh_testing.modules.integratord import (ERR_MSG_VIRUSTOTAL_ALERT_NOT_DETECTED, ERR_MSG_INVALID_ALERT_NOT_FOUND, + ERR_MSG_OVERLONG_ALERT_NOT_FOUND,ERR_MSG_ALERT_INODE_CHANGED_NOT_FOUND, CB_VIRUSTOTAL_JSON_ALERT, + CB_INVALID_JSON_ALERT_READ,CB_OVERLONG_JSON_ALERT_READ,CB_ALERTS_FILE_INODE_CHANGED) from wazuh_testing.tools.configuration import get_test_cases_data, load_configuration_template from wazuh_testing.tools.monitoring import FileMonitor, callback_generator @@ -62,11 +60,10 @@ configuration_parameters, configuration_metadata, case_ids = get_test_cases_data(cases_path) configurations = load_configuration_template(configurations_path, configuration_parameters, configuration_metadata) -local_internal_options = {'integrator.debug': '2', 'syscheck.debug':'2'} +local_internal_options = {'integrator.debug': '2'} # Variables -JSON_LOG_FILE = os.path.join(WAZUH_PATH, 'logs/alerts/alerts.json') - +TEMP_FILE_PATH = os.path.join(WAZUH_PATH, 'logs/alerts/alerts.json.tmp') # Tests 
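Review bot: The second reference on the new side, `https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-integratord.htm`, looks truncated — its sibling ends in `.html` — and should be checked before merge. The new `brief:` has spelling slips (`aplications`, `recieved`), and `targets:` still lists `agent` although the daemon under test is `wazuh-integratord`, which the referenced documentation describes as a manager-side daemon — please confirm and adjust. The new import line `ERR_MSG_OVERLONG_ALERT_NOT_FOUND,ERR_MSG_ALERT_INODE_CHANGED_NOT_FOUND, CB_VIRUSTOTAL_JSON_ALERT,` mixes spaced and unspaced commas; one style per line would help readability.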
@@ -74,16 +71,13 @@ @pytest.mark.parametrize('configuration, metadata', zip(configurations, configuration_metadata), ids=case_ids) def test_integratord_read_json_alerts(configuration, metadata, - configure_local_internal_options_module,restart_wazuh_function): + configure_local_internal_options_module,restart_wazuh_function, wait_for_start_module): ''' - description: Check if the current OS platform falls to the 'scheduled' mode when 'realtime' is not available. - For this purpose, the test performs a CUD set of operations to a file with 'realtime' mode set as - the monitoring option in the 'ossec.conf' file. Firstly it checks for the initial 'realtime' event - appearing in the logs, and if the current OS does not support it, wait for the initial FIM scan - mode. After this, the set of operations takes place and the expected behavior is the events will be - generated with 'scheduled' mode and not 'realtime' as it is set in the configuration. - wazuh_min_version: 4.2.0 - tier: 0 + description: Check that when a given alert is inserted into alerts.json, integratord works as expected. In case + of a valid alert, a virustotal integration alert is expected in the alerts.json file. If the alert is invalid or + broken, or overly long a message will appear in the ossec.log file. Also, in case that + wazuh_min_version: 4.3.5 + tier: 1 parameters: - configure_local_internal_options_module: type: fixture 
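Review bot: The new `description:` stops mid-sentence — `...a message will appear in the ossec.log file. Also, in case that` — so the docstring is incomplete; either finish the sentence (presumably covering the inode-changed case handled further down) or remove the fragment. The `parameters:` section that follows does not yet describe the `restart_wazuh_function` and `wait_for_start_module` fixtures added to the signature in this hunk, and `configure_local_internal_options_module,restart_wazuh_function` lacks a space after the comma. The function body continues past this hunk.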
@@ -100,21 +94,40 @@ def test_integratord_read_json_alerts(configuration, metadata, sample = metadata['alert_sample'] wazuh_monitor = FileMonitor(LOG_FILE_PATH) if metadata['alert_type'] == 'valid': - callback = '.*VirusTotal: Alert - .*integration\":\"virustotal\".*' - wazuh_monitor = FileMonitor(JSON_LOG_FILE) + wazuh_monitor = FileMonitor(ALERT_FILE_PATH) + callback = CB_VIRUSTOTAL_JSON_ALERT + error_message = ERR_MSG_VIRUSTOTAL_ALERT_NOT_DETECTED elif metadata['alert_type'] == 'invalid': - callback = '.*wazuh-integratord.*WARNING: Invalid JSON alert read.*' + callback = CB_INVALID_JSON_ALERT_READ + error_message = ERR_MSG_INVALID_ALERT_NOT_FOUND elif metadata['alert_type'] == 'overlong': padding = "0"*90000 sample = sample.replace("padding_input","agent_"+padding) - callback = '.*wazuh-integratord.*WARNING: Overlong JSON alert read.*' + callback = CB_OVERLONG_JSON_ALERT_READ + error_message = ERR_MSG_OVERLONG_ALERT_NOT_FOUND elif metadata['alert_type'] == 'inode_changed': - callback = '.*wazuh-integratord.*DEBUG: jqueue_next\(\): Alert file inode changed.*' + callback = CB_ALERTS_FILE_INODE_CHANGED + error_message = ERR_MSG_ALERT_INODE_CHANGED_NOT_FOUND + + # Insert custom Alert + if metadata['alert_type'] == 'inode_changed': + for n in range(3): + os.system(f"echo '{sample}' >> {ALERT_FILE_PATH}") + copy(ALERT_FILE_PATH, TEMP_FILE_PATH) + remove_file(ALERT_FILE_PATH) + result = wazuh_monitor.start(timeout=global_parameters.default_timeout, + callback=callback_generator(callback), + error_message=error_message).result() + time.sleep(3) + copy(TEMP_FILE_PATH,ALERT_FILE_PATH) + wazuh_monitor = FileMonitor(ALERT_FILE_PATH) + callback = CB_VIRUSTOTAL_JSON_ALERT + error_message = ERR_MSG_VIRUSTOTAL_ALERT_NOT_DETECTED - # Insert custom Alert - os.system(f"echo '{sample}' >> {JSON_LOG_FILE}") + else: + os.system(f"echo '{sample}' >> {ALERT_FILE_PATH}") # Read Response in ossec.log result = wazuh_monitor.start(timeout=global_parameters.default_timeout, 
callback=callback_generator(callback), - error_message=metadata['error_message']).result() + error_message=error_message).result() From 932f05ca4fcace4e5164960c68aaabda5fe8c0eb Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Thu, 21 Jul 2022 13:23:53 -0300 Subject: [PATCH 09/43] Add: set_wazuh_configuration fixture (does not use get_configuration) --- tests/integration/conftest.py | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/tests/integration/conftest.py b/tests/integration/conftest.py index 44826690fc..48387d45d1 100644 --- a/tests/integration/conftest.py +++ b/tests/integration/conftest.py @@ -864,3 +864,27 @@ def configure_local_internal_options_module(request): logger.debug(f"Restore local_internal_option to {str(backup_local_internal_options)}") conf.set_local_internal_options_dict(backup_local_internal_options) + +@pytest.fixture(scope='function') +def set_wazuh_configuration(configuration): + """Set wazuh configuration + + Args: + configuration (dict): Configuration template data to write in the ossec.conf + """ + # Save current configuration + backup_config = conf.get_wazuh_conf() + + # Configuration for testing + test_config = conf.set_section_wazuh_conf(configuration.get('sections')) + + # Set new configuration + conf.write_wazuh_conf(test_config) + + # Set current configuration + global_parameters.current_configuration = configuration + + yield + + # Restore previous configuration + conf.write_wazuh_conf(backup_config) \ No newline at end of file From aa69011b7ce101a16a35308c3ca5b309e6820f35 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Thu, 21 Jul 2022 13:24:40 -0300 Subject: [PATCH 10/43] Fix: fixed conf file - problem with authd daemon --- .../config_integratord_read_json_alerts.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
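Review bot: Both insert paths shell out with `os.system(f"echo '{sample}' >> {ALERT_FILE_PATH}")`, building a shell command from YAML test data: a single quote inside `alert_sample` silently breaks the command, the exit status is discarded, and `echo` may expand the `\n` escapes inside `full_log` depending on the system shell, which would split the one-line JSON record. Appending through the file API avoids all of that, `with open(ALERT_FILE_PATH, 'a') as alerts_file:` / `alerts_file.write(f'{sample}\n')`; the same `os.system` call survives in the rewritten body of PATCH 13 (`@@ -79,55 +74,57 @@`). In the `inode_changed` branch `alerts.json` is removed before the first monitor wait, so a timeout there raises and leaves the alerts file missing and `alerts.json.tmp` behind — put the `copy(TEMP_FILE_PATH,ALERT_FILE_PATH)` restore in a `try`/`finally` and remove `TEMP_FILE_PATH` afterwards. The first `result = ...` assignment and the loop variable `n` are unused, and an `alert_type` that matches none of the four branches reaches `callback` unbound.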
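Review bot: `set_wazuh_configuration` assigns `global_parameters.current_configuration = configuration` but the teardown after `yield` only rewrites the ossec.conf backup, so the global keeps pointing at the last test's configuration after the fixture is gone; save the previous value before the assignment and restore it next to `conf.write_wazuh_conf(backup_config)`. Because the backup is taken before `conf.write_wazuh_conf(test_config)` runs, a failure inside that write has no restore path either; a `try`/`finally` spanning the write and the `yield` covers both cases.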
diff --git a/tests/integration/test_integratord/data/configuration_template/config_integratord_read_json_alerts.yaml b/tests/integration/test_integratord/data/configuration_template/config_integratord_read_json_alerts.yaml index 2503cc5bb6..eea7e2813e 100644 --- a/tests/integration/test_integratord/data/configuration_template/config_integratord_read_json_alerts.yaml +++ b/tests/integration/test_integratord/data/configuration_template/config_integratord_read_json_alerts.yaml @@ -31,4 +31,8 @@ - name: 'syscollector' elements: - disabled: - value: 'yes' \ No newline at end of file + value: 'yes' + - section: auth + elements: + - disabled: + value: 'yes' From fe368598943b2237d1baaae0f88dea7d4eb3399d Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Thu, 21 Jul 2022 13:26:24 -0300 Subject: [PATCH 11/43] Add: added test case for removed json file --- .../cases_integratord_read_json_alerts.yaml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_alerts.yaml b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_alerts.yaml index cf586bf601..cb55d50e50 100644 --- a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_alerts.yaml +++ b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_alerts.yaml 
@@ -1,10 +1,9 @@ - - name: 'Cannot read alerts - Inode changed' description: 'The alerts.json file inode has changed and it cannot read alerts from it until it reloads.' configuration_parameters: API_KEY: 8512012a5ebf7eee0eb2adaf85444f76ab1a615ad1f2376b45716c370d74868d metadata: - alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"padding_input"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log":"File /test_folder/TEST_VALID_ALERT.txt added\nMode: scheduled\n","syscheck":{"path":"/test_folder/TEST_VALID_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe","sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' + alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"padding_input"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log":"File /test_folder/TEST_CHANGED_INODE_ALERT.txt added\nMode: 
scheduled\n","syscheck":{"path":"/test_folder/TEST_CHANGED_INODE_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe","sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' alert_type: 'inode_changed' - name: 'Read valid json alert' 
@@ -30,3 +29,11 @@ metadata: alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"padding_input"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log":"File /test_folder/TEST_OVERLONG_ALERT.txt added\nMode: scheduled\n","syscheck":{"path":"/test_folder/TEST_OVERLONG_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe","sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' alert_type: 'overlong' + +- name: 'Cannot read alerts - Json File Deleted' + description: 'The alerts.json file is missing and it cannot read alerts from it. If a new file is created it will read it.' 
+ configuration_parameters: + API_KEY: 8512012a5ebf7eee0eb2adaf85444f76ab1a615ad1f2376b45716c370d74868d + metadata: + alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"padding_input"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log":"File /test_folder/TEST_MISSING_JSON_ALERT.txt added\nMode: scheduled\n","syscheck":{"path":"/test_folder/TEST_MISSING_JSON_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe","sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' + alert_type: 'json_missing' From 380f82559180f64b70e92017338bfeef66527b88 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Fri, 22 Jul 2022 09:04:35 -0300 Subject: [PATCH 12/43] Add: truncate_monitored_files fixture --- tests/integration/conftest.py | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/tests/integration/conftest.py b/tests/integration/conftest.py index 48387d45d1..b73f790870 100644 --- a/tests/integration/conftest.py +++ b/tests/integration/conftest.py 
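Review bot: The added case carries `API_KEY: 8512012a5ebf7eee0eb2adaf85444f76ab1a615ad1f2376b45716c370d74868d`, a 64-hex-character value in the shape of a real VirusTotal API key, committed in plain text; the same value already sits in the cases above and is copied again into the new `cases_integratord_read_json_file_deleted.yaml` in PATCH 14. If this key was ever valid it must be revoked and rotated, since it remains in repository history regardless of later edits; if it is a dummy, say so beside it (`# placeholder value, not a live key`). Either way, prefer supplying the key through an environment variable or a `configuration_parameters` override so a working key never has to be pasted into a tracked file.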
@@ -90,15 +90,13 @@ def restart_wazuh(get_configuration, request): @pytest.fixture(scope='function') def restart_wazuh_function(daemons=None): - """Restarts before starting a test, and stop it after finishing, and cleans the log files.""" - truncate_file(LOG_FILE_PATH) - truncate_file(ALERT_FILE_PATH) + """Restarts before starting a test, and stop it after finishing. + Args: + daemons(List): List of wazuh daemons that need to be restarted. Default restarts al daemons. + """ control_service('restart', daemons) yield control_service('stop',daemons) - truncate_file(LOG_FILE_PATH) - truncate_file(ALERT_FILE_PATH) - @pytest.fixture(scope='module') @@ -865,6 +863,22 @@ def configure_local_internal_options_module(request): logger.debug(f"Restore local_internal_option to {str(backup_local_internal_options)}") conf.set_local_internal_options_dict(backup_local_internal_options) + + +@pytest.fixture(scope='function') +def truncate_monitored_files(): + """Truncate all the log files and json alerts files before and after the test execution""" + log_files = [LOG_FILE_PATH, ALERT_FILE_PATH] + + for log_file in log_files: + truncate_file(log_file) + + yield + + for log_file in log_files: + truncate_file(log_file) + + @pytest.fixture(scope='function') def set_wazuh_configuration(configuration): """Set wazuh configuration From a5a9282eccea0ab807874b27205d2fd8ca525738 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Fri, 22 Jul 2022 09:25:06 -0300 Subject: [PATCH 13/43] Fix: refactor read_json_alerts and extract cases --- .../modules/integratord/__init__.py | 2 +- .../config_integratord_read_json_alerts.yaml | 2 + .../cases_integratord_read_json_alerts.yaml | 16 ---- .../test_integratord_read_json_alerts.py | 81 +++++++++---------- 4 files changed, 42 insertions(+), 59 deletions(-) diff --git a/deps/wazuh_testing/wazuh_testing/modules/integratord/__init__.py b/deps/wazuh_testing/wazuh_testing/modules/integratord/__init__.py index d0254545be..c45bc221e7 100644 
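Review bot: The new docstring reads `Default restarts al daemons.` — `all` — and `daemons(List)` does not follow the `name (type): description` form that `set_wazuh_configuration` uses in the same file (`configuration (dict): ...`); `daemons (list, optional): ...` would match. The summary line `Restarts before starting a test, and stop it after finishing.` also has no subject — `Restart the Wazuh daemons before the test and stop them afterwards.` says what the fixture does.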
--- a/deps/wazuh_testing/wazuh_testing/modules/integratord/__init__.py +++ b/deps/wazuh_testing/wazuh_testing/modules/integratord/__init__.py @@ -8,7 +8,7 @@ # Callbacks CB_VIRUSTOTAL_ENABLED = ".*wazuh-integratord.*Enabling integration for: 'virustotal'.*" -CB_VIRUSTOTAL_JSON_ALERT = '.*VirusTotal: Alert - .*integration\":\"virustotal\".*' +CB_VIRUSTOTAL_ALERT = '.*wazuh-integratord.*alert_id.*\"integration\": \"virustotal\".*' CB_INVALID_JSON_ALERT_READ = '.*wazuh-integratord.*WARNING: Invalid JSON alert read.*' CB_OVERLONG_JSON_ALERT_READ = '.*wazuh-integratord.*WARNING: Overlong JSON alert read.*' CB_ALERTS_FILE_INODE_CHANGED = '.*wazuh-integratord.*DEBUG: jqueue_next\(\): Alert file inode changed.*' diff --git a/tests/integration/test_integratord/data/configuration_template/config_integratord_read_json_alerts.yaml b/tests/integration/test_integratord/data/configuration_template/config_integratord_read_json_alerts.yaml index eea7e2813e..e39ef95baa 100644 --- a/tests/integration/test_integratord/data/configuration_template/config_integratord_read_json_alerts.yaml +++ b/tests/integration/test_integratord/data/configuration_template/config_integratord_read_json_alerts.yaml @@ -3,6 +3,8 @@ - all apply_to_modules: - test_integratord_read_json_alerts + - test_integratord_change_inode_alert + - test_integratord_read_json_file_deleted sections: - section: integration elements: diff --git a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_alerts.yaml b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_alerts.yaml index cb55d50e50..b9288992fd 100644 --- a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_alerts.yaml +++ b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_alerts.yaml 
@@ -1,11 +1,3 @@ -- name: 'Cannot read alerts - Inode changed' - description: 'The alerts.json file inode has changed and it cannot read alerts from it until it reloads.' - configuration_parameters: - API_KEY: 8512012a5ebf7eee0eb2adaf85444f76ab1a615ad1f2376b45716c370d74868d - metadata: - alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"padding_input"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log":"File /test_folder/TEST_CHANGED_INODE_ALERT.txt added\nMode: scheduled\n","syscheck":{"path":"/test_folder/TEST_CHANGED_INODE_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe","sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' - alert_type: 'inode_changed' - - name: 'Read valid json alert' description: 'Read a valid alert from alerts.json' configuration_parameters: 
@@ -29,11 +21,3 @@ metadata: alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"padding_input"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log":"File /test_folder/TEST_OVERLONG_ALERT.txt added\nMode: scheduled\n","syscheck":{"path":"/test_folder/TEST_OVERLONG_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe","sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' alert_type: 'overlong' - -- name: 'Cannot read alerts - Json File Deleted' - description: 'The alerts.json file is missing and it cannot read alerts from it. If a new file is created it will read it.' 
- configuration_parameters: - API_KEY: 8512012a5ebf7eee0eb2adaf85444f76ab1a615ad1f2376b45716c370d74868d - metadata: - alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"padding_input"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log":"File /test_folder/TEST_MISSING_JSON_ALERT.txt added\nMode: scheduled\n","syscheck":{"path":"/test_folder/TEST_MISSING_JSON_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe","sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' - alert_type: 'json_missing' diff --git a/tests/integration/test_integratord/test_integratord_read_json_alerts.py b/tests/integration/test_integratord/test_integratord_read_json_alerts.py index c3207d635d..69fb4f5085 100644 --- a/tests/integration/test_integratord/test_integratord_read_json_alerts.py +++ b/tests/integration/test_integratord/test_integratord_read_json_alerts.py 
@@ -32,14 +32,13 @@ - virustotal ''' import os -import time import pytest +import yaml from wazuh_testing import global_parameters from wazuh_testing.tools import WAZUH_PATH, LOG_FILE_PATH, ALERT_FILE_PATH -from wazuh_testing.tools.file import remove_file, copy from wazuh_testing.modules.integratord import (ERR_MSG_VIRUSTOTAL_ALERT_NOT_DETECTED, ERR_MSG_INVALID_ALERT_NOT_FOUND, - ERR_MSG_OVERLONG_ALERT_NOT_FOUND,ERR_MSG_ALERT_INODE_CHANGED_NOT_FOUND, CB_VIRUSTOTAL_JSON_ALERT, - CB_INVALID_JSON_ALERT_READ,CB_OVERLONG_JSON_ALERT_READ,CB_ALERTS_FILE_INODE_CHANGED) + ERR_MSG_OVERLONG_ALERT_NOT_FOUND,CB_VIRUSTOTAL_ALERT, CB_INVALID_JSON_ALERT_READ, + CB_OVERLONG_JSON_ALERT_READ) from wazuh_testing.tools.configuration import get_test_cases_data, load_configuration_template from wazuh_testing.tools.monitoring import FileMonitor, callback_generator @@ -62,15 +61,11 @@ configuration_metadata) local_internal_options = {'integrator.debug': '2'} -# Variables -TEMP_FILE_PATH = os.path.join(WAZUH_PATH, 'logs/alerts/alerts.json.tmp') - - # Tests @pytest.mark.tier(level=1) @pytest.mark.parametrize('configuration, metadata', zip(configurations, configuration_metadata), ids=case_ids) -def test_integratord_read_json_alerts(configuration, metadata, +def test_integratord_read_json_alerts(configuration, metadata, set_wazuh_configuration, truncate_monitored_files, configure_local_internal_options_module,restart_wazuh_function, wait_for_start_module): ''' description: Check that when a given alert is inserted into alerts.json, integratord works as expected. In case 
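Review bot: `import yaml` is added in the first hunk but nothing in this patch's new code uses it, and once the second hunk removes `TEMP_FILE_PATH` the `WAZUH_PATH` import has no remaining user either, as far as the visible hunks show; drop both, leaving `from wazuh_testing.tools import LOG_FILE_PATH, ALERT_FILE_PATH`. The `wazuh_testing.modules.integratord` import still mixes `ERR_MSG_OVERLONG_ALERT_NOT_FOUND,CB_VIRUSTOTAL_ALERT` with spaced commas on the same statement, and the new signature line `configure_local_internal_options_module,restart_wazuh_function, wait_for_start_module` has the same inconsistency.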
@@ -79,55 +74,57 @@ def test_integratord_read_json_alerts(configuration, metadata, wazuh_min_version: 4.3.5 tier: 1 parameters: + - configuration: + type: dict + brief: Configuration loaded from `configuration_template`. + - metadata: + type: dict + brief: Test case metadata. + - set_wazuh_configuration: + type: fixture + brief: Set wazuh configuration. + - truncate_monitored_files: + type: fixture + brief: Truncate all the log files and json alerts files before and after the test execution. - configure_local_internal_options_module: type: fixture brief: Configure the local internal options file. + - restart_wazuh_function: + type: fixture + brief: Restart wazuh-modulesd daemon before starting a test, and stop it after finishing. + - wait_for_start_module: + type: fixture + brief: Detect the start of the Integratord module in the ossec.log assertions: - - Verify that FIM changes the monitoring mode from 'realtime' to 'scheduled' when it is not supported. - input_description: A test case (ossec_conf) is contained in external YAML file (wazuh_conf_check_realtime.yaml) - which includes configuration settings for the 'wazuh-syscheckd' daemon and, it is combined - with the testing directory to be monitored defined in this module. + - Verify the expected response with for a given alert is recieved + input_description: + - The `config_integratord_read_json_alerts.yaml` file provides the module configuration for this test. + - The `cases_integratord_read_json_alerts` file provides the test cases. 
expected_output: - r'.*Sending FIM event: (.+)$' ('added', 'modified' and 'deleted' events) ''' sample = metadata['alert_sample'] wazuh_monitor = FileMonitor(LOG_FILE_PATH) + if metadata['alert_type'] == 'valid': - wazuh_monitor = FileMonitor(ALERT_FILE_PATH) - callback = CB_VIRUSTOTAL_JSON_ALERT + #wazuh_monitor = FileMonitor(ALERT_FILE_PATH) + callback = CB_VIRUSTOTAL_ALERT error_message = ERR_MSG_VIRUSTOTAL_ALERT_NOT_DETECTED + elif metadata['alert_type'] == 'invalid': callback = CB_INVALID_JSON_ALERT_READ error_message = ERR_MSG_INVALID_ALERT_NOT_FOUND + elif metadata['alert_type'] == 'overlong': - padding = "0"*90000 - sample = sample.replace("padding_input","agent_"+padding) callback = CB_OVERLONG_JSON_ALERT_READ error_message = ERR_MSG_OVERLONG_ALERT_NOT_FOUND - elif metadata['alert_type'] == 'inode_changed': - callback = CB_ALERTS_FILE_INODE_CHANGED - error_message = ERR_MSG_ALERT_INODE_CHANGED_NOT_FOUND - - # Insert custom Alert - if metadata['alert_type'] == 'inode_changed': - for n in range(3): - os.system(f"echo '{sample}' >> {ALERT_FILE_PATH}") - copy(ALERT_FILE_PATH, TEMP_FILE_PATH) - remove_file(ALERT_FILE_PATH) - result = wazuh_monitor.start(timeout=global_parameters.default_timeout, - callback=callback_generator(callback), - error_message=error_message).result() - time.sleep(3) - copy(TEMP_FILE_PATH,ALERT_FILE_PATH) - wazuh_monitor = FileMonitor(ALERT_FILE_PATH) - callback = CB_VIRUSTOTAL_JSON_ALERT - error_message = ERR_MSG_VIRUSTOTAL_ALERT_NOT_DETECTED - - else: - os.system(f"echo '{sample}' >> {ALERT_FILE_PATH}") - + # Add 90kb of padding to alert to make it go over the allowed value of 64KB. 
+ padding = "0"*90000 + sample = sample.replace("padding_input","agent_"+padding) + + os.system(f"echo '{sample}' >> {ALERT_FILE_PATH}") + # Read Response in ossec.log - result = wazuh_monitor.start(timeout=global_parameters.default_timeout, - callback=callback_generator(callback), - error_message=error_message).result() + wazuh_monitor.start(timeout=global_parameters.default_timeout, callback=callback_generator(callback), + error_message=error_message).result() From be68835540ceac92234247b3b74077273d25e95d Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Fri, 22 Jul 2022 10:38:16 -0300 Subject: [PATCH 14/43] Add: new read_json_file_deleted test module --- ...es_integratord_read_json_file_deleted.yaml | 7 ++ ...test_integratord_read_json_file_deleted.py | 106 ++++++++++++++++++ 2 files changed, 113 insertions(+) create mode 100644 tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_file_deleted.yaml create mode 100644 tests/integration/test_integratord/test_integratord_read_json_file_deleted.py diff --git a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_file_deleted.yaml b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_file_deleted.yaml new file mode 100644 index 0000000000..95a0f1d334 --- /dev/null +++ b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_file_deleted.yaml 
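Review bot: The new body keeps a commented-out statement, `#wazuh_monitor = FileMonitor(ALERT_FILE_PATH)`, in the `valid` branch; delete it, since the monitor is now deliberately `LOG_FILE_PATH` and `CB_VIRUSTOTAL_ALERT` targets the integratord log line. There is still no fallthrough for an `alert_type` outside `valid`/`invalid`/`overlong`, so a typo in the cases file surfaces as a `NameError` on `callback` rather than a clear failure; add `else: pytest.fail(f"Unknown alert_type: {metadata['alert_type']}")` after the chain. In the docstring, the brief for `restart_wazuh_function` says it restarts `wazuh-modulesd`, but the fixture added in PATCH 07 restarts all daemons, and `Verify the expected response with for a given alert is recieved` needs rewording.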
@@ -0,0 +1,7 @@ +- name: 'Cannot read alerts - Json File Deleted' + description: 'The alerts.json file is missing and it cannot read alerts from it. If a new file is created it will read it.' + configuration_parameters: + API_KEY: 8512012a5ebf7eee0eb2adaf85444f76ab1a615ad1f2376b45716c370d74868d + metadata: + alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"padding_input"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log":"File /test_folder/TEST_MISSING_JSON_ALERT.txt added\nMode: scheduled\n","syscheck":{"path":"/test_folder/TEST_MISSING_JSON_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe","sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' + alert_type: 'json_missing' diff --git a/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py b/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py new file mode 100644 index 0000000000..bfdf098df2 --- /dev/null +++ b/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py 
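Review bot: The `API_KEY` value under `configuration_parameters` is a 64-hex-character string in exactly the shape of a VirusTotal API key, committed in plain text, and the same value reappears in `cases_integratord_change_inode_alert.yaml` later in this series. If it is a live key it needs to be revoked and rotated; if it is a dummy, it will still trip secret scanners on every push, so an obviously synthetic value such as `API_KEY: 'DUMMY_VIRUSTOTAL_API_KEY_<64hex>'` (or injecting the value from the environment at test time, if the template allows it) is preferable. Separately, the `description` field loses its subject mid-sentence; `'The alerts.json file is missing, so integratord cannot read alerts from it. Once a new file is created it reads from it again.'` says the same thing clearly.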
@@ -0,0 +1,106 @@ +''' +copyright: Copyright (C) 2015-2022, Wazuh Inc. + Created by Wazuh, Inc. . + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration +brief: Integratord manages wazuh integrations with other applications such as Yara or Virustotal, by feeding +the integrated aplications with the alerts located in alerts.json file. This test module aims to validate that +given a specific alert, the expected response is recieved, depending if it is a valid/invalid json alert, an +overlong alert (64kb+) or what happens when it cannot read the file because it is missing. +components: + - integratord +suite: integratord_read_json_alerts +targets: + - agent +daemons: + - wazuh-integratord +os_platform: + - Linux +os_version: + - Centos 8 + - Ubuntu Focal +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/virustotal-scan/integration.html + - https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-integratord.htm +pytest_args: + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. + 1: Only level 1 tests are performed, they check functionalities of medium complexity. + 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. 
+tags: + - virustotal +''' +import os +import time +import pytest +from wazuh_testing import global_parameters +from wazuh_testing.tools import LOG_FILE_PATH, ALERT_FILE_PATH +from wazuh_testing.tools.file import remove_file +from wazuh_testing.modules.integratord import (ERR_MSG_VIRUSTOTAL_ALERT_NOT_DETECTED, CB_VIRUSTOTAL_ALERT, + ERR_MSG_CANNOT_RETRIEVE_MSG_NOT_FOUND, CB_CANNOT_RETRIEVE_JSON_FILE) +from wazuh_testing.tools.configuration import get_test_cases_data, load_configuration_template +from wazuh_testing.tools.monitoring import FileMonitor, callback_generator + + +# Marks +pytestmark = [pytest.mark.server] + +# Reference paths +TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') +CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration_template') +TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases') + +# Configuration and cases data +configurations_path = os.path.join(CONFIGURATIONS_PATH, 'config_integratord_read_json_alerts.yaml') +cases_path = os.path.join(TEST_CASES_PATH, 'cases_integratord_read_json_file_deleted.yaml') + +# Configurations +configuration_parameters, configuration_metadata, case_ids = get_test_cases_data(cases_path) +configurations = load_configuration_template(configurations_path, configuration_parameters, + configuration_metadata) +local_internal_options = {'integrator.debug': '2'} + + +# Tests +@pytest.mark.tier(level=1) +@pytest.mark.parametrize('configuration, metadata', + zip(configurations, configuration_metadata), ids=case_ids) +def test_integratord_read_json_alerts(configuration, metadata, set_wazuh_configuration, truncate_monitored_files, + configure_local_internal_options_module,restart_wazuh_function, wait_for_start_module): + ''' + description: Check that if while integratord is reading from the alerts.json file, it is deleted, the expected + error message is displayed, and if the file is created again and alerts are inserted, integratord continues + working and alerts are 
read + wazuh_min_version: 4.3.5 + tier: 1 + parameters: + - configure_local_internal_options_module: + type: fixture + brief: Configure the local internal options file. + assertions: + - Verify that FIM changes the monitoring mode from 'realtime' to 'scheduled' when it is not supported. + input_description: A test case (ossec_conf) is contained in external YAML file (wazuh_conf_check_realtime.yaml) + which includes configuration settings for the 'wazuh-syscheckd' daemon and, it is combined + with the testing directory to be monitored defined in this module. + expected_output: + - r'.*Sending FIM event: (.+)$' ('added', 'modified' and 'deleted' events) + + ''' + sample = metadata['alert_sample'] + wazuh_monitor = FileMonitor(LOG_FILE_PATH) + + remove_file(ALERT_FILE_PATH) + + result = wazuh_monitor.start(timeout=global_parameters.default_timeout, + callback=callback_generator(CB_CANNOT_RETRIEVE_JSON_FILE), + error_message=ERR_MSG_CANNOT_RETRIEVE_MSG_NOT_FOUND).result() + # Create file and insert alert. Wait one seconf so Integrator detects the file before the insertion + os.system(f"touch {ALERT_FILE_PATH} && chmod 640 {ALERT_FILE_PATH} && chown wazuh:wazuh {ALERT_FILE_PATH}") + time.sleep(1) + os.system(f"echo '{sample}' >> {ALERT_FILE_PATH}") + + # Read Response in ossec.log + result = wazuh_monitor.start(timeout=global_parameters.default_timeout*2, + callback=callback_generator(CB_VIRUSTOTAL_ALERT), + error_message=ERR_MSG_VIRUSTOTAL_ALERT_NOT_DETECTED).result() From 34742893d406f7ff819b0fcfa58b29bef6a08dd6 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Fri, 22 Jul 2022 10:45:31 -0300 Subject: [PATCH 15/43] Docu: updated documentation --- .../test_integratord_read_json_alerts.py | 4 ++- ...test_integratord_read_json_file_deleted.py | 29 +++++++++++++++---- 2 files changed, 27 insertions(+), 6 deletions(-) 
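Review bot: The alert is written to `ALERT_FILE_PATH` by interpolating `metadata['alert_sample']` into a shell string, `os.system(f"echo '{sample}' >> {ALERT_FILE_PATH}")`, so any sample containing a single quote, a backslash or a `$` is rewritten by the shell before it reaches the file, and the `touch && chmod 640 && chown wazuh:wazuh` line also discards its exit status, so a failed `chown` leaves the file unreadable by the daemon and the test then fails on the second monitor with a misleading message. Writing the file from Python removes both problems and needs no shell at all; the same `os.system(f"echo '{sample}' ...")` pattern appears in `test_integratord_read_json_alerts.py` (the overlong-padding hunk) and in `test_integratord_change_inode_alert.py`, which should follow the same approach. The two `result = wazuh_monitor.start(...)` assignments are never read, so the `result =` prefix can be dropped. The rewrite below needs `import shutil` added to the module's imports.
```python
    remove_file(ALERT_FILE_PATH)

    wazuh_monitor.start(timeout=global_parameters.default_timeout,
                        callback=callback_generator(CB_CANNOT_RETRIEVE_JSON_FILE),
                        error_message=ERR_MSG_CANNOT_RETRIEVE_MSG_NOT_FOUND).result()

    # Recreate the alerts file with the daemon's ownership and mode before inserting the alert,
    # then give integratord a moment to notice the new file before the insertion.
    with open(ALERT_FILE_PATH, 'a'):
        pass
    os.chmod(ALERT_FILE_PATH, 0o640)
    shutil.chown(ALERT_FILE_PATH, user='wazuh', group='wazuh')
    time.sleep(1)
    with open(ALERT_FILE_PATH, 'a') as alerts_file:
        alerts_file.write(sample + '\n')

    # … unchanged: second wazuh_monitor.start(...) waiting for CB_VIRUSTOTAL_ALERT …
```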
diff --git a/tests/integration/test_integratord/test_integratord_read_json_alerts.py b/tests/integration/test_integratord/test_integratord_read_json_alerts.py index 69fb4f5085..037a799e32 100644 --- a/tests/integration/test_integratord/test_integratord_read_json_alerts.py +++ b/tests/integration/test_integratord/test_integratord_read_json_alerts.py @@ -101,7 +101,9 @@ def test_integratord_read_json_alerts(configuration, metadata, set_wazuh_configu - The `config_integratord_read_json_alerts.yaml` file provides the module configuration for this test. - The `cases_integratord_read_json_alerts` file provides the test cases. expected_output: - - r'.*Sending FIM event: (.+)$' ('added', 'modified' and 'deleted' events) + - r'.*wazuh-integratord.*alert_id.*\"integration\": \"virustotal\".*' + - r'.*wazuh-integratord.*WARNING: Invalid JSON alert read.*' + - r'.*wazuh-integratord.*WARNING: Overlong JSON alert read.*' ''' sample = metadata['alert_sample'] diff --git a/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py b/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py index bfdf098df2..92bde926fe 100644 --- a/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py +++ b/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py 
@@ -75,16 +75,35 @@ def test_integratord_read_json_alerts(configuration, metadata, set_wazuh_configu wazuh_min_version: 4.3.5 tier: 1 parameters: + - configuration: + type: dict + brief: Configuration loaded from `configuration_template`. + - metadata: + type: dict + brief: Test case metadata. + - set_wazuh_configuration: + type: fixture + brief: Set wazuh configuration. + - truncate_monitored_files: + type: fixture + brief: Truncate all the log files and json alerts files before and after the test execution. - configure_local_internal_options_module: type: fixture brief: Configure the local internal options file. + - restart_wazuh_function: + type: fixture + brief: Restart wazuh-modulesd daemon before starting a test, and stop it after finishing. + - wait_for_start_module: + type: fixture + brief: Detect the start of the Integratord module in the ossec.log assertions: - - Verify that FIM changes the monitoring mode from 'realtime' to 'scheduled' when it is not supported. - input_description: A test case (ossec_conf) is contained in external YAML file (wazuh_conf_check_realtime.yaml) - which includes configuration settings for the 'wazuh-syscheckd' daemon and, it is combined - with the testing directory to be monitored defined in this module. + - Verify the expected response with for a given alert is recieved + input_description: + - The `config_integratord_read_json_alerts.yaml` file provides the module configuration for this test. + - The `cases_integratord_read_json_file_deleted` file provides the test cases. expected_output: - - r'.*Sending FIM event: (.+)$' ('added', 'modified' and 'deleted' events) + - r'.*wazuh-integratord.*ERROR.*Could not retrieve information of file.*alerts\.json.*No such file.*' + - r'.*wazuh-integratord.*alert_id.*\"integration\": \"virustotal\".*' ''' sample = metadata['alert_sample'] From 0f9f1f7f10204b13c70c077ad79ce8255561d198 Mon Sep 17 00:00:00 2001 
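Review bot: The new `restart_wazuh_function` entry reads `brief: Restart wazuh-modulesd daemon before starting a test, and stop it after finishing.` although this module lists `wazuh-integratord` as its daemon, so the brief looks copied from a modulesd test; it should name the daemon the fixture actually restarts (wazuh-integratord, or the whole manager if that is what the fixture does). The assertion line `Verify the expected response with for a given alert is recieved` should read `Verify that the expected response for a given alert is received`, and the second `input_description` bullet should carry the `.yaml` suffix like the first one. The same docstring block, with the same three issues, is pasted into `test_integratord_change_inode_alert.py` later in this series.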
From: Deblintrake09 Date: Mon, 25 Jul 2022 10:23:31 -0300 Subject: [PATCH 16/43] Add: new callbacks and error messages --- .../wazuh_testing/modules/integratord/__init__.py | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/deps/wazuh_testing/wazuh_testing/modules/integratord/__init__.py b/deps/wazuh_testing/wazuh_testing/modules/integratord/__init__.py index c45bc221e7..7e354a2fe3 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/integratord/__init__.py +++ b/deps/wazuh_testing/wazuh_testing/modules/integratord/__init__.py @@ -8,10 +8,16 @@ # Callbacks CB_VIRUSTOTAL_ENABLED = ".*wazuh-integratord.*Enabling integration for: 'virustotal'.*" +CB_INTEGRATORD_SENDING_ALERT = '.*wazuh-integratord.*DEBUG: sending new alert' +CB_PROCESSING_ALERT = '.*wazuh-integratord.*Processing alert.*' +CB_INTEGRATORD_THREAD_READY ='.*wazuh-integratord.*DEBUG: Local requests thread ready' CB_VIRUSTOTAL_ALERT = '.*wazuh-integratord.*alert_id.*\"integration\": \"virustotal\".*' +CB_VIRUSTOTAL_ALERT_JSON = '.*VirusTotal: Alert.*\"integration\":\"virustotal\".*' CB_INVALID_JSON_ALERT_READ = '.*wazuh-integratord.*WARNING: Invalid JSON alert read.*' CB_OVERLONG_JSON_ALERT_READ = '.*wazuh-integratord.*WARNING: Overlong JSON alert read.*' -CB_ALERTS_FILE_INODE_CHANGED = '.*wazuh-integratord.*DEBUG: jqueue_next\(\): Alert file inode changed.*' +CB_ALERTS_FILE_INODE_CHANGED = '.*wazuh-integratord.*DEBUG: jqueue_next.*Alert file inode changed.*' +CB_CANNOT_RETRIEVE_JSON_FILE = '.*wazuh-integratord.*ERROR.*Could not retrieve information of file.*'\ + 'alerts\.json.*No such file.*' # Error messages ERR_MSG_VIRUST_TOTAL_ENABLED_NOT_FOUND = 'Did not recieve the expected "Enabling integration for virustotal"' 
@@ -19,3 +25,6 @@ ERR_MSG_INVALID_ALERT_NOT_FOUND = 'Did not recieve the expected "...Invalid JSON alert read..." event' ERR_MSG_OVERLONG_ALERT_NOT_FOUND = 'Did not recieve the expected "...Overlong JSON alert read..." event' ERR_MSG_ALERT_INODE_CHANGED_NOT_FOUND = 'Did not recieve the expected "...Alert file inode changed..." event' +ERR_MSG_CANNOT_RETRIEVE_MSG_NOT_FOUND = 'Did not recieve the expected "...Could not retrieve information/open file"' +ERR_MSG_SENDING_ALERT_NOT_FOUND = 'Did not recieve the expected "...sending new alert" event' +ERR_MSG_PROCESSING_ALERT_NOT_FOUND = 'Did not recieve the expected "...Procesing alert" event' From 8673408a96efe3063c522f319218ca24b9ccdf07 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Mon, 25 Jul 2022 10:25:53 -0300 Subject: [PATCH 17/43] Fix: extract variables and fix format --- tests/integration/test_integratord/conftest.py | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/tests/integration/test_integratord/conftest.py b/tests/integration/test_integratord/conftest.py index 54a5de10a2..45d69efea0 100644 --- a/tests/integration/test_integratord/conftest.py +++ b/tests/integration/test_integratord/conftest.py 
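Review bot: `ERR_MSG_PROCESSING_ALERT_NOT_FOUND` quotes `"...Procesing alert"`, which is not the text `CB_PROCESSING_ALERT` waits for, and every new message repeats the existing `recieve` misspelling; these strings are what a failing test prints, so they should quote the awaited event exactly, e.g. `ERR_MSG_PROCESSING_ALERT_NOT_FOUND = 'Did not receive the expected "...Processing alert" event'`. `ERR_MSG_CANNOT_RETRIEVE_MSG_NOT_FOUND` similarly says `"...Could not retrieve information/open file"` while `CB_CANNOT_RETRIEVE_JSON_FILE` only matches `Could not retrieve information of file ... No such file`, so the message and the pattern should agree. No error message is added for `CB_INTEGRATORD_THREAD_READY`, which `conftest.py` starts using in the next patch.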
@@ -4,17 +4,19 @@ This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 ''' + import pytest from wazuh_testing.tools import LOG_FILE_PATH from wazuh_testing.tools.monitoring import FileMonitor, callback_generator -from wazuh_testing.modules.integratord import (CB_VIRUSTOTAL_ENABLED,ERR_MSG_VIRUST_TOTAL_ENABLED_NOT_FOUND) +from wazuh_testing.modules import integratord as integrator +# Fixtures @pytest.fixture(scope='function') def wait_for_start_module(request): # Wait for Virustotal Integration to start file_monitor = FileMonitor(LOG_FILE_PATH) - file_monitor.start(timeout=20, callback=callback_generator(CB_VIRUSTOTAL_ENABLED), - error_message=ERR_MSG_VIRUST_TOTAL_ENABLED_NOT_FOUND) + file_monitor.start(timeout=20, callback=callback_generator(integrator.CB_INTEGRATORD_THREAD_READY), + error_message=integrator.ERR_MSG_VIRUST_TOTAL_ENABLED_NOT_FOUND) From a6367365443e6a5634d450abb3aacaf5dda4b12c Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Mon, 25 Jul 2022 10:29:07 -0300 Subject: [PATCH 18/43] refactor: delete unecesary metadata --- .../test_cases/cases_integratord_read_json_file_deleted.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_file_deleted.yaml b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_file_deleted.yaml index 95a0f1d334..457b82d355 100644 --- a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_file_deleted.yaml +++ b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_file_deleted.yaml 
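Review bot: The fixture now waits for `integrator.CB_INTEGRATORD_THREAD_READY` but still reports `integrator.ERR_MSG_VIRUST_TOTAL_ENABLED_NOT_FOUND` on timeout, so a failure here tells the reader the VirusTotal integration never enabled when what actually did not appear is the "Local requests thread ready" line; the comment `# Wait for Virustotal Integration to start` is stale for the same reason. Define a matching error-message constant next to the callback in the integratord module and pass it here, and reword the comment to `# Wait for integratord's local requests thread to be ready`. The rest of the file is outside this hunk.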
@@ -4,4 +4,3 @@ API_KEY: 8512012a5ebf7eee0eb2adaf85444f76ab1a615ad1f2376b45716c370d74868d metadata: alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"padding_input"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log":"File /test_folder/TEST_MISSING_JSON_ALERT.txt added\nMode: scheduled\n","syscheck":{"path":"/test_folder/TEST_MISSING_JSON_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe","sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' - alert_type: 'json_missing' From 3d2024159be6df673f3d241d0732041c61079074 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Mon, 25 Jul 2022 10:29:59 -0300 Subject: [PATCH 19/43] Add: new test change_inode_alert --- .../cases_integratord_change_inode_alert.yaml | 6 + .../test_integratord_change_inode_alert.py | 140 ++++++++++++++++++ 2 files changed, 146 insertions(+) create mode 100644 tests/integration/test_integratord/data/test_cases/cases_integratord_change_inode_alert.yaml create mode 100644 tests/integration/test_integratord/test_integratord_change_inode_alert.py 
diff --git a/tests/integration/test_integratord/data/test_cases/cases_integratord_change_inode_alert.yaml b/tests/integration/test_integratord/data/test_cases/cases_integratord_change_inode_alert.yaml new file mode 100644 index 0000000000..d906c5f53a --- /dev/null +++ b/tests/integration/test_integratord/data/test_cases/cases_integratord_change_inode_alert.yaml @@ -0,0 +1,6 @@ +- name: 'Cannot read alerts - Inode changed' + description: 'The alerts.json file inode has changed and it cannot read alerts from it until it reloads.' + configuration_parameters: + API_KEY: 8512012a5ebf7eee0eb2adaf85444f76ab1a615ad1f2376b45716c370d74868d + metadata: + alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"padding_input"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log":"File /test_folder/TEST_CHANGED_INODE_ALERT.txt added\nMode: scheduled\n","syscheck":{"path":"/test_folder/TEST_CHANGED_INODE_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe","sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' diff --git a/tests/integration/test_integratord/test_integratord_change_inode_alert.py b/tests/integration/test_integratord/test_integratord_change_inode_alert.py new file mode 100644 index 0000000000..59bde24edf --- /dev/null 
+++ b/tests/integration/test_integratord/test_integratord_change_inode_alert.py 
@@ -0,0 +1,140 @@ +''' +copyright: Copyright (C) 2015-2022, Wazuh Inc. + Created by Wazuh, Inc. . + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration +brief: Integratord manages wazuh integrations with other applications such as Yara or Virustotal, by feeding +the integrated aplications with the alerts located in alerts.json file. This test module aims to validate that +given a specific alert, the expected response is recieved, depending if it is a valid/invalid json alert, an +overlong alert (64kb+) or what happens when it cannot read the file because it is missing. +components: + - integratord +suite: integratord_read_json_alerts +targets: + - agent +daemons: + - wazuh-integratord +os_platform: + - Linux +os_version: + - Centos 8 + - Ubuntu Focal +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/virustotal-scan/integration.html + - https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-integratord.htm +pytest_args: + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. + 1: Only level 1 tests are performed, they check functionalities of medium complexity. + 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. 
+tags: + - virustotal +''' +import os +import time +import pytest +from wazuh_testing import global_parameters +from wazuh_testing.tools import WAZUH_PATH, LOG_FILE_PATH, ALERT_FILE_PATH +from wazuh_testing.tools.file import remove_file, copy +from wazuh_testing.modules import integratord as integrator +from wazuh_testing.tools.configuration import get_test_cases_data, load_configuration_template +from wazuh_testing.tools.monitoring import FileMonitor, callback_generator + + +# Marks +pytestmark = [pytest.mark.server] + +# Reference paths +TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') +CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration_template') +TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases') + +# Configuration and cases data +configurations_path = os.path.join(CONFIGURATIONS_PATH, 'config_integratord_read_json_alerts.yaml') +cases_path = os.path.join(TEST_CASES_PATH, 'cases_integratord_change_inode_alert.yaml') + +# Configurations +configuration_parameters, configuration_metadata, case_ids = get_test_cases_data(cases_path) +configurations = load_configuration_template(configurations_path, configuration_parameters, + configuration_metadata) +local_internal_options = {'integrator.debug': '2'} + +# Variables +TEMP_FILE_PATH = os.path.join(WAZUH_PATH, 'logs/alerts/alerts.json.tmp') + + +# Tests +@pytest.mark.tier(level=1) +@pytest.mark.parametrize('configuration, metadata', + zip(configurations, configuration_metadata), ids=case_ids) +def test_integratord_change_json_inode(configuration, metadata, set_wazuh_configuration, truncate_monitored_files, + configure_local_internal_options_module, restart_wazuh_function, + wait_for_start_module): + ''' + description: Check that when a given alert is inserted into alerts.json, integratord works as expected. + wazuh_min_version: 4.3.5 + tier: 1 + parameters: + - configuration: + type: dict + brief: Configuration loaded from `configuration_template`. 
+ - metadata: + type: dict + brief: Test case metadata. + - set_wazuh_configuration: + type: fixture + brief: Set wazuh configuration. + - truncate_monitored_files: + type: fixture + brief: Truncate all the log files and json alerts files before and after the test execution. + - configure_local_internal_options_module: + type: fixture + brief: Configure the local internal options file. + - restart_wazuh_function: + type: fixture + brief: Restart wazuh-modulesd daemon before starting a test, and stop it after finishing. + - wait_for_start_module: + type: fixture + brief: Detect the start of the Integratord module in the ossec.log + assertions: + - Verify the expected response with for a given alert is recieved + input_description: + - The `config_integratord_read_json_alerts.yaml` file provides the module configuration for this test. + - The `cases_integratord_read_json_alerts` file provides the test cases. + expected_output: + - r'.*Sending FIM event: (.+)$' ('added', 'modified' and 'deleted' events) + + ''' + sample = metadata['alert_sample'] + wazuh_monitor = FileMonitor(LOG_FILE_PATH) + + # Insert Alerts + for n in range(5): + os.system(f"echo '{sample}' >> {ALERT_FILE_PATH}") + + # Get that alert is read + result = wazuh_monitor.start(timeout=global_parameters.default_timeout * 2, + callback=callback_generator(integrator.CB_INTEGRATORD_SENDING_ALERT), + error_message=integrator.ERR_MSG_SENDING_ALERT_NOT_FOUND, + update_position=False).result() + + # Change file to change inode + copy(ALERT_FILE_PATH, TEMP_FILE_PATH) + remove_file(ALERT_FILE_PATH) + copy(TEMP_FILE_PATH, ALERT_FILE_PATH) + + # Wait for Inode change to be detected and insert new alert + time.sleep(3) + os.system(f"echo '{sample}' >> {ALERT_FILE_PATH}") + + # Monitor Inode Changed + result = wazuh_monitor.start(timeout=global_parameters.default_timeout * 2, + callback=callback_generator(integrator.CB_ALERTS_FILE_INODE_CHANGED), + 
error_message=integrator.ERR_MSG_ALERT_INODE_CHANGED_NOT_FOUND).result() + os.system(f"echo '{sample}' >> {ALERT_FILE_PATH}") + + # Read Response in ossec.log + result = wazuh_monitor.start(timeout=global_parameters.default_timeout, + callback=callback_generator(integrator.CB_PROCESSING_ALERT), + error_message=integrator.ERR_MSG_VIRUSTOTAL_ALERT_NOT_DETECTED).result() From 260aa4c4b5d3da2052d749c53611c58959f47c92 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Mon, 25 Jul 2022 10:34:30 -0300 Subject: [PATCH 20/43] style: fix pycodestyle --- .../test_integratord_read_json_alerts.py | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/tests/integration/test_integratord/test_integratord_read_json_alerts.py b/tests/integration/test_integratord/test_integratord_read_json_alerts.py index 037a799e32..3335e07b34 100644 --- a/tests/integration/test_integratord/test_integratord_read_json_alerts.py +++ b/tests/integration/test_integratord/test_integratord_read_json_alerts.py @@ -35,10 +35,10 @@ import pytest import yaml from wazuh_testing import global_parameters -from wazuh_testing.tools import WAZUH_PATH, LOG_FILE_PATH, ALERT_FILE_PATH +from wazuh_testing.tools import LOG_FILE_PATH, ALERT_FILE_PATH from wazuh_testing.modules.integratord import (ERR_MSG_VIRUSTOTAL_ALERT_NOT_DETECTED, ERR_MSG_INVALID_ALERT_NOT_FOUND, - ERR_MSG_OVERLONG_ALERT_NOT_FOUND,CB_VIRUSTOTAL_ALERT, CB_INVALID_JSON_ALERT_READ, - CB_OVERLONG_JSON_ALERT_READ) + ERR_MSG_OVERLONG_ALERT_NOT_FOUND, CB_VIRUSTOTAL_ALERT, + CB_INVALID_JSON_ALERT_READ, CB_OVERLONG_JSON_ALERT_READ) from wazuh_testing.tools.configuration import get_test_cases_data, load_configuration_template from wazuh_testing.tools.monitoring import FileMonitor, callback_generator 
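Review bot: The final monitor waits for `integrator.CB_PROCESSING_ALERT` but passes `integrator.ERR_MSG_VIRUSTOTAL_ALERT_NOT_DETECTED`, although `ERR_MSG_PROCESSING_ALERT_NOT_FOUND` was added for exactly this callback earlier in the series; the failure message should be `error_message=integrator.ERR_MSG_PROCESSING_ALERT_NOT_FOUND`. The `copy(ALERT_FILE_PATH, TEMP_FILE_PATH)` step leaves `alerts.json.tmp` in `logs/alerts/` after the test, so a `remove_file(TEMP_FILE_PATH)` after the copy back is needed to not pollute the manager's log directory. The `result` variable is assigned three times and never read, and the docstring's `expected_output` (`Sending FIM event`) and `input_description` (`cases_integratord_read_json_alerts`) are copied from another module and do not describe this test; the `expected_output` should list the sending-alert, inode-changed and processing-alert patterns this function actually waits for.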
@@ -58,7 +58,7 @@ # Configurations configuration_parameters, configuration_metadata, case_ids = get_test_cases_data(cases_path) configurations = load_configuration_template(configurations_path, configuration_parameters, - configuration_metadata) + configuration_metadata) local_internal_options = {'integrator.debug': '2'} # Tests @@ -66,11 +66,12 @@ @pytest.mark.parametrize('configuration, metadata', zip(configurations, configuration_metadata), ids=case_ids) def test_integratord_read_json_alerts(configuration, metadata, set_wazuh_configuration, truncate_monitored_files, - configure_local_internal_options_module,restart_wazuh_function, wait_for_start_module): + configure_local_internal_options_module, restart_wazuh_function, + wait_for_start_module): ''' description: Check that when a given alert is inserted into alerts.json, integratord works as expected. In case of a valid alert, a virustotal integration alert is expected in the alerts.json file. If the alert is invalid or - broken, or overly long a message will appear in the ossec.log file. Also, in case that + broken, or overly long a message will appear in the ossec.log file. wazuh_min_version: 4.3.5 tier: 1 parameters: @@ -97,9 +98,9 @@ def test_integratord_read_json_alerts(configuration, metadata, set_wazuh_configu brief: Detect the start of the Integratord module in the ossec.log assertions: - Verify the expected response with for a given alert is recieved - input_description: + input_description: - The `config_integratord_read_json_alerts.yaml` file provides the module configuration for this test. - - The `cases_integratord_read_json_alerts` file provides the test cases. + - The `cases_integratord_read_json_alerts` file provides the test cases. expected_output: - r'.*wazuh-integratord.*alert_id.*\"integration\": \"virustotal\".*' - r'.*wazuh-integratord.*WARNING: Invalid JSON alert read.*' 
@@ -110,7 +111,6 @@ def test_integratord_read_json_alerts(configuration, metadata, set_wazuh_configu wazuh_monitor = FileMonitor(LOG_FILE_PATH) if metadata['alert_type'] == 'valid': - #wazuh_monitor = FileMonitor(ALERT_FILE_PATH) callback = CB_VIRUSTOTAL_ALERT error_message = ERR_MSG_VIRUSTOTAL_ALERT_NOT_DETECTED @@ -123,7 +123,7 @@ def test_integratord_read_json_alerts(configuration, metadata, set_wazuh_configu error_message = ERR_MSG_OVERLONG_ALERT_NOT_FOUND # Add 90kb of padding to alert to make it go over the allowed value of 64KB. padding = "0"*90000 - sample = sample.replace("padding_input","agent_"+padding) + sample = sample.replace("padding_input", "agent_" + padding) os.system(f"echo '{sample}' >> {ALERT_FILE_PATH}") From 078a5327f8e2445892926bd5bf79e60b2f0cbba0 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Mon, 25 Jul 2022 10:42:08 -0300 Subject: [PATCH 21/43] style: fix style --- ...test_integratord_read_json_file_deleted.py | 30 +++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py b/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py index 92bde926fe..b89acb28b2 100644 --- a/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py +++ b/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py @@ -58,7 +58,7 @@ # Configurations configuration_parameters, configuration_metadata, case_ids = get_test_cases_data(cases_path) configurations = load_configuration_template(configurations_path, configuration_parameters, - configuration_metadata) + configuration_metadata) local_internal_options = {'integrator.debug': '2'} 
@@ -66,10 +66,11 @@ @pytest.mark.tier(level=1) @pytest.mark.parametrize('configuration, metadata', zip(configurations, configuration_metadata), ids=case_ids) -def test_integratord_read_json_alerts(configuration, metadata, set_wazuh_configuration, truncate_monitored_files, - configure_local_internal_options_module,restart_wazuh_function, wait_for_start_module): +def test_integratord_read_json_file_deleted(configuration, metadata, set_wazuh_configuration, truncate_monitored_files, + configure_local_internal_options_module, restart_wazuh_function, + wait_for_start_module): ''' - description: Check that if while integratord is reading from the alerts.json file, it is deleted, the expected + description: Check that if while integratord is reading from the alerts.json file, it is deleted, the expected error message is displayed, and if the file is created again and alerts are inserted, integratord continues working and alerts are read wazuh_min_version: 4.3.5 @@ -98,9 +99,9 @@ def test_integratord_read_json_alerts(configuration, metadata, set_wazuh_configu brief: Detect the start of the Integratord module in the ossec.log assertions: - Verify the expected response with for a given alert is recieved - input_description: + input_description: - The `config_integratord_read_json_alerts.yaml` file provides the module configuration for this test. - - The `cases_integratord_read_json_file_deleted` file provides the test cases. + - The `cases_integratord_read_json_file_deleted` file provides the test cases. expected_output: - r'.*wazuh-integratord.*ERROR.*Could not retrieve information of file.*alerts\.json.*No such file.*' - r'.*wazuh-integratord.*alert_id.*\"integration\": \"virustotal\".*' 
@@ -108,18 +109,17 @@ def test_integratord_read_json_alerts(configuration, metadata, set_wazuh_configu ''' sample = metadata['alert_sample'] wazuh_monitor = FileMonitor(LOG_FILE_PATH) - + remove_file(ALERT_FILE_PATH) - result = wazuh_monitor.start(timeout=global_parameters.default_timeout, - callback=callback_generator(CB_CANNOT_RETRIEVE_JSON_FILE), - error_message=ERR_MSG_CANNOT_RETRIEVE_MSG_NOT_FOUND).result() - # Create file and insert alert. Wait one seconf so Integrator detects the file before the insertion + callback=callback_generator(CB_CANNOT_RETRIEVE_JSON_FILE), + error_message=ERR_MSG_CANNOT_RETRIEVE_MSG_NOT_FOUND).result() + # Create file and insert alert. Wait one second so Integrator detects the file before the insertion os.system(f"touch {ALERT_FILE_PATH} && chmod 640 {ALERT_FILE_PATH} && chown wazuh:wazuh {ALERT_FILE_PATH}") - time.sleep(1) + time.sleep(2) os.system(f"echo '{sample}' >> {ALERT_FILE_PATH}") - + # Read Response in ossec.log result = wazuh_monitor.start(timeout=global_parameters.default_timeout*2, - callback=callback_generator(CB_VIRUSTOTAL_ALERT), - error_message=ERR_MSG_VIRUSTOTAL_ALERT_NOT_DETECTED).result() + callback=callback_generator(CB_VIRUSTOTAL_ALERT), + error_message=ERR_MSG_VIRUSTOTAL_ALERT_NOT_DETECTED).result() From 1af8af696714317bc5fa52f20e199d00c4577c69 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Mon, 25 Jul 2022 11:10:03 -0300 Subject: [PATCH 22/43] refactor: change variables to raw strings --- .../modules/integratord/__init__.py | 38 +++++++++---------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/deps/wazuh_testing/wazuh_testing/modules/integratord/__init__.py b/deps/wazuh_testing/wazuh_testing/modules/integratord/__init__.py index 7e354a2fe3..0e12915145 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/integratord/__init__.py +++ b/deps/wazuh_testing/wazuh_testing/modules/integratord/__init__.py 
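Review bot: A commit titled "style: fix style" changes `time.sleep(1)` to `time.sleep(2)`, which is a behavioural change to the test's timing rather than a style fix and deserves its own commit and a comment explaining why two seconds is enough for integratord to notice the recreated file; the rewritten comment line above it still says "Wait one second". Since the wait is only a guess, the test stays timing-sensitive on slow runners; if integratord logs anything when it reopens the alerts file, waiting for that event with the same `FileMonitor` would be more robust than a fixed sleep. The `result =` prefixes kept on both monitor calls in the new lines are still unused.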
@@ -7,24 +7,24 @@ # Variables # Callbacks -CB_VIRUSTOTAL_ENABLED = ".*wazuh-integratord.*Enabling integration for: 'virustotal'.*" -CB_INTEGRATORD_SENDING_ALERT = '.*wazuh-integratord.*DEBUG: sending new alert' -CB_PROCESSING_ALERT = '.*wazuh-integratord.*Processing alert.*' -CB_INTEGRATORD_THREAD_READY ='.*wazuh-integratord.*DEBUG: Local requests thread ready' -CB_VIRUSTOTAL_ALERT = '.*wazuh-integratord.*alert_id.*\"integration\": \"virustotal\".*' -CB_VIRUSTOTAL_ALERT_JSON = '.*VirusTotal: Alert.*\"integration\":\"virustotal\".*' -CB_INVALID_JSON_ALERT_READ = '.*wazuh-integratord.*WARNING: Invalid JSON alert read.*' -CB_OVERLONG_JSON_ALERT_READ = '.*wazuh-integratord.*WARNING: Overlong JSON alert read.*' -CB_ALERTS_FILE_INODE_CHANGED = '.*wazuh-integratord.*DEBUG: jqueue_next.*Alert file inode changed.*' -CB_CANNOT_RETRIEVE_JSON_FILE = '.*wazuh-integratord.*ERROR.*Could not retrieve information of file.*'\ - 'alerts\.json.*No such file.*' +CB_VIRUSTOTAL_ENABLED = r".*wazuh-integratord.*Enabling integration for: 'virustotal'.*" +CB_INTEGRATORD_SENDING_ALERT = r'.*wazuh-integratord.*DEBUG: sending new alert' +CB_PROCESSING_ALERT = r'.*wazuh-integratord.*Processing alert.*' +CB_INTEGRATORD_THREAD_READY = r'.*wazuh-integratord.*DEBUG: Local requests thread ready' +CB_VIRUSTOTAL_ALERT = r'.*wazuh-integratord.*alert_id.*\"integration\": \"virustotal\".*' +CB_VIRUSTOTAL_ALERT_JSON = r'.*VirusTotal: Alert.*\"integration\":\"virustotal\".*' +CB_INVALID_JSON_ALERT_READ = r'.*wazuh-integratord.*WARNING: Invalid JSON alert read.*' +CB_OVERLONG_JSON_ALERT_READ = r'.*wazuh-integratord.*WARNING: Overlong JSON alert read.*' +CB_ALERTS_FILE_INODE_CHANGED = r'.*wazuh-integratord.*DEBUG: jqueue_next.*Alert file inode changed.*' +CB_CANNOT_RETRIEVE_JSON_FILE = r'.*wazuh-integratord.*ERROR.*Could not retrieve information of file.*'\ + r'alerts\.json.*No such file.*' # Error messages -ERR_MSG_VIRUST_TOTAL_ENABLED_NOT_FOUND = 'Did not recieve the expected "Enabling integration for 
virustotal"' -ERR_MSG_VIRUSTOTAL_ALERT_NOT_DETECTED = 'Did not recieve the expected VirusTotal alert in alerts.json' -ERR_MSG_INVALID_ALERT_NOT_FOUND = 'Did not recieve the expected "...Invalid JSON alert read..." event' -ERR_MSG_OVERLONG_ALERT_NOT_FOUND = 'Did not recieve the expected "...Overlong JSON alert read..." event' -ERR_MSG_ALERT_INODE_CHANGED_NOT_FOUND = 'Did not recieve the expected "...Alert file inode changed..." event' -ERR_MSG_CANNOT_RETRIEVE_MSG_NOT_FOUND = 'Did not recieve the expected "...Could not retrieve information/open file"' -ERR_MSG_SENDING_ALERT_NOT_FOUND = 'Did not recieve the expected "...sending new alert" event' -ERR_MSG_PROCESSING_ALERT_NOT_FOUND = 'Did not recieve the expected "...Procesing alert" event' +ERR_MSG_VIRUST_TOTAL_ENABLED_NOT_FOUND = r'Did not recieve the expected "Enabling integration for virustotal"' +ERR_MSG_VIRUSTOTAL_ALERT_NOT_DETECTED = r'Did not recieve the expected VirusTotal alert in alerts.json' +ERR_MSG_INVALID_ALERT_NOT_FOUND = r'Did not recieve the expected "...Invalid JSON alert read..." event' +ERR_MSG_OVERLONG_ALERT_NOT_FOUND = r'Did not recieve the expected "...Overlong JSON alert read..." event' +ERR_MSG_ALERT_INODE_CHANGED_NOT_FOUND = r'Did not recieve the expected "...Alert file inode changed..." event' +ERR_MSG_CANNOT_RETRIEVE_MSG_NOT_FOUND = r'Did not recieve the expected "...Could not retrieve information/open file"' +ERR_MSG_SENDING_ALERT_NOT_FOUND = r'Did not recieve the expected "...sending new alert" event' +ERR_MSG_PROCESSING_ALERT_NOT_FOUND = r'Did not recieve the expected "...Procesing alert" event' From 7df017440521015ce838fd8eeb03dccec49dc37a Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Thu, 28 Jul 2022 10:20:30 -0300 Subject: [PATCH 23/43] Add: __init__.py to modules folder --- deps/wazuh_testing/wazuh_testing/modules/__init__.py | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 deps/wazuh_testing/wazuh_testing/modules/__init__.py 
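Review bot: The `r` prefix is also applied to the ERR_MSG_* constants, which are plain messages rather than regexes, so it is noise there; keep it on the CB_* patterns only. While these lines are being rewritten, every ERR_MSG_* message misspells "recieve", and `ERR_MSG_PROCESSING_ALERT_NOT_FOUND` misspells "Procesing", e.g. `ERR_MSG_PROCESSING_ALERT_NOT_FOUND = 'Did not receive the expected "...Processing alert" event'`. In `CB_VIRUSTOTAL_ALERT` and `CB_VIRUSTOTAL_ALERT_JSON` the `\"` now survives into the regex as an escaped quote, which still matches a literal `"`, but a plain `"` reads more clearly in a raw string.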
diff --git a/deps/wazuh_testing/wazuh_testing/modules/__init__.py b/deps/wazuh_testing/wazuh_testing/modules/__init__.py new file mode 100644 index 0000000000..e69de29bb2 From 1fd10a4109769569418d5ca3bf26c432464d00fa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9s=20Carmelo=20Micalizzi?= Date: Thu, 28 Jul 2022 10:57:39 -0300 Subject: [PATCH 24/43] Update CHANGELOG.md --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index cd904f8121..1300a1eb28 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,7 +8,7 @@ Wazuh commit: TBD https://github.com/wazuh/wazuh/commit/be15851b8ead7512d9cd4ef1 Release report: https://github.com/wazuh/wazuh/issues/14188 ## Added - +- Add Integratord IT - new test_integratord suite ([#3125](https://github.com/wazuh/wazuh-qa/pull/3125)) \- (Framework + Tests) - Add Remoted IT - test_multi_groups ([#3060](https://github.com/wazuh/wazuh-qa/pull/3060)) \- (Framework + Tests) ### Fixed From cb3e325317f95a275f087ed3b605b6a70d349dfa Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Fri, 29 Jul 2022 10:19:03 -0300 Subject: [PATCH 25/43] Style: fixe pycodestyle --- .../config_integratord_read_json_alerts.yaml | 7 +++---- .../cases_integratord_change_inode_alert.yaml | 4 ++-- .../cases_integratord_read_json_alerts.yaml | 18 +++++++++--------- ...ses_integratord_read_json_file_deleted.yaml | 4 ++-- .../test_integratord_read_json_alerts.py | 1 + 5 files changed, 17 insertions(+), 17 deletions(-) diff --git a/tests/integration/test_integratord/data/configuration_template/config_integratord_read_json_alerts.yaml b/tests/integration/test_integratord/data/configuration_template/config_integratord_read_json_alerts.yaml index e39ef95baa..69c2a7a414 100644 --- a/tests/integration/test_integratord/data/configuration_template/config_integratord_read_json_alerts.yaml +++ b/tests/integration/test_integratord/data/configuration_template/config_integratord_read_json_alerts.yaml 
@@ -1,4 +1,3 @@ ---- - tags: - all apply_to_modules: @@ -9,13 +8,13 @@ - section: integration elements: - name: - value: "virustotal" + value: 'virustotal' - api_key: value: API_KEY - rule_id: - value: "554" + value: '554' - alert_format: - value: "json" + value: 'json' - section: sca elements: - enabled: diff --git a/tests/integration/test_integratord/data/test_cases/cases_integratord_change_inode_alert.yaml b/tests/integration/test_integratord/data/test_cases/cases_integratord_change_inode_alert.yaml index d906c5f53a..d85641ffdd 100644 --- a/tests/integration/test_integratord/data/test_cases/cases_integratord_change_inode_alert.yaml +++ b/tests/integration/test_integratord/data/test_cases/cases_integratord_change_inode_alert.yaml @@ -1,5 +1,5 @@ -- name: 'Cannot read alerts - Inode changed' - description: 'The alerts.json file inode has changed and it cannot read alerts from it until it reloads.' +- name: Cannot read alerts - Inode changed + description: The alerts.json file inode has changed and it cannot read alerts from it until it reloads. configuration_parameters: API_KEY: 8512012a5ebf7eee0eb2adaf85444f76ab1a615ad1f2376b45716c370d74868d metadata: diff --git a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_alerts.yaml b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_alerts.yaml index b9288992fd..883998a0b2 100644 --- a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_alerts.yaml +++ b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_alerts.yaml 
@@ -1,23 +1,23 @@ -- name: 'Read valid json alert' - description: 'Read a valid alert from alerts.json' +- name: Read valid json alert + description: Read a valid alert from alerts.json configuration_parameters: API_KEY: d7f1a3b90040e663357def13d16cf0481ebbda4869caba712172bd7cc79dbc7a metadata: alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"c3"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log":"File /test_folder/TEST_VALID_ALERT.txt added\nMode: scheduled\n","syscheck":{"path":"/test_folder/TEST_VALID_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe","sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' - alert_type: 'valid' + alert_type: valid -- name: 'Read invalid json alert' - description: 'Read a invalid alert from alerts.json - removed rule key name - Integration fails' +- name: Read invalid json alert + description: Read a invalid alert from alerts.json - removed rule key name - Integration fails configuration_parameters: API_KEY: d7f1a3b90040e663357def13d16cf0481ebbda4869caba712172bd7cc79dbc7a metadata: alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000",:{"level":5,"description":"File added to the 
system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"c3"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log":"File /test_folder/TEST_INVALID_ALERT.txt added\nMode: scheduled\n","syscheck":{"path":"/test_folder/TEST_INVALID_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe","sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' - alert_type: 'invalid' + alert_type: invalid -- name: 'Read Overlong json alert' - description: 'Read a an alert that is over 64kb alert from alerts.json - Integration fails' +- name: Read Overlong json alert + description: Read a an alert that is over 64kb alert from alerts.json - Integration fails configuration_parameters: API_KEY: d7f1a3b90040e663357def13d16cf0481ebbda4869caba712172bd7cc79dbc7a metadata: alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"padding_input"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log":"File /test_folder/TEST_OVERLONG_ALERT.txt added\nMode: 
scheduled\n","syscheck":{"path":"/test_folder/TEST_OVERLONG_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe","sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' - alert_type: 'overlong' + alert_type: overlong diff --git a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_file_deleted.yaml b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_file_deleted.yaml index 457b82d355..8021f10af9 100644 --- a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_file_deleted.yaml +++ b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_file_deleted.yaml @@ -1,5 +1,5 @@ -- name: 'Cannot read alerts - Json File Deleted' - description: 'The alerts.json file is missing and it cannot read alerts from it. If a new file is created it will read it.' +- name: Cannot read alerts - Json File Deleted + description: The alerts.json file is missing and it cannot read alerts from it. If a new file is created it will read it. configuration_parameters: API_KEY: 8512012a5ebf7eee0eb2adaf85444f76ab1a615ad1f2376b45716c370d74868d metadata: diff --git a/tests/integration/test_integratord/test_integratord_read_json_alerts.py b/tests/integration/test_integratord/test_integratord_read_json_alerts.py index 3335e07b34..0115fb7e33 100644 --- a/tests/integration/test_integratord/test_integratord_read_json_alerts.py +++ b/tests/integration/test_integratord/test_integratord_read_json_alerts.py 
@@ -61,6 +61,7 @@ configuration_metadata) local_internal_options = {'integrator.debug': '2'} + # Tests @pytest.mark.tier(level=1) @pytest.mark.parametrize('configuration, metadata', From 1147271595b8064876b3d77bbb5a5583aad9ab27 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Fri, 29 Jul 2022 10:19:26 -0300 Subject: [PATCH 26/43] Docu: updated changelog.md --- CHANGELOG.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 01e8fa907e..693a8f818a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,9 @@ All notable changes to this project will be documented in this file. Wazuh commit: TBD \ Release report: TBD +## Added +- Add Integratord IT - new test_integratord suite ([#3125](https://github.com/wazuh/wazuh-qa/pull/3125)) \- (Framework + Tests) + ### Changed - Increase framework version of jq and pytest in the requirements file to support python3.10 ([#3107](https://github.com/wazuh/wazuh-qa/pull/3108)) \- (Framework) @@ -17,7 +20,6 @@ Wazuh commit: https://github.com/wazuh/wazuh/commit/be15851b8ead7512d9cd4ef1ee18 Release report: https://github.com/wazuh/wazuh/issues/14188 ## Added -- Add Integratord IT - new test_integratord suite ([#3125](https://github.com/wazuh/wazuh-qa/pull/3125)) \- (Framework + Tests) - Add Remoted IT - test_multi_groups ([#3060](https://github.com/wazuh/wazuh-qa/pull/3060)) \- (Framework + Tests) ### Fixed From 02bed2071f30e5a3f41099d91cb1f4ace606a306 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Fri, 29 Jul 2022 10:20:16 -0300 Subject: [PATCH 27/43] Add: extract local_actions from QACTL to tools --- .../wazuh_testing/tools/local_actions.py | 54 +++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 deps/wazuh_testing/wazuh_testing/tools/local_actions.py diff --git a/deps/wazuh_testing/wazuh_testing/tools/local_actions.py b/deps/wazuh_testing/wazuh_testing/tools/local_actions.py new file mode 100644 index 0000000000..8e494e5b3f --- /dev/null 
+++ b/deps/wazuh_testing/wazuh_testing/tools/local_actions.py @@ -0,0 +1,54 @@ +''' +copyright: Copyright (C) 2015-2022, Wazuh Inc. + Created by Wazuh, Inc. . + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 +''' +import subprocess +import sys + +from wazuh_testing.qa_ctl import QACTL_LOGGER +from wazuh_testing.tools.logging import Logging +from wazuh_testing.tools.exceptions import QAValueError + +LOGGER = Logging.get_logger(QACTL_LOGGER) + + +def run_local_command_printing_output(command): + """Run local commands printing the output in the stdout. In addition, it is validate the result code. + + Args: + command (string): Command to run. + + Raises: + QAValueError: If the run command has failed (rc != 0). + """ + if sys.platform == 'win32': + run = subprocess.Popen(command, shell=True) + else: + run = subprocess.Popen(['/bin/bash', '-c', command]) + + # Wait for the process to finish + run.communicate() + + result_code = run.returncode + + if result_code != 0: + raise QAValueError(f"The command {command} returned {result_code} as result code.", LOGGER.error, + QACTL_LOGGER) + + +def run_local_command_returning_output(command): + """Run local commands catching and returning the stdout in a variable. Nothing is displayed on the stdout. + + Args: + command (string): Command to run. + + Returns: + str: Command output. + """ + if sys.platform == 'win32': + run = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE) + else: + run = subprocess.Popen(['/bin/bash', '-c', command], stdout=subprocess.PIPE) + + return run.stdout.read().decode() \ No newline at end of file From 352bfb54225573943c2eba56b002433a05433839 Mon Sep 17 00:00:00 2001 
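Review bot: `run_local_command_returning_output` never waits for the child: it reads stdout to EOF and returns, leaving the process unreaped and its exit status unchecked, so a failing command (for example a redirection that cannot write its target) comes back as an empty string. Use `output, _ = run.communicate()` followed by `return output.decode()`, and consider raising `QAValueError` on a non-zero `run.returncode` as `run_local_command_printing_output` already does. Both helpers hand a caller-built string to a shell (`shell=True` on Windows, `/bin/bash -c` elsewhere) and the callers added in this series interpolate alert samples from the test-case YAML into that string, so the docstrings should state that `command` must already be shell-quoted; a sample containing a single quote would otherwise break out of the `echo '...'` quoting. stderr is not captured in either helper, so a shell error message is lost when the output is needed for diagnosis.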
From: Deblintrake09 Date: Fri, 29 Jul 2022 14:53:58 -0300 Subject: [PATCH 28/43] Add: integratord event_monitor --- .../modules/integratord/event_monitor.py | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 deps/wazuh_testing/wazuh_testing/modules/integratord/event_monitor.py diff --git a/deps/wazuh_testing/wazuh_testing/modules/integratord/event_monitor.py b/deps/wazuh_testing/wazuh_testing/modules/integratord/event_monitor.py new file mode 100644 index 0000000000..fc242c1a14 --- /dev/null +++ b/deps/wazuh_testing/wazuh_testing/modules/integratord/event_monitor.py @@ -0,0 +1,25 @@ + + +from wazuh_testing.tools import LOG_FILE_PATH +from wazuh_testing.tools.monitoring import FileMonitor + + + +def check_integratord_event(file_monitor=None, callback='', error_message=None, update_position=True, + timeout=30, accum_results=1, file_to_monitor=LOG_FILE_PATH): + """Check if an event occurs + Args: + file_monitor (FileMonitor): FileMonitor object to monitor the file content. + callback (str): log regex to check in Wazuh log + error_message (str): error message to show in case of expected event does not occur + update_position (boolean): filter configuration parameter to search in Wazuh log + timeout (str): timeout to check the event in Wazuh log + accum_results (int): Accumulation of matches. + """ + file_monitor = FileMonitor(file_to_monitor) if file_monitor is None else file_monitor + error_message = f"Could not find this event in {file_to_monitor}: {callback}" if error_message is None else \ + error_message + + file_monitor.start(timeout=timeout, update_position=update_position, accum_results=accum_results, + callback=callback, error_message=error_message) + From 588619761ddf1fdf5d92c8d204180c51056e9dd4 Mon Sep 17 00:00:00 2001 
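Review bot: The docstring of `check_integratord_event` does not match its signature: `file_to_monitor` is undocumented, `timeout` is typed `str` although it is passed as an int, `update_position` is described as a "filter configuration parameter" although it is forwarded to `FileMonitor.start` unchanged, and `callback` is described as a regex string while the callers in this series pass the callable from `callback_generator(...)`. Suggested entries: `callback (callable): callback returned by callback_generator, applied to each log line`, `timeout (int): seconds to wait for the event`, `file_to_monitor (str): path of the log file to monitor, defaults to LOG_FILE_PATH`. The value returned by `file_monitor.start(...)` is discarded; if `FileMonitor.start` only raises on timeout that is fine, otherwise return it so callers can inspect the match. The file also lacks the copyright/GPLv2 header that `local_actions.py` in this same series carries and opens with two blank lines.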
From: Deblintrake09 Date: Fri, 29 Jul 2022 14:54:30 -0300 Subject: [PATCH 29/43] Fix: refactor integratord_change_inode_alert.py --- .../test_integratord_change_inode_alert.py | 26 ++++++++++--------- 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/tests/integration/test_integratord/test_integratord_change_inode_alert.py b/tests/integration/test_integratord/test_integratord_change_inode_alert.py index 59bde24edf..9e324a8db8 100644 --- a/tests/integration/test_integratord/test_integratord_change_inode_alert.py +++ b/tests/integration/test_integratord/test_integratord_change_inode_alert.py @@ -37,7 +37,9 @@ from wazuh_testing import global_parameters from wazuh_testing.tools import WAZUH_PATH, LOG_FILE_PATH, ALERT_FILE_PATH from wazuh_testing.tools.file import remove_file, copy +from wazuh_testing.tools.local_actions import run_local_command_returning_output from wazuh_testing.modules import integratord as integrator +from wazuh_testing.modules.integratord.event_monitor import check_integratord_event from wazuh_testing.tools.configuration import get_test_cases_data, load_configuration_template from wazuh_testing.tools.monitoring import FileMonitor, callback_generator 
@@ -106,18 +108,17 @@ def test_integratord_change_json_inode(configuration, metadata, set_wazuh_config - r'.*Sending FIM event: (.+)$' ('added', 'modified' and 'deleted' events) ''' - sample = metadata['alert_sample'] wazuh_monitor = FileMonitor(LOG_FILE_PATH) - + command = f"echo '{metadata['alert_sample']}' >> {ALERT_FILE_PATH}" # Insert Alerts for n in range(5): - os.system(f"echo '{sample}' >> {ALERT_FILE_PATH}") + run_local_command_returning_output(command) # Get that alert is read - result = wazuh_monitor.start(timeout=global_parameters.default_timeout * 2, + check_integratord_event(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout, callback=callback_generator(integrator.CB_INTEGRATORD_SENDING_ALERT), error_message=integrator.ERR_MSG_SENDING_ALERT_NOT_FOUND, - update_position=False).result() + update_position=False) # Change file to change inode copy(ALERT_FILE_PATH, TEMP_FILE_PATH) 
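Review bot: The five appends now go through `run_local_command_returning_output(command)`, whose output and exit status are ignored, so a failed redirection into alerts.json is only noticed when the monitor times out with a message about a missing log event; checking the result (or using a helper that validates the return code) would fail fast and point at the real cause. The loop variable is unused: `for _ in range(5):`. The first wait was also shortened from `global_parameters.default_timeout * 2` to `global_parameters.default_timeout`, a behaviour change the commit message does not mention and one that may make the check flakier on slow hosts. The enclosing test_integratord_change_json_inode starts outside the hunk.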
@@ -126,15 +127,16 @@ def test_integratord_change_json_inode(configuration, metadata, set_wazuh_config # Wait for Inode change to be detected and insert new alert time.sleep(3) - os.system(f"echo '{sample}' >> {ALERT_FILE_PATH}") + run_local_command_returning_output(command) # Monitor Inode Changed - result = wazuh_monitor.start(timeout=global_parameters.default_timeout * 2, + + check_integratord_event(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout * 2, callback=callback_generator(integrator.CB_ALERTS_FILE_INODE_CHANGED), - error_message=integrator.ERR_MSG_ALERT_INODE_CHANGED_NOT_FOUND).result() - os.system(f"echo '{sample}' >> {ALERT_FILE_PATH}") + error_message=integrator.ERR_MSG_ALERT_INODE_CHANGED_NOT_FOUND) + run_local_command_returning_output(command) - # Read Response in ossec.log - result = wazuh_monitor.start(timeout=global_parameters.default_timeout, + # Read Response in ossec.log + check_integratord_event(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout, callback=callback_generator(integrator.CB_PROCESSING_ALERT), - error_message=integrator.ERR_MSG_VIRUSTOTAL_ALERT_NOT_DETECTED).result() + error_message=integrator.ERR_MSG_VIRUSTOTAL_ALERT_NOT_DETECTED) \ No newline at end of file From f16839cac9a7929e658dcc82d9a121bcca73d97d Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Mon, 1 Aug 2022 10:13:40 -0300 Subject: [PATCH 30/43] Docu: change documentation comments --- .../wazuh_testing/modules/integratord/__init__.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/deps/wazuh_testing/wazuh_testing/modules/integratord/__init__.py b/deps/wazuh_testing/wazuh_testing/modules/integratord/__init__.py index 0e12915145..8adc39ca2e 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/integratord/__init__.py +++ b/deps/wazuh_testing/wazuh_testing/modules/integratord/__init__.py 
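Review bot: The last check pairs `integrator.CB_PROCESSING_ALERT` with `integrator.ERR_MSG_VIRUSTOTAL_ALERT_NOT_DETECTED`, so a timeout reports a missing VirusTotal alert although the pattern waited on is "Processing alert"; the integratord module defines `ERR_MSG_PROCESSING_ALERT_NOT_FOUND` for exactly this case (`error_message=integrator.ERR_MSG_PROCESSING_ALERT_NOT_FOUND)`). A stray blank line now separates the `# Monitor Inode Changed` comment from the call it describes, and the file ends without a trailing newline. The unchecked `run_local_command_returning_output(command)` appends have the same weakness noted on the previous hunk. The function body begins outside the hunk.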
@@ -5,8 +5,9 @@ ''' # Variables +INTEGRATORD_PREFIX = 'wazuh-integratord' -# Callbacks +# Callback Messages CB_VIRUSTOTAL_ENABLED = r".*wazuh-integratord.*Enabling integration for: 'virustotal'.*" CB_INTEGRATORD_SENDING_ALERT = r'.*wazuh-integratord.*DEBUG: sending new alert' CB_PROCESSING_ALERT = r'.*wazuh-integratord.*Processing alert.*' From 07e6330812e989ce1db847f8513a990e4f32a60f Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Mon, 1 Aug 2022 10:14:08 -0300 Subject: [PATCH 31/43] Fix: separate read_json_alerts in two tests (valid/invalid) --- ...integratord_read_invalid_json_alerts.yaml} | 8 -- ...es_integratord_read_valid_json_alerts.yaml | 6 + .../test_integratord_read_json_alerts.py | 104 +++++++++++++----- 3 files changed, 85 insertions(+), 33 deletions(-) rename tests/integration/test_integratord/data/test_cases/{cases_integratord_read_json_alerts.yaml => cases_integratord_read_invalid_json_alerts.yaml} (67%) create mode 100644 tests/integration/test_integratord/data/test_cases/cases_integratord_read_valid_json_alerts.yaml diff --git a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_alerts.yaml b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_invalid_json_alerts.yaml similarity index 67% rename from tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_alerts.yaml rename to tests/integration/test_integratord/data/test_cases/cases_integratord_read_invalid_json_alerts.yaml index 883998a0b2..dd51290e53 100644 --- a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_alerts.yaml +++ b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_invalid_json_alerts.yaml 
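Review bot: `INTEGRATORD_PREFIX` is introduced but nothing in the hunk uses it; the CB_* patterns that follow still hard-code `wazuh-integratord`, so the constant and the patterns can drift apart. If the intent is to parametrize the daemon tag, build the patterns from it, e.g. `CB_INTEGRATORD_SENDING_ALERT = rf'.*{INTEGRATORD_PREFIX}.*DEBUG: sending new alert'`; otherwise a comment such as `# Daemon tag used in ossec.log lines` next to the constant should say where it is meant to be used. The rest of the constants block continues outside the hunk.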
@@ -1,11 +1,3 @@ -- name: Read valid json alert - description: Read a valid alert from alerts.json - configuration_parameters: - API_KEY: d7f1a3b90040e663357def13d16cf0481ebbda4869caba712172bd7cc79dbc7a - metadata: - alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"c3"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log":"File /test_folder/TEST_VALID_ALERT.txt added\nMode: scheduled\n","syscheck":{"path":"/test_folder/TEST_VALID_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe","sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' - alert_type: valid - - name: Read invalid json alert description: Read a invalid alert from alerts.json - removed rule key name - Integration fails configuration_parameters: diff --git a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_valid_json_alerts.yaml b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_valid_json_alerts.yaml new file mode 100644 index 0000000000..c3a8bbe4b0 --- /dev/null +++ b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_valid_json_alerts.yaml 
@@ -0,0 +1,6 @@ +- name: Read valid json alert + description: Read a valid alert from alerts.json + configuration_parameters: + API_KEY: d7f1a3b90040e663357def13d16cf0481ebbda4869caba712172bd7cc79dbc7a + metadata: + alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"c3"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log":"File /test_folder/TEST_VALID_ALERT.txt added\nMode: scheduled\n","syscheck":{"path":"/test_folder/TEST_VALID_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe","sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' diff --git a/tests/integration/test_integratord/test_integratord_read_json_alerts.py b/tests/integration/test_integratord/test_integratord_read_json_alerts.py index 0115fb7e33..13dd30c17c 100644 --- a/tests/integration/test_integratord/test_integratord_read_json_alerts.py +++ b/tests/integration/test_integratord/test_integratord_read_json_alerts.py 
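Review bot: `API_KEY` holds a 64-hex-digit value that looks like a real VirusTotal API key, and the same value is repeated in `cases_integratord_read_invalid_json_alerts.yaml`, with a second key of the same shape in `cases_integratord_change_inode_alert.yaml`. If these are live credentials they are now part of the repository history and should be revoked and replaced by an obviously fake placeholder, or supplied from an environment variable at test time; if they are dummies, a comment on the line (`# dummy key, not a valid VirusTotal credential`) saves the next reader the question. Either way the test's dependence on a reachable VirusTotal endpoint for the valid-alert case is worth stating in the case description.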
@@ -36,9 +36,9 @@ import yaml from wazuh_testing import global_parameters from wazuh_testing.tools import LOG_FILE_PATH, ALERT_FILE_PATH -from wazuh_testing.modules.integratord import (ERR_MSG_VIRUSTOTAL_ALERT_NOT_DETECTED, ERR_MSG_INVALID_ALERT_NOT_FOUND, - ERR_MSG_OVERLONG_ALERT_NOT_FOUND, CB_VIRUSTOTAL_ALERT, - CB_INVALID_JSON_ALERT_READ, CB_OVERLONG_JSON_ALERT_READ) +from wazuh_testing.modules import integratord as integrator +from wazuh_testing.modules.integratord.event_monitor import check_integratord_event +from wazuh_testing.tools.local_actions import run_local_command_returning_output from wazuh_testing.tools.configuration import get_test_cases_data, load_configuration_template from wazuh_testing.tools.monitoring import FileMonitor, callback_generator 
@@ -53,27 +53,86 @@ # Configuration and cases data configurations_path = os.path.join(CONFIGURATIONS_PATH, 'config_integratord_read_json_alerts.yaml') -cases_path = os.path.join(TEST_CASES_PATH, 'cases_integratord_read_json_alerts.yaml') +t1_cases_path = os.path.join(TEST_CASES_PATH, 'cases_integratord_read_valid_json_alerts.yaml') +t2_cases_path = os.path.join(TEST_CASES_PATH, 'cases_integratord_read_invalid_json_alerts.yaml') + # Configurations -configuration_parameters, configuration_metadata, case_ids = get_test_cases_data(cases_path) -configurations = load_configuration_template(configurations_path, configuration_parameters, - configuration_metadata) +t1_configuration_parameters, t1_configuration_metadata, t1_case_ids = get_test_cases_data(t1_cases_path) +t1_configurations = load_configuration_template(configurations_path, t1_configuration_parameters, + t1_configuration_metadata) +t2_configuration_parameters, t2_configuration_metadata, t2_case_ids = get_test_cases_data(t2_cases_path) +t2_configurations = load_configuration_template(configurations_path, t2_configuration_parameters, + t2_configuration_metadata) + + local_internal_options = {'integrator.debug': '2'} # Tests @pytest.mark.tier(level=1) @pytest.mark.parametrize('configuration, metadata', - zip(configurations, configuration_metadata), ids=case_ids) -def test_integratord_read_json_alerts(configuration, metadata, set_wazuh_configuration, truncate_monitored_files, + zip(t1_configurations, t1_configuration_metadata), ids=t1_case_ids) +def test_integratord_read_valid_json_alerts(configuration, metadata, set_wazuh_configuration, truncate_monitored_files, + configure_local_internal_options_module, restart_wazuh_function, + wait_for_start_module): + ''' + description: Check that when a given alert is inserted into alerts.json, integratord works as expected. In case + of a valid alert, a virustotal integration alert is expected in the alerts.json file. 
+ wazuh_min_version: 4.3.7 + tier: 1 + parameters: + - configuration: + type: dict + brief: Configuration loaded from `configuration_template`. + - metadata: + type: dict + brief: Test case metadata. + - set_wazuh_configuration: + type: fixture + brief: Set wazuh configuration. + - truncate_monitored_files: + type: fixture + brief: Truncate all the log files and json alerts files before and after the test execution. + - configure_local_internal_options_module: + type: fixture + brief: Configure the local internal options file. + - restart_wazuh_function: + type: fixture + brief: Restart wazuh-modulesd daemon before starting a test, and stop it after finishing. + - wait_for_start_module: + type: fixture + brief: Detect the start of the Integratord module in the ossec.log + assertions: + - Verify the expected response with for a given alert is recieved + input_description: + - The `config_integratord_read_json_alerts.yaml` file provides the module configuration for this test. + - The `cases_integratord_read_valid_json_alerts` file provides the test cases. 
+ expected_output: + - r'.*wazuh-integratord.*alert_id.*\"integration\": \"virustotal\".*' + ''' + sample = metadata['alert_sample'] + wazuh_monitor = FileMonitor(LOG_FILE_PATH) + + run_local_command_returning_output(f"echo '{sample}' >> {ALERT_FILE_PATH}") + + # Read Response in ossec.log + check_integratord_event(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout, + callback=callback_generator(integrator.CB_VIRUSTOTAL_ALERT), + error_message=integrator.ERR_MSG_VIRUSTOTAL_ALERT_NOT_DETECTED) + + +@pytest.mark.tier(level=1) +@pytest.mark.parametrize('configuration, metadata', + zip(t2_configurations, t2_configuration_metadata), ids=t2_case_ids) +def test_integratord_read_invalid_json_alerts(configuration, metadata, set_wazuh_configuration, truncate_monitored_files, configure_local_internal_options_module, restart_wazuh_function, wait_for_start_module): ''' description: Check that when a given alert is inserted into alerts.json, integratord works as expected. In case of a valid alert, a virustotal integration alert is expected in the alerts.json file. If the alert is invalid or broken, or overly long a message will appear in the ossec.log file. - wazuh_min_version: 4.3.5 + wazuh_min_version: 4.3.7 tier: 1 parameters: - configuration: @@ -101,9 +160,8 @@ def test_integratord_read_json_alerts(configuration, metadata, set_wazuh_configu - Verify the expected response with for a given alert is recieved input_description: - The `config_integratord_read_json_alerts.yaml` file provides the module configuration for this test. - - The `cases_integratord_read_json_alerts` file provides the test cases. + - The `cases_integratord_read_invalid_json_alerts` file provides the test cases. expected_output: - - r'.*wazuh-integratord.*alert_id.*\"integration\": \"virustotal\".*' - r'.*wazuh-integratord.*WARNING: Invalid JSON alert read.*' - r'.*wazuh-integratord.*WARNING: Overlong JSON alert read.*' 
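Review bot: `test_integratord_read_valid_json_alerts` appends the sample by interpolating it into a shell command, `run_local_command_returning_output(f"echo '{sample}' >> {ALERT_FILE_PATH}")`, whose exit status is ignored and whose quoting breaks if an alert sample ever contains a single quote; writing the line from Python avoids both problems: `with open(ALERT_FILE_PATH, 'a') as alerts_file:` / `alerts_file.write(f'{sample}\n')`, which keeps the literal `\n` escapes inside the JSON just as bash's builtin echo does. The new docstring carries wording worth fixing while it is being added: "Verify the expected response with for a given alert is recieved" should read "Verify that the expected response for a given alert is received", and `restart_wazuh_function` is described as restarting wazuh-modulesd, which looks copied from a modulesd test and should name the daemon this fixture actually restarts; the same wording appears in the docstrings of the other tests in this series. The second test's parameter list and docstring continue outside the hunk.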
@@ -111,23 +169,19 @@ def test_integratord_read_json_alerts(configuration, metadata, set_wazuh_configu sample = metadata['alert_sample'] wazuh_monitor = FileMonitor(LOG_FILE_PATH) - if metadata['alert_type'] == 'valid': - callback = CB_VIRUSTOTAL_ALERT - error_message = ERR_MSG_VIRUSTOTAL_ALERT_NOT_DETECTED - - elif metadata['alert_type'] == 'invalid': - callback = CB_INVALID_JSON_ALERT_READ - error_message = ERR_MSG_INVALID_ALERT_NOT_FOUND + if metadata['alert_type'] == 'invalid': + callback = integrator.CB_INVALID_JSON_ALERT_READ + error_message = integrator.ERR_MSG_INVALID_ALERT_NOT_FOUND elif metadata['alert_type'] == 'overlong': - callback = CB_OVERLONG_JSON_ALERT_READ - error_message = ERR_MSG_OVERLONG_ALERT_NOT_FOUND - # Add 90kb of padding to alert to make it go over the allowed value of 64KB. + callback = integrator.CB_OVERLONG_JSON_ALERT_READ + error_message = integrator. ERR_MSG_OVERLONG_ALERT_NOT_FOUND + # Add 90kb of padding to alert to make it go over the allowed value of 64KB. padding = "0"*90000 sample = sample.replace("padding_input", "agent_" + padding) - os.system(f"echo '{sample}' >> {ALERT_FILE_PATH}") + run_local_command_returning_output(f"echo '{sample}' >> {ALERT_FILE_PATH}") # Read Response in ossec.log - wazuh_monitor.start(timeout=global_parameters.default_timeout, callback=callback_generator(callback), - error_message=error_message).result() + check_integratord_event(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout, + callback=callback_generator(callback), error_message=error_message) From 3248dacaec2759c7772c07039d70e8e4d7aeeb6c Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Mon, 1 Aug 2022 10:14:53 -0300 Subject: [PATCH 32/43] Fix: refactor tests and extract os commands --- ...test_integratord_read_json_file_deleted.py | 24 ++++++++++--------- 1 file changed, 13 insertions(+), 11 deletions(-) 
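Review bot: The new `if`/`elif` leaves `callback` and `error_message` unbound for any `alert_type` other than `'invalid'` or `'overlong'`, so an unexpected case value fails with a NameError at the `check_integratord_event` call instead of a clear message; add `else: raise ValueError(f"unexpected alert_type: {metadata['alert_type']}")`. `integrator. ERR_MSG_OVERLONG_ALERT_NOT_FOUND` has a stray space after the dot. The replacement `run_local_command_returning_output(f"echo '{sample}' >> {ALERT_FILE_PATH}")` still splices test-case content into a string that the helper hands to `/bin/bash -c` (visible in the local_actions hunk further down), so a sample containing a single quote breaks the quoting and the overlong case pushes a ~90 KB argument through the shell; appending from Python, `with open(ALERT_FILE_PATH, 'a') as alerts: alerts.write(sample + '\n')`, avoids both and needs no shell at all. The same echo-through-shell pattern appears in the test_integratord_read_json_file_deleted hunk below. The function's signature and docstring begin before this hunk.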
diff --git a/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py b/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py index b89acb28b2..716bf72f84 100644 --- a/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py +++ b/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py @@ -37,8 +37,9 @@ from wazuh_testing import global_parameters from wazuh_testing.tools import LOG_FILE_PATH, ALERT_FILE_PATH from wazuh_testing.tools.file import remove_file -from wazuh_testing.modules.integratord import (ERR_MSG_VIRUSTOTAL_ALERT_NOT_DETECTED, CB_VIRUSTOTAL_ALERT, - ERR_MSG_CANNOT_RETRIEVE_MSG_NOT_FOUND, CB_CANNOT_RETRIEVE_JSON_FILE) +from wazuh_testing.modules import integratord as integrator +from wazuh_testing.modules.integratord.event_monitor import check_integratord_event +from wazuh_testing.tools.local_actions import run_local_command_returning_output from wazuh_testing.tools.configuration import get_test_cases_data, load_configuration_template from wazuh_testing.tools.monitoring import FileMonitor, callback_generator 
@@ -107,19 +108,20 @@ def test_integratord_read_json_file_deleted(configuration, metadata, set_wazuh_c - r'.*wazuh-integratord.*alert_id.*\"integration\": \"virustotal\".*' ''' - sample = metadata['alert_sample'] + wazuh_monitor = FileMonitor(LOG_FILE_PATH) + command = f"touch {ALERT_FILE_PATH} && chmod 640 {ALERT_FILE_PATH} && chown wazuh:wazuh {ALERT_FILE_PATH}" remove_file(ALERT_FILE_PATH) - result = wazuh_monitor.start(timeout=global_parameters.default_timeout, - callback=callback_generator(CB_CANNOT_RETRIEVE_JSON_FILE), - error_message=ERR_MSG_CANNOT_RETRIEVE_MSG_NOT_FOUND).result() + check_integratord_event(file_monitor=wazuh_monitor,timeout=global_parameters.default_timeout*2, + callback=callback_generator(integrator.CB_CANNOT_RETRIEVE_JSON_FILE), + error_message=integrator.ERR_MSG_CANNOT_RETRIEVE_MSG_NOT_FOUND) # Create file and insert alert. Wait one second so Integrator detects the file before the insertion - os.system(f"touch {ALERT_FILE_PATH} && chmod 640 {ALERT_FILE_PATH} && chown wazuh:wazuh {ALERT_FILE_PATH}") + run_local_command_returning_output(command) time.sleep(2) - os.system(f"echo '{sample}' >> {ALERT_FILE_PATH}") + run_local_command_returning_output(f"echo '{metadata['alert_sample']}' >> {ALERT_FILE_PATH}") # Read Response in ossec.log - result = wazuh_monitor.start(timeout=global_parameters.default_timeout*2, - callback=callback_generator(CB_VIRUSTOTAL_ALERT), - error_message=ERR_MSG_VIRUSTOTAL_ALERT_NOT_DETECTED).result() + check_integratord_event(file_monitor=wazuh_monitor,timeout=global_parameters.default_timeout*2, + callback=callback_generator(integrator.CB_VIRUSTOTAL_ALERT), + error_message=integrator.ERR_MSG_VIRUSTOTAL_ALERT_NOT_DETECTED) From 65749ed20b785b97eec88172c23229298e2c5819 Mon Sep 17 00:00:00 2001 
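Review bot: The comment `# Create file and insert alert. Wait one second so Integrator detects the file before the insertion` no longer matches the code, which waits with `time.sleep(2)`; either correct the comment or, better, replace the fixed sleep with a wait on the log line that shows integratord picked the file up again, if the module exposes one. The first `check_integratord_event` call now uses `timeout=global_parameters.default_timeout*2` where the old `wazuh_monitor.start` used `default_timeout`; a one-line comment on why the missing-file message needs twice the budget would help the next reader. `file_monitor=wazuh_monitor,timeout=` lacks the space after the comma that the rest of the call uses. The enclosing test function starts before this hunk, and patch 36 below removes the `wazuh_monitor = FileMonitor(LOG_FILE_PATH)` line added here, so it is worth confirming that `wazuh_monitor` is still defined before the first `check_integratord_event` call.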
From: Deblintrake09 Date: Mon, 1 Aug 2022 10:15:22 -0300 Subject: [PATCH 33/43] Fix: remofactor wait_for_start_module --- tests/integration/test_integratord/conftest.py | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tests/integration/test_integratord/conftest.py b/tests/integration/test_integratord/conftest.py index 45d69efea0..dffe1a2fc2 100644 --- a/tests/integration/test_integratord/conftest.py +++ b/tests/integration/test_integratord/conftest.py @@ -10,13 +10,13 @@ from wazuh_testing.tools import LOG_FILE_PATH from wazuh_testing.tools.monitoring import FileMonitor, callback_generator from wazuh_testing.modules import integratord as integrator +from wazuh_testing.modules.integratord.event_monitor import check_integratord_event -# Fixtures - @pytest.fixture(scope='function') def wait_for_start_module(request): - # Wait for Virustotal Integration to start + # Wait for integratord thread to start file_monitor = FileMonitor(LOG_FILE_PATH) - file_monitor.start(timeout=20, callback=callback_generator(integrator.CB_INTEGRATORD_THREAD_READY), - error_message=integrator.ERR_MSG_VIRUST_TOTAL_ENABLED_NOT_FOUND) + check_integratord_event(file_monitor=file_monitor, timeout=20, + callback=callback_generator(integrator.CB_INTEGRATORD_THREAD_READY), + error_message=integrator.ERR_MSG_VIRUST_TOTAL_ENABLED_NOT_FOUND) From 962e42885b919878a403b2058762d624afff042c Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Mon, 1 Aug 2022 12:24:55 -0300 Subject: [PATCH 34/43] Fix: remove api_key value from yaml --- .../data/test_cases/cases_integratord_change_inode_alert.yaml | 2 +- .../cases_integratord_read_invalid_json_alerts.yaml | 4 ++-- .../test_cases/cases_integratord_read_json_file_deleted.yaml | 2 +- .../test_cases/cases_integratord_read_valid_json_alerts.yaml | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) 
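Review bot: The comment now reads `# Wait for integratord thread to start` and the callback is `integrator.CB_INTEGRATORD_THREAD_READY`, but the `error_message` is still `integrator.ERR_MSG_VIRUST_TOTAL_ENABLED_NOT_FOUND`, so a timeout here reports a VirusTotal-enabled problem rather than the thread-start event that was actually awaited; pair the callback with a matching message constant (`integrator.<THREAD_READY_ERR_MSG>` as a placeholder — use whatever name the module defines, adding one if none exists). The `request` parameter of `wait_for_start_module` is not used in the visible body and can be dropped. `timeout=20` is a magic number where the tests use `global_parameters.default_timeout`; if 20 s is deliberate, a short comment saying why would help.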
diff --git a/tests/integration/test_integratord/data/test_cases/cases_integratord_change_inode_alert.yaml b/tests/integration/test_integratord/data/test_cases/cases_integratord_change_inode_alert.yaml index d85641ffdd..4c8699435d 100644 --- a/tests/integration/test_integratord/data/test_cases/cases_integratord_change_inode_alert.yaml +++ b/tests/integration/test_integratord/data/test_cases/cases_integratord_change_inode_alert.yaml @@ -1,6 +1,6 @@ - name: Cannot read alerts - Inode changed description: The alerts.json file inode has changed and it cannot read alerts from it until it reloads. configuration_parameters: - API_KEY: 8512012a5ebf7eee0eb2adaf85444f76ab1a615ad1f2376b45716c370d74868d + API_KEY: Insert using --integration_api_key parameter metadata: alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"padding_input"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log":"File /test_folder/TEST_CHANGED_INODE_ALERT.txt added\nMode: scheduled\n","syscheck":{"path":"/test_folder/TEST_CHANGED_INODE_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe","sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' 
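Review bot: Replacing the literal `API_KEY` values with `Insert using --integration_api_key parameter` removes them from the tree, but the 64-hex strings stay in the git history of this series (and in every clone that has fetched it), so if any of them was ever a live VirusTotal key it should be treated as exposed and revoked rather than merely deleted. The same replacement is made in cases_integratord_read_invalid_json_alerts.yaml (both cases), cases_integratord_read_json_file_deleted.yaml and cases_integratord_read_valid_json_alerts.yaml below. A secret-scanning check in CI or pre-commit would catch a key being re-added to these case files. The placeholder sentence is itself a perfectly valid string for the template to render, so the loader has to overwrite it for every case in a file, not only the first.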
diff --git a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_invalid_json_alerts.yaml b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_invalid_json_alerts.yaml index dd51290e53..6e039cf323 100644 --- a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_invalid_json_alerts.yaml +++ b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_invalid_json_alerts.yaml @@ -1,7 +1,7 @@ - name: Read invalid json alert description: Read a invalid alert from alerts.json - removed rule key name - Integration fails configuration_parameters: - API_KEY: d7f1a3b90040e663357def13d16cf0481ebbda4869caba712172bd7cc79dbc7a + API_KEY: Insert using --integration_api_key parameter metadata: alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000",:{"level":5,"description":"File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"c3"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log":"File /test_folder/TEST_INVALID_ALERT.txt added\nMode: scheduled\n","syscheck":{"path":"/test_folder/TEST_INVALID_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe","sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' alert_type: invalid 
@@ -9,7 +9,7 @@ - name: Read Overlong json alert description: Read a an alert that is over 64kb alert from alerts.json - Integration fails configuration_parameters: - API_KEY: d7f1a3b90040e663357def13d16cf0481ebbda4869caba712172bd7cc79dbc7a + API_KEY: Insert using --integration_api_key parameter metadata: alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"padding_input"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log":"File /test_folder/TEST_OVERLONG_ALERT.txt added\nMode: scheduled\n","syscheck":{"path":"/test_folder/TEST_OVERLONG_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe","sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' alert_type: overlong diff --git a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_file_deleted.yaml b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_file_deleted.yaml index 8021f10af9..629874494a 100644 --- a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_file_deleted.yaml +++ b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_file_deleted.yaml 
@@ -1,6 +1,6 @@ - name: Cannot read alerts - Json File Deleted description: The alerts.json file is missing and it cannot read alerts from it. If a new file is created it will read it. configuration_parameters: - API_KEY: 8512012a5ebf7eee0eb2adaf85444f76ab1a615ad1f2376b45716c370d74868d + API_KEY: Insert using --integration_api_key parameter metadata: alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"padding_input"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log":"File /test_folder/TEST_MISSING_JSON_ALERT.txt added\nMode: scheduled\n","syscheck":{"path":"/test_folder/TEST_MISSING_JSON_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe","sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' diff --git a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_valid_json_alerts.yaml b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_valid_json_alerts.yaml index c3a8bbe4b0..582c35944f 100644 --- a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_valid_json_alerts.yaml +++ b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_valid_json_alerts.yaml 
@@ -1,6 +1,6 @@ - name: Read valid json alert description: Read a valid alert from alerts.json configuration_parameters: - API_KEY: d7f1a3b90040e663357def13d16cf0481ebbda4869caba712172bd7cc79dbc7a + API_KEY: Insert using --integration_api_key parameter metadata: alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"c3"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log":"File /test_folder/TEST_VALID_ALERT.txt added\nMode: scheduled\n","syscheck":{"path":"/test_folder/TEST_VALID_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe","sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' From e845a7fdf2a86564e025190389361dff8b84b343 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Mon, 1 Aug 2022 12:25:36 -0300 Subject: [PATCH 35/43] Add: new integration_api_key parameter --- deps/wazuh_testing/wazuh_testing/__init__.py | 19 +++++++++++ tests/integration/conftest.py | 36 +++++++++++++++++++- 2 files changed, 54 insertions(+), 1 deletion(-) diff --git a/deps/wazuh_testing/wazuh_testing/__init__.py b/deps/wazuh_testing/wazuh_testing/__init__.py index 84ec005d4c..c8539a318f 100644 --- a/deps/wazuh_testing/wazuh_testing/__init__.py +++ b/deps/wazuh_testing/wazuh_testing/__init__.py 
@@ -43,6 +43,7 @@ def __init__(self): self._gcp_configuration_file = None self._gcp_credentials = None self._fim_mode = [] + self._integration_api_key = None @property def default_timeout(self): @@ -242,6 +243,24 @@ def fim_mode(self, value): """ self._fim_mode = value + @property + def integration_api_key(self): + """Getter method for the `integration_api_key` property + + Returns: + string: api key value to be used by integratord tests + """ + return self._integration_api_key + + @integration_api_key.setter + def integration_api_key(self, value): + """Setter method for the `integration_api_key` property + + Args: + value (str): New value for the `integration_api_key`. + """ + self._integration_api_key = value + global_parameters = Parameters() logger = logging.getLogger('wazuh_testing') diff --git a/tests/integration/conftest.py b/tests/integration/conftest.py index b73f790870..1c983a347c 100644 --- a/tests/integration/conftest.py +++ b/tests/integration/conftest.py @@ -98,6 +98,15 @@ def restart_wazuh_function(daemons=None): yield control_service('stop',daemons) +@pytest.fixture(scope='module') +def restart_wazuh_module(daemons=None): + """Restarts before starting a test, and stop it after finishing. + Args: + daemons(List): List of wazuh daemons that need to be restarted. Default restarts al daemons. + """ + control_service('restart', daemons) + yield + control_service('stop',daemons) @pytest.fixture(scope='module') def reset_ossec_log(get_configuration, request): @@ -233,7 +242,14 @@ def pytest_addoption(parser): type=str, help="run tests using a specific WPK package path" ) - + parser.addoption( + "--integration_api_key", + action="store", + metavar="integration_api_key", + default=None, + type=str, + help="pass api key required for integratord tests." + ) def pytest_configure(config): # Register an additional marker 
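Review bot: `--integration_api_key` takes the secret as a command-line argument, which leaves it in shell history and visible to other local users through the process list for the whole run; an environment-variable fallback in `pytest_configure`, e.g. `config.getoption("--integration_api_key") or os.environ.get("<ENV_VAR_NAME>")` (name to be chosen, `os` imported if conftest.py does not already), lets CI inject it without putting it on the command line. `restart_wazuh_module(daemons=None)` is a fixture whose `daemons` parameter has a default, and as far as I recall pytest does not resolve defaulted parameters as fixtures, so `daemons` is always `None` and the docstring's "List of wazuh daemons that need to be restarted" is not a reachable option; the pre-existing `restart_wazuh_function` has the same shape. `control_service('stop',daemons)` and the missing blank lines around the new fixture and after `parser.addoption(...)` are PEP 8 nits that the later style commit only partly picks up.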
@@ -287,6 +303,11 @@ def pytest_configure(config): mode = ["scheduled", "whodata", "realtime"] global_parameters.fim_mode = mode + # Set integration_api_key if it is passed through command line args + integration_api_key = config.getoption("--integration_api_key") + if integration_api_key: + global_parameters.integration_api_key = integration_api_key + # Set WPK package version global_parameters.wpk_version = config.getoption("--wpk_version") @@ -879,6 +900,19 @@ def truncate_monitored_files(): truncate_file(log_file) +@pytest.fixture(scope='module') +def truncate_monitored_files_module(): + """Truncate all the log files and json alerts files before and after the test execution""" + log_files = [LOG_FILE_PATH, ALERT_FILE_PATH] + + for log_file in log_files: + truncate_file(log_file) + + yield + + for log_file in log_files: + truncate_file(log_file) + @pytest.fixture(scope='function') def set_wazuh_configuration(configuration): """Set wazuh configuration From 100306540ac6351bee741f8e83989204d85f0342 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Mon, 1 Aug 2022 12:26:16 -0300 Subject: [PATCH 36/43] Fix: add API_KEY parameter --- .../test_integratord/test_integratord_change_inode_alert.py | 1 + .../test_integratord/test_integratord_read_json_alerts.py | 2 ++ .../test_integratord/test_integratord_read_json_file_deleted.py | 2 +- 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/tests/integration/test_integratord/test_integratord_change_inode_alert.py b/tests/integration/test_integratord/test_integratord_change_inode_alert.py index 9e324a8db8..af5b08d63d 100644 --- a/tests/integration/test_integratord/test_integratord_change_inode_alert.py +++ b/tests/integration/test_integratord/test_integratord_change_inode_alert.py 
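Review bot: `truncate_monitored_files_module` duplicates the body of `truncate_monitored_files` line for line, differing only in `scope='module'`; a small private helper, `def _truncate_monitored(): for log_file in (LOG_FILE_PATH, ALERT_FILE_PATH): truncate_file(log_file)`, called before and after the `yield` in both fixtures keeps the two from drifting apart. In `pytest_configure`, the `if integration_api_key:` guard means a missing option silently leaves `global_parameters.integration_api_key` as `None`; since the integratord modules read that value at import time, an explicit diagnostic here (or a `pytest.skip`/fail in those modules) would turn a confusing rendered-`None` configuration into a clear "option not provided" error. The enclosing `pytest_configure` body continues outside the hunk.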
@@ -58,6 +58,7 @@ # Configurations configuration_parameters, configuration_metadata, case_ids = get_test_cases_data(cases_path) +configuration_parameters[0]['API_KEY'] = global_parameters.integration_api_key configurations = load_configuration_template(configurations_path, configuration_parameters, configuration_metadata) local_internal_options = {'integrator.debug': '2'} diff --git a/tests/integration/test_integratord/test_integratord_read_json_alerts.py b/tests/integration/test_integratord/test_integratord_read_json_alerts.py index 13dd30c17c..2e58aa6980 100644 --- a/tests/integration/test_integratord/test_integratord_read_json_alerts.py +++ b/tests/integration/test_integratord/test_integratord_read_json_alerts.py @@ -59,9 +59,11 @@ # Configurations t1_configuration_parameters, t1_configuration_metadata, t1_case_ids = get_test_cases_data(t1_cases_path) +t1_configuration_parameters[0]['API_KEY'] = global_parameters.integration_api_key t1_configurations = load_configuration_template(configurations_path, t1_configuration_parameters, t1_configuration_metadata) t2_configuration_parameters, t2_configuration_metadata, t2_case_ids = get_test_cases_data(t2_cases_path) +t2_configuration_parameters[0]['API_KEY'] = global_parameters.integration_api_key t2_configurations = load_configuration_template(configurations_path, t2_configuration_parameters, t2_configuration_metadata) diff --git a/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py b/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py index 716bf72f84..57b17bc6fd 100644 --- a/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py +++ b/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py 
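Review bot: `t2_configuration_parameters[0]['API_KEY'] = global_parameters.integration_api_key` overwrites only the first case, but cases_integratord_read_invalid_json_alerts.yaml (shown earlier in this series) carries two cases, so the overlong case keeps the literal placeholder `Insert using --integration_api_key parameter` as its key; iterate instead, `for params in t2_configuration_parameters: params['API_KEY'] = global_parameters.integration_api_key`, and do the same for `t1_configuration_parameters`, for `configuration_parameters` in the change_inode hunk above and in the read_json_file_deleted hunk below, so the modules stay correct as cases are added. When `--integration_api_key` is not passed the value is `None`, presumably rendering the text `None` into the integration block; a module-level `pytest.skip` or explicit error when the key is missing would fail faster and more clearly than a VirusTotal authentication failure inside the test.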
@@ -58,6 +58,7 @@ # Configurations configuration_parameters, configuration_metadata, case_ids = get_test_cases_data(cases_path) +configuration_parameters[0]['API_KEY'] = global_parameters.integration_api_key configurations = load_configuration_template(configurations_path, configuration_parameters, configuration_metadata) local_internal_options = {'integrator.debug': '2'} @@ -108,7 +109,6 @@ def test_integratord_read_json_file_deleted(configuration, metadata, set_wazuh_c - r'.*wazuh-integratord.*alert_id.*\"integration\": \"virustotal\".*' ''' - wazuh_monitor = FileMonitor(LOG_FILE_PATH) command = f"touch {ALERT_FILE_PATH} && chmod 640 {ALERT_FILE_PATH} && chown wazuh:wazuh {ALERT_FILE_PATH}" From b0859a2a98ee2e03254cc192cae6c319c0e304ee Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Mon, 8 Aug 2022 12:20:19 -0300 Subject: [PATCH 37/43] style: Fix style to comply with PEP8 --- deps/wazuh_testing/wazuh_testing/__init__.py | 2 +- .../modules/integratord/event_monitor.py | 10 ++++---- .../wazuh_testing/tools/local_actions.py | 2 +- tests/integration/conftest.py | 11 +++++---- .../integration/test_integratord/conftest.py | 2 +- .../test_integratord_change_inode_alert.py | 21 +++++++--------- .../test_integratord_read_json_alerts.py | 24 ++++++++++--------- ...test_integratord_read_json_file_deleted.py | 9 +++---- 8 files changed, 43 insertions(+), 38 deletions(-) diff --git a/deps/wazuh_testing/wazuh_testing/__init__.py b/deps/wazuh_testing/wazuh_testing/__init__.py index c8539a318f..d3adc8f9f4 100644 --- a/deps/wazuh_testing/wazuh_testing/__init__.py +++ b/deps/wazuh_testing/wazuh_testing/__init__.py @@ -22,7 +22,7 @@ def is_tcp(protocol): def is_tcp_udp(protocol): - _protocol = protocol.replace(' ','').upper().split(',') + _protocol = protocol.replace(' ', '').upper().split(',') _protocol.sort() return ','.join(_protocol) == TCP_UDP 
diff --git a/deps/wazuh_testing/wazuh_testing/modules/integratord/event_monitor.py b/deps/wazuh_testing/wazuh_testing/modules/integratord/event_monitor.py index fc242c1a14..0e9697ab2c 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/integratord/event_monitor.py +++ b/deps/wazuh_testing/wazuh_testing/modules/integratord/event_monitor.py @@ -1,12 +1,15 @@ - +''' +copyright: Copyright (C) 2015-2022, Wazuh Inc. + Created by Wazuh, Inc. . + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 +''' from wazuh_testing.tools import LOG_FILE_PATH from wazuh_testing.tools.monitoring import FileMonitor - def check_integratord_event(file_monitor=None, callback='', error_message=None, update_position=True, - timeout=30, accum_results=1, file_to_monitor=LOG_FILE_PATH): + timeout=30, accum_results=1, file_to_monitor=LOG_FILE_PATH): """Check if an event occurs Args: file_monitor (FileMonitor): FileMonitor object to monitor the file content. @@ -22,4 +25,3 @@ def check_integratord_event(file_monitor=None, callback='', error_message=None, file_monitor.start(timeout=timeout, update_position=update_position, accum_results=accum_results, callback=callback, error_message=error_message) - diff --git a/deps/wazuh_testing/wazuh_testing/tools/local_actions.py b/deps/wazuh_testing/wazuh_testing/tools/local_actions.py index 8e494e5b3f..9509f0f541 100644 --- a/deps/wazuh_testing/wazuh_testing/tools/local_actions.py +++ b/deps/wazuh_testing/wazuh_testing/tools/local_actions.py @@ -51,4 +51,4 @@ def run_local_command_returning_output(command): else: run = subprocess.Popen(['/bin/bash', '-c', command], stdout=subprocess.PIPE) - return run.stdout.read().decode() \ No newline at end of file + return run.stdout.read().decode() diff --git a/tests/integration/conftest.py b/tests/integration/conftest.py index 1c983a347c..c53c66bb06 100644 --- a/tests/integration/conftest.py +++ b/tests/integration/conftest.py 
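Review bot: `check_integratord_event` defaults `file_monitor` to `None` and accepts `file_to_monitor=LOG_FILE_PATH`, yet the visible tail of the body calls `file_monitor.start(...)` directly, so calling it with the defaults raises AttributeError and `file_to_monitor` has no visible use; presumably the intent is `if file_monitor is None: file_monitor = FileMonitor(file_to_monitor)` before the `start` call, which would also explain the `FileMonitor` import — the middle of the function is outside these hunks, so confirm it is not already there. The new header docstring's `Created by Wazuh, Inc. .` looks like something between `Inc.` and the final dot was dropped; worth checking against the project's standard header. `callback=''` as a default is odd for an argument every call site wraps with `callback_generator`; `None` would be the more honest "required" marker.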
@@ -96,7 +96,8 @@ def restart_wazuh_function(daemons=None): """ control_service('restart', daemons) yield - control_service('stop',daemons) + control_service('stop', daemons) + @pytest.fixture(scope='module') def restart_wazuh_module(daemons=None): @@ -106,7 +107,8 @@ def restart_wazuh_module(daemons=None): """ control_service('restart', daemons) yield - control_service('stop',daemons) + control_service('stop', daemons) + @pytest.fixture(scope='module') def reset_ossec_log(get_configuration, request): @@ -251,6 +253,7 @@ def pytest_addoption(parser): help="pass api key required for integratord tests." ) + def pytest_configure(config): # Register an additional marker config.addinivalue_line( @@ -885,7 +888,6 @@ def configure_local_internal_options_module(request): conf.set_local_internal_options_dict(backup_local_internal_options) - @pytest.fixture(scope='function') def truncate_monitored_files(): """Truncate all the log files and json alerts files before and after the test execution""" @@ -913,6 +915,7 @@ def truncate_monitored_files_module(): for log_file in log_files: truncate_file(log_file) + @pytest.fixture(scope='function') def set_wazuh_configuration(configuration): """Set wazuh configuration @@ -935,4 +938,4 @@ def set_wazuh_configuration(configuration): yield # Restore previous configuration - conf.write_wazuh_conf(backup_config) \ No newline at end of file + conf.write_wazuh_conf(backup_config) diff --git a/tests/integration/test_integratord/conftest.py b/tests/integration/test_integratord/conftest.py index dffe1a2fc2..307792db9c 100644 --- a/tests/integration/test_integratord/conftest.py +++ b/tests/integration/test_integratord/conftest.py 
@@ -17,6 +17,6 @@ def wait_for_start_module(request): # Wait for integratord thread to start file_monitor = FileMonitor(LOG_FILE_PATH) - check_integratord_event(file_monitor=file_monitor, timeout=20, + check_integratord_event(file_monitor=file_monitor, timeout=20, callback=callback_generator(integrator.CB_INTEGRATORD_THREAD_READY), error_message=integrator.ERR_MSG_VIRUST_TOTAL_ENABLED_NOT_FOUND) diff --git a/tests/integration/test_integratord/test_integratord_change_inode_alert.py b/tests/integration/test_integratord/test_integratord_change_inode_alert.py index af5b08d63d..88d876e5b0 100644 --- a/tests/integration/test_integratord/test_integratord_change_inode_alert.py +++ b/tests/integration/test_integratord/test_integratord_change_inode_alert.py @@ -112,14 +112,13 @@ def test_integratord_change_json_inode(configuration, metadata, set_wazuh_config wazuh_monitor = FileMonitor(LOG_FILE_PATH) command = f"echo '{metadata['alert_sample']}' >> {ALERT_FILE_PATH}" # Insert Alerts - for n in range(5): - run_local_command_returning_output(command) + run_local_command_returning_output(command) # Get that alert is read check_integratord_event(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout, - callback=callback_generator(integrator.CB_INTEGRATORD_SENDING_ALERT), - error_message=integrator.ERR_MSG_SENDING_ALERT_NOT_FOUND, - update_position=False) + callback=callback_generator(integrator.CB_INTEGRATORD_SENDING_ALERT), + error_message=integrator.ERR_MSG_SENDING_ALERT_NOT_FOUND, + update_position=False) # Change file to change inode copy(ALERT_FILE_PATH, TEMP_FILE_PATH) 
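Review bot: A commit titled "Fix style to comply with PEP8" changes behaviour here: the `for n in range(5): run_local_command_returning_output(command)` loop becomes a single insertion, and the following hunk (`@@ -130,14 +129,12 @@`) also drops a `run_local_command_returning_output(command)` after the inode-change check; if these are deliberate fixes they deserve their own commit, or at least a commit message saying why one alert is now enough. `update_position=False` on the first `check_integratord_event` is kept without explanation; a one-line comment on what the later checks rely on it for would help a reader who does not know FileMonitor's position handling. The enclosing test function starts before this hunk.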
@@ -130,14 +129,12 @@ def test_integratord_change_json_inode(configuration, metadata, set_wazuh_config time.sleep(3) run_local_command_returning_output(command) - # Monitor Inode Changed - + # Monitor Inode Changed check_integratord_event(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout * 2, - callback=callback_generator(integrator.CB_ALERTS_FILE_INODE_CHANGED), - error_message=integrator.ERR_MSG_ALERT_INODE_CHANGED_NOT_FOUND) - run_local_command_returning_output(command) + callback=callback_generator(integrator.CB_ALERTS_FILE_INODE_CHANGED), + error_message=integrator.ERR_MSG_ALERT_INODE_CHANGED_NOT_FOUND) # Read Response in ossec.log check_integratord_event(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout, - callback=callback_generator(integrator.CB_PROCESSING_ALERT), - error_message=integrator.ERR_MSG_VIRUSTOTAL_ALERT_NOT_DETECTED) \ No newline at end of file + callback=callback_generator(integrator.CB_PROCESSING_ALERT), + error_message=integrator.ERR_MSG_VIRUSTOTAL_ALERT_NOT_DETECTED) diff --git a/tests/integration/test_integratord/test_integratord_read_json_alerts.py b/tests/integration/test_integratord/test_integratord_read_json_alerts.py index 2e58aa6980..9c41fc2c15 100644 --- a/tests/integration/test_integratord/test_integratord_read_json_alerts.py +++ b/tests/integration/test_integratord/test_integratord_read_json_alerts.py @@ -33,7 +33,8 @@ ''' import os import pytest -import yaml +import time + from wazuh_testing import global_parameters from wazuh_testing.tools import LOG_FILE_PATH, ALERT_FILE_PATH from wazuh_testing.modules import integratord as integrator 
@@ -61,11 +62,11 @@ t1_configuration_parameters, t1_configuration_metadata, t1_case_ids = get_test_cases_data(t1_cases_path) t1_configuration_parameters[0]['API_KEY'] = global_parameters.integration_api_key t1_configurations = load_configuration_template(configurations_path, t1_configuration_parameters, - t1_configuration_metadata) + t1_configuration_metadata) t2_configuration_parameters, t2_configuration_metadata, t2_case_ids = get_test_cases_data(t2_cases_path) t2_configuration_parameters[0]['API_KEY'] = global_parameters.integration_api_key t2_configurations = load_configuration_template(configurations_path, t2_configuration_parameters, - t2_configuration_metadata) + t2_configuration_metadata) local_internal_options = {'integrator.debug': '2'} @@ -75,9 +76,9 @@ @pytest.mark.tier(level=1) @pytest.mark.parametrize('configuration, metadata', zip(t1_configurations, t1_configuration_metadata), ids=t1_case_ids) -def test_integratord_read_valid_json_alerts(configuration, metadata, set_wazuh_configuration, truncate_monitored_files, - configure_local_internal_options_module, restart_wazuh_function, - wait_for_start_module): +def test_integratord_read_valid_alerts(configuration, metadata, set_wazuh_configuration, truncate_monitored_files, + configure_local_internal_options_module, restart_wazuh_function, + wait_for_start_module): ''' description: Check that when a given alert is inserted into alerts.json, integratord works as expected. In case of a valid alert, a virustotal integration alert is expected in the alerts.json file. 
@@ -113,23 +114,24 @@ def test_integratord_read_valid_json_alerts(configuration, metadata, set_wazuh_c expected_output: - r'.*wazuh-integratord.*alert_id.*\"integration\": \"virustotal\".*' ''' + sample = metadata['alert_sample'] wazuh_monitor = FileMonitor(LOG_FILE_PATH) - + time.sleep(5) run_local_command_returning_output(f"echo '{sample}' >> {ALERT_FILE_PATH}") # Read Response in ossec.log check_integratord_event(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout, - callback=callback_generator(integrator.CB_VIRUSTOTAL_ALERT), + callback=callback_generator(integrator.CB_VIRUSTOTAL_ALERT), error_message=integrator.ERR_MSG_VIRUSTOTAL_ALERT_NOT_DETECTED) @pytest.mark.tier(level=1) @pytest.mark.parametrize('configuration, metadata', zip(t2_configurations, t2_configuration_metadata), ids=t2_case_ids) -def test_integratord_read_invalid_json_alerts(configuration, metadata, set_wazuh_configuration, truncate_monitored_files, - configure_local_internal_options_module, restart_wazuh_function, - wait_for_start_module): +def test_integratord_read_invalid_alerts(configuration, metadata, set_wazuh_configuration, truncate_monitored_files, + configure_local_internal_options_module, restart_wazuh_function, + wait_for_start_module): ''' description: Check that when a given alert is inserted into alerts.json, integratord works as expected. In case of a valid alert, a virustotal integration alert is expected in the alerts.json file. If the alert is invalid or diff --git a/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py b/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py index 57b17bc6fd..bc562c20a2 100644 --- a/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py +++ b/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py 
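Review bot: `time.sleep(5)` is inserted before the alert is appended, again in a commit labelled as a style fix; a fixed sleep adds five seconds per case and hides whatever readiness condition the test actually needs, which `wait_for_start_module` was meant to provide. If integratord needs time after the thread-ready log line before it reads the file, wait on that concrete log event, or at minimum leave a comment such as `# TODO(review): explain why a fixed 5 s wait is needed after wait_for_start_module` so the number is not cargo-culted into the other modules. The rename to `test_integratord_read_valid_alerts` / `test_integratord_read_invalid_alerts` is fine as such. The imports hunk for this file above drops `import yaml` but keeps `import os`, which no longer appears to be used now that `os.system` is gone — verify and drop it.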
@@ -34,6 +34,7 @@ import os import time import pytest + from wazuh_testing import global_parameters from wazuh_testing.tools import LOG_FILE_PATH, ALERT_FILE_PATH from wazuh_testing.tools.file import remove_file @@ -114,8 +115,8 @@ def test_integratord_read_json_file_deleted(configuration, metadata, set_wazuh_c remove_file(ALERT_FILE_PATH) check_integratord_event(file_monitor=wazuh_monitor,timeout=global_parameters.default_timeout*2, - callback=callback_generator(integrator.CB_CANNOT_RETRIEVE_JSON_FILE), - error_message=integrator.ERR_MSG_CANNOT_RETRIEVE_MSG_NOT_FOUND) + callback=callback_generator(integrator.CB_CANNOT_RETRIEVE_JSON_FILE), + error_message=integrator.ERR_MSG_CANNOT_RETRIEVE_MSG_NOT_FOUND) # Create file and insert alert. Wait one second so Integrator detects the file before the insertion run_local_command_returning_output(command) time.sleep(2) @@ -123,5 +124,5 @@ def test_integratord_read_json_file_deleted(configuration, metadata, set_wazuh_c # Read Response in ossec.log check_integratord_event(file_monitor=wazuh_monitor,timeout=global_parameters.default_timeout*2, - callback=callback_generator(integrator.CB_VIRUSTOTAL_ALERT), - error_message=integrator.ERR_MSG_VIRUSTOTAL_ALERT_NOT_DETECTED) + callback=callback_generator(integrator.CB_VIRUSTOTAL_ALERT), + error_message=integrator.ERR_MSG_VIRUSTOTAL_ALERT_NOT_DETECTED) From e32b7e1a57977964f53d04f50d186169fc5af14b Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Mon, 8 Aug 2022 12:29:29 -0300 Subject: [PATCH 38/43] style: fix style to comply with PEP 8 #3125 --- .../test_integratord_change_inode_alert.py | 4 ++-- .../test_integratord_read_json_alerts.py | 10 +++++----- .../test_integratord_read_json_file_deleted.py | 4 ++-- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/tests/integration/test_integratord/test_integratord_change_inode_alert.py b/tests/integration/test_integratord/test_integratord_change_inode_alert.py index 88d876e5b0..80618b3339 100644 
--- a/tests/integration/test_integratord/test_integratord_change_inode_alert.py +++ b/tests/integration/test_integratord/test_integratord_change_inode_alert.py @@ -129,12 +129,12 @@ def test_integratord_change_json_inode(configuration, metadata, set_wazuh_config time.sleep(3) run_local_command_returning_output(command) - # Monitor Inode Changed + # Monitor Inode Changed check_integratord_event(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout * 2, callback=callback_generator(integrator.CB_ALERTS_FILE_INODE_CHANGED), error_message=integrator.ERR_MSG_ALERT_INODE_CHANGED_NOT_FOUND) - # Read Response in ossec.log + # Read Response in ossec.log check_integratord_event(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout, callback=callback_generator(integrator.CB_PROCESSING_ALERT), error_message=integrator.ERR_MSG_VIRUSTOTAL_ALERT_NOT_DETECTED) diff --git a/tests/integration/test_integratord/test_integratord_read_json_alerts.py b/tests/integration/test_integratord/test_integratord_read_json_alerts.py index 9c41fc2c15..2d632707e3 100644 --- a/tests/integration/test_integratord/test_integratord_read_json_alerts.py +++ b/tests/integration/test_integratord/test_integratord_read_json_alerts.py @@ -77,8 +77,8 @@ @pytest.mark.parametrize('configuration, metadata', zip(t1_configurations, t1_configuration_metadata), ids=t1_case_ids) def test_integratord_read_valid_alerts(configuration, metadata, set_wazuh_configuration, truncate_monitored_files, - configure_local_internal_options_module, restart_wazuh_function, - wait_for_start_module): + configure_local_internal_options_module, restart_wazuh_function, + wait_for_start_module): ''' description: Check that when a given alert is inserted into alerts.json, integratord works as expected. In case of a valid alert, a virustotal integration alert is expected in the alerts.json file. 
@@ -114,7 +114,7 @@ def test_integratord_read_valid_alerts(configuration, metadata, set_wazuh_config expected_output: - r'.*wazuh-integratord.*alert_id.*\"integration\": \"virustotal\".*' ''' - + sample = metadata['alert_sample'] wazuh_monitor = FileMonitor(LOG_FILE_PATH) time.sleep(5) @@ -130,8 +130,8 @@ def test_integratord_read_valid_alerts(configuration, metadata, set_wazuh_config @pytest.mark.parametrize('configuration, metadata', zip(t2_configurations, t2_configuration_metadata), ids=t2_case_ids) def test_integratord_read_invalid_alerts(configuration, metadata, set_wazuh_configuration, truncate_monitored_files, - configure_local_internal_options_module, restart_wazuh_function, - wait_for_start_module): + configure_local_internal_options_module, restart_wazuh_function, + wait_for_start_module): ''' description: Check that when a given alert is inserted into alerts.json, integratord works as expected. In case of a valid alert, a virustotal integration alert is expected in the alerts.json file. If the alert is invalid or diff --git a/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py b/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py index bc562c20a2..e14acd2f22 100644 --- a/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py +++ b/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py 
@@ -114,7 +114,7 @@ def test_integratord_read_json_file_deleted(configuration, metadata, set_wazuh_c command = f"touch {ALERT_FILE_PATH} && chmod 640 {ALERT_FILE_PATH} && chown wazuh:wazuh {ALERT_FILE_PATH}" remove_file(ALERT_FILE_PATH) - check_integratord_event(file_monitor=wazuh_monitor,timeout=global_parameters.default_timeout*2, + check_integratord_event(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout*2, callback=callback_generator(integrator.CB_CANNOT_RETRIEVE_JSON_FILE), error_message=integrator.ERR_MSG_CANNOT_RETRIEVE_MSG_NOT_FOUND) # Create file and insert alert. Wait one second so Integrator detects the file before the insertion @@ -123,6 +123,6 @@ def test_integratord_read_json_file_deleted(configuration, metadata, set_wazuh_c run_local_command_returning_output(f"echo '{metadata['alert_sample']}' >> {ALERT_FILE_PATH}") # Read Response in ossec.log - check_integratord_event(file_monitor=wazuh_monitor,timeout=global_parameters.default_timeout*2, + check_integratord_event(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout*2, callback=callback_generator(integrator.CB_VIRUSTOTAL_ALERT), error_message=integrator.ERR_MSG_VIRUSTOTAL_ALERT_NOT_DETECTED) From c0720fb6a0920b21a1d9774b9be2be4bbffdcd79 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Mon, 8 Aug 2022 13:17:15 -0300 Subject: [PATCH 39/43] style: Fix yaml style #3125 --- .../config_integratord_read_json_alerts.yaml | 18 ++++++------- .../cases_integratord_change_inode_alert.yaml | 13 +++++++++- ..._integratord_read_invalid_json_alerts.yaml | 26 +++++++++++++++++-- ...es_integratord_read_json_file_deleted.yaml | 13 +++++++++- ...es_integratord_read_valid_json_alerts.yaml | 13 +++++++++- 5 files changed, 69 insertions(+), 14 deletions(-) 
diff --git a/tests/integration/test_integratord/data/configuration_template/config_integratord_read_json_alerts.yaml b/tests/integration/test_integratord/data/configuration_template/config_integratord_read_json_alerts.yaml index 69c2a7a414..acf8a61bfb 100644 --- a/tests/integration/test_integratord/data/configuration_template/config_integratord_read_json_alerts.yaml +++ b/tests/integration/test_integratord/data/configuration_template/config_integratord_read_json_alerts.yaml @@ -8,32 +8,32 @@ - section: integration elements: - name: - value: 'virustotal' + value: virustotal - api_key: value: API_KEY - rule_id: value: '554' - alert_format: - value: 'json' + value: json - section: sca elements: - enabled: value: 'no' - section: rootcheck elements: - - disabled: - value: 'yes' + - disabled: + value: 'yes' - section: syscheck elements: - - disabled: - value: 'yes' + - disabled: + value: 'yes' - section: wodle attributes: - - name: 'syscollector' + - name: syscollector elements: - disabled: value: 'yes' - section: auth elements: - - disabled: - value: 'yes' + - disabled: + value: 'yes' diff --git a/tests/integration/test_integratord/data/test_cases/cases_integratord_change_inode_alert.yaml b/tests/integration/test_integratord/data/test_cases/cases_integratord_change_inode_alert.yaml index 4c8699435d..a9158e09f5 100644 --- a/tests/integration/test_integratord/data/test_cases/cases_integratord_change_inode_alert.yaml +++ b/tests/integration/test_integratord/data/test_cases/cases_integratord_change_inode_alert.yaml 
@@ -3,4 +3,15 @@ configuration_parameters: API_KEY: Insert using --integration_api_key parameter metadata: - alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"padding_input"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log":"File /test_folder/TEST_CHANGED_INODE_ALERT.txt added\nMode: scheduled\n","syscheck":{"path":"/test_folder/TEST_CHANGED_INODE_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe","sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' + alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description":"File added to the system.", + "id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added", + "syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1", + "164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{ + "id":"000","name":"padding_input"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log": + "File /test_folder/TEST_CHANGED_INODE_ALERT.txt added\nMode: scheduled\n","syscheck":{"path": + "/test_folder/TEST_CHANGED_INODE_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--" + 
,"uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433", + "sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe", + "sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root", + "gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder": + {"name":"syscheck_new_entry"},"location":"syscheck"}' diff --git a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_invalid_json_alerts.yaml b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_invalid_json_alerts.yaml index 6e039cf323..bde44fbe11 100644 --- a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_invalid_json_alerts.yaml +++ b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_invalid_json_alerts.yaml 
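Review bot: alert_sample is now a multi-line single-quoted YAML scalar, so each line break is folded into a single space and the string handed to the test no longer matches the original byte for byte; every break in this hunk falls between JSON tokens, so the alert still parses, but a break placed inside a quoted value would corrupt the sample silently, which deserves a comment above the key such as `# alert_sample is a folded single-quoted scalar: keep every line break between JSON tokens, never inside a string`. The same layout is applied in the cases_integratord_read_invalid_json_alerts, cases_integratord_read_json_file_deleted and cases_integratord_read_valid_json_alerts hunks that follow. Those hunks also change data in what is labelled a style commit: the invalid and valid samples switch the agent name from "c3" to "padding_input", and the overlong sample's full_log and syscheck.path change from /test_folder/TEST_OVERLONG_ALERT.txt to /test_folder/TEST_INVALID_ALERT.txt, so two cases now carry the same path and a log match can no longer tell them apart. If the switch to padding_input is intentional (it may be the token the test pads for the overlong case; not visible here) it should be stated in the commit message, and the overlong path should be restored to TEST_OVERLONG_ALERT.txt.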
@@ -3,7 +3,18 @@ configuration_parameters: API_KEY: Insert using --integration_api_key parameter metadata: - alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000",:{"level":5,"description":"File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"c3"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log":"File /test_folder/TEST_INVALID_ALERT.txt added\nMode: scheduled\n","syscheck":{"path":"/test_folder/TEST_INVALID_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe","sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' + alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000",:{"level":5,"description":"File added to the system.", + "id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added", + "syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1", + "164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{ + "id":"000","name":"padding_input"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log": + "File /test_folder/TEST_INVALID_ALERT.txt added\nMode: scheduled\n","syscheck":{"path": + "/test_folder/TEST_INVALID_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--" + ,"uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433", + 
"sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe", + "sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root", + "gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder": + {"name":"syscheck_new_entry"},"location":"syscheck"}' alert_type: invalid - name: Read Overlong json alert 
@@ -11,5 +22,16 @@ configuration_parameters: API_KEY: Insert using --integration_api_key parameter metadata: - alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"padding_input"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log":"File /test_folder/TEST_OVERLONG_ALERT.txt added\nMode: scheduled\n","syscheck":{"path":"/test_folder/TEST_OVERLONG_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe","sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' + alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description":"File added to the system.", + "id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added", + "syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1", + "164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{ + "id":"000","name":"padding_input"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log": + "File /test_folder/TEST_INVALID_ALERT.txt added\nMode: scheduled\n","syscheck":{"path": + "/test_folder/TEST_INVALID_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--" + ,"uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433", + 
"sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe", + "sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root", + "gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder": + {"name":"syscheck_new_entry"},"location":"syscheck"}' alert_type: overlong diff --git a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_file_deleted.yaml b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_file_deleted.yaml index 629874494a..25fc710757 100644 --- a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_file_deleted.yaml +++ b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_file_deleted.yaml 
@@ -3,4 +3,15 @@ configuration_parameters: API_KEY: Insert using --integration_api_key parameter metadata: - alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"padding_input"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log":"File /test_folder/TEST_MISSING_JSON_ALERT.txt added\nMode: scheduled\n","syscheck":{"path":"/test_folder/TEST_MISSING_JSON_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe","sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' + alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description":"File added to the system.", + "id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added", + "syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1", + "164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{ + "id":"000","name":"padding_input"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log": + "File /test_folder/TEST_FILE_DELETED_ALERT.txt added\nMode: scheduled\n","syscheck":{"path": + "/test_folder/TEST_FILE_DELETED_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--" + 
,"uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433", + "sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe", + "sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root", + "gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder": + {"name":"syscheck_new_entry"},"location":"syscheck"}' diff --git a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_valid_json_alerts.yaml b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_valid_json_alerts.yaml index 582c35944f..bc1274f968 100644 --- a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_valid_json_alerts.yaml +++ b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_valid_json_alerts.yaml 
@@ -3,4 +3,15 @@ configuration_parameters: API_KEY: Insert using --integration_api_key parameter metadata: - alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"c3"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log":"File /test_folder/TEST_VALID_ALERT.txt added\nMode: scheduled\n","syscheck":{"path":"/test_folder/TEST_VALID_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe","sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' + alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description":"File added to the system.", + "id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added", + "syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1", + "164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{ + "id":"000","name":"padding_input"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log": + "File /test_folder/TEST_VALID_ALERT.txt added\nMode: scheduled\n","syscheck":{"path": + "/test_folder/TEST_VALID_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--" + ,"uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433", + 
"sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe", + "sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root", + "gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder": + {"name":"syscheck_new_entry"},"location":"syscheck"}' From a389c2f05ed64ec4dfbc24705538a94e075e675b Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Mon, 8 Aug 2022 13:28:56 -0300 Subject: [PATCH 40/43] style: fix yaml indentations #3125 --- ..._integratord_read_invalid_json_alerts.yaml | 44 +++++++++---------- ...es_integratord_read_json_file_deleted.yaml | 22 +++++----- ...es_integratord_read_valid_json_alerts.yaml | 22 +++++----- 3 files changed, 44 insertions(+), 44 deletions(-) diff --git a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_invalid_json_alerts.yaml b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_invalid_json_alerts.yaml index bde44fbe11..f84efa75db 100644 --- a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_invalid_json_alerts.yaml +++ b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_invalid_json_alerts.yaml 
@@ -4,17 +4,17 @@ API_KEY: Insert using --integration_api_key parameter metadata: alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000",:{"level":5,"description":"File added to the system.", - "id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added", - "syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1", - "164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{ - "id":"000","name":"padding_input"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log": - "File /test_folder/TEST_INVALID_ALERT.txt added\nMode: scheduled\n","syscheck":{"path": - "/test_folder/TEST_INVALID_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--" - ,"uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433", - "sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe", - "sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root", - "gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder": - {"name":"syscheck_new_entry"},"location":"syscheck"}' + "id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added", + "syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1", + "164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{ + "id":"000","name":"padding_input"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log": + "File /test_folder/TEST_INVALID_ALERT.txt added\nMode: scheduled\n","syscheck":{"path": + "/test_folder/TEST_INVALID_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--" + ,"uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433", + "sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe", + 
"sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root", + "gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder": + {"name":"syscheck_new_entry"},"location":"syscheck"}' alert_type: invalid - name: Read Overlong json alert 
@@ -23,15 +23,15 @@ API_KEY: Insert using --integration_api_key parameter metadata: alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description":"File added to the system.", - "id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added", - "syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1", - "164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{ - "id":"000","name":"padding_input"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log": - "File /test_folder/TEST_INVALID_ALERT.txt added\nMode: scheduled\n","syscheck":{"path": - "/test_folder/TEST_INVALID_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--" - ,"uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433", - "sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe", - "sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root", - "gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder": - {"name":"syscheck_new_entry"},"location":"syscheck"}' + "id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added", + "syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1", + "164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{ + "id":"000","name":"padding_input"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log": + "File /test_folder/TEST_INVALID_ALERT.txt added\nMode: scheduled\n","syscheck":{"path": + "/test_folder/TEST_INVALID_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--" + ,"uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433", + "sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe", + 
"sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root", + "gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder": + {"name":"syscheck_new_entry"},"location":"syscheck"}' alert_type: overlong diff --git a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_file_deleted.yaml b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_file_deleted.yaml index 25fc710757..19f1da5979 100644 --- a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_file_deleted.yaml +++ b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_file_deleted.yaml 
@@ -4,14 +4,14 @@ API_KEY: Insert using --integration_api_key parameter metadata: alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description":"File added to the system.", - "id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added", - "syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1", - "164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{ - "id":"000","name":"padding_input"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log": - "File /test_folder/TEST_FILE_DELETED_ALERT.txt added\nMode: scheduled\n","syscheck":{"path": - "/test_folder/TEST_FILE_DELETED_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--" - ,"uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433", - "sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe", - "sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root", - "gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder": - {"name":"syscheck_new_entry"},"location":"syscheck"}' + "id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added", + "syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1", + "164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{ + "id":"000","name":"padding_input"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log": + "File /test_folder/TEST_FILE_DELETED_ALERT.txt added\nMode: scheduled\n","syscheck":{"path": + "/test_folder/TEST_FILE_DELETED_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--" + ,"uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433", + "sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe", + 
"sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root", + "gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder": + {"name":"syscheck_new_entry"},"location":"syscheck"}' diff --git a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_valid_json_alerts.yaml b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_valid_json_alerts.yaml index bc1274f968..6a85c5e0ef 100644 --- a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_valid_json_alerts.yaml +++ b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_valid_json_alerts.yaml 
@@ -4,14 +4,14 @@ API_KEY: Insert using --integration_api_key parameter metadata: alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description":"File added to the system.", - "id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added", - "syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1", - "164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{ - "id":"000","name":"padding_input"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log": - "File /test_folder/TEST_VALID_ALERT.txt added\nMode: scheduled\n","syscheck":{"path": - "/test_folder/TEST_VALID_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--" - ,"uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433", - "sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe", - "sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root", - "gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder": - {"name":"syscheck_new_entry"},"location":"syscheck"}' + "id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added", + "syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1", + "164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{ + "id":"000","name":"padding_input"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log": + "File /test_folder/TEST_VALID_ALERT.txt added\nMode: scheduled\n","syscheck":{"path": + "/test_folder/TEST_VALID_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--" + ,"uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433", + "sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe", + 
"sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root", + "gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder": + {"name":"syscheck_new_entry"},"location":"syscheck"}' From 1cc89b12bfe7c5cb756997201e663a553429b3f6 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Mon, 8 Aug 2022 13:46:33 -0300 Subject: [PATCH 41/43] style: Fix yaml indentation #3125 --- ..._integratord_read_invalid_json_alerts.yaml | 46 +++++++++---------- ...es_integratord_read_json_file_deleted.yaml | 24 +++++----- ...es_integratord_read_valid_json_alerts.yaml | 24 +++++----- 3 files changed, 47 insertions(+), 47 deletions(-) diff --git a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_invalid_json_alerts.yaml b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_invalid_json_alerts.yaml index f84efa75db..504e8f176a 100644 --- a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_invalid_json_alerts.yaml +++ b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_invalid_json_alerts.yaml 
@@ -4,17 +4,17 @@ API_KEY: Insert using --integration_api_key parameter metadata: alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000",:{"level":5,"description":"File added to the system.", - "id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added", - "syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1", - "164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{ - "id":"000","name":"padding_input"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log": - "File /test_folder/TEST_INVALID_ALERT.txt added\nMode: scheduled\n","syscheck":{"path": - "/test_folder/TEST_INVALID_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--" - ,"uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433", - "sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe", - "sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root", - "gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder": - {"name":"syscheck_new_entry"},"location":"syscheck"}' + "id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added", + "syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1", + "164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]}, + "agent":{"id":"000","name":"padding_input"},"manager":{"name":"c3"},"id":"1657551196.2754", + "full_log":"File /test_folder/TEST_INVALID_ALERT.txt added\nMode: scheduled\n","syscheck":{"path": + "/test_folder/TEST_INVALID_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--" + ,"uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433", + "sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe", + 
"sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after": + "root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"}, + "decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' alert_type: invalid - name: Read Overlong json alert 
@@ -22,16 +22,16 @@ configuration_parameters: API_KEY: Insert using --integration_api_key parameter metadata: - alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description":"File added to the system.", - "id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added", - "syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1", - "164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{ - "id":"000","name":"padding_input"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log": - "File /test_folder/TEST_INVALID_ALERT.txt added\nMode: scheduled\n","syscheck":{"path": - "/test_folder/TEST_INVALID_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--" - ,"uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433", - "sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe", - "sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root", - "gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder": - {"name":"syscheck_new_entry"},"location":"syscheck"}' + alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description": + "File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck", + "syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"], + "hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8", + "CC7.2","CC7.3"]},"agent":{"id":"000","name":"padding_input"},"manager":{"name":"c3"},"id": + "1657551196.2754","full_log":"File /test_folder/TEST_INVALID_ALERT.txt added\nMode: scheduled\n", + "syscheck":{"path":"/test_folder/TEST_INVALID_ALERT.txt","mode":"scheduled","size_after":"16", + "perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after": + 
"2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe", + "sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after": + "root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"}, + "decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' alert_type: overlong diff --git a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_file_deleted.yaml b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_file_deleted.yaml index 19f1da5979..ec2a99242e 100644 --- a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_file_deleted.yaml +++ b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_file_deleted.yaml 
@@ -3,15 +3,15 @@ configuration_parameters: API_KEY: Insert using --integration_api_key parameter metadata: - alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description":"File added to the system.", - "id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added", - "syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1", - "164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{ - "id":"000","name":"padding_input"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log": - "File /test_folder/TEST_FILE_DELETED_ALERT.txt added\nMode: scheduled\n","syscheck":{"path": - "/test_folder/TEST_FILE_DELETED_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--" - ,"uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433", - "sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe", - "sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root", - "gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder": - {"name":"syscheck_new_entry"},"location":"syscheck"}' + alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description": + "File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck", + "syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"], + "hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8", + "CC7.2","CC7.3"]},"agent":{"id":"000","name":"padding_input"},"manager":{"name":"c3"},"id": + "1657551196.2754","full_log":"File /test_folder/TEST_FILE_DELETED_ALERT.txt added\nMode: + scheduled\n","syscheck":{"path":"/test_folder/TEST_FILE_DELETED_ALERT.txt","mode":"scheduled", + 
"size_after":"16","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after": + "2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe", + "sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after": + "root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"}, + "decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' diff --git a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_valid_json_alerts.yaml b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_valid_json_alerts.yaml index 6a85c5e0ef..90ba91281c 100644 --- a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_valid_json_alerts.yaml +++ b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_valid_json_alerts.yaml 
@@ -3,15 +3,15 @@ configuration_parameters: API_KEY: Insert using --integration_api_key parameter metadata: - alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description":"File added to the system.", - "id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added", - "syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1", - "164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{ - "id":"000","name":"padding_input"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log": - "File /test_folder/TEST_VALID_ALERT.txt added\nMode: scheduled\n","syscheck":{"path": - "/test_folder/TEST_VALID_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--" - ,"uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433", - "sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe", - "sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root", - "gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder": - {"name":"syscheck_new_entry"},"location":"syscheck"}' + alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description": + "File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck", + "syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"], + "hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8", + "CC7.2","CC7.3"]},"agent":{"id":"000","name":"padding_input"},"manager":{"name":"c3"},"id": + "1657551196.2754","full_log":"File /test_folder/TEST_VALID_ALERT.txt added\nMode: scheduled\n", + "syscheck":{"path":"/test_folder/TEST_VALID_ALERT.txt","mode":"scheduled","size_after":"16", + "perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after": + 
"2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe", + "sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after": + "root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"}, + "decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' From 0ed18c35d68caf8b92fbb9ae74c25d45c1acc70c Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Mon, 8 Aug 2022 13:51:35 -0300 Subject: [PATCH 42/43] style: Fix yaml indentation and style #3125 --- .../cases_integratord_change_inode_alert.yaml | 24 +++++++++---------- ...es_integratord_read_valid_json_alerts.yaml | 22 ++++++++--------- 2 files changed, 23 insertions(+), 23 deletions(-) diff --git a/tests/integration/test_integratord/data/test_cases/cases_integratord_change_inode_alert.yaml b/tests/integration/test_integratord/data/test_cases/cases_integratord_change_inode_alert.yaml index a9158e09f5..d5716233dd 100644 --- a/tests/integration/test_integratord/data/test_cases/cases_integratord_change_inode_alert.yaml +++ b/tests/integration/test_integratord/data/test_cases/cases_integratord_change_inode_alert.yaml 
@@ -3,15 +3,15 @@ configuration_parameters: API_KEY: Insert using --integration_api_key parameter metadata: - alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description":"File added to the system.", - "id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added", - "syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1", - "164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{ - "id":"000","name":"padding_input"},"manager":{"name":"c3"},"id":"1657551196.2754","full_log": - "File /test_folder/TEST_CHANGED_INODE_ALERT.txt added\nMode: scheduled\n","syscheck":{"path": - "/test_folder/TEST_CHANGED_INODE_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--" - ,"uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433", - "sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe", - "sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after":"root", - "gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"},"decoder": - {"name":"syscheck_new_entry"},"location":"syscheck"}' + alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description": + "File added to the system.", "id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck", + "syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"], + "hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8", + "CC7.2","CC7.3"]},"agent":{"id":"000","name":"padding_input"},"manager":{"name":"c3"},"id": + "1657551196.2754","full_log":"File /test_folder/TEST_CHANGED_INODE_ALERT.txt added\nMode: + scheduled\n","syscheck":{"path":"/test_folder/TEST_CHANGED_INODE_ALERT.txt","mode":"scheduled", + 
"size_after":"16","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after": + "2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe", + "sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after": + "root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"}, + "decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' diff --git a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_valid_json_alerts.yaml b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_valid_json_alerts.yaml index 90ba91281c..af23ceb81d 100644 --- a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_valid_json_alerts.yaml +++ b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_valid_json_alerts.yaml 
@@ -4,14 +4,14 @@ API_KEY: Insert using --integration_api_key parameter metadata: alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description": - "File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck", - "syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"], - "hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8", - "CC7.2","CC7.3"]},"agent":{"id":"000","name":"padding_input"},"manager":{"name":"c3"},"id": - "1657551196.2754","full_log":"File /test_folder/TEST_VALID_ALERT.txt added\nMode: scheduled\n", - "syscheck":{"path":"/test_folder/TEST_VALID_ALERT.txt","mode":"scheduled","size_after":"16", - "perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after": - "2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe", - "sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after": - "root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"}, - "decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' + "File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck", + "syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"], + "hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8", + "CC7.2","CC7.3"]},"agent":{"id":"000","name":"padding_input"},"manager":{"name":"c3"},"id": + "1657551196.2754","full_log":"File /test_folder/TEST_VALID_ALERT.txt added\nMode: scheduled\n", + "syscheck":{"path":"/test_folder/TEST_VALID_ALERT.txt","mode":"scheduled","size_after":"16", + "perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after": + "2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe", + 
"sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after": + "root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"}, + "decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' From 9ee89bd5d5694de84fc89482771b07a36cb7fd10 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Mon, 8 Aug 2022 14:03:20 -0300 Subject: [PATCH 43/43] style: fix yaml style #3125 --- .../data/test_cases/cases_integratord_change_inode_alert.yaml | 2 +- .../test_cases/cases_integratord_read_json_file_deleted.yaml | 4 ++-- .../test_integratord_read_json_file_deleted.py | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/integration/test_integratord/data/test_cases/cases_integratord_change_inode_alert.yaml b/tests/integration/test_integratord/data/test_cases/cases_integratord_change_inode_alert.yaml index d5716233dd..e75cdfe15b 100644 --- a/tests/integration/test_integratord/data/test_cases/cases_integratord_change_inode_alert.yaml +++ b/tests/integration/test_integratord/data/test_cases/cases_integratord_change_inode_alert.yaml @@ -8,7 +8,7 @@ "syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"], "hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8", "CC7.2","CC7.3"]},"agent":{"id":"000","name":"padding_input"},"manager":{"name":"c3"},"id": - "1657551196.2754","full_log":"File /test_folder/TEST_CHANGED_INODE_ALERT.txt added\nMode: + "1657551196.2754","full_log":"File /test_folder/TEST_CHANGED_INODE_ALERT.txt added\nMode: scheduled\n","syscheck":{"path":"/test_folder/TEST_CHANGED_INODE_ALERT.txt","mode":"scheduled", "size_after":"16","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after": "2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe", 
diff --git a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_file_deleted.yaml b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_file_deleted.yaml
index ec2a99242e..c060cc12fd 100644
--- a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_file_deleted.yaml
+++ b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_file_deleted.yaml
@@ -1,5 +1,5 @@
 - name: Cannot read alerts - Json File Deleted
- description: The alerts.json file is missing and it cannot read alerts from it. If a new file is created it will read it.
+ description: The alerts.json file is missing and it cannot read alerts from it.
 configuration_parameters:
 API_KEY: Insert using --integration_api_key parameter
 metadata:
@@ -8,7 +8,7 @@
 "syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],
 "hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8",
 "CC7.2","CC7.3"]},"agent":{"id":"000","name":"padding_input"},"manager":{"name":"c3"},"id":
- "1657551196.2754","full_log":"File /test_folder/TEST_FILE_DELETED_ALERT.txt added\nMode:
+ "1657551196.2754","full_log":"File /test_folder/TEST_FILE_DELETED_ALERT.txt added\nMode:
 scheduled\n","syscheck":{"path":"/test_folder/TEST_FILE_DELETED_ALERT.txt","mode":"scheduled",
 "size_after":"16","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":
 "2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe",
diff --git a/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py b/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py
index e14acd2f22..d51bccba65 100644
--- a/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py
+++ b/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py
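Review bot: Dropping `If a new file is created it will read it.` from the description removes the only statement of the second thing this case appears to check: the test module's docstring in this same patch lists a second expected_output pattern, `r'.*wazuh-integratord.*alert_id.*\"integration\": \"virustotal\".*'`, which can only match once alerts are being read again after the deletion. If the case still exercises that recovery, keep the sentence or reword it, e.g. `description: With alerts.json deleted integratord logs an error; once a new alerts.json is created it reads alerts from it again.`; if the recovery check was removed, the second pattern in the module docstring should go with it. Which of the two is intended is not visible from this hunk.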
@@ -106,7 +106,7 @@ def test_integratord_read_json_file_deleted(configuration, metadata, set_wazuh_c
 - The `config_integratord_read_json_alerts.yaml` file provides the module configuration for this test.
 - The `cases_integratord_read_json_file_deleted` file provides the test cases.
 expected_output:
- - r'.*wazuh-integratord.*ERROR.*Could not retrieve information of file.*alerts\.json.*No such file.*'
+ - r'.*wazuh-integratord.*ERROR.*Could not retrieve information of file.*alerts.json.*No such file.*'
 - r'.*wazuh-integratord.*alert_id.*\"integration\": \"virustotal\".*'
 '''
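Review bot: Replacing `alerts\.json` with `alerts.json` in the docstring avoids the invalid `\.` escape in a non-raw triple-quoted string, but it also makes the documented pattern looser than a regex that escapes the dot, so the docstring no longer states exactly what the test matches if the callback it uses still writes `alerts\.json`. Keep the escape visible by doubling the backslash in the docstring, `- r'.*wazuh-integratord.*ERROR.*Could not retrieve information of file.*alerts\\.json.*No such file.*'` (the neighbouring `\"integration\"` line already relies on Python string escapes to render correctly), or turn the docstring into a raw string so the patterns can be pasted verbatim. The function test_integratord_read_json_file_deleted starts before this hunk and the pattern the test actually passes to its callback is not visible here.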