From 7dc2c0853b00264d26df560580fded5196a87be3 Mon Sep 17 00:00:00 2001 From: Julia Date: Tue, 24 May 2022 16:48:20 +0200 Subject: [PATCH 001/552] add: New end to end test for audit test case --- requirements.txt | 1 + .../general_playbooks/get_alerts.yml | 8 +++++++ .../test_audit/playbooks/configuration.yml | 22 +++++++++++++++++++ .../test_audit/playbooks/generate_events.yml | 5 +++++ tests/end_to_end/test_audit/test_audit.py | 6 +++++ 5 files changed, 42 insertions(+) create mode 100644 tests/end_to_end/general_playbooks/get_alerts.yml create mode 100644 tests/end_to_end/test_audit/playbooks/configuration.yml create mode 100644 tests/end_to_end/test_audit/playbooks/generate_events.yml create mode 100644 tests/end_to_end/test_audit/test_audit.py diff --git a/requirements.txt b/requirements.txt index 919553663c..a93c4d53a6 100644 --- a/requirements.txt +++ b/requirements.txt @@ -45,3 +45,4 @@ wmi>=1.5.1; platform_system=='Windows' deepdiff==5.6.0; platform_system == "Linux" or platform_system=='Windows' libcst==0.3.23 ; python_version <= '3.6' treelib==1.6.1 +pytest-ansible-playbook diff --git a/tests/end_to_end/general_playbooks/get_alerts.yml b/tests/end_to_end/general_playbooks/get_alerts.yml new file mode 100644 index 0000000000..febc63fb94 --- /dev/null +++ b/tests/end_to_end/general_playbooks/get_alerts.yml @@ -0,0 +1,8 @@ +- name: Get alerts + hosts: wazuh-manager + tasks: + - name: Get alerts.json + fetch: + src: /var/ossec/logs/alerts/alerts.json + dest: /home/juliamagan/Desktop/QA/2893/ + become: True diff --git a/tests/end_to_end/test_audit/playbooks/configuration.yml b/tests/end_to_end/test_audit/playbooks/configuration.yml new file mode 100644 index 0000000000..70b502d299 --- /dev/null +++ b/tests/end_to_end/test_audit/playbooks/configuration.yml 
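Review bot: `pytest-ansible-playbook` is added without a version while every neighbouring line in this block is an exact pin (`deepdiff==5.6.0`, `libcst==0.3.23`, `treelib==1.6.1`), so each fresh install resolves whatever the index serves that day and a new release of the plugin can change how the `ansible_playbook` fixture behaves under CI. Pin it in the same form as the rest of the file, `pytest-ansible-playbook==<version the tests were validated with>`. The identical hunk (same `index 919553663c..a93c4d53a6`) reappears as patch 008, so whichever of the two lands second is either a no-op or a conflict; the line only needs adding once.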
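Review bot: `dest: /home/juliamagan/Desktop/QA/2893/` is a personal path on the author's workstation, so this play can only succeed there; on any other controller the fetch fails or drops the manager's alert log into a directory it has no business creating. Use a location derived from the run rather than a home directory, e.g. `dest: "{{ lookup('env', 'E2E_ARTIFACTS_DIR') | default('/tmp', true) }}/"`, and keep in mind that with `become: True` the file is read as root on the manager, so wherever it lands on the controller should not be world-readable. Patch 003 in this series moves it to `/tmp/`, which removes the author-specific path but not the second concern.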
@@ -0,0 +1,22 @@ +--- +- name: Test case configuration + hosts: wazuh-manager + tasks: + - name: Get euid + shell: echo $EUID + register: euid + - debug: + var: euid.stdout + - name: Create wazuh audit rules file + become: True + copy: + dest: /etc/audit/rules.d/wazuh.rules + content: | + -a exit,always -F euid={{euid.stdout}} -F arch=b32 -S execve -k audit-wazuh-c + -a exit,always -F euid={{euid.stdout}} -F arch=b64 -S execve -k audit-wazuh-c + - name: Delete previous audit rules + become: True + shell: auditctl -D + - name: Load audit rules + become: True + shell: auditctl -R /etc/audit/rules.d/wazuh.rules diff --git a/tests/end_to_end/test_audit/playbooks/generate_events.yml b/tests/end_to_end/test_audit/playbooks/generate_events.yml new file mode 100644 index 0000000000..c136fb8775 --- /dev/null +++ b/tests/end_to_end/test_audit/playbooks/generate_events.yml @@ -0,0 +1,5 @@ +- name: Generate events + hosts: wazuh-manager + tasks: + - name: Ping google + shell: ping -c 1 www.google.com diff --git a/tests/end_to_end/test_audit/test_audit.py b/tests/end_to_end/test_audit/test_audit.py new file mode 100644 index 0000000000..97f2a7f97b --- /dev/null +++ b/tests/end_to_end/test_audit/test_audit.py @@ -0,0 +1,6 @@ +import pytest + + +@pytest.mark.ansible_playbook_setup('configuration.yml', 'generate_events.yml', 'get_alerts.yml') +def test_bar(ansible_playbook): + assert 1 == 1 From 6b5e216076fa1e011bbcdad052e477e07f262fac Mon Sep 17 00:00:00 2001 From: Julia Date: Tue, 24 May 2022 18:23:06 +0200 Subject: [PATCH 002/552] fix: Store `alerts.json` in the specified path --- tests/end_to_end/general_playbooks/get_alerts.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/end_to_end/general_playbooks/get_alerts.yml b/tests/end_to_end/general_playbooks/get_alerts.yml index febc63fb94..109854301a 100644 --- a/tests/end_to_end/general_playbooks/get_alerts.yml +++ b/tests/end_to_end/general_playbooks/get_alerts.yml 
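Review bot: `auditctl -D` wipes every audit rule loaded on the manager, not just an earlier copy of `wazuh.rules`, and nothing in the play restores them, so running this test on a host that already carries audit rules silently removes that monitoring; since the rules are written to `/etc/audit/rules.d/wazuh.rules` anyway, the two `auditctl` tasks can become one `shell: augenrules --load`, which rebuilds the loaded set from every file in `rules.d` rather than from this one alone. `$EUID` is a bash variable and the `shell` module runs `/bin/sh`; on hosts where that is dash (Debian/Ubuntu) it expands to nothing and the rule becomes `-F euid=`, so `command: id -u` is the portable way to register the uid. The task runs without `become`, keying the rule to the connection user rather than root, which is what the unprivileged ping in the next play needs; a comment such as `# uid of the connection user: the events generated later run unprivileged` would make that intent explicit.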
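Review bot: `ping -c 1 www.google.com` makes the test depend on outbound DNS and ICMP from the manager; in an isolated lab the task fails (or, with no deadline, hangs in name resolution) before any alert exists, and the failure surfaces as a playbook error rather than a test result. If an external target is intentional, at least bound it, `shell: ping -c 1 -W 2 www.google.com`, and state the requirement in the test module; otherwise target a host the lab controls. The test in the same commit asserts `1 == 1`, so at this point nothing checks that the fetched `alerts.json` contains the audit alert.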
@@ -5,4 +5,5 @@ fetch: src: /var/ossec/logs/alerts/alerts.json dest: /home/juliamagan/Desktop/QA/2893/ + flat: yes become: True From 7eaa0e6b33df8e1780ce7e5002498e3a360785f3 Mon Sep 17 00:00:00 2001 From: Julia Date: Wed, 25 May 2022 16:10:50 +0200 Subject: [PATCH 003/552] fix: Move playbooks to same path --- tests/end_to_end/general_playbooks/get_alerts.yml | 9 --------- .../test_audit/playbooks/generate_events.yml | 15 +++++++++++++++ 2 files changed, 15 insertions(+), 9 deletions(-) delete mode 100644 tests/end_to_end/general_playbooks/get_alerts.yml diff --git a/tests/end_to_end/general_playbooks/get_alerts.yml b/tests/end_to_end/general_playbooks/get_alerts.yml deleted file mode 100644 index 109854301a..0000000000 --- a/tests/end_to_end/general_playbooks/get_alerts.yml +++ /dev/null @@ -1,9 +0,0 @@ -- name: Get alerts - hosts: wazuh-manager - tasks: - - name: Get alerts.json - fetch: - src: /var/ossec/logs/alerts/alerts.json - dest: /home/juliamagan/Desktop/QA/2893/ - flat: yes - become: True diff --git a/tests/end_to_end/test_audit/playbooks/generate_events.yml b/tests/end_to_end/test_audit/playbooks/generate_events.yml index c136fb8775..1fe59138a4 100644 --- a/tests/end_to_end/test_audit/playbooks/generate_events.yml +++ b/tests/end_to_end/test_audit/playbooks/generate_events.yml @@ -1,5 +1,20 @@ +- name: Clean alerts.json + hosts: wazuh-manager + tasks: + - name: Truncate file + shell: echo "" > /var/ossec/logs/alerts/alerts.json + become: True - name: Generate events hosts: wazuh-manager tasks: - name: Ping google shell: ping -c 1 www.google.com +- name: Get alerts + hosts: wazuh-manager + tasks: + - name: Get alerts.json + fetch: + src: /var/ossec/logs/alerts/alerts.json + dest: /tmp/ + flat: yes + become: True From e871433366d271750b9b1d562b96baaa210c5fd5 Mon Sep 17 00:00:00 2001 
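Review bot: `echo "" > /var/ossec/logs/alerts/alerts.json` as root discards every alert the manager recorded before the test and leaves a lone newline rather than an empty file; on a shared or long-lived lab manager that is the only copy of those alerts. If the monitor needs a clean file, preserve the old one first, `shell: cp -a /var/ossec/logs/alerts/alerts.json /var/ossec/logs/alerts/alerts.json.pre-e2e && truncate -s 0 /var/ossec/logs/alerts/alerts.json`, or skip the truncation entirely if `FileMonitor` can start from the current end of file (I can't tell that from here). The fetched copy then lands in `/tmp/` on the controller, readable by every local user, so a private per-run directory would be the safer destination.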
From: Julia Date: Wed, 25 May 2022 16:12:08 +0200 Subject: [PATCH 004/552] add: Create common library for events --- .../wazuh_testing/event_monitor.py | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 deps/wazuh_testing/wazuh_testing/event_monitor.py diff --git a/deps/wazuh_testing/wazuh_testing/event_monitor.py b/deps/wazuh_testing/wazuh_testing/event_monitor.py new file mode 100644 index 0000000000..5bc4a56839 --- /dev/null +++ b/deps/wazuh_testing/wazuh_testing/event_monitor.py 
@@ -0,0 +1,39 @@
+import re
+
+from wazuh_testing.tools.monitoring import FileMonitor
+
+
+def make_callback(pattern, prefix=''):
+ """Create a callback function from a text pattern.
+ Args:
+ pattern (str): String to match on the log.
+ prefix (str): regular expression used as prefix before the pattern.
+ Returns:
+ lambda: function that returns if there's a match in the file
+ """
+ pattern = r'\s+'.join(pattern.split())
+ regex = re.compile(r'{}{}'.format(prefix, pattern))
+
+ return lambda line: regex.match(line)
+
+
+def check_event(file_monitor=None, callback='', error_message=None, update_position=True, timeout=20,
+ accum_results=1, file_to_monitor=None):
+ """Check if an API event occurs
+ Args:
+ file_monitor (FileMonitor): FileMonitor object to monitor the file content.
+ callback (str): log regex to check in the file
+ error_message (str): error message to show in case of expected event does not occur
+ update_position (boolean): filter configuration parameter to search in the file
+ timeout (str): timeout to check the event in the file
+ prefix (str): log pattern regex
+ accum_results (int): Accumulation of matches.
+ """
+ file_monitor = FileMonitor(file_to_monitor) if file_monitor is None else file_monitor
+ error_message = f"Could not find this event in {file_to_monitor}: {callback}" if error_message is None else \
+ error_message
+
+ result = file_monitor.start(timeout=timeout, update_position=update_position, accum_results=accum_results,
+ callback=make_callback(callback), error_message=error_message)
+
+ return result
From 514997974ab7da595710064123478d964e48e520 Mon Sep 17 00:00:00 2001
From: Julia
Date: Wed, 25 May 2022 16:12:36 +0200
Subject: [PATCH 005/552] add: Create conftest for E2E tests
---
 tests/end_to_end/test_audit/conftest.py | 34 +++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 tests/end_to_end/test_audit/conftest.py
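Review bot: `check_event`'s docstring documents a `prefix` parameter the function does not accept and types `timeout` as `str` although the default is the int `20`; the `update_position` description ("filter configuration parameter") is opaque, since the value is simply forwarded to `FileMonitor.start`. Drop the `prefix` line, write `timeout (int): seconds to wait for the event` and add `file_to_monitor (str): path to open when file_monitor is not given`. With both `file_monitor` and `file_to_monitor` left at their defaults the function builds `FileMonitor(None)`, and when a ready `file_monitor` is passed the default message reads `Could not find this event in None`; a guard `if file_monitor is None and file_to_monitor is None: raise ValueError('file_monitor or file_to_monitor is required')` makes the misuse visible. `make_callback` collapses runs of whitespace in `pattern` into `\s+` and then treats the result as a regex, which the audit test relies on; a one-line comment saying so would save the next reader a detour.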
diff --git a/tests/end_to_end/test_audit/conftest.py b/tests/end_to_end/test_audit/conftest.py
new file mode 100644
index 0000000000..88fdd20e4a
--- /dev/null
+++ b/tests/end_to_end/test_audit/conftest.py
@@ -0,0 +1,34 @@
+import os
+import pytest
+from wazuh_testing.tools.file import remove_file, get_file_lines
+
+alerts_json = os.path.join('/tmp', 'alerts.json')
+credentials_file = os.path.join('/tmp', 'passwords.wazuh')
+
+
+@pytest.fixture(scope='function')
+def clean_environment():
+
+ yield
+
+ remove_file(alerts_json)
+ remove_file(credentials_file)
+
+
+@pytest.fixture(scope='function')
+def get_dashboard_credentials():
+
+ password = ''
+ user = ''
+
+ for line in get_file_lines(credentials_file):
+ if 'username: admin' in line:
+ user = 'admin'
+
+ if 'password: ' in line and user == 'admin':
+ password_line = line
+ password = password_line.split()[1]
+
+ dashboard_credentials = [user, password]
+
+ yield dashboard_credentials
From 6c14bde91c4e935aabad8b55f534ed39b5a72fd8 Mon Sep 17 00:00:00 2001
From: Julia
Date: Wed, 25 May 2022 16:13:09 +0200
Subject: [PATCH 006/552] add: Create playbook for credentials
---
 .../test_audit/playbooks/credentials.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 tests/end_to_end/test_audit/playbooks/credentials.yml
diff --git a/tests/end_to_end/test_audit/playbooks/credentials.yml b/tests/end_to_end/test_audit/playbooks/credentials.yml
new file mode 100644
index 0000000000..12703fc831
--- /dev/null
+++ b/tests/end_to_end/test_audit/playbooks/credentials.yml
@@ -0,0 +1,16 @@
+---
+- name: Get credentials
+ hosts: wazuh-manager
+ tasks:
+ - name: Unzip wazuh install files
+ unarchive:
+ src: /home/vagrant/wazuh-install-files.tar
+ dest: /home/vagrant
+ remote_src: yes
+ become: True
+ - name: Get passwords file
+ fetch:
+ src: /home/vagrant/wazuh-install-files/passwords.wazuh
+ dest: /tmp/
+ flat: yes
+ become: True
From 0abbf465519d2ae2cd0c1197f85b7323055d6e1f Mon Sep 17 00:00:00 2001
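Review bot: In `get_dashboard_credentials` the `user` flag is never reset, so after the `username: admin` line every later `password:` line overwrites `password`; if `passwords.wazuh` lists more than one account (the docker-monitoring conftest later in this series parses the same file the same way), the fixture yields the last password in the file rather than admin's. Stop at the first match: add `break` after `password = password_line.split()[1]`. `split()[1]` will also keep any quotes around the value, which I can't confirm either way without the file format in front of me. Note that the credentials file sits in `/tmp` on the controller and is only removed by `clean_environment`, which a test has to opt into; a test requesting only `get_dashboard_credentials` leaves it behind.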
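Review bot: The `unarchive` task extracts the whole `wazuh-install-files.tar` as root into `/home/vagrant` and nothing removes it afterwards; that bundle is the installer's secrets archive, which alongside `passwords.wazuh` normally holds the node certificates and keys (going by the installer's usual layout, not by anything in this hunk), so the play leaves them root-owned in an unprivileged user's home on the manager. Extract only the file you need and clean up afterwards, as below; the fetch then copies the passwords to `/tmp/` on the controller, where a per-run private directory would be preferable. `include` on `unarchive` needs a reasonably recent Ansible; if the version in use lacks it, an explicit `tar -xf ... wazuh-install-files/passwords.wazuh` does the same job.
```yaml
    - name: Extract only the passwords file from the install bundle
      unarchive:
        src: /home/vagrant/wazuh-install-files.tar
        dest: /home/vagrant
        remote_src: yes
        include:
          - wazuh-install-files/passwords.wazuh
      become: True
    # … unchanged: fetch task …
    - name: Remove the extracted bundle from the manager
      file:
        path: /home/vagrant/wazuh-install-files
        state: absent
      become: True
```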
From: Julia Date: Wed, 25 May 2022 16:14:55 +0200 Subject: [PATCH 007/552] add: Add audit test --- tests/end_to_end/test_audit/test_audit.py | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/tests/end_to_end/test_audit/test_audit.py b/tests/end_to_end/test_audit/test_audit.py index 97f2a7f97b..4a2df42aa3 100644 --- a/tests/end_to_end/test_audit/test_audit.py +++ b/tests/end_to_end/test_audit/test_audit.py @@ -1,6 +1,16 @@ import pytest +import os +from wazuh_testing.event_monitor import check_event -@pytest.mark.ansible_playbook_setup('configuration.yml', 'generate_events.yml', 'get_alerts.yml') -def test_bar(ansible_playbook): - assert 1 == 1 +alerts_json = os.path.join('/tmp', 'alerts.json') + + +@pytest.mark.ansible_playbook_setup('credentials.yml', 'configuration.yml', 'generate_events.yml') +def test_audit(ansible_playbook, get_dashboard_credentials, clean_environment): + + expected_alert = r'\{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{"level"\:3,"description"\:"Audit\: '\ + r'Command\: \/usr\/bin\/ping\.","id"\:"80792","firedtimes"\:(\d+).*euid=1000.*' \ + r'a3=\\"www\.google\.com\\".*\}' + + check_event(callback=expected_alert, file_to_monitor=alerts_json) From f1aea1a3062c9084eaaadf9f48c476ec45693c46 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Mon, 30 May 2022 13:41:17 -0300 Subject: [PATCH 008/552] add: cherry-pick new requirement. Co-authored-by: Julia Magan --- requirements.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/requirements.txt b/requirements.txt index 919553663c..a93c4d53a6 100644 --- a/requirements.txt +++ b/requirements.txt @@ -45,3 +45,4 @@ wmi>=1.5.1; platform_system=='Windows' deepdiff==5.6.0; platform_system == "Linux" or platform_system=='Windows' libcst==0.3.23 ; python_version <= '3.6' treelib==1.6.1 +pytest-ansible-playbook From dd3d710a479c43e3284d94cad431a85648b15107 Mon Sep 17 00:00:00 2001 
From: Mauro Malara Date: Mon, 30 May 2022 13:45:50 -0300 Subject: [PATCH 009/552] add: cherry-pick docker monitoring test. --- .../playbooks/configuration.yaml | 55 +++++++++++++++++++ .../playbooks/generate_alerts.yaml | 19 +++++++ .../test_docker_monitoring.py | 6 ++ 3 files changed, 80 insertions(+) create mode 100644 tests/end_to_end/test_docker_monitoring/playbooks/configuration.yaml create mode 100644 tests/end_to_end/test_docker_monitoring/playbooks/generate_alerts.yaml create mode 100644 tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py diff --git a/tests/end_to_end/test_docker_monitoring/playbooks/configuration.yaml b/tests/end_to_end/test_docker_monitoring/playbooks/configuration.yaml new file mode 100644 index 0000000000..e9f64b566f --- /dev/null +++ b/tests/end_to_end/test_docker_monitoring/playbooks/configuration.yaml 
@@ -0,0 +1,55 @@ +--- +- name: Test case configuration + hosts: wazuh-manager + tasks: + - name: Uninstall old versions of Docker (CentOS) + become: True + shell: > + yum -y remove docker + docker-client + docker-client-latest + docker-common + docker-latest + docker-latest-logrotate + docker-logrotate + docker-engine + docker-ce + docker-ce-cli + containerd.io + docker-compose-plugin + when: ansible_facts['distribution'] == "CentOS" + + - name: Uninstall old versions of Docker (Ubuntu) + become: True + shell: > + apt-get -y remove docker + docker-engine + docker.io + containerd + runc && apt-get -y purge docker-ce + docker-ce-cli + containerd.io + docker-compose-plugin + when: ansible_facts['distribution'] == "Ubuntu" + + - name: Install Docker using the convenience script + become: True + shell: curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh + + - name: Configure the docker-listener module + become: True + blockinfile: + path: /var/ossec/etc/ossec.conf + insertbefore: "^" + block: | + + 10m + 5 + yes + no + + marker: "" + + - name: Restart wazuh-manager + become: True + shell: systemctl restart wazuh-manager diff --git a/tests/end_to_end/test_docker_monitoring/playbooks/generate_alerts.yaml b/tests/end_to_end/test_docker_monitoring/playbooks/generate_alerts.yaml new file mode 100644 index 0000000000..e3a790cb9d --- /dev/null +++ b/tests/end_to_end/test_docker_monitoring/playbooks/generate_alerts.yaml 
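Review bot: `curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh` downloads an unpinned script and runs it as root on the manager on every test run, with no checksum or signature check and the script left in the connection user's working directory, right after `yum remove`/`apt-get purge` has torn out whatever Docker the host already had. Prefer the distribution's packages through the `package` module with a pinned version; if the convenience script must stay, fetch it with `get_url` and a recorded digest, `checksum: "sha256:<digest of the reviewed script>"`, and run that copy from `/tmp`. The `blockinfile` block as rendered here shows bare values (`10m`, `5`, `yes`, `no`) with no enclosing elements, `insertbefore: "^"` and an empty `marker`; if that is what the file really contains and not an artefact of this page, the block is not valid `ossec.conf` and each re-run will insert it again, so please double-check the source.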
@@ -0,0 +1,19 @@ +--- +- name: Generate alerts in the manager + hosts: wazuh-manager + tasks: + - name: Run 'docker pull nginx' + become: True + shell: docker pull nginx + + - name: Run 'docker run -d -P --name nginx_container nginx' + become: True + shell: docker run -d -P --name nginx_container nginx + + - name: Run 'docker exec -d nginx_container /bin/bash' + become: True + shell: docker exec -d nginx_container /bin/bash + + - name: Run 'docker stop `docker ps -a -q` && docker rm `docker ps -a -q`' + become: True + shell: docker stop `docker ps -a -q` && docker rm `docker ps -a -q` diff --git a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py new file mode 100644 index 0000000000..a9b2f9bb50 --- /dev/null +++ b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py @@ -0,0 +1,6 @@ +import pytest + + +@pytest.mark.ansible_playbook_setup('configuration.yaml', 'generate_alerts.yaml') +def test_docker_monitoring(ansible_playbook): + assert 1 == 1 From 394ef19a4850085929375fa77f1e153ce1996230 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Tue, 24 May 2022 14:51:55 -0300 Subject: [PATCH 010/552] added test to detect ssh brute force attack --- tests/e2e/test_brute_force/data/config.yml | 16 ++++ .../e2e/test_brute_force/test_brute_force.py | 86 +++++++++++++++++++ 2 files changed, 102 insertions(+) create mode 100644 tests/e2e/test_brute_force/data/config.yml create mode 100644 tests/e2e/test_brute_force/test_brute_force.py diff --git a/tests/e2e/test_brute_force/data/config.yml b/tests/e2e/test_brute_force/data/config.yml new file mode 100644 index 0000000000..08fa4a2003 --- /dev/null +++ b/tests/e2e/test_brute_force/data/config.yml 
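Review bot: The final task's `docker stop`/`docker rm` over `docker ps -a -q` stops and removes every container on the manager, not only the `nginx_container` this play created, so on a shared lab host the cleanup takes down anything else that happened to be running. Scope it to the test's own container: `shell: docker rm -f nginx_container`. `docker exec -d nginx_container /bin/bash` starts a detached shell that exits at once, which is fine for producing an exec event but deserves a comment, e.g. `# a short-lived exec is enough to trigger the docker-listener exec alert`.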
@@ -0,0 +1,16 @@ +--- +wazuh-agent-linux: + - ip: "192.168.0.6" + - hostname: "centos-agent" + - rule_id: "5712" + +wazuh-agent-windows: + - ip: "192.168.0.7" + - hostname: "windows" + - rule_id: "60204" + +wazuh-manager-indexer: +- ip: "192.168.0.5" +- hostname: "centos-manager-kibana" +- username_indexer: "wazuh" +- password_ indexer: "Y6f1YvUNAH1DpxjRg162WKO6yfV496W1" diff --git a/tests/e2e/test_brute_force/test_brute_force.py b/tests/e2e/test_brute_force/test_brute_force.py new file mode 100644 index 0000000000..5b8048d500 --- /dev/null +++ b/tests/e2e/test_brute_force/test_brute_force.py 
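Review bot: A working indexer password (`Y6f1YvUNAH1DpxjRg162WKO6yfV496W1`) and the lab's addresses are committed in a data file; once this is pushed the credential is in repository history regardless of later edits and has to be rotated. Keep the secret out of the file and have the test read it from the environment, e.g. `indexer_password = os.environ['WAZUH_INDEXER_PASSWORD']` in `test_brute_force.py`, or reuse the `passwords.wazuh` fetch the other E2E tests already perform. The key `password_ indexer` carries a stray space, and the list-of-single-key-maps layout forces the test to address values by position (`[3]['password_ indexer']`); a plain mapping (`ip:`, `hostname:`, `rule_id:` under each host) would let it use names.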
@@ -0,0 +1,86 @@ +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + Created by Wazuh, Inc. . + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 +type: e2e +brief: Wazuh includes a registration process that provides the user with an automated mechanism to enroll agents with + minimal configuration steps. To register an agent using the enrollment method, a manager with a valid IP needs + to be configured first. The agent then checks for the registration key in the client.keys file, and when the file + is empty, it automatically requests the key from the configured manager the agent is reporting to. + +''' + +import paramiko +import pytest +from opensearchpy import OpenSearch +import yaml + + +@pytest.fixture +def configurations(): + yaml_file_path = 'data/config.yml' + with open(yaml_file_path) as stream: + configurations = yaml.safe_load(stream) + return configurations + + +def test_brute_force(configurations): + """ + Test to detect a SSH Brute Force attack + """ + ip_agent = configurations['wazuh-agent-linux'][0]['ip'] + agent_hostname = configurations['wazuh-agent-linux'][1]['hostname'] + rule_id = configurations['wazuh-agent-linux'][2]['rule_id'] + indexer_ip = configurations['wazuh-manager-indexer'][0]['ip'] + indexer_user = configurations['wazuh-manager-indexer'][2]['username_indexer'] + indexer_password = configurations['wazuh-manager-indexer'][3]['password_ indexer'] + + ssh = paramiko.SSHClient() + + for i in range(8): + ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy) + try: + ssh.connect(hostname= ip_agent, username='test_user', password="test") + except paramiko.AuthenticationException: + print("Next connection") + + open_search_alerts = _get_opensearch_alert(indexer_ip, rule_id, indexer_user, indexer_password) + _asserts(open_search_alerts, agent_hostname) + + +def _get_opensearch_alert(indexer_ip, rule_id, username, password): + auth = (username, password) + host = indexer_ip + port = '9200' + 
index_name = 'wazuh-alerts-4.x-*' + rule_id = rule_id + query = '{"query": {"bool": {"must": [{"term": {"rule.id": "' + rule_id + '"}}]}}, "size": 1, "sort": [{"timestamp": {"order": "desc"}}]}' + + client = OpenSearch( + hosts= [{'host': host, 'port': port}], + http_auth = auth, + use_ssl = True, + verify_certs = False, + timeout = 30, + max_retries = 10, + retry_on_timeout = True + + ) + + response = client.search( + body = query, + index= index_name + ) + + return response + + +def _asserts(response, agent_hostname): + agent = response['hits']['hits'][0]['_source']['agent']['name'] + description = response['hits']['hits'][0]['_source']['rule']['description'] + rule_id = response['hits']['hits'][0]['_source']['rule']['id'] + mitre_technique = response['hits']['hits'][0]['_source']['rule']['mitre']['technique'][0] + assert description == 'sshd: brute force trying to get access to the system.', 'Invalid description' + assert rule_id == '5712', 'Invalid rule id' + assert mitre_technique == 'Brute Force', 'Invalid mitre technique' + assert agent == agent_hostname, 'Invalid agent' From 2788fad1ea377664672d811d0c84e14274fa7cf0 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Tue, 24 May 2022 15:38:21 -0300 Subject: [PATCH 011/552] added timestamp validation --- tests/e2e/test_brute_force/test_brute_force.py | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/tests/e2e/test_brute_force/test_brute_force.py b/tests/e2e/test_brute_force/test_brute_force.py index 5b8048d500..57d668f71e 100644 --- a/tests/e2e/test_brute_force/test_brute_force.py +++ b/tests/e2e/test_brute_force/test_brute_force.py @@ -14,6 +14,8 @@ import pytest from opensearchpy import OpenSearch import yaml +import datetime +import time @pytest.fixture 
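Review bot: `verify_certs=False` turns off TLS validation for the indexer connection, and that same connection carries the indexer credentials as basic auth (`http_auth`), so anything able to sit on the lab network between controller and indexer can read them; pass the deployment's CA instead, `verify_certs=True, ca_certs=<path to the root CA from wazuh-install-files>`. `_asserts` indexes `response['hits']['hits'][0]` unconditionally, so "no alert was indexed" surfaces as an `IndexError` rather than a failed assertion; guard it with `assert response['hits']['hits'], 'No alert with rule.id 5712 was indexed'`. `paramiko.AutoAddPolicy` accepts any host key, which is tolerable for a throwaway lab agent but should be said in a comment, and the module docstring's `brief:` describes agent enrollment rather than this test — it reads as pasted from another module and should describe the brute-force scenario.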
@@ -35,6 +37,10 @@ def test_brute_force(configurations): indexer_user = configurations['wazuh-manager-indexer'][2]['username_indexer'] indexer_password = configurations['wazuh-manager-indexer'][3]['password_ indexer'] + current_time = datetime.datetime.utcnow() + timestamp = current_time.timestamp() + timestamp_formatted = time.strftime('%Y-%m-%dT%H:%M:%S.%3M+0000', time.localtime(timestamp)) + ssh = paramiko.SSHClient() for i in range(8): @@ -45,10 +51,13 @@ def test_brute_force(configurations): print("Next connection") open_search_alerts = _get_opensearch_alert(indexer_ip, rule_id, indexer_user, indexer_password) - _asserts(open_search_alerts, agent_hostname) + _asserts(open_search_alerts, agent_hostname, timestamp_formatted) def _get_opensearch_alert(indexer_ip, rule_id, username, password): + """ + Get alert generated in opensearch + """ auth = (username, password) host = indexer_ip port = '9200' @@ -75,11 +84,13 @@ def _get_opensearch_alert(indexer_ip, rule_id, username, password): return response -def _asserts(response, agent_hostname): +def _asserts(response, agent_hostname, timestamp_test): agent = response['hits']['hits'][0]['_source']['agent']['name'] description = response['hits']['hits'][0]['_source']['rule']['description'] rule_id = response['hits']['hits'][0]['_source']['rule']['id'] mitre_technique = response['hits']['hits'][0]['_source']['rule']['mitre']['technique'][0] + timestamp = response['hits']['hits'][0]['_source']['timestamp'] + assert timestamp >= timestamp_test , 'Alert not generated' assert description == 'sshd: brute force trying to get access to the system.', 'Invalid description' assert rule_id == '5712', 'Invalid rule id' assert mitre_technique == 'Brute Force', 'Invalid mitre technique' From efb27383f61df80350ccb33d39fd89581e69af55 Mon Sep 17 00:00:00 2001 
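Review bot: `time.strftime('%Y-%m-%dT%H:%M:%S.%3M+0000', time.localtime(timestamp))` is not the UTC timestamp it is labelled as: `%3M` is not a strftime conversion (I'd expect the C library to emit a literal `3` followed by the minutes, not milliseconds), `time.localtime` formats the controller's local time, and the result is then stamped `+0000` and compared as a string against the alert's UTC `timestamp`; on any controller outside UTC the `timestamp >= timestamp_test` check is off by the local offset, and `datetime.utcnow().timestamp()` compounds it by treating a naive UTC value as local. One aware call does what was intended: `timestamp_formatted = datetime.datetime.now(datetime.timezone.utc).strftime('%Y-%m-%dT%H:%M:%S.%f')[:-3] + '+0000'`. The assertion still compares strings lexicographically, which only holds while both sides keep exactly this layout.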
From: Belen Valdivia Date: Wed, 1 Jun 2022 09:22:12 -0300 Subject: [PATCH 012/552] added playbook to generate events --- .../playbooks/generate_events.yml | 23 +++++++++++++ .../e2e/test_brute_force/test_brute_force.py | 32 ++++--------------- 2 files changed, 30 insertions(+), 25 deletions(-) create mode 100644 tests/e2e/test_brute_force/playbooks/generate_events.yml diff --git a/tests/e2e/test_brute_force/playbooks/generate_events.yml b/tests/e2e/test_brute_force/playbooks/generate_events.yml new file mode 100644 index 0000000000..0c761d630e --- /dev/null +++ b/tests/e2e/test_brute_force/playbooks/generate_events.yml @@ -0,0 +1,23 @@ +--- + - name: Generate events + hosts: localhost + ignore_errors: True + tasks: + - name: ssh connection + expect: + command: ssh {{item}}@wazuh-agent + timeout: 5 + responses: + "Password": "1" + loop: + - test_user + - test_user + - test_user + - test_user + - test_user + - test_user + - test_user + - test_user + - name: wait for alert + pause: + seconds: 5 diff --git a/tests/e2e/test_brute_force/test_brute_force.py b/tests/e2e/test_brute_force/test_brute_force.py index 57d668f71e..3f1eb7c4e8 100644 --- a/tests/e2e/test_brute_force/test_brute_force.py +++ b/tests/e2e/test_brute_force/test_brute_force.py 
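Review bot: Each `expect` attempt answers only a prompt containing `Password`; when the controller has no host key for `wazuh-agent`, the first thing `ssh` prints is the "Are you sure you want to continue connecting" question, which never matches, so every iteration just waits out its 5 s `timeout` and no failed login reaches the agent — and with `ignore_errors: True` on the play the test proceeds anyway and asserts on whatever alert is newest. Make each attempt exactly one failed password login and fail loudly when it can't: `command: ssh -o StrictHostKeyChecking=accept-new -o PreferredAuthentications=password -o NumberOfPasswordPrompts=1 {{ item }}@wazuh-agent` (OpenSSH 7.6+ for `accept-new`), and replace the play-level `ignore_errors` with `failed_when: false` on the ssh task only. The eight-item literal loop can be `loop: "{{ ['test_user'] * 8 }}"`.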
@@ -10,48 +10,33 @@ ''' -import paramiko +import os import pytest from opensearchpy import OpenSearch import yaml -import datetime -import time @pytest.fixture def configurations(): - yaml_file_path = 'data/config.yml' + yaml_file_path = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'data/config.yml') with open(yaml_file_path) as stream: configurations = yaml.safe_load(stream) return configurations -def test_brute_force(configurations): +@pytest.mark.ansible_playbook_setup('generate_events.yml') +def test_brute_force(configurations, ansible_playbook): """ Test to detect a SSH Brute Force attack """ - ip_agent = configurations['wazuh-agent-linux'][0]['ip'] agent_hostname = configurations['wazuh-agent-linux'][1]['hostname'] rule_id = configurations['wazuh-agent-linux'][2]['rule_id'] indexer_ip = configurations['wazuh-manager-indexer'][0]['ip'] indexer_user = configurations['wazuh-manager-indexer'][2]['username_indexer'] indexer_password = configurations['wazuh-manager-indexer'][3]['password_ indexer'] - current_time = datetime.datetime.utcnow() - timestamp = current_time.timestamp() - timestamp_formatted = time.strftime('%Y-%m-%dT%H:%M:%S.%3M+0000', time.localtime(timestamp)) - - ssh = paramiko.SSHClient() - - for i in range(8): - ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy) - try: - ssh.connect(hostname= ip_agent, username='test_user', password="test") - except paramiko.AuthenticationException: - print("Next connection") - open_search_alerts = _get_opensearch_alert(indexer_ip, rule_id, indexer_user, indexer_password) - _asserts(open_search_alerts, agent_hostname, timestamp_formatted) + _asserts(open_search_alerts, agent_hostname) def _get_opensearch_alert(indexer_ip, rule_id, username, password): 
@@ -63,7 +48,7 @@ def _get_opensearch_alert(indexer_ip, rule_id, username, password): port = '9200' index_name = 'wazuh-alerts-4.x-*' rule_id = rule_id - query = '{"query": {"bool": {"must": [{"term": {"rule.id": "' + rule_id + '"}}]}}, "size": 1, "sort": [{"timestamp": {"order": "desc"}}]}' + query = '{"query": {"bool": {"must": []}}, "size": 1, "sort": [{"timestamp": {"order": "desc"}}]}' client = OpenSearch( hosts= [{'host': host, 'port': port}], @@ -73,7 +58,6 @@ def _get_opensearch_alert(indexer_ip, rule_id, username, password): timeout = 30, max_retries = 10, retry_on_timeout = True - ) response = client.search( @@ -84,13 +68,11 @@ def _get_opensearch_alert(indexer_ip, rule_id, username, password): return response -def _asserts(response, agent_hostname, timestamp_test): +def _asserts(response, agent_hostname): agent = response['hits']['hits'][0]['_source']['agent']['name'] description = response['hits']['hits'][0]['_source']['rule']['description'] rule_id = response['hits']['hits'][0]['_source']['rule']['id'] mitre_technique = response['hits']['hits'][0]['_source']['rule']['mitre']['technique'][0] - timestamp = response['hits']['hits'][0]['_source']['timestamp'] - assert timestamp >= timestamp_test , 'Alert not generated' assert description == 'sshd: brute force trying to get access to the system.', 'Invalid description' assert rule_id == '5712', 'Invalid rule id' assert mitre_technique == 'Brute Force', 'Invalid mitre technique' From 11a31a26efb65876783f8faeddb9656b3b5357e7 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Wed, 1 Jun 2022 09:49:56 -0300 Subject: [PATCH 013/552] add: get_credentials task added and some fixes. #2935 --- .../test_docker_monitoring/conftest.py | 21 +++++++++++++++++++ .../playbooks/configuration.yaml | 18 ++++++++++++++++ .../test_docker_monitoring.py | 3 ++- 3 files changed, 41 insertions(+), 1 deletion(-) create mode 100644 tests/end_to_end/test_docker_monitoring/conftest.py 
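Review bot: Dropping the `rule.id` term leaves `_get_opensearch_alert` returning the single newest alert of any kind, so `_asserts` now demands that the latest document in `wazuh-alerts-4.x-*` be rule 5712 — any unrelated alert in the 5 s pause window (the agent's own syslog, an audit or docker alert from a sibling test) turns into `Invalid rule id`, and the `rule_id` argument the function still takes is dead. Keep the term, and bound it in time so a stale alert from an earlier run can't satisfy the test: `query = {"query": {"bool": {"must": [{"term": {"rule.id": rule_id}}], "filter": [{"range": {"timestamp": {"gte": "now-2m"}}}]}}, "size": 1, "sort": [{"timestamp": {"order": "desc"}}]}` — a dict, which also retires the hand-concatenated JSON string. `verify_certs=False` remains from the previous commit.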
diff --git a/tests/end_to_end/test_docker_monitoring/conftest.py b/tests/end_to_end/test_docker_monitoring/conftest.py new file mode 100644 index 0000000000..858c62d5de --- /dev/null +++ b/tests/end_to_end/test_docker_monitoring/conftest.py @@ -0,0 +1,21 @@ +import os +import pytest + +from wazuh_testing.tools import file + + +credentials_file = os.path.join('/tmp', 'passwords.wazuh') + + +@pytest.fixture(scope="function") +def get_opensearch_credentials(): + user = '' + password = '' + + for line in file.get_file_lines(credentials_file): + if 'username: admin' in line: + user = 'admin' + if user != '' and 'password: ' in line: + password = line.split()[1] + + yield user, password diff --git a/tests/end_to_end/test_docker_monitoring/playbooks/configuration.yaml b/tests/end_to_end/test_docker_monitoring/playbooks/configuration.yaml index e9f64b566f..b7320467c8 100644 --- a/tests/end_to_end/test_docker_monitoring/playbooks/configuration.yaml +++ b/tests/end_to_end/test_docker_monitoring/playbooks/configuration.yaml @@ -36,6 +36,10 @@ become: True shell: curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh + - name: Start Docker with systemd + become: True + shell: systemctl start docker + - name: Configure the docker-listener module become: True blockinfile: @@ -53,3 +57,17 @@ - name: Restart wazuh-manager become: True shell: systemctl restart wazuh-manager + + - name: Unzip Wazuh installation files + become: True + unarchive: + src: /root/wazuh-install-files.tar + dest: /root + remote_src: yes + + - name: Get credentials file + become: True + fetch: + src: /root/wazuh-install-files/passwords.wazuh + dest: /tmp + flat: yes diff --git a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py index a9b2f9bb50..4aa2a707ce 100644 --- a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py +++ b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py 
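Review bot: `get_opensearch_credentials` has the same last-password-wins loop as the audit conftest: `user` never resets after `username: admin`, so every later `password:` line overwrites `password` and a multi-account `passwords.wazuh` yields the wrong one. Add `break` after `password = line.split()[1]`. Two conftests now parse the same `/tmp/passwords.wazuh` with near-identical code (this one yields a tuple, the audit one a list); one fixture in a shared `tests/end_to_end/conftest.py` would keep them in step.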
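Review bot: `dest: /tmp` together with `flat: yes` is taken by the `fetch` module as the full destination filename, not a directory (a flat dest only gets the source basename appended when it ends in `/`), so this task tries to write `passwords.wazuh` over the path `/tmp` itself and should fail on any controller; the audit playbook in patch 006 uses `dest: /tmp/`, which is the form needed here. As there, the whole install bundle is extracted (into `/root`) and left on the manager; add a `file: state: absent` task for `/root/wazuh-install-files` once the fetch is done. The enclosing play begins in the earlier hunk, outside this one.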
@@ -2,5 +2,6 @@ @pytest.mark.ansible_playbook_setup('configuration.yaml', 'generate_alerts.yaml') -def test_docker_monitoring(ansible_playbook): +def test_docker_monitoring(ansible_playbook, get_opensearch_credentials): + user, password = get_opensearch_credentials assert 1 == 1 From 90ea8a4867ccb33ec85cd1b16240a2d9d2045d8b Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Thu, 26 May 2022 17:52:26 -0300 Subject: [PATCH 014/552] netcat automation --- tests/end_to_end/test_netcat/data/config.yml | 16 ++++ .../test_netcat/playbooks/configuration.yml | 22 +++++ .../test_netcat/playbooks/generate_events.yml | 6 ++ .../test_netcat/playbooks/get_alerts.yml | 10 ++ tests/end_to_end/test_netcat/test_netcat.py | 96 +++++++++++++++++++ 5 files changed, 150 insertions(+) create mode 100644 tests/end_to_end/test_netcat/data/config.yml create mode 100644 tests/end_to_end/test_netcat/playbooks/configuration.yml create mode 100644 tests/end_to_end/test_netcat/playbooks/generate_events.yml create mode 100644 tests/end_to_end/test_netcat/playbooks/get_alerts.yml create mode 100644 tests/end_to_end/test_netcat/test_netcat.py diff --git a/tests/end_to_end/test_netcat/data/config.yml b/tests/end_to_end/test_netcat/data/config.yml new file mode 100644 index 0000000000..d8e6a102df --- /dev/null +++ b/tests/end_to_end/test_netcat/data/config.yml @@ -0,0 +1,16 @@ +--- +wazuh-agent-linux: + - ip: "192.168.0.6" + - hostname: "centos-agent" + - rule_id: "100051" + +wazuh-agent-windows: + - ip: "192.168.0.7" + - hostname: "windows" + - rule_id: "60204" + +wazuh-manager-indexer: +- ip: "192.168.0.5" +- hostname: "centos-manager-kibana" +- username_indexer: "wazuh" +- password_ indexer: "Y6f1YvUNAH1DpxjRg162WKO6yfV496W1" diff --git a/tests/end_to_end/test_netcat/playbooks/configuration.yml b/tests/end_to_end/test_netcat/playbooks/configuration.yml new file mode 100644 index 0000000000..29f9aca88e --- /dev/null +++ b/tests/end_to_end/test_netcat/playbooks/configuration.yml 
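Review bot: `user, password = get_opensearch_credentials` is unpacked and discarded and the test still ends in `assert 1 == 1`, so it passes whether or not docker-listener produced anything; the only thing it proves is that the two playbooks ran. Use the credentials for what they were fetched for — query the indexer for the docker alerts each of the pull/run/exec/stop steps in `generate_alerts.yaml` should raise (or monitor `alerts.json` with `check_event`, as `test_audit.py` does) — and replace the placeholder assertion.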
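Review bot: This is a second copy of the same committed indexer password (`Y6f1YvUNAH1DpxjRg162WKO6yfV496W1`) and lab addresses already flagged in `tests/e2e/test_brute_force/data/config.yml`, down to the `password_ indexer` key typo; the credential needs rotating, and both files should read it from the environment or the fetched `passwords.wazuh` rather than carry it. The shared host data (`ip`, `hostname`, indexer user) also belongs in one place: one `data/config.yml` (or the inventory) consumed by both tests, with only `rule_id` differing.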
@@ -0,0 +1,22 @@ +--- + - name: Test case configuration + hosts: wazuh-manager + tasks: + - name: Get euid + shell: echo $EUID + register: euid + - debug: + var: euid.stdout + - name: Create wazuh audit rules file + become: True + copy: + dest: /etc/audit/rules.d/wazuh.rules + content: | + -a exit,always -F euid={{euid.stdout}} -F arch=b32 -S execve -k audit-wazuh-c + -a exit,always -F euid={{euid.stdout}} -F arch=b64 -S execve -k audit-wazuh-c + - name: Delete previous audit rules + become: True + shell: auditctl -D + - name: Load audit rules + become: True + shell: auditctl -R /etc/audit/rules.d/wazuh.rules \ No newline at end of file diff --git a/tests/end_to_end/test_netcat/playbooks/generate_events.yml b/tests/end_to_end/test_netcat/playbooks/generate_events.yml new file mode 100644 index 0000000000..28624cd6aa --- /dev/null +++ b/tests/end_to_end/test_netcat/playbooks/generate_events.yml @@ -0,0 +1,6 @@ +--- +- name: Generate events + hosts: wazuh-agent + tasks: + - name: Run netcat + shell: nc -l 8000 \ No newline at end of file diff --git a/tests/end_to_end/test_netcat/playbooks/get_alerts.yml b/tests/end_to_end/test_netcat/playbooks/get_alerts.yml new file mode 100644 index 0000000000..870c50bd67 --- /dev/null +++ b/tests/end_to_end/test_netcat/playbooks/get_alerts.yml @@ -0,0 +1,10 @@ +--- +name: Get alerts + hosts: wazuh-manager + tasks: + - name: Get alerts.json + fetch: + src: /var/ossec/logs/alerts/alerts.json + dest: C:\Users\elian\OneDrive\Documents\Vagrant\Maquinas\centos-manager-kibana + flat: yes + become: True \ No newline at end of file diff --git a/tests/end_to_end/test_netcat/test_netcat.py b/tests/end_to_end/test_netcat/test_netcat.py new file mode 100644 index 0000000000..56507bf894 --- /dev/null +++ b/tests/end_to_end/test_netcat/test_netcat.py 
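Review bot: This play installs the execve audit rule on `wazuh-manager`, but `generate_events.yml` in the same commit runs `nc -l 8000` on `wazuh-agent`, so the host that actually executes netcat never receives the rule and its auditd produces nothing for rule 100051 unless it was configured out of band; `hosts:` should name the agent (the `$EUID` task then reports the connection user on that host). The file is otherwise a byte-for-byte copy of `test_audit/playbooks/configuration.yml`, including `auditctl -D`, which drops every loaded audit rule on the target with nothing to restore them, and the bash-only `$EUID` under `/bin/sh`; `augenrules --load` after writing `rules.d/wazuh.rules` merges instead of wiping, `command: id -u` is portable, and one shared playbook would avoid fixing this twice.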
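Review bot: `shell: nc -l 8000` blocks until a client connects, so with nothing in the play connecting to port 8000 the task — and the whole test run — hangs indefinitely. Run it detached with a lifetime, which still produces the "listening" event the test expects: keep `shell: nc -l 8000` and add `async: 30` and `poll: 0` to the task, or have the test connect to the port so `nc` exits on its own. `test_netcat.py` in this commit also starts and `pkill`s netcat over SSH, so the same event is currently generated twice by two different mechanisms; pick one.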
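Review bot: The file's top level is a scalar `name: Get alerts` with `hosts`/`tasks` nested beneath it instead of a `- name: …` list item, so it is not valid YAML for a playbook and Ansible rejects it before any task runs. `dest: C:\Users\elian\OneDrive\Documents\Vagrant\Maquinas\centos-manager-kibana` is a developer's personal Windows path, and if that folder is synced by OneDrive as the name suggests, the manager's alert log would be copied off the lab machine; use a run-scoped path or a temporary directory, as the other E2E tests now do with `/tmp/`. Nothing in `test_netcat.py` reads the fetched file either — it queries the indexer — so the play may simply be unused.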
@@ -0,0 +1,96 @@ +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + Created by Wazuh, Inc. . + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 +type: e2e +brief: Wazuh includes a registration process that provides the user with an automated mechanism to enroll agents with + minimal configuration steps. To register an agent using the enrollment method, a manager with a valid IP needs + to be configured first. The agent then checks for the registration key in the client.keys file, and when the file + is empty, it automatically requests the key from the configured manager the agent is reporting to. +''' + +import paramiko +import pytest +from opensearchpy import OpenSearch +import yaml +import datetime +import time + + +@pytest.fixture +def configurations(): + yaml_file_path = 'data/config.yml' + with open(yaml_file_path) as stream: + configurations = yaml.safe_load(stream) + return configurations + + +def test_netcat(configurations): + """ + Test to detect Netcat + """ + ip_agent = configurations['wazuh-agent-linux'][0]['ip'] + agent_hostname = configurations['wazuh-agent-linux'][1]['hostname'] + rule_id = configurations['wazuh-agent-linux'][2]['rule_id'] + indexer_ip = configurations['wazuh-manager-indexer'][0]['ip'] + indexer_user = configurations['wazuh-manager-indexer'][2]['username_indexer'] + indexer_password = configurations['wazuh-manager-indexer'][3]['password_ indexer'] + + current_time = datetime.datetime.utcnow() + timestamp = current_time.timestamp() + timestamp_formatted = time.strftime('%Y-%m-%dT%H:%M:%S.%3M+0000', time.localtime(timestamp)) + + ssh = paramiko.SSHClient() + ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy) + ssh.connect(hostname= ip_agent, username='vagrant', password="vagrant") + command = 'nc -l 8000' + ssh.exec_command(command) + time.sleep(30) + kill_nc = "sudo pkill -fx 'nc -l 8000'" + ssh.exec_command(kill_nc) + print(kill_nc) + ssh.close + open_search_alerts = 
_get_opensearch_alert(indexer_ip, rule_id, indexer_user, indexer_password) + _asserts(open_search_alerts, agent_hostname, timestamp_formatted) + + +def _get_opensearch_alert(indexer_ip, rule_id, username, password): + """ + Get alert generated in opensearch + """ + auth = (username, password) + host = indexer_ip + port = '9200' + index_name = 'wazuh-alerts-4.x-*' + rule_id = rule_id + query = '{"query": {"bool": {"must": [{"term": {"rule.id": "' + rule_id + '"}}]}}, "size": 1, "sort": [{"timestamp": {"order": "desc"}}]}' + + client = OpenSearch( + hosts= [{'host': host, 'port': port}], + http_auth = auth, + use_ssl = True, + verify_certs = False, + timeout = 30, + max_retries = 10, + retry_on_timeout = True + + ) + + response = client.search( + body = query, + index= index_name + ) + + print(response) + return response + + +def _asserts(response, agent_hostname, timestamp_test): + agent = response['hits']['hits'][0]['_source']['agent']['name'] + description = response['hits']['hits'][0]['_source']['rule']['description'] + rule_id = response['hits']['hits'][0]['_source']['rule']['id'] + timestamp = response['hits']['hits'][0]['_source']['timestamp'] + assert timestamp >= timestamp_test , 'Alert not generated' + assert description == 'Netcat listening for incoming connections.' + assert rule_id == '100051', 'Invalid rule id' + assert agent == agent_hostname, 'Invalid agent' \ No newline at end of file From 579c3bd34ed96c461a823a33f128a9e06aaade49 Mon Sep 17 00:00:00 2001 
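Review bot: `ssh.close` (no parentheses) only references the bound method, so the SSH session in `test_netcat` is never closed, and `time.strftime('%Y-%m-%dT%H:%M:%S.%3M+0000', time.localtime(timestamp))` is doubly wrong: `%3M` is not a milliseconds directive and its output is platform-dependent, while `localtime` with a hard-coded `+0000` suffix labels local time as UTC (and `utcnow()` is naive, so `.timestamp()` already interprets it as local time); `datetime.datetime.now(datetime.timezone.utc).isoformat()` gives the comparable value directly. In `_get_opensearch_alert` the query is assembled by string concatenation, `'... "' + rule_id + '"...'`; building it as a dict, `{"query": {"bool": {"must": [{"term": {"rule.id": rule_id}}]}}, "size": 1, "sort": [{"timestamp": {"order": "desc"}}]}`, keeps quoting correct and lets `client.search(body=...)` serialize it. `_asserts` then ignores the configured rule and compares against the literal `'100051'`, and `timestamp >= timestamp_test` is a string comparison that only holds while both sides share exactly the same layout. The `vagrant`/`vagrant` SSH login and `verify_certs=False` are hard-coded as well; both belong in the test configuration, with the indexer CA supplied rather than verification disabled.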
From: Belen Valdivia Date: Wed, 1 Jun 2022 14:36:31 -0300 Subject: [PATCH 015/552] added test for netcat --- .../test_netcat/playbooks/configuration.yml | 22 ------------ .../test_netcat/playbooks/generate_events.yml | 15 +++++--- .../test_netcat/playbooks/get_alerts.yml | 10 ------ tests/end_to_end/test_netcat/test_netcat.py | 35 +++++-------------- 4 files changed, 18 insertions(+), 64 deletions(-) delete mode 100644 tests/end_to_end/test_netcat/playbooks/configuration.yml delete mode 100644 tests/end_to_end/test_netcat/playbooks/get_alerts.yml diff --git a/tests/end_to_end/test_netcat/playbooks/configuration.yml b/tests/end_to_end/test_netcat/playbooks/configuration.yml deleted file mode 100644 index 29f9aca88e..0000000000 --- a/tests/end_to_end/test_netcat/playbooks/configuration.yml +++ /dev/null @@ -1,22 +0,0 @@ ---- - - name: Test case configuration - hosts: wazuh-manager - tasks: - - name: Get euid - shell: echo $EUID - register: euid - - debug: - var: euid.stdout - - name: Create wazuh audit rules file - become: True - copy: - dest: /etc/audit/rules.d/wazuh.rules - content: | - -a exit,always -F euid={{euid.stdout}} -F arch=b32 -S execve -k audit-wazuh-c - -a exit,always -F euid={{euid.stdout}} -F arch=b64 -S execve -k audit-wazuh-c - - name: Delete previous audit rules - become: True - shell: auditctl -D - - name: Load audit rules - become: True - shell: auditctl -R /etc/audit/rules.d/wazuh.rules \ No newline at end of file diff --git a/tests/end_to_end/test_netcat/playbooks/generate_events.yml b/tests/end_to_end/test_netcat/playbooks/generate_events.yml index 28624cd6aa..542d4d17de 100644 --- a/tests/end_to_end/test_netcat/playbooks/generate_events.yml +++ b/tests/end_to_end/test_netcat/playbooks/generate_events.yml 
@@ -1,6 +1,11 @@ --- -- name: Generate events - hosts: wazuh-agent - tasks: - - name: Run netcat - shell: nc -l 8000 \ No newline at end of file + - name: Generate events + hosts: wazuh-agent + ignore_errors: True + tasks: + - name: netcat + command: nc -l 8000 + timeout: 30 + + + diff --git a/tests/end_to_end/test_netcat/playbooks/get_alerts.yml b/tests/end_to_end/test_netcat/playbooks/get_alerts.yml deleted file mode 100644 index 870c50bd67..0000000000 --- a/tests/end_to_end/test_netcat/playbooks/get_alerts.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -name: Get alerts - hosts: wazuh-manager - tasks: - - name: Get alerts.json - fetch: - src: /var/ossec/logs/alerts/alerts.json - dest: C:\Users\elian\OneDrive\Documents\Vagrant\Maquinas\centos-manager-kibana - flat: yes - become: True \ No newline at end of file diff --git a/tests/end_to_end/test_netcat/test_netcat.py b/tests/end_to_end/test_netcat/test_netcat.py index 56507bf894..09785e2bee 100644 --- a/tests/end_to_end/test_netcat/test_netcat.py +++ b/tests/end_to_end/test_netcat/test_netcat.py 
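Review bot: `ignore_errors: True` at play level masks every failure of the netcat task, not only the expected timeout — a missing `nc` binary or a port already in use would pass here and surface later as an opaque indexer assertion in test_netcat.py. Scoping it to the task (`ignore_errors: true` under `- name: netcat`) or, better, `failed_when: false` on that task alone keeps unrelated errors visible. `timeout: 30` is presumably the task-level keyword; a comment such as `# nc never exits on its own: rely on the task timeout to end it` would make the intent clear to the next reader.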
@@ -9,49 +9,32 @@ is empty, it automatically requests the key from the configured manager the agent is reporting to. ''' -import paramiko +import os import pytest from opensearchpy import OpenSearch import yaml -import datetime -import time @pytest.fixture def configurations(): - yaml_file_path = 'data/config.yml' + yaml_file_path = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'data/config.yml') with open(yaml_file_path) as stream: configurations = yaml.safe_load(stream) return configurations - -def test_netcat(configurations): +@pytest.mark.ansible_playbook_setup('generate_events.yml') +def test_netcat(configurations, ansible_playbook): """ Test to detect Netcat """ - ip_agent = configurations['wazuh-agent-linux'][0]['ip'] agent_hostname = configurations['wazuh-agent-linux'][1]['hostname'] rule_id = configurations['wazuh-agent-linux'][2]['rule_id'] indexer_ip = configurations['wazuh-manager-indexer'][0]['ip'] indexer_user = configurations['wazuh-manager-indexer'][2]['username_indexer'] indexer_password = configurations['wazuh-manager-indexer'][3]['password_ indexer'] - current_time = datetime.datetime.utcnow() - timestamp = current_time.timestamp() - timestamp_formatted = time.strftime('%Y-%m-%dT%H:%M:%S.%3M+0000', time.localtime(timestamp)) - - ssh = paramiko.SSHClient() - ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy) - ssh.connect(hostname= ip_agent, username='vagrant', password="vagrant") - command = 'nc -l 8000' - ssh.exec_command(command) - time.sleep(30) - kill_nc = "sudo pkill -fx 'nc -l 8000'" - ssh.exec_command(kill_nc) - print(kill_nc) - ssh.close open_search_alerts = _get_opensearch_alert(indexer_ip, rule_id, indexer_user, indexer_password) - _asserts(open_search_alerts, agent_hostname, timestamp_formatted) + _asserts(open_search_alerts, agent_hostname) def _get_opensearch_alert(indexer_ip, rule_id, username, password): 
@@ -62,8 +45,7 @@ def _get_opensearch_alert(indexer_ip, rule_id, username, password): host = indexer_ip port = '9200' index_name = 'wazuh-alerts-4.x-*' - rule_id = rule_id - query = '{"query": {"bool": {"must": [{"term": {"rule.id": "' + rule_id + '"}}]}}, "size": 1, "sort": [{"timestamp": {"order": "desc"}}]}' + query = '{"query": {"bool": {"must": []}}, "size": 1, "sort": [{"timestamp": {"order": "desc"}}]}' client = OpenSearch( hosts= [{'host': host, 'port': port}], @@ -85,12 +67,11 @@ def _get_opensearch_alert(indexer_ip, rule_id, username, password): return response -def _asserts(response, agent_hostname, timestamp_test): +def _asserts(response, agent_hostname): agent = response['hits']['hits'][0]['_source']['agent']['name'] description = response['hits']['hits'][0]['_source']['rule']['description'] rule_id = response['hits']['hits'][0]['_source']['rule']['id'] - timestamp = response['hits']['hits'][0]['_source']['timestamp'] - assert timestamp >= timestamp_test , 'Alert not generated' + print(response['hits']['hits'][0]['_source']['timestamp']) assert description == 'Netcat listening for incoming connections.' assert rule_id == '100051', 'Invalid rule id' assert agent == agent_hostname, 'Invalid agent' \ No newline at end of file From 9e97202d008f2ef1ff255c07029ad450d99d57bd Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Wed, 1 Jun 2022 14:49:09 -0300 Subject: [PATCH 016/552] deleted white spaces --- tests/end_to_end/test_netcat/playbooks/generate_events.yml | 3 --- tests/end_to_end/test_netcat/test_netcat.py | 2 +- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/tests/end_to_end/test_netcat/playbooks/generate_events.yml b/tests/end_to_end/test_netcat/playbooks/generate_events.yml index 542d4d17de..7f20fe5bd2 100644 --- a/tests/end_to_end/test_netcat/playbooks/generate_events.yml +++ b/tests/end_to_end/test_netcat/playbooks/generate_events.yml @@ -6,6 +6,3 @@ - name: netcat command: nc -l 8000 timeout: 30 - - - 
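Review bot: `"must": []` in the rewritten query removes the `rule.id` filter, so the search returns the single most recent alert of any rule and the test now depends on nothing else being logged after netcat; `rule_id` has become an unused parameter of `_get_opensearch_alert`. Restoring the filter without string building, `query = {"query": {"bool": {"must": [{"term": {"rule.id": rule_id}}]}}, "size": 1, "sort": [{"timestamp": {"order": "desc"}}]}`, keeps the check targeted. In `_asserts` (next hunk) the timestamp assertion became a `print`, so an alert left over from an earlier run satisfies the test; keeping a lower bound on `timestamp` captured before the playbook runs would close that gap, and `assert rule_id == '100051'` should compare against the configured rule id rather than a literal. Both functions continue outside the hunks.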
diff --git a/tests/end_to_end/test_netcat/test_netcat.py b/tests/end_to_end/test_netcat/test_netcat.py index 09785e2bee..4020daf39c 100644 --- a/tests/end_to_end/test_netcat/test_netcat.py +++ b/tests/end_to_end/test_netcat/test_netcat.py @@ -74,4 +74,4 @@ def _asserts(response, agent_hostname): print(response['hits']['hits'][0]['_source']['timestamp']) assert description == 'Netcat listening for incoming connections.' assert rule_id == '100051', 'Invalid rule id' - assert agent == agent_hostname, 'Invalid agent' \ No newline at end of file + assert agent == agent_hostname, 'Invalid agent' From eeaefc06631b8ec71d836d5093687b114a09012d Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Wed, 1 Jun 2022 14:50:56 -0300 Subject: [PATCH 017/552] deleted windows agent from config --- tests/end_to_end/test_netcat/data/config.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/tests/end_to_end/test_netcat/data/config.yml b/tests/end_to_end/test_netcat/data/config.yml index d8e6a102df..0d33fe7b70 100644 --- a/tests/end_to_end/test_netcat/data/config.yml +++ b/tests/end_to_end/test_netcat/data/config.yml @@ -4,11 +4,6 @@ wazuh-agent-linux: - hostname: "centos-agent" - rule_id: "100051" -wazuh-agent-windows: - - ip: "192.168.0.7" - - hostname: "windows" - - rule_id: "60204" - wazuh-manager-indexer: - ip: "192.168.0.5" - hostname: "centos-manager-kibana" From cad242e3a52d96a1c73770e06086c804c07b95c9 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Wed, 1 Jun 2022 19:52:45 -0300 Subject: [PATCH 018/552] add: test cases added, and request alerts to the OS API. #2935 --- .../wazuh_testing/tools/configuration.py | 14 ++- .../test_docker_monitoring/conftest.py | 2 +- .../cases_test_docker_monitoring.json | 115 ++++++++++++++++++ .../playbooks/configuration.yaml | 4 +- .../test_docker_monitoring.py | 43 ++++++- 5 files changed, 170 insertions(+), 8 deletions(-) create mode 100644 tests/end_to_end/test_docker_monitoring/data/test_cases/cases_test_docker_monitoring.json 
diff --git a/deps/wazuh_testing/wazuh_testing/tools/configuration.py b/deps/wazuh_testing/wazuh_testing/tools/configuration.py index 79166ce962..ee290a3149 100644 --- a/deps/wazuh_testing/wazuh_testing/tools/configuration.py +++ b/deps/wazuh_testing/wazuh_testing/tools/configuration.py @@ -696,18 +696,26 @@ def load_configuration_template(data_file_path, configuration_parameters=[], con for replacement, meta in zip(configuration_parameters, configuration_metadata)] -def get_test_cases_data(data_file_path): - """Load a test case template file and get its data. +def get_test_cases_data(data_file_path, format='yaml'): + """Load a test case template file in YAML or JSON format and get its data. Template example file: tests/integration/vulnerability_detector/test_providers/data/test_cases/test_enabled.yaml Args: data_file_path (str): Test case template file path. + format (str): File format (yaml or json). Returns: (list(dict), list(dict), list(str)): Configurations, metadata and test case names. """ - test_cases_data = file.read_yaml(data_file_path) + if format.lower() not in ('yaml', 'json'): + raise ValueError(f"Invalid argument: 'format' is not `yaml` or `json`. Current value: {format}") + + if format == 'yaml': + test_cases_data = file.read_yaml(data_file_path) + else: + test_cases_data = file.read_json(data_file_path) + configuration_parameters = [] configuration_metadata = [] test_cases_ids = [] diff --git a/tests/end_to_end/test_docker_monitoring/conftest.py b/tests/end_to_end/test_docker_monitoring/conftest.py index 858c62d5de..1684a163ce 100644 --- a/tests/end_to_end/test_docker_monitoring/conftest.py +++ b/tests/end_to_end/test_docker_monitoring/conftest.py @@ -15,7 +15,7 @@ def get_opensearch_credentials(): for line in file.get_file_lines(credentials_file): if 'username: admin' in line: user = 'admin' - if user != '' and 'password: ' in line: + if user != '' and password == '' and 'password: ' in line: password = line.split()[1] yield user, password 
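Review bot: The validation in `get_test_cases_data` lowercases the argument (`format.lower() not in ('yaml', 'json')`) but the dispatch below compares the raw value (`if format == 'yaml'`), so `format='YAML'` passes the check and is read as JSON. Normalise once, `format = format.lower()` before the check, and branch on the normalised value. `format` also shadows the builtin of the same name; a name such as `file_format` would avoid that if callers are updated at the same time. The function's body continues past the hunk.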
diff --git a/tests/end_to_end/test_docker_monitoring/data/test_cases/cases_test_docker_monitoring.json b/tests/end_to_end/test_docker_monitoring/data/test_cases/cases_test_docker_monitoring.json new file mode 100644 index 0000000000..f9fa31d30b --- /dev/null +++ b/tests/end_to_end/test_docker_monitoring/data/test_cases/cases_test_docker_monitoring.json 
@@ -0,0 +1,115 @@ +[ + { + "name": "docker_pull", + "description": "Test if an alert is generated when using the `pull` command.", + "configuration_parameters": {}, + "metadata": { + "opensearch_query": { + "query": { + "bool": { + "filter": [ + { + "match_phrase": { + "data.docker.Action": "pull" + } + } + ] + } + } + }, + "regex": "'.+\"docker\":.+\"Action\": \"(pull)\".+\"Attributes\":.+\"(nginx)\".+\"description\": \"(Docker: Image or repository nginx pulled)\".+'gm" + } + }, + { + "name": "docker_run", + "description": "Test if an alert is generated when using the `pull` command.", + "configuration_parameters": {}, + "metadata": { + "opensearch_query": { + "query": { + "bool": { + "filter": [ + { + "bool": { + "should": [ + { + "match_phrase": { + "data.docker.Action": "create" + } + }, + { + "match_phrase": { + "data.docker.Action": "start" + } + }, + { + "match_phrase": { + "data.docker.Action": "connect" + } + } + ], + "minimum_should_match": 1 + } + } + ] + } + } + }, + "regex": ".+\"docker\":.+\"Action\": \"(create)\".+\"image\": \"(nginx)\".+\"description\": \"(Docker: Container nginx_container created)\".+\"docker\":.+\"Action\": \"(connect)\".+\"container\".+\"description\": \"(Docker: Network bridge connected)\".+\"docker\":.+\"Action\": \"(start)\".+\"image\": \"(nginx)\".+\"description\": \"(Docker: Container nginx_container started)\".+" + } + }, + { + "name": "docker_exec", + "description": "Test if an alert is generated when using the `exec` command.", + "configuration_parameters": {}, + "metadata": { + "opensearch_query": { + "query": { + "bool": { + "filter": [ + { + "match_phrase": { + "data.docker.Action": "exec_start: /bin/bash " + } + } + ] + } + } + }, + "regex": ".+\"docker\":.+\"Action\": \"(exec_start: /bin/bash )\".+\"image\": \"(nginx)\".+\"description\": \"(Docker: Started shell session in container nginx_container)\".+" + } + }, + { + "name": "docker_stop_rm", + "description": "Test if an alert is generated when using the `exec` 
command.", + "configuration_parameters": {}, + "metadata": { + "opensearch_query": { + "query": { + "bool": { + "filter": [ + { + "bool": { + "should": [ + { + "match_phrase": { + "data.docker.Action": "destroy" + } + }, + { + "match_phrase": { + "data.docker.Action": "stop" + } + } + ], + "minimum_should_match": 1 + } + } + ] + } + } + }, + "regex": ".+\"docker\":.+\"Action\": \"(stop)\".+\"image\": \"(nginx)\".+\"description\": \"(Docker: Container nginx_container stopped)\".+\"docker\":.+\"Action\": \"(destroy)\".+\"image\": \"(nginx)\".+\"description\": \"(Docker: Container nginx_container destroyed)\".+" + } + } +] \ No newline at end of file diff --git a/tests/end_to_end/test_docker_monitoring/playbooks/configuration.yaml b/tests/end_to_end/test_docker_monitoring/playbooks/configuration.yaml index b7320467c8..64fe253f41 100644 --- a/tests/end_to_end/test_docker_monitoring/playbooks/configuration.yaml +++ b/tests/end_to_end/test_docker_monitoring/playbooks/configuration.yaml @@ -38,7 +38,7 @@ - name: Start Docker with systemd become: True - shell: systemctl start docker + shell: systemctl stop docker && systemctl stop docker.socket && systemctl start docker - name: Configure the docker-listener module become: True @@ -69,5 +69,5 @@ become: True fetch: src: /root/wazuh-install-files/passwords.wazuh - dest: /tmp + dest: /tmp/ flat: yes diff --git a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py index 4aa2a707ce..855d315b9b 100644 --- a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py +++ b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py 
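Review bot: The `regex` for `docker_pull` is wrapped as `'...'gm`, JavaScript literal syntax; under `re.search` the leading `'` and the trailing `'gm` are literal characters that a `json.dumps` response will normally not contain, so this case cannot match. Dropping the surrounding `'` and `gm` makes it consistent with the other three patterns. The `description` fields for `docker_run` and `docker_stop_rm` still say `pull` and `exec` respectively, a copy-paste leftover that appears verbatim in test reports.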
@@ -1,7 +1,46 @@ +import json +import os +import re import pytest +import requests +from requests.auth import HTTPBasicAuth + +from wazuh_testing.tools import configuration as config + +# Test cases data +TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') +TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases') +test_cases_file_path = os.path.join(TEST_CASES_PATH, 'cases_test_docker_monitoring.json') + +# Configuration +configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path, format='json') + + +def get_alerts_from_opensearch_api(user, password, query): + import pdb; pdb.set_trace() + hostname = 'wazuh-manager' + params = {'pretty': 'true'} + headers = {'Content-Type': 'application/json'} + path = 'wazuh-alerts-4.x-*/_search' + url = f"https://{hostname}:9200/{path}" + + response = requests.get(url=url, params=params, verify=False, auth=HTTPBasicAuth(user, password), json=query, + headers=headers) + + assert response.status_code == 200, 'The response is not the expected. ' \ + f"Actual: {response.status_code} - {response.content}" + + opensearch_query_result = json.dumps(response.json()) + + return opensearch_query_result @pytest.mark.ansible_playbook_setup('configuration.yaml', 'generate_alerts.yaml') -def test_docker_monitoring(ansible_playbook, get_opensearch_credentials): +@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) +def test_docker_monitoring(ansible_playbook, metadata, get_opensearch_credentials): user, password = get_opensearch_credentials - assert 1 == 1 + opensearch_result = get_alerts_from_opensearch_api(user, password, metadata['opensearch_query']) + + match = re.search(metadata['regex'], opensearch_result) + + assert match is not None, 'The expected alerts were not indexed.' From 8188f116991b33a2c89e41f2d799bf5ca02f5029 Mon Sep 17 00:00:00 2001 
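Review bot: `requests.get(..., verify=False, auth=HTTPBasicAuth(user, password), ...)` in `get_alerts_from_opensearch_api` sends the indexer credentials over a TLS session whose peer is not verified; the configuration playbook already fetches `passwords.wazuh` from the manager, and the deployment's root CA could be fetched the same way and passed as `verify=<path-to-ca-bundle>`. `import pdb; pdb.set_trace()` at the top of the helper will suspend a non-interactive CI run and must not be committed. An `assert` inside a helper is stripped under `python -O`; `response.raise_for_status()` or an explicit `if response.status_code != 200: pytest.fail(...)` is the robust form. The helper lacks a docstring; `"""Query the wazuh-alerts-4.x-* index through the indexer REST API and return the JSON response as a string."""` states the contract.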
From: Julia Date: Thu, 2 Jun 2022 12:30:28 +0200 Subject: [PATCH 019/552] fix: Get the right credentials --- tests/end_to_end/test_audit/conftest.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/tests/end_to_end/test_audit/conftest.py b/tests/end_to_end/test_audit/conftest.py index 88fdd20e4a..fd2bfca741 100644 --- a/tests/end_to_end/test_audit/conftest.py +++ b/tests/end_to_end/test_audit/conftest.py @@ -29,6 +29,9 @@ def get_dashboard_credentials(): password_line = line password = password_line.split()[1] - dashboard_credentials = [user, password] + if user != '' and password != '': + break + + dashboard_credentials = {'user': user, 'password': password} yield dashboard_credentials From 5edd3b8c2219255145b428576484a281ee3e9053 Mon Sep 17 00:00:00 2001 From: Julia Date: Thu, 2 Jun 2022 12:32:20 +0200 Subject: [PATCH 020/552] add: Get alerts through the API --- .../wazuh_testing/tools/end_to_end.py | 32 +++++++++++++++++++ tests/end_to_end/test_audit/test_audit.py | 22 +++++++++++-- 2 files changed, 52 insertions(+), 2 deletions(-) create mode 100644 deps/wazuh_testing/wazuh_testing/tools/end_to_end.py diff --git a/deps/wazuh_testing/wazuh_testing/tools/end_to_end.py b/deps/wazuh_testing/wazuh_testing/tools/end_to_end.py new file mode 100644 index 0000000000..4f4ed05bf3 --- /dev/null +++ b/deps/wazuh_testing/wazuh_testing/tools/end_to_end.py @@ -0,0 +1,32 @@ +import requests + + +def get_alert_dashboard_api(ip_address='wazuh-manager', index='wazuh-alerts-4.x-*', query=None, credentials=None): + + url = f'https://{ip_address}:9200/{index}/_search?' + + response = requests.get(url=url, params={'pretty': 'true'}, json=query, verify=False, + auth=requests.auth.HTTPBasicAuth(credentials['user'], credentials['password'])) + + return response + + +def make_query(must_match=None): + + query = { + "query": { + "bool": { + "must": must_match + } + }, + "size": 1, + "sort": [ + { + "timestamp": { + "order": "desc" + } + } + ] + } + + return query 
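Review bot: `get_alert_dashboard_api` defaults `credentials=None` and then subscripts it (`credentials['user']`), so calling it without credentials fails with an opaque `TypeError`; either make the parameter required or raise `ValueError('credentials with user and password are required')` up front. `make_query(must_match=None)` similarly emits `"must": null`, which the indexer rejects; `must_match = [] if must_match is None else must_match` yields a well-formed query. `verify=False` disables certificate verification for a request carrying basic-auth credentials; the deployment CA should be passed via `verify` instead. Neither function has a docstring describing the expected shape of `credentials` (`{'user': ..., 'password': ...}`) or of `must_match` (a list of query clauses).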
diff --git a/tests/end_to_end/test_audit/test_audit.py b/tests/end_to_end/test_audit/test_audit.py index 4a2df42aa3..3a6507e1c3 100644 --- a/tests/end_to_end/test_audit/test_audit.py +++ b/tests/end_to_end/test_audit/test_audit.py @@ -1,6 +1,8 @@ import pytest import os +from wazuh_testing.tools.end_to_end import get_alert_dashboard_api, make_query + from wazuh_testing.event_monitor import check_event alerts_json = os.path.join('/tmp', 'alerts.json') @@ -9,8 +11,24 @@ @pytest.mark.ansible_playbook_setup('credentials.yml', 'configuration.yml', 'generate_events.yml') def test_audit(ansible_playbook, get_dashboard_credentials, clean_environment): - expected_alert = r'\{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{"level"\:3,"description"\:"Audit\: '\ - r'Command\: \/usr\/bin\/ping\.","id"\:"80792","firedtimes"\:(\d+).*euid=1000.*' \ + expected_alert = r'\{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{"level"\:3,"description"\:"Audit\:'\ + r' Command\: \/usr\/bin\/ping\.","id"\:"80792","firedtimes"\:(\d+).*euid=1000.*' \ r'a3=\\"www\.google\.com\\".*\}' check_event(callback=expected_alert, file_to_monitor=alerts_json) + + query = make_query([ + { + "term": { + "rule.id": "80792" + } + }, + { + "term": { + "data.audit.command": "ping" + } + } + ]) + + alert_dashboard = get_alert_dashboard_api(query=query, credentials=get_dashboard_credentials) + assert alert_dashboard.status_code == 200, 'The alert not found in wazuh-dashboard API' From 54810e2956156ba70fdb59a2f19aac17434e37c8 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Thu, 2 Jun 2022 16:15:48 -0300 Subject: [PATCH 021/552] fix: pdb line deleted. #2935 --- .../end_to_end/test_docker_monitoring/test_docker_monitoring.py | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py index 855d315b9b..1797766383 100644 
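Review bot: `assert alert_dashboard.status_code == 200` only proves the search request succeeded; an empty result set also returns 200, so the new check cannot fail when the alert is absent from the index. Inspect the body instead, e.g. `hits = alert_dashboard.json()['hits']['hits']` followed by `assert hits and hits[0]['_source']['rule']['id'] == '80792', 'Alert not indexed'`. The message `'The alert not found in wazuh-dashboard API'` should then read `'Alert not found in the indexer API'`; the request targets port 9200, which is the indexer rather than the dashboard.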
--- a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py +++ b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py @@ -17,7 +17,6 @@ def get_alerts_from_opensearch_api(user, password, query): - import pdb; pdb.set_trace() hostname = 'wazuh-manager' params = {'pretty': 'true'} headers = {'Content-Type': 'application/json'} From 7b842082c08493d629af1914aa621fe3c0abbbf2 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Thu, 2 Jun 2022 18:55:01 -0300 Subject: [PATCH 022/552] refac: run_ansible_playbooks added to run the test with several test cases and prevent the configuration from being executed several times. #2935 --- tests/end_to_end/conftest.py | 16 ++++++++++++++++ .../test_cases/cases_test_docker_monitoring.json | 2 +- .../test_docker_monitoring.py | 10 ++++++++-- 3 files changed, 25 insertions(+), 3 deletions(-) create mode 100644 tests/end_to_end/conftest.py diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py new file mode 100644 index 0000000000..e1338d57f7 --- /dev/null +++ b/tests/end_to_end/conftest.py @@ -0,0 +1,16 @@ +import pytest +from pytest_ansible_playbook import runner + + +@pytest.fixture(scope="module") +def run_ansible_playbooks(request): + # Check if the required attributes are defined. + import pdb; pdb.set_trace() + try: + params = request.module.playbooks + except AttributeError as e: + print(e) + + with runner(request, params['setup_playbooks'], params['teardown_playbooks'], params['skip_teardown']): + + yield diff --git a/tests/end_to_end/test_docker_monitoring/data/test_cases/cases_test_docker_monitoring.json b/tests/end_to_end/test_docker_monitoring/data/test_cases/cases_test_docker_monitoring.json index f9fa31d30b..6138faded3 100644 --- a/tests/end_to_end/test_docker_monitoring/data/test_cases/cases_test_docker_monitoring.json +++ b/tests/end_to_end/test_docker_monitoring/data/test_cases/cases_test_docker_monitoring.json 
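Review bot: `except AttributeError as e: print(e)` in `run_ansible_playbooks` swallows the missing `playbooks` attribute and then dereferences `params` on the next line, so the fixture fails with a confusing `NameError` instead of saying what is wrong; `pytest.fail(f'{request.module.__name__} must define a module-level playbooks dict')` (or simply re-raising) is the appropriate outcome. The `import pdb; pdb.set_trace()` line would suspend every module using this fixture in an unattended run. `params['teardown_playbooks']` and `params['skip_teardown']` are read without defaults; `params.get('teardown_playbooks', [])` and `params.get('skip_teardown', False)` would let modules omit what they do not need.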
@@ -112,4 +112,4 @@ "regex": ".+\"docker\":.+\"Action\": \"(stop)\".+\"image\": \"(nginx)\".+\"description\": \"(Docker: Container nginx_container stopped)\".+\"docker\":.+\"Action\": \"(destroy)\".+\"image\": \"(nginx)\".+\"description\": \"(Docker: Container nginx_container destroyed)\".+" } } -] \ No newline at end of file +] diff --git a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py index 1797766383..dacfe8703e 100644 --- a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py +++ b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py @@ -12,6 +12,13 @@ TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases') test_cases_file_path = os.path.join(TEST_CASES_PATH, 'cases_test_docker_monitoring.json') +# Playbooks +playbooks = { + 'setup_playbooks': ['configuration.yaml', 'generate_alerts.yaml'], + 'teardown_playbooks': [], + 'skip_teardown': True +} + # Configuration configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path, format='json') @@ -34,9 +41,8 @@ def get_alerts_from_opensearch_api(user, password, query): return opensearch_query_result -@pytest.mark.ansible_playbook_setup('configuration.yaml', 'generate_alerts.yaml') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_docker_monitoring(ansible_playbook, metadata, get_opensearch_credentials): +def test_docker_monitoring(run_ansible_playbooks, metadata, get_opensearch_credentials): user, password = get_opensearch_credentials opensearch_result = get_alerts_from_opensearch_api(user, password, metadata['opensearch_query']) From 87994d5f8bb50db512bf994befdbe54924876747 Mon Sep 17 00:00:00 2001 
From: Julia Date: Fri, 3 Jun 2022 12:52:13 +0200 Subject: [PATCH 023/552] fix: Move `conftest.py` --- tests/end_to_end/{test_audit => }/conftest.py | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename tests/end_to_end/{test_audit => }/conftest.py (100%) diff --git a/tests/end_to_end/test_audit/conftest.py b/tests/end_to_end/conftest.py similarity index 100% rename from tests/end_to_end/test_audit/conftest.py rename to tests/end_to_end/conftest.py From 250407bb38b319d522c0a2493ddafff00d8befd1 Mon Sep 17 00:00:00 2001 From: Julia Date: Fri, 3 Jun 2022 12:55:19 +0200 Subject: [PATCH 024/552] fix: Create `data` and `test_cases`, and move `playbooks` --- .../end_to_end/test_audit/{ => data}/playbooks/configuration.yml | 0 tests/end_to_end/test_audit/{ => data}/playbooks/credentials.yml | 0 .../test_audit/{ => data}/playbooks/generate_events.yml | 0 tests/end_to_end/test_audit/data/test_cases/cases_audit.yml | 0 4 files changed, 0 insertions(+), 0 deletions(-) rename tests/end_to_end/test_audit/{ => data}/playbooks/configuration.yml (100%) rename tests/end_to_end/test_audit/{ => data}/playbooks/credentials.yml (100%) rename tests/end_to_end/test_audit/{ => data}/playbooks/generate_events.yml (100%) create mode 100644 tests/end_to_end/test_audit/data/test_cases/cases_audit.yml diff --git a/tests/end_to_end/test_audit/playbooks/configuration.yml b/tests/end_to_end/test_audit/data/playbooks/configuration.yml similarity index 100% rename from tests/end_to_end/test_audit/playbooks/configuration.yml rename to tests/end_to_end/test_audit/data/playbooks/configuration.yml diff --git a/tests/end_to_end/test_audit/playbooks/credentials.yml b/tests/end_to_end/test_audit/data/playbooks/credentials.yml similarity index 100% rename from tests/end_to_end/test_audit/playbooks/credentials.yml rename to tests/end_to_end/test_audit/data/playbooks/credentials.yml 
diff --git a/tests/end_to_end/test_audit/playbooks/generate_events.yml b/tests/end_to_end/test_audit/data/playbooks/generate_events.yml similarity index 100% rename from tests/end_to_end/test_audit/playbooks/generate_events.yml rename to tests/end_to_end/test_audit/data/playbooks/generate_events.yml diff --git a/tests/end_to_end/test_audit/data/test_cases/cases_audit.yml b/tests/end_to_end/test_audit/data/test_cases/cases_audit.yml new file mode 100644 index 0000000000..e69de29bb2 From 892d41ba0a7baa0b61f9033e4db6338424a96cba Mon Sep 17 00:00:00 2001 From: Julia Date: Fri, 3 Jun 2022 14:55:25 +0200 Subject: [PATCH 025/552] fix: Crate yaml for test cases --- .../data/test_cases/cases_audit.yml | 10 ++++++ tests/end_to_end/test_audit/test_audit.py | 32 +++++++++++++------ 2 files changed, 33 insertions(+), 9 deletions(-) diff --git a/tests/end_to_end/test_audit/data/test_cases/cases_audit.yml b/tests/end_to_end/test_audit/data/test_cases/cases_audit.yml index e69de29bb2..94d002af3d 100644 --- a/tests/end_to_end/test_audit/data/test_cases/cases_audit.yml +++ b/tests/end_to_end/test_audit/data/test_cases/cases_audit.yml @@ -0,0 +1,10 @@ +- name: ping_google + description: Ping www.google.com and check generated alerts + configuration_parameters: null + metadata: + rule.id: 80792 + level: 3 + description: "Audit\\: Command\\: \\/usr\\/bin\\/ping." + euid: 1000 + a3: '\\"www\.google\.com\\"' + data.audit.command: ping diff --git a/tests/end_to_end/test_audit/test_audit.py b/tests/end_to_end/test_audit/test_audit.py index 3a6507e1c3..e0554a2ea9 100644 --- a/tests/end_to_end/test_audit/test_audit.py +++ b/tests/end_to_end/test_audit/test_audit.py 
@@ -3,32 +3,46 @@ from wazuh_testing.tools.end_to_end import get_alert_dashboard_api, make_query +from wazuh_testing.tools import configuration as config from wazuh_testing.event_monitor import check_event alerts_json = os.path.join('/tmp', 'alerts.json') +test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') +test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_audit.yml') +configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) + +@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) @pytest.mark.ansible_playbook_setup('credentials.yml', 'configuration.yml', 'generate_events.yml') -def test_audit(ansible_playbook, get_dashboard_credentials, clean_environment): +def test_audit(ansible_playbook, metadata, get_dashboard_credentials, clean_environment): - expected_alert = r'\{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{"level"\:3,"description"\:"Audit\:'\ - r' Command\: \/usr\/bin\/ping\.","id"\:"80792","firedtimes"\:(\d+).*euid=1000.*' \ - r'a3=\\"www\.google\.com\\".*\}' + level = metadata['level'] + description = metadata['description'] + rule_id = metadata['rule.id'] + euid = metadata['euid'] + a3 = metadata['a3'] + data_audit_command = metadata['data.audit.command'] - check_event(callback=expected_alert, file_to_monitor=alerts_json) + expected_alert = r'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{},"description"\:"{}",'\ + r'"id"\:"{}".*euid={}.*a3={}.*\}}'.format(level, description, rule_id, euid, a3) query = make_query([ { "term": { - "rule.id": "80792" + "rule.id": f"{rule_id}" } }, { "term": { - "data.audit.command": "ping" + "data.audit.command": f"{data_audit_command}" } } ]) - alert_dashboard = get_alert_dashboard_api(query=query, credentials=get_dashboard_credentials) - assert alert_dashboard.status_code == 200, 'The alert not found in wazuh-dashboard API' + + try: + assert str(rule_id) in 
alert_dashboard.text + except AssertionError: + check_event(callback=expected_alert, file_to_monitor=alerts_json, error_message='The alert has not occurred') + raise AssertionError('The alert has occurred, but has not been indexed.') From 17c50610cb3b1dde2f163b762b53e56ce574a28a Mon Sep 17 00:00:00 2001 From: Julia Date: Fri, 3 Jun 2022 14:56:26 +0200 Subject: [PATCH 026/552] fix: Ignore request warning --- tests/end_to_end/test_audit/test_audit.py | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/end_to_end/test_audit/test_audit.py b/tests/end_to_end/test_audit/test_audit.py index e0554a2ea9..60b3a2da65 100644 --- a/tests/end_to_end/test_audit/test_audit.py +++ b/tests/end_to_end/test_audit/test_audit.py @@ -13,6 +13,7 @@ configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) +@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) @pytest.mark.ansible_playbook_setup('credentials.yml', 'configuration.yml', 'generate_events.yml') def test_audit(ansible_playbook, metadata, get_dashboard_credentials, clean_environment): From 9802a6676e1e627ce05177d182a190329294e32b Mon Sep 17 00:00:00 2001 From: Julia Date: Fri, 3 Jun 2022 15:03:20 +0200 Subject: [PATCH 027/552] fix: Add specific version for `pytest-ansible-playbook` --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index a93c4d53a6..a486bae2cd 100644 --- a/requirements.txt +++ b/requirements.txt @@ -45,4 +45,4 @@ wmi>=1.5.1; platform_system=='Windows' deepdiff==5.6.0; platform_system == "Linux" or platform_system=='Windows' libcst==0.3.23 ; python_version <= '3.6' treelib==1.6.1 -pytest-ansible-playbook +pytest-ansible-playbook==0.4.1 From 5918e31bfb86019273db26c5906376788b9214c3 Mon Sep 17 00:00:00 2001 
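Review bot: `assert str(rule_id) in indexed_alert.text` (the new assertion at the end of this hunk) is a substring match over the whole pretty-printed search response, so `80792` is satisfied by those digits appearing anywhere in the body — another field, a timestamp, an unrelated hit — rather than by a hit whose `rule.id` matches, and the status-code check that the old line performed is gone. Parse the body instead: `assert indexed_alert.status_code == 200` followed by `assert indexed_alert.json()['hits']['total']['value'] > 0`. The `raise AssertionError(...)` inside `except AssertionError` also discards the original failure; `raise AssertionError('...') from None` keeps the traceback readable. `level`, `rule_id` and `euid` are interpolated into the regex unescaped, which is fine for the integers the YAML provides but deserves a one-line comment.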
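Review bot: The new `filterwarnings` marker silences `InsecureRequestWarning` rather than addressing its cause — the indexer request in `get_alert_dashboard_api` is made with `verify=False`, so the TLS session carrying the admin credentials is never authenticated. That is a reasonable trade-off for a lab, but it should be stated next to the marker, e.g. `# indexer uses a self-signed cert in the test environment; TLS verification is disabled in get_alert_dashboard_api`, and if the install files unpacked by the credentials playbook include the root CA it would be better passed as `verify=` than suppressed.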
From: Julia Date: Fri, 3 Jun 2022 15:37:54 +0200 Subject: [PATCH 028/552] add: Add functions and fixtures documentation --- .../wazuh_testing/tools/end_to_end.py | 25 ++++++++++++++++++- tests/end_to_end/conftest.py | 9 ++++++- 2 files changed, 32 insertions(+), 2 deletions(-) diff --git a/deps/wazuh_testing/wazuh_testing/tools/end_to_end.py b/deps/wazuh_testing/wazuh_testing/tools/end_to_end.py index 4f4ed05bf3..92479b87b2 100644 --- a/deps/wazuh_testing/wazuh_testing/tools/end_to_end.py +++ b/deps/wazuh_testing/wazuh_testing/tools/end_to_end.py @@ -1,8 +1,24 @@ +# Copyright (C) 2015-2022, Wazuh Inc. +# Created by Wazuh, Inc. . +# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 import requests -def get_alert_dashboard_api(ip_address='wazuh-manager', index='wazuh-alerts-4.x-*', query=None, credentials=None): +def get_alert_indexer_api(ip_address='wazuh-manager', index='wazuh-alerts-4.x-*', query=None, credentials=None): + """Get an alert from the wazuh-indexer API + Make a request to the wazuh-indexer API to get the last indexed alert that matches the values passed in + must_match. + + Args: + ip_address (str): wazuh-indexer IP address. + index (str): Index in which to search for the alert. + query (dict): Query to send to the API. + credentials(dict): wazuh-indexer credentials. + + Returns: + `obj`(map): Search results + """ url = f'https://{ip_address}:9200/{index}/_search?' response = requests.get(url=url, params={'pretty': 'true'}, json=query, verify=False, @@ -12,7 +28,14 @@ def get_alert_dashboard_api(ip_address='wazuh-manager', index='wazuh-alerts-4.x- def make_query(must_match=None): + """Creates a query according to the values passed in must_match. + + Args: + must_match (list): Values to be matched with the indexed alert. + Returns: + dict: Fully formed query. + """ query = { "query": { "bool": { diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index fd2bfca741..5f016b130e 100644 
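Review bot: The docstring added to `get_alert_indexer_api` omits the two facts a caller most needs: the request is sent with `verify=False` (the context line at the end of the hunk), so the indexer certificate is not validated and the basic-auth credentials travel over an unauthenticated TLS session, and `credentials=None` is not a usable default because the auth line that follows (visible as context in a later patch) indexes `credentials['user']`. The `Returns` entry is also inaccurate — the function returns the `requests.Response`, not a map of search results. I would add a `Note:` paragraph saying TLS verification is disabled and `credentials` is mandatory, and change the return line to `requests.Response: raw search response; call .json() for the hits.`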
--- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -1,3 +1,6 @@ +# Copyright (C) 2015-2022, Wazuh Inc. +# Created by Wazuh, Inc. . +# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 import os import pytest from wazuh_testing.tools.file import remove_file, get_file_lines @@ -8,7 +11,7 @@ @pytest.fixture(scope='function') def clean_environment(): - + """Delete alerts and credentials files from the temporary folder.""" yield remove_file(alerts_json) @@ -17,7 +20,11 @@ def clean_environment(): @pytest.fixture(scope='function') def get_dashboard_credentials(): + """Get wazuh-dashboard username and password. + Returns: + dict: wazuh-dashboard credentials. + """ password = '' user = '' From e771e847d16b52373d290b603f0048197f88e6c4 Mon Sep 17 00:00:00 2001 From: Julia Date: Fri, 3 Jun 2022 15:42:58 +0200 Subject: [PATCH 029/552] fix: Group extra checks --- .../end_to_end/test_audit/data/test_cases/cases_audit.yml | 7 ++++--- tests/end_to_end/test_audit/test_audit.py | 6 +++--- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/tests/end_to_end/test_audit/data/test_cases/cases_audit.yml b/tests/end_to_end/test_audit/data/test_cases/cases_audit.yml index 94d002af3d..cf2cf756be 100644 --- a/tests/end_to_end/test_audit/data/test_cases/cases_audit.yml +++ b/tests/end_to_end/test_audit/data/test_cases/cases_audit.yml @@ -5,6 +5,7 @@ rule.id: 80792 level: 3 description: "Audit\\: Command\\: \\/usr\\/bin\\/ping." - euid: 1000 - a3: '\\"www\.google\.com\\"' - data.audit.command: ping + extra: + euid: 1000 + a3: '\\"www\.google\.com\\"' + data.audit.command: ping diff --git a/tests/end_to_end/test_audit/test_audit.py b/tests/end_to_end/test_audit/test_audit.py index 60b3a2da65..184b2da220 100644 --- a/tests/end_to_end/test_audit/test_audit.py +++ b/tests/end_to_end/test_audit/test_audit.py 
@@ -21,9 +21,9 @@ def test_audit(ansible_playbook, metadata, get_dashboard_credentials, clean_envi level = metadata['level'] description = metadata['description'] rule_id = metadata['rule.id'] - euid = metadata['euid'] - a3 = metadata['a3'] - data_audit_command = metadata['data.audit.command'] + euid = metadata['extra']['euid'] + a3 = metadata['extra']['a3'] + data_audit_command = metadata['extra']['data.audit.command'] expected_alert = r'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{},"description"\:"{}",'\ r'"id"\:"{}".*euid={}.*a3={}.*\}}'.format(level, description, rule_id, euid, a3) From db49b50a7254d22970a990e2840240bf258e256e Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Fri, 3 Jun 2022 15:17:43 -0300 Subject: [PATCH 030/552] fix: run_ansible_playbooks fixed, debug line deleted. #2935 --- tests/end_to_end/conftest.py | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index e1338d57f7..e1f031f518 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -5,7 +5,6 @@ @pytest.fixture(scope="module") def run_ansible_playbooks(request): # Check if the required attributes are defined. - import pdb; pdb.set_trace() try: params = request.module.playbooks except AttributeError as e: From 81c3539a90bd905dd910ae829b2a0acc3e909779 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Fri, 3 Jun 2022 19:40:08 -0300 Subject: [PATCH 031/552] add: run_extra_playbooks fixture added with function scope to run playbooks for individual test cases; and doc added to fixtures. #2935 --- tests/end_to_end/conftest.py | 40 ++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index e1f031f518..7c8b7ecfc9 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py 
@@ -4,6 +4,18 @@ @pytest.fixture(scope="module") def run_ansible_playbooks(request): + """Will run a list of playbooks defined in the 'playbooks' attribute of the executing test function. + + The 'playbooks' attribute is a python dictionary with the following structure: + { + 'setup_playbooks': (list), + 'teardown_playbooks': (list), + 'skip_teardown': (bool) + } + + Args: + request (fixture): Provide information on the executing test function. + """ # Check if the required attributes are defined. try: params = request.module.playbooks @@ -13,3 +25,31 @@ def run_ansible_playbooks(request): with runner(request, params['setup_playbooks'], params['teardown_playbooks'], params['skip_teardown']): yield + + +@pytest.fixture(scope="function") +def run_extra_playbooks(request): + """Will run a list of playbooks if an element called 'extra_playbooks' exists in the metadata list inside the test + case YAML file. + + The 'extra_playbooks' is a list of playbook files. Example: ['run_commands.yaml', 'configure_wodle.yaml'] + + Args: + request (fixture): Provide information on the executing test function. + """ + extra_playbooks = None + # Get the current test case id + current_test_case_id = request.node.name.split('[')[1].replace(']', '') + + # Each 'case' has the metadata object of the test case + for case in request.module.configuration_metadata: + # Check if the current test case has extra playbooks to run + if case['name'] == current_test_case_id: + try: + extra_playbooks = case['extra_playbooks'] + except KeyError as e: + pass + + with runner(request, setup_playbooks=extra_playbooks, skip_teardown=True): + + yield From 123080749474b20642377a4b4e36ce16643243b4 Mon Sep 17 00:00:00 2001 
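Review bot: In the new `run_extra_playbooks` fixture, `request.node.name.split('[')[1]` raises `IndexError` for any test that requests the fixture without being parametrized, and `case['name']` raises `KeyError` outside the `try`, so a case file with a missing name fails with an unrelated traceback. Use `request.node.callspec.id` guarded by `hasattr(request.node, 'callspec')`, and replace the try/except with `extra_playbooks = case.get('extra_playbooks')`, which also drops the unused `e`. It is not visible here whether `runner` tolerates `setup_playbooks=None`; if it does not, the `with` block should be skipped when nothing was found. The docstring says the list lives "in the metadata list inside the test case YAML file", but the code reads `request.module.configuration_metadata`, so name that attribute explicitly.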
From: Julia Date: Tue, 7 Jun 2022 16:48:39 +0200 Subject: [PATCH 032/552] fix: Move files --- .../{tools/end_to_end.py => end_to_end/__init__.py} | 8 ++++---- .../{configuration.yml => configuration.yaml} | 4 ++++ .../playbooks/{credentials.yml => credentials.yaml} | 2 ++ .../{generate_events.yml => generate_events.yaml} | 11 ++++------- tests/end_to_end/test_audit/test_audit.py | 5 +++-- 5 files changed, 17 insertions(+), 13 deletions(-) rename deps/wazuh_testing/wazuh_testing/{tools/end_to_end.py => end_to_end/__init__.py} (84%) rename tests/end_to_end/test_audit/data/playbooks/{configuration.yml => configuration.yaml} (99%) rename tests/end_to_end/test_audit/data/playbooks/{credentials.yml => credentials.yaml} (99%) rename tests/end_to_end/test_audit/data/playbooks/{generate_events.yml => generate_events.yaml} (77%) diff --git a/deps/wazuh_testing/wazuh_testing/tools/end_to_end.py b/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py similarity index 84% rename from deps/wazuh_testing/wazuh_testing/tools/end_to_end.py rename to deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py index 92479b87b2..a1ffd738c9 100644 --- a/deps/wazuh_testing/wazuh_testing/tools/end_to_end.py +++ b/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py @@ -4,7 +4,7 @@ import requests -def get_alert_indexer_api(ip_address='wazuh-manager', index='wazuh-alerts-4.x-*', query=None, credentials=None): +def get_alert_indexer_api(query, credentials, ip_address='wazuh-manager', index='wazuh-alerts-4.x-*'): """Get an alert from the wazuh-indexer API Make a request to the wazuh-indexer API to get the last indexed alert that matches the values passed in 
@@ -19,7 +19,7 @@ def get_alert_indexer_api(ip_address='wazuh-manager', index='wazuh-alerts-4.x-*' Returns: `obj`(map): Search results """ - url = f'https://{ip_address}:9200/{index}/_search?' + url = f"https://{ip_address}:9200/{index}/_search?" response = requests.get(url=url, params={'pretty': 'true'}, json=query, verify=False, auth=requests.auth.HTTPBasicAuth(credentials['user'], credentials['password'])) @@ -27,8 +27,8 @@ def get_alert_indexer_api(ip_address='wazuh-manager', index='wazuh-alerts-4.x-*' return response -def make_query(must_match=None): - """Creates a query according to the values passed in must_match. +def make_query(must_match): + """Create a query according to the values passed in must_match. Args: must_match (list): Values to be matched with the indexed alert. diff --git a/tests/end_to_end/test_audit/data/playbooks/configuration.yml b/tests/end_to_end/test_audit/data/playbooks/configuration.yaml similarity index 99% rename from tests/end_to_end/test_audit/data/playbooks/configuration.yml rename to tests/end_to_end/test_audit/data/playbooks/configuration.yaml index 70b502d299..69a6865458 100644 --- a/tests/end_to_end/test_audit/data/playbooks/configuration.yml +++ b/tests/end_to_end/test_audit/data/playbooks/configuration.yaml @@ -2,11 +2,13 @@ - name: Test case configuration hosts: wazuh-manager tasks: + - name: Get euid shell: echo $EUID register: euid - debug: var: euid.stdout + - name: Create wazuh audit rules file become: True copy: @@ -14,9 +16,11 @@ content: | -a exit,always -F euid={{euid.stdout}} -F arch=b32 -S execve -k audit-wazuh-c -a exit,always -F euid={{euid.stdout}} -F arch=b64 -S execve -k audit-wazuh-c + - name: Delete previous audit rules become: True shell: auditctl -D + - name: Load audit rules become: True shell: auditctl -R /etc/audit/rules.d/wazuh.rules 
diff --git a/tests/end_to_end/test_audit/data/playbooks/credentials.yml b/tests/end_to_end/test_audit/data/playbooks/credentials.yaml similarity index 99% rename from tests/end_to_end/test_audit/data/playbooks/credentials.yml rename to tests/end_to_end/test_audit/data/playbooks/credentials.yaml index 12703fc831..26903b78ba 100644 --- a/tests/end_to_end/test_audit/data/playbooks/credentials.yml +++ b/tests/end_to_end/test_audit/data/playbooks/credentials.yaml @@ -2,12 +2,14 @@ - name: Get credentials hosts: wazuh-manager tasks: + - name: Unzip wazuh install files unarchive: src: /home/vagrant/wazuh-install-files.tar dest: /home/vagrant remote_src: yes become: True + - name: Get passwords file fetch: src: /home/vagrant/wazuh-install-files/passwords.wazuh diff --git a/tests/end_to_end/test_audit/data/playbooks/generate_events.yml b/tests/end_to_end/test_audit/data/playbooks/generate_events.yaml similarity index 77% rename from tests/end_to_end/test_audit/data/playbooks/generate_events.yml rename to tests/end_to_end/test_audit/data/playbooks/generate_events.yaml index 1fe59138a4..d170d34307 100644 --- a/tests/end_to_end/test_audit/data/playbooks/generate_events.yml +++ b/tests/end_to_end/test_audit/data/playbooks/generate_events.yaml @@ -1,17 +1,14 @@ -- name: Clean alerts.json +- name: Generate events hosts: wazuh-manager tasks: + - name: Truncate file shell: echo "" > /var/ossec/logs/alerts/alerts.json become: True -- name: Generate events - hosts: wazuh-manager - tasks: + - name: Ping google shell: ping -c 1 www.google.com -- name: Get alerts - hosts: wazuh-manager - tasks: + - name: Get alerts.json fetch: src: /var/ossec/logs/alerts/alerts.json diff --git a/tests/end_to_end/test_audit/test_audit.py b/tests/end_to_end/test_audit/test_audit.py index 184b2da220..2f46f9d2e7 100644 --- a/tests/end_to_end/test_audit/test_audit.py +++ b/tests/end_to_end/test_audit/test_audit.py 
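Review bot: The new `Truncate file` task runs `echo "" > /var/ossec/logs/alerts/alerts.json` as root, which wipes the manager's entire alert history and leaves a blank first line in the file; that is a destructive action against a monitored host and should be visible from the task name and a comment such as `# WARNING: wipes alerts.json on the manager; only run against disposable test hosts`. `truncate -s 0` or the `copy` module with `content: ''` avoids the stray newline. The `Ping google` task also assumes the manager has outbound Internet access, so a network failure surfaces later as a missing alert rather than at its cause — a comment or an explicit `failed_when` on that task would make triage easier.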
@@ -4,6 +4,7 @@ from wazuh_testing.tools.end_to_end import get_alert_dashboard_api, make_query from wazuh_testing.tools import configuration as config +from wazuh_testing.end_to_end import get_alert_indexer_api, make_query from wazuh_testing.event_monitor import check_event alerts_json = os.path.join('/tmp', 'alerts.json') @@ -40,10 +41,10 @@ def test_audit(ansible_playbook, metadata, get_dashboard_credentials, clean_envi } } ]) - alert_dashboard = get_alert_dashboard_api(query=query, credentials=get_dashboard_credentials) + indexed_alert = get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) try: - assert str(rule_id) in alert_dashboard.text + assert str(rule_id) in indexed_alert.text except AssertionError: check_event(callback=expected_alert, file_to_monitor=alerts_json, error_message='The alert has not occurred') raise AssertionError('The alert has occurred, but has not been indexed.') From 20aff5d35bfd5fb57740c9600d075b7adaa88979 Mon Sep 17 00:00:00 2001 From: Julia Date: Tue, 7 Jun 2022 16:49:16 +0200 Subject: [PATCH 033/552] fix: Use `gettempdir()` --- tests/end_to_end/conftest.py | 7 +++++-- tests/end_to_end/test_audit/test_audit.py | 8 ++++---- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 5f016b130e..c3bec6df12 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -3,10 +3,13 @@ # This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 import os import pytest +from tempfile import gettempdir + from wazuh_testing.tools.file import remove_file, get_file_lines -alerts_json = os.path.join('/tmp', 'alerts.json') -credentials_file = os.path.join('/tmp', 'passwords.wazuh') + +alerts_json = os.path.join(gettempdir(), 'alerts.json') +credentials_file = os.path.join(gettempdir(), 'passwords.wazuh') @pytest.fixture(scope='function') 
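Review bot: The old `from wazuh_testing.tools.end_to_end import get_alert_dashboard_api, make_query` survives as a context line while this same patch renames that module to `wazuh_testing/end_to_end/__init__.py`, so `test_audit.py` will fail with `ImportError` at collection before any test runs. Drop the stale line and keep only `from wazuh_testing.end_to_end import get_alert_indexer_api, make_query`; as written the second `make_query` import would also silently shadow the first.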
diff --git a/tests/end_to_end/test_audit/test_audit.py b/tests/end_to_end/test_audit/test_audit.py index 2f46f9d2e7..724c3806ab 100644 --- a/tests/end_to_end/test_audit/test_audit.py +++ b/tests/end_to_end/test_audit/test_audit.py @@ -1,13 +1,13 @@ -import pytest import os - -from wazuh_testing.tools.end_to_end import get_alert_dashboard_api, make_query +import pytest +from tempfile import gettempdir from wazuh_testing.tools import configuration as config from wazuh_testing.end_to_end import get_alert_indexer_api, make_query from wazuh_testing.event_monitor import check_event -alerts_json = os.path.join('/tmp', 'alerts.json') + +alerts_json = os.path.join(gettempdir(), 'alerts.json') test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_audit.yml') From 1c971bd3b6e16da578362408dce64f1a3db074d5 Mon Sep 17 00:00:00 2001 From: Julia Date: Tue, 7 Jun 2022 16:51:19 +0200 Subject: [PATCH 034/552] fix: Install `pytest-ansible-playbook` in Linux --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index a486bae2cd..4e27a972bb 100644 --- a/requirements.txt +++ b/requirements.txt @@ -45,4 +45,4 @@ wmi>=1.5.1; platform_system=='Windows' deepdiff==5.6.0; platform_system == "Linux" or platform_system=='Windows' libcst==0.3.23 ; python_version <= '3.6' treelib==1.6.1 -pytest-ansible-playbook==0.4.1 +pytest-ansible-playbook==0.4.1; platform_system == "Linux" From 2cf1454e124b65dd702c9432f625ffd8776a3ac2 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Tue, 7 Jun 2022 16:24:03 -0300 Subject: [PATCH 035/552] fix: test cases fixed. #2935 --- .../cases_test_docker_monitoring.json | 97 +++++++++++-------- .../test_docker_monitoring.py | 1 + 2 files changed, 55 insertions(+), 43 deletions(-) 
diff --git a/tests/end_to_end/test_docker_monitoring/data/test_cases/cases_test_docker_monitoring.json b/tests/end_to_end/test_docker_monitoring/data/test_cases/cases_test_docker_monitoring.json index 6138faded3..02b597f683 100644 --- a/tests/end_to_end/test_docker_monitoring/data/test_cases/cases_test_docker_monitoring.json +++ b/tests/end_to_end/test_docker_monitoring/data/test_cases/cases_test_docker_monitoring.json @@ -7,9 +7,19 @@ "opensearch_query": { "query": { "bool": { - "filter": [ + "must": [ { - "match_phrase": { + "term": { + "rule.id": "87932" + } + }, + { + "term": { + "rule.description": "Docker: Image or repository nginx pulled" + } + }, + { + "term": { "data.docker.Action": "pull" } } @@ -17,7 +27,7 @@ } } }, - "regex": "'.+\"docker\":.+\"Action\": \"(pull)\".+\"Attributes\":.+\"(nginx)\".+\"description\": \"(Docker: Image or repository nginx pulled)\".+'gm" + "regex": ".+\"docker\":.+\"Action\": \"(pull)\".+\"Attributes\":.+\"(nginx)\".+\"description\": \"(Docker: Image or repository nginx pulled)\".+" } }, { 
@@ -28,34 +38,27 @@ "opensearch_query": { "query": { "bool": { - "filter": [ + "must": [ + { + "term": { + "rule.id": "87903" + } + }, + { + "term": { + "rule.description": "Docker: Container nginx_container started" + } + }, { - "bool": { - "should": [ - { - "match_phrase": { - "data.docker.Action": "create" - } - }, - { - "match_phrase": { - "data.docker.Action": "start" - } - }, - { - "match_phrase": { - "data.docker.Action": "connect" - } - } - ], - "minimum_should_match": 1 + "term": { + "data.docker.Action": "start" } } ] } } }, - "regex": ".+\"docker\":.+\"Action\": \"(create)\".+\"image\": \"(nginx)\".+\"description\": \"(Docker: Container nginx_container created)\".+\"docker\":.+\"Action\": \"(connect)\".+\"container\".+\"description\": \"(Docker: Network bridge connected)\".+\"docker\":.+\"Action\": \"(start)\".+\"image\": \"(nginx)\".+\"description\": \"(Docker: Container nginx_container started)\".+" + "regex": ".+\"docker\":.+\"Action\": \"(start)\".+\"image\": \"(nginx)\".+\"description\": \"(Docker: Container nginx_container started)\".+" } }, { @@ -66,9 +69,19 @@ "opensearch_query": { "query": { "bool": { - "filter": [ + "must": [ { - "match_phrase": { + "term": { + "rule.id": "87908" + } + }, + { + "term": { + "rule.description": "Docker: Started shell session in container nginx_container" + } + }, + { + "term": { "data.docker.Action": "exec_start: /bin/bash " } } 
@@ -87,29 +100,27 @@ "opensearch_query": { "query": { "bool": { - "filter": [ + "must": [ + { + "term": { + "rule.id": "87902" + } + }, + { + "term": { + "rule.description": "Docker: Container nginx_container destroyed" + } + }, { - "bool": { - "should": [ - { - "match_phrase": { - "data.docker.Action": "destroy" - } - }, - { - "match_phrase": { - "data.docker.Action": "stop" - } - } - ], - "minimum_should_match": 1 + "term": { + "data.docker.Action": "destroy" } } ] } } }, - "regex": ".+\"docker\":.+\"Action\": \"(stop)\".+\"image\": \"(nginx)\".+\"description\": \"(Docker: Container nginx_container stopped)\".+\"docker\":.+\"Action\": \"(destroy)\".+\"image\": \"(nginx)\".+\"description\": \"(Docker: Container nginx_container destroyed)\".+" + "regex": ".+\"docker\":.+\"Action\": \"(destroy)\".+\"image\": \"(nginx)\".+\"description\": \"(Docker: Container nginx_container destroyed)\".+" } } -] +] \ No newline at end of file diff --git a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py index dacfe8703e..46bc83bc5c 100644 --- a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py +++ b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py @@ -42,6 +42,7 @@ def get_alerts_from_opensearch_api(user, password, query): @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) +@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') def test_docker_monitoring(run_ansible_playbooks, metadata, get_opensearch_credentials): user, password = get_opensearch_credentials opensearch_result = get_alerts_from_opensearch_api(user, password, metadata['opensearch_query']) From 493de86ea34b17911e51acf49f0ce5c346872403 Mon Sep 17 00:00:00 2001 
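Review bot: The `filterwarnings` marker added to `test_docker_monitoring` suppresses `InsecureRequestWarning` rather than documenting why the indexer is contacted without certificate validation; `get_alerts_from_opensearch_api` is defined outside this hunk so its `verify=` argument is not visible here, but that warning only fires when verification is disabled. Add a one-line comment above the marker, `# test indexer uses a self-signed certificate; verification is disabled in get_alerts_from_opensearch_api`, so a reader does not mistake the suppression for a fix.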
From: Mauro Malara Date: Tue, 7 Jun 2022 16:36:58 -0300 Subject: [PATCH 036/552] doc: documentation added and gettempdir function added. #2935 --- tests/end_to_end/conftest.py | 3 +++ tests/end_to_end/test_docker_monitoring/conftest.py | 6 +++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 7c8b7ecfc9..4d8b551005 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -1,3 +1,6 @@ +# Copyright (C) 2015-2022, Wazuh Inc. +# Created by Wazuh, Inc. . +# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 import pytest from pytest_ansible_playbook import runner diff --git a/tests/end_to_end/test_docker_monitoring/conftest.py b/tests/end_to_end/test_docker_monitoring/conftest.py index 1684a163ce..380cd85a3e 100644 --- a/tests/end_to_end/test_docker_monitoring/conftest.py +++ b/tests/end_to_end/test_docker_monitoring/conftest.py @@ -1,10 +1,14 @@ +# Copyright (C) 2015-2022, Wazuh Inc. +# Created by Wazuh, Inc. . +# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 import os import pytest +from tempfile import gettempdir from wazuh_testing.tools import file -credentials_file = os.path.join('/tmp', 'passwords.wazuh') +credentials_file = os.path.join(gettempdir(), 'passwords.wazuh') @pytest.fixture(scope="function") From dfb01e634270f5924f2f855bd6a3b65f48a5f5fe Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Tue, 7 Jun 2022 16:52:01 -0300 Subject: [PATCH 037/552] doc: documentation added and some improvements made. #2935 --- tests/end_to_end/test_docker_monitoring/conftest.py | 5 +++++ .../test_docker_monitoring/playbooks/configuration.yaml | 1 + .../playbooks/{generate_alerts.yaml => generate_events.yaml} | 3 ++- 3 files changed, 8 insertions(+), 1 deletion(-) rename tests/end_to_end/test_docker_monitoring/playbooks/{generate_alerts.yaml => generate_events.yaml} (93%) 
diff --git a/tests/end_to_end/test_docker_monitoring/conftest.py b/tests/end_to_end/test_docker_monitoring/conftest.py index 380cd85a3e..4a16ffe24f 100644 --- a/tests/end_to_end/test_docker_monitoring/conftest.py +++ b/tests/end_to_end/test_docker_monitoring/conftest.py @@ -13,6 +13,11 @@ @pytest.fixture(scope="function") def get_opensearch_credentials(): + """Get wazuh-dashboard username and password. + + Returns: + dict: wazuh-dashboard credentials. + """ user = '' password = '' diff --git a/tests/end_to_end/test_docker_monitoring/playbooks/configuration.yaml b/tests/end_to_end/test_docker_monitoring/playbooks/configuration.yaml index 64fe253f41..77d4ee0e88 100644 --- a/tests/end_to_end/test_docker_monitoring/playbooks/configuration.yaml +++ b/tests/end_to_end/test_docker_monitoring/playbooks/configuration.yaml @@ -2,6 +2,7 @@ - name: Test case configuration hosts: wazuh-manager tasks: + - name: Uninstall old versions of Docker (CentOS) become: True shell: > diff --git a/tests/end_to_end/test_docker_monitoring/playbooks/generate_alerts.yaml b/tests/end_to_end/test_docker_monitoring/playbooks/generate_events.yaml similarity index 93% rename from tests/end_to_end/test_docker_monitoring/playbooks/generate_alerts.yaml rename to tests/end_to_end/test_docker_monitoring/playbooks/generate_events.yaml index e3a790cb9d..e455a75c96 100644 --- a/tests/end_to_end/test_docker_monitoring/playbooks/generate_alerts.yaml +++ b/tests/end_to_end/test_docker_monitoring/playbooks/generate_events.yaml @@ -1,7 +1,8 @@ --- -- name: Generate alerts in the manager +- name: Generate events in the manager hosts: wazuh-manager tasks: + - name: Run 'docker pull nginx' become: True shell: docker pull nginx From aac87fce1f423ed7b94c8b8bb4ca14d0ca679047 Mon Sep 17 00:00:00 2001 
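Review bot: The docstring added to `get_opensearch_credentials` says it returns a `dict`, but the fixture yields a tuple — the function body ends with `yield user, password` (shown when this file is deleted later in the series) and `test_docker_monitoring` unpacks it as `user, password = get_opensearch_credentials`. Change the entry to `tuple[str, str]: (user, password) parsed from passwords.wazuh`. It is also worth saying in the docstring that the password is read from a plain-text file in the local temp directory, fetched there by the credentials playbook, so readers know the secret is on disk for the duration of the run.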
From: Julia Date: Wed, 25 May 2022 16:12:08 +0200 Subject: [PATCH 038/552] add: Create common library for events --- .../wazuh_testing/event_monitor.py | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 deps/wazuh_testing/wazuh_testing/event_monitor.py diff --git a/deps/wazuh_testing/wazuh_testing/event_monitor.py b/deps/wazuh_testing/wazuh_testing/event_monitor.py new file mode 100644 index 0000000000..5bc4a56839 --- /dev/null +++ b/deps/wazuh_testing/wazuh_testing/event_monitor.py 
@@ -0,0 +1,39 @@ +import re + +from wazuh_testing.tools.monitoring import FileMonitor + + +def make_callback(pattern, prefix=''): + """Create a callback function from a text pattern. + Args: + pattern (str): String to match on the log. + prefix (str): regular expression used as prefix before the pattern. + Returns: + lambda: function that returns if there's a match in the file + """ + pattern = r'\s+'.join(pattern.split()) + regex = re.compile(r'{}{}'.format(prefix, pattern)) + + return lambda line: regex.match(line) + + +def check_event(file_monitor=None, callback='', error_message=None, update_position=True, timeout=20, + accum_results=1, file_to_monitor=None): + """Check if an API event occurs + Args: + file_monitor (FileMonitor): FileMonitor object to monitor the file content. + callback (str): log regex to check in the file + error_message (str): error message to show in case of expected event does not occur + update_position (boolean): filter configuration parameter to search in the file + timeout (str): timeout to check the event in the file + prefix (str): log pattern regex + accum_results (int): Accumulation of matches. + """ + file_monitor = FileMonitor(file_to_monitor) if file_monitor is None else file_monitor + error_message = f"Could not find this event in {file_to_monitor}: {callback}" if error_message is None else \ + error_message + + result = file_monitor.start(timeout=timeout, update_position=update_position, accum_results=accum_results, + callback=make_callback(callback), error_message=error_message) + + return result From 2ac7fa57a00aeebf7a2845a7f0c9b648fd72f557 Mon Sep 17 00:00:00 2001 From: Julia Date: Fri, 3 Jun 2022 15:03:20 +0200 Subject: [PATCH 039/552] fix: Add specific version for `pytest-ansible-playbook` --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index a93c4d53a6..a486bae2cd 100644 --- a/requirements.txt +++ b/requirements.txt 
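Review bot: `check_event` defaults `callback=''`, and `make_callback('')` compiles an empty pattern that matches every line, so a caller that forgets the pattern gets a silent pass instead of an error — make `callback` a required parameter or raise `ValueError` when it is empty. The docstring also lists a `prefix` parameter that `check_event` does not accept and types `timeout` as `str`, although it is passed straight to `FileMonitor.start` and presumably expected to be a number. `make_callback` rewrites every whitespace run in the pattern to `\s+`, which changes the meaning of space-sensitive patterns; say so in its docstring (`# whitespace in pattern is normalised to \s+ before compiling`). The new module also lacks the GPLv2 header the other files in this series carry.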
@@ -45,4 +45,4 @@ wmi>=1.5.1; platform_system=='Windows' deepdiff==5.6.0; platform_system == "Linux" or platform_system=='Windows' libcst==0.3.23 ; python_version <= '3.6' treelib==1.6.1 -pytest-ansible-playbook +pytest-ansible-playbook==0.4.1 From 542af51ff8a2ddc1896631e135359089f98e35c3 Mon Sep 17 00:00:00 2001 From: Julia Date: Tue, 7 Jun 2022 16:51:19 +0200 Subject: [PATCH 040/552] fix: Install `pytest-ansible-playbook` in Linux --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index a486bae2cd..4e27a972bb 100644 --- a/requirements.txt +++ b/requirements.txt @@ -45,4 +45,4 @@ wmi>=1.5.1; platform_system=='Windows' deepdiff==5.6.0; platform_system == "Linux" or platform_system=='Windows' libcst==0.3.23 ; python_version <= '3.6' treelib==1.6.1 -pytest-ansible-playbook==0.4.1 +pytest-ansible-playbook==0.4.1; platform_system == "Linux" From 0242710672680aa242f0b427e239bd181d67721f Mon Sep 17 00:00:00 2001 From: Julia Date: Fri, 3 Jun 2022 12:52:13 +0200 Subject: [PATCH 041/552] fix: Move `conftest.py` and fixtures to run playbooks without marker and run extra playbooks after setup. (#2935) Author: Julia Date: Fri Jun 3 12:52:13 2022 +0200 Co-authored-by: mauromalara --- tests/end_to_end/conftest.py | 37 +++++++++++++++++++ .../test_docker_monitoring/conftest.py | 30 --------------- 2 files changed, 37 insertions(+), 30 deletions(-) delete mode 100644 tests/end_to_end/test_docker_monitoring/conftest.py diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 4d8b551005..7795f03a56 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py 
@@ -1,9 +1,46 @@ # Copyright (C) 2015-2022, Wazuh Inc. # Created by Wazuh, Inc. . # This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 +import os import pytest from pytest_ansible_playbook import runner +from wazuh_testing.tools.file import remove_file, get_file_lines + +alerts_json = os.path.join('/tmp', 'alerts.json') +credentials_file = os.path.join('/tmp', 'passwords.wazuh') + + +@pytest.fixture(scope='function') +def clean_environment(): + + yield + + remove_file(alerts_json) + remove_file(credentials_file) + + +@pytest.fixture(scope='function') +def get_dashboard_credentials(): + + password = '' + user = '' + + for line in get_file_lines(credentials_file): + if 'username: admin' in line: + user = 'admin' + + if 'password: ' in line and user == 'admin': + password_line = line + password = password_line.split()[1] + + if user != '' and password != '': + break + + dashboard_credentials = {'user': user, 'password': password} + + yield dashboard_credentials + @pytest.fixture(scope="module") def run_ansible_playbooks(request): diff --git a/tests/end_to_end/test_docker_monitoring/conftest.py b/tests/end_to_end/test_docker_monitoring/conftest.py deleted file mode 100644 index 4a16ffe24f..0000000000 --- a/tests/end_to_end/test_docker_monitoring/conftest.py +++ /dev/null 
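Review bot: `credentials_file` and `alerts_json` are fixed names under the shared `/tmp`, and `clean_environment` unlinks them after every test, so two runs on the same host (a parallel CI job, or pytest-xdist workers) can read or delete each other's dashboard password file, and any local user can read the fetched admin password while it sits there with default permissions. Prefer a per-session private directory, e.g. `tempfile.mkdtemp(prefix='wazuh-e2e-')` (created 0700), and hand that path to the playbooks' `fetch` dest, or at least `os.chmod(credentials_file, 0o600)` as soon as the file exists. `get_dashboard_credentials` also yields empty strings when no `username: admin` block is present; raising `ValueError('No credentials found')` there would fail the test at the cause instead of at the first indexer request.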
@@ -1,30 +0,0 @@ -# Copyright (C) 2015-2022, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 -import os -import pytest -from tempfile import gettempdir - -from wazuh_testing.tools import file - - -credentials_file = os.path.join(gettempdir(), 'passwords.wazuh') - - -@pytest.fixture(scope="function") -def get_opensearch_credentials(): - """Get wazuh-dashboard username and password. - - Returns: - dict: wazuh-dashboard credentials. - """ - user = '' - password = '' - - for line in file.get_file_lines(credentials_file): - if 'username: admin' in line: - user = 'admin' - if user != '' and password == '' and 'password: ' in line: - password = line.split()[1] - - yield user, password From bfb879e29dacff74e9d14a5d7b7025506fb42bdb Mon Sep 17 00:00:00 2001 From: Julia Date: Wed, 8 Jun 2022 12:20:09 +0200 Subject: [PATCH 042/552] fix: Refactor `get_dashboard_credentials()` --- tests/end_to_end/conftest.py | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index c3bec6df12..fb9c12eddf 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py 
@@ -28,20 +28,18 @@ def get_dashboard_credentials(): Returns: dict: wazuh-dashboard credentials. """ - password = '' - user = '' + passwords_list = [] + users_list = [] for line in get_file_lines(credentials_file): - if 'username: admin' in line: - user = 'admin' + if 'username:' in line: + user = line.split()[1] + users_list.append(user) - if 'password: ' in line and user == 'admin': - password_line = line - password = password_line.split()[1] + if 'password:' in line: + password = line.split()[1] + passwords_list.append(password) - if user != '' and password != '': - break - - dashboard_credentials = {'user': user, 'password': password} + dashboard_credentials = {'user': users_list[0], 'password': passwords_list[0]} yield dashboard_credentials From 961bd34627570ea8022816d8434548dfb5746a15 Mon Sep 17 00:00:00 2001 From: Julia Date: Wed, 8 Jun 2022 12:20:56 +0200 Subject: [PATCH 043/552] fix: Wait 5 seconds before checking the alert --- .../end_to_end/test_audit/data/playbooks/generate_events.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tests/end_to_end/test_audit/data/playbooks/generate_events.yaml b/tests/end_to_end/test_audit/data/playbooks/generate_events.yaml index d170d34307..7e0fc07a10 100644 --- a/tests/end_to_end/test_audit/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_audit/data/playbooks/generate_events.yaml @@ -9,6 +9,10 @@ - name: Ping google shell: ping -c 1 www.google.com + - name: Wait for alert to be generated + wait_for: + timeout: 5 + - name: Get alerts.json fetch: src: /var/ossec/logs/alerts/alerts.json From 545fa1cb601efbde03b36aa7121cc02807563cbd Mon Sep 17 00:00:00 2001 From: Julia Date: Wed, 8 Jun 2022 12:21:44 +0200 Subject: [PATCH 044/552] fix: Rename playbooks --- tests/end_to_end/test_audit/test_audit.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/test_audit/test_audit.py b/tests/end_to_end/test_audit/test_audit.py index 724c3806ab..cbbee631f9 100644 
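Review bot: The rewrite drops the explicit `username: admin` match and pairs `users_list[0]` with `passwords_list[0]` purely by position, so if the admin block is not the first entry in `passwords.wazuh`, or a password line precedes its username, the test silently authenticates as a different account; on an empty file it raises `IndexError`, which reads as a bug in the fixture rather than as a missing credentials fetch. Tracking the last seen user keeps the pairing honest: `if 'username:' in line: user = line.split()[1]` / `elif 'password:' in line: found[user] = line.split()[1]`, then select `found['admin']` and raise a clear `ValueError` when it is absent. The function header is outside this hunk.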
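Review bot: The new `wait_for: timeout: 5` is a fixed sleep rather than a wait on a condition, so on a slow manager the `Get alerts.json` fetch that follows can copy the file before the alert has been written and the test fails intermittently, while on a fast one it only adds five seconds per case. Polling the alert file is what `wait_for` is for: `path: /var/ossec/logs/alerts/alerts.json`, `search_regex: '"rule":'`, `timeout: 30` — and once the expected rule id is available as a variable, search for `'"id":"{{ rule_id }}"'` instead. The play header is outside this hunk.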
--- a/tests/end_to_end/test_audit/test_audit.py +++ b/tests/end_to_end/test_audit/test_audit.py @@ -16,7 +16,7 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -@pytest.mark.ansible_playbook_setup('credentials.yml', 'configuration.yml', 'generate_events.yml') +@pytest.mark.ansible_playbook_setup('credentials.yaml', 'configuration.yaml', 'generate_events.yaml') def test_audit(ansible_playbook, metadata, get_dashboard_credentials, clean_environment): level = metadata['level'] From 5b471e8873e6ebe9dd7ba537cf6ad2ebf101c70e Mon Sep 17 00:00:00 2001 From: Julia Date: Wed, 8 Jun 2022 12:27:59 +0200 Subject: [PATCH 045/552] fix: Change indentation --- .../wazuh_testing/end_to_end/__init__.py | 28 +++++++++---------- tests/end_to_end/test_audit/test_audit.py | 22 +++++++-------- 2 files changed, 25 insertions(+), 25 deletions(-) diff --git a/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py b/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py index a1ffd738c9..1085f996b2 100644 --- a/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py +++ b/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py @@ -37,19 +37,19 @@ def make_query(must_match): dict: Fully formed query. """ query = { - "query": { - "bool": { - "must": must_match - } - }, - "size": 1, - "sort": [ - { - "timestamp": { - "order": "desc" - } - } - ] - } + "query": { + "bool": { + "must": must_match + } + }, + "size": 1, + "sort": [ + { + "timestamp": { + "order": "desc" + } + } + ] + } return query diff --git a/tests/end_to_end/test_audit/test_audit.py b/tests/end_to_end/test_audit/test_audit.py index cbbee631f9..d4c79a56f3 100644 --- a/tests/end_to_end/test_audit/test_audit.py +++ b/tests/end_to_end/test_audit/test_audit.py 
@@ -30,17 +30,17 @@ def test_audit(ansible_playbook, metadata, get_dashboard_credentials, clean_envi r'"id"\:"{}".*euid={}.*a3={}.*\}}'.format(level, description, rule_id, euid, a3) query = make_query([ - { - "term": { - "rule.id": f"{rule_id}" - } - }, - { - "term": { - "data.audit.command": f"{data_audit_command}" - } - } - ]) + { + "term": { + "rule.id": f"{rule_id}" + } + }, + { + "term": { + "data.audit.command": f"{data_audit_command}" + } + } + ]) indexed_alert = get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) try: From 7bc06fbdcf93d91d4d02ea3fdebfcbb07933e52a Mon Sep 17 00:00:00 2001 From: Julia Date: Wed, 8 Jun 2022 13:13:17 +0200 Subject: [PATCH 046/552] fix: Create fixtures to avoid warnings and to be able to run playbooks with different scopes --- tests/end_to_end/conftest.py | 30 +++++++++++++++++++++++ tests/end_to_end/test_audit/test_audit.py | 5 ++-- 2 files changed, 33 insertions(+), 2 deletions(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index fb9c12eddf..74c6d3632a 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -4,6 +4,7 @@ import os import pytest from tempfile import gettempdir +from pytest_ansible_playbook import runner from wazuh_testing.tools.file import remove_file, get_file_lines 
@@ -43,3 +44,32 @@ def get_dashboard_credentials(): dashboard_credentials = {'user': users_list[0], 'password': passwords_list[0]} yield dashboard_credentials + + +@pytest.fixture(scope='module') +def configure_environment(request): + """Fixture to configure environment. + + Execute the configuration playbooks declared in the test to configure the environment. + + Args: + request (fixture): Provide information on the executing test function. + """ + configuration_playbooks = getattr(request.module, 'configuration_playbooks') + with runner(request, configuration_playbooks): + + yield + + +@pytest.fixture(scope='function') +def generate_events(request): + """Fixture to generate events. + + Execute the playbooks declared in the test to generate events. + Args: + request (fixture): Provide information on the executing test function. + """ + events_playbooks = getattr(request.module, 'events_playbooks') + with runner(request, events_playbooks): + + yield diff --git a/tests/end_to_end/test_audit/test_audit.py b/tests/end_to_end/test_audit/test_audit.py index d4c79a56f3..ae024fcb8c 100644 --- a/tests/end_to_end/test_audit/test_audit.py +++ b/tests/end_to_end/test_audit/test_audit.py 
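Review bot: Both new fixtures read `configuration_playbooks` / `events_playbooks` with `getattr(request.module, ...)` and no default, so a test module that forgets to declare one fails during setup with a bare `AttributeError` from inside conftest rather than a message naming the missing variable; use `getattr(request.module, 'configuration_playbooks', None)` and `pytest.fail(f'{request.module.__name__} must define configuration_playbooks')` when it is `None`. The same `runner(...)` context wrapping a bare `yield` is used at both scopes, so a docstring line stating that whatever `runner` does on exit happens once per module for `configure_environment` and once per test for `generate_events` would help readers — I cannot see `runner` from here, so word it as far as its behaviour is known. Also add the blank line before `Args:` in `generate_events` to match `configure_environment`'s docstring.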
@@ -10,14 +10,15 @@ alerts_json = os.path.join(gettempdir(), 'alerts.json') test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_audit.yml') +configuration_playbooks = ['configuration.yaml', 'credentials.yaml'] +events_playbooks = ['generate_events.yaml'] configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -@pytest.mark.ansible_playbook_setup('credentials.yaml', 'configuration.yaml', 'generate_events.yaml') -def test_audit(ansible_playbook, metadata, get_dashboard_credentials, clean_environment): +def test_audit(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_environment): level = metadata['level'] description = metadata['description'] From f20b375ebe25aa382a831077b41f67b9d75663d6 Mon Sep 17 00:00:00 2001 From: Julia Date: Wed, 8 Jun 2022 17:19:35 +0200 Subject: [PATCH 047/552] fix: Delete extra lines --- tests/end_to_end/conftest.py | 2 -- tests/end_to_end/test_audit/test_audit.py | 1 - 2 files changed, 3 deletions(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 74c6d3632a..66e02ea04a 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -57,7 +57,6 @@ def configure_environment(request): """ configuration_playbooks = getattr(request.module, 'configuration_playbooks') with runner(request, configuration_playbooks): - yield @@ -71,5 +70,4 @@ def generate_events(request): """ events_playbooks = getattr(request.module, 'events_playbooks') with runner(request, events_playbooks): - yield diff --git a/tests/end_to_end/test_audit/test_audit.py b/tests/end_to_end/test_audit/test_audit.py index ae024fcb8c..253b137226 100644 --- a/tests/end_to_end/test_audit/test_audit.py 
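Review bot: `test_audit` now takes five fixtures but still has no docstring, so a reader cannot tell from the signature that it runs a command on the manager, checks the resulting alert through the indexer API and falls back to `alerts.json`. Add a short Google-style docstring, e.g. `"""Check that the auditd event for the case's command is indexed with the expected rule id, level and description, falling back to alerts.json when it is not."""`, plus a `metadata (dict)` line listing the keys it reads (`level`, `description`, `rule.id`, ...). The ordering between `configure_environment` (module scope) and `get_dashboard_credentials`/`generate_events` (function scope) currently holds only because pytest instantiates higher-scoped fixtures first; if `get_dashboard_credentials` is ever promoted to module scope it will depend on argument order, so declaring `configure_environment` as a parameter of that fixture would make the dependency explicit. The body of the test continues outside the hunk.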
+++ b/tests/end_to_end/test_audit/test_audit.py @@ -19,7 +19,6 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) def test_audit(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_environment): - level = metadata['level'] description = metadata['description'] rule_id = metadata['rule.id'] From eca0f3f59e593941c1f3a44f9f1840fd0fd583cd Mon Sep 17 00:00:00 2001 From: Julia Date: Wed, 8 Jun 2022 17:22:21 +0200 Subject: [PATCH 048/552] fix: Change indentation --- tests/end_to_end/test_audit/data/playbooks/configuration.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/test_audit/data/playbooks/configuration.yaml b/tests/end_to_end/test_audit/data/playbooks/configuration.yaml index 69a6865458..1be76127a5 100644 --- a/tests/end_to_end/test_audit/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_audit/data/playbooks/configuration.yaml @@ -7,7 +7,7 @@ shell: echo $EUID register: euid - debug: - var: euid.stdout + var: euid.stdout - name: Create wazuh audit rules file become: True From 16a6558c7f6bdfe0a3c17b56dfa15b7fd8dd071b Mon Sep 17 00:00:00 2001 From: Julia Date: Wed, 8 Jun 2022 22:11:29 +0200 Subject: [PATCH 049/552] fix: Refactor `get_dashboard_credentials` --- tests/end_to_end/conftest.py | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 66e02ea04a..83a0b6130f 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py 
@@ -29,19 +29,17 @@ def get_dashboard_credentials(): Returns: dict: wazuh-dashboard credentials. """ - passwords_list = [] - users_list = [] + password_index = None - for line in get_file_lines(credentials_file): - if 'username:' in line: + for index, line in enumerate(get_file_lines(credentials_file)): + if 'username: admin' in line: user = line.split()[1] - users_list.append(user) - - if 'password:' in line: + user_index = index + password_index = user_index + 1 + if index == password_index: password = line.split()[1] - passwords_list.append(password) - dashboard_credentials = {'user': users_list[0], 'password': passwords_list[0]} + dashboard_credentials = {'user': user, 'password': password} yield dashboard_credentials From 25516af6bef92ee8ea45954c2c983447d1962d1b Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Wed, 8 Jun 2022 20:17:05 -0300 Subject: [PATCH 050/552] fix: Use gettempdir() Co-authored-by: mauromalara --- tests/end_to_end/conftest.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 7795f03a56..ee79cf05ea 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -3,12 +3,14 @@ # This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 import os import pytest +from tempfile import gettempdir from pytest_ansible_playbook import runner from wazuh_testing.tools.file import remove_file, get_file_lines -alerts_json = os.path.join('/tmp', 'alerts.json') -credentials_file = os.path.join('/tmp', 'passwords.wazuh') + +alerts_json = os.path.join(gettempdir(), 'alerts.json') +credentials_file = os.path.join(gettempdir(), 'passwords.wazuh') @pytest.fixture(scope='function') From 91ad1a826e92d7c0e54997803596af15e04c43d1 Mon Sep 17 00:00:00 2001 
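Review bot: `user` and `password` are assigned only inside the loop, so a `passwords.wazuh` with no `username: admin` line, or one whose password is not on the very next line (which `password_index = user_index + 1` assumes), raises `UnboundLocalError` at the `dashboard_credentials = {...}` line instead of saying that credentials are missing. Initialise `user = password = None` before the loop and afterwards `if user is None or password is None: raise ValueError('admin credentials not found in passwords.wazuh')`. `line.split()[1]` also raises `IndexError` on a `password:` key with an empty value, so guard the split length as well. The function header is outside this hunk.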
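Review bot: Switching `credentials_file` and `alerts_json` to `gettempdir()` makes the Python side honour `TMPDIR`, but the playbooks that produce those files still fetch to a literal `/tmp/` (`dest: /tmp/` in the credentials and generate_events playbooks of this series), so on any runner where `TMPDIR` is set the fixture looks for `passwords.wazuh` in a directory the playbook never wrote to and fails with a missing-file error. Either keep both sides literal or pass the directory from the fixture to the playbook as an extra var (`extravars={'fetch_dir': gettempdir()}`) and use `dest: "{{ fetch_dir }}/"`. `gettempdir()` is still a shared, world-readable directory, so the fetched admin password should additionally get a private location or `0600` mode.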
From: Belen Valdivia Date: Wed, 8 Jun 2022 20:45:11 -0300 Subject: [PATCH 051/552] refactor brute force test using common libraries --- tests/e2e/test_brute_force/data/config.yml | 16 ---- .../e2e/test_brute_force/test_brute_force.py | 79 ------------------- .../data/playbooks/credentials.yaml | 18 +++++ .../data/playbooks/generate_events.yaml} | 16 +++- .../data/test_cases/cases_brute_force.yaml | 10 +++ .../test_brute_force/test_brute_force.py | 61 ++++++++++++++ 6 files changed, 104 insertions(+), 96 deletions(-) delete mode 100644 tests/e2e/test_brute_force/data/config.yml delete mode 100644 tests/e2e/test_brute_force/test_brute_force.py create mode 100644 tests/end_to_end/test_brute_force/data/playbooks/credentials.yaml rename tests/{e2e/test_brute_force/playbooks/generate_events.yml => end_to_end/test_brute_force/data/playbooks/generate_events.yaml} (63%) create mode 100644 tests/end_to_end/test_brute_force/data/test_cases/cases_brute_force.yaml create mode 100644 tests/end_to_end/test_brute_force/test_brute_force.py diff --git a/tests/e2e/test_brute_force/data/config.yml b/tests/e2e/test_brute_force/data/config.yml deleted file mode 100644 index 08fa4a2003..0000000000 --- a/tests/e2e/test_brute_force/data/config.yml +++ /dev/null @@ -1,16 +0,0 @@ ---- -wazuh-agent-linux: - - ip: "192.168.0.6" - - hostname: "centos-agent" - - rule_id: "5712" - -wazuh-agent-windows: - - ip: "192.168.0.7" - - hostname: "windows" - - rule_id: "60204" - -wazuh-manager-indexer: -- ip: "192.168.0.5" -- hostname: "centos-manager-kibana" -- username_indexer: "wazuh" -- password_ indexer: "Y6f1YvUNAH1DpxjRg162WKO6yfV496W1" diff --git a/tests/e2e/test_brute_force/test_brute_force.py b/tests/e2e/test_brute_force/test_brute_force.py deleted file mode 100644 index 3f1eb7c4e8..0000000000 --- a/tests/e2e/test_brute_force/test_brute_force.py +++ /dev/null 
@@ -1,79 +0,0 @@ -''' -copyright: Copyright (C) 2015-2021, Wazuh Inc. - Created by Wazuh, Inc. . - This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 -type: e2e -brief: Wazuh includes a registration process that provides the user with an automated mechanism to enroll agents with - minimal configuration steps. To register an agent using the enrollment method, a manager with a valid IP needs - to be configured first. The agent then checks for the registration key in the client.keys file, and when the file - is empty, it automatically requests the key from the configured manager the agent is reporting to. - -''' - -import os -import pytest -from opensearchpy import OpenSearch -import yaml - - -@pytest.fixture -def configurations(): - yaml_file_path = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'data/config.yml') - with open(yaml_file_path) as stream: - configurations = yaml.safe_load(stream) - return configurations - - -@pytest.mark.ansible_playbook_setup('generate_events.yml') -def test_brute_force(configurations, ansible_playbook): - """ - Test to detect a SSH Brute Force attack - """ - agent_hostname = configurations['wazuh-agent-linux'][1]['hostname'] - rule_id = configurations['wazuh-agent-linux'][2]['rule_id'] - indexer_ip = configurations['wazuh-manager-indexer'][0]['ip'] - indexer_user = configurations['wazuh-manager-indexer'][2]['username_indexer'] - indexer_password = configurations['wazuh-manager-indexer'][3]['password_ indexer'] - - open_search_alerts = _get_opensearch_alert(indexer_ip, rule_id, indexer_user, indexer_password) - _asserts(open_search_alerts, agent_hostname) - - -def _get_opensearch_alert(indexer_ip, rule_id, username, password): - """ - Get alert generated in opensearch - """ - auth = (username, password) - host = indexer_ip - port = '9200' - index_name = 'wazuh-alerts-4.x-*' - rule_id = rule_id - query = '{"query": {"bool": {"must": []}}, "size": 1, "sort": [{"timestamp": {"order": 
"desc"}}]}' - - client = OpenSearch( - hosts= [{'host': host, 'port': port}], - http_auth = auth, - use_ssl = True, - verify_certs = False, - timeout = 30, - max_retries = 10, - retry_on_timeout = True - ) - - response = client.search( - body = query, - index= index_name - ) - - return response - - -def _asserts(response, agent_hostname): - agent = response['hits']['hits'][0]['_source']['agent']['name'] - description = response['hits']['hits'][0]['_source']['rule']['description'] - rule_id = response['hits']['hits'][0]['_source']['rule']['id'] - mitre_technique = response['hits']['hits'][0]['_source']['rule']['mitre']['technique'][0] - assert description == 'sshd: brute force trying to get access to the system.', 'Invalid description' - assert rule_id == '5712', 'Invalid rule id' - assert mitre_technique == 'Brute Force', 'Invalid mitre technique' - assert agent == agent_hostname, 'Invalid agent' diff --git a/tests/end_to_end/test_brute_force/data/playbooks/credentials.yaml b/tests/end_to_end/test_brute_force/data/playbooks/credentials.yaml new file mode 100644 index 0000000000..26903b78ba --- /dev/null +++ b/tests/end_to_end/test_brute_force/data/playbooks/credentials.yaml @@ -0,0 +1,18 @@ +--- +- name: Get credentials + hosts: wazuh-manager + tasks: + + - name: Unzip wazuh install files + unarchive: + src: /home/vagrant/wazuh-install-files.tar + dest: /home/vagrant + remote_src: yes + become: True + + - name: Get passwords file + fetch: + src: /home/vagrant/wazuh-install-files/passwords.wazuh + dest: /tmp/ + flat: yes + become: True diff --git a/tests/e2e/test_brute_force/playbooks/generate_events.yml b/tests/end_to_end/test_brute_force/data/playbooks/generate_events.yaml similarity index 63% rename from tests/e2e/test_brute_force/playbooks/generate_events.yml rename to tests/end_to_end/test_brute_force/data/playbooks/generate_events.yaml index 0c761d630e..3137fd6f91 100644 --- a/tests/e2e/test_brute_force/playbooks/generate_events.yml 
+++ b/tests/end_to_end/test_brute_force/data/playbooks/generate_events.yaml @@ -3,6 +3,7 @@ hosts: localhost ignore_errors: True tasks: + - name: ssh connection expect: command: ssh {{item}}@wazuh-agent @@ -18,6 +19,19 @@ - test_user - test_user - test_user - - name: wait for alert + + - name: Wait for alert pause: seconds: 5 + + - name: Get logs + hosts: wazuh-manager + ignore_errors: True + tasks: + + - name: Get alerts.json + fetch: + src: /var/ossec/logs/alerts/alerts.json + dest: /tmp/ + flat: yes + become: True diff --git a/tests/end_to_end/test_brute_force/data/test_cases/cases_brute_force.yaml b/tests/end_to_end/test_brute_force/data/test_cases/cases_brute_force.yaml new file mode 100644 index 0000000000..dcfdf0d902 --- /dev/null +++ b/tests/end_to_end/test_brute_force/data/test_cases/cases_brute_force.yaml @@ -0,0 +1,10 @@ +--- +- name: ssh_brute_force + description: Execute brute force attacks using SSH and check generated alerts + configuration_parameters: null + metadata: + rule: + id: 5712 + level: 10 + description: "sshd: brute force trying to get access to the system. Non existent user." + mitre_technique: "Brute Force" diff --git a/tests/end_to_end/test_brute_force/test_brute_force.py b/tests/end_to_end/test_brute_force/test_brute_force.py new file mode 100644 index 0000000000..9ae833e6a2 --- /dev/null +++ b/tests/end_to_end/test_brute_force/test_brute_force.py 
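Review bot: In the second hunk the `Get logs` block appears to be indented as an item of the first play's `tasks:` list (it sits at the same level as the `Wait for alert` task), yet it carries `hosts:` and its own `tasks:`, which are play keywords, so Ansible will reject it as an unknown task attribute; it should be a second top-level play at column 0, `- name: Get logs` / `  hosts: wazuh-manager` / `  tasks:`. I am inferring the indentation from the collapsed diff, so please check the file. `ignore_errors: True` at play level on a play whose only job is the `fetch` also means a missing or unreadable `alerts.json` is silently ignored and only surfaces later as `check_event` timing out; drop it there so the fetch failure is reported at its source.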
@@ -0,0 +1,61 @@ +''' +copyright: Copyright (C) 2015-2022, Wazuh Inc. + Created by Wazuh, Inc. . + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 +type: e2e +brief: Wazuh includes a registration process that provides the user with an automated mechanism to enroll agents with + minimal configuration steps. To register an agent using the enrollment method, a manager with a valid IP needs + to be configured first. The agent then checks for the registration key in the client.keys file, and when the file + is empty, it automatically requests the key from the configured manager the agent is reporting to. + +''' + +import os +import pytest +from tempfile import gettempdir + +from wazuh_testing.tools import configuration as config +from wazuh_testing.end_to_end import get_alert_indexer_api, make_query +from wazuh_testing.event_monitor import check_event + + +alerts_json = os.path.join(gettempdir(), 'alerts.json') +test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') +test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_brute_force.yaml') +configuration_playbooks = ['credentials.yaml'] +events_playbooks = ['generate_events.yaml'] + +configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) + + +@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') +@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) +def test_brute_force(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_environment): + """ + Test to detect a SSH Brute Force attack + """ + rule_id = metadata['rule']['id'] + rule_level = metadata['rule']['level'] + rule_description = metadata['rule']['description'] + rule_mitre_technique = metadata['rule']['mitre_technique'] + + expected_alert = r'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{},"description"\:"{}",'\ + 
r'"id"\:"{}".*\}}'.format(rule_level, rule_description, rule_id) + + query = make_query([ + { + "term": { + "rule.id": f"{rule_id}" + } + } + ]) + indexed_alert = get_alert_indexer_api(query=query, credentials=get_dashboard_credentials).json() + + try: + assert indexed_alert['hits']['hits'][0]['_source']['rule']['id'] == str(rule_id), 'Invalid rule id' + assert indexed_alert['hits']['hits'][0]['_source']['rule']['level'] == rule_level, 'Invalid rule level' + assert indexed_alert['hits']['hits'][0]['_source']['rule']['description'] == rule_description, 'Invalid description' + assert indexed_alert['hits']['hits'][0]['_source']['rule']['mitre']['technique'][0] == rule_mitre_technique, 'Invalid mitre technique' + except AssertionError: + check_event(callback=expected_alert, file_to_monitor=alerts_json, error_message='The alert has not occurred') + raise AssertionError('The alert has occurred, but has not been indexed.') From 6a29d34cd4d9c2cf9e124f34f2519604f0698c1b Mon Sep 17 00:00:00 2001 From: Julia Date: Thu, 9 Jun 2022 14:32:36 +0200 Subject: [PATCH 052/552] fix: Use `ansible-runner` instead of `pytest-ansible-playbook` --- requirements.txt | 1 - tests/end_to_end/conftest.py | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 4e27a972bb..919553663c 100644 --- a/requirements.txt +++ b/requirements.txt @@ -45,4 +45,3 @@ wmi>=1.5.1; platform_system=='Windows' deepdiff==5.6.0; platform_system == "Linux" or platform_system=='Windows' libcst==0.3.23 ; python_version <= '3.6' treelib==1.6.1 -pytest-ansible-playbook==0.4.1; platform_system == "Linux" diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 83a0b6130f..e14be6fd1b 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -5,6 +5,7 @@ import pytest from tempfile import gettempdir from pytest_ansible_playbook import runner +import ansible_runner from wazuh_testing.tools.file import remove_file, get_file_lines 
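Review bot: The fallback to `alerts.json` only runs on `AssertionError`, but when the indexer returns no hit for `rule.id` the first statement inside the `try`, `indexed_alert['hits']['hits'][0]`, raises `IndexError`, so the most likely failure mode — the alert never reached the indexer — skips the `check_event` diagnosis entirely and surfaces as an opaque traceback. Guard it with `hits = indexed_alert['hits']['hits']` / `assert hits, f'No alert indexed for rule {rule_id}'` before the field assertions, or catch `(AssertionError, IndexError) as err` and re-raise `from err` so the original detail is kept. The query is also unbounded in time and sorted newest-first, so an alert left over from an earlier run satisfies the assertions even if this run produced none; adding a timestamp `range` term (or the agent name) to `make_query` would make the test exercise the events it just generated. `rule_description` is interpolated unescaped into the `expected_alert` regex, so wrap it in `re.escape(...)`. The module docstring's `brief:` still describes agent enrollment, copied from another test, and should describe the SSH brute-force scenario instead.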
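Review bot: This commit imports `ansible_runner` in conftest.py while the accompanying requirements.txt change only deletes `pytest-ansible-playbook`, so nothing declares the new dependency and a fresh environment built from requirements.txt fails at import time; add a pinned `ansible-runner==<version>` line (the file pins everything else exactly) and, since it will drive playbooks against live hosts, consider a hash-pinned constraint as well. The now-redundant `from pytest_ansible_playbook import runner` is still present here, so the package just removed from requirements.txt must still be installed for this revision to import at all.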
From f96c13cbf5dc195fb83264c87ae1adbd80e0d81c Mon Sep 17 00:00:00 2001 From: Julia Date: Thu, 9 Jun 2022 14:37:13 +0200 Subject: [PATCH 053/552] fix: Change fixture scope --- tests/end_to_end/conftest.py | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index e14be6fd1b..2b33657535 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -2,10 +2,9 @@ # Created by Wazuh, Inc. . # This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 import os +import ansible_runner import pytest from tempfile import gettempdir -from pytest_ansible_playbook import runner -import ansible_runner from wazuh_testing.tools.file import remove_file, get_file_lines @@ -23,7 +22,7 @@ def clean_environment(): remove_file(credentials_file) -@pytest.fixture(scope='function') +@pytest.fixture(scope='module') def get_dashboard_credentials(): """Get wazuh-dashboard username and password. From 8506b66fa1acff7a424035b82fcacfe1097524b6 Mon Sep 17 00:00:00 2001 From: Julia Date: Thu, 9 Jun 2022 14:37:41 +0200 Subject: [PATCH 054/552] fix: Create fixtures to run playbooks and be able to pass `extra_vars` to them --- tests/end_to_end/conftest.py | 49 ++++++++++++++++--- .../data/playbooks/generate_events.yaml | 4 +- .../data/test_cases/cases_audit.yml | 3 ++ 3 files changed, 46 insertions(+), 10 deletions(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 2b33657535..0462593e51 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -45,7 +45,7 @@ def get_dashboard_credentials(): @pytest.fixture(scope='module') -def configure_environment(request): +def configure_environment(request, pytestconfig): """Fixture to configure environment. Execute the configuration playbooks declared in the test to configure the environment. 
@@ -53,19 +53,52 @@ def configure_environment(request): Args: request (fixture): Provide information on the executing test function. """ - configuration_playbooks = getattr(request.module, 'configuration_playbooks') - with runner(request, configuration_playbooks): - yield + metadata = getattr(request.module, 'configuration_metadata') + inventory_playbook = pytestconfig.getoption('--inventory_path') + + if not inventory_playbook: + raise ValueError('No specified inventory') + + for playbook in getattr(request.module, 'configuration_playbooks'): + configuration_playbook_path = os.path.join(getattr(request.module, 'test_data_path'), 'playbooks', playbook) + + for test_case in metadata: + if 'extra_vars' in test_case: + ansible_runner.run(playbook=configuration_playbook_path, inventory=inventory_playbook, + extravars=test_case['extra_vars']) + else: + ansible_runner.run(playbook=configuration_playbook_path, inventory=inventory_playbook) @pytest.fixture(scope='function') -def generate_events(request): +def generate_events(request, metadata, pytestconfig): """Fixture to generate events. Execute the playbooks declared in the test to generate events. Args: request (fixture): Provide information on the executing test function. 
""" - events_playbooks = getattr(request.module, 'events_playbooks') - with runner(request, events_playbooks): - yield + inventory_playbook = pytestconfig.getoption('--inventory_path') + + if not inventory_playbook: + raise ValueError('No specified inventory') + + for playbook in getattr(request.module, 'events_playbooks'): + generate_events_playbook_path = os.path.join(getattr(request.module, 'test_data_path'), 'playbooks', playbook) + + if 'extra_vars' in metadata: + ansible_runner.run(playbook=generate_events_playbook_path, inventory=inventory_playbook, + extravars=metadata['extra_vars']) + else: + ansible_runner.run(playbook=generate_events_playbook_path, inventory=inventory_playbook) + + +def pytest_addoption(parser): + parser.addoption( + '--inventory_path', + action='store', + metavar='INVENTORY_PATH', + default=None, + type=str, + help='Inventory path', + ) diff --git a/tests/end_to_end/test_audit/data/playbooks/generate_events.yaml b/tests/end_to_end/test_audit/data/playbooks/generate_events.yaml index 7e0fc07a10..e692cd879b 100644 --- a/tests/end_to_end/test_audit/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_audit/data/playbooks/generate_events.yaml @@ -6,8 +6,8 @@ shell: echo "" > /var/ossec/logs/alerts/alerts.json become: True - - name: Ping google - shell: ping -c 1 www.google.com + - name: "{{ event_description }}" + shell: "{{ command }}" - name: Wait for alert to be generated wait_for: diff --git a/tests/end_to_end/test_audit/data/test_cases/cases_audit.yml b/tests/end_to_end/test_audit/data/test_cases/cases_audit.yml index cf2cf756be..a7779abc85 100644 --- a/tests/end_to_end/test_audit/data/test_cases/cases_audit.yml +++ b/tests/end_to_end/test_audit/data/test_cases/cases_audit.yml 
@@ -2,6 +2,9 @@ description: Ping www.google.com and check generated alerts configuration_parameters: null metadata: + extra_vars: + event_description: Ping google + command: ping -c 1 www.google.com rule.id: 80792 level: 3 description: "Audit\\: Command\\: \\/usr\\/bin\\/ping." From 3feb8591baaf69b3919a0c3b27dbf021e0b2a052 Mon Sep 17 00:00:00 2001 From: Julia Date: Thu, 9 Jun 2022 14:39:41 +0200 Subject: [PATCH 055/552] Revert "fix: Refactor `get_dashboard_credentials`" This reverts commit 16a6558c7f6bdfe0a3c17b56dfa15b7fd8dd071b. --- tests/end_to_end/conftest.py | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 0462593e51..41d7098910 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -29,17 +29,19 @@ def get_dashboard_credentials(): Returns: dict: wazuh-dashboard credentials. """ - password_index = None + passwords_list = [] + users_list = [] - for index, line in enumerate(get_file_lines(credentials_file)): - if 'username: admin' in line: + for line in get_file_lines(credentials_file): + if 'username:' in line: user = line.split()[1] - user_index = index - password_index = user_index + 1 - if index == password_index: + users_list.append(user) + + if 'password:' in line: password = line.split()[1] + passwords_list.append(password) - dashboard_credentials = {'user': user, 'password': password} + dashboard_credentials = {'user': users_list[0], 'password': passwords_list[0]} yield dashboard_credentials From 68cc1916f9e47843a9d4a4058159db0a143a5805 Mon Sep 17 00:00:00 2001 From: Julia Date: Thu, 9 Jun 2022 14:42:27 +0200 Subject: [PATCH 056/552] fix: Check if credentials were found --- tests/end_to_end/conftest.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 41d7098910..c7d7d0e2bc 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py 
@@ -41,6 +41,9 @@ def get_dashboard_credentials(): password = line.split()[1] passwords_list.append(password) + if len(users_list) == 0 or len(passwords_list) == 0: + raise ValueError('No credentials found') + dashboard_credentials = {'user': users_list[0], 'password': passwords_list[0]} yield dashboard_credentials From b8d192d66f0a6fc4e652920db73f6cb035c96ddf Mon Sep 17 00:00:00 2001 From: Julia Date: Thu, 9 Jun 2022 16:46:12 +0200 Subject: [PATCH 057/552] fix: Refactor setup fixtures --- tests/end_to_end/conftest.py | 34 ++++++++++++++-------------------- 1 file changed, 14 insertions(+), 20 deletions(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index c7d7d0e2bc..53236194a1 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -50,7 +50,7 @@ def get_dashboard_credentials(): @pytest.fixture(scope='module') -def configure_environment(request, pytestconfig): +def configure_environment(request): """Fixture to configure environment. Execute the configuration playbooks declared in the test to configure the environment. 
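Review bot: The new guard only rejects the all-empty case; when parsing produces, say, two usernames and one password, `users_list[0]` and `passwords_list[0]` are still paired without complaint, so a length comparison would catch the partial-parse case this check misses, e.g. `if not users_list or len(users_list) != len(passwords_list):` followed by `raise ValueError('No credentials found or users/passwords do not match')`. Idiomatic Python prefers `if not users_list or not passwords_list:` over `len(...) == 0` in any case. get_dashboard_credentials' signature is above this hunk.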
@@ -58,44 +58,38 @@ def configure_environment(request, pytestconfig): Args: request (fixture): Provide information on the executing test function. """ - metadata = getattr(request.module, 'configuration_metadata') - inventory_playbook = pytestconfig.getoption('--inventory_path') + inventory_playbook = request.config.getoption('--inventory_path') if not inventory_playbook: - raise ValueError('No specified inventory') + raise ValueError('Inventory not specified') for playbook in getattr(request.module, 'configuration_playbooks'): configuration_playbook_path = os.path.join(getattr(request.module, 'test_data_path'), 'playbooks', playbook) - - for test_case in metadata: - if 'extra_vars' in test_case: - ansible_runner.run(playbook=configuration_playbook_path, inventory=inventory_playbook, - extravars=test_case['extra_vars']) - else: - ansible_runner.run(playbook=configuration_playbook_path, inventory=inventory_playbook) + ansible_runner.run(playbook=configuration_playbook_path, inventory=inventory_playbook) @pytest.fixture(scope='function') -def generate_events(request, metadata, pytestconfig): +def generate_events(request, metadata): """Fixture to generate events. Execute the playbooks declared in the test to generate events. Args: request (fixture): Provide information on the executing test function. + metadata (dict): Dictionary with test case metadata. 
""" - inventory_playbook = pytestconfig.getoption('--inventory_path') + inventory_playbook = request.config.getoption('--inventory_path') if not inventory_playbook: - raise ValueError('No specified inventory') + raise ValueError('Inventory not specified') for playbook in getattr(request.module, 'events_playbooks'): - generate_events_playbook_path = os.path.join(getattr(request.module, 'test_data_path'), 'playbooks', playbook) + events_playbook_path = os.path.join(getattr(request.module, 'test_data_path'), 'playbooks', playbook) + + parameters = {'playbook': events_playbook_path, 'inventory': inventory_playbook} + if 'extra_vars' in metadata: + parameters.update({'extravars': metadata['extra_vars']}) - if 'extra_vars' in metadata: - ansible_runner.run(playbook=generate_events_playbook_path, inventory=inventory_playbook, - extravars=metadata['extra_vars']) - else: - ansible_runner.run(playbook=generate_events_playbook_path, inventory=inventory_playbook) + ansible_runner.run(**parameters) def pytest_addoption(parser): From d59a1e9239b5c912b8385c3401fee4e0837e4110 Mon Sep 17 00:00:00 2001 From: Julia Date: Thu, 9 Jun 2022 17:30:01 +0200 Subject: [PATCH 058/552] fix: Add some comments --- tests/end_to_end/conftest.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 53236194a1..4529d49a3e 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -63,6 +63,7 @@ def configure_environment(request): if not inventory_playbook: raise ValueError('Inventory not specified') + # For each configuration playbook previously declared in the test, get the complete path and run it for playbook in getattr(request.module, 'configuration_playbooks'): configuration_playbook_path = os.path.join(getattr(request.module, 'test_data_path'), 'playbooks', playbook) ansible_runner.run(playbook=configuration_playbook_path, inventory=inventory_playbook) 
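Review bot: The return value of `ansible_runner.run(...)` is discarded in both configure_environment and generate_events, so a playbook that fails (unreachable host, failed task, syntax error) does not fail the fixture and the test proceeds against an unconfigured environment, turning a provisioning problem into a misleading assertion about alerts. `ansible_runner.run()` returns a Runner whose `rc` and `status` report the outcome; keep it and check it, e.g. `result = ansible_runner.run(**parameters)` then `if result.rc != 0: raise RuntimeError(f"Playbook {events_playbook_path} failed with status {result.status}")`, and the same two lines in the configuration loop. configure_environment's signature is in the preceding hunk.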
@@ -82,10 +83,12 @@ def generate_events(request, metadata): if not inventory_playbook: raise ValueError('Inventory not specified') + # For each event generation playbook previously declared in the test, obtain the complete path and execute it. for playbook in getattr(request.module, 'events_playbooks'): events_playbook_path = os.path.join(getattr(request.module, 'test_data_path'), 'playbooks', playbook) parameters = {'playbook': events_playbook_path, 'inventory': inventory_playbook} + # Check if the test case has extra variables to pass to the playbook and add them to the parameters in that case if 'extra_vars' in metadata: parameters.update({'extravars': metadata['extra_vars']}) From e01c3b66b38ace9bbcfbb9672fff53b9485ae99f Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Thu, 9 Jun 2022 12:42:07 -0300 Subject: [PATCH 059/552] add: a check to verify if the alert is in the log file was added. #2935 --- tests/end_to_end/conftest.py | 6 +++++- .../playbooks/generate_events.yaml | 15 +++++++++++++++ .../test_docker_monitoring.py | 15 +++++++++++---- 3 files changed, 31 insertions(+), 5 deletions(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index ee79cf05ea..fb07127540 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -15,7 +15,7 @@ @pytest.fixture(scope='function') def clean_environment(): - + """Delete alerts and credentials files from the temporary folder.""" yield remove_file(alerts_json) @@ -24,7 +24,11 @@ def clean_environment(): @pytest.fixture(scope='function') def get_dashboard_credentials(): + """Get wazuh-dashboard username and password. + Returns: + dict: wazuh-dashboard credentials. + """ password = '' user = '' diff --git a/tests/end_to_end/test_docker_monitoring/playbooks/generate_events.yaml b/tests/end_to_end/test_docker_monitoring/playbooks/generate_events.yaml index e455a75c96..e284fca2d3 100644 --- a/tests/end_to_end/test_docker_monitoring/playbooks/generate_events.yaml 
+++ b/tests/end_to_end/test_docker_monitoring/playbooks/generate_events.yaml @@ -3,6 +3,10 @@ hosts: wazuh-manager tasks: + - name: Truncate alerts file + shell: echo "" > /var/ossec/logs/alerts/alerts.json + become: True + - name: Run 'docker pull nginx' become: True shell: docker pull nginx @@ -18,3 +22,14 @@ - name: Run 'docker stop `docker ps -a -q` && docker rm `docker ps -a -q`' become: True shell: docker stop `docker ps -a -q` && docker rm `docker ps -a -q` + + - name: Wait for alerts to be generated + wait_for: + timeout: 5 + + - name: Get alerts.json + fetch: + src: /var/ossec/logs/alerts/alerts.json + dest: /tmp/ + flat: yes + become: True diff --git a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py index 46bc83bc5c..693e818522 100644 --- a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py +++ b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py @@ -3,18 +3,21 @@ import re import pytest import requests +from tempfile import gettempdir from requests.auth import HTTPBasicAuth +from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config # Test cases data TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases') test_cases_file_path = os.path.join(TEST_CASES_PATH, 'cases_test_docker_monitoring.json') +alerts_json = os.path.join(gettempdir(), 'alerts.json') # Playbooks playbooks = { - 'setup_playbooks': ['configuration.yaml', 'generate_alerts.yaml'], + 'setup_playbooks': ['configuration.yaml', 'generate_events.yaml'], 'teardown_playbooks': [], 'skip_teardown': True } 
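Review bot: `wait_for: timeout: 5` is an unconditional five-second sleep rather than a wait for the alert, so on a slow manager the following fetch copies an alerts.json that does not yet contain the event and the test fails for timing reasons; waiting on the file itself, e.g. `wait_for: path: /var/ossec/logs/alerts/alerts.json search_regex: nginx timeout: 30`, makes the step deterministic and usually faster. The fetch also writes to the fixed shared path `/tmp/alerts.json` with `flat: yes`, so two runs on the same control host overwrite each other's copy; templating `dest` from a per-run variable passed by the test would isolate them. The brute-force playbook later in this series uses the same fixed path.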
@@ -43,10 +46,14 @@ def get_alerts_from_opensearch_api(user, password, query): @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -def test_docker_monitoring(run_ansible_playbooks, metadata, get_opensearch_credentials): - user, password = get_opensearch_credentials +def test_docker_monitoring(run_ansible_playbooks, metadata, get_dashboard_credentials): + user, password = [get_dashboard_credentials['user'], get_dashboard_credentials['password']] opensearch_result = get_alerts_from_opensearch_api(user, password, metadata['opensearch_query']) match = re.search(metadata['regex'], opensearch_result) - assert match is not None, 'The expected alerts were not indexed.' + try: + assert match is not None + except AssertionError: + evm.check_event(callback=metadata['regex'], file_to_monitor=alerts_json, error_message='The alert was not triggered.') + raise AssertionError('The alert was triggered but not indexed.') From d5b5277d0ef31051dc869dc26edc2f70f6971c97 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Thu, 9 Jun 2022 17:06:17 -0300 Subject: [PATCH 060/552] Deleted ignore_error in get logs yaml --- .../data/playbooks/credentials.yaml | 30 +++++++++---------- .../data/playbooks/generate_events.yaml | 1 - 2 files changed, 15 insertions(+), 16 deletions(-) diff --git a/tests/end_to_end/test_brute_force/data/playbooks/credentials.yaml b/tests/end_to_end/test_brute_force/data/playbooks/credentials.yaml index 26903b78ba..eecb72d130 100644 --- a/tests/end_to_end/test_brute_force/data/playbooks/credentials.yaml +++ b/tests/end_to_end/test_brute_force/data/playbooks/credentials.yaml 
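Review bot: `raise AssertionError('The alert was triggered but not indexed.')` inside the `except AssertionError:` block should be `raise AssertionError(...) from None` (or bind the original with `as exc` and use `from exc`) so the traceback states the intended relationship instead of the implicit "During handling of the above exception" chaining. The `@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning')` marker implies the indexer request in get_alerts_from_opensearch_api (above this hunk) runs with certificate verification disabled; passing the indexer root CA as `verify=` would keep TLS verification on in the test and let the warning filter go. `user, password = [get_dashboard_credentials['user'], get_dashboard_credentials['password']]` builds a throwaway list; two direct lookups or a tuple unpack read better.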
@@ -1,18 +1,18 @@ --- -- name: Get credentials - hosts: wazuh-manager - tasks: + - name: Get credentials + hosts: wazuh-manager + tasks: - - name: Unzip wazuh install files - unarchive: - src: /home/vagrant/wazuh-install-files.tar - dest: /home/vagrant - remote_src: yes - become: True + - name: Unzip wazuh install files + unarchive: + src: /home/vagrant/wazuh-install-files.tar + dest: /home/vagrant + remote_src: yes + become: True - - name: Get passwords file - fetch: - src: /home/vagrant/wazuh-install-files/passwords.wazuh - dest: /tmp/ - flat: yes - become: True + - name: Get passwords file + fetch: + src: /home/vagrant/wazuh-install-files/passwords.wazuh + dest: /tmp/ + flat: yes + become: True diff --git a/tests/end_to_end/test_brute_force/data/playbooks/generate_events.yaml b/tests/end_to_end/test_brute_force/data/playbooks/generate_events.yaml index 3137fd6f91..35b4d15a4e 100644 --- a/tests/end_to_end/test_brute_force/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_brute_force/data/playbooks/generate_events.yaml @@ -26,7 +26,6 @@ - name: Get logs hosts: wazuh-manager - ignore_errors: True tasks: - name: Get alerts.json From cb9c70198d8f2eac62031d37cd68227b77bb8e13 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Thu, 9 Jun 2022 17:19:25 -0300 Subject: [PATCH 061/552] del: pytest-ansible-playbook library deleted. #2935 --- requirements.txt | 1 - 1 file changed, 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 4e27a972bb..919553663c 100644 --- a/requirements.txt +++ b/requirements.txt @@ -45,4 +45,3 @@ wmi>=1.5.1; platform_system=='Windows' deepdiff==5.6.0; platform_system == "Linux" or platform_system=='Windows' libcst==0.3.23 ; python_version <= '3.6' treelib==1.6.1 -pytest-ansible-playbook==0.4.1; platform_system == "Linux" From 3bd3c993e4e1af78409c465e21a8220d36abf000 Mon Sep 17 00:00:00 2001 
From: Mauro Malara Date: Thu, 9 Jun 2022 17:24:32 -0300 Subject: [PATCH 062/552] style: some style stuff fixed. #2935 --- deps/wazuh_testing/wazuh_testing/tools/configuration.py | 3 +++ .../data/test_cases/cases_test_docker_monitoring.yaml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/deps/wazuh_testing/wazuh_testing/tools/configuration.py b/deps/wazuh_testing/wazuh_testing/tools/configuration.py index f606082f86..79166ce962 100644 --- a/deps/wazuh_testing/wazuh_testing/tools/configuration.py +++ b/deps/wazuh_testing/wazuh_testing/tools/configuration.py @@ -698,9 +698,12 @@ def load_configuration_template(data_file_path, configuration_parameters=[], con def get_test_cases_data(data_file_path): """Load a test case template file and get its data. + Template example file: tests/integration/vulnerability_detector/test_providers/data/test_cases/test_enabled.yaml + Args: data_file_path (str): Test case template file path. + Returns: (list(dict), list(dict), list(str)): Configurations, metadata and test case names. """ diff --git a/tests/end_to_end/test_docker_monitoring/data/test_cases/cases_test_docker_monitoring.yaml b/tests/end_to_end/test_docker_monitoring/data/test_cases/cases_test_docker_monitoring.yaml index 18a22348ea..f4c8a52098 100644 --- a/tests/end_to_end/test_docker_monitoring/data/test_cases/cases_test_docker_monitoring.yaml +++ b/tests/end_to_end/test_docker_monitoring/data/test_cases/cases_test_docker_monitoring.yaml @@ -11,6 +11,7 @@ extra_vars: event_description: Run 'docker pull nginx' command: docker pull nginx + - name: docker_run description: Test if an alert is generated when using the `pull` command. configuration_parameters: null @@ -23,6 +24,7 @@ extra_vars: event_description: Run 'docker run -d -P --name nginx_container nginx' command: docker run -d -P --name nginx_container nginx + - name: docker_exec description: Test if an alert is generated when using the `exec` command. configuration_parameters: null 
@@ -35,6 +37,7 @@ extra_vars: event_description: Run 'docker exec -d nginx_container /bin/bash' command: docker exec -d nginx_container /bin/bash + - name: docker_stop_rm description: Test if an alert is generated when using the `exec` command. configuration_parameters: null From 6c90c9832483155e4779faef52207aae39415810 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Rebollo=20P=C3=A9rez?= Date: Fri, 10 Jun 2022 13:39:00 +0100 Subject: [PATCH 063/552] feat: include wazuh_environment playbook --- .../wazuh_environment.yaml | 65 +++++++++++++++++++ 1 file changed, 65 insertions(+) create mode 100644 provisioning/wazuh_ansible_playbooks/wazuh_environment.yaml diff --git a/provisioning/wazuh_ansible_playbooks/wazuh_environment.yaml b/provisioning/wazuh_ansible_playbooks/wazuh_environment.yaml new file mode 100644 index 0000000000..23cf18bb74 --- /dev/null +++ b/provisioning/wazuh_ansible_playbooks/wazuh_environment.yaml 
@@ -0,0 +1,65 @@ +--- +# Certificates generation + - hosts: wi1 + roles: + - role: ../../roles/wazuh/wazuh-indexer + indexer_network_host: "{{ private_ip }}" + perform_installation: false + become: true + vars: + indexer_node_master: true + tags: + - generate-certs + +# Wazuh indexer cluster + - hosts: wi_cluster + strategy: free + roles: + - role: ../../roles/wazuh/wazuh-indexer + indexer_network_host: "{{ private_ip }}" + become: true + become_user: root + vars: + indexer_node_master: true + + + - hosts: manager + roles: + - role: "../../roles/wazuh/ansible-wazuh-manager" + become: true + become_user: root + + - hosts: filebeat + roles: + - role: "../../roles/wazuh/ansible-filebeat-oss" + become: true + become_user: root + +# Indexer + dashboard node + - hosts: dashboard + roles: + - role: "../../roles/wazuh/wazuh-indexer" + - role: "../../roles/wazuh/wazuh-dashboard" + become: true + become_user: root + vars: + indexer_network_host: "{{ hostvars.dashboard.private_ip }}" + indexer_node_master: false + indexer_node_ingest: false + indexer_node_data: false + indexer_cluster_nodes: "{{ indexer_discovery_nodes }}" + ansible_shell_allow_world_readable_temp: true + wazuh_api_credentials: + - id: default + url: https://{{ hostvars.master.private_ip }} + port: 55000 + username: wazuh + password: wazuh + + # Agent + - hosts: agent + strategy: free + become: yes + become_user: root + roles: + - ../../roles/wazuh/ansible-wazuh-agent From de272050ca3415a878861a8ee0461883c3936f17 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Fri, 10 Jun 2022 10:08:01 -0300 Subject: [PATCH 064/552] fix: some YAML syntax and spelling stuff fixed. #2935 --- .../data/playbooks/generate_events.yaml | 4 ++-- .../data/test_cases/cases_test_docker_monitoring.yaml | 4 ++-- .../test_docker_monitoring/test_docker_monitoring.py | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) 
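Review bot: `wazuh_api_credentials` carries a literal `username: wazuh` / `password: wazuh` pair in a committed provisioning playbook, and the same vars block sets `ansible_shell_allow_world_readable_temp: true`, which lets Ansible fall back to module temp files readable by every local user on the dashboard host; both weaken the environment the end-to-end tests then exercise. Move the password to a vault-encrypted or inventory variable (`password: "{{ wazuh_api_password }}"`) so every test environment does not ship the default, and add a comment explaining why the world-readable-temp fallback is needed here (typically `become_user` on a host without the `acl` package), or install `acl` in the role instead. The plays are also indented under `---` and mix `become: true` with `become: yes`; the other playbooks in this tree start plays at column 0, so aligning keeps yamllint quiet.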
diff --git a/tests/end_to_end/test_docker_monitoring/data/playbooks/generate_events.yaml b/tests/end_to_end/test_docker_monitoring/data/playbooks/generate_events.yaml index 29a39f0aae..40d2a237c9 100644 --- a/tests/end_to_end/test_docker_monitoring/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_docker_monitoring/data/playbooks/generate_events.yaml @@ -7,9 +7,9 @@ shell: echo "" > /var/ossec/logs/alerts/alerts.json become: True - - name: {{ event_description }} + - name: "{{ event_description }}" become: True - shell: {{ command }} + shell: "{{ command }}" - name: Wait for alerts to be generated wait_for: diff --git a/tests/end_to_end/test_docker_monitoring/data/test_cases/cases_test_docker_monitoring.yaml b/tests/end_to_end/test_docker_monitoring/data/test_cases/cases_test_docker_monitoring.yaml index f4c8a52098..1f1bba3db7 100644 --- a/tests/end_to_end/test_docker_monitoring/data/test_cases/cases_test_docker_monitoring.yaml +++ b/tests/end_to_end/test_docker_monitoring/data/test_cases/cases_test_docker_monitoring.yaml @@ -13,7 +13,7 @@ command: docker pull nginx - name: docker_run - description: Test if an alert is generated when using the `pull` command. + description: Test if an alert is generated when using the `run` command. configuration_parameters: null metadata: rule.id: '87903' @@ -39,7 +39,7 @@ command: docker exec -d nginx_container /bin/bash - name: docker_stop_rm - description: Test if an alert is generated when using the `exec` command. + description: Test if an alert is generated when using the `stop` and `rm` commands. configuration_parameters: null metadata: rule.id: '87902' diff --git a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py index 2b66f11474..e4178a0b9e 100644 --- a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py +++ b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py 
@@ -1,8 +1,8 @@ import json import os import re -from tempfile import gettempdir import pytest +from tempfile import gettempdir from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm From c5b9d5ea7398b50d5cd1cc4b8f0a8d5eeae34119 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Fri, 10 Jun 2022 11:32:09 -0300 Subject: [PATCH 065/552] refact: changes requested in the review --- .../data/playbooks/credentials.yaml | 31 +++++---- .../data/playbooks/generate_events.yaml | 63 +++++++++---------- .../data/test_cases/cases_brute_force.yaml | 2 +- .../test_brute_force/test_brute_force.py | 33 +++++----- 4 files changed, 61 insertions(+), 68 deletions(-) diff --git a/tests/end_to_end/test_brute_force/data/playbooks/credentials.yaml b/tests/end_to_end/test_brute_force/data/playbooks/credentials.yaml index eecb72d130..d93f760cc7 100644 --- a/tests/end_to_end/test_brute_force/data/playbooks/credentials.yaml +++ b/tests/end_to_end/test_brute_force/data/playbooks/credentials.yaml @@ -1,18 +1,17 @@ ---- - - name: Get credentials - hosts: wazuh-manager - tasks: +- name: Get credentials + hosts: wazuh-manager + tasks: - - name: Unzip wazuh install files - unarchive: - src: /home/vagrant/wazuh-install-files.tar - dest: /home/vagrant - remote_src: yes - become: True + - name: Unzip wazuh install files + unarchive: + src: /home/vagrant/wazuh-install-files.tar + dest: /home/vagrant + remote_src: yes + become: True - - name: Get passwords file - fetch: - src: /home/vagrant/wazuh-install-files/passwords.wazuh - dest: /tmp/ - flat: yes - become: True + - name: Get passwords file + fetch: + src: /home/vagrant/wazuh-install-files/passwords.wazuh + dest: /tmp/ + flat: yes + become: True diff --git a/tests/end_to_end/test_brute_force/data/playbooks/generate_events.yaml b/tests/end_to_end/test_brute_force/data/playbooks/generate_events.yaml index 35b4d15a4e..2208c813d3 100644 --- a/tests/end_to_end/test_brute_force/data/playbooks/generate_events.yaml 
+++ b/tests/end_to_end/test_brute_force/data/playbooks/generate_events.yaml @@ -1,36 +1,35 @@ ---- - - name: Generate events - hosts: localhost - ignore_errors: True - tasks: +- name: Generate events + hosts: localhost + tasks: - - name: ssh connection - expect: - command: ssh {{item}}@wazuh-agent - timeout: 5 - responses: - "Password": "1" - loop: - - test_user - - test_user - - test_user - - test_user - - test_user - - test_user - - test_user - - test_user + - name: ssh connection + expect: + command: ssh {{item}}@wazuh-agent + timeout: 5 + responses: + Password: 1 + loop: + - test_user + - test_user + - test_user + - test_user + - test_user + - test_user + - test_user + - test_user + ignore_errors: True - - name: Wait for alert - pause: - seconds: 5 + - name: Wait for alert + pause: + seconds: 5 - - name: Get logs - hosts: wazuh-manager - tasks: +- name: Get logs + hosts: all + tasks: - - name: Get alerts.json - fetch: - src: /var/ossec/logs/alerts/alerts.json - dest: /tmp/ - flat: yes - become: True + - name: Get alerts.json + fetch: + src: /var/ossec/logs/alerts/alerts.json + dest: /tmp/ + flat: yes + become: True diff --git a/tests/end_to_end/test_brute_force/data/test_cases/cases_brute_force.yaml b/tests/end_to_end/test_brute_force/data/test_cases/cases_brute_force.yaml index dcfdf0d902..2e1e8ae656 100644 --- a/tests/end_to_end/test_brute_force/data/test_cases/cases_brute_force.yaml +++ b/tests/end_to_end/test_brute_force/data/test_cases/cases_brute_force.yaml @@ -1,4 +1,3 @@ ---- - name: ssh_brute_force description: Execute brute force attacks using SSH and check generated alerts configuration_parameters: null @@ -7,4 +6,5 @@ id: 5712 level: 10 description: "sshd: brute force trying to get access to the system. Non existent user." + extra: mitre_technique: "Brute Force" diff --git a/tests/end_to_end/test_brute_force/test_brute_force.py b/tests/end_to_end/test_brute_force/test_brute_force.py index 9ae833e6a2..25242d83df 100644 
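Review bot: `hosts: all` on the "Get logs" play combined with `fetch ... flat: yes` makes every host in the inventory write to the same `/tmp/alerts.json`, so with more than one host the file the test reads is whichever fetch ran last, and on hosts without a manager the fetch itself fails; `hosts: wazuh-manager`, as the removed line had, targets the one host that owns alerts.json. The `expect` task only answers the `Password` prompt, so a first connection to `wazuh-agent` that stops at host-key confirmation sits until the 5-second timeout without ever sending a password and the failed logins the test depends on are never generated; pre-seeding the known_hosts entry in the configuration playbook would make the events deterministic instead of hiding the problem behind `ignore_errors: True`. `responses: Password: 1` unquoted makes the value a YAML integer, which the module stringifies, but quoting it states the intent.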
--- a/tests/end_to_end/test_brute_force/test_brute_force.py +++ b/tests/end_to_end/test_brute_force/test_brute_force.py @@ -1,30 +1,21 @@ -''' -copyright: Copyright (C) 2015-2022, Wazuh Inc. - Created by Wazuh, Inc. . - This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 -type: e2e -brief: Wazuh includes a registration process that provides the user with an automated mechanism to enroll agents with - minimal configuration steps. To register an agent using the enrollment method, a manager with a valid IP needs - to be configured first. The agent then checks for the registration key in the client.keys file, and when the file - is empty, it automatically requests the key from the configured manager the agent is reporting to. - -''' - import os import pytest from tempfile import gettempdir from wazuh_testing.tools import configuration as config -from wazuh_testing.end_to_end import get_alert_indexer_api, make_query -from wazuh_testing.event_monitor import check_event - +from wazuh_testing import end_to_end as e2e +from wazuh_testing import event_monitor as evm +# Test cases data alerts_json = os.path.join(gettempdir(), 'alerts.json') test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_brute_force.yaml') + +# Playbooks configuration_playbooks = ['credentials.yaml'] events_playbooks = ['generate_events.yaml'] +# Configuration configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) 
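Review bot: The deleted module docstring carried the copyright/GPLv2 notice as well as the mismatched `brief` (it described agent enrollment rather than brute-force detection); dropping the whole header also drops the license notice that other test modules in this repository keep, so the better fix is to keep the docstring and correct the `brief` and `type` fields to describe this test. `alerts_json` resolves to the same `gettempdir()/alerts.json` the docker-monitoring test uses, so the two modules overwrite each other's file when run in one session; a module-specific filename would isolate them. The new section comments are a clear improvement.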
@@ -37,25 +28,29 @@ def test_brute_force(configure_environment, metadata, get_dashboard_credentials, rule_id = metadata['rule']['id'] rule_level = metadata['rule']['level'] rule_description = metadata['rule']['description'] - rule_mitre_technique = metadata['rule']['mitre_technique'] + rule_mitre_technique = metadata['extra']['mitre_technique'] expected_alert = r'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{},"description"\:"{}",'\ r'"id"\:"{}".*\}}'.format(rule_level, rule_description, rule_id) - query = make_query([ + query = e2e.make_query([ { "term": { "rule.id": f"{rule_id}" } } ]) - indexed_alert = get_alert_indexer_api(query=query, credentials=get_dashboard_credentials).json() + indexed_alert = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials).json() try: + # Check that indexed alert has the correct rule id assert indexed_alert['hits']['hits'][0]['_source']['rule']['id'] == str(rule_id), 'Invalid rule id' + # Check that indexed alert has the correct rule level assert indexed_alert['hits']['hits'][0]['_source']['rule']['level'] == rule_level, 'Invalid rule level' + # Check that indexed alert has the correct rule description assert indexed_alert['hits']['hits'][0]['_source']['rule']['description'] == rule_description, 'Invalid description' + # Check that indexed alert has the correct mitre technique assert indexed_alert['hits']['hits'][0]['_source']['rule']['mitre']['technique'][0] == rule_mitre_technique, 'Invalid mitre technique' except AssertionError: - check_event(callback=expected_alert, file_to_monitor=alerts_json, error_message='The alert has not occurred') + evm.check_event(callback=expected_alert, file_to_monitor=alerts_json, error_message='The alert has not occurred') raise AssertionError('The alert has occurred, but has not been indexed.') From 90dc4b343fee368d4543d98c3faa455c1d35a624 Mon Sep 17 00:00:00 2001 
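Review bot: The `except AssertionError:` fallback never runs when the indexer returns no hits, because `indexed_alert['hits']['hits'][0]` raises IndexError (and a malformed response raises KeyError) before any assert executes, so the "alert not triggered" diagnostic from `evm.check_event` is skipped in exactly the most common failure; add `assert indexed_alert['hits']['hits'], f'No indexed alert for rule id {rule_id}'` before indexing, or widen the except to `(AssertionError, IndexError, KeyError)`. The final `raise AssertionError('The alert has occurred, but has not been indexed.')` should carry `from None` or `from exc` to make the chaining explicit, and the repeated `indexed_alert['hits']['hits'][0]['_source']['rule']` lookup could be bound once to a local. test_brute_force's signature is above this hunk.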
From: Mauro Malara Date: Fri, 10 Jun 2022 15:24:14 -0300 Subject: [PATCH 066/552] fix: generation of events fixed. #2935 --- .../cases_test_docker_monitoring.yaml | 18 +++++++++--------- .../test_docker_monitoring.py | 2 +- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/tests/end_to_end/test_docker_monitoring/data/test_cases/cases_test_docker_monitoring.yaml b/tests/end_to_end/test_docker_monitoring/data/test_cases/cases_test_docker_monitoring.yaml index 1f1bba3db7..ce6d5d6470 100644 --- a/tests/end_to_end/test_docker_monitoring/data/test_cases/cases_test_docker_monitoring.yaml +++ b/tests/end_to_end/test_docker_monitoring/data/test_cases/cases_test_docker_monitoring.yaml @@ -8,9 +8,9 @@ extra: data.docker.Action: pull regex: '.+"docker":.+"Action": "(pull)".+"Attributes":.+"(nginx)".+"description": "(Docker: Image or repository nginx pulled)".+' - extra_vars: - event_description: Run 'docker pull nginx' - command: docker pull nginx + extra_vars: + event_description: Run 'docker pull nginx' + command: docker pull nginx - name: docker_run description: Test if an alert is generated when using the `run` command. @@ -21,9 +21,9 @@ extra: data.docker.Action: start regex: '.+"docker":.+"Action": "(start)".+"image": "(nginx)".+"description": "(Docker: Container nginx_container started)".+' - extra_vars: - event_description: Run 'docker run -d -P --name nginx_container nginx' - command: docker run -d -P --name nginx_container nginx + extra_vars: + event_description: Run 'docker run -d -P --name nginx_container nginx' + command: docker run -d -P --name nginx_container nginx - name: docker_exec description: Test if an alert is generated when using the `exec` command. 
@@ -34,9 +34,9 @@ extra: data.docker.Action: 'exec_start: /bin/bash ' regex: '.+"docker":.+"Action": "(exec_start: /bin/bash )".+"image": "(nginx)".+"description": "(Docker: Started shell session in container nginx_container)".+' - extra_vars: - event_description: Run 'docker exec -d nginx_container /bin/bash' - command: docker exec -d nginx_container /bin/bash + extra_vars: + event_description: Run 'docker exec -d nginx_container /bin/bash' + command: docker exec -d nginx_container /bin/bash - name: docker_stop_rm description: Test if an alert is generated when using the `stop` and `rm` commands. diff --git a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py index e4178a0b9e..d02cdee01d 100644 --- a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py +++ b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py @@ -24,7 +24,7 @@ @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -def test_docker_monitoring(configure_environment, metadata, get_dashboard_credentials): +def test_docker_monitoring(configure_environment, metadata, get_dashboard_credentials, generate_events): rule_description = metadata['rule.description'] rule_id = metadata['rule.id'] docker_action = metadata['extra']['data.docker.Action'] From cae4ed1cbaa6c88728cf63cd973388a556dedd1e Mon Sep 17 00:00:00 2001 
From: Belen Valdivia Date: Mon, 13 Jun 2022 17:54:52 -0300 Subject: [PATCH 067/552] add: configuration yaml, cases_netcat yaml and generate events yaml --- .../data/playbooks/configuration.yaml | 59 +++++++++++++++++++ .../data/playbooks/credentials.yaml | 17 ++++++ .../playbooks/generate_events.yaml} | 4 ++ .../data/test_cases/cases_netcat.yaml | 8 +++ 4 files changed, 88 insertions(+) create mode 100644 tests/end_to_end/test_netcat/data/playbooks/configuration.yaml create mode 100644 tests/end_to_end/test_netcat/data/playbooks/credentials.yaml rename tests/end_to_end/test_netcat/{playbooks/generate_events.yml => data/playbooks/generate_events.yaml} (70%) create mode 100644 tests/end_to_end/test_netcat/data/test_cases/cases_netcat.yaml diff --git a/tests/end_to_end/test_netcat/data/playbooks/configuration.yaml b/tests/end_to_end/test_netcat/data/playbooks/configuration.yaml new file mode 100644 index 0000000000..5febba5689 --- /dev/null +++ b/tests/end_to_end/test_netcat/data/playbooks/configuration.yaml 
@@ -0,0 +1,59 @@ +- name: Test agent configuration + hosts: wazuh-agent + tasks: + + - name: Install netcat (CentOS) + become: True + shell: yum install -y nmap-ncat + when: ansible_facts['distribution'] == "CentOS" + + - name: Install netcat (Ubuntu) + become: True + shell: > + apt-get install netcat + apt-get -y install nmap + when: ansible_facts['distribution'] == "Ubuntu" + +- name: Test manager configuration + hosts: wazuh-manager + tasks: + + - name: Configure manager to periodically get a list of running processes + become: True + blockinfile: + path: /var/ossec/etc/ossec.conf + insertbefore: "" + block: | + + full_command + process list + ps -e -o pid,uname,command + 30 + + marker: "" + + - name: Configure local rules + become: True + blockinfile: + path: /var/ossec/etc/rules/local_rules.xml + insertafter: "" + block: | + + + 530 + ^ossec: output: 'process list' + List of running processes. + process_monitor, + + + 100050 + nc -l + Netcat listening for incoming connections. + process_monitor, + + + marker: "" + + - name: Restart wazuh-manager + become: True + shell: systemctl restart wazuh-manager \ No newline at end of file diff --git a/tests/end_to_end/test_netcat/data/playbooks/credentials.yaml b/tests/end_to_end/test_netcat/data/playbooks/credentials.yaml new file mode 100644 index 0000000000..0673ea9814 --- /dev/null +++ b/tests/end_to_end/test_netcat/data/playbooks/credentials.yaml @@ -0,0 +1,17 @@ +- name: Get credentials + hosts: wazuh-manager + tasks: + + - name: Unzip wazuh install files + unarchive: + src: /home/vagrant/wazuh-install-files.tar + dest: /home/vagrant + remote_src: yes + become: True + + - name: Get passwords file + fetch: + src: /home/vagrant/wazuh-install-files/passwords.wazuh + dest: /tmp/ + flat: yes + become: True \ No newline at end of file 
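Review bot: The Ubuntu install task uses a folded block (`shell: >`), which joins its two lines into the single command `apt-get install netcat apt-get -y install nmap`, so apt is asked to install packages named `apt-get` and `install` and the task fails; use a literal block (`shell: |`) with one command per line and `-y` on both, or better the `apt:` and `yum:` modules with a `name:` list, which are idempotent and need no shell. `shell: systemctl restart wazuh-manager` likewise has a direct equivalent in the `systemd:` module (`name: wazuh-manager`, `state: restarted`). The `marker`/`insertbefore` values and the XML tags of the command and rule blocks appear to have been stripped in this rendering, so their correctness cannot be judged here; the file also lacks a trailing newline.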
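Review bot: This playbook duplicates `tests/end_to_end/test_brute_force/data/playbooks/credentials.yaml` line for line; a shared copy under a common directory would avoid drift between the two (the conftest builds playbook paths from the module's `test_data_path`, so that needs a small fixture change). Fetching `passwords.wazuh` to the shared `/tmp/` with `flat: yes` places the plaintext credentials file in a world-accessible directory on the control node under a fixed name, with whatever permissions the default umask gives it; a per-run directory plus a `file:` task setting `mode: '0600'` on the fetched copy limits exposure for the duration of the test, even though clean_environment removes it afterwards. The file also lacks a trailing newline.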
diff --git a/tests/end_to_end/test_netcat/playbooks/generate_events.yml b/tests/end_to_end/test_netcat/data/playbooks/generate_events.yaml similarity index 70% rename from tests/end_to_end/test_netcat/playbooks/generate_events.yml rename to tests/end_to_end/test_netcat/data/playbooks/generate_events.yaml index 7f20fe5bd2..248f38645c 100644 --- a/tests/end_to_end/test_netcat/playbooks/generate_events.yml +++ b/tests/end_to_end/test_netcat/data/playbooks/generate_events.yaml @@ -6,3 +6,7 @@ - name: netcat command: nc -l 8000 timeout: 30 + + - name: Wait for alert + pause: + seconds: 5 diff --git a/tests/end_to_end/test_netcat/data/test_cases/cases_netcat.yaml b/tests/end_to_end/test_netcat/data/test_cases/cases_netcat.yaml new file mode 100644 index 0000000000..ee850813a7 --- /dev/null +++ b/tests/end_to_end/test_netcat/data/test_cases/cases_netcat.yaml @@ -0,0 +1,8 @@ +- name: Netcat + description: Detecting unauthorized processes + configuration_parameters: null + metadata: + rule: + id: 100051 + level: 7 + description: "Netcat listening for incoming connections." From e991fa8ea8cdc99b17d9fd3521fbacbeddab3fdc Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Mon, 13 Jun 2022 18:48:11 -0300 Subject: [PATCH 068/552] refac: assert refactor and new regex added. #2935 --- .../cases_test_docker_monitoring.yaml | 4 ---- .../test_docker_monitoring.py | 18 +++++++++++------- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/tests/end_to_end/test_docker_monitoring/data/test_cases/cases_test_docker_monitoring.yaml b/tests/end_to_end/test_docker_monitoring/data/test_cases/cases_test_docker_monitoring.yaml index ce6d5d6470..4d924cec10 100644 --- a/tests/end_to_end/test_docker_monitoring/data/test_cases/cases_test_docker_monitoring.yaml +++ b/tests/end_to_end/test_docker_monitoring/data/test_cases/cases_test_docker_monitoring.yaml 
@@ -7,7 +7,6 @@ rule.description: 'Docker: Image or repository nginx pulled' extra: data.docker.Action: pull - regex: '.+"docker":.+"Action": "(pull)".+"Attributes":.+"(nginx)".+"description": "(Docker: Image or repository nginx pulled)".+' extra_vars: event_description: Run 'docker pull nginx' command: docker pull nginx @@ -20,7 +19,6 @@ rule.description: 'Docker: Container nginx_container started' extra: data.docker.Action: start - regex: '.+"docker":.+"Action": "(start)".+"image": "(nginx)".+"description": "(Docker: Container nginx_container started)".+' extra_vars: event_description: Run 'docker run -d -P --name nginx_container nginx' command: docker run -d -P --name nginx_container nginx @@ -33,7 +31,6 @@ rule.description: 'Docker: Started shell session in container nginx_container' extra: data.docker.Action: 'exec_start: /bin/bash ' - regex: '.+"docker":.+"Action": "(exec_start: /bin/bash )".+"image": "(nginx)".+"description": "(Docker: Started shell session in container nginx_container)".+' extra_vars: event_description: Run 'docker exec -d nginx_container /bin/bash' command: docker exec -d nginx_container /bin/bash @@ -46,7 +43,6 @@ rule.description: 'Docker: Container nginx_container destroyed' extra: data.docker.Action: destroy - regex: '.+"docker":.+"Action": "(destroy)".+"image": "(nginx)".+"description": "(Docker: Container nginx_container destroyed)".+' extra_vars: event_description: Run 'docker stop `docker ps -a -q` && docker rm `docker ps -a -q`' command: docker stop `docker ps -a -q` && docker rm `docker ps -a -q` diff --git a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py index d02cdee01d..68726fce26 100644 --- a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py +++ b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py 
@@ -24,11 +24,15 @@ @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -def test_docker_monitoring(configure_environment, metadata, get_dashboard_credentials, generate_events): +def test_docker_monitoring(configure_environment, metadata, get_dashboard_credentials, generate_events, + clean_environment): rule_description = metadata['rule.description'] rule_id = metadata['rule.id'] docker_action = metadata['extra']['data.docker.Action'] - alert_regex = metadata['extra']['regex'] + expected_api_alert = f".+\"Action\": \"({docker_action})\".+\"description\": \"({rule_description})\".+\"id\": " \ + f"\"({rule_id})\"" + expected_log_alert = f".+\"description\":\"({rule_description})\".+\"id\":\"({rule_id})\"" \ + f".+\"Action\":\"({docker_action})\"" query = e2e.make_query([ { @@ -48,14 +52,14 @@ def test_docker_monitoring(configure_environment, metadata, get_dashboard_creden } ]) response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) - assert response.status_code == 200, 'The response is not the expected. ' \ + assert response.status_code == 200, f"The response is not the expected. Actual response {response.text}" indexed_alert = json.dumps(response.json()) - match = re.search(alert_regex, indexed_alert) try: - assert match is not None + match = re.search(expected_api_alert, indexed_alert) + assert match is not None, 'The alert was triggered but not indexed.' except AssertionError as exc: err_msg = 'The alert was not triggered.' - evm.check_event(callback=alert_regex, file_to_monitor=alerts_json, error_message=err_msg) - raise AssertionError('The alert was triggered but not indexed.') from exc + evm.check_event(callback=expected_log_alert, file_to_monitor=alerts_json, error_message=err_msg) + raise AssertionError(exc.args[0]) From a8e4f4842ecdc86e3e0e3a3ccae0d248bdc23592 Mon Sep 17 00:00:00 2001 
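Review bot: `expected_api_alert` and `expected_log_alert` splice `docker_action` and `rule_description` straight into a regular expression, so any metadata value containing a regex metacharacter silently changes the pattern (a description ending in `.` matches any character, a `(` changes the group numbering that `match.group` relies on); wrapping each value with `re.escape(...)`, e.g. `f".+\"Action\": \"({re.escape(docker_action)})\""`, keeps the comparison literal. The two patterns presumably differ only in the `": "` spacing that `json.dumps` adds to the indexer response versus the compact JSON in alerts.json; that deserves a comment such as `# alerts.json is compact JSON; the indexer response is re-serialised by json.dumps with spaces`. In the second hunk `raise AssertionError(exc.args[0])` drops the explicit `from exc`; the implicit context is still attached, but the old form stated the intent. test_docker_monitoring continues outside both hunks.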
From: Julia Date: Tue, 14 Jun 2022 10:49:24 +0200 Subject: [PATCH 069/552] fix: Get credentials through inventory --- tests/end_to_end/conftest.py | 22 +++++-------------- .../data/playbooks/credentials.yaml | 18 --------------- tests/end_to_end/test_audit/test_audit.py | 2 +- 3 files changed, 6 insertions(+), 36 deletions(-) delete mode 100644 tests/end_to_end/test_audit/data/playbooks/credentials.yaml diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 4529d49a3e..06ac43dbba 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -23,29 +23,17 @@ def clean_environment(): @pytest.fixture(scope='module') -def get_dashboard_credentials(): +def get_dashboard_credentials(request): """Get wazuh-dashboard username and password. Returns: dict: wazuh-dashboard credentials. """ - passwords_list = [] - users_list = [] - - for line in get_file_lines(credentials_file): - if 'username:' in line: - user = line.split()[1] - users_list.append(user) - - if 'password:' in line: - password = line.split()[1] - passwords_list.append(password) - - if len(users_list) == 0 or len(passwords_list) == 0: - raise ValueError('No credentials found') - - dashboard_credentials = {'user': users_list[0], 'password': passwords_list[0]} + inventory_playbook = [request.config.getoption('--inventory_path')] + inventory = ansible_runner.get_inventory(action='host', inventories=inventory_playbook, response_format='json', + host='wazuh-manager') + dashboard_credentials = {'user': inventory[0]['dashboard_user'], 'password': inventory[0]['dashboard_password']} yield dashboard_credentials diff --git a/tests/end_to_end/test_audit/data/playbooks/credentials.yaml b/tests/end_to_end/test_audit/data/playbooks/credentials.yaml deleted file mode 100644 index 26903b78ba..0000000000 --- a/tests/end_to_end/test_audit/data/playbooks/credentials.yaml +++ /dev/null 
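Review bot: `inventory[0]['dashboard_user']` and `inventory[0]['dashboard_password']` raise a bare `KeyError` when the `wazuh-manager` host has no such vars, which is now the most likely failure mode; a guard such as `if 'dashboard_user' not in inventory[0] or 'dashboard_password' not in inventory[0]: raise ValueError('dashboard credentials missing from inventory host vars')` gives an actionable message. Reading the password from host vars also makes the inventory a secret-bearing file, and the docstring should say so: `Credentials are read from the wazuh-manager host vars dashboard_user/dashboard_password; keep the inventory file out of version control or vault it.` `ansible_runner` must be imported at module level for this to run; the import block is outside the hunk, so I cannot confirm it was added.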
@@ -1,18 +0,0 @@ ---- -- name: Get credentials - hosts: wazuh-manager - tasks: - - - name: Unzip wazuh install files - unarchive: - src: /home/vagrant/wazuh-install-files.tar - dest: /home/vagrant - remote_src: yes - become: True - - - name: Get passwords file - fetch: - src: /home/vagrant/wazuh-install-files/passwords.wazuh - dest: /tmp/ - flat: yes - become: True diff --git a/tests/end_to_end/test_audit/test_audit.py b/tests/end_to_end/test_audit/test_audit.py index 253b137226..cb94016e90 100644 --- a/tests/end_to_end/test_audit/test_audit.py +++ b/tests/end_to_end/test_audit/test_audit.py @@ -10,7 +10,7 @@ alerts_json = os.path.join(gettempdir(), 'alerts.json') test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_audit.yml') -configuration_playbooks = ['configuration.yaml', 'credentials.yaml'] +configuration_playbooks = ['configuration.yaml'] events_playbooks = ['generate_events.yaml'] configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) From abe4ecb416e636ae91910e95cdb942bfa77c1d60 Mon Sep 17 00:00:00 2001 From: Julia Date: Tue, 14 Jun 2022 10:54:10 +0200 Subject: [PATCH 070/552] fix: Delete unnecessary code --- tests/end_to_end/conftest.py | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 06ac43dbba..03060a56d1 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py 
@@ -6,20 +6,17 @@ import pytest from tempfile import gettempdir -from wazuh_testing.tools.file import remove_file, get_file_lines +from wazuh_testing.tools.file import remove_file alerts_json = os.path.join(gettempdir(), 'alerts.json') -credentials_file = os.path.join(gettempdir(), 'passwords.wazuh') @pytest.fixture(scope='function') def clean_environment(): """Delete alerts and credentials files from the temporary folder.""" yield - remove_file(alerts_json) - remove_file(credentials_file) @pytest.fixture(scope='module') From 7a6f3e5ab3687184f764dab8f624dc88a2dd4ad3 Mon Sep 17 00:00:00 2001 From: Julia Date: Tue, 14 Jun 2022 10:54:52 +0200 Subject: [PATCH 071/552] fix: Check if inventory path is defined and add comments --- tests/end_to_end/conftest.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 03060a56d1..8ab99ec812 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -27,9 +27,14 @@ def get_dashboard_credentials(request): dict: wazuh-dashboard credentials. """ inventory_playbook = [request.config.getoption('--inventory_path')] + + if not inventory_playbook: + raise ValueError('Inventory not specified') + inventory = ansible_runner.get_inventory(action='host', inventories=inventory_playbook, response_format='json', host='wazuh-manager') + # Inventory is a tuple, with the second value empty, so we must access inventory[0] dashboard_credentials = {'user': inventory[0]['dashboard_user'], 'password': inventory[0]['dashboard_password']} yield dashboard_credentials From 6c999a4bd75fc25a6b82bcc3f2ad83709ad9dbd3 Mon Sep 17 00:00:00 2001 From: Julia Date: Tue, 14 Jun 2022 10:59:40 +0200 Subject: [PATCH 072/552] fix: Change imports --- tests/end_to_end/test_audit/test_audit.py | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
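Review bot: After this hunk `clean_environment` is a fixture whose teardown does nothing — both `remove_file` calls are gone — yet its docstring still reads `Delete alerts and credentials files from the temporary folder.` and the `from wazuh_testing.tools.file import remove_file` import it kept is now unused. The playbooks in this series still fetch `alerts.json` into the temp dir, so either keep `remove_file(alerts_json)` after the `yield` so one module's alerts cannot satisfy the next module's regex, or change the docstring to describe what the fixture actually does and drop the import. The rest of conftest.py is outside the hunk.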
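Review bot: `if not inventory_playbook:` can never be true, because `inventory_playbook` is the one-element list `[request.config.getoption('--inventory_path')]`, which is truthy even when the option is `None`. Test the option before wrapping it: `inventory_path = request.config.getoption('--inventory_path')`, `if not inventory_path: raise ValueError('Inventory not specified')`, `inventory_playbook = [inventory_path]`. The added comment about the tuple is useful; if `ansible_runner.get_inventory` returns something recognisable for an unknown host, say so there too, since `inventory[0][...]` would otherwise fail opaquely.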
diff --git a/tests/end_to_end/test_audit/test_audit.py b/tests/end_to_end/test_audit/test_audit.py index cb94016e90..0b60e6f04b 100644 --- a/tests/end_to_end/test_audit/test_audit.py +++ b/tests/end_to_end/test_audit/test_audit.py @@ -2,9 +2,9 @@ import pytest from tempfile import gettempdir +from wazuh_testing import end_to_end as e2e +from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config -from wazuh_testing.end_to_end import get_alert_indexer_api, make_query -from wazuh_testing.event_monitor import check_event alerts_json = os.path.join(gettempdir(), 'alerts.json') @@ -29,7 +29,7 @@ def test_audit(configure_environment, metadata, get_dashboard_credentials, gener expected_alert = r'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{},"description"\:"{}",'\ r'"id"\:"{}".*euid={}.*a3={}.*\}}'.format(level, description, rule_id, euid, a3) - query = make_query([ + query = e2e.make_query([ { "term": { "rule.id": f"{rule_id}" @@ -41,10 +41,10 @@ def test_audit(configure_environment, metadata, get_dashboard_credentials, gener } } ]) - indexed_alert = get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + indexed_alert = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) try: assert str(rule_id) in indexed_alert.text except AssertionError: - check_event(callback=expected_alert, file_to_monitor=alerts_json, error_message='The alert has not occurred') + evm.check_event(callback=expected_alert, file_to_monitor=alerts_json, error_message='The alert has not occurred') raise AssertionError('The alert has occurred, but has not been indexed.') From e61f419794117694e83212c47c2f12478a1ab067 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Tue, 14 Jun 2022 10:21:27 -0300 Subject: [PATCH 073/552] add: task to kill netcat process --- .../data/playbooks/generate_events.yaml | 37 +++++++++++++------ 1 file changed, 26 insertions(+), 11 deletions(-) 
diff --git a/tests/end_to_end/test_netcat/data/playbooks/generate_events.yaml b/tests/end_to_end/test_netcat/data/playbooks/generate_events.yaml index 248f38645c..0e4220439d 100644 --- a/tests/end_to_end/test_netcat/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_netcat/data/playbooks/generate_events.yaml @@ -1,12 +1,27 @@ --- - - name: Generate events - hosts: wazuh-agent - ignore_errors: True - tasks: - - name: netcat - command: nc -l 8000 - timeout: 30 - - - name: Wait for alert - pause: - seconds: 5 +- name: Generate events + hosts: wazuh-agent + ignore_errors: True + tasks: + - name: netcat + command: nc -l 8000 + timeout: 30 + + - name: Wait for alert + pause: + seconds: 5 + + - name: Kill process + become: True + command: pkill -fx 'nc -l 8000' + +- name: Get logs + hosts: all + tasks: + + - name: Get alerts.json + fetch: + src: /var/ossec/logs/alerts/alerts.json + dest: /tmp/ + flat: yes + become: True From 9a0fd0ec71c8b91d326e1523515946546e90601e Mon Sep 17 00:00:00 2001 From: Julia Date: Tue, 14 Jun 2022 17:21:25 +0200 Subject: [PATCH 074/552] fix: Add regex to check indexed alert and compare timestamps --- tests/end_to_end/test_audit/test_audit.py | 31 +++++++++++++++++------ 1 file changed, 23 insertions(+), 8 deletions(-) diff --git a/tests/end_to_end/test_audit/test_audit.py b/tests/end_to_end/test_audit/test_audit.py index 0b60e6f04b..d99465e7f3 100644 --- a/tests/end_to_end/test_audit/test_audit.py +++ b/tests/end_to_end/test_audit/test_audit.py @@ -1,10 +1,15 @@ import os +import json +import re import pytest +from datetime import datetime from tempfile import gettempdir +from time import sleep from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config +from wazuh_testing.tools.time import parse_date_time_format alerts_json = os.path.join(gettempdir(), 'alerts.json') 
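Review bot: The new `Get logs` play runs on `hosts: all` and fetches `/var/ossec/logs/alerts/alerts.json` to `/tmp/` with `flat: yes`, so every host that has the file writes the same `/tmp/alerts.json` and the last one wins, while hosts without it (presumably the agent in this inventory) fail the task. Limit the play to the manager: `hosts: wazuh-manager`. The `Kill process` task uses `pkill -fx 'nc -l 8000'`, which matches the full command line exactly and so cannot hit unrelated processes; that is worth a short comment, since `pkill -f` without `-x` is the usual mistake here.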
@@ -26,8 +31,11 @@ def test_audit(configure_environment, metadata, get_dashboard_credentials, gener a3 = metadata['extra']['a3'] data_audit_command = metadata['extra']['data.audit.command'] - expected_alert = r'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{},"description"\:"{}",'\ - r'"id"\:"{}".*euid={}.*a3={}.*\}}'.format(level, description, rule_id, euid, a3) + expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{level},' \ + fr'"description"\:"{description}","id"\:"{rule_id}".*euid={euid}.*a3={a3}.*\}}' + expected_indexed_alert = fr'.*"rule":.*"level": {level}, "description": "{description}".*"id": "{rule_id}".*' \ + fr'euid={euid}.*comm=\\"{data_audit_command}\\".*a3={a3}.*' \ + r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' query = e2e.make_query([ { 
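Review bot: `expected_alert_json` and `expected_indexed_alert` splice `description`, `a3` and `data_audit_command` from the test-case YAML directly into regexes, which only works because the YAML values are already regex-escaped (the `cases_audit` hunk later in this series carries `Audit\\: Command\\: \\/usr\\/bin\\/ping.` and `\\"www\.google\.com\\"`); that coupling is invisible here and should be stated next to the patterns, e.g. `# metadata strings are used as regex fragments and are pre-escaped in cases_audit.yaml`. Alternatively keep the YAML literal and apply `re.escape` at the point of use, which also removes the `\\"` juggling around `comm=`. `expected_indexed_alert` further depends on the key order and `", "` spacing that `json.dumps` emits for the indexer response; stable for the default separators, but a comment would help. test_audit continues outside the hunk.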
@@ -41,10 +49,17 @@ def test_audit(configure_environment, metadata, get_dashboard_credentials, gener } } ]) - indexed_alert = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + error_message='The alert has not occurred').result() + raised_alert_timestamp = raised_alert.group(1) + raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') - try: - assert str(rule_id) in indexed_alert.text - except AssertionError: - evm.check_event(callback=expected_alert, file_to_monitor=alerts_json, error_message='The alert has not occurred') - raise AssertionError('The alert has occurred, but has not been indexed.') + sleep(wait_indexed_alert) + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + assert response.status_code == 200, f"The response is not the expected. Actual response {response.status_code}" + indexed_alert = json.dumps(response.json()) + match = re.search(expected_indexed_alert, indexed_alert) + assert match is not None + indexed_alert_timestamp = match.group(1) + indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), '%Y-%m-%d %H:%M:%S') + assert indexed_alert_timestamp == raised_alert_timestamp From 2197b3dc91e0b780e8076b4529c3b68a9069886c Mon Sep 17 00:00:00 2001 From: Julia Date: Tue, 14 Jun 2022 17:24:37 +0200 Subject: [PATCH 075/552] fix: Rename file --- .../data/test_cases/{cases_audit.yml => cases_audit.yaml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename tests/end_to_end/test_audit/data/test_cases/{cases_audit.yml => cases_audit.yaml} (100%) 
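Review bot: `sleep(wait_indexed_alert)` references a name that no hunk in this commit defines — it only appears in the later `fix: Add wait_indexed_alert` commit — so at this revision the test fails with `NameError` right after the alerts.json check passes. Beyond the missing constant, a fixed sleep followed by a single query is the flaky part of this test: if indexing takes longer than the constant, the test reports an indexing failure although nothing is wrong; a bounded retry around `e2e.get_alert_indexer_api` that re-runs `re.search` until it matches or a timeout expires is more robust than one wait. The timestamps are compared at second resolution after `parse_date_time_format`, so two alerts for the same rule within one second are indistinguishable; acceptable here, but a comment should say so. test_audit starts outside the hunk.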
diff --git a/tests/end_to_end/test_audit/data/test_cases/cases_audit.yml b/tests/end_to_end/test_audit/data/test_cases/cases_audit.yaml similarity index 100% rename from tests/end_to_end/test_audit/data/test_cases/cases_audit.yml rename to tests/end_to_end/test_audit/data/test_cases/cases_audit.yaml From 6b372a86e110c51760348fb924419121c546748e Mon Sep 17 00:00:00 2001 From: Julia Date: Tue, 14 Jun 2022 17:33:09 +0200 Subject: [PATCH 076/552] fix: Add error message --- tests/end_to_end/test_audit/test_audit.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/test_audit/test_audit.py b/tests/end_to_end/test_audit/test_audit.py index be635c74b4..f412128571 100644 --- a/tests/end_to_end/test_audit/test_audit.py +++ b/tests/end_to_end/test_audit/test_audit.py @@ -60,7 +60,7 @@ def test_audit(configure_environment, metadata, get_dashboard_credentials, gener assert response.status_code == 200, f"The response is not the expected. Actual response {response.status_code}" indexed_alert = json.dumps(response.json()) match = re.search(expected_indexed_alert, indexed_alert) - assert match is not None + assert match is not None, 'Alert triggered, but not indexed' indexed_alert_timestamp = match.group(1) indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), '%Y-%m-%d %H:%M:%S') assert indexed_alert_timestamp == raised_alert_timestamp From ac5573250837a34c197336c7e2860b5096061a7f Mon Sep 17 00:00:00 2001 From: Julia Date: Tue, 14 Jun 2022 17:33:45 +0200 Subject: [PATCH 077/552] fix: Add `wait_indexed_alert` --- tests/end_to_end/test_audit/test_audit.py | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/end_to_end/test_audit/test_audit.py b/tests/end_to_end/test_audit/test_audit.py index f412128571..f43971df46 100644 --- a/tests/end_to_end/test_audit/test_audit.py +++ b/tests/end_to_end/test_audit/test_audit.py 
@@ -17,6 +17,7 @@ test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_audit.yml') configuration_playbooks = ['configuration.yaml'] events_playbooks = ['generate_events.yaml'] +wait_indexed_alert = 5 configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) From 05786415c3c934684511cd8dbeb8196eed2c1d8b Mon Sep 17 00:00:00 2001 From: Julia Date: Tue, 14 Jun 2022 18:06:20 +0200 Subject: [PATCH 078/552] fix: Delete unnecessary quotes --- tests/end_to_end/test_audit/data/test_cases/cases_audit.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/test_audit/data/test_cases/cases_audit.yaml b/tests/end_to_end/test_audit/data/test_cases/cases_audit.yaml index a7779abc85..c888904858 100644 --- a/tests/end_to_end/test_audit/data/test_cases/cases_audit.yaml +++ b/tests/end_to_end/test_audit/data/test_cases/cases_audit.yaml @@ -10,5 +10,5 @@ description: "Audit\\: Command\\: \\/usr\\/bin\\/ping." extra: euid: 1000 - a3: '\\"www\.google\.com\\"' + a3: \\"www\.google\.com\\" data.audit.command: ping From ff6772fe1cbf714af381d4b41bacc60033af49f8 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Tue, 14 Jun 2022 13:48:19 -0300 Subject: [PATCH 079/552] fix: deleted credentials yaml --- tests/end_to_end/test_netcat/test_netcat.py | 127 ++++++++------------ 1 file changed, 52 insertions(+), 75 deletions(-) diff --git a/tests/end_to_end/test_netcat/test_netcat.py b/tests/end_to_end/test_netcat/test_netcat.py index 4020daf39c..3dce3c8059 100644 --- a/tests/end_to_end/test_netcat/test_netcat.py +++ b/tests/end_to_end/test_netcat/test_netcat.py 
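Review bot: The context line `test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_audit.yml')` still points at the `.yml` name, while the preceding `fix: Rename file` commit renamed the file to `cases_audit.yaml`, so `config.get_test_cases_data` will not find it at this revision; change it to `'cases_audit.yaml'`. The new constant deserves a unit and a reason, e.g. `wait_indexed_alert = 5  # seconds; alerts.json -> filebeat -> wazuh-indexer`.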
@@ -1,77 +1,54 @@ -''' -copyright: Copyright (C) 2015-2021, Wazuh Inc. - Created by Wazuh, Inc. . - This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 -type: e2e -brief: Wazuh includes a registration process that provides the user with an automated mechanism to enroll agents with - minimal configuration steps. To register an agent using the enrollment method, a manager with a valid IP needs - to be configured first. The agent then checks for the registration key in the client.keys file, and when the file - is empty, it automatically requests the key from the configured manager the agent is reporting to. -''' - import os import pytest -from opensearchpy import OpenSearch -import yaml - - -@pytest.fixture -def configurations(): - yaml_file_path = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'data/config.yml') - with open(yaml_file_path) as stream: - configurations = yaml.safe_load(stream) - return configurations - -@pytest.mark.ansible_playbook_setup('generate_events.yml') -def test_netcat(configurations, ansible_playbook): - """ - Test to detect Netcat - """ - agent_hostname = configurations['wazuh-agent-linux'][1]['hostname'] - rule_id = configurations['wazuh-agent-linux'][2]['rule_id'] - indexer_ip = configurations['wazuh-manager-indexer'][0]['ip'] - indexer_user = configurations['wazuh-manager-indexer'][2]['username_indexer'] - indexer_password = configurations['wazuh-manager-indexer'][3]['password_ indexer'] - - open_search_alerts = _get_opensearch_alert(indexer_ip, rule_id, indexer_user, indexer_password) - _asserts(open_search_alerts, agent_hostname) - - -def _get_opensearch_alert(indexer_ip, rule_id, username, password): - """ - Get alert generated in opensearch - """ - auth = (username, password) - host = indexer_ip - port = '9200' - index_name = 'wazuh-alerts-4.x-*' - query = '{"query": {"bool": {"must": []}}, "size": 1, "sort": [{"timestamp": {"order": "desc"}}]}' - - client = OpenSearch( - hosts= 
[{'host': host, 'port': port}], - http_auth = auth, - use_ssl = True, - verify_certs = False, - timeout = 30, - max_retries = 10, - retry_on_timeout = True - - ) - - response = client.search( - body = query, - index= index_name - ) - - print(response) - return response - - -def _asserts(response, agent_hostname): - agent = response['hits']['hits'][0]['_source']['agent']['name'] - description = response['hits']['hits'][0]['_source']['rule']['description'] - rule_id = response['hits']['hits'][0]['_source']['rule']['id'] - print(response['hits']['hits'][0]['_source']['timestamp']) - assert description == 'Netcat listening for incoming connections.' - assert rule_id == '100051', 'Invalid rule id' - assert agent == agent_hostname, 'Invalid agent' +import re +import json +from tempfile import gettempdir + +from wazuh_testing.tools import configuration as config +from wazuh_testing import end_to_end as e2e +from wazuh_testing import event_monitor as evm + +## Test cases data +alerts_json = os.path.join(gettempdir(), 'alerts.json') +test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') +test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_netcat.yaml') + +# Playbooks +configuration_playbooks = ['configuration.yaml', 'credentials.yaml'] +events_playbooks = ['generate_events.yaml'] + +#Configuration +configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) + + +@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') +@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) +def test_audit(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_environment): + level = metadata['rule']['level'] + description = metadata['rule']['description'] + rule_id = metadata['rule']['id'] + + expected_alert = r'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{},"description"\:"{}",'\ + 
r'"id"\:"{}".*\}}'.format(level, description, rule_id) + expected_api_alert = f".+\"description\": \"({description})\".+\"id\": " \ + f"\"({rule_id})\"" + + query = e2e.make_query([ + { + "term": { + "rule.id": f"{rule_id}" + } + } + ]) + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + assert response.status_code == 200, f"The response is not the expected. Actual response {response.text}" + + indexed_alert = json.dumps(response.json()) + + try: + match = re.search(expected_api_alert, indexed_alert) + assert match is not None, 'The alert was triggered but not indexed' + except AssertionError as exc: + err_msg = 'THe alert was not triggered' + evm.check_event(callback=expected_alert, file_to_monitor=alerts_json, error_message='The alert has not occurred') + raise AssertionError(exc.args[0]) From 30fa296abe9623f2f43ab1ef5919c17618cabb96 Mon Sep 17 00:00:00 2001 From: Julia Date: Wed, 15 Jun 2022 12:07:55 +0200 Subject: [PATCH 080/552] fix: Move assert --- deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py | 3 +++ tests/end_to_end/test_audit/test_audit.py | 1 - 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py b/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py index 1085f996b2..7954b789c6 100644 --- a/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py +++ b/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py @@ -24,6 +24,9 @@ def get_alert_indexer_api(query, credentials, ip_address='wazuh-manager', index= response = requests.get(url=url, params={'pretty': 'true'}, json=query, verify=False, auth=requests.auth.HTTPBasicAuth(credentials['user'], credentials['password'])) + if response.status_code != 200: + raise Exception(f"The response is not the expected. Actual response {response.status_code}") + return response 
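Review bot: The rewritten test in test_netcat.py is named `test_audit`, which collides in reporting with the real audit test and hides what is being exercised; rename it `test_netcat`. `configuration_playbooks = ['configuration.yaml', 'credentials.yaml']` still lists `credentials.yaml` although the commit message says that playbook was deleted, and `err_msg = 'THe alert was not triggered'` is assigned but never used — the call passes a different literal — so the `except` branch should read `evm.check_event(callback=expected_alert, file_to_monitor=alerts_json, error_message='The alert was not triggered')`. The metadata is read as nested `metadata['rule']['level']`, unlike the flattened `rule.level` keys the docker and brute-force cases use; `cases_netcat.yaml` does use the nested form, so it works, but aligning the schemas would let the tests share helpers. `## Test cases data` also has a doubled `#`.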
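Review bot: The new guard raises a bare `Exception` for a non-200 response, which callers can only catch with `except Exception` and which reports the status code but not the body; `response.raise_for_status()` raises `requests.HTTPError` with URL and status, or raise a project-specific exception carrying `response.text` so the indexer's own error message is visible. The surrounding context still calls `requests.get(..., verify=False)` — not introduced here — but the guard is a natural place for a comment that certificate verification is disabled only because the test indexer uses a self-signed certificate. get_alert_indexer_api starts outside the hunk.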
diff --git a/tests/end_to_end/test_audit/test_audit.py b/tests/end_to_end/test_audit/test_audit.py index f43971df46..83bae07589 100644 --- a/tests/end_to_end/test_audit/test_audit.py +++ b/tests/end_to_end/test_audit/test_audit.py @@ -58,7 +58,6 @@ def test_audit(configure_environment, metadata, get_dashboard_credentials, gener sleep(wait_indexed_alert) response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) - assert response.status_code == 200, f"The response is not the expected. Actual response {response.status_code}" indexed_alert = json.dumps(response.json()) match = re.search(expected_indexed_alert, indexed_alert) assert match is not None, 'Alert triggered, but not indexed' From defa22677f774621896c3bec551b55c2b273d0fb Mon Sep 17 00:00:00 2001 From: Julia Date: Wed, 15 Jun 2022 12:08:25 +0200 Subject: [PATCH 081/552] fix: Add comments --- tests/end_to_end/test_audit/test_audit.py | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/tests/end_to_end/test_audit/test_audit.py b/tests/end_to_end/test_audit/test_audit.py index 83bae07589..5c3d370a2a 100644 --- a/tests/end_to_end/test_audit/test_audit.py +++ b/tests/end_to_end/test_audit/test_audit.py 
@@ -51,16 +51,27 @@ def test_audit(configure_environment, metadata, get_dashboard_credentials, gener } } ]) + + # Check that alert has been raised and save timestamp raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, error_message='The alert has not occurred').result() raised_alert_timestamp = raised_alert.group(1) raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') + # Wait a few seconds for the alert to be indexed (alert.json -> filebeat -> wazuh-indexer) sleep(wait_indexed_alert) + + # Get indexed alert response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) indexed_alert = json.dumps(response.json()) - match = re.search(expected_indexed_alert, indexed_alert) - assert match is not None, 'Alert triggered, but not indexed' - indexed_alert_timestamp = match.group(1) + + # Check that the alert data is the expected one + alert_data = re.search(expected_indexed_alert, indexed_alert) + assert alert_data is not None, 'Alert triggered, but not indexed' + + # Get indexed alert timestamp + indexed_alert_timestamp = alert_data.group(1) indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), '%Y-%m-%d %H:%M:%S') - assert indexed_alert_timestamp == raised_alert_timestamp + + # Check that alert has been indexed (checking that the timestamp is the expected one) + assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' From 85a36ccf7e801c47cce59c4f3fa7a90ec0ac563f Mon Sep 17 00:00:00 2001 
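Review bot: The final assertion reuses the message `'Alert triggered, but not indexed'` for a timestamp mismatch, but by that point `alert_data` has already matched an indexed alert; a mismatch means the indexed alert is a different occurrence of the same rule. `assert indexed_alert_timestamp == raised_alert_timestamp, 'Indexed alert timestamp does not match the raised alert'` says that. The comment `# Wait a few seconds for the alert to be indexed (alert.json -> filebeat -> wazuh-indexer)` is helpful; `alert.json` should read `alerts.json` to match the path used. test_audit starts outside the hunk.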
From: Belen Valdivia Date: Wed, 15 Jun 2022 12:23:25 -0300 Subject: [PATCH 082/552] fix: deleted credentials yaml, added task to truncate alert json, refactor cases_brute_force and refactor test case with new asserts --- .../data/playbooks/credentials.yaml | 17 ------ .../data/playbooks/generate_events.yaml | 8 +++ .../data/test_cases/cases_brute_force.yaml | 7 +-- .../test_brute_force/test_brute_force.py | 56 ++++++++++++------- 4 files changed, 46 insertions(+), 42 deletions(-) delete mode 100644 tests/end_to_end/test_brute_force/data/playbooks/credentials.yaml diff --git a/tests/end_to_end/test_brute_force/data/playbooks/credentials.yaml b/tests/end_to_end/test_brute_force/data/playbooks/credentials.yaml deleted file mode 100644 index d93f760cc7..0000000000 --- a/tests/end_to_end/test_brute_force/data/playbooks/credentials.yaml +++ /dev/null @@ -1,17 +0,0 @@ -- name: Get credentials - hosts: wazuh-manager - tasks: - - - name: Unzip wazuh install files - unarchive: - src: /home/vagrant/wazuh-install-files.tar - dest: /home/vagrant - remote_src: yes - become: True - - - name: Get passwords file - fetch: - src: /home/vagrant/wazuh-install-files/passwords.wazuh - dest: /tmp/ - flat: yes - become: True diff --git a/tests/end_to_end/test_brute_force/data/playbooks/generate_events.yaml b/tests/end_to_end/test_brute_force/data/playbooks/generate_events.yaml index 2208c813d3..314fe35578 100644 --- a/tests/end_to_end/test_brute_force/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_brute_force/data/playbooks/generate_events.yaml @@ -1,3 +1,11 @@ +- name: Truncate file + hosts: all + tasks: + + - name: Truncate alert.json + shell: echo "" > /var/ossec/logs/alerts/alerts.json + become: True + - name: Generate events hosts: localhost tasks: diff --git a/tests/end_to_end/test_brute_force/data/test_cases/cases_brute_force.yaml b/tests/end_to_end/test_brute_force/data/test_cases/cases_brute_force.yaml index 2e1e8ae656..74684202e3 100644 
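Review bot: The new `Truncate file` play runs `echo "" > /var/ossec/logs/alerts/alerts.json` on `hosts: all`, which writes a newline rather than an empty file, creates the file with the connecting user's ownership on any host where it did not exist, and fails on hosts without the `/var/ossec/logs/alerts` directory. Limit it to `hosts: wazuh-manager` and use `command: truncate -s 0 /var/ossec/logs/alerts/alerts.json` (or the `copy` module with `content: ''` and the existing owner/group/mode), which is idempotent and preserves the file's ownership. Since this discards the manager's alert history, the task name should make clear it is for disposable test environments.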
--- a/tests/end_to_end/test_brute_force/data/test_cases/cases_brute_force.yaml +++ b/tests/end_to_end/test_brute_force/data/test_cases/cases_brute_force.yaml @@ -2,9 +2,8 @@ description: Execute brute force attacks using SSH and check generated alerts configuration_parameters: null metadata: - rule: - id: 5712 - level: 10 - description: "sshd: brute force trying to get access to the system. Non existent user." + rule.id: 5712 + rule.level: 10 + rule.description: "sshd: brute force trying to get access to the system. Non existent user." extra: mitre_technique: "Brute Force" diff --git a/tests/end_to_end/test_brute_force/test_brute_force.py b/tests/end_to_end/test_brute_force/test_brute_force.py index 25242d83df..6a38f69869 100644 --- a/tests/end_to_end/test_brute_force/test_brute_force.py +++ b/tests/end_to_end/test_brute_force/test_brute_force.py @@ -1,10 +1,14 @@ import os +import json +import re import pytest +from datetime import datetime from tempfile import gettempdir from wazuh_testing.tools import configuration as config from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm +from wazuh_testing.tools.time import parse_date_time_format # Test cases data alerts_json = os.path.join(gettempdir(), 'alerts.json') @@ -12,7 +16,6 @@ test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_brute_force.yaml') # Playbooks -configuration_playbooks = ['credentials.yaml'] events_playbooks = ['generate_events.yaml'] # Configuration 
@@ -21,17 +24,20 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_brute_force(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_environment): +def test_brute_force(metadata, get_dashboard_credentials, generate_events, clean_environment): """ Test to detect a SSH Brute Force attack """ - rule_id = metadata['rule']['id'] - rule_level = metadata['rule']['level'] - rule_description = metadata['rule']['description'] + rule_id = metadata['rule.id'] + rule_level = metadata['rule.level'] + rule_description = metadata['rule.description'] rule_mitre_technique = metadata['extra']['mitre_technique'] - expected_alert = r'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{},"description"\:"{}",'\ - r'"id"\:"{}".*\}}'.format(rule_level, rule_description, rule_id) + expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{rule_level},' \ + fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' + + expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}".*"mitre":.*"{rule_mitre_technique}".*"id": "{rule_id}".*'\ + r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' query = e2e.make_query([ { 
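Review bot: `expected_indexed_alert` interpolates `rule_description` (`sshd: brute force trying to get access to the system. Non existent user.`) unescaped, so its `.` characters match any character; harmless for this value, but `re.escape(rule_description)` keeps the check literal, and the same applies to `rule_mitre_technique`. The line is also very long; splitting it the way `expected_alert_json` is split keeps it readable. Dropping `configure_environment` from the signature matches the removal of `configuration_playbooks` from the module header, and the docstring `Test to detect a SSH Brute Force attack` could note that the test relies on the manager's default ruleset. test_brute_force continues outside the hunk.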
@@ -40,17 +46,25 @@ def test_brute_force(configure_environment, metadata, get_dashboard_credentials, } } ]) - indexed_alert = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials).json() - - try: - # Check that indexed alert has the correct rule id - assert indexed_alert['hits']['hits'][0]['_source']['rule']['id'] == str(rule_id), 'Invalid rule id' - # Check that indexed alert has the correct rule level - assert indexed_alert['hits']['hits'][0]['_source']['rule']['level'] == rule_level, 'Invalid rule level' - # Check that indexed alert has the correct rule description - assert indexed_alert['hits']['hits'][0]['_source']['rule']['description'] == rule_description, 'Invalid description' - # Check that indexed alert has the correct mitre technique - assert indexed_alert['hits']['hits'][0]['_source']['rule']['mitre']['technique'][0] == rule_mitre_technique, 'Invalid mitre technique' - except AssertionError: - evm.check_event(callback=expected_alert, file_to_monitor=alerts_json, error_message='The alert has not occurred') - raise AssertionError('The alert has occurred, but has not been indexed.') + + # Check that alert has been raised and save timestamp + raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + error_message='The alert has not occurred').result() + raised_alert_timestamp = raised_alert.group(1) + raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') + + # Get indexed alert + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + indexed_alert = json.dumps(response.json()) + + # Check that the alert data is the expected one + alert_data = re.search(expected_indexed_alert, indexed_alert) + assert alert_data is not None, 'Alert triggered, but not indexed' + + # Get indexed alert timestamp + indexed_alert_timestamp = alert_data.group(1) + indexed_alert_timestamp = 
datetime.strptime(parse_date_time_format(indexed_alert_timestamp), '%Y-%m-%d %H:%M:%S') + + # Check that alert has been indexed (checking that the timestamp is the expected one) + assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' + From 6f05dc5da903dcd51c429ccd75081751126b5bbd Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Wed, 15 Jun 2022 12:54:03 -0300 Subject: [PATCH 083/552] fix: added linting changes --- .../data/playbooks/generate_events.yaml | 14 +++++++------- .../data/test_cases/cases_brute_force.yaml | 2 +- .../test_brute_force/test_brute_force.py | 4 ++-- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/tests/end_to_end/test_brute_force/data/playbooks/generate_events.yaml b/tests/end_to_end/test_brute_force/data/playbooks/generate_events.yaml index 314fe35578..e6dac58297 100644 --- a/tests/end_to_end/test_brute_force/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_brute_force/data/playbooks/generate_events.yaml @@ -4,7 +4,7 @@ - name: Truncate alert.json shell: echo "" > /var/ossec/logs/alerts/alerts.json - become: True + become: true - name: Generate events hosts: localhost @@ -12,10 +12,10 @@ - name: ssh connection expect: - command: ssh {{item}}@wazuh-agent - timeout: 5 - responses: - Password: 1 + command: ssh {{item}}@wazuh-agent + timeout: 5 + responses: + Password: 1 loop: - test_user - test_user @@ -25,7 +25,7 @@ - test_user - test_user - test_user - ignore_errors: True + ignore_errors: true - name: Wait for alert pause: @@ -40,4 +40,4 @@ src: /var/ossec/logs/alerts/alerts.json dest: /tmp/ flat: yes - become: True + become: true diff --git a/tests/end_to_end/test_brute_force/data/test_cases/cases_brute_force.yaml b/tests/end_to_end/test_brute_force/data/test_cases/cases_brute_force.yaml index 74684202e3..d58f3ff6dd 100644 --- a/tests/end_to_end/test_brute_force/data/test_cases/cases_brute_force.yaml 
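Review bot: `response.json()` is called straight after `e2e.get_alert_indexer_api(...)` without checking the HTTP status, so a 401/403 from the indexer (wrong or expired credentials) or a 5xx surfaces as a JSON decode error or, worse, as the regex miss 'Alert triggered, but not indexed' instead of as an authentication or availability failure; add `assert response.status_code == 200, f'Unexpected indexer response: {response.text}'` before dumping it (the `.json()`/`.text` usage suggests a requests Response, in which case `response.raise_for_status()` also works). The final assertion reuses the message 'Alert triggered, but not indexed' although at that point the alert was found in the indexer and only the timestamp differs; `'Indexed alert timestamp does not match the raised alert'` describes the actual failure. Matching the regex against `json.dumps` of the whole response also lets the greedy `.*` span several hits when the query returns more than one, so the captured timestamp may come from a different hit than the rule fields; iterating `response.json()['hits']['hits']` and comparing fields avoids that. The same unchecked `.json()` call appears in the test_netcat.py hunk below (which additionally drops the previous `status_code == 200` assertion) and in test_osquery_integration.py.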
+++ b/tests/end_to_end/test_brute_force/data/test_cases/cases_brute_force.yaml @@ -6,4 +6,4 @@ rule.level: 10 rule.description: "sshd: brute force trying to get access to the system. Non existent user." extra: - mitre_technique: "Brute Force" + mitre_technique: Brute Force diff --git a/tests/end_to_end/test_brute_force/test_brute_force.py b/tests/end_to_end/test_brute_force/test_brute_force.py index 6a38f69869..3d1608cf2c 100644 --- a/tests/end_to_end/test_brute_force/test_brute_force.py +++ b/tests/end_to_end/test_brute_force/test_brute_force.py @@ -36,7 +36,8 @@ def test_brute_force(metadata, get_dashboard_credentials, generate_events, clean expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{rule_level},' \ fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' - expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}".*"mitre":.*"{rule_mitre_technique}".*"id": "{rule_id}".*'\ + expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \ + fr'.*"mitre":.*"{rule_mitre_technique}".*"id": "{rule_id}".*'\ r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' query = e2e.make_query([ @@ -67,4 +68,3 @@ def test_brute_force(metadata, get_dashboard_credentials, generate_events, clean # Check that alert has been indexed (checking that the timestamp is the expected one) assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' - From 3b6a4adf75dd694fbb32cff8db574321e8e61330 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Wed, 15 Jun 2022 17:00:16 -0300 Subject: [PATCH 084/552] add: truncate file in generate events yaml, extra vars in cases yaml, regex and asserts in test case --- .../data/playbooks/generate_events.yaml | 23 ++++--- .../data/test_cases/cases_netcat.yaml | 12 ++-- tests/end_to_end/test_netcat/test_netcat.py | 63 +++++++++++++------ 3 files changed, 68 insertions(+), 30 deletions(-) 
diff --git a/tests/end_to_end/test_netcat/data/playbooks/generate_events.yaml b/tests/end_to_end/test_netcat/data/playbooks/generate_events.yaml index 0e4220439d..f70910aa56 100644 --- a/tests/end_to_end/test_netcat/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_netcat/data/playbooks/generate_events.yaml @@ -1,19 +1,26 @@ ---- +- name: Truncate files + hosts: wazuh-manager + tasks: + + - name: Truncate file alert.json + shell: echo "" > /var/ossec/logs/alerts/alerts.json + become: True + - name: Generate events hosts: wazuh-agent - ignore_errors: True + ignore_errors: true tasks: - - name: netcat - command: nc -l 8000 + - name: "{{ event_description_netcat }}" + command: "{{ command_netcat }}" timeout: 30 - name: Wait for alert pause: seconds: 5 - - name: Kill process - become: True - command: pkill -fx 'nc -l 8000' + - name: "{{ event_description_kill_netcat }}" + become: true + command: "{{ command_kill_netcat }}" - name: Get logs hosts: all @@ -24,4 +31,4 @@ src: /var/ossec/logs/alerts/alerts.json dest: /tmp/ flat: yes - become: True + become: true diff --git a/tests/end_to_end/test_netcat/data/test_cases/cases_netcat.yaml b/tests/end_to_end/test_netcat/data/test_cases/cases_netcat.yaml index ee850813a7..6615e8ba27 100644 --- a/tests/end_to_end/test_netcat/data/test_cases/cases_netcat.yaml +++ b/tests/end_to_end/test_netcat/data/test_cases/cases_netcat.yaml @@ -2,7 +2,11 @@ description: Detecting unauthorized processes configuration_parameters: null metadata: - rule: - id: 100051 - level: 7 - description: "Netcat listening for incoming connections." + extra_vars: + event_description_netcat: Run netcat + command_netcat: nc -l 8000 + event_description_kill_netcat: Kill netcat + command_kill_netcat: pkill -fx 'nc -l 8000' + rule.id: 100051 + rule.level: 7 + rule.description: "Netcat listening for incoming connections." 
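Review bot: `command_netcat` and `command_kill_netcat` in cases_netcat.yaml are two independent strings that must stay byte-identical for `pkill -fx` to find the listener, and `ignore_errors: true` at play level means a mismatch leaves `nc -l 8000` running on the agent with no failing task to show it; deriving the kill pattern from the listener command in the playbook, `command: pkill -fx "{{ command_netcat }}"`, removes the duplication (the `command_kill_netcat` extra var then becomes unnecessary). Scoping `ignore_errors` to the netcat task, which is the only one expected to end by `timeout: 30`, would let a failed kill or fetch still fail the play.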
diff --git a/tests/end_to_end/test_netcat/test_netcat.py b/tests/end_to_end/test_netcat/test_netcat.py index 3dce3c8059..04c0f3100f 100644 --- a/tests/end_to_end/test_netcat/test_netcat.py +++ b/tests/end_to_end/test_netcat/test_netcat.py @@ -1,12 +1,14 @@ import os -import pytest -import re import json +import re +import pytest +from datetime import datetime from tempfile import gettempdir from wazuh_testing.tools import configuration as config from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm +from wazuh_testing.tools.time import parse_date_time_format ## Test cases data alerts_json = os.path.join(gettempdir(), 'alerts.json') @@ -24,14 +26,16 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) def test_audit(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_environment): - level = metadata['rule']['level'] - description = metadata['rule']['description'] - rule_id = metadata['rule']['id'] + rule_level = metadata['rule.level'] + rule_description = metadata['rule.description'] + rule_id = metadata['rule.id'] - expected_alert = r'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{},"description"\:"{}",'\ - r'"id"\:"{}".*\}}'.format(level, description, rule_id) - expected_api_alert = f".+\"description\": \"({description})\".+\"id\": " \ - f"\"({rule_id})\"" + expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{rule_level},' \ + fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' + + expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \ + fr'.*"id": "{rule_id}".*' \ + r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' query = e2e.make_query([ { 
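Review bot: The test function is still named `test_audit` (context line at the top of the hunk) although the module is test_netcat.py and the body now checks the netcat rule; renaming it `def test_netcat(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_environment):` keeps pytest ids and failure output traceable to the right scenario. The hunk also interpolates `rule_description` ("Netcat listening for incoming connections.") into the regexes unescaped, the same issue raised on the test_brute_force.py hunk above. test_audit's body continues past this hunk.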
@@ -40,15 +44,38 @@ def test_audit(configure_environment, metadata, get_dashboard_credentials, gener } } ]) - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) - assert response.status_code == 200, f"The response is not the expected. Actual response {response.text}" + # Check that alert has been raised and save timestamp + raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + error_message='The alert has not occurred').result() + raised_alert_timestamp = raised_alert.group(1) + raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') + + # Get indexed alert + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) indexed_alert = json.dumps(response.json()) - try: - match = re.search(expected_api_alert, indexed_alert) - assert match is not None, 'The alert was triggered but not indexed' - except AssertionError as exc: - err_msg = 'THe alert was not triggered' - evm.check_event(callback=expected_alert, file_to_monitor=alerts_json, error_message='The alert has not occurred') - raise AssertionError(exc.args[0]) + # Check that the alert data is the expected one + alert_data = re.search(expected_indexed_alert, indexed_alert) + assert alert_data is not None, 'Alert triggered, but not indexed' + + # Get indexed alert timestamp + indexed_alert_timestamp = alert_data.group(1) + indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), '%Y-%m-%d %H:%M:%S') + + # Check that alert has been indexed (checking that the timestamp is the expected one) + assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' + + + # response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + # assert response.status_code == 200, f"The response is not the expected. 
Actual response {response.text}" + + # indexed_alert = json.dumps(response.json()) + + # try: + # match = re.search(expected_api_alert, indexed_alert) + # assert match is not None, 'The alert was triggered but not indexed' + # except AssertionError as exc: + # err_msg = 'THe alert was not triggered' + # evm.check_event(callback=expected_alert, file_to_monitor=alerts_json, error_message='The alert has not occurred') + # raise AssertionError(exc.args[0]) From 23ad773d325d850e56667edbcef508e4f8c53a4e Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Wed, 15 Jun 2022 17:04:10 -0300 Subject: [PATCH 085/552] fix: deleted credential and config yaml --- tests/end_to_end/test_netcat/data/config.yml | 11 ----------- .../test_netcat/data/playbooks/credentials.yaml | 17 ----------------- tests/end_to_end/test_netcat/test_netcat.py | 2 +- 3 files changed, 1 insertion(+), 29 deletions(-) delete mode 100644 tests/end_to_end/test_netcat/data/config.yml delete mode 100644 tests/end_to_end/test_netcat/data/playbooks/credentials.yaml diff --git a/tests/end_to_end/test_netcat/data/config.yml b/tests/end_to_end/test_netcat/data/config.yml deleted file mode 100644 index 0d33fe7b70..0000000000 --- a/tests/end_to_end/test_netcat/data/config.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- -wazuh-agent-linux: - - ip: "192.168.0.6" - - hostname: "centos-agent" - - rule_id: "100051" - -wazuh-manager-indexer: -- ip: "192.168.0.5" -- hostname: "centos-manager-kibana" -- username_indexer: "wazuh" -- password_ indexer: "Y6f1YvUNAH1DpxjRg162WKO6yfV496W1" diff --git a/tests/end_to_end/test_netcat/data/playbooks/credentials.yaml b/tests/end_to_end/test_netcat/data/playbooks/credentials.yaml deleted file mode 100644 index 0673ea9814..0000000000 --- a/tests/end_to_end/test_netcat/data/playbooks/credentials.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -- name: Get credentials - hosts: wazuh-manager - tasks: - - - name: Unzip wazuh install files - unarchive: - src: /home/vagrant/wazuh-install-files.tar - dest: /home/vagrant - remote_src: yes - become: True - - - name: Get passwords file - fetch: - src: /home/vagrant/wazuh-install-files/passwords.wazuh - dest: /tmp/ - flat: yes - become: True \ No newline at end of file diff --git a/tests/end_to_end/test_netcat/test_netcat.py b/tests/end_to_end/test_netcat/test_netcat.py index 04c0f3100f..aa17a143bc 100644 --- a/tests/end_to_end/test_netcat/test_netcat.py +++ b/tests/end_to_end/test_netcat/test_netcat.py @@ -16,7 +16,7 @@ test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_netcat.yaml') # Playbooks -configuration_playbooks = ['configuration.yaml', 'credentials.yaml'] +configuration_playbooks = ['configuration.yaml'] events_playbooks = ['generate_events.yaml'] #Configuration From 07a4fe99f0bb190ab1172793ce126dff62ca85f0 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Wed, 15 Jun 2022 17:08:26 -0300 Subject: [PATCH 086/552] fix: added end line and deleted comment code --- .../test_netcat/data/playbooks/configuration.yaml | 2 +- tests/end_to_end/test_netcat/test_netcat.py | 14 -------------- 2 files changed, 1 insertion(+), 15 deletions(-) diff --git a/tests/end_to_end/test_netcat/data/playbooks/configuration.yaml b/tests/end_to_end/test_netcat/data/playbooks/configuration.yaml index 5febba5689..2ebf32b773 100644 --- a/tests/end_to_end/test_netcat/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_netcat/data/playbooks/configuration.yaml @@ -56,4 +56,4 @@ - name: Restart wazuh-manager become: True - shell: systemctl restart wazuh-manager \ No newline at end of file + shell: systemctl restart wazuh-manager diff --git a/tests/end_to_end/test_netcat/test_netcat.py b/tests/end_to_end/test_netcat/test_netcat.py index aa17a143bc..194022260f 100644 --- a/tests/end_to_end/test_netcat/test_netcat.py 
+++ b/tests/end_to_end/test_netcat/test_netcat.py @@ -65,17 +65,3 @@ def test_audit(configure_environment, metadata, get_dashboard_credentials, gener # Check that alert has been indexed (checking that the timestamp is the expected one) assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' - - - # response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) - # assert response.status_code == 200, f"The response is not the expected. Actual response {response.text}" - - # indexed_alert = json.dumps(response.json()) - - # try: - # match = re.search(expected_api_alert, indexed_alert) - # assert match is not None, 'The alert was triggered but not indexed' - # except AssertionError as exc: - # err_msg = 'THe alert was not triggered' - # evm.check_event(callback=expected_alert, file_to_monitor=alerts_json, error_message='The alert has not occurred') - # raise AssertionError(exc.args[0]) From fa91fde22ecb1068d3d61c74440b693ff9117d3a Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Wed, 15 Jun 2022 21:13:24 -0300 Subject: [PATCH 087/552] add: now it is possible to pass extra vars to the configuration playbooks. #2887 --- tests/end_to_end/conftest.py | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 4529d49a3e..96b072bf8b 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py 
@@ -66,7 +66,13 @@ def configure_environment(request): # For each configuration playbook previously declared in the test, get the complete path and run it for playbook in getattr(request.module, 'configuration_playbooks'): configuration_playbook_path = os.path.join(getattr(request.module, 'test_data_path'), 'playbooks', playbook) - ansible_runner.run(playbook=configuration_playbook_path, inventory=inventory_playbook) + parameters = {'playbook': configuration_playbook_path, 'inventory': inventory_playbook} + + # Check if the module has extra variables to pass to the playbook + configuration_extra_vars = getattr(request.module, 'configuration_extra_vars') + parameters.update({'extravars': configuration_extra_vars}) + + ansible_runner.run(**parameters) @pytest.fixture(scope='function') From 33a8a6a58fb34dc955f8528cbaa9411548eec0e7 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Wed, 15 Jun 2022 21:19:49 -0300 Subject: [PATCH 088/552] fix: dont fail when the extra vars attribute is absent. #2887 --- tests/end_to_end/conftest.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 96b072bf8b..5c1be8d561 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -69,7 +69,7 @@ def configure_environment(request): parameters = {'playbook': configuration_playbook_path, 'inventory': inventory_playbook} # Check if the module has extra variables to pass to the playbook - configuration_extra_vars = getattr(request.module, 'configuration_extra_vars') + configuration_extra_vars = getattr(request.module, 'configuration_extra_vars', None) parameters.update({'extravars': configuration_extra_vars}) ansible_runner.run(**parameters) From 6810e30690f029a5a03a228bca84146e971e7fb3 Mon Sep 17 00:00:00 2001 
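Review bot: With the `None` default, `parameters.update({'extravars': configuration_extra_vars})` still runs for every module, so `ansible_runner.run(**parameters)` now always receives an explicit `extravars=None` even when the test declares no extra variables; whether ansible-runner treats that like an omitted argument is not visible here, and the comment above the line ('Check if the module has extra variables') promises a check the code does not perform. Adding the key only when present keeps the call identical to the previous one for modules without extra vars: `if configuration_extra_vars is not None:` / `    parameters['extravars'] = configuration_extra_vars`. `configure_environment` starts outside this hunk.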
From: Mauro Malara Date: Wed, 15 Jun 2022 21:22:06 -0300 Subject: [PATCH 089/552] add: added a module to test osquery integration. #2887 --- .../configuration/osquery_integration.json | 22 +++++ .../data/playbooks/configuration.yaml | 71 ++++++++++++++++ .../data/playbooks/generate_events.yaml | 24 ++++++ .../cases_test_osquery_integration.yaml | 13 +++ .../test_osquery_integration.py | 82 +++++++++++++++++++ 5 files changed, 212 insertions(+) create mode 100644 tests/end_to_end/test_osquery_integration/data/configuration/osquery_integration.json create mode 100644 tests/end_to_end/test_osquery_integration/data/playbooks/configuration.yaml create mode 100644 tests/end_to_end/test_osquery_integration/data/playbooks/generate_events.yaml create mode 100644 tests/end_to_end/test_osquery_integration/data/test_cases/cases_test_osquery_integration.yaml create mode 100644 tests/end_to_end/test_osquery_integration/test_osquery_integration.py diff --git a/tests/end_to_end/test_osquery_integration/data/configuration/osquery_integration.json b/tests/end_to_end/test_osquery_integration/data/configuration/osquery_integration.json new file mode 100644 index 0000000000..079061e8a7 --- /dev/null +++ b/tests/end_to_end/test_osquery_integration/data/configuration/osquery_integration.json 
@@ -0,0 +1,22 @@ +{ + "options": { + "config_plugin": "filesystem", + "logger_plugin": "filesystem", + "utc": "true" + }, + "schedule": { + "low_free_memory": { + "query": "SELECT memory_total, memory_free, CAST(memory_free AS real) / memory_total AS memory_free_perc, '10%' AS threshold FROM memory_info WHERE memory_free_perc < 0.1;", + "interval": 60, + "description": "Free RAM is under 10%." + } + }, + "packs": { + "osquery-monitoring": "/opt/osquery/share/osquery/packs/osquery-monitoring.conf", + "incident-response": "/opt/osquery/share/osquery/packs/incident-response.conf", + "it-compliance": "/opt/osquery/share/osquery/packs/it-compliance.conf", + "vuln-management": "/opt/osquery/share/osquery/packs/vuln-management.conf", + "hardware-monitoring": "/opt/osquery/share/osquery/packs/hardware-monitoring.conf", + "ossec-rootkit": "/opt/osquery/share/osquery/packs/ossec-rootkit.conf" + } +} \ No newline at end of file diff --git a/tests/end_to_end/test_osquery_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_osquery_integration/data/playbooks/configuration.yaml new file mode 100644 index 0000000000..d958496a69 --- /dev/null +++ b/tests/end_to_end/test_osquery_integration/data/playbooks/configuration.yaml 
@@ -0,0 +1,71 @@ +--- +- name: Test configuration + hosts: wazuh-manager + become: True + tasks: + + - name: Check if Osquery is installed or not on CentOS + command: rpm -q osquery + register: osquery_check + when: ansible_facts['distribution'] == "CentOS" + + - name: Install Osquery on CentOS + shell: > + curl -L https://pkg.osquery.io/rpm/GPG | tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery + yum-config-manager --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo + yum-config-manager --enable osquery-s3-rpm-repo + yum -y install osquery + when: (ansible_facts['distribution'] == "CentOS" and "is not installed" in osquery_check.stdout) + + - name: Configure Osquery + copy: + src: "{{ configuration_file }}" + dest: /etc/osquery/osquery.conf + owner: root + group: root + mode: '0644' + backup: yes + + - name: Configure the Osquery module + blockinfile: + path: /var/ossec/etc/ossec.conf + marker: "" + insertbefore: "^" + block: | + + no + yes + /usr/bin + /var/log/osquery/osqueryd.results.log + /etc/osquery/osquery.conf + no + + + - name: Enable and start Osquery + shell: systemctl enable osqueryd && systemctl start osqueryd + + - name: Restart the manager + shell: systemctl restart wazuh-manager + + - name: Check if stress is installed or not on CentOS + command: rpm -q stress + register: stress_check + when: ansible_facts['distribution'] == "CentOS" + + - name: Install stress + shell: > + yum install -y epel-release + yum -y install stress + when: (ansible_facts['distribution'] == "CentOS" and "is not installed" in stress_check.stdout) + + - name: Unzip Wazuh installation files + unarchive: + src: /root/wazuh-install-files.tar + dest: /root + remote_src: yes + + - name: Get credentials file + fetch: + src: /root/wazuh-install-files/passwords.wazuh + dest: /tmp/ + flat: yes 
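Review bot: The 'Install Osquery on CentOS' and 'Install stress' tasks use a folded block scalar (`shell: >`), which joins the following lines with spaces into one command line, so the key download becomes `curl -L … | tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery yum-config-manager --add-repo …` and the repository is never configured, while the stress task collapses into a single `yum` call with `yum`, `install` and `stress` as extra package names; a literal block scalar, `shell: |`, runs each line as its own command. The `rpm -q osquery` / `rpm -q stress` checks presumably exit non-zero when the package is absent, which would fail the `command` task before the `when: "is not installed" in …stdout` condition of the install task is evaluated — `failed_when: false` on the two check tasks, or replacing check-plus-install with `package: name=osquery state=present`, avoids that. The repository signing key is fetched with `curl -L … | tee` and trusted without comparing its fingerprint, and 'Get credentials file' copies `passwords.wazuh` into `/tmp/` on the controller with default permissions; ship the key with the test data (or verify its fingerprint after download) and fetch the credentials into a private directory. The same `shell: >` folding appears in the 'Install netcat (Ubuntu)' task of test_netcat/data/playbooks/configuration.yaml further down this page.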
diff --git a/tests/end_to_end/test_osquery_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_osquery_integration/data/playbooks/generate_events.yaml new file mode 100644 index 0000000000..0c2d37b29a --- /dev/null +++ b/tests/end_to_end/test_osquery_integration/data/playbooks/generate_events.yaml @@ -0,0 +1,24 @@ +--- +- name: Generate events + hosts: wazuh-manager + become: True + tasks: + + - name: Truncate alerts file + shell: echo "" > /var/ossec/logs/alerts/alerts.json + + - name: Truncate osquery results file + shell: echo "" > /var/log/osquery/osqueryd.results.log + + - name: "{{ event_description }}" + shell: "{{ command }}" + + - name: Wait for alerts to be generated + wait_for: + timeout: 5 + + - name: Get alerts.json + fetch: + src: /var/ossec/logs/alerts/alerts.json + dest: /tmp/ + flat: yes diff --git a/tests/end_to_end/test_osquery_integration/data/test_cases/cases_test_osquery_integration.yaml b/tests/end_to_end/test_osquery_integration/data/test_cases/cases_test_osquery_integration.yaml new file mode 100644 index 0000000000..f1bd3f67e8 --- /dev/null +++ b/tests/end_to_end/test_osquery_integration/data/test_cases/cases_test_osquery_integration.yaml @@ -0,0 +1,13 @@ +--- +- name: low_free_memory + description: Test if an osquery alert is generated when the host is stressed + configuration_parameters: null + metadata: + rule.id: "24012" + rule.description: "osquery: System memory is under 10%" + rule.level: 4 + extra: + data.osquery.name: "low_free_memory" + extra_vars: + event_description: Stress system memory + command: stress --vm-bytes $(awk '/MemAvailable/{printf "%d\n", $2 * 0.98;}' < /proc/meminfo)k --vm-keep -m 1 -t 60 diff --git a/tests/end_to_end/test_osquery_integration/test_osquery_integration.py b/tests/end_to_end/test_osquery_integration/test_osquery_integration.py new file mode 100644 index 0000000000..8614680f79 --- /dev/null +++ b/tests/end_to_end/test_osquery_integration/test_osquery_integration.py 
@@ -0,0 +1,82 @@ +import os +import json +import re +import pytest +from datetime import datetime +from tempfile import gettempdir +from time import sleep + +import wazuh_testing as fw +from wazuh_testing.tools.time import parse_date_time_format +from wazuh_testing import end_to_end as e2e +from wazuh_testing import event_monitor as evm +from wazuh_testing.tools import configuration as config + + +test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') +test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_test_osquery_integration.yaml') +osquery_configuration_file_path = os.path.join(test_data_path, 'configuration', 'osquery_integration.json') +alerts_json = os.path.join(gettempdir(), 'alerts.json') +configuration_playbooks = ['configuration.yaml'] +configuration_extra_vars = {'configuration_file': osquery_configuration_file_path} +events_playbooks = ['generate_events.yaml'] + +configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) + + + +@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') +@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) +def test_osquery_integration(configure_environment, metadata, get_dashboard_credentials, generate_events, + clean_environment): + rule_level = metadata['rule.level'] + rule_description = metadata['rule.description'] + rule_id = metadata['rule.id'] + osquery_name = metadata['extra']['data.osquery.name'] + + expected_alert_json = fr".+timestamp\":\"(.+)\".+level\":{rule_level},\"description\":\"{rule_description}\"," \ + fr"\"id\":\"{rule_id}\".+osquery\":.+\"name\":\"{osquery_name}\"" + + expected_indexed_alert = fr".+osquery\":.+\"name\": \"{osquery_name}\".+level\": {rule_level}, " \ + fr"\"description\": \"{rule_description}\".+\"id\": \"{rule_id}\"" \ + r'.+"timestamp": "(.+)"' + + query = e2e.make_query([ + { + "term": { + "rule.id": f"{rule_id}" + } + }, + { + "term": { + 
"data.osquery.name": f"{osquery_name}" + } + } + ]) + + # Check that alert has been raised and save timestamp + raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + error_message='The alert has not occurred').result() + raised_alert_timestamp = raised_alert.group(1) + raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') + + # Wait a few seconds for the alert to be indexed (alert.json -> filebeat -> wazuh-indexer) + sleep(fw.T_5) + + # Get indexed alert + get_dashboard_credentials['user'] = get_dashboard_credentials['user'].replace("'",'') + get_dashboard_credentials['password'] = get_dashboard_credentials['password'].replace("'",'') + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + indexed_alert = json.dumps(response.json()) + + + # Check that the alert data is the expected one + alert_data = re.search(expected_indexed_alert, indexed_alert) + assert alert_data is not None, 'Alert triggered, but not indexed' + + # Get indexed alert timestamp + indexed_alert_timestamp = alert_data.group(1) + indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), '%Y-%m-%d %H:%M:%S') + + # Check that alert has been indexed (checking that the timestamp is the expected one) + assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' From ced7d8990b0043155fe47e9532b36bae152b0bc0 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Thu, 16 Jun 2022 10:31:43 -0300 Subject: [PATCH 090/552] add: rule.level added to regex. #2935 --- ...cker_monitoring.yaml => cases_docker_monitoring.yaml} | 4 ++++ .../test_docker_monitoring/test_docker_monitoring.py | 9 +++++---- 2 files changed, 9 insertions(+), 4 deletions(-) rename tests/end_to_end/test_docker_monitoring/data/test_cases/{cases_test_docker_monitoring.yaml => cases_docker_monitoring.yaml} (95%) 
diff --git a/tests/end_to_end/test_docker_monitoring/data/test_cases/cases_test_docker_monitoring.yaml b/tests/end_to_end/test_docker_monitoring/data/test_cases/cases_docker_monitoring.yaml similarity index 95% rename from tests/end_to_end/test_docker_monitoring/data/test_cases/cases_test_docker_monitoring.yaml rename to tests/end_to_end/test_docker_monitoring/data/test_cases/cases_docker_monitoring.yaml index 4d924cec10..d730163051 100644 --- a/tests/end_to_end/test_docker_monitoring/data/test_cases/cases_test_docker_monitoring.yaml +++ b/tests/end_to_end/test_docker_monitoring/data/test_cases/cases_docker_monitoring.yaml @@ -5,6 +5,7 @@ metadata: rule.id: '87932' rule.description: 'Docker: Image or repository nginx pulled' + rule.level: 3 extra: data.docker.Action: pull extra_vars: @@ -17,6 +18,7 @@ metadata: rule.id: '87903' rule.description: 'Docker: Container nginx_container started' + rule.level: 3 extra: data.docker.Action: start extra_vars: @@ -29,6 +31,7 @@ metadata: rule.id: '87908' rule.description: 'Docker: Started shell session in container nginx_container' + rule.level: 5 extra: data.docker.Action: 'exec_start: /bin/bash ' extra_vars: @@ -41,6 +44,7 @@ metadata: rule.id: '87902' rule.description: 'Docker: Container nginx_container destroyed' + rule.level: 5 extra: data.docker.Action: destroy extra_vars: diff --git a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py index 68726fce26..1ad6bd337f 100644 --- a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py +++ b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py 
@@ -28,11 +28,12 @@ def test_docker_monitoring(configure_environment, metadata, get_dashboard_creden clean_environment): rule_description = metadata['rule.description'] rule_id = metadata['rule.id'] + rule_level = metadata['rule.level'] docker_action = metadata['extra']['data.docker.Action'] - expected_api_alert = f".+\"Action\": \"({docker_action})\".+\"description\": \"({rule_description})\".+\"id\": " \ - f"\"({rule_id})\"" - expected_log_alert = f".+\"description\":\"({rule_description})\".+\"id\":\"({rule_id})\"" \ - f".+\"Action\":\"({docker_action})\"" + expected_api_alert = f".+Action.+{docker_action}.+level.+{rule_level}.+description.+{rule_description}.+" \ + f"id.+{rule_id}.+" + expected_log_alert = f".+level.+{rule_level}.+description.+{rule_description}.+id.+{rule_id}.+" \ + f"Action.+{docker_action}.+" query = e2e.make_query([ { From 034115e5e237de5dd954968034cc04354b0d38b1 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Thu, 16 Jun 2022 10:52:01 -0300 Subject: [PATCH 091/552] fix: added linter errors --- .../data/playbooks/configuration.yaml | 42 +++++++++---------- .../data/test_cases/cases_netcat.yaml | 2 +- tests/end_to_end/test_netcat/test_netcat.py | 6 +-- 3 files changed, 25 insertions(+), 25 deletions(-) diff --git a/tests/end_to_end/test_netcat/data/playbooks/configuration.yaml b/tests/end_to_end/test_netcat/data/playbooks/configuration.yaml index 2ebf32b773..67ac458e7b 100644 --- a/tests/end_to_end/test_netcat/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_netcat/data/playbooks/configuration.yaml @@ -3,15 +3,15 @@ tasks: - name: Install netcat (CentOS) - become: True + become: true shell: yum install -y nmap-ncat when: ansible_facts['distribution'] == "CentOS" - name: Install netcat (Ubuntu) - become: True + become: true shell: > - apt-get install netcat - apt-get -y install nmap + apt-get install netcat + apt-get -y install nmap when: ansible_facts['distribution'] == "Ubuntu" - name: Test manager configuration 
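Review bot: The rewritten regexes no longer tie a value to its key — `level.+{rule_level}` matches the word `level` followed anywhere later by `3`, and `id.+{rule_id}` matches `87932` wherever it appears after any `id` (agent id, `_id`, rule id), so an alert with the right id but a different level, or vice versa, still passes. Keep the values attached to their keys, e.g. `f'\"level\": {rule_level}'` and `f'\"id\": \"{rule_id}\"'` in the indexed form as the previous patterns did, and pass `rule_description` and `docker_action` through `re.escape`, since they come from test data. If the backslash quoting was the motivation for the change, an `fr'...'` string avoids it without dropping the anchoring. test_docker_monitoring continues outside this hunk.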
@@ -19,25 +19,25 @@ tasks: - name: Configure manager to periodically get a list of running processes - become: True + become: true blockinfile: - path: /var/ossec/etc/ossec.conf - insertbefore: "" - block: | - - full_command - process list - ps -e -o pid,uname,command - 30 - - marker: "" + path: /var/ossec/etc/ossec.conf + insertbefore: + block: | + + full_command + process list + ps -e -o pid,uname,command + 30 + + marker: - name: Configure local rules - become: True + become: true blockinfile: - path: /var/ossec/etc/rules/local_rules.xml - insertafter: "" - block: | + path: /var/ossec/etc/rules/local_rules.xml + insertafter: + block: | 530 @@ -52,8 +52,8 @@ process_monitor, - marker: "" + marker: - name: Restart wazuh-manager - become: True + become: true shell: systemctl restart wazuh-manager diff --git a/tests/end_to_end/test_netcat/data/test_cases/cases_netcat.yaml b/tests/end_to_end/test_netcat/data/test_cases/cases_netcat.yaml index 6615e8ba27..9ba26c967c 100644 --- a/tests/end_to_end/test_netcat/data/test_cases/cases_netcat.yaml +++ b/tests/end_to_end/test_netcat/data/test_cases/cases_netcat.yaml @@ -9,4 +9,4 @@ command_kill_netcat: pkill -fx 'nc -l 8000' rule.id: 100051 rule.level: 7 - rule.description: "Netcat listening for incoming connections." + rule.description: Netcat listening for incoming connections. diff --git a/tests/end_to_end/test_netcat/test_netcat.py b/tests/end_to_end/test_netcat/test_netcat.py index 194022260f..4bbb4c6804 100644 --- a/tests/end_to_end/test_netcat/test_netcat.py +++ b/tests/end_to_end/test_netcat/test_netcat.py 
@@ -5,12 +5,12 @@ from datetime import datetime from tempfile import gettempdir +from wazuh_testing.tools.time import parse_date_time_format from wazuh_testing.tools import configuration as config from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm -from wazuh_testing.tools.time import parse_date_time_format -## Test cases data +# Test cases data alerts_json = os.path.join(gettempdir(), 'alerts.json') test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_netcat.yaml') @@ -19,7 +19,7 @@ configuration_playbooks = ['configuration.yaml'] events_playbooks = ['generate_events.yaml'] -#Configuration +# Configuration configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) From 47d50e0d374ac96974041de58c945145e0b66d09 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Thu, 16 Jun 2022 10:55:06 -0300 Subject: [PATCH 092/552] fix: linter error in generat events yaml --- .../end_to_end/test_netcat/data/playbooks/generate_events.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/test_netcat/data/playbooks/generate_events.yaml b/tests/end_to_end/test_netcat/data/playbooks/generate_events.yaml index f70910aa56..e5e8b80ade 100644 --- a/tests/end_to_end/test_netcat/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_netcat/data/playbooks/generate_events.yaml @@ -4,7 +4,7 @@ - name: Truncate file alert.json shell: echo "" > /var/ossec/logs/alerts/alerts.json - become: True + become: true - name: Generate events hosts: wazuh-agent From 10de6d15f6ff7b7343b3434ea735b85146fe2fd4 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Thu, 16 Jun 2022 11:07:52 -0300 Subject: [PATCH 093/552] fix: linter errors in configuration yaml --- .../data/playbooks/configuration.yaml | 42 +++++++++---------- 1 file changed, 21 insertions(+), 21 deletions(-) 
diff --git a/tests/end_to_end/test_netcat/data/playbooks/configuration.yaml b/tests/end_to_end/test_netcat/data/playbooks/configuration.yaml index 67ac458e7b..d25bd5c9b1 100644 --- a/tests/end_to_end/test_netcat/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_netcat/data/playbooks/configuration.yaml @@ -24,13 +24,13 @@ path: /var/ossec/etc/ossec.conf insertbefore: block: | - - full_command - process list - ps -e -o pid,uname,command - 30 - - marker: + + full_command + process list + ps -e -o pid,uname,command + 30 + + marker: - name: Configure local rules become: true @@ -38,20 +38,20 @@ path: /var/ossec/etc/rules/local_rules.xml insertafter: block: | - - - 530 - ^ossec: output: 'process list' - List of running processes. - process_monitor, - - - 100050 - nc -l - Netcat listening for incoming connections. - process_monitor, - - + + + 530 + ^ossec: output: 'process list' + List of running processes. + process_monitor, + + + 100050 + nc -l + Netcat listening for incoming connections. + process_monitor, + + marker: - name: Restart wazuh-manager From db3887e2f8eb5abe66564934447adf0bb6170654 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Thu, 16 Jun 2022 11:17:00 -0300 Subject: [PATCH 094/552] fix: linter error in configuration yaml and generate events yaml --- .../data/playbooks/configuration.yaml | 32 +++++++++---------- .../data/playbooks/generate_events.yaml | 2 +- 2 files changed, 17 insertions(+), 17 deletions(-) diff --git a/tests/end_to_end/test_netcat/data/playbooks/configuration.yaml b/tests/end_to_end/test_netcat/data/playbooks/configuration.yaml index d25bd5c9b1..0847cc1ec1 100644 --- a/tests/end_to_end/test_netcat/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_netcat/data/playbooks/configuration.yaml @@ -25,10 +25,10 @@ insertbefore: block: | - full_command - process list - ps -e -o pid,uname,command - 30 + full_command + process list + ps -e -o pid,uname,command + 30 marker: 
@@ -39,18 +39,18 @@ insertafter: block: | - - 530 - ^ossec: output: 'process list' - List of running processes. - process_monitor, - - - 100050 - nc -l - Netcat listening for incoming connections. - process_monitor, - + + 530 + ^ossec: output: 'process list' + List of running processes. + process_monitor, + + + 100050 + nc -l + Netcat listening for incoming connections. + process_monitor, + marker: diff --git a/tests/end_to_end/test_netcat/data/playbooks/generate_events.yaml b/tests/end_to_end/test_netcat/data/playbooks/generate_events.yaml index e5e8b80ade..327347cf73 100644 --- a/tests/end_to_end/test_netcat/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_netcat/data/playbooks/generate_events.yaml @@ -30,5 +30,5 @@ fetch: src: /var/ossec/logs/alerts/alerts.json dest: /tmp/ - flat: yes + flat: true become: true From 3baa409773dec6b57996240c9dfbe89bdaf83918 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Thu, 16 Jun 2022 12:27:16 -0300 Subject: [PATCH 095/552] fix(test)!: test cases file renamed. #2935 --- .../end_to_end/test_docker_monitoring/test_docker_monitoring.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py index 1ad6bd337f..750bda6015 100644 --- a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py +++ b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py @@ -11,7 +11,7 @@ # Test cases data test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') test_cases_path = os.path.join(test_data_path, 'test_cases') -test_cases_file_path = os.path.join(test_cases_path, 'cases_test_docker_monitoring.yaml') +test_cases_file_path = os.path.join(test_cases_path, 'cases_docker_monitoring.yaml') alerts_json = os.path.join(gettempdir(), 'alerts.json') # Playbooks From b50405915f4d3c5bea22fd3fefa676e5d3d8bb9d Mon Sep 17 00:00:00 2001 
From: Mauro Malara Date: Thu, 16 Jun 2022 12:43:07 -0300 Subject: [PATCH 096/552] fix(test)!: credentials are now extracted correctly. #2935 --- .../test_docker_monitoring/test_docker_monitoring.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py index 750bda6015..964c1c4d42 100644 --- a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py +++ b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py @@ -52,6 +52,9 @@ def test_docker_monitoring(configure_environment, metadata, get_dashboard_creden } } ]) + + get_dashboard_credentials['user'] = get_dashboard_credentials['user'].replace("'",'') + get_dashboard_credentials['password'] = get_dashboard_credentials['password'].replace("'",'') response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) assert response.status_code == 200, f"The response is not the expected. Actual response {response.text}" From f2012313903d5f5531b0f6d8b46d9fbfd03bc089 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Thu, 16 Jun 2022 13:30:23 -0300 Subject: [PATCH 097/552] fix(linter): linter corrections applied. #2935 --- .../data/playbooks/configuration.yaml | 43 +++++++------------ .../data/playbooks/generate_events.yaml | 5 +-- .../test_cases/cases_docker_monitoring.yaml | 1 - 3 files changed, 16 insertions(+), 33 deletions(-) diff --git a/tests/end_to_end/test_docker_monitoring/data/playbooks/configuration.yaml b/tests/end_to_end/test_docker_monitoring/data/playbooks/configuration.yaml index 77d4ee0e88..96ea90e068 100644 --- a/tests/end_to_end/test_docker_monitoring/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_docker_monitoring/data/playbooks/configuration.yaml 
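Review bot: Stripping `'` from `get_dashboard_credentials['user']` and `['password']` inside the test body works around a quoting problem in wherever the credentials are parsed (presumably the fixture that reads `passwords.wazuh`), mutates the shared fixture dict in place, and silently alters any password that legitimately contains a single quote. The fixture should hand back already-unquoted values — `value.strip("'")` at the point of parsing — so every test gets clean credentials without repeating this. test_docker_monitoring starts before this hunk and continues after it.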
@@ -1,10 +1,15 @@ ---- - name: Test case configuration hosts: wazuh-manager + become: true tasks: + - name: Check if Docker is installed or not on CentOS + command: rpm -q docker + register: docker_check + when: ansible_facts['distribution'] == "CentOS" + ignore_errors: true + - name: Uninstall old versions of Docker (CentOS) - become: True shell: > yum -y remove docker docker-client @@ -18,56 +23,38 @@ docker-ce-cli containerd.io docker-compose-plugin - when: ansible_facts['distribution'] == "CentOS" - - - name: Uninstall old versions of Docker (Ubuntu) - become: True - shell: > - apt-get -y remove docker - docker-engine - docker.io - containerd - runc && apt-get -y purge docker-ce - docker-ce-cli - containerd.io - docker-compose-plugin - when: ansible_facts['distribution'] == "Ubuntu" + when: (ansible_facts['distribution'] == "CentOS" and "is not installed" not in docker_check.stdout) - name: Install Docker using the convenience script - become: True shell: curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh + when: ("is not installed" in docker_check.stdout) - name: Start Docker with systemd - become: True shell: systemctl stop docker && systemctl stop docker.socket && systemctl start docker - name: Configure the docker-listener module - become: True blockinfile: path: /var/ossec/etc/ossec.conf - insertbefore: "^" + insertbefore: ^ block: | - 10m - 5 - yes - no + 10m + 5 + yes + no - marker: "" + marker: - name: Restart wazuh-manager - become: True shell: systemctl restart wazuh-manager - name: Unzip Wazuh installation files - become: True unarchive: src: /root/wazuh-install-files.tar dest: /root remote_src: yes - name: Get credentials file - become: True fetch: src: /root/wazuh-install-files/passwords.wazuh dest: /tmp/ diff --git a/tests/end_to_end/test_docker_monitoring/data/playbooks/generate_events.yaml b/tests/end_to_end/test_docker_monitoring/data/playbooks/generate_events.yaml index 40d2a237c9..a60f108381 100644 
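Review bot: The `when: ("is not installed" in docker_check.stdout)` added on the install task reads a variable that is only registered when `ansible_facts['distribution'] == "CentOS"`; on any other host the skipped task's result has no `stdout`, so the play fails on an undefined attribute rather than installing Docker. Guard it with `when: docker_check is not skipped and "is not installed" in docker_check.stdout`, or drop the distribution filter on the check task altogether. The install itself runs `curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh` as root (the play now carries `become: true`) with no pinned version or checksum, which is tolerable for a disposable lab but deserves a comment such as `# Unpinned remote install script executed as root; lab environments only`. Finally the `fetch` of `/root/wazuh-install-files/passwords.wazuh` to `dest: /tmp/` drops the cluster credentials into a world-readable directory on the controller; a per-run private directory would be the safer destination.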
--- a/tests/end_to_end/test_docker_monitoring/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_docker_monitoring/data/playbooks/generate_events.yaml @@ -1,14 +1,12 @@ ---- - name: Generate events in the manager hosts: wazuh-manager + become: true tasks: - name: Truncate alerts file shell: echo "" > /var/ossec/logs/alerts/alerts.json - become: True - name: "{{ event_description }}" - become: True shell: "{{ command }}" - name: Wait for alerts to be generated @@ -20,4 +18,3 @@ src: /var/ossec/logs/alerts/alerts.json dest: /tmp/ flat: yes - become: True diff --git a/tests/end_to_end/test_docker_monitoring/data/test_cases/cases_docker_monitoring.yaml b/tests/end_to_end/test_docker_monitoring/data/test_cases/cases_docker_monitoring.yaml index d730163051..0b67665273 100644 --- a/tests/end_to_end/test_docker_monitoring/data/test_cases/cases_docker_monitoring.yaml +++ b/tests/end_to_end/test_docker_monitoring/data/test_cases/cases_docker_monitoring.yaml @@ -1,4 +1,3 @@ ---- - name: docker_pull description: Test if an alert is generated when using the `pull` command. configuration_parameters: null From a840d2ae59090658c1779272dc857057b7f840c6 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Thu, 16 Jun 2022 13:37:16 -0300 Subject: [PATCH 098/552] fix(linter): linter corrections applied (yes replaced by true). #2935 --- .../test_docker_monitoring/data/playbooks/configuration.yaml | 4 ++-- .../data/playbooks/generate_events.yaml | 2 +- .../test_docker_monitoring/test_docker_monitoring.py | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/tests/end_to_end/test_docker_monitoring/data/playbooks/configuration.yaml b/tests/end_to_end/test_docker_monitoring/data/playbooks/configuration.yaml index 96ea90e068..3bc5690ca8 100644 --- a/tests/end_to_end/test_docker_monitoring/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_docker_monitoring/data/playbooks/configuration.yaml 
@@ -52,10 +52,10 @@ unarchive: src: /root/wazuh-install-files.tar dest: /root - remote_src: yes + remote_src: true - name: Get credentials file fetch: src: /root/wazuh-install-files/passwords.wazuh dest: /tmp/ - flat: yes + flat: true diff --git a/tests/end_to_end/test_docker_monitoring/data/playbooks/generate_events.yaml b/tests/end_to_end/test_docker_monitoring/data/playbooks/generate_events.yaml index a60f108381..cda5dfd3df 100644 --- a/tests/end_to_end/test_docker_monitoring/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_docker_monitoring/data/playbooks/generate_events.yaml @@ -17,4 +17,4 @@ fetch: src: /var/ossec/logs/alerts/alerts.json dest: /tmp/ - flat: yes + flat: true diff --git a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py index 964c1c4d42..ce76997d70 100644 --- a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py +++ b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py @@ -53,8 +53,8 @@ def test_docker_monitoring(configure_environment, metadata, get_dashboard_creden } ]) - get_dashboard_credentials['user'] = get_dashboard_credentials['user'].replace("'",'') - get_dashboard_credentials['password'] = get_dashboard_credentials['password'].replace("'",'') + get_dashboard_credentials['user'] = get_dashboard_credentials['user'].replace("'", '') + get_dashboard_credentials['password'] = get_dashboard_credentials['password'].replace("'", '') response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) assert response.status_code == 200, f"The response is not the expected. Actual response {response.text}" From 2f76f5822ace87481dadf1a515869a58dbb3c1fa Mon Sep 17 00:00:00 2001 
From: Belen Valdivia Date: Thu, 16 Jun 2022 14:43:59 -0300 Subject: [PATCH 099/552] fix: changed command to install netcat in ubuntu --- .../data/playbooks/configuration.yaml | 36 ++++++++++--------- 1 file changed, 19 insertions(+), 17 deletions(-) diff --git a/tests/end_to_end/test_netcat/data/playbooks/configuration.yaml b/tests/end_to_end/test_netcat/data/playbooks/configuration.yaml index 0847cc1ec1..0f2be15765 100644 --- a/tests/end_to_end/test_netcat/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_netcat/data/playbooks/configuration.yaml @@ -2,23 +2,7 @@ hosts: wazuh-agent tasks: - - name: Install netcat (CentOS) - become: true - shell: yum install -y nmap-ncat - when: ansible_facts['distribution'] == "CentOS" - - - name: Install netcat (Ubuntu) - become: true - shell: > - apt-get install netcat - apt-get -y install nmap - when: ansible_facts['distribution'] == "Ubuntu" - -- name: Test manager configuration - hosts: wazuh-manager - tasks: - - - name: Configure manager to periodically get a list of running processes + - name: Configure agent to get a list of running processes become: true blockinfile: path: /var/ossec/etc/ossec.conf @@ -32,6 +16,24 @@ marker: + - name: Restart wazuh-agent + become: true + shell: systemctl restart wazuh-agent + + - name: Install netcat (CentOS) + become: true + shell: yum install -y nmap-ncat + when: ansible_facts['distribution'] == "CentOS" + + - name: Install netcat (Ubuntu) + become: true + shell: apt install ncat nmap -y + when: ansible_facts['distribution'] == "Ubuntu" + +- name: Test manager configuration + hosts: wazuh-manager + tasks: + - name: Configure local rules become: true blockinfile: From be397a6c1614df98c13b422110389a1d656d6eb8 Mon Sep 17 00:00:00 2001 
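Review bot: Both netcat install tasks added in this hunk shell out (`yum install -y nmap-ncat`, `apt install ncat nmap -y`) instead of using the `yum`/`apt` modules, so they are not idempotent, never refresh the package index (the Ubuntu one can fail on a fresh image), and `apt`'s CLI itself warns that its interface is not stable for scripts. The package modules handle the confirmation flag and cache refresh and report changed/unchanged correctly; rewriting the two tasks with them leaves the rest of the play untouched. Whether `nmap` is actually needed alongside `ncat` on Ubuntu is not visible here, so the package list is kept as is.

```yaml
  - name: Install netcat (CentOS)
    become: true
    yum:
      name: nmap-ncat
      state: present
    when: ansible_facts['distribution'] == "CentOS"

  - name: Install netcat (Ubuntu)
    become: true
    apt:
      name: [ncat, nmap]
      state: present
      update_cache: true
    when: ansible_facts['distribution'] == "Ubuntu"
```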
From: Mauro Malara Date: Thu, 16 Jun 2022 18:39:36 -0300 Subject: [PATCH 100/552] refac: tasks to get credentials removed and some fixes to the configuration playbook. #2935 --- .../data/playbooks/configuration.yaml | 32 ++----------------- .../test_docker_monitoring.py | 2 -- 2 files changed, 2 insertions(+), 32 deletions(-) diff --git a/tests/end_to_end/test_docker_monitoring/data/playbooks/configuration.yaml b/tests/end_to_end/test_docker_monitoring/data/playbooks/configuration.yaml index 3bc5690ca8..3ae36440c6 100644 --- a/tests/end_to_end/test_docker_monitoring/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_docker_monitoring/data/playbooks/configuration.yaml @@ -4,30 +4,14 @@ tasks: - name: Check if Docker is installed or not on CentOS - command: rpm -q docker + command: docker info register: docker_check when: ansible_facts['distribution'] == "CentOS" ignore_errors: true - - name: Uninstall old versions of Docker (CentOS) - shell: > - yum -y remove docker - docker-client - docker-client-latest - docker-common - docker-latest - docker-latest-logrotate - docker-logrotate - docker-engine - docker-ce - docker-ce-cli - containerd.io - docker-compose-plugin - when: (ansible_facts['distribution'] == "CentOS" and "is not installed" not in docker_check.stdout) - - name: Install Docker using the convenience script shell: curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh - when: ("is not installed" in docker_check.stdout) + when: docker_check.rc != 0 - name: Start Docker with systemd shell: systemctl stop docker && systemctl stop docker.socket && systemctl start docker @@ -47,15 +31,3 @@ - name: Restart wazuh-manager shell: systemctl restart wazuh-manager - - - name: Unzip Wazuh installation files - unarchive: - src: /root/wazuh-install-files.tar - dest: /root - remote_src: true - - - name: Get credentials file - fetch: - src: /root/wazuh-install-files/passwords.wazuh - dest: /tmp/ - flat: true 
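Review bot: `when: docker_check.rc != 0` on the install task still depends on a register that only happens on CentOS (the `when:` on the check task is unchanged in this hunk), so on any other distribution the skipped result has no `rc` and the play aborts with an undefined-attribute error before Docker is installed. Since `docker info` is distribution-agnostic, drop the `when:` from the check task and prefer `failed_when: false` over `ignore_errors: true` so the run log stays clean; failing that, `when: (docker_check.rc | default(1)) != 0` at least degrades to "install". The convenience-script install remains an unpinned `curl … && sh get-docker.sh` executed as root; a one-line comment marking it lab-only would help the next reader.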
diff --git a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py index ce76997d70..988ce659d7 100644 --- a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py +++ b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py @@ -53,8 +53,6 @@ def test_docker_monitoring(configure_environment, metadata, get_dashboard_creden } ]) - get_dashboard_credentials['user'] = get_dashboard_credentials['user'].replace("'", '') - get_dashboard_credentials['password'] = get_dashboard_credentials['password'].replace("'", '') response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) assert response.status_code == 200, f"The response is not the expected. Actual response {response.text}" From 36b2041ccde824b50f63d79895dc0ba2dfbf12c4 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Thu, 16 Jun 2022 21:03:02 -0300 Subject: [PATCH 101/552] refac: test refactored to follow the e2e tests standard. #2935 --- .../test_docker_monitoring.py | 46 +++++++++++++------ 1 file changed, 32 insertions(+), 14 deletions(-) diff --git a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py index 988ce659d7..578be59d59 100644 --- a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py +++ b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py @@ -1,9 +1,13 @@ -import json import os +import json import re import pytest +from datetime import datetime from tempfile import gettempdir +from time import sleep +import wazuh_testing as fw +from wazuh_testing.tools.time import parse_date_time_format from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config 
@@ -30,10 +34,12 @@ def test_docker_monitoring(configure_environment, metadata, get_dashboard_creden rule_id = metadata['rule.id'] rule_level = metadata['rule.level'] docker_action = metadata['extra']['data.docker.Action'] - expected_api_alert = f".+Action.+{docker_action}.+level.+{rule_level}.+description.+{rule_description}.+" \ - f"id.+{rule_id}.+" - expected_log_alert = f".+level.+{rule_level}.+description.+{rule_description}.+id.+{rule_id}.+" \ - f"Action.+{docker_action}.+" + + expected_alert_json = f".+timestamp\":\"(.+)\",.+level.+{rule_level}.+description.+{rule_description}.+" \ + f"id.+{rule_id}.+Action.+{docker_action}.+" + + expected_indexed_alert = f".+Action.+{docker_action}.+level.+{rule_level}.+description.+{rule_description}.+" \ + f"id.+{rule_id}.+timestamp\": \"(.+)\",.+" query = e2e.make_query([ { 
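Review bot: The `(.+)` capture in `timestamp\":\"(.+)\",` is greedy and is followed by `.+level`, so it extends to the last `",` that still lets the rest of the pattern match; it only stops at the end of the timestamp when `"rule":{"level"` happens to follow it directly, and in `expected_indexed_alert` (where the capture is at the end, with `json.dumps` spacing) any field serialized after `timestamp` would be swallowed into group(1) and passed to `parse_date_time_format`. A negated class pins both captures to the value itself: `timestamp\":\"([^\"]+)\",` and `timestamp\": \"([^\"]+)\"`. `rule_description` and `docker_action` are still interpolated from YAML metadata without `re.escape(...)`. test_docker_monitoring starts before this hunk and continues after it.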
@@ -53,15 +59,27 @@ def test_docker_monitoring(configure_environment, metadata, get_dashboard_creden } ]) - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) - assert response.status_code == 200, f"The response is not the expected. Actual response {response.text}" + # Check that alert has been raised and save timestamp + raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + error_message='The alert has not occurred').result() + raised_alert_timestamp = raised_alert.group(1) + raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') + # Wait a few seconds for the alert to be indexed (alert.json -> filebeat -> wazuh-indexer) + sleep(fw.T_10) + + # Get indexed alert + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) indexed_alert = json.dumps(response.json()) - try: - match = re.search(expected_api_alert, indexed_alert) - assert match is not None, 'The alert was triggered but not indexed.' - except AssertionError as exc: - err_msg = 'The alert was not triggered.' - evm.check_event(callback=expected_log_alert, file_to_monitor=alerts_json, error_message=err_msg) - raise AssertionError(exc.args[0]) + + # Check that the alert data is the expected one + alert_data = re.search(expected_indexed_alert, indexed_alert) + assert alert_data is not None, 'Alert triggered, but not indexed' + + # Get indexed alert timestamp + indexed_alert_timestamp = alert_data.group(1) + indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), '%Y-%m-%d %H:%M:%S') + + # Check that alert has been indexed (checking that the timestamp is the expected one) + assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' From e3b01d2c7a97c62278a1c4d3d11d6f0bd3e4c4be Mon Sep 17 00:00:00 2001 
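Review bot: The `assert response.status_code == 200` removed in this hunk was the only check on the indexer call, and the new code goes straight to `response.json()`; an authentication failure or an indexer that is still starting now surfaces as a decode error or as the misleading `'Alert triggered, but not indexed'` message. Restore it before decoding: `assert response.status_code == 200, f"The response is not the expected. Actual response {response.text}"`. The final timestamp assert reuses that same message, so a timestamp mismatch is indistinguishable from a no-match; `'Indexed alert timestamp differs from alerts.json'` would name the real failure. The fixed `sleep(fw.T_10)` races filebeat shipping the alert; polling the indexer up to a timeout would be more robust, but that is a larger change. test_docker_monitoring starts before this hunk.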
From: Mauro Malara Date: Thu, 16 Jun 2022 21:15:34 -0300 Subject: [PATCH 102/552] =?UTF-8?q?fix(playbooks):=20playbook=C2=B4s=20nam?= =?UTF-8?q?e=20changed=20and=20linter=20fixes=20applied.=20#2887?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../configuration/osquery_integration.json | 2 +- .../data/playbooks/configuration.yaml | 21 ++++--------------- .../data/playbooks/generate_events.yaml | 5 ++--- ...on.yaml => cases_osquery_integration.yaml} | 1 - .../test_osquery_integration.py | 2 +- 5 files changed, 8 insertions(+), 23 deletions(-) rename tests/end_to_end/test_osquery_integration/data/test_cases/{cases_test_osquery_integration.yaml => cases_osquery_integration.yaml} (99%) diff --git a/tests/end_to_end/test_osquery_integration/data/configuration/osquery_integration.json b/tests/end_to_end/test_osquery_integration/data/configuration/osquery_integration.json index 079061e8a7..a34ce3cd65 100644 --- a/tests/end_to_end/test_osquery_integration/data/configuration/osquery_integration.json +++ b/tests/end_to_end/test_osquery_integration/data/configuration/osquery_integration.json @@ -19,4 +19,4 @@ "hardware-monitoring": "/opt/osquery/share/osquery/packs/hardware-monitoring.conf", "ossec-rootkit": "/opt/osquery/share/osquery/packs/ossec-rootkit.conf" } -} \ No newline at end of file +} diff --git a/tests/end_to_end/test_osquery_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_osquery_integration/data/playbooks/configuration.yaml index d958496a69..1fd818db57 100644 --- a/tests/end_to_end/test_osquery_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_osquery_integration/data/playbooks/configuration.yaml @@ -1,7 +1,6 @@ ---- - name: Test configuration hosts: wazuh-manager - become: True + become: true tasks: - name: Check if Osquery is installed or not on CentOS 
@@ -24,13 +23,13 @@ owner: root group: root mode: '0644' - backup: yes + backup: true - name: Configure the Osquery module blockinfile: path: /var/ossec/etc/ossec.conf - marker: "" - insertbefore: "^" + marker: + insertbefore: ^ block: | no @@ -57,15 +56,3 @@ yum install -y epel-release yum -y install stress when: (ansible_facts['distribution'] == "CentOS" and "is not installed" in stress_check.stdout) - - - name: Unzip Wazuh installation files - unarchive: - src: /root/wazuh-install-files.tar - dest: /root - remote_src: yes - - - name: Get credentials file - fetch: - src: /root/wazuh-install-files/passwords.wazuh - dest: /tmp/ - flat: yes diff --git a/tests/end_to_end/test_osquery_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_osquery_integration/data/playbooks/generate_events.yaml index 0c2d37b29a..85ad397bf5 100644 --- a/tests/end_to_end/test_osquery_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_osquery_integration/data/playbooks/generate_events.yaml @@ -1,7 +1,6 @@ ---- - name: Generate events hosts: wazuh-manager - become: True + become: true tasks: - name: Truncate alerts file @@ -21,4 +20,4 @@ fetch: src: /var/ossec/logs/alerts/alerts.json dest: /tmp/ - flat: yes + flat: true diff --git a/tests/end_to_end/test_osquery_integration/data/test_cases/cases_test_osquery_integration.yaml b/tests/end_to_end/test_osquery_integration/data/test_cases/cases_osquery_integration.yaml similarity index 99% rename from tests/end_to_end/test_osquery_integration/data/test_cases/cases_test_osquery_integration.yaml rename to tests/end_to_end/test_osquery_integration/data/test_cases/cases_osquery_integration.yaml index f1bd3f67e8..fc1ba9833f 100644 --- a/tests/end_to_end/test_osquery_integration/data/test_cases/cases_test_osquery_integration.yaml +++ b/tests/end_to_end/test_osquery_integration/data/test_cases/cases_osquery_integration.yaml 
@@ -1,4 +1,3 @@ ---- - name: low_free_memory description: Test if an osquery alert is generated when the host is stressed configuration_parameters: null diff --git a/tests/end_to_end/test_osquery_integration/test_osquery_integration.py b/tests/end_to_end/test_osquery_integration/test_osquery_integration.py index 8614680f79..5f5d73501e 100644 --- a/tests/end_to_end/test_osquery_integration/test_osquery_integration.py +++ b/tests/end_to_end/test_osquery_integration/test_osquery_integration.py @@ -14,7 +14,7 @@ test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') -test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_test_osquery_integration.yaml') +test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_osquery_integration.yaml') osquery_configuration_file_path = os.path.join(test_data_path, 'configuration', 'osquery_integration.json') alerts_json = os.path.join(gettempdir(), 'alerts.json') configuration_playbooks = ['configuration.yaml'] From 699b7a15ca39f8b86bd8409e68acabddcbc94505 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Thu, 16 Jun 2022 21:17:33 -0300 Subject: [PATCH 103/552] fix(credentials)!: credentials code deleted from test. #2887 --- .../test_osquery_integration/test_osquery_integration.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/tests/end_to_end/test_osquery_integration/test_osquery_integration.py b/tests/end_to_end/test_osquery_integration/test_osquery_integration.py index 5f5d73501e..115142290b 100644 --- a/tests/end_to_end/test_osquery_integration/test_osquery_integration.py +++ b/tests/end_to_end/test_osquery_integration/test_osquery_integration.py 
@@ -64,8 +64,6 @@ def test_osquery_integration(configure_environment, metadata, get_dashboard_cred sleep(fw.T_5) # Get indexed alert - get_dashboard_credentials['user'] = get_dashboard_credentials['user'].replace("'",'') - get_dashboard_credentials['password'] = get_dashboard_credentials['password'].replace("'",'') response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) indexed_alert = json.dumps(response.json()) From 2fdb7ff634f0adf73671bfbe8897fe1227b5faef Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Thu, 16 Jun 2022 21:21:42 -0300 Subject: [PATCH 104/552] fix(linter): linter suggestions applied. #2887 --- .../data/playbooks/configuration.yaml | 12 ++++++------ .../data/test_cases/cases_osquery_integration.yaml | 5 +++-- .../test_osquery_integration.py | 2 -- 3 files changed, 9 insertions(+), 10 deletions(-) diff --git a/tests/end_to_end/test_osquery_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_osquery_integration/data/playbooks/configuration.yaml index 1fd818db57..6ba1d15a23 100644 --- a/tests/end_to_end/test_osquery_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_osquery_integration/data/playbooks/configuration.yaml @@ -32,12 +32,12 @@ insertbefore: ^ block: | - no - yes - /usr/bin - /var/log/osquery/osqueryd.results.log - /etc/osquery/osquery.conf - no + no + yes + /usr/bin + /var/log/osquery/osqueryd.results.log + /etc/osquery/osquery.conf + no - name: Enable and start Osquery diff --git a/tests/end_to_end/test_osquery_integration/data/test_cases/cases_osquery_integration.yaml b/tests/end_to_end/test_osquery_integration/data/test_cases/cases_osquery_integration.yaml index fc1ba9833f..7c95fe3763 100644 --- a/tests/end_to_end/test_osquery_integration/data/test_cases/cases_osquery_integration.yaml +++ b/tests/end_to_end/test_osquery_integration/data/test_cases/cases_osquery_integration.yaml 
@@ -6,7 +6,8 @@ rule.description: "osquery: System memory is under 10%" rule.level: 4 extra: - data.osquery.name: "low_free_memory" + data.osquery.name: low_free_memory extra_vars: event_description: Stress system memory - command: stress --vm-bytes $(awk '/MemAvailable/{printf "%d\n", $2 * 0.98;}' < /proc/meminfo)k --vm-keep -m 1 -t 60 + command: > + stress --vm-bytes $(awk '/MemAvailable/{printf "%d\n", $2 * 0.98;}' < /proc/meminfo)k --vm-keep -m 1 -t 60 diff --git a/tests/end_to_end/test_osquery_integration/test_osquery_integration.py b/tests/end_to_end/test_osquery_integration/test_osquery_integration.py index 115142290b..eecb3af610 100644 --- a/tests/end_to_end/test_osquery_integration/test_osquery_integration.py +++ b/tests/end_to_end/test_osquery_integration/test_osquery_integration.py @@ -24,7 +24,6 @@ configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) - @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) def test_osquery_integration(configure_environment, metadata, get_dashboard_credentials, generate_events, @@ -67,7 +66,6 @@ def test_osquery_integration(configure_environment, metadata, get_dashboard_cred response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) indexed_alert = json.dumps(response.json()) - # Check that the alert data is the expected one alert_data = re.search(expected_indexed_alert, indexed_alert) assert alert_data is not None, 'Alert triggered, but not indexed' From 1e6528db28588d8bf47d0adc9b0bbe63a4cfa946 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Fri, 17 Jun 2022 11:15:33 -0300 Subject: [PATCH 105/552] fix(linter): deleted extra line. #2935 --- .../test_docker_monitoring/test_docker_monitoring.py | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py index 578be59d59..484827982a 100644 --- a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py +++ b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py @@ -35,11 +35,12 @@ def test_docker_monitoring(configure_environment, metadata, get_dashboard_creden rule_level = metadata['rule.level'] docker_action = metadata['extra']['data.docker.Action'] - expected_alert_json = f".+timestamp\":\"(.+)\",.+level.+{rule_level}.+description.+{rule_description}.+" \ - f"id.+{rule_id}.+Action.+{docker_action}.+" + expected_alert_json = fr".+timestamp\":\"(.+)\",.+level.+{rule_level}.+description.+{rule_description}.+" \ + fr"id.+{rule_id}.+Action.+{docker_action}.+" - expected_indexed_alert = f".+Action.+{docker_action}.+level.+{rule_level}.+description.+{rule_description}.+" \ - f"id.+{rule_id}.+timestamp\": \"(.+)\",.+" + expected_indexed_alert = fr".+Action.+{docker_action}.+level.+{rule_level}.+description.+{rule_description}.+" \ + fr"id.+{rule_id}.+timestamp\": \"(.+)\"" \ + r'},.+' query = e2e.make_query([ { @@ -72,7 +73,6 @@ def test_docker_monitoring(configure_environment, metadata, get_dashboard_creden response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) indexed_alert = json.dumps(response.json()) - # Check that the alert data is the expected one alert_data = re.search(expected_indexed_alert, indexed_alert) assert alert_data is not None, 'Alert triggered, but not indexed' From 9b77489c411072ee891e1697cafceb3d1ea43137 Mon Sep 17 00:00:00 2001 
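Review bot: `rule_description` and `docker_action` are interpolated into `expected_alert_json` and `expected_indexed_alert` verbatim, so any regex metacharacter in the case metadata (a trailing `.`, parentheses, `+`) is interpreted as a pattern instead of being matched literally; escape each value once, e.g. `rule_description = re.escape(metadata['rule.description'])`, before building the patterns. The same unescaped interpolation appears in the test_brute_force.py, test_sql_injection.py and test_osquery_integration.py hunks further down this page. The new tail `r'},.+'` on `expected_indexed_alert` also assumes the timestamp is the last key of the indexed document; that depends on how the indexer serialises `_source` (inferred), and a different key order would fail quietly with 'Alert triggered, but not indexed'. test_docker_monitoring's body continues outside the hunk.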
From: Belen Valdivia Date: Tue, 21 Jun 2022 12:20:26 -0300 Subject: [PATCH 106/552] add: test sql injection --- .../test_brute_force/test_brute_force.py | 5 +- .../data/playbooks/configuration.yaml | 28 +++++++ .../data/playbooks/generate_events.yaml | 29 ++++++++ .../data/test_cases/cases_sql_injection.yaml | 9 +++ .../test_sql_injection/test_sql_injection.py | 74 +++++++++++++++++++ 5 files changed, 143 insertions(+), 2 deletions(-) create mode 100644 tests/end_to_end/test_sql_injection/data/playbooks/configuration.yaml create mode 100644 tests/end_to_end/test_sql_injection/data/playbooks/generate_events.yaml create mode 100644 tests/end_to_end/test_sql_injection/data/test_cases/cases_sql_injection.yaml create mode 100644 tests/end_to_end/test_sql_injection/test_sql_injection.py diff --git a/tests/end_to_end/test_brute_force/test_brute_force.py b/tests/end_to_end/test_brute_force/test_brute_force.py index 3d1608cf2c..3653b0cd77 100644 --- a/tests/end_to_end/test_brute_force/test_brute_force.py +++ b/tests/end_to_end/test_brute_force/test_brute_force.py @@ -1,3 +1,4 @@ +from cmath import exp import os import json import re @@ -33,8 +34,7 @@ def test_brute_force(metadata, get_dashboard_credentials, generate_events, clean rule_description = metadata['rule.description'] rule_mitre_technique = metadata['extra']['mitre_technique'] - expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{rule_level},' \ - fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' + expected_alert_json = fr'.*"rule":.*"level":{rule_level},"description:"{rule_description}".*"id":"{rule_id}' expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \ fr'.*"mitre":.*"{rule_mitre_technique}".*"id": "{rule_id}".*'\ 
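Review bot: `from cmath import exp` is added at the top of test_brute_force.py, but nothing in the hunk uses it and nothing in a regex-matching test needs a complex exponential; it reads like an editor auto-import. Drop the line (the PATCH 115 hunk further down removes it again).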
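Review bot: The new one-line `expected_alert_json` has no capture group, yet the code immediately after it (visible as context in the next hunk) still calls `raised_alert.group(1)`, which raises IndexError ("no such group") as soon as an alert matches. The pattern is also malformed: `"description:"{rule_description}"` is missing the closing quote of the `description` key, so it never matches an alerts.json line in the first place. Keeping the previous two-line pattern with its `(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)` timestamp group is the correct fix; PATCH 115 further down restores it.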
@@ -49,6 +49,7 @@ def test_brute_force(metadata, get_dashboard_credentials, generate_events, clean ]) # Check that alert has been raised and save timestamp + print(expected_alert_json) raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, error_message='The alert has not occurred').result() raised_alert_timestamp = raised_alert.group(1) diff --git a/tests/end_to_end/test_sql_injection/data/playbooks/configuration.yaml b/tests/end_to_end/test_sql_injection/data/playbooks/configuration.yaml new file mode 100644 index 0000000000..c921cd8087 --- /dev/null +++ b/tests/end_to_end/test_sql_injection/data/playbooks/configuration.yaml @@ -0,0 +1,28 @@ +- name: Test agent configuration + hosts: wazuh-agent + tasks: + + - name: Install apache (CentOS) + become: true + shell: dnf install httpd -y + when: ansible_facts['distribution'] == "CentOS" + + - name: Start apache + become: true + shell: systemctl start httpd + + - name: Configure agent to monitor the Apache access logs + become: true + blockinfile: + path: /var/ossec/etc/ossec.conf + insertbefore: + block: | + + apache + /var/log/httpd/access_log + + marker: + + - name: Restart wazuh-agent + become: true + shell: systemctl restart wazuh-agent diff --git a/tests/end_to_end/test_sql_injection/data/playbooks/generate_events.yaml b/tests/end_to_end/test_sql_injection/data/playbooks/generate_events.yaml new file mode 100644 index 0000000000..21d242c2b6 --- /dev/null +++ b/tests/end_to_end/test_sql_injection/data/playbooks/generate_events.yaml 
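Review bot: `print(expected_alert_json)` is a leftover debug statement; pytest captures stdout, so it only surfaces on failure, and the pattern is more useful attached to the failure itself. Remove it, or fold it into the existing call as `error_message=f'The alert has not occurred, expected pattern: {expected_alert_json}'`. test_brute_force's body continues on both sides of the hunk.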
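Review bot: The 'Install apache (CentOS)' task is gated on `when: ansible_facts['distribution'] == "CentOS"`, but the following 'Start apache' task has no condition, so on any other distribution `systemctl start httpd` runs against a service that was never installed and the play fails before the agent is configured. Either add the same `when` to the start task or install with the distribution-agnostic `package` module (`package: name=httpd state=present`) so both tasks are valid everywhere. The `blockinfile` task's `insertbefore:` and `marker:` values render as empty on this page (probably angle-bracket tags stripped); if they really are empty the block is appended at end of file and a second run duplicates it, so confirm both survive in the repository. `shell: dnf install httpd -y` and `shell: systemctl start httpd` also lose the idempotence and change reporting that the `dnf` and `service` modules provide.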
@@ -0,0 +1,29 @@ +- name: Truncate file + hosts: all + tasks: + + - name: Truncate alert.json + shell: echo "" > /var/ossec/logs/alerts/alerts.json + become: true + +- name: Generate events + hosts: localhost + tasks: + + - name: sql injection + command: curl -XGET "http://wazuh-agent/?id=SELECT+*+FROM+users"; + + - name: Wait for alert + pause: + seconds: 5 + +- name: Get logs + hosts: all + tasks: + + - name: Get alerts.json + fetch: + src: /var/ossec/logs/alerts/alerts.json + dest: /tmp/ + flat: yes + become: true diff --git a/tests/end_to_end/test_sql_injection/data/test_cases/cases_sql_injection.yaml b/tests/end_to_end/test_sql_injection/data/test_cases/cases_sql_injection.yaml new file mode 100644 index 0000000000..663b0c59c6 --- /dev/null +++ b/tests/end_to_end/test_sql_injection/data/test_cases/cases_sql_injection.yaml @@ -0,0 +1,9 @@ +- name: sql_injection + description: Execute a sql injection attack and check generated alerts + configuration_parameters: null + metadata: + rule.id: 31103 + rule.level: 7 + rule.description: "SQL injection attemp." + extra: + mitre_technique: Exploit Public-Facing Application \ No newline at end of file diff --git a/tests/end_to_end/test_sql_injection/test_sql_injection.py b/tests/end_to_end/test_sql_injection/test_sql_injection.py new file mode 100644 index 0000000000..dbfb7a7359 --- /dev/null +++ b/tests/end_to_end/test_sql_injection/test_sql_injection.py 
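Review bot: Both the 'Truncate file' and 'Get logs' plays target `hosts: all`, while every other playbook on this page reads `/var/ossec/logs/alerts/alerts.json` from `wazuh-manager` only; on the agent the `echo "" > ...` redirection fails, and the fetch with `flat: yes` writes each host's copy to the same `/tmp/alerts.json`, so whichever host is processed last wins. Set `hosts: wazuh-manager` on both plays (PATCH 121 further down makes this change). In the 'sql injection' task the `command` module does not go through a shell, so the trailing `;` in `curl -XGET "http://wazuh-agent/?id=SELECT+*+FROM+users";` is passed as part of the URL argument rather than acting as a terminator; drop it.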
@@ -0,0 +1,74 @@ +import os +import json +import re +import pytest +from datetime import datetime +from tempfile import gettempdir +from time import sleep + +from wazuh_testing import end_to_end as e2e +from wazuh_testing import event_monitor as evm +from wazuh_testing.tools import configuration as config +from wazuh_testing.tools.time import parse_date_time_format + + +alerts_json = os.path.join(gettempdir(), 'alerts.json') +test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') +test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_sql_injection.yaml') +configuration_playbooks = ['configuration.yaml'] +events_playbooks = ['generate_events.yaml'] +wait_indexed_alert = 5 + +configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) + + +@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') +@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) +def test_audit(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_environment): + """ + Test to detect a SQL injection attack + """ + rule_id = metadata['rule.id'] + rule_level = metadata['rule.level'] + rule_description = metadata['rule.description'] + rule_mitre_technique = metadata['extra']['mitre_technique'] + + expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{rule_level},' \ + fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' + + expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \ + fr'.*"mitre":.*"{rule_mitre_technique}".*"id": "{rule_id}".*'\ + r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' + + query = e2e.make_query([ + + { + "term": { + "rule.id": f"{rule_id}" + } + } + ]) + + # Check that alert has been raised and save timestamp + raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + 
error_message='The alert has not occurred').result() + raised_alert_timestamp = raised_alert.group(1) + raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') + + # Wait a few seconds for the alert to be indexed (alert.json -> filebeat -> wazuh-indexer) + sleep(wait_indexed_alert) + + # Get indexed alert + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + indexed_alert = json.dumps(response.json()) + + # Check that the alert data is the expected one + alert_data = re.search(expected_indexed_alert, indexed_alert) + assert alert_data is not None, 'Alert triggered, but not indexed' + + # Get indexed alert timestamp + indexed_alert_timestamp = alert_data.group(1) + indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), '%Y-%m-%d %H:%M:%S') + + # Check that alert has been indexed (checking that the timestamp is the expected one) + assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' From a0f66312d81e5ec991fd2d28e1d4d0e92b922162 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Tue, 21 Jun 2022 12:30:21 -0300 Subject: [PATCH 107/552] fix: requested changes --- .../test_netcat/data/playbooks/generate_events.yaml | 6 +++--- .../test_netcat/data/test_cases/cases_netcat.yaml | 2 -- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/tests/end_to_end/test_netcat/data/playbooks/generate_events.yaml b/tests/end_to_end/test_netcat/data/playbooks/generate_events.yaml index 327347cf73..eee2f6d01b 100644 --- a/tests/end_to_end/test_netcat/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_netcat/data/playbooks/generate_events.yaml 
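Review bot: The test function is named `test_audit` although the module is test_sql_injection.py and its docstring says it detects a SQL injection attack; rename it `def test_sql_injection(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_environment):` so pytest ids and reports identify the case. The final assertion reuses the message `'Alert triggered, but not indexed'` for what is actually a timestamp mismatch; use `'Indexed alert timestamp does not match the raised alert timestamp'`. `rule_description` goes into both regexes unescaped and the description in cases_sql_injection.yaml ends in `.`, so that dot matches any character instead of a literal one; wrap the value in `re.escape`. `@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning')` silences the warning produced by `verify=False` in the `e2e` indexer helpers (see the delete_index_api hunk below); acceptable for the lab indexer, but a one-line comment saying that the indexer certificate is deliberately not validated here would stop the marker being copied into non-test tooling. `wait_indexed_alert = 5` is a hard-coded sleep where sibling tests use `fw.T_5`/`fw.T_10`; polling `get_alert_indexer_api` until the pattern matches would remove the timing dependence.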
@@ -15,12 +15,12 @@ timeout: 30 - name: Wait for alert - pause: + wait_for: seconds: 5 - - name: "{{ event_description_kill_netcat }}" + - name: Kill netcat become: true - command: "{{ command_kill_netcat }}" + command: pkill -fx 'nc -l 8000' - name: Get logs hosts: all diff --git a/tests/end_to_end/test_netcat/data/test_cases/cases_netcat.yaml b/tests/end_to_end/test_netcat/data/test_cases/cases_netcat.yaml index 9ba26c967c..e84915df00 100644 --- a/tests/end_to_end/test_netcat/data/test_cases/cases_netcat.yaml +++ b/tests/end_to_end/test_netcat/data/test_cases/cases_netcat.yaml @@ -5,8 +5,6 @@ extra_vars: event_description_netcat: Run netcat command_netcat: nc -l 8000 - event_description_kill_netcat: Kill netcat - command_kill_netcat: pkill -fx 'nc -l 8000' rule.id: 100051 rule.level: 7 rule.description: Netcat listening for incoming connections. From 96016ae9ca38441b9392f168996d51e0cf914dc7 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Tue, 21 Jun 2022 12:42:23 -0300 Subject: [PATCH 108/552] fix: changed seconds for timeout --- .../end_to_end/test_netcat/data/playbooks/generate_events.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/test_netcat/data/playbooks/generate_events.yaml b/tests/end_to_end/test_netcat/data/playbooks/generate_events.yaml index eee2f6d01b..0b55af2c37 100644 --- a/tests/end_to_end/test_netcat/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_netcat/data/playbooks/generate_events.yaml @@ -16,7 +16,7 @@ - name: Wait for alert wait_for: - seconds: 5 + timeout: 5 - name: Kill netcat become: true From 0dc64f2c8ee277337245a0a66c1f97f3198c59e5 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Tue, 21 Jun 2022 18:34:28 -0300 Subject: [PATCH 109/552] fix: alert description --- .../test_sql_injection/data/test_cases/cases_sql_injection.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
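Review bot: `wait_for` has no `seconds` option — its wait time is `timeout` — so the 'Wait for alert' task fails with an unsupported-parameter error as soon as the play reaches it; use `timeout: 5` (PATCH 108 further down makes exactly this change). Replacing `"{{ command_kill_netcat }}"` with the literal `pkill -fx 'nc -l 8000'` while the listener command stays a variable lets the two halves drift apart if the case file ever changes the port; `command: "pkill -fx '{{ command_netcat }}'"` keeps them in step.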
diff --git a/tests/end_to_end/test_sql_injection/data/test_cases/cases_sql_injection.yaml b/tests/end_to_end/test_sql_injection/data/test_cases/cases_sql_injection.yaml index 663b0c59c6..78019d20f4 100644 --- a/tests/end_to_end/test_sql_injection/data/test_cases/cases_sql_injection.yaml +++ b/tests/end_to_end/test_sql_injection/data/test_cases/cases_sql_injection.yaml @@ -4,6 +4,6 @@ metadata: rule.id: 31103 rule.level: 7 - rule.description: "SQL injection attemp." + rule.description: "SQL injection attempt." extra: mitre_technique: Exploit Public-Facing Application \ No newline at end of file From f1b7255ff03f4844cc1aed0a646a00284a6fbf0b Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Tue, 21 Jun 2022 18:55:43 -0300 Subject: [PATCH 110/552] fix(playbooks): fix some errors. #2935 An extra alert was added after each docker command to avoid the last alert from not being indexed. Some corrections have been made to the configuration playbook to avoid test failure under certain circumstances. Refs: https://www.elastic.co/guide/en/beats/filebeat/master/newline-character-required-eof.html#newline-character-required-eof --- .../data/playbooks/configuration.yaml | 12 ++++++++---- .../data/playbooks/generate_events.yaml | 3 +++ 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/tests/end_to_end/test_docker_monitoring/data/playbooks/configuration.yaml b/tests/end_to_end/test_docker_monitoring/data/playbooks/configuration.yaml index 3ae36440c6..ebfe1a98d2 100644 --- a/tests/end_to_end/test_docker_monitoring/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_docker_monitoring/data/playbooks/configuration.yaml 
@@ -4,17 +4,21 @@ tasks: - name: Check if Docker is installed or not on CentOS - command: docker info + command: systemctl status docker --no-pager register: docker_check when: ansible_facts['distribution'] == "CentOS" ignore_errors: true - name: Install Docker using the convenience script shell: curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh - when: docker_check.rc != 0 + when: (docker_check.rc != 0 and docker_check.rc != 3) - - name: Start Docker with systemd - shell: systemctl stop docker && systemctl stop docker.socket && systemctl start docker + - name: Stop docker to avoid errors and start it + shell: | + systemctl stop docker + systemctl stop docker.socket + systemctl start docker + when: docker_check.rc == 3 - name: Configure the docker-listener module blockinfile: diff --git a/tests/end_to_end/test_docker_monitoring/data/playbooks/generate_events.yaml b/tests/end_to_end/test_docker_monitoring/data/playbooks/generate_events.yaml index cda5dfd3df..988daf8fd3 100644 --- a/tests/end_to_end/test_docker_monitoring/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_docker_monitoring/data/playbooks/generate_events.yaml @@ -9,6 +9,9 @@ - name: "{{ event_description }}" shell: "{{ command }}" + - name: Dummy alert + shell: 'echo "$(date +"%b %d %T") agent sshd[29205]: Invalid user a from 18.18.1.1 port 22" >> /var/log/messages' + - name: Wait for alerts to be generated wait_for: timeout: 5 From bbd754bb4e316b7ea736594956f0c580e7d523a8 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Tue, 21 Jun 2022 19:03:34 -0300 Subject: [PATCH 111/552] feat(framework): added a new function to delete indices using the indexer API. #2935 --- .../wazuh_testing/end_to_end/__init__.py | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py b/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py index 7954b789c6..ad679d5faa 100644 
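Review bot: The install task still runs `curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh` as root, executing whatever the remote endpoint serves that day with no version pin or checksum; even for a test fixture, install Docker from the distribution repository with the `yum`/`dnf` module, or pin the version and record the script's sha256 in the playbook so a changed script fails loudly. `docker_check` is only registered on CentOS, so `when: (docker_check.rc != 0 and docker_check.rc != 3)` and `when: docker_check.rc == 3` reference an undefined `rc` on any other distribution; guard both with `docker_check.rc is defined and ...` or drop the CentOS condition from the status check. `systemctl status` on a unit that does not exist appears to return a code other than 0 or 3, so after a fresh install the 'Stop docker to avoid errors and start it' task is skipped and Docker is never started; the condition should also cover the just-installed case. The multi-line `shell: |` block stops on the first failing `systemctl` only because of the default `set -e`-less shell, so consider the `systemd` module with `state: restarted` for the same effect with change reporting.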
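Review bot: The 'Dummy alert' task has no comment explaining why a fabricated sshd line is appended to /var/log/messages; the reason lives only in the commit message (the last alert written is not indexed until another line follows it, per the linked Filebeat newline-at-EOF note). Add `# Emit one extra event after the docker command so its alert is not the last line in alerts.json; Filebeat does not ship a trailing line until a newline follows it` above the task so the next maintainer does not remove it as noise. Naming the task `Dummy alert (flushes the previous alert through Filebeat)` carries the intent into the play output as well.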
--- a/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py +++ b/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py @@ -30,6 +30,30 @@ def get_alert_indexer_api(query, credentials, ip_address='wazuh-manager', index= return response +def delete_index_api(credentials, ip_address='wazuh-manager', index='wazuh-alerts-4.x-*'): + """Delete indices from wazuh-indexer using its API. + + Make a request to the wazuh-indexer API to delete indices that match a given name. + + Args: + ip_address (str): wazuh-indexer IP address. + index (str): Name of the index to be deleted. + credentials(dict): wazuh-indexer credentials. + + Returns: + obj(class): `Response ` object + """ + url = f"https://{ip_address}:9200/{index}" + + response = requests.delete(url=url, params={'pretty': 'true'}, verify=False, + auth=requests.auth.HTTPBasicAuth(credentials['user'], credentials['password'])) + + if response.status_code != 200: + raise Exception(f"The response is not the expected. Actual response {response.status_code}") + + return response + + def make_query(must_match): """Create a query according to the values passed in must_match. From dabcaf2582985da2b2e0c57ab7f192d5984e4399 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Tue, 21 Jun 2022 19:21:07 -0300 Subject: [PATCH 112/552] fix(e2e): clean indices after each test case. #2935 --- tests/end_to_end/conftest.py | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index ebed3e647a..253db63bf3 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py 
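Review bot: The default `index='wazuh-alerts-4.x-*'` makes a bare `delete_index_api(credentials)` delete every alerts index on the indexer, and the conftest change in the next commit calls it exactly that way after each test; a destructive helper should not carry a wildcard default — require `index` explicitly, or at least state in the docstring that the default wipes all alert indices. `requests.delete(...)` has no `timeout`, so a stalled indexer hangs the teardown indefinitely; pass `timeout=` with a bounded value. `verify=False` disables certificate validation as `get_alert_indexer_api` above already does; keep the two consistent but route it through one module-level setting (a CA bundle path, `False` only for the lab) rather than repeating the literal in each helper. `raise Exception(...)` should be a narrower class, and a 404 for an index that was never created is a normal teardown outcome the caller may want to tolerate. The Args list documents `credentials` last although it is the first positional parameter.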
@@ -7,16 +7,22 @@ from tempfile import gettempdir from wazuh_testing.tools.file import remove_file +from wazuh_testing import end_to_end as e2e alerts_json = os.path.join(gettempdir(), 'alerts.json') @pytest.fixture(scope='function') -def clean_environment(): - """Delete alerts and credentials files from the temporary folder.""" +def clean_environment(get_dashboard_credentials): + """Delete alerts and delete indices using the API. + + Args: + credentials(dict): wazuh-indexer credentials. + """ yield remove_file(alerts_json) + e2e.delete_index_api(credentials=get_dashboard_credentials) @pytest.fixture(scope='module') From 5727ea65e8514d1814848f95043fb99000d55459 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Tue, 21 Jun 2022 19:31:41 -0300 Subject: [PATCH 113/552] fix(framework): linter correction applied. #2935 --- deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py b/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py index ad679d5faa..823e892589 100644 --- a/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py +++ b/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py @@ -46,7 +46,7 @@ def delete_index_api(credentials, ip_address='wazuh-manager', index='wazuh-alert url = f"https://{ip_address}:9200/{index}" response = requests.delete(url=url, params={'pretty': 'true'}, verify=False, - auth=requests.auth.HTTPBasicAuth(credentials['user'], credentials['password'])) + auth=requests.auth.HTTPBasicAuth(credentials['user'], credentials['password'])) if response.status_code != 200: raise Exception(f"The response is not the expected. Actual response {response.status_code}") From f3f762060f48234f976090535f1ccc5c0867d960 Mon Sep 17 00:00:00 2001 
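Review bot: The docstring's Args entry names `credentials(dict)` but the fixture parameter is `get_dashboard_credentials`; document the real name, e.g. `get_dashboard_credentials (dict): wazuh-indexer credentials, supplied by the get_dashboard_credentials fixture.` Because `e2e.delete_index_api` raises on any non-200 status, a 404 when a case produced no alert index turns the teardown into an error for a test that otherwise passed; tolerate that case here or in the helper. The teardown now deletes every index matching the helper's wildcard default after each function, which is intended for the lab but worth stating in the docstring so nobody points these tests at a shared indexer.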
From: Belen Valdivia Date: Wed, 22 Jun 2022 09:16:39 -0300 Subject: [PATCH 114/552] fix: added command as parameter --- .../data/playbooks/generate_events.yaml | 8 ++++---- .../data/test_cases/cases_sql_injection.yaml | 3 +++ 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/tests/end_to_end/test_sql_injection/data/playbooks/generate_events.yaml b/tests/end_to_end/test_sql_injection/data/playbooks/generate_events.yaml index 21d242c2b6..569c0989e7 100644 --- a/tests/end_to_end/test_sql_injection/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_sql_injection/data/playbooks/generate_events.yaml @@ -10,12 +10,12 @@ hosts: localhost tasks: - - name: sql injection - command: curl -XGET "http://wazuh-agent/?id=SELECT+*+FROM+users"; + - name: "{{ event_description }}" + command: "{{ command }}" - name: Wait for alert - pause: - seconds: 5 + wait_for: + timeout: 5 - name: Get logs hosts: all diff --git a/tests/end_to_end/test_sql_injection/data/test_cases/cases_sql_injection.yaml b/tests/end_to_end/test_sql_injection/data/test_cases/cases_sql_injection.yaml index 78019d20f4..af518fa8a4 100644 --- a/tests/end_to_end/test_sql_injection/data/test_cases/cases_sql_injection.yaml +++ b/tests/end_to_end/test_sql_injection/data/test_cases/cases_sql_injection.yaml @@ -2,6 +2,9 @@ description: Execute a sql injection attack and check generated alerts configuration_parameters: null metadata: + extra_vars: + event_description: Run SQL injection + command: curl -XGET "http://wazuh-agent/?id=SELECT+*+FROM+users"; rule.id: 31103 rule.level: 7 rule.description: "SQL injection attempt." From 0a16b5a9f1da367ee6a8806246a964636669f1b5 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Wed, 22 Jun 2022 09:20:45 -0300 Subject: [PATCH 115/552] fix: wrong change in brute force test --- tests/end_to_end/test_brute_force/test_brute_force.py | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
diff --git a/tests/end_to_end/test_brute_force/test_brute_force.py b/tests/end_to_end/test_brute_force/test_brute_force.py index 3653b0cd77..3d1608cf2c 100644 --- a/tests/end_to_end/test_brute_force/test_brute_force.py +++ b/tests/end_to_end/test_brute_force/test_brute_force.py @@ -1,4 +1,3 @@ -from cmath import exp import os import json import re @@ -34,7 +33,8 @@ def test_brute_force(metadata, get_dashboard_credentials, generate_events, clean rule_description = metadata['rule.description'] rule_mitre_technique = metadata['extra']['mitre_technique'] - expected_alert_json = fr'.*"rule":.*"level":{rule_level},"description:"{rule_description}".*"id":"{rule_id}' + expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{rule_level},' \ + fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \ fr'.*"mitre":.*"{rule_mitre_technique}".*"id": "{rule_id}".*'\ @@ -49,7 +49,6 @@ def test_brute_force(metadata, get_dashboard_credentials, generate_events, clean ]) # Check that alert has been raised and save timestamp - print(expected_alert_json) raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, error_message='The alert has not occurred').result() raised_alert_timestamp = raised_alert.group(1) From 6986d73cfdd20101391259c6463c78768ddd40a1 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Wed, 22 Jun 2022 09:24:43 -0300 Subject: [PATCH 116/552] fix: added end line cases yaml --- .../test_sql_injection/data/test_cases/cases_sql_injection.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/test_sql_injection/data/test_cases/cases_sql_injection.yaml b/tests/end_to_end/test_sql_injection/data/test_cases/cases_sql_injection.yaml index af518fa8a4..8ce146d2c3 100644 --- a/tests/end_to_end/test_sql_injection/data/test_cases/cases_sql_injection.yaml 
+++ b/tests/end_to_end/test_sql_injection/data/test_cases/cases_sql_injection.yaml @@ -9,4 +9,4 @@ rule.level: 7 rule.description: "SQL injection attempt." extra: - mitre_technique: Exploit Public-Facing Application \ No newline at end of file + mitre_technique: Exploit Public-Facing Application From ee47a170d29adb1fb1b669154e8576c83c9f7d0f Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Thu, 23 Jun 2022 08:39:29 -0300 Subject: [PATCH 117/552] fix: linter errors --- .../test_sql_injection/data/playbooks/generate_events.yaml | 2 +- .../test_sql_injection/data/test_cases/cases_sql_injection.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/end_to_end/test_sql_injection/data/playbooks/generate_events.yaml b/tests/end_to_end/test_sql_injection/data/playbooks/generate_events.yaml index 569c0989e7..b08066ce4a 100644 --- a/tests/end_to_end/test_sql_injection/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_sql_injection/data/playbooks/generate_events.yaml @@ -25,5 +25,5 @@ fetch: src: /var/ossec/logs/alerts/alerts.json dest: /tmp/ - flat: yes + flat: true become: true diff --git a/tests/end_to_end/test_sql_injection/data/test_cases/cases_sql_injection.yaml b/tests/end_to_end/test_sql_injection/data/test_cases/cases_sql_injection.yaml index 8ce146d2c3..2869de8e4e 100644 --- a/tests/end_to_end/test_sql_injection/data/test_cases/cases_sql_injection.yaml +++ b/tests/end_to_end/test_sql_injection/data/test_cases/cases_sql_injection.yaml @@ -7,6 +7,6 @@ command: curl -XGET "http://wazuh-agent/?id=SELECT+*+FROM+users"; rule.id: 31103 rule.level: 7 - rule.description: "SQL injection attempt." + rule.description: SQL injection attempt. extra: mitre_technique: Exploit Public-Facing Application From 5ce74aca92915eca4e49d927bb7ac58c9071abc7 Mon Sep 17 00:00:00 2001 
From: Mauro Malara Date: Thu, 23 Jun 2022 09:29:29 -0300 Subject: [PATCH 118/552] fix(conf-playbook): another condition added to avoid the docker socket error. #2935 --- .../test_docker_monitoring/data/playbooks/configuration.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/test_docker_monitoring/data/playbooks/configuration.yaml b/tests/end_to_end/test_docker_monitoring/data/playbooks/configuration.yaml index ebfe1a98d2..0a3b3ad870 100644 --- a/tests/end_to_end/test_docker_monitoring/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_docker_monitoring/data/playbooks/configuration.yaml @@ -18,7 +18,7 @@ systemctl stop docker systemctl stop docker.socket systemctl start docker - when: docker_check.rc == 3 + when: (docker_check.rc == 3 or docker_check.rc == 0) - name: Configure the docker-listener module blockinfile: From d50708de21c0bf6e595247a72ad545c1127033e7 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Thu, 23 Jun 2022 09:55:32 -0300 Subject: [PATCH 119/552] fix: requested changes ignore errors and comment about it --- .../test_netcat/data/playbooks/generate_events.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tests/end_to_end/test_netcat/data/playbooks/generate_events.yaml b/tests/end_to_end/test_netcat/data/playbooks/generate_events.yaml index 0b55af2c37..47f1e72bc4 100644 --- a/tests/end_to_end/test_netcat/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_netcat/data/playbooks/generate_events.yaml @@ -8,11 +8,12 @@ - name: Generate events hosts: wazuh-agent - ignore_errors: true tasks: + - name: "{{ event_description_netcat }}" command: "{{ command_netcat }}" timeout: 30 + ignore_errors: true #Added 'ignore errors' because the command nc -l 8000 continues running after the timeout - name: Wait for alert wait_for: @@ -23,7 +24,7 @@ command: pkill -fx 'nc -l 8000' - name: Get logs - hosts: all + hosts: wazuh-manager tasks: - name: Get alerts.json 
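Review bot: Extending the restart condition to `docker_check.rc == 0` covers an already-running daemon, but the fresh-install path is still excluded: when `systemctl status docker` returned a code other than 0 or 3 (unit absent) the install task runs and nothing afterwards starts Docker, and `docker_check.rc` remains undefined on non-CentOS hosts. Registering the install task and gating on it, e.g. `when: docker_check.rc is defined and (docker_check.rc in [0, 3] or docker_install.rc == 0)`, would cover all three paths — hedged, since the install task sits outside this hunk.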
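Review bot: `ignore_errors: true` on the netcat task masks every failure of `{{ command_netcat }}`, including `nc` not being installed, not only the expected timeout; since the listener is meant to keep running until the 'Kill netcat' task, start it detached with `async: 30` and `poll: 0` and drop both `timeout: 30` and `ignore_errors`. That way a missing binary still fails the play while the listener survives long enough for the alert to be raised. The trailing comment also needs a space after `#` for yamllint (`# Added ...`), which PATCH 120 below adds.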
From e9111f086f3eec661f5679d4b1bae5f0f867df80 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Thu, 23 Jun 2022 10:09:15 -0300 Subject: [PATCH 120/552] fix: added space in comment --- .../end_to_end/test_netcat/data/playbooks/generate_events.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/test_netcat/data/playbooks/generate_events.yaml b/tests/end_to_end/test_netcat/data/playbooks/generate_events.yaml index 47f1e72bc4..9ec5373f32 100644 --- a/tests/end_to_end/test_netcat/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_netcat/data/playbooks/generate_events.yaml @@ -13,7 +13,7 @@ - name: "{{ event_description_netcat }}" command: "{{ command_netcat }}" timeout: 30 - ignore_errors: true #Added 'ignore errors' because the command nc -l 8000 continues running after the timeout + ignore_errors: true # Added 'ignore errors' because the command nc -l 8000 continues running after the timeout - name: Wait for alert wait_for: From cf819a9c17e58d70ade4be64515184ff6319956f Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Thu, 23 Jun 2022 11:27:12 -0300 Subject: [PATCH 121/552] fix: changed hosts to wazuh-manager --- .../test_sql_injection/data/playbooks/generate_events.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/end_to_end/test_sql_injection/data/playbooks/generate_events.yaml b/tests/end_to_end/test_sql_injection/data/playbooks/generate_events.yaml index b08066ce4a..f4c58677dc 100644 --- a/tests/end_to_end/test_sql_injection/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_sql_injection/data/playbooks/generate_events.yaml @@ -1,5 +1,5 @@ - name: Truncate file - hosts: all + hosts: wazuh-manager tasks: - name: Truncate alert.json @@ -18,7 +18,7 @@ timeout: 5 - name: Get logs - hosts: all + hosts: wazuh-manager tasks: - name: Get alerts.json From 02a8fa57b118f088553fc79d668b23ead4069939 Mon Sep 17 00:00:00 2001 
From: Mauro Malara Date: Thu, 23 Jun 2022 13:10:46 -0300 Subject: [PATCH 122/552] fix: some fixes related to the test setup have been made. #2887 Configuration playbook fixed. Paths of Osquery configuration file modified. --- .../configuration/osquery_integration.json | 12 ++++----- .../data/playbooks/configuration.yaml | 26 +++++++++++-------- .../test_osquery_integration.py | 6 ++--- 3 files changed, 24 insertions(+), 20 deletions(-) diff --git a/tests/end_to_end/test_osquery_integration/data/configuration/osquery_integration.json b/tests/end_to_end/test_osquery_integration/data/configuration/osquery_integration.json index a34ce3cd65..d25a9e649e 100644 --- a/tests/end_to_end/test_osquery_integration/data/configuration/osquery_integration.json +++ b/tests/end_to_end/test_osquery_integration/data/configuration/osquery_integration.json @@ -12,11 +12,11 @@ } }, "packs": { - "osquery-monitoring": "/opt/osquery/share/osquery/packs/osquery-monitoring.conf", - "incident-response": "/opt/osquery/share/osquery/packs/incident-response.conf", - "it-compliance": "/opt/osquery/share/osquery/packs/it-compliance.conf", - "vuln-management": "/opt/osquery/share/osquery/packs/vuln-management.conf", - "hardware-monitoring": "/opt/osquery/share/osquery/packs/hardware-monitoring.conf", - "ossec-rootkit": "/opt/osquery/share/osquery/packs/ossec-rootkit.conf" + "osquery-monitoring": "/usr/share/osquery/packs/osquery-monitoring.conf", + "incident-response": "/usr/share/osquery/packs/incident-response.conf", + "it-compliance": "/usr/share/osquery/packs/it-compliance.conf", + "vuln-management": "/usr/share/osquery/packs/vuln-management.conf", + "hardware-monitoring": "/usr/share/osquery/packs/hardware-monitoring.conf", + "ossec-rootkit": "/usr/share/osquery/packs/ossec-rootkit.conf" } } diff --git a/tests/end_to_end/test_osquery_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_osquery_integration/data/playbooks/configuration.yaml index 6ba1d15a23..6cfa240d2d 100644 
--- a/tests/end_to_end/test_osquery_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_osquery_integration/data/playbooks/configuration.yaml @@ -4,17 +4,17 @@ tasks: - name: Check if Osquery is installed or not on CentOS - command: rpm -q osquery + command: systemctl status osqueryd --no-pager register: osquery_check when: ansible_facts['distribution'] == "CentOS" + ignore_errors: true - name: Install Osquery on CentOS - shell: > - curl -L https://pkg.osquery.io/rpm/GPG | tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery - yum-config-manager --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo - yum-config-manager --enable osquery-s3-rpm-repo - yum -y install osquery - when: (ansible_facts['distribution'] == "CentOS" and "is not installed" in osquery_check.stdout) + shell: | + curl -LO https://pkg.osquery.io/rpm/osquery-4.5.1-1.linux.x86_64.rpm + rpm -ivh ./osquery-4.5.1-1.linux.x86_64.rpm + register: installation + when: (ansible_facts['distribution'] == "CentOS" and osquery_check.rc != 0 and osquery_check.rc != 3) - name: Configure Osquery copy: @@ -24,6 +24,7 @@ group: root mode: '0644' backup: true + when: (osquery_check.rc == 3 or osquery_check.rc == 0 or installation.rc == 0) - name: Configure the Osquery module blockinfile: @@ -40,8 +41,9 @@ no - - name: Enable and start Osquery - shell: systemctl enable osqueryd && systemctl start osqueryd + - name: Start Osquery + shell: systemctl start osqueryd + when: (osquery_check.rc == 3 or osquery_check.rc == 0) - name: Restart the manager shell: systemctl restart wazuh-manager @@ -50,9 +52,11 @@ command: rpm -q stress register: stress_check when: ansible_facts['distribution'] == "CentOS" + ignore_errors: true - name: Install stress - shell: > + shell: | yum install -y epel-release yum -y install stress - when: (ansible_facts['distribution'] == "CentOS" and "is not installed" in stress_check.stdout) + register: stressing + when: (ansible_facts['distribution'] == "CentOS" and stress_check.rc == 1) 
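Review bot: In the first hunk (`@@ -4,17 +4,17 @@`) the new `Install Osquery on CentOS` step does `curl -LO https://pkg.osquery.io/rpm/osquery-4.5.1-1.linux.x86_64.rpm` followed by `rpm -ivh ./osquery-4.5.1-1.linux.x86_64.rpm` with no integrity check at all, whereas the removed lines at least imported the repository GPG key before `yum install`. Pin the artifact instead: fetch it with `get_url` and `checksum: "sha256:<EXPECTED_SHA256 from the upstream release>"`, or import the osquery signing key and verify with `rpm -K` before installing, so a swapped package fails the run rather than landing on the manager as root. The version string is also hardcoded twice in the same task; a single `osquery_version` variable would keep the two filenames from drifting apart.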
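Review bot: In the `@@ -40,8 +41,9 @@` hunk the new `Start Osquery` task runs only `when: (osquery_check.rc == 3 or osquery_check.rc == 0)`, so on a host where `systemctl status osqueryd` returned any other code and `Install Osquery on CentOS` just installed the package, osqueryd is never started, and the removed `systemctl enable osqueryd` means it will not come up after a reboot either. Mirror the guard already used on `Configure Osquery`, e.g. `when: (osquery_check.rc == 3 or installation is succeeded)`, and keep the `enable` if persistence is expected. Note as well that on non-CentOS hosts `osquery_check` is skipped, so `osquery_check.rc` is likely undefined and these conditionals will error out rather than skip; an `osquery_check.rc is defined and ...` guard would make that explicit.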
diff --git a/tests/end_to_end/test_osquery_integration/test_osquery_integration.py b/tests/end_to_end/test_osquery_integration/test_osquery_integration.py index eecb3af610..543c3e00bb 100644 --- a/tests/end_to_end/test_osquery_integration/test_osquery_integration.py +++ b/tests/end_to_end/test_osquery_integration/test_osquery_integration.py @@ -33,12 +33,12 @@ def test_osquery_integration(configure_environment, metadata, get_dashboard_cred rule_id = metadata['rule.id'] osquery_name = metadata['extra']['data.osquery.name'] - expected_alert_json = fr".+timestamp\":\"(.+)\".+level\":{rule_level},\"description\":\"{rule_description}\"," \ + expected_alert_json = fr".+timestamp\":\"(.+)\",.+level\":{rule_level},\"description\":\"{rule_description}\"," \ fr"\"id\":\"{rule_id}\".+osquery\":.+\"name\":\"{osquery_name}\"" expected_indexed_alert = fr".+osquery\":.+\"name\": \"{osquery_name}\".+level\": {rule_level}, " \ fr"\"description\": \"{rule_description}\".+\"id\": \"{rule_id}\"" \ - r'.+"timestamp": "(.+)"' + r'.+timestamp\": \"(.+)\"},.+' query = e2e.make_query([ { @@ -60,7 +60,7 @@ def test_osquery_integration(configure_environment, metadata, get_dashboard_cred raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') # Wait a few seconds for the alert to be indexed (alert.json -> filebeat -> wazuh-indexer) - sleep(fw.T_5) + sleep(fw.T_10) # Get indexed alert response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) From f7d2442230d1ffbae2c77d73fc7ba9e7addad867 Mon Sep 17 00:00:00 2001 
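Review bot: The retuned `expected_indexed_alert` pattern in the first hunk still verifies the indexed alert by running a regex over `json.dumps(response.json())`, so it depends on key order and on the serializer's exact spacing, which is exactly why this commit has to adjust it again. Parsing the returned document and comparing the `rule.id`, `rule.level` and `timestamp` fields directly (the exact response shape is not visible here) would be stable across serializer changes and would let the regex go. The second hunk only lengthens a fixed `sleep(fw.T_10)`; a bounded poll of the indexer API until the document appears would be less flaky than guessing a wait time. `test_osquery_integration` starts outside these hunks.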
From: Mauro Malara Date: Thu, 23 Jun 2022 20:41:29 -0300 Subject: [PATCH 123/552] feat(test)!: module to test the detection of a shellshock attack added. #2888 --- .../data/playbooks/configuration.yaml | 45 +++++++++++ .../data/playbooks/generate_events.yaml | 20 +++++ .../cases_shellshock_attack_detection.yaml | 10 +++ .../test_shellshock_attack_detection.py | 75 +++++++++++++++++++ 4 files changed, 150 insertions(+) create mode 100644 tests/end_to_end/test_shellshock_attack_detection/data/playbooks/configuration.yaml create mode 100644 tests/end_to_end/test_shellshock_attack_detection/data/playbooks/generate_events.yaml create mode 100644 tests/end_to_end/test_shellshock_attack_detection/data/test_cases/cases_shellshock_attack_detection.yaml create mode 100644 tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py diff --git a/tests/end_to_end/test_shellshock_attack_detection/data/playbooks/configuration.yaml b/tests/end_to_end/test_shellshock_attack_detection/data/playbooks/configuration.yaml new file mode 100644 index 0000000000..ba3b63d5e5 --- /dev/null +++ b/tests/end_to_end/test_shellshock_attack_detection/data/playbooks/configuration.yaml 
@@ -0,0 +1,45 @@ +- name: Test setup + hosts: wazuh-manager + become: true + tasks: + + - name: Check if Firewalld is installed on CentOS + shell: systemctl status firewalld --no-pager + register: firewall_check + when: ansible_facts['distribution'] == "CentOS" + ignore_errors: true + + - name: Stop Firewalld if it's installed and active + shell: systemctl stop firewalld + when: (ansible_facts['distribution'] == "CentOS" and firewall_check.rc == 0) + + - name: Check if Apache is installed or not on CentOS + shell: systemctl status httpd --no-pager + register: apache_check + when: ansible_facts['distribution'] == "CentOS" + ignore_errors: true + + - name: Install Apache Server on CentOS + shell: | + yum update httpd -y + yum install httpd -y + register: installation + when: (ansible_facts['distribution'] == "CentOS" and apache_check.rc != 0 and apache_check.rc != 3) + + - name: Configure a localfile instance to collect the logs from Apache + blockinfile: + path: /var/ossec/etc/ossec.conf + marker: + insertbefore: ^ + block: | + + apache + /var/log/httpd/access_log + + + - name: Start Apache + shell: systemctl start httpd + when: (apache_check.rc == 3 or installation is succeeded) + + - name: Restart the manager + shell: systemctl restart wazuh-manager diff --git a/tests/end_to_end/test_shellshock_attack_detection/data/playbooks/generate_events.yaml b/tests/end_to_end/test_shellshock_attack_detection/data/playbooks/generate_events.yaml new file mode 100644 index 0000000000..3f09567044 --- /dev/null +++ b/tests/end_to_end/test_shellshock_attack_detection/data/playbooks/generate_events.yaml 
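Review bot: `Stop Firewalld if it's installed and active` disables the manager's host firewall for the whole test run and no task restores it, yet the event generated for this test only targets `localhost`, so the firewall is probably not in the way at all; drop the task, or pair it with a teardown that re-enables the service. The rendered hunk also shows `blockinfile` with `marker:` left empty — if that is literally the case, Ansible cannot find its own block on later runs and will insert the `localfile` block into `/var/ossec/etc/ossec.conf` again each time, so give it a real marker such as `marker: "# {mark} ANSIBLE MANAGED BLOCK - apache localfile"`. Finally, `Install Apache Server on CentOS` runs `yum update httpd -y` before `yum install httpd -y` on a host where the check already established the package is absent; the update line looks redundant.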
@@ -0,0 +1,20 @@ +- name: Generate events + hosts: wazuh-manager + become: true + tasks: + + - name: Truncate alerts file + shell: echo "" > /var/ossec/logs/alerts/alerts.json + + - name: "{{ event_description }}" + shell: "{{ command }}" + + - name: Wait for alerts to be generated + wait_for: + timeout: 5 + + - name: Get alerts.json + fetch: + src: /var/ossec/logs/alerts/alerts.json + dest: /tmp/ + flat: true diff --git a/tests/end_to_end/test_shellshock_attack_detection/data/test_cases/cases_shellshock_attack_detection.yaml b/tests/end_to_end/test_shellshock_attack_detection/data/test_cases/cases_shellshock_attack_detection.yaml new file mode 100644 index 0000000000..b3b03ddc43 --- /dev/null +++ b/tests/end_to_end/test_shellshock_attack_detection/data/test_cases/cases_shellshock_attack_detection.yaml @@ -0,0 +1,10 @@ +- name: shellshock_attack + description: Test if an alert is generated when a shellshock attack is attempted + configuration_parameters: null + metadata: + rule.id: "31166" + rule.description: "Shellshock attack attempt" + rule.level: 6 + extra_vars: + event_description: Shellshock attack + command: 'curl -k "localhost" -H "User-Agent: () { :; }; /bin/cat /etc/passwd"' diff --git a/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py b/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py new file mode 100644 index 0000000000..b681cfcc12 --- /dev/null +++ b/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py 
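Review bot: `Truncate alerts file` runs `shell: echo "" > /var/ossec/logs/alerts/alerts.json`, which wipes the manager's live alert log (every alert raised before the test is lost, and the file is left with a blank first line) just to give the event monitor a clean start. Recording the file size before generating events and matching only from that offset would keep the history; if truncation is really intended, `command: truncate -s 0 /var/ossec/logs/alerts/alerts.json` (or `copy` with `content: ''`) is the idempotent form and avoids the shell. The `fetch` to `dest: /tmp/` with `flat: true` also drops alert data at a fixed, shared path on the controller, so concurrent runs will overwrite each other; a per-run temporary directory would be safer.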
@@ -0,0 +1,75 @@ +import os +import json +import re +import pytest +from datetime import datetime +from tempfile import gettempdir +from time import sleep + +import wazuh_testing as fw +from wazuh_testing.tools.time import parse_date_time_format +from wazuh_testing import end_to_end as e2e +from wazuh_testing import event_monitor as evm +from wazuh_testing.tools import configuration as config + + +test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') +test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_shellshock_attack_detection.yaml') +alerts_json = os.path.join(gettempdir(), 'alerts.json') +configuration_playbooks = ['configuration.yaml'] +events_playbooks = ['generate_events.yaml'] + +configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) + + +@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') +@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) +def test_shellshock_attack_detection(configure_environment, metadata, get_dashboard_credentials, generate_events, + clean_environment): + rule_level = metadata['rule.level'] + rule_description = metadata['rule.description'] + rule_id = metadata['rule.id'] + + expected_alert_json = fr".+timestamp\":\"(.+)\",.+level\":{rule_level},\"description\":\"{rule_description}\"," \ + fr"\"id\":\"{rule_id}\"" + + expected_indexed_alert = fr".+level\": {rule_level}, \"description\": \"{rule_description}\"" \ + fr".+\"id\": \"{rule_id}\".+timestamp\": \"(.+)\"" \ + r'},.+' + + query = e2e.make_query([ + { + "term": { + "rule.id": rule_id + } + }, + { + "term": { + "rule.level": rule_level + } + } + ]) + + # Check that alert has been raised and save timestamp + raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + error_message='The alert has not occurred').result() + raised_alert_timestamp = raised_alert.group(1) + raised_alert_timestamp = 
datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') + + # Wait a few seconds for the alert to be indexed (alert.json -> filebeat -> wazuh-indexer) + sleep(fw.T_5) + + # Get indexed alert + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + indexed_alert = json.dumps(response.json()) + + # Check that the alert data is the expected one + alert_data = re.search(expected_indexed_alert, indexed_alert) + assert alert_data is not None, 'Alert triggered, but not indexed' + + # Get indexed alert timestamp + indexed_alert_timestamp = alert_data.group(1) + indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), '%Y-%m-%d %H:%M:%S') + + # Check that alert has been indexed (checking that the timestamp is the expected one) + assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' From 5954ee03e8bc85bf442caa23177163d0261e4f09 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Fri, 24 Jun 2022 08:42:12 -0300 Subject: [PATCH 124/552] fix: changed import --- tests/end_to_end/test_sql_injection/test_sql_injection.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/test_sql_injection/test_sql_injection.py b/tests/end_to_end/test_sql_injection/test_sql_injection.py index dbfb7a7359..5b7d1b813b 100644 --- a/tests/end_to_end/test_sql_injection/test_sql_injection.py +++ b/tests/end_to_end/test_sql_injection/test_sql_injection.py @@ -6,10 +6,10 @@ from tempfile import gettempdir from time import sleep +from wazuh_testing.tools.time import parse_date_time_format from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config -from wazuh_testing.tools.time import parse_date_time_format alerts_json = os.path.join(gettempdir(), 'alerts.json') From 6e00ee2439db6b1ffb77c8d7befafac18f869528 Mon Sep 17 00:00:00 2001 
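Review bot: Both assertions in the new `test_shellshock_attack_detection` report the same message `'Alert triggered, but not indexed'`, although the second one fails on a timestamp mismatch between the raised and the indexed alert; change it to something like `'Indexed alert timestamp does not match the raised alert'` so a failure is diagnosable from the message. The `@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning')` marker suggests the indexer request is made with certificate verification disabled (`e2e.get_alert_indexer_api` is not visible here); if so, a one-line comment stating that the test environment's dashboard uses a self-signed certificate, or passing the environment's CA bundle instead, would make that deliberate rather than silent. The function also lacks a docstring; one describing the flow — trigger the event on the manager, match the alert in `alerts.json`, then confirm the same alert (by timestamp) is returned by the indexer — would help the next maintainer.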
From: Mauro Malara Date: Fri, 24 Jun 2022 10:27:04 -0300 Subject: [PATCH 125/552] refac(conftest): validation for extra_vars added. #2887 Co-authored-by: Julia Magan --- tests/end_to_end/conftest.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index c4c5753c88..9f918d6c38 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -61,7 +61,8 @@ def configure_environment(request): # Check if the module has extra variables to pass to the playbook configuration_extra_vars = getattr(request.module, 'configuration_extra_vars', None) - parameters.update({'extravars': configuration_extra_vars}) + if configuration_extra_vars is not None: + parameters.update({'extravars': configuration_extra_vars}) ansible_runner.run(**parameters) From 792a2cc1d10abd324af4d0d2a27b46d62e6ab4e2 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Fri, 24 Jun 2022 11:22:06 -0300 Subject: [PATCH 126/552] fix(test): some fixes have been made. #2888 Regex fixed to match the indexed alert. Query fixed. Sleep time fixed. --- .../test_shellshock_attack_detection.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py b/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py index b681cfcc12..57e326a40c 100644 --- a/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py +++ b/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py 
@@ -33,7 +33,7 @@ def test_shellshock_attack_detection(configure_environment, metadata, get_dashbo expected_alert_json = fr".+timestamp\":\"(.+)\",.+level\":{rule_level},\"description\":\"{rule_description}\"," \ fr"\"id\":\"{rule_id}\"" - expected_indexed_alert = fr".+level\": {rule_level}, \"description\": \"{rule_description}\"" \ + expected_indexed_alert = fr".+level\": {rule_level}.+\"description\": \"{rule_description}\"" \ fr".+\"id\": \"{rule_id}\".+timestamp\": \"(.+)\"" \ r'},.+' @@ -45,7 +45,7 @@ def test_shellshock_attack_detection(configure_environment, metadata, get_dashbo }, { "term": { - "rule.level": rule_level + "rule.level": f"{rule_level}" } } ]) @@ -57,7 +57,7 @@ def test_shellshock_attack_detection(configure_environment, metadata, get_dashbo raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') # Wait a few seconds for the alert to be indexed (alert.json -> filebeat -> wazuh-indexer) - sleep(fw.T_5) + sleep(fw.T_10) # Get indexed alert response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) From e0f6f535d9244e2f75b808e17c07aba92d913d4e Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Fri, 24 Jun 2022 11:26:37 -0300 Subject: [PATCH 127/552] fix(cases): linter corrections applied. #2888 --- .../data/test_cases/cases_shellshock_attack_detection.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/test_shellshock_attack_detection/data/test_cases/cases_shellshock_attack_detection.yaml b/tests/end_to_end/test_shellshock_attack_detection/data/test_cases/cases_shellshock_attack_detection.yaml index b3b03ddc43..c3542dbd27 100644 --- a/tests/end_to_end/test_shellshock_attack_detection/data/test_cases/cases_shellshock_attack_detection.yaml +++ b/tests/end_to_end/test_shellshock_attack_detection/data/test_cases/cases_shellshock_attack_detection.yaml 
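Review bot: In the second hunk `"rule.level": f"{rule_level}"` uses an f-string purely to stringify an int; `str(rule_level)` says that directly, and a short comment such as `# the indexer term query expects the level as a string` would stop the next reader from reverting it to the int form that this commit is fixing. The third hunk replaces `sleep(fw.T_5)` with `sleep(fw.T_10)`, a longer fixed wait; polling `e2e.get_alert_indexer_api` in a bounded loop until the alert appears would remove the guesswork. The enclosing test function starts outside these hunks.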
@@ -7,4 +7,4 @@ rule.level: 6 extra_vars: event_description: Shellshock attack - command: 'curl -k "localhost" -H "User-Agent: () { :; }; /bin/cat /etc/passwd"' + command: 'curl -k "localhost" -H "User-Agent{{ ":" }} () { :; }; /bin/cat /etc/passwd"' From bd178724d65cf9a09454aa70c65f08e51549ca93 Mon Sep 17 00:00:00 2001 
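Review bot: The `{{ ":" }}` substitution inside the `command` value reads like a typo and deserves a comment in the YAML; presumably it keeps the `User-Agent: ...` colon-space in the header argument from being interpreted as a `key: value` pair when the free-form `shell` argument is processed (the commit message only says "linter corrections"). A line such as `# The header colon is emitted via Jinja so Ansible does not parse the header as a key/value mapping` above `command:` would make the intent clear to the next reader.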
From: Luis Gonzalez Date: Thu, 23 Jun 2022 18:49:12 +0200 Subject: [PATCH 128/552] add: Add custom qa roles #3582 on jenkins' repo Changes: - Added ansible structure to QA's repo - Added two new roles: `apache` and `qa_framework` roles - `customize` flag has been added to `qa_framework` role: by setting this as true, we can customize any var within all hosts `apache` role works on all systems but in Solaris and macOS it freezes during the Apache installation. --- ansible/playbooks/apache.yml | 27 +++++++++++ ansible/playbooks/qa_framework.yml | 12 +++++ ansible/roles/apache/tasks/Linux.yml | 14 ++++++ ansible/roles/apache/tasks/MacOS.yml | 17 +++++++ ansible/roles/apache/tasks/Solaris.yml | 37 +++++++++++++++ ansible/roles/apache/tasks/Windows.yml | 27 +++++++++++ ansible/roles/apache/tasks/main.yml | 47 ++++++++++++++++++++ ansible/roles/apache/vars/Debian.yml | 2 + ansible/roles/apache/vars/MacOS.yml | 3 ++ ansible/roles/apache/vars/RedHat.yml | 2 + ansible/roles/apache/vars/Solaris.yml | 3 ++ ansible/roles/apache/vars/Windows.yml | 13 ++++++ ansible/roles/apache/vars/main.yml | 0 ansible/roles/qa_framework/defaults/main.yml | 8 ++++ ansible/roles/qa_framework/tasks/Solaris.yml | 4 ++ ansible/roles/qa_framework/tasks/Unix.yml | 35 +++++++++++++++ ansible/roles/qa_framework/tasks/Windows.yml | 20 +++++++++ ansible/roles/qa_framework/tasks/main.yml | 41 +++++++++++++++++ ansible/roles/qa_framework/vars/Solaris.yml | 1 + ansible/roles/qa_framework/vars/Unix.yml | 1 + ansible/roles/qa_framework/vars/Windows.yml | 2 + ansible/roles/qa_framework/vars/macOS.yml | 1 + ansible/roles/qa_framework/vars/main.yml | 0 23 files changed, 317 insertions(+) create mode 100644 ansible/playbooks/apache.yml create mode 100644 ansible/playbooks/qa_framework.yml create mode 100644 ansible/roles/apache/tasks/Linux.yml create mode 100644 ansible/roles/apache/tasks/MacOS.yml create mode 100644 ansible/roles/apache/tasks/Solaris.yml create mode 100644 ansible/roles/apache/tasks/Windows.yml 
create mode 100644 ansible/roles/apache/tasks/main.yml create mode 100644 ansible/roles/apache/vars/Debian.yml create mode 100644 ansible/roles/apache/vars/MacOS.yml create mode 100644 ansible/roles/apache/vars/RedHat.yml create mode 100644 ansible/roles/apache/vars/Solaris.yml create mode 100644 ansible/roles/apache/vars/Windows.yml create mode 100644 ansible/roles/apache/vars/main.yml create mode 100644 ansible/roles/qa_framework/defaults/main.yml create mode 100644 ansible/roles/qa_framework/tasks/Solaris.yml create mode 100644 ansible/roles/qa_framework/tasks/Unix.yml create mode 100644 ansible/roles/qa_framework/tasks/Windows.yml create mode 100644 ansible/roles/qa_framework/tasks/main.yml create mode 100644 ansible/roles/qa_framework/vars/Solaris.yml create mode 100644 ansible/roles/qa_framework/vars/Unix.yml create mode 100644 ansible/roles/qa_framework/vars/Windows.yml create mode 100644 ansible/roles/qa_framework/vars/macOS.yml create mode 100644 ansible/roles/qa_framework/vars/main.yml diff --git a/ansible/playbooks/apache.yml b/ansible/playbooks/apache.yml new file mode 100644 index 0000000000..d1374c03d0 --- /dev/null +++ b/ansible/playbooks/apache.yml @@ -0,0 +1,27 @@ +- hosts: linux solaris + become: yes + become_user: root + roles: + - ../roles/apache + vars: + apache_hosts: + - port: 1514 + protocol: tcp + api_port: 55000 + api_proto: 'http' + api_user: ansible + max_retries: 5 + retry_interval: 5 + +- hosts: windows macos + roles: + - ../roles/apache + vars: + apache_hosts: + - port: 1514 + protocol: tcp + api_port: 55000 + api_proto: 'http' + api_user: ansible + max_retries: 5 + retry_interval: 5 diff --git a/ansible/playbooks/qa_framework.yml b/ansible/playbooks/qa_framework.yml new file mode 100644 index 0000000000..8164a22eb0 --- /dev/null +++ b/ansible/playbooks/qa_framework.yml 
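Review bot: Both plays in `ansible/playbooks/apache.yml` pass an identical `apache_hosts` list (`port`, `protocol`, `api_port`, `api_proto: 'http'`, `api_user: ansible`, `max_retries`, `retry_interval`), but as far as the files in this patch show, none of the `apache` role's tasks or vars read any of those keys — the role consumes `program`, `service`, `home_dir` and the `apache_*` download variables. Either remove the block or add a comment naming the consumer that expects it; if it stays, define it once (group vars or `vars_files`) instead of duplicating it across the two plays.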
@@ -0,0 +1,12 @@ +- hosts: qa_framework + roles: + - ../roles/qa_framework + vars: + apache_hosts: + - port: 1514 + protocol: tcp + api_port: 55000 + api_proto: 'http' + api_user: ansible + max_retries: 5 + retry_interval: 5 diff --git a/ansible/roles/apache/tasks/Linux.yml b/ansible/roles/apache/tasks/Linux.yml new file mode 100644 index 0000000000..76a0a286eb --- /dev/null +++ b/ansible/roles/apache/tasks/Linux.yml @@ -0,0 +1,14 @@ +- name: Install apache server + package: + name: "{{ program }}" + state: present + +- name: "Start {{ service }} service" + service: + name: "{{ service }}" + state: started + +- name: "Check {{ service }} is running" + command: systemctl status "{{ service }}" + register: service_status + failed_when: (service_status.stderr | length > 0) or ("active (running)" not in service_status.stdout ) diff --git a/ansible/roles/apache/tasks/MacOS.yml b/ansible/roles/apache/tasks/MacOS.yml new file mode 100644 index 0000000000..8c5f6cbb54 --- /dev/null +++ b/ansible/roles/apache/tasks/MacOS.yml @@ -0,0 +1,17 @@ + # - name: Install MacOS package Apache + # become: true + # shell: installer -pkg wazuh-* -target / + # args: + # chdir: /Users/vagrant + +- name: Install {{ program }} with brew | MacOS + homebrew: + name: "{{ program }}" + update_homebrew: yes + +# - name: Install {{ program }} with brew | MacOS +# become: false +# shell: /usr/local/bin/brew install {{ program }} + +- name: Start {{ program }} with brew | MacOS + shell: /usr/local/bin/brew services start {{ program }} diff --git a/ansible/roles/apache/tasks/Solaris.yml b/ansible/roles/apache/tasks/Solaris.yml new file mode 100644 index 0000000000..85ccb2e9d0 --- /dev/null +++ b/ansible/roles/apache/tasks/Solaris.yml 
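Review bot: `ansible/roles/apache/tasks/MacOS.yml` ships two commented-out tasks (an `installer -pkg wazuh-*` step and a `shell`-based brew install) next to the live `homebrew` task; the first has nothing to do with Apache and both are dead code in a playbook that is hard to read. Delete them, or if they are kept as alternatives, add a one-line comment saying when each applies. `Start {{ program }} with brew | MacOS` then runs `/usr/local/bin/brew services start` through `shell` on every run, which is not idempotent; a `changed_when` keyed on the command output, or a prior `brew services list` check, would keep the change report honest.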
@@ -0,0 +1,37 @@ +# Works on Solaris 11 +# - name: Install solaris wazuh agent custom package +# become: true +# shell: pkg install web/server/{{ program }} +# environment: +# PATH: "/opt/python3/bin/:/usr/sbin:/usr/bin:/usr/sbin/:/opt/csw/gnu/:/usr/sfw/bin/:/opt/csw/bin/" + +- name: Install CSWpkgutil + become: true + shell: pkgadd -d http://get.opencsw.org/now -n + environment: + PATH: "/opt/python3/bin/:/usr/sbin:/usr/bin:/usr/sbin/:/opt/csw/gnu/:/usr/sfw/bin/:/opt/csw/bin/" + +- name: Fetch new catalog and descriptions + become: true + shell: /opt/csw/bin/pkgutil -U + environment: + PATH: "/opt/python3/bin/:/usr/sbin:/usr/bin:/usr/sbin/:/opt/csw/gnu/:/usr/sfw/bin/:/opt/csw/bin/" + +- name: Install apache2 + become: true + shell: /opt/csw/bin/pkgutil -y -i apache2 + environment: + PATH: "/opt/python3/bin/:/usr/sbin:/usr/bin:/usr/sbin/:/opt/csw/gnu/:/usr/sfw/bin/:/opt/csw/bin/" + +- name: List files + become: true + shell: /usr/sbin/pkgchk -L CSWapache2 + environment: + PATH: "/opt/python3/bin/:/usr/sbin:/usr/bin:/usr/sbin/:/opt/csw/gnu/:/usr/sfw/bin/:/opt/csw/bin/" + +- name: Enable service + become: true + shell: svcadm -v enable /network/http:apache2 + environment: + PATH: "/opt/python3/bin/:/usr/sbin:/usr/bin:/usr/sbin/:/opt/csw/gnu/:/usr/sfw/bin/:/opt/csw/bin/" + diff --git a/ansible/roles/apache/tasks/Windows.yml b/ansible/roles/apache/tasks/Windows.yml new file mode 100644 index 0000000000..395a5aa5bf --- /dev/null +++ b/ansible/roles/apache/tasks/Windows.yml 
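Review bot: `Install CSWpkgutil` runs `pkgadd -d http://get.opencsw.org/now -n` as root: the bootstrap package is fetched over plain HTTP and installed non-interactively with no signature or checksum check, so anything on the network path can substitute it. Download the package to disk first and compare it against a known digest (placeholder: `EXPECTED_SHA256`) before `pkgadd`, and prefer an https source if the mirror offers one. The identical `environment: PATH:` block is repeated on every task — setting `environment` once at play or block level removes the duplication — and `List files` (`pkgchk -L CSWapache2`) only prints output that nothing consumes, so it can go.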
@@ -0,0 +1,27 @@ +- name: Download the Apache binaries + win_get_url: + url: "{{ apache_zip_url }}" + dest: "{{ home_dir }}" + checksum: "{{apache_algorithm}}:{{apache_checksum}}" + +- name: Unzip Apache binaries zip + community.windows.win_unzip: + src: "{{ apache_zip_path }}" + dest: "{{ home_dir }}" + creates: "{{ apache_folder_path }}" + +- name: Replace Apache's ServerRoot location + community.windows.win_lineinfile: + path: "{{ apache_folder_path }}/conf/httpd.conf" + backrefs: yes + regex: Define SRVROOT "c:/Apache24" + line: Define SRVROOT "c:/Users/qa/Apache24" + +- name: Verify httpd.conf + ansible.windows.win_shell: "{{ apache_bin_path }} -t" + +- name: Install Apache service + ansible.windows.win_shell: "{{ apache_bin_path }} -k install" + +- name: Start Apache service + ansible.windows.win_shell: "{{ apache_bin_path }} -k start" diff --git a/ansible/roles/apache/tasks/main.yml b/ansible/roles/apache/tasks/main.yml new file mode 100644 index 0000000000..9fa8bf7f4d --- /dev/null +++ b/ansible/roles/apache/tasks/main.yml 
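Review bot: `Replace Apache's ServerRoot location` hardcodes `line: Define SRVROOT "c:/Users/qa/Apache24"` while the rest of the role derives that location from `apache_folder_path` (`{{ home_dir }}/Apache24`), so changing `home_dir` would leave httpd.conf pointing at the wrong tree. Use `line: Define SRVROOT "{{ apache_folder_path }}"` and anchor the match, e.g. `regex: '^Define SRVROOT '`, so the two stay in sync and the replacement works even if the shipped default path changes. Pinning `checksum` on the `win_get_url` download is good; the `-t` verification step via `win_shell` should carry `changed_when: false`, since it only inspects the configuration.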
@@ -0,0 +1,47 @@ +# vars + +# Linux +- name: Include Debian custom vars + include_vars: ../vars/Debian.yml + when: ansible_os_family == "Debian" + +- name: Include RedHat custom vars + include_vars: ../vars/RedHat.yml + when: ansible_os_family == "RedHat" + +# Windows +- name: Include Windows custom vars + include_vars: ../vars/Windows.yml + when: ansible_os_family == "Windows" + +# Solaris +- name: Include Solaris custom vars + include_vars: ../vars/Solaris.yml + when: ansible_os_family == "Solaris" + +# MacOS +- name: Include MacOS custom vars + include_vars: ../vars/MacOS.yml + when: ansible_os_family == "Darwin" + +# tasks + +# Linux +- name: Include Linux custom tasks + include_tasks: "Linux.yml" + when: ansible_os_family == "Debian" or ansible_os_family == "RedHat" + +# Windows +- name: Include Windows custom tasks + include_tasks: "Windows.yml" + when: ansible_os_family == "Windows" + +# Solaris +- name: Include Solaris custom tasks + include_tasks: "Solaris.yml" + when: ansible_os_family == "Solaris" + +# macOS +- name: Include MacOS custom tasks + include_tasks: "MacOS.yml" + when: ansible_os_family == "Darwin" diff --git a/ansible/roles/apache/vars/Debian.yml b/ansible/roles/apache/vars/Debian.yml new file mode 100644 index 0000000000..40e59bbde6 --- /dev/null +++ b/ansible/roles/apache/vars/Debian.yml @@ -0,0 +1,2 @@ +program: "apache2" +service: "apache2" diff --git a/ansible/roles/apache/vars/MacOS.yml b/ansible/roles/apache/vars/MacOS.yml new file mode 100644 index 0000000000..99a8e9c4d6 --- /dev/null +++ b/ansible/roles/apache/vars/MacOS.yml @@ -0,0 +1,3 @@ +program: "httpd" +service: "httpd" +home_dir: /Users/vagrant diff --git a/ansible/roles/apache/vars/RedHat.yml b/ansible/roles/apache/vars/RedHat.yml new file mode 100644 index 0000000000..0364124645 --- /dev/null +++ b/ansible/roles/apache/vars/RedHat.yml @@ -0,0 +1,2 @@ +program: "httpd" +service: "httpd" 
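Review bot: `ansible/roles/apache/tasks/main.yml` dispatches on `ansible_os_family` but handles only Debian, RedHat, Windows, Solaris and Darwin, so a host of any other family completes the role silently with nothing installed and none of the per-platform checks ever run. Add a final guard such as `fail: msg: "Unsupported os_family {{ ansible_os_family }}"` with a `when:` that excludes the handled families (or an `assert:` on `ansible_os_family in [...]` at the top) so an unexpected platform surfaces as an error instead of a green run.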
diff --git a/ansible/roles/apache/vars/Solaris.yml b/ansible/roles/apache/vars/Solaris.yml new file mode 100644 index 0000000000..32e0902b98 --- /dev/null +++ b/ansible/roles/apache/vars/Solaris.yml @@ -0,0 +1,3 @@ +program : apache-24 +service: apache24 +home_dir: /export/home/vagrant diff --git a/ansible/roles/apache/vars/Windows.yml b/ansible/roles/apache/vars/Windows.yml new file mode 100644 index 0000000000..3a8c53efc7 --- /dev/null +++ b/ansible/roles/apache/vars/Windows.yml @@ -0,0 +1,13 @@ +# https://archive.apache.org/dist/httpd/binaries/win32/?C=M;O=D openssl msi with its sha file +# https://www.apachelounge.com/download/VS16/binaries binaries and checksums +service: httpd +apache_version: 2.4.54 +home_dir: C:\Users/qa +# latest stable version +apache_zip_url: "https://www.apachelounge.com/download/VS16/binaries/httpd-2.4.54-win64-VS16.zip" +apache_algorithm: sha256 +apache_checksum: b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c +apache_zip_file: httpd-{{apache_version}}-win64-VS16.zip +apache_zip_path: "{{home_dir}}/{{apache_zip_file}}" +apache_folder_path: "{{home_dir}}/Apache24" +apache_bin_path: "{{apache_folder_path}}/bin/httpd.exe" diff --git a/ansible/roles/apache/vars/main.yml b/ansible/roles/apache/vars/main.yml new file mode 100644 index 0000000000..e69de29bb2 diff --git a/ansible/roles/qa_framework/defaults/main.yml b/ansible/roles/qa_framework/defaults/main.yml new file mode 100644 index 0000000000..7aaa295c68 --- /dev/null +++ b/ansible/roles/qa_framework/defaults/main.yml @@ -0,0 +1,8 @@ +qa_repository_url: https://github.com/wazuh/wazuh-qa.git +qa_repository_reference: master +qa_requirements_file: requirements.txt +test_setup_qa_path: deps/wazuh_testing +setup_installer: setup.py +build_dir: /tmp/wazuh-qa +# This flag allows modifying any var +customize: false diff --git a/ansible/roles/qa_framework/tasks/Solaris.yml b/ansible/roles/qa_framework/tasks/Solaris.yml new file mode 100644 index 0000000000..fc4b0471ba 
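Review bot: In `ansible/roles/apache/vars/Windows.yml`, `apache_zip_url` embeds `httpd-2.4.54-win64-VS16.zip` literally even though `apache_version: 2.4.54` and `apache_zip_file: httpd-{{apache_version}}-win64-VS16.zip` exist for exactly this purpose, so bumping `apache_version` would download one file and then look for another. Build it from the variable, `apache_zip_url: "https://www.apachelounge.com/download/VS16/binaries/{{ apache_zip_file }}"`, and note beside `apache_checksum` that it must be updated together with the version (the `# latest stable version` comment will otherwise go stale). `home_dir: C:\Users/qa` mixes path separators, and `Solaris.yml` has `program : apache-24` with a stray space before the colon.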
--- /dev/null +++ b/ansible/roles/qa_framework/tasks/Solaris.yml @@ -0,0 +1,4 @@ +- name: Install python requirements on Solaris + command: "{{ python_executable }} -m pip install -r {{ qa_requirements_file }}" + args: + chdir: "{{ build_dir }}" diff --git a/ansible/roles/qa_framework/tasks/Unix.yml b/ansible/roles/qa_framework/tasks/Unix.yml new file mode 100644 index 0000000000..5f71a1afd1 --- /dev/null +++ b/ansible/roles/qa_framework/tasks/Unix.yml @@ -0,0 +1,35 @@ +- name: Clone Wazuh-QA repo | UNIX + git: + repo: "{{ qa_repository_url }}" + dest: "{{ build_dir }}" + version: "{{ qa_repository_reference }}" + depth: 1 + register: clone_result + retries: 6 + delay: 10 + until: clone_result is success + when: ansible_os_family != "Solaris" + +- name: Clone Wazuh-QA repo | Solaris + git: + repo: "{{ qa_repository_url }}" + dest: "{{ build_dir }}" + version: "{{ qa_repository_reference }}" + depth: 1 + register: clone_result + retries: 6 + delay: 10 + until: clone_result is success + environment: + PATH: "/opt/python3/bin/:/usr/bin:/bin:/usr/sbin/:/opt/csw/gnu/:/usr/sfw/bin/:/opt/csw/bin/" + when: ansible_os_family == "Solaris" + +- name: Install python requirements | UNIX + command: "{{ python_executable }} -m pip install -r {{ qa_requirements_file }} --no-cache-dir --only-binary=:cryptography,grpcio: --user" + args: + chdir: "{{ build_dir }}" + +- name: Install setup.py | UNIX + command: "{{ python_executable }} {{ setup_installer }} install --user" + args: + chdir: "{{ build_dir }}/{{ test_setup_qa_path }}" diff --git a/ansible/roles/qa_framework/tasks/Windows.yml b/ansible/roles/qa_framework/tasks/Windows.yml new file mode 100644 index 0000000000..66a0689ae4 --- /dev/null +++ b/ansible/roles/qa_framework/tasks/Windows.yml 
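Review bot: `Clone Wazuh-QA repo | UNIX` and `Clone Wazuh-QA repo | Solaris` in `Unix.yml` are the same `git` task differing only in `environment`; a single task with `environment: "{{ git_env | default({}) }}"` and the Solaris `PATH` moved into the Solaris vars file would remove the duplication. `ansible/roles/qa_framework/tasks/Solaris.yml` in the first hunk is not included by the role's `main.yml` as far as this patch shows (only `Unix.yml` and `Windows.yml` are), so it appears to be dead. Both `pip install -r {{ qa_requirements_file }}` steps install whatever the checked-out `qa_repository_reference` (default `master`) lists, without hash pinning; acceptable for a QA box, but worth a sentence in `defaults/main.yml` so nobody assumes the toolchain is reproducible.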
@@ -0,0 +1,20 @@ +- name: Create {{ build_dir }} if does not exist + ansible.windows.win_file: + path: "{{ build_dir }}" + state: directory + +- name: Clone Wazuh-QA repo | Windows + win_command: powershell.exe - + args: + chdir: "{{ build_dir }}" + stdin: "git clone {{ qa_repository_url }} -b {{ qa_repository_reference }} --depth=1 {{ build_dir }}/tmp; move tmp/* ./" + +- name: Install python requirements | Windows + win_command: "{{ python_executable }} -m pip install -r {{ qa_requirements_file }} --no-cache-dir --only-binary=:cryptography,grpcio:" + args: + chdir: "{{ build_dir }}" + +- name: Install setup.py | Windows + win_command: "{{ python_executable }} {{ setup_installer }} install" + args: + chdir: "{{ build_dir }}\\{{ test_setup_qa_path }}" diff --git a/ansible/roles/qa_framework/tasks/main.yml b/ansible/roles/qa_framework/tasks/main.yml new file mode 100644 index 0000000000..e1aa89cfc9 --- /dev/null +++ b/ansible/roles/qa_framework/tasks/main.yml @@ -0,0 +1,41 @@ +# vars + +# Unix +- name: Include Unix custom vars + include_vars: Unix.yml + when: + - customize == false + - ansible_os_family != "Windows" + +# Solaris +- name: Include Solaris custom vars + include_vars: Solaris.yml + when: + - customize == false + - ansible_os_family == "Solaris" + +# macOS +- name: Include macOS custom vars + include_vars: macOS.yml + when: + - customize == false + - ansible_os_family == "Darwin" + +# Windows +- name: Include Windows custom vars + include_vars: Windows.yml + when: + - customize == false + - ansible_os_family == "Windows" + +# tasks + +# Unix|Solaris|macOS +- name: Include Unix custom tasks + include_tasks: Unix.yml + when: ansible_os_family != "Windows" + +# Windows +- name: Include Windows custom tasks + include_tasks: Windows.yml + when: ansible_os_family == "Windows" diff --git a/ansible/roles/qa_framework/vars/Solaris.yml b/ansible/roles/qa_framework/vars/Solaris.yml new file mode 100644 index 0000000000..0abc152641 --- /dev/null 
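Review bot: `Clone Wazuh-QA repo | Windows` drives `powershell.exe -` with a stdin script that clones into `{{ build_dir }}/tmp` and then `move tmp/* ./`; git accepts an existing empty directory as the clone target, so `stdin: "git clone {{ qa_repository_url }} -b {{ qa_repository_reference }} --depth=1 ."` (the cwd is already `build_dir` via `chdir`) does the same without the leftover `tmp` directory, and `win_command` could then call `git` directly instead of composing a PowerShell script from templated variables. As written the task presumably also fails on a second run, since `tmp` would already exist. The setup.py task's `chdir` joins with a backslash while `test_setup_qa_path` defaults to `deps/wazuh_testing` with forward slashes; Windows tolerates the mix but it reads inconsistently.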
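Review bot: The `when: customize == false` conditions compare the flag with a literal; `when: not customize | bool` is the idiomatic form and also behaves correctly when the flag arrives as the string `"false"` from `-e customize=false`, where `== false` is never true. The Unix include (`ansible_os_family != "Windows"`) also fires for Solaris and Darwin, and the Solaris/macOS includes rely on running afterwards to override `python_executable`; `# Unix.yml supplies the defaults; Solaris.yml/macOS.yml below override python_executable` would make that ordering dependency explicit. `tasks/Solaris.yml` from this commit is not included anywhere in this file.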
+++ b/ansible/roles/qa_framework/vars/Solaris.yml @@ -0,0 +1 @@ +python_executable: /opt/python3/bin/python3 diff --git a/ansible/roles/qa_framework/vars/Unix.yml b/ansible/roles/qa_framework/vars/Unix.yml new file mode 100644 index 0000000000..d7ccd9d41b --- /dev/null +++ b/ansible/roles/qa_framework/vars/Unix.yml @@ -0,0 +1 @@ +python_executable: /usr/local/bin/python3.10 diff --git a/ansible/roles/qa_framework/vars/Windows.yml b/ansible/roles/qa_framework/vars/Windows.yml new file mode 100644 index 0000000000..3bfbd88b1e --- /dev/null +++ b/ansible/roles/qa_framework/vars/Windows.yml @@ -0,0 +1,2 @@ +build_dir: C:\Users\qa\AppData\Local\Temp\wazuh-qa +python_executable: C:\Users\qa\AppData\Local\Programs\Python\Python310\python.exe diff --git a/ansible/roles/qa_framework/vars/macOS.yml b/ansible/roles/qa_framework/vars/macOS.yml new file mode 100644 index 0000000000..fc4312d0aa --- /dev/null +++ b/ansible/roles/qa_framework/vars/macOS.yml @@ -0,0 +1 @@ +python_executable: /Library/Developer/CommandLineTools/usr/bin/python3 diff --git a/ansible/roles/qa_framework/vars/main.yml b/ansible/roles/qa_framework/vars/main.yml new file mode 100644 index 0000000000..e69de29bb2 From 5c51bfdd273795632269da47ad9ebff159b12367 Mon Sep 17 00:00:00 2001 From: Luis Gonzalez Date: Fri, 24 Jun 2022 14:12:39 +0200 Subject: [PATCH 129/552] fix: Fix vars hostname #3682 --- ansible/playbooks/qa_framework.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/playbooks/qa_framework.yml b/ansible/playbooks/qa_framework.yml index 8164a22eb0..779099b4a4 100644 --- a/ansible/playbooks/qa_framework.yml +++ b/ansible/playbooks/qa_framework.yml @@ -2,7 +2,7 @@ roles: - ../roles/qa_framework vars: - apache_hosts: + qa_hosts: - port: 1514 protocol: tcp api_port: 55000 From b09dfeca89cb1b05788f8ea223da370c79f7b8e7 Mon Sep 17 00:00:00 2001 
From: Mauro Malara Date: Fri, 24 Jun 2022 16:25:18 -0300 Subject: [PATCH 130/552] fix(linter): quotes error fixed. #2888 --- .../data/test_cases/cases_shellshock_attack_detection.yaml | 6 +++--- .../test_shellshock_attack_detection.py | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/end_to_end/test_shellshock_attack_detection/data/test_cases/cases_shellshock_attack_detection.yaml b/tests/end_to_end/test_shellshock_attack_detection/data/test_cases/cases_shellshock_attack_detection.yaml index c3542dbd27..825647043b 100644 --- a/tests/end_to_end/test_shellshock_attack_detection/data/test_cases/cases_shellshock_attack_detection.yaml +++ b/tests/end_to_end/test_shellshock_attack_detection/data/test_cases/cases_shellshock_attack_detection.yaml @@ -2,9 +2,9 @@ description: Test if an alert is generated when a shellshock attack is attempted configuration_parameters: null metadata: - rule.id: "31166" - rule.description: "Shellshock attack attempt" + rule.id: 31166 + rule.description: Shellshock attack attempt rule.level: 6 extra_vars: event_description: Shellshock attack - command: 'curl -k "localhost" -H "User-Agent{{ ":" }} () { :; }; /bin/cat /etc/passwd"' + command: curl -k "localhost" -H "User-Agent{{":"}} () { :; }; /bin/cat /etc/passwd" diff --git a/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py b/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py index 57e326a40c..d059f6c86b 100644 --- a/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py +++ b/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py @@ -40,7 +40,7 @@ def test_shellshock_attack_detection(configure_environment, metadata, get_dashbo query = e2e.make_query([ { "term": { - "rule.id": rule_id + "rule.id": f"{rule_id}" } }, { From 8d2fa7f9e275bcce85602c978c916be9de028bf2 Mon Sep 17 00:00:00 2001 
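Review bot: `"rule.id": f"{rule_id}"` is a single-value f-string; `str(rule_id)` states directly that the integer now coming from the YAML (`rule.id: 31166` in this same commit) is being coerced to the string the indexer `term` query expects, which is the real purpose of the change. The same pattern is repeated in `test_docker_monitoring.py` (patch 131) and `test_detecting_suspicious_binaries.py` (patch 139) later in this series. The enclosing `test_shellshock_attack_detection` starts and ends outside the hunk.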
From: Mauro Malara Date: Fri, 24 Jun 2022 17:48:22 -0300 Subject: [PATCH 131/552] fix(test)!: fixes added to avoid the `alert not indexed` error. #2935 --- .../data/playbooks/configuration.yaml | 2 +- .../data/playbooks/generate_events.yaml | 5 +---- .../data/test_cases/cases_docker_monitoring.yaml | 8 ++++---- .../test_docker_monitoring/test_docker_monitoring.py | 8 ++++---- 4 files changed, 10 insertions(+), 13 deletions(-) diff --git a/tests/end_to_end/test_docker_monitoring/data/playbooks/configuration.yaml b/tests/end_to_end/test_docker_monitoring/data/playbooks/configuration.yaml index 0a3b3ad870..a2355b0a40 100644 --- a/tests/end_to_end/test_docker_monitoring/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_docker_monitoring/data/playbooks/configuration.yaml @@ -11,6 +11,7 @@ - name: Install Docker using the convenience script shell: curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh + register: installation when: (docker_check.rc != 0 and docker_check.rc != 3) - name: Stop docker to avoid errors and start it @@ -18,7 +19,6 @@ systemctl stop docker systemctl stop docker.socket systemctl start docker - when: (docker_check.rc == 3 or docker_check.rc == 0) - name: Configure the docker-listener module blockinfile: diff --git a/tests/end_to_end/test_docker_monitoring/data/playbooks/generate_events.yaml b/tests/end_to_end/test_docker_monitoring/data/playbooks/generate_events.yaml index 988daf8fd3..962aaeb874 100644 --- a/tests/end_to_end/test_docker_monitoring/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_docker_monitoring/data/playbooks/generate_events.yaml @@ -9,12 +9,9 @@ - name: "{{ event_description }}" shell: "{{ command }}" - - name: Dummy alert - shell: 'echo "$(date +"%b %d %T") agent sshd[29205]: Invalid user a from 18.18.1.1 port 22" >> /var/log/messages' - - name: Wait for alerts to be generated wait_for: - timeout: 5 + timeout: 20 - name: Get alerts.json fetch: 
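Review bot: `wait_for: timeout: 20` in `generate_events.yaml` is a fixed sleep: the test still fails if the alert takes longer, and otherwise waits the full 20 s for nothing. `wait_for` can watch the file instead — `path: /var/ossec/logs/alerts/alerts.json` plus `search_regex:` for the expected rule id, keeping `timeout: 20` as the upper bound — which returns as soon as the alert lands, provided the rule id is passed to the playbook as an extra var (the hunk shows it receiving only `event_description` and `command`). A one-line comment on why the wait went from 5 to 20 would also help whoever tunes it next.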
diff --git a/tests/end_to_end/test_docker_monitoring/data/test_cases/cases_docker_monitoring.yaml b/tests/end_to_end/test_docker_monitoring/data/test_cases/cases_docker_monitoring.yaml index 0b67665273..441cc5242b 100644 --- a/tests/end_to_end/test_docker_monitoring/data/test_cases/cases_docker_monitoring.yaml +++ b/tests/end_to_end/test_docker_monitoring/data/test_cases/cases_docker_monitoring.yaml @@ -2,7 +2,7 @@ description: Test if an alert is generated when using the `pull` command. configuration_parameters: null metadata: - rule.id: '87932' + rule.id: 87932 rule.description: 'Docker: Image or repository nginx pulled' rule.level: 3 extra: @@ -15,7 +15,7 @@ description: Test if an alert is generated when using the `run` command. configuration_parameters: null metadata: - rule.id: '87903' + rule.id: 87903 rule.description: 'Docker: Container nginx_container started' rule.level: 3 extra: @@ -28,7 +28,7 @@ description: Test if an alert is generated when using the `exec` command. configuration_parameters: null metadata: - rule.id: '87908' + rule.id: 87908 rule.description: 'Docker: Started shell session in container nginx_container' rule.level: 5 extra: @@ -41,7 +41,7 @@ description: Test if an alert is generated when using the `stop` and `rm` commands. configuration_parameters: null metadata: - rule.id: '87902' + rule.id: 87902 rule.description: 'Docker: Container nginx_container destroyed' rule.level: 5 extra: diff --git a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py index 484827982a..1e517fd1fe 100644 --- a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py +++ b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py 
@@ -45,17 +45,17 @@ def test_docker_monitoring(configure_environment, metadata, get_dashboard_creden query = e2e.make_query([ { "term": { - "rule.id": rule_id + "rule.id": f"{rule_id}" } }, { "term": { - "rule.description": rule_description + "rule.description": f"{rule_description}" } }, { "term": { - "data.docker.Action": docker_action + "data.docker.Action": f"{docker_action}" } } ]) @@ -67,7 +67,7 @@ def test_docker_monitoring(configure_environment, metadata, get_dashboard_creden raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') # Wait a few seconds for the alert to be indexed (alert.json -> filebeat -> wazuh-indexer) - sleep(fw.T_10) + sleep(fw.T_5) # Get indexed alert response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) From 3167e57dc905451d529dad8c9ae10e7492d442a7 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Mon, 27 Jun 2022 12:07:02 -0300 Subject: [PATCH 132/552] add(configuration): comments added to explain each action. #2935 --- .../data/playbooks/configuration.yaml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/tests/end_to_end/test_docker_monitoring/data/playbooks/configuration.yaml b/tests/end_to_end/test_docker_monitoring/data/playbooks/configuration.yaml index a2355b0a40..7d3eef4f7e 100644 --- a/tests/end_to_end/test_docker_monitoring/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_docker_monitoring/data/playbooks/configuration.yaml 
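Review bot: Halving the fixed `sleep(fw.T_10)` to `sleep(fw.T_5)` before a single `get_alert_indexer_api` call makes the "not indexed" outcome depend on indexer latency on the day; the comment above it already says the path is alert.json → filebeat → wazuh-indexer, which has no fixed bound. A bounded poll that queries the indexer every second up to `fw.T_10` and stops at the first hit is faster on a good day and more tolerant on a bad one; the same fixed sleep is in `test_shellshock_attack_detection.py` (patch 138) and `test_detecting_suspicious_binaries.py` (patch 139). The sketch below assumes `fw.T_10` is an integer number of seconds and that the search response carries the usual `hits.hits` list — both to be confirmed. The enclosing `test_docker_monitoring` starts outside the hunk.
```python
# … unchanged: query construction and alerts.json check …
# Poll the indexer instead of sleeping a fixed time: the alert.json -> filebeat -> wazuh-indexer
# path has no fixed latency, so stop as soon as the document is searchable.
response = None
for _ in range(fw.T_10):
    response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials)
    if response.json().get('hits', {}).get('hits'):
        break
    sleep(1)
indexed_alert = json.dumps(response.json())
# … unchanged: expected-content check and timestamp comparison …
```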
@@ -7,14 +7,18 @@ command: systemctl status docker --no-pager register: docker_check when: ansible_facts['distribution'] == "CentOS" + # Ignore non-zero return codes for use in subsequent checks ignore_errors: true - name: Install Docker using the convenience script shell: curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh - register: installation + # If the return code is 0 means that Docker is already installed and running + # If the return code is 3 means that Docker is installed but not running when: (docker_check.rc != 0 and docker_check.rc != 3) - - name: Stop docker to avoid errors and start it + - name: Stop Docker to avoid errors and start it + # Sometimes the service fails when running any command even if it is running + # The solution is to stop Docker and then start it again. shell: | systemctl stop docker systemctl stop docker.socket From 6cf630d445793f9c5c3abc8afc1c9f24d1554647 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Mon, 27 Jun 2022 12:28:28 -0300 Subject: [PATCH 133/552] add(configuration): comments to explain each action added. #2887 --- .../data/playbooks/configuration.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tests/end_to_end/test_osquery_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_osquery_integration/data/playbooks/configuration.yaml index 6cfa240d2d..f294228a6c 100644 --- a/tests/end_to_end/test_osquery_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_osquery_integration/data/playbooks/configuration.yaml @@ -7,6 +7,7 @@ command: systemctl status osqueryd --no-pager register: osquery_check when: ansible_facts['distribution'] == "CentOS" + # Ignore non-zero return codes for use in subsequent checks ignore_errors: true - name: Install Osquery on CentOS 
@@ -14,6 +15,8 @@ curl -LO https://pkg.osquery.io/rpm/osquery-4.5.1-1.linux.x86_64.rpm rpm -ivh ./osquery-4.5.1-1.linux.x86_64.rpm register: installation + # If the return code is 0, it means that Osquery is already installed and running. + # If the return code is 3, it means that Osquery is installed but not running. when: (ansible_facts['distribution'] == "CentOS" and osquery_check.rc != 0 and osquery_check.rc != 3) - name: Configure Osquery @@ -24,6 +27,7 @@ group: root mode: '0644' backup: true + # If the installation return code is 0, it means that the installation was successful. when: (osquery_check.rc == 3 or osquery_check.rc == 0 or installation.rc == 0) - name: Configure the Osquery module @@ -52,6 +56,7 @@ command: rpm -q stress register: stress_check when: ansible_facts['distribution'] == "CentOS" + # Ignore non-zero return codes for use in subsequent checks (installation) ignore_errors: true - name: Install stress From 59b3d37fdf9484332517775d195c380eb137602a Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Mon, 27 Jun 2022 13:03:49 -0300 Subject: [PATCH 134/552] refac(configuration): comments to explain each action added. #2888 --- .../data/playbooks/configuration.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tests/end_to_end/test_shellshock_attack_detection/data/playbooks/configuration.yaml b/tests/end_to_end/test_shellshock_attack_detection/data/playbooks/configuration.yaml index ba3b63d5e5..77cc2238d7 100644 --- a/tests/end_to_end/test_shellshock_attack_detection/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_shellshock_attack_detection/data/playbooks/configuration.yaml 
@@ -7,16 +7,20 @@ shell: systemctl status firewalld --no-pager register: firewall_check when: ansible_facts['distribution'] == "CentOS" + # Ignore non-zero return codes for use in subsequent checks ignore_errors: true - name: Stop Firewalld if it's installed and active shell: systemctl stop firewalld + # If the return code is 0, it means that firewalld is running, it is necessary to stop it to allow + # the shellshock attack. when: (ansible_facts['distribution'] == "CentOS" and firewall_check.rc == 0) - name: Check if Apache is installed or not on CentOS shell: systemctl status httpd --no-pager register: apache_check when: ansible_facts['distribution'] == "CentOS" + # Ignore non-zero return codes for use in subsequent checks (Apache installation) ignore_errors: true - name: Install Apache Server on CentOS @@ -24,6 +28,8 @@ yum update httpd -y yum install httpd -y register: installation + # If the return code is 0, it means that Apache is running. + # If the return code is 3, it means that Apache is installed but not running. when: (ansible_facts['distribution'] == "CentOS" and apache_check.rc != 0 and apache_check.rc != 3) - name: Configure a localfile instance to collect the logs from Apache @@ -39,6 +45,8 @@ - name: Start Apache shell: systemctl start httpd + # If the return code is 3, it means that Apache is not running. + # If Apache has been recently installed, it is necessary to start it when: (apache_check.rc == 3 or installation is succeeded) - name: Restart the manager From 484e6016181d2288be201d4d6a4476f72ca7cbe1 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Tue, 28 Jun 2022 10:54:22 -0300 Subject: [PATCH 135/552] refac(ansible-tasks): the order of the tasks was changed. #2888 --- .../data/playbooks/configuration.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/tests/end_to_end/test_shellshock_attack_detection/data/playbooks/configuration.yaml b/tests/end_to_end/test_shellshock_attack_detection/data/playbooks/configuration.yaml index 77cc2238d7..76ef15b54c 100644 --- a/tests/end_to_end/test_shellshock_attack_detection/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_shellshock_attack_detection/data/playbooks/configuration.yaml @@ -43,11 +43,11 @@ /var/log/httpd/access_log + - name: Restart the manager + shell: systemctl restart wazuh-manager + - name: Start Apache shell: systemctl start httpd # If the return code is 3, it means that Apache is not running. # If Apache has been recently installed, it is necessary to start it when: (apache_check.rc == 3 or installation is succeeded) - - - name: Restart the manager - shell: systemctl restart wazuh-manager From c5b751f480d18ab81ef619c7036bc9ab378b3436 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Tue, 28 Jun 2022 16:28:21 -0300 Subject: [PATCH 136/552] refac: suggested changes applied. #2935 Ansible tasks reordered and refactored. Fixture documentation fixed. delete_index_api function refactored. --- .../wazuh_testing/end_to_end/__init__.py | 30 +++++++++------ tests/end_to_end/conftest.py | 2 +- .../data/playbooks/configuration.yaml | 38 +++++++++++-------- 3 files changed, 42 insertions(+), 28 deletions(-) diff --git a/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py b/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py index 823e892589..8d8808bf80 100644 --- a/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py +++ b/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py @@ -1,6 +1,7 @@ # Copyright (C) 2015-2022, Wazuh Inc. # Created by Wazuh, Inc. . # This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 +from http import HTTPStatus import requests 
@@ -24,8 +25,8 @@ def get_alert_indexer_api(query, credentials, ip_address='wazuh-manager', index= response = requests.get(url=url, params={'pretty': 'true'}, json=query, verify=False, auth=requests.auth.HTTPBasicAuth(credentials['user'], credentials['password'])) - if response.status_code != 200: - raise Exception(f"The response is not the expected. Actual response {response.status_code}") + assert response.status_code == HTTPStatus.OK, 'The document(s) have not been obtained successfully.'\ + f"Actual response {response.status_code}" return response @@ -42,15 +43,22 @@ def delete_index_api(credentials, ip_address='wazuh-manager', index='wazuh-alert Returns: obj(class): `Response ` object - """ - url = f"https://{ip_address}:9200/{index}" - - response = requests.delete(url=url, params={'pretty': 'true'}, verify=False, - auth=requests.auth.HTTPBasicAuth(credentials['user'], credentials['password'])) - - if response.status_code != 200: - raise Exception(f"The response is not the expected. Actual response {response.status_code}") - + obj(class): `NoneType` object + """ + get_indices_route = f"_cat/indices/{index}" + url = f"https://{ip_address}:9200/" + authorization = requests.auth.HTTPBasicAuth(credentials['user'], credentials['password']) + + response = requests.get(url=url+get_indices_route, params={'pretty': 'true'}, verify=False, auth=authorization) + assert response.status_code == HTTPStatus.OK, 'The index(es) have not been obtained successfully.' \ + f"Actual response {response.status_code}" + + if response.text == '': + return None + + response = requests.delete(url=url+index, params={'pretty': 'true'}, verify=False, auth=authorization) + assert response.status_code == HTTPStatus.OK, 'The index(es) have not been deleted successfully.' \ + f"Actual response {response.status_code}" return response diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index d23450533c..f4a122258a 100644 --- a/tests/end_to_end/conftest.py 
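Review bot: Replacing `raise Exception(...)` with `assert response.status_code == HTTPStatus.OK, ...` in `get_alert_indexer_api` (and twice in `delete_index_api` in the next hunk) moves the check into library code where `python -O` strips it, and a failed assertion reads as a bug in the helper rather than an indexer error; `if response.status_code != HTTPStatus.OK: raise RuntimeError(f"The document(s) have not been obtained successfully. Actual response {response.status_code}")` keeps the behaviour under any interpreter flag and lets callers catch it. In `delete_index_api` the early `return None` for an empty `_cat/indices/{index}` body is only reached after the 200 check, so if the indexer answers 404 for an unknown index the function still fails on a fresh deployment, which presumably is what the refactor meant to handle; treating `HTTPStatus.NOT_FOUND` there as "nothing to delete" would cover it. Both requests keep `verify=False`; pointing `verify` at the indexer's CA bundle would remove the need for the `InsecureRequestWarning` filters in the tests. Both functions start outside the hunks.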
+++ b/tests/end_to_end/conftest.py @@ -15,7 +15,7 @@ @pytest.fixture(scope='function') def clean_environment(get_dashboard_credentials): - """Delete alerts and delete indices using the API. + """Remove the temporary file that contains the alerts and delete indices using the API. Args: credentials(dict): wazuh-indexer credentials. diff --git a/tests/end_to_end/test_docker_monitoring/data/playbooks/configuration.yaml b/tests/end_to_end/test_docker_monitoring/data/playbooks/configuration.yaml index 7d3eef4f7e..1db8bcd16d 100644 --- a/tests/end_to_end/test_docker_monitoring/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_docker_monitoring/data/playbooks/configuration.yaml @@ -3,6 +3,28 @@ become: true tasks: + - name: Configure the docker-listener module + blockinfile: + path: /var/ossec/etc/ossec.conf + insertbefore: ^ + block: | + + 10m + 5 + yes + no + + marker: + + - name: Restart wazuh-manager + systemd: + state: restarted + name: wazuh-manager + + - name: Force systemd to reread configs + systemd: + daemon_reload: yes + - name: Check if Docker is installed or not on CentOS command: systemctl status docker --no-pager register: docker_check @@ -23,19 +45,3 @@ systemctl stop docker systemctl stop docker.socket systemctl start docker - - - name: Configure the docker-listener module - blockinfile: - path: /var/ossec/etc/ossec.conf - insertbefore: ^ - block: | - - 10m - 5 - yes - no - - marker: - - - name: Restart wazuh-manager - shell: systemctl restart wazuh-manager From 010c9f5af10700f0f4060b31a88bcd43b03ccc02 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Tue, 28 Jun 2022 16:34:13 -0300 Subject: [PATCH 137/552] fix(test-case): test description fixed and comment added. #2935 --- .../data/test_cases/cases_docker_monitoring.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
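Review bot: `Force systemd to reread configs` (`daemon_reload: yes`) now runs right after `Restart wazuh-manager` and before anything has touched a unit file, so it reloads nothing useful; if it is meant to pick up the Docker units installed by the convenience script further down, it belongs after that install task, otherwise it can go. The `blockinfile` task's `marker:` looks empty in this view (the XML block content also appears stripped, so this may be extraction); if it really is empty, every run appends the docker-listener block again, because `blockinfile` needs a `{mark}` marker to find its previous insertion. A comment like `# Configured first so the manager is already listening before the Docker events are generated` would record why the configuration moved to the top, assuming that is the reason.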
diff --git a/tests/end_to_end/test_docker_monitoring/data/test_cases/cases_docker_monitoring.yaml b/tests/end_to_end/test_docker_monitoring/data/test_cases/cases_docker_monitoring.yaml index 441cc5242b..ca573ecc1b 100644 --- a/tests/end_to_end/test_docker_monitoring/data/test_cases/cases_docker_monitoring.yaml +++ b/tests/end_to_end/test_docker_monitoring/data/test_cases/cases_docker_monitoring.yaml @@ -37,8 +37,9 @@ event_description: Run 'docker exec -d nginx_container /bin/bash' command: docker exec -d nginx_container /bin/bash -- name: docker_stop_rm - description: Test if an alert is generated when using the `stop` and `rm` commands. +- name: docker_rm + # Two commands are executed, but only the `destroy` action is tested. + description: Test if an alert is generated when using the `rm` command. configuration_parameters: null metadata: rule.id: 87902 From a99e552bdc0bd25b423d54c15c2f963bf4ac2c4a Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Tue, 28 Jun 2022 16:55:22 -0300 Subject: [PATCH 138/552] fix: some fixes applied. #2935 --- .../data/playbooks/configuration.yaml | 34 +++++++++++-------- .../data/playbooks/generate_events.yaml | 2 +- .../test_shellshock_attack_detection.py | 2 +- 3 files changed, 21 insertions(+), 17 deletions(-) diff --git a/tests/end_to_end/test_shellshock_attack_detection/data/playbooks/configuration.yaml b/tests/end_to_end/test_shellshock_attack_detection/data/playbooks/configuration.yaml index 76ef15b54c..a49b02da38 100644 --- a/tests/end_to_end/test_shellshock_attack_detection/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_shellshock_attack_detection/data/playbooks/configuration.yaml 
@@ -3,6 +3,22 @@ become: true tasks: + - name: Configure a localfile instance to collect the logs from Apache + blockinfile: + path: /var/ossec/etc/ossec.conf + marker: + insertbefore: ^ + block: | + + apache + /var/log/httpd/access_log + + + - name: Restart wazuh-manager + systemd: + state: restarted + name: wazuh-manager + - name: Check if Firewalld is installed on CentOS shell: systemctl status firewalld --no-pager register: firewall_check @@ -32,22 +48,10 @@ # If the return code is 3, it means that Apache is installed but not running. when: (ansible_facts['distribution'] == "CentOS" and apache_check.rc != 0 and apache_check.rc != 3) - - name: Configure a localfile instance to collect the logs from Apache - blockinfile: - path: /var/ossec/etc/ossec.conf - marker: - insertbefore: ^ - block: | - - apache - /var/log/httpd/access_log - - - - name: Restart the manager - shell: systemctl restart wazuh-manager - - name: Start Apache - shell: systemctl start httpd + systemd: + state: started + name: httpd # If the return code is 3, it means that Apache is not running. # If Apache has been recently installed, it is necessary to start it when: (apache_check.rc == 3 or installation is succeeded) diff --git a/tests/end_to_end/test_shellshock_attack_detection/data/playbooks/generate_events.yaml b/tests/end_to_end/test_shellshock_attack_detection/data/playbooks/generate_events.yaml index 3f09567044..94388a6066 100644 --- a/tests/end_to_end/test_shellshock_attack_detection/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_shellshock_attack_detection/data/playbooks/generate_events.yaml @@ -11,7 +11,7 @@ - name: Wait for alerts to be generated wait_for: - timeout: 5 + timeout: 10 - name: Get alerts.json fetch: diff --git a/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py b/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py index d059f6c86b..711dba988c 100644 
--- a/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py +++ b/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py @@ -57,7 +57,7 @@ def test_shellshock_attack_detection(configure_environment, metadata, get_dashbo raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') # Wait a few seconds for the alert to be indexed (alert.json -> filebeat -> wazuh-indexer) - sleep(fw.T_10) + sleep(fw.T_5) # Get indexed alert response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) From 32ce9a26f29e52ea001e0ec34aa9dd6e44460ca5 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Wed, 29 Jun 2022 11:48:53 -0300 Subject: [PATCH 139/552] add(test)!: test to check if the detection of suspicious binaries works as expected. #3035 --- .../data/configuration/trojan_script.sh | 5 ++ .../data/playbooks/configuration.yaml | 15 ++++ .../data/playbooks/generate_events.yaml | 22 +++++ .../cases_detecting_suspicious_binaries.yaml | 10 +++ .../test_detecting_suspicious_binaries.py | 90 +++++++++++++++++++ 5 files changed, 142 insertions(+) create mode 100644 tests/end_to_end/test_detecting_suspicious_binaries/data/configuration/trojan_script.sh create mode 100644 tests/end_to_end/test_detecting_suspicious_binaries/data/playbooks/configuration.yaml create mode 100644 tests/end_to_end/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml create mode 100644 tests/end_to_end/test_detecting_suspicious_binaries/data/test_cases/cases_detecting_suspicious_binaries.yaml create mode 100644 tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py diff --git a/tests/end_to_end/test_detecting_suspicious_binaries/data/configuration/trojan_script.sh b/tests/end_to_end/test_detecting_suspicious_binaries/data/configuration/trojan_script.sh new file mode 100644 index 0000000000..34b1cc9792 --- /dev/null 
+++ b/tests/end_to_end/test_detecting_suspicious_binaries/data/configuration/trojan_script.sh @@ -0,0 +1,5 @@ +#!/bin/bash +echo "`date` this is evil" > /tmp/trojan_created_file +echo 'test for /usr/bin/w trojaned file' >> /tmp/trojan_created_file +#Now running original binary +/usr/bin/w.copy diff --git a/tests/end_to_end/test_detecting_suspicious_binaries/data/playbooks/configuration.yaml b/tests/end_to_end/test_detecting_suspicious_binaries/data/playbooks/configuration.yaml new file mode 100644 index 0000000000..170f6aa358 --- /dev/null +++ b/tests/end_to_end/test_detecting_suspicious_binaries/data/playbooks/configuration.yaml @@ -0,0 +1,15 @@ +- name: Configure environment + hosts: wazuh-manager + tasks: + + - name: Create a copy of the system binary + copy: + src: /usr/bin/w + dest: /usr/bin/w.copy + mode: preserve + remote_src: true + + - name: Replace the content of the system binary with the trojan script + copy: + src: "{{ trojan_script_path }}" + dest: /usr/bin/w diff --git a/tests/end_to_end/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml b/tests/end_to_end/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml new file mode 100644 index 0000000000..ede64103d2 --- /dev/null +++ b/tests/end_to_end/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml @@ -0,0 +1,22 @@ +- name: Generate events + hosts: wazuh-manager + become: true + tasks: + + - name: Truncate alerts file + shell: echo "" > /var/ossec/logs/alerts/alerts.json + + - name: Restart manager to run the rootcheck scan + systemd: + state: restarted + name: wazuh-manager + + - name: Wait for alerts to be generated + wait_for: + timeout: 10 + + - name: Get alerts.json + fetch: + src: /var/ossec/logs/alerts/alerts.json + dest: /tmp/ + flat: true 
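Review bot: `Replace the content of the system binary with the trojan script` overwrites `/usr/bin/w` on the manager and nothing in this commit restores it: `generate_events.yaml` only truncates and fetches alerts, and the `clean_environment` fixture (per its docstring in patch 136) removes the alerts file and indices. A final task in the events playbook, or a teardown, that copies `/usr/bin/w.copy` back over `/usr/bin/w` (`remote_src: true`, `mode: preserve`) and removes the copy keeps the shared test host intact for whatever runs next. The replacing `copy` also sets no `mode`, so the file takes the controller-side script's permissions rather than the original binary's (`mode: preserve` is only on the backup), and neither task has `become: true` although it writes to `/usr/bin` — presumably the connection user is root, but `generate_events.yaml` in the same commit sets `become: true` explicitly while this playbook does not.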
diff --git a/tests/end_to_end/test_detecting_suspicious_binaries/data/test_cases/cases_detecting_suspicious_binaries.yaml b/tests/end_to_end/test_detecting_suspicious_binaries/data/test_cases/cases_detecting_suspicious_binaries.yaml new file mode 100644 index 0000000000..7055552b5f --- /dev/null +++ b/tests/end_to_end/test_detecting_suspicious_binaries/data/test_cases/cases_detecting_suspicious_binaries.yaml @@ -0,0 +1,10 @@ +- name: detect_trojaned_file + description: Test the detection of a trojaned file + configuration_parameters: null + metadata: + rule.id: 510 + rule.description: Host-based anomaly detection event (rootcheck). + rule.level: 7 + extra: + data.title: Trojaned version of file detected. + data.file: /bin/w diff --git a/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py b/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py new file mode 100644 index 0000000000..0cb498d9dd --- /dev/null +++ b/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py 
@@ -0,0 +1,90 @@ +import os +import json +import re +import pytest +from datetime import datetime +from tempfile import gettempdir +from time import sleep + +import wazuh_testing as fw +from wazuh_testing.tools.time import parse_date_time_format +from wazuh_testing import end_to_end as e2e +from wazuh_testing import event_monitor as evm +from wazuh_testing.tools import configuration as config + +# Test cases data +test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') +test_cases_path = os.path.join(test_data_path, 'test_cases') +test_cases_file_path = os.path.join(test_cases_path, 'cases_detecting_suspicious_binaries.yaml') +trojan_script_path = os.path.join(test_data_path, 'configuration', 'trojan_script.sh') +alerts_json = os.path.join(gettempdir(), 'alerts.json') + +# Playbooks +configuration_playbooks = ['configuration.yaml'] +events_playbooks = ['generate_events.yaml'] +configuration_extra_vars = {'trojan_script_path': trojan_script_path} + +# Configuration +configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) + + +@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) +@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') +def test_detecting_suspicious_binaries(configure_environment, metadata, get_dashboard_credentials, generate_events, + clean_environment): + rule_description = metadata['rule.description'] + rule_id = metadata['rule.id'] + rule_level = metadata['rule.level'] + data_title = metadata['extra']['data.title'] + data_file = metadata['extra']['data.file'] + timestamp_regex = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+\+\d+' + + expected_alert_json = fr".+timestamp\":\"({timestamp_regex})\",.+level\":{rule_level}.+description\"" \ + fr":\"{re.escape(rule_description)}.+id.+{rule_id}.+title.+{data_title}.+" \ + fr"file.+{re.escape(data_file)}" + + expected_indexed_alert = 
fr".+file.+{re.escape(data_file)}.+title.+{data_title}.+level.+{rule_level}.+" \ + fr"description.+{re.escape(rule_description)}.+id.+{rule_id}.+"\ + fr"timestamp\": \"({timestamp_regex})\"" + + query = e2e.make_query([ + { + "term": { + "data.file": f"{data_file}" + } + }, + { + "term": { + "rule.id": f"{rule_id}" + } + }, + { + "term": { + "data.title": f"{data_title}" + } + } + ]) + + # Check that alert has been raised and save timestamp + raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + error_message='The alert has not occurred').result() + raised_alert_timestamp = raised_alert.group(1) + raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') + + # Wait a few seconds for the alert to be indexed (alert.json -> filebeat -> wazuh-indexer) + sleep(fw.T_5) + + # Get indexed alert + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + indexed_alert = json.dumps(response.json()) + + # Check that the alert data is the expected one + alert_data = re.search(expected_indexed_alert, indexed_alert) + assert alert_data is not None, 'Alert triggered, but not indexed' + + # Get indexed alert timestamp + indexed_alert_timestamp = alert_data.group(1) + indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), '%Y-%m-%d %H:%M:%S') + + # Check that alert has been indexed (checking that the timestamp is the expected one) + assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' From 03f92bf40f114ac3655f78227ad6c6d23bd22b84 Mon Sep 17 00:00:00 2001 
From: Belen Valdivia Date: Wed, 29 Jun 2022 22:40:57 -0300 Subject: [PATCH 140/552] add: tests first iteration --- .../active_response_sript/remove-threat.sh | 37 +++++++ .../data/playbooks/configuration.yaml | 51 +++++++++ .../data/playbooks/configuration_ar.yaml | 101 ++++++++++++++++++ .../data/playbooks/generate_events.yaml | 24 +++++ .../data/playbooks/generate_events_ar.yaml | 35 ++++++ .../data/test_cases/cases_virustotal.yaml | 26 +++++ .../test_virus_total_active_response.py | 79 ++++++++++++++ .../test_virustotal/test_virustotal.py | 74 +++++++++++++ 8 files changed, 427 insertions(+) create mode 100644 tests/end_to_end/test_virustotal/active_response_sript/remove-threat.sh create mode 100644 tests/end_to_end/test_virustotal/data/playbooks/configuration.yaml create mode 100644 tests/end_to_end/test_virustotal/data/playbooks/configuration_ar.yaml create mode 100644 tests/end_to_end/test_virustotal/data/playbooks/generate_events.yaml create mode 100644 tests/end_to_end/test_virustotal/data/playbooks/generate_events_ar.yaml create mode 100644 tests/end_to_end/test_virustotal/data/test_cases/cases_virustotal.yaml create mode 100644 tests/end_to_end/test_virustotal/test_virus_total_active_response.py create mode 100644 tests/end_to_end/test_virustotal/test_virustotal.py diff --git a/tests/end_to_end/test_virustotal/active_response_sript/remove-threat.sh b/tests/end_to_end/test_virustotal/active_response_sript/remove-threat.sh new file mode 100644 index 0000000000..7b94933d39 --- /dev/null +++ b/tests/end_to_end/test_virustotal/active_response_sript/remove-threat.sh 
@@ -0,0 +1,37 @@ + #!/bin/bash + + LOCAL=`dirname $0`; + cd $LOCAL + cd ../ + + PWD=`pwd` + + read INPUT_JSON + FILENAME=$(echo $INPUT_JSON | jq -r .parameters.alert.data.virustotal.source.file) + COMMAND=$(echo $INPUT_JSON | jq -r .command) + LOG_FILE="${PWD}/../logs/active-responses.log" + + #------------------------ Analyze command -------------------------# + if [ ${COMMAND} = "add" ] + then + # Send control message to execd + printf '{"version":1,"origin":{"name":"remove-threat","module":"active-response"},"command":"check_keys", "parameters":{"keys":[]}}\n' + + read RESPONSE + COMMAND2=$(echo $RESPONSE | jq -r .command) + if [ ${COMMAND2} != "continue" ] + then + echo "`date '+%Y/%m/%d %H:%M:%S'` $0: $INPUT_JSON Remove threat active response aborted" >> ${LOG_FILE} + exit 0; + fi + fi + + # Removing file + rm -f $FILENAME + if [ $? -eq 0 ]; then + echo "`date '+%Y/%m/%d %H:%M:%S'` $0: $INPUT_JSON Successfully removed threat" >> ${LOG_FILE} + else + echo "`date '+%Y/%m/%d %H:%M:%S'` $0: $INPUT_JSON Error removing threat" >> ${LOG_FILE} + fi + + exit 0; diff --git a/tests/end_to_end/test_virustotal/data/playbooks/configuration.yaml b/tests/end_to_end/test_virustotal/data/playbooks/configuration.yaml new file mode 100644 index 0000000000..9f33a2fc44 --- /dev/null +++ b/tests/end_to_end/test_virustotal/data/playbooks/configuration.yaml 
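Review bot: `rm -f $FILENAME` on the removal line is unquoted, so a path taken from the alert JSON containing spaces or glob characters is word-split and expanded before deletion; write `rm -f -- "$FILENAME"`, and likewise quote the comparisons `[ "${COMMAND}" = "add" ]` and `[ "${COMMAND2}" != "continue" ]`, which otherwise fail with a unary-operator error when `jq` yields an empty string. Every line of the file, including the shebang, appears to start with a space; a shebang that is not the first two bytes is not honoured by the kernel, so the script would run under whatever shell execd falls back to. `PWD=`pwd`` reassigns the shell's own `PWD` variable; a name such as `AR_HOME` avoids that. The identical copy added under `test_virustotal_active_response/data/active_response_script/` in the following patch has the same issues.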
@@ -0,0 +1,51 @@ +- name: Test manager configuration + hosts: wazuh-manager + become: true + tasks: + + - name: Configure Virustotal integration + blockinfile: + path: /var/ossec/etc/ossec.conf + insertafter: + block: | + + virustotal + 3a794171c57dbde000594062ce703e299c8812b76d4821f5577e42d3108be4a9 + syscheck + json + + marker: + + - name: Truncate alert.json + shell: echo "" > /var/ossec/logs/alerts/alerts.json + + - name: Restart the manager + shell: systemctl restart wazuh-manager + +- name: Test agent configuration + hosts: wazuh-agent + become: true + tasks: + + - name: Delete folder + command: rm -r /test + ignore_errors: true + + - name: Create folder + command: mkdir /test + ignore_errors: true + + - name: Configure syscheck + blockinfile: + path: /var/ossec/etc/ossec.conf + insertafter: + block: | + /test + marker: + + - name: Restart the agent + shell: systemctl restart wazuh-agent + + # - name: Wait until realtime is started + # wait_for: + # timeout: 5 diff --git a/tests/end_to_end/test_virustotal/data/playbooks/configuration_ar.yaml b/tests/end_to_end/test_virustotal/data/playbooks/configuration_ar.yaml new file mode 100644 index 0000000000..e6c3c9798b --- /dev/null +++ b/tests/end_to_end/test_virustotal/data/playbooks/configuration_ar.yaml 
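Review bot: The 64-hex-character VirusTotal API key under `virustotal` is committed in clear text inside the playbook, and the same literal is repeated in configuration_ar.yaml of this patch and in both configuration.yaml files of the following patch. A key that has reached the repository should be treated as exposed and rotated, and the playbooks should take it from a variable (`{{ virustotal_api_key }}`) supplied through `configuration_extra_vars` or an Ansible vault rather than embedding it. Separately, `command: rm -r /test` and `command: mkdir /test` with `ignore_errors: true` can be replaced by `file: path: /test, state: absent` followed by `state: directory`, which is idempotent and does not mask unrelated failures.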
@@ -0,0 +1,101 @@ +- name: Test manager configuration + hosts: wazuh-manager + become: true + tasks: + + - name: Configure Virustotal integration and active response + blockinfile: + path: /var/ossec/etc/ossec.conf + insertbefore: + block: | + + virustotal + 3a794171c57dbde000594062ce703e299c8812b76d4821f5577e42d3108be4a9 + 100200,100201 + json + + + remove-threat + remove-threat.sh + no + + + no + remove-threat + local + 87105 + + marker: + + - name: Configure local rules virus total integration + become: true + blockinfile: + path: /var/ossec/etc/rules/local_rules.xml + insertafter: + block: | + + + + 550 + /root + File modified in /root directory. + + + 554 + /root + File added to /root directory. + + + + + 657 + Successfully removed threat + $(parameters.program) removed threat located at $(parameters.alert.data.virustotal.source.file) + + + + 657 + Error removing threat + Error removing threat located at $(parameters.alert.data.virustotal.source.file) + + + marker: + + - name: Truncate alert.json + shell: echo "" > /var/ossec/logs/alerts/alerts.json + + - name: Restart the manager + shell: systemctl restart wazuh-manager + +- name: Test agent configuration + hosts: wazuh-agent + become: true + tasks: + + - name: Configure syscheck + blockinfile: + path: /var/ossec/etc/ossec.conf + insertafter: + block: | + /root + marker: + + - name: Add active response script + copy: + src: "{{ active_response_script }}" + dest: /var/ossec/active-response + + - name: Install jq (CentOS) + become: true + shell: yum install jq + when: ansible_facts['distribution'] == "CentOS" + + + - name: Change remove threat owner and permissions + become: true + shell: | + chmod 750 /var/ossec/active-response/bin/remove-threat.sh + chown root:ossec /var/ossec/active-response/bin/remove-threat.sh + + - name: Restart the agent + shell: systemctl restart wazuh-agent 
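Review bot: The `Add active response script` task copies the script to `/var/ossec/active-response`, which is a directory, so the file lands as `/var/ossec/active-response/remove-threat.sh`, while the following `chmod`/`chown` task and the active-response command expect it under `/var/ossec/active-response/bin/`; `dest` should be `/var/ossec/active-response/bin/remove-threat.sh`. `shell: yum install jq` has no `-y`, so in a non-interactive run yum prompts, reads EOF and aborts without installing; `yum: name: jq, state: present` with the same `when` is the idiomatic form, and the ownership task can likewise be `file: path: ..., owner: root, group: ossec, mode: '0750'`. Both problems are present again in the test_virustotal_active_response copy of configuration.yaml in the following patch.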
diff --git a/tests/end_to_end/test_virustotal/data/playbooks/generate_events.yaml b/tests/end_to_end/test_virustotal/data/playbooks/generate_events.yaml new file mode 100644 index 0000000000..686e26cd0e --- /dev/null +++ b/tests/end_to_end/test_virustotal/data/playbooks/generate_events.yaml @@ -0,0 +1,24 @@ +- name: Generate events + hosts: wazuh-agent + tasks: + + - name: "{{ event_description }}" + become: true + copy: + dest: "{{ path }}" + content: "{{ content }}" + + - name: Wait for alert + wait_for: + timeout: 5 + +- name: Get logs + hosts: wazuh-manager + tasks: + + - name: Get alerts.json + fetch: + src: /var/ossec/logs/alerts/alerts.json + dest: /tmp/ + flat: true + become: true diff --git a/tests/end_to_end/test_virustotal/data/playbooks/generate_events_ar.yaml b/tests/end_to_end/test_virustotal/data/playbooks/generate_events_ar.yaml new file mode 100644 index 0000000000..c0cb28e0dc --- /dev/null +++ b/tests/end_to_end/test_virustotal/data/playbooks/generate_events_ar.yaml @@ -0,0 +1,35 @@ +- name: Generate events + hosts: wazuh-agent + tasks: + + # - name: Delete folder + # become: true + # command: rm -r /test + # ignore_errors: true + + # - name: "{{ event_description }}" + # become: true + # command: "{{ command }}" + # ignore_errors: true + + - name: "{{ event_description }}" + become: true + shell: "{{ shell }}" + # shell: | + # cd /root + # curl -LO http://www.eicar.org/download/eicar.com + + - name: Wait for alert + wait_for: + timeout: 5 + +- name: Get logs + hosts: wazuh-manager + tasks: + + - name: Get alerts.json + fetch: + src: /var/ossec/logs/alerts/alerts.json + dest: /tmp/ + flat: true + become: true diff --git a/tests/end_to_end/test_virustotal/data/test_cases/cases_virustotal.yaml b/tests/end_to_end/test_virustotal/data/test_cases/cases_virustotal.yaml new file mode 100644 index 0000000000..929e01510f --- /dev/null +++ b/tests/end_to_end/test_virustotal/data/test_cases/cases_virustotal.yaml 
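Review bot: generate_events_ar.yaml carries two commented-out tasks and a commented-out alternative `shell:` body; commented-out tasks in a playbook are never exercised and should be removed, since the cases file already selects the command through `{{ shell }}`. `wait_for: timeout: 5` in both generate_events playbooks is a fixed sleep in front of the alerts fetch and will produce flaky failures whenever alert latency exceeds it; a `wait_for` on the manager with `path` and `search_regex` against the alerts file would wait only as long as needed. The same commented-out blocks reappear in the test_virustotal_active_response generate_events.yaml of the following patch.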
@@ -0,0 +1,26 @@ +# - name: Scan file linux +# description: Scanning a file and check generated alerts +# configuration_parameters: null +# metadata: +# extra_vars: +# event_description: Create a file into the monitored folder +# path: /test/virus_total.txt +# content: | +# test_virus_total +# rule.id: 87103 +# rule.level: 3 +# rule.description: "VirusTotal: Alert - No records in VirusTotal database" + +- name: Remove malicious file + description: Detecting and removing malware + configuration_parameters: null + metadata: + extra_vars: + event_description: Run malicious file + shell: | + cd /root + curl -LO http://www.eicar.org/download/eicar.com + rule.id: 100092 + rule.level: 12 + rule.description: "active-response\/bin\/remove-threat.sh removed threat located at \/root\/eicar.com " + program: "active-response\/bin\/remove-threat.sh" diff --git a/tests/end_to_end/test_virustotal/test_virus_total_active_response.py b/tests/end_to_end/test_virustotal/test_virus_total_active_response.py new file mode 100644 index 0000000000..77ac3ab14e --- /dev/null +++ b/tests/end_to_end/test_virustotal/test_virus_total_active_response.py 
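Review bot: `rule.description` is both YAML-escaped (`\/`, which a double-quoted YAML scalar already reads as a plain `/`) and terminated by a trailing space, and the test files feed it straight into a regular expression, so the escaping adds nothing and the trailing space makes the match depend on exact whitespace in the generated alert. Keep the plain text, `active-response/bin/remove-threat.sh removed threat located at /root/eicar.com`, and let the test `re.escape` it. The commented-out `Scan file linux` case at the top should be restored or deleted rather than left in the data file. The `curl -LO http://www.eicar.org/download/eicar.com` step makes the case depend on an external host over plain HTTP; placing the test file from the test data with `copy: content:`, as the FIM variant does, removes that dependency.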
@@ -0,0 +1,79 @@ +import os +import json +import re +import pytest +from datetime import datetime +from tempfile import gettempdir +from time import sleep + +from wazuh_testing.tools.time import parse_date_time_format +from wazuh_testing import end_to_end as e2e +from wazuh_testing import event_monitor as evm +from wazuh_testing.tools import configuration as config + + +alerts_json = os.path.join(gettempdir(), 'alerts.json') +test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') +test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_virustotal.yaml') +configuration_playbooks = ['configuration_ar.yaml'] +remove_threat_file_path = os.path.join(test_data_path, 'active_response_script', 'remove-threat.sh') +configuration_extra_vars = {'configuration_file': remove_threat_file_path} +events_playbooks = ['generate_events_ar.yaml'] +wait_indexed_alert = 5 + +configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) + + +@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') +@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) +def test_virustotal(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_environment): + """ + Test to delete a malicious file detected by virustotal + """ + + rule_id = metadata['rule.id'] + rule_level = metadata['rule.level'] + rule_description = metadata['rule.description'] + program = metadata['program'] + + expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{rule_level},' \ + fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' + + expected_indexed_alert = fr'.*"program": "{program}".*"rule":.*"level": {rule_level},.*"description": "{rule_description} "' \ + r'.*"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' + + print(expected_alert_json) + print(expected_indexed_alert) + + query = e2e.make_query([ + + { + "term": { 
+ "rule.id": f"{rule_id}" + } + } + ]) + + # Check that alert has been raised and save timestamp + raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + error_message='The alert has not occurred').result() + raised_alert_timestamp = raised_alert.group(1) + raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') + + # Wait a few seconds for the alert to be indexed (alert.json -> filebeat -> wazuh-indexer) + sleep(wait_indexed_alert) + + # Get indexed alert + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + indexed_alert = json.dumps(response.json()) + print(indexed_alert) + # Check that the alert data is the expected one + alert_data = re.search(expected_indexed_alert, indexed_alert) + assert alert_data is not None, 'Alert triggered, but not indexed' + + # Get indexed alert timestamp + indexed_alert_timestamp = alert_data.group(1) + indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), '%Y-%m-%d %H:%M:%S') + + # Check that alert has been indexed (checking that the timestamp is the expected one) + assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' diff --git a/tests/end_to_end/test_virustotal/test_virustotal.py b/tests/end_to_end/test_virustotal/test_virustotal.py new file mode 100644 index 0000000000..60cf1bf967 --- /dev/null +++ b/tests/end_to_end/test_virustotal/test_virustotal.py 
@@ -0,0 +1,74 @@ +import os +import json +import re +import pytest +from datetime import datetime +from tempfile import gettempdir +from time import sleep + +from wazuh_testing.tools.time import parse_date_time_format +from wazuh_testing import end_to_end as e2e +from wazuh_testing import event_monitor as evm +from wazuh_testing.tools import configuration as config + + +alerts_json = os.path.join(gettempdir(), 'alerts.json') +test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') +test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_virustotal.yaml') +configuration_playbooks = ['configuration.yaml'] +events_playbooks = ['generate_events.yaml'] +wait_indexed_alert = 5 + +configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) + + +@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') +@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) +def test_virustotal(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_environment): + """ + Test to detect a scanning virus total + """ + # rule_id = metadata['rule.id'] + # rule_level = metadata['rule.level'] + # rule_description = metadata['rule.description'] + + # expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{rule_level},' \ + # fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' + + # expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \ + # r'.*"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' + + # print(expected_indexed_alert) + + # query = e2e.make_query([ + + # { + # "term": { + # "rule.id": f"{rule_id}" + # } + # } + # ]) + + # # Check that alert has been raised and save timestamp + # raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + # error_message='The alert has not occurred').result() + # 
raised_alert_timestamp = raised_alert.group(1) + # raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') + + # # Wait a few seconds for the alert to be indexed (alert.json -> filebeat -> wazuh-indexer) + # sleep(wait_indexed_alert) + + # # Get indexed alert + # response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + # indexed_alert = json.dumps(response.json()) + # print(indexed_alert) + # # Check that the alert data is the expected one + # alert_data = re.search(expected_indexed_alert, indexed_alert) + # assert alert_data is not None, 'Alert triggered, but not indexed' + + # # Get indexed alert timestamp + # indexed_alert_timestamp = alert_data.group(1) + # indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), '%Y-%m-%d %H:%M:%S') + + # # Check that alert has been indexed (checking that the timestamp is the expected one) + # assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' From eb886dec33790589420f808f22710d0b6ee578f1 Mon Sep 17 00:00:00 2001 
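Review bot: The entire body of `test_virustotal` is commented out, so the test passes without asserting anything and shows green in CI while presumably still running the configuration and events playbooks through the module-level `configuration_playbooks`/`events_playbooks`. Until the assertions are enabled, mark it `@pytest.mark.skip(reason='FIM VirusTotal case not implemented yet')` so the gap is visible, and when restoring the body delete the commented copy instead of keeping both.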
From: Belen Valdivia Date: Thu, 30 Jun 2022 12:07:51 -0300 Subject: [PATCH 141/552] add: Tests virus total second iteration --- .../active_response_script/remove-threat.sh | 37 +++++++ .../data/playbooks/configuration.yaml | 103 ++++++++++++++++++ .../data/playbooks/generate_events.yaml | 32 ++++++ .../data/test_cases/cases_virustotal.yaml | 13 +++ .../test_virustotal_active_response.py | 79 ++++++++++++++ .../data/playbooks/configuration.yaml | 51 +++++++++ .../data/playbooks/generate_events.yaml | 24 ++++ .../data/test_cases/cases_virustotal.yaml | 12 ++ .../test_virustotal_fim.py | 74 +++++++++++++ 9 files changed, 425 insertions(+) create mode 100644 tests/end_to_end/test_virustotal/test_virustotal_active_response/data/active_response_script/remove-threat.sh create mode 100644 tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/configuration.yaml create mode 100644 tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/generate_events.yaml create mode 100644 tests/end_to_end/test_virustotal/test_virustotal_active_response/data/test_cases/cases_virustotal.yaml create mode 100644 tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py create mode 100644 tests/end_to_end/test_virustotal/test_virustotal_fim/data/playbooks/configuration.yaml create mode 100644 tests/end_to_end/test_virustotal/test_virustotal_fim/data/playbooks/generate_events.yaml create mode 100644 tests/end_to_end/test_virustotal/test_virustotal_fim/data/test_cases/cases_virustotal.yaml create mode 100644 tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py diff --git a/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/active_response_script/remove-threat.sh b/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/active_response_script/remove-threat.sh new file mode 100644 index 0000000000..7b94933d39 --- /dev/null 
+++ b/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/active_response_script/remove-threat.sh @@ -0,0 +1,37 @@ + #!/bin/bash + + LOCAL=`dirname $0`; + cd $LOCAL + cd ../ + + PWD=`pwd` + + read INPUT_JSON + FILENAME=$(echo $INPUT_JSON | jq -r .parameters.alert.data.virustotal.source.file) + COMMAND=$(echo $INPUT_JSON | jq -r .command) + LOG_FILE="${PWD}/../logs/active-responses.log" + + #------------------------ Analyze command -------------------------# + if [ ${COMMAND} = "add" ] + then + # Send control message to execd + printf '{"version":1,"origin":{"name":"remove-threat","module":"active-response"},"command":"check_keys", "parameters":{"keys":[]}}\n' + + read RESPONSE + COMMAND2=$(echo $RESPONSE | jq -r .command) + if [ ${COMMAND2} != "continue" ] + then + echo "`date '+%Y/%m/%d %H:%M:%S'` $0: $INPUT_JSON Remove threat active response aborted" >> ${LOG_FILE} + exit 0; + fi + fi + + # Removing file + rm -f $FILENAME + if [ $? -eq 0 ]; then + echo "`date '+%Y/%m/%d %H:%M:%S'` $0: $INPUT_JSON Successfully removed threat" >> ${LOG_FILE} + else + echo "`date '+%Y/%m/%d %H:%M:%S'` $0: $INPUT_JSON Error removing threat" >> ${LOG_FILE} + fi + + exit 0; diff --git a/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/configuration.yaml b/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/configuration.yaml new file mode 100644 index 0000000000..16fc975957 --- /dev/null +++ b/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/configuration.yaml 
@@ -0,0 +1,103 @@ +- name: Test manager configuration + hosts: wazuh-manager + become: true + tasks: + + - name: Configure Virustotal integration and active response + blockinfile: + path: /var/ossec/etc/ossec.conf + insertbefore: + block: | + + virustotal + 3a794171c57dbde000594062ce703e299c8812b76d4821f5577e42d3108be4a9 + 100200,100201 + json + + + remove-threat + remove-threat.sh + no + + + no + remove-threat + local + 87105 + + marker: + + - name: Configure local rules virus total integration + become: true + blockinfile: + path: /var/ossec/etc/rules/local_rules.xml + insertafter: + block: | + + + + 550 + /root + File modified in /root directory. + + + 554 + /root + File added to /root directory. + + + + + 657 + Successfully removed threat + $(parameters.program) removed threat located at $(parameters.alert.data.virustotal.source.file) + + + + 657 + Error removing threat + Error removing threat located at $(parameters.alert.data.virustotal.source.file) + + + marker: + + - name: Truncate alert.json + shell: echo "" > /var/ossec/logs/alerts/alerts.json + + - name: Restart the manager + shell: systemctl restart wazuh-manager + +- name: Test agent configuration + hosts: wazuh-agent + become: true + tasks: + + - name: Configure syscheck + blockinfile: + path: /var/ossec/etc/ossec.conf + insertafter: + block: | + /root + marker: + + - name: Add active response script + become: true + copy: + src: "{{ active_response_script }}" + dest: /var/ossec/active-response + + + - name: Install jq (CentOS) + become: true + shell: yum install jq + when: ansible_facts['distribution'] == "CentOS" + + + - name: Change remove threat owner and permissions + become: true + shell: | + chmod 750 /var/ossec/active-response/bin/remove-threat.sh + chown root:ossec /var/ossec/active-response/bin/remove-threat.sh + + - name: Restart the agent + shell: systemctl restart wazuh-agent 
diff --git a/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/generate_events.yaml b/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/generate_events.yaml new file mode 100644 index 0000000000..451af3904b --- /dev/null +++ b/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/generate_events.yaml @@ -0,0 +1,32 @@ +- name: Generate events + hosts: wazuh-agent + tasks: + + # - name: Delete folder + # become: true + # command: rm -r /test + # ignore_errors: true + + # - name: "{{ event_description }}" + # become: true + # command: "{{ command }}" + # ignore_errors: true + + - name: "{{ event_description }}" + become: true + shell: "{{ shell }}" + + - name: Wait for alert + wait_for: + timeout: 5 + +- name: Get logs + hosts: wazuh-manager + tasks: + + - name: Get alerts.json + fetch: + src: /var/ossec/logs/alerts/alerts.json + dest: /tmp/ + flat: true + become: true diff --git a/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/test_cases/cases_virustotal.yaml b/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/test_cases/cases_virustotal.yaml new file mode 100644 index 0000000000..c0a5330942 --- /dev/null +++ b/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/test_cases/cases_virustotal.yaml @@ -0,0 +1,13 @@ +- name: Remove malicious file + description: Detecting and removing malware + configuration_parameters: null + metadata: + extra_vars: + event_description: Run malicious file + shell: | + cd /root + curl -LO http://www.eicar.org/download/eicar.com + rule.id: 100092 + rule.level: 12 + rule.description: "active-response\/bin\/remove-threat.sh removed threat located at \/root\/eicar.com " + program: "active-response\/bin\/remove-threat.sh" 
diff --git a/tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py b/tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py new file mode 100644 index 0000000000..528a6d08d8 --- /dev/null +++ b/tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py 
@@ -0,0 +1,79 @@ +import os +import json +import re +import pytest +from datetime import datetime +from tempfile import gettempdir +from time import sleep + +from wazuh_testing.tools.time import parse_date_time_format +from wazuh_testing import end_to_end as e2e +from wazuh_testing import event_monitor as evm +from wazuh_testing.tools import configuration as config + + +alerts_json = os.path.join(gettempdir(), 'alerts.json') +test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') +test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_virustotal.yaml') +configuration_playbooks = ['configuration.yaml'] +remove_threat_file_path = os.path.join(test_data_path, 'active_response_script', 'remove-threat.sh') +configuration_extra_vars = {'active_response_script': remove_threat_file_path} +events_playbooks = ['generate_events.yaml'] +wait_indexed_alert = 5 + +configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) + + +@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') +@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) +def test_virustotal(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_environment): + """ + Test to delete a malicious file detected by virustotal + """ + + rule_id = metadata['rule.id'] + rule_level = metadata['rule.level'] + rule_description = metadata['rule.description'] + program = metadata['program'] + + expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{rule_level},' \ + fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' + + expected_indexed_alert = fr'.*"program": "{program}".*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \ + r'.*"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' + + print(expected_alert_json) + print(expected_indexed_alert) + + query = e2e.make_query([ + + { + "term": { + 
"rule.id": f"{rule_id}" + } + } + ]) + + # Check that alert has been raised and save timestamp + raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + error_message='The alert has not occurred').result() + raised_alert_timestamp = raised_alert.group(1) + raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') + + # Wait a few seconds for the alert to be indexed (alert.json -> filebeat -> wazuh-indexer) + sleep(wait_indexed_alert) + + # Get indexed alert + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + indexed_alert = json.dumps(response.json()) + print(indexed_alert) + # Check that the alert data is the expected one + alert_data = re.search(expected_indexed_alert, indexed_alert) + assert alert_data is not None, 'Alert triggered, but not indexed' + + # Get indexed alert timestamp + indexed_alert_timestamp = alert_data.group(1) + indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), '%Y-%m-%d %H:%M:%S') + + # Check that alert has been indexed (checking that the timestamp is the expected one) + assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' diff --git a/tests/end_to_end/test_virustotal/test_virustotal_fim/data/playbooks/configuration.yaml b/tests/end_to_end/test_virustotal/test_virustotal_fim/data/playbooks/configuration.yaml new file mode 100644 index 0000000000..9f33a2fc44 --- /dev/null +++ b/tests/end_to_end/test_virustotal/test_virustotal_fim/data/playbooks/configuration.yaml 
@@ -0,0 +1,51 @@ +- name: Test manager configuration + hosts: wazuh-manager + become: true + tasks: + + - name: Configure Virustotal integration + blockinfile: + path: /var/ossec/etc/ossec.conf + insertafter: + block: | + + virustotal + 3a794171c57dbde000594062ce703e299c8812b76d4821f5577e42d3108be4a9 + syscheck + json + + marker: + + - name: Truncate alert.json + shell: echo "" > /var/ossec/logs/alerts/alerts.json + + - name: Restart the manager + shell: systemctl restart wazuh-manager + +- name: Test agent configuration + hosts: wazuh-agent + become: true + tasks: + + - name: Delete folder + command: rm -r /test + ignore_errors: true + + - name: Create folder + command: mkdir /test + ignore_errors: true + + - name: Configure syscheck + blockinfile: + path: /var/ossec/etc/ossec.conf + insertafter: + block: | + /test + marker: + + - name: Restart the agent + shell: systemctl restart wazuh-agent + + # - name: Wait until realtime is started + # wait_for: + # timeout: 5 diff --git a/tests/end_to_end/test_virustotal/test_virustotal_fim/data/playbooks/generate_events.yaml b/tests/end_to_end/test_virustotal/test_virustotal_fim/data/playbooks/generate_events.yaml new file mode 100644 index 0000000000..686e26cd0e --- /dev/null +++ b/tests/end_to_end/test_virustotal/test_virustotal_fim/data/playbooks/generate_events.yaml @@ -0,0 +1,24 @@ +- name: Generate events + hosts: wazuh-agent + tasks: + + - name: "{{ event_description }}" + become: true + copy: + dest: "{{ path }}" + content: "{{ content }}" + + - name: Wait for alert + wait_for: + timeout: 5 + +- name: Get logs + hosts: wazuh-manager + tasks: + + - name: Get alerts.json + fetch: + src: /var/ossec/logs/alerts/alerts.json + dest: /tmp/ + flat: true + become: true diff --git a/tests/end_to_end/test_virustotal/test_virustotal_fim/data/test_cases/cases_virustotal.yaml b/tests/end_to_end/test_virustotal/test_virustotal_fim/data/test_cases/cases_virustotal.yaml new file mode 100644 index 0000000000..322e0d2a95 --- /dev/null 
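Review bot: The configuration.yaml hunk embeds a VirusTotal API key as a literal (the 64-hex value inside the integration block), which commits a live credential to the repository and to every clone of its history. The key should be supplied at run time as an extra var or environment variable (`{{ virustotal_key }}` in the block, with the value kept outside version control), and the committed value treated as exposed and rotated. The `Truncate alert.json` task uses `shell: echo "" > ...`; `copy` with `content: ''` expresses the same intent without a shell. Likewise `command: rm -r /test` with `ignore_errors: true` continues silently on any failure, not just absence; `file` with `state: absent` is idempotent and fails only on a real error.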
+++ b/tests/end_to_end/test_virustotal/test_virustotal_fim/data/test_cases/cases_virustotal.yaml @@ -0,0 +1,12 @@ +- name: Scan file linux + description: Scanning a file and check generated alerts + configuration_parameters: null + metadata: + extra_vars: + event_description: Create a file into the monitored folder + path: /test/virus_total.txt + content: | + test_virus_total + rule.id: 87103 + rule.level: 3 + rule.description: "VirusTotal: Alert - No records in VirusTotal database" diff --git a/tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py b/tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py new file mode 100644 index 0000000000..c140f4475b --- /dev/null +++ b/tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py 
@@ -0,0 +1,74 @@ +import os +import json +import re +import pytest +from datetime import datetime +from tempfile import gettempdir +from time import sleep + +from wazuh_testing.tools.time import parse_date_time_format +from wazuh_testing import end_to_end as e2e +from wazuh_testing import event_monitor as evm +from wazuh_testing.tools import configuration as config + + +alerts_json = os.path.join(gettempdir(), 'alerts.json') +test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') +test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_virustotal.yaml') +configuration_playbooks = ['configuration.yaml'] +events_playbooks = ['generate_events.yaml'] +wait_indexed_alert = 5 + +configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) + + +@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') +@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) +def test_virustotal(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_environment): + """ + Test to scanning a file using FIM and then do a request to virustotal to check if it is malicious + """ + rule_id = metadata['rule.id'] + rule_level = metadata['rule.level'] + rule_description = metadata['rule.description'] + + expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{rule_level},' \ + fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' + + expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \ + r'.*"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' + + print(expected_indexed_alert) + + query = e2e.make_query([ + + { + "term": { + "rule.id": f"{rule_id}" + } + } + ]) + + # Check that alert has been raised and save timestamp + raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + error_message='The alert has not 
occurred').result() + raised_alert_timestamp = raised_alert.group(1) + raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') + + # Wait a few seconds for the alert to be indexed (alert.json -> filebeat -> wazuh-indexer) + sleep(wait_indexed_alert) + + # Get indexed alert + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + indexed_alert = json.dumps(response.json()) + print(indexed_alert) + # Check that the alert data is the expected one + alert_data = re.search(expected_indexed_alert, indexed_alert) + assert alert_data is not None, 'Alert triggered, but not indexed' + + # Get indexed alert timestamp + indexed_alert_timestamp = alert_data.group(1) + indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), '%Y-%m-%d %H:%M:%S') + + # Check that alert has been indexed (checking that the timestamp is the expected one) + assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' From 64e22b45664f1435b290862ba790fabfc490494a Mon Sep 17 00:00:00 2001 
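Review bot: The docstring `Test to scanning a file using FIM and then do a request to virustotal to check if it is malicious` is ungrammatical and does not state what the test asserts; `"""Create a file in a syscheck-monitored folder, then check that the VirusTotal alert appears in alerts.json and is indexed with the same timestamp."""` describes the contract the two assertions enforce. The module-level constants (`alerts_json`, `wait_indexed_alert`) would also benefit from a one-line comment each saying who consumes them, since they are picked up by fixtures rather than referenced here.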
From: Belen Valdivia Date: Thu, 30 Jun 2022 12:13:21 -0300 Subject: [PATCH 142/552] rm: deleted old tests structure --- .../active_response_sript/remove-threat.sh | 37 ------- .../data/playbooks/configuration.yaml | 51 --------- .../data/playbooks/configuration_ar.yaml | 101 ------------------ .../data/playbooks/generate_events.yaml | 24 ----- .../data/playbooks/generate_events_ar.yaml | 35 ------ .../data/test_cases/cases_virustotal.yaml | 26 ----- .../test_virus_total_active_response.py | 79 -------------- .../test_virustotal/test_virustotal.py | 74 ------------- 8 files changed, 427 deletions(-) delete mode 100644 tests/end_to_end/test_virustotal/active_response_sript/remove-threat.sh delete mode 100644 tests/end_to_end/test_virustotal/data/playbooks/configuration.yaml delete mode 100644 tests/end_to_end/test_virustotal/data/playbooks/configuration_ar.yaml delete mode 100644 tests/end_to_end/test_virustotal/data/playbooks/generate_events.yaml delete mode 100644 tests/end_to_end/test_virustotal/data/playbooks/generate_events_ar.yaml delete mode 100644 tests/end_to_end/test_virustotal/data/test_cases/cases_virustotal.yaml delete mode 100644 tests/end_to_end/test_virustotal/test_virus_total_active_response.py delete mode 100644 tests/end_to_end/test_virustotal/test_virustotal.py diff --git a/tests/end_to_end/test_virustotal/active_response_sript/remove-threat.sh b/tests/end_to_end/test_virustotal/active_response_sript/remove-threat.sh deleted file mode 100644 index 7b94933d39..0000000000 --- a/tests/end_to_end/test_virustotal/active_response_sript/remove-threat.sh +++ /dev/null 
@@ -1,37 +0,0 @@ - #!/bin/bash - - LOCAL=`dirname $0`; - cd $LOCAL - cd ../ - - PWD=`pwd` - - read INPUT_JSON - FILENAME=$(echo $INPUT_JSON | jq -r .parameters.alert.data.virustotal.source.file) - COMMAND=$(echo $INPUT_JSON | jq -r .command) - LOG_FILE="${PWD}/../logs/active-responses.log" - - #------------------------ Analyze command -------------------------# - if [ ${COMMAND} = "add" ] - then - # Send control message to execd - printf '{"version":1,"origin":{"name":"remove-threat","module":"active-response"},"command":"check_keys", "parameters":{"keys":[]}}\n' - - read RESPONSE - COMMAND2=$(echo $RESPONSE | jq -r .command) - if [ ${COMMAND2} != "continue" ] - then - echo "`date '+%Y/%m/%d %H:%M:%S'` $0: $INPUT_JSON Remove threat active response aborted" >> ${LOG_FILE} - exit 0; - fi - fi - - # Removing file - rm -f $FILENAME - if [ $? -eq 0 ]; then - echo "`date '+%Y/%m/%d %H:%M:%S'` $0: $INPUT_JSON Successfully removed threat" >> ${LOG_FILE} - else - echo "`date '+%Y/%m/%d %H:%M:%S'` $0: $INPUT_JSON Error removing threat" >> ${LOG_FILE} - fi - - exit 0; diff --git a/tests/end_to_end/test_virustotal/data/playbooks/configuration.yaml b/tests/end_to_end/test_virustotal/data/playbooks/configuration.yaml deleted file mode 100644 index 9f33a2fc44..0000000000 --- a/tests/end_to_end/test_virustotal/data/playbooks/configuration.yaml +++ /dev/null 
@@ -1,51 +0,0 @@ -- name: Test manager configuration - hosts: wazuh-manager - become: true - tasks: - - - name: Configure Virustotal integration - blockinfile: - path: /var/ossec/etc/ossec.conf - insertafter: - block: | - - virustotal - 3a794171c57dbde000594062ce703e299c8812b76d4821f5577e42d3108be4a9 - syscheck - json - - marker: - - - name: Truncate alert.json - shell: echo "" > /var/ossec/logs/alerts/alerts.json - - - name: Restart the manager - shell: systemctl restart wazuh-manager - -- name: Test agent configuration - hosts: wazuh-agent - become: true - tasks: - - - name: Delete folder - command: rm -r /test - ignore_errors: true - - - name: Create folder - command: mkdir /test - ignore_errors: true - - - name: Configure syscheck - blockinfile: - path: /var/ossec/etc/ossec.conf - insertafter: - block: | - /test - marker: - - - name: Restart the agent - shell: systemctl restart wazuh-agent - - # - name: Wait until realtime is started - # wait_for: - # timeout: 5 diff --git a/tests/end_to_end/test_virustotal/data/playbooks/configuration_ar.yaml b/tests/end_to_end/test_virustotal/data/playbooks/configuration_ar.yaml deleted file mode 100644 index e6c3c9798b..0000000000 --- a/tests/end_to_end/test_virustotal/data/playbooks/configuration_ar.yaml +++ /dev/null 
@@ -1,101 +0,0 @@ -- name: Test manager configuration - hosts: wazuh-manager - become: true - tasks: - - - name: Configure Virustotal integration and active response - blockinfile: - path: /var/ossec/etc/ossec.conf - insertbefore: - block: | - - virustotal - 3a794171c57dbde000594062ce703e299c8812b76d4821f5577e42d3108be4a9 - 100200,100201 - json - - - remove-threat - remove-threat.sh - no - - - no - remove-threat - local - 87105 - - marker: - - - name: Configure local rules virus total integration - become: true - blockinfile: - path: /var/ossec/etc/rules/local_rules.xml - insertafter: - block: | - - - - 550 - /root - File modified in /root directory. - - - 554 - /root - File added to /root directory. - - - - - 657 - Successfully removed threat - $(parameters.program) removed threat located at $(parameters.alert.data.virustotal.source.file) - - - - 657 - Error removing threat - Error removing threat located at $(parameters.alert.data.virustotal.source.file) - - - marker: - - - name: Truncate alert.json - shell: echo "" > /var/ossec/logs/alerts/alerts.json - - - name: Restart the manager - shell: systemctl restart wazuh-manager - -- name: Test agent configuration - hosts: wazuh-agent - become: true - tasks: - - - name: Configure syscheck - blockinfile: - path: /var/ossec/etc/ossec.conf - insertafter: - block: | - /root - marker: - - - name: Add active response script - copy: - src: "{{ active_response_script }}" - dest: /var/ossec/active-response - - - name: Install jq (CentOS) - become: true - shell: yum install jq - when: ansible_facts['distribution'] == "CentOS" - - - - name: Change remove threat owner and permissions - become: true - shell: | - chmod 750 /var/ossec/active-response/bin/remove-threat.sh - chown root:ossec /var/ossec/active-response/bin/remove-threat.sh - - - name: Restart the agent - shell: systemctl restart wazuh-agent 
diff --git a/tests/end_to_end/test_virustotal/data/playbooks/generate_events.yaml b/tests/end_to_end/test_virustotal/data/playbooks/generate_events.yaml deleted file mode 100644 index 686e26cd0e..0000000000 --- a/tests/end_to_end/test_virustotal/data/playbooks/generate_events.yaml +++ /dev/null @@ -1,24 +0,0 @@ -- name: Generate events - hosts: wazuh-agent - tasks: - - - name: "{{ event_description }}" - become: true - copy: - dest: "{{ path }}" - content: "{{ content }}" - - - name: Wait for alert - wait_for: - timeout: 5 - -- name: Get logs - hosts: wazuh-manager - tasks: - - - name: Get alerts.json - fetch: - src: /var/ossec/logs/alerts/alerts.json - dest: /tmp/ - flat: true - become: true diff --git a/tests/end_to_end/test_virustotal/data/playbooks/generate_events_ar.yaml b/tests/end_to_end/test_virustotal/data/playbooks/generate_events_ar.yaml deleted file mode 100644 index c0cb28e0dc..0000000000 --- a/tests/end_to_end/test_virustotal/data/playbooks/generate_events_ar.yaml +++ /dev/null @@ -1,35 +0,0 @@ -- name: Generate events - hosts: wazuh-agent - tasks: - - # - name: Delete folder - # become: true - # command: rm -r /test - # ignore_errors: true - - # - name: "{{ event_description }}" - # become: true - # command: "{{ command }}" - # ignore_errors: true - - - name: "{{ event_description }}" - become: true - shell: "{{ shell }}" - # shell: | - # cd /root - # curl -LO http://www.eicar.org/download/eicar.com - - - name: Wait for alert - wait_for: - timeout: 5 - -- name: Get logs - hosts: wazuh-manager - tasks: - - - name: Get alerts.json - fetch: - src: /var/ossec/logs/alerts/alerts.json - dest: /tmp/ - flat: true - become: true diff --git a/tests/end_to_end/test_virustotal/data/test_cases/cases_virustotal.yaml b/tests/end_to_end/test_virustotal/data/test_cases/cases_virustotal.yaml deleted file mode 100644 index 929e01510f..0000000000 --- a/tests/end_to_end/test_virustotal/data/test_cases/cases_virustotal.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -# - name: Scan file linux -# description: Scanning a file and check generated alerts -# configuration_parameters: null -# metadata: -# extra_vars: -# event_description: Create a file into the monitored folder -# path: /test/virus_total.txt -# content: | -# test_virus_total -# rule.id: 87103 -# rule.level: 3 -# rule.description: "VirusTotal: Alert - No records in VirusTotal database" - -- name: Remove malicious file - description: Detecting and removing malware - configuration_parameters: null - metadata: - extra_vars: - event_description: Run malicious file - shell: | - cd /root - curl -LO http://www.eicar.org/download/eicar.com - rule.id: 100092 - rule.level: 12 - rule.description: "active-response\/bin\/remove-threat.sh removed threat located at \/root\/eicar.com " - program: "active-response\/bin\/remove-threat.sh" diff --git a/tests/end_to_end/test_virustotal/test_virus_total_active_response.py b/tests/end_to_end/test_virustotal/test_virus_total_active_response.py deleted file mode 100644 index 77ac3ab14e..0000000000 --- a/tests/end_to_end/test_virustotal/test_virus_total_active_response.py +++ /dev/null 
@@ -1,79 +0,0 @@ -import os -import json -import re -import pytest -from datetime import datetime -from tempfile import gettempdir -from time import sleep - -from wazuh_testing.tools.time import parse_date_time_format -from wazuh_testing import end_to_end as e2e -from wazuh_testing import event_monitor as evm -from wazuh_testing.tools import configuration as config - - -alerts_json = os.path.join(gettempdir(), 'alerts.json') -test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') -test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_virustotal.yaml') -configuration_playbooks = ['configuration_ar.yaml'] -remove_threat_file_path = os.path.join(test_data_path, 'active_response_script', 'remove-threat.sh') -configuration_extra_vars = {'configuration_file': remove_threat_file_path} -events_playbooks = ['generate_events_ar.yaml'] -wait_indexed_alert = 5 - -configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) - - -@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_virustotal(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_environment): - """ - Test to delete a malicious file detected by virustotal - """ - - rule_id = metadata['rule.id'] - rule_level = metadata['rule.level'] - rule_description = metadata['rule.description'] - program = metadata['program'] - - expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{rule_level},' \ - fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' - - expected_indexed_alert = fr'.*"program": "{program}".*"rule":.*"level": {rule_level},.*"description": "{rule_description} "' \ - r'.*"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' - - print(expected_alert_json) - print(expected_indexed_alert) - - query = e2e.make_query([ - - { - "term": { 
- "rule.id": f"{rule_id}" - } - } - ]) - - # Check that alert has been raised and save timestamp - raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - error_message='The alert has not occurred').result() - raised_alert_timestamp = raised_alert.group(1) - raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') - - # Wait a few seconds for the alert to be indexed (alert.json -> filebeat -> wazuh-indexer) - sleep(wait_indexed_alert) - - # Get indexed alert - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) - indexed_alert = json.dumps(response.json()) - print(indexed_alert) - # Check that the alert data is the expected one - alert_data = re.search(expected_indexed_alert, indexed_alert) - assert alert_data is not None, 'Alert triggered, but not indexed' - - # Get indexed alert timestamp - indexed_alert_timestamp = alert_data.group(1) - indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), '%Y-%m-%d %H:%M:%S') - - # Check that alert has been indexed (checking that the timestamp is the expected one) - assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' diff --git a/tests/end_to_end/test_virustotal/test_virustotal.py b/tests/end_to_end/test_virustotal/test_virustotal.py deleted file mode 100644 index 60cf1bf967..0000000000 --- a/tests/end_to_end/test_virustotal/test_virustotal.py +++ /dev/null 
@@ -1,74 +0,0 @@ -import os -import json -import re -import pytest -from datetime import datetime -from tempfile import gettempdir -from time import sleep - -from wazuh_testing.tools.time import parse_date_time_format -from wazuh_testing import end_to_end as e2e -from wazuh_testing import event_monitor as evm -from wazuh_testing.tools import configuration as config - - -alerts_json = os.path.join(gettempdir(), 'alerts.json') -test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') -test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_virustotal.yaml') -configuration_playbooks = ['configuration.yaml'] -events_playbooks = ['generate_events.yaml'] -wait_indexed_alert = 5 - -configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) - - -@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_virustotal(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_environment): - """ - Test to detect a scanning virus total - """ - # rule_id = metadata['rule.id'] - # rule_level = metadata['rule.level'] - # rule_description = metadata['rule.description'] - - # expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{rule_level},' \ - # fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' - - # expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \ - # r'.*"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' - - # print(expected_indexed_alert) - - # query = e2e.make_query([ - - # { - # "term": { - # "rule.id": f"{rule_id}" - # } - # } - # ]) - - # # Check that alert has been raised and save timestamp - # raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - # error_message='The alert has not occurred').result() - # 
raised_alert_timestamp = raised_alert.group(1) - # raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') - - # # Wait a few seconds for the alert to be indexed (alert.json -> filebeat -> wazuh-indexer) - # sleep(wait_indexed_alert) - - # # Get indexed alert - # response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) - # indexed_alert = json.dumps(response.json()) - # print(indexed_alert) - # # Check that the alert data is the expected one - # alert_data = re.search(expected_indexed_alert, indexed_alert) - # assert alert_data is not None, 'Alert triggered, but not indexed' - - # # Get indexed alert timestamp - # indexed_alert_timestamp = alert_data.group(1) - # indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), '%Y-%m-%d %H:%M:%S') - - # # Check that alert has been indexed (checking that the timestamp is the expected one) - # assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' From dbb69357c0416cb1c24b0acc68f25a8a16d981de Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Mon, 4 Jul 2022 16:36:39 -0300 Subject: [PATCH 143/552] add: virustotal key as a parameter in configs --- .../test_virustotal/data/configuration/virustotal_key | 1 + .../data/playbooks/configuration.yaml | 2 +- .../data/playbooks/generate_events.yaml | 10 ---------- .../test_virustotal_active_response.py | 11 ++++++----- .../data/playbooks/configuration.yaml | 5 +---- .../test_virustotal_fim/test_virustotal_fim.py | 9 ++++++--- 6 files changed, 15 insertions(+), 23 deletions(-) create mode 100644 tests/end_to_end/test_virustotal/data/configuration/virustotal_key diff --git a/tests/end_to_end/test_virustotal/data/configuration/virustotal_key b/tests/end_to_end/test_virustotal/data/configuration/virustotal_key new file mode 100644 index 0000000000..431e2428e6 --- /dev/null 
+++ b/tests/end_to_end/test_virustotal/data/configuration/virustotal_key @@ -0,0 +1 @@ +3e4db70c621cd9dd9e3400254297eea03215987facca9931a42dcb86ffb8aa78 \ No newline at end of file diff --git a/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/configuration.yaml b/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/configuration.yaml index 16fc975957..0baa36c4e0 100644 --- a/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/configuration.yaml @@ -10,7 +10,7 @@ block: | virustotal - 3a794171c57dbde000594062ce703e299c8812b76d4821f5577e42d3108be4a9 + {{ virustotal_key }} 100200,100201 json diff --git a/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/generate_events.yaml b/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/generate_events.yaml index 451af3904b..b2da1fc4d2 100644 --- a/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/generate_events.yaml @@ -2,16 +2,6 @@ hosts: wazuh-agent tasks: - # - name: Delete folder - # become: true - # command: rm -r /test - # ignore_errors: true - - # - name: "{{ event_description }}" - # become: true - # command: "{{ command }}" - # ignore_errors: true - - name: "{{ event_description }}" become: true shell: "{{ shell }}" diff --git a/tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py b/tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py index 528a6d08d8..56ede618d2 100644 --- a/tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py 
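Review bot: The new `virustotal_key` file checks the actual API key into the repository, so replacing the literal with `{{ virustotal_key }}` in the two configuration.yaml hunks moves the secret between tracked files rather than out of version control, and the earlier literal remains in history. The key should be read from an environment variable or CI secret, the file path added to .gitignore, and both committed values treated as exposed and rotated. The file deliberately ends without a newline; any trailing byte would otherwise be rendered verbatim into ossec.conf, so whatever reads this file should strip it rather than rely on the file's exact bytes.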
+++ b/tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py @@ -7,6 +7,7 @@ from time import sleep from wazuh_testing.tools.time import parse_date_time_format +from wazuh_testing.tools import file from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config @@ -14,10 +15,13 @@ alerts_json = os.path.join(gettempdir(), 'alerts.json') test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') +test_general_configuration_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), '..', 'data') test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_virustotal.yaml') configuration_playbooks = ['configuration.yaml'] remove_threat_file_path = os.path.join(test_data_path, 'active_response_script', 'remove-threat.sh') -configuration_extra_vars = {'active_response_script': remove_threat_file_path} +virustotal_key_path = os.path.join(test_general_configuration_path, 'configuration', 'virustotal_key') +data_virustotal_key = file.read_file(virustotal_key_path) +configuration_extra_vars = {'active_response_script': remove_threat_file_path, 'virustotal_key': data_virustotal_key} events_playbooks = ['generate_events.yaml'] wait_indexed_alert = 5 @@ -42,9 +46,6 @@ def test_virustotal(configure_environment, metadata, get_dashboard_credentials, expected_indexed_alert = fr'.*"program": "{program}".*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \ r'.*"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' - print(expected_alert_json) - print(expected_indexed_alert) - query = e2e.make_query([ { 
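Review bot: `data_virustotal_key = file.read_file(virustotal_key_path)` runs at import time and passes the file contents verbatim as an extra var, so a trailing newline or whitespace in the key file (the committed copy relies on having none) would end up inside the rendered ossec.conf; `data_virustotal_key = file.read_file(virustotal_key_path).strip()` removes that dependency, assuming read_file returns a str. A missing key file raises during collection of the whole module instead of producing a clear failure; checking `os.path.exists(virustotal_key_path)` and calling `pytest.skip(..., allow_module_level=True)` would make the failure mode explicit. The same applies to the matching hunk in test_virustotal_fim.py below.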
@@ -66,7 +67,7 @@ def test_virustotal(configure_environment, metadata, get_dashboard_credentials, # Get indexed alert response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) indexed_alert = json.dumps(response.json()) - print(indexed_alert) + # Check that the alert data is the expected one alert_data = re.search(expected_indexed_alert, indexed_alert) assert alert_data is not None, 'Alert triggered, but not indexed' diff --git a/tests/end_to_end/test_virustotal/test_virustotal_fim/data/playbooks/configuration.yaml b/tests/end_to_end/test_virustotal/test_virustotal_fim/data/playbooks/configuration.yaml index 9f33a2fc44..bce197834c 100644 --- a/tests/end_to_end/test_virustotal/test_virustotal_fim/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_virustotal/test_virustotal_fim/data/playbooks/configuration.yaml @@ -10,7 +10,7 @@ block: | virustotal - 3a794171c57dbde000594062ce703e299c8812b76d4821f5577e42d3108be4a9 + {{ virustotal_key }} syscheck json @@ -46,6 +46,3 @@ - name: Restart the agent shell: systemctl restart wazuh-agent - # - name: Wait until realtime is started - # wait_for: - # timeout: 5 diff --git a/tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py b/tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py index c140f4475b..177c4c64f1 100644 --- a/tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py +++ b/tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py @@ -7,6 +7,7 @@ from time import sleep from wazuh_testing.tools.time import parse_date_time_format +from wazuh_testing.tools import file from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config 
@@ -14,8 +15,12 @@ alerts_json = os.path.join(gettempdir(), 'alerts.json') test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') +test_general_configuration_path= os.path.join(os.path.dirname(os.path.realpath(__file__)), '..', 'data') test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_virustotal.yaml') configuration_playbooks = ['configuration.yaml'] +virustotal_key_path = os.path.join(test_general_configuration_path, 'configuration', 'virustotal_key') +data_virustotal_key = file.read_file(virustotal_key_path) +configuration_extra_vars = {'virustotal_key': data_virustotal_key} events_playbooks = ['generate_events.yaml'] wait_indexed_alert = 5 @@ -38,8 +43,6 @@ def test_virustotal(configure_environment, metadata, get_dashboard_credentials, expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \ r'.*"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' - print(expected_indexed_alert) - query = e2e.make_query([ { @@ -61,7 +64,7 @@ def test_virustotal(configure_environment, metadata, get_dashboard_credentials, # Get indexed alert response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) indexed_alert = json.dumps(response.json()) - print(indexed_alert) + # Check that the alert data is the expected one alert_data = re.search(expected_indexed_alert, indexed_alert) assert alert_data is not None, 'Alert triggered, but not indexed' From 68f8a9c3f70558e593a7d7245e04397d5ba0751a Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Mon, 4 Jul 2022 18:33:18 -0300 Subject: [PATCH 144/552] fix: linter errors --- .../data/playbooks/configuration.yaml | 6 ++---- .../test_virustotal_active_response.py | 3 ++- .../test_virustotal_fim/data/playbooks/configuration.yaml | 1 - .../data/test_cases/cases_virustotal.yaml | 2 +- 4 files changed, 5 insertions(+), 7 deletions(-) 
diff --git a/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/configuration.yaml b/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/configuration.yaml index 0baa36c4e0..b59cf59a83 100644 --- a/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/configuration.yaml @@ -86,18 +86,16 @@ src: "{{ active_response_script }}" dest: /var/ossec/active-response - - name: Install jq (CentOS) become: true shell: yum install jq when: ansible_facts['distribution'] == "CentOS" - - name: Change remove threat owner and permissions become: true shell: | - chmod 750 /var/ossec/active-response/bin/remove-threat.sh - chown root:ossec /var/ossec/active-response/bin/remove-threat.sh + chmod 750 /var/ossec/active-response/bin/remove-threat.sh + chown root:ossec /var/ossec/active-response/bin/remove-threat.sh - name: Restart the agent shell: systemctl restart wazuh-agent diff --git a/tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py b/tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py index 56ede618d2..9c2482aeaa 100644 --- a/tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py +++ b/tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py 
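Review bot: `shell: yum install jq` has no `-y`, so on a CentOS host without assumeyes it will most likely wait for confirmation and abort when stdin is not a terminal; the `yum` (or `package`) module with `name: jq` and `state: present` handles this and is idempotent. The chmod/chown task targets `/var/ossec/active-response/bin/remove-threat.sh` while the preceding copy task's `dest` is `/var/ossec/active-response`; if that path is an existing directory the script lands directly in it and the permission task fails on a missing file, so `dest: /var/ossec/active-response/bin/remove-threat.sh` plus the `file` module with `owner: root`, `group: ossec`, `mode: '0750'` would replace both shell lines. These lines are context in this hunk, which only re-indents and removes blanks, so the fix belongs in a follow-up.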
@@ -43,7 +43,8 @@ def test_virustotal(configure_environment, metadata, get_dashboard_credentials, expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{rule_level},' \ fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' - expected_indexed_alert = fr'.*"program": "{program}".*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \ + expected_indexed_alert = fr'.*"program": "{program}".*"rule":.*"level": {rule_level},' \ + fr'.*"description": "{rule_description}"' \ r'.*"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' query = e2e.make_query([ diff --git a/tests/end_to_end/test_virustotal/test_virustotal_fim/data/playbooks/configuration.yaml b/tests/end_to_end/test_virustotal/test_virustotal_fim/data/playbooks/configuration.yaml index bce197834c..c5956e554c 100644 --- a/tests/end_to_end/test_virustotal/test_virustotal_fim/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_virustotal/test_virustotal_fim/data/playbooks/configuration.yaml @@ -45,4 +45,3 @@ - name: Restart the agent shell: systemctl restart wazuh-agent - diff --git a/tests/end_to_end/test_virustotal/test_virustotal_fim/data/test_cases/cases_virustotal.yaml b/tests/end_to_end/test_virustotal/test_virustotal_fim/data/test_cases/cases_virustotal.yaml index 322e0d2a95..ba05fec6ed 100644 --- a/tests/end_to_end/test_virustotal/test_virustotal_fim/data/test_cases/cases_virustotal.yaml +++ b/tests/end_to_end/test_virustotal/test_virustotal_fim/data/test_cases/cases_virustotal.yaml @@ -6,7 +6,7 @@ event_description: Create a file into the monitored folder path: /test/virus_total.txt content: | - test_virus_total + test_virus_total rule.id: 87103 rule.level: 3 rule.description: "VirusTotal: Alert - No records in VirusTotal database" From fe13fcd5214a8849103198291775e3a6ca685275 Mon Sep 17 00:00:00 2001 
From: Belen Valdivia Date: Mon, 4 Jul 2022 18:36:18 -0300 Subject: [PATCH 145/552] fix: linter whitespace error --- .../test_virustotal/test_virustotal_fim/test_virustotal_fim.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py b/tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py index 177c4c64f1..1013f04626 100644 --- a/tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py +++ b/tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py @@ -15,7 +15,7 @@ alerts_json = os.path.join(gettempdir(), 'alerts.json') test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') -test_general_configuration_path= os.path.join(os.path.dirname(os.path.realpath(__file__)), '..', 'data') +test_general_configuration_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), '..', 'data') test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_virustotal.yaml') configuration_playbooks = ['configuration.yaml'] virustotal_key_path = os.path.join(test_general_configuration_path, 'configuration', 'virustotal_key') From 19684053b8d730d6152d3dd800a0e6ebe2618dfc Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Mon, 4 Jul 2022 18:40:29 -0300 Subject: [PATCH 146/552] fix: linter error quotes --- .../data/test_cases/cases_virustotal.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/test_cases/cases_virustotal.yaml b/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/test_cases/cases_virustotal.yaml index c0a5330942..ced12b18e9 100644 --- a/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/test_cases/cases_virustotal.yaml +++ b/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/test_cases/cases_virustotal.yaml 
@@ -10,4 +10,4 @@ rule.id: 100092 rule.level: 12 rule.description: "active-response\/bin\/remove-threat.sh removed threat located at \/root\/eicar.com " - program: "active-response\/bin\/remove-threat.sh" + program: active-response/bin/remove-threat.sh From 040f8a4a2a56e8acd37235129e33afe4959bda7c Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Tue, 5 Jul 2022 12:18:54 -0300 Subject: [PATCH 147/552] fix: requested changes --- .../test_virustotal/data/configuration/virustotal_key | 1 - .../data/playbooks/configuration.yaml | 2 +- .../data/test_cases/cases_virustotal.yaml | 2 +- .../test_virustotal_active_response.py | 7 ++----- .../test_virustotal_fim/data/playbooks/configuration.yaml | 5 ----- .../data/test_cases/cases_virustotal.yaml | 2 +- .../test_virustotal_fim/test_virustotal_fim.py | 4 ---- 7 files changed, 5 insertions(+), 18 deletions(-) delete mode 100644 tests/end_to_end/test_virustotal/data/configuration/virustotal_key diff --git a/tests/end_to_end/test_virustotal/data/configuration/virustotal_key b/tests/end_to_end/test_virustotal/data/configuration/virustotal_key deleted file mode 100644 index 431e2428e6..0000000000 --- a/tests/end_to_end/test_virustotal/data/configuration/virustotal_key +++ /dev/null @@ -1 +0,0 @@ -3e4db70c621cd9dd9e3400254297eea03215987facca9931a42dcb86ffb8aa78 \ No newline at end of file diff --git a/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/configuration.yaml b/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/configuration.yaml index b59cf59a83..98fe79aa08 100644 --- a/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/configuration.yaml 
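Review bot: `rule.description` on the line above the change still uses `\/` escapes inside a double-quoted YAML scalar while `program` is now unquoted, so two values in the same block follow different conventions. In a double-quoted scalar `\/` decodes to a plain `/` with PyYAML as far as I know, so the escapes change nothing for the regex built in `test_virustotal_active_response.py` and the line could be written as `rule.description: "active-response/bin/remove-threat.sh removed threat located at /root/eicar.com "`, keeping the quotes because the value ends in a space that an unquoted scalar would drop.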
@@ -91,7 +91,7 @@ shell: yum install jq when: ansible_facts['distribution'] == "CentOS" - - name: Change remove threat owner and permissions + - name: Change remove-threat.sh owner and permissions become: true shell: | chmod 750 /var/ossec/active-response/bin/remove-threat.sh diff --git a/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/test_cases/cases_virustotal.yaml b/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/test_cases/cases_virustotal.yaml index ced12b18e9..b7cac764c8 100644 --- a/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/test_cases/cases_virustotal.yaml +++ b/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/test_cases/cases_virustotal.yaml @@ -1,4 +1,4 @@ -- name: Remove malicious file +- name: remove_malicious_file description: Detecting and removing malware configuration_parameters: null metadata: diff --git a/tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py b/tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py index 9c2482aeaa..053ba75af8 100644 --- a/tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py +++ b/tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py @@ -7,7 +7,6 @@ from time import sleep from wazuh_testing.tools.time import parse_date_time_format -from wazuh_testing.tools import file from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config 
@@ -15,13 +14,11 @@ alerts_json = os.path.join(gettempdir(), 'alerts.json') test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') -test_general_configuration_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), '..', 'data') test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_virustotal.yaml') configuration_playbooks = ['configuration.yaml'] remove_threat_file_path = os.path.join(test_data_path, 'active_response_script', 'remove-threat.sh') -virustotal_key_path = os.path.join(test_general_configuration_path, 'configuration', 'virustotal_key') -data_virustotal_key = file.read_file(virustotal_key_path) -configuration_extra_vars = {'active_response_script': remove_threat_file_path, 'virustotal_key': data_virustotal_key} +configuration_extra_vars = {'active_response_script': remove_threat_file_path} + events_playbooks = ['generate_events.yaml'] wait_indexed_alert = 5 diff --git a/tests/end_to_end/test_virustotal/test_virustotal_fim/data/playbooks/configuration.yaml b/tests/end_to_end/test_virustotal/test_virustotal_fim/data/playbooks/configuration.yaml index c5956e554c..1c3a72fba9 100644 --- a/tests/end_to_end/test_virustotal/test_virustotal_fim/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_virustotal/test_virustotal_fim/data/playbooks/configuration.yaml @@ -27,13 +27,8 @@ become: true tasks: - - name: Delete folder - command: rm -r /test - ignore_errors: true - - name: Create folder command: mkdir /test - ignore_errors: true - name: Configure syscheck blockinfile: diff --git a/tests/end_to_end/test_virustotal/test_virustotal_fim/data/test_cases/cases_virustotal.yaml b/tests/end_to_end/test_virustotal/test_virustotal_fim/data/test_cases/cases_virustotal.yaml index ba05fec6ed..d045286713 100644 --- a/tests/end_to_end/test_virustotal/test_virustotal_fim/data/test_cases/cases_virustotal.yaml +++ b/tests/end_to_end/test_virustotal/test_virustotal_fim/data/test_cases/cases_virustotal.yaml 
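Review bot: After this hunk `configuration_extra_vars` no longer carries `virustotal_key`, and nothing on the new side shows where the configuration playbook now obtains the VirusTotal API key; if the playbook still renders `{{ virustotal_key }}` the run fails on an undefined variable, and if the key was written into the playbook instead, the secret has only moved to another tracked file. The same removal is made in `test_virustotal_fim.py` at @@ -18,9 +17,6. A comment above the assignment naming the source, `# virustotal_key comes from <where the key is supplied>`, would settle it for the next reader.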
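Review bot: With the `Delete folder` task gone and `ignore_errors: true` removed from `Create folder`, `command: mkdir /test` now fails the play whenever `/test` already exists, which is exactly the situation on a second run against the same host. The idempotent form is the `file` module, so replace the `command` line with `file:` followed by `path: /test` and `state: directory`, which succeeds whether or not the directory exists and needs no error suppression. The play header and the tasks after `Configure syscheck` are outside the hunk.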
@@ -1,4 +1,4 @@ -- name: Scan file linux +- name: scanning_file description: Scanning a file and check generated alerts configuration_parameters: null metadata: diff --git a/tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py b/tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py index 1013f04626..75cf8a4799 100644 --- a/tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py +++ b/tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py @@ -7,7 +7,6 @@ from time import sleep from wazuh_testing.tools.time import parse_date_time_format -from wazuh_testing.tools import file from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config @@ -18,9 +17,6 @@ test_general_configuration_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), '..', 'data') test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_virustotal.yaml') configuration_playbooks = ['configuration.yaml'] -virustotal_key_path = os.path.join(test_general_configuration_path, 'configuration', 'virustotal_key') -data_virustotal_key = file.read_file(virustotal_key_path) -configuration_extra_vars = {'virustotal_key': data_virustotal_key} events_playbooks = ['generate_events.yaml'] wait_indexed_alert = 5 From abad3fb7d8dc07e29212c2ce7237b018914022b4 Mon Sep 17 00:00:00 2001 From: Julia Date: Wed, 6 Jul 2022 15:12:40 +0200 Subject: [PATCH 148/552] fix: Delete residual files --- .../test_audit/data/playbooks/credentials.yaml | 18 ------------------ .../test_audit/data/test_cases/cases_audit.yml | 14 -------------- 2 files changed, 32 deletions(-) delete mode 100644 tests/end_to_end/test_audit/data/playbooks/credentials.yaml delete mode 100644 tests/end_to_end/test_audit/data/test_cases/cases_audit.yml 
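Review bot: `test_general_configuration_path` is kept as the first context line of the @@ -18,9 +17,6 hunk while its only visible consumer, `virustotal_key_path`, is removed, so the variable now looks unused in `test_virustotal_fim.py` unless something below the hunk reads it. If it is dead, drop it together with the three removed lines so the `'..', 'data'` directory reference does not linger; if it is still needed, a one-line comment such as `# used by: <reader>` would keep the next cleanup from removing it.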
diff --git a/tests/end_to_end/test_audit/data/playbooks/credentials.yaml b/tests/end_to_end/test_audit/data/playbooks/credentials.yaml deleted file mode 100644 index 26903b78ba..0000000000 --- a/tests/end_to_end/test_audit/data/playbooks/credentials.yaml +++ /dev/null @@ -1,18 +0,0 @@ ---- -- name: Get credentials - hosts: wazuh-manager - tasks: - - - name: Unzip wazuh install files - unarchive: - src: /home/vagrant/wazuh-install-files.tar - dest: /home/vagrant - remote_src: yes - become: True - - - name: Get passwords file - fetch: - src: /home/vagrant/wazuh-install-files/passwords.wazuh - dest: /tmp/ - flat: yes - become: True diff --git a/tests/end_to_end/test_audit/data/test_cases/cases_audit.yml b/tests/end_to_end/test_audit/data/test_cases/cases_audit.yml deleted file mode 100644 index a7779abc85..0000000000 --- a/tests/end_to_end/test_audit/data/test_cases/cases_audit.yml +++ /dev/null @@ -1,14 +0,0 @@ -- name: ping_google - description: Ping www.google.com and check generated alerts - configuration_parameters: null - metadata: - extra_vars: - event_description: Ping google - command: ping -c 1 www.google.com - rule.id: 80792 - level: 3 - description: "Audit\\: Command\\: \\/usr\\/bin\\/ping." - extra: - euid: 1000 - a3: '\\"www\.google\.com\\"' - data.audit.command: ping From 4fa8fa6ae47571f217885a22471316938c2ce4d3 Mon Sep 17 00:00:00 2001 From: Julia Date: Wed, 6 Jul 2022 15:13:10 +0200 Subject: [PATCH 149/552] fix: Sort imports --- tests/end_to_end/test_audit/test_audit.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/test_audit/test_audit.py b/tests/end_to_end/test_audit/test_audit.py index 5c3d370a2a..9f62652a44 100644 --- a/tests/end_to_end/test_audit/test_audit.py +++ b/tests/end_to_end/test_audit/test_audit.py 
@@ -6,10 +6,10 @@ from tempfile import gettempdir from time import sleep +from wazuh_testing.tools.time import parse_date_time_format from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config -from wazuh_testing.tools.time import parse_date_time_format alerts_json = os.path.join(gettempdir(), 'alerts.json') From c2fcef2dc28210252a2ffdb8055cb9ab6c3f1e13 Mon Sep 17 00:00:00 2001 From: Julia Date: Wed, 6 Jul 2022 16:12:16 +0200 Subject: [PATCH 150/552] fix: Sort imports --- deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py b/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py index 8d8808bf80..a87266957a 100644 --- a/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py +++ b/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py @@ -1,8 +1,8 @@ # Copyright (C) 2015-2022, Wazuh Inc. # Created by Wazuh, Inc. . # This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 -from http import HTTPStatus import requests +from http import HTTPStatus def get_alert_indexer_api(query, credentials, ip_address='wazuh-manager', index='wazuh-alerts-4.x-*'): From 30f2253bb326b77ae28c33fca3b6a324004a3015 Mon Sep 17 00:00:00 2001 From: Julia Date: Wed, 6 Jul 2022 16:12:53 +0200 Subject: [PATCH 151/552] fix: Get alert by timestamp --- .../wazuh_testing/end_to_end/__init__.py | 8 ++-- tests/end_to_end/test_audit/test_audit.py | 46 ++++++++----------- 2 files changed, 23 insertions(+), 31 deletions(-) diff --git a/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py b/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py index a87266957a..36c673854d 100644 --- a/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py +++ b/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py 
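Review bot: The new order in `test_audit.py` places `wazuh_testing.tools.time` above `wazuh_testing` and `wazuh_testing.tools`, which is not the sorted order the commit title announces, and the `__init__.py` hunk at @@ -1,8 +1,8 moves the stdlib `from http import HTTPStatus` below the third-party `import requests`, the opposite of PEP 8's stdlib-then-third-party grouping. If isort-style ordering is the goal, the `__init__.py` block would read `from http import HTTPStatus`, a blank line, then `import requests`, and the `test_audit.py` import would stay last where it already was, so both hunks could be dropped.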
@@ -4,7 +4,10 @@ import requests from http import HTTPStatus +from wazuh_testing.tools.utils import retry + +@retry(Exception, attempts=3, delay=5) def get_alert_indexer_api(query, credentials, ip_address='wazuh-manager', index='wazuh-alerts-4.x-*'): """Get an alert from the wazuh-indexer API @@ -24,9 +27,8 @@ def get_alert_indexer_api(query, credentials, ip_address='wazuh-manager', index= response = requests.get(url=url, params={'pretty': 'true'}, json=query, verify=False, auth=requests.auth.HTTPBasicAuth(credentials['user'], credentials['password'])) - - assert response.status_code == HTTPStatus.OK, 'The document(s) have not been obtained successfully.'\ - f"Actual response {response.status_code}" + if '"hits" : [ ]' in response.text: + raise Exception('Alert not indexed') return response diff --git a/tests/end_to_end/test_audit/test_audit.py b/tests/end_to_end/test_audit/test_audit.py index 9f62652a44..fc7c7f56d7 100644 --- a/tests/end_to_end/test_audit/test_audit.py +++ b/tests/end_to_end/test_audit/test_audit.py @@ -2,11 +2,8 @@ import json import re import pytest -from datetime import datetime from tempfile import gettempdir -from time import sleep -from wazuh_testing.tools.time import parse_date_time_format from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config @@ -14,7 +11,7 @@ alerts_json = os.path.join(gettempdir(), 'alerts.json') test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') -test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_audit.yml') +test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_audit.yaml') configuration_playbooks = ['configuration.yaml'] events_playbooks = ['generate_events.yaml'] wait_indexed_alert = 5 
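Review bot: `@retry(Exception, attempts=3, delay=5)` retries on every exception type, so a refused connection, a TLS failure and a bug in the query builder all get the same three attempts and fifteen seconds of delay before the real error surfaces. The retry exists for indexing lag, so a dedicated exception narrows it, `class AlertNotIndexedError(Exception): pass` in this module, `@retry(AlertNotIndexedError, attempts=3, delay=5)` on the function, and that type raised in the not-indexed branch. `retry` comes from `wazuh_testing.tools.utils` and its semantics are not visible here, so whether it re-raises after the last attempt should be confirmed and stated in the docstring.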
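Review bot: Replacing the status-code assert with `if '"hits" : [ ]' in response.text` means a 401 from wrong dashboard credentials, a 404 for a missing index or a 5xx is now returned as if it were a successful lookup, and the caller only finds out when its regex over `response.json()` fails with the misleading message 'Alert triggered, but not indexed'. The string test also depends on the `pretty: 'true'` whitespace rather than on the parsed document. Keeping an explicit status check and inspecting the parsed hits, `response.raise_for_status()` followed by `if not response.json()['hits']['hits']: raise Exception('Alert not indexed')`, covers both; with that, `HTTPStatus` appears unused in this file unless something outside the hunks reads it.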
@@ -38,28 +35,28 @@ def test_audit(configure_environment, metadata, get_dashboard_credentials, gener fr'euid={euid}.*comm=\\"{data_audit_command}\\".*a3={a3}.*' \ r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' - query = e2e.make_query([ - - { - "term": { - "rule.id": f"{rule_id}" - } - }, - { - "term": { - "data.audit.command": f"{data_audit_command}" - } - } - ]) - # Check that alert has been raised and save timestamp raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, error_message='The alert has not occurred').result() raised_alert_timestamp = raised_alert.group(1) - raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') - # Wait a few seconds for the alert to be indexed (alert.json -> filebeat -> wazuh-indexer) - sleep(wait_indexed_alert) + query = e2e.make_query([ + { + "term": { + "rule.id": f"{rule_id}" + } + }, + { + "term": { + "data.audit.command": f"{data_audit_command}" + } + }, + { + "term": { + "timestamp": f"{raised_alert_timestamp}" + } + } + ]) # Get indexed alert response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) @@ -68,10 +65,3 @@ def test_audit(configure_environment, metadata, get_dashboard_credentials, gener # Check that the alert data is the expected one alert_data = re.search(expected_indexed_alert, indexed_alert) assert alert_data is not None, 'Alert triggered, but not indexed' - - # Get indexed alert timestamp - indexed_alert_timestamp = alert_data.group(1) - indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), '%Y-%m-%d %H:%M:%S') - - # Check that alert has been indexed (checking that the timestamp is the expected one) - assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' From ca56ef0832ffe2230b3e931928437e6751498b87 Mon Sep 17 00:00:00 2001 
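Review bot: The explicit `sleep(wait_indexed_alert)` before the indexer query is removed here and the test now relies on `get_alert_indexer_api` retrying while the index returns no hits, but nothing in the function says so, and the retry lives in `deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py`, patched earlier in this series. A comment at the query would make the dependency visible, `# No explicit wait: get_alert_indexer_api retries while the alert is not yet indexed (alerts.json -> filebeat -> wazuh-indexer)`. The same applies to `test_brute_force.py` at @@ -40,20 +40,25 and `test_docker_monitoring.py` at @@ -53,18 +58,14, which drop the same wait. The start of `test_audit` and the patterns it builds are above the hunk.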
From: Julia Date: Wed, 6 Jul 2022 17:38:31 +0200 Subject: [PATCH 152/552] fix: Get brute force alert with timestamp --- .../test_brute_force/test_brute_force.py | 28 +++++++++---------- 1 file changed, 13 insertions(+), 15 deletions(-) diff --git a/tests/end_to_end/test_brute_force/test_brute_force.py b/tests/end_to_end/test_brute_force/test_brute_force.py index 3d1608cf2c..c95a8ddcc2 100644 --- a/tests/end_to_end/test_brute_force/test_brute_force.py +++ b/tests/end_to_end/test_brute_force/test_brute_force.py @@ -40,20 +40,25 @@ def test_brute_force(metadata, get_dashboard_credentials, generate_events, clean fr'.*"mitre":.*"{rule_mitre_technique}".*"id": "{rule_id}".*'\ r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' - query = e2e.make_query([ - { - "term": { - "rule.id": f"{rule_id}" - } - } - ]) - # Check that alert has been raised and save timestamp raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, error_message='The alert has not occurred').result() raised_alert_timestamp = raised_alert.group(1) raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') + query = e2e.make_query([ + { + "term": { + "rule.id": f"{rule_id}" + } + }, + { + "term": { + "timestamp": f"{raised_alert_timestamp}" + } + } + ]) + # Get indexed alert response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) indexed_alert = json.dumps(response.json()) 
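Review bot: `raised_alert_timestamp` is still converted with `datetime.strptime(parse_date_time_format(...), '%Y-%m-%d %H:%M:%S')` on the context line just before the new query, so the `timestamp` term is built from `str()` of a naive datetime (no milliseconds, no offset) rather than from the raw alert timestamp that `test_audit.py` uses, and a term query on the indexed value is unlikely to match it. PATCH 153/552 later in this series removes that conversion line, which resolves it; until then the test can only pass if the indexer normalises the value, which should be confirmed rather than assumed. The beginning of `test_brute_force` is outside the hunk.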
@@ -61,10 +66,3 @@ def test_brute_force(metadata, get_dashboard_credentials, generate_events, clean # Check that the alert data is the expected one alert_data = re.search(expected_indexed_alert, indexed_alert) assert alert_data is not None, 'Alert triggered, but not indexed' - - # Get indexed alert timestamp - indexed_alert_timestamp = alert_data.group(1) - indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), '%Y-%m-%d %H:%M:%S') - - # Check that alert has been indexed (checking that the timestamp is the expected one) - assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' From 6b1e339b1329ac4b6787013b59b8429ca88b20c2 Mon Sep 17 00:00:00 2001 From: Julia Date: Wed, 6 Jul 2022 17:41:34 +0200 Subject: [PATCH 153/552] fix: Remove unnecessary lines --- tests/end_to_end/test_audit/test_audit.py | 1 - tests/end_to_end/test_brute_force/test_brute_force.py | 1 - 2 files changed, 2 deletions(-) diff --git a/tests/end_to_end/test_audit/test_audit.py b/tests/end_to_end/test_audit/test_audit.py index fc7c7f56d7..fb874a2851 100644 --- a/tests/end_to_end/test_audit/test_audit.py +++ b/tests/end_to_end/test_audit/test_audit.py @@ -14,7 +14,6 @@ test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_audit.yaml') configuration_playbooks = ['configuration.yaml'] events_playbooks = ['generate_events.yaml'] -wait_indexed_alert = 5 configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) diff --git a/tests/end_to_end/test_brute_force/test_brute_force.py b/tests/end_to_end/test_brute_force/test_brute_force.py index c95a8ddcc2..c1a01c5f16 100644 --- a/tests/end_to_end/test_brute_force/test_brute_force.py +++ b/tests/end_to_end/test_brute_force/test_brute_force.py 
@@ -44,7 +44,6 @@ def test_brute_force(metadata, get_dashboard_credentials, generate_events, clean raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, error_message='The alert has not occurred').result() raised_alert_timestamp = raised_alert.group(1) - raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') query = e2e.make_query([ { From 04a04fa8f32ec156c08722ac1f4c9ad03c2cb98f Mon Sep 17 00:00:00 2001 From: Julia Date: Wed, 6 Jul 2022 17:42:53 +0200 Subject: [PATCH 154/552] fix: Remove unnecessary imports --- tests/end_to_end/test_brute_force/test_brute_force.py | 2 -- .../test_docker_monitoring/test_docker_monitoring.py | 4 ---- 2 files changed, 6 deletions(-) diff --git a/tests/end_to_end/test_brute_force/test_brute_force.py b/tests/end_to_end/test_brute_force/test_brute_force.py index c1a01c5f16..fb6ba7b2b7 100644 --- a/tests/end_to_end/test_brute_force/test_brute_force.py +++ b/tests/end_to_end/test_brute_force/test_brute_force.py @@ -2,13 +2,11 @@ import json import re import pytest -from datetime import datetime from tempfile import gettempdir from wazuh_testing.tools import configuration as config from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm -from wazuh_testing.tools.time import parse_date_time_format # Test cases data alerts_json = os.path.join(gettempdir(), 'alerts.json') diff --git a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py index 1e517fd1fe..65c435d51f 100644 --- a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py +++ b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py 
@@ -2,12 +2,8 @@ import json import re import pytest -from datetime import datetime from tempfile import gettempdir -from time import sleep -import wazuh_testing as fw -from wazuh_testing.tools.time import parse_date_time_format from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config From d0ee7d88b4d5d0f5698fad52e4c7b77896bc7ae0 Mon Sep 17 00:00:00 2001 From: Julia Date: Wed, 6 Jul 2022 17:43:29 +0200 Subject: [PATCH 155/552] fix: Get docker alert with timestamp --- .../test_docker_monitoring.py | 26 +++++++------------ 1 file changed, 10 insertions(+), 16 deletions(-) diff --git a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py index 65c435d51f..0c78773222 100644 --- a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py +++ b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py @@ -38,6 +38,11 @@ def test_docker_monitoring(configure_environment, metadata, get_dashboard_creden fr"id.+{rule_id}.+timestamp\": \"(.+)\"" \ r'},.+' + # Check that alert has been raised and save timestamp + raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + error_message='The alert has not occurred').result() + raised_alert_timestamp = raised_alert.group(1) + query = e2e.make_query([ { "term": { 
@@ -53,18 +58,14 @@ def test_docker_monitoring(configure_environment, metadata, get_dashboard_creden "term": { "data.docker.Action": f"{docker_action}" } + }, + { + "term": { + "timestamp": f"{raised_alert_timestamp}" + } } ]) - # Check that alert has been raised and save timestamp - raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - error_message='The alert has not occurred').result() - raised_alert_timestamp = raised_alert.group(1) - raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') - - # Wait a few seconds for the alert to be indexed (alert.json -> filebeat -> wazuh-indexer) - sleep(fw.T_5) - # Get indexed alert response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) indexed_alert = json.dumps(response.json()) @@ -72,10 +73,3 @@ def test_docker_monitoring(configure_environment, metadata, get_dashboard_creden # Check that the alert data is the expected one alert_data = re.search(expected_indexed_alert, indexed_alert) assert alert_data is not None, 'Alert triggered, but not indexed' - - # Get indexed alert timestamp - indexed_alert_timestamp = alert_data.group(1) - indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), '%Y-%m-%d %H:%M:%S') - - # Check that alert has been indexed (checking that the timestamp is the expected one) - assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' From e8d4f8102de3fe5bb22990342aa92d0c323f7377 Mon Sep 17 00:00:00 2001 
From: Mauro Malara Date: Wed, 6 Jul 2022 16:14:10 -0300 Subject: [PATCH 156/552] refac(conftest)!: now the hostname is dynamic and it depends on the inventory. #3035 BREAKING CHANGE: The conftest of the E2E tests was refactored in order to allow the test run on different hosts, depending on the inventory file. Some fixes have been made in the test and playbooks. --- tests/end_to_end/conftest.py | 41 +++++++++++++++---- .../data/playbooks/configuration.yaml | 3 +- .../data/playbooks/generate_events.yaml | 2 +- .../cases_detecting_suspicious_binaries.yaml | 2 +- .../test_detecting_suspicious_binaries.py | 14 +++---- 5 files changed, 43 insertions(+), 19 deletions(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index f4a122258a..46ca9fe145 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -4,6 +4,7 @@ import os import ansible_runner import pytest +import yaml from tempfile import gettempdir from wazuh_testing.tools.file import remove_file @@ -14,15 +15,16 @@ @pytest.fixture(scope='function') -def clean_environment(get_dashboard_credentials): +def clean_environment(get_dashboard_credentials, request): """Remove the temporary file that contains the alerts and delete indices using the API. Args: - credentials(dict): wazuh-indexer credentials. + credentials (dict): wazuh-indexer credentials. + request (fixture): Provide information on the executing test function. """ yield remove_file(alerts_json) - e2e.delete_index_api(credentials=get_dashboard_credentials) + e2e.delete_index_api(credentials=get_dashboard_credentials, ip_address=request.module.current_hostname) @pytest.fixture(scope='module') 
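Review bot: `clean_environment` now reads `request.module.current_hostname`, which is set only by `configure_environment` (the hunk at @@ -60,15 +68,23), so a test that requests `clean_environment` without `configure_environment` raises `AttributeError` at teardown, and `test_brute_force` on this page is such a test (`def test_brute_force(metadata, get_dashboard_credentials, generate_events, clean...`). The hostname should be derived in this fixture from the inventory, or `configure_environment` should be a declared dependency of `clean_environment`, rather than shared through a module attribute. Separately, the docstring still documents `credentials (dict)` while the parameter is named `get_dashboard_credentials`; `get_dashboard_credentials (dict): wazuh-indexer credentials.` matches the signature.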
@@ -37,11 +39,17 @@ def get_dashboard_credentials(request): if not inventory_playbook: raise ValueError('Inventory not specified') - inventory = ansible_runner.get_inventory(action='host', inventories=inventory_playbook, response_format='json', - host='wazuh-manager') + # Get the hostname from the inventory + hostname = [*yaml.safe_load(open(inventory_playbook[0]))['all']['hosts'].keys()][0] - # Inventory is a tuple, with the second value empty, so we must access inventory[0] - dashboard_credentials = {'user': inventory[0]['dashboard_user'], 'password': inventory[0]['dashboard_password']} + # get_inventory returns a tuple with the second element empty, that's why we access to the first element using [0] + inventory = ansible_runner.get_inventory(action='host', host=hostname, inventories=inventory_playbook, + response_format='json')[0] + + dashboard_credentials = { + 'user': inventory['dashboard_user'], + 'password': inventory['dashboard_password'] + } yield dashboard_credentials 
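Review bot: `yaml.safe_load(open(inventory_playbook[0]))` never closes the file and indexes `inventory_playbook` as a sequence, while the identical expression in `configure_environment` (@@ -60,15 +68,23) and `generate_events` (@@ -87,14 +103,21) opens `inventory_playbook` directly, so one of the three is wrong unless the option is a list only in this fixture. Taking `[0]` of `all.hosts` also silently picks whichever host the inventory lists first when there are several, which deserves a comment. One helper in conftest, with a `with` block and `next(iter(...))`, replaces all three copies and gives that assumption a single documented home; the `[0]` indexing is kept below because its correctness cannot be judged from the hunk.
```python
def get_inventory_hostname(inventory_path):
    """Return the first host under ``all.hosts`` of a YAML inventory (assumes a single target host)."""
    with open(inventory_path) as inventory_file:
        return next(iter(yaml.safe_load(inventory_file)['all']['hosts']))


# … unchanged: fixture definitions up to the inventory check …
    # Get the hostname from the inventory
    hostname = get_inventory_hostname(inventory_playbook[0])
```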
@@ -60,15 +68,23 @@ def configure_environment(request): if not inventory_playbook: raise ValueError('Inventory not specified') + # Get the hostname from the inventory + hostname = [*yaml.safe_load(open(inventory_playbook))['all']['hosts'].keys()][0] + # Set the current hostname as an attribute of the test + request.module.current_hostname = hostname + # For each configuration playbook previously declared in the test, get the complete path and run it for playbook in getattr(request.module, 'configuration_playbooks'): configuration_playbook_path = os.path.join(getattr(request.module, 'test_data_path'), 'playbooks', playbook) parameters = {'playbook': configuration_playbook_path, 'inventory': inventory_playbook} + # Add the hostname to the extravars dictionary + parameters.update({'extravars': {'inventory_hostname': hostname}}) + # Check if the module has extra variables to pass to the playbook configuration_extra_vars = getattr(request.module, 'configuration_extra_vars', None) if configuration_extra_vars is not None: - parameters.update({'extravars': configuration_extra_vars}) + parameters['extravars'].update(configuration_extra_vars) ansible_runner.run(**parameters) 
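Review bot: `parameters.update({'extravars': {'inventory_hostname': hostname}})` passes the target under the name `inventory_hostname`, which is one of Ansible's reserved magic variables (the name of the host currently being processed), and extra vars have the highest precedence, so every host in the run now sees the same `inventory_hostname`, in `hostvars` and in templates alike; this works for a one-host inventory but breaks as soon as the inventory grows. The same key is set in `generate_events` at @@ -87,14 +103,21 and consumed by the two playbooks' `hosts: "{{ inventory_hostname }}"` lines. A non-reserved name such as `target_host` (an example) with `hosts: "{{ target_host }}"` in the playbooks avoids overriding the built-in. The `ansible_runner.run(**parameters)` call and the rest of the fixture lie outside the hunk.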
@@ -87,14 +103,21 @@ def generate_events(request, metadata): if not inventory_playbook: raise ValueError('Inventory not specified') + # Get the hostname from the inventory + hostname = [*yaml.safe_load(open(inventory_playbook))['all']['hosts'].keys()][0] + # For each event generation playbook previously declared in the test, obtain the complete path and execute it. for playbook in getattr(request.module, 'events_playbooks'): events_playbook_path = os.path.join(getattr(request.module, 'test_data_path'), 'playbooks', playbook) parameters = {'playbook': events_playbook_path, 'inventory': inventory_playbook} + + # Add the hostname to the extravars dictionary + parameters.update({'extravars': {'inventory_hostname': hostname}}) + # Check if the test case has extra variables to pass to the playbook and add them to the parameters in that case if 'extra_vars' in metadata: - parameters.update({'extravars': metadata['extra_vars']}) + parameters['extravars'].update(metadata['extra_vars']) ansible_runner.run(**parameters) diff --git a/tests/end_to_end/test_detecting_suspicious_binaries/data/playbooks/configuration.yaml b/tests/end_to_end/test_detecting_suspicious_binaries/data/playbooks/configuration.yaml index 170f6aa358..cff7e81b25 100644 --- a/tests/end_to_end/test_detecting_suspicious_binaries/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_detecting_suspicious_binaries/data/playbooks/configuration.yaml @@ -1,5 +1,6 @@ - name: Configure environment - hosts: wazuh-manager + hosts: "{{ inventory_hostname }}" + become: true tasks: - name: Create a copy of the system binary diff --git a/tests/end_to_end/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml b/tests/end_to_end/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml index ede64103d2..f3c4f047ac 100644 --- a/tests/end_to_end/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml 
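Review bot: `hosts: "{{ inventory_hostname }}"` relies on the runner supplying `inventory_hostname` through extravars, but that is the name of one of Ansible's magic variables (the per-host name Ansible itself sets), so shadowing it from extra vars is at best confusing and, on recent Ansible versions, I believe triggers a reserved-name warning; a project-specific variable such as `target_host` would be unambiguous. The same pattern is used in generate_events.yaml on the next hunk and in the new teardown_playbook.yaml of PATCH 157.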
+++ b/tests/end_to_end/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml @@ -1,5 +1,5 @@ - name: Generate events - hosts: wazuh-manager + hosts: "{{ inventory_hostname }}" become: true tasks: diff --git a/tests/end_to_end/test_detecting_suspicious_binaries/data/test_cases/cases_detecting_suspicious_binaries.yaml b/tests/end_to_end/test_detecting_suspicious_binaries/data/test_cases/cases_detecting_suspicious_binaries.yaml index 7055552b5f..4906ea7ed5 100644 --- a/tests/end_to_end/test_detecting_suspicious_binaries/data/test_cases/cases_detecting_suspicious_binaries.yaml +++ b/tests/end_to_end/test_detecting_suspicious_binaries/data/test_cases/cases_detecting_suspicious_binaries.yaml @@ -3,7 +3,7 @@ configuration_parameters: null metadata: rule.id: 510 - rule.description: Host-based anomaly detection event (rootcheck). + rule.description: Host-based anomaly detection event \(rootcheck\). rule.level: 7 extra: data.title: Trojaned version of file detected. diff --git a/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py b/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py index 0cb498d9dd..fecc30fb52 100644 --- a/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py +++ b/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py 
@@ -37,15 +37,13 @@ def test_detecting_suspicious_binaries(configure_environment, metadata, get_dash rule_level = metadata['rule.level'] data_title = metadata['extra']['data.title'] data_file = metadata['extra']['data.file'] - timestamp_regex = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+\+\d+' + timestamp_regex = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[\+|-]\d+' expected_alert_json = fr".+timestamp\":\"({timestamp_regex})\",.+level\":{rule_level}.+description\"" \ - fr":\"{re.escape(rule_description)}.+id.+{rule_id}.+title.+{data_title}.+" \ - fr"file.+{re.escape(data_file)}" + fr":\"{rule_description}.+id.+{rule_id}.+title.+{data_title}.+file.+{data_file}" - expected_indexed_alert = fr".+file.+{re.escape(data_file)}.+title.+{data_title}.+level.+{rule_level}.+" \ - fr"description.+{re.escape(rule_description)}.+id.+{rule_id}.+"\ - fr"timestamp\": \"({timestamp_regex})\"" + expected_indexed_alert = fr".+file.+{data_file}.+title.+{data_title}.+level.+{rule_level}.+" \ + fr"description.+{rule_description}.+id.+{rule_id}.+timestamp\": \"({timestamp_regex})\"" query = e2e.make_query([ { @@ -75,7 +73,9 @@ def test_detecting_suspicious_binaries(configure_environment, metadata, get_dash sleep(fw.T_5) # Get indexed alert - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + # current_hostname is defined in conftest (configure_environment) + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials, + ip_address=current_hostname) indexed_alert = json.dumps(response.json()) # Check that the alert data is the expected one From a0f11bd419745afbd032a4c2a4d1b2181e9ec2c4 Mon Sep 17 00:00:00 2001 
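Review bot: The new `timestamp_regex = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[\+|-]\d+'` puts `|` inside a character class, where it is a literal pipe rather than alternation, so the class matches `+`, `|` or `-`; the intended set is `[+-]`, i.e. `timestamp_regex = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[+-]\d+'`. Dropping `re.escape()` around `rule_description` and `data_file` also turns every test-case value into a regex fragment, which is why the cases file on the previous line now has to carry `\(rootcheck\)`; that contract (metadata strings are patterns, not literals) should be stated in a comment next to `expected_alert_json`, because a future `data.file` value containing `.` or `+` will silently match more than intended. The function starts outside the hunk.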
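Review bot: `ip_address=current_hostname` reads a name this module never defines; it exists only because configure_environment in conftest assigns `request.module.current_hostname` at run time, so linters report an undefined name and the test breaks if the fixture is reordered or the attribute renamed. Exposing the hostname as a fixture return value, or reading `request.module.current_hostname` explicitly, would make the dependency visible. The comment `# current_hostname is defined in conftest (configure_environment)` should at least say the name is injected into the module namespace rather than defined. The function continues outside the hunk.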
From: Mauro Malara Date: Wed, 6 Jul 2022 16:18:24 -0300 Subject: [PATCH 157/552] feat(teardown)!: teardown stage added. #3035 --- tests/end_to_end/conftest.py | 19 +++++++++++++++++++ .../data/playbooks/teardown_playbook.yaml | 16 ++++++++++++++++ .../test_detecting_suspicious_binaries.py | 1 + 3 files changed, 36 insertions(+) create mode 100644 tests/end_to_end/test_detecting_suspicious_binaries/data/playbooks/teardown_playbook.yaml diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 46ca9fe145..6f087d9fee 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -121,6 +121,25 @@ def generate_events(request, metadata): ansible_runner.run(**parameters) + yield + inventory_playbook = request.config.getoption('--inventory_path') + # Get the hostname from the inventory + hostname = [*yaml.safe_load(open(inventory_playbook))['all']['hosts'].keys()][0] + + # Execute each playbook for the teardown + for playbook in getattr(request.module, 'teardown_playbook'): + teardown_playbook_path = os.path.join(getattr(request.module, 'test_data_path'), 'playbooks', playbook) + parameters = {'playbook': teardown_playbook_path, 'inventory': inventory_playbook} + + # Add the hostname to the extravars dictionary + parameters.update({'extravars': {'inventory_hostname': hostname}}) + + # Check if the test case has extra variables to pass to the playbook and add them to the parameters in that case + if 'extra_vars' in metadata: + parameters['extravars'].update(metadata['extra_vars']) + + ansible_runner.run(**parameters) + def pytest_addoption(parser): parser.addoption( diff --git a/tests/end_to_end/test_detecting_suspicious_binaries/data/playbooks/teardown_playbook.yaml b/tests/end_to_end/test_detecting_suspicious_binaries/data/playbooks/teardown_playbook.yaml new file mode 100644 index 0000000000..e4fa423d7f --- /dev/null +++ b/tests/end_to_end/test_detecting_suspicious_binaries/data/playbooks/teardown_playbook.yaml 
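Review bot: `for playbook in getattr(request.module, 'teardown_playbook'):` has no default, so the teardown half of generate_events raises AttributeError for every test module that does not declare `teardown_playbook`, and the other end-to-end modules in this series (netcat, osquery, shellshock, sql_injection, virustotal) declare only `configuration_playbooks` and `events_playbooks`. Follow the `configuration_extra_vars` convention already used in conftest: `for playbook in getattr(request.module, 'teardown_playbook', []):`. The same unguarded lookup survives the refactor in PATCH 158 and the move into clean_environment in PATCH 164, where it would affect every test using that shared fixture. Naming the list `teardown_playbooks`, parallel to `events_playbooks`, would also avoid the singular/plural mismatch.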
@@ -0,0 +1,16 @@ +- name: Cleanup environment + hosts: "{{ inventory_hostname }}" + become: true + tasks: + + - name: Restore the system binary + copy: + src: /usr/bin/w.copy + dest: /usr/bin/w + mode: preserve + remote_src: true + + - name: Delete the system binary copy + file: + path: /usr/bin/w.copy + state: absent diff --git a/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py b/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py index fecc30fb52..9d9f201b06 100644 --- a/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py +++ b/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py @@ -23,6 +23,7 @@ configuration_playbooks = ['configuration.yaml'] events_playbooks = ['generate_events.yaml'] configuration_extra_vars = {'trojan_script_path': trojan_script_path} +teardown_playbook = ['teardown_playbook.yaml'] # Configuration configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) From 25b90e931dcf3f921a15f7973b2c273ed72b209b Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Thu, 7 Jul 2022 18:45:23 -0300 Subject: [PATCH 158/552] refac: dynamic hostname removed. #3035 --- tests/end_to_end/conftest.py | 48 ++++--------------- .../data/playbooks/configuration.yaml | 2 +- .../data/playbooks/generate_events.yaml | 2 +- .../data/playbooks/teardown_playbook.yaml | 2 +- .../test_detecting_suspicious_binaries.py | 4 +- 5 files changed, 14 insertions(+), 44 deletions(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 6f087d9fee..e5e8ecca4a 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -4,7 +4,6 @@ import os import ansible_runner import pytest -import yaml from tempfile import gettempdir from wazuh_testing.tools.file import remove_file 
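Review bot: The `Restore the system binary` task copies `/usr/bin/w.copy` back over `/usr/bin/w` unconditionally, so when the configuration play failed before the backup was created the restore task errors out and aborts the play, and the delete task is never reached. Guarding the restore with a `stat` of `/usr/bin/w.copy` and `when: backup.stat.exists` makes the cleanup safe to run after a partial setup; the `file` task with `state: absent` is already idempotent and can stay as is.
```yaml
  - name: Check whether the backup of the system binary exists
    stat:
      path: /usr/bin/w.copy
    register: backup

  - name: Restore the system binary
    # … unchanged: copy src/dest/mode/remote_src …
    when: backup.stat.exists

  # … unchanged: Delete the system binary copy …
```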
@@ -15,16 +14,15 @@ @pytest.fixture(scope='function') -def clean_environment(get_dashboard_credentials, request): +def clean_environment(get_dashboard_credentials): """Remove the temporary file that contains the alerts and delete indices using the API. Args: credentials (dict): wazuh-indexer credentials. - request (fixture): Provide information on the executing test function. """ yield remove_file(alerts_json) - e2e.delete_index_api(credentials=get_dashboard_credentials, ip_address=request.module.current_hostname) + e2e.delete_index_api(credentials=get_dashboard_credentials) @pytest.fixture(scope='module') @@ -39,17 +37,11 @@ def get_dashboard_credentials(request): if not inventory_playbook: raise ValueError('Inventory not specified') - # Get the hostname from the inventory - hostname = [*yaml.safe_load(open(inventory_playbook[0]))['all']['hosts'].keys()][0] + inventory = ansible_runner.get_inventory(action='host', inventories=inventory_playbook, response_format='json', + host='wazuh-manager') - # get_inventory returns a tuple with the second element empty, that's why we access to the first element using [0] - inventory = ansible_runner.get_inventory(action='host', host=hostname, inventories=inventory_playbook, - response_format='json')[0] - - dashboard_credentials = { - 'user': inventory['dashboard_user'], - 'password': inventory['dashboard_password'] - } + # Inventory is a tuple, with the second value empty, so we must access inventory[0] + dashboard_credentials = {'user': inventory[0]['dashboard_user'], 'password': inventory[0]['dashboard_password']} yield dashboard_credentials 
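Review bot: The docstring entry `credentials (dict): wazuh-indexer credentials.` documents a parameter named `credentials`, but the fixture's only parameter is `get_dashboard_credentials`; renaming the Args entry to `get_dashboard_credentials (dict): wazuh-indexer credentials.` keeps the docstring in step with the signature. The same stale entry is carried into the PATCH 164 version of this fixture.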
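Review bot: The reverted `host='wazuh-manager'` couples get_dashboard_credentials to one inventory host name, and the following `inventory[0]['dashboard_user']` / `inventory[0]['dashboard_password']` lookups raise a bare KeyError when that host or those host vars are missing. A short comment above the call stating that the inventory must define a `wazuh-manager` host carrying `dashboard_user` and `dashboard_password`, or a `ValueError('dashboard credentials not found in inventory')` raised on a missing key, would make that requirement explicit, matching the `Inventory not specified` check just above. The function starts outside the hunk.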
@@ -68,23 +60,15 @@ def configure_environment(request): if not inventory_playbook: raise ValueError('Inventory not specified') - # Get the hostname from the inventory - hostname = [*yaml.safe_load(open(inventory_playbook))['all']['hosts'].keys()][0] - # Set the current hostname as an attribute of the test - request.module.current_hostname = hostname - # For each configuration playbook previously declared in the test, get the complete path and run it for playbook in getattr(request.module, 'configuration_playbooks'): configuration_playbook_path = os.path.join(getattr(request.module, 'test_data_path'), 'playbooks', playbook) parameters = {'playbook': configuration_playbook_path, 'inventory': inventory_playbook} - # Add the hostname to the extravars dictionary - parameters.update({'extravars': {'inventory_hostname': hostname}}) - # Check if the module has extra variables to pass to the playbook configuration_extra_vars = getattr(request.module, 'configuration_extra_vars', None) if configuration_extra_vars is not None: - parameters['extravars'].update(configuration_extra_vars) + parameters.update({'extravars': configuration_extra_vars}) ansible_runner.run(**parameters) 
@@ -103,40 +87,28 @@ def generate_events(request, metadata): if not inventory_playbook: raise ValueError('Inventory not specified') - # Get the hostname from the inventory - hostname = [*yaml.safe_load(open(inventory_playbook))['all']['hosts'].keys()][0] - # For each event generation playbook previously declared in the test, obtain the complete path and execute it. for playbook in getattr(request.module, 'events_playbooks'): events_playbook_path = os.path.join(getattr(request.module, 'test_data_path'), 'playbooks', playbook) parameters = {'playbook': events_playbook_path, 'inventory': inventory_playbook} - - # Add the hostname to the extravars dictionary - parameters.update({'extravars': {'inventory_hostname': hostname}}) - # Check if the test case has extra variables to pass to the playbook and add them to the parameters in that case if 'extra_vars' in metadata: - parameters['extravars'].update(metadata['extra_vars']) + parameters.update({'extravars': metadata['extra_vars']}) ansible_runner.run(**parameters) yield inventory_playbook = request.config.getoption('--inventory_path') - # Get the hostname from the inventory - hostname = [*yaml.safe_load(open(inventory_playbook))['all']['hosts'].keys()][0] # Execute each playbook for the teardown for playbook in getattr(request.module, 'teardown_playbook'): teardown_playbook_path = os.path.join(getattr(request.module, 'test_data_path'), 'playbooks', playbook) - parameters = {'playbook': teardown_playbook_path, 'inventory': inventory_playbook} - - # Add the hostname to the extravars dictionary - parameters.update({'extravars': {'inventory_hostname': hostname}}) + parameters = {'playbook': teardown_playbook_path, 'inventory': inventory_playbook} # Check if the test case has extra variables to pass to the playbook and add them to the parameters in that case if 'extra_vars' in metadata: - parameters['extravars'].update(metadata['extra_vars']) + parameters.update({'extravars': metadata['extra_vars']}) 
ansible_runner.run(**parameters) diff --git a/tests/end_to_end/test_detecting_suspicious_binaries/data/playbooks/configuration.yaml b/tests/end_to_end/test_detecting_suspicious_binaries/data/playbooks/configuration.yaml index cff7e81b25..0350b4eca3 100644 --- a/tests/end_to_end/test_detecting_suspicious_binaries/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_detecting_suspicious_binaries/data/playbooks/configuration.yaml @@ -1,5 +1,5 @@ - name: Configure environment - hosts: "{{ inventory_hostname }}" + hosts: wazuh-manager become: true tasks: diff --git a/tests/end_to_end/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml b/tests/end_to_end/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml index f3c4f047ac..ede64103d2 100644 --- a/tests/end_to_end/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml @@ -1,5 +1,5 @@ - name: Generate events - hosts: "{{ inventory_hostname }}" + hosts: wazuh-manager become: true tasks: diff --git a/tests/end_to_end/test_detecting_suspicious_binaries/data/playbooks/teardown_playbook.yaml b/tests/end_to_end/test_detecting_suspicious_binaries/data/playbooks/teardown_playbook.yaml index e4fa423d7f..3fccb59588 100644 --- a/tests/end_to_end/test_detecting_suspicious_binaries/data/playbooks/teardown_playbook.yaml +++ b/tests/end_to_end/test_detecting_suspicious_binaries/data/playbooks/teardown_playbook.yaml @@ -1,5 +1,5 @@ - name: Cleanup environment - hosts: "{{ inventory_hostname }}" + hosts: wazuh-manager become: true tasks: diff --git a/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py b/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py index 9d9f201b06..bafaa54c48 100644 --- a/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py 
+++ b/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py @@ -74,9 +74,7 @@ def test_detecting_suspicious_binaries(configure_environment, metadata, get_dash sleep(fw.T_5) # Get indexed alert - # current_hostname is defined in conftest (configure_environment) - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials, - ip_address=current_hostname) + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) indexed_alert = json.dumps(response.json()) # Check that the alert data is the expected one From 2a39a9f7431cf0674e030a9e7e76fac7f5ddf139 Mon Sep 17 00:00:00 2001 From: Julia Date: Fri, 8 Jul 2022 13:18:01 +0200 Subject: [PATCH 159/552] fix: Get Netcat alert by timestamp --- tests/end_to_end/test_netcat/test_netcat.py | 31 +++++++++------------ 1 file changed, 13 insertions(+), 18 deletions(-) diff --git a/tests/end_to_end/test_netcat/test_netcat.py b/tests/end_to_end/test_netcat/test_netcat.py index 4bbb4c6804..7a5497269f 100644 --- a/tests/end_to_end/test_netcat/test_netcat.py +++ b/tests/end_to_end/test_netcat/test_netcat.py @@ -2,10 +2,8 @@ import json import re import pytest -from datetime import datetime from tempfile import gettempdir -from wazuh_testing.tools.time import parse_date_time_format from wazuh_testing.tools import configuration as config from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm 
@@ -37,19 +35,23 @@ def test_audit(configure_environment, metadata, get_dashboard_credentials, gener fr'.*"id": "{rule_id}".*' \ r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' - query = e2e.make_query([ - { - "term": { - "rule.id": f"{rule_id}" - } - } - ]) - # Check that alert has been raised and save timestamp raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, error_message='The alert has not occurred').result() raised_alert_timestamp = raised_alert.group(1) - raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') + + query = e2e.make_query([ + { + "term": { + "rule.id": f"{rule_id}" + } + }, + { + "term": { + "timestamp": f"{raised_alert_timestamp}" + } + } + ]) # Get indexed alert response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) @@ -58,10 +60,3 @@ def test_audit(configure_environment, metadata, get_dashboard_credentials, gener # Check that the alert data is the expected one alert_data = re.search(expected_indexed_alert, indexed_alert) assert alert_data is not None, 'Alert triggered, but not indexed' - - # Get indexed alert timestamp - indexed_alert_timestamp = alert_data.group(1) - indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), '%Y-%m-%d %H:%M:%S') - - # Check that alert has been indexed (checking that the timestamp is the expected one) - assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' From 40e19faf999451982cd1062431ef281e04ac9e70 Mon Sep 17 00:00:00 2001 From: Julia Date: Fri, 8 Jul 2022 13:18:46 +0200 Subject: [PATCH 160/552] fix: Get osquery alert by timestamp --- .../test_osquery_integration.py | 30 +++++++------------ 1 file changed, 10 insertions(+), 20 deletions(-) 
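Review bot: The function on this hunk is named `test_audit` although the module is test_netcat.py (test_sql_injection.py in PATCH 162 carries the same name), which reads as a copy-paste leftover and makes failures harder to place in reports; `def test_netcat(...)` would match the module. The new `"timestamp": f"{raised_alert_timestamp}"` term narrows the indexer query to the exact alert, a clear improvement over the post-hoc datetime comparison, but it presumably relies on the index mapping `timestamp` as a date that accepts the `+0000`-style offset captured from alerts.json; if that ever differs, the term query returns nothing and the message `'Alert triggered, but not indexed'` would be misleading, so a comment recording that assumption next to the query would help. The function starts outside the hunk.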
diff --git a/tests/end_to_end/test_osquery_integration/test_osquery_integration.py b/tests/end_to_end/test_osquery_integration/test_osquery_integration.py index 543c3e00bb..edbf8f7e76 100644 --- a/tests/end_to_end/test_osquery_integration/test_osquery_integration.py +++ b/tests/end_to_end/test_osquery_integration/test_osquery_integration.py @@ -2,12 +2,8 @@ import json import re import pytest -from datetime import datetime from tempfile import gettempdir -from time import sleep -import wazuh_testing as fw -from wazuh_testing.tools.time import parse_date_time_format from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config @@ -40,6 +36,11 @@ def test_osquery_integration(configure_environment, metadata, get_dashboard_cred fr"\"description\": \"{rule_description}\".+\"id\": \"{rule_id}\"" \ r'.+timestamp\": \"(.+)\"},.+' + # Check that alert has been raised and save timestamp + raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + error_message='The alert has not occurred').result() + raised_alert_timestamp = raised_alert.group(1) + query = e2e.make_query([ { "term": { 
@@ -50,18 +51,14 @@ def test_osquery_integration(configure_environment, metadata, get_dashboard_cred "term": { "data.osquery.name": f"{osquery_name}" } + }, + { + "term": { + "timestamp": f"{raised_alert_timestamp }" + } } ]) - # Check that alert has been raised and save timestamp - raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - error_message='The alert has not occurred').result() - raised_alert_timestamp = raised_alert.group(1) - raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') - - # Wait a few seconds for the alert to be indexed (alert.json -> filebeat -> wazuh-indexer) - sleep(fw.T_10) - # Get indexed alert response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) indexed_alert = json.dumps(response.json()) @@ -69,10 +66,3 @@ def test_osquery_integration(configure_environment, metadata, get_dashboard_cred # Check that the alert data is the expected one alert_data = re.search(expected_indexed_alert, indexed_alert) assert alert_data is not None, 'Alert triggered, but not indexed' - - # Get indexed alert timestamp - indexed_alert_timestamp = alert_data.group(1) - indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), '%Y-%m-%d %H:%M:%S') - - # Check that alert has been indexed (checking that the timestamp is the expected one) - assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' From 33538e671c1024ec7626fe1c04a843eb0786b33e Mon Sep 17 00:00:00 2001 From: Julia Date: Fri, 8 Jul 2022 13:19:28 +0200 Subject: [PATCH 161/552] fix: Get shellshock alert by timestamp --- .../test_shellshock_attack_detection.py | 30 +++++++------------ 1 file changed, 10 insertions(+), 20 deletions(-) 
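Review bot: `sleep(fw.T_10)` and its comment about waiting for alerts.json -> filebeat -> wazuh-indexer are removed but nothing replaces the wait: `evm.check_event` only proves the alert reached alerts.json, and the indexer query on the following line still runs against an asynchronous pipeline, so the `assert alert_data is not None` check can fail intermittently on a slow host unless `e2e.get_alert_indexer_api` itself retries, which is not visible here. If the intent is to rely on the timestamp-filtered query instead, the query should be retried until it returns a hit or a deadline passes, or the original sleep restored with its comment. The same removal appears in the shellshock, sql_injection and both virustotal hunks of PATCHes 161–163. Separately, `f"{raised_alert_timestamp }"` carries a stray space inside the braces; harmless in an f-string, but it should read `f"{raised_alert_timestamp}"` like the other modules.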
diff --git a/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py b/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py index 711dba988c..b5f0cf8952 100644 --- a/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py +++ b/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py @@ -2,12 +2,8 @@ import json import re import pytest -from datetime import datetime from tempfile import gettempdir -from time import sleep -import wazuh_testing as fw -from wazuh_testing.tools.time import parse_date_time_format from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config @@ -37,6 +33,11 @@ def test_shellshock_attack_detection(configure_environment, metadata, get_dashbo fr".+\"id\": \"{rule_id}\".+timestamp\": \"(.+)\"" \ r'},.+' + # Check that alert has been raised and save timestamp + raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + error_message='The alert has not occurred').result() + raised_alert_timestamp = raised_alert.group(1) + query = e2e.make_query([ { "term": { 
@@ -47,18 +48,14 @@ def test_shellshock_attack_detection(configure_environment, metadata, get_dashbo "term": { "rule.level": f"{rule_level}" } + }, + { + "term": { + "timestamp": f"{raised_alert_timestamp}" + } } ]) - # Check that alert has been raised and save timestamp - raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - error_message='The alert has not occurred').result() - raised_alert_timestamp = raised_alert.group(1) - raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') - - # Wait a few seconds for the alert to be indexed (alert.json -> filebeat -> wazuh-indexer) - sleep(fw.T_5) - # Get indexed alert response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) indexed_alert = json.dumps(response.json()) @@ -66,10 +63,3 @@ def test_shellshock_attack_detection(configure_environment, metadata, get_dashbo # Check that the alert data is the expected one alert_data = re.search(expected_indexed_alert, indexed_alert) assert alert_data is not None, 'Alert triggered, but not indexed' - - # Get indexed alert timestamp - indexed_alert_timestamp = alert_data.group(1) - indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), '%Y-%m-%d %H:%M:%S') - - # Check that alert has been indexed (checking that the timestamp is the expected one) - assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' From 7cfa97e390f32a907084bf78a858fa6076a9b881 Mon Sep 17 00:00:00 2001 From: Julia Date: Fri, 8 Jul 2022 13:19:48 +0200 Subject: [PATCH 162/552] fix: Get SQL injection alert by timestamp --- .../test_sql_injection/test_sql_injection.py | 30 +++++++------------ 1 file changed, 10 insertions(+), 20 deletions(-) diff --git a/tests/end_to_end/test_sql_injection/test_sql_injection.py b/tests/end_to_end/test_sql_injection/test_sql_injection.py index 5b7d1b813b..3246a9d81c 100644 
--- a/tests/end_to_end/test_sql_injection/test_sql_injection.py +++ b/tests/end_to_end/test_sql_injection/test_sql_injection.py @@ -2,11 +2,8 @@ import json import re import pytest -from datetime import datetime from tempfile import gettempdir -from time import sleep -from wazuh_testing.tools.time import parse_date_time_format from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config @@ -17,7 +14,6 @@ test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_sql_injection.yaml') configuration_playbooks = ['configuration.yaml'] events_playbooks = ['generate_events.yaml'] -wait_indexed_alert = 5 configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) 
@@ -40,24 +36,25 @@ def test_audit(configure_environment, metadata, get_dashboard_credentials, gener fr'.*"mitre":.*"{rule_mitre_technique}".*"id": "{rule_id}".*'\ r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' + # Check that alert has been raised and save timestamp + raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + error_message='The alert has not occurred').result() + raised_alert_timestamp = raised_alert.group(1) + query = e2e.make_query([ { "term": { "rule.id": f"{rule_id}" } + }, + { + "term": { + "timestamp": f"{raised_alert_timestamp}" + } } ]) - # Check that alert has been raised and save timestamp - raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - error_message='The alert has not occurred').result() - raised_alert_timestamp = raised_alert.group(1) - raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') - - # Wait a few seconds for the alert to be indexed (alert.json -> filebeat -> wazuh-indexer) - sleep(wait_indexed_alert) - # Get indexed alert response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) indexed_alert = json.dumps(response.json()) @@ -65,10 +62,3 @@ def test_audit(configure_environment, metadata, get_dashboard_credentials, gener # Check that the alert data is the expected one alert_data = re.search(expected_indexed_alert, indexed_alert) assert alert_data is not None, 'Alert triggered, but not indexed' - - # Get indexed alert timestamp - indexed_alert_timestamp = alert_data.group(1) - indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), '%Y-%m-%d %H:%M:%S') - - # Check that alert has been indexed (checking that the timestamp is the expected one) - assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' From 654d039018ffaf49421dc8189a9b4938faf58fa8 Mon Sep 17 00:00:00 2001 
From: Julia Date: Fri, 8 Jul 2022 13:25:44 +0200 Subject: [PATCH 163/552] fix: Get Virustotal alerts by timestamp --- .../test_virustotal_active_response.py | 38 +++++++------------ .../test_virustotal_fim.py | 35 ++++++----------- 2 files changed, 25 insertions(+), 48 deletions(-) diff --git a/tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py b/tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py index 053ba75af8..b5dbb154ff 100644 --- a/tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py +++ b/tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py @@ -2,11 +2,8 @@ import json import re import pytest -from datetime import datetime from tempfile import gettempdir -from time import sleep -from wazuh_testing.tools.time import parse_date_time_format from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config @@ -16,12 +13,10 @@ test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_virustotal.yaml') configuration_playbooks = ['configuration.yaml'] +events_playbooks = ['generate_events.yaml'] remove_threat_file_path = os.path.join(test_data_path, 'active_response_script', 'remove-threat.sh') configuration_extra_vars = {'active_response_script': remove_threat_file_path} -events_playbooks = ['generate_events.yaml'] -wait_indexed_alert = 5 - configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) 
@@ -44,23 +39,23 @@ def test_virustotal(configure_environment, metadata, get_dashboard_credentials, fr'.*"description": "{rule_description}"' \ r'.*"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' - query = e2e.make_query([ - - { - "term": { - "rule.id": f"{rule_id}" - } - } - ]) - # Check that alert has been raised and save timestamp raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, error_message='The alert has not occurred').result() raised_alert_timestamp = raised_alert.group(1) - raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') - # Wait a few seconds for the alert to be indexed (alert.json -> filebeat -> wazuh-indexer) - sleep(wait_indexed_alert) + query = e2e.make_query([ + { + "term": { + "rule.id": f"{rule_id}" + } + }, + { + "term": { + "timestamp": f"{raised_alert_timestamp}" + } + }, + ]) # Get indexed alert response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) @@ -69,10 +64,3 @@ def test_virustotal(configure_environment, metadata, get_dashboard_credentials, # Check that the alert data is the expected one alert_data = re.search(expected_indexed_alert, indexed_alert) assert alert_data is not None, 'Alert triggered, but not indexed' - - # Get indexed alert timestamp - indexed_alert_timestamp = alert_data.group(1) - indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), '%Y-%m-%d %H:%M:%S') - - # Check that alert has been indexed (checking that the timestamp is the expected one) - assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' diff --git a/tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py b/tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py index 75cf8a4799..4839eca407 100644 --- a/tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py 
+++ b/tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py @@ -2,11 +2,8 @@ import json import re import pytest -from datetime import datetime from tempfile import gettempdir -from time import sleep -from wazuh_testing.tools.time import parse_date_time_format from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config @@ -18,7 +15,6 @@ test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_virustotal.yaml') configuration_playbooks = ['configuration.yaml'] events_playbooks = ['generate_events.yaml'] -wait_indexed_alert = 5 configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) @@ -39,23 +35,23 @@ def test_virustotal(configure_environment, metadata, get_dashboard_credentials, expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \ r'.*"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' - query = e2e.make_query([ - - { - "term": { - "rule.id": f"{rule_id}" - } - } - ]) - # Check that alert has been raised and save timestamp raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, error_message='The alert has not occurred').result() raised_alert_timestamp = raised_alert.group(1) - raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') - # Wait a few seconds for the alert to be indexed (alert.json -> filebeat -> wazuh-indexer) - sleep(wait_indexed_alert) + query = e2e.make_query([ + { + "term": { + "rule.id": f"{rule_id}" + } + }, + { + "term": { + "timestamp": f"{raised_alert_timestamp}" + } + } + ]) # Get indexed alert response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) 
@@ -64,10 +60,3 @@ def test_virustotal(configure_environment, metadata, get_dashboard_credentials, # Check that the alert data is the expected one alert_data = re.search(expected_indexed_alert, indexed_alert) assert alert_data is not None, 'Alert triggered, but not indexed' - - # Get indexed alert timestamp - indexed_alert_timestamp = alert_data.group(1) - indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), '%Y-%m-%d %H:%M:%S') - - # Check that alert has been indexed (checking that the timestamp is the expected one) - assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' From d48e39518cfa34dbe84fd8a2fbb254fb32006ae4 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Fri, 8 Jul 2022 09:59:36 -0300 Subject: [PATCH 164/552] fix(teardown): teardown moved to the clean_environment fixture. #3035 --- tests/end_to_end/conftest.py | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index e5e8ecca4a..f039ee4401 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py 
@@ -14,15 +14,29 @@ @pytest.fixture(scope='function') -def clean_environment(get_dashboard_credentials): +def clean_environment(get_dashboard_credentials, request, metadata): """Remove the temporary file that contains the alerts and delete indices using the API. Args: credentials (dict): wazuh-indexer credentials. + request (fixture): Provide information on the executing test function. + metadata (dict): Dictionary with test case metadata. """ yield remove_file(alerts_json) e2e.delete_index_api(credentials=get_dashboard_credentials) + inventory_playbook = request.config.getoption('--inventory_path') + + # Execute each playbook for the teardown + for playbook in getattr(request.module, 'teardown_playbook'): + teardown_playbook_path = os.path.join(getattr(request.module, 'test_data_path'), 'playbooks', playbook) + + parameters = {'playbook': teardown_playbook_path, 'inventory': inventory_playbook} + # Check if the test case has extra variables to pass to the playbook and add them to the parameters in that case + if 'extra_vars' in metadata: + parameters.update({'extravars': metadata['extra_vars']}) + + ansible_runner.run(**parameters) @pytest.fixture(scope='module') @@ -98,20 +112,6 @@ def generate_events(request, metadata): ansible_runner.run(**parameters) - yield - inventory_playbook = request.config.getoption('--inventory_path') - - # Execute each playbook for the teardown - for playbook in getattr(request.module, 'teardown_playbook'): - teardown_playbook_path = os.path.join(getattr(request.module, 'test_data_path'), 'playbooks', playbook) - - parameters = {'playbook': teardown_playbook_path, 'inventory': inventory_playbook} - # Check if the test case has extra variables to pass to the playbook and add them to the parameters in that case - if 'extra_vars' in metadata: - parameters.update({'extravars': metadata['extra_vars']}) - - ansible_runner.run(**parameters) - def pytest_addoption(parser): parser.addoption( 
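Review bot: `getattr(request.module, 'teardown_playbook')` in the new teardown has no default, so every test module that does not define `teardown_playbook` (the virustotal tests in this series declare only `configuration_playbooks` and `events_playbooks`) will now raise AttributeError inside `clean_environment`'s teardown and be reported as an error. The playbooks also run only if `remove_file` and `e2e.delete_index_api` succeed, and `ansible_runner.run(**parameters)` is called without looking at its result, so a failed teardown leaves the manager configured while the test still passes. Default the lookup to an empty list, move the loop into a `finally`, and fail on a non-zero `rc` (ansible_runner's result exposes `rc` and `status`); `clean_environment` is fully contained in this hunk.
```python
    yield
    try:
        remove_file(alerts_json)
        e2e.delete_index_api(credentials=get_dashboard_credentials)
    finally:
        # Run the teardown playbooks even if the API cleanup failed; modules
        # that declare none simply skip this loop.
        inventory_playbook = request.config.getoption('--inventory_path')
        for playbook in getattr(request.module, 'teardown_playbook', []):
            # … unchanged: build teardown_playbook_path and parameters, add extra_vars …
            result = ansible_runner.run(**parameters)
            assert result.rc == 0, f"Teardown playbook {playbook} failed (status={result.status})"
```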
From 52a9954a92acb7f72957e2c4ab27b86d09584427 Mon Sep 17 00:00:00 2001 From: Julia Date: Fri, 8 Jul 2022 15:56:29 +0200 Subject: [PATCH 165/552] fix: Get alert by timestamp --- .../test_detecting_suspicious_binaries.py | 32 +++++++------------ 1 file changed, 11 insertions(+), 21 deletions(-) diff --git a/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py b/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py index bafaa54c48..89f7604d52 100644 --- a/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py +++ b/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py @@ -2,12 +2,8 @@ import json import re import pytest -from datetime import datetime from tempfile import gettempdir -from time import sleep -import wazuh_testing as fw -from wazuh_testing.tools.time import parse_date_time_format from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config @@ -22,8 +18,8 @@ # Playbooks configuration_playbooks = ['configuration.yaml'] events_playbooks = ['generate_events.yaml'] -configuration_extra_vars = {'trojan_script_path': trojan_script_path} teardown_playbook = ['teardown_playbook.yaml'] +configuration_extra_vars = {'trojan_script_path': trojan_script_path} # Configuration configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) 
@@ -46,6 +42,11 @@ def test_detecting_suspicious_binaries(configure_environment, metadata, get_dash expected_indexed_alert = fr".+file.+{data_file}.+title.+{data_title}.+level.+{rule_level}.+" \ fr"description.+{rule_description}.+id.+{rule_id}.+timestamp\": \"({timestamp_regex})\"" + # Check that alert has been raised and save timestamp + raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + error_message='The alert has not occurred').result() + raised_alert_timestamp = raised_alert.group(1) + query = e2e.make_query([ { "term": { @@ -61,18 +62,14 @@ def test_detecting_suspicious_binaries(configure_environment, metadata, get_dash "term": { "data.title": f"{data_title}" } + }, + { + "term": { + "timestamp": f"{raised_alert_timestamp}" + } } ]) - # Check that alert has been raised and save timestamp - raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - error_message='The alert has not occurred').result() - raised_alert_timestamp = raised_alert.group(1) - raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') - - # Wait a few seconds for the alert to be indexed (alert.json -> filebeat -> wazuh-indexer) - sleep(fw.T_5) - # Get indexed alert response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) indexed_alert = json.dumps(response.json()) 
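Review bot: The `sleep(fw.T_5)` removed here was the only thing standing between `evm.check_event(...)` seeing the alert in alerts.json and the `e2e.get_alert_indexer_api(query=query, ...)` call, and nothing in this hunk waits for filebeat to ship the document, so an empty response is now a plausible outcome on a slower manager. Since the virustotal tests in this series need the identical wait, put a deadline-bounded retry in one place (inside `get_alert_indexer_api`, or a small `e2e.wait_for_indexed_alert(query, credentials, timeout)`) instead of reintroducing a sleep per test. `test_detecting_suspicious_binaries` starts before this hunk and continues after it.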
@@ -80,10 +77,3 @@ def test_detecting_suspicious_binaries(configure_environment, metadata, get_dash # Check that the alert data is the expected one alert_data = re.search(expected_indexed_alert, indexed_alert) assert alert_data is not None, 'Alert triggered, but not indexed' - - # Get indexed alert timestamp - indexed_alert_timestamp = alert_data.group(1) - indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), '%Y-%m-%d %H:%M:%S') - - # Check that alert has been indexed (checking that the timestamp is the expected one) - assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' From fbb3199913f33f165b9f50090fc19c627a941ef2 Mon Sep 17 00:00:00 2001 From: Julia Date: Fri, 8 Jul 2022 16:00:04 +0200 Subject: [PATCH 166/552] fix: Rename teardown playbook --- .../data/playbooks/{teardown_playbook.yaml => teardown.yaml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename tests/end_to_end/test_detecting_suspicious_binaries/data/playbooks/{teardown_playbook.yaml => teardown.yaml} (100%) diff --git a/tests/end_to_end/test_detecting_suspicious_binaries/data/playbooks/teardown_playbook.yaml b/tests/end_to_end/test_detecting_suspicious_binaries/data/playbooks/teardown.yaml similarity index 100% rename from tests/end_to_end/test_detecting_suspicious_binaries/data/playbooks/teardown_playbook.yaml rename to tests/end_to_end/test_detecting_suspicious_binaries/data/playbooks/teardown.yaml From 30c9ae7e7f5b647b6eacc980bb1274fc06d9a077 Mon Sep 17 00:00:00 2001 
From: Luis Gonzalez Date: Mon, 11 Jul 2022 18:27:53 +0200 Subject: [PATCH 167/552] refac: Move playbooks and roles to privisioning folder and hosts rename #3032 --- ansible/playbooks/apache.yml | 27 ------------------- provisioning/playbooks/apache.yml | 14 ++++++++++ .../playbooks/qa_framework.yml | 0 .../roles/apache/tasks/Linux.yml | 0 .../roles/apache/tasks/MacOS.yml | 0 .../roles/apache/tasks/Solaris.yml | 0 .../roles/apache/tasks/Windows.yml | 0 .../roles/apache/tasks/main.yml | 0 .../roles/apache/vars/Debian.yml | 0 .../roles/apache/vars/MacOS.yml | 0 .../roles/apache/vars/RedHat.yml | 0 .../roles/apache/vars/Solaris.yml | 0 .../roles/apache/vars/Windows.yml | 0 .../roles/apache/vars/main.yml | 0 .../roles/qa_framework/defaults/main.yml | 0 .../roles/qa_framework/tasks/Solaris.yml | 0 .../roles/qa_framework/tasks/Unix.yml | 0 .../roles/qa_framework/tasks/Windows.yml | 0 .../roles/qa_framework/tasks/main.yml | 0 .../roles/qa_framework/vars/Solaris.yml | 0 .../roles/qa_framework/vars/Unix.yml | 0 .../roles/qa_framework/vars/Windows.yml | 0 .../roles/qa_framework/vars/macOS.yml | 0 .../roles/qa_framework/vars/main.yml | 0 24 files changed, 14 insertions(+), 27 deletions(-) delete mode 100644 ansible/playbooks/apache.yml create mode 100644 provisioning/playbooks/apache.yml rename {ansible => provisioning}/playbooks/qa_framework.yml (100%) rename {ansible => provisioning}/roles/apache/tasks/Linux.yml (100%) rename {ansible => provisioning}/roles/apache/tasks/MacOS.yml (100%) rename {ansible => provisioning}/roles/apache/tasks/Solaris.yml (100%) rename {ansible => provisioning}/roles/apache/tasks/Windows.yml (100%) rename {ansible => provisioning}/roles/apache/tasks/main.yml (100%) rename {ansible => provisioning}/roles/apache/vars/Debian.yml (100%) rename {ansible => provisioning}/roles/apache/vars/MacOS.yml (100%) rename {ansible => provisioning}/roles/apache/vars/RedHat.yml (100%) rename {ansible => provisioning}/roles/apache/vars/Solaris.yml (100%) rename 
{ansible => provisioning}/roles/apache/vars/Windows.yml (100%) rename {ansible => provisioning}/roles/apache/vars/main.yml (100%) rename {ansible => provisioning}/roles/qa_framework/defaults/main.yml (100%) rename {ansible => provisioning}/roles/qa_framework/tasks/Solaris.yml (100%) rename {ansible => provisioning}/roles/qa_framework/tasks/Unix.yml (100%) rename {ansible => provisioning}/roles/qa_framework/tasks/Windows.yml (100%) rename {ansible => provisioning}/roles/qa_framework/tasks/main.yml (100%) rename {ansible => provisioning}/roles/qa_framework/vars/Solaris.yml (100%) rename {ansible => provisioning}/roles/qa_framework/vars/Unix.yml (100%) rename {ansible => provisioning}/roles/qa_framework/vars/Windows.yml (100%) rename {ansible => provisioning}/roles/qa_framework/vars/macOS.yml (100%) rename {ansible => provisioning}/roles/qa_framework/vars/main.yml (100%) diff --git a/ansible/playbooks/apache.yml b/ansible/playbooks/apache.yml deleted file mode 100644 index d1374c03d0..0000000000 --- a/ansible/playbooks/apache.yml +++ /dev/null @@ -1,27 +0,0 @@ -- hosts: linux solaris - become: yes - become_user: root - roles: - - ../roles/apache - vars: - apache_hosts: - - port: 1514 - protocol: tcp - api_port: 55000 - api_proto: 'http' - api_user: ansible - max_retries: 5 - retry_interval: 5 - -- hosts: windows macos - roles: - - ../roles/apache - vars: - apache_hosts: - - port: 1514 - protocol: tcp - api_port: 55000 - api_proto: 'http' - api_user: ansible - max_retries: 5 - retry_interval: 5 diff --git a/provisioning/playbooks/apache.yml b/provisioning/playbooks/apache.yml new file mode 100644 index 0000000000..a301342046 --- /dev/null +++ b/provisioning/playbooks/apache.yml 
@@ -0,0 +1,14 @@ +- hosts: apache + tasks: + - name: Install apache block + - block: + - name: Install apache server in Linux systems + become: yes + become_user: root + import_role: + name: ../roles/apache + when: ansible_os_family == "Debian" or ansible_os_family == "RedHat" or ansible_os_family == "Solaris" + - name: Install apache server in Windows and macOS hosts + import_role: + name: ../roles/apache + when: ansible_os_family == "Windows" or ansible_os_family == "Darwin" diff --git a/ansible/playbooks/qa_framework.yml b/provisioning/playbooks/qa_framework.yml similarity index 100% rename from ansible/playbooks/qa_framework.yml rename to provisioning/playbooks/qa_framework.yml diff --git a/ansible/roles/apache/tasks/Linux.yml b/provisioning/roles/apache/tasks/Linux.yml similarity index 100% rename from ansible/roles/apache/tasks/Linux.yml rename to provisioning/roles/apache/tasks/Linux.yml diff --git a/ansible/roles/apache/tasks/MacOS.yml b/provisioning/roles/apache/tasks/MacOS.yml similarity index 100% rename from ansible/roles/apache/tasks/MacOS.yml rename to provisioning/roles/apache/tasks/MacOS.yml diff --git a/ansible/roles/apache/tasks/Solaris.yml b/provisioning/roles/apache/tasks/Solaris.yml similarity index 100% rename from ansible/roles/apache/tasks/Solaris.yml rename to provisioning/roles/apache/tasks/Solaris.yml diff --git a/ansible/roles/apache/tasks/Windows.yml b/provisioning/roles/apache/tasks/Windows.yml similarity index 100% rename from ansible/roles/apache/tasks/Windows.yml rename to provisioning/roles/apache/tasks/Windows.yml diff --git a/ansible/roles/apache/tasks/main.yml b/provisioning/roles/apache/tasks/main.yml similarity index 100% rename from ansible/roles/apache/tasks/main.yml rename to provisioning/roles/apache/tasks/main.yml 
diff --git a/ansible/roles/apache/vars/Debian.yml b/provisioning/roles/apache/vars/Debian.yml similarity index 100% rename from ansible/roles/apache/vars/Debian.yml rename to provisioning/roles/apache/vars/Debian.yml diff --git a/ansible/roles/apache/vars/MacOS.yml b/provisioning/roles/apache/vars/MacOS.yml similarity index 100% rename from ansible/roles/apache/vars/MacOS.yml rename to provisioning/roles/apache/vars/MacOS.yml diff --git a/ansible/roles/apache/vars/RedHat.yml b/provisioning/roles/apache/vars/RedHat.yml similarity index 100% rename from ansible/roles/apache/vars/RedHat.yml rename to provisioning/roles/apache/vars/RedHat.yml diff --git a/ansible/roles/apache/vars/Solaris.yml b/provisioning/roles/apache/vars/Solaris.yml similarity index 100% rename from ansible/roles/apache/vars/Solaris.yml rename to provisioning/roles/apache/vars/Solaris.yml diff --git a/ansible/roles/apache/vars/Windows.yml b/provisioning/roles/apache/vars/Windows.yml similarity index 100% rename from ansible/roles/apache/vars/Windows.yml rename to provisioning/roles/apache/vars/Windows.yml diff --git a/ansible/roles/apache/vars/main.yml b/provisioning/roles/apache/vars/main.yml similarity index 100% rename from ansible/roles/apache/vars/main.yml rename to provisioning/roles/apache/vars/main.yml diff --git a/ansible/roles/qa_framework/defaults/main.yml b/provisioning/roles/qa_framework/defaults/main.yml similarity index 100% rename from ansible/roles/qa_framework/defaults/main.yml rename to provisioning/roles/qa_framework/defaults/main.yml diff --git a/ansible/roles/qa_framework/tasks/Solaris.yml b/provisioning/roles/qa_framework/tasks/Solaris.yml similarity index 100% rename from ansible/roles/qa_framework/tasks/Solaris.yml rename to provisioning/roles/qa_framework/tasks/Solaris.yml 
diff --git a/ansible/roles/qa_framework/tasks/Unix.yml b/provisioning/roles/qa_framework/tasks/Unix.yml similarity index 100% rename from ansible/roles/qa_framework/tasks/Unix.yml rename to provisioning/roles/qa_framework/tasks/Unix.yml diff --git a/ansible/roles/qa_framework/tasks/Windows.yml b/provisioning/roles/qa_framework/tasks/Windows.yml similarity index 100% rename from ansible/roles/qa_framework/tasks/Windows.yml rename to provisioning/roles/qa_framework/tasks/Windows.yml diff --git a/ansible/roles/qa_framework/tasks/main.yml b/provisioning/roles/qa_framework/tasks/main.yml similarity index 100% rename from ansible/roles/qa_framework/tasks/main.yml rename to provisioning/roles/qa_framework/tasks/main.yml diff --git a/ansible/roles/qa_framework/vars/Solaris.yml b/provisioning/roles/qa_framework/vars/Solaris.yml similarity index 100% rename from ansible/roles/qa_framework/vars/Solaris.yml rename to provisioning/roles/qa_framework/vars/Solaris.yml diff --git a/ansible/roles/qa_framework/vars/Unix.yml b/provisioning/roles/qa_framework/vars/Unix.yml similarity index 100% rename from ansible/roles/qa_framework/vars/Unix.yml rename to provisioning/roles/qa_framework/vars/Unix.yml diff --git a/ansible/roles/qa_framework/vars/Windows.yml b/provisioning/roles/qa_framework/vars/Windows.yml similarity index 100% rename from ansible/roles/qa_framework/vars/Windows.yml rename to provisioning/roles/qa_framework/vars/Windows.yml diff --git a/ansible/roles/qa_framework/vars/macOS.yml b/provisioning/roles/qa_framework/vars/macOS.yml similarity index 100% rename from ansible/roles/qa_framework/vars/macOS.yml rename to provisioning/roles/qa_framework/vars/macOS.yml diff --git a/ansible/roles/qa_framework/vars/main.yml b/provisioning/roles/qa_framework/vars/main.yml similarity index 100% rename from ansible/roles/qa_framework/vars/main.yml rename to provisioning/roles/qa_framework/vars/main.yml From 5bbeeb60cf2ae257c48f53a20487c8b4921d7cc0 Mon Sep 17 00:00:00 2001 
From: Luis Gonzalez Date: Mon, 11 Jul 2022 18:47:38 +0200 Subject: [PATCH 168/552] fix: Fix block ansible field format #3032 --- provisioning/playbooks/apache.yml | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/provisioning/playbooks/apache.yml b/provisioning/playbooks/apache.yml index a301342046..d3e2ecc322 100644 --- a/provisioning/playbooks/apache.yml +++ b/provisioning/playbooks/apache.yml @@ -1,14 +1,14 @@ - hosts: apache tasks: - name: Install apache block - - block: - - name: Install apache server in Linux systems - become: yes - become_user: root - import_role: - name: ../roles/apache - when: ansible_os_family == "Debian" or ansible_os_family == "RedHat" or ansible_os_family == "Solaris" - - name: Install apache server in Windows and macOS hosts - import_role: - name: ../roles/apache - when: ansible_os_family == "Windows" or ansible_os_family == "Darwin" + block: + - name: Install apache server in Linux systems + become: yes + become_user: root + import_role: + name: ../roles/apache + when: ansible_os_family == "Debian" or ansible_os_family == "RedHat" or ansible_os_family == "Solaris" + - name: Install apache server in Windows and macOS hosts + import_role: + name: ../roles/apache + when: ansible_os_family == "Windows" or ansible_os_family == "Darwin" From 8b773a6c19eacb0bed76e74fc0b144cdfa983037 Mon Sep 17 00:00:00 2001 From: Luis Gonzalez Date: Mon, 11 Jul 2022 18:59:46 +0200 Subject: [PATCH 169/552] rm: Remove older tasks --- provisioning/roles/apache/tasks/MacOS.yml | 10 ---------- provisioning/roles/apache/tasks/Solaris.yml | 7 ------- 2 files changed, 17 deletions(-) diff --git a/provisioning/roles/apache/tasks/MacOS.yml b/provisioning/roles/apache/tasks/MacOS.yml index 8c5f6cbb54..cb611ad60a 100644 --- a/provisioning/roles/apache/tasks/MacOS.yml +++ b/provisioning/roles/apache/tasks/MacOS.yml 
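Review bot: Both branches of the block import the same `../roles/apache` under mutually exclusive `when` clauses, so the static `import_role` pulls every task of the role in twice and one copy is always skipped in the play output; the only difference between the branches is privilege escalation, which can be stated once as `become: "{{ ansible_os_family in ['Debian', 'RedHat', 'Solaris'] }}"` on a single `import_role`. Hosts whose `ansible_os_family` matches none of the five values fall through the block silently; if that is not intended, add a `fail` task guarded by the negated condition.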
@@ -1,17 +1,7 @@ - # - name: Install MacOS package Apache - # become: true - # shell: installer -pkg wazuh-* -target / - # args: - # chdir: /Users/vagrant - - name: Install {{ program }} with brew | MacOS homebrew: name: "{{ program }}" update_homebrew: yes -# - name: Install {{ program }} with brew | MacOS -# become: false -# shell: /usr/local/bin/brew install {{ program }} - - name: Start {{ program }} with brew | MacOS shell: /usr/local/bin/brew services start {{ program }} diff --git a/provisioning/roles/apache/tasks/Solaris.yml b/provisioning/roles/apache/tasks/Solaris.yml index 85ccb2e9d0..d3b94a8696 100644 --- a/provisioning/roles/apache/tasks/Solaris.yml +++ b/provisioning/roles/apache/tasks/Solaris.yml @@ -1,10 +1,3 @@ -# Works on Solaris 11 -# - name: Install solaris wazuh agent custom package -# become: true -# shell: pkg install web/server/{{ program }} -# environment: -# PATH: "/opt/python3/bin/:/usr/sbin:/usr/bin:/usr/sbin/:/opt/csw/gnu/:/usr/sfw/bin/:/opt/csw/bin/" - - name: Install CSWpkgutil become: true shell: pkgadd -d http://get.opencsw.org/now -n From 574e35e3fba471802b4c84488f4d732a46710bdd Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Mon, 11 Jul 2022 14:42:58 -0300 Subject: [PATCH 170/552] add: Test vulnerability detector linux --- .../data/playbooks/configuration.yaml | 88 +++++++++++++++++++ .../data/playbooks/generate_events.yaml | 30 +++++++ .../cases_vulnerability_detector.yaml | 10 +++ .../test_vulnerability_detector.py | 68 ++++++++++++++ 4 files changed, 196 insertions(+) create mode 100644 tests/end_to_end/test_vulnerability_detector/data/playbooks/configuration.yaml create mode 100644 tests/end_to_end/test_vulnerability_detector/data/playbooks/generate_events.yaml create mode 100644 tests/end_to_end/test_vulnerability_detector/data/test_cases/cases_vulnerability_detector.yaml create mode 100644 tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector.py 
diff --git a/tests/end_to_end/test_vulnerability_detector/data/playbooks/configuration.yaml b/tests/end_to_end/test_vulnerability_detector/data/playbooks/configuration.yaml new file mode 100644 index 0000000000..7f23d2fcec --- /dev/null +++ b/tests/end_to_end/test_vulnerability_detector/data/playbooks/configuration.yaml @@ -0,0 +1,88 @@ +- name: Test agent configuration + hosts: wazuh-agent + tasks: + + - name: Enable the agent module to collect installed packages + become: true + blockinfile: + path: /var/ossec/etc/ossec.conf + insertbefore: + block: | + + no + 10s + yes + yes + + marker: + + - name: Restart wazuh-agent + become: true + shell: systemctl restart wazuh-agent + +- name: Test manager configuration + hosts: wazuh-manager + tasks: + + - name: Truncate file ossec.log + shell: echo "" > /var/ossec/logs/ossec.log + become: true + + - name: Enabled vulnerability detector module + become: true + blockinfile: + path: /var/ossec/etc/ossec.conf + insertbefore: + block: | + + yes + 10s + 10s + yes + + + + no + focal + 1h + + + + + no + stretch + buster + 1h + + + + + yes + 8 + 1h + + + + + no + 1h + + + + yes + 2022 + 1h + + + marker: + + - name: Restart wazuh-manager + become: true + shell: systemctl restart wazuh-manager + + - name: Wait until the feeds were downloaded and the first scan was completed + become: true + ansible.builtin.wait_for: + timeout: 900 + path: /var/ossec/logs/ossec.log + search_regex: Vulnerability scan finished. diff --git a/tests/end_to_end/test_vulnerability_detector/data/playbooks/generate_events.yaml b/tests/end_to_end/test_vulnerability_detector/data/playbooks/generate_events.yaml new file mode 100644 index 0000000000..9f2e9e60e3 --- /dev/null +++ b/tests/end_to_end/test_vulnerability_detector/data/playbooks/generate_events.yaml 
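Review bot: `search_regex: Vulnerability scan finished.` is a regular expression, so the trailing `.` is a wildcard rather than a literal period; write `Vulnerability scan finished\.` if the exact log message is meant. The two `blockinfile` edits to `/var/ossec/etc/ossec.conf` (syscollector on the agent, vulnerability detector on the manager) are located only by their `marker`, and the test module that drives this playbook declares no teardown, so both blocks stay in ossec.conf after the run; a `teardown.yaml` like the audit and docker tests have, using the same markers with `block: ''`, would make the environment reusable. Truncating ossec.log with `shell: echo "" > ...` works, but `copy: content: '' dest: /var/ossec/logs/ossec.log` does the same without a shell.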
@@ -0,0 +1,30 @@
+- name: Truncate files
+ hosts: wazuh-manager
+ tasks:
+
+ - name: Truncate file alert.json
+ shell: echo "" > /var/ossec/logs/alerts/alerts.json
+ become: true
+
+- name: Generate events
+ hosts: wazuh-agent
+ tasks:
+
+ - name: "{{ event_description }}"
+ become: true
+ command: "{{ command }}"
+
+ - name: Wait for alert
+ wait_for:
+ timeout: 90
+
+- name: Get logs
+ hosts: wazuh-manager
+ tasks:
+
+ - name: Get alerts.json
+ fetch:
+ src: /var/ossec/logs/alerts/alerts.json
+ dest: /tmp/
+ flat: true
+ become: true
diff --git a/tests/end_to_end/test_vulnerability_detector/data/test_cases/cases_vulnerability_detector.yaml b/tests/end_to_end/test_vulnerability_detector/data/test_cases/cases_vulnerability_detector.yaml
new file mode 100644
index 0000000000..649ab851f1
--- /dev/null
+++ b/tests/end_to_end/test_vulnerability_detector/data/test_cases/cases_vulnerability_detector.yaml
@@ -0,0 +1,10 @@
+- name: vulnerability_detector
+ description: Detect vim vulnerability
+ configuration_parameters: null
+ metadata:
+ extra_vars:
+ event_description: Install vulnerable vim package
+ command: yum install vim-enhanced-2:8.0.1763-16.el8.x86_64 -y
+ rule.id: 23505
+ rule.level: 10
+ rule.description: CVE-2022-1621 affects vim-enhanced
\ No newline at end of file
diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector.py b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector.py
new file mode 100644
index 0000000000..e25656c732
--- /dev/null
+++ b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector.py
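Review bot: `wait_for: timeout: 90` with no `path` or `port` is a fixed 90-second sleep: it never returns early when the alert arrives and never fails when it does not, so a missing alert only surfaces later on the Python side after a long blind wait. Pass the expected rule id in `extra_vars` and move the wait into the `Get logs` play on the manager, e.g. `wait_for: path: /var/ossec/logs/alerts/alerts.json` with `search_regex: '"id":"{{ rule_id }}"'` and `timeout: 90`, which also turns a missing alert into a clear playbook failure. Separately, `fetch` with `flat: true` drops the file at the fixed path `/tmp/alerts.json` on the controller, which the test then reads back via `gettempdir()`; on a shared controller a per-run directory would avoid a predictable path in a world-writable location that another user can pre-create.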
@@ -0,0 +1,68 @@
+import os
+import json
+import re
+import pytest
+from datetime import datetime
+from tempfile import gettempdir
+
+from wazuh_testing.tools.time import parse_date_time_format
+from wazuh_testing.tools import configuration as config
+from wazuh_testing import end_to_end as e2e
+from wazuh_testing import event_monitor as evm
+
+# Test cases data
+alerts_json = os.path.join(gettempdir(), 'alerts.json')
+test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data')
+test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_vulnerability_detector.yaml')
+
+# Playbooks
+configuration_playbooks = ['configuration.yaml']
+events_playbooks = ['generate_events.yaml']
+
+# Configuration
+configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path)
+
+
+@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning')
+@pytest.mark.parametrize('metadata', configuration_metadata)
+def test_vd(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_environment):
+ rule_level = metadata['rule.level']
+ rule_description = metadata['rule.description']
+ rule_id = metadata['rule.id']
+
+ expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{rule_level},' \
+ fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}'
+
+ expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \
+ fr'.*"id": "{rule_id}".*' \
+ r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*'
+
+ query = e2e.make_query([
+ {
+ "term": {
+ "rule.id": f"{rule_id}"
+ }
+ }
+ ])
+
+
+ # Check that alert has been raised and save timestamp
+ raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json,
+ error_message='The alert has not occurred').result()
+ raised_alert_timestamp = raised_alert.group(1)
+ raised_alert_timestamp = 
datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') + + # Get indexed alert + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + indexed_alert = json.dumps(response.json()) + + # Check that the alert data is the expected one + alert_data = re.search(expected_indexed_alert, indexed_alert) + assert alert_data is not None, 'Alert triggered, but not indexed' + + # Get indexed alert timestamp + indexed_alert_timestamp = alert_data.group(1) + indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), '%Y-%m-%d %H:%M:%S') + + # Check that alert has been indexed (checking that the timestamp is the expected one) + assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' From a46cc2e3cca02d85f76a3345cb51bf64cb132e42 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Mon, 11 Jul 2022 17:50:07 -0300 Subject: [PATCH 171/552] add: test vdt to run on Ubuntu 20.04 --- .../data/playbooks/configuration.yaml | 4 ++-- .../data/test_cases/cases_vulnerability_detector.yaml | 5 +++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/tests/end_to_end/test_vulnerability_detector/data/playbooks/configuration.yaml b/tests/end_to_end/test_vulnerability_detector/data/playbooks/configuration.yaml index 7f23d2fcec..3381eace1f 100644 --- a/tests/end_to_end/test_vulnerability_detector/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_vulnerability_detector/data/playbooks/configuration.yaml @@ -42,7 +42,7 @@ - no + yes focal 1h @@ -57,7 +57,7 @@ - yes + no 8 1h diff --git a/tests/end_to_end/test_vulnerability_detector/data/test_cases/cases_vulnerability_detector.yaml b/tests/end_to_end/test_vulnerability_detector/data/test_cases/cases_vulnerability_detector.yaml index 649ab851f1..221520d3e7 100644 --- a/tests/end_to_end/test_vulnerability_detector/data/test_cases/cases_vulnerability_detector.yaml 
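Review bot: This module defines no `teardown_playbook`, but `clean_environment` in conftest.py (earlier in this series) reads it with a bare `getattr(request.module, 'teardown_playbook')`, so the fixture teardown of `test_vd` will raise AttributeError until either the fixture gets a default or this file adds `teardown_playbooks = []` (whichever spelling conftest settles on). The test also re-introduces the pattern the virustotal and suspicious-binaries tests just dropped: it queries the indexer by `rule.id` alone, immediately after `check_event` with no wait, and then compares second-resolution parsed timestamps; adding `{"term": {"timestamp": f"{raised_alert_timestamp}"}}` to the query plus a bounded retry on `get_alert_indexer_api` makes it both precise and less timing-dependent, and lets `datetime`/`parse_date_time_format` go. The `InsecureRequestWarning` filter suggests the indexer call skips TLS verification (not visible here); acceptable in a lab, but a one-line comment saying so would stop the pattern being copied into production tooling.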
+++ b/tests/end_to_end/test_vulnerability_detector/data/test_cases/cases_vulnerability_detector.yaml @@ -4,7 +4,8 @@ metadata: extra_vars: event_description: Install vulnerable vim package - command: yum install vim-enhanced-2:8.0.1763-16.el8.x86_64 -y + command: apt install vim=2:8.1.2269-1ubuntu5.7 + #command: yum install vim-enhanced-2:8.0.1763-16.el8.x86_64 -y rule.id: 23505 rule.level: 10 - rule.description: CVE-2022-1621 affects vim-enhanced \ No newline at end of file + rule.description: CVE-2022-1621 affects vim \ No newline at end of file From 25421513b5954c91ca925541ba4a7e21d59486de Mon Sep 17 00:00:00 2001 From: Julia Date: Tue, 12 Jul 2022 10:43:40 +0200 Subject: [PATCH 172/552] add: Add audit teardown --- .../end_to_end/test_audit/data/playbooks/teardown.yaml | 10 ++++++++++ tests/end_to_end/test_audit/test_audit.py | 1 + 2 files changed, 11 insertions(+) create mode 100644 tests/end_to_end/test_audit/data/playbooks/teardown.yaml diff --git a/tests/end_to_end/test_audit/data/playbooks/teardown.yaml b/tests/end_to_end/test_audit/data/playbooks/teardown.yaml new file mode 100644 index 0000000000..c281d904af --- /dev/null +++ b/tests/end_to_end/test_audit/data/playbooks/teardown.yaml @@ -0,0 +1,10 @@ +--- +- name: Cleanup environment + hosts: wazuh-manager + tasks: + + - name: Delete wazuh audit rules file + become: True + file: + path: /etc/audit/rules.d/wazuh.rules + state: absent diff --git a/tests/end_to_end/test_audit/test_audit.py b/tests/end_to_end/test_audit/test_audit.py index fb874a2851..6b640f5a55 100644 --- a/tests/end_to_end/test_audit/test_audit.py +++ b/tests/end_to_end/test_audit/test_audit.py @@ -14,6 +14,7 @@ test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_audit.yaml') configuration_playbooks = ['configuration.yaml'] events_playbooks = ['generate_events.yaml'] +teardown_playbook = ['teardown.yaml'] configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) 
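Review bot: `command: apt install vim=2:8.1.2269-1ubuntu5.7` has no `-y`, and the `command` module gives apt neither a tty nor stdin, so when the pin means a downgrade or pulls in extra packages apt stops at its confirmation prompt and the task fails instead of installing the vulnerable build; `apt-get install -y --allow-downgrades vim=2:8.1.2269-1ubuntu5.7` is the non-interactive form (apt itself warns that its CLI is not stable for scripts). The commented-out `#command: yum install ...` line is dead text in a data file; if a CentOS variant is wanted, add it as a second test case selected by target OS rather than a line to be swapped by hand.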
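Review bot: Removing `/etc/audit/rules.d/wazuh.rules` only deletes the file; rules the configuration playbook already loaded into the kernel (it appears to load them with auditctl, outside this hunk) stay active until they are flushed or auditd is restarted, so the execve auditing set up for this test persists into whatever runs next on the manager. Add a task ahead of the delete that unloads just this test's rules by their key, `- name: Unload wazuh audit rules` / `become: True` / `command: auditctl -D -k <key used in wazuh.rules>`, or restart auditd after the delete so the rules directory is the source of truth again.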
From 9fd7d5477315ab857c60ebdfbb9eb63f077feaf5 Mon Sep 17 00:00:00 2001 From: Julia Date: Tue, 12 Jul 2022 10:44:00 +0200 Subject: [PATCH 173/552] fix: Change teardown playbook name --- .../test_detecting_suspicious_binaries.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py b/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py index 89f7604d52..5b088c657d 100644 --- a/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py +++ b/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py @@ -18,7 +18,7 @@ # Playbooks configuration_playbooks = ['configuration.yaml'] events_playbooks = ['generate_events.yaml'] -teardown_playbook = ['teardown_playbook.yaml'] +teardown_playbook = ['teardown.yaml'] configuration_extra_vars = {'trojan_script_path': trojan_script_path} # Configuration From 3d493eefa7a36018e24f7d46d613fa1e4a5caa10 Mon Sep 17 00:00:00 2001 From: Julia Date: Tue, 12 Jul 2022 11:18:05 +0200 Subject: [PATCH 174/552] fix: Change teardown_playbook to teardown_playbooks --- tests/end_to_end/conftest.py | 2 +- tests/end_to_end/test_audit/test_audit.py | 2 +- .../test_detecting_suspicious_binaries.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index f039ee4401..26fe0c2431 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py 
@@ -28,7 +28,7 @@ def clean_environment(get_dashboard_credentials, request, metadata): inventory_playbook = request.config.getoption('--inventory_path') # Execute each playbook for the teardown - for playbook in getattr(request.module, 'teardown_playbook'): + for playbook in getattr(request.module, 'teardown_playbooks'): teardown_playbook_path = os.path.join(getattr(request.module, 'test_data_path'), 'playbooks', playbook) parameters = {'playbook': teardown_playbook_path, 'inventory': inventory_playbook} diff --git a/tests/end_to_end/test_audit/test_audit.py b/tests/end_to_end/test_audit/test_audit.py index 6b640f5a55..69dc45ab22 100644 --- a/tests/end_to_end/test_audit/test_audit.py +++ b/tests/end_to_end/test_audit/test_audit.py @@ -14,7 +14,7 @@ test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_audit.yaml') configuration_playbooks = ['configuration.yaml'] events_playbooks = ['generate_events.yaml'] -teardown_playbook = ['teardown.yaml'] +teardown_playbooks = ['teardown.yaml'] configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) diff --git a/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py b/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py index 5b088c657d..7c3cc61247 100644 --- a/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py +++ b/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py @@ -18,7 +18,7 @@ # Playbooks configuration_playbooks = ['configuration.yaml'] events_playbooks = ['generate_events.yaml'] -teardown_playbook = ['teardown.yaml'] +teardown_playbooks = ['teardown.yaml'] configuration_extra_vars = {'trojan_script_path': trojan_script_path} # Configuration From e0bad118b41a997e186fea754c248c54195bcf11 Mon Sep 17 00:00:00 2001 
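Review bot: `getattr(request.module, 'teardown_playbooks')` still has no default, so a test module that does not define the renamed attribute fails with an AttributeError inside fixture teardown instead of simply skipping cleanup; this series adds the attribute one module at a time, so that intermediate state is easy to hit. Use `for playbook in getattr(request.module, 'teardown_playbooks', []):` so modules without teardown playbooks are tolerated. clean_environment continues outside the hunk.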
From: Julia Date: Tue, 12 Jul 2022 11:18:54 +0200 Subject: [PATCH 175/552] add: Add docker teardown --- .../data/playbooks/teardown.yaml | 16 ++++++++++++++++ .../test_docker_monitoring.py | 1 + 2 files changed, 17 insertions(+) create mode 100644 tests/end_to_end/test_docker_monitoring/data/playbooks/teardown.yaml diff --git a/tests/end_to_end/test_docker_monitoring/data/playbooks/teardown.yaml b/tests/end_to_end/test_docker_monitoring/data/playbooks/teardown.yaml new file mode 100644 index 0000000000..d2db0c912f --- /dev/null +++ b/tests/end_to_end/test_docker_monitoring/data/playbooks/teardown.yaml @@ -0,0 +1,16 @@ +--- +- name: Cleanup environment + hosts: wazuh-manager + tasks: + + - name: Delete the docker-listener module configuration + become: True + blockinfile: + path: /var/ossec/etc/ossec.conf + block: '' + marker: + + - name: Restart wazuh-manager + systemd: + state: restarted + name: wazuh-manager diff --git a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py index 0c78773222..fb3a855139 100644 --- a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py +++ b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py @@ -17,6 +17,7 @@ # Playbooks configuration_playbooks = ['configuration.yaml'] events_playbooks = ['generate_events.yaml'] +teardown_playbooks = ['teardown.yaml'] # Configuration configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) From 60ed4a54e770f5948dee61bc5b10e51173d843d1 Mon Sep 17 00:00:00 2001 From: Luis Gonzalez Date: Tue, 12 Jul 2022 13:08:02 +0200 Subject: [PATCH 176/552] refac: Change PATH var declaration #3032 environment has been moved to the include_tasks block --- provisioning/roles/apache/tasks/Solaris.yml | 13 +------------ provisioning/roles/apache/tasks/main.yml | 4 ++++ provisioning/roles/apache/vars/Solaris.yml | 1 + 3 files changed, 6 insertions(+), 12 deletions(-) 
diff --git a/provisioning/roles/apache/tasks/Solaris.yml b/provisioning/roles/apache/tasks/Solaris.yml index d3b94a8696..3a3b4d2631 100644 --- a/provisioning/roles/apache/tasks/Solaris.yml +++ b/provisioning/roles/apache/tasks/Solaris.yml @@ -1,30 +1,19 @@ - name: Install CSWpkgutil become: true shell: pkgadd -d http://get.opencsw.org/now -n - environment: - PATH: "/opt/python3/bin/:/usr/sbin:/usr/bin:/usr/sbin/:/opt/csw/gnu/:/usr/sfw/bin/:/opt/csw/bin/" - name: Fetch new catalog and descriptions become: true - shell: /opt/csw/bin/pkgutil -U - environment: - PATH: "/opt/python3/bin/:/usr/sbin:/usr/bin:/usr/sbin/:/opt/csw/gnu/:/usr/sfw/bin/:/opt/csw/bin/" + shell: /opt/csw/bin/pkgutil -U - name: Install apache2 become: true shell: /opt/csw/bin/pkgutil -y -i apache2 - environment: - PATH: "/opt/python3/bin/:/usr/sbin:/usr/bin:/usr/sbin/:/opt/csw/gnu/:/usr/sfw/bin/:/opt/csw/bin/" - name: List files become: true shell: /usr/sbin/pkgchk -L CSWapache2 - environment: - PATH: "/opt/python3/bin/:/usr/sbin:/usr/bin:/usr/sbin/:/opt/csw/gnu/:/usr/sfw/bin/:/opt/csw/bin/" - name: Enable service become: true shell: svcadm -v enable /network/http:apache2 - environment: - PATH: "/opt/python3/bin/:/usr/sbin:/usr/bin:/usr/sbin/:/opt/csw/gnu/:/usr/sfw/bin/:/opt/csw/bin/" - diff --git a/provisioning/roles/apache/tasks/main.yml b/provisioning/roles/apache/tasks/main.yml index 9fa8bf7f4d..edc473df4a 100644 --- a/provisioning/roles/apache/tasks/main.yml +++ b/provisioning/roles/apache/tasks/main.yml @@ -40,6 +40,10 @@ - name: Include Solaris custom tasks include_tasks: "Solaris.yml" when: ansible_os_family == "Solaris" + args: + apply: + environment: + PATH: "{{ environment_paths }}" # macOS - name: Include MacOS custom tasks diff --git a/provisioning/roles/apache/vars/Solaris.yml b/provisioning/roles/apache/vars/Solaris.yml index 32e0902b98..53e77171bf 100644 --- a/provisioning/roles/apache/vars/Solaris.yml +++ b/provisioning/roles/apache/vars/Solaris.yml 
@@ -1,3 +1,4 @@ program : apache-24 service: apache24 home_dir: /export/home/vagrant +environment_paths: "/opt/python3/bin/:/usr/sbin:/usr/bin:/usr/sbin/:/opt/csw/gnu/:/usr/sfw/bin/:/opt/csw/bin/" From 9b6254585fe95502e36a0a21d7f4504b17e6557c Mon Sep 17 00:00:00 2001 From: Julia Date: Tue, 12 Jul 2022 13:44:00 +0200 Subject: [PATCH 177/552] fix: Restart as root user --- .../test_docker_monitoring/data/playbooks/teardown.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/test_docker_monitoring/data/playbooks/teardown.yaml b/tests/end_to_end/test_docker_monitoring/data/playbooks/teardown.yaml index d2db0c912f..59c8906f9a 100644 --- a/tests/end_to_end/test_docker_monitoring/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_docker_monitoring/data/playbooks/teardown.yaml @@ -1,10 +1,10 @@ --- - name: Cleanup environment hosts: wazuh-manager + become: True tasks: - name: Delete the docker-listener module configuration - become: True blockinfile: path: /var/ossec/etc/ossec.conf block: '' From c15950c78e4e95de7a3982e69fd5a3b377b24007 Mon Sep 17 00:00:00 2001 From: Julia Date: Tue, 12 Jul 2022 13:44:29 +0200 Subject: [PATCH 178/552] add: Add netcat teardown --- .../test_netcat/data/playbooks/teardown.yaml | 32 +++++++++++++++++++ tests/end_to_end/test_netcat/test_netcat.py | 1 + 2 files changed, 33 insertions(+) create mode 100644 tests/end_to_end/test_netcat/data/playbooks/teardown.yaml diff --git a/tests/end_to_end/test_netcat/data/playbooks/teardown.yaml b/tests/end_to_end/test_netcat/data/playbooks/teardown.yaml new file mode 100644 index 0000000000..30dd19616b --- /dev/null +++ b/tests/end_to_end/test_netcat/data/playbooks/teardown.yaml 
@@ -0,0 +1,32 @@ +--- +- name: Cleanup agent environment + hosts: wazuh-agent + become: True + tasks: + + - name: Delete agent configuration + blockinfile: + path: /var/ossec/etc/ossec.conf + block: '' + marker: + + - name: Restart wazuh-agent + systemd: + state: restarted + name: wazuh-agent + +- name: Cleanup manager environment + hosts: wazuh-manager + become: True + tasks: + + - name: Delete added rules + blockinfile: + path: /var/ossec/etc/rules/local_rules.xml + block: '' + marker: + + - name: Restart wazuh-manager + systemd: + state: restarted + name: wazuh-manager diff --git a/tests/end_to_end/test_netcat/test_netcat.py b/tests/end_to_end/test_netcat/test_netcat.py index 7a5497269f..b960fa482b 100644 --- a/tests/end_to_end/test_netcat/test_netcat.py +++ b/tests/end_to_end/test_netcat/test_netcat.py @@ -16,6 +16,7 @@ # Playbooks configuration_playbooks = ['configuration.yaml'] events_playbooks = ['generate_events.yaml'] +teardown_playbooks = ['teardown.yaml'] # Configuration configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) From 2860df0e7c9b4597e484d5c89cdb162982df61d5 Mon Sep 17 00:00:00 2001 From: Julia Date: Tue, 12 Jul 2022 14:03:08 +0200 Subject: [PATCH 179/552] add: Add osquery teardown --- .../data/playbooks/teardown.yaml | 30 +++++++++++++++++++ .../test_osquery_integration.py | 1 + 2 files changed, 31 insertions(+) create mode 100644 tests/end_to_end/test_osquery_integration/data/playbooks/teardown.yaml diff --git a/tests/end_to_end/test_osquery_integration/data/playbooks/teardown.yaml b/tests/end_to_end/test_osquery_integration/data/playbooks/teardown.yaml new file mode 100644 index 0000000000..71d1aab929 --- /dev/null +++ b/tests/end_to_end/test_osquery_integration/data/playbooks/teardown.yaml 
@@ -0,0 +1,30 @@ +--- +- name: Cleanup manager environment + hosts: wazuh-manager + become: True + tasks: + + - name: Delete Osquery configuration file + file: + path: /etc/osquery/osquery.conf + state: absent + + - name: Delete the Osquery module configuration + blockinfile: + path: /var/ossec/etc/ossec.conf + marker: + block: '' + + - name: Stop Osquery + systemd: + state: stopped + name: osqueryd + + - name: Restart wazuh-manager + systemd: + state: restarted + name: wazuh-manager + + - name: Uninstall stress + shell: yum remove -y stress + when: (ansible_facts['distribution'] == "CentOS" diff --git a/tests/end_to_end/test_osquery_integration/test_osquery_integration.py b/tests/end_to_end/test_osquery_integration/test_osquery_integration.py index edbf8f7e76..d7c4073dcd 100644 --- a/tests/end_to_end/test_osquery_integration/test_osquery_integration.py +++ b/tests/end_to_end/test_osquery_integration/test_osquery_integration.py @@ -16,6 +16,7 @@ configuration_playbooks = ['configuration.yaml'] configuration_extra_vars = {'configuration_file': osquery_configuration_file_path} events_playbooks = ['generate_events.yaml'] +teardown_playbooks = ['teardown.yaml'] configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) From e2332d22ccb7c3df628784137e19fc840a27ca32 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Tue, 12 Jul 2022 11:08:05 -0300 Subject: [PATCH 180/552] fix: deleted timeout --- .../data/playbooks/configuration.yaml | 1 - .../data/playbooks/generate_events.yaml | 2 +- .../data/test_cases/cases_vulnerability_detector.yaml | 1 - 3 files changed, 1 insertion(+), 3 deletions(-) diff --git a/tests/end_to_end/test_vulnerability_detector/data/playbooks/configuration.yaml b/tests/end_to_end/test_vulnerability_detector/data/playbooks/configuration.yaml index 3381eace1f..5addaee3c0 100644 --- a/tests/end_to_end/test_vulnerability_detector/data/playbooks/configuration.yaml 
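Review bot: The condition on the last task, `when: (ansible_facts['distribution'] == "CentOS"`, appears to have an unbalanced opening parenthesis, so the expression fails to template and the whole teardown play errors on that task instead of conditionally skipping it. Write it as `when: ansible_facts['distribution'] == "CentOS"`. The `shell: yum remove -y stress` above it would also be better expressed with the package module (`yum:` with `name: stress` and `state: absent`), which is idempotent and reports changes correctly.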
+++ b/tests/end_to_end/test_vulnerability_detector/data/playbooks/configuration.yaml @@ -83,6 +83,5 @@ - name: Wait until the feeds were downloaded and the first scan was completed become: true ansible.builtin.wait_for: - timeout: 900 path: /var/ossec/logs/ossec.log search_regex: Vulnerability scan finished. diff --git a/tests/end_to_end/test_vulnerability_detector/data/playbooks/generate_events.yaml b/tests/end_to_end/test_vulnerability_detector/data/playbooks/generate_events.yaml index 9f2e9e60e3..09bd5dcf2d 100644 --- a/tests/end_to_end/test_vulnerability_detector/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_vulnerability_detector/data/playbooks/generate_events.yaml @@ -16,7 +16,7 @@ - name: Wait for alert wait_for: - timeout: 90 + timeout: 60 - name: Get logs hosts: wazuh-manager diff --git a/tests/end_to_end/test_vulnerability_detector/data/test_cases/cases_vulnerability_detector.yaml b/tests/end_to_end/test_vulnerability_detector/data/test_cases/cases_vulnerability_detector.yaml index 221520d3e7..472de5b6b1 100644 --- a/tests/end_to_end/test_vulnerability_detector/data/test_cases/cases_vulnerability_detector.yaml +++ b/tests/end_to_end/test_vulnerability_detector/data/test_cases/cases_vulnerability_detector.yaml @@ -5,7 +5,6 @@ extra_vars: event_description: Install vulnerable vim package command: apt install vim=2:8.1.2269-1ubuntu5.7 - #command: yum install vim-enhanced-2:8.0.1763-16.el8.x86_64 -y rule.id: 23505 rule.level: 10 rule.description: CVE-2022-1621 affects vim \ No newline at end of file From 779411fdec2f69d67c52d5e68b54d16068c66320 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Tue, 12 Jul 2022 11:12:49 -0300 Subject: [PATCH 181/552] fix: rename test and added comment --- .../data/test_cases/cases_vulnerability_detector.yaml | 2 +- .../test_vulnerability_detector.py | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-) 
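Review bot: Dropping `timeout: 900` from the `ansible.builtin.wait_for` task does not make the wait unbounded; wait_for falls back to its default of 300 seconds, so the feed download and first scan now get a third of the time they had before and the play will fail with a timeout on slow hosts. If the intent is to allow a longer wait, keep an explicit `timeout:` with the desired bound so the limit is visible in the playbook rather than implied by a module default.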
diff --git a/tests/end_to_end/test_vulnerability_detector/data/test_cases/cases_vulnerability_detector.yaml b/tests/end_to_end/test_vulnerability_detector/data/test_cases/cases_vulnerability_detector.yaml index 472de5b6b1..d3a0265d4d 100644 --- a/tests/end_to_end/test_vulnerability_detector/data/test_cases/cases_vulnerability_detector.yaml +++ b/tests/end_to_end/test_vulnerability_detector/data/test_cases/cases_vulnerability_detector.yaml @@ -7,4 +7,4 @@ command: apt install vim=2:8.1.2269-1ubuntu5.7 rule.id: 23505 rule.level: 10 - rule.description: CVE-2022-1621 affects vim \ No newline at end of file + rule.description: CVE-2022-1621 affects vim diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector.py b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector.py index e25656c732..83c36055dc 100644 --- a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector.py +++ b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector.py @@ -25,7 +25,10 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata) -def test_vd(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_environment): +def test_vulnerability_detector(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_environment): + """ + Test to detect a vulnerability (Ubuntu 20.04) + """ rule_level = metadata['rule.level'] rule_description = metadata['rule.description'] rule_id = metadata['rule.id'] From a76e7077453a2d5b8e80816e4e28c59e139d58fd Mon Sep 17 00:00:00 2001 
From: Julia Date: Tue, 12 Jul 2022 16:15:17 +0200 Subject: [PATCH 182/552] add: Add shellshock teardown --- .../data/playbooks/teardown.yaml | 16 ++++++++++++++++ .../test_shellshock_attack_detection.py | 1 + 2 files changed, 17 insertions(+) create mode 100644 tests/end_to_end/test_shellshock_attack_detection/data/playbooks/teardown.yaml diff --git a/tests/end_to_end/test_shellshock_attack_detection/data/playbooks/teardown.yaml b/tests/end_to_end/test_shellshock_attack_detection/data/playbooks/teardown.yaml new file mode 100644 index 0000000000..41cc05337c --- /dev/null +++ b/tests/end_to_end/test_shellshock_attack_detection/data/playbooks/teardown.yaml @@ -0,0 +1,16 @@ +--- +- name: Cleanup manager environment + hosts: wazuh-manager + become: True + tasks: + + - name: Delete localfile configuration + blockinfile: + path: /var/ossec/etc/ossec.conf + marker: + block: '' + + - name: Restart wazuh-manager + systemd: + state: restarted + name: wazuh-manager diff --git a/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py b/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py index b5f0cf8952..fd6fa87873 100644 --- a/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py +++ b/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py @@ -14,6 +14,7 @@ alerts_json = os.path.join(gettempdir(), 'alerts.json') configuration_playbooks = ['configuration.yaml'] events_playbooks = ['generate_events.yaml'] +teardown_playbooks = ['teardown.yaml'] configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) From 04eff3b853351fd60aa11f6ff166d8dce62188eb Mon Sep 17 00:00:00 2001 
From: Julia Date: Tue, 12 Jul 2022 16:17:25 +0200 Subject: [PATCH 183/552] add: Add SQL injection teardown --- .../data/playbooks/teardown.yaml | 16 ++++++++++++++++ .../test_sql_injection/test_sql_injection.py | 1 + 2 files changed, 17 insertions(+) create mode 100644 tests/end_to_end/test_sql_injection/data/playbooks/teardown.yaml diff --git a/tests/end_to_end/test_sql_injection/data/playbooks/teardown.yaml b/tests/end_to_end/test_sql_injection/data/playbooks/teardown.yaml new file mode 100644 index 0000000000..b22e1ff754 --- /dev/null +++ b/tests/end_to_end/test_sql_injection/data/playbooks/teardown.yaml @@ -0,0 +1,16 @@ +--- +- name: Cleanup agent environment + hosts: wazuh-agent + become: True + tasks: + + - name: Delete localfile configuration + blockinfile: + path: /var/ossec/etc/ossec.conf + marker: + block: '' + + - name: Restart wazuh-agent + systemd: + state: restarted + name: wazuh-agent diff --git a/tests/end_to_end/test_sql_injection/test_sql_injection.py b/tests/end_to_end/test_sql_injection/test_sql_injection.py index 3246a9d81c..ae6fea80c9 100644 --- a/tests/end_to_end/test_sql_injection/test_sql_injection.py +++ b/tests/end_to_end/test_sql_injection/test_sql_injection.py @@ -14,6 +14,7 @@ test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_sql_injection.yaml') configuration_playbooks = ['configuration.yaml'] events_playbooks = ['generate_events.yaml'] +teardown_playbooks = ['teardown.yaml'] configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) From a57d4a569eff2b1bccce223be6572abc1eeeb56a Mon Sep 17 00:00:00 2001 From: Julia Date: Tue, 12 Jul 2022 16:27:31 +0200 Subject: [PATCH 184/552] add: Add Virustotal active response teardown --- .../data/playbooks/teardown.yaml | 43 +++++++++++++++++++ .../test_virustotal_active_response.py | 1 + 2 files changed, 44 insertions(+) create mode 100644 tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/teardown.yaml 
diff --git a/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/teardown.yaml b/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/teardown.yaml new file mode 100644 index 0000000000..5bf7bf7ae1 --- /dev/null +++ b/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/teardown.yaml @@ -0,0 +1,43 @@ +--- +- name: Cleanup manager environment + hosts: wazuh-manager + become: True + tasks: + + - name: Delete Configure Virustotal integration and active response configuration + blockinfile: + path: /var/ossec/etc/ossec.conf + marker: + block: '' + + - name: Delete local rules virus total integration + blockinfile: + path: /var/ossec/etc/rules/local_rules.xml + block: '' + marker: + + - name: Restart wazuh-manager + systemd: + state: restarted + name: wazuh-manager + +- name: Cleanup agent environment + hosts: wazuh-agent + become: True + tasks: + + - name: Delete syscheck configuration + blockinfile: + path: /var/ossec/etc/ossec.conf + marker: + block: '' + + - name: Delete active response script + file: + path: /var/ossec/active-response/remove-threat.sh + state: absent + + - name: Restart wazuh-agent + systemd: + state: restarted + name: wazuh-agent diff --git a/tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py b/tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py index b5dbb154ff..68202381fe 100644 --- a/tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py +++ b/tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py 
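Review bot: The `Delete active response script` task removes `/var/ossec/active-response/remove-threat.sh`, but `file:` with `state: absent` reports ok when the path does not exist, so if the configuration playbook installed the script elsewhere (Wazuh's active-response scripts conventionally live under `/var/ossec/active-response/bin/`) the teardown silently leaves it in place. Verify the path against the destination used in configuration.yaml, or drive both from a single variable so they cannot drift.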
@@ -14,6 +14,7 @@ test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_virustotal.yaml') configuration_playbooks = ['configuration.yaml'] events_playbooks = ['generate_events.yaml'] +teardown_playbooks = ['teardown.yaml'] remove_threat_file_path = os.path.join(test_data_path, 'active_response_script', 'remove-threat.sh') configuration_extra_vars = {'active_response_script': remove_threat_file_path} From cab6ff53065ddc959cb42f9c43ca6cb575c8282f Mon Sep 17 00:00:00 2001 From: Julia Date: Tue, 12 Jul 2022 16:29:00 +0200 Subject: [PATCH 185/552] fix: typo --- .../data/playbooks/teardown.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/teardown.yaml b/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/teardown.yaml index 5bf7bf7ae1..6d9b34e9c8 100644 --- a/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/teardown.yaml @@ -4,7 +4,7 @@ become: True tasks: - - name: Delete Configure Virustotal integration and active response configuration + - name: Delete Virustotal integration and active response configuration blockinfile: path: /var/ossec/etc/ossec.conf marker: From cefe991cdd38c660464fc188e1fdfdd205a7e535 Mon Sep 17 00:00:00 2001 From: Julia Date: Tue, 12 Jul 2022 17:36:28 +0200 Subject: [PATCH 186/552] add: Add Virustotal fim teardown --- .../data/playbooks/teardown.yaml | 37 +++++++++++++++++++ .../test_virustotal_fim.py | 1 + 2 files changed, 38 insertions(+) create mode 100644 tests/end_to_end/test_virustotal/test_virustotal_fim/data/playbooks/teardown.yaml diff --git a/tests/end_to_end/test_virustotal/test_virustotal_fim/data/playbooks/teardown.yaml b/tests/end_to_end/test_virustotal/test_virustotal_fim/data/playbooks/teardown.yaml new file mode 100644 index 0000000000..3b14451252 
--- /dev/null +++ b/tests/end_to_end/test_virustotal/test_virustotal_fim/data/playbooks/teardown.yaml @@ -0,0 +1,37 @@ +--- +- name: Cleanup manager environment + hosts: wazuh-manager + become: True + tasks: + + - name: Delete Virustotal integration + blockinfile: + path: /var/ossec/etc/ossec.conf + marker: + block: '' + + - name: Restart wazuh-manager + systemd: + state: restarted + name: wazuh-manager + +- name: Cleanup agent environment + hosts: wazuh-agent + become: True + tasks: + + - name: Delete syscheck configuration + blockinfile: + path: /var/ossec/etc/ossec.conf + marker: + block: '' + + - name: Delete folder + file: + path: /test + state: absent + + - name: Restart wazuh-agent + systemd: + state: restarted + name: wazuh-agent diff --git a/tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py b/tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py index 4839eca407..b6bcca93aa 100644 --- a/tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py +++ b/tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py @@ -15,6 +15,7 @@ test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_virustotal.yaml') configuration_playbooks = ['configuration.yaml'] events_playbooks = ['generate_events.yaml'] +teardown_playbooks = ['teardown.yaml'] configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) From cc03763f89281fa7bf782a711d53eed1edd8b236 Mon Sep 17 00:00:00 2001 
From: Mauro Malara Date: Tue, 12 Jul 2022 19:28:48 -0300 Subject: [PATCH 187/552] feat(test): test_aws_infrastructure_monitoring added. #3079 --- tests/end_to_end/conftest.py | 18 ++-- .../data/configuration/aws_s3_api.py | 46 ++++++++++ .../data/playbooks/configuration.yaml | 52 +++++++++++ .../data/playbooks/generate_events.yaml | 21 +++++ .../data/playbooks/teardown_playbook.yaml | 25 ++++++ .../cases_aws_infrastructure_monitoring.yaml | 10 +++ .../test_aws_infrastructure_monitoring.py | 89 +++++++++++++++++++ 7 files changed, 256 insertions(+), 5 deletions(-) create mode 100644 tests/end_to_end/test_aws_infrastructure_monitoring/data/configuration/aws_s3_api.py create mode 100644 tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml create mode 100644 tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml create mode 100644 tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/teardown_playbook.yaml create mode 100644 tests/end_to_end/test_aws_infrastructure_monitoring/data/test_cases/cases_aws_infrastructure_monitoring.yaml create mode 100644 tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index f039ee4401..37766b1174 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -14,13 +14,12 @@ @pytest.fixture(scope='function') -def clean_environment(get_dashboard_credentials, request, metadata): +def clean_environment(get_dashboard_credentials, request): """Remove the temporary file that contains the alerts and delete indices using the API. Args: credentials (dict): wazuh-indexer credentials. request (fixture): Provide information on the executing test function. - metadata (dict): Dictionary with test case metadata. """ yield remove_file(alerts_json) 
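Review bot: The Args section of the clean_environment docstring still documents `credentials (dict)` although the parameter is named `get_dashboard_credentials`, and after removing `metadata` it no longer says where the playbook variables come from, even though the body now reads the module-level `configuration_extra_vars`. Update it to `get_dashboard_credentials (dict): wazuh-indexer credentials.` and add a line noting that `configuration_extra_vars`, when defined by the test module, is passed to the teardown playbooks. clean_environment continues outside the hunk.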
@@ -32,9 +31,11 @@ def clean_environment(get_dashboard_credentials, request, metadata): teardown_playbook_path = os.path.join(getattr(request.module, 'test_data_path'), 'playbooks', playbook) parameters = {'playbook': teardown_playbook_path, 'inventory': inventory_playbook} - # Check if the test case has extra variables to pass to the playbook and add them to the parameters in that case - if 'extra_vars' in metadata: - parameters.update({'extravars': metadata['extra_vars']}) + + # Check if the module has extra variables to pass to the playbook + configuration_extra_vars = getattr(request.module, 'configuration_extra_vars', None) + if configuration_extra_vars is not None: + parameters.update({'extravars': configuration_extra_vars}) ansible_runner.run(**parameters) @@ -106,9 +107,16 @@ def generate_events(request, metadata): events_playbook_path = os.path.join(getattr(request.module, 'test_data_path'), 'playbooks', playbook) parameters = {'playbook': events_playbook_path, 'inventory': inventory_playbook} + # Check if the test case has extra variables to pass to the playbook and add them to the parameters in that case + # Also, add the module extra vars if it is configured. + module_extra_vars = getattr(request.module, 'configuration_extra_vars', None) if 'extra_vars' in metadata: parameters.update({'extravars': metadata['extra_vars']}) + if module_extra_vars is not None: + parameters['extravars'].update(module_extra_vars) + elif module_extra_vars is not None: + parameters.update({'extravars': module_extra_vars}) ansible_runner.run(**parameters) diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/data/configuration/aws_s3_api.py b/tests/end_to_end/test_aws_infrastructure_monitoring/data/configuration/aws_s3_api.py new file mode 100644 index 0000000000..a6c89c7e6f --- /dev/null +++ b/tests/end_to_end/test_aws_infrastructure_monitoring/data/configuration/aws_s3_api.py 
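Review bot: In generate_events, `parameters['extravars'].update(module_extra_vars)` mutates `metadata['extra_vars']` in place, because `parameters['extravars']` is that same dict object; the metadata dict comes from the parametrization and is shared by every fixture and test that references the case, so module variables leak into the case data and the merge is not repeatable. Build a fresh mapping instead: `parameters['extravars'] = {**metadata['extra_vars'], **module_extra_vars}`. Note also that module variables silently override same-named case variables; if case-level values should win, swap the order. generate_events starts outside the hunk.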
@@ -0,0 +1,46 @@
+#!/usr/local/bin/python3.8
+
+import argparse
+import logging
+import boto3
+from botocore.exceptions import ClientError
+
+
+def get_parameters():
+ """
+ Returns:
+ argparse.Namespace: Object with the user parameters.
+ """
+ parser = argparse.ArgumentParser()
+
+ parser.add_argument('--aws_access_key_id', '-a', type=str, action='store', required=True, dest='aws_access_key_id')
+ parser.add_argument('--aws_secret_access_key', '-s', type=str, action='store', required=True,
+ dest='aws_secret_access_key')
+
+ arguments = parser.parse_args()
+
+ return arguments
+
+
+def create_bucket(access_key_id, secret_access_key):
+ """ Create an S3 bucket in the default region (us-east-1)
+
+ Args:
+ access_key_id (str): AWS access key ID
+ secret_access_key (str): AWS secret access key
+ """
+ try:
+ client = boto3.client('s3', aws_access_key_id=access_key_id,
+ aws_secret_access_key=secret_access_key)
+ client.create_bucket(Bucket='delete-this-dummy-bucket')
+ except ClientError as e:
+ logging.error(e)
+
+
+def main():
+ parameters = get_parameters()
+ create_bucket(parameters.aws_access_key_id, parameters.aws_secret_access_key)
+
+
+if __name__ == '__main__':
+ main()
\ No newline at end of file
diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml b/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml
new file mode 100644
index 0000000000..ea075ea148
--- /dev/null
+++ b/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml
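Review bot: `create_bucket` catches ClientError and only logs it, so when the bucket cannot be created the script still exits 0, the Ansible task succeeds and the test only fails later with 'The alert has not occurred'; with the fixed, globally unique name `delete-this-dummy-bucket` this is the normal case on a rerun or whenever another account owns the name (BucketAlreadyExists / BucketAlreadyOwnedByYou). Let the failure surface as a non-zero exit so the step that went wrong is the one reported, as below (needs `import sys`). The credentials are also taken from argv, which is visible in the process list and in Ansible's task output; boto3 reads `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` from the environment, so passing them that way (with `no_log: true` on the task) keeps the secret key out of logs.
```python
def create_bucket(access_key_id, secret_access_key, bucket_name='delete-this-dummy-bucket'):
    """Create *bucket_name* in the default region; ClientError propagates to the caller."""
    client = boto3.client('s3', aws_access_key_id=access_key_id,
                          aws_secret_access_key=secret_access_key)
    client.create_bucket(Bucket=bucket_name)


def main():
    parameters = get_parameters()
    try:
        create_bucket(parameters.aws_access_key_id, parameters.aws_secret_access_key)
    except ClientError as e:
        logging.error(e)
        sys.exit(1)  # fail the Ansible task here instead of in the later alert check
```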
@@ -0,0 +1,52 @@
+- name: Configure environment
+ hosts: wazuh-manager
+ become: true
+ tasks:
+
+ - name: Configure the aws-s3 wodle
+ blockinfile:
+ path: /var/ossec/etc/ossec.conf
+ marker:
+ insertbefore: ^
+ block: |
+
+ no
+ no
+ 1m
+ yes
+ no
+
+ {{ bucket_name }}
+ {{ aws_access_key_id }}
+ {{ aws_secret_access_key }}
+ {{ date }}
+ {{ aws_region }}
+
+
+
+ - name: Restart wazuh-manager
+ systemd:
+ state: restarted
+ name: wazuh-manager
+
+ - name: Copy the script to send a request to the AWS API
+ copy:
+ src: "{{ aws_s3_script }}"
+ dest: /tmp
+ mode: '0710'
+
+ - name: Install python v3.8.4
+ shell: |
+ yum -y update
+ yum -y groupinstall "Development Tools"
+ yum -y install gcc openssl-devel bzip2-devel libffi-devel
+ curl -O https://www.python.org/ftp/python/3.8.4/Python-3.8.4.tgz
+ tar xvf Python-3.8.4.tgz
+ cd Python-3.8.4
+ ./configure --enable-optimizations --with-ensurepip=install
+ make -j 8
+ make altinstall
+
+
+ - name: Install boto3 python package (script dependency)
+ shell: python3.8 -m pip install boto3
diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml b/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml
new file mode 100644
index 0000000000..240887638d
--- /dev/null
+++ b/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml
@@ -0,0 +1,21 @@
+- name: Generate events
+ hosts: wazuh-manager
+ become: true
+ tasks:
+
+ - name: Truncate alerts file
+ shell: echo "" > /var/ossec/logs/alerts/alerts.json
+
+ # Create a bucket using the AWS API
+ - name: Run the script using python3 (create S3 bucket)
+ script: "{{ aws_s3_script }} --a {{ aws_access_key_id }} -s {{ aws_secret_access_key }}"
+
+ - name: Wait for alerts to be generated
+ wait_for:
+ timeout: 10
+
+ - name: Get alerts.json
+ fetch:
+ src: /var/ossec/logs/alerts/alerts.json
+ dest: /tmp/
+ flat: true
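Review bot: The `Install python v3.8.4` task fetches `Python-3.8.4.tgz` with `curl -O` and builds it without verifying a checksum or signature, runs `yum -y update` against the whole manager host, and has no `creates:` guard, so every run upgrades the system and recompiles Python (`make -j 8`) for a test that only needs boto3. Use `get_url` with a `checksum:` for the tarball, drop the system-wide update, and add `args: creates: /usr/local/bin/python3.8` so the build is skipped when it is already present, or install boto3 into the interpreter the host already has. The blockinfile task renders `{{ aws_secret_access_key }}` into ossec.conf, which is what the wodle expects, but it should carry `no_log: true` so the rendered block is not echoed in Ansible output.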
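Review bot: The `script:` task in generate_events puts `{{ aws_secret_access_key }}` on the command line, so the secret appears in the Ansible task output and in the host's process list while the script runs. Add `no_log: true` to that task, or pass the keys through `environment:` as `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY`, which boto3 picks up without any argument. `wait_for:` with only `timeout: 10` is a fixed sleep rather than a check for the alert, so the following `fetch` copies an alerts file that is still empty whenever the AWS event takes longer than that to arrive.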
diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/teardown_playbook.yaml b/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/teardown_playbook.yaml
new file mode 100644
index 0000000000..1a0d35a8df
--- /dev/null
+++ b/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/teardown_playbook.yaml
@@ -0,0 +1,25 @@
+- name: Cleanup environment
+ hosts: wazuh-manager
+ become: true
+ tasks:
+
+ - name: Remove the aws-s3 wodle block
+ blockinfile:
+ path: /var/ossec/etc/ossec.conf
+ marker:
+ state: absent
+
+ - name: Remove the script (create S3 bucket via API)
+ file:
+ path: /tmp/aws_s3_api.py
+ state: absent
+
+ - name: Remove python3 installation file
+ file:
+ path: ./Python-3.8.4.tgz
+ state: absent
+
+ - name: Remove python3 installation folder
+ file:
+ path: ./Python-3.8.4/
+ state: absent
\ No newline at end of file
diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/data/test_cases/cases_aws_infrastructure_monitoring.yaml b/tests/end_to_end/test_aws_infrastructure_monitoring/data/test_cases/cases_aws_infrastructure_monitoring.yaml
new file mode 100644
index 0000000000..57c68bfe06
--- /dev/null
+++ b/tests/end_to_end/test_aws_infrastructure_monitoring/data/test_cases/cases_aws_infrastructure_monitoring.yaml
@@ -0,0 +1,10 @@
+- name: CloudTrail service
+ description: >
+ AWS CloudTrail is a service used for auditing AWS accounts.
+ It logs API calls (CloudTrail Event) stored for 90 days by default.
+ There are 2 types of events{{":"}} Management events (active by default) and data events.
+ configuration_parameters: null
+ metadata:
+ rule.id: 80202
+ rule.description: AWS Cloudtrail{{":"}} s3.amazonaws.com - CreateBucket.
+ rule.level: 3
diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py b/tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py
new file mode 100644
index 0000000000..6fb8d8d76b
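Review bot: The teardown never deletes the `delete-this-dummy-bucket` bucket the test creates, so it accumulates in the account and a second run cannot create it again; add a cleanup step that removes it (for example a delete option in the same API script). `./Python-3.8.4.tgz` and `./Python-3.8.4/` are relative to the become user's working directory, which is not guaranteed to be the directory the configuration playbook's shell block ran in, so use one absolute path in both playbooks. The aws-s3 wodle block is removed without restarting wazuh-manager, unlike the other teardowns in this series, so the module presumably keeps running with the old configuration and credentials until the next restart; and the file is named `teardown_playbook.yaml` although the other tests were normalized to `teardown.yaml` earlier in the series.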
--- /dev/null
+++ b/tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py
@@ -0,0 +1,89 @@ +import os +import json +import re +import pytest +from requests import request +import yaml +from datetime import datetime +from tempfile import gettempdir +from time import sleep + +import wazuh_testing as fw +from wazuh_testing.tools.time import parse_date_time_format +from wazuh_testing import end_to_end as e2e +from wazuh_testing import event_monitor as evm +from wazuh_testing.tools import configuration as config + +# Test cases data +test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') +test_cases_path = os.path.join(test_data_path, 'test_cases') +test_cases_file_path = os.path.join(test_cases_path, 'cases_aws_infrastructure_monitoring.yaml') +alerts_json = os.path.join(gettempdir(), 'alerts.json') +aws_s3_script = os.path.join(test_data_path, 'configuration', 'aws_s3_api.py') + +# Playbooks +configuration_playbooks = ['configuration.yaml'] +events_playbooks = ['generate_events.yaml'] +teardown_playbook = ['teardown_playbook.yaml'] +configuration_extra_vars = { + 'aws_s3_script': aws_s3_script, + 'date': datetime.strftime(datetime.now(), '%Y-%b-%d').upper() +} + +# Configuration +configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) + + +@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) +@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') +def test_aws_infrastructure_monitoring(configure_environment, metadata, get_dashboard_credentials, + generate_events, clean_environment): + rule_description = metadata['rule.description'] + rule_id = metadata['rule.id'] + rule_level = metadata['rule.level'] + timestamp_regex = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[\+|-]\d+' + + import pdb; pdb.set_trace() + + expected_alert_json = fr".+timestamp\":\"({timestamp_regex})\",.+level\":{rule_level}.+description\"" \ + fr":\"{rule_description}.+id.+{rule_id}.+" + + expected_indexed_alert = 
fr".+level.+{rule_level}.+description.+{rule_description}.+id.+{rule_id}.+" \ + fr"timestamp\": \"({timestamp_regex})\"" + + query = e2e.make_query([ + { + "term": { + "rule.id": f"{rule_id}" + } + }, + { + "term": { + "rule.description": f"{rule_description}" + } + } + ]) + + # Check that alert has been raised and save timestamp + raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + error_message='The alert has not occurred').result() + raised_alert_timestamp = raised_alert.group(1) + raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') + + # Wait a few seconds for the alert to be indexed (alert.json -> filebeat -> wazuh-indexer) + sleep(fw.T_5) + + # Get indexed alert + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + indexed_alert = json.dumps(response.json()) + + # Check that the alert data is the expected one + alert_data = re.search(expected_indexed_alert, indexed_alert) + assert alert_data is not None, 'Alert triggered, but not indexed' + + # Get indexed alert timestamp + indexed_alert_timestamp = alert_data.group(1) + indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), '%Y-%m-%d %H:%M:%S') + + # Check that alert has been indexed (checking that the timestamp is the expected one) + assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' From e13ea544afaf1fa7cbd6cee3dcd67405bc28dcea Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Tue, 12 Jul 2022 19:33:47 -0300 Subject: [PATCH 188/552] fix: script parameter fixed. #3079 --- .../data/playbooks/generate_events.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml b/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml index 240887638d..811d63700e 100644 
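Review bot: `rule_description` and `rule_id` are interpolated into `expected_alert_json` and `expected_indexed_alert` without `re.escape`, so the `.` and `-` characters of a description such as the CloudTrail one in the cases file match any character and the assertions can pass on a different alert; build the patterns with `{re.escape(rule_description)}` and `{re.escape(rule_id)}` while keeping the raw values for the `term` query. The class `[\+|-]` in `timestamp_regex` also admits a literal `|`; `[+-]` is what is meant. `sleep(fw.T_5)` is a fixed pause before the indexer query and makes the test timing-dependent; polling `e2e.get_alert_indexer_api` with a bounded retry until the document appears would be deterministic. `from requests import request` and `import yaml` are unused, and `configuration_extra_vars['date']` is taken from local time while the AWS side stamps objects in UTC, so if that date selects the S3 key prefix, runs near midnight will look in the wrong day.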
--- a/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml @@ -8,7 +8,7 @@ # Create a bucket using the AWS API - name: Run the script using python3 (create S3 bucket) - script: "{{ aws_s3_script }} --a {{ aws_access_key_id }} -s {{ aws_secret_access_key }}" + script: "{{ aws_s3_script }} -a {{ aws_access_key_id }} -s {{ aws_secret_access_key }}" - name: Wait for alerts to be generated wait_for: From 0b86661327912869109dbbde3062cb7a6aec2e3a Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Tue, 12 Jul 2022 19:34:48 -0300 Subject: [PATCH 189/552] style: fix extra space. #3079 --- .../data/playbooks/configuration.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml b/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml index ea075ea148..41e855dae2 100644 --- a/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml @@ -47,6 +47,5 @@ make -j 8 make altinstall - - name: Install boto3 python package (script dependency) shell: python3.8 -m pip install boto3 From 09462fcaa81959656c00d6f73bdb2057f3d653e3 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Tue, 12 Jul 2022 19:35:28 -0300 Subject: [PATCH 190/552] style: add EOL. #3079 --- .../data/playbooks/teardown_playbook.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/teardown_playbook.yaml b/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/teardown_playbook.yaml index 1a0d35a8df..d03ccee73e 100644 --- a/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/teardown_playbook.yaml 
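Review bot: The corrected `script:` line still passes `aws_secret_access_key` on the command line, so the secret is visible in the manager's process list for the lifetime of the script and is echoed into the task result and any verbose Ansible log, since the task carries no `no_log: true`. Add `no_log: true` to the task and, as the script uses boto3, prefer handing the key pair over through the task's `environment:` as `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY`, which boto3 reads without the values appearing on argv. The `--a` → `-a` fix itself is fine.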
+++ b/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/teardown_playbook.yaml
@@ -22,4 +22,4 @@
 - name: Remove python3 installation folder
 file:
 path: ./Python-3.8.4/
- state: absent
\ No newline at end of file
+ state: absent
From f4c87cb0f06efb64d5c3de714227f7cd69719cf5 Mon Sep 17 00:00:00 2001
From: Mauro Malara
Date: Tue, 12 Jul 2022 19:37:02 -0300
Subject: [PATCH 191/552] fix(test)!: pdb line removed. #3079
---
 .../test_aws_infrastructure_monitoring.py | 2 --
 1 file changed, 2 deletions(-)
diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py b/tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py
index 6fb8d8d76b..f840ac9b2c 100644
--- a/tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py
+++ b/tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py
@@ -43,8 +43,6 @@ def test_aws_infrastructure_monitoring(configure_environment, metadata, get_dash
 rule_level = metadata['rule.level']
 timestamp_regex = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[\+|-]\d+'
 
- import pdb; pdb.set_trace()
-
 expected_alert_json = fr".+timestamp\":\"({timestamp_regex})\",.+level\":{rule_level}.+description\"" \
 fr":\"{rule_description}.+id.+{rule_id}.+"
From c3fc08d0015b5ff6d32a82674ad922d8199a7a9c Mon Sep 17 00:00:00 2001
From: Julia
Date: Wed, 13 Jul 2022 17:40:16 +0200
Subject: [PATCH 192/552] fix: Delete audit rules
---
 tests/end_to_end/test_audit/data/playbooks/teardown.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/tests/end_to_end/test_audit/data/playbooks/teardown.yaml b/tests/end_to_end/test_audit/data/playbooks/teardown.yaml
index c281d904af..35081c89ac 100644
--- a/tests/end_to_end/test_audit/data/playbooks/teardown.yaml
+++ b/tests/end_to_end/test_audit/data/playbooks/teardown.yaml
@@ -8,3 +8,7 @@ file: path: /etc/audit/rules.d/wazuh.rules state: absent + + - name: Delete audit rules + become: True + shell: auditctl -D From d9487f317431e992d9c1ee0a40030f0f58fd7927 Mon Sep 17 00:00:00 2001 From: Julia Date: Wed, 13 Jul 2022 17:40:33 +0200 Subject: [PATCH 193/552] fix: Change hosts --- .../test_brute_force/data/playbooks/generate_events.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/end_to_end/test_brute_force/data/playbooks/generate_events.yaml b/tests/end_to_end/test_brute_force/data/playbooks/generate_events.yaml index e6dac58297..7266cf419c 100644 --- a/tests/end_to_end/test_brute_force/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_brute_force/data/playbooks/generate_events.yaml @@ -1,5 +1,5 @@ - name: Truncate file - hosts: all + hosts: wazuh-manager tasks: - name: Truncate alert.json @@ -32,7 +32,7 @@ seconds: 5 - name: Get logs - hosts: all + hosts: wazuh-manager tasks: - name: Get alerts.json From 52233391308cd31673ca2e19c511db523a346bbb Mon Sep 17 00:00:00 2001 From: Julia Date: Wed, 13 Jul 2022 18:02:08 +0200 Subject: [PATCH 194/552] fix: Fix clean_environment --- tests/end_to_end/conftest.py | 20 ++++++++++++------- .../test_brute_force/test_brute_force.py | 1 + 2 files changed, 14 insertions(+), 7 deletions(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 26fe0c2431..59cd5b5891 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py 
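Review bot: `auditctl -D` in the new task drops every loaded audit rule on the manager, not just the execve rules the configuration playbook installed, so the host runs without its own baseline rules after teardown until the next reboot or `augenrules --load`. `auditctl -D` accepts `-k KEY` to restrict the deletion to rules carrying that key; pass the key the configuration playbook assigns, e.g. `shell: auditctl -D -k <rule-key>`, and follow with `augenrules --load` if the host keeps persistent rules. The preceding task already removes the rules file, so only the in-kernel rules need the targeted deletion.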
@@ -27,16 +27,22 @@ def clean_environment(get_dashboard_credentials, request, metadata): e2e.delete_index_api(credentials=get_dashboard_credentials) inventory_playbook = request.config.getoption('--inventory_path') + if not inventory_playbook: + raise ValueError('Inventory not specified') + + teardown_playbooks = getattr(request.module, 'teardown_playbooks') + # Execute each playbook for the teardown - for playbook in getattr(request.module, 'teardown_playbooks'): - teardown_playbook_path = os.path.join(getattr(request.module, 'test_data_path'), 'playbooks', playbook) + if teardown_playbooks is not None: + for playbook in teardown_playbooks: + teardown_playbook_path = os.path.join(getattr(request.module, 'test_data_path'), 'playbooks', playbook) - parameters = {'playbook': teardown_playbook_path, 'inventory': inventory_playbook} - # Check if the test case has extra variables to pass to the playbook and add them to the parameters in that case - if 'extra_vars' in metadata: - parameters.update({'extravars': metadata['extra_vars']}) + parameters = {'playbook': teardown_playbook_path, 'inventory': inventory_playbook} + # Check if the test case has extra variables to pass to the playbook and add them to the parameters in that case + if 'extra_vars' in metadata: + parameters.update({'extravars': metadata['extra_vars']}) - ansible_runner.run(**parameters) + ansible_runner.run(**parameters) @pytest.fixture(scope='module') diff --git a/tests/end_to_end/test_brute_force/test_brute_force.py b/tests/end_to_end/test_brute_force/test_brute_force.py index fb6ba7b2b7..dc57f88239 100644 --- a/tests/end_to_end/test_brute_force/test_brute_force.py +++ b/tests/end_to_end/test_brute_force/test_brute_force.py @@ -15,6 +15,7 @@ # Playbooks events_playbooks = ['generate_events.yaml'] +teardown_playbooks = None # Configuration configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) 
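Review bot: `getattr(request.module, 'teardown_playbooks')` has no default, so any test module that does not define the attribute raises `AttributeError` in teardown — which is why this same commit has to add `teardown_playbooks = None` to `test_brute_force.py`; `getattr(request.module, 'teardown_playbooks', None)` makes the `is not None` guard self-sufficient. The `--inventory_path` check sits after the fixture's `yield` (the fixture's start is outside the hunk), so a missing inventory is reported as a teardown error only after the test body has already run; moving the `getoption` call and the `ValueError` ahead of the `yield` fails fast. `metadata['extra_vars']` is forwarded unchanged to every teardown playbook, and ansible_runner can persist extravars in its artifacts directory, so keep secrets out of the test-case metadata.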
From f414d80a6a469316a325c7e8c7312f4690d5a442 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Wed, 13 Jul 2022 17:35:04 -0300 Subject: [PATCH 195/552] add: test vdt windows (in progress) --- .../data/playbooks/configuration.yaml | 87 +++++++++++++++++++ .../data/playbooks/generate_events.yaml | 30 +++++++ .../cases_vulnerability_detector.yaml | 10 +++ .../test_vulnerability_detector.py | 71 +++++++++++++++ .../data/playbooks/configuration.yaml | 87 +++++++++++++++++++ .../data/playbooks/generate_events.yaml | 31 +++++++ .../cases_vulnerability_detector.yaml | 10 +++ .../test_vulnerability_detector_windows.py | 72 +++++++++++++++ 8 files changed, 398 insertions(+) create mode 100644 tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/configuration.yaml create mode 100644 tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml create mode 100644 tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/test_cases/cases_vulnerability_detector.yaml create mode 100644 tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector.py create mode 100644 tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/configuration.yaml create mode 100644 tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/generate_events.yaml create mode 100644 tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/test_cases/cases_vulnerability_detector.yaml create mode 100644 tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detector_windows.py 
diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/configuration.yaml b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/configuration.yaml new file mode 100644 index 0000000000..5addaee3c0 --- /dev/null +++ b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/configuration.yaml @@ -0,0 +1,87 @@ +- name: Test agent configuration + hosts: wazuh-agent + tasks: + + - name: Enable the agent module to collect installed packages + become: true + blockinfile: + path: /var/ossec/etc/ossec.conf + insertbefore: + block: | + + no + 10s + yes + yes + + marker: + + - name: Restart wazuh-agent + become: true + shell: systemctl restart wazuh-agent + +- name: Test manager configuration + hosts: wazuh-manager + tasks: + + - name: Truncate file ossec.log + shell: echo "" > /var/ossec/logs/ossec.log + become: true + + - name: Enabled vulnerability detector module + become: true + blockinfile: + path: /var/ossec/etc/ossec.conf + insertbefore: + block: | + + yes + 10s + 10s + yes + + + + yes + focal + 1h + + + + + no + stretch + buster + 1h + + + + + no + 8 + 1h + + + + + no + 1h + + + + yes + 2022 + 1h + + + marker: + + - name: Restart wazuh-manager + become: true + shell: systemctl restart wazuh-manager + + - name: Wait until the feeds were downloaded and the first scan was completed + become: true + ansible.builtin.wait_for: + path: /var/ossec/logs/ossec.log + search_regex: Vulnerability scan finished. diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml new file mode 100644 index 0000000000..09bd5dcf2d --- /dev/null +++ b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml 
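Review bot: The final `wait_for` task relies on the module's default timeout (300 seconds) for `search_regex: Vulnerability scan finished.`, yet it waits for the feed download of several providers plus the first scan, which can take longer; set an explicit `timeout:` sized for the slowest feed so a stall fails with a meaningful message. `shell: systemctl restart wazuh-agent` and `shell: systemctl restart wazuh-manager` are what `ansible.builtin.systemd` with `state: restarted` does idempotently, and `shell: echo "" > /var/ossec/logs/ossec.log` writes a newline rather than truncating — `copy: content: ''` (or `command: truncate -s 0 /var/ossec/logs/ossec.log`) empties the file. The XML inside both `block:` bodies appears with its element names stripped in this listing, presumably a rendering artifact; worth confirming the committed file is intact.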
@@ -0,0 +1,30 @@ +- name: Truncate files + hosts: wazuh-manager + tasks: + + - name: Truncate file alert.json + shell: echo "" > /var/ossec/logs/alerts/alerts.json + become: true + +- name: Generate events + hosts: wazuh-agent + tasks: + + - name: "{{ event_description }}" + become: true + command: "{{ command }}" + + - name: Wait for alert + wait_for: + timeout: 60 + +- name: Get logs + hosts: wazuh-manager + tasks: + + - name: Get alerts.json + fetch: + src: /var/ossec/logs/alerts/alerts.json + dest: /tmp/ + flat: true + become: true diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/test_cases/cases_vulnerability_detector.yaml b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/test_cases/cases_vulnerability_detector.yaml new file mode 100644 index 0000000000..d3a0265d4d --- /dev/null +++ b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/test_cases/cases_vulnerability_detector.yaml @@ -0,0 +1,10 @@ +- name: vulnerability_detector + description: Detect vim vulnerability + configuration_parameters: null + metadata: + extra_vars: + event_description: Install vulnerable vim package + command: apt install vim=2:8.1.2269-1ubuntu5.7 + rule.id: 23505 + rule.level: 10 + rule.description: CVE-2022-1621 affects vim diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector.py b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector.py new file mode 100644 index 0000000000..83c36055dc --- /dev/null +++ b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector.py 
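Review bot: The `Generate events` play runs `command: "{{ command }}"` as root from test-case metadata, and the only command the cases file supplies, `apt install vim=2:8.1.2269-1ubuntu5.7`, has no `-y`; when the pinned version is older than the installed one apt treats it as a downgrade and, without a tty, prompts and aborts, so no event is generated and the failure only surfaces later as 'The alert has not occurred'. Use `apt-get install -y --allow-downgrades vim=2:8.1.2269-1ubuntu5.7` (or the `apt` module with `allow_downgrade: true`) in the cases file. `wait_for: timeout: 60` is a fixed pause; a `wait_for` on the manager with `path: /var/ossec/logs/alerts/alerts.json` and a `search_regex:` for the expected rule id bounds the wait on the actual event instead.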
@@ -0,0 +1,71 @@ +import os +import json +import re +import pytest +from datetime import datetime +from tempfile import gettempdir + +from wazuh_testing.tools.time import parse_date_time_format +from wazuh_testing.tools import configuration as config +from wazuh_testing import end_to_end as e2e +from wazuh_testing import event_monitor as evm + +# Test cases data +alerts_json = os.path.join(gettempdir(), 'alerts.json') +test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') +test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_vulnerability_detector.yaml') + +# Playbooks +configuration_playbooks = ['configuration.yaml'] +events_playbooks = ['generate_events.yaml'] + +# Configuration +configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) + + +@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') +@pytest.mark.parametrize('metadata', configuration_metadata) +def test_vulnerability_detector(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_environment): + """ + Test to detect a vulnerability (Ubuntu 20.04) + """ + rule_level = metadata['rule.level'] + rule_description = metadata['rule.description'] + rule_id = metadata['rule.id'] + + expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{rule_level},' \ + fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' + + expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \ + fr'.*"id": "{rule_id}".*' \ + r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' + + query = e2e.make_query([ + { + "term": { + "rule.id": f"{rule_id}" + } + } + ]) + + + # Check that alert has been raised and save timestamp + raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + error_message='The alert has not occurred').result() + raised_alert_timestamp = 
raised_alert.group(1) + raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') + + # Get indexed alert + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + indexed_alert = json.dumps(response.json()) + + # Check that the alert data is the expected one + alert_data = re.search(expected_indexed_alert, indexed_alert) + assert alert_data is not None, 'Alert triggered, but not indexed' + + # Get indexed alert timestamp + indexed_alert_timestamp = alert_data.group(1) + indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), '%Y-%m-%d %H:%M:%S') + + # Check that alert has been indexed (checking that the timestamp is the expected one) + assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/configuration.yaml b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/configuration.yaml new file mode 100644 index 0000000000..cef6a38223 --- /dev/null +++ b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/configuration.yaml 
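Review bot: The capture group `(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)` in both `expected_alert_json` and `expected_indexed_alert` accepts only a positive UTC offset, so on a manager whose zone is west of UTC (alerts stamped `-0300`) neither regex matches and the test fails with 'The alert has not occurred' although the alert exists; `[+-]\d+` in place of `\+\d+` covers both signs. `rule_description` is interpolated unescaped; `CVE-2022-1621 affects vim` happens to be safe, but `re.escape(rule_description)` in the two patterns (keeping the raw value for the `term` query) prevents a future description with `.` from matching the wrong alert. `expected_alert_json` also hard-codes the key order `timestamp`, `rule.level`, `rule.description`, `rule.id`, which is an assumption about the serializer rather than the alert schema; consider parsing the line as JSON and comparing fields.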
@@ -0,0 +1,87 @@ +- name: Test agent configuration + hosts: wazuh-windows + tasks: + + - name: Enable the agent module to collect installed packages + ansible.windows.win_shell: | + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`nno" + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n10s" + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`nyes" + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`nyes" + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`nyes" + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" + + - name: Restart wazuh-agent + ansible.windows.win_shell: | + net stop wazuh + net start wazuh + +- name: Test manager configuration + hosts: wazuh-manager + tasks: + + - name: Truncate file ossec.log + shell: echo "" > /var/ossec/logs/ossec.log + become: true + + - name: Enabled vulnerability detector module + become: true + blockinfile: + path: /var/ossec/etc/ossec.conf + insertbefore: + block: | + + yes + 10s + 10s + yes + + + + no + focal + 1h + + + + + no + stretch + buster + 1h + + + + + no + 8 + 1h + + + + + yes + 1h + + + + + yes + 2021 + 1h + + + marker: + + - name: Restart wazuh-manager + become: true + shell: systemctl restart wazuh-manager + + - name: Wait until the feeds were downloaded and the first scan was completed + become: true + ansible.builtin.wait_for: + path: /var/ossec/logs/ossec.log + search_regex: Vulnerability scan finished. diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/generate_events.yaml b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/generate_events.yaml new file mode 100644 index 0000000000..f9a0a7db4b --- /dev/null 
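Review bot: The `Add-Content` task appends the syscollector block to the agent's `ossec.conf` on every run, so a second execution of the playbook leaves the agent with duplicated configuration; the Linux counterpart is idempotent through `blockinfile` markers, and the Windows side should be guarded the same way, e.g. a `Select-String` check for the block before appending. `net stop wazuh` / `net start wazuh` in the restart task can be `ansible.windows.win_service` with `name: wazuh` and `state: restarted`, which also fails the play if the service does not come back up. The element names in the appended lines and in the manager `block:` appear stripped in this listing, presumably a rendering artifact; worth confirming the committed file is intact.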
+++ b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/generate_events.yaml @@ -0,0 +1,31 @@ +- name: Truncate files + hosts: wazuh-manager + tasks: + + - name: Truncate file alert.json + shell: echo "" > /var/ossec/logs/alerts/alerts.json + become: true + +- name: Generate events + hosts: wazuh-windows + tasks: + + - name: Install mozilla + ansible.windows.win_shell: | + Invoke-WebRequest -Uri "https://ftp.mozilla.org/pub/firefox/releases/92.0/win64/en-US/Firefox Setup 92.0.exe" -OutFile "C:\temp\test.exe" + Start-Process -Wait -FilePath "C:\temp\test.exe" -ArgumentList "/S" -PassThru + +- name: Wait alert + hosts: wazuh-manager + tasks: + + - name: Wait for alert + wait_for: + timeout: 60 + + - name: Get alerts.json + fetch: + src: /var/ossec/logs/alerts/alerts.json + dest: /tmp/ + flat: true + become: true diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/test_cases/cases_vulnerability_detector.yaml b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/test_cases/cases_vulnerability_detector.yaml new file mode 100644 index 0000000000..d3a0265d4d --- /dev/null +++ b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/test_cases/cases_vulnerability_detector.yaml @@ -0,0 +1,10 @@ +- name: vulnerability_detector + description: Detect vim vulnerability + configuration_parameters: null + metadata: + extra_vars: + event_description: Install vulnerable vim package + command: apt install vim=2:8.1.2269-1ubuntu5.7 + rule.id: 23505 + rule.level: 10 + rule.description: CVE-2022-1621 affects vim diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detector_windows.py b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detector_windows.py new file mode 100644 index 0000000000..6adee793b8 --- /dev/null 
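Review bot: The `Install mozilla` task downloads `Firefox Setup 92.0.exe` from the internet and runs it silently on the agent with no integrity check, so the test outcome — and the state of the Windows host — depend on whatever that URL serves at run time; record the installer's SHA-256 once and compare with `Get-FileHash` (or check `Get-AuthenticodeSignature`) before `Start-Process`, failing the play on mismatch, or replace the download line with `ansible.windows.win_get_url` and its `checksum` option. `Invoke-WebRequest -OutFile "C:\temp\test.exe"` also fails on a host where `C:\temp` does not exist; create it first with `ansible.windows.win_file` and `state: directory`. The `wait_for: timeout: 60` is a fixed pause, as in the Linux playbook; a `search_regex:` wait on `alerts.json` for the expected rule bounds the wait on the real event.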
+++ b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detector_windows.py 
@@ -0,0 +1,72 @@ +import os +import json +import re +import pytest +from datetime import datetime +from tempfile import gettempdir + +from wazuh_testing.tools.time import parse_date_time_format +from wazuh_testing.tools import configuration as config +from wazuh_testing import end_to_end as e2e +from wazuh_testing import event_monitor as evm + +# Test cases data +alerts_json = os.path.join(gettempdir(), 'alerts.json') +test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') +test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_vulnerability_detector.yaml') + +# Playbooks +configuration_playbooks = ['configuration.yaml'] +events_playbooks = ['generate_events.yaml'] + +# Configuration +configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) + + +@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') +#@pytest.mark.parametrize('metadata', configuration_metadata) +def test_vulnerability_detector(configure_environment, generate_events, clean_environment): + """ + Test to detect a vulnerability (Ubuntu 20.04) + """ + print('HOLAAAA') + # rule_level = metadata['rule.level'] + # rule_description = metadata['rule.description'] + # rule_id = metadata['rule.id'] + + # expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{rule_level},' \ + # fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' + + # expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \ + # fr'.*"id": "{rule_id}".*' \ + # r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' + + # query = e2e.make_query([ + # { + # "term": { + # "rule.id": f"{rule_id}" + # } + # } + # ]) + + + # # Check that alert has been raised and save timestamp + # raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + # error_message='The alert has not occurred').result() + # 
raised_alert_timestamp = raised_alert.group(1) + # raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') + + # # Get indexed alert + # response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + # indexed_alert = json.dumps(response.json()) + + # # Check that the alert data is the expected one + # alert_data = re.search(expected_indexed_alert, indexed_alert) + # assert alert_data is not None, 'Alert triggered, but not indexed' + + # # Get indexed alert timestamp + # indexed_alert_timestamp = alert_data.group(1) + # indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), '%Y-%m-%d %H:%M:%S') + + # # Check that alert has been indexed (checking that the timestamp is the expected one) + # assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' From 641d41c8705825bc5895ad3d3fb639d06ce23e98 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Wed, 13 Jul 2022 17:36:39 -0300 Subject: [PATCH 196/552] fix: new tests drop --- .../data/playbooks/configuration.yaml | 87 ------------------- .../data/playbooks/generate_events.yaml | 30 ------- .../cases_vulnerability_detector.yaml | 10 --- .../test_vulnerability_detector.py | 71 --------------- 4 files changed, 198 deletions(-) delete mode 100644 tests/end_to_end/test_vulnerability_detector/data/playbooks/configuration.yaml delete mode 100644 tests/end_to_end/test_vulnerability_detector/data/playbooks/generate_events.yaml delete mode 100644 tests/end_to_end/test_vulnerability_detector/data/test_cases/cases_vulnerability_detector.yaml delete mode 100644 tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector.py diff --git a/tests/end_to_end/test_vulnerability_detector/data/playbooks/configuration.yaml b/tests/end_to_end/test_vulnerability_detector/data/playbooks/configuration.yaml deleted file mode 100644 index 5addaee3c0..0000000000 
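Review bot: `test_vulnerability_detector` as committed cannot fail: the parametrize decorator and the whole body are commented out and what runs is `print('HOLAAAA')`, so a green run reports coverage of the Windows vulnerability-detector flow that does not exist; until the assertions are restored, mark it `@pytest.mark.skip(reason='Windows vulnerability detector test not implemented yet')` (or `xfail`) and drop the print. `configuration_metadata` is still loaded from the cases file but unused, and that file is a copy of the Linux one (`apt install vim=...`, rule 23505, 'CVE-2022-1621 affects vim') while `generate_events.yaml` installs Firefox, so when parametrization is restored the expected rule will not match the generated event. The imports of `json`, `re`, `datetime`, `parse_date_time_format`, `e2e` and `evm` are all unused in the current body.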
--- a/tests/end_to_end/test_vulnerability_detector/data/playbooks/configuration.yaml +++ /dev/null @@ -1,87 +0,0 @@ -- name: Test agent configuration - hosts: wazuh-agent - tasks: - - - name: Enable the agent module to collect installed packages - become: true - blockinfile: - path: /var/ossec/etc/ossec.conf - insertbefore: - block: | - - no - 10s - yes - yes - - marker: - - - name: Restart wazuh-agent - become: true - shell: systemctl restart wazuh-agent - -- name: Test manager configuration - hosts: wazuh-manager - tasks: - - - name: Truncate file ossec.log - shell: echo "" > /var/ossec/logs/ossec.log - become: true - - - name: Enabled vulnerability detector module - become: true - blockinfile: - path: /var/ossec/etc/ossec.conf - insertbefore: - block: | - - yes - 10s - 10s - yes - - - - yes - focal - 1h - - - - - no - stretch - buster - 1h - - - - - no - 8 - 1h - - - - - no - 1h - - - - yes - 2022 - 1h - - - marker: - - - name: Restart wazuh-manager - become: true - shell: systemctl restart wazuh-manager - - - name: Wait until the feeds were downloaded and the first scan was completed - become: true - ansible.builtin.wait_for: - path: /var/ossec/logs/ossec.log - search_regex: Vulnerability scan finished. diff --git a/tests/end_to_end/test_vulnerability_detector/data/playbooks/generate_events.yaml b/tests/end_to_end/test_vulnerability_detector/data/playbooks/generate_events.yaml deleted file mode 100644 index 09bd5dcf2d..0000000000 --- a/tests/end_to_end/test_vulnerability_detector/data/playbooks/generate_events.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -- name: Truncate files - hosts: wazuh-manager - tasks: - - - name: Truncate file alert.json - shell: echo "" > /var/ossec/logs/alerts/alerts.json - become: true - -- name: Generate events - hosts: wazuh-agent - tasks: - - - name: "{{ event_description }}" - become: true - command: "{{ command }}" - - - name: Wait for alert - wait_for: - timeout: 60 - -- name: Get logs - hosts: wazuh-manager - tasks: - - - name: Get alerts.json - fetch: - src: /var/ossec/logs/alerts/alerts.json - dest: /tmp/ - flat: true - become: true diff --git a/tests/end_to_end/test_vulnerability_detector/data/test_cases/cases_vulnerability_detector.yaml b/tests/end_to_end/test_vulnerability_detector/data/test_cases/cases_vulnerability_detector.yaml deleted file mode 100644 index d3a0265d4d..0000000000 --- a/tests/end_to_end/test_vulnerability_detector/data/test_cases/cases_vulnerability_detector.yaml +++ /dev/null @@ -1,10 +0,0 @@ -- name: vulnerability_detector - description: Detect vim vulnerability - configuration_parameters: null - metadata: - extra_vars: - event_description: Install vulnerable vim package - command: apt install vim=2:8.1.2269-1ubuntu5.7 - rule.id: 23505 - rule.level: 10 - rule.description: CVE-2022-1621 affects vim diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector.py b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector.py deleted file mode 100644 index 83c36055dc..0000000000 --- a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector.py +++ /dev/null 
@@ -1,71 +0,0 @@ -import os -import json -import re -import pytest -from datetime import datetime -from tempfile import gettempdir - -from wazuh_testing.tools.time import parse_date_time_format -from wazuh_testing.tools import configuration as config -from wazuh_testing import end_to_end as e2e -from wazuh_testing import event_monitor as evm - -# Test cases data -alerts_json = os.path.join(gettempdir(), 'alerts.json') -test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') -test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_vulnerability_detector.yaml') - -# Playbooks -configuration_playbooks = ['configuration.yaml'] -events_playbooks = ['generate_events.yaml'] - -# Configuration -configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) - - -@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -@pytest.mark.parametrize('metadata', configuration_metadata) -def test_vulnerability_detector(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_environment): - """ - Test to detect a vulnerability (Ubuntu 20.04) - """ - rule_level = metadata['rule.level'] - rule_description = metadata['rule.description'] - rule_id = metadata['rule.id'] - - expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{rule_level},' \ - fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' - - expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \ - fr'.*"id": "{rule_id}".*' \ - r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' - - query = e2e.make_query([ - { - "term": { - "rule.id": f"{rule_id}" - } - } - ]) - - - # Check that alert has been raised and save timestamp - raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - error_message='The alert has not occurred').result() - raised_alert_timestamp = 
raised_alert.group(1) - raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') - - # Get indexed alert - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) - indexed_alert = json.dumps(response.json()) - - # Check that the alert data is the expected one - alert_data = re.search(expected_indexed_alert, indexed_alert) - assert alert_data is not None, 'Alert triggered, but not indexed' - - # Get indexed alert timestamp - indexed_alert_timestamp = alert_data.group(1) - indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), '%Y-%m-%d %H:%M:%S') - - # Check that alert has been indexed (checking that the timestamp is the expected one) - assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' From 47f6a6b40c79f22f13dde26a10e768797280fb16 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Wed, 13 Jul 2022 18:55:42 -0300 Subject: [PATCH 197/552] refac: several changes applied. #3079 --- tests/end_to_end/conftest.py | 5 ++-- .../data/configuration/aws_s3_api.py | 10 ++++++-- .../data/playbooks/configuration.yaml | 25 ++++++++++++------- .../data/playbooks/generate_events.yaml | 21 ++++++++++++---- .../cases_aws_infrastructure_monitoring.yaml | 2 ++ 5 files changed, 45 insertions(+), 18 deletions(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 37766b1174..731d87162f 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -22,8 +22,6 @@ def clean_environment(get_dashboard_credentials, request): request (fixture): Provide information on the executing test function. """ yield - remove_file(alerts_json) - e2e.delete_index_api(credentials=get_dashboard_credentials) inventory_playbook = request.config.getoption('--inventory_path') # Execute each playbook for the teardown 
@@ -39,6 +37,9 @@ def clean_environment(get_dashboard_credentials, request): ansible_runner.run(**parameters) + remove_file(alerts_json) + e2e.delete_index_api(credentials=get_dashboard_credentials) + @pytest.fixture(scope='module') def get_dashboard_credentials(request): diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/data/configuration/aws_s3_api.py b/tests/end_to_end/test_aws_infrastructure_monitoring/data/configuration/aws_s3_api.py index a6c89c7e6f..9184080230 100644 --- a/tests/end_to_end/test_aws_infrastructure_monitoring/data/configuration/aws_s3_api.py +++ b/tests/end_to_end/test_aws_infrastructure_monitoring/data/configuration/aws_s3_api.py @@ -1,11 +1,15 @@ -#!/usr/local/bin/python3.8 +#!/usr/bin/python3.8 import argparse import logging +from datetime import datetime import boto3 from botocore.exceptions import ClientError +formats = ['%a, %d %b %Y %H:%M:%S %Z', '%Y-%m-%dT%H:%M:%SZ'] + + def get_parameters(): """ Returns: @@ -32,7 +36,9 @@ def create_bucket(access_key_id, secret_access_key): try: client = boto3.client('s3', aws_access_key_id=access_key_id, aws_secret_access_key=secret_access_key) - client.create_bucket(Bucket='delete-this-dummy-bucket') + response = client.create_bucket(Bucket='delete-this-dummy-bucket') + response_date = response['ResponseMetadata']['HTTPHeaders']['date'] + print(str(datetime.strptime(response_date, formats[0]).strftime(formats[1]))[:-3]) except ClientError as e: logging.error(e) diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml b/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml index 41e855dae2..5c2f0b5917 100644 --- a/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml @@ -12,7 +12,7 @@ no no - 1m + 10s yes no 
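Review bot: Moving `remove_file(alerts_json)` and `e2e.delete_index_api(...)` below the teardown loop means any exception raised by `ansible_runner.run(**parameters)` (an unreadable inventory path, for instance) now skips both calls and leaves `alerts.json` and the index in place for the next test. Wrap the loop in `try:` … `finally:` and put the two cleanup calls in the `finally` block so they run regardless of how the teardown playbooks end. The loop body and the start of `clean_environment` are outside this hunk.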
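Review bot: In `create_bucket` a `ClientError` is only logged, so the script still exits 0 with nothing on stdout and the playbook that consumes `result.stdout_lines[0]` later fails on an undefined index instead of on the real AWS error; after `logging.error(e)` add `raise SystemExit(1)` so the failure surfaces in the step that caused it. The printed value `.strftime(formats[1])[:-3]` drops the seconds and the trailing `Z`, leaving a `YYYY-MM-DDTHH:MM:` prefix — if that minute-level match is intended, say so with `# Minute-precision prefix; the playbook greps alerts.json for it` rather than leaving the slice unexplained. The function signature and the hard-coded bucket name are outside this hunk.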
@@ -35,17 +35,24 @@ dest: /tmp mode: '0710' - - name: Install python v3.8.4 + - name: Check if python3 is installed + shell: python3.8 --version + ignore_errors: true + register: python_check + + - name: Install python v3.8.7 shell: | yum -y update - yum -y groupinstall "Development Tools" - yum -y install gcc openssl-devel bzip2-devel libffi-devel - curl -O https://www.python.org/ftp/python/3.8.4/Python-3.8.4.tgz - tar xvf Python-3.8.4.tgz - cd Python-3.8.4 - ./configure --enable-optimizations --with-ensurepip=install - make -j 8 + yum -y install wget make gcc openssl-devel bzip2-devel + wget https://www.python.org/ftp/python/3.8.7/Python-3.8.7.tgz + tar xzf Python-3.8.7.tgz + cd Python-3.8.7 + ./configure --enable-optimizations make altinstall + ln -sfn /usr/local/bin/python3.8 /usr/bin/python3.8 + ln -sfn /usr/local/bin/pip3.8 /usr/bin/pip3.8 + # Do not install python3 if it is already installed + when: python_check is failed - name: Install boto3 python package (script dependency) shell: python3.8 -m pip install boto3 diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml b/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml index 811d63700e..0181e7be76 100644 --- a/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml 
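Review bot: The install task downloads `Python-3.8.7.tgz` with `wget` and builds and installs it as root without verifying the archive, and the following task installs `boto3` unpinned, so two unverified supply-chain inputs land on the manager on every fresh run. Fetch the tarball with `ansible.builtin.get_url` and a `checksum: sha256:<value published on the python.org 3.8.7 release page>` before `tar xzf`, and pin the dependency, e.g. `shell: python3.8 -m pip install boto3==<version this test was validated with>`. The `ln -sfn` lines also overwrite whatever `/usr/bin/python3.8` already points to; a comment stating that this host is disposable test infrastructure would justify that.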
@@ -1,21 +1,32 @@ - name: Generate events hosts: wazuh-manager + vars: + w_path: /var/ossec/logs/alerts/alerts.json become: true tasks: - name: Truncate alerts file - shell: echo "" > /var/ossec/logs/alerts/alerts.json + shell: echo "" > {{ w_path }} # Create a bucket using the AWS API - name: Run the script using python3 (create S3 bucket) script: "{{ aws_s3_script }} -a {{ aws_access_key_id }} -s {{ aws_secret_access_key }}" + register: result - - name: Wait for alerts to be generated - wait_for: - timeout: 10 + - debug: + var: result + + - name: Wait for the alert to be generated + shell: "( tail -f -n0 {{ w_path }} & ) | grep -q '{{ result.stdout_lines[0] }}.*{{ex}}' && echo '' > {{ w_path }}" + register: result + async: 480 + poll: 60 + + - debug: + var: result.stderr - name: Get alerts.json fetch: - src: /var/ossec/logs/alerts/alerts.json + src: "{{ w_path }}" dest: /tmp/ flat: true diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/data/test_cases/cases_aws_infrastructure_monitoring.yaml b/tests/end_to_end/test_aws_infrastructure_monitoring/data/test_cases/cases_aws_infrastructure_monitoring.yaml index 57c68bfe06..ddf957ab2d 100644 --- a/tests/end_to_end/test_aws_infrastructure_monitoring/data/test_cases/cases_aws_infrastructure_monitoring.yaml +++ b/tests/end_to_end/test_aws_infrastructure_monitoring/data/test_cases/cases_aws_infrastructure_monitoring.yaml @@ -8,3 +8,5 @@ rule.id: 80202 rule.description: AWS Cloudtrail{{":"}} s3.amazonaws.com - CreateBucket. rule.level: 3 + extra_vars: + ex: CreateBucket From bae47e1d31196c64bbaebfc305a6603cb2321cd7 Mon Sep 17 00:00:00 2001 From: Julia Date: Thu, 14 Jul 2022 13:13:24 +0200 Subject: [PATCH 198/552] fix: Fix brute force `generate_events` --- .../data/playbooks/generate_events.yaml | 23 +++++++++++-------- 1 file changed, 14 insertions(+), 9 deletions(-) 
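Review bot: The `script` task passes `{{ aws_secret_access_key }}` on the command line and the new `register: result` / `debug: var: result` pair then prints that task's result, so the secret is visible in `ps` on the manager while the script runs and can end up in Ansible output and CI logs (with `-v` the task arguments are printed anyway); add `no_log: true` to the script task and debug only `result.stdout_lines` if the timestamp is needed. The later `grep -q '{{ result.stdout_lines[0] }}.*{{ex}}'` also assumes the script wrote a line; when bucket creation fails the script prints nothing and this task fails on an undefined index rather than on the AWS error, so a `failed_when: result.stdout_lines | length == 0` on the script task would localise that. Passing the keys through `environment:` on the task and reading them with `os.environ` in the script would keep them out of argv altogether.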
diff --git a/tests/end_to_end/test_brute_force/data/playbooks/generate_events.yaml b/tests/end_to_end/test_brute_force/data/playbooks/generate_events.yaml index 7266cf419c..0c3c3f0cef 100644 --- a/tests/end_to_end/test_brute_force/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_brute_force/data/playbooks/generate_events.yaml @@ -10,26 +10,31 @@ hosts: localhost tasks: - - name: ssh connection + - name: SSH fingerprint + expect: + command: ssh test_user@wazuh-agent + responses: + (.*)continue connecting(.*): 'yes' + timeout: 5 + register: result + failed_when: + - "'password' not in result.stdout" + + - name: SSH connection expect: command: ssh {{item}}@wazuh-agent timeout: 5 responses: - Password: 1 + (?i)password: 1 loop: - test_user - test_user - test_user - - test_user - - test_user - - test_user - - test_user - - test_user ignore_errors: true - name: Wait for alert - pause: - seconds: 5 + wait_for: + timeout: 5 - name: Get logs hosts: wazuh-manager From 962199da5cc10521d0b5350e81e2722a6c3ecda0 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Thu, 14 Jul 2022 10:59:50 -0300 Subject: [PATCH 199/552] add: cases yaml windows --- .../data/playbooks/generate_events.yaml | 6 +- .../cases_vulnerability_detector.yaml | 10 +-- .../test_vulnerability_detector_windows.py | 69 +++++++++---------- 3 files changed, 42 insertions(+), 43 deletions(-) diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/generate_events.yaml b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/generate_events.yaml index f9a0a7db4b..c544b89ab6 100644 --- a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/generate_events.yaml 
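Review bot: The `SSH connection` loop runs with `ignore_errors: true` and registers nothing, so an unreachable `wazuh-agent` or a stopped sshd yields the same outcome as three rejected passwords and the test only fails later with a misleading "alert has not occurred"; register the loop and assert the prompt was actually reached, as the `SSH fingerprint` task already does: `register: result` and `failed_when: "'password' not in (result.stdout | default(''))"` in place of `ignore_errors: true`. The `(.*)continue connecting(.*): 'yes'` response blindly accepts the agent's host key, which is fine for a lab but deserves `# Test lab only: first connection accepts the unknown host key (TOFU)` next to it. Each ssh invocation may prompt for the password more than once before sshd disconnects, so the number of failed logins the rule sees is likely a multiple of the three loop items rather than three — worth a comment beside the loop since the count was just reduced from eight.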
@@ -10,10 +10,8 @@ hosts: wazuh-windows tasks: - - name: Install mozilla - ansible.windows.win_shell: | - Invoke-WebRequest -Uri "https://ftp.mozilla.org/pub/firefox/releases/92.0/win64/en-US/Firefox Setup 92.0.exe" -OutFile "C:\temp\test.exe" - Start-Process -Wait -FilePath "C:\temp\test.exe" -ArgumentList "/S" -PassThru + - name: "{{ event_description }}" + ansible.windows.win_shell: "{{ command }}" - name: Wait alert hosts: wazuh-manager diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/test_cases/cases_vulnerability_detector.yaml b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/test_cases/cases_vulnerability_detector.yaml index d3a0265d4d..4037ef795b 100644 --- a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/test_cases/cases_vulnerability_detector.yaml +++ b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/test_cases/cases_vulnerability_detector.yaml @@ -1,10 +1,12 @@ - name: vulnerability_detector - description: Detect vim vulnerability + description: Detect Mozilla vulnerability configuration_parameters: null metadata: extra_vars: - event_description: Install vulnerable vim package - command: apt install vim=2:8.1.2269-1ubuntu5.7 + event_description: Install vulnerable Mozilla package + command: | + Invoke-WebRequest -Uri "https://ftp.mozilla.org/pub/firefox/releases/92.0/win64/en-US/Firefox Setup 92.0.exe" -OutFile "C:\temp\test.exe" + Start-Process -Wait -FilePath "C:\temp\test.exe" -ArgumentList "/S" -PassThru rule.id: 23505 rule.level: 10 - rule.description: CVE-2022-1621 affects vim + rule.description: CVE-2021-30547 affects Mozilla Firefox \(x64 en-US\) 
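Review bot: The new `command` downloads `Firefox Setup 92.0.exe` and immediately runs it with `/S`, with no integrity check on what `Invoke-WebRequest` wrote to `C:\temp\test.exe`, so a truncated or substituted download is executed silently on the agent. Mozilla publishes SHA256 sums alongside each release, so verify before `Start-Process`: `if ((Get-FileHash "C:\temp\test.exe" -Algorithm SHA256).Hash -ne "<sha256 from the 92.0 SHA256SUMS file>") { throw "installer checksum mismatch" }`. `Invoke-WebRequest` also fails if `C:\temp` does not already exist, so `New-Item -ItemType Directory -Force "C:\temp" | Out-Null` as the first line would make the case self-contained. The escaped `\(x64 en-US\)` in `rule.description` shows the value is consumed as a regex by the test; a one-line comment saying so would stop the next editor from unescaping it.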
diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detector_windows.py b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detector_windows.py index 6adee793b8..1aec61a533 100644 --- a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detector_windows.py +++ b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detector_windows.py 
@@ -24,49 +24,48 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -#@pytest.mark.parametrize('metadata', configuration_metadata) -def test_vulnerability_detector(configure_environment, generate_events, clean_environment): +@pytest.mark.parametrize('metadata', configuration_metadata) +def test_vulnerability_detector(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_environment): """ - Test to detect a vulnerability (Ubuntu 20.04) + Test to detect a vulnerability (Windows) """ - print('HOLAAAA') - # rule_level = metadata['rule.level'] - # rule_description = metadata['rule.description'] - # rule_id = metadata['rule.id'] + rule_level = metadata['rule.level'] + rule_description = metadata['rule.description'] + rule_id = metadata['rule.id'] - # expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{rule_level},' \ - # fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' + expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{rule_level},' \ + fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' - # expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \ - # fr'.*"id": "{rule_id}".*' \ - # r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' + expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \ + fr'.*"id": "{rule_id}".*' \ + r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' - # query = e2e.make_query([ - # { - # "term": { - # "rule.id": f"{rule_id}" - # } - # } - # ]) + query = e2e.make_query([ + { + "term": { + "rule.id": f"{rule_id}" + } + } + ]) - # # Check that alert has been raised and save timestamp - # raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - # error_message='The alert has not occurred').result() - # raised_alert_timestamp = 
raised_alert.group(1) - # raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') + # Check that alert has been raised and save timestamp + raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + error_message='The alert has not occurred').result() + raised_alert_timestamp = raised_alert.group(1) + raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') - # # Get indexed alert - # response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) - # indexed_alert = json.dumps(response.json()) + # Get indexed alert + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + indexed_alert = json.dumps(response.json()) - # # Check that the alert data is the expected one - # alert_data = re.search(expected_indexed_alert, indexed_alert) - # assert alert_data is not None, 'Alert triggered, but not indexed' + # Check that the alert data is the expected one + alert_data = re.search(expected_indexed_alert, indexed_alert) + assert alert_data is not None, 'Alert triggered, but not indexed' - # # Get indexed alert timestamp - # indexed_alert_timestamp = alert_data.group(1) - # indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), '%Y-%m-%d %H:%M:%S') + # Get indexed alert timestamp + indexed_alert_timestamp = alert_data.group(1) + indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), '%Y-%m-%d %H:%M:%S') - # # Check that alert has been indexed (checking that the timestamp is the expected one) - # assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' + # Check that alert has been indexed (checking that the timestamp is the expected one) + assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' 
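Review bot: Both assertions carry the message 'Alert triggered, but not indexed', so a timestamp mismatch on the last line is reported as a missing index entry; change the final one to `assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert indexed, but its timestamp differs from alerts.json'`. The indexer response is dumped with `json.dumps(response.json())` and regex-searched without checking the HTTP status, so a 401/403 or 5xx body produces the same 'not indexed' failure with no hint of the cause; assuming `get_alert_indexer_api` returns a `requests.Response` as the `.json()` call suggests, `assert response.ok, f'Indexer query failed: {response.status_code} {response.text}'` right after the call separates the two. `rule_description` is interpolated unescaped into both regexes (the cases file pre-escapes its parentheses to cope), which deserves a comment on `expected_alert_json` — or `re.escape` here if the cases file stops escaping. The function header and the module imports are outside this hunk.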
From aa9483429db613c3b35af6ea1fd2aba5897ca943 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Thu, 14 Jul 2022 12:00:33 -0300 Subject: [PATCH 200/552] fix: renamed test linux --- ...erability_detector.py => test_vulnerability_detector_linux.py} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/{test_vulnerability_detector.py => test_vulnerability_detector_linux.py} (100%) diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector.py b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py similarity index 100% rename from tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector.py rename to tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py From 9f1d4dc35c3c24da8093cd5ace3c4cd4c7025d12 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Thu, 14 Jul 2022 15:55:07 -0300 Subject: [PATCH 201/552] add: teardown playbooks --- .../data/playbooks/teardown_playbook.yaml | 7 +++++++ .../test_vulnerability_detector_linux.py | 5 +++-- .../data/playbooks/teardown_playbook.yaml | 7 +++++++ .../data/test_cases/cases_vulnerability_detector.yaml | 3 ++- .../test_vulnerability_detector_windows.py | 5 +++-- 5 files changed, 22 insertions(+), 5 deletions(-) create mode 100644 tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/teardown_playbook.yaml create mode 100644 tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/teardown_playbook.yaml 
diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/teardown_playbook.yaml b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/teardown_playbook.yaml new file mode 100644 index 0000000000..627d6b3bf1 --- /dev/null +++ b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/teardown_playbook.yaml @@ -0,0 +1,7 @@ +- name: Cleanup environment + hosts: wazuh-agent + become: true + tasks: + + - name: Uninstall vim vulnerable package + command: apt-get remove vim -y diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py index 83c36055dc..e19bdc9e2b 100644 --- a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py +++ b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py @@ -18,6 +18,7 @@ # Playbooks configuration_playbooks = ['configuration.yaml'] events_playbooks = ['generate_events.yaml'] +teardown_playbook = ['teardown_playbook.yaml'] # Configuration configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) @@ -25,7 +26,8 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata) -def test_vulnerability_detector(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_environment): +def test_vulnerability_detector(configure_environment, metadata, get_dashboard_credentials, generate_events, + clean_environment): """ Test to detect a vulnerability (Ubuntu 20.04) """ 
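Review bot: The teardown shells out with `command: apt-get remove vim -y` where the `ansible.builtin.apt` module is idempotent and reports failures properly: `apt: name: vim state: absent`. If the intent is to fully undo the install, `purge: true` also drops the configuration `apt-get remove` leaves behind. A one-line comment naming the test that installs the package would tell a reader why a teardown removes an editor.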
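Review bot: The new attribute is `teardown_playbook` (singular) while the conftest fixture shown later in this series reads `getattr(request.module, 'teardown_playbooks')` with no default, so as far as this page shows the list is never used and the fixture raises `AttributeError` for this module; rename it to `teardown_playbooks = ['teardown_playbook.yaml']` to match `configuration_playbooks` and `events_playbooks` above it. A comment on the three lists, e.g. `# Read by the conftest fixtures: setup, event generation and teardown playbooks under data/playbooks`, would document the contract the fixtures depend on.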
@@ -48,7 +50,6 @@ def test_vulnerability_detector(configure_environment, metadata, get_dashboard_c } ]) - # Check that alert has been raised and save timestamp raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, error_message='The alert has not occurred').result() diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/teardown_playbook.yaml b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/teardown_playbook.yaml new file mode 100644 index 0000000000..4e04411ee0 --- /dev/null +++ b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/teardown_playbook.yaml @@ -0,0 +1,7 @@ +- name: Cleanup environment + hosts: wazuh-windows + tasks: + + - name: Unistall Mozilla Firefox vulnerable package + ansible.windows.win_shell: | + Start-Process "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" -ArgumentList "/S" -Wait diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/test_cases/cases_vulnerability_detector.yaml b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/test_cases/cases_vulnerability_detector.yaml index 4037ef795b..74d9184d15 100644 --- a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/test_cases/cases_vulnerability_detector.yaml +++ b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/test_cases/cases_vulnerability_detector.yaml 
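Review bot: The uninstall leaves the downloaded installer `C:\temp\test.exe` on the agent, so nothing ever removes it; add `Remove-Item "C:\temp\test.exe" -Force -ErrorAction SilentlyContinue` after the `Start-Process` line. If Firefox is not present, `Start-Process` on the missing `helper.exe` will most likely fail the task and with it the whole teardown, so guard it with `if (Test-Path "C:\Program Files\Mozilla Firefox\uninstall\helper.exe") { ... }` to keep cleanup best-effort. The task name also has a typo (`Unistall`).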
@@ -5,7 +5,8 @@ extra_vars: event_description: Install vulnerable Mozilla package command: | - Invoke-WebRequest -Uri "https://ftp.mozilla.org/pub/firefox/releases/92.0/win64/en-US/Firefox Setup 92.0.exe" -OutFile "C:\temp\test.exe" + Invoke-WebRequest -Uri "https://ftp.mozilla.org/pub/firefox/releases/92.0/win64/en-US/Firefox Setup 92.0.exe" ` + -OutFile "C:\temp\test.exe" Start-Process -Wait -FilePath "C:\temp\test.exe" -ArgumentList "/S" -PassThru rule.id: 23505 rule.level: 10 diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detector_windows.py b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detector_windows.py index 1aec61a533..2698876a29 100644 --- a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detector_windows.py +++ b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detector_windows.py @@ -18,6 +18,7 @@ # Playbooks configuration_playbooks = ['configuration.yaml'] events_playbooks = ['generate_events.yaml'] +teardown_playbook = ['teardown_playbook.yaml'] # Configuration configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) @@ -25,7 +26,8 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata) -def test_vulnerability_detector(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_environment): +def test_vulnerability_detector(configure_environment, metadata, get_dashboard_credentials, generate_events, + clean_environment): """ Test to detect a vulnerability (Windows) """ 
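Review bot: As in the Linux module, the attribute is declared as `teardown_playbook` while the conftest fixture in this series looks up `teardown_playbooks`; rename it to `teardown_playbooks = ['teardown_playbook.yaml']` so the Windows teardown actually runs and the fixture's `getattr` does not raise. Keeping the plural also matches the two list names directly above it.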
@@ -48,7 +50,6 @@ def test_vulnerability_detector(configure_environment, metadata, get_dashboard_c } ]) - # Check that alert has been raised and save timestamp raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, error_message='The alert has not occurred').result() From 94154ac20ec619e0ee33d1d6de585e1e63197f6a Mon Sep 17 00:00:00 2001 From: Julia Date: Fri, 15 Jul 2022 13:58:11 +0200 Subject: [PATCH 202/552] fix: Change teardown scope --- tests/end_to_end/conftest.py | 35 ++++++++----------- tests/end_to_end/test_audit/test_audit.py | 2 +- .../test_brute_force/test_brute_force.py | 2 +- .../test_detecting_suspicious_binaries.py | 2 +- .../test_docker_monitoring.py | 2 +- .../test_osquery_integration.py | 2 +- .../test_shellshock_attack_detection.py | 2 +- .../test_virustotal_active_response.py | 2 +- .../test_virustotal_fim.py | 2 +- 9 files changed, 22 insertions(+), 29 deletions(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 59cd5b5891..4cdfadf631 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py 
@@ -14,35 +14,15 @@ @pytest.fixture(scope='function') -def clean_environment(get_dashboard_credentials, request, metadata): +def clean_alerts_index(get_dashboard_credentials): """Remove the temporary file that contains the alerts and delete indices using the API. Args: credentials (dict): wazuh-indexer credentials. - request (fixture): Provide information on the executing test function. - metadata (dict): Dictionary with test case metadata. """ yield remove_file(alerts_json) e2e.delete_index_api(credentials=get_dashboard_credentials) - inventory_playbook = request.config.getoption('--inventory_path') - - if not inventory_playbook: - raise ValueError('Inventory not specified') - - teardown_playbooks = getattr(request.module, 'teardown_playbooks') - - # Execute each playbook for the teardown - if teardown_playbooks is not None: - for playbook in teardown_playbooks: - teardown_playbook_path = os.path.join(getattr(request.module, 'test_data_path'), 'playbooks', playbook) - - parameters = {'playbook': teardown_playbook_path, 'inventory': inventory_playbook} - # Check if the test case has extra variables to pass to the playbook and add them to the parameters in that case - if 'extra_vars' in metadata: - parameters.update({'extravars': metadata['extra_vars']}) - - ansible_runner.run(**parameters) @pytest.fixture(scope='module') @@ -92,6 +72,19 @@ def configure_environment(request): ansible_runner.run(**parameters) + yield + + teardown_playbooks = getattr(request.module, 'teardown_playbooks') + + # Execute each playbook for the teardown + if teardown_playbooks is not None: + for playbook in teardown_playbooks: + teardown_playbook_path = os.path.join(getattr(request.module, 'test_data_path'), 'playbooks', playbook) + + parameters = {'playbook': teardown_playbook_path, 'inventory': inventory_playbook} + + ansible_runner.run(**parameters) + @pytest.fixture(scope='function') def generate_events(request, metadata): 
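Review bot: The docstring of `clean_alerts_index` still documents `credentials (dict)` although the only parameter is now `get_dashboard_credentials`; rewrite the Args entry as `get_dashboard_credentials (dict): wazuh-indexer credentials used to delete the alerts index.` and add `Runs after each test: removes the local alerts.json copy and deletes the indexed alerts.` so the post-`yield` ordering is stated. Since environment teardown has moved out of this fixture, the summary line should no longer imply it cleans anything on the managed hosts.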
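Review bot: The teardown moved into `configure_environment` no longer passes the test case's `extra_vars` as `extravars` the way the removed `clean_environment` code did, so any teardown playbook that uses variables from the cases file will hit undefined variables at module teardown; if that is deliberate because teardown is now module-scoped, a comment saying so would stop someone re-adding it. `getattr(request.module, 'teardown_playbooks')` has no default, so a test module without that attribute fails at teardown with `AttributeError` instead of skipping cleanly — `getattr(request.module, 'teardown_playbooks', None)` is what the `is not None` check that follows expects. `ansible_runner.run(**parameters)` discards its result, so a failed teardown leaves the agent dirty for the next module while the run stays green; `run = ansible_runner.run(**parameters)` followed by `if run.rc != 0: raise RuntimeError(f'Teardown playbook {playbook} failed (rc={run.rc})')` makes that visible. `inventory_playbook` is defined in the part of the fixture above this hunk.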
diff --git a/tests/end_to_end/test_audit/test_audit.py b/tests/end_to_end/test_audit/test_audit.py index 69dc45ab22..9c73ba7890 100644 --- a/tests/end_to_end/test_audit/test_audit.py +++ b/tests/end_to_end/test_audit/test_audit.py @@ -21,7 +21,7 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_audit(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_environment): +def test_audit(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): level = metadata['level'] description = metadata['description'] rule_id = metadata['rule.id'] diff --git a/tests/end_to_end/test_brute_force/test_brute_force.py b/tests/end_to_end/test_brute_force/test_brute_force.py index dc57f88239..627951572f 100644 --- a/tests/end_to_end/test_brute_force/test_brute_force.py +++ b/tests/end_to_end/test_brute_force/test_brute_force.py @@ -23,7 +23,7 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_brute_force(metadata, get_dashboard_credentials, generate_events, clean_environment): +def test_brute_force(metadata, get_dashboard_credentials, generate_events, clean_alerts_index): """ Test to detect a SSH Brute Force attack """ diff --git a/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py b/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py index 7c3cc61247..f221bbd1e1 100644 --- a/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py +++ b/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py 
@@ -28,7 +28,7 @@ @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') def test_detecting_suspicious_binaries(configure_environment, metadata, get_dashboard_credentials, generate_events, - clean_environment): + clean_alerts_index): rule_description = metadata['rule.description'] rule_id = metadata['rule.id'] rule_level = metadata['rule.level'] diff --git a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py index fb3a855139..ca594f7ffd 100644 --- a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py +++ b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py @@ -26,7 +26,7 @@ @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') def test_docker_monitoring(configure_environment, metadata, get_dashboard_credentials, generate_events, - clean_environment): + clean_alerts_index): rule_description = metadata['rule.description'] rule_id = metadata['rule.id'] rule_level = metadata['rule.level'] diff --git a/tests/end_to_end/test_osquery_integration/test_osquery_integration.py b/tests/end_to_end/test_osquery_integration/test_osquery_integration.py index d7c4073dcd..b8ae95f315 100644 --- a/tests/end_to_end/test_osquery_integration/test_osquery_integration.py +++ b/tests/end_to_end/test_osquery_integration/test_osquery_integration.py @@ -24,7 +24,7 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) def test_osquery_integration(configure_environment, metadata, get_dashboard_credentials, generate_events, - clean_environment): + clean_alerts_index): rule_level = metadata['rule.level'] rule_description = metadata['rule.description'] rule_id = metadata['rule.id'] 
diff --git a/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py b/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py index fd6fa87873..3273688cbc 100644 --- a/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py +++ b/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py @@ -22,7 +22,7 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) def test_shellshock_attack_detection(configure_environment, metadata, get_dashboard_credentials, generate_events, - clean_environment): + clean_alerts_index): rule_level = metadata['rule.level'] rule_description = metadata['rule.description'] rule_id = metadata['rule.id'] diff --git a/tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py b/tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py index 68202381fe..26b309968f 100644 --- a/tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py +++ b/tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py @@ -23,7 +23,7 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_virustotal(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_environment): +def test_virustotal(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): """ Test to delete a malicious file detected by virustotal """ diff --git a/tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py b/tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py index b6bcca93aa..c8d5753195 100644 
--- a/tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py +++ b/tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py @@ -22,7 +22,7 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_virustotal(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_environment): +def test_virustotal(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): """ Test to scanning a file using FIM and then do a request to virustotal to check if it is malicious """ From de2f288d51c467f924814e1bf169de893639f942 Mon Sep 17 00:00:00 2001 From: Julia Date: Fri, 15 Jul 2022 13:59:40 +0200 Subject: [PATCH 203/552] fix: Change tests name --- tests/end_to_end/test_netcat/test_netcat.py | 2 +- tests/end_to_end/test_sql_injection/test_sql_injection.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/end_to_end/test_netcat/test_netcat.py b/tests/end_to_end/test_netcat/test_netcat.py index b960fa482b..bcdd65a336 100644 --- a/tests/end_to_end/test_netcat/test_netcat.py +++ b/tests/end_to_end/test_netcat/test_netcat.py @@ -24,7 +24,7 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_audit(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_environment): +def test_netcat(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): rule_level = metadata['rule.level'] rule_description = metadata['rule.description'] rule_id = metadata['rule.id'] diff --git a/tests/end_to_end/test_sql_injection/test_sql_injection.py b/tests/end_to_end/test_sql_injection/test_sql_injection.py index ae6fea80c9..06008d1a09 100644 
--- a/tests/end_to_end/test_sql_injection/test_sql_injection.py +++ b/tests/end_to_end/test_sql_injection/test_sql_injection.py @@ -21,7 +21,7 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_audit(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_environment): +def test_sql_injection(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): """ Test to detect a SQL injection attack """ From c386d04ea0affd8e36aa768b5a13fb2488dc4dec Mon Sep 17 00:00:00 2001 From: Julia Date: Fri, 15 Jul 2022 14:52:45 +0200 Subject: [PATCH 204/552] fix: Delete expected euid --- tests/end_to_end/test_audit/data/test_cases/cases_audit.yaml | 1 - tests/end_to_end/test_audit/test_audit.py | 5 ++--- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/tests/end_to_end/test_audit/data/test_cases/cases_audit.yaml b/tests/end_to_end/test_audit/data/test_cases/cases_audit.yaml index c888904858..bb46aa7e91 100644 --- a/tests/end_to_end/test_audit/data/test_cases/cases_audit.yaml +++ b/tests/end_to_end/test_audit/data/test_cases/cases_audit.yaml @@ -9,6 +9,5 @@ level: 3 description: "Audit\\: Command\\: \\/usr\\/bin\\/ping." extra: - euid: 1000 a3: \\"www\.google\.com\\" data.audit.command: ping diff --git a/tests/end_to_end/test_audit/test_audit.py b/tests/end_to_end/test_audit/test_audit.py index 9c73ba7890..e37ef235b5 100644 --- a/tests/end_to_end/test_audit/test_audit.py +++ b/tests/end_to_end/test_audit/test_audit.py 
@@ -25,14 +25,13 @@ def test_audit(configure_environment, metadata, get_dashboard_credentials, gener level = metadata['level'] description = metadata['description'] rule_id = metadata['rule.id'] - euid = metadata['extra']['euid'] a3 = metadata['extra']['a3'] data_audit_command = metadata['extra']['data.audit.command'] expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{level},' \ - fr'"description"\:"{description}","id"\:"{rule_id}".*euid={euid}.*a3={a3}.*\}}' + fr'"description"\:"{description}","id"\:"{rule_id}".*a3={a3}.*\}}' expected_indexed_alert = fr'.*"rule":.*"level": {level}, "description": "{description}".*"id": "{rule_id}".*' \ - fr'euid={euid}.*comm=\\"{data_audit_command}\\".*a3={a3}.*' \ + fr'comm=\\"{data_audit_command}\\".*a3={a3}.*' \ r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' # Check that alert has been raised and save timestamp From d0d1b087836b00774877a080b7aef4131ad02aeb Mon Sep 17 00:00:00 2001 From: Julia Date: Fri, 15 Jul 2022 17:10:25 +0200 Subject: [PATCH 205/552] fix: Fix brute force events to work with instances --- .../data/playbooks/generate_events.yaml | 24 +++++++++---------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/tests/end_to_end/test_brute_force/data/playbooks/generate_events.yaml b/tests/end_to_end/test_brute_force/data/playbooks/generate_events.yaml index 0c3c3f0cef..a502e98b27 100644 --- a/tests/end_to_end/test_brute_force/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_brute_force/data/playbooks/generate_events.yaml 
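Review bot: Dropping `euid={euid}` from both `expected_alert_json` and `expected_indexed_alert` removes the only assertion that the execve event was attributed to the expected effective UID, so the test now passes for a ping run by any user as long as `comm` and `a3` match. If the value was removed because uid 1000 does not hold on the new instances (the commit title suggests this, but the reason is not visible here), obtain it at runtime instead of deleting the check — e.g. register `id -u` in the events playbook and surface it through `extra_vars`, or take it from the inventory — and keep `.*euid={euid}` in the patterns. `test_audit`'s signature and the rest of its body are outside the hunk.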
@@ -10,27 +10,25 @@ hosts: localhost tasks: - - name: SSH fingerprint - expect: - command: ssh test_user@wazuh-agent - responses: - (.*)continue connecting(.*): 'yes' - timeout: 5 - register: result - failed_when: - - "'password' not in result.stdout" - - name: SSH connection expect: - command: ssh {{item}}@wazuh-agent - timeout: 5 + command: ssh {{item}}@wazuh-agent -i {{hostvars['wazuh-agent']['ansible_ssh_private_key_file']}} responses: + (.*)continue connecting(.*): 'yes' (?i)password: 1 + timeout: 5 loop: - test_user - test_user - test_user - ignore_errors: true + - test_user + - test_user + - test_user + - test_user + - test_user + register: result + failed_when: + - "'Permission denied' not in result.stdout" - name: Wait for alert wait_for: From f1550e844fa7bd44707f45decc6ccf2e4f818e0a Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Fri, 15 Jul 2022 12:37:03 -0300 Subject: [PATCH 206/552] fix: several fixes were applied. #3079 --- .../README.md | 36 +++++++++++++++++++ ...{aws_s3_api.py => aws_cloudtrail_event.py} | 0 .../data/playbooks/configuration.yaml | 6 ---- .../data/playbooks/generate_events.yaml | 18 +++++----- .../data/playbooks/teardown_playbook.yaml | 5 --- .../cases_aws_infrastructure_monitoring.yaml | 6 ++-- .../test_aws_infrastructure_monitoring.py | 8 ++--- 7 files changed, 50 insertions(+), 29 deletions(-) create mode 100644 tests/end_to_end/test_aws_infrastructure_monitoring/README.md rename tests/end_to_end/test_aws_infrastructure_monitoring/data/configuration/{aws_s3_api.py => aws_cloudtrail_event.py} (100%) diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/README.md b/tests/end_to_end/test_aws_infrastructure_monitoring/README.md new file mode 100644 index 0000000000..bb42078c67 --- /dev/null +++ b/tests/end_to_end/test_aws_infrastructure_monitoring/README.md 
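Review bot: Offering the controller's private key with `-i {{hostvars['wazuh-agent']['ansible_ssh_private_key_file']}}` makes every attempt try publickey authentication first, so if that key is (or later becomes) authorized for `test_user` the loop produces successful logins rather than the failed-password events the brute-force rule needs, and `failed_when: "'Permission denied' not in result.stdout"` then fails the task instead of the test. Force a password failure regardless of which keys the controller holds: `command: ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null {{ item }}@wazuh-agent`; the last two options also avoid writing the agent's host key into the controller's known_hosts, which the `continue connecting` expect response currently does. Why the key is passed at all is not visible in the hunk; if it is needed for the connection to be accepted, a comment on the task should say so. Note that the `failed_when` relies on ssh's stderr being merged into `result.stdout` by the expect module's pty — presumably true, but worth a comment.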
@@ -0,0 +1,36 @@ +## Description + +The `test_aws_infrastructure_monitoring.py` module checks if alerts are triggered in the manager when an event obtained +from AWS services matches a rule. + +## Global requirements + +- Credentials (access key ID and secret access key) of an IAM User with permissions to: + - Create S3 Buckets + - Get data from S3 Buckets + - Create and configure a Trail + +### Use case: CloudTrail + +**Preconditions**: +- Create and configure a Trail (you will create an S3 bucket in this process) +- Create an inventory as follows: + ``` + all: + hosts: + wazuh-manager: + ansible_connection: ssh + ansible_user: USER + ansible_password: PASSWORD + ansible_ssh_private_key_file: PATH_TO_PRIVATE_KEY + ansible_python_interpreter: /usr/bin/python + dashboard_user: WAZUH_DASHBOARD_USER + dashboard_password: WAZUH_DASHBOARD_PASS + vars: + bucket_name: S3_BUCKET_OF_THE_TRAIL + aws_region: S3_BUCKET_REGION + aws_access_key_id: IAM_USER_ACCESS_KEY_ID + aws_secret_access_key: IAM_USER_SECRET_ACCESS_KEY + ``` + +**How to run**: `python -m pytest -s tests/end_to_end/test_aws_infrastructure_monitoring/ --inventory_path ` diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/data/configuration/aws_s3_api.py b/tests/end_to_end/test_aws_infrastructure_monitoring/data/configuration/aws_cloudtrail_event.py similarity index 100% rename from tests/end_to_end/test_aws_infrastructure_monitoring/data/configuration/aws_s3_api.py rename to tests/end_to_end/test_aws_infrastructure_monitoring/data/configuration/aws_cloudtrail_event.py diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml b/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml index 5c2f0b5917..15250c1fe3 100644 --- a/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml 
@@ -29,12 +29,6 @@ state: restarted name: wazuh-manager - - name: Copy the script to send a request to the AWS API - copy: - src: "{{ aws_s3_script }}" - dest: /tmp - mode: '0710' - - name: Check if python3 is installed shell: python3.8 --version ignore_errors: true diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml b/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml index 0181e7be76..9e24184b0d 100644 --- a/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml @@ -10,20 +10,18 @@ # Create a bucket using the AWS API - name: Run the script using python3 (create S3 bucket) - script: "{{ aws_s3_script }} -a {{ aws_access_key_id }} -s {{ aws_secret_access_key }}" - register: result - - - debug: - var: result + script: "{{ aws_api_script }} -a {{ aws_access_key_id }} -s {{ aws_secret_access_key }}" + register: time - name: Wait for the alert to be generated - shell: "( tail -f -n0 {{ w_path }} & ) | grep -q '{{ result.stdout_lines[0] }}.*{{ex}}' && echo '' > {{ w_path }}" - register: result + shell: "(tail -f -n0 {{ w_path }} &) | grep -q '{{ time.stdout_lines[0] }}.*{{ ev }}' && echo '' >> {{ w_path }}" + # Waiting 8 minutes, because that is the time for Cloudtrail to deliver the logs to the S3 bucket. async: 480 - poll: 60 + poll: 5 - - debug: - var: result.stderr + - name: Wait for alerts to be indexed + wait_for: + timeout: 10 - name: Get alerts.json fetch: diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/teardown_playbook.yaml b/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/teardown_playbook.yaml index d03ccee73e..bd311b93d5 100644 --- a/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/teardown_playbook.yaml 
+++ b/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/teardown_playbook.yaml @@ -9,11 +9,6 @@ marker: state: absent - - name: Remove the script (create S3 bucket via API) - file: - path: /tmp/aws_s3_api.py - state: absent - - name: Remove python3 installation file file: path: ./Python-3.8.4.tgz diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/data/test_cases/cases_aws_infrastructure_monitoring.yaml b/tests/end_to_end/test_aws_infrastructure_monitoring/data/test_cases/cases_aws_infrastructure_monitoring.yaml index ddf957ab2d..a0204f42e1 100644 --- a/tests/end_to_end/test_aws_infrastructure_monitoring/data/test_cases/cases_aws_infrastructure_monitoring.yaml +++ b/tests/end_to_end/test_aws_infrastructure_monitoring/data/test_cases/cases_aws_infrastructure_monitoring.yaml @@ -2,11 +2,11 @@ description: > AWS CloudTrail is a service used for auditing AWS accounts. It logs API calls (CloudTrail Event) stored for 90 days by default. - There are 2 types of events{{":"}} Management events (active by default) and data events. + There are 2 types of events: Management events (active by default) and data events. configuration_parameters: null metadata: rule.id: 80202 - rule.description: AWS Cloudtrail{{":"}} s3.amazonaws.com - CreateBucket. + rule.description: "AWS Cloudtrail: s3.amazonaws.com - CreateBucket." rule.level: 3 extra_vars: - ex: CreateBucket + ev: CreateBucket diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py b/tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py index f840ac9b2c..011ec88da5 100644 --- a/tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py +++ b/tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py 
@@ -19,14 +19,14 @@ test_cases_path = os.path.join(test_data_path, 'test_cases') test_cases_file_path = os.path.join(test_cases_path, 'cases_aws_infrastructure_monitoring.yaml') alerts_json = os.path.join(gettempdir(), 'alerts.json') -aws_s3_script = os.path.join(test_data_path, 'configuration', 'aws_s3_api.py') +aws_api_script = os.path.join(test_data_path, 'configuration', 'aws_cloudtrail_event.py') # Playbooks configuration_playbooks = ['configuration.yaml'] events_playbooks = ['generate_events.yaml'] teardown_playbook = ['teardown_playbook.yaml'] configuration_extra_vars = { - 'aws_s3_script': aws_s3_script, + 'aws_api_script': aws_api_script, 'date': datetime.strftime(datetime.now(), '%Y-%b-%d').upper() } @@ -43,6 +43,7 @@ def test_aws_infrastructure_monitoring(configure_environment, metadata, get_dash rule_level = metadata['rule.level'] timestamp_regex = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[\+|-]\d+' + import pdb; pdb.set_trace() expected_alert_json = fr".+timestamp\":\"({timestamp_regex})\",.+level\":{rule_level}.+description\"" \ fr":\"{rule_description}.+id.+{rule_id}.+" @@ -68,9 +69,6 @@ def test_aws_infrastructure_monitoring(configure_environment, metadata, get_dash raised_alert_timestamp = raised_alert.group(1) raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') - # Wait a few seconds for the alert to be indexed (alert.json -> filebeat -> wazuh-indexer) - sleep(fw.T_5) - # Get indexed alert response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) indexed_alert = json.dumps(response.json()) From bce75992592adc2c0c0a443b2671cebb38cce30c Mon Sep 17 00:00:00 2001 From: Julia Date: Fri, 15 Jul 2022 17:37:23 +0200 Subject: [PATCH 207/552] fix: Fix events in virustotal test --- .../data/playbooks/configuration.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/configuration.yaml b/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/configuration.yaml index 98fe79aa08..4e99ce5e95 100644 --- a/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/configuration.yaml @@ -84,18 +84,18 @@ become: true copy: src: "{{ active_response_script }}" - dest: /var/ossec/active-response + dest: /var/ossec/active-response/bin - name: Install jq (CentOS) become: true - shell: yum install jq + shell: yum install -y jq when: ansible_facts['distribution'] == "CentOS" - name: Change remove-threat.sh owner and permissions become: true shell: | chmod 750 /var/ossec/active-response/bin/remove-threat.sh - chown root:ossec /var/ossec/active-response/bin/remove-threat.sh + chown root:wazuh /var/ossec/active-response/bin/remove-threat.sh - name: Restart the agent shell: systemctl restart wazuh-agent From e924a6e6914d3204d148dd30eed2b6eb5c2bed06 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Fri, 15 Jul 2022 12:39:25 -0300 Subject: [PATCH 208/552] fix: remove debugger line. #3079 --- .../test_aws_infrastructure_monitoring.py | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py b/tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py index 011ec88da5..560730f260 100644 --- a/tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py +++ b/tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py 
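Review bot: The `copy` task that installs the active-response script into `/var/ossec/active-response/bin` lands the file with default permissions and a separate `shell` task later runs `chmod 750` and `chown root:wazuh`, so the script exists briefly with umask-derived permissions and the fix-up is neither idempotent nor checked. Set ownership and mode at copy time instead — add `owner: root`, `group: wazuh`, `mode: '0750'` under the `copy:` task — and drop the chmod/chown shell task. Likewise `shell: yum install -y jq` is better expressed as `package: name: jq state: present`, which is idempotent and does not need the CentOS-only `when` guard.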
@@ -43,7 +43,6 @@ def test_aws_infrastructure_monitoring(configure_environment, metadata, get_dash rule_level = metadata['rule.level'] timestamp_regex = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[\+|-]\d+' - import pdb; pdb.set_trace() expected_alert_json = fr".+timestamp\":\"({timestamp_regex})\",.+level\":{rule_level}.+description\"" \ fr":\"{rule_description}.+id.+{rule_id}.+" From 5cf91a10884dbda130a2cf87d535eecc2a9fa982 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Fri, 15 Jul 2022 12:53:44 -0300 Subject: [PATCH 209/552] fix: linter corrections applied and unused imports removed. #3079 --- .../data/configuration/aws_cloudtrail_event.py | 5 ++--- .../data/playbooks/generate_events.yaml | 2 +- .../test_aws_infrastructure_monitoring.py | 4 ---- 3 files changed, 3 insertions(+), 8 deletions(-) diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/data/configuration/aws_cloudtrail_event.py b/tests/end_to_end/test_aws_infrastructure_monitoring/data/configuration/aws_cloudtrail_event.py index 9184080230..e4e69bc705 100644 --- a/tests/end_to_end/test_aws_infrastructure_monitoring/data/configuration/aws_cloudtrail_event.py +++ b/tests/end_to_end/test_aws_infrastructure_monitoring/data/configuration/aws_cloudtrail_event.py @@ -34,8 +34,7 @@ def create_bucket(access_key_id, secret_access_key): secret_access_key (str): AWS secret access key """ try: - client = boto3.client('s3', aws_access_key_id=access_key_id, - aws_secret_access_key=secret_access_key) + client = boto3.client('s3', aws_access_key_id=access_key_id, aws_secret_access_key=secret_access_key) response = client.create_bucket(Bucket='delete-this-dummy-bucket') response_date = response['ResponseMetadata']['HTTPHeaders']['date'] print(str(datetime.strptime(response_date, formats[0]).strftime(formats[1]))[:-3]) @@ -49,4 +48,4 @@ def main(): if __name__ == '__main__': - main() \ No newline at end of file + main() 
diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml b/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml index 9e24184b0d..eb8b88b0df 100644 --- a/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml @@ -14,7 +14,7 @@ register: time - name: Wait for the alert to be generated - shell: "(tail -f -n0 {{ w_path }} &) | grep -q '{{ time.stdout_lines[0] }}.*{{ ev }}' && echo '' >> {{ w_path }}" + shell: (tail -f -n0 {{ w_path }} &) | grep -q '{{ time.stdout_lines[0] }}.*{{ ev }}' && echo '' >> {{ w_path }} # Waiting 8 minutes, because that is the time for Cloudtrail to deliver the logs to the S3 bucket. async: 480 poll: 5 diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py b/tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py index 560730f260..6ff1aedf4c 100644 --- a/tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py +++ b/tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py @@ -2,13 +2,9 @@ import json import re import pytest -from requests import request -import yaml from datetime import datetime from tempfile import gettempdir -from time import sleep -import wazuh_testing as fw from wazuh_testing.tools.time import parse_date_time_format from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm From 2f7e3a42892cefaff6dfb7343d65e0fb0d927537 Mon Sep 17 00:00:00 2001 
From: Mauro Malara Date: Fri, 15 Jul 2022 18:58:39 -0300 Subject: [PATCH 210/552] feat(test)!: module to test the integration with yara was added. #3085 --- tests/end_to_end/conftest.py | 7 + .../data/configuration/malware_downloader.sh | 39 +++++ .../data/configuration/yara_script.sh | 51 +++++++ .../data/playbooks/configuration.yaml | 138 ++++++++++++++++++ .../data/playbooks/generate_events.yaml | 22 +++ .../data/playbooks/teardown.yaml | 48 ++++++ .../test_cases/cases_yara_integration.yaml | 10 ++ .../test_yara_integration.py | 83 +++++++++++ 8 files changed, 398 insertions(+) create mode 100644 tests/end_to_end/test_yara_integration/data/configuration/malware_downloader.sh create mode 100644 tests/end_to_end/test_yara_integration/data/configuration/yara_script.sh create mode 100644 tests/end_to_end/test_yara_integration/data/playbooks/configuration.yaml create mode 100644 tests/end_to_end/test_yara_integration/data/playbooks/generate_events.yaml create mode 100644 tests/end_to_end/test_yara_integration/data/playbooks/teardown.yaml create mode 100644 tests/end_to_end/test_yara_integration/data/test_cases/cases_yara_integration.yaml create mode 100644 tests/end_to_end/test_yara_integration/test_yara_integration.py diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index f039ee4401..50924c1e9b 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py 
@@ -106,9 +106,16 @@ def generate_events(request, metadata): events_playbook_path = os.path.join(getattr(request.module, 'test_data_path'), 'playbooks', playbook) parameters = {'playbook': events_playbook_path, 'inventory': inventory_playbook} + # Check if the test case has extra variables to pass to the playbook and add them to the parameters in that case + # Also, add the module extra vars if it is configured. + module_extra_vars = getattr(request.module, 'configuration_extra_vars', None) if 'extra_vars' in metadata: parameters.update({'extravars': metadata['extra_vars']}) + if module_extra_vars is not None: + parameters['extravars'].update(module_extra_vars) + elif module_extra_vars is not None: + parameters.update({'extravars': module_extra_vars}) ansible_runner.run(**parameters) diff --git a/tests/end_to_end/test_yara_integration/data/configuration/malware_downloader.sh b/tests/end_to_end/test_yara_integration/data/configuration/malware_downloader.sh new file mode 100644 index 0000000000..f7260ddacb --- /dev/null +++ b/tests/end_to_end/test_yara_integration/data/configuration/malware_downloader.sh 
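Review bot: `parameters['extravars'].update(module_extra_vars)` mutates `metadata['extra_vars']` in place, because `parameters['extravars']` is that same dict, so the module-level variables leak into the parametrized test-case metadata and persist for every later playbook and test that shares it. Build a fresh dict and collapse the three branches: `extravars = {**metadata.get('extra_vars', {}), **(module_extra_vars or {})}` / `if extravars:` / `    parameters['extravars'] = extravars`. The merge also gives `configuration_extra_vars` precedence over same-named test-case keys; a one-line comment stating that precedence would save a future debugging session. `generate_events` begins outside the hunk.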
@@ -0,0 +1,39 @@ +#!/bin/bash +# Wazuh - Malware Downloader for test purposes +# Copyright (C) 2015-2022, Wazuh Inc. +# +# This program is free software; you can redistribute it +# and/or modify it under the terms of the GNU General Public +# License (version 2) as published by the FSF - Free Software +# Foundation. + +function fetch_sample(){ + + curl -s -XGET "$1" -o "$2" + +} + +echo +# Mirai +echo "# Mirai: https://en.wikipedia.org/wiki/Mirai_(malware)" +echo "Downloading malware sample..." +fetch_sample "https://wazuh-demo.s3-us-west-1.amazonaws.com/mirai" "/tmp/yara/malware/mirai" && echo "Done!" || echo "Error while downloading." +echo + +# Xbash +echo "# Xbash: https://unit42.paloaltonetworks.com/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/" +echo "Downloading malware sample..." +fetch_sample "https://wazuh-demo.s3-us-west-1.amazonaws.com/xbash" "/tmp/yara/malware/xbash" && echo "Done!" || echo "Error while downloading." +echo + +# VPNFilter +echo "# VPNFilter: https://news.sophos.com/en-us/2018/05/24/vpnfilter-botnet-a-sophoslabs-analysis/" +echo "Downloading malware sample..." +fetch_sample "https://wazuh-demo.s3-us-west-1.amazonaws.com/vpn_filter" "/tmp/yara/malware/vpn_filter" && echo "Done!" || echo "Error while downloading." +echo + +# Webshell +echo "# WebShell: https://github.com/SecWiki/WebShell-2/blob/master/Php/Worse%20Linux%20Shell.php" +echo "Downloading malware sample..." +fetch_sample "https://wazuh-demo.s3-us-west-1.amazonaws.com/webshell" "/tmp/yara/malware/webshell" && echo "Done!" || echo "Error while downloading." +echo diff --git a/tests/end_to_end/test_yara_integration/data/configuration/yara_script.sh b/tests/end_to_end/test_yara_integration/data/configuration/yara_script.sh new file mode 100644 index 0000000000..68934dd07c --- /dev/null +++ b/tests/end_to_end/test_yara_integration/data/configuration/yara_script.sh 
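Review bot: `curl -s -XGET "$1" -o "$2"` has no `--fail`, so an HTTP 403/404 error body is saved as the "sample" with exit status 0 and every `&& echo "Done!"` still prints, leaving the YARA test to scan an error page and fail far from the cause. Use `curl -sSf --retry 3 -o "$2" "$1"` (`-XGET` is redundant) and, since these are live malware samples fetched from a bucket the test does not control, verify each download against a pinned SHA-256 with `sha256sum -c` before reporting success. `curl -o` also fails if `/tmp/yara/malware` does not exist; the playbook presumably creates it, but a `mkdir -p "$(dirname "$2")"` in `fetch_sample` makes the script safe to run on its own.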
@@ -0,0 +1,51 @@ +#!/bin/bash +# Wazuh - Yara active response +# Copyright (C) 2015-2022, Wazuh Inc. +# +# This program is free software; you can redistribute it +# and/or modify it under the terms of the GNU General Public +# License (version 2) as published by the FSF - Free Software +# Foundation. + + +#------------------------- Gather parameters -------------------------# + +# Extra arguments +read INPUT_JSON +YARA_PATH=$(echo $INPUT_JSON | jq -r .parameters.extra_args[1]) +YARA_RULES=$(echo $INPUT_JSON | jq -r .parameters.extra_args[3]) +FILENAME=$(echo $INPUT_JSON | jq -r .parameters.alert.syscheck.path) + +# Set LOG_FILE path +LOG_FILE="logs/active-responses.log" + +size=0 +actual_size=$(stat -c %s ${FILENAME}) +while [ ${size} -ne ${actual_size} ]; do + sleep 1 + size=${actual_size} + actual_size=$(stat -c %s ${FILENAME}) +done + +#----------------------- Analyze parameters -----------------------# + +if [[ ! $YARA_PATH ]] || [[ ! $YARA_RULES ]] +then + echo "wazuh-yara: ERROR - Yara active response error. Yara path and rules parameters are mandatory." >> ${LOG_FILE} + exit 1 +fi + +#------------------------- Main workflow --------------------------# + +# Execute Yara scan on the specified filename +yara_output="$("${YARA_PATH}"/yara -w -r "$YARA_RULES" "$FILENAME")" + +if [[ $yara_output != "" ]] +then + # Iterate every detected rule and append it to the LOG_FILE + while read -r line; do + echo "wazuh-yara: INFO - Scan result: $line" >> ${LOG_FILE} + done <<< "$yara_output" +fi + +exit 0; diff --git a/tests/end_to_end/test_yara_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_yara_integration/data/playbooks/configuration.yaml new file mode 100644 index 0000000000..b9c5ebc908 --- /dev/null +++ b/tests/end_to_end/test_yara_integration/data/playbooks/configuration.yaml 
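Review bot: `echo $INPUT_JSON | jq -r ...` expands the unquoted alert JSON (word splitting and globbing on any `*`/`?` in a syscheck path), and `jq -r` prints the literal string `null` for a missing key, so the mandatory-parameter check `[[ ! $YARA_PATH ]] || [[ ! $YARA_RULES ]]` can never fire. Read with `read -r`, feed jq via a here-string, and use `jq -e` so a missing key yields an empty variable; also quote `${FILENAME}` in both `stat` calls and bail out if the file has already disappeared, otherwise the size loop exits on a `stat` error and yara is run on a non-existent path. `LOG_FILE="logs/active-responses.log"` is relative and presumably relies on the active-response runner's cwd being `/var/ossec` — worth a comment.

```shell
read -r INPUT_JSON
# jq -e exits non-zero on null/missing keys, so the variable is left empty and the check below fires
YARA_PATH=$(jq -er '.parameters.extra_args[1]' <<<"$INPUT_JSON") || YARA_PATH=""
YARA_RULES=$(jq -er '.parameters.extra_args[3]' <<<"$INPUT_JSON") || YARA_RULES=""
FILENAME=$(jq -er '.parameters.alert.syscheck.path' <<<"$INPUT_JSON") || FILENAME=""
# … unchanged: LOG_FILE …
[[ -f "${FILENAME}" ]] || exit 1
size=0
actual_size=$(stat -c %s "${FILENAME}")
while [ "${size}" -ne "${actual_size}" ]; do
    sleep 1
    size=${actual_size}
    actual_size=$(stat -c %s "${FILENAME}")
done
# … unchanged: parameter check, yara scan, logging …
```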
@@ -0,0 +1,138 @@ +- name: Configure environment + hosts: wazuh-manager + become: true + tasks: + + - name: Configure local rules for Yara + blockinfile: + path: /var/ossec/etc/rules/local_rules.xml + marker: + block: | + + + 550 + /tmp/yara/malware/ + File modified in /tmp/yara/malware/ directory. + + + 554 + /tmp/yara/malware/ + File added to /tmp/yara/malware/ directory. + + + + + yara_decoder + Yara grouping rule + + + 108000 + wazuh-yara: INFO - Scan result: + File "$(yara_scanned_file)" is a positive match. Yara rule: $(yara_rule) + + + + - name: Configure local decoders for Yara + blockinfile: + path: /var/ossec/etc/decoders/local_decoder.xml + marker: + block: | + + wazuh-yara: + + + yara_decoder + wazuh-yara: (\S+) - Scan result: (\S+) (\S+) + log_type, yara_rule, yara_scanned_file + + + - name: Configure an active response for Yara + blockinfile: + path: /var/ossec/etc/ossec.conf + marker: + insertbefore: ^ + block: | + + yara + yara.sh + -yara_path /usr/local/bin -yara_rules /tmp/yara/rules/yara_rules.yar + no + + + yara + local + 100300,100301 + + + - name: Configure syscheck + blockinfile: + path: /var/ossec/etc/ossec.conf + insertafter: + block: | + /tmp/yara/malware + + - name: Restart wazuh-manager + systemd: + state: restarted + name: wazuh-manager + + - name: Create a directory to store Yara rules + file: + path: /tmp/yara/rules + state: directory + + - name: Download Yara rules + uri: + url: https://valhalla.nextron-systems.com/api/v1/get + method: POST + headers: + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 + Accept-Language: en-US,en;q=0.5 + Referer: https://valhalla.nextron-systems.com/ + Content-Type: application/x-www-form-urlencoded + DNT: "1' -H 'Connection: keep-alive' -H 'Upgrade-Insecure-Requests: 1" + body: demo=demo&apikey=1111111111111111111111111111111111111111111111111111111111111111&format=text + dest: /tmp/yara/rules/yara_rules.yar + + - name: Install epel-release + package: + name: + - epel-release + 
state: present + when: ansible_facts['distribution'] == "CentOS" + + - name: Install Yara on CentOS + package: + name: + - yara + state: present + when: ansible_facts['distribution'] == "CentOS" + + - name: Create a directory to store malware + file: + path: /tmp/yara/malware + state: directory + + - name: Download Mirai malware + uri: + url: https://wazuh-demo.s3-us-west-1.amazonaws.com/mirai + follow_redirects: all + dest: /tmp/yara/malware/mirai + + - name: Run Yara scan + shell: yara /tmp/yara/rules/yara_rules.yar /tmp/yara/malware/mirai + + - name: Copy the Yara script + copy: + src: "{{ yara_script }}" + dest: /var/ossec/active-response/bin/ + owner: root + group: wazuh + mode: '0750' + + - name: Install jq (JSON Processor) on CentOS + package: + name: + - jq + state: present + when: ansible_facts['distribution'] == "CentOS" diff --git a/tests/end_to_end/test_yara_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_yara_integration/data/playbooks/generate_events.yaml new file mode 100644 index 0000000000..24236ecb0f --- /dev/null +++ b/tests/end_to_end/test_yara_integration/data/playbooks/generate_events.yaml @@ -0,0 +1,22 @@ +- name: Generate events + hosts: wazuh-manager + vars: + alerts_path: /var/ossec/logs/alerts/alerts.json + become: true + tasks: + + - name: Truncate alerts file + shell: echo "" > {{ alerts_path }} + + - name: Download malware and run scan + script: "{{ malware_downloader_script }}" + + - name: Wait for alerts to be generated + wait_for: + timeout: 10 + + - name: Get alerts.json + fetch: + src: "{{ alerts_path }}" + dest: /tmp/ + flat: true diff --git a/tests/end_to_end/test_yara_integration/data/playbooks/teardown.yaml b/tests/end_to_end/test_yara_integration/data/playbooks/teardown.yaml new file mode 100644 index 0000000000..a25bb58e4e --- /dev/null +++ b/tests/end_to_end/test_yara_integration/data/playbooks/teardown.yaml 
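Review bot: The `DNT` header in the "Download Yara rules" task is a mangled curl paste: the value `1' -H 'Connection: keep-alive' -H 'Upgrade-Insecure-Requests: 1` is sent verbatim as the DNT header rather than as three separate headers, so it should be `DNT: "1"` or dropped together with the other browser-imitation headers, which the API call does not need. The rules file and the Mirai sample are fetched with no integrity check and the rules are then executed by yara as an active response on the manager; pinning a digest (the `get_url` module supports `checksum: sha256:...`) would keep the test deterministic when the upstream feed changes. The `apikey` looks like the public demo key rather than a secret, but that is worth confirming before it stays in the repository.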
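Review bot: The "Wait for alerts to be generated" task is a fixed `wait_for: timeout: 10` sleep, so fetching alerts.json races the syscheck → active response → yara pipeline and the test fails on a slow host; wait on the condition instead, e.g. `wait_for: path: "{{ alerts_path }}" search_regex: "wazuh-yara: INFO - Scan result" timeout: 60`. Also `echo "" > {{ alerts_path }}` writes a newline rather than emptying the file and passes the variable through a shell; `copy: content: "" dest: "{{ alerts_path }}"` (or `truncate -s 0`) does what the task name says without the shell.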
@@ -0,0 +1,48 @@ +- name: Configure environment + hosts: wazuh-manager + become: true + tasks: + + - name: Remove local rules for Yara + blockinfile: + path: /var/ossec/etc/rules/local_rules.xml + marker: + state: absent + + - name: Remove local decoders for Yara + blockinfile: + path: /var/ossec/etc/decoders/local_decoder.xml + marker: + state: absent + + - name: Remove the Yara configuration + blockinfile: + path: /var/ossec/etc/ossec.conf + marker: + state: absent + + - name: Remove Yara and epel-release from CentOS + package: + name: + - epel-release + - yara + state: absent + when: ansible_facts['distribution'] == "CentOS" + + - name: Remove the directory with malware + file: + path: /tmp/yara/ + state: absent + + - name: Remove the Yara script + file: + path: /tmp/yara_script.sh + state: absent + + - name: Remove jq (JSON Processor) on CentOS + package: + name: + - jq + state: absent + when: ansible_facts['distribution'] == "CentOS" + diff --git a/tests/end_to_end/test_yara_integration/data/test_cases/cases_yara_integration.yaml b/tests/end_to_end/test_yara_integration/data/test_cases/cases_yara_integration.yaml new file mode 100644 index 0000000000..bdb7c03fc1 --- /dev/null +++ b/tests/end_to_end/test_yara_integration/data/test_cases/cases_yara_integration.yaml @@ -0,0 +1,10 @@ +- name: Run Yara scan to detect malware + description: Test the detection of a trojaned file + configuration_parameters: null + metadata: + rule.id: 108001 + rule.level: 12 + rule.description: 'File \"/tmp/yara/malware/mirai\" is a positive match. Yara rule: Mirai_Botnet_Malware_RID2EF6' + #extra_vars: + # task_name: Run Yara scan + # command: yara /tmp/yara/rules/yara_rules.yar /tmp/yara/malware/mirai diff --git a/tests/end_to_end/test_yara_integration/test_yara_integration.py b/tests/end_to_end/test_yara_integration/test_yara_integration.py new file mode 100644 index 0000000000..7ca3bddbca --- /dev/null +++ b/tests/end_to_end/test_yara_integration/test_yara_integration.py 
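Review bot: The "Remove the Yara script" task deletes `/tmp/yara_script.sh`, but the configuration playbook installs the script into `/var/ossec/active-response/bin/` (root:wazuh, mode 0750), so the active-response executable stays on the manager after teardown while its ossec.conf `<command>`/`<active-response>` entries are removed; the path should be `/var/ossec/active-response/bin/yara_script.sh`. The teardown also never restarts wazuh-manager, so the rules, decoder and active response remain loaded in the running daemon until the next restart; add a `systemd: name: wazuh-manager state: restarted` task at the end, matching the configuration playbook.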
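Review bot: The commented-out `extra_vars` block at the end of the test case (`#extra_vars:` … `# command: yara /tmp/yara/rules/yara_rules.yar /tmp/yara/malware/mirai`) is dead configuration and should be removed, or promoted to a real `extra_vars` entry if the scan command is meant to be parameterised. The `rule.description` value carries pre-escaped regex characters (`\"`) because the test interpolates it into a regular expression; a one-line comment next to the field, `# used verbatim as a regex fragment by test_yara_integration.py, escape accordingly`, would save the next case author the puzzle.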
@@ -0,0 +1,83 @@ +import os +import json +import re +import pytest +from datetime import datetime +from tempfile import gettempdir + +from wazuh_testing.tools.time import parse_date_time_format +from wazuh_testing import end_to_end as e2e +from wazuh_testing import event_monitor as evm +from wazuh_testing.tools import configuration as config + +# Test cases data +test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') +test_cases_path = os.path.join(test_data_path, 'test_cases') +test_cases_file_path = os.path.join(test_cases_path, 'cases_yara_integration.yaml') +yara_script = os.path.join(test_data_path, 'configuration', 'yara_script.sh') +malware_downloader_script = os.path.join(test_data_path, 'configuration', 'malware_downloader.sh') +alerts_json = os.path.join(gettempdir(), 'alerts.json') + +# Playbooks +configuration_playbooks = ['configuration.yaml'] +events_playbooks = ['generate_events.yaml'] +teardown_playbook = ['teardown.yaml'] +configuration_extra_vars = {'yara_script': yara_script, 'malware_downloader_script': malware_downloader_script} + +# Configuration +configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) + + +@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) +@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') +def test_yara_integration(configure_environment, metadata, get_dashboard_credentials, generate_events, + clean_environment): + rule_description = metadata['rule.description'] + rule_id = metadata['rule.id'] + rule_level = metadata['rule.level'] + timestamp_regex = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[\+|-]\d+' + + expected_alert_json = fr".+timestamp\":\"({timestamp_regex})\",.+level\":{rule_level}.+description\"" \ + fr":\"{rule_description}.+id.+{rule_id}" + + expected_indexed_alert = fr".+level.+{rule_level}.+description.+{rule_description}.+id.+{rule_id}.+" \ + fr"timestamp\": \"({timestamp_regex})\"" + + query = 
e2e.make_query([ + { + "term": { + "rule.id": f"{rule_id}" + } + }, + { + "term": { + "rule.level": f"{rule_level}" + } + }, + { + "term": { + "rule.description": f"{rule_description}" + } + } + ]) + + # Check that alert has been raised and save timestamp + raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + error_message='The alert has not occurred').result() + raised_alert_timestamp = raised_alert.group(1) + raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') + + # Get indexed alert + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + indexed_alert = json.dumps(response.json()) + + # Check that the alert data is the expected one + alert_data = re.search(expected_indexed_alert, indexed_alert) + assert alert_data is not None, 'Alert triggered, but not indexed' + + # Get indexed alert timestamp + indexed_alert_timestamp = alert_data.group(1) + indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), '%Y-%m-%d %H:%M:%S') + + # Check that alert has been indexed (checking that the timestamp is the expected one) + assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' From 21e1225c653194a9a90fd6564e94b5dc03464250 Mon Sep 17 00:00:00 2001 
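Review bot: The `filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning')` marker suggests `e2e.get_alert_indexer_api` talks to the indexer with TLS verification disabled while sending the `get_dashboard_credentials` credentials; that is tolerable in a throwaway lab, but a comment should say so (`# indexer uses a self-signed cert in the test environment`) and the helper should accept a CA bundle so the warning can be removed instead of silenced. The final assertion reuses the message `'Alert triggered, but not indexed'` for a timestamp mismatch, which is a different failure from the `re.search` one above it; `'Alert indexed, but its timestamp differs from alerts.json'` would point at the right cause. Both `expected_alert_json` and `expected_indexed_alert` use greedy `.+` over the whole serialised response, so if the query returns more than one hit the captured timestamp is the last one in the dump rather than the matched document's; reading `response.json()['hits']['hits']` and comparing fields directly avoids that.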
From: Belen Valdivia Date: Mon, 18 Jul 2022 17:51:33 -0300 Subject: [PATCH 211/552] add: one test for linux and windows --- .../data/playbooks/configuration.yaml | 50 ++++++----- .../data/playbooks/generate_events.yaml | 14 ++- .../data/playbooks/teardown_playbook.yaml | 15 ++++ .../cases_vulnerability_detector.yaml | 16 ++++ .../test_vulnerability_detector.py | 81 +++++++++++++++++ .../data/playbooks/configuration.yaml | 87 ------------------- .../data/playbooks/generate_events.yaml | 30 ------- .../data/playbooks/teardown_playbook.yaml | 7 -- .../cases_vulnerability_detector.yaml | 10 --- .../test_vulnerability_detector_linux.py | 72 --------------- .../data/playbooks/teardown_playbook.yaml | 7 -- .../cases_vulnerability_detector.yaml | 13 --- .../test_vulnerability_detector_windows.py | 72 --------------- 13 files changed, 153 insertions(+), 321 deletions(-) rename tests/end_to_end/test_vulnerability_detector/{test_vulnerability_detector_windows => }/data/playbooks/configuration.yaml (77%) rename tests/end_to_end/test_vulnerability_detector/{test_vulnerability_detector_windows => }/data/playbooks/generate_events.yaml (61%) create mode 100644 tests/end_to_end/test_vulnerability_detector/data/playbooks/teardown_playbook.yaml create mode 100644 tests/end_to_end/test_vulnerability_detector/data/test_cases/cases_vulnerability_detector.yaml create mode 100644 tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector.py delete mode 100644 tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/configuration.yaml delete mode 100644 tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml delete mode 100644 tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/teardown_playbook.yaml delete mode 100644 
tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/test_cases/cases_vulnerability_detector.yaml delete mode 100644 tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py delete mode 100644 tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/teardown_playbook.yaml delete mode 100644 tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/test_cases/cases_vulnerability_detector.yaml delete mode 100644 tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detector_windows.py diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/configuration.yaml b/tests/end_to_end/test_vulnerability_detector/data/playbooks/configuration.yaml similarity index 77% rename from tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/configuration.yaml rename to tests/end_to_end/test_vulnerability_detector/data/playbooks/configuration.yaml index cef6a38223..fa5b0a0cb6 100644 --- a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_vulnerability_detector/data/playbooks/configuration.yaml 
@@ -1,8 +1,31 @@ +- name: Test agent configuration + hosts: wazuh-agent + tasks: + + - name: Enable the agent module to collect installed packages (Ubuntu) + become: true + blockinfile: + path: /var/ossec/etc/ossec.conf + insertbefore: + block: | + + no + 10s + yes + yes + + marker: + + - name: Restart wazuh-agent (Ubuntu) + become: true + shell: systemctl restart wazuh-agent + + - name: Test agent configuration hosts: wazuh-windows tasks: - - name: Enable the agent module to collect installed packages + - name: Enable the agent module to collect installed packages (Windows) ansible.windows.win_shell: | Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" @@ -14,11 +37,12 @@ Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" - - name: Restart wazuh-agent + - name: Restart wazuh-agent (Windows) ansible.windows.win_shell: | net stop wazuh net start wazuh + - name: Test manager configuration hosts: wazuh-manager tasks: @@ -41,27 +65,12 @@ - no + yes focal 1h - - - no - stretch - buster - 1h - - - - - no - 8 - 1h - - - + yes 1h @@ -82,6 +91,7 @@ - name: Wait until the feeds were downloaded and the first scan was completed become: true - ansible.builtin.wait_for: + wait_for: path: /var/ossec/logs/ossec.log search_regex: Vulnerability scan finished. + diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/generate_events.yaml b/tests/end_to_end/test_vulnerability_detector/data/playbooks/generate_events.yaml similarity index 61% rename from tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/generate_events.yaml rename to tests/end_to_end/test_vulnerability_detector/data/playbooks/generate_events.yaml index c544b89ab6..3f1a6e2e9c 100644 
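Review bot: The new Ubuntu play restarts the agent with `shell: systemctl restart wazuh-agent`, whereas the Yara playbook in this same series uses the `systemd` module; prefer `systemd: name: wazuh-agent state: restarted` so a failed restart is reported by the module and the task is not flagged by ansible-lint. The Ubuntu side is idempotent thanks to `blockinfile` with a marker, but the Windows play kept alongside it appends its configuration with `Add-Content` on every run, so re-running the suite presumably accumulates duplicate `<wodle>` blocks in the agent's ossec.conf; a marker-based `win_lineinfile`/`win_blockinfile` approach would give both platforms the same guarantee. The `insertbefore:` and `marker:` values appear empty in this rendering, so I cannot confirm which anchor tag is used.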
--- a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_vulnerability_detector/data/playbooks/generate_events.yaml @@ -6,12 +6,20 @@ shell: echo "" > /var/ossec/logs/alerts/alerts.json become: true -- name: Generate events +- name: Generate events linux + hosts: wazuh-agent + tasks: + + - name: "{{ event_description_linux }}" + become: true + command: "{{ command_linux }}" + +- name: Generate events windows hosts: wazuh-windows tasks: - - name: "{{ event_description }}" - ansible.windows.win_shell: "{{ command }}" + - name: "{{ event_description_windows }}" + ansible.windows.win_shell: "{{ command_windows }}" - name: Wait alert hosts: wazuh-manager diff --git a/tests/end_to_end/test_vulnerability_detector/data/playbooks/teardown_playbook.yaml b/tests/end_to_end/test_vulnerability_detector/data/playbooks/teardown_playbook.yaml new file mode 100644 index 0000000000..4085e54877 --- /dev/null +++ b/tests/end_to_end/test_vulnerability_detector/data/playbooks/teardown_playbook.yaml @@ -0,0 +1,15 @@ +- name: Cleanup environment + hosts: wazuh-agent + tasks: + + - name: Uninstall vim vulnerable package + become: true + command: apt-get remove vim -y + +- name: Cleanup environment + hosts: wazuh-windows + tasks: + + - name: Uninstall Mozilla Firefox vulnerable package + ansible.windows.win_shell: | + Start-Process "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" -ArgumentList "/S" -Wait diff --git a/tests/end_to_end/test_vulnerability_detector/data/test_cases/cases_vulnerability_detector.yaml b/tests/end_to_end/test_vulnerability_detector/data/test_cases/cases_vulnerability_detector.yaml new file mode 100644 index 0000000000..2d263a2d14 --- /dev/null +++ b/tests/end_to_end/test_vulnerability_detector/data/test_cases/cases_vulnerability_detector.yaml 
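Review bot: `Start-Process "C:\Program Files\Mozilla Firefox\uninstall\helper.exe"` runs unconditionally in the Windows teardown, so if the Firefox install in the events playbook failed, teardown errors on a missing file and masks the real test failure; guard it with `if (Test-Path "C:\Program Files\Mozilla Firefox\uninstall\helper.exe") { Start-Process "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" -ArgumentList "/S" -Wait }`. On the Linux side `command: apt-get remove vim -y` works but `apt: name: vim state: absent purge: true` is idempotent and reports failures through the module rather than a raw command. The teardown also leaves the downloaded installer on disk (the events playbook writes it to `C:\temp\test.exe` per the test case file), which is worth cleaning up as well.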
@@ -0,0 +1,16 @@ +- name: detect_vulnerability + description: Detect vulnerability + configuration_parameters: null + metadata: + extra_vars: + event_description_linux: Install vulnerable vim package + command_linux: apt install -y vim=2:8.1.2269-1ubuntu5.7 + event_description_windows: Install vulnerable Mozilla package + command_windows: | + Invoke-WebRequest -Uri "https://ftp.mozilla.org/pub/firefox/releases/92.0/win64/en-US/Firefox Setup 92.0.exe" ` + -OutFile "C:\temp\test.exe" + Start-Process -Wait -FilePath "C:\temp\test.exe" -ArgumentList "/S" -PassThru + rule.id: 23505 + rule.level: 10 + rule.description_linux: CVE-2022-1621 affects vim + rule.description_windows: CVE-2021-30547 affects Mozilla Firefox \(x64 en-US\) diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector.py b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector.py new file mode 100644 index 0000000000..4df0644c70 --- /dev/null +++ b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector.py 
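Review bot: `command_windows` downloads `Firefox Setup 92.0.exe` and executes it with `Start-Process ... "/S"` without checking what was fetched; pin the expected SHA256 and compare it with `Get-FileHash` before running the installer, and create the target directory first (`New-Item -ItemType Directory -Force C:\temp`), since `C:\temp` is assumed to exist. `command_linux: apt install -y vim=2:8.1.2269-1ubuntu5.7` will fail if the image already ships a newer vim, because apt refuses downgrades without `--allow-downgrades`; presumably the Ubuntu 20.04 test images start older, but this is worth confirming or adding the flag.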
@@ -0,0 +1,81 @@ +import os +import json +import re +import pytest +from datetime import datetime +from tempfile import gettempdir + +from wazuh_testing.tools.time import parse_date_time_format +from wazuh_testing.tools import configuration as config +from wazuh_testing import end_to_end as e2e +from wazuh_testing import event_monitor as evm + +# Test cases data +alerts_json = os.path.join(gettempdir(), 'alerts.json') +test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') +test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_vulnerability_detector.yaml') + +# Playbooks +configuration_playbooks = ['configuration.yaml'] +events_playbooks = ['generate_events.yaml'] +teardown_playbook = ['teardown_playbook.yaml'] + +# Configuration +configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) + + +@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') +@pytest.mark.parametrize('metadata', configuration_metadata) +def test_vulnerability_detector(configure_environment, metadata, get_dashboard_credentials, generate_events, + clean_environment): + """ + Test to detect a vulnerability + """ + rule_level = metadata['rule.level'] + rule_id = metadata['rule.id'] + rule_descriptions = [metadata['rule.description_linux'], metadata['rule.description_windows']] + + for rule_description in rule_descriptions: + + expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{rule_level},' \ + fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' + + expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \ + fr'.*"id": "{rule_id}".*' \ + r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' + + rule_description = rule_description.replace('\\', '') + + query = e2e.make_query([ + { + "term": { + "rule.id": f"{rule_id}" + } + }, + { + "term": { + "rule.description": 
f"{rule_description}" + } + } + ]) + + # Check that alert has been raised and save timestamp + raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + error_message='The alert has not occurred').result() + raised_alert_timestamp = raised_alert.group(1) + raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') + + # Get indexed alert + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + indexed_alert = json.dumps(response.json()) + + # Check that the alert data is the expected one + alert_data = re.search(expected_indexed_alert, indexed_alert) + assert alert_data is not None, 'Alert triggered, but not indexed' + + # Get indexed alert timestamp + indexed_alert_timestamp = alert_data.group(1) + indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), '%Y-%m-%d %H:%M:%S') + + # Check that alert has been indexed (checking that the timestamp is the expected one) + assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/configuration.yaml b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/configuration.yaml deleted file mode 100644 index 5addaee3c0..0000000000 --- a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/configuration.yaml +++ /dev/null 
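Review bot: The `for rule_description in rule_descriptions:` loop folds the Linux and Windows checks into a single test, so a Linux failure stops before the Windows alert is checked and the report cannot say which platform regressed; parametrize over the platform instead so each alert is a separate test case (assuming `generate_events` is scoped beyond the function so the events are not regenerated per case). The regex `.*"id": "{rule_id}".*"timestamp": "(…)"` is greedy over the entire `json.dumps(response.json())` body, so if the query returns more than one hit the captured timestamp belongs to the last hit in the body rather than the document that matched the description; reading `response.json()['hits']['hits']` and comparing the fields directly avoids that. The descriptions carry regex escapes (`\(x64 en-US\)`) that `rule_description.replace('\\', '')` strips for the term query only, which deserves a one-line comment on that line.

```python
@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning')
@pytest.mark.parametrize('platform', ['linux', 'windows'])
@pytest.mark.parametrize('metadata', configuration_metadata)
def test_vulnerability_detector(configure_environment, metadata, platform, get_dashboard_credentials, generate_events,
                                clean_environment):
    """Check that the vulnerability alert for ``platform`` is raised in alerts.json and indexed."""
    rule_level = metadata['rule.level']
    rule_id = metadata['rule.id']
    # Descriptions in the case file are regex-escaped; the plain form is used for the term query below.
    rule_description = metadata[f'rule.description_{platform}']
    # … unchanged: expected_alert_json / expected_indexed_alert / query …
    # … unchanged: alerts.json check, indexer query, timestamp comparison (no longer inside a loop) …
```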
@@ -1,87 +0,0 @@ -- name: Test agent configuration - hosts: wazuh-agent - tasks: - - - name: Enable the agent module to collect installed packages - become: true - blockinfile: - path: /var/ossec/etc/ossec.conf - insertbefore: - block: | - - no - 10s - yes - yes - - marker: - - - name: Restart wazuh-agent - become: true - shell: systemctl restart wazuh-agent - -- name: Test manager configuration - hosts: wazuh-manager - tasks: - - - name: Truncate file ossec.log - shell: echo "" > /var/ossec/logs/ossec.log - become: true - - - name: Enabled vulnerability detector module - become: true - blockinfile: - path: /var/ossec/etc/ossec.conf - insertbefore: - block: | - - yes - 10s - 10s - yes - - - - yes - focal - 1h - - - - - no - stretch - buster - 1h - - - - - no - 8 - 1h - - - - - no - 1h - - - - yes - 2022 - 1h - - - marker: - - - name: Restart wazuh-manager - become: true - shell: systemctl restart wazuh-manager - - - name: Wait until the feeds were downloaded and the first scan was completed - become: true - ansible.builtin.wait_for: - path: /var/ossec/logs/ossec.log - search_regex: Vulnerability scan finished. diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml deleted file mode 100644 index 09bd5dcf2d..0000000000 --- a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -- name: Truncate files - hosts: wazuh-manager - tasks: - - - name: Truncate file alert.json - shell: echo "" > /var/ossec/logs/alerts/alerts.json - become: true - -- name: Generate events - hosts: wazuh-agent - tasks: - - - name: "{{ event_description }}" - become: true - command: "{{ command }}" - - - name: Wait for alert - wait_for: - timeout: 60 - -- name: Get logs - hosts: wazuh-manager - tasks: - - - name: Get alerts.json - fetch: - src: /var/ossec/logs/alerts/alerts.json - dest: /tmp/ - flat: true - become: true diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/teardown_playbook.yaml b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/teardown_playbook.yaml deleted file mode 100644 index 627d6b3bf1..0000000000 --- a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/teardown_playbook.yaml +++ /dev/null @@ -1,7 +0,0 @@ -- name: Cleanup environment - hosts: wazuh-agent - become: true - tasks: - - - name: Uninstall vim vulnerable package - command: apt-get remove vim -y diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/test_cases/cases_vulnerability_detector.yaml b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/test_cases/cases_vulnerability_detector.yaml deleted file mode 100644 index d3a0265d4d..0000000000 --- a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/test_cases/cases_vulnerability_detector.yaml +++ /dev/null @@ -1,10 +0,0 @@ -- name: vulnerability_detector - description: Detect vim vulnerability - configuration_parameters: null - metadata: - extra_vars: - event_description: Install vulnerable vim package - command: apt install vim=2:8.1.2269-1ubuntu5.7 - rule.id: 23505 - rule.level: 10 - rule.description: CVE-2022-1621 affects vim 
diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py deleted file mode 100644 index e19bdc9e2b..0000000000 --- a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py +++ /dev/null 
@@ -1,72 +0,0 @@ -import os -import json -import re -import pytest -from datetime import datetime -from tempfile import gettempdir - -from wazuh_testing.tools.time import parse_date_time_format -from wazuh_testing.tools import configuration as config -from wazuh_testing import end_to_end as e2e -from wazuh_testing import event_monitor as evm - -# Test cases data -alerts_json = os.path.join(gettempdir(), 'alerts.json') -test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') -test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_vulnerability_detector.yaml') - -# Playbooks -configuration_playbooks = ['configuration.yaml'] -events_playbooks = ['generate_events.yaml'] -teardown_playbook = ['teardown_playbook.yaml'] - -# Configuration -configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) - - -@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -@pytest.mark.parametrize('metadata', configuration_metadata) -def test_vulnerability_detector(configure_environment, metadata, get_dashboard_credentials, generate_events, - clean_environment): - """ - Test to detect a vulnerability (Ubuntu 20.04) - """ - rule_level = metadata['rule.level'] - rule_description = metadata['rule.description'] - rule_id = metadata['rule.id'] - - expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{rule_level},' \ - fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' - - expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \ - fr'.*"id": "{rule_id}".*' \ - r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' - - query = e2e.make_query([ - { - "term": { - "rule.id": f"{rule_id}" - } - } - ]) - - # Check that alert has been raised and save timestamp - raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - error_message='The alert has not 
occurred').result() - raised_alert_timestamp = raised_alert.group(1) - raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') - - # Get indexed alert - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) - indexed_alert = json.dumps(response.json()) - - # Check that the alert data is the expected one - alert_data = re.search(expected_indexed_alert, indexed_alert) - assert alert_data is not None, 'Alert triggered, but not indexed' - - # Get indexed alert timestamp - indexed_alert_timestamp = alert_data.group(1) - indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), '%Y-%m-%d %H:%M:%S') - - # Check that alert has been indexed (checking that the timestamp is the expected one) - assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/teardown_playbook.yaml b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/teardown_playbook.yaml deleted file mode 100644 index 4e04411ee0..0000000000 --- a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/teardown_playbook.yaml +++ /dev/null @@ -1,7 +0,0 @@ -- name: Cleanup environment - hosts: wazuh-windows - tasks: - - - name: Unistall Mozilla Firefox vulnerable package - ansible.windows.win_shell: | - Start-Process "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" -ArgumentList "/S" -Wait diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/test_cases/cases_vulnerability_detector.yaml b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/test_cases/cases_vulnerability_detector.yaml deleted file mode 100644 index 74d9184d15..0000000000 
--- a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/test_cases/cases_vulnerability_detector.yaml +++ /dev/null @@ -1,13 +0,0 @@ -- name: vulnerability_detector - description: Detect Mozilla vulnerability - configuration_parameters: null - metadata: - extra_vars: - event_description: Install vulnerable Mozilla package - command: | - Invoke-WebRequest -Uri "https://ftp.mozilla.org/pub/firefox/releases/92.0/win64/en-US/Firefox Setup 92.0.exe" ` - -OutFile "C:\temp\test.exe" - Start-Process -Wait -FilePath "C:\temp\test.exe" -ArgumentList "/S" -PassThru - rule.id: 23505 - rule.level: 10 - rule.description: CVE-2021-30547 affects Mozilla Firefox \(x64 en-US\) diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detector_windows.py b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detector_windows.py deleted file mode 100644 index 2698876a29..0000000000 --- a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detector_windows.py +++ /dev/null 
@@ -1,72 +0,0 @@ -import os -import json -import re -import pytest -from datetime import datetime -from tempfile import gettempdir - -from wazuh_testing.tools.time import parse_date_time_format -from wazuh_testing.tools import configuration as config -from wazuh_testing import end_to_end as e2e -from wazuh_testing import event_monitor as evm - -# Test cases data -alerts_json = os.path.join(gettempdir(), 'alerts.json') -test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') -test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_vulnerability_detector.yaml') - -# Playbooks -configuration_playbooks = ['configuration.yaml'] -events_playbooks = ['generate_events.yaml'] -teardown_playbook = ['teardown_playbook.yaml'] - -# Configuration -configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) - - -@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -@pytest.mark.parametrize('metadata', configuration_metadata) -def test_vulnerability_detector(configure_environment, metadata, get_dashboard_credentials, generate_events, - clean_environment): - """ - Test to detect a vulnerability (Windows) - """ - rule_level = metadata['rule.level'] - rule_description = metadata['rule.description'] - rule_id = metadata['rule.id'] - - expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{rule_level},' \ - fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' - - expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \ - fr'.*"id": "{rule_id}".*' \ - r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' - - query = e2e.make_query([ - { - "term": { - "rule.id": f"{rule_id}" - } - } - ]) - - # Check that alert has been raised and save timestamp - raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - error_message='The alert has not 
occurred').result() - raised_alert_timestamp = raised_alert.group(1) - raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') - - # Get indexed alert - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) - indexed_alert = json.dumps(response.json()) - - # Check that the alert data is the expected one - alert_data = re.search(expected_indexed_alert, indexed_alert) - assert alert_data is not None, 'Alert triggered, but not indexed' - - # Get indexed alert timestamp - indexed_alert_timestamp = alert_data.group(1) - indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), '%Y-%m-%d %H:%M:%S') - - # Check that alert has been indexed (checking that the timestamp is the expected one) - assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' From 03f4493f6b7d53fbbd3edbbad71eb19fc958d53f Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Mon, 18 Jul 2022 18:14:15 -0300 Subject: [PATCH 212/552] fix:linter errors --- .../data/playbooks/configuration.yaml | 5 +---- .../test_vulnerability_detector.py | 8 +++++--- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/tests/end_to_end/test_vulnerability_detector/data/playbooks/configuration.yaml b/tests/end_to_end/test_vulnerability_detector/data/playbooks/configuration.yaml index fa5b0a0cb6..4c4c4d7926 100644 --- a/tests/end_to_end/test_vulnerability_detector/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_vulnerability_detector/data/playbooks/configuration.yaml @@ -20,7 +20,6 @@ become: true shell: systemctl restart wazuh-agent - - name: Test agent configuration hosts: wazuh-windows tasks: @@ -42,7 +41,6 @@ net stop wazuh net start wazuh - - name: Test manager configuration hosts: wazuh-manager tasks: @@ -70,7 +68,7 @@ 1h - + yes 1h @@ -94,4 +92,3 @@ wait_for: path: /var/ossec/logs/ossec.log search_regex: Vulnerability scan finished. - 
diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector.py b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector.py index 4df0644c70..3b27556225 100644 --- a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector.py +++ b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector.py @@ -37,8 +37,9 @@ def test_vulnerability_detector(configure_environment, metadata, get_dashboard_c for rule_description in rule_descriptions: - expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{rule_level},' \ - fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' + expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)",' \ + fr'"rule"\:{{"level"\:{rule_level},' \ + fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \ fr'.*"id": "{rule_id}".*' \ @@ -75,7 +76,8 @@ def test_vulnerability_detector(configure_environment, metadata, get_dashboard_c # Get indexed alert timestamp indexed_alert_timestamp = alert_data.group(1) - indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), '%Y-%m-%d %H:%M:%S') + indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), + '%Y-%m-%d %H:%M:%S') # Check that alert has been indexed (checking that the timestamp is the expected one) assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' From 571ed725d36992065cbdc099e3c3bb977ccef447 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Mon, 18 Jul 2022 18:22:56 -0300 Subject: [PATCH 213/552] fix: linter errors in vulnerability_detector.py --- .../test_vulnerability_detector.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector.py b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector.py index 3b27556225..884db80051 100644 --- a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector.py +++ b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector.py @@ -42,15 +42,15 @@ def test_vulnerability_detector(configure_environment, metadata, get_dashboard_c fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \ - fr'.*"id": "{rule_id}".*' \ - r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' + fr'.*"id": "{rule_id}".*' \ + r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' rule_description = rule_description.replace('\\', '') query = e2e.make_query([ { "term": { - "rule.id": f"{rule_id}" + "rule.id": f"{rule_id}" } }, { @@ -62,7 +62,7 @@ def test_vulnerability_detector(configure_environment, metadata, get_dashboard_c # Check that alert has been raised and save timestamp raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - error_message='The alert has not occurred').result() + error_message='The alert has not occurred').result() raised_alert_timestamp = raised_alert.group(1) raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') From ea02203c48a3271005f64b918462e9decc010e4d Mon Sep 17 00:00:00 2001 
From: Julia Date: Tue, 19 Jul 2022 13:44:45 +0200 Subject: [PATCH 214/552] fix: Change comment --- tests/end_to_end/test_audit/test_audit.py | 2 +- tests/end_to_end/test_brute_force/test_brute_force.py | 2 +- .../test_detecting_suspicious_binaries.py | 2 +- .../end_to_end/test_docker_monitoring/test_docker_monitoring.py | 2 +- tests/end_to_end/test_netcat/test_netcat.py | 2 +- .../test_osquery_integration/test_osquery_integration.py | 2 +- .../test_shellshock_attack_detection.py | 2 +- tests/end_to_end/test_sql_injection/test_sql_injection.py | 2 +- .../test_virustotal_active_response.py | 2 +- .../test_virustotal/test_virustotal_fim/test_virustotal_fim.py | 2 +- 10 files changed, 10 insertions(+), 10 deletions(-) diff --git a/tests/end_to_end/test_audit/test_audit.py b/tests/end_to_end/test_audit/test_audit.py index e37ef235b5..f74b82233a 100644 --- a/tests/end_to_end/test_audit/test_audit.py +++ b/tests/end_to_end/test_audit/test_audit.py @@ -57,7 +57,7 @@ def test_audit(configure_environment, metadata, get_dashboard_credentials, gener } ]) - # Get indexed alert + # Check if the alert has been indexed and get its data response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) indexed_alert = json.dumps(response.json()) diff --git a/tests/end_to_end/test_brute_force/test_brute_force.py b/tests/end_to_end/test_brute_force/test_brute_force.py index 627951572f..ee1e8cb8d9 100644 --- a/tests/end_to_end/test_brute_force/test_brute_force.py +++ b/tests/end_to_end/test_brute_force/test_brute_force.py @@ -57,7 +57,7 @@ def test_brute_force(metadata, get_dashboard_credentials, generate_events, clean } ]) - # Get indexed alert + # Check if the alert has been indexed and get its data response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) indexed_alert = json.dumps(response.json()) 
diff --git a/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py b/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py index f221bbd1e1..3c633e341b 100644 --- a/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py +++ b/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py @@ -70,7 +70,7 @@ def test_detecting_suspicious_binaries(configure_environment, metadata, get_dash } ]) - # Get indexed alert + # Check if the alert has been indexed and get its data response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) indexed_alert = json.dumps(response.json()) diff --git a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py index ca594f7ffd..eb65293a5d 100644 --- a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py +++ b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py @@ -67,7 +67,7 @@ def test_docker_monitoring(configure_environment, metadata, get_dashboard_creden } ]) - # Get indexed alert + # Check if the alert has been indexed and get its data response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) indexed_alert = json.dumps(response.json()) diff --git a/tests/end_to_end/test_netcat/test_netcat.py b/tests/end_to_end/test_netcat/test_netcat.py index bcdd65a336..23e4d785f1 100644 --- a/tests/end_to_end/test_netcat/test_netcat.py +++ b/tests/end_to_end/test_netcat/test_netcat.py @@ -54,7 +54,7 @@ def test_netcat(configure_environment, metadata, get_dashboard_credentials, gene } ]) - # Get indexed alert + # Check if the alert has been indexed and get its data response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) indexed_alert = json.dumps(response.json()) 
diff --git a/tests/end_to_end/test_osquery_integration/test_osquery_integration.py b/tests/end_to_end/test_osquery_integration/test_osquery_integration.py index b8ae95f315..7965485941 100644 --- a/tests/end_to_end/test_osquery_integration/test_osquery_integration.py +++ b/tests/end_to_end/test_osquery_integration/test_osquery_integration.py @@ -60,7 +60,7 @@ def test_osquery_integration(configure_environment, metadata, get_dashboard_cred } ]) - # Get indexed alert + # Check if the alert has been indexed and get its data response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) indexed_alert = json.dumps(response.json()) diff --git a/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py b/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py index 3273688cbc..6d2795e752 100644 --- a/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py +++ b/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py @@ -57,7 +57,7 @@ def test_shellshock_attack_detection(configure_environment, metadata, get_dashbo } ]) - # Get indexed alert + # Check if the alert has been indexed and get its data response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) indexed_alert = json.dumps(response.json()) diff --git a/tests/end_to_end/test_sql_injection/test_sql_injection.py b/tests/end_to_end/test_sql_injection/test_sql_injection.py index 06008d1a09..1c3f0a39ff 100644 --- a/tests/end_to_end/test_sql_injection/test_sql_injection.py +++ b/tests/end_to_end/test_sql_injection/test_sql_injection.py @@ -56,7 +56,7 @@ def test_sql_injection(configure_environment, metadata, get_dashboard_credential } ]) - # Get indexed alert + # Check if the alert has been indexed and get its data response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) indexed_alert = json.dumps(response.json()) 
diff --git a/tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py b/tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py index 26b309968f..8c56e9ad44 100644 --- a/tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py +++ b/tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py @@ -58,7 +58,7 @@ def test_virustotal(configure_environment, metadata, get_dashboard_credentials, }, ]) - # Get indexed alert + # Check if the alert has been indexed and get its data response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) indexed_alert = json.dumps(response.json()) diff --git a/tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py b/tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py index c8d5753195..90b133cd82 100644 --- a/tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py +++ b/tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py @@ -54,7 +54,7 @@ def test_virustotal(configure_environment, metadata, get_dashboard_credentials, } ]) - # Get indexed alert + # Check if the alert has been indexed and get its data response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) indexed_alert = json.dumps(response.json()) From 966a2625d5ec246af22e413ba1ed3facb92a81fb Mon Sep 17 00:00:00 2001 
From: Mauro Malara Date: Tue, 19 Jul 2022 17:54:49 -0300 Subject: [PATCH 215/552] fix!: several fixes were applied. #3085 --- .../data/configuration/yara_script.sh | 51 ------------------- .../data/playbooks/configuration.yaml | 20 ++++++-- .../test_cases/cases_yara_integration.yaml | 7 ++- .../test_yara_integration.py | 7 +-- 4 files changed, 23 insertions(+), 62 deletions(-) delete mode 100644 tests/end_to_end/test_yara_integration/data/configuration/yara_script.sh diff --git a/tests/end_to_end/test_yara_integration/data/configuration/yara_script.sh b/tests/end_to_end/test_yara_integration/data/configuration/yara_script.sh deleted file mode 100644 index 68934dd07c..0000000000 --- a/tests/end_to_end/test_yara_integration/data/configuration/yara_script.sh +++ /dev/null 
@@ -1,51 +0,0 @@ -#!/bin/bash -# Wazuh - Yara active response -# Copyright (C) 2015-2022, Wazuh Inc. -# -# This program is free software; you can redistribute it -# and/or modify it under the terms of the GNU General Public -# License (version 2) as published by the FSF - Free Software -# Foundation. - - -#------------------------- Gather parameters -------------------------# - -# Extra arguments -read INPUT_JSON -YARA_PATH=$(echo $INPUT_JSON | jq -r .parameters.extra_args[1]) -YARA_RULES=$(echo $INPUT_JSON | jq -r .parameters.extra_args[3]) -FILENAME=$(echo $INPUT_JSON | jq -r .parameters.alert.syscheck.path) - -# Set LOG_FILE path -LOG_FILE="logs/active-responses.log" - -size=0 -actual_size=$(stat -c %s ${FILENAME}) -while [ ${size} -ne ${actual_size} ]; do - sleep 1 - size=${actual_size} - actual_size=$(stat -c %s ${FILENAME}) -done - -#----------------------- Analyze parameters -----------------------# - -if [[ ! $YARA_PATH ]] || [[ ! $YARA_RULES ]] -then - echo "wazuh-yara: ERROR - Yara active response error. Yara path and rules parameters are mandatory." >> ${LOG_FILE} - exit 1 -fi - -#------------------------- Main workflow --------------------------# - -# Execute Yara scan on the specified filename -yara_output="$("${YARA_PATH}"/yara -w -r "$YARA_RULES" "$FILENAME")" - -if [[ $yara_output != "" ]] -then - # Iterate every detected rule and append it to the LOG_FILE - while read -r line; do - echo "wazuh-yara: INFO - Scan result: $line" >> ${LOG_FILE} - done <<< "$yara_output" -fi - -exit 0; diff --git a/tests/end_to_end/test_yara_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_yara_integration/data/playbooks/configuration.yaml index b9c5ebc908..80721a883c 100644 --- a/tests/end_to_end/test_yara_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_yara_integration/data/playbooks/configuration.yaml 
@@ -55,7 +55,7 @@ yara yara.sh - -yara_path /usr/local/bin -yara_rules /tmp/yara/rules/yara_rules.yar + -yara_path /usr/bin -yara_rules /tmp/yara/rules/yara_rules.yar no @@ -94,19 +94,27 @@ body: demo=demo&apikey=1111111111111111111111111111111111111111111111111111111111111111&format=text dest: /tmp/yara/rules/yara_rules.yar + - name: Check if epel-release is installed + shell: rpm -qa epel-release + register: check_epel_release + - name: Install epel-release package: name: - epel-release state: present - when: ansible_facts['distribution'] == "CentOS" + when: ( ansible_facts['distribution'] == "CentOS" and "epel" not in check_epel_release.stdout) + + - name: Check if yara is installed + shell: rpm -qa yara + register: check_yara - name: Install Yara on CentOS package: name: - yara state: present - when: ansible_facts['distribution'] == "CentOS" + when: ( ansible_facts['distribution'] == "CentOS" and "yara" not in check_yara.stdout) - name: Create a directory to store malware file: @@ -130,9 +138,13 @@ group: wazuh mode: '0750' + - name: Check if jq is installed + shell: rpm -qa jq + register: check_jq + - name: Install jq (JSON Processor) on CentOS package: name: - jq state: present - when: ansible_facts['distribution'] == "CentOS" + when: ( ansible_facts['distribution'] == "CentOS" and "jq" not in check_jq.stdout) diff --git a/tests/end_to_end/test_yara_integration/data/test_cases/cases_yara_integration.yaml b/tests/end_to_end/test_yara_integration/data/test_cases/cases_yara_integration.yaml index bdb7c03fc1..b1ee42a162 100644 --- a/tests/end_to_end/test_yara_integration/data/test_cases/cases_yara_integration.yaml +++ b/tests/end_to_end/test_yara_integration/data/test_cases/cases_yara_integration.yaml 
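Review bot: The three added `Check if … is installed` tasks (`shell: rpm -qa epel-release`, `rpm -qa yara`, `rpm -qa jq`) carry no `when:` of their own, so on any host without `rpm` the shell task fails before the CentOS guard on the install task that follows is ever evaluated, and they report `changed` on every run. Since `package: … state: present` is already idempotent the pre-checks add nothing; if they are kept, give each the same `when: ansible_facts['distribution'] == "CentOS"` plus `changed_when: false`. The `"yara" not in check_yara.stdout` condition is a substring test that any installed package whose name contains `yara` satisfies (same for `epel` and `jq`); `rpm -q yara` with `failed_when: false` and `check_yara.rc != 0` is exact, whereas `rpm -qa` exits 0 even when nothing matches. The `@@ -94` and `@@ -130` hunks share the pattern; this note covers both.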
@@ -4,7 +4,6 @@ metadata: rule.id: 108001 rule.level: 12 - rule.description: 'File \"/tmp/yara/malware/mirai\" is a positive match. Yara rule: Mirai_Botnet_Malware_RID2EF6' - #extra_vars: - # task_name: Run Yara scan - # command: yara /tmp/yara/rules/yara_rules.yar /tmp/yara/malware/mirai + rule.description: 'File \\"/tmp/yara/malware/mirai\\" is a positive match. Yara rule: Mirai_Botnet_Malware_RID2EF6' + extra: + data.yara_rule: Mirai_Botnet_Malware_RID2EF6 diff --git a/tests/end_to_end/test_yara_integration/test_yara_integration.py b/tests/end_to_end/test_yara_integration/test_yara_integration.py index 7ca3bddbca..4146ce3a6d 100644 --- a/tests/end_to_end/test_yara_integration/test_yara_integration.py +++ b/tests/end_to_end/test_yara_integration/test_yara_integration.py @@ -14,7 +14,7 @@ test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') test_cases_path = os.path.join(test_data_path, 'test_cases') test_cases_file_path = os.path.join(test_cases_path, 'cases_yara_integration.yaml') -yara_script = os.path.join(test_data_path, 'configuration', 'yara_script.sh') +yara_script = os.path.join(test_data_path, 'configuration', 'yara.sh') malware_downloader_script = os.path.join(test_data_path, 'configuration', 'malware_downloader.sh') alerts_json = os.path.join(gettempdir(), 'alerts.json') 
@@ -35,12 +35,13 @@ def test_yara_integration(configure_environment, metadata, get_dashboard_credent rule_description = metadata['rule.description'] rule_id = metadata['rule.id'] rule_level = metadata['rule.level'] + data_yara_rule = metadata['extra']['data.yara_rule'] timestamp_regex = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[\+|-]\d+' expected_alert_json = fr".+timestamp\":\"({timestamp_regex})\",.+level\":{rule_level}.+description\"" \ fr":\"{rule_description}.+id.+{rule_id}" - expected_indexed_alert = fr".+level.+{rule_level}.+description.+{rule_description}.+id.+{rule_id}.+" \ + expected_indexed_alert = fr".+yara_rule\": \"{data_yara_rule}.+level.+{rule_level}.+id.+{rule_id}.+" \ fr"timestamp\": \"({timestamp_regex})\"" query = e2e.make_query([ @@ -56,7 +57,7 @@ def test_yara_integration(configure_environment, metadata, get_dashboard_credent }, { "term": { - "rule.description": f"{rule_description}" + "data.yara_rule": f"{data_yara_rule}" } } ]) From 54489b2b86124829bcaab71fedf8edbadff771eb Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Tue, 19 Jul 2022 18:18:53 -0300 Subject: [PATCH 216/552] fix(configuration): yara script renamed. #3085 --- .../data/configuration/yara.sh | 51 +++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 tests/end_to_end/test_yara_integration/data/configuration/yara.sh diff --git a/tests/end_to_end/test_yara_integration/data/configuration/yara.sh b/tests/end_to_end/test_yara_integration/data/configuration/yara.sh new file mode 100644 index 0000000000..68934dd07c --- /dev/null +++ b/tests/end_to_end/test_yara_integration/data/configuration/yara.sh 
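Review bot: `data_yara_rule` is interpolated unescaped into the `expected_indexed_alert` regex (`fr".+yara_rule\": \"{data_yara_rule}.+level…"`), so a rule name containing regex metacharacters would match loosely or not at all, while the raw value is correctly used as-is in the `term` query of the second hunk. Use `{re.escape(data_yara_rule)}` in the pattern only (assuming `re` is imported at the top of the file as in the sibling tests — confirm). The rewritten pattern also drops the `description` match the old one made, so the indexed alert is now verified by `yara_rule`, level and id alone; if that is deliberate, a one-line comment saying why would help the next reader. `test_yara_integration` starts above the first hunk and its body continues between and after the two hunks.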
@@ -0,0 +1,51 @@
+#!/bin/bash
+# Wazuh - Yara active response
+# Copyright (C) 2015-2022, Wazuh Inc.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation.
+
+
+#------------------------- Gather parameters -------------------------#
+
+# Extra arguments
+read INPUT_JSON
+YARA_PATH=$(echo $INPUT_JSON | jq -r .parameters.extra_args[1])
+YARA_RULES=$(echo $INPUT_JSON | jq -r .parameters.extra_args[3])
+FILENAME=$(echo $INPUT_JSON | jq -r .parameters.alert.syscheck.path)
+
+# Set LOG_FILE path
+LOG_FILE="logs/active-responses.log"
+
+size=0
+actual_size=$(stat -c %s ${FILENAME})
+while [ ${size} -ne ${actual_size} ]; do
+ sleep 1
+ size=${actual_size}
+ actual_size=$(stat -c %s ${FILENAME})
+done
+
+#----------------------- Analyze parameters -----------------------#
+
+if [[ ! $YARA_PATH ]] || [[ ! $YARA_RULES ]]
+then
+ echo "wazuh-yara: ERROR - Yara active response error. Yara path and rules parameters are mandatory." >> ${LOG_FILE}
+ exit 1
+fi
+
+#------------------------- Main workflow --------------------------#
+
+# Execute Yara scan on the specified filename
+yara_output="$("${YARA_PATH}"/yara -w -r "$YARA_RULES" "$FILENAME")"
+
+if [[ $yara_output != "" ]]
+then
+ # Iterate every detected rule and append it to the LOG_FILE
+ while read -r line; do
+ echo "wazuh-yara: INFO - Scan result: $line" >> ${LOG_FILE}
+ done <<< "$yara_output"
+fi
+
+exit 0;
From 139c80a3c8358337610bae62449a9e668cd22537 Mon Sep 17 00:00:00 2001
From: Mauro Malara
Date: Tue, 19 Jul 2022 18:48:30 -0300
Subject: [PATCH 217/552] refac: some changes were applied for the test to be compatible with the framework changes. #3085
---
 .../end_to_end/test_yara_integration/test_yara_integration.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
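Review bot: `FILENAME` is taken from the alert's `syscheck.path` and expanded unquoted in both `stat -c %s ${FILENAME}` calls and in `[ ${size} -ne ${actual_size} ]`, so a path containing whitespace is split into several arguments, and a file removed between two polls leaves `actual_size` empty and turns the `while` test into a syntax error repeated every second. Quote the expansions and stop when `stat` fails, `actual_size=$(stat -c %s "${FILENAME}") || exit 1`, at both call sites. The same applies to `echo $INPUT_JSON | jq …`, which word-splits and glob-expands the JSON before `jq` sees it; `jq -r … <<< "$INPUT_JSON"` avoids that. The content is identical to the `yara_script.sh` removed in the previous commit, so the points apply to the pre-existing script as well.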
diff --git a/tests/end_to_end/test_yara_integration/test_yara_integration.py b/tests/end_to_end/test_yara_integration/test_yara_integration.py index 4146ce3a6d..b1f02b88ef 100644 --- a/tests/end_to_end/test_yara_integration/test_yara_integration.py +++ b/tests/end_to_end/test_yara_integration/test_yara_integration.py @@ -21,7 +21,7 @@ # Playbooks configuration_playbooks = ['configuration.yaml'] events_playbooks = ['generate_events.yaml'] -teardown_playbook = ['teardown.yaml'] +teardown_playbooks = ['teardown.yaml'] configuration_extra_vars = {'yara_script': yara_script, 'malware_downloader_script': malware_downloader_script} # Configuration @@ -31,7 +31,7 @@ @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') def test_yara_integration(configure_environment, metadata, get_dashboard_credentials, generate_events, - clean_environment): + clean_alerts_index): rule_description = metadata['rule.description'] rule_id = metadata['rule.id'] rule_level = metadata['rule.level'] From 3619a6902002c8c7eb0d3b860f53a5dd7f5336be Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Tue, 19 Jul 2022 18:50:01 -0300 Subject: [PATCH 218/552] fix: linter corrections applied. #3085 --- .../test_yara_integration/data/playbooks/teardown.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/end_to_end/test_yara_integration/data/playbooks/teardown.yaml b/tests/end_to_end/test_yara_integration/data/playbooks/teardown.yaml index a25bb58e4e..d44dda49dd 100644 --- a/tests/end_to_end/test_yara_integration/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_yara_integration/data/playbooks/teardown.yaml @@ -45,4 +45,3 @@ - jq state: absent when: ansible_facts['distribution'] == "CentOS" - From ccc2470f43ad3d895a42bc3b47f4d848dd71706f Mon Sep 17 00:00:00 2001 
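Review bot: `teardown_playbook` is renamed to `teardown_playbooks`, but the same commit replaces the `clean_environment` fixture with `clean_alerts_index` in the test signature, and nothing left in the hunks consumes the teardown list. If `clean_alerts_index` only clears the indexer, `teardown.yaml` (which removes jq and the other CentOS packages installed by `configuration.yaml`) no longer runs and the host stays configured after the test — confirm which fixture picks up `teardown_playbooks`, or keep a fixture that does. The rest of `test_yara_integration`'s body lies outside the second hunk.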
From: =?UTF-8?q?V=C3=ADctor=20Rebollo=20P=C3=A9rez?= Date: Tue, 19 Jul 2022 10:32:54 +0100 Subject: [PATCH 219/552] feat: add qa dynamic roles --- .../wazuh_environment.yaml | 15 ++- provisioning/roles.yaml | 101 ++++++++++++++++++ 2 files changed, 108 insertions(+), 8 deletions(-) rename provisioning/{wazuh_ansible_playbooks => playbooks}/wazuh_environment.yaml (74%) create mode 100644 provisioning/roles.yaml diff --git a/provisioning/wazuh_ansible_playbooks/wazuh_environment.yaml b/provisioning/playbooks/wazuh_environment.yaml similarity index 74% rename from provisioning/wazuh_ansible_playbooks/wazuh_environment.yaml rename to provisioning/playbooks/wazuh_environment.yaml index 23cf18bb74..f513f7c5e8 100644 --- a/provisioning/wazuh_ansible_playbooks/wazuh_environment.yaml +++ b/provisioning/playbooks/wazuh_environment.yaml @@ -2,7 +2,7 @@ # Certificates generation - hosts: wi1 roles: - - role: ../../roles/wazuh/wazuh-indexer + - role: "{{ wazuh_ansible_roles }}/wazuh/wazuh-indexer" indexer_network_host: "{{ private_ip }}" perform_installation: false become: true @@ -15,31 +15,30 @@ - hosts: wi_cluster strategy: free roles: - - role: ../../roles/wazuh/wazuh-indexer + - role: "{{ wazuh_ansible_roles }}/wazuh/wazuh-indexer" indexer_network_host: "{{ private_ip }}" become: true become_user: root vars: indexer_node_master: true - - hosts: manager roles: - - role: "../../roles/wazuh/ansible-wazuh-manager" + - role: "{{wazuh_ansible_roles }}/wazuh/ansible-wazuh-manager" become: true become_user: root - hosts: filebeat roles: - - role: "../../roles/wazuh/ansible-filebeat-oss" + - role: "{{wazuh_ansible_roles }}/wazuh/ansible-filebeat-oss" become: true become_user: root # Indexer + dashboard node - hosts: dashboard roles: - - role: "../../roles/wazuh/wazuh-indexer" - - role: "../../roles/wazuh/wazuh-dashboard" + - role: "{{wazuh_ansible_roles }}/wazuh/wazuh-indexer" + - role: "{{wazuh_ansible_roles }}/wazuh/wazuh-dashboard" become: true become_user: root vars: 
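Review bot: Four of the six new role references are written `{{wazuh_ansible_roles }}` (manager, filebeat and both dashboard entries) while the two indexer entries use `{{ wazuh_ansible_roles }}`; Jinja accepts both, but ansible-lint's `jinja[spacing]` rule flags the asymmetric form and the mix reads as hand-edited. Normalise them all to `"{{ wazuh_ansible_roles }}/wazuh/…"`. Nothing in the hunks sets a default for `wazuh_ansible_roles`, so a run that does not pass it as an extra var fails at role resolution; a one-line comment at the top of the playbook naming the required variable (or a `vars_files` default) would make that explicit.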
@@ -62,4 +61,4 @@ become: yes become_user: root roles: - - ../../roles/wazuh/ansible-wazuh-agent + - "{{ wazuh_ansible_roles }}/wazuh/ansible-wazuh-agent" diff --git a/provisioning/roles.yaml b/provisioning/roles.yaml new file mode 100644 index 0000000000..b0e8a7690b --- /dev/null +++ b/provisioning/roles.yaml @@ -0,0 +1,101 @@ +qa_framework: + playbook: ./playbooks/qa_framework.yml + os: ANY + service: ANY + vars: + mandatory: + qa_repository_reference: QA_REFERENCE + +#---------------------- + +apache: + playbook: ./playbooks/apache.yml + os: LINUX_BASED_OS + service: ANY + +#---------------------- + +agent: + playbook: ./playbooks/wazuh_environment.yaml + os: ANY + service: ANY + vars: + mandatory: + package: + version: VERSION + revision: REVISION + repository: REPOSITORY + manager: MANAGER_HOST + +#---------------------- + +manager: + playbook: ./playbooks/wazuh_environment.yaml + os: LINUX_BASED_OS + service: ANY + resources: + default: + cpu: 2 + memory: 2048 + vars: + mandatory: + package: + version: VERSION + revision: REVISION + repository: REPOSITORY + default: + type: master + +#---------------------- + +indexer: + playbook: ./playbooks/wazuh_environment.yaml + os: LINUX_BASED_OS + service: ANY + resources: + minimal: + cpu: 4 + memory: 4096 + default: + cpu: 4 + memory: 4096 + vars: + mandatory: + package: + version: VERSION + revision: REVISION + repository: REPOSITORY + +#---------------------- + +dashboard: + playbook: ./playbooks/wazuh_environment.yaml + os: LINUX_BASED_OS + service: ANY + resources: + minimal: + cpu: 4 + memory: 4096 + default: + cpu: 4 + memory: 4096 + vars: + mandatory: + package: + version: VERSION + revision: REVISION + repository: REPOSITORY + +#---------------------- + +filebeat: + depends: manager + playbook: ./playbooks/wazuh_environment.yaml + service: ANY + os: LINUX_BASED_OS + resources: + default: + cpu: 2 + memory: 2048 + +#---------------------- From bf1b1a3103bb6bfa2ecd304462382697fca6a716 Mon Sep 17 00:00:00 2001 
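Review bot: `roles.yaml` introduces a schema (`playbook`, `os`, `service`, `resources.minimal`/`resources.default`, `vars.mandatory`/`vars.default`, `depends`) and upper-case placeholders (`VERSION`, `REVISION`, `REPOSITORY`, `MANAGER_HOST`, `QA_REFERENCE`) with no comment saying which tool consumes the file or how the placeholders are substituted. A header comment describing each key and stating that upper-case values are supplied by the caller would make the file usable without reading the consumer. It is also not clear from the file whether `os: ANY` on `agent` is intentional while every other Wazuh component is `LINUX_BASED_OS`, or why `filebeat` carries no `vars.mandatory.package` although it points at the same `wazuh_environment.yaml` playbook; a one-line note on each would settle it.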
From: Belen Valdivia Date: Wed, 20 Jul 2022 09:09:25 -0300 Subject: [PATCH 220/552] add: configuration yaml emotet --- .../general_playbooks/inventory.yml | 27 ++++++ .../data/emotet_file/trigger-emotet.exe | Bin 0 -> 36352 bytes .../data/playbooks/configuration.yaml | 67 +++++++++++++++ .../data/playbooks/generate_events.yaml | 38 +++++++++ .../data/test_cases/cases_emotet.yaml | 0 tests/end_to_end/test_emotet/test_emotet.py | 78 ++++++++++++++++++ 6 files changed, 210 insertions(+) create mode 100644 tests/end_to_end/general_playbooks/inventory.yml create mode 100644 tests/end_to_end/test_emotet/data/emotet_file/trigger-emotet.exe create mode 100644 tests/end_to_end/test_emotet/data/playbooks/configuration.yaml create mode 100644 tests/end_to_end/test_emotet/data/playbooks/generate_events.yaml create mode 100644 tests/end_to_end/test_emotet/data/test_cases/cases_emotet.yaml create mode 100644 tests/end_to_end/test_emotet/test_emotet.py diff --git a/tests/end_to_end/general_playbooks/inventory.yml b/tests/end_to_end/general_playbooks/inventory.yml new file mode 100644 index 0000000000..ef0c21eede --- /dev/null +++ b/tests/end_to_end/general_playbooks/inventory.yml @@ -0,0 +1,27 @@ +all: + hosts: + wazuh-manager: + ansible_connection: ssh + ansible_user: vagrant + ansible_ssh_pass: vagrant + ansible_python_interpreter: /usr/bin/python3 + dashboard_user: admin + dashboard_password: BpC6DTTmF5P0vV6vACB8tP5wDlUTzGU+ + + wazuh-agent1: + ansible_connection: ssh + ansible_user: vagrant + ansible_ssh_pass: vagrant + ansible_python_interpreter: /usr/bin/python3 + + wazuh-windows: + ansible_user: Administrator + ansible_password: vagrant + ansible_connection: winrm + ansible_winrm_server_cert_validation: ignore + ansible_winrm_transport: basic + ansible_winrm_port: 5985 + ansible_python_interpreter: C:\Users\vagrant\AppData\Local\Programs\Pyhton\Python39\python.exe + + vars: + virustotal_key: 3e4db70c621cd9dd9e3400254297eea03215987facca9931a42dcb86ffb8aa78 
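Review bot: This inventory commits live credentials in plaintext — `ansible_ssh_pass`, `ansible_password`, `dashboard_password` and a `virustotal_key` — so anyone with read access to the repository obtains them, and they remain in history after a later removal; the dashboard password and the VirusTotal key should be rotated and the values moved to an Ansible Vault file or passed at run time with `-e`, leaving this file as a template with placeholders. The Windows host is reached with `ansible_winrm_transport: basic` on port 5985 and `ansible_winrm_server_cert_validation: ignore`, which sends the Administrator password over an unencrypted channel; if the lab permits it, an authenticated transport over 5986 with a valid certificate is preferable, otherwise a comment should state that this is a throwaway Vagrant box. Separately, the interpreter path `C:\Users\vagrant\AppData\Local\Programs\Pyhton\Python39\python.exe` looks misspelled (`Python`); Windows modules run under PowerShell, so a `winrm` host probably never consults this variable, but the line should be corrected or dropped rather than left wrong.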
diff --git a/tests/end_to_end/test_emotet/data/emotet_file/trigger-emotet.exe b/tests/end_to_end/test_emotet/data/emotet_file/trigger-emotet.exe new file mode 100644 index 0000000000000000000000000000000000000000..6f58e2acf0da266cd7a3fcd372fe72b97731957a GIT binary patch literal 36352 zcmeIbdte(^l|O!GG#Wi@D;~*~?8J`cyigq5iQ}eukTmf#QR7GAS01!=WLt@q$R1ac zW4oz~T_{U|lol3BfGxBOEU>)ULJM133KT+rrR{g2&@GgPcWDakZh3Tp_WL>K&PcM8 zvfc0QU%&5H&YZdDanC*X+;g8ZQaTUcEF3}z4cE&r3vn0j^x4JmuY)&8L5w5Nos6etBkyb%<)q&|5E?qOW_;Ueq8xT(@^q}YDC3!yNbQmWW>gAm31 zFL$?462Rw;(0hOq_kr%D#G=nrLKH3{y(%=EHJ!!X!1v^3tk1-!Gr)g#Jpg!ISJWr} z6Bgn~eJY(A29a&M4+$ODn{efQcEKU_sd&k?VPND9&uvnx4WQ&O{Bjrbv1 zbBB6eshz`0lDw59aZ7NydTJH0niZ%TCu*vut2U;Cq(rY-5e%k7GU=--2f?vH6}_kc zebiHHkh3-*?`9d~)RI}E)u`!mDxK1jixTC>TuNe`GiWZ$rbA{0(lGzjYTFu41U5Lu z>!~cX&k`k42_f8;<8~-?5UDCj2ung54)S_~1?zSO3)ijIUG4}f?X3z+t+J-UG;HzC zqd^sS=wP9Hk&=e9uF$~(*P^l-KCRbyLp7I%pMxz`ebPPTDJyxKW9eY6!EM1H6nPC= zt|mtaN`ej->NU_2fFI!r8p{m7c&QZOruaoLf+q0N9hLWzD9OPyG+wYALKJdU8zXQn z1goY=FH6=(B1oBQ0g&%9wQ32sry4;??D zG`G1AiT#F);#t8^1~b*ra@BzmNvTmCS}+o(PGAp7f@1Jl#GsBCRO{5z8r9qn4Wac& z{^v0%g-^pGr6Apdd{$&u1p-%&VO``e%GVcgt0o3ZZ@{tea?g-2~aKE`sbAb`KA` z>c7_uIQm14HKl<9H2%6$_Dc-)snrZupunoUOGfL)b4Ec;DfN#gjC}}w@mpN9*!V53 zLP}eo8^OdxD?W%j##Itg?2Z%IpbK<0;X(*i?Me@!FmIS7PNVxM1&&&etExEsG9=!w z)%smkhD^Jv{4${iU3%3no>TPDMweVZ)TGev6POn?K^@jj^8)4$-5UF?fgYng+U(U2 z?1g?czXSaBas9tD_HE7|`~J^{HEkACrzVH9HTo&co?4AHjy)hkKVr9J+rY8GAu#&! 
zM-6dKHBye2P**IRMkBRE3`J-fRn?bhve(nYKq4a+1(U5siGu>Z1LI;H+JHXlDKctn zHBj|hGD$O!Qs!fn*&>W0t(ggi#~Gdg9Hb=yhU_HLkud-%9*m6VrA?$YlQPv7N`84n z(nv*Zo20FdOaQAYJYw-kzHY6wq-s|~m6bZOzSK5}Y^>UK=us|M+E!b#Kv}V^>}nD% z84Nar^7-L8R6buMd@~4;TBs!~Mbro_HsQL9_-@<(obN*a|Mp#AgChPFKJ=jPJG^=u zP2pG{@;HR>6bq%h!;d&FUEq?a!=hfSTlP6kyg`*^ zJ9xb{yB?VxrwA@H(Y{`pt{T-2V?s9HoTY>d;W=J$SQ5p&5|N06=8cdJrQZT*zBQYX zcTzmltC4M4D$nPZ2^-i1f>q^~4UCWtOKls768w`^bu+Xg}|EQhF8Id4P3v*bAk z`!C3@v(u;9D)y^-3NxujGl6d2#ANJsw5lcRw@Kmf&tO5-a>pqmAI9EAuH)aH)lgNQ za|I@b3+2O4fNWKoEMUj4mzB2tMf7}sVPl4R5VV_&(wuXT?JlC^HyKOV z?jqzucM&ze7;ODe48d%(Fhb38&@P84`OU%-b~%JxSPoISoSKa?YR#MBzM7w?<+J2` zHGK=vS?+12v(z8#5Kq5@7~CJ^1Wr@6Uh~p_J)=XGB=e&?&^oQr4ed0Z)+sfmbP`c5 zt#iq4hgG2FFy9H8M$P42=jXGAJo`63>M;Kn+|aHsAw=}xdUR^;&3dB?72tYs{L4JL z)Jpx%d>69GwqC&F@O=dyhr}!JxE)`C$G&GCk1P3Byqm1Zr*iohP`Ts_s9fd+R4y%_ zdTX`}Zu7cIIii~HVLCOr$>MU6pcig|saRN1le=>cs~UA@2d4#0vY46HsIh=ahBMRd zUHNLser8%7XhBY@1~aXw=ffu{!PVG#7(1n^(LBoGs&xm|yxpqT?~R;69XDL5ULYqY zrhMrFe*rJW)yP5QIaKz#d?sytNtGJG#7<1!Vn*Hzq(;pbq#Z2@UZ~&a_bt>P%+sL< zx1U1*`yG6;rTQH*=w~VZ33(q>&Te8PID0AXr2+hN`W>f;7~J^UU_f8@8tDscwt32u zd0C(l`}=@%T`6|y2WhXL=d_LAHk`qo7)nvNmES4zQ!$}~T$@k=1DRXv4}SYr$sK>(~NnFiY-$UHNAHt)Z1RZh$B9h!J$$eA}&_<1yb4_iXtA zMJ*o)lbE4dTtoAie+NEQ-M!`ZY-nRA&u*f@plZ}u9NacrMmMn+gtyI>@lEUn0dBKp zgcEx~h}&!#;i6XPIH(acm*xgT9SJ) zEyT^&@Z?i5qT!JsO4B8R$KB+#9@AvgfG(m z)DDwX95LSKUDpm27Vofv>0FX0#{kR!&RpSYeJab>}Llo_q$gq z_rfd5*{4jjPr?&Oj3@L_s|shEVWe8+n{Bo3*upTrhwkOGm&@B;x>< z^e4b8bef;UEfCo93CuM{!2A@jqLKgx$WJ3BOZ7bhUn`N%kf64%$YOn#QJiRh4vDQ5 zXiua+Pef;`7lBfBBv9fniTo2Nsdoa8+=*0#b78s(ojwAcfl{M1XgKdMO3g1&PB6kH zFr?(VF9Izw?;;|O2TRPmDdi3ZJY0c**JFMO6d5&@YU)-LAW4RYqcQSjuxF{Bs`<~9 z*K1g{QJ>st;5asN4^ayYJ@rZC4VS?F5)8GcaaRICBN#La?l6MpS0J_KNoSzYD7*$w z0}ci}>)wbwcjo0OVWG?@Wh`=ARurZ0MNacRfGzt;cfeN?SYl|8tgu}f`6_r@pGKg7 zTD_18FNypb2G!IzvNep{kBnS3kNGtur4xec>QhwR)T0pOu9si?CB~A}pNR2wWT^G2 zGN<_sVCyy;ORVVfm=Ayu@EN|k6$XrzKJqs(F_37={t>+3xh^+=<5U8~$q$t5-p6+n&Gh;dlUt z;{ka%e(`X3*EEg5tN0jb4ion|+?}{5;CrH{5O_tnzaIBe+(BgeHv!vm6`?QM@(>X* 
zT=ybDCmHCY{0ZPJxCANaF`Pclp+#2m5LDXe@M(C)Nc)@p;A6Bi9C*U*^f`Tc1WGVW z)$T}t8#OA>Ppv>Znhzpf6hw#fAy%P`C8z^8G^Pt4TR8swA_AlIP@`%+yG5NHVgmBT zkmnkDLy_-LMg2SQv&QA+j(j=C1#$yM5GDXq%$X5=k;lEVK~?M9}C-wXVr6 zcw>ph-vC;j3$Hei$f9~(ytW&x+Af+?Baf4Z{}o^s{Rp!r<4+LY!}t#=*~`fvA&FNq z&>u8ao85;S$6`I|<3~KGr-)Rimei=H`jA>(w{#8aN5u4D*c*8g`B!^qiARrMPf>w% zr-JBCrPM4<9YO#Q$_3O1mj$bW=^rC2ULlZwN7YkgL&%(fR+)B~DWq#s@(mJ4T|w$< zXh}bXY}df#e$tFX8M>cpCIp))LL9uJ$g)}%uo$y*(TXFNi!qzkwt&T$&7$>5E*E1q zYxe>cV>XLcGr3%h*{tXS7GpMx0x6e^F`GpTq8y7cICy}l^pXuHKsaC%IAO2C?E72P zQ`oj^j*MG~Wt#aD_}2U>0SpFS^Jf4xx2dPl(i+RDr*ImL@MXE5XXU;@asv+Y7r5hr zNYGJgqV4UMMei^SGJ+M(L8eB}VWi{S+zwcgj~{l$b9dk^UWFI&IPP+6o?C zu(kIX*o&LL2P^UifYkw4-Lp7I_#@JWKm8(Zv*ar&VZg92!mDD5E%-Del+2L&VtZ;L#KyG%`yZ1a>d^n z%gmRcp>SP2%A3Z#WLe?nwVj*E*XNNVFGG6Gx{zG@8ReLK%Z+lQ?54!ddhEd?SRr^* zHzPwtLCRDC0)=k5A}e+qg%La$h9g2hqN5zNN};KNu%;wXlzQtDba*Fa@EPvFk}aQ7 zAmLMuCGRzLqGHWtV%O!}nj}WC=|`K3!go zW+CM&BH#m%GsoA-!{wGpC?^sq+OjfNR$kuJmtiX}9qU$JMDr5T{0&>AHUcxGxp}%n zZ+i=x!7PR-)qcyDsL7>NenF4gT3)%JAK4%!BJukid@*?LuQ_sLi)6b&L6khC^u$sk*J|+80iBT%M zG2+S+_>< zI!8ArVQ-B=TWisT1s7@|FwTfdO^Em4Dnyz-M33Xz1KKC^=)}7c*Hxf>8CL}91Of){ zxT3f;c9-63>~X!h_wr^%F3nl*$xG@t)HiNuY}iU#oFWNWTOq_s3`g(5y>A85y_r;E z{206{#QDpF_)sxu{k`I5Ow34%mAm_+t+;;>_$tg7E1Q$%5DDW0o0S7Q@2K>6f&9nn zMiB%7$(wP7aA6P>C`!!XB6=l2HSSbrs&4?7j*DoUabaNM=f9XXSf1_$xJVXlWYrAM zL6llW7uy)N0(!-pm7@w?y;eSe^xa5%#Y2F)cuM&$(jGMmxC~Givv`*26_05o^CH8W zos@nb!xtF-8PF$oyFLK{pUMrCIJ%U|JqhR&H!dZ~Z!e94>sj{iOLcMMGSYK9pilf{ z8I`D2P+4^qMBm78hT)kC^5n-Deu3dV41dmCXC=vB%J2ZgL5AaiKJlJP()@8iU3|Op z?n+(!p1Fm~xs>I1S9-S=N;DaM|*5u*oT1&Se>!1o|6-|fOO4SRYW z7^ZlEB^IzU!Z3Q!c;iIx#;^q}11$!0k)~q2;!iqXBdQoXZDA`JyVb&0V?-zxcOZ8u zB-b+U)8LgNT?<=^#Xp1R5$nYz%sb2ZHUq=rLVORrB8)5B7<-bj9l*$zUqP}QHIdlw zfK}pjpp&hJDp=N!x_l6_ex(s`fX_vWMFlV?urzcQ<0(5y9>hB;gv~K_Sj@s3QFSZe zK6N|b>(rfq#~IELMSlah19NXxn*ncQ_(_IeWB3Dx=NSqI$t+=5&2S^bR)zx%uVOgC z@Qn=L!|`8U9CGJK5T&l$b|Xv;XgLLHb3GK>H!Vyicx>SCw& zo3OKwVS?ct!&@1Cg5g&g{(#|c8M+FnE^jWNTE7EO7lFcI=jO 
zj}*=!{pG@U0Dhy0xT}k))*Ff`21s5PEz57x(f5|$0r-XGAE8MPv*In`-zWi;vM)^d zJ4J&U!F(64ChSdRE$Sxp7dkV_Vfz_-!2K!hLGTV)*!|igz=kaB3GFfL;>RrP*V+@n zObc^5&tcY`wy-kiFMwTRVe6ddaYA>Ug>7>_2W(Da;(&7#dfksL-l+3IV867mYn_h( zd(M*lu=7PM1L&YmhzHzXbm~e-TxVh5az2K2!P_kCCyd=HF;SpE}dP{KmpM^Q4Y$YGK#ujmiqK z#=>sWHv^+1N!!<)|0A*(s{G81qUaDNu941(+jZgGBz)M zfR)H=MR6@j&WmS(?GPPx5=JG^U|!tozF*lT-e_Upa-UV2 zMPMUIzDYdnJ}+8DSYjN5t>RD?dj!1qTav$YKdQ7*CiYU?^J4|4A{LhN{9M^Ben`VB zYIL3F8D)>qUMsPi8LPFhzh|t6FM;UuSv=@X_@OF}x2SjHUff^M2i|#$_Z`Msn>e5NdBI`u zl38rCa)tO?3wx$uvvQ^QxP|=(u&cy<7Un73BnHLzv)EyEP`sSQHY-DdzGp#o2o@ew zhsE_4wyJQm5*P2WuuZ^@iq9}cez`$CCjKmW?td&ittP~!Ev&`;ox*nmyUfDQG1hKj zzb|}0cwH9eENWB|qTj-NMR$OArG-@%{R6Os#KhX7P1t3eu&~!MHfCWRjF}cT%-Gcy zHeK`_^1YQYvihugTzphw?z2S?iWA~a3;RjYBf!39VSfTIDIT$~65k`hp0uz!--CD? z@fi!-1KyZ;(ZYto8y9*jdE!m(>%bcqB^GuDJX2I#*yq4A#d-^S5WESo-NJqb-h{Z^ z!u|r@)#8AKl`VM$Slq%Impmv^B4uG+;HAWzg(bjCi_;c%19)liJ`1}Yyo~s$h1~;Q zhD^rifuhHk=n6K8{CS}0S4$pNbJ!o2oEImvJgxXSU|(P@zwl7LDe)BxqkL21n-)g- zrp3b+M){^i2Y1$6#Ma{Psx#sfmy_CC#Npz9Rj(0uF(&)pwc-by&&GZwF>!eLJN0Wt zBWrn+NG*RKPPLxOlYG4>uz2@D^7YWJh*Q`?s^X1+4)JzCO`HLAiVp%})eYzpcLKV_ zSBgd0BfgEaR~R^lR740+6;*%^@ftu))B`$2BOq3`fQo4Qt8g!KrDQ+Ss<;BsAw~f; zF~(ey!P~B!PH}pM(-&&Kp6PF9nYRNv#I1muxb32JMSO%MKh2VqOB0k!5qB~Dt4x2; zP{W#d3~8r052%Y502T2kK$Q>U9m3@&N`ARMrYr|k#p(;vuVIR;ujJOT;RcTRwf^!F2%k2l; ztQ=w(W0+ugHNzQ(^MKEZ8v!?oTbR-$C{6HL^^D>#`FHhpB~tQ7^<&DVCEKz0d2LCf z;$fN3LcYZDRnB`x$&~CAG0>Me5)9XhYf3hWwJf<-%#~C-){3{4JglBoJ_0x+K38&H z%!qp!euLq|fQ6j5Q2d}|z2j=6H$&TROK6P$9bioSiJ@NloOoPWT6);=xKdl%s8n+) z=U~YZ$J5GS=~2KNO2-`MnEoPLsHjvglwP`7@gTj-aaOsrG~+PTv!$m1zgPN3N4fe` z>3LCYaerO<7RdZZDcM{eyv4CrT@$?3@uE@_BnsJoRw2vJDy_lW9Jec7!H+l;^~&Hs zIvUh;@Uy7zRPZgx^`_t#k^VsNUchezA8{nf(e*wKR^sj(xLJzBJ z#ib1UL+3y_%5W<5D_C-Us8J~qZw;Ln39d_t_+n^@Rw2F-s@7smxm`R8nV9+nG@Mna zE@zcrLjJ5memkp>-)v#nOB?2F#D>}vWL}}dJq(9{pZ9j&>7dx zDl=s#0B->Ntay9bd93c-JE6U#t`Af@F+F8+BeiL99!vlb~s}tq#1Z9RPH!wWS@K%D#9p#(E$JG1Fsa}tk z-=?hsY;dAC@y^h4U+V%gGa$K4{b^kMaGap}@c*#B=|`Z?`s(YBO4&<)C2 
ziMO&Iv!_Ft`dP|&xyN5#j;JJTqXan6%=WYi|S?PVb7Z254Ba|(q%u< z9v3^7H7bvb%NZU4_i>Q{JO_K8*3PN#SoR#?KQQI>l zvrKh1ustuTeXecJT25cWv9Xf8#87JX!HRr=rkGj!M5BWzmXutK->&9>eZQkXZ_*DrW-9j}?I~29hB9Ay9`B8ihxa>vUeE>Z+bVnYGfY3D6re2f!*Ttr z(&ySFW*m=JPU$laTC>hLXsueU{Iqgb-zq&Oo~e9;z7}QO=9qWTXn7;xCUM5`{pGYP zp~z_vwA$|A^zDvw%XQ^$hf<}(^Uf;Oc?;wpR=)}u*B)0kSKX(db=*|-P5n{FC#oI> zytitTIOlk{>M{MC3o+~&u_B-BRQ0%%w ztO{?!8xv$t2g{sM>cS{6K;2%b3765a8+wmyK2o_-Ro-5g4MdRR@+#8*tJ!o@uW#>tv&+D&gu?Owl6*A zifTjE)ON?i1d~V;cN{X;R-XiXGb9f|XIwky_(JupE1^A9{Q=M^=Fd5vss51bYOQp| z#{sKWe8v@Z)U0S!9(B-+5M@8lBkv}x!YV{NU|8%0T!s0|jpq&hfVDUcbBhhw*SK-I zHUhW>bAVfH$9mf>c44K9H}bH?bmMnDW&u0I^?>`t-vIXE`&(|DlHCG$1$KjOLVOA^BR&r}jo)2yi)+O_fOF!0%yCaa-Xnen+dMeA+Y5MJ{2sI3bK*~c zf5b}+9`R?K@_R7-`qX-{QvA+UFV->KEB=J^GEO%#Y+=}o_x0<=Ymt6~_kax2{eXT%zfu2! z%OwF1cMyGW+Q zMKUWnUGKsRgQC4~9E-s>6@3!$9Yvo5yq)3aita-Co+6UDzvwGSmlk~uaHp3_>|>Z< zILGi-hM!>gRfa!c_*;gq0?K6+lRXv1WMM8%zlP#K4e>+*>o*rL1+C*m+5-&Fpa4~z zUD3I4A;TrWRJ_ea(11@=cxDM;0GNssVmkLKXSfW0qTj0^Sb_5)1!u7#q<4a^;yZ%N z0J}j`5l>Zs`*Dh+iXOBw{aVOsz&@M~t9aT(C&X7Uyb7(a;<*{YK~V?#5r#uJD^{^? 
zAvi1=Kpz2A@#L)$>7#(EI3_kBJqoBI#y2B2CSfCd7qHPP&vOb)u`_P{FeG#-|2v?POSzW81aUt9GPIF{3 z8NW=#$IMJTGdN;SjVI06NIX@C$BXsx>9}Y~#Yf`fnM5qvZl=aW;za#Eb1I(d9gQcG zqNS&;wLdx-?P~9~)9oEiyL&lTf3zo_nM{qh;MbJWqCXu^?VB1A`+7IF9czNmO&)La9>kz?}6@~R?*r$ z*wqcZt*1BI+b4S3_V>5-_6;_*c1F8E=xOTf?h$PVTRQq%+Xh?OditX6(UzvZwq6#E z_ADTZ-aXw1278+ZK;6^UvUjk#`yihCA80z%JIE|V29-eBdOMqX`dXS`f^ExScUQ-u z!S20cps6F;iZTZKd)s=tnmXG=OLynKj<$S?Z7?JT+Ij}5kF<65MVmTc>^`btOLtd$ zw5PMFFWTKDcDHr4^+a3p#CnCTe6X*nXLlPiWL5Nvy=`s#a;0~554QF6kRJ#RwlsCM zv~_f}wOTmXz5OkF20OZUcXti;w)OT>ky4g?+uq&ZWy?mpxN?I{EiIt-4RY^}rc@7trNsK!GZ3_s;g@WO`JNYg{B3vA8x=#$sACi?`6o+JjLhHhv6)*Y0@6 zqMH~Q#xv4l42(@DV~J!8g|hz6*z~^9nRH?}mXrfV)(zm~QIL^`No$a`d$xs&-rg zTT-6)TI1>ARDwrH(P#FLCx#(O(_fkbpk*|cYRA~i`0!|a_ykg|n5@N#_)LOkJ>YF8 z5gkn_yfOqNJ8KTwl8cG`nB%MowK?acA zeTm@{7pv>;IEMDbu;@snGpON&RSZqlM6$EAreafg#fjX3ImE&w5*%I1mYL*1*!t|(SEJoDudTH_P=jt$4j zh_w;{l3kxf(>zA>#77b-L`i%^MAO}q87zkuklIoyGnGeak9M>T_8r=XIjC!ISNDM~ zk)yOmd-vv{Eqj`J^3Z)z{E%f%xTmeNyRVIwNm#(`>+c)f)6~_9hY>{R?(bVfku!lM zf`-F<$(Akda7bq~Z+!& zHhr;tYl8c3EH!gvBbG?k(yu)cPmbhwS7gVEDz`S09eTlvMYT`w3M`Ap?3ha#!Po^knIT5#po@4P$c3!0+oN_d!7l<4{uDD>xK4hhga#Q6{ zPE8z@qP9;YW;rw`YqcB`WF02tx^FUJ_wLn>?bW48z)n8g>I%2$1wROFGlN+ z=2Lf1CPu{A3_2GoI=C;DIEjwTEB?V@x#Z{J0>)zPP9m5IX!&XB$R}kLGch`z#`HQI zw={Rf(61>!q8fEg)3TjVJKaWW@~${`03%jww@oK93kY3iCUJD8IgXlP`;f#u%u5ML zZW|xTCt^OuG%=YRAuWiFT(uV2Z=pHc^Xz7uVecSZPPSgOH`1JXQARe$;-JswSj?at zuh5Tq=Dv6r&&#z~VP3AqEXsA!QGoJXl#$J`SXDO1Vg}`~;(GCbKzUw)m6vO=!n|CI zS(MA}Q5P%hm3aC27VD(q?0k!PlrJyBNHh;6E=3+~%z4$7Me>BQv~(^~<94P_TEO>@ zkMi~!Q9O*94t*v!HCurzm->SjN{V5OgNaOkkI2MQu!n;gd;56mWPGGSBsgZpByi@8 z#inTw!RZNm>j`3Z?3*~+8#|dDD|@gAz)W4wn`3jL7g}+&kQSY>RC+X)Y)Us}@N)Ig zB*w-5@iE@CkMNPf(PRwECwnlqhhk|WTf=tC9kR()PRkvvpc!1Q*VE=?3Y&MFd1PpZ zK|{%KGBF{JCa|oRL!ZFlC71H)ObSC#+FAfxV@q1DuZH9>E@DlS>8aRgQX~e<)G;h# z#MD3{mBD&WO!eaTtGOAI6ToRP6BiRx>1$}MEU=i!RdjfGl!;UAT*ni%vK;CiO&raL zp{8VJHiN#xN0BGh{58#8J}7;-iP7i)QnoMLR?3V7LuFr{!G?r!@$ov_0|k z#E)95ZqbxZ$H#_}Gwk1-FKjaWJu*3*=OmlaVouCpk{Z1Tt1pG)v9Va{#D(he76lhF 
zX&oCIpUE+-wYD9r#E0Kf*<8$aP*~eo?5DYRQxOMQ-64j1;+&1h2NEM#s$-6} z4kt+If-#Jhx2F>56UiAKhiGtW+*m(?UQPaKXL~U&#?du$hSND9I%zWAiUDby78W>u zwrR8*WJ?xO=!lFCKbt2}(Qy{wQ?q?$0-GB$x5KoS7uc@HJVsy{v-YS!@+ISnN$qJKss#>CoqDJFqNvDO>|=WHwIr(vk-%Q zY2i`XPPYGv-84)yVqW{T&|(wED%_x$Wv8TPWDwI)t@Jo;UVCCA3Dc77GtFcl=8hBr(E`OT5fa6iWWL3z_yZfTd^*a$qDOhmRip)!y1orQIO6rR&<&t z<6UHFv^9~&M8F46GAU!2YSomSieX;i%2jYV|y60A_m`Ylu^{FXl2*YEN%gdjaKX(-M^m zY+}CB1vK>B#L)yDl2B32NlZ~zYEo__T4rK&#EFR$6UKNtNlnMybWdh1$)cUHW9R`f zPGft|_XDG}S0j~&Flf<1(qwu9LyjCyt;0F;{DNTP;e?LuxPG)2l#?^ZfUJ;wtdd3$ zS*r36Q}SEIqO&GmKAnt7wKQ7bh$~J{70~_I$S6G#;fA79d~8{dV%QyJ3Xj9Yq9M8+ zMsNmB5XkS~c?ULFSL8Uk6fK!^RpLQ|TirUx!BW6p2+PF?kM<;yhvEze5p1s!Xx8LY zCHp|mK4g+&O;k&3Zn@xC2Yax%6G?~s@1Tb}99IHX>NKs%iZZ$3zb|%K> z?6H!dbERG^4>(7knTaL$U=@iDIG$HRNHnbQ4)@G;4E3I_Y}4^f)Z*#j&b5n~(}&(KOQSC`(tCYdF-RNH>p z@ZcZ~@yXasOEQ*DZ^HCF4j1t_z`-QOQgJ~CGML2kk7l>i4)L;~!NCn8+LWFdA4V2B z9naD?V#zKpC}6W_>0Pz`vMqyy_6u$h#{q&aO3@+{KYijXU# zh!Gjl(X`$7Mg-e@AeP8jq1ub#tZkeIR4g!2F&=X8toq_RTbW7DUKfhkL(4@U0@tJC zq_NUPY}=`JOi5;HCX3VaSu8$mHWs58W~rTcdg4KK5eeOVT;xBEX9X;o)gt|eMS47j zhsWfZ{IuL==TFV>FHOkVCPffi0~aN5#%JvmB$h~H`NZ=<`al9f4Bd#vUL1dA><3GX zh`v-J`;;6@pJU^A?41}+3qH#^hF;han;ah=MPm$OW<@}grTu;FTX@cFj-}(5ULuuK zFSk-wFNk*YGk{=`AV2zIRKEG^g>)2myca9gAHJoiSR2TV5_F+v9kl&2>iqc*0by=J7Qr=2Q~-LzcJjTrPQiXy6e>Cgc0 z*3jWW81L$g<6WFdym7M)82yRr=mj*%v7vBw<9#ww)Pi?{aDDcms=Va5dpQs}Xpk4?3HW6N4Lhvp`Bq zJH2?7w``t;Ag%C&ESVJGzD9z?bSAUi@&uKD<@7QMBQW#WuVIiC_#PGZj6IEJs13#-YlD@jBYV%wfn+fSce- zXzO~4qtQU>KwNK-{^2ZR^tv~^Kn$dak4!d!(Jytw5>n*J8svQ4bOtDUy? 
zag<5nbQ!3Mhh)cLgHlun7#BmRdlJ zr4v!p565-lJ-sH_(1~)VplblF*e))Gkq3YsL#rNuw&RG`{BpXvoWm%A?7W=qNU)wR zOOMn$jW-b!c=wg436x>qshr(t(h1l}^`ByUx58esyB&5#!B65l;&eX@nZqcjA2tlb zzO9fMLA^$xf#mV6Mab=e{7KMyq3<~R=Mt75Ls=)_hl4161Iy#E7IFvKf3lnn@XCIK z&~YxW9gTAs7H@?<3c+UBGlX(`VDDkrh}|UXqjn)bZ32bbDatt2E6MiA_8CK~%6gF9 zWM>abI?Q(NK`SJ=UOmu1z~vr#le2oe>uW0hH~=#*T?=j4n0)kzU&_85c6HNY4P;rvu&?K*W$eUC5V{Pr@HmAIg6mU5MJb1^0uv zQ@tADpJSZ=Ft^(n@+Yl!mG*Q&R`v_(SG~}_5Bez%rua_n8AV%CJ5!vsqt3ECiU-+G zsU4`jsh^E-yS70-2|oFqU{HP+_ZNx-s&6m+C;cePC!4S@fq!Xyqj`$#q;ata`G;}u#CX?%y3zO}{XzZc z0CZ2nk2Kz7z~2DBPQw2OQ7(R{N9xsl68VGrJx3LofBV0rm&^bsV~e;ai&DGH4I#ZzRzOoa$l6 zYZBg~v55Sbf_|DGr+~FV7me2>p9H<#@;CLvM$S+D;ULnB<3{#ts)Ou*_;xe&jH8T` zuwx_qfp?2>9{|4}^&EgkiW6$z5!9FZAJv2Ua};=f+|jru`wQ7j@w^+9V~{1g^ZQW~ zyuTOTl=IO5>?D0uKPtZuIK@51t&IN`@b>|yIGaSdi|bGG$ijG}a!KD7+z)eosK3g2 zN0xJp<7JxTd>r+l`AhcW%h~7BekzaRipDi+&k*?3f2Mxg3O(JBAzR6>8{x;RL8p0##+4TEkE0wakMxYedK%BE-yh4<(}MUU zOKBXG^EAa3`BBbu$3d0z58lgVeKfC8zb5~Y&o-b3=IkPUG{0;_u6#KfrzSzC^&PFd z@L~z%Xnw^RFx$O}{X+eI!m2NoOMRC5Gqo?xuLHoP`~doktS7ZE_51(&c-;?sgG7Vu^OICy<9u0BCbWn=9Iq(cZ3}|HNzip>-4`(1wRLTC@!# znZ;$u4Oafnk&Y;yEBs&YTp2jI=cZq{fAo&;J^4xD{^B)P43uB;)Q#?jd$$aH^3twN zCG_i~#YUm8%wHSpaI-CtT5R!WSmDj8(#07uos ziqT}W6@)d#*kNqKwbd0?DZRCb?wf3J2>VElPm7>H0u2NT13;%gG_(Cc3c<_6x zQJ=5ar@Ha0d7LVQZ%X~0ihsY`=PMAp+vBNp!o?n!aQKXVRmI(C^7&L%S5c=X9VJ)z z55eFoU3#fMrWlvFKeKc2^~U$S+sNR!Q71(bWNR_FR8{{NGF**o5?_idH+BIU+sol5 zsP#bYc8$J-rHMIq+%E0+_;pn6cLZJlK)wop*iq`AQGNbdpO5XGn=cG&u-P)cD6ISE zZm{FQ6V@yY-u4?#fVmspVFy~ms6&AGH;|ED{}}w_H-PWM)v7_oY5chE+%06ge;+8w zI1AP+Yd8%ECK1b-@GijaoP4M;qs%bD;lt~WF&ii+yGD}63OuA4gpHz~&4?TV_D zI#G_#jkZyJdNJZ)xzN0dQMknA@>lz-jY7n^QQ|L?IetXaZVs3tx83%zwAk3{c2kr% zsCLHO(}gaF&4#!OkwT!sDPZTbq@=J=YJ6VaUgX=n69+v0d5?eY=Ty)6B1vWE&6g4a zjtj-O@qx*{GOD2w#n;?Ga3Ng@0hy^%-m0m{`PDk(63VL%CC9@*gu%56e_0Mlr0>Z_2|9-e12x@`Se5+kc{H2xt`3C>|CggX!{a54K z?{-5A{#jXcm+G&sbb4G4f35#&(8&oE>{kDL6bg-gv=hE=h)Ou5>7DF@P7R$gj^;Ds zKJsB5S2-@LaL9^(&;kNsj;dbiA-m?UH0EPc=1Qq8&e{@`J0K|Z+;nr0E75t2Ttf5t 
zDk>`AN<=Unt=73pz(en$k1UFt>@;^z2QGfP&3RM z^EYsN%=_5ld3;-ydW|PcOn7qMsS^yK2hE>0=5O)Ozl-onWBv@xuc)lx3>6iK=86h1 zio(tcpOgcWJXk@E6A%H#gYFFp{NsvI^-#adTp{YUY$L3a0t`=AxP4IhVgLN?6+ZM| z^jToG`3^Rt!r@ZTPNLF5r9kS&0+-WYhP$KE;Re%(+8OhoRN3R7)dYq`xY*%F2+Z9G zh6mzvH~JhtH-OFwy#At8-Yz5leKZ_w@{w$RQyB?BF`Y6VOgKo6_ z{P!S0-o<_XaSBf&NTG8sa`w}Ht0O$i>bbjt%8vh?mm{0=l9Cr8|4;$kXQyQe6b-17 z10$UZJ5-qa7jM{6>8td)jq4ROiLcT@+OPM(>`MHP5JbU`io-e7XlZtv^y zdzw&EOr6_*eL1=kYU6`qCo*6|yJ;bqX89|n@i@OZMiMWt7U5kv(f^nFPdq@sV9M^FE5m(@5OWJNP(uo=zb{T7y$GH1 z&k#kpwZPOITG`1CYIK44%0 z@fq!hP>Nq)0^MGvU#RIWmZ4`?^6wJtGd4g$Ef$ALw&Yfnj@NlvPi`$w<%Dr!)%+Ot4D|bMVO&>m+1(bM_6a0y`-QOo za~m#UKhTp(I^~;$zv$Fvp*M1VAfHeilkb|~FWPC1!TU*A9sW=AA*=Z9m+#%ab9yWp z#)~fWRC~vYhWZUF!g1?i`i>QNl3urEML3OD)JO1L#qs!#6*KYlik+7gdAH-e4t_^E z3>!4}#Xr^x19NQL4kJX=SSP{m9>cmmJ-j1(G>o{cLwAIeT! z-;lC!P*QlI$NJI^zVMgClm7Ip)Y@ok4dav3W4%pkj(5aQ#*^VB!5u4N_#z*@YLr?L zo=niIpJ}-9C|+NQTa{uZ>n~!BZTk8Jwr^jbbpiyoueVzW2(|YAg`W?~-==?R" + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`nMicrosoft-Windows-Sysmon/Operational" + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`neventchannel" + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" + + - name: Copy trigger_emotet.exe in the agent + ansible.windows.win_copy: + src: "{{ emotet_file }}" + dest: C:\Temp\ + + - name: Restart wazuh-agent (Windows) + ansible.windows.win_shell: | + net stop wazuh + net start wazuh + + +- name: Test manager configuration + hosts: wazuh-manager + tasks: + + - name: Configure local rules + become: true + blockinfile: + path: /var/ossec/etc/rules/local_rules.xml + insertafter: + block: | + + + sysmon + technique_name=Indirect Command Execution + Indirect Command Execution: $(win.eventdata.image) + + T1202 + + + + + sysmon + technique_name=Regsvr32 + Regsvr32: $(win.eventdata.image) + + T1218 + + + + + 255559 + WINWORD.EXE 
+ Word Executing WScript $(win.eventdata.image) + + T1059.005 + + + + marker: + + - name: Restart wazuh-manager + become: true + shell: systemctl restart wazuh-manager diff --git a/tests/end_to_end/test_emotet/data/playbooks/generate_events.yaml b/tests/end_to_end/test_emotet/data/playbooks/generate_events.yaml new file mode 100644 index 0000000000..c597ad91da --- /dev/null +++ b/tests/end_to_end/test_emotet/data/playbooks/generate_events.yaml @@ -0,0 +1,38 @@ +- name: Truncate files + hosts: wazuh-manager + tasks: + + - name: Truncate file alert.json + shell: echo "" > /var/ossec/logs/alerts/alerts.json + become: true + + +- name: Generate events windows + hosts: wazuh-windows + + tasks: + + - name: Open Word document + ansible.windows.win_shell: | + $MSWORD = New-Object -ComObject word.application + $MSWORD.visible = $true + + - name: Run trigger-emotet.exe + ansible.windows.win_shell: | + cd C:\Users\Administrator\Desktop + ./trigger-emotet.exe + +- name: Wait alert + hosts: wazuh-manager + tasks: + + - name: Wait for alert + wait_for: + timeout: 5 + + - name: Get alerts.json + fetch: + src: /var/ossec/logs/alerts/alerts.json + dest: /tmp/ + flat: true + become: true \ No newline at end of file diff --git a/tests/end_to_end/test_emotet/data/test_cases/cases_emotet.yaml b/tests/end_to_end/test_emotet/data/test_cases/cases_emotet.yaml new file mode 100644 index 0000000000..e69de29bb2 diff --git a/tests/end_to_end/test_emotet/test_emotet.py b/tests/end_to_end/test_emotet/test_emotet.py new file mode 100644 index 0000000000..2f6dd52e25 --- /dev/null +++ b/tests/end_to_end/test_emotet/test_emotet.py 
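Review bot: `Run trigger-emotet.exe` changes to `C:\Users\Administrator\Desktop` before executing `./trigger-emotet.exe`, but the configuration playbook earlier in this patch copies the file to `C:\Temp\`, so the task should fail with a file-not-found error unless something else places it on the Desktop; using one path in both playbooks (e.g. `cd C:\Temp` here) resolves it. The `wait_for: timeout: 5` before the fetch is an unconditional sleep, so if the alert takes longer the fetched `alerts.json` is empty and the failure surfaces later as a missing alert rather than here. `echo "" > /var/ossec/logs/alerts/alerts.json` leaves a single newline rather than an empty file; `truncate -s 0` or the `copy` module with `content: ''` is the usual choice. The file also ends without a trailing newline.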
@@ -0,0 +1,78 @@ +import os +import json +import re +import pytest +from datetime import datetime +from tempfile import gettempdir +from time import sleep + +from wazuh_testing.tools.time import parse_date_time_format +from wazuh_testing import end_to_end as e2e +from wazuh_testing import event_monitor as evm +from wazuh_testing.tools import configuration as config + + +alerts_json = os.path.join(gettempdir(), 'alerts.json') +test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') +test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_emotet.yaml') +configuration_playbooks = ['configuration.yaml'] +emotet_file_path = os.path.join(test_data_path, 'emotet_file', 'trigger-emotet.exe') +configuration_extra_vars = {'emotet_file': emotet_file_path} + +events_playbooks = ['generate_events.yaml'] +wait_indexed_alert = 5 + +#configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) + + +@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') +#@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) +def test_emotet(generate_events): + """ + Test to delete a malicious file detected by virustotal + """ + print('HOLAAAAAAAAAAAAA') + # rule_id = metadata['rule.id'] + # rule_level = metadata['rule.level'] + # rule_description = metadata['rule.description'] + # program = metadata['program'] + + # expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{rule_level},' \ + # fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' + + # expected_indexed_alert = fr'.*"program": "{program}".*"rule":.*"level": {rule_level},' \ + # fr'.*"description": "{rule_description}"' \ + # r'.*"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' + + # query = e2e.make_query([ + + # { + # "term": { + # "rule.id": f"{rule_id}" + # } + # } + # ]) + + # # Check that alert has been raised and save timestamp + # raised_alert 
= evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + # error_message='The alert has not occurred').result() + # raised_alert_timestamp = raised_alert.group(1) + # raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') + + # # Wait a few seconds for the alert to be indexed (alert.json -> filebeat -> wazuh-indexer) + # sleep(wait_indexed_alert) + + # # Get indexed alert + # response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + # indexed_alert = json.dumps(response.json()) + + # # Check that the alert data is the expected one + # alert_data = re.search(expected_indexed_alert, indexed_alert) + # assert alert_data is not None, 'Alert triggered, but not indexed' + + # # Get indexed alert timestamp + # indexed_alert_timestamp = alert_data.group(1) + # indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), '%Y-%m-%d %H:%M:%S') + + # # Check that alert has been indexed (checking that the timestamp is the expected one) + # assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' From 97690f6ff6d846ad4f72c4da72e8aa7f8be8fbab Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Wed, 20 Jul 2022 09:58:51 -0300 Subject: [PATCH 221/552] fix: test modified to run with new framework changes --- .../{teardown_playbook.yaml => teardown.yaml} | 0 .../test_vulnerability_detector.py | 30 ++++++++----------- 2 files changed, 13 insertions(+), 17 deletions(-) rename tests/end_to_end/test_vulnerability_detector/data/playbooks/{teardown_playbook.yaml => teardown.yaml} (100%) 
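Review bot: `test_emotet` requests only `generate_events`, and the conftest `generate_events` fixture at this point in the series takes a `metadata` parameter (visible as the removed line of the conftest hunk later in this patch) while the `parametrize` that would supply `metadata` is commented out, so pytest should error at fixture setup with a missing `metadata` fixture unless one exists elsewhere. `configure_environment` is not requested either, so `configuration.yaml` and `configuration_extra_vars` are never applied to the hosts. The `print('HOLAAAAAAAAAAAAA')` line, the fully commented-out body and the unused imports (`json`, `re`, `datetime`, `sleep`, `parse_date_time_format`, `e2e`, `evm`, `config`) read as work in progress, and the docstring `Test to delete a malicious file detected by virustotal` describes a different test than Emotet detection — a docstring such as `"""Check that running trigger-emotet.exe on the Windows agent produces the expected Sysmon-based alerts."""` would match the playbooks once the body is restored.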
diff --git a/tests/end_to_end/test_vulnerability_detector/data/playbooks/teardown_playbook.yaml b/tests/end_to_end/test_vulnerability_detector/data/playbooks/teardown.yaml similarity index 100% rename from tests/end_to_end/test_vulnerability_detector/data/playbooks/teardown_playbook.yaml rename to tests/end_to_end/test_vulnerability_detector/data/playbooks/teardown.yaml diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector.py b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector.py index 884db80051..87d31f8090 100644 --- a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector.py +++ b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector.py @@ -2,10 +2,8 @@ import json import re import pytest -from datetime import datetime from tempfile import gettempdir -from wazuh_testing.tools.time import parse_date_time_format from wazuh_testing.tools import configuration as config from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm @@ -18,7 +16,7 @@ # Playbooks configuration_playbooks = ['configuration.yaml'] events_playbooks = ['generate_events.yaml'] -teardown_playbook = ['teardown_playbook.yaml'] +teardown_playbooks = ['teardown.yaml'] # Configuration configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) @@ -27,7 +25,7 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata) def test_vulnerability_detector(configure_environment, metadata, get_dashboard_credentials, generate_events, - clean_environment): + clean_alerts_index): """ Test to detect a vulnerability """ 
@@ -47,6 +45,11 @@ def test_vulnerability_detector(configure_environment, metadata, get_dashboard_c rule_description = rule_description.replace('\\', '') + # Check that alert has been raised and save timestamp + raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + error_message='The alert has not occurred').result() + raised_alert_timestamp = raised_alert.group(1) + query = e2e.make_query([ { "term": { @@ -57,16 +60,16 @@ def test_vulnerability_detector(configure_environment, metadata, get_dashboard_c "term": { "rule.description": f"{rule_description}" } + }, + { + "term": { + "timestamp": f"{raised_alert_timestamp}" + } } ]) - # Check that alert has been raised and save timestamp - raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - error_message='The alert has not occurred').result() - raised_alert_timestamp = raised_alert.group(1) - raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') - # Get indexed alert + # Check if the alert has been indexed and get its data response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) indexed_alert = json.dumps(response.json()) @@ -74,10 +77,3 @@ def test_vulnerability_detector(configure_environment, metadata, get_dashboard_c alert_data = re.search(expected_indexed_alert, indexed_alert) assert alert_data is not None, 'Alert triggered, but not indexed' - # Get indexed alert timestamp - indexed_alert_timestamp = alert_data.group(1) - indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), - '%Y-%m-%d %H:%M:%S') - - # Check that alert has been indexed (checking that the timestamp is the expected one) - assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' From e8c27f73cffd7023682351e79ada1c317e375528 Mon Sep 17 00:00:00 2001 
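Review bot: The new `term` on `"timestamp"` uses `raised_alert_timestamp` straight from `raised_alert.group(1)`, the raw string captured from `alerts.json`, where the previous code normalised it with `parse_date_time_format` before comparing; the query now matches only if the indexer stores exactly that string (no timezone or precision rewrite on ingestion), which holds in this environment or the previous normalisation would not have been needed in the first place, but it is not visible from the hunk. A comment such as `# alerts.json timestamps are indexed verbatim, so an exact term match is sufficient` above the query, or a `range` query if that is not guaranteed, would make the assumption explicit. `expected_indexed_alert` still captures a timestamp group that nothing checks after the removed comparison, so either the group can go or the equality check could be kept as a second assertion. `test_vulnerability_detector` begins before the first of these hunks.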
From: Belen Valdivia Date: Wed, 20 Jul 2022 10:11:12 -0300 Subject: [PATCH 222/552] fix: linter errors --- .../test_vulnerability_detector/test_vulnerability_detector.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector.py b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector.py index 87d31f8090..3ba9039b93 100644 --- a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector.py +++ b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector.py @@ -68,7 +68,6 @@ def test_vulnerability_detector(configure_environment, metadata, get_dashboard_c } ]) - # Check if the alert has been indexed and get its data response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) indexed_alert = json.dumps(response.json()) @@ -76,4 +75,3 @@ def test_vulnerability_detector(configure_environment, metadata, get_dashboard_c # Check that the alert data is the expected one alert_data = re.search(expected_indexed_alert, indexed_alert) assert alert_data is not None, 'Alert triggered, but not indexed' - From 2d8c31babff502c98f9625ed38de0cfb888c803b Mon Sep 17 00:00:00 2001 
From: Mauro Malara Date: Wed, 20 Jul 2022 15:12:33 -0300 Subject: [PATCH 223/552] refac: several changes applied (suggested and new ones. #3079 AWS API script modified. Test case configuration added to each E2E test. Test modified to follow the new E2E standard. README.md modified Configuration and teardown playbooks modified to remove the python installation task. --- tests/end_to_end/conftest.py | 15 +++--- tests/end_to_end/test_audit/test_audit.py | 5 +- .../README.md | 1 + .../configuration/aws_cloudtrail_event.py | 21 +++++---- .../data/playbooks/configuration.yaml | 19 -------- .../data/playbooks/generate_events.yaml | 17 +++---- .../{teardown_playbook.yaml => teardown.yaml} | 10 ---- .../cases_aws_infrastructure_monitoring.yaml | 5 +- .../test_aws_infrastructure_monitoring.py | 46 +++++++++---------- .../test_brute_force/test_brute_force.py | 4 +- .../test_detecting_suspicious_binaries.py | 6 +-- .../test_docker_monitoring.py | 4 +- tests/end_to_end/test_netcat/test_netcat.py | 5 +- .../test_osquery_integration.py | 6 +-- .../test_shellshock_attack_detection.py | 6 +-- .../test_sql_injection/test_sql_injection.py | 5 +- .../test_virustotal_active_response.py | 5 +- .../test_virustotal_fim.py | 5 +- 18 files changed, 81 insertions(+), 104 deletions(-) rename tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/{teardown_playbook.yaml => teardown.yaml} (52%) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 666f14e25f..ce28184c58 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py 
@@ -90,13 +90,14 @@ def configure_environment(request): @pytest.fixture(scope='function') -def generate_events(request, metadata): +def generate_events(request, metadata, configuration): """Fixture to generate events. Execute the playbooks declared in the test to generate events. Args: request (fixture): Provide information on the executing test function. metadata (dict): Dictionary with test case metadata. + configuration (dict): Dictionary with test case configuration. """ inventory_playbook = request.config.getoption('--inventory_path') @@ -108,16 +109,14 @@ def generate_events(request, metadata): events_playbook_path = os.path.join(getattr(request.module, 'test_data_path'), 'playbooks', playbook) parameters = {'playbook': events_playbook_path, 'inventory': inventory_playbook} - # Check if the test case has extra variables to pass to the playbook and add them to the parameters in that case - # Also, add the module extra vars if it is configured. - module_extra_vars = getattr(request.module, 'configuration_extra_vars', None) if 'extra_vars' in metadata: parameters.update({'extravars': metadata['extra_vars']}) - if module_extra_vars is not None: - parameters['extravars'].update(module_extra_vars) - elif module_extra_vars is not None: - parameters.update({'extravars': module_extra_vars}) + if configuration is not None: + if 'extra_vars' not in metadata: + parameters.update({'extravars': configuration}) + else: + parameters['extravars'].update(configuration) ansible_runner.run(**parameters) diff --git a/tests/end_to_end/test_audit/test_audit.py b/tests/end_to_end/test_audit/test_audit.py index f74b82233a..516fe079a7 100644 --- a/tests/end_to_end/test_audit/test_audit.py +++ b/tests/end_to_end/test_audit/test_audit.py 
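Review bot: Dropping `module_extra_vars` means a module-level `configuration_extra_vars` is no longer passed to the events playbook by this fixture, yet `test_yara_integration.py` and `test_emotet.py` earlier in this patch still define it; unless `configure_environment` or the per-case `configuration` now carries those values, `yara_script`, `malware_downloader_script` and `emotet_file` silently stop reaching Ansible. `parameters['extravars'].update(configuration)` also mutates `metadata['extra_vars']` in place, because `parameters['extravars']` is that same dict object, so per-case configuration leaks into the metadata for the rest of the session; copying first, `parameters.update({'extravars': dict(metadata['extra_vars'])})`, avoids the aliasing. The docstring could state the precedence that the code implements: keys in `configuration` override `metadata['extra_vars']`.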
@@ -20,8 +20,9 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_audit(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): +@pytest.mark.parametrize('configuration,metadata', zip(configurations, configuration_metadata), ids=cases_ids) +def test_audit(configure_environment, configuration, metadata, get_dashboard_credentials, generate_events, + clean_alerts_index): level = metadata['level'] description = metadata['description'] rule_id = metadata['rule.id'] diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/README.md b/tests/end_to_end/test_aws_infrastructure_monitoring/README.md index bb42078c67..820754195a 100644 --- a/tests/end_to_end/test_aws_infrastructure_monitoring/README.md +++ b/tests/end_to_end/test_aws_infrastructure_monitoring/README.md @@ -5,6 +5,7 @@ from AWS services matches a rule. ## Global requirements +- Python 3 installed in the managed node - Credentials (access key ID and secret access key) of an IAM User with permissions to: - Create S3 Buckets - Get data from S3 Buckets diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/data/configuration/aws_cloudtrail_event.py b/tests/end_to_end/test_aws_infrastructure_monitoring/data/configuration/aws_cloudtrail_event.py index e4e69bc705..675c1d9411 100644 --- a/tests/end_to_end/test_aws_infrastructure_monitoring/data/configuration/aws_cloudtrail_event.py +++ b/tests/end_to_end/test_aws_infrastructure_monitoring/data/configuration/aws_cloudtrail_event.py @@ -1,10 +1,8 @@ -#!/usr/bin/python3.8 +#!/usr/bin/python3 import argparse -import logging from datetime import datetime import boto3 -from botocore.exceptions import ClientError formats = ['%a, %d %b %Y %H:%M:%S %Z', '%Y-%m-%dT%H:%M:%SZ'] 
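Review bot: In the aws_cloudtrail_event.py hunk the shebang now resolves to whatever `python3` is on the manager, yet the configuration playbook in this same patch still installs the script's only dependency with `python3.8 -m pip install boto3`; Ansible's `script` module runs the file through its shebang, so if `/usr/bin/python3` is not that 3.8 interpreter, `import boto3` on the fourth line of the hunk fails. Keep the two consistent, e.g. `shell: python3 -m pip install boto3` in the playbook, or invoke the script with the interpreter that received the package. Dropping `logging` and `ClientError` is fine on its own, since the next hunk removes the only handler that used them.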
@@ -33,13 +31,16 @@ def create_bucket(access_key_id, secret_access_key): access_key_id (str): AWS access key ID secret_access_key (str): AWS secret access key """ - try: - client = boto3.client('s3', aws_access_key_id=access_key_id, aws_secret_access_key=secret_access_key) - response = client.create_bucket(Bucket='delete-this-dummy-bucket') - response_date = response['ResponseMetadata']['HTTPHeaders']['date'] - print(str(datetime.strptime(response_date, formats[0]).strftime(formats[1]))[:-3]) - except ClientError as e: - logging.error(e) + client = boto3.client('s3', aws_access_key_id=access_key_id, aws_secret_access_key=secret_access_key) + response = client.create_bucket(Bucket='delete-this-dummy-bucket') + response_date = response['ResponseMetadata']['HTTPHeaders']['date'] + # The format of the request datetieme is changed here to match the timestamp of the AWS event in the alerts.json log + request_datetime = datetime.strptime(response_date, formats[0]) + # The last 3 characters are removed due to the difference with the server in seconds. + # e.g: 2022-07-20T15:41:05Z --> 2022-07-20T15:41: + datetime_str = request_datetime.strftime(formats[1])[:-3] + # Print the formatted time from the request because Ansible will pick it up from the standard output + print(datetime_str) def main(): diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml b/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml index 15250c1fe3..a48c600406 100644 --- a/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml 
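Review bot: `client.create_bucket(Bucket='delete-this-dummy-bucket')` uses a fixed name in the global S3 namespace, and nothing visible in this patch deletes the bucket afterwards (the renamed teardown.yaml only removes the ossec.conf block), so each run leaves a bucket in the account and a rerun in most regions, or any other account already owning that name, gets an error from `create_bucket`. With the `try/except ClientError` gone that error is now an unhandled traceback and the script prints nothing, so the playbook fails later on `time.stdout_lines[0]` rather than here; that is acceptable but deserves a comment. Use a per-run name, e.g. `bucket_name = f"delete-this-dummy-bucket-{uuid.uuid4().hex[:12]}"` and `client.create_bucket(Bucket=bucket_name)`, and add a `delete_bucket` step once the response date is captured so the CreateBucket event is still produced without polluting the account. The `[:-3]` truncation to minute granularity also means a request answered at hh:mm:59 may never match an alert stamped in the next minute; a short comment on that race would help whoever debugs an 8-minute timeout.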
@@ -29,24 +29,5 @@ state: restarted name: wazuh-manager - - name: Check if python3 is installed - shell: python3.8 --version - ignore_errors: true - register: python_check - - - name: Install python v3.8.7 - shell: | - yum -y update - yum -y install wget make gcc openssl-devel bzip2-devel - wget https://www.python.org/ftp/python/3.8.7/Python-3.8.7.tgz - tar xzf Python-3.8.7.tgz - cd Python-3.8.7 - ./configure --enable-optimizations - make altinstall - ln -sfn /usr/local/bin/python3.8 /usr/bin/python3.8 - ln -sfn /usr/local/bin/pip3.8 /usr/bin/pip3.8 - # Do not install python3 if it is already installed - when: python_check is failed - - name: Install boto3 python package (script dependency) shell: python3.8 -m pip install boto3 diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml b/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml index eb8b88b0df..ba9c9cacb5 100644 --- a/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml 
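Review bot: The surviving `shell: python3.8 -m pip install boto3` task still hard-codes the 3.8 interpreter that this patch stopped installing, while the README now only promises "Python 3 installed in the managed node", so on a host without `python3.8` the task fails before any event is generated. It also pulls an unpinned package from PyPI onto the Wazuh manager at test time; prefer the interpreter the script's shebang will resolve to and a pinned version, e.g. `shell: python3 -m pip install 'boto3==<pinned version>'`, or the `pip` module with `executable`. The play header with its `become`/`hosts` settings is above this hunk, so whether the task runs privileged is not visible here.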
@@ -1,23 +1,24 @@ - name: Generate events hosts: wazuh-manager vars: - w_path: /var/ossec/logs/alerts/alerts.json + alerts_log: /var/ossec/logs/alerts/alerts.json become: true tasks: - name: Truncate alerts file - shell: echo "" > {{ w_path }} + shell: echo "" > {{ alerts_log }} # Create a bucket using the AWS API - name: Run the script using python3 (create S3 bucket) - script: "{{ aws_api_script }} -a {{ aws_access_key_id }} -s {{ aws_secret_access_key }}" + script: "{{ AWS_API_SCRIPT }} -a {{ aws_access_key_id }} -s {{ aws_secret_access_key }}" register: time - name: Wait for the alert to be generated - shell: (tail -f -n0 {{ w_path }} &) | grep -q '{{ time.stdout_lines[0] }}.*{{ ev }}' && echo '' >> {{ w_path }} - # Waiting 8 minutes, because that is the time for Cloudtrail to deliver the logs to the S3 bucket. - async: 480 - poll: 5 + wait_for: + path: "{{ alerts_log }}" + search_regex: "{{ time.stdout_lines[0] }}.*{{ event_name }}" + # Waiting 8 minutes, because that is the time for Cloudtrail to deliver the logs to the S3 bucket. + timeout: 480 - name: Wait for alerts to be indexed wait_for: @@ -25,6 +26,6 @@ - name: Get alerts.json fetch: - src: "{{ w_path }}" + src: "{{ alerts_log }}" dest: /tmp/ flat: true diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/teardown_playbook.yaml b/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/teardown.yaml similarity index 52% rename from tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/teardown_playbook.yaml rename to tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/teardown.yaml index bd311b93d5..755062ec77 100644 --- a/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/teardown_playbook.yaml +++ b/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/teardown.yaml 
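Review bot: The `script:` task at the top of the first hunk passes `aws_access_key_id` and `aws_secret_access_key` as command-line arguments with no `no_log: true`, so the secret key ends up in Ansible's task output (and any CI log that captures it) and is visible in `ps` on the manager while the script runs. Add `no_log: true` to that task, or better pass the credentials through `environment:` as `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`, which boto3 reads without the `-a`/`-s` flags. The `wait_for` `search_regex` interpolates `time.stdout_lines[0]` and `event_name` unescaped; harmless for the current values, but a one-line comment saying the values must contain no regex metacharacters would stop a future event name from silently loosening the match.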
@@ -8,13 +8,3 @@ path: /var/ossec/etc/ossec.conf marker: state: absent - - - name: Remove python3 installation file - file: - path: ./Python-3.8.4.tgz - state: absent - - - name: Remove python3 installation folder - file: - path: ./Python-3.8.4/ - state: absent diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/data/test_cases/cases_aws_infrastructure_monitoring.yaml b/tests/end_to_end/test_aws_infrastructure_monitoring/data/test_cases/cases_aws_infrastructure_monitoring.yaml index a0204f42e1..1b89233f4b 100644 --- a/tests/end_to_end/test_aws_infrastructure_monitoring/data/test_cases/cases_aws_infrastructure_monitoring.yaml +++ b/tests/end_to_end/test_aws_infrastructure_monitoring/data/test_cases/cases_aws_infrastructure_monitoring.yaml @@ -3,10 +3,11 @@ AWS CloudTrail is a service used for auditing AWS accounts. It logs API calls (CloudTrail Event) stored for 90 days by default. There are 2 types of events: Management events (active by default) and data events. - configuration_parameters: null + configuration_parameters: + AWS_API_SCRIPT: CUSTOM_AWS_SCRIPT_PATH metadata: rule.id: 80202 rule.description: "AWS Cloudtrail: s3.amazonaws.com - CreateBucket." rule.level: 3 extra_vars: - ev: CreateBucket + event_name: CreateBucket diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py b/tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py index 6ff1aedf4c..2c7d63686f 100644 --- a/tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py +++ b/tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py @@ -5,7 +5,6 @@ from datetime import datetime from tempfile import gettempdir -from wazuh_testing.tools.time import parse_date_time_format from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config 
@@ -15,25 +14,27 @@ test_cases_path = os.path.join(test_data_path, 'test_cases') test_cases_file_path = os.path.join(test_cases_path, 'cases_aws_infrastructure_monitoring.yaml') alerts_json = os.path.join(gettempdir(), 'alerts.json') -aws_api_script = os.path.join(test_data_path, 'configuration', 'aws_cloudtrail_event.py') # Playbooks configuration_playbooks = ['configuration.yaml'] events_playbooks = ['generate_events.yaml'] -teardown_playbook = ['teardown_playbook.yaml'] -configuration_extra_vars = { - 'aws_api_script': aws_api_script, - 'date': datetime.strftime(datetime.now(), '%Y-%b-%d').upper() -} +teardown_playbooks = ['teardown.yaml'] +configuration_extra_vars = {'date': datetime.strftime(datetime.now(), '%Y-%b-%d').upper()} # Configuration -configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) +t1_configuration, metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) + +# Custom paths +aws_api_script = os.path.join(test_data_path, 'configuration', 'aws_cloudtrail_event.py') +# Update configuration with custom paths +t1_configuration = config.update_configuration_template(t1_configuration, ['CUSTOM_AWS_SCRIPT_PATH'], [aws_api_script]) -@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) + +@pytest.mark.parametrize('configuration,metadata', zip(t1_configuration,metadata), ids=cases_ids) @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -def test_aws_infrastructure_monitoring(configure_environment, metadata, get_dashboard_credentials, - generate_events, clean_environment): +def test_aws_infrastructure_monitoring(configuration, metadata, configure_environment, get_dashboard_credentials, + generate_events, clean_alerts_index): rule_description = metadata['rule.description'] rule_id = metadata['rule.id'] rule_level = metadata['rule.level'] 
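Review bot: `configuration_extra_vars = {'date': ...}` is kept at module level, but the conftest hunk in this same patch removed the `getattr(request.module, 'configuration_extra_vars', None)` lookup from `generate_events`, so unless `configure_environment` (outside this hunk) still reads it, `{{ date }}` is no longer forwarded to any playbook; confirm it is consumed or drop it. The naming is also out of step with every sibling test changed in this patch (`t1_configuration`/`metadata` here versus `configurations`/`configuration_metadata` everywhere else); `configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path)` would keep the modules uniform and let `metadata` stay the per-case fixture name only.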
@@ -45,6 +46,11 @@ def test_aws_infrastructure_monitoring(configure_environment, metadata, get_dash expected_indexed_alert = fr".+level.+{rule_level}.+description.+{rule_description}.+id.+{rule_id}.+" \ fr"timestamp\": \"({timestamp_regex})\"" + # Check that alert has been raised and save timestamp + raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + error_message='The alert has not occurred').result() + raised_alert_timestamp = raised_alert.group(1) + query = e2e.make_query([ { "term": { @@ -55,15 +61,14 @@ def test_aws_infrastructure_monitoring(configure_environment, metadata, get_dash "term": { "rule.description": f"{rule_description}" } + }, + { + "term": { + "timestamp": f"{raised_alert_timestamp}" + } } ]) - # Check that alert has been raised and save timestamp - raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - error_message='The alert has not occurred').result() - raised_alert_timestamp = raised_alert.group(1) - raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') - # Get indexed alert response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) indexed_alert = json.dumps(response.json()) @@ -71,10 +76,3 @@ def test_aws_infrastructure_monitoring(configure_environment, metadata, get_dash # Check that the alert data is the expected one alert_data = re.search(expected_indexed_alert, indexed_alert) assert alert_data is not None, 'Alert triggered, but not indexed' - - # Get indexed alert timestamp - indexed_alert_timestamp = alert_data.group(1) - indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), '%Y-%m-%d %H:%M:%S') - - # Check that alert has been indexed (checking that the timestamp is the expected one) - assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' 
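Review bot: The removed timestamp comparison was the only consumer of the `({timestamp_regex})` capture group in `expected_indexed_alert`, so after this hunk the group and `alert_data` serve only as a boolean; a comment such as `# timestamp equality is enforced by the term query above; the regex only checks the alert shape` would tell the next reader why no value is compared. Since the query now pins id, description and timestamp, the loose regex over `json.dumps(response.json())` (with `rule_description` interpolated without `re.escape`, so its dots match anything) could be replaced by comparing fields of the first hit's `_source` directly, assuming the indexer returns the usual `hits.hits[*]._source` shape. The test function also lacks a docstring, unlike `test_brute_force` and `test_sql_injection` in this patch; it should say that the test creates an S3 bucket via the AWS API, waits for the CloudTrail alert in alerts.json and then verifies the same alert in the indexer. The function starts above this hunk.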
diff --git a/tests/end_to_end/test_brute_force/test_brute_force.py b/tests/end_to_end/test_brute_force/test_brute_force.py index ee1e8cb8d9..59ad4395ec 100644 --- a/tests/end_to_end/test_brute_force/test_brute_force.py +++ b/tests/end_to_end/test_brute_force/test_brute_force.py @@ -22,8 +22,8 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_brute_force(metadata, get_dashboard_credentials, generate_events, clean_alerts_index): +@pytest.mark.parametrize('configuration,metadata', zip(configurations, configuration_metadata), ids=cases_ids) +def test_brute_force(configuration, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): """ Test to detect a SSH Brute Force attack """ diff --git a/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py b/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py index 3c633e341b..88a831fdf5 100644 --- a/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py +++ b/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py 
@@ -25,10 +25,10 @@ configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) -@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) +@pytest.mark.parametrize('configuration,metadata', zip(configurations, configuration_metadata), ids=cases_ids) @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -def test_detecting_suspicious_binaries(configure_environment, metadata, get_dashboard_credentials, generate_events, - clean_alerts_index): +def test_detecting_suspicious_binaries(configure_environment, configuration, metadata, get_dashboard_credentials, + generate_events, clean_alerts_index): rule_description = metadata['rule.description'] rule_id = metadata['rule.id'] rule_level = metadata['rule.level'] diff --git a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py index eb65293a5d..0d1d55aeca 100644 --- a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py +++ b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py @@ -23,9 +23,9 @@ configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) -@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) +@pytest.mark.parametrize('configuration,metadata', zip(configurations, configuration_metadata), ids=cases_ids) @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -def test_docker_monitoring(configure_environment, metadata, get_dashboard_credentials, generate_events, +def test_docker_monitoring(configure_environment, configuration, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): rule_description = metadata['rule.description'] rule_id = metadata['rule.id'] diff --git a/tests/end_to_end/test_netcat/test_netcat.py b/tests/end_to_end/test_netcat/test_netcat.py index 23e4d785f1..6b9a7bbb92 100644 
--- a/tests/end_to_end/test_netcat/test_netcat.py +++ b/tests/end_to_end/test_netcat/test_netcat.py @@ -23,8 +23,9 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_netcat(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): +@pytest.mark.parametrize('configuration,metadata', zip(configurations, configuration_metadata), ids=cases_ids) +def test_netcat(configure_environment, configuration, metadata, get_dashboard_credentials, generate_events, + clean_alerts_index): rule_level = metadata['rule.level'] rule_description = metadata['rule.description'] rule_id = metadata['rule.id'] diff --git a/tests/end_to_end/test_osquery_integration/test_osquery_integration.py b/tests/end_to_end/test_osquery_integration/test_osquery_integration.py index 7965485941..ae8a0e8af6 100644 --- a/tests/end_to_end/test_osquery_integration/test_osquery_integration.py +++ b/tests/end_to_end/test_osquery_integration/test_osquery_integration.py @@ -22,8 +22,8 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_osquery_integration(configure_environment, metadata, get_dashboard_credentials, generate_events, +@pytest.mark.parametrize('configuration,metadata', zip(configurations, configuration_metadata), ids=cases_ids) +def test_osquery_integration(configure_environment, configuration, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): rule_level = metadata['rule.level'] rule_description = metadata['rule.description'] @@ -55,7 +55,7 @@ def test_osquery_integration(configure_environment, metadata, get_dashboard_cred }, { "term": { - "timestamp": f"{raised_alert_timestamp }" + "timestamp": f"{raised_alert_timestamp}" } } ]) 
diff --git a/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py b/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py index 6d2795e752..5104686fd3 100644 --- a/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py +++ b/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py @@ -20,9 +20,9 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_shellshock_attack_detection(configure_environment, metadata, get_dashboard_credentials, generate_events, - clean_alerts_index): +@pytest.mark.parametrize('configuration,metadata', zip(configurations, configuration_metadata), ids=cases_ids) +def test_shellshock_attack_detection(configure_environment, configuration, metadata, get_dashboard_credentials, + generate_events, clean_alerts_index): rule_level = metadata['rule.level'] rule_description = metadata['rule.description'] rule_id = metadata['rule.id'] diff --git a/tests/end_to_end/test_sql_injection/test_sql_injection.py b/tests/end_to_end/test_sql_injection/test_sql_injection.py index 1c3f0a39ff..2396f92fca 100644 --- a/tests/end_to_end/test_sql_injection/test_sql_injection.py +++ b/tests/end_to_end/test_sql_injection/test_sql_injection.py @@ -20,8 +20,9 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_sql_injection(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): +@pytest.mark.parametrize('configuration,metadata', zip(configurations, configuration_metadata), ids=cases_ids) +def test_sql_injection(configure_environment, configuration, metadata, get_dashboard_credentials, generate_events, + clean_alerts_index): """ Test to detect a SQL injection attack """ 
diff --git a/tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py b/tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py index 8c56e9ad44..b6551cc8d9 100644 --- a/tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py +++ b/tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py @@ -22,8 +22,9 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_virustotal(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): +@pytest.mark.parametrize('configuration,metadata', zip(configurations, configuration_metadata), ids=cases_ids) +def test_virustotal(configure_environment, configuration, metadata, get_dashboard_credentials, generate_events, + clean_alerts_index): """ Test to delete a malicious file detected by virustotal """ diff --git a/tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py b/tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py index 90b133cd82..3434b9a0fd 100644 --- a/tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py +++ b/tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py 
@@ -21,8 +21,9 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_virustotal(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): +@pytest.mark.parametrize('configuration,metadata', zip(configurations, configuration_metadata), ids=cases_ids) +def test_virustotal(configure_environment, configuration, metadata, get_dashboard_credentials, generate_events, + clean_alerts_index): """ Test to scanning a file using FIM and then do a request to virustotal to check if it is malicious """ From 196afbf0019b7c563ebe45a7e5c0448b4971170f Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Wed, 20 Jul 2022 15:17:21 -0300 Subject: [PATCH 224/552] fix(linter): correction applied. #3079 --- .../test_aws_infrastructure_monitoring.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py b/tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py index 2c7d63686f..12abb4752c 100644 --- a/tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py +++ b/tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py @@ -31,7 +31,7 @@ t1_configuration = config.update_configuration_template(t1_configuration, ['CUSTOM_AWS_SCRIPT_PATH'], [aws_api_script]) -@pytest.mark.parametrize('configuration,metadata', zip(t1_configuration,metadata), ids=cases_ids) +@pytest.mark.parametrize('configuration,metadata', zip(t1_configuration, metadata), ids=cases_ids) @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') def test_aws_infrastructure_monitoring(configuration, metadata, configure_environment, get_dashboard_credentials, generate_events, clean_alerts_index): 
From 2a5ea152a8a39f585268ce7a10be845bc85994fd Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Wed, 20 Jul 2022 15:30:34 -0300 Subject: [PATCH 225/552] fix: remove the deletion of packages. #3085 --- .../data/playbooks/teardown.yaml | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/tests/end_to_end/test_yara_integration/data/playbooks/teardown.yaml b/tests/end_to_end/test_yara_integration/data/playbooks/teardown.yaml index d44dda49dd..5625770bd3 100644 --- a/tests/end_to_end/test_yara_integration/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_yara_integration/data/playbooks/teardown.yaml @@ -21,14 +21,6 @@ marker: state: absent - - name: Remove Yara and epel-release from CentOS - package: - name: - - epel-release - - yara - state: absent - when: ansible_facts['distribution'] == "CentOS" - - name: Remove the directory with malware file: path: /tmp/yara/ @@ -38,10 +30,3 @@ file: path: /tmp/yara_script.sh state: absent - - - name: Remove jq (JSON Processor) on CentOS - package: - name: - - jq - state: absent - when: ansible_facts['distribution'] == "CentOS" From 4580a68e412856af350a432083893ec1553ab91c Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Wed, 20 Jul 2022 15:34:01 -0300 Subject: [PATCH 226/552] refac: the way to check the timestamp was changed. #3085 --- .../test_yara_integration.py | 23 ++++++++----------- 1 file changed, 10 insertions(+), 13 deletions(-) diff --git a/tests/end_to_end/test_yara_integration/test_yara_integration.py b/tests/end_to_end/test_yara_integration/test_yara_integration.py index b1f02b88ef..e555d6fdfc 100644 --- a/tests/end_to_end/test_yara_integration/test_yara_integration.py +++ b/tests/end_to_end/test_yara_integration/test_yara_integration.py 
@@ -44,6 +44,11 @@ def test_yara_integration(configure_environment, metadata, get_dashboard_credent expected_indexed_alert = fr".+yara_rule\": \"{data_yara_rule}.+level.+{rule_level}.+id.+{rule_id}.+" \ fr"timestamp\": \"({timestamp_regex})\"" + # Check that alert has been raised and save timestamp + raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + error_message='The alert has not occurred').result() + raised_alert_timestamp = raised_alert.group(1) + query = e2e.make_query([ { "term": { @@ -59,15 +64,14 @@ def test_yara_integration(configure_environment, metadata, get_dashboard_credent "term": { "data.yara_rule": f"{data_yara_rule}" } + }, + { + "term": { + "timestamp": f"{raised_alert_timestamp}" + } } ]) - # Check that alert has been raised and save timestamp - raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - error_message='The alert has not occurred').result() - raised_alert_timestamp = raised_alert.group(1) - raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') - # Get indexed alert response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) indexed_alert = json.dumps(response.json()) @@ -75,10 +79,3 @@ def test_yara_integration(configure_environment, metadata, get_dashboard_credent # Check that the alert data is the expected one alert_data = re.search(expected_indexed_alert, indexed_alert) assert alert_data is not None, 'Alert triggered, but not indexed' - - # Get indexed alert timestamp - indexed_alert_timestamp = alert_data.group(1) - indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), '%Y-%m-%d %H:%M:%S') - - # Check that alert has been indexed (checking that the timestamp is the expected one) - assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' 
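Review bot: After this hunk the regex is the only check on the returned data, and it is loose: `.+level.+{rule_level}.+` with level 12 also accepts `"level": 112` or any later `12` in the serialized response, and `{data_yara_rule}` and `{rule_id}` are interpolated without `re.escape`. Tighten at least the level, e.g. `fr".+yara_rule\": \"{data_yara_rule}\".+level\": {rule_level}\b.+id.+{rule_id}.+"`, or read `rule.level`, `rule.id` and `data.yara_rule` from the hit's `_source` and compare them directly now that the `term` on `timestamp` narrows the query to the raised alert. `datetime` and `parse_date_time_format` are left imported but unused by this hunk; the following commit in the series removes them. The function starts above this hunk.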
From 0abc9788956f81a57e334d350532d0deb5ee034b Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Wed, 20 Jul 2022 15:51:24 -0300 Subject: [PATCH 227/552] cherry-pick 2d8c31b and E2E test Yara integration updated. #3085 --- tests/end_to_end/conftest.py | 15 +++++++-------- .../data/playbooks/configuration.yaml | 2 +- .../data/playbooks/generate_events.yaml | 2 +- .../test_cases/cases_yara_integration.yaml | 4 +++- .../test_yara_integration.py | 19 ++++++++++++------- 5 files changed, 24 insertions(+), 18 deletions(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 1d01defb3c..ce74a4d9e1 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -87,13 +87,14 @@ def configure_environment(request): @pytest.fixture(scope='function') -def generate_events(request, metadata): +def generate_events(request, metadata, configuration): """Fixture to generate events. Execute the playbooks declared in the test to generate events. Args: request (fixture): Provide information on the executing test function. metadata (dict): Dictionary with test case metadata. + configuration (dict): Dictionary with test case configuration. """ inventory_playbook = request.config.getoption('--inventory_path') 
@@ -105,16 +106,14 @@ def generate_events(request, metadata): events_playbook_path = os.path.join(getattr(request.module, 'test_data_path'), 'playbooks', playbook) parameters = {'playbook': events_playbook_path, 'inventory': inventory_playbook} - # Check if the test case has extra variables to pass to the playbook and add them to the parameters in that case - # Also, add the module extra vars if it is configured. - module_extra_vars = getattr(request.module, 'configuration_extra_vars', None) if 'extra_vars' in metadata: parameters.update({'extravars': metadata['extra_vars']}) - if module_extra_vars is not None: - parameters['extravars'].update(module_extra_vars) - elif module_extra_vars is not None: - parameters.update({'extravars': module_extra_vars}) + if configuration is not None: + if 'extra_vars' not in metadata: + parameters.update({'extravars': configuration}) + else: + parameters['extravars'].update(configuration) ansible_runner.run(**parameters) diff --git a/tests/end_to_end/test_yara_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_yara_integration/data/playbooks/configuration.yaml index 80721a883c..1db025bbfb 100644 --- a/tests/end_to_end/test_yara_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_yara_integration/data/playbooks/configuration.yaml @@ -132,7 +132,7 @@ - name: Copy the Yara script copy: - src: "{{ yara_script }}" + src: "{{ YARA_SCRIPT }}" dest: /var/ossec/active-response/bin/ owner: root group: wazuh diff --git a/tests/end_to_end/test_yara_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_yara_integration/data/playbooks/generate_events.yaml index 24236ecb0f..bec3e139a3 100644 --- a/tests/end_to_end/test_yara_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_yara_integration/data/playbooks/generate_events.yaml 
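Review bot: The new `if configuration is not None:` branch gives `configuration` keys precedence over same-named keys in `metadata['extra_vars']` (the later `update` wins), and the docstring added in the previous hunk does not say so; add `Keys in configuration override entries of metadata['extra_vars'] with the same name.` to the Args description. Note also that `parameters['extravars']` is the `metadata['extra_vars']` dict itself, so the update mutates the test-case metadata in place; `parameters.update({'extravars': dict(metadata['extra_vars'])})` avoids that. `generate_events` starts in the previous hunk, outside this one.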
@@ -9,7 +9,7 @@ shell: echo "" > {{ alerts_path }} - name: Download malware and run scan - script: "{{ malware_downloader_script }}" + script: "{{ MALWARE_DOWNLOADER_SCRIPT }}" - name: Wait for alerts to be generated wait_for: diff --git a/tests/end_to_end/test_yara_integration/data/test_cases/cases_yara_integration.yaml b/tests/end_to_end/test_yara_integration/data/test_cases/cases_yara_integration.yaml index b1ee42a162..ba162b87a5 100644 --- a/tests/end_to_end/test_yara_integration/data/test_cases/cases_yara_integration.yaml +++ b/tests/end_to_end/test_yara_integration/data/test_cases/cases_yara_integration.yaml @@ -1,6 +1,8 @@ - name: Run Yara scan to detect malware description: Test the detection of a trojaned file - configuration_parameters: null + configuration_parameters: + YARA_SCRIPT: CUSTOM_YARA_SCRIPT_PATH + MALWARE_DOWNLOADER_SCRIPT: CUSTOM_MALWARE_SCRIPT_PATH metadata: rule.id: 108001 rule.level: 12 diff --git a/tests/end_to_end/test_yara_integration/test_yara_integration.py b/tests/end_to_end/test_yara_integration/test_yara_integration.py index e555d6fdfc..422a7a28f2 100644 --- a/tests/end_to_end/test_yara_integration/test_yara_integration.py +++ b/tests/end_to_end/test_yara_integration/test_yara_integration.py @@ -2,10 +2,8 @@ import json import re import pytest -from datetime import datetime from tempfile import gettempdir -from wazuh_testing.tools.time import parse_date_time_format from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config 
@@ -14,23 +12,30 @@ test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') test_cases_path = os.path.join(test_data_path, 'test_cases') test_cases_file_path = os.path.join(test_cases_path, 'cases_yara_integration.yaml') -yara_script = os.path.join(test_data_path, 'configuration', 'yara.sh') -malware_downloader_script = os.path.join(test_data_path, 'configuration', 'malware_downloader.sh') alerts_json = os.path.join(gettempdir(), 'alerts.json') # Playbooks configuration_playbooks = ['configuration.yaml'] events_playbooks = ['generate_events.yaml'] teardown_playbooks = ['teardown.yaml'] -configuration_extra_vars = {'yara_script': yara_script, 'malware_downloader_script': malware_downloader_script} # Configuration configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) -@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) +# Custom paths +yara_script = os.path.join(test_data_path, 'configuration', 'yara.sh') +malware_downloader_script = os.path.join(test_data_path, 'configuration', 'malware_downloader.sh') + +# Update configuration with custom paths +configurations = config.update_configuration_template(configurations, + ['CUSTOM_YARA_SCRIPT_PATH', 'CUSTOM_MALWARE_SCRIPT_PATH'], + [yara_script, malware_downloader_script]) + + +@pytest.mark.parametrize('configuration,metadata', zip(configurations, configuration_metadata), ids=cases_ids) @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -def test_yara_integration(configure_environment, metadata, get_dashboard_credentials, generate_events, +def test_yara_integration(configure_environment, configuration, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): rule_description = metadata['rule.description'] rule_id = metadata['rule.id'] From df2a57b36e82d86c756ab4da90e286cc955d3799 Mon Sep 17 00:00:00 2001 
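Review bot: `test_yara_integration` still has no docstring, and the new `configuration` parameter makes the contract harder to read from the signature alone; a Google-style docstring like the conftest fixtures use, with a one-line purpose and an `Args:` list naming `configuration` (the substituted `configuration_parameters` of the case) and `metadata` (the case metadata with the `rule.*` keys) alongside the fixtures, would do. Separately, `zip(configurations, configuration_metadata)` truncates silently if the two lists ever differ in length while `ids=cases_ids` keeps the full list; `assert len(configurations) == len(configuration_metadata)` next to the `update_configuration_template` call turns that into a loud failure. The function body continues outside the hunk.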
From: Mauro Malara Date: Wed, 20 Jul 2022 16:12:01 -0300 Subject: [PATCH 228/552] fix: yara_script path moved to module extra vars. #3085 --- .../data/playbooks/configuration.yaml | 2 +- .../data/test_cases/cases_yara_integration.yaml | 1 - .../test_yara_integration/test_yara_integration.py | 12 ++++++------ 3 files changed, 7 insertions(+), 8 deletions(-) diff --git a/tests/end_to_end/test_yara_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_yara_integration/data/playbooks/configuration.yaml index 1db025bbfb..80721a883c 100644 --- a/tests/end_to_end/test_yara_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_yara_integration/data/playbooks/configuration.yaml @@ -132,7 +132,7 @@ - name: Copy the Yara script copy: - src: "{{ YARA_SCRIPT }}" + src: "{{ yara_script }}" dest: /var/ossec/active-response/bin/ owner: root group: wazuh diff --git a/tests/end_to_end/test_yara_integration/data/test_cases/cases_yara_integration.yaml b/tests/end_to_end/test_yara_integration/data/test_cases/cases_yara_integration.yaml index ba162b87a5..dd9cccfaa0 100644 --- a/tests/end_to_end/test_yara_integration/data/test_cases/cases_yara_integration.yaml +++ b/tests/end_to_end/test_yara_integration/data/test_cases/cases_yara_integration.yaml @@ -1,7 +1,6 @@ - name: Run Yara scan to detect malware description: Test the detection of a trojaned file configuration_parameters: - YARA_SCRIPT: CUSTOM_YARA_SCRIPT_PATH MALWARE_DOWNLOADER_SCRIPT: CUSTOM_MALWARE_SCRIPT_PATH metadata: rule.id: 108001 diff --git a/tests/end_to_end/test_yara_integration/test_yara_integration.py b/tests/end_to_end/test_yara_integration/test_yara_integration.py index 422a7a28f2..19ef9a0ce3 100644 --- a/tests/end_to_end/test_yara_integration/test_yara_integration.py +++ b/tests/end_to_end/test_yara_integration/test_yara_integration.py 
@@ -28,9 +28,9 @@ malware_downloader_script = os.path.join(test_data_path, 'configuration', 'malware_downloader.sh') # Update configuration with custom paths -configurations = config.update_configuration_template(configurations, - ['CUSTOM_YARA_SCRIPT_PATH', 'CUSTOM_MALWARE_SCRIPT_PATH'], - [yara_script, malware_downloader_script]) +configurations = config.update_configuration_template(configurations, ['CUSTOM_MALWARE_SCRIPT_PATH'], + [malware_downloader_script]) +configuration_extra_vars = {'yara_script': yara_script} @pytest.mark.parametrize('configuration,metadata', zip(configurations, configuration_metadata), ids=cases_ids) @@ -71,9 +71,9 @@ def test_yara_integration(configure_environment, configuration, metadata, get_da } }, { - "term": { - "timestamp": f"{raised_alert_timestamp}" - } + "term": { + "timestamp": f"{raised_alert_timestamp}" + } } ]) From 351853064ccf86e31a6979f07e5e6b2fdbddaf1f Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Wed, 20 Jul 2022 23:07:23 -0300 Subject: [PATCH 229/552] fix: create temp folder in configuration yaml --- .../data/playbooks/configuration.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/tests/end_to_end/test_vulnerability_detector/data/playbooks/configuration.yaml b/tests/end_to_end/test_vulnerability_detector/data/playbooks/configuration.yaml index 4c4c4d7926..8536f9d494 100644 --- a/tests/end_to_end/test_vulnerability_detector/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_vulnerability_detector/data/playbooks/configuration.yaml @@ -24,6 +24,17 @@ hosts: wazuh-windows tasks: + - name: Create temp folder + win_file: + path: C:\temp + state: directory + + - name: Copy ossec.conf + ansible.windows.win_copy: + src: C:\Program Files (x86)\ossec-agent\ossec.conf + dest: C:\temp + remote_src: yes + - name: Enable the agent module to collect installed packages (Windows) ansible.windows.win_shell: | Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" 
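Review bot: `configuration_extra_vars = {'yara_script': yara_script}` is a module-level value with no reader visible on this page: the only `request.module.configuration_extra_vars` lookup in this series was removed from `generate_events` in conftest.py (first hunk of this page), yet configuration.yaml in the same commit reads `{{ yara_script }}`, so whichever fixture runs the configuration playbooks must still pick the variable up. Worth confirming that `configure_environment` does, and adding `# Read by the configure_environment fixture and passed to the configuration playbooks as extra vars` above the assignment so the coupling is explicit rather than implied by a naming convention.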
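Review bot: The new `Copy ossec.conf` backup overwrites `C:\temp\ossec.conf` unconditionally (win_copy's `force` defaults to yes), so if a previous run was aborted after the agent config was modified but before teardown restored it, this task replaces the pristine backup with the already-modified file and the later restore in teardown.yaml writes the modified config back. Adding `force: false` to the `ansible.windows.win_copy` task keeps an existing backup intact; alternatively fail early with a `win_stat` check when the backup already exists. `C:\temp` is also the scratch directory the Windows test case downloads and executes an installer in, so a dedicated backup path would keep the config copy out of that working area.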
From 9e5158df0d731812125a685df0d28c7cf4f3754c Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Wed, 20 Jul 2022 23:08:23 -0300 Subject: [PATCH 230/552] fix: refactor generate events yaml --- .../data/playbooks/generate_events.yaml | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/tests/end_to_end/test_vulnerability_detector/data/playbooks/generate_events.yaml b/tests/end_to_end/test_vulnerability_detector/data/playbooks/generate_events.yaml index 3f1a6e2e9c..6109c5606d 100644 --- a/tests/end_to_end/test_vulnerability_detector/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_vulnerability_detector/data/playbooks/generate_events.yaml @@ -6,20 +6,20 @@ shell: echo "" > /var/ossec/logs/alerts/alerts.json become: true -- name: Generate events linux - hosts: wazuh-agent +- name: Generate events + hosts: agents + vars: + os: "{{ os }}" tasks: - - name: "{{ event_description_linux }}" + - name: "{{ event_description }}" become: true - command: "{{ command_linux }}" + command: "{{ command }}" + when: os == ansible_facts['distribution'] -- name: Generate events windows - hosts: wazuh-windows - tasks: - - - name: "{{ event_description_windows }}" - ansible.windows.win_shell: "{{ command_windows }}" + - name: "{{ event_description }}" + ansible.windows.win_shell: "{{ command }}" + when: os == ansible_facts['os_family'] - name: Wait alert hosts: wazuh-manager From 50b8bfccac4a8d86968c8312a76d406d9f104a98 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Wed, 20 Jul 2022 23:09:57 -0300 Subject: [PATCH 231/552] fix: added two test cases ubuntu and windows --- .../cases_vulnerability_detector.yaml | 26 +++++++++++++------ 1 file changed, 18 insertions(+), 8 deletions(-) diff --git a/tests/end_to_end/test_vulnerability_detector/data/test_cases/cases_vulnerability_detector.yaml b/tests/end_to_end/test_vulnerability_detector/data/test_cases/cases_vulnerability_detector.yaml index 2d263a2d14..7637d80797 100644 
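Review bot: The play-level `vars: os: "{{ os }}"` added to `Generate events` is self-referential: when `os` arrives as an extra var, as the test cases on this page supply it, the extra var takes precedence and the block does nothing, and when it does not, Ansible reports a recursive template rather than a clear undefined-variable error. Dropping the `vars:` block and letting the extra var be the single source is simpler; if a default is really wanted it has to come from a differently named variable. Both conditional tasks now run against every host in `agents`, so a mistyped `os` value skips both silently and the failure only surfaces later as a timeout in `Wait alert`; an `assert` task that `os` equals either `ansible_facts['distribution']` or `ansible_facts['os_family']` on at least one host would make that failure immediate.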
--- a/tests/end_to_end/test_vulnerability_detector/data/test_cases/cases_vulnerability_detector.yaml +++ b/tests/end_to_end/test_vulnerability_detector/data/test_cases/cases_vulnerability_detector.yaml @@ -1,16 +1,26 @@ -- name: detect_vulnerability - description: Detect vulnerability +- name: detect_vulnerability_ubuntu + description: Detect vim vulnerability configuration_parameters: null metadata: extra_vars: - event_description_linux: Install vulnerable vim package - command_linux: apt install -y vim=2:8.1.2269-1ubuntu5.7 - event_description_windows: Install vulnerable Mozilla package - command_windows: | + os: Ubuntu + event_description: Install vulnerable vim package + command: apt install -y vim=2:8.1.2269-1ubuntu5.7 + rule.id: 23505 + rule.level: 10 + rule.description: CVE-2022-1621 affects vim + +- name: detect_vulnerability_windows + description: Detect Mozilla Firefox vulnerability + configuration_parameters: null + metadata: + extra_vars: + os: Windows + event_description: Install vulnerable Mozilla package + command: | Invoke-WebRequest -Uri "https://ftp.mozilla.org/pub/firefox/releases/92.0/win64/en-US/Firefox Setup 92.0.exe" ` -OutFile "C:\temp\test.exe" Start-Process -Wait -FilePath "C:\temp\test.exe" -ArgumentList "/S" -PassThru rule.id: 23505 rule.level: 10 - rule.description_linux: CVE-2022-1621 affects vim - rule.description_windows: CVE-2021-30547 affects Mozilla Firefox \(x64 en-US\) + rule.description: CVE-2021-30547 affects Mozilla Firefox \(x64 en-US\) From 042087b6a5e452e63b51eba402508835b21dc6e3 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Wed, 20 Jul 2022 23:11:05 -0300 Subject: [PATCH 232/552] fix: added teardown to restore ossec config --- .../data/playbooks/teardown.yaml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/tests/end_to_end/test_vulnerability_detector/data/playbooks/teardown.yaml b/tests/end_to_end/test_vulnerability_detector/data/playbooks/teardown.yaml index 4085e54877..e9ec1257d9 100644 
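Review bot: The Windows case downloads `Firefox Setup 92.0.exe` with `Invoke-WebRequest` and immediately executes it with `Start-Process`, with no integrity check on the file, so a changed or corrupted download runs unnoticed on the agent host. Because the release is pinned, the expected digest is known up front; inserting `if ((Get-FileHash "C:\temp\test.exe" -Algorithm SHA256).Hash -ne "<EXPECTED_SHA256>") { throw "checksum mismatch" }` between the download and the `Start-Process` line (EXPECTED_SHA256 to be filled in from the vendor's published checksums) fails the case instead. The escapes in `rule.description` (`\(x64 en-US\)`) are intentional because test_vulnerability_detector.py interpolates the value into a regex; a `# regex fragment, consumed by re.search in test_vulnerability_detector.py` comment above the key would save the next reader the detour.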
--- a/tests/end_to_end/test_vulnerability_detector/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_vulnerability_detector/data/playbooks/teardown.yaml @@ -6,6 +6,13 @@ become: true command: apt-get remove vim -y + - name: Delete agent configuration + become: true + blockinfile: + path: /var/ossec/etc/ossec.conf + block: '' + marker: + - name: Cleanup environment hosts: wazuh-windows tasks: @@ -13,3 +20,19 @@ - name: Uninstall Mozilla Firefox vulnerable package ansible.windows.win_shell: | Start-Process "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" -ArgumentList "/S" -Wait + + - name: Restore ossec.conf without changes + ansible.windows.win_copy: + src: C:\temp\ossec.conf + dest: C:\Program Files (x86)\ossec-agent + remote_src: yes + + - name: Delete C:\temp folder + ansible.windows.win_file: + path: C:\temp + state: absent + + - name: Restart wazuh-agent (Windows) + ansible.windows.win_shell: | + net stop wazuh + net start wazuh \ No newline at end of file From 312a68fd7de4f557e0a86acb21bb6d0a8bbcd42a Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Wed, 20 Jul 2022 23:11:50 -0300 Subject: [PATCH 233/552] fix: change test to run with new framework changes --- .../test_vulnerability_detector.py | 67 ++++++++----------- 1 file changed, 29 insertions(+), 38 deletions(-) diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector.py b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector.py index 3ba9039b93..eeb9047c43 100644 --- a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector.py +++ b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector.py 
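Review bot: `Restore ossec.conf without changes` fails hard when `C:\temp\ossec.conf` does not exist (a run aborted before configuration.yaml made the backup), and because the play stops on that host, `Delete C:\temp folder` and `Restart wazuh-agent (Windows)` never run, leaving the agent in whatever state it was. Guarding the restore with a `win_stat` on the backup and a `when:` lets the remaining cleanup proceed regardless. In the first hunk the Linux play removes the configuration block with `blockinfile` but no agent restart is visible; if the restart lives outside the hunk this is fine, otherwise the Linux agent keeps running with the old configuration until something else restarts it.
```yaml
    - name: Check whether the ossec.conf backup exists
      ansible.windows.win_stat:
        path: C:\temp\ossec.conf
      register: ossec_conf_backup

    - name: Restore ossec.conf without changes
      ansible.windows.win_copy:
        src: C:\temp\ossec.conf
        dest: C:\Program Files (x86)\ossec-agent
        remote_src: yes
      when: ossec_conf_backup.stat.exists
# … unchanged: Delete C:\temp folder, Restart wazuh-agent (Windows) …
```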
@@ -23,7 +23,7 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -@pytest.mark.parametrize('metadata', configuration_metadata) +@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) def test_vulnerability_detector(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): """ 
@@ -31,47 +31,38 @@ def test_vulnerability_detector(configure_environment, metadata, get_dashboard_c """ rule_level = metadata['rule.level'] rule_id = metadata['rule.id'] - rule_descriptions = [metadata['rule.description_linux'], metadata['rule.description_windows']] + rule_description = metadata['rule.description'] - for rule_description in rule_descriptions: + expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)",' \ + fr'"rule"\:{{"level"\:{rule_level},' \ + fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' - expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)",' \ - fr'"rule"\:{{"level"\:{rule_level},' \ - fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' + expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \ + fr'.*"id": "{rule_id}".*' \ + r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' - expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \ - fr'.*"id": "{rule_id}".*' \ - r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' + # Check that alert has been raised and save timestamp + raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + error_message='The alert has not occurred').result() + raised_alert_timestamp = raised_alert.group(1) - rule_description = rule_description.replace('\\', '') - - # Check that alert has been raised and save timestamp - raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - error_message='The alert has not occurred').result() - raised_alert_timestamp = raised_alert.group(1) - - query = e2e.make_query([ - { - "term": { - "rule.id": f"{rule_id}" - } - }, - { - "term": { - "rule.description": f"{rule_description}" - } - }, - { - "term": { - "timestamp": f"{raised_alert_timestamp}" - } + query = e2e.make_query([ + { + "term": { + "rule.id": f"{rule_id}" + } + }, + { + "term": { + 
"timestamp": f"{raised_alert_timestamp}" } - ]) + } + ]) - # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) - indexed_alert = json.dumps(response.json()) + # Check if the alert has been indexed and get its data + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + indexed_alert = json.dumps(response.json()) - # Check that the alert data is the expected one - alert_data = re.search(expected_indexed_alert, indexed_alert) - assert alert_data is not None, 'Alert triggered, but not indexed' + # Check that the alert data is the expected one + alert_data = re.search(expected_indexed_alert, indexed_alert) + assert alert_data is not None, 'Alert triggered, but not indexed' From be80f7d5fc36592d8b881ece76940ab1cc1c36e1 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Wed, 20 Jul 2022 23:31:24 -0300 Subject: [PATCH 234/552] fix: linter errors --- .../data/playbooks/configuration.yaml | 2 +- .../data/playbooks/teardown.yaml | 4 ++-- .../test_vulnerability_detector.py | 10 +++++----- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/tests/end_to_end/test_vulnerability_detector/data/playbooks/configuration.yaml b/tests/end_to_end/test_vulnerability_detector/data/playbooks/configuration.yaml index 8536f9d494..8deb0ebb1a 100644 --- a/tests/end_to_end/test_vulnerability_detector/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_vulnerability_detector/data/playbooks/configuration.yaml @@ -33,7 +33,7 @@ ansible.windows.win_copy: src: C:\Program Files (x86)\ossec-agent\ossec.conf dest: C:\temp - remote_src: yes + remote_src: true - name: Enable the agent module to collect installed packages (Windows) ansible.windows.win_shell: | diff --git a/tests/end_to_end/test_vulnerability_detector/data/playbooks/teardown.yaml b/tests/end_to_end/test_vulnerability_detector/data/playbooks/teardown.yaml index e9ec1257d9..ad9b6a8c35 100644 
--- a/tests/end_to_end/test_vulnerability_detector/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_vulnerability_detector/data/playbooks/teardown.yaml @@ -25,7 +25,7 @@ ansible.windows.win_copy: src: C:\temp\ossec.conf dest: C:\Program Files (x86)\ossec-agent - remote_src: yes + remote_src: true - name: Delete C:\temp folder ansible.windows.win_file: @@ -35,4 +35,4 @@ - name: Restart wazuh-agent (Windows) ansible.windows.win_shell: | net stop wazuh - net start wazuh \ No newline at end of file + net start wazuh diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector.py b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector.py index eeb9047c43..d8a1c66ce3 100644 --- a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector.py +++ b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector.py @@ -34,16 +34,16 @@ def test_vulnerability_detector(configure_environment, metadata, get_dashboard_c rule_description = metadata['rule.description'] expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)",' \ - fr'"rule"\:{{"level"\:{rule_level},' \ - fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' + fr'"rule"\:{{"level"\:{rule_level},' \ + fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \ - fr'.*"id": "{rule_id}".*' \ - r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' + fr'.*"id": "{rule_id}".*' \ + r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' # Check that alert has been raised and save timestamp raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - error_message='The alert has not occurred').result() + error_message='The alert has not occurred').result() raised_alert_timestamp = raised_alert.group(1) query = e2e.make_query([ 
From dfae96744f56f507d8b4522cf909d1a6df5bf41f Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Thu, 21 Jul 2022 08:29:47 -0300 Subject: [PATCH 235/552] fix: requested changes applied. #3085 --- .../data/configuration/malware_downloader.sh | 18 ------------------ .../data/playbooks/configuration.yaml | 10 +--------- .../data/playbooks/generate_events.yaml | 6 +++++- .../data/playbooks/teardown.yaml | 10 ++++++++-- .../test_yara_integration.py | 1 - 5 files changed, 14 insertions(+), 31 deletions(-) diff --git a/tests/end_to_end/test_yara_integration/data/configuration/malware_downloader.sh b/tests/end_to_end/test_yara_integration/data/configuration/malware_downloader.sh index f7260ddacb..4b7b8fb6d1 100644 --- a/tests/end_to_end/test_yara_integration/data/configuration/malware_downloader.sh +++ b/tests/end_to_end/test_yara_integration/data/configuration/malware_downloader.sh 
@@ -19,21 +19,3 @@ echo "# Mirai: https://en.wikipedia.org/wiki/Mirai_(malware)" echo "Downloading malware sample..." fetch_sample "https://wazuh-demo.s3-us-west-1.amazonaws.com/mirai" "/tmp/yara/malware/mirai" && echo "Done!" || echo "Error while downloading." echo - -# Xbash -echo "# Xbash: https://unit42.paloaltonetworks.com/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/" -echo "Downloading malware sample..." -fetch_sample "https://wazuh-demo.s3-us-west-1.amazonaws.com/xbash" "/tmp/yara/malware/xbash" && echo "Done!" || echo "Error while downloading." -echo - -# VPNFilter -echo "# VPNFilter: https://news.sophos.com/en-us/2018/05/24/vpnfilter-botnet-a-sophoslabs-analysis/" -echo "Downloading malware sample..." -fetch_sample "https://wazuh-demo.s3-us-west-1.amazonaws.com/vpn_filter" "/tmp/yara/malware/vpn_filter" && echo "Done!" || echo "Error while downloading." -echo - -# Webshell -echo "# WebShell: https://github.com/SecWiki/WebShell-2/blob/master/Php/Worse%20Linux%20Shell.php" -echo "Downloading malware sample..." -fetch_sample "https://wazuh-demo.s3-us-west-1.amazonaws.com/webshell" "/tmp/yara/malware/webshell" && echo "Done!" || echo "Error while downloading." -echo diff --git a/tests/end_to_end/test_yara_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_yara_integration/data/playbooks/configuration.yaml index 80721a883c..5e673c7aa8 100644 --- a/tests/end_to_end/test_yara_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_yara_integration/data/playbooks/configuration.yaml @@ -68,6 +68,7 @@ blockinfile: path: /var/ossec/etc/ossec.conf insertafter: + marker: block: | /tmp/yara/malware 
@@ -121,15 +122,6 @@ path: /tmp/yara/malware state: directory - - name: Download Mirai malware - uri: - url: https://wazuh-demo.s3-us-west-1.amazonaws.com/mirai - follow_redirects: all - dest: /tmp/yara/malware/mirai - - - name: Run Yara scan - shell: yara /tmp/yara/rules/yara_rules.yar /tmp/yara/malware/mirai - - name: Copy the Yara script copy: src: "{{ yara_script }}" diff --git a/tests/end_to_end/test_yara_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_yara_integration/data/playbooks/generate_events.yaml index bec3e139a3..425a253d32 100644 --- a/tests/end_to_end/test_yara_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_yara_integration/data/playbooks/generate_events.yaml @@ -8,7 +8,11 @@ - name: Truncate alerts file shell: echo "" > {{ alerts_path }} - - name: Download malware and run scan + - name: Wait for Wazuh to initilize correctly + wait_for: + timeout: 10 + + - name: Download malware script: "{{ MALWARE_DOWNLOADER_SCRIPT }}" - name: Wait for alerts to be generated diff --git a/tests/end_to_end/test_yara_integration/data/playbooks/teardown.yaml b/tests/end_to_end/test_yara_integration/data/playbooks/teardown.yaml index 5625770bd3..2671bac892 100644 --- a/tests/end_to_end/test_yara_integration/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_yara_integration/data/playbooks/teardown.yaml @@ -21,12 +21,18 @@ marker: state: absent + - name: Remove the syscheck configuration + blockinfile: + path: /var/ossec/etc/ossec.conf + marker: + state: absent + - name: Remove the directory with malware file: path: /tmp/yara/ state: absent - - name: Remove the Yara script + - name: Remove the Yara active-response script file: - path: /tmp/yara_script.sh + path: /var/ossec/active-response/bin/yara.sh state: absent diff --git a/tests/end_to_end/test_yara_integration/test_yara_integration.py b/tests/end_to_end/test_yara_integration/test_yara_integration.py index 19ef9a0ce3..644370ae07 100644 
--- a/tests/end_to_end/test_yara_integration/test_yara_integration.py +++ b/tests/end_to_end/test_yara_integration/test_yara_integration.py @@ -22,7 +22,6 @@ # Configuration configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) - # Custom paths yara_script = os.path.join(test_data_path, 'configuration', 'yara.sh') malware_downloader_script = os.path.join(test_data_path, 'configuration', 'malware_downloader.sh') From 4bc0dcd4b3c3176336ec3cf52c1136d0ee6a7f91 Mon Sep 17 00:00:00 2001 From: Julia Date: Thu, 21 Jul 2022 16:58:29 +0200 Subject: [PATCH 236/552] fix: Change the handling of failed responses. --- .../wazuh_testing/end_to_end/__init__.py | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py b/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py index 36c673854d..ce505d7279 100644 --- a/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py +++ b/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py @@ -29,6 +29,9 @@ def get_alert_indexer_api(query, credentials, ip_address='wazuh-manager', index= auth=requests.auth.HTTPBasicAuth(credentials['user'], credentials['password'])) if '"hits" : [ ]' in response.text: raise Exception('Alert not indexed') + else: + assert response.status_code == HTTPStatus.OK, "The request wasn't successful. " \ + f"Actual response: {response.text}" return response 
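Review bot: The new `else:` branch in `get_alert_indexer_api` reports a failed request with `assert`, while the empty-hits case one line above raises `Exception`; `assert` is stripped under `python -O`, and this is library code in `wazuh_testing`, so callers would then receive a parsed non-200 body instead of a failure. Raising keeps the two error paths consistent: `if response.status_code != HTTPStatus.OK:` / `    raise Exception(f"The request wasn't successful. Actual response: {response.text}")`. Checking the status before searching the body for `"hits" : [ ]` would also report the real cause first, since an error body cannot contain hits. The function's signature and docstring are outside the hunk.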
@@ -47,20 +50,12 @@ def delete_index_api(credentials, ip_address='wazuh-manager', index='wazuh-alert obj(class): `Response ` object obj(class): `NoneType` object """ - get_indices_route = f"_cat/indices/{index}" url = f"https://{ip_address}:9200/" authorization = requests.auth.HTTPBasicAuth(credentials['user'], credentials['password']) - response = requests.get(url=url+get_indices_route, params={'pretty': 'true'}, verify=False, auth=authorization) - assert response.status_code == HTTPStatus.OK, 'The index(es) have not been obtained successfully.' \ - f"Actual response {response.status_code}" - - if response.text == '': - return None - response = requests.delete(url=url+index, params={'pretty': 'true'}, verify=False, auth=authorization) - assert response.status_code == HTTPStatus.OK, 'The index(es) have not been deleted successfully.' \ - f"Actual response {response.status_code}" + assert response.status_code == HTTPStatus.OK, 'The index(es) have not been deleted successfully. ' \ + f"Actual response {response.text}" return response From b33d79a3de0955a780a0f7751de1ab7c7efd4bf0 Mon Sep 17 00:00:00 2001 From: Julia Date: Thu, 21 Jul 2022 17:00:00 +0200 Subject: [PATCH 237/552] fix: Move extra vars from configuration to metadata --- tests/end_to_end/conftest.py | 5 ----- .../data/test_cases/cases_yara_integration.yaml | 5 +++-- .../test_yara_integration/test_yara_integration.py | 4 ++-- 3 files changed, 5 insertions(+), 9 deletions(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index ce74a4d9e1..8c5fb9c858 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py 
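Review bot: The return section of the docstring, visible as context at the top of the hunk, still lists `obj(class): `NoneType` object`, but the only path that returned `None` (the empty `_cat/indices` response) is removed here, so `delete_index_api` now always returns the `Response` or fails the assertion; drop the `NoneType` line. Behaviour also changed: deleting an index that does not exist previously returned `None` and now trips the status assertion on the 404, which deserves a sentence in the docstring if the fixture calling this can run before any alert has been indexed.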
@@ -109,11 +109,6 @@ def generate_events(request, metadata, configuration): # Check if the test case has extra variables to pass to the playbook and add them to the parameters in that case if 'extra_vars' in metadata: parameters.update({'extravars': metadata['extra_vars']}) - if configuration is not None: - if 'extra_vars' not in metadata: - parameters.update({'extravars': configuration}) - else: - parameters['extravars'].update(configuration) ansible_runner.run(**parameters) diff --git a/tests/end_to_end/test_yara_integration/data/test_cases/cases_yara_integration.yaml b/tests/end_to_end/test_yara_integration/data/test_cases/cases_yara_integration.yaml index dd9cccfaa0..5d3f46abb3 100644 --- a/tests/end_to_end/test_yara_integration/data/test_cases/cases_yara_integration.yaml +++ b/tests/end_to_end/test_yara_integration/data/test_cases/cases_yara_integration.yaml @@ -1,8 +1,9 @@ - name: Run Yara scan to detect malware description: Test the detection of a trojaned file - configuration_parameters: - MALWARE_DOWNLOADER_SCRIPT: CUSTOM_MALWARE_SCRIPT_PATH + configuration_parameters: null metadata: + extra_vars: + MALWARE_DOWNLOADER_SCRIPT: CUSTOM_MALWARE_SCRIPT_PATH rule.id: 108001 rule.level: 12 rule.description: 'File \\"/tmp/yara/malware/mirai\\" is a positive match. Yara rule: Mirai_Botnet_Malware_RID2EF6' diff --git a/tests/end_to_end/test_yara_integration/test_yara_integration.py b/tests/end_to_end/test_yara_integration/test_yara_integration.py index 644370ae07..ef2098cfd0 100644 --- a/tests/end_to_end/test_yara_integration/test_yara_integration.py +++ b/tests/end_to_end/test_yara_integration/test_yara_integration.py 
@@ -27,8 +27,8 @@ malware_downloader_script = os.path.join(test_data_path, 'configuration', 'malware_downloader.sh') # Update configuration with custom paths -configurations = config.update_configuration_template(configurations, ['CUSTOM_MALWARE_SCRIPT_PATH'], - [malware_downloader_script]) +configuration_metadata = config.update_configuration_template(configuration_metadata, ['CUSTOM_MALWARE_SCRIPT_PATH'], + [malware_downloader_script]) configuration_extra_vars = {'yara_script': yara_script} From 7180a78c5258d2d3a27a5cc1b00a8cbe23c9e1fe Mon Sep 17 00:00:00 2001 From: Julia Date: Thu, 21 Jul 2022 17:00:34 +0200 Subject: [PATCH 238/552] fix: Increase timeout --- .../data/playbooks/generate_events.yaml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/tests/end_to_end/test_yara_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_yara_integration/data/playbooks/generate_events.yaml index 425a253d32..36e2085d30 100644 --- a/tests/end_to_end/test_yara_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_yara_integration/data/playbooks/generate_events.yaml @@ -8,16 +8,12 @@ - name: Truncate alerts file shell: echo "" > {{ alerts_path }} - - name: Wait for Wazuh to initilize correctly - wait_for: - timeout: 10 - - name: Download malware script: "{{ MALWARE_DOWNLOADER_SCRIPT }}" - name: Wait for alerts to be generated wait_for: - timeout: 10 + timeout: 15 - name: Get alerts.json fetch: From 26796847ffa2f9f96af06a12917913b8609ebf09 Mon Sep 17 00:00:00 2001 From: Julia Date: Thu, 21 Jul 2022 17:10:31 +0200 Subject: [PATCH 239/552] fix: Remove unused configuration --- tests/end_to_end/conftest.py | 3 +-- .../end_to_end/test_yara_integration/test_yara_integration.py | 4 ++-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 8c5fb9c858..4cdfadf631 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py 
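Review bot: `config.update_configuration_template(configuration_metadata, ...)` now has to find `CUSTOM_MALWARE_SCRIPT_PATH` nested under `metadata.extra_vars`, where the cases file in this commit moves it, whereas before it worked on the flat `configuration_parameters` mapping; worth confirming the helper substitutes inside nested dicts, otherwise the playbook receives the literal placeholder. A comment on the call, `# Replace the CUSTOM_* placeholders inside metadata['extra_vars'] with local paths`, would record that expectation for the next reader.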
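Review bot: `wait_for` with only `timeout: 15` is an unconditional sleep, so raising it from 10 narrows the race between `Download malware` and `Get alerts.json` without removing it, and the initialisation wait removed above had the same shape. Waiting on the observable condition instead — `wait_for:` with `path: "{{ alerts_path }}"`, `search_regex:` set to a stable fragment of the expected description, and `timeout` as the upper bound — returns as soon as the alert is written and fails with a clear message when it never appears.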
@@ -87,14 +87,13 @@ def configure_environment(request): @pytest.fixture(scope='function') -def generate_events(request, metadata, configuration): +def generate_events(request, metadata): """Fixture to generate events. Execute the playbooks declared in the test to generate events. Args: request (fixture): Provide information on the executing test function. metadata (dict): Dictionary with test case metadata. - configuration (dict): Dictionary with test case configuration. """ inventory_playbook = request.config.getoption('--inventory_path') diff --git a/tests/end_to_end/test_yara_integration/test_yara_integration.py b/tests/end_to_end/test_yara_integration/test_yara_integration.py index ef2098cfd0..af6edf3661 100644 --- a/tests/end_to_end/test_yara_integration/test_yara_integration.py +++ b/tests/end_to_end/test_yara_integration/test_yara_integration.py @@ -32,9 +32,9 @@ configuration_extra_vars = {'yara_script': yara_script} -@pytest.mark.parametrize('configuration,metadata', zip(configurations, configuration_metadata), ids=cases_ids) +@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -def test_yara_integration(configure_environment, configuration, metadata, get_dashboard_credentials, generate_events, +def test_yara_integration(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): rule_description = metadata['rule.description'] rule_id = metadata['rule.id'] From d2ca13f7bcfc7d5fe6725099cc7865503d23ad83 Mon Sep 17 00:00:00 2001 From: Julia Date: Thu, 21 Jul 2022 17:13:21 +0200 Subject: [PATCH 240/552] fix: Fix comment --- tests/end_to_end/test_yara_integration/test_yara_integration.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/test_yara_integration/test_yara_integration.py b/tests/end_to_end/test_yara_integration/test_yara_integration.py index af6edf3661..10bebdff18 100644 
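Review bot: With the parametrize reduced to `metadata`, the `configurations` list unpacked from `config.get_test_cases_data` at module level (context in earlier hunks of this file) has no remaining reader; binding it to `_` in that unpacking, `_, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path)`, keeps a linter quiet and stops a reader looking for its use. The conftest hunk in the same commit drops the matching `configuration` argument from `generate_events`, so the two changes are consistent.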
--- a/tests/end_to_end/test_yara_integration/test_yara_integration.py +++ b/tests/end_to_end/test_yara_integration/test_yara_integration.py @@ -76,7 +76,7 @@ def test_yara_integration(configure_environment, metadata, get_dashboard_credent } ]) - # Get indexed alert + # Check if the alert has been indexed and get its data response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) indexed_alert = json.dumps(response.json()) From 492eb5de010fb1c48921bfead91e7200a3e4e3ca Mon Sep 17 00:00:00 2001 From: Julia Date: Thu, 21 Jul 2022 17:33:34 +0200 Subject: [PATCH 241/552] fix: Change extra vars from configuration to metadata --- tests/end_to_end/conftest.py | 8 +------- .../cases_aws_infrastructure_monitoring.yaml | 4 ++-- .../test_aws_infrastructure_monitoring.py | 12 ++++++------ 3 files changed, 9 insertions(+), 15 deletions(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index ce28184c58..0466667b58 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -90,14 +90,13 @@ def configure_environment(request): @pytest.fixture(scope='function') -def generate_events(request, metadata, configuration): +def generate_events(request, metadata): """Fixture to generate events. Execute the playbooks declared in the test to generate events. Args: request (fixture): Provide information on the executing test function. metadata (dict): Dictionary with test case metadata. - configuration (dict): Dictionary with test case configuration. """ inventory_playbook = request.config.getoption('--inventory_path') 
@@ -112,11 +111,6 @@ def generate_events(request, metadata, configuration): # Check if the test case has extra variables to pass to the playbook and add them to the parameters in that case if 'extra_vars' in metadata: parameters.update({'extravars': metadata['extra_vars']}) - if configuration is not None: - if 'extra_vars' not in metadata: - parameters.update({'extravars': configuration}) - else: - parameters['extravars'].update(configuration) ansible_runner.run(**parameters) diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/data/test_cases/cases_aws_infrastructure_monitoring.yaml b/tests/end_to_end/test_aws_infrastructure_monitoring/data/test_cases/cases_aws_infrastructure_monitoring.yaml index 1b89233f4b..d76c5a88f2 100644 --- a/tests/end_to_end/test_aws_infrastructure_monitoring/data/test_cases/cases_aws_infrastructure_monitoring.yaml +++ b/tests/end_to_end/test_aws_infrastructure_monitoring/data/test_cases/cases_aws_infrastructure_monitoring.yaml @@ -3,11 +3,11 @@ AWS CloudTrail is a service used for auditing AWS accounts. It logs API calls (CloudTrail Event) stored for 90 days by default. There are 2 types of events: Management events (active by default) and data events. - configuration_parameters: - AWS_API_SCRIPT: CUSTOM_AWS_SCRIPT_PATH + configuration_parameters: null metadata: rule.id: 80202 rule.description: "AWS Cloudtrail: s3.amazonaws.com - CreateBucket." rule.level: 3 extra_vars: event_name: CreateBucket + AWS_API_SCRIPT: CUSTOM_AWS_SCRIPT_PATH diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py b/tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py index 12abb4752c..3cf92f1ef8 100644 --- a/tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py +++ b/tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py 
@@ -22,19 +22,19 @@ configuration_extra_vars = {'date': datetime.strftime(datetime.now(), '%Y-%b-%d').upper()} # Configuration -t1_configuration, metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) +configuration, metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) # Custom paths aws_api_script = os.path.join(test_data_path, 'configuration', 'aws_cloudtrail_event.py') # Update configuration with custom paths -t1_configuration = config.update_configuration_template(t1_configuration, ['CUSTOM_AWS_SCRIPT_PATH'], [aws_api_script]) +metadata = config.update_configuration_template(metadata, ['CUSTOM_AWS_SCRIPT_PATH'], [aws_api_script]) -@pytest.mark.parametrize('configuration,metadata', zip(t1_configuration, metadata), ids=cases_ids) +@pytest.mark.parametrize('metadata', metadata, ids=cases_ids) @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -def test_aws_infrastructure_monitoring(configuration, metadata, configure_environment, get_dashboard_credentials, - generate_events, clean_alerts_index): +def test_aws_infrastructure_monitoring(metadata, configure_environment, get_dashboard_credentials, generate_events, + clean_alerts_index): rule_description = metadata['rule.description'] rule_id = metadata['rule.id'] rule_level = metadata['rule.level'] @@ -69,7 +69,7 @@ def test_aws_infrastructure_monitoring(configuration, metadata, configure_enviro } ]) - # Get indexed alert + # Check if the alert has been indexed and get its data response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) indexed_alert = json.dumps(response.json()) From 269f0ef1a87f96125f29acb05044f82023eab408 Mon Sep 17 00:00:00 2001 
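Review bot: The module-level case list is now unpacked as `configuration, metadata, cases_ids = config.get_test_cases_data(test_cases_file_path)`, and the parametrize decorator then binds each per-case dict to the same name `metadata` inside `test_aws_infrastructure_monitoring`, so the module variable is shadowed and `configuration` is unpacked but never used. Every other end-to-end test in this series keeps the list as `configuration_metadata`; the same convention here (`configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path)`, `configuration_metadata = config.update_configuration_template(configuration_metadata, ['CUSTOM_AWS_SCRIPT_PATH'], [aws_api_script])`, `@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids)`) removes the shadowing and keeps the files consistent. The `CUSTOM_AWS_SCRIPT_PATH` placeholder now sits under `extra_vars` in the case file instead of at the top level of `configuration_parameters`, so it is worth confirming that `update_configuration_template` substitutes inside nested dicts; its implementation is not visible here.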
From: Julia Date: Thu, 21 Jul 2022 17:34:11 +0200 Subject: [PATCH 242/552] fix: Remove unused configuration --- tests/end_to_end/test_audit/test_audit.py | 2 +- tests/end_to_end/test_brute_force/test_brute_force.py | 4 ++-- .../test_detecting_suspicious_binaries.py | 6 +++--- .../test_docker_monitoring/test_docker_monitoring.py | 4 ++-- tests/end_to_end/test_netcat/test_netcat.py | 5 ++--- .../test_osquery_integration/test_osquery_integration.py | 4 ++-- .../test_shellshock_attack_detection.py | 6 +++--- tests/end_to_end/test_sql_injection/test_sql_injection.py | 5 ++--- .../test_virustotal_active_response.py | 5 ++--- .../test_virustotal_fim/test_virustotal_fim.py | 5 ++--- 10 files changed, 21 insertions(+), 25 deletions(-) diff --git a/tests/end_to_end/test_audit/test_audit.py b/tests/end_to_end/test_audit/test_audit.py index 516fe079a7..4503d72eb9 100644 --- a/tests/end_to_end/test_audit/test_audit.py +++ b/tests/end_to_end/test_audit/test_audit.py @@ -20,7 +20,7 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -@pytest.mark.parametrize('configuration,metadata', zip(configurations, configuration_metadata), ids=cases_ids) +@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) def test_audit(configure_environment, configuration, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): level = metadata['level'] diff --git a/tests/end_to_end/test_brute_force/test_brute_force.py b/tests/end_to_end/test_brute_force/test_brute_force.py index 59ad4395ec..ee1e8cb8d9 100644 --- a/tests/end_to_end/test_brute_force/test_brute_force.py +++ b/tests/end_to_end/test_brute_force/test_brute_force.py 
@@ -22,8 +22,8 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -@pytest.mark.parametrize('configuration,metadata', zip(configurations, configuration_metadata), ids=cases_ids) -def test_brute_force(configuration, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): +@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) +def test_brute_force(metadata, get_dashboard_credentials, generate_events, clean_alerts_index): """ Test to detect a SSH Brute Force attack """ diff --git a/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py b/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py index 88a831fdf5..3c633e341b 100644 --- a/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py +++ b/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py @@ -25,10 +25,10 @@ configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) -@pytest.mark.parametrize('configuration,metadata', zip(configurations, configuration_metadata), ids=cases_ids) +@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -def test_detecting_suspicious_binaries(configure_environment, configuration, metadata, get_dashboard_credentials, - generate_events, clean_alerts_index): +def test_detecting_suspicious_binaries(configure_environment, metadata, get_dashboard_credentials, generate_events, + clean_alerts_index): rule_description = metadata['rule.description'] rule_id = metadata['rule.id'] rule_level = metadata['rule.level'] diff --git a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py index 0d1d55aeca..eb65293a5d 100644 
--- a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py +++ b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py @@ -23,9 +23,9 @@ configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) -@pytest.mark.parametrize('configuration,metadata', zip(configurations, configuration_metadata), ids=cases_ids) +@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -def test_docker_monitoring(configure_environment, configuration, metadata, get_dashboard_credentials, generate_events, +def test_docker_monitoring(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): rule_description = metadata['rule.description'] rule_id = metadata['rule.id'] diff --git a/tests/end_to_end/test_netcat/test_netcat.py b/tests/end_to_end/test_netcat/test_netcat.py index 6b9a7bbb92..23e4d785f1 100644 --- a/tests/end_to_end/test_netcat/test_netcat.py +++ b/tests/end_to_end/test_netcat/test_netcat.py @@ -23,9 +23,8 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -@pytest.mark.parametrize('configuration,metadata', zip(configurations, configuration_metadata), ids=cases_ids) -def test_netcat(configure_environment, configuration, metadata, get_dashboard_credentials, generate_events, - clean_alerts_index): +@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) +def test_netcat(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): rule_level = metadata['rule.level'] rule_description = metadata['rule.description'] rule_id = metadata['rule.id'] diff --git a/tests/end_to_end/test_osquery_integration/test_osquery_integration.py b/tests/end_to_end/test_osquery_integration/test_osquery_integration.py index ae8a0e8af6..3fa1906a84 100644 
--- a/tests/end_to_end/test_osquery_integration/test_osquery_integration.py +++ b/tests/end_to_end/test_osquery_integration/test_osquery_integration.py @@ -22,8 +22,8 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -@pytest.mark.parametrize('configuration,metadata', zip(configurations, configuration_metadata), ids=cases_ids) -def test_osquery_integration(configure_environment, configuration, metadata, get_dashboard_credentials, generate_events, +@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) +def test_osquery_integration(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): rule_level = metadata['rule.level'] rule_description = metadata['rule.description'] diff --git a/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py b/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py index 5104686fd3..6d2795e752 100644 --- a/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py +++ b/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py @@ -20,9 +20,9 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -@pytest.mark.parametrize('configuration,metadata', zip(configurations, configuration_metadata), ids=cases_ids) -def test_shellshock_attack_detection(configure_environment, configuration, metadata, get_dashboard_credentials, - generate_events, clean_alerts_index): +@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) +def test_shellshock_attack_detection(configure_environment, metadata, get_dashboard_credentials, generate_events, + clean_alerts_index): rule_level = metadata['rule.level'] rule_description = metadata['rule.description'] rule_id = metadata['rule.id'] 
diff --git a/tests/end_to_end/test_sql_injection/test_sql_injection.py b/tests/end_to_end/test_sql_injection/test_sql_injection.py index 2396f92fca..1c3f0a39ff 100644 --- a/tests/end_to_end/test_sql_injection/test_sql_injection.py +++ b/tests/end_to_end/test_sql_injection/test_sql_injection.py @@ -20,9 +20,8 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -@pytest.mark.parametrize('configuration,metadata', zip(configurations, configuration_metadata), ids=cases_ids) -def test_sql_injection(configure_environment, configuration, metadata, get_dashboard_credentials, generate_events, - clean_alerts_index): +@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) +def test_sql_injection(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): """ Test to detect a SQL injection attack """ diff --git a/tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py b/tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py index b6551cc8d9..8c56e9ad44 100644 --- a/tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py +++ b/tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py @@ -22,9 +22,8 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -@pytest.mark.parametrize('configuration,metadata', zip(configurations, configuration_metadata), ids=cases_ids) -def test_virustotal(configure_environment, configuration, metadata, get_dashboard_credentials, generate_events, - clean_alerts_index): +@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) +def test_virustotal(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): """ Test to delete a malicious file detected by virustotal """ 
diff --git a/tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py b/tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py index 3434b9a0fd..90b133cd82 100644 --- a/tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py +++ b/tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py @@ -21,9 +21,8 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -@pytest.mark.parametrize('configuration,metadata', zip(configurations, configuration_metadata), ids=cases_ids) -def test_virustotal(configure_environment, configuration, metadata, get_dashboard_credentials, generate_events, - clean_alerts_index): +@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) +def test_virustotal(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): """ Test to scanning a file using FIM and then do a request to virustotal to check if it is malicious """ From ed67667ab49621be61bbca06efc07582b8a87bcd Mon Sep 17 00:00:00 2001 From: Julia Date: Thu, 21 Jul 2022 17:37:57 +0200 Subject: [PATCH 243/552] fix: Remove unused configuration in audit test --- tests/end_to_end/test_audit/test_audit.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tests/end_to_end/test_audit/test_audit.py b/tests/end_to_end/test_audit/test_audit.py index 4503d72eb9..f74b82233a 100644 --- a/tests/end_to_end/test_audit/test_audit.py +++ b/tests/end_to_end/test_audit/test_audit.py 
@@ -21,8 +21,7 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_audit(configure_environment, configuration, metadata, get_dashboard_credentials, generate_events, - clean_alerts_index): +def test_audit(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): level = metadata['level'] description = metadata['description'] rule_id = metadata['rule.id'] From 08c55d39793e23ab0872e5d7858c3ecbd8239256 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Rebollo=20P=C3=A9rez?= Date: Thu, 21 Jul 2022 16:38:44 +0100 Subject: [PATCH 244/552] add: add jinja templates for roles #3121 --- provisioning/roles/apache/schema.j2 | 23 ++ provisioning/roles/qa_framework/schema.j2 | 24 ++ .../roles/wauzh_environment/schema.j2 | 219 ++++++++++++++++++ 3 files changed, 266 insertions(+) create mode 100644 provisioning/roles/apache/schema.j2 create mode 100644 provisioning/roles/qa_framework/schema.j2 create mode 100644 provisioning/roles/wauzh_environment/schema.j2 diff --git a/provisioning/roles/apache/schema.j2 b/provisioning/roles/apache/schema.j2 new file mode 100644 index 0000000000..1f09d1381b --- /dev/null +++ b/provisioning/roles/apache/schema.j2 @@ -0,0 +1,23 @@ +{% macro expand_ansible_connection_attributes(attributes_map) %} +{% for attr_key, attr_value in attributes_map.items() %} +{{- attr_key }}: {{ attr_value }} +{% endfor %} +{%- endmacro -%} + +{% if apache is defined%} +apache: + hosts: + {%- for apache_key, apache_value in apache.items() %} + + apache{{ loop.index }}: + ansible_host: {{ apache_value['ip'] }} + {{ expand_ansible_connection_attributes(apache_value['connection_attributes']) | indent(6) }} + {%- endfor %} +{% endif %} + + +all: + vars: + # General ansible connection parameters + ansible_ssh_common_args: -o StrictHostKeyChecking=no + ansible_winrm_server_cert_validation: ignore 
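Review bot: The `all.vars` block at the end of this template unconditionally sets `ansible_ssh_common_args: -o StrictHostKeyChecking=no` and `ansible_winrm_server_cert_validation: ignore`, which turns off host-identity verification for every SSH and WinRM session the generated inventory drives; the same block is repeated verbatim in `provisioning/roles/qa_framework/schema.j2` and `provisioning/roles/wauzh_environment/schema.j2`. For ephemeral lab hosts that may be the intended trade-off, but since the inventory also carries the provisioning credentials, gating the two lines on an explicit opt-in variable and stating the scope in a comment above them (e.g. `# Host key / certificate verification disabled: only for throwaway test infrastructure`) keeps the choice visible. The `expand_ansible_connection_attributes` macro and this `all.vars` block are copied into all three templates; one shared include would avoid keeping three copies in sync.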
diff --git a/provisioning/roles/qa_framework/schema.j2 b/provisioning/roles/qa_framework/schema.j2 new file mode 100644 index 0000000000..c34218c18f --- /dev/null +++ b/provisioning/roles/qa_framework/schema.j2 @@ -0,0 +1,24 @@ +{% macro expand_ansible_connection_attributes(attributes_map) %} +{% for attr_key, attr_value in attributes_map.items() %} +{{- attr_key }}: {{ attr_value }} +{% endfor %} +{%- endmacro -%} + +{% if qa_framework is defined%} +qa_framework: + hosts: + {%- for qa_framework_key, qa_framework_value in qa_framework.items() %} + + qa_framework{{ loop.index }}: + ansible_host: {{ qa_framework_value['ip'] }} + {{ expand_ansible_connection_attributes(qa_framework_value['connection_attributes']) | indent(6) }} + qa_repository_reference: {{ qa_framework_value['qa_repository_reference'] }} + {%- endfor %} +{% endif %} + + +all: + vars: + # General ansible connection parameters + ansible_ssh_common_args: -o StrictHostKeyChecking=no + ansible_winrm_server_cert_validation: ignore diff --git a/provisioning/roles/wauzh_environment/schema.j2 b/provisioning/roles/wauzh_environment/schema.j2 new file mode 100644 index 0000000000..4cffed33e5 --- /dev/null +++ b/provisioning/roles/wauzh_environment/schema.j2 
@@ -0,0 +1,219 @@ +{% if vars['indexer'] is defined %} +{%- set indexer = vars['indexer'] -%} +{%- set last_indexer_node = indexer|length - 1-%} + +{% endif %} + +{% if vars['dashboard'] is defined %} +{%- set dashboard = vars['dashboard'] -%} +{%- set dashboard_node = last_indexer_node + 2 -%} +{% else %} +{%- set dashboard_node = last_indexer_node + 1-%} +{% endif %} + +{% if vars['manager'] is defined %} +{%- set manager = vars['manager'] -%} +{%- set master_node = dashboard_node + 1 -%} + + {% if manager['workers'] is not defined %} + {%- set workers = {} -%} + {% else %} + {%- set workers = vars['manager']['workers'] -%} + + {% endif %} +{% endif %} + +{% if vars['agent'] is defined %} +{%- set agent = vars['agent'] -%} +{% endif %} + +{% if vars['filebeat'] is defined %} +{%- set filebeat = vars['filebeat'] -%} +{% endif %} + +{% macro expand_ansible_connection_attributes(attributes_map) %} +{% for attr_key, attr_value in attributes_map.items() %} +{{- attr_key }}: {{ attr_value }} +{% endfor %} +{%- endmacro -%} + + +{% if indexer is defined%} +wi_cluster: + hosts: + {%- for indexer_key, indexer_value in indexer.items() %} + + wi{{ loop.index }}: + {{ expand_ansible_connection_attributes(indexer_value['connection_attributes']) | indent(6) }} + ansible_host: {{ indexer_value['ip'] }} + private_ip: {{ indexer_value['ip'] }} + {% endfor %} + + {% if dashboard is defined %} + dashboard: + ansible_host: {{ dashboard['ip'] }} + {{ expand_ansible_connection_attributes(dashboard['connection_attributes']) | indent(6) }} + private_ip: {{ dashboard['ip'] }} + dashboard_node_name: "node-{{ dashboard_node }}" + {% endif %} + + vars: + {% raw %} + indexer_network_host: "{{ private_ip }}" + {% endraw %} + + indexer_discovery_nodes: + + {% for indexer_key, indexer_value in indexer.items() %} + - "{{ indexer_value['ip'] }}" + {% endfor %} + + indexer_cluster_nodes: + + {% for indexer_key, indexer_value in indexer.items() %} + - "{{ indexer_value['ip'] }}" + {% endfor %} + + 
instances: + + {%- for indexer_key, indexer_value in indexer.items() %} + + node{{ loop.index }}: + name: node-{{loop.index}} + ip: "{{ indexer_value['ip'] }}" + role: indexer + {% endfor %} + + {%- if dashboard is defined %} + + node{{dashboard_node}}: + name: node-{{dashboard_node}} + ip: "{{ dashboard['ip'] }}" + role: dashboard + {% endif %} + + {%- if manager is defined %} + + node{{master_node}}: + name: node-{{master_node}} + ip: "{{ manager['master']['ip'] }}" + role: wazuh + node_type: master + + {%- for worker_key, worker_value in workers.items() %} + {% set real_node_index = master_node + loop.index %} + + node{{real_node_index}}: + name: node-{{real_node_index}} + ip: "{{ worker_value['ip'] }}" + role: wazuh + node_type: worker + {% endfor %} + {% endif %} +{% endif %} + + +{% if manager is defined -%} +manager: + hosts: + {%- if manager['master'] %} + + master: + ansible_host: {{ manager['master']['ip'] }} + {{ expand_ansible_connection_attributes(manager['master']['connection_attributes']) | indent(8) }} + private_ip: {{ manager['master']['ip'] }} + wazuh_manager_config: + cluster: + disable: 'no' + node_name: 'master' + node_type: 'master' + key: 'c98b62a9b6169ac5f67dae55ae4a9088' + nodes: + - "{{ manager['master']['ip'] }}" + hidden: 'no' + {%- endif -%} + + {%- for worker_key, worker_values in workers.items() %} + + worker{{loop.index}}: + ansible_host: {{ worker_values['ip'] }} + {{ expand_ansible_connection_attributes(worker_values['connection_attributes']) | indent(8) }} + private_ip: {{ worker_values['ip'] }} + wazuh_manager_config: + cluster: + disable: 'no' + node_name: "{{worker_key}}" + node_type: 'worker' + key: 'c98b62a9b6169ac5f67dae55ae4a9088' + nodes: + - "{{manager['master']['ip']}}" + hidden: 'no' + {% endfor %} + + +{% if filebeat is defined%} +filebeat: + hosts: + {%- for filebeat_key, filebeat_value in filebeat.items() %} + + filebeat{{ loop.index }}: + ansible_host: {{ filebeat_value['ip'] }} + {{ 
expand_ansible_connection_attributes(filebeat_value['connection_attributes']) | indent(6) }} + filebeat_node_name: node-{{ loop.index + master_node - 1 }} + {%- endfor %} + + vars: + filebeat_output_indexer_hosts: + - "{{ indexer['indexer1']['ip'] }}" +{%- endif -%} +{% endif %} + +{% if agent is defined%} + +agent: + hosts: + {% for agent_key, agent_value in agent.items() -%} + agent{{loop.index}}: + ansible_host: {{ agent_value['ip'] }} + {{ expand_ansible_connection_attributes(agent_value['connection_attributes']) | indent(6) }} + wazuh_managers: + - address: {{ agent_value['manager_ip'] }} + port: 1514 + protocol: tcp + api_port: 55000 + api_proto: 'http' + api_user: ansible + max_retries: 5 + retry_interval: 5 + {% endfor %} +{% endif %} + +all: + vars: + # General ansible connection parameters + ansible_ssh_common_args: -o StrictHostKeyChecking=no + ansible_winrm_server_cert_validation: ignore + # Custom Packages parameters + wazuh_custom_packages_installation_agent_enabled: true + wazuh_custom_packages_installation_manager_enabled: true + {% if custom_package_deb_agent is defined%} + wazuh_custom_packages_installation_agent_deb_url: {{ custom_package_deb_agent }} + {% endif %} + {% if custom_package_rpm_agent is defined%} + wazuh_custom_packages_installation_agent_rpm_url: {{ custom_package_rpm_agent }} + {% endif %} + {% if custom_pakckage_msi_agent is defined%} + wazuh_custom_packages_installation_agent_msi_url: {{ custom_pakckage_msi_agent}} + {% endif %} + {% if macos_agent_pkg is defined%} + macos_agent_pkg: {{ custom_package_macos_agent}} + {% endif %} + {% if solaris_agent_pkg is defined%} + solaris_agent_pkg: {{ custom_package_solaris_agent}} + {% endif %} + {% if custom_package_deb_manager is defined%} + wazuh_custom_packages_installation_manager_deb_url: {{ custom_package_deb_manager}} + {% endif %} + {% if wazuh_custom_packages_installation_manager_rpm_url is defined%} + wazuh_custom_packages_installation_manager_rpm_url: {{ 
custom_package_rpm_manager}} + {% endif %} From 565e3e912870bcd6e1735e995225a6888fbc9a61 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Fri, 22 Jul 2022 11:12:31 -0300 Subject: [PATCH 245/552] add: emotet test --- .../data/playbooks/configuration.yaml | 4 +- .../data/playbooks/generate_events.yaml | 20 ++++ .../data/test_cases/cases_emotet.yaml | 7 ++ tests/end_to_end/test_emotet/test_emotet.py | 95 ++++++++++--------- 4 files changed, 77 insertions(+), 49 deletions(-) diff --git a/tests/end_to_end/test_emotet/data/playbooks/configuration.yaml b/tests/end_to_end/test_emotet/data/playbooks/configuration.yaml index 59e547fde7..b76c347900 100644 --- a/tests/end_to_end/test_emotet/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_emotet/data/playbooks/configuration.yaml @@ -2,7 +2,7 @@ hosts: wazuh-windows tasks: - - name: Configure Wazuh to collect Sysmon events green_circle + - name: Configure Wazuh to collect Sysmon events ansible.windows.win_shell: | Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" @@ -14,7 +14,7 @@ - name: Copy trigger_emotet.exe in the agent ansible.windows.win_copy: src: "{{ emotet_file }}" - dest: C:\Temp\ + dest: C:\Users\Administrator\Desktop - name: Restart wazuh-agent (Windows) ansible.windows.win_shell: | diff --git a/tests/end_to_end/test_emotet/data/playbooks/generate_events.yaml b/tests/end_to_end/test_emotet/data/playbooks/generate_events.yaml index c597ad91da..425bee6a91 100644 --- a/tests/end_to_end/test_emotet/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_emotet/data/playbooks/generate_events.yaml 
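Review bot: The manager cluster key is hard-coded as `key: 'c98b62a9b6169ac5f67dae55ae4a9088'` for the master and for every worker, so every environment rendered from this template shares one cluster secret that is also committed to the repository; it should be taken from a per-environment variable supplied by the caller (for example `key: '{{ wazuh_cluster_key }}'`, name to be agreed) rather than baked into the template. Several `all.vars` guards test one variable and render another: `{% if macos_agent_pkg is defined%}` renders `custom_package_macos_agent`, the solaris block does the same, and `{% if wazuh_custom_packages_installation_manager_rpm_url is defined%}` guards a value read from `custom_package_rpm_manager`, so those URLs are only emitted when both names happen to be set; the msi guard also carries the `pakckage` typo on both sides. `last_indexer_node` is assigned only inside the `vars['indexer'] is defined` branch but is used unconditionally to compute `dashboard_node`, which presumably fails at render time when no indexer is supplied. The `{% if filebeat is defined%}` block is closed before the manager `{% endif %}`, so filebeat hosts are rendered only when a manager is defined; if that is deliberate (it does use `master_node`), a one-line comment saying so would save the next reader the trace.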
@@ -22,6 +22,26 @@ cd C:\Users\Administrator\Desktop ./trigger-emotet.exe + # - name: Accept pop up trigger-emotet.exe + # ansible.windows.win_shell: | + # $wshell = New-Object -ComObject wscript.shell; $wshell.AppActivate('trigger-emotet.exe'); Sleep 1; $wshell.SendKeys('%C'); $wshell.AppActivate('trigger-emotet.exe'); Sleep 1; $wshell.SendKeys('{ENTER}') + + # - name: Wait for next pop up + # ansible.windows.win_wait_for: + # timeout: 10 + + # - name: Accept second pop up trigger-emotet.exe + # ansible.windows.win_shell: | + # $wshell = New-Object -ComObject wscript.shell; $wshell.AppActivate('trigger-emotet.exe'); Sleep 1; $wshell.SendKeys('%C'); $wshell.AppActivate('trigger-emotet.exe'); Sleep 1; $wshell.SendKeys('{ENTER}') + + # - name: Wait for next pop up + # ansible.windows.win_wait_for: + # timeout: 5 + + # - name: Accept third pop up trigger-emotet.exe + # ansible.windows.win_shell: | + # $wshell = New-Object -ComObject wscript.shell; $wshell.AppActivate('trigger-emotet.exe'); Sleep 1; $wshell.SendKeys('%C'); $wshell.AppActivate('trigger-emotet.exe'); Sleep 1; $wshell.SendKeys('{ENTER}') + - name: Wait alert hosts: wazuh-manager tasks: diff --git a/tests/end_to_end/test_emotet/data/test_cases/cases_emotet.yaml b/tests/end_to_end/test_emotet/data/test_cases/cases_emotet.yaml index e69de29bb2..1c454f3b75 100644 --- a/tests/end_to_end/test_emotet/data/test_cases/cases_emotet.yaml +++ b/tests/end_to_end/test_emotet/data/test_cases/cases_emotet.yaml @@ -0,0 +1,7 @@ +- name: emotet_attack + description: Execute emotet attack and check generated alerts + configuration_parameters: null + metadata: + rule.id: 92151 + rule.level: 12 + rule.description: Binary loaded PowerShell automation library - Possible unmanaged Powershell execution by suspicious process diff --git a/tests/end_to_end/test_emotet/test_emotet.py b/tests/end_to_end/test_emotet/test_emotet.py index 2f6dd52e25..c5ccacb6cc 100644 --- a/tests/end_to_end/test_emotet/test_emotet.py 
+++ b/tests/end_to_end/test_emotet/test_emotet.py 
@@ -20,59 +20,60 @@ configuration_extra_vars = {'emotet_file': emotet_file_path} events_playbooks = ['generate_events.yaml'] +teardown_playbook = ['teardown_playbook.yaml'] wait_indexed_alert = 5 -#configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) +configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -#@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_emotet(generate_events): +@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) +def test_emotet(configure_environment, metadata, get_dashboard_credentials, generate_events, + clean_environment): """ Test to delete a malicious file detected by virustotal """ print('HOLAAAAAAAAAAAAA') - # rule_id = metadata['rule.id'] - # rule_level = metadata['rule.level'] - # rule_description = metadata['rule.description'] - # program = metadata['program'] - - # expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{rule_level},' \ - # fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' - - # expected_indexed_alert = fr'.*"program": "{program}".*"rule":.*"level": {rule_level},' \ - # fr'.*"description": "{rule_description}"' \ - # r'.*"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' - - # query = e2e.make_query([ - - # { - # "term": { - # "rule.id": f"{rule_id}" - # } - # } - # ]) - - # # Check that alert has been raised and save timestamp - # raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - # error_message='The alert has not occurred').result() - # raised_alert_timestamp = raised_alert.group(1) - # raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') - - # # Wait a few seconds for the alert to be indexed (alert.json -> filebeat -> 
wazuh-indexer) - # sleep(wait_indexed_alert) - - # # Get indexed alert - # response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) - # indexed_alert = json.dumps(response.json()) - - # # Check that the alert data is the expected one - # alert_data = re.search(expected_indexed_alert, indexed_alert) - # assert alert_data is not None, 'Alert triggered, but not indexed' - - # # Get indexed alert timestamp - # indexed_alert_timestamp = alert_data.group(1) - # indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), '%Y-%m-%d %H:%M:%S') - - # # Check that alert has been indexed (checking that the timestamp is the expected one) - # assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' + rule_id = metadata['rule.id'] + rule_level = metadata['rule.level'] + rule_description = metadata['rule.description'] + + expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{rule_level},' \ + fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' + + expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},' \ + fr'.*"description": "{rule_description}"' \ + r'.*"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' + + query = e2e.make_query([ + + { + "term": { + "rule.id": f"{rule_id}" + } + } + ]) + + # Check that alert has been raised and save timestamp + raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + error_message='The alert has not occurred').result() + raised_alert_timestamp = raised_alert.group(1) + raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') + + # Wait a few seconds for the alert to be indexed (alert.json -> filebeat -> wazuh-indexer) + sleep(wait_indexed_alert) + + # Get indexed alert + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + indexed_alert = 
json.dumps(response.json()) + + # Check that the alert data is the expected one + alert_data = re.search(expected_indexed_alert, indexed_alert) + assert alert_data is not None, 'Alert triggered, but not indexed' + + # Get indexed alert timestamp + indexed_alert_timestamp = alert_data.group(1) + indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), '%Y-%m-%d %H:%M:%S') + + # Check that alert has been indexed (checking that the timestamp is the expected one) + assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' From 12bb86def79159050c6a2dfb13a18b8308308117 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Fri, 22 Jul 2022 11:35:45 -0300 Subject: [PATCH 246/552] fix: changed confguration yaml --- .../test_emotet/data/playbooks/configuration.yaml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/tests/end_to_end/test_emotet/data/playbooks/configuration.yaml b/tests/end_to_end/test_emotet/data/playbooks/configuration.yaml index b76c347900..453e16d6e3 100644 --- a/tests/end_to_end/test_emotet/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_emotet/data/playbooks/configuration.yaml @@ -2,6 +2,17 @@ hosts: wazuh-windows tasks: + - name: Create temp folder + win_file: + path: C:\temp + state: directory + + - name: Copy ossec.conf + ansible.windows.win_copy: + src: C:\Program Files (x86)\ossec-agent\ossec.conf + dest: C:\temp + remote_src: true + - name: Configure Wazuh to collect Sysmon events ansible.windows.win_shell: | Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" @@ -14,7 +25,7 @@ - name: Copy trigger_emotet.exe in the agent ansible.windows.win_copy: src: "{{ emotet_file }}" - dest: C:\Users\Administrator\Desktop + dest: C:\temp - name: Restart wazuh-agent (Windows) ansible.windows.win_shell: | From dd6f427a143da796cd0288a4af418c56eebff2fb Mon Sep 17 00:00:00 2001 
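Review bot: The copy destination for `{{ emotet_file }}` moves to `dest: C:\temp`, but the generate_events playbook shown in the next commit still runs `cd C:\Users\Administrator\Desktop` before `./trigger-emotet.exe`, so unless that playbook is updated in a commit outside this view the sample is no longer in the directory it is executed from; the task name also says `trigger_emotet.exe` (underscore) while the executed name uses a hyphen. The new step copies the live agent configuration to `C:\temp` with `remote_src: true` before the following task appends to it; presumably the teardown playbook added later in the series restores from this copy, and a comment on the task (e.g. `# Backup ossec.conf so the teardown playbook can restore the original agent configuration`) would make that pairing explicit. `C:\temp` is a shared, unprotected location, so the backup and the sample should both be removed once the test has restored the configuration.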
From: Belen Valdivia Date: Fri, 22 Jul 2022 11:37:44 -0300 Subject: [PATCH 247/552] fix: deleted comment code --- .../data/playbooks/generate_events.yaml | 20 ------------------- 1 file changed, 20 deletions(-) diff --git a/tests/end_to_end/test_emotet/data/playbooks/generate_events.yaml b/tests/end_to_end/test_emotet/data/playbooks/generate_events.yaml index 425bee6a91..c597ad91da 100644 --- a/tests/end_to_end/test_emotet/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_emotet/data/playbooks/generate_events.yaml @@ -22,26 +22,6 @@ cd C:\Users\Administrator\Desktop ./trigger-emotet.exe - # - name: Accept pop up trigger-emotet.exe - # ansible.windows.win_shell: | - # $wshell = New-Object -ComObject wscript.shell; $wshell.AppActivate('trigger-emotet.exe'); Sleep 1; $wshell.SendKeys('%C'); $wshell.AppActivate('trigger-emotet.exe'); Sleep 1; $wshell.SendKeys('{ENTER}') - - # - name: Wait for next pop up - # ansible.windows.win_wait_for: - # timeout: 10 - - # - name: Accept second pop up trigger-emotet.exe - # ansible.windows.win_shell: | - # $wshell = New-Object -ComObject wscript.shell; $wshell.AppActivate('trigger-emotet.exe'); Sleep 1; $wshell.SendKeys('%C'); $wshell.AppActivate('trigger-emotet.exe'); Sleep 1; $wshell.SendKeys('{ENTER}') - - # - name: Wait for next pop up - # ansible.windows.win_wait_for: - # timeout: 5 - - # - name: Accept third pop up trigger-emotet.exe - # ansible.windows.win_shell: | - # $wshell = New-Object -ComObject wscript.shell; $wshell.AppActivate('trigger-emotet.exe'); Sleep 1; $wshell.SendKeys('%C'); $wshell.AppActivate('trigger-emotet.exe'); Sleep 1; $wshell.SendKeys('{ENTER}') - - name: Wait alert hosts: wazuh-manager tasks: From 4b62a41722ad671b7d60752605f330b6c4af476a Mon Sep 17 00:00:00 2001 
From: Belen Valdivia Date: Fri, 22 Jul 2022 11:38:25 -0300 Subject: [PATCH 248/552] fix: changed test to run with new framework updates --- tests/end_to_end/test_emotet/test_emotet.py | 55 +++++---------------- 1 file changed, 11 insertions(+), 44 deletions(-) diff --git a/tests/end_to_end/test_emotet/test_emotet.py b/tests/end_to_end/test_emotet/test_emotet.py index c5ccacb6cc..a88326c527 100644 --- a/tests/end_to_end/test_emotet/test_emotet.py +++ b/tests/end_to_end/test_emotet/test_emotet.py @@ -1,12 +1,7 @@ import os -import json -import re import pytest -from datetime import datetime from tempfile import gettempdir -from time import sleep -from wazuh_testing.tools.time import parse_date_time_format from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config 
@@ -20,60 +15,32 @@ configuration_extra_vars = {'emotet_file': emotet_file_path} events_playbooks = ['generate_events.yaml'] -teardown_playbook = ['teardown_playbook.yaml'] -wait_indexed_alert = 5 +teardown_playbooks = ['teardown.yaml'] +# Configuration configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_emotet(configure_environment, metadata, get_dashboard_credentials, generate_events, - clean_environment): +def test_vulnerability_detector(configure_environment, metadata, get_dashboard_credentials, generate_events, + clean_alerts_index): """ - Test to delete a malicious file detected by virustotal + Test to detect a vulnerability """ - print('HOLAAAAAAAAAAAAA') - rule_id = metadata['rule.id'] rule_level = metadata['rule.level'] + rule_id = metadata['rule.id'] rule_description = metadata['rule.description'] - expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{rule_level},' \ + expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)",' \ + fr'"rule"\:{{"level"\:{rule_level},' \ fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' - expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},' \ - fr'.*"description": "{rule_description}"' \ - r'.*"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' - - query = e2e.make_query([ - - { - "term": { - "rule.id": f"{rule_id}" - } - } - ]) + expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \ + fr'.*"id": "{rule_id}".*' \ + r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' # Check that alert has been raised and save timestamp raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, error_message='The alert has not occurred').result() 
raised_alert_timestamp = raised_alert.group(1) - raised_alert_timestamp = datetime.strptime(parse_date_time_format(raised_alert_timestamp), '%Y-%m-%d %H:%M:%S') - - # Wait a few seconds for the alert to be indexed (alert.json -> filebeat -> wazuh-indexer) - sleep(wait_indexed_alert) - - # Get indexed alert - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) - indexed_alert = json.dumps(response.json()) - - # Check that the alert data is the expected one - alert_data = re.search(expected_indexed_alert, indexed_alert) - assert alert_data is not None, 'Alert triggered, but not indexed' - - # Get indexed alert timestamp - indexed_alert_timestamp = alert_data.group(1) - indexed_alert_timestamp = datetime.strptime(parse_date_time_format(indexed_alert_timestamp), '%Y-%m-%d %H:%M:%S') - - # Check that alert has been indexed (checking that the timestamp is the expected one) - assert indexed_alert_timestamp == raised_alert_timestamp, 'Alert triggered, but not indexed' From 0a1baff9c8eae6249ace1427ebb17f1e96713b45 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Fri, 22 Jul 2022 11:38:54 -0300 Subject: [PATCH 249/552] add: teardown playbook --- .../test_emotet/data/playbooks/teardown.yaml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 tests/end_to_end/test_emotet/data/playbooks/teardown.yaml diff --git a/tests/end_to_end/test_emotet/data/playbooks/teardown.yaml b/tests/end_to_end/test_emotet/data/playbooks/teardown.yaml new file mode 100644 index 0000000000..73ebeef177 --- /dev/null +++ b/tests/end_to_end/test_emotet/data/playbooks/teardown.yaml 
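Review bot: The new function is named `test_vulnerability_detector` with the docstring "Test to detect a vulnerability" inside `tests/end_to_end/test_emotet/test_emotet.py`, which reads like a copy-paste from the vulnerability-detector test; this should stay `test_emotet` with a matching docstring, otherwise `-k emotet` selection and the report output are misleading. With the indexer lookup deleted, `expected_indexed_alert` and `raised_alert_timestamp` are now built and assigned but never read, so the test only proves the alert reached alerts.json, not that it was indexed. Either restore the `e2e.get_alert_indexer_api` check that consumes them, or drop the dead regex and assignment so a reader does not assume the indexing path is covered.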
@@ -0,0 +1,19 @@ +- name: Cleanup environment + hosts: wazuh-windows + tasks: + + - name: Restore ossec.conf without changes + ansible.windows.win_copy: + src: C:\temp\ossec.conf + dest: C:\Program Files (x86)\ossec-agent + remote_src: true + + - name: Delete C:\temp folder + ansible.windows.win_file: + path: C:\temp + state: absent + + - name: Restart wazuh-agent (Windows) + ansible.windows.win_shell: | + net stop wazuh + net start wazuh \ No newline at end of file From 9b08ad515cc245a21f721a818f335d24681afb72 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Mon, 25 Jul 2022 09:09:51 -0300 Subject: [PATCH 250/552] fix: python version modified (playbook) and repeated lines removed. #3079 --- tests/end_to_end/conftest.py | 3 --- .../data/playbooks/configuration.yaml | 2 +- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 0466667b58..4cdfadf631 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -24,9 +24,6 @@ def clean_alerts_index(get_dashboard_credentials): remove_file(alerts_json) e2e.delete_index_api(credentials=get_dashboard_credentials) - remove_file(alerts_json) - e2e.delete_index_api(credentials=get_dashboard_credentials) - @pytest.fixture(scope='module') def get_dashboard_credentials(request): diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml b/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml index a48c600406..6443f0e648 100644 --- a/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml @@ -30,4 +30,4 @@ name: wazuh-manager - name: Install boto3 python package (script dependency) - shell: python3.8 -m pip install boto3 + shell: python3 -m pip install boto3 From 1b4c4d88c3fb5114942f109e95daccdd907efcec Mon Sep 17 00:00:00 2001 
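Review bot: The cleanup tasks run strictly in sequence with no `ignore_errors` or `block`/`always`, so if `Restore ossec.conf without changes` fails (for example because `C:\temp\ossec.conf` was never staged by an aborted configuration run) the play stops before `Delete C:\temp folder` and the agent restart, leaving the test's staged material on the Windows host. Since the events playbook executes `trigger-emotet.exe` from `C:\Users\Administrator\Desktop`, that sample is also not removed by this teardown as far as the visible hunks show; add a `win_file` task with `state: absent` for it so a malware sample is not left behind on a shared lab host. For the restart, `ansible.windows.win_service: name: wazuh, state: restarted` is idempotent and reports failure, unlike `net stop`/`net start` in `win_shell` where a failed stop is masked by the following start. The file is also missing its trailing newline.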
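Review bot: `shell: python3 -m pip install boto3` pulls an unpinned package from PyPI onto the manager at test time, so the test's dependency set changes silently with each upstream release and the task is neither idempotent nor reported as changed/unchanged. Pin it and use the module: `ansible.builtin.pip: name: boto3==<tested version>, executable: pip3`. If the manager has no outbound internet in CI, the task should fail clearly rather than hang, so consider `environment`/`extra_args: --timeout 60` or vendoring the wheel. The enclosing play starts outside the hunk.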
From: Belen Valdivia Date: Mon, 25 Jul 2022 11:16:31 -0300 Subject: [PATCH 251/552] fix: renamed task in generate events yaml --- .../data/playbooks/generate_events.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/test_vulnerability_detector/data/playbooks/generate_events.yaml b/tests/end_to_end/test_vulnerability_detector/data/playbooks/generate_events.yaml index 6109c5606d..b90248b960 100644 --- a/tests/end_to_end/test_vulnerability_detector/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_vulnerability_detector/data/playbooks/generate_events.yaml @@ -25,7 +25,7 @@ hosts: wazuh-manager tasks: - - name: Wait for alert + - name: Waiting for vulnerability scan, alert reporting and indexing wait_for: timeout: 60 From 109b0d0be8e50a7c48b9bbe965db828efc4a1844 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Mon, 25 Jul 2022 15:22:46 -0300 Subject: [PATCH 252/552] add: added sysmon install --- .../data/playbooks/configuration.yaml | 21 +++++++++++++ .../data/playbooks/generate_events.yaml | 2 +- .../test_emotet/data/playbooks/teardown.yaml | 7 ++++- tests/end_to_end/test_emotet/test_emotet.py | 30 +++++++++++++++++-- 4 files changed, 55 insertions(+), 5 deletions(-) diff --git a/tests/end_to_end/test_emotet/data/playbooks/configuration.yaml b/tests/end_to_end/test_emotet/data/playbooks/configuration.yaml index 453e16d6e3..3eea6db91f 100644 --- a/tests/end_to_end/test_emotet/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_emotet/data/playbooks/configuration.yaml 
@@ -13,6 +13,27 @@ dest: C:\temp remote_src: true + - name: Install sysmon + ansible.windows.win_shell: | + Set-Location C:\temp + Write-Host "Location set $path" + Write-Host "Retrieving Sysmon..." + Invoke-WebRequest -Uri https://download.sysinternals.com/files/Sysmon.zip -Outfile Sysmon.zip + + - name: Unzip sysmon + ansible.windows.win_shell: | + Expand-Archive -Path C:\temp\Sysmon.zip -DestinationPath C:\temp\Sysmon + + - name: Copy Sysmon configuration file + ansible.windows.win_copy: + src: "{{ sysmon_config }}" + dest: C:\temp\Sysmon + + - name: Install sysmon + ansible.windows.win_shell: | + cd C:\temp\Sysmon + ./Sysmon64.exe -accepteula -i sysconfig.xml + - name: Configure Wazuh to collect Sysmon events ansible.windows.win_shell: | Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" diff --git a/tests/end_to_end/test_emotet/data/playbooks/generate_events.yaml b/tests/end_to_end/test_emotet/data/playbooks/generate_events.yaml index c597ad91da..676f380f49 100644 --- a/tests/end_to_end/test_emotet/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_emotet/data/playbooks/generate_events.yaml @@ -35,4 +35,4 @@ src: /var/ossec/logs/alerts/alerts.json dest: /tmp/ flat: true - become: true \ No newline at end of file + become: true diff --git a/tests/end_to_end/test_emotet/data/playbooks/teardown.yaml b/tests/end_to_end/test_emotet/data/playbooks/teardown.yaml index 73ebeef177..36957dc3b1 100644 --- a/tests/end_to_end/test_emotet/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_emotet/data/playbooks/teardown.yaml @@ -8,6 +8,11 @@ dest: C:\Program Files (x86)\ossec-agent remote_src: true + - name: Uninstall Sysmon + ansible.windows.win_shell: | + cd C:\temp\Sysmon + ./Sysmon64.exe -u force + - name: Delete C:\temp folder ansible.windows.win_file: path: C:\temp @@ -16,4 +21,4 @@ - name: Restart wazuh-agent (Windows) ansible.windows.win_shell: | net stop wazuh - net start wazuh \ No newline at end of file + net start wazuh 
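Review bot: `Invoke-WebRequest -Uri https://download.sysinternals.com/files/Sysmon.zip` followed by `./Sysmon64.exe -accepteula -i sysconfig.xml` downloads and runs a kernel-driver installer as an administrator with no integrity or version check, so the test inherits whatever the CDN serves and a TLS-interception or mirror compromise would execute arbitrary code on the agent. Replace the download with `ansible.windows.win_get_url` using `checksum:`/`checksum_algorithm: sha256` for a pinned Sysmon release, or at minimum gate the install on `(Get-AuthenticodeSignature .\Sysmon64.exe).Status -eq 'Valid'` and the expected signer before `-i`. Two tasks in this hunk share the name `Install sysmon`; rename the first to `Download sysmon` so run output and `--start-at-task` are unambiguous. `Write-Host "Location set $path"` references an undefined `$path` and prints "Location set " — use `(Get-Location)` or drop the line.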
diff --git a/tests/end_to_end/test_emotet/test_emotet.py b/tests/end_to_end/test_emotet/test_emotet.py index a88326c527..706a9f5947 100644 --- a/tests/end_to_end/test_emotet/test_emotet.py +++ b/tests/end_to_end/test_emotet/test_emotet.py @@ -1,4 +1,6 @@ +import json import os +import re import pytest from tempfile import gettempdir @@ -12,7 +14,8 @@ test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_emotet.yaml') configuration_playbooks = ['configuration.yaml'] emotet_file_path = os.path.join(test_data_path, 'emotet_file', 'trigger-emotet.exe') -configuration_extra_vars = {'emotet_file': emotet_file_path} +sysmon_config= os.path.join(test_data_path, 'sysmon_config', 'sysconfig.xml') +configuration_extra_vars = {'emotet_file': emotet_file_path, 'sysmon_config': sysmon_config} events_playbooks = ['generate_events.yaml'] teardown_playbooks = ['teardown.yaml'] @@ -23,10 +26,10 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_vulnerability_detector(configure_environment, metadata, get_dashboard_credentials, generate_events, +def test_emotet(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): """ - Test to detect a vulnerability + Test to detect an emotet attack """ rule_level = metadata['rule.level'] rule_id = metadata['rule.id'] 
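Review bot: `sysmon_config= os.path.join(test_data_path, 'sysmon_config', 'sysconfig.xml')` is missing the space before `=`, unlike every other module-level assignment in the file; write `sysmon_config = os.path.join(...)` so the file stays PEP 8 clean under the project's linter. Nothing else in this hunk changes behaviour.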
@@ -44,3 +47,24 @@ def test_vulnerability_detector(configure_environment, metadata, get_dashboard_c raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, error_message='The alert has not occurred').result() raised_alert_timestamp = raised_alert.group(1) + + query = e2e.make_query([ + { + "term": { + "rule.id": f"{rule_id}" + } + }, + { + "term": { + "timestamp": f"{raised_alert_timestamp}" + } + } + ]) + + # Check if the alert has been indexed and get its data + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + indexed_alert = json.dumps(response.json()) + + # Check that the alert data is the expected one + alert_data = re.search(expected_indexed_alert, indexed_alert) + assert alert_data is not None, 'Alert triggered, but not indexed' From d2cb555f8fb03e2245ad5a6ee9572ce1b148b5db Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Mon, 25 Jul 2022 15:24:34 -0300 Subject: [PATCH 253/552] add: sysmon config xml --- .../data/sysmon_config/sysconfig.xml | 1284 +++++++++++++++++ 1 file changed, 1284 insertions(+) create mode 100644 tests/end_to_end/test_emotet/data/sysmon_config/sysconfig.xml diff --git a/tests/end_to_end/test_emotet/data/sysmon_config/sysconfig.xml b/tests/end_to_end/test_emotet/data/sysmon_config/sysconfig.xml new file mode 100644 index 0000000000..2237e640e8 --- /dev/null +++ b/tests/end_to_end/test_emotet/data/sysmon_config/sysconfig.xml 
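Review bot: The indexer query is issued the instant the alert is seen in alerts.json, but the alerts.json → filebeat → wazuh-indexer path is asynchronous and the `sleep(wait_indexed_alert)` that used to cover it was removed in an earlier commit, so `'Alert triggered, but not indexed'` can fail spuriously on a slow pipeline unless the emotet `generate_events.yaml` already waits (not visible here). The HTTP status of `response` is also never checked before `.json()`, so an indexer error body would surface as a confusing regex mismatch rather than the real failure. I would poll with a bounded retry and assert the response status first; this needs `from time import sleep` re-added and two module constants (`wait_indexed_alert_retries`, `wait_indexed_alert_seconds`) next to the other module-level settings. Matching `"timestamp"` with a `term` query on the raw alerts.json string presumably relies on the field being indexed as an exact keyword/date value — worth confirming against the index template.
```python
    # … unchanged: query construction …
    # The alerts.json -> filebeat -> indexer path is asynchronous; poll instead of a single shot.
    alert_data = None
    for _ in range(wait_indexed_alert_retries):
        response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials)
        assert response.ok, f'Indexer API returned {response.status_code}'
        alert_data = re.search(expected_indexed_alert, json.dumps(response.json()))
        if alert_data is not None:
            break
        sleep(wait_indexed_alert_seconds)
    assert alert_data is not None, 'Alert triggered, but not indexed'
```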
@@ -0,0 +1,1284 @@ + + +* + + + + + +sethc.exe +utilman.exe +osk.exe +Magnify.exe +DisplaySwitch.exe +Narrator.exe +AtBroker.exe +sdbinst.exe +bitsadmin.exe + +eventvwr.exe +c:\windows\system32\mmc.exe + +fodhelper.exe +ˆ + +fltMC.exe +unload;detach + + +fltMC.exe +misc::mflt + + +InstallUtil.exe +/logfile=;/LogToConsole=false;/U + +whoami.exe +ipconfig.exe +tasklist.exe +systeminfo.exe;sysinfo.exe +netstat.exe +qprocess.exe +nslookup.exe +net.exe;net1.exe +quser.exe +query.exe +tracert.exe +tree.com +route.exe +runas.exe +reg.exe +taskkill.exe +netsh.exe +klist.exe +wevtutil.exe +taskeng.exe +regsvr32.exe +wmiprvse.exe +wmiprvse.exe +hh.exe +cmd.exe +cmd.exe +powershell.exe +powershell.exe +powershell_ise.exe +bash.exe +odbcconf.exe +pcalua.exe +cscript.exe +wscript.exe +pcalua.exe +cscript.exe +wscript.exe +mshta.exe +control.exe +mshta.exe +attrib.exe +cmdkey.exe +nbtstat.exe;nbtinfo.exe +qwinsta.exe +rwinsta.exe +schtasks.exe;sctasks.exe +replace.exe +jjs.exe +appcmd.exe +sc.exe +certutil.exe +findstr.exe +where.exe +forfiles.exe +icacls.exe;cacls.exe +xcopy.exe +robocopy.exe +takeown.exe +makecab.exe +wusa.exe +vassadmin.exe +nltest.exe;nltestk.exe +winrs.exe +computerdefaults.exe +dism.exe +fodhelper.exe +mofcomp.exe +C:\WINDOWS\system32\wbem\scrcons.exe +ScrCons + +esentutl.exe +/y;/vss/d + + +Mavinject.exe;mavinject64.exe +/INJECTRUNNING + + +nltestrk.exe +"C:\WINDOWS\system32\nltest.exe" /domain_trusts + + +CMSTP.exe +/ni;/s + +MSBuild.exe +excel.exe +winword.exe +powerpnt.exe +outlook.exe +msaccess.exe +mspub.exe +regsvcs.exe;regasm.exe +SyncAppvPublishingServer.exe +PsList.exe +PsService.exe +PsExec.exe +PsExec.c +PsGetSID.exe +PsKill.exe +PKill.exe +ProcDump +PsLoggedOn.exe +PsFile.exe +ShellRunas +PipeList.exe +AccessChk.exe +AccessEnum.exe +LogonSessions.exe +PsLogList.exe +PsInfo.exe +LoadOrd +PsPasswd.exe +ru.exe +Regsize +ProcDump +-ma lsass.exe +C:\PerfLogs\ +C:\$Recycle.bin\ +C:\Intel\Logs\ +C:\Users\Default\ +C:\Users\Public\ 
+C:\Users\NetworkService\ +C:\Windows\Fonts\ +C:\Windows\Debug\ +C:\Windows\Media\ +C:\Windows\Help\ +C:\Windows\addins\ +C:\Windows\repair\ +C:\Windows\security\ +C:\Windows\system32\config\systemprofile\ +VolumeShadowCopy +\htdocs\ +\wwwroot\ +\Temp\ +\Appdata\Local\ + +control;/name +rundll32.exe;shell32.dll;Control_RunDLL + + +MpCmdRun.exe +Add-MpPreference;RemoveDefinitions;DisableIOAVProtection + +wsmprovhost.exe +winrm.cmd + + + + + +C:\Temp +C:\Windows\Temp +C:\Tmp +C:\Users + + + + + +vnc.exe +vncviewer.exe +vncservice.exe +winexesvc.exe +bitsadmin.exe +omniinet.exe +hpsmhd.exe +ipconfig.exe +tasklist.exe +netstat.exe +qprocess.exe +nslookup.exe +net.exe +quser.exe +query.exe +runas.exe +reg.exe +netsh.exe +klist.exe +wevtutil.exe +taskeng.exe +regsvr32.exe +hh.exe +cmd.exe +powershell.exe +bash.exe +pcalua.exe +cscript.exe +wscript.exe +mshta.exe +nbtstat.exe +net1.exe +nslookup.exe +qwinsta.exe +rwinsta.exe +schtasks.exe +taskkill.exe +sc.exe +nltest.exe +winrs.exe +Mavinject.exe +at.exe +certutil.exe +cmd.exe +cscript.exe +java.exe +mshta.exe +msiexec.exe +net.exe +notepad.exe +powershell.exe +reg.exe +regsvr32.exe +rundll32.exe +sc.exe +wmic.exe +wscript.exe +driverquery.exe +dsquery.exe +hh.exe +infDefaultInstall.exe +javaw.exe +javaws.exe +mmc.exe +msbuild.exe +nbtstat.exe +net1.exe +nslookup.exe +qprocess.exe +qwinsta.exe +regsvcs.exe +rwinsta.exe +schtasks.exe +taskkill.exe +tasklist.exe +replace.exe +1080 +3128 +8080 +22 +23 +25 +3389 +5800 +5900 +psexec.exe +psexesvc.exe +C:\Users +C:\ProgramData +C:\Windows\Temp +C:\Temp +C:\PerfLogs\ +C:\$Recycle.bin\ +C:\Intel\Logs\ +C:\Users\Default\ +C:\Users\Public\ +C:\Users\NetworkService\ +C:\Windows\Fonts\ +C:\Windows\Debug\ +C:\Windows\Media\ +C:\Windows\Help\ +C:\Windows\addins\ +C:\Windows\repair\ +C:\Windows\security\ +C:\Windows\system32\config\systemprofile\ +\htdocs\ +\wwwroot\ +SyncAppvPublishingServer.exe +tor.exe +1723 +4500 +9001 +9030 +5986 +449 +447 +8082 +svchost.exe + + + + + +C:\Users 
+C:\Temp +C:\Windows\Temp + + + + + + + + + + +C:\Windows\System32\samlib.dll +C:\Windows\System32\WinSCard.dll +C:\Windows\System32\cryptdll.dll +C:\Windows\System32\hid.dll +C:\Windows\System32\vaultcli.dll +C:\Windows\System32\wlanapi.dll + +.wll +.xll +system.management.automation.ni.dll +system.management.automation.dll +taskschd.dll +scrobj.dll +admin$;c$;\\;\appdata\;\temp\ +c:\programdata\ +C:\Windows\Media\ +C:\Windows\addins\ +C:\Windows\system32\config\systemprofile\ +C:\Windows\Debug\ +C:\Windows\Temp +C:\PerfLogs\ +C:\Windows\Help\ +C:\Intel\Logs\ +C:\Temp +C:\Windows\repair\ +C:\Windows\security\ +C:\Windows\Fonts\ +file: +$Recycle.bin\ +\Windows\IME\ +wmiutils.dll + + + + + +LoadLibrary +C:\Windows\System32\rundll32.exe +C:\Windows\System32\svchost.exe +C:\Windows\System32\sysmon.exe + +0x001A0000 +c:\windows\system32\lsass.exe + +0x00590000 + + + + + + + + + +dbghelp.dll +dbgore.dll + +C:\Windows\system32\csrss.exe +0x1F1FFF + + +C:\Windows\system32\wininit.exe +0x1F1FFF + + +C:\Windows\system32\winlogon.exe +0x1F1FFF + + +C:\Windows\system32\services.exe +0x1F1FFF + +0x21410 + +C:\Windows\system32\lsass.exe +0x1FFFFF + + +C:\Windows\system32\lsass.exe +0x1F1FFF + + +C:\Windows\system32\lsass.exe +0x1010 + + +C:\Windows\system32\lsass.exe +0x143A + +0x0800 +0x0810 +0x0820 +0x800 +0x810 +0x820 +C:\PerfLogs\ +C:\$Recycle.bin\ +C:\Intel\Logs\ +C:\Users\Default\ +C:\Users\Public\ +C:\Users\NetworkService\ +C:\Windows\Fonts\ +C:\Windows\Debug\ +C:\Windows\Media\ +C:\Windows\Help\ +C:\Windows\addins\ +C:\Windows\repair\ +C:\Windows\security\ +C:\Windows\system32\config\systemprofile\ +VolumeShadowCopy +\htdocs\ +\wwwroot\ +\Temp\ + +System.Management.Automation.ni.dll +C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe + + + + + + +C:\Windows\AppPatch\Custom +.bat +.cmd +.chm +C:\Users\Default +AppData\Local\Microsoft\CLR_v2.0\UsageLogs\ +\UsageLogs\cscript.exe.log +\UsageLogs\wscript.exe.log +\UsageLogs\wmic.exe.log +\UsageLogs\mshta.exe.log 
+\UsageLogs\svchost.exe.log +\UsageLogs\regsvr32.exe.log +\UsageLogs\rundll32.exe.log +\Downloads\ +C:\Windows\System32\Drivers +C:\Windows\SysWOW64\Drivers +.exe +C:\Windows\System32\GroupPolicy\Machine\Scripts +C:\Windows\System32\GroupPolicy\User\Scripts +.hta +.iso +.img +.lnk +.scf +.application +.appref-ms +.*proj +.sln +.settingcontent-ms +.docm +.pptm +.xlsm +.xlm +.dotm +.xltm +.potm +.ppsm +.sldm +.xlam +.xla +.iqy +.slk +\Content.Outlook\ +.rft +.jsp +.jspx +.asp +.aspx +.php +.war +.ace +C:\Windows\System32\WindowsPowerShell +C:\Windows\SysWOW64\WindowsPowerShell +.ps1 +.ps2 +.py +.pyc +.pyw +rundll32.exe +C:\Windows\System32\Tasks +C:\Windows\Tasks\ +\Start Menu +\Startup +.sys +.url +.vb +.vbe +.vbs +C:\Windows\System32\Wbem +C:\Windows\SysWOW64\Wbem +C:\WINDOWS\system32\wbem\scrcons.exe +C:\Windows\Temp\ +C:\Temp\ +C:\PerfLogs\ +C:\Users\Public\ +\AppData\Temp\ + + + + + +HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options +HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB +HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom +HKLM\SYSTEM\CurrentControlSet\Control\Lsa +\CurrentVersion\Run +\Group Policy\Scripts +\Windows\System\Scripts +\Policies\Explorer\Run +\ServiceDll +\ImagePath +\Start +HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify +HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit +HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell +HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 +HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute +\Explorer\FileExts +\shell\install\command +\shell\open\command +\shell\open\ddeexec +Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup +\mscfile\shell\open\command +ms-settings\shell\open\command +Classes\exefile\shell\runas\command\isolatedCommand +Software\Classes\CLSID +\services\Netlogon\Parameters\DisablePasswordChange 
+HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls +HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls +REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DNS\Parameters\ServerLevelPluginDll +HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions +HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options +HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options +\Internet Explorer\Toolbar +\Internet Explorer\Extensions +\Browser Helper Objects +HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors +SOFTWARE\Microsoft\Netsh +\UrlUpdateInfo +\Microsoft\Office\Outlook\Addins +\Software\Microsoft\VSTO\Security\Inclusion +\Software\Microsoft\VSTO\SolutionMetadata +HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services +SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe +HKLM\SOFTWARE\Microsoft\Cryptography\OID +HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID +HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust +HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust +\PsExec\EulaAccepted +\PsFile\EulaAccepted +\PsGetSID\EulaAccepted +\PsInfo\EulaAccepted +\PsKill\EulaAccepted +\PsList\EulaAccepted +\PsLoggedOn\EulaAccepted +\PsLogList\EulaAccepted +\PsPasswd\EulaAccepted +\PsService\EulaAccepted +\PsShutDown\EulaAccepted +\PsSuspend\EulaAccepted +SYSTEM\CurrentControlSet\services\SysmonDrv +SYSTEM\CurrentControlSet\services\Sysmon +HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram +HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders +HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths +HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls +\InprocServer32\(Default) +HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider +HKLM\SYSTEM\CurrentControlSet\Control\Lsa 
+HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders +\Control\SecurityProviders\WDigest +HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify +HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware +HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirus +HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring +HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection +HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable +HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpyNetReporting +HKLM\SOFTWARE\Policies\Microsoft\Windows Defender +HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List +HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify +HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride +HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options +HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT +HKLM\SYSTEM\CurrentControlSet\Control\Safeboot +HKLM\SYSTEM\CurrentControlSet\Control\Winlogon +\FriendlyName +HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default) + +HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System +C:\Windows\System32\svchost.exe + +HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order +HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles +HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates +\Microsoft\SystemCertificates\Root\Certificates +HKLM\SOFTWARE\Microsoft\Security Center\AllAlertsDisabled +HKLM\SOFTWARE\Microsoft\Security Center\DisableMonitoring +\Classes\AllFilesystemObjects +\Classes\Directory +\Classes\Drive +\Classes\Folder +\ContextMenuHandlers +\CurrentVersion\Shell +HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks 
+HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjectDelayLoad +{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} +HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA +HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy +HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify +HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify +HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Setup\ServiceStartup +HKLM\SYSTEM\CurrentControlSet\Services\WinSock +\ProxyServer +SYSTEM\CurrentControlSet\Control\CrashControl + + + + + +Temp\7z +.bat +.cmd +Temp\debug.bin +Downloads +.exe +.hta +.lnk +Content.Outlook +.ps1 +.ps2 +.reg +.vb +.vbe +.vbs + + + + + +Program Files (x86)\Citrix\ICA Client\SelfServicePlugin\SelfService.exe +Program Files (x86)\Citrix\ICA Client\Receiver\Receiver.exe +Program Files (x86)\Citrix\ICA Client\wfcrun32.exe +Program Files (x86)\Citrix\ICA Client\concentr.exe +\Vivisimo Velocity +\SQLLocal\MSSQLSERVER +\SQLLocal\INSTANCE01 +\SQLLocal\SQLEXPRESS +\SQLLocal\COMMVAULT +\SQLLocal\RTCLOCAL +\SQLLocal\RTC +\SQLLocal\TMSM +Program Files (x86)\Microsoft SQL Server\110\DTS\binn\dtexec.exe +PostgreSQL\9.6\bin\postgres.exe +\pgsignal_ +Program Files\Qlik\Sense\Engine\Engine.exe +Program Files\SplunkUniversalForwarder\bin\splunkd.exe +Program Files\SplunkUniversalForwarder\bin\splunk.exe +Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe +Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\CMAgent\OfcCMAgent.exe +Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\web\service\ofcservice.exe +Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Web\Service\DbServer.exe +Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\web\service\verconn.exe +Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\WEB_OSCE\WEB\CGI\cgiOnClose.exe +Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\WEB_OSCE\WEB\CGI\cgiRqHotFix.exe +Program Files (x86)\Trend 
Micro\OfficeScan\PCCSRV\LWCS\LWCSService.exe +Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\WSS\iCRCService.exe +Program Files\Trend\SPROTECT\x64\tsc.exe +Program Files\Trend\SPROTECT\x64\tsc64.exe +Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\web\service\osceintegrationservice.exe +Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\web\service\OfcLogReceiverSvc.exe +\Trend Micro OSCE Command Handler Manager +\Trend Micro OSCE Command Handler2 Manager +\Trend Micro Endpoint Encryption ToolBox Command Handler Manager +\OfcServerNamePipe +\ntapvsrq +\srvsvc +\wkssvc +\lsass +\winreg +\spoolss +Anonymous Pipe +c:\windows\system32\inetsrv\w3wp.exe + + + + + +Created + + + + +.1rx.io +.2mdn.net +.adadvisor.net +.adap.tv +.addthis.com +.adform.net +.adnxs.com +.adroll.com +.adrta.com +.adsafeprotected.com +.adsrvr.org +.advertising.com +.amazon-adsystem.com +.amazon-adsystem.com +.analytics.yahoo.com +.aol.com +.betrad.com +.bidswitch.net +.casalemedia.com +.chartbeat.net +.cnn.com +.convertro.com +.criteo.com +.criteo.net +.crwdcntrl.net +.demdex.net +.domdex.com +.dotomi.com +.doubleclick.net +.doubleverify.com +.emxdgt.com +.exelator.com +.google-analytics.com +.googleadservices.com +.googlesyndication.com +.googletagmanager.com +.googlevideo.com +.gstatic.com +.gvt1.com +.gvt2.com +.ib-ibi.com +.jivox.com +.mathtag.com +.moatads.com +.moatpixel.com +.mookie1.com +.myvisualiq.net +.netmng.com +.nexac.com +.openx.net +.optimizely.com +.outbrain.com +.pardot.com +.phx.gbl +.pinterest.com +.pubmatic.com +.quantcount.com +.quantserve.com +.revsci.net +.rfihub.net +.rlcdn.com +.rubiconproject.com +.scdn.co +.scorecardresearch.com +.serving-sys.com +.sharethrough.com +.simpli.fi +.sitescout.com +.smartadserver.com +.snapads.com +.spotxchange.com +.taboola.com +.taboola.map.fastly.net +.tapad.com +.tidaltv.com +.trafficmanager.net +.tremorhub.com +.tribalfusion.com +.turn.com +.twimg.com +.tynt.com +.w55c.net +.ytimg.com +.zorosrv.com +1rx.io +adservice.google.com 
+ampcid.google.com +clientservices.googleapis.com +googleadapis.l.google.com +imasdk.googleapis.com +l.google.com +ml314.com +mtalk.google.com +update.googleapis.com +www.googletagservices.com +.mozaws.net +.mozilla.com +.mozilla.net +.mozilla.org +clients1.google.com +clients2.google.com +clients3.google.com +clients4.google.com +clients5.google.com +clients6.google.com +safebrowsing.googleapis.com +.akadns.net +.netflix.com +aspnetcdn.com +ajax.googleapis.com +cdnjs.cloudflare.com +fonts.googleapis.com +.typekit.net +cdnjs.cloudflare.com +.stackassets.com +.steamcontent.com +.arpa. +.arpa +.msftncsi.com +.localmachine +localhost + +C:\ProgramData\LogiShrd\LogiOptions\Software\Current\updater.exe +.logitech.com + +C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe +-pushp.svc.ms +.b-msedge.net +.bing.com +.hotmail.com +.live.com +.live.net +.s-microsoft.com +.microsoft.com +.microsoftonline.com +.microsoftstore.com +.ms-acdc.office.com +.msedge.net +.msn.com +.msocdn.com +.skype.com +.skype.net +.windows.com +.windows.net.nsatc.net +.windowsupdate.com +.xboxlive.com +login.windows.net +.activedirectory.windowsazure.com +.aria.microsoft.com +.msauth.net +.msftauth.net +.opinsights.azure.com +management.azure.com +outlook.office365.com +portal.azure.com +substrate.office.com +osi.office.net +.digicert.com +.globalsign.com +.globalsign.net +msocsp.com +ocsp.msocsp.com +pki.goog +ocsp.godaddy.com +amazontrust.com +ocsp.sectigo.com +pki-goog.l.google.com +.usertrust.com +ocsp.comodoca.com +ocsp.verisign.com +ocsp.entrust.net +ocsp.identrust.com +status.rapidssl.com +status.thawte.com +ocsp.int-x3.letsencrypt.org +subca.ocsp-certum.com +cscasha2.ocsp-certum.com +.spotify.com +.spotify.map.fastly.net + + + + +C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe +C:\Windows\system32\igfxCUIService.exe +C:\Program Files (x86)\Ivanti\Workspace Control\pfwsmgr.exe +C:\Program Files (x86)\RES Software\Workspace Manager\pfwsmgr.exe +C:\Program 
Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe +C:\Windows\System32\smss.exe +C:\Windows\system32\CompatTelRunner.exe +C:\Windows\system32\wbem\WMIADAP.EXE +C:\Windows\System32\DriverStore\Temp\ +C:\Windows\System32\wbem\Performance\ +WRITABLE.TST +\AppData\Roaming\Microsoft\Windows\Recent\ +C:\$WINDOWS.~BT\Sources\SafeOS\SafeOS.Mount\ +C:\WINDOWS\winsxs\amd64_microsoft-windows +c:\Program Files\Microsoft Security Client\MsMpEng.exe +c:\windows\system32\provtool.exe +C:\WINDOWS\CCM\CcmExec.exe +C:\Windows\CCM +C:\Windows\System32\Tasks\Microsoft\Windows\PLA\FabricTraces +C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask +C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleUsageCollector +C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerCeipAssistant +C:\WINDOWS\system32\svchost.exe + + + + +C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\aciseposture.exe +C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe +Toolbar\WebBrowser +Toolbar\WebBrowser\ITBar7Height +Toolbar\ShellBrowser\ITBar7Layout +Internet Explorer\Toolbar\Locked +ShellBrowser +C:\Program Files (x86)\Ivanti\Workspace Control\pfwsmgr.exe +C:\Program Files\RES Software\Workspace Manager\pfwsmgr.exe +C:\Program Files\McAfee\Endpoint Encryption Agent\MfeEpeHost.exe +C:\Program Files\McAfee\Endpoint Security\Adaptive Threat Protection\mfeatp.exe +C:\Program Files\McAfee\Endpoint Security\Endpoint Security Platform\mfeesp.exe +C:\Program Files\Common Files\McAfee\Engine\AMCoreUpdater\amupdate.exe +C:\Program Files\McAfee\Agent\masvc.exe +C:\Program Files\McAfee\Agent\x86\mfemactl.exe +C:\Program Files\McAfee\Agent\x86\McScript_InUse.exe +C:\Program Files\McAfee\Agent\x86\macompatsvc.exe +C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfeensppl.exe +C:\Program Files\Common 
Files\McAfee\Engine\scanners +C:\Program Files\Common Files\McAfee\AVSolution\mcshield.exe +C:\Program Files (x86)\Webroot\WRSA.exe +C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe +HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit +HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\AuditPolicy +HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System +HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache +HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains +HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit +\OpenWithProgids +\OpenWithList +\UserChoice +\UserChoice\ProgId +\UserChoice\Hash +\OpenWithList\MRUList +} 0xFFFF +Office\root\integration\integrator.exe +C:\WINDOWS\system32\backgroundTaskHost.exe +C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe +C:\Program Files\Windows Defender\MsMpEng.exe +C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe +C:\Program Files\Microsoft Application Virtualization\Client\AppVClient.exe +\CurrentVersion\Run +\CurrentVersion\RunOnce +\CurrentVersion\App Paths +\CurrentVersion\Image File Execution Options +\CurrentVersion\Shell Extensions\Cached +\CurrentVersion\Shell Extensions\Approved +}\PreviousPolicyAreas +\Control\WMI\Autologger\ +HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc\Start +\Lsa\OfflineJoin\CurrentValue +\Components\TrustedInstaller\Events +\Components\TrustedInstaller +\Components\Wlansvc +\Components\Wlansvc\Events +HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\ +\Directory\shellex +\Directory\shellex\DragDropHandlers +\Drive\shellex +\Drive\shellex\DragDropHandlers +_Classes\AppX +HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\ +HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates +C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe +C:\$WINDOWS.~BT\ +\services\clr_optimization_v2.0.50727_32\Start 
+\services\clr_optimization_v2.0.50727_64\Start +\services\clr_optimization_v4.0.30319_32\Start +\services\clr_optimization_v4.0.30319_64\Start +\services\DeviceAssociationService\Start +\services\BITS\Start +\services\TrustedInstaller\Start +\services\tunnel\Start +\services\UsoSvc\Start + + + + + +AcroRd32.exe +/CR;channel= + + +C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe +C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe +C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe +C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe + +C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe +C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe +C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe +C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe +C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe +C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe +C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe +C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe +C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe +C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe +C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AdobeGCClient.exe +C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P6\adobe_licutil.exe +C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe +C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe +C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe +C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe +C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe +C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe +C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe 
+C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe +C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe +C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe +C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe +C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe +C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe +C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe +C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe +C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe +C:\Program Files\NVIDIA Corporation\ +C:\Program Files\Realtek\ +C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe +C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe +C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe +C:\Program Files\ESET\ESET Nod32 Antivirus\ekrn.exe +"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type= +"C:\Program Files\Google\Chrome\Application\chrome.exe" --type= +C:\Program Files (x86)\Google\Update\ +C:\Program Files (x86)\Google\Update\ +C:\Program Files (x86)\RES Software\Workspace Manager\pfwsmgr.exe +C:\Program Files (x86)\RES Software\Workspace Manager\respesvc64.exe +C:\Program Files (x86)\Ivanti\Workspace Control\pfwsmgr.exe +C:\Program Files (x86)\RES Software\Workspace Manager\ResPesvc64.exe +C:\Program Files\RES Software\Workspace Manager\respesvc.exe +C:\Program Files\Ivanti\Workspace Control\ResPesvc.exe +C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe +C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe +C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe +C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe +C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe +C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe +C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE +C:\Program Files\Common Files\Microsoft 
Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE +"C:\Program Files\Mozilla Firefox\plugin-container.exe" --channel +"C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe" --channel +C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe +C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe +C:\Program Files (x86)\Sophos\Sophos System Protection\ssp.exe +C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe +C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe +C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe +C:\Program Files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe +C:\Program Files\SplunkUniversalForwarder\bin\ +C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe +C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe +D:\Program Files\SplunkUniversalForwarder\bin\ +D:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe +D:\Program Files\SplunkUniversalForwarder\bin\splunk.exe +C:\Program Files\Splunk\bin\ +C:\Program Files\Splunk\bin\splunkd.exe +D:\Program Files\Splunk\bin\ +D:\Program Files\Splunk\bin\splunkd.exe +C:\Windows\system32\svchost.exe -k appmodel -s StateRepository +C:\Windows\system32\svchost.exe -k appmodel +C:\WINDOWS\system32\svchost.exe -k appmodel -p -s tiledatamodelsvc +C:\Windows\system32\svchost.exe -k camera -s FrameServer +C:\Windows\system32\svchost.exe -k dcomlaunch -s LSM +C:\Windows\system32\svchost.exe -k dcomlaunch -s PlugPlay +C:\Windows\system32\svchost.exe -k defragsvc +C:\Windows\system32\svchost.exe -k devicesflow -s DevicesFlowUserSvc +C:\Windows\system32\svchost.exe -k imgsvc +C:\Windows\system32\svchost.exe -k localService -s EventSystem +C:\Windows\system32\svchost.exe -k localService -s bthserv +C:\Windows\system32\svchost.exe -k localService -s nsi +C:\Windows\system32\svchost.exe -k localService -s w32Time +C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation 
+C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s Dhcp +C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s EventLog +C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s TimeBrokerSvc +C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s WFDSConMgrSvc +C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted +C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -s SensrSvc +C:\Windows\system32\svchost.exe -k localServiceNoNetwork +C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s WPDBusEnum +C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s fhsvc +C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s DeviceAssociationService +C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s NcbService +C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s SensorService +C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s TabletInputService +C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s UmRdpService +C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WPDBusEnum +C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WdiSystemHost +C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost +C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted +C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s wlidsvc +C:\Windows\system32\svchost.exe -k netsvcs -p -s ncaSvc +C:\Windows\system32\svchost.exe -k netsvcs -s BDESVC +C:\Windows\system32\svchost.exe -k netsvcs -s BITS +C:\Windows\system32\svchost.exe -k netsvcs -s CertPropSvc +C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc +C:\Windows\system32\svchost.exe -k netsvcs -s Gpsvc +C:\Windows\system32\svchost.exe -k netsvcs -s ProfSvc +C:\Windows\system32\svchost.exe -k netsvcs -s SENS +C:\Windows\system32\svchost.exe -k netsvcs -s SessionEnv +C:\Windows\system32\svchost.exe 
-k netsvcs -s Themes +C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt +C:\Windows\system32\svchost.exe -k netsvcs +C:\Windows\system32\svchost.exe -k networkService -p -s DoSvc +C:\Windows\system32\svchost.exe -k networkService -s Dnscache +C:\Windows\system32\svchost.exe -k networkService -s LanmanWorkstation +C:\Windows\system32\svchost.exe -k networkService -s NlaSvc +C:\Windows\system32\svchost.exe -k networkService -s TermService +C:\Windows\system32\svchost.exe -k networkService +C:\Windows\system32\svchost.exe -k networkServiceNetworkRestricted +C:\Windows\system32\svchost.exe -k rPCSS +C:\Windows\system32\svchost.exe -k secsvcs +C:\Windows\system32\svchost.exe -k swprv +C:\Windows\system32\svchost.exe -k unistackSvcGroup +C:\Windows\system32\svchost.exe -k utcsvc +C:\Windows\system32\svchost.exe -k wbioSvcGroup +C:\Windows\system32\svchost.exe -k werSvcGroup +C:\WINDOWS\System32\svchost.exe -k wsappx -p -s ClipSVC +C:\WINDOWS\system32\svchost.exe -k wsappx -p -s AppXSvc +C:\Windows\system32\svchost.exe -k wsappx -s ClipSVC +C:\Windows\system32\svchost.exe -k wsappx +C:\Windows\system32\svchost.exe -k netsvcs +C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted +C:\Program Files\Trend Micro\Deep Security Agent\ds_monitor.exe +C:\Program Files\Trend Micro\Deep Security Agent\dsa.exe +C:\Program Files\Trend Micro\Deep Security Agent\dsuam.exe +C:\Program Files\Trend Micro\Deep Security Agent\Notifier.exe +C:\Program Files\Trend Micro\Deep Security Agent\lib\Patch.exe +C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe +C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmopExtIns32.exe +C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmExtIns.exe +C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmListen.exe +C:\Program Files\Windows Defender\ +C:\Windows\system32\MpSigStub.exe +C:\Windows\SoftwareDistribution\Download\Install\AM_ +C:\Program Files\Microsoft Security Client\MpCmdRun.exe +C:\Windows\system32\DllHost.exe /Processid 
+C:\Windows\system32\SearchIndexer.exe /Embedding +C:\Windows\System32\CompatTelRunner.exe +C:\Windows\System32\MusNotification.exe +C:\Windows\System32\MusNotificationUx.exe +C:\Windows\System32\audiodg.exe +C:\Windows\System32\conhost.exe +C:\Windows\System32\powercfg.exe +C:\Windows\System32\wbem\WmiApSrv.exe +C:\Windows\System32\wermgr.exe +C:\Windows\SysWOW64\wermgr.exe +C:\Windows\system32\sppsvc.exe +AppContainer +%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows +C:\Windows\system32\SearchIndexer.exe + + + + +AppData\Roaming\Dropbox\bin\Dropbox.exe +C:\Program Files\ESET\ESET Nod32 Antivirus\ekrn.exe +OneDrive.exe +OneDriveStandaloneUpdater.exe +C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe +C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe +C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe +C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe +C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe +C:\Program Files\Sophos\Sophos Network Threat Protection\bin\SntpService.exe +Spotify.exe +C:\Program files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe +C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe +microsoft.com +microsoft.com.akadns.net +microsoft.com.nsatc.net + + + + +Intel +microsoft +windows + + + + +C:\Windows\CarbonBlack\cb.exe +c:\Program Files\Couchbase\Server\bin\sigar_port.exe +C:\Program Files (x86)\Ivanti\Workspace Control\cpushld.exe +C:\Program Files (x86)\RES Software\Workspace Manager\cpushld.exe +C:\Program Files\Ivanti\Workspace Control\cpushld.exe +C:\Program Files\RES Software\Workspace Manager\cpushld.exe +wmiprvse.exe +GoogleUpdate.exe +LTSVC.exe +taskmgr.exe +VBoxService.exe +vmtoolsd.exe +\Citrix\System32\wfshell.exe +C:\Windows\System32\lsm.exe +Microsoft.Identity.AadConnect.Health.AadSync.Host.exe +C:\Program Files (x86)\Symantec\Symantec Endpoint Protection +0x1000 +0x1400 +0x101400 +0x101000 +C:\Program 
Files\McAfee\Endpoint Security\Endpoint Security Platform\mfeesp.exe +C:\Program Files\McAfee\Agent\x86\macompatsvc.exe +C:\Program Files\Microsoft Security Client\MsMpEng.exe +C:\Program Files\Windows Defender\MsMpEng.exe +C:\Program Files (x86)\Mobatek\MobaXterm\MobaXterm.exe +C:\Program Files (x86)\Razer Chroma SDK\bin\RzSDKService.exe +C:\WINDOWS\CCM\CcmExec.exe +C:\Program Files (x86)\VMware\VMWare Player\vmware-authd.exe +C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe +C:\Program Files\WinZip\FAHWindow64.exe + + + + +AppData\Local\Google\Chrome\Application\chrome.exe +Root\VFS\ProgramFilesX86\Google\Chrome\Application\chrome.exe +OneDrive.exe +setup + + + + +\atsvc +\msagent_ +\msf-pipe +\PSEXESVC +\srvsvc +\winreg + + + + +C:\Windows\System32\svchost.exe +C:\Windows\System32\wininit.exe +C:\Windows\System32\csrss.exe +C:\Windows\System32\services.exe +C:\Windows\System32\winlogon.exe +C:\Windows\System32\audiodg.exe +C:\windows\system32\kernel32.dll +Google\Chrome\Application\chrome.exe +C:\Windows\System32\wbem\WmiPrvSE.exe + + + + \ No newline at end of file From 99e2bdd8db919b79425a807ca8324830dc1873e9 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Mon, 25 Jul 2022 15:27:22 -0300 Subject: [PATCH 254/552] fix: deletec inventory --- .../general_playbooks/inventory.yml | 27 ------------------- 1 file changed, 27 deletions(-) delete mode 100644 tests/end_to_end/general_playbooks/inventory.yml diff --git a/tests/end_to_end/general_playbooks/inventory.yml b/tests/end_to_end/general_playbooks/inventory.yml deleted file mode 100644 index ef0c21eede..0000000000 --- a/tests/end_to_end/general_playbooks/inventory.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -all: - hosts: - wazuh-manager: - ansible_connection: ssh - ansible_user: vagrant - ansible_ssh_pass: vagrant - ansible_python_interpreter: /usr/bin/python3 - dashboard_user: admin - dashboard_password: BpC6DTTmF5P0vV6vACB8tP5wDlUTzGU+ - - wazuh-agent1: - ansible_connection: ssh - ansible_user: vagrant - ansible_ssh_pass: vagrant - ansible_python_interpreter: /usr/bin/python3 - - wazuh-windows: - ansible_user: Administrator - ansible_password: vagrant - ansible_connection: winrm - ansible_winrm_server_cert_validation: ignore - ansible_winrm_transport: basic - ansible_winrm_port: 5985 - ansible_python_interpreter: C:\Users\vagrant\AppData\Local\Programs\Pyhton\Python39\python.exe - - vars: - virustotal_key: 3e4db70c621cd9dd9e3400254297eea03215987facca9931a42dcb86ffb8aa78 From c62a061cfed934c99dae75df22ef1889f0937bc6 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Mon, 25 Jul 2022 15:32:30 -0300 Subject: [PATCH 255/552] fix: linter error in test_emotet.py --- tests/end_to_end/test_emotet/test_emotet.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/end_to_end/test_emotet/test_emotet.py b/tests/end_to_end/test_emotet/test_emotet.py index 706a9f5947..5a7395e3ce 100644 --- a/tests/end_to_end/test_emotet/test_emotet.py +++ b/tests/end_to_end/test_emotet/test_emotet.py @@ -14,7 +14,7 @@ test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_emotet.yaml') configuration_playbooks = ['configuration.yaml'] emotet_file_path = os.path.join(test_data_path, 'emotet_file', 'trigger-emotet.exe') -sysmon_config= os.path.join(test_data_path, 'sysmon_config', 'sysconfig.xml') +sysmon_config = os.path.join(test_data_path, 'sysmon_config', 'sysconfig.xml') configuration_extra_vars = {'emotet_file': emotet_file_path, 'sysmon_config': sysmon_config} events_playbooks = ['generate_events.yaml'] 
@@ -27,7 +27,7 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) def test_emotet(configure_environment, metadata, get_dashboard_credentials, generate_events, - clean_alerts_index): + clean_alerts_index): """ Test to detect an emotet attack """ From 719377bbdc72451d5fd2520a6295315e7344f0e9 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Mon, 25 Jul 2022 16:21:47 -0300 Subject: [PATCH 256/552] fix: linter errors --- .../test_emotet/data/playbooks/configuration.yaml | 6 +++--- .../test_emotet/data/playbooks/generate_events.yaml | 1 - .../test_emotet/data/test_cases/cases_emotet.yaml | 3 ++- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/tests/end_to_end/test_emotet/data/playbooks/configuration.yaml b/tests/end_to_end/test_emotet/data/playbooks/configuration.yaml index 3eea6db91f..4190d50297 100644 --- a/tests/end_to_end/test_emotet/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_emotet/data/playbooks/configuration.yaml @@ -34,11 +34,12 @@ cd C:\temp\Sysmon ./Sysmon64.exe -accepteula -i sysconfig.xml - - name: Configure Wazuh to collect Sysmon events + - name: Configure Wazuh to collect Sysmon events ansible.windows.win_shell: | Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" - Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`nMicrosoft-Windows-Sysmon/Operational" + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' ` + "`nMicrosoft-Windows-Sysmon/Operational" Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`neventchannel" Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" @@ -53,7 +54,6 @@ net stop wazuh net start wazuh - - name: Test manager configuration hosts: wazuh-manager tasks: 
diff --git a/tests/end_to_end/test_emotet/data/playbooks/generate_events.yaml b/tests/end_to_end/test_emotet/data/playbooks/generate_events.yaml index 676f380f49..2a36f4c250 100644 --- a/tests/end_to_end/test_emotet/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_emotet/data/playbooks/generate_events.yaml @@ -6,7 +6,6 @@ shell: echo "" > /var/ossec/logs/alerts/alerts.json become: true - - name: Generate events windows hosts: wazuh-windows diff --git a/tests/end_to_end/test_emotet/data/test_cases/cases_emotet.yaml b/tests/end_to_end/test_emotet/data/test_cases/cases_emotet.yaml index 1c454f3b75..cc989773ee 100644 --- a/tests/end_to_end/test_emotet/data/test_cases/cases_emotet.yaml +++ b/tests/end_to_end/test_emotet/data/test_cases/cases_emotet.yaml @@ -4,4 +4,5 @@ metadata: rule.id: 92151 rule.level: 12 - rule.description: Binary loaded PowerShell automation library - Possible unmanaged Powershell execution by suspicious process + rule.description: "Binary loaded PowerShell automation library - + Possible unmanaged Powershell execution by suspicious process" From a24c93ef4e40ed3ef85bd31ca0db65522f3d0bff Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Mon, 25 Jul 2022 16:26:27 -0300 Subject: [PATCH 257/552] fix: linter error quotes --- .../end_to_end/test_emotet/data/test_cases/cases_emotet.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/end_to_end/test_emotet/data/test_cases/cases_emotet.yaml b/tests/end_to_end/test_emotet/data/test_cases/cases_emotet.yaml index cc989773ee..1131605adf 100644 --- a/tests/end_to_end/test_emotet/data/test_cases/cases_emotet.yaml +++ b/tests/end_to_end/test_emotet/data/test_cases/cases_emotet.yaml 
@@ -4,5 +4,5 @@ metadata: rule.id: 92151 rule.level: 12 - rule.description: "Binary loaded PowerShell automation library - - Possible unmanaged Powershell execution by suspicious process" + rule.description: Binary loaded PowerShell automation library - + Possible unmanaged Powershell execution by suspicious process From 0cbfc82a6a6d32097f510669bda2e51463bc50df Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Tue, 26 Jul 2022 10:33:34 -0300 Subject: [PATCH 258/552] feat: new module to test the integration with Suricata was added. #3114 --- .../data/playbooks/configuration.yaml | 66 +++++++++++++++++++ .../data/playbooks/generate_events.yaml | 22 +++++++ .../data/playbooks/teardown.yaml | 10 +++ .../cases_suricata_integration.yaml | 9 +++ .../test_suricata_integration.py | 66 +++++++++++++++++++ 5 files changed, 173 insertions(+) create mode 100644 tests/end_to_end/test_suricata_integration/data/playbooks/configuration.yaml create mode 100644 tests/end_to_end/test_suricata_integration/data/playbooks/generate_events.yaml create mode 100644 tests/end_to_end/test_suricata_integration/data/playbooks/teardown.yaml create mode 100644 tests/end_to_end/test_suricata_integration/data/test_cases/cases_suricata_integration.yaml create mode 100644 tests/end_to_end/test_suricata_integration/test_suricata_integration.py diff --git a/tests/end_to_end/test_suricata_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_suricata_integration/data/playbooks/configuration.yaml new file mode 100644 index 0000000000..85532c1284 --- /dev/null +++ b/tests/end_to_end/test_suricata_integration/data/playbooks/configuration.yaml 
@@ -0,0 +1,66 @@ +- name: Prepare environment + hosts: wazuh-manager + become: true + tasks: + + - name: Check if Suricata is installed + shell: rpm -qa suricata + register: check_suricata + + - name: Download Suricata repo and install dependencies + shell: | + cd /etc/yum.repos.d + yum -y install epel-release wget jq + curl -O https://copr.fedorainfracloud.org/coprs/jasonish/suricata-6.0-testing/repo/epel-7/jasonish-suricata-6.0-testing-epel-7.repo + cd ~ + when: '"suricata" not in check_suricata.stdout' + + - name: Upgrade all packages, excluding kernel related packages + yum: + name: '*' + state: latest + exclude: kernel* + when: '"suricata" not in check_suricata.stdout' + + - name: Install the latest version of Suricata + yum: + name: suricata + state: present + when: '"suricata" not in check_suricata.stdout' + + - name: Download and extract Emerging rules + shell: | + wget https://rules.emergingthreats.net/open/suricata-6.0.3/emerging.rules.tar.gz + tar zxvf emerging.rules.tar.gz + rm /etc/suricata/rules/* -f + mv rules/*.rules /etc/suricata/rules/ + rm -f /etc/suricata/suricata.yaml + wget -O /etc/suricata/suricata.yaml http://www.branchnetconsulting.com/wazuh/suricata.yaml + when: '"suricata" not in check_suricata.stdout' + + - name: Change the default interface + shell: sed -i "s/eth0/$(nmcli device status | awk 'NR==2 {print $1}')/g" /etc/sysconfig/suricata + when: '"suricata" not in check_suricata.stdout' + + - name: Start Suricata + systemd: + daemon_reload: yes + enabled: yes + state: started + name: suricata + + - name: Configure Wazuh to read Suricata logs file + blockinfile: + path: /var/ossec/etc/ossec.conf + marker: + insertbefore: ^ + block: | + + syslog + /var/log/suricata/eve.json + + + - name: Restart Wazuh to apply the change + systemd: + state: started + name: wazuh-manager 
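Review bot: The last task, `Restart Wazuh to apply the change`, uses `systemd: state: started`, which is a no-op when wazuh-manager is already running, so the `blockinfile` edit to ossec.conf is never picked up; it should be `state: restarted`, as the manager play in the emotet/defender playbooks of this series does with an explicit restart. The `Download and extract Emerging rules` task also overwrites /etc/suricata/suricata.yaml with a file fetched over plain HTTP from a third-party host (`wget -O /etc/suricata/suricata.yaml http://www.branchnetconsulting.com/wazuh/suricata.yaml`) and installs a ruleset tarball with no integrity check, so whatever is served at download time silently decides what the IDS detects and what this test asserts; vendoring the config under `data/` and fetching the tarball with `get_url` plus `checksum:` keeps the test reproducible. `yum: name: '*' state: latest` likewise makes the host state differ between runs and is not needed to install Suricata. The `marker:`/`insertbefore:` values and the tags inside `block:` appear empty here, possibly stripped on rendering, so they may be fine in the actual file.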
diff --git a/tests/end_to_end/test_suricata_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_suricata_integration/data/playbooks/generate_events.yaml new file mode 100644 index 0000000000..7f4004d47b --- /dev/null +++ b/tests/end_to_end/test_suricata_integration/data/playbooks/generate_events.yaml @@ -0,0 +1,22 @@ +- name: Generate events + hosts: wazuh-manager + become: true + vars: + alerts_path: /var/ossec/logs/alerts/alerts.json + tasks: + + - name: Truncate alerts file + shell: echo "" > {{ alerts_path }} + + - name: Run command to generate an alert + shell: curl -s http://testmynids.org/uid/index.html + + - name: Wait for alerts to be generated + wait_for: + timeout: 10 + + - name: Get alerts.json + fetch: + src: "{{ alerts_path }}" + dest: /tmp/ + flat: true diff --git a/tests/end_to_end/test_suricata_integration/data/playbooks/teardown.yaml b/tests/end_to_end/test_suricata_integration/data/playbooks/teardown.yaml new file mode 100644 index 0000000000..3e26b1821a --- /dev/null +++ b/tests/end_to_end/test_suricata_integration/data/playbooks/teardown.yaml @@ -0,0 +1,10 @@ +- name: Configure environment + hosts: wazuh-manager + become: true + tasks: + + - name: Remove Wazuh logs configuration + blockinfile: + path: /var/ossec/etc/ossec.conf + marker: + state: absent diff --git a/tests/end_to_end/test_suricata_integration/data/test_cases/cases_suricata_integration.yaml b/tests/end_to_end/test_suricata_integration/data/test_cases/cases_suricata_integration.yaml new file mode 100644 index 0000000000..1cd08df84b --- /dev/null +++ b/tests/end_to_end/test_suricata_integration/data/test_cases/cases_suricata_integration.yaml 
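Review bot: `shell: echo "" > {{ alerts_path }}` does not empty alerts.json, it leaves a blank line in it, and the alert is then awaited with a fixed `wait_for: timeout: 10` before `fetch`, so on a slow manager the alert lands after the copy is taken and the test reports 'The alert has not occurred' although detection worked. Use `copy: content: "" dest: "{{ alerts_path }}"` (or `shell: truncate -s 0 {{ alerts_path }}`) for the truncation, and replace the sleep with `wait_for: path: "{{ alerts_path }}" search_regex: ...` on the rule id so the play continues as soon as the alert exists. The copy is also written to the fixed path `/tmp/alerts.json` on the controller (`flat: true`), which is readable by every local user and collides between parallel runs; a per-run temporary directory would avoid both.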
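Review bot: `Remove Wazuh logs configuration` drops the ossec.conf block with `state: absent` but nothing restarts wazuh-manager afterwards, so the manager keeps tailing /var/log/suricata/eve.json until its next restart and the running configuration no longer matches the file; add a `systemd: state: restarted name: wazuh-manager` task after the `blockinfile`. Suricata, which configuration.yaml enables and starts, is also left running and enabled for every later test on the same host; a `systemd: state: stopped enabled: no name: suricata` task here keeps the modules independent. The `marker:` value appears empty here, possibly stripped on rendering; it must match the marker used in configuration.yaml or the block is never found.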
@@ -0,0 +1,9 @@ +- name: Generate a specific web request known to trip NIDS rules + description: Test the detection of threats by monitoring network traffic + configuration_parameters: null + metadata: + rule.id: 86601 + rule.level: 3 + rule.description: "Suricata: Alert - ET POLICY curl User-Agent Outbound" + extra: + data.hostname: testmynids.org diff --git a/tests/end_to_end/test_suricata_integration/test_suricata_integration.py b/tests/end_to_end/test_suricata_integration/test_suricata_integration.py new file mode 100644 index 0000000000..3828df26d1 --- /dev/null +++ b/tests/end_to_end/test_suricata_integration/test_suricata_integration.py 
@@ -0,0 +1,66 @@ +import os +import json +import re +import pytest +from tempfile import gettempdir + +from wazuh_testing import end_to_end as e2e +from wazuh_testing import event_monitor as evm +from wazuh_testing.tools import configuration as config + + +alerts_json = os.path.join(gettempdir(), 'alerts.json') +test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') +test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_suricata_integration.yaml') +configuration_playbooks = ['configuration.yaml'] +events_playbooks = ['generate_events.yaml'] +teardown_playbooks = ['teardown.yaml'] + +configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) + + +@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') +@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) +def test_audit(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): + rule_level = metadata['rule.level'] + rule_description = metadata['rule.description'] + rule_id = metadata['rule.id'] + data_hostname = metadata['extra']['data.hostname'] + timestamp = r'\d{4}-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+' + + expected_alert_json = f"timestamp.+({timestamp}).+level.+{rule_level}.+description" \ + f".+{rule_description}.+id.+{rule_id}.+hostname.+{data_hostname}" + expected_indexed_alert = fr".+hostname\" : \"{data_hostname}.+level.+{rule_level}.+description.+" \ + fr"{rule_description}.+id.+{rule_id}" + import pdb; pdb.set_trace() + + # Check that alert has been raised and save timestamp + raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + error_message='The alert has not occurred').result() + raised_alert_timestamp = raised_alert.group(1) + + query = e2e.make_query([ + { + "term": { + "rule.id": f"{rule_id}" + } + }, + { + "term": { + "rule.description": f"{rule_description}" + } + }, + { + "term": { + 
"timestamp": f"{raised_alert_timestamp}" + } + } + ]) + + # Check if the alert has been indexed and get its data + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + indexed_alert = json.dumps(response.json()) + + # Check that the alert data is the expected one + alert_data = re.search(expected_indexed_alert, indexed_alert) + assert alert_data is not None, 'Alert triggered, but not indexed' From 0efcc86f3448c454e1d2fe282638d69a8f8d5187 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Tue, 26 Jul 2022 10:44:53 -0300 Subject: [PATCH 259/552] fix: debug line removed. #3114 --- .../test_suricata_integration/test_suricata_integration.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tests/end_to_end/test_suricata_integration/test_suricata_integration.py b/tests/end_to_end/test_suricata_integration/test_suricata_integration.py index 3828df26d1..b330a82694 100644 --- a/tests/end_to_end/test_suricata_integration/test_suricata_integration.py +++ b/tests/end_to_end/test_suricata_integration/test_suricata_integration.py @@ -21,7 +21,7 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_audit(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): +def test_suricata_integration(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): rule_level = metadata['rule.level'] rule_description = metadata['rule.description'] rule_id = metadata['rule.id'] 
@@ -32,7 +32,6 @@ def test_audit(configure_environment, metadata, get_dashboard_credentials, gener f".+{rule_description}.+id.+{rule_id}.+hostname.+{data_hostname}" expected_indexed_alert = fr".+hostname\" : \"{data_hostname}.+level.+{rule_level}.+description.+" \ fr"{rule_description}.+id.+{rule_id}" - import pdb; pdb.set_trace() # Check that alert has been raised and save timestamp raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, From e078cb44586ff67e1b4fe277da808e418afbd6a0 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Tue, 26 Jul 2022 11:54:40 -0300 Subject: [PATCH 260/552] add: test structure --- .../data/playbooks/configuration.yaml | 53 +++++++++++++++ .../data/playbooks/generate_events.yaml | 29 ++++++++ .../data/playbooks/teardown.yaml | 0 .../test_cases/cases_windows_defender.yaml | 0 .../test_windows_defender.py | 68 +++++++++++++++++++ 5 files changed, 150 insertions(+) create mode 100644 tests/end_to_end/test_windows_defender/data/playbooks/configuration.yaml create mode 100644 tests/end_to_end/test_windows_defender/data/playbooks/generate_events.yaml create mode 100644 tests/end_to_end/test_windows_defender/data/playbooks/teardown.yaml create mode 100644 tests/end_to_end/test_windows_defender/data/test_cases/cases_windows_defender.yaml create mode 100644 tests/end_to_end/test_windows_defender/test_windows_defender.py diff --git a/tests/end_to_end/test_windows_defender/data/playbooks/configuration.yaml b/tests/end_to_end/test_windows_defender/data/playbooks/configuration.yaml new file mode 100644 index 0000000000..36285a42d6 --- /dev/null +++ b/tests/end_to_end/test_windows_defender/data/playbooks/configuration.yaml 
@@ -0,0 +1,53 @@ +- name: Test agent configuration + hosts: wazuh-windows + tasks: + + - name: Create temp folder + win_file: + path: C:\temp + state: directory + + - name: Copy ossec.conf + ansible.windows.win_copy: + src: C:\Program Files (x86)\ossec-agent\ossec.conf + dest: C:\temp + remote_src: true + + - name: Enable the agent module to collect installed packages (Windows) + ansible.windows.win_shell: | + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`nMicrosoft-Windows-Windows Defender/Operational" + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`neventchannel" + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" + + - name: Restart wazuh-agent (Windows) + ansible.windows.win_shell: | + net stop wazuh + net start wazuh + +- name: Test manager configuration + hosts: wazuh-manager + tasks: + + - name: Configure local rules + become: true + blockinfile: + path: /var/ossec/etc/rules/local_rules.xml + insertafter: + block: | + + + 62100 + ^5001$ + Windows Defender Real-time Protection was disabled. + defender,attack.t1089 + + + marker: + + - name: Restart wazuh-manager + become: true + shell: systemctl restart wazuh-manager + diff --git a/tests/end_to_end/test_windows_defender/data/playbooks/generate_events.yaml b/tests/end_to_end/test_windows_defender/data/playbooks/generate_events.yaml new file mode 100644 index 0000000000..e3016ae087 --- /dev/null +++ b/tests/end_to_end/test_windows_defender/data/playbooks/generate_events.yaml 
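Review bot: The task named `Enable the agent module to collect installed packages (Windows)` actually appends a `Microsoft-Windows-Windows Defender/Operational` eventchannel localfile to ossec.conf; the name looks copied from the vulnerability detector test this module was cloned from (the .py in this commit still references `cases_vulnerability_detector.yaml`) and should read e.g. `Configure Wazuh to collect Windows Defender events`. ossec.conf is copied to C:\temp, but teardown.yaml in this commit is an empty file, so the appended block is never restored and the unconditional `Add-Content` calls stack a new copy on every run; the teardown should copy C:\temp\ossec.conf back and restart the agent, and the manager side should remove the local_rules.xml block the same way. The `insertafter:`/`marker:` values and the tags around the `62100` / `^5001$` rule body appear empty here, possibly stripped on rendering, so that part may be fine in the real file.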
@@ -0,0 +1,29 @@ +- name: Truncate files + hosts: wazuh-manager + tasks: + + - name: Truncate file alert.json + shell: echo "" > /var/ossec/logs/alerts/alerts.json + become: true + +- name: Generate events + hosts: wazuh-windows + tasks: + + - name: Disable Windows Defender + ansible.windows.win_shell: Set-MpPreference -DisableRealtimeMonitoring 1 + +- name: Wait alert + hosts: wazuh-manager + tasks: + + - name: Waiting for vulnerability scan, alert reporting and indexing + wait_for: + timeout: 60 + + - name: Get alerts.json + fetch: + src: /var/ossec/logs/alerts/alerts.json + dest: /tmp/ + flat: true + become: true diff --git a/tests/end_to_end/test_windows_defender/data/playbooks/teardown.yaml b/tests/end_to_end/test_windows_defender/data/playbooks/teardown.yaml new file mode 100644 index 0000000000..e69de29bb2 diff --git a/tests/end_to_end/test_windows_defender/data/test_cases/cases_windows_defender.yaml b/tests/end_to_end/test_windows_defender/data/test_cases/cases_windows_defender.yaml new file mode 100644 index 0000000000..e69de29bb2 diff --git a/tests/end_to_end/test_windows_defender/test_windows_defender.py b/tests/end_to_end/test_windows_defender/test_windows_defender.py new file mode 100644 index 0000000000..ba96a9716c --- /dev/null +++ b/tests/end_to_end/test_windows_defender/test_windows_defender.py 
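Review bot: `Set-MpPreference -DisableRealtimeMonitoring 1` turns off Defender real-time protection on the wazuh-windows host and nothing in this commit turns it back on (teardown.yaml is added empty), so each run leaves the VM unprotected and a second run produces no new event because protection is already off; teardown should run `Set-MpPreference -DisableRealtimeMonitoring 0`, and this play should ensure it is enabled first so the event is generated deterministically. The task name `Waiting for vulnerability scan, alert reporting and indexing` describes the vulnerability detector test this was cloned from; rename it to the Defender event it actually waits for. The fixed `wait_for: timeout: 60` before `fetch` is a race as well; polling the alerts file with `wait_for: path:` and `search_regex:` on the rule id is both faster and more reliable.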
@@ -0,0 +1,68 @@
+import os
+import json
+import re
+import pytest
+from tempfile import gettempdir
+
+from wazuh_testing.tools import configuration as config
+from wazuh_testing import end_to_end as e2e
+from wazuh_testing import event_monitor as evm
+
+# Test cases data
+alerts_json = os.path.join(gettempdir(), 'alerts.json')
+test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data')
+test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_vulnerability_detector.yaml')
+
+# Playbooks
+configuration_playbooks = ['configuration.yaml']
+events_playbooks = ['generate_events.yaml']
+teardown_playbooks = ['teardown.yaml']
+
+# Configuration
+#configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path)
+
+
+@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning')
+#@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids)
+def test_vulnerability_detector(configure_environment, generate_events):
+ """
+ Test to detect a vulnerability
+ """
+ print('HOLAAA')
+ # rule_level = metadata['rule.level']
+ # rule_id = metadata['rule.id']
+ # rule_description = metadata['rule.description']
+
+ # expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)",' \
+ # fr'"rule"\:{{"level"\:{rule_level},' \
+ # fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}'
+
+ # expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \
+ # fr'.*"id": "{rule_id}".*' \
+ # r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*'
+
+ # # Check that alert has been raised and save timestamp
+ # raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json,
+ # error_message='The alert has not occurred').result()
+ # raised_alert_timestamp = raised_alert.group(1)
+
+ # query = e2e.make_query([
+ # {
+ # "term": {
+ # "rule.id": f"{rule_id}"
+ # }
+ # },
+ # {
+ # "term": {
+ #
"timestamp": f"{raised_alert_timestamp}" + # } + # } + # ]) + + # # Check if the alert has been indexed and get its data + # response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + # indexed_alert = json.dumps(response.json()) + + # # Check that the alert data is the expected one + # alert_data = re.search(expected_indexed_alert, indexed_alert) + # assert alert_data is not None, 'Alert triggered, but not indexed' From ed8a4619cf33626e52fad3a22a38531f8e3a35c1 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Tue, 26 Jul 2022 11:58:59 -0300 Subject: [PATCH 261/552] fix --- tests/end_to_end/test_emotet/data/playbooks/configuration.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/test_emotet/data/playbooks/configuration.yaml b/tests/end_to_end/test_emotet/data/playbooks/configuration.yaml index 4190d50297..97198fa09d 100644 --- a/tests/end_to_end/test_emotet/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_emotet/data/playbooks/configuration.yaml @@ -13,7 +13,7 @@ dest: C:\temp remote_src: true - - name: Install sysmon + - name: Download sysmon ansible.windows.win_shell: | Set-Location C:\temp Write-Host "Location set $path" From a0a100ae7101eb33a0505647449094d4f1a34646 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Tue, 26 Jul 2022 12:01:28 -0300 Subject: [PATCH 262/552] fix: deleted line --- tests/end_to_end/test_emotet/test_emotet.py | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/end_to_end/test_emotet/test_emotet.py b/tests/end_to_end/test_emotet/test_emotet.py index 5a7395e3ce..e0f644040c 100644 --- a/tests/end_to_end/test_emotet/test_emotet.py +++ b/tests/end_to_end/test_emotet/test_emotet.py 
@@ -16,7 +16,6 @@ emotet_file_path = os.path.join(test_data_path, 'emotet_file', 'trigger-emotet.exe') sysmon_config = os.path.join(test_data_path, 'sysmon_config', 'sysconfig.xml') configuration_extra_vars = {'emotet_file': emotet_file_path, 'sysmon_config': sysmon_config} - events_playbooks = ['generate_events.yaml'] teardown_playbooks = ['teardown.yaml'] From cac85cfb4c001d2bef7ba6f4210499fa9dd5465b Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Tue, 26 Jul 2022 13:15:34 -0300 Subject: [PATCH 263/552] fix!: regular expressions fixed and linter corrections applied. #3114 --- .../test_suricata_integration.py | 75 ++++++++++--------- 1 file changed, 38 insertions(+), 37 deletions(-) diff --git a/tests/end_to_end/test_suricata_integration/test_suricata_integration.py b/tests/end_to_end/test_suricata_integration/test_suricata_integration.py index b330a82694..3b7e3d2244 100644 --- a/tests/end_to_end/test_suricata_integration/test_suricata_integration.py +++ b/tests/end_to_end/test_suricata_integration/test_suricata_integration.py 
@@ -21,45 +21,46 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_suricata_integration(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): - rule_level = metadata['rule.level'] - rule_description = metadata['rule.description'] - rule_id = metadata['rule.id'] - data_hostname = metadata['extra']['data.hostname'] - timestamp = r'\d{4}-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+' +def test_suricata_integration(configure_environment, metadata, get_dashboard_credentials, generate_events, + clean_alerts_index): + rule_level = metadata['rule.level'] + rule_description = metadata['rule.description'] + rule_id = metadata['rule.id'] + data_hostname = metadata['extra']['data.hostname'] + timestamp = r'\d{4}-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+' - expected_alert_json = f"timestamp.+({timestamp}).+level.+{rule_level}.+description" \ - f".+{rule_description}.+id.+{rule_id}.+hostname.+{data_hostname}" - expected_indexed_alert = fr".+hostname\" : \"{data_hostname}.+level.+{rule_level}.+description.+" \ - fr"{rule_description}.+id.+{rule_id}" + expected_alert_json = fr".*timestamp.+({timestamp}).+level.+{rule_level}.+description.+{rule_description}.+id.+" \ + fr"{rule_id}.+hostname.+{data_hostname}" + expected_indexed_alert = fr".*hostname.*{data_hostname}.+level.+{rule_level}.+description.+" \ + fr"{rule_description}.+id.+{rule_id}" - # Check that alert has been raised and save timestamp - raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - error_message='The alert has not occurred').result() - raised_alert_timestamp = raised_alert.group(1) + # Check that alert has been raised and save timestamp + raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + error_message='The alert has not occurred').result() + raised_alert_timestamp = raised_alert.group(1) - 
query = e2e.make_query([ - { - "term": { - "rule.id": f"{rule_id}" - } - }, - { - "term": { - "rule.description": f"{rule_description}" - } - }, - { - "term": { - "timestamp": f"{raised_alert_timestamp}" - } - } - ]) + query = e2e.make_query([ + { + "term": { + "rule.id": f"{rule_id}" + } + }, + { + "term": { + "rule.description": f"{rule_description}" + } + }, + { + "term": { + "timestamp": f"{raised_alert_timestamp}" + } + } + ]) - # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) - indexed_alert = json.dumps(response.json()) + # Check if the alert has been indexed and get its data + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + indexed_alert = json.dumps(response.json()) - # Check that the alert data is the expected one - alert_data = re.search(expected_indexed_alert, indexed_alert) - assert alert_data is not None, 'Alert triggered, but not indexed' + # Check that the alert data is the expected one + alert_data = re.search(expected_indexed_alert, indexed_alert) + assert alert_data is not None, 'Alert triggered, but not indexed' From 032abf815919fdc6b6e9bfcf1758bfab3b82b16e Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Tue, 26 Jul 2022 13:25:34 -0300 Subject: [PATCH 264/552] docs: Ansible task explanation added. #3114 --- .../test_suricata_integration/data/playbooks/configuration.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/end_to_end/test_suricata_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_suricata_integration/data/playbooks/configuration.yaml index 85532c1284..a195719fe0 100644 --- a/tests/end_to_end/test_suricata_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_suricata_integration/data/playbooks/configuration.yaml 
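Review bot: The timezone class in `timestamp` is `[+|-]`, which also matches a literal `|`; since this commit sets out to fix the regexes it should be `timestamp = r'\d{4}-\d+-\d+T\d+:\d+:\d+\.\d+[+-]\d+'`. The `.*` prefixed to `expected_alert_json` and `expected_indexed_alert` is redundant under `re.search` and only adds backtracking on long JSON lines, and dropping the `\" : \"` anchors around `hostname` means `expected_indexed_alert` now matches the hostname string wherever it occurs in the dumped response, not only in the hostname field. `rule_description` and `data_hostname` are interpolated into the patterns unescaped; that is presumably deliberate (the yara case file in this series writes regex escapes into its description), but a comment on the line saying the metadata values are regex fragments would make it explicit.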
@@ -38,6 +38,8 @@ wget -O /etc/suricata/suricata.yaml http://www.branchnetconsulting.com/wazuh/suricata.yaml when: '"suricata" not in check_suricata.stdout' + # Get the default interface from the Suricata configuration and replace it with the first interface obtained from + # the output of the nmcli command - name: Change the default interface shell: sed -i "s/eth0/$(nmcli device status | awk 'NR==2 {print $1}')/g" /etc/sysconfig/suricata when: '"suricata" not in check_suricata.stdout' From d46db55f640391a9c0c1eb995083d93612ffd54d Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Tue, 26 Jul 2022 13:40:48 -0300 Subject: [PATCH 265/552] fix: linter corrections applied. #3114 --- .../data/playbooks/configuration.yaml | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/tests/end_to_end/test_suricata_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_suricata_integration/data/playbooks/configuration.yaml index a195719fe0..e43ea72cf6 100644 --- a/tests/end_to_end/test_suricata_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_suricata_integration/data/playbooks/configuration.yaml @@ -8,11 +8,10 @@ register: check_suricata - name: Download Suricata repo and install dependencies - shell: | - cd /etc/yum.repos.d - yum -y install epel-release wget jq - curl -O https://copr.fedorainfracloud.org/coprs/jasonish/suricata-6.0-testing/repo/epel-7/jasonish-suricata-6.0-testing-epel-7.repo - cd ~ + shell: > + cd /etc/yum.repos.d && yum -y install epel-release wget jq && + curl -O https://copr.fedorainfracloud.org/coprs/jasonish/suricata-6.0-testing/repo/epel-7/ + jasonish-suricata-6.0-testing-epel-7.repo && cd ~ when: '"suricata" not in check_suricata.stdout' - name: Upgrade all packages, excluding kernel related packages @@ -46,8 +45,8 @@ - name: Start Suricata systemd: - daemon_reload: yes - enabled: yes + daemon_reload: true + enabled: true state: started name: suricata 
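Review bot: The folded block (`shell: >`) in the `Download Suricata repo and install dependencies` task joins its lines with a space, so the URL split across two lines reaches curl as two arguments, `.../epel-7/` and `jasonish-suricata-6.0-testing-epel-7.repo`, and the repo file is never saved under /etc/yum.repos.d; keep the URL on one line: `curl -O https://copr.fedorainfracloud.org/coprs/jasonish/suricata-6.0-testing/repo/epel-7/jasonish-suricata-6.0-testing-epel-7.repo && cd ~`. If a line-length linter is the reason for the split, a `|` literal block with one command per line, or a `url` variable, satisfies it without changing the command. The `&&` chain is an improvement over the old `|` block, where a failed curl was ignored.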
From 8065c8d7d8fdf88894f48525080d4cd6aa301b95 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Tue, 26 Jul 2022 13:57:32 -0300 Subject: [PATCH 266/552] fix: assert replaced by elif statement. #3085 --- .../wazuh_testing/end_to_end/__init__.py | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py b/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py index ce505d7279..a1622b2979 100644 --- a/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py +++ b/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py @@ -27,11 +27,11 @@ def get_alert_indexer_api(query, credentials, ip_address='wazuh-manager', index= response = requests.get(url=url, params={'pretty': 'true'}, json=query, verify=False, auth=requests.auth.HTTPBasicAuth(credentials['user'], credentials['password'])) + if '"hits" : [ ]' in response.text: raise Exception('Alert not indexed') - else: - assert response.status_code == HTTPStatus.OK, "The request wasn't successful. " \ - f"Actual response: {response.text}" + elif response.status_code != HTTPStatus.OK: + raise Exception(f"The request wasn't successful.\nActual response: {response.text}") return response @@ -54,8 +54,10 @@ def delete_index_api(credentials, ip_address='wazuh-manager', index='wazuh-alert authorization = requests.auth.HTTPBasicAuth(credentials['user'], credentials['password']) response = requests.delete(url=url+index, params={'pretty': 'true'}, verify=False, auth=authorization) - assert response.status_code == HTTPStatus.OK, 'The index(es) have not been deleted successfully. ' \ - f"Actual response {response.text}" + + if response.status_code != HTTPStatus.OK: + raise Exception(f"The index(es) have not been deleted successfully. Actual response {response.text}") + return response From 97856db79c96c1a2e48e3b6bc73580f4b559cc07 Mon Sep 17 00:00:00 2001 
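Review bot: In `get_alert_indexer_api` the new `elif` checks the status code only after the `'"hits" : [ ]'` substring test, so the function's first question to an error response is whether its body contains pretty-printed empty hits; checking `response.status_code != HTTPStatus.OK` first and the empty-hits case second reads as the intended order, and the substring test itself depends on the `params={'pretty': 'true'}` formatting visible in the context. Both branches, and the new check in `delete_index_api` in the second hunk, raise bare `Exception`, so a caller cannot tell "not indexed" from a transport or auth failure; a small module exception class with the response text attached would. The request is made with `verify=False` (unchanged context), which deserves a one-line comment stating why certificate verification is off for the test indexer.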
From: Mauro Malara Date: Tue, 26 Jul 2022 15:36:32 -0300 Subject: [PATCH 267/552] fix: corrections applied. #3085 --- .../data/configuration/malware_downloader.sh | 21 ------------------- .../data/playbooks/configuration.yaml | 6 +++--- .../data/playbooks/generate_events.yaml | 6 +++++- .../test_cases/cases_yara_integration.yaml | 2 +- .../test_yara_integration.py | 7 +------ 5 files changed, 10 insertions(+), 32 deletions(-) delete mode 100644 tests/end_to_end/test_yara_integration/data/configuration/malware_downloader.sh diff --git a/tests/end_to_end/test_yara_integration/data/configuration/malware_downloader.sh b/tests/end_to_end/test_yara_integration/data/configuration/malware_downloader.sh deleted file mode 100644 index 4b7b8fb6d1..0000000000 --- a/tests/end_to_end/test_yara_integration/data/configuration/malware_downloader.sh +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# Wazuh - Malware Downloader for test purposes -# Copyright (C) 2015-2022, Wazuh Inc. -# -# This program is free software; you can redistribute it -# and/or modify it under the terms of the GNU General Public -# License (version 2) as published by the FSF - Free Software -# Foundation. - -function fetch_sample(){ - - curl -s -XGET "$1" -o "$2" - -} - -echo -# Mirai -echo "# Mirai: https://en.wikipedia.org/wiki/Mirai_(malware)" -echo "Downloading malware sample..." -fetch_sample "https://wazuh-demo.s3-us-west-1.amazonaws.com/mirai" "/tmp/yara/malware/mirai" && echo "Done!" || echo "Error while downloading." -echo diff --git a/tests/end_to_end/test_yara_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_yara_integration/data/playbooks/configuration.yaml index 5e673c7aa8..7d2dbcffcd 100644 --- a/tests/end_to_end/test_yara_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_yara_integration/data/playbooks/configuration.yaml 
@@ -104,7 +104,7 @@ name: - epel-release state: present - when: ( ansible_facts['distribution'] == "CentOS" and "epel" not in check_epel_release.stdout) + when: '"epel" not in check_epel_release.stdout' - name: Check if yara is installed shell: rpm -qa yara @@ -115,7 +115,7 @@ name: - yara state: present - when: ( ansible_facts['distribution'] == "CentOS" and "yara" not in check_yara.stdout) + when: '"yara" not in check_yara.stdout' - name: Create a directory to store malware file: @@ -139,4 +139,4 @@ name: - jq state: present - when: ( ansible_facts['distribution'] == "CentOS" and "jq" not in check_jq.stdout) + when: '"jq" not in check_jq.stdout' diff --git a/tests/end_to_end/test_yara_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_yara_integration/data/playbooks/generate_events.yaml index 36e2085d30..b4f944a641 100644 --- a/tests/end_to_end/test_yara_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_yara_integration/data/playbooks/generate_events.yaml @@ -8,8 +8,12 @@ - name: Truncate alerts file shell: echo "" > {{ alerts_path }} + - name: Wait until the server is ready + wait_for: + timeout: 5 + - name: Download malware - script: "{{ MALWARE_DOWNLOADER_SCRIPT }}" + shell: curl -s -XGET {{ url }} -o "/tmp/yara/malware/mirai" - name: Wait for alerts to be generated wait_for: diff --git a/tests/end_to_end/test_yara_integration/data/test_cases/cases_yara_integration.yaml b/tests/end_to_end/test_yara_integration/data/test_cases/cases_yara_integration.yaml index 5d3f46abb3..b65f9bf17e 100644 --- a/tests/end_to_end/test_yara_integration/data/test_cases/cases_yara_integration.yaml +++ b/tests/end_to_end/test_yara_integration/data/test_cases/cases_yara_integration.yaml 
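Review bot: `shell: curl -s -XGET {{ url }} -o "/tmp/yara/malware/mirai"` in the `Download malware` task runs silent without `-f`, so an HTTP error page is written to the sample path and the task still succeeds, and the failure only surfaces later as a timeout in the alert check; use `shell: curl -sf "{{ url }}" -o "/tmp/yara/malware/mirai"` (`-XGET` is the default) so the task fails at the download. The new `Wait until the server is ready` task is a fixed 5 s `wait_for` with no condition; if there is something observable to wait on (a log line, a port), `wait_for` can take it as `search_regex` or `port`. The three `when:` changes in configuration.yaml drop the CentOS guard, which is fine as long as the yum-based tasks only ever run on RPM hosts.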
@@ -3,7 +3,7 @@ configuration_parameters: null metadata: extra_vars: - MALWARE_DOWNLOADER_SCRIPT: CUSTOM_MALWARE_SCRIPT_PATH + url: https://wazuh-demo.s3-us-west-1.amazonaws.com/mirai rule.id: 108001 rule.level: 12 rule.description: 'File \\"/tmp/yara/malware/mirai\\" is a positive match. Yara rule: Mirai_Botnet_Malware_RID2EF6' diff --git a/tests/end_to_end/test_yara_integration/test_yara_integration.py b/tests/end_to_end/test_yara_integration/test_yara_integration.py index 10bebdff18..75c9f44476 100644 --- a/tests/end_to_end/test_yara_integration/test_yara_integration.py +++ b/tests/end_to_end/test_yara_integration/test_yara_integration.py @@ -24,11 +24,6 @@ # Custom paths yara_script = os.path.join(test_data_path, 'configuration', 'yara.sh') -malware_downloader_script = os.path.join(test_data_path, 'configuration', 'malware_downloader.sh') - -# Update configuration with custom paths -configuration_metadata = config.update_configuration_template(configuration_metadata, ['CUSTOM_MALWARE_SCRIPT_PATH'], - [malware_downloader_script]) configuration_extra_vars = {'yara_script': yara_script} @@ -50,7 +45,7 @@ def test_yara_integration(configure_environment, metadata, get_dashboard_credent # Check that alert has been raised and save timestamp raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - error_message='The alert has not occurred').result() + timeout=1, error_message='The alert has not occurred').result() raised_alert_timestamp = raised_alert.group(1) query = e2e.make_query([ From a495c913a35476caf997578d7d3d60bf1b49cb5f Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Tue, 26 Jul 2022 15:58:15 -0300 Subject: [PATCH 268/552] fix: added process name in regex --- .../test_emotet/data/test_cases/cases_emotet.yaml | 1 + tests/end_to_end/test_emotet/test_emotet.py | 6 ++++-- 2 files changed, 5 insertions(+), 2 deletions(-) 
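Review bot: `timeout=1` passed to `evm.check_event` in `test_yara_integration` is a magic number on the one call that decides the test; a module-level constant next to the other paths at the top of the file names the choice and gives one place to tune it. One second looks tight for a file monitor even on an already-fetched file, and the 5 s used by the `wait_for` tasks in the playbooks suggests the value was not measured. Removing the `update_configuration_template` call may leave the `config` import unused; the import block is outside this hunk.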
diff --git a/tests/end_to_end/test_emotet/data/test_cases/cases_emotet.yaml b/tests/end_to_end/test_emotet/data/test_cases/cases_emotet.yaml index 1131605adf..cc5a5abd6f 100644 --- a/tests/end_to_end/test_emotet/data/test_cases/cases_emotet.yaml +++ b/tests/end_to_end/test_emotet/data/test_cases/cases_emotet.yaml @@ -6,3 +6,4 @@ rule.level: 12 rule.description: Binary loaded PowerShell automation library - Possible unmanaged Powershell execution by suspicious process + process: trigger-emotet.exe diff --git a/tests/end_to_end/test_emotet/test_emotet.py b/tests/end_to_end/test_emotet/test_emotet.py index e0f644040c..fc695288b2 100644 --- a/tests/end_to_end/test_emotet/test_emotet.py +++ b/tests/end_to_end/test_emotet/test_emotet.py @@ -33,13 +33,15 @@ def test_emotet(configure_environment, metadata, get_dashboard_credentials, gene rule_level = metadata['rule.level'] rule_id = metadata['rule.id'] rule_description = metadata['rule.description'] + process = metadata['process'] expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)",' \ fr'"rule"\:{{"level"\:{rule_level},' \ - fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' + fr'"description"\:"{rule_description}","id"\:"{rule_id}".*' \ + fr'"full_log"\:.*{process}.*\}}' expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \ - fr'.*"id": "{rule_id}".*' \ + fr'.*"id": "{rule_id}".*"full_log":.*{process}.*' \ r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' # Check that alert has been raised and save timestamp From b53027d8a167d9b26ac44ca2b2fe5c40c3abb752 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Tue, 26 Jul 2022 16:06:29 -0300 Subject: [PATCH 269/552] fix: timeout fixed. #3085 --- .../test_yara_integration/data/playbooks/generate_events.yaml | 2 +- tests/end_to_end/test_yara_integration/test_yara_integration.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
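Review bot: `process` from the case metadata is interpolated into both regexes unescaped (`fr'"full_log"\:.*{process}.*\}}'` and `fr'.*"id": "{rule_id}".*"full_log":.*{process}.*'`), so the `.` in `trigger-emotet.exe` is a wildcard; unlike `rule.description`, this is a plain filename, so `{re.escape(process)}` is the right form, assuming `re` is imported as in the sibling tests. The new `process:` key in cases_emotet.yaml sits at the same level as the `rule.*` keys; a short comment in the case file saying it must match the executable name in `full_log` would help the next case author.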
diff --git a/tests/end_to_end/test_yara_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_yara_integration/data/playbooks/generate_events.yaml index b4f944a641..50119374dd 100644 --- a/tests/end_to_end/test_yara_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_yara_integration/data/playbooks/generate_events.yaml @@ -10,7 +10,7 @@ - name: Wait until the server is ready wait_for: - timeout: 5 + timeout: 10 - name: Download malware shell: curl -s -XGET {{ url }} -o "/tmp/yara/malware/mirai" diff --git a/tests/end_to_end/test_yara_integration/test_yara_integration.py b/tests/end_to_end/test_yara_integration/test_yara_integration.py index 75c9f44476..2c8d27d961 100644 --- a/tests/end_to_end/test_yara_integration/test_yara_integration.py +++ b/tests/end_to_end/test_yara_integration/test_yara_integration.py @@ -45,7 +45,7 @@ def test_yara_integration(configure_environment, metadata, get_dashboard_credent # Check that alert has been raised and save timestamp raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - timeout=1, error_message='The alert has not occurred').result() + timeout=5, error_message='The alert has not occurred').result() raised_alert_timestamp = raised_alert.group(1) query = e2e.make_query([ From 409cb89845dedc71a818855d52c272755e703088 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Tue, 26 Jul 2022 16:27:56 -0300 Subject: [PATCH 270/552] add: generate events yaml --- .../data/playbooks/generate_events.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/end_to_end/test_windows_defender/data/playbooks/generate_events.yaml b/tests/end_to_end/test_windows_defender/data/playbooks/generate_events.yaml index e3016ae087..622c79ea24 100644 --- a/tests/end_to_end/test_windows_defender/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_windows_defender/data/playbooks/generate_events.yaml 
@@ -10,16 +10,16 @@ hosts: wazuh-windows tasks: - - name: Disable Windows Defender - ansible.windows.win_shell: Set-MpPreference -DisableRealtimeMonitoring 1 + - name: "{{ event_description }}" + ansible.windows.win_shell: "{{ command }}" - name: Wait alert hosts: wazuh-manager tasks: - - name: Waiting for vulnerability scan, alert reporting and indexing + - name: Waiting for alert wait_for: - timeout: 60 + timeout: 5 - name: Get alerts.json fetch: From 0282807fb11e6db77f5cdfe4d0975d9b96b0f6e8 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Tue, 26 Jul 2022 16:28:18 -0300 Subject: [PATCH 271/552] add: teardown yaml --- .../data/playbooks/teardown.yaml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/tests/end_to_end/test_windows_defender/data/playbooks/teardown.yaml b/tests/end_to_end/test_windows_defender/data/playbooks/teardown.yaml index e69de29bb2..545714f280 100644 --- a/tests/end_to_end/test_windows_defender/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_windows_defender/data/playbooks/teardown.yaml @@ -0,0 +1,22 @@ +- name: Cleanup environment + hosts: wazuh-windows + tasks: + + - name: Restore ossec.conf without changes + ansible.windows.win_copy: + src: C:\temp\ossec.conf + dest: C:\Program Files (x86)\ossec-agent + remote_src: true + + - name: Delete C:\temp folder + ansible.windows.win_file: + path: C:\temp + state: absent + + - name: Enable Windows Defender + ansible.windows.win_shell: set-MpPreference -DisableRealtimeMonitoring $False + + - name: Restart wazuh-agent (Windows) + ansible.windows.win_shell: | + net stop wazuh + net start wazuh From 74f50fb97e13658c433ade112e0a90af982fb19b Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Tue, 26 Jul 2022 18:19:57 -0300 Subject: [PATCH 272/552] fix: corrections applied. #3079 --- .../configuration/aws_cloudtrail_event.py | 35 ++++++++++++++----- .../data/playbooks/generate_events.yaml | 8 ++--- 2 files changed, 30 insertions(+), 13 deletions(-) 
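Review bot: `Waiting for alert` in generate_events.yaml is a fixed `wait_for: timeout: 5` with no condition, cut down from 60 s; a `wait_for` with `path: /var/ossec/logs/alerts/alerts.json` and a `search_regex` built from the case metadata, as the AWS playbook in this series does, returns as soon as the alert lands and fails with a clear message when it does not. `ansible.windows.win_shell: "{{ command }}"` now executes whatever the case file supplies; that is the intended parametrisation, but a comment in cases_windows_defender.yaml stating that `command` is run verbatim on the Windows host would make it explicit. The teardown in the second hunk re-enables real-time protection unconditionally, which is the right default.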
diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/data/configuration/aws_cloudtrail_event.py b/tests/end_to_end/test_aws_infrastructure_monitoring/data/configuration/aws_cloudtrail_event.py index 675c1d9411..fbca399b68 100644 --- a/tests/end_to_end/test_aws_infrastructure_monitoring/data/configuration/aws_cloudtrail_event.py +++ b/tests/end_to_end/test_aws_infrastructure_monitoring/data/configuration/aws_cloudtrail_event.py @@ -1,10 +1,14 @@ #!/usr/bin/python3 import argparse -from datetime import datetime +from datetime import datetime, timedelta +from time import sleep import boto3 +# Hide deprecation warning for python<=3.6 +boto3.compat.filter_python_deprecation_warnings() + formats = ['%a, %d %b %Y %H:%M:%S %Z', '%Y-%m-%dT%H:%M:%SZ'] 
@@ -24,28 +28,41 @@ def get_parameters(): return arguments -def create_bucket(access_key_id, secret_access_key): - """ Create an S3 bucket in the default region (us-east-1) +def create_bucket(client): + """Create an S3 bucket in the default region (us-east-1) Args: access_key_id (str): AWS access key ID secret_access_key (str): AWS secret access key """ - client = boto3.client('s3', aws_access_key_id=access_key_id, aws_secret_access_key=secret_access_key) response = client.create_bucket(Bucket='delete-this-dummy-bucket') response_date = response['ResponseMetadata']['HTTPHeaders']['date'] # The format of the request datetieme is changed here to match the timestamp of the AWS event in the alerts.json log - request_datetime = datetime.strptime(response_date, formats[0]) - # The last 3 characters are removed due to the difference with the server in seconds. - # e.g: 2022-07-20T15:41:05Z --> 2022-07-20T15:41: - datetime_str = request_datetime.strftime(formats[1])[:-3] + # 1 second is substracted to avoid the difference with the server time + request_datetime = datetime.strptime(response_date, formats[0]) - timedelta(seconds=1) + datetime_str = request_datetime.strftime(formats[1]) # Print the formatted time from the request because Ansible will pick it up from the standard output print(datetime_str) +def delete_bucket(client): + """Delete an S3 bucket in the default region (us-east-1) + + Args: + access_key_id (str): AWS access key ID + secret_access_key (str): AWS secret access key + """ + client.delete_bucket(Bucket='delete-this-dummy-bucket') + + def main(): parameters = get_parameters() - create_bucket(parameters.aws_access_key_id, parameters.aws_secret_access_key) + client = boto3.client('s3', aws_access_key_id=parameters.aws_access_key_id, + aws_secret_access_key=parameters.aws_secret_access_key) + create_bucket(client) + # Wait for the event to be generated in AWS + sleep(10) + delete_bucket(client) if __name__ == '__main__': 
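Review bot: The docstrings of `create_bucket(client)` and the new `delete_bucket(client)` still document `access_key_id` and `secret_access_key`, which are no longer parameters; both should describe the single argument, e.g. `Args: client: boto3 S3 client used for the request`, and `delete_bucket` could add that it removes the bucket created by `create_bucket`. `sleep(10)` in `main` has a comment but no name; a module constant next to `formats` keeps the wait tunable in one place. The comment `# 1 second is substracted` has a typo (`subtracted`).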
diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml b/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml index ba9c9cacb5..081b3b96d7 100644 --- a/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml @@ -1,12 +1,12 @@ - name: Generate events hosts: wazuh-manager vars: - alerts_log: /var/ossec/logs/alerts/alerts.json + alerts_path: /var/ossec/logs/alerts/alerts.json become: true tasks: - name: Truncate alerts file - shell: echo "" > {{ alerts_log }} + shell: echo "" > {{ alerts_path }} # Create a bucket using the AWS API - name: Run the script using python3 (create S3 bucket) @@ -15,7 +15,7 @@ - name: Wait for the alert to be generated wait_for: - path: "{{ alerts_log }}" + path: "{{ alerts_path }}" search_regex: "{{ time.stdout_lines[0] }}.*{{ event_name }}" # Waiting 8 minutes, because that is the time for Cloudtrail to deliver the logs to the S3 bucket. timeout: 480 @@ -26,6 +26,6 @@ - name: Get alerts.json fetch: - src: "{{ alerts_log }}" + src: "{{ alerts_path }}" dest: /tmp/ flat: true From 31cd9657174227c3a2f0fb2a853e52a238a62d90 Mon Sep 17 00:00:00 2001 
From: Julia Date: Wed, 27 Jul 2022 12:58:44 +0200 Subject: [PATCH 273/552] add: Add new E2E test for FIM events --- .../data/playbooks/configuration.yaml | 61 ++++++++++++ .../data/playbooks/generate_events.yaml | 42 +++++++++ .../test_fim/data/playbooks/teardown.yaml | 44 +++++++++ .../test_fim/data/test_cases/cases_fim.yaml | 92 +++++++++++++++++++ tests/end_to_end/test_fim/test_fim.py | 63 +++++++++++++ 5 files changed, 302 insertions(+) create mode 100644 tests/end_to_end/test_fim/data/playbooks/configuration.yaml create mode 100644 tests/end_to_end/test_fim/data/playbooks/generate_events.yaml create mode 100644 tests/end_to_end/test_fim/data/playbooks/teardown.yaml create mode 100644 tests/end_to_end/test_fim/data/test_cases/cases_fim.yaml create mode 100644 tests/end_to_end/test_fim/test_fim.py diff --git a/tests/end_to_end/test_fim/data/playbooks/configuration.yaml b/tests/end_to_end/test_fim/data/playbooks/configuration.yaml new file mode 100644 index 0000000000..8c3e8df1ed --- /dev/null +++ b/tests/end_to_end/test_fim/data/playbooks/configuration.yaml 
@@ -0,0 +1,61 @@
+---
+- name: Test case configuration
+ hosts: agents
+ tasks:
+
+ - name: Create directory to monitor (Linux)
+ become: True
+ file:
+ path: /tmp/test_demo_fim
+ state: directory
+ when: ansible_facts['system'] == "Linux"
+
+ - name: Add directory to syscheck configuration (Linux)
+ become: True
+ blockinfile:
+ path: /var/ossec/etc/ossec.conf
+ insertafter:
+ block: |
+ /tmp/test_demo_fim
+ marker:
+ when: ansible_facts['system'] == "Linux"
+
+ - name: Restart Wazuh (Linux)
+ become: True
+ systemd:
+ name: wazuh-agent
+ state: restarted
+ when: ansible_facts['system'] == "Linux"
+
+ - name: Create directory to monitor (Windows)
+ win_file:
+ path: C:\Test\test_demo_fim
+ state: directory
+ when: ansible_facts['os_family'] == "Windows"
+
+ - name: Add directory to syscheck configuration (Windows)
+ win_lineinfile:
+ path: C:\Program Files (x86)\ossec-agent\ossec.conf
+ insertafter:
+ line: |
+ C:\\Test\\test_demo_fim
+ when: ansible_facts['os_family'] == "Windows"
+
+ - name: Truncate ossec.log
+ win_file:
+ path: C:\Program Files (x86)\ossec-agent\ossec.log
+ state: absent
+ when: ansible_facts['os_family'] == "Windows"
+
+ - name: Restart Wazuh (Windows)
+ win_shell: |
+ net stop wazuh
+ net start wazuh
+ when: ansible_facts['os_family'] == "Windows"
+
+ - name: Wait for whodata start
+ win_wait_for:
+ path: C:\Program Files (x86)\ossec-agent\ossec.log
+ search_regex: File integrity monitoring real-time Whodata engine started.
+ timeout: 20
+ when: ansible_facts['os_family'] == "Windows"
diff --git a/tests/end_to_end/test_fim/data/playbooks/generate_events.yaml b/tests/end_to_end/test_fim/data/playbooks/generate_events.yaml
new file mode 100644
index 0000000000..4ddc7c0196
--- /dev/null
+++ b/tests/end_to_end/test_fim/data/playbooks/generate_events.yaml
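Review bot: The `Truncate ossec.log` task does not truncate: `win_file` with `state: absent` deletes the file while the agent is still running, which on Windows may fail on an open handle; either rename the task to match what it does (`Delete ossec.log`) or clear the log after `net stop wazuh`, e.g. `win_shell: Clear-Content 'C:\Program Files (x86)\ossec-agent\ossec.log'`, and start the service afterwards. The `win_wait_for` that follows relies on the log being recreated by the restart, which is worth a comment on that task. `insertafter:` and `marker:` have no value in this rendering, presumably stripped, so the anchor the block is inserted after could not be checked; `become: True` here versus `become: true` elsewhere in the series is a consistency nit.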
@@ -0,0 +1,42 @@ +- name: Clean alerts file + hosts: wazuh-manager + tasks: + + - name: Truncate file + shell: echo "" > /var/ossec/logs/alerts/alerts.json + become: True + +- name: Generate events + hosts: agents + vars: + os: "{{ os }}" + tasks: + + - name: "{{ event_description }}" + become: True + file: + path: "{{ path }}" + state: "{{ state }}" + mode: "{{ mode }}" + when: os == "Linux" + + - name: "{{ event_description }}" + win_file: + path: "{{ path }}" + state: "{{ state }}" + when: os == ansible_facts['os_family'] + +- name: Get alerts + hosts: wazuh-manager + tasks: + + - name: Wait for alert to be generated + wait_for: + timeout: 5 + + - name: Get alerts.json + fetch: + src: /var/ossec/logs/alerts/alerts.json + dest: /tmp/ + flat: true + become: true diff --git a/tests/end_to_end/test_fim/data/playbooks/teardown.yaml b/tests/end_to_end/test_fim/data/playbooks/teardown.yaml new file mode 100644 index 0000000000..584f20e9c3 --- /dev/null +++ b/tests/end_to_end/test_fim/data/playbooks/teardown.yaml @@ -0,0 +1,44 @@ +--- +- name: Cleanup Linux agent environment + hosts: wazuh-agent + become: True + tasks: + + - name: Delete syscheck configuration + blockinfile: + path: /var/ossec/etc/ossec.conf + marker: + block: '' + + - name: Delete folder + file: + path: /tmp/test_demo_fim + state: absent + + - name: Restart wazuh-agent + systemd: + state: restarted + name: wazuh-agent + +- name: Cleanup Windows agent environment + hosts: wazuh-windows + tasks: + + - name: Delete syscheck configuration + win_lineinfile: + path: C:\Program Files (x86)\ossec-agent\ossec.conf + regex: C\:\\\\Test\\\\test_demo_fim + state: absent + when: ansible_facts['os_family'] == "Windows" + + - name: Delete directory to monitor (Windows) + win_file: + path: C:\Test + state: absent + when: ansible_facts['os_family'] == "Windows" + + - name: Restart Wazuh (Windows) + win_shell: | + net stop wazuh + net start wazuh + when: ansible_facts['os_family'] == "Windows" 
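Review bot: The `fetch` task in the `Get alerts` play writes `alerts.json` into the controller's shared `/tmp/` with `flat: true`, so the alert content is readable by every local user on the controller and a stale copy from a previous run is silently reused when the fetch fails; the Slack module's generate_events.yaml in this series does the same. A per-run directory created with `ansible.builtin.tempfile` (or a `dest` under the test's own data directory) keeps the artifact private and fails loudly when nothing was fetched, though test_fim.py reads `gettempdir()/alerts.json`, so both sides would have to change together. `Wait for alert to be generated` is a fixed `wait_for: timeout: 5` sleep; a `wait_for` with `path` and `search_regex` on the alerts file (the rule id is already available as an extra var) would make the wait deterministic instead of timing-dependent.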
diff --git a/tests/end_to_end/test_fim/data/test_cases/cases_fim.yaml b/tests/end_to_end/test_fim/data/test_cases/cases_fim.yaml new file mode 100644 index 0000000000..aa44555b74 --- /dev/null +++ b/tests/end_to_end/test_fim/data/test_cases/cases_fim.yaml 
@@ -0,0 +1,92 @@ +- name: create_file_linux + description: Create a file and check generated alerts + configuration_parameters: null + metadata: + extra_vars: + os: Linux + event_description: Create a file into the monitored folder + path: /tmp/test_demo_fim/monitored_file.txt + state: touch + mode: 0755 + rule.id: 554 + rule.level: 5 + rule.description: File added to the system\. + extra: + syscheck.path: \/tmp\/test_demo_fim\/monitored_file\.txt + +- name: modify_file_linux + description: Modify a file and check generated alerts + configuration_parameters: null + metadata: + extra_vars: + os: Linux + event_description: Modify a file from the monitored folder + path: /tmp/test_demo_fim/monitored_file.txt + state: file + mode: 0750 + rule.id: 550 + rule.level: 7 + rule.description: Integrity checksum changed\. + extra: + syscheck.path: \/tmp\/test_demo_fim\/monitored_file\.txt + +- name: delete_file_linux + description: Delete a file and check generated alerts + configuration_parameters: null + metadata: + extra_vars: + os: Linux + event_description: Delete a file from the monitored folder + path: /tmp/test_demo_fim/monitored_file.txt + state: absent + mode: 0755 + rule.id: 553 + rule.level: 7 + rule.description: File deleted\. + extra: + syscheck.path: \/tmp\/test_demo_fim\/monitored_file\.txt + +- name: create_file_windows + description: Create a file and check generated alerts + configuration_parameters: null + metadata: + extra_vars: + os: Windows + event_description: Create a file into the monitored folder + path: C:\Test\test_demo_fim\monitored_file.txt + state: touch + rule.id: 554 + rule.level: 5 + rule.description: File added to the system\. 
+ extra: + syscheck.path: c:\\\\test\\\\test_demo_fim\\\\monitored_file.txt + +- name: modify_file_windows + description: Modify a file and check generated alerts + configuration_parameters: null + metadata: + extra_vars: + os: Windows + event_description: Modify a file from the monitored folder + path: C:\Test\test_demo_fim\monitored_file.txt + state: touch + rule.id: 550 + rule.level: 7 + rule.description: Integrity checksum changed\. + extra: + syscheck.path: c:\\\\test\\\\test_demo_fim\\\\monitored_file.txt + +- name: delete_file_windows + description: Delete a file and check generated alerts + configuration_parameters: null + metadata: + extra_vars: + os: Windows + event_description: Delete a file from the monitored folder + path: C:\Test\test_demo_fim\monitored_file.txt + state: absent + rule.id: 553 + rule.level: 7 + rule.description: File deleted\. + extra: + syscheck.path: c:\\\\test\\\\test_demo_fim\\\\monitored_file.txt diff --git a/tests/end_to_end/test_fim/test_fim.py b/tests/end_to_end/test_fim/test_fim.py new file mode 100644 index 0000000000..d46bb6dd33 --- /dev/null +++ b/tests/end_to_end/test_fim/test_fim.py 
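Review bot: `mode: 0755` and `mode: 0750` are unquoted, so a YAML 1.1 loader such as PyYAML reads them as the octal integers 493 and 488; after they pass through extra vars and are rendered by `mode: "{{ mode }}"` in generate_events.yaml the file module receives the string `493`, which is neither a valid octal nor a symbolic mode (hedged: this depends on whether `config.get_test_cases_data` and the ansible_runner extravars path keep the value as an int). Quoting the values, `mode: "0755"`, delivers the intended octal string to the file module. The Windows cases omit `mode`, which is consistent with the `when: os == "Linux"` guard on the only task that uses it.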
@@ -0,0 +1,63 @@ +import os +import json +import re +import pytest +from tempfile import gettempdir + +from wazuh_testing import end_to_end as e2e +from wazuh_testing import event_monitor as evm +from wazuh_testing.tools import configuration as config + +alerts_json = os.path.join(gettempdir(), 'alerts.json') +test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') +test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_fim.yaml') +configuration_playbooks = ['configuration.yaml'] +events_playbooks = ['generate_events.yaml'] +teardown_playbooks = ['teardown.yaml'] + +configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) + + +@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') +@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) +def test_fim(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): + """ + Test to scanning a file using FIM + """ + rule_id = metadata['rule.id'] + rule_level = metadata['rule.level'] + rule_description = metadata['rule.description'] + syscheck_path = metadata['extra']['syscheck.path'] + + expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule":{{"level":{rule_level},' \ + fr'"description":"{rule_description}","id":"{rule_id}".*"syscheck":{{"path":' \ + fr'"{syscheck_path}".*\}}' + + expected_indexed_alert = fr'.*"path": "{syscheck_path}".*"rule":.*"level": {rule_level},.*"description": ' \ + fr'"{rule_description}".*"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' + + # Check that alert has been raised and save timestamp + raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + error_message='The alert has not occurred').result() + raised_alert_timestamp = raised_alert.group(1) + + query = e2e.make_query([ + { + "term": { + "rule.id": f"{rule_id}" + } + }, + { + "term": { + 
"timestamp": f"{raised_alert_timestamp}" + } + } + ]) + + # Check if the alert has been indexed and get its data + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + indexed_alert = json.dumps(response.json()) + + # Check that the alert data is the expected one + alert_data = re.search(expected_indexed_alert, indexed_alert) + assert alert_data is not None, 'Alert triggered, but not indexed' From 5564074a56ca5172d43b3f2c2641f91b136adb36 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Wed, 27 Jul 2022 16:32:43 -0300 Subject: [PATCH 274/552] refac: the way the API script generates the event was changed. #3079 --- tests/end_to_end/conftest.py | 5 ++ .../configuration/aws_cloudtrail_event.py | 48 ++++--------------- .../data/playbooks/generate_events.yaml | 5 +- .../data/playbooks/teardown.yaml | 8 ++++ .../cases_aws_infrastructure_monitoring.yaml | 1 + .../test_aws_infrastructure_monitoring.py | 2 + 6 files changed, 28 insertions(+), 41 deletions(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 4cdfadf631..c1d6fe70c5 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -83,6 +83,11 @@ def configure_environment(request): parameters = {'playbook': teardown_playbook_path, 'inventory': inventory_playbook} + # Check if the module has extra variables to pass to the playbook + configuration_extra_vars = getattr(request.module, 'configuration_extra_vars', None) + if configuration_extra_vars is not None: + parameters.update({'extravars': configuration_extra_vars}) + ansible_runner.run(**parameters) diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/data/configuration/aws_cloudtrail_event.py b/tests/end_to_end/test_aws_infrastructure_monitoring/data/configuration/aws_cloudtrail_event.py index fbca399b68..a1559d8915 100644 --- a/tests/end_to_end/test_aws_infrastructure_monitoring/data/configuration/aws_cloudtrail_event.py 
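Review bot: The timestamp group in `expected_alert_json` and `expected_indexed_alert` ends in `\+\d+`, so an alert stamped with a negative UTC offset (a manager running at `-0300`, for example) never matches and the test stops with 'The alert has not occurred' before the indexer is queried; test_slack_integration.py uses `[\+|-]\d+` for the same field, so `(\d+\-\d+\-\w+\:\d+\:\d+\.\d+[+-]\d+)` keeps the two tests consistent. `@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning')` suggests `e2e.get_alert_indexer_api` disables certificate verification while sending the dashboard credentials; that helper is outside this hunk, but passing the indexer CA bundle instead of silencing the warning would keep the credentials off an unverified TLS connection (the same marker appears in test_slack_integration.py). The docstring `Test to scanning a file using FIM` could read `Check that a file change under the monitored directory raises the expected FIM alert and that the alert is indexed.`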
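Review bot: The new block forwards `configuration_extra_vars` unchanged to the teardown `ansible_runner.run` call, and in the AWS module of this series that dict carries `aws_access_key_id`/`aws_secret_access_key`; depending on how ansible_runner hands `extravars` to ansible-playbook (a file under the private data dir or an `-e` argument on the command line) the keys may be persisted in the run artifacts or visible in the process list, which is worth confirming before credentials are routed through here. A comment on the `getattr` line, `# extra vars may carry credentials (AWS module); they reach the teardown runner as-is`, would make that data flow visible to the next reader. `configure_environment` begins outside this hunk.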
+++ b/tests/end_to_end/test_aws_infrastructure_monitoring/data/configuration/aws_cloudtrail_event.py @@ -1,16 +1,12 @@ #!/usr/bin/python3 import argparse -from datetime import datetime, timedelta -from time import sleep import boto3 # Hide deprecation warning for python<=3.6 boto3.compat.filter_python_deprecation_warnings() -formats = ['%a, %d %b %Y %H:%M:%S %Z', '%Y-%m-%dT%H:%M:%SZ'] - def get_parameters(): """ 
@@ -19,50 +15,26 @@ def get_parameters(): """ parser = argparse.ArgumentParser() - parser.add_argument('--aws_access_key_id', '-a', type=str, action='store', required=True, dest='aws_access_key_id') - parser.add_argument('--aws_secret_access_key', '-s', type=str, action='store', required=True, - dest='aws_secret_access_key') + parser.add_argument('--aws_access_key_id', '-i', type=str, action='store', required=True) + parser.add_argument('--aws_secret_access_key', '-k', type=str, action='store', required=True) + parser.add_argument('--bucket_name', '-b', type=str, action='store', required=True) + parser.add_argument('--create', '-c', action='store_true') arguments = parser.parse_args() return arguments -def create_bucket(client): - """Create an S3 bucket in the default region (us-east-1) - - Args: - access_key_id (str): AWS access key ID - secret_access_key (str): AWS secret access key - """ - response = client.create_bucket(Bucket='delete-this-dummy-bucket') - response_date = response['ResponseMetadata']['HTTPHeaders']['date'] - # The format of the request datetieme is changed here to match the timestamp of the AWS event in the alerts.json log - # 1 second is substracted to avoid the difference with the server time - request_datetime = datetime.strptime(response_date, formats[0]) - timedelta(seconds=1) - datetime_str = request_datetime.strftime(formats[1]) - # Print the formatted time from the request because Ansible will pick it up from the standard output - print(datetime_str) - - -def delete_bucket(client): - """Delete an S3 bucket in the default region (us-east-1) - - Args: - access_key_id (str): AWS access key ID - secret_access_key (str): AWS secret access key - """ - client.delete_bucket(Bucket='delete-this-dummy-bucket') - - def main(): parameters = get_parameters() + client = boto3.client('s3', aws_access_key_id=parameters.aws_access_key_id, aws_secret_access_key=parameters.aws_secret_access_key) - create_bucket(client) - # Wait for the event to be 
generated in AWS - sleep(10) - delete_bucket(client) + + if parameters.create: + client.create_bucket(Bucket=parameters.bucket_name) + else: + client.delete_bucket(Bucket=parameters.bucket_name) if __name__ == '__main__': diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml b/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml index 081b3b96d7..9a174ad899 100644 --- a/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml @@ -10,13 +10,12 @@ # Create a bucket using the AWS API - name: Run the script using python3 (create S3 bucket) - script: "{{ AWS_API_SCRIPT }} -a {{ aws_access_key_id }} -s {{ aws_secret_access_key }}" - register: time + script: "{{ AWS_API_SCRIPT }} -i {{ aws_access_key_id }} -k {{ aws_secret_access_key }} -b {{ bucket }} -c" - name: Wait for the alert to be generated wait_for: path: "{{ alerts_path }}" - search_regex: "{{ time.stdout_lines[0] }}.*{{ event_name }}" + search_regex: "{{ event_name }}.*{{ bucket }}" # Waiting 8 minutes, because that is the time for Cloudtrail to deliver the logs to the S3 bucket. timeout: 480 diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/teardown.yaml b/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/teardown.yaml index 755062ec77..17c9bab1ea 100644 --- a/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/teardown.yaml @@ -8,3 +8,11 @@ path: /var/ossec/etc/ossec.conf marker: state: absent + + - name: Delete the created bucket using the AWS API + script: "{{ AWS_API_SCRIPT }} -i {{ aws_access_key_id }} -k {{ aws_secret_access_key }} -b {{ bucket }}" + + - name: Restart wazuh-manager + systemd: + state: restarted + name: wazuh-manager 
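Review bot: `--aws_secret_access_key`/`-k` receives the secret as a command-line argument, and the generate_events.yaml and teardown.yaml tasks in this commit interpolate it into `script:` lines, so the key is visible in the process table on the manager and in the task output Ansible records at higher verbosity. boto3 reads `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` from the environment on its own, so `client = boto3.client('s3')` with the values supplied through the task's `environment:` keyword, plus `no_log: true` on those tasks, keeps the secret out of both places. In `main()` the `else` branch deletes the bucket whenever `-c` is absent, so a mistyped flag silently takes the destructive path; a required mutually exclusive `--create`/`--delete` pair via `parser.add_mutually_exclusive_group(required=True)` makes the intent explicit. `get_parameters` starts outside this hunk.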
diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/data/test_cases/cases_aws_infrastructure_monitoring.yaml b/tests/end_to_end/test_aws_infrastructure_monitoring/data/test_cases/cases_aws_infrastructure_monitoring.yaml index d76c5a88f2..5724733778 100644 --- a/tests/end_to_end/test_aws_infrastructure_monitoring/data/test_cases/cases_aws_infrastructure_monitoring.yaml +++ b/tests/end_to_end/test_aws_infrastructure_monitoring/data/test_cases/cases_aws_infrastructure_monitoring.yaml @@ -10,4 +10,5 @@ rule.level: 3 extra_vars: event_name: CreateBucket + bucket: delete-this-dummy-bucket AWS_API_SCRIPT: CUSTOM_AWS_SCRIPT_PATH diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py b/tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py index 3cf92f1ef8..32fe9f06d1 100644 --- a/tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py +++ b/tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py @@ -29,6 +29,8 @@ # Update configuration with custom paths metadata = config.update_configuration_template(metadata, ['CUSTOM_AWS_SCRIPT_PATH'], [aws_api_script]) +bucket_name = metadata[0]['extra_vars']['bucket'] +configuration_extra_vars.update({'AWS_API_SCRIPT': aws_api_script, 'bucket': bucket_name}) @pytest.mark.parametrize('metadata', metadata, ids=cases_ids) From 951949a24b883f2cb178fc3a3160dbd769948259 Mon Sep 17 00:00:00 2001 
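Review bot: `bucket_name = metadata[0]['extra_vars']['bucket']` takes the bucket from the first test case only, so any further case in cases_aws_infrastructure_monitoring.yaml with a different `bucket` value would be created under its own name by generate_events.yaml but torn down under the first case's name. Reading the bucket per case inside the test, or asserting `len(metadata) == 1` next to this line, prevents that mismatch. `delete-this-dummy-bucket` lives in the global S3 namespace, so a concurrent run or a bucket owned by another account yields a `BucketAlreadyExists` failure, and the teardown would then try to delete a bucket this run did not create; a per-run suffix such as `f"delete-this-dummy-bucket-{uuid.uuid4().hex[:8]}"` avoids the collision. `configuration_extra_vars` is updated here but defined outside this hunk.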
From: Mauro Malara Date: Thu, 28 Jul 2022 12:45:27 -0300 Subject: [PATCH 275/552] feat!: new module to test the Slack integration. #3126 --- .../data/playbooks/configuration.yaml | 31 ++++++++ .../data/playbooks/generate_events.yaml | 44 ++++++++++++ .../data/playbooks/teardown.yaml | 15 ++++ .../test_cases/cases_slack_integration.yaml | 9 +++ .../test_slack_integration.py | 71 +++++++++++++++++++ 5 files changed, 170 insertions(+) create mode 100644 tests/end_to_end/test_slack_integration/data/playbooks/configuration.yaml create mode 100644 tests/end_to_end/test_slack_integration/data/playbooks/generate_events.yaml create mode 100644 tests/end_to_end/test_slack_integration/data/playbooks/teardown.yaml create mode 100644 tests/end_to_end/test_slack_integration/data/test_cases/cases_slack_integration.yaml create mode 100644 tests/end_to_end/test_slack_integration/test_slack_integration.py diff --git a/tests/end_to_end/test_slack_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_slack_integration/data/playbooks/configuration.yaml new file mode 100644 index 0000000000..8687afcf8b --- /dev/null +++ b/tests/end_to_end/test_slack_integration/data/playbooks/configuration.yaml @@ -0,0 +1,31 @@ +- name: Configure environment + hosts: wazuh-manager + become: true + vars: + alerts_path: /var/ossec/logs/alerts/alerts.json + conf_path: /var/ossec/etc/ossec.conf + tasks: + + - name: Set the Slack integration block + blockinfile: + path: "{{ conf_path }}" + marker: + insertbefore: ^ + block: | + + slack + {{ web_hook_url }} + 10 + json + + + - name: Truncate integrations log + shell: echo "" > {{ alerts_path }} + + - name: Restart wazuh-manager + systemd: + state: restarted + name: wazuh-manager + + - name: Install pexpect using pip + shell: python3 -m pip install pexpect>=3.3 
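Review bot: `shell: python3 -m pip install pexpect>=3.3` is parsed by the shell as `pip install pexpect` with stdout redirected to a file named `=3.3` in the working directory, so the version constraint is never applied and a stray file is left on the manager. Quote the specifier, `shell: python3 -m pip install "pexpect>=3.3"`, or use `ansible.builtin.pip: name: pexpect>=3.3`, which also reports idempotently. The `{{ web_hook_url }}` the blockinfile task writes into ossec.conf is a bearer-equivalent secret for the Slack channel; `no_log: true` on that task keeps it out of task output when the playbook is run with `--diff` or higher verbosity.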
diff --git a/tests/end_to_end/test_slack_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_slack_integration/data/playbooks/generate_events.yaml new file mode 100644 index 0000000000..8b752ea132 --- /dev/null +++ b/tests/end_to_end/test_slack_integration/data/playbooks/generate_events.yaml @@ -0,0 +1,44 @@ +- name: Generate events + hosts: wazuh-manager + vars: + alerts_path: /var/ossec/logs/alerts/alerts.json + integrations_log: /var/ossec/logs/integrations.log + become: true + tasks: + + - name: Truncate integrations log + shell: echo "" > {{ integrations_log }} + + - name: Attempt a brute force SSH attack + expect: + command: ssh {{ item }}@localhost + timeout: 5 + responses: + Password: invalid_password + loop: + - not-a-user + - not-a-user + - not-a-user + - not-a-user + - not-a-user + - not-a-user + - not-a-user + - not-a-user + ignore_errors: true + + - name: Wait for alert to be read + pause: + seconds: 5 + + # Check if the alert has been sent to Slack + - name: Get integrations.log + wait_for: + path: "{{ integrations_log }}" + search_regex: "hooks.slack.com" + timeout: 5 + + - name: Get alerts.json + fetch: + src: "{{ alerts_path }}" + dest: /tmp/ + flat: true diff --git a/tests/end_to_end/test_slack_integration/data/playbooks/teardown.yaml b/tests/end_to_end/test_slack_integration/data/playbooks/teardown.yaml new file mode 100644 index 0000000000..6e975c7f8d --- /dev/null +++ b/tests/end_to_end/test_slack_integration/data/playbooks/teardown.yaml @@ -0,0 +1,15 @@ +- name: Cleanup environment + hosts: wazuh-manager + become: true + tasks: + + - name: Remove the Slack integration block + blockinfile: + path: /var/ossec/etc/ossec.conf + marker: + state: absent + + - name: Restart wazuh-manager + systemd: + state: restarted + name: wazuh-manager 
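Review bot: The `expect` task only answers `Password:`, so if the manager's own host key is not yet in the Ansible user's known_hosts the first `ssh not-a-user@localhost` shows the host-key confirmation prompt instead, every loop iteration times out after 5 seconds, `ignore_errors: true` hides that, and the problem only surfaces later as a missing integrations.log entry (hedged: this depends on the provisioning state of known_hosts). Adding a second response such as `"(yes/no": "yes"` next to `Password:` makes the attempt deterministic. The task named `Get integrations.log` only waits on the file; `Wait for the Slack webhook call in integrations.log` describes what it does.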
diff --git a/tests/end_to_end/test_slack_integration/data/test_cases/cases_slack_integration.yaml b/tests/end_to_end/test_slack_integration/data/test_cases/cases_slack_integration.yaml new file mode 100644 index 0000000000..086196d6b7 --- /dev/null +++ b/tests/end_to_end/test_slack_integration/data/test_cases/cases_slack_integration.yaml @@ -0,0 +1,9 @@ +- name: Slac integration - SSH Brute force attack + description: Test that Wazuh sends the alert via Slack by attempting a brute force SSH attack. + configuration_parameters: null + metadata: + rule.id: 5712 + rule.description: "sshd: brute force trying to get access to the system. Non existent user." + rule.level: 10 + extra: + srcuser: not-a-user diff --git a/tests/end_to_end/test_slack_integration/test_slack_integration.py b/tests/end_to_end/test_slack_integration/test_slack_integration.py new file mode 100644 index 0000000000..b045095acb --- /dev/null +++ b/tests/end_to_end/test_slack_integration/test_slack_integration.py 
@@ -0,0 +1,71 @@ +import os +import json +import re +import pytest +from tempfile import gettempdir + +from wazuh_testing import end_to_end as e2e +from wazuh_testing import event_monitor as evm +from wazuh_testing.tools import configuration as config + +# Test cases data +test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') +test_cases_path = os.path.join(test_data_path, 'test_cases') +test_cases_file_path = os.path.join(test_cases_path, 'cases_slack_integration.yaml') +alerts_json = os.path.join(gettempdir(), 'alerts.json') + +# Playbooks +configuration_playbooks = ['configuration.yaml'] +events_playbooks = ['generate_events.yaml'] +teardown_playbooks = ['teardown.yaml'] + +# Configuration +configuration, metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) + + +@pytest.mark.parametrize('metadata', metadata, ids=cases_ids) +@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') +def test_slack_integration(metadata, configure_environment, get_dashboard_credentials, generate_events, + clean_alerts_index): + rule_description = metadata['rule.description'] + rule_id = metadata['rule.id'] + rule_level = metadata['rule.level'] + extra_srcuser = metadata['extra']['srcuser'] + timestamp_regex = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[\+|-]\d+' + + expected_alert_json = fr".+timestamp\":\"({timestamp_regex})\",.+level\":{rule_level}.+description\"" \ + fr":\"{rule_description}.+id.+{rule_id}.+srcuser.+{extra_srcuser}" + + expected_indexed_alert = fr".+srcuser.+{extra_srcuser}.+level.+{rule_level}.+description.+{rule_description}.+id" \ + fr".+{rule_id}.+timestamp\": \"({timestamp_regex})\"" + + # Check that alert has been raised and save timestamp + raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + error_message='The alert has not occurred').result() + raised_alert_timestamp = raised_alert.group(1) + + query = e2e.make_query([ + { + "term": { + "rule.id": 
f"{rule_id}" + } + }, + { + "term": { + "rule.description": f"{rule_description}" + } + }, + { + "term": { + "timestamp": f"{raised_alert_timestamp}" + } + } + ]) + + # Check if the alert has been indexed and get its data + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + indexed_alert = json.dumps(response.json()) + + # Check that the alert data is the expected one + alert_data = re.search(expected_indexed_alert, indexed_alert) + assert alert_data is not None, 'Alert triggered, but not indexed' From fa3765a57f9f06864426293b3168272ea329db28 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Thu, 28 Jul 2022 16:42:24 -0300 Subject: [PATCH 276/552] fix: now timeout is dynamic. #3085 --- .../end_to_end/test_yara_integration/test_yara_integration.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/end_to_end/test_yara_integration/test_yara_integration.py b/tests/end_to_end/test_yara_integration/test_yara_integration.py index 2c8d27d961..32418abe9b 100644 --- a/tests/end_to_end/test_yara_integration/test_yara_integration.py +++ b/tests/end_to_end/test_yara_integration/test_yara_integration.py @@ -4,6 +4,7 @@ import pytest from tempfile import gettempdir +import wazuh_testing as fw from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config @@ -45,7 +46,7 @@ def test_yara_integration(configure_environment, metadata, get_dashboard_credent # Check that alert has been raised and save timestamp raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - timeout=5, error_message='The alert has not occurred').result() + timeout=fw.T_5, error_message='The alert has not occurred').result() raised_alert_timestamp = raised_alert.group(1) query = e2e.make_query([ From c4b3c58e3c8ee47ccf86b1de0b68d6741d78d3d0 Mon Sep 17 00:00:00 2001 
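Review bot: The indexer query adds a `term` clause on `rule.description` with the full sentence; if that field is mapped as analyzed text in the wazuh-alerts template (hedged, the template is not in this commit) a `term` on the whole string never matches and the test fails with 'Alert triggered, but not indexed' although the alert is indexed. The `rule.id` plus `timestamp` pair that test_fim.py uses already identifies the document, so dropping the description clause (or switching it to `match_phrase`) is the safer query. `test_slack_integration` has no docstring, unlike its sibling tests; `"""Check that the SSH brute-force alert is raised and indexed; the playbook verifies the Slack hand-off."""` would cover it. `rule_description` is interpolated into both regexes unescaped and only matches because its dots act as wildcards; `re.escape(rule_description)` states that intent.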
From: Mauro Malara Date: Thu, 28 Jul 2022 16:53:22 -0300 Subject: [PATCH 277/552] fix: some minor fixes were applied. #3126 --- .../test_slack_integration/data/playbooks/configuration.yaml | 2 +- .../data/playbooks/generate_events.yaml | 2 +- .../test_slack_integration/data/playbooks/teardown.yaml | 4 +++- .../data/test_cases/cases_slack_integration.yaml | 2 +- 4 files changed, 6 insertions(+), 4 deletions(-) diff --git a/tests/end_to_end/test_slack_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_slack_integration/data/playbooks/configuration.yaml index 8687afcf8b..afd116d072 100644 --- a/tests/end_to_end/test_slack_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_slack_integration/data/playbooks/configuration.yaml @@ -19,7 +19,7 @@ json - - name: Truncate integrations log + - name: Truncate alerts log shell: echo "" > {{ alerts_path }} - name: Restart wazuh-manager diff --git a/tests/end_to_end/test_slack_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_slack_integration/data/playbooks/generate_events.yaml index 8b752ea132..3b14710fff 100644 --- a/tests/end_to_end/test_slack_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_slack_integration/data/playbooks/generate_events.yaml @@ -26,7 +26,7 @@ - not-a-user ignore_errors: true - - name: Wait for alert to be read + - name: Wait for the alert to be generated pause: seconds: 5 diff --git a/tests/end_to_end/test_slack_integration/data/playbooks/teardown.yaml b/tests/end_to_end/test_slack_integration/data/playbooks/teardown.yaml index 6e975c7f8d..56a0796c8f 100644 --- a/tests/end_to_end/test_slack_integration/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_slack_integration/data/playbooks/teardown.yaml 
@@ -1,11 +1,13 @@ - name: Cleanup environment hosts: wazuh-manager become: true + vars: + conf_path: /var/ossec/etc/ossec.conf tasks: - name: Remove the Slack integration block blockinfile: - path: /var/ossec/etc/ossec.conf + path: "{{ conf_path }" marker: state: absent diff --git a/tests/end_to_end/test_slack_integration/data/test_cases/cases_slack_integration.yaml b/tests/end_to_end/test_slack_integration/data/test_cases/cases_slack_integration.yaml index 086196d6b7..30f39dfb8a 100644 --- a/tests/end_to_end/test_slack_integration/data/test_cases/cases_slack_integration.yaml +++ b/tests/end_to_end/test_slack_integration/data/test_cases/cases_slack_integration.yaml @@ -1,4 +1,4 @@ -- name: Slac integration - SSH Brute force attack +- name: Slack integration - SSH Brute force attack description: Test that Wazuh sends the alert via Slack by attempting a brute force SSH attack. configuration_parameters: null metadata: From d8a4bf529e7e292f398ee07078e769d661ed5571 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Thu, 28 Jul 2022 17:03:42 -0300 Subject: [PATCH 278/552] fix: linter correction applied and typo error fixed. #3126 --- .../test_slack_integration/data/playbooks/generate_events.yaml | 2 +- .../test_slack_integration/data/playbooks/teardown.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/end_to_end/test_slack_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_slack_integration/data/playbooks/generate_events.yaml index 3b14710fff..ec7490e702 100644 --- a/tests/end_to_end/test_slack_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_slack_integration/data/playbooks/generate_events.yaml @@ -34,7 +34,7 @@ - name: Get integrations.log wait_for: path: "{{ integrations_log }}" - search_regex: "hooks.slack.com" + search_regex: hooks.slack.com timeout: 5 - name: Get alerts.json 
diff --git a/tests/end_to_end/test_slack_integration/data/playbooks/teardown.yaml b/tests/end_to_end/test_slack_integration/data/playbooks/teardown.yaml index 56a0796c8f..f9e6b2bf3a 100644 --- a/tests/end_to_end/test_slack_integration/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_slack_integration/data/playbooks/teardown.yaml @@ -7,7 +7,7 @@ - name: Remove the Slack integration block blockinfile: - path: "{{ conf_path }" + path: "{{ conf_path }}" marker: state: absent From a5b7d9c615122f743d4dd4dc7aff94c80ea010be Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Rebollo=20P=C3=A9rez?= Date: Fri, 29 Jul 2022 09:07:26 +0100 Subject: [PATCH 279/552] fix: debug commit --- provisioning/roles.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/provisioning/roles.yaml b/provisioning/roles.yaml index b0e8a7690b..4593ba4b10 100644 --- a/provisioning/roles.yaml +++ b/provisioning/roles.yaml @@ -34,7 +34,7 @@ manager: os: LINUX_BASED_OS service: ANY resources: - default: + minimal: cpu: 2 memory: 2048 vars: From 3e337ec774c18ea3b96b7756a2f65875559d491c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Rebollo=20P=C3=A9rez?= Date: Fri, 29 Jul 2022 12:04:59 +0100 Subject: [PATCH 280/552] fix: remove package key from roles.yaml --- provisioning/roles.yaml | 38 ++++++++++++++------------------------ 1 file changed, 14 insertions(+), 24 deletions(-) diff --git a/provisioning/roles.yaml b/provisioning/roles.yaml index b0e8a7690b..9183ba4d99 100644 --- a/provisioning/roles.yaml +++ b/provisioning/roles.yaml @@ -21,10 +21,9 @@ agent: service: ANY vars: mandatory: - package: - version: VERSION - revision: REVISION - repository: REPOSITORY + version: VERSION + revision: REVISION + repository: REPOSITORY manager: MANAGER_HOST #---------------------- 
@@ -34,15 +33,14 @@ manager: os: LINUX_BASED_OS service: ANY resources: - default: + minimal: cpu: 2 memory: 2048 vars: mandatory: - package: - version: VERSION - revision: REVISION - repository: REPOSITORY + version: VERSION + revision: REVISION + repository: REPOSITORY default: type: master @@ -56,15 +54,11 @@ indexer: minimal: cpu: 4 memory: 4096 - default: - cpu: 4 - memory: 4096 vars: mandatory: - package: - version: VERSION - revision: REVISION - repository: REPOSITORY + version: VERSION + revision: REVISION + repository: REPOSITORY #---------------------- @@ -76,15 +70,11 @@ dashboard: minimal: cpu: 4 memory: 4096 - default: - cpu: 4 - memory: 4096 vars: mandatory: - package: - version: VERSION - revision: REVISION - repository: REPOSITORY + version: VERSION + revision: REVISION + repository: REPOSITORY #---------------------- @@ -94,7 +84,7 @@ filebeat: service: ANY os: LINUX_BASED_OS resources: - default: + minimal: cpu: 2 memory: 2048 From dfcbe01264ec003407ba0ea1f47062b3b8102add Mon Sep 17 00:00:00 2001 From: Julia Date: Fri, 29 Jul 2022 13:55:01 +0200 Subject: [PATCH 281/552] fix: Add script to execute `trigger-emotet.exe` correctly --- .../data/configuration/exec_emotet_script.vbs | 6 ++++++ .../{sysmon_config => configuration}/sysconfig.xml | 0 .../trigger-emotet.exe | Bin .../test_emotet/data/playbooks/configuration.yaml | 5 +++++ .../test_emotet/data/playbooks/generate_events.yaml | 3 +-- tests/end_to_end/test_emotet/test_emotet.py | 10 +++++----- 6 files changed, 17 insertions(+), 7 deletions(-) create mode 100644 tests/end_to_end/test_emotet/data/configuration/exec_emotet_script.vbs rename tests/end_to_end/test_emotet/data/{sysmon_config => configuration}/sysconfig.xml (100%) rename tests/end_to_end/test_emotet/data/{emotet_file => configuration}/trigger-emotet.exe (100%) 
diff --git a/tests/end_to_end/test_emotet/data/configuration/exec_emotet_script.vbs b/tests/end_to_end/test_emotet/data/configuration/exec_emotet_script.vbs new file mode 100644 index 0000000000..64ebe4d2ca --- /dev/null +++ b/tests/end_to_end/test_emotet/data/configuration/exec_emotet_script.vbs @@ -0,0 +1,6 @@ +set shell = CreateObject("WScript.Shell") +shell.run"C:\temp\trigger-emotet.exe" +WScript.Sleep 10000 +shell.SendKeys "{ENTER}" +WScript.Sleep 10000 +shell.SendKeys "{ENTER}" diff --git a/tests/end_to_end/test_emotet/data/sysmon_config/sysconfig.xml b/tests/end_to_end/test_emotet/data/configuration/sysconfig.xml similarity index 100% rename from tests/end_to_end/test_emotet/data/sysmon_config/sysconfig.xml rename to tests/end_to_end/test_emotet/data/configuration/sysconfig.xml diff --git a/tests/end_to_end/test_emotet/data/emotet_file/trigger-emotet.exe b/tests/end_to_end/test_emotet/data/configuration/trigger-emotet.exe similarity index 100% rename from tests/end_to_end/test_emotet/data/emotet_file/trigger-emotet.exe rename to tests/end_to_end/test_emotet/data/configuration/trigger-emotet.exe diff --git a/tests/end_to_end/test_emotet/data/playbooks/configuration.yaml b/tests/end_to_end/test_emotet/data/playbooks/configuration.yaml index 97198fa09d..513b904e01 100644 --- a/tests/end_to_end/test_emotet/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_emotet/data/playbooks/configuration.yaml @@ -44,6 +44,11 @@ Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" + - name: Copy exec_emotet_script.vbs in the agent + ansible.windows.win_copy: + src: "{{ vbs_script_path }}" + dest: C:\temp + - name: Copy trigger_emotet.exe in the agent ansible.windows.win_copy: src: "{{ emotet_file }}" diff --git a/tests/end_to_end/test_emotet/data/playbooks/generate_events.yaml b/tests/end_to_end/test_emotet/data/playbooks/generate_events.yaml index 2a36f4c250..61cb394f64 100644 
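Review bot: The script runs `C:\temp\trigger-emotet.exe` without checking what is there, and the configuration playbook in this commit stages the file in `C:\temp`, a location any local user can write to, so a replaced binary would execute with the privileges of the Ansible user. Verifying the staged file before the run (a `win_stat` with `get_checksum: true` compared in the playbook against the checksum of the committed sample) or staging it under a directory only administrators can write to closes that gap. The two `SendKeys "{ENTER}"` calls after fixed 10-second sleeps go to whichever window has focus; if the sample's dialog is not up yet the keystrokes land elsewhere and no event is generated, so an `AppActivate` loop on the expected window title before each `SendKeys` would be more reliable.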
--- a/tests/end_to_end/test_emotet/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_emotet/data/playbooks/generate_events.yaml @@ -18,8 +18,7 @@ - name: Run trigger-emotet.exe ansible.windows.win_shell: | - cd C:\Users\Administrator\Desktop - ./trigger-emotet.exe + cscript C:\temp\exec_emotet_script.vbs - name: Wait alert hosts: wazuh-manager diff --git a/tests/end_to_end/test_emotet/test_emotet.py b/tests/end_to_end/test_emotet/test_emotet.py index fc695288b2..a9577c6129 100644 --- a/tests/end_to_end/test_emotet/test_emotet.py +++ b/tests/end_to_end/test_emotet/test_emotet.py @@ -13,9 +13,10 @@ test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_emotet.yaml') configuration_playbooks = ['configuration.yaml'] -emotet_file_path = os.path.join(test_data_path, 'emotet_file', 'trigger-emotet.exe') -sysmon_config = os.path.join(test_data_path, 'sysmon_config', 'sysconfig.xml') -configuration_extra_vars = {'emotet_file': emotet_file_path, 'sysmon_config': sysmon_config} +emotet_file_path = os.path.join(test_data_path, 'configuration', 'trigger-emotet.exe') +sysmon_config = os.path.join(test_data_path, 'configuration', 'sysconfig.xml') +vbs_script = os.path.join(test_data_path, 'configuration', 'exec_emotet_script.vbs') +configuration_extra_vars = {'emotet_file': emotet_file_path, 'sysmon_config': sysmon_config, 'vbs_script': vbs_script} events_playbooks = ['generate_events.yaml'] teardown_playbooks = ['teardown.yaml'] 
@@ -25,8 +26,7 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_emotet(configure_environment, metadata, get_dashboard_credentials, generate_events, - clean_alerts_index): +def test_emotet(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): """ Test to detect an emotet attack """ From e48b4781ef45808e30c4153584978a4139ffaa70 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Rebollo=20P=C3=A9rez?= Date: Fri, 29 Jul 2022 13:30:00 +0100 Subject: [PATCH 282/552] add: createInventory playbook --- provisioning/roles/createInventory.yaml | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 provisioning/roles/createInventory.yaml diff --git a/provisioning/roles/createInventory.yaml b/provisioning/roles/createInventory.yaml new file mode 100644 index 0000000000..f0557a8929 --- /dev/null +++ b/provisioning/roles/createInventory.yaml @@ -0,0 +1,7 @@ +- hosts: localhost + gather_facts: no + tasks: + - name: Template a file + ansible.builtin.template: + src: {{ source_template }} + dest: {{ dest_inventory}} \ No newline at end of file From e3cbe56ed2665936d06f393bd6c45f1297202a04 Mon Sep 17 00:00:00 2001 From: Julia Date: Fri, 29 Jul 2022 15:13:47 +0200 Subject: [PATCH 283/552] fix: Change variable name --- tests/end_to_end/test_emotet/data/playbooks/configuration.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/test_emotet/data/playbooks/configuration.yaml b/tests/end_to_end/test_emotet/data/playbooks/configuration.yaml index 513b904e01..7b99773686 100644 --- a/tests/end_to_end/test_emotet/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_emotet/data/playbooks/configuration.yaml 
@@ -46,7 +46,7 @@ - name: Copy exec_emotet_script.vbs in the agent ansible.windows.win_copy: - src: "{{ vbs_script_path }}" + src: "{{ vbs_script }}" dest: C:\temp - name: Copy trigger_emotet.exe in the agent From e79258c2edd4938f7487da8bbe7402f0176e8fcf Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Fri, 29 Jul 2022 12:12:23 -0300 Subject: [PATCH 284/552] feat(test_case): new test case added to test Wazuh when an RDP brute force attack is attempted. #3026 --- .../data/playbooks/configuration.yaml | 10 ++++++++ .../data/playbooks/generate_events.yaml | 23 +++++++++-------- .../data/test_cases/cases_brute_force.yaml | 14 +++++++++++ .../test_brute_force/test_brute_force.py | 25 ++++++++++--------- 4 files changed, 50 insertions(+), 22 deletions(-) create mode 100644 tests/end_to_end/test_brute_force/data/playbooks/configuration.yaml diff --git a/tests/end_to_end/test_brute_force/data/playbooks/configuration.yaml b/tests/end_to_end/test_brute_force/data/playbooks/configuration.yaml new file mode 100644 index 0000000000..58928acd9b --- /dev/null +++ b/tests/end_to_end/test_brute_force/data/playbooks/configuration.yaml @@ -0,0 +1,10 @@ +- name: Configure environment + hosts: localhost + become: true + tasks: + + # Install hydra to attempt the RDP brute force attack + - name: Install hydra + package: + name: hydra + state: present diff --git a/tests/end_to_end/test_brute_force/data/playbooks/generate_events.yaml b/tests/end_to_end/test_brute_force/data/playbooks/generate_events.yaml index a502e98b27..081bf525ed 100644 --- a/tests/end_to_end/test_brute_force/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_brute_force/data/playbooks/generate_events.yaml @@ -10,6 +10,7 @@ hosts: localhost tasks: + # Case: Unix agent - name: SSH connection expect: command: ssh {{item}}@wazuh-agent -i {{hostvars['wazuh-agent']['ansible_ssh_private_key_file']}} 
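Review bot: The new test_brute_force configuration.yaml installs hydra on `hosts: localhost` with `become: true`, and nothing removes it — test_brute_force.py in this same commit still has `teardown_playbooks = None` — so an attack tool is left installed with root privileges on whichever machine launches the suite. Add a teardown.yaml with `package: name: hydra state: absent` and set `teardown_playbooks = ['teardown.yaml']`, or at least state in the task comment that the install is intentionally persistent on the controller. The `# Install hydra ...` comment should also name that it targets the controller, not an agent, since the other playbooks in this test target named hosts.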
@@ -17,18 +18,20 @@ (.*)continue connecting(.*): 'yes' (?i)password: 1 timeout: 5 - loop: - - test_user - - test_user - - test_user - - test_user - - test_user - - test_user - - test_user - - test_user + loop: [test_user, test_user, test_user, test_user, test_user, test_user, test_user, test_user] register: result failed_when: - "'Permission denied' not in result.stdout" + when: agent_os == "Linux" + + # Case: Windows agent + - name: Attempt a RDP brute force attack + shell: hydra -l {{ item }} -p invalid_password rdp://wazuh-windows + loop: [test_user, test_user, test_user, test_user, test_user, test_user, test_user, test_user] + register: result + failed_when: + - "'0 valid password found' not in result.stdout" + when: agent_os == "Windows" - name: Wait for alert wait_for: @@ -42,5 +45,5 @@ fetch: src: /var/ossec/logs/alerts/alerts.json dest: /tmp/ - flat: yes + flat: true become: true diff --git a/tests/end_to_end/test_brute_force/data/test_cases/cases_brute_force.yaml b/tests/end_to_end/test_brute_force/data/test_cases/cases_brute_force.yaml index d58f3ff6dd..d8af2bca0f 100644 --- a/tests/end_to_end/test_brute_force/data/test_cases/cases_brute_force.yaml +++ b/tests/end_to_end/test_brute_force/data/test_cases/cases_brute_force.yaml @@ -7,3 +7,17 @@ rule.description: "sshd: brute force trying to get access to the system. Non existent user." extra: mitre_technique: Brute Force + extra_vars: + agent_os: Linux + +- name: rdp_brute_force + description: Check if the alert is generated when executing a brute force attack via RDP. + configuration_parameters: null + metadata: + rule.id: 60204 + rule.level: 10 + rule.description: Multiple Windows logon failures. + extra: + mitre_technique: Brute Force + extra_vars: + agent_os: Windows diff --git a/tests/end_to_end/test_brute_force/test_brute_force.py b/tests/end_to_end/test_brute_force/test_brute_force.py index ee1e8cb8d9..fc8822aa44 100644 --- a/tests/end_to_end/test_brute_force/test_brute_force.py 
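Review bot: The RDP task uses `shell:` for `hydra -l {{ item }} -p invalid_password rdp://wazuh-windows` although no shell feature (pipe, redirect, glob) is used, and `item` is interpolated unquoted; that is harmless with the literal `test_user` loop, but the moment usernames come from test-case metadata it becomes a shell-injection path on the controller. `command: hydra -l {{ item }} -p invalid_password rdp://wazuh-windows` keeps the behaviour without a shell. A short comment above `failed_when` explaining that `0 valid password found` is expected (and that a successful login would make the task fail on purpose) would help the next reader.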
+++ b/tests/end_to_end/test_brute_force/test_brute_force.py @@ -14,6 +14,7 @@ test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_brute_force.yaml') # Playbooks +configuration_playbooks = ['configuration.yaml'] events_playbooks = ['generate_events.yaml'] teardown_playbooks = None @@ -23,21 +24,21 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_brute_force(metadata, get_dashboard_credentials, generate_events, clean_alerts_index): +def test_brute_force(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): """ - Test to detect a SSH Brute Force attack + Test to detect a SSH/RDP Brute Force attack """ rule_id = metadata['rule.id'] rule_level = metadata['rule.level'] rule_description = metadata['rule.description'] rule_mitre_technique = metadata['extra']['mitre_technique'] + timestamp = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+' - expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{rule_level},' \ - fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' + expected_alert_json = fr'\{{"timestamp":"({timestamp})","rule"\:{{"level"\:{rule_level},' \ + fr'"description"\:"{rule_description}","id"\:"{rule_id}".*' expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \ - fr'.*"mitre":.*"{rule_mitre_technique}".*"id": "{rule_id}".*'\ - r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' + fr'.*"mitre":.*"{rule_mitre_technique}".*"id": "{rule_id}".*' # Check that alert has been raised and save timestamp raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, 
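Review bot: In the new `timestamp` pattern the class `[+|-]` also matches a literal `|`; the intended set is `[+-]`, i.e. `timestamp = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[+-]\d+'`. `expected_alert_json` and `expected_indexed_alert` still interpolate `rule_description` from the YAML unescaped, so the `.` in `Non existent user.` matches any character and a future description with regex metacharacters would match loosely; use `re.escape(rule_description)` where the patterns are built. The function body continues past the end of the hunk.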
@@ -46,14 +47,14 @@ def test_brute_force(metadata, get_dashboard_credentials, generate_events, clean query = e2e.make_query([ { - "term": { - "rule.id": f"{rule_id}" - } + "term": { + "rule.id": f"{rule_id}" + } }, { - "term": { - "timestamp": f"{raised_alert_timestamp}" - } + "term": { + "timestamp": f"{raised_alert_timestamp}" + } } ]) From aed04de5b3dd5d544640cd427ee21f4b82627b51 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Rebollo=20P=C3=A9rez?= Date: Fri, 29 Jul 2022 16:17:30 +0100 Subject: [PATCH 285/552] fix: create inventory playbook #3121 --- provisioning/roles/createInventory.yaml | 12 +++++++----- .../schema.j2 | 0 2 files changed, 7 insertions(+), 5 deletions(-) rename provisioning/roles/{wauzh_environment => wazuh_environment}/schema.j2 (100%) diff --git a/provisioning/roles/createInventory.yaml b/provisioning/roles/createInventory.yaml index f0557a8929..eb1d104009 100644 --- a/provisioning/roles/createInventory.yaml +++ b/provisioning/roles/createInventory.yaml @@ -1,7 +1,9 @@ -- hosts: localhost - gather_facts: no +--- +- name: Creating inventory using templates + hosts: localhost + tasks: - - name: Template a file + - name: "Template a file" ansible.builtin.template: - src: {{ source_template }} - dest: {{ dest_inventory}} \ No newline at end of file + src: "{{ source_template }}" + dest: "{{ dest_inventory}}" diff --git a/provisioning/roles/wauzh_environment/schema.j2 b/provisioning/roles/wazuh_environment/schema.j2 similarity index 100% rename from provisioning/roles/wauzh_environment/schema.j2 rename to provisioning/roles/wazuh_environment/schema.j2 From 12ba21200298e4f07d99df2b0f6c2abb88b2c522 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Fri, 29 Jul 2022 12:29:30 -0300 Subject: [PATCH 286/552] fix(linter): corrections applied. #3026 --- .../data/playbooks/generate_events.yaml | 20 +++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) 
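Review bot: The fixed createInventory.yaml renders the inventory with `ansible.builtin.template` and no `mode`, so the file gets the umask default; the schema.j2 it renders copies every `ansible*` connection attribute of each node into the inventory, which may include passwords or key paths, so the task should set `mode: "0600"`. Also `"{{ dest_inventory}}"` is missing the closing space and reads as a typo next to `"{{ source_template }}"`.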
diff --git a/tests/end_to_end/test_brute_force/data/playbooks/generate_events.yaml b/tests/end_to_end/test_brute_force/data/playbooks/generate_events.yaml index 081bf525ed..8d6dcb71ee 100644 --- a/tests/end_to_end/test_brute_force/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_brute_force/data/playbooks/generate_events.yaml @@ -18,7 +18,15 @@ (.*)continue connecting(.*): 'yes' (?i)password: 1 timeout: 5 - loop: [test_user, test_user, test_user, test_user, test_user, test_user, test_user, test_user] + loop: + - test_user + - test_user + - test_user + - test_user + - test_user + - test_user + - test_user + - test_user register: result failed_when: - "'Permission denied' not in result.stdout" @@ -27,7 +35,15 @@ # Case: Windows agent - name: Attempt a RDP brute force attack shell: hydra -l {{ item }} -p invalid_password rdp://wazuh-windows - loop: [test_user, test_user, test_user, test_user, test_user, test_user, test_user, test_user] + loop: + - test_user + - test_user + - test_user + - test_user + - test_user + - test_user + - test_user + - test_user register: result failed_when: - "'0 valid password found' not in result.stdout" From 812fd6e48dffd31264e55104c6a474cd41c5199b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Rebollo=20P=C3=A9rez?= Date: Fri, 29 Jul 2022 16:37:27 +0100 Subject: [PATCH 287/552] fix: schema for wazuh_environment --- .../roles/wazuh_environment/schema.j2 | 25 +++++++++---------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/provisioning/roles/wazuh_environment/schema.j2 b/provisioning/roles/wazuh_environment/schema.j2 index 4cffed33e5..c20718b42e 100644 --- a/provisioning/roles/wazuh_environment/schema.j2 +++ b/provisioning/roles/wazuh_environment/schema.j2 
@@ -1,9 +1,11 @@ {% if vars['indexer'] is defined %} {%- set indexer = vars['indexer'] -%} {%- set last_indexer_node = indexer|length - 1-%} - +{% else %} +{%- set last_indexer_node = 0-%} {% endif %} + {% if vars['dashboard'] is defined %} {%- set dashboard = vars['dashboard'] -%} {%- set dashboard_node = last_indexer_node + 2 -%} @@ -11,6 +13,7 @@ {%- set dashboard_node = last_indexer_node + 1-%} {% endif %} + {% if vars['manager'] is defined %} {%- set manager = vars['manager'] -%} {%- set master_node = dashboard_node + 1 -%} @@ -33,7 +36,9 @@ {% macro expand_ansible_connection_attributes(attributes_map) %} {% for attr_key, attr_value in attributes_map.items() %} +{% if 'ansible' in attr_key %} {{- attr_key }}: {{ attr_value }} +{% endif %} {% endfor %} {%- endmacro -%} @@ -44,15 +49,13 @@ wi_cluster: {%- for indexer_key, indexer_value in indexer.items() %} wi{{ loop.index }}: - {{ expand_ansible_connection_attributes(indexer_value['connection_attributes']) | indent(6) }} - ansible_host: {{ indexer_value['ip'] }} + {{ expand_ansible_connection_attributes(indexer_value) | indent(6) }} private_ip: {{ indexer_value['ip'] }} {% endfor %} {% if dashboard is defined %} dashboard: - ansible_host: {{ dashboard['ip'] }} - {{ expand_ansible_connection_attributes(dashboard['connection_attributes']) | indent(6) }} + {{ expand_ansible_connection_attributes(dashboard) | indent(6) }} private_ip: {{ dashboard['ip'] }} dashboard_node_name: "node-{{ dashboard_node }}" {% endif %} @@ -119,8 +122,7 @@ manager: {%- if manager['master'] %} master: - ansible_host: {{ manager['master']['ip'] }} - {{ expand_ansible_connection_attributes(manager['master']['connection_attributes']) | indent(8) }} + {{ expand_ansible_connection_attributes(manager['master']) | indent(8) }} private_ip: {{ manager['master']['ip'] }} wazuh_manager_config: cluster: 
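Review bot: The rewritten `expand_ansible_connection_attributes` macro (`@@ -33,7 +36,9 @@`) filters with `'ansible' in attr_key`, a substring test that also passes unrelated keys containing that word, and it emits `{{ attr_value }}` unquoted, so a value with `: `, `#` or a leading special character yields broken or reinterpreted YAML. `{% if attr_key.startswith('ansible_') %}` and `{{ attr_key }}: {{ attr_value | to_json }}` fix both. Because the macro is now called with the whole node dict instead of `connection_attributes`, any `ansible_password`-style key present in the source vars is written verbatim into the generated inventory; a comment at the macro saying so would tell maintainers why the rendered file must be protected.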
@@ -136,8 +138,7 @@ manager: {%- for worker_key, worker_values in workers.items() %} worker{{loop.index}}: - ansible_host: {{ worker_values['ip'] }} - {{ expand_ansible_connection_attributes(worker_values['connection_attributes']) | indent(8) }} + {{ expand_ansible_connection_attributes(worker_values) | indent(8) }} private_ip: {{ worker_values['ip'] }} wazuh_manager_config: cluster: @@ -157,8 +158,7 @@ filebeat: {%- for filebeat_key, filebeat_value in filebeat.items() %} filebeat{{ loop.index }}: - ansible_host: {{ filebeat_value['ip'] }} - {{ expand_ansible_connection_attributes(filebeat_value['connection_attributes']) | indent(6) }} + {{ expand_ansible_connection_attributes(filebeat_value) | indent(6) }} filebeat_node_name: node-{{ loop.index + master_node - 1 }} {%- endfor %} @@ -174,8 +174,7 @@ agent: hosts: {% for agent_key, agent_value in agent.items() -%} agent{{loop.index}}: - ansible_host: {{ agent_value['ip'] }} - {{ expand_ansible_connection_attributes(agent_value['connection_attributes']) | indent(6) }} + {{ expand_ansible_connection_attributes(agent_value) | indent(6) }} wazuh_managers: - address: {{ agent_value['manager_ip'] }} port: 1514 From 8c8e2d7364e6813ca2dd5ea91b3d2a4aee95988b Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Fri, 29 Jul 2022 13:51:08 -0300 Subject: [PATCH 288/552] fix: Tasks were rearranged. #3114 Ansible tasks were rearranged so that Wazuh is fully launched before generating alerts. --- .../data/playbooks/configuration.yaml | 32 +++++++++---------- .../data/playbooks/teardown.yaml | 5 +++ 2 files changed, 21 insertions(+), 16 deletions(-) diff --git a/tests/end_to_end/test_suricata_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_suricata_integration/data/playbooks/configuration.yaml index e43ea72cf6..ebe69d48e2 100644 --- a/tests/end_to_end/test_suricata_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_suricata_integration/data/playbooks/configuration.yaml 
@@ -3,6 +3,22 @@ become: true tasks: + - name: Configure Wazuh to read Suricata logs file + blockinfile: + path: /var/ossec/etc/ossec.conf + marker: + insertbefore: ^ + block: | + + syslog + /var/log/suricata/eve.json + + + - name: Restart Wazuh to apply the change + systemd: + state: restarted + name: wazuh-manager + - name: Check if Suricata is installed shell: rpm -qa suricata register: check_suricata @@ -49,19 +65,3 @@ enabled: true state: started name: suricata - - - name: Configure Wazuh to read Suricata logs file - blockinfile: - path: /var/ossec/etc/ossec.conf - marker: - insertbefore: ^ - block: | - - syslog - /var/log/suricata/eve.json - - - - name: Restart Wazuh to apply the change - systemd: - state: started - name: wazuh-manager diff --git a/tests/end_to_end/test_suricata_integration/data/playbooks/teardown.yaml b/tests/end_to_end/test_suricata_integration/data/playbooks/teardown.yaml index 3e26b1821a..a4f2285252 100644 --- a/tests/end_to_end/test_suricata_integration/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_suricata_integration/data/playbooks/teardown.yaml @@ -8,3 +8,8 @@ path: /var/ossec/etc/ossec.conf marker: state: absent + + - name: Restart Wazuh to apply the change + systemd: + state: restarted + name: wazuh-manager From c6033305286b2780776d03f11459c66af0d098d2 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Fri, 29 Jul 2022 14:25:06 -0300 Subject: [PATCH 289/552] fix: rename case --- .../test_cases/cases_windows_defender.yaml | 11 +++ .../test_windows_defender.py | 72 +++++++++---------- 2 files changed, 47 insertions(+), 36 deletions(-) diff --git a/tests/end_to_end/test_windows_defender/data/test_cases/cases_windows_defender.yaml b/tests/end_to_end/test_windows_defender/data/test_cases/cases_windows_defender.yaml index e69de29bb2..67e8fc3547 100644 --- a/tests/end_to_end/test_windows_defender/data/test_cases/cases_windows_defender.yaml +++ b/tests/end_to_end/test_windows_defender/data/test_cases/cases_windows_defender.yaml 
@@ -0,0 +1,11 @@ +- name: detect_windows_defender_disable + description: Detect when Windows Defender is disabled + configuration_parameters: null + metadata: + extra_vars: + os: Windows + event_description: Disable Windows Defender + command: Set-MpPreference -DisableRealtimeMonitoring 1 + rule.id: 255303 + rule.level: 12 + rule.description: Windows Defender Real-time Protection was disabled. diff --git a/tests/end_to_end/test_windows_defender/test_windows_defender.py b/tests/end_to_end/test_windows_defender/test_windows_defender.py index ba96a9716c..a5f373e452 100644 --- a/tests/end_to_end/test_windows_defender/test_windows_defender.py +++ b/tests/end_to_end/test_windows_defender/test_windows_defender.py @@ -11,7 +11,7 @@ # Test cases data alerts_json = os.path.join(gettempdir(), 'alerts.json') test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') -test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_vulnerability_detector.yaml') +test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_windows_defender.yaml') # Playbooks configuration_playbooks = ['configuration.yaml'] 
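Review bot: The case runs `Set-MpPreference -DisableRealtimeMonitoring 1` on the Windows agent and nothing in this commit turns it back on; unless teardown.yaml (not in this diff) runs `Set-MpPreference -DisableRealtimeMonitoring 0`, the agent is left without real-time protection for every later test. Add a comment on `command:` such as `# Leaves the agent unprotected; teardown.yaml must re-enable real-time monitoring` and confirm the teardown does it.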
@@ -19,50 +19,50 @@ teardown_playbooks = ['teardown.yaml'] # Configuration -#configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) +configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -#@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_vulnerability_detector(configure_environment, generate_events): +@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) +def test_windows_defender(configure_environment, metadata, get_dashboard_credentials, generate_events, + clean_alerts_index): """ Test to detect a vulnerability """ - print('HOLAAA') - # rule_level = metadata['rule.level'] - # rule_id = metadata['rule.id'] - # rule_description = metadata['rule.description'] + rule_level = metadata['rule.level'] + rule_id = metadata['rule.id'] + rule_description = metadata['rule.description'] - # expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)",' \ - # fr'"rule"\:{{"level"\:{rule_level},' \ - # fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' + expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)",' \ + fr'"rule"\:{{"level"\:{rule_level},' \ + fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' - # expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \ - # fr'.*"id": "{rule_id}".*' \ - # r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' + expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \ + fr'.*"id": "{rule_id}".*' \ + r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' - # # Check that alert has been raised and save timestamp - # raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - # error_message='The alert has not 
occurred').result() - # raised_alert_timestamp = raised_alert.group(1) + # Check that alert has been raised and save timestamp + raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + error_message='The alert has not occurred').result() + raised_alert_timestamp = raised_alert.group(1) - # query = e2e.make_query([ - # { - # "term": { - # "rule.id": f"{rule_id}" - # } - # }, - # { - # "term": { - # "timestamp": f"{raised_alert_timestamp}" - # } - # } - # ]) + query = e2e.make_query([ + { + "term": { + "rule.id": f"{rule_id}" + } + }, + { + "term": { + "timestamp": f"{raised_alert_timestamp}" + } + } + ]) - # # Check if the alert has been indexed and get its data - # response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) - # indexed_alert = json.dumps(response.json()) + # Check if the alert has been indexed and get its data + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + indexed_alert = json.dumps(response.json()) - # # Check that the alert data is the expected one - # alert_data = re.search(expected_indexed_alert, indexed_alert) - # assert alert_data is not None, 'Alert triggered, but not indexed' + # Check that the alert data is the expected one + alert_data = re.search(expected_indexed_alert, indexed_alert) + assert alert_data is not None, 'Alert triggered, but not indexed' From bbfd8565f53e837f338ce82b9badcf37d86455ce Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Fri, 29 Jul 2022 14:41:43 -0300 Subject: [PATCH 290/552] fix: configuration yaml improved --- .../test_windows_defender/data/playbooks/configuration.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/end_to_end/test_windows_defender/data/playbooks/configuration.yaml b/tests/end_to_end/test_windows_defender/data/playbooks/configuration.yaml index 36285a42d6..16a75bfe4b 100644 --- a/tests/end_to_end/test_windows_defender/data/playbooks/configuration.yaml 
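Review bot: The restored test's docstring still reads `Test to detect a vulnerability`, copied from the vulnerability-detector test; it should say something like `Check that disabling Windows Defender real-time protection raises rule 255303 and that the alert is indexed`. `rule_description` (`Windows Defender Real-time Protection was disabled.`) is interpolated into `expected_alert_json` and `expected_indexed_alert` unescaped, so its final `.` matches any character; wrap it as `re.escape(rule_description)` where the patterns are built. The signature in this hunk takes `get_dashboard_credentials` as a fixture, and the hunk's `raised_alert` line is split across the diff boundary, so the full function should be read in the file.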
+++ b/tests/end_to_end/test_windows_defender/data/playbooks/configuration.yaml @@ -17,7 +17,8 @@ ansible.windows.win_shell: | Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" - Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`nMicrosoft-Windows-Windows Defender/Operational" + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' ` + "`nMicrosoft-Windows-Windows Defender/Operational" Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`neventchannel" Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" @@ -50,4 +51,3 @@ - name: Restart wazuh-manager become: true shell: systemctl restart wazuh-manager - From a2a32cf09b49f318393d5d1265e16a29a635d7b7 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Fri, 29 Jul 2022 14:55:15 -0300 Subject: [PATCH 291/552] fix: improve cases yaml --- .../data/test_cases/cases_windows_defender.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/end_to_end/test_windows_defender/data/test_cases/cases_windows_defender.yaml b/tests/end_to_end/test_windows_defender/data/test_cases/cases_windows_defender.yaml index 67e8fc3547..1e4064ff1a 100644 --- a/tests/end_to_end/test_windows_defender/data/test_cases/cases_windows_defender.yaml +++ b/tests/end_to_end/test_windows_defender/data/test_cases/cases_windows_defender.yaml @@ -3,7 +3,6 @@ configuration_parameters: null metadata: extra_vars: - os: Windows event_description: Disable Windows Defender command: Set-MpPreference -DisableRealtimeMonitoring 1 rule.id: 255303 From dc1081b11f7ec3aebf3f20bfe24b0d387bbae372 Mon Sep 17 00:00:00 2001 
From: Belen Valdivia Date: Fri, 29 Jul 2022 16:46:00 -0300 Subject: [PATCH 292/552] Add: test structure --- .../data/playbooks/configuration.yaml | 97 +++++++++++++++++++ .../data/playbooks/generate_events.yaml | 32 ++++++ .../data/playbooks/teardown.yaml | 0 .../data/test_cases/cases_ip_reputation.yaml | 0 .../test_ip_reputation/test_ip_reputation.py | 66 +++++++++++++ 5 files changed, 195 insertions(+) create mode 100644 tests/end_to_end/test_ip_reputation/data/playbooks/configuration.yaml create mode 100644 tests/end_to_end/test_ip_reputation/data/playbooks/generate_events.yaml create mode 100644 tests/end_to_end/test_ip_reputation/data/playbooks/teardown.yaml create mode 100644 tests/end_to_end/test_ip_reputation/data/test_cases/cases_ip_reputation.yaml create mode 100644 tests/end_to_end/test_ip_reputation/test_ip_reputation.py diff --git a/tests/end_to_end/test_ip_reputation/data/playbooks/configuration.yaml b/tests/end_to_end/test_ip_reputation/data/playbooks/configuration.yaml new file mode 100644 index 0000000000..932ea392d5 --- /dev/null +++ b/tests/end_to_end/test_ip_reputation/data/playbooks/configuration.yaml 
@@ -0,0 +1,97 @@ +- name: Test manager configuration + hosts: wazuh-manager + become: true + tasks: + + - name: Install apache + become: true + shell: dnf install httpd -y + + - name: Start apache + become: true + shell: systemctl start httpd + + - name: Install pyhton + become: true + shell: yum install python39 -y + + - name: Download Alienvault IP + become: yes + shell: wget https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/alienvault_reputation.ipset -O /var/ossec/etc/lists/alienvault_reputation.ipset + + - name: Download script to convert from ipset format to cdblist format + become: yes + shell: wget https://wazuh.com/resources/iplist-to-cdblist.py -O /tmp/iplist-to-cdblist.py + + - name: Add the attacker IP to the list + become: yes + shell: echo "192.168.0.16" >> /var/ossec/etc/lists/alienvault_reputation.ipset + + - name: Convert .ipset to .cdb using script + become: yes + shell: python3 /tmp/iplist-to-cdblist.py /var/ossec/etc/lists/alienvault_reputation.ipset /var/ossec/etc/lists/blacklist-alienvault + + - name: Remove the .ipset file and the script + become: yes + shell: | + rm -rf /var/ossec/etc/lists/alienvault_reputation.ipset + rm -rf /var/ossec/etc/lists/iplist-to-cdblist.py + + - name: Assign the right permissions and owner to the file + become: yes + shell: | + chown wazuh:wazuh /var/ossec/etc/lists/blacklist-alienvault + chmod 660 /var/ossec/etc/lists/blacklist-alienvault + + - name: Configure localfile + blockinfile: + path: /var/ossec/etc/ossec.conf + insertbefore: + block: | + + apache + /var/log/httpd/access_log + + + + ruleset/decoders + ruleset/rules + 0215-policy_rules.xml + etc/lists/audit-keys + etc/lists/blacklist-alienvault + + etc/decoders + etc/rules + + + + firewall-drop + firewall-drop + yes + + + + firewall-drop + server + 100100 + 10s + + marker: + + - name: Configure local rules virus total integration + become: true + blockinfile: + path: /var/ossec/etc/rules/local_rules.xml + insertafter: + block: | + + + 
web|attack|attacks + etc/lists/blacklist-alienvault + IP address found in AlienVault reputation database. + + + marker: + + - name: Restart the manager + shell: systemctl restart wazuh-manager diff --git a/tests/end_to_end/test_ip_reputation/data/playbooks/generate_events.yaml b/tests/end_to_end/test_ip_reputation/data/playbooks/generate_events.yaml new file mode 100644 index 0000000000..511e51bf70 --- /dev/null +++ b/tests/end_to_end/test_ip_reputation/data/playbooks/generate_events.yaml @@ -0,0 +1,32 @@ +- name: Truncate files + hosts: wazuh-manager + tasks: + + - name: Truncate file alert.json + shell: echo "" > /var/ossec/logs/alerts/alerts.json + become: true + +- name: Generate events + hosts: wazuh-windows + tasks: + + - name: apache + ansible.windows.win_shell: | + $Web = New-Object Net.WebClient + $Web.DownloadString("http://192.168.0.17") + ignore_errors: yes + +- name: Wait alert + hosts: wazuh-manager + tasks: + + - name: Waiting for vulnerability scan, alert reporting and indexing + wait_for: + timeout: 60 + + - name: Get alerts.json + fetch: + src: /var/ossec/logs/alerts/alerts.json + dest: /tmp/ + flat: true + become: true diff --git a/tests/end_to_end/test_ip_reputation/data/playbooks/teardown.yaml b/tests/end_to_end/test_ip_reputation/data/playbooks/teardown.yaml new file mode 100644 index 0000000000..e69de29bb2 diff --git a/tests/end_to_end/test_ip_reputation/data/test_cases/cases_ip_reputation.yaml b/tests/end_to_end/test_ip_reputation/data/test_cases/cases_ip_reputation.yaml new file mode 100644 index 0000000000..e69de29bb2 diff --git a/tests/end_to_end/test_ip_reputation/test_ip_reputation.py b/tests/end_to_end/test_ip_reputation/test_ip_reputation.py new file mode 100644 index 0000000000..5085b66187 --- /dev/null +++ b/tests/end_to_end/test_ip_reputation/test_ip_reputation.py 
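Review bot: The `Download script to convert from ipset format to cdblist format` task fetches `https://wazuh.com/resources/iplist-to-cdblist.py` with `wget` and the next task runs it as root with `python3`, with no checksum or pinned revision; whoever controls that URL (or the unpinned GitHub `master` blocklist fetched the same way) gets code execution as root on the manager. Replace both `shell: wget ...` tasks with `get_url` plus `checksum: sha256:<digest>`, or vendor the script under `data/configuration/` and `copy` it. The cleanup `rm -rf /var/ossec/etc/lists/iplist-to-cdblist.py` targets a path that was never written — the script was saved to `/tmp/iplist-to-cdblist.py` — so it is left behind. The generate_events playbook in the same commit hard-codes `http://192.168.0.17` for the manager and truncates alerts.json with `echo "" >`, both worth a comment or a variable.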
@@ -0,0 +1,66 @@ +import os +import json +import re +import pytest +from tempfile import gettempdir + +from wazuh_testing import end_to_end as e2e +from wazuh_testing import event_monitor as evm +from wazuh_testing.tools import configuration as config + + +alerts_json = os.path.join(gettempdir(), 'alerts.json') +test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') +test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_sql_injection.yaml') +configuration_playbooks = ['configuration.yaml'] +events_playbooks = ['generate_events.yaml'] +teardown_playbooks = ['teardown.yaml'] + +#configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) + + +@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') +#@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) +def test_ip_reputation(configure_environment, metadata, get_dashboard_credentials, generate_events, + clean_alerts_index): + """ + Test to detect a SQL injection attack + """ + # rule_id = metadata['rule.id'] + # rule_level = metadata['rule.level'] + # rule_description = metadata['rule.description'] + # rule_mitre_technique = metadata['extra']['mitre_technique'] + + # expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{rule_level},' \ + # fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' + + # expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \ + # fr'.*"mitre":.*"{rule_mitre_technique}".*"id": "{rule_id}".*'\ + # r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' + + # # Check that alert has been raised and save timestamp + # raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + # error_message='The alert has not occurred').result() + # raised_alert_timestamp = raised_alert.group(1) + + # query = e2e.make_query([ + + # { + # "term": { 
+ # "rule.id": f"{rule_id}" + # } + # }, + # { + # "term": { + # "timestamp": f"{raised_alert_timestamp}" + # } + # } + # ]) + + # # Check if the alert has been indexed and get its data + # response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + # indexed_alert = json.dumps(response.json()) + + # # Check that the alert data is the expected one + # alert_data = re.search(expected_indexed_alert, indexed_alert) + # assert alert_data is not None, 'Alert triggered, but not indexed' From f1c9938c96b60a5587ab444a4da2ecd55451d839 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Mon, 1 Aug 2022 11:12:22 -0300 Subject: [PATCH 293/552] fix: task name --- .../test_windows_defender/data/playbooks/configuration.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/test_windows_defender/data/playbooks/configuration.yaml b/tests/end_to_end/test_windows_defender/data/playbooks/configuration.yaml index 16a75bfe4b..9b4eca9eea 100644 --- a/tests/end_to_end/test_windows_defender/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_windows_defender/data/playbooks/configuration.yaml @@ -13,7 +13,7 @@ dest: C:\temp remote_src: true - - name: Enable the agent module to collect installed packages (Windows) + - name: Enable the agent to collect eventchannel logs ansible.windows.win_shell: | Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" From 113a9c2979f9ad4abe64095bc0e991fa3eaeaa09 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Mon, 1 Aug 2022 14:03:02 -0300 Subject: [PATCH 294/552] add: cases yaml --- .../data/test_cases/cases_ip_reputation.yaml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/tests/end_to_end/test_ip_reputation/data/test_cases/cases_ip_reputation.yaml b/tests/end_to_end/test_ip_reputation/data/test_cases/cases_ip_reputation.yaml index e69de29bb2..ae960f1e4b 100644 
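Review bot: `test_cases_file_path` points at `cases_sql_injection.yaml`, but the file this commit creates (see the diffstat) is `cases_ip_reputation.yaml`, so uncommenting the `get_test_cases_data` line will raise FileNotFoundError; change it to `os.path.join(test_data_path, 'test_cases', 'cases_ip_reputation.yaml')`. The function also takes `metadata` while the `parametrize` decorator is commented out, so as written pytest will report a missing `metadata` fixture unless a conftest supplies one. The docstring `Test to detect a SQL injection attack` is copied from another test and should describe the IP-reputation / firewall-drop scenario.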
--- a/tests/end_to_end/test_ip_reputation/data/test_cases/cases_ip_reputation.yaml +++ b/tests/end_to_end/test_ip_reputation/data/test_cases/cases_ip_reputation.yaml @@ -0,0 +1,15 @@ +- name: ip_reputation_active_response + description: Detecting IP reputation + configuration_parameters: null + metadata: + extra_vars: + event_description: Access Apache wen server + command: | + $Web = New-Object Net.WebClient + $Web.DownloadString("http://192.168.0.17") + rule.id: 641 + rule.level: 12 + rule.description: + rule.id.alienvault: 100100 + rule.level.alienvault: 10 + rule.description.alienvault: IP address found in AlienVault reputation database From 747b01d8f26678e38f26004e8bebf33188dcecb3 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Tue, 2 Aug 2022 01:03:40 -0300 Subject: [PATCH 295/552] add: generate events --- .../data/playbooks/configuration.yaml | 9 +++++---- .../data/playbooks/generate_events.yaml | 12 +++++------- .../data/test_cases/cases_ip_reputation.yaml | 18 ++++++++++-------- 3 files changed, 20 insertions(+), 19 deletions(-) diff --git a/tests/end_to_end/test_ip_reputation/data/playbooks/configuration.yaml b/tests/end_to_end/test_ip_reputation/data/playbooks/configuration.yaml index 932ea392d5..3d4a4dbf62 100644 --- a/tests/end_to_end/test_ip_reputation/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_ip_reputation/data/playbooks/configuration.yaml @@ -5,7 +5,7 @@ - name: Install apache become: true - shell: dnf install httpd -y + shell: yum install httpd -y - name: Start apache become: true @@ -25,7 +25,7 @@ - name: Add the attacker IP to the list become: yes - shell: echo "192.168.0.16" >> /var/ossec/etc/lists/alienvault_reputation.ipset + shell: echo "{{ attacker_ip_win }}" >> /var/ossec/etc/lists/alienvault_reputation.ipset - name: Convert .ipset to .cdb using script become: yes 
@@ -43,7 +43,7 @@ chown wazuh:wazuh /var/ossec/etc/lists/blacklist-alienvault chmod 660 /var/ossec/etc/lists/blacklist-alienvault - - name: Configure localfile + - name: Configure ossec.conf blockinfile: path: /var/ossec/etc/ossec.conf insertbefore: @@ -78,7 +78,7 @@ marker: - - name: Configure local rules virus total integration + - name: Configure local rules active response become: true blockinfile: path: /var/ossec/etc/rules/local_rules.xml @@ -94,4 +94,5 @@ marker: - name: Restart the manager + become: true shell: systemctl restart wazuh-manager diff --git a/tests/end_to_end/test_ip_reputation/data/playbooks/generate_events.yaml b/tests/end_to_end/test_ip_reputation/data/playbooks/generate_events.yaml index 511e51bf70..c661962de5 100644 --- a/tests/end_to_end/test_ip_reputation/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_ip_reputation/data/playbooks/generate_events.yaml @@ -10,19 +10,17 @@ hosts: wazuh-windows tasks: - - name: apache - ansible.windows.win_shell: | - $Web = New-Object Net.WebClient - $Web.DownloadString("http://192.168.0.17") - ignore_errors: yes + - name: "{{ event_description }}" + ansible.windows.win_shell: "{{ command }}" + ignore_errors: yes # Added 'ignore errors' because the IP is blacklisted - name: Wait alert hosts: wazuh-manager tasks: - - name: Waiting for vulnerability scan, alert reporting and indexing + - name: Waiting for alert wait_for: - timeout: 60 + timeout: 5 - name: Get alerts.json fetch: diff --git a/tests/end_to_end/test_ip_reputation/data/test_cases/cases_ip_reputation.yaml b/tests/end_to_end/test_ip_reputation/data/test_cases/cases_ip_reputation.yaml index ae960f1e4b..67dcf12c17 100644 --- a/tests/end_to_end/test_ip_reputation/data/test_cases/cases_ip_reputation.yaml +++ b/tests/end_to_end/test_ip_reputation/data/test_cases/cases_ip_reputation.yaml 
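Review bot: The `Waiting for alert` task cuts the fixed pause from 60 s to 5 s and `Get alerts.json` fetches the file immediately after it, so on a slow manager the fetched copy can predate one or both alerts and the test fails for a timing reason rather than a detection reason. A fixed sleep is the wrong primitive here; `wait_for: path: /var/ossec/logs/alerts/alerts.json search_regex: '"id":"651"' timeout: 60` returns as soon as the active-response alert is written and still bounds the wait (the rule id could be passed in from the test-case metadata like `command` is). Please also add a short comment on why the Windows request is expected to error, since `ignore_errors: yes` otherwise hides every failure of that task, including a typo in `command`.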
@@ -3,13 +3,15 @@ configuration_parameters: null metadata: extra_vars: - event_description: Access Apache wen server + event_description: Access Apache web server command: | $Web = New-Object Net.WebClient - $Web.DownloadString("http://192.168.0.17") - rule.id: 641 - rule.level: 12 - rule.description: - rule.id.alienvault: 100100 - rule.level.alienvault: 10 - rule.description.alienvault: IP address found in AlienVault reputation database + $Web.DownloadString("http://wazuh-manager") + malicious_ip: + rule.id: 100100 + rule.level: 10 + rule.description: IP address found in AlienVault reputation database. + active_response: + rule.id: 651 + rule.level: 3 + rule.description : Host Blocked by firewall-drop Active Response From 0bd71cfe9216e7d94302af284b0499f3a054a5aa Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Tue, 2 Aug 2022 01:04:09 -0300 Subject: [PATCH 296/552] add: teardown yaml --- .../data/playbooks/teardown.yaml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/tests/end_to_end/test_ip_reputation/data/playbooks/teardown.yaml b/tests/end_to_end/test_ip_reputation/data/playbooks/teardown.yaml index e69de29bb2..76e10d8d7f 100644 --- a/tests/end_to_end/test_ip_reputation/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_ip_reputation/data/playbooks/teardown.yaml @@ -0,0 +1,29 @@ +- name: Cleanup environment + hosts: wazuh-manager + tasks: + + - name: Uninstall apache + become: true + command: yum remove httpd -y + + - name: Uninstall python + become: true + command: yum remove python39 -y + + - name: Delete added rules + become: true + blockinfile: + path: /var/ossec/etc/rules/local_rules.xml + block: '' + marker: + + - name: Delete the ossec.conf configuration + become: true + blockinfile: + path: /var/ossec/etc/ossec.conf + block: '' + marker: + + - name: Restart the manager + become: true + shell: systemctl restart wazuh-manager From 4fd1b118c6f853dfabf69773c77443fdf23b2521 Mon Sep 17 00:00:00 2001 
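Review bot: The teardown never removes `/var/ossec/etc/lists/blacklist-alienvault`, which the configuration playbook creates and chowns to `wazuh:wazuh`, nor the converter script it downloads, so the CDB list survives the test and the next run silently reuses it; add `- name: Remove the blacklist` with `file: path: /var/ossec/etc/lists/blacklist-alienvault state: absent` before the manager restart. `yum remove python39 -y` is more than a cleanup: if python39 was already on the host before the test, this uninstalls a system interpreter, so it should be guarded by a registered result from the install task rather than run unconditionally. Both `blockinfile` tasks depend on markers whose text is not visible on this page and which presumably mirror the ones inserted by the configuration playbook — worth confirming they are byte-identical, since a mismatch leaves the rule and list entries in place after a "successful" teardown.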
From: Belen Valdivia Date: Tue, 2 Aug 2022 01:04:43 -0300 Subject: [PATCH 297/552] add: check 2 alerts in logs --- .../test_ip_reputation/test_ip_reputation.py | 90 ++++++++++--------- 1 file changed, 48 insertions(+), 42 deletions(-) diff --git a/tests/end_to_end/test_ip_reputation/test_ip_reputation.py b/tests/end_to_end/test_ip_reputation/test_ip_reputation.py index 5085b66187..027d3741de 100644 --- a/tests/end_to_end/test_ip_reputation/test_ip_reputation.py +++ b/tests/end_to_end/test_ip_reputation/test_ip_reputation.py 
@@ -11,56 +11,62 @@ alerts_json = os.path.join(gettempdir(), 'alerts.json') test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') -test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_sql_injection.yaml') +test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_ip_reputation.yaml') configuration_playbooks = ['configuration.yaml'] events_playbooks = ['generate_events.yaml'] teardown_playbooks = ['teardown.yaml'] -#configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) +configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -#@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) +@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) def test_ip_reputation(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): """ - Test to detect a SQL injection attack + Test to detect a IP Reputation """ - # rule_id = metadata['rule.id'] - # rule_level = metadata['rule.level'] - # rule_description = metadata['rule.description'] - # rule_mitre_technique = metadata['extra']['mitre_technique'] - - # expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{rule_level},' \ - # fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' - - # expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \ - # fr'.*"mitre":.*"{rule_mitre_technique}".*"id": "{rule_id}".*'\ - # r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' - - # # Check that alert has been raised and save timestamp - # raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - # error_message='The alert has not occurred').result() - # raised_alert_timestamp = raised_alert.group(1) - 
- # query = e2e.make_query([ - - # { - # "term": { - # "rule.id": f"{rule_id}" - # } - # }, - # { - # "term": { - # "timestamp": f"{raised_alert_timestamp}" - # } - # } - # ]) - - # # Check if the alert has been indexed and get its data - # response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) - # indexed_alert = json.dumps(response.json()) - - # # Check that the alert data is the expected one - # alert_data = re.search(expected_indexed_alert, indexed_alert) - # assert alert_data is not None, 'Alert triggered, but not indexed' + + first_alert = {"rule_id": metadata['malicious_ip']['rule.id'], "rule_level": metadata['malicious_ip']['rule.level'], + "rule_description": metadata['malicious_ip']['rule.description']} + second_alert = {"rule_id": metadata['active_response']['rule.id'], "rule_level": metadata['active_response']['rule.level'], + "rule_description": metadata['active_response']['rule.description']} + + ip_alerts = [first_alert, second_alert] + + for alert in ip_alerts: + expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{alert["rule_level"]},' \ + fr'"description"\:"{alert["rule_description"]}","id"\:"{alert["rule_id"]}".*\}}' + + expected_indexed_alert = fr'.*"rule":.*"level": {alert["rule_level"]},.*"description": "{alert["rule_description"]}"' \ + fr'.*"id": "{alert["rule_id"]}".*'\ + r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' + + # Check that alert has been raised and save timestamp + raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + error_message='The alert has not occurred').result() + raised_alert_timestamp = raised_alert.group(1) + + rule_id = alert["rule_id"] + + query = e2e.make_query([ + + { + "term": { + "rule.id": f"{rule_id}" + } + }, + { + "term": { + "timestamp": f"{raised_alert_timestamp}" + } + } + ]) + + # Check if the alert has been indexed and get its data + response = 
e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + indexed_alert = json.dumps(response.json()) + + # Check that the alert data is the expected one + alert_data = re.search(expected_indexed_alert, indexed_alert) + assert alert_data is not None, 'Alert triggered, but not indexed' From d83c74e535b92bbe83b591561567d3ba008c56b6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Rebollo=20P=C3=A9rez?= Date: Tue, 2 Aug 2022 10:10:34 +0100 Subject: [PATCH 298/552] add: support for custom packages for indexer/dashboard --- .../roles/wazuh_environment/schema.j2 | 31 +++++++++++++++++-- 1 file changed, 28 insertions(+), 3 deletions(-) diff --git a/provisioning/roles/wazuh_environment/schema.j2 b/provisioning/roles/wazuh_environment/schema.j2 index c20718b42e..e6bbaf4e59 100644 --- a/provisioning/roles/wazuh_environment/schema.j2 +++ b/provisioning/roles/wazuh_environment/schema.j2 
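Review bot: `alert["rule_description"]` is interpolated into both `expected_alert_json` and `expected_indexed_alert` as raw regex text, so the `.` in "IP address found in AlienVault reputation database." matches any character and a future description containing `(`, `+` or `|` would break or silently loosen the match; wrap it as `re.escape(alert["rule_description"])` in both patterns. The second loop iteration calls `evm.check_event` on the same `alerts_json`: if the monitor only reports lines appended after it starts (its implementation is outside this hunk), the rule 651 alert already present in the fetched file is never seen and the loop times out, so the intended rescan-from-start behavior should be confirmed and stated in a comment. The `filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning')` marker suggests the indexer is queried with TLS verification disabled; that is acceptable in a lab but belongs in the docstring, e.g. `"""Check that both IP-reputation alerts (rule 100100, then AR rule 651) reach alerts.json and the indexer. The indexer is queried with TLS verification disabled."""`.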
@@ -192,27 +192,52 @@ all: # General ansible connection parameters ansible_ssh_common_args: -o StrictHostKeyChecking=no ansible_winrm_server_cert_validation: ignore + # Custom Packages parameters wazuh_custom_packages_installation_agent_enabled: true wazuh_custom_packages_installation_manager_enabled: true + + wazuh_custom_packages_installation_dashboard_enabled: true + wazuh_custom_packages_installation_indexer_enabled: true + + {% if custom_package_deb_agent is defined%} wazuh_custom_packages_installation_agent_deb_url: {{ custom_package_deb_agent }} {% endif %} + {% if custom_package_rpm_agent is defined%} wazuh_custom_packages_installation_agent_rpm_url: {{ custom_package_rpm_agent }} {% endif %} {% if custom_pakckage_msi_agent is defined%} wazuh_custom_packages_installation_agent_msi_url: {{ custom_pakckage_msi_agent}} {% endif %} - {% if macos_agent_pkg is defined%} + {% if custom_package_macos_agent is defined%} macos_agent_pkg: {{ custom_package_macos_agent}} {% endif %} - {% if solaris_agent_pkg is defined%} + {% if custom_package_solaris_agent is defined%} solaris_agent_pkg: {{ custom_package_solaris_agent}} {% endif %} {% if custom_package_deb_manager is defined%} wazuh_custom_packages_installation_manager_deb_url: {{ custom_package_deb_manager}} {% endif %} - {% if wazuh_custom_packages_installation_manager_rpm_url is defined%} + {% if custom_package_rpm_manager is defined%} wazuh_custom_packages_installation_manager_rpm_url: {{ custom_package_rpm_manager}} {% endif %} + + {% if custom_package_deb_dashboard is defined%} + wazuh_custom_packages_installation_dashboard_deb_url: {{ custom_package_deb_dashboard}} + {% endif %} + + + {% if custom_package_rpm_dashboard is defined%} + wazuh_custom_packages_installation_dashboard_rpm_url: {{ custom_package_rpm_dashboard}} + {% endif %} + + + {% if custom_package_deb_indexer is defined%} + wazuh_custom_packages_installation_indexer_deb_url: {{ custom_package_deb_indexer}} + {% endif %} + + {% if 
custom_package_rpm_indexer is defined%} + wazuh_custom_packages_installation_indexer_rpm_url: {{ custom_package_rpm_indexer}} + {% endif %} From 83f2f00cfaf113accd4022dc6df6f21e88950254 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Rebollo=20P=C3=A9rez?= Date: Tue, 2 Aug 2022 11:02:05 +0100 Subject: [PATCH 299/552] fix: indentation for custom_packages fields --- provisioning/roles.yaml | 2 +- .../roles/wazuh_environment/schema.j2 | 22 +++++++++---------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/provisioning/roles.yaml b/provisioning/roles.yaml index 9183ba4d99..1da3500158 100644 --- a/provisioning/roles.yaml +++ b/provisioning/roles.yaml @@ -24,7 +24,7 @@ agent: version: VERSION revision: REVISION repository: REPOSITORY - manager: MANAGER_HOST + manager_ip: MANAGER_HOST #---------------------- diff --git a/provisioning/roles/wazuh_environment/schema.j2 b/provisioning/roles/wazuh_environment/schema.j2 index e6bbaf4e59..bd9b8b02c1 100644 --- a/provisioning/roles/wazuh_environment/schema.j2 +++ b/provisioning/roles/wazuh_environment/schema.j2 
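Review bot: Each new `wazuh_custom_packages_installation_*_url` is handed to the install roles with no accompanying checksum, and the same inventory block fixes `ansible_ssh_common_args: -o StrictHostKeyChecking=no` and `ansible_winrm_server_cert_validation: ignore`, so a package served from an intercepted or mistyped URL would be installed as root with nothing to catch the substitution; a parallel `{% if custom_package_deb_indexer_checksum is defined %}` variable consumed by `get_url: checksum:` in the roles, or at minimum an HTTPS-only convention documented next to these keys, would close that. `wazuh_custom_packages_installation_indexer_enabled: true` and `..._dashboard_enabled: true` are emitted unconditionally even when no indexer/dashboard URL is defined; how the roles behave with the flag set and the URL undefined is outside this hunk and worth confirming before merging. The pre-existing `custom_pakckage_msi_agent` spelling is kept on both sides, so anyone passing `custom_package_msi_agent` silently gets the default MSI.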
@@ -201,43 +201,43 @@ all: wazuh_custom_packages_installation_indexer_enabled: true - {% if custom_package_deb_agent is defined%} + {% if custom_package_deb_agent is defined-%} wazuh_custom_packages_installation_agent_deb_url: {{ custom_package_deb_agent }} {% endif %} - {% if custom_package_rpm_agent is defined%} + {%- if custom_package_rpm_agent is defined-%} wazuh_custom_packages_installation_agent_rpm_url: {{ custom_package_rpm_agent }} {% endif %} - {% if custom_pakckage_msi_agent is defined%} + {%- if custom_pakckage_msi_agent is defined-%} wazuh_custom_packages_installation_agent_msi_url: {{ custom_pakckage_msi_agent}} {% endif %} - {% if custom_package_macos_agent is defined%} + {%- if custom_package_macos_agent is defined-%} macos_agent_pkg: {{ custom_package_macos_agent}} {% endif %} - {% if custom_package_solaris_agent is defined%} + {%- if custom_package_solaris_agent is defined-%} solaris_agent_pkg: {{ custom_package_solaris_agent}} {% endif %} - {% if custom_package_deb_manager is defined%} + {%- if custom_package_deb_manager is defined-%} wazuh_custom_packages_installation_manager_deb_url: {{ custom_package_deb_manager}} {% endif %} - {% if custom_package_rpm_manager is defined%} + {%- if custom_package_rpm_manager is defined-%} wazuh_custom_packages_installation_manager_rpm_url: {{ custom_package_rpm_manager}} {% endif %} - {% if custom_package_deb_dashboard is defined%} + {%- if custom_package_deb_dashboard is defined-%} wazuh_custom_packages_installation_dashboard_deb_url: {{ custom_package_deb_dashboard}} {% endif %} - {% if custom_package_rpm_dashboard is defined%} + {%- if custom_package_rpm_dashboard is defined-%} wazuh_custom_packages_installation_dashboard_rpm_url: {{ custom_package_rpm_dashboard}} {% endif %} - {% if custom_package_deb_indexer is defined%} + {%- if custom_package_deb_indexer is defined-%} wazuh_custom_packages_installation_indexer_deb_url: {{ custom_package_deb_indexer}} {% endif %} - {% if custom_package_rpm_indexer is 
defined%} + {%- if custom_package_rpm_indexer is defined-%} wazuh_custom_packages_installation_indexer_rpm_url: {{ custom_package_rpm_indexer}} {% endif %} From 66fb2ad7e7bed0c426f4d8f76c17912c74e052f6 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Tue, 2 Aug 2022 09:52:08 -0300 Subject: [PATCH 300/552] fix: rename task in configuration yaml --- .../test_ip_reputation/data/playbooks/configuration.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/test_ip_reputation/data/playbooks/configuration.yaml b/tests/end_to_end/test_ip_reputation/data/playbooks/configuration.yaml index 3d4a4dbf62..df32c4ef12 100644 --- a/tests/end_to_end/test_ip_reputation/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_ip_reputation/data/playbooks/configuration.yaml @@ -78,7 +78,7 @@ marker: - - name: Configure local rules active response + - name: Configure local rules become: true blockinfile: path: /var/ossec/etc/rules/local_rules.xml From 11df3468a488a3739cae0a17fe3e96b6508a97ed Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Tue, 2 Aug 2022 09:52:38 -0300 Subject: [PATCH 301/552] add: parametrize events generation --- .../test_ip_reputation/data/playbooks/generate_events.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/test_ip_reputation/data/playbooks/generate_events.yaml b/tests/end_to_end/test_ip_reputation/data/playbooks/generate_events.yaml index c661962de5..61216cc8f5 100644 --- a/tests/end_to_end/test_ip_reputation/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_ip_reputation/data/playbooks/generate_events.yaml @@ -12,7 +12,7 @@ - name: "{{ event_description }}" ansible.windows.win_shell: "{{ command }}" - ignore_errors: yes # Added 'ignore errors' because the IP is blacklisted + ignore_errors: yes # Ignore powershell error - name: Wait alert hosts: wazuh-manager From a8d377d9f255cfdae2a246368d3552f4a796155f Mon Sep 17 00:00:00 2001 
From: Belen Valdivia Date: Tue, 2 Aug 2022 11:01:08 -0300 Subject: [PATCH 302/552] Fix lynter errores --- .../data/playbooks/configuration.yaml | 34 +++++++++++-------- .../data/playbooks/generate_events.yaml | 4 +-- .../data/test_cases/cases_ip_reputation.yaml | 2 +- .../test_ip_reputation/test_ip_reputation.py | 18 ++++++---- 4 files changed, 33 insertions(+), 25 deletions(-) diff --git a/tests/end_to_end/test_ip_reputation/data/playbooks/configuration.yaml b/tests/end_to_end/test_ip_reputation/data/playbooks/configuration.yaml index df32c4ef12..57ab09299c 100644 --- a/tests/end_to_end/test_ip_reputation/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_ip_reputation/data/playbooks/configuration.yaml 
@@ -16,29 +16,33 @@ shell: yum install python39 -y - name: Download Alienvault IP - become: yes - shell: wget https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/alienvault_reputation.ipset -O /var/ossec/etc/lists/alienvault_reputation.ipset + become: true + shell: > + wget https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/alienvault_reputation.ipset + -O /var/ossec/etc/lists/alienvault_reputation.ipset - name: Download script to convert from ipset format to cdblist format - become: yes + become: true shell: wget https://wazuh.com/resources/iplist-to-cdblist.py -O /tmp/iplist-to-cdblist.py - name: Add the attacker IP to the list - become: yes + become: true shell: echo "{{ attacker_ip_win }}" >> /var/ossec/etc/lists/alienvault_reputation.ipset - name: Convert .ipset to .cdb using script - become: yes - shell: python3 /tmp/iplist-to-cdblist.py /var/ossec/etc/lists/alienvault_reputation.ipset /var/ossec/etc/lists/blacklist-alienvault + become: true + shell: > + python3 /tmp/iplist-to-cdblist.py /var/ossec/etc/lists/alienvault_reputation.ipset + /var/ossec/etc/lists/blacklist-alienvault - name: Remove the .ipset file and the script - become: yes + become: true shell: | rm -rf /var/ossec/etc/lists/alienvault_reputation.ipset rm -rf /var/ossec/etc/lists/iplist-to-cdblist.py - name: Assign the right permissions and owner to the file - become: yes + become: true shell: | chown wazuh:wazuh /var/ossec/etc/lists/blacklist-alienvault chmod 660 /var/ossec/etc/lists/blacklist-alienvault @@ -84,13 +88,13 @@ path: /var/ossec/etc/rules/local_rules.xml insertafter: block: | - - - web|attack|attacks - etc/lists/blacklist-alienvault - IP address found in AlienVault reputation database. - - + + + web|attack|attacks + etc/lists/blacklist-alienvault + IP address found in AlienVault reputation database. + + marker: - name: Restart the manager 
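Review bot: `Remove the .ipset file and the script` deletes `/var/ossec/etc/lists/iplist-to-cdblist.py`, but the script was downloaded to `/tmp/iplist-to-cdblist.py` two tasks earlier, so that `rm -rf` is a no-op and the downloaded script is left on the manager; change it to `rm -f /tmp/iplist-to-cdblist.py`. Both downloads (the firehol ipset from `master` and the wazuh.com converter) are fetched with `wget` and the converter is then executed as root with no checksum or signature check, so the trust boundary of this test is whoever controls those two URLs; `get_url` with `checksum: sha256:...` for the script, and a commit-pinned URL for the ipset, would make the run both safer and reproducible. The block-wrapped `- name: Restart the manager` task continues past the end of the hunk.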
diff --git a/tests/end_to_end/test_ip_reputation/data/playbooks/generate_events.yaml b/tests/end_to_end/test_ip_reputation/data/playbooks/generate_events.yaml index 61216cc8f5..ba53017c75 100644 --- a/tests/end_to_end/test_ip_reputation/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_ip_reputation/data/playbooks/generate_events.yaml @@ -11,8 +11,8 @@ tasks: - name: "{{ event_description }}" - ansible.windows.win_shell: "{{ command }}" - ignore_errors: yes # Ignore powershell error + ansible.windows.win_shell: "{{ command }}" + ignore_errors: true # Ignore powershell error - name: Wait alert hosts: wazuh-manager diff --git a/tests/end_to_end/test_ip_reputation/data/test_cases/cases_ip_reputation.yaml b/tests/end_to_end/test_ip_reputation/data/test_cases/cases_ip_reputation.yaml index 67dcf12c17..d6044d65d9 100644 --- a/tests/end_to_end/test_ip_reputation/data/test_cases/cases_ip_reputation.yaml +++ b/tests/end_to_end/test_ip_reputation/data/test_cases/cases_ip_reputation.yaml @@ -14,4 +14,4 @@ active_response: rule.id: 651 rule.level: 3 - rule.description : Host Blocked by firewall-drop Active Response + rule.description: Host Blocked by firewall-drop Active Response diff --git a/tests/end_to_end/test_ip_reputation/test_ip_reputation.py b/tests/end_to_end/test_ip_reputation/test_ip_reputation.py index 027d3741de..818884fcef 100644 --- a/tests/end_to_end/test_ip_reputation/test_ip_reputation.py +++ b/tests/end_to_end/test_ip_reputation/test_ip_reputation.py 
@@ -27,24 +27,28 @@ def test_ip_reputation(configure_environment, metadata, get_dashboard_credential Test to detect a IP Reputation """ - first_alert = {"rule_id": metadata['malicious_ip']['rule.id'], "rule_level": metadata['malicious_ip']['rule.level'], + first_alert = {"rule_id": metadata['malicious_ip']['rule.id'], + "rule_level": metadata['malicious_ip']['rule.level'], "rule_description": metadata['malicious_ip']['rule.description']} - second_alert = {"rule_id": metadata['active_response']['rule.id'], "rule_level": metadata['active_response']['rule.level'], + second_alert = {"rule_id": metadata['active_response']['rule.id'], + "rule_level": metadata['active_response']['rule.level'], "rule_description": metadata['active_response']['rule.description']} ip_alerts = [first_alert, second_alert] for alert in ip_alerts: - expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{alert["rule_level"]},' \ + expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)",' \ + fr'"rule"\:{{"level"\:{alert["rule_level"]},' \ fr'"description"\:"{alert["rule_description"]}","id"\:"{alert["rule_id"]}".*\}}' - expected_indexed_alert = fr'.*"rule":.*"level": {alert["rule_level"]},.*"description": "{alert["rule_description"]}"' \ + expected_indexed_alert = fr'.*"rule":.*"level": {alert["rule_level"]},' \ + fr'.*"description": "{alert["rule_description"]}"' \ fr'.*"id": "{alert["rule_id"]}".*'\ r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' # Check that alert has been raised and save timestamp raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - error_message='The alert has not occurred').result() + error_message='The alert has not occurred').result() raised_alert_timestamp = raised_alert.group(1) rule_id = alert["rule_id"] 
@@ -53,12 +57,12 @@ def test_ip_reputation(configure_environment, metadata, get_dashboard_credential { "term": { - "rule.id": f"{rule_id}" + "rule.id": f"{rule_id}" } }, { "term": { - "timestamp": f"{raised_alert_timestamp}" + "timestamp": f"{raised_alert_timestamp}" } } ]) From bfcf76ade38628b9f2319fe4f9853f4093ba00a8 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Tue, 2 Aug 2022 11:11:58 -0300 Subject: [PATCH 303/552] Fix linter errors --- .../data/playbooks/generate_events.yaml | 3 ++- .../test_ip_reputation/test_ip_reputation.py | 10 +++++----- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/tests/end_to_end/test_ip_reputation/data/playbooks/generate_events.yaml b/tests/end_to_end/test_ip_reputation/data/playbooks/generate_events.yaml index ba53017c75..5fe50ba98e 100644 --- a/tests/end_to_end/test_ip_reputation/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_ip_reputation/data/playbooks/generate_events.yaml @@ -12,7 +12,8 @@ - name: "{{ event_description }}" ansible.windows.win_shell: "{{ command }}" - ignore_errors: true # Ignore powershell error + # Ignore powershell error + ignore_errors: true - name: Wait alert hosts: wazuh-manager diff --git a/tests/end_to_end/test_ip_reputation/test_ip_reputation.py b/tests/end_to_end/test_ip_reputation/test_ip_reputation.py index 818884fcef..d5d9ae5ee7 100644 --- a/tests/end_to_end/test_ip_reputation/test_ip_reputation.py +++ b/tests/end_to_end/test_ip_reputation/test_ip_reputation.py 
@@ -38,13 +38,13 @@ def test_ip_reputation(configure_environment, metadata, get_dashboard_credential for alert in ip_alerts: expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)",' \ - fr'"rule"\:{{"level"\:{alert["rule_level"]},' \ - fr'"description"\:"{alert["rule_description"]}","id"\:"{alert["rule_id"]}".*\}}' + fr'"rule"\:{{"level"\:{alert["rule_level"]},' \ + fr'"description"\:"{alert["rule_description"]}","id"\:"{alert["rule_id"]}".*\}}' expected_indexed_alert = fr'.*"rule":.*"level": {alert["rule_level"]},' \ - fr'.*"description": "{alert["rule_description"]}"' \ - fr'.*"id": "{alert["rule_id"]}".*'\ - r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' + fr'.*"description": "{alert["rule_description"]}"' \ + fr'.*"id": "{alert["rule_id"]}".*'\ + r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' # Check that alert has been raised and save timestamp raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, From 9b22527e5d106f028cb8d78487b5195041326ac3 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Tue, 2 Aug 2022 11:38:04 -0300 Subject: [PATCH 304/552] refac: several changes applied for Ansible to run tasks in an Ubuntu node. #3114 --- .../data/playbooks/configuration.yaml | 63 ++++++++++--------- .../cases_suricata_integration.yaml | 6 +- 2 files changed, 38 insertions(+), 31 deletions(-) diff --git a/tests/end_to_end/test_suricata_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_suricata_integration/data/playbooks/configuration.yaml index ebe69d48e2..093c6c4c73 100644 --- a/tests/end_to_end/test_suricata_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_suricata_integration/data/playbooks/configuration.yaml @@ -1,6 +1,8 @@ - name: Prepare environment hosts: wazuh-manager become: true + vars: + suricata_conf_path: /etc/suricata/suricata.yaml tasks: - name: Configure Wazuh to read Suricata logs file 
@@ -20,44 +22,47 @@ name: wazuh-manager - name: Check if Suricata is installed - shell: rpm -qa suricata + shell: dpkg -l suricata | grep suricata register: check_suricata + ignore_errors: true - - name: Download Suricata repo and install dependencies - shell: > - cd /etc/yum.repos.d && yum -y install epel-release wget jq && - curl -O https://copr.fedorainfracloud.org/coprs/jasonish/suricata-6.0-testing/repo/epel-7/ - jasonish-suricata-6.0-testing-epel-7.repo && cd ~ - when: '"suricata" not in check_suricata.stdout' - - - name: Upgrade all packages, excluding kernel related packages - yum: - name: '*' - state: latest - exclude: kernel* - when: '"suricata" not in check_suricata.stdout' + - name: Add and configure the repo to install Suricata + shell: | + add-apt-repository ppa:oisf/suricata-5.0 -y + apt-get update -y + when: '"no packages found matching suricata" in check_suricata.stderr' - - name: Install the latest version of Suricata - yum: - name: suricata + - name: Install Suricata + package: + name: suricata=5.0.9-0ubuntu4 state: present - when: '"suricata" not in check_suricata.stdout' + when: '"no packages found matching suricata" in check_suricata.stderr' - name: Download and extract Emerging rules shell: | - wget https://rules.emergingthreats.net/open/suricata-6.0.3/emerging.rules.tar.gz - tar zxvf emerging.rules.tar.gz - rm /etc/suricata/rules/* -f - mv rules/*.rules /etc/suricata/rules/ - rm -f /etc/suricata/suricata.yaml - wget -O /etc/suricata/suricata.yaml http://www.branchnetconsulting.com/wazuh/suricata.yaml - when: '"suricata" not in check_suricata.stdout' + cd /tmp/ + curl -LO https://rules.emergingthreats.net/open/suricata-5.0.8/emerging.rules.tar.gz + tar -xvzf emerging.rules.tar.gz && mv rules/*.rules /etc/suricata/rules/ + chmod 640 /etc/suricata/rules/*.rules + when: '"no packages found matching suricata" in check_suricata.stderr' - # Get the default interface from the Suricata configuration and replace it with the first interface obtained 
from - # the output of the nmcli command - name: Change the default interface - shell: sed -i "s/eth0/$(nmcli device status | awk 'NR==2 {print $1}')/g" /etc/sysconfig/suricata - when: '"suricata" not in check_suricata.stdout' + replace: + path: "{{ suricata_conf_path }}" + regexp: 'af-packet:\n - interface: eth0' + replace: 'af-packet:\n - interface: {{ ansible_default_ipv4.interface }}' + + - name: Configure external network in Suricata + replace: + path: "{{ suricata_conf_path }}" + regexp: 'EXTERNAL_NET: "!\$HOME_NET"' + replace: 'EXTERNAL_NET: "any"' + + - name: Configure rules path in Suricata + replace: + path: "{{ suricata_conf_path }}" + regexp: 'default-rule-path: \S.*\n\nrule-files:\n.*- suricata.rules' + replace: 'default-rule-path: /etc/suricata/rules\n\nrule-files:\n - "*.rules"' - name: Start Suricata systemd: diff --git a/tests/end_to_end/test_suricata_integration/data/test_cases/cases_suricata_integration.yaml b/tests/end_to_end/test_suricata_integration/data/test_cases/cases_suricata_integration.yaml index 1cd08df84b..12dda8bb67 100644 --- a/tests/end_to_end/test_suricata_integration/data/test_cases/cases_suricata_integration.yaml +++ b/tests/end_to_end/test_suricata_integration/data/test_cases/cases_suricata_integration.yaml @@ -1,5 +1,7 @@ -- name: Generate a specific web request known to trip NIDS rules - description: Test the detection of threats by monitoring network traffic +- name: trigger_emerging_policy_rule + description: | + Test the detection of threats by monitoring network traffic. The test generates a specific web request + known to trip NIDS rules. configuration_parameters: null metadata: rule.id: 86601 From 6c4f812c1201ae3bfa96c4fe3e4003214255f31a Mon Sep 17 00:00:00 2001 
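Review bot: `Download and extract Emerging rules` fetches `emerging.rules.tar.gz` with `curl -LO`, extracts it with `tar -xvzf` in `/tmp` as root (the play sets `become: true`) and moves every `*.rules` into `/etc/suricata/rules/` with no checksum or signature check, so the rule set this IDS loads is whatever the download endpoint serves; `get_url` with `checksum:` followed by `unarchive` pins it and also makes the task idempotent. The install gate `when: '"no packages found matching suricata" in check_suricata.stderr'` keys on a human-readable dpkg message that varies with locale and version; `failed_when: false` on the check task and `when: check_suricata.rc != 0` is the robust form. The archive is for `suricata-5.0.8` while the pinned package is `suricata=5.0.9-0ubuntu4`; presumably compatible, but a one-line comment stating that would save the next reader a check. The `Start Suricata` task and the rest of the play run past the hunk.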
From: Mauro Malara Date: Tue, 2 Aug 2022 13:40:31 -0300 Subject: [PATCH 305/552] refac: requested changes applied. #3126 The task that installs pexpect was removed. New task added in the teardown playbook to clean the ssh known_hosts. The tasks that attempts an ssh brute force attack now fails if the output is not the expected. --- .../data/playbooks/configuration.yaml | 3 --- .../data/playbooks/generate_events.yaml | 6 ++++-- .../test_slack_integration/data/playbooks/teardown.yaml | 3 +++ .../data/test_cases/cases_slack_integration.yaml | 2 +- 4 files changed, 8 insertions(+), 6 deletions(-) diff --git a/tests/end_to_end/test_slack_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_slack_integration/data/playbooks/configuration.yaml index afd116d072..8dde578413 100644 --- a/tests/end_to_end/test_slack_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_slack_integration/data/playbooks/configuration.yaml @@ -26,6 +26,3 @@ systemd: state: restarted name: wazuh-manager - - - name: Install pexpect using pip - shell: python3 -m pip install pexpect>=3.3 diff --git a/tests/end_to_end/test_slack_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_slack_integration/data/playbooks/generate_events.yaml index ec7490e702..841bf85549 100644 --- a/tests/end_to_end/test_slack_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_slack_integration/data/playbooks/generate_events.yaml @@ -14,7 +14,8 @@ command: ssh {{ item }}@localhost timeout: 5 responses: - Password: invalid_password + (.*)continue connecting(.*): 'yes' + (?i)password: invalid_password loop: - not-a-user - not-a-user @@ -24,7 +25,8 @@ - not-a-user - not-a-user - not-a-user - ignore_errors: true + register: command_result + failed_when: "'Permission denied' not in command_result.stdout" - name: Wait for the alert to be generated pause: 
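Review bot: `failed_when: "'Permission denied' not in command_result.stdout"` is a good replacement for `ignore_errors`, but it relies on the pty-merged output of the `expect` module and on sshd actually listening on localhost; a comment such as `# expect merges ssh's stderr into stdout; sshd must accept connections on localhost` would make both assumptions explicit. The eight identical `- not-a-user` items would read better as `loop: "{{ ['not-a-user'] * 8 }}"` with a comment tying the count to the brute-force rule's frequency threshold, so the number cannot drift from the rule silently. Answering `yes` to `continue connecting` auto-accepts the localhost host key, which is only safe here because the teardown removes it again.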
diff --git a/tests/end_to_end/test_slack_integration/data/playbooks/teardown.yaml b/tests/end_to_end/test_slack_integration/data/playbooks/teardown.yaml index f9e6b2bf3a..e3b07973b4 100644 --- a/tests/end_to_end/test_slack_integration/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_slack_integration/data/playbooks/teardown.yaml @@ -5,6 +5,9 @@ conf_path: /var/ossec/etc/ossec.conf tasks: + - name: Clean added host + shell: ssh-keygen -R localhost + - name: Remove the Slack integration block blockinfile: path: "{{ conf_path }}" diff --git a/tests/end_to_end/test_slack_integration/data/test_cases/cases_slack_integration.yaml b/tests/end_to_end/test_slack_integration/data/test_cases/cases_slack_integration.yaml index 30f39dfb8a..b101421f60 100644 --- a/tests/end_to_end/test_slack_integration/data/test_cases/cases_slack_integration.yaml +++ b/tests/end_to_end/test_slack_integration/data/test_cases/cases_slack_integration.yaml @@ -1,4 +1,4 @@ -- name: Slack integration - SSH Brute force attack +- name: slack_integration_brute_force_attack description: Test that Wazuh sends the alert via Slack by attempting a brute force SSH attack. configuration_parameters: null metadata: From dfea381fb5e5080842a3344bb57f7b3860228f21 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Wed, 3 Aug 2022 09:57:37 -0300 Subject: [PATCH 306/552] fix: rename task with WIndows Defender --- .../test_windows_defender/data/playbooks/configuration.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/test_windows_defender/data/playbooks/configuration.yaml b/tests/end_to_end/test_windows_defender/data/playbooks/configuration.yaml index 9b4eca9eea..f7757ab10a 100644 --- a/tests/end_to_end/test_windows_defender/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_windows_defender/data/playbooks/configuration.yaml 
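Review bot: `ssh-keygen -R localhost` edits the known_hosts of whichever user the teardown task runs as, while the host key was accepted by the `expect` task in generate_events.yaml; if the two plays differ in `become` (this play's header is outside the hunk), the entry added to the other user's file is left behind and the next run is prompted again. Make the privilege level explicit on both tasks, or use `known_hosts: name: localhost state: absent`, which is idempotent and reports a clean "ok" when nothing is there instead of relying on `ssh-keygen`'s exit status.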
@@ -13,7 +13,7 @@ dest: C:\temp remote_src: true - - name: Enable the agent to collect eventchannel logs + - name: Enable the agent to collect Windows Defender logs ansible.windows.win_shell: | Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" From 584adc0c189079565afb4016ceaf6acf555e4e51 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Wed, 3 Aug 2022 11:13:10 -0300 Subject: [PATCH 307/552] add: failed_when instead of ignore_errors --- .../test_ip_reputation/data/playbooks/generate_events.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/end_to_end/test_ip_reputation/data/playbooks/generate_events.yaml b/tests/end_to_end/test_ip_reputation/data/playbooks/generate_events.yaml index 5fe50ba98e..7c70a9baab 100644 --- a/tests/end_to_end/test_ip_reputation/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_ip_reputation/data/playbooks/generate_events.yaml @@ -12,8 +12,8 @@ - name: "{{ event_description }}" ansible.windows.win_shell: "{{ command }}" - # Ignore powershell error - ignore_errors: true + register: result + failed_when: "'Forbidden' not in result.stderr" - name: Wait alert hosts: wazuh-manager From bbcd0d82d590468a6e5b15e50ca8a3feb393c937 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Rebollo=20P=C3=A9rez?= Date: Tue, 2 Aug 2022 12:15:36 +0100 Subject: [PATCH 308/552] fix: remove become in agent playbook --- provisioning/playbooks/wazuh_environment.yaml | 20 +++++++++++++------ provisioning/roles.yaml | 2 +- .../roles/wazuh_environment/schema.j2 | 17 +++++++++++++--- 3 files changed, 29 insertions(+), 10 deletions(-) diff --git a/provisioning/playbooks/wazuh_environment.yaml b/provisioning/playbooks/wazuh_environment.yaml index f513f7c5e8..9ee160e972 100644 --- a/provisioning/playbooks/wazuh_environment.yaml +++ b/provisioning/playbooks/wazuh_environment.yaml 
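Review bot: The removed `# Ignore powershell error` comment is not replaced, so a reader of the new `failed_when` line cannot tell why a `Forbidden` error is the success condition; `# 'Forbidden' in stderr is the expected outcome; any other result means the event was not generated` keeps that intent visible. The check reads only `result.stderr`; if the templated `command` (defined outside the hunk) reports through a different stream the task fails even when the request was blocked as intended, so confirm where the message lands.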
@@ -13,7 +13,6 @@ # Wazuh indexer cluster - hosts: wi_cluster - strategy: free roles: - role: "{{ wazuh_ansible_roles }}/wazuh/wazuh-indexer" indexer_network_host: "{{ private_ip }}" @@ -57,8 +56,17 @@ # Agent - hosts: agent - strategy: free - become: yes - become_user: root - roles: - - "{{ wazuh_ansible_roles }}/wazuh/ansible-wazuh-agent" + tasks: + - name: Agents + block: + - name: Install UNIX based agents + become: yes + become_user: root + import_role: + name: "{{ wazuh_ansible_roles }}/wazuh/ansible-wazuh-agent" + when: ansible_os_family != "Windows" + + - name: Install Windows based agents + import_role: + name: "{{ wazuh_ansible_roles }}/wazuh/ansible-wazuh-agent" + when: ansible_os_family == "Windows" \ No newline at end of file diff --git a/provisioning/roles.yaml b/provisioning/roles.yaml index 1da3500158..9183ba4d99 100644 --- a/provisioning/roles.yaml +++ b/provisioning/roles.yaml @@ -24,7 +24,7 @@ agent: version: VERSION revision: REVISION repository: REPOSITORY - manager_ip: MANAGER_HOST + manager: MANAGER_HOST #---------------------- diff --git a/provisioning/roles/wazuh_environment/schema.j2 b/provisioning/roles/wazuh_environment/schema.j2 index bd9b8b02c1..2f16c16075 100644 --- a/provisioning/roles/wazuh_environment/schema.j2 +++ b/provisioning/roles/wazuh_environment/schema.j2 @@ -1,5 +1,7 @@ {% if vars['indexer'] is defined %} {%- set indexer = vars['indexer'] -%} +{%- set indexer_nodes = indexer.keys() | list -%} +{%- set first_indexer_node = indexer_nodes | first -%} {%- set last_indexer_node = indexer|length - 1-%} {% else %} {%- set last_indexer_node = 0-%} 
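Review bot: Renaming the agent key from `manager_ip` to `manager` in roles.yaml looks inconsistent with schema.j2, whose agent section still reads `agent_value['manager_ip']` (visible as context in PATCH 317 later in this series); if roles.yaml is the spec that schema.j2 renders, the agent host entry resolves an undefined key. Either keep `manager_ip` here or update the template's `- address:` line to the new name in the same commit, and if the two files are unrelated a one-line comment next to `manager: MANAGER_HOST` saying which role variable it feeds would avoid the confusion.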
@@ -51,9 +53,15 @@ wi_cluster: wi{{ loop.index }}: {{ expand_ansible_connection_attributes(indexer_value) | indent(6) }} private_ip: {{ indexer_value['ip'] }} - {% endfor %} + {%- if indexer|length == 1 %} + + single_node: true + {% endif %} + + {%- endfor -%} + + {%- if dashboard is defined %} - {% if dashboard is defined %} dashboard: {{ expand_ansible_connection_attributes(dashboard) | indent(6) }} private_ip: {{ dashboard['ip'] }} @@ -101,7 +109,10 @@ wi_cluster: name: node-{{master_node}} ip: "{{ manager['master']['ip'] }}" role: wazuh + {%- if workers|length != 0 %} + node_type: master + {% endif %} {%- for worker_key, worker_value in workers.items() %} {% set real_node_index = master_node + loop.index %} @@ -164,7 +175,7 @@ filebeat: vars: filebeat_output_indexer_hosts: - - "{{ indexer['indexer1']['ip'] }}" + - "{{ indexer[first_indexer_node]['ip'] }}" {%- endif -%} {% endif %} From 7c9e9987f2564dca1fdce97fcec0c2fcaff560f0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Rebollo=20P=C3=A9rez?= Date: Wed, 3 Aug 2022 16:38:46 +0100 Subject: [PATCH 309/552] fix: aio environment --- .../roles/wazuh_environment/schema.j2 | 31 +++++++++++++++++-- 1 file changed, 28 insertions(+), 3 deletions(-) diff --git a/provisioning/roles/wazuh_environment/schema.j2 b/provisioning/roles/wazuh_environment/schema.j2 index 2f16c16075..63cc553218 100644 --- a/provisioning/roles/wazuh_environment/schema.j2 +++ b/provisioning/roles/wazuh_environment/schema.j2 
@@ -9,8 +9,20 @@ {% if vars['dashboard'] is defined %} -{%- set dashboard = vars['dashboard'] -%} + + {% if vars['dashboard']['ip'] == vars['indexer'][first_indexer_node]['ip'] %} + {%- set all_in_one = true-%} + {% else %} + {%- set all_in_one = false-%} +{% endif %} + + {% if all_in_one %} +{%- set dashboard_node = last_indexer_node + 1 -%} + {% else %} {%- set dashboard_node = last_indexer_node + 2 -%} + {% endif %} +{%- set dashboard = vars['dashboard'] -%} + {% else %} {%- set dashboard_node = last_indexer_node + 1-%} {% endif %} @@ -63,9 +75,22 @@ wi_cluster: {%- if dashboard is defined %} dashboard: + {%- if all_in_one %} + + perform_installation: false + indexer_node_name: "node-1" + dashboard_node_name: "node-1" + + {% else %} + + + dashboard_node_name: "node-{{ dashboard_node }}" + + {% endif %} + {{ expand_ansible_connection_attributes(dashboard) | indent(6) }} private_ip: {{ dashboard['ip'] }} - dashboard_node_name: "node-{{ dashboard_node }}" + {% endif %} vars: @@ -95,7 +120,7 @@ wi_cluster: role: indexer {% endfor %} - {%- if dashboard is defined %} + {%- if dashboard is defined and not all_in_one %} node{{dashboard_node}}: name: node-{{dashboard_node}} From 054e0b4f90dfd35322576d4b80820a12eae120b7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Rebollo=20P=C3=A9rez?= Date: Wed, 3 Aug 2022 18:16:33 +0100 Subject: [PATCH 310/552] fix: remove single nodes for aio with cluster nodes --- provisioning/roles/wazuh_environment/schema.j2 | 4 ---- 1 file changed, 4 deletions(-) diff --git a/provisioning/roles/wazuh_environment/schema.j2 b/provisioning/roles/wazuh_environment/schema.j2 index 63cc553218..35ed78fee4 100644 --- a/provisioning/roles/wazuh_environment/schema.j2 +++ b/provisioning/roles/wazuh_environment/schema.j2 
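Review bot: The new `all_in_one` comparison indexes `vars['indexer'][first_indexer_node]` unconditionally, but `first_indexer_node` is only set inside the `{% if vars['indexer'] is defined %}` branch near the top of the template (seen in PATCH 308's first hunk); a spec with a dashboard and no indexer therefore renders against an undefined value instead of reaching the `dashboard_node = last_indexer_node + 1` path the template otherwise provides. Guarding the test with `vars['indexer'] is defined and vars['dashboard']['ip'] == vars['indexer'][first_indexer_node]['ip']` keeps that case working. The hard-coded `node-1` names in the all-in-one branch also assume the first indexer is always numbered 1; a short comment stating that assumption would help the next reader.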
@@ -65,10 +65,6 @@ wi_cluster: wi{{ loop.index }}: {{ expand_ansible_connection_attributes(indexer_value) | indent(6) }} private_ip: {{ indexer_value['ip'] }} - {%- if indexer|length == 1 %} - - single_node: true - {% endif %} {%- endfor -%} From 3c97657f92a7053144cccdb9139c8f34d214f94b Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Wed, 3 Aug 2022 14:20:19 -0300 Subject: [PATCH 311/552] refac: now we check if the alert reaches Slack. #3126 --- .../data/configuration/slack_api_script.py | 42 +++++++++++++++++++ .../data/playbooks/generate_events.yaml | 14 ++++++- .../test_cases/cases_slack_integration.yaml | 2 + .../test_slack_integration.py | 34 ++++++++++++++- 4 files changed, 88 insertions(+), 4 deletions(-) create mode 100644 tests/end_to_end/test_slack_integration/data/configuration/slack_api_script.py diff --git a/tests/end_to_end/test_slack_integration/data/configuration/slack_api_script.py b/tests/end_to_end/test_slack_integration/data/configuration/slack_api_script.py new file mode 100644 index 0000000000..1c64a16768 --- /dev/null +++ b/tests/end_to_end/test_slack_integration/data/configuration/slack_api_script.py 
@@ -0,0 +1,42 @@ +#!/usr/bin/python3 + +import argparse +import requests +from http import HTTPStatus + + +def get_parameters(): + """ + Returns: + argparse.Namespace: Object with the user parameters. + """ + parser = argparse.ArgumentParser() + + parser.add_argument('--token', '-t', type=str, action='store', required=True) + parser.add_argument('--channel', '-c', type=str, action='store', required=True) + parser.add_argument('--messages_limit', '-m', type=int, action='store', required=True) + parser.add_argument('--path', '-p', type=str, action='store', required=True) + + arguments = parser.parse_args() + + return arguments + + +def main(): + parameters = get_parameters() + + headers = {'Authorization': f"Bearer {parameters.token}", 'content-type': 'application/json', 'charset': 'utf8'} + url = 'https://slack.com/api/conversations.history' + payload = {'channel': parameters.channel, 'limit': parameters.messages_limit} + + response = requests.get(url, params=payload, headers=headers) + + if response.status_code != HTTPStatus.OK or "'ok': False" in response.text: + raise Exception(f"There was an error while trying to get the messages from channel: {response.text}") + + with open(parameters.path, 'w') as messages_log: + messages_log.write(response.text) + + +if __name__ == '__main__': + main() diff --git a/tests/end_to_end/test_slack_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_slack_integration/data/playbooks/generate_events.yaml index 841bf85549..c3b93e89d3 100644 --- a/tests/end_to_end/test_slack_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_slack_integration/data/playbooks/generate_events.yaml @@ -3,6 +3,7 @@ vars: alerts_path: /var/ossec/logs/alerts/alerts.json integrations_log: /var/ossec/logs/integrations.log + slack_messages_log: /tmp/slack_messages.log become: true tasks: 
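Review bot: The error test `"'ok': False" in response.text` can never match: Slack answers with JSON, so a failed call looks like `{"ok":false,"error":"invalid_auth"}` (double quotes, lowercase `false`) and arrives with HTTP 200, which means an expired token or wrong channel silently produces a log file holding an error body. Parse the reply instead, e.g. `if response.status_code != HTTPStatus.OK or not response.json().get('ok'):`. `requests.get` is also called without `timeout=`, so a stalled connection hangs the playbook indefinitely; `timeout=30` keeps the failure bounded. The file written by `open(parameters.path, 'w')` holds channel message bodies and is created with the default umask under `/tmp`, so consider tightening its mode or writing it somewhere not world-readable.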
@@ -32,8 +33,7 @@ pause: seconds: 5 - # Check if the alert has been sent to Slack - - name: Get integrations.log + - name: Check if the alert has been sent to Slack wait_for: path: "{{ integrations_log }}" search_regex: hooks.slack.com @@ -44,3 +44,13 @@ src: "{{ alerts_path }}" dest: /tmp/ flat: true + + # Get messages from Slack channel using the API of Slack + - name: Run the script using python3 (Get messages from Slack channel) + script: "{{ SLACK_API_SCRIPT }} -t {{ slack_token }} -c {{ slack_channel }} -m 1 -p {{ slack_messages_log }}" + + - name: Get Slack messages log + fetch: + src: "{{ slack_messages_log }}" + dest: /tmp/ + flat: true diff --git a/tests/end_to_end/test_slack_integration/data/test_cases/cases_slack_integration.yaml b/tests/end_to_end/test_slack_integration/data/test_cases/cases_slack_integration.yaml index b101421f60..4221639a9a 100644 --- a/tests/end_to_end/test_slack_integration/data/test_cases/cases_slack_integration.yaml +++ b/tests/end_to_end/test_slack_integration/data/test_cases/cases_slack_integration.yaml @@ -7,3 +7,5 @@ rule.level: 10 extra: srcuser: not-a-user + extra_vars: + SLACK_API_SCRIPT: CUSTOM_SLACK_SCRIPT_PATH diff --git a/tests/end_to_end/test_slack_integration/test_slack_integration.py b/tests/end_to_end/test_slack_integration/test_slack_integration.py index b045095acb..42aef1e410 100644 --- a/tests/end_to_end/test_slack_integration/test_slack_integration.py +++ b/tests/end_to_end/test_slack_integration/test_slack_integration.py @@ -4,6 +4,8 @@ import pytest from tempfile import gettempdir +import wazuh_testing as fw +from wazuh_testing.tools.file import remove_file from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config 
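Review bot: The new `script:` task passes the Slack token as a command-line argument (`-t {{ slack_token }}`), so it is visible in the process list on the manager and in any verbose Ansible output or log; handing it over through `environment:` (and reading it from the environment in the script) together with `no_log: true` on the task keeps it out of both. The task also fetches only the most recent message (`-m 1`), so any unrelated post to the channel between the alert and this call makes the later regex check fail; a slightly larger limit would make the check more robust. Because the play runs with `become: true`, the fixed `/tmp/slack_messages.log` path is written as root into a world-writable directory, so a dedicated directory or a generated name is preferable to a predictable one.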
@@ -22,11 +24,33 @@ # Configuration configuration, metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) +# Custom paths +slack_api_script = os.path.join(test_data_path, 'configuration', 'slack_api_script.py') + +# Update configuration with custom paths +metadata = config.update_configuration_template(metadata, ['CUSTOM_SLACK_SCRIPT_PATH'], [slack_api_script]) + + +@pytest.fixture(scope='function') +def get_slack_log_path(): + """Get the temporary path to the file containing the Slack messages. Then delete the temporary file. + + Returns: + slack_messages_log(str): String with the file path. + """ + + slack_messages_log = os.path.join(gettempdir(), 'slack_messages.log') + + yield slack_messages_log + + remove_file(slack_messages_log) + + @pytest.mark.parametrize('metadata', metadata, ids=cases_ids) @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') def test_slack_integration(metadata, configure_environment, get_dashboard_credentials, generate_events, - clean_alerts_index): + get_slack_log_path, clean_alerts_index): rule_description = metadata['rule.description'] rule_id = metadata['rule.id'] rule_level = metadata['rule.level'] @@ -39,9 +63,11 @@ def test_slack_integration(metadata, configure_environment, get_dashboard_creden expected_indexed_alert = fr".+srcuser.+{extra_srcuser}.+level.+{rule_level}.+description.+{rule_description}.+id" \ fr".+{rule_id}.+timestamp\": \"({timestamp_regex})\"" + expected_slack_log = fr".*{rule_description}.+{rule_id} _\(Level {rule_level}\)" + # Check that alert has been raised and save timestamp raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - error_message='The alert has not occurred').result() + timeout=fw.T_5, error_message='The alert has not occurred').result() raised_alert_timestamp = raised_alert.group(1) query = e2e.make_query([ 
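Review bot: The `get_slack_log_path` fixture yields a fixed path under `gettempdir()` without clearing it first, so a file left behind by a crashed earlier run is consumed if the fetch in the playbook fails to overwrite it; calling `remove_file(slack_messages_log)` before `yield` as well as after closes that gap. The same applies to `remove_slack_log`, which replaces this fixture in PATCH 316.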
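Review bot: `expected_slack_log` interpolates `rule_description` straight into a regex, and the description in the test-case file is prose that can carry metacharacters (parentheses, dots, question marks), so the pattern either fails to match or matches too loosely; `re.escape(rule_description)` in that f-string (and in `expected_indexed_alert` above it, which has the same shape) pins the literal text. The body of `test_slack_integration` continues below the hunk.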
@@ -69,3 +95,7 @@ def test_slack_integration(metadata, configure_environment, get_dashboard_creden # Check that the alert data is the expected one alert_data = re.search(expected_indexed_alert, indexed_alert) assert alert_data is not None, 'Alert triggered, but not indexed' + + # Check if the alert received in Slack is the same as the triggered one + evm.check_event(callback=expected_slack_log, file_to_monitor=get_slack_log_path, + timeout=fw.T_5, error_message='The alert has not reached Slack').result() From 5d0bf5db083da9aa8de986ff6c29283ea49b93e9 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Wed, 3 Aug 2022 14:23:43 -0300 Subject: [PATCH 312/552] fix: linter corrections applied. #3126 --- .../end_to_end/test_slack_integration/test_slack_integration.py | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/end_to_end/test_slack_integration/test_slack_integration.py b/tests/end_to_end/test_slack_integration/test_slack_integration.py index 42aef1e410..f1336cf019 100644 --- a/tests/end_to_end/test_slack_integration/test_slack_integration.py +++ b/tests/end_to_end/test_slack_integration/test_slack_integration.py @@ -46,7 +46,6 @@ def get_slack_log_path(): remove_file(slack_messages_log) - @pytest.mark.parametrize('metadata', metadata, ids=cases_ids) @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') def test_slack_integration(metadata, configure_environment, get_dashboard_credentials, generate_events, From 9d4e354a04c8a9a2aa236ab2c57247e74da5c914 Mon Sep 17 00:00:00 2001 From: Julia Date: Thu, 4 Aug 2022 11:49:24 +0200 Subject: [PATCH 313/552] fix: Fix IP addresses --- .../data/playbooks/configuration.yaml | 12 +++++++++++- .../test_ip_reputation/data/playbooks/teardown.yaml | 10 ++++++++++ 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/tests/end_to_end/test_ip_reputation/data/playbooks/configuration.yaml b/tests/end_to_end/test_ip_reputation/data/playbooks/configuration.yaml index 57ab09299c..10705c5661 100644 
--- a/tests/end_to_end/test_ip_reputation/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_ip_reputation/data/playbooks/configuration.yaml @@ -27,7 +27,7 @@ - name: Add the attacker IP to the list become: true - shell: echo "{{ attacker_ip_win }}" >> /var/ossec/etc/lists/alienvault_reputation.ipset + shell: echo "{{ hostvars['wazuh-windows']['ip_address'] }}" >> /var/ossec/etc/lists/alienvault_reputation.ipset - name: Convert .ipset to .cdb using script become: true @@ -100,3 +100,13 @@ - name: Restart the manager become: true shell: systemctl restart wazuh-manager + +- name: Windows agent configuration + hosts: wazuh-windows + tasks: + + - name: Add hostname to hosts file + win_lineinfile: + path: C:\Windows\System32\drivers\etc\hosts + line: | + {{ hostvars['wazuh-manager']['ip_address'] }} wazuh-manager diff --git a/tests/end_to_end/test_ip_reputation/data/playbooks/teardown.yaml b/tests/end_to_end/test_ip_reputation/data/playbooks/teardown.yaml index 76e10d8d7f..975ebe08eb 100644 --- a/tests/end_to_end/test_ip_reputation/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_ip_reputation/data/playbooks/teardown.yaml @@ -27,3 +27,13 @@ - name: Restart the manager become: true shell: systemctl restart wazuh-manager + +- name: Cleanup Windows agent environment + hosts: wazuh-windows + tasks: + + - name: Delete syscheck configuration + win_lineinfile: + path: C:\Windows\System32\drivers\etc\hosts + regex: wazuh-manager + state: absent From 574c384a3f563fb9a2bbd9cedc1c9ddf36a78383 Mon Sep 17 00:00:00 2001 
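Review bot: `shell: echo "{{ hostvars['wazuh-windows']['ip_address'] }}" >> .../alienvault_reputation.ipset` appends on every run, so re-running the configuration playbook leaves duplicate entries that the teardown (outside this hunk) has to know about; `lineinfile` with `path:` and `line: "{{ hostvars['wazuh-windows']['ip_address'] }}"` is idempotent and avoids interpolating an inventory value into a shell command. In the second hunk, `line: |` hands `win_lineinfile` a block scalar with a trailing newline, which may insert an extra blank line in the hosts file; a plain quoted scalar is what the module expects.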
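Review bot: The new Windows teardown task is named `Delete syscheck configuration` but it removes the `wazuh-manager` hosts-file entry, which misleads anyone reading the run output; `- name: Remove wazuh-manager entry from the hosts file` says what it does. `regex: wazuh-manager` is also an unanchored substring match, so any pre-existing line mentioning wazuh-manager is deleted too; anchoring it to the line the configuration playbook added, e.g. `regex: '^\S+\s+wazuh-manager\s*$'`, limits the cleanup to that entry.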
From: Julia Date: Thu, 4 Aug 2022 13:23:59 +0200 Subject: [PATCH 314/552] fix: Change playbooks to generate every alert --- .../data/configuration/exec_emotet_script.vbs | 6 ---- .../data/playbooks/configuration.yaml | 36 ++++++++++++------- .../data/playbooks/generate_events.yaml | 13 +++---- .../test_emotet/data/playbooks/teardown.yaml | 16 +++++++-- 4 files changed, 40 insertions(+), 31 deletions(-) delete mode 100644 tests/end_to_end/test_emotet/data/configuration/exec_emotet_script.vbs diff --git a/tests/end_to_end/test_emotet/data/configuration/exec_emotet_script.vbs b/tests/end_to_end/test_emotet/data/configuration/exec_emotet_script.vbs deleted file mode 100644 index 64ebe4d2ca..0000000000 --- a/tests/end_to_end/test_emotet/data/configuration/exec_emotet_script.vbs +++ /dev/null @@ -1,6 +0,0 @@ -set shell = CreateObject("WScript.Shell") -shell.run"C:\temp\trigger-emotet.exe" -WScript.Sleep 10000 -shell.SendKeys "{ENTER}" -WScript.Sleep 10000 -shell.SendKeys "{ENTER}" diff --git a/tests/end_to_end/test_emotet/data/playbooks/configuration.yaml b/tests/end_to_end/test_emotet/data/playbooks/configuration.yaml index 7b99773686..ef218e20b3 100644 --- a/tests/end_to_end/test_emotet/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_emotet/data/playbooks/configuration.yaml 
@@ -2,40 +2,55 @@ hosts: wazuh-windows tasks: + - name: Disable Windows Defender + win_shell: | + Set-MpPreference -DisableRealtimeMonitoring 1 + - name: Create temp folder win_file: path: C:\temp state: directory + - name: Download PSTools + win_shell: | + Set-Location C:\temp + Write-Host "Location set $path" + Write-Host "Retrieving PSTools..." + Invoke-WebRequest -Uri https://download.sysinternals.com/files/PSTools.zip -Outfile PSTools.zip + + - name: Unzip PSTools + win_shell: | + Expand-Archive -Path C:\temp\PSTools.zip -DestinationPath C:\temp\PSTools + - name: Copy ossec.conf - ansible.windows.win_copy: + win_copy: src: C:\Program Files (x86)\ossec-agent\ossec.conf dest: C:\temp remote_src: true - name: Download sysmon - ansible.windows.win_shell: | + win_shell: | Set-Location C:\temp Write-Host "Location set $path" Write-Host "Retrieving Sysmon..." Invoke-WebRequest -Uri https://download.sysinternals.com/files/Sysmon.zip -Outfile Sysmon.zip - name: Unzip sysmon - ansible.windows.win_shell: | + win_shell: | Expand-Archive -Path C:\temp\Sysmon.zip -DestinationPath C:\temp\Sysmon - name: Copy Sysmon configuration file - ansible.windows.win_copy: + win_copy: src: "{{ sysmon_config }}" dest: C:\temp\Sysmon - name: Install sysmon - ansible.windows.win_shell: | + win_shell: | cd C:\temp\Sysmon ./Sysmon64.exe -accepteula -i sysconfig.xml - name: Configure Wazuh to collect Sysmon events - ansible.windows.win_shell: | + win_shell: | Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' ` 
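Review bot: The `Download PSTools` task fetches `PSTools.zip` with `Invoke-WebRequest` and the next task expands and later runs it with no integrity check, like the existing Sysmon download; since the play has just turned off Defender real-time monitoring nothing on the host vets that archive, so comparing `Get-FileHash` against a pinned value (`<EXPECTED_PSTOOLS_SHA256>` taken from a trusted source) before `Expand-Archive` would catch a changed or tampered download. The `Write-Host "Location set $path"` line is copied from the Sysmon task and `$path` is never assigned, so it prints an empty location; `Write-Host "Location set $(Get-Location)"` or dropping the line fixes that. Disabling real-time monitoring is only reverted in teardown.yaml, which is worth stating in a comment on the `Disable Windows Defender` task so the pairing is obvious.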
@@ -44,18 +59,13 @@ Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" - - name: Copy exec_emotet_script.vbs in the agent - ansible.windows.win_copy: - src: "{{ vbs_script }}" - dest: C:\temp - - name: Copy trigger_emotet.exe in the agent - ansible.windows.win_copy: + win_copy: src: "{{ emotet_file }}" dest: C:\temp - name: Restart wazuh-agent (Windows) - ansible.windows.win_shell: | + win_shell: | net stop wazuh net start wazuh diff --git a/tests/end_to_end/test_emotet/data/playbooks/generate_events.yaml b/tests/end_to_end/test_emotet/data/playbooks/generate_events.yaml index 61cb394f64..eb6868b25d 100644 --- a/tests/end_to_end/test_emotet/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_emotet/data/playbooks/generate_events.yaml @@ -10,15 +10,10 @@ hosts: wazuh-windows tasks: - - - name: Open Word document - ansible.windows.win_shell: | - $MSWORD = New-Object -ComObject word.application - $MSWORD.visible = $true - - - name: Run trigger-emotet.exe - ansible.windows.win_shell: | - cscript C:\temp\exec_emotet_script.vbs + - name: Execute trigger-emotet.exe + win_command: C:\temp\PSTools\psexec.exe -accepteula -nobanner -i 1 -d C:\temp\trigger-emotet.exe + register: output + failed_when: '"with process ID {{ output.rc }}" not in output.stderr' - name: Wait alert hosts: wazuh-manager diff --git a/tests/end_to_end/test_emotet/data/playbooks/teardown.yaml b/tests/end_to_end/test_emotet/data/playbooks/teardown.yaml index 36957dc3b1..c19b003aea 100644 --- a/tests/end_to_end/test_emotet/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_emotet/data/playbooks/teardown.yaml 
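Review bot: `failed_when: '"with process ID {{ output.rc }}" not in output.stderr'` embeds `{{ }}` inside a conditional that Ansible already evaluates as a Jinja2 expression; this raises the "conditional statements should not include jinja2 templating delimiters" warning and the nested expansion is not guaranteed to behave the same across versions. Write it as a plain expression: `failed_when: ('with process ID ' ~ output.rc) not in output.stderr`. The check also relies on `psexec -d` reporting the new process id as its exit code, which is how `output.rc` is being read; a short comment on the task stating that assumption would help the next reader.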
@@ -3,22 +3,32 @@ tasks: - name: Restore ossec.conf without changes - ansible.windows.win_copy: + win_copy: src: C:\temp\ossec.conf dest: C:\Program Files (x86)\ossec-agent remote_src: true - name: Uninstall Sysmon - ansible.windows.win_shell: | + win_shell: | cd C:\temp\Sysmon ./Sysmon64.exe -u force + - name: Kill trigger-emotet.exe + win_shell: | + taskkill /im trigger-emotet.exe /f + become: yes + become_method: runas + become_user: Administrator + - name: Delete C:\temp folder ansible.windows.win_file: path: C:\temp state: absent - name: Restart wazuh-agent (Windows) - ansible.windows.win_shell: | + win_shell: | net stop wazuh net start wazuh + + - name: Enable Windows Defender + win_shell: set-MpPreference -DisableRealtimeMonitoring $False From aff0d498fd554302937a7e5aa07e4a59c5a6f229 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Thu, 4 Aug 2022 08:42:09 -0300 Subject: [PATCH 315/552] fix: stabilized test, Ansible tasks changed to work independently of the environment. #3114 --- .../data/playbooks/configuration.yaml | 33 +++++++++++-------- .../data/playbooks/generate_events.yaml | 2 +- .../cases_suricata_integration.yaml | 2 +- 3 files changed, 21 insertions(+), 16 deletions(-) diff --git a/tests/end_to_end/test_suricata_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_suricata_integration/data/playbooks/configuration.yaml index 093c6c4c73..126f894ea7 100644 --- a/tests/end_to_end/test_suricata_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_suricata_integration/data/playbooks/configuration.yaml 
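Review bot: `Enable Windows Defender` is the last task of the play, so if any earlier task fails (for example `taskkill /im trigger-emotet.exe /f` returning non-zero once the process has already exited, or the `runas` become for `Administrator` failing to authenticate) the play aborts with real-time monitoring still disabled on the agent. Move the re-enable task to the top of the teardown, or put the cleanup in a `block:` whose `always:` runs `Set-MpPreference -DisableRealtimeMonitoring $False`, and give the kill task `failed_when: false` so an already-gone process does not abort the run. `become_user: Administrator` with `become_method: runas` also needs that account's credentials supplied elsewhere; worth confirming the fixture provides them.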
@@ -26,25 +26,23 @@ register: check_suricata ignore_errors: true - - name: Add and configure the repo to install Suricata + - name: Add the repo to install Suricata shell: | - add-apt-repository ppa:oisf/suricata-5.0 -y - apt-get update -y + add-apt-repository ppa:oisf/suricata-stable -y when: '"no packages found matching suricata" in check_suricata.stderr' - name: Install Suricata package: - name: suricata=5.0.9-0ubuntu4 + name: suricata state: present when: '"no packages found matching suricata" in check_suricata.stderr' - - name: Download and extract Emerging rules - shell: | - cd /tmp/ - curl -LO https://rules.emergingthreats.net/open/suricata-5.0.8/emerging.rules.tar.gz - tar -xvzf emerging.rules.tar.gz && mv rules/*.rules /etc/suricata/rules/ - chmod 640 /etc/suricata/rules/*.rules - when: '"no packages found matching suricata" in check_suricata.stderr' + - name: Enable and stop Suricata + systemd: + daemon_reload: true + enabled: true + state: stopped + name: suricata - name: Change the default interface replace: @@ -62,11 +60,18 @@ replace: path: "{{ suricata_conf_path }}" regexp: 'default-rule-path: \S.*\n\nrule-files:\n.*- suricata.rules' - replace: 'default-rule-path: /etc/suricata/rules\n\nrule-files:\n - "*.rules"' + replace: 'default-rule-path: /var/lib/suricata/rules\n\nrule-files:\n - "*.rules"' + + - name: Configure live rule reloading + replace: + path: "{{ suricata_conf_path }}" + regexp: '#include: include2.yaml' + replace: '#include: include2.yaml\ndetect-engine:\n - rule-reload: true' + + - name: Updating Suricata rules + shell: suricata-update - name: Start Suricata systemd: - daemon_reload: true - enabled: true state: started name: suricata diff --git a/tests/end_to_end/test_suricata_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_suricata_integration/data/playbooks/generate_events.yaml index 7f4004d47b..fe1866327b 100644 --- a/tests/end_to_end/test_suricata_integration/data/playbooks/generate_events.yaml 
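Review bot: The `Configure live rule reloading` task is not idempotent: its `regexp: '#include: include2.yaml'` still matches after the replacement (the replaced text starts with the same comment), so every run of the playbook appends another `detect-engine:` / `rule-reload: true` block to suricata.yaml. Anchor the pattern so it stops matching once applied, e.g. `regexp: '#include: include2.yaml(?!\ndetect-engine:)'`, or insert the lines with `blockinfile` and a marker. Moving from the pinned `suricata=5.0.9-0ubuntu4` to an unpinned `suricata` from `ppa:oisf/suricata-stable` plus an unpinned `suricata-update` means the binary and rule set drift under the test over time, which the case-file change in this same commit already shows; a comment on the `Install Suricata` task explaining why the version is intentionally floating would help.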
+++ b/tests/end_to_end/test_suricata_integration/data/playbooks/generate_events.yaml @@ -9,7 +9,7 @@ shell: echo "" > {{ alerts_path }} - name: Run command to generate an alert - shell: curl -s http://testmynids.org/uid/index.html + shell: curl http://testmynids.org/uid/index.html - name: Wait for alerts to be generated wait_for: diff --git a/tests/end_to_end/test_suricata_integration/data/test_cases/cases_suricata_integration.yaml b/tests/end_to_end/test_suricata_integration/data/test_cases/cases_suricata_integration.yaml index 12dda8bb67..f2116417bf 100644 --- a/tests/end_to_end/test_suricata_integration/data/test_cases/cases_suricata_integration.yaml +++ b/tests/end_to_end/test_suricata_integration/data/test_cases/cases_suricata_integration.yaml @@ -6,6 +6,6 @@ metadata: rule.id: 86601 rule.level: 3 - rule.description: "Suricata: Alert - ET POLICY curl User-Agent Outbound" + rule.description: "Suricata: Alert - GPL ATTACK_RESPONSE id check returned root" extra: data.hostname: testmynids.org From 29a7187e4c54bc324aec971907ef759c12594ba3 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Thu, 4 Aug 2022 11:14:58 -0300 Subject: [PATCH 316/552] refac: now the fixture remove the file. #3126 --- .../test_slack_integration.py | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/tests/end_to_end/test_slack_integration/test_slack_integration.py b/tests/end_to_end/test_slack_integration/test_slack_integration.py index f1336cf019..ef1b134194 100644 --- a/tests/end_to_end/test_slack_integration/test_slack_integration.py +++ b/tests/end_to_end/test_slack_integration/test_slack_integration.py @@ -15,6 +15,7 @@ test_cases_path = os.path.join(test_data_path, 'test_cases') test_cases_file_path = os.path.join(test_cases_path, 'cases_slack_integration.yaml') alerts_json = os.path.join(gettempdir(), 'alerts.json') +slack_messages_log = os.path.join(gettempdir(), 'slack_messages.log') # Playbooks configuration_playbooks = ['configuration.yaml'] 
@@ -32,16 +33,10 @@ @pytest.fixture(scope='function') -def get_slack_log_path(): - """Get the temporary path to the file containing the Slack messages. Then delete the temporary file. - - Returns: - slack_messages_log(str): String with the file path. +def remove_slack_log(): + """Delete the temporary path to the file containing the Slack messages. """ - - slack_messages_log = os.path.join(gettempdir(), 'slack_messages.log') - - yield slack_messages_log + yield remove_file(slack_messages_log) @@ -49,7 +44,7 @@ def get_slack_log_path(): @pytest.mark.parametrize('metadata', metadata, ids=cases_ids) @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') def test_slack_integration(metadata, configure_environment, get_dashboard_credentials, generate_events, - get_slack_log_path, clean_alerts_index): + remove_slack_log, clean_alerts_index): rule_description = metadata['rule.description'] rule_id = metadata['rule.id'] rule_level = metadata['rule.level'] @@ -96,5 +91,5 @@ def test_slack_integration(metadata, configure_environment, get_dashboard_creden assert alert_data is not None, 'Alert triggered, but not indexed' # Check if the alert received in Slack is the same as the triggered one - evm.check_event(callback=expected_slack_log, file_to_monitor=get_slack_log_path, + evm.check_event(callback=expected_slack_log, file_to_monitor=slack_messages_log, timeout=fw.T_5, error_message='The alert has not reached Slack').result() From 7540ffc719420acfcef7b281de2a780afa8662c8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Rebollo=20P=C3=A9rez?= Date: Thu, 4 Aug 2022 10:18:53 +0100 Subject: [PATCH 317/552] add: include custom_parameter handling for each host --- .../roles/wazuh_environment/schema.j2 | 63 +++++++++++++++++++ 1 file changed, 63 insertions(+) diff --git a/provisioning/roles/wazuh_environment/schema.j2 b/provisioning/roles/wazuh_environment/schema.j2 index 35ed78fee4..b59862936a 100644 --- a/provisioning/roles/wazuh_environment/schema.j2 
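Review bot: The new docstring `Delete the temporary path to the file containing the Slack messages.` reads as if a path were deleted, while the fixture yields nothing and removes the file after the test; `"""Remove the fetched Slack messages log once the test finishes."""` states the actual contract. The bare `yield` is also worth a one-line comment such as `# run the test, then clean up`, since the fixture name is now the only hint of its role.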
+++ b/provisioning/roles/wazuh_environment/schema.j2 
@@ -57,6 +57,64 @@ {%- endmacro -%} + +{% macro expand_custom_package(role, role_parameters) %} + +{% if role == 'agent' %} +{% if role_parameters['wazuh_custom_packages_installation_agent_rpm_url'] is defined%} +wazuh_custom_packages_installation_agent_rpm_url: {{role_parameters['wazuh_custom_packages_installation_agent_rpm_url']}} +{% endif %} +{% if role_parameters['wazuh_custom_packages_installation_agent_deb_url'] is defined%} +wazuh_custom_packages_installation_agent_deb_url: {{role_parameters['wazuh_custom_packages_installation_agent_deb_url']}} +{% endif %} + +{% if role_parameters['wazuh_custom_packages_installation_agent_msi_url'] is defined %} +wazuh_custom_packages_installation_agent_msi_url: {{role_parameters['wazuh_custom_packages_installation_agent_msi_url']}} +{% endif %} + +{% if role_parameters['wazuh_custom_packages_installation_agent_macos_url'] is defined%} +custom_package_macos_agent: {{role_parameters['wazuh_custom_packages_installation_agent_macos_url']}} +{% endif %} + +{% if role_parameters['wazuh_custom_packages_installation_agent_solaris_url:'] is defined%} +custom_package_solaris_agent: {{role_parameters['wazuh_custom_packages_installation_agent_solaris_url']}} +{% endif %} +{% endif %} + + +{% if role == 'manager' %} +{% if role_parameters['wazuh_custom_packages_installation_manager_deb_url'] is defined %} +wazuh_custom_packages_installation_manager_deb_url: {{role_parameters['wazuh_custom_packages_installation_manager_deb_url']}} +{% endif %} +{% if role_parameters['wazuh_custom_packages_installation_manager_rpm_url'] is defined%} +wazuh_custom_packages_installation_manager_rpm_url: {{role_parameters['wazuh_custom_packages_installation_manager_rpm_url']}} +{% endif %} +{% endif %} + + + +{% if role == 'dashboard' %} +{% if role_parameters['wazuh_custom_packages_installation_dashboard_deb_url'] is defined%} +wazuh_custom_packages_installation_dashboard_deb_url: {{role_parameters['wazuh_custom_packages_installation_dashboard_deb_url']}} 
+{% endif %} +{% if role_parameters['wazuh_custom_packages_installation_dashboard_rpm_url'] is defined %} +wazuh_custom_packages_installation_dashboard_rpm_url: {{role_parameters['wazuh_custom_packages_installation_dashboard_rpm_url']}} +{% endif %} +{% endif %} + +{% if role == 'indexer' %} +{% if role_parameters['wazuh_custom_packages_installation_indexer_deb_url'] is defined %} +wazuh_custom_packages_installation_indexer_deb_url: {{role_parameters['wazuh_custom_packages_installation_indexer_deb_url']}} +{% endif %} +{% if role_parameters['wazuh_custom_packages_installation_indexer_rpm_url'] is defined %} +wazuh_custom_packages_installation_indexer_rpm_url: {{role_parameters['wazuh_custom_packages_installation_indexer_rpm_url']}} +{% endif %} +{% endif %} + +{%- endmacro -%} + + + {% if indexer is defined%} wi_cluster: hosts: @@ -65,6 +123,7 @@ wi_cluster: wi{{ loop.index }}: {{ expand_ansible_connection_attributes(indexer_value) | indent(6) }} private_ip: {{ indexer_value['ip'] }} + {{ expand_custom_package('indexer', indexer_value) | indent(6) }} {%- endfor -%} @@ -76,6 +135,7 @@ wi_cluster: perform_installation: false indexer_node_name: "node-1" dashboard_node_name: "node-1" + {{ expand_custom_package('indexer', indexer_value) | indent(6) }} {% else %} @@ -156,6 +216,7 @@ manager: master: {{ expand_ansible_connection_attributes(manager['master']) | indent(8) }} private_ip: {{ manager['master']['ip'] }} + {{ expand_custom_package('manager', manager['master']) | indent(8) }} wazuh_manager_config: cluster: disable: 'no' @@ -172,6 +233,7 @@ manager: worker{{loop.index}}: {{ expand_ansible_connection_attributes(worker_values) | indent(8) }} private_ip: {{ worker_values['ip'] }} + {{ expand_custom_package('manager', worker_values) | indent(6) }} wazuh_manager_config: cluster: disable: 'no' 
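Review bot: In the agent branch of `expand_custom_package`, the guard `role_parameters['wazuh_custom_packages_installation_agent_solaris_url:'] is defined` looks up a key with a trailing colon, so the Solaris URL is never emitted even when the spec provides it; drop the stray `:` so the test matches the key read on the next line. The same guard survives as context in PATCH 318's `@@ -73,11 +73,11` hunk, so that rename commit does not fix it either. The macro also emits an unconditional blank line per `{% if %}` block; `{%- ... -%}` whitespace control, as used elsewhere in this template, would keep the rendered YAML tidy.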
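Review bot: The added `{{ expand_custom_package('indexer', indexer_value) | indent(6) }}` in the `all_in_one` dashboard branch refers to `indexer_value`, the loop variable of the `{% for ... in indexer.items() %}` that is closed by `{%- endfor -%}` before the dashboard section (see PATCH 308's `wi_cluster` hunk); Jinja scopes loop variables to the loop, so this renders against an undefined name. The all-in-one case means the first indexer, so `indexer[first_indexer_node]` is the value to pass here, and confirm whether `'indexer'` or `'dashboard'` is the intended role for this host entry.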
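Review bot: The worker entry pipes the macro through `indent(6)` while the neighbouring `expand_ansible_connection_attributes(worker_values) | indent(8)` and `private_ip` lines sit at eight spaces, so any second line the macro emits (a manager can have both `deb_url` and `rpm_url` branches) lands two columns to the left and breaks the worker's YAML mapping; use `indent(8)` as the master entry in the `@@ -156` hunk does.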
@@ -206,6 +268,7 @@ agent: hosts: {% for agent_key, agent_value in agent.items() -%} agent{{loop.index}}: + {{ expand_custom_package('agent', agent_value) | indent(6) }} {{ expand_ansible_connection_attributes(agent_value) | indent(6) }} wazuh_managers: - address: {{ agent_value['manager_ip'] }} From 35af66c0399b6e1d451731a10c4a7a604a8494ee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Rebollo=20P=C3=A9rez?= Date: Fri, 5 Aug 2022 09:28:58 +0100 Subject: [PATCH 318/552] fix: all vars custom packages renamed --- .../roles/wazuh_environment/schema.j2 | 48 +++++++++---------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/provisioning/roles/wazuh_environment/schema.j2 b/provisioning/roles/wazuh_environment/schema.j2 index b59862936a..eb957d9764 100644 --- a/provisioning/roles/wazuh_environment/schema.j2 +++ b/provisioning/roles/wazuh_environment/schema.j2 @@ -73,11 +73,11 @@ wazuh_custom_packages_installation_agent_msi_url: {{role_parameters['wazuh_custo {% endif %} {% if role_parameters['wazuh_custom_packages_installation_agent_macos_url'] is defined%} -custom_package_macos_agent: {{role_parameters['wazuh_custom_packages_installation_agent_macos_url']}} +wazuh_custom_packages_installation_agent_macos_url: {{role_parameters['wazuh_custom_packages_installation_agent_macos_url']}} {% endif %} {% if role_parameters['wazuh_custom_packages_installation_agent_solaris_url:'] is defined%} -custom_package_solaris_agent: {{role_parameters['wazuh_custom_packages_installation_agent_solaris_url']}} +wazuh_custom_packages_installation_agent_solaris_url: {{role_parameters['wazuh_custom_packages_installation_agent_solaris_url']}} {% endif %} {% endif %} 
@@ -296,43 +296,43 @@ all: wazuh_custom_packages_installation_indexer_enabled: true - {% if custom_package_deb_agent is defined-%} - wazuh_custom_packages_installation_agent_deb_url: {{ custom_package_deb_agent }} + {% if wazuh_custom_packages_installation_agent_deb_url is defined-%} + wazuh_custom_packages_installation_agent_deb_url: {{ wazuh_custom_packages_installation_agent_deb_url }} {% endif %} - {%- if custom_package_rpm_agent is defined-%} - wazuh_custom_packages_installation_agent_rpm_url: {{ custom_package_rpm_agent }} + {%- if wazuh_custom_packages_installation_agent_rpm_url is defined-%} + wazuh_custom_packages_installation_agent_rpm_url: {{ wazuh_custom_packages_installation_agent_rpm_url }} {% endif %} - {%- if custom_pakckage_msi_agent is defined-%} - wazuh_custom_packages_installation_agent_msi_url: {{ custom_pakckage_msi_agent}} + {%- if wazuh_custom_packages_installation_agent_msi_url is defined-%} + wazuh_custom_packages_installation_agent_msi_url: {{ wazuh_custom_packages_installation_agent_msi_url}} {% endif %} - {%- if custom_package_macos_agent is defined-%} - macos_agent_pkg: {{ custom_package_macos_agent}} + {%- if wazuh_custom_packages_installation_agent_macos_url is defined-%} + wazuh_custom_packages_installation_agent_macos_url: {{ wazuh_custom_packages_installation_agent_macos_url}} {% endif %} - {%- if custom_package_solaris_agent is defined-%} - solaris_agent_pkg: {{ custom_package_solaris_agent}} + {%- if wazuh_custom_packages_installation_agent_solaris_url is defined-%} + wazuh_custom_packages_installation_agent_solaris_url: {{ wazuh_custom_packages_installation_agent_solaris_url}} {% endif %} - {%- if custom_package_deb_manager is defined-%} - wazuh_custom_packages_installation_manager_deb_url: {{ custom_package_deb_manager}} + {%- if wazuh_custom_packages_installation_manager_deb_url is defined-%} + wazuh_custom_packages_installation_manager_deb_url: {{ wazuh_custom_packages_installation_manager_deb_url}} {% endif %} - {%- if 
custom_package_rpm_manager is defined-%} - wazuh_custom_packages_installation_manager_rpm_url: {{ custom_package_rpm_manager}} + {%- if wazuh_custom_packages_installation_manager_rpm_url is defined-%} + wazuh_custom_packages_installation_manager_rpm_url: {{ wazuh_custom_packages_installation_manager_rpm_url}} {% endif %} - {%- if custom_package_deb_dashboard is defined-%} - wazuh_custom_packages_installation_dashboard_deb_url: {{ custom_package_deb_dashboard}} + {%- if wazuh_custom_packages_installation_dashboard_deb_url is defined-%} + wazuh_custom_packages_installation_dashboard_deb_url: {{ wazuh_custom_packages_installation_dashboard_deb_url}} {% endif %} - {%- if custom_package_rpm_dashboard is defined-%} - wazuh_custom_packages_installation_dashboard_rpm_url: {{ custom_package_rpm_dashboard}} + {%- if wazuh_custom_packages_installation_dashboard_rpm_url is defined-%} + wazuh_custom_packages_installation_dashboard_rpm_url: {{ wazuh_custom_packages_installation_dashboard_rpm_url}} {% endif %} - {%- if custom_package_deb_indexer is defined-%} - wazuh_custom_packages_installation_indexer_deb_url: {{ custom_package_deb_indexer}} + {%- if wazuh_custom_packages_installation_indexer_deb_url is defined-%} + wazuh_custom_packages_installation_indexer_deb_url: {{ wazuh_custom_packages_installation_indexer_deb_url}} {% endif %} - {%- if custom_package_rpm_indexer is defined-%} - wazuh_custom_packages_installation_indexer_rpm_url: {{ custom_package_rpm_indexer}} + {%- if wazuh_custom_packages_installation_indexer_rpm_url is defined-%} + wazuh_custom_packages_installation_indexer_rpm_url: {{ wazuh_custom_packages_installation_indexer_rpm_url}} {% endif %} From ce2e998eee0fbf9e3009372273886d336568e07a Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?V=C3=ADctor=20Rebollo=20P=C3=A9rez?= Date: Fri, 5 Aug 2022 10:14:33 +0100 Subject: [PATCH 319/552] fix: dashboard custom package --- provisioning/roles/wazuh_environment/schema.j2 | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/provisioning/roles/wazuh_environment/schema.j2 b/provisioning/roles/wazuh_environment/schema.j2 index eb957d9764..53edd7d0a9 100644 --- a/provisioning/roles/wazuh_environment/schema.j2 +++ b/provisioning/roles/wazuh_environment/schema.j2 @@ -135,11 +135,14 @@ wi_cluster: perform_installation: false indexer_node_name: "node-1" dashboard_node_name: "node-1" - {{ expand_custom_package('indexer', indexer_value) | indent(6) }} - {% else %} + {{ expand_custom_package('indexer', vars['dashboard']) | indent(6) }} + {{ expand_custom_package('dashboard', vars['dashboard']) | indent(6) }} + {% else %} + {{ expand_custom_package('indexer', vars['dashboard']) | indent(6) }} + {{ expand_custom_package('dashboard', vars['dashboard']) | indent(6) }} dashboard_node_name: "node-{{ dashboard_node }}" {% endif %} @@ -233,7 +236,7 @@ manager: worker{{loop.index}}: {{ expand_ansible_connection_attributes(worker_values) | indent(8) }} private_ip: {{ worker_values['ip'] }} - {{ expand_custom_package('manager', worker_values) | indent(6) }} + {{ expand_custom_package('manager', worker_values) | indent(8) }} wazuh_manager_config: cluster: disable: 'no' From c30fafa912efb6718b704cb921dccaebb3f6a088 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Rebollo=20P=C3=A9rez?= Date: Fri, 5 Aug 2022 12:08:33 +0100 Subject: [PATCH 320/552] fix: qa_framework and apache schemes --- provisioning/roles/apache/schema.j2 | 4 +++- provisioning/roles/qa_framework/schema.j2 | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/provisioning/roles/apache/schema.j2 b/provisioning/roles/apache/schema.j2 index 1f09d1381b..0c8b0de891 100644 --- a/provisioning/roles/apache/schema.j2 +++ b/provisioning/roles/apache/schema.j2 
@@ -1,6 +1,8 @@ {% macro expand_ansible_connection_attributes(attributes_map) %} {% for attr_key, attr_value in attributes_map.items() %} +{% if 'ansible' in attr_key %} {{- attr_key }}: {{ attr_value }} +{% endif %} {% endfor %} {%- endmacro -%} @@ -11,7 +13,7 @@ apache: apache{{ loop.index }}: ansible_host: {{ apache_value['ip'] }} - {{ expand_ansible_connection_attributes(apache_value['connection_attributes']) | indent(6) }} + {{ expand_ansible_connection_attributes(apache_value) | indent(6) }} {%- endfor %} {% endif %} diff --git a/provisioning/roles/qa_framework/schema.j2 b/provisioning/roles/qa_framework/schema.j2 index c34218c18f..a21b295280 100644 --- a/provisioning/roles/qa_framework/schema.j2 +++ b/provisioning/roles/qa_framework/schema.j2 @@ -1,6 +1,8 @@ {% macro expand_ansible_connection_attributes(attributes_map) %} {% for attr_key, attr_value in attributes_map.items() %} +{% if 'ansible' in attr_key %} {{- attr_key }}: {{ attr_value }} +{% endif %} {% endfor %} {%- endmacro -%} @@ -11,7 +13,7 @@ qa_framework: qa_framework{{ loop.index }}: ansible_host: {{ qa_framework_value['ip'] }} - {{ expand_ansible_connection_attributes(qa_framework_value['connection_attributes']) | indent(6) }} + {{ expand_ansible_connection_attributes(qa_framework_value) | indent(6) }} qa_repository_reference: {{ qa_framework_value['qa_repository_reference'] }} {%- endfor %} {% endif %} From da04dda20c8198b2556cdd32825cb3338c21978c Mon Sep 17 00:00:00 2001 From: Julia Date: Fri, 5 Aug 2022 13:20:43 +0200 Subject: [PATCH 321/552] fix: Change wget to curl --- .../test_ip_reputation/data/playbooks/configuration.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/end_to_end/test_ip_reputation/data/playbooks/configuration.yaml b/tests/end_to_end/test_ip_reputation/data/playbooks/configuration.yaml index 10705c5661..2d8124c6c4 100644 --- a/tests/end_to_end/test_ip_reputation/data/playbooks/configuration.yaml 
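Review bot: The new `{% if 'ansible' in attr_key %}` guard in `expand_ansible_connection_attributes` is a substring test, so any key that merely contains the word is copied into the host's inventory vars, whereas the intent appears to be the `ansible_*` connection settings now that the macro receives the whole `apache_value` map instead of `connection_attributes`. `{% if attr_key.startswith('ansible_') %}` states that precisely, and the identical macro in `qa_framework/schema.j2` should get the same change. Values are still rendered unquoted, which is acceptable for connection settings but worth a comment on the macro.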
+++ b/tests/end_to_end/test_ip_reputation/data/playbooks/configuration.yaml @@ -15,15 +15,15 @@ become: true shell: yum install python39 -y - - name: Download Alienvault IP + - name: Download Alienvault IP set become: true shell: > - wget https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/alienvault_reputation.ipset - -O /var/ossec/etc/lists/alienvault_reputation.ipset + curl https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/alienvault_reputation.ipset + -o /var/ossec/etc/lists/alienvault_reputation.ipset - name: Download script to convert from ipset format to cdblist format become: true - shell: wget https://wazuh.com/resources/iplist-to-cdblist.py -O /tmp/iplist-to-cdblist.py + shell: curl https://wazuh.com/resources/iplist-to-cdblist.py -o /tmp/iplist-to-cdblist.py - name: Add the attacker IP to the list become: true From eff97b986a58d67ee27a9baaeda8694374fe6139 Mon Sep 17 00:00:00 2001 From: Julia Date: Fri, 5 Aug 2022 13:22:25 +0200 Subject: [PATCH 322/552] fix: Add new line --- .../test_ip_reputation/data/playbooks/configuration.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/end_to_end/test_ip_reputation/data/playbooks/configuration.yaml b/tests/end_to_end/test_ip_reputation/data/playbooks/configuration.yaml index 2d8124c6c4..f3088346ec 100644 --- a/tests/end_to_end/test_ip_reputation/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_ip_reputation/data/playbooks/configuration.yaml @@ -56,6 +56,7 @@ apache /var/log/httpd/access_log + ruleset/decoders From 0b80f8679a9cd77c1f7cb55154a07712d46a2d0c Mon Sep 17 00:00:00 2001 From: Julia Date: Fri, 5 Aug 2022 13:28:56 +0200 Subject: [PATCH 323/552] fix: Delete python installation --- .../test_ip_reputation/data/playbooks/configuration.yaml | 4 ---- 1 file changed, 4 deletions(-) 
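Review bot: Neither `curl` invocation passes `-f`/`--fail`, so an HTTP error page from GitHub or wazuh.com is written into `/var/ossec/etc/lists/alienvault_reputation.ipset` or `/tmp/iplist-to-cdblist.py` and the task still reports success, whereas the replaced `wget -O` at least exited non-zero. Use `curl -fsSL --retry 3 <url> -o <dest>` on both lines, or better the `get_url` module, which fails on HTTP errors and accepts `checksum: sha256:<digest>`; the converter script is presumably executed on the manager by a task outside this hunk, so pinning it guards against a changed or tampered download rather than only a failed one.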
diff --git a/tests/end_to_end/test_ip_reputation/data/playbooks/configuration.yaml b/tests/end_to_end/test_ip_reputation/data/playbooks/configuration.yaml index f3088346ec..e351a87884 100644 --- a/tests/end_to_end/test_ip_reputation/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_ip_reputation/data/playbooks/configuration.yaml @@ -11,10 +11,6 @@ become: true shell: systemctl start httpd - - name: Install pyhton - become: true - shell: yum install python39 -y - - name: Download Alienvault IP set become: true shell: > From ce7b61dd8739f363eba3583db35fb34f6754fd96 Mon Sep 17 00:00:00 2001 From: Julia Date: Fri, 5 Aug 2022 13:36:53 +0200 Subject: [PATCH 324/552] fix: Refactor expected alerts --- .../test_ip_reputation/test_ip_reputation.py | 32 ++++++++----------- 1 file changed, 14 insertions(+), 18 deletions(-) diff --git a/tests/end_to_end/test_ip_reputation/test_ip_reputation.py b/tests/end_to_end/test_ip_reputation/test_ip_reputation.py index d5d9ae5ee7..073932012d 100644 --- a/tests/end_to_end/test_ip_reputation/test_ip_reputation.py +++ b/tests/end_to_end/test_ip_reputation/test_ip_reputation.py 
@@ -21,38 +21,34 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_ip_reputation(configure_environment, metadata, get_dashboard_credentials, generate_events, - clean_alerts_index): +def test_ip_reputation(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): """ Test to detect a IP Reputation """ - first_alert = {"rule_id": metadata['malicious_ip']['rule.id'], - "rule_level": metadata['malicious_ip']['rule.level'], - "rule_description": metadata['malicious_ip']['rule.description']} - second_alert = {"rule_id": metadata['active_response']['rule.id'], - "rule_level": metadata['active_response']['rule.level'], - "rule_description": metadata['active_response']['rule.description']} + malicious_ip_alert = metadata['malicious_ip'] + active_response_alert = metadata['active_response'] + expected_alerts = [malicious_ip_alert, active_response_alert] - ip_alerts = [first_alert, second_alert] + for alert in expected_alerts: + rule_level = alert['rule.level'] + rule_id = alert['rule.id'] + rule_description = alert['rule.description'] - for alert in ip_alerts: expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)",' \ - fr'"rule"\:{{"level"\:{alert["rule_level"]},' \ - fr'"description"\:"{alert["rule_description"]}","id"\:"{alert["rule_id"]}".*\}}' + fr'"rule"\:{{"level"\:{rule_level},' \ + fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' - expected_indexed_alert = fr'.*"rule":.*"level": {alert["rule_level"]},' \ - fr'.*"description": "{alert["rule_description"]}"' \ - fr'.*"id": "{alert["rule_id"]}".*'\ + expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},' \ + fr'.*"description": "{rule_description}"' \ + fr'.*"id": "{rule_id}".*'\ r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' # Check that alert has been raised and save timestamp raised_alert = 
evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - error_message='The alert has not occurred').result() + error_message=f"The alert '{rule_description}' has not occurred").result() raised_alert_timestamp = raised_alert.group(1) - rule_id = alert["rule_id"] - query = e2e.make_query([ { From a6d3836ae7f246d3e199045790b045b405a06480 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Fri, 5 Aug 2022 09:16:32 -0300 Subject: [PATCH 325/552] fix: rule id added in the integration config. #3126 --- .../test_slack_integration/data/playbooks/configuration.yaml | 1 + .../data/test_cases/cases_slack_integration.yaml | 3 ++- .../test_slack_integration/test_slack_integration.py | 3 ++- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/tests/end_to_end/test_slack_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_slack_integration/data/playbooks/configuration.yaml index 8dde578413..0949898f33 100644 --- a/tests/end_to_end/test_slack_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_slack_integration/data/playbooks/configuration.yaml @@ -16,6 +16,7 @@ slack {{ web_hook_url }} 10 + {{ RULE_ID }} json diff --git a/tests/end_to_end/test_slack_integration/data/test_cases/cases_slack_integration.yaml b/tests/end_to_end/test_slack_integration/data/test_cases/cases_slack_integration.yaml index 4221639a9a..7975633115 100644 --- a/tests/end_to_end/test_slack_integration/data/test_cases/cases_slack_integration.yaml +++ b/tests/end_to_end/test_slack_integration/data/test_cases/cases_slack_integration.yaml @@ -1,6 +1,7 @@ - name: slack_integration_brute_force_attack description: Test that Wazuh sends the alert via Slack by attempting a brute force SSH attack. - configuration_parameters: null + configuration_parameters: + RULE_ID: 5712 metadata: rule.id: 5712 rule.description: "sshd: brute force trying to get access to the system. Non existent user." 
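Review bot: `rule_description` (and `rule_id`) is interpolated verbatim into `expected_alert_json` and `expected_indexed_alert`, both of which are consumed as regular expressions, so a description containing `.`, `(`, `[` or `+` is matched as a pattern rather than literally and the YAML test data has to be hand-escaped. Apply `re.escape` at the top of the loop, `rule_description = re.escape(alert['rule.description'])`, importing `re` if the module does not already; the emotet cases elsewhere on this page show the escaping burden the current form creates. The loop body and `test_ip_reputation` continue past the end of this hunk.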
diff --git a/tests/end_to_end/test_slack_integration/test_slack_integration.py b/tests/end_to_end/test_slack_integration/test_slack_integration.py index ef1b134194..d4ae6acd8a 100644 --- a/tests/end_to_end/test_slack_integration/test_slack_integration.py +++ b/tests/end_to_end/test_slack_integration/test_slack_integration.py @@ -30,11 +30,12 @@ # Update configuration with custom paths metadata = config.update_configuration_template(metadata, ['CUSTOM_SLACK_SCRIPT_PATH'], [slack_api_script]) +configuration_extra_vars = configuration[0] @pytest.fixture(scope='function') def remove_slack_log(): - """Delete the temporary path to the file containing the Slack messages. + """Delete the temporary file containing the Slack messages. """ yield From 786e4087d052d815dddf1ec6dad402d7020a5a6f Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Fri, 5 Aug 2022 10:39:58 -0300 Subject: [PATCH 326/552] fix: now the test waits until Suricata finish its initialization. #3114 --- .../data/playbooks/configuration.yaml | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/tests/end_to_end/test_suricata_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_suricata_integration/data/playbooks/configuration.yaml index 126f894ea7..96444ea775 100644 --- a/tests/end_to_end/test_suricata_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_suricata_integration/data/playbooks/configuration.yaml @@ -3,6 +3,7 @@ become: true vars: suricata_conf_path: /etc/suricata/suricata.yaml + suricata_log_path: /var/log/suricata/suricata.log tasks: - name: Configure Wazuh to read Suricata logs file 
@@ -63,10 +64,12 @@ replace: 'default-rule-path: /var/lib/suricata/rules\n\nrule-files:\n - "*.rules"' - name: Configure live rule reloading - replace: + blockinfile: path: "{{ suricata_conf_path }}" - regexp: '#include: include2.yaml' - replace: '#include: include2.yaml\ndetect-engine:\n - rule-reload: true' + insertafter: EOF + block: | + detect-engine: + - rule-reload: true - name: Updating Suricata rules shell: suricata-update @@ -75,3 +78,8 @@ systemd: state: started name: suricata + + - name: Wait for Suricata to start completely + wait_for: + path: "{{ suricata_log_path }}" + search_regex: - All AFP capture threads are running. From fa5a5783cbc025ac40302061a8953e99d9439402 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Fri, 5 Aug 2022 11:09:57 -0300 Subject: [PATCH 327/552] fix: linter corrections applied. #3114 --- .../data/playbooks/configuration.yaml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/tests/end_to_end/test_suricata_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_suricata_integration/data/playbooks/configuration.yaml index 96444ea775..895fe437f0 100644 --- a/tests/end_to_end/test_suricata_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_suricata_integration/data/playbooks/configuration.yaml @@ -67,9 +67,7 @@ blockinfile: path: "{{ suricata_conf_path }}" insertafter: EOF - block: | - detect-engine: - - rule-reload: true + block: "detect-engine:\n - rule-reload: true" - name: Updating Suricata rules shell: suricata-update From a5520393c780b7e3f5cf533f22dd8f423a5fd5fa Mon Sep 17 00:00:00 2001 From: Julia Date: Mon, 8 Aug 2022 10:14:13 +0200 Subject: [PATCH 328/552] fix: Clean Suricata logs --- .../data/playbooks/configuration.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tests/end_to_end/test_suricata_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_suricata_integration/data/playbooks/configuration.yaml index 895fe437f0..115fa8a16e 100644 
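Review bot: In the new `Wait for Suricata to start completely` task, `search_regex: - All AFP capture threads are running.` is an unquoted value beginning with `- `, which YAML cannot read as a plain scalar (a leading dash plus space is the sequence indicator), so `wait_for` receives a list or the playbook fails to parse instead of polling for the intended log line. Quote it and escape the trailing dot since it is a regex: `search_regex: '- All AFP capture threads are running\.'`. If the collapsed rendering of this page is what joined the dash onto the key, the playbook's own YAML is the source of truth; a `timeout:` on the task would also keep a Suricata start failure from taking the 300 s module default.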
--- a/tests/end_to_end/test_suricata_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_suricata_integration/data/playbooks/configuration.yaml @@ -69,6 +69,9 @@ insertafter: EOF block: "detect-engine:\n - rule-reload: true" + - name: Clean Suricata logs + shell: echo '' > "{{ suricata_log_path }}" + - name: Updating Suricata rules shell: suricata-update From 7c8101f5a80db63bc84431aceaef0ebbec796a3c Mon Sep 17 00:00:00 2001 From: Julia Date: Tue, 9 Aug 2022 19:25:34 +0200 Subject: [PATCH 329/552] fix: Add windows auto logon and fix expected alerts --- .../data/playbooks/configuration.yaml | 8 +++ .../data/playbooks/generate_events.yaml | 8 +-- .../data/test_cases/cases_emotet.yaml | 17 +++-- tests/end_to_end/test_emotet/test_emotet.py | 69 ++++++++++--------- 4 files changed, 61 insertions(+), 41 deletions(-) diff --git a/tests/end_to_end/test_emotet/data/playbooks/configuration.yaml b/tests/end_to_end/test_emotet/data/playbooks/configuration.yaml index ef218e20b3..e9f10f89c1 100644 --- a/tests/end_to_end/test_emotet/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_emotet/data/playbooks/configuration.yaml @@ -2,6 +2,14 @@ hosts: wazuh-windows tasks: + - name: Auto logon + community.windows.win_auto_logon: + username: "{{ ansible_user }}" + password: "{{ ansible_password }}" + + - name: Reboot Windows agent + win_reboot: + - name: Disable Windows Defender win_shell: | Set-MpPreference -DisableRealtimeMonitoring 1 diff --git a/tests/end_to_end/test_emotet/data/playbooks/generate_events.yaml b/tests/end_to_end/test_emotet/data/playbooks/generate_events.yaml index eb6868b25d..df7da79516 100644 --- a/tests/end_to_end/test_emotet/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_emotet/data/playbooks/generate_events.yaml 
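Review bot: The `Clean Suricata logs` task truncates the file through `shell: echo '' > "{{ suricata_log_path }}"`, which actually writes a newline and reaches for a shell where a module does the job declaratively and idempotently. `ansible.builtin.copy` with `content: ''` and `dest: "{{ suricata_log_path }}"` (or `file: state: absent` if the log may not exist yet) is the usual form, and it avoids shell interpretation of the templated path. The play header with `become: true` is outside this hunk.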
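Review bot: `community.windows.win_auto_logon` with `username: "{{ ansible_user }}"` and `password: "{{ ansible_password }}"` persists the Ansible account's credentials on the Windows agent so it can log on unattended, and nothing in this hunk removes them again; combined with the following `Disable Windows Defender` task the host is left in a weakened state after the test. Add a matching `community.windows.win_auto_logon:` task with `state: absent` to `teardown.yaml` (outside this hunk), and document in a comment that this host is to be treated as disposable. The `win_reboot:` directly after it relies on the module's default wait; stating that intent in a comment or setting `reboot_timeout` makes the dependency explicit.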
@@ -8,12 +8,12 @@ - name: Generate events windows hosts: wazuh-windows - tasks: + - name: Execute trigger-emotet.exe - win_command: C:\temp\PSTools\psexec.exe -accepteula -nobanner -i 1 -d C:\temp\trigger-emotet.exe + win_shell: C:\temp\PSTools\psexec.exe -accepteula -nobanner -i 1 -d C:\temp\trigger-emotet.exe register: output - failed_when: '"with process ID {{ output.rc }}" not in output.stderr' + failed_when: '"with process ID" not in output.stderr' - name: Wait alert hosts: wazuh-manager @@ -21,7 +21,7 @@ - name: Wait for alert wait_for: - timeout: 5 + timeout: 10 - name: Get alerts.json fetch: diff --git a/tests/end_to_end/test_emotet/data/test_cases/cases_emotet.yaml b/tests/end_to_end/test_emotet/data/test_cases/cases_emotet.yaml index cc5a5abd6f..3ef00c97ad 100644 --- a/tests/end_to_end/test_emotet/data/test_cases/cases_emotet.yaml +++ b/tests/end_to_end/test_emotet/data/test_cases/cases_emotet.yaml @@ -2,8 +2,15 @@ description: Execute emotet attack and check generated alerts configuration_parameters: null metadata: - rule.id: 92151 - rule.level: 12 - rule.description: Binary loaded PowerShell automation library - - Possible unmanaged Powershell execution by suspicious process - process: trigger-emotet.exe + regsvr32: + rule.id: 255561 + rule.level: 5 + rule.description: 'Regsvr32: C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wscript.exe' + extra: + groups: emotet + word_executing_script: + rule.id: 255926 + rule.level: 12 + rule.description: Word Executing WScript C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wscript.exe + extra: + groups: emotet diff --git a/tests/end_to_end/test_emotet/test_emotet.py b/tests/end_to_end/test_emotet/test_emotet.py index a9577c6129..9749dcaae5 100644 --- a/tests/end_to_end/test_emotet/test_emotet.py +++ b/tests/end_to_end/test_emotet/test_emotet.py 
@@ -30,42 +30,47 @@ def test_emotet(configure_environment, metadata, get_dashboard_credentials, gene """ Test to detect an emotet attack """ - rule_level = metadata['rule.level'] - rule_id = metadata['rule.id'] - rule_description = metadata['rule.description'] - process = metadata['process'] + regsvr32_alert = metadata['regsvr32'] + word_executing_script_alert = metadata['word_executing_script'] + expected_alerts = [regsvr32_alert, word_executing_script_alert] - expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)",' \ - fr'"rule"\:{{"level"\:{rule_level},' \ - fr'"description"\:"{rule_description}","id"\:"{rule_id}".*' \ - fr'"full_log"\:.*{process}.*\}}' + for alert in expected_alerts: + rule_level = alert['rule.level'] + rule_id = alert['rule.id'] + rule_description = alert['rule.description'] + rule_groups = alert['extra']['groups'] - expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \ - fr'.*"id": "{rule_id}".*"full_log":.*{process}.*' \ - r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' + expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)",' \ + fr'"rule"\:{{"level"\:{rule_level},' \ + fr'"description"\:"{rule_description}","id"\:"{rule_id}".*' \ + fr'"groups"\:\["{rule_groups}"\].*\}}' - # Check that alert has been raised and save timestamp - raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - error_message='The alert has not occurred').result() - raised_alert_timestamp = raised_alert.group(1) + expected_indexed_alert = fr'.*"rule":.*"level": {rule_level}, "description": "{rule_description}".*'\ + fr'"groups": \["{rule_groups}"\].*"id": "{rule_id}".*' \ + r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' - query = e2e.make_query([ - { - "term": { - "rule.id": f"{rule_id}" - } - }, - { - "term": { - "timestamp": f"{raised_alert_timestamp}" + # Check that alert has been raised and save timestamp + raised_alert 
= evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + error_message=f"The alert '{rule_description}' has not occurred").result() + raised_alert_timestamp = raised_alert.group(1) + + query = e2e.make_query([ + { + "term": { + "rule.id": f"{rule_id}" + } + }, + { + "term": { + "timestamp": f"{raised_alert_timestamp}" + } } - } - ]) + ]) - # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) - indexed_alert = json.dumps(response.json()) + # Check if the alert has been indexed and get its data + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + indexed_alert = json.dumps(response.json()) - # Check that the alert data is the expected one - alert_data = re.search(expected_indexed_alert, indexed_alert) - assert alert_data is not None, 'Alert triggered, but not indexed' + # Check that the alert data is the expected one + alert_data = re.search(expected_indexed_alert, indexed_alert) + assert alert_data is not None, f"Alert '{rule_description}' triggered, but not indexed" From 07c6b9c6c78a978098c2e330d7dd9eaa7b271c49 Mon Sep 17 00:00:00 2001 From: Julia Date: Wed, 10 Aug 2022 08:48:45 +0200 Subject: [PATCH 330/552] fix: Delete unnecessary script --- tests/end_to_end/test_emotet/test_emotet.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tests/end_to_end/test_emotet/test_emotet.py b/tests/end_to_end/test_emotet/test_emotet.py index 9749dcaae5..7d6d2bcde0 100644 --- a/tests/end_to_end/test_emotet/test_emotet.py +++ b/tests/end_to_end/test_emotet/test_emotet.py 
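Review bot: The new `expected_alert_json` and `expected_indexed_alert` patterns demand `"groups":["emotet"]` / `"groups": ["emotet"]` exactly, i.e. an alert whose groups array contains only `emotet`; if the rule also carries other groups the match fails and the test reports a false negative, so unless that single-group layout is guaranteed loosen it to `fr'"groups"\:\[[^\]]*"{rule_groups}"[^\]]*\]'`. `rule_description` is also interpolated unescaped into both regexes, which is why `cases_emotet.yaml` has to carry eight backslashes per path separator; `re.escape` on the description would remove the regex layer of that escaping. The enclosing `test_emotet` starts before this hunk.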
@@ -15,8 +15,7 @@ configuration_playbooks = ['configuration.yaml'] emotet_file_path = os.path.join(test_data_path, 'configuration', 'trigger-emotet.exe') sysmon_config = os.path.join(test_data_path, 'configuration', 'sysconfig.xml') -vbs_script = os.path.join(test_data_path, 'configuration', 'exec_emotet_script.vbs') -configuration_extra_vars = {'emotet_file': emotet_file_path, 'sysmon_config': sysmon_config, 'vbs_script': vbs_script} +configuration_extra_vars = {'emotet_file': emotet_file_path, 'sysmon_config': sysmon_config} events_playbooks = ['generate_events.yaml'] teardown_playbooks = ['teardown.yaml'] From ca4f968fbf0a2a700a67ff6a27b368b79a1c3549 Mon Sep 17 00:00:00 2001 From: Julia Date: Wed, 10 Aug 2022 14:02:34 +0200 Subject: [PATCH 331/552] fix: Change how types are obtained --- .../wazuh_testing/qa_docs/lib/config.py | 14 ++++++++++---- .../wazuh_testing/qa_docs/schema.yaml | 2 +- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/deps/wazuh_testing/wazuh_testing/qa_docs/lib/config.py b/deps/wazuh_testing/wazuh_testing/qa_docs/lib/config.py index c5f3ce2b85..95a429ef04 100644 --- a/deps/wazuh_testing/wazuh_testing/qa_docs/lib/config.py +++ b/deps/wazuh_testing/wazuh_testing/qa_docs/lib/config.py @@ -105,9 +105,11 @@ def __set_documentation_path(self, path): def __get_test_types(self): """Get all the test types within wazuh-qa framework.""" - for name in os.listdir(self.project_path): - if os.path.isdir(os.path.join(self.project_path, name)): - self.test_types.append(name) + predefined_types = self.predefined_values['type'] + for type in predefined_types: + for folder in self.project_path.split(os.sep): + if type == folder and type not in self.test_types: + self.test_types.append(type) def __get_include_paths(self): """Get all the components and suites to include within all the specified types.""" 
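Review bot: `__get_test_types` now compares every component of `self.project_path` against the predefined type names, so a checkout whose directory above the tests tree happens to be called `unit`, `system` or `integration` registers that type even though the path does not point at it. Restrict the comparison to the part of the path under the tests root, or fall back to `os.path.isdir(os.path.join(self.project_path, test_type))` when no component matches, and document in the docstring that the type is inferred from the path. `for type in predefined_types` also shadows the builtin `type`; `test_type` is the usual name.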
@@ -115,7 +117,11 @@ def __get_include_paths(self): self.include_paths = [] for type in self.test_types: - subset_tests = os.path.join(self.project_path, type) + if type not in self.project_path: + subset_tests = os.path.join(self.project_path, type) + else: + subset_tests = self.project_path + if self.test_components: if self.test_suites: if self.test_modules: diff --git a/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml b/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml index 734e0cba75..729ab37a04 100644 --- a/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml +++ b/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml @@ -351,4 +351,4 @@ predefined_values: - who_data - windows - worker - - wpk \ No newline at end of file + - wpk From 5131e340b4ecb7c6a4f53b16805600a0eebc565b Mon Sep 17 00:00:00 2001 From: Julia Date: Wed, 10 Aug 2022 14:08:42 +0200 Subject: [PATCH 332/552] add: Include tests that are not in sub directories --- deps/wazuh_testing/wazuh_testing/qa_docs/lib/config.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/deps/wazuh_testing/wazuh_testing/qa_docs/lib/config.py b/deps/wazuh_testing/wazuh_testing/qa_docs/lib/config.py index 95a429ef04..ab22c26a8f 100644 --- a/deps/wazuh_testing/wazuh_testing/qa_docs/lib/config.py +++ b/deps/wazuh_testing/wazuh_testing/qa_docs/lib/config.py @@ -114,6 +114,7 @@ def __get_test_types(self): def __get_include_paths(self): """Get all the components and suites to include within all the specified types.""" dir_regex = re.compile("test_.") + test_regex = re.compile("^test_.*.py$") self.include_paths = [] for type in self.test_types: 
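Review bot: `if type not in self.project_path:` in `__get_include_paths` is a substring test on the path string, so a type name that occurs inside another directory name (`unit` inside `community`, for instance) makes the code skip the `os.path.join(self.project_path, type)` branch and use `project_path` itself as `subset_tests`. Compare path components instead, consistent with the split used in `__get_test_types`: `if type not in self.project_path.split(os.sep):`. The rest of the method is outside this hunk.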
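Review bot: `test_regex = re.compile("^test_.*.py$")` leaves the dot before `py` unescaped, so a name such as `test_happy` with no extension also satisfies it and is treated as a test module. Use a raw string with the dot escaped, `test_regex = re.compile(r"^test_.*\.py$")`, and a short comment saying it selects test modules that sit directly under the type directory. The existing `dir_regex` on the line above has the same loose dot but is outside the new code.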
@@ -149,6 +150,8 @@ def __get_include_paths(self): for name in os.listdir(subset_tests): if os.path.isdir(os.path.join(subset_tests, name)) and dir_regex.match(name): self.include_paths.append(os.path.join(subset_tests, name)) + elif test_regex.match(name) and subset_tests not in self.include_paths: + self.include_paths.append(subset_tests) def __read_schema_file(self, file): """Read schema file. From 9937cfdde405b3be7e4568a3416801eacda9b2ff Mon Sep 17 00:00:00 2001 From: Julia Date: Wed, 10 Aug 2022 14:17:43 +0200 Subject: [PATCH 333/552] add: Add `end_to_end` to types --- deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml b/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml index 729ab37a04..9c2e7f22f9 100644 --- a/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml +++ b/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml @@ -49,6 +49,7 @@ predefined_values: - performance - system - unit + - end_to_end components: - active_response - agentd From 689d4056a6b68e9f445dbda2f4c55edaf6eb5714 Mon Sep 17 00:00:00 2001 From: Julia Date: Wed, 10 Aug 2022 14:18:25 +0200 Subject: [PATCH 334/552] fix: Add expected parameter for check_documentation --- deps/wazuh_testing/wazuh_testing/scripts/qa_docs.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/deps/wazuh_testing/wazuh_testing/scripts/qa_docs.py b/deps/wazuh_testing/wazuh_testing/scripts/qa_docs.py index 26adb01a5e..c1e1935517 100644 --- a/deps/wazuh_testing/wazuh_testing/scripts/qa_docs.py +++ b/deps/wazuh_testing/wazuh_testing/scripts/qa_docs.py 
@@ -258,6 +258,12 @@ def check_incompatible_parameters(parameters): 'as input', qadocs_logger.error) + if parameters.check_doc: + if not parameters.test_modules: + raise QAValueError('The --check-documentation option needs the modules to be checked. You must specify it by' + ' using -m.', + qadocs_logger.error) + qadocs_logger.debug('Parameters incompatibilities checked.') From af70877a72795fb176ee4203836794d4cfe0fff6 Mon Sep 17 00:00:00 2001 From: Julia Date: Wed, 10 Aug 2022 14:56:59 +0200 Subject: [PATCH 335/552] add: Add audit module documentation --- .../wazuh_testing/qa_docs/schema.yaml | 1 + tests/end_to_end/test_audit/test_audit.py | 37 +++++++++++++++++++ 2 files changed, 38 insertions(+) diff --git a/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml b/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml index 9c2e7f22f9..d26e224799 100644 --- a/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml +++ b/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml @@ -209,6 +209,7 @@ predefined_values: - debian - debian_feeds - decoder + - demo - diff - disk_quota - dos_attack diff --git a/tests/end_to_end/test_audit/test_audit.py b/tests/end_to_end/test_audit/test_audit.py index f74b82233a..327c0781e6 100644 --- a/tests/end_to_end/test_audit/test_audit.py +++ b/tests/end_to_end/test_audit/test_audit.py 
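Review bot: The two nested `if` statements added for `--check-documentation` can be one condition, `if parameters.check_doc and not parameters.test_modules:`, which matches the flat shape of the other incompatibility checks in this function and avoids an extra indentation level around the `raise`. The split string literal for the message is fine as it is, but a comment on the check stating why modules are mandatory (`# --check-documentation validates specific modules; without -m there is nothing to check`) would save the next reader a trip to the argparse definition. `check_incompatible_parameters` begins outside the hunk.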
@@ -1,3 +1,40 @@ +''' +copyright: Copyright (C) 2015-2022, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: end_to_end + +brief: This test will verify that the integration with audit is working correctly. + Audit logging is used to capture and log execve system calls. + +components: + - logcollector + +targets: + - manager + +daemons: + - wazuh-logcollector + - wazuh-analysisd + +os_platform: + - linux + +os_version: + - CentOS 8 + +references: + - https://github.com/wazuh/wazuh-automation/wiki/Wazuh-demo:-Execution-guide#audit + - https://documentation.wazuh.com/current/proof-of-concept-guide/audit-commands-run-by-user.html + +tags: + - demo + - auditd + - audit_rules +''' import os import json import re From 9db4ebae22d9808c56519b6ef90c7fd05ea0371e Mon Sep 17 00:00:00 2001 From: Julia Date: Wed, 10 Aug 2022 15:07:51 +0200 Subject: [PATCH 336/552] add: Add test_audit documentation --- tests/end_to_end/test_audit/test_audit.py | 38 +++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/tests/end_to_end/test_audit/test_audit.py b/tests/end_to_end/test_audit/test_audit.py index 327c0781e6..f1df35352d 100644 --- a/tests/end_to_end/test_audit/test_audit.py +++ b/tests/end_to_end/test_audit/test_audit.py 
@@ -59,6 +59,44 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) def test_audit(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): + ''' + description: Check that an alert is generated and indexed when a command is executed. + + test_phases: + - Set a custom Wazuh configuration. + - Generate an event. + - Check in the alerts.json log that the expected alert has been triggered and get its timestamp. + - Check that the obtained alert from alerts.json has been indexed. + + wazuh_min_version: 4.4.0 + + tier: 0 + + parameters: + - configurate_environment: + type: fixture + brief: Set the wazuh configuration according to the configuration playbook. + - metadata: + type: dict + brief: Wazuh configuration metadata. + - get_dashboard_credentials: + type: fixture + brief: Get the wazuh dashboard credentials. + - generate_events: + type: fixture + brief: Generate events that will trigger the alert according to the generate_events playbook. + - clean_alerts_index: + type: fixture + brief: Delete obtained alerts.json and alerts index. + + assertions: + - Verify that the alert has been triggered. + - Verify that the same alert has been indexed. + + input_description: + - The `configuration.yaml` file provides the module configuration for this test. + - The `generate_events.yaml`file provides the function configuration for this test. + ''' level = metadata['level'] description = metadata['description'] rule_id = metadata['rule.id'] From fc6b9e3299fd7e6b995f8d0bebcb43da5ea565ca Mon Sep 17 00:00:00 2001 
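Review bot: The `parameters:` section of the new docstring documents `configurate_environment`, while the fixture in the `test_audit` signature is `configure_environment`; the docstring entry should read `- configure_environment:` so the qa_docs tooling and readers can match it to the real fixture. In `input_description`, "The `generate_events.yaml`file provides" is missing a space after the closing backtick. The body of `test_audit` continues outside the hunk.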
From: Belen Valdivia Date: Wed, 10 Aug 2022 12:59:44 -0300 Subject: [PATCH 337/552] add: separate test cases brute force --- .../data/playbooks/generate_events.yaml | 17 ----- .../data/test_cases/cases_brute_force.yaml | 12 ---- .../linux/test_brute_force_linux.py | 66 +++++++++++++++++++ .../data/playbooks/configuration.yaml | 0 .../data/playbooks/generate_events.yaml | 43 ++++++++++++ .../data/test_cases/cases_brute_force.yaml | 11 ++++ .../test_brute_force_windows.py} | 4 +- 7 files changed, 122 insertions(+), 31 deletions(-) rename tests/end_to_end/test_brute_force/{ => linux}/data/playbooks/generate_events.yaml (70%) rename tests/end_to_end/test_brute_force/{ => linux}/data/test_cases/cases_brute_force.yaml (51%) create mode 100644 tests/end_to_end/test_brute_force/linux/test_brute_force_linux.py rename tests/end_to_end/test_brute_force/{ => windows}/data/playbooks/configuration.yaml (100%) create mode 100644 tests/end_to_end/test_brute_force/windows/data/playbooks/generate_events.yaml create mode 100644 tests/end_to_end/test_brute_force/windows/data/test_cases/cases_brute_force.yaml rename tests/end_to_end/test_brute_force/{test_brute_force.py => windows/test_brute_force_windows.py} (96%) diff --git a/tests/end_to_end/test_brute_force/data/playbooks/generate_events.yaml b/tests/end_to_end/test_brute_force/linux/data/playbooks/generate_events.yaml similarity index 70% rename from tests/end_to_end/test_brute_force/data/playbooks/generate_events.yaml rename to tests/end_to_end/test_brute_force/linux/data/playbooks/generate_events.yaml index 8d6dcb71ee..5bad2651c0 100644 --- a/tests/end_to_end/test_brute_force/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_brute_force/linux/data/playbooks/generate_events.yaml 
@@ -32,23 +32,6 @@ - "'Permission denied' not in result.stdout" when: agent_os == "Linux" - # Case: Windows agent - - name: Attempt a RDP brute force attack - shell: hydra -l {{ item }} -p invalid_password rdp://wazuh-windows - loop: - - test_user - - test_user - - test_user - - test_user - - test_user - - test_user - - test_user - - test_user - register: result - failed_when: - - "'0 valid password found' not in result.stdout" - when: agent_os == "Windows" - - name: Wait for alert wait_for: timeout: 5 diff --git a/tests/end_to_end/test_brute_force/data/test_cases/cases_brute_force.yaml b/tests/end_to_end/test_brute_force/linux/data/test_cases/cases_brute_force.yaml similarity index 51% rename from tests/end_to_end/test_brute_force/data/test_cases/cases_brute_force.yaml rename to tests/end_to_end/test_brute_force/linux/data/test_cases/cases_brute_force.yaml index d8af2bca0f..961242a177 100644 --- a/tests/end_to_end/test_brute_force/data/test_cases/cases_brute_force.yaml +++ b/tests/end_to_end/test_brute_force/linux/data/test_cases/cases_brute_force.yaml @@ -9,15 +9,3 @@ mitre_technique: Brute Force extra_vars: agent_os: Linux - -- name: rdp_brute_force - description: Check if the alert is generated when executing a brute force attack via RDP. - configuration_parameters: null - metadata: - rule.id: 60204 - rule.level: 10 - rule.description: Multiple Windows logon failures. - extra: - mitre_technique: Brute Force - extra_vars: - agent_os: Windows diff --git a/tests/end_to_end/test_brute_force/linux/test_brute_force_linux.py b/tests/end_to_end/test_brute_force/linux/test_brute_force_linux.py new file mode 100644 index 0000000000..c7905dd879 --- /dev/null +++ b/tests/end_to_end/test_brute_force/linux/test_brute_force_linux.py 
@@ -0,0 +1,66 @@ +import os +import json +import re +import pytest +from tempfile import gettempdir + +from wazuh_testing.tools import configuration as config +from wazuh_testing import end_to_end as e2e +from wazuh_testing import event_monitor as evm + +# Test cases data +alerts_json = os.path.join(gettempdir(), 'alerts.json') +test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') +test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_brute_force.yaml') + +# Playbooks +events_playbooks = ['generate_events.yaml'] +teardown_playbooks = None + +# Configuration +configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) + + +@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') +@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) +def test_brute_force(metadata, get_dashboard_credentials, generate_events, clean_alerts_index): + """ + Test to detect a SSH/RDP Brute Force attack + """ + rule_id = metadata['rule.id'] + rule_level = metadata['rule.level'] + rule_description = metadata['rule.description'] + rule_mitre_technique = metadata['extra']['mitre_technique'] + timestamp = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+' + + expected_alert_json = fr'\{{"timestamp":"({timestamp})","rule"\:{{"level"\:{rule_level},' \ + fr'"description"\:"{rule_description}","id"\:"{rule_id}".*' + + expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \ + fr'.*"mitre":.*"{rule_mitre_technique}".*"id": "{rule_id}".*' + + # Check that alert has been raised and save timestamp + raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + error_message='The alert has not occurred').result() + raised_alert_timestamp = raised_alert.group(1) + + query = e2e.make_query([ + { + "term": { + "rule.id": f"{rule_id}" + } + }, + { + "term": { + "timestamp": f"{raised_alert_timestamp}" + } + } + 
]) + + # Check if the alert has been indexed and get its data + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + indexed_alert = json.dumps(response.json()) + + # Check that the alert data is the expected one + alert_data = re.search(expected_indexed_alert, indexed_alert) + assert alert_data is not None, 'Alert triggered, but not indexed' diff --git a/tests/end_to_end/test_brute_force/data/playbooks/configuration.yaml b/tests/end_to_end/test_brute_force/windows/data/playbooks/configuration.yaml similarity index 100% rename from tests/end_to_end/test_brute_force/data/playbooks/configuration.yaml rename to tests/end_to_end/test_brute_force/windows/data/playbooks/configuration.yaml diff --git a/tests/end_to_end/test_brute_force/windows/data/playbooks/generate_events.yaml b/tests/end_to_end/test_brute_force/windows/data/playbooks/generate_events.yaml new file mode 100644 index 0000000000..eb0640edbf --- /dev/null +++ b/tests/end_to_end/test_brute_force/windows/data/playbooks/generate_events.yaml @@ -0,0 +1,43 @@ +- name: Truncate file + hosts: wazuh-manager + tasks: + + - name: Truncate alert.json + shell: echo "" > /var/ossec/logs/alerts/alerts.json + become: true + +- name: Generate events + hosts: localhost + tasks: + + # Case: Windows agent + - name: Attempt a RDP brute force attack + shell: hydra -l {{ item }} -p invalid_password rdp://wazuh-windows + loop: + - test_user + - test_user + - test_user + - test_user + - test_user + - test_user + - test_user + - test_user + register: result + failed_when: + - "'0 valid passwords found' not in result.stdout" + when: agent_os == "Windows" + + - name: Wait for alert + wait_for: + timeout: 5 + +- name: Get logs + hosts: wazuh-manager + tasks: + + - name: Get alerts.json + fetch: + src: /var/ossec/logs/alerts/alerts.json + dest: /tmp/ + flat: true + become: true 
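Review bot: The timestamp pattern `[+|-]\d+` in `test_brute_force` puts a literal `|` inside the character class rather than an alternation; `[+-]\d+` is what is meant, and the same pattern is carried into `windows/test_brute_force_windows.py` in the rename hunk on the next line. `rule_description` is interpolated into `expected_alert_json` and `expected_indexed_alert` unescaped, so a description such as `Multiple Windows logon failures.` matches any character at the dot; wrap it with `re.escape(rule_description)` or pre-escape it in the YAML as the FIM cases (`File deleted\.`) do. `f"{rule_id}"` in the query body is just `str(rule_id)`.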
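Review bot: `failed_when: "'0 valid passwords found' not in result.stdout"` uses the plural, while the copy of this task removed from the Linux playbook in the same commit matched `'0 valid password found'`; only one spelling can agree with the tool's real output, so one of the two playbooks will fail or pass unconditionally — confirm against an actual run and use the same string in both. The fixed `wait_for: timeout: 5` before fetching `alerts.json` is a sleep rather than a condition; waiting on the expected alert with `wait_for: path: /var/ossec/logs/alerts/alerts.json` plus `search_regex:`, as the vulnerability-detector configuration playbook does for `ossec.log`, would be less flaky. `shell: echo "" > /var/ossec/logs/alerts/alerts.json` can be `copy: content: '' dest: /var/ossec/logs/alerts/alerts.json`, which needs no shell and does not leave a blank first line.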
diff --git a/tests/end_to_end/test_brute_force/windows/data/test_cases/cases_brute_force.yaml b/tests/end_to_end/test_brute_force/windows/data/test_cases/cases_brute_force.yaml new file mode 100644 index 0000000000..4d1eca08e9 --- /dev/null +++ b/tests/end_to_end/test_brute_force/windows/data/test_cases/cases_brute_force.yaml @@ -0,0 +1,11 @@ +- name: rdp_brute_force + description: Check if the alert is generated when executing a brute force attack via RDP. + configuration_parameters: null + metadata: + rule.id: 60204 + rule.level: 10 + rule.description: Multiple Windows logon failures. + extra: + mitre_technique: Brute Force + extra_vars: + agent_os: Windows diff --git a/tests/end_to_end/test_brute_force/test_brute_force.py b/tests/end_to_end/test_brute_force/windows/test_brute_force_windows.py similarity index 96% rename from tests/end_to_end/test_brute_force/test_brute_force.py rename to tests/end_to_end/test_brute_force/windows/test_brute_force_windows.py index fc8822aa44..3b315d1f9d 100644 --- a/tests/end_to_end/test_brute_force/test_brute_force.py +++ b/tests/end_to_end/test_brute_force/windows/test_brute_force_windows.py @@ -26,13 +26,13 @@ @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) def test_brute_force(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): """ - Test to detect a SSH/RDP Brute Force attack + Test to detect a RDP Brute Force attack """ rule_id = metadata['rule.id'] rule_level = metadata['rule.level'] rule_description = metadata['rule.description'] rule_mitre_technique = metadata['extra']['mitre_technique'] - timestamp = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+' + timestamp = fr'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+' expected_alert_json = fr'\{{"timestamp":"({timestamp})","rule"\:{{"level"\:{rule_level},' \ fr'"description"\:"{rule_description}","id"\:"{rule_id}".*' From 2a92ce917b3517f49fb2f22326f87e19ade58a80 Mon Sep 17 00:00:00 2001 
From: Belen Valdivia Date: Wed, 10 Aug 2022 13:04:01 -0300 Subject: [PATCH 338/552] fix: rename comment --- .../end_to_end/test_brute_force/linux/test_brute_force_linux.py | 2 +- .../test_brute_force/windows/test_brute_force_windows.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/end_to_end/test_brute_force/linux/test_brute_force_linux.py b/tests/end_to_end/test_brute_force/linux/test_brute_force_linux.py index c7905dd879..e17168384d 100644 --- a/tests/end_to_end/test_brute_force/linux/test_brute_force_linux.py +++ b/tests/end_to_end/test_brute_force/linux/test_brute_force_linux.py @@ -25,7 +25,7 @@ @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) def test_brute_force(metadata, get_dashboard_credentials, generate_events, clean_alerts_index): """ - Test to detect a SSH/RDP Brute Force attack + Test to detect a SSH Brute Force attack """ rule_id = metadata['rule.id'] rule_level = metadata['rule.level'] diff --git a/tests/end_to_end/test_brute_force/windows/test_brute_force_windows.py b/tests/end_to_end/test_brute_force/windows/test_brute_force_windows.py index 3b315d1f9d..c6f395d63f 100644 --- a/tests/end_to_end/test_brute_force/windows/test_brute_force_windows.py +++ b/tests/end_to_end/test_brute_force/windows/test_brute_force_windows.py @@ -32,7 +32,7 @@ def test_brute_force(configure_environment, metadata, get_dashboard_credentials, rule_level = metadata['rule.level'] rule_description = metadata['rule.description'] rule_mitre_technique = metadata['extra']['mitre_technique'] - timestamp = fr'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+' + timestamp = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+' expected_alert_json = fr'\{{"timestamp":"({timestamp})","rule"\:{{"level"\:{rule_level},' \ fr'"description"\:"{rule_description}","id"\:"{rule_id}".*' From 9661382b1675ff524b581c2c013170f8f0a55dae Mon Sep 17 00:00:00 2001 
From: Belen Valdivia Date: Wed, 10 Aug 2022 13:44:43 -0300 Subject: [PATCH 339/552] add: separate tests linux and windows fim cases --- .../linux/data/playbooks/configuration.yaml | 28 +++++++++ .../data/playbooks/generate_events.yaml | 6 -- .../linux/data/playbooks/teardown.yaml | 21 +++++++ .../data/test_cases/cases_fim.yaml | 45 ------------- .../{test_fim.py => linux/test_fim_linux.py} | 2 +- .../data/playbooks/configuration.yaml | 24 ------- .../data/playbooks/generate_events.yaml | 34 ++++++++++ .../data/playbooks/teardown.yaml | 21 ------- .../windows/data/test_cases/cases_fim.yaml | 44 +++++++++++++ .../test_fim/windows/test_fim_windows.py | 63 +++++++++++++++++++ 10 files changed, 191 insertions(+), 97 deletions(-) create mode 100644 tests/end_to_end/test_fim/linux/data/playbooks/configuration.yaml rename tests/end_to_end/test_fim/{ => linux}/data/playbooks/generate_events.yaml (81%) create mode 100644 tests/end_to_end/test_fim/linux/data/playbooks/teardown.yaml rename tests/end_to_end/test_fim/{ => linux}/data/test_cases/cases_fim.yaml (50%) rename tests/end_to_end/test_fim/{test_fim.py => linux/test_fim_linux.py} (98%) rename tests/end_to_end/test_fim/{ => windows}/data/playbooks/configuration.yaml (62%) create mode 100644 tests/end_to_end/test_fim/windows/data/playbooks/generate_events.yaml rename tests/end_to_end/test_fim/{ => windows}/data/playbooks/teardown.yaml (58%) create mode 100644 tests/end_to_end/test_fim/windows/data/test_cases/cases_fim.yaml create mode 100644 tests/end_to_end/test_fim/windows/test_fim_windows.py diff --git a/tests/end_to_end/test_fim/linux/data/playbooks/configuration.yaml b/tests/end_to_end/test_fim/linux/data/playbooks/configuration.yaml new file mode 100644 index 0000000000..59b98055a7 --- /dev/null +++ b/tests/end_to_end/test_fim/linux/data/playbooks/configuration.yaml 
@@ -0,0 +1,28 @@ +--- +- name: Test case configuration + hosts: agents + tasks: + + - name: Create directory to monitor (Linux) + become: True + file: + path: /tmp/test_demo_fim + state: directory + when: ansible_facts['system'] == "Linux" + + - name: Add directory to syscheck configuration (Linux) + become: True + blockinfile: + path: /var/ossec/etc/ossec.conf + insertafter: + block: | + /tmp/test_demo_fim + marker: + when: ansible_facts['system'] == "Linux" + + - name: Restart Wazuh (Linux) + become: True + systemd: + name: wazuh-agent + state: restarted + when: ansible_facts['system'] == "Linux" diff --git a/tests/end_to_end/test_fim/data/playbooks/generate_events.yaml b/tests/end_to_end/test_fim/linux/data/playbooks/generate_events.yaml similarity index 81% rename from tests/end_to_end/test_fim/data/playbooks/generate_events.yaml rename to tests/end_to_end/test_fim/linux/data/playbooks/generate_events.yaml index 4ddc7c0196..ecb5668c41 100644 --- a/tests/end_to_end/test_fim/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_fim/linux/data/playbooks/generate_events.yaml @@ -20,12 +20,6 @@ mode: "{{ mode }}" when: os == "Linux" - - name: "{{ event_description }}" - win_file: - path: "{{ path }}" - state: "{{ state }}" - when: os == ansible_facts['os_family'] - - name: Get alerts hosts: wazuh-manager tasks: diff --git a/tests/end_to_end/test_fim/linux/data/playbooks/teardown.yaml b/tests/end_to_end/test_fim/linux/data/playbooks/teardown.yaml new file mode 100644 index 0000000000..69e7ecd2c5 --- /dev/null +++ b/tests/end_to_end/test_fim/linux/data/playbooks/teardown.yaml @@ -0,0 +1,21 @@ +--- +- name: Cleanup Linux agent environment + hosts: wazuh-agent + become: True + tasks: + + - name: Delete syscheck configuration + blockinfile: + path: /var/ossec/etc/ossec.conf + marker: + block: '' + + - name: Delete folder + file: + path: /tmp/test_demo_fim + state: absent + + - name: Restart wazuh-agent + systemd: + state: restarted + name: wazuh-agent 
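Review bot: Every task in the new Linux `configuration.yaml` keeps `when: ansible_facts['system'] == "Linux"` while targeting `hosts: agents`, but the `teardown.yaml` added in the same commit targets `hosts: wazuh-agent` with no condition; after the Linux/Windows split the per-task guards are redundant once the play targets the Linux agent group, and configuration and teardown should agree on the target (`hosts: wazuh-agent`). `become: True` repeated on each task can move to the play level as teardown does. The `insertafter:` and `marker:` values appear empty in this rendering, presumably stripped markup; the block placement and its later removal in teardown depend on them, so they should be confirmed present and identical in both files.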
diff --git a/tests/end_to_end/test_fim/data/test_cases/cases_fim.yaml b/tests/end_to_end/test_fim/linux/data/test_cases/cases_fim.yaml similarity index 50% rename from tests/end_to_end/test_fim/data/test_cases/cases_fim.yaml rename to tests/end_to_end/test_fim/linux/data/test_cases/cases_fim.yaml index aa44555b74..64de2cdb5f 100644 --- a/tests/end_to_end/test_fim/data/test_cases/cases_fim.yaml +++ b/tests/end_to_end/test_fim/linux/data/test_cases/cases_fim.yaml @@ -45,48 +45,3 @@ rule.description: File deleted\. extra: syscheck.path: \/tmp\/test_demo_fim\/monitored_file\.txt - -- name: create_file_windows - description: Create a file and check generated alerts - configuration_parameters: null - metadata: - extra_vars: - os: Windows - event_description: Create a file into the monitored folder - path: C:\Test\test_demo_fim\monitored_file.txt - state: touch - rule.id: 554 - rule.level: 5 - rule.description: File added to the system\. - extra: - syscheck.path: c:\\\\test\\\\test_demo_fim\\\\monitored_file.txt - -- name: modify_file_windows - description: Modify a file and check generated alerts - configuration_parameters: null - metadata: - extra_vars: - os: Windows - event_description: Modify a file from the monitored folder - path: C:\Test\test_demo_fim\monitored_file.txt - state: touch - rule.id: 550 - rule.level: 7 - rule.description: Integrity checksum changed\. - extra: - syscheck.path: c:\\\\test\\\\test_demo_fim\\\\monitored_file.txt - -- name: delete_file_windows - description: Delete a file and check generated alerts - configuration_parameters: null - metadata: - extra_vars: - os: Windows - event_description: Delete a file from the monitored folder - path: C:\Test\test_demo_fim\monitored_file.txt - state: absent - rule.id: 553 - rule.level: 7 - rule.description: File deleted\. - extra: - syscheck.path: c:\\\\test\\\\test_demo_fim\\\\monitored_file.txt 
diff --git a/tests/end_to_end/test_fim/test_fim.py b/tests/end_to_end/test_fim/linux/test_fim_linux.py similarity index 98% rename from tests/end_to_end/test_fim/test_fim.py rename to tests/end_to_end/test_fim/linux/test_fim_linux.py index d46bb6dd33..6bc4b08f27 100644 --- a/tests/end_to_end/test_fim/test_fim.py +++ b/tests/end_to_end/test_fim/linux/test_fim_linux.py @@ -22,7 +22,7 @@ @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) def test_fim(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): """ - Test to scanning a file using FIM + Test to scanning a file in Linux using FIM """ rule_id = metadata['rule.id'] rule_level = metadata['rule.level'] diff --git a/tests/end_to_end/test_fim/data/playbooks/configuration.yaml b/tests/end_to_end/test_fim/windows/data/playbooks/configuration.yaml similarity index 62% rename from tests/end_to_end/test_fim/data/playbooks/configuration.yaml rename to tests/end_to_end/test_fim/windows/data/playbooks/configuration.yaml index 8c3e8df1ed..152ecd3a31 100644 --- a/tests/end_to_end/test_fim/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_fim/windows/data/playbooks/configuration.yaml @@ -3,30 +3,6 @@ hosts: agents tasks: - - name: Create directory to monitor (Linux) - become: True - file: - path: /tmp/test_demo_fim - state: directory - when: ansible_facts['system'] == "Linux" - - - name: Add directory to syscheck configuration (Linux) - become: True - blockinfile: - path: /var/ossec/etc/ossec.conf - insertafter: - block: | - /tmp/test_demo_fim - marker: - when: ansible_facts['system'] == "Linux" - - - name: Restart Wazuh (Linux) - become: True - systemd: - name: wazuh-agent - state: restarted - when: ansible_facts['system'] == "Linux" - - name: Create directory to monitor (Windows) win_file: path: C:\Test\test_demo_fim 
diff --git a/tests/end_to_end/test_fim/windows/data/playbooks/generate_events.yaml b/tests/end_to_end/test_fim/windows/data/playbooks/generate_events.yaml new file mode 100644 index 0000000000..33aba8f51c --- /dev/null +++ b/tests/end_to_end/test_fim/windows/data/playbooks/generate_events.yaml @@ -0,0 +1,34 @@ +- name: Clean alerts file + hosts: wazuh-manager + tasks: + + - name: Truncate file + shell: echo "" > /var/ossec/logs/alerts/alerts.json + become: True + +- name: Generate events + hosts: agents + vars: + os: "{{ os }}" + tasks: + + - name: "{{ event_description }}" + win_file: + path: "{{ path }}" + state: "{{ state }}" + when: os == ansible_facts['os_family'] + +- name: Get alerts + hosts: wazuh-manager + tasks: + + - name: Wait for alert to be generated + wait_for: + timeout: 5 + + - name: Get alerts.json + fetch: + src: /var/ossec/logs/alerts/alerts.json + dest: /tmp/ + flat: true + become: true diff --git a/tests/end_to_end/test_fim/data/playbooks/teardown.yaml b/tests/end_to_end/test_fim/windows/data/playbooks/teardown.yaml similarity index 58% rename from tests/end_to_end/test_fim/data/playbooks/teardown.yaml rename to tests/end_to_end/test_fim/windows/data/playbooks/teardown.yaml index 584f20e9c3..71f1722e53 100644 --- a/tests/end_to_end/test_fim/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_fim/windows/data/playbooks/teardown.yaml @@ -1,25 +1,4 @@ --- -- name: Cleanup Linux agent environment - hosts: wazuh-agent - become: True - tasks: - - - name: Delete syscheck configuration - blockinfile: - path: /var/ossec/etc/ossec.conf - marker: - block: '' - - - name: Delete folder - file: - path: /tmp/test_demo_fim - state: absent - - - name: Restart wazuh-agent - systemd: - state: restarted - name: wazuh-agent - - name: Cleanup Windows agent environment hosts: wazuh-windows tasks: 
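Review bot: `vars: os: "{{ os }}"` in the "Generate events" play defines the variable in terms of itself; as far as I can tell it only works because the extra var of the same name takes precedence, and without that extra var Ansible reports a recursive template, so the `vars:` block should be dropped and `os` read directly from the extra vars. `become: True` on the truncate task and `become: true` on the fetch task mix spellings within one file; pick one. The truncate via `shell: echo "" > /var/ossec/logs/alerts/alerts.json` leaves a blank first line in the file; `copy: content: '' dest: /var/ossec/logs/alerts/alerts.json` does the same job without a shell.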
diff --git a/tests/end_to_end/test_fim/windows/data/test_cases/cases_fim.yaml b/tests/end_to_end/test_fim/windows/data/test_cases/cases_fim.yaml new file mode 100644 index 0000000000..1233e78df8 --- /dev/null +++ b/tests/end_to_end/test_fim/windows/data/test_cases/cases_fim.yaml @@ -0,0 +1,44 @@ +- name: create_file_windows + description: Create a file and check generated alerts + configuration_parameters: null + metadata: + extra_vars: + os: Windows + event_description: Create a file into the monitored folder + path: C:\Test\test_demo_fim\monitored_file.txt + state: touch + rule.id: 554 + rule.level: 5 + rule.description: File added to the system\. + extra: + syscheck.path: c:\\\\test\\\\test_demo_fim\\\\monitored_file.txt + +- name: modify_file_windows + description: Modify a file and check generated alerts + configuration_parameters: null + metadata: + extra_vars: + os: Windows + event_description: Modify a file from the monitored folder + path: C:\Test\test_demo_fim\monitored_file.txt + state: touch + rule.id: 550 + rule.level: 7 + rule.description: Integrity checksum changed\. + extra: + syscheck.path: c:\\\\test\\\\test_demo_fim\\\\monitored_file.txt + +- name: delete_file_windows + description: Delete a file and check generated alerts + configuration_parameters: null + metadata: + extra_vars: + os: Windows + event_description: Delete a file from the monitored folder + path: C:\Test\test_demo_fim\monitored_file.txt + state: absent + rule.id: 553 + rule.level: 7 + rule.description: File deleted\. + extra: + syscheck.path: c:\\\\test\\\\test_demo_fim\\\\monitored_file.txt diff --git a/tests/end_to_end/test_fim/windows/test_fim_windows.py b/tests/end_to_end/test_fim/windows/test_fim_windows.py new file mode 100644 index 0000000000..1d376b60e2 --- /dev/null +++ b/tests/end_to_end/test_fim/windows/test_fim_windows.py 
@@ -0,0 +1,63 @@ +import os +import json +import re +import pytest +from tempfile import gettempdir + +from wazuh_testing import end_to_end as e2e +from wazuh_testing import event_monitor as evm +from wazuh_testing.tools import configuration as config + +alerts_json = os.path.join(gettempdir(), 'alerts.json') +test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') +test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_fim.yaml') +configuration_playbooks = ['configuration.yaml'] +events_playbooks = ['generate_events.yaml'] +teardown_playbooks = ['teardown.yaml'] + +configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) + + +@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') +@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) +def test_fim(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): + """ + Test to scanning a file in Windows using FIM + """ + rule_id = metadata['rule.id'] + rule_level = metadata['rule.level'] + rule_description = metadata['rule.description'] + syscheck_path = metadata['extra']['syscheck.path'] + + expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule":{{"level":{rule_level},' \ + fr'"description":"{rule_description}","id":"{rule_id}".*"syscheck":{{"path":' \ + fr'"{syscheck_path}".*\}}' + + expected_indexed_alert = fr'.*"path": "{syscheck_path}".*"rule":.*"level": {rule_level},.*"description": ' \ + fr'"{rule_description}".*"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' + + # Check that alert has been raised and save timestamp + raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + error_message='The alert has not occurred').result() + raised_alert_timestamp = raised_alert.group(1) + + query = e2e.make_query([ + { + "term": { + "rule.id": f"{rule_id}" + } + }, + { + "term": { + 
"timestamp": f"{raised_alert_timestamp}" + } + } + ]) + + # Check if the alert has been indexed and get its data + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + indexed_alert = json.dumps(response.json()) + + # Check that the alert data is the expected one + alert_data = re.search(expected_indexed_alert, indexed_alert) + assert alert_data is not None, 'Alert triggered, but not indexed' From 533321a8074a025329a484d5814c65af1514851f Mon Sep 17 00:00:00 2001 
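Review bot: The timestamp sub-pattern `\.\d+\+\d+` in both `expected_alert_json` and `expected_indexed_alert` of `test_fim` only accepts a positive UTC offset, so on a manager whose clock reports a negative offset the first regex never matches and the test fails with "The alert has not occurred" rather than a clear message; the brute-force tests in this same series use a signed offset, so the two should agree on `[+-]\d+`. Matching `json.dumps(response.json())` with a greedy `.*` regex is fragile; since the query already narrows by `rule.id` and `timestamp`, parsing the response and comparing the fields directly would be clearer, though the response schema is not visible here to propose the exact accessors.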
From: Belen Valdivia Date: Wed, 10 Aug 2022 14:38:47 -0300 Subject: [PATCH 340/552] separate tests windows and linux in vulnerability detector module --- .../linux/data/playbooks/configuration.yaml | 67 ++++++++++++++++++ .../data/playbooks/generate_events.yaml | 6 +- .../linux/data/playbooks/teardown.yaml | 14 ++++ .../cases_vulnerability_detector.yaml | 11 +++ .../test_vulnerability_detector_linux.py} | 0 .../data/playbooks/configuration.yaml | 29 -------- .../data/playbooks/generate_events.yaml | 32 +++++++++ .../data/playbooks/teardown.yaml | 15 ---- .../cases_vulnerability_detector.yaml | 12 ---- .../test_vulnerability_detection_windows.py | 68 +++++++++++++++++++ 10 files changed, 193 insertions(+), 61 deletions(-) create mode 100644 tests/end_to_end/test_vulnerability_detector/linux/data/playbooks/configuration.yaml rename tests/end_to_end/test_vulnerability_detector/{ => linux}/data/playbooks/generate_events.yaml (81%) create mode 100644 tests/end_to_end/test_vulnerability_detector/linux/data/playbooks/teardown.yaml create mode 100644 tests/end_to_end/test_vulnerability_detector/linux/data/test_cases/cases_vulnerability_detector.yaml rename tests/end_to_end/test_vulnerability_detector/{test_vulnerability_detector.py => linux/test_vulnerability_detector_linux.py} (100%) rename tests/end_to_end/test_vulnerability_detector/{ => windows}/data/playbooks/configuration.yaml (77%) create mode 100644 tests/end_to_end/test_vulnerability_detector/windows/data/playbooks/generate_events.yaml rename tests/end_to_end/test_vulnerability_detector/{ => windows}/data/playbooks/teardown.yaml (65%) rename tests/end_to_end/test_vulnerability_detector/{ => windows}/data/test_cases/cases_vulnerability_detector.yaml (62%) create mode 100644 tests/end_to_end/test_vulnerability_detector/windows/test_vulnerability_detection_windows.py 
diff --git a/tests/end_to_end/test_vulnerability_detector/linux/data/playbooks/configuration.yaml b/tests/end_to_end/test_vulnerability_detector/linux/data/playbooks/configuration.yaml new file mode 100644 index 0000000000..48b1994095 --- /dev/null +++ b/tests/end_to_end/test_vulnerability_detector/linux/data/playbooks/configuration.yaml @@ -0,0 +1,67 @@ +- name: Test agent configuration + hosts: wazuh-agent1 + tasks: + + - name: Enable the agent module to collect installed packages (Ubuntu) + become: true + blockinfile: + path: /var/ossec/etc/ossec.conf + insertbefore: + block: | + + no + 10s + yes + yes + + marker: + + - name: Restart wazuh-agent (Ubuntu) + become: true + shell: systemctl restart wazuh-agent + +- name: Test manager configuration + hosts: wazuh-manager + tasks: + + - name: Truncate file ossec.log + shell: echo "" > /var/ossec/logs/ossec.log + become: true + + - name: Enabled vulnerability detector module + become: true + blockinfile: + path: /var/ossec/etc/ossec.conf + insertbefore: + block: | + + yes + 10s + 10s + yes + + + + yes + focal + 1h + + + + + yes + 2021 + 1h + + + marker: + + - name: Restart wazuh-manager + become: true + shell: systemctl restart wazuh-manager + + - name: Wait until the feeds were downloaded and the first scan was completed + become: true + wait_for: + path: /var/ossec/logs/ossec.log + search_regex: Vulnerability scan finished. diff --git a/tests/end_to_end/test_vulnerability_detector/data/playbooks/generate_events.yaml b/tests/end_to_end/test_vulnerability_detector/linux/data/playbooks/generate_events.yaml similarity index 81% rename from tests/end_to_end/test_vulnerability_detector/data/playbooks/generate_events.yaml rename to tests/end_to_end/test_vulnerability_detector/linux/data/playbooks/generate_events.yaml index b90248b960..cd7aeddbfa 100644 --- a/tests/end_to_end/test_vulnerability_detector/data/playbooks/generate_events.yaml 
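Review bot: The restarts in the new Linux `configuration.yaml` go through `shell: systemctl restart wazuh-agent` and `shell: systemctl restart wazuh-manager`, while the FIM playbooks in this series use the `systemd:` module (`systemd: name: wazuh-agent state: restarted`); the module form reports state properly and avoids a shell. `wait_for: ... search_regex: Vulnerability scan finished.` is a regex with an unescaped dot and relies on the module's default timeout; state the intended `timeout:` explicitly and escape the dot (`Vulnerability scan finished\.`). The truncate of `ossec.log` via `shell: echo "" > ...` has the same `copy: content: ''` alternative as the other playbooks. The XML configuration blocks appear stripped in this rendering, so their content could not be reviewed.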
+++ b/tests/end_to_end/test_vulnerability_detector/linux/data/playbooks/generate_events.yaml @@ -7,7 +7,7 @@ become: true - name: Generate events - hosts: agents + hosts: wazuh-agent1 vars: os: "{{ os }}" tasks: @@ -17,10 +17,6 @@ command: "{{ command }}" when: os == ansible_facts['distribution'] - - name: "{{ event_description }}" - ansible.windows.win_shell: "{{ command }}" - when: os == ansible_facts['os_family'] - - name: Wait alert hosts: wazuh-manager tasks: diff --git a/tests/end_to_end/test_vulnerability_detector/linux/data/playbooks/teardown.yaml b/tests/end_to_end/test_vulnerability_detector/linux/data/playbooks/teardown.yaml new file mode 100644 index 0000000000..33d0f220d8 --- /dev/null +++ b/tests/end_to_end/test_vulnerability_detector/linux/data/playbooks/teardown.yaml @@ -0,0 +1,14 @@ +- name: Cleanup environment + hosts: wazuh-agent1 + tasks: + + - name: Uninstall vim vulnerable package + become: true + command: apt-get remove vim -y + + - name: Delete agent configuration + become: true + blockinfile: + path: /var/ossec/etc/ossec.conf + block: '' + marker: diff --git a/tests/end_to_end/test_vulnerability_detector/linux/data/test_cases/cases_vulnerability_detector.yaml b/tests/end_to_end/test_vulnerability_detector/linux/data/test_cases/cases_vulnerability_detector.yaml new file mode 100644 index 0000000000..3c47b28c8b --- /dev/null +++ b/tests/end_to_end/test_vulnerability_detector/linux/data/test_cases/cases_vulnerability_detector.yaml @@ -0,0 +1,11 @@ +- name: detect_vulnerability_ubuntu + description: Detect vim vulnerability + configuration_parameters: null + metadata: + extra_vars: + os: Ubuntu + event_description: Install vulnerable vim package + command: apt install -y vim=2:8.1.2269-1ubuntu5.7 + rule.id: 23505 + rule.level: 10 + rule.description: CVE-2022-1621 affects vim 
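Review bot: This teardown reverts only the agent side (removes vim and the agent's `blockinfile` block), but the manager-side changes made by the linux `configuration.yaml` of the same commit — the vulnerability-detector block inserted into `/var/ossec/etc/ossec.conf` on `wazuh-manager` and its restart — are never undone, so the manager keeps the test's scan configuration after the test and later tests inherit it. Add a second play targeting `wazuh-manager` that removes that block with the same marker and restarts `wazuh-manager`; the windows `teardown.yaml` in this commit may already carry such a play (only its deleted lines are visible here), in which case the two files should share it. `command: apt-get remove vim -y` could also be `apt: name: vim state: absent`, which is idempotent and reports whether anything changed.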
diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector.py b/tests/end_to_end/test_vulnerability_detector/linux/test_vulnerability_detector_linux.py similarity index 100% rename from tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector.py rename to tests/end_to_end/test_vulnerability_detector/linux/test_vulnerability_detector_linux.py diff --git a/tests/end_to_end/test_vulnerability_detector/data/playbooks/configuration.yaml b/tests/end_to_end/test_vulnerability_detector/windows/data/playbooks/configuration.yaml similarity index 77% rename from tests/end_to_end/test_vulnerability_detector/data/playbooks/configuration.yaml rename to tests/end_to_end/test_vulnerability_detector/windows/data/playbooks/configuration.yaml index 8deb0ebb1a..754cdbfb17 100644 --- a/tests/end_to_end/test_vulnerability_detector/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_vulnerability_detector/windows/data/playbooks/configuration.yaml @@ -1,25 +1,3 @@ -- name: Test agent configuration - hosts: wazuh-agent - tasks: - - - name: Enable the agent module to collect installed packages (Ubuntu) - become: true - blockinfile: - path: /var/ossec/etc/ossec.conf - insertbefore: - block: | - - no - 10s - yes - yes - - marker: - - - name: Restart wazuh-agent (Ubuntu) - become: true - shell: systemctl restart wazuh-agent - - name: Test agent configuration hosts: wazuh-windows tasks: @@ -72,13 +50,6 @@ 10s yes - - - yes - focal - 1h - - yes diff --git a/tests/end_to_end/test_vulnerability_detector/windows/data/playbooks/generate_events.yaml b/tests/end_to_end/test_vulnerability_detector/windows/data/playbooks/generate_events.yaml new file mode 100644 index 0000000000..cf308ee624 --- /dev/null +++ b/tests/end_to_end/test_vulnerability_detector/windows/data/playbooks/generate_events.yaml 
@@ -0,0 +1,32 @@ +- name: Truncate files + hosts: wazuh-manager + tasks: + + - name: Truncate file alert.json + shell: echo "" > /var/ossec/logs/alerts/alerts.json + become: true + +- name: Generate events + hosts: wazuh-windows + vars: + os: "{{ os }}" + tasks: + + - name: "{{ event_description }}" + ansible.windows.win_shell: "{{ command }}" + when: os == ansible_facts['os_family'] + +- name: Wait alert + hosts: wazuh-manager + tasks: + + - name: Waiting for vulnerability scan, alert reporting and indexing + wait_for: + timeout: 60 + + - name: Get alerts.json + fetch: + src: /var/ossec/logs/alerts/alerts.json + dest: /tmp/ + flat: true + become: true diff --git a/tests/end_to_end/test_vulnerability_detector/data/playbooks/teardown.yaml b/tests/end_to_end/test_vulnerability_detector/windows/data/playbooks/teardown.yaml similarity index 65% rename from tests/end_to_end/test_vulnerability_detector/data/playbooks/teardown.yaml rename to tests/end_to_end/test_vulnerability_detector/windows/data/playbooks/teardown.yaml index ad9b6a8c35..f51902df42 100644 --- a/tests/end_to_end/test_vulnerability_detector/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_vulnerability_detector/windows/data/playbooks/teardown.yaml @@ -1,18 +1,3 @@ -- name: Cleanup environment - hosts: wazuh-agent - tasks: - - - name: Uninstall vim vulnerable package - become: true - command: apt-get remove vim -y - - - name: Delete agent configuration - become: true - blockinfile: - path: /var/ossec/etc/ossec.conf - block: '' - marker: - - name: Cleanup environment hosts: wazuh-windows tasks: 
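Review bot: `wait_for: timeout: 60` in the `Wait alert` play is a plain sleep rather than a wait on a condition, so the test is slow on fast runs and flaky on slow ones: if the scan and alert take longer, `alerts.json` is fetched before the alert is written and the Python test then fails with the misleading message that the alert has not occurred. The linux `configuration.yaml` in this same commit already shows the better pattern — `wait_for` with `path:` and a `search_regex:` for the expected text plus an explicit `timeout:` — and here the path would be `/var/ossec/logs/alerts/alerts.json`. Separately, `fetch` with `dest: /tmp/` and `flat: true` writes the manager's alert feed to a fixed name in a shared directory on the controller, so two concurrent runs overwrite each other; a per-run directory passed as an extra var avoids that, but note the new Python test reads the same fixed `gettempdir()/alerts.json` path, so both would need to change together. The `vars: os: "{{ os }}"` self-reference appears to be a no-op when `os` arrives as an extra var and could be dropped — confirm there is no other source for it.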
diff --git a/tests/end_to_end/test_vulnerability_detector/data/test_cases/cases_vulnerability_detector.yaml b/tests/end_to_end/test_vulnerability_detector/windows/data/test_cases/cases_vulnerability_detector.yaml similarity index 62% rename from tests/end_to_end/test_vulnerability_detector/data/test_cases/cases_vulnerability_detector.yaml rename to tests/end_to_end/test_vulnerability_detector/windows/data/test_cases/cases_vulnerability_detector.yaml index 7637d80797..d891e85bab 100644 --- a/tests/end_to_end/test_vulnerability_detector/data/test_cases/cases_vulnerability_detector.yaml +++ b/tests/end_to_end/test_vulnerability_detector/windows/data/test_cases/cases_vulnerability_detector.yaml @@ -1,15 +1,3 @@ -- name: detect_vulnerability_ubuntu - description: Detect vim vulnerability - configuration_parameters: null - metadata: - extra_vars: - os: Ubuntu - event_description: Install vulnerable vim package - command: apt install -y vim=2:8.1.2269-1ubuntu5.7 - rule.id: 23505 - rule.level: 10 - rule.description: CVE-2022-1621 affects vim - - name: detect_vulnerability_windows description: Detect Mozilla Firefox vulnerability configuration_parameters: null diff --git a/tests/end_to_end/test_vulnerability_detector/windows/test_vulnerability_detection_windows.py b/tests/end_to_end/test_vulnerability_detector/windows/test_vulnerability_detection_windows.py new file mode 100644 index 0000000000..d8a1c66ce3 --- /dev/null +++ b/tests/end_to_end/test_vulnerability_detector/windows/test_vulnerability_detection_windows.py 
@@ -0,0 +1,68 @@
+import os
+import json
+import re
+import pytest
+from tempfile import gettempdir
+
+from wazuh_testing.tools import configuration as config
+from wazuh_testing import end_to_end as e2e
+from wazuh_testing import event_monitor as evm
+
+# Test cases data
+alerts_json = os.path.join(gettempdir(), 'alerts.json')
+test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data')
+test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_vulnerability_detector.yaml')
+
+# Playbooks
+configuration_playbooks = ['configuration.yaml']
+events_playbooks = ['generate_events.yaml']
+teardown_playbooks = ['teardown.yaml']
+
+# Configuration
+configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path)
+
+
+@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning')
+@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids)
+def test_vulnerability_detector(configure_environment, metadata, get_dashboard_credentials, generate_events,
+ clean_alerts_index):
+ """
+ Test to detect a vulnerability
+ """
+ rule_level = metadata['rule.level']
+ rule_id = metadata['rule.id']
+ rule_description = metadata['rule.description']
+
+ expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)",' \
+ fr'"rule"\:{{"level"\:{rule_level},' \
+ fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}'
+
+ expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \
+ fr'.*"id": "{rule_id}".*' \
+ r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*'
+
+ # Check that alert has been raised and save timestamp
+ raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json,
+ error_message='The alert has not occurred').result()
+ raised_alert_timestamp = raised_alert.group(1)
+
+ query = e2e.make_query([
+ {
+ "term": {
+ "rule.id": f"{rule_id}"
+ }
+ },
+ {
+ "term": {
+ "timestamp": f"{raised_alert_timestamp}"
+ }
+ }
+ ])
+
+ # Check if the alert has been indexed and get its data
+ response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials)
+ indexed_alert = json.dumps(response.json())
+
+ # Check that the alert data is the expected one
+ alert_data = re.search(expected_indexed_alert, indexed_alert)
+ assert alert_data is not None, 'Alert triggered, but not indexed'
From 7be7469d3a60816f32f1188064bea62fc0dbfadc Mon Sep 17 00:00:00 2001
From: Belen Valdivia
Date: Wed, 10 Aug 2022 15:12:11 -0300
Subject: [PATCH 341/552] fix: host name
---
 .../linux/data/playbooks/configuration.yaml | 2 +-
 .../linux/data/playbooks/generate_events.yaml | 2 +-
 .../linux/data/playbooks/teardown.yaml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/tests/end_to_end/test_vulnerability_detector/linux/data/playbooks/configuration.yaml b/tests/end_to_end/test_vulnerability_detector/linux/data/playbooks/configuration.yaml
index 48b1994095..ed2ccc359e 100644
--- a/tests/end_to_end/test_vulnerability_detector/linux/data/playbooks/configuration.yaml
+++ b/tests/end_to_end/test_vulnerability_detector/linux/data/playbooks/configuration.yaml
@@ -1,5 +1,5 @@
 - name: Test agent configuration
- hosts: wazuh-agent1
+ hosts: wazuh-agent
 tasks:
 - name: Enable the agent module to collect installed packages (Ubuntu)
diff --git a/tests/end_to_end/test_vulnerability_detector/linux/data/playbooks/generate_events.yaml b/tests/end_to_end/test_vulnerability_detector/linux/data/playbooks/generate_events.yaml
index cd7aeddbfa..4a2c06d40d 100644
--- a/tests/end_to_end/test_vulnerability_detector/linux/data/playbooks/generate_events.yaml
+++ b/tests/end_to_end/test_vulnerability_detector/linux/data/playbooks/generate_events.yaml
@@ -7,7 +7,7 @@
 become: true
 - name: Generate events
- hosts: wazuh-agent1
+ hosts: agents
 vars:
 os: "{{ os }}"
 tasks:
diff --git a/tests/end_to_end/test_vulnerability_detector/linux/data/playbooks/teardown.yaml b/tests/end_to_end/test_vulnerability_detector/linux/data/playbooks/teardown.yaml
index 33d0f220d8..13cdcc0590 100644
--- a/tests/end_to_end/test_vulnerability_detector/linux/data/playbooks/teardown.yaml
+++ b/tests/end_to_end/test_vulnerability_detector/linux/data/playbooks/teardown.yaml
@@ -1,5 +1,5 @@
 - name: Cleanup environment
- hosts: wazuh-agent1
+ hosts: wazuh-agent
 tasks:
 - name: Uninstall vim vulnerable package
From 05475bcd0e434e483736ce0445ebd3ed969e8061 Mon Sep 17 00:00:00 2001
From: Mauro Malara
Date: Wed, 10 Aug 2022 15:32:55 -0300
Subject: [PATCH 342/552] fix: requested changes applied. #3126
---
 .../data/configuration/slack_api_script.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/tests/end_to_end/test_slack_integration/data/configuration/slack_api_script.py b/tests/end_to_end/test_slack_integration/data/configuration/slack_api_script.py
index 1c64a16768..a2a5911217 100644
--- a/tests/end_to_end/test_slack_integration/data/configuration/slack_api_script.py
+++ b/tests/end_to_end/test_slack_integration/data/configuration/slack_api_script.py
@@ -14,7 +14,7 @@ def get_parameters():
 parser.add_argument('--token', '-t', type=str, action='store', required=True)
 parser.add_argument('--channel', '-c', type=str, action='store', required=True)
- parser.add_argument('--messages_limit', '-m', type=int, action='store', required=True)
+ parser.add_argument('--messages-limit', '-m', type=int, action='store', required=True)
 parser.add_argument('--path', '-p', type=str, action='store', required=True)
 arguments = parser.parse_args()
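Review bot: The rename to `--messages-limit` stays compatible with `parameters.messages_limit` in `main()` (next hunk) because argparse maps a dashed long option to an underscored attribute name, so nothing else needs to follow this change. While in this parser: `--token` (context line above the renamed option) takes the Slack bearer token as a command-line argument, which leaves it visible in process listings and shell history on the test host; consider reading it from an environment variable of your choosing and only falling back to the flag, with the presence check done after `parse_args()` so that `required=True` can be dropped for that option. `get_parameters()` continues outside the hunk, so where the parser is created and returned is not visible here.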
@@ -23,17 +23,21 @@ def get_parameters():
 def main():
+ # Obtain user-specified parameters from the command line
 parameters = get_parameters()
 headers = {'Authorization': f"Bearer {parameters.token}", 'content-type': 'application/json', 'charset': 'utf8'}
 url = 'https://slack.com/api/conversations.history'
 payload = {'channel': parameters.channel, 'limit': parameters.messages_limit}
+ # Get the last N messages from a Slack channel
 response = requests.get(url, params=payload, headers=headers)
+ # Check if the response is as expected
 if response.status_code != HTTPStatus.OK or "'ok': False" in response.text:
 raise Exception(f"There was an error while trying to get the messages from channel: {response.text}")
+ # Write the messages obtained from Slack to a flat file
 with open(parameters.path, 'w') as messages_log:
 messages_log.write(response.text)
From ebca3e813e171819b6aebe576594e9fc78cc5457 Mon Sep 17 00:00:00 2001
From: Julia
Date: Thu, 11 Aug 2022 12:05:01 +0200
Subject: [PATCH 343/552] fix: Upload external files to S3
---
 .../data/configuration/sysconfig.xml | 1284 -----------------
 .../data/configuration/trigger-emotet.exe | Bin 36352 -> 0 bytes
 .../data/playbooks/configuration.yaml | 26 +-
 tests/end_to_end/test_emotet/test_emotet.py | 3 -
 4 files changed, 15 insertions(+), 1298 deletions(-)
 delete mode 100644 tests/end_to_end/test_emotet/data/configuration/sysconfig.xml
 delete mode 100644 tests/end_to_end/test_emotet/data/configuration/trigger-emotet.exe
diff --git a/tests/end_to_end/test_emotet/data/configuration/sysconfig.xml b/tests/end_to_end/test_emotet/data/configuration/sysconfig.xml
deleted file mode 100644
index 2237e640e8..0000000000
--- a/tests/end_to_end/test_emotet/data/configuration/sysconfig.xml
+++ /dev/null
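Review bot: The new comment `# Check if the response is as expected` documents a check that cannot fire: `"'ok': False" in response.text` looks for a Python-literal rendering, but the Slack Web API body is JSON (`"ok":false`), so an API-level error returned with HTTP 200 passes straight through and the error body is written to `parameters.path` as if it were messages. Replace it with `if response.status_code != HTTPStatus.OK or not response.json().get('ok', False):` (hedged: confirm the endpoint always answers with JSON, otherwise guard the `.json()` call). `open(parameters.path, 'w')` should also pass `encoding='utf-8'`, since message text is Unicode and the platform default encoding is not guaranteed to cover it; `main()` ends inside this hunk.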
@@ -1,1284 +0,0 @@ - - -* - - - - - -sethc.exe -utilman.exe -osk.exe -Magnify.exe -DisplaySwitch.exe -Narrator.exe -AtBroker.exe -sdbinst.exe -bitsadmin.exe - -eventvwr.exe -c:\windows\system32\mmc.exe - -fodhelper.exe -ˆ - -fltMC.exe -unload;detach - - -fltMC.exe -misc::mflt - - -InstallUtil.exe -/logfile=;/LogToConsole=false;/U - -whoami.exe -ipconfig.exe -tasklist.exe -systeminfo.exe;sysinfo.exe -netstat.exe -qprocess.exe -nslookup.exe -net.exe;net1.exe -quser.exe -query.exe -tracert.exe -tree.com -route.exe -runas.exe -reg.exe -taskkill.exe -netsh.exe -klist.exe -wevtutil.exe -taskeng.exe -regsvr32.exe -wmiprvse.exe -wmiprvse.exe -hh.exe -cmd.exe -cmd.exe -powershell.exe -powershell.exe -powershell_ise.exe -bash.exe -odbcconf.exe -pcalua.exe -cscript.exe -wscript.exe -pcalua.exe -cscript.exe -wscript.exe -mshta.exe -control.exe -mshta.exe -attrib.exe -cmdkey.exe -nbtstat.exe;nbtinfo.exe -qwinsta.exe -rwinsta.exe -schtasks.exe;sctasks.exe -replace.exe -jjs.exe -appcmd.exe -sc.exe -certutil.exe -findstr.exe -where.exe -forfiles.exe -icacls.exe;cacls.exe -xcopy.exe -robocopy.exe -takeown.exe -makecab.exe -wusa.exe -vassadmin.exe -nltest.exe;nltestk.exe -winrs.exe -computerdefaults.exe -dism.exe -fodhelper.exe -mofcomp.exe -C:\WINDOWS\system32\wbem\scrcons.exe -ScrCons - -esentutl.exe -/y;/vss/d - - -Mavinject.exe;mavinject64.exe -/INJECTRUNNING - - -nltestrk.exe -"C:\WINDOWS\system32\nltest.exe" /domain_trusts - - -CMSTP.exe -/ni;/s - -MSBuild.exe -excel.exe -winword.exe -powerpnt.exe -outlook.exe -msaccess.exe -mspub.exe -regsvcs.exe;regasm.exe -SyncAppvPublishingServer.exe -PsList.exe -PsService.exe -PsExec.exe -PsExec.c -PsGetSID.exe -PsKill.exe -PKill.exe -ProcDump -PsLoggedOn.exe -PsFile.exe -ShellRunas -PipeList.exe -AccessChk.exe -AccessEnum.exe -LogonSessions.exe -PsLogList.exe -PsInfo.exe -LoadOrd -PsPasswd.exe -ru.exe -Regsize -ProcDump --ma lsass.exe -C:\PerfLogs\ -C:\$Recycle.bin\ -C:\Intel\Logs\ -C:\Users\Default\ -C:\Users\Public\ 
-C:\Users\NetworkService\ -C:\Windows\Fonts\ -C:\Windows\Debug\ -C:\Windows\Media\ -C:\Windows\Help\ -C:\Windows\addins\ -C:\Windows\repair\ -C:\Windows\security\ -C:\Windows\system32\config\systemprofile\ -VolumeShadowCopy -\htdocs\ -\wwwroot\ -\Temp\ -\Appdata\Local\ - -control;/name -rundll32.exe;shell32.dll;Control_RunDLL - - -MpCmdRun.exe -Add-MpPreference;RemoveDefinitions;DisableIOAVProtection - -wsmprovhost.exe -winrm.cmd - - - - - -C:\Temp -C:\Windows\Temp -C:\Tmp -C:\Users - - - - - -vnc.exe -vncviewer.exe -vncservice.exe -winexesvc.exe -bitsadmin.exe -omniinet.exe -hpsmhd.exe -ipconfig.exe -tasklist.exe -netstat.exe -qprocess.exe -nslookup.exe -net.exe -quser.exe -query.exe -runas.exe -reg.exe -netsh.exe -klist.exe -wevtutil.exe -taskeng.exe -regsvr32.exe -hh.exe -cmd.exe -powershell.exe -bash.exe -pcalua.exe -cscript.exe -wscript.exe -mshta.exe -nbtstat.exe -net1.exe -nslookup.exe -qwinsta.exe -rwinsta.exe -schtasks.exe -taskkill.exe -sc.exe -nltest.exe -winrs.exe -Mavinject.exe -at.exe -certutil.exe -cmd.exe -cscript.exe -java.exe -mshta.exe -msiexec.exe -net.exe -notepad.exe -powershell.exe -reg.exe -regsvr32.exe -rundll32.exe -sc.exe -wmic.exe -wscript.exe -driverquery.exe -dsquery.exe -hh.exe -infDefaultInstall.exe -javaw.exe -javaws.exe -mmc.exe -msbuild.exe -nbtstat.exe -net1.exe -nslookup.exe -qprocess.exe -qwinsta.exe -regsvcs.exe -rwinsta.exe -schtasks.exe -taskkill.exe -tasklist.exe -replace.exe -1080 -3128 -8080 -22 -23 -25 -3389 -5800 -5900 -psexec.exe -psexesvc.exe -C:\Users -C:\ProgramData -C:\Windows\Temp -C:\Temp -C:\PerfLogs\ -C:\$Recycle.bin\ -C:\Intel\Logs\ -C:\Users\Default\ -C:\Users\Public\ -C:\Users\NetworkService\ -C:\Windows\Fonts\ -C:\Windows\Debug\ -C:\Windows\Media\ -C:\Windows\Help\ -C:\Windows\addins\ -C:\Windows\repair\ -C:\Windows\security\ -C:\Windows\system32\config\systemprofile\ -\htdocs\ -\wwwroot\ -SyncAppvPublishingServer.exe -tor.exe -1723 -4500 -9001 -9030 -5986 -449 -447 -8082 -svchost.exe - - - - - -C:\Users 
-C:\Temp -C:\Windows\Temp - - - - - - - - - - -C:\Windows\System32\samlib.dll -C:\Windows\System32\WinSCard.dll -C:\Windows\System32\cryptdll.dll -C:\Windows\System32\hid.dll -C:\Windows\System32\vaultcli.dll -C:\Windows\System32\wlanapi.dll - -.wll -.xll -system.management.automation.ni.dll -system.management.automation.dll -taskschd.dll -scrobj.dll -admin$;c$;\\;\appdata\;\temp\ -c:\programdata\ -C:\Windows\Media\ -C:\Windows\addins\ -C:\Windows\system32\config\systemprofile\ -C:\Windows\Debug\ -C:\Windows\Temp -C:\PerfLogs\ -C:\Windows\Help\ -C:\Intel\Logs\ -C:\Temp -C:\Windows\repair\ -C:\Windows\security\ -C:\Windows\Fonts\ -file: -$Recycle.bin\ -\Windows\IME\ -wmiutils.dll - - - - - -LoadLibrary -C:\Windows\System32\rundll32.exe -C:\Windows\System32\svchost.exe -C:\Windows\System32\sysmon.exe - -0x001A0000 -c:\windows\system32\lsass.exe - -0x00590000 - - - - - - - - - -dbghelp.dll -dbgore.dll - -C:\Windows\system32\csrss.exe -0x1F1FFF - - -C:\Windows\system32\wininit.exe -0x1F1FFF - - -C:\Windows\system32\winlogon.exe -0x1F1FFF - - -C:\Windows\system32\services.exe -0x1F1FFF - -0x21410 - -C:\Windows\system32\lsass.exe -0x1FFFFF - - -C:\Windows\system32\lsass.exe -0x1F1FFF - - -C:\Windows\system32\lsass.exe -0x1010 - - -C:\Windows\system32\lsass.exe -0x143A - -0x0800 -0x0810 -0x0820 -0x800 -0x810 -0x820 -C:\PerfLogs\ -C:\$Recycle.bin\ -C:\Intel\Logs\ -C:\Users\Default\ -C:\Users\Public\ -C:\Users\NetworkService\ -C:\Windows\Fonts\ -C:\Windows\Debug\ -C:\Windows\Media\ -C:\Windows\Help\ -C:\Windows\addins\ -C:\Windows\repair\ -C:\Windows\security\ -C:\Windows\system32\config\systemprofile\ -VolumeShadowCopy -\htdocs\ -\wwwroot\ -\Temp\ - -System.Management.Automation.ni.dll -C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - - - - - - -C:\Windows\AppPatch\Custom -.bat -.cmd -.chm -C:\Users\Default -AppData\Local\Microsoft\CLR_v2.0\UsageLogs\ -\UsageLogs\cscript.exe.log -\UsageLogs\wscript.exe.log -\UsageLogs\wmic.exe.log -\UsageLogs\mshta.exe.log 
-\UsageLogs\svchost.exe.log -\UsageLogs\regsvr32.exe.log -\UsageLogs\rundll32.exe.log -\Downloads\ -C:\Windows\System32\Drivers -C:\Windows\SysWOW64\Drivers -.exe -C:\Windows\System32\GroupPolicy\Machine\Scripts -C:\Windows\System32\GroupPolicy\User\Scripts -.hta -.iso -.img -.lnk -.scf -.application -.appref-ms -.*proj -.sln -.settingcontent-ms -.docm -.pptm -.xlsm -.xlm -.dotm -.xltm -.potm -.ppsm -.sldm -.xlam -.xla -.iqy -.slk -\Content.Outlook\ -.rft -.jsp -.jspx -.asp -.aspx -.php -.war -.ace -C:\Windows\System32\WindowsPowerShell -C:\Windows\SysWOW64\WindowsPowerShell -.ps1 -.ps2 -.py -.pyc -.pyw -rundll32.exe -C:\Windows\System32\Tasks -C:\Windows\Tasks\ -\Start Menu -\Startup -.sys -.url -.vb -.vbe -.vbs -C:\Windows\System32\Wbem -C:\Windows\SysWOW64\Wbem -C:\WINDOWS\system32\wbem\scrcons.exe -C:\Windows\Temp\ -C:\Temp\ -C:\PerfLogs\ -C:\Users\Public\ -\AppData\Temp\ - - - - - -HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options -HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB -HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom -HKLM\SYSTEM\CurrentControlSet\Control\Lsa -\CurrentVersion\Run -\Group Policy\Scripts -\Windows\System\Scripts -\Policies\Explorer\Run -\ServiceDll -\ImagePath -\Start -HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify -HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit -HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell -HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 -HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute -\Explorer\FileExts -\shell\install\command -\shell\open\command -\shell\open\ddeexec -Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup -\mscfile\shell\open\command -ms-settings\shell\open\command -Classes\exefile\shell\runas\command\isolatedCommand -Software\Classes\CLSID -\services\Netlogon\Parameters\DisablePasswordChange 
-HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls -HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls -REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DNS\Parameters\ServerLevelPluginDll -HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions -HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options -HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options -\Internet Explorer\Toolbar -\Internet Explorer\Extensions -\Browser Helper Objects -HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors -SOFTWARE\Microsoft\Netsh -\UrlUpdateInfo -\Microsoft\Office\Outlook\Addins -\Software\Microsoft\VSTO\Security\Inclusion -\Software\Microsoft\VSTO\SolutionMetadata -HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe -HKLM\SOFTWARE\Microsoft\Cryptography\OID -HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID -HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust -HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust -\PsExec\EulaAccepted -\PsFile\EulaAccepted -\PsGetSID\EulaAccepted -\PsInfo\EulaAccepted -\PsKill\EulaAccepted -\PsList\EulaAccepted -\PsLoggedOn\EulaAccepted -\PsLogList\EulaAccepted -\PsPasswd\EulaAccepted -\PsService\EulaAccepted -\PsShutDown\EulaAccepted -\PsSuspend\EulaAccepted -SYSTEM\CurrentControlSet\services\SysmonDrv -SYSTEM\CurrentControlSet\services\Sysmon -HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram -HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders -HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths -HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls -\InprocServer32\(Default) -HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider -HKLM\SYSTEM\CurrentControlSet\Control\Lsa 
-HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders -\Control\SecurityProviders\WDigest -HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify -HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware -HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirus -HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring -HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection -HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable -HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpyNetReporting -HKLM\SOFTWARE\Policies\Microsoft\Windows Defender -HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List -HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify -HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride -HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options -HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT -HKLM\SYSTEM\CurrentControlSet\Control\Safeboot -HKLM\SYSTEM\CurrentControlSet\Control\Winlogon -\FriendlyName -HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default) - -HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -C:\Windows\System32\svchost.exe - -HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order -HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles -HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates -\Microsoft\SystemCertificates\Root\Certificates -HKLM\SOFTWARE\Microsoft\Security Center\AllAlertsDisabled -HKLM\SOFTWARE\Microsoft\Security Center\DisableMonitoring -\Classes\AllFilesystemObjects -\Classes\Directory -\Classes\Drive -\Classes\Folder -\ContextMenuHandlers -\CurrentVersion\Shell -HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks 
-HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjectDelayLoad -{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} -HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA -HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy -HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify -HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify -HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Setup\ServiceStartup -HKLM\SYSTEM\CurrentControlSet\Services\WinSock -\ProxyServer -SYSTEM\CurrentControlSet\Control\CrashControl - - - - - -Temp\7z -.bat -.cmd -Temp\debug.bin -Downloads -.exe -.hta -.lnk -Content.Outlook -.ps1 -.ps2 -.reg -.vb -.vbe -.vbs - - - - - -Program Files (x86)\Citrix\ICA Client\SelfServicePlugin\SelfService.exe -Program Files (x86)\Citrix\ICA Client\Receiver\Receiver.exe -Program Files (x86)\Citrix\ICA Client\wfcrun32.exe -Program Files (x86)\Citrix\ICA Client\concentr.exe -\Vivisimo Velocity -\SQLLocal\MSSQLSERVER -\SQLLocal\INSTANCE01 -\SQLLocal\SQLEXPRESS -\SQLLocal\COMMVAULT -\SQLLocal\RTCLOCAL -\SQLLocal\RTC -\SQLLocal\TMSM -Program Files (x86)\Microsoft SQL Server\110\DTS\binn\dtexec.exe -PostgreSQL\9.6\bin\postgres.exe -\pgsignal_ -Program Files\Qlik\Sense\Engine\Engine.exe -Program Files\SplunkUniversalForwarder\bin\splunkd.exe -Program Files\SplunkUniversalForwarder\bin\splunk.exe -Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe -Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\CMAgent\OfcCMAgent.exe -Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\web\service\ofcservice.exe -Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Web\Service\DbServer.exe -Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\web\service\verconn.exe -Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\WEB_OSCE\WEB\CGI\cgiOnClose.exe -Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\WEB_OSCE\WEB\CGI\cgiRqHotFix.exe -Program Files (x86)\Trend 
Micro\OfficeScan\PCCSRV\LWCS\LWCSService.exe -Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\WSS\iCRCService.exe -Program Files\Trend\SPROTECT\x64\tsc.exe -Program Files\Trend\SPROTECT\x64\tsc64.exe -Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\web\service\osceintegrationservice.exe -Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\web\service\OfcLogReceiverSvc.exe -\Trend Micro OSCE Command Handler Manager -\Trend Micro OSCE Command Handler2 Manager -\Trend Micro Endpoint Encryption ToolBox Command Handler Manager -\OfcServerNamePipe -\ntapvsrq -\srvsvc -\wkssvc -\lsass -\winreg -\spoolss -Anonymous Pipe -c:\windows\system32\inetsrv\w3wp.exe - - - - - -Created - - - - -.1rx.io -.2mdn.net -.adadvisor.net -.adap.tv -.addthis.com -.adform.net -.adnxs.com -.adroll.com -.adrta.com -.adsafeprotected.com -.adsrvr.org -.advertising.com -.amazon-adsystem.com -.amazon-adsystem.com -.analytics.yahoo.com -.aol.com -.betrad.com -.bidswitch.net -.casalemedia.com -.chartbeat.net -.cnn.com -.convertro.com -.criteo.com -.criteo.net -.crwdcntrl.net -.demdex.net -.domdex.com -.dotomi.com -.doubleclick.net -.doubleverify.com -.emxdgt.com -.exelator.com -.google-analytics.com -.googleadservices.com -.googlesyndication.com -.googletagmanager.com -.googlevideo.com -.gstatic.com -.gvt1.com -.gvt2.com -.ib-ibi.com -.jivox.com -.mathtag.com -.moatads.com -.moatpixel.com -.mookie1.com -.myvisualiq.net -.netmng.com -.nexac.com -.openx.net -.optimizely.com -.outbrain.com -.pardot.com -.phx.gbl -.pinterest.com -.pubmatic.com -.quantcount.com -.quantserve.com -.revsci.net -.rfihub.net -.rlcdn.com -.rubiconproject.com -.scdn.co -.scorecardresearch.com -.serving-sys.com -.sharethrough.com -.simpli.fi -.sitescout.com -.smartadserver.com -.snapads.com -.spotxchange.com -.taboola.com -.taboola.map.fastly.net -.tapad.com -.tidaltv.com -.trafficmanager.net -.tremorhub.com -.tribalfusion.com -.turn.com -.twimg.com -.tynt.com -.w55c.net -.ytimg.com -.zorosrv.com -1rx.io -adservice.google.com 
-ampcid.google.com -clientservices.googleapis.com -googleadapis.l.google.com -imasdk.googleapis.com -l.google.com -ml314.com -mtalk.google.com -update.googleapis.com -www.googletagservices.com -.mozaws.net -.mozilla.com -.mozilla.net -.mozilla.org -clients1.google.com -clients2.google.com -clients3.google.com -clients4.google.com -clients5.google.com -clients6.google.com -safebrowsing.googleapis.com -.akadns.net -.netflix.com -aspnetcdn.com -ajax.googleapis.com -cdnjs.cloudflare.com -fonts.googleapis.com -.typekit.net -cdnjs.cloudflare.com -.stackassets.com -.steamcontent.com -.arpa. -.arpa -.msftncsi.com -.localmachine -localhost - -C:\ProgramData\LogiShrd\LogiOptions\Software\Current\updater.exe -.logitech.com - -C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe --pushp.svc.ms -.b-msedge.net -.bing.com -.hotmail.com -.live.com -.live.net -.s-microsoft.com -.microsoft.com -.microsoftonline.com -.microsoftstore.com -.ms-acdc.office.com -.msedge.net -.msn.com -.msocdn.com -.skype.com -.skype.net -.windows.com -.windows.net.nsatc.net -.windowsupdate.com -.xboxlive.com -login.windows.net -.activedirectory.windowsazure.com -.aria.microsoft.com -.msauth.net -.msftauth.net -.opinsights.azure.com -management.azure.com -outlook.office365.com -portal.azure.com -substrate.office.com -osi.office.net -.digicert.com -.globalsign.com -.globalsign.net -msocsp.com -ocsp.msocsp.com -pki.goog -ocsp.godaddy.com -amazontrust.com -ocsp.sectigo.com -pki-goog.l.google.com -.usertrust.com -ocsp.comodoca.com -ocsp.verisign.com -ocsp.entrust.net -ocsp.identrust.com -status.rapidssl.com -status.thawte.com -ocsp.int-x3.letsencrypt.org -subca.ocsp-certum.com -cscasha2.ocsp-certum.com -.spotify.com -.spotify.map.fastly.net - - - - -C:\Program Files (x86)\Dell\CommandUpdate\InvColPC.exe -C:\Windows\system32\igfxCUIService.exe -C:\Program Files (x86)\Ivanti\Workspace Control\pfwsmgr.exe -C:\Program Files (x86)\RES Software\Workspace Manager\pfwsmgr.exe -C:\Program 
Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe -C:\Windows\System32\smss.exe -C:\Windows\system32\CompatTelRunner.exe -C:\Windows\system32\wbem\WMIADAP.EXE -C:\Windows\System32\DriverStore\Temp\ -C:\Windows\System32\wbem\Performance\ -WRITABLE.TST -\AppData\Roaming\Microsoft\Windows\Recent\ -C:\$WINDOWS.~BT\Sources\SafeOS\SafeOS.Mount\ -C:\WINDOWS\winsxs\amd64_microsoft-windows -c:\Program Files\Microsoft Security Client\MsMpEng.exe -c:\windows\system32\provtool.exe -C:\WINDOWS\CCM\CcmExec.exe -C:\Windows\CCM -C:\Windows\System32\Tasks\Microsoft\Windows\PLA\FabricTraces -C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask -C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleUsageCollector -C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerCeipAssistant -C:\WINDOWS\system32\svchost.exe - - - - -C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\aciseposture.exe -C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe -Toolbar\WebBrowser -Toolbar\WebBrowser\ITBar7Height -Toolbar\ShellBrowser\ITBar7Layout -Internet Explorer\Toolbar\Locked -ShellBrowser -C:\Program Files (x86)\Ivanti\Workspace Control\pfwsmgr.exe -C:\Program Files\RES Software\Workspace Manager\pfwsmgr.exe -C:\Program Files\McAfee\Endpoint Encryption Agent\MfeEpeHost.exe -C:\Program Files\McAfee\Endpoint Security\Adaptive Threat Protection\mfeatp.exe -C:\Program Files\McAfee\Endpoint Security\Endpoint Security Platform\mfeesp.exe -C:\Program Files\Common Files\McAfee\Engine\AMCoreUpdater\amupdate.exe -C:\Program Files\McAfee\Agent\masvc.exe -C:\Program Files\McAfee\Agent\x86\mfemactl.exe -C:\Program Files\McAfee\Agent\x86\McScript_InUse.exe -C:\Program Files\McAfee\Agent\x86\macompatsvc.exe -C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfeensppl.exe -C:\Program Files\Common 
Files\McAfee\Engine\scanners -C:\Program Files\Common Files\McAfee\AVSolution\mcshield.exe -C:\Program Files (x86)\Webroot\WRSA.exe -C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe -HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit -HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\AuditPolicy -HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System -HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache -HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains -HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -\OpenWithProgids -\OpenWithList -\UserChoice -\UserChoice\ProgId -\UserChoice\Hash -\OpenWithList\MRUList -} 0xFFFF -Office\root\integration\integrator.exe -C:\WINDOWS\system32\backgroundTaskHost.exe -C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe -C:\Program Files\Windows Defender\MsMpEng.exe -C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe -C:\Program Files\Microsoft Application Virtualization\Client\AppVClient.exe -\CurrentVersion\Run -\CurrentVersion\RunOnce -\CurrentVersion\App Paths -\CurrentVersion\Image File Execution Options -\CurrentVersion\Shell Extensions\Cached -\CurrentVersion\Shell Extensions\Approved -}\PreviousPolicyAreas -\Control\WMI\Autologger\ -HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc\Start -\Lsa\OfflineJoin\CurrentValue -\Components\TrustedInstaller\Events -\Components\TrustedInstaller -\Components\Wlansvc -\Components\Wlansvc\Events -HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\ -\Directory\shellex -\Directory\shellex\DragDropHandlers -\Drive\shellex -\Drive\shellex\DragDropHandlers -_Classes\AppX -HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\ -HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates -C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe -C:\$WINDOWS.~BT\ -\services\clr_optimization_v2.0.50727_32\Start 
-\services\clr_optimization_v2.0.50727_64\Start -\services\clr_optimization_v4.0.30319_32\Start -\services\clr_optimization_v4.0.30319_64\Start -\services\DeviceAssociationService\Start -\services\BITS\Start -\services\TrustedInstaller\Start -\services\tunnel\Start -\services\UsoSvc\Start - - - - - -AcroRd32.exe -/CR;channel= - - -C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe -C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe -C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe -C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\LogTransport2.exe - -C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe -C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe -C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\CCXProcess.exe -C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe -C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe -C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe -C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe -C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe -C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AdobeGCClient.exe -C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P6\adobe_licutil.exe -C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe -C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\P7\adobe_licutil.exe -C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe -C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe -C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe -C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe -C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe 
-C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe -C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe -C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe -C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe -C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe -C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe -C:\Program Files\NVIDIA Corporation\ -C:\Program Files\Realtek\ -C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe -C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe -C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe -C:\Program Files\ESET\ESET Nod32 Antivirus\ekrn.exe -"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type= -"C:\Program Files\Google\Chrome\Application\chrome.exe" --type= -C:\Program Files (x86)\Google\Update\ -C:\Program Files (x86)\Google\Update\ -C:\Program Files (x86)\RES Software\Workspace Manager\pfwsmgr.exe -C:\Program Files (x86)\RES Software\Workspace Manager\respesvc64.exe -C:\Program Files (x86)\Ivanti\Workspace Control\pfwsmgr.exe -C:\Program Files (x86)\RES Software\Workspace Manager\ResPesvc64.exe -C:\Program Files\RES Software\Workspace Manager\respesvc.exe -C:\Program Files\Ivanti\Workspace Control\ResPesvc.exe -C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe -C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe -C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe -C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe -C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe -C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe -C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE -C:\Program Files\Common Files\Microsoft 
Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE -"C:\Program Files\Mozilla Firefox\plugin-container.exe" --channel -"C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe" --channel -C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe -C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe -C:\Program Files (x86)\Sophos\Sophos System Protection\ssp.exe -C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe -C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe -C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe -C:\Program Files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe -C:\Program Files\SplunkUniversalForwarder\bin\ -C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe -C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe -D:\Program Files\SplunkUniversalForwarder\bin\ -D:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe -D:\Program Files\SplunkUniversalForwarder\bin\splunk.exe -C:\Program Files\Splunk\bin\ -C:\Program Files\Splunk\bin\splunkd.exe -D:\Program Files\Splunk\bin\ -D:\Program Files\Splunk\bin\splunkd.exe -C:\Windows\system32\svchost.exe -k appmodel -s StateRepository -C:\Windows\system32\svchost.exe -k appmodel -C:\WINDOWS\system32\svchost.exe -k appmodel -p -s tiledatamodelsvc -C:\Windows\system32\svchost.exe -k camera -s FrameServer -C:\Windows\system32\svchost.exe -k dcomlaunch -s LSM -C:\Windows\system32\svchost.exe -k dcomlaunch -s PlugPlay -C:\Windows\system32\svchost.exe -k defragsvc -C:\Windows\system32\svchost.exe -k devicesflow -s DevicesFlowUserSvc -C:\Windows\system32\svchost.exe -k imgsvc -C:\Windows\system32\svchost.exe -k localService -s EventSystem -C:\Windows\system32\svchost.exe -k localService -s bthserv -C:\Windows\system32\svchost.exe -k localService -s nsi -C:\Windows\system32\svchost.exe -k localService -s w32Time -C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation 
-C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s Dhcp -C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s EventLog -C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s TimeBrokerSvc -C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s WFDSConMgrSvc -C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -s SensrSvc -C:\Windows\system32\svchost.exe -k localServiceNoNetwork -C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s WPDBusEnum -C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s fhsvc -C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s DeviceAssociationService -C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s NcbService -C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s SensorService -C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s TabletInputService -C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s UmRdpService -C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WPDBusEnum -C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WdiSystemHost -C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost -C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s wlidsvc -C:\Windows\system32\svchost.exe -k netsvcs -p -s ncaSvc -C:\Windows\system32\svchost.exe -k netsvcs -s BDESVC -C:\Windows\system32\svchost.exe -k netsvcs -s BITS -C:\Windows\system32\svchost.exe -k netsvcs -s CertPropSvc -C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc -C:\Windows\system32\svchost.exe -k netsvcs -s Gpsvc -C:\Windows\system32\svchost.exe -k netsvcs -s ProfSvc -C:\Windows\system32\svchost.exe -k netsvcs -s SENS -C:\Windows\system32\svchost.exe -k netsvcs -s SessionEnv -C:\Windows\system32\svchost.exe 
-k netsvcs -s Themes -C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt -C:\Windows\system32\svchost.exe -k netsvcs -C:\Windows\system32\svchost.exe -k networkService -p -s DoSvc -C:\Windows\system32\svchost.exe -k networkService -s Dnscache -C:\Windows\system32\svchost.exe -k networkService -s LanmanWorkstation -C:\Windows\system32\svchost.exe -k networkService -s NlaSvc -C:\Windows\system32\svchost.exe -k networkService -s TermService -C:\Windows\system32\svchost.exe -k networkService -C:\Windows\system32\svchost.exe -k networkServiceNetworkRestricted -C:\Windows\system32\svchost.exe -k rPCSS -C:\Windows\system32\svchost.exe -k secsvcs -C:\Windows\system32\svchost.exe -k swprv -C:\Windows\system32\svchost.exe -k unistackSvcGroup -C:\Windows\system32\svchost.exe -k utcsvc -C:\Windows\system32\svchost.exe -k wbioSvcGroup -C:\Windows\system32\svchost.exe -k werSvcGroup -C:\WINDOWS\System32\svchost.exe -k wsappx -p -s ClipSVC -C:\WINDOWS\system32\svchost.exe -k wsappx -p -s AppXSvc -C:\Windows\system32\svchost.exe -k wsappx -s ClipSVC -C:\Windows\system32\svchost.exe -k wsappx -C:\Windows\system32\svchost.exe -k netsvcs -C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -C:\Program Files\Trend Micro\Deep Security Agent\ds_monitor.exe -C:\Program Files\Trend Micro\Deep Security Agent\dsa.exe -C:\Program Files\Trend Micro\Deep Security Agent\dsuam.exe -C:\Program Files\Trend Micro\Deep Security Agent\Notifier.exe -C:\Program Files\Trend Micro\Deep Security Agent\lib\Patch.exe -C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe -C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmopExtIns32.exe -C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmExtIns.exe -C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmListen.exe -C:\Program Files\Windows Defender\ -C:\Windows\system32\MpSigStub.exe -C:\Windows\SoftwareDistribution\Download\Install\AM_ -C:\Program Files\Microsoft Security Client\MpCmdRun.exe -C:\Windows\system32\DllHost.exe /Processid 
-C:\Windows\system32\SearchIndexer.exe /Embedding -C:\Windows\System32\CompatTelRunner.exe -C:\Windows\System32\MusNotification.exe -C:\Windows\System32\MusNotificationUx.exe -C:\Windows\System32\audiodg.exe -C:\Windows\System32\conhost.exe -C:\Windows\System32\powercfg.exe -C:\Windows\System32\wbem\WmiApSrv.exe -C:\Windows\System32\wermgr.exe -C:\Windows\SysWOW64\wermgr.exe -C:\Windows\system32\sppsvc.exe -AppContainer -%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows -C:\Windows\system32\SearchIndexer.exe - - - - -AppData\Roaming\Dropbox\bin\Dropbox.exe -C:\Program Files\ESET\ESET Nod32 Antivirus\ekrn.exe -OneDrive.exe -OneDriveStandaloneUpdater.exe -C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe -C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe -C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe -C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe -C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe -C:\Program Files\Sophos\Sophos Network Threat Protection\bin\SntpService.exe -Spotify.exe -C:\Program files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe -C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe -microsoft.com -microsoft.com.akadns.net -microsoft.com.nsatc.net - - - - -Intel -microsoft -windows - - - - -C:\Windows\CarbonBlack\cb.exe -c:\Program Files\Couchbase\Server\bin\sigar_port.exe -C:\Program Files (x86)\Ivanti\Workspace Control\cpushld.exe -C:\Program Files (x86)\RES Software\Workspace Manager\cpushld.exe -C:\Program Files\Ivanti\Workspace Control\cpushld.exe -C:\Program Files\RES Software\Workspace Manager\cpushld.exe -wmiprvse.exe -GoogleUpdate.exe -LTSVC.exe -taskmgr.exe -VBoxService.exe -vmtoolsd.exe -\Citrix\System32\wfshell.exe -C:\Windows\System32\lsm.exe -Microsoft.Identity.AadConnect.Health.AadSync.Host.exe -C:\Program Files (x86)\Symantec\Symantec Endpoint Protection -0x1000 -0x1400 -0x101400 -0x101000 -C:\Program 
Files\McAfee\Endpoint Security\Endpoint Security Platform\mfeesp.exe -C:\Program Files\McAfee\Agent\x86\macompatsvc.exe -C:\Program Files\Microsoft Security Client\MsMpEng.exe -C:\Program Files\Windows Defender\MsMpEng.exe -C:\Program Files (x86)\Mobatek\MobaXterm\MobaXterm.exe -C:\Program Files (x86)\Razer Chroma SDK\bin\RzSDKService.exe -C:\WINDOWS\CCM\CcmExec.exe -C:\Program Files (x86)\VMware\VMWare Player\vmware-authd.exe -C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe -C:\Program Files\WinZip\FAHWindow64.exe - - - - -AppData\Local\Google\Chrome\Application\chrome.exe -Root\VFS\ProgramFilesX86\Google\Chrome\Application\chrome.exe -OneDrive.exe -setup - - - - -\atsvc -\msagent_ -\msf-pipe -\PSEXESVC -\srvsvc -\winreg - - - - -C:\Windows\System32\svchost.exe -C:\Windows\System32\wininit.exe -C:\Windows\System32\csrss.exe -C:\Windows\System32\services.exe -C:\Windows\System32\winlogon.exe -C:\Windows\System32\audiodg.exe -C:\windows\system32\kernel32.dll -Google\Chrome\Application\chrome.exe -C:\Windows\System32\wbem\WmiPrvSE.exe - - - - \ No newline at end of file 
diff --git a/tests/end_to_end/test_emotet/data/configuration/trigger-emotet.exe b/tests/end_to_end/test_emotet/data/configuration/trigger-emotet.exe deleted file mode 100644 index 6f58e2acf0da266cd7a3fcd372fe72b97731957a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 36352 zcmeIbdte(^l|O!GG#Wi@D;~*~?8J`cyigq5iQ}eukTmf#QR7GAS01!=WLt@q$R1ac zW4oz~T_{U|lol3BfGxBOEU>)ULJM133KT+rrR{g2&@GgPcWDakZh3Tp_WL>K&PcM8 zvfc0QU%&5H&YZdDanC*X+;g8ZQaTUcEF3}z4cE&r3vn0j^x4JmuY)&8L5w5Nos6etBkyb%<)q&|5E?qOW_;Ueq8xT(@^q}YDC3!yNbQmWW>gAm31 zFL$?462Rw;(0hOq_kr%D#G=nrLKH3{y(%=EHJ!!X!1v^3tk1-!Gr)g#Jpg!ISJWr} z6Bgn~eJY(A29a&M4+$ODn{efQcEKU_sd&k?VPND9&uvnx4WQ&O{Bjrbv1 zbBB6eshz`0lDw59aZ7NydTJH0niZ%TCu*vut2U;Cq(rY-5e%k7GU=--2f?vH6}_kc zebiHHkh3-*?`9d~)RI}E)u`!mDxK1jixTC>TuNe`GiWZ$rbA{0(lGzjYTFu41U5Lu z>!~cX&k`k42_f8;<8~-?5UDCj2ung54)S_~1?zSO3)ijIUG4}f?X3z+t+J-UG;HzC zqd^sS=wP9Hk&=e9uF$~(*P^l-KCRbyLp7I%pMxz`ebPPTDJyxKW9eY6!EM1H6nPC= zt|mtaN`ej->NU_2fFI!r8p{m7c&QZOruaoLf+q0N9hLWzD9OPyG+wYALKJdU8zXQn z1goY=FH6=(B1oBQ0g&%9wQ32sry4;??D zG`G1AiT#F);#t8^1~b*ra@BzmNvTmCS}+o(PGAp7f@1Jl#GsBCRO{5z8r9qn4Wac& z{^v0%g-^pGr6Apdd{$&u1p-%&VO``e%GVcgt0o3ZZ@{tea?g-2~aKE`sbAb`KA` z>c7_uIQm14HKl<9H2%6$_Dc-)snrZupunoUOGfL)b4Ec;DfN#gjC}}w@mpN9*!V53 zLP}eo8^OdxD?W%j##Itg?2Z%IpbK<0;X(*i?Me@!FmIS7PNVxM1&&&etExEsG9=!w z)%smkhD^Jv{4${iU3%3no>TPDMweVZ)TGev6POn?K^@jj^8)4$-5UF?fgYng+U(U2 z?1g?czXSaBas9tD_HE7|`~J^{HEkACrzVH9HTo&co?4AHjy)hkKVr9J+rY8GAu#&! 
zM-6dKHBye2P**IRMkBRE3`J-fRn?bhve(nYKq4a+1(U5siGu>Z1LI;H+JHXlDKctn zHBj|hGD$O!Qs!fn*&>W0t(ggi#~Gdg9Hb=yhU_HLkud-%9*m6VrA?$YlQPv7N`84n z(nv*Zo20FdOaQAYJYw-kzHY6wq-s|~m6bZOzSK5}Y^>UK=us|M+E!b#Kv}V^>}nD% z84Nar^7-L8R6buMd@~4;TBs!~Mbro_HsQL9_-@<(obN*a|Mp#AgChPFKJ=jPJG^=u zP2pG{@;HR>6bq%h!;d&FUEq?a!=hfSTlP6kyg`*^ zJ9xb{yB?VxrwA@H(Y{`pt{T-2V?s9HoTY>d;W=J$SQ5p&5|N06=8cdJrQZT*zBQYX zcTzmltC4M4D$nPZ2^-i1f>q^~4UCWtOKls768w`^bu+Xg}|EQhF8Id4P3v*bAk z`!C3@v(u;9D)y^-3NxujGl6d2#ANJsw5lcRw@Kmf&tO5-a>pqmAI9EAuH)aH)lgNQ za|I@b3+2O4fNWKoEMUj4mzB2tMf7}sVPl4R5VV_&(wuXT?JlC^HyKOV z?jqzucM&ze7;ODe48d%(Fhb38&@P84`OU%-b~%JxSPoISoSKa?YR#MBzM7w?<+J2` zHGK=vS?+12v(z8#5Kq5@7~CJ^1Wr@6Uh~p_J)=XGB=e&?&^oQr4ed0Z)+sfmbP`c5 zt#iq4hgG2FFy9H8M$P42=jXGAJo`63>M;Kn+|aHsAw=}xdUR^;&3dB?72tYs{L4JL z)Jpx%d>69GwqC&F@O=dyhr}!JxE)`C$G&GCk1P3Byqm1Zr*iohP`Ts_s9fd+R4y%_ zdTX`}Zu7cIIii~HVLCOr$>MU6pcig|saRN1le=>cs~UA@2d4#0vY46HsIh=ahBMRd zUHNLser8%7XhBY@1~aXw=ffu{!PVG#7(1n^(LBoGs&xm|yxpqT?~R;69XDL5ULYqY zrhMrFe*rJW)yP5QIaKz#d?sytNtGJG#7<1!Vn*Hzq(;pbq#Z2@UZ~&a_bt>P%+sL< zx1U1*`yG6;rTQH*=w~VZ33(q>&Te8PID0AXr2+hN`W>f;7~J^UU_f8@8tDscwt32u zd0C(l`}=@%T`6|y2WhXL=d_LAHk`qo7)nvNmES4zQ!$}~T$@k=1DRXv4}SYr$sK>(~NnFiY-$UHNAHt)Z1RZh$B9h!J$$eA}&_<1yb4_iXtA zMJ*o)lbE4dTtoAie+NEQ-M!`ZY-nRA&u*f@plZ}u9NacrMmMn+gtyI>@lEUn0dBKp zgcEx~h}&!#;i6XPIH(acm*xgT9SJ) zEyT^&@Z?i5qT!JsO4B8R$KB+#9@AvgfG(m z)DDwX95LSKUDpm27Vofv>0FX0#{kR!&RpSYeJab>}Llo_q$gq z_rfd5*{4jjPr?&Oj3@L_s|shEVWe8+n{Bo3*upTrhwkOGm&@B;x>< z^e4b8bef;UEfCo93CuM{!2A@jqLKgx$WJ3BOZ7bhUn`N%kf64%$YOn#QJiRh4vDQ5 zXiua+Pef;`7lBfBBv9fniTo2Nsdoa8+=*0#b78s(ojwAcfl{M1XgKdMO3g1&PB6kH zFr?(VF9Izw?;;|O2TRPmDdi3ZJY0c**JFMO6d5&@YU)-LAW4RYqcQSjuxF{Bs`<~9 z*K1g{QJ>st;5asN4^ayYJ@rZC4VS?F5)8GcaaRICBN#La?l6MpS0J_KNoSzYD7*$w z0}ci}>)wbwcjo0OVWG?@Wh`=ARurZ0MNacRfGzt;cfeN?SYl|8tgu}f`6_r@pGKg7 zTD_18FNypb2G!IzvNep{kBnS3kNGtur4xec>QhwR)T0pOu9si?CB~A}pNR2wWT^G2 zGN<_sVCyy;ORVVfm=Ayu@EN|k6$XrzKJqs(F_37={t>+3xh^+=<5U8~$q$t5-p6+n&Gh;dlUt z;{ka%e(`X3*EEg5tN0jb4ion|+?}{5;CrH{5O_tnzaIBe+(BgeHv!vm6`?QM@(>X* 
zT=ybDCmHCY{0ZPJxCANaF`Pclp+#2m5LDXe@M(C)Nc)@p;A6Bi9C*U*^f`Tc1WGVW z)$T}t8#OA>Ppv>Znhzpf6hw#fAy%P`C8z^8G^Pt4TR8swA_AlIP@`%+yG5NHVgmBT zkmnkDLy_-LMg2SQv&QA+j(j=C1#$yM5GDXq%$X5=k;lEVK~?M9}C-wXVr6 zcw>ph-vC;j3$Hei$f9~(ytW&x+Af+?Baf4Z{}o^s{Rp!r<4+LY!}t#=*~`fvA&FNq z&>u8ao85;S$6`I|<3~KGr-)Rimei=H`jA>(w{#8aN5u4D*c*8g`B!^qiARrMPf>w% zr-JBCrPM4<9YO#Q$_3O1mj$bW=^rC2ULlZwN7YkgL&%(fR+)B~DWq#s@(mJ4T|w$< zXh}bXY}df#e$tFX8M>cpCIp))LL9uJ$g)}%uo$y*(TXFNi!qzkwt&T$&7$>5E*E1q zYxe>cV>XLcGr3%h*{tXS7GpMx0x6e^F`GpTq8y7cICy}l^pXuHKsaC%IAO2C?E72P zQ`oj^j*MG~Wt#aD_}2U>0SpFS^Jf4xx2dPl(i+RDr*ImL@MXE5XXU;@asv+Y7r5hr zNYGJgqV4UMMei^SGJ+M(L8eB}VWi{S+zwcgj~{l$b9dk^UWFI&IPP+6o?C zu(kIX*o&LL2P^UifYkw4-Lp7I_#@JWKm8(Zv*ar&VZg92!mDD5E%-Del+2L&VtZ;L#KyG%`yZ1a>d^n z%gmRcp>SP2%A3Z#WLe?nwVj*E*XNNVFGG6Gx{zG@8ReLK%Z+lQ?54!ddhEd?SRr^* zHzPwtLCRDC0)=k5A}e+qg%La$h9g2hqN5zNN};KNu%;wXlzQtDba*Fa@EPvFk}aQ7 zAmLMuCGRzLqGHWtV%O!}nj}WC=|`K3!go zW+CM&BH#m%GsoA-!{wGpC?^sq+OjfNR$kuJmtiX}9qU$JMDr5T{0&>AHUcxGxp}%n zZ+i=x!7PR-)qcyDsL7>NenF4gT3)%JAK4%!BJukid@*?LuQ_sLi)6b&L6khC^u$sk*J|+80iBT%M zG2+S+_>< zI!8ArVQ-B=TWisT1s7@|FwTfdO^Em4Dnyz-M33Xz1KKC^=)}7c*Hxf>8CL}91Of){ zxT3f;c9-63>~X!h_wr^%F3nl*$xG@t)HiNuY}iU#oFWNWTOq_s3`g(5y>A85y_r;E z{206{#QDpF_)sxu{k`I5Ow34%mAm_+t+;;>_$tg7E1Q$%5DDW0o0S7Q@2K>6f&9nn zMiB%7$(wP7aA6P>C`!!XB6=l2HSSbrs&4?7j*DoUabaNM=f9XXSf1_$xJVXlWYrAM zL6llW7uy)N0(!-pm7@w?y;eSe^xa5%#Y2F)cuM&$(jGMmxC~Givv`*26_05o^CH8W zos@nb!xtF-8PF$oyFLK{pUMrCIJ%U|JqhR&H!dZ~Z!e94>sj{iOLcMMGSYK9pilf{ z8I`D2P+4^qMBm78hT)kC^5n-Deu3dV41dmCXC=vB%J2ZgL5AaiKJlJP()@8iU3|Op z?n+(!p1Fm~xs>I1S9-S=N;DaM|*5u*oT1&Se>!1o|6-|fOO4SRYW z7^ZlEB^IzU!Z3Q!c;iIx#;^q}11$!0k)~q2;!iqXBdQoXZDA`JyVb&0V?-zxcOZ8u zB-b+U)8LgNT?<=^#Xp1R5$nYz%sb2ZHUq=rLVORrB8)5B7<-bj9l*$zUqP}QHIdlw zfK}pjpp&hJDp=N!x_l6_ex(s`fX_vWMFlV?urzcQ<0(5y9>hB;gv~K_Sj@s3QFSZe zK6N|b>(rfq#~IELMSlah19NXxn*ncQ_(_IeWB3Dx=NSqI$t+=5&2S^bR)zx%uVOgC z@Qn=L!|`8U9CGJK5T&l$b|Xv;XgLLHb3GK>H!Vyicx>SCw& zo3OKwVS?ct!&@1Cg5g&g{(#|c8M+FnE^jWNTE7EO7lFcI=jO 
zj}*=!{pG@U0Dhy0xT}k))*Ff`21s5PEz57x(f5|$0r-XGAE8MPv*In`-zWi;vM)^d zJ4J&U!F(64ChSdRE$Sxp7dkV_Vfz_-!2K!hLGTV)*!|igz=kaB3GFfL;>RrP*V+@n zObc^5&tcY`wy-kiFMwTRVe6ddaYA>Ug>7>_2W(Da;(&7#dfksL-l+3IV867mYn_h( zd(M*lu=7PM1L&YmhzHzXbm~e-TxVh5az2K2!P_kCCyd=HF;SpE}dP{KmpM^Q4Y$YGK#ujmiqK z#=>sWHv^+1N!!<)|0A*(s{G81qUaDNu941(+jZgGBz)M zfR)H=MR6@j&WmS(?GPPx5=JG^U|!tozF*lT-e_Upa-UV2 zMPMUIzDYdnJ}+8DSYjN5t>RD?dj!1qTav$YKdQ7*CiYU?^J4|4A{LhN{9M^Ben`VB zYIL3F8D)>qUMsPi8LPFhzh|t6FM;UuSv=@X_@OF}x2SjHUff^M2i|#$_Z`Msn>e5NdBI`u zl38rCa)tO?3wx$uvvQ^QxP|=(u&cy<7Un73BnHLzv)EyEP`sSQHY-DdzGp#o2o@ew zhsE_4wyJQm5*P2WuuZ^@iq9}cez`$CCjKmW?td&ittP~!Ev&`;ox*nmyUfDQG1hKj zzb|}0cwH9eENWB|qTj-NMR$OArG-@%{R6Os#KhX7P1t3eu&~!MHfCWRjF}cT%-Gcy zHeK`_^1YQYvihugTzphw?z2S?iWA~a3;RjYBf!39VSfTIDIT$~65k`hp0uz!--CD? z@fi!-1KyZ;(ZYto8y9*jdE!m(>%bcqB^GuDJX2I#*yq4A#d-^S5WESo-NJqb-h{Z^ z!u|r@)#8AKl`VM$Slq%Impmv^B4uG+;HAWzg(bjCi_;c%19)liJ`1}Yyo~s$h1~;Q zhD^rifuhHk=n6K8{CS}0S4$pNbJ!o2oEImvJgxXSU|(P@zwl7LDe)BxqkL21n-)g- zrp3b+M){^i2Y1$6#Ma{Psx#sfmy_CC#Npz9Rj(0uF(&)pwc-by&&GZwF>!eLJN0Wt zBWrn+NG*RKPPLxOlYG4>uz2@D^7YWJh*Q`?s^X1+4)JzCO`HLAiVp%})eYzpcLKV_ zSBgd0BfgEaR~R^lR740+6;*%^@ftu))B`$2BOq3`fQo4Qt8g!KrDQ+Ss<;BsAw~f; zF~(ey!P~B!PH}pM(-&&Kp6PF9nYRNv#I1muxb32JMSO%MKh2VqOB0k!5qB~Dt4x2; zP{W#d3~8r052%Y502T2kK$Q>U9m3@&N`ARMrYr|k#p(;vuVIR;ujJOT;RcTRwf^!F2%k2l; ztQ=w(W0+ugHNzQ(^MKEZ8v!?oTbR-$C{6HL^^D>#`FHhpB~tQ7^<&DVCEKz0d2LCf z;$fN3LcYZDRnB`x$&~CAG0>Me5)9XhYf3hWwJf<-%#~C-){3{4JglBoJ_0x+K38&H z%!qp!euLq|fQ6j5Q2d}|z2j=6H$&TROK6P$9bioSiJ@NloOoPWT6);=xKdl%s8n+) z=U~YZ$J5GS=~2KNO2-`MnEoPLsHjvglwP`7@gTj-aaOsrG~+PTv!$m1zgPN3N4fe` z>3LCYaerO<7RdZZDcM{eyv4CrT@$?3@uE@_BnsJoRw2vJDy_lW9Jec7!H+l;^~&Hs zIvUh;@Uy7zRPZgx^`_t#k^VsNUchezA8{nf(e*wKR^sj(xLJzBJ z#ib1UL+3y_%5W<5D_C-Us8J~qZw;Ln39d_t_+n^@Rw2F-s@7smxm`R8nV9+nG@Mna zE@zcrLjJ5memkp>-)v#nOB?2F#D>}vWL}}dJq(9{pZ9j&>7dx zDl=s#0B->Ntay9bd93c-JE6U#t`Af@F+F8+BeiL99!vlb~s}tq#1Z9RPH!wWS@K%D#9p#(E$JG1Fsa}tk z-=?hsY;dAC@y^h4U+V%gGa$K4{b^kMaGap}@c*#B=|`Z?`s(YBO4&<)C2 
ziMO&Iv!_Ft`dP|&xyN5#j;JJTqXan6%=WYi|S?PVb7Z254Ba|(q%u< z9v3^7H7bvb%NZU4_i>Q{JO_K8*3PN#SoR#?KQQI>l zvrKh1ustuTeXecJT25cWv9Xf8#87JX!HRr=rkGj!M5BWzmXutK->&9>eZQkXZ_*DrW-9j}?I~29hB9Ay9`B8ihxa>vUeE>Z+bVnYGfY3D6re2f!*Ttr z(&ySFW*m=JPU$laTC>hLXsueU{Iqgb-zq&Oo~e9;z7}QO=9qWTXn7;xCUM5`{pGYP zp~z_vwA$|A^zDvw%XQ^$hf<}(^Uf;Oc?;wpR=)}u*B)0kSKX(db=*|-P5n{FC#oI> zytitTIOlk{>M{MC3o+~&u_B-BRQ0%%w ztO{?!8xv$t2g{sM>cS{6K;2%b3765a8+wmyK2o_-Ro-5g4MdRR@+#8*tJ!o@uW#>tv&+D&gu?Owl6*A zifTjE)ON?i1d~V;cN{X;R-XiXGb9f|XIwky_(JupE1^A9{Q=M^=Fd5vss51bYOQp| z#{sKWe8v@Z)U0S!9(B-+5M@8lBkv}x!YV{NU|8%0T!s0|jpq&hfVDUcbBhhw*SK-I zHUhW>bAVfH$9mf>c44K9H}bH?bmMnDW&u0I^?>`t-vIXE`&(|DlHCG$1$KjOLVOA^BR&r}jo)2yi)+O_fOF!0%yCaa-Xnen+dMeA+Y5MJ{2sI3bK*~c zf5b}+9`R?K@_R7-`qX-{QvA+UFV->KEB=J^GEO%#Y+=}o_x0<=Ymt6~_kax2{eXT%zfu2! z%OwF1cMyGW+Q zMKUWnUGKsRgQC4~9E-s>6@3!$9Yvo5yq)3aita-Co+6UDzvwGSmlk~uaHp3_>|>Z< zILGi-hM!>gRfa!c_*;gq0?K6+lRXv1WMM8%zlP#K4e>+*>o*rL1+C*m+5-&Fpa4~z zUD3I4A;TrWRJ_ea(11@=cxDM;0GNssVmkLKXSfW0qTj0^Sb_5)1!u7#q<4a^;yZ%N z0J}j`5l>Zs`*Dh+iXOBw{aVOsz&@M~t9aT(C&X7Uyb7(a;<*{YK~V?#5r#uJD^{^? 
zAvi1=Kpz2A@#L)$>7#(EI3_kBJqoBI#y2B2CSfCd7qHPP&vOb)u`_P{FeG#-|2v?POSzW81aUt9GPIF{3 z8NW=#$IMJTGdN;SjVI06NIX@C$BXsx>9}Y~#Yf`fnM5qvZl=aW;za#Eb1I(d9gQcG zqNS&;wLdx-?P~9~)9oEiyL&lTf3zo_nM{qh;MbJWqCXu^?VB1A`+7IF9czNmO&)La9>kz?}6@~R?*r$ z*wqcZt*1BI+b4S3_V>5-_6;_*c1F8E=xOTf?h$PVTRQq%+Xh?OditX6(UzvZwq6#E z_ADTZ-aXw1278+ZK;6^UvUjk#`yihCA80z%JIE|V29-eBdOMqX`dXS`f^ExScUQ-u z!S20cps6F;iZTZKd)s=tnmXG=OLynKj<$S?Z7?JT+Ij}5kF<65MVmTc>^`btOLtd$ zw5PMFFWTKDcDHr4^+a3p#CnCTe6X*nXLlPiWL5Nvy=`s#a;0~554QF6kRJ#RwlsCM zv~_f}wOTmXz5OkF20OZUcXti;w)OT>ky4g?+uq&ZWy?mpxN?I{EiIt-4RY^}rc@7trNsK!GZ3_s;g@WO`JNYg{B3vA8x=#$sACi?`6o+JjLhHhv6)*Y0@6 zqMH~Q#xv4l42(@DV~J!8g|hz6*z~^9nRH?}mXrfV)(zm~QIL^`No$a`d$xs&-rg zTT-6)TI1>ARDwrH(P#FLCx#(O(_fkbpk*|cYRA~i`0!|a_ykg|n5@N#_)LOkJ>YF8 z5gkn_yfOqNJ8KTwl8cG`nB%MowK?acA zeTm@{7pv>;IEMDbu;@snGpON&RSZqlM6$EAreafg#fjX3ImE&w5*%I1mYL*1*!t|(SEJoDudTH_P=jt$4j zh_w;{l3kxf(>zA>#77b-L`i%^MAO}q87zkuklIoyGnGeak9M>T_8r=XIjC!ISNDM~ zk)yOmd-vv{Eqj`J^3Z)z{E%f%xTmeNyRVIwNm#(`>+c)f)6~_9hY>{R?(bVfku!lM zf`-F<$(Akda7bq~Z+!& zHhr;tYl8c3EH!gvBbG?k(yu)cPmbhwS7gVEDz`S09eTlvMYT`w3M`Ap?3ha#!Po^knIT5#po@4P$c3!0+oN_d!7l<4{uDD>xK4hhga#Q6{ zPE8z@qP9;YW;rw`YqcB`WF02tx^FUJ_wLn>?bW48z)n8g>I%2$1wROFGlN+ z=2Lf1CPu{A3_2GoI=C;DIEjwTEB?V@x#Z{J0>)zPP9m5IX!&XB$R}kLGch`z#`HQI zw={Rf(61>!q8fEg)3TjVJKaWW@~${`03%jww@oK93kY3iCUJD8IgXlP`;f#u%u5ML zZW|xTCt^OuG%=YRAuWiFT(uV2Z=pHc^Xz7uVecSZPPSgOH`1JXQARe$;-JswSj?at zuh5Tq=Dv6r&&#z~VP3AqEXsA!QGoJXl#$J`SXDO1Vg}`~;(GCbKzUw)m6vO=!n|CI zS(MA}Q5P%hm3aC27VD(q?0k!PlrJyBNHh;6E=3+~%z4$7Me>BQv~(^~<94P_TEO>@ zkMi~!Q9O*94t*v!HCurzm->SjN{V5OgNaOkkI2MQu!n;gd;56mWPGGSBsgZpByi@8 z#inTw!RZNm>j`3Z?3*~+8#|dDD|@gAz)W4wn`3jL7g}+&kQSY>RC+X)Y)Us}@N)Ig zB*w-5@iE@CkMNPf(PRwECwnlqhhk|WTf=tC9kR()PRkvvpc!1Q*VE=?3Y&MFd1PpZ zK|{%KGBF{JCa|oRL!ZFlC71H)ObSC#+FAfxV@q1DuZH9>E@DlS>8aRgQX~e<)G;h# z#MD3{mBD&WO!eaTtGOAI6ToRP6BiRx>1$}MEU=i!RdjfGl!;UAT*ni%vK;CiO&raL zp{8VJHiN#xN0BGh{58#8J}7;-iP7i)QnoMLR?3V7LuFr{!G?r!@$ov_0|k z#E)95ZqbxZ$H#_}Gwk1-FKjaWJu*3*=OmlaVouCpk{Z1Tt1pG)v9Va{#D(he76lhF 
zX&oCIpUE+-wYD9r#E0Kf*<8$aP*~eo?5DYRQxOMQ-64j1;+&1h2NEM#s$-6} z4kt+If-#Jhx2F>56UiAKhiGtW+*m(?UQPaKXL~U&#?du$hSND9I%zWAiUDby78W>u zwrR8*WJ?xO=!lFCKbt2}(Qy{wQ?q?$0-GB$x5KoS7uc@HJVsy{v-YS!@+ISnN$qJKss#>CoqDJFqNvDO>|=WHwIr(vk-%Q zY2i`XPPYGv-84)yVqW{T&|(wED%_x$Wv8TPWDwI)t@Jo;UVCCA3Dc77GtFcl=8hBr(E`OT5fa6iWWL3z_yZfTd^*a$qDOhmRip)!y1orQIO6rR&<&t z<6UHFv^9~&M8F46GAU!2YSomSieX;i%2jYV|y60A_m`Ylu^{FXl2*YEN%gdjaKX(-M^m zY+}CB1vK>B#L)yDl2B32NlZ~zYEo__T4rK&#EFR$6UKNtNlnMybWdh1$)cUHW9R`f zPGft|_XDG}S0j~&Flf<1(qwu9LyjCyt;0F;{DNTP;e?LuxPG)2l#?^ZfUJ;wtdd3$ zS*r36Q}SEIqO&GmKAnt7wKQ7bh$~J{70~_I$S6G#;fA79d~8{dV%QyJ3Xj9Yq9M8+ zMsNmB5XkS~c?ULFSL8Uk6fK!^RpLQ|TirUx!BW6p2+PF?kM<;yhvEze5p1s!Xx8LY zCHp|mK4g+&O;k&3Zn@xC2Yax%6G?~s@1Tb}99IHX>NKs%iZZ$3zb|%K> z?6H!dbERG^4>(7knTaL$U=@iDIG$HRNHnbQ4)@G;4E3I_Y}4^f)Z*#j&b5n~(}&(KOQSC`(tCYdF-RNH>p z@ZcZ~@yXasOEQ*DZ^HCF4j1t_z`-QOQgJ~CGML2kk7l>i4)L;~!NCn8+LWFdA4V2B z9naD?V#zKpC}6W_>0Pz`vMqyy_6u$h#{q&aO3@+{KYijXU# zh!Gjl(X`$7Mg-e@AeP8jq1ub#tZkeIR4g!2F&=X8toq_RTbW7DUKfhkL(4@U0@tJC zq_NUPY}=`JOi5;HCX3VaSu8$mHWs58W~rTcdg4KK5eeOVT;xBEX9X;o)gt|eMS47j zhsWfZ{IuL==TFV>FHOkVCPffi0~aN5#%JvmB$h~H`NZ=<`al9f4Bd#vUL1dA><3GX zh`v-J`;;6@pJU^A?41}+3qH#^hF;han;ah=MPm$OW<@}grTu;FTX@cFj-}(5ULuuK zFSk-wFNk*YGk{=`AV2zIRKEG^g>)2myca9gAHJoiSR2TV5_F+v9kl&2>iqc*0by=J7Qr=2Q~-LzcJjTrPQiXy6e>Cgc0 z*3jWW81L$g<6WFdym7M)82yRr=mj*%v7vBw<9#ww)Pi?{aDDcms=Va5dpQs}Xpk4?3HW6N4Lhvp`Bq zJH2?7w``t;Ag%C&ESVJGzD9z?bSAUi@&uKD<@7QMBQW#WuVIiC_#PGZj6IEJs13#-YlD@jBYV%wfn+fSce- zXzO~4qtQU>KwNK-{^2ZR^tv~^Kn$dak4!d!(Jytw5>n*J8svQ4bOtDUy? 
zag<5nbQ!3Mhh)cLgHlun7#BmRdlJ zr4v!p565-lJ-sH_(1~)VplblF*e))Gkq3YsL#rNuw&RG`{BpXvoWm%A?7W=qNU)wR zOOMn$jW-b!c=wg436x>qshr(t(h1l}^`ByUx58esyB&5#!B65l;&eX@nZqcjA2tlb zzO9fMLA^$xf#mV6Mab=e{7KMyq3<~R=Mt75Ls=)_hl4161Iy#E7IFvKf3lnn@XCIK z&~YxW9gTAs7H@?<3c+UBGlX(`VDDkrh}|UXqjn)bZ32bbDatt2E6MiA_8CK~%6gF9 zWM>abI?Q(NK`SJ=UOmu1z~vr#le2oe>uW0hH~=#*T?=j4n0)kzU&_85c6HNY4P;rvu&?K*W$eUC5V{Pr@HmAIg6mU5MJb1^0uv zQ@tADpJSZ=Ft^(n@+Yl!mG*Q&R`v_(SG~}_5Bez%rua_n8AV%CJ5!vsqt3ECiU-+G zsU4`jsh^E-yS70-2|oFqU{HP+_ZNx-s&6m+C;cePC!4S@fq!Xyqj`$#q;ata`G;}u#CX?%y3zO}{XzZc z0CZ2nk2Kz7z~2DBPQw2OQ7(R{N9xsl68VGrJx3LofBV0rm&^bsV~e;ai&DGH4I#ZzRzOoa$l6 zYZBg~v55Sbf_|DGr+~FV7me2>p9H<#@;CLvM$S+D;ULnB<3{#ts)Ou*_;xe&jH8T` zuwx_qfp?2>9{|4}^&EgkiW6$z5!9FZAJv2Ua};=f+|jru`wQ7j@w^+9V~{1g^ZQW~ zyuTOTl=IO5>?D0uKPtZuIK@51t&IN`@b>|yIGaSdi|bGG$ijG}a!KD7+z)eosK3g2 zN0xJp<7JxTd>r+l`AhcW%h~7BekzaRipDi+&k*?3f2Mxg3O(JBAzR6>8{x;RL8p0##+4TEkE0wakMxYedK%BE-yh4<(}MUU zOKBXG^EAa3`BBbu$3d0z58lgVeKfC8zb5~Y&o-b3=IkPUG{0;_u6#KfrzSzC^&PFd z@L~z%Xnw^RFx$O}{X+eI!m2NoOMRC5Gqo?xuLHoP`~doktS7ZE_51(&c-;?sgG7Vu^OICy<9u0BCbWn=9Iq(cZ3}|HNzip>-4`(1wRLTC@!# znZ;$u4Oafnk&Y;yEBs&YTp2jI=cZq{fAo&;J^4xD{^B)P43uB;)Q#?jd$$aH^3twN zCG_i~#YUm8%wHSpaI-CtT5R!WSmDj8(#07uos ziqT}W6@)d#*kNqKwbd0?DZRCb?wf3J2>VElPm7>H0u2NT13;%gG_(Cc3c<_6x zQJ=5ar@Ha0d7LVQZ%X~0ihsY`=PMAp+vBNp!o?n!aQKXVRmI(C^7&L%S5c=X9VJ)z z55eFoU3#fMrWlvFKeKc2^~U$S+sNR!Q71(bWNR_FR8{{NGF**o5?_idH+BIU+sol5 zsP#bYc8$J-rHMIq+%E0+_;pn6cLZJlK)wop*iq`AQGNbdpO5XGn=cG&u-P)cD6ISE zZm{FQ6V@yY-u4?#fVmspVFy~ms6&AGH;|ED{}}w_H-PWM)v7_oY5chE+%06ge;+8w zI1AP+Yd8%ECK1b-@GijaoP4M;qs%bD;lt~WF&ii+yGD}63OuA4gpHz~&4?TV_D zI#G_#jkZyJdNJZ)xzN0dQMknA@>lz-jY7n^QQ|L?IetXaZVs3tx83%zwAk3{c2kr% zsCLHO(}gaF&4#!OkwT!sDPZTbq@=J=YJ6VaUgX=n69+v0d5?eY=Ty)6B1vWE&6g4a zjtj-O@qx*{GOD2w#n;?Ga3Ng@0hy^%-m0m{`PDk(63VL%CC9@*gu%56e_0Mlr0>Z_2|9-e12x@`Se5+kc{H2xt`3C>|CggX!{a54K z?{-5A{#jXcm+G&sbb4G4f35#&(8&oE>{kDL6bg-gv=hE=h)Ou5>7DF@P7R$gj^;Ds zKJsB5S2-@LaL9^(&;kNsj;dbiA-m?UH0EPc=1Qq8&e{@`J0K|Z+;nr0E75t2Ttf5t 
zDk>`AN<=Unt=73pz(en$k1UFt>@;^z2QGfP&3RM z^EYsN%=_5ld3;-ydW|PcOn7qMsS^yK2hE>0=5O)Ozl-onWBv@xuc)lx3>6iK=86h1 zio(tcpOgcWJXk@E6A%H#gYFFp{NsvI^-#adTp{YUY$L3a0t`=AxP4IhVgLN?6+ZM| z^jToG`3^Rt!r@ZTPNLF5r9kS&0+-WYhP$KE;Re%(+8OhoRN3R7)dYq`xY*%F2+Z9G zh6mzvH~JhtH-OFwy#At8-Yz5leKZ_w@{w$RQyB?BF`Y6VOgKo6_ z{P!S0-o<_XaSBf&NTG8sa`w}Ht0O$i>bbjt%8vh?mm{0=l9Cr8|4;$kXQyQe6b-17 z10$UZJ5-qa7jM{6>8td)jq4ROiLcT@+OPM(>`MHP5JbU`io-e7XlZtv^y zdzw&EOr6_*eL1=kYU6`qCo*6|yJ;bqX89|n@i@OZMiMWt7U5kv(f^nFPdq@sV9M^FE5m(@5OWJNP(uo=zb{T7y$GH1 z&k#kpwZPOITG`1CYIK44%0 z@fq!hP>Nq)0^MGvU#RIWmZ4`?^6wJtGd4g$Ef$ALw&Yfnj@NlvPi`$w<%Dr!)%+Ot4D|bMVO&>m+1(bM_6a0y`-QOo za~m#UKhTp(I^~;$zv$Fvp*M1VAfHeilkb|~FWPC1!TU*A9sW=AA*=Z9m+#%ab9yWp z#)~fWRC~vYhWZUF!g1?i`i>QNl3urEML3OD)JO1L#qs!#6*KYlik+7gdAH-e4t_^E z3>!4}#Xr^x19NQL4kJX=SSP{m9>cmmJ-j1(G>o{cLwAIeT! z-;lC!P*QlI$NJI^zVMgClm7Ip)Y@ok4dav3W4%pkj(5aQ#*^VB!5u4N_#z*@YLr?L zo=niIpJ}-9C|+NQTa{uZ>n~!BZTk8Jwr^jbbpiyoueVzW2(|YAg`W?~-==?R" Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" - - name: Copy trigger_emotet.exe in the agent - win_copy: - src: "{{ emotet_file }}" - dest: C:\temp + - name: Download trigger_emotet.exe + win_shell: | + Set-Location C:\temp + Write-Host "Location set $path" + Write-Host "Retrieving trigger-emotet.exe..." + Invoke-WebRequest -Uri https://s3.amazonaws.com/ci.wazuh.com/qa/testing_files/end_to_end/emotet/trigger-emotet.exe -Outfile trigger-emotet.exe - name: Restart wazuh-agent (Windows) win_shell: | diff --git a/tests/end_to_end/test_emotet/test_emotet.py b/tests/end_to_end/test_emotet/test_emotet.py index 7d6d2bcde0..74f074f8d0 100644 --- a/tests/end_to_end/test_emotet/test_emotet.py +++ b/tests/end_to_end/test_emotet/test_emotet.py 
@@ -13,9 +13,6 @@ test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_emotet.yaml') configuration_playbooks = ['configuration.yaml'] -emotet_file_path = os.path.join(test_data_path, 'configuration', 'trigger-emotet.exe') -sysmon_config = os.path.join(test_data_path, 'configuration', 'sysconfig.xml') -configuration_extra_vars = {'emotet_file': emotet_file_path, 'sysmon_config': sysmon_config} events_playbooks = ['generate_events.yaml'] teardown_playbooks = ['teardown.yaml'] From 0c78961176ba0f1bccc328802c3c12c996a2d849 Mon Sep 17 00:00:00 2001 From: Julia Date: Thu, 11 Aug 2022 12:24:31 +0200 Subject: [PATCH 344/552] fix: Fix lines that are too long --- .../data/playbooks/configuration.yaml | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/tests/end_to_end/test_emotet/data/playbooks/configuration.yaml b/tests/end_to_end/test_emotet/data/playbooks/configuration.yaml index 1522b45481..ef2c4d938a 100644 --- a/tests/end_to_end/test_emotet/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_emotet/data/playbooks/configuration.yaml @@ -22,9 +22,7 @@ - name: Download PSTools win_shell: | Set-Location C:\temp - Write-Host "Location set $path" - Write-Host "Retrieving PSTools..." - Invoke-WebRequest -Uri https://s3.amazonaws.com/ci.wazuh.com/qa/testing_files/end_to_end/emotet/PSTools.zip -Outfile PSTools.zip + Invoke-WebRequest -Uri {{ s3_url }}emotet/PSTools.zip -Outfile PSTools.zip - name: Unzip PSTools win_shell: | @@ -39,9 +37,7 @@ - name: Download sysmon win_shell: | Set-Location C:\temp - Write-Host "Location set $path" - Write-Host "Retrieving Sysmon..." - Invoke-WebRequest -Uri https://s3.amazonaws.com/ci.wazuh.com/qa/testing_files/end_to_end/emotet/Sysmon.zip -Outfile Sysmon.zip + Invoke-WebRequest -Uri {{ s3_url }}emotet/Sysmon.zip -Outfile Sysmon.zip - name: Unzip sysmon win_shell: | 
@@ -50,9 +46,7 @@ - name: Download Sysmon configuration file win_shell: | Set-Location C:\temp\Sysmon - Write-Host "Location set $path" - Write-Host "Retrieving Sysmon configuration..." - Invoke-WebRequest -Uri https://s3.amazonaws.com/ci.wazuh.com/qa/testing_files/end_to_end/emotet/sysconfig.xml -Outfile sysconfig.xml + Invoke-WebRequest -Uri {{ s3_url }}emotet/sysconfig.xml -Outfile sysconfig.xml - name: Install sysmon win_shell: | @@ -72,9 +66,7 @@ - name: Download trigger_emotet.exe win_shell: | Set-Location C:\temp - Write-Host "Location set $path" - Write-Host "Retrieving trigger-emotet.exe..." - Invoke-WebRequest -Uri https://s3.amazonaws.com/ci.wazuh.com/qa/testing_files/end_to_end/emotet/trigger-emotet.exe -Outfile trigger-emotet.exe + Invoke-WebRequest -Uri {{ s3_url }}emotet/trigger-emotet.exe -Outfile trigger-emotet.exe - name: Restart wazuh-agent (Windows) win_shell: | From f6ad3ef2d15d522783470218a993d19233944fdc Mon Sep 17 00:00:00 2001 From: Julia Date: Thu, 11 Aug 2022 12:40:48 +0200 Subject: [PATCH 345/552] fix: Upload external files to S3 --- .../test_ip_reputation/data/playbooks/configuration.yaml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/tests/end_to_end/test_ip_reputation/data/playbooks/configuration.yaml b/tests/end_to_end/test_ip_reputation/data/playbooks/configuration.yaml index e351a87884..bc507c6767 100644 --- a/tests/end_to_end/test_ip_reputation/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_ip_reputation/data/playbooks/configuration.yaml 
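Review bot: The `Invoke-WebRequest` lines in these hunks fetch sysconfig.xml and trigger-emotet.exe (and PSTools.zip / Sysmon.zip in the earlier hunks of the same file), and the neighbouring `Install sysmon` task installs what was fetched, yet nothing verifies the downloaded artefacts; the scheme and ownership of `{{ s3_url }}` are not visible here, so a tampered or stale object in that bucket, or a plain-http value, would silently run a different binary on the agent. Pin a SHA-256 per artefact and fail the task on mismatch, e.g. after the download `if ((Get-FileHash trigger-emotet.exe -Algorithm SHA256).Hash -ne '<pinned sha256>') { throw 'checksum mismatch' }`, or replace the `win_shell` download with `win_get_url` and its `checksum:` option. `{{ s3_url }}` is also interpolated unquoted into PowerShell, so quoting the `-Uri` argument keeps a value containing spaces or `&` from being parsed as extra arguments. The task list continues outside the hunk.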
@@ -13,13 +13,12 @@ - name: Download Alienvault IP set become: true - shell: > - curl https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/alienvault_reputation.ipset - -o /var/ossec/etc/lists/alienvault_reputation.ipset + shell: | + curl {{ s3_url }}ip_reputation/alienvault_reputation.ipset -o /var/ossec/etc/lists/alienvault_reputation.ipset - name: Download script to convert from ipset format to cdblist format become: true - shell: curl https://wazuh.com/resources/iplist-to-cdblist.py -o /tmp/iplist-to-cdblist.py + shell: curl {{ s3_url }}ip_reputation/iplist-to-cdblist.py -o /tmp/iplist-to-cdblist.py - name: Add the attacker IP to the list become: true From 36f28ae98c707f90d0999230f7ac0767030afcf6 Mon Sep 17 00:00:00 2001 From: Julia Date: Thu, 11 Aug 2022 12:48:26 +0200 Subject: [PATCH 346/552] add: Add reference to audit test --- tests/end_to_end/test_audit/test_audit.py | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/end_to_end/test_audit/test_audit.py b/tests/end_to_end/test_audit/test_audit.py index f1df35352d..740b16f1cd 100644 --- a/tests/end_to_end/test_audit/test_audit.py +++ b/tests/end_to_end/test_audit/test_audit.py @@ -29,6 +29,7 @@ references: - https://github.com/wazuh/wazuh-automation/wiki/Wazuh-demo:-Execution-guide#audit - https://documentation.wazuh.com/current/proof-of-concept-guide/audit-commands-run-by-user.html + - https://documentation.wazuh.com/current/learning-wazuh/audit-commands.html#learning-wazuh-audit-commands tags: - demo From 158553312115215000b873981aee4ad84d53c238 Mon Sep 17 00:00:00 2001 From: Julia Date: Thu, 11 Aug 2022 12:48:46 +0200 Subject: [PATCH 347/552] fix: Specify which command to run --- tests/end_to_end/test_audit/test_audit.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/test_audit/test_audit.py b/tests/end_to_end/test_audit/test_audit.py index 740b16f1cd..f2cf9b5026 100644 --- a/tests/end_to_end/test_audit/test_audit.py 
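Review bot: The two `curl` calls in the ip_reputation hunk run without `-f`, so an HTTP error body from `{{ s3_url }}` (for instance an S3 AccessDenied XML document) is written into `/var/ossec/etc/lists/alienvault_reputation.ipset` and `/tmp/iplist-to-cdblist.py` while the task still reports success; `curl -fsSL … -o …` makes the task fail instead. The converter script is also written to a fixed, world-writable `/tmp` path by a task running with `become: true`, and if it is later executed as root (not visible in this hunk) any local user who pre-creates that path controls what runs; a root-owned directory or a `tempfile`-created one, plus a pinned digest via Ansible's `get_url` `checksum:` option instead of `shell: curl`, would close both gaps. The play continues outside the hunk.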
+++ b/tests/end_to_end/test_audit/test_audit.py @@ -65,7 +65,7 @@ def test_audit(configure_environment, metadata, get_dashboard_credentials, gener test_phases: - Set a custom Wazuh configuration. - - Generate an event. + - Run ping command to generate event. - Check in the alerts.json log that the expected alert has been triggered and get its timestamp. - Check that the obtained alert from alerts.json has been indexed. From 8ed0f93dd529df890f93b58a02dd6700b3b5be1c Mon Sep 17 00:00:00 2001 From: Julia Date: Thu, 11 Aug 2022 12:55:56 +0200 Subject: [PATCH 348/552] add: Add AWS test documentation --- .../wazuh_testing/qa_docs/schema.yaml | 1 + .../test_aws_infrastructure_monitoring.py | 75 +++++++++++++++++++ 2 files changed, 76 insertions(+) diff --git a/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml b/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml index d26e224799..8d942ababd 100644 --- a/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml +++ b/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml @@ -56,6 +56,7 @@ predefined_values: - analysisd - api - authd + - aws_s3 - cluster - fim - gcloud diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py b/tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py index 32fe9f06d1..9b2fd0b0ec 100644 --- a/tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py +++ b/tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py 
@@ -1,3 +1,40 @@ +''' +copyright: Copyright (C) 2015-2022, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: end_to_end + +brief: This test will verify that the AWS-S3 module is working correctly.The AWS S3 wodle allows you to gather and parse + logs from multiple AWS services, such as Guard Duty, Macie, VPC Flow, etc. + +components: + - aws_s3 + +targets: + - manager + +daemons: + - wazuh-modulesd + - wazuh-analysisd + +os_platform: + - linux + +os_version: + - CentOS 8 + +references: + - https://github.com/wazuh/wazuh-automation/wiki/Wazuh-demo:-Execution-guide#aws + - https://documentation.wazuh.com/current/proof-of-concept-guide/aws-infrastructure-monitoring.html + - https://documentation.wazuh.com/current/amazon/index.html + +tags: + - demo + - aws +''' import os import json import re 
@@ -37,6 +74,44 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') def test_aws_infrastructure_monitoring(metadata, configure_environment, get_dashboard_credentials, generate_events, clean_alerts_index): + ''' + description: Check that an alert is generated and indexed when an event obtained from AWS services matches a rule. + + test_phases: + - Set a custom Wazuh configuration. + - Create a bucket to generate event. + - Check in the alerts.json log that the expected alert has been triggered and get its timestamp. + - Check that the obtained alert from alerts.json has been indexed. + + wazuh_min_version: 4.4.0 + + tier: 0 + + parameters: + - configurate_environment: + type: fixture + brief: Set the wazuh configuration according to the configuration playbook. + - metadata: + type: dict + brief: Wazuh configuration metadata. + - get_dashboard_credentials: + type: fixture + brief: Get the wazuh dashboard credentials. + - generate_events: + type: fixture + brief: Generate events that will trigger the alert according to the generate_events playbook. + - clean_alerts_index: + type: fixture + brief: Delete obtained alerts.json and alerts index. + + assertions: + - Verify that the alert has been triggered. + - Verify that the same alert has been indexed. + + input_description: + - The `configuration.yaml` file provides the module configuration for this test. + - The `generate_events.yaml`file provides the function configuration for this test. + ''' rule_description = metadata['rule.description'] rule_id = metadata['rule.id'] rule_level = metadata['rule.level'] From d243b0ab2c7d5cf3a82aa691c8ddd0838ff97ac1 Mon Sep 17 00:00:00 2001 From: Julia Date: Thu, 11 Aug 2022 13:03:19 +0200 Subject: [PATCH 349/552] rm: Delete AWS readme --- .../README.md | 37 ------------------- 1 file changed, 37 deletions(-) delete mode 100644 tests/end_to_end/test_aws_infrastructure_monitoring/README.md 
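Review bot: The `parameters` list in the new docstring documents a fixture named `configurate_environment`, but the signature shown in the hunk's context line takes `configure_environment`; the entry should read `- configure_environment:` so it names the fixture the test actually requests (the qa_docs schema touched in the same commit suggests these entries are parsed, so the mismatch is likely more than cosmetic — the parser itself is not visible here). The last `input_description` line is also missing a space in ``The `generate_events.yaml`file``. The function body continues outside the hunk.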
diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/README.md b/tests/end_to_end/test_aws_infrastructure_monitoring/README.md deleted file mode 100644 index 820754195a..0000000000 --- a/tests/end_to_end/test_aws_infrastructure_monitoring/README.md +++ /dev/null @@ -1,37 +0,0 @@ -## Description - -The `test_aws_infrastructure_monitoring.py` module checks if alerts are triggered in the manager when an event obtained -from AWS services matches a rule. - -## Global requirements - -- Python 3 installed in the managed node -- Credentials (access key ID and secret access key) of an IAM User with permissions to: - - Create S3 Buckets - - Get data from S3 Buckets - - Create and configure a Trail - -### Use case: CloudTrail - -**Preconditions**: -- Create and configure a Trail (you will create an S3 bucket in this process) -- Create an inventory as follows: - ``` - all: - hosts: - wazuh-manager: - ansible_connection: ssh - ansible_user: USER - ansible_password: PASSWORD - ansible_ssh_private_key_file: PATH_TO_PRIVATE_KEY - ansible_python_interpreter: /usr/bin/python - dashboard_user: WAZUH_DASHBOARD_USER - dashboard_password: WAZUH_DASHBOARD_PASS - vars: - bucket_name: S3_BUCKET_OF_THE_TRAIL - aws_region: S3_BUCKET_REGION - aws_access_key_id: IAM_USER_ACCESS_KEY_ID - aws_secret_access_key: IAM_USER_SECRET_ACCESS_KEY - ``` - -**How to run**: `python -m pytest -s tests/end_to_end/test_aws_infrastructure_monitoring/ --inventory_path ` From 23aefe8655657b9452bc534875103683dffc0944 Mon Sep 17 00:00:00 2001 From: Julia Date: Thu, 11 Aug 2022 13:26:13 +0200 Subject: [PATCH 350/552] add: Add suspicious binaries documentation --- .../test_detecting_suspicious_binaries.py | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) diff --git a/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py b/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py index 3c633e341b..a7de285054 100644 
--- a/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py +++ b/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py @@ -1,3 +1,42 @@ +''' +copyright: Copyright (C) 2015-2022, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: end_to_end + +brief: This test will verify that the anomaly and malware detection works correctly. Anomaly detection refers to the + action of finding patterns in the system that do not match the expected behavior. Once malware (e.g., a rootkit) + is installed on a system, it modifies the system to hide itself from the user. Although malware uses a variety of + techniques to accomplish this, Wazuh uses a broad spectrum approach to finding anomalous patterns that indicate + possible intruders. + +components: + - rootcheck + +targets: + - manager + +daemons: + - wazuh-syscheckd + - wazuh-analysisd + +os_platform: + - linux + +os_version: + - CentOS 8 + +references: + - https://github.com/wazuh/wazuh-automation/wiki/Wazuh-demo:-Execution-guide#trojan + - https://documentation.wazuh.com/current/proof-of-concept-guide/poc-detect-trojan.html + +tags: + - demo + - rootcheck +''' import os import json import re 
@@ -29,6 +68,44 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') def test_detecting_suspicious_binaries(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): + ''' + description: Check that an alert is generated and indexed when there is a trojaned system binary. + + test_phases: + - Set a custom Wazuh configuration. + - Replace the content of a system binary to generate event. + - Check in the alerts.json log that the expected alert has been triggered and get its timestamp. + - Check that the obtained alert from alerts.json has been indexed. + + wazuh_min_version: 4.4.0 + + tier: 0 + + parameters: + - configurate_environment: + type: fixture + brief: Set the wazuh configuration according to the configuration playbook. + - metadata: + type: dict + brief: Wazuh configuration metadata. + - get_dashboard_credentials: + type: fixture + brief: Get the wazuh dashboard credentials. + - generate_events: + type: fixture + brief: Generate events that will trigger the alert according to the generate_events playbook. + - clean_alerts_index: + type: fixture + brief: Delete obtained alerts.json and alerts index. + + assertions: + - Verify that the alert has been triggered. + - Verify that the same alert has been indexed. + + input_description: + - The `configuration.yaml` file provides the module configuration for this test. + - The `generate_events.yaml`file provides the function configuration for this test. + ''' rule_description = metadata['rule.description'] rule_id = metadata['rule.id'] rule_level = metadata['rule.level'] From db57f28ff1bfa99aab0a65c326768bb604aab06a Mon Sep 17 00:00:00 2001 From: Julia Date: Thu, 11 Aug 2022 13:37:14 +0200 Subject: [PATCH 351/552] add: Add Docker documentation --- .../wazuh_testing/qa_docs/schema.yaml | 2 + .../test_aws_infrastructure_monitoring.py | 4 +- .../test_docker_monitoring.py | 75 +++++++++++++++++++ 3 files changed, 79 insertions(+), 2 deletions(-) 
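Review bot: `configurate_environment` in the docstring's `parameters` list does not match the fixture name `configure_environment` in the signature shown as context in this hunk; rename the entry to `- configure_environment:`. The `test_phases` bullet would read better as `- Replace the content of a system binary to generate the event.`, and ``The `generate_events.yaml`file`` is missing a space. The function body continues outside the hunk.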
diff --git a/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml b/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml index 8d942ababd..1bc5713dba 100644 --- a/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml +++ b/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml @@ -58,6 +58,7 @@ predefined_values: - authd - aws_s3 - cluster + - docker_listener - fim - gcloud - github @@ -213,6 +214,7 @@ predefined_values: - demo - diff - disk_quota + - docker - dos_attack - download - enrollment diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py b/tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py index 9b2fd0b0ec..61f39ecbad 100644 --- a/tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py +++ b/tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py @@ -7,8 +7,8 @@ type: end_to_end -brief: This test will verify that the AWS-S3 module is working correctly.The AWS S3 wodle allows you to gather and parse - logs from multiple AWS services, such as Guard Duty, Macie, VPC Flow, etc. +brief: This test will verify that the AWS-S3 module is working correctly. The AWS S3 wodle allows you to gather and + parse logs from multiple AWS services, such as Guard Duty, Macie, VPC Flow, etc. components: - aws_s3 diff --git a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py index eb65293a5d..6e7ac81fbe 100644 --- a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py +++ b/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py 
@@ -1,3 +1,40 @@ +''' +copyright: Copyright (C) 2015-2022, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: end_to_end + +brief: This test will verify that the Docker module is working correctly. The Wazuh module for Docker is a subscriber to + the Docker Engine API that identifies security incidents across containers and alerts in real time. + +components: + - docker_listener + +targets: + - manager + +daemons: + - wazuh-modulesd + - wazuh-analysisd + +os_platform: + - linux + +os_version: + - CentOS 8 + +references: + - https://github.com/wazuh/wazuh-automation/wiki/Wazuh-demo:-Execution-guide#Docker + - https://documentation.wazuh.com/current/proof-of-concept-guide/monitoring-docker.html + - https://documentation.wazuh.com/current/container-security/docker-monitor/index.html#docker-monitor-index + +tags: + - demo + - docker +''' import os import json import re 
@@ -27,6 +64,44 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') def test_docker_monitoring(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): + ''' + description: Check that an alert is generated for Docker events. + + test_phases: + - Set a custom Wazuh configuration. + - Pull a Docker image, start the container, run a Docker command or delete the container. + - Check in the alerts.json log that the expected alert has been triggered and get its timestamp. + - Check that the obtained alert from alerts.json has been indexed. + + wazuh_min_version: 4.4.0 + + tier: 0 + + parameters: + - configurate_environment: + type: fixture + brief: Set the wazuh configuration according to the configuration playbook. + - metadata: + type: dict + brief: Wazuh configuration metadata. + - get_dashboard_credentials: + type: fixture + brief: Get the wazuh dashboard credentials. + - generate_events: + type: fixture + brief: Generate events that will trigger the alert according to the generate_events playbook. + - clean_alerts_index: + type: fixture + brief: Delete obtained alerts.json and alerts index. + + assertions: + - Verify that the alert has been triggered. + - Verify that the same alert has been indexed. + + input_description: + - The `configuration.yaml` file provides the module configuration for this test. + - The `generate_events.yaml`file provides the function configuration for this test. + ''' rule_description = metadata['rule.description'] rule_id = metadata['rule.id'] rule_level = metadata['rule.level'] From c87a903f03bf847d8901c1ee90553ea5cf4c832e Mon Sep 17 00:00:00 2001 
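Review bot: The docstring's `description` says only that an alert is generated for Docker events, but the `assertions` section and the body that follows (continuing outside the hunk) also check that the alert was indexed; `description: Check that an alert is generated and indexed for Docker events.` would state the full contract. As in the sibling tests, the `parameters` entry `configurate_environment` should be `configure_environment` to match the fixture in the signature, and ``The `generate_events.yaml`file`` is missing a space.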
From: Julia Date: Thu, 11 Aug 2022 13:56:29 +0200 Subject: [PATCH 352/552] add: Add Netcat documentation --- tests/end_to_end/test_netcat/test_netcat.py | 63 -------- .../data/playbooks/configuration.yaml | 0 .../data/playbooks/generate_events.yaml | 0 .../data/playbooks/teardown.yaml | 0 ...ses_unauthorized_processes_detection.yaml} | 4 +- .../test_unauthorized_processes_detection.py | 139 ++++++++++++++++++ 6 files changed, 141 insertions(+), 65 deletions(-) delete mode 100644 tests/end_to_end/test_netcat/test_netcat.py rename tests/end_to_end/{test_netcat => test_unauthorized_processes_detection}/data/playbooks/configuration.yaml (100%) rename tests/end_to_end/{test_netcat => test_unauthorized_processes_detection}/data/playbooks/generate_events.yaml (100%) rename tests/end_to_end/{test_netcat => test_unauthorized_processes_detection}/data/playbooks/teardown.yaml (100%) rename tests/end_to_end/{test_netcat/data/test_cases/cases_netcat.yaml => test_unauthorized_processes_detection/data/test_cases/cases_unauthorized_processes_detection.yaml} (79%) create mode 100644 tests/end_to_end/test_unauthorized_processes_detection/test_unauthorized_processes_detection.py diff --git a/tests/end_to_end/test_netcat/test_netcat.py b/tests/end_to_end/test_netcat/test_netcat.py deleted file mode 100644 index 23e4d785f1..0000000000 --- a/tests/end_to_end/test_netcat/test_netcat.py +++ /dev/null 
@@ -1,63 +0,0 @@ -import os -import json -import re -import pytest -from tempfile import gettempdir - -from wazuh_testing.tools import configuration as config -from wazuh_testing import end_to_end as e2e -from wazuh_testing import event_monitor as evm - -# Test cases data -alerts_json = os.path.join(gettempdir(), 'alerts.json') -test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') -test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_netcat.yaml') - -# Playbooks -configuration_playbooks = ['configuration.yaml'] -events_playbooks = ['generate_events.yaml'] -teardown_playbooks = ['teardown.yaml'] - -# Configuration -configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) - - -@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_netcat(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): - rule_level = metadata['rule.level'] - rule_description = metadata['rule.description'] - rule_id = metadata['rule.id'] - - expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{rule_level},' \ - fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' - - expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \ - fr'.*"id": "{rule_id}".*' \ - r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' - - # Check that alert has been raised and save timestamp - raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - error_message='The alert has not occurred').result() - raised_alert_timestamp = raised_alert.group(1) - - query = e2e.make_query([ - { - "term": { - "rule.id": f"{rule_id}" - } - }, - { - "term": { - "timestamp": f"{raised_alert_timestamp}" - } - } - ]) - - # Check if the alert has been indexed and 
get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) - indexed_alert = json.dumps(response.json()) - - # Check that the alert data is the expected one - alert_data = re.search(expected_indexed_alert, indexed_alert) - assert alert_data is not None, 'Alert triggered, but not indexed' diff --git a/tests/end_to_end/test_netcat/data/playbooks/configuration.yaml b/tests/end_to_end/test_unauthorized_processes_detection/data/playbooks/configuration.yaml similarity index 100% rename from tests/end_to_end/test_netcat/data/playbooks/configuration.yaml rename to tests/end_to_end/test_unauthorized_processes_detection/data/playbooks/configuration.yaml diff --git a/tests/end_to_end/test_netcat/data/playbooks/generate_events.yaml b/tests/end_to_end/test_unauthorized_processes_detection/data/playbooks/generate_events.yaml similarity index 100% rename from tests/end_to_end/test_netcat/data/playbooks/generate_events.yaml rename to tests/end_to_end/test_unauthorized_processes_detection/data/playbooks/generate_events.yaml diff --git a/tests/end_to_end/test_netcat/data/playbooks/teardown.yaml b/tests/end_to_end/test_unauthorized_processes_detection/data/playbooks/teardown.yaml similarity index 100% rename from tests/end_to_end/test_netcat/data/playbooks/teardown.yaml rename to tests/end_to_end/test_unauthorized_processes_detection/data/playbooks/teardown.yaml diff --git a/tests/end_to_end/test_netcat/data/test_cases/cases_netcat.yaml b/tests/end_to_end/test_unauthorized_processes_detection/data/test_cases/cases_unauthorized_processes_detection.yaml similarity index 79% rename from tests/end_to_end/test_netcat/data/test_cases/cases_netcat.yaml rename to tests/end_to_end/test_unauthorized_processes_detection/data/test_cases/cases_unauthorized_processes_detection.yaml index e84915df00..49370794ba 100644 --- a/tests/end_to_end/test_netcat/data/test_cases/cases_netcat.yaml 
+++ b/tests/end_to_end/test_unauthorized_processes_detection/data/test_cases/cases_unauthorized_processes_detection.yaml @@ -1,5 +1,5 @@ -- name: Netcat - description: Detecting unauthorized processes +- name: netcat + description: Detect if Netcat is running configuration_parameters: null metadata: extra_vars: diff --git a/tests/end_to_end/test_unauthorized_processes_detection/test_unauthorized_processes_detection.py b/tests/end_to_end/test_unauthorized_processes_detection/test_unauthorized_processes_detection.py new file mode 100644 index 0000000000..d4da0abe02 --- /dev/null +++ b/tests/end_to_end/test_unauthorized_processes_detection/test_unauthorized_processes_detection.py 
@@ -0,0 +1,139 @@ +''' +copyright: Copyright (C) 2015-2022, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: end_to_end + +brief: This test will verify that the command monitoring capability to detect unauthorized processes is working + correctly. Netcat is a computer networking utility that functions as a back-end tool that allows for port + scanning and port listening. + +components: + - logcollector + +targets: + - manager + +daemons: + - wazuh-logcolletor + - wazuh-analysisd + +os_platform: + - linux + +os_version: + - CentOS 8 + +references: + - https://github.com/wazuh/wazuh-automation/wiki/Wazuh-demo:-Execution-guide#netcat + - https://documentation.wazuh.com/current/proof-of-concept-guide/detect-unauthorized-processes-netcat.html + +tags: + - demo + - logcollector_cmd_exec +''' +import os +import json +import re +import pytest +from tempfile import gettempdir + +from wazuh_testing.tools import configuration as config +from wazuh_testing import end_to_end as e2e +from wazuh_testing import event_monitor as evm + +# Test cases data +alerts_json = os.path.join(gettempdir(), 'alerts.json') +test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') +test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_netcat.yaml') + +# Playbooks +configuration_playbooks = ['configuration.yaml'] +events_playbooks = ['generate_events.yaml'] +teardown_playbooks = ['teardown.yaml'] + +# Configuration +configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) + + +@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') +@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) +def test_unauthorized_processes_detection(configure_environment, metadata, get_dashboard_credentials, generate_events, + clean_alerts_index): + ''' + description: Check that an 
alert is generated if an unauthorized process is running. + + test_phases: + - Set a custom Wazuh configuration. + - Run netcat command to generate the event. + - Check in the alerts.json log that the expected alert has been triggered and get its timestamp. + - Check that the obtained alert from alerts.json has been indexed. + + wazuh_min_version: 4.4.0 + + tier: 0 + + parameters: + - configurate_environment: + type: fixture + brief: Set the wazuh configuration according to the configuration playbook. + - metadata: + type: dict + brief: Wazuh configuration metadata. + - get_dashboard_credentials: + type: fixture + brief: Get the wazuh dashboard credentials. + - generate_events: + type: fixture + brief: Generate events that will trigger the alert according to the generate_events playbook. + - clean_alerts_index: + type: fixture + brief: Delete obtained alerts.json and alerts index. + + assertions: + - Verify that the alert has been triggered. + - Verify that the same alert has been indexed. + + input_description: + - The `configuration.yaml` file provides the module configuration for this test. + - The `generate_events.yaml`file provides the function configuration for this test. 
+ ''' + rule_level = metadata['rule.level'] + rule_description = metadata['rule.description'] + rule_id = metadata['rule.id'] + + expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{rule_level},' \ + fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' + + expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \ + fr'.*"id": "{rule_id}".*' \ + r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' + + # Check that alert has been raised and save timestamp + raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + error_message='The alert has not occurred').result() + raised_alert_timestamp = raised_alert.group(1) + + query = e2e.make_query([ + { + "term": { + "rule.id": f"{rule_id}" + } + }, + { + "term": { + "timestamp": f"{raised_alert_timestamp}" + } + } + ]) + + # Check if the alert has been indexed and get its data + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + indexed_alert = json.dumps(response.json()) + + # Check that the alert data is the expected one + alert_data = re.search(expected_indexed_alert, indexed_alert) + assert alert_data is not None, 'Alert triggered, but not indexed' From 5fefe6d2482efa2880ade06207e899c15246e0d9 Mon Sep 17 00:00:00 2001 From: Julia Date: Thu, 11 Aug 2022 14:09:12 +0200 Subject: [PATCH 353/552] fix: Add `/` to URL --- .../test_ip_reputation/data/playbooks/configuration.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/end_to_end/test_ip_reputation/data/playbooks/configuration.yaml b/tests/end_to_end/test_ip_reputation/data/playbooks/configuration.yaml index bc507c6767..25b0c0cd4f 100644 --- a/tests/end_to_end/test_ip_reputation/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_ip_reputation/data/playbooks/configuration.yaml 
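Review bot: `test_cases_file_path` in the new module still points at `'cases_netcat.yaml'`, but this same commit renames that file to `cases_unauthorized_processes_detection.yaml`, so `config.get_test_cases_data` will fail at collection time with a missing file; change it to `test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_unauthorized_processes_detection.yaml')`. The `daemons` entry `wazuh-logcolletor` is misspelled (`wazuh-logcollector`), and `configurate_environment` in the docstring's parameters does not match the fixture `configure_environment` in the signature. `rule_description` is interpolated into both regexes unescaped, so a description containing `.`, `(` or `+` would match too loosely or break the pattern; use `re.escape(rule_description)` at both sites to keep the match literal.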
@@ -14,11 +14,11 @@ - name: Download Alienvault IP set become: true shell: | - curl {{ s3_url }}ip_reputation/alienvault_reputation.ipset -o /var/ossec/etc/lists/alienvault_reputation.ipset + curl {{ s3_url }}/ip_reputation/alienvault_reputation.ipset -o /var/ossec/etc/lists/alienvault_reputation.ipset - name: Download script to convert from ipset format to cdblist format become: true - shell: curl {{ s3_url }}ip_reputation/iplist-to-cdblist.py -o /tmp/iplist-to-cdblist.py + shell: curl {{ s3_url }}/ip_reputation/iplist-to-cdblist.py -o /tmp/iplist-to-cdblist.py - name: Add the attacker IP to the list become: true From 0ffb6fc48bd4888274bcc0884df01cbdbc477e7f Mon Sep 17 00:00:00 2001 From: Julia Date: Thu, 11 Aug 2022 14:10:37 +0200 Subject: [PATCH 354/552] fix: Add `/` to URL --- .../test_emotet/data/playbooks/configuration.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/end_to_end/test_emotet/data/playbooks/configuration.yaml b/tests/end_to_end/test_emotet/data/playbooks/configuration.yaml index ef2c4d938a..c50589b9b4 100644 --- a/tests/end_to_end/test_emotet/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_emotet/data/playbooks/configuration.yaml @@ -22,7 +22,7 @@ - name: Download PSTools win_shell: | Set-Location C:\temp - Invoke-WebRequest -Uri {{ s3_url }}emotet/PSTools.zip -Outfile PSTools.zip + Invoke-WebRequest -Uri {{ s3_url }}/emotet/PSTools.zip -Outfile PSTools.zip - name: Unzip PSTools win_shell: | @@ -37,7 +37,7 @@ - name: Download sysmon win_shell: | Set-Location C:\temp - Invoke-WebRequest -Uri {{ s3_url }}emotet/Sysmon.zip -Outfile Sysmon.zip + Invoke-WebRequest -Uri {{ s3_url }}/emotet/Sysmon.zip -Outfile Sysmon.zip - name: Unzip sysmon win_shell: | 
@@ -46,7 +46,7 @@
 - name: Download Sysmon configuration file
 win_shell: |
 Set-Location C:\temp\Sysmon
- Invoke-WebRequest -Uri {{ s3_url }}emotet/sysconfig.xml -Outfile sysconfig.xml
+ Invoke-WebRequest -Uri {{ s3_url }}/emotet/sysconfig.xml -Outfile sysconfig.xml
 - name: Install sysmon
 win_shell: |
@@ -66,7 +66,7 @@
 - name: Download trigger_emotet.exe
 win_shell: |
 Set-Location C:\temp
- Invoke-WebRequest -Uri {{ s3_url }}emotet/trigger-emotet.exe -Outfile trigger-emotet.exe
+ Invoke-WebRequest -Uri {{ s3_url }}/emotet/trigger-emotet.exe -Outfile trigger-emotet.exe
 - name: Restart wazuh-agent (Windows)
 win_shell: |
From 5df088a2e5e1bdf9ef57937c90e27d504f6f9c5b Mon Sep 17 00:00:00 2001 From: Julia Date: Thu, 11 Aug 2022 14:33:00 +0200 Subject: [PATCH 355/552] add: Add Osquery documentation
---
.../wazuh_testing/qa_docs/schema.yaml | 2 + .../test_osquery_integration.py | 76 +++++++++++++++++++ 2 files changed, 78 insertions(+)
diff --git a/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml b/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml
index 1bc5713dba..81b050c51a 100644
--- a/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml
+++ b/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml
@@ -65,6 +65,7 @@ predefined_values:
 - logcollector
 - logtest
 - office365
+ - osquery
 - remoted
 - rids
 - rootcheck
@@ -321,6 +322,7 @@ predefined_values:
 - nvd
 - office365
 - on_start
+ - osquery
 - oval
 - prelink
 - providers
diff --git a/tests/end_to_end/test_osquery_integration/test_osquery_integration.py b/tests/end_to_end/test_osquery_integration/test_osquery_integration.py
index 3fa1906a84..43e9810fba 100644
--- a/tests/end_to_end/test_osquery_integration/test_osquery_integration.py
+++ b/tests/end_to_end/test_osquery_integration/test_osquery_integration.py
@@ -1,3 +1,41 @@
+'''
+copyright: Copyright (C) 2015-2022, Wazuh Inc.
+
+ Created by Wazuh, Inc. .
+
+ This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: end_to_end
+
+brief: This test will verify that the Osquery integration is working correctly. This integration can be helpful for
+ telemetry and threat hinging. Osquery can be used to expose an operating system as a high-performance relational
+ database. This allows you to write SQL-based queries to explore operating system data.
+
+components:
+ - osquery
+
+targets:
+ - manager
+
+daemons:
+ - wazuh-modulesd
+ - wazuh-analysisd
+
+os_platform:
+ - linux
+
+os_version:
+ - CentOS 8
+
+references:
+ - https://github.com/wazuh/wazuh-automation/wiki/Wazuh-demo:-Execution-guide#osquery
+ - https://documentation.wazuh.com/current/proof-of-concept-guide/integrate-osquery.html
+ - https://documentation.wazuh.com/current/user-manual/capabilities/osquery.html#osquery
+
+tags:
+ - demo
+ - osquery
+'''
 import os
 import json
 import re
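Review bot: `telemetry and threat hinging` in the added `brief:` block is a typo for `telemetry and threat hunting`, the term used by the osquery documentation the references point to. The line `Created by Wazuh, Inc. .` reads as if a contact address between `Inc.` and the final period was dropped; every module docstring added in this series carries the same line, so if an address is intended it should be restored in all of them.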
@@ -25,6 +63,44 @@ @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) def test_osquery_integration(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): + ''' + description: Check that an alert is generated when the host is stressed. + + test_phases: + - Set a custom Wazuh configuration. + - Run stress command to generate the event. + - Check in the alerts.json log that the expected alert has been triggered and get its timestamp. + - Check that the obtained alert from alerts.json has been indexed. + + wazuh_min_version: 4.4.0 + + tier: 0 + + parameters: + - configurate_environment: + type: fixture + brief: Set the wazuh configuration according to the configuration playbook. + - metadata: + type: dict + brief: Wazuh configuration metadata. + - get_dashboard_credentials: + type: fixture + brief: Get the wazuh dashboard credentials. + - generate_events: + type: fixture + brief: Generate events that will trigger the alert according to the generate_events playbook. + - clean_alerts_index: + type: fixture + brief: Delete obtained alerts.json and alerts index. + + assertions: + - Verify that the alert has been triggered. + - Verify that the same alert has been indexed. + + input_description: + - The `configuration.yaml` file provides the module configuration for this test. + - The `generate_events.yaml`file provides the function configuration for this test. + ''' rule_level = metadata['rule.level'] rule_description = metadata['rule.description'] rule_id = metadata['rule.id'] From b7d1ff8fa9944efff74490f161c1f4b45bfc0db6 Mon Sep 17 00:00:00 2001 From: Julia Date: Fri, 12 Aug 2022 10:43:16 +0200 Subject: [PATCH 356/552] add: Add Shellshock documentation --- .../wazuh_testing/qa_docs/schema.yaml | 1 + .../test_shellshock_attack_detection.py | 78 +++++++++++++++++++ 2 files changed, 79 insertions(+) 
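Review bot: The `description:` and the second `test_phases` entry in the added docstring (`Check that an alert is generated when the host is stressed.` and `Run stress command to generate the event.`) describe a stress test rather than the osquery integration; commit 357 later in this series corrects the same copied wording for the shellshock test but not for this file. The parameters block documents `configurate_environment` while the signature on the context line takes `configure_environment`, so the generated qa_docs entry will not match the fixture; the same mismatch is in the function docstrings added for test_shellshock_attack_detection, test_sql_injection, test_emotet, test_ip_reputation, test_slack_integration and test_suricata_integration. In each of those blocks `The \`generate_events.yaml\`file` also lacks the space after the closing backtick.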
diff --git a/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml b/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml
index 81b050c51a..3adb099e34 100644
--- a/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml
+++ b/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml
@@ -344,6 +344,7 @@ predefined_values:
 - session_error
 - session_limit
 - settings
+ - shellshock
 - simulator
 - ssl
 - stats_file
diff --git a/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py b/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py
index 6d2795e752..b05c848c27 100644
--- a/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py
+++ b/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py
@@ -1,3 +1,43 @@ +''' +copyright: Copyright (C) 2015-2022, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: end_to_end + +brief: This test will verify that a shellshock attack is detected correctly. Shellshock represents a family of + vulnerabilities disclosed in late 2014 involving the Linux Bash shell. These vulnerabilities made it possible to + inject shell commands via maliciously crafted web requests sent to Linux web servers. The pattern in such web + requests is quite distinctive, and any instance of your servers being probed with Shellshock requests are fairly + strong indicators of malicious probing worthy of automated countermeasures. + +components: + - logcollector + +targets: + - manager + +daemons: + - wazuh-logcollector + - wazuh-analysisd + +os_platform: + - linux + +os_version: + - CentOS 8 + +references: + - https://github.com/wazuh/wazuh-automation/wiki/Wazuh-demo:-Execution-guide#shellshock + - https://documentation.wazuh.com/current/proof-of-concept-guide/detect-web-attack-shellshock.html + - https://documentation.wazuh.com/current/learning-wazuh/shellshock.html#learning-wazuh-shellshock + +tags: + - demo + - shellshock +''' import os import json import re 
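Review bot: The last sentence of the added `brief:` does not agree in number: `any instance of your servers being probed with Shellshock requests are fairly strong indicators` should read `any instance of your servers being probed with Shellshock requests is a fairly strong indicator`. The remaining blocks follow the layout of the osquery docstring added in the previous commit.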
@@ -23,6 +63,44 @@ @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) def test_shellshock_attack_detection(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): + ''' + description: Check that an alert is generated when the host is stressed. + + test_phases: + - Set a custom Wazuh configuration. + - Execute a request to the web server to generate the event. + - Check in the alerts.json log that the expected alert has been triggered and get its timestamp. + - Check that the obtained alert from alerts.json has been indexed. + + wazuh_min_version: 4.4.0 + + tier: 0 + + parameters: + - configurate_environment: + type: fixture + brief: Set the wazuh configuration according to the configuration playbook. + - metadata: + type: dict + brief: Wazuh configuration metadata. + - get_dashboard_credentials: + type: fixture + brief: Get the wazuh dashboard credentials. + - generate_events: + type: fixture + brief: Generate events that will trigger the alert according to the generate_events playbook. + - clean_alerts_index: + type: fixture + brief: Delete obtained alerts.json and alerts index. + + assertions: + - Verify that the alert has been triggered. + - Verify that the same alert has been indexed. + + input_description: + - The `configuration.yaml` file provides the module configuration for this test. + - The `generate_events.yaml`file provides the function configuration for this test. + ''' rule_level = metadata['rule.level'] rule_description = metadata['rule.description'] rule_id = metadata['rule.id'] From 95a474264531ec5d702dedb311f8c194696d49d6 Mon Sep 17 00:00:00 2001 From: Julia Date: Fri, 12 Aug 2022 11:10:24 +0200 Subject: [PATCH 357/552] fix: Change shellshock description --- .../test_shellshock_attack_detection.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py b/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py index b05c848c27..f27d6f4c74 100644 --- a/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py +++ b/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py @@ -64,7 +64,7 @@ def test_shellshock_attack_detection(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): ''' - description: Check that an alert is generated when the host is stressed. + description: Check that an alert is generated when a shellshock attack is performed. test_phases: - Set a custom Wazuh configuration. From 984d4ad8e23a4215fdf7a2eda588670865d878f7 Mon Sep 17 00:00:00 2001 From: Julia Date: Fri, 12 Aug 2022 11:16:15 +0200 Subject: [PATCH 358/552] add: Add SQL injection documentation --- .../wazuh_testing/qa_docs/schema.yaml | 1 + .../test_sql_injection/test_sql_injection.py | 78 ++++++++++++++++++- 2 files changed, 76 insertions(+), 3 deletions(-) diff --git a/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml b/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml index 3adb099e34..d165d51c0f 100644 --- a/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml +++ b/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml @@ -346,6 +346,7 @@ predefined_values: - settings - shellshock - simulator + - sql_injection - ssl - stats_file - system_inventory diff --git a/tests/end_to_end/test_sql_injection/test_sql_injection.py b/tests/end_to_end/test_sql_injection/test_sql_injection.py index 1c3f0a39ff..355988d0aa 100644 --- a/tests/end_to_end/test_sql_injection/test_sql_injection.py +++ b/tests/end_to_end/test_sql_injection/test_sql_injection.py 
@@ -1,3 +1,40 @@ +''' +copyright: Copyright (C) 2015-2022, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: end_to_end + +brief: This test will verify that a SQL injection attack is detected correctly. Wazuh is able to detect an SQL Injection + attack from web server logs showing patterns like select, union, and other common SQL patterns of attack in a + monitored endpoint. + +components: + - logcollector + +targets: + - manager + - agent + +daemons: + - wazuh-logcollector + - wazuh-analysisd + +os_platform: + - linux + +os_version: + - CentOS 8 + +references: + - https://github.com/wazuh/wazuh-automation/wiki/Wazuh-demo:-Execution-guide#sql_injection + - https://documentation.wazuh.com/current/proof-of-concept-guide/detect-web-attack-sql-injection.html +tags: + - demo + - sql_injection +''' import os import json import re 
@@ -22,9 +59,44 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) def test_sql_injection(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): - """ - Test to detect a SQL injection attack - """ + ''' + description: Check that an alert is generated when a SQL injection attack is performed. + + test_phases: + - Set a custom Wazuh configuration. + - Execute a request to the web server to generate the event. + - Check in the alerts.json log that the expected alert has been triggered and get its timestamp. + - Check that the obtained alert from alerts.json has been indexed. + + wazuh_min_version: 4.4.0 + + tier: 0 + + parameters: + - configurate_environment: + type: fixture + brief: Set the wazuh configuration according to the configuration playbook. + - metadata: + type: dict + brief: Wazuh configuration metadata. + - get_dashboard_credentials: + type: fixture + brief: Get the wazuh dashboard credentials. + - generate_events: + type: fixture + brief: Generate events that will trigger the alert according to the generate_events playbook. + - clean_alerts_index: + type: fixture + brief: Delete obtained alerts.json and alerts index. + + assertions: + - Verify that the alert has been triggered. + - Verify that the same alert has been indexed. + + input_description: + - The `configuration.yaml` file provides the module configuration for this test. + - The `generate_events.yaml`file provides the function configuration for this test. + ''' rule_id = metadata['rule.id'] rule_level = metadata['rule.level'] rule_description = metadata['rule.description'] From 8bedc526e387e84859eae481f1aee1e459c2c668 Mon Sep 17 00:00:00 2001 
From: Julia Date: Fri, 12 Aug 2022 11:37:44 +0200 Subject: [PATCH 359/552] add: Add Emotet documentation --- .../wazuh_testing/qa_docs/schema.yaml | 2 + tests/end_to_end/test_emotet/test_emotet.py | 80 ++++++++++++++++++- 2 files changed, 79 insertions(+), 3 deletions(-) diff --git a/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml b/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml index d165d51c0f..1f0e80818d 100644 --- a/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml +++ b/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml @@ -218,6 +218,7 @@ predefined_values: - docker - dos_attack - download + - emotet - enrollment - errors - events @@ -349,6 +350,7 @@ predefined_values: - sql_injection - ssl - stats_file + - sysmon - system_inventory - time_travel - token diff --git a/tests/end_to_end/test_emotet/test_emotet.py b/tests/end_to_end/test_emotet/test_emotet.py index 74f074f8d0..ef891122f1 100644 --- a/tests/end_to_end/test_emotet/test_emotet.py +++ b/tests/end_to_end/test_emotet/test_emotet.py @@ -1,3 +1,42 @@ +''' +copyright: Copyright (C) 2015-2022, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: end_to_end + +brief: This test will verify that a Sysmon events are detected correctly. Sysmon monitors system activity as + process creation and termination, network connection and file changes. + +components: + - logcollector + +targets: + - manager + - agent + +daemons: + - wazuh-logcollector + - wazuh-analysisd + +os_platform: + - linux + - windows + +os_version: + - CentOS 8 + - Windows Server 2019 + +references: + - https://github.com/wazuh/wazuh-automation/wiki/Wazuh-demo:-Execution-guide#emotet + - https://wazuh.com/blog/learn-to-detect-threats-on-windows-by-monitoring-sysmon-events/ +tags: + - demo + - sysmon + - emotet +''' import json import os import re 
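Review bot: `This test will verify that a Sysmon events are detected correctly.` in the added `brief:` has a stray article and should read `that Sysmon events are detected correctly`; the brief also never mentions Emotet, although the module name, the `emotet` tag and the referenced guide are about detecting that threat through Sysmon events, so one sentence connecting the two would help. `references:` runs straight into `tags:` without the blank line the other module docstrings in this series keep between blocks.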
@@ -23,9 +62,44 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) def test_emotet(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): - """ - Test to detect an emotet attack - """ + ''' + description: Check that an alert is generated when Emotet malware is executed. + + test_phases: + - Set a custom Wazuh configuration. + - Execute Emotet malware to generate the event. + - Check in the alerts.json log that the expected alert has been triggered and get its timestamp. + - Check that the obtained alert from alerts.json has been indexed. + + wazuh_min_version: 4.4.0 + + tier: 0 + + parameters: + - configurate_environment: + type: fixture + brief: Set the wazuh configuration according to the configuration playbook. + - metadata: + type: dict + brief: Wazuh configuration metadata. + - get_dashboard_credentials: + type: fixture + brief: Get the wazuh dashboard credentials. + - generate_events: + type: fixture + brief: Generate events that will trigger the alert according to the generate_events playbook. + - clean_alerts_index: + type: fixture + brief: Delete obtained alerts.json and alerts index. + + assertions: + - Verify that the alert has been triggered. + - Verify that the same alert has been indexed. + + input_description: + - The `configuration.yaml` file provides the module configuration for this test. + - The `generate_events.yaml`file provides the function configuration for this test. + ''' regsvr32_alert = metadata['regsvr32'] word_executing_script_alert = metadata['word_executing_script'] expected_alerts = [regsvr32_alert, word_executing_script_alert] From d9d1f469b38db12ea0ce32c6f2bb53d89d27890e Mon Sep 17 00:00:00 2001 
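Review bot: The `test_phases` entry `Execute Emotet malware to generate the event.` should state what is actually run: the configuration playbook in commit 354 downloads `trigger-emotet.exe`, which reads like a trigger binary rather than a live sample, and if so the phase should say `Run trigger-emotet.exe to generate the Sysmon events.` so readers do not assume live malware is detonated on the Windows agent. The `assertions` block refers to `the alert`, but the body directly below builds `expected_alerts = [regsvr32_alert, word_executing_script_alert]`, so both the regsvr32 alert and the Word-executing-script alert are checked and both should be listed.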
From: Julia Date: Fri, 12 Aug 2022 12:06:23 +0200 Subject: [PATCH 360/552] add: Add IP Reputation documentation --- .../wazuh_testing/qa_docs/schema.yaml | 2 + .../test_ip_reputation/test_ip_reputation.py | 80 ++++++++++++++++++- 2 files changed, 79 insertions(+), 3 deletions(-) diff --git a/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml b/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml index 1f0e80818d..d93177ca33 100644 --- a/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml +++ b/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml @@ -286,9 +286,11 @@ predefined_values: - interval - invalid - invalid_settings + - ip_reputation - keys - key_polling - limits + - lists - logcollector - logcollector_location - logcollector_log_format diff --git a/tests/end_to_end/test_ip_reputation/test_ip_reputation.py b/tests/end_to_end/test_ip_reputation/test_ip_reputation.py index 073932012d..41ef344c67 100644 --- a/tests/end_to_end/test_ip_reputation/test_ip_reputation.py +++ b/tests/end_to_end/test_ip_reputation/test_ip_reputation.py @@ -1,3 +1,43 @@ +''' +copyright: Copyright (C) 2015-2022, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: end_to_end + +brief: This test will verify that the use of lists in the rules and active response works correctly. + +components: + - logcollector + - active_response + +targets: + - manager + - agent + +daemons: + - wazuh-logcollector + - wazuh-execd + - wazuh-analysisd + +os_platform: + - linux + - windows + +os_version: + - CentOS 8 + - Windows Server 2019 + +references: + - https://github.com/wazuh/wazuh-automation/wiki/Wazuh-demo:-Execution-guide#ip_reputation + - https://documentation.wazuh.com/current/proof-of-concept-guide/block-malicious-actor-ip-reputation.html +tags: + - demo + - ip_reputation + - lists +''' import os import json import re 
@@ -22,10 +62,44 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) def test_ip_reputation(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): - """ - Test to detect a IP Reputation - """ + ''' + description: Check that alerts are generated when accessing the web server with an ip with a bad reputation. + + test_phases: + - Set a custom Wazuh configuration. + - Execute a request to the web server to generate the event. + - Check in the alerts.json log that the expected alert has been triggered and get its timestamp. + - Check that the obtained alert from alerts.json has been indexed. + + wazuh_min_version: 4.4.0 + + tier: 0 + + parameters: + - configurate_environment: + type: fixture + brief: Set the wazuh configuration according to the configuration playbook. + - metadata: + type: dict + brief: Wazuh configuration metadata. + - get_dashboard_credentials: + type: fixture + brief: Get the wazuh dashboard credentials. + - generate_events: + type: fixture + brief: Generate events that will trigger the alert according to the generate_events playbook. + - clean_alerts_index: + type: fixture + brief: Delete obtained alerts.json and alerts index. + + assertions: + - Verify that the alert has been triggered. + - Verify that the same alert has been indexed. + input_description: + - The `configuration.yaml` file provides the module configuration for this test. + - The `generate_events.yaml`file provides the function configuration for this test. + ''' malicious_ip_alert = metadata['malicious_ip'] active_response_alert = metadata['active_response'] expected_alerts = [malicious_ip_alert, active_response_alert] From 4765d72f8cfc1932cef59044ec3b710059fd363a Mon Sep 17 00:00:00 2001 
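Review bot: The `assertions` block in the added docstring lists a single alert, but the body directly below builds `expected_alerts = [malicious_ip_alert, active_response_alert]`, so the docstring should state that both the malicious-IP alert and the active-response alert are checked in alerts.json and in the index. `with an ip with a bad reputation` should read `with an IP with a bad reputation`, and the blank line between the `assertions` block and `input_description:` that the other docstrings in this series keep is missing here.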
From: Julia Date: Fri, 12 Aug 2022 12:20:32 +0200 Subject: [PATCH 361/552] add: Add Slack documentation --- .../wazuh_testing/qa_docs/schema.yaml | 3 + .../test_slack_integration.py | 81 +++++++++++++++++++ 2 files changed, 84 insertions(+) diff --git a/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml b/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml index d93177ca33..8321842c00 100644 --- a/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml +++ b/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml @@ -62,6 +62,7 @@ predefined_values: - fim - gcloud - github + - integration - logcollector - logtest - office365 @@ -282,6 +283,7 @@ predefined_values: - github - github_configuration - inactivity + - integration - integrity - interval - invalid @@ -349,6 +351,7 @@ predefined_values: - settings - shellshock - simulator + - slack - sql_injection - ssl - stats_file diff --git a/tests/end_to_end/test_slack_integration/test_slack_integration.py b/tests/end_to_end/test_slack_integration/test_slack_integration.py index d4ae6acd8a..e81220fcba 100644 --- a/tests/end_to_end/test_slack_integration/test_slack_integration.py +++ b/tests/end_to_end/test_slack_integration/test_slack_integration.py 
@@ -1,3 +1,41 @@ +''' +copyright: Copyright (C) 2015-2022, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: end_to_end + +brief: This test will verify that the Slack integeration works correctly. This integration allows reporting alerts + through messages sent to Slack. + +components: + - logcollector + - integration + +targets: + - manager + +daemons: + - wazuh-logcollector + - wazuh-integratord + - wazuh-analysisd + +os_platform: + - linux + +os_version: + - CentOS 8 + +references: + - https://github.com/wazuh/wazuh-automation/wiki/Wazuh-demo:-Execution-guide#slack + - https://documentation.wazuh.com/current/proof-of-concept-guide/poc-integrate-slack.html +tags: + - demo + - slack + - integration +''' import os import json import re 
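Review bot: `Slack integeration` in the added `brief:` is a typo for `Slack integration`. In the function docstring hunk that follows, the `remove_slack_log` fixture is described as `Deleted obtained Slack log.`; the other fixture briefs use the imperative, so it should read `Delete obtained Slack log.`.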
@@ -46,6 +84,49 @@ def remove_slack_log(): @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') def test_slack_integration(metadata, configure_environment, get_dashboard_credentials, generate_events, remove_slack_log, clean_alerts_index): + ''' + description: Check that an alert is generated and sent to Slack. + + test_phases: + - Set a custom Wazuh configuration. + - Execute a brute force attack to generate the event. + - Check in the alerts.json log that the expected alert has been triggered and get its timestamp. + - Check that the obtained alert from alerts.json has been indexed. + - Check that the alert was sent to Slack. + + wazuh_min_version: 4.4.0 + + tier: 0 + + parameters: + - configurate_environment: + type: fixture + brief: Set the wazuh configuration according to the configuration playbook. + - metadata: + type: dict + brief: Wazuh configuration metadata. + - get_dashboard_credentials: + type: fixture + brief: Get the wazuh dashboard credentials. + - generate_events: + type: fixture + brief: Generate events that will trigger the alert according to the generate_events playbook. + - remove_slack_log: + type: fixture + brief: Deleted obtained Slack log. + - clean_alerts_index: + type: fixture + brief: Delete obtained alerts.json and alerts index. + + assertions: + - Verify that the alert has been triggered. + - Verify that the same alert has been indexed. + - Verify that the same alert was sent to Slack. + + input_description: + - The `configuration.yaml` file provides the module configuration for this test. + - The `generate_events.yaml`file provides the function configuration for this test. + ''' rule_description = metadata['rule.description'] rule_id = metadata['rule.id'] rule_level = metadata['rule.level'] From 7d0af1a117fee449fd34994a6e2134c5eb466b7b Mon Sep 17 00:00:00 2001 
From: Julia Date: Fri, 12 Aug 2022 12:35:12 +0200 Subject: [PATCH 362/552] add: Add Suricata documentation --- .../wazuh_testing/qa_docs/schema.yaml | 2 + .../test_suricata_integration.py | 78 +++++++++++++++++++ 2 files changed, 80 insertions(+) diff --git a/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml b/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml index 8321842c00..0daf4c71b4 100644 --- a/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml +++ b/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml @@ -324,6 +324,7 @@ predefined_values: - mitre - msu - msu_feeds + - nids - nvd - office365 - on_start @@ -355,6 +356,7 @@ predefined_values: - sql_injection - ssl - stats_file + - suricata - sysmon - system_inventory - time_travel diff --git a/tests/end_to_end/test_suricata_integration/test_suricata_integration.py b/tests/end_to_end/test_suricata_integration/test_suricata_integration.py index 3b7e3d2244..d58c12aeb2 100644 --- a/tests/end_to_end/test_suricata_integration/test_suricata_integration.py +++ b/tests/end_to_end/test_suricata_integration/test_suricata_integration.py 
@@ -1,3 +1,43 @@ +''' +copyright: Copyright (C) 2015-2022, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: end_to_end + +brief: This test will verify that the integeration with Suricata works correctly. Suricata is a network-based intrusion + detection system (NIDS), to detect threats by monitoring network traffic. This solution can generate JSON logs + of NIDS events and provide additional insight into your network's security with its network traffic inspection + capabilities. + +components: + - logcollector + - integration + +targets: + - manager + +daemons: + - wazuh-logcollector + - wazuh-analysisd + +os_platform: + - linux + +os_version: + - Ubuntu Focal + +references: + - https://github.com/wazuh/wazuh-automation/wiki/Wazuh-demo:-Execution-guide#suricata + - https://documentation.wazuh.com/current/proof-of-concept-guide/integrate-network-ids-suricata.html + - https://documentation.wazuh.com/current/learning-wazuh/suricata.html#learning-wazuh-suricata +tags: + - demo + - suricata + - nids +''' import os import json import re 
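Review bot: `integeration` in the added `brief:` is a typo for `integration`, the same misspelling as in the Slack docstring added two commits earlier. The clause `Suricata is a network-based intrusion detection system (NIDS), to detect threats by monitoring network traffic.` is a fragment; `Suricata is a network-based intrusion detection system (NIDS) that detects threats by monitoring network traffic.` reads correctly.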
@@ -23,6 +63,44 @@ @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) def test_suricata_integration(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): + ''' + description: Check that an alert is generated when a specific web request is executed. + + test_phases: + - Set a custom Wazuh configuration. + - Execute a web request known to trip NIDS rules to generate the event. + - Check in the alerts.json log that the expected alert has been triggered and get its timestamp. + - Check that the obtained alert from alerts.json has been indexed. + + wazuh_min_version: 4.4.0 + + tier: 0 + + parameters: + - configurate_environment: + type: fixture + brief: Set the wazuh configuration according to the configuration playbook. + - metadata: + type: dict + brief: Wazuh configuration metadata. + - get_dashboard_credentials: + type: fixture + brief: Get the wazuh dashboard credentials. + - generate_events: + type: fixture + brief: Generate events that will trigger the alert according to the generate_events playbook. + - clean_alerts_index: + type: fixture + brief: Delete obtained alerts.json and alerts index. + + assertions: + - Verify that the alert has been triggered. + - Verify that the same alert has been indexed. + + input_description: + - The `configuration.yaml` file provides the module configuration for this test. + - The `generate_events.yaml`file provides the function configuration for this test. + ''' rule_level = metadata['rule.level'] rule_description = metadata['rule.description'] rule_id = metadata['rule.id'] From 1cca919f038d4d4f098115e8d615096a1db7c90f Mon Sep 17 00:00:00 2001 
From: Julia Date: Fri, 12 Aug 2022 15:06:42 +0200 Subject: [PATCH 363/552] fix: Unify test and create two test cases --- .../data/test_cases/cases_virustotal.yaml | 13 ---- .../data/playbooks/configuration.yaml | 42 ------------- .../data/playbooks/generate_events.yaml | 24 ------- .../data/playbooks/teardown.yaml | 37 ----------- .../data/test_cases/cases_virustotal.yaml | 12 ---- .../test_virustotal_fim.py | 63 ------------------- .../active_response_script/remove-threat.sh | 0 .../data/playbooks/configuration.yaml | 2 + .../data/playbooks/generate_events.yaml | 0 .../data/playbooks/teardown.yaml | 5 ++ .../cases_virustotal_integration.yaml | 23 +++++++ .../test_virustotal_integration.py} | 11 ++-- 12 files changed, 35 insertions(+), 197 deletions(-) delete mode 100644 tests/end_to_end/test_virustotal/test_virustotal_active_response/data/test_cases/cases_virustotal.yaml delete mode 100644 tests/end_to_end/test_virustotal/test_virustotal_fim/data/playbooks/configuration.yaml delete mode 100644 tests/end_to_end/test_virustotal/test_virustotal_fim/data/playbooks/generate_events.yaml delete mode 100644 tests/end_to_end/test_virustotal/test_virustotal_fim/data/playbooks/teardown.yaml delete mode 100644 tests/end_to_end/test_virustotal/test_virustotal_fim/data/test_cases/cases_virustotal.yaml delete mode 100644 tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py rename tests/end_to_end/{test_virustotal/test_virustotal_active_response => test_virustotal_integration}/data/active_response_script/remove-threat.sh (100%) rename tests/end_to_end/{test_virustotal/test_virustotal_active_response => test_virustotal_integration}/data/playbooks/configuration.yaml (99%) rename tests/end_to_end/{test_virustotal/test_virustotal_active_response => test_virustotal_integration}/data/playbooks/generate_events.yaml (100%) rename tests/end_to_end/{test_virustotal/test_virustotal_active_response => test_virustotal_integration}/data/playbooks/teardown.yaml (91%) 
create mode 100644 tests/end_to_end/test_virustotal_integration/data/test_cases/cases_virustotal_integration.yaml rename tests/end_to_end/{test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py => test_virustotal_integration/test_virustotal_integration.py} (84%) diff --git a/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/test_cases/cases_virustotal.yaml b/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/test_cases/cases_virustotal.yaml deleted file mode 100644 index b7cac764c8..0000000000 --- a/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/test_cases/cases_virustotal.yaml +++ /dev/null @@ -1,13 +0,0 @@ -- name: remove_malicious_file - description: Detecting and removing malware - configuration_parameters: null - metadata: - extra_vars: - event_description: Run malicious file - shell: | - cd /root - curl -LO http://www.eicar.org/download/eicar.com - rule.id: 100092 - rule.level: 12 - rule.description: "active-response\/bin\/remove-threat.sh removed threat located at \/root\/eicar.com " - program: active-response/bin/remove-threat.sh diff --git a/tests/end_to_end/test_virustotal/test_virustotal_fim/data/playbooks/configuration.yaml b/tests/end_to_end/test_virustotal/test_virustotal_fim/data/playbooks/configuration.yaml deleted file mode 100644 index 1c3a72fba9..0000000000 --- a/tests/end_to_end/test_virustotal/test_virustotal_fim/data/playbooks/configuration.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -- name: Test manager configuration - hosts: wazuh-manager - become: true - tasks: - - - name: Configure Virustotal integration - blockinfile: - path: /var/ossec/etc/ossec.conf - insertafter: - block: | - - virustotal - {{ virustotal_key }} - syscheck - json - - marker: - - - name: Truncate alert.json - shell: echo "" > /var/ossec/logs/alerts/alerts.json - - - name: Restart the manager - shell: systemctl restart wazuh-manager - -- name: Test agent configuration - hosts: wazuh-agent - become: true - tasks: - - - name: Create folder - command: mkdir /test - - - name: Configure syscheck - blockinfile: - path: /var/ossec/etc/ossec.conf - insertafter: - block: | - /test - marker: - - - name: Restart the agent - shell: systemctl restart wazuh-agent diff --git a/tests/end_to_end/test_virustotal/test_virustotal_fim/data/playbooks/generate_events.yaml b/tests/end_to_end/test_virustotal/test_virustotal_fim/data/playbooks/generate_events.yaml deleted file mode 100644 index 686e26cd0e..0000000000 --- a/tests/end_to_end/test_virustotal/test_virustotal_fim/data/playbooks/generate_events.yaml +++ /dev/null @@ -1,24 +0,0 @@ -- name: Generate events - hosts: wazuh-agent - tasks: - - - name: "{{ event_description }}" - become: true - copy: - dest: "{{ path }}" - content: "{{ content }}" - - - name: Wait for alert - wait_for: - timeout: 5 - -- name: Get logs - hosts: wazuh-manager - tasks: - - - name: Get alerts.json - fetch: - src: /var/ossec/logs/alerts/alerts.json - dest: /tmp/ - flat: true - become: true diff --git a/tests/end_to_end/test_virustotal/test_virustotal_fim/data/playbooks/teardown.yaml b/tests/end_to_end/test_virustotal/test_virustotal_fim/data/playbooks/teardown.yaml deleted file mode 100644 index 3b14451252..0000000000 --- a/tests/end_to_end/test_virustotal/test_virustotal_fim/data/playbooks/teardown.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ ---- -- name: Cleanup manager environment - hosts: wazuh-manager - become: True - tasks: - - - name: Delete Virustotal integration - blockinfile: - path: /var/ossec/etc/ossec.conf - marker: - block: '' - - - name: Restart wazuh-manager - systemd: - state: restarted - name: wazuh-manager - -- name: Cleanup agent environment - hosts: wazuh-agent - become: True - tasks: - - - name: Delete syscheck configuration - blockinfile: - path: /var/ossec/etc/ossec.conf - marker: - block: '' - - - name: Delete folder - file: - path: /test - state: absent - - - name: Restart wazuh-agent - systemd: - state: restarted - name: wazuh-agent diff --git a/tests/end_to_end/test_virustotal/test_virustotal_fim/data/test_cases/cases_virustotal.yaml b/tests/end_to_end/test_virustotal/test_virustotal_fim/data/test_cases/cases_virustotal.yaml deleted file mode 100644 index d045286713..0000000000 --- a/tests/end_to_end/test_virustotal/test_virustotal_fim/data/test_cases/cases_virustotal.yaml +++ /dev/null @@ -1,12 +0,0 @@ -- name: scanning_file - description: Scanning a file and check generated alerts - configuration_parameters: null - metadata: - extra_vars: - event_description: Create a file into the monitored folder - path: /test/virus_total.txt - content: | - test_virus_total - rule.id: 87103 - rule.level: 3 - rule.description: "VirusTotal: Alert - No records in VirusTotal database" diff --git a/tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py b/tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py deleted file mode 100644 index 90b133cd82..0000000000 --- a/tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py +++ /dev/null 
@@ -1,63 +0,0 @@ -import os -import json -import re -import pytest -from tempfile import gettempdir - -from wazuh_testing import end_to_end as e2e -from wazuh_testing import event_monitor as evm -from wazuh_testing.tools import configuration as config - - -alerts_json = os.path.join(gettempdir(), 'alerts.json') -test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') -test_general_configuration_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), '..', 'data') -test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_virustotal.yaml') -configuration_playbooks = ['configuration.yaml'] -events_playbooks = ['generate_events.yaml'] -teardown_playbooks = ['teardown.yaml'] - -configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) - - -@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_virustotal(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): - """ - Test to scanning a file using FIM and then do a request to virustotal to check if it is malicious - """ - rule_id = metadata['rule.id'] - rule_level = metadata['rule.level'] - rule_description = metadata['rule.description'] - - expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{rule_level},' \ - fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' - - expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \ - r'.*"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' - - # Check that alert has been raised and save timestamp - raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - error_message='The alert has not occurred').result() - raised_alert_timestamp = raised_alert.group(1) - - query = e2e.make_query([ - { - "term": { - 
"rule.id": f"{rule_id}" - } - }, - { - "term": { - "timestamp": f"{raised_alert_timestamp}" - } - } - ]) - - # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) - indexed_alert = json.dumps(response.json()) - - # Check that the alert data is the expected one - alert_data = re.search(expected_indexed_alert, indexed_alert) - assert alert_data is not None, 'Alert triggered, but not indexed' diff --git a/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/active_response_script/remove-threat.sh b/tests/end_to_end/test_virustotal_integration/data/active_response_script/remove-threat.sh similarity index 100% rename from tests/end_to_end/test_virustotal/test_virustotal_active_response/data/active_response_script/remove-threat.sh rename to tests/end_to_end/test_virustotal_integration/data/active_response_script/remove-threat.sh diff --git a/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/configuration.yaml b/tests/end_to_end/test_virustotal_integration/data/playbooks/configuration.yaml similarity index 99% rename from tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/configuration.yaml rename to tests/end_to_end/test_virustotal_integration/data/playbooks/configuration.yaml index 4e99ce5e95..df54e4902e 100644 --- a/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_virustotal_integration/data/playbooks/configuration.yaml @@ -14,11 +14,13 @@ 100200,100201 json + remove-threat remove-threat.sh no + no remove-threat 
diff --git a/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/generate_events.yaml b/tests/end_to_end/test_virustotal_integration/data/playbooks/generate_events.yaml similarity index 100% rename from tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/generate_events.yaml rename to tests/end_to_end/test_virustotal_integration/data/playbooks/generate_events.yaml diff --git a/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/teardown.yaml b/tests/end_to_end/test_virustotal_integration/data/playbooks/teardown.yaml similarity index 91% rename from tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/teardown.yaml rename to tests/end_to_end/test_virustotal_integration/data/playbooks/teardown.yaml index 6d9b34e9c8..a9c23406ec 100644 --- a/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_virustotal_integration/data/playbooks/teardown.yaml @@ -37,6 +37,11 @@ path: /var/ossec/active-response/remove-threat.sh state: absent + - name: Delete created file + file: + path: /root/harmless_file.txt + state: absent + - name: Restart wazuh-agent systemd: state: restarted diff --git a/tests/end_to_end/test_virustotal_integration/data/test_cases/cases_virustotal_integration.yaml b/tests/end_to_end/test_virustotal_integration/data/test_cases/cases_virustotal_integration.yaml new file mode 100644 index 0000000000..aa3a0c58c7 --- /dev/null +++ b/tests/end_to_end/test_virustotal_integration/data/test_cases/cases_virustotal_integration.yaml 
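Review bot: The teardown now removes `/root/harmless_file.txt` and the active-response script but still never removes `/root/eicar.com`, the file the remove_malicious_file case downloads; when the active response does not fire (the failure this test exists to catch) the sample stays on the agent between runs. Cleanup should not depend on the feature under test, so add a task next to the new one. The play this hunk belongs to starts outside the hunk.
```yaml
# … unchanged: delete remove-threat.sh …
- name: Delete downloaded sample
  file:
    path: /root/eicar.com
    state: absent
# … unchanged: delete created file, restart wazuh-agent …
```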
@@ -0,0 +1,23 @@
+- name: remove_malicious_file
+ description: Detecting and removing malware
+ configuration_parameters: null
+ metadata:
+ extra_vars:
+ event_description: Download malicious file
+ shell: |
+ cd /root
+ curl -LO http://www.eicar.org/download/eicar.com
+ rule.id: 100092
+ rule.level: 12
+ rule.description: "active-response\/bin\/remove-threat.sh removed threat located at \/root\/eicar.com "
+
+- name: harmless_file
+ description: Scanning a file and check generated alerts
+ configuration_parameters: null
+ metadata:
+ extra_vars:
+ event_description: Create harmless file
+ shell: echo "Just a simple text file" > /root/harmless_file.txt
+ rule.id: 87103
+ rule.level: 3
+ rule.description: "VirusTotal: Alert - No records in VirusTotal database"
diff --git a/tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py b/tests/end_to_end/test_virustotal_integration/test_virustotal_integration.py similarity index 84% rename from tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py rename to tests/end_to_end/test_virustotal_integration/test_virustotal_integration.py
index 8c56e9ad44..761d2b8f7b 100644
--- a/tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py
+++ b/tests/end_to_end/test_virustotal_integration/test_virustotal_integration.py
@@ -11,7 +11,7 @@
 alerts_json = os.path.join(gettempdir(), 'alerts.json')
 test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data')
-test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_virustotal.yaml')
+test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_virustotal_integration.yaml')
 configuration_playbooks = ['configuration.yaml']
 events_playbooks = ['generate_events.yaml']
 teardown_playbooks = ['teardown.yaml']
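Review bot: The remove_malicious_file case fetches the sample with `curl -LO http://www.eicar.org/download/eicar.com`, plain HTTP with no check on what arrived, so a redirect page, captive portal or outage leaves a file that is not the EICAR sample and the test later fails with the unrelated "alert has not occurred" message. At minimum use `curl -fLO ...` so HTTP errors fail the shell task where the cause is visible, and consider checking the downloaded file against a pinned checksum (`<EICAR_SHA256_PLACEHOLDER>`) before relying on it. The first `rule.description` ends with a space inside the quotes and the Python test splices it verbatim into a regex; if that trailing space is really part of the alert text, a comment such as `# trailing space is part of the alert description` would stop the next reader from "fixing" it.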
@@ -23,7 +23,8 @@
 @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning')
 @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids)
-def test_virustotal(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index):
+def test_virustotal_integration(configure_environment, metadata, get_dashboard_credentials, generate_events,
+ clean_alerts_index):
 """
 Test to delete a malicious file detected by virustotal
 """
@@ -31,14 +32,12 @@ def test_virustotal(configure_environment, metadata, get_dashboard_credentials,
 rule_id = metadata['rule.id']
 rule_level = metadata['rule.level']
 rule_description = metadata['rule.description']
- program = metadata['program']
 expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{rule_level},' \
 fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}'
- expected_indexed_alert = fr'.*"program": "{program}".*"rule":.*"level": {rule_level},' \
- fr'.*"description": "{rule_description}"' \
- r'.*"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*'
+ expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \
+ fr'.*"id": "{rule_id}".*"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*'
 # Check that alert has been raised and save timestamp
 raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json,
From f3e90da07eb91d05656b0863d1cbefed76b354fa Mon Sep 17 00:00:00 2001
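Review bot: The docstring kept as context in the first hunk still reads `Test to delete a malicious file detected by virustotal`, but the renamed test is now parametrized over the harmless_file case as well, where nothing is deleted; replace it with something like `Test that each VirusTotal integration case raises the expected alert and that the alert is indexed (malicious file removed by active response, harmless file with no VirusTotal record).` The second hunk drops the `program` term from `expected_indexed_alert` and adds `"id": "{rule_id}"`, which is a reasonable replacement, but `rule_description` is still spliced into both regexes unescaped, so every `.` in a description matches any character; `re.escape()` would tighten it, once you have confirmed the `\/` escapes in the cases file still match the raw alerts.json text. The body of test_virustotal_integration continues outside the hunk.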
From: Belen Valdivia Date: Fri, 12 Aug 2022 11:39:45 -0300 Subject: [PATCH 364/552] add: ansible roles folder --- .../restart_wazuh/tasks/get_alert_json.yaml | 0 .../restart_wazuh/tasks/restart_wazuh.yaml | 30 +++++++++++++++++++ .../data/playbooks/configuration.yaml | 10 +++++-- 3 files changed, 37 insertions(+), 3 deletions(-) create mode 100644 tests/end_to_end/ansible-roles/restart_wazuh/tasks/get_alert_json.yaml create mode 100644 tests/end_to_end/ansible-roles/restart_wazuh/tasks/restart_wazuh.yaml
diff --git a/tests/end_to_end/ansible-roles/restart_wazuh/tasks/get_alert_json.yaml b/tests/end_to_end/ansible-roles/restart_wazuh/tasks/get_alert_json.yaml new file mode 100644
index 0000000000..e69de29bb2
diff --git a/tests/end_to_end/ansible-roles/restart_wazuh/tasks/restart_wazuh.yaml b/tests/end_to_end/ansible-roles/restart_wazuh/tasks/restart_wazuh.yaml new file mode 100644
index 0000000000..ccbd0c95bb
--- /dev/null
+++ b/tests/end_to_end/ansible-roles/restart_wazuh/tasks/restart_wazuh.yaml
@@ -0,0 +1,30 @@
+---
+
+ # REQUIRED VARIABLES
+ #-------------------
+ #
+ # GENERIC:
+ # - (String) os: Target operating system
+ #
+ # LINUX
+ # - (String) target: [manager,agent]
+
+ - name: Restart manager service on linux
+ become: true
+ service:
+ name: wazuh-manager
+ state: restarted
+ when: os == 'linux' and target == 'manager'
+
+ - name: Restart agent service on linux
+ become: true
+ service:
+ name: "wazuh-agent"
+ state: restarted
+ when: os == 'linux' and target == 'agent'
+
+ - name: Restart wazuh on Windows
+ win_shell: "Get-Service -Name WazuhSvc -ErrorAction SilentlyContinue | Restart-Service -ErrorAction SilentlyContinue"
+ args:
+ executable: powershell.exe
+ when: os == 'windows' and target == 'agent'
diff --git a/tests/end_to_end/test_sql_injection/data/playbooks/configuration.yaml b/tests/end_to_end/test_sql_injection/data/playbooks/configuration.yaml
index c921cd8087..55ccf89804 100644
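Review bot: The Windows branch of restart_wazuh.yaml cannot fail: `Get-Service -ErrorAction SilentlyContinue | Restart-Service -ErrorAction SilentlyContinue` reports success when WazuhSvc is absent or the restart throws, so a test carries on against an agent that was never restarted and the problem only surfaces later as a missing alert. The service module does the same job and fails the task when the restart does not happen: `win_service:` / `name: WazuhSvc` / `state: restarted`. The REQUIRED VARIABLES header documents `os` and `target` but nothing validates their values; an `assert` task with `that: os in ['linux', 'windows']` at the top would turn a typo into a named error instead of a silently skipped restart.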
--- a/tests/end_to_end/test_sql_injection/data/playbooks/configuration.yaml
+++ b/tests/end_to_end/test_sql_injection/data/playbooks/configuration.yaml
@@ -23,6 +23,10 @@
 marker:
- - name: Restart wazuh-agent
- become: true
- shell: systemctl restart wazuh-agent
+ - name: Restart agent
+ include_role:
+ name: "/home/belen/Repositories/wazuh-qa/tests/end_to_end/ansible-roles/restart_wazuh"
+ tasks_from: "restart_wazuh.yaml"
+ vars:
+ os: 'linux'
+ target: 'agent'
From 82feb0ca1bce1a9eb21d41691c5297bf22f55841 Mon Sep 17 00:00:00 2001
From: Belen Valdivia Date: Fri, 12 Aug 2022 12:29:43 -0300 Subject: [PATCH 365/552] fix: os validation deleted --- .../data/playbooks/configuration.yaml | 10 +++ .../data/playbooks/generate_events.yaml | 41 ++++++++++++ .../data/test_cases/cases_brute_force.yaml | 11 +++ .../test_brute_force_rdp.py | 67 +++++++++++++++++++ .../data/playbooks/generate_events.yaml | 46 +++++++++++++ .../data/test_cases/cases_brute_force.yaml | 11 +++ .../test_brute_force_ssh.py | 66 ++++++++++++++++++ 7 files changed, 252 insertions(+) create mode 100644 tests/end_to_end/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml create mode 100644 tests/end_to_end/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml create mode 100644 tests/end_to_end/test_brute_force/test_brute_force_rdp/data/test_cases/cases_brute_force.yaml create mode 100644 tests/end_to_end/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py create mode 100644 tests/end_to_end/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml create mode 100644 tests/end_to_end/test_brute_force/test_brute_force_ssh/data/test_cases/cases_brute_force.yaml create mode 100644 tests/end_to_end/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py
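Review bot: `name: "/home/belen/Repositories/wazuh-qa/tests/end_to_end/ansible-roles/restart_wazuh"` hard-codes one developer's home directory, so on any other machine, CI included, the play stops with a role-not-found error before the agent is restarted. Resolve the role relative to the playbook instead, `name: "{{ playbook_dir }}/../../../ansible-roles/restart_wazuh"`, or add `tests/end_to_end/ansible-roles` to `roles_path` in an ansible.cfg for the suite and reference it as `restart_wazuh`. The play this hunk belongs to starts outside the hunk.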
diff --git a/tests/end_to_end/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml b/tests/end_to_end/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml new file mode 100644
index 0000000000..58928acd9b
--- /dev/null
+++ b/tests/end_to_end/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml
@@ -0,0 +1,10 @@
+- name: Configure environment
+ hosts: localhost
+ become: true
+ tasks:
+
+ # Install hydra to attempt the RDP brute force attack
+ - name: Install hydra
+ package:
+ name: hydra
+ state: present
diff --git a/tests/end_to_end/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml b/tests/end_to_end/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml new file mode 100644
index 0000000000..9b9b0fda70
--- /dev/null
+++ b/tests/end_to_end/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml
@@ -0,0 +1,41 @@
+- name: Truncate file
+ hosts: wazuh-manager
+ tasks:
+
+ - name: Truncate alert.json
+ shell: echo "" > /var/ossec/logs/alerts/alerts.json
+ become: true
+
+- name: Generate events
+ hosts: localhost
+ tasks:
+
+ - name: Attempt a RDP brute force attack
+ shell: hydra -l {{ item }} -p invalid_password rdp://wazuh-windows
+ loop:
+ - test_user
+ - test_user
+ - test_user
+ - test_user
+ - test_user
+ - test_user
+ - test_user
+ - test_user
+ register: result
+ failed_when:
+ - "'0 valid passwords found' not in result.stdout"
+
+ - name: Wait for alert
+ wait_for:
+ timeout: 5
+
+- name: Get logs
+ hosts: wazuh-manager
+ tasks:
+
+ - name: Get alerts.json
+ fetch:
+ src: /var/ossec/logs/alerts/alerts.json
+ dest: /tmp/
+ flat: true
+ become: true
diff --git a/tests/end_to_end/test_brute_force/test_brute_force_rdp/data/test_cases/cases_brute_force.yaml b/tests/end_to_end/test_brute_force/test_brute_force_rdp/data/test_cases/cases_brute_force.yaml new file mode 100644
index 0000000000..4d1eca08e9
--- /dev/null
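Review bot: In generate_events.yaml the eight identical `- test_user` entries say nothing about why eight attempts are needed; `loop: "{{ ['test_user'] * 8 }}"` with a comment such as `# eight failed logons: presumably the frequency rule 60204 needs — confirm against the rule` documents the intent and makes the count a single edit. Separately, configuration.yaml installs hydra on the control host with `become: true` while the test module sets `teardown_playbooks = None`, so the package stays on whatever machine runs the suite; if that is not intended, a teardown playbook with `package: name: hydra state: absent` restores the host.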
+++ b/tests/end_to_end/test_brute_force/test_brute_force_rdp/data/test_cases/cases_brute_force.yaml
@@ -0,0 +1,11 @@
+- name: rdp_brute_force
+ description: Check if the alert is generated when executing a brute force attack via RDP.
+ configuration_parameters: null
+ metadata:
+ rule.id: 60204
+ rule.level: 10
+ rule.description: Multiple Windows logon failures.
+ extra:
+ mitre_technique: Brute Force
+ extra_vars:
+ agent_os: Windows
diff --git a/tests/end_to_end/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py b/tests/end_to_end/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py new file mode 100644
index 0000000000..c6f395d63f
--- /dev/null
+++ b/tests/end_to_end/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py
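Review bot: `extra_vars: agent_os: Windows` is a leftover from the version that guarded the hydra task with `when: agent_os == "Windows"`; the new generate_events.yaml in this patch has no such guard (the commit title says the os validation was deleted), so the variable is passed to the playbooks and read by nothing. Drop the two lines, or keep them with a comment `# agent_os: informational only, no playbook reads it` if the harness requires `extra_vars` to be present. The ssh cases file later in this patch carries the same leftover with `agent_os: Linux`.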
@@ -0,0 +1,67 @@
+import os
+import json
+import re
+import pytest
+from tempfile import gettempdir
+
+from wazuh_testing.tools import configuration as config
+from wazuh_testing import end_to_end as e2e
+from wazuh_testing import event_monitor as evm
+
+# Test cases data
+alerts_json = os.path.join(gettempdir(), 'alerts.json')
+test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data')
+test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_brute_force.yaml')
+
+# Playbooks
+configuration_playbooks = ['configuration.yaml']
+events_playbooks = ['generate_events.yaml']
+teardown_playbooks = None
+
+# Configuration
+configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path)
+
+
+@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning')
+@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids)
+def test_brute_force(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index):
+ """
+ Test to detect a RDP Brute Force attack
+ """
+ rule_id = metadata['rule.id']
+ rule_level = metadata['rule.level']
+ rule_description = metadata['rule.description']
+ rule_mitre_technique = metadata['extra']['mitre_technique']
+ timestamp = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+'
+
+ expected_alert_json = fr'\{{"timestamp":"({timestamp})","rule"\:{{"level"\:{rule_level},' \
+ fr'"description"\:"{rule_description}","id"\:"{rule_id}".*'
+
+ expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \
+ fr'.*"mitre":.*"{rule_mitre_technique}".*"id": "{rule_id}".*'
+
+ # Check that alert has been raised and save timestamp
+ raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json,
+ error_message='The alert has not occurred').result()
+ raised_alert_timestamp = raised_alert.group(1)
+
+ query = e2e.make_query([
+ {
+ "term": {
+ "rule.id": f"{rule_id}"
+ }
+ },
+ {
+ "term": {
+ "timestamp": f"{raised_alert_timestamp}"
+ }
+ }
+ ])
+
+ # Check if the alert has been indexed and get its data
+ response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials)
+ indexed_alert = json.dumps(response.json())
+
+ # Check that the alert data is the expected one
+ alert_data = re.search(expected_indexed_alert, indexed_alert)
+ assert alert_data is not None, 'Alert triggered, but not indexed'
diff --git a/tests/end_to_end/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml b/tests/end_to_end/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml new file mode 100644
index 0000000000..b3a9595cf8
--- /dev/null
+++ b/tests/end_to_end/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml
@@ -0,0 +1,46 @@
+- name: Truncate file
+ hosts: wazuh-manager
+ tasks:
+
+ - name: Truncate alert.json
+ shell: echo "" > /var/ossec/logs/alerts/alerts.json
+ become: true
+
+- name: Generate events
+ hosts: localhost
+ tasks:
+
+ - name: SSH connection
+ expect:
+ command: ssh {{item}}@wazuh-agent -i {{hostvars['wazuh-agent']['ansible_ssh_private_key_file']}}
+ responses:
+ (.*)continue connecting(.*): 'yes'
+ (?i)password: 1
+ timeout: 5
+ loop:
+ - test_user
+ - test_user
+ - test_user
+ - test_user
+ - test_user
+ - test_user
+ - test_user
+ - test_user
+ register: result
+ failed_when:
+ - "'Permission denied' not in result.stdout"
+
+ - name: Wait for alert
+ wait_for:
+ timeout: 5
+
+- name: Get logs
+ hosts: wazuh-manager
+ tasks:
+
+ - name: Get alerts.json
+ fetch:
+ src: /var/ossec/logs/alerts/alerts.json
+ dest: /tmp/
+ flat: true
+ become: true
diff --git a/tests/end_to_end/test_brute_force/test_brute_force_ssh/data/test_cases/cases_brute_force.yaml b/tests/end_to_end/test_brute_force/test_brute_force_ssh/data/test_cases/cases_brute_force.yaml new file mode 100644
index 0000000000..961242a177
--- /dev/null
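Review bot: In `timestamp = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+'` the `|` inside the character class is a literal, so the class accepts `+`, `|` or `-` instead of being an alternation; `[+-]` is what was meant. In the same block `rule_description` and `rule_mitre_technique` are spliced into both regexes unescaped, so the `.` in `Multiple Windows logon failures.` matches any character and a near-miss description still passes; escape them once when reading the metadata, e.g. `rule_description = re.escape(metadata['rule.description'])`. `configurations` is assigned at module level and never read. test_brute_force_ssh.py in this patch has all three points as well.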
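Review bot: The `expect` task answers any `continue connecting` prompt with `yes`, i.e. it accepts whatever host key wazuh-agent presents on first contact; that is fine for a disposable lab, but it should be stated above `responses:` (`# lab hosts only: the agent's host key is accepted on first contact`) so the pattern is not copied into a playbook that reaches real hosts. As in the RDP playbook, the eight literal `- test_user` entries would read better as `loop: "{{ ['test_user'] * 8 }}"` with a comment naming the reason for the count, presumably the frequency rule 5712 needs.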
+++ b/tests/end_to_end/test_brute_force/test_brute_force_ssh/data/test_cases/cases_brute_force.yaml
@@ -0,0 +1,11 @@
+- name: ssh_brute_force
+ description: Execute brute force attacks using SSH and check generated alerts
+ configuration_parameters: null
+ metadata:
+ rule.id: 5712
+ rule.level: 10
+ rule.description: "sshd: brute force trying to get access to the system. Non existent user."
+ extra:
+ mitre_technique: Brute Force
+ extra_vars:
+ agent_os: Linux
diff --git a/tests/end_to_end/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py b/tests/end_to_end/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py new file mode 100644
index 0000000000..e17168384d
--- /dev/null
+++ b/tests/end_to_end/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py
@@ -0,0 +1,66 @@
+import os
+import json
+import re
+import pytest
+from tempfile import gettempdir
+
+from wazuh_testing.tools import configuration as config
+from wazuh_testing import end_to_end as e2e
+from wazuh_testing import event_monitor as evm
+
+# Test cases data
+alerts_json = os.path.join(gettempdir(), 'alerts.json')
+test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data')
+test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_brute_force.yaml')
+
+# Playbooks
+events_playbooks = ['generate_events.yaml']
+teardown_playbooks = None
+
+# Configuration
+configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path)
+
+
+@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning')
+@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids)
+def test_brute_force(metadata, get_dashboard_credentials, generate_events, clean_alerts_index):
+ """
+ Test to detect a SSH Brute Force attack
+ """
+ rule_id = metadata['rule.id']
+ rule_level = metadata['rule.level']
+ rule_description = metadata['rule.description']
+ rule_mitre_technique = metadata['extra']['mitre_technique']
+ timestamp = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+'
+
+ expected_alert_json = fr'\{{"timestamp":"({timestamp})","rule"\:{{"level"\:{rule_level},' \
+ fr'"description"\:"{rule_description}","id"\:"{rule_id}".*'
+
+ expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \
+ fr'.*"mitre":.*"{rule_mitre_technique}".*"id": "{rule_id}".*'
+
+ # Check that alert has been raised and save timestamp
+ raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json,
+ error_message='The alert has not occurred').result()
+ raised_alert_timestamp = raised_alert.group(1)
+
+ query = e2e.make_query([
+ {
+ "term": {
+ "rule.id": f"{rule_id}"
+ }
+ },
+ {
+ "term": {
+ "timestamp": f"{raised_alert_timestamp}"
+ }
+ }
+ ])
+
+ # Check if the alert has been indexed and get its data
+ response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials)
+ indexed_alert = json.dumps(response.json())
+
+ # Check that the alert data is the expected one
+ alert_data = re.search(expected_indexed_alert, indexed_alert)
+ assert alert_data is not None, 'Alert triggered, but not indexed'
From 3ab2c547ca3e4707f7602319810a1af21759b638 Mon Sep 17 00:00:00 2001
From: Belen Valdivia Date: Fri, 12 Aug 2022 12:32:34 -0300 Subject: [PATCH 366/552] fix: deleted old structure --- .../linux/data/playbooks/generate_events.yaml | 48 ------------- .../data/test_cases/cases_brute_force.yaml | 11 --- .../linux/test_brute_force_linux.py | 66 ------------------ .../windows/data/playbooks/configuration.yaml | 10 --- .../data/playbooks/generate_events.yaml | 43 ------------ .../data/test_cases/cases_brute_force.yaml | 11 --- .../windows/test_brute_force_windows.py | 67 ------------------- 7 files changed, 256 deletions(-) delete mode 100644 tests/end_to_end/test_brute_force/linux/data/playbooks/generate_events.yaml delete mode 100644 tests/end_to_end/test_brute_force/linux/data/test_cases/cases_brute_force.yaml delete mode 100644 tests/end_to_end/test_brute_force/linux/test_brute_force_linux.py delete mode 100644 tests/end_to_end/test_brute_force/windows/data/playbooks/configuration.yaml delete mode 100644 tests/end_to_end/test_brute_force/windows/data/playbooks/generate_events.yaml delete mode 100644 tests/end_to_end/test_brute_force/windows/data/test_cases/cases_brute_force.yaml delete mode 100644 tests/end_to_end/test_brute_force/windows/test_brute_force_windows.py
diff --git a/tests/end_to_end/test_brute_force/linux/data/playbooks/generate_events.yaml b/tests/end_to_end/test_brute_force/linux/data/playbooks/generate_events.yaml deleted file mode 100644
index 5bad2651c0..0000000000
--- a/tests/end_to_end/test_brute_force/linux/data/playbooks/generate_events.yaml
+++ /dev/null
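Review bot: test_brute_force_ssh.py is a line-for-line copy of test_brute_force_rdp.py apart from the docstring, the missing `configuration_playbooks` line and the absent `configure_environment` fixture, so the regex construction, the indexer query and the final check (roughly forty lines) now exist twice and every fix, including the `[+|-]` character class noted on the RDP file, has to be made in both. Move the shared part into a helper in `wazuh_testing.end_to_end`, something like `check_alert_raised_and_indexed(metadata, alerts_json, credentials)`, or merge the two modules into one test parametrized over both cases files, so one copy remains. The docstring should also say what "detect" means here, e.g. `Check that the brute-force alert is written to alerts.json and indexed with the expected rule id, level, description and MITRE technique.`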
@@ -1,48 +0,0 @@ -- name: Truncate file - hosts: wazuh-manager - tasks: - - - name: Truncate alert.json - shell: echo "" > /var/ossec/logs/alerts/alerts.json - become: true - -- name: Generate events - hosts: localhost - tasks: - - # Case: Unix agent - - name: SSH connection - expect: - command: ssh {{item}}@wazuh-agent -i {{hostvars['wazuh-agent']['ansible_ssh_private_key_file']}} - responses: - (.*)continue connecting(.*): 'yes' - (?i)password: 1 - timeout: 5 - loop: - - test_user - - test_user - - test_user - - test_user - - test_user - - test_user - - test_user - - test_user - register: result - failed_when: - - "'Permission denied' not in result.stdout" - when: agent_os == "Linux" - - - name: Wait for alert - wait_for: - timeout: 5 - -- name: Get logs - hosts: wazuh-manager - tasks: - - - name: Get alerts.json - fetch: - src: /var/ossec/logs/alerts/alerts.json - dest: /tmp/ - flat: true - become: true diff --git a/tests/end_to_end/test_brute_force/linux/data/test_cases/cases_brute_force.yaml b/tests/end_to_end/test_brute_force/linux/data/test_cases/cases_brute_force.yaml deleted file mode 100644 index 961242a177..0000000000 --- a/tests/end_to_end/test_brute_force/linux/data/test_cases/cases_brute_force.yaml +++ /dev/null @@ -1,11 +0,0 @@ -- name: ssh_brute_force - description: Execute brute force attacks using SSH and check generated alerts - configuration_parameters: null - metadata: - rule.id: 5712 - rule.level: 10 - rule.description: "sshd: brute force trying to get access to the system. Non existent user." - extra: - mitre_technique: Brute Force - extra_vars: - agent_os: Linux diff --git a/tests/end_to_end/test_brute_force/linux/test_brute_force_linux.py b/tests/end_to_end/test_brute_force/linux/test_brute_force_linux.py deleted file mode 100644 index e17168384d..0000000000 --- a/tests/end_to_end/test_brute_force/linux/test_brute_force_linux.py +++ /dev/null 
@@ -1,66 +0,0 @@ -import os -import json -import re -import pytest -from tempfile import gettempdir - -from wazuh_testing.tools import configuration as config -from wazuh_testing import end_to_end as e2e -from wazuh_testing import event_monitor as evm - -# Test cases data -alerts_json = os.path.join(gettempdir(), 'alerts.json') -test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') -test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_brute_force.yaml') - -# Playbooks -events_playbooks = ['generate_events.yaml'] -teardown_playbooks = None - -# Configuration -configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) - - -@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_brute_force(metadata, get_dashboard_credentials, generate_events, clean_alerts_index): - """ - Test to detect a SSH Brute Force attack - """ - rule_id = metadata['rule.id'] - rule_level = metadata['rule.level'] - rule_description = metadata['rule.description'] - rule_mitre_technique = metadata['extra']['mitre_technique'] - timestamp = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+' - - expected_alert_json = fr'\{{"timestamp":"({timestamp})","rule"\:{{"level"\:{rule_level},' \ - fr'"description"\:"{rule_description}","id"\:"{rule_id}".*' - - expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \ - fr'.*"mitre":.*"{rule_mitre_technique}".*"id": "{rule_id}".*' - - # Check that alert has been raised and save timestamp - raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - error_message='The alert has not occurred').result() - raised_alert_timestamp = raised_alert.group(1) - - query = e2e.make_query([ - { - "term": { - "rule.id": f"{rule_id}" - } - }, - { - "term": { - "timestamp": f"{raised_alert_timestamp}" - } - } - ]) 
- - # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) - indexed_alert = json.dumps(response.json()) - - # Check that the alert data is the expected one - alert_data = re.search(expected_indexed_alert, indexed_alert) - assert alert_data is not None, 'Alert triggered, but not indexed' diff --git a/tests/end_to_end/test_brute_force/windows/data/playbooks/configuration.yaml b/tests/end_to_end/test_brute_force/windows/data/playbooks/configuration.yaml deleted file mode 100644 index 58928acd9b..0000000000 --- a/tests/end_to_end/test_brute_force/windows/data/playbooks/configuration.yaml +++ /dev/null @@ -1,10 +0,0 @@ -- name: Configure environment - hosts: localhost - become: true - tasks: - - # Install hydra to attempt the RDP brute force attack - - name: Install hydra - package: - name: hydra - state: present diff --git a/tests/end_to_end/test_brute_force/windows/data/playbooks/generate_events.yaml b/tests/end_to_end/test_brute_force/windows/data/playbooks/generate_events.yaml deleted file mode 100644 index eb0640edbf..0000000000 --- a/tests/end_to_end/test_brute_force/windows/data/playbooks/generate_events.yaml +++ /dev/null 
@@ -1,43 +0,0 @@ -- name: Truncate file - hosts: wazuh-manager - tasks: - - - name: Truncate alert.json - shell: echo "" > /var/ossec/logs/alerts/alerts.json - become: true - -- name: Generate events - hosts: localhost - tasks: - - # Case: Windows agent - - name: Attempt a RDP brute force attack - shell: hydra -l {{ item }} -p invalid_password rdp://wazuh-windows - loop: - - test_user - - test_user - - test_user - - test_user - - test_user - - test_user - - test_user - - test_user - register: result - failed_when: - - "'0 valid passwords found' not in result.stdout" - when: agent_os == "Windows" - - - name: Wait for alert - wait_for: - timeout: 5 - -- name: Get logs - hosts: wazuh-manager - tasks: - - - name: Get alerts.json - fetch: - src: /var/ossec/logs/alerts/alerts.json - dest: /tmp/ - flat: true - become: true diff --git a/tests/end_to_end/test_brute_force/windows/data/test_cases/cases_brute_force.yaml b/tests/end_to_end/test_brute_force/windows/data/test_cases/cases_brute_force.yaml deleted file mode 100644 index 4d1eca08e9..0000000000 --- a/tests/end_to_end/test_brute_force/windows/data/test_cases/cases_brute_force.yaml +++ /dev/null @@ -1,11 +0,0 @@ -- name: rdp_brute_force - description: Check if the alert is generated when executing a brute force attack via RDP. - configuration_parameters: null - metadata: - rule.id: 60204 - rule.level: 10 - rule.description: Multiple Windows logon failures. - extra: - mitre_technique: Brute Force - extra_vars: - agent_os: Windows diff --git a/tests/end_to_end/test_brute_force/windows/test_brute_force_windows.py b/tests/end_to_end/test_brute_force/windows/test_brute_force_windows.py deleted file mode 100644 index c6f395d63f..0000000000 --- a/tests/end_to_end/test_brute_force/windows/test_brute_force_windows.py +++ /dev/null 
@@ -1,67 +0,0 @@ -import os -import json -import re -import pytest -from tempfile import gettempdir - -from wazuh_testing.tools import configuration as config -from wazuh_testing import end_to_end as e2e -from wazuh_testing import event_monitor as evm - -# Test cases data -alerts_json = os.path.join(gettempdir(), 'alerts.json') -test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') -test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_brute_force.yaml') - -# Playbooks -configuration_playbooks = ['configuration.yaml'] -events_playbooks = ['generate_events.yaml'] -teardown_playbooks = None - -# Configuration -configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) - - -@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_brute_force(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): - """ - Test to detect a RDP Brute Force attack - """ - rule_id = metadata['rule.id'] - rule_level = metadata['rule.level'] - rule_description = metadata['rule.description'] - rule_mitre_technique = metadata['extra']['mitre_technique'] - timestamp = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+' - - expected_alert_json = fr'\{{"timestamp":"({timestamp})","rule"\:{{"level"\:{rule_level},' \ - fr'"description"\:"{rule_description}","id"\:"{rule_id}".*' - - expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \ - fr'.*"mitre":.*"{rule_mitre_technique}".*"id": "{rule_id}".*' - - # Check that alert has been raised and save timestamp - raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - error_message='The alert has not occurred').result() - raised_alert_timestamp = raised_alert.group(1) - - query = e2e.make_query([ - { - "term": { - "rule.id": f"{rule_id}" - } - }, 
- { - "term": { - "timestamp": f"{raised_alert_timestamp}" - } - } - ]) - - # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) - indexed_alert = json.dumps(response.json()) - - # Check that the alert data is the expected one - alert_data = re.search(expected_indexed_alert, indexed_alert) - assert alert_data is not None, 'Alert triggered, but not indexed' From 120b98baefa7de45eccf4ba7af53802d6fa912c4 Mon Sep 17 00:00:00 2001 
From: Belen Valdivia Date: Fri, 12 Aug 2022 14:30:37 -0300 Subject: [PATCH 367/552] fix: renamed test suite linux and windows fim tests --- .../data/playbooks/configuration.yaml | 0 .../data/playbooks/generate_events.yaml | 5 +---- .../{linux => test_fim_linux}/data/playbooks/teardown.yaml | 0 .../{linux => test_fim_linux}/data/test_cases/cases_fim.yaml | 3 --- .../test_fim/{linux => test_fim_linux}/test_fim_linux.py | 0 .../data/playbooks/configuration.yaml | 0 .../data/playbooks/generate_events.yaml | 5 +---- .../data/playbooks/teardown.yaml | 0 .../data/test_cases/cases_fim.yaml | 3 --- .../{windows => test_fim_windows}/test_fim_windows.py | 0 10 files changed, 2 insertions(+), 14 deletions(-) rename tests/end_to_end/test_fim/{linux => test_fim_linux}/data/playbooks/configuration.yaml (100%) rename tests/end_to_end/test_fim/{linux => test_fim_linux}/data/playbooks/generate_events.yaml (90%) rename tests/end_to_end/test_fim/{linux => test_fim_linux}/data/playbooks/teardown.yaml (100%) rename tests/end_to_end/test_fim/{linux => test_fim_linux}/data/test_cases/cases_fim.yaml (96%) rename tests/end_to_end/test_fim/{linux => test_fim_linux}/test_fim_linux.py (100%) rename tests/end_to_end/test_fim/{windows => test_fim_windows}/data/playbooks/configuration.yaml (100%) rename tests/end_to_end/test_fim/{windows => test_fim_windows}/data/playbooks/generate_events.yaml (86%) rename tests/end_to_end/test_fim/{windows => test_fim_windows}/data/playbooks/teardown.yaml (100%) rename tests/end_to_end/test_fim/{windows => test_fim_windows}/data/test_cases/cases_fim.yaml (96%) rename tests/end_to_end/test_fim/{windows => test_fim_windows}/test_fim_windows.py (100%) 
diff --git a/tests/end_to_end/test_fim/linux/data/playbooks/configuration.yaml b/tests/end_to_end/test_fim/test_fim_linux/data/playbooks/configuration.yaml similarity index 100% rename from tests/end_to_end/test_fim/linux/data/playbooks/configuration.yaml rename to tests/end_to_end/test_fim/test_fim_linux/data/playbooks/configuration.yaml diff --git a/tests/end_to_end/test_fim/linux/data/playbooks/generate_events.yaml b/tests/end_to_end/test_fim/test_fim_linux/data/playbooks/generate_events.yaml similarity index 90% rename from tests/end_to_end/test_fim/linux/data/playbooks/generate_events.yaml rename to tests/end_to_end/test_fim/test_fim_linux/data/playbooks/generate_events.yaml index ecb5668c41..7d6dd17779 100644 --- a/tests/end_to_end/test_fim/linux/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_fim/test_fim_linux/data/playbooks/generate_events.yaml @@ -7,9 +7,7 @@ become: True - name: Generate events - hosts: agents - vars: - os: "{{ os }}" + hosts: wazuh-agent tasks: - name: "{{ event_description }}" @@ -18,7 +16,6 @@ path: "{{ path }}" state: "{{ state }}" mode: "{{ mode }}" - when: os == "Linux" - name: Get alerts hosts: wazuh-manager diff --git a/tests/end_to_end/test_fim/linux/data/playbooks/teardown.yaml b/tests/end_to_end/test_fim/test_fim_linux/data/playbooks/teardown.yaml similarity index 100% rename from tests/end_to_end/test_fim/linux/data/playbooks/teardown.yaml rename to tests/end_to_end/test_fim/test_fim_linux/data/playbooks/teardown.yaml diff --git a/tests/end_to_end/test_fim/linux/data/test_cases/cases_fim.yaml b/tests/end_to_end/test_fim/test_fim_linux/data/test_cases/cases_fim.yaml similarity index 96% rename from tests/end_to_end/test_fim/linux/data/test_cases/cases_fim.yaml rename to tests/end_to_end/test_fim/test_fim_linux/data/test_cases/cases_fim.yaml index 64de2cdb5f..22930d37b5 100644 --- a/tests/end_to_end/test_fim/linux/data/test_cases/cases_fim.yaml 
+++ b/tests/end_to_end/test_fim/test_fim_linux/data/test_cases/cases_fim.yaml @@ -3,7 +3,6 @@ configuration_parameters: null metadata: extra_vars: - os: Linux event_description: Create a file into the monitored folder path: /tmp/test_demo_fim/monitored_file.txt state: touch @@ -19,7 +18,6 @@ configuration_parameters: null metadata: extra_vars: - os: Linux event_description: Modify a file from the monitored folder path: /tmp/test_demo_fim/monitored_file.txt state: file @@ -35,7 +33,6 @@ configuration_parameters: null metadata: extra_vars: - os: Linux event_description: Delete a file from the monitored folder path: /tmp/test_demo_fim/monitored_file.txt state: absent diff --git a/tests/end_to_end/test_fim/linux/test_fim_linux.py b/tests/end_to_end/test_fim/test_fim_linux/test_fim_linux.py similarity index 100% rename from tests/end_to_end/test_fim/linux/test_fim_linux.py rename to tests/end_to_end/test_fim/test_fim_linux/test_fim_linux.py diff --git a/tests/end_to_end/test_fim/windows/data/playbooks/configuration.yaml b/tests/end_to_end/test_fim/test_fim_windows/data/playbooks/configuration.yaml similarity index 100% rename from tests/end_to_end/test_fim/windows/data/playbooks/configuration.yaml rename to tests/end_to_end/test_fim/test_fim_windows/data/playbooks/configuration.yaml diff --git a/tests/end_to_end/test_fim/windows/data/playbooks/generate_events.yaml b/tests/end_to_end/test_fim/test_fim_windows/data/playbooks/generate_events.yaml similarity index 86% rename from tests/end_to_end/test_fim/windows/data/playbooks/generate_events.yaml rename to tests/end_to_end/test_fim/test_fim_windows/data/playbooks/generate_events.yaml index 33aba8f51c..dfe9c48f57 100644 --- a/tests/end_to_end/test_fim/windows/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_fim/test_fim_windows/data/playbooks/generate_events.yaml 
@@ -7,16 +7,13 @@ become: True - name: Generate events - hosts: agents - vars: - os: "{{ os }}" + hosts: wazuh-windows tasks: - name: "{{ event_description }}" win_file: path: "{{ path }}" state: "{{ state }}" - when: os == ansible_facts['os_family'] - name: Get alerts hosts: wazuh-manager diff --git a/tests/end_to_end/test_fim/windows/data/playbooks/teardown.yaml b/tests/end_to_end/test_fim/test_fim_windows/data/playbooks/teardown.yaml similarity index 100% rename from tests/end_to_end/test_fim/windows/data/playbooks/teardown.yaml rename to tests/end_to_end/test_fim/test_fim_windows/data/playbooks/teardown.yaml diff --git a/tests/end_to_end/test_fim/windows/data/test_cases/cases_fim.yaml b/tests/end_to_end/test_fim/test_fim_windows/data/test_cases/cases_fim.yaml similarity index 96% rename from tests/end_to_end/test_fim/windows/data/test_cases/cases_fim.yaml rename to tests/end_to_end/test_fim/test_fim_windows/data/test_cases/cases_fim.yaml index 1233e78df8..7e7d935212 100644 --- a/tests/end_to_end/test_fim/windows/data/test_cases/cases_fim.yaml +++ b/tests/end_to_end/test_fim/test_fim_windows/data/test_cases/cases_fim.yaml @@ -3,7 +3,6 @@ configuration_parameters: null metadata: extra_vars: - os: Windows event_description: Create a file into the monitored folder path: C:\Test\test_demo_fim\monitored_file.txt state: touch @@ -18,7 +17,6 @@ configuration_parameters: null metadata: extra_vars: - os: Windows event_description: Modify a file from the monitored folder path: C:\Test\test_demo_fim\monitored_file.txt state: touch @@ -33,7 +31,6 @@ configuration_parameters: null metadata: extra_vars: - os: Windows event_description: Delete a file from the monitored folder path: C:\Test\test_demo_fim\monitored_file.txt state: absent 
diff --git a/tests/end_to_end/test_fim/windows/test_fim_windows.py b/tests/end_to_end/test_fim/test_fim_windows/test_fim_windows.py similarity index 100% rename from tests/end_to_end/test_fim/windows/test_fim_windows.py rename to tests/end_to_end/test_fim/test_fim_windows/test_fim_windows.py From da97c6610ef81a7cabd08dd7b15e0fb4de5a142d Mon Sep 17 00:00:00 2001 
From: Belen Valdivia Date: Fri, 12 Aug 2022 16:01:08 -0300 Subject: [PATCH 368/552] fix: renamed test suite vulnerability detector --- .../data/playbooks/configuration.yaml | 0 .../data/playbooks/generate_events.yaml | 5 +---- .../data/playbooks/teardown.yaml | 0 .../data/test_cases/cases_vulnerability_detector.yaml | 1 - .../test_vulnerability_detector_linux.py | 0 .../data/playbooks/configuration.yaml | 0 .../data/playbooks/generate_events.yaml | 3 --- .../data/playbooks/teardown.yaml | 0 .../data/test_cases/cases_vulnerability_detector.yaml | 1 - .../test_vulnerability_detection_windows.py | 0 10 files changed, 1 insertion(+), 9 deletions(-) rename tests/end_to_end/test_vulnerability_detector/{linux => test_vulnerability_detector_linux}/data/playbooks/configuration.yaml (100%) rename tests/end_to_end/test_vulnerability_detector/{linux => test_vulnerability_detector_linux}/data/playbooks/generate_events.yaml (86%) rename tests/end_to_end/test_vulnerability_detector/{linux => test_vulnerability_detector_linux}/data/playbooks/teardown.yaml (100%) rename tests/end_to_end/test_vulnerability_detector/{linux => test_vulnerability_detector_linux}/data/test_cases/cases_vulnerability_detector.yaml (95%) rename tests/end_to_end/test_vulnerability_detector/{linux => test_vulnerability_detector_linux}/test_vulnerability_detector_linux.py (100%) rename tests/end_to_end/test_vulnerability_detector/{windows => test_vulnerability_detector_windows}/data/playbooks/configuration.yaml (100%) rename tests/end_to_end/test_vulnerability_detector/{windows => test_vulnerability_detector_windows}/data/playbooks/generate_events.yaml (89%) rename tests/end_to_end/test_vulnerability_detector/{windows => test_vulnerability_detector_windows}/data/playbooks/teardown.yaml (100%) rename tests/end_to_end/test_vulnerability_detector/{windows => test_vulnerability_detector_windows}/data/test_cases/cases_vulnerability_detector.yaml (97%) rename tests/end_to_end/test_vulnerability_detector/{windows => 
test_vulnerability_detector_windows}/test_vulnerability_detection_windows.py (100%) diff --git a/tests/end_to_end/test_vulnerability_detector/linux/data/playbooks/configuration.yaml b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/configuration.yaml similarity index 100% rename from tests/end_to_end/test_vulnerability_detector/linux/data/playbooks/configuration.yaml rename to tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/configuration.yaml diff --git a/tests/end_to_end/test_vulnerability_detector/linux/data/playbooks/generate_events.yaml b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml similarity index 86% rename from tests/end_to_end/test_vulnerability_detector/linux/data/playbooks/generate_events.yaml rename to tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml index 4a2c06d40d..ac6b1f174d 100644 --- a/tests/end_to_end/test_vulnerability_detector/linux/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml @@ -7,15 +7,12 @@ become: true - name: Generate events - hosts: agents - vars: - os: "{{ os }}" + hosts: wazuh-agent tasks: - name: "{{ event_description }}" become: true command: "{{ command }}" - when: os == ansible_facts['distribution'] - name: Wait alert hosts: wazuh-manager diff --git a/tests/end_to_end/test_vulnerability_detector/linux/data/playbooks/teardown.yaml b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/teardown.yaml similarity index 100% rename from tests/end_to_end/test_vulnerability_detector/linux/data/playbooks/teardown.yaml rename to tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/teardown.yaml 
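Review bot: Removing `when: os == ansible_facts['distribution']` from the "{{ event_description }}" task drops the only guard that kept `command: "{{ command }}"` from running on an agent of the wrong distribution; the Linux case file later in this commit feeds it an `apt install -y vim=...` pinned to an Ubuntu build, so any non-Debian host that ends up in `wazuh-agent` would now fail the play instead of being skipped. If the new `wazuh-agent` group is guaranteed to hold exactly one Ubuntu host, a comment stating that assumption would make the intent explicit, e.g. `# wazuh-agent is expected to contain a single Ubuntu agent, so no distribution guard is needed`. The Windows playbook in this commit makes the same guard removal.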
diff --git a/tests/end_to_end/test_vulnerability_detector/linux/data/test_cases/cases_vulnerability_detector.yaml b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/test_cases/cases_vulnerability_detector.yaml similarity index 95% rename from tests/end_to_end/test_vulnerability_detector/linux/data/test_cases/cases_vulnerability_detector.yaml rename to tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/test_cases/cases_vulnerability_detector.yaml index 3c47b28c8b..b0130dfdeb 100644 --- a/tests/end_to_end/test_vulnerability_detector/linux/data/test_cases/cases_vulnerability_detector.yaml +++ b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/test_cases/cases_vulnerability_detector.yaml @@ -3,7 +3,6 @@ configuration_parameters: null metadata: extra_vars: - os: Ubuntu event_description: Install vulnerable vim package command: apt install -y vim=2:8.1.2269-1ubuntu5.7 rule.id: 23505 diff --git a/tests/end_to_end/test_vulnerability_detector/linux/test_vulnerability_detector_linux.py b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py similarity index 100% rename from tests/end_to_end/test_vulnerability_detector/linux/test_vulnerability_detector_linux.py rename to tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py diff --git a/tests/end_to_end/test_vulnerability_detector/windows/data/playbooks/configuration.yaml b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/configuration.yaml similarity index 100% rename from tests/end_to_end/test_vulnerability_detector/windows/data/playbooks/configuration.yaml rename to tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/configuration.yaml 
diff --git a/tests/end_to_end/test_vulnerability_detector/windows/data/playbooks/generate_events.yaml b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/generate_events.yaml similarity index 89% rename from tests/end_to_end/test_vulnerability_detector/windows/data/playbooks/generate_events.yaml rename to tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/generate_events.yaml index cf308ee624..425c6d146c 100644 --- a/tests/end_to_end/test_vulnerability_detector/windows/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/generate_events.yaml @@ -8,13 +8,10 @@ - name: Generate events hosts: wazuh-windows - vars: - os: "{{ os }}" tasks: - name: "{{ event_description }}" ansible.windows.win_shell: "{{ command }}" - when: os == ansible_facts['os_family'] - name: Wait alert hosts: wazuh-manager diff --git a/tests/end_to_end/test_vulnerability_detector/windows/data/playbooks/teardown.yaml b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/teardown.yaml similarity index 100% rename from tests/end_to_end/test_vulnerability_detector/windows/data/playbooks/teardown.yaml rename to tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/teardown.yaml diff --git a/tests/end_to_end/test_vulnerability_detector/windows/data/test_cases/cases_vulnerability_detector.yaml b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/test_cases/cases_vulnerability_detector.yaml similarity index 97% rename from tests/end_to_end/test_vulnerability_detector/windows/data/test_cases/cases_vulnerability_detector.yaml rename to tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/test_cases/cases_vulnerability_detector.yaml index d891e85bab..9a7b94c9b0 100644 
--- a/tests/end_to_end/test_vulnerability_detector/windows/data/test_cases/cases_vulnerability_detector.yaml +++ b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/test_cases/cases_vulnerability_detector.yaml @@ -3,7 +3,6 @@ configuration_parameters: null metadata: extra_vars: - os: Windows event_description: Install vulnerable Mozilla package command: | Invoke-WebRequest -Uri "https://ftp.mozilla.org/pub/firefox/releases/92.0/win64/en-US/Firefox Setup 92.0.exe" ` diff --git a/tests/end_to_end/test_vulnerability_detector/windows/test_vulnerability_detection_windows.py b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py similarity index 100% rename from tests/end_to_end/test_vulnerability_detector/windows/test_vulnerability_detection_windows.py rename to tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py From 8b8f33e7cc5da5af841e46c8459f08837757e9c1 Mon Sep 17 00:00:00 2001 
From: Mauro Malara Date: Mon, 15 Aug 2022 19:31:58 -0300 Subject: [PATCH 369/552] feat: add validation phase. #3142 --- tests/end_to_end/conftest.py | 108 ++++++++++++++++++ tests/end_to_end/data/environment.json | 58 ++++++++++ .../data/generate_general_play.yaml | 10 ++ tests/end_to_end/data/validation_template.j2 | 12 ++ .../host_checker/tasks/check_connection.yaml | 27 +++++ .../roles/host_checker/tasks/check_os.yaml | 15 +++ .../host_checker/tasks/check_python.yaml | 20 ++++ .../roles/host_checker/tasks/main.yaml | 24 ++++ 8 files changed, 274 insertions(+) create mode 100644 tests/end_to_end/data/environment.json create mode 100644 tests/end_to_end/data/generate_general_play.yaml create mode 100644 tests/end_to_end/data/validation_template.j2 create mode 100644 tests/end_to_end/roles/host_checker/tasks/check_connection.yaml create mode 100644 tests/end_to_end/roles/host_checker/tasks/check_os.yaml create mode 100644 tests/end_to_end/roles/host_checker/tasks/check_python.yaml create mode 100644 tests/end_to_end/roles/host_checker/tasks/main.yaml diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index c1d6fe70c5..b18f65a104 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -4,6 +4,7 @@ import os import ansible_runner import pytest +import json from tempfile import gettempdir from wazuh_testing.tools.file import remove_file 
@@ -11,6 +12,104 @@ alerts_json = os.path.join(gettempdir(), 'alerts.json') +suite_path = os.path.dirname(os.path.realpath(__file__)) + + +@pytest.fixture(scope='session', autouse=True) +def validate_environments(request): + """Fixture with session scope to validate the environments before run the E2E tests. + + This phase is divided in 4 steps: + Step 1: Collect the data related with the selected tests that will be executed. + Step 2: Generate a playbook with general validations containing cross-checks for selected tests. + Step 3: Run the generated playbook. + Step 4: Execute test-specific validations (if any). It will run one validation for each selected test set. + + Args: + request (fixture): Gives access to the requesting test context. + """ + collected_items = request.session.items + roles_path = request.config.getoption('--roles-path') + inventory_path = request.config.getoption('--inventory_path') + environment_file = os.path.join(suite_path, 'data', 'environment.json') + environment_metadata = json.load(open(environment_file)) + playbook_generator = os.path.join(suite_path, 'data', 'generate_general_play.yaml') + playbook_template = os.path.join(suite_path, 'data', 'validation_template.j2') + general_playbook = os.path.join(suite_path, 'data', 'general_validation.yaml') + + if not inventory_path: + raise ValueError('Inventory not specified') + + # -------------------------- Step 1: Prepare the necessary data ---------------- + # Get the path of the tests from collected items. 
+ collected_paths = [item.fspath for item in collected_items] + # Remove duplicates caused by the existence of 2 or more test cases + collected_paths = list(dict.fromkeys(collected_paths)) + test_suites_paths = [] + manager_instances = [] + agent_instances = [] + + for path in collected_paths: + # Remove the name of the file from the path + path = str(path).rsplit('/', 1)[0] + # Add the test suite path + test_suites_paths.append(path) + # Get the test suite name + test_suite_name = path.split('/')[-1:][0] + # Save the test environment metadata in lists + manager_instances.append(environment_metadata[test_suite_name]['managers']) + agent_instances.append(environment_metadata[test_suite_name]['agents']) + + # Get the largest number of manager/agent instances + num_of_managers = max(manager_instances) + num_of_agents = max(agent_instances) + # -------------------------- End of Step 1 ------------------------------------- + + # ---- Step 2: Run the playbook to generate the general validation playbook ---- + parameters = { + 'playbook': playbook_generator, 'inventory': inventory_path, + 'extravars': { + 'template_path': playbook_template, 'dest_path': general_playbook, + 'num_of_managers': num_of_managers, 'num_of_agents': num_of_agents + } + } + ansible_runner.run(**parameters) + # -------------------------- End of Step 2 ------------------------------------- + + # -------------------- Step 3: Run the general validation playbook ------------- + parameters = { + 'playbook': general_playbook, + 'inventory': inventory_path, + 'envvars': {'ANSIBLE_ROLES_PATH': roles_path} + } + general_validation_runner = ansible_runner.run(**parameters) + # Remove the generated playbook + remove_file(general_playbook) + # If the general validations have failed, then abort the execution finishing with an error. Else, continue. + if general_validation_runner.status == 'failed': + raise Exception(f"The general validations have failed. 
Please check that the environments meet the expected " \ + 'requirements.') + # -------------------------- End of Step 3 ------------------------------------- + + # Step 4: Execute test-specific validations (if any) + for path in test_suites_paths: + validation_playbook = os.path.join(path, 'data', 'playbooks', 'validation.yaml') + + if os.path.exists(validation_playbook): + # Set Ansible parameters + parameters = { + 'playbook': validation_playbook, + 'inventory': inventory_path, + 'envvars': {'ANSIBLE_ROLES_PATH': roles_path} + } + # Run the validations of the test suite. + validation_runner = ansible_runner.run(**parameters) + + # If the validation phase has failed, then abort the execution finishing with an error. Else, continue. + if validation_runner.status == 'failed': + raise Exception(f"The validation phase of {{ path }} has failed. Please check that the environments " \ + 'meet the expected requirements.') + # -------------------------- End of Step 4 ------------------------------------- @pytest.fixture(scope='function') @@ -126,3 +225,12 @@ def pytest_addoption(parser): type=str, help='Inventory path', ) + + parser.addoption( + '--roles-path', + action='store', + metavar='ROLES_PATH', + default=os.path.join(suite_path, 'roles'), + type=str, + help='Ansible roles path.', + ) diff --git a/tests/end_to_end/data/environment.json b/tests/end_to_end/data/environment.json new file mode 100644 index 0000000000..bdb65b1183 --- /dev/null +++ b/tests/end_to_end/data/environment.json 
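Review bot: The Step 4 error message never includes the suite path: inside an f-string `{{ path }}` is an escaped brace pair, so the text reads literally `{ path }`; it should be `raise Exception(f"The validation phase of {path} has failed. Please check that the environments " 'meet the expected requirements.')`. The result of the Step 2 `ansible_runner.run(**parameters)` that renders `general_validation.yaml` is discarded, so a failed render only surfaces as a confusing Step 3 failure on a missing playbook — check its `.status` the same way Step 3 does. `json.load(open(environment_file))` leaves the file handle open; `with open(environment_file) as fd: environment_metadata = json.load(fd)` is the usual form. Finally, `max(manager_instances)` raises `ValueError` when nothing was collected and `environment_metadata[test_suite_name]` raises a bare `KeyError` for a suite directory missing from environment.json; both would be clearer as explicit checks that name the suite.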
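Review bot: The new option is spelled `--roles-path` while the sibling option read in the fixture above is `--inventory_path`; mixing hyphen and underscore in neighbouring options is easy to mistype on the command line. Either use the same separator for both or register both spellings, `parser.addoption('--roles-path', '--roles_path', ...)`.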
@@ -0,0 +1,58 @@
+{
+ "test_audit": {
+ "managers": 1,
+ "agents": 0
+ },
+ "test_aws_infrastructure_monitoring": {
+ "managers": 1,
+ "agents": 0
+ },
+ "test_brute_force": {
+ "managers": 1,
+ "agents": 1
+ },
+ "test_detecting_suspicious_binaries": {
+ "managers": 1,
+ "agents": 0
+ },
+ "test_docker_monitoring": {
+ "managers": 1,
+ "agents": 0
+ },
+ "test_fim": {
+ "managers": 1,
+ "agents": 2
+ },
+ "test_netcat": {
+ "managers": 1,
+ "agents": 1
+ },
+ "test_osquery_integration": {
+ "managers": 1,
+ "agents": 0
+ },
+ "test_shellshock_attack_detection": {
+ "managers": 1,
+ "agents": 0
+ },
+ "test_sql_injection": {
+ "managers": 1,
+ "agents": 1
+ },
+ "test_virustotal": {
+ "managers": 1,
+ "agents": 1
+ },
+ "test_vulnerability_detector": {
+ "managers": 1,
+ "agents": 2
+ },
+ "test_windows_defender": {
+ "managers": 1,
+ "agents": 1
+ },
+ "test_yara_integration": {
+ "managers": 1,
+ "agents": 0
+ }
+}
\ No newline at end of file
diff --git a/tests/end_to_end/data/generate_general_play.yaml b/tests/end_to_end/data/generate_general_play.yaml
new file mode 100644
index 0000000000..d025f3da65
--- /dev/null
+++ b/tests/end_to_end/data/generate_general_play.yaml
@@ -0,0 +1,10 @@
+---
+- hosts: localhost
+ vars:
+ num_of_managers: "{{ num_of_managers }}"
+ num_of_agents: "{{ num_of_agents }}"
+ tasks:
+ - name: Generate a general validation playbook
+ template:
+ src: "{{ template_path }}"
+ dest: "{{ dest_path }}"
diff --git a/tests/end_to_end/data/validation_template.j2 b/tests/end_to_end/data/validation_template.j2
new file mode 100644
index 0000000000..c6d0d6e590
--- /dev/null
+++ b/tests/end_to_end/data/validation_template.j2
@@ -0,0 +1,12 @@
+{% if num_of_agents == 0 %}
+- hosts: managers
+{% elif num_of_managers == 0 %}
+- hosts: agents
+{% else %}
+- hosts: managers:agents
+{% endif %}
+ any_errors_fatal: true
+ roles:
+ - role: host_checker
+ vars:
+ os: "{% raw %}{{ 'Windows' if ansible_os_family == 'Windows' else 'Linux' }}{% endraw %}"
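Review bot: `num_of_managers: "{{ num_of_managers }}"` and `num_of_agents: "{{ num_of_agents }}"` define each play var in terms of itself; this only works because the extra vars passed from conftest take precedence over play vars, and if the play is ever run without them Ansible reports a recursive template loop rather than an undefined-variable error. Since the values always arrive as extravars, the `vars:` block can be dropped, or replaced by a comment such as `# num_of_managers, num_of_agents, template_path and dest_path are supplied as extra vars by conftest.py`.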
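Review bot: When both `num_of_agents` and `num_of_managers` are 0 the template silently takes the `elif` branch and targets `agents`; since conftest derives both counts from environment.json, a third branch that fails explicitly (or a check in conftest before rendering) would be clearer than a play aimed at an empty group. The `== 0` comparisons also assume the counts reach Jinja as integers; they pass through generate_general_play.yaml as `"{{ num_of_managers }}"` strings, so unless Ansible coerces them back to int the `managers:agents` branch is always chosen — worth confirming, or writing `{% if num_of_agents | int == 0 %}`.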
diff --git a/tests/end_to_end/roles/host_checker/tasks/check_connection.yaml b/tests/end_to_end/roles/host_checker/tasks/check_connection.yaml
new file mode 100644
index 0000000000..0774e4147b
--- /dev/null
+++ b/tests/end_to_end/roles/host_checker/tasks/check_connection.yaml
@@ -0,0 +1,27 @@
+# REQUIRED VARIABLES
+#-------------------
+# (String) os: Target operating system
+
+- name: Try connection (Linux)
+ ping:
+ when: os == 'Linux'
+ ignore_errors: true
+ register: result
+
+- name: Check if host is reachable (Linux)
+ set_fact:
+ failed: true
+ errors: "{{ inventory_hostname }} is unreachable."
+ when: '"ping" not in result.keys() and os == "Linux"'
+
+- name: Try connection (Windows)
+ win_ping:
+ when: os == 'Windows'
+ ignore_errors: true
+ register: result
+
+- name: Check if host is reachable (Windows)
+ set_fact:
+ failed: true
+ errors: "{{ inventory_hostname }} is unreachable."
+ when: '"ping" not in result.keys() and os == "Windows"'
diff --git a/tests/end_to_end/roles/host_checker/tasks/check_os.yaml b/tests/end_to_end/roles/host_checker/tasks/check_os.yaml
new file mode 100644
index 0000000000..0575103567
--- /dev/null
+++ b/tests/end_to_end/roles/host_checker/tasks/check_os.yaml
@@ -0,0 +1,15 @@
+# REQUIRED VARIABLES
+#-------------------
+# (String) os: Target operating system
+
+- name: Check OS (Linux)
+ set_fact:
+ failed: true
+ errors: "{{ errors }}\nThe {{ ansible_system }} OS was not expected, but the {{ os }} OS."
+ when: (os != ansible_system and os == "Linux")
+
+- name: Check OS (Windows)
+ set_fact:
+ failed: true
+ errors: "{{ errors }}\nThe {{ ansible_os_family }} OS was not expected, but the {{ os }} OS."
+ when: (os != ansible_os_family and os == "Windows")
diff --git a/tests/end_to_end/roles/host_checker/tasks/check_python.yaml b/tests/end_to_end/roles/host_checker/tasks/check_python.yaml
new file mode 100644
index 0000000000..1809eb3d27
--- /dev/null
+++ b/tests/end_to_end/roles/host_checker/tasks/check_python.yaml
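Review bot: `ignore_errors: true` on the two connection tasks does not cover the `unreachable` status: a host that cannot be contacted is dropped from the play at `ping:`/`win_ping:`, so the following "Check if host is reachable" task never runs and the `errors` message is never produced; `ignore_unreachable: true` on those two tasks is what lets the play continue to the check. The `errors:` value here also overwrites rather than appends, unlike check_os.yaml and check_python.yaml which build on `"{{ errors }}\n..."`; it is harmless only because this is the first check in main.yaml, so a comment saying so, `# first check: errors is still empty, no need to append`, or the same append form would keep the three files consistent. Reusing `register: result` for the Windows task is fine only because the Linux check is evaluated before it is overwritten.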
@@ -0,0 +1,20 @@ +# REQUIRED VARIABLES +#------------------- +# (String) os: Target operating system + +- name: Check default Python version (Linux) + set_fact: + failed: true + errors: "{{ errors }}\nPython version is less than 3. Current version: {{ ansible_python_version }}" + when: (os == "Linux" and ansible_python['version']['major'] < 3) + +- name: Get Python version (Windows) + win_shell: python -V + register: version + when: os == 'Windows' + +- name: Check default Python version (Linux) + set_fact: + failed: true + errors: "{{ errors }}\nPython version is less than 3. Current version: {{ version.stdout }}" + when: (os == "Windows" and version.stdout.split(" ")[1].split(".")[0] | int < 3) diff --git a/tests/end_to_end/roles/host_checker/tasks/main.yaml b/tests/end_to_end/roles/host_checker/tasks/main.yaml new file mode 100644 index 0000000000..f4c4281f2e --- /dev/null +++ b/tests/end_to_end/roles/host_checker/tasks/main.yaml @@ -0,0 +1,24 @@ +# -------- Task to identify whether the validation step fails or not. -------- +- name: Set flag and informative variable + set_fact: + failed: false + errors: null +# ---------------------------------------------------------------------------- + +# -------- Checks ------------------------------------------------------------ +- name: Check host connection + include_tasks: check_connection.yaml + +- name: Check Python + import_tasks: check_python.yaml + +- name: Check OS + import_tasks: check_os.yaml +# ---------------------------------------------------------------------------- + +# -------- Task to identify whether the validation step fails or not. -------- +- name: Verify if any check have failed + fail: + msg: "Some validations were fail:\n'{{ errors }}'" + when: failed == true +# ---------------------------------------------------------------------------- From 5fb7fdea534419eadedc639a7b7c2f3b650d1330 Mon Sep 17 00:00:00 2001 
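Review bot: The Windows version check parses only stdout, but `python -V` on Python 2 writes its version to stderr, so `version.stdout` is empty and `version.stdout.split(" ")[1]` fails inside the `when` expression instead of recording "Python version is less than 3" — the exact case this check exists to report. Use `(version.stdout ~ version.stderr)` in both the `when` condition and the `errors` message, or run `win_shell: python -V 2>&1`. The third task is also misnamed `Check default Python version (Linux)` although it is the Windows branch; rename it to `Check default Python version (Windows)`. In main.yaml, `errors` starts as `null` and the later checks prepend `{{ errors }}\n`, so the first appended message may render with a leading `None` — worth confirming on a failing host.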
From: Mauro Malara Date: Mon, 15 Aug 2022 19:33:26 -0300 Subject: [PATCH 370/552] fix: test_fim fixed. #2830 --- .../end_to_end/test_fim/data/playbooks/generate_events.yaml | 4 ++-- tests/end_to_end/test_fim/test_fim.py | 5 +++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/tests/end_to_end/test_fim/data/playbooks/generate_events.yaml b/tests/end_to_end/test_fim/data/playbooks/generate_events.yaml index 4ddc7c0196..200187088f 100644 --- a/tests/end_to_end/test_fim/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_fim/data/playbooks/generate_events.yaml @@ -18,13 +18,13 @@ path: "{{ path }}" state: "{{ state }}" mode: "{{ mode }}" - when: os == "Linux" + when: ansible_system == os - name: "{{ event_description }}" win_file: path: "{{ path }}" state: "{{ state }}" - when: os == ansible_facts['os_family'] + when: ansible_facts['os_family'] == os - name: Get alerts hosts: wazuh-manager diff --git a/tests/end_to_end/test_fim/test_fim.py b/tests/end_to_end/test_fim/test_fim.py index d46bb6dd33..6adaee3e48 100644 --- a/tests/end_to_end/test_fim/test_fim.py +++ b/tests/end_to_end/test_fim/test_fim.py 
@@ -28,13 +28,14 @@ def test_fim(configure_environment, metadata, get_dashboard_credentials, generat rule_level = metadata['rule.level'] rule_description = metadata['rule.description'] syscheck_path = metadata['extra']['syscheck.path'] + timestamp = r'\d+\-\d+\-\w+\:\d+\:\d+\.\d+[+|-]\d+' - expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule":{{"level":{rule_level},' \ + expected_alert_json = fr'.*\{{"timestamp":"({timestamp})","rule":{{"level":{rule_level},' \ fr'"description":"{rule_description}","id":"{rule_id}".*"syscheck":{{"path":' \ fr'"{syscheck_path}".*\}}' expected_indexed_alert = fr'.*"path": "{syscheck_path}".*"rule":.*"level": {rule_level},.*"description": ' \ - fr'"{rule_description}".*"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' + fr'"{rule_description}".*"timestamp": "({timestamp})".*' # Check that alert has been raised and save timestamp raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, From e907f8b769503ae684be1f2faf730f73cfc91bc8 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Mon, 15 Aug 2022 19:41:42 -0300 Subject: [PATCH 371/552] fix: grammatical errors corrected. #3142 --- tests/end_to_end/conftest.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index b18f65a104..5f612f6dd7 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py 
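Review bot: The new `timestamp` pattern uses `[+|-]` for the UTC-offset sign, which is a character class containing `+`, `|` and `-` and therefore also accepts a literal `|`; the intended form is just `[+-]`: `timestamp = r'\d+\-\d+\-\w+\:\d+\:\d+\.\d+[+-]\d+'`. Since this pattern is now shared by `expected_alert_json` and `expected_indexed_alert`, a one-line comment such as `# ISO-8601 timestamp with numeric UTC offset, e.g. 2022-08-15T19:33:26.123+0000` would document what it is meant to match. The enclosing `test_fim` function starts before this hunk and continues after it.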
@@ -19,9 +19,9 @@ def validate_environments(request): """Fixture with session scope to validate the environments before run the E2E tests. - This phase is divided in 4 steps: - Step 1: Collect the data related with the selected tests that will be executed. - Step 2: Generate a playbook with general validations containing cross-checks for selected tests. + This phase is divided into 4 steps: + Step 1: Collect the data related to the selected tests that will be executed. + Step 2: Generate a playbook containing cross-checks for selected tests. Step 3: Run the generated playbook. Step 4: Execute test-specific validations (if any). It will run one validation for each selected test set. From 0a18b9de6ed66c045156ccdbd4836ff94deb78e0 Mon Sep 17 00:00:00 2001 From: Julia Date: Tue, 16 Aug 2022 11:05:25 +0200 Subject: [PATCH 372/552] add: Add Virustotal documentation --- .../wazuh_testing/qa_docs/schema.yaml | 1 + .../test_virustotal_integration.py | 85 ++++++++++++++++++- 2 files changed, 83 insertions(+), 3 deletions(-) diff --git a/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml b/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml index 0daf4c71b4..e327bd1d62 100644 --- a/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml +++ b/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml @@ -361,6 +361,7 @@ predefined_values: - system_inventory - time_travel - token + - virustotal - vulnerability - vulnerability_detector - wazuh_db diff --git a/tests/end_to_end/test_virustotal_integration/test_virustotal_integration.py b/tests/end_to_end/test_virustotal_integration/test_virustotal_integration.py index 761d2b8f7b..f9fb6ffe0a 100644 --- a/tests/end_to_end/test_virustotal_integration/test_virustotal_integration.py +++ b/tests/end_to_end/test_virustotal_integration/test_virustotal_integration.py 
@@ -1,3 +1,48 @@ +''' +copyright: Copyright (C) 2015-2022, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: end_to_end + +brief: This test will verify that the integeration with Virustotal works correctly. Syscheck scans a directory for + changes and make the wazuh-integratord component query VirusTotal for threat results using the VirusTotal API. + Once VirusTotal identifies a file as a threat, Wazuh is configured to trigger an active response to remove the + file from the system. + +components: + - syscheck + - integration + - active_response + +targets: + - manager + - agent + +daemons: + - wazuh-syscheckd + - wazuh-integratord + - wazuh-execd + - wazuh-analysisd + +os_platform: + - linux + +os_version: + - CentOS 8 + +references: + - https://github.com/wazuh/wazuh-automation/wiki/Wazuh-demo:-Execution-guide#-virustotal + - https://documentation.wazuh.com/current/proof-of-concept-guide/detect-remove-malware-virustotal.html + - https://documentation.wazuh.com/current/user-manual/capabilities/virustotal-scan/index.html#virustotal-scan + +tags: + - demo + - virustotal + - active_response +''' import os import json import re 
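Review bot: The new module docstring has wording errors that will be published by qa_docs: `integeration` should be `integration`, and `Syscheck scans a directory for changes and make the wazuh-integratord component query VirusTotal` should read `makes`. The `brief` also states that Wazuh triggers an active response to remove the file, so the reader expects the test to verify the removal; if the test only checks the alert (as the assertions further down suggest), consider softening the brief to `Wazuh is configured to trigger an active response to remove the file; this test verifies the VirusTotal alert is raised and indexed.`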
@@ -25,10 +70,44 @@ @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) def test_virustotal_integration(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): - """ - Test to delete a malicious file detected by virustotal - """ + ''' + description: Check that an alert is generated and the active response executed if the file is malicious. + + test_phases: + - Set a custom Wazuh configuration. + - Add a file to generate the event. + - Check in the alerts.json log that the expected alert has been triggered and get its timestamp. + - Check that the obtained alert from alerts.json has been indexed. + + wazuh_min_version: 4.4.0 + + tier: 0 + + parameters: + - configurate_environment: + type: fixture + brief: Set the wazuh configuration according to the configuration playbook. + - metadata: + type: dict + brief: Wazuh configuration metadata. + - get_dashboard_credentials: + type: fixture + brief: Get the wazuh dashboard credentials. + - generate_events: + type: fixture + brief: Generate events that will trigger the alert according to the generate_events playbook. + - clean_alerts_index: + type: fixture + brief: Delete obtained alerts.json and alerts index. + + assertions: + - Verify that the alert has been triggered. + - Verify that the same alert has been indexed. + input_description: + - The `configuration.yaml` file provides the module configuration for this test. + - The `generate_events.yaml`file provides the function configuration for this test. + ''' rule_id = metadata['rule.id'] rule_level = metadata['rule.level'] rule_description = metadata['rule.description'] From 13e67d51c9d9791ef1a1be44589a0922e62b1a3f Mon Sep 17 00:00:00 2001 From: Julia Date: Tue, 16 Aug 2022 11:21:50 +0200 Subject: [PATCH 373/552] add: Add Windows Defender documentation --- .../wazuh_testing/qa_docs/schema.yaml | 1 + .../test_windows_defender.py | 77 ++++++++++++++++++- 2 files changed, 75 insertions(+), 3 deletions(-) 
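Review bot: The `parameters` section documents a fixture named `configurate_environment`, but the test signature takes `configure_environment`; since qa_docs matches these entries against the real fixtures, rename the entry to `- configure_environment:`. The `assertions` list only covers the alert being triggered and indexed, while the module `brief` promises an active-response removal of the file; either add a phase and assertion for the removal (if the test checks it) or keep the docstring limited to what is asserted. Also `The \`generate_events.yaml\`file provides` is missing a space before `file`.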
diff --git a/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml b/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml index e327bd1d62..5ab1a96bb3 100644 --- a/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml +++ b/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml @@ -369,5 +369,6 @@ predefined_values: - week_day - who_data - windows + - windows_defender - worker - wpk diff --git a/tests/end_to_end/test_windows_defender/test_windows_defender.py b/tests/end_to_end/test_windows_defender/test_windows_defender.py index a5f373e452..40f90c8538 100644 --- a/tests/end_to_end/test_windows_defender/test_windows_defender.py +++ b/tests/end_to_end/test_windows_defender/test_windows_defender.py @@ -1,3 +1,39 @@ +''' +copyright: Copyright (C) 2015-2022, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: end_to_end + +brief: This test will verify that Windows Defender logs are collected correctly. + +components: + - logcollector + +targets: + - manager + - agent + +daemons: + - wazuh-logcollector + - wazuh-analysisd + +os_platform: + - linux + +os_version: + - CentOS 8 + - Windows Server 2019 + +references: + - https://github.com/wazuh/wazuh-automation/wiki/Wazuh-demo:-Execution-guide#defender + +tags: + - demo + - windows_defender +''' import os import json import re 
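Review bot: `os_platform` lists only `linux`, while `os_version` includes `Windows Server 2019` and the test's subject is Windows Defender log collection from a Windows agent; add `- windows` to `os_platform` so the qa_docs metadata is internally consistent and the test is findable by platform. The `brief` could also say what is checked rather than "collected correctly", e.g. `This test verifies that Windows Defender event-channel logs collected by wazuh-logcollector raise the expected alert on the manager.`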
@@ -26,9 +62,44 @@ @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) def test_windows_defender(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): - """ - Test to detect a vulnerability - """ + ''' + description: Check that an alert is generated for Windows Defender logs. + + test_phases: + - Set a custom Wazuh configuration. + - Disable Windows Defender real-time monitoring to generate the event. + - Check in the alerts.json log that the expected alert has been triggered and get its timestamp. + - Check that the obtained alert from alerts.json has been indexed. + + wazuh_min_version: 4.4.0 + + tier: 0 + + parameters: + - configurate_environment: + type: fixture + brief: Set the wazuh configuration according to the configuration playbook. + - metadata: + type: dict + brief: Wazuh configuration metadata. + - get_dashboard_credentials: + type: fixture + brief: Get the wazuh dashboard credentials. + - generate_events: + type: fixture + brief: Generate events that will trigger the alert according to the generate_events playbook. + - clean_alerts_index: + type: fixture + brief: Delete obtained alerts.json and alerts index. + + assertions: + - Verify that the alert has been triggered. + - Verify that the same alert has been indexed. + + input_description: + - The `configuration.yaml` file provides the module configuration for this test. + - The `generate_events.yaml`file provides the function configuration for this test. + ''' rule_level = metadata['rule.level'] rule_id = metadata['rule.id'] rule_description = metadata['rule.description'] From 99fd5ed4cf19372219adcdb6a5b1db60fc3139d5 Mon Sep 17 00:00:00 2001 From: Julia Date: Tue, 16 Aug 2022 11:53:35 +0200 Subject: [PATCH 374/552] add: Add Yara documentation --- .../wazuh_testing/qa_docs/schema.yaml | 1 + .../test_yara_integration.py | 77 +++++++++++++++++++ 2 files changed, 78 insertions(+) 
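Review bot: The `parameters` entry `configurate_environment` does not match the fixture actually taken by the test, `configure_environment`; rename it to `- configure_environment:` so qa_docs resolves it. The second test phase `Disable Windows Defender real-time monitoring to generate the event.` is the only place that says how the event is produced — a short note that this is done on the Windows agent via the `generate_events.yaml` playbook would help a reader who only sees this file. `The \`generate_events.yaml\`file provides` is also missing a space.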
diff --git a/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml b/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml index 5ab1a96bb3..23b1dacd0a 100644 --- a/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml +++ b/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml @@ -372,3 +372,4 @@ predefined_values: - windows_defender - worker - wpk + - yara diff --git a/tests/end_to_end/test_yara_integration/test_yara_integration.py b/tests/end_to_end/test_yara_integration/test_yara_integration.py index 32418abe9b..7bb545b2fa 100644 --- a/tests/end_to_end/test_yara_integration/test_yara_integration.py +++ b/tests/end_to_end/test_yara_integration/test_yara_integration.py @@ -1,3 +1,42 @@ +''' +copyright: Copyright (C) 2015-2022, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: end_to_end + +brief: This test will verify that YARA integration works correctly. YARA is a tool aimed at, but not limited to, helping + identify and classify malware artifacts. With this integration, we are able to scan files added or modified and + check if they contain malware. + +components: + - syscheck + - active_response + +targets: + - manager + +daemons: + - wazuh-syscheckd + - wazuh-execd + - wazuh-analysisd + +os_platform: + - linux + +os_version: + - CentOS 8 + +references: + - https://github.com/wazuh/wazuh-automation/wiki/Wazuh-demo:-Execution-guide#yara + - https://documentation.wazuh.com/current/proof-of-concept-guide/detect-malware-yara-integration.html + +tags: + - demo + - yara +''' import os import json import re 
@@ -32,6 +71,44 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') def test_yara_integration(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): + ''' + description: Check that an alert is generated when malware is downloaded. + + test_phases: + - Set a custom Wazuh configuration. + - Download to generate the event. + - Check in the alerts.json log that the expected alert has been triggered and get its timestamp. + - Check that the obtained alert from alerts.json has been indexed. + + wazuh_min_version: 4.4.0 + + tier: 0 + + parameters: + - configurate_environment: + type: fixture + brief: Set the wazuh configuration according to the configuration playbook. + - metadata: + type: dict + brief: Wazuh configuration metadata. + - get_dashboard_credentials: + type: fixture + brief: Get the wazuh dashboard credentials. + - generate_events: + type: fixture + brief: Generate events that will trigger the alert according to the generate_events playbook. + - clean_alerts_index: + type: fixture + brief: Delete obtained alerts.json and alerts index. + + assertions: + - Verify that the alert has been triggered. + - Verify that the same alert has been indexed. + + input_description: + - The `configuration.yaml` file provides the module configuration for this test. + - The `generate_events.yaml`file provides the function configuration for this test. + ''' rule_description = metadata['rule.description'] rule_id = metadata['rule.id'] rule_level = metadata['rule.level'] From 123ef4c40e7ce10616c8601a498cd48decfe62e7 Mon Sep 17 00:00:00 2001 
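Review bot: The `parameters` entry `configurate_environment` should be `configure_environment`, matching the fixture in the signature two lines above. The phase `Download to generate the event.` is missing its object; given the module brief, something like `- Download a file containing a known YARA-detectable sample into the monitored directory to generate the event.` would be clearer (adjust to what generate_events.yaml actually fetches). As in the other demo tests, `The \`generate_events.yaml\`file provides` is missing a space.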
From: Belen Valdivia Date: Tue, 16 Aug 2022 10:50:28 -0300 Subject: [PATCH 375/552] fix: rename files amd deleted os checks in brute force tests --- .../{cases_brute_force.yaml => cases_brute_force_rdp.yaml} | 3 +-- .../test_brute_force_rdp/test_brute_force_rdp.py | 4 ++-- .../{cases_brute_force.yaml => cases_brute_force_ssh.yaml} | 3 +-- .../test_brute_force_ssh/test_brute_force_ssh.py | 4 ++-- 4 files changed, 6 insertions(+), 8 deletions(-) rename tests/end_to_end/test_brute_force/test_brute_force_rdp/data/test_cases/{cases_brute_force.yaml => cases_brute_force_rdp.yaml} (88%) rename tests/end_to_end/test_brute_force/test_brute_force_ssh/data/test_cases/{cases_brute_force.yaml => cases_brute_force_ssh.yaml} (89%) diff --git a/tests/end_to_end/test_brute_force/test_brute_force_rdp/data/test_cases/cases_brute_force.yaml b/tests/end_to_end/test_brute_force/test_brute_force_rdp/data/test_cases/cases_brute_force_rdp.yaml similarity index 88% rename from tests/end_to_end/test_brute_force/test_brute_force_rdp/data/test_cases/cases_brute_force.yaml rename to tests/end_to_end/test_brute_force/test_brute_force_rdp/data/test_cases/cases_brute_force_rdp.yaml index 4d1eca08e9..6c7e678745 100644 --- a/tests/end_to_end/test_brute_force/test_brute_force_rdp/data/test_cases/cases_brute_force.yaml +++ b/tests/end_to_end/test_brute_force/test_brute_force_rdp/data/test_cases/cases_brute_force_rdp.yaml @@ -7,5 +7,4 @@ rule.description: Multiple Windows logon failures. extra: mitre_technique: Brute Force - extra_vars: - agent_os: Windows + diff --git a/tests/end_to_end/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py b/tests/end_to_end/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py index c6f395d63f..64cb8806d1 100644 --- a/tests/end_to_end/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py +++ b/tests/end_to_end/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py 
@@ -11,7 +11,7 @@ # Test cases data alerts_json = os.path.join(gettempdir(), 'alerts.json') test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') -test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_brute_force.yaml') +test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_brute_force_rdp.yaml') # Playbooks configuration_playbooks = ['configuration.yaml'] @@ -24,7 +24,7 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_brute_force(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): +def test_brute_force_rdp(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): """ Test to detect a RDP Brute Force attack """ diff --git a/tests/end_to_end/test_brute_force/test_brute_force_ssh/data/test_cases/cases_brute_force.yaml b/tests/end_to_end/test_brute_force/test_brute_force_ssh/data/test_cases/cases_brute_force_ssh.yaml similarity index 89% rename from tests/end_to_end/test_brute_force/test_brute_force_ssh/data/test_cases/cases_brute_force.yaml rename to tests/end_to_end/test_brute_force/test_brute_force_ssh/data/test_cases/cases_brute_force_ssh.yaml index 961242a177..7413df8fb4 100644 --- a/tests/end_to_end/test_brute_force/test_brute_force_ssh/data/test_cases/cases_brute_force.yaml +++ b/tests/end_to_end/test_brute_force/test_brute_force_ssh/data/test_cases/cases_brute_force_ssh.yaml @@ -7,5 +7,4 @@ rule.description: "sshd: brute force trying to get access to the system. Non existent user." extra: mitre_technique: Brute Force - extra_vars: - agent_os: Linux + diff --git a/tests/end_to_end/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py b/tests/end_to_end/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py index e17168384d..eee77d81bf 100644 
--- a/tests/end_to_end/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py +++ b/tests/end_to_end/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py @@ -11,7 +11,7 @@ # Test cases data alerts_json = os.path.join(gettempdir(), 'alerts.json') test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') -test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_brute_force.yaml') +test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_brute_force_ssh.yaml') # Playbooks events_playbooks = ['generate_events.yaml'] @@ -23,7 +23,7 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_brute_force(metadata, get_dashboard_credentials, generate_events, clean_alerts_index): +def test_brute_force_ssh(metadata, get_dashboard_credentials, generate_events, clean_alerts_index): """ Test to detect a SSH Brute Force attack """ From 32249dfa1d732e79983d294b7848c8f12e53a5cf Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Tue, 16 Aug 2022 11:42:51 -0300 Subject: [PATCH 376/552] fix: rename files and deleted os checks fim tests --- .../test_fim_linux/data/playbooks/configuration.yaml | 6 ++---- .../test_cases/{cases_fim.yaml => cases_fim_linux.yaml} | 0 .../end_to_end/test_fim/test_fim_linux/test_fim_linux.py | 4 ++-- .../test_fim_windows/data/playbooks/configuration.yaml | 8 ++------ .../test_cases/{cases_fim.yaml => cases_fim_windows.yaml} | 0 .../test_fim/test_fim_windows/test_fim_windows.py | 4 ++-- 6 files changed, 8 insertions(+), 14 deletions(-) rename tests/end_to_end/test_fim/test_fim_linux/data/test_cases/{cases_fim.yaml => cases_fim_linux.yaml} (100%) rename tests/end_to_end/test_fim/test_fim_windows/data/test_cases/{cases_fim.yaml => cases_fim_windows.yaml} (100%) 
diff --git a/tests/end_to_end/test_fim/test_fim_linux/data/playbooks/configuration.yaml b/tests/end_to_end/test_fim/test_fim_linux/data/playbooks/configuration.yaml index 59b98055a7..5d417cf4cc 100644 --- a/tests/end_to_end/test_fim/test_fim_linux/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_fim/test_fim_linux/data/playbooks/configuration.yaml @@ -1,6 +1,6 @@ --- - name: Test case configuration - hosts: agents + hosts: wazuh-agent tasks: - name: Create directory to monitor (Linux) @@ -8,7 +8,6 @@ file: path: /tmp/test_demo_fim state: directory - when: ansible_facts['system'] == "Linux" - name: Add directory to syscheck configuration (Linux) become: True @@ -18,11 +17,10 @@ block: | /tmp/test_demo_fim marker: - when: ansible_facts['system'] == "Linux" - name: Restart Wazuh (Linux) become: True systemd: name: wazuh-agent state: restarted - when: ansible_facts['system'] == "Linux" + diff --git a/tests/end_to_end/test_fim/test_fim_linux/data/test_cases/cases_fim.yaml b/tests/end_to_end/test_fim/test_fim_linux/data/test_cases/cases_fim_linux.yaml similarity index 100% rename from tests/end_to_end/test_fim/test_fim_linux/data/test_cases/cases_fim.yaml rename to tests/end_to_end/test_fim/test_fim_linux/data/test_cases/cases_fim_linux.yaml diff --git a/tests/end_to_end/test_fim/test_fim_linux/test_fim_linux.py b/tests/end_to_end/test_fim/test_fim_linux/test_fim_linux.py index 6bc4b08f27..d483f4161c 100644 --- a/tests/end_to_end/test_fim/test_fim_linux/test_fim_linux.py +++ b/tests/end_to_end/test_fim/test_fim_linux/test_fim_linux.py 
@@ -10,7 +10,7 @@ alerts_json = os.path.join(gettempdir(), 'alerts.json') test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') -test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_fim.yaml') +test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_fim_linux.yaml') configuration_playbooks = ['configuration.yaml'] events_playbooks = ['generate_events.yaml'] teardown_playbooks = ['teardown.yaml'] @@ -20,7 +20,7 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_fim(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): +def test_fim_linux(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): """ Test to scanning a file in Linux using FIM """ diff --git a/tests/end_to_end/test_fim/test_fim_windows/data/playbooks/configuration.yaml b/tests/end_to_end/test_fim/test_fim_windows/data/playbooks/configuration.yaml index 152ecd3a31..e0da32bd3f 100644 --- a/tests/end_to_end/test_fim/test_fim_windows/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_fim/test_fim_windows/data/playbooks/configuration.yaml @@ -1,13 +1,12 @@ --- - name: Test case configuration - hosts: agents + hosts: wazuh-windows tasks: - name: Create directory to monitor (Windows) win_file: path: C:\Test\test_demo_fim state: directory - when: ansible_facts['os_family'] == "Windows" - name: Add directory to syscheck configuration (Windows) win_lineinfile: 
@@ -15,23 +14,20 @@ insertafter: line: | C:\\Test\\test_demo_fim - when: ansible_facts['os_family'] == "Windows" - name: Truncate ossec.log win_file: path: C:\Program Files (x86)\ossec-agent\ossec.log state: absent - when: ansible_facts['os_family'] == "Windows" - name: Restart Wazuh (Windows) win_shell: | net stop wazuh net start wazuh - when: ansible_facts['os_family'] == "Windows" - name: Wait for whodata start win_wait_for: path: C:\Program Files (x86)\ossec-agent\ossec.log search_regex: File integrity monitoring real-time Whodata engine started. timeout: 20 - when: ansible_facts['os_family'] == "Windows" + diff --git a/tests/end_to_end/test_fim/test_fim_windows/data/test_cases/cases_fim.yaml b/tests/end_to_end/test_fim/test_fim_windows/data/test_cases/cases_fim_windows.yaml similarity index 100% rename from tests/end_to_end/test_fim/test_fim_windows/data/test_cases/cases_fim.yaml rename to tests/end_to_end/test_fim/test_fim_windows/data/test_cases/cases_fim_windows.yaml diff --git a/tests/end_to_end/test_fim/test_fim_windows/test_fim_windows.py b/tests/end_to_end/test_fim/test_fim_windows/test_fim_windows.py index 1d376b60e2..249e09b2a7 100644 --- a/tests/end_to_end/test_fim/test_fim_windows/test_fim_windows.py +++ b/tests/end_to_end/test_fim/test_fim_windows/test_fim_windows.py @@ -10,7 +10,7 @@ alerts_json = os.path.join(gettempdir(), 'alerts.json') test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') -test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_fim.yaml') +test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_fim_windows.yaml') configuration_playbooks = ['configuration.yaml'] events_playbooks = ['generate_events.yaml'] teardown_playbooks = ['teardown.yaml'] 
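Review bot: With the OS guards removed, the task order here deserves a second look: `Truncate ossec.log` actually deletes the file (`state: absent`) while the agent service is still running, and only afterwards runs `net stop wazuh` / `net start wazuh`; on Windows a file held open by the service may refuse deletion, which would fail the play, and the later `win_wait_for` on the same path then depends on the restarted agent recreating it. Moving the delete between `net stop wazuh` and `net start wazuh` (or renaming the task to `Delete ossec.log` if the intent is really removal) makes this robust and honest. Dropping `when: ansible_facts['os_family'] == "Windows"` also means correctness now rests on the `wazuh-windows` inventory group containing only Windows hosts — a comment on the play header stating that assumption would help.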
@@ -20,7 +20,7 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_fim(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): +def test_fim_windows(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): """ Test to scanning a file in Windows using FIM """ From 412dcd8eb09b2cbcaf302661aec2ef65a8137dca Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Tue, 16 Aug 2022 12:41:59 -0300 Subject: [PATCH 377/552] fix: renamed files and deleted os checks vulnerability detetcor tests --- ..._detector.yaml => cases_vulnerability_detector_linux.yaml} | 0 .../test_vulnerability_detector_linux.py | 4 ++-- ...etector.yaml => cases_vulnerability_detector_windows.yaml} | 0 .../test_vulnerability_detection_windows.py | 4 ++-- 4 files changed, 4 insertions(+), 4 deletions(-) rename tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/test_cases/{cases_vulnerability_detector.yaml => cases_vulnerability_detector_linux.yaml} (100%) rename tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/test_cases/{cases_vulnerability_detector.yaml => cases_vulnerability_detector_windows.yaml} (100%) diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/test_cases/cases_vulnerability_detector.yaml b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/test_cases/cases_vulnerability_detector_linux.yaml similarity index 100% rename from tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/test_cases/cases_vulnerability_detector.yaml rename to tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/test_cases/cases_vulnerability_detector_linux.yaml 
diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py index d8a1c66ce3..57703bdd01 100644 --- a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py +++ b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py @@ -11,7 +11,7 @@ # Test cases data alerts_json = os.path.join(gettempdir(), 'alerts.json') test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') -test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_vulnerability_detector.yaml') +test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_vulnerability_detector_linux.yaml') # Playbooks configuration_playbooks = ['configuration.yaml'] @@ -24,7 +24,7 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_vulnerability_detector(configure_environment, metadata, get_dashboard_credentials, generate_events, +def test_vulnerability_detector_linux(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): """ Test to detect a vulnerability 
diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/test_cases/cases_vulnerability_detector.yaml b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/test_cases/cases_vulnerability_detector_windows.yaml similarity index 100% rename from tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/test_cases/cases_vulnerability_detector.yaml rename to tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/test_cases/cases_vulnerability_detector_windows.yaml diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py index d8a1c66ce3..3c8022ff70 100644 --- a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py +++ b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py @@ -11,7 +11,7 @@ # Test cases data alerts_json = os.path.join(gettempdir(), 'alerts.json') test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') -test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_vulnerability_detector.yaml') +test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_vulnerability_detector_windows.yaml') # Playbooks configuration_playbooks = ['configuration.yaml'] 
@@ -24,7 +24,7 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_vulnerability_detector(configure_environment, metadata, get_dashboard_credentials, generate_events, +def test_vulnerability_detector_windows(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): """ Test to detect a vulnerability From 169c9200752fc07a4d07ccc854ec7d59179d7ac2 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Tue, 16 Aug 2022 12:58:20 -0300 Subject: [PATCH 378/552] fix: linter errors --- .../data/test_cases/cases_brute_force_rdp.yaml | 1 - .../data/test_cases/cases_brute_force_ssh.yaml | 1 - .../test_fim_linux/data/playbooks/configuration.yaml | 8 +++----- .../test_fim/test_fim_linux/data/playbooks/teardown.yaml | 3 +-- .../test_fim_windows/data/playbooks/configuration.yaml | 2 -- .../test_fim_windows/data/playbooks/generate_events.yaml | 2 +- .../test_vulnerability_detection_windows.py | 2 +- 7 files changed, 6 insertions(+), 13 deletions(-) diff --git a/tests/end_to_end/test_brute_force/test_brute_force_rdp/data/test_cases/cases_brute_force_rdp.yaml b/tests/end_to_end/test_brute_force/test_brute_force_rdp/data/test_cases/cases_brute_force_rdp.yaml index 6c7e678745..0d2bfb9feb 100644 --- a/tests/end_to_end/test_brute_force/test_brute_force_rdp/data/test_cases/cases_brute_force_rdp.yaml +++ b/tests/end_to_end/test_brute_force/test_brute_force_rdp/data/test_cases/cases_brute_force_rdp.yaml @@ -7,4 +7,3 @@ rule.description: Multiple Windows logon failures. extra: mitre_technique: Brute Force - diff --git a/tests/end_to_end/test_brute_force/test_brute_force_ssh/data/test_cases/cases_brute_force_ssh.yaml b/tests/end_to_end/test_brute_force/test_brute_force_ssh/data/test_cases/cases_brute_force_ssh.yaml index 7413df8fb4..d58f3ff6dd 100644 
--- a/tests/end_to_end/test_brute_force/test_brute_force_ssh/data/test_cases/cases_brute_force_ssh.yaml +++ b/tests/end_to_end/test_brute_force/test_brute_force_ssh/data/test_cases/cases_brute_force_ssh.yaml @@ -7,4 +7,3 @@ rule.description: "sshd: brute force trying to get access to the system. Non existent user." extra: mitre_technique: Brute Force - diff --git a/tests/end_to_end/test_fim/test_fim_linux/data/playbooks/configuration.yaml b/tests/end_to_end/test_fim/test_fim_linux/data/playbooks/configuration.yaml index 5d417cf4cc..32a12480af 100644 --- a/tests/end_to_end/test_fim/test_fim_linux/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_fim/test_fim_linux/data/playbooks/configuration.yaml @@ -1,16 +1,15 @@ ---- - name: Test case configuration hosts: wazuh-agent tasks: - name: Create directory to monitor (Linux) - become: True + become: true file: path: /tmp/test_demo_fim state: directory - name: Add directory to syscheck configuration (Linux) - become: True + become: true blockinfile: path: /var/ossec/etc/ossec.conf insertafter: @@ -19,8 +18,7 @@ marker: - name: Restart Wazuh (Linux) - become: True + become: true systemd: name: wazuh-agent state: restarted - diff --git a/tests/end_to_end/test_fim/test_fim_linux/data/playbooks/teardown.yaml b/tests/end_to_end/test_fim/test_fim_linux/data/playbooks/teardown.yaml index 69e7ecd2c5..d66fe3af54 100644 --- a/tests/end_to_end/test_fim/test_fim_linux/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_fim/test_fim_linux/data/playbooks/teardown.yaml @@ -1,7 +1,6 @@ ---- - name: Cleanup Linux agent environment hosts: wazuh-agent - become: True + become: true tasks: - name: Delete syscheck configuration diff --git a/tests/end_to_end/test_fim/test_fim_windows/data/playbooks/configuration.yaml b/tests/end_to_end/test_fim/test_fim_windows/data/playbooks/configuration.yaml index e0da32bd3f..a04a1e298e 100644 --- a/tests/end_to_end/test_fim/test_fim_windows/data/playbooks/configuration.yaml 
+++ b/tests/end_to_end/test_fim/test_fim_windows/data/playbooks/configuration.yaml @@ -1,4 +1,3 @@ ---- - name: Test case configuration hosts: wazuh-windows tasks: @@ -30,4 +29,3 @@ path: C:\Program Files (x86)\ossec-agent\ossec.log search_regex: File integrity monitoring real-time Whodata engine started. timeout: 20 - diff --git a/tests/end_to_end/test_fim/test_fim_windows/data/playbooks/generate_events.yaml b/tests/end_to_end/test_fim/test_fim_windows/data/playbooks/generate_events.yaml index dfe9c48f57..696adc6b1d 100644 --- a/tests/end_to_end/test_fim/test_fim_windows/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_fim/test_fim_windows/data/playbooks/generate_events.yaml @@ -4,7 +4,7 @@ - name: Truncate file shell: echo "" > /var/ossec/logs/alerts/alerts.json - become: True + become: true - name: Generate events hosts: wazuh-windows diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py index 3c8022ff70..143381f6f4 100644 --- a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py +++ b/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py @@ -25,7 +25,7 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) def test_vulnerability_detector_windows(configure_environment, metadata, get_dashboard_credentials, generate_events, - clean_alerts_index): + clean_alerts_index): """ Test to detect a vulnerability """ From f84dc10a45d7b37e84182cbd8f55552c8ab12d5a Mon Sep 17 00:00:00 2001 
From: Mauro Malara Date: Tue, 16 Aug 2022 16:11:11 -0300 Subject: [PATCH 379/552] feat and fix: several tasks and changes. #3142 Tasks to check filebeat-indexer and controller-indexer connections. New role related to Wazuh services added. Some changes related to linter corrections. --- tests/end_to_end/conftest.py | 4 ++-- .../data/generate_general_play.yaml | 1 - tests/end_to_end/data/validation_template.j2 | 7 +++--- .../host_checker/tasks/check_connection.yaml | 4 ++-- .../tasks/check_controller_indexer.yaml | 22 +++++++++++++++++++ .../tasks/check_filebeat_indexer.yaml | 21 ++++++++++++++++++ .../roles/host_checker/tasks/check_os.yaml | 4 ++-- .../host_checker/tasks/check_python.yaml | 4 ++-- .../roles/host_checker/tasks/main.yaml | 6 +++++ .../tasks/get_installation_type.yaml | 9 ++++++++ .../data/playbooks/generate_events.yaml | 4 ++-- 11 files changed, 72 insertions(+), 14 deletions(-) create mode 100644 tests/end_to_end/roles/host_checker/tasks/check_controller_indexer.yaml create mode 100644 tests/end_to_end/roles/host_checker/tasks/check_filebeat_indexer.yaml create mode 100644 tests/end_to_end/roles/service_controller/tasks/get_installation_type.yaml diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 5f612f6dd7..fa975e4f5f 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -87,7 +87,7 @@ def validate_environments(request): remove_file(general_playbook) # If the general validations have failed, then abort the execution finishing with an error. Else, continue. if general_validation_runner.status == 'failed': - raise Exception(f"The general validations have failed. Please check that the environments meet the expected " \ + raise Exception(f"The general validations have failed. Please check that the environments meet the expected " 'requirements.') # -------------------------- End of Step 3 ------------------------------------- 
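Review bot: The new `raise` line keeps an `f` prefix on a string that contains no placeholders, so the f-string does nothing and linters flag it (F541); this hunk only drops the trailing backslash of the continuation. Write it as a plain literal, `raise Exception("The general validations have failed. Please check that the environments meet the expected "` followed by the existing `'requirements.')` line. Since the two adjacent literals are concatenated implicitly inside the parentheses, mixing `"…"` and `'…'` quoting on the two halves is also worth unifying. validate_environments starts before this hunk.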
@@ -107,7 +107,7 @@ def validate_environments(request): # If the validation phase has failed, then abort the execution finishing with an error. Else, continue. if validation_runner.status == 'failed': - raise Exception(f"The validation phase of {{ path }} has failed. Please check that the environments " \ + raise Exception(f"The validation phase of {{ path }} has failed. Please check that the environments " 'meet the expected requirements.') # -------------------------- End of Step 4 ------------------------------------- diff --git a/tests/end_to_end/data/generate_general_play.yaml b/tests/end_to_end/data/generate_general_play.yaml index d025f3da65..ada390fb1e 100644 --- a/tests/end_to_end/data/generate_general_play.yaml +++ b/tests/end_to_end/data/generate_general_play.yaml @@ -1,4 +1,3 @@ ---- - hosts: localhost vars: num_of_managers: "{{ num_of_managers }}" diff --git a/tests/end_to_end/data/validation_template.j2 b/tests/end_to_end/data/validation_template.j2 index c6d0d6e590..fe2d3829c0 100644 --- a/tests/end_to_end/data/validation_template.j2 +++ b/tests/end_to_end/data/validation_template.j2 @@ -1,9 +1,10 @@ +- name: General validation phase {% if num_of_agents == 0 %} -- hosts: managers + hosts: managers {% elif num_of_managers == 0 %} -- hosts: agents + hosts: agents {% else %} -- hosts: managers:agents + hosts: managers:agents {% endif %} any_errors_fatal: true roles: diff --git a/tests/end_to_end/roles/host_checker/tasks/check_connection.yaml b/tests/end_to_end/roles/host_checker/tasks/check_connection.yaml index 0774e4147b..b9926b1aa3 100644 --- a/tests/end_to_end/roles/host_checker/tasks/check_connection.yaml +++ b/tests/end_to_end/roles/host_checker/tasks/check_connection.yaml @@ -1,6 +1,6 @@ # REQUIRED VARIABLES -#------------------- -# (String) os: Target operating system +# ------------------- +# (String) os: Target operating system - name: Try connection (Linux) ping: 
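Review bot: The new `raise` line in validate_environments uses `f"The validation phase of {{ path }} has failed. …"`, and inside an f-string doubled braces are an escape, so the message actually emitted contains the literal text `{ path }` instead of the playbook path; the commit removes the continuation backslash but leaves this as it was. If the variable that holds the current validation playbook path is in scope here (the loop that sets it begins outside the hunk, so I cannot see its name), the fix is single braces, e.g. `f"The validation phase of {path} has failed. Please check that the environments "`; otherwise drop the `f` prefix and append the path explicitly. validate_environments is cut at both ends of this hunk.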
diff --git a/tests/end_to_end/roles/host_checker/tasks/check_controller_indexer.yaml b/tests/end_to_end/roles/host_checker/tasks/check_controller_indexer.yaml new file mode 100644 index 0000000000..cc73eb9122 --- /dev/null +++ b/tests/end_to_end/roles/host_checker/tasks/check_controller_indexer.yaml @@ -0,0 +1,22 @@ +# REQUIRED VARIABLES +# ------------------- +# (String) os: Target operating system + +- name: Get Wazuh installation + include_role: + name: service_controller + tasks_from: get_installation_type + +- name: Test connection with host + shell: nc -v -4 {{ inventory_hostname }} 9200 + timeout: 3 + ignore_errors: true + register: test_result + delegate_to: localhost + when: (os == 'Linux' and 'server' in wazuh_info.stdout) + +- name: Check the connection between Controller node and Wazuh Indexer + set_fact: + failed: true + errors: "{{ errors }}\nAnsible Controller node cannot connect correctly with Wazuh Indexer." + when: (test_result is failed and test_result.stdout is defined and 'refused' in test_result.stdout) diff --git a/tests/end_to_end/roles/host_checker/tasks/check_filebeat_indexer.yaml b/tests/end_to_end/roles/host_checker/tasks/check_filebeat_indexer.yaml new file mode 100644 index 0000000000..1e4adbcd12 --- /dev/null +++ b/tests/end_to_end/roles/host_checker/tasks/check_filebeat_indexer.yaml @@ -0,0 +1,21 @@ +# REQUIRED VARIABLES +# ------------------- +# (String) os: Target operating system + +- name: Get Wazuh installation + include_role: + name: service_controller + tasks_from: get_installation_type + +- name: Run filebeat test + become: true + shell: filebeat test output + register: test_result + ignore_errors: true + when: (os == 'Linux' and 'server' in wazuh_info.stdout) + +- name: Check the connection between Filebeat and Wazuh Indexer + set_fact: + failed: true + errors: "{{ errors }}\nFilebeat cannot connect correctly with Wazuh Indexer." + when: (os == 'Linux' and 'server' in wazuh_info.stdout and 'ERROR' in test_result.stdout) 
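Review bot: The verdict in the new `Check the connection between Controller node and Wazuh Indexer` task looks for `refused` in `test_result.stdout`, but `nc -v` prints its connection diagnostics on stderr, so on a refused connection `stdout` is empty and the error is never recorded. The probe `nc -v -4 {{ inventory_hostname }} 9200` also has no way to finish on success — an established connection just sits there until the 3-second `timeout` kills it and marks the task failed — so success and failure are hard to tell apart from the registered result. A zero-I/O probe with the outcome in the return code is more robust: `command: nc -z -v -4 -w 3 {{ inventory_hostname }} 9200` with `changed_when: false`, and the verdict `when: (test_result is not skipped and test_result.rc != 0)`; using `command:` also keeps the interpolated hostname out of a shell parser. Bear in mind that this only proves TCP reachability of port 9200 from the controller, not that TLS or authentication to the indexer work, which the task name could state.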
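Review bot: The `Check the connection between Filebeat and Wazuh Indexer` verdict greps `'ERROR'` in `test_result.stdout`, although `filebeat test output` already reports failure through its exit status, which `ignore_errors: true` leaves available in `test_result.rc`; `test_result.rc != 0` in the `when` clause would not depend on the wording or the stream of filebeat's output. The `Run filebeat test` task is read-only, so `changed_when: false` would stop every validation run from reporting a change. The `get_installation_type` include is repeated here and in check_controller_indexer.yaml, so `wazuh-control info` runs twice per host; including it once in main.yaml before the two checks would avoid the duplicate call.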
diff --git a/tests/end_to_end/roles/host_checker/tasks/check_os.yaml b/tests/end_to_end/roles/host_checker/tasks/check_os.yaml index 0575103567..129caefccf 100644 --- a/tests/end_to_end/roles/host_checker/tasks/check_os.yaml +++ b/tests/end_to_end/roles/host_checker/tasks/check_os.yaml @@ -1,6 +1,6 @@ # REQUIRED VARIABLES -#------------------- -# (String) os: Target operating system +# ------------------- +# (String) os: Target operating system - name: Check OS (Linux) set_fact: diff --git a/tests/end_to_end/roles/host_checker/tasks/check_python.yaml b/tests/end_to_end/roles/host_checker/tasks/check_python.yaml index 1809eb3d27..9a30ecf5bf 100644 --- a/tests/end_to_end/roles/host_checker/tasks/check_python.yaml +++ b/tests/end_to_end/roles/host_checker/tasks/check_python.yaml @@ -1,6 +1,6 @@ # REQUIRED VARIABLES -#------------------- -# (String) os: Target operating system +# ------------------- +# (String) os: Target operating system - name: Check default Python version (Linux) set_fact: diff --git a/tests/end_to_end/roles/host_checker/tasks/main.yaml b/tests/end_to_end/roles/host_checker/tasks/main.yaml index f4c4281f2e..4bb3e9ec30 100644 --- a/tests/end_to_end/roles/host_checker/tasks/main.yaml +++ b/tests/end_to_end/roles/host_checker/tasks/main.yaml @@ -14,6 +14,12 @@ - name: Check OS import_tasks: check_os.yaml + +- name: Check the connection between Filebeat and Wazuh Indexer + import_tasks: check_filebeat_indexer.yaml + +- name: Check the connection between Controller node and Wazuh Indexer + import_tasks: check_controller_indexer.yaml # ---------------------------------------------------------------------------- # -------- Task to identify whether the validation step fails or not. -------- diff --git a/tests/end_to_end/roles/service_controller/tasks/get_installation_type.yaml b/tests/end_to_end/roles/service_controller/tasks/get_installation_type.yaml new file mode 100644 index 0000000000..7396a6aea7 --- /dev/null 
+++ b/tests/end_to_end/roles/service_controller/tasks/get_installation_type.yaml @@ -0,0 +1,9 @@ +# REQUIRED VARIABLES +# ------------------- +# (String) os: Target operating system + +- name: Get installation type + become: true + shell: /var/ossec/bin/wazuh-control info + register: wazuh_info + when: os == 'Linux' diff --git a/tests/end_to_end/test_fim/data/playbooks/generate_events.yaml b/tests/end_to_end/test_fim/data/playbooks/generate_events.yaml index 200187088f..a2a1ac2005 100644 --- a/tests/end_to_end/test_fim/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_fim/data/playbooks/generate_events.yaml @@ -4,7 +4,7 @@ - name: Truncate file shell: echo "" > /var/ossec/logs/alerts/alerts.json - become: True + become: true - name: Generate events hosts: agents @@ -13,7 +13,7 @@ tasks: - name: "{{ event_description }}" - become: True + become: true file: path: "{{ path }}" state: "{{ state }}" From bae1f316c5bcb97a8cf81a4020c70826b9fd7853 Mon Sep 17 00:00:00 2001 
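Review bot: The new `Get installation type` task only reads `/var/ossec/bin/wazuh-control info`, yet it has no `changed_when: false`, so every play that includes it reports a change; nothing in the line needs a shell either, so `command:` is the better module (ansible-lint flags both points). Proposed lines: `command: /var/ossec/bin/wazuh-control info` and `changed_when: false`. The task registers `wazuh_info` only `when: os == 'Linux'`, while the copy of the same task added to roles/manage_wazuh/tasks/restart_wazuh.yaml in the next patch of this series tests `os == 'linux'`, so the two roles disagree on the accepted value of `os`; documenting the expected spelling in the REQUIRED VARIABLES header, e.g. `# (String) os: Target operating system ('Linux' or 'Windows')`, would make the contract explicit.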
From: Belen Valdivia Date: Tue, 16 Aug 2022 16:55:34 -0300 Subject: [PATCH 380/552] add: changes in conftest.py to real role folder in configuration environment, teardown and generate events --- .../restart_wazuh/tasks/get_alert_json.yaml | 0 tests/end_to_end/conftest.py | 30 ++++++++++++++++--- .../manage_wazuh}/tasks/restart_wazuh.yaml | 15 ++++++---- .../data/playbooks/configuration.yaml | 5 ++-- .../data/playbooks/generate_events.yaml | 11 ++++--- .../data/playbooks/configuration.yaml | 16 +++++++--- .../data/playbooks/generate_events.yaml | 10 +++---- .../data/playbooks/teardown.yaml | 20 ++++++++----- .../data/playbooks/configuration.yaml | 19 +++++++----- .../data/playbooks/generate_events.yaml | 10 +++---- .../data/playbooks/teardown.yaml | 10 ++++--- 11 files changed, 92 insertions(+), 54 deletions(-) delete mode 100644 tests/end_to_end/ansible-roles/restart_wazuh/tasks/get_alert_json.yaml rename tests/end_to_end/{ansible-roles/restart_wazuh => roles/manage_wazuh}/tasks/restart_wazuh.yaml (65%) diff --git a/tests/end_to_end/ansible-roles/restart_wazuh/tasks/get_alert_json.yaml b/tests/end_to_end/ansible-roles/restart_wazuh/tasks/get_alert_json.yaml deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index c1d6fe70c5..f87dc16f59 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -11,7 +11,7 @@ alerts_json = os.path.join(gettempdir(), 'alerts.json') - +suite_path = os.path.dirname(os.path.realpath(__file__)) @pytest.fixture(scope='function') def clean_alerts_index(get_dashboard_credentials): @@ -56,6 +56,7 @@ def configure_environment(request): request (fixture): Provide information on the executing test function. """ inventory_playbook = request.config.getoption('--inventory_path') + roles_path = request.config.getoption('--roles_path') if not inventory_playbook: raise ValueError('Inventory not specified') 
@@ -63,7 +64,10 @@ def configure_environment(request): # For each configuration playbook previously declared in the test, get the complete path and run it for playbook in getattr(request.module, 'configuration_playbooks'): configuration_playbook_path = os.path.join(getattr(request.module, 'test_data_path'), 'playbooks', playbook) - parameters = {'playbook': configuration_playbook_path, 'inventory': inventory_playbook} + parameters = {'playbook': configuration_playbook_path, + 'inventory': inventory_playbook, + 'envvars': {'ANSIBLE_ROLES_PATH': roles_path} + } # Check if the module has extra variables to pass to the playbook configuration_extra_vars = getattr(request.module, 'configuration_extra_vars', None) @@ -81,7 +85,11 @@ def configure_environment(request): for playbook in teardown_playbooks: teardown_playbook_path = os.path.join(getattr(request.module, 'test_data_path'), 'playbooks', playbook) - parameters = {'playbook': teardown_playbook_path, 'inventory': inventory_playbook} + parameters = {'playbook': teardown_playbook_path, + 'inventory': inventory_playbook, + 'envvars': {'ANSIBLE_ROLES_PATH': roles_path} + } + # Check if the module has extra variables to pass to the playbook configuration_extra_vars = getattr(request.module, 'configuration_extra_vars', None) @@ -101,6 +109,8 @@ def generate_events(request, metadata): metadata (dict): Dictionary with test case metadata. """ inventory_playbook = request.config.getoption('--inventory_path') + roles_path = request.config.getoption('--roles_path') + if not inventory_playbook: raise ValueError('Inventory not specified') 
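Review bot: The `parameters` dictionary carrying `'envvars': {'ANSIBLE_ROLES_PATH': roles_path}` is now assembled by hand in three places — this hunk, the teardown hunk below it, and the generate_events hunk on the next patch line — so any further runner option will have to be added three times. A small module-level helper, e.g. `def _runner_parameters(playbook_path, inventory, roles_path): return {'playbook': playbook_path, 'inventory': inventory, 'envvars': {'ANSIBLE_ROLES_PATH': roles_path}}`, called from each site would keep them in step. `roles_path` is taken from the command line without checking that the directory exists, so a mistyped `--roles_path` presumably only surfaces later as an Ansible role-resolution error; an `if not os.path.isdir(roles_path): raise ValueError(...)` next to the existing inventory check would fail fast. configure_environment starts before this hunk and its body continues past it.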
@@ -109,7 +119,10 @@ def generate_events(request, metadata): for playbook in getattr(request.module, 'events_playbooks'): events_playbook_path = os.path.join(getattr(request.module, 'test_data_path'), 'playbooks', playbook) - parameters = {'playbook': events_playbook_path, 'inventory': inventory_playbook} + parameters = {'playbook': events_playbook_path, + 'inventory': inventory_playbook, + 'envvars': {'ANSIBLE_ROLES_PATH': roles_path} + } # Check if the test case has extra variables to pass to the playbook and add them to the parameters in that case if 'extra_vars' in metadata: parameters.update({'extravars': metadata['extra_vars']}) @@ -126,3 +139,12 @@ def pytest_addoption(parser): type=str, help='Inventory path', ) + + parser.addoption( + '--roles_path', + action='store', + metavar='ROLES_PATH', + default=os.path.join(suite_path, 'roles'), + type=str, + help='Ansible roles path.', + ) diff --git a/tests/end_to_end/ansible-roles/restart_wazuh/tasks/restart_wazuh.yaml b/tests/end_to_end/roles/manage_wazuh/tasks/restart_wazuh.yaml similarity index 65% rename from tests/end_to_end/ansible-roles/restart_wazuh/tasks/restart_wazuh.yaml rename to tests/end_to_end/roles/manage_wazuh/tasks/restart_wazuh.yaml index ccbd0c95bb..878923a8ce 100644 --- a/tests/end_to_end/ansible-roles/restart_wazuh/tasks/restart_wazuh.yaml +++ b/tests/end_to_end/roles/manage_wazuh/tasks/restart_wazuh.yaml 
@@ -5,26 +5,29 @@ # # GENERIC: # - (String) os: Target operating system - # - # LINUX - # - (String) target: [manager,agent] + + - name: Get installation type + become: true + shell: /var/ossec/bin/wazuh-control info + register: wazuh_info + when: os == 'linux' - name: Restart manager service on linux become: true service: name: wazuh-manager state: restarted - when: os == 'linux' and target == 'manager' + when: (os == 'linux' and 'server' in wazuh_info.stdout) - name: Restart agent service on linux become: true service: name: "wazuh-agent" state: restarted - when: os == 'linux' and target == 'agent' + when: (os == 'linux' and 'agent' in wazuh_info.stdout) - name: Restart wazuh on Windows win_shell: "Get-Service -Name WazuhSvc -ErrorAction SilentlyContinue | Restart-Service -ErrorAction SilentlyContinue" args: executable: powershell.exe - when: os == 'windows' and target == 'agent' + when: os == 'windows' diff --git a/tests/end_to_end/test_sql_injection/data/playbooks/configuration.yaml b/tests/end_to_end/test_sql_injection/data/playbooks/configuration.yaml index 55ccf89804..f1ba8e8c01 100644 --- a/tests/end_to_end/test_sql_injection/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_sql_injection/data/playbooks/configuration.yaml @@ -25,8 +25,7 @@ - name: Restart agent include_role: - name: "/home/belen/Repositories/wazuh-qa/tests/end_to_end/ansible-roles/restart_wazuh" - tasks_from: "restart_wazuh.yaml" + name: manage_wazuh + tasks_from: restart_wazuh.yaml vars: os: 'linux' - target: 'agent' diff --git a/tests/end_to_end/test_sql_injection/data/playbooks/generate_events.yaml b/tests/end_to_end/test_sql_injection/data/playbooks/generate_events.yaml index f4c58677dc..708db24b28 100644 --- a/tests/end_to_end/test_sql_injection/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_sql_injection/data/playbooks/generate_events.yaml 
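Review bot: The new `Get installation type` task in restart_wazuh.yaml duplicates the one added to roles/service_controller/tasks/get_installation_type.yaml in the previous patch, but guards it with `when: os == 'linux'` where that file uses `os == 'Linux'`, so the two roles now disagree on the `os` value and the copies will drift. Reusing the existing task with `include_role: name: service_controller` plus `tasks_from: get_installation_type` and settling on one spelling would remove the duplication; the query should also carry `changed_when: false` so restarts do not report an extra change. The header comment still lists only `os`, yet the role now decides manager versus agent from `'server' in wazuh_info.stdout` / `'agent' in wazuh_info.stdout`; a comment such as `# Manager vs agent is derived from 'wazuh-control info' output (contains 'server' or 'agent')` would state that assumption where the next reader looks. The Windows branch that the new `when: os == 'windows'` selects runs both PowerShell cmdlets with `-ErrorAction SilentlyContinue`, so a restart that never happens (wrong service name, stopped service) does not fail the play and the test only fails later with an unrelated-looking error.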
@@ -21,9 +21,8 @@ hosts: wazuh-manager tasks: - - name: Get alerts.json - fetch: - src: /var/ossec/logs/alerts/alerts.json - dest: /tmp/ - flat: true - become: true + - name: Get alert json + include_role: + name: get_alerts + tasks_from: get_alert_json.yaml + diff --git a/tests/end_to_end/test_virustotal_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_virustotal_integration/data/playbooks/configuration.yaml index df54e4902e..060d3dac8f 100644 --- a/tests/end_to_end/test_virustotal_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_virustotal_integration/data/playbooks/configuration.yaml @@ -66,8 +66,12 @@ - name: Truncate alert.json shell: echo "" > /var/ossec/logs/alerts/alerts.json - - name: Restart the manager - shell: systemctl restart wazuh-manager + - name: Restart manager + include_role: + name: manage_wazuh + tasks_from: restart_wazuh.yaml + vars: + os: 'linux' - name: Test agent configuration hosts: wazuh-agent @@ -99,5 +103,9 @@ chmod 750 /var/ossec/active-response/bin/remove-threat.sh chown root:wazuh /var/ossec/active-response/bin/remove-threat.sh - - name: Restart the agent - shell: systemctl restart wazuh-agent + - name: Restart agent + include_role: + name: manage_wazuh + tasks_from: restart_wazuh.yaml + vars: + os: 'linux' diff --git a/tests/end_to_end/test_virustotal_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_virustotal_integration/data/playbooks/generate_events.yaml index b2da1fc4d2..2a59c87521 100644 --- a/tests/end_to_end/test_virustotal_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_virustotal_integration/data/playbooks/generate_events.yaml @@ -14,9 +14,7 @@ hosts: wazuh-manager tasks: - - name: Get alerts.json - fetch: - src: /var/ossec/logs/alerts/alerts.json - dest: /tmp/ - flat: true - become: true + - name: Get alert json + include_role: + name: get_alerts + tasks_from: get_alert_json.yaml 
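Review bot: The new `Get alert json` task includes role `get_alerts` with `tasks_from: get_alert_json.yaml`, but this commit's file list only deletes the empty `ansible-roles/restart_wazuh/tasks/get_alert_json.yaml` and renames restart_wazuh.yaml into `roles/manage_wazuh`; no `roles/get_alerts/tasks/get_alert_json.yaml` is added, so unless that role already exists in the repository the include fails at runtime. The same replacement is made in test_virustotal_integration/data/playbooks/generate_events.yaml on this line and in test_windows_defender/data/playbooks/generate_events.yaml on the next patch line. The removed `fetch` ran with `become: true` and `flat: true` into `/tmp/`, and conftest reads `gettempdir()/alerts.json`, so whatever the role does must keep the privileged read and the flat destination for the tests to find the file. The hunk also leaves a trailing `+` blank line at the end of the file, the kind of thing the linter patch before this one was removing.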
diff --git a/tests/end_to_end/test_virustotal_integration/data/playbooks/teardown.yaml b/tests/end_to_end/test_virustotal_integration/data/playbooks/teardown.yaml index a9c23406ec..314d5f349d 100644 --- a/tests/end_to_end/test_virustotal_integration/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_virustotal_integration/data/playbooks/teardown.yaml @@ -16,10 +16,12 @@ block: '' marker: - - name: Restart wazuh-manager - systemd: - state: restarted - name: wazuh-manager + - name: Restart manager + include_role: + name: manage_wazuh + tasks_from: restart_wazuh.yaml + vars: + os: 'linux' - name: Cleanup agent environment hosts: wazuh-agent @@ -42,7 +44,9 @@ path: /root/harmless_file.txt state: absent - - name: Restart wazuh-agent - systemd: - state: restarted - name: wazuh-agent + - name: Restart agent + include_role: + name: manage_wazuh + tasks_from: restart_wazuh.yaml + vars: + os: 'linux' diff --git a/tests/end_to_end/test_windows_defender/data/playbooks/configuration.yaml b/tests/end_to_end/test_windows_defender/data/playbooks/configuration.yaml index f7757ab10a..04c27547e6 100644 --- a/tests/end_to_end/test_windows_defender/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_windows_defender/data/playbooks/configuration.yaml @@ -23,10 +23,12 @@ Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" - - name: Restart wazuh-agent (Windows) - ansible.windows.win_shell: | - net stop wazuh - net start wazuh + - name: Restart agent + include_role: + name: manage_wazuh + tasks_from: restart_wazuh.yaml + vars: + os: 'windows' - name: Test manager configuration hosts: wazuh-manager @@ -48,6 +50,9 @@ marker: - - name: Restart wazuh-manager - become: true - shell: systemctl restart wazuh-manager + - name: Restart manager + include_role: + name: manage_wazuh + tasks_from: restart_wazuh.yaml + vars: + os: 'linux' 
diff --git a/tests/end_to_end/test_windows_defender/data/playbooks/generate_events.yaml b/tests/end_to_end/test_windows_defender/data/playbooks/generate_events.yaml index 622c79ea24..4838db7e8d 100644 --- a/tests/end_to_end/test_windows_defender/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_windows_defender/data/playbooks/generate_events.yaml @@ -21,9 +21,7 @@ wait_for: timeout: 5 - - name: Get alerts.json - fetch: - src: /var/ossec/logs/alerts/alerts.json - dest: /tmp/ - flat: true - become: true + - name: Get alert json + include_role: + name: get_alerts + tasks_from: get_alert_json.yaml diff --git a/tests/end_to_end/test_windows_defender/data/playbooks/teardown.yaml b/tests/end_to_end/test_windows_defender/data/playbooks/teardown.yaml index 545714f280..33686140f7 100644 --- a/tests/end_to_end/test_windows_defender/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_windows_defender/data/playbooks/teardown.yaml @@ -16,7 +16,9 @@ - name: Enable Windows Defender ansible.windows.win_shell: set-MpPreference -DisableRealtimeMonitoring $False - - name: Restart wazuh-agent (Windows) - ansible.windows.win_shell: | - net stop wazuh - net start wazuh + - name: Restart agent + include_role: + name: manage_wazuh + tasks_from: restart_wazuh.yaml + vars: + os: 'windows' From 76764fc0abd3f388f9597da5f60a16133758a94b Mon Sep 17 00:00:00 2001 From: Julia Date: Wed, 17 Aug 2022 10:35:43 +0200 Subject: [PATCH 381/552] fix: Fix error message --- .../test_brute_force_rdp/data/playbooks/generate_events.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml b/tests/end_to_end/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml index 9b9b0fda70..3306ed72df 100644 --- a/tests/end_to_end/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml 
+++ b/tests/end_to_end/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml @@ -23,7 +23,7 @@ - test_user register: result failed_when: - - "'0 valid passwords found' not in result.stdout" + - "'0 valid password found' not in result.stdout" - name: Wait for alert wait_for: From 0b4b996c2e7ff7ccc458cb9af388454dd429af7f Mon Sep 17 00:00:00 2001 
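Review bot: The new `failed_when` entry `'0 valid password found' not in result.stdout` pins the check to the exact wording of the tool's summary line — this commit exists because the previous spelling `passwords` did not match — so the next change in that output turns a successful run into a failure again. A pattern tolerant of singular and plural, `- "result.stdout is not search('0 valid passwords? found')"`, is less brittle; the command that produces `result` starts before this hunk, so I cannot see which tool it is or whether its exit status reflects the outcome, which would be the preferable signal if it does. Either way a one-line comment stating which output line is being matched would help the next person who has to adjust it.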
From: Belen Valdivia Date: Wed, 17 Aug 2022 11:26:20 -0300 Subject: [PATCH 382/552] add: added basic cases folder and moved all tests into it --- .../test_aws_infrastructure_monitoring/README.md | 0 .../data/configuration/aws_cloudtrail_event.py | 0 .../data/playbooks/configuration.yaml | 0 .../data/playbooks/generate_events.yaml | 0 .../data/playbooks/teardown.yaml | 0 .../data/test_cases/cases_aws_infrastructure_monitoring.yaml | 0 .../test_aws_infrastructure_monitoring.py | 0 .../test_brute_force_rdp/data/playbooks/configuration.yaml | 0 .../test_brute_force_rdp/data/playbooks/generate_events.yaml | 0 .../data/test_cases/cases_brute_force_rdp.yaml | 0 .../test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py | 0 .../test_brute_force_ssh/data/playbooks/generate_events.yaml | 0 .../data/test_cases/cases_brute_force_ssh.yaml | 0 .../test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py | 0 .../data/configuration/trojan_script.sh | 0 .../data/playbooks/configuration.yaml | 0 .../data/playbooks/generate_events.yaml | 0 .../data/playbooks/teardown.yaml | 0 .../data/test_cases/cases_detecting_suspicious_binaries.yaml | 0 .../test_detecting_suspicious_binaries.py | 0 .../test_docker_monitoring/data/playbooks/configuration.yaml | 0 .../test_docker_monitoring/data/playbooks/generate_events.yaml | 0 .../test_docker_monitoring/data/playbooks/teardown.yaml | 0 .../data/test_cases/cases_docker_monitoring.yaml | 0 .../test_docker_monitoring/test_docker_monitoring.py | 0 .../test_fim/test_fim_linux/data/playbooks/configuration.yaml | 0 .../test_fim/test_fim_linux/data/playbooks/generate_events.yaml | 0 .../test_fim/test_fim_linux/data/playbooks/teardown.yaml | 0 .../test_fim/test_fim_linux/data/test_cases/cases_fim_linux.yaml | 0 .../{ => basic_cases}/test_fim/test_fim_linux/test_fim_linux.py | 0 .../test_fim/test_fim_windows/data/playbooks/configuration.yaml | 0 .../test_fim/test_fim_windows/data/playbooks/generate_events.yaml | 0 
.../test_fim/test_fim_windows/data/playbooks/teardown.yaml | 0 .../test_fim_windows/data/test_cases/cases_fim_windows.yaml | 0 .../test_fim/test_fim_windows/test_fim_windows.py | 0 .../test_netcat/data/playbooks/configuration.yaml | 0 .../test_netcat/data/playbooks/generate_events.yaml | 0 .../{ => basic_cases}/test_netcat/data/playbooks/teardown.yaml | 0 .../test_netcat/data/test_cases/cases_netcat.yaml | 0 tests/end_to_end/{ => basic_cases}/test_netcat/test_netcat.py | 0 .../data/configuration/osquery_integration.json | 0 .../test_osquery_integration/data/playbooks/configuration.yaml | 0 .../test_osquery_integration/data/playbooks/generate_events.yaml | 0 .../test_osquery_integration/data/playbooks/teardown.yaml | 0 .../data/test_cases/cases_osquery_integration.yaml | 0 .../test_osquery_integration/test_osquery_integration.py | 0 .../data/playbooks/configuration.yaml | 0 .../data/playbooks/generate_events.yaml | 0 .../test_shellshock_attack_detection/data/playbooks/teardown.yaml | 0 .../data/test_cases/cases_shellshock_attack_detection.yaml | 0 .../test_shellshock_attack_detection.py | 0 .../test_sql_injection/data/playbooks/configuration.yaml | 0 .../test_sql_injection/data/playbooks/generate_events.yaml | 0 .../test_sql_injection/data/playbooks/teardown.yaml | 0 .../test_sql_injection/data/test_cases/cases_sql_injection.yaml | 0 .../{ => basic_cases}/test_sql_injection/test_sql_injection.py | 0 .../test_suricata_integration/data/playbooks/configuration.yaml | 0 .../test_suricata_integration/data/playbooks/generate_events.yaml | 0 .../test_suricata_integration/data/playbooks/teardown.yaml | 0 .../data/test_cases/cases_suricata_integration.yaml | 0 .../test_suricata_integration/test_suricata_integration.py | 0 .../data/active_response_script/remove-threat.sh | 0 .../data/playbooks/configuration.yaml | 0 .../data/playbooks/generate_events.yaml | 0 .../test_virustotal_active_response/data/playbooks/teardown.yaml | 0 .../data/test_cases/cases_virustotal.yaml | 0 
.../test_virustotal_active_response.py | 0 .../test_virustotal_fim/data/playbooks/configuration.yaml | 0 .../test_virustotal_fim/data/playbooks/generate_events.yaml | 0 .../test_virustotal_fim/data/playbooks/teardown.yaml | 0 .../test_virustotal_fim/data/test_cases/cases_virustotal.yaml | 0 .../test_virustotal/test_virustotal_fim/test_virustotal_fim.py | 0 .../data/playbooks/configuration.yaml | 0 .../data/playbooks/generate_events.yaml | 0 .../data/playbooks/teardown.yaml | 0 .../data/test_cases/cases_vulnerability_detector_linux.yaml | 0 .../test_vulnerability_detector_linux.py | 0 .../data/playbooks/configuration.yaml | 0 .../data/playbooks/generate_events.yaml | 0 .../data/playbooks/teardown.yaml | 0 .../data/test_cases/cases_vulnerability_detector_windows.yaml | 0 .../test_vulnerability_detection_windows.py | 0 .../test_windows_defender/data/playbooks/configuration.yaml | 0 .../test_windows_defender/data/playbooks/generate_events.yaml | 0 .../test_windows_defender/data/playbooks/teardown.yaml | 0 .../data/test_cases/cases_windows_defender.yaml | 0 .../test_windows_defender/test_windows_defender.py | 0 .../test_yara_integration/data/configuration/yara.sh | 0 .../test_yara_integration/data/playbooks/configuration.yaml | 0 .../test_yara_integration/data/playbooks/generate_events.yaml | 0 .../test_yara_integration/data/playbooks/teardown.yaml | 0 .../data/test_cases/cases_yara_integration.yaml | 0 .../test_yara_integration/test_yara_integration.py | 0 93 files changed, 0 insertions(+), 0 deletions(-) rename tests/end_to_end/{ => basic_cases}/test_aws_infrastructure_monitoring/README.md (100%) rename tests/end_to_end/{ => basic_cases}/test_aws_infrastructure_monitoring/data/configuration/aws_cloudtrail_event.py (100%) rename tests/end_to_end/{ => basic_cases}/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml (100%) rename 
tests/end_to_end/{ => basic_cases}/test_aws_infrastructure_monitoring/data/playbooks/teardown.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_aws_infrastructure_monitoring/data/test_cases/cases_aws_infrastructure_monitoring.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py (100%) rename tests/end_to_end/{ => basic_cases}/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_brute_force/test_brute_force_rdp/data/test_cases/cases_brute_force_rdp.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py (100%) rename tests/end_to_end/{ => basic_cases}/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_brute_force/test_brute_force_ssh/data/test_cases/cases_brute_force_ssh.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py (100%) rename tests/end_to_end/{ => basic_cases}/test_detecting_suspicious_binaries/data/configuration/trojan_script.sh (100%) rename tests/end_to_end/{ => basic_cases}/test_detecting_suspicious_binaries/data/playbooks/configuration.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_detecting_suspicious_binaries/data/playbooks/teardown.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_detecting_suspicious_binaries/data/test_cases/cases_detecting_suspicious_binaries.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py (100%) rename tests/end_to_end/{ => 
basic_cases}/test_docker_monitoring/data/playbooks/configuration.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_docker_monitoring/data/playbooks/generate_events.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_docker_monitoring/data/playbooks/teardown.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_docker_monitoring/data/test_cases/cases_docker_monitoring.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_docker_monitoring/test_docker_monitoring.py (100%) rename tests/end_to_end/{ => basic_cases}/test_fim/test_fim_linux/data/playbooks/configuration.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_fim/test_fim_linux/data/playbooks/generate_events.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_fim/test_fim_linux/data/playbooks/teardown.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_fim/test_fim_linux/data/test_cases/cases_fim_linux.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_fim/test_fim_linux/test_fim_linux.py (100%) rename tests/end_to_end/{ => basic_cases}/test_fim/test_fim_windows/data/playbooks/configuration.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_fim/test_fim_windows/data/playbooks/generate_events.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_fim/test_fim_windows/data/playbooks/teardown.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_fim/test_fim_windows/data/test_cases/cases_fim_windows.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_fim/test_fim_windows/test_fim_windows.py (100%) rename tests/end_to_end/{ => basic_cases}/test_netcat/data/playbooks/configuration.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_netcat/data/playbooks/generate_events.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_netcat/data/playbooks/teardown.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_netcat/data/test_cases/cases_netcat.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_netcat/test_netcat.py 
(100%) rename tests/end_to_end/{ => basic_cases}/test_osquery_integration/data/configuration/osquery_integration.json (100%) rename tests/end_to_end/{ => basic_cases}/test_osquery_integration/data/playbooks/configuration.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_osquery_integration/data/playbooks/generate_events.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_osquery_integration/data/playbooks/teardown.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_osquery_integration/data/test_cases/cases_osquery_integration.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_osquery_integration/test_osquery_integration.py (100%) rename tests/end_to_end/{ => basic_cases}/test_shellshock_attack_detection/data/playbooks/configuration.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_shellshock_attack_detection/data/playbooks/generate_events.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_shellshock_attack_detection/data/playbooks/teardown.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_shellshock_attack_detection/data/test_cases/cases_shellshock_attack_detection.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_shellshock_attack_detection/test_shellshock_attack_detection.py (100%) rename tests/end_to_end/{ => basic_cases}/test_sql_injection/data/playbooks/configuration.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_sql_injection/data/playbooks/generate_events.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_sql_injection/data/playbooks/teardown.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_sql_injection/data/test_cases/cases_sql_injection.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_sql_injection/test_sql_injection.py (100%) rename tests/end_to_end/{ => basic_cases}/test_suricata_integration/data/playbooks/configuration.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_suricata_integration/data/playbooks/generate_events.yaml (100%) rename 
tests/end_to_end/{ => basic_cases}/test_suricata_integration/data/playbooks/teardown.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_suricata_integration/data/test_cases/cases_suricata_integration.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_suricata_integration/test_suricata_integration.py (100%) rename tests/end_to_end/{ => basic_cases}/test_virustotal/test_virustotal_active_response/data/active_response_script/remove-threat.sh (100%) rename tests/end_to_end/{ => basic_cases}/test_virustotal/test_virustotal_active_response/data/playbooks/configuration.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_virustotal/test_virustotal_active_response/data/playbooks/generate_events.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_virustotal/test_virustotal_active_response/data/playbooks/teardown.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_virustotal/test_virustotal_active_response/data/test_cases/cases_virustotal.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py (100%) rename tests/end_to_end/{ => basic_cases}/test_virustotal/test_virustotal_fim/data/playbooks/configuration.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_virustotal/test_virustotal_fim/data/playbooks/generate_events.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_virustotal/test_virustotal_fim/data/playbooks/teardown.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_virustotal/test_virustotal_fim/data/test_cases/cases_virustotal.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_virustotal/test_virustotal_fim/test_virustotal_fim.py (100%) rename tests/end_to_end/{ => basic_cases}/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/configuration.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml (100%) 
rename tests/end_to_end/{ => basic_cases}/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/teardown.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_vulnerability_detector/test_vulnerability_detector_linux/data/test_cases/cases_vulnerability_detector_linux.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py (100%) rename tests/end_to_end/{ => basic_cases}/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/configuration.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/generate_events.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/teardown.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_vulnerability_detector/test_vulnerability_detector_windows/data/test_cases/cases_vulnerability_detector_windows.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py (100%) rename tests/end_to_end/{ => basic_cases}/test_windows_defender/data/playbooks/configuration.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_windows_defender/data/playbooks/generate_events.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_windows_defender/data/playbooks/teardown.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_windows_defender/data/test_cases/cases_windows_defender.yaml (100%) rename tests/end_to_end/{ => basic_cases}/test_windows_defender/test_windows_defender.py (100%) rename tests/end_to_end/{ => basic_cases}/test_yara_integration/data/configuration/yara.sh (100%) rename tests/end_to_end/{ => basic_cases}/test_yara_integration/data/playbooks/configuration.yaml (100%) rename tests/end_to_end/{ => 
basic_cases}/test_yara_integration/data/playbooks/generate_events.yaml (100%)
rename tests/end_to_end/{ => basic_cases}/test_yara_integration/data/playbooks/teardown.yaml (100%)
rename tests/end_to_end/{ => basic_cases}/test_yara_integration/data/test_cases/cases_yara_integration.yaml (100%)
rename tests/end_to_end/{ => basic_cases}/test_yara_integration/test_yara_integration.py (100%)
diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/README.md b/tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/README.md
similarity index 100%
rename from tests/end_to_end/test_aws_infrastructure_monitoring/README.md
rename to tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/README.md
diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/data/configuration/aws_cloudtrail_event.py b/tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/data/configuration/aws_cloudtrail_event.py
similarity index 100%
rename from tests/end_to_end/test_aws_infrastructure_monitoring/data/configuration/aws_cloudtrail_event.py
rename to tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/data/configuration/aws_cloudtrail_event.py
diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml
similarity index 100%
rename from tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml
rename to tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml
diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml
similarity index 100%
rename from tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml
rename to tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml
diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/data/playbooks/teardown.yaml
similarity index 100%
rename from tests/end_to_end/test_aws_infrastructure_monitoring/data/playbooks/teardown.yaml
rename to tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/data/playbooks/teardown.yaml
diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/data/test_cases/cases_aws_infrastructure_monitoring.yaml b/tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/data/test_cases/cases_aws_infrastructure_monitoring.yaml
similarity index 100%
rename from tests/end_to_end/test_aws_infrastructure_monitoring/data/test_cases/cases_aws_infrastructure_monitoring.yaml
rename to tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/data/test_cases/cases_aws_infrastructure_monitoring.yaml
diff --git a/tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py b/tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py
similarity index 100%
rename from tests/end_to_end/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py
rename to tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py
diff --git a/tests/end_to_end/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml
similarity index 100%
rename from tests/end_to_end/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml
rename to tests/end_to_end/basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml
diff --git a/tests/end_to_end/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml
similarity index 100%
rename from tests/end_to_end/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml
rename to tests/end_to_end/basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml
diff --git a/tests/end_to_end/test_brute_force/test_brute_force_rdp/data/test_cases/cases_brute_force_rdp.yaml b/tests/end_to_end/basic_cases/test_brute_force/test_brute_force_rdp/data/test_cases/cases_brute_force_rdp.yaml
similarity index 100%
rename from tests/end_to_end/test_brute_force/test_brute_force_rdp/data/test_cases/cases_brute_force_rdp.yaml
rename to tests/end_to_end/basic_cases/test_brute_force/test_brute_force_rdp/data/test_cases/cases_brute_force_rdp.yaml
diff --git a/tests/end_to_end/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py b/tests/end_to_end/basic_cases/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py
similarity index 100%
rename from tests/end_to_end/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py
rename to tests/end_to_end/basic_cases/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py
diff --git a/tests/end_to_end/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml
similarity index 100%
rename from tests/end_to_end/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml
rename to tests/end_to_end/basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml
diff --git a/tests/end_to_end/test_brute_force/test_brute_force_ssh/data/test_cases/cases_brute_force_ssh.yaml b/tests/end_to_end/basic_cases/test_brute_force/test_brute_force_ssh/data/test_cases/cases_brute_force_ssh.yaml
similarity index 100%
rename from tests/end_to_end/test_brute_force/test_brute_force_ssh/data/test_cases/cases_brute_force_ssh.yaml
rename to tests/end_to_end/basic_cases/test_brute_force/test_brute_force_ssh/data/test_cases/cases_brute_force_ssh.yaml
diff --git a/tests/end_to_end/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py b/tests/end_to_end/basic_cases/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py
similarity index 100%
rename from tests/end_to_end/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py
rename to tests/end_to_end/basic_cases/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py
diff --git a/tests/end_to_end/test_detecting_suspicious_binaries/data/configuration/trojan_script.sh b/tests/end_to_end/basic_cases/test_detecting_suspicious_binaries/data/configuration/trojan_script.sh
similarity index 100%
rename from tests/end_to_end/test_detecting_suspicious_binaries/data/configuration/trojan_script.sh
rename to tests/end_to_end/basic_cases/test_detecting_suspicious_binaries/data/configuration/trojan_script.sh
diff --git a/tests/end_to_end/test_detecting_suspicious_binaries/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_detecting_suspicious_binaries/data/playbooks/configuration.yaml
similarity index 100%
rename from tests/end_to_end/test_detecting_suspicious_binaries/data/playbooks/configuration.yaml
rename to tests/end_to_end/basic_cases/test_detecting_suspicious_binaries/data/playbooks/configuration.yaml
diff --git a/tests/end_to_end/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml
similarity index 100%
rename from tests/end_to_end/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml
rename to tests/end_to_end/basic_cases/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml
diff --git a/tests/end_to_end/test_detecting_suspicious_binaries/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_detecting_suspicious_binaries/data/playbooks/teardown.yaml
similarity index 100%
rename from tests/end_to_end/test_detecting_suspicious_binaries/data/playbooks/teardown.yaml
rename to tests/end_to_end/basic_cases/test_detecting_suspicious_binaries/data/playbooks/teardown.yaml
diff --git a/tests/end_to_end/test_detecting_suspicious_binaries/data/test_cases/cases_detecting_suspicious_binaries.yaml b/tests/end_to_end/basic_cases/test_detecting_suspicious_binaries/data/test_cases/cases_detecting_suspicious_binaries.yaml
similarity index 100%
rename from tests/end_to_end/test_detecting_suspicious_binaries/data/test_cases/cases_detecting_suspicious_binaries.yaml
rename to tests/end_to_end/basic_cases/test_detecting_suspicious_binaries/data/test_cases/cases_detecting_suspicious_binaries.yaml
diff --git a/tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py b/tests/end_to_end/basic_cases/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py
similarity index 100%
rename from tests/end_to_end/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py
rename to tests/end_to_end/basic_cases/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py
diff --git a/tests/end_to_end/test_docker_monitoring/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_docker_monitoring/data/playbooks/configuration.yaml
similarity index 100%
rename from tests/end_to_end/test_docker_monitoring/data/playbooks/configuration.yaml
rename to tests/end_to_end/basic_cases/test_docker_monitoring/data/playbooks/configuration.yaml
diff --git a/tests/end_to_end/test_docker_monitoring/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml
similarity index 100%
rename from tests/end_to_end/test_docker_monitoring/data/playbooks/generate_events.yaml
rename to tests/end_to_end/basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml
diff --git a/tests/end_to_end/test_docker_monitoring/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_docker_monitoring/data/playbooks/teardown.yaml
similarity index 100%
rename from tests/end_to_end/test_docker_monitoring/data/playbooks/teardown.yaml
rename to tests/end_to_end/basic_cases/test_docker_monitoring/data/playbooks/teardown.yaml
diff --git a/tests/end_to_end/test_docker_monitoring/data/test_cases/cases_docker_monitoring.yaml b/tests/end_to_end/basic_cases/test_docker_monitoring/data/test_cases/cases_docker_monitoring.yaml
similarity index 100%
rename from tests/end_to_end/test_docker_monitoring/data/test_cases/cases_docker_monitoring.yaml
rename to tests/end_to_end/basic_cases/test_docker_monitoring/data/test_cases/cases_docker_monitoring.yaml
diff --git a/tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py b/tests/end_to_end/basic_cases/test_docker_monitoring/test_docker_monitoring.py
similarity index 100%
rename from tests/end_to_end/test_docker_monitoring/test_docker_monitoring.py
rename to tests/end_to_end/basic_cases/test_docker_monitoring/test_docker_monitoring.py
diff --git a/tests/end_to_end/test_fim/test_fim_linux/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_fim/test_fim_linux/data/playbooks/configuration.yaml
similarity index 100%
rename from tests/end_to_end/test_fim/test_fim_linux/data/playbooks/configuration.yaml
rename to tests/end_to_end/basic_cases/test_fim/test_fim_linux/data/playbooks/configuration.yaml
diff --git a/tests/end_to_end/test_fim/test_fim_linux/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_fim/test_fim_linux/data/playbooks/generate_events.yaml
similarity index 100%
rename from tests/end_to_end/test_fim/test_fim_linux/data/playbooks/generate_events.yaml
rename to tests/end_to_end/basic_cases/test_fim/test_fim_linux/data/playbooks/generate_events.yaml
diff --git a/tests/end_to_end/test_fim/test_fim_linux/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_fim/test_fim_linux/data/playbooks/teardown.yaml
similarity index 100%
rename from tests/end_to_end/test_fim/test_fim_linux/data/playbooks/teardown.yaml
rename to tests/end_to_end/basic_cases/test_fim/test_fim_linux/data/playbooks/teardown.yaml
diff --git a/tests/end_to_end/test_fim/test_fim_linux/data/test_cases/cases_fim_linux.yaml b/tests/end_to_end/basic_cases/test_fim/test_fim_linux/data/test_cases/cases_fim_linux.yaml
similarity index 100%
rename from tests/end_to_end/test_fim/test_fim_linux/data/test_cases/cases_fim_linux.yaml
rename to tests/end_to_end/basic_cases/test_fim/test_fim_linux/data/test_cases/cases_fim_linux.yaml
diff --git a/tests/end_to_end/test_fim/test_fim_linux/test_fim_linux.py b/tests/end_to_end/basic_cases/test_fim/test_fim_linux/test_fim_linux.py
similarity index 100%
rename from tests/end_to_end/test_fim/test_fim_linux/test_fim_linux.py
rename to tests/end_to_end/basic_cases/test_fim/test_fim_linux/test_fim_linux.py
diff --git a/tests/end_to_end/test_fim/test_fim_windows/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/playbooks/configuration.yaml
similarity index 100%
rename from tests/end_to_end/test_fim/test_fim_windows/data/playbooks/configuration.yaml
rename to tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/playbooks/configuration.yaml
diff --git a/tests/end_to_end/test_fim/test_fim_windows/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/playbooks/generate_events.yaml
similarity index 100%
rename from tests/end_to_end/test_fim/test_fim_windows/data/playbooks/generate_events.yaml
rename to tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/playbooks/generate_events.yaml
diff --git a/tests/end_to_end/test_fim/test_fim_windows/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/playbooks/teardown.yaml
similarity index 100%
rename from tests/end_to_end/test_fim/test_fim_windows/data/playbooks/teardown.yaml
rename to tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/playbooks/teardown.yaml
diff --git a/tests/end_to_end/test_fim/test_fim_windows/data/test_cases/cases_fim_windows.yaml b/tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/test_cases/cases_fim_windows.yaml
similarity index 100%
rename from tests/end_to_end/test_fim/test_fim_windows/data/test_cases/cases_fim_windows.yaml
rename to tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/test_cases/cases_fim_windows.yaml
diff --git a/tests/end_to_end/test_fim/test_fim_windows/test_fim_windows.py b/tests/end_to_end/basic_cases/test_fim/test_fim_windows/test_fim_windows.py
similarity index 100%
rename from tests/end_to_end/test_fim/test_fim_windows/test_fim_windows.py
rename to tests/end_to_end/basic_cases/test_fim/test_fim_windows/test_fim_windows.py
diff --git a/tests/end_to_end/test_netcat/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_netcat/data/playbooks/configuration.yaml
similarity index 100%
rename from tests/end_to_end/test_netcat/data/playbooks/configuration.yaml
rename to tests/end_to_end/basic_cases/test_netcat/data/playbooks/configuration.yaml
diff --git a/tests/end_to_end/test_netcat/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_netcat/data/playbooks/generate_events.yaml
similarity index 100%
rename from tests/end_to_end/test_netcat/data/playbooks/generate_events.yaml
rename to tests/end_to_end/basic_cases/test_netcat/data/playbooks/generate_events.yaml
diff --git a/tests/end_to_end/test_netcat/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_netcat/data/playbooks/teardown.yaml
similarity index 100%
rename from tests/end_to_end/test_netcat/data/playbooks/teardown.yaml
rename to tests/end_to_end/basic_cases/test_netcat/data/playbooks/teardown.yaml
diff --git a/tests/end_to_end/test_netcat/data/test_cases/cases_netcat.yaml b/tests/end_to_end/basic_cases/test_netcat/data/test_cases/cases_netcat.yaml
similarity index 100%
rename from tests/end_to_end/test_netcat/data/test_cases/cases_netcat.yaml
rename to tests/end_to_end/basic_cases/test_netcat/data/test_cases/cases_netcat.yaml
diff --git a/tests/end_to_end/test_netcat/test_netcat.py b/tests/end_to_end/basic_cases/test_netcat/test_netcat.py
similarity index 100%
rename from tests/end_to_end/test_netcat/test_netcat.py
rename to tests/end_to_end/basic_cases/test_netcat/test_netcat.py
diff --git a/tests/end_to_end/test_osquery_integration/data/configuration/osquery_integration.json b/tests/end_to_end/basic_cases/test_osquery_integration/data/configuration/osquery_integration.json
similarity index 100%
rename from tests/end_to_end/test_osquery_integration/data/configuration/osquery_integration.json
rename to tests/end_to_end/basic_cases/test_osquery_integration/data/configuration/osquery_integration.json
diff --git a/tests/end_to_end/test_osquery_integration/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_osquery_integration/data/playbooks/configuration.yaml
similarity index 100%
rename from tests/end_to_end/test_osquery_integration/data/playbooks/configuration.yaml
rename to tests/end_to_end/basic_cases/test_osquery_integration/data/playbooks/configuration.yaml
diff --git a/tests/end_to_end/test_osquery_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_osquery_integration/data/playbooks/generate_events.yaml
similarity index 100%
rename from tests/end_to_end/test_osquery_integration/data/playbooks/generate_events.yaml
rename to tests/end_to_end/basic_cases/test_osquery_integration/data/playbooks/generate_events.yaml
diff --git a/tests/end_to_end/test_osquery_integration/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_osquery_integration/data/playbooks/teardown.yaml
similarity index 100%
rename from tests/end_to_end/test_osquery_integration/data/playbooks/teardown.yaml
rename to tests/end_to_end/basic_cases/test_osquery_integration/data/playbooks/teardown.yaml
diff --git a/tests/end_to_end/test_osquery_integration/data/test_cases/cases_osquery_integration.yaml b/tests/end_to_end/basic_cases/test_osquery_integration/data/test_cases/cases_osquery_integration.yaml
similarity index 100%
rename from tests/end_to_end/test_osquery_integration/data/test_cases/cases_osquery_integration.yaml
rename to tests/end_to_end/basic_cases/test_osquery_integration/data/test_cases/cases_osquery_integration.yaml
diff --git a/tests/end_to_end/test_osquery_integration/test_osquery_integration.py b/tests/end_to_end/basic_cases/test_osquery_integration/test_osquery_integration.py
similarity index 100%
rename from tests/end_to_end/test_osquery_integration/test_osquery_integration.py
rename to tests/end_to_end/basic_cases/test_osquery_integration/test_osquery_integration.py
diff --git a/tests/end_to_end/test_shellshock_attack_detection/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_shellshock_attack_detection/data/playbooks/configuration.yaml
similarity index 100%
rename from tests/end_to_end/test_shellshock_attack_detection/data/playbooks/configuration.yaml
rename to tests/end_to_end/basic_cases/test_shellshock_attack_detection/data/playbooks/configuration.yaml
diff --git a/tests/end_to_end/test_shellshock_attack_detection/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_shellshock_attack_detection/data/playbooks/generate_events.yaml
similarity index 100%
rename from tests/end_to_end/test_shellshock_attack_detection/data/playbooks/generate_events.yaml
rename to tests/end_to_end/basic_cases/test_shellshock_attack_detection/data/playbooks/generate_events.yaml
diff --git a/tests/end_to_end/test_shellshock_attack_detection/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_shellshock_attack_detection/data/playbooks/teardown.yaml
similarity index 100%
rename from tests/end_to_end/test_shellshock_attack_detection/data/playbooks/teardown.yaml
rename to tests/end_to_end/basic_cases/test_shellshock_attack_detection/data/playbooks/teardown.yaml
diff --git a/tests/end_to_end/test_shellshock_attack_detection/data/test_cases/cases_shellshock_attack_detection.yaml b/tests/end_to_end/basic_cases/test_shellshock_attack_detection/data/test_cases/cases_shellshock_attack_detection.yaml
similarity index 100%
rename from tests/end_to_end/test_shellshock_attack_detection/data/test_cases/cases_shellshock_attack_detection.yaml
rename to tests/end_to_end/basic_cases/test_shellshock_attack_detection/data/test_cases/cases_shellshock_attack_detection.yaml
diff --git a/tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py b/tests/end_to_end/basic_cases/test_shellshock_attack_detection/test_shellshock_attack_detection.py
similarity index 100%
rename from tests/end_to_end/test_shellshock_attack_detection/test_shellshock_attack_detection.py
rename to tests/end_to_end/basic_cases/test_shellshock_attack_detection/test_shellshock_attack_detection.py
diff --git a/tests/end_to_end/test_sql_injection/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_sql_injection/data/playbooks/configuration.yaml
similarity index 100%
rename from tests/end_to_end/test_sql_injection/data/playbooks/configuration.yaml
rename to tests/end_to_end/basic_cases/test_sql_injection/data/playbooks/configuration.yaml
diff --git a/tests/end_to_end/test_sql_injection/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_sql_injection/data/playbooks/generate_events.yaml
similarity index 100%
rename from tests/end_to_end/test_sql_injection/data/playbooks/generate_events.yaml
rename to tests/end_to_end/basic_cases/test_sql_injection/data/playbooks/generate_events.yaml
diff --git a/tests/end_to_end/test_sql_injection/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_sql_injection/data/playbooks/teardown.yaml
similarity index 100%
rename from tests/end_to_end/test_sql_injection/data/playbooks/teardown.yaml
rename to tests/end_to_end/basic_cases/test_sql_injection/data/playbooks/teardown.yaml
diff --git a/tests/end_to_end/test_sql_injection/data/test_cases/cases_sql_injection.yaml b/tests/end_to_end/basic_cases/test_sql_injection/data/test_cases/cases_sql_injection.yaml
similarity index 100%
rename from tests/end_to_end/test_sql_injection/data/test_cases/cases_sql_injection.yaml
rename to tests/end_to_end/basic_cases/test_sql_injection/data/test_cases/cases_sql_injection.yaml
diff --git a/tests/end_to_end/test_sql_injection/test_sql_injection.py b/tests/end_to_end/basic_cases/test_sql_injection/test_sql_injection.py
similarity index 100%
rename from tests/end_to_end/test_sql_injection/test_sql_injection.py
rename to tests/end_to_end/basic_cases/test_sql_injection/test_sql_injection.py
diff --git a/tests/end_to_end/test_suricata_integration/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_suricata_integration/data/playbooks/configuration.yaml
similarity index 100%
rename from tests/end_to_end/test_suricata_integration/data/playbooks/configuration.yaml
rename to tests/end_to_end/basic_cases/test_suricata_integration/data/playbooks/configuration.yaml
diff --git a/tests/end_to_end/test_suricata_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml similarity index 100% rename from tests/end_to_end/test_suricata_integration/data/playbooks/generate_events.yaml rename to tests/end_to_end/basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml diff --git a/tests/end_to_end/test_suricata_integration/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_suricata_integration/data/playbooks/teardown.yaml similarity index 100% rename from tests/end_to_end/test_suricata_integration/data/playbooks/teardown.yaml rename to tests/end_to_end/basic_cases/test_suricata_integration/data/playbooks/teardown.yaml diff --git a/tests/end_to_end/test_suricata_integration/data/test_cases/cases_suricata_integration.yaml b/tests/end_to_end/basic_cases/test_suricata_integration/data/test_cases/cases_suricata_integration.yaml similarity index 100% rename from tests/end_to_end/test_suricata_integration/data/test_cases/cases_suricata_integration.yaml rename to tests/end_to_end/basic_cases/test_suricata_integration/data/test_cases/cases_suricata_integration.yaml diff --git a/tests/end_to_end/test_suricata_integration/test_suricata_integration.py b/tests/end_to_end/basic_cases/test_suricata_integration/test_suricata_integration.py similarity index 100% rename from tests/end_to_end/test_suricata_integration/test_suricata_integration.py rename to tests/end_to_end/basic_cases/test_suricata_integration/test_suricata_integration.py 
diff --git a/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/active_response_script/remove-threat.sh b/tests/end_to_end/basic_cases/test_virustotal/test_virustotal_active_response/data/active_response_script/remove-threat.sh similarity index 100% rename from tests/end_to_end/test_virustotal/test_virustotal_active_response/data/active_response_script/remove-threat.sh rename to tests/end_to_end/basic_cases/test_virustotal/test_virustotal_active_response/data/active_response_script/remove-threat.sh diff --git a/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_virustotal/test_virustotal_active_response/data/playbooks/configuration.yaml similarity index 100% rename from tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/configuration.yaml rename to tests/end_to_end/basic_cases/test_virustotal/test_virustotal_active_response/data/playbooks/configuration.yaml diff --git a/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_virustotal/test_virustotal_active_response/data/playbooks/generate_events.yaml similarity index 100% rename from tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/generate_events.yaml rename to tests/end_to_end/basic_cases/test_virustotal/test_virustotal_active_response/data/playbooks/generate_events.yaml diff --git a/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_virustotal/test_virustotal_active_response/data/playbooks/teardown.yaml similarity index 100% rename from tests/end_to_end/test_virustotal/test_virustotal_active_response/data/playbooks/teardown.yaml rename to tests/end_to_end/basic_cases/test_virustotal/test_virustotal_active_response/data/playbooks/teardown.yaml 
diff --git a/tests/end_to_end/test_virustotal/test_virustotal_active_response/data/test_cases/cases_virustotal.yaml b/tests/end_to_end/basic_cases/test_virustotal/test_virustotal_active_response/data/test_cases/cases_virustotal.yaml similarity index 100% rename from tests/end_to_end/test_virustotal/test_virustotal_active_response/data/test_cases/cases_virustotal.yaml rename to tests/end_to_end/basic_cases/test_virustotal/test_virustotal_active_response/data/test_cases/cases_virustotal.yaml diff --git a/tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py b/tests/end_to_end/basic_cases/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py similarity index 100% rename from tests/end_to_end/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py rename to tests/end_to_end/basic_cases/test_virustotal/test_virustotal_active_response/test_virustotal_active_response.py diff --git a/tests/end_to_end/test_virustotal/test_virustotal_fim/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_virustotal/test_virustotal_fim/data/playbooks/configuration.yaml similarity index 100% rename from tests/end_to_end/test_virustotal/test_virustotal_fim/data/playbooks/configuration.yaml rename to tests/end_to_end/basic_cases/test_virustotal/test_virustotal_fim/data/playbooks/configuration.yaml diff --git a/tests/end_to_end/test_virustotal/test_virustotal_fim/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_virustotal/test_virustotal_fim/data/playbooks/generate_events.yaml similarity index 100% rename from tests/end_to_end/test_virustotal/test_virustotal_fim/data/playbooks/generate_events.yaml rename to tests/end_to_end/basic_cases/test_virustotal/test_virustotal_fim/data/playbooks/generate_events.yaml 
diff --git a/tests/end_to_end/test_virustotal/test_virustotal_fim/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_virustotal/test_virustotal_fim/data/playbooks/teardown.yaml similarity index 100% rename from tests/end_to_end/test_virustotal/test_virustotal_fim/data/playbooks/teardown.yaml rename to tests/end_to_end/basic_cases/test_virustotal/test_virustotal_fim/data/playbooks/teardown.yaml diff --git a/tests/end_to_end/test_virustotal/test_virustotal_fim/data/test_cases/cases_virustotal.yaml b/tests/end_to_end/basic_cases/test_virustotal/test_virustotal_fim/data/test_cases/cases_virustotal.yaml similarity index 100% rename from tests/end_to_end/test_virustotal/test_virustotal_fim/data/test_cases/cases_virustotal.yaml rename to tests/end_to_end/basic_cases/test_virustotal/test_virustotal_fim/data/test_cases/cases_virustotal.yaml diff --git a/tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py b/tests/end_to_end/basic_cases/test_virustotal/test_virustotal_fim/test_virustotal_fim.py similarity index 100% rename from tests/end_to_end/test_virustotal/test_virustotal_fim/test_virustotal_fim.py rename to tests/end_to_end/basic_cases/test_virustotal/test_virustotal_fim/test_virustotal_fim.py diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/configuration.yaml similarity index 100% rename from tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/configuration.yaml rename to tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/configuration.yaml 
diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml similarity index 100% rename from tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml rename to tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/teardown.yaml similarity index 100% rename from tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/teardown.yaml rename to tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/teardown.yaml diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/test_cases/cases_vulnerability_detector_linux.yaml b/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/test_cases/cases_vulnerability_detector_linux.yaml similarity index 100% rename from tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/data/test_cases/cases_vulnerability_detector_linux.yaml rename to tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/test_cases/cases_vulnerability_detector_linux.yaml 
diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py b/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py similarity index 100% rename from tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py rename to tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/configuration.yaml similarity index 100% rename from tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/configuration.yaml rename to tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/configuration.yaml diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/generate_events.yaml similarity index 100% rename from tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/generate_events.yaml rename to tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/generate_events.yaml 
diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/teardown.yaml similarity index 100% rename from tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/teardown.yaml rename to tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/teardown.yaml diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/test_cases/cases_vulnerability_detector_windows.yaml b/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/test_cases/cases_vulnerability_detector_windows.yaml similarity index 100% rename from tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/data/test_cases/cases_vulnerability_detector_windows.yaml rename to tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/test_cases/cases_vulnerability_detector_windows.yaml diff --git a/tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py b/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py similarity index 100% rename from tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py rename to tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py 
diff --git a/tests/end_to_end/test_windows_defender/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_windows_defender/data/playbooks/configuration.yaml similarity index 100% rename from tests/end_to_end/test_windows_defender/data/playbooks/configuration.yaml rename to tests/end_to_end/basic_cases/test_windows_defender/data/playbooks/configuration.yaml diff --git a/tests/end_to_end/test_windows_defender/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_windows_defender/data/playbooks/generate_events.yaml similarity index 100% rename from tests/end_to_end/test_windows_defender/data/playbooks/generate_events.yaml rename to tests/end_to_end/basic_cases/test_windows_defender/data/playbooks/generate_events.yaml diff --git a/tests/end_to_end/test_windows_defender/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_windows_defender/data/playbooks/teardown.yaml similarity index 100% rename from tests/end_to_end/test_windows_defender/data/playbooks/teardown.yaml rename to tests/end_to_end/basic_cases/test_windows_defender/data/playbooks/teardown.yaml diff --git a/tests/end_to_end/test_windows_defender/data/test_cases/cases_windows_defender.yaml b/tests/end_to_end/basic_cases/test_windows_defender/data/test_cases/cases_windows_defender.yaml similarity index 100% rename from tests/end_to_end/test_windows_defender/data/test_cases/cases_windows_defender.yaml rename to tests/end_to_end/basic_cases/test_windows_defender/data/test_cases/cases_windows_defender.yaml diff --git a/tests/end_to_end/test_windows_defender/test_windows_defender.py b/tests/end_to_end/basic_cases/test_windows_defender/test_windows_defender.py similarity index 100% rename from tests/end_to_end/test_windows_defender/test_windows_defender.py rename to tests/end_to_end/basic_cases/test_windows_defender/test_windows_defender.py 
diff --git a/tests/end_to_end/test_yara_integration/data/configuration/yara.sh b/tests/end_to_end/basic_cases/test_yara_integration/data/configuration/yara.sh similarity index 100% rename from tests/end_to_end/test_yara_integration/data/configuration/yara.sh rename to tests/end_to_end/basic_cases/test_yara_integration/data/configuration/yara.sh diff --git a/tests/end_to_end/test_yara_integration/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_yara_integration/data/playbooks/configuration.yaml similarity index 100% rename from tests/end_to_end/test_yara_integration/data/playbooks/configuration.yaml rename to tests/end_to_end/basic_cases/test_yara_integration/data/playbooks/configuration.yaml diff --git a/tests/end_to_end/test_yara_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_yara_integration/data/playbooks/generate_events.yaml similarity index 100% rename from tests/end_to_end/test_yara_integration/data/playbooks/generate_events.yaml rename to tests/end_to_end/basic_cases/test_yara_integration/data/playbooks/generate_events.yaml diff --git a/tests/end_to_end/test_yara_integration/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_yara_integration/data/playbooks/teardown.yaml similarity index 100% rename from tests/end_to_end/test_yara_integration/data/playbooks/teardown.yaml rename to tests/end_to_end/basic_cases/test_yara_integration/data/playbooks/teardown.yaml diff --git a/tests/end_to_end/test_yara_integration/data/test_cases/cases_yara_integration.yaml b/tests/end_to_end/basic_cases/test_yara_integration/data/test_cases/cases_yara_integration.yaml similarity index 100% rename from tests/end_to_end/test_yara_integration/data/test_cases/cases_yara_integration.yaml rename to tests/end_to_end/basic_cases/test_yara_integration/data/test_cases/cases_yara_integration.yaml 
diff --git a/tests/end_to_end/test_yara_integration/test_yara_integration.py b/tests/end_to_end/basic_cases/test_yara_integration/test_yara_integration.py similarity index 100% rename from tests/end_to_end/test_yara_integration/test_yara_integration.py rename to tests/end_to_end/basic_cases/test_yara_integration/test_yara_integration.py From c0bb3b4a9b2dcaaaa5d9b12cf4da4aae79d51355 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Wed, 17 Aug 2022 11:31:10 -0300 Subject: [PATCH 383/552] add: moved audit test into basic cases folder --- .../get_alerts/tasks/get_alert_json.yaml | 6 ++ .../write_wazuh_config.yaml | 8 +++ .../data/playbooks/configuration.yaml | 26 -------- .../data/playbooks/generate_events.yaml | 21 ------ .../test_audit/data/playbooks/teardown.yaml | 14 ---- .../data/test_cases/cases_audit.yaml | 13 ---- tests/end_to_end/test_audit/test_audit.py | 66 ------------------- 7 files changed, 14 insertions(+), 140 deletions(-) create mode 100644 tests/end_to_end/roles/get_alerts/tasks/get_alert_json.yaml create mode 100644 tests/end_to_end/roles/manage_wazuh_configurations/write_wazuh_config.yaml delete mode 100644 tests/end_to_end/test_audit/data/playbooks/configuration.yaml delete mode 100644 tests/end_to_end/test_audit/data/playbooks/generate_events.yaml delete mode 100644 tests/end_to_end/test_audit/data/playbooks/teardown.yaml delete mode 100644 tests/end_to_end/test_audit/data/test_cases/cases_audit.yaml delete mode 100644 tests/end_to_end/test_audit/test_audit.py diff --git a/tests/end_to_end/roles/get_alerts/tasks/get_alert_json.yaml b/tests/end_to_end/roles/get_alerts/tasks/get_alert_json.yaml new file mode 100644 index 0000000000..a9b0c6d280 --- /dev/null +++ b/tests/end_to_end/roles/get_alerts/tasks/get_alert_json.yaml @@ -0,0 +1,6 @@ + - name: Get alerts.json + fetch: + src: /var/ossec/logs/alerts/alerts.json + dest: /tmp/ + flat: true + become: true \ No newline at end of file 
diff --git a/tests/end_to_end/roles/manage_wazuh_configurations/write_wazuh_config.yaml b/tests/end_to_end/roles/manage_wazuh_configurations/write_wazuh_config.yaml new file mode 100644 index 0000000000..8f7149114f --- /dev/null +++ b/tests/end_to_end/roles/manage_wazuh_configurations/write_wazuh_config.yaml @@ -0,0 +1,8 @@ +- name: Configure ossec.conf + become: true + blockinfile: + path: /var/ossec/etc/ossec.conf + insertbefore: + block: | + '{{ block }}' + marker: \ No newline at end of file diff --git a/tests/end_to_end/test_audit/data/playbooks/configuration.yaml b/tests/end_to_end/test_audit/data/playbooks/configuration.yaml deleted file mode 100644 index 1be76127a5..0000000000 --- a/tests/end_to_end/test_audit/data/playbooks/configuration.yaml +++ /dev/null @@ -1,26 +0,0 @@ ---- -- name: Test case configuration - hosts: wazuh-manager - tasks: - - - name: Get euid - shell: echo $EUID - register: euid - - debug: - var: euid.stdout - - - name: Create wazuh audit rules file - become: True - copy: - dest: /etc/audit/rules.d/wazuh.rules - content: | - -a exit,always -F euid={{euid.stdout}} -F arch=b32 -S execve -k audit-wazuh-c - -a exit,always -F euid={{euid.stdout}} -F arch=b64 -S execve -k audit-wazuh-c - - - name: Delete previous audit rules - become: True - shell: auditctl -D - - - name: Load audit rules - become: True - shell: auditctl -R /etc/audit/rules.d/wazuh.rules diff --git a/tests/end_to_end/test_audit/data/playbooks/generate_events.yaml b/tests/end_to_end/test_audit/data/playbooks/generate_events.yaml deleted file mode 100644 index e692cd879b..0000000000 --- a/tests/end_to_end/test_audit/data/playbooks/generate_events.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -- name: Generate events - hosts: wazuh-manager - tasks: - - - name: Truncate file - shell: echo "" > /var/ossec/logs/alerts/alerts.json - become: True - - - name: "{{ event_description }}" - shell: "{{ command }}" - - - name: Wait for alert to be generated - wait_for: - timeout: 5 - - - name: Get alerts.json - fetch: - src: /var/ossec/logs/alerts/alerts.json - dest: /tmp/ - flat: yes - become: True diff --git a/tests/end_to_end/test_audit/data/playbooks/teardown.yaml b/tests/end_to_end/test_audit/data/playbooks/teardown.yaml deleted file mode 100644 index 35081c89ac..0000000000 --- a/tests/end_to_end/test_audit/data/playbooks/teardown.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -- name: Cleanup environment - hosts: wazuh-manager - tasks: - - - name: Delete wazuh audit rules file - become: True - file: - path: /etc/audit/rules.d/wazuh.rules - state: absent - - - name: Delete audit rules - become: True - shell: auditctl -D diff --git a/tests/end_to_end/test_audit/data/test_cases/cases_audit.yaml b/tests/end_to_end/test_audit/data/test_cases/cases_audit.yaml deleted file mode 100644 index bb46aa7e91..0000000000 --- a/tests/end_to_end/test_audit/data/test_cases/cases_audit.yaml +++ /dev/null @@ -1,13 +0,0 @@ -- name: ping_google - description: Ping www.google.com and check generated alerts - configuration_parameters: null - metadata: - extra_vars: - event_description: Ping google - command: ping -c 1 www.google.com - rule.id: 80792 - level: 3 - description: "Audit\\: Command\\: \\/usr\\/bin\\/ping." - extra: - a3: \\"www\.google\.com\\" - data.audit.command: ping diff --git a/tests/end_to_end/test_audit/test_audit.py b/tests/end_to_end/test_audit/test_audit.py deleted file mode 100644 index f74b82233a..0000000000 --- a/tests/end_to_end/test_audit/test_audit.py +++ /dev/null 
@@ -1,66 +0,0 @@ -import os -import json -import re -import pytest -from tempfile import gettempdir - -from wazuh_testing import end_to_end as e2e -from wazuh_testing import event_monitor as evm -from wazuh_testing.tools import configuration as config - - -alerts_json = os.path.join(gettempdir(), 'alerts.json') -test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') -test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_audit.yaml') -configuration_playbooks = ['configuration.yaml'] -events_playbooks = ['generate_events.yaml'] -teardown_playbooks = ['teardown.yaml'] - -configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) - - -@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_audit(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): - level = metadata['level'] - description = metadata['description'] - rule_id = metadata['rule.id'] - a3 = metadata['extra']['a3'] - data_audit_command = metadata['extra']['data.audit.command'] - - expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{level},' \ - fr'"description"\:"{description}","id"\:"{rule_id}".*a3={a3}.*\}}' - expected_indexed_alert = fr'.*"rule":.*"level": {level}, "description": "{description}".*"id": "{rule_id}".*' \ - fr'comm=\\"{data_audit_command}\\".*a3={a3}.*' \ - r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' - - # Check that alert has been raised and save timestamp - raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - error_message='The alert has not occurred').result() - raised_alert_timestamp = raised_alert.group(1) - - query = e2e.make_query([ - { - "term": { - "rule.id": f"{rule_id}" - } - }, - { - "term": { - "data.audit.command": f"{data_audit_command}" - 
} - }, - { - "term": { - "timestamp": f"{raised_alert_timestamp}" - } - } - ]) - - # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) - indexed_alert = json.dumps(response.json()) - - # Check that the alert data is the expected one - alert_data = re.search(expected_indexed_alert, indexed_alert) - assert alert_data is not None, 'Alert triggered, but not indexed' From 732f92eaf3d93b3a18d30d10346c11a0cb9cc02f Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Wed, 17 Aug 2022 11:34:45 -0300 Subject: [PATCH 384/552] fix: deleted wrong files --- .../end_to_end/roles/get_alerts/tasks/get_alert_json.yaml | 6 ------ .../manage_wazuh_configurations/write_wazuh_config.yaml | 8 -------- 2 files changed, 14 deletions(-) delete mode 100644 tests/end_to_end/roles/get_alerts/tasks/get_alert_json.yaml delete mode 100644 tests/end_to_end/roles/manage_wazuh_configurations/write_wazuh_config.yaml diff --git a/tests/end_to_end/roles/get_alerts/tasks/get_alert_json.yaml b/tests/end_to_end/roles/get_alerts/tasks/get_alert_json.yaml deleted file mode 100644 index a9b0c6d280..0000000000 --- a/tests/end_to_end/roles/get_alerts/tasks/get_alert_json.yaml +++ /dev/null @@ -1,6 +0,0 @@ - - name: Get alerts.json - fetch: - src: /var/ossec/logs/alerts/alerts.json - dest: /tmp/ - flat: true - become: true \ No newline at end of file diff --git a/tests/end_to_end/roles/manage_wazuh_configurations/write_wazuh_config.yaml b/tests/end_to_end/roles/manage_wazuh_configurations/write_wazuh_config.yaml deleted file mode 100644 index 8f7149114f..0000000000 --- a/tests/end_to_end/roles/manage_wazuh_configurations/write_wazuh_config.yaml +++ /dev/null @@ -1,8 +0,0 @@ -- name: Configure ossec.conf - become: true - blockinfile: - path: /var/ossec/etc/ossec.conf - insertbefore: - block: | - '{{ block }}' - marker: \ No newline at end of file From b33c8037567c33497a639ec846308177fbca9075 Mon Sep 17 00:00:00 2001 
From: Belen Valdivia Date: Wed, 17 Aug 2022 11:37:03 -0300 Subject: [PATCH 385/552] add: audit tests into basic cases --- .../data/playbooks/configuration.yaml | 26 ++++++++ .../data/playbooks/generate_events.yaml | 21 ++++++ .../test_audit/data/playbooks/teardown.yaml | 14 ++++ .../data/test_cases/cases_audit.yaml | 13 ++++ .../basic_cases/test_audit/test_audit.py | 66 +++++++++++++++++++ 5 files changed, 140 insertions(+) create mode 100644 tests/end_to_end/basic_cases/test_audit/data/playbooks/configuration.yaml create mode 100644 tests/end_to_end/basic_cases/test_audit/data/playbooks/generate_events.yaml create mode 100644 tests/end_to_end/basic_cases/test_audit/data/playbooks/teardown.yaml create mode 100644 tests/end_to_end/basic_cases/test_audit/data/test_cases/cases_audit.yaml create mode 100644 tests/end_to_end/basic_cases/test_audit/test_audit.py diff --git a/tests/end_to_end/basic_cases/test_audit/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_audit/data/playbooks/configuration.yaml new file mode 100644 index 0000000000..1be76127a5 --- /dev/null +++ b/tests/end_to_end/basic_cases/test_audit/data/playbooks/configuration.yaml @@ -0,0 +1,26 @@ +--- +- name: Test case configuration + hosts: wazuh-manager + tasks: + + - name: Get euid + shell: echo $EUID + register: euid + - debug: + var: euid.stdout + + - name: Create wazuh audit rules file + become: True + copy: + dest: /etc/audit/rules.d/wazuh.rules + content: | + -a exit,always -F euid={{euid.stdout}} -F arch=b32 -S execve -k audit-wazuh-c + -a exit,always -F euid={{euid.stdout}} -F arch=b64 -S execve -k audit-wazuh-c + + - name: Delete previous audit rules + become: True + shell: auditctl -D + + - name: Load audit rules + become: True + shell: auditctl -R /etc/audit/rules.d/wazuh.rules 
diff --git a/tests/end_to_end/basic_cases/test_audit/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_audit/data/playbooks/generate_events.yaml new file mode 100644 index 0000000000..e692cd879b --- /dev/null +++ b/tests/end_to_end/basic_cases/test_audit/data/playbooks/generate_events.yaml @@ -0,0 +1,21 @@ +- name: Generate events + hosts: wazuh-manager + tasks: + + - name: Truncate file + shell: echo "" > /var/ossec/logs/alerts/alerts.json + become: True + + - name: "{{ event_description }}" + shell: "{{ command }}" + + - name: Wait for alert to be generated + wait_for: + timeout: 5 + + - name: Get alerts.json + fetch: + src: /var/ossec/logs/alerts/alerts.json + dest: /tmp/ + flat: yes + become: True diff --git a/tests/end_to_end/basic_cases/test_audit/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_audit/data/playbooks/teardown.yaml new file mode 100644 index 0000000000..35081c89ac --- /dev/null +++ b/tests/end_to_end/basic_cases/test_audit/data/playbooks/teardown.yaml @@ -0,0 +1,14 @@ +--- +- name: Cleanup environment + hosts: wazuh-manager + tasks: + + - name: Delete wazuh audit rules file + become: True + file: + path: /etc/audit/rules.d/wazuh.rules + state: absent + + - name: Delete audit rules + become: True + shell: auditctl -D diff --git a/tests/end_to_end/basic_cases/test_audit/data/test_cases/cases_audit.yaml b/tests/end_to_end/basic_cases/test_audit/data/test_cases/cases_audit.yaml new file mode 100644 index 0000000000..bb46aa7e91 --- /dev/null +++ b/tests/end_to_end/basic_cases/test_audit/data/test_cases/cases_audit.yaml @@ -0,0 +1,13 @@ +- name: ping_google + description: Ping www.google.com and check generated alerts + configuration_parameters: null + metadata: + extra_vars: + event_description: Ping google + command: ping -c 1 www.google.com + rule.id: 80792 + level: 3 + description: "Audit\\: Command\\: \\/usr\\/bin\\/ping." + extra: + a3: \\"www\.google\.com\\" + data.audit.command: ping 
diff --git a/tests/end_to_end/basic_cases/test_audit/test_audit.py b/tests/end_to_end/basic_cases/test_audit/test_audit.py new file mode 100644 index 0000000000..f74b82233a --- /dev/null +++ b/tests/end_to_end/basic_cases/test_audit/test_audit.py 
@@ -0,0 +1,66 @@ +import os +import json +import re +import pytest +from tempfile import gettempdir + +from wazuh_testing import end_to_end as e2e +from wazuh_testing import event_monitor as evm +from wazuh_testing.tools import configuration as config + + +alerts_json = os.path.join(gettempdir(), 'alerts.json') +test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') +test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_audit.yaml') +configuration_playbooks = ['configuration.yaml'] +events_playbooks = ['generate_events.yaml'] +teardown_playbooks = ['teardown.yaml'] + +configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) + + +@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') +@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) +def test_audit(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): + level = metadata['level'] + description = metadata['description'] + rule_id = metadata['rule.id'] + a3 = metadata['extra']['a3'] + data_audit_command = metadata['extra']['data.audit.command'] + + expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{level},' \ + fr'"description"\:"{description}","id"\:"{rule_id}".*a3={a3}.*\}}' + expected_indexed_alert = fr'.*"rule":.*"level": {level}, "description": "{description}".*"id": "{rule_id}".*' \ + fr'comm=\\"{data_audit_command}\\".*a3={a3}.*' \ + r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' + + # Check that alert has been raised and save timestamp + raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + error_message='The alert has not occurred').result() + raised_alert_timestamp = raised_alert.group(1) + + query = e2e.make_query([ + { + "term": { + "rule.id": f"{rule_id}" + } + }, + { + "term": { + "data.audit.command": f"{data_audit_command}" + 
} + }, + { + "term": { + "timestamp": f"{raised_alert_timestamp}" + } + } + ]) + + # Check if the alert has been indexed and get its data + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + indexed_alert = json.dumps(response.json()) + + # Check that the alert data is the expected one + alert_data = re.search(expected_indexed_alert, indexed_alert) + assert alert_data is not None, 'Alert triggered, but not indexed' From 34a8b67099db9cc5a6295973383f011d3d2381ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Rebollo=20P=C3=A9rez?= Date: Wed, 17 Aug 2022 09:38:00 +0100 Subject: [PATCH 386/552] feat: create environment configuration file for manager_agent --- provisioning/environments/manager_agent.yaml | 23 ++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 provisioning/environments/manager_agent.yaml diff --git a/provisioning/environments/manager_agent.yaml b/provisioning/environments/manager_agent.yaml new file mode 100644 index 0000000000..eaae063ae8 --- /dev/null +++ b/provisioning/environments/manager_agent.yaml @@ -0,0 +1,23 @@ +wazuh-manager: + roles: [manager] + +wazuh-agent1: + roles: [agent] + manager: [wazuh-manager] + version: 4.1.5 + revision: 1 + repository: live + +wazuh-agent2: + roles: [agent] + manager: wazuh-manager + version: 4.2.2 + revision: 1 + repository: live + +wazuh-agent3: + manager: wazuh-manager + roles: [agent] + version: 4.2.5 + revision: 1 + repository: live \ No newline at end of file From 583d11c706b70ffc57e23e7e1ab3736ed9fc9bcf Mon Sep 17 00:00:00 2001 
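Review bot: `wazuh-agent1` declares `manager: [wazuh-manager]` as a list while `wazuh-agent2` and `wazuh-agent3` declare `manager: wazuh-manager` as a scalar, so whatever consumes this environment file has to accept both shapes or one of the agents will be provisioned differently from the others; pick one form, e.g. `manager: wazuh-manager` for agent1. `wazuh-agent3` also lists `manager` before `roles`, unlike the other two entries, which makes the three blocks harder to compare at a glance. The file ends without a trailing newline, which the diff flags and which some YAML linters reject.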
From: Mauro Malara Date: Wed, 17 Aug 2022 15:06:36 -0300 Subject: [PATCH 387/552] feat: the task in each test to validate the supported OS was added. #3142 --- tests/end_to_end/conftest.py | 69 +++++++++++++------ tests/end_to_end/data/env_requirements.json | 62 +++++++++++++++++ tests/end_to_end/data/environment.json | 58 ---------------- .../generate_general_play.yaml | 0 .../generate_test_specific_play.yaml | 10 +++ .../general_validation.j2} | 0 .../test_specific_validation.j2 | 19 +++++ .../tasks/check_supported_distro.yaml | 24 +++++++ 8 files changed, 162 insertions(+), 80 deletions(-) create mode 100644 tests/end_to_end/data/env_requirements.json delete mode 100644 tests/end_to_end/data/environment.json rename tests/end_to_end/data/{ => validation_playbooks}/generate_general_play.yaml (100%) create mode 100644 tests/end_to_end/data/validation_playbooks/generate_test_specific_play.yaml rename tests/end_to_end/data/{validation_template.j2 => validation_templates/general_validation.j2} (100%) create mode 100644 tests/end_to_end/data/validation_templates/test_specific_validation.j2 create mode 100644 tests/end_to_end/roles/host_checker/tasks/check_supported_distro.yaml diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index fa975e4f5f..fb1b54aa42 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py 
@@ -31,11 +31,11 @@ def validate_environments(request): collected_items = request.session.items roles_path = request.config.getoption('--roles-path') inventory_path = request.config.getoption('--inventory_path') - environment_file = os.path.join(suite_path, 'data', 'environment.json') + environment_file = os.path.join(suite_path, 'data', 'env_requirements.json') environment_metadata = json.load(open(environment_file)) - playbook_generator = os.path.join(suite_path, 'data', 'generate_general_play.yaml') - playbook_template = os.path.join(suite_path, 'data', 'validation_template.j2') - general_playbook = os.path.join(suite_path, 'data', 'general_validation.yaml') + playbook_generator = os.path.join(suite_path, 'data', 'validation_playbooks', 'generate_general_play.yaml') + playbook_template = os.path.join(suite_path, 'data', 'validation_templates', 'general_validation.j2') + general_playbook = os.path.join(suite_path, 'data', 'validation_playbooks', 'general_validation.yaml') if not inventory_path: raise ValueError('Inventory not specified') @@ -56,9 +56,9 @@ def validate_environments(request): test_suites_paths.append(path) # Get the test suite name test_suite_name = path.split('/')[-1:][0] - # Save the test environment metadata in lists - manager_instances.append(environment_metadata[test_suite_name]['managers']) - agent_instances.append(environment_metadata[test_suite_name]['agents']) + # Save the test environment metadata + manager_instances.append(environment_metadata[test_suite_name]['manager']['instances']) + agent_instances.append(environment_metadata[test_suite_name]['agent']['instances']) # Get the largest number of manager/agent instances num_of_managers = max(manager_instances) 
@@ -66,14 +66,14 @@ def validate_environments(request): # -------------------------- End of Step 1 ------------------------------------- # ---- Step 2: Run the playbook to generate the general validation playbook ---- - parameters = { + gen_parameters = { 'playbook': playbook_generator, 'inventory': inventory_path, 'extravars': { 'template_path': playbook_template, 'dest_path': general_playbook, 'num_of_managers': num_of_managers, 'num_of_agents': num_of_agents } } - ansible_runner.run(**parameters) + ansible_runner.run(**gen_parameters) # -------------------------- End of Step 2 ------------------------------------- # -------------------- Step 3: Run the general validation playbook ------------- 
@@ -91,24 +91,49 @@ def validate_environments(request): 'requirements.') # -------------------------- End of Step 3 ------------------------------------- - # Step 4: Execute test-specific validations (if any) + # ---------------- Step 4: Execute test-specific validations (if any) ---------- + playbook_generator = os.path.join(suite_path, 'data', 'validation_playbooks', 'generate_test_specific_play.yaml') + playbook_template = os.path.join(suite_path, 'data', 'validation_templates', 'test_specific_validation.j2') + for path in test_suites_paths: + validation_template = os.path.join(path, 'data', 'playbooks', 'validation.j2') + validation_template = validation_template if os.path.exists(validation_template) else '' + # Define the path where the resulting playbook will be stored validation_playbook = os.path.join(path, 'data', 'playbooks', 'validation.yaml') - if os.path.exists(validation_playbook): - # Set Ansible parameters - parameters = { - 'playbook': validation_playbook, - 'inventory': inventory_path, - 'envvars': {'ANSIBLE_ROLES_PATH': roles_path} + # Get distros by instances type + test_suite_name = path.split('/')[-1:][0] + target_hosts = [] + distros = {"manager": [], "agent": []} + for key in environment_metadata[test_suite_name]: + if environment_metadata[test_suite_name][key]['instances'] > 0: + # Save manager/agent distros for the current test + distros[key] = environment_metadata[test_suite_name][key]['distros'] + # Add the target host to the list (following the standard host name: "-*") + target_hosts.extend([distro.lower() + f"-{key}*" for distro in distros[key]]) + + # Generate test_specific validation playbook + gen_parameters = { + 'playbook': playbook_generator, 'inventory': inventory_path, 'envvars': {'ANSIBLE_ROLES_PATH': roles_path}, + 'extravars': { + 'template_path': playbook_template, 'dest_path': validation_playbook, + 'num_of_managers': num_of_managers, 'num_of_agents': num_of_agents, + 'validation_template': validation_template, 
'target_hosts': ','.join(target_hosts), + 'manager_distros': distros['manager'], 'agent_distros': distros['agent'] } - # Run the validations of the test suite. - validation_runner = ansible_runner.run(**parameters) + } + ansible_runner.run(**gen_parameters) + + # Run test_specific validation playbook + parameters = { + 'playbook': validation_playbook, 'inventory': inventory_path, 'envvars': {'ANSIBLE_ROLES_PATH': roles_path} + } + validation_runner = ansible_runner.run(**parameters) - # If the validation phase has failed, then abort the execution finishing with an error. Else, continue. - if validation_runner.status == 'failed': - raise Exception(f"The validation phase of {{ path }} has failed. Please check that the environments " - 'meet the expected requirements.') + # If the validation phase has failed, then abort the execution finishing with an error. Else, continue. + if validation_runner.status == 'failed': + raise Exception(f"The validation phase of {{ path }} has failed. Please check that the environments " + 'meet the expected requirements.') # -------------------------- End of Step 4 ------------------------------------- diff --git a/tests/end_to_end/data/env_requirements.json b/tests/end_to_end/data/env_requirements.json new file mode 100644 index 0000000000..2325494b9d --- /dev/null +++ b/tests/end_to_end/data/env_requirements.json 
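Review bot: The result of the playbook-generation run, `ansible_runner.run(**gen_parameters)`, is discarded, so if templating `validation_playbook` fails the code goes on to run whatever file is at that path (stale or missing) and reports the failure as a validation error; capture it as the validation run does, `gen_runner = ansible_runner.run(**gen_parameters)` followed by `if gen_runner.status == 'failed': raise Exception(f'Could not generate the validation playbook for {path}')`. The re-indented message `f"The validation phase of {{ path }} has failed..."` uses doubled braces inside an f-string, so it prints the literal text `{ path }` instead of the suite path; it should be `{path}`. Note also that a metadata entry with `"distros": [""]` yields the host pattern `-<key>*` and an empty distro name, which presumably selects no host and lets the check pass vacuously rather than failing loudly. The enclosing `validate_environments` starts outside the hunk.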
@@ -0,0 +1,62 @@ +{ + "test_audit": { + "manager": {"instances": 1, "distros": ["CentOS"]}, + "agent": {"instances": 0, "distros": [""]} + }, + "test_aws_infrastructure_monitoring": { + "manager": {"instances": 1, "distros": ["CentOS"]}, + "agent": {"instances": 0, "distros": [""]} + }, + "test_brute_force": { + "manager": {"instances": 1, "distros": ["CentOS"]}, + "agent": {"instances": 2, "distros": ["CentOS", "Windows"]} + }, + "test_detecting_suspicious_binaries": { + "manager": {"instances": 1, "distros": ["CentOS"]}, + "agent": {"instances": 0, "distros": [""]} + }, + "test_docker_monitoring": { + "manager": {"instances": 1, "distros": ["CentOS"]}, + "agent": {"instances": 0, "distros": [""]} + }, + "test_emotet": { + "manager": {"instances": 1, "distros": ["CentOS"]}, + "agent": {"instances": 1, "distros": ["Windows"]} + }, + "test_fim": { + "manager": {"instances": 1, "distros": ["CentOS"]}, + "agent": {"instances": 2, "distros": ["CentOS", "Windows"]} + }, + "test_netcat": { + "manager": {"instances": 1, "distros": ["CentOS"]}, + "agent": {"instances": 1, "distros": [""]} + }, + "test_osquery_integration": { + "manager": {"instances": 1, "distros": ["CentOS"]}, + "agent": {"instances": 0, "distros": [""]} + }, + "test_shellshock_attack_detection": { + "manager": {"instances": 1, "distros": ["CentOS"]}, + "agent": {"instances": 0, "distros": [""]} + }, + "test_sql_injection": { + "manager": {"instances": 1, "distros": ["CentOS"]}, + "agent": {"instances": 1, "distros": [""]} + }, + "test_virustotal": { + "manager": {"instances": 1, "distros": ["CentOS"]}, + "agent": {"instances": 1, "distros": [""]} + }, + "test_vulnerability_detector": { + "manager": {"instances": 1, "distros": ["CentOS"]}, + "agent": {"instances": 2, "distros": [""]} + }, + "test_windows_defender": { + "manager": {"instances": 1, "distros": ["CentOS"]}, + "agent": {"instances": 1, "distros": [""]} + }, + "test_yara_integration": { + "manager": {"instances": 1, "distros": ["CentOS"]}, + 
"agent": {"instances": 0, "distros": [""]} + } +} \ No newline at end of file diff --git a/tests/end_to_end/data/environment.json b/tests/end_to_end/data/environment.json deleted file mode 100644 index bdb65b1183..0000000000 --- a/tests/end_to_end/data/environment.json +++ /dev/null @@ -1,58 +0,0 @@ -{ - "test_audit": { - "managers": 1, - "agents": 0 - }, - "test_aws_infrastructure_monitoring": { - "managers": 1, - "agents": 0 - }, - "test_brute_force": { - "managers": 1, - "agents": 1 - }, - "test_detecting_suspicious_binaries": { - "managers": 1, - "agents": 0 - }, - "test_docker_monitoring": { - "managers": 1, - "agents": 0 - }, - "test_fim": { - "managers": 1, - "agents": 2 - }, - "test_netcat": { - "managers": 1, - "agents": 1 - }, - "test_osquery_integration": { - "managers": 1, - "agents": 0 - }, - "test_shellshock_attack_detection": { - "managers": 1, - "agents": 0 - }, - "test_sql_injection": { - "managers": 1, - "agents": 1 - }, - "test_virustotal": { - "managers": 1, - "agents": 1 - }, - "test_vulnerability_detector": { - "managers": 1, - "agents": 2 - }, - "test_windows_defender": { - "managers": 1, - "agents": 1 - }, - "test_yara_integration": { - "managers": 1, - "agents": 0 - } -} \ No newline at end of file diff --git a/tests/end_to_end/data/generate_general_play.yaml b/tests/end_to_end/data/validation_playbooks/generate_general_play.yaml similarity index 100% rename from tests/end_to_end/data/generate_general_play.yaml rename to tests/end_to_end/data/validation_playbooks/generate_general_play.yaml diff --git a/tests/end_to_end/data/validation_playbooks/generate_test_specific_play.yaml b/tests/end_to_end/data/validation_playbooks/generate_test_specific_play.yaml new file mode 100644 index 0000000000..53cc6e8ac4 --- /dev/null +++ b/tests/end_to_end/data/validation_playbooks/generate_test_specific_play.yaml 
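Review bot: Several suites with `"instances"` greater than 0 still carry the placeholder `"distros": [""]` — `test_netcat`, `test_sql_injection`, `test_virustotal`, `test_vulnerability_detector` and `test_windows_defender` — so the per-suite validation is fed an empty distro name for those agents instead of a real list. Given how conftest.py derives host patterns from these names, an empty entry presumably matches no agent host and the distro check never runs for them; either fill in the supported distros or have the consumer reject an empty string. The file also ends without a trailing newline.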
@@ -0,0 +1,10 @@ +- hosts: localhost + vars: + validation_template: "{{ validation_template }}" + num_of_managers: "{{ num_of_managers }}" + num_of_agents: "{{ num_of_agents }}" + tasks: + - name: Generate a test specific validation playbook + template: + src: "{{ template_path }}" + dest: "{{ dest_path }}" diff --git a/tests/end_to_end/data/validation_template.j2 b/tests/end_to_end/data/validation_templates/general_validation.j2 similarity index 100% rename from tests/end_to_end/data/validation_template.j2 rename to tests/end_to_end/data/validation_templates/general_validation.j2 diff --git a/tests/end_to_end/data/validation_templates/test_specific_validation.j2 b/tests/end_to_end/data/validation_templates/test_specific_validation.j2 new file mode 100644 index 0000000000..d39b93c04c --- /dev/null +++ b/tests/end_to_end/data/validation_templates/test_specific_validation.j2 @@ -0,0 +1,19 @@ +- name: Check supported distros + hosts: {{ target_hosts }} + any_errors_fatal: true + tasks: + + - name: Check if the host distribution is compatible + include_role: + name: host_checker + tasks_from: check_supported_distro + vars: + os: "{% raw %}{{ 'Windows' if ansible_os_family == 'Windows' else 'Linux' }}{% endraw %}" + dist: "{% raw %}{{ ansible_distribution if ansible_os_family != 'Windows' else 'Windows' }}{% endraw %}" + manager_distros: {{ manager_distros }} + agent_distros: {{ agent_distros }} + +{# Include the test-specific validation tasks if exist #} +{% if validation_template != '' %} +{% include validation_template %} +{% endif %} diff --git a/tests/end_to_end/roles/host_checker/tasks/check_supported_distro.yaml b/tests/end_to_end/roles/host_checker/tasks/check_supported_distro.yaml new file mode 100644 index 0000000000..dafecaae0f --- /dev/null +++ b/tests/end_to_end/roles/host_checker/tasks/check_supported_distro.yaml 
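Review bot: In `generate_test_specific_play.yaml` the play `vars` re-declare `validation_template`, `num_of_managers` and `num_of_agents` as `"{{ validation_template }}"` and so on, i.e. each variable is defined in terms of itself; the values already arrive as extra vars, which take precedence, so the block is dead at best and a recursive-template error if an extra var is missing, and it should simply be dropped. In `test_specific_validation.j2`, `manager_distros: {{ manager_distros }}` and `agent_distros: {{ agent_distros }}` rely on Python's list repr happening to be valid YAML; `{{ manager_distros | to_json }}` makes the intent explicit and survives a quote in a distro name. `hosts: {{ target_hosts }}` has the same fragility for a comma-separated pattern list and should be quoted.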
@@ -0,0 +1,24 @@ +# REQUIRED VARIABLES +# ------------------- +# (String) os: Target operating system +# (String) dist: Target distribution +# (String) supported_dist: List of ditros supported by the current test + +- name: Get Wazuh installation + include_role: + name: service_controller + tasks_from: get_installation_type + +- debug: var=wazuh_info.stdout + +- debug: var=manager_distros + +- debug: var=agent_distros + +- fail: + msg: "{{ dist }} is not supported by this test: {{ manager_distros }}" + when: ('server' in wazuh_info.stdout and dist not in manager_distros) + +- fail: + msg: "{{ dist }} is not supported by this test: {{ manager_distros }}" + when: ('agent' in wazuh_info.stdout and dist not in manager_distros) From 7b5819b58623cda73f3a1c5abd9ad825dca57ac0 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Wed, 17 Aug 2022 16:26:33 -0300 Subject: [PATCH 388/552] add: manage wazuh configurations role and manage alerts role --- .../data/playbooks/configuration.yaml | 23 ++++++--- .../data/playbooks/generate_events.yaml | 9 ++-- .../data/playbooks/configuration.yaml | 48 +++++++++++++------ .../data/playbooks/generate_events.yaml | 9 ++-- .../manage_alerts/tasks/get_alert_json.yaml | 6 +++ .../tasks/truncate_alert_json.yaml | 3 ++ .../tasks/write_local_rules.yaml | 7 +++ .../tasks/write_wazuh_config.yaml | 12 +++++ 8 files changed, 89 insertions(+), 28 deletions(-) create mode 100644 tests/end_to_end/roles/manage_alerts/tasks/get_alert_json.yaml create mode 100644 tests/end_to_end/roles/manage_alerts/tasks/truncate_alert_json.yaml create mode 100644 tests/end_to_end/roles/manage_wazuh_configurations/tasks/write_local_rules.yaml create mode 100644 tests/end_to_end/roles/manage_wazuh_configurations/tasks/write_wazuh_config.yaml diff --git a/tests/end_to_end/basic_cases/test_sql_injection/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_sql_injection/data/playbooks/configuration.yaml index f1ba8e8c01..5f9c710be9 100644 
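Review bot: The agent branch compares against the wrong list: the second `fail` task has `when: ('agent' in wazuh_info.stdout and dist not in manager_distros)` and its message prints `manager_distros` too, so an agent host is validated against the manager's supported distros and `agent_distros` is never consulted. It should read `when: ('agent' in wazuh_info.stdout and dist not in agent_distros)` with `msg: "{{ dist }} is not supported by this test: {{ agent_distros }}"`. The header comment documents a `supported_dist` variable that no task uses, while the variables the tasks actually require, `manager_distros` and `agent_distros`, are undocumented; update the comment block accordingly (and fix the `ditros` typo).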
--- a/tests/end_to_end/basic_cases/test_sql_injection/data/playbooks/configuration.yaml +++ b/tests/end_to_end/basic_cases/test_sql_injection/data/playbooks/configuration.yaml @@ -11,17 +11,28 @@ become: true shell: systemctl start httpd + # - name: Configure agent to monitor the Apache access logs + # become: true + # blockinfile: + # path: /var/ossec/etc/ossec.conf + # insertbefore: + # block: | + # + # apache + # /var/log/httpd/access_log + # + # marker: - name: Configure agent to monitor the Apache access logs - become: true - blockinfile: - path: /var/ossec/etc/ossec.conf - insertbefore: - block: | + include_role: + name: manage_wazuh_configurations + tasks_from: write_wazuh_config.yaml + vars: + config_block: | apache /var/log/httpd/access_log - marker: + os: 'linux' - name: Restart agent include_role: diff --git a/tests/end_to_end/basic_cases/test_sql_injection/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_sql_injection/data/playbooks/generate_events.yaml index 708db24b28..751904f04a 100644 --- a/tests/end_to_end/basic_cases/test_sql_injection/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/basic_cases/test_sql_injection/data/playbooks/generate_events.yaml @@ -3,8 +3,9 @@ tasks: - name: Truncate alert.json - shell: echo "" > /var/ossec/logs/alerts/alerts.json - become: true + include_role: + name: manage_alerts + tasks_from: truncate_alert_json.yaml - name: Generate events hosts: localhost @@ -15,7 +16,7 @@ - name: Wait for alert wait_for: - timeout: 5 + timeout: 30 - name: Get logs hosts: wazuh-manager @@ -23,6 +24,6 @@ - name: Get alert json include_role: - name: get_alerts + name: manage_alerts tasks_from: get_alert_json.yaml diff --git a/tests/end_to_end/basic_cases/test_windows_defender/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_windows_defender/data/playbooks/configuration.yaml index 04c27547e6..d8e49aef53 100644 
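Review bot: The old `blockinfile` task is kept as a commented-out block (`# - name: Configure agent to monitor the Apache access logs …`) directly above its `include_role` replacement, and the same happens in `test_windows_defender/data/playbooks/configuration.yaml` in the hunk at `@@ -48,7 +53,22 @@`. Git history already preserves the previous version, so delete the commented copies rather than leaving two diverging descriptions of the same step. In `generate_events.yaml` the `wait_for: timeout: 5` → `30` change is a fixed sleep with no condition; if the intent is "wait until the alert exists", a `wait_for` with `path:` and `search_regex:` would both return earlier and fail with a clearer message.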
--- a/tests/end_to_end/basic_cases/test_windows_defender/data/playbooks/configuration.yaml +++ b/tests/end_to_end/basic_cases/test_windows_defender/data/playbooks/configuration.yaml @@ -14,14 +14,19 @@ remote_src: true - name: Enable the agent to collect Windows Defender logs - ansible.windows.win_shell: | - Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" - Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" - Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' ` - "`nMicrosoft-Windows-Windows Defender/Operational" - Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`neventchannel" - Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" - Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" + include_role: + name: manage_wazuh_configurations + tasks_from: write_wazuh_config.yaml + vars: + config_block: | + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' ` + "`nMicrosoft-Windows-Windows Defender/Operational" + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`neventchannel" + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" + os: 'windows' - name: Restart agent include_role: @@ -35,11 +40,11 @@ tasks: - name: Configure local rules - become: true - blockinfile: - path: /var/ossec/etc/rules/local_rules.xml - insertafter: - block: | + include_role: + name: manage_wazuh_configurations + tasks_from: write_local_rules.yaml + vars: + config_block: | 62100 
@@ -48,7 +53,22 @@ defender,attack.t1089 - marker: + + # - name: Configure local rules + # become: true + # blockinfile: + # path: /var/ossec/etc/rules/local_rules.xml + # insertafter: + # block: | + # + # + # 62100 + # ^5001$ + # Windows Defender Real-time Protection was disabled. + # defender,attack.t1089 + # + # + # marker: - name: Restart manager include_role: diff --git a/tests/end_to_end/basic_cases/test_windows_defender/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_windows_defender/data/playbooks/generate_events.yaml index 4838db7e8d..b76e732677 100644 --- a/tests/end_to_end/basic_cases/test_windows_defender/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/basic_cases/test_windows_defender/data/playbooks/generate_events.yaml @@ -2,9 +2,10 @@ hosts: wazuh-manager tasks: - - name: Truncate file alert.json - shell: echo "" > /var/ossec/logs/alerts/alerts.json - become: true + - name: Truncate alert.json + include_role: + name: manage_alerts + tasks_from: truncate_alert_json.yaml - name: Generate events hosts: wazuh-windows @@ -23,5 +24,5 @@ - name: Get alert json include_role: - name: get_alerts + name: manage_alerts tasks_from: get_alert_json.yaml diff --git a/tests/end_to_end/roles/manage_alerts/tasks/get_alert_json.yaml b/tests/end_to_end/roles/manage_alerts/tasks/get_alert_json.yaml new file mode 100644 index 0000000000..684f41b76d --- /dev/null +++ b/tests/end_to_end/roles/manage_alerts/tasks/get_alert_json.yaml @@ -0,0 +1,6 @@ +- name: Get alerts.json + fetch: + src: /var/ossec/logs/alerts/alerts.json + dest: /tmp/ + flat: true + become: true \ No newline at end of file diff --git a/tests/end_to_end/roles/manage_alerts/tasks/truncate_alert_json.yaml b/tests/end_to_end/roles/manage_alerts/tasks/truncate_alert_json.yaml new file mode 100644 index 0000000000..7230e5b58d --- /dev/null +++ b/tests/end_to_end/roles/manage_alerts/tasks/truncate_alert_json.yaml 
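Review bot: `get_alert_json.yaml` fetches `/var/ossec/logs/alerts/alerts.json` with `flat: true` into the fixed controller path `dest: /tmp/`, so every manager, and every concurrent test run on the same controller, overwrites the same `/tmp/alerts.json`, and the alert data ends up in a directory readable by every local user. Take the destination as a role variable with a per-run default instead of hard-coding `/tmp/` (the tests on this page already resolve their own temp dir via `tempfile.gettempdir()`), and keep `flat: true` only where a single source host is guaranteed. The file also ends without a trailing newline.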
@@ -0,0 +1,3 @@
+- name: Truncate file
+ shell: echo "" > /var/ossec/logs/alerts/alerts.json
+ become: true
\ No newline at end of file
diff --git a/tests/end_to_end/roles/manage_wazuh_configurations/tasks/write_local_rules.yaml b/tests/end_to_end/roles/manage_wazuh_configurations/tasks/write_local_rules.yaml
new file mode 100644
index 0000000000..a7f6ebbd9d
--- /dev/null
+++ b/tests/end_to_end/roles/manage_wazuh_configurations/tasks/write_local_rules.yaml
@@ -0,0 +1,7 @@
+- name: Configure local rules
+ become: true
+ blockinfile:
+ path: /var/ossec/etc/rules/local_rules.xml
+ insertafter:
+ block: "{{ config_block }}"
+ marker:
\ No newline at end of file
diff --git a/tests/end_to_end/roles/manage_wazuh_configurations/tasks/write_wazuh_config.yaml b/tests/end_to_end/roles/manage_wazuh_configurations/tasks/write_wazuh_config.yaml
new file mode 100644
index 0000000000..2cf8bee559
--- /dev/null
+++ b/tests/end_to_end/roles/manage_wazuh_configurations/tasks/write_wazuh_config.yaml
@@ -0,0 +1,12 @@
+- name: Configure ossec.conf linux
+ become: true
+ blockinfile:
+ path: /var/ossec/etc/ossec.conf
+ insertbefore:
+ block: "{{ config_block }}"
+ marker:
+ when: os == 'linux'
+
+- name: Configure ossec.conf windows
+ ansible.windows.win_shell: "{{ config_block }}"
+ when: os == 'windows'
\ No newline at end of file
From 6418025c26952ef65fe51547430a73b7bc5b5bea Mon Sep 17 00:00:00 2001
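Review bot: In `write_wazuh_config.yaml` both tasks are guarded by `when: os == 'linux'` / `when: os == 'windows'`, so any other spelling of `os` (`Linux`, `win`) turns the whole role into a silent no-op and the test fails much later on a missing alert rather than here; add an up-front guard such as `- assert: { that: os in ['linux', 'windows'] }` or normalise with `os | lower` in both conditions. The Windows branch also changes the role's contract: on Linux `config_block` is file content written by `blockinfile`, on Windows it is an arbitrary PowerShell script executed by `ansible.windows.win_shell`, which the role name `manage_wazuh_configurations` does not suggest and which keeps the file-editing logic in every caller; a Windows file-editing task taking the same content would make the two branches symmetric. In `truncate_alert_json.yaml`, `echo "" >` leaves one newline in the file rather than truncating it; `truncate -s 0 /var/ossec/logs/alerts/alerts.json` or the `copy` module with `content: ''` expresses the intent. All three files lack a trailing newline.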
From: Julia Date: Thu, 18 Aug 2022 11:28:02 +0200 Subject: [PATCH 389/552] add: Change default timeout --- tests/end_to_end/basic_cases/test_audit/test_audit.py | 3 ++- .../test_aws_infrastructure_monitoring.py | 3 ++- .../test_brute_force_rdp/test_brute_force_rdp.py | 6 ++++-- .../test_brute_force_ssh/test_brute_force_ssh.py | 3 ++- .../test_detecting_suspicious_binaries.py | 3 ++- .../test_docker_monitoring/test_docker_monitoring.py | 3 ++- tests/end_to_end/basic_cases/test_emotet/test_emotet.py | 4 +++- .../basic_cases/test_fim/test_fim_linux/test_fim_linux.py | 3 ++- .../test_fim/test_fim_windows/test_fim_windows.py | 3 ++- .../basic_cases/test_ip_reputation/test_ip_reputation.py | 4 +++- tests/end_to_end/basic_cases/test_netcat/test_netcat.py | 3 ++- .../test_osquery_integration/test_osquery_integration.py | 3 ++- .../test_shellshock_attack_detection.py | 3 ++- .../basic_cases/test_sql_injection/test_sql_injection.py | 3 ++- .../test_suricata_integration/test_suricata_integration.py | 3 ++- .../test_virustotal_integration.py | 3 ++- .../test_vulnerability_detector_linux.py | 5 +++-- .../test_vulnerability_detection_windows.py | 3 ++- .../test_windows_defender/test_windows_defender.py | 3 ++- 19 files changed, 43 insertions(+), 21 deletions(-) diff --git a/tests/end_to_end/basic_cases/test_audit/test_audit.py b/tests/end_to_end/basic_cases/test_audit/test_audit.py index f74b82233a..6ff14d5397 100644 --- a/tests/end_to_end/basic_cases/test_audit/test_audit.py +++ b/tests/end_to_end/basic_cases/test_audit/test_audit.py @@ -4,6 +4,7 @@ import pytest from tempfile import gettempdir +import wazuh_testing as fw from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config 
@@ -36,7 +37,7 @@ def test_audit(configure_environment, metadata, get_dashboard_credentials, gener # Check that alert has been raised and save timestamp raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - error_message='The alert has not occurred').result() + timeout=fw.T_5, error_message='The alert has not occurred').result() raised_alert_timestamp = raised_alert.group(1) query = e2e.make_query([ diff --git a/tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py b/tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py index 32fe9f06d1..ea25eaec81 100644 --- a/tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py +++ b/tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py @@ -5,6 +5,7 @@ from datetime import datetime from tempfile import gettempdir +import wazuh_testing as fw from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config @@ -50,7 +51,7 @@ def test_aws_infrastructure_monitoring(metadata, configure_environment, get_dash # Check that alert has been raised and save timestamp raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - error_message='The alert has not occurred').result() + timeout=fw.T_5, error_message='The alert has not occurred').result() raised_alert_timestamp = raised_alert.group(1) query = e2e.make_query([ diff --git a/tests/end_to_end/basic_cases/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py b/tests/end_to_end/basic_cases/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py index 64cb8806d1..86974641f3 100644 --- a/tests/end_to_end/basic_cases/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py 
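Review bot: The new `timeout=fw.T_5` argument is pasted verbatim into the same `evm.check_event(...)` call in every suite — this hunk and the matching hunks in aws_infrastructure_monitoring, brute_force_rdp/ssh, detecting_suspicious_binaries, docker_monitoring, emotet, fim_linux/windows, ip_reputation, netcat, osquery_integration, shellshock_attack_detection, sql_injection, suricata_integration and virustotal_integration — so one decision now lives in nineteen files and the next adjustment touches all of them again, although the commit title promises a changed default. A single constant in the shared `end_to_end` helper, or a default on the fixture that wraps `check_event`, would keep it in one place. The page does not show what `fw.T_5` is, so a comment at its use, `# fw.T_5: how long to wait for the alert to reach alerts.json`, would save the next reader a lookup. In test_emotet and test_ip_reputation the message becomes `f"The alert '{rule_description}'" ' has not occurred'`; implicit concatenation of an f-string with a plain string reads like a mistake at a glance, and a single f-string on the continuation line is clearer.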
+++ b/tests/end_to_end/basic_cases/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py @@ -4,6 +4,7 @@ import pytest from tempfile import gettempdir +import wazuh_testing as fw from wazuh_testing.tools import configuration as config from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm @@ -24,7 +25,8 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_brute_force_rdp(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): +def test_brute_force_rdp(configure_environment, metadata, get_dashboard_credentials, generate_events, + clean_alerts_index): """ Test to detect a RDP Brute Force attack """ @@ -42,7 +44,7 @@ def test_brute_force_rdp(configure_environment, metadata, get_dashboard_credenti # Check that alert has been raised and save timestamp raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - error_message='The alert has not occurred').result() + timeout=fw.T_5, error_message='The alert has not occurred').result() raised_alert_timestamp = raised_alert.group(1) query = e2e.make_query([ diff --git a/tests/end_to_end/basic_cases/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py b/tests/end_to_end/basic_cases/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py index eee77d81bf..72e3dfd3f3 100644 --- a/tests/end_to_end/basic_cases/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py +++ b/tests/end_to_end/basic_cases/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py @@ -4,6 +4,7 @@ import pytest from tempfile import gettempdir +import wazuh_testing as fw from wazuh_testing.tools import configuration as config from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm 
@@ -41,7 +42,7 @@ def test_brute_force_ssh(metadata, get_dashboard_credentials, generate_events, c # Check that alert has been raised and save timestamp raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - error_message='The alert has not occurred').result() + timeout=fw.T_5, error_message='The alert has not occurred').result() raised_alert_timestamp = raised_alert.group(1) query = e2e.make_query([ diff --git a/tests/end_to_end/basic_cases/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py b/tests/end_to_end/basic_cases/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py index 3c633e341b..bca9982108 100644 --- a/tests/end_to_end/basic_cases/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py +++ b/tests/end_to_end/basic_cases/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py @@ -4,6 +4,7 @@ import pytest from tempfile import gettempdir +import wazuh_testing as fw from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config @@ -44,7 +45,7 @@ def test_detecting_suspicious_binaries(configure_environment, metadata, get_dash # Check that alert has been raised and save timestamp raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - error_message='The alert has not occurred').result() + timeout=fw.T_5, error_message='The alert has not occurred').result() raised_alert_timestamp = raised_alert.group(1) query = e2e.make_query([ diff --git a/tests/end_to_end/basic_cases/test_docker_monitoring/test_docker_monitoring.py b/tests/end_to_end/basic_cases/test_docker_monitoring/test_docker_monitoring.py index eb65293a5d..6f2a4c3986 100644 --- a/tests/end_to_end/basic_cases/test_docker_monitoring/test_docker_monitoring.py +++ b/tests/end_to_end/basic_cases/test_docker_monitoring/test_docker_monitoring.py 
@@ -4,6 +4,7 @@ import pytest from tempfile import gettempdir +import wazuh_testing as fw from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config @@ -41,7 +42,7 @@ def test_docker_monitoring(configure_environment, metadata, get_dashboard_creden # Check that alert has been raised and save timestamp raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - error_message='The alert has not occurred').result() + timeout=fw.T_5, error_message='The alert has not occurred').result() raised_alert_timestamp = raised_alert.group(1) query = e2e.make_query([ diff --git a/tests/end_to_end/basic_cases/test_emotet/test_emotet.py b/tests/end_to_end/basic_cases/test_emotet/test_emotet.py index 74f074f8d0..cc80694030 100644 --- a/tests/end_to_end/basic_cases/test_emotet/test_emotet.py +++ b/tests/end_to_end/basic_cases/test_emotet/test_emotet.py @@ -4,6 +4,7 @@ import pytest from tempfile import gettempdir +import wazuh_testing as fw from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config @@ -47,7 +48,8 @@ def test_emotet(configure_environment, metadata, get_dashboard_credentials, gene # Check that alert has been raised and save timestamp raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - error_message=f"The alert '{rule_description}' has not occurred").result() + timeout=fw.T_5, error_message=f"The alert '{rule_description}'" + ' has not occurred').result() raised_alert_timestamp = raised_alert.group(1) query = e2e.make_query([ diff --git a/tests/end_to_end/basic_cases/test_fim/test_fim_linux/test_fim_linux.py b/tests/end_to_end/basic_cases/test_fim/test_fim_linux/test_fim_linux.py index d483f4161c..13451694c1 100644 --- a/tests/end_to_end/basic_cases/test_fim/test_fim_linux/test_fim_linux.py 
+++ b/tests/end_to_end/basic_cases/test_fim/test_fim_linux/test_fim_linux.py @@ -4,6 +4,7 @@ import pytest from tempfile import gettempdir +import wazuh_testing as fw from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config @@ -38,7 +39,7 @@ def test_fim_linux(configure_environment, metadata, get_dashboard_credentials, g # Check that alert has been raised and save timestamp raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - error_message='The alert has not occurred').result() + timeout=fw.T_5, error_message='The alert has not occurred').result() raised_alert_timestamp = raised_alert.group(1) query = e2e.make_query([ diff --git a/tests/end_to_end/basic_cases/test_fim/test_fim_windows/test_fim_windows.py b/tests/end_to_end/basic_cases/test_fim/test_fim_windows/test_fim_windows.py index 249e09b2a7..27d2af2c10 100644 --- a/tests/end_to_end/basic_cases/test_fim/test_fim_windows/test_fim_windows.py +++ b/tests/end_to_end/basic_cases/test_fim/test_fim_windows/test_fim_windows.py @@ -4,6 +4,7 @@ import pytest from tempfile import gettempdir +import wazuh_testing as fw from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config @@ -38,7 +39,7 @@ def test_fim_windows(configure_environment, metadata, get_dashboard_credentials, # Check that alert has been raised and save timestamp raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - error_message='The alert has not occurred').result() + timeout=fw.T_5, error_message='The alert has not occurred').result() raised_alert_timestamp = raised_alert.group(1) query = e2e.make_query([ diff --git a/tests/end_to_end/basic_cases/test_ip_reputation/test_ip_reputation.py b/tests/end_to_end/basic_cases/test_ip_reputation/test_ip_reputation.py index 073932012d..3e81f730e0 100644 
--- a/tests/end_to_end/basic_cases/test_ip_reputation/test_ip_reputation.py +++ b/tests/end_to_end/basic_cases/test_ip_reputation/test_ip_reputation.py @@ -4,6 +4,7 @@ import pytest from tempfile import gettempdir +import wazuh_testing as fw from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config @@ -46,7 +47,8 @@ def test_ip_reputation(configure_environment, metadata, get_dashboard_credential # Check that alert has been raised and save timestamp raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - error_message=f"The alert '{rule_description}' has not occurred").result() + timeout=fw.T_5, error_message=f"The alert '{rule_description}'" + ' has not occurred').result() raised_alert_timestamp = raised_alert.group(1) query = e2e.make_query([ diff --git a/tests/end_to_end/basic_cases/test_netcat/test_netcat.py b/tests/end_to_end/basic_cases/test_netcat/test_netcat.py index 23e4d785f1..0ba23cf091 100644 --- a/tests/end_to_end/basic_cases/test_netcat/test_netcat.py +++ b/tests/end_to_end/basic_cases/test_netcat/test_netcat.py @@ -4,6 +4,7 @@ import pytest from tempfile import gettempdir +import wazuh_testing as fw from wazuh_testing.tools import configuration as config from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm @@ -38,7 +39,7 @@ def test_netcat(configure_environment, metadata, get_dashboard_credentials, gene # Check that alert has been raised and save timestamp raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - error_message='The alert has not occurred').result() + timeout=fw.T_5, error_message='The alert has not occurred').result() raised_alert_timestamp = raised_alert.group(1) query = e2e.make_query([ 
diff --git a/tests/end_to_end/basic_cases/test_osquery_integration/test_osquery_integration.py b/tests/end_to_end/basic_cases/test_osquery_integration/test_osquery_integration.py index 3fa1906a84..e2b97483f3 100644 --- a/tests/end_to_end/basic_cases/test_osquery_integration/test_osquery_integration.py +++ b/tests/end_to_end/basic_cases/test_osquery_integration/test_osquery_integration.py @@ -4,6 +4,7 @@ import pytest from tempfile import gettempdir +import wazuh_testing as fw from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config @@ -39,7 +40,7 @@ def test_osquery_integration(configure_environment, metadata, get_dashboard_cred # Check that alert has been raised and save timestamp raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - error_message='The alert has not occurred').result() + timeout=fw.T_5, error_message='The alert has not occurred').result() raised_alert_timestamp = raised_alert.group(1) query = e2e.make_query([ diff --git a/tests/end_to_end/basic_cases/test_shellshock_attack_detection/test_shellshock_attack_detection.py b/tests/end_to_end/basic_cases/test_shellshock_attack_detection/test_shellshock_attack_detection.py index 6d2795e752..c3a0e1df68 100644 --- a/tests/end_to_end/basic_cases/test_shellshock_attack_detection/test_shellshock_attack_detection.py +++ b/tests/end_to_end/basic_cases/test_shellshock_attack_detection/test_shellshock_attack_detection.py @@ -4,6 +4,7 @@ import pytest from tempfile import gettempdir +import wazuh_testing as fw from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config 
@@ -36,7 +37,7 @@ def test_shellshock_attack_detection(configure_environment, metadata, get_dashbo
 # Check that alert has been raised and save timestamp
 raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json,
- error_message='The alert has not occurred').result()
+ timeout=fw.T_5, error_message='The alert has not occurred').result()
 raised_alert_timestamp = raised_alert.group(1)
 query = e2e.make_query([
diff --git a/tests/end_to_end/basic_cases/test_sql_injection/test_sql_injection.py b/tests/end_to_end/basic_cases/test_sql_injection/test_sql_injection.py
index 1c3f0a39ff..a742e3d7bf 100644
--- a/tests/end_to_end/basic_cases/test_sql_injection/test_sql_injection.py
+++ b/tests/end_to_end/basic_cases/test_sql_injection/test_sql_injection.py
@@ -4,6 +4,7 @@
 import pytest
 from tempfile import gettempdir
+import wazuh_testing as fw
 from wazuh_testing import end_to_end as e2e
 from wazuh_testing import event_monitor as evm
 from wazuh_testing.tools import configuration as config
@@ -39,7 +40,7 @@ def test_sql_injection(configure_environment, metadata, get_dashboard_credential
 # Check that alert has been raised and save timestamp
 raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json,
- error_message='The alert has not occurred').result()
+ timeout=fw.T_5, error_message='The alert has not occurred').result()
 raised_alert_timestamp = raised_alert.group(1)
 query = e2e.make_query([
diff --git a/tests/end_to_end/basic_cases/test_suricata_integration/test_suricata_integration.py b/tests/end_to_end/basic_cases/test_suricata_integration/test_suricata_integration.py
index 3b7e3d2244..9155c2c795 100644
--- a/tests/end_to_end/basic_cases/test_suricata_integration/test_suricata_integration.py
+++ b/tests/end_to_end/basic_cases/test_suricata_integration/test_suricata_integration.py
@@ -4,6 +4,7 @@
 import pytest
 from tempfile import gettempdir
+import wazuh_testing as fw
 from wazuh_testing import end_to_end as e2e
 from wazuh_testing import event_monitor as evm
 from wazuh_testing.tools import configuration as config
@@ -36,7 +37,7 @@ def test_suricata_integration(configure_environment, metadata, get_dashboard_cre
 # Check that alert has been raised and save timestamp
 raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json,
- error_message='The alert has not occurred').result()
+ timeout=fw.T_5, error_message='The alert has not occurred').result()
 raised_alert_timestamp = raised_alert.group(1)
 query = e2e.make_query([
diff --git a/tests/end_to_end/basic_cases/test_virustotal_integration/test_virustotal_integration.py b/tests/end_to_end/basic_cases/test_virustotal_integration/test_virustotal_integration.py
index 761d2b8f7b..43904644d6 100644
--- a/tests/end_to_end/basic_cases/test_virustotal_integration/test_virustotal_integration.py
+++ b/tests/end_to_end/basic_cases/test_virustotal_integration/test_virustotal_integration.py
@@ -4,6 +4,7 @@
 import pytest
 from tempfile import gettempdir
+import wazuh_testing as fw
 from wazuh_testing import end_to_end as e2e
 from wazuh_testing import event_monitor as evm
 from wazuh_testing.tools import configuration as config
@@ -41,7 +42,7 @@ def test_virustotal_integration(configure_environment, metadata, get_dashboard_c
 # Check that alert has been raised and save timestamp
 raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json,
- error_message='The alert has not occurred').result()
+ timeout=fw.T_5, error_message='The alert has not occurred').result()
 raised_alert_timestamp = raised_alert.group(1)
 query = e2e.make_query([
diff --git a/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py b/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py
index 57703bdd01..1b85411fe8 100644
--- a/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py
+++ b/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py
@@ -4,6 +4,7 @@
 import pytest
 from tempfile import gettempdir
+import wazuh_testing as fw
 from wazuh_testing.tools import configuration as config
 from wazuh_testing import end_to_end as e2e
 from wazuh_testing import event_monitor as evm
@@ -25,7 +26,7 @@
 @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning')
 @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids)
 def test_vulnerability_detector_linux(configure_environment, metadata, get_dashboard_credentials, generate_events,
- clean_alerts_index):
+ clean_alerts_index):
 """
 Test to detect a vulnerability
 """
@@ -43,7 +44,7 @@ def test_vulnerability_detector_linux(configure_environment, metadata, get_dashb
 # Check that alert has been raised and save timestamp
 raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json,
- error_message='The alert has not occurred').result()
+ timeout=fw.T_5, error_message='The alert has not occurred').result()
 raised_alert_timestamp = raised_alert.group(1)
 query = e2e.make_query([
diff --git a/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py b/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py
index 143381f6f4..b692de19f8 100644
--- a/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py
+++ b/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py
@@ -4,6 +4,7 @@
 import pytest
 from tempfile import gettempdir
+import wazuh_testing as fw
 from wazuh_testing.tools import configuration as config
 from wazuh_testing import end_to_end as e2e
 from wazuh_testing import event_monitor as evm
@@ -43,7 +44,7 @@ def test_vulnerability_detector_windows(configure_environment, metadata, get_das
 # Check that alert has been raised and save timestamp
 raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json,
- error_message='The alert has not occurred').result()
+ timeout=fw.T_5, error_message='The alert has not occurred').result()
 raised_alert_timestamp = raised_alert.group(1)
 query = e2e.make_query([
diff --git a/tests/end_to_end/basic_cases/test_windows_defender/test_windows_defender.py b/tests/end_to_end/basic_cases/test_windows_defender/test_windows_defender.py
index a5f373e452..aad4df8ff1 100644
--- a/tests/end_to_end/basic_cases/test_windows_defender/test_windows_defender.py
+++ b/tests/end_to_end/basic_cases/test_windows_defender/test_windows_defender.py
@@ -4,6 +4,7 @@
 import pytest
 from tempfile import gettempdir
+import wazuh_testing as fw
 from wazuh_testing.tools import configuration as config
 from wazuh_testing import end_to_end as e2e
 from wazuh_testing import event_monitor as evm
@@ -43,7 +44,7 @@ def test_windows_defender(configure_environment, metadata, get_dashboard_credent
 # Check that alert has been raised and save timestamp
 raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json,
- error_message='The alert has not occurred').result()
+ timeout=fw.T_5, error_message='The alert has not occurred').result()
 raised_alert_timestamp = raised_alert.group(1)
 query = e2e.make_query([
From 3591628e579727c5547b9e2854b4e7d2fe1202a7 Mon Sep 17 00:00:00 2001 From: Julia Date: Thu, 18 Aug 2022 12:08:55 +0200 Subject: [PATCH 390/552] add: Add brute force documentation --- .../wazuh_testing/qa_docs/schema.yaml | 2 + .../test_brute_force_rdp.py | 80 ++++++++++++++++++- .../test_brute_force_ssh.py | 74 ++++++++++++++++- 3 files changed, 150 insertions(+), 6 deletions(-)
diff --git a/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml b/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml
index 23b1dacd0a..88c2d4e3ea 100644
--- a/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml
+++ b/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml
@@ -334,6 +334,7 @@ predefined_values: - providers - pull - rbac + - rdp - realtime - redhat - redhat_feeds
@@ -354,6 +355,7 @@ predefined_values: - simulator - slack - sql_injection + - ssh - ssl - stats_file - suricata
diff --git a/tests/end_to_end/basic_cases/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py b/tests/end_to_end/basic_cases/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py
index 64cb8806d1..4126129f21 100644
--- a/tests/end_to_end/basic_cases/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py
+++ b/tests/end_to_end/basic_cases/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py
@@ -1,3 +1,42 @@ +''' +copyright: Copyright (C) 2015-2022, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: end_to_end + +brief: This test will verify that the detection of brute force attacks is working correctly. + +components: + - logcollector + +targets: + - manager + - agent + +daemons: + - wazuh-logcollector + - wazuh-analysisd + +os_platform: + - linux + - windows + +os_version: + - CentOS 8 + - Windows Server 2019 + +references: + - https://github.com/wazuh/wazuh-automation/wiki/Wazuh-demo:-Execution-guide#brute-force + - https://documentation.wazuh.com/current/proof-of-concept-guide/detect-brute-force-attack.html + +tags: + - demo + - brute_force_attack + - rdp +''' import os import json import re 
@@ -25,9 +64,44 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) def test_brute_force_rdp(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): - """ - Test to detect a RDP Brute Force attack - """ + ''' + description: Check that an alert is generated and indexed when a brute force attack is perfomed. + + test_phases: + - Set a custom Wazuh configuration. + - Run hydra command to attempt an invalid RDP connection and generate event. + - Check in the alerts.json log that the expected alert has been triggered and get its timestamp. + - Check that the obtained alert from alerts.json has been indexed. + + wazuh_min_version: 4.4.0 + + tier: 0 + + parameters: + - configurate_environment: + type: fixture + brief: Set the wazuh configuration according to the configuration playbook. + - metadata: + type: dict + brief: Wazuh configuration metadata. + - get_dashboard_credentials: + type: fixture + brief: Get the wazuh dashboard credentials. + - generate_events: + type: fixture + brief: Generate events that will trigger the alert according to the generate_events playbook. + - clean_alerts_index: + type: fixture + brief: Delete obtained alerts.json and alerts index. + + assertions: + - Verify that the alert has been triggered. + - Verify that the same alert has been indexed. + + input_description: + - The `configuration.yaml` file provides the module configuration for this test. + - The `generate_events.yaml`file provides the function configuration for this test. + ''' rule_id = metadata['rule.id'] rule_level = metadata['rule.level'] rule_description = metadata['rule.description'] diff --git a/tests/end_to_end/basic_cases/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py b/tests/end_to_end/basic_cases/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py index eee77d81bf..5e273d95d1 100644 
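Review bot: The `parameters` section documents a fixture named `configurate_environment`, but the function signature in the same hunk takes `configure_environment`; a qa-docs consumer that matches documented parameters against the signature would presumably not link them, so the entry should read `- configure_environment:`. The same mismatch appears in the fim_linux, fim_windows, vulnerability detector linux and vulnerability detector windows docstring hunks. Two smaller wording issues in the same block: `perfomed` in the `description` line should be `performed` (also in the ssh hunk), and the `input_description` entry for `generate_events.yaml` is missing the space between the closing backtick and `file` (repeated in every docstring hunk of these commits). test_brute_force_rdp's body continues beyond the hunk.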
--- a/tests/end_to_end/basic_cases/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py +++ b/tests/end_to_end/basic_cases/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py @@ -1,3 +1,40 @@ +''' +copyright: Copyright (C) 2015-2022, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: end_to_end + +brief: This test will verify that the detection of brute force attacks is working correctly. + +components: + - logcollector + +targets: + - manager + - agent + +daemons: + - wazuh-logcollector + - wazuh-analysisd + +os_platform: + - linux + +os_version: + - CentOS 8 + +references: + - https://github.com/wazuh/wazuh-automation/wiki/Wazuh-demo:-Execution-guide#brute-force + - https://documentation.wazuh.com/current/proof-of-concept-guide/detect-brute-force-attack.html + +tags: + - demo + - brute_force_attack + - ssh +''' import os import json import re 
@@ -24,9 +61,40 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) def test_brute_force_ssh(metadata, get_dashboard_credentials, generate_events, clean_alerts_index): - """ - Test to detect a SSH Brute Force attack - """ + ''' + description: Check that an alert is generated and indexed when a brute force attack is perfomed. + + test_phases: + - Set a custom Wazuh configuration. + - Run ssh command to attempt an invalid SSH connection and generate event. + - Check in the alerts.json log that the expected alert has been triggered and get its timestamp. + - Check that the obtained alert from alerts.json has been indexed. + + wazuh_min_version: 4.4.0 + + tier: 0 + + parameters: + - metadata: + type: dict + brief: Wazuh configuration metadata. + - get_dashboard_credentials: + type: fixture + brief: Get the wazuh dashboard credentials. + - generate_events: + type: fixture + brief: Generate events that will trigger the alert according to the generate_events playbook. + - clean_alerts_index: + type: fixture + brief: Delete obtained alerts.json and alerts index. + + assertions: + - Verify that the alert has been triggered. + - Verify that the same alert has been indexed. + + input_description: + - The `generate_events.yaml`file provides the function configuration for this test. + ''' rule_id = metadata['rule.id'] rule_level = metadata['rule.level'] rule_description = metadata['rule.description'] From 5d165d2c6dab11a1b53ceb6d67a3613e6236a461 Mon Sep 17 00:00:00 2001 From: Julia Date: Thu, 18 Aug 2022 12:16:59 +0200 Subject: [PATCH 391/552] add: Add FIM documentation --- .../test_fim/test_fim_linux/test_fim_linux.py | 80 +++++++++++++++++- .../test_fim_windows/test_fim_windows.py | 82 ++++++++++++++++++- 2 files changed, 156 insertions(+), 6 deletions(-) 
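Review bot: `test_phases` opens with `Set a custom Wazuh configuration.`, but `test_brute_force_ssh` takes no `configure_environment` fixture and `input_description` lists only `generate_events.yaml`, so nothing visible in this test performs that phase; either drop that line or state that the default manager configuration is used. `perfomed` in the `description` line should read `performed`. The function body continues beyond the hunk.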
diff --git a/tests/end_to_end/basic_cases/test_fim/test_fim_linux/test_fim_linux.py b/tests/end_to_end/basic_cases/test_fim/test_fim_linux/test_fim_linux.py index d483f4161c..6e3fe7cce7 100644 --- a/tests/end_to_end/basic_cases/test_fim/test_fim_linux/test_fim_linux.py +++ b/tests/end_to_end/basic_cases/test_fim/test_fim_linux/test_fim_linux.py @@ -1,3 +1,42 @@ +''' +copyright: Copyright (C) 2015-2022, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: end_to_end + +brief: This test will verify that File Integrity Monitoring is working correctly. File Integrity Monitoring (FIM) system + watches for modifying files in the monitored directories. Then FIM triggers alerts when these files are modified. + Additionally, it enriches alert data by fetching information about the user who made the changes and the process + at play. + +components: + - fim + +targets: + - manager + - agent + +daemons: + - wazuh-syscheckd + - wazuh-analysisd + +os_platform: + - linux + +os_version: + - CentOS 8 + +references: + - https://github.com/wazuh/wazuh-automation/wiki/Wazuh-demo:-Execution-guide#-fim + - https://documentation.wazuh.com/current/proof-of-concept-guide/poc-file-integrity-monitoring.html + +tags: + - demo + - fim +''' import os import json import re 
@@ -21,9 +60,44 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) def test_fim_linux(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): - """ - Test to scanning a file in Linux using FIM - """ + ''' + description: Check that an alert is generated and indexed for FIM events. + + test_phases: + - Set a custom Wazuh configuration. + - Create, modify and delete a file to generate event. + - Check in the alerts.json log that the expected alert has been triggered and get its timestamp. + - Check that the obtained alert from alerts.json has been indexed. + + wazuh_min_version: 4.4.0 + + tier: 0 + + parameters: + - configurate_environment: + type: fixture + brief: Set the wazuh configuration according to the configuration playbook. + - metadata: + type: dict + brief: Wazuh configuration metadata. + - get_dashboard_credentials: + type: fixture + brief: Get the wazuh dashboard credentials. + - generate_events: + type: fixture + brief: Generate events that will trigger the alert according to the generate_events playbook. + - clean_alerts_index: + type: fixture + brief: Delete obtained alerts.json and alerts index. + + assertions: + - Verify that the alert has been triggered. + - Verify that the same alert has been indexed. + + input_description: + - The `configuration.yaml` file provides the module configuration for this test. + - The `generate_events.yaml`file provides the function configuration for this test. + ''' rule_id = metadata['rule.id'] rule_level = metadata['rule.level'] rule_description = metadata['rule.description'] diff --git a/tests/end_to_end/basic_cases/test_fim/test_fim_windows/test_fim_windows.py b/tests/end_to_end/basic_cases/test_fim/test_fim_windows/test_fim_windows.py index 249e09b2a7..c271a7117a 100644 --- a/tests/end_to_end/basic_cases/test_fim/test_fim_windows/test_fim_windows.py 
+++ b/tests/end_to_end/basic_cases/test_fim/test_fim_windows/test_fim_windows.py @@ -1,3 +1,44 @@ +''' +copyright: Copyright (C) 2015-2022, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: end_to_end + +brief: This test will verify that File Integrity Monitoring is working correctly. File Integrity Monitoring (FIM) system + watches for modifying files in the monitored directories. Then FIM triggers alerts when these files are modified. + Additionally, it enriches alert data by fetching information about the user who made the changes and the process + at play. + +components: + - fim + +targets: + - manager + - agent + +daemons: + - wazuh-syscheckd + - wazuh-analysisd + +os_platform: + - linux + - windows + +os_version: + - CentOS 8 + - Windows Sever 2019 + +references: + - https://github.com/wazuh/wazuh-automation/wiki/Wazuh-demo:-Execution-guide#-fim + - https://documentation.wazuh.com/current/proof-of-concept-guide/poc-file-integrity-monitoring.html + +tags: + - demo + - fim +''' import os import json import re 
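Review bot: `os_version` lists `Windows Sever 2019`, a misspelling of `Windows Server 2019` as written in the brute force RDP header. The vulnerability detector windows header in the next commit uses a third form, `Windows 2019`; if qa-docs validates these values against `schema.yaml`, the three spellings will not be treated as the same platform, so one form should be used in every header.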
@@ -21,9 +62,44 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) def test_fim_windows(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): - """ - Test to scanning a file in Windows using FIM - """ + ''' + description: Check that an alert is generated and indexed for FIM events. + + test_phases: + - Set a custom Wazuh configuration. + - Create, modify and delete a file to generate event. + - Check in the alerts.json log that the expected alert has been triggered and get its timestamp. + - Check that the obtained alert from alerts.json has been indexed. + + wazuh_min_version: 4.4.0 + + tier: 0 + + parameters: + - configurate_environment: + type: fixture + brief: Set the wazuh configuration according to the configuration playbook. + - metadata: + type: dict + brief: Wazuh configuration metadata. + - get_dashboard_credentials: + type: fixture + brief: Get the wazuh dashboard credentials. + - generate_events: + type: fixture + brief: Generate events that will trigger the alert according to the generate_events playbook. + - clean_alerts_index: + type: fixture + brief: Delete obtained alerts.json and alerts index. + + assertions: + - Verify that the alert has been triggered. + - Verify that the same alert has been indexed. + + input_description: + - The `configuration.yaml` file provides the module configuration for this test. + - The `generate_events.yaml`file provides the function configuration for this test. + ''' rule_id = metadata['rule.id'] rule_level = metadata['rule.level'] rule_description = metadata['rule.description'] From 6ac4e95ffd42fda9d8ed98341f976813823204d7 Mon Sep 17 00:00:00 2001 
From: Julia Date: Thu, 18 Aug 2022 12:27:10 +0200 Subject: [PATCH 392/552] add: Add Vulnerability Detector documentation --- .../test_vulnerability_detector_linux.py | 83 +++++++++++++++++- .../test_vulnerability_detection_windows.py | 84 ++++++++++++++++++- 2 files changed, 161 insertions(+), 6 deletions(-) diff --git a/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py b/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py index 57703bdd01..384fdbdfca 100644 --- a/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py +++ b/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py 
@@ -1,3 +1,45 @@ +''' +copyright: Copyright (C) 2015-2022, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: end_to_end + +brief: This test will verify that Vulnerability Detector is working correctly. To be able to detect vulnerabilities, +agents can natively collect a list of installed applications (System inventory), sending it periodically to the manager +(where it is stored in local SQLite databases, one per agent). Also, the manager builds a global vulnerability database +from publicly available CVE repositories, using it later to cross-correlate this information with the agent's +applications inventory data. + +components: + - vulnerability_detector + +targets: + - manager + - agent + +daemons: + - wazuh-modulesd + - wazuh-db + - wazuh-analysisd + +os_platform: + - linux + +os_version: + - CentOS 8 + - Ubuntu Focal + +references: + - https://github.com/wazuh/wazuh-automation/wiki/Wazuh-demo:-Execution-guide#vulnerability_detector + - https://documentation.wazuh.com/current/proof-of-concept-guide/poc-vulnerability-detection.html + +tags: + - demo + - vulnerability_detector +''' import os import json import re 
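Review bot: The four continuation lines of `brief:` (`agents can natively ...` through `applications inventory data.`) appear to start at column 0, whereas every other header in this series indents continuation lines under the key (see the fim headers). If the docstring header is parsed as YAML, as the `schema.yaml` predefined values suggest, a plain scalar continued at the parent key's indentation is not valid and the block will likely fail to parse; indenting those four lines the same way as the `brief:` continuation in the fim header fixes it. The vulnerability detector windows header has the same column-0 lines.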
@@ -26,9 +68,44 @@ @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) def test_vulnerability_detector_linux(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): - """ - Test to detect a vulnerability - """ + ''' + description: Check that an alert is generated and indexed when a vulnerable package is present. + + test_phases: + - Set a custom Wazuh configuration. + - Install a vulnerable package to generate event. + - Check in the alerts.json log that the expected alert has been triggered and get its timestamp. + - Check that the obtained alert from alerts.json has been indexed. + + wazuh_min_version: 4.4.0 + + tier: 0 + + parameters: + - configurate_environment: + type: fixture + brief: Set the wazuh configuration according to the configuration playbook. + - metadata: + type: dict + brief: Wazuh configuration metadata. + - get_dashboard_credentials: + type: fixture + brief: Get the wazuh dashboard credentials. + - generate_events: + type: fixture + brief: Generate events that will trigger the alert according to the generate_events playbook. + - clean_alerts_index: + type: fixture + brief: Delete obtained alerts.json and alerts index. + + assertions: + - Verify that the alert has been triggered. + - Verify that the same alert has been indexed. + + input_description: + - The `configuration.yaml` file provides the module configuration for this test. + - The `generate_events.yaml`file provides the function configuration for this test. + ''' rule_level = metadata['rule.level'] rule_id = metadata['rule.id'] rule_description = metadata['rule.description'] diff --git a/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py b/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py index 143381f6f4..8db07a6db5 100644 
--- a/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py +++ b/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py @@ -1,3 +1,46 @@ +''' +copyright: Copyright (C) 2015-2022, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: end_to_end + +brief: This test will verify that Vulnerability Detector is working correctly. To be able to detect vulnerabilities, +agents can natively collect a list of installed applications (System inventory), sending it periodically to the manager +(where it is stored in local SQLite databases, one per agent). Also, the manager builds a global vulnerability database +from publicly available CVE repositories, using it later to cross-correlate this information with the agent's +applications inventory data. + +components: + - vulnerability_detector + +targets: + - manager + - agent + +daemons: + - wazuh-modulesd + - wazuh-db + - wazuh-analysisd + +os_platform: + - linux + - windows + +os_version: + - CentOS 8 + - Windows 2019 + +references: + - https://github.com/wazuh/wazuh-automation/wiki/Wazuh-demo:-Execution-guide#vulnerability_detector + - https://documentation.wazuh.com/current/proof-of-concept-guide/poc-vulnerability-detection.html + +tags: + - demo + - vulnerability_detector +''' import os import json import re 
@@ -26,9 +69,44 @@ @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) def test_vulnerability_detector_windows(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): - """ - Test to detect a vulnerability - """ + ''' + description: Check that an alert is generated and indexed when a vulnerable package is present. + + test_phases: + - Set a custom Wazuh configuration. + - Install a vulnerable package to generate event. + - Check in the alerts.json log that the expected alert has been triggered and get its timestamp. + - Check that the obtained alert from alerts.json has been indexed. + + wazuh_min_version: 4.4.0 + + tier: 0 + + parameters: + - configurate_environment: + type: fixture + brief: Set the wazuh configuration according to the configuration playbook. + - metadata: + type: dict + brief: Wazuh configuration metadata. + - get_dashboard_credentials: + type: fixture + brief: Get the wazuh dashboard credentials. + - generate_events: + type: fixture + brief: Generate events that will trigger the alert according to the generate_events playbook. + - clean_alerts_index: + type: fixture + brief: Delete obtained alerts.json and alerts index. + + assertions: + - Verify that the alert has been triggered. + - Verify that the same alert has been indexed. + + input_description: + - The `configuration.yaml` file provides the module configuration for this test. + - The `generate_events.yaml`file provides the function configuration for this test. + ''' rule_level = metadata['rule.level'] rule_id = metadata['rule.id'] rule_description = metadata['rule.description'] From a7aacddba1bd55bc45b5a629368c2509348942bd Mon Sep 17 00:00:00 2001 
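Review bot: The docstring parameter `configurate_environment` does not match the fixture `configure_environment` taken by `def test_vulnerability_detector_windows(...)` in the same hunk; it should be `- configure_environment:` (the same mismatch appears in the Linux counterpart, so both should be fixed together). `The \`generate_events.yaml\`file` needs a space before `file`. Because the test installs a vulnerable package on the Windows agent, the `input_description` should also name the `teardown.yaml` playbook listed for this test elsewhere on the page, e.g. `- The \`teardown.yaml\` file restores the environment after the test.` — assuming that is its role. The function body continues outside the hunk; only the three `metadata[...]` reads are visible.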
From: Julia Date: Thu, 18 Aug 2022 12:28:50 +0200 Subject: [PATCH 393/552] fix: Rename `basic_cases` folder to `test_basic_cases` --- .../test_audit/data/playbooks/configuration.yaml | 0 .../test_audit/data/playbooks/generate_events.yaml | 0 .../test_audit/data/playbooks/teardown.yaml | 0 .../test_audit/data/test_cases/cases_audit.yaml | 0 .../{basic_cases => test_basic_cases}/test_audit/test_audit.py | 0 .../data/configuration/aws_cloudtrail_event.py | 0 .../data/playbooks/configuration.yaml | 0 .../data/playbooks/generate_events.yaml | 0 .../data/playbooks/teardown.yaml | 0 .../data/test_cases/cases_aws_infrastructure_monitoring.yaml | 0 .../test_aws_infrastructure_monitoring.py | 0 .../test_brute_force_rdp/data/playbooks/configuration.yaml | 0 .../test_brute_force_rdp/data/playbooks/generate_events.yaml | 0 .../data/test_cases/cases_brute_force_rdp.yaml | 0 .../test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py | 0 .../test_brute_force_ssh/data/playbooks/generate_events.yaml | 0 .../data/test_cases/cases_brute_force_ssh.yaml | 0 .../test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py | 0 .../data/configuration/trojan_script.sh | 0 .../data/playbooks/configuration.yaml | 0 .../data/playbooks/generate_events.yaml | 0 .../data/playbooks/teardown.yaml | 0 .../data/test_cases/cases_detecting_suspicious_binaries.yaml | 0 .../test_detecting_suspicious_binaries.py | 0 .../test_docker_monitoring/data/playbooks/configuration.yaml | 0 .../test_docker_monitoring/data/playbooks/generate_events.yaml | 0 .../test_docker_monitoring/data/playbooks/teardown.yaml | 0 .../data/test_cases/cases_docker_monitoring.yaml | 0 .../test_docker_monitoring/test_docker_monitoring.py | 0 .../test_emotet/data/playbooks/configuration.yaml | 0 .../test_emotet/data/playbooks/generate_events.yaml | 0 .../test_emotet/data/playbooks/teardown.yaml | 0 .../test_emotet/data/test_cases/cases_emotet.yaml | 0 .../{basic_cases => test_basic_cases}/test_emotet/test_emotet.py | 0 
.../test_fim/test_fim_linux/data/playbooks/configuration.yaml | 0 .../test_fim/test_fim_linux/data/playbooks/generate_events.yaml | 0 .../test_fim/test_fim_linux/data/playbooks/teardown.yaml | 0 .../test_fim/test_fim_linux/data/test_cases/cases_fim_linux.yaml | 0 .../test_fim/test_fim_linux/test_fim_linux.py | 0 .../test_fim/test_fim_windows/data/playbooks/configuration.yaml | 0 .../test_fim/test_fim_windows/data/playbooks/generate_events.yaml | 0 .../test_fim/test_fim_windows/data/playbooks/teardown.yaml | 0 .../test_fim_windows/data/test_cases/cases_fim_windows.yaml | 0 .../test_fim/test_fim_windows/test_fim_windows.py | 0 .../test_ip_reputation/data/playbooks/configuration.yaml | 0 .../test_ip_reputation/data/playbooks/generate_events.yaml | 0 .../test_ip_reputation/data/playbooks/teardown.yaml | 0 .../test_ip_reputation/data/test_cases/cases_ip_reputation.yaml | 0 .../test_ip_reputation/test_ip_reputation.py | 0 .../data/configuration/osquery_integration.json | 0 .../test_osquery_integration/data/playbooks/configuration.yaml | 0 .../test_osquery_integration/data/playbooks/generate_events.yaml | 0 .../test_osquery_integration/data/playbooks/teardown.yaml | 0 .../data/test_cases/cases_osquery_integration.yaml | 0 .../test_osquery_integration/test_osquery_integration.py | 0 .../data/playbooks/configuration.yaml | 0 .../data/playbooks/generate_events.yaml | 0 .../test_shellshock_attack_detection/data/playbooks/teardown.yaml | 0 .../data/test_cases/cases_shellshock_attack_detection.yaml | 0 .../test_shellshock_attack_detection.py | 0 .../test_slack_integration/data/configuration/slack_api_script.py | 0 .../test_slack_integration/data/playbooks/configuration.yaml | 0 .../test_slack_integration/data/playbooks/generate_events.yaml | 0 .../test_slack_integration/data/playbooks/teardown.yaml | 0 .../data/test_cases/cases_slack_integration.yaml | 0 .../test_slack_integration/test_slack_integration.py | 0 .../test_sql_injection/data/playbooks/configuration.yaml | 0 
.../test_sql_injection/data/playbooks/generate_events.yaml | 0 .../test_sql_injection/data/playbooks/teardown.yaml | 0 .../test_sql_injection/data/test_cases/cases_sql_injection.yaml | 0 .../test_sql_injection/test_sql_injection.py | 0 .../test_suricata_integration/data/playbooks/configuration.yaml | 0 .../test_suricata_integration/data/playbooks/generate_events.yaml | 0 .../test_suricata_integration/data/playbooks/teardown.yaml | 0 .../data/test_cases/cases_suricata_integration.yaml | 0 .../test_suricata_integration/test_suricata_integration.py | 0 .../data/playbooks/configuration.yaml | 0 .../data/playbooks/generate_events.yaml | 0 .../data/playbooks/teardown.yaml | 0 .../data/test_cases/cases_unauthorized_processes_detection.yaml | 0 .../test_unauthorized_processes_detection.py | 0 .../data/active_response_script/remove-threat.sh | 0 .../test_virustotal_integration/data/playbooks/configuration.yaml | 0 .../data/playbooks/generate_events.yaml | 0 .../test_virustotal_integration/data/playbooks/teardown.yaml | 0 .../data/test_cases/cases_virustotal_integration.yaml | 0 .../test_virustotal_integration/test_virustotal_integration.py | 0 .../data/playbooks/configuration.yaml | 0 .../data/playbooks/generate_events.yaml | 0 .../data/playbooks/teardown.yaml | 0 .../data/test_cases/cases_vulnerability_detector_linux.yaml | 0 .../test_vulnerability_detector_linux.py | 0 .../data/playbooks/configuration.yaml | 0 .../data/playbooks/generate_events.yaml | 0 .../data/playbooks/teardown.yaml | 0 .../data/test_cases/cases_vulnerability_detector_windows.yaml | 0 .../test_vulnerability_detection_windows.py | 0 .../test_windows_defender/data/playbooks/configuration.yaml | 0 .../test_windows_defender/data/playbooks/generate_events.yaml | 0 .../test_windows_defender/data/playbooks/teardown.yaml | 0 .../data/test_cases/cases_windows_defender.yaml | 0 .../test_windows_defender/test_windows_defender.py | 0 .../test_yara_integration/data/configuration/yara.sh | 0 
.../test_yara_integration/data/playbooks/configuration.yaml | 0 .../test_yara_integration/data/playbooks/generate_events.yaml | 0 .../test_yara_integration/data/playbooks/teardown.yaml | 0 .../data/test_cases/cases_yara_integration.yaml | 0 .../test_yara_integration/test_yara_integration.py | 0 108 files changed, 0 insertions(+), 0 deletions(-) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_audit/data/playbooks/configuration.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_audit/data/playbooks/generate_events.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_audit/data/playbooks/teardown.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_audit/data/test_cases/cases_audit.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_audit/test_audit.py (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_aws_infrastructure_monitoring/data/configuration/aws_cloudtrail_event.py (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_aws_infrastructure_monitoring/data/playbooks/teardown.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_aws_infrastructure_monitoring/data/test_cases/cases_aws_infrastructure_monitoring.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml (100%) rename 
tests/end_to_end/{basic_cases => test_basic_cases}/test_brute_force/test_brute_force_rdp/data/test_cases/cases_brute_force_rdp.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_brute_force/test_brute_force_ssh/data/test_cases/cases_brute_force_ssh.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_detecting_suspicious_binaries/data/configuration/trojan_script.sh (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_detecting_suspicious_binaries/data/playbooks/configuration.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_detecting_suspicious_binaries/data/playbooks/teardown.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_detecting_suspicious_binaries/data/test_cases/cases_detecting_suspicious_binaries.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_docker_monitoring/data/playbooks/configuration.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_docker_monitoring/data/playbooks/generate_events.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_docker_monitoring/data/playbooks/teardown.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_docker_monitoring/data/test_cases/cases_docker_monitoring.yaml 
(100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_docker_monitoring/test_docker_monitoring.py (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_emotet/data/playbooks/configuration.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_emotet/data/playbooks/generate_events.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_emotet/data/playbooks/teardown.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_emotet/data/test_cases/cases_emotet.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_emotet/test_emotet.py (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_fim/test_fim_linux/data/playbooks/configuration.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_fim/test_fim_linux/data/playbooks/generate_events.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_fim/test_fim_linux/data/playbooks/teardown.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_fim/test_fim_linux/data/test_cases/cases_fim_linux.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_fim/test_fim_linux/test_fim_linux.py (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_fim/test_fim_windows/data/playbooks/configuration.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_fim/test_fim_windows/data/playbooks/generate_events.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_fim/test_fim_windows/data/playbooks/teardown.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_fim/test_fim_windows/data/test_cases/cases_fim_windows.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_fim/test_fim_windows/test_fim_windows.py (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_ip_reputation/data/playbooks/configuration.yaml (100%) rename 
tests/end_to_end/{basic_cases => test_basic_cases}/test_ip_reputation/data/playbooks/generate_events.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_ip_reputation/data/playbooks/teardown.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_ip_reputation/data/test_cases/cases_ip_reputation.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_ip_reputation/test_ip_reputation.py (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_osquery_integration/data/configuration/osquery_integration.json (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_osquery_integration/data/playbooks/configuration.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_osquery_integration/data/playbooks/generate_events.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_osquery_integration/data/playbooks/teardown.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_osquery_integration/data/test_cases/cases_osquery_integration.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_osquery_integration/test_osquery_integration.py (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_shellshock_attack_detection/data/playbooks/configuration.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_shellshock_attack_detection/data/playbooks/generate_events.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_shellshock_attack_detection/data/playbooks/teardown.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_shellshock_attack_detection/data/test_cases/cases_shellshock_attack_detection.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_shellshock_attack_detection/test_shellshock_attack_detection.py (100%) rename tests/end_to_end/{basic_cases => 
test_basic_cases}/test_slack_integration/data/configuration/slack_api_script.py (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_slack_integration/data/playbooks/configuration.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_slack_integration/data/playbooks/generate_events.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_slack_integration/data/playbooks/teardown.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_slack_integration/data/test_cases/cases_slack_integration.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_slack_integration/test_slack_integration.py (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_sql_injection/data/playbooks/configuration.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_sql_injection/data/playbooks/generate_events.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_sql_injection/data/playbooks/teardown.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_sql_injection/data/test_cases/cases_sql_injection.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_sql_injection/test_sql_injection.py (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_suricata_integration/data/playbooks/configuration.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_suricata_integration/data/playbooks/generate_events.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_suricata_integration/data/playbooks/teardown.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_suricata_integration/data/test_cases/cases_suricata_integration.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_suricata_integration/test_suricata_integration.py (100%) rename tests/end_to_end/{basic_cases => 
test_basic_cases}/test_unauthorized_processes_detection/data/playbooks/configuration.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_unauthorized_processes_detection/data/playbooks/generate_events.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_unauthorized_processes_detection/data/playbooks/teardown.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_unauthorized_processes_detection/data/test_cases/cases_unauthorized_processes_detection.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_unauthorized_processes_detection/test_unauthorized_processes_detection.py (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_virustotal_integration/data/active_response_script/remove-threat.sh (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_virustotal_integration/data/playbooks/configuration.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_virustotal_integration/data/playbooks/generate_events.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_virustotal_integration/data/playbooks/teardown.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_virustotal_integration/data/test_cases/cases_virustotal_integration.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_virustotal_integration/test_virustotal_integration.py (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/configuration.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/teardown.yaml (100%) rename tests/end_to_end/{basic_cases => 
test_basic_cases}/test_vulnerability_detector/test_vulnerability_detector_linux/data/test_cases/cases_vulnerability_detector_linux.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/configuration.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/generate_events.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/teardown.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_vulnerability_detector/test_vulnerability_detector_windows/data/test_cases/cases_vulnerability_detector_windows.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_windows_defender/data/playbooks/configuration.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_windows_defender/data/playbooks/generate_events.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_windows_defender/data/playbooks/teardown.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_windows_defender/data/test_cases/cases_windows_defender.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_windows_defender/test_windows_defender.py (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_yara_integration/data/configuration/yara.sh (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_yara_integration/data/playbooks/configuration.yaml (100%) rename 
tests/end_to_end/{basic_cases => test_basic_cases}/test_yara_integration/data/playbooks/generate_events.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_yara_integration/data/playbooks/teardown.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_yara_integration/data/test_cases/cases_yara_integration.yaml (100%) rename tests/end_to_end/{basic_cases => test_basic_cases}/test_yara_integration/test_yara_integration.py (100%) diff --git a/tests/end_to_end/basic_cases/test_audit/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/configuration.yaml similarity index 100% rename from tests/end_to_end/basic_cases/test_audit/data/playbooks/configuration.yaml rename to tests/end_to_end/test_basic_cases/test_audit/data/playbooks/configuration.yaml diff --git a/tests/end_to_end/basic_cases/test_audit/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/generate_events.yaml similarity index 100% rename from tests/end_to_end/basic_cases/test_audit/data/playbooks/generate_events.yaml rename to tests/end_to_end/test_basic_cases/test_audit/data/playbooks/generate_events.yaml diff --git a/tests/end_to_end/basic_cases/test_audit/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/teardown.yaml similarity index 100% rename from tests/end_to_end/basic_cases/test_audit/data/playbooks/teardown.yaml rename to tests/end_to_end/test_basic_cases/test_audit/data/playbooks/teardown.yaml diff --git a/tests/end_to_end/basic_cases/test_audit/data/test_cases/cases_audit.yaml b/tests/end_to_end/test_basic_cases/test_audit/data/test_cases/cases_audit.yaml similarity index 100% rename from tests/end_to_end/basic_cases/test_audit/data/test_cases/cases_audit.yaml rename to tests/end_to_end/test_basic_cases/test_audit/data/test_cases/cases_audit.yaml 
diff --git a/tests/end_to_end/basic_cases/test_audit/test_audit.py b/tests/end_to_end/test_basic_cases/test_audit/test_audit.py similarity index 100% rename from tests/end_to_end/basic_cases/test_audit/test_audit.py rename to tests/end_to_end/test_basic_cases/test_audit/test_audit.py diff --git a/tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/data/configuration/aws_cloudtrail_event.py b/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/configuration/aws_cloudtrail_event.py similarity index 100% rename from tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/data/configuration/aws_cloudtrail_event.py rename to tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/configuration/aws_cloudtrail_event.py diff --git a/tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml similarity index 100% rename from tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml rename to tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml diff --git a/tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml similarity index 100% rename from tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml rename to tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml 
diff --git a/tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/teardown.yaml similarity index 100% rename from tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/data/playbooks/teardown.yaml rename to tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/teardown.yaml diff --git a/tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/data/test_cases/cases_aws_infrastructure_monitoring.yaml b/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/test_cases/cases_aws_infrastructure_monitoring.yaml similarity index 100% rename from tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/data/test_cases/cases_aws_infrastructure_monitoring.yaml rename to tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/test_cases/cases_aws_infrastructure_monitoring.yaml diff --git a/tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py b/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py similarity index 100% rename from tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py rename to tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py diff --git a/tests/end_to_end/basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml similarity index 100% rename from tests/end_to_end/basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml rename to tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml 
diff --git a/tests/end_to_end/basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml similarity index 100% rename from tests/end_to_end/basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml rename to tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml diff --git a/tests/end_to_end/basic_cases/test_brute_force/test_brute_force_rdp/data/test_cases/cases_brute_force_rdp.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/test_cases/cases_brute_force_rdp.yaml similarity index 100% rename from tests/end_to_end/basic_cases/test_brute_force/test_brute_force_rdp/data/test_cases/cases_brute_force_rdp.yaml rename to tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/test_cases/cases_brute_force_rdp.yaml diff --git a/tests/end_to_end/basic_cases/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py similarity index 100% rename from tests/end_to_end/basic_cases/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py rename to tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py diff --git a/tests/end_to_end/basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml similarity index 100% rename from tests/end_to_end/basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml rename to tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml 
diff --git a/tests/end_to_end/basic_cases/test_brute_force/test_brute_force_ssh/data/test_cases/cases_brute_force_ssh.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/test_cases/cases_brute_force_ssh.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_brute_force/test_brute_force_ssh/data/test_cases/cases_brute_force_ssh.yaml
rename to tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/test_cases/cases_brute_force_ssh.yaml
diff --git a/tests/end_to_end/basic_cases/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py
similarity index 100%
rename from tests/end_to_end/basic_cases/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py
rename to tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py
diff --git a/tests/end_to_end/basic_cases/test_detecting_suspicious_binaries/data/configuration/trojan_script.sh b/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/configuration/trojan_script.sh
similarity index 100%
rename from tests/end_to_end/basic_cases/test_detecting_suspicious_binaries/data/configuration/trojan_script.sh
rename to tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/configuration/trojan_script.sh
diff --git a/tests/end_to_end/basic_cases/test_detecting_suspicious_binaries/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/configuration.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_detecting_suspicious_binaries/data/playbooks/configuration.yaml
rename to tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/configuration.yaml
diff --git a/tests/end_to_end/basic_cases/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml
rename to tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml
diff --git a/tests/end_to_end/basic_cases/test_detecting_suspicious_binaries/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/teardown.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_detecting_suspicious_binaries/data/playbooks/teardown.yaml
rename to tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/teardown.yaml
diff --git a/tests/end_to_end/basic_cases/test_detecting_suspicious_binaries/data/test_cases/cases_detecting_suspicious_binaries.yaml b/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/test_cases/cases_detecting_suspicious_binaries.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_detecting_suspicious_binaries/data/test_cases/cases_detecting_suspicious_binaries.yaml
rename to tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/test_cases/cases_detecting_suspicious_binaries.yaml
diff --git a/tests/end_to_end/basic_cases/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py b/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py
similarity index 100%
rename from tests/end_to_end/basic_cases/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py
rename to tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py
diff --git a/tests/end_to_end/basic_cases/test_docker_monitoring/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/configuration.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_docker_monitoring/data/playbooks/configuration.yaml
rename to tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/configuration.yaml
diff --git a/tests/end_to_end/basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml
rename to tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml
diff --git a/tests/end_to_end/basic_cases/test_docker_monitoring/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/teardown.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_docker_monitoring/data/playbooks/teardown.yaml
rename to tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/teardown.yaml
diff --git a/tests/end_to_end/basic_cases/test_docker_monitoring/data/test_cases/cases_docker_monitoring.yaml b/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/test_cases/cases_docker_monitoring.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_docker_monitoring/data/test_cases/cases_docker_monitoring.yaml
rename to tests/end_to_end/test_basic_cases/test_docker_monitoring/data/test_cases/cases_docker_monitoring.yaml
diff --git a/tests/end_to_end/basic_cases/test_docker_monitoring/test_docker_monitoring.py b/tests/end_to_end/test_basic_cases/test_docker_monitoring/test_docker_monitoring.py
similarity index 100%
rename from tests/end_to_end/basic_cases/test_docker_monitoring/test_docker_monitoring.py
rename to tests/end_to_end/test_basic_cases/test_docker_monitoring/test_docker_monitoring.py
diff --git a/tests/end_to_end/basic_cases/test_emotet/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/configuration.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_emotet/data/playbooks/configuration.yaml
rename to tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/configuration.yaml
diff --git a/tests/end_to_end/basic_cases/test_emotet/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/generate_events.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_emotet/data/playbooks/generate_events.yaml
rename to tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/generate_events.yaml
diff --git a/tests/end_to_end/basic_cases/test_emotet/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/teardown.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_emotet/data/playbooks/teardown.yaml
rename to tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/teardown.yaml
diff --git a/tests/end_to_end/basic_cases/test_emotet/data/test_cases/cases_emotet.yaml b/tests/end_to_end/test_basic_cases/test_emotet/data/test_cases/cases_emotet.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_emotet/data/test_cases/cases_emotet.yaml
rename to tests/end_to_end/test_basic_cases/test_emotet/data/test_cases/cases_emotet.yaml
diff --git a/tests/end_to_end/basic_cases/test_emotet/test_emotet.py b/tests/end_to_end/test_basic_cases/test_emotet/test_emotet.py
similarity index 100%
rename from tests/end_to_end/basic_cases/test_emotet/test_emotet.py
rename to tests/end_to_end/test_basic_cases/test_emotet/test_emotet.py
diff --git a/tests/end_to_end/basic_cases/test_fim/test_fim_linux/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/configuration.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_fim/test_fim_linux/data/playbooks/configuration.yaml
rename to tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/configuration.yaml
diff --git a/tests/end_to_end/basic_cases/test_fim/test_fim_linux/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/generate_events.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_fim/test_fim_linux/data/playbooks/generate_events.yaml
rename to tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/generate_events.yaml
diff --git a/tests/end_to_end/basic_cases/test_fim/test_fim_linux/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/teardown.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_fim/test_fim_linux/data/playbooks/teardown.yaml
rename to tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/teardown.yaml
diff --git a/tests/end_to_end/basic_cases/test_fim/test_fim_linux/data/test_cases/cases_fim_linux.yaml b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/test_cases/cases_fim_linux.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_fim/test_fim_linux/data/test_cases/cases_fim_linux.yaml
rename to tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/test_cases/cases_fim_linux.yaml
diff --git a/tests/end_to_end/basic_cases/test_fim/test_fim_linux/test_fim_linux.py b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/test_fim_linux.py
similarity index 100%
rename from tests/end_to_end/basic_cases/test_fim/test_fim_linux/test_fim_linux.py
rename to tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/test_fim_linux.py
diff --git a/tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/configuration.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/playbooks/configuration.yaml
rename to tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/configuration.yaml
diff --git a/tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/generate_events.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/playbooks/generate_events.yaml
rename to tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/generate_events.yaml
diff --git a/tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/teardown.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/playbooks/teardown.yaml
rename to tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/teardown.yaml
diff --git a/tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/test_cases/cases_fim_windows.yaml b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/test_cases/cases_fim_windows.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/test_cases/cases_fim_windows.yaml
rename to tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/test_cases/cases_fim_windows.yaml
diff --git a/tests/end_to_end/basic_cases/test_fim/test_fim_windows/test_fim_windows.py b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/test_fim_windows.py
similarity index 100%
rename from tests/end_to_end/basic_cases/test_fim/test_fim_windows/test_fim_windows.py
rename to tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/test_fim_windows.py
diff --git a/tests/end_to_end/basic_cases/test_ip_reputation/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/configuration.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_ip_reputation/data/playbooks/configuration.yaml
rename to tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/configuration.yaml
diff --git a/tests/end_to_end/basic_cases/test_ip_reputation/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/generate_events.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_ip_reputation/data/playbooks/generate_events.yaml
rename to tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/generate_events.yaml
diff --git a/tests/end_to_end/basic_cases/test_ip_reputation/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/teardown.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_ip_reputation/data/playbooks/teardown.yaml
rename to tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/teardown.yaml
diff --git a/tests/end_to_end/basic_cases/test_ip_reputation/data/test_cases/cases_ip_reputation.yaml b/tests/end_to_end/test_basic_cases/test_ip_reputation/data/test_cases/cases_ip_reputation.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_ip_reputation/data/test_cases/cases_ip_reputation.yaml
rename to tests/end_to_end/test_basic_cases/test_ip_reputation/data/test_cases/cases_ip_reputation.yaml
diff --git a/tests/end_to_end/basic_cases/test_ip_reputation/test_ip_reputation.py b/tests/end_to_end/test_basic_cases/test_ip_reputation/test_ip_reputation.py
similarity index 100%
rename from tests/end_to_end/basic_cases/test_ip_reputation/test_ip_reputation.py
rename to tests/end_to_end/test_basic_cases/test_ip_reputation/test_ip_reputation.py
diff --git a/tests/end_to_end/basic_cases/test_osquery_integration/data/configuration/osquery_integration.json b/tests/end_to_end/test_basic_cases/test_osquery_integration/data/configuration/osquery_integration.json
similarity index 100%
rename from tests/end_to_end/basic_cases/test_osquery_integration/data/configuration/osquery_integration.json
rename to tests/end_to_end/test_basic_cases/test_osquery_integration/data/configuration/osquery_integration.json
diff --git a/tests/end_to_end/basic_cases/test_osquery_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/configuration.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_osquery_integration/data/playbooks/configuration.yaml
rename to tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/configuration.yaml
diff --git a/tests/end_to_end/basic_cases/test_osquery_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/generate_events.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_osquery_integration/data/playbooks/generate_events.yaml
rename to tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/generate_events.yaml
diff --git a/tests/end_to_end/basic_cases/test_osquery_integration/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/teardown.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_osquery_integration/data/playbooks/teardown.yaml
rename to tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/teardown.yaml
diff --git a/tests/end_to_end/basic_cases/test_osquery_integration/data/test_cases/cases_osquery_integration.yaml b/tests/end_to_end/test_basic_cases/test_osquery_integration/data/test_cases/cases_osquery_integration.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_osquery_integration/data/test_cases/cases_osquery_integration.yaml
rename to tests/end_to_end/test_basic_cases/test_osquery_integration/data/test_cases/cases_osquery_integration.yaml
diff --git a/tests/end_to_end/basic_cases/test_osquery_integration/test_osquery_integration.py b/tests/end_to_end/test_basic_cases/test_osquery_integration/test_osquery_integration.py
similarity index 100%
rename from tests/end_to_end/basic_cases/test_osquery_integration/test_osquery_integration.py
rename to tests/end_to_end/test_basic_cases/test_osquery_integration/test_osquery_integration.py
diff --git a/tests/end_to_end/basic_cases/test_shellshock_attack_detection/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/configuration.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_shellshock_attack_detection/data/playbooks/configuration.yaml
rename to tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/configuration.yaml
diff --git a/tests/end_to_end/basic_cases/test_shellshock_attack_detection/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/generate_events.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_shellshock_attack_detection/data/playbooks/generate_events.yaml
rename to tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/generate_events.yaml
diff --git a/tests/end_to_end/basic_cases/test_shellshock_attack_detection/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/teardown.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_shellshock_attack_detection/data/playbooks/teardown.yaml
rename to tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/teardown.yaml
diff --git a/tests/end_to_end/basic_cases/test_shellshock_attack_detection/data/test_cases/cases_shellshock_attack_detection.yaml b/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/test_cases/cases_shellshock_attack_detection.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_shellshock_attack_detection/data/test_cases/cases_shellshock_attack_detection.yaml
rename to tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/test_cases/cases_shellshock_attack_detection.yaml
diff --git a/tests/end_to_end/basic_cases/test_shellshock_attack_detection/test_shellshock_attack_detection.py b/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/test_shellshock_attack_detection.py
similarity index 100%
rename from tests/end_to_end/basic_cases/test_shellshock_attack_detection/test_shellshock_attack_detection.py
rename to tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/test_shellshock_attack_detection.py
diff --git a/tests/end_to_end/basic_cases/test_slack_integration/data/configuration/slack_api_script.py b/tests/end_to_end/test_basic_cases/test_slack_integration/data/configuration/slack_api_script.py
similarity index 100%
rename from tests/end_to_end/basic_cases/test_slack_integration/data/configuration/slack_api_script.py
rename to tests/end_to_end/test_basic_cases/test_slack_integration/data/configuration/slack_api_script.py
diff --git a/tests/end_to_end/basic_cases/test_slack_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_slack_integration/data/playbooks/configuration.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_slack_integration/data/playbooks/configuration.yaml
rename to tests/end_to_end/test_basic_cases/test_slack_integration/data/playbooks/configuration.yaml
diff --git a/tests/end_to_end/basic_cases/test_slack_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_slack_integration/data/playbooks/generate_events.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_slack_integration/data/playbooks/generate_events.yaml
rename to tests/end_to_end/test_basic_cases/test_slack_integration/data/playbooks/generate_events.yaml
diff --git a/tests/end_to_end/basic_cases/test_slack_integration/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_slack_integration/data/playbooks/teardown.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_slack_integration/data/playbooks/teardown.yaml
rename to tests/end_to_end/test_basic_cases/test_slack_integration/data/playbooks/teardown.yaml
diff --git a/tests/end_to_end/basic_cases/test_slack_integration/data/test_cases/cases_slack_integration.yaml b/tests/end_to_end/test_basic_cases/test_slack_integration/data/test_cases/cases_slack_integration.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_slack_integration/data/test_cases/cases_slack_integration.yaml
rename to tests/end_to_end/test_basic_cases/test_slack_integration/data/test_cases/cases_slack_integration.yaml
diff --git a/tests/end_to_end/basic_cases/test_slack_integration/test_slack_integration.py b/tests/end_to_end/test_basic_cases/test_slack_integration/test_slack_integration.py
similarity index 100%
rename from tests/end_to_end/basic_cases/test_slack_integration/test_slack_integration.py
rename to tests/end_to_end/test_basic_cases/test_slack_integration/test_slack_integration.py
diff --git a/tests/end_to_end/basic_cases/test_sql_injection/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_sql_injection/data/playbooks/configuration.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_sql_injection/data/playbooks/configuration.yaml
rename to tests/end_to_end/test_basic_cases/test_sql_injection/data/playbooks/configuration.yaml
diff --git a/tests/end_to_end/basic_cases/test_sql_injection/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_sql_injection/data/playbooks/generate_events.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_sql_injection/data/playbooks/generate_events.yaml
rename to tests/end_to_end/test_basic_cases/test_sql_injection/data/playbooks/generate_events.yaml
diff --git a/tests/end_to_end/basic_cases/test_sql_injection/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_sql_injection/data/playbooks/teardown.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_sql_injection/data/playbooks/teardown.yaml
rename to tests/end_to_end/test_basic_cases/test_sql_injection/data/playbooks/teardown.yaml
diff --git a/tests/end_to_end/basic_cases/test_sql_injection/data/test_cases/cases_sql_injection.yaml b/tests/end_to_end/test_basic_cases/test_sql_injection/data/test_cases/cases_sql_injection.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_sql_injection/data/test_cases/cases_sql_injection.yaml
rename to tests/end_to_end/test_basic_cases/test_sql_injection/data/test_cases/cases_sql_injection.yaml
diff --git a/tests/end_to_end/basic_cases/test_sql_injection/test_sql_injection.py b/tests/end_to_end/test_basic_cases/test_sql_injection/test_sql_injection.py
similarity index 100%
rename from tests/end_to_end/basic_cases/test_sql_injection/test_sql_injection.py
rename to tests/end_to_end/test_basic_cases/test_sql_injection/test_sql_injection.py
diff --git a/tests/end_to_end/basic_cases/test_suricata_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/configuration.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_suricata_integration/data/playbooks/configuration.yaml
rename to tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/configuration.yaml
diff --git a/tests/end_to_end/basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml
rename to tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml
diff --git a/tests/end_to_end/basic_cases/test_suricata_integration/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/teardown.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_suricata_integration/data/playbooks/teardown.yaml
rename to tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/teardown.yaml
diff --git a/tests/end_to_end/basic_cases/test_suricata_integration/data/test_cases/cases_suricata_integration.yaml b/tests/end_to_end/test_basic_cases/test_suricata_integration/data/test_cases/cases_suricata_integration.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_suricata_integration/data/test_cases/cases_suricata_integration.yaml
rename to tests/end_to_end/test_basic_cases/test_suricata_integration/data/test_cases/cases_suricata_integration.yaml
diff --git a/tests/end_to_end/basic_cases/test_suricata_integration/test_suricata_integration.py b/tests/end_to_end/test_basic_cases/test_suricata_integration/test_suricata_integration.py
similarity index 100%
rename from tests/end_to_end/basic_cases/test_suricata_integration/test_suricata_integration.py
rename to tests/end_to_end/test_basic_cases/test_suricata_integration/test_suricata_integration.py
diff --git a/tests/end_to_end/basic_cases/test_unauthorized_processes_detection/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/configuration.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_unauthorized_processes_detection/data/playbooks/configuration.yaml
rename to tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/configuration.yaml
diff --git a/tests/end_to_end/basic_cases/test_unauthorized_processes_detection/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/generate_events.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_unauthorized_processes_detection/data/playbooks/generate_events.yaml
rename to tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/generate_events.yaml
diff --git a/tests/end_to_end/basic_cases/test_unauthorized_processes_detection/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/teardown.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_unauthorized_processes_detection/data/playbooks/teardown.yaml
rename to tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/teardown.yaml
diff --git a/tests/end_to_end/basic_cases/test_unauthorized_processes_detection/data/test_cases/cases_unauthorized_processes_detection.yaml b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/test_cases/cases_unauthorized_processes_detection.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_unauthorized_processes_detection/data/test_cases/cases_unauthorized_processes_detection.yaml
rename to tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/test_cases/cases_unauthorized_processes_detection.yaml
diff --git a/tests/end_to_end/basic_cases/test_unauthorized_processes_detection/test_unauthorized_processes_detection.py b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/test_unauthorized_processes_detection.py
similarity index 100%
rename from tests/end_to_end/basic_cases/test_unauthorized_processes_detection/test_unauthorized_processes_detection.py
rename to tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/test_unauthorized_processes_detection.py
diff --git a/tests/end_to_end/basic_cases/test_virustotal_integration/data/active_response_script/remove-threat.sh b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/active_response_script/remove-threat.sh
similarity index 100%
rename from tests/end_to_end/basic_cases/test_virustotal_integration/data/active_response_script/remove-threat.sh
rename to tests/end_to_end/test_basic_cases/test_virustotal_integration/data/active_response_script/remove-threat.sh
diff --git a/tests/end_to_end/basic_cases/test_virustotal_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/configuration.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_virustotal_integration/data/playbooks/configuration.yaml
rename to tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/configuration.yaml
diff --git a/tests/end_to_end/basic_cases/test_virustotal_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/generate_events.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_virustotal_integration/data/playbooks/generate_events.yaml
rename to tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/generate_events.yaml
diff --git a/tests/end_to_end/basic_cases/test_virustotal_integration/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/teardown.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_virustotal_integration/data/playbooks/teardown.yaml
rename to tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/teardown.yaml
diff --git a/tests/end_to_end/basic_cases/test_virustotal_integration/data/test_cases/cases_virustotal_integration.yaml b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/test_cases/cases_virustotal_integration.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_virustotal_integration/data/test_cases/cases_virustotal_integration.yaml
rename to tests/end_to_end/test_basic_cases/test_virustotal_integration/data/test_cases/cases_virustotal_integration.yaml
diff --git a/tests/end_to_end/basic_cases/test_virustotal_integration/test_virustotal_integration.py b/tests/end_to_end/test_basic_cases/test_virustotal_integration/test_virustotal_integration.py
similarity index 100%
rename from tests/end_to_end/basic_cases/test_virustotal_integration/test_virustotal_integration.py
rename to tests/end_to_end/test_basic_cases/test_virustotal_integration/test_virustotal_integration.py
diff --git a/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/configuration.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/configuration.yaml
rename to tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/configuration.yaml
diff --git a/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml
rename to tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml
diff --git a/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/teardown.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/teardown.yaml
rename to tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/teardown.yaml
diff --git a/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/test_cases/cases_vulnerability_detector_linux.yaml b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/test_cases/cases_vulnerability_detector_linux.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/test_cases/cases_vulnerability_detector_linux.yaml
rename to tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/test_cases/cases_vulnerability_detector_linux.yaml
diff --git a/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py
similarity index 100%
rename from tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py
rename to tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py
diff --git a/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/configuration.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/configuration.yaml
rename to tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/configuration.yaml
diff --git a/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/generate_events.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/generate_events.yaml
rename to tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/generate_events.yaml
diff --git a/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/teardown.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/teardown.yaml
rename to tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/teardown.yaml
diff --git a/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/test_cases/cases_vulnerability_detector_windows.yaml b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/test_cases/cases_vulnerability_detector_windows.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/test_cases/cases_vulnerability_detector_windows.yaml
rename to tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/test_cases/cases_vulnerability_detector_windows.yaml
diff --git a/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py
similarity index 100%
rename from tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py
rename to tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py
diff --git a/tests/end_to_end/basic_cases/test_windows_defender/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_windows_defender/data/playbooks/configuration.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_windows_defender/data/playbooks/configuration.yaml
rename to tests/end_to_end/test_basic_cases/test_windows_defender/data/playbooks/configuration.yaml
diff --git a/tests/end_to_end/basic_cases/test_windows_defender/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_windows_defender/data/playbooks/generate_events.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_windows_defender/data/playbooks/generate_events.yaml
rename to tests/end_to_end/test_basic_cases/test_windows_defender/data/playbooks/generate_events.yaml
diff --git a/tests/end_to_end/basic_cases/test_windows_defender/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_windows_defender/data/playbooks/teardown.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_windows_defender/data/playbooks/teardown.yaml
rename to tests/end_to_end/test_basic_cases/test_windows_defender/data/playbooks/teardown.yaml
diff --git a/tests/end_to_end/basic_cases/test_windows_defender/data/test_cases/cases_windows_defender.yaml b/tests/end_to_end/test_basic_cases/test_windows_defender/data/test_cases/cases_windows_defender.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_windows_defender/data/test_cases/cases_windows_defender.yaml
rename to tests/end_to_end/test_basic_cases/test_windows_defender/data/test_cases/cases_windows_defender.yaml
diff --git a/tests/end_to_end/basic_cases/test_windows_defender/test_windows_defender.py b/tests/end_to_end/test_basic_cases/test_windows_defender/test_windows_defender.py
similarity index 100%
rename from tests/end_to_end/basic_cases/test_windows_defender/test_windows_defender.py
rename to tests/end_to_end/test_basic_cases/test_windows_defender/test_windows_defender.py
diff --git a/tests/end_to_end/basic_cases/test_yara_integration/data/configuration/yara.sh b/tests/end_to_end/test_basic_cases/test_yara_integration/data/configuration/yara.sh
similarity index 100%
rename from tests/end_to_end/basic_cases/test_yara_integration/data/configuration/yara.sh
rename to tests/end_to_end/test_basic_cases/test_yara_integration/data/configuration/yara.sh
diff --git a/tests/end_to_end/basic_cases/test_yara_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/configuration.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_yara_integration/data/playbooks/configuration.yaml
rename to tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/configuration.yaml
diff --git a/tests/end_to_end/basic_cases/test_yara_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/generate_events.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_yara_integration/data/playbooks/generate_events.yaml
rename to tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/generate_events.yaml
diff --git a/tests/end_to_end/basic_cases/test_yara_integration/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/teardown.yaml
similarity index 100%
rename from tests/end_to_end/basic_cases/test_yara_integration/data/playbooks/teardown.yaml
rename to tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/teardown.yaml
diff --git a/tests/end_to_end/basic_cases/test_yara_integration/data/test_cases/cases_yara_integration.yaml b/tests/end_to_end/test_basic_cases/test_yara_integration/data/test_cases/cases_yara_integration.yaml similarity index 100% rename from tests/end_to_end/basic_cases/test_yara_integration/data/test_cases/cases_yara_integration.yaml rename to tests/end_to_end/test_basic_cases/test_yara_integration/data/test_cases/cases_yara_integration.yaml diff --git a/tests/end_to_end/basic_cases/test_yara_integration/test_yara_integration.py b/tests/end_to_end/test_basic_cases/test_yara_integration/test_yara_integration.py similarity index 100% rename from tests/end_to_end/basic_cases/test_yara_integration/test_yara_integration.py rename to tests/end_to_end/test_basic_cases/test_yara_integration/test_yara_integration.py From 8f4b66f443fcdbf9f77b49d8f71d6f1e84ac4c61 Mon Sep 17 00:00:00 2001 From: Julia Date: Thu, 18 Aug 2022 12:42:17 +0200 Subject: [PATCH 394/552] fix: Fix some documentation errors --- .../test_fim/test_fim_windows/test_fim_windows.py | 2 +- .../test_unauthorized_processes_detection.py | 4 ++-- .../test_vulnerability_detector_linux.py | 8 ++++---- .../test_vulnerability_detection_windows.py | 10 +++++----- 4 files changed, 12 insertions(+), 12 deletions(-) diff --git a/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/test_fim_windows.py b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/test_fim_windows.py index c271a7117a..64d53ec075 100644 --- a/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/test_fim_windows.py +++ b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/test_fim_windows.py @@ -29,7 +29,7 @@ os_version: - CentOS 8 - - Windows Sever 2019 + - Windows Server 2019 references: - https://github.com/wazuh/wazuh-automation/wiki/Wazuh-demo:-Execution-guide#-fim 
diff --git a/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/test_unauthorized_processes_detection.py b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/test_unauthorized_processes_detection.py index d4da0abe02..e32dee3ab7 100644 --- a/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/test_unauthorized_processes_detection.py +++ b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/test_unauthorized_processes_detection.py @@ -18,7 +18,7 @@ - manager daemons: - - wazuh-logcolletor + - wazuh-logcollector - wazuh-analysisd os_platform: @@ -48,7 +48,7 @@ # Test cases data alerts_json = os.path.join(gettempdir(), 'alerts.json') test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') -test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_netcat.yaml') +test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_unauthorized_processes_detection.yaml') # Playbooks configuration_playbooks = ['configuration.yaml'] diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py index 384fdbdfca..b4c5e6bea3 100644 --- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py +++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py 
@@ -8,10 +8,10 @@ type: end_to_end brief: This test will verify that Vulnerability Detector is working correctly. To be able to detect vulnerabilities, -agents can natively collect a list of installed applications (System inventory), sending it periodically to the manager -(where it is stored in local SQLite databases, one per agent). Also, the manager builds a global vulnerability database -from publicly available CVE repositories, using it later to cross-correlate this information with the agent's -applications inventory data. + agents can natively collect a list of installed applications (System inventory), sending it periodically to the manager + (where it is stored in local SQLite databases, one per agent). Also, the manager builds a global vulnerability database + from publicly available CVE repositories, using it later to cross-correlate this information with the agent's + applications inventory data. components: - vulnerability_detector diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py index 8db07a6db5..6fab37a6af 100644 --- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py +++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py 
@@ -8,10 +8,10 @@ type: end_to_end brief: This test will verify that Vulnerability Detector is working correctly. To be able to detect vulnerabilities, -agents can natively collect a list of installed applications (System inventory), sending it periodically to the manager -(where it is stored in local SQLite databases, one per agent). Also, the manager builds a global vulnerability database -from publicly available CVE repositories, using it later to cross-correlate this information with the agent's -applications inventory data. + agents can natively collect a list of installed applications (System inventory), sending it periodically to the manager + (where it is stored in local SQLite databases, one per agent). Also, the manager builds a global vulnerability database + from publicly available CVE repositories, using it later to cross-correlate this information with the agent's + applications inventory data. components: - vulnerability_detector @@ -31,7 +31,7 @@ os_version: - CentOS 8 - - Windows 2019 + - Windows Server 2019 references: - https://github.com/wazuh/wazuh-automation/wiki/Wazuh-demo:-Execution-guide#vulnerability_detector From 952bebcec4b106ad56b8ec031b31cb4d8ae68ba9 Mon Sep 17 00:00:00 2001 From: Julia Date: Thu, 18 Aug 2022 13:30:33 +0200 Subject: [PATCH 395/552] add: Add README.md --- tests/end_to_end/README.md | 161 +++++++++++++++++++++++++++++++++++++ 1 file changed, 161 insertions(+) create mode 100644 tests/end_to_end/README.md diff --git a/tests/end_to_end/README.md b/tests/end_to_end/README.md new file mode 100644 index 0000000000..bc2eae0ce0 --- /dev/null +++ b/tests/end_to_end/README.md 
@@ -0,0 +1,161 @@ +# wazuh-qa + +Wazuh - Quality assurance automation templates + +## Setting up a test environment + +To run these tests we need to use a **Linux** machine and install the following tools: + +- [Ansible](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html) + +Then, you will need to have an inventory with the needed hosts and variables. For example: + +``` +managers: + hosts: + wazuh-manager: + ansible_host: + ansible_connection: ssh + ansible_user: + ansible_ssh_private_key_file: + ansible_python_interpreter: /usr/bin/python3 + dashboard_user: + dashboard_password: + +agents: + children: + linux-agents: + hosts: + ubuntu-agent: + ansible_host: + ansible_connection: ssh + ansible_user: + ansible_ssh_private_key_file: + ansible_python_interpreter: /usr/bin/python3 + centos-agent: + ansible_host: + ansible_connection: ssh + ansible_user: + ansible_ssh_private_key_file: + ansible_python_interpreter: /usr/bin/python3 + windows-agents: + hosts: + windows-agent: + ansible_host: + ansible_user: + ansible_password: + ansible_connection: winrm + ansible_winrm_server_cert_validation: ignore + ansible_winrm_transport: basic + ansible_winrm_port: 5985 (Only in local executions) + ansible_python_interpreter: C:\Users\vagrant\AppData\Local\Programs\Pyhton\Python39\python.exe + +all: + vars: + virustotal_key: + bucket_name: + aws_region: + aws_access_key_id: + aws_secret_access_key: + web_hook_url: + slack_token: + slack_channel: + s3_url: (Should be always present) + +``` + +Variables required by the tests: + +- **test_aws_infrastructure_monitoring**: + + bucket_name: + + aws_region: + + aws_access_key_id: + + aws_secret_access_key: + +- **test_slack_integration**: + + web_hook_url: + + slack_token: + + slack_channel: + +- **test_virustotal_integration**: + + virustotal_key: + +> Note: For the Emotet test, the Windows machine must have Office installed. 
+ +## E2E tests + +**DISCLAIMER:** this guide assumes you have a proper testing environment. If you do not, please check +our [testing environment guide](#setting-up-a-test-environment). + +Our newest integration tests are located in `wazuh-qa/tests/end_to_end/test_basic_cases`: + +- _test_audit_ +- _test_aws_infrastructure_monitoring_ +- _test_brute_force_ +- _test_detecting_suspicious_binaries_ +- _test_docker_monitoring_ +- _test_emotet_ +- _test_fim_ +- _test_ip_reputation_ +- _test_osquery_integration_ +- _test_shellshock_attack_detection_ +- _test_slack_integration_ +- _test_sql_injection_ +- _test_suricata_integration_ +- _test_unauthorized_processes_detection_ +- _test_virustotal_integration_ +- _test_vulnerability_detector_ +- _test_windows_defender_ +- _test_yara_integration_ + +Every group will have the following structure: + +```bash +├── test_ +│   ├── data +│   │   ├── playbooks +│   │   │   ├── .yaml +│   │   │   └── .yaml +│   │   ├── test_cases +│   │   │   └── .yaml +└── └── └── test_.py +``` + +Audit test structure example: + +```bash +test_basic_cases/ +└── test_audit/ + ├── data/ + │ ├── playbooks/ + │ │ ├── configuration.yaml + │ │ ├── generate_events.yaml + │ │ └── teardown.yaml + │ └── test_cases/ + │ └── cases_audit.yaml + └── test_audit.py +``` + +### Tests execution + +To execute these tests, we need to run the following command: + +``` +python -m pytest --inventory_path= +``` + +#### Audit tests examples + +```shell script +python3 -m pytest tests/end_to_end/test_basic_cases/test_audit/ --inventory_path=/home/juliamagan/Desktop/QA/2893/inventory.yml +======================================================================== test session starts ======================================================================== +platform linux -- Python 3.9.7, pytest-6.2.2, py-1.10.0, pluggy-0.13.1 +rootdir: /home/juliamagan/Desktop/QA/wazuh-qa +plugins: metadata-2.0.1, html-3.1.1, testinfra-5.0.0 +collected 1 item + 
+tests/end_to_end/test_basic_cases/test_audit/test_audit.py . [100%] + +======================================================================== 1 passed in 16.05s ========================================================================= + +``` From 2c92567c12d5a6cdd6d6f2220e40d630dfcfdd4c Mon Sep 17 00:00:00 2001 From: Julia Date: Thu, 18 Aug 2022 13:31:48 +0200 Subject: [PATCH 396/552] fix: Add `agent` to documentation --- .../test_unauthorized_processes_detection.py | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/test_unauthorized_processes_detection.py b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/test_unauthorized_processes_detection.py index e32dee3ab7..6efb8a713a 100644 --- a/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/test_unauthorized_processes_detection.py +++ b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/test_unauthorized_processes_detection.py @@ -16,6 +16,7 @@ targets: - manager + - agent daemons: - wazuh-logcollector From 4f7475cfd1b5bc2e2bf3a84181874acc38592415 Mon Sep 17 00:00:00 2001 From: Julia Date: Thu, 18 Aug 2022 14:06:38 +0200 Subject: [PATCH 397/552] fix: Fix linter errors --- deps/wazuh_testing/wazuh_testing/scripts/qa_docs.py | 7 +++---- .../test_vulnerability_detector_linux.py | 10 +++++----- .../test_vulnerability_detection_windows.py | 8 ++++---- 3 files changed, 12 insertions(+), 13 deletions(-) diff --git a/deps/wazuh_testing/wazuh_testing/scripts/qa_docs.py b/deps/wazuh_testing/wazuh_testing/scripts/qa_docs.py index c1e1935517..55eb94b052 100644 --- a/deps/wazuh_testing/wazuh_testing/scripts/qa_docs.py +++ b/deps/wazuh_testing/wazuh_testing/scripts/qa_docs.py 
@@ -150,7 +150,7 @@ def check_incompatible_parameters(parameters): parameters (argparse.Namespace): The parameters that the tool receives. """ default_run = parameters.test_types or parameters.test_components or parameters.test_suites or \ - parameters.test_modules + parameters.test_modules api_run = parameters.index_name or parameters.app_index_name or parameters.launching_index_name test_run = parameters.test_exist @@ -260,9 +260,8 @@ def check_incompatible_parameters(parameters): if parameters.check_doc: if not parameters.test_modules: - raise QAValueError('The --check-documentation option needs the modules to be checked. You must specify it by' - ' using -m.', - qadocs_logger.error) + raise QAValueError('The --check-documentation option needs the modules to be checked. You must specify it ' + 'by using -m.', qadocs_logger.error) qadocs_logger.debug('Parameters incompatibilities checked.') diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py index b4c5e6bea3..a942379e04 100644 --- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py +++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py 
@@ -8,10 +8,10 @@ type: end_to_end brief: This test will verify that Vulnerability Detector is working correctly. To be able to detect vulnerabilities, - agents can natively collect a list of installed applications (System inventory), sending it periodically to the manager - (where it is stored in local SQLite databases, one per agent). Also, the manager builds a global vulnerability database - from publicly available CVE repositories, using it later to cross-correlate this information with the agent's - applications inventory data. + agents can natively collect a list of installed applications (System inventory), sending it periodically to the + manager (where it is stored in local SQLite databases, one per agent). Also, the manager builds a global + vulnerability database from publicly available CVE repositories, using it later to cross-correlate this + information with the agent's applications inventory data. components: - vulnerability_detector @@ -67,7 +67,7 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) def test_vulnerability_detector_linux(configure_environment, metadata, get_dashboard_credentials, generate_events, - clean_alerts_index): + clean_alerts_index): ''' description: Check that an alert is generated and indexed when a vulnerable package is present. diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py index 6fab37a6af..8834e11514 100644 --- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py 
+++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py @@ -8,10 +8,10 @@ type: end_to_end brief: This test will verify that Vulnerability Detector is working correctly. To be able to detect vulnerabilities, - agents can natively collect a list of installed applications (System inventory), sending it periodically to the manager - (where it is stored in local SQLite databases, one per agent). Also, the manager builds a global vulnerability database - from publicly available CVE repositories, using it later to cross-correlate this information with the agent's - applications inventory data. + agents can natively collect a list of installed applications (System inventory), sending it periodically to the + manager (where it is stored in local SQLite databases, one per agent). Also, the manager builds a global + vulnerability database from publicly available CVE repositories, using it later to cross-correlate this + information with the agent's applications inventory data. components: - vulnerability_detector From 605842ea6458c0b258c01735e59263f66df5c8e1 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Thu, 18 Aug 2022 09:13:32 -0300 Subject: [PATCH 398/552] fix(#3142): check fixed and some other changes were made. --- tests/end_to_end/data/env_requirements.json | 256 +++++++++++++++--- .../tasks/check_supported_distro.yaml | 12 +- .../test_fim/data/playbooks/validation.yaml | 15 + 3 files changed, 241 insertions(+), 42 deletions(-) create mode 100644 tests/end_to_end/test_fim/data/playbooks/validation.yaml diff --git a/tests/end_to_end/data/env_requirements.json b/tests/end_to_end/data/env_requirements.json index 2325494b9d..10bc1694ac 100644 --- a/tests/end_to_end/data/env_requirements.json +++ b/tests/end_to_end/data/env_requirements.json 
@@ -1,62 +1,252 @@ { "test_audit": { - "manager": {"instances": 1, "distros": ["CentOS"]}, - "agent": {"instances": 0, "distros": [""]} + "manager": { + "instances": 1, + "distros": [ + "CentOS" + ] + }, + "agent": { + "instances": 0, + "distros": [] + } }, "test_aws_infrastructure_monitoring": { - "manager": {"instances": 1, "distros": ["CentOS"]}, - "agent": {"instances": 0, "distros": [""]} + "manager": { + "instances": 1, + "distros": [ + "CentOS" + ] + }, + "agent": { + "instances": 0, + "distros": [] + } }, "test_brute_force": { - "manager": {"instances": 1, "distros": ["CentOS"]}, - "agent": {"instances": 2, "distros": ["CentOS", "Windows"]} + "manager": { + "instances": 1, + "distros": [ + "CentOS" + ] + }, + "agent": { + "instances": 2, + "distros": [ + "CentOS", + "Windows" + ] + } }, "test_detecting_suspicious_binaries": { - "manager": {"instances": 1, "distros": ["CentOS"]}, - "agent": {"instances": 0, "distros": [""]} + "manager": { + "instances": 1, + "distros": [ + "CentOS" + ] + }, + "agent": { + "instances": 0, + "distros": [] + } }, "test_docker_monitoring": { - "manager": {"instances": 1, "distros": ["CentOS"]}, - "agent": {"instances": 0, "distros": [""]} + "manager": { + "instances": 1, + "distros": [ + "CentOS" + ] + }, + "agent": { + "instances": 0, + "distros": [] + } }, "test_emotet": { - "manager": {"instances": 1, "distros": ["CentOS"]}, - "agent": {"instances": 1, "distros": ["Windows"]} + "manager": { + "instances": 1, + "distros": [ + "CentOS" + ] + }, + "agent": { + "instances": 1, + "distros": [ + "Windows" + ] + } }, "test_fim": { - "manager": {"instances": 1, "distros": ["CentOS"]}, - "agent": {"instances": 2, "distros": ["CentOS", "Windows"]} + "manager": { + "instances": 1, + "distros": [ + "CentOS" + ] + }, + "agent": { + "instances": 2, + "distros": [ + "CentOS", + "Windows" + ] + } + }, + "test_ip_reputation": { + "manager": { + "instances": 1, + "distros": [ + "CentOS" + ] + }, + "agent": { + "instances": 1, + "distros": [ + 
"Windows" + ] + } }, "test_netcat": { - "manager": {"instances": 1, "distros": ["CentOS"]}, - "agent": {"instances": 1, "distros": [""]} + "manager": { + "instances": 1, + "distros": [ + "CentOS" + ] + }, + "agent": { + "instances": 1, + "distros": [ + "CentOS" + ] + } }, "test_osquery_integration": { - "manager": {"instances": 1, "distros": ["CentOS"]}, - "agent": {"instances": 0, "distros": [""]} + "manager": { + "instances": 1, + "distros": [ + "CentOS" + ] + }, + "agent": { + "instances": 0, + "distros": [] + } }, "test_shellshock_attack_detection": { - "manager": {"instances": 1, "distros": ["CentOS"]}, - "agent": {"instances": 0, "distros": [""]} + "manager": { + "instances": 1, + "distros": [ + "CentOS" + ] + }, + "agent": { + "instances": 0, + "distros": [] + } + }, + "test_slack_integration": { + "manager": { + "instances": 1, + "distros": [ + "CentOS" + ] + }, + "agent": { + "instances": 0, + "distros": [] + } }, "test_sql_injection": { - "manager": {"instances": 1, "distros": ["CentOS"]}, - "agent": {"instances": 1, "distros": [""]} + "manager": { + "instances": 1, + "distros": [ + "CentOS" + ] + }, + "agent": { + "instances": 1, + "distros": [ + "CentOS" + ] + } + }, + "test_suricata_integration": { + "manager": { + "instances": 1, + "distros": [ + "Ubuntu" + ] + }, + "agent": { + "instances": 0, + "distros": [] + } + }, + "test_virustotal_integration": { + "manager": { + "instances": 1, + "distros": [ + "CentOS" + ] + }, + "agent": { + "instances": 1, + "distros": [ + "CentOS" + ] + } }, - "test_virustotal": { - "manager": {"instances": 1, "distros": ["CentOS"]}, - "agent": {"instances": 1, "distros": [""]} + "test_vulnerability_detector_linux": { + "manager": { + "instances": 1, + "distros": [ + "CentOS" + ] + }, + "agent": { + "instances": 1, + "distros": [ + "Ubuntu" + ] + } }, - "test_vulnerability_detector": { - "manager": {"instances": 1, "distros": ["CentOS"]}, - "agent": {"instances": 2, "distros": [""]} + "test_vulnerability_detector_windows": 
{ + "manager": { + "instances": 1, + "distros": [ + "CentOS" + ] + }, + "agent": { + "instances": 1, + "distros": [ + "Windows" + ] + } }, "test_windows_defender": { - "manager": {"instances": 1, "distros": ["CentOS"]}, - "agent": {"instances": 1, "distros": [""]} + "manager": { + "instances": 1, + "distros": [ + "CentOS" + ] + }, + "agent": { + "instances": 1, + "distros": [ + "Windows" + ] + } }, "test_yara_integration": { - "manager": {"instances": 1, "distros": ["CentOS"]}, - "agent": {"instances": 0, "distros": [""]} + "manager": { + "instances": 1, + "distros": [ + "CentOS" + ] + }, + "agent": { + "instances": 0, + "distros": [] + } } -} \ No newline at end of file +} diff --git a/tests/end_to_end/roles/host_checker/tasks/check_supported_distro.yaml b/tests/end_to_end/roles/host_checker/tasks/check_supported_distro.yaml index dafecaae0f..ec0bff2209 100644 --- a/tests/end_to_end/roles/host_checker/tasks/check_supported_distro.yaml +++ b/tests/end_to_end/roles/host_checker/tasks/check_supported_distro.yaml @@ -9,16 +9,10 @@ name: service_controller tasks_from: get_installation_type -- debug: var=wazuh_info.stdout - -- debug: var=manager_distros - -- debug: var=agent_distros - - fail: msg: "{{ dist }} is not supported by this test: {{ manager_distros }}" - when: ('server' in wazuh_info.stdout and dist not in manager_distros) + when: (os == 'Linux' and 'server' in wazuh_info.stdout and dist not in manager_distros) - fail: - msg: "{{ dist }} is not supported by this test: {{ manager_distros }}" - when: ('agent' in wazuh_info.stdout and dist not in manager_distros) + msg: "{{ dist }} is not supported by this test: {{ agent_distros }}" + when: (os == 'Linux' and 'agent' in wazuh_info.stdout and dist not in agent_distros) diff --git a/tests/end_to_end/test_fim/data/playbooks/validation.yaml b/tests/end_to_end/test_fim/data/playbooks/validation.yaml new file mode 100644 index 0000000000..3d8e1158b0 --- /dev/null 
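Review bot: Gating both `fail` tasks on `os == 'Linux'` means a Windows host is never compared with `agent_distros`, so a suite whose agent list contains only Linux distros will accept a Windows agent silently instead of failing validation. The caller already sets `dist` to `'Windows'` for those hosts, so the comparison itself would work; if the gate exists because `wazuh_info` comes from a Linux-only `get_installation_type` task (not visible here), add a third check `- fail: msg: "{{ dist }} is not supported by this test: {{ agent_distros }}" when: os == 'Windows' and dist not in agent_distros`, otherwise drop the `os == 'Linux'` clause from both conditions. A one-line comment above the tasks stating why Windows is handled differently would also help, since the reason is not recoverable from the file. The role's earlier tasks (the `include_role` that produces `wazuh_info`) start before this hunk.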
+++ b/tests/end_to_end/test_fim/data/playbooks/validation.yaml @@ -0,0 +1,15 @@ +- name: Check supported distros + hosts: centos-manager*,centos-agent*,windows-agent* + any_errors_fatal: true + tasks: + + - name: Check if the host distribution is compatible + include_role: + name: host_checker + tasks_from: check_supported_distro + vars: + os: "{{ 'Windows' if ansible_os_family == 'Windows' else 'Linux' }}" + dist: "{{ ansible_distribution if ansible_os_family != 'Windows' else 'Windows' }}" + manager_distros: ['CentOS'] + agent_distros: ['CentOS', 'Windows'] + From 642e3bde77f70e0052f110bf6a27b96f2e97fbe3 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Thu, 18 Aug 2022 10:46:58 -0300 Subject: [PATCH 399/552] fix(#3142): test_fim_windows fixed. The alert timestamp was corrected to allow for negative and positive offsets. Timeout for a task has been removed because it already had an implicit timeout. --- .../test_fim_windows/data/playbooks/configuration.yaml | 1 - .../test_fim/test_fim_windows/test_fim_windows.py | 5 +++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/playbooks/configuration.yaml index a04a1e298e..44b5cda65e 100644 --- a/tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/playbooks/configuration.yaml +++ b/tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/playbooks/configuration.yaml @@ -28,4 +28,3 @@ win_wait_for: path: C:\Program Files (x86)\ossec-agent\ossec.log search_regex: File integrity monitoring real-time Whodata engine started. - timeout: 20 diff --git a/tests/end_to_end/basic_cases/test_fim/test_fim_windows/test_fim_windows.py b/tests/end_to_end/basic_cases/test_fim/test_fim_windows/test_fim_windows.py index 249e09b2a7..186e109298 100644 --- a/tests/end_to_end/basic_cases/test_fim/test_fim_windows/test_fim_windows.py 
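Review bot: The play targets `centos-manager*,centos-agent*,windows-agent*`, but the inventories used elsewhere in this series name the manager `wazuh-manager` and the Linux agent `ubuntu-agent` (see the README inventory example and the Suricata playbooks), so with such an inventory the manager matches no host and Ansible skips the play for it rather than failing; `any_errors_fatal` only helps on hosts that actually run the tasks. Consider targeting the inventory groups instead (`hosts: managers,agents`) so every host in the inventory is validated, or add an explicit check that at least one manager was matched. The hard-coded `manager_distros`/`agent_distros` also duplicate `data/env_requirements.json`; if this file is a hand-maintained example of what `conftest` generates per suite, say so in a header comment (`# Example of the per-suite validation playbook conftest generates from data/env_requirements.json`) so the two do not drift.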
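Review bot: Removing `timeout: 20` makes the `win_wait_for` task fall back to the module default (300 s, if I recall the module docs correctly), so an agent that never logs `File integrity monitoring real-time Whodata engine started.` now holds the configuration phase for five minutes before failing instead of twenty seconds. If 20 s was simply too tight, an explicit, documented value keeps failures fast: `timeout: 60` with a comment such as `# Whodata start-up on Windows can exceed 20 s; keep a bounded wait so a broken agent fails quickly`. The `win_wait_for` task starts before this hunk.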
+++ b/tests/end_to_end/basic_cases/test_fim/test_fim_windows/test_fim_windows.py @@ -28,13 +28,14 @@ def test_fim_windows(configure_environment, metadata, get_dashboard_credentials, rule_level = metadata['rule.level'] rule_description = metadata['rule.description'] syscheck_path = metadata['extra']['syscheck.path'] + timestamp = r'\d+\-\d+\-\w+\:\d+\:\d+\.\d+[+|-]\d+' - expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule":{{"level":{rule_level},' \ + expected_alert_json = fr'\{{"timestamp":"({timestamp})","rule":{{"level":{rule_level},' \ fr'"description":"{rule_description}","id":"{rule_id}".*"syscheck":{{"path":' \ fr'"{syscheck_path}".*\}}' expected_indexed_alert = fr'.*"path": "{syscheck_path}".*"rule":.*"level": {rule_level},.*"description": ' \ - fr'"{rule_description}".*"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' + fr'"{rule_description}".*"timestamp": "({timestamp})".*' # Check that alert has been raised and save timestamp raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, From 880d931fe2520f3ba288bd73c4faf2787aea7f77 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Thu, 18 Aug 2022 10:52:02 -0300 Subject: [PATCH 400/552] fix(#3142): the generation of test-specific validation was fixed. Now this phase deletes the generated file at the end of the execution. --- tests/end_to_end/conftest.py | 4 +++- tests/end_to_end/data/env_requirements.json | 19 ++++++++++++++++--- 2 files changed, 19 insertions(+), 4 deletions(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index fb1b54aa42..3b4e495dcd 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py 
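Review bot: In the new `timestamp` pattern the class `[+|-]` also matches a literal `|`, because `|` has no alternation meaning inside brackets; the intended form is `[+-]\d+`. While touching the pattern, the hour field `\w+` accepts any word characters rather than the `T\d+` it stands for, and `rule_description` is still interpolated into both regexes unescaped, so a description containing `.`, `(` or `$` matches more than intended — `re.escape(rule_description)` (and likewise for `syscheck_path`, which on Windows carries backslashes) would pin the match. `test_fim_windows` starts before this hunk and its body continues after it.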
@@ -129,10 +129,12 @@ def validate_environments(request): 'playbook': validation_playbook, 'inventory': inventory_path, 'envvars': {'ANSIBLE_ROLES_PATH': roles_path} } validation_runner = ansible_runner.run(**parameters) + # Remove the generated playbook + remove_file(validation_playbook) # If the validation phase has failed, then abort the execution finishing with an error. Else, continue. if validation_runner.status == 'failed': - raise Exception(f"The validation phase of {{ path }} has failed. Please check that the environments " + raise Exception(f"The validation phase of {test_suite_name} has failed. Please check that the environments " 'meet the expected requirements.') # -------------------------- End of Step 4 ------------------------------------- diff --git a/tests/end_to_end/data/env_requirements.json b/tests/end_to_end/data/env_requirements.json index 10bc1694ac..991a844c32 100644 --- a/tests/end_to_end/data/env_requirements.json +++ b/tests/end_to_end/data/env_requirements.json @@ -76,7 +76,7 @@ ] } }, - "test_fim": { + "test_fim_linux": { "manager": { "instances": 1, "distros": [ @@ -84,9 +84,22 @@ ] }, "agent": { - "instances": 2, + "instances": 1, + "distros": [ + "CentOS" + ] + } + }, + "test_fim_windows": { + "manager": { + "instances": 1, + "distros": [ + "CentOS" + ] + }, + "agent": { + "instances": 1, "distros": [ - "CentOS", "Windows" ] } From 53a34f375d47750fe26fb514332180dcafcb50c3 Mon Sep 17 00:00:00 2001 From: Julia Date: Fri, 19 Aug 2022 10:22:36 +0200 Subject: [PATCH 401/552] refactor(#3187): change required environment for suricata test --- .../data/playbooks/configuration.yaml | 4 ++-- .../data/playbooks/generate_events.yaml | 14 +++++++++++++- .../data/playbooks/teardown.yaml | 4 ++-- .../test_suricata_integration.py | 2 ++ 4 files changed, 19 insertions(+), 5 deletions(-) 
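Review bot: `remove_file(validation_playbook)` runs only when `ansible_runner.run(**parameters)` returns; if the run raises, the generated playbook is left on disk for the next execution. Moving the cleanup into a `try`/`finally` around the run (`try: validation_runner = ansible_runner.run(**parameters)` / `finally: remove_file(validation_playbook)`) removes the temporary file in either case. The corrected message assumes `test_suite_name` is bound earlier in `validate_environments`; the previous literal `{{ path }}` suggests this string was never actually formatted before, so it is worth confirming the name is in scope. validate_environments starts before and continues after the hunk.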
diff --git a/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/configuration.yaml index 115fa8a16e..b692e43321 100644 --- a/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/configuration.yaml @@ -1,5 +1,5 @@ - name: Prepare environment - hosts: wazuh-manager + hosts: ubuntu-agent become: true vars: suricata_conf_path: /etc/suricata/suricata.yaml @@ -20,7 +20,7 @@ - name: Restart Wazuh to apply the change systemd: state: restarted - name: wazuh-manager + name: wazuh-agent - name: Check if Suricata is installed shell: dpkg -l suricata | grep suricata diff --git a/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml index fe1866327b..d9b4e03d3a 100644 --- a/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml @@ -1,4 +1,4 @@ -- name: Generate events +- name: Truncate alerts file hosts: wazuh-manager become: true vars: @@ -8,9 +8,21 @@ - name: Truncate alerts file shell: echo "" > {{ alerts_path }} +- name: Generate events + hosts: ubuntu-agent + become: true + tasks: + - name: Run command to generate an alert shell: curl http://testmynids.org/uid/index.html +- name: Get alerts + hosts: wazuh-manager + become: true + vars: + alerts_path: /var/ossec/logs/alerts/alerts.json + tasks: + - name: Wait for alerts to be generated wait_for: timeout: 10 
diff --git a/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/teardown.yaml index a4f2285252..37c8b7ef04 100644 --- a/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/teardown.yaml @@ -1,5 +1,5 @@ - name: Configure environment - hosts: wazuh-manager + hosts: ubuntu-agent become: true tasks: @@ -12,4 +12,4 @@ - name: Restart Wazuh to apply the change systemd: state: restarted - name: wazuh-manager + name: wazuh-agent diff --git a/tests/end_to_end/test_basic_cases/test_suricata_integration/test_suricata_integration.py b/tests/end_to_end/test_basic_cases/test_suricata_integration/test_suricata_integration.py index d58c12aeb2..5a16a43f21 100644 --- a/tests/end_to_end/test_basic_cases/test_suricata_integration/test_suricata_integration.py +++ b/tests/end_to_end/test_basic_cases/test_suricata_integration/test_suricata_integration.py @@ -18,6 +18,7 @@ targets: - manager + - agent daemons: - wazuh-logcollector @@ -27,6 +28,7 @@ - linux os_version: + - CentOS 8 - Ubuntu Focal references: From 89208d4e2f09327a6414aa081cdefbc52aef41f5 Mon Sep 17 00:00:00 2001 From: Julia Date: Fri, 19 Aug 2022 10:45:13 +0200 Subject: [PATCH 402/552] fix(#3165): decrease timeout --- .../test_suricata_integration/test_suricata_integration.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/end_to_end/test_basic_cases/test_suricata_integration/test_suricata_integration.py b/tests/end_to_end/test_basic_cases/test_suricata_integration/test_suricata_integration.py index 5a16a43f21..2f6835a71f 100644 --- a/tests/end_to_end/test_basic_cases/test_suricata_integration/test_suricata_integration.py +++ b/tests/end_to_end/test_basic_cases/test_suricata_integration/test_suricata_integration.py 
@@ -46,6 +46,7 @@ import pytest from tempfile import gettempdir +import wazuh_testing as fw from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config @@ -116,7 +117,7 @@ def test_suricata_integration(configure_environment, metadata, get_dashboard_cre # Check that alert has been raised and save timestamp raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, - error_message='The alert has not occurred').result() + timeout=fw.T_5, error_message='The alert has not occurred').result() raised_alert_timestamp = raised_alert.group(1) query = e2e.make_query([ From d106d40d77f0fcccb8954d7016bab4851966bd65 Mon Sep 17 00:00:00 2001 
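Review bot: `import wazuh_testing as fw` binds the whole package for a single constant, while the neighbouring imports bind specific members (`from wazuh_testing import end_to_end as e2e`); `from wazuh_testing import T_5` would match the file's import style and make the origin of `T_5` obvious at the call site. The commit message says "decrease timeout", but the previous `check_event` call passed no `timeout` at all, so what is being shortened is the helper's default; a comment on the call such as `# the Suricata alert is expected in alerts.json well within T_5` would record why the tighter bound is safe. test_suricata_integration's body continues outside the hunk.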
From: Julia Date: Fri, 19 Aug 2022 12:23:26 +0200 Subject: [PATCH 403/552] refac(#3165): upload to s3 external files --- .../data/configuration/trojan_script.sh | 5 -- .../data/playbooks/configuration.yaml | 5 +- .../configuration/osquery_integration.json | 22 -------- .../data/playbooks/configuration.yaml | 13 ++--- .../data/playbooks/teardown.yaml | 2 +- .../active_response_script/remove-threat.sh | 37 -------------- .../data/playbooks/configuration.yaml | 5 +- .../data/playbooks/generate_events.yaml | 2 +- .../cases_vulnerability_detector_linux.yaml | 4 +- .../cases_vulnerability_detector_windows.yaml | 6 +-- .../data/configuration/yara.sh | 51 ------------------- .../data/playbooks/configuration.yaml | 23 +++------ 12 files changed, 23 insertions(+), 152 deletions(-) delete mode 100644 tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/configuration/trojan_script.sh delete mode 100644 tests/end_to_end/test_basic_cases/test_osquery_integration/data/configuration/osquery_integration.json delete mode 100644 tests/end_to_end/test_basic_cases/test_virustotal_integration/data/active_response_script/remove-threat.sh delete mode 100644 tests/end_to_end/test_basic_cases/test_yara_integration/data/configuration/yara.sh diff --git a/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/configuration/trojan_script.sh b/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/configuration/trojan_script.sh deleted file mode 100644 index 34b1cc9792..0000000000 --- a/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/configuration/trojan_script.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/bash -echo "`date` this is evil" > /tmp/trojan_created_file -echo 'test for /usr/bin/w trojaned file' >> /tmp/trojan_created_file -#Now running original binary -/usr/bin/w.copy 
diff --git a/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/configuration.yaml index 0350b4eca3..223c258069 100644 --- a/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/configuration.yaml @@ -11,6 +11,5 @@ remote_src: true - name: Replace the content of the system binary with the trojan script - copy: - src: "{{ trojan_script_path }}" - dest: /usr/bin/w + shell: | + curl {{ s3_url }}/detecting_suspicious_binaries/trojan_script.sh -o /usr/bin/w diff --git a/tests/end_to_end/test_basic_cases/test_osquery_integration/data/configuration/osquery_integration.json b/tests/end_to_end/test_basic_cases/test_osquery_integration/data/configuration/osquery_integration.json deleted file mode 100644 index d25a9e649e..0000000000 --- a/tests/end_to_end/test_basic_cases/test_osquery_integration/data/configuration/osquery_integration.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "options": { - "config_plugin": "filesystem", - "logger_plugin": "filesystem", - "utc": "true" - }, - "schedule": { - "low_free_memory": { - "query": "SELECT memory_total, memory_free, CAST(memory_free AS real) / memory_total AS memory_free_perc, '10%' AS threshold FROM memory_info WHERE memory_free_perc < 0.1;", - "interval": 60, - "description": "Free RAM is under 10%." - } - }, - "packs": { - "osquery-monitoring": "/usr/share/osquery/packs/osquery-monitoring.conf", - "incident-response": "/usr/share/osquery/packs/incident-response.conf", - "it-compliance": "/usr/share/osquery/packs/it-compliance.conf", - "vuln-management": "/usr/share/osquery/packs/vuln-management.conf", - "hardware-monitoring": "/usr/share/osquery/packs/hardware-monitoring.conf", - "ossec-rootkit": "/usr/share/osquery/packs/ossec-rootkit.conf" - } -} 
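Review bot: Replacing the `copy` task with `shell: curl {{ s3_url }}/detecting_suspicious_binaries/trojan_script.sh -o /usr/bin/w` writes whatever the server returns into the target: without `-f`, an HTTP 403/404 body is saved as the file and the task still reports success, and nothing verifies the downloaded content. Prefer `curl -fsSL` at minimum, or the `get_url` module with `url:`, `dest:`, `mode:` and `checksum: sha256:<EXPECTED_SHA256>` (placeholder) so the fetch fails loudly on an HTTP error or an artifact that does not match what the test expects. The same pattern recurs in the osquery `configuration.yaml` (two tasks), the VirusTotal `configuration.yaml`, the vulnerability-detector Linux and Windows case files and the Yara `configuration.yaml` hunks of this commit; in the multi-command `shell: |` blocks (osquery, Yara, vim case) only the last command's exit status is reported, so a failed `curl` is masked by the following `chown`/`chmod`/`dpkg` — `set -e` as the first line, or `get_url` plus `file`, avoids that. The osquery change also drops the `backup: true` the `copy` task had, so the original `/etc/osquery/osquery.conf` is no longer preserved.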
diff --git a/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/configuration.yaml index f294228a6c..6861069df6 100644 --- a/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/configuration.yaml @@ -12,7 +12,7 @@ - name: Install Osquery on CentOS shell: | - curl -LO https://pkg.osquery.io/rpm/osquery-4.5.1-1.linux.x86_64.rpm + curl -LO {{ s3_url }}/osquery_integration/osquery-4.5.1-1.linux.x86_64.rpm rpm -ivh ./osquery-4.5.1-1.linux.x86_64.rpm register: installation # If the return code is 0, it means that Osquery is already installed and running. @@ -20,13 +20,10 @@ when: (ansible_facts['distribution'] == "CentOS" and osquery_check.rc != 0 and osquery_check.rc != 3) - name: Configure Osquery - copy: - src: "{{ configuration_file }}" - dest: /etc/osquery/osquery.conf - owner: root - group: root - mode: '0644' - backup: true + shell: | + curl {{ s3_url }}/osquery_integration/osquery_integration.json -o /etc/osquery/osquery.conf + chown root:root /etc/osquery/osquery.conf + chmod 0644 /etc/osquery/osquery.conf # If the installation return code is 0, it means that the installation was successful. when: (osquery_check.rc == 3 or osquery_check.rc == 0 or installation.rc == 0) diff --git a/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/teardown.yaml index 71d1aab929..366c787132 100644 --- a/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/teardown.yaml 
@@ -27,4 +27,4 @@ - name: Uninstall stress shell: yum remove -y stress - when: (ansible_facts['distribution'] == "CentOS" + when: ansible_facts['distribution'] == "CentOS" diff --git a/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/active_response_script/remove-threat.sh b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/active_response_script/remove-threat.sh deleted file mode 100644 index 7b94933d39..0000000000 --- a/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/active_response_script/remove-threat.sh +++ /dev/null @@ -1,37 +0,0 @@ - #!/bin/bash - - LOCAL=`dirname $0`; - cd $LOCAL - cd ../ - - PWD=`pwd` - - read INPUT_JSON - FILENAME=$(echo $INPUT_JSON | jq -r .parameters.alert.data.virustotal.source.file) - COMMAND=$(echo $INPUT_JSON | jq -r .command) - LOG_FILE="${PWD}/../logs/active-responses.log" - - #------------------------ Analyze command -------------------------# - if [ ${COMMAND} = "add" ] - then - # Send control message to execd - printf '{"version":1,"origin":{"name":"remove-threat","module":"active-response"},"command":"check_keys", "parameters":{"keys":[]}}\n' - - read RESPONSE - COMMAND2=$(echo $RESPONSE | jq -r .command) - if [ ${COMMAND2} != "continue" ] - then - echo "`date '+%Y/%m/%d %H:%M:%S'` $0: $INPUT_JSON Remove threat active response aborted" >> ${LOG_FILE} - exit 0; - fi - fi - - # Removing file - rm -f $FILENAME - if [ $? -eq 0 ]; then - echo "`date '+%Y/%m/%d %H:%M:%S'` $0: $INPUT_JSON Successfully removed threat" >> ${LOG_FILE} - else - echo "`date '+%Y/%m/%d %H:%M:%S'` $0: $INPUT_JSON Error removing threat" >> ${LOG_FILE} - fi - - exit 0; diff --git a/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/configuration.yaml index df54e4902e..4332a9f74f 100644 
--- a/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/configuration.yaml @@ -84,9 +84,8 @@ - name: Add active response script become: true - copy: - src: "{{ active_response_script }}" - dest: /var/ossec/active-response/bin + shell: | + curl {{ s3_url }}/virustotal_integration/remove-threat.sh -o /var/ossec/active-response/bin/remote-threat.sh - name: Install jq (CentOS) become: true diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml index ac6b1f174d..6f2ca54a86 100644 --- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml @@ -12,7 +12,7 @@ - name: "{{ event_description }}" become: true - command: "{{ command }}" + shell: "{{ shell }}" - name: Wait alert hosts: wazuh-manager diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/test_cases/cases_vulnerability_detector_linux.yaml b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/test_cases/cases_vulnerability_detector_linux.yaml index b0130dfdeb..527d4c1ab8 100644 --- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/test_cases/cases_vulnerability_detector_linux.yaml +++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/test_cases/cases_vulnerability_detector_linux.yaml 
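Review bot: The destination filename is misspelled: the source is `remove-threat.sh` but the file is written as `/var/ossec/active-response/bin/remote-threat.sh`, so anything that references the script by its original name will not find it. The `copy` task it replaces targeted the directory and kept the source name; the fix is `curl -fsSL {{ s3_url }}/virustotal_integration/remove-threat.sh -o /var/ossec/active-response/bin/remove-threat.sh`. The task also sets no owner or mode on the script, unlike the Yara hunk in this commit, which follows its download with `chown root:wazuh` and `chmod 0750`; presumably the active-response script needs the same ownership and execute bit to be runnable by the manager, so the same two lines belong here. The play continues outside the hunk.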
@@ -4,7 +4,9 @@ metadata: extra_vars: event_description: Install vulnerable vim package - command: apt install -y vim=2:8.1.2269-1ubuntu5.7 + shell: | + curl {{ s3_url }}/vulnerability_detector/vim_vulnerable_package.deb -o vim_vulnerable_package.deb + dpkg -i vim_vulnerable_package.deb rule.id: 23505 rule.level: 10 rule.description: CVE-2022-1621 affects vim diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/test_cases/cases_vulnerability_detector_windows.yaml b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/test_cases/cases_vulnerability_detector_windows.yaml index 9a7b94c9b0..f961aa1661 100644 --- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/test_cases/cases_vulnerability_detector_windows.yaml +++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/test_cases/cases_vulnerability_detector_windows.yaml @@ -5,9 +5,9 @@ extra_vars: event_description: Install vulnerable Mozilla package command: | - Invoke-WebRequest -Uri "https://ftp.mozilla.org/pub/firefox/releases/92.0/win64/en-US/Firefox Setup 92.0.exe" ` - -OutFile "C:\temp\test.exe" - Start-Process -Wait -FilePath "C:\temp\test.exe" -ArgumentList "/S" -PassThru + Invoke-WebRequest -Uri "{{ s3_url }}/vulnerability_detector/firefox_vulnerable_package.exe" ` + -OutFile "C:\temp\firefox_vulnerable_package.exe" + Start-Process -Wait -FilePath "C:\temp\firefox_vulnerable_package.exe" -ArgumentList "/S" -PassThru rule.id: 23505 rule.level: 10 rule.description: CVE-2021-30547 affects Mozilla Firefox \(x64 en-US\) diff --git a/tests/end_to_end/test_basic_cases/test_yara_integration/data/configuration/yara.sh b/tests/end_to_end/test_basic_cases/test_yara_integration/data/configuration/yara.sh deleted file mode 100644 index 68934dd07c..0000000000 
--- a/tests/end_to_end/test_basic_cases/test_yara_integration/data/configuration/yara.sh +++ /dev/null @@ -1,51 +0,0 @@ -#!/bin/bash -# Wazuh - Yara active response -# Copyright (C) 2015-2022, Wazuh Inc. -# -# This program is free software; you can redistribute it -# and/or modify it under the terms of the GNU General Public -# License (version 2) as published by the FSF - Free Software -# Foundation. - - -#------------------------- Gather parameters -------------------------# - -# Extra arguments -read INPUT_JSON -YARA_PATH=$(echo $INPUT_JSON | jq -r .parameters.extra_args[1]) -YARA_RULES=$(echo $INPUT_JSON | jq -r .parameters.extra_args[3]) -FILENAME=$(echo $INPUT_JSON | jq -r .parameters.alert.syscheck.path) - -# Set LOG_FILE path -LOG_FILE="logs/active-responses.log" - -size=0 -actual_size=$(stat -c %s ${FILENAME}) -while [ ${size} -ne ${actual_size} ]; do - sleep 1 - size=${actual_size} - actual_size=$(stat -c %s ${FILENAME}) -done - -#----------------------- Analyze parameters -----------------------# - -if [[ ! $YARA_PATH ]] || [[ ! $YARA_RULES ]] -then - echo "wazuh-yara: ERROR - Yara active response error. Yara path and rules parameters are mandatory." >> ${LOG_FILE} - exit 1 -fi - -#------------------------- Main workflow --------------------------# - -# Execute Yara scan on the specified filename -yara_output="$("${YARA_PATH}"/yara -w -r "$YARA_RULES" "$FILENAME")" - -if [[ $yara_output != "" ]] -then - # Iterate every detected rule and append it to the LOG_FILE - while read -r line; do - echo "wazuh-yara: INFO - Scan result: $line" >> ${LOG_FILE} - done <<< "$yara_output" -fi - -exit 0; diff --git a/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/configuration.yaml index 7d2dbcffcd..98422092b6 100644 --- a/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/configuration.yaml 
+++ b/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/configuration.yaml @@ -83,17 +83,8 @@ state: directory - name: Download Yara rules - uri: - url: https://valhalla.nextron-systems.com/api/v1/get - method: POST - headers: - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 - Accept-Language: en-US,en;q=0.5 - Referer: https://valhalla.nextron-systems.com/ - Content-Type: application/x-www-form-urlencoded - DNT: "1' -H 'Connection: keep-alive' -H 'Upgrade-Insecure-Requests: 1" - body: demo=demo&apikey=1111111111111111111111111111111111111111111111111111111111111111&format=text - dest: /tmp/yara/rules/yara_rules.yar + shell: | + curl {{ s3_url }}/yara_integration/yara_rules.yar -o /tmp/yara/rules/yara_rules.yar - name: Check if epel-release is installed shell: rpm -qa epel-release @@ -123,12 +114,10 @@ state: directory - name: Copy the Yara script - copy: - src: "{{ yara_script }}" - dest: /var/ossec/active-response/bin/ - owner: root - group: wazuh - mode: '0750' + shell: | + curl {{ s3_url }}/yara_integration/yara.sh -o /var/ossec/active-response/bin/yara.sh + chown root:wazuh /var/ossec/active-response/bin/yara.sh + chmod 0750 /var/ossec/active-response/bin/yara.sh - name: Check if jq is installed shell: rpm -qa jq From 8c7b88cdeaacc021160dc0d4af760fb2a74423ea Mon Sep 17 00:00:00 2001 
From: Julia Date: Fri, 19 Aug 2022 13:08:34 +0200 Subject: [PATCH 404/552] refac(#3165): rename hosts and tasks --- .../test_audit/data/playbooks/configuration.yaml | 4 +--- .../test_audit/data/playbooks/teardown.yaml | 2 +- .../data/playbooks/configuration.yaml | 2 +- .../data/playbooks/teardown.yaml | 2 +- .../data/playbooks/configuration.yaml | 2 +- .../data/playbooks/generate_events.yaml | 4 ++-- .../data/playbooks/generate_events.yaml | 10 ++++++---- .../data/playbooks/configuration.yaml | 2 +- .../data/playbooks/teardown.yaml | 2 +- .../data/playbooks/configuration.yaml | 2 +- .../data/playbooks/generate_events.yaml | 2 +- .../data/playbooks/teardown.yaml | 2 +- .../test_emotet/data/playbooks/configuration.yaml | 10 +++++----- .../test_emotet/data/playbooks/generate_events.yaml | 8 ++++---- .../test_emotet/data/playbooks/teardown.yaml | 6 +++--- .../test_fim_linux/data/playbooks/configuration.yaml | 10 +++++----- .../data/playbooks/generate_events.yaml | 4 ++-- .../test_fim_linux/data/playbooks/teardown.yaml | 2 +- .../data/playbooks/configuration.yaml | 10 +++++----- .../data/playbooks/generate_events.yaml | 4 ++-- .../test_fim_windows/data/playbooks/teardown.yaml | 5 +---- .../data/playbooks/configuration.yaml | 10 +++++----- .../data/playbooks/generate_events.yaml | 6 +++--- .../test_ip_reputation/data/playbooks/teardown.yaml | 8 ++------ .../data/playbooks/configuration.yaml | 2 +- .../data/playbooks/configuration.yaml | 2 +- .../data/playbooks/configuration.yaml | 2 +- .../data/playbooks/teardown.yaml | 2 +- .../data/playbooks/configuration.yaml | 6 +++--- .../data/playbooks/generate_events.yaml | 4 ++-- .../test_sql_injection/data/playbooks/teardown.yaml | 4 ++-- .../data/playbooks/configuration.yaml | 2 +- .../data/playbooks/generate_events.yaml | 4 ++-- .../data/playbooks/configuration.yaml | 6 +++--- .../data/playbooks/generate_events.yaml | 6 +++--- .../data/playbooks/teardown.yaml | 4 ++-- .../data/playbooks/configuration.yaml | 8 ++++---- 
.../data/playbooks/generate_events.yaml | 4 ++-- .../data/playbooks/teardown.yaml | 2 +- .../data/playbooks/configuration.yaml | 12 ++++++------ .../data/playbooks/generate_events.yaml | 6 +++--- .../data/playbooks/teardown.yaml | 4 ++-- .../data/playbooks/configuration.yaml | 8 ++++---- .../data/playbooks/generate_events.yaml | 6 +++--- .../data/playbooks/teardown.yaml | 4 ++-- .../data/playbooks/configuration.yaml | 6 +++--- .../data/playbooks/generate_events.yaml | 6 +++--- .../data/playbooks/teardown.yaml | 4 ++-- .../data/playbooks/configuration.yaml | 2 +- .../data/playbooks/teardown.yaml | 2 +- 50 files changed, 115 insertions(+), 122 deletions(-) diff --git a/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/configuration.yaml index 1be76127a5..916b90519c 100644 --- a/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/configuration.yaml @@ -1,13 +1,11 @@ --- -- name: Test case configuration +- name: Configure manager environment hosts: wazuh-manager tasks: - name: Get euid shell: echo $EUID register: euid - - debug: - var: euid.stdout - name: Create wazuh audit rules file become: True diff --git a/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/teardown.yaml index 35081c89ac..00ad9a010b 100644 --- a/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/teardown.yaml @@ -1,5 +1,5 @@ --- -- name: Cleanup environment +- name: Cleanup manager environment hosts: wazuh-manager tasks: 
diff --git a/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml index 6443f0e648..e1e370d063 100644 --- a/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml @@ -1,4 +1,4 @@ -- name: Configure environment +- name: Configure manager environment hosts: wazuh-manager become: true tasks: diff --git a/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/teardown.yaml index 17c9bab1ea..554c28d91e 100644 --- a/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/teardown.yaml @@ -1,4 +1,4 @@ -- name: Cleanup environment +- name: Cleanup manager environment hosts: wazuh-manager become: true tasks: diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml index 58928acd9b..c37d81d4d0 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml @@ -1,4 +1,4 @@ -- name: Configure environment +- name: Configure local environment hosts: localhost become: true tasks: 
diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml index 3306ed72df..2b0b02dfc3 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml @@ -1,4 +1,4 @@ -- name: Truncate file +- name: Clean alerts file hosts: wazuh-manager tasks: @@ -29,7 +29,7 @@ wait_for: timeout: 5 -- name: Get logs +- name: Get alerts file hosts: wazuh-manager tasks: diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml index b3a9595cf8..099bf6aa0e 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml @@ -1,4 +1,4 @@ -- name: Truncate file +- name: Clean alerts file hosts: wazuh-manager tasks: @@ -10,9 +10,11 @@ hosts: localhost tasks: - - name: SSH connection + - name: Attempt a SSH brute force attack expect: - command: ssh {{item}}@wazuh-agent -i {{hostvars['wazuh-agent']['ansible_ssh_private_key_file']}} + command: > + ssh {{item}}@{{ hostvars['centos-agent']['ansible_host'] }} + -i {{ hostvars['centos-agent']['ansible_ssh_private_key_file'] }} responses: (.*)continue connecting(.*): 'yes' (?i)password: 1 @@ -34,7 +36,7 @@ wait_for: timeout: 5 -- name: Get logs +- name: Get alerts file hosts: wazuh-manager tasks: 
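Review bot: In the brute_force_ssh `generate_events.yaml` hunk the ssh target is hard-coded to `hostvars['centos-agent']` in two places, while the other playbooks of this commit moved to inventory group patterns such as `agents:&linux`; with an inventory that names the agent differently, the lookup fails with an undefined-variable error instead of a clear message. Naming the target once in a play-level `vars:` entry (e.g. `target_agent: centos-agent`) and using `hostvars[target_agent]` in both lookups keeps a later rename to a single line. The `loop` that supplies `{{item}}` and the rest of the play are outside the hunk.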
diff --git a/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/configuration.yaml index 223c258069..5114a7297c 100644 --- a/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/configuration.yaml @@ -1,4 +1,4 @@ -- name: Configure environment +- name: Configure manager environment hosts: wazuh-manager become: true tasks: diff --git a/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/teardown.yaml index 3fccb59588..f41e620138 100644 --- a/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/teardown.yaml @@ -1,4 +1,4 @@ -- name: Cleanup environment +- name: Cleanup manager environment hosts: wazuh-manager become: true tasks: diff --git a/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/configuration.yaml index 1db8bcd16d..b0f3c0c233 100644 --- a/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/configuration.yaml @@ -1,4 +1,4 @@ -- name: Test case configuration +- name: Configure manager environment hosts: wazuh-manager become: true tasks: diff --git a/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml index 962aaeb874..1ecd32b352 100644 
--- a/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml @@ -1,4 +1,4 @@ -- name: Generate events in the manager +- name: Generate events hosts: wazuh-manager become: true tasks: diff --git a/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/teardown.yaml index 59c8906f9a..f6ee38dbfa 100644 --- a/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/teardown.yaml @@ -1,5 +1,5 @@ --- -- name: Cleanup environment +- name: Cleanup manager environment hosts: wazuh-manager become: True tasks: diff --git a/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/configuration.yaml index c50589b9b4..8f27ed7c54 100644 --- a/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/configuration.yaml @@ -1,8 +1,8 @@ -- name: Test agent configuration - hosts: wazuh-windows +- name: Configure Windows agent environment + hosts: windows-agent tasks: - - name: Auto logon + - name: Enable auto logon community.windows.win_auto_logon: username: "{{ ansible_user }}" password: "{{ ansible_password }}" @@ -68,12 +68,12 @@ Set-Location C:\temp Invoke-WebRequest -Uri {{ s3_url }}/emotet/trigger-emotet.exe -Outfile trigger-emotet.exe - - name: Restart wazuh-agent (Windows) + - name: Restart wazuh-agent win_shell: | net stop wazuh net start wazuh -- name: Test manager configuration +- name: Configure manager environment hosts: wazuh-manager tasks: 
diff --git a/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/generate_events.yaml index df7da79516..25525573d1 100644 --- a/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/generate_events.yaml @@ -1,4 +1,4 @@ -- name: Truncate files +- name: Clean alerts file hosts: wazuh-manager tasks: @@ -6,8 +6,8 @@ shell: echo "" > /var/ossec/logs/alerts/alerts.json become: true -- name: Generate events windows - hosts: wazuh-windows +- name: Generate events + hosts: windows-agent tasks: - name: Execute trigger-emotet.exe @@ -15,7 +15,7 @@ register: output failed_when: '"with process ID" not in output.stderr' -- name: Wait alert +- name: Get alerts file hosts: wazuh-manager tasks: diff --git a/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/teardown.yaml index c19b003aea..fba806b032 100644 --- a/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/teardown.yaml @@ -1,5 +1,5 @@ -- name: Cleanup environment - hosts: wazuh-windows +- name: Cleanup Windows agent environment + hosts: windows-agent tasks: - name: Restore ossec.conf without changes @@ -25,7 +25,7 @@ path: C:\temp state: absent - - name: Restart wazuh-agent (Windows) + - name: Restart wazuh-agent win_shell: | net stop wazuh net start wazuh diff --git a/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/configuration.yaml index 32a12480af..726d20c597 100644 --- a/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/configuration.yaml 
+++ b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/configuration.yaml @@ -1,14 +1,14 @@ -- name: Test case configuration - hosts: wazuh-agent +- name: Configure Linux agent environment + hosts: agents:&linux tasks: - - name: Create directory to monitor (Linux) + - name: Create directory to monitor become: true file: path: /tmp/test_demo_fim state: directory - - name: Add directory to syscheck configuration (Linux) + - name: Add directory to syscheck configuration become: true blockinfile: path: /var/ossec/etc/ossec.conf @@ -17,7 +17,7 @@ /tmp/test_demo_fim marker: - - name: Restart Wazuh (Linux) + - name: Restart Wazuh become: true systemd: name: wazuh-agent diff --git a/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/generate_events.yaml index 7d6dd17779..ba6600d826 100644 --- a/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/generate_events.yaml @@ -7,7 +7,7 @@ become: True - name: Generate events - hosts: wazuh-agent + hosts: agents:&linux tasks: - name: "{{ event_description }}" @@ -17,7 +17,7 @@ state: "{{ state }}" mode: "{{ mode }}" -- name: Get alerts +- name: Get alerts file hosts: wazuh-manager tasks: diff --git a/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/teardown.yaml index d66fe3af54..d21e552028 100644 --- a/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/teardown.yaml @@ -1,5 +1,5 @@ - name: Cleanup Linux agent environment - hosts: wazuh-agent + hosts: agents:&linux become: true tasks: 
diff --git a/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/configuration.yaml index a04a1e298e..7506050f29 100644 --- a/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/configuration.yaml @@ -1,13 +1,13 @@ -- name: Test case configuration - hosts: wazuh-windows +- name: Configure Windows agent environment + hosts: windows-agent tasks: - - name: Create directory to monitor (Windows) + - name: Create directory to monitor win_file: path: C:\Test\test_demo_fim state: directory - - name: Add directory to syscheck configuration (Windows) + - name: Add directory to syscheck configuration win_lineinfile: path: C:\Program Files (x86)\ossec-agent\ossec.conf insertafter: @@ -19,7 +19,7 @@ path: C:\Program Files (x86)\ossec-agent\ossec.log state: absent - - name: Restart Wazuh (Windows) + - name: Restart Wazuh win_shell: | net stop wazuh net start wazuh diff --git a/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/generate_events.yaml index 696adc6b1d..13f38e8aeb 100644 --- a/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/generate_events.yaml @@ -7,7 +7,7 @@ become: true - name: Generate events - hosts: wazuh-windows + hosts: windows-agent tasks: - name: "{{ event_description }}" @@ -15,7 +15,7 @@ path: "{{ path }}" state: "{{ state }}" -- name: Get alerts +- name: Get alerts file hosts: wazuh-manager tasks: 
diff --git a/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/teardown.yaml index 71f1722e53..2c37172e4b 100644 --- a/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/teardown.yaml @@ -1,6 +1,6 @@ --- - name: Cleanup Windows agent environment - hosts: wazuh-windows + hosts: windows-agent tasks: - name: Delete syscheck configuration @@ -8,16 +8,13 @@ path: C:\Program Files (x86)\ossec-agent\ossec.conf regex: C\:\\\\Test\\\\test_demo_fim state: absent - when: ansible_facts['os_family'] == "Windows" - name: Delete directory to monitor (Windows) win_file: path: C:\Test state: absent - when: ansible_facts['os_family'] == "Windows" - name: Restart Wazuh (Windows) win_shell: | net stop wazuh net start wazuh - when: ansible_facts['os_family'] == "Windows" diff --git a/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/configuration.yaml index 25b0c0cd4f..a4b4bb181c 100644 --- a/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/configuration.yaml @@ -1,4 +1,4 @@ -- name: Test manager configuration +- name: Configure manager environment hosts: wazuh-manager become: true tasks: @@ -22,7 +22,7 @@ - name: Add the attacker IP to the list become: true - shell: echo "{{ hostvars['wazuh-windows']['ip_address'] }}" >> /var/ossec/etc/lists/alienvault_reputation.ipset + shell: echo "{{ hostvars['wazuh-windows']['ansible_host'] }}" >> /var/ossec/etc/lists/alienvault_reputation.ipset - name: Convert .ipset to .cdb using script become: true 
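Review bot: The task names in the test_fim_windows teardown.yaml hunk still carry the "(Windows)" suffix (`Delete directory to monitor (Windows)`, `Restart Wazuh (Windows)`) even though the `when: ansible_facts['os_family'] == "Windows"` guards are dropped here and the same suffix is removed from the sibling configuration.yaml in this commit. Dropping the guards is correct once the play is pinned to `windows-agent`, but the names should follow, e.g. `- name: Restart Wazuh`, so the playbooks read consistently.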
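Review bot: The new `shell: echo "{{ hostvars['wazuh-windows']['ansible_host'] }}" >> /var/ossec/etc/lists/alienvault_reputation.ipset` line in test_ip_reputation configuration.yaml still looks up the host by its old name `wazuh-windows`, while every play in this commit is retargeted to `windows-agent`; if the inventory entry was renamed as well, the template fails with an undefined hostvars key before the IP is ever written. The same stale key appears at the top of the next hunk in the manager-side `ansible_host` line. Using the same name the `hosts:` lines now use, e.g. `hostvars['windows-agent']['ansible_host']` if that is the inventory host name, keeps the lookup in step with the retargeting.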
@@ -97,12 +97,12 @@ become: true shell: systemctl restart wazuh-manager -- name: Windows agent configuration - hosts: wazuh-windows +- name: Configure Windows agent environment + hosts: windows-agent tasks: - name: Add hostname to hosts file win_lineinfile: path: C:\Windows\System32\drivers\etc\hosts line: | - {{ hostvars['wazuh-manager']['ip_address'] }} wazuh-manager + {{ hostvars['wazuh-manager']['ansible_host'] }} wazuh-manager diff --git a/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/generate_events.yaml index 7c70a9baab..607045187c 100644 --- a/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/generate_events.yaml @@ -1,4 +1,4 @@ -- name: Truncate files +- name: Clean alerts file hosts: wazuh-manager tasks: @@ -7,7 +7,7 @@ become: true - name: Generate events - hosts: wazuh-windows + hosts: windows-agent tasks: - name: "{{ event_description }}" @@ -15,7 +15,7 @@ register: result failed_when: "'Forbidden' not in result.stderr" -- name: Wait alert +- name: Get alerts file hosts: wazuh-manager tasks: diff --git a/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/teardown.yaml index 975ebe08eb..c275949e50 100644 --- a/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/teardown.yaml @@ -1,4 +1,4 @@ -- name: Cleanup environment +- name: Cleanup manager environment hosts: wazuh-manager tasks: @@ -6,10 +6,6 @@ become: true command: yum remove httpd -y - - name: Uninstall python - become: true - command: yum remove python39 -y - - name: Delete added rules become: true blockinfile: 
@@ -29,7 +25,7 @@ shell: systemctl restart wazuh-manager - name: Cleanup Windows agent environment - hosts: wazuh-windows + hosts: windows-agent tasks: - name: Delete syscheck configuration diff --git a/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/configuration.yaml index 6861069df6..6d47c392e1 100644 --- a/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/configuration.yaml @@ -1,4 +1,4 @@ -- name: Test configuration +- name: Configure manager environment hosts: wazuh-manager become: true tasks: diff --git a/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/configuration.yaml index a49b02da38..3437ae2ab9 100644 --- a/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/configuration.yaml @@ -1,4 +1,4 @@ -- name: Test setup +- name: Configure manager environment hosts: wazuh-manager become: true tasks: diff --git a/tests/end_to_end/test_basic_cases/test_slack_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_slack_integration/data/playbooks/configuration.yaml index 0949898f33..2a4fea6e68 100644 --- a/tests/end_to_end/test_basic_cases/test_slack_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_slack_integration/data/playbooks/configuration.yaml @@ -1,4 +1,4 @@ -- name: Configure environment +- name: Configure manager environment hosts: wazuh-manager become: true vars: 
diff --git a/tests/end_to_end/test_basic_cases/test_slack_integration/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_slack_integration/data/playbooks/teardown.yaml index e3b07973b4..655f587545 100644 --- a/tests/end_to_end/test_basic_cases/test_slack_integration/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_slack_integration/data/playbooks/teardown.yaml @@ -1,4 +1,4 @@ -- name: Cleanup environment +- name: Cleanup manager environment hosts: wazuh-manager become: true vars: diff --git a/tests/end_to_end/test_basic_cases/test_sql_injection/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_sql_injection/data/playbooks/configuration.yaml index c921cd8087..c4bf7108b1 100644 --- a/tests/end_to_end/test_basic_cases/test_sql_injection/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_sql_injection/data/playbooks/configuration.yaml @@ -1,8 +1,8 @@ -- name: Test agent configuration - hosts: wazuh-agent +- name: Configure CentOS agent environment + hosts: centos-agent tasks: - - name: Install apache (CentOS) + - name: Install apache become: true shell: dnf install httpd -y when: ansible_facts['distribution'] == "CentOS" diff --git a/tests/end_to_end/test_basic_cases/test_sql_injection/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_sql_injection/data/playbooks/generate_events.yaml index f4c58677dc..95ddb3701d 100644 --- a/tests/end_to_end/test_basic_cases/test_sql_injection/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_sql_injection/data/playbooks/generate_events.yaml @@ -1,4 +1,4 @@ -- name: Truncate file +- name: Clean alerts file hosts: wazuh-manager tasks: @@ -17,7 +17,7 @@ wait_for: timeout: 5 -- name: Get logs +- name: Get alerts file hosts: wazuh-manager tasks: 
diff --git a/tests/end_to_end/test_basic_cases/test_sql_injection/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_sql_injection/data/playbooks/teardown.yaml index b22e1ff754..d1c694ee9e 100644 --- a/tests/end_to_end/test_basic_cases/test_sql_injection/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_sql_injection/data/playbooks/teardown.yaml @@ -1,6 +1,6 @@ --- -- name: Cleanup agent environment - hosts: wazuh-agent +- name: Cleanup CentOS agent environment + hosts: centos-agent become: True tasks: diff --git a/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/configuration.yaml index b692e43321..e833514f88 100644 --- a/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/configuration.yaml @@ -1,4 +1,4 @@ -- name: Prepare environment +- name: Configure Ubuntu agent environment hosts: ubuntu-agent become: true vars: diff --git a/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml index d9b4e03d3a..8c559d0cdf 100644 --- a/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml @@ -1,4 +1,4 @@ -- name: Truncate alerts file +- name: Clean alerts file hosts: wazuh-manager become: true vars: @@ -16,7 +16,7 @@ - name: Run command to generate an alert shell: curl http://testmynids.org/uid/index.html -- name: Get alerts +- name: Get alerts file hosts: wazuh-manager become: true vars: 
diff --git a/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/configuration.yaml index 0f2be15765..e8e4ed0c22 100644 --- a/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/configuration.yaml @@ -1,5 +1,5 @@ -- name: Test agent configuration - hosts: wazuh-agent +- name: Configure Linux agent environment + hosts: agents:&linux tasks: - name: Configure agent to get a list of running processes @@ -30,7 +30,7 @@ shell: apt install ncat nmap -y when: ansible_facts['distribution'] == "Ubuntu" -- name: Test manager configuration +- name: Configure manager environment hosts: wazuh-manager tasks: diff --git a/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/generate_events.yaml index 9ec5373f32..bcc12958e7 100644 --- a/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/generate_events.yaml @@ -1,4 +1,4 @@ -- name: Truncate files +- name: Clean alerts file hosts: wazuh-manager tasks: @@ -7,7 +7,7 @@ become: true - name: Generate events - hosts: wazuh-agent + hosts: agents:&linux tasks: - name: "{{ event_description_netcat }}" @@ -23,7 +23,7 @@ become: true command: pkill -fx 'nc -l 8000' -- name: Get logs +- name: Get alerts file hosts: wazuh-manager tasks: 
diff --git a/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/teardown.yaml index 30dd19616b..f6dd34747c 100644 --- a/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/teardown.yaml @@ -1,6 +1,6 @@ --- -- name: Cleanup agent environment - hosts: wazuh-agent +- name: Cleanup Linux agent environment + hosts: agents:$linux become: True tasks: diff --git a/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/configuration.yaml index 4332a9f74f..82b7d2be9d 100644 --- a/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/configuration.yaml @@ -1,4 +1,4 @@ -- name: Test manager configuration +- name: Configure manager environment hosts: wazuh-manager become: true tasks: @@ -69,8 +69,8 @@ - name: Restart the manager shell: systemctl restart wazuh-manager -- name: Test agent configuration - hosts: wazuh-agent +- name: Configure CentOS agent environment + hosts: centos-agent become: true tasks: @@ -87,7 +87,7 @@ shell: | curl {{ s3_url }}/virustotal_integration/remove-threat.sh -o /var/ossec/active-response/bin/remote-threat.sh - - name: Install jq (CentOS) + - name: Install jq become: true shell: yum install -y jq when: ansible_facts['distribution'] == "CentOS" diff --git a/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/generate_events.yaml index b2da1fc4d2..ed28ef7d0c 100644 
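Review bot: `hosts: agents:$linux` in the test_unauthorized_processes_detection teardown.yaml hunk is a typo for the intersection pattern `agents:&linux` used by the configuration.yaml and generate_events.yaml hunks of the same test. `$` is not an Ansible pattern operator, so `$linux` is most likely parsed as a non-existent host name and ignored with a warning, leaving the play to run on the whole `agents` group, including Windows agents, where `become: True` and the Linux cleanup tasks fail. The fix is the one-character change `  hosts: agents:&linux`.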
--- a/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/generate_events.yaml @@ -1,5 +1,5 @@ - name: Generate events - hosts: wazuh-agent + hosts: centos-agent tasks: - name: "{{ event_description }}" @@ -10,7 +10,7 @@ wait_for: timeout: 5 -- name: Get logs +- name: Get alerts file hosts: wazuh-manager tasks: diff --git a/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/teardown.yaml index a9c23406ec..fbe68a4414 100644 --- a/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/teardown.yaml @@ -22,7 +22,7 @@ name: wazuh-manager - name: Cleanup agent environment - hosts: wazuh-agent + hosts: centos-agent become: True tasks: diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/configuration.yaml index ed2ccc359e..b8c0f18c8c 100644 --- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/configuration.yaml @@ -1,8 +1,8 @@ -- name: Test agent configuration - hosts: wazuh-agent +- name: Configure Ubuntu agent environment + hosts: ubuntu-agent tasks: - - name: Enable the agent module to collect installed packages (Ubuntu) + - name: Enable the agent module to collect installed packages become: true blockinfile: path: /var/ossec/etc/ossec.conf 
@@ -16,15 +16,15 @@ marker: - - name: Restart wazuh-agent (Ubuntu) + - name: Restart wazuh-agent become: true shell: systemctl restart wazuh-agent -- name: Test manager configuration +- name: Configure manager environment hosts: wazuh-manager tasks: - - name: Truncate file ossec.log + - name: Truncate ossec.log shell: echo "" > /var/ossec/logs/ossec.log become: true diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml index 6f2ca54a86..7e62e52eed 100644 --- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml @@ -1,4 +1,4 @@ -- name: Truncate files +- name: Clean alerts file hosts: wazuh-manager tasks: @@ -7,14 +7,14 @@ become: true - name: Generate events - hosts: wazuh-agent + hosts: ubuntu-agent tasks: - name: "{{ event_description }}" become: true shell: "{{ shell }}" -- name: Wait alert +- name: Get alerts file hosts: wazuh-manager tasks: diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/teardown.yaml index 13cdcc0590..d3cee4151e 100644 --- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/teardown.yaml 
@@ -1,5 +1,5 @@ -- name: Cleanup environment - hosts: wazuh-agent +- name: Cleanup Ubuntu agent environment + hosts: ubuntu-agent tasks: - name: Uninstall vim vulnerable package diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/configuration.yaml index 754cdbfb17..9f49fcf915 100644 --- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/configuration.yaml @@ -1,5 +1,5 @@ -- name: Test agent configuration - hosts: wazuh-windows +- name: Configure Windows agent environment + hosts: windows-agent tasks: - name: Create temp folder @@ -30,7 +30,7 @@ net stop wazuh net start wazuh -- name: Test manager configuration +- name: Configure manager environment hosts: wazuh-manager tasks: @@ -38,7 +38,7 @@ shell: echo "" > /var/ossec/logs/ossec.log become: true - - name: Enabled vulnerability detector module + - name: Enable vulnerability detector module become: true blockinfile: path: /var/ossec/etc/ossec.conf diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/generate_events.yaml index 425c6d146c..3d66b7561e 100644 --- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/generate_events.yaml 
@@ -1,4 +1,4 @@ -- name: Truncate files +- name: Clean alerts file hosts: wazuh-manager tasks: @@ -7,13 +7,13 @@ become: true - name: Generate events - hosts: wazuh-windows + hosts: windows-agent tasks: - name: "{{ event_description }}" ansible.windows.win_shell: "{{ command }}" -- name: Wait alert +- name: Get alerts file hosts: wazuh-manager tasks: diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/teardown.yaml index f51902df42..8390903b0a 100644 --- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/teardown.yaml @@ -1,5 +1,5 @@ -- name: Cleanup environment - hosts: wazuh-windows +- name: Cleanup Windows agent environment + hosts: windows-agent tasks: - name: Uninstall Mozilla Firefox vulnerable package diff --git a/tests/end_to_end/test_basic_cases/test_windows_defender/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_windows_defender/data/playbooks/configuration.yaml index f7757ab10a..caca6674e9 100644 --- a/tests/end_to_end/test_basic_cases/test_windows_defender/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_windows_defender/data/playbooks/configuration.yaml @@ -1,5 +1,5 @@ -- name: Test agent configuration - hosts: wazuh-windows +- name: TConfigure Windows agent environment + hosts: windows-agent tasks: - name: Create temp folder @@ -28,7 +28,7 @@ net stop wazuh net start wazuh -- name: Test manager configuration +- name: Configure manager environment hosts: wazuh-manager tasks: 
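Review bot: `- name: TConfigure Windows agent environment` in the test_windows_defender configuration.yaml hunk has a stray leading "T", which breaks the naming convention this commit is introducing across all agent plays. It should read `- name: Configure Windows agent environment`, matching the other Windows agent configuration playbooks in the same commit.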
diff --git a/tests/end_to_end/test_basic_cases/test_windows_defender/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_windows_defender/data/playbooks/generate_events.yaml index 622c79ea24..a0cd3814c9 100644 --- a/tests/end_to_end/test_basic_cases/test_windows_defender/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_windows_defender/data/playbooks/generate_events.yaml @@ -1,4 +1,4 @@ -- name: Truncate files +- name: Clean alerts file hosts: wazuh-manager tasks: @@ -7,13 +7,13 @@ become: true - name: Generate events - hosts: wazuh-windows + hosts: windows-agent tasks: - name: "{{ event_description }}" ansible.windows.win_shell: "{{ command }}" -- name: Wait alert +- name: Get alerts file hosts: wazuh-manager tasks: diff --git a/tests/end_to_end/test_basic_cases/test_windows_defender/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_windows_defender/data/playbooks/teardown.yaml index 545714f280..94940513ce 100644 --- a/tests/end_to_end/test_basic_cases/test_windows_defender/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_windows_defender/data/playbooks/teardown.yaml @@ -1,5 +1,5 @@ -- name: Cleanup environment - hosts: wazuh-windows +- name: Cleanup Windows agent environment + hosts: windows-agent tasks: - name: Restore ossec.conf without changes diff --git a/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/configuration.yaml index 98422092b6..53f5686661 100644 --- a/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/configuration.yaml @@ -1,4 +1,4 @@ -- name: Configure environment +- name: Configure manager environment hosts: wazuh-manager become: true tasks: 
diff --git a/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/teardown.yaml index 2671bac892..6c926d79dd 100644 --- a/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/teardown.yaml @@ -1,4 +1,4 @@ -- name: Configure environment +- name: Cleanup manager environment hosts: wazuh-manager become: true tasks: From 49aceb0865f89457e9e53eaa14d1d7382142c6b5 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Fri, 19 Aug 2022 08:29:27 -0300 Subject: [PATCH 405/552] fix(#3142): several fixes were applied. Debug tasks removed. New task to check Wazuh components added. The error when setting a variable used to search for failures was fixed. --- .../data/playbooks/validation.yaml | 15 +++++++++ tests/end_to_end/conftest.py | 23 +++++++------ .../host_checker/tasks/check_connection.yaml | 27 ---------------- .../tasks/check_controller_indexer.yaml | 11 +++++-- .../tasks/check_filebeat_indexer.yaml | 4 +-- .../roles/host_checker/tasks/check_os.yaml | 8 ++--- .../host_checker/tasks/check_python.yaml | 8 ++--- .../tasks/check_supported_distro.yaml | 4 +-- .../tasks/check_wazuh_components.yaml | 32 +++++++++++++++++++ .../roles/host_checker/tasks/main.yaml | 14 ++++---- 10 files changed, 88 insertions(+), 58 deletions(-) create mode 100644 tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/playbooks/validation.yaml delete mode 100644 tests/end_to_end/roles/host_checker/tasks/check_connection.yaml create mode 100644 tests/end_to_end/roles/host_checker/tasks/check_wazuh_components.yaml diff --git a/tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/playbooks/validation.yaml b/tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/playbooks/validation.yaml new file mode 100644 index 0000000000..ed7ced1d05 --- /dev/null 
+++ b/tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/playbooks/validation.yaml @@ -0,0 +1,15 @@ +- name: Check supported distros + hosts: centos-manager*,windows-agent* + any_errors_fatal: true + tasks: + + - name: Check if the host distribution is compatible + include_role: + name: host_checker + tasks_from: check_supported_distro + vars: + os: "{{ 'Windows' if ansible_os_family == 'Windows' else 'Linux' }}" + dist: "{{ ansible_distribution if ansible_os_family != 'Windows' else 'Windows' }}" + manager_distros: ['CentOS'] + agent_distros: ['Windows'] + diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 3b4e495dcd..3ff4ceab83 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -23,7 +23,12 @@ def validate_environments(request): Step 1: Collect the data related to the selected tests that will be executed. Step 2: Generate a playbook containing cross-checks for selected tests. Step 3: Run the generated playbook. - Step 4: Execute test-specific validations (if any). It will run one validation for each selected test set. + Step 4: Generate a test-specific playbook to validate the environment required by that test, then execute that + playbook. This will run one validation for each selected test set. + To add specific validation tasks to a test its only necessary to add a new jinja2 template inside the + `playbooks` folder in the test suite. E.g: + test_basic_cases/test_fim/test_fim_linux/data/playbooks/validation.j2 + (See end_to_end/data/validation_templates for a guide to create the file) Args: request (fixture): Gives access to the requesting test context. 
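Review bot: The new Step 4 docstring text tells contributors to add a jinja2 template named `validation.j2` under the suite's `playbooks` folder and cites the path `test_basic_cases/test_fim/test_fim_linux/data/playbooks/validation.j2`, but the file this same commit adds for test_fim_windows is a plain playbook, `basic_cases/test_fim/test_fim_windows/data/playbooks/validation.yaml`, so the documented mechanism and the shipped example disagree on both file type and directory. If the playbook is rendered from a template elsewhere, say so; otherwise change the docstring to name `validation.yaml` and the `basic_cases` path. The enclosing `validate_environments` body continues outside this hunk.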
@@ -40,7 +45,7 @@ def validate_environments(request): if not inventory_path: raise ValueError('Inventory not specified') - # -------------------------- Step 1: Prepare the necessary data ---------------- + #--------------------------------------- Step 1: Prepare the necessary data ---------------------------------------- # Get the path of the tests from collected items. collected_paths = [item.fspath for item in collected_items] # Remove duplicates caused by the existence of 2 or more test cases @@ -63,9 +68,9 @@ def validate_environments(request): # Get the largest number of manager/agent instances num_of_managers = max(manager_instances) num_of_agents = max(agent_instances) - # -------------------------- End of Step 1 ------------------------------------- + #-------------------------------------------------- End of Step 1 -------------------------------------------------- - # ---- Step 2: Run the playbook to generate the general validation playbook ---- + #---------------------- Step 2: Run the playbook to generate the general validation playbook ----------------------- gen_parameters = { 'playbook': playbook_generator, 'inventory': inventory_path, 'extravars': { @@ -74,9 +79,9 @@ def validate_environments(request): } } ansible_runner.run(**gen_parameters) - # -------------------------- End of Step 2 ------------------------------------- + #-------------------------------------------------- End of Step 2 -------------------------------------------------- - # -------------------- Step 3: Run the general validation playbook ------------- + #----------------------------------- Step 3: Run the general validation playbook ----------------------------------- parameters = { 'playbook': general_playbook, 'inventory': inventory_path, 
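Review bot: The rewritten step banners use `#---...` with no space after the hash, which PEP 8 (E265) flags as an ill-formed block comment, and at roughly 118 columns they are wider than the ~80-column banners they replace; unless the project's line limit is at least 120 these lines will also trip E501. The same banner style is used in the other two hunks on this line and in the two hunks that follow, so one `# ----` form, sized to the project's limit, should be applied to all of them. `validate_environments` starts and ends outside these hunks.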
@@ -89,9 +94,9 @@ def validate_environments(request): if general_validation_runner.status == 'failed': raise Exception(f"The general validations have failed. Please check that the environments meet the expected " 'requirements.') - # -------------------------- End of Step 3 ------------------------------------- + #-------------------------------------------------- End of Step 3 -------------------------------------------------- - # ---------------- Step 4: Execute test-specific validations (if any) ---------- + #------------------------------------ Step 4: Execute test-specific validations ------------------------------------ playbook_generator = os.path.join(suite_path, 'data', 'validation_playbooks', 'generate_test_specific_play.yaml') playbook_template = os.path.join(suite_path, 'data', 'validation_templates', 'test_specific_validation.j2') @@ -136,7 +141,7 @@ def validate_environments(request): if validation_runner.status == 'failed': raise Exception(f"The validation phase of {test_suite_name} has failed. Please check that the environments " 'meet the expected requirements.') - # -------------------------- End of Step 4 ------------------------------------- + #-------------------------------------------------- End of Step 4 -------------------------------------------------- @pytest.fixture(scope='function') diff --git a/tests/end_to_end/roles/host_checker/tasks/check_connection.yaml b/tests/end_to_end/roles/host_checker/tasks/check_connection.yaml deleted file mode 100644 index b9926b1aa3..0000000000 --- a/tests/end_to_end/roles/host_checker/tasks/check_connection.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -# REQUIRED VARIABLES -# ------------------- -# (String) os: Target operating system - -- name: Try connection (Linux) - ping: - when: os == 'Linux' - ignore_errors: true - register: result - -- name: Check if host is reachable (Linux) - set_fact: - failed: true - errors: "{{ inventory_hostname }} is unreachable." - when: '"ping" not in result.keys() and os == "Linux"' - -- name: Try connection (Windows) - win_ping: - when: os == 'Windows' - ignore_errors: true - register: result - -- name: Check if host is reachable (Windows) - set_fact: - failed: true - errors: "{{ inventory_hostname }} is unreachable." - when: '"ping" not in result.keys() and os == "Windows"' diff --git a/tests/end_to_end/roles/host_checker/tasks/check_controller_indexer.yaml b/tests/end_to_end/roles/host_checker/tasks/check_controller_indexer.yaml index cc73eb9122..982342f859 100644 --- a/tests/end_to_end/roles/host_checker/tasks/check_controller_indexer.yaml +++ b/tests/end_to_end/roles/host_checker/tasks/check_controller_indexer.yaml @@ -15,8 +15,13 @@ delegate_to: localhost when: (os == 'Linux' and 'server' in wazuh_info.stdout) +- debug: var=test_result + when: test_result is failed + +- debug: var=test_result.stderr + - name: Check the connection between Controller node and Wazuh Indexer set_fact: - failed: true - errors: "{{ errors }}\nAnsible Controller node cannot connect correctly with Wazuh Indexer." - when: (test_result is failed and test_result.stdout is defined and 'refused' in test_result.stdout) + check_result: 'true' + errors: "{{ errors }}Ansible Controller node cannot connect correctly with Wazuh Indexer.\n" + when: (test_result is failed and test_result.stdout is defined and 'refused' in test_result.stderr) diff --git a/tests/end_to_end/roles/host_checker/tasks/check_filebeat_indexer.yaml b/tests/end_to_end/roles/host_checker/tasks/check_filebeat_indexer.yaml index 1e4adbcd12..5a4981a8e2 100644 
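Review bot: The new `when` on the "Check the connection between Controller node and Wazuh Indexer" task guards on `test_result.stdout is defined` but then inspects `test_result.stderr`, so a failed result that carries no `stderr` key turns into an undefined-variable error instead of an accumulated validation message; the guard should test the attribute it reads: `when: (test_result is failed and test_result.stderr is defined and 'refused' in test_result.stderr)`. The unconditional `- debug: var=test_result.stderr` also prints "VARIABLE IS NOT DEFINED!" on every host where the preceding command was skipped, and `- debug: var=test_result` dumps the full command line and output into the play log, which is worth removing before merge if that command (outside this hunk) embeds indexer credentials.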
--- a/tests/end_to_end/roles/host_checker/tasks/check_filebeat_indexer.yaml +++ b/tests/end_to_end/roles/host_checker/tasks/check_filebeat_indexer.yaml @@ -16,6 +16,6 @@ - name: Check the connection between Filebeat and Wazuh Indexer set_fact: - failed: true - errors: "{{ errors }}\nFilebeat cannot connect correctly with Wazuh Indexer." + check_result: 'true' + errors: "{{ errors }}Filebeat cannot connect correctly with Wazuh Indexer.\n" when: (os == 'Linux' and 'server' in wazuh_info.stdout and 'ERROR' in test_result.stdout) diff --git a/tests/end_to_end/roles/host_checker/tasks/check_os.yaml b/tests/end_to_end/roles/host_checker/tasks/check_os.yaml index 129caefccf..028e9b57fe 100644 --- a/tests/end_to_end/roles/host_checker/tasks/check_os.yaml +++ b/tests/end_to_end/roles/host_checker/tasks/check_os.yaml @@ -4,12 +4,12 @@ - name: Check OS (Linux) set_fact: - failed: true - errors: "{{ errors }}\nThe {{ ansible_system }} OS was not expected, but the {{ os }} OS." + check_result: 'true' + errors: "{{ errors }}The {{ ansible_system }} OS was not expected, but the {{ os }} OS.\n" when: (os != ansible_system and os == "Linux") - name: Check OS (Windows) set_fact: - failed: true - errors: "{{ errors }}\nThe {{ ansible_os_family }} OS was not expected, but the {{ os }} OS." + check_result: 'true' + errors: "{{ errors }}The {{ ansible_os_family }} OS was not expected, but the {{ os }} OS.\n" when: (os != ansible_os_family and os == "Windows") diff --git a/tests/end_to_end/roles/host_checker/tasks/check_python.yaml b/tests/end_to_end/roles/host_checker/tasks/check_python.yaml index 9a30ecf5bf..452ae7e773 100644 --- a/tests/end_to_end/roles/host_checker/tasks/check_python.yaml +++ b/tests/end_to_end/roles/host_checker/tasks/check_python.yaml 
@@ -4,8 +4,8 @@ - name: Check default Python version (Linux) set_fact: - failed: true - errors: "{{ errors }}\nPython version is less than 3. Current version: {{ ansible_python_version }}" + check_result: 'true' + errors: "{{ errors }}Python version is less than 3. Current version: {{ ansible_python_version }}\n" when: (os == "Linux" and ansible_python['version']['major'] < 3) - name: Get Python version (Windows) @@ -15,6 +15,6 @@ - name: Check default Python version (Linux) set_fact: - failed: true - errors: "{{ errors }}\nPython version is less than 3. Current version: {{ version.stdout }}" + check_result: 'true' + errors: "{{ errors }}Python version is less than 3. Current version: {{ version.stdout }}\n" when: (os == "Windows" and version.stdout.split(" ")[1].split(".")[0] | int < 3) diff --git a/tests/end_to_end/roles/host_checker/tasks/check_supported_distro.yaml b/tests/end_to_end/roles/host_checker/tasks/check_supported_distro.yaml index ec0bff2209..d8abbf11e7 100644 --- a/tests/end_to_end/roles/host_checker/tasks/check_supported_distro.yaml +++ b/tests/end_to_end/roles/host_checker/tasks/check_supported_distro.yaml @@ -10,9 +10,9 @@ tasks_from: get_installation_type - fail: - msg: "{{ dist }} is not supported by this test: {{ manager_distros }}" + msg: "{{ dist }} is not supported by this test: {{ manager_distros }}\n" when: (os == 'Linux' and 'server' in wazuh_info.stdout and dist not in manager_distros) - fail: - msg: "{{ dist }} is not supported by this test: {{ agent_distros }}" + msg: "{{ dist }} is not supported by this test: {{ agent_distros }}\n" when: (os == 'Linux' and 'agent' in wazuh_info.stdout and dist not in agent_distros) diff --git a/tests/end_to_end/roles/host_checker/tasks/check_wazuh_components.yaml b/tests/end_to_end/roles/host_checker/tasks/check_wazuh_components.yaml new file mode 100644 index 0000000000..a6a69c3167 --- /dev/null +++ b/tests/end_to_end/roles/host_checker/tasks/check_wazuh_components.yaml 
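Review bot: Appending `\n` to the `fail:` messages in check_supported_distro.yaml changes nothing visible, since `fail` prints once and stops the play; the trailing newline only makes sense for the `errors` accumulator used by the other host_checker tasks. More importantly, both tasks stay gated on `os == 'Linux'`, while the new validation.yaml earlier in this commit calls this task file with `os: Windows` and `agent_distros: ['Windows']`, so the Windows agent's distribution is never checked at all; a third task with `when: (os == 'Windows' and dist not in agent_distros)` (or dropping the `os == 'Linux'` term from the agent check) would close that gap. In check_python.yaml the second task is still named "Check default Python version (Linux)" although its `when` is `os == "Windows"`.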
@@ -0,0 +1,32 @@ +# REQUIRED VARIABLES +# ------------------- +# (String) os: Target operating system + +- name: Get Wazuh installation + include_role: + name: service_controller + tasks_from: get_installation_type + +- name: Populate services facts + service_facts: + when: os == 'Linux' + +- name: Check the status of Wazuh components (Manager) + set_fact: + check_result: 'true' + errors: "{{ errors }}{{ ansible_facts.services[item] }} is not running.\n" + when: (os == 'Linux' and 'server' in wazuh_info.stdout and ansible_facts.services[item].state != 'running') + with_items: + - 'wazuh-manager.service' + - 'wazuh-indexer.service' + - 'filebeat.service' + +- set_fact: + service: 'wazuh-agent.service' + when: (os == 'Linux' and 'agent' in wazuh_info.stdout) + +- name: Check the status of Wazuh Agent + set_fact: + check_result: 'true' + errors: "{{ errors }}{{ ansible_facts.services[service].name }} is not running.\n" + when: (os == 'Linux' and 'agent' in wazuh_info.stdout and ansible_facts.services[service].state != 'running') diff --git a/tests/end_to_end/roles/host_checker/tasks/main.yaml b/tests/end_to_end/roles/host_checker/tasks/main.yaml index 4bb3e9ec30..71794d7eb4 100644 --- a/tests/end_to_end/roles/host_checker/tasks/main.yaml +++ b/tests/end_to_end/roles/host_checker/tasks/main.yaml 
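Review bot: In "Check the status of Wazuh components (Manager)" the `when` dereferences `ansible_facts.services[item].state` without first checking that `item` is a key of `ansible_facts.services`, so a manager host where one of the three units is not installed fails the task with an undefined-variable error instead of recording "is not running"; the `errors` line likewise renders the whole service dict rather than its name. Suggested change: `errors: "{{ errors }}{{ item }} is not running.\n"` and `when: (os == 'Linux' and 'server' in wazuh_info.stdout and (item not in ansible_facts.services or ansible_facts.services[item].state != 'running'))`. The same guard applies to the agent check below it, which reads `ansible_facts.services[service]`.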
@@ -1,30 +1,30 @@ # -------- Task to identify whether the validation step fails or not. -------- - name: Set flag and informative variable set_fact: - failed: false - errors: null + check_result: 'false' + errors: '' # ---------------------------------------------------------------------------- # -------- Checks ------------------------------------------------------------ -- name: Check host connection - include_tasks: check_connection.yaml - - name: Check Python import_tasks: check_python.yaml - name: Check OS import_tasks: check_os.yaml +- name: Check the status of Wazuh components + import_tasks: check_wazuh_components.yaml + - name: Check the connection between Filebeat and Wazuh Indexer import_tasks: check_filebeat_indexer.yaml - name: Check the connection between Controller node and Wazuh Indexer import_tasks: check_controller_indexer.yaml # ---------------------------------------------------------------------------- - +- debug: var=errors # -------- Task to identify whether the validation step fails or not. -------- - name: Verify if any check have failed fail: msg: "Some validations were fail:\n'{{ errors }}'" - when: failed == true + when: (check_result == 'true' or errors != '') # ---------------------------------------------------------------------------- From 59ba41eed0a969d3ceafeb3f4bdec34b4739de15 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Fri, 19 Aug 2022 08:39:42 -0300 Subject: [PATCH 406/552] docs(#3142): grammatical errors fixed. --- tests/end_to_end/conftest.py | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 3ff4ceab83..8fc5eb4b81 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py 
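Review bot: `check_result` is initialised and set with the quoted strings `'false'`/`'true'`, but `set_fact` in ansible-core (when jinja2 native mode is off) coerces the strings true/false/yes/no to booleans, so the final `when: (check_result == 'true' or errors != '')` may compare a boolean with a string and only the `errors != ''` half ever fires — hedged, as it depends on the ansible version in use. Using real booleans throughout (`check_result: false` / `check_result: true` in every task file, and `when: (check_result or errors != '')`) makes the flag unambiguous. Removing the `check_connection.yaml` step also drops the explicit "host is unreachable" message; a short comment stating that unreachable hosts are now expected to surface through Ansible's own unreachable handling would save the next reader from looking for it.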
@@ -24,9 +24,8 @@ def validate_environments(request): Step 2: Generate a playbook containing cross-checks for selected tests. Step 3: Run the generated playbook. Step 4: Generate a test-specific playbook to validate the environment required by that test, then execute that - playbook. This will run one validation for each selected test set. - To add specific validation tasks to a test its only necessary to add a new jinja2 template inside the - `playbooks` folder in the test suite. E.g: + playbook. This will run one validation for each selected test set. To add specific validation tasks to a + test,a new jinja2 template must be added inside the `playbooks` folder in the test suite. E.g: test_basic_cases/test_fim/test_fim_linux/data/playbooks/validation.j2 (See end_to_end/data/validation_templates for a guide to create the file) From b2f2689d016e70203d1039a22be376350269e394 Mon Sep 17 00:00:00 2001 
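Review bot: The rewritten docstring line still contains a typo: `test,a new jinja2 template must be added` lacks a space after the comma and should read `test, a new jinja2 template must be added`. validate_environments continues outside this hunk.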
From: Julia Date: Fri, 19 Aug 2022 14:09:59 +0200 Subject: [PATCH 407/552] fix(#3165): adapt tests to get manager ip --- .../wazuh_testing/end_to_end/__init__.py | 2 +- tests/end_to_end/conftest.py | 22 ++++++++++++++++++- .../data/playbooks/configuration.yaml | 2 +- .../data/playbooks/generate_events.yaml | 2 +- .../test_audit/data/playbooks/teardown.yaml | 2 +- .../test_basic_cases/test_audit/test_audit.py | 5 +++-- .../data/playbooks/configuration.yaml | 2 +- .../data/playbooks/generate_events.yaml | 2 +- .../data/playbooks/teardown.yaml | 2 +- .../test_aws_infrastructure_monitoring.py | 6 ++--- .../data/playbooks/generate_events.yaml | 4 ++-- .../test_brute_force_rdp.py | 4 ++-- .../data/playbooks/generate_events.yaml | 4 ++-- .../test_brute_force_ssh.py | 4 ++-- .../data/playbooks/configuration.yaml | 2 +- .../data/playbooks/generate_events.yaml | 2 +- .../data/playbooks/teardown.yaml | 2 +- .../test_detecting_suspicious_binaries.py | 6 ++--- .../data/playbooks/configuration.yaml | 2 +- .../data/playbooks/generate_events.yaml | 2 +- .../data/playbooks/teardown.yaml | 2 +- .../test_docker_monitoring.py | 4 ++-- .../data/playbooks/configuration.yaml | 2 +- .../data/playbooks/generate_events.yaml | 4 ++-- .../test_emotet/test_emotet.py | 6 +++-- .../data/playbooks/generate_events.yaml | 4 ++-- .../test_fim/test_fim_linux/test_fim_linux.py | 5 +++-- .../data/playbooks/generate_events.yaml | 4 ++-- .../test_fim_windows/test_fim_windows.py | 5 +++-- .../data/playbooks/configuration.yaml | 2 +- .../data/playbooks/generate_events.yaml | 4 ++-- .../data/playbooks/teardown.yaml | 2 +- .../test_ip_reputation/test_ip_reputation.py | 8 ++++--- .../data/playbooks/configuration.yaml | 2 +- .../data/playbooks/generate_events.yaml | 2 +- .../data/playbooks/teardown.yaml | 2 +- .../test_osquery_integration.py | 6 ++--- .../data/playbooks/configuration.yaml | 2 +- .../data/playbooks/generate_events.yaml | 2 +- .../data/playbooks/teardown.yaml | 2 +- 
.../test_shellshock_attack_detection.py | 6 ++--- .../data/playbooks/configuration.yaml | 2 +- .../data/playbooks/generate_events.yaml | 2 +- .../data/playbooks/teardown.yaml | 2 +- .../test_slack_integration.py | 4 ++-- .../data/playbooks/generate_events.yaml | 4 ++-- .../test_sql_injection/test_sql_injection.py | 5 +++-- .../data/playbooks/generate_events.yaml | 4 ++-- .../test_suricata_integration.py | 6 ++--- .../data/playbooks/configuration.yaml | 2 +- .../data/playbooks/generate_events.yaml | 4 ++-- .../data/playbooks/teardown.yaml | 2 +- .../test_unauthorized_processes_detection.py | 6 ++--- .../data/playbooks/configuration.yaml | 2 +- .../data/playbooks/generate_events.yaml | 2 +- .../data/playbooks/teardown.yaml | 2 +- .../test_virustotal_integration.py | 6 ++--- .../data/playbooks/configuration.yaml | 2 +- .../data/playbooks/generate_events.yaml | 4 ++-- .../test_vulnerability_detector_linux.py | 6 ++--- .../data/playbooks/configuration.yaml | 2 +- .../data/playbooks/generate_events.yaml | 4 ++-- .../test_vulnerability_detection_windows.py | 6 ++--- .../data/playbooks/configuration.yaml | 2 +- .../data/playbooks/generate_events.yaml | 4 ++-- .../test_windows_defender.py | 4 ++-- .../data/playbooks/configuration.yaml | 2 +- .../data/playbooks/generate_events.yaml | 2 +- .../data/playbooks/teardown.yaml | 2 +- .../test_yara_integration.py | 4 ++-- 70 files changed, 141 insertions(+), 113 deletions(-) diff --git a/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py b/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py index a1622b2979..2c53eb37a7 100644 --- a/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py +++ b/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py 
@@ -8,7 +8,7 @@ @retry(Exception, attempts=3, delay=5) -def get_alert_indexer_api(query, credentials, ip_address='wazuh-manager', index='wazuh-alerts-4.x-*'): +def get_alert_indexer_api(query, credentials, ip_address, index='wazuh-alerts-4.x-*'): """Get an alert from the wazuh-indexer API Make a request to the wazuh-indexer API to get the last indexed alert that matches the values passed in diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index c1d6fe70c5..4fa87950e1 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -38,7 +38,7 @@ def get_dashboard_credentials(request): raise ValueError('Inventory not specified') inventory = ansible_runner.get_inventory(action='host', inventories=inventory_playbook, response_format='json', - host='wazuh-manager') + host='managers') # Inventory is a tuple, with the second value empty, so we must access inventory[0] dashboard_credentials = {'user': inventory[0]['dashboard_user'], 'password': inventory[0]['dashboard_password']} @@ -116,6 +116,26 @@ def generate_events(request, metadata): ansible_runner.run(**parameters) +@pytest.fixture(scope='module') +def get_manager_ip(request): + """Get manager IP. + + Returns: + str: Manager IP. + """ + inventory_playbook = [request.config.getoption('--inventory_path')] + + if not inventory_playbook: + raise ValueError('Inventory not specified') + + inventory = ansible_runner.get_inventory(action='host', inventories=inventory_playbook, response_format='json', + host='managers') + + # Inventory is a tuple, with the second value empty, so we must access inventory[0] + manager_ip = inventory[0]['ansible_host'] + + yield manager_ip + def pytest_addoption(parser): parser.addoption( diff --git a/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/configuration.yaml index 916b90519c..2c7d81e2a3 100644 
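Review bot: In the new `get_manager_ip` fixture, `inventory_playbook = [request.config.getoption('--inventory_path')]` wraps the option in a one-element list, so `if not inventory_playbook:` is always false and the `ValueError('Inventory not specified')` can never be raised; a missing option then surfaces later as an opaque failure inside `ansible_runner.get_inventory`. Read the option first and wrap it afterwards: `inventory_path = request.config.getoption('--inventory_path')`, `if not inventory_path: raise ValueError('Inventory not specified')`, then pass `inventories=[inventory_path]`. The pre-existing `get_dashboard_credentials` fixture above has the same pattern, and since the fixture has no teardown, `return manager_ip` is the idiomatic form rather than `yield`.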
--- a/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/configuration.yaml @@ -1,6 +1,6 @@ --- - name: Configure manager environment - hosts: wazuh-manager + hosts: managers tasks: - name: Get euid diff --git a/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/generate_events.yaml index e692cd879b..4d9ef48cd8 100644 --- a/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/generate_events.yaml @@ -1,5 +1,5 @@ - name: Generate events - hosts: wazuh-manager + hosts: managers tasks: - name: Truncate file diff --git a/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/teardown.yaml index 00ad9a010b..8a07ede65c 100644 --- a/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/teardown.yaml @@ -1,6 +1,6 @@ --- - name: Cleanup manager environment - hosts: wazuh-manager + hosts: managers tasks: - name: Delete wazuh audit rules file diff --git a/tests/end_to_end/test_basic_cases/test_audit/test_audit.py b/tests/end_to_end/test_basic_cases/test_audit/test_audit.py index 60eb083ab2..0c74c28ba6 100644 --- a/tests/end_to_end/test_basic_cases/test_audit/test_audit.py +++ b/tests/end_to_end/test_basic_cases/test_audit/test_audit.py 
@@ -60,7 +60,8 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_audit(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): +def test_audit(configure_environment, metadata, get_dashboard_credentials, get_manager_ip, generate_events, + clean_alerts_index): ''' description: Check that an alert is generated and indexed when a command is executed. @@ -135,7 +136,7 @@ def test_audit(configure_environment, metadata, get_dashboard_credentials, gener ]) # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials, ip_address=get_manager_ip) indexed_alert = json.dumps(response.json()) # Check that the alert data is the expected one diff --git a/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml index e1e370d063..48c53bb35f 100644 --- a/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml @@ -1,5 +1,5 @@ - name: Configure manager environment - hosts: wazuh-manager + hosts: managers become: true tasks: diff --git a/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml index 9a174ad899..bee6e0dd21 100644 --- a/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml 
+++ b/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml @@ -1,5 +1,5 @@ - name: Generate events - hosts: wazuh-manager + hosts: managers vars: alerts_path: /var/ossec/logs/alerts/alerts.json become: true diff --git a/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/teardown.yaml index 554c28d91e..ce20cf7a3f 100644 --- a/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/teardown.yaml @@ -1,5 +1,5 @@ - name: Cleanup manager environment - hosts: wazuh-manager + hosts: managers become: true tasks: diff --git a/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py b/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py index 26b22a886e..2c750b876c 100644 --- a/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py +++ b/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py @@ -73,8 +73,8 @@ @pytest.mark.parametrize('metadata', metadata, ids=cases_ids) @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -def test_aws_infrastructure_monitoring(metadata, configure_environment, get_dashboard_credentials, generate_events, - clean_alerts_index): +def test_aws_infrastructure_monitoring(metadata, configure_environment, get_dashboard_credentials, get_manager_ip, + generate_events, clean_alerts_index): ''' description: Check that an alert is generated and indexed when an event obtained from AWS services matches a rule. 
@@ -148,7 +148,7 @@ def test_aws_infrastructure_monitoring(metadata, configure_environment, get_dash ]) # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials, ip_address=get_manager_ip) indexed_alert = json.dumps(response.json()) # Check that the alert data is the expected one diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml index 2b0b02dfc3..450c09a4e6 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml @@ -1,5 +1,5 @@ - name: Clean alerts file - hosts: wazuh-manager + hosts: managers tasks: - name: Truncate alert.json @@ -30,7 +30,7 @@ timeout: 5 - name: Get alerts file - hosts: wazuh-manager + hosts: managers tasks: - name: Get alerts.json diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py index c3ae01e848..923e82ced9 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py 
@@ -64,7 +64,7 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_brute_force_rdp(configure_environment, metadata, get_dashboard_credentials, generate_events, +def test_brute_force_rdp(configure_environment, metadata, get_dashboard_credentials, get_manager_ip, generate_events, clean_alerts_index): ''' description: Check that an alert is generated and indexed when a brute force attack is perfomed. @@ -135,7 +135,7 @@ def test_brute_force_rdp(configure_environment, metadata, get_dashboard_credenti ]) # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials, ip_address=get_manager_ip) indexed_alert = json.dumps(response.json()) # Check that the alert data is the expected one diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml index 099bf6aa0e..7f0d87d65d 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml @@ -1,5 +1,5 @@ - name: Clean alerts file - hosts: wazuh-manager + hosts: managers tasks: - name: Truncate alert.json @@ -37,7 +37,7 @@ timeout: 5 - name: Get alerts file - hosts: wazuh-manager + hosts: managers tasks: - name: Get alerts.json diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py index bb1836238e..dfa2bf5916 100644 
--- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py @@ -61,7 +61,7 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_brute_force_ssh(metadata, get_dashboard_credentials, generate_events, clean_alerts_index): +def test_brute_force_ssh(metadata, get_dashboard_credentials, get_manager_ip, generate_events, clean_alerts_index): ''' description: Check that an alert is generated and indexed when a brute force attack is perfomed. @@ -127,7 +127,7 @@ def test_brute_force_ssh(metadata, get_dashboard_credentials, generate_events, c ]) # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials, ip_address=get_manager_ip) indexed_alert = json.dumps(response.json()) # Check that the alert data is the expected one diff --git a/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/configuration.yaml index 5114a7297c..1651d8200e 100644 --- a/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/configuration.yaml @@ -1,5 +1,5 @@ - name: Configure manager environment - hosts: wazuh-manager + hosts: managers become: true tasks: 
diff --git a/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml index ede64103d2..3565ae14df 100644 --- a/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml @@ -1,5 +1,5 @@ - name: Generate events - hosts: wazuh-manager + hosts: managers become: true tasks: diff --git a/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/teardown.yaml index f41e620138..31392786a9 100644 --- a/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/teardown.yaml @@ -1,5 +1,5 @@ - name: Cleanup manager environment - hosts: wazuh-manager + hosts: managers become: true tasks: diff --git a/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py b/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py index dab4353cdd..e8fedddcb8 100644 --- a/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py +++ b/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py 
@@ -67,8 +67,8 @@ @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -def test_detecting_suspicious_binaries(configure_environment, metadata, get_dashboard_credentials, generate_events, - clean_alerts_index): +def test_detecting_suspicious_binaries(configure_environment, metadata, get_dashboard_credentials, get_manager_ip, + generate_events, clean_alerts_index): ''' description: Check that an alert is generated and indexed when there is a trojaned system binary. @@ -149,7 +149,7 @@ def test_detecting_suspicious_binaries(configure_environment, metadata, get_dash ]) # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials, ip_address=get_manager_ip) indexed_alert = json.dumps(response.json()) # Check that the alert data is the expected one diff --git a/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/configuration.yaml index b0f3c0c233..fed43bc7ea 100644 --- a/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/configuration.yaml @@ -1,5 +1,5 @@ - name: Configure manager environment - hosts: wazuh-manager + hosts: managers become: true tasks: diff --git a/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml index 1ecd32b352..6f99c71188 100644 --- a/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml 
+++ b/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml @@ -1,5 +1,5 @@ - name: Generate events - hosts: wazuh-manager + hosts: managers become: true tasks: diff --git a/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/teardown.yaml index f6ee38dbfa..2919e9981c 100644 --- a/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/teardown.yaml @@ -1,6 +1,6 @@ --- - name: Cleanup manager environment - hosts: wazuh-manager + hosts: managers become: True tasks: diff --git a/tests/end_to_end/test_basic_cases/test_docker_monitoring/test_docker_monitoring.py b/tests/end_to_end/test_basic_cases/test_docker_monitoring/test_docker_monitoring.py index f79fe5087f..977fb207e4 100644 --- a/tests/end_to_end/test_basic_cases/test_docker_monitoring/test_docker_monitoring.py +++ b/tests/end_to_end/test_basic_cases/test_docker_monitoring/test_docker_monitoring.py @@ -63,7 +63,7 @@ @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -def test_docker_monitoring(configure_environment, metadata, get_dashboard_credentials, generate_events, +def test_docker_monitoring(configure_environment, metadata, get_dashboard_credentials, get_manager_ip, generate_events, clean_alerts_index): ''' description: Check that an alert is generated for Docker events. 
@@ -144,7 +144,7 @@ def test_docker_monitoring(configure_environment, metadata, get_dashboard_creden ]) # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials, ip_address=get_manager_ip) indexed_alert = json.dumps(response.json()) # Check that the alert data is the expected one diff --git a/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/configuration.yaml index 8f27ed7c54..e835eceb29 100644 --- a/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/configuration.yaml @@ -74,7 +74,7 @@ net start wazuh - name: Configure manager environment - hosts: wazuh-manager + hosts: managers tasks: - name: Configure local rules diff --git a/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/generate_events.yaml index 25525573d1..0a07685d12 100644 --- a/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/generate_events.yaml @@ -1,5 +1,5 @@ - name: Clean alerts file - hosts: wazuh-manager + hosts: managers tasks: - name: Truncate file alert.json @@ -16,7 +16,7 @@ failed_when: '"with process ID" not in output.stderr' - name: Get alerts file - hosts: wazuh-manager + hosts: managers tasks: - name: Wait for alert diff --git a/tests/end_to_end/test_basic_cases/test_emotet/test_emotet.py b/tests/end_to_end/test_basic_cases/test_emotet/test_emotet.py index bafd9a6387..52ae8f0c4b 100644 --- a/tests/end_to_end/test_basic_cases/test_emotet/test_emotet.py +++ b/tests/end_to_end/test_basic_cases/test_emotet/test_emotet.py 
@@ -62,7 +62,8 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_emotet(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): +def test_emotet(configure_environment, metadata, get_dashboard_credentials, get_manager_ip, generate_events, + clean_alerts_index): ''' description: Check that an alert is generated when Emotet malware is executed. @@ -140,7 +141,8 @@ def test_emotet(configure_environment, metadata, get_dashboard_credentials, gene ]) # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials, + ip_address=get_manager_ip) indexed_alert = json.dumps(response.json()) # Check that the alert data is the expected one diff --git a/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/generate_events.yaml index ba6600d826..8b77b8826d 100644 --- a/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/generate_events.yaml @@ -1,5 +1,5 @@ - name: Clean alerts file - hosts: wazuh-manager + hosts: managers tasks: - name: Truncate file @@ -18,7 +18,7 @@ mode: "{{ mode }}" - name: Get alerts file - hosts: wazuh-manager + hosts: managers tasks: - name: Wait for alert to be generated diff --git a/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/test_fim_linux.py b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/test_fim_linux.py index 5b55513d86..ff2effd5ed 100644 --- a/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/test_fim_linux.py 
+++ b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/test_fim_linux.py @@ -60,7 +60,8 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_fim_linux(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): +def test_fim_linux(configure_environment, metadata, get_dashboard_credentials, get_manager_ip, generate_events, + clean_alerts_index): ''' description: Check that an alert is generated and indexed for FIM events. @@ -130,7 +131,7 @@ def test_fim_linux(configure_environment, metadata, get_dashboard_credentials, g ]) # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials, ip_address=get_manager_ip) indexed_alert = json.dumps(response.json()) # Check that the alert data is the expected one diff --git a/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/generate_events.yaml index 13f38e8aeb..7ea454276f 100644 --- a/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/generate_events.yaml @@ -1,5 +1,5 @@ - name: Clean alerts file - hosts: wazuh-manager + hosts: managers tasks: - name: Truncate file @@ -16,7 +16,7 @@ state: "{{ state }}" - name: Get alerts file - hosts: wazuh-manager + hosts: managers tasks: - name: Wait for alert to be generated diff --git a/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/test_fim_windows.py b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/test_fim_windows.py index f8a75fcfdb..de7fbc82c0 100644 
--- a/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/test_fim_windows.py +++ b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/test_fim_windows.py @@ -62,7 +62,8 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_fim_windows(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): +def test_fim_windows(configure_environment, metadata, get_dashboard_credentials, get_manager_ip, generate_events, + clean_alerts_index): ''' description: Check that an alert is generated and indexed for FIM events. @@ -132,7 +133,7 @@ def test_fim_windows(configure_environment, metadata, get_dashboard_credentials, ]) # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials, ip_address=get_manager_ip) indexed_alert = json.dumps(response.json()) # Check that the alert data is the expected one diff --git a/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/configuration.yaml index a4b4bb181c..c1ee7f6bad 100644 --- a/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/configuration.yaml @@ -1,5 +1,5 @@ - name: Configure manager environment - hosts: wazuh-manager + hosts: managers become: true tasks: diff --git a/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/generate_events.yaml index 607045187c..890fb9928c 100644 --- a/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/generate_events.yaml 
+++ b/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/generate_events.yaml @@ -1,5 +1,5 @@ - name: Clean alerts file - hosts: wazuh-manager + hosts: managers tasks: - name: Truncate file alert.json @@ -16,7 +16,7 @@ failed_when: "'Forbidden' not in result.stderr" - name: Get alerts file - hosts: wazuh-manager + hosts: managers tasks: - name: Waiting for alert diff --git a/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/teardown.yaml index c275949e50..8ce15bed84 100644 --- a/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/teardown.yaml @@ -1,5 +1,5 @@ - name: Cleanup manager environment - hosts: wazuh-manager + hosts: managers tasks: - name: Uninstall apache diff --git a/tests/end_to_end/test_basic_cases/test_ip_reputation/test_ip_reputation.py b/tests/end_to_end/test_basic_cases/test_ip_reputation/test_ip_reputation.py index d2fd6c5329..4eab5a8dab 100644 --- a/tests/end_to_end/test_basic_cases/test_ip_reputation/test_ip_reputation.py +++ b/tests/end_to_end/test_basic_cases/test_ip_reputation/test_ip_reputation.py @@ -62,7 +62,8 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_ip_reputation(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): +def test_ip_reputation(configure_environment, metadata, get_dashboard_credentials, get_manager_ip, generate_events, + clean_alerts_index): ''' description: Check that alerts are generated when accessing the web server with an ip with a bad reputation. 
@@ -140,9 +141,10 @@ def test_ip_reputation(configure_environment, metadata, get_dashboard_credential ]) # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials, + ip_address=get_manager_ip) indexed_alert = json.dumps(response.json()) # Check that the alert data is the expected one alert_data = re.search(expected_indexed_alert, indexed_alert) - assert alert_data is not None, 'Alert triggered, but not indexed' + assert alert_data is not None, f"Alert '{rule_description}' triggered, but not indexed" diff --git a/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/configuration.yaml index 6d47c392e1..8e3f238312 100644 --- a/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/configuration.yaml @@ -1,5 +1,5 @@ - name: Configure manager environment - hosts: wazuh-manager + hosts: managers become: true tasks: diff --git a/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/generate_events.yaml index 85ad397bf5..66d5ef93f2 100644 --- a/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/generate_events.yaml @@ -1,5 +1,5 @@ - name: Generate events - hosts: wazuh-manager + hosts: managers become: true tasks: 
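Review bot: The more informative failure message `f"Alert '{rule_description}' triggered, but not indexed"` is introduced only in test_ip_reputation; the sibling tests touched by this patch appear to keep the generic `'Alert triggered, but not indexed'` (their assert lines fall outside their hunks, so this is inferred from the unchanged hunk sizes). Applying the same f-string in the other tests would make a failing parametrised case identifiable from the message alone. `rule_description` is bound earlier in test_ip_reputation, outside this hunk, so its availability at the assert cannot be confirmed from here.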
diff --git a/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/teardown.yaml index 366c787132..cb6a49ea71 100644 --- a/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/teardown.yaml @@ -1,6 +1,6 @@ --- - name: Cleanup manager environment - hosts: wazuh-manager + hosts: managers become: True tasks: diff --git a/tests/end_to_end/test_basic_cases/test_osquery_integration/test_osquery_integration.py b/tests/end_to_end/test_basic_cases/test_osquery_integration/test_osquery_integration.py index 9b4e976b11..2bb866b7ff 100644 --- a/tests/end_to_end/test_basic_cases/test_osquery_integration/test_osquery_integration.py +++ b/tests/end_to_end/test_basic_cases/test_osquery_integration/test_osquery_integration.py @@ -62,8 +62,8 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_osquery_integration(configure_environment, metadata, get_dashboard_credentials, generate_events, - clean_alerts_index): +def test_osquery_integration(configure_environment, metadata, get_dashboard_credentials, get_manager_ip, + generate_events, clean_alerts_index): ''' description: Check that an alert is generated when the host is stressed. @@ -138,7 +138,7 @@ def test_osquery_integration(configure_environment, metadata, get_dashboard_cred ]) # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials, ip_address=get_manager_ip) indexed_alert = json.dumps(response.json()) # Check that the alert data is the expected one 
diff --git a/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/configuration.yaml index 3437ae2ab9..6107d3d415 100644 --- a/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/configuration.yaml @@ -1,5 +1,5 @@ - name: Configure manager environment - hosts: wazuh-manager + hosts: managers become: true tasks: diff --git a/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/generate_events.yaml index 94388a6066..9bb4048510 100644 --- a/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/generate_events.yaml @@ -1,5 +1,5 @@ - name: Generate events - hosts: wazuh-manager + hosts: managers become: true tasks: diff --git a/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/teardown.yaml index 41cc05337c..d4afcd1465 100644 --- a/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/teardown.yaml @@ -1,6 +1,6 @@ --- - name: Cleanup manager environment - hosts: wazuh-manager + hosts: managers become: True tasks: diff --git a/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/test_shellshock_attack_detection.py b/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/test_shellshock_attack_detection.py index f27d6f4c74..90061f74ec 100644 
--- a/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/test_shellshock_attack_detection.py +++ b/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/test_shellshock_attack_detection.py @@ -61,8 +61,8 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_shellshock_attack_detection(configure_environment, metadata, get_dashboard_credentials, generate_events, - clean_alerts_index): +def test_shellshock_attack_detection(configure_environment, metadata, get_dashboard_credentials, get_manager_ip, + generate_events, clean_alerts_index): ''' description: Check that an alert is generated when a shellshock attack is performed. @@ -136,7 +136,7 @@ def test_shellshock_attack_detection(configure_environment, metadata, get_dashbo ]) # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials, ip_address=get_manager_ip) indexed_alert = json.dumps(response.json()) # Check that the alert data is the expected one diff --git a/tests/end_to_end/test_basic_cases/test_slack_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_slack_integration/data/playbooks/configuration.yaml index 2a4fea6e68..d3090abaea 100644 --- a/tests/end_to_end/test_basic_cases/test_slack_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_slack_integration/data/playbooks/configuration.yaml @@ -1,5 +1,5 @@ - name: Configure manager environment - hosts: wazuh-manager + hosts: managers become: true vars: alerts_path: /var/ossec/logs/alerts/alerts.json 
diff --git a/tests/end_to_end/test_basic_cases/test_slack_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_slack_integration/data/playbooks/generate_events.yaml index c3b93e89d3..00fc96bd14 100644 --- a/tests/end_to_end/test_basic_cases/test_slack_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_slack_integration/data/playbooks/generate_events.yaml @@ -1,5 +1,5 @@ - name: Generate events - hosts: wazuh-manager + hosts: managers vars: alerts_path: /var/ossec/logs/alerts/alerts.json integrations_log: /var/ossec/logs/integrations.log diff --git a/tests/end_to_end/test_basic_cases/test_slack_integration/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_slack_integration/data/playbooks/teardown.yaml index 655f587545..0c1036099d 100644 --- a/tests/end_to_end/test_basic_cases/test_slack_integration/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_slack_integration/data/playbooks/teardown.yaml @@ -1,5 +1,5 @@ - name: Cleanup manager environment - hosts: wazuh-manager + hosts: managers become: true vars: conf_path: /var/ossec/etc/ossec.conf diff --git a/tests/end_to_end/test_basic_cases/test_slack_integration/test_slack_integration.py b/tests/end_to_end/test_basic_cases/test_slack_integration/test_slack_integration.py index e81220fcba..a406685881 100644 --- a/tests/end_to_end/test_basic_cases/test_slack_integration/test_slack_integration.py +++ b/tests/end_to_end/test_basic_cases/test_slack_integration/test_slack_integration.py 
@@ -82,7 +82,7 @@ def remove_slack_log(): @pytest.mark.parametrize('metadata', metadata, ids=cases_ids) @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -def test_slack_integration(metadata, configure_environment, get_dashboard_credentials, generate_events, +def test_slack_integration(metadata, configure_environment, get_dashboard_credentials, get_manager_ip, generate_events, remove_slack_log, clean_alerts_index): ''' description: Check that an alert is generated and sent to Slack. @@ -165,7 +165,7 @@ def test_slack_integration(metadata, configure_environment, get_dashboard_creden ]) # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials, ip_address=get_manager_ip) indexed_alert = json.dumps(response.json()) # Check that the alert data is the expected one diff --git a/tests/end_to_end/test_basic_cases/test_sql_injection/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_sql_injection/data/playbooks/generate_events.yaml index 95ddb3701d..1e7d4aecd5 100644 --- a/tests/end_to_end/test_basic_cases/test_sql_injection/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_sql_injection/data/playbooks/generate_events.yaml @@ -1,5 +1,5 @@ - name: Clean alerts file - hosts: wazuh-manager + hosts: managers tasks: - name: Truncate alert.json @@ -18,7 +18,7 @@ timeout: 5 - name: Get alerts file - hosts: wazuh-manager + hosts: managers tasks: - name: Get alerts.json diff --git a/tests/end_to_end/test_basic_cases/test_sql_injection/test_sql_injection.py b/tests/end_to_end/test_basic_cases/test_sql_injection/test_sql_injection.py index ed39c708b7..12117e8147 100644 --- a/tests/end_to_end/test_basic_cases/test_sql_injection/test_sql_injection.py 
+++ b/tests/end_to_end/test_basic_cases/test_sql_injection/test_sql_injection.py @@ -59,7 +59,8 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_sql_injection(configure_environment, metadata, get_dashboard_credentials, generate_events, clean_alerts_index): +def test_sql_injection(configure_environment, metadata, get_dashboard_credentials, get_manager_ip, generate_events, + clean_alerts_index): ''' description: Check that an alert is generated when a SQL injection attack is performed. @@ -130,7 +131,7 @@ def test_sql_injection(configure_environment, metadata, get_dashboard_credential ]) # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials, ip_address=get_manager_ip) indexed_alert = json.dumps(response.json()) # Check that the alert data is the expected one diff --git a/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml index 8c559d0cdf..babf2a8bf8 100644 --- a/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml @@ -1,5 +1,5 @@ - name: Clean alerts file - hosts: wazuh-manager + hosts: managers become: true vars: alerts_path: /var/ossec/logs/alerts/alerts.json @@ -17,7 +17,7 @@ shell: curl http://testmynids.org/uid/index.html - name: Get alerts file - hosts: wazuh-manager + hosts: managers become: true vars: alerts_path: /var/ossec/logs/alerts/alerts.json 
diff --git a/tests/end_to_end/test_basic_cases/test_suricata_integration/test_suricata_integration.py b/tests/end_to_end/test_basic_cases/test_suricata_integration/test_suricata_integration.py index 2f6835a71f..90f2d17af4 100644 --- a/tests/end_to_end/test_basic_cases/test_suricata_integration/test_suricata_integration.py +++ b/tests/end_to_end/test_basic_cases/test_suricata_integration/test_suricata_integration.py @@ -64,8 +64,8 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_suricata_integration(configure_environment, metadata, get_dashboard_credentials, generate_events, - clean_alerts_index): +def test_suricata_integration(configure_environment, metadata, get_dashboard_credentials, get_manager_ip, + generate_events, clean_alerts_index): ''' description: Check that an alert is generated when a specific web request is executed. @@ -139,7 +139,7 @@ def test_suricata_integration(configure_environment, metadata, get_dashboard_cre ]) # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials, ip_address=get_manager_ip) indexed_alert = json.dumps(response.json()) # Check that the alert data is the expected one diff --git a/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/configuration.yaml index e8e4ed0c22..95b77ea956 100644 --- a/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/configuration.yaml 
@@ -31,7 +31,7 @@ when: ansible_facts['distribution'] == "Ubuntu" - name: Configure manager environment - hosts: wazuh-manager + hosts: managers tasks: - name: Configure local rules diff --git a/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/generate_events.yaml index bcc12958e7..42bd4bb28b 100644 --- a/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/generate_events.yaml @@ -1,5 +1,5 @@ - name: Clean alerts file - hosts: wazuh-manager + hosts: managers tasks: - name: Truncate file alert.json @@ -24,7 +24,7 @@ command: pkill -fx 'nc -l 8000' - name: Get alerts file - hosts: wazuh-manager + hosts: managers tasks: - name: Get alerts.json diff --git a/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/teardown.yaml index f6dd34747c..5421fd5d4a 100644 --- a/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/teardown.yaml @@ -16,7 +16,7 @@ name: wazuh-agent - name: Cleanup manager environment - hosts: wazuh-manager + hosts: managers become: True tasks: diff --git a/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/test_unauthorized_processes_detection.py b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/test_unauthorized_processes_detection.py index 6efb8a713a..ebce27042d 100644 --- a/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/test_unauthorized_processes_detection.py 
+++ b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/test_unauthorized_processes_detection.py @@ -62,8 +62,8 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_unauthorized_processes_detection(configure_environment, metadata, get_dashboard_credentials, generate_events, - clean_alerts_index): +def test_unauthorized_processes_detection(configure_environment, metadata, get_dashboard_credentials, get_manager_ip, + generate_events, clean_alerts_index): ''' description: Check that an alert is generated if an unauthorized process is running. @@ -132,7 +132,7 @@ def test_unauthorized_processes_detection(configure_environment, metadata, get_d ]) # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials, ip_address=get_manager_ip) indexed_alert = json.dumps(response.json()) # Check that the alert data is the expected one diff --git a/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/configuration.yaml index 82b7d2be9d..5974213ec5 100644 --- a/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/configuration.yaml @@ -1,5 +1,5 @@ - name: Configure manager environment - hosts: wazuh-manager + hosts: managers become: true tasks: diff --git a/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/generate_events.yaml index ed28ef7d0c..182a5d7b1b 100644 
--- a/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/generate_events.yaml @@ -11,7 +11,7 @@ timeout: 5 - name: Get alerts file - hosts: wazuh-manager + hosts: managers tasks: - name: Get alerts.json diff --git a/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/teardown.yaml index fbe68a4414..9eefe9b765 100644 --- a/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/teardown.yaml @@ -1,6 +1,6 @@ --- - name: Cleanup manager environment - hosts: wazuh-manager + hosts: managers become: True tasks: diff --git a/tests/end_to_end/test_basic_cases/test_virustotal_integration/test_virustotal_integration.py b/tests/end_to_end/test_basic_cases/test_virustotal_integration/test_virustotal_integration.py index f9fb6ffe0a..d4e3d03fdf 100644 --- a/tests/end_to_end/test_basic_cases/test_virustotal_integration/test_virustotal_integration.py +++ b/tests/end_to_end/test_basic_cases/test_virustotal_integration/test_virustotal_integration.py @@ -68,8 +68,8 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_virustotal_integration(configure_environment, metadata, get_dashboard_credentials, generate_events, - clean_alerts_index): +def test_virustotal_integration(configure_environment, metadata, get_dashboard_credentials, get_manager_ip, + generate_events, clean_alerts_index): ''' description: Check that an alert is generated and the active response executed if the file is malicious. 
@@ -137,7 +137,7 @@ def test_virustotal_integration(configure_environment, metadata, get_dashboard_c ]) # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials, ip_address=get_manager_ip) indexed_alert = json.dumps(response.json()) # Check that the alert data is the expected one diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/configuration.yaml index b8c0f18c8c..0a6213eb39 100644 --- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/configuration.yaml @@ -21,7 +21,7 @@ shell: systemctl restart wazuh-agent - name: Configure manager environment - hosts: wazuh-manager + hosts: managers tasks: - name: Truncate ossec.log diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml index 7e62e52eed..baa5825f8d 100644 --- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml @@ -1,5 +1,5 @@ - name: Clean alerts file - hosts: wazuh-manager + hosts: managers tasks: - name: Truncate file alert.json 
@@ -15,7 +15,7 @@ shell: "{{ shell }}" - name: Get alerts file - hosts: wazuh-manager + hosts: managers tasks: - name: Waiting for vulnerability scan, alert reporting and indexing diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py index a942379e04..0285b9950a 100644 --- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py +++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py @@ -66,8 +66,8 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_vulnerability_detector_linux(configure_environment, metadata, get_dashboard_credentials, generate_events, - clean_alerts_index): +def test_vulnerability_detector_linux(configure_environment, metadata, get_dashboard_credentials, get_manager_ip, + generate_events, clean_alerts_index): ''' description: Check that an alert is generated and indexed when a vulnerable package is present. @@ -137,7 +137,7 @@ def test_vulnerability_detector_linux(configure_environment, metadata, get_dashb ]) # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials, ip_address=get_manager_ip) indexed_alert = json.dumps(response.json()) # Check that the alert data is the expected one 
diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/configuration.yaml index 9f49fcf915..14ee240a75 100644 --- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/configuration.yaml @@ -31,7 +31,7 @@ net start wazuh - name: Configure manager environment - hosts: wazuh-manager + hosts: managers tasks: - name: Truncate file ossec.log diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/generate_events.yaml index 3d66b7561e..74422c754a 100644 --- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/generate_events.yaml @@ -1,5 +1,5 @@ - name: Clean alerts file - hosts: wazuh-manager + hosts: managers tasks: - name: Truncate file alert.json @@ -14,7 +14,7 @@ ansible.windows.win_shell: "{{ command }}" - name: Get alerts file - hosts: wazuh-manager + hosts: managers tasks: - name: Waiting for vulnerability scan, alert reporting and indexing diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py index 8834e11514..4cd11c7076 100644 
--- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py +++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py @@ -67,8 +67,8 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_vulnerability_detector_windows(configure_environment, metadata, get_dashboard_credentials, generate_events, - clean_alerts_index): +def test_vulnerability_detector_windows(configure_environment, metadata, get_dashboard_credentials, get_manager_ip, + generate_events, clean_alerts_index): ''' description: Check that an alert is generated and indexed when a vulnerable package is present. @@ -138,7 +138,7 @@ def test_vulnerability_detector_windows(configure_environment, metadata, get_das ]) # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials, ip_address=get_manager_ip) indexed_alert = json.dumps(response.json()) # Check that the alert data is the expected one diff --git a/tests/end_to_end/test_basic_cases/test_windows_defender/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_windows_defender/data/playbooks/configuration.yaml index caca6674e9..cd31920ee6 100644 --- a/tests/end_to_end/test_basic_cases/test_windows_defender/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_windows_defender/data/playbooks/configuration.yaml @@ -29,7 +29,7 @@ net start wazuh - name: Configure manager environment - hosts: wazuh-manager + hosts: managers tasks: - name: Configure local rules 
diff --git a/tests/end_to_end/test_basic_cases/test_windows_defender/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_windows_defender/data/playbooks/generate_events.yaml index a0cd3814c9..f7df755e3f 100644 --- a/tests/end_to_end/test_basic_cases/test_windows_defender/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_windows_defender/data/playbooks/generate_events.yaml @@ -1,5 +1,5 @@ - name: Clean alerts file - hosts: wazuh-manager + hosts: managers tasks: - name: Truncate file alert.json @@ -14,7 +14,7 @@ ansible.windows.win_shell: "{{ command }}" - name: Get alerts file - hosts: wazuh-manager + hosts: managers tasks: - name: Waiting for alert diff --git a/tests/end_to_end/test_basic_cases/test_windows_defender/test_windows_defender.py b/tests/end_to_end/test_basic_cases/test_windows_defender/test_windows_defender.py index bc344c004c..584d58e5bb 100644 --- a/tests/end_to_end/test_basic_cases/test_windows_defender/test_windows_defender.py +++ b/tests/end_to_end/test_basic_cases/test_windows_defender/test_windows_defender.py @@ -61,7 +61,7 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_windows_defender(configure_environment, metadata, get_dashboard_credentials, generate_events, +def test_windows_defender(configure_environment, metadata, get_dashboard_credentials, get_manager_ip, generate_events, clean_alerts_index): ''' description: Check that an alert is generated for Windows Defender logs. 
@@ -132,7 +132,7 @@ def test_windows_defender(configure_environment, metadata, get_dashboard_credent ]) # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials, ip_address=get_manager_ip) indexed_alert = json.dumps(response.json()) # Check that the alert data is the expected one diff --git a/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/configuration.yaml index 53f5686661..53979ca86c 100644 --- a/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/configuration.yaml @@ -1,5 +1,5 @@ - name: Configure manager environment - hosts: wazuh-manager + hosts: managers become: true tasks: diff --git a/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/generate_events.yaml index 50119374dd..98bc141632 100644 --- a/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/generate_events.yaml @@ -1,5 +1,5 @@ - name: Generate events - hosts: wazuh-manager + hosts: managers vars: alerts_path: /var/ossec/logs/alerts/alerts.json become: true diff --git a/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/teardown.yaml index 6c926d79dd..9fadf8faa5 100644 --- a/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/teardown.yaml 
@@ -1,5 +1,5 @@ - name: Cleanup manager environment - hosts: wazuh-manager + hosts: managers become: true tasks: diff --git a/tests/end_to_end/test_basic_cases/test_yara_integration/test_yara_integration.py b/tests/end_to_end/test_basic_cases/test_yara_integration/test_yara_integration.py index 7bb545b2fa..0618c63c90 100644 --- a/tests/end_to_end/test_basic_cases/test_yara_integration/test_yara_integration.py +++ b/tests/end_to_end/test_basic_cases/test_yara_integration/test_yara_integration.py @@ -69,7 +69,7 @@ @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -def test_yara_integration(configure_environment, metadata, get_dashboard_credentials, generate_events, +def test_yara_integration(configure_environment, metadata, get_dashboard_credentials, get_manager_ip, generate_events, clean_alerts_index): ''' description: Check that an alert is generated when malware is downloaded. @@ -150,7 +150,7 @@ def test_yara_integration(configure_environment, metadata, get_dashboard_credent ]) # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials) + response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials, ip_address=get_manager_ip) indexed_alert = json.dumps(response.json()) # Check that the alert data is the expected one From e365c7734c37b0a2049f8dcfa833950866aee179 Mon Sep 17 00:00:00 2001 
From: Julia Date: Fri, 19 Aug 2022 14:34:50 +0200 Subject: [PATCH 408/552] fix(#3165): fix timestamp regex --- .../end_to_end/test_basic_cases/test_audit/test_audit.py | 5 +++-- .../test_brute_force_rdp/test_brute_force_rdp.py | 4 ++-- .../test_brute_force_ssh/test_brute_force_ssh.py | 4 ++-- .../test_docker_monitoring/test_docker_monitoring.py | 8 ++++---- .../test_basic_cases/test_emotet/test_emotet.py | 5 +++-- .../test_fim/test_fim_linux/test_fim_linux.py | 5 +++-- .../test_fim/test_fim_windows/test_fim_windows.py | 5 +++-- .../test_ip_reputation/test_ip_reputation.py | 5 +++-- .../test_osquery_integration/test_osquery_integration.py | 7 ++++--- .../test_shellshock_attack_detection.py | 8 ++++---- .../test_sql_injection/test_sql_injection.py | 5 +++-- .../test_suricata_integration.py | 6 +++--- .../test_unauthorized_processes_detection.py | 5 +++-- .../test_virustotal_integration.py | 5 +++-- .../test_vulnerability_detector_linux.py | 5 +++-- .../test_vulnerability_detection_windows.py | 5 +++-- .../test_windows_defender/test_windows_defender.py | 5 +++-- 17 files changed, 52 insertions(+), 40 deletions(-) diff --git a/tests/end_to_end/test_basic_cases/test_audit/test_audit.py b/tests/end_to_end/test_basic_cases/test_audit/test_audit.py index 0c74c28ba6..9344f2f41e 100644 --- a/tests/end_to_end/test_basic_cases/test_audit/test_audit.py +++ b/tests/end_to_end/test_basic_cases/test_audit/test_audit.py 
@@ -105,12 +105,13 @@ def test_audit(configure_environment, metadata, get_dashboard_credentials, get_m
 rule_id = metadata['rule.id']
 a3 = metadata['extra']['a3']
 data_audit_command = metadata['extra']['data.audit.command']
+ timestamp_regex = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[\+|-]\d+'
- expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{level},' \
+ expected_alert_json = fr'\{{"timestamp":"({timestamp_regex})","rule"\:{{"level"\:{level},' \
 fr'"description"\:"{description}","id"\:"{rule_id}".*a3={a3}.*\}}'
 expected_indexed_alert = fr'.*"rule":.*"level": {level}, "description": "{description}".*"id": "{rule_id}".*' \
 fr'comm=\\"{data_audit_command}\\".*a3={a3}.*' \
- r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*'
+ fr'"timestamp": "({timestamp_regex})".*'
 # Check that alert has been raised and save timestamp
 raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json,
diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py
index 923e82ced9..ae627ccd8a 100644
--- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py
+++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py
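Review bot: The `[\+|-]` in the added `timestamp_regex` is a character class, so the `|` is a literal pipe rather than an alternation and the class also accepts `|` as the offset sign; the intended form is `[+-]` (the `\+` escape is redundant inside a class as well), i.e. `timestamp_regex = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[+-]\d+'`. The same literal is pasted into every file of this patch and has already drifted — `[\+|-]` here and in the docker-monitoring and SQL-injection hunks, `[+|-]` in the rest, and `\d{4}-` only in the Suricata hunk — so one shared constant in the `e2e` helper module these tests already import would be safer than per-test copies. test_audit's body starts before the hunk and continues after it.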
@@ -108,9 +108,9 @@ def test_brute_force_rdp(configure_environment, metadata, get_dashboard_credenti
 rule_level = metadata['rule.level']
 rule_description = metadata['rule.description']
 rule_mitre_technique = metadata['extra']['mitre_technique']
- timestamp = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+'
+ timestamp_regex = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+'
- expected_alert_json = fr'\{{"timestamp":"({timestamp})","rule"\:{{"level"\:{rule_level},' \
+ expected_alert_json = fr'\{{"timestamp":"({timestamp_regex})","rule"\:{{"level"\:{rule_level},' \
 fr'"description"\:"{rule_description}","id"\:"{rule_id}".*'
 expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \
diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py
index dfa2bf5916..1c93269d78 100644
--- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py
+++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py
@@ -100,9 +100,9 @@ def test_brute_force_ssh(metadata, get_dashboard_credentials, get_manager_ip, ge
 rule_level = metadata['rule.level']
 rule_description = metadata['rule.description']
 rule_mitre_technique = metadata['extra']['mitre_technique']
- timestamp = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+'
+ timestamp_regex = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+'
- expected_alert_json = fr'\{{"timestamp":"({timestamp})","rule"\:{{"level"\:{rule_level},' \
+ expected_alert_json = fr'\{{"timestamp":"({timestamp_regex})","rule"\:{{"level"\:{rule_level},' \
 fr'"description"\:"{rule_description}","id"\:"{rule_id}".*'
 expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \
diff --git a/tests/end_to_end/test_basic_cases/test_docker_monitoring/test_docker_monitoring.py b/tests/end_to_end/test_basic_cases/test_docker_monitoring/test_docker_monitoring.py
index 977fb207e4..4514c71608 100644
--- a/tests/end_to_end/test_basic_cases/test_docker_monitoring/test_docker_monitoring.py
+++ b/tests/end_to_end/test_basic_cases/test_docker_monitoring/test_docker_monitoring.py
@@ -107,13 +107,13 @@ def test_docker_monitoring(configure_environment, metadata, get_dashboard_creden
 rule_id = metadata['rule.id']
 rule_level = metadata['rule.level']
 docker_action = metadata['extra']['data.docker.Action']
+ timestamp_regex = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[\+|-]\d+'
- expected_alert_json = fr".+timestamp\":\"(.+)\",.+level.+{rule_level}.+description.+{rule_description}.+" \
- fr"id.+{rule_id}.+Action.+{docker_action}.+"
+ expected_alert_json = fr".+timestamp\":\"({timestamp_regex})\",.+level.+{rule_level}.+description.+" \
+ fr"{rule_description}.+id.+{rule_id}.+Action.+{docker_action}.+"
 expected_indexed_alert = fr".+Action.+{docker_action}.+level.+{rule_level}.+description.+{rule_description}.+" \
- fr"id.+{rule_id}.+timestamp\": \"(.+)\"" \
- r'},.+'
+ fr"id.+{rule_id}.+timestamp\": \"({timestamp_regex})\".+"
 # Check that alert has been raised and save timestamp
 raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json,
diff --git a/tests/end_to_end/test_basic_cases/test_emotet/test_emotet.py b/tests/end_to_end/test_basic_cases/test_emotet/test_emotet.py
index 52ae8f0c4b..53efeb5967 100644
--- a/tests/end_to_end/test_basic_cases/test_emotet/test_emotet.py
+++ b/tests/end_to_end/test_basic_cases/test_emotet/test_emotet.py
@@ -111,15 +111,16 @@ def test_emotet(configure_environment, metadata, get_dashboard_credentials, get_
 rule_id = alert['rule.id']
 rule_description = alert['rule.description']
 rule_groups = alert['extra']['groups']
+ timestamp_regex = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+'
- expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)",' \
+ expected_alert_json = fr'\{{"timestamp":"({timestamp_regex})",' \
 fr'"rule"\:{{"level"\:{rule_level},' \
 fr'"description"\:"{rule_description}","id"\:"{rule_id}".*' \
 fr'"groups"\:\["{rule_groups}"\].*\}}'
 expected_indexed_alert = fr'.*"rule":.*"level": {rule_level}, "description": "{rule_description}".*'\
 fr'"groups": \["{rule_groups}"\].*"id": "{rule_id}".*' \
- r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*'
+ fr'"timestamp": "({timestamp_regex})".*'
 # Check that alert has been raised and save timestamp
 raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json,
diff --git a/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/test_fim_linux.py b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/test_fim_linux.py
index ff2effd5ed..2c1eab628e 100644
--- a/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/test_fim_linux.py
+++ b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/test_fim_linux.py
@@ -104,13 +104,14 @@ def test_fim_linux(configure_environment, metadata, get_dashboard_credentials, g
 rule_level = metadata['rule.level']
 rule_description = metadata['rule.description']
 syscheck_path = metadata['extra']['syscheck.path']
+ timestamp_regex = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+'
- expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule":{{"level":{rule_level},' \
+ expected_alert_json = fr'\{{"timestamp":"({timestamp_regex})","rule":{{"level":{rule_level},' \
 fr'"description":"{rule_description}","id":"{rule_id}".*"syscheck":{{"path":' \
 fr'"{syscheck_path}".*\}}'
 expected_indexed_alert = fr'.*"path": "{syscheck_path}".*"rule":.*"level": {rule_level},.*"description": ' \
- fr'"{rule_description}".*"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*'
+ fr'"{rule_description}".*"timestamp": "({timestamp_regex})".*'
 # Check that alert has been raised and save timestamp
 raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json,
diff --git a/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/test_fim_windows.py b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/test_fim_windows.py
index de7fbc82c0..127e103a25 100644
--- a/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/test_fim_windows.py
+++ b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/test_fim_windows.py
@@ -106,13 +106,14 @@ def test_fim_windows(configure_environment, metadata, get_dashboard_credentials,
 rule_level = metadata['rule.level']
 rule_description = metadata['rule.description']
 syscheck_path = metadata['extra']['syscheck.path']
+ timestamp_regex = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+'
- expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule":{{"level":{rule_level},' \
+ expected_alert_json = fr'\{{"timestamp":"({timestamp_regex})","rule":{{"level":{rule_level},' \
 fr'"description":"{rule_description}","id":"{rule_id}".*"syscheck":{{"path":' \
 fr'"{syscheck_path}".*\}}'
 expected_indexed_alert = fr'.*"path": "{syscheck_path}".*"rule":.*"level": {rule_level},.*"description": ' \
- fr'"{rule_description}".*"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*'
+ fr'"{rule_description}".*"timestamp": "({timestamp_regex})".*'
 # Check that alert has been raised and save timestamp
 raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json,
diff --git a/tests/end_to_end/test_basic_cases/test_ip_reputation/test_ip_reputation.py b/tests/end_to_end/test_basic_cases/test_ip_reputation/test_ip_reputation.py
index 4eab5a8dab..fced37c566 100644
--- a/tests/end_to_end/test_basic_cases/test_ip_reputation/test_ip_reputation.py
+++ b/tests/end_to_end/test_basic_cases/test_ip_reputation/test_ip_reputation.py
@@ -105,20 +105,21 @@ def test_ip_reputation(configure_environment, metadata, get_dashboard_credential
 malicious_ip_alert = metadata['malicious_ip']
 active_response_alert = metadata['active_response']
 expected_alerts = [malicious_ip_alert, active_response_alert]
+ timestamp_regex = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+'
 for alert in expected_alerts:
 rule_level = alert['rule.level']
 rule_id = alert['rule.id']
 rule_description = alert['rule.description']
- expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)",' \
+ expected_alert_json = fr'\{{"timestamp":"({timestamp_regex})",' \
 fr'"rule"\:{{"level"\:{rule_level},' \
 fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}'
 expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},' \
 fr'.*"description": "{rule_description}"' \
 fr'.*"id": "{rule_id}".*'\
- r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*'
+ fr'"timestamp": "({timestamp_regex})".*'
 # Check that alert has been raised and save timestamp
 raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json,
diff --git a/tests/end_to_end/test_basic_cases/test_osquery_integration/test_osquery_integration.py b/tests/end_to_end/test_basic_cases/test_osquery_integration/test_osquery_integration.py
index 2bb866b7ff..68a3e62cbb 100644
--- a/tests/end_to_end/test_basic_cases/test_osquery_integration/test_osquery_integration.py
+++ b/tests/end_to_end/test_basic_cases/test_osquery_integration/test_osquery_integration.py
@@ -106,13 +106,14 @@ def test_osquery_integration(configure_environment, metadata, get_dashboard_cred
 rule_description = metadata['rule.description']
 rule_id = metadata['rule.id']
 osquery_name = metadata['extra']['data.osquery.name']
+ timestamp_regex = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+'
- expected_alert_json = fr".+timestamp\":\"(.+)\",.+level\":{rule_level},\"description\":\"{rule_description}\"," \
- fr"\"id\":\"{rule_id}\".+osquery\":.+\"name\":\"{osquery_name}\""
+ expected_alert_json = fr".+timestamp\":\"({timestamp_regex})\",.+level\":{rule_level},\"description\":" \
+ fr"\"{rule_description}\",\"id\":\"{rule_id}\".+osquery\":.+\"name\":\"{osquery_name}\""
 expected_indexed_alert = fr".+osquery\":.+\"name\": \"{osquery_name}\".+level\": {rule_level}, " \
 fr"\"description\": \"{rule_description}\".+\"id\": \"{rule_id}\"" \
- r'.+timestamp\": \"(.+)\"},.+'
+ fr'.+timestamp\": \"({timestamp_regex})\".+'
 # Check that alert has been raised and save timestamp
 raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json,
diff --git a/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/test_shellshock_attack_detection.py b/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/test_shellshock_attack_detection.py
index 90061f74ec..8b1ef6d451 100644
--- a/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/test_shellshock_attack_detection.py
+++ b/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/test_shellshock_attack_detection.py
@@ -104,13 +104,13 @@ def test_shellshock_attack_detection(configure_environment, metadata, get_dashbo
 rule_level = metadata['rule.level']
 rule_description = metadata['rule.description']
 rule_id = metadata['rule.id']
+ timestamp_regex = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+'
- expected_alert_json = fr".+timestamp\":\"(.+)\",.+level\":{rule_level},\"description\":\"{rule_description}\"," \
- fr"\"id\":\"{rule_id}\""
+ expected_alert_json = fr".+timestamp\":\"({timestamp_regex})\",.+level\":{rule_level},\"description\":" \
+ fr"\"{rule_description}\",\"id\":\"{rule_id}\""
 expected_indexed_alert = fr".+level\": {rule_level}.+\"description\": \"{rule_description}\"" \
- fr".+\"id\": \"{rule_id}\".+timestamp\": \"(.+)\"" \
- r'},.+'
+ fr".+\"id\": \"{rule_id}\".+timestamp\": \"({timestamp_regex})\".+"
 # Check that alert has been raised and save timestamp
 raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json,
diff --git a/tests/end_to_end/test_basic_cases/test_sql_injection/test_sql_injection.py b/tests/end_to_end/test_basic_cases/test_sql_injection/test_sql_injection.py
index 12117e8147..0118e4d778 100644
--- a/tests/end_to_end/test_basic_cases/test_sql_injection/test_sql_injection.py
+++ b/tests/end_to_end/test_basic_cases/test_sql_injection/test_sql_injection.py
@@ -103,13 +103,14 @@ def test_sql_injection(configure_environment, metadata, get_dashboard_credential
 rule_level = metadata['rule.level']
 rule_description = metadata['rule.description']
 rule_mitre_technique = metadata['extra']['mitre_technique']
+ timestamp_regex = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[\+|-]\d+'
- expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{rule_level},' \
+ expected_alert_json = fr'\{{"timestamp":"({timestamp_regex})","rule"\:{{"level"\:{rule_level},' \
 fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}'
 expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \
 fr'.*"mitre":.*"{rule_mitre_technique}".*"id": "{rule_id}".*'\
- r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*'
+ fr'"timestamp": "({timestamp_regex})".*'
 # Check that alert has been raised and save timestamp
 raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json,
diff --git a/tests/end_to_end/test_basic_cases/test_suricata_integration/test_suricata_integration.py b/tests/end_to_end/test_basic_cases/test_suricata_integration/test_suricata_integration.py
index 90f2d17af4..f71937725c 100644
--- a/tests/end_to_end/test_basic_cases/test_suricata_integration/test_suricata_integration.py
+++ b/tests/end_to_end/test_basic_cases/test_suricata_integration/test_suricata_integration.py
@@ -108,10 +108,10 @@ def test_suricata_integration(configure_environment, metadata, get_dashboard_cre
 rule_description = metadata['rule.description']
 rule_id = metadata['rule.id']
 data_hostname = metadata['extra']['data.hostname']
- timestamp = r'\d{4}-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+'
+ timestamp_regex = r'\d{4}-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+'
- expected_alert_json = fr".*timestamp.+({timestamp}).+level.+{rule_level}.+description.+{rule_description}.+id.+" \
- fr"{rule_id}.+hostname.+{data_hostname}"
+ expected_alert_json = fr".*timestamp.+({timestamp_regex}).+level.+{rule_level}.+description.+{rule_description}.+" \
+ fr"id.+{rule_id}.+hostname.+{data_hostname}"
 expected_indexed_alert = fr".*hostname.*{data_hostname}.+level.+{rule_level}.+description.+" \
 fr"{rule_description}.+id.+{rule_id}"
diff --git a/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/test_unauthorized_processes_detection.py b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/test_unauthorized_processes_detection.py
index ebce27042d..db164ea93d 100644
--- a/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/test_unauthorized_processes_detection.py
+++ b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/test_unauthorized_processes_detection.py
@@ -105,13 +105,14 @@ def test_unauthorized_processes_detection(configure_environment, metadata, get_d
 rule_level = metadata['rule.level']
 rule_description = metadata['rule.description']
 rule_id = metadata['rule.id']
+ timestamp_regex = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+'
- expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{rule_level},' \
+ expected_alert_json = fr'\{{"timestamp":"({timestamp_regex}+)","rule"\:{{"level"\:{rule_level},' \
 fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}'
 expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \
 fr'.*"id": "{rule_id}".*' \
- r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*'
+ fr'"timestamp": "({timestamp_regex})".*'
 # Check that alert has been raised and save timestamp
 raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json,
diff --git a/tests/end_to_end/test_basic_cases/test_virustotal_integration/test_virustotal_integration.py b/tests/end_to_end/test_basic_cases/test_virustotal_integration/test_virustotal_integration.py
index d4e3d03fdf..2f8bd0ecb7 100644
--- a/tests/end_to_end/test_basic_cases/test_virustotal_integration/test_virustotal_integration.py
+++ b/tests/end_to_end/test_basic_cases/test_virustotal_integration/test_virustotal_integration.py
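Review bot: The rewritten `expected_alert_json` line carries a stray `+` after the placeholder, `({timestamp_regex}+)`, so the compiled pattern ends in `\d++`: on Python before 3.11 `re` rejects that as a multiple repeat, and on 3.11+ it is silently parsed as a possessive quantifier, so the check either errors or behaves differently from the second substitution in this hunk and from every other file in the patch. The line should read `expected_alert_json = fr'\{{"timestamp":"({timestamp_regex})","rule"\:{{"level"\:{rule_level},' \`. test_unauthorized_processes_detection's body starts before the hunk and continues after it.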
@@ -111,12 +111,13 @@ def test_virustotal_integration(configure_environment, metadata, get_dashboard_c
 rule_id = metadata['rule.id']
 rule_level = metadata['rule.level']
 rule_description = metadata['rule.description']
+ timestamp_regex = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+'
- expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)","rule"\:{{"level"\:{rule_level},' \
+ expected_alert_json = fr'\{{"timestamp":"({timestamp_regex})","rule"\:{{"level"\:{rule_level},' \
 fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}'
 expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \
- fr'.*"id": "{rule_id}".*"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*'
+ fr'.*"id": "{rule_id}".*"timestamp": "({timestamp_regex})".*'
 # Check that alert has been raised and save timestamp
 raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json,
diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py
index 0285b9950a..7e1754132e 100644
--- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py
+++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py
@@ -109,14 +109,15 @@ def test_vulnerability_detector_linux(configure_environment, metadata, get_dashb
 rule_level = metadata['rule.level']
 rule_id = metadata['rule.id']
 rule_description = metadata['rule.description']
+ timestamp_regex = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+'
- expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)",' \
+ expected_alert_json = fr'\{{"timestamp":"({timestamp_regex})",' \
 fr'"rule"\:{{"level"\:{rule_level},' \
 fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}'
 expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \
 fr'.*"id": "{rule_id}".*' \
- r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*'
+ fr'"timestamp": "({timestamp_regex})".*'
 # Check that alert has been raised and save timestamp
 raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json,
diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py
index 4cd11c7076..4967e06a36 100644
--- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py
+++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py
@@ -110,14 +110,15 @@ def test_vulnerability_detector_windows(configure_environment, metadata, get_das rule_level = metadata['rule.level'] rule_id = metadata['rule.id'] rule_description = metadata['rule.description'] + timestamp_regex = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+' - expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)",' \ + expected_alert_json = fr'\{{"timestamp":"({timestamp_regex})",' \ fr'"rule"\:{{"level"\:{rule_level},' \ fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \ fr'.*"id": "{rule_id}".*' \ - r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' + fr'"timestamp": "({timestamp_regex})".*' # Check that alert has been raised and save timestamp raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, diff --git a/tests/end_to_end/test_basic_cases/test_windows_defender/test_windows_defender.py b/tests/end_to_end/test_basic_cases/test_windows_defender/test_windows_defender.py index 584d58e5bb..14163f322a 100644 --- a/tests/end_to_end/test_basic_cases/test_windows_defender/test_windows_defender.py +++ b/tests/end_to_end/test_basic_cases/test_windows_defender/test_windows_defender.py 
@@ -104,14 +104,15 @@ def test_windows_defender(configure_environment, metadata, get_dashboard_credent rule_level = metadata['rule.level'] rule_id = metadata['rule.id'] rule_description = metadata['rule.description'] + timestamp_regex = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+' - expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)",' \ + expected_alert_json = fr'\{{"timestamp":"({timestamp_regex})",' \ fr'"rule"\:{{"level"\:{rule_level},' \ fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \ fr'.*"id": "{rule_id}".*' \ - r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*' + fr'"timestamp": "({timestamp_regex})".*' # Check that alert has been raised and save timestamp raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, From 1e5065c882ff72fd022940f75446b71e41114aac Mon Sep 17 00:00:00 2001 From: Julia Date: Fri, 19 Aug 2022 14:36:29 +0200 Subject: [PATCH 409/552] fix(#3165): add new line --- tests/end_to_end/conftest.py | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 4fa87950e1..604fb2f95e 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -116,6 +116,7 @@ def generate_events(request, metadata): ansible_runner.run(**parameters) + @pytest.fixture(scope='module') def get_manager_ip(request): """Get manager IP. From f8cc724035edfdf3337684489c47b13a97cfcfbf Mon Sep 17 00:00:00 2001 From: Julia Date: Fri, 19 Aug 2022 14:45:52 +0200 Subject: [PATCH 410/552] fix(#2983): change hosts names --- tests/end_to_end/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/end_to_end/README.md b/tests/end_to_end/README.md index bc2eae0ce0..485faa2ce3 100644 --- a/tests/end_to_end/README.md +++ b/tests/end_to_end/README.md 
@@ -13,7 +13,7 @@ Then, you will need to have an inventory with the needed hosts and variables. Fo ``` managers: hosts: - wazuh-manager: + centos-manager: ansible_host: ansible_connection: ssh ansible_user: @@ -24,7 +24,7 @@ managers: agents: children: - linux-agents: + linux: hosts: ubuntu-agent: ansible_host: @@ -38,7 +38,7 @@ agents: ansible_user: ansible_ssh_private_key_file: ansible_python_interpreter: /usr/bin/python3 - windows-agents: + windows: hosts: windows-agent: ansible_host: From 2c4f175a7a9bb520419ed6ef046dbadc407f5d47 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Fri, 19 Aug 2022 09:48:15 -0300 Subject: [PATCH 411/552] style(#3142): linter corrections applied. --- .../data/playbooks/validation.yaml | 15 --------------- tests/end_to_end/conftest.py | 16 ++++++++-------- .../tasks/check_wazuh_components.yaml | 8 ++++---- 3 files changed, 12 insertions(+), 27 deletions(-) delete mode 100644 tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/playbooks/validation.yaml diff --git a/tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/playbooks/validation.yaml b/tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/playbooks/validation.yaml deleted file mode 100644 index ed7ced1d05..0000000000 --- a/tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/playbooks/validation.yaml +++ /dev/null @@ -1,15 +0,0 @@ -- name: Check supported distros - hosts: centos-manager*,windows-agent* - any_errors_fatal: true - tasks: - - - name: Check if the host distribution is compatible - include_role: - name: host_checker - tasks_from: check_supported_distro - vars: - os: "{{ 'Windows' if ansible_os_family == 'Windows' else 'Linux' }}" - dist: "{{ ansible_distribution if ansible_os_family != 'Windows' else 'Windows' }}" - manager_distros: ['CentOS'] - agent_distros: ['Windows'] - diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 8fc5eb4b81..5b3fd363f2 100644 --- a/tests/end_to_end/conftest.py 
+++ b/tests/end_to_end/conftest.py @@ -44,7 +44,7 @@ def validate_environments(request): if not inventory_path: raise ValueError('Inventory not specified') - #--------------------------------------- Step 1: Prepare the necessary data ---------------------------------------- + # --------------------------------------- Step 1: Prepare the necessary data --------------------------------------- # Get the path of the tests from collected items. collected_paths = [item.fspath for item in collected_items] # Remove duplicates caused by the existence of 2 or more test cases @@ -67,9 +67,9 @@ def validate_environments(request): # Get the largest number of manager/agent instances num_of_managers = max(manager_instances) num_of_agents = max(agent_instances) - #-------------------------------------------------- End of Step 1 -------------------------------------------------- + # -------------------------------------------------- End of Step 1 ------------------------------------------------- - #---------------------- Step 2: Run the playbook to generate the general validation playbook ----------------------- + # ---------------------- Step 2: Run the playbook to generate the general validation playbook ---------------------- gen_parameters = { 'playbook': playbook_generator, 'inventory': inventory_path, 'extravars': { @@ -78,9 +78,9 @@ def validate_environments(request): } } ansible_runner.run(**gen_parameters) - #-------------------------------------------------- End of Step 2 -------------------------------------------------- + # -------------------------------------------------- End of Step 2 ------------------------------------------------- - #----------------------------------- Step 3: Run the general validation playbook ----------------------------------- + # ----------------------------------- Step 3: Run the general validation playbook ---------------------------------- parameters = { 'playbook': general_playbook, 'inventory': inventory_path, 
@@ -93,9 +93,9 @@ def validate_environments(request): if general_validation_runner.status == 'failed': raise Exception(f"The general validations have failed. Please check that the environments meet the expected " 'requirements.') - #-------------------------------------------------- End of Step 3 -------------------------------------------------- + # -------------------------------------------------- End of Step 3 ------------------------------------------------- - #------------------------------------ Step 4: Execute test-specific validations ------------------------------------ + # ------------------------------------ Step 4: Execute test-specific validations ----------------------------------- playbook_generator = os.path.join(suite_path, 'data', 'validation_playbooks', 'generate_test_specific_play.yaml') playbook_template = os.path.join(suite_path, 'data', 'validation_templates', 'test_specific_validation.j2') @@ -140,7 +140,7 @@ def validate_environments(request): if validation_runner.status == 'failed': raise Exception(f"The validation phase of {test_suite_name} has failed. Please check that the environments " 'meet the expected requirements.') - #-------------------------------------------------- End of Step 4 -------------------------------------------------- + # -------------------------------------------------- End of Step 4 ------------------------------------------------- @pytest.fixture(scope='function') diff --git a/tests/end_to_end/roles/host_checker/tasks/check_wazuh_components.yaml b/tests/end_to_end/roles/host_checker/tasks/check_wazuh_components.yaml index a6a69c3167..c0e33ef6ae 100644 --- a/tests/end_to_end/roles/host_checker/tasks/check_wazuh_components.yaml +++ b/tests/end_to_end/roles/host_checker/tasks/check_wazuh_components.yaml 
@@ -17,12 +17,12 @@ errors: "{{ errors }}{{ ansible_facts.services[item] }} is not running.\n" when: (os == 'Linux' and 'server' in wazuh_info.stdout and ansible_facts.services[item].state != 'running') with_items: - - 'wazuh-manager.service' - - 'wazuh-indexer.service' - - 'filebeat.service' + - wazuh-manager.service + - wazuh-indexer.service + - filebeat.service - set_fact: - service: 'wazuh-agent.service' + service: wazuh-agent.service when: (os == 'Linux' and 'agent' in wazuh_info.stdout) - name: Check the status of Wazuh Agent From a5bb947e58428ba174fb0865a0f5ad43aaaa3972 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Fri, 19 Aug 2022 10:09:06 -0300 Subject: [PATCH 412/552] feat(#3144): add roles in test ip reputation --- .../data/playbooks/configuration.yaml | 31 ++++++++++--------- .../data/playbooks/generate_events.yaml | 17 +++++----- .../data/playbooks/teardown.yaml | 9 ++++-- 3 files changed, 31 insertions(+), 26 deletions(-) diff --git a/tests/end_to_end/basic_cases/test_ip_reputation/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_ip_reputation/data/playbooks/configuration.yaml index 25b0c0cd4f..8ff48718f1 100644 --- a/tests/end_to_end/basic_cases/test_ip_reputation/data/playbooks/configuration.yaml +++ b/tests/end_to_end/basic_cases/test_ip_reputation/data/playbooks/configuration.yaml @@ -43,10 +43,11 @@ chmod 660 /var/ossec/etc/lists/blacklist-alienvault - name: Configure ossec.conf - blockinfile: - path: /var/ossec/etc/ossec.conf - insertbefore: - block: | + include_role: + name: manage_wazuh_configurations + tasks_from: write_wazuh_config.yaml + vars: + config_block: | apache /var/log/httpd/access_log @@ -76,14 +77,14 @@ 100100 10s - marker: + os: 'linux' - name: Configure local rules - become: true - blockinfile: - path: /var/ossec/etc/rules/local_rules.xml - insertafter: - block: | + include_role: + name: manage_wazuh_configurations + tasks_from: write_local_rules.yaml + vars: + config_block: | web|attack|attacks 
@@ -91,11 +92,13 @@ IP address found in AlienVault reputation database. - marker: - - name: Restart the manager - become: true - shell: systemctl restart wazuh-manager + - name: Restart wazuh-manager + include_role: + name: manage_wazuh + tasks_from: restart_wazuh.yaml + vars: + os: 'linux' - name: Windows agent configuration hosts: wazuh-windows diff --git a/tests/end_to_end/basic_cases/test_ip_reputation/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_ip_reputation/data/playbooks/generate_events.yaml index 7c70a9baab..7bd864ddd1 100644 --- a/tests/end_to_end/basic_cases/test_ip_reputation/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/basic_cases/test_ip_reputation/data/playbooks/generate_events.yaml @@ -2,9 +2,10 @@ hosts: wazuh-manager tasks: - - name: Truncate file alert.json - shell: echo "" > /var/ossec/logs/alerts/alerts.json - become: true + - name: Truncate alert.json + include_role: + name: manage_alerts + tasks_from: truncate_alert_json.yaml - name: Generate events hosts: wazuh-windows @@ -23,9 +24,7 @@ wait_for: timeout: 5 - - name: Get alerts.json - fetch: - src: /var/ossec/logs/alerts/alerts.json - dest: /tmp/ - flat: true - become: true + - name: Get alert json + include_role: + name: manage_alerts + tasks_from: get_alert_json.yaml diff --git a/tests/end_to_end/basic_cases/test_ip_reputation/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_ip_reputation/data/playbooks/teardown.yaml index 975ebe08eb..b6c081224b 100644 --- a/tests/end_to_end/basic_cases/test_ip_reputation/data/playbooks/teardown.yaml +++ b/tests/end_to_end/basic_cases/test_ip_reputation/data/playbooks/teardown.yaml @@ -24,9 +24,12 @@ block: '' marker: - - name: Restart the manager - become: true - shell: systemctl restart wazuh-manager + - name: Restart wazuh-manager + include_role: + name: manage_wazuh + tasks_from: restart_wazuh.yaml + vars: + os: 'linux' - name: Cleanup Windows agent environment hosts: wazuh-windows 
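Review bot: The replacement `include_role` tasks for "Configure local rules" and "Restart the manager" drop the `become: true` that the removed `blockinfile` and `shell` tasks carried, and the `generate_events.yaml` hunks below (truncate and fetch of `alerts.json`) drop it as well. Writing `/var/ossec/etc/rules/local_rules.xml`, truncating the alerts file and restarting the service all need root, so unless the `manage_wazuh_configurations`, `manage_wazuh` and `manage_alerts` role tasks set `become` internally or the play header (outside this hunk) already does, these tasks will fail for an unprivileged `ansible_user`; the removed tasks were themselves inconsistent ("Configure ossec.conf" had no `become`), so please confirm which it is. Adding `become: true` on each `include_role` task, or once at play level, makes the requirement explicit regardless of how the roles are written. The same pattern recurs in the emotet, audit and virustotal playbook hunks later in this series.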
From e6d11cd5e878157b6852beee1b62a426145bcae4 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Fri, 19 Aug 2022 10:35:56 -0300 Subject: [PATCH 413/552] fix(#3142): debug task deleted. --- tests/end_to_end/roles/host_checker/tasks/main.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/roles/host_checker/tasks/main.yaml b/tests/end_to_end/roles/host_checker/tasks/main.yaml index 71794d7eb4..644a41f2b7 100644 --- a/tests/end_to_end/roles/host_checker/tasks/main.yaml +++ b/tests/end_to_end/roles/host_checker/tasks/main.yaml @@ -21,7 +21,7 @@ - name: Check the connection between Controller node and Wazuh Indexer import_tasks: check_controller_indexer.yaml # ---------------------------------------------------------------------------- -- debug: var=errors + # -------- Task to identify whether the validation step fails or not. -------- - name: Verify if any check have failed fail: From 8fde4356c06b0645b9d675d6ddfae252e39d826a Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Fri, 19 Aug 2022 11:14:47 -0300 Subject: [PATCH 414/552] feat(#3144): add roles in test emotet --- .../data/playbooks/configuration.yaml | 49 +++++++++++-------- .../data/playbooks/generate_events.yaml | 19 ++++--- .../test_emotet/data/playbooks/teardown.yaml | 10 ++-- 3 files changed, 44 insertions(+), 34 deletions(-) diff --git a/tests/end_to_end/basic_cases/test_emotet/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_emotet/data/playbooks/configuration.yaml index c50589b9b4..59c5496646 100644 --- a/tests/end_to_end/basic_cases/test_emotet/data/playbooks/configuration.yaml +++ b/tests/end_to_end/basic_cases/test_emotet/data/playbooks/configuration.yaml 
@@ -54,35 +54,42 @@ ./Sysmon64.exe -accepteula -i sysconfig.xml - name: Configure Wazuh to collect Sysmon events - win_shell: | - Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" - Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" - Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' ` - "`nMicrosoft-Windows-Sysmon/Operational" - Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`neventchannel" - Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" - Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" + include_role: + name: manage_wazuh_configurations + tasks_from: write_wazuh_config.yaml + vars: + config_block: | + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' ` + "`nMicrosoft-Windows-Sysmon/Operational" + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`neventchannel" + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" + os: 'windows' - name: Download trigger_emotet.exe win_shell: | Set-Location C:\temp Invoke-WebRequest -Uri {{ s3_url }}/emotet/trigger-emotet.exe -Outfile trigger-emotet.exe - - name: Restart wazuh-agent (Windows) - win_shell: | - net stop wazuh - net start wazuh + - name: Restart wazuh-agent + include_role: + name: manage_wazuh + tasks_from: restart_wazuh.yaml + vars: + os: 'windows' - name: Test manager configuration hosts: wazuh-manager tasks: - name: Configure local rules - become: true - blockinfile: - path: /var/ossec/etc/rules/local_rules.xml - insertafter: - block: | + include_role: + name: manage_wazuh_configurations + tasks_from: write_local_rules.yaml + vars: + config_block: | sysmon 
@@ -111,8 +118,10 @@ - marker: - name: Restart wazuh-manager - become: true - shell: systemctl restart wazuh-manager + include_role: + name: manage_wazuh + tasks_from: restart_wazuh.yaml + vars: + os: 'linux' diff --git a/tests/end_to_end/basic_cases/test_emotet/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_emotet/data/playbooks/generate_events.yaml index df7da79516..93c3f7cf2b 100644 --- a/tests/end_to_end/basic_cases/test_emotet/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/basic_cases/test_emotet/data/playbooks/generate_events.yaml @@ -2,9 +2,10 @@ hosts: wazuh-manager tasks: - - name: Truncate file alert.json - shell: echo "" > /var/ossec/logs/alerts/alerts.json - become: true + - name: Truncate alert.json + include_role: + name: manage_alerts + tasks_from: truncate_alert_json.yaml - name: Generate events windows hosts: wazuh-windows @@ -21,11 +22,9 @@ - name: Wait for alert wait_for: - timeout: 10 + timeout: 30 - - name: Get alerts.json - fetch: - src: /var/ossec/logs/alerts/alerts.json - dest: /tmp/ - flat: true - become: true + - name: Get alert json + include_role: + name: manage_alerts + tasks_from: get_alert_json.yaml diff --git a/tests/end_to_end/basic_cases/test_emotet/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_emotet/data/playbooks/teardown.yaml index c19b003aea..9503acfab4 100644 --- a/tests/end_to_end/basic_cases/test_emotet/data/playbooks/teardown.yaml +++ b/tests/end_to_end/basic_cases/test_emotet/data/playbooks/teardown.yaml @@ -25,10 +25,12 @@ path: C:\temp state: absent - - name: Restart wazuh-agent (Windows) - win_shell: | - net stop wazuh - net start wazuh + - name: Restart wazuh-agent + include_role: + name: manage_wazuh + tasks_from: restart_wazuh.yaml + vars: + os: 'windows' - name: Enable Windows Defender win_shell: set-MpPreference -DisableRealtimeMonitoring $False From c0d9c8adc33fc0e65114296f0200f8990b66889b Mon Sep 17 00:00:00 2001 
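Review bot: The `config_block` handed to `write_wazuh_config.yaml` for the "Configure Wazuh to collect Sysmon events" task is the old PowerShell script (the `Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' ...` lines) rather than the configuration fragment itself, whereas every other caller of this role in the series passes the raw configuration block and lets the role do the writing. Unless the Windows branch of the role executes the block as a script — which cannot be confirmed from here — those `Add-Content` lines will be written verbatim into `ossec.conf` and the agent will fail to parse its configuration. The block should contain only the `localfile` fragment (the `Microsoft-Windows-Sysmon/Operational` location with the `eventchannel` log format), matching the Linux callers, with the role owning the file path. The play containing this task starts before the hunk.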
From: Belen Valdivia Date: Fri, 19 Aug 2022 11:19:25 -0300 Subject: [PATCH 415/552] fix: timeout --- .../basic_cases/test_emotet/data/playbooks/generate_events.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/basic_cases/test_emotet/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_emotet/data/playbooks/generate_events.yaml index 93c3f7cf2b..b9367d8086 100644 --- a/tests/end_to_end/basic_cases/test_emotet/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/basic_cases/test_emotet/data/playbooks/generate_events.yaml @@ -22,7 +22,7 @@ - name: Wait for alert wait_for: - timeout: 30 + timeout: 10 - name: Get alert json include_role: From 0d81f1b1949ea38b057a879d7df67267326c175a Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Fri, 19 Aug 2022 12:15:00 -0300 Subject: [PATCH 416/552] refactor(#3142): collection of errors and some fixes. --- tests/end_to_end/conftest.py | 9 ++++++++- tests/end_to_end/data/env_requirements.json | 17 +++++++++++++++-- .../tasks/check_controller_indexer.yaml | 5 ----- .../roles/host_checker/tasks/main.yaml | 4 ++++ 4 files changed, 27 insertions(+), 8 deletions(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 5b3fd363f2..2324b0083c 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py 
@@ -91,8 +91,15 @@ def validate_environments(request): remove_file(general_playbook) # If the general validations have failed, then abort the execution finishing with an error. Else, continue. if general_validation_runner.status == 'failed': + # Collect inventory_hostnames with errors + hosts_with_errors = [key for key in general_validation_runner.stats['failures']] + # Collect list of errors + errors = [] + errors.extend([general_validation_runner.get_fact_cache(host)['phase_results'] for host in hosts_with_errors]) + errors = ''.join(errors) + # Raise the exception with errors details raise Exception(f"The general validations have failed. Please check that the environments meet the expected " - 'requirements.') + f"requirements. Result:\n{errors}") # -------------------------------------------------- End of Step 3 ------------------------------------------------- # ------------------------------------ Step 4: Execute test-specific validations ----------------------------------- diff --git a/tests/end_to_end/data/env_requirements.json b/tests/end_to_end/data/env_requirements.json index 991a844c32..57c7d09292 100644 --- a/tests/end_to_end/data/env_requirements.json +++ b/tests/end_to_end/data/env_requirements.json @@ -23,7 +23,21 @@ "distros": [] } }, - "test_brute_force": { + "test_brute_force_ssh": { + "manager": { + "instances": 1, + "distros": [ + "CentOS" + ] + }, + "agent": { + "instances": 1, + "distros": [ + "CentOS" + ] + } + }, + "test_brute_force_rdp": { "manager": { "instances": 1, "distros": [ @@ -33,7 +47,6 @@ "agent": { "instances": 2, "distros": [ - "CentOS", "Windows" ] } diff --git a/tests/end_to_end/roles/host_checker/tasks/check_controller_indexer.yaml b/tests/end_to_end/roles/host_checker/tasks/check_controller_indexer.yaml index 982342f859..ced42bf37c 100644 --- a/tests/end_to_end/roles/host_checker/tasks/check_controller_indexer.yaml +++ b/tests/end_to_end/roles/host_checker/tasks/check_controller_indexer.yaml 
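Review bot: `general_validation_runner.get_fact_cache(host)['phase_results']` in the new error-collection block raises `KeyError` for any failed host whose run never reached the `set_fact` that caches `phase_results` (an unreachable host, or a failure earlier in the role), which would replace the intended validation report with an unrelated traceback. Using `.get` with a fallback keeps the diagnostic useful, and the list-then-extend dance collapses into one expression: `hosts_with_errors = list(general_validation_runner.stats['failures'])` followed by `errors = ''.join(general_validation_runner.get_fact_cache(host).get('phase_results', f'{host}: no phase_results recorded\n') for host in hosts_with_errors)`. Whether `stats` itself can be `None` when the runner aborts before completing depends on ansible_runner and is not visible here. `validate_environments` starts before the hunk.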
@@ -15,11 +15,6 @@ delegate_to: localhost when: (os == 'Linux' and 'server' in wazuh_info.stdout) -- debug: var=test_result - when: test_result is failed - -- debug: var=test_result.stderr - - name: Check the connection between Controller node and Wazuh Indexer set_fact: check_result: 'true' diff --git a/tests/end_to_end/roles/host_checker/tasks/main.yaml b/tests/end_to_end/roles/host_checker/tasks/main.yaml index 644a41f2b7..20933d8e4e 100644 --- a/tests/end_to_end/roles/host_checker/tasks/main.yaml +++ b/tests/end_to_end/roles/host_checker/tasks/main.yaml @@ -23,6 +23,10 @@ # ---------------------------------------------------------------------------- # -------- Task to identify whether the validation step fails or not. -------- +- set_fact: + phase_results: "{{ errors }}" + cacheable: yes + - name: Verify if any check have failed fail: msg: "Some validations were fail:\n'{{ errors }}'" From 49f9c9f1fe752bdbd003831d3cd28184aa0f94f6 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Fri, 19 Aug 2022 12:21:51 -0300 Subject: [PATCH 417/552] feat(#3144): add roles in test yara integration --- .../data/playbooks/configuration.yaml | 47 ++++++++++--------- .../data/playbooks/generate_events.yaml | 17 ++++--- 2 files changed, 32 insertions(+), 32 deletions(-) diff --git a/tests/end_to_end/basic_cases/test_yara_integration/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_yara_integration/data/playbooks/configuration.yaml index 7d2dbcffcd..ed750c479f 100644 --- a/tests/end_to_end/basic_cases/test_yara_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/basic_cases/test_yara_integration/data/playbooks/configuration.yaml @@ -4,10 +4,11 @@ tasks: - name: Configure local rules for Yara - blockinfile: - path: /var/ossec/etc/rules/local_rules.xml - marker: - block: | + include_role: + name: manage_wazuh_configurations + tasks_from: write_local_rules.yaml + vars: + config_block: | 550 
@@ -33,10 +34,11 @@ - name: Configure local decoders for Yara - blockinfile: - path: /var/ossec/etc/decoders/local_decoder.xml - marker: - block: | + include_role: + name: manage_wazuh_configurations + tasks_from: write_local_decoders.yaml + vars: + config_block: | wazuh-yara: @@ -46,12 +48,12 @@ log_type, yara_rule, yara_scanned_file - - name: Configure an active response for Yara - blockinfile: - path: /var/ossec/etc/ossec.conf - marker: - insertbefore: ^ - block: | + - name: Configure an active response and syscheck + include_role: + name: manage_wazuh_configurations + tasks_from: write_wazuh_config.yaml + vars: + config_block: | yara yara.sh @@ -64,18 +66,17 @@ 100300,100301 - - name: Configure syscheck - blockinfile: - path: /var/ossec/etc/ossec.conf - insertafter: - marker: - block: | + /tmp/yara/malware + + os: 'linux' - name: Restart wazuh-manager - systemd: - state: restarted - name: wazuh-manager + include_role: + name: manage_wazuh + tasks_from: restart_wazuh.yaml + vars: + os: 'linux' - name: Create a directory to store Yara rules file: diff --git a/tests/end_to_end/basic_cases/test_yara_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_yara_integration/data/playbooks/generate_events.yaml index 50119374dd..00c2205190 100644 --- a/tests/end_to_end/basic_cases/test_yara_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/basic_cases/test_yara_integration/data/playbooks/generate_events.yaml @@ -1,12 +1,12 @@ - name: Generate events hosts: wazuh-manager - vars: - alerts_path: /var/ossec/logs/alerts/alerts.json become: true tasks: - - name: Truncate alerts file - shell: echo "" > {{ alerts_path }} + - name: Truncate alert.json + include_role: + name: manage_alerts + tasks_from: truncate_alert_json.yaml - name: Wait until the server is ready wait_for: 
@@ -19,8 +19,7 @@ wait_for: timeout: 15 - - name: Get alerts.json - fetch: - src: "{{ alerts_path }}" - dest: /tmp/ - flat: true + - name: Get alert json + include_role: + name: manage_alerts + tasks_from: get_alert_json.yaml From 333ce4c46004bffb571b117512eea6982afa884f Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Fri, 19 Aug 2022 12:40:58 -0300 Subject: [PATCH 418/552] feat(#3144): add roles in test audit and test windows defender --- .../data/playbooks/generate_events.yaml | 17 ++++++++--------- .../data/playbooks/configuration.yaml | 16 ---------------- 2 files changed, 8 insertions(+), 25 deletions(-) diff --git a/tests/end_to_end/basic_cases/test_audit/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_audit/data/playbooks/generate_events.yaml index e692cd879b..c215f2a1e3 100644 --- a/tests/end_to_end/basic_cases/test_audit/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/basic_cases/test_audit/data/playbooks/generate_events.yaml @@ -2,9 +2,10 @@ hosts: wazuh-manager tasks: - - name: Truncate file - shell: echo "" > /var/ossec/logs/alerts/alerts.json - become: True + - name: Truncate alert.json + include_role: + name: manage_alerts + tasks_from: truncate_alert_json.yaml - name: "{{ event_description }}" shell: "{{ command }}" @@ -13,9 +14,7 @@ wait_for: timeout: 5 - - name: Get alerts.json - fetch: - src: /var/ossec/logs/alerts/alerts.json - dest: /tmp/ - flat: yes - become: True + - name: Get alert json + include_role: + name: manage_alerts + tasks_from: get_alert_json.yaml diff --git a/tests/end_to_end/basic_cases/test_windows_defender/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_windows_defender/data/playbooks/configuration.yaml index d8e49aef53..53fd51487f 100644 --- a/tests/end_to_end/basic_cases/test_windows_defender/data/playbooks/configuration.yaml +++ b/tests/end_to_end/basic_cases/test_windows_defender/data/playbooks/configuration.yaml 
@@ -54,22 +54,6 @@ - # - name: Configure local rules - # become: true - # blockinfile: - # path: /var/ossec/etc/rules/local_rules.xml - # insertafter: - # block: | - # - # - # 62100 - # ^5001$ - # Windows Defender Real-time Protection was disabled. - # defender,attack.t1089 - # - # - # marker: - - name: Restart manager include_role: name: manage_wazuh From 0322d2845a4d91fef3294d1ae1197cc7a6f248c7 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Fri, 19 Aug 2022 12:46:12 -0300 Subject: [PATCH 419/552] fix(#3142): minor fixes applied. --- .../roles/host_checker/tasks/check_controller_indexer.yaml | 2 +- .../roles/host_checker/tasks/check_wazuh_components.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/end_to_end/roles/host_checker/tasks/check_controller_indexer.yaml b/tests/end_to_end/roles/host_checker/tasks/check_controller_indexer.yaml index ced42bf37c..991f6ef1a9 100644 --- a/tests/end_to_end/roles/host_checker/tasks/check_controller_indexer.yaml +++ b/tests/end_to_end/roles/host_checker/tasks/check_controller_indexer.yaml @@ -7,7 +7,7 @@ name: service_controller tasks_from: get_installation_type -- name: Test connection with host +- name: Test connection with Wazuh Indexer shell: nc -v -4 {{ inventory_hostname }} 9200 timeout: 3 ignore_errors: true diff --git a/tests/end_to_end/roles/host_checker/tasks/check_wazuh_components.yaml b/tests/end_to_end/roles/host_checker/tasks/check_wazuh_components.yaml index c0e33ef6ae..88ead12940 100644 --- a/tests/end_to_end/roles/host_checker/tasks/check_wazuh_components.yaml +++ b/tests/end_to_end/roles/host_checker/tasks/check_wazuh_components.yaml 
@@ -14,7 +14,7 @@ - name: Check the status of Wazuh components (Manager) set_fact: check_result: 'true' - errors: "{{ errors }}{{ ansible_facts.services[item] }} is not running.\n" + errors: "{{ errors }}{{ ansible_facts.services[item].name }} is not running.\n" when: (os == 'Linux' and 'server' in wazuh_info.stdout and ansible_facts.services[item].state != 'running') with_items: - wazuh-manager.service From 7bf00364703749ad96a7d8a4c5a5f019b76b479c Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Fri, 19 Aug 2022 12:59:09 -0300 Subject: [PATCH 420/552] feat(#3144): add roles in test virustotal integration --- .../data/playbooks/configuration.yaml | 41 +++++++++++-------- .../data/playbooks/generate_events.yaml | 2 +- 2 files changed, 24 insertions(+), 19 deletions(-) diff --git a/tests/end_to_end/basic_cases/test_virustotal_integration/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_virustotal_integration/data/playbooks/configuration.yaml index 060d3dac8f..c386444f44 100644 --- a/tests/end_to_end/basic_cases/test_virustotal_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/basic_cases/test_virustotal_integration/data/playbooks/configuration.yaml @@ -4,10 +4,11 @@ tasks: - name: Configure Virustotal integration and active response - blockinfile: - path: /var/ossec/etc/ossec.conf - insertbefore: - block: | + include_role: + name: manage_wazuh_configurations + tasks_from: write_wazuh_config.yaml + vars: + config_block: | virustotal {{ virustotal_key }} @@ -27,14 +28,14 @@ local 87105 - marker: + os: 'linux' - - name: Configure local rules virus total integration - become: true - blockinfile: - path: /var/ossec/etc/rules/local_rules.xml - insertafter: - block: | + - name: Configure local rules virustotal integration + include_role: + name: manage_wazuh_configurations + tasks_from: write_local_rules.yaml + vars: + config_block: | 
@@ -61,10 +62,11 @@ Error removing threat located at $(parameters.alert.data.virustotal.source.file) - marker: - name: Truncate alert.json - shell: echo "" > /var/ossec/logs/alerts/alerts.json + include_role: + name: manage_alerts + tasks_from: truncate_alert_json.yaml - name: Restart manager include_role: @@ -79,12 +81,15 @@ tasks: - name: Configure syscheck - blockinfile: - path: /var/ossec/etc/ossec.conf - insertafter: - block: | + include_role: + name: manage_wazuh_configurations + tasks_from: write_wazuh_config.yaml + vars: + config_block: | + /root - marker: + + os: 'linux' - name: Add active response script become: true diff --git a/tests/end_to_end/basic_cases/test_virustotal_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_virustotal_integration/data/playbooks/generate_events.yaml index 2a59c87521..118cbd2aee 100644 --- a/tests/end_to_end/basic_cases/test_virustotal_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/basic_cases/test_virustotal_integration/data/playbooks/generate_events.yaml @@ -16,5 +16,5 @@ - name: Get alert json include_role: - name: get_alerts + name: manage_alerts tasks_from: get_alert_json.yaml From 5694f39982aa4c0db0e44e1dde93ad0d901c1b6e Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Fri, 19 Aug 2022 13:40:54 -0300 Subject: [PATCH 421/552] feat(#3144): add roles test slack integration --- .../data/playbooks/configuration.yaml | 28 ++++++++++--------- .../data/playbooks/generate_events.yaml | 9 +++--- .../data/playbooks/teardown.yaml | 8 ++++-- 3 files changed, 24 insertions(+), 21 deletions(-) diff --git a/tests/end_to_end/basic_cases/test_slack_integration/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_slack_integration/data/playbooks/configuration.yaml index 0949898f33..4c9ea49be3 100644 --- a/tests/end_to_end/basic_cases/test_slack_integration/data/playbooks/configuration.yaml 
+++ b/tests/end_to_end/basic_cases/test_slack_integration/data/playbooks/configuration.yaml @@ -1,17 +1,14 @@ - name: Configure environment hosts: wazuh-manager become: true - vars: - alerts_path: /var/ossec/logs/alerts/alerts.json - conf_path: /var/ossec/etc/ossec.conf tasks: - name: Set the Slack integration block - blockinfile: - path: "{{ conf_path }}" - marker: - insertbefore: ^ - block: | + include_role: + name: manage_wazuh_configurations + tasks_from: write_wazuh_config.yaml + vars: + config_block: | slack {{ web_hook_url }} @@ -19,11 +16,16 @@ {{ RULE_ID }} json + os: 'linux' - - name: Truncate alerts log - shell: echo "" > {{ alerts_path }} + - name: Truncate alert.json + include_role: + name: manage_alerts + tasks_from: truncate_alert_json.yaml - name: Restart wazuh-manager - systemd: - state: restarted - name: wazuh-manager + include_role: + name: manage_wazuh + tasks_from: restart_wazuh.yaml + vars: + os: 'linux' diff --git a/tests/end_to_end/basic_cases/test_slack_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_slack_integration/data/playbooks/generate_events.yaml index c3b93e89d3..359e28c0cf 100644 --- a/tests/end_to_end/basic_cases/test_slack_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/basic_cases/test_slack_integration/data/playbooks/generate_events.yaml @@ -39,11 +39,10 @@ search_regex: hooks.slack.com timeout: 5 - - name: Get alerts.json - fetch: - src: "{{ alerts_path }}" - dest: /tmp/ - flat: true + - name: Get alert json + include_role: + name: manage_alerts + tasks_from: get_alert_json.yaml # Get messages from Slack channel using the API of Slack - name: Run the script using python3 (Get messages from Slack channel) diff --git a/tests/end_to_end/basic_cases/test_slack_integration/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_slack_integration/data/playbooks/teardown.yaml index e3b07973b4..cf59562e76 100644 
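Review bot: `os: 'linux'` is passed as a literal on every `include_role` task in this playbook, and the same repetition runs through the virustotal, sql_injection, shellshock, osquery, netcat, vulnerability_detector and fim playbooks in the following commits, although each play already pins its target with `hosts: wazuh-manager` or `hosts: wazuh-windows`. Declaring it once at play level, `vars:` / `os: 'linux'`, or having the roles derive it from `ansible_facts['os_family']` (which the fim_windows teardown consulted before this series) removes the per-task copies and the chance of a stray `os: 'linux'` on a Windows play. This hunk also drops the play-level `alerts_path`/`conf_path` vars; the generate_events playbook in the same file still declares `alerts_path` until the fix in PATCH 426.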
--- a/tests/end_to_end/basic_cases/test_slack_integration/data/playbooks/teardown.yaml +++ b/tests/end_to_end/basic_cases/test_slack_integration/data/playbooks/teardown.yaml @@ -15,6 +15,8 @@ state: absent - name: Restart wazuh-manager - systemd: - state: restarted - name: wazuh-manager + include_role: + name: manage_wazuh + tasks_from: restart_wazuh.yaml + vars: + os: 'linux' From f67290b763d5f052f1a7d59043121724b62bae31 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Fri, 19 Aug 2022 13:50:52 -0300 Subject: [PATCH 422/552] feat(#3144): add roles sql injection test --- .../data/playbooks/configuration.yaml | 11 ----------- .../data/playbooks/generate_events.yaml | 2 +- .../test_sql_injection/data/playbooks/teardown.yaml | 8 +++++--- 3 files changed, 6 insertions(+), 15 deletions(-) diff --git a/tests/end_to_end/basic_cases/test_sql_injection/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_sql_injection/data/playbooks/configuration.yaml index 5f9c710be9..2a4295dff2 100644 --- a/tests/end_to_end/basic_cases/test_sql_injection/data/playbooks/configuration.yaml +++ b/tests/end_to_end/basic_cases/test_sql_injection/data/playbooks/configuration.yaml @@ -11,17 +11,6 @@ become: true shell: systemctl start httpd - # - name: Configure agent to monitor the Apache access logs - # become: true - # blockinfile: - # path: /var/ossec/etc/ossec.conf - # insertbefore: - # block: | - # - # apache - # /var/log/httpd/access_log - # - # marker: - name: Configure agent to monitor the Apache access logs include_role: name: manage_wazuh_configurations diff --git a/tests/end_to_end/basic_cases/test_sql_injection/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_sql_injection/data/playbooks/generate_events.yaml index 751904f04a..f3212fcf7a 100644 --- a/tests/end_to_end/basic_cases/test_sql_injection/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/basic_cases/test_sql_injection/data/playbooks/generate_events.yaml 
@@ -16,7 +16,7 @@ - name: Wait for alert wait_for: - timeout: 30 + timeout: 5 - name: Get logs hosts: wazuh-manager diff --git a/tests/end_to_end/basic_cases/test_sql_injection/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_sql_injection/data/playbooks/teardown.yaml index b22e1ff754..0a3fb64f60 100644 --- a/tests/end_to_end/basic_cases/test_sql_injection/data/playbooks/teardown.yaml +++ b/tests/end_to_end/basic_cases/test_sql_injection/data/playbooks/teardown.yaml @@ -11,6 +11,8 @@ block: '' - name: Restart wazuh-agent - systemd: - state: restarted - name: wazuh-agent + include_role: + name: manage_wazuh + tasks_from: restart_wazuh.yaml + vars: + os: 'linux' From f90ae7a14a3407726e16a0207441cdcc9b6ef8f7 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Fri, 19 Aug 2022 14:05:10 -0300 Subject: [PATCH 423/552] feat(#3144): add roles shellshock attack detection test --- .../data/playbooks/configuration.yaml | 19 +++++++++++-------- .../data/playbooks/generate_events.yaml | 15 ++++++++------- .../data/playbooks/teardown.yaml | 8 +++++--- 3 files changed, 24 insertions(+), 18 deletions(-) diff --git a/tests/end_to_end/basic_cases/test_shellshock_attack_detection/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_shellshock_attack_detection/data/playbooks/configuration.yaml index a49b02da38..694a69d42d 100644 --- a/tests/end_to_end/basic_cases/test_shellshock_attack_detection/data/playbooks/configuration.yaml +++ b/tests/end_to_end/basic_cases/test_shellshock_attack_detection/data/playbooks/configuration.yaml 
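Review bot: `timeout: 5` on the `Wait for alert` task shortens a fixed sleep that never checks whether the alert actually arrived, so the change trades 25 seconds of wait for flakiness on a slow manager rather than fixing the race. Polling the artifact is both faster and deterministic: in the manager play that follows (`Get logs`), `wait_for:` / `path: /var/ossec/logs/alerts/alerts.json` / `search_regex: <expected rule id or description — placeholder>` / `timeout: 30`, which is the pattern the slack generate_events playbook already uses with `search_regex: hooks.slack.com`. The play containing the wait starts outside the hunk, so I cannot confirm which host it runs on; if it is the agent, the poll has to move to the manager play where alerts.json lives.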
@@ -4,20 +4,23 @@ tasks: - name: Configure a localfile instance to collect the logs from Apache - blockinfile: - path: /var/ossec/etc/ossec.conf - marker: - insertbefore: ^ - block: | + include_role: + name: manage_wazuh_configurations + tasks_from: write_wazuh_config.yaml + vars: + config_block: | apache /var/log/httpd/access_log + os: 'linux' - name: Restart wazuh-manager - systemd: - state: restarted - name: wazuh-manager + include_role: + name: manage_wazuh + tasks_from: restart_wazuh.yaml + vars: + os: 'linux' - name: Check if Firewalld is installed on CentOS shell: systemctl status firewalld --no-pager diff --git a/tests/end_to_end/basic_cases/test_shellshock_attack_detection/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_shellshock_attack_detection/data/playbooks/generate_events.yaml index 94388a6066..d43bf43aeb 100644 --- a/tests/end_to_end/basic_cases/test_shellshock_attack_detection/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/basic_cases/test_shellshock_attack_detection/data/playbooks/generate_events.yaml @@ -3,8 +3,10 @@ become: true tasks: - - name: Truncate alerts file - shell: echo "" > /var/ossec/logs/alerts/alerts.json + - name: Truncate alert.json + include_role: + name: manage_alerts + tasks_from: truncate_alert_json.yaml - name: "{{ event_description }}" shell: "{{ command }}" @@ -13,8 +15,7 @@ wait_for: timeout: 10 - - name: Get alerts.json - fetch: - src: /var/ossec/logs/alerts/alerts.json - dest: /tmp/ - flat: true + - name: Get alert json + include_role: + name: manage_alerts + tasks_from: get_alert_json.yaml diff --git a/tests/end_to_end/basic_cases/test_shellshock_attack_detection/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_shellshock_attack_detection/data/playbooks/teardown.yaml index 41cc05337c..807364645e 100644 --- a/tests/end_to_end/basic_cases/test_shellshock_attack_detection/data/playbooks/teardown.yaml 
+++ b/tests/end_to_end/basic_cases/test_shellshock_attack_detection/data/playbooks/teardown.yaml @@ -11,6 +11,8 @@ block: '' - name: Restart wazuh-manager - systemd: - state: restarted - name: wazuh-manager + include_role: + name: manage_wazuh + tasks_from: restart_wazuh.yaml + vars: + os: 'linux' From 1a25dbc59b6e2595a222a0e904ef71517e9176c5 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Fri, 19 Aug 2022 14:08:16 -0300 Subject: [PATCH 424/552] feat(#3144): add role task to write local decoders --- .../tasks/write_local_decoders.yaml | 6 ++++++ .../tasks/write_local_rules.yaml | 2 +- .../tasks/write_wazuh_config.yaml | 2 +- 3 files changed, 8 insertions(+), 2 deletions(-) create mode 100644 tests/end_to_end/roles/manage_wazuh_configurations/tasks/write_local_decoders.yaml diff --git a/tests/end_to_end/roles/manage_wazuh_configurations/tasks/write_local_decoders.yaml b/tests/end_to_end/roles/manage_wazuh_configurations/tasks/write_local_decoders.yaml new file mode 100644 index 0000000000..9f82151434 --- /dev/null +++ b/tests/end_to_end/roles/manage_wazuh_configurations/tasks/write_local_decoders.yaml @@ -0,0 +1,6 @@ +- name: Configure local decoders + become: true + blockinfile: + path: /var/ossec/etc/decoders/local_decoder.xml + marker: + block: "{{ config_block }}" diff --git a/tests/end_to_end/roles/manage_wazuh_configurations/tasks/write_local_rules.yaml b/tests/end_to_end/roles/manage_wazuh_configurations/tasks/write_local_rules.yaml index a7f6ebbd9d..0142f17ef4 100644 --- a/tests/end_to_end/roles/manage_wazuh_configurations/tasks/write_local_rules.yaml +++ b/tests/end_to_end/roles/manage_wazuh_configurations/tasks/write_local_rules.yaml @@ -4,4 +4,4 @@ path: /var/ossec/etc/rules/local_rules.xml insertafter: block: "{{ config_block }}" - marker: \ No newline at end of file + marker: 
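Review bot: The new `write_local_decoders.yaml` task writes with a single `blockinfile` whose `marker` is fixed (its value is not visible here), so including the role a second time on the same host replaces the first decoder block instead of adding another one; the same holds for `write_local_rules.yaml` and, presumably, the Linux branch of `write_wazuh_config.yaml`, which is outside this series. If any test needs more than one block, let callers override the marker through a variable with the current text as its default. It also omits the `insertafter` that `write_local_rules.yaml` sets in the next hunk; if appending at end of file is intentional for the decoders file, a one-line comment such as `# decoders are top-level elements, so EOF append is valid` would save the next reader the question.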
diff --git a/tests/end_to_end/roles/manage_wazuh_configurations/tasks/write_wazuh_config.yaml b/tests/end_to_end/roles/manage_wazuh_configurations/tasks/write_wazuh_config.yaml index 2cf8bee559..71c73ddc0b 100644 --- a/tests/end_to_end/roles/manage_wazuh_configurations/tasks/write_wazuh_config.yaml +++ b/tests/end_to_end/roles/manage_wazuh_configurations/tasks/write_wazuh_config.yaml @@ -9,4 +9,4 @@ - name: Configure ossec.conf windows ansible.windows.win_shell: "{{ config_block }}" - when: os == 'windows' \ No newline at end of file + when: os == 'windows' From 17881e7e3c6706eacebf2fa1b1fe37764144e46f Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Fri, 19 Aug 2022 14:27:55 -0300 Subject: [PATCH 425/552] feat(#3144): add roles osquery integration test --- .../data/playbooks/configuration.yaml | 19 ++++++++++++------- .../data/playbooks/generate_events.yaml | 15 ++++++++------- .../data/playbooks/teardown.yaml | 8 +++++--- 3 files changed, 25 insertions(+), 17 deletions(-) diff --git a/tests/end_to_end/basic_cases/test_osquery_integration/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_osquery_integration/data/playbooks/configuration.yaml index f294228a6c..cc5cf3a3cb 100644 --- a/tests/end_to_end/basic_cases/test_osquery_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/basic_cases/test_osquery_integration/data/playbooks/configuration.yaml @@ -31,11 +31,11 @@ when: (osquery_check.rc == 3 or osquery_check.rc == 0 or installation.rc == 0) - name: Configure the Osquery module - blockinfile: - path: /var/ossec/etc/ossec.conf - marker: - insertbefore: ^ - block: | + include_role: + name: manage_wazuh_configurations + tasks_from: write_wazuh_config.yaml + vars: + config_block: | no yes 
@@ -44,13 +44,18 @@ /etc/osquery/osquery.conf no + os: 'linux' - name: Start Osquery shell: systemctl start osqueryd when: (osquery_check.rc == 3 or osquery_check.rc == 0) - - name: Restart the manager - shell: systemctl restart wazuh-manager + - name: Restart wazuh-manager + include_role: + name: manage_wazuh + tasks_from: restart_wazuh.yaml + vars: + os: 'linux' - name: Check if stress is installed or not on CentOS command: rpm -q stress diff --git a/tests/end_to_end/basic_cases/test_osquery_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_osquery_integration/data/playbooks/generate_events.yaml index 85ad397bf5..89f5088925 100644 --- a/tests/end_to_end/basic_cases/test_osquery_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/basic_cases/test_osquery_integration/data/playbooks/generate_events.yaml @@ -3,8 +3,10 @@ become: true tasks: - - name: Truncate alerts file - shell: echo "" > /var/ossec/logs/alerts/alerts.json + - name: Truncate alert.json + include_role: + name: manage_alerts + tasks_from: truncate_alert_json.yaml - name: Truncate osquery results file shell: echo "" > /var/log/osquery/osqueryd.results.log @@ -16,8 +18,7 @@ wait_for: timeout: 5 - - name: Get alerts.json - fetch: - src: /var/ossec/logs/alerts/alerts.json - dest: /tmp/ - flat: true + - name: Get alert json + include_role: + name: manage_alerts + tasks_from: get_alert_json.yaml diff --git a/tests/end_to_end/basic_cases/test_osquery_integration/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_osquery_integration/data/playbooks/teardown.yaml index 71d1aab929..f04ce97312 100644 --- a/tests/end_to_end/basic_cases/test_osquery_integration/data/playbooks/teardown.yaml +++ b/tests/end_to_end/basic_cases/test_osquery_integration/data/playbooks/teardown.yaml 
@@ -21,9 +21,11 @@ name: osqueryd - name: Restart wazuh-manager - systemd: - state: restarted - name: wazuh-manager + include_role: + name: manage_wazuh + tasks_from: restart_wazuh.yaml + vars: + os: 'linux' - name: Uninstall stress shell: yum remove -y stress From 8f5ca884a7cbfcd4780379c4e7d5b23421fecbf0 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Fri, 19 Aug 2022 14:32:09 -0300 Subject: [PATCH 426/552] fix(#3144): fix gen event slack test --- .../test_slack_integration/data/playbooks/generate_events.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/end_to_end/basic_cases/test_slack_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_slack_integration/data/playbooks/generate_events.yaml index 359e28c0cf..969311bd79 100644 --- a/tests/end_to_end/basic_cases/test_slack_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/basic_cases/test_slack_integration/data/playbooks/generate_events.yaml @@ -1,7 +1,6 @@ - name: Generate events hosts: wazuh-manager vars: - alerts_path: /var/ossec/logs/alerts/alerts.json integrations_log: /var/ossec/logs/integrations.log slack_messages_log: /tmp/slack_messages.log become: true From b4f02b61170783fdc7218384a942ad3f90080713 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Fri, 19 Aug 2022 14:57:10 -0300 Subject: [PATCH 427/552] feat(#3144): add roles netcat tests --- .../data/playbooks/configuration.yaml | 37 +++++++++++-------- .../data/playbooks/generate_events.yaml | 17 ++++----- .../test_netcat/data/playbooks/teardown.yaml | 16 +++++--- 3 files changed, 39 insertions(+), 31 deletions(-) diff --git a/tests/end_to_end/basic_cases/test_netcat/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_netcat/data/playbooks/configuration.yaml index 0f2be15765..09f23ca4cc 100644 --- a/tests/end_to_end/basic_cases/test_netcat/data/playbooks/configuration.yaml +++ b/tests/end_to_end/basic_cases/test_netcat/data/playbooks/configuration.yaml 
@@ -3,22 +3,25 @@ tasks: - name: Configure agent to get a list of running processes - become: true - blockinfile: - path: /var/ossec/etc/ossec.conf - insertbefore: - block: | + include_role: + name: manage_wazuh_configurations + tasks_from: write_wazuh_config.yaml + vars: + config_block: | full_command process list ps -e -o pid,uname,command 30 - marker: + os: 'linux' - name: Restart wazuh-agent - become: true - shell: systemctl restart wazuh-agent + include_role: + name: manage_wazuh + tasks_from: restart_wazuh.yaml + vars: + os: 'linux' - name: Install netcat (CentOS) become: true @@ -35,11 +38,11 @@ tasks: - name: Configure local rules - become: true - blockinfile: - path: /var/ossec/etc/rules/local_rules.xml - insertafter: - block: | + include_role: + name: manage_wazuh_configurations + tasks_from: write_local_rules.yaml + vars: + config_block: | 530 @@ -54,8 +57,10 @@ process_monitor, - marker: - name: Restart wazuh-manager - become: true - shell: systemctl restart wazuh-manager + include_role: + name: manage_wazuh + tasks_from: restart_wazuh.yaml + vars: + os: 'linux' diff --git a/tests/end_to_end/basic_cases/test_netcat/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_netcat/data/playbooks/generate_events.yaml index 9ec5373f32..302fde9de3 100644 --- a/tests/end_to_end/basic_cases/test_netcat/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/basic_cases/test_netcat/data/playbooks/generate_events.yaml @@ -2,9 +2,10 @@ hosts: wazuh-manager tasks: - - name: Truncate file alert.json - shell: echo "" > /var/ossec/logs/alerts/alerts.json - become: true + - name: Truncate alert.json + include_role: + name: manage_alerts + tasks_from: truncate_alert_json.yaml - name: Generate events hosts: wazuh-agent 
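Review bot: The removed `Truncate file alert.json` task in the netcat generate_events hunk carried `become: true`, and the visible play lines set no play-level `become`, so after the change the truncation of the root-owned `/var/ossec/logs/alerts/alerts.json` depends entirely on whether `manage_alerts/tasks/truncate_alert_json.yaml` escalates by itself; that file is not in this series, so I cannot confirm it does. If it does not, the write fails, or worse, stale alerts from a previous run remain and the test matches against them. Setting `become: true` at play level, as the shellshock and osquery generate_events plays already do, keeps the behaviour explicit in the playbook. The same `become` was dropped from the `Get alerts.json` fetch in the netcat hunk that follows and in the vulnerability_detector (linux, windows) and fim (linux, windows) generate_events hunks later in the series.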
@@ -27,9 +28,7 @@ hosts: wazuh-manager tasks: - - name: Get alerts.json - fetch: - src: /var/ossec/logs/alerts/alerts.json - dest: /tmp/ - flat: true - become: true + - name: Get alert json + include_role: + name: manage_alerts + tasks_from: get_alert_json.yaml diff --git a/tests/end_to_end/basic_cases/test_netcat/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_netcat/data/playbooks/teardown.yaml index 30dd19616b..596801a8bb 100644 --- a/tests/end_to_end/basic_cases/test_netcat/data/playbooks/teardown.yaml +++ b/tests/end_to_end/basic_cases/test_netcat/data/playbooks/teardown.yaml @@ -11,9 +11,11 @@ marker: - name: Restart wazuh-agent - systemd: - state: restarted - name: wazuh-agent + include_role: + name: manage_wazuh + tasks_from: restart_wazuh.yaml + vars: + os: 'linux' - name: Cleanup manager environment hosts: wazuh-manager @@ -27,6 +29,8 @@ marker: - name: Restart wazuh-manager - systemd: - state: restarted - name: wazuh-manager + include_role: + name: manage_wazuh + tasks_from: restart_wazuh.yaml + vars: + os: 'linux' From d36f4d81b50e19fe1c01952c2411413c4ba4a0af Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Fri, 19 Aug 2022 15:32:19 -0300 Subject: [PATCH 428/552] feat(#3144): add roles vulnerability detector tests --- .../data/playbooks/configuration.yaml | 40 ++++++++------ .../data/playbooks/generate_events.yaml | 17 +++--- .../data/playbooks/teardown.yaml | 7 +++ .../data/playbooks/configuration.yaml | 54 +++++++++++-------- .../data/playbooks/generate_events.yaml | 17 +++--- .../data/playbooks/teardown.yaml | 10 ++-- 6 files changed, 84 insertions(+), 61 deletions(-) diff --git a/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/configuration.yaml index ed2ccc359e..995fef01aa 100644 
--- a/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/configuration.yaml +++ b/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/configuration.yaml @@ -3,22 +3,25 @@ tasks: - name: Enable the agent module to collect installed packages (Ubuntu) - become: true - blockinfile: - path: /var/ossec/etc/ossec.conf - insertbefore: - block: | + include_role: + name: manage_wazuh_configurations + tasks_from: write_wazuh_config.yaml + vars: + config_block: | no 10s yes yes - marker: + os: 'linux' - name: Restart wazuh-agent (Ubuntu) - become: true - shell: systemctl restart wazuh-agent + include_role: + name: manage_wazuh + tasks_from: restart_wazuh.yaml + vars: + os: 'linux' - name: Test manager configuration hosts: wazuh-manager @@ -29,12 +32,12 @@ become: true - name: Enabled vulnerability detector module - become: true - blockinfile: - path: /var/ossec/etc/ossec.conf - insertbefore: - block: | - + include_role: + name: manage_wazuh_configurations + tasks_from: write_wazuh_config.yaml + vars: + config_block: | + yes 10s 10s @@ -54,11 +57,14 @@ 1h - marker: + os: 'linux' - name: Restart wazuh-manager - become: true - shell: systemctl restart wazuh-manager + include_role: + name: manage_wazuh + tasks_from: restart_wazuh.yaml + vars: + os: 'linux' - name: Wait until the feeds were downloaded and the first scan was completed become: true diff --git a/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml index ac6b1f174d..fabf3ece43 100644 --- a/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml 
+++ b/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml @@ -2,9 +2,10 @@ hosts: wazuh-manager tasks: - - name: Truncate file alert.json - shell: echo "" > /var/ossec/logs/alerts/alerts.json - become: true + - name: Truncate alert.json + include_role: + name: manage_alerts + tasks_from: truncate_alert_json.yaml - name: Generate events hosts: wazuh-agent @@ -22,9 +23,7 @@ wait_for: timeout: 60 - - name: Get alerts.json - fetch: - src: /var/ossec/logs/alerts/alerts.json - dest: /tmp/ - flat: true - become: true + - name: Get alert json + include_role: + name: manage_alerts + tasks_from: get_alert_json.yaml diff --git a/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/teardown.yaml index 13cdcc0590..94f469edb1 100644 --- a/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/teardown.yaml +++ b/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/teardown.yaml @@ -12,3 +12,10 @@ path: /var/ossec/etc/ossec.conf block: '' marker: + + - name: Restart wazuh-agent + include_role: + name: manage_wazuh + tasks_from: restart_wazuh.yaml + vars: + os: 'linux' diff --git a/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/configuration.yaml index 754cdbfb17..a1f1adff83 100644 --- a/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/configuration.yaml +++ b/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/configuration.yaml 
@@ -14,21 +14,28 @@ remote_src: true - name: Enable the agent module to collect installed packages (Windows) - ansible.windows.win_shell: | - Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" - Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" - Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`nno" - Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n10s" - Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`nyes" - Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`nyes" - Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`nyes" - Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" - Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" + include_role: + name: manage_wazuh_configurations + tasks_from: write_wazuh_config.yaml + vars: + config_block: | + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`nno" + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n10s" + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`nyes" + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`nyes" + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`nyes" + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" + os: 'windows' - - name: Restart wazuh-agent (Windows) - ansible.windows.win_shell: | - net stop wazuh - net start wazuh + - name: Restart wazuh-agent + include_role: + name: manage_wazuh + tasks_from: restart_wazuh.yaml + vars: + os: 'windows' - name: Test manager configuration hosts: wazuh-manager 
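Review bot: `config_block` on the new side is a PowerShell script (a list of `Add-Content ... ossec.conf` commands) rather than configuration text, because `write_wazuh_config.yaml` runs the variable through `ansible.windows.win_shell` when `os == 'windows'` (visible in the PATCH 424 hunk of this series) while on Linux the same variable is written into ossec.conf as data. A role whose input is data on one platform and executed code on the other is easy to misuse: a caller that passes plain config text with `os: 'windows'` gets it executed as PowerShell, and anything interpolated into that text becomes command execution rather than a config value. Let the role own the path and the append on Windows as well, with `ansible.windows.win_lineinfile` and `line: "{{ config_block }}"`, which is what the test_fim_windows configuration playbook used before the change, so callers only ever pass configuration; until then the role task deserves the comment `# config_block is EXECUTED as PowerShell here, not written to a file`. The test_fim_windows configuration hunk in PATCH 429 has the same shape.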
@@ -39,11 +46,11 @@ become: true - name: Enabled vulnerability detector module - become: true - blockinfile: - path: /var/ossec/etc/ossec.conf - insertbefore: - block: | + include_role: + name: manage_wazuh_configurations + tasks_from: write_wazuh_config.yaml + vars: + config_block: | yes 10s @@ -63,11 +70,14 @@ 1h - marker: + os: 'linux' - name: Restart wazuh-manager - become: true - shell: systemctl restart wazuh-manager + include_role: + name: manage_wazuh + tasks_from: restart_wazuh.yaml + vars: + os: 'linux' - name: Wait until the feeds were downloaded and the first scan was completed become: true diff --git a/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/generate_events.yaml index 425c6d146c..3e0512872b 100644 --- a/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/generate_events.yaml @@ -2,9 +2,10 @@ hosts: wazuh-manager tasks: - - name: Truncate file alert.json - shell: echo "" > /var/ossec/logs/alerts/alerts.json - become: true + - name: Truncate alert.json + include_role: + name: manage_alerts + tasks_from: truncate_alert_json.yaml - name: Generate events hosts: wazuh-windows @@ -21,9 +22,7 @@ wait_for: timeout: 60 - - name: Get alerts.json - fetch: - src: /var/ossec/logs/alerts/alerts.json - dest: /tmp/ - flat: true - become: true + - name: Get alert json + include_role: + name: manage_alerts + tasks_from: get_alert_json.yaml 
diff --git a/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/teardown.yaml index f51902df42..99a5d4400b 100644 --- a/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/teardown.yaml +++ b/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/teardown.yaml @@ -17,7 +17,9 @@ path: C:\temp state: absent - - name: Restart wazuh-agent (Windows) - ansible.windows.win_shell: | - net stop wazuh - net start wazuh + - name: Restart wazuh-agent + include_role: + name: manage_wazuh + tasks_from: restart_wazuh.yaml + vars: + os: 'windows' From eeedf27baaba36ca23bad1dfee098e232e8f8563 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Fri, 19 Aug 2022 15:52:12 -0300 Subject: [PATCH 429/552] feat:(#3144): add roles fim tests --- .../data/playbooks/configuration.yaml | 25 +++++++++-------- .../data/playbooks/generate_events.yaml | 17 ++++++------ .../data/playbooks/teardown.yaml | 8 +++--- .../data/playbooks/configuration.yaml | 27 ++++++++++++------- .../data/playbooks/generate_events.yaml | 17 ++++++------ .../data/playbooks/teardown.yaml | 13 +++++---- 6 files changed, 59 insertions(+), 48 deletions(-) diff --git a/tests/end_to_end/basic_cases/test_fim/test_fim_linux/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_fim/test_fim_linux/data/playbooks/configuration.yaml index 32a12480af..608305e8fd 100644 --- a/tests/end_to_end/basic_cases/test_fim/test_fim_linux/data/playbooks/configuration.yaml +++ b/tests/end_to_end/basic_cases/test_fim/test_fim_linux/data/playbooks/configuration.yaml 
@@ -9,16 +9,19 @@ state: directory - name: Add directory to syscheck configuration (Linux) - become: true - blockinfile: - path: /var/ossec/etc/ossec.conf - insertafter: - block: | + include_role: + name: manage_wazuh_configurations + tasks_from: write_wazuh_config.yaml + vars: + config_block: | + /tmp/test_demo_fim - marker: + + os: 'linux' - - name: Restart Wazuh (Linux) - become: true - systemd: - name: wazuh-agent - state: restarted + - name: Restart wazuh-agent + include_role: + name: manage_wazuh + tasks_from: restart_wazuh.yaml + vars: + os: 'linux' diff --git a/tests/end_to_end/basic_cases/test_fim/test_fim_linux/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_fim/test_fim_linux/data/playbooks/generate_events.yaml index 7d6dd17779..eda444c717 100644 --- a/tests/end_to_end/basic_cases/test_fim/test_fim_linux/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/basic_cases/test_fim/test_fim_linux/data/playbooks/generate_events.yaml @@ -2,9 +2,10 @@ hosts: wazuh-manager tasks: - - name: Truncate file - shell: echo "" > /var/ossec/logs/alerts/alerts.json - become: True + - name: Truncate alert.json + include_role: + name: manage_alerts + tasks_from: truncate_alert_json.yaml - name: Generate events hosts: wazuh-agent @@ -25,9 +26,7 @@ wait_for: timeout: 5 - - name: Get alerts.json - fetch: - src: /var/ossec/logs/alerts/alerts.json - dest: /tmp/ - flat: true - become: true + - name: Get alert json + include_role: + name: manage_alerts + tasks_from: get_alert_json.yaml diff --git a/tests/end_to_end/basic_cases/test_fim/test_fim_linux/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_fim/test_fim_linux/data/playbooks/teardown.yaml index d66fe3af54..0192e6f020 100644 --- a/tests/end_to_end/basic_cases/test_fim/test_fim_linux/data/playbooks/teardown.yaml +++ b/tests/end_to_end/basic_cases/test_fim/test_fim_linux/data/playbooks/teardown.yaml 
@@ -15,6 +15,8 @@ state: absent - name: Restart wazuh-agent - systemd: - state: restarted - name: wazuh-agent + include_role: + name: manage_wazuh + tasks_from: restart_wazuh.yaml + vars: + os: 'linux' diff --git a/tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/playbooks/configuration.yaml index a04a1e298e..cdd985579c 100644 --- a/tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/playbooks/configuration.yaml +++ b/tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/playbooks/configuration.yaml @@ -8,21 +8,30 @@ state: directory - name: Add directory to syscheck configuration (Windows) - win_lineinfile: - path: C:\Program Files (x86)\ossec-agent\ossec.conf - insertafter: - line: | - C:\\Test\\test_demo_fim + include_role: + name: manage_wazuh_configurations + tasks_from: write_wazuh_config.yaml + vars: + config_block: | + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' ` + '`nC:\\Test\\test_demo_fim' + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" + Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" + os: 'windows' - name: Truncate ossec.log win_file: path: C:\Program Files (x86)\ossec-agent\ossec.log state: absent - - name: Restart Wazuh (Windows) - win_shell: | - net stop wazuh - net start wazuh + - name: Restart wazuh-agent + include_role: + name: manage_wazuh + tasks_from: restart_wazuh.yaml + vars: + os: 'windows' - name: Wait for whodata start win_wait_for: diff --git a/tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/playbooks/generate_events.yaml index 696adc6b1d..bd466af866 100644 
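Review bot: In the test_fim_windows configuration.yaml hunk, `config_block` is filled with PowerShell `Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' ...` statements, while every Linux caller of `write_wazuh_config.yaml` in this series passes plain ossec.conf content, so the role's `config_block` means "configuration text" on one OS and "commands to run" on the other. That makes the role contract hard to reason about, and it implies any caller-supplied value is handed to a Windows shell by the role (inferred from the call sites; the role itself is not in this patch). Prefer keeping `config_block` data-only and letting the role perform the `Add-Content` when `os: 'windows'`, or at minimum document the dual meaning in the role's header, e.g. `# config_block: ossec.conf fragment on linux; PowerShell statements executed as-is on windows`.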
--- a/tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/playbooks/generate_events.yaml @@ -2,9 +2,10 @@ hosts: wazuh-manager tasks: - - name: Truncate file - shell: echo "" > /var/ossec/logs/alerts/alerts.json - become: true + - name: Truncate alert.json + include_role: + name: manage_alerts + tasks_from: truncate_alert_json.yaml - name: Generate events hosts: wazuh-windows @@ -23,9 +24,7 @@ wait_for: timeout: 5 - - name: Get alerts.json - fetch: - src: /var/ossec/logs/alerts/alerts.json - dest: /tmp/ - flat: true - become: true + - name: Get alert json + include_role: + name: manage_alerts + tasks_from: get_alert_json.yaml diff --git a/tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/playbooks/teardown.yaml index 71f1722e53..b529b643cd 100644 --- a/tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/playbooks/teardown.yaml +++ b/tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/playbooks/teardown.yaml @@ -8,16 +8,15 @@ path: C:\Program Files (x86)\ossec-agent\ossec.conf regex: C\:\\\\Test\\\\test_demo_fim state: absent - when: ansible_facts['os_family'] == "Windows" - name: Delete directory to monitor (Windows) win_file: path: C:\Test state: absent - when: ansible_facts['os_family'] == "Windows" - - name: Restart Wazuh (Windows) - win_shell: | - net stop wazuh - net start wazuh - when: ansible_facts['os_family'] == "Windows" + - name: Restart wazuh-agent + include_role: + name: manage_wazuh + tasks_from: restart_wazuh.yaml + vars: + os: 'windows' From 1db095392232de5b05395f0bb920ab17189be292 Mon Sep 17 00:00:00 2001 
From: Belen Valdivia Date: Fri, 19 Aug 2022 16:35:08 -0300 Subject: [PATCH 430/552] feat(#3144): add roles suspicious binaries tests --- .../data/playbooks/generate_events.yaml | 25 +++++++++++-------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/tests/end_to_end/basic_cases/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml index ede64103d2..c1f65b3d2d 100644 --- a/tests/end_to_end/basic_cases/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/basic_cases/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml @@ -3,20 +3,23 @@ become: true tasks: - - name: Truncate alerts file - shell: echo "" > /var/ossec/logs/alerts/alerts.json + - name: Truncate alert.json + include_role: + name: manage_alerts + tasks_from: truncate_alert_json.yaml - - name: Restart manager to run the rootcheck scan - systemd: - state: restarted - name: wazuh-manager + - name: Restart manager + include_role: + name: manage_wazuh + tasks_from: restart_wazuh.yaml + vars: + os: 'linux' - name: Wait for alerts to be generated wait_for: timeout: 10 - - name: Get alerts.json - fetch: - src: /var/ossec/logs/alerts/alerts.json - dest: /tmp/ - flat: true + - name: Get alert json + include_role: + name: manage_alerts + tasks_from: get_alert_json.yaml From 8ba34ae869efb0717ccb1430fea8c959748b626b Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Fri, 19 Aug 2022 17:12:12 -0300 Subject: [PATCH 431/552] feat(#3144): add roles docker tests --- .../data/playbooks/configuration.yaml | 19 +++++++++++-------- .../data/playbooks/generate_events.yaml | 15 ++++++++------- .../data/playbooks/teardown.yaml | 8 +++++--- 3 files changed, 24 insertions(+), 18 deletions(-) 
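Review bot: Renaming `Restart manager to run the rootcheck scan` to `Restart manager` loses the only statement of why the manager is restarted between truncating alerts.json and the `Wait for alerts to be generated` task; the `include_role` call now reads as a generic restart. Keep the rationale in the task name, e.g. `- name: Restart manager to trigger the rootcheck scan`, or add a one-line comment above the `include_role`.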
diff --git a/tests/end_to_end/basic_cases/test_docker_monitoring/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_docker_monitoring/data/playbooks/configuration.yaml index 1db8bcd16d..079f5aad1d 100644 --- a/tests/end_to_end/basic_cases/test_docker_monitoring/data/playbooks/configuration.yaml +++ b/tests/end_to_end/basic_cases/test_docker_monitoring/data/playbooks/configuration.yaml @@ -4,22 +4,25 @@ tasks: - name: Configure the docker-listener module - blockinfile: - path: /var/ossec/etc/ossec.conf - insertbefore: ^ - block: | + include_role: + name: manage_wazuh_configurations + tasks_from: write_wazuh_config.yaml + vars: + config_block: | 10m 5 yes no - marker: + os: 'linux' - name: Restart wazuh-manager - systemd: - state: restarted - name: wazuh-manager + include_role: + name: manage_wazuh + tasks_from: restart_wazuh.yaml + vars: + os: 'linux' - name: Force systemd to reread configs systemd: diff --git a/tests/end_to_end/basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml index 962aaeb874..774d5018e6 100644 --- a/tests/end_to_end/basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml @@ -3,8 +3,10 @@ become: true tasks: - - name: Truncate alerts file - shell: echo "" > /var/ossec/logs/alerts/alerts.json + - name: Truncate alert.json + include_role: + name: manage_alerts + tasks_from: truncate_alert_json.yaml - name: "{{ event_description }}" shell: "{{ command }}" @@ -13,8 +15,7 @@ wait_for: timeout: 20 - - name: Get alerts.json - fetch: - src: /var/ossec/logs/alerts/alerts.json - dest: /tmp/ - flat: true + - name: Get alert json + include_role: + name: manage_alerts + tasks_from: get_alert_json.yaml 
diff --git a/tests/end_to_end/basic_cases/test_docker_monitoring/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_docker_monitoring/data/playbooks/teardown.yaml index 59c8906f9a..d3b0dabb37 100644 --- a/tests/end_to_end/basic_cases/test_docker_monitoring/data/playbooks/teardown.yaml +++ b/tests/end_to_end/basic_cases/test_docker_monitoring/data/playbooks/teardown.yaml @@ -11,6 +11,8 @@ marker: - name: Restart wazuh-manager - systemd: - state: restarted - name: wazuh-manager + include_role: + name: manage_wazuh + tasks_from: restart_wazuh.yaml + vars: + os: 'linux' From bcbfab2e8ec228e7e28f8b010aad57bbb12b1f48 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Fri, 19 Aug 2022 17:59:19 -0300 Subject: [PATCH 432/552] refactor(#3142): check distro and OS unified. --- tests/end_to_end/conftest.py | 92 +++++++++---------- .../generate_general_play.yaml | 4 +- .../generate_test_specific_play.yaml | 10 -- .../general_validation.j2 | 9 +- .../test_specific_validation.j2 | 19 ---- .../roles/host_checker/tasks/check_os.yaml | 9 +- .../tasks/check_supported_distro.yaml | 18 ---- 7 files changed, 50 insertions(+), 111 deletions(-) delete mode 100644 tests/end_to_end/data/validation_playbooks/generate_test_specific_play.yaml delete mode 100644 tests/end_to_end/data/validation_templates/test_specific_validation.j2 delete mode 100644 tests/end_to_end/roles/host_checker/tasks/check_supported_distro.yaml diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 2324b0083c..b1aad716f4 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py 
@@ -23,11 +23,7 @@ def validate_environments(request): Step 1: Collect the data related to the selected tests that will be executed. Step 2: Generate a playbook containing cross-checks for selected tests. Step 3: Run the generated playbook. - Step 4: Generate a test-specific playbook to validate the environment required by that test, then execute that - playbook. This will run one validation for each selected test set. To add specific validation tasks to a - test,a new jinja2 template must be added inside the `playbooks` folder in the test suite. E.g: - test_basic_cases/test_fim/test_fim_linux/data/playbooks/validation.j2 - (See end_to_end/data/validation_templates for a guide to create the file) + Step 4: Execute a test-specific playbook (if any). This will run one validation for each selected test set. Args: request (fixture): Gives access to the requesting test context. 
@@ -45,13 +41,26 @@ def validate_environments(request): raise ValueError('Inventory not specified') # --------------------------------------- Step 1: Prepare the necessary data --------------------------------------- + test_suites_paths = [] + manager_instances = [] + agent_instances = [] + target_hosts = [] + target_distros = [] + distros_by = {'manager': [], 'agent': []} + + def set_target_and_distros(suite): + for key in environment_metadata[test_suite_name]: + if environment_metadata[test_suite_name][key]['instances'] > 0: + # Save manager/agent distros + distros_by[key] = environment_metadata[test_suite_name][key]['distros'] + target_distros.extend(environment_metadata[test_suite_name][key]['distros']) + # Add the target host to the list (following the standard host name: "-*") + target_hosts.extend([distro.lower() + f"-{key}" for distro in distros_by[key]]) + # Get the path of the tests from collected items. collected_paths = [item.fspath for item in collected_items] # Remove duplicates caused by the existence of 2 or more test cases collected_paths = list(dict.fromkeys(collected_paths)) - test_suites_paths = [] - manager_instances = [] - agent_instances = [] for path in collected_paths: # Remove the name of the file from the path 
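Review bot: `set_target_and_distros(suite)` never uses its `suite` parameter; the body indexes `environment_metadata[test_suite_name]`, a local of the enclosing `validate_environments`, so the helper only works because each caller assigns `test_suite_name` right before calling it. Index by the argument so the helper is self-contained, and give it a short docstring saying that it appends to `target_hosts` / `target_distros` and overwrites `distros_by[key]` in the enclosing scope, since that side-effect contract is not obvious from the call sites. The rewritten helper is below; `validate_environments` itself starts outside this hunk.

```python
    def set_target_and_distros(suite):
        """Append *suite*'s target hosts and distros to the enclosing lists; overwrites distros_by[key]."""
        for key in environment_metadata[suite]:
            if environment_metadata[suite][key]['instances'] > 0:
                # Save manager/agent distros
                distros_by[key] = environment_metadata[suite][key]['distros']
                target_distros.extend(distros_by[key])
                # Host pattern is built from the distro name and the instance type
                target_hosts.extend([distro.lower() + f"-{key}" for distro in distros_by[key]])
```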
@@ -63,18 +72,22 @@ def validate_environments(request): # Save the test environment metadata manager_instances.append(environment_metadata[test_suite_name]['manager']['instances']) agent_instances.append(environment_metadata[test_suite_name]['agent']['instances']) + set_target_and_distros(test_suite_name) + + # Remove duplicates + target_distros = list(dict.fromkeys(target_distros)) + target_hosts = list(dict.fromkeys(target_hosts)) - # Get the largest number of manager/agent instances - num_of_managers = max(manager_instances) - num_of_agents = max(agent_instances) # -------------------------------------------------- End of Step 1 ------------------------------------------------- # ---------------------- Step 2: Run the playbook to generate the general validation playbook ---------------------- gen_parameters = { 'playbook': playbook_generator, 'inventory': inventory_path, 'extravars': { - 'template_path': playbook_template, 'dest_path': general_playbook, - 'num_of_managers': num_of_managers, 'num_of_agents': num_of_agents + 'template_path': playbook_template, + 'dest_path': general_playbook, + 'target_hosts': ','.join(target_hosts), + 'distros': target_distros } } ansible_runner.run(**gen_parameters) 
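Review bot: `manager_instances` and `agent_instances` are still appended to on the `# Save the test environment metadata` lines, but their only consumers, the `max(...)` calls that produced `num_of_managers` / `num_of_agents`, are deleted in this hunk, so both lists look dead unless something further down the function reads them. Either remove the two `append` lines together with their initialisation in Step 1, or leave a comment naming what still reads them. The enclosing `validate_environments` continues outside this hunk, so this is worth confirming there.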
@@ -102,51 +115,28 @@ def validate_environments(request): f"requirements. Result:\n{errors}") # -------------------------------------------------- End of Step 3 ------------------------------------------------- - # ------------------------------------ Step 4: Execute test-specific validations ----------------------------------- - playbook_generator = os.path.join(suite_path, 'data', 'validation_playbooks', 'generate_test_specific_play.yaml') - playbook_template = os.path.join(suite_path, 'data', 'validation_templates', 'test_specific_validation.j2') - + # -------------------------------- Step 4: Execute test-specific validations (if any) ------------------------------ for path in test_suites_paths: - validation_template = os.path.join(path, 'data', 'playbooks', 'validation.j2') - validation_template = validation_template if os.path.exists(validation_template) else '' - # Define the path where the resulting playbook will be stored validation_playbook = os.path.join(path, 'data', 'playbooks', 'validation.yaml') - # Get distros by instances type test_suite_name = path.split('/')[-1:][0] target_hosts = [] - distros = {"manager": [], "agent": []} - for key in environment_metadata[test_suite_name]: - if environment_metadata[test_suite_name][key]['instances'] > 0: - # Save manager/agent distros for the current test - distros[key] = environment_metadata[test_suite_name][key]['distros'] - # Add the target host to the list (following the standard host name: "-*") - target_hosts.extend([distro.lower() + f"-{key}*" for distro in distros[key]]) - - # Generate test_specific validation playbook - gen_parameters = { - 'playbook': playbook_generator, 'inventory': inventory_path, 'envvars': {'ANSIBLE_ROLES_PATH': roles_path}, - 'extravars': { - 'template_path': playbook_template, 'dest_path': validation_playbook, - 'num_of_managers': num_of_managers, 'num_of_agents': num_of_agents, - 'validation_template': validation_template, 'target_hosts': ','.join(target_hosts), - 
'manager_distros': distros['manager'], 'agent_distros': distros['agent'] + distros_by = {"manager": [], "agent": []} + set_target_and_distros(test_suite_name) + + # Run test-specific validation playbook (if any) + if os.path.exists(validation_playbook): + parameters = { + 'playbook': validation_playbook, 'inventory': inventory_path, + 'envvars': {'ANSIBLE_ROLES_PATH': roles_path}, + 'extravars': {'target_hosts': ','.join(target_hosts)} } - } - ansible_runner.run(**gen_parameters) + validation_runner = ansible_runner.run(**parameters) - # Run test_specific validation playbook - parameters = { - 'playbook': validation_playbook, 'inventory': inventory_path, 'envvars': {'ANSIBLE_ROLES_PATH': roles_path} - } - validation_runner = ansible_runner.run(**parameters) - # Remove the generated playbook - remove_file(validation_playbook) - - # If the validation phase has failed, then abort the execution finishing with an error. Else, continue. - if validation_runner.status == 'failed': - raise Exception(f"The validation phase of {test_suite_name} has failed. Please check that the environments " - 'meet the expected requirements.') + # If the validation phase has failed, then abort the execution finishing with an error. Else, continue. + if validation_runner.status == 'failed': + raise Exception(f"The validation phase of {test_suite_name} has failed. Please check that the " + 'environments meet the expected requirements.') # -------------------------------------------------- End of Step 4 ------------------------------------------------- diff --git a/tests/end_to_end/data/validation_playbooks/generate_general_play.yaml b/tests/end_to_end/data/validation_playbooks/generate_general_play.yaml index ada390fb1e..214fcabd0e 100644 --- a/tests/end_to_end/data/validation_playbooks/generate_general_play.yaml +++ b/tests/end_to_end/data/validation_playbooks/generate_general_play.yaml 
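Review bot: The Step 4 loop resets `target_hosts` and `distros_by` before calling `set_target_and_distros(test_suite_name)` but not `target_distros`, so the helper keeps extending the list built in Step 1 with duplicates on every iteration; nothing visible reads it after Step 2, but the asymmetry reads like an oversight and should either be made explicit with `target_distros = []` next to the other two resets or documented with `# target_distros is not needed here; only target_hosts feeds the playbook`. Separately, the removed code built host patterns as `distro.lower() + f"-{key}*"` while the new Step 1 helper emits `f"-{key}"` without the trailing `*`; if inventory host names carry a suffix, the `target_hosts` extravar passed to the validation playbook will no longer match them, so confirm against the inventory naming or restore the wildcard. `validate_environments` ends outside this hunk.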
@@ -1,7 +1,7 @@ - hosts: localhost vars: - num_of_managers: "{{ num_of_managers }}" - num_of_agents: "{{ num_of_agents }}" + target_hosts: "{{ target_hosts }}" + distros: "{{ distros }}" tasks: - name: Generate a general validation playbook template: diff --git a/tests/end_to_end/data/validation_playbooks/generate_test_specific_play.yaml b/tests/end_to_end/data/validation_playbooks/generate_test_specific_play.yaml deleted file mode 100644 index 53cc6e8ac4..0000000000 --- a/tests/end_to_end/data/validation_playbooks/generate_test_specific_play.yaml +++ /dev/null @@ -1,10 +0,0 @@ -- hosts: localhost - vars: - validation_template: "{{ validation_template }}" - num_of_managers: "{{ num_of_managers }}" - num_of_agents: "{{ num_of_agents }}" - tasks: - - name: Generate a test specific validation playbook - template: - src: "{{ template_path }}" - dest: "{{ dest_path }}" diff --git a/tests/end_to_end/data/validation_templates/general_validation.j2 b/tests/end_to_end/data/validation_templates/general_validation.j2 index fe2d3829c0..27c54dc219 100644 --- a/tests/end_to_end/data/validation_templates/general_validation.j2 +++ b/tests/end_to_end/data/validation_templates/general_validation.j2 @@ -1,13 +1,8 @@ - name: General validation phase -{% if num_of_agents == 0 %} - hosts: managers -{% elif num_of_managers == 0 %} - hosts: agents -{% else %} - hosts: managers:agents -{% endif %} + hosts: {{ target_hosts }} any_errors_fatal: true roles: - role: host_checker vars: os: "{% raw %}{{ 'Windows' if ansible_os_family == 'Windows' else 'Linux' }}{% endraw %}" + supported_distros: {{ distros }} diff --git a/tests/end_to_end/data/validation_templates/test_specific_validation.j2 b/tests/end_to_end/data/validation_templates/test_specific_validation.j2 deleted file mode 100644 index d39b93c04c..0000000000 --- a/tests/end_to_end/data/validation_templates/test_specific_validation.j2 +++ /dev/null 
@@ -1,19 +0,0 @@ -- name: Check supported distros - hosts: {{ target_hosts }} - any_errors_fatal: true - tasks: - - - name: Check if the host distribution is compatible - include_role: - name: host_checker - tasks_from: check_supported_distro - vars: - os: "{% raw %}{{ 'Windows' if ansible_os_family == 'Windows' else 'Linux' }}{% endraw %}" - dist: "{% raw %}{{ ansible_distribution if ansible_os_family != 'Windows' else 'Windows' }}{% endraw %}" - manager_distros: {{ manager_distros }} - agent_distros: {{ agent_distros }} - -{# Include the test-specific validation tasks if exist #} -{% if validation_template != '' %} -{% include validation_template %} -{% endif %} diff --git a/tests/end_to_end/roles/host_checker/tasks/check_os.yaml b/tests/end_to_end/roles/host_checker/tasks/check_os.yaml index 028e9b57fe..fdaaeb9d21 100644 --- a/tests/end_to_end/roles/host_checker/tasks/check_os.yaml +++ b/tests/end_to_end/roles/host_checker/tasks/check_os.yaml @@ -1,15 +1,16 @@ # REQUIRED VARIABLES # ------------------- # (String) os: Target operating system +# (String) supported_distros: List of ditros supported by the current test - name: Check OS (Linux) set_fact: check_result: 'true' - errors: "{{ errors }}The {{ ansible_system }} OS was not expected, but the {{ os }} OS.\n" - when: (os != ansible_system and os == "Linux") + errors: "{{ errors }}The {{ ansible_distribution }} distro isn't supported for the selected tests currently.\n" + when: (ansible_distribution not in supported_distros and os == "Linux") - name: Check OS (Windows) set_fact: check_result: 'true' - errors: "{{ errors }}The {{ ansible_os_family }} OS was not expected, but the {{ os }} OS.\n" - when: (os != ansible_os_family and os == "Windows") + errors: "{{ errors }}The {{ os }} OS isn't supported for the selected tests currently.\n" + when: (os == "Windows" and os not in supported_distros) 
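Review bot: The new Linux condition `ansible_distribution not in supported_distros` in check_os.yaml is evaluated against `distros`, which conftest.py builds as the de-duplicated union of every selected suite's distros, so a host whose distro is accepted by one selected suite but not by another now passes, whereas the deleted check_supported_distro.yaml compared against the suite's own `manager_distros` / `agent_distros`; if per-suite enforcement is still wanted it now has to live in each suite's validation.yaml, and the conftest docstring for Step 4 should say so. The header comment added here reads `(String) supported_distros: List of ditros supported by the current test`; it is a list, 'ditros' is a typo, and it is no longer per test: `# (List) supported_distros: Distros accepted for the selected tests`. The same header should state that the Windows branch expects the literal `Windows` to be present in `supported_distros`, since that is what `os not in supported_distros` tests.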
diff --git a/tests/end_to_end/roles/host_checker/tasks/check_supported_distro.yaml b/tests/end_to_end/roles/host_checker/tasks/check_supported_distro.yaml deleted file mode 100644 index d8abbf11e7..0000000000 --- a/tests/end_to_end/roles/host_checker/tasks/check_supported_distro.yaml +++ /dev/null @@ -1,18 +0,0 @@ -# REQUIRED VARIABLES -# ------------------- -# (String) os: Target operating system -# (String) dist: Target distribution -# (String) supported_dist: List of ditros supported by the current test - -- name: Get Wazuh installation - include_role: - name: service_controller - tasks_from: get_installation_type - -- fail: - msg: "{{ dist }} is not supported by this test: {{ manager_distros }}\n" - when: (os == 'Linux' and 'server' in wazuh_info.stdout and dist not in manager_distros) - -- fail: - msg: "{{ dist }} is not supported by this test: {{ agent_distros }}\n" - when: (os == 'Linux' and 'agent' in wazuh_info.stdout and dist not in agent_distros) From 649c066f03e228c78b9647de9f297b32928ad750 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Fri, 19 Aug 2022 19:52:28 -0300 Subject: [PATCH 433/552] feat(#3144): add roles aws tests --- .../data/playbooks/configuration.yaml | 19 +++++++++++-------- .../data/playbooks/generate_events.yaml | 15 ++++++++------- .../data/playbooks/teardown.yaml | 8 +++++--- 3 files changed, 24 insertions(+), 18 deletions(-) diff --git a/tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml index 6443f0e648..b892cef7c5 100644 --- a/tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml +++ b/tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml 
@@ -4,11 +4,11 @@ tasks: - name: Configure the aws-s3 wodle - blockinfile: - path: /var/ossec/etc/ossec.conf - marker: - insertbefore: ^ - block: | + include_role: + name: manage_wazuh_configurations + tasks_from: write_wazuh_config.yaml + vars: + config_block: | no no @@ -23,11 +23,14 @@ {{ aws_region }} + os: 'linux' - name: Restart wazuh-manager - systemd: - state: restarted - name: wazuh-manager + include_role: + name: manage_wazuh + tasks_from: restart_wazuh.yaml + vars: + os: 'linux' - name: Install boto3 python package (script dependency) shell: python3 -m pip install boto3 diff --git a/tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml index 9a174ad899..07a544bf1f 100644 --- a/tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml @@ -5,8 +5,10 @@ become: true tasks: - - name: Truncate alerts file - shell: echo "" > {{ alerts_path }} + - name: Truncate alert.json + include_role: + name: manage_alerts + tasks_from: truncate_alert_json.yaml # Create a bucket using the AWS API - name: Run the script using python3 (create S3 bucket) @@ -23,8 +25,7 @@ wait_for: timeout: 10 - - name: Get alerts.json - fetch: - src: "{{ alerts_path }}" - dest: /tmp/ - flat: true + - name: Get alert json + include_role: + name: manage_alerts + tasks_from: get_alert_json.yaml diff --git a/tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/data/playbooks/teardown.yaml index 17c9bab1ea..6f7c19b1aa 100644 --- a/tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/data/playbooks/teardown.yaml 
+++ b/tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/data/playbooks/teardown.yaml @@ -13,6 +13,8 @@ script: "{{ AWS_API_SCRIPT }} -i {{ aws_access_key_id }} -k {{ aws_secret_access_key }} -b {{ bucket }}" - name: Restart wazuh-manager - systemd: - state: restarted - name: wazuh-manager + include_role: + name: manage_wazuh + tasks_from: restart_wazuh.yaml + vars: + os: 'linux' From d1f85ff293db52c9aa7635b479b4d62785d198e9 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Fri, 19 Aug 2022 20:15:58 -0300 Subject: [PATCH 434/552] feat(#3144): add roles brute force tests --- .../data/playbooks/generate_events.yaml | 15 +++++++-------- .../data/playbooks/generate_events.yaml | 15 +++++++-------- 2 files changed, 14 insertions(+), 16 deletions(-) diff --git a/tests/end_to_end/basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml index 3306ed72df..db4c6a8523 100644 --- a/tests/end_to_end/basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml @@ -3,8 +3,9 @@ tasks: - name: Truncate alert.json - shell: echo "" > /var/ossec/logs/alerts/alerts.json - become: true + include_role: + name: manage_alerts + tasks_from: truncate_alert_json.yaml - name: Generate events hosts: localhost @@ -33,9 +34,7 @@ hosts: wazuh-manager tasks: - - name: Get alerts.json - fetch: - src: /var/ossec/logs/alerts/alerts.json - dest: /tmp/ - flat: true - become: true + - name: Get alert json + include_role: + name: manage_alerts + tasks_from: get_alert_json.yaml 
diff --git a/tests/end_to_end/basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml index b3a9595cf8..d831bff11f 100644 --- a/tests/end_to_end/basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml @@ -3,8 +3,9 @@ tasks: - name: Truncate alert.json - shell: echo "" > /var/ossec/logs/alerts/alerts.json - become: true + include_role: + name: manage_alerts + tasks_from: truncate_alert_json.yaml - name: Generate events hosts: localhost @@ -38,9 +39,7 @@ hosts: wazuh-manager tasks: - - name: Get alerts.json - fetch: - src: /var/ossec/logs/alerts/alerts.json - dest: /tmp/ - flat: true - become: true + - name: Get alert json + include_role: + name: manage_alerts + tasks_from: get_alert_json.yaml From a677b244ce72d16b8cc141fdefcdfe92bdb32022 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Fri, 19 Aug 2022 20:31:26 -0300 Subject: [PATCH 435/552] feat(#3144): add roles suricata tests --- .../data/playbooks/configuration.yaml | 21 +++++++++++-------- .../data/playbooks/generate_events.yaml | 17 +++++++-------- .../data/playbooks/teardown.yaml | 10 +++++---- 3 files changed, 26 insertions(+), 22 deletions(-) diff --git a/tests/end_to_end/basic_cases/test_suricata_integration/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_suricata_integration/data/playbooks/configuration.yaml index 115fa8a16e..b8e3f251a1 100644 --- a/tests/end_to_end/basic_cases/test_suricata_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/basic_cases/test_suricata_integration/data/playbooks/configuration.yaml 
@@ -7,20 +7,23 @@ tasks: - name: Configure Wazuh to read Suricata logs file - blockinfile: - path: /var/ossec/etc/ossec.conf - marker: - insertbefore: ^ - block: | + include_role: + name: manage_wazuh_configurations + tasks_from: write_wazuh_config.yaml + vars: + config_block: | syslog /var/log/suricata/eve.json + os: 'linux' - - name: Restart Wazuh to apply the change - systemd: - state: restarted - name: wazuh-manager + - name: Restart wazuh-manager + include_role: + name: manage_wazuh + tasks_from: restart_wazuh.yaml + vars: + os: 'linux' - name: Check if Suricata is installed shell: dpkg -l suricata | grep suricata diff --git a/tests/end_to_end/basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml index fe1866327b..0457013896 100644 --- a/tests/end_to_end/basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml @@ -1,12 +1,12 @@ - name: Generate events hosts: wazuh-manager become: true - vars: - alerts_path: /var/ossec/logs/alerts/alerts.json tasks: - - name: Truncate alerts file - shell: echo "" > {{ alerts_path }} + - name: Truncate alert.json + include_role: + name: manage_alerts + tasks_from: truncate_alert_json.yaml - name: Run command to generate an alert shell: curl http://testmynids.org/uid/index.html @@ -15,8 +15,7 @@ wait_for: timeout: 10 - - name: Get alerts.json - fetch: - src: "{{ alerts_path }}" - dest: /tmp/ - flat: true + - name: Get alert json + include_role: + name: manage_alerts + tasks_from: get_alert_json.yaml diff --git a/tests/end_to_end/basic_cases/test_suricata_integration/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_suricata_integration/data/playbooks/teardown.yaml index a4f2285252..7e3d28ee1c 100644 --- a/tests/end_to_end/basic_cases/test_suricata_integration/data/playbooks/teardown.yaml 
+++ b/tests/end_to_end/basic_cases/test_suricata_integration/data/playbooks/teardown.yaml @@ -9,7 +9,9 @@ marker: state: absent - - name: Restart Wazuh to apply the change - systemd: - state: restarted - name: wazuh-manager + - name: Restart wazuh-manager + include_role: + name: manage_wazuh + tasks_from: restart_wazuh.yaml + vars: + os: 'linux' From 14040ebf72f8a55a304169c080ce65728c540737 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Fri, 19 Aug 2022 21:10:58 -0300 Subject: [PATCH 436/552] fix(#3144): fix linter error in confest.py --- tests/end_to_end/conftest.py | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index f87dc16f59..2a2dbfae4d 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -13,6 +13,7 @@ alerts_json = os.path.join(gettempdir(), 'alerts.json') suite_path = os.path.dirname(os.path.realpath(__file__)) + @pytest.fixture(scope='function') def clean_alerts_index(get_dashboard_credentials): """Remove the temporary file that contains the alerts and delete indices using the API. @@ -67,7 +68,7 @@ def configure_environment(request): parameters = {'playbook': configuration_playbook_path, 'inventory': inventory_playbook, 'envvars': {'ANSIBLE_ROLES_PATH': roles_path} - } + } # Check if the module has extra variables to pass to the playbook configuration_extra_vars = getattr(request.module, 'configuration_extra_vars', None) @@ -88,8 +89,7 @@ def configure_environment(request): parameters = {'playbook': teardown_playbook_path, 'inventory': inventory_playbook, 'envvars': {'ANSIBLE_ROLES_PATH': roles_path} - } - + } # Check if the module has extra variables to pass to the playbook configuration_extra_vars = getattr(request.module, 'configuration_extra_vars', None) 
@@ -111,7 +111,6 @@ def generate_events(request, metadata): inventory_playbook = request.config.getoption('--inventory_path') roles_path = request.config.getoption('--roles_path') - if not inventory_playbook: raise ValueError('Inventory not specified') @@ -122,7 +121,7 @@ def generate_events(request, metadata): parameters = {'playbook': events_playbook_path, 'inventory': inventory_playbook, 'envvars': {'ANSIBLE_ROLES_PATH': roles_path} - } + } # Check if the test case has extra variables to pass to the playbook and add them to the parameters in that case if 'extra_vars' in metadata: parameters.update({'extravars': metadata['extra_vars']}) From 5c700570ea0c98949020cf1796677a10dbec7489 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Fri, 19 Aug 2022 21:26:55 -0300 Subject: [PATCH 437/552] fix: fix linter errors aws test --- .../data/playbooks/configuration.yaml | 4 ++-- .../data/playbooks/teardown.yaml | 2 +- .../data/playbooks/generate_events.yaml | 2 +- tests/end_to_end/conftest.py | 10 ++++------ 4 files changed, 8 insertions(+), 10 deletions(-) diff --git a/tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml index b892cef7c5..562f596b64 100644 --- a/tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml +++ b/tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml @@ -23,14 +23,14 @@ {{ aws_region }} - os: 'linux' + os: linux - name: Restart wazuh-manager include_role: name: manage_wazuh tasks_from: restart_wazuh.yaml vars: - os: 'linux' + os: linux - name: Install boto3 python package (script dependency) shell: python3 -m pip install boto3 
diff --git a/tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/data/playbooks/teardown.yaml index 6f7c19b1aa..ed18212eaa 100644 --- a/tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/data/playbooks/teardown.yaml +++ b/tests/end_to_end/basic_cases/test_aws_infrastructure_monitoring/data/playbooks/teardown.yaml @@ -17,4 +17,4 @@ name: manage_wazuh tasks_from: restart_wazuh.yaml vars: - os: 'linux' + os: linux diff --git a/tests/end_to_end/basic_cases/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml index c1f65b3d2d..f0a294df22 100644 --- a/tests/end_to_end/basic_cases/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/basic_cases/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml @@ -13,7 +13,7 @@ name: manage_wazuh tasks_from: restart_wazuh.yaml vars: - os: 'linux' + os: linux - name: Wait for alerts to be generated wait_for: diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 2a2dbfae4d..e1ed92af98 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -67,8 +67,7 @@ def configure_environment(request): configuration_playbook_path = os.path.join(getattr(request.module, 'test_data_path'), 'playbooks', playbook) parameters = {'playbook': configuration_playbook_path, 'inventory': inventory_playbook, - 'envvars': {'ANSIBLE_ROLES_PATH': roles_path} - } + 'envvars': {'ANSIBLE_ROLES_PATH': roles_path}} # Check if the module has extra variables to pass to the playbook configuration_extra_vars = getattr(request.module, 'configuration_extra_vars', None) 
@@ -89,7 +88,7 @@ def configure_environment(request): parameters = {'playbook': teardown_playbook_path, 'inventory': inventory_playbook, 'envvars': {'ANSIBLE_ROLES_PATH': roles_path} - } + } # Check if the module has extra variables to pass to the playbook configuration_extra_vars = getattr(request.module, 'configuration_extra_vars', None) @@ -119,9 +118,8 @@ def generate_events(request, metadata): events_playbook_path = os.path.join(getattr(request.module, 'test_data_path'), 'playbooks', playbook) parameters = {'playbook': events_playbook_path, - 'inventory': inventory_playbook, - 'envvars': {'ANSIBLE_ROLES_PATH': roles_path} - } + 'inventory': inventory_playbook, + 'envvars': {'ANSIBLE_ROLES_PATH': roles_path}} # Check if the test case has extra variables to pass to the playbook and add them to the parameters in that case if 'extra_vars' in metadata: parameters.update({'extravars': metadata['extra_vars']}) From 4eccd38a11149558b55cbf8296bdce2612083125 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Fri, 19 Aug 2022 22:03:23 -0300 Subject: [PATCH 438/552] fix(#3144): fixed linter errors --- .../data/playbooks/configuration.yaml | 6 +++--- .../test_docker_monitoring/data/playbooks/teardown.yaml | 5 ++--- .../test_emotet/data/playbooks/configuration.yaml | 6 +++--- .../basic_cases/test_emotet/data/playbooks/teardown.yaml | 4 ++-- .../test_fim_linux/data/playbooks/configuration.yaml | 4 ++-- .../test_fim_linux/data/playbooks/generate_events.yaml | 2 +- .../test_fim/test_fim_linux/data/playbooks/teardown.yaml | 2 +- .../test_fim_windows/data/playbooks/configuration.yaml | 4 ++-- .../test_fim/test_fim_windows/data/playbooks/teardown.yaml | 3 +-- .../test_ip_reputation/data/playbooks/configuration.yaml | 4 ++-- .../test_ip_reputation/data/playbooks/teardown.yaml | 2 +- tests/end_to_end/conftest.py | 3 +-- 12 files changed, 21 insertions(+), 24 deletions(-) 
diff --git a/tests/end_to_end/basic_cases/test_docker_monitoring/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_docker_monitoring/data/playbooks/configuration.yaml index 079f5aad1d..0798454e4e 100644 --- a/tests/end_to_end/basic_cases/test_docker_monitoring/data/playbooks/configuration.yaml +++ b/tests/end_to_end/basic_cases/test_docker_monitoring/data/playbooks/configuration.yaml @@ -15,18 +15,18 @@ yes no - os: 'linux' + os: linux - name: Restart wazuh-manager include_role: name: manage_wazuh tasks_from: restart_wazuh.yaml vars: - os: 'linux' + os: linux - name: Force systemd to reread configs systemd: - daemon_reload: yes + daemon_reload: true - name: Check if Docker is installed or not on CentOS command: systemctl status docker --no-pager diff --git a/tests/end_to_end/basic_cases/test_docker_monitoring/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_docker_monitoring/data/playbooks/teardown.yaml index d3b0dabb37..07fee57549 100644 --- a/tests/end_to_end/basic_cases/test_docker_monitoring/data/playbooks/teardown.yaml +++ b/tests/end_to_end/basic_cases/test_docker_monitoring/data/playbooks/teardown.yaml @@ -1,7 +1,6 @@ ---- - name: Cleanup environment hosts: wazuh-manager - become: True + become: true tasks: - name: Delete the docker-listener module configuration @@ -15,4 +14,4 @@ name: manage_wazuh tasks_from: restart_wazuh.yaml vars: - os: 'linux' + os: linux diff --git a/tests/end_to_end/basic_cases/test_emotet/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_emotet/data/playbooks/configuration.yaml index 59c5496646..b3548f7923 100644 --- a/tests/end_to_end/basic_cases/test_emotet/data/playbooks/configuration.yaml +++ b/tests/end_to_end/basic_cases/test_emotet/data/playbooks/configuration.yaml 
@@ -66,7 +66,7 @@ Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`neventchannel" Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" - os: 'windows' + os: windows - name: Download trigger_emotet.exe win_shell: | @@ -78,7 +78,7 @@ name: manage_wazuh tasks_from: restart_wazuh.yaml vars: - os: 'windows' + os: windows - name: Test manager configuration hosts: wazuh-manager @@ -124,4 +124,4 @@ name: manage_wazuh tasks_from: restart_wazuh.yaml vars: - os: 'linux' + os: linux diff --git a/tests/end_to_end/basic_cases/test_emotet/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_emotet/data/playbooks/teardown.yaml index 9503acfab4..31284734a4 100644 --- a/tests/end_to_end/basic_cases/test_emotet/data/playbooks/teardown.yaml +++ b/tests/end_to_end/basic_cases/test_emotet/data/playbooks/teardown.yaml @@ -16,7 +16,7 @@ - name: Kill trigger-emotet.exe win_shell: | taskkill /im trigger-emotet.exe /f - become: yes + become: true become_method: runas become_user: Administrator @@ -30,7 +30,7 @@ name: manage_wazuh tasks_from: restart_wazuh.yaml vars: - os: 'windows' + os: windows - name: Enable Windows Defender win_shell: set-MpPreference -DisableRealtimeMonitoring $False diff --git a/tests/end_to_end/basic_cases/test_fim/test_fim_linux/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_fim/test_fim_linux/data/playbooks/configuration.yaml index 608305e8fd..70a4918a42 100644 --- a/tests/end_to_end/basic_cases/test_fim/test_fim_linux/data/playbooks/configuration.yaml +++ b/tests/end_to_end/basic_cases/test_fim/test_fim_linux/data/playbooks/configuration.yaml @@ -17,11 +17,11 @@ /tmp/test_demo_fim - os: 'linux' + os: linux - name: Restart wazuh-agent include_role: name: manage_wazuh tasks_from: restart_wazuh.yaml vars: - os: 'linux' + os: linux 
diff --git a/tests/end_to_end/basic_cases/test_fim/test_fim_linux/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_fim/test_fim_linux/data/playbooks/generate_events.yaml index eda444c717..bf8bfa81f0 100644 --- a/tests/end_to_end/basic_cases/test_fim/test_fim_linux/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/basic_cases/test_fim/test_fim_linux/data/playbooks/generate_events.yaml @@ -12,7 +12,7 @@ tasks: - name: "{{ event_description }}" - become: True + become: true file: path: "{{ path }}" state: "{{ state }}" diff --git a/tests/end_to_end/basic_cases/test_fim/test_fim_linux/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_fim/test_fim_linux/data/playbooks/teardown.yaml index 0192e6f020..24e6f74701 100644 --- a/tests/end_to_end/basic_cases/test_fim/test_fim_linux/data/playbooks/teardown.yaml +++ b/tests/end_to_end/basic_cases/test_fim/test_fim_linux/data/playbooks/teardown.yaml @@ -19,4 +19,4 @@ name: manage_wazuh tasks_from: restart_wazuh.yaml vars: - os: 'linux' + os: linux diff --git a/tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/playbooks/configuration.yaml index cdd985579c..a0750024bc 100644 --- a/tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/playbooks/configuration.yaml +++ b/tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/playbooks/configuration.yaml @@ -19,7 +19,7 @@ '`nC:\\Test\\test_demo_fim' Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" - os: 'windows' + os: windows - name: Truncate ossec.log win_file: @@ -31,7 +31,7 @@ name: manage_wazuh tasks_from: restart_wazuh.yaml vars: - os: 'windows' + os: windows - name: Wait for whodata start win_wait_for: 
diff --git a/tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/playbooks/teardown.yaml index b529b643cd..8597fc28eb 100644 --- a/tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/playbooks/teardown.yaml +++ b/tests/end_to_end/basic_cases/test_fim/test_fim_windows/data/playbooks/teardown.yaml @@ -1,4 +1,3 @@ ---- - name: Cleanup Windows agent environment hosts: wazuh-windows tasks: @@ -19,4 +18,4 @@ name: manage_wazuh tasks_from: restart_wazuh.yaml vars: - os: 'windows' + os: windows diff --git a/tests/end_to_end/basic_cases/test_ip_reputation/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_ip_reputation/data/playbooks/configuration.yaml index 8ff48718f1..fb5f67fabc 100644 --- a/tests/end_to_end/basic_cases/test_ip_reputation/data/playbooks/configuration.yaml +++ b/tests/end_to_end/basic_cases/test_ip_reputation/data/playbooks/configuration.yaml @@ -77,7 +77,7 @@ 100100 10s - os: 'linux' + os: linux - name: Configure local rules include_role: @@ -98,7 +98,7 @@ name: manage_wazuh tasks_from: restart_wazuh.yaml vars: - os: 'linux' + os: linux - name: Windows agent configuration hosts: wazuh-windows diff --git a/tests/end_to_end/basic_cases/test_ip_reputation/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_ip_reputation/data/playbooks/teardown.yaml index b6c081224b..84af7ab876 100644 --- a/tests/end_to_end/basic_cases/test_ip_reputation/data/playbooks/teardown.yaml +++ b/tests/end_to_end/basic_cases/test_ip_reputation/data/playbooks/teardown.yaml @@ -29,7 +29,7 @@ name: manage_wazuh tasks_from: restart_wazuh.yaml vars: - os: 'linux' + os: linux - name: Cleanup Windows agent environment hosts: wazuh-windows diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index e1ed92af98..2bf84520eb 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py 
@@ -87,8 +87,7 @@ def configure_environment(request): parameters = {'playbook': teardown_playbook_path, 'inventory': inventory_playbook, - 'envvars': {'ANSIBLE_ROLES_PATH': roles_path} - } + 'envvars': {'ANSIBLE_ROLES_PATH': roles_path}} # Check if the module has extra variables to pass to the playbook configuration_extra_vars = getattr(request.module, 'configuration_extra_vars', None) From fda82e2b4ee0e41e4d6e5be5f4e229e6527c6079 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Fri, 19 Aug 2022 22:09:50 -0300 Subject: [PATCH 439/552] fix(#3144): fix linter errors netcat tests --- .../test_netcat/data/playbooks/configuration.yaml | 6 +++--- .../test_netcat/data/playbooks/generate_events.yaml | 2 +- .../basic_cases/test_netcat/data/playbooks/teardown.yaml | 1 - 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/tests/end_to_end/basic_cases/test_netcat/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_netcat/data/playbooks/configuration.yaml index 09f23ca4cc..523b692715 100644 --- a/tests/end_to_end/basic_cases/test_netcat/data/playbooks/configuration.yaml +++ b/tests/end_to_end/basic_cases/test_netcat/data/playbooks/configuration.yaml @@ -14,14 +14,14 @@ ps -e -o pid,uname,command 30 - os: 'linux' + os: linux - name: Restart wazuh-agent include_role: name: manage_wazuh tasks_from: restart_wazuh.yaml vars: - os: 'linux' + os: linux - name: Install netcat (CentOS) become: true @@ -63,4 +63,4 @@ name: manage_wazuh tasks_from: restart_wazuh.yaml vars: - os: 'linux' + os: linux diff --git a/tests/end_to_end/basic_cases/test_netcat/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_netcat/data/playbooks/generate_events.yaml index 302fde9de3..af11c14ccd 100644 --- a/tests/end_to_end/basic_cases/test_netcat/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/basic_cases/test_netcat/data/playbooks/generate_events.yaml 
@@ -14,7 +14,7 @@ - name: "{{ event_description_netcat }}" command: "{{ command_netcat }}" timeout: 30 - ignore_errors: true # Added 'ignore errors' because the command nc -l 8000 continues running after the timeout + ignore_errors: true #Added 'ignore errors' because the command nc -l 8000 continues running after the timeout - name: Wait for alert wait_for: diff --git a/tests/end_to_end/basic_cases/test_netcat/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_netcat/data/playbooks/teardown.yaml index 596801a8bb..4d8102fc84 100644 --- a/tests/end_to_end/basic_cases/test_netcat/data/playbooks/teardown.yaml +++ b/tests/end_to_end/basic_cases/test_netcat/data/playbooks/teardown.yaml @@ -1,4 +1,3 @@ ---- - name: Cleanup agent environment hosts: wazuh-agent become: True From fe0df1f50e9203870a28689c431c5b1350cb5080 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Fri, 19 Aug 2022 22:15:30 -0300 Subject: [PATCH 440/552] fix: linter error --- .../test_netcat/data/playbooks/generate_events.yaml | 3 ++- .../basic_cases/test_netcat/data/playbooks/teardown.yaml | 8 ++++---- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/tests/end_to_end/basic_cases/test_netcat/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_netcat/data/playbooks/generate_events.yaml index af11c14ccd..6de7818b38 100644 --- a/tests/end_to_end/basic_cases/test_netcat/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/basic_cases/test_netcat/data/playbooks/generate_events.yaml @@ -14,7 +14,8 @@ - name: "{{ event_description_netcat }}" command: "{{ command_netcat }}" timeout: 30 - ignore_errors: true #Added 'ignore errors' because the command nc -l 8000 continues running after the timeout + # Added 'ignore errors' because the command nc -l 8000 continues running after the timeout + ignore_errors: true - name: Wait for alert wait_for: 
diff --git a/tests/end_to_end/basic_cases/test_netcat/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_netcat/data/playbooks/teardown.yaml index 4d8102fc84..acb8f15d5c 100644 --- a/tests/end_to_end/basic_cases/test_netcat/data/playbooks/teardown.yaml +++ b/tests/end_to_end/basic_cases/test_netcat/data/playbooks/teardown.yaml @@ -1,6 +1,6 @@ - name: Cleanup agent environment hosts: wazuh-agent - become: True + become: true tasks: - name: Delete agent configuration @@ -14,11 +14,11 @@ name: manage_wazuh tasks_from: restart_wazuh.yaml vars: - os: 'linux' + os: linux - name: Cleanup manager environment hosts: wazuh-manager - become: True + become: true tasks: - name: Delete added rules @@ -32,4 +32,4 @@ name: manage_wazuh tasks_from: restart_wazuh.yaml vars: - os: 'linux' + os: linux From 126b2f49e65bb2d9ff9ce53ab11eb546996f546f Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Fri, 19 Aug 2022 22:29:39 -0300 Subject: [PATCH 441/552] fix(#3144): linter errors --- .../data/playbooks/configuration.yaml | 4 ++-- .../test_osquery_integration/data/playbooks/teardown.yaml | 5 ++--- .../data/playbooks/configuration.yaml | 4 ++-- .../data/playbooks/teardown.yaml | 4 ++-- .../data/playbooks/configuration.yaml | 4 ++-- .../test_slack_integration/data/playbooks/teardown.yaml | 2 +- .../test_sql_injection/data/playbooks/configuration.yaml | 4 ++-- .../data/playbooks/generate_events.yaml | 1 - .../test_sql_injection/data/playbooks/teardown.yaml | 5 ++--- .../data/playbooks/configuration.yaml | 4 ++-- .../data/playbooks/teardown.yaml | 2 +- .../data/playbooks/configuration.yaml | 8 ++++---- .../data/playbooks/teardown.yaml | 8 ++++---- 13 files changed, 26 insertions(+), 29 deletions(-) diff --git a/tests/end_to_end/basic_cases/test_osquery_integration/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_osquery_integration/data/playbooks/configuration.yaml index cc5cf3a3cb..1b1ae719c2 100644 
--- a/tests/end_to_end/basic_cases/test_osquery_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/basic_cases/test_osquery_integration/data/playbooks/configuration.yaml @@ -44,7 +44,7 @@ /etc/osquery/osquery.conf no - os: 'linux' + os: linux - name: Start Osquery shell: systemctl start osqueryd @@ -55,7 +55,7 @@ name: manage_wazuh tasks_from: restart_wazuh.yaml vars: - os: 'linux' + os: linux - name: Check if stress is installed or not on CentOS command: rpm -q stress diff --git a/tests/end_to_end/basic_cases/test_osquery_integration/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_osquery_integration/data/playbooks/teardown.yaml index f04ce97312..2df484f628 100644 --- a/tests/end_to_end/basic_cases/test_osquery_integration/data/playbooks/teardown.yaml +++ b/tests/end_to_end/basic_cases/test_osquery_integration/data/playbooks/teardown.yaml @@ -1,7 +1,6 @@ ---- - name: Cleanup manager environment hosts: wazuh-manager - become: True + become: true tasks: - name: Delete Osquery configuration file @@ -25,7 +24,7 @@ name: manage_wazuh tasks_from: restart_wazuh.yaml vars: - os: 'linux' + os: linux - name: Uninstall stress shell: yum remove -y stress diff --git a/tests/end_to_end/basic_cases/test_shellshock_attack_detection/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_shellshock_attack_detection/data/playbooks/configuration.yaml index 694a69d42d..60108d8b4d 100644 --- a/tests/end_to_end/basic_cases/test_shellshock_attack_detection/data/playbooks/configuration.yaml +++ b/tests/end_to_end/basic_cases/test_shellshock_attack_detection/data/playbooks/configuration.yaml @@ -13,14 +13,14 @@ apache /var/log/httpd/access_log - os: 'linux' + os: linux - name: Restart wazuh-manager include_role: name: manage_wazuh tasks_from: restart_wazuh.yaml vars: - os: 'linux' + os: linux - name: Check if Firewalld is installed on CentOS shell: systemctl status firewalld --no-pager 
diff --git a/tests/end_to_end/basic_cases/test_shellshock_attack_detection/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_shellshock_attack_detection/data/playbooks/teardown.yaml index 807364645e..082f7b6b73 100644 --- a/tests/end_to_end/basic_cases/test_shellshock_attack_detection/data/playbooks/teardown.yaml +++ b/tests/end_to_end/basic_cases/test_shellshock_attack_detection/data/playbooks/teardown.yaml @@ -1,7 +1,7 @@ --- - name: Cleanup manager environment hosts: wazuh-manager - become: True + become: true tasks: - name: Delete localfile configuration @@ -15,4 +15,4 @@ name: manage_wazuh tasks_from: restart_wazuh.yaml vars: - os: 'linux' + os: linux diff --git a/tests/end_to_end/basic_cases/test_slack_integration/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_slack_integration/data/playbooks/configuration.yaml index 4c9ea49be3..d386f8be93 100644 --- a/tests/end_to_end/basic_cases/test_slack_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/basic_cases/test_slack_integration/data/playbooks/configuration.yaml @@ -16,7 +16,7 @@ {{ RULE_ID }} json - os: 'linux' + os: linux - name: Truncate alert.json include_role: @@ -28,4 +28,4 @@ name: manage_wazuh tasks_from: restart_wazuh.yaml vars: - os: 'linux' + os: linux diff --git a/tests/end_to_end/basic_cases/test_slack_integration/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_slack_integration/data/playbooks/teardown.yaml index cf59562e76..d171dfbd66 100644 --- a/tests/end_to_end/basic_cases/test_slack_integration/data/playbooks/teardown.yaml +++ b/tests/end_to_end/basic_cases/test_slack_integration/data/playbooks/teardown.yaml @@ -19,4 +19,4 @@ name: manage_wazuh tasks_from: restart_wazuh.yaml vars: - os: 'linux' + os: linux diff --git a/tests/end_to_end/basic_cases/test_sql_injection/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_sql_injection/data/playbooks/configuration.yaml index 2a4295dff2..78edb1bcbe 100644 
--- a/tests/end_to_end/basic_cases/test_sql_injection/data/playbooks/configuration.yaml +++ b/tests/end_to_end/basic_cases/test_sql_injection/data/playbooks/configuration.yaml @@ -21,11 +21,11 @@ apache /var/log/httpd/access_log - os: 'linux' + os: linux - name: Restart agent include_role: name: manage_wazuh tasks_from: restart_wazuh.yaml vars: - os: 'linux' + os: linux diff --git a/tests/end_to_end/basic_cases/test_sql_injection/data/playbooks/generate_events.yaml b/tests/end_to_end/basic_cases/test_sql_injection/data/playbooks/generate_events.yaml index f3212fcf7a..582c61552f 100644 --- a/tests/end_to_end/basic_cases/test_sql_injection/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/basic_cases/test_sql_injection/data/playbooks/generate_events.yaml @@ -26,4 +26,3 @@ include_role: name: manage_alerts tasks_from: get_alert_json.yaml - diff --git a/tests/end_to_end/basic_cases/test_sql_injection/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_sql_injection/data/playbooks/teardown.yaml index 0a3fb64f60..5ef77951c2 100644 --- a/tests/end_to_end/basic_cases/test_sql_injection/data/playbooks/teardown.yaml +++ b/tests/end_to_end/basic_cases/test_sql_injection/data/playbooks/teardown.yaml @@ -1,7 +1,6 @@ ---- - name: Cleanup agent environment hosts: wazuh-agent - become: True + become: true tasks: - name: Delete localfile configuration @@ -15,4 +14,4 @@ name: manage_wazuh tasks_from: restart_wazuh.yaml vars: - os: 'linux' + os: linux diff --git a/tests/end_to_end/basic_cases/test_suricata_integration/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_suricata_integration/data/playbooks/configuration.yaml index b8e3f251a1..203530186e 100644 --- a/tests/end_to_end/basic_cases/test_suricata_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/basic_cases/test_suricata_integration/data/playbooks/configuration.yaml 
@@ -16,14 +16,14 @@ syslog /var/log/suricata/eve.json - os: 'linux' + os: linux - name: Restart wazuh-manager include_role: name: manage_wazuh tasks_from: restart_wazuh.yaml vars: - os: 'linux' + os: linux - name: Check if Suricata is installed shell: dpkg -l suricata | grep suricata diff --git a/tests/end_to_end/basic_cases/test_suricata_integration/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_suricata_integration/data/playbooks/teardown.yaml index 7e3d28ee1c..3ec5579641 100644 --- a/tests/end_to_end/basic_cases/test_suricata_integration/data/playbooks/teardown.yaml +++ b/tests/end_to_end/basic_cases/test_suricata_integration/data/playbooks/teardown.yaml @@ -14,4 +14,4 @@ name: manage_wazuh tasks_from: restart_wazuh.yaml vars: - os: 'linux' + os: linux diff --git a/tests/end_to_end/basic_cases/test_virustotal_integration/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_virustotal_integration/data/playbooks/configuration.yaml index c386444f44..a8ffa9ea2b 100644 --- a/tests/end_to_end/basic_cases/test_virustotal_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/basic_cases/test_virustotal_integration/data/playbooks/configuration.yaml @@ -28,7 +28,7 @@ local 87105 - os: 'linux' + os: linux - name: Configure local rules virustotal integration include_role: @@ -73,7 +73,7 @@ name: manage_wazuh tasks_from: restart_wazuh.yaml vars: - os: 'linux' + os: linux - name: Test agent configuration hosts: wazuh-agent @@ -89,7 +89,7 @@ /root - os: 'linux' + os: linux - name: Add active response script become: true @@ -113,4 +113,4 @@ name: manage_wazuh tasks_from: restart_wazuh.yaml vars: - os: 'linux' + os: linux diff --git a/tests/end_to_end/basic_cases/test_virustotal_integration/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_virustotal_integration/data/playbooks/teardown.yaml index 314d5f349d..ac70b88708 100644 
--- a/tests/end_to_end/basic_cases/test_virustotal_integration/data/playbooks/teardown.yaml +++ b/tests/end_to_end/basic_cases/test_virustotal_integration/data/playbooks/teardown.yaml @@ -1,7 +1,7 @@ --- - name: Cleanup manager environment hosts: wazuh-manager - become: True + become: true tasks: - name: Delete Virustotal integration and active response configuration @@ -21,11 +21,11 @@ name: manage_wazuh tasks_from: restart_wazuh.yaml vars: - os: 'linux' + os: linux - name: Cleanup agent environment hosts: wazuh-agent - become: True + become: true tasks: - name: Delete syscheck configuration @@ -49,4 +49,4 @@ name: manage_wazuh tasks_from: restart_wazuh.yaml vars: - os: 'linux' + os: linux From 8cecf7601b27302f1a9c9ff74f74b64ef0ff73d3 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Fri, 19 Aug 2022 22:37:42 -0300 Subject: [PATCH 442/552] fix(#3244): fix linter error vulnerability detector --- .../data/playbooks/teardown.yaml | 1 - .../data/playbooks/teardown.yaml | 1 - .../data/playbooks/configuration.yaml | 10 +++++----- .../data/playbooks/teardown.yaml | 2 +- .../data/playbooks/configuration.yaml | 8 ++++---- .../data/playbooks/teardown.yaml | 2 +- 6 files changed, 11 insertions(+), 13 deletions(-) diff --git a/tests/end_to_end/basic_cases/test_shellshock_attack_detection/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_shellshock_attack_detection/data/playbooks/teardown.yaml index 082f7b6b73..747f00f0c0 100644 --- a/tests/end_to_end/basic_cases/test_shellshock_attack_detection/data/playbooks/teardown.yaml +++ b/tests/end_to_end/basic_cases/test_shellshock_attack_detection/data/playbooks/teardown.yaml @@ -1,4 +1,3 @@ ---- - name: Cleanup manager environment hosts: wazuh-manager become: true diff --git a/tests/end_to_end/basic_cases/test_virustotal_integration/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_virustotal_integration/data/playbooks/teardown.yaml index ac70b88708..c4fd47be6f 100644 
--- a/tests/end_to_end/basic_cases/test_virustotal_integration/data/playbooks/teardown.yaml +++ b/tests/end_to_end/basic_cases/test_virustotal_integration/data/playbooks/teardown.yaml @@ -1,4 +1,3 @@ ---- - name: Cleanup manager environment hosts: wazuh-manager become: true diff --git a/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/configuration.yaml index 995fef01aa..35618b9ef8 100644 --- a/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/configuration.yaml +++ b/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/configuration.yaml @@ -14,14 +14,14 @@ yes yes - os: 'linux' + os: linux - name: Restart wazuh-agent (Ubuntu) include_role: name: manage_wazuh tasks_from: restart_wazuh.yaml vars: - os: 'linux' + os: linux - name: Test manager configuration hosts: wazuh-manager @@ -37,7 +37,7 @@ tasks_from: write_wazuh_config.yaml vars: config_block: | - + yes 10s 10s @@ -57,14 +57,14 @@ 1h - os: 'linux' + os: linux - name: Restart wazuh-manager include_role: name: manage_wazuh tasks_from: restart_wazuh.yaml vars: - os: 'linux' + os: linux - name: Wait until the feeds were downloaded and the first scan was completed become: true diff --git a/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/teardown.yaml index 94f469edb1..847b92e458 100644 --- a/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/teardown.yaml +++ b/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/teardown.yaml 
@@ -18,4 +18,4 @@ name: manage_wazuh tasks_from: restart_wazuh.yaml vars: - os: 'linux' + os: linux diff --git a/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/configuration.yaml index a1f1adff83..0a965ec43a 100644 --- a/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/configuration.yaml +++ b/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/configuration.yaml @@ -28,14 +28,14 @@ Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`nyes" Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" - os: 'windows' + os: windows - name: Restart wazuh-agent include_role: name: manage_wazuh tasks_from: restart_wazuh.yaml vars: - os: 'windows' + os: windows - name: Test manager configuration hosts: wazuh-manager @@ -70,14 +70,14 @@ 1h - os: 'linux' + os: linux - name: Restart wazuh-manager include_role: name: manage_wazuh tasks_from: restart_wazuh.yaml vars: - os: 'linux' + os: linux - name: Wait until the feeds were downloaded and the first scan was completed become: true diff --git a/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/teardown.yaml index 99a5d4400b..2427b58cb7 100644 --- a/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/teardown.yaml +++ b/tests/end_to_end/basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/teardown.yaml 
@@ -22,4 +22,4 @@ name: manage_wazuh tasks_from: restart_wazuh.yaml vars: - os: 'windows' + os: windows From d8cc21bb73f086796b4026d84ff2582cc2e238ab Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Fri, 19 Aug 2022 22:46:55 -0300 Subject: [PATCH 443/552] fix: linter error --- .../data/playbooks/configuration.yaml | 4 ++-- .../test_windows_defender/data/playbooks/teardown.yaml | 2 +- .../data/playbooks/configuration.yaml | 4 ++-- .../roles/manage_alerts/tasks/get_alert_json.yaml | 8 ++++---- .../roles/manage_alerts/tasks/truncate_alert_json.yaml | 2 +- .../roles/manage_wazuh/tasks/restart_wazuh.yaml | 2 -- .../tasks/write_wazuh_config.yaml | 6 ++++++ 7 files changed, 16 insertions(+), 12 deletions(-) diff --git a/tests/end_to_end/basic_cases/test_windows_defender/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_windows_defender/data/playbooks/configuration.yaml index 53fd51487f..1a902bd69e 100644 --- a/tests/end_to_end/basic_cases/test_windows_defender/data/playbooks/configuration.yaml +++ b/tests/end_to_end/basic_cases/test_windows_defender/data/playbooks/configuration.yaml @@ -26,14 +26,14 @@ Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`neventchannel" Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" - os: 'windows' + os: windows - name: Restart agent include_role: name: manage_wazuh tasks_from: restart_wazuh.yaml vars: - os: 'windows' + os: windows - name: Test manager configuration hosts: wazuh-manager diff --git a/tests/end_to_end/basic_cases/test_windows_defender/data/playbooks/teardown.yaml b/tests/end_to_end/basic_cases/test_windows_defender/data/playbooks/teardown.yaml index 33686140f7..14202fbf0f 100644 --- a/tests/end_to_end/basic_cases/test_windows_defender/data/playbooks/teardown.yaml +++ b/tests/end_to_end/basic_cases/test_windows_defender/data/playbooks/teardown.yaml 
@@ -21,4 +21,4 @@ name: manage_wazuh tasks_from: restart_wazuh.yaml vars: - os: 'windows' + os: windows diff --git a/tests/end_to_end/basic_cases/test_yara_integration/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_yara_integration/data/playbooks/configuration.yaml index ed750c479f..21856ff8a4 100644 --- a/tests/end_to_end/basic_cases/test_yara_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/basic_cases/test_yara_integration/data/playbooks/configuration.yaml @@ -69,14 +69,14 @@ /tmp/yara/malware - os: 'linux' + os: linux - name: Restart wazuh-manager include_role: name: manage_wazuh tasks_from: restart_wazuh.yaml vars: - os: 'linux' + os: linux - name: Create a directory to store Yara rules file: diff --git a/tests/end_to_end/roles/manage_alerts/tasks/get_alert_json.yaml b/tests/end_to_end/roles/manage_alerts/tasks/get_alert_json.yaml index 684f41b76d..13325cac00 100644 --- a/tests/end_to_end/roles/manage_alerts/tasks/get_alert_json.yaml +++ b/tests/end_to_end/roles/manage_alerts/tasks/get_alert_json.yaml @@ -1,6 +1,6 @@ - name: Get alerts.json fetch: - src: /var/ossec/logs/alerts/alerts.json - dest: /tmp/ - flat: true - become: true \ No newline at end of file + src: /var/ossec/logs/alerts/alerts.json + dest: /tmp/ + flat: true + become: true diff --git a/tests/end_to_end/roles/manage_alerts/tasks/truncate_alert_json.yaml b/tests/end_to_end/roles/manage_alerts/tasks/truncate_alert_json.yaml index 7230e5b58d..e7d5b2b3c9 100644 --- a/tests/end_to_end/roles/manage_alerts/tasks/truncate_alert_json.yaml +++ b/tests/end_to_end/roles/manage_alerts/tasks/truncate_alert_json.yaml @@ -1,3 +1,3 @@ - name: Truncate file shell: echo "" > /var/ossec/logs/alerts/alerts.json - become: true \ No newline at end of file + become: true diff --git a/tests/end_to_end/roles/manage_wazuh/tasks/restart_wazuh.yaml b/tests/end_to_end/roles/manage_wazuh/tasks/restart_wazuh.yaml index 878923a8ce..5c6d4e66a5 100644 
--- a/tests/end_to_end/roles/manage_wazuh/tasks/restart_wazuh.yaml +++ b/tests/end_to_end/roles/manage_wazuh/tasks/restart_wazuh.yaml @@ -1,5 +1,3 @@ ---- - # REQUIRED VARIABLES #------------------- # diff --git a/tests/end_to_end/roles/manage_wazuh_configurations/tasks/write_wazuh_config.yaml b/tests/end_to_end/roles/manage_wazuh_configurations/tasks/write_wazuh_config.yaml index 71c73ddc0b..a96b22730f 100644 --- a/tests/end_to_end/roles/manage_wazuh_configurations/tasks/write_wazuh_config.yaml +++ b/tests/end_to_end/roles/manage_wazuh_configurations/tasks/write_wazuh_config.yaml @@ -1,3 +1,9 @@ + # REQUIRED VARIABLES + #------------------- + # + # GENERIC: + # - (String) os: Target operating system + - name: Configure ossec.conf linux become: true blockinfile: From a759eaae80b84d29e73eaaffa24695ae340ff9f7 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Fri, 19 Aug 2022 23:14:07 -0300 Subject: [PATCH 444/552] fix:(#3144): linter error in roles --- .../manage_wazuh/tasks/restart_wazuh.yaml | 55 ++++++++++--------- .../tasks/write_wazuh_config.yaml | 10 ++-- 2 files changed, 33 insertions(+), 32 deletions(-) diff --git a/tests/end_to_end/roles/manage_wazuh/tasks/restart_wazuh.yaml b/tests/end_to_end/roles/manage_wazuh/tasks/restart_wazuh.yaml index 5c6d4e66a5..e5d46b1619 100644 --- a/tests/end_to_end/roles/manage_wazuh/tasks/restart_wazuh.yaml +++ b/tests/end_to_end/roles/manage_wazuh/tasks/restart_wazuh.yaml 
@@ -1,31 +1,32 @@ - # REQUIRED VARIABLES - #------------------- - # - # GENERIC: - # - (String) os: Target operating system +# REQUIRED VARIABLES +# ------------------- +# +# GENERIC: +# - (String) os: Target operating system - - name: Get installation type - become: true - shell: /var/ossec/bin/wazuh-control info - register: wazuh_info - when: os == 'linux' +- name: Get installation type + become: true + shell: /var/ossec/bin/wazuh-control info + register: wazuh_info + when: os == 'linux' - - name: Restart manager service on linux - become: true - service: - name: wazuh-manager - state: restarted - when: (os == 'linux' and 'server' in wazuh_info.stdout) +- name: Restart manager service on linux + become: true + service: + name: wazuh-manager + state: restarted + when: (os == 'linux' and 'server' in wazuh_info.stdout) - - name: Restart agent service on linux - become: true - service: - name: "wazuh-agent" - state: restarted - when: (os == 'linux' and 'agent' in wazuh_info.stdout) +- name: Restart agent service on linux + become: true + service: + name: "wazuh-agent" + state: restarted + when: (os == 'linux' and 'agent' in wazuh_info.stdout) - - name: Restart wazuh on Windows - win_shell: "Get-Service -Name WazuhSvc -ErrorAction SilentlyContinue | Restart-Service -ErrorAction SilentlyContinue" - args: - executable: powershell.exe - when: os == 'windows' +- name: Restart wazuh on Windows + win_shell: | + "Get-Service -Name WazuhSvc -ErrorAction SilentlyContinue | Restart-Service -ErrorAction SilentlyContinue" + args: + executable: powershell.exe + when: os == 'windows' diff --git a/tests/end_to_end/roles/manage_wazuh_configurations/tasks/write_wazuh_config.yaml b/tests/end_to_end/roles/manage_wazuh_configurations/tasks/write_wazuh_config.yaml index a96b22730f..b87b6422f6 100644 --- a/tests/end_to_end/roles/manage_wazuh_configurations/tasks/write_wazuh_config.yaml +++ b/tests/end_to_end/roles/manage_wazuh_configurations/tasks/write_wazuh_config.yaml 
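Review bot: Moving the Windows command into a `|` block scalar turns what were YAML double quotes into PowerShell quotes, so the new `win_shell` body is the string literal `"Get-Service -Name WazuhSvc ... | Restart-Service ..."`, which PowerShell prints rather than executes; the service is never restarted, and `-ErrorAction SilentlyContinue` hides that nothing happened. Drop the quotes — `win_shell: Get-Service -Name WazuhSvc -ErrorAction SilentlyContinue | Restart-Service -ErrorAction SilentlyContinue` — or, better, replace the shell task with `win_service: name: WazuhSvc` / `state: restarted` so a missing or failed service fails the task instead of being swallowed. The same quoted string is re-indented again in the following patch, so the fix applies there too.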
@@ -1,8 +1,8 @@ - # REQUIRED VARIABLES - #------------------- - # - # GENERIC: - # - (String) os: Target operating system +# REQUIRED VARIABLES +# ------------------- +# +# GENERIC: +# - (String) os: Target operating system - name: Configure ossec.conf linux become: true From ac8dfae3efb51aec3aa889e5ca6c1a8e35e9e4f9 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Fri, 19 Aug 2022 23:24:05 -0300 Subject: [PATCH 445/552] fix(#3144): linter errors in restart wazuh yaml --- .../end_to_end/roles/manage_wazuh/tasks/restart_wazuh.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/end_to_end/roles/manage_wazuh/tasks/restart_wazuh.yaml b/tests/end_to_end/roles/manage_wazuh/tasks/restart_wazuh.yaml index e5d46b1619..67d6d6102d 100644 --- a/tests/end_to_end/roles/manage_wazuh/tasks/restart_wazuh.yaml +++ b/tests/end_to_end/roles/manage_wazuh/tasks/restart_wazuh.yaml @@ -20,13 +20,13 @@ - name: Restart agent service on linux become: true service: - name: "wazuh-agent" + name: wazuh-agent state: restarted when: (os == 'linux' and 'agent' in wazuh_info.stdout) - name: Restart wazuh on Windows win_shell: | - "Get-Service -Name WazuhSvc -ErrorAction SilentlyContinue | Restart-Service -ErrorAction SilentlyContinue" + "Get-Service -Name WazuhSvc -ErrorAction SilentlyContinue | Restart-Service -ErrorAction SilentlyContinue" args: - executable: powershell.exe + executable: powershell.exe when: os == 'windows' From 9595bc9c5d1484f172d4d199ae69050fba23ca9e Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Fri, 19 Aug 2022 23:27:39 -0300 Subject: [PATCH 446/552] fix(#3144): fix linder error windows defender config --- .../test_windows_defender/data/playbooks/configuration.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/basic_cases/test_windows_defender/data/playbooks/configuration.yaml b/tests/end_to_end/basic_cases/test_windows_defender/data/playbooks/configuration.yaml index 1a902bd69e..6abd22287f 100644 
--- a/tests/end_to_end/basic_cases/test_windows_defender/data/playbooks/configuration.yaml +++ b/tests/end_to_end/basic_cases/test_windows_defender/data/playbooks/configuration.yaml @@ -59,4 +59,4 @@ name: manage_wazuh tasks_from: restart_wazuh.yaml vars: - os: 'linux' + os: linux From f8751779aa717b6167d89d6fec59afe281236cbe Mon Sep 17 00:00:00 2001 From: Julia Date: Mon, 22 Aug 2022 11:18:27 +0200 Subject: [PATCH 447/552] docs(#2983): improve E2E documentation --- tests/end_to_end/README.md | 15 +++++++++++++-- .../test_yara_integration.py | 2 +- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/tests/end_to_end/README.md b/tests/end_to_end/README.md index 485faa2ce3..38e1dfec9c 100644 --- a/tests/end_to_end/README.md +++ b/tests/end_to_end/README.md @@ -1,6 +1,17 @@ -# wazuh-qa +# E2E tests -Wazuh - Quality assurance automation templates +End-to-end testing is a technique that tests the entire software product from beginning to end to ensure the application flow behaves as expected. + +The main purpose of End-to-end (E2E) testing is to test from the end user’s experience by simulating the real user scenario and validating the system under test and its components for integration and data integrity. + +The Wazuh architecture is based on agents, running on the monitored endpoints, that forward security data to a central server. The central server decodes and analyzes the incoming information and passes the results along to the Wazuh indexer for indexing and storage. The Wazuh indexer cluster is a collection of one or more nodes that communicate with each other to perform read and write operations on indices. + +The diagram below represents the Wazuh components and data flow. + +![wazuh-data-flow](https://documentation.wazuh.com/current/_images/data-flow1.png) + + +Our E2E tests will verify that, after generating an event, an alert will be triggered and correctly indexed. ## Setting up a test environment 
diff --git a/tests/end_to_end/test_basic_cases/test_yara_integration/test_yara_integration.py b/tests/end_to_end/test_basic_cases/test_yara_integration/test_yara_integration.py index 7bb545b2fa..ea98e969b1 100644 --- a/tests/end_to_end/test_basic_cases/test_yara_integration/test_yara_integration.py +++ b/tests/end_to_end/test_basic_cases/test_yara_integration/test_yara_integration.py @@ -76,7 +76,7 @@ def test_yara_integration(configure_environment, metadata, get_dashboard_credent test_phases: - Set a custom Wazuh configuration. - - Download to generate the event. + - Download malware to generate the event. - Check in the alerts.json log that the expected alert has been triggered and get its timestamp. - Check that the obtained alert from alerts.json has been indexed. From a3a88f06e8e87619217986677d4ba2ee85849dcb Mon Sep 17 00:00:00 2001 From: Julia Date: Mon, 22 Aug 2022 12:17:25 +0200 Subject: [PATCH 448/552] fix(#3165): get manager ip to delete index --- deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py | 2 +- tests/end_to_end/conftest.py | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py b/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py index 2c53eb37a7..db1c7b2814 100644 --- a/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py +++ b/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py @@ -36,7 +36,7 @@ def get_alert_indexer_api(query, credentials, ip_address, index='wazuh-alerts-4. return response -def delete_index_api(credentials, ip_address='wazuh-manager', index='wazuh-alerts-4.x-*'): +def delete_index_api(credentials, ip_address, index='wazuh-alerts-4.x-*'): """Delete indices from wazuh-indexer using its API. Make a request to the wazuh-indexer API to delete indices that match a given name. diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 604fb2f95e..bd236d3019 100644 --- a/tests/end_to_end/conftest.py 
+++ b/tests/end_to_end/conftest.py @@ -14,7 +14,7 @@ @pytest.fixture(scope='function') -def clean_alerts_index(get_dashboard_credentials): +def clean_alerts_index(get_dashboard_credentials, get_manager_ip): """Remove the temporary file that contains the alerts and delete indices using the API. Args: @@ -22,7 +22,7 @@ def clean_alerts_index(get_dashboard_credentials): """ yield remove_file(alerts_json) - e2e.delete_index_api(credentials=get_dashboard_credentials) + e2e.delete_index_api(credentials=get_dashboard_credentials, ip_address=get_manager_ip) @pytest.fixture(scope='module') From bc8a6716fa31e99320420eaaf92e04c092b14027 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Mon, 22 Aug 2022 08:06:01 -0300 Subject: [PATCH 449/552] fix(#3142): unnecessary function and some code have been removed. --- tests/end_to_end/conftest.py | 32 +++++++++----------------------- 1 file changed, 9 insertions(+), 23 deletions(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index b1aad716f4..5e44be613b 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py 
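Review bot: The `clean_alerts_index` fixture now depends on `get_manager_ip`, but its docstring's `Args:` section, which continues outside the hunk, presumably still documents only `get_dashboard_credentials`; add `get_manager_ip (fixture): IP of the manager host the index-delete request is sent to.` It is also worth stating in the docstring that the teardown deletes every index matching `wazuh-alerts-4.x-*` (the default in `delete_index_api`), since an inventory pointed at a shared environment would wipe real alert data on every test.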
@@ -42,21 +42,10 @@ def validate_environments(request): # --------------------------------------- Step 1: Prepare the necessary data --------------------------------------- test_suites_paths = [] - manager_instances = [] - agent_instances = [] target_hosts = [] target_distros = [] distros_by = {'manager': [], 'agent': []} - def set_target_and_distros(suite): - for key in environment_metadata[test_suite_name]: - if environment_metadata[test_suite_name][key]['instances'] > 0: - # Save manager/agent distros - distros_by[key] = environment_metadata[test_suite_name][key]['distros'] - target_distros.extend(environment_metadata[test_suite_name][key]['distros']) - # Add the target host to the list (following the standard host name: "-*") - target_hosts.extend([distro.lower() + f"-{key}" for distro in distros_by[key]]) - # Get the path of the tests from collected items. collected_paths = [item.fspath for item in collected_items] # Remove duplicates caused by the existence of 2 or more test cases 
@@ -69,15 +58,17 @@ def set_target_and_distros(suite): test_suites_paths.append(path) # Get the test suite name test_suite_name = path.split('/')[-1:][0] - # Save the test environment metadata - manager_instances.append(environment_metadata[test_suite_name]['manager']['instances']) - agent_instances.append(environment_metadata[test_suite_name]['agent']['instances']) - set_target_and_distros(test_suite_name) - + # Set target hosts and distros + for key in environment_metadata[test_suite_name]: + if environment_metadata[test_suite_name][key]['instances'] > 0: + # Save manager/agent distros + distros_by[key] = environment_metadata[test_suite_name][key]['distros'] + target_distros.extend(environment_metadata[test_suite_name][key]['distros']) + # Add the target host to the list (following the standard host name: "-*") + target_hosts.extend([distro.lower() + f"-{key}" for distro in distros_by[key]]) # Remove duplicates target_distros = list(dict.fromkeys(target_distros)) target_hosts = list(dict.fromkeys(target_hosts)) - # -------------------------------------------------- End of Step 1 ------------------------------------------------- # ---------------------- Step 2: Run the playbook to generate the general validation playbook ---------------------- @@ -119,17 +110,12 @@ def set_target_and_distros(suite): for path in test_suites_paths: validation_playbook = os.path.join(path, 'data', 'playbooks', 'validation.yaml') - test_suite_name = path.split('/')[-1:][0] - target_hosts = [] - distros_by = {"manager": [], "agent": []} - set_target_and_distros(test_suite_name) - # Run test-specific validation playbook (if any) if os.path.exists(validation_playbook): parameters = { 'playbook': validation_playbook, 'inventory': inventory_path, 'envvars': {'ANSIBLE_ROLES_PATH': roles_path}, - 'extravars': {'target_hosts': ','.join(target_hosts)} + 'extravars': {'target_hosts': ','.join(target_hosts), 'distros': target_distros} } validation_runner = ansible_runner.run(**parameters) 
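Review bot: `target_hosts` and `target_distros` are now the union over every collected suite, and the last hunk passes that union as `target_hosts` to each suite's own `validation.yaml`, whereas the removed per-suite `target_hosts = []` / `set_target_and_distros(test_suite_name)` rebuilt the list for each suite; if a suite's validation playbook is meant to check only that suite's hosts, it will now also run against hosts other suites require. If the union is intended, say so above the loop, e.g. `# target_hosts/target_distros accumulate across all collected suites; every validation.yaml runs against the full set`. `distros_by[key]` is overwritten on each iteration and read only within it, so a plain local would be clearer than the dict, and the comment `(following the standard host name: "-*")` has lost its placeholder, presumably `"<distro>-<manager|agent>"`. `validate_environments` begins before the first hunk of this file.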
From 646f97977e570d31c33a47c6ccaa818c6b1a2075 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Mon, 22 Aug 2022 09:35:20 -0300 Subject: [PATCH 450/552] refactor(#3142): some changes were made on env_requirements. --- tests/end_to_end/data/env_requirements.json | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/tests/end_to_end/data/env_requirements.json b/tests/end_to_end/data/env_requirements.json index 57c7d09292..ad9baf33cc 100644 --- a/tests/end_to_end/data/env_requirements.json +++ b/tests/end_to_end/data/env_requirements.json @@ -131,7 +131,7 @@ ] } }, - "test_netcat": { + "test_unauthorized_processes_detection": { "manager": { "instances": 1, "distros": [ @@ -199,12 +199,14 @@ "manager": { "instances": 1, "distros": [ - "Ubuntu" + "CentOS" ] }, "agent": { - "instances": 0, - "distros": [] + "instances": 1, + "distros": [ + "Ubuntu" + ] } }, "test_virustotal_integration": { From ba5a70e00dce87e479ae0e4f073df8a2b29a0108 Mon Sep 17 00:00:00 2001 From: Julia Date: Mon, 22 Aug 2022 14:49:05 +0200 Subject: [PATCH 451/552] fix(#3165): fix hosts and vars --- .../test_ip_reputation/data/playbooks/configuration.yaml | 4 ++-- .../data/test_cases/cases_sql_injection.yaml | 2 +- .../data/playbooks/teardown.yaml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/configuration.yaml index c1ee7f6bad..0929ed64c7 100644 --- a/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/configuration.yaml 
@@ -22,7 +22,7 @@ - name: Add the attacker IP to the list become: true - shell: echo "{{ hostvars['wazuh-windows']['ansible_host'] }}" >> /var/ossec/etc/lists/alienvault_reputation.ipset + shell: echo "{{ hostvars['windows-agent']['ansible_host'] }}" >> /var/ossec/etc/lists/alienvault_reputation.ipset - name: Convert .ipset to .cdb using script become: true @@ -105,4 +105,4 @@ win_lineinfile: path: C:\Windows\System32\drivers\etc\hosts line: | - {{ hostvars['wazuh-manager']['ansible_host'] }} wazuh-manager + {{ hostvars['centos-manager']['ansible_host'] }} wazuh-manager diff --git a/tests/end_to_end/test_basic_cases/test_sql_injection/data/test_cases/cases_sql_injection.yaml b/tests/end_to_end/test_basic_cases/test_sql_injection/data/test_cases/cases_sql_injection.yaml index 2869de8e4e..5bb5ed5473 100644 --- a/tests/end_to_end/test_basic_cases/test_sql_injection/data/test_cases/cases_sql_injection.yaml +++ b/tests/end_to_end/test_basic_cases/test_sql_injection/data/test_cases/cases_sql_injection.yaml @@ -4,7 +4,7 @@ metadata: extra_vars: event_description: Run SQL injection - command: curl -XGET "http://wazuh-agent/?id=SELECT+*+FROM+users"; + command: curl -XGET 'http://{{ hostvars['centos-agent']['ansible_host'] }}/?id=SELECT+*+FROM+users'; rule.id: 31103 rule.level: 7 rule.description: SQL injection attempt. diff --git a/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/teardown.yaml index 5421fd5d4a..6f5b463626 100644 --- a/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/teardown.yaml @@ -1,6 +1,6 @@ --- - name: Cleanup Linux agent environment - hosts: agents:$linux + hosts: agents:&linux become: True tasks: From 3eee263c7e1edccf269697526ca86a489d19657a Mon Sep 17 00:00:00 2001 
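Review bot: The `Add the attacker IP to the list` task still shells out with `echo "{{ hostvars['windows-agent']['ansible_host'] }}" >> /var/ossec/etc/lists/alienvault_reputation.ipset`, so every run of the configuration playbook appends another copy of the agent IP to the list; only the host key changed in this hunk. `lineinfile: path: /var/ossec/etc/lists/alienvault_reputation.ipset` / `line: "{{ hostvars['windows-agent']['ansible_host'] }}"` is idempotent and needs no shell. In the SQL-injection case, the single quotes inside `'http://{{ hostvars['centos-agent']['ansible_host'] }}/...'` are consumed by Jinja before the shell sees the string, which is fine but fragile enough to deserve a short comment on the `command:` line.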
From: Julia Date: Mon, 22 Aug 2022 14:52:34 +0200 Subject: [PATCH 452/552] fix(#3165): fix netcat test --- .../data/playbooks/configuration.yaml | 10 ++++++++-- .../test_unauthorized_processes_detection.py | 2 +- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/configuration.yaml index 95b77ea956..20ca09d595 100644 --- a/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/configuration.yaml @@ -22,12 +22,18 @@ - name: Install netcat (CentOS) become: true - shell: yum install -y nmap-ncat + package: + name: nmap-ncat + state: present when: ansible_facts['distribution'] == "CentOS" - name: Install netcat (Ubuntu) become: true - shell: apt install ncat nmap -y + package: + name: + - ncat + - nmap + state: present when: ansible_facts['distribution'] == "Ubuntu" - name: Configure manager environment diff --git a/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/test_unauthorized_processes_detection.py b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/test_unauthorized_processes_detection.py index db164ea93d..78c933749e 100644 --- a/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/test_unauthorized_processes_detection.py +++ b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/test_unauthorized_processes_detection.py 
@@ -107,7 +107,7 @@ def test_unauthorized_processes_detection(configure_environment, metadata, get_d rule_id = metadata['rule.id'] timestamp_regex = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+' - expected_alert_json = fr'\{{"timestamp":"({timestamp_regex}+)","rule"\:{{"level"\:{rule_level},' \ + expected_alert_json = fr'\{{"timestamp":"({timestamp_regex})","rule"\:{{"level"\:{rule_level},' \ fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}' expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \ From ee2973fb91e77e06767998c349ce7bc4fc999b68 Mon Sep 17 00:00:00 2001 From: Julia Date: Mon, 22 Aug 2022 15:05:31 +0200 Subject: [PATCH 453/552] fix(#3165): fix script name --- .../data/playbooks/configuration.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/configuration.yaml index 5974213ec5..67be2936ba 100644 --- a/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/configuration.yaml @@ -85,7 +85,7 @@ - name: Add active response script become: true shell: | - curl {{ s3_url }}/virustotal_integration/remove-threat.sh -o /var/ossec/active-response/bin/remote-threat.sh + curl {{ s3_url }}/virustotal_integration/remove-threat.sh -o /var/ossec/active-response/bin/remove-threat.sh - name: Install jq become: true From 50608300b557c4e54350eba3b64fb59b239f054a Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Mon, 22 Aug 2022 11:08:29 -0300 Subject: [PATCH 454/552] fix(#3142): hostname replaced by ip address in netcat command. --- .../roles/host_checker/tasks/check_controller_indexer.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
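Review bot: The active-response script is fetched with plain `curl {{ s3_url }}/virustotal_integration/remove-threat.sh -o /var/ossec/active-response/bin/remove-threat.sh` and no integrity check: without `--fail` an HTTP error page is written to the destination as if it were the script, and nothing pins the content the manager will later execute as an active response. Prefer the `get_url` module with `url`, `dest`, `mode: '0750'` and `checksum: sha256:<digest-of-known-good-script>`, which also fails the play on a non-2xx response. If `s3_url` is plain http rather than https, that should be confirmed as well, since the file runs with the privileges of the active-response daemon.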
diff --git a/tests/end_to_end/roles/host_checker/tasks/check_controller_indexer.yaml b/tests/end_to_end/roles/host_checker/tasks/check_controller_indexer.yaml index 991f6ef1a9..ddb7e71675 100644 --- a/tests/end_to_end/roles/host_checker/tasks/check_controller_indexer.yaml +++ b/tests/end_to_end/roles/host_checker/tasks/check_controller_indexer.yaml @@ -8,7 +8,7 @@ tasks_from: get_installation_type - name: Test connection with Wazuh Indexer - shell: nc -v -4 {{ inventory_hostname }} 9200 + shell: nc -v -4 {{ hostvars[inventory_hostname]['ansible_host'] }} 9200 timeout: 3 ignore_errors: true register: test_result From 8d1c71dd799b953e3165f500fe62483678882895 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Mon, 22 Aug 2022 12:19:40 -0300 Subject: [PATCH 455/552] fix(#3142): stdout validation changed by stderr. --- .../roles/host_checker/tasks/check_controller_indexer.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/roles/host_checker/tasks/check_controller_indexer.yaml b/tests/end_to_end/roles/host_checker/tasks/check_controller_indexer.yaml index ddb7e71675..686d837ae5 100644 --- a/tests/end_to_end/roles/host_checker/tasks/check_controller_indexer.yaml +++ b/tests/end_to_end/roles/host_checker/tasks/check_controller_indexer.yaml @@ -19,4 +19,4 @@ set_fact: check_result: 'true' errors: "{{ errors }}Ansible Controller node cannot connect correctly with Wazuh Indexer.\n" - when: (test_result is failed and test_result.stdout is defined and 'refused' in test_result.stderr) + when: (test_result is failed and test_result.stderr is defined and 'refused' in test_result.stderr) From a10d101ee5fcd3e834de719084459f5167f359e4 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Mon, 22 Aug 2022 16:01:13 -0300 Subject: [PATCH 456/552] fix(#3144): deleted alerts path in generate events yaml --- .../data/playbooks/generate_events.yaml | 1 - 1 file changed, 1 deletion(-) 
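Review bot: The rewritten `when` only records a failure when `'refused' in test_result.stderr`, so the case the `timeout: 3` exists for — a connection that hangs because port 9200 is filtered or the host is unreachable — is never reported: the task fails on timeout, `ignore_errors: true` swallows it, `stderr` is not set, and `check_result` stays untouched. Use `when: test_result is failed` (keeping the stderr match, if at all, only to choose the error text), or replace the `nc` shell task with `wait_for: host={{ hostvars[inventory_hostname]['ansible_host'] }} port=9200 timeout=3` and test `is failed` on that. The `set_fact` task this condition belongs to starts before the hunk.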
diff --git a/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml index 3c5ec00008..2941f900b9 100644 --- a/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml @@ -20,7 +20,6 @@ hosts: wazuh-manager become: true vars: - alerts_path: /var/ossec/logs/alerts/alerts.json tasks: - name: Wait for alerts to be generated From 99eaafc4879d121ddde78e3b3093d126dbe08882 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Tue, 23 Aug 2022 01:04:15 -0300 Subject: [PATCH 457/552] fix(#3142): replace the inventory_hostname with IP. --- .../test_brute_force_rdp/data/playbooks/generate_events.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml index 450c09a4e6..a83d9b8653 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml @@ -11,7 +11,7 @@ tasks: - name: Attempt a RDP brute force attack - shell: hydra -l {{ item }} -p invalid_password rdp://wazuh-windows + shell: hydra -l {{ item }} -p invalid_password rdp://{{ hostvars['windows-agent']['ansible_host'] }} loop: - test_user - test_user From 721d856d49412a7a8060eb8f63d7f2ca97116861 Mon Sep 17 00:00:00 2001 
From: Mauro Malara Date: Tue, 23 Aug 2022 01:04:15 -0300 Subject: [PATCH 458/552] fix(#3142): replace the inventory_hostname with IP. --- .../test_brute_force_rdp/data/playbooks/generate_events.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml index 450c09a4e6..a83d9b8653 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml @@ -11,7 +11,7 @@ tasks: - name: Attempt a RDP brute force attack - shell: hydra -l {{ item }} -p invalid_password rdp://wazuh-windows + shell: hydra -l {{ item }} -p invalid_password rdp://{{ hostvars['windows-agent']['ansible_host'] }} loop: - test_user - test_user From 5386bc94ffc9df0e92cccd5dda80907ecb78e9ef Mon Sep 17 00:00:00 2001 From: Julia Date: Tue, 23 Aug 2022 12:16:30 +0200 Subject: [PATCH 459/552] fix(#3165): revert upload vim package to S3 --- .../data/playbooks/generate_events.yaml | 2 +- .../data/test_cases/cases_vulnerability_detector_linux.yaml | 4 +--- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml index baa5825f8d..3aedb196b7 100644 --- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml 
@@ -12,7 +12,7 @@ - name: "{{ event_description }}" become: true - shell: "{{ shell }}" + shell: "{{ command }}" - name: Get alerts file hosts: managers diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/test_cases/cases_vulnerability_detector_linux.yaml b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/test_cases/cases_vulnerability_detector_linux.yaml index 527d4c1ab8..b0130dfdeb 100644 --- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/test_cases/cases_vulnerability_detector_linux.yaml +++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/test_cases/cases_vulnerability_detector_linux.yaml @@ -4,9 +4,7 @@ metadata: extra_vars: event_description: Install vulnerable vim package - shell: | - curl {{ s3_url }}/vulnerability_detector/vim_vulnerable_package.deb -o vim_vulnerable_package.deb - dpkg -i vim_vulnerable_package.deb + command: apt install -y vim=2:8.1.2269-1ubuntu5.7 rule.id: 23505 rule.level: 10 rule.description: CVE-2022-1621 affects vim From 72c4915d520dbd81359da0f67f71b0572d3cbb3f Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Tue, 23 Aug 2022 11:20:32 -0300 Subject: [PATCH 460/552] fix(#3144): changed command to restart windows --- tests/end_to_end/roles/manage_wazuh/tasks/restart_wazuh.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/end_to_end/roles/manage_wazuh/tasks/restart_wazuh.yaml b/tests/end_to_end/roles/manage_wazuh/tasks/restart_wazuh.yaml index 67d6d6102d..87e7462201 100644 --- a/tests/end_to_end/roles/manage_wazuh/tasks/restart_wazuh.yaml +++ b/tests/end_to_end/roles/manage_wazuh/tasks/restart_wazuh.yaml 
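Review bot: `command: apt install -y vim=2:8.1.2269-1ubuntu5.7` is executed through `shell: "{{ command }}"` on an agent with no preceding `apt-get update` in this hunk, and Ubuntu mirrors drop a package build once it is superseded, so the pinned version will presumably vanish over time and the test will then fail at install rather than at detection. If the archive is the intended source, run `apt-get update` first (or set `update_cache` via the `apt` module) and document the pin in the test case, e.g. `# pinned to the last vim build affected by CVE-2022-1621; re-pin when it leaves the archive`; otherwise the removed fixed `.deb` from `{{ s3_url }}` was the more reproducible option. The play that renders `{{ command }}` continues outside the hunk.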
@@ -26,7 +26,8 @@ - name: Restart wazuh on Windows win_shell: | - "Get-Service -Name WazuhSvc -ErrorAction SilentlyContinue | Restart-Service -ErrorAction SilentlyContinue" + net stop Wazuh + net start Wazuh args: executable: powershell.exe when: os == 'windows' From 9c69f645e44d70994d33336ab378a957594e6877 Mon Sep 17 00:00:00 2001 From: Julia Date: Wed, 24 Aug 2022 10:41:14 +0200 Subject: [PATCH 461/552] fix(#3165): check if the inventory is specified correctly --- tests/end_to_end/conftest.py | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index bd236d3019..29f6b8137f 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -32,16 +32,19 @@ def get_dashboard_credentials(request): Returns: dict: wazuh-dashboard credentials. """ - inventory_playbook = [request.config.getoption('--inventory_path')] + inventory_playbook = request.config.getoption('--inventory_path') if not inventory_playbook: raise ValueError('Inventory not specified') - inventory = ansible_runner.get_inventory(action='host', inventories=inventory_playbook, response_format='json', - host='managers') + inventories = [inventory_playbook] + + inventory_data = ansible_runner.get_inventory(action='host', inventories=inventories, response_format='json', + host='managers') - # Inventory is a tuple, with the second value empty, so we must access inventory[0] - dashboard_credentials = {'user': inventory[0]['dashboard_user'], 'password': inventory[0]['dashboard_password']} + # inventory_data is a tuple, with the second value empty, so we must access inventory[0] + dashboard_credentials = {'user': inventory_data[0]['dashboard_user'], + 'password': inventory_data[0]['dashboard_password']} yield dashboard_credentials 
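Review bot: `net stop Wazuh` followed by `net start Wazuh` fails the task whenever the service is already stopped, because `net stop` returns non-zero and win_shell aborts before the start line runs, whereas the removed line suppressed errors with `-ErrorAction SilentlyContinue` (though, being a quoted string, it only echoed itself and never restarted anything). The idiomatic and idempotent replacement is the service module: `win_service:` / `name: WazuhSvc` / `state: restarted`. Note the identifier also changed from `WazuhSvc` to `Wazuh`; `net` accepts display names as well as service names, so the new form likely works, but the role should settle on one identifier and say in a comment which it is. The `when: os == 'windows'` guard is unchanged.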
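Review bot: `inventory_data[0]['dashboard_user']` raises a bare `KeyError` (or an `IndexError` if the lookup returned nothing) when the `managers` host lacks the variable, which is far harder to diagnose than the `ValueError('Inventory not specified')` raised a few lines earlier for a missing path. Validate the lookup before building the dict, e.g. `host_vars = inventory_data[0]` and `if not host_vars.get('dashboard_user') or not host_vars.get('dashboard_password'): raise ValueError('dashboard_user/dashboard_password not set for host managers')`, so a misconfigured inventory yields an actionable message. Also, `ansible_runner.get_inventory(action='host', ...)` resolves a single host name, and the README inventory example in this series declares `managers` as a group, so the lookup only succeeds when a host literally named `managers` exists — worth confirming against the inventories actually in use. The fixture's decorator and the remainder of its body lie outside the hunk.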
@@ -124,16 +127,18 @@ def get_manager_ip(request): Returns: str: Manager IP. """ - inventory_playbook = [request.config.getoption('--inventory_path')] + inventory_playbook = request.config.getoption('--inventory_path') if not inventory_playbook: raise ValueError('Inventory not specified') - inventory = ansible_runner.get_inventory(action='host', inventories=inventory_playbook, response_format='json', - host='managers') + inventories = [inventory_playbook] + + inventory_data = ansible_runner.get_inventory(action='host', inventories=inventories, response_format='json', + host='managers') - # Inventory is a tuple, with the second value empty, so we must access inventory[0] - manager_ip = inventory[0]['ansible_host'] + # inventory_data is a tuple, with the second value empty, so we must access inventory[0] + manager_ip = inventory_data[0]['ansible_host'] yield manager_ip From e4d4b48246cfd570db00d8692fcb04ae26a71ada Mon Sep 17 00:00:00 2001 
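Review bot: The nine lines from `inventory_playbook = request.config.getoption('--inventory_path')` through `inventory_data = ansible_runner.get_inventory(...)` are now duplicated verbatim between `get_manager_ip` and `get_dashboard_credentials`, including the tuple-indexing comment; a fix to one (for example the missing-key handling) will have to be remembered in the other. Extract a private helper such as `def _inventory_host_vars(request, host):` that performs the option check, the `get_inventory` call and the `[0]` access, and have both fixtures call it: `manager_ip = _inventory_host_vars(request, 'managers')['ansible_host']`. The fixture's decorator and docstring header are outside the hunk.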
From: Mauro Malara Date: Wed, 24 Aug 2022 08:40:31 -0300 Subject: [PATCH 462/552] refactor(#3142): split phase into 2 fixtures with different scopes. This change allows no stopping all execution when 1 specific validation fails. --- tests/end_to_end/README.md | 34 ++++++++ tests/end_to_end/conftest.py | 80 ++++++++++++------- .../tasks/check_controller_indexer.yaml | 0 .../tasks/check_filebeat_indexer.yaml | 0 .../host_checker/tasks/check_os.yaml | 0 .../host_checker/tasks/check_python.yaml | 0 .../tasks/check_wazuh_components.yaml | 0 .../host_checker/tasks/main.yaml | 0 .../tasks/get_installation_type.yaml | 0 9 files changed, 83 insertions(+), 31 deletions(-) rename tests/end_to_end/{roles => data/ansible_roles}/host_checker/tasks/check_controller_indexer.yaml (100%) rename tests/end_to_end/{roles => data/ansible_roles}/host_checker/tasks/check_filebeat_indexer.yaml (100%) rename tests/end_to_end/{roles => data/ansible_roles}/host_checker/tasks/check_os.yaml (100%) rename tests/end_to_end/{roles => data/ansible_roles}/host_checker/tasks/check_python.yaml (100%) rename tests/end_to_end/{roles => data/ansible_roles}/host_checker/tasks/check_wazuh_components.yaml (100%) rename tests/end_to_end/{roles => data/ansible_roles}/host_checker/tasks/main.yaml (100%) rename tests/end_to_end/{roles => data/ansible_roles}/service_controller/tasks/get_installation_type.yaml (100%) diff --git a/tests/end_to_end/README.md b/tests/end_to_end/README.md index 38e1dfec9c..1e51b4bb2e 100644 --- a/tests/end_to_end/README.md +++ b/tests/end_to_end/README.md @@ -18,6 +18,7 @@ Our E2E tests will verify that, after generating an event, an alert will be trig To run these tests we need to use a **Linux** machine and install the following tools: - [Ansible](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html) +- [netcat](https://en.wikipedia.org/wiki/Netcat) Then, you will need to have an inventory with the needed hosts and variables. For example: 
@@ -155,6 +156,39 @@ To execute these tests, we need to run the following command: python -m pytest --inventory_path= ``` +### Adding or modifying E2E tests + +When adding or modifying any test it is necesry to modify the file with the environment data, placed in `tests/end_to_end/data/env_requirements.json` + +This file is used to validate the environments where the selected tests will be executed and it follows this structure: +``` +"": { + "manager": { + "instances": , + "distros": + }, + "agent": { + "instances": , + "distros": + } +} +``` + +### Add specific validation tasks (for a test module) + +To add specific validation tasks to a test, its necessary to add a new playbook inside the test module, in the playbook folder with the default Play structure: + +``` +- name: + hosts: "{{ target_hosts }}" + tasks: + +``` + +E.g: Add validation tasks for test_audit by creating a playbook called `validation.yaml` in `tests/end_to_end/test_basic_cases/test_audit/data/playbooks` + +> The file name must always be "validation.yaml" + #### Audit tests examples ```shell script diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 8238d22a70..9dcfe69226 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py 
@@ -15,6 +15,25 @@ suite_path = os.path.dirname(os.path.realpath(__file__)) +def get_target_hosts_and_distros(test_suite_name, target_distros=[], target_hosts=[]): + environment_file = os.path.join(suite_path, 'data', 'env_requirements.json') + environment_metadata = json.load(open(environment_file)) + distros_by = {'manager': [], 'agent': []} + + for key in environment_metadata[test_suite_name]: + if environment_metadata[test_suite_name][key]['instances'] > 0: + # Save manager/agent distros + distros_by[key] = environment_metadata[test_suite_name][key]['distros'] + target_distros.extend(environment_metadata[test_suite_name][key]['distros']) + # Add the target host to the list (following the standard host name: "-*") + target_hosts.extend([distro.lower() + f"-{key}" for distro in distros_by[key]]) + # Remove duplicates + target_hosts = list(dict.fromkeys(target_hosts)) + target_distros = list(dict.fromkeys(target_distros)) + + return target_hosts, target_distros + + @pytest.fixture(scope='session', autouse=True) def validate_environments(request): """Fixture with session scope to validate the environments before run the E2E tests. @@ -23,7 +42,6 @@ def validate_environments(request): Step 1: Collect the data related to the selected tests that will be executed. Step 2: Generate a playbook containing cross-checks for selected tests. Step 3: Run the generated playbook. - Step 4: Execute a test-specific playbook (if any). This will run one validation for each selected test set. Args: request (fixture): Gives access to the requesting test context. 
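Review bot: `get_target_hosts_and_distros(test_suite_name, target_distros=[], target_hosts=[])` uses mutable default arguments and then mutates them with `.extend()`, so every caller that omits the lists — the module-scoped `run_specific_validations` fixture added later in this same commit calls it with only the suite name — accumulates hosts and distros from every previously processed module, and each module's validation playbook ends up targeting the union of all earlier targets instead of its own. `json.load(open(environment_file))` also leaves the file handle to the garbage collector. Default the lists to `None`, create fresh ones inside, read the file under a context manager, and add a docstring stating that the passed-in lists are extended in place; the per-role loop, de-duplication and return are unchanged.
```python
def get_target_hosts_and_distros(test_suite_name, target_distros=None, target_hosts=None):
    """Return (target_hosts, target_distros) for a suite; extends the given lists in place if provided."""
    target_distros = [] if target_distros is None else target_distros
    target_hosts = [] if target_hosts is None else target_hosts
    environment_file = os.path.join(suite_path, 'data', 'env_requirements.json')
    with open(environment_file) as env_fh:
        environment_metadata = json.load(env_fh)
    # … unchanged: per-role loop, de-duplication and return …
```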
@@ -31,8 +49,6 @@ def validate_environments(request): collected_items = request.session.items roles_path = request.config.getoption('--roles-path') inventory_path = request.config.getoption('--inventory_path') - environment_file = os.path.join(suite_path, 'data', 'env_requirements.json') - environment_metadata = json.load(open(environment_file)) playbook_generator = os.path.join(suite_path, 'data', 'validation_playbooks', 'generate_general_play.yaml') playbook_template = os.path.join(suite_path, 'data', 'validation_templates', 'general_validation.j2') general_playbook = os.path.join(suite_path, 'data', 'validation_playbooks', 'general_validation.yaml') @@ -44,7 +60,6 @@ def validate_environments(request): test_suites_paths = [] target_hosts = [] target_distros = [] - distros_by = {'manager': [], 'agent': []} # Get the path of the tests from collected items. collected_paths = [item.fspath for item in collected_items] 
@@ -59,16 +74,7 @@ def validate_environments(request): # Get the test suite name test_suite_name = path.split('/')[-1:][0] # Set target hosts and distros - for key in environment_metadata[test_suite_name]: - if environment_metadata[test_suite_name][key]['instances'] > 0: - # Save manager/agent distros - distros_by[key] = environment_metadata[test_suite_name][key]['distros'] - target_distros.extend(environment_metadata[test_suite_name][key]['distros']) - # Add the target host to the list (following the standard host name: "-*") - target_hosts.extend([distro.lower() + f"-{key}" for distro in distros_by[key]]) - # Remove duplicates - target_distros = list(dict.fromkeys(target_distros)) - target_hosts = list(dict.fromkeys(target_hosts)) + target_hosts, target_distros = get_target_hosts_and_distros(test_suite_name, target_distros, target_hosts) # -------------------------------------------------- End of Step 1 ------------------------------------------------- # ---------------------- Step 2: Run the playbook to generate the general validation playbook ---------------------- 
@@ -106,24 +112,36 @@ def validate_environments(request): f"requirements. Result:\n{errors}") # -------------------------------------------------- End of Step 3 ------------------------------------------------- - # -------------------------------- Step 4: Execute test-specific validations (if any) ------------------------------ - for path in test_suites_paths: - validation_playbook = os.path.join(path, 'data', 'playbooks', 'validation.yaml') - # Run test-specific validation playbook (if any) - if os.path.exists(validation_playbook): - parameters = { - 'playbook': validation_playbook, 'inventory': inventory_path, - 'envvars': {'ANSIBLE_ROLES_PATH': roles_path}, - 'extravars': {'target_hosts': ','.join(target_hosts), 'distros': target_distros} - } - validation_runner = ansible_runner.run(**parameters) +@pytest.fixture(scope='module', autouse=True) +def run_specific_validations(request): + """Fixture with module scope to validate the environment of an specific tests with specific validation tasks. + + Execute a test-specific playbook (if any). This will run one validation playbook for each test module. + + Args: + request (fixture): Gives access to the requesting test context. 
+ """ + roles_path = request.config.getoption('--roles-path') + inventory_path = request.config.getoption('--inventory_path') + test_suite_path = os.path.dirname(request.fspath) + test_suite_name = test_suite_path.split('/')[-1:][0] + target_hosts, target_distros = get_target_hosts_and_distros(test_suite_name) + validation_playbook = os.path.join(test_suite_path, 'data', 'playbooks', 'validation.yaml') + + # Run test-specific validation playbook (if any) + if os.path.exists(validation_playbook): + parameters = { + 'playbook': validation_playbook, 'inventory': inventory_path, + 'envvars': {'ANSIBLE_ROLES_PATH': roles_path}, + 'extravars': {'target_hosts': ','.join(target_hosts), 'distros': target_distros} + } + validation_runner = ansible_runner.run(**parameters) - # If the validation phase has failed, then abort the execution finishing with an error. Else, continue. - if validation_runner.status == 'failed': - raise Exception(f"The validation phase of {test_suite_name} has failed. Please check that the " - 'environments meet the expected requirements.') - # -------------------------------------------------- End of Step 4 ------------------------------------------------- + # If the validation phase has failed, then abort the execution finishing with an error. Else, continue. + if validation_runner.status == 'failed': + raise Exception(f"The validation phase of {test_suite_name} has failed. Please check that the " + 'environments meet the expected requirements.') @pytest.fixture(scope='function') @@ -265,7 +283,7 @@ def pytest_addoption(parser): '--roles-path', action='store', metavar='ROLES_PATH', - default=os.path.join(suite_path, 'roles'), + default=os.path.join(suite_path, 'data', 'ansible_roles'), type=str, help='Ansible roles path.', ) 
diff --git a/tests/end_to_end/roles/host_checker/tasks/check_controller_indexer.yaml b/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_controller_indexer.yaml similarity index 100% rename from tests/end_to_end/roles/host_checker/tasks/check_controller_indexer.yaml rename to tests/end_to_end/data/ansible_roles/host_checker/tasks/check_controller_indexer.yaml diff --git a/tests/end_to_end/roles/host_checker/tasks/check_filebeat_indexer.yaml b/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_filebeat_indexer.yaml similarity index 100% rename from tests/end_to_end/roles/host_checker/tasks/check_filebeat_indexer.yaml rename to tests/end_to_end/data/ansible_roles/host_checker/tasks/check_filebeat_indexer.yaml diff --git a/tests/end_to_end/roles/host_checker/tasks/check_os.yaml b/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_os.yaml similarity index 100% rename from tests/end_to_end/roles/host_checker/tasks/check_os.yaml rename to tests/end_to_end/data/ansible_roles/host_checker/tasks/check_os.yaml diff --git a/tests/end_to_end/roles/host_checker/tasks/check_python.yaml b/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_python.yaml similarity index 100% rename from tests/end_to_end/roles/host_checker/tasks/check_python.yaml rename to tests/end_to_end/data/ansible_roles/host_checker/tasks/check_python.yaml diff --git a/tests/end_to_end/roles/host_checker/tasks/check_wazuh_components.yaml b/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_wazuh_components.yaml similarity index 100% rename from tests/end_to_end/roles/host_checker/tasks/check_wazuh_components.yaml rename to tests/end_to_end/data/ansible_roles/host_checker/tasks/check_wazuh_components.yaml 
diff --git a/tests/end_to_end/roles/host_checker/tasks/main.yaml b/tests/end_to_end/data/ansible_roles/host_checker/tasks/main.yaml similarity index 100% rename from tests/end_to_end/roles/host_checker/tasks/main.yaml rename to tests/end_to_end/data/ansible_roles/host_checker/tasks/main.yaml diff --git a/tests/end_to_end/roles/service_controller/tasks/get_installation_type.yaml b/tests/end_to_end/data/ansible_roles/service_controller/tasks/get_installation_type.yaml similarity index 100% rename from tests/end_to_end/roles/service_controller/tasks/get_installation_type.yaml rename to tests/end_to_end/data/ansible_roles/service_controller/tasks/get_installation_type.yaml From 8d0920ee161007aa3306a75e1ee04c60eabaf188 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Wed, 24 Aug 2022 08:47:04 -0300 Subject: [PATCH 463/552] style(#3142): linter corrections applied. --- tests/end_to_end/conftest.py | 12 ++++++------ .../data/ansible_roles/host_checker/tasks/main.yaml | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index c3695f6c25..4763cc8545 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py 
@@ -21,12 +21,12 @@ def get_target_hosts_and_distros(test_suite_name, target_distros=[], target_host distros_by = {'manager': [], 'agent': []} for key in environment_metadata[test_suite_name]: - if environment_metadata[test_suite_name][key]['instances'] > 0: - # Save manager/agent distros - distros_by[key] = environment_metadata[test_suite_name][key]['distros'] - target_distros.extend(environment_metadata[test_suite_name][key]['distros']) - # Add the target host to the list (following the standard host name: "-*") - target_hosts.extend([distro.lower() + f"-{key}" for distro in distros_by[key]]) + if environment_metadata[test_suite_name][key]['instances'] > 0: + # Save manager/agent distros + distros_by[key] = environment_metadata[test_suite_name][key]['distros'] + target_distros.extend(environment_metadata[test_suite_name][key]['distros']) + # Add the target host to the list (following the standard host name: "-*") + target_hosts.extend([distro.lower() + f"-{key}" for distro in distros_by[key]]) # Remove duplicates target_hosts = list(dict.fromkeys(target_hosts)) target_distros = list(dict.fromkeys(target_distros)) diff --git a/tests/end_to_end/data/ansible_roles/host_checker/tasks/main.yaml b/tests/end_to_end/data/ansible_roles/host_checker/tasks/main.yaml index 20933d8e4e..761337e6ee 100644 --- a/tests/end_to_end/data/ansible_roles/host_checker/tasks/main.yaml +++ b/tests/end_to_end/data/ansible_roles/host_checker/tasks/main.yaml @@ -25,7 +25,7 @@ # -------- Task to identify whether the validation step fails or not. -------- - set_fact: phase_results: "{{ errors }}" - cacheable: yes + cacheable: true - name: Verify if any check have failed fail: From 1c4424cab00f2b684ab74cdcfba30648f996fc1e Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Wed, 24 Aug 2022 08:52:03 -0300 Subject: [PATCH 464/552] fix(#3142): typo fixed. --- .../data/ansible_roles/host_checker/tasks/check_python.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_python.yaml b/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_python.yaml index 452ae7e773..6c20df37bc 100644 --- a/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_python.yaml +++ b/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_python.yaml @@ -13,7 +13,7 @@ register: version when: os == 'Windows' -- name: Check default Python version (Linux) +- name: Check default Python version (Windows) set_fact: check_result: 'true' errors: "{{ errors }}Python version is less than 3. Current version: {{ version.stdout }}\n" From eeda10a3dc53eddcd4fdd92b0df52a6810268d9e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Rebollo=20P=C3=A9rez?= Date: Thu, 25 Aug 2022 11:40:52 +0100 Subject: [PATCH 465/552] feat(#3165): include E2E to provisioning file --- .../provisioning/provisioning_data.json | 79 ++++++++++++------- 1 file changed, 51 insertions(+), 28 deletions(-) diff --git a/tests/system/provisioning/provisioning_data.json b/tests/system/provisioning/provisioning_data.json index 24045c2c9b..e1703ad045 100644 --- a/tests/system/provisioning/provisioning_data.json +++ b/tests/system/provisioning/provisioning_data.json 
@@ -1,46 +1,69 @@ { "agentless_cluster": [ - "test_jwt_invalidation/test_change_rbac_mode.py", - "test_jwt_invalidation/test_change_security_resources.py", - "test_jwt_invalidation/test_disconnected_nodes.py", - "test_jwt_invalidation/test_revoke_endpoint.py", - "test_jwt_invalidation/test_update_password.py", - "test_cluster/test_integrity_sync/test_integrity_sync.py" + "test_system/test_jwt_invalidation/test_change_rbac_mode.py", + "test_system/test_jwt_invalidation/test_change_security_resources.py", + "test_system/test_jwt_invalidation/test_disconnected_nodes.py", + "test_system/test_jwt_invalidation/test_revoke_endpoint.py", + "test_system/test_jwt_invalidation/test_update_password.py", + "test_system/test_cluster/test_integrity_sync/test_integrity_sync.py" ], "basic_cluster": [ - "test_cluster/test_agent_groups/test_agent_groups.py", - "test_cluster/test_agent_files_deletion/test_agent_files_deletion.py", - "test_cluster/test_agent_info_sync/test_agent_info_sync.py", - "test_cluster/test_agent_key_polling/test_agent_key_polling.py", - "test_multigroups/test_multigroups.py", - "test_cluster/test_agent_groups/test_agent_groups_forced_change.py" + "test_system/test_cluster/test_agent_groups/test_agent_groups.py", + "test_system/test_cluster/test_agent_files_deletion/test_agent_files_deletion.py", + "test_system/test_cluster/test_agent_info_sync/test_agent_info_sync.py", + "test_system/test_cluster/test_agent_key_polling/test_agent_key_polling.py", + "test_system/multigroups/test_multigroups.py", + "test_system/cluster/test_agent_groups/test_agent_groups_forced_change.py" ], "basic_environment": [ - "test_agent_auth/test_agent_auth.py", - "test_enrollment/test_enrollment.py" + "test_system/test_agent_auth/test_agent_auth.py", + "test_system/test_enrollment/test_enrollment.py" ], "enrollment_cluster": [ - "test_cluster/test_agent_enrollment/test_agent_enrollment.py", - "test_cluster/test_agent_groups/test_agent_default_group_added.py", - 
"test_cluster/test_agent_groups/test_assign_agent_group_with_enrollment.py", - "test_cluster/test_agent_groups/test_assign_agent_never_connected_to_group.py", - "test_cluster/test_agent_groups/test_assign_agent_to_a_group_api.py", - "test_cluster/test_agent_groups/test_assign_agent_to_a_group_by_tool.py", - "test_cluster/test_agent_groups/test_assign_agent_to_a_group.py", - "test_cluster/test_agent_groups/test_assign_groups_guess.py" + "test_system/test_cluster/test_agent_enrollment/test_agent_enrollment.py", + "test_system/test_cluster/test_agent_groups/test_agent_default_group_added.py", + "test_system/test_cluster/test_agent_groups/test_assign_agent_group_with_enrollment.py", + "test_system/test_cluster/test_agent_groups/test_assign_agent_never_connected_to_group.py", + "test_system/test_cluster/test_agent_groups/test_assign_agent_to_a_group_api.py", + "test_system/test_cluster/test_agent_groups/test_assign_agent_to_a_group_by_tool.py", + "test_system/test_cluster/test_agent_groups/test_assign_agent_to_a_group.py", + "test_system/test_cluster/test_agent_groups/test_assign_groups_guess.py" ], "manager_agent": [ - "test_active_response_log_format/test_active_response_log_format.py" + "test_system/test_active_response_log_format/test_active_response_log_format.py" ], "one_manager_agent": [ - "test_fim/test_files/test_files_cud.py", - "test_fim/test_synchronization/test_synchronization.py" + "test_system/test_fim/test_files/test_files_cud.py", + "test_system/test_fim/test_synchronization/test_synchronization.py" ], "four_manager_disconnected_node": [ - "test_cluster/test_agent_groups/test_agent_groups_new_cluster_node.py" + "test_system/test_cluster/test_agent_groups/test_agent_groups_new_cluster_node.py" ], "big_cluster_40_agents": [ - "test_cluster/test_agent_groups/test_groups_sync_default.py", - "test_cluster/test_agent_groups/test_groups_sync_time.py" + "test_system/test_cluster/test_agent_groups/test_groups_sync_default.py", + 
"test_system/test_cluster/test_agent_groups/test_groups_sync_time.py" + ], + "end_to_end_environment": [ + "end_to_end/test_basic_cases/test_audit/test_audit.py", + "end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py", + "end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py", + "end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py", + "end_to_end/test_basic_cases/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py", + "end_to_end/test_basic_cases/test_docker_monitoring/test_docker_monitoring.py", + "end_to_end/test_basic_cases/test_emotet/test_emotet.py", + "end_to_end/test_basic_cases/test_fim/test_fim_linux/test_fim_linux.py", + "end_to_end/test_basic_cases/test_fim/test_fim_windows/test_fim_windows.py", + "end_to_end/test_basic_cases/test_ip_reputation/test_ip_reputation.py", + "end_to_end/test_basic_cases/test_osquery_integration/test_osquery_integration.py", + "end_to_end/test_basic_cases/test_shellshock_attack_detection/test_shellshock_attack_detection.py", + "end_to_end/test_basic_cases/test_slack_integration/test_slack_integration.py", + "end_to_end/test_basic_cases/test_sql_injection/test_sql_injection.py", + "end_to_end/test_basic_cases/test_suricata_integration/test_suricata_integration.py", + "end_to_end/test_basic_cases/test_unauthorized_processes_detection/test_unauthorized_processes_detection.py", + "end_to_end/test_basic_cases/test_virustotal_integration/test_virustotal_integration.py", + "end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py", + "end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py", + "end_to_end/test_basic_cases/test_windows_defender/test_windows_defender.py", + "end_to_end/test_basic_cases/test_yara_integration/test_yara_integration.py", 
] } From 8f0a8dc600dfaae4b7b90d9f6a0302ed7b55f256 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Rebollo=20P=C3=A9rez?= Date: Thu, 25 Aug 2022 11:42:14 +0100 Subject: [PATCH 466/552] feat(#3165): include E2E env configuration file --- .../environments/end_to_end_environment.yaml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 provisioning/environments/end_to_end_environment.yaml diff --git a/provisioning/environments/end_to_end_environment.yaml b/provisioning/environments/end_to_end_environment.yaml new file mode 100644 index 0000000000..6685a7c1ac --- /dev/null +++ b/provisioning/environments/end_to_end_environment.yaml @@ -0,0 +1,18 @@ +centos-manager: + os: amazonlinux + roles: [aio] + +ubuntu-agent: + os: ubuntu + roles: [agent] + manager: centos-manager + +centos-agent: + os: amazonlinux + roles: [agent] + manager: centos-manager + +windows-agent: + os: windows + roles: [agent] + manager: centos-manager From 7975458f77896c84cdb30044c596d3177f4fe126 Mon Sep 17 00:00:00 2001 
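Review bot: The new `end_to_end_environment` array ends with a trailing comma after `"end_to_end/test_basic_cases/test_yara_integration/test_yara_integration.py",` immediately before `]`, which is invalid JSON and will make a strict parser such as Python's `json.load` reject the entire provisioning file. Drop that comma. Two rewritten `basic_cluster` entries also lost their `test_` directory prefix — `test_system/multigroups/test_multigroups.py` and `test_system/cluster/test_agent_groups/test_agent_groups_forced_change.py` — while every sibling path uses `test_system/test_multigroups/...` and `test_system/test_cluster/...`; they almost certainly should read `test_system/test_multigroups/test_multigroups.py` and `test_system/test_cluster/test_agent_groups/test_agent_groups_forced_change.py`.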
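Review bot: The manager host is named `centos-manager` but declared with `os: amazonlinux`, and all three agents reference it under that name. Elsewhere in this series the validation fixture derives target host names as `<distro>.lower()-<role>` from `env_requirements.json`, so a host whose name and OS disagree may not be matched by the generated validation play — confirm which of the two is authoritative, or rename the host to match its `os`. Since this is the first E2E environment file, a short header comment describing the expected `<host-name>: {os, roles, manager}` schema would also help, e.g. `# One entry per VM: os selects the image, roles the Wazuh components, manager the host agents enrol to`.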
From: =?UTF-8?q?V=C3=ADctor=20Rebollo=20P=C3=A9rez?= Date: Thu, 25 Aug 2022 11:46:32 +0100 Subject: [PATCH 467/552] feat(#3165): adapt E2E to Jenkins inv --- tests/end_to_end/README.md | 6 +++--- tests/end_to_end/conftest.py | 4 ++-- .../test_audit/data/playbooks/configuration.yaml | 2 +- .../test_audit/data/playbooks/generate_events.yaml | 2 +- .../test_audit/data/playbooks/teardown.yaml | 2 +- .../data/playbooks/configuration.yaml | 2 +- .../data/playbooks/generate_events.yaml | 2 +- .../data/playbooks/teardown.yaml | 2 +- .../data/playbooks/generate_events.yaml | 4 ++-- .../data/playbooks/generate_events.yaml | 4 ++-- .../data/playbooks/configuration.yaml | 2 +- .../data/playbooks/generate_events.yaml | 2 +- .../data/playbooks/teardown.yaml | 2 +- .../data/playbooks/configuration.yaml | 2 +- .../data/playbooks/generate_events.yaml | 2 +- .../test_docker_monitoring/data/playbooks/teardown.yaml | 2 +- .../test_emotet/data/playbooks/configuration.yaml | 2 +- .../test_emotet/data/playbooks/generate_events.yaml | 4 ++-- .../test_fim_linux/data/playbooks/configuration.yaml | 2 +- .../test_fim_linux/data/playbooks/generate_events.yaml | 6 +++--- .../test_fim/test_fim_linux/data/playbooks/teardown.yaml | 2 +- .../test_fim_windows/data/playbooks/generate_events.yaml | 4 ++-- .../test_ip_reputation/data/playbooks/configuration.yaml | 2 +- .../test_ip_reputation/data/playbooks/generate_events.yaml | 4 ++-- .../test_ip_reputation/data/playbooks/teardown.yaml | 2 +- .../data/playbooks/configuration.yaml | 2 +- .../data/playbooks/generate_events.yaml | 2 +- .../test_osquery_integration/data/playbooks/teardown.yaml | 2 +- .../data/playbooks/configuration.yaml | 2 +- .../data/playbooks/generate_events.yaml | 2 +- .../data/playbooks/teardown.yaml | 2 +- .../data/playbooks/configuration.yaml | 2 +- .../data/playbooks/generate_events.yaml | 2 +- .../test_slack_integration/data/playbooks/teardown.yaml | 2 +- .../test_sql_injection/data/playbooks/generate_events.yaml | 4 ++-- 
.../data/playbooks/generate_events.yaml | 4 ++-- .../data/playbooks/configuration.yaml | 4 ++-- .../data/playbooks/generate_events.yaml | 6 +++--- .../data/playbooks/teardown.yaml | 4 ++-- .../data/playbooks/configuration.yaml | 2 +- .../data/playbooks/generate_events.yaml | 2 +- .../data/playbooks/teardown.yaml | 2 +- .../data/playbooks/configuration.yaml | 2 +- .../data/playbooks/generate_events.yaml | 4 ++-- .../test_vulnerability_detector_linux.py | 2 +- .../data/playbooks/configuration.yaml | 2 +- .../data/playbooks/generate_events.yaml | 4 ++-- .../test_vulnerability_detection_windows.py | 2 +- .../test_windows_defender/data/playbooks/configuration.yaml | 2 +- .../data/playbooks/generate_events.yaml | 4 ++-- .../test_yara_integration/data/playbooks/configuration.yaml | 2 +- .../data/playbooks/generate_events.yaml | 2 +- .../test_yara_integration/data/playbooks/teardown.yaml | 2 +- 53 files changed, 72 insertions(+), 72 deletions(-) diff --git a/tests/end_to_end/README.md b/tests/end_to_end/README.md index 38e1dfec9c..a952fab337 100644 --- a/tests/end_to_end/README.md +++ b/tests/end_to_end/README.md 
@@ -4,7 +4,7 @@ End-to-end testing is a technique that tests the entire software product from be The main purpose of End-to-end (E2E) testing is to test from the end user’s experience by simulating the real user scenario and validating the system under test and its components for integration and data integrity. -The Wazuh architecture is based on agents, running on the monitored endpoints, that forward security data to a central server. The central server decodes and analyzes the incoming information and passes the results along to the Wazuh indexer for indexing and storage. The Wazuh indexer cluster is a collection of one or more nodes that communicate with each other to perform read and write operations on indices. +The Wazuh architecture is based on agent, running on the monitored endpoints, that forward security data to a central server. The central server decodes and analyzes the incoming information and passes the results along to the Wazuh indexer for indexing and storage. The Wazuh indexer cluster is a collection of one or more nodes that communicate with each other to perform read and write operations on indices. The diagram below represents the Wazuh components and data flow. @@ -22,7 +22,7 @@ To run these tests we need to use a **Linux** machine and install the following Then, you will need to have an inventory with the needed hosts and variables. For example: ``` -managers: +manager: hosts: centos-manager: ansible_host: @@ -33,7 +33,7 @@ managers: dashboard_user: dashboard_password: -agents: +agent: children: linux: hosts: diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 29f6b8137f..fa4ebb7dca 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py 
@@ -40,7 +40,7 @@ def get_dashboard_credentials(request): inventories = [inventory_playbook] inventory_data = ansible_runner.get_inventory(action='host', inventories=inventories, response_format='json', - host='managers') + host='dashboard') # inventory_data is a tuple, with the second value empty, so we must access inventory[0] dashboard_credentials = {'user': inventory_data[0]['dashboard_user'], @@ -135,7 +135,7 @@ def get_manager_ip(request): inventories = [inventory_playbook] inventory_data = ansible_runner.get_inventory(action='host', inventories=inventories, response_format='json', - host='managers') + host='manager') # inventory_data is a tuple, with the second value empty, so we must access inventory[0] manager_ip = inventory_data[0]['ansible_host'] diff --git a/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/configuration.yaml index 2c7d81e2a3..a78ea53692 100644 --- a/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/configuration.yaml @@ -1,6 +1,6 @@ --- - name: Configure manager environment - hosts: managers + hosts: manager tasks: - name: Get euid diff --git a/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/generate_events.yaml index 4d9ef48cd8..907f3fa593 100644 --- a/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/generate_events.yaml @@ -1,5 +1,5 @@ - name: Generate events - hosts: managers + hosts: manager tasks: - name: Truncate file diff --git a/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/teardown.yaml index 8a07ede65c..eec5626e05 100644 
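Review bot: The first hunk makes get_dashboard_credentials query ansible-inventory for a host named `dashboard`, but the inventory example rewritten in this same commit (README hunk) still places `dashboard_user`/`dashboard_password` under the manager host `centos-manager`, so unless every inventory also defines a `dashboard` entry carrying those variables, `inventory_data[0]['dashboard_user']` will presumably fail with a KeyError (or an index error if the lookup returns nothing) instead of an error naming the missing inventory entry. Since these are the credentials the E2E suite uses to reach the dashboard, I would fail early with an explicit message before building the dict: `host_vars = inventory_data[0] if inventory_data else {}` / `if 'dashboard_user' not in host_vars or 'dashboard_password' not in host_vars:` / `raise ValueError("inventory host 'dashboard' must define dashboard_user and dashboard_password")`. A one-line comment above the call, `# host= names an inventory host entry, not a group`, would also make clear why the two fixtures now pass different names (`dashboard` vs `manager`) to the same `action='host'` lookup. Both get_dashboard_credentials and get_manager_ip begin and end outside these hunks.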
--- a/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/teardown.yaml @@ -1,6 +1,6 @@ --- - name: Cleanup manager environment - hosts: managers + hosts: manager tasks: - name: Delete wazuh audit rules file diff --git a/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml index 48c53bb35f..de2f0ba481 100644 --- a/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/configuration.yaml @@ -1,5 +1,5 @@ - name: Configure manager environment - hosts: managers + hosts: manager become: true tasks: diff --git a/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml index bee6e0dd21..3ba712dccc 100644 --- a/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml @@ -1,5 +1,5 @@ - name: Generate events - hosts: managers + hosts: manager vars: alerts_path: /var/ossec/logs/alerts/alerts.json become: true diff --git a/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/teardown.yaml index ce20cf7a3f..7c3b7be780 100644 --- a/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/teardown.yaml 
@@ -1,5 +1,5 @@ - name: Cleanup manager environment - hosts: managers + hosts: manager become: true tasks: diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml index a83d9b8653..82a75026c3 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml @@ -1,5 +1,5 @@ - name: Clean alerts file - hosts: managers + hosts: manager tasks: - name: Truncate alert.json @@ -30,7 +30,7 @@ timeout: 5 - name: Get alerts file - hosts: managers + hosts: manager tasks: - name: Get alerts.json diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml index 7f0d87d65d..301819da8a 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml @@ -1,5 +1,5 @@ - name: Clean alerts file - hosts: managers + hosts: manager tasks: - name: Truncate alert.json @@ -37,7 +37,7 @@ timeout: 5 - name: Get alerts file - hosts: managers + hosts: manager tasks: - name: Get alerts.json diff --git a/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/configuration.yaml index 1651d8200e..c7b50ad065 100644 --- a/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/configuration.yaml 
+++ b/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/configuration.yaml @@ -1,5 +1,5 @@ - name: Configure manager environment - hosts: managers + hosts: manager become: true tasks: diff --git a/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml index 3565ae14df..e8f1f8cf29 100644 --- a/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml @@ -1,5 +1,5 @@ - name: Generate events - hosts: managers + hosts: manager become: true tasks: diff --git a/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/teardown.yaml index 31392786a9..bcc1b72b47 100644 --- a/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/teardown.yaml @@ -1,5 +1,5 @@ - name: Cleanup manager environment - hosts: managers + hosts: manager become: true tasks: diff --git a/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/configuration.yaml index fed43bc7ea..d31c6db5c5 100644 --- a/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/configuration.yaml @@ -1,5 +1,5 @@ - name: Configure manager environment - hosts: managers + hosts: manager become: true tasks: 
diff --git a/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml index 6f99c71188..f6102dcb4f 100644 --- a/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml @@ -1,5 +1,5 @@ - name: Generate events - hosts: managers + hosts: manager become: true tasks: diff --git a/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/teardown.yaml index 2919e9981c..c8901f9833 100644 --- a/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/teardown.yaml @@ -1,6 +1,6 @@ --- - name: Cleanup manager environment - hosts: managers + hosts: manager become: True tasks: diff --git a/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/configuration.yaml index e835eceb29..58bf732e34 100644 --- a/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/configuration.yaml @@ -74,7 +74,7 @@ net start wazuh - name: Configure manager environment - hosts: managers + hosts: manager tasks: - name: Configure local rules diff --git a/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/generate_events.yaml index 0a07685d12..c06ef0ee68 100644 --- a/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/generate_events.yaml 
@@ -1,5 +1,5 @@ - name: Clean alerts file - hosts: managers + hosts: manager tasks: - name: Truncate file alert.json @@ -16,7 +16,7 @@ failed_when: '"with process ID" not in output.stderr' - name: Get alerts file - hosts: managers + hosts: manager tasks: - name: Wait for alert diff --git a/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/configuration.yaml index 726d20c597..1ba93baa14 100644 --- a/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/configuration.yaml @@ -1,5 +1,5 @@ - name: Configure Linux agent environment - hosts: agents:&linux + hosts: agent:&linux tasks: - name: Create directory to monitor diff --git a/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/generate_events.yaml index 8b77b8826d..fbc4955d20 100644 --- a/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/generate_events.yaml @@ -1,5 +1,5 @@ - name: Clean alerts file - hosts: managers + hosts: manager tasks: - name: Truncate file @@ -7,7 +7,7 @@ become: True - name: Generate events - hosts: agents:&linux + hosts: agent:&linux tasks: - name: "{{ event_description }}" @@ -18,7 +18,7 @@ mode: "{{ mode }}" - name: Get alerts file - hosts: managers + hosts: manager tasks: - name: Wait for alert to be generated diff --git a/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/teardown.yaml index d21e552028..57dde09e4b 100644 --- a/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/teardown.yaml 
+++ b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/teardown.yaml @@ -1,5 +1,5 @@ - name: Cleanup Linux agent environment - hosts: agents:&linux + hosts: agent:&linux become: true tasks: diff --git a/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/generate_events.yaml index 7ea454276f..a3bb7a014d 100644 --- a/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/generate_events.yaml @@ -1,5 +1,5 @@ - name: Clean alerts file - hosts: managers + hosts: manager tasks: - name: Truncate file @@ -16,7 +16,7 @@ state: "{{ state }}" - name: Get alerts file - hosts: managers + hosts: manager tasks: - name: Wait for alert to be generated diff --git a/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/configuration.yaml index 0929ed64c7..831e05d184 100644 --- a/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/configuration.yaml @@ -1,5 +1,5 @@ - name: Configure manager environment - hosts: managers + hosts: manager become: true tasks: diff --git a/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/generate_events.yaml index 890fb9928c..33859547f1 100644 --- a/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/generate_events.yaml @@ -1,5 +1,5 @@ - name: Clean alerts file - hosts: managers + hosts: manager tasks: - name: Truncate file alert.json 
@@ -16,7 +16,7 @@ failed_when: "'Forbidden' not in result.stderr" - name: Get alerts file - hosts: managers + hosts: manager tasks: - name: Waiting for alert diff --git a/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/teardown.yaml index 8ce15bed84..eca0779dd6 100644 --- a/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/teardown.yaml @@ -1,5 +1,5 @@ - name: Cleanup manager environment - hosts: managers + hosts: manager tasks: - name: Uninstall apache diff --git a/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/configuration.yaml index 8e3f238312..937df899f6 100644 --- a/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/configuration.yaml @@ -1,5 +1,5 @@ - name: Configure manager environment - hosts: managers + hosts: manager become: true tasks: diff --git a/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/generate_events.yaml index 66d5ef93f2..b9d5a0d9f1 100644 --- a/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/generate_events.yaml @@ -1,5 +1,5 @@ - name: Generate events - hosts: managers + hosts: manager become: true tasks: diff --git a/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/teardown.yaml index cb6a49ea71..1e382c6e11 100644 
--- a/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/teardown.yaml @@ -1,6 +1,6 @@ --- - name: Cleanup manager environment - hosts: managers + hosts: manager become: True tasks: diff --git a/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/configuration.yaml index 6107d3d415..3acc4f76ef 100644 --- a/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/configuration.yaml @@ -1,5 +1,5 @@ - name: Configure manager environment - hosts: managers + hosts: manager become: true tasks: diff --git a/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/generate_events.yaml index 9bb4048510..58d19a412d 100644 --- a/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/generate_events.yaml @@ -1,5 +1,5 @@ - name: Generate events - hosts: managers + hosts: manager become: true tasks: diff --git a/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/teardown.yaml index d4afcd1465..1a6c460184 100644 --- a/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/teardown.yaml 
@@ -1,6 +1,6 @@ --- - name: Cleanup manager environment - hosts: managers + hosts: manager become: True tasks: diff --git a/tests/end_to_end/test_basic_cases/test_slack_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_slack_integration/data/playbooks/configuration.yaml index d3090abaea..b525045f0b 100644 --- a/tests/end_to_end/test_basic_cases/test_slack_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_slack_integration/data/playbooks/configuration.yaml @@ -1,5 +1,5 @@ - name: Configure manager environment - hosts: managers + hosts: manager become: true vars: alerts_path: /var/ossec/logs/alerts/alerts.json diff --git a/tests/end_to_end/test_basic_cases/test_slack_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_slack_integration/data/playbooks/generate_events.yaml index 00fc96bd14..3b1a2f04c3 100644 --- a/tests/end_to_end/test_basic_cases/test_slack_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_slack_integration/data/playbooks/generate_events.yaml @@ -1,5 +1,5 @@ - name: Generate events - hosts: managers + hosts: manager vars: alerts_path: /var/ossec/logs/alerts/alerts.json integrations_log: /var/ossec/logs/integrations.log diff --git a/tests/end_to_end/test_basic_cases/test_slack_integration/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_slack_integration/data/playbooks/teardown.yaml index 0c1036099d..5d41054bdc 100644 --- a/tests/end_to_end/test_basic_cases/test_slack_integration/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_slack_integration/data/playbooks/teardown.yaml @@ -1,5 +1,5 @@ - name: Cleanup manager environment - hosts: managers + hosts: manager become: true vars: conf_path: /var/ossec/etc/ossec.conf 
diff --git a/tests/end_to_end/test_basic_cases/test_sql_injection/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_sql_injection/data/playbooks/generate_events.yaml index 1e7d4aecd5..9ecc68a7c3 100644 --- a/tests/end_to_end/test_basic_cases/test_sql_injection/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_sql_injection/data/playbooks/generate_events.yaml @@ -1,5 +1,5 @@ - name: Clean alerts file - hosts: managers + hosts: manager tasks: - name: Truncate alert.json @@ -18,7 +18,7 @@ timeout: 5 - name: Get alerts file - hosts: managers + hosts: manager tasks: - name: Get alerts.json diff --git a/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml index babf2a8bf8..b0b345e4ea 100644 --- a/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml @@ -1,5 +1,5 @@ - name: Clean alerts file - hosts: managers + hosts: manager become: true vars: alerts_path: /var/ossec/logs/alerts/alerts.json @@ -17,7 +17,7 @@ shell: curl http://testmynids.org/uid/index.html - name: Get alerts file - hosts: managers + hosts: manager become: true vars: alerts_path: /var/ossec/logs/alerts/alerts.json diff --git a/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/configuration.yaml index 20ca09d595..6df5009295 100644 --- a/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/configuration.yaml 
@@ -1,5 +1,5 @@ - name: Configure Linux agent environment - hosts: agents:&linux + hosts: agent:&linux tasks: - name: Configure agent to get a list of running processes @@ -37,7 +37,7 @@ when: ansible_facts['distribution'] == "Ubuntu" - name: Configure manager environment - hosts: managers + hosts: manager tasks: - name: Configure local rules diff --git a/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/generate_events.yaml index 42bd4bb28b..03c0e05b91 100644 --- a/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/generate_events.yaml @@ -1,5 +1,5 @@ - name: Clean alerts file - hosts: managers + hosts: manager tasks: - name: Truncate file alert.json @@ -7,7 +7,7 @@ become: true - name: Generate events - hosts: agents:&linux + hosts: agent:&linux tasks: - name: "{{ event_description_netcat }}" @@ -24,7 +24,7 @@ command: pkill -fx 'nc -l 8000' - name: Get alerts file - hosts: managers + hosts: manager tasks: - name: Get alerts.json diff --git a/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/teardown.yaml index 6f5b463626..681d0d6941 100644 --- a/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/teardown.yaml @@ -1,6 +1,6 @@ --- - name: Cleanup Linux agent environment - hosts: agents:&linux + hosts: agent:&linux become: True tasks: @@ -16,7 +16,7 @@ name: wazuh-agent - name: Cleanup manager environment - hosts: managers + hosts: manager become: True tasks: 
diff --git a/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/configuration.yaml index 67be2936ba..eb1a5ed9f6 100644 --- a/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/configuration.yaml @@ -1,5 +1,5 @@ - name: Configure manager environment - hosts: managers + hosts: manager become: true tasks: diff --git a/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/generate_events.yaml index 182a5d7b1b..a6e8c889e2 100644 --- a/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/generate_events.yaml @@ -11,7 +11,7 @@ timeout: 5 - name: Get alerts file - hosts: managers + hosts: manager tasks: - name: Get alerts.json diff --git a/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/teardown.yaml index 9eefe9b765..c3dd724568 100644 --- a/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/teardown.yaml @@ -1,6 +1,6 @@ --- - name: Cleanup manager environment - hosts: managers + hosts: manager become: True tasks: diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/configuration.yaml index 0a6213eb39..aec7971740 100644 
--- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/configuration.yaml @@ -21,7 +21,7 @@ shell: systemctl restart wazuh-agent - name: Configure manager environment - hosts: managers + hosts: manager tasks: - name: Truncate ossec.log diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml index 3aedb196b7..7f9e5510b7 100644 --- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml @@ -1,5 +1,5 @@ - name: Clean alerts file - hosts: managers + hosts: manager tasks: - name: Truncate file alert.json @@ -15,7 +15,7 @@ shell: "{{ command }}" - name: Get alerts file - hosts: managers + hosts: manager tasks: - name: Waiting for vulnerability scan, alert reporting and indexing diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py index 7e1754132e..857051bbbb 100644 --- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py +++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py 
@@ -8,7 +8,7 @@ type: end_to_end brief: This test will verify that Vulnerability Detector is working correctly. To be able to detect vulnerabilities, - agents can natively collect a list of installed applications (System inventory), sending it periodically to the + agent can natively collect a list of installed applications (System inventory), sending it periodically to the manager (where it is stored in local SQLite databases, one per agent). Also, the manager builds a global vulnerability database from publicly available CVE repositories, using it later to cross-correlate this information with the agent's applications inventory data. diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/configuration.yaml index 14ee240a75..e4df6c2ce8 100644 --- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/configuration.yaml @@ -31,7 +31,7 @@ net start wazuh - name: Configure manager environment - hosts: managers + hosts: manager tasks: - name: Truncate file ossec.log diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/generate_events.yaml index 74422c754a..a2c5ff7296 100644 --- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/generate_events.yaml 
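Review bot: The group rename appears to have been applied as a blanket text replacement and leaked into the module docstring of test_vulnerability_detector_linux.py: `agents can natively collect a list of installed applications` became `agent can natively collect ...`, which is ungrammatical and describes nothing about inventory groups. I would restore the original wording, `agents can natively collect a list of installed applications (System inventory), sending it periodically to the`, and limit the rename to the `hosts:` selectors and `host=` arguments that actually reference the inventory. The docstring this line belongs to starts and ends outside the hunk.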
@@ -1,5 +1,5 @@ - name: Clean alerts file - hosts: managers + hosts: manager tasks: - name: Truncate file alert.json @@ -14,7 +14,7 @@ ansible.windows.win_shell: "{{ command }}" - name: Get alerts file - hosts: managers + hosts: manager tasks: - name: Waiting for vulnerability scan, alert reporting and indexing diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py index 4967e06a36..16a9d8abf9 100644 --- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py +++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py @@ -8,7 +8,7 @@ type: end_to_end brief: This test will verify that Vulnerability Detector is working correctly. To be able to detect vulnerabilities, - agents can natively collect a list of installed applications (System inventory), sending it periodically to the + agent can natively collect a list of installed applications (System inventory), sending it periodically to the manager (where it is stored in local SQLite databases, one per agent). Also, the manager builds a global vulnerability database from publicly available CVE repositories, using it later to cross-correlate this information with the agent's applications inventory data. diff --git a/tests/end_to_end/test_basic_cases/test_windows_defender/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_windows_defender/data/playbooks/configuration.yaml index cd31920ee6..160320975a 100644 --- a/tests/end_to_end/test_basic_cases/test_windows_defender/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_windows_defender/data/playbooks/configuration.yaml 
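Review bot: The same over-broad replacement hit the module docstring of test_vulnerability_detection_windows.py in the last hunk on this line: `agents can natively collect a list of installed applications` was changed to `agent can natively collect ...`, which reads as a typo rather than a deliberate edit. I would revert that line to `agents can natively collect a list of installed applications (System inventory), sending it periodically to the`, since it is prose about Wazuh agents and not a reference to the renamed inventory group. The docstring starts and ends outside the hunk.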
@@ -29,7 +29,7 @@ net start wazuh - name: Configure manager environment - hosts: managers + hosts: manager tasks: - name: Configure local rules diff --git a/tests/end_to_end/test_basic_cases/test_windows_defender/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_windows_defender/data/playbooks/generate_events.yaml index f7df755e3f..52afaee332 100644 --- a/tests/end_to_end/test_basic_cases/test_windows_defender/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_windows_defender/data/playbooks/generate_events.yaml @@ -1,5 +1,5 @@ - name: Clean alerts file - hosts: managers + hosts: manager tasks: - name: Truncate file alert.json @@ -14,7 +14,7 @@ ansible.windows.win_shell: "{{ command }}" - name: Get alerts file - hosts: managers + hosts: manager tasks: - name: Waiting for alert diff --git a/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/configuration.yaml index 53979ca86c..e6065043cd 100644 --- a/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/configuration.yaml @@ -1,5 +1,5 @@ - name: Configure manager environment - hosts: managers + hosts: manager become: true tasks: diff --git a/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/generate_events.yaml index 98bc141632..a25584b76c 100644 --- a/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/generate_events.yaml @@ -1,5 +1,5 @@ - name: Generate events - hosts: managers + hosts: manager vars: alerts_path: /var/ossec/logs/alerts/alerts.json become: true 
diff --git a/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/teardown.yaml index 9fadf8faa5..03cc55e941 100644 --- a/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/teardown.yaml @@ -1,5 +1,5 @@ - name: Cleanup manager environment - hosts: managers + hosts: manager become: true tasks: From 2b4eb7b12aaa84c76809e3ab43358f34b8e3689e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Rebollo=20P=C3=A9rez?= Date: Thu, 25 Aug 2022 12:13:47 +0100 Subject: [PATCH 468/552] fix(#3165): E2E renamed inventory parameter --- tests/end_to_end/README.md | 4 ++-- tests/end_to_end/conftest.py | 10 +++++----- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/tests/end_to_end/README.md b/tests/end_to_end/README.md index a952fab337..d1400f03d7 100644 --- a/tests/end_to_end/README.md +++ b/tests/end_to_end/README.md @@ -152,13 +152,13 @@ test_basic_cases/ To execute these tests, we need to run the following command: ``` -python -m pytest --inventory_path= +python -m pytest --inventory-path= ``` #### Audit tests examples ```shell script -python3 -m pytest tests/end_to_end/test_basic_cases/test_audit/ --inventory_path=/home/juliamagan/Desktop/QA/2893/inventory.yml +python3 -m pytest tests/end_to_end/test_basic_cases/test_audit/ --inventory-path=/home/juliamagan/Desktop/QA/2893/inventory.yml ======================================================================== test session starts ======================================================================== platform linux -- Python 3.9.7, pytest-6.2.2, py-1.10.0, pluggy-0.13.1 rootdir: /home/juliamagan/Desktop/QA/wazuh-qa diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index fa4ebb7dca..cd7390b52f 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py 
@@ -32,7 +32,7 @@ def get_dashboard_credentials(request): Returns: dict: wazuh-dashboard credentials. """ - inventory_playbook = request.config.getoption('--inventory_path') + inventory_playbook = request.config.getoption('--inventory-path') if not inventory_playbook: raise ValueError('Inventory not specified') @@ -58,7 +58,7 @@ def configure_environment(request): Args: request (fixture): Provide information on the executing test function. """ - inventory_playbook = request.config.getoption('--inventory_path') + inventory_playbook = request.config.getoption('--inventory-path') if not inventory_playbook: raise ValueError('Inventory not specified') @@ -103,7 +103,7 @@ def generate_events(request, metadata): request (fixture): Provide information on the executing test function. metadata (dict): Dictionary with test case metadata. """ - inventory_playbook = request.config.getoption('--inventory_path') + inventory_playbook = request.config.getoption('--inventory-path') if not inventory_playbook: raise ValueError('Inventory not specified') @@ -127,7 +127,7 @@ def get_manager_ip(request): Returns: str: Manager IP. """ - inventory_playbook = request.config.getoption('--inventory_path') + inventory_playbook = request.config.getoption('--inventory-path') if not inventory_playbook: raise ValueError('Inventory not specified') @@ -145,7 +145,7 @@ def get_manager_ip(request): def pytest_addoption(parser): parser.addoption( - '--inventory_path', + '--inventory-path', action='store', metavar='INVENTORY_PATH', default=None, From 4bf678883f2085dd60f5bd3ab01f0f5089dd1e33 Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Thu, 25 Aug 2022 08:18:33 -0300 Subject: [PATCH 469/552] fix(#3144): rename task vulnerability detector windows --- .../data/playbooks/configuration.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/configuration.yaml index 1b52c5bbbc..31811203e6 100644 --- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/configuration.yaml @@ -45,7 +45,7 @@ shell: echo "" > /var/ossec/logs/ossec.log become: true - - name: Enabled vulnerability detector module + - name: Enable vulnerability detector module include_role: name: manage_wazuh_configurations tasks_from: write_wazuh_config.yaml From b12b68b88506ad1cd666db23ffdf1693f0abad0a Mon Sep 17 00:00:00 2001 
From: Belen Valdivia Date: Thu, 25 Aug 2022 10:41:35 -0300 Subject: [PATCH 470/552] feat(#3144): add config_block documentation and directory data/ansible_roles --- tests/end_to_end/conftest.py | 2 +- .../ansible_roles}/manage_alerts/tasks/get_alert_json.yaml | 0 .../manage_alerts/tasks/truncate_alert_json.yaml | 0 .../ansible_roles}/manage_wazuh/tasks/restart_wazuh.yaml | 0 .../tasks/write_local_decoders.yaml | 6 ++++++ .../tasks/write_local_rules.yaml | 6 ++++++ .../tasks/write_wazuh_config.yaml | 1 + 7 files changed, 14 insertions(+), 1 deletion(-) rename tests/end_to_end/{roles => data/ansible_roles}/manage_alerts/tasks/get_alert_json.yaml (100%) rename tests/end_to_end/{roles => data/ansible_roles}/manage_alerts/tasks/truncate_alert_json.yaml (100%) rename tests/end_to_end/{roles => data/ansible_roles}/manage_wazuh/tasks/restart_wazuh.yaml (100%) rename tests/end_to_end/{roles => data/ansible_roles}/manage_wazuh_configurations/tasks/write_local_decoders.yaml (64%) rename tests/end_to_end/{roles => data/ansible_roles}/manage_wazuh_configurations/tasks/write_local_rules.yaml (67%) rename tests/end_to_end/{roles => data/ansible_roles}/manage_wazuh_configurations/tasks/write_wazuh_config.yaml (89%) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index d355ef7d0f..ee827420db 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -166,7 +166,7 @@ def pytest_addoption(parser): '--roles_path', action='store', metavar='ROLES_PATH', - default=os.path.join(suite_path, 'roles'), + default=os.path.join(suite_path, 'data', 'ansible_roles'), type=str, help='Ansible roles path.', ) diff --git a/tests/end_to_end/roles/manage_alerts/tasks/get_alert_json.yaml b/tests/end_to_end/data/ansible_roles/manage_alerts/tasks/get_alert_json.yaml similarity index 100% rename from tests/end_to_end/roles/manage_alerts/tasks/get_alert_json.yaml rename to tests/end_to_end/data/ansible_roles/manage_alerts/tasks/get_alert_json.yaml 
diff --git a/tests/end_to_end/roles/manage_alerts/tasks/truncate_alert_json.yaml b/tests/end_to_end/data/ansible_roles/manage_alerts/tasks/truncate_alert_json.yaml similarity index 100% rename from tests/end_to_end/roles/manage_alerts/tasks/truncate_alert_json.yaml rename to tests/end_to_end/data/ansible_roles/manage_alerts/tasks/truncate_alert_json.yaml diff --git a/tests/end_to_end/roles/manage_wazuh/tasks/restart_wazuh.yaml b/tests/end_to_end/data/ansible_roles/manage_wazuh/tasks/restart_wazuh.yaml similarity index 100% rename from tests/end_to_end/roles/manage_wazuh/tasks/restart_wazuh.yaml rename to tests/end_to_end/data/ansible_roles/manage_wazuh/tasks/restart_wazuh.yaml diff --git a/tests/end_to_end/roles/manage_wazuh_configurations/tasks/write_local_decoders.yaml b/tests/end_to_end/data/ansible_roles/manage_wazuh_configurations/tasks/write_local_decoders.yaml similarity index 64% rename from tests/end_to_end/roles/manage_wazuh_configurations/tasks/write_local_decoders.yaml rename to tests/end_to_end/data/ansible_roles/manage_wazuh_configurations/tasks/write_local_decoders.yaml index 9f82151434..a8dde2a922 100644 --- a/tests/end_to_end/roles/manage_wazuh_configurations/tasks/write_local_decoders.yaml +++ b/tests/end_to_end/data/ansible_roles/manage_wazuh_configurations/tasks/write_local_decoders.yaml @@ -1,3 +1,9 @@ +# REQUIRED VARIABLES +# ------------------- +# +# GENERIC: +# - (String) config_block: Custom Wazuh decoders + - name: Configure local decoders become: true blockinfile: diff --git a/tests/end_to_end/roles/manage_wazuh_configurations/tasks/write_local_rules.yaml b/tests/end_to_end/data/ansible_roles/manage_wazuh_configurations/tasks/write_local_rules.yaml similarity index 67% rename from tests/end_to_end/roles/manage_wazuh_configurations/tasks/write_local_rules.yaml rename to tests/end_to_end/data/ansible_roles/manage_wazuh_configurations/tasks/write_local_rules.yaml index 0142f17ef4..a068916fb5 100644 
--- a/tests/end_to_end/roles/manage_wazuh_configurations/tasks/write_local_rules.yaml +++ b/tests/end_to_end/data/ansible_roles/manage_wazuh_configurations/tasks/write_local_rules.yaml @@ -1,3 +1,9 @@ +# REQUIRED VARIABLES +# ------------------- +# +# GENERIC: +# - (String) config_block: Custom Wazuh rules + - name: Configure local rules become: true blockinfile: diff --git a/tests/end_to_end/roles/manage_wazuh_configurations/tasks/write_wazuh_config.yaml b/tests/end_to_end/data/ansible_roles/manage_wazuh_configurations/tasks/write_wazuh_config.yaml similarity index 89% rename from tests/end_to_end/roles/manage_wazuh_configurations/tasks/write_wazuh_config.yaml rename to tests/end_to_end/data/ansible_roles/manage_wazuh_configurations/tasks/write_wazuh_config.yaml index b87b6422f6..0a01730a8f 100644 --- a/tests/end_to_end/roles/manage_wazuh_configurations/tasks/write_wazuh_config.yaml +++ b/tests/end_to_end/data/ansible_roles/manage_wazuh_configurations/tasks/write_wazuh_config.yaml @@ -3,6 +3,7 @@ # # GENERIC: # - (String) os: Target operating system +# - (String) config_block: Wazuh configuration block - name: Configure ossec.conf linux become: true From b157bd7bd724dc3402e99904c7e9b1297dbbd66c Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Thu, 25 Aug 2022 10:46:55 -0300 Subject: [PATCH 471/552] docs(#3142): README modified, minor changes were made. --- tests/end_to_end/README.md | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/tests/end_to_end/README.md b/tests/end_to_end/README.md index 1e51b4bb2e..c304301192 100644 --- a/tests/end_to_end/README.md +++ b/tests/end_to_end/README.md 
@@ -18,7 +18,7 @@ Our E2E tests will verify that, after generating an event, an alert will be trig To run these tests we need to use a **Linux** machine and install the following tools: - [Ansible](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html) -- [netcat](https://en.wikipedia.org/wiki/Netcat) +- [Netcat](https://www.tecmint.com/netcat-nc-command-examples/) Then, you will need to have an inventory with the needed hosts and variables. For example: @@ -156,6 +156,22 @@ To execute these tests, we need to run the following command: python -m pytest --inventory_path= ``` +#### Audit tests examples + +```shell script +python3 -m pytest tests/end_to_end/test_basic_cases/test_audit/ --inventory_path=/home/juliamagan/Desktop/QA/2893/inventory.yml +======================================================================== test session starts ======================================================================== +platform linux -- Python 3.9.7, pytest-6.2.2, py-1.10.0, pluggy-0.13.1 +rootdir: /home/juliamagan/Desktop/QA/wazuh-qa +plugins: metadata-2.0.1, html-3.1.1, testinfra-5.0.0 +collected 1 item + +tests/end_to_end/test_basic_cases/test_audit/test_audit.py . [100%] + +======================================================================== 1 passed in 16.05s ========================================================================= + +``` + ### Adding or modifying E2E tests When adding or modifying any test it is necesry to modify the file with the environment data, placed in `tests/end_to_end/data/env_requirements.json` 
@@ -188,19 +204,3 @@ To add specific validation tasks to a test, its necessary to add a new playbook E.g: Add validation tasks for test_audit by creating a playbook called `validation.yaml` in `tests/end_to_end/test_basic_cases/test_audit/data/playbooks` > The file name must always be "validation.yaml" - -#### Audit tests examples - -```shell script -python3 -m pytest tests/end_to_end/test_basic_cases/test_audit/ --inventory_path=/home/juliamagan/Desktop/QA/2893/inventory.yml -======================================================================== test session starts ======================================================================== -platform linux -- Python 3.9.7, pytest-6.2.2, py-1.10.0, pluggy-0.13.1 -rootdir: /home/juliamagan/Desktop/QA/wazuh-qa -plugins: metadata-2.0.1, html-3.1.1, testinfra-5.0.0 -collected 1 item - -tests/end_to_end/test_basic_cases/test_audit/test_audit.py . [100%] - -======================================================================== 1 passed in 16.05s ========================================================================= - -``` From 0e9681e65c80d9a8bcd3449ce976b4fb643a7274 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Thu, 25 Aug 2022 12:21:00 -0300 Subject: [PATCH 472/552] fix(#3142)!: roles path option fixed. --- tests/end_to_end/conftest.py | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 5e502c3448..1ea1fa841e 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -190,7 +190,7 @@ def configure_environment(request): request (fixture): Provide information on the executing test function. """ inventory_playbook = request.config.getoption('--inventory_path') - roles_path = request.config.getoption('--roles_path') + roles_path = request.config.getoption('--roles-path') if not inventory_playbook: raise ValueError('Inventory not specified') 
@@ -240,7 +240,7 @@ def generate_events(request, metadata): metadata (dict): Dictionary with test case metadata. """ inventory_playbook = request.config.getoption('--inventory_path') - roles_path = request.config.getoption('--roles_path') + roles_path = request.config.getoption('--roles-path') if not inventory_playbook: raise ValueError('Inventory not specified') @@ -291,3 +291,12 @@ def pytest_addoption(parser): type=str, help='Inventory path', ) + + parser.addoption( + '--roles-path', + action='store', + metavar='ROLES_PATH', + default=os.path.join(suite_path, 'data', 'ansible_roles'), + type=str, + help='Ansible roles path.', + ) From 47c199b80ea907e21cc8d14f8c6fedcd084ca485 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Thu, 25 Aug 2022 13:51:24 -0300 Subject: [PATCH 473/552] docs(#3142): fix typo in README.md --- tests/end_to_end/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/README.md b/tests/end_to_end/README.md index c304301192..e72f579fd2 100644 --- a/tests/end_to_end/README.md +++ b/tests/end_to_end/README.md @@ -174,7 +174,7 @@ tests/end_to_end/test_basic_cases/test_audit/test_audit.py . ### Adding or modifying E2E tests -When adding or modifying any test it is necesry to modify the file with the environment data, placed in `tests/end_to_end/data/env_requirements.json` +When adding or modifying any test it is necessary to modify the file with the environment data, placed in `tests/end_to_end/data/env_requirements.json` This file is used to validate the environments where the selected tests will be executed and it follows this structure: ``` From f44f8b15a528839f30b11baa4a3ec84de7876255 Mon Sep 17 00:00:00 2001 
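Review bot: The `--roles-path` option added at the end of `pytest_addoption` uses a hyphen while the `--inventory_path` option registered just above it (and read beside `roles_path` in the `configure_environment` and `generate_events` hunks) keeps an underscore, so one command line now mixes both spellings. Pick one convention for the whole suite; since `--inventory_path` already appears in the README and the fixtures, the smaller change is to register this one as `'--roles_path',` and keep the `getoption('--roles_path')` calls the commit replaces. If an earlier `--roles_path` registration still exists elsewhere in the file, it should be dropped so there is a single option for this setting. `suite_path`, used in the default, is defined outside the hunk.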
From: Mauro Malara Date: Thu, 25 Aug 2022 14:02:44 -0300 Subject: [PATCH 474/552] fix(#3142): fix OS nomenclature --- .../host_checker/tasks/check_controller_indexer.yaml | 2 +- .../host_checker/tasks/check_filebeat_indexer.yaml | 4 ++-- .../data/ansible_roles/host_checker/tasks/check_os.yaml | 4 ++-- .../ansible_roles/host_checker/tasks/check_python.yaml | 6 +++--- .../host_checker/tasks/check_wazuh_components.yaml | 8 ++++---- .../service_controller/tasks/get_installation_type.yaml | 2 +- .../data/validation_templates/general_validation.j2 | 2 +- 7 files changed, 14 insertions(+), 14 deletions(-) diff --git a/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_controller_indexer.yaml b/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_controller_indexer.yaml index 686d837ae5..7508c51c3f 100644 --- a/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_controller_indexer.yaml +++ b/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_controller_indexer.yaml @@ -13,7 +13,7 @@ ignore_errors: true register: test_result delegate_to: localhost - when: (os == 'Linux' and 'server' in wazuh_info.stdout) + when: (os == 'linux' and 'server' in wazuh_info.stdout) - name: Check the connection between Controller node and Wazuh Indexer set_fact: diff --git a/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_filebeat_indexer.yaml b/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_filebeat_indexer.yaml index 5a4981a8e2..16021dc517 100644 --- a/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_filebeat_indexer.yaml +++ b/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_filebeat_indexer.yaml 
@@ -12,10 +12,10 @@ shell: filebeat test output register: test_result ignore_errors: true - when: (os == 'Linux' and 'server' in wazuh_info.stdout) + when: (os == 'linux' and 'server' in wazuh_info.stdout) - name: Check the connection between Filebeat and Wazuh Indexer set_fact: check_result: 'true' errors: "{{ errors }}Filebeat cannot connect correctly with Wazuh Indexer.\n" - when: (os == 'Linux' and 'server' in wazuh_info.stdout and 'ERROR' in test_result.stdout) + when: (os == 'linux' and 'server' in wazuh_info.stdout and 'ERROR' in test_result.stdout) diff --git a/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_os.yaml b/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_os.yaml index fdaaeb9d21..c4f2b30719 100644 --- a/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_os.yaml +++ b/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_os.yaml @@ -7,10 +7,10 @@ set_fact: check_result: 'true' errors: "{{ errors }}The {{ ansible_distribution }} distro isn't supported for the selected tests currently.\n" - when: (ansible_distribution not in supported_distros and os == "Linux") + when: (ansible_distribution not in supported_distros and os == "linux") - name: Check OS (Windows) set_fact: check_result: 'true' errors: "{{ errors }}The {{ os }} OS isn't supported for the selected tests currently.\n" - when: (os == "Windows" and os not in supported_distros) + when: (os == "windows" and os not in supported_distros) diff --git a/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_python.yaml b/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_python.yaml index 6c20df37bc..03a8f03393 100644 --- a/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_python.yaml +++ b/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_python.yaml 
@@ -6,15 +6,15 @@ set_fact: check_result: 'true' errors: "{{ errors }}Python version is less than 3. Current version: {{ ansible_python_version }}\n" - when: (os == "Linux" and ansible_python['version']['major'] < 3) + when: (os == "linux" and ansible_python['version']['major'] < 3) - name: Get Python version (Windows) win_shell: python -V register: version - when: os == 'Windows' + when: os == 'windows' - name: Check default Python version (Windows) set_fact: check_result: 'true' errors: "{{ errors }}Python version is less than 3. Current version: {{ version.stdout }}\n" - when: (os == "Windows" and version.stdout.split(" ")[1].split(".")[0] | int < 3) + when: (os == "windows" and version.stdout.split(" ")[1].split(".")[0] | int < 3) diff --git a/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_wazuh_components.yaml b/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_wazuh_components.yaml index 88ead12940..b62a8e81cb 100644 --- a/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_wazuh_components.yaml +++ b/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_wazuh_components.yaml @@ -9,13 +9,13 @@ - name: Populate services facts service_facts: - when: os == 'Linux' + when: os == 'linux' - name: Check the status of Wazuh components (Manager) set_fact: check_result: 'true' errors: "{{ errors }}{{ ansible_facts.services[item].name }} is not running.\n" - when: (os == 'Linux' and 'server' in wazuh_info.stdout and ansible_facts.services[item].state != 'running') + when: (os == 'linux' and 'server' in wazuh_info.stdout and ansible_facts.services[item].state != 'running') with_items: - wazuh-manager.service - wazuh-indexer.service 
@@ -23,10 +23,10 @@ - set_fact: service: wazuh-agent.service - when: (os == 'Linux' and 'agent' in wazuh_info.stdout) + when: (os == 'linux' and 'agent' in wazuh_info.stdout) - name: Check the status of Wazuh Agent set_fact: check_result: 'true' errors: "{{ errors }}{{ ansible_facts.services[service].name }} is not running.\n" - when: (os == 'Linux' and 'agent' in wazuh_info.stdout and ansible_facts.services[service].state != 'running') + when: (os == 'linux' and 'agent' in wazuh_info.stdout and ansible_facts.services[service].state != 'running') diff --git a/tests/end_to_end/data/ansible_roles/service_controller/tasks/get_installation_type.yaml b/tests/end_to_end/data/ansible_roles/service_controller/tasks/get_installation_type.yaml index 7396a6aea7..76b7285be7 100644 --- a/tests/end_to_end/data/ansible_roles/service_controller/tasks/get_installation_type.yaml +++ b/tests/end_to_end/data/ansible_roles/service_controller/tasks/get_installation_type.yaml @@ -6,4 +6,4 @@ become: true shell: /var/ossec/bin/wazuh-control info register: wazuh_info - when: os == 'Linux' + when: os == 'linux' diff --git a/tests/end_to_end/data/validation_templates/general_validation.j2 b/tests/end_to_end/data/validation_templates/general_validation.j2 index 27c54dc219..767aa3ba60 100644 --- a/tests/end_to_end/data/validation_templates/general_validation.j2 +++ b/tests/end_to_end/data/validation_templates/general_validation.j2 @@ -4,5 +4,5 @@ roles: - role: host_checker vars: - os: "{% raw %}{{ 'Windows' if ansible_os_family == 'Windows' else 'Linux' }}{% endraw %}" + os: "{% raw %}{{ 'windows' if ansible_os_family == 'Windows' else 'linux' }}{% endraw %}" supported_distros: {{ distros }} From 13ba02d0297928121532f3102c485bf53c9dda51 Mon Sep 17 00:00:00 2001 
From: Mauro Malara Date: Thu, 25 Aug 2022 14:30:44 -0300 Subject: [PATCH 475/552] fix(#3142)!: fix distribution name in check_os validation --- .../data/ansible_roles/host_checker/tasks/check_os.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_os.yaml b/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_os.yaml index c4f2b30719..9d559e9cc8 100644 --- a/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_os.yaml +++ b/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_os.yaml @@ -13,4 +13,4 @@ set_fact: check_result: 'true' errors: "{{ errors }}The {{ os }} OS isn't supported for the selected tests currently.\n" - when: (os == "windows" and os not in supported_distros) + when: (os == "windows" and os|capitalize not in supported_distros) From dc973dddaf65977723112e430ff133eb2a1d0ef1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Rebollo=20P=C3=A9rez?= Date: Fri, 26 Aug 2022 11:13:46 +0100 Subject: [PATCH 476/552] fix: change alas with centos --- provisioning/environments/end_to_end_environment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/provisioning/environments/end_to_end_environment.yaml b/provisioning/environments/end_to_end_environment.yaml index 6685a7c1ac..a214269487 100644 --- a/provisioning/environments/end_to_end_environment.yaml +++ b/provisioning/environments/end_to_end_environment.yaml @@ -8,7 +8,7 @@ ubuntu-agent: manager: centos-manager centos-agent: - os: amazonlinux + os: centos roles: [agent] manager: centos-manager From 5edb73d711ae779bb4c447f88273ff005e019659 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Rebollo=20P=C3=A9rez?= Date: Fri, 26 Aug 2022 12:13:42 +0100 Subject: [PATCH 477/552] fix(#3165): change centos with alas --- provisioning/environments/end_to_end_environment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/provisioning/environments/end_to_end_environment.yaml b/provisioning/environments/end_to_end_environment.yaml index a214269487..6685a7c1ac 100644 --- a/provisioning/environments/end_to_end_environment.yaml +++ b/provisioning/environments/end_to_end_environment.yaml @@ -8,7 +8,7 @@ ubuntu-agent: manager: centos-manager centos-agent: - os: centos + os: amazonlinux roles: [agent] manager: centos-manager From 0d6b9e5c078a781c778cd9dadda685fb95e1cf2a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Rebollo=20P=C3=A9rez?= Date: Mon, 29 Aug 2022 16:51:55 +0100 Subject: [PATCH 478/552] fix: add end_to_end with centos os --- provisioning/environments/end_to_end_environment.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/provisioning/environments/end_to_end_environment.yaml b/provisioning/environments/end_to_end_environment.yaml index 6685a7c1ac..e7b1ac329e 100644 --- a/provisioning/environments/end_to_end_environment.yaml +++ b/provisioning/environments/end_to_end_environment.yaml @@ -1,5 +1,5 @@ centos-manager: - os: amazonlinux + os: centos roles: [aio] ubuntu-agent: @@ -8,7 +8,7 @@ ubuntu-agent: manager: centos-manager centos-agent: - os: amazonlinux + os: centos roles: [agent] manager: centos-manager From 7848975f06c399df618faf5436ef5c497852d50f Mon Sep 17 00:00:00 2001 From: Julia Date: Tue, 30 Aug 2022 10:12:12 +0200 Subject: [PATCH 479/552] refactor(#3199): skip VD tests until issues are resolved --- .../test_vulnerability_detector_linux.py | 1 + .../test_vulnerability_detection_windows.py | 1 + 2 files changed, 2 insertions(+) diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py index 7e1754132e..ebce404970 100644 
--- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py +++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py @@ -64,6 +64,7 @@ configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) +@pytest.mark.skip(reason="It will be blocked by wazuh/wazuh-jenkins#3897, when it is resolved, we can enable the test") @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) def test_vulnerability_detector_linux(configure_environment, metadata, get_dashboard_credentials, get_manager_ip, diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py index 4967e06a36..34cf174d36 100644 --- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py +++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py @@ -65,6 +65,7 @@ configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) +@pytest.mark.skip(reason="It will be blocked by wazuh/wazuh#14736, when it is resolved, we can enable the test") @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) def test_vulnerability_detector_windows(configure_environment, metadata, get_dashboard_credentials, get_manager_ip, From b89351d052abf5446b507198a30c907a3af34992 Mon Sep 17 00:00:00 2001 
From: Julia Date: Tue, 30 Aug 2022 10:48:39 +0200 Subject: [PATCH 480/552] refactor(#3199): change skip to xfail --- .../test_vulnerability_detection_windows.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py index 34cf174d36..c61b8531f7 100644 --- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py +++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py @@ -65,7 +65,7 @@ configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) -@pytest.mark.skip(reason="It will be blocked by wazuh/wazuh#14736, when it is resolved, we can enable the test") +@pytest.mark.xfail(reason="It will be blocked by wazuh/wazuh#14736, when it is resolved, we can enable the test") @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) def test_vulnerability_detector_windows(configure_environment, metadata, get_dashboard_credentials, get_manager_ip, From c45958ae864717c473e36f3e624d98fb0236f708 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Tue, 30 Aug 2022 09:49:16 -0300 Subject: [PATCH 481/552] feat(#3203): add a function to validate the inventory. Check that the names of the groups are valid. --- tests/end_to_end/conftest.py | 32 +++++++++++++++++++++ tests/end_to_end/data/env_requirements.json | 2 +- 2 files changed, 33 insertions(+), 1 deletion(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 1ea1fa841e..862a973264 100644 
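Review bot: Switching `@pytest.mark.skip` to `@pytest.mark.xfail` on `test_vulnerability_detector_windows` means the test and its environment fixtures (`configure_environment`, `generate_events`, `get_dashboard_credentials`, `get_manager_ip`) now execute against the hosts, which the skip marker avoided. If the goal is only to keep the blocking issue on record, `@pytest.mark.xfail(reason="It will be blocked by wazuh/wazuh#14736, when it is resolved, we can enable the test", run=False)` keeps the xfail accounting without running the blocked scenario. Without `strict=True` an unexpected pass is reported as XPASS rather than a failure, so nothing will flag when the referenced issue is resolved and the marker becomes stale. The test's signature and body continue outside the hunk.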
--- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -5,6 +5,7 @@ import ansible_runner import pytest import json +import yaml from tempfile import gettempdir from wazuh_testing.tools.file import remove_file @@ -33,12 +34,39 @@ def get_target_hosts_and_distros(test_suite_name, target_distros=[], target_host return target_hosts, target_distros +def validate_inventory(inventory_path): + """Check if the Ansible inventory follows our standard defined in the README.md file, inside the E2E suite. + + This function validate if the groups/subgroups in the inventory are in our list of valid groups. + + Args: + inventory_path (str): Path to Ansible inventory. + """ + valid_groups = ['managers', 'agents', 'linux', 'windows', 'all'] + inventory_dict = yaml.safe_load(open(inventory_path)) + + for group in inventory_dict: + # Check if the current group is valid + if group not in valid_groups: + raise Exception(f"'{group}' is not a valid group for E2E tests. Read the README.md file " + "to build a valid inventory.") + try: + # Check if the subgroups are valid (if any) + for subgroup in inventory_dict[group]['children']: + if subgroup not in valid_groups: + raise Exception(f"'{subgroup}' is not a valid group for E2E tests. Read the README.md file " + "to build a valid inventory.") + except KeyError: + # Do not throw an exception if the group has no subgroups within it + pass + @pytest.fixture(scope='session', autouse=True) def validate_environments(request): """Fixture with session scope to validate the environments before run the E2E tests. This phase is divided into 4 steps: + Step 0: Check the Ansible inventory. Step 1: Collect the data related to the selected tests that will be executed. Step 2: Generate a playbook containing cross-checks for selected tests. Step 3: Run the generated playbook. 
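Review bot: In `validate_inventory`, `yaml.safe_load(open(inventory_path))` never closes the file handle; use `with open(inventory_path) as inventory_file:` followed by `inventory_dict = yaml.safe_load(inventory_file)`. The same call survives unchanged as context in the follow-up hunk of PATCH 482 at the end of this page. The two `raise Exception(...)` statements would be more useful to callers as `ValueError`, matching the `raise ValueError('Inventory not specified')` already used by the fixtures in this file, and an empty inventory file makes `safe_load` return `None`, so `for group in inventory_dict` then fails with a `TypeError` instead of a clear message. `safe_load` is the right loader here since the inventory path is user-supplied.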
@@ -56,6 +84,10 @@ def validate_environments(request): if not inventory_path: raise ValueError('Inventory not specified') + # -------------------------------------- Step 0: Check the Ansible inventory --------------------------------------- + validate_inventory(inventory_path) + # -------------------------------------------------- End of Step 0 ------------------------------------------------- + # --------------------------------------- Step 1: Prepare the necessary data --------------------------------------- test_suites_paths = [] target_hosts = [] diff --git a/tests/end_to_end/data/env_requirements.json b/tests/end_to_end/data/env_requirements.json index ad9baf33cc..cb3ef640b3 100644 --- a/tests/end_to_end/data/env_requirements.json +++ b/tests/end_to_end/data/env_requirements.json @@ -45,7 +45,7 @@ ] }, "agent": { - "instances": 2, + "instances": 1, "distros": [ "Windows" ] From 24fcdb953e35b93240de262c717cfc67bd9220f3 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Tue, 30 Aug 2022 10:56:29 -0300 Subject: [PATCH 482/552] refactor(#3203): add hostname's format check. --- tests/end_to_end/conftest.py | 61 ++++++++++++++++++++++++------------ 1 file changed, 41 insertions(+), 20 deletions(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 862a973264..1aa6f9a934 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py 
@@ -34,42 +34,63 @@ def get_target_hosts_and_distros(test_suite_name, target_distros=[], target_host return target_hosts, target_distros -def validate_inventory(inventory_path): + +def validate_inventory(inventory_path, valid_hosts): """Check if the Ansible inventory follows our standard defined in the README.md file, inside the E2E suite. - This function validate if the groups/subgroups in the inventory are in our list of valid groups. + This function checks: + 1. If the groups/subgroups in the inventory are in our list of valid groups. + 2. If the hostnames follow our standard (-) Args: - inventory_path (str): Path to Ansible inventory. + inventory_path (str): Path to Ansible inventory. + valid_hosts (list[str]): List of valid hosts for the selected tests. """ valid_groups = ['managers', 'agents', 'linux', 'windows', 'all'] inventory_dict = yaml.safe_load(open(inventory_path)) + errors = [] + default_err_msg = 'Read the README.md file inside the E2E suite to build a valid inventory.' for group in inventory_dict: # Check if the current group is valid if group not in valid_groups: - raise Exception(f"'{group}' is not a valid group for E2E tests. Read the README.md file " - "to build a valid inventory.") + errors.append(f"'{group}' isn't a valid group for E2E tests.") + # Check if the hosts of the group have valid names + if 'hosts' in inventory_dict[group]: + for hostname in inventory_dict[group]['hosts']: + if hostname not in valid_hosts: + errors.append(f"The hostname '{hostname}' doesn't follow our standard: - or" + " isn't a necessary host for the execution of the selected tests.") + # Check if the subgroups are valid (if any) try: - # Check if the subgroups are valid (if any) - for subgroup in inventory_dict[group]['children']: + subgroups = inventory_dict[group]['children'] + for subgroup in subgroups: if subgroup not in valid_groups: - raise Exception(f"'{subgroup}' is not a valid group for E2E tests. 
Read the README.md file " - "to build a valid inventory.") + errors.append(f"'{subgroup}' is not a valid subgroup for E2E tests.") + # Check if the hosts of the subgroup have valid names + for hostname in subgroups[subgroup]['hosts']: + if hostname not in valid_hosts: + errors.append(f"The hostname '{hostname}' doesn't follow our standard: -" + " or isn't a necessary host for the execution of the selected tests.") except KeyError: # Do not throw an exception if the group has no subgroups within it pass + if errors != []: + errors.append(default_err_msg) + error_msg = '\n'.join(errors) + raise Exception(error_msg) + @pytest.fixture(scope='session', autouse=True) def validate_environments(request): """Fixture with session scope to validate the environments before run the E2E tests. This phase is divided into 4 steps: - Step 0: Check the Ansible inventory. Step 1: Collect the data related to the selected tests that will be executed. - Step 2: Generate a playbook containing cross-checks for selected tests. - Step 3: Run the generated playbook. + Step 2: Check the Ansible inventory. + Step 3: Generate a playbook containing cross-checks for selected tests. + Step 4: Run the generated playbook. Args: request (fixture): Gives access to the requesting test context. @@ -84,10 +105,6 @@ def validate_environments(request): if not inventory_path: raise ValueError('Inventory not specified') - # -------------------------------------- Step 0: Check the Ansible inventory --------------------------------------- - validate_inventory(inventory_path) - # -------------------------------------------------- End of Step 0 ------------------------------------------------- - # --------------------------------------- Step 1: Prepare the necessary data --------------------------------------- test_suites_paths = [] target_hosts = [] 
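Review bot: In the rewritten `validate_inventory`, the `try`/`except KeyError` that was meant to tolerate a group without `children` now also wraps `subgroups[subgroup]['hosts']`, so a subgroup with no `hosts` key raises `KeyError` mid-loop, the exception is swallowed, and the remaining subgroups of that group are never checked. Replace the try/except with explicit lookups, `subgroups = inventory_dict[group].get('children', {})` and `for hostname in subgroups[subgroup].get('hosts', {}):`, which keeps the "no subgroups" case silent without hiding other misses. `if errors != []:` reads more idiomatically as `if errors:`, and the two hostname messages differ only in line wrapping, so one module-level constant would keep them identical. The docstring's hostname format placeholder appears as a bare `-`; if the bracketed form was lost, spell it out in words, e.g. `2. If the hostnames follow our standard: lowercase distro name, a hyphen, then manager or agent`.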
@@ -109,7 +126,11 @@ def validate_environments(request): target_hosts, target_distros = get_target_hosts_and_distros(test_suite_name, target_distros, target_hosts) # -------------------------------------------------- End of Step 1 ------------------------------------------------- - # ---------------------- Step 2: Run the playbook to generate the general validation playbook ---------------------- + # -------------------------------------- Step 2: Check the Ansible inventory --------------------------------------- + validate_inventory(inventory_path, target_hosts) + # -------------------------------------------------- End of Step 2 ------------------------------------------------- + + # ---------------------- Step 3: Run the playbook to generate the general validation playbook ---------------------- gen_parameters = { 'playbook': playbook_generator, 'inventory': inventory_path, 'extravars': { @@ -120,9 +141,9 @@ def validate_environments(request): } } ansible_runner.run(**gen_parameters) - # -------------------------------------------------- End of Step 2 ------------------------------------------------- + # -------------------------------------------------- End of Step 3 ------------------------------------------------- - # ----------------------------------- Step 3: Run the general validation playbook ---------------------------------- + # ----------------------------------- Step 4: Run the general validation playbook ---------------------------------- parameters = { 'playbook': general_playbook, 'inventory': inventory_path, 
@@ -142,7 +163,7 @@ def validate_environments(request): # Raise the exception with errors details raise Exception(f"The general validations have failed. Please check that the environments meet the expected " f"requirements. Result:\n{errors}") - # -------------------------------------------------- End of Step 3 ------------------------------------------------- + # -------------------------------------------------- End of Step 4 ------------------------------------------------- @pytest.fixture(scope='module', autouse=True) From 5e0c26e5ba4819adc4fac59f99f63594fc295442 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Rebollo=20P=C3=A9rez?= Date: Tue, 30 Aug 2022 16:42:59 +0100 Subject: [PATCH 483/552] fix(#3165): error in system test collection --- deps/wazuh_testing/wazuh_testing/fim.py | 43 ++++++++++++++----- tests/system/test_fim/__init__.py | 26 ----------- .../test_fim/test_files/test_files_cud.py | 8 ++-- .../test_synchronization.py | 8 ++-- .../test_multigroups/test_multigroups.py | 21 ++++++--- 5 files changed, 54 insertions(+), 52 deletions(-) diff --git a/deps/wazuh_testing/wazuh_testing/fim.py b/deps/wazuh_testing/wazuh_testing/fim.py index fdf16b54d8..445eb85bc3 100644 --- a/deps/wazuh_testing/wazuh_testing/fim.py +++ b/deps/wazuh_testing/wazuh_testing/fim.py @@ -176,16 +176,16 @@ def registry_value_cud(): def registry_key_cud(): pass - + def registry_value_create(): pass def registry_value_update(): pass - + def registry_value_delete(): pass - + def create_values_content(): pass @@ -1968,7 +1968,7 @@ def transform_registry_list(value_list=['test_value'], value_type=win32con.REG_S value_default_content = '' else: value_default_content = 1 - + aux_dict = {} if isinstance(value_list, list): for elem in value_list: @@ -1980,7 +1980,7 @@ def transform_registry_list(value_list=['test_value'], value_type=win32con.REG_S else: raise ValueError('It can only be a list or dictionary') - + return aux_dict 
@@ -2033,7 +2033,7 @@ def registry_value_create(root_key, registry_sub_key, log_monitor, arch=KEY_WOW6 value_added_content = 'added' else: value_added_content = 0 - + options_set = set_check_options(options) custom_validator = CustomValidator(validators_after_create, None, None, None) @@ -2051,7 +2051,7 @@ def registry_value_create(root_key, registry_sub_key, log_monitor, arch=KEY_WOW6 if name in registry_path: continue modify_registry_value(key_handle, name, value_type, value_added_content) - + wait_for_scheduled_scan(wait_for_scan=wait_for_scan, interval=scan_delay, monitor=log_monitor) registry_event_checker.fetch_and_check('added', min_timeout=min_timeout, triggers_event=triggers_event) @@ -2102,9 +2102,9 @@ def registry_value_update(root_key, registry_sub_key, log_monitor, arch=KEY_WOW6 registry_dict=value_list, options=options_set, custom_validator=custom_validator, encoding=encoding, callback=callback, is_value=True) - + key_handle = create_registry(registry_parser[root_key], registry_sub_key, arch) - + # Modify previous registry values for name, content in value_list.items(): if name in registry_path: @@ -2160,9 +2160,9 @@ def registry_value_delete(root_key, registry_sub_key, log_monitor, arch=KEY_WOW6 registry_dict=value_list, options=options_set, custom_validator=custom_validator, encoding=encoding, callback=callback, is_value=True) - + key_handle = create_registry(registry_parser[root_key], registry_sub_key, arch) - + # Delete previous registry values for name, _ in value_list.items(): if name in registry_path: 
@@ -2710,3 +2710,24 @@ def check_fim_start(file_monitor): detect_whodata_start(file_monitor) else: detect_initial_scan(file_monitor) + + +# Create folder and file inside +def create_folder_file(host_manager, folder_path): + # Create folder + host_manager.run_command('wazuh-agent1', f'mkdir {folder_path}') + + # Create file + host_manager.run_command('wazuh-agent1', f'touch {folder_path}/{folder_path}.txt') + + +# Check that fim scan end +def wait_for_fim_scan_end(HostMonitor, inventory_path, messages_path, tmp_path): + HostMonitor(inventory_path=inventory_path, + messages_path=messages_path, + tmp_path=tmp_path).run() + + +# Function that use to run a script inside remote host to execute queries to DB +def query_db(host_manager, script, db_path, query): + return host_manager.run_command('wazuh-manager', "python {} --db_path {} --query {}".format(script, db_path, query)) \ No newline at end of file diff --git a/tests/system/test_fim/__init__.py b/tests/system/test_fim/__init__.py index 3e3cacd2eb..e69de29bb2 100644 --- a/tests/system/test_fim/__init__.py +++ b/tests/system/test_fim/__init__.py 
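Review bot: `query_db` interpolates `script`, `db_path` and `query` unquoted into a shell command string, so a query containing spaces or quotes (which nearly every SQL statement does) is split into several arguments by the remote shell and `--query` receives only its first token, assuming `run_command` hands the string to a shell on the remote host; quote each value, e.g. `cmd = f"python {shlex.quote(script)} --db_path {shlex.quote(db_path)} --query {shlex.quote(query)}"` (with `import shlex` at the top of the module), which also stops path or query content from being interpreted by the shell. The same applies to `f'mkdir {folder_path}'` and the `touch` line in `create_folder_file`. The hostnames `'wazuh-agent1'` and `'wazuh-manager'` are hard-coded in helpers that now live in the shared `wazuh_testing.fim` module; a `host` parameter with those as defaults would keep the callers working while making the helpers reusable. The header comments would serve better as docstrings, e.g. for `query_db`: `"""Run *script* on the manager host to execute *query* against the database at *db_path* and return the command output."""`.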
@@ -1,26 +0,0 @@ -# copyright: Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 -import os -from wazuh_testing.tools import WAZUH_LOGS_PATH - - -# Create folder and file inside -def create_folder_file(host_manager, folder_path): - # Create folder - host_manager.run_command('wazuh-agent1', f'mkdir {folder_path}') - - # Create file - host_manager.run_command('wazuh-agent1', f'touch {folder_path}/{folder_path}.txt') - - -# Check that fim scan end -def wait_for_fim_scan_end(HostMonitor, inventory_path, messages_path, tmp_path): - HostMonitor(inventory_path=inventory_path, - messages_path=messages_path, - tmp_path=tmp_path).run() - - -# Function that use to run a script inside remote host to execute queries to DB -def query_db(host_manager, script, db_path, query): - return host_manager.run_command('wazuh-manager', "python {} --db_path {} --query {}".format(script, db_path, query)) diff --git a/tests/system/test_fim/test_files/test_files_cud.py b/tests/system/test_fim/test_files/test_files_cud.py index 912f7f8c41..0d45911f8a 100644 --- a/tests/system/test_fim/test_files/test_files_cud.py +++ b/tests/system/test_fim/test_files/test_files_cud.py @@ -46,7 +46,7 @@ from wazuh_testing.tools.monitoring import HostMonitor from wazuh_testing.tools.system import HostManager, clean_environment from wazuh_testing.tools import WAZUH_LOGS_PATH -from test_fim import create_folder_file, wait_for_fim_scan_end +from wazuh_testing.fim import create_folder_file, wait_for_fim_scan_end # Hosts @@ -67,7 +67,7 @@ @pytest.mark.parametrize('folder_path', ['testdir1', 'testdir2', 'testdir3']) def test_file_cud(folder_path, case): ''' - + description: The test will monitor a directory. Finally, it will verify that the FIM event is generated in agent and manager side. 
@@ -84,10 +84,10 @@ def test_file_cud(folder_path, case): assertions: - Verify that FIM events are generated correctly on the manager and agent sides. - + input_description: Different test cases are included with Pytest parametrize. The test cases are: add, modify and delete files. - + expected_output: - Different test cases are contained in external YAML file (delete_message.yml and messages.yml) diff --git a/tests/system/test_fim/test_synchronization/test_synchronization.py b/tests/system/test_fim/test_synchronization/test_synchronization.py index 65a41a75a5..58eb6e9ee5 100644 --- a/tests/system/test_fim/test_synchronization/test_synchronization.py +++ b/tests/system/test_fim/test_synchronization/test_synchronization.py @@ -49,7 +49,7 @@ from wazuh_testing.tools.monitoring import HostMonitor from wazuh_testing.tools.system import HostManager, clean_environment from wazuh_testing.tools import WAZUH_LOGS_PATH -from test_fim import create_folder_file, query_db +from wazuh_testing.fim import create_folder_file, query_db # Hosts @@ -95,12 +95,12 @@ def test_synchronization(folder_path, case, host): assertions: - Verify that FIM sync events are generated correctly on the manager and agent sides. - + input_description: Different test cases are included with Pytest parametrize. The test cases are: add, modify and delete files. - + expected_output: - - Different test cases are contained in external YAML file + - Different test cases are contained in external YAML file (agent_initializing_synchronization.yml and manager_initializing_synchronization.yml) tags: - fim_basic_usage diff --git a/tests/system/test_multigroups/test_multigroups.py b/tests/system/test_multigroups/test_multigroups.py index 9beda5942b..b720c02ed5 100644 --- a/tests/system/test_multigroups/test_multigroups.py +++ b/tests/system/test_multigroups/test_multigroups.py 
@@ -24,11 +24,18 @@ inventory_path = os.path.join(os.path.dirname(os.path.dirname(os.path.abspath(__file__))), 'provisioning', 'basic_cluster', 'inventory.yml') host_manager = HostManager(inventory_path) -token = host_manager.get_api_token(test_hosts[0]) + + time_to_update = 10 time_to_sync = 20 +@pytest.fixture(scope="session") +def get_api_token(): + global host_manager + return host_manager.get_api_token(test_hosts[0]) + + # Functions def calculate_mg_name(groups_list): @@ -153,7 +160,7 @@ def create_multigroups(): # Tests -def test_multigroups_not_reloaded(clean_environment, agent_healthcheck, create_multigroups): +def test_multigroups_not_reloaded(get_api_token, clean_environment, agent_healthcheck, create_multigroups): """Check that the files are not regenerated when there are no changes. Check and store the modification time of all group and multigroup files. Wait 10 seconds @@ -180,7 +187,7 @@ def test_multigroups_not_reloaded(clean_environment, agent_healthcheck, create_m agent_groups['wazuh-agent1'][1], 'default' ]) -def test_multigroups_updated(clean_environment, agent_healthcheck, create_multigroups, target_group): +def test_multigroups_updated(get_api_token, clean_environment, agent_healthcheck, create_multigroups, target_group): """Check that only the appropriate multi-groups are regenerated when a group file is created. Check and store the modification time of all group and multigroup files. Create a new file inside 
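Review bot: The new `get_api_token` fixture declares `global host_manager` although it only reads the module-level `host_manager`; `global` is needed only for rebinding, so that line can be dropped. The fixture returns the token value, yet the callers in the `@@ -235,19 +242,19 @@` hunk pass it as `token=get_api_token`, which reads as passing a function; naming the fixture after what it yields, e.g. `api_token`, would read naturally at the call sites (`token=api_token`). With `scope="session"` the token is fetched once and reused for the whole run; if the API token has a limited lifetime, a long session may end up using an expired one, so either a comment on the fixture stating that the lifetime covers the suite or a narrower scope would be worth considering.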
@@ -226,7 +233,7 @@ def test_multigroups_updated(clean_environment, agent_healthcheck, create_multig assert mtime == host_files[host][file], f"This file changed its modification time in {host}: {file}" -def test_multigroups_deleted(clean_environment, agent_healthcheck, create_multigroups): +def test_multigroups_deleted(get_api_token, clean_environment, agent_healthcheck, create_multigroups): """Check that multigroups are removed when expected. Unassign an agent from their groups or delete the groups. Check that the associated multigroup disappears @@ -235,19 +242,19 @@ def test_multigroups_deleted(clean_environment, agent_healthcheck, create_multig for agent_name, groups in agent_groups.items(): # Check that multigroups exists for each agent. mg_name = os.path.join(mg_folder_path, calculate_mg_name(groups)) - agent_id = get_agent_id(token=token, agent_name=agent_name) + agent_id = get_agent_id(token=get_api_token, agent_name=agent_name) for group in groups: if group != 'default': if agent_name == 'wazuh-agent1': # Unassign agent. - response = host_manager.make_api_call(host=test_hosts[0], token=token, method='DELETE', + response = host_manager.make_api_call(host=test_hosts[0], token=get_api_token, method='DELETE', endpoint=f"/agents/{agent_id}/group/{group}") assert response['status'] == 200, f"Failed when unassigning {agent_name} agent from " \ f"group {group}: {response}" else: # Delete group. - response = host_manager.make_api_call(host=test_hosts[0], token=token, method='DELETE', + response = host_manager.make_api_call(host=test_hosts[0], token=get_api_token, method='DELETE', endpoint=f"/groups?groups_list={group}") assert response['status'] == 200, f"Failed to delete {group} group: {response}" From 567582fb51750ae5253239a47b2630778643e47c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?V=C3=ADctor=20Rebollo=20P=C3=A9rez?= Date: Tue, 30 Aug 2022 16:44:44 +0100 Subject: [PATCH 484/552] refac(#3165): rename provision file --- .../{provisioning_data.json => environment_test_dictionary.json} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename tests/system/provisioning/{provisioning_data.json => environment_test_dictionary.json} (100%) diff --git a/tests/system/provisioning/provisioning_data.json b/tests/system/provisioning/environment_test_dictionary.json similarity index 100% rename from tests/system/provisioning/provisioning_data.json rename to tests/system/provisioning/environment_test_dictionary.json From dfbf5cf58803f9844a832f673ffdfe259f8115c8 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Tue, 30 Aug 2022 12:57:35 -0300 Subject: [PATCH 485/552] feat(#3203): add a connection checker. --- .../host_checker/tasks/check_connection.yaml | 37 +++++++++++++++++++ .../host_checker/tasks/main.yaml | 9 ++++- .../general_validation.j2 | 4 +- 3 files changed, 47 insertions(+), 3 deletions(-) create mode 100644 tests/end_to_end/data/ansible_roles/host_checker/tasks/check_connection.yaml diff --git a/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_connection.yaml b/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_connection.yaml new file mode 100644 index 0000000000..a27457eb92 --- /dev/null +++ b/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_connection.yaml 
@@ -0,0 +1,37 @@ +# REQUIRED VARIABLES +# ------------------- +# (String) os: Target operating system + +- name: Try connection (Linux) + ping: + when: os == 'linux' + register: ping_result + ignore_unreachable: true + +- name: Check if host is reachable (Linux) + set_fact: + check_result: 'true' + errors: "{{ inventory_hostname }} is unreachable.\n" + when: 'ping_result.unreachable is defined and os == "linux"' + +- name: Try connection (Windows) + win_ping: + when: os == 'windows' + register: ping_result + ignore_unreachable: true + +- name: Check if host is reachable (Windows) + set_fact: + check_result: 'true' + errors: "{{ inventory_hostname }} is unreachable.\n" + when: 'ping_result.unreachable is defined and os == "windows"' + +# Collect the current errors +- set_fact: + phase_results: "{{ errors }}" + cacheable: true + +- name: Verify if any check have failed + fail: + msg: "Some validations failed:\n'{{ errors }}'" + when: (check_result == 'true' or errors != '') diff --git a/tests/end_to_end/data/ansible_roles/host_checker/tasks/main.yaml b/tests/end_to_end/data/ansible_roles/host_checker/tasks/main.yaml index 761337e6ee..286d6c2c76 100644 --- a/tests/end_to_end/data/ansible_roles/host_checker/tasks/main.yaml +++ b/tests/end_to_end/data/ansible_roles/host_checker/tasks/main.yaml @@ -6,6 +6,13 @@ # ---------------------------------------------------------------------------- # -------- Checks ------------------------------------------------------------ +- name: Check connection + import_tasks: check_connection.yaml + +# Once the connection was checked, it's possible to gather all facts from the reachable hosts +- name: Gather facts + setup: + - name: Check Python import_tasks: check_python.yaml 
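Review bot: Both "Check if host is reachable" tasks set `errors: "{{ inventory_hostname }} is unreachable.\n"`, replacing whatever `errors` already holds, whereas the other tasks in this role accumulate with `errors: "{{ errors }}..."` (see `check_controller_indexer.yaml` later in this series); `errors: "{{ errors }}{{ inventory_hostname }} is unreachable.\n"` keeps the pattern consistent even though this file is imported first in `main.yaml`. The closing `fail` task duplicates the one at the end of `main.yaml`, and the reason it must run here is only implied by the comment in `main.yaml`; a comment above it such as `# Stop before 'Gather facts' in main.yaml: setup cannot run on an unreachable host` would make that explicit.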
@@ -29,6 +36,6 @@ - name: Verify if any check have failed fail: - msg: "Some validations were fail:\n'{{ errors }}'" + msg: "Some validations failed:\n'{{ errors }}'" when: (check_result == 'true' or errors != '') # ---------------------------------------------------------------------------- diff --git a/tests/end_to_end/data/validation_templates/general_validation.j2 b/tests/end_to_end/data/validation_templates/general_validation.j2 index 767aa3ba60..5eb1a0f6fc 100644 --- a/tests/end_to_end/data/validation_templates/general_validation.j2 +++ b/tests/end_to_end/data/validation_templates/general_validation.j2 @@ -1,8 +1,8 @@ - name: General validation phase hosts: {{ target_hosts }} - any_errors_fatal: true + gather_facts: false roles: - role: host_checker vars: - os: "{% raw %}{{ 'windows' if ansible_os_family == 'Windows' else 'linux' }}{% endraw %}" + os: "{% raw %}{{ hostvars[inventory_hostname]['os'] }}{% endraw %}" supported_distros: {{ distros }} From d235a4c3a2606a45f69f9edc941155e80ccc64dc Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Tue, 30 Aug 2022 13:24:00 -0300 Subject: [PATCH 486/552] refactor(#3203): change the name of an inventory variable. --- .../end_to_end/data/validation_templates/general_validation.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/data/validation_templates/general_validation.j2 b/tests/end_to_end/data/validation_templates/general_validation.j2 index 5eb1a0f6fc..6ba82593da 100644 --- a/tests/end_to_end/data/validation_templates/general_validation.j2 +++ b/tests/end_to_end/data/validation_templates/general_validation.j2 @@ -4,5 +4,5 @@ roles: - role: host_checker vars: - os: "{% raw %}{{ hostvars[inventory_hostname]['os'] }}{% endraw %}" + os: "{% raw %}{{ hostvars[inventory_hostname]['os_name'] }}{% endraw %}" supported_distros: {{ distros }} From 1d6c21bcd6b2cb1d5e125444b44992034542c0cc Mon Sep 17 00:00:00 2001 
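Review bot: The `general_validation.j2` hunk drops `any_errors_fatal: true` while switching off fact gathering, but the commit message only mentions the connection checker; without it a failing host no longer aborts the play for the remaining hosts, so every host now runs all checks and reports its own errors. If that is the intent (collect errors from every host before `validate_environments` raises), a template comment would save the next reader the archaeology, e.g. `{# any_errors_fatal is intentionally unset so every host finishes its checks and all errors are reported together #}`. `gather_facts: false` is presumably required because the role now runs `setup` itself after the connection check; noting that in the same comment would help.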
From: Mauro Malara Date: Tue, 30 Aug 2022 13:26:56 -0300 Subject: [PATCH 487/552] style(#3203): apply linter corrections. --- .../ansible_roles/host_checker/tasks/check_connection.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_connection.yaml b/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_connection.yaml index a27457eb92..3bb0fea348 100644 --- a/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_connection.yaml +++ b/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_connection.yaml @@ -12,7 +12,7 @@ set_fact: check_result: 'true' errors: "{{ inventory_hostname }} is unreachable.\n" - when: 'ping_result.unreachable is defined and os == "linux"' + when: (ping_result.unreachable is defined and os == "linux") - name: Try connection (Windows) win_ping: @@ -24,7 +24,7 @@ set_fact: check_result: 'true' errors: "{{ inventory_hostname }} is unreachable.\n" - when: 'ping_result.unreachable is defined and os == "windows"' + when: (ping_result.unreachable is defined and os == "windows") # Collect the current errors - set_fact: From e0f3fae4a5d8eefac681c2635fa6737a63fe5c1e Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Tue, 30 Aug 2022 15:11:49 -0300 Subject: [PATCH 488/552] feat(#3203): add a task to check the indexer credentials. --- .../tasks/check_controller_indexer.yaml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_controller_indexer.yaml b/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_controller_indexer.yaml index 7508c51c3f..c5760f2743 100644 --- a/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_controller_indexer.yaml +++ b/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_controller_indexer.yaml 
@@ -20,3 +20,24 @@ check_result: 'true' errors: "{{ errors }}Ansible Controller node cannot connect correctly with Wazuh Indexer.\n" when: (test_result is failed and test_result.stderr is defined and 'refused' in test_result.stderr) + +- name: Test Wazuh Indexer credentials + uri: + url: "https://{{ hostvars[inventory_hostname]['ansible_host'] }}:9200" + user: "{{ hostvars[inventory_hostname]['dashboard_user'] }}" + password: "{{ hostvars[inventory_hostname]['dashboard_password'] }}" + method: GET + status_code: 200 + force_basic_auth: true + return_content: true + validate_certs: false + ignore_errors: true + register: api_response + delegate_to: localhost + when: (os == 'linux' and 'server' in wazuh_info.stdout) + +- name: Check the Wazuh Indexer API response + set_fact: + check_result: 'true' + errors: "{{ errors }}The Wazuh Indexer credentials are invalid, please check the inventory.\n" + when: (api_response is defined and 'Unauthorized' in api_response.content) From c0b4ed54fb64b0916ca7a540f5fce98d34a79fbb Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Tue, 30 Aug 2022 15:14:25 -0300 Subject: [PATCH 489/552] style(#3203): apply linter correction. --- .../host_checker/tasks/check_controller_indexer.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_controller_indexer.yaml b/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_controller_indexer.yaml index c5760f2743..7c0719f9ad 100644 --- a/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_controller_indexer.yaml +++ b/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_controller_indexer.yaml 
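Review bot: The "Check the Wazuh Indexer API response" task decides on `'Unauthorized' in api_response.content`, i.e. on the response body text, while the `uri` module already returns the status code; `when: (api_response.status is defined and api_response.status == 401)` is precise and does not depend on the server's error wording or on `return_content`. `validate_certs: false` means the inventory's `dashboard_user`/`dashboard_password` are sent with basic auth to whatever answers on `ansible_host:9200` without verifying the indexer's identity; acceptable for a disposable test environment, but document it with a comment such as `# Certificate validation is disabled for test environments; do not reuse this task against production indexers`. The same body-text condition is carried into the later revisions of this task in PATCH 490 and PATCH 491, so the status-based check applies there too.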
@@ -23,7 +23,7 @@ - name: Test Wazuh Indexer credentials uri: - url: "https://{{ hostvars[inventory_hostname]['ansible_host'] }}:9200" + url: https://{{ hostvars[inventory_hostname]['ansible_host'] }}:9200 user: "{{ hostvars[inventory_hostname]['dashboard_user'] }}" password: "{{ hostvars[inventory_hostname]['dashboard_password'] }}" method: GET From 87fca60586308a9f2e8d39f51d9c863a074154e4 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Tue, 30 Aug 2022 15:25:04 -0300 Subject: [PATCH 490/552] fix(#3203): fix the credentials check. --- .../host_checker/tasks/check_controller_indexer.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_controller_indexer.yaml b/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_controller_indexer.yaml index 7c0719f9ad..e128724715 100644 --- a/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_controller_indexer.yaml +++ b/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_controller_indexer.yaml @@ -40,4 +40,4 @@ set_fact: check_result: 'true' errors: "{{ errors }}The Wazuh Indexer credentials are invalid, please check the inventory.\n" - when: (api_response is defined and 'Unauthorized' in api_response.content) + when: (os == 'linux' and api_response is defined and 'Unauthorized' in api_response.content) From df829503f21697b39f4645c99efb571794562c06 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Tue, 30 Aug 2022 16:31:59 -0300 Subject: [PATCH 491/552] refactor(#3203): change the way it checks the OS distribution. --- tests/end_to_end/conftest.py | 18 ++++++++----- .../tasks/check_controller_indexer.yaml | 2 +- .../host_checker/tasks/check_os.yaml | 26 ++++++++++++++----- .../tasks/get_installation_type.yaml | 8 +++++- .../general_validation.j2 | 3 ++- 5 files changed, 41 insertions(+), 16 deletions(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 1aa6f9a934..c1f6a21db3 100644 
--- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -16,7 +16,7 @@ suite_path = os.path.dirname(os.path.realpath(__file__)) -def get_target_hosts_and_distros(test_suite_name, target_distros=[], target_hosts=[]): +def get_target_hosts_and_distros(test_suite_name, target_distros={}, target_hosts=[]): environment_file = os.path.join(suite_path, 'data', 'env_requirements.json') environment_metadata = json.load(open(environment_file)) distros_by = {'manager': [], 'agent': []} @@ -25,12 +25,13 @@ def get_target_hosts_and_distros(test_suite_name, target_distros=[], target_host if environment_metadata[test_suite_name][key]['instances'] > 0: # Save manager/agent distros distros_by[key] = environment_metadata[test_suite_name][key]['distros'] - target_distros.extend(environment_metadata[test_suite_name][key]['distros']) + target_distros[key].extend(environment_metadata[test_suite_name][key]['distros']) # Add the target host to the list (following the standard host name: "-*") target_hosts.extend([distro.lower() + f"-{key}" for distro in distros_by[key]]) # Remove duplicates target_hosts = list(dict.fromkeys(target_hosts)) - target_distros = list(dict.fromkeys(target_distros)) + target_distros['manager'] = list(dict.fromkeys(target_distros['manager'])) + target_distros['agent'] = list(dict.fromkeys(target_distros['agent'])) return target_hosts, target_distros @@ -108,7 +109,7 @@ def validate_environments(request): # --------------------------------------- Step 1: Prepare the necessary data --------------------------------------- test_suites_paths = [] target_hosts = [] - target_distros = [] + target_distros = {'manager': [], 'agent': []} # Get the path of the tests from collected items. collected_paths = [item.fspath for item in collected_items] 
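Review bot: The new default `target_distros={}` in `get_target_hosts_and_distros` cannot actually be used: the body indexes `target_distros[key]` for `'manager'` and `'agent'`, so calling without the argument now raises `KeyError` where the old list default worked. It is also a mutable default (as is the pre-existing `target_hosts=[]`), shared across calls. Prefer `target_distros=None` in the signature with `target_distros = {'manager': [], 'agent': []} if target_distros is None else target_distros` as the first statement; the only visible caller, `validate_environments`, passes its own dict, so its behaviour is unchanged. The function's body continues between and beyond the `@@ -16,7 +16,7 @@` and `@@ -25,12 +25,13 @@` hunks.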
@@ -137,7 +138,8 @@ def validate_environments(request): 'template_path': playbook_template, 'dest_path': general_playbook, 'target_hosts': ','.join(target_hosts), - 'distros': target_distros + 'manager_distros': target_distros['manager'], + 'agent_distros': target_distros['agent'], } } ansible_runner.run(**gen_parameters) @@ -187,7 +189,11 @@ def run_specific_validations(request): parameters = { 'playbook': validation_playbook, 'inventory': inventory_path, 'envvars': {'ANSIBLE_ROLES_PATH': roles_path}, - 'extravars': {'target_hosts': ','.join(target_hosts), 'distros': target_distros} + 'extravars': { + 'target_hosts': ','.join(target_hosts), + 'manager_distros': target_distros['manager'], + 'agent_distros': target_distros['agent'], + } } validation_runner = ansible_runner.run(**parameters) diff --git a/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_controller_indexer.yaml b/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_controller_indexer.yaml index e128724715..520959132e 100644 --- a/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_controller_indexer.yaml +++ b/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_controller_indexer.yaml @@ -40,4 +40,4 @@ set_fact: check_result: 'true' errors: "{{ errors }}The Wazuh Indexer credentials are invalid, please check the inventory.\n" - when: (os == 'linux' and api_response is defined and 'Unauthorized' in api_response.content) + when: (os == 'linux' and 'server' in wazuh_info.stdout and 'Unauthorized' in api_response.content) diff --git a/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_os.yaml b/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_os.yaml index 9d559e9cc8..078daced7d 100644 --- a/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_os.yaml +++ b/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_os.yaml 
@@ -1,16 +1,28 @@ # REQUIRED VARIABLES # ------------------- # (String) os: Target operating system -# (String) supported_distros: List of ditros supported by the current test +# (String) manager_distros: List of ditros supported by the current test +# (String) agent_distros: List of ditros supported by the current test -- name: Check OS (Linux) +- name: Get Wazuh installation + include_role: + name: service_controller + tasks_from: get_installation_type + +- name: Check OS Manager (Linux) + set_fact: + check_result: 'true' + errors: "{{ errors }}'{{ ansible_distribution }}' isn't supported for the selected tests currently (Manager).\n" + when: (ansible_distribution not in manager_distros and os == "linux" and 'server' in wazuh_info.stdout) + +- name: Check OS Agent (Linux) set_fact: check_result: 'true' - errors: "{{ errors }}The {{ ansible_distribution }} distro isn't supported for the selected tests currently.\n" - when: (ansible_distribution not in supported_distros and os == "linux") + errors: "{{ errors }}'{{ ansible_distribution }}' isn't supported for the selected tests currently (Agent).\n" + when: (ansible_distribution not in agent_distros and os == "linux" and 'agent' in wazuh_info.stdout) -- name: Check OS (Windows) +- name: Check OS Agent (Windows) set_fact: check_result: 'true' - errors: "{{ errors }}The {{ os }} OS isn't supported for the selected tests currently.\n" - when: (os == "windows" and os|capitalize not in supported_distros) + errors: "{{ errors }}The {{ os }} OS isn't supported for the selected tests currently (Agent).\n" + when: (os == "windows" and os|capitalize not in agent_distros and 'agent' in wazuh_info.stdout) diff --git a/tests/end_to_end/data/ansible_roles/service_controller/tasks/get_installation_type.yaml b/tests/end_to_end/data/ansible_roles/service_controller/tasks/get_installation_type.yaml index 76b7285be7..539b953ddb 100644 --- a/tests/end_to_end/data/ansible_roles/service_controller/tasks/get_installation_type.yaml 
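Review bot: The header comment documents `manager_distros` and `agent_distros` with identical text, carries over the "ditros" typo, and types both as `(String)` although conftest.py passes them as lists, so a reader cannot tell which variable applies to which role. Suggest `# (List) manager_distros: Distros supported by the current test for manager hosts` and `# (List) agent_distros: Distros supported by the current test for agent hosts`. All three checks now gate on `'server' in wazuh_info.stdout` / `'agent' in wazuh_info.stdout`, which makes the `include_role` of `service_controller/get_installation_type` a hard prerequisite; a one-line comment above that task naming the fact it registers (`wazuh_info`) would make the cross-role dependency explicit.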
+++ b/tests/end_to_end/data/ansible_roles/service_controller/tasks/get_installation_type.yaml @@ -2,8 +2,14 @@ # ------------------- # (String) os: Target operating system -- name: Get installation type +- name: Get installation type (Linux) become: true shell: /var/ossec/bin/wazuh-control info register: wazuh_info when: os == 'linux' + +- name: Get installation type (Windows) + set_fact: + wazuh_info: + stdout: 'agent' + when: os == 'windows' diff --git a/tests/end_to_end/data/validation_templates/general_validation.j2 b/tests/end_to_end/data/validation_templates/general_validation.j2 index 6ba82593da..3c3d38e26e 100644 --- a/tests/end_to_end/data/validation_templates/general_validation.j2 +++ b/tests/end_to_end/data/validation_templates/general_validation.j2 @@ -5,4 +5,5 @@ - role: host_checker vars: os: "{% raw %}{{ hostvars[inventory_hostname]['os_name'] }}{% endraw %}" - supported_distros: {{ distros }} + manager_distros: {{ manager_distros }} + agent_distros: {{ agent_distros }} From 0a837fd4183bcec706de17e86739a38d2eab2a46 Mon Sep 17 00:00:00 2001 From: Julia Date: Wed, 31 Aug 2022 12:13:02 +0200 Subject: [PATCH 492/552] refactor(#3199): delete linux skip --- .../test_vulnerability_detector_linux.py | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py index ebce404970..7e1754132e 100644 --- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py +++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py 
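Review bot: The Linux task runs `/var/ossec/bin/wazuh-control info` with no `failed_when` or `ignore_errors`, so on a host where the binary is missing the host checker aborts with a task failure rather than recording a check error, and every consumer of `wazuh_info.stdout` (check_os.yaml, check_controller_indexer.yaml) inherits that. Adding `failed_when: false` keeps `wazuh_info.stdout` defined (empty on failure) so the `'server' in ...` / `'agent' in ...` tests simply evaluate false. The Windows branch hard-codes `stdout: 'agent'`; a comment such as `# Windows hosts are assumed to always be agents in this environment` would record that assumption for the next maintainer.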
@@ -64,7 +64,6 @@ configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) -@pytest.mark.skip(reason="It will be blocked by wazuh/wazuh-jenkins#3897, when it is resolved, we can enable the test") @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) def test_vulnerability_detector_linux(configure_environment, metadata, get_dashboard_credentials, get_manager_ip, From 171743dd08d129976300d92bc21c7b73c358315c Mon Sep 17 00:00:00 2001 From: Luis Gonzalez Date: Wed, 31 Aug 2022 13:12:34 +0200 Subject: [PATCH 493/552] fix: Fix system tests path --- .../environment_test_dictionary.json | 56 +++++++++---------- 1 file changed, 28 insertions(+), 28 deletions(-) diff --git a/tests/system/provisioning/environment_test_dictionary.json b/tests/system/provisioning/environment_test_dictionary.json index e1703ad045..cfe55e5323 100644 --- a/tests/system/provisioning/environment_test_dictionary.json +++ b/tests/system/provisioning/environment_test_dictionary.json 
@@ -1,47 +1,47 @@ { "agentless_cluster": [ - "test_system/test_jwt_invalidation/test_change_rbac_mode.py", - "test_system/test_jwt_invalidation/test_change_security_resources.py", - "test_system/test_jwt_invalidation/test_disconnected_nodes.py", - "test_system/test_jwt_invalidation/test_revoke_endpoint.py", - "test_system/test_jwt_invalidation/test_update_password.py", - "test_system/test_cluster/test_integrity_sync/test_integrity_sync.py" + "system/test_jwt_invalidation/test_change_rbac_mode.py", + "system/test_jwt_invalidation/test_change_security_resources.py", + "system/test_jwt_invalidation/test_disconnected_nodes.py", + "system/test_jwt_invalidation/test_revoke_endpoint.py", + "system/test_jwt_invalidation/test_update_password.py", + "system/test_cluster/test_integrity_sync/test_integrity_sync.py" ], "basic_cluster": [ - "test_system/test_cluster/test_agent_groups/test_agent_groups.py", - "test_system/test_cluster/test_agent_files_deletion/test_agent_files_deletion.py", - "test_system/test_cluster/test_agent_info_sync/test_agent_info_sync.py", - "test_system/test_cluster/test_agent_key_polling/test_agent_key_polling.py", - "test_system/multigroups/test_multigroups.py", - "test_system/cluster/test_agent_groups/test_agent_groups_forced_change.py" + "system/test_cluster/test_agent_groups/test_agent_groups.py", + "system/test_cluster/test_agent_files_deletion/test_agent_files_deletion.py", + "system/test_cluster/test_agent_info_sync/test_agent_info_sync.py", + "system/test_cluster/test_agent_key_polling/test_agent_key_polling.py", + "system/multigroups/test_multigroups.py", + "system/cluster/test_agent_groups/test_agent_groups_forced_change.py" ], "basic_environment": [ - "test_system/test_agent_auth/test_agent_auth.py", - "test_system/test_enrollment/test_enrollment.py" + "system/test_agent_auth/test_agent_auth.py", + "system/test_enrollment/test_enrollment.py" ], "enrollment_cluster": [ - 
"test_system/test_cluster/test_agent_enrollment/test_agent_enrollment.py", - "test_system/test_cluster/test_agent_groups/test_agent_default_group_added.py", - "test_system/test_cluster/test_agent_groups/test_assign_agent_group_with_enrollment.py", - "test_system/test_cluster/test_agent_groups/test_assign_agent_never_connected_to_group.py", - "test_system/test_cluster/test_agent_groups/test_assign_agent_to_a_group_api.py", - "test_system/test_cluster/test_agent_groups/test_assign_agent_to_a_group_by_tool.py", - "test_system/test_cluster/test_agent_groups/test_assign_agent_to_a_group.py", - "test_system/test_cluster/test_agent_groups/test_assign_groups_guess.py" + "system/test_cluster/test_agent_enrollment/test_agent_enrollment.py", + "system/test_cluster/test_agent_groups/test_agent_default_group_added.py", + "system/test_cluster/test_agent_groups/test_assign_agent_group_with_enrollment.py", + "system/test_cluster/test_agent_groups/test_assign_agent_never_connected_to_group.py", + "system/test_cluster/test_agent_groups/test_assign_agent_to_a_group_api.py", + "system/test_cluster/test_agent_groups/test_assign_agent_to_a_group_by_tool.py", + "system/test_cluster/test_agent_groups/test_assign_agent_to_a_group.py", + "system/test_cluster/test_agent_groups/test_assign_groups_guess.py" ], "manager_agent": [ - "test_system/test_active_response_log_format/test_active_response_log_format.py" + "system/test_active_response_log_format/test_active_response_log_format.py" ], "one_manager_agent": [ - "test_system/test_fim/test_files/test_files_cud.py", - "test_system/test_fim/test_synchronization/test_synchronization.py" + "system/test_fim/test_files/test_files_cud.py", + "system/test_fim/test_synchronization/test_synchronization.py" ], "four_manager_disconnected_node": [ - "test_system/test_cluster/test_agent_groups/test_agent_groups_new_cluster_node.py" + "system/test_cluster/test_agent_groups/test_agent_groups_new_cluster_node.py" ], "big_cluster_40_agents": [ - 
"test_system/test_cluster/test_agent_groups/test_groups_sync_default.py", - "test_system/test_cluster/test_agent_groups/test_groups_sync_time.py" + "system/test_cluster/test_agent_groups/test_groups_sync_default.py", + "system/test_cluster/test_agent_groups/test_groups_sync_time.py" ], "end_to_end_environment": [ "end_to_end/test_basic_cases/test_audit/test_audit.py", From 256a526b9899f9bdb1165060d041a8bc8dd82bbb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Rebollo=20P=C3=A9rez?= Date: Wed, 31 Aug 2022 12:37:34 +0100 Subject: [PATCH 494/552] fix(#3165): adapt brute force test Change hydra host to centos-manager --- .../test_brute_force_rdp/data/playbooks/configuration.yaml | 5 ++--- .../test_brute_force_rdp/data/playbooks/generate_events.yaml | 2 +- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml index c37d81d4d0..362811de77 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml @@ -1,10 +1,9 @@ - name: Configure local environment - hosts: localhost + hosts: centos-manager become: true tasks: - # Install hydra to attempt the RDP brute force attack - name: Install hydra - package: + ansible.builtin.yum: name: hydra state: present diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml index 82a75026c3..05c7e76536 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml 
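Review bot: Two of the rewritten paths do not follow the `system/test_<module>/...` layout used by every other entry: `system/multigroups/test_multigroups.py` and `system/cluster/test_agent_groups/test_agent_groups_forced_change.py` under `basic_cluster`. The second sits next to `system/test_cluster/test_agent_groups/...` entries for what looks like the same directory, so it reads as a pre-existing typo that this path fix carried over; worth confirming against the tree and, if so, changing it to `system/test_cluster/test_agent_groups/test_agent_groups_forced_change.py`.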
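Review bot: Replacing the generic `package` module with `ansible.builtin.yum` and hard-coding `hosts: centos-manager` in configuration.yaml ties this playbook to one specific manager host and package manager, whereas the rest of this series parameterises the manager distro via `manager_distros`; if the manager is ever not CentOS the play targets a missing host or the wrong installer. Keeping `package:` and targeting the `managers` group, as the vulnerability-detector `generate_events.yaml` does, would preserve that flexibility. The removed comment `# Install hydra to attempt the RDP brute force attack` explained why this tool is installed on the manager; keep it on the task.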
+++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml @@ -7,7 +7,7 @@ become: true - name: Generate events - hosts: localhost + hosts: centos-manager tasks: - name: Attempt a RDP brute force attack From 3b79e4827b30336321c5dd848d9b58812c8b4dee Mon Sep 17 00:00:00 2001 From: Belen Valdivia Date: Wed, 31 Aug 2022 08:40:31 -0300 Subject: [PATCH 495/552] feat(#3104): add markers linux, windows --- tests/end_to_end/test_basic_cases/test_audit/test_audit.py | 4 ++++ .../test_aws_infrastructure_monitoring.py | 4 ++++ .../test_brute_force_rdp/test_brute_force_rdp.py | 4 ++++ .../test_brute_force_ssh/test_brute_force_ssh.py | 4 ++++ .../test_detecting_suspicious_binaries.py | 4 ++++ .../test_docker_monitoring/test_docker_monitoring.py | 4 ++++ tests/end_to_end/test_basic_cases/test_emotet/test_emotet.py | 4 ++++ .../test_fim/test_fim_linux/test_fim_linux.py | 5 +++++ .../test_fim/test_fim_windows/test_fim_windows.py | 5 +++++ .../test_ip_reputation/test_ip_reputation.py | 4 ++++ .../test_osquery_integration/test_osquery_integration.py | 4 ++++ .../test_shellshock_attack_detection.py | 4 ++++ .../test_slack_integration/test_slack_integration.py | 5 +++++ .../test_sql_injection/test_sql_injection.py | 4 ++++ .../test_suricata_integration/test_suricata_integration.py | 4 ++++ .../test_unauthorized_processes_detection.py | 5 +++++ .../test_virustotal_integration.py | 4 ++++ .../test_vulnerability_detector_linux.py | 5 +++++ .../test_vulnerability_detection_windows.py | 5 +++++ .../test_windows_defender/test_windows_defender.py | 4 ++++ .../test_yara_integration/test_yara_integration.py | 5 +++++ 21 files changed, 91 insertions(+) diff --git a/tests/end_to_end/test_basic_cases/test_audit/test_audit.py b/tests/end_to_end/test_basic_cases/test_audit/test_audit.py index 9344f2f41e..c9a4a2e747 100644 --- a/tests/end_to_end/test_basic_cases/test_audit/test_audit.py 
+++ b/tests/end_to_end/test_basic_cases/test_audit/test_audit.py @@ -46,6 +46,7 @@ from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config +from wazuh_testing.modules import TIER0, LINUX alerts_json = os.path.join(gettempdir(), 'alerts.json') @@ -57,6 +58,9 @@ configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) +# Marks +pytestmark = [TIER0, LINUX] + @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) diff --git a/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py b/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py index 2c750b876c..7210ac8726 100644 --- a/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py +++ b/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py @@ -46,6 +46,7 @@ from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config +from wazuh_testing.modules import TIER0, LINUX # Test cases data test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') @@ -70,6 +71,9 @@ bucket_name = metadata[0]['extra_vars']['bucket'] configuration_extra_vars.update({'AWS_API_SCRIPT': aws_api_script, 'bucket': bucket_name}) +# Marks +pytestmark = [TIER0, LINUX] + @pytest.mark.parametrize('metadata', metadata, ids=cases_ids) @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') 
diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py index ae627ccd8a..f95ad18455 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py @@ -47,6 +47,7 @@ from wazuh_testing.tools import configuration as config from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm +from wazuh_testing.modules import TIER0, WINDOWS # Test cases data alerts_json = os.path.join(gettempdir(), 'alerts.json') @@ -61,6 +62,9 @@ # Configuration configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) +# Marks +pytestmark = [TIER0, WINDOWS] + @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py index 1c93269d78..d29a0b951b 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py @@ -45,6 +45,7 @@ from wazuh_testing.tools import configuration as config from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm +from wazuh_testing.modules import TIER0, LINUX # Test cases data alerts_json = os.path.join(gettempdir(), 'alerts.json') 
@@ -58,6 +59,9 @@ # Configuration configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) +# Marks +pytestmark = [TIER0, LINUX] + @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) diff --git a/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py b/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py index e8fedddcb8..46eee732b3 100644 --- a/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py +++ b/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py @@ -47,6 +47,7 @@ from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config +from wazuh_testing.modules import TIER0, LINUX # Test cases data test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') @@ -64,6 +65,9 @@ # Configuration configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) +# Marks +pytestmark = [TIER0, LINUX] + @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') diff --git a/tests/end_to_end/test_basic_cases/test_docker_monitoring/test_docker_monitoring.py b/tests/end_to_end/test_basic_cases/test_docker_monitoring/test_docker_monitoring.py index 4514c71608..b3f8ca4029 100644 --- a/tests/end_to_end/test_basic_cases/test_docker_monitoring/test_docker_monitoring.py +++ b/tests/end_to_end/test_basic_cases/test_docker_monitoring/test_docker_monitoring.py 
@@ -45,6 +45,7 @@ from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config +from wazuh_testing.modules import TIER0, LINUX # Test cases data test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') @@ -60,6 +61,9 @@ # Configuration configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) +# Marks +pytestmark = [TIER0, LINUX] + @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') diff --git a/tests/end_to_end/test_basic_cases/test_emotet/test_emotet.py b/tests/end_to_end/test_basic_cases/test_emotet/test_emotet.py index 53efeb5967..1ee37d2c66 100644 --- a/tests/end_to_end/test_basic_cases/test_emotet/test_emotet.py +++ b/tests/end_to_end/test_basic_cases/test_emotet/test_emotet.py @@ -47,6 +47,7 @@ from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config +from wazuh_testing.modules import TIER0, WINDOWS alerts_json = os.path.join(gettempdir(), 'alerts.json') @@ -59,6 +60,9 @@ # Configuration configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) +# Marks +pytestmark = [TIER0, WINDOWS] + @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) diff --git a/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/test_fim_linux.py b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/test_fim_linux.py index 2c1eab628e..5ef962e701 100644 --- a/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/test_fim_linux.py +++ b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/test_fim_linux.py 
@@ -47,6 +47,8 @@ from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config +from wazuh_testing.modules import TIER0, LINUX + alerts_json = os.path.join(gettempdir(), 'alerts.json') test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') @@ -57,6 +59,9 @@ configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) +# Marks +pytestmark = [TIER0, LINUX] + @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) diff --git a/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/test_fim_windows.py b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/test_fim_windows.py index 127e103a25..8ff5522186 100644 --- a/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/test_fim_windows.py +++ b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/test_fim_windows.py @@ -49,6 +49,8 @@ from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config +from wazuh_testing.modules import TIER0, WINDOWS + alerts_json = os.path.join(gettempdir(), 'alerts.json') test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') @@ -59,6 +61,9 @@ configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) +# Marks +pytestmark = [TIER0, WINDOWS] + @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) diff --git a/tests/end_to_end/test_basic_cases/test_ip_reputation/test_ip_reputation.py b/tests/end_to_end/test_basic_cases/test_ip_reputation/test_ip_reputation.py index fced37c566..f427136b2a 100644 
--- a/tests/end_to_end/test_basic_cases/test_ip_reputation/test_ip_reputation.py +++ b/tests/end_to_end/test_basic_cases/test_ip_reputation/test_ip_reputation.py @@ -48,6 +48,7 @@ from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config +from wazuh_testing.modules import TIER0, LINUX, WINDOWS alerts_json = os.path.join(gettempdir(), 'alerts.json') @@ -59,6 +60,9 @@ configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) +# Marks +pytestmark = [TIER0, LINUX, WINDOWS] + @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) diff --git a/tests/end_to_end/test_basic_cases/test_osquery_integration/test_osquery_integration.py b/tests/end_to_end/test_basic_cases/test_osquery_integration/test_osquery_integration.py index 68a3e62cbb..415019e411 100644 --- a/tests/end_to_end/test_basic_cases/test_osquery_integration/test_osquery_integration.py +++ b/tests/end_to_end/test_basic_cases/test_osquery_integration/test_osquery_integration.py @@ -46,6 +46,7 @@ from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config +from wazuh_testing.modules import TIER0, LINUX test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') @@ -59,6 +60,9 @@ configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) +# Marks +pytestmark = [TIER0, LINUX] + @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) 
diff --git a/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/test_shellshock_attack_detection.py b/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/test_shellshock_attack_detection.py index 8b1ef6d451..441cb8f5ea 100644 --- a/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/test_shellshock_attack_detection.py +++ b/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/test_shellshock_attack_detection.py @@ -47,6 +47,7 @@ from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config +from wazuh_testing.modules import TIER0, LINUX test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') @@ -58,6 +59,9 @@ configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) +# Marks +pytestmark = [TIER0, LINUX] + @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) diff --git a/tests/end_to_end/test_basic_cases/test_slack_integration/test_slack_integration.py b/tests/end_to_end/test_basic_cases/test_slack_integration/test_slack_integration.py index a406685881..8cbcc52d5f 100644 --- a/tests/end_to_end/test_basic_cases/test_slack_integration/test_slack_integration.py +++ b/tests/end_to_end/test_basic_cases/test_slack_integration/test_slack_integration.py @@ -47,6 +47,8 @@ from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config +from wazuh_testing.modules import TIER0, LINUX + # Test cases data test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') 
@@ -70,6 +72,9 @@ metadata = config.update_configuration_template(metadata, ['CUSTOM_SLACK_SCRIPT_PATH'], [slack_api_script]) configuration_extra_vars = configuration[0] +# Marks +pytestmark = [TIER0, LINUX] + @pytest.fixture(scope='function') def remove_slack_log(): diff --git a/tests/end_to_end/test_basic_cases/test_sql_injection/test_sql_injection.py b/tests/end_to_end/test_basic_cases/test_sql_injection/test_sql_injection.py index 0118e4d778..81341a64c3 100644 --- a/tests/end_to_end/test_basic_cases/test_sql_injection/test_sql_injection.py +++ b/tests/end_to_end/test_basic_cases/test_sql_injection/test_sql_injection.py @@ -45,6 +45,7 @@ from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config +from wazuh_testing.modules import TIER0, LINUX alerts_json = os.path.join(gettempdir(), 'alerts.json') @@ -56,6 +57,9 @@ configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) +# Marks +pytestmark = [TIER0, LINUX] + @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) diff --git a/tests/end_to_end/test_basic_cases/test_suricata_integration/test_suricata_integration.py b/tests/end_to_end/test_basic_cases/test_suricata_integration/test_suricata_integration.py index f71937725c..1a4e37bf5e 100644 --- a/tests/end_to_end/test_basic_cases/test_suricata_integration/test_suricata_integration.py +++ b/tests/end_to_end/test_basic_cases/test_suricata_integration/test_suricata_integration.py @@ -50,6 +50,7 @@ from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config +from wazuh_testing.modules import TIER0, LINUX alerts_json = os.path.join(gettempdir(), 'alerts.json') 
@@ -61,6 +62,9 @@ configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) +# Marks +pytestmark = [TIER0, LINUX] + @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) diff --git a/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/test_unauthorized_processes_detection.py b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/test_unauthorized_processes_detection.py index 78c933749e..c073cf71bb 100644 --- a/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/test_unauthorized_processes_detection.py +++ b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/test_unauthorized_processes_detection.py @@ -45,6 +45,8 @@ from wazuh_testing.tools import configuration as config from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm +from wazuh_testing.modules import TIER0, LINUX + # Test cases data alerts_json = os.path.join(gettempdir(), 'alerts.json') @@ -59,6 +61,9 @@ # Configuration configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) +# Marks +pytestmark = [TIER0, LINUX] + @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) diff --git a/tests/end_to_end/test_basic_cases/test_virustotal_integration/test_virustotal_integration.py b/tests/end_to_end/test_basic_cases/test_virustotal_integration/test_virustotal_integration.py index 2f8bd0ecb7..345a68c8d0 100644 --- a/tests/end_to_end/test_basic_cases/test_virustotal_integration/test_virustotal_integration.py +++ b/tests/end_to_end/test_basic_cases/test_virustotal_integration/test_virustotal_integration.py 
@@ -52,6 +52,7 @@ from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config +from wazuh_testing.modules import TIER0, LINUX alerts_json = os.path.join(gettempdir(), 'alerts.json') @@ -65,6 +66,9 @@ configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) +# Marks +pytestmark = [TIER0, LINUX] + @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py index 7e1754132e..20b6fdf27f 100644 --- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py +++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py @@ -49,6 +49,8 @@ from wazuh_testing.tools import configuration as config from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm +from wazuh_testing.modules import TIER0, LINUX + # Test cases data alerts_json = os.path.join(gettempdir(), 'alerts.json') @@ -63,6 +65,9 @@ # Configuration configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) +# Marks +pytestmark = [TIER0, LINUX] + @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) 
diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py index 4967e06a36..06d04de326 100644 --- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py +++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py @@ -50,6 +50,8 @@ from wazuh_testing.tools import configuration as config from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm +from wazuh_testing.modules import TIER0, WINDOWS + # Test cases data alerts_json = os.path.join(gettempdir(), 'alerts.json') @@ -64,6 +66,9 @@ # Configuration configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) +# Marks +pytestmark = [TIER0, WINDOWS] + @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) diff --git a/tests/end_to_end/test_basic_cases/test_windows_defender/test_windows_defender.py b/tests/end_to_end/test_basic_cases/test_windows_defender/test_windows_defender.py index 14163f322a..ccf58bf984 100644 --- a/tests/end_to_end/test_basic_cases/test_windows_defender/test_windows_defender.py +++ b/tests/end_to_end/test_basic_cases/test_windows_defender/test_windows_defender.py @@ -44,6 +44,7 @@ from wazuh_testing.tools import configuration as config from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm +from wazuh_testing.modules import TIER0, WINDOWS # Test cases data alerts_json = os.path.join(gettempdir(), 'alerts.json') 
@@ -58,6 +59,9 @@ # Configuration configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path) +# Marks +pytestmark = [TIER0, WINDOWS] + @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) diff --git a/tests/end_to_end/test_basic_cases/test_yara_integration/test_yara_integration.py b/tests/end_to_end/test_basic_cases/test_yara_integration/test_yara_integration.py index 0fb404e882..bb2a873d1b 100644 --- a/tests/end_to_end/test_basic_cases/test_yara_integration/test_yara_integration.py +++ b/tests/end_to_end/test_basic_cases/test_yara_integration/test_yara_integration.py @@ -47,6 +47,8 @@ from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm from wazuh_testing.tools import configuration as config +from wazuh_testing.modules import TIER0, LINUX + # Test cases data test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') @@ -66,6 +68,9 @@ yara_script = os.path.join(test_data_path, 'configuration', 'yara.sh') configuration_extra_vars = {'yara_script': yara_script} +# Marks +pytestmark = [TIER0, LINUX] + @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') From 804c256509add4a8e6fb196615823ed9f55c55b1 Mon Sep 17 00:00:00 2001 From: Julia Date: Wed, 31 Aug 2022 14:35:32 +0200 Subject: [PATCH 496/552] fix(#3219): change supported os to Jammy --- .../data/playbooks/configuration.yaml | 2 +- .../data/playbooks/generate_events.yaml | 7 +++++++ .../data/playbooks/teardown.yaml | 4 ++-- .../cases_vulnerability_detector_linux.yaml | 12 ++++++++---- .../test_vulnerability_detector_linux.py | 2 +- 5 files changed, 19 insertions(+), 8 deletions(-) 
diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/configuration.yaml index 546b496318..bf020fa1b7 100644 --- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/configuration.yaml @@ -46,7 +46,7 @@ yes - focal + jammy 1h diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml index 3f54683ead..b157a96524 100644 --- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml @@ -19,9 +19,16 @@ hosts: managers tasks: + - name: Truncate ossec.log + shell: echo "" > /var/ossec/logs/ossec.log + become: true + - name: Waiting for vulnerability scan, alert reporting and indexing wait_for: + path: /var/ossec/logs/ossec.log + search_regex: Vulnerability scan finished. timeout: 60 + become: true - name: Get alert json include_role: diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/teardown.yaml index 0733d45128..93168f51c1 100644 
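Review bot: The new `Truncate ossec.log` task wipes the manager's entire log with `shell: echo "" > /var/ossec/logs/ossec.log` before the wait, which discards any earlier evidence on a shared test manager and needs a shell for no reason; `command: truncate -s 0 /var/ossec/logs/ossec.log` does the same in place (keeping inode, owner and mode), ideally after a `fetch` of the old log if it is ever needed for debugging. The `search_regex: Vulnerability scan finished.` value is a Python regex, so the trailing dot matches any character; escape it as `Vulnerability scan finished\.` so a later `Vulnerability scan finished: ...` style message does not satisfy the wait by accident. Note also that truncate-then-wait only works if the scan started by the configuration play has not already completed before truncation; if it has, the 60 s `wait_for` times out even though the scan succeeded, and nothing in this hunk guards that ordering.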
--- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/teardown.yaml @@ -2,9 +2,9 @@ hosts: ubuntu-agent tasks: - - name: Uninstall vim vulnerable package + - name: Uninstall postgresql vulnerable package become: true - command: apt-get remove vim -y + command: apt-get remove -y postgresql postgresql-* - name: Delete agent configuration become: true diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/test_cases/cases_vulnerability_detector_linux.yaml b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/test_cases/cases_vulnerability_detector_linux.yaml index b0130dfdeb..e9e72e991f 100644 --- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/test_cases/cases_vulnerability_detector_linux.yaml +++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/test_cases/cases_vulnerability_detector_linux.yaml @@ -1,10 +1,14 @@ - name: detect_vulnerability_ubuntu - description: Detect vim vulnerability + description: Detect postgresql vulnerability configuration_parameters: null metadata: extra_vars: - event_description: Install vulnerable vim package - command: apt install -y vim=2:8.1.2269-1ubuntu5.7 + event_description: Install vulnerable postgresql package + command: > + apt update && + curl {{ s3_url }}/vulnerability_detector/postgresql_vulnerable_package.deb + -o /tmp/postgresql_vulnerable_package.deb && + apt install -y /tmp/postgresql_vulnerable_package.deb rule.id: 23505 rule.level: 10 - rule.description: CVE-2022-1621 affects vim + rule.description: CVE-2022-2625 affects postgresql 
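Review bot: `apt-get remove -y postgresql postgresql-*` removes binaries only and leaves both the package configuration and the downloaded `/tmp/postgresql_vulnerable_package.deb` on the agent, so the next run starts from a dirty host; with the `command` module there is no shell, so `postgresql-*` reaches apt-get literally and (as far as I recall) is treated as an unanchored POSIX regex, which may match more package names than intended. Suggest `command: apt-get purge -y postgresql postgresql-*` plus a `file: {path: /tmp/postgresql_vulnerable_package.deb, state: absent}` task, with `ignore_errors: true` on the purge so teardown still completes when the install step failed and there is nothing to remove.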
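Review bot: The new install command fetches a `.deb` over the network with `curl {{ s3_url }}/...` and installs it as root with no integrity check and no `--fail`, so a 4xx/5xx HTML body would be written to `/tmp/postgresql_vulnerable_package.deb` and handed to `apt install`, and a substituted artifact at that URL would be installed without notice. Pin the expected digest in the case metadata and verify it before installing, e.g. `curl -fsSL "{{ s3_url }}/vulnerability_detector/postgresql_vulnerable_package.deb" -o /tmp/postgresql_vulnerable_package.deb && echo "{{ expected_sha256 }}  /tmp/postgresql_vulnerable_package.deb" | sha256sum -c - && apt install -y /tmp/postgresql_vulnerable_package.deb`. This is an e2e fixture, but it still leaves a deliberately vulnerable postgresql (CVE-2022-2625 per the expected alert) running on the agent until teardown, which is worth stating in the case `description`.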
diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py index 7e1754132e..29f1db1b57 100644 --- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py +++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py @@ -30,7 +30,7 @@ os_version: - CentOS 8 - - Ubuntu Focal + - Ubuntu Jammy references: - https://github.com/wazuh/wazuh-automation/wiki/Wazuh-demo:-Execution-guide#vulnerability_detector From 864e4e859e322555a9eb092259f53755f1087a4c Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Wed, 31 Aug 2022 09:47:02 -0300 Subject: [PATCH 497/552] feat(#3203): add a validation to check Windows agent status. --- tests/end_to_end/conftest.py | 10 +++------- .../tasks/check_wazuh_components.yaml | 16 ++++++++++++++-- 2 files changed, 17 insertions(+), 9 deletions(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index c1f6a21db3..7f9bde64c1 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py 
@@ -16,18 +16,16 @@ suite_path = os.path.dirname(os.path.realpath(__file__)) -def get_target_hosts_and_distros(test_suite_name, target_distros={}, target_hosts=[]): +def get_target_hosts_and_distros(test_suite_name, target_distros={'manager': [], 'agent': []}, target_hosts=[]): environment_file = os.path.join(suite_path, 'data', 'env_requirements.json') environment_metadata = json.load(open(environment_file)) - distros_by = {'manager': [], 'agent': []} for key in environment_metadata[test_suite_name]: if environment_metadata[test_suite_name][key]['instances'] > 0: # Save manager/agent distros - distros_by[key] = environment_metadata[test_suite_name][key]['distros'] target_distros[key].extend(environment_metadata[test_suite_name][key]['distros']) # Add the target host to the list (following the standard host name: "-*") - target_hosts.extend([distro.lower() + f"-{key}" for distro in distros_by[key]]) + target_hosts.extend([distro.lower() + f"-{key}" for distro in target_distros[key]]) # Remove duplicates target_hosts = list(dict.fromkeys(target_hosts)) target_distros['manager'] = list(dict.fromkeys(target_distros['manager'])) @@ -108,9 +106,7 @@ def validate_environments(request): # --------------------------------------- Step 1: Prepare the necessary data --------------------------------------- test_suites_paths = [] - target_hosts = [] - target_distros = {'manager': [], 'agent': []} - + target_hosts, target_distros = [], {'manager': [], 'agent': []} # Get the path of the tests from collected items. collected_paths = [item.fspath for item in collected_items] # Remove duplicates caused by the existence of 2 or more test cases diff --git a/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_wazuh_components.yaml b/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_wazuh_components.yaml index b62a8e81cb..1cde4e009f 100644 --- a/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_wazuh_components.yaml 
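Review bot: The new signature `target_distros={'manager': [], 'agent': []}, target_hosts=[]` makes both defaults mutable objects that the body then mutates with `.extend(...)` and `target_distros['manager'] = ...`, so any caller that omits the arguments accumulates hosts and distros from every previous call in the same pytest session. Use `None` sentinels: `def get_target_hosts_and_distros(test_suite_name, target_distros=None, target_hosts=None):` followed by `target_distros = {'manager': [], 'agent': []} if target_distros is None else target_distros` and `target_hosts = [] if target_hosts is None else target_hosts`. The `validate_environments` hunk shows the caller passing fresh containers, so this is behaviour-preserving for it; the function's return statement lies outside the hunk, so whether callers rely on in-place mutation of the passed lists cannot be confirmed here.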
+++ b/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_wazuh_components.yaml @@ -11,7 +11,7 @@ service_facts: when: os == 'linux' -- name: Check the status of Wazuh components (Manager) +- name: Check the status of Wazuh components (Manager - Linux) set_fact: check_result: 'true' errors: "{{ errors }}{{ ansible_facts.services[item].name }} is not running.\n" @@ -25,8 +25,20 @@ service: wazuh-agent.service when: (os == 'linux' and 'agent' in wazuh_info.stdout) -- name: Check the status of Wazuh Agent +- name: Check the status of Wazuh Agent (Linux) set_fact: check_result: 'true' errors: "{{ errors }}{{ ansible_facts.services[service].name }} is not running.\n" when: (os == 'linux' and 'agent' in wazuh_info.stdout and ansible_facts.services[service].state != 'running') + +- name: Get the status of Wazuh Agent (Windows) + ansible.windows.win_powershell: + script: Get-Service "WazuhSvc" | select Status + register: script_result + when: os == 'windows' + +- name: Check the status of Wazuh Agent (Windows) + set_fact: + check_result: 'true' + errors: "{{ errors }}WazuhSvc is not running (Windows).\n" + when: (os == 'windows' and 'agent' in wazuh_info.stdout and 'Running' != script_result.output[0].Status.String) From 7fbc61660c84b4fb7a434ef38b500e56805816e0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Rebollo=20P=C3=A9rez?= Date: Wed, 31 Aug 2022 12:50:37 +0100 Subject: [PATCH 498/552] fix(#): replace hydra host with ubuntu-agent --- .../data/playbooks/configuration.yaml | 8 ++++++-- .../data/playbooks/generate_events.yaml | 2 +- .../test_fim_windows/data/playbooks/configuration.yaml | 2 +- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml index 362811de77..fb0aaea30b 100644 
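Review bot: `Get-Service "WazuhSvc" | select Status` throws when the service is not installed, so on a Windows host that is missing the agent the `Get the status` task fails the whole play instead of appending to `errors` like the Linux branches do, and when it returns nothing `script_result.output[0]` in the following `when` raises an undefined-index error. Make the probe non-fatal and treat an empty result as not running: `script: Get-Service "WazuhSvc" -ErrorAction SilentlyContinue | select Status` and `when: (os == 'windows' and 'agent' in wazuh_info.stdout and ((script_result.output | default([]) | length) == 0 or 'Running' != script_result.output[0].Status.String))`. The `'agent' in wazuh_info.stdout` guard is applied only to the check task and not to the probe; mirroring it on both would match the Linux tasks above.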
--- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml @@ -1,9 +1,13 @@ - name: Configure local environment - hosts: centos-manager + hosts: ubuntu-agent become: true tasks: + - name: Update packages list + ansible.builtin.apt: + update_cache: yes + # Install hydra to attempt the RDP brute force attack - name: Install hydra - ansible.builtin.yum: + ansible.builtin.apt: name: hydra state: present diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml index 05c7e76536..3b84d7bd54 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml @@ -7,7 +7,7 @@ become: true - name: Generate events - hosts: centos-manager + hosts: ubuntu-agent tasks: - name: Attempt a RDP brute force attack diff --git a/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/configuration.yaml index 7506050f29..0282ac04c8 100644 --- a/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/configuration.yaml @@ -12,7 +12,7 @@ path: C:\Program Files (x86)\ossec-agent\ossec.conf insertafter: line: | - C:\\Test\\test_demo_fim + C:\Test\test_demo_fim - name: Truncate ossec.log win_file: From a6e29c73f66c5839f58bbe31465c1ef213ec9126 Mon Sep 17 00:00:00 2001 
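Review bot: Installing hydra on `ubuntu-agent` puts an attack tool on a host that is itself a monitored Wazuh agent, and nothing in this hunk removes it afterwards; if `teardown.yaml` (not shown) does not uninstall it, the package persists across runs and the new binaries may themselves raise FIM or rootcheck alerts into the same `alerts.json` the test reads. Add the matching `ansible.builtin.apt: {name: hydra, state: absent, autoremove: yes}` to the teardown, and consider `cache_valid_time: 3600` on the `update_cache: yes` task so repeated runs do not refresh the index every time.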
From: =?UTF-8?q?V=C3=ADctor=20Rebollo=20P=C3=A9rez?= Date: Wed, 31 Aug 2022 14:39:12 +0100 Subject: [PATCH 499/552] fix(#3165): replace dashboard cred --- .../environments/end_to_end_environment.yaml | 2 +- tests/end_to_end/README.md | 8 ++++++-- tests/end_to_end/conftest.py | 18 +++++++++--------- .../test_basic_cases/test_audit/test_audit.py | 8 ++++---- .../test_aws_infrastructure_monitoring.py | 8 ++++---- .../test_brute_force_rdp.py | 8 ++++---- .../test_brute_force_ssh.py | 8 ++++---- .../test_detecting_suspicious_binaries.py | 8 ++++---- .../test_docker_monitoring.py | 8 ++++---- .../test_emotet/test_emotet.py | 8 ++++---- .../test_fim/test_fim_linux/test_fim_linux.py | 8 ++++---- .../test_fim_windows/test_fim_windows.py | 8 ++++---- .../test_ip_reputation/test_ip_reputation.py | 8 ++++---- .../test_osquery_integration.py | 8 ++++---- .../test_shellshock_attack_detection.py | 8 ++++---- .../test_slack_integration.py | 8 ++++---- .../test_sql_injection/test_sql_injection.py | 8 ++++---- .../test_suricata_integration.py | 8 ++++---- .../test_unauthorized_processes_detection.py | 8 ++++---- .../test_virustotal_integration.py | 8 ++++---- .../test_vulnerability_detector_linux.py | 8 ++++---- .../test_vulnerability_detection_windows.py | 8 ++++---- .../test_windows_defender.py | 8 ++++---- .../test_yara_integration.py | 8 ++++---- 24 files changed, 100 insertions(+), 96 deletions(-) diff --git a/provisioning/environments/end_to_end_environment.yaml b/provisioning/environments/end_to_end_environment.yaml index e7b1ac329e..7a923e58a8 100644 --- a/provisioning/environments/end_to_end_environment.yaml +++ b/provisioning/environments/end_to_end_environment.yaml @@ -1,6 +1,6 @@ centos-manager: os: centos - roles: [aio] + roles: [manager, indexer, filebeat] ubuntu-agent: os: ubuntu diff --git a/tests/end_to_end/README.md b/tests/end_to_end/README.md index 8d12f3be17..caea9a612d 100644 --- a/tests/end_to_end/README.md +++ b/tests/end_to_end/README.md 
@@ -31,8 +31,12 @@ manager: ansible_user: ansible_ssh_private_key_file: ansible_python_interpreter: /usr/bin/python3 - dashboard_user: - dashboard_password: + +indexer: + hosts: + indexer-node-1: + indexer_user: + indexer_password: agent: children: diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 661bf1b3f0..943604d3cc 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -145,7 +145,7 @@ def run_specific_validations(request): @pytest.fixture(scope='function') -def clean_alerts_index(get_dashboard_credentials, get_manager_ip): +def clean_alerts_index(get_indexer_credentials, get_manager_ip): """Remove the temporary file that contains the alerts and delete indices using the API. Args: @@ -153,15 +153,15 @@ def clean_alerts_index(get_dashboard_credentials, get_manager_ip): """ yield remove_file(alerts_json) - e2e.delete_index_api(credentials=get_dashboard_credentials, ip_address=get_manager_ip) + e2e.delete_index_api(credentials=get_indexer_credentials, ip_address=get_manager_ip) @pytest.fixture(scope='module') -def get_dashboard_credentials(request): - """Get wazuh-dashboard username and password. +def get_indexer_credentials(request): + """Get wazuh-indexer username and password. Returns: - dict: wazuh-dashboard credentials. + dict: wazuh-indexer credentials. """ inventory_playbook = request.config.getoption('--inventory-path') 
@@ -171,13 +171,13 @@ def get_dashboard_credentials(request): inventories = [inventory_playbook] inventory_data = ansible_runner.get_inventory(action='host', inventories=inventories, response_format='json', - host='dashboard') + host='indexer') # inventory_data is a tuple, with the second value empty, so we must access inventory[0] - dashboard_credentials = {'user': inventory_data[0]['dashboard_user'], - 'password': inventory_data[0]['dashboard_password']} + indexer_credentials = {'user': inventory_data[0]['indexer_user'], + 'password': inventory_data[0]['indexer_password']} - yield dashboard_credentials + yield indexer_credentials @pytest.fixture(scope='module') diff --git a/tests/end_to_end/test_basic_cases/test_audit/test_audit.py b/tests/end_to_end/test_basic_cases/test_audit/test_audit.py index 9344f2f41e..ef812fe720 100644 --- a/tests/end_to_end/test_basic_cases/test_audit/test_audit.py +++ b/tests/end_to_end/test_basic_cases/test_audit/test_audit.py @@ -60,7 +60,7 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_audit(configure_environment, metadata, get_dashboard_credentials, get_manager_ip, generate_events, +def test_audit(configure_environment, metadata, get_indexer_credentials, get_manager_ip, generate_events, clean_alerts_index): ''' description: Check that an alert is generated and indexed when a command is executed. @@ -82,9 +82,9 @@ def test_audit(configure_environment, metadata, get_dashboard_credentials, get_m - metadata: type: dict brief: Wazuh configuration metadata. - - get_dashboard_credentials: + - get_indexer_credentials: type: fixture - brief: Get the wazuh dashboard credentials. + brief: Get the wazuh indexer credentials. - generate_events: type: fixture brief: Generate events that will trigger the alert according to the generate_events playbook. 
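Review bot: `ansible_runner.get_inventory(action='host', ..., host='indexer')` asks for a *host* named `indexer`, but the README hunk in this same commit documents `indexer_user`/`indexer_password` as host vars of `indexer-node-1` inside the `indexer` group, so `ansible-inventory --host indexer` would not match and `inventory_data[0]['indexer_user']` would raise `KeyError`. Either query the documented host name (`host='indexer-node-1'`) or move the two variables under `indexer: vars:` and read them through a group lookup; I cannot run the inventory here, so please confirm which layout the CI inventory actually uses. Note also that these credentials are used by calls made under a suppressed `InsecureRequestWarning` (see the `filterwarnings` marks in the test modules), which suggests TLS verification to the indexer is off — acceptable for a lab, but worth stating in the README next to the credential fields.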
@@ -137,7 +137,7 @@ def test_audit(configure_environment, metadata, get_dashboard_credentials, get_m ]) # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials, ip_address=get_manager_ip) + response = e2e.get_alert_indexer_api(query=query, credentials=get_indexer_credentials, ip_address=get_manager_ip) indexed_alert = json.dumps(response.json()) # Check that the alert data is the expected one diff --git a/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py b/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py index 2c750b876c..0338dbee0a 100644 --- a/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py +++ b/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py @@ -73,7 +73,7 @@ @pytest.mark.parametrize('metadata', metadata, ids=cases_ids) @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -def test_aws_infrastructure_monitoring(metadata, configure_environment, get_dashboard_credentials, get_manager_ip, +def test_aws_infrastructure_monitoring(metadata, configure_environment, get_indexer_credentials, get_manager_ip, generate_events, clean_alerts_index): ''' description: Check that an alert is generated and indexed when an event obtained from AWS services matches a rule. @@ -95,9 +95,9 @@ def test_aws_infrastructure_monitoring(metadata, configure_environment, get_dash - metadata: type: dict brief: Wazuh configuration metadata. - - get_dashboard_credentials: + - get_indexer_credentials: type: fixture - brief: Get the wazuh dashboard credentials. + brief: Get the wazuh indexer credentials. - generate_events: type: fixture brief: Generate events that will trigger the alert according to the generate_events playbook. 
@@ -148,7 +148,7 @@ def test_aws_infrastructure_monitoring(metadata, configure_environment, get_dash ]) # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials, ip_address=get_manager_ip) + response = e2e.get_alert_indexer_api(query=query, credentials=get_indexer_credentials, ip_address=get_manager_ip) indexed_alert = json.dumps(response.json()) # Check that the alert data is the expected one diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py index ae627ccd8a..6f81b0285b 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py @@ -64,7 +64,7 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_brute_force_rdp(configure_environment, metadata, get_dashboard_credentials, get_manager_ip, generate_events, +def test_brute_force_rdp(configure_environment, metadata, get_indexer_credentials, get_manager_ip, generate_events, clean_alerts_index): ''' description: Check that an alert is generated and indexed when a brute force attack is perfomed. @@ -86,9 +86,9 @@ def test_brute_force_rdp(configure_environment, metadata, get_dashboard_credenti - metadata: type: dict brief: Wazuh configuration metadata. - - get_dashboard_credentials: + - get_indexer_credentials: type: fixture - brief: Get the wazuh dashboard credentials. + brief: Get the wazuh indexer credentials. - generate_events: type: fixture brief: Generate events that will trigger the alert according to the generate_events playbook. 
@@ -135,7 +135,7 @@ def test_brute_force_rdp(configure_environment, metadata, get_dashboard_credenti ]) # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials, ip_address=get_manager_ip) + response = e2e.get_alert_indexer_api(query=query, credentials=get_indexer_credentials, ip_address=get_manager_ip) indexed_alert = json.dumps(response.json()) # Check that the alert data is the expected one diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py index 1c93269d78..15395828ca 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py @@ -61,7 +61,7 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_brute_force_ssh(metadata, get_dashboard_credentials, get_manager_ip, generate_events, clean_alerts_index): +def test_brute_force_ssh(metadata, get_indexer_credentials, get_manager_ip, generate_events, clean_alerts_index): ''' description: Check that an alert is generated and indexed when a brute force attack is perfomed. @@ -79,9 +79,9 @@ def test_brute_force_ssh(metadata, get_dashboard_credentials, get_manager_ip, ge - metadata: type: dict brief: Wazuh configuration metadata. - - get_dashboard_credentials: + - get_indexer_credentials: type: fixture - brief: Get the wazuh dashboard credentials. + brief: Get the wazuh indexer credentials. - generate_events: type: fixture brief: Generate events that will trigger the alert according to the generate_events playbook. 
@@ -127,7 +127,7 @@ def test_brute_force_ssh(metadata, get_dashboard_credentials, get_manager_ip, ge ]) # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials, ip_address=get_manager_ip) + response = e2e.get_alert_indexer_api(query=query, credentials=get_indexer_credentials, ip_address=get_manager_ip) indexed_alert = json.dumps(response.json()) # Check that the alert data is the expected one diff --git a/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py b/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py index e8fedddcb8..dd9e7ac0cf 100644 --- a/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py +++ b/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py @@ -67,7 +67,7 @@ @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -def test_detecting_suspicious_binaries(configure_environment, metadata, get_dashboard_credentials, get_manager_ip, +def test_detecting_suspicious_binaries(configure_environment, metadata, get_indexer_credentials, get_manager_ip, generate_events, clean_alerts_index): ''' description: Check that an alert is generated and indexed when there is a trojaned system binary. @@ -89,9 +89,9 @@ def test_detecting_suspicious_binaries(configure_environment, metadata, get_dash - metadata: type: dict brief: Wazuh configuration metadata. - - get_dashboard_credentials: + - get_indexer_credentials: type: fixture - brief: Get the wazuh dashboard credentials. + brief: Get the wazuh indexer credentials. - generate_events: type: fixture brief: Generate events that will trigger the alert according to the generate_events playbook. 
@@ -149,7 +149,7 @@ def test_detecting_suspicious_binaries(configure_environment, metadata, get_dash ]) # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials, ip_address=get_manager_ip) + response = e2e.get_alert_indexer_api(query=query, credentials=get_indexer_credentials, ip_address=get_manager_ip) indexed_alert = json.dumps(response.json()) # Check that the alert data is the expected one diff --git a/tests/end_to_end/test_basic_cases/test_docker_monitoring/test_docker_monitoring.py b/tests/end_to_end/test_basic_cases/test_docker_monitoring/test_docker_monitoring.py index 4514c71608..d0dc8f28e1 100644 --- a/tests/end_to_end/test_basic_cases/test_docker_monitoring/test_docker_monitoring.py +++ b/tests/end_to_end/test_basic_cases/test_docker_monitoring/test_docker_monitoring.py @@ -63,7 +63,7 @@ @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -def test_docker_monitoring(configure_environment, metadata, get_dashboard_credentials, get_manager_ip, generate_events, +def test_docker_monitoring(configure_environment, metadata, get_indexer_credentials, get_manager_ip, generate_events, clean_alerts_index): ''' description: Check that an alert is generated for Docker events. @@ -85,9 +85,9 @@ def test_docker_monitoring(configure_environment, metadata, get_dashboard_creden - metadata: type: dict brief: Wazuh configuration metadata. - - get_dashboard_credentials: + - get_indexer_credentials: type: fixture - brief: Get the wazuh dashboard credentials. + brief: Get the wazuh indexer credentials. - generate_events: type: fixture brief: Generate events that will trigger the alert according to the generate_events playbook. 
@@ -144,7 +144,7 @@ def test_docker_monitoring(configure_environment, metadata, get_dashboard_creden ]) # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials, ip_address=get_manager_ip) + response = e2e.get_alert_indexer_api(query=query, credentials=get_indexer_credentials, ip_address=get_manager_ip) indexed_alert = json.dumps(response.json()) # Check that the alert data is the expected one diff --git a/tests/end_to_end/test_basic_cases/test_emotet/test_emotet.py b/tests/end_to_end/test_basic_cases/test_emotet/test_emotet.py index 53efeb5967..0bdadbe3b2 100644 --- a/tests/end_to_end/test_basic_cases/test_emotet/test_emotet.py +++ b/tests/end_to_end/test_basic_cases/test_emotet/test_emotet.py @@ -62,7 +62,7 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_emotet(configure_environment, metadata, get_dashboard_credentials, get_manager_ip, generate_events, +def test_emotet(configure_environment, metadata, get_indexer_credentials, get_manager_ip, generate_events, clean_alerts_index): ''' description: Check that an alert is generated when Emotet malware is executed. @@ -84,9 +84,9 @@ def test_emotet(configure_environment, metadata, get_dashboard_credentials, get_ - metadata: type: dict brief: Wazuh configuration metadata. - - get_dashboard_credentials: + - get_indexer_credentials: type: fixture - brief: Get the wazuh dashboard credentials. + brief: Get the wazuh indexer credentials. - generate_events: type: fixture brief: Generate events that will trigger the alert according to the generate_events playbook. 
@@ -142,7 +142,7 @@ def test_emotet(configure_environment, metadata, get_dashboard_credentials, get_ ]) # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials, + response = e2e.get_alert_indexer_api(query=query, credentials=get_indexer_credentials, ip_address=get_manager_ip) indexed_alert = json.dumps(response.json()) diff --git a/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/test_fim_linux.py b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/test_fim_linux.py index 2c1eab628e..3b99aa7173 100644 --- a/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/test_fim_linux.py +++ b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/test_fim_linux.py @@ -60,7 +60,7 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_fim_linux(configure_environment, metadata, get_dashboard_credentials, get_manager_ip, generate_events, +def test_fim_linux(configure_environment, metadata, get_indexer_credentials, get_manager_ip, generate_events, clean_alerts_index): ''' description: Check that an alert is generated and indexed for FIM events. @@ -82,9 +82,9 @@ def test_fim_linux(configure_environment, metadata, get_dashboard_credentials, g - metadata: type: dict brief: Wazuh configuration metadata. - - get_dashboard_credentials: + - get_indexer_credentials: type: fixture - brief: Get the wazuh dashboard credentials. + brief: Get the wazuh indexer credentials. - generate_events: type: fixture brief: Generate events that will trigger the alert according to the generate_events playbook. 
@@ -132,7 +132,7 @@ def test_fim_linux(configure_environment, metadata, get_dashboard_credentials, g ]) # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials, ip_address=get_manager_ip) + response = e2e.get_alert_indexer_api(query=query, credentials=get_indexer_credentials, ip_address=get_manager_ip) indexed_alert = json.dumps(response.json()) # Check that the alert data is the expected one diff --git a/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/test_fim_windows.py b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/test_fim_windows.py index 127e103a25..5db459cfdd 100644 --- a/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/test_fim_windows.py +++ b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/test_fim_windows.py @@ -62,7 +62,7 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_fim_windows(configure_environment, metadata, get_dashboard_credentials, get_manager_ip, generate_events, +def test_fim_windows(configure_environment, metadata, get_indexer_credentials, get_manager_ip, generate_events, clean_alerts_index): ''' description: Check that an alert is generated and indexed for FIM events. @@ -84,9 +84,9 @@ def test_fim_windows(configure_environment, metadata, get_dashboard_credentials, - metadata: type: dict brief: Wazuh configuration metadata. - - get_dashboard_credentials: + - get_indexer_credentials: type: fixture - brief: Get the wazuh dashboard credentials. + brief: Get the wazuh indexer credentials. - generate_events: type: fixture brief: Generate events that will trigger the alert according to the generate_events playbook. 
@@ -134,7 +134,7 @@ def test_fim_windows(configure_environment, metadata, get_dashboard_credentials, ]) # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials, ip_address=get_manager_ip) + response = e2e.get_alert_indexer_api(query=query, credentials=get_indexer_credentials, ip_address=get_manager_ip) indexed_alert = json.dumps(response.json()) # Check that the alert data is the expected one diff --git a/tests/end_to_end/test_basic_cases/test_ip_reputation/test_ip_reputation.py b/tests/end_to_end/test_basic_cases/test_ip_reputation/test_ip_reputation.py index fced37c566..861dfaa7e5 100644 --- a/tests/end_to_end/test_basic_cases/test_ip_reputation/test_ip_reputation.py +++ b/tests/end_to_end/test_basic_cases/test_ip_reputation/test_ip_reputation.py @@ -62,7 +62,7 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_ip_reputation(configure_environment, metadata, get_dashboard_credentials, get_manager_ip, generate_events, +def test_ip_reputation(configure_environment, metadata, get_indexer_credentials, get_manager_ip, generate_events, clean_alerts_index): ''' description: Check that alerts are generated when accessing the web server with an ip with a bad reputation. @@ -84,9 +84,9 @@ def test_ip_reputation(configure_environment, metadata, get_dashboard_credential - metadata: type: dict brief: Wazuh configuration metadata. - - get_dashboard_credentials: + - get_indexer_credentials: type: fixture - brief: Get the wazuh dashboard credentials. + brief: Get the wazuh indexer credentials. - generate_events: type: fixture brief: Generate events that will trigger the alert according to the generate_events playbook. 
@@ -142,7 +142,7 @@ def test_ip_reputation(configure_environment, metadata, get_dashboard_credential ]) # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials, + response = e2e.get_alert_indexer_api(query=query, credentials=get_indexer_credentials, ip_address=get_manager_ip) indexed_alert = json.dumps(response.json()) diff --git a/tests/end_to_end/test_basic_cases/test_osquery_integration/test_osquery_integration.py b/tests/end_to_end/test_basic_cases/test_osquery_integration/test_osquery_integration.py index 68a3e62cbb..c14457ef75 100644 --- a/tests/end_to_end/test_basic_cases/test_osquery_integration/test_osquery_integration.py +++ b/tests/end_to_end/test_basic_cases/test_osquery_integration/test_osquery_integration.py @@ -62,7 +62,7 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_osquery_integration(configure_environment, metadata, get_dashboard_credentials, get_manager_ip, +def test_osquery_integration(configure_environment, metadata, get_indexer_credentials, get_manager_ip, generate_events, clean_alerts_index): ''' description: Check that an alert is generated when the host is stressed. @@ -84,9 +84,9 @@ def test_osquery_integration(configure_environment, metadata, get_dashboard_cred - metadata: type: dict brief: Wazuh configuration metadata. - - get_dashboard_credentials: + - get_indexer_credentials: type: fixture - brief: Get the wazuh dashboard credentials. + brief: Get the wazuh indexer credentials. - generate_events: type: fixture brief: Generate events that will trigger the alert according to the generate_events playbook. 
@@ -139,7 +139,7 @@ def test_osquery_integration(configure_environment, metadata, get_dashboard_cred ]) # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials, ip_address=get_manager_ip) + response = e2e.get_alert_indexer_api(query=query, credentials=get_indexer_credentials, ip_address=get_manager_ip) indexed_alert = json.dumps(response.json()) # Check that the alert data is the expected one diff --git a/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/test_shellshock_attack_detection.py b/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/test_shellshock_attack_detection.py index 8b1ef6d451..48b7bbe162 100644 --- a/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/test_shellshock_attack_detection.py +++ b/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/test_shellshock_attack_detection.py @@ -61,7 +61,7 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_shellshock_attack_detection(configure_environment, metadata, get_dashboard_credentials, get_manager_ip, +def test_shellshock_attack_detection(configure_environment, metadata, get_indexer_credentials, get_manager_ip, generate_events, clean_alerts_index): ''' description: Check that an alert is generated when a shellshock attack is performed. @@ -83,9 +83,9 @@ def test_shellshock_attack_detection(configure_environment, metadata, get_dashbo - metadata: type: dict brief: Wazuh configuration metadata. - - get_dashboard_credentials: + - get_indexer_credentials: type: fixture - brief: Get the wazuh dashboard credentials. + brief: Get the wazuh indexer credentials. - generate_events: type: fixture brief: Generate events that will trigger the alert according to the generate_events playbook. 
@@ -136,7 +136,7 @@ def test_shellshock_attack_detection(configure_environment, metadata, get_dashbo ]) # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials, ip_address=get_manager_ip) + response = e2e.get_alert_indexer_api(query=query, credentials=get_indexer_credentials, ip_address=get_manager_ip) indexed_alert = json.dumps(response.json()) # Check that the alert data is the expected one diff --git a/tests/end_to_end/test_basic_cases/test_slack_integration/test_slack_integration.py b/tests/end_to_end/test_basic_cases/test_slack_integration/test_slack_integration.py index a406685881..e4d1cd755e 100644 --- a/tests/end_to_end/test_basic_cases/test_slack_integration/test_slack_integration.py +++ b/tests/end_to_end/test_basic_cases/test_slack_integration/test_slack_integration.py @@ -82,7 +82,7 @@ def remove_slack_log(): @pytest.mark.parametrize('metadata', metadata, ids=cases_ids) @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -def test_slack_integration(metadata, configure_environment, get_dashboard_credentials, get_manager_ip, generate_events, +def test_slack_integration(metadata, configure_environment, get_indexer_credentials, get_manager_ip, generate_events, remove_slack_log, clean_alerts_index): ''' description: Check that an alert is generated and sent to Slack. @@ -105,9 +105,9 @@ def test_slack_integration(metadata, configure_environment, get_dashboard_creden - metadata: type: dict brief: Wazuh configuration metadata. - - get_dashboard_credentials: + - get_indexer_credentials: type: fixture - brief: Get the wazuh dashboard credentials. + brief: Get the wazuh indexer credentials. - generate_events: type: fixture brief: Generate events that will trigger the alert according to the generate_events playbook. 
@@ -165,7 +165,7 @@ def test_slack_integration(metadata, configure_environment, get_dashboard_creden ]) # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials, ip_address=get_manager_ip) + response = e2e.get_alert_indexer_api(query=query, credentials=get_indexer_credentials, ip_address=get_manager_ip) indexed_alert = json.dumps(response.json()) # Check that the alert data is the expected one diff --git a/tests/end_to_end/test_basic_cases/test_sql_injection/test_sql_injection.py b/tests/end_to_end/test_basic_cases/test_sql_injection/test_sql_injection.py index 0118e4d778..96cb170fe9 100644 --- a/tests/end_to_end/test_basic_cases/test_sql_injection/test_sql_injection.py +++ b/tests/end_to_end/test_basic_cases/test_sql_injection/test_sql_injection.py @@ -59,7 +59,7 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_sql_injection(configure_environment, metadata, get_dashboard_credentials, get_manager_ip, generate_events, +def test_sql_injection(configure_environment, metadata, get_indexer_credentials, get_manager_ip, generate_events, clean_alerts_index): ''' description: Check that an alert is generated when a SQL injection attack is performed. @@ -81,9 +81,9 @@ def test_sql_injection(configure_environment, metadata, get_dashboard_credential - metadata: type: dict brief: Wazuh configuration metadata. - - get_dashboard_credentials: + - get_indexer_credentials: type: fixture - brief: Get the wazuh dashboard credentials. + brief: Get the wazuh indexer credentials. - generate_events: type: fixture brief: Generate events that will trigger the alert according to the generate_events playbook. 
@@ -132,7 +132,7 @@ def test_sql_injection(configure_environment, metadata, get_dashboard_credential ]) # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials, ip_address=get_manager_ip) + response = e2e.get_alert_indexer_api(query=query, credentials=get_indexer_credentials, ip_address=get_manager_ip) indexed_alert = json.dumps(response.json()) # Check that the alert data is the expected one diff --git a/tests/end_to_end/test_basic_cases/test_suricata_integration/test_suricata_integration.py b/tests/end_to_end/test_basic_cases/test_suricata_integration/test_suricata_integration.py index f71937725c..1746401b17 100644 --- a/tests/end_to_end/test_basic_cases/test_suricata_integration/test_suricata_integration.py +++ b/tests/end_to_end/test_basic_cases/test_suricata_integration/test_suricata_integration.py @@ -64,7 +64,7 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_suricata_integration(configure_environment, metadata, get_dashboard_credentials, get_manager_ip, +def test_suricata_integration(configure_environment, metadata, get_indexer_credentials, get_manager_ip, generate_events, clean_alerts_index): ''' description: Check that an alert is generated when a specific web request is executed. @@ -86,9 +86,9 @@ def test_suricata_integration(configure_environment, metadata, get_dashboard_cre - metadata: type: dict brief: Wazuh configuration metadata. - - get_dashboard_credentials: + - get_indexer_credentials: type: fixture - brief: Get the wazuh dashboard credentials. + brief: Get the wazuh indexer credentials. - generate_events: type: fixture brief: Generate events that will trigger the alert according to the generate_events playbook. 
@@ -139,7 +139,7 @@ def test_suricata_integration(configure_environment, metadata, get_dashboard_cre ]) # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials, ip_address=get_manager_ip) + response = e2e.get_alert_indexer_api(query=query, credentials=get_indexer_credentials, ip_address=get_manager_ip) indexed_alert = json.dumps(response.json()) # Check that the alert data is the expected one diff --git a/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/test_unauthorized_processes_detection.py b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/test_unauthorized_processes_detection.py index 78c933749e..30407c41a9 100644 --- a/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/test_unauthorized_processes_detection.py +++ b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/test_unauthorized_processes_detection.py @@ -62,7 +62,7 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_unauthorized_processes_detection(configure_environment, metadata, get_dashboard_credentials, get_manager_ip, +def test_unauthorized_processes_detection(configure_environment, metadata, get_indexer_credentials, get_manager_ip, generate_events, clean_alerts_index): ''' description: Check that an alert is generated if an unauthorized process is running. @@ -84,9 +84,9 @@ def test_unauthorized_processes_detection(configure_environment, metadata, get_d - metadata: type: dict brief: Wazuh configuration metadata. - - get_dashboard_credentials: + - get_indexer_credentials: type: fixture - brief: Get the wazuh dashboard credentials. + brief: Get the wazuh indexer credentials. - generate_events: type: fixture brief: Generate events that will trigger the alert according to the generate_events playbook. 
@@ -133,7 +133,7 @@ def test_unauthorized_processes_detection(configure_environment, metadata, get_d ]) # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials, ip_address=get_manager_ip) + response = e2e.get_alert_indexer_api(query=query, credentials=get_indexer_credentials, ip_address=get_manager_ip) indexed_alert = json.dumps(response.json()) # Check that the alert data is the expected one diff --git a/tests/end_to_end/test_basic_cases/test_virustotal_integration/test_virustotal_integration.py b/tests/end_to_end/test_basic_cases/test_virustotal_integration/test_virustotal_integration.py index 2f8bd0ecb7..280b660d59 100644 --- a/tests/end_to_end/test_basic_cases/test_virustotal_integration/test_virustotal_integration.py +++ b/tests/end_to_end/test_basic_cases/test_virustotal_integration/test_virustotal_integration.py @@ -68,7 +68,7 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_virustotal_integration(configure_environment, metadata, get_dashboard_credentials, get_manager_ip, +def test_virustotal_integration(configure_environment, metadata, get_indexer_credentials, get_manager_ip, generate_events, clean_alerts_index): ''' description: Check that an alert is generated and the active response executed if the file is malicious. @@ -90,9 +90,9 @@ def test_virustotal_integration(configure_environment, metadata, get_dashboard_c - metadata: type: dict brief: Wazuh configuration metadata. - - get_dashboard_credentials: + - get_indexer_credentials: type: fixture - brief: Get the wazuh dashboard credentials. + brief: Get the wazuh indexer credentials. - generate_events: type: fixture brief: Generate events that will trigger the alert according to the generate_events playbook. 
@@ -138,7 +138,7 @@ def test_virustotal_integration(configure_environment, metadata, get_dashboard_c ]) # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials, ip_address=get_manager_ip) + response = e2e.get_alert_indexer_api(query=query, credentials=get_indexer_credentials, ip_address=get_manager_ip) indexed_alert = json.dumps(response.json()) # Check that the alert data is the expected one diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py index 857051bbbb..89998b8c01 100644 --- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py +++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py @@ -66,7 +66,7 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_vulnerability_detector_linux(configure_environment, metadata, get_dashboard_credentials, get_manager_ip, +def test_vulnerability_detector_linux(configure_environment, metadata, get_indexer_credentials, get_manager_ip, generate_events, clean_alerts_index): ''' description: Check that an alert is generated and indexed when a vulnerable package is present. 
@@ -88,9 +88,9 @@ def test_vulnerability_detector_linux(configure_environment, metadata, get_dashb - metadata: type: dict brief: Wazuh configuration metadata. - - get_dashboard_credentials: + - get_indexer_credentials: type: fixture - brief: Get the wazuh dashboard credentials. + brief: Get the wazuh indexer credentials. - generate_events: type: fixture brief: Generate events that will trigger the alert according to the generate_events playbook. @@ -138,7 +138,7 @@ def test_vulnerability_detector_linux(configure_environment, metadata, get_dashb ]) # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials, ip_address=get_manager_ip) + response = e2e.get_alert_indexer_api(query=query, credentials=get_indexer_credentials, ip_address=get_manager_ip) indexed_alert = json.dumps(response.json()) # Check that the alert data is the expected one diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py index 16a9d8abf9..76d6f23813 100644 --- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py +++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py 
@@ -67,7 +67,7 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_vulnerability_detector_windows(configure_environment, metadata, get_dashboard_credentials, get_manager_ip, +def test_vulnerability_detector_windows(configure_environment, metadata, get_indexer_credentials, get_manager_ip, generate_events, clean_alerts_index): ''' description: Check that an alert is generated and indexed when a vulnerable package is present. @@ -89,9 +89,9 @@ def test_vulnerability_detector_windows(configure_environment, metadata, get_das - metadata: type: dict brief: Wazuh configuration metadata. - - get_dashboard_credentials: + - get_indexer_credentials: type: fixture - brief: Get the wazuh dashboard credentials. + brief: Get the wazuh indexer credentials. - generate_events: type: fixture brief: Generate events that will trigger the alert according to the generate_events playbook. @@ -139,7 +139,7 @@ def test_vulnerability_detector_windows(configure_environment, metadata, get_das ]) # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials, ip_address=get_manager_ip) + response = e2e.get_alert_indexer_api(query=query, credentials=get_indexer_credentials, ip_address=get_manager_ip) indexed_alert = json.dumps(response.json()) # Check that the alert data is the expected one diff --git a/tests/end_to_end/test_basic_cases/test_windows_defender/test_windows_defender.py b/tests/end_to_end/test_basic_cases/test_windows_defender/test_windows_defender.py index 14163f322a..9c8b64e86b 100644 --- a/tests/end_to_end/test_basic_cases/test_windows_defender/test_windows_defender.py +++ b/tests/end_to_end/test_basic_cases/test_windows_defender/test_windows_defender.py 
@@ -61,7 +61,7 @@ @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) -def test_windows_defender(configure_environment, metadata, get_dashboard_credentials, get_manager_ip, generate_events, +def test_windows_defender(configure_environment, metadata, get_indexer_credentials, get_manager_ip, generate_events, clean_alerts_index): ''' description: Check that an alert is generated for Windows Defender logs. @@ -83,9 +83,9 @@ def test_windows_defender(configure_environment, metadata, get_dashboard_credent - metadata: type: dict brief: Wazuh configuration metadata. - - get_dashboard_credentials: + - get_indexer_credentials: type: fixture - brief: Get the wazuh dashboard credentials. + brief: Get the wazuh indexer credentials. - generate_events: type: fixture brief: Generate events that will trigger the alert according to the generate_events playbook. @@ -133,7 +133,7 @@ def test_windows_defender(configure_environment, metadata, get_dashboard_credent ]) # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials, ip_address=get_manager_ip) + response = e2e.get_alert_indexer_api(query=query, credentials=get_indexer_credentials, ip_address=get_manager_ip) indexed_alert = json.dumps(response.json()) # Check that the alert data is the expected one diff --git a/tests/end_to_end/test_basic_cases/test_yara_integration/test_yara_integration.py b/tests/end_to_end/test_basic_cases/test_yara_integration/test_yara_integration.py index 0fb404e882..16324b6502 100644 --- a/tests/end_to_end/test_basic_cases/test_yara_integration/test_yara_integration.py +++ b/tests/end_to_end/test_basic_cases/test_yara_integration/test_yara_integration.py 
@@ -69,7 +69,7 @@ @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') -def test_yara_integration(configure_environment, metadata, get_dashboard_credentials, get_manager_ip, generate_events, +def test_yara_integration(configure_environment, metadata, get_indexer_credentials, get_manager_ip, generate_events, clean_alerts_index): ''' description: Check that an alert is generated when malware is downloaded. @@ -91,9 +91,9 @@ def test_yara_integration(configure_environment, metadata, get_dashboard_credent - metadata: type: dict brief: Wazuh configuration metadata. - - get_dashboard_credentials: + - get_indexer_credentials: type: fixture - brief: Get the wazuh dashboard credentials. + brief: Get the wazuh indexer credentials. - generate_events: type: fixture brief: Generate events that will trigger the alert according to the generate_events playbook. @@ -150,7 +150,7 @@ def test_yara_integration(configure_environment, metadata, get_dashboard_credent ]) # Check if the alert has been indexed and get its data - response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials, ip_address=get_manager_ip) + response = e2e.get_alert_indexer_api(query=query, credentials=get_indexer_credentials, ip_address=get_manager_ip) indexed_alert = json.dumps(response.json()) # Check that the alert data is the expected one From 82c043dcd418741d77c9041a82a7c188b0238bbb Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Wed, 31 Aug 2022 11:04:39 -0300 Subject: [PATCH 500/552] refactor(#3203): change task to check connection with Indexer. Now no error is displayed in Ansible output. --- tests/end_to_end/README.md | 7 ++- .../tasks/check_controller_indexer.yaml | 59 ++++++++----------- .../tasks/get_installation_type.yaml | 2 +- 3 files changed, 33 insertions(+), 35 deletions(-) 
diff --git a/tests/end_to_end/README.md b/tests/end_to_end/README.md index e72f579fd2..a86a4728f2 100644 --- a/tests/end_to_end/README.md +++ b/tests/end_to_end/README.md @@ -18,7 +18,6 @@ Our E2E tests will verify that, after generating an event, an alert will be trig To run these tests we need to use a **Linux** machine and install the following tools: - [Ansible](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html) -- [Netcat](https://www.tecmint.com/netcat-nc-command-examples/) Then, you will need to have an inventory with the needed hosts and variables. For example: @@ -33,6 +32,8 @@ managers: ansible_python_interpreter: /usr/bin/python3 dashboard_user: dashboard_password: + vars: + os_name: linux agents: children: @@ -50,6 +51,8 @@ agents: ansible_user: ansible_ssh_private_key_file: ansible_python_interpreter: /usr/bin/python3 + vars: + os_name: linux windows: hosts: windows-agent: @@ -61,6 +64,8 @@ agents: ansible_winrm_transport: basic ansible_winrm_port: 5985 (Only in local executions) ansible_python_interpreter: C:\Users\vagrant\AppData\Local\Programs\Pyhton\Python39\python.exe + vars: + os_name: windows all: vars: diff --git a/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_controller_indexer.yaml b/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_controller_indexer.yaml index 520959132e..abec50dd38 100644 --- a/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_controller_indexer.yaml +++ b/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_controller_indexer.yaml 
@@ -7,37 +7,30 @@ name: service_controller tasks_from: get_installation_type -- name: Test connection with Wazuh Indexer - shell: nc -v -4 {{ hostvars[inventory_hostname]['ansible_host'] }} 9200 - timeout: 3 - ignore_errors: true - register: test_result - delegate_to: localhost - when: (os == 'linux' and 'server' in wazuh_info.stdout) +- name: Handle API errors + block: + - name: Test Wazuh Indexer connection + uri: + url: https://{{ hostvars[inventory_hostname]['ansible_host'] }}:9200 + user: "{{ hostvars[inventory_hostname]['dashboard_user'] }}" + password: "{{ hostvars[inventory_hostname]['dashboard_password'] }}" + method: GET + status_code: 200 + force_basic_auth: true + return_content: true + validate_certs: false + register: api_response + delegate_to: localhost + when: (os == 'linux' and 'server' in wazuh_info.stdout) + rescue: + - name: Check the Wazuh Indexer credentials + set_fact: + check_result: 'true' + errors: "{{ errors }}The Wazuh Indexer credentials are invalid, please check the inventory.\n" + when: (os == 'linux' and 'server' in wazuh_info.stdout and 'Unauthorized' in api_response.content) -- name: Check the connection between Controller node and Wazuh Indexer - set_fact: - check_result: 'true' - errors: "{{ errors }}Ansible Controller node cannot connect correctly with Wazuh Indexer.\n" - when: (test_result is failed and test_result.stderr is defined and 'refused' in test_result.stderr) - -- name: Test Wazuh Indexer credentials - uri: - url: https://{{ hostvars[inventory_hostname]['ansible_host'] }}:9200 - user: "{{ hostvars[inventory_hostname]['dashboard_user'] }}" - password: "{{ hostvars[inventory_hostname]['dashboard_password'] }}" - method: GET - status_code: 200 - force_basic_auth: true - return_content: true - validate_certs: false - ignore_errors: true - register: api_response - delegate_to: localhost - when: (os == 'linux' and 'server' in wazuh_info.stdout) - -- name: Check the Wazuh Indexer API response - set_fact: - check_result: 
'true' - errors: "{{ errors }}The Wazuh Indexer credentials are invalid, please check the inventory.\n" - when: (os == 'linux' and 'server' in wazuh_info.stdout and 'Unauthorized' in api_response.content) + - name: Check the connection between Controller node and Wazuh Indexer + set_fact: + check_result: 'true' + errors: "{{ errors }}Ansible Controller node cannot connect correctly with Wazuh Indexer.\n" + when: (os == 'linux' and 'server' in wazuh_info.stdout and 'Connection refused' in api_response.msg) diff --git a/tests/end_to_end/data/ansible_roles/service_controller/tasks/get_installation_type.yaml b/tests/end_to_end/data/ansible_roles/service_controller/tasks/get_installation_type.yaml index 539b953ddb..7a210610c4 100644 --- a/tests/end_to_end/data/ansible_roles/service_controller/tasks/get_installation_type.yaml +++ b/tests/end_to_end/data/ansible_roles/service_controller/tasks/get_installation_type.yaml @@ -11,5 +11,5 @@ - name: Get installation type (Windows) set_fact: wazuh_info: - stdout: 'agent' + stdout: agent when: os == 'windows' From 9210a08f8ef6f79c5e68ca3ce203709d33f62bb4 Mon Sep 17 00:00:00 2001 From: Julia Date: Wed, 31 Aug 2022 16:40:57 +0200 Subject: [PATCH 501/552] refactor(#3219): mark vd test as xfail --- .../test_vulnerability_detector_linux.py | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py index 29f1db1b57..8470a8aeda 100644 --- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py +++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py 
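Review bot: The rescue block only recognises two failure shapes, so any other failure of the `uri` task — a timeout, a TLS handshake error, a 403 or a 5xx — is absorbed by the rescue and the play goes on as if the check had passed, which matches the commit's "no error is displayed" but also hides real misconfiguration. The first rescue task's `when` also dereferences `api_response.content`; when the request never reaches the server the module result may carry `msg` and `status` but no `content`, in which case the conditional itself errors inside the rescue before the connection check runs. Matching on `api_response.status == 401` instead of a body substring, guarding `msg` with `default('')`, and adding a catch-all task that records `api_response.msg` would make the check report every failure mode, as below. The block keeps `validate_certs: false` while sending the Indexer password with basic auth; if the inventory can carry the Indexer CA, `validate_certs: true` with `ca_path` would close that gap.
```yaml
  rescue:
    # … unchanged above: block with the "Test Wazuh Indexer connection" uri task …
    - name: Check the Wazuh Indexer credentials
      set_fact:
        check_result: 'true'
        errors: "{{ errors }}The Wazuh Indexer credentials are invalid, please check the inventory.\n"
      when: (os == 'linux' and 'server' in wazuh_info.stdout and api_response.status | default(0) == 401)

    - name: Check the connection between Controller node and Wazuh Indexer
      set_fact:
        check_result: 'true'
        errors: "{{ errors }}Ansible Controller node cannot connect correctly with Wazuh Indexer.\n"
      when: (os == 'linux' and 'server' in wazuh_info.stdout and 'Connection refused' in api_response.msg | default(''))

    - name: Report any other Wazuh Indexer check failure
      set_fact:
        check_result: 'true'
        errors: "{{ errors }}Wazuh Indexer check failed: {{ api_response.msg | default('unknown error') }}\n"
      when:
        - os == 'linux' and 'server' in wazuh_info.stdout
        - api_response.status | default(0) != 401
        - "'Connection refused' not in api_response.msg | default('')"
```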
@@ -64,6 +64,7 @@ configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path)
+@pytest.mark.xfail(reason="It will be blocked by wazuh/wazuh#14736, when it is resolved, we can enable the test")
 @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning')
 @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids)
 def test_vulnerability_detector_linux(configure_environment, metadata, get_dashboard_credentials, get_manager_ip,
From 0ddc870e8a1b56e171d3d954100a0886c5eb01f0 Mon Sep 17 00:00:00 2001
From: Julia
Date: Wed, 31 Aug 2022 20:42:54 +0200
Subject: [PATCH 502/552] refactor(#3211): skip aws test
---
 .../test_aws_infrastructure_monitoring.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py b/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py
index 7210ac8726..50c259abd0 100644
--- a/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py
+++ b/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py
@@ -75,6 +75,7 @@ pytestmark = [TIER0, LINUX]
+@pytest.mark.skip(reason='It will be blocked by #3211, when it is resolved, we can enable the test')
 @pytest.mark.parametrize('metadata', metadata, ids=cases_ids)
 @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning')
 def test_aws_infrastructure_monitoring(metadata, configure_environment, get_dashboard_credentials, get_manager_ip,
From 6079bc85e41ea87a30ae9bcac1a56b565225c3b8 Mon Sep 17 00:00:00 2001
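Review bot: `@pytest.mark.xfail` without `strict=True` turns an unexpected pass into an XPASS that does not fail the run, so once wazuh/wazuh#14736 is resolved nothing signals that the test can be re-enabled; use `@pytest.mark.xfail(strict=True, reason="It will be blocked by wazuh/wazuh#14736, when it is resolved, we can enable the test")`. If the blocker makes the test fail only intermittently, an xfail also hides the failures that do occur, and a plain `skip` with the same reason (as the aws test in the following patch uses) states the intent more explicitly. The decorated function's body continues outside the hunk.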
From: =?UTF-8?q?V=C3=ADctor=20Rebollo=20P=C3=A9rez?= Date: Thu, 1 Sep 2022 14:37:21 +0100 Subject: [PATCH 503/552] fix(#3165): fix install hydra playbook --- .../test_brute_force_rdp/data/playbooks/configuration.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml index fb0aaea30b..d670b7427f 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml @@ -4,7 +4,7 @@ tasks: - name: Update packages list ansible.builtin.apt: - update_cache: yes + update_cache: yes # Install hydra to attempt the RDP brute force attack - name: Install hydra From b0d16cefd251f2cc03142b819117879fb7834734 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?V=C3=ADctor=20Rebollo=20P=C3=A9rez?= Date: Thu, 1 Sep 2022 14:37:44 +0100 Subject: [PATCH 504/552] fix(#3165): increase E2E timeouts --- .../test_audit/data/playbooks/generate_events.yaml | 2 +- .../data/playbooks/generate_events.yaml | 2 +- .../test_brute_force_rdp/data/playbooks/generate_events.yaml | 2 +- .../test_brute_force_ssh/data/playbooks/generate_events.yaml | 2 +- .../data/playbooks/generate_events.yaml | 2 +- .../data/playbooks/generate_events.yaml | 2 +- .../test_emotet/data/playbooks/generate_events.yaml | 2 +- .../test_fim_linux/data/playbooks/generate_events.yaml | 2 +- .../test_fim_windows/data/playbooks/generate_events.yaml | 2 +- .../data/playbooks/generate_events.yaml | 2 +- .../data/playbooks/generate_events.yaml | 2 +- .../test_sql_injection/data/playbooks/generate_events.yaml | 2 +- .../data/playbooks/generate_events.yaml | 4 +--- .../data/playbooks/generate_events.yaml | 2 +- .../data/playbooks/generate_events.yaml | 2 +- .../test_yara_integration/data/playbooks/generate_events.yaml | 2 +- 16 files changed, 16 insertions(+), 18 deletions(-) diff --git a/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/generate_events.yaml index e3fd4ae1ad..975d06c93c 100644 --- a/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/generate_events.yaml @@ -12,7 +12,7 @@ - name: Wait for alert to be generated wait_for: - timeout: 5 + timeout: 30 - name: Get alert json include_role: diff --git a/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml index ae689ef8ca..c597a2ab40 100644 --- a/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml 
+++ b/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml @@ -23,7 +23,7 @@ - name: Wait for alerts to be indexed wait_for: - timeout: 10 + timeout: 40 - name: Get alert json include_role: diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml index cad57a7695..e3a9667e17 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml @@ -28,7 +28,7 @@ - name: Wait for alert wait_for: - timeout: 5 + timeout: 30 - name: Get alerts file hosts: manager diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml index 01c7b3b47e..4ca92b52d7 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml @@ -35,7 +35,7 @@ - name: Wait for alert wait_for: - timeout: 5 + timeout: 30 - name: Get alerts file hosts: manager diff --git a/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml index ce86fe96a0..06555c972c 100644 --- a/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml 
@@ -17,7 +17,7 @@ - name: Wait for alerts to be generated wait_for: - timeout: 10 + timeout: 40 - name: Get alert json include_role: diff --git a/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml index 1cf3ffb72d..c2bea66243 100644 --- a/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml @@ -13,7 +13,7 @@ - name: Wait for alerts to be generated wait_for: - timeout: 20 + timeout: 50 - name: Get alert json include_role: diff --git a/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/generate_events.yaml index e3938d92af..a2015fc327 100644 --- a/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/generate_events.yaml @@ -22,7 +22,7 @@ - name: Wait for alert wait_for: - timeout: 10 + timeout: 40 - name: Get alert json include_role: diff --git a/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/generate_events.yaml index 4a01864c34..9065848fe5 100644 --- a/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/generate_events.yaml @@ -24,7 +24,7 @@ - name: Wait for alert to be generated wait_for: - timeout: 5 + timeout: 30 - name: Get alert json include_role: 
diff --git a/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/generate_events.yaml index 1a3179b9c6..3d935747fc 100644 --- a/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/generate_events.yaml @@ -22,7 +22,7 @@ - name: Wait for alert to be generated wait_for: - timeout: 5 + timeout: 30 - name: Get alert json include_role: diff --git a/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/generate_events.yaml index 874f8321e7..db30a53e91 100644 --- a/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/generate_events.yaml @@ -16,7 +16,7 @@ - name: Wait for alerts to be generated wait_for: - timeout: 5 + timeout: 30 - name: Get alert json include_role: diff --git a/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/generate_events.yaml index c5683f38fe..89a1ae3b02 100644 --- a/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/generate_events.yaml @@ -13,7 +13,7 @@ - name: Wait for alerts to be generated wait_for: - timeout: 10 + timeout: 40 - name: Get alert json include_role: diff --git a/tests/end_to_end/test_basic_cases/test_sql_injection/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_sql_injection/data/playbooks/generate_events.yaml index a179a627bf..9e93091aaa 100644 
--- a/tests/end_to_end/test_basic_cases/test_sql_injection/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_sql_injection/data/playbooks/generate_events.yaml @@ -16,7 +16,7 @@ - name: Wait for alert wait_for: - timeout: 5 + timeout: 30 - name: Get alerts file hosts: manager diff --git a/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml index 4483b19a35..68724a7a46 100644 --- a/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml @@ -19,12 +19,10 @@ - name: Get alerts file hosts: manager become: true - vars: tasks: - - name: Wait for alerts to be generated wait_for: - timeout: 10 + timeout: 30 - name: Get alert json include_role: diff --git a/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/generate_events.yaml index af2a13a522..c5b831ea42 100644 --- a/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/generate_events.yaml @@ -19,7 +19,7 @@ - name: Wait for alert wait_for: - timeout: 5 + timeout: 40 - name: Kill netcat become: true diff --git a/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/generate_events.yaml index aba1d2d88d..dbc872d64b 100644 --- a/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/generate_events.yaml 
+++ b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/generate_events.yaml @@ -8,7 +8,7 @@ - name: Wait for alert wait_for: - timeout: 5 + timeout: 40 - name: Get alerts file hosts: manager diff --git a/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/generate_events.yaml index 9c419d5bd4..ea311e328d 100644 --- a/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/generate_events.yaml @@ -19,7 +19,7 @@ - name: Wait for alerts to be generated wait_for: - timeout: 15 + timeout: 50 - name: Get alert json include_role: From 7194025666e64ee4895765bc66b6daebfd88acd9 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Thu, 1 Sep 2022 12:21:14 -0300 Subject: [PATCH 505/552] fix(#3208): fix hydra installation and add new role to search for alerts. --- .../manage_alerts/tasks/search_alert.yaml | 12 +++++++++++ tests/end_to_end/data/env_requirements.json | 3 ++- .../data/playbooks/configuration.yaml | 4 ++-- .../data/playbooks/generate_events.yaml | 20 +++++++++++-------- .../test_cases/cases_brute_force_rdp.yaml | 4 ++++ .../data/playbooks/generate_events.yaml | 19 +++++++++++++----- .../test_cases/cases_brute_force_ssh.yaml | 4 ++++ 7 files changed, 50 insertions(+), 16 deletions(-) create mode 100644 tests/end_to_end/data/ansible_roles/manage_alerts/tasks/search_alert.yaml diff --git a/tests/end_to_end/data/ansible_roles/manage_alerts/tasks/search_alert.yaml b/tests/end_to_end/data/ansible_roles/manage_alerts/tasks/search_alert.yaml new file mode 100644 index 0000000000..f3e75c6501 --- /dev/null +++ b/tests/end_to_end/data/ansible_roles/manage_alerts/tasks/search_alert.yaml 
@@ -0,0 +1,12 @@ +- name: Search alert in alerts log + become: true + lineinfile: + path: /var/ossec/logs/alerts/alerts.json + regexp: "{{ custom_regex }}" + state: absent + check_mode: true + changed_when: false + register: alert + until: alert.found != 0 + retries: "{{ attempts }}" + delay: "{{ time_btw_attempts }}" diff --git a/tests/end_to_end/data/env_requirements.json b/tests/end_to_end/data/env_requirements.json index ad9baf33cc..a07f0b986f 100644 --- a/tests/end_to_end/data/env_requirements.json +++ b/tests/end_to_end/data/env_requirements.json @@ -47,7 +47,8 @@ "agent": { "instances": 2, "distros": [ - "Windows" + "Windows", + "Ubuntu" ] } }, diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml index c37d81d4d0..ea4555f90f 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml @@ -1,10 +1,10 @@ - name: Configure local environment - hosts: localhost + hosts: ubuntu-agent become: true tasks: # Install hydra to attempt the RDP brute force attack - name: Install hydra package: - name: hydra + name: hydra=9.2-1ubuntu1 state: present diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml index 238b3dd35b..61e176d6bd 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml 
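Review bot: The search mechanism in the new `search_alert.yaml` relies on a non-obvious combination — `lineinfile` with `state: absent` would delete matching lines, and only `check_mode: true` keeps it read-only while `found` reports the number of matching lines — and nothing in the task says so. A header comment such as `# Read-only search: check_mode stops 'state: absent' from deleting anything; 'found' counts lines matching custom_regex` plus a line listing the variables a caller must pass (`custom_regex`, `attempts`, `time_btw_attempts`) would make the role safe to reuse. When the retries run out the failure shows only the raw `lineinfile` result, so naming the pattern in the task, e.g. `name: "Search alert matching {{ custom_regex }} in alerts log"`, makes a timed-out search diagnosable from the play output.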
@@ -8,7 +8,7 @@ tasks_from: truncate_alert_json.yaml - name: Generate events - hosts: localhost + hosts: ubuntu-agent tasks: - name: Attempt a RDP brute force attack @@ -22,18 +22,22 @@ - test_user - test_user - test_user - register: result - failed_when: - - "'0 valid password found' not in result.stdout" - - - name: Wait for alert - wait_for: - timeout: 5 - name: Get alerts file hosts: managers tasks: + - name: Search alert in alerts log + include_role: + name: manage_alerts + tasks_from: search_alert.yaml + vars: + ts: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ + custom_regex: "{\"timestamp\":\"{{ ts }}\",\"rule\":{\"level\":{{ rule_level }},\ + \"description\":\"{{ rule_description }}\",\"id\":\"{{ rule_id }}\".*" + attempts: 15 + time_btw_attempts: 2 + - name: Get alert json include_role: name: manage_alerts diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/test_cases/cases_brute_force_rdp.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/test_cases/cases_brute_force_rdp.yaml index 0d2bfb9feb..bf6eaace89 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/test_cases/cases_brute_force_rdp.yaml +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/test_cases/cases_brute_force_rdp.yaml @@ -7,3 +7,7 @@ rule.description: Multiple Windows logon failures. extra: mitre_technique: Brute Force + extra_vars: + rule_id: 60204 + rule_level: 10 + rule_description: Multiple Windows logon failures. diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml index eaa2e16655..9311246dc5 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml 
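Review bot: The timestamp pattern `\d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+` in the new "Search alert in alerts log" task uses the character class `[+|-]`, which also matches a literal `|`; the intended offset sign is `[+-]`. The same pattern is pasted into the ssh playbook in this patch, again in patches 506 and 507, and into the osquery (508) and emotet (511) playbooks, so it belongs in one place — for instance a default `timestamp` var inside the `manage_alerts` role — rather than being repeated per test. `rule_description` is interpolated into `custom_regex` unescaped, so any regex metacharacter in a description (the `.` in "Multiple Windows logon failures." currently matches any character) silently loosens the match; `{{ rule_description | regex_escape }}` keeps it literal. The hydra task whose `register`/`failed_when` lines are removed begins outside this hunk, so whether a non-zero exit status alone is the intended failure criterion cannot be judged from here.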
+++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml @@ -19,7 +19,7 @@ responses: (.*)continue connecting(.*): 'yes' (?i)password: 1 - timeout: 5 + timeout: 15 loop: - test_user - test_user @@ -33,14 +33,23 @@ failed_when: - "'Permission denied' not in result.stdout" - - name: Wait for alert - wait_for: - timeout: 5 - - name: Get alerts file hosts: managers + vars: + ts: tasks: + - name: Search alert in alerts log + include_role: + name: manage_alerts + tasks_from: search_alert.yaml + vars: + ts: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ + custom_regex: "{\"timestamp\":\"{{ ts }}\",\"rule\":{\"level\":{{ rule_level }},\ + \"description\":\"{{ rule_description }}\",\"id\":\"{{ rule_id }}\".*" + attempts: 15 + time_btw_attempts: 2 + - name: Get alert json include_role: name: manage_alerts diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/test_cases/cases_brute_force_ssh.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/test_cases/cases_brute_force_ssh.yaml index d58f3ff6dd..73288d7db7 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/test_cases/cases_brute_force_ssh.yaml +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/test_cases/cases_brute_force_ssh.yaml @@ -7,3 +7,7 @@ rule.description: "sshd: brute force trying to get access to the system. Non existent user." extra: mitre_technique: Brute Force + extra_vars: + rule_id: 5712 + rule_level: 10 + rule_description: "sshd: brute force trying to get access to the system. Non existent user." From c80948d8ed1db95aa69cae2c342d9bf9fe22216a Mon Sep 17 00:00:00 2001 
From: Mauro Malara Date: Thu, 1 Sep 2022 12:21:14 -0300 Subject: [PATCH 506/552] fix(#3208): fix hydra installation and add new role to search for alerts. --- .../manage_alerts/tasks/search_alert.yaml | 12 +++++++++++ tests/end_to_end/data/env_requirements.json | 3 ++- .../data/playbooks/configuration.yaml | 4 ++-- .../data/playbooks/generate_events.yaml | 20 +++++++++++-------- .../test_cases/cases_brute_force_rdp.yaml | 4 ++++ .../data/playbooks/generate_events.yaml | 19 +++++++++++++----- .../test_cases/cases_brute_force_ssh.yaml | 4 ++++ 7 files changed, 50 insertions(+), 16 deletions(-) create mode 100644 tests/end_to_end/data/ansible_roles/manage_alerts/tasks/search_alert.yaml diff --git a/tests/end_to_end/data/ansible_roles/manage_alerts/tasks/search_alert.yaml b/tests/end_to_end/data/ansible_roles/manage_alerts/tasks/search_alert.yaml new file mode 100644 index 0000000000..f3e75c6501 --- /dev/null +++ b/tests/end_to_end/data/ansible_roles/manage_alerts/tasks/search_alert.yaml @@ -0,0 +1,12 @@ +- name: Search alert in alerts log + become: true + lineinfile: + path: /var/ossec/logs/alerts/alerts.json + regexp: "{{ custom_regex }}" + state: absent + check_mode: true + changed_when: false + register: alert + until: alert.found != 0 + retries: "{{ attempts }}" + delay: "{{ time_btw_attempts }}" diff --git a/tests/end_to_end/data/env_requirements.json b/tests/end_to_end/data/env_requirements.json index cb3ef640b3..cf6e8aa8e9 100644 --- a/tests/end_to_end/data/env_requirements.json +++ b/tests/end_to_end/data/env_requirements.json @@ -47,7 +47,8 @@ "agent": { "instances": 1, "distros": [ - "Windows" + "Windows", + "Ubuntu" ] } }, diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml index c37d81d4d0..ea4555f90f 100644 
--- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml @@ -1,10 +1,10 @@ - name: Configure local environment - hosts: localhost + hosts: ubuntu-agent become: true tasks: # Install hydra to attempt the RDP brute force attack - name: Install hydra package: - name: hydra + name: hydra=9.2-1ubuntu1 state: present diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml index 238b3dd35b..61e176d6bd 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml @@ -8,7 +8,7 @@ tasks_from: truncate_alert_json.yaml - name: Generate events - hosts: localhost + hosts: ubuntu-agent tasks: - name: Attempt a RDP brute force attack @@ -22,18 +22,22 @@ - test_user - test_user - test_user - register: result - failed_when: - - "'0 valid password found' not in result.stdout" - - - name: Wait for alert - wait_for: - timeout: 5 - name: Get alerts file hosts: managers tasks: + - name: Search alert in alerts log + include_role: + name: manage_alerts + tasks_from: search_alert.yaml + vars: + ts: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ + custom_regex: "{\"timestamp\":\"{{ ts }}\",\"rule\":{\"level\":{{ rule_level }},\ + \"description\":\"{{ rule_description }}\",\"id\":\"{{ rule_id }}\".*" + attempts: 15 + time_btw_attempts: 2 + - name: Get alert json include_role: name: manage_alerts 
diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/test_cases/cases_brute_force_rdp.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/test_cases/cases_brute_force_rdp.yaml index 0d2bfb9feb..bf6eaace89 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/test_cases/cases_brute_force_rdp.yaml +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/test_cases/cases_brute_force_rdp.yaml @@ -7,3 +7,7 @@ rule.description: Multiple Windows logon failures. extra: mitre_technique: Brute Force + extra_vars: + rule_id: 60204 + rule_level: 10 + rule_description: Multiple Windows logon failures. diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml index eaa2e16655..9311246dc5 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml @@ -19,7 +19,7 @@ responses: (.*)continue connecting(.*): 'yes' (?i)password: 1 - timeout: 5 + timeout: 15 loop: - test_user - test_user @@ -33,14 +33,23 @@ failed_when: - "'Permission denied' not in result.stdout" - - name: Wait for alert - wait_for: - timeout: 5 - - name: Get alerts file hosts: managers + vars: + ts: tasks: + - name: Search alert in alerts log + include_role: + name: manage_alerts + tasks_from: search_alert.yaml + vars: + ts: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ + custom_regex: "{\"timestamp\":\"{{ ts }}\",\"rule\":{\"level\":{{ rule_level }},\ + \"description\":\"{{ rule_description }}\",\"id\":\"{{ rule_id }}\".*" + attempts: 15 + time_btw_attempts: 2 + - name: Get alert json include_role: name: manage_alerts 
diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/test_cases/cases_brute_force_ssh.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/test_cases/cases_brute_force_ssh.yaml index d58f3ff6dd..73288d7db7 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/test_cases/cases_brute_force_ssh.yaml +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/test_cases/cases_brute_force_ssh.yaml @@ -7,3 +7,7 @@ rule.description: "sshd: brute force trying to get access to the system. Non existent user." extra: mitre_technique: Brute Force + extra_vars: + rule_id: 5712 + rule_level: 10 + rule_description: "sshd: brute force trying to get access to the system. Non existent user." From 4cebf5da1bd817c56098b4774e183b959496bc1c Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Thu, 1 Sep 2022 12:54:31 -0300 Subject: [PATCH 507/552] fix(#3208): fix timestamp variable in Ansible playbook. --- .../data/playbooks/generate_events.yaml | 4 ++-- .../data/playbooks/generate_events.yaml | 6 ++---- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml index 61e176d6bd..58efbc98d7 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml 
@@ -32,8 +32,8 @@ name: manage_alerts tasks_from: search_alert.yaml vars: - ts: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ - custom_regex: "{\"timestamp\":\"{{ ts }}\",\"rule\":{\"level\":{{ rule_level }},\ + timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ + custom_regex: "{\"timestamp\":\"{{ timestamp }}\",\"rule\":{\"level\":{{ rule_level }},\ \"description\":\"{{ rule_description }}\",\"id\":\"{{ rule_id }}\".*" attempts: 15 time_btw_attempts: 2 diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml index 9311246dc5..4906146562 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml @@ -35,8 +35,6 @@ - name: Get alerts file hosts: managers - vars: - ts: tasks: - name: Search alert in alerts log @@ -44,8 +42,8 @@ name: manage_alerts tasks_from: search_alert.yaml vars: - ts: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ - custom_regex: "{\"timestamp\":\"{{ ts }}\",\"rule\":{\"level\":{{ rule_level }},\ + timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ + custom_regex: "{\"timestamp\":\"{{ timestamp }}\",\"rule\":{\"level\":{{ rule_level }},\ \"description\":\"{{ rule_description }}\",\"id\":\"{{ rule_id }}\".*" attempts: 15 time_btw_attempts: 2 From eb541aebed1373daf370d1788529249861cdccb4 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Thu, 1 Sep 2022 13:11:21 -0300 Subject: [PATCH 508/552] refactor(#3112): replace fixed timout by dynamic alert searching. Signed-off-by: Mauro Malara --- .../data/playbooks/generate_events.yaml | 13 ++++++++++--- .../data/test_cases/cases_osquery_integration.yaml | 4 ++++ 2 files changed, 14 insertions(+), 3 deletions(-) 
diff --git a/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/generate_events.yaml index 70ef697960..cc6db33d2b 100644 --- a/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/generate_events.yaml @@ -14,9 +14,16 @@ - name: "{{ event_description }}" shell: "{{ command }}" - - name: Wait for alerts to be generated - wait_for: - timeout: 5 + - name: Search alert in alerts log + include_role: + name: manage_alerts + tasks_from: search_alert.yaml + vars: + timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ + custom_regex: ".+timestamp\":\"{{ timestamp }}\",.+level\":{{ rule_level }},\"description\":\ + \"{{ rule_description }}\",\"id\":\"{{ rule_id }}\".+osquery\":.+\"name\":\"{{ osquery_name }}\"" + attempts: 15 + time_btw_attempts: 2 - name: Get alert json include_role: diff --git a/tests/end_to_end/test_basic_cases/test_osquery_integration/data/test_cases/cases_osquery_integration.yaml b/tests/end_to_end/test_basic_cases/test_osquery_integration/data/test_cases/cases_osquery_integration.yaml index 7c95fe3763..b81ec04b69 100644 --- a/tests/end_to_end/test_basic_cases/test_osquery_integration/data/test_cases/cases_osquery_integration.yaml +++ b/tests/end_to_end/test_basic_cases/test_osquery_integration/data/test_cases/cases_osquery_integration.yaml @@ -8,6 +8,10 @@ extra: data.osquery.name: low_free_memory extra_vars: + rule_id: 24012 + rule_description: "osquery: System memory is under 10%" + rule_level: 4 + osquery_name: low_free_memory event_description: Stress system memory command: > stress --vm-bytes $(awk '/MemAvailable/{printf "%d\n", $2 * 0.98;}' < /proc/meminfo)k --vm-keep -m 1 -t 60 From 589bf01c94605951efec1894f19e2d21a69452ef Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?V=C3=ADctor=20Rebollo=20P=C3=A9rez?= Date: Thu, 1 Sep 2022 16:44:58 +0100 Subject: [PATCH 509/552] fix: adapt validation to new structure --- tests/end_to_end/README.md | 7 ------- tests/end_to_end/conftest.py | 4 ++-- .../ansible_roles/host_checker/tasks/check_connection.yaml | 4 ++-- 3 files changed, 4 insertions(+), 11 deletions(-) diff --git a/tests/end_to_end/README.md b/tests/end_to_end/README.md index 783c78d58f..0bff7efa9f 100644 --- a/tests/end_to_end/README.md +++ b/tests/end_to_end/README.md @@ -30,13 +30,6 @@ manager: ansible_user: ansible_ssh_private_key_file: ansible_python_interpreter: /usr/bin/python3 -<<<<<<< HEAD -======= - dashboard_user: - dashboard_password: - vars: - os_name: linux ->>>>>>> 2872-tests-e2e indexer: hosts: diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index e25bc97741..a1d9433083 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -45,7 +45,7 @@ def validate_inventory(inventory_path, valid_hosts): inventory_path (str): Path to Ansible inventory. valid_hosts (list[str]): List of valid hosts for the selected tests. """ - valid_groups = ['managers', 'agents', 'linux', 'windows', 'all'] + valid_groups = ['manager', 'agent', 'dashboard', 'indexer', 'filebeat', 'linux', 'windows', 'all', 'solaris', 'macos'] inventory_dict = yaml.safe_load(open(inventory_path)) errors = [] default_err_msg = 'Read the README.md file inside the E2E suite to build a valid inventory.' @@ -81,7 +81,7 @@ def validate_inventory(inventory_path, valid_hosts): raise Exception(error_msg) -@pytest.fixture(scope='session', autouse=True) +@pytest.fixture(scope='session') def validate_environments(request): """Fixture with session scope to validate the environments before run the E2E tests. diff --git a/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_connection.yaml b/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_connection.yaml index 3bb0fea348..f95c0b35cc 100644 
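Review bot: Dropping `autouse=True` from `validate_environments` means the session-scoped inventory validation no longer runs unless a test or fixture requests `validate_environments` by name, and no such consumer is visible in this patch; if validation is meant to stay mandatory, keep `autouse=True`, otherwise attach it to the E2E tests with `@pytest.mark.usefixtures("validate_environments")` so it cannot be silently bypassed. A sentence in the fixture docstring recording that it is now opt-in (`"""Validate the environments before the E2E tests run; request this fixture explicitly from tests that need a validated inventory."""`) would document the decision. `validate_inventory`, touched by the earlier hunk, continues outside both hunks.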
--- a/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_connection.yaml +++ b/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_connection.yaml @@ -4,7 +4,7 @@ - name: Try connection (Linux) ping: - when: os == 'linux' + when: os_name == 'linux' register: ping_result ignore_unreachable: true @@ -16,7 +16,7 @@ - name: Try connection (Windows) win_ping: - when: os == 'windows' + when: os_name == 'windows' register: ping_result ignore_unreachable: true From b87920783fa2964e4058e20464acdf308b0598ec Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Thu, 1 Sep 2022 16:40:28 -0300 Subject: [PATCH 510/552] fix(#3209): remove pytest marks warning. --- tests/end_to_end/pytest.ini | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 tests/end_to_end/pytest.ini diff --git a/tests/end_to_end/pytest.ini b/tests/end_to_end/pytest.ini new file mode 100644 index 0000000000..657a32c274 --- /dev/null +++ b/tests/end_to_end/pytest.ini @@ -0,0 +1,10 @@ +[pytest] +addopts = --strict-markers +markers = + tier(level) + darwin + linux + sunos5 + win32 + server + agent From 0c36423570c7d7de53e06e5610bd2f8df77d0aee Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Thu, 1 Sep 2022 16:41:11 -0300 Subject: [PATCH 511/552] refactor(#3209): replace fixed timeout by dynamic search. --- .../test_emotet/data/playbooks/generate_events.yaml | 13 ++++++++++--- .../test_emotet/data/test_cases/cases_emotet.yaml | 6 ++++++ 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/generate_events.yaml index f3ff7aacd6..8ee6d1341a 100644 --- a/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/generate_events.yaml 
@@ -20,9 +20,16 @@ hosts: managers tasks: - - name: Wait for alert - wait_for: - timeout: 10 + - name: Search alert in alerts log + with_items: "{{ lookup('ansible.builtin.dict', alerts) }}" + include_role: + name: manage_alerts + tasks_from: search_alert.yaml + vars: + timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ + custom_regex: "{\"timestamp\":\"{{ timestamp }}\".*\"id\":\"{{ item.value.rule_id }}\".*" + attempts: 15 + time_btw_attempts: 2 - name: Get alert json include_role: diff --git a/tests/end_to_end/test_basic_cases/test_emotet/data/test_cases/cases_emotet.yaml b/tests/end_to_end/test_basic_cases/test_emotet/data/test_cases/cases_emotet.yaml index 3ef00c97ad..a9a8d3548e 100644 --- a/tests/end_to_end/test_basic_cases/test_emotet/data/test_cases/cases_emotet.yaml +++ b/tests/end_to_end/test_basic_cases/test_emotet/data/test_cases/cases_emotet.yaml @@ -14,3 +14,9 @@ rule.description: Word Executing WScript C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wscript.exe extra: groups: emotet + extra_vars: + alerts: + regsvr32: + rule_id: 255561 + word_executing_script: + rule_id: 255926 From f5ae7d4f333f69b0c1f56fe9b0f4b6089e06a986 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Thu, 1 Sep 2022 16:40:28 -0300 Subject: [PATCH 512/552] fix(#3209): remove pytest marks warning. --- tests/end_to_end/pytest.ini | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 tests/end_to_end/pytest.ini diff --git a/tests/end_to_end/pytest.ini b/tests/end_to_end/pytest.ini new file mode 100644 index 0000000000..657a32c274 --- /dev/null +++ b/tests/end_to_end/pytest.ini @@ -0,0 +1,10 @@ +[pytest] +addopts = --strict-markers +markers = + tier(level) + darwin + linux + sunos5 + win32 + server + agent From 5ee3efa32089b356fbd7afb50593b1f5f599f9ad Mon Sep 17 00:00:00 2001 
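Review bot: The `timestamp` pattern added in this hunk uses the character class `[+|-]`, which also matches a literal `|`; the ISO-8601 offset only needs `[+-]`, i.e. `timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+-]\d+`. The same class is repeated in the later generate_events.yaml hunks of this series and in the `timestamp_regex` literals of the Python tests, so it is worth fixing in one pass. On the positive side, `custom_regex` here matches the delimited `\"id\":\"…\"` field rather than a bare `id.+`, which is the tighter form the other playbooks in the series should follow.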
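Review bot: This pytest.ini hunk is byte-identical to the one in PATCH 510 (same `new file mode`, same `index 0000000000..657a32c274`), and PATCH 513 and PATCH 514 repeat it again; applying the series in order would presumably stop at this patch because the file already exists after 510. The three duplicates should be dropped from the series rather than merged. On the content itself, `addopts = --strict-markers` with the listed markers is fine; a short `#` comment naming where `tier(level)` and the platform markers are consumed would help readers of the ini file.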
From: Mauro Malara Date: Thu, 1 Sep 2022 16:40:28 -0300 Subject: [PATCH 513/552] fix(#3209): remove pytest marks warning. --- tests/end_to_end/pytest.ini | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 tests/end_to_end/pytest.ini diff --git a/tests/end_to_end/pytest.ini b/tests/end_to_end/pytest.ini new file mode 100644 index 0000000000..657a32c274 --- /dev/null +++ b/tests/end_to_end/pytest.ini @@ -0,0 +1,10 @@ +[pytest] +addopts = --strict-markers +markers = + tier(level) + darwin + linux + sunos5 + win32 + server + agent From 8720eee6021fb4accd2cd52a3e6f40826ce9de4e Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Thu, 1 Sep 2022 16:40:28 -0300 Subject: [PATCH 514/552] fix(#3209): remove pytest marks warning. --- tests/end_to_end/pytest.ini | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 tests/end_to_end/pytest.ini diff --git a/tests/end_to_end/pytest.ini b/tests/end_to_end/pytest.ini new file mode 100644 index 0000000000..657a32c274 --- /dev/null +++ b/tests/end_to_end/pytest.ini @@ -0,0 +1,10 @@ +[pytest] +addopts = --strict-markers +markers = + tier(level) + darwin + linux + sunos5 + win32 + server + agent From 8a5d9debaf5113978b36079dd7ded668f60bea0f Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Thu, 1 Sep 2022 17:03:17 -0300 Subject: [PATCH 515/552] refactor(#3205): replace fixed timeout by dynamic search. --- .../data/playbooks/generate_events.yaml | 15 +++++++++++---- .../cases_virustotal_integration.yaml | 18 ++++++++++++------ 2 files changed, 23 insertions(+), 10 deletions(-) diff --git a/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/generate_events.yaml index dc804586d0..e728614b89 100644 --- a/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/generate_events.yaml 
+++ b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/generate_events.yaml @@ -6,14 +6,21 @@ become: true shell: "{{ shell }}" - - name: Wait for alert - wait_for: - timeout: 5 - - name: Get alerts file hosts: managers tasks: + - name: Search alert in alerts log + include_role: + name: manage_alerts + tasks_from: search_alert.yaml + vars: + timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ + custom_regex: "{\"timestamp\":\"{{ timestamp }}\",\"rule\":{\"level\":{{ rule_level }},\ + \"description\":\"{{ rule_description }}\",\"id\":\"{{ rule_id }}\".*}" + attempts: 15 + time_btw_attempts: 2 + - name: Get alert json include_role: name: manage_alerts diff --git a/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/test_cases/cases_virustotal_integration.yaml b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/test_cases/cases_virustotal_integration.yaml index aa3a0c58c7..eaa188a601 100644 --- a/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/test_cases/cases_virustotal_integration.yaml +++ b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/test_cases/cases_virustotal_integration.yaml 
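Review bot: `custom_regex` in the new search task interpolates `rule_description` (and `rule_level`, `rule_id`) straight into a regular expression, so any regex metacharacter in a description (`.`, `(`, `[`, `+`) is interpreted rather than matched literally, and the cases file has to write the description in regex form (`\/`) for the search to work. Either escape at the point of use, `\"description\":\"{{ rule_description | regex_escape }}\"`, and store plain text in the cases file, or document in the cases file that `rule_description` is a regex fragment; as written the contract is implicit and a description with parentheses would silently stop matching. The same interpolation appears in the docker, suricata, yara and brute-force playbooks of this series and in the `expected_alert_json` fr-strings of the corresponding Python tests. The play continues past the hunk.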
@@ -2,22 +2,28 @@ description: Detecting and removing malware configuration_parameters: null metadata: + rule.id: 100092 + rule.level: 12 + rule.description: "active-response\/bin\/remove-threat.sh removed threat located at \/root\/eicar.com " extra_vars: event_description: Download malicious file shell: | cd /root curl -LO http://www.eicar.org/download/eicar.com - rule.id: 100092 - rule.level: 12 - rule.description: "active-response\/bin\/remove-threat.sh removed threat located at \/root\/eicar.com " + rule_id: 100092 + rule_level: 12 + rule_description: "active-response\/bin\/remove-threat.sh removed threat located at \/root\/eicar.com " - name: harmless_file description: Scanning a file and check generated alerts configuration_parameters: null metadata: - extra_vars: - event_description: Create harmless file - shell: echo "Just a simple text file" > /root/harmless_file.txt rule.id: 87103 rule.level: 3 rule.description: "VirusTotal: Alert - No records in VirusTotal database" + extra_vars: + event_description: Create harmless file + shell: echo "Just a simple text file" > /root/harmless_file.txt + rule_id: 87103 + rule_level: 3 + rule_description: "VirusTotal: Alert - No records in VirusTotal database" From 7a61fe2dfe46454404d553e02c6b711a0cee313e Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Thu, 1 Sep 2022 17:16:26 -0300 Subject: [PATCH 516/552] refactor(#3205): change the cases file to avoid duplication. --- .../data/playbooks/generate_events.yaml | 2 +- .../data/test_cases/cases_virustotal_integration.yaml | 6 ------ .../test_virustotal_integration.py | 6 +++--- 3 files changed, 4 insertions(+), 10 deletions(-) diff --git a/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/generate_events.yaml index e728614b89..9617f69691 100644 --- a/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/generate_events.yaml 
+++ b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/generate_events.yaml @@ -17,7 +17,7 @@ vars: timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ custom_regex: "{\"timestamp\":\"{{ timestamp }}\",\"rule\":{\"level\":{{ rule_level }},\ - \"description\":\"{{ rule_description }}\",\"id\":\"{{ rule_id }}\".*}" + \"description\":\"{{ rule_description }}\",\"id\":\"{{ rule_id }}\".*}" attempts: 15 time_btw_attempts: 2 diff --git a/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/test_cases/cases_virustotal_integration.yaml b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/test_cases/cases_virustotal_integration.yaml index eaa188a601..31e230c00d 100644 --- a/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/test_cases/cases_virustotal_integration.yaml +++ b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/test_cases/cases_virustotal_integration.yaml @@ -2,9 +2,6 @@ description: Detecting and removing malware configuration_parameters: null metadata: - rule.id: 100092 - rule.level: 12 - rule.description: "active-response\/bin\/remove-threat.sh removed threat located at \/root\/eicar.com " extra_vars: event_description: Download malicious file shell: | @@ -18,9 +15,6 @@ description: Scanning a file and check generated alerts configuration_parameters: null metadata: - rule.id: 87103 - rule.level: 3 - rule.description: "VirusTotal: Alert - No records in VirusTotal database" extra_vars: event_description: Create harmless file shell: echo "Just a simple text file" > /root/harmless_file.txt diff --git a/tests/end_to_end/test_basic_cases/test_virustotal_integration/test_virustotal_integration.py b/tests/end_to_end/test_basic_cases/test_virustotal_integration/test_virustotal_integration.py index 345a68c8d0..970d10c1b0 100644 --- a/tests/end_to_end/test_basic_cases/test_virustotal_integration/test_virustotal_integration.py 
+++ b/tests/end_to_end/test_basic_cases/test_virustotal_integration/test_virustotal_integration.py @@ -112,9 +112,9 @@ def test_virustotal_integration(configure_environment, metadata, get_dashboard_c - The `configuration.yaml` file provides the module configuration for this test. - The `generate_events.yaml`file provides the function configuration for this test. ''' - rule_id = metadata['rule.id'] - rule_level = metadata['rule.level'] - rule_description = metadata['rule.description'] + rule_id = metadata['extra_vars']['rule_id'] + rule_level = metadata['extra_vars']['rule_level'] + rule_description = metadata['extra_vars']['rule_description'] timestamp_regex = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+' expected_alert_json = fr'\{{"timestamp":"({timestamp_regex})","rule"\:{{"level"\:{rule_level},' \ From e8aa3a16371b3c42fe3a97cd02b217a1ed095b5c Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Thu, 1 Sep 2022 17:34:25 -0300 Subject: [PATCH 517/552] refactor(#3210): replace fixed timeout by dynamic search. --- .../data/playbooks/generate_events.yaml | 13 +++++++--- .../test_cases/cases_docker_monitoring.yaml | 24 +++++++++---------- .../test_docker_monitoring.py | 6 ++--- 3 files changed, 25 insertions(+), 18 deletions(-) diff --git a/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml index 3001accfa1..ca7b66ab1d 100644 --- a/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml 
@@ -11,9 +11,16 @@ - name: "{{ event_description }}" shell: "{{ command }}" - - name: Wait for alerts to be generated - wait_for: - timeout: 20 + - name: Search alert in alerts log + include_role: + name: manage_alerts + tasks_from: search_alert.yaml + vars: + timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ + custom_regex: ".+timestamp\":\"{{ timestamp }}\",.+level.+{{ rule_level }}.+description.+\ + {{ rule_description }}.+id.+{{ rule_id }}.+" + attempts: 15 + time_btw_attempts: 2 - name: Get alert json include_role: diff --git a/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/test_cases/cases_docker_monitoring.yaml b/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/test_cases/cases_docker_monitoring.yaml index ca573ecc1b..a70be5f593 100644 --- a/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/test_cases/cases_docker_monitoring.yaml +++ b/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/test_cases/cases_docker_monitoring.yaml 
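Review bot: The `custom_regex` added here joins the fields with `.+` instead of matching the JSON keys, so `level.+{{ rule_level }}` with `rule_level: 3` also accepts a level 13 or 30 alert and `id.+{{ rule_id }}` accepts any id that merely contains those digits; the search can then succeed on a neighbouring rule and, presumably, only the later Python assertion stands between that and a false pass. The virustotal playbook in PATCH 515 already uses the delimited form, `\"rule\":{\"level\":{{ rule_level }},\"description\":\"{{ rule_description }}\",\"id\":\"{{ rule_id }}\"`, and it fits here unchanged. The suricata (`timestamp.+…level.+`) and yara (`id.+{{ rule_id }}`) hunks later in this series have the same looseness, and the follow-up in PATCH 518 only tightens the `timestamp` prefix.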
@@ -2,51 +2,51 @@ description: Test if an alert is generated when using the `pull` command. configuration_parameters: null metadata: - rule.id: 87932 - rule.description: 'Docker: Image or repository nginx pulled' - rule.level: 3 extra: data.docker.Action: pull extra_vars: event_description: Run 'docker pull nginx' command: docker pull nginx + rule_id: 87932 + rule_description: 'Docker: Image or repository nginx pulled' + rule_level: 3 - name: docker_run description: Test if an alert is generated when using the `run` command. configuration_parameters: null metadata: - rule.id: 87903 - rule.description: 'Docker: Container nginx_container started' - rule.level: 3 extra: data.docker.Action: start extra_vars: event_description: Run 'docker run -d -P --name nginx_container nginx' command: docker run -d -P --name nginx_container nginx + rule_id: 87903 + rule_description: 'Docker: Container nginx_container started' + rule_level: 3 - name: docker_exec description: Test if an alert is generated when using the `exec` command. configuration_parameters: null metadata: - rule.id: 87908 - rule.description: 'Docker: Started shell session in container nginx_container' - rule.level: 5 extra: data.docker.Action: 'exec_start: /bin/bash ' extra_vars: event_description: Run 'docker exec -d nginx_container /bin/bash' command: docker exec -d nginx_container /bin/bash + rule_id: 87908 + rule_description: 'Docker: Started shell session in container nginx_container' + rule_level: 5 - name: docker_rm # Two commands are executed, but only the `destroy` action is tested. description: Test if an alert is generated when using the `rm` command. 
configuration_parameters: null metadata: - rule.id: 87902 - rule.description: 'Docker: Container nginx_container destroyed' - rule.level: 5 extra: data.docker.Action: destroy extra_vars: event_description: Run 'docker stop `docker ps -a -q` && docker rm `docker ps -a -q`' command: docker stop `docker ps -a -q` && docker rm `docker ps -a -q` + rule_id: 87902 + rule_description: 'Docker: Container nginx_container destroyed' + rule_level: 5 diff --git a/tests/end_to_end/test_basic_cases/test_docker_monitoring/test_docker_monitoring.py b/tests/end_to_end/test_basic_cases/test_docker_monitoring/test_docker_monitoring.py index b3f8ca4029..3e519559a4 100644 --- a/tests/end_to_end/test_basic_cases/test_docker_monitoring/test_docker_monitoring.py +++ b/tests/end_to_end/test_basic_cases/test_docker_monitoring/test_docker_monitoring.py @@ -107,9 +107,9 @@ def test_docker_monitoring(configure_environment, metadata, get_dashboard_creden - The `configuration.yaml` file provides the module configuration for this test. - The `generate_events.yaml`file provides the function configuration for this test. ''' - rule_description = metadata['rule.description'] - rule_id = metadata['rule.id'] - rule_level = metadata['rule.level'] + rule_description = metadata['extra_vars']['rule_description'] + rule_id = metadata['extra_vars']['rule_id'] + rule_level = metadata['extra_vars']['rule_level'] docker_action = metadata['extra']['data.docker.Action'] timestamp_regex = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[\+|-]\d+' From 94b0db6190c41e1e90b9409fb8f8c06903b69c90 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Thu, 1 Sep 2022 18:01:10 -0300 Subject: [PATCH 518/552] style(#3210): apply linter corrections. --- .../test_docker_monitoring/data/playbooks/generate_events.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml index ca7b66ab1d..c68bc4def6 100644 --- a/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml @@ -17,7 +17,7 @@ tasks_from: search_alert.yaml vars: timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ - custom_regex: ".+timestamp\":\"{{ timestamp }}\",.+level.+{{ rule_level }}.+description.+\ + custom_regex: "{\"timestamp\":\"{{ timestamp }}\",.+level.+{{ rule_level }}.+description.+\ {{ rule_description }}.+id.+{{ rule_id }}.+" attempts: 15 time_btw_attempts: 2 From 10e21ba7d3a4eb296060658b0af6632097d65857 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Thu, 1 Sep 2022 18:35:58 -0300 Subject: [PATCH 519/552] refactor(#3213): replace fixed timeout by dynamic search. fix linter corrections. change test cases files to avoid repeating code. --- .../data/playbooks/generate_events.yaml | 2 +- .../data/test_cases/cases_brute_force_rdp.yaml | 3 --- .../test_brute_force_rdp/test_brute_force_rdp.py | 6 +++--- .../data/playbooks/generate_events.yaml | 2 +- .../data/test_cases/cases_brute_force_ssh.yaml | 3 --- .../test_brute_force_ssh/test_brute_force_ssh.py | 6 +++--- .../data/playbooks/generate_events.yaml | 4 ++-- .../data/test_cases/cases_osquery_integration.yaml | 3 --- .../test_osquery_integration.py | 6 +++--- .../data/playbooks/generate_events.yaml | 13 ++++++++++--- .../data/test_cases/cases_suricata_integration.yaml | 7 ++++--- .../test_suricata_integration.py | 6 +++--- .../data/playbooks/generate_events.yaml | 13 ++++++++++--- .../data/test_cases/cases_yara_integration.yaml | 7 ++++--- .../test_yara_integration/test_yara_integration.py | 6 +++--- 15 files changed, 47 insertions(+), 40 deletions(-) 
diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml index 58efbc98d7..279c69217e 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml @@ -34,7 +34,7 @@ vars: timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ custom_regex: "{\"timestamp\":\"{{ timestamp }}\",\"rule\":{\"level\":{{ rule_level }},\ - \"description\":\"{{ rule_description }}\",\"id\":\"{{ rule_id }}\".*" + \"description\":\"{{ rule_description }}\",\"id\":\"{{ rule_id }}\".*" attempts: 15 time_btw_attempts: 2 diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/test_cases/cases_brute_force_rdp.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/test_cases/cases_brute_force_rdp.yaml index bf6eaace89..b6fbbdc2a7 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/test_cases/cases_brute_force_rdp.yaml +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/test_cases/cases_brute_force_rdp.yaml @@ -2,9 +2,6 @@ description: Check if the alert is generated when executing a brute force attack via RDP. configuration_parameters: null metadata: - rule.id: 60204 - rule.level: 10 - rule.description: Multiple Windows logon failures. extra: mitre_technique: Brute Force extra_vars: diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py index f95ad18455..85820fbbb0 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py 
+++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py @@ -108,9 +108,9 @@ def test_brute_force_rdp(configure_environment, metadata, get_dashboard_credenti - The `configuration.yaml` file provides the module configuration for this test. - The `generate_events.yaml`file provides the function configuration for this test. ''' - rule_id = metadata['rule.id'] - rule_level = metadata['rule.level'] - rule_description = metadata['rule.description'] + rule_id = metadata['extra_vars']['rule_id'] + rule_level = metadata['extra_vars']['rule_level'] + rule_description = metadata['extra_vars']['rule_description'] rule_mitre_technique = metadata['extra']['mitre_technique'] timestamp_regex = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+' diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml index 4906146562..ebde216c0a 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml @@ -44,7 +44,7 @@ vars: timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ custom_regex: "{\"timestamp\":\"{{ timestamp }}\",\"rule\":{\"level\":{{ rule_level }},\ - \"description\":\"{{ rule_description }}\",\"id\":\"{{ rule_id }}\".*" + \"description\":\"{{ rule_description }}\",\"id\":\"{{ rule_id }}\".*" attempts: 15 time_btw_attempts: 2 diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/test_cases/cases_brute_force_ssh.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/test_cases/cases_brute_force_ssh.yaml index 73288d7db7..0ac2f3d6af 100644 
--- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/test_cases/cases_brute_force_ssh.yaml +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/test_cases/cases_brute_force_ssh.yaml @@ -2,9 +2,6 @@ description: Execute brute force attacks using SSH and check generated alerts configuration_parameters: null metadata: - rule.id: 5712 - rule.level: 10 - rule.description: "sshd: brute force trying to get access to the system. Non existent user." extra: mitre_technique: Brute Force extra_vars: diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py index d29a0b951b..10d4a06e71 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py @@ -100,9 +100,9 @@ def test_brute_force_ssh(metadata, get_dashboard_credentials, get_manager_ip, ge input_description: - The `generate_events.yaml`file provides the function configuration for this test. ''' - rule_id = metadata['rule.id'] - rule_level = metadata['rule.level'] - rule_description = metadata['rule.description'] + rule_id = metadata['extra_vars']['rule_id'] + rule_level = metadata['extra_vars']['rule_level'] + rule_description = metadata['extra_vars']['rule_description'] rule_mitre_technique = metadata['extra']['mitre_technique'] timestamp_regex = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+' diff --git a/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/generate_events.yaml index cc6db33d2b..749634f1ef 100644 --- a/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/generate_events.yaml 
+++ b/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/generate_events.yaml @@ -20,8 +20,8 @@ tasks_from: search_alert.yaml vars: timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ - custom_regex: ".+timestamp\":\"{{ timestamp }}\",.+level\":{{ rule_level }},\"description\":\ - \"{{ rule_description }}\",\"id\":\"{{ rule_id }}\".+osquery\":.+\"name\":\"{{ osquery_name }}\"" + custom_regex: "{\"timestamp\":\"{{ timestamp }}\",.+level\":{{ rule_level }},\"description\":\ + \"{{ rule_description }}\",\"id\":\"{{ rule_id }}\".+osquery\":.+\"name\":\"{{ osquery_name }}\"" attempts: 15 time_btw_attempts: 2 diff --git a/tests/end_to_end/test_basic_cases/test_osquery_integration/data/test_cases/cases_osquery_integration.yaml b/tests/end_to_end/test_basic_cases/test_osquery_integration/data/test_cases/cases_osquery_integration.yaml index b81ec04b69..72be8de947 100644 --- a/tests/end_to_end/test_basic_cases/test_osquery_integration/data/test_cases/cases_osquery_integration.yaml +++ b/tests/end_to_end/test_basic_cases/test_osquery_integration/data/test_cases/cases_osquery_integration.yaml @@ -2,9 +2,6 @@ description: Test if an osquery alert is generated when the host is stressed configuration_parameters: null metadata: - rule.id: "24012" - rule.description: "osquery: System memory is under 10%" - rule.level: 4 extra: data.osquery.name: low_free_memory extra_vars: diff --git a/tests/end_to_end/test_basic_cases/test_osquery_integration/test_osquery_integration.py b/tests/end_to_end/test_basic_cases/test_osquery_integration/test_osquery_integration.py index 415019e411..d9c1dff9fd 100644 --- a/tests/end_to_end/test_basic_cases/test_osquery_integration/test_osquery_integration.py +++ b/tests/end_to_end/test_basic_cases/test_osquery_integration/test_osquery_integration.py 
@@ -106,9 +106,9 @@ def test_osquery_integration(configure_environment, metadata, get_dashboard_cred - The `configuration.yaml` file provides the module configuration for this test. - The `generate_events.yaml`file provides the function configuration for this test. ''' - rule_level = metadata['rule.level'] - rule_description = metadata['rule.description'] - rule_id = metadata['rule.id'] + rule_level = metadata['extra_vars']['rule_level'] + rule_description = metadata['extra_vars']['rule_description'] + rule_id = metadata['extra_vars']['rule_id'] osquery_name = metadata['extra']['data.osquery.name'] timestamp_regex = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+' diff --git a/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml index 9da4d828ce..dd306e7602 100644 --- a/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml @@ -22,9 +22,16 @@ vars: tasks: - - name: Wait for alerts to be generated - wait_for: - timeout: 10 + - name: Search alert in alerts log + include_role: + name: manage_alerts + tasks_from: search_alert.yaml + vars: + timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ + custom_regex: "{\"timestamp.+{{ timestamp }}.+level.+{{ rule_level }}.+description.+\ + {{ rule_description }}.+id.+{{ rule_id }}.+" + attempts: 15 + time_btw_attempts: 2 - name: Get alert json include_role: diff --git a/tests/end_to_end/test_basic_cases/test_suricata_integration/data/test_cases/cases_suricata_integration.yaml b/tests/end_to_end/test_basic_cases/test_suricata_integration/data/test_cases/cases_suricata_integration.yaml index f2116417bf..9db64695dd 100644 --- a/tests/end_to_end/test_basic_cases/test_suricata_integration/data/test_cases/cases_suricata_integration.yaml 
+++ b/tests/end_to_end/test_basic_cases/test_suricata_integration/data/test_cases/cases_suricata_integration.yaml @@ -4,8 +4,9 @@ known to trip NIDS rules. configuration_parameters: null metadata: - rule.id: 86601 - rule.level: 3 - rule.description: "Suricata: Alert - GPL ATTACK_RESPONSE id check returned root" + extra_vars: + rule_id: 86601 + rule_level: 3 + rule_description: "Suricata: Alert - GPL ATTACK_RESPONSE id check returned root" extra: data.hostname: testmynids.org diff --git a/tests/end_to_end/test_basic_cases/test_suricata_integration/test_suricata_integration.py b/tests/end_to_end/test_basic_cases/test_suricata_integration/test_suricata_integration.py index 1a4e37bf5e..37ec0c0698 100644 --- a/tests/end_to_end/test_basic_cases/test_suricata_integration/test_suricata_integration.py +++ b/tests/end_to_end/test_basic_cases/test_suricata_integration/test_suricata_integration.py @@ -108,9 +108,9 @@ def test_suricata_integration(configure_environment, metadata, get_dashboard_cre - The `configuration.yaml` file provides the module configuration for this test. - The `generate_events.yaml`file provides the function configuration for this test. ''' - rule_level = metadata['rule.level'] - rule_description = metadata['rule.description'] - rule_id = metadata['rule.id'] + rule_level = metadata['extra_vars']['rule_level'] + rule_description = metadata['extra_vars']['rule_description'] + rule_id = metadata['extra_vars']['rule_id'] data_hostname = metadata['extra']['data.hostname'] timestamp_regex = r'\d{4}-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+' diff --git a/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/generate_events.yaml index 353cf69b3b..341b97e325 100644 --- a/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/generate_events.yaml 
@@ -15,9 +15,16 @@ - name: Download malware shell: curl -s -XGET {{ url }} -o "/tmp/yara/malware/mirai" - - name: Wait for alerts to be generated - wait_for: - timeout: 15 + - name: Search alert in alerts log + include_role: + name: manage_alerts + tasks_from: search_alert.yaml + vars: + timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ + custom_regex: "{\"timestamp\":\"{{timestamp}}\",.+level\":{{ rule_level }}.+description\"\ + :\"{{ rule_description }}.+id.+{{ rule_id }}" + attempts: 15 + time_btw_attempts: 2 - name: Get alert json include_role: diff --git a/tests/end_to_end/test_basic_cases/test_yara_integration/data/test_cases/cases_yara_integration.yaml b/tests/end_to_end/test_basic_cases/test_yara_integration/data/test_cases/cases_yara_integration.yaml index b65f9bf17e..f3fba106f4 100644 --- a/tests/end_to_end/test_basic_cases/test_yara_integration/data/test_cases/cases_yara_integration.yaml +++ b/tests/end_to_end/test_basic_cases/test_yara_integration/data/test_cases/cases_yara_integration.yaml @@ -4,8 +4,9 @@ metadata: extra_vars: url: https://wazuh-demo.s3-us-west-1.amazonaws.com/mirai - rule.id: 108001 - rule.level: 12 - rule.description: 'File \\"/tmp/yara/malware/mirai\\" is a positive match. Yara rule: Mirai_Botnet_Malware_RID2EF6' + rule_id: 108001 + rule_level: 12 + rule_description: 'File \\"/tmp/yara/malware/mirai\\" is a positive match. + Yara rule: Mirai_Botnet_Malware_RID2EF6' extra: data.yara_rule: Mirai_Botnet_Malware_RID2EF6 diff --git a/tests/end_to_end/test_basic_cases/test_yara_integration/test_yara_integration.py b/tests/end_to_end/test_basic_cases/test_yara_integration/test_yara_integration.py index bb2a873d1b..5022f088d6 100644 --- a/tests/end_to_end/test_basic_cases/test_yara_integration/test_yara_integration.py +++ b/tests/end_to_end/test_basic_cases/test_yara_integration/test_yara_integration.py 
@@ -114,9 +114,9 @@ def test_yara_integration(configure_environment, metadata, get_dashboard_credent - The `configuration.yaml` file provides the module configuration for this test. - The `generate_events.yaml`file provides the function configuration for this test. ''' - rule_description = metadata['rule.description'] - rule_id = metadata['rule.id'] - rule_level = metadata['rule.level'] + rule_description = metadata['extra_vars']['rule_description'] + rule_id = metadata['extra_vars']['rule_id'] + rule_level = metadata['extra_vars']['rule_level'] data_yara_rule = metadata['extra']['data.yara_rule'] timestamp_regex = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[\+|-]\d+' From d93f642f8413342f935f47d1432848167bdc1223 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Thu, 1 Sep 2022 19:11:20 -0300 Subject: [PATCH 520/552] style(#3213): apply linter corrections. --- .../test_yara_integration/data/playbooks/generate_events.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/generate_events.yaml index 341b97e325..c2c6d99c6f 100644 --- a/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/generate_events.yaml @@ -21,7 +21,7 @@ tasks_from: search_alert.yaml vars: timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ - custom_regex: "{\"timestamp\":\"{{timestamp}}\",.+level\":{{ rule_level }}.+description\"\ + custom_regex: "{\"timestamp\":\"{{ timestamp }}\",.+level\":{{ rule_level }}.+description\"\ :\"{{ rule_description }}.+id.+{{ rule_id }}" attempts: 15 time_btw_attempts: 2 From e0babe3d73334409ace2cbeb82bc1149cf1e5b74 Mon Sep 17 00:00:00 2001 
From: Mauro Malara Date: Fri, 2 Sep 2022 11:29:37 -0300 Subject: [PATCH 521/552] refactor(#3237): change inventory validation. now the validation checks only if the required hosts are present in the inventory. groups are not checked anymore. --- tests/end_to_end/conftest.py | 42 +++++++++++++++--------------------- 1 file changed, 17 insertions(+), 25 deletions(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 7f9bde64c1..96f08293f4 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -34,7 +34,7 @@ def get_target_hosts_and_distros(test_suite_name, target_distros={'manager': [], return target_hosts, target_distros -def validate_inventory(inventory_path, valid_hosts): +def validate_inventory(inventory_path, target_hosts): """Check if the Ansible inventory follows our standard defined in the README.md file, inside the E2E suite. This function checks: 
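Review bot: The docstring's `This function checks:` list continues outside the hunk and is not touched by the commit, while the commit message says group validation has been removed; the list most likely still describes the group- and subgroup-name checks and should be reduced to the host-presence check that the body now performs. Suggested single item: `- Every host in target_hosts is declared in the inventory (directly in a group or in one of its children).`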
@@ -43,42 +43,34 @@ def validate_inventory(inventory_path, valid_hosts): Args: inventory_path (str): Path to Ansible inventory. - valid_hosts (list[str]): List of valid hosts for the selected tests. + target_hosts (list[str]): List of valid hosts for the selected tests. """ - valid_groups = ['managers', 'agents', 'linux', 'windows', 'all'] inventory_dict = yaml.safe_load(open(inventory_path)) - errors = [] - default_err_msg = 'Read the README.md file inside the E2E suite to build a valid inventory.' + inventory_hosts = [] + missing_hosts = [] for group in inventory_dict: - # Check if the current group is valid - if group not in valid_groups: - errors.append(f"'{group}' isn't a valid group for E2E tests.") - # Check if the hosts of the group have valid names + # Collect hosts from inventory if 'hosts' in inventory_dict[group]: - for hostname in inventory_dict[group]['hosts']: - if hostname not in valid_hosts: - errors.append(f"The hostname '{hostname}' doesn't follow our standard: - or" - " isn't a necessary host for the execution of the selected tests.") - # Check if the subgroups are valid (if any) + inventory_hosts.extend([hostname for hostname in inventory_dict[group]['hosts']]) try: + # Collect hosts from inventory subgroups (if any) subgroups = inventory_dict[group]['children'] for subgroup in subgroups: - if subgroup not in valid_groups: - errors.append(f"'{subgroup}' is not a valid subgroup for E2E tests.") - # Check if the hosts of the subgroup have valid names - for hostname in subgroups[subgroup]['hosts']: - if hostname not in valid_hosts: - errors.append(f"The hostname '{hostname}' doesn't follow our standard: -" - " or isn't a necessary host for the execution of the selected tests.") + inventory_hosts.extend([hostname for hostname in subgroups[subgroup]['hosts']]) except KeyError: # Do not throw an exception if the group has no subgroups within it pass - if errors != []: - errors.append(default_err_msg) - error_msg = '\n'.join(errors) - raise 
Exception(error_msg) + for host in target_hosts: + if host not in inventory_hosts: + missing_hosts.extend([host]) + if missing_hosts != []: + raise Exception(f"Not all the hosts required to run the tests are present in the inventory.\n" + f"Hosts in the inventory: {inventory_hosts}\n" + f"Expected hosts: {target_hosts}\n" + f"Missing hosts: {missing_hosts}\n" + "Read the README.md file inside the E2E suite to build a valid inventory.") @pytest.fixture(scope='session', autouse=True) From 2dfcd4e261e7c0d63a6ddd33fd8ec061207e64a0 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Fri, 2 Sep 2022 12:48:30 -0300 Subject: [PATCH 522/552] style(#3237): add readme.md file link. --- tests/end_to_end/conftest.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 96f08293f4..4ba3f63020 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -66,11 +66,12 @@ def validate_inventory(inventory_path, target_hosts): if host not in inventory_hosts: missing_hosts.extend([host]) if missing_hosts != []: + readme_file = '[README.md](https://github.com/wazuh/wazuh-qa/blob/master/tests/end_to_end/README.md)' raise Exception(f"Not all the hosts required to run the tests are present in the inventory.\n" f"Hosts in the inventory: {inventory_hosts}\n" f"Expected hosts: {target_hosts}\n" f"Missing hosts: {missing_hosts}\n" - "Read the README.md file inside the E2E suite to build a valid inventory.") + f"Read the {readme_file} file inside the E2E suite to build a valid inventory.") @pytest.fixture(scope='session', autouse=True) From d28fdf7bf43998183cc9d9a0b521b2235e871fa1 Mon Sep 17 00:00:00 2001 
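Review bot: The `try`/`except KeyError` kept around the subgroup loop now swallows more than a missing `children` key: if one subgroup has no `hosts` entry, `subgroups[subgroup]['hosts']` raises KeyError and the remaining subgroups of that group are silently skipped, so a required host can be reported missing although it is declared in the inventory. Replace the `try` with defaulting lookups, e.g. `for subgroup in inventory_dict[group].get('children', {}).values():` with `inventory_hosts.extend(subgroup.get('hosts') or [])`, and likewise `inventory_hosts.extend(inventory_dict[group].get('hosts') or [])` for the group itself (the `or []` also covers a `hosts:` key with a null value). The list comprehensions passed to `extend` copy the keys for nothing and `missing_hosts.extend([host])` is `missing_hosts.append(host)`; the whole check reduces to `missing_hosts = [host for host in target_hosts if host not in inventory_hosts]`. On the unchanged context line, `yaml.safe_load(open(inventory_path))` leaves the file handle to the garbage collector; `with open(inventory_path) as inventory_file:` closes it deterministically.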
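Review bot: The `readme_file` string embeds a Markdown link `[README.md](https://github.com/wazuh/wazuh-qa/blob/master/tests/end_to_end/README.md)` into an exception message that is printed to a terminal or pytest log, where Markdown is not rendered, so the reader sees the brackets and parentheses literally. Either keep the bare URL, `readme_file = 'https://github.com/wazuh/wazuh-qa/blob/master/tests/end_to_end/README.md'`, or keep the previous wording and append the URL as its own sentence. The URL also pins `master`, so the linked instructions can drift from the checked-out revision; a comment noting this is acceptable if that is intended.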
From: Mauro Malara Date: Mon, 5 Sep 2022 15:50:37 +0000 Subject: [PATCH 523/552] fix(#2872): solve Filebeat delay while sending data. --- .../data/playbooks/configuration.yaml | 19 +++++++++++++++ .../data/playbooks/generate_events.yaml | 23 +++++++++++++++++++ .../data/playbooks/teardown.yaml | 12 ++++++++++ 3 files changed, 54 insertions(+) diff --git a/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/configuration.yaml index 06aeb71ce8..7a4380a8c1 100644 --- a/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/configuration.yaml @@ -48,3 +48,22 @@ systemctl stop docker systemctl stop docker.socket systemctl start docker + + - name: Remove info mode in Filebeat + lineinfile: + path: /etc/filebeat/filebeat.yml + state: absent + regexp: 'logging.level: info' + + - name: Configure debug mode in Filebeat + blockinfile: + insertbefore: 'logging.to_files: true' + block: | + logging.level: debug + logging.selectors: ["processors"] + path: /etc/filebeat/filebeat.yml + + - name: Restart Filebeat to apply configurations + systemd: + state: restarted + name: filebeat diff --git a/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml index c68bc4def6..84e351dfcd 100644 --- a/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml 
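Review bot: Nothing in this patch truncates or removes `/var/log/filebeat/filebeat` once the new `Configure debug mode in Filebeat` task has switched Filebeat to `logging.level: debug` with the `processors` selector, and the generate_events hunk of the same patch relies on alert fields being visible in that log; so event payloads are written to the Filebeat log for the duration of the test and the teardown only restores the level, leaving the captured data on disk on the manager. Add a truncate or `file: path: /var/log/filebeat/filebeat state: absent` step to the teardown after Filebeat is restarted, which would also stop stale lines from satisfying later searches. A short comment above the block would save the next reader a lookup: `# Debug logging with the processors selector makes Filebeat log each shipped event; generate_events.yaml greps this log to confirm delivery to the indexer.`. The `lineinfile` removal matches only `logging.level: info`, so a pre-existing `logging.level` with any other value stays in the file next to the inserted debug block.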
@@ -11,6 +11,14 @@ - name: "{{ event_description }}" shell: "{{ command }}" + - name: Wait asynchronously for Filebeat to send data to Wazuh Indexer + wait_for: + path: /var/log/filebeat/filebeat + search_regex: "{{ rule_id }}" + async: 30 + poll: 0 + register: async_waiter + - name: Search alert in alerts log include_role: name: manage_alerts @@ -22,6 +30,21 @@ attempts: 15 time_btw_attempts: 2 + - name: Check if Filebeat has sent the alert data to Wazuh Indexer + async_status: + jid: "{{ async_waiter.ansible_job_id }}" + register: wait_result + until: wait_result.finished + retries: 15 + delay: 2 + # Ignore error to display a custom failure message after the current task + ignore_errors: true + + - name: Fail when the alert data does not appear in Filebeat log + fail: + msg: "{{ rule_id }} was not found in '/var/log/filebeat/filebeat' after 30s" + when: wait_result.failed + - name: Get alert json include_role: name: manage_alerts diff --git a/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/teardown.yaml index 7cfeead5c6..3f6b584b48 100644 --- a/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/teardown.yaml @@ -9,6 +9,18 @@ block: '' marker: + - name: Restore Filebeat configuration + blockinfile: + insertbefore: 'logging.to_files: true' + block: 'logging.level: info' + path: /etc/filebeat/filebeat.yml + marker: '# {mark} ANSIBLE MANAGED BLOCK' + + - name: Restart Filebeat to apply configurations + systemd: + state: restarted + name: filebeat + - name: Restart wazuh-manager include_role: name: manage_wazuh From e42fd75ad1cf1a652e7d39ff954e20d4871b4e6b Mon Sep 17 00:00:00 2001 
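Review bot: `search_regex: "{{ rule_id }}"` in the new asynchronous `wait_for` is an unanchored numeric pattern, so the rule id also matches inside timestamps, offsets or other ids in `/var/log/filebeat/filebeat`, and because only `alert.json` is truncated while the Filebeat log is not, a line left from a previous run satisfies the wait immediately. Tighten the pattern to the field the log actually prints — if the event JSON is logged verbatim, `search_regex: '"id":"{{ rule_id }}"'` — and truncate the log (or record its size) before generating the event; the same applies to the `search_regex: "{{ rule_description }}"` variant in the fim_windows generate_events hunk of the next patch. The `# Ignore error to display a custom failure message after the current task` comment is helpful; the following `when: wait_result.failed` could be written `when: wait_result is failed` to use Ansible's result tests consistently.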
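Review bot: `Restore Filebeat configuration` replaces the managed block with `logging.level: info` but keeps the `# BEGIN/END ANSIBLE MANAGED BLOCK` markers, so after teardown `filebeat.yml` differs from its pre-test shape (the original line was deleted by `lineinfile` in configuration.yaml; the restored one lives inside markers). The exact inverse of the setup is `blockinfile: state: absent` with the same marker, followed by `lineinfile: line: 'logging.level: info'` with `insertbefore: 'logging.to_files: true'`, which returns the file to its original layout and keeps repeated runs idempotent.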
From: Mauro Malara Date: Tue, 6 Sep 2022 05:14:20 +0000 Subject: [PATCH 524/552] fix(#2872): fix fim e2e test and suricata e2e test. --- .../data/playbooks/configuration.yaml | 17 +++++++ .../data/playbooks/generate_events.yaml | 45 ++++++++++++++----- .../data/test_cases/cases_fim_windows.yaml | 18 ++++---- .../test_fim_windows/test_fim_windows.py | 6 +-- .../data/playbooks/configuration.yaml | 26 +++++++---- .../data/playbooks/start_suricata.yaml | 32 +++++++++++++ .../data/playbooks/teardown.yaml | 5 +++ 7 files changed, 119 insertions(+), 30 deletions(-) create mode 100644 tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/start_suricata.yaml diff --git a/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/configuration.yaml index 0dfaa48fd6..d7e699c851 100644 --- a/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/configuration.yaml @@ -37,3 +37,20 @@ win_wait_for: path: C:\Program Files (x86)\ossec-agent\ossec.log search_regex: File integrity monitoring real-time Whodata engine started. + + - name: Configure debug mode in Filebeat + become: true + blockinfile: + insertbefore: 'logging.to_files: true' + block: | + logging.level: debug + logging.selectors: ["processors"] + path: /etc/filebeat/filebeat.yml + delegate_to: centos-manager + + - name: Restart Filebeat to apply configurations + become: true + systemd: + state: restarted + name: filebeat + delegate_to: centos-manager diff --git a/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/generate_events.yaml index 1ca4af8942..e15b480324 100644 
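Review bot: No teardown undoes the Filebeat debug configuration that the two appended tasks apply on `centos-manager` — this patch's diffstat lists no fim_windows teardown playbook — so the shared manager is left logging at `debug` with the `processors` selector after the test, whereas the docker_monitoring change in the previous patch restores it in its teardown. Add the inverse tasks (restore `logging.level: info`, restart Filebeat) to the fim_windows teardown with the same `delegate_to: centos-manager` and `become: true`. A comment above the block, `# Needed so generate_events.yaml can confirm delivery in /var/log/filebeat/filebeat; reverted in teardown.yaml`, would tie the two playbooks together for the reader.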
--- a/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/generate_events.yaml @@ -7,22 +7,47 @@ name: manage_alerts tasks_from: truncate_alert_json.yaml -- name: Generate events - hosts: windows-agent - tasks: - - name: "{{ event_description }}" win_file: path: "{{ path }}" state: "{{ state }}" + delegate_to: windows-agent -- name: Get alerts file - hosts: managers - tasks: - - - name: Wait for alert to be generated + - name: Wait asynchronously for Filebeat to send data to Wazuh Indexer + become: true wait_for: - timeout: 5 + path: /var/log/filebeat/filebeat + search_regex: "{{ rule_description }}" + async: 30 + poll: 0 + register: async_waiter + + - name: Search alert in alerts log + include_role: + name: manage_alerts + tasks_from: search_alert.yaml + vars: + timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ + custom_regex: "{\"timestamp\":\"{{ timestamp }}\",\"rule\":{\"level\":{{ rule_level }},\"description\":\ + \"{{ rule_description }}\",\"id\":\"{{ rule_id }}\".*" + attempts: 15 + time_btw_attempts: 2 + + - name: Check if Filebeat has sent the alert data to Wazuh Indexer + become: true + async_status: + jid: "{{ async_waiter.ansible_job_id }}" + register: wait_result + until: wait_result.finished + retries: 15 + delay: 2 + # Ignore error to display a custom failure message after the current task + ignore_errors: true + + - name: Fail when the alert data does not appear in Filebeat log + fail: + msg: "{{ rule_description }} was not found in '/var/log/filebeat/filebeat' after 30s" + when: wait_result.failed - name: Get alert json include_role: diff --git a/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/test_cases/cases_fim_windows.yaml b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/test_cases/cases_fim_windows.yaml index 7e7d935212..557726e39e 100644 
--- a/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/test_cases/cases_fim_windows.yaml +++ b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/test_cases/cases_fim_windows.yaml @@ -6,9 +6,9 @@ event_description: Create a file into the monitored folder path: C:\Test\test_demo_fim\monitored_file.txt state: touch - rule.id: 554 - rule.level: 5 - rule.description: File added to the system\. + rule_id: 554 + rule_level: 5 + rule_description: File added to the system\. extra: syscheck.path: c:\\\\test\\\\test_demo_fim\\\\monitored_file.txt @@ -20,9 +20,9 @@ event_description: Modify a file from the monitored folder path: C:\Test\test_demo_fim\monitored_file.txt state: touch - rule.id: 550 - rule.level: 7 - rule.description: Integrity checksum changed\. + rule_id: 550 + rule_level: 7 + rule_description: Integrity checksum changed\. extra: syscheck.path: c:\\\\test\\\\test_demo_fim\\\\monitored_file.txt @@ -34,8 +34,8 @@ event_description: Delete a file from the monitored folder path: C:\Test\test_demo_fim\monitored_file.txt state: absent - rule.id: 553 - rule.level: 7 - rule.description: File deleted\. + rule_id: 553 + rule_level: 7 + rule_description: File deleted\. extra: syscheck.path: c:\\\\test\\\\test_demo_fim\\\\monitored_file.txt diff --git a/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/test_fim_windows.py b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/test_fim_windows.py index 8ff5522186..66b710c622 100644 --- a/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/test_fim_windows.py +++ b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/test_fim_windows.py 
@@ -107,9 +107,9 @@ def test_fim_windows(configure_environment, metadata, get_dashboard_credentials, - The `configuration.yaml` file provides the module configuration for this test. - The `generate_events.yaml`file provides the function configuration for this test. ''' - rule_id = metadata['rule.id'] - rule_level = metadata['rule.level'] - rule_description = metadata['rule.description'] + rule_id = metadata['extra_vars']['rule_id'] + rule_level = metadata['extra_vars']['rule_level'] + rule_description = metadata['extra_vars']['rule_description'] syscheck_path = metadata['extra']['syscheck.path'] timestamp_regex = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+' diff --git a/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/configuration.yaml index 0524e6ee22..5ec628ea4e 100644 --- a/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/configuration.yaml @@ -78,12 +78,22 @@ - name: Updating Suricata rules shell: suricata-update - - name: Start Suricata - systemd: - state: started - name: suricata + - name: Set flag to control the next loop + set_fact: + loop_finished: false + + - name: Ensuring Suricata's start-up + vars: + sleep_durations: + - 30 + - 40 + - 60 + durations: "{{ item }}" + loop_status: "{{ loop_finished }}" + include_tasks: start_suricata.yaml + loop: "{{ sleep_durations | batch(1) | list }}" + register: result - - name: Wait for Suricata to start completely - wait_for: - path: "{{ suricata_log_path }}" - search_regex: - All AFP capture threads are running. + - name: Fail if Suricata refuses to start + fail: msg="Suricata refuses to start after 3 attempts." + when: not (loop_finished | bool) 
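Review bot: `register: result` on the `Ensuring Suricata's start-up` include_tasks task is never read in this hunk, and as far as I know registering an `include_tasks` does not capture the included tasks' results, so it should be dropped. `fail: msg="Suricata refuses to start after 3 attempts."` uses the legacy key=value form while every other task in the file uses the YAML mapping form; `fail:` with `msg: "Suricata refuses to start after {{ sleep_durations | length }} attempts."` keeps the style consistent and stops the hard-coded `3` from drifting when `sleep_durations` changes.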
diff --git a/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/start_suricata.yaml b/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/start_suricata.yaml new file mode 100644 index 0000000000..bc39c03198 --- /dev/null +++ b/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/start_suricata.yaml @@ -0,0 +1,32 @@ +- name: Wait for Suricata to start completely + become: true + wait_for: + path: "{{ suricata_log_path }}" + search_regex: - All AFP capture threads are running. + async: "{{ durations[0] }}" + poll: 0 + register: async_results + when: not (loop_status | bool) + +- name: Restart Suricata + become: true + systemd: + state: restarted + name: suricata + when: not (loop_status | bool) + +- name: Check if Suricata has started completely + become: true + async_status: + jid: "{{ async_results.ansible_job_id }}" + register: wait_result + until: wait_result.finished + retries: "{{ durations[0] }}" + delay: 1 + ignore_errors: true + when: not (loop_status | bool) + +- name: Stop loop if the regex have matched + set_fact: + loop_finished: true + when: not (loop_status | bool) and wait_result.finished is defined diff --git a/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/teardown.yaml index 4f1eb5cbf9..5f320a6bd6 100644 --- a/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/teardown.yaml @@ -3,6 +3,11 @@ become: true tasks: + - name: Stop Suricata + systemd: + state: stopped + name: suricata + - name: Remove Wazuh logs configuration blockinfile: path: /var/ossec/etc/ossec.conf From 3e88bba864b4a6a5423dc05e0fc6122631780fcf Mon Sep 17 00:00:00 2001 
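Review bot: The `Stop loop if the regex have matched` condition `wait_result.finished is defined` is true after every `async_status` call, including one that exhausted its retries with `finished: 0` and was kept alive by `ignore_errors: true`, so `loop_finished` becomes true on the first iteration whether or not Suricata started, the longer `sleep_durations` are never tried and the `Fail if Suricata refuses to start` task in configuration.yaml cannot trigger. Use the result test instead: `when: not (loop_status | bool) and wait_result is succeeded`. Separately, the asynchronous `wait_for` is started before `Restart Suricata` and searches the whole `{{ suricata_log_path }}`, so a `- All AFP capture threads are running.` line left from an earlier start matches at once; truncating the log before the restart would make the check reflect this start only. The unescaped dots in `search_regex` are harmless here, but `\.` would make the literal intent explicit.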
From: =?UTF-8?q?V=C3=ADctor=20Rebollo=20P=C3=A9rez?= Date: Tue, 6 Sep 2022 13:43:43 +0100 Subject: [PATCH 525/552] fix(#3165): increase E2E env resources --- provisioning/environments/end_to_end_environment.yaml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/provisioning/environments/end_to_end_environment.yaml b/provisioning/environments/end_to_end_environment.yaml index 7a923e58a8..25aa0e7586 100644 --- a/provisioning/environments/end_to_end_environment.yaml +++ b/provisioning/environments/end_to_end_environment.yaml @@ -1,11 +1,17 @@ centos-manager: os: centos roles: [manager, indexer, filebeat] + resources: + cpu: 4 + memory: 8192 ubuntu-agent: os: ubuntu roles: [agent] manager: centos-manager + resources: + cpu: 2 + memory: 4096 centos-agent: os: centos @@ -16,3 +22,6 @@ windows-agent: os: windows roles: [agent] manager: centos-manager + resources: + cpu: 2 + memory: 4096 From ddb57e3593e95b44225fca193cc892d065b91c92 Mon Sep 17 00:00:00 2001 From: Julia Date: Tue, 6 Sep 2022 15:26:14 +0200 Subject: [PATCH 526/552] refactor(#3165): change how alerts are checked --- .../manage_alerts/tasks/search_alert.yaml | 12 +-- .../data/playbooks/generate_events.yaml | 3 +- .../data/playbooks/generate_events.yaml | 3 +- .../data/playbooks/generate_events.yaml | 96 ++++++++++--------- .../data/playbooks/generate_events.yaml | 3 +- .../data/playbooks/generate_events.yaml | 3 +- .../data/playbooks/generate_events.yaml | 3 +- .../data/playbooks/generate_events.yaml | 3 +- .../data/playbooks/generate_events.yaml | 3 +- .../data/playbooks/generate_events.yaml | 3 +- 10 files changed, 61 insertions(+), 71 deletions(-) diff --git a/tests/end_to_end/data/ansible_roles/manage_alerts/tasks/search_alert.yaml b/tests/end_to_end/data/ansible_roles/manage_alerts/tasks/search_alert.yaml index f3e75c6501..d4369a1d0d 100644 --- a/tests/end_to_end/data/ansible_roles/manage_alerts/tasks/search_alert.yaml 
+++ b/tests/end_to_end/data/ansible_roles/manage_alerts/tasks/search_alert.yaml @@ -1,12 +1,6 @@ - name: Search alert in alerts log become: true - lineinfile: + wait_for: path: /var/ossec/logs/alerts/alerts.json - regexp: "{{ custom_regex }}" - state: absent - check_mode: true - changed_when: false - register: alert - until: alert.found != 0 - retries: "{{ attempts }}" - delay: "{{ time_btw_attempts }}" + search_regex: "{{ custom_regex }}" + timeout: "{{ timeout }}" diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml index 5c23e3e6ad..0dd9ed0444 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml @@ -35,8 +35,7 @@ timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ custom_regex: "{\"timestamp\":\"{{ timestamp }}\",\"rule\":{\"level\":{{ rule_level }},\ \"description\":\"{{ rule_description }}\",\"id\":\"{{ rule_id }}\".*" - attempts: 15 - time_btw_attempts: 2 + timeout: 30 - name: Get alert json include_role: diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml index 8f0ab0149c..12da2ce5df 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml 
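Review bot: The role now requires a `timeout` variable with no fallback, so a caller that still passes `attempts`/`time_btw_attempts` fails with an undefined-variable error instead of a clear message; `timeout: "{{ timeout | default(30) }}"` (30 is the value every updated caller sets) keeps old callers working, or document the contract at the top of the file: `# Required vars: custom_regex (Python regex matched against alerts.json), timeout (seconds to wait for a match).`. The previous version registered `alert`; if any playbook still reads `alert.found` it now breaks, which is worth a grep before merging.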
@@ -45,8 +45,7 @@ timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ custom_regex: "{\"timestamp\":\"{{ timestamp }}\",\"rule\":{\"level\":{{ rule_level }},\ \"description\":\"{{ rule_description }}\",\"id\":\"{{ rule_id }}\".*" - attempts: 15 - time_btw_attempts: 2 + timeout: 30 - name: Get alert json include_role: diff --git a/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml index 92e8e02a9a..e669a2c655 100644 --- a/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml 
@@ -3,49 +3,53 @@ become: true tasks: - - name: Truncate alert.json - include_role: - name: manage_alerts - tasks_from: truncate_alert_json.yaml - - - name: "{{ event_description }}" - shell: "{{ command }}" - - - name: Wait asynchronously for Filebeat to send data to Wazuh Indexer - wait_for: - path: /var/log/filebeat/filebeat - search_regex: "{{ rule_id }}" - async: 30 - poll: 0 - register: async_waiter - - - name: Search alert in alerts log - include_role: - name: manage_alerts - tasks_from: search_alert.yaml - vars: - timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ - custom_regex: "{\"timestamp\":\"{{ timestamp }}\",.+level.+{{ rule_level }}.+description.+\ - {{ rule_description }}.+id.+{{ rule_id }}.+" - attempts: 15 - time_btw_attempts: 2 - - - name: Check if Filebeat has sent the alert data to Wazuh Indexer - async_status: - jid: "{{ async_waiter.ansible_job_id }}" - register: wait_result - until: wait_result.finished - retries: 15 - delay: 2 - # Ignore error to display a custom failure message after the current task - ignore_errors: true - - - name: Fail when the alert data does not appear in Filebeat log - fail: - msg: "{{ rule_id }} was not found in '/var/log/filebeat/filebeat' after 30s" - when: wait_result.failed - - - name: Get alert json - include_role: - name: manage_alerts - tasks_from: get_alert_json.yaml + - name: Truncate alert.json + include_role: + name: manage_alerts + tasks_from: truncate_alert_json.yaml + + - name: "{{ event_description }}" + shell: "{{ command }}" + + - name: Wait for expected alert + block: + + - name: Wait asynchronously for Filebeat to send data to Wazuh Indexer + wait_for: + path: /var/log/filebeat/filebeat + search_regex: "{{ rule_id }}" + async: 30 + poll: 0 + register: async_waiter + + - name: Search alert in alerts log + include_role: + name: manage_alerts + tasks_from: search_alert.yaml + vars: + timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ + custom_regex: "{\"timestamp\":\"{{ timestamp }}\",.+level.+{{ 
rule_level }}.+description.+\ + {{ rule_description }}.+id.+{{ rule_id }}.+" + timeout: 30 + + - name: Check if Filebeat has sent the alert data to Wazuh Indexer + async_status: + jid: "{{ async_waiter.ansible_job_id }}" + register: wait_result + until: wait_result.finished + retries: 15 + delay: 2 + # Ignore error to display a custom failure message after the current task + ignore_errors: true + + - name: Fail when the alert data does not appear in Filebeat log + fail: + msg: "{{ rule_id }} was not found in '/var/log/filebeat/filebeat' after 30s" + when: wait_result.failed + + always: + + - name: Get alert json + include_role: + name: manage_alerts + tasks_from: get_alert_json.yaml diff --git a/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/generate_events.yaml index 92e2906069..ceb049e6a8 100644 --- a/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/generate_events.yaml @@ -28,8 +28,7 @@ vars: timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ custom_regex: "{\"timestamp\":\"{{ timestamp }}\".*\"id\":\"{{ item.value.rule_id }}\".*" - attempts: 15 - time_btw_attempts: 2 + timeout: 30 - name: Get alert json include_role: diff --git a/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/generate_events.yaml index 8c054dcd52..ca835f0a4f 100644 --- a/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/generate_events.yaml 
@@ -30,8 +30,7 @@ timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ custom_regex: "{\"timestamp\":\"{{ timestamp }}\",\"rule\":{\"level\":{{ rule_level }},\"description\":\ \"{{ rule_description }}\",\"id\":\"{{ rule_id }}\".*" - attempts: 15 - time_btw_attempts: 2 + timeout: 30 - name: Check if Filebeat has sent the alert data to Wazuh Indexer become: true diff --git a/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/generate_events.yaml index eb04e92568..5e5efb715d 100644 --- a/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/generate_events.yaml @@ -22,8 +22,7 @@ timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ custom_regex: "{\"timestamp\":\"{{ timestamp }}\",.+level\":{{ rule_level }},\"description\":\ \"{{ rule_description }}\",\"id\":\"{{ rule_id }}\".+osquery\":.+\"name\":\"{{ osquery_name }}\"" - attempts: 15 - time_btw_attempts: 2 + timeout: 30 - name: Get alert json include_role: diff --git a/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml index b260a7d69e..404eb25db5 100644 --- a/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml @@ -29,8 +29,7 @@ timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ custom_regex: "{\"timestamp.+{{ timestamp }}.+level.+{{ rule_level }}.+description.+\ {{ rule_description }}.+id.+{{ rule_id }}.+" - attempts: 15 - time_btw_attempts: 2 + timeout: 30 - name: Get alert json include_role: 
diff --git a/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/generate_events.yaml index 1b7140c4ce..904a9f7e89 100644 --- a/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/generate_events.yaml @@ -18,8 +18,7 @@ timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ custom_regex: "{\"timestamp\":\"{{ timestamp }}\",\"rule\":{\"level\":{{ rule_level }},\ \"description\":\"{{ rule_description }}\",\"id\":\"{{ rule_id }}\".*}" - attempts: 15 - time_btw_attempts: 2 + timeout: 30 - name: Get alert json include_role: diff --git a/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/generate_events.yaml index 14e40a3b7b..94090dbb85 100644 --- a/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/generate_events.yaml @@ -25,8 +25,7 @@ timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ custom_regex: "{\"timestamp\":\"{{ timestamp }}\",.+level\":{{ rule_level }}.+description\"\ :\"{{ rule_description }}.+id.+{{ rule_id }}" - attempts: 15 - time_btw_attempts: 2 + timeout: 30 - name: Get alert json include_role: From 4228d443143490e3c98fa1499dde53d444957840 Mon Sep 17 00:00:00 2001 
From: Julia Date: Tue, 6 Sep 2022 16:47:45 +0200 Subject: [PATCH 527/552] refactor(#3165): get alerts.json always --- .../data/playbooks/generate_events.yaml | 19 ++-- .../data/playbooks/generate_events.yaml | 31 +++--- .../data/playbooks/generate_events.yaml | 33 +++--- .../data/playbooks/generate_events.yaml | 33 +++--- .../data/playbooks/generate_events.yaml | 19 ++-- .../data/playbooks/generate_events.yaml | 100 +++++++++--------- .../data/playbooks/generate_events.yaml | 31 +++--- .../data/playbooks/generate_events.yaml | 19 ++-- .../data/playbooks/generate_events.yaml | 83 ++++++++------- .../data/playbooks/generate_events.yaml | 19 ++-- .../data/playbooks/generate_events.yaml | 31 +++--- .../data/playbooks/generate_events.yaml | 19 ++-- .../data/playbooks/generate_events.yaml | 47 ++++---- .../data/playbooks/generate_events.yaml | 21 ++-- .../data/playbooks/generate_events.yaml | 33 +++--- .../data/playbooks/generate_events.yaml | 31 +++--- .../data/playbooks/generate_events.yaml | 25 +++-- .../data/playbooks/generate_events.yaml | 26 +++-- .../data/playbooks/generate_events.yaml | 19 ++-- .../data/playbooks/generate_events.yaml | 31 +++--- 20 files changed, 386 insertions(+), 284 deletions(-) diff --git a/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/generate_events.yaml index 975d06c93c..5154e7afe5 100644 --- a/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/generate_events.yaml 
@@ -10,11 +10,16 @@ - name: "{{ event_description }}" shell: "{{ command }}" - - name: Wait for alert to be generated - wait_for: - timeout: 30 + - name: Wait for expected alert + block: - - name: Get alert json - include_role: - name: manage_alerts - tasks_from: get_alert_json.yaml + - name: Wait for alert to be generated + wait_for: + timeout: 30 + + always: + + - name: Get alert json + include_role: + name: manage_alerts + tasks_from: get_alert_json.yaml diff --git a/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml index c597a2ab40..e8c2d5c855 100644 --- a/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/data/playbooks/generate_events.yaml 
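Review bot: The `block:`/`always:` wrapper around the wait and the `Get alert json` include is pasted verbatim into every generate_events.yaml of this patch (aws, brute force rdp and ssh, suspicious binaries, emotet, fim linux and windows, ip reputation, osquery, shellshock, slack, sql injection, suricata, virustotal, vulnerability detector linux and windows, windows defender, yara), so the guarantee in the subject, that alerts.json is fetched always, holds only as long as each playbook keeps being edited the same way. The fetch already lives in the `manage_alerts` role (`tasks_from: get_alert_json.yaml`), so the wait-then-always-fetch pair could be one task file in that role that the playbooks import, enforcing the invariant in a single place. In this playbook the wrapped task is a bare `wait_for: timeout: 30`, which cannot fail, so a comment such as `# always: keeps the alerts fetch even if a check added to this block later fails` would explain why the block exists here. The play header is outside the hunk.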
@@ -14,18 +14,23 @@ - name: Run the script using python3 (create S3 bucket) script: "{{ AWS_API_SCRIPT }} -i {{ aws_access_key_id }} -k {{ aws_secret_access_key }} -b {{ bucket }} -c" - - name: Wait for the alert to be generated - wait_for: - path: "{{ alerts_path }}" - search_regex: "{{ event_name }}.*{{ bucket }}" - # Waiting 8 minutes, because that is the time for Cloudtrail to deliver the logs to the S3 bucket. - timeout: 480 + - name: Wait for expected alert + block: - - name: Wait for alerts to be indexed - wait_for: - timeout: 40 + - name: Wait for the alert to be generated + wait_for: + path: "{{ alerts_path }}" + search_regex: "{{ event_name }}.*{{ bucket }}" + # Waiting 8 minutes, because that is the time for Cloudtrail to deliver the logs to the S3 bucket. + timeout: 480 - - name: Get alert json - include_role: - name: manage_alerts - tasks_from: get_alert_json.yaml + - name: Wait for alerts to be indexed + wait_for: + timeout: 40 + + always: + + - name: Get alert json + include_role: + name: manage_alerts + tasks_from: get_alert_json.yaml diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml index 0dd9ed0444..88709e8d8c 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/generate_events.yaml 
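Review bot: The `script:` task that is context just above the new block passes `aws_secret_access_key` as a command-line argument, so the rendered secret is part of the task result (`invocation` output with `-v`, callback and log plugins) and of the process list on the target while the script runs; mark that task `no_log: true` and, where the script allows it, hand the key over through `environment:` rather than `-k`. The same applies to `slack_token` in the `SLACK_API_SCRIPT` task of the Slack generate_events hunk later in this patch. The enclosing play starts outside this hunk.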
@@ -27,17 +27,22 @@ hosts: manager tasks: - - name: Search alert in alerts log - include_role: - name: manage_alerts - tasks_from: search_alert.yaml - vars: - timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ - custom_regex: "{\"timestamp\":\"{{ timestamp }}\",\"rule\":{\"level\":{{ rule_level }},\ - \"description\":\"{{ rule_description }}\",\"id\":\"{{ rule_id }}\".*" - timeout: 30 - - - name: Get alert json - include_role: - name: manage_alerts - tasks_from: get_alert_json.yaml + - name: Wait for expected alert + block: + + - name: Search alert in alerts log + include_role: + name: manage_alerts + tasks_from: search_alert.yaml + vars: + timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ + custom_regex: "{\"timestamp\":\"{{ timestamp }}\",\"rule\":{\"level\":{{ rule_level }},\ + \"description\":\"{{ rule_description }}\",\"id\":\"{{ rule_id }}\".*" + timeout: 30 + + always: + + - name: Get alert json + include_role: + name: manage_alerts + tasks_from: get_alert_json.yaml diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml index 12da2ce5df..4c805c99d1 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/data/playbooks/generate_events.yaml 
@@ -37,17 +37,22 @@ hosts: manager tasks: - - name: Search alert in alerts log - include_role: - name: manage_alerts - tasks_from: search_alert.yaml - vars: - timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ - custom_regex: "{\"timestamp\":\"{{ timestamp }}\",\"rule\":{\"level\":{{ rule_level }},\ - \"description\":\"{{ rule_description }}\",\"id\":\"{{ rule_id }}\".*" - timeout: 30 - - - name: Get alert json - include_role: - name: manage_alerts - tasks_from: get_alert_json.yaml + - name: Wait for expected alert + block: + + - name: Search alert in alerts log + include_role: + name: manage_alerts + tasks_from: search_alert.yaml + vars: + timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ + custom_regex: "{\"timestamp\":\"{{ timestamp }}\",\"rule\":{\"level\":{{ rule_level }},\ + \"description\":\"{{ rule_description }}\",\"id\":\"{{ rule_id }}\".*" + timeout: 30 + + always: + + - name: Get alert json + include_role: + name: manage_alerts + tasks_from: get_alert_json.yaml diff --git a/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml index 06555c972c..80bec1d6ee 100644 --- a/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/data/playbooks/generate_events.yaml @@ -15,11 +15,16 @@ vars: os: linux - - name: Wait for alerts to be generated - wait_for: - timeout: 40 + - name: Wait for expected alert + block: - - name: Get alert json - include_role: - name: manage_alerts - tasks_from: get_alert_json.yaml + - name: Wait for alerts to be generated + wait_for: + timeout: 40 + + always: + + - name: Get alert json + include_role: + name: manage_alerts + tasks_from: get_alert_json.yaml 
diff --git a/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml
index e669a2c655..bffd20daf7 100644
--- a/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml
+++ b/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/generate_events.yaml
@@ -3,53 +3,53 @@ become: true tasks: - - name: Truncate alert.json - include_role: - name: manage_alerts - tasks_from: truncate_alert_json.yaml - - - name: "{{ event_description }}" - shell: "{{ command }}" - - - name: Wait for expected alert - block: - - - name: Wait asynchronously for Filebeat to send data to Wazuh Indexer - wait_for: - path: /var/log/filebeat/filebeat - search_regex: "{{ rule_id }}" - async: 30 - poll: 0 - register: async_waiter - - - name: Search alert in alerts log - include_role: - name: manage_alerts - tasks_from: search_alert.yaml - vars: - timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ - custom_regex: "{\"timestamp\":\"{{ timestamp }}\",.+level.+{{ rule_level }}.+description.+\ - {{ rule_description }}.+id.+{{ rule_id }}.+" - timeout: 30 - - - name: Check if Filebeat has sent the alert data to Wazuh Indexer - async_status: - jid: "{{ async_waiter.ansible_job_id }}" - register: wait_result - until: wait_result.finished - retries: 15 - delay: 2 - # Ignore error to display a custom failure message after the current task - ignore_errors: true - - - name: Fail when the alert data does not appear in Filebeat log - fail: - msg: "{{ rule_id }} was not found in '/var/log/filebeat/filebeat' after 30s" - when: wait_result.failed - - always: - - - name: Get alert json - include_role: - name: manage_alerts - tasks_from: get_alert_json.yaml + - name: Truncate alert.json + include_role: + name: manage_alerts + tasks_from: truncate_alert_json.yaml + + - name: "{{ event_description }}" + shell: "{{ command }}" + + - name: Wait for expected alert + block: + + - name: Wait asynchronously for Filebeat to send data to Wazuh Indexer + wait_for: + path: /var/log/filebeat/filebeat + search_regex: "{{ rule_id }}" + async: 30 + poll: 0 + register: async_waiter + + - name: Search alert in alerts log + include_role: + name: manage_alerts + tasks_from: search_alert.yaml + vars: + timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ + custom_regex: "{\"timestamp\":\"{{ 
timestamp }}\",.+level.+{{ rule_level }}.+description.+\ + {{ rule_description }}.+id.+{{ rule_id }}.+" + timeout: 30 + + - name: Check if Filebeat has sent the alert data to Wazuh Indexer + async_status: + jid: "{{ async_waiter.ansible_job_id }}" + register: wait_result + until: wait_result.finished + retries: 15 + delay: 2 + # Ignore error to display a custom failure message after the current task + ignore_errors: true + + - name: Fail when the alert data does not appear in Filebeat log + fail: + msg: "{{ rule_id }} was not found in '/var/log/filebeat/filebeat' after 30s" + when: wait_result.failed + + always: + + - name: Get alert json + include_role: + name: manage_alerts + tasks_from: get_alert_json.yaml diff --git a/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/generate_events.yaml index ceb049e6a8..df1fc5d2a2 100644 --- a/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/generate_events.yaml 
@@ -20,17 +20,22 @@ hosts: manager tasks: - - name: Search alert in alerts log - with_items: "{{ lookup('ansible.builtin.dict', alerts) }}" - include_role: - name: manage_alerts - tasks_from: search_alert.yaml - vars: - timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ - custom_regex: "{\"timestamp\":\"{{ timestamp }}\".*\"id\":\"{{ item.value.rule_id }}\".*" - timeout: 30 + - name: Wait for expected alert + block: - - name: Get alert json - include_role: - name: manage_alerts - tasks_from: get_alert_json.yaml + - name: Search alert in alerts log + with_items: "{{ lookup('ansible.builtin.dict', alerts) }}" + include_role: + name: manage_alerts + tasks_from: search_alert.yaml + vars: + timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ + custom_regex: "{\"timestamp\":\"{{ timestamp }}\".*\"id\":\"{{ item.value.rule_id }}\".*" + timeout: 30 + + always: + + - name: Get alert json + include_role: + name: manage_alerts + tasks_from: get_alert_json.yaml diff --git a/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/generate_events.yaml index 9065848fe5..38fb00f233 100644 --- a/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/generate_events.yaml @@ -22,11 +22,16 @@ hosts: manager tasks: - - name: Wait for alert to be generated - wait_for: - timeout: 30 + - name: Wait for expected alert + block: - - name: Get alert json - include_role: - name: manage_alerts - tasks_from: get_alert_json.yaml + - name: Wait for alert to be generated + wait_for: + timeout: 30 + + always: + + - name: Get alert json + include_role: + name: manage_alerts + tasks_from: get_alert_json.yaml 
diff --git a/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/generate_events.yaml
index ca835f0a4f..b2a82f0cf0 100644
--- a/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/generate_events.yaml
+++ b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/data/playbooks/generate_events.yaml
@@ -13,42 +13,47 @@ state: "{{ state }}" delegate_to: windows-agent - - name: Wait asynchronously for Filebeat to send data to Wazuh Indexer - become: true - wait_for: - path: /var/log/filebeat/filebeat - search_regex: "{{ rule_description }}" - async: 30 - poll: 0 - register: async_waiter - - - name: Search alert in alerts log - include_role: - name: manage_alerts - tasks_from: search_alert.yaml - vars: - timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ - custom_regex: "{\"timestamp\":\"{{ timestamp }}\",\"rule\":{\"level\":{{ rule_level }},\"description\":\ - \"{{ rule_description }}\",\"id\":\"{{ rule_id }}\".*" - timeout: 30 - - - name: Check if Filebeat has sent the alert data to Wazuh Indexer - become: true - async_status: - jid: "{{ async_waiter.ansible_job_id }}" - register: wait_result - until: wait_result.finished - retries: 15 - delay: 2 - # Ignore error to display a custom failure message after the current task - ignore_errors: true - - - name: Fail when the alert data does not appear in Filebeat log - fail: - msg: "{{ rule_description }} was not found in '/var/log/filebeat/filebeat' after 30s" - when: wait_result.failed - - - name: Get alert json - include_role: - name: manage_alerts - tasks_from: get_alert_json.yaml + - name: Wait for expected alert + block: + + - name: Wait asynchronously for Filebeat to send data to Wazuh Indexer + become: true + wait_for: + path: /var/log/filebeat/filebeat + search_regex: "{{ rule_description }}" + async: 30 + poll: 0 + register: async_waiter + + - name: Search alert in alerts log + include_role: + name: manage_alerts + tasks_from: search_alert.yaml + vars: + timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ + custom_regex: "{\"timestamp\":\"{{ timestamp }}\",\"rule\":{\"level\":{{ rule_level }},\"description\":\ + \"{{ rule_description }}\",\"id\":\"{{ rule_id }}\".*" + timeout: 30 + + - name: Check if Filebeat has sent the alert data to Wazuh Indexer + become: true + async_status: + jid: "{{ 
async_waiter.ansible_job_id }}" + register: wait_result + until: wait_result.finished + retries: 15 + delay: 2 + # Ignore error to display a custom failure message after the current task + ignore_errors: true + + - name: Fail when the alert data does not appear in Filebeat log + fail: + msg: "{{ rule_description }} was not found in '/var/log/filebeat/filebeat' after 30s" + when: wait_result.failed + + always: + + - name: Get alert json + include_role: + name: manage_alerts + tasks_from: get_alert_json.yaml diff --git a/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/generate_events.yaml index c9234600fb..ccb6122985 100644 --- a/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_ip_reputation/data/playbooks/generate_events.yaml @@ -20,11 +20,16 @@ hosts: manager tasks: - - name: Waiting for alert - wait_for: - timeout: 5 + - name: Wait for expected alert + block: - - name: Get alert json - include_role: - name: manage_alerts - tasks_from: get_alert_json.yaml + - name: Waiting for alert + wait_for: + timeout: 5 + + always: + + - name: Get alert json + include_role: + name: manage_alerts + tasks_from: get_alert_json.yaml diff --git a/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/generate_events.yaml index 5e5efb715d..c585397239 100644 --- a/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/generate_events.yaml 
@@ -14,17 +14,22 @@ - name: "{{ event_description }}" shell: "{{ command }}" - - name: Search alert in alerts log - include_role: - name: manage_alerts - tasks_from: search_alert.yaml - vars: - timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ - custom_regex: "{\"timestamp\":\"{{ timestamp }}\",.+level\":{{ rule_level }},\"description\":\ - \"{{ rule_description }}\",\"id\":\"{{ rule_id }}\".+osquery\":.+\"name\":\"{{ osquery_name }}\"" - timeout: 30 + - name: Wait for expected alert + block: - - name: Get alert json - include_role: - name: manage_alerts - tasks_from: get_alert_json.yaml + - name: Search alert in alerts log + include_role: + name: manage_alerts + tasks_from: search_alert.yaml + vars: + timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ + custom_regex: "{\"timestamp\":\"{{ timestamp }}\",.+level\":{{ rule_level }},\"description\":\ + \"{{ rule_description }}\",\"id\":\"{{ rule_id }}\".+osquery\":.+\"name\":\"{{ osquery_name }}\"" + timeout: 30 + + always: + + - name: Get alert json + include_role: + name: manage_alerts + tasks_from: get_alert_json.yaml diff --git a/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/generate_events.yaml index 89a1ae3b02..43e9e985b5 100644 --- a/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/generate_events.yaml 
@@ -11,11 +11,16 @@ - name: "{{ event_description }}" shell: "{{ command }}" - - name: Wait for alerts to be generated - wait_for: - timeout: 40 + - name: Wait for expected alert + block: - - name: Get alert json - include_role: - name: manage_alerts - tasks_from: get_alert_json.yaml + - name: Wait for alerts to be generated + wait_for: + timeout: 40 + + always: + + - name: Get alert json + include_role: + name: manage_alerts + tasks_from: get_alert_json.yaml diff --git a/tests/end_to_end/test_basic_cases/test_slack_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_slack_integration/data/playbooks/generate_events.yaml index 07644482fc..09c4e4475a 100644 --- a/tests/end_to_end/test_basic_cases/test_slack_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_slack_integration/data/playbooks/generate_events.yaml 
@@ -28,27 +28,32 @@ register: command_result failed_when: "'Permission denied' not in command_result.stdout" - - name: Wait for the alert to be generated - pause: - seconds: 5 - - - name: Check if the alert has been sent to Slack - wait_for: - path: "{{ integrations_log }}" - search_regex: hooks.slack.com - timeout: 5 + - name: Wait for expected alert + block: + + - name: Wait for the alert to be generated + pause: + seconds: 5 + + - name: Check if the alert has been sent to Slack + wait_for: + path: "{{ integrations_log }}" + search_regex: hooks.slack.com + timeout: 5 + + always: - - name: Get alert json - include_role: - name: manage_alerts - tasks_from: get_alert_json.yaml + - name: Get alert json + include_role: + name: manage_alerts + tasks_from: get_alert_json.yaml - # Get messages from Slack channel using the API of Slack - - name: Run the script using python3 (Get messages from Slack channel) - script: "{{ SLACK_API_SCRIPT }} -t {{ slack_token }} -c {{ slack_channel }} -m 1 -p {{ slack_messages_log }}" + # Get messages from Slack channel using the API of Slack + - name: Run the script using python3 (Get messages from Slack channel) + script: "{{ SLACK_API_SCRIPT }} -t {{ slack_token }} -c {{ slack_channel }} -m 1 -p {{ slack_messages_log }}" - - name: Get Slack messages log - fetch: - src: "{{ slack_messages_log }}" - dest: /tmp/ - flat: true + - name: Get Slack messages log + fetch: + src: "{{ slack_messages_log }}" + dest: /tmp/ + flat: true diff --git a/tests/end_to_end/test_basic_cases/test_sql_injection/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_sql_injection/data/playbooks/generate_events.yaml index 9e93091aaa..271ba56d4a 100644 --- a/tests/end_to_end/test_basic_cases/test_sql_injection/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_sql_injection/data/playbooks/generate_events.yaml 
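Review bot: The two Slack-retrieval tasks (`Run the script using python3 (Get messages from Slack channel)` and `Get Slack messages log`) are removed and re-added together with the block, which suggests they now sit under `always:` instead of at play level; the collapsed whitespace makes this hard to tell for certain. If that is intended, it changes behaviour, since the Slack API call and the fetch now also run after the wait on `{{ integrations_log }}` has failed, and deserves a comment such as `# always: fetch the Slack messages log even when no hooks.slack.com entry appeared, so the assertion can report what Slack received`; if it is not, dedent the two tasks back to the level of `- name: Wait for expected alert`. The play header is outside the hunk.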
@@ -14,15 +14,20 @@ - name: "{{ event_description }}" command: "{{ command }}" - - name: Wait for alert - wait_for: - timeout: 30 - - name: Get alerts file hosts: manager tasks: - - name: Get alert json - include_role: - name: manage_alerts - tasks_from: get_alert_json.yaml + - name: Wait for expected alert + block: + + - name: Wait for alert + wait_for: + timeout: 30 + + always: + + - name: Get alert json + include_role: + name: manage_alerts + tasks_from: get_alert_json.yaml diff --git a/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml index 404eb25db5..58930c2105 100644 --- a/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_suricata_integration/data/playbooks/generate_events.yaml @@ -21,17 +21,22 @@ become: true tasks: - - name: Search alert in alerts log - include_role: - name: manage_alerts - tasks_from: search_alert.yaml - vars: - timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ - custom_regex: "{\"timestamp.+{{ timestamp }}.+level.+{{ rule_level }}.+description.+\ - {{ rule_description }}.+id.+{{ rule_id }}.+" - timeout: 30 - - - name: Get alert json - include_role: - name: manage_alerts - tasks_from: get_alert_json.yaml + - name: Wait for expected alert + block: + + - name: Search alert in alerts log + include_role: + name: manage_alerts + tasks_from: search_alert.yaml + vars: + timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ + custom_regex: "{\"timestamp.+{{ timestamp }}.+level.+{{ rule_level }}.+description.+\ + {{ rule_description }}.+id.+{{ rule_id }}.+" + timeout: 30 + + always: + + - name: Get alert json + include_role: + name: manage_alerts + tasks_from: get_alert_json.yaml 
diff --git a/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/generate_events.yaml index 904a9f7e89..fe490d0122 100644 --- a/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/generate_events.yaml @@ -10,17 +10,22 @@ hosts: manager tasks: - - name: Search alert in alerts log - include_role: - name: manage_alerts - tasks_from: search_alert.yaml - vars: - timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ - custom_regex: "{\"timestamp\":\"{{ timestamp }}\",\"rule\":{\"level\":{{ rule_level }},\ - \"description\":\"{{ rule_description }}\",\"id\":\"{{ rule_id }}\".*}" - timeout: 30 + - name: Wait for expected alert + block: - - name: Get alert json - include_role: - name: manage_alerts - tasks_from: get_alert_json.yaml + - name: Search alert in alerts log + include_role: + name: manage_alerts + tasks_from: search_alert.yaml + vars: + timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ + custom_regex: "{\"timestamp\":\"{{ timestamp }}\",\"rule\":{\"level\":{{ rule_level }},\ + \"description\":\"{{ rule_description }}\",\"id\":\"{{ rule_id }}\".*}" + timeout: 30 + + always: + + - name: Get alert json + include_role: + name: manage_alerts + tasks_from: get_alert_json.yaml diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml index 30bba260e4..a77a5194b6 100644 --- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml 
+++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/data/playbooks/generate_events.yaml @@ -23,14 +23,19 @@ shell: echo "" > /var/ossec/logs/ossec.log become: true - - name: Waiting for vulnerability scan, alert reporting and indexing - wait_for: - path: /var/ossec/logs/ossec.log - search_regex: Vulnerability scan finished. - timeout: 60 - become: true + - name: Wait for expected alert + block: - - name: Get alert json - include_role: - name: manage_alerts - tasks_from: get_alert_json.yaml + - name: Waiting for vulnerability scan, alert reporting and indexing + wait_for: + path: /var/ossec/logs/ossec.log + search_regex: Vulnerability scan finished. + timeout: 60 + become: true + + always: + + - name: Get alert json + include_role: + name: manage_alerts + tasks_from: get_alert_json.yaml diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/generate_events.yaml index ac3d427593..d10422acaf 100644 --- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/data/playbooks/generate_events.yaml 
@@ -18,11 +18,23 @@ hosts: manager tasks: - - name: Waiting for vulnerability scan, alert reporting and indexing - wait_for: - timeout: 60 + - name: Truncate ossec.log + shell: echo "" > /var/ossec/logs/ossec.log + become: true - - name: Get alert json - include_role: - name: manage_alerts - tasks_from: get_alert_json.yaml + - name: Wait for expected alert + block: + + - name: Waiting for vulnerability scan, alert reporting and indexing + wait_for: + path: /var/ossec/logs/ossec.log + search_regex: Vulnerability scan finished. + timeout: 60 + become: true + + always: + + - name: Get alert json + include_role: + name: manage_alerts + tasks_from: get_alert_json.yaml diff --git a/tests/end_to_end/test_basic_cases/test_windows_defender/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_windows_defender/data/playbooks/generate_events.yaml index cad0153bf8..fe1f1341eb 100644 --- a/tests/end_to_end/test_basic_cases/test_windows_defender/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_windows_defender/data/playbooks/generate_events.yaml @@ -18,11 +18,16 @@ hosts: manager tasks: - - name: Waiting for alert - wait_for: - timeout: 5 + - name: Wait for expected alert + block: - - name: Get alert json - include_role: - name: manage_alerts - tasks_from: get_alert_json.yaml + - name: Waiting for alert + wait_for: + timeout: 5 + + always: + + - name: Get alert json + include_role: + name: manage_alerts + tasks_from: get_alert_json.yaml diff --git a/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/generate_events.yaml index 94090dbb85..2a05815a23 100644 --- a/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/generate_events.yaml 
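Review bot: `shell: echo "" > /var/ossec/logs/ossec.log` in the new `Truncate ossec.log` task leaves a single newline rather than an empty file and spawns a shell for a file operation; `command: truncate -s 0 /var/ossec/logs/ossec.log` with the same `become: true` empties the file in place, keeps its ownership and mode, and needs no shell. Also, `search_regex: Vulnerability scan finished.` is a regular expression, so the trailing `.` matches any character; `Vulnerability scan finished\.` pins the literal. Both points apply to the same task in the vulnerability_detector_linux hunk, where the truncate is context rather than new code.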
@@ -17,17 +17,22 @@ - name: Download malware shell: curl -s -XGET {{ url }} -o "/tmp/yara/malware/mirai" - - name: Search alert in alerts log - include_role: - name: manage_alerts - tasks_from: search_alert.yaml - vars: - timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ - custom_regex: "{\"timestamp\":\"{{ timestamp }}\",.+level\":{{ rule_level }}.+description\"\ - :\"{{ rule_description }}.+id.+{{ rule_id }}" - timeout: 30 + - name: Wait for expected alert + block: - - name: Get alert json - include_role: - name: manage_alerts - tasks_from: get_alert_json.yaml + - name: Search alert in alerts log + include_role: + name: manage_alerts + tasks_from: search_alert.yaml + vars: + timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ + custom_regex: "{\"timestamp\":\"{{ timestamp }}\",.+level\":{{ rule_level }}.+description\"\ + :\"{{ rule_description }}.+id.+{{ rule_id }}" + timeout: 30 + + always: + + - name: Get alert json + include_role: + name: manage_alerts + tasks_from: get_alert_json.yaml From f2f4098aa51ae6837e987708405095b3887d6c6b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Rebollo=20P=C3=A9rez?= Date: Wed, 7 Sep 2022 11:26:47 +0100 Subject: [PATCH 528/552] fix(#3165): enable env validation --- tests/end_to_end/conftest.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index e7ce3e3291..493486b6fc 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -74,7 +74,7 @@ def validate_inventory(inventory_path, target_hosts): f"Read the {readme_file} file inside the E2E suite to build a valid inventory.") -@pytest.fixture(scope='session') +@pytest.fixture(scope='session', autouse=True) def validate_environments(request): """Fixture with session scope to validate the environments before run the E2E tests. From ef475e55449f24f702433a1c78dd2bcbdf1e3631 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?V=C3=ADctor=20Rebollo=20P=C3=A9rez?= Date: Wed, 7 Sep 2022 11:47:29 +0100 Subject: [PATCH 529/552] fix(#3165): disable env validation --- tests/end_to_end/conftest.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 493486b6fc..e7ce3e3291 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -74,7 +74,7 @@ def validate_inventory(inventory_path, target_hosts): f"Read the {readme_file} file inside the E2E suite to build a valid inventory.") -@pytest.fixture(scope='session', autouse=True) +@pytest.fixture(scope='session') def validate_environments(request): """Fixture with session scope to validate the environments before run the E2E tests. From f42c6b99e1a560588e84086ad21bc75bf25e3d67 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Thu, 8 Sep 2022 17:53:15 +0000 Subject: [PATCH 530/552] refactor(#3165): add task to ensure Filebeat is sending data. --- .../data/playbooks/configuration.yaml | 17 ++++++++++ .../data/playbooks/generate_events.yaml | 33 ++++++++++++++++++- .../data/test_cases/cases_fim_linux.yaml | 18 +++++----- .../test_fim/test_fim_linux/test_fim_linux.py | 6 ++-- 4 files changed, 61 insertions(+), 13 deletions(-) diff --git a/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/configuration.yaml index 59cc902fa5..46edd7edf9 100644 --- a/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/configuration.yaml 
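Review bot: This reverts the `autouse=True` added one commit earlier, and neither message records why a session-wide run of `validate_environments` was unsuitable, so the next person will be tempted to flip it back. Add a short comment above the decorator, e.g. `# Not autouse: validation is requested explicitly by the tests that need it; see #3165`, and confirm that every E2E test that relies on a validated inventory actually lists the fixture, since nothing in this hunk shows how it is otherwise requested. The body of `validate_environments` continues outside the hunk.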
@@ -25,3 +25,20 @@ tasks_from: restart_wazuh.yaml vars: os: linux + + - name: Configure debug mode in Filebeat + become: true + blockinfile: + insertbefore: 'logging.to_files: true' + block: | + logging.level: debug + logging.selectors: ["processors"] + path: /etc/filebeat/filebeat.yml + delegate_to: centos-manager + + - name: Restart Filebeat to apply configurations + become: true + systemd: + state: restarted + name: filebeat + delegate_to: centos-manager diff --git a/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/generate_events.yaml index 38fb00f233..df734592e8 100644 --- a/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/playbooks/generate_events.yaml 
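Review bot: The `blockinfile` task turns on `logging.level: debug` with the `processors` selector in `/etc/filebeat/filebeat.yml` on the manager, but nothing in this change removes it again, so the manager is left at debug verbosity for every test that follows and `/var/log/filebeat/filebeat` keeps accumulating event payloads (the sibling generate_events hunk greps `rule_description` out of that file, so alert content does land there). Add a matching `blockinfile` with `state: absent` plus a Filebeat restart to the test's teardown, and note the intent on the task, e.g. `# Debug processors logging is only needed so generate_events.yaml can confirm Filebeat forwarded the alert; teardown.yaml removes it`. The hard-coded `delegate_to: centos-manager` also differs from the `hosts: manager` used by the generate_events plays in this series; if both name the same inventory host, prefer the group name so the configuration play does not break on a renamed host.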
@@ -25,10 +25,41 @@ - name: Wait for expected alert block: - - name: Wait for alert to be generated + - name: Wait asynchronously for Filebeat to send data to Wazuh Indexer + become: true wait_for: + path: /var/log/filebeat/filebeat + search_regex: "{{ rule_description }}" + async: 30 + poll: 0 + register: async_waiter + + - name: Search alert in alerts log + include_role: + name: manage_alerts + tasks_from: search_alert.yaml + vars: + timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ + custom_regex: "{\"timestamp\":\"{{ timestamp }}\",\"rule\":{\"level\":{{ rule_level }},\"description\":\ + \"{{ rule_description }}\",\"id\":\"{{ rule_id }}\".*" timeout: 30 + - name: Check if Filebeat has sent the alert data to Wazuh Indexer + become: true + async_status: + jid: "{{ async_waiter.ansible_job_id }}" + register: wait_result + until: wait_result.finished + retries: 15 + delay: 2 + # Ignore error to display a custom failure message after the current task + ignore_errors: true + + - name: Fail when the alert data does not appear in Filebeat log + fail: + msg: "{{ rule_description }} was not found in '/var/log/filebeat/filebeat' after 30s" + when: wait_result.failed + always: - name: Get alert json diff --git a/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/test_cases/cases_fim_linux.yaml b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/test_cases/cases_fim_linux.yaml index 22930d37b5..3a01dfec85 100644 --- a/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/test_cases/cases_fim_linux.yaml +++ b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/data/test_cases/cases_fim_linux.yaml @@ -7,9 +7,9 @@ path: /tmp/test_demo_fim/monitored_file.txt state: touch mode: 0755 - rule.id: 554 - rule.level: 5 - rule.description: File added to the system\. + rule_id: 554 + rule_level: 5 + rule_description: File added to the system\. extra: syscheck.path: \/tmp\/test_demo_fim\/monitored_file\.txt 
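Review bot: The async `wait_for` on `/var/log/filebeat/filebeat`, the `search_alert.yaml` include, the `async_status` poll with `ignore_errors: true` and the custom `fail` are the same four tasks already present in the docker_monitoring and fim_windows generate_events playbooks; a third verbatim copy is the point to move them into the `manage_alerts` role (for example `tasks_from: wait_for_filebeat.yaml` taking `search_regex` and `timeout` as vars) so the timeout, retry count and failure message stay in sync. As written, if `Search alert in alerts log` fails inside the block, the `async_status` task never runs and the background job started with `async: 30` is never reaped; an `async_status` with `mode: cleanup` in the `always:` section would tidy that up. The `always:` section and the `Get alert json` include continue outside the hunk.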
@@ -22,9 +22,9 @@ path: /tmp/test_demo_fim/monitored_file.txt state: file mode: 0750 - rule.id: 550 - rule.level: 7 - rule.description: Integrity checksum changed\. + rule_id: 550 + rule_level: 7 + rule_description: Integrity checksum changed\. extra: syscheck.path: \/tmp\/test_demo_fim\/monitored_file\.txt @@ -37,8 +37,8 @@ path: /tmp/test_demo_fim/monitored_file.txt state: absent mode: 0755 - rule.id: 553 - rule.level: 7 - rule.description: File deleted\. + rule_id: 553 + rule_level: 7 + rule_description: File deleted\. extra: syscheck.path: \/tmp\/test_demo_fim\/monitored_file\.txt diff --git a/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/test_fim_linux.py b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/test_fim_linux.py index 6f67e130cc..6a58ca35a0 100644 --- a/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/test_fim_linux.py +++ b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/test_fim_linux.py @@ -105,9 +105,9 @@ def test_fim_linux(configure_environment, metadata, get_indexer_credentials, get - The `configuration.yaml` file provides the module configuration for this test. - The `generate_events.yaml`file provides the function configuration for this test. ''' - rule_id = metadata['rule.id'] - rule_level = metadata['rule.level'] - rule_description = metadata['rule.description'] + rule_id = metadata['extra_vars']['rule_id'] + rule_level = metadata['extra_vars']['rule_level'] + rule_description = metadata['extra_vars']['rule_description'] syscheck_path = metadata['extra']['syscheck.path'] timestamp_regex = r'\d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+' From bb39066cf852e644a3bb514e342bc571e5980856 Mon Sep 17 00:00:00 2001 
From: Mauro Malara Date: Thu, 8 Sep 2022 18:00:43 +0000 Subject: [PATCH 531/552] fix(#3165): fix Yara E2E test. --- .../data/playbooks/configuration.yaml | 106 +++++++++--------- .../data/playbooks/generate_events.yaml | 8 +- .../data/playbooks/teardown.yaml | 7 ++ 3 files changed, 67 insertions(+), 54 deletions(-) diff --git a/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/configuration.yaml index 2bb510030b..d1f3238b51 100644 --- a/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/configuration.yaml 
@@ -3,6 +3,59 @@ become: true tasks: + - name: Create a directory to store Yara rules + file: + path: /tmp/yara/rules + state: directory + + - name: Download Yara rules + shell: | + curl {{ s3_url }}/yara_integration/yara_rules.yar -o /tmp/yara/rules/yara_rules.yar + + - name: Create a directory to store malware + file: + path: /tmp/yara/malware + state: directory + + - name: Copy the Yara script + shell: | + curl {{ s3_url }}/yara_integration/yara.sh -o /var/ossec/active-response/bin/yara.sh + chown root:wazuh /var/ossec/active-response/bin/yara.sh + chmod 0750 /var/ossec/active-response/bin/yara.sh + + - name: Check if epel-release is installed + shell: rpm -qa epel-release + register: check_epel_release + + - name: Install epel-release + package: + name: + - epel-release + state: present + when: '"epel" not in check_epel_release.stdout' + + - name: Check if yara is installed + shell: rpm -qa yara + register: check_yara + + - name: Install Yara on CentOS + package: + name: + - yara + state: present + when: '"yara" not in check_yara.stdout' + + - name: Check if jq is installed + shell: rpm -qa jq + register: check_jq + + - name: Install jq (JSON Processor) on CentOS + package: + name: + - jq + state: present + when: '"jq" not in check_jq.stdout' + - name: Configure local rules for Yara include_role: name: manage_wazuh_configurations 
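Review bot: `Copy the Yara script` installs `/var/ossec/active-response/bin/yara.sh` straight from `{{ s3_url }}` with a bare `curl`, so an HTTP error body or a tampered download would land in the active-response directory as `root:wazuh 0750` and later be executed by the manager; `curl` without `-f` exits 0 on a 404, so the task would not even fail. Use `get_url` with a pinned `checksum` (setting owner/group/mode in the same task) instead of `shell`, and apply the same to `Download Yara rules`. The three `rpm -qa` + `register` + `when` triplets are redundant with `package: state: present`, which is already idempotent.
```yaml
      - name: Copy the Yara script
        get_url:
          url: "{{ s3_url }}/yara_integration/yara.sh"
          dest: /var/ossec/active-response/bin/yara.sh
          checksum: "sha256:<EXPECTED_YARA_SH_SHA256>"  # placeholder: pin the published digest
          owner: root
          group: wazuh
          mode: "0750"
```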
@@ -77,56 +130,3 @@ tasks_from: restart_wazuh.yaml vars: os: linux - - - name: Create a directory to store Yara rules - file: - path: /tmp/yara/rules - state: directory - - - name: Download Yara rules - shell: | - curl {{ s3_url }}/yara_integration/yara_rules.yar -o /tmp/yara/rules/yara_rules.yar - - - name: Check if epel-release is installed - shell: rpm -qa epel-release - register: check_epel_release - - - name: Install epel-release - package: - name: - - epel-release - state: present - when: '"epel" not in check_epel_release.stdout' - - - name: Check if yara is installed - shell: rpm -qa yara - register: check_yara - - - name: Install Yara on CentOS - package: - name: - - yara - state: present - when: '"yara" not in check_yara.stdout' - - - name: Create a directory to store malware - file: - path: /tmp/yara/malware - state: directory - - - name: Copy the Yara script - shell: | - curl {{ s3_url }}/yara_integration/yara.sh -o /var/ossec/active-response/bin/yara.sh - chown root:wazuh /var/ossec/active-response/bin/yara.sh - chmod 0750 /var/ossec/active-response/bin/yara.sh - - - name: Check if jq is installed - shell: rpm -qa jq - register: check_jq - - - name: Install jq (JSON Processor) on CentOS - package: - name: - - jq - state: present - when: '"jq" not in check_jq.stdout' diff --git a/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/generate_events.yaml index 2a05815a23..57c142a5ee 100644 --- a/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/generate_events.yaml @@ -5,6 +5,10 @@ become: true tasks: + - name: Truncate server log + shell: echo "" > /var/ossec/logs/ossec.log + become: true + - name: Truncate alert.json include_role: name: manage_alerts 
@@ -12,7 +16,9 @@ - name: Wait until the server is ready wait_for: - timeout: 10 + path: /var/ossec/logs/ossec.log + search_regex: "INFO: Ending rootcheck scan." + timeout: 30 - name: Download malware shell: curl -s -XGET {{ url }} -o "/tmp/yara/malware/mirai" diff --git a/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/teardown.yaml index 03cc55e941..1e55bf2950 100644 --- a/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_yara_integration/data/playbooks/teardown.yaml @@ -36,3 +36,10 @@ file: path: /var/ossec/active-response/bin/yara.sh state: absent + + - name: Restart wazuh-manager + include_role: + name: manage_wazuh + tasks_from: restart_wazuh.yaml + vars: + os: linux From 75ed65643bdabda05d3fab540f4ae4e81d073333 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Thu, 8 Sep 2022 18:05:12 +0000 Subject: [PATCH 532/552] fix(#3165): fix Virustotal E2E test. --- .../data/playbooks/configuration.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/configuration.yaml index 0bed76507b..01b55e97d7 100644 --- a/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/configuration.yaml 
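Review bot: `Wait until the server is ready` now depends on `INFO: Ending rootcheck scan.` appearing in `/var/ossec/logs/ossec.log`, but the new `Truncate server log` task in the previous hunk of this file empties that log after the manager restart done at the end of `configuration.yaml`; if rootcheck has already finished when the truncation runs, the sentinel is gone and the task fails after 30s even though the server is ready. Either truncate before the restart (the Virustotal fix in this series does truncate → restart → wait) or wait on a message the truncation cannot erase. The `.` in the pattern is unescaped; `search_regex: 'INFO: Ending rootcheck scan\.'` is stricter and matches the escaping used in the other playbooks.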
@@ -107,9 +107,20 @@ chmod 750 /var/ossec/active-response/bin/remove-threat.sh chown root:wazuh /var/ossec/active-response/bin/remove-threat.sh + - name: Truncate ossec.log + shell: echo "" > /var/ossec/logs/ossec.log + become: true + - name: Restart agent include_role: name: manage_wazuh tasks_from: restart_wazuh.yaml vars: os: linux + + - name: Wait for Syscheck to end the scan + wait_for: + path: /var/ossec/logs/ossec.log + search_regex: File integrity monitoring scan ended. + timeout: 40 + ignore_errors: true From a5dca58e330aaba834f43cd67e9a82342987dab4 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Thu, 8 Sep 2022 22:04:37 +0000 Subject: [PATCH 533/552] fix(#3165): fix emotet test. --- .../data/playbooks/configuration.yaml | 127 ++++++++++-------- .../data/playbooks/generate_events.yaml | 14 +- .../test_emotet/data/playbooks/teardown.yaml | 22 +++ 3 files changed, 104 insertions(+), 59 deletions(-) diff --git a/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/configuration.yaml index 49ecff133f..83028ac4ae 100644 --- a/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/configuration.yaml 
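Review bot: `ignore_errors: true` on `Wait for Syscheck to end the scan` turns the 40s timeout into a silent no-op, so when the scan has not ended the test still proceeds and any later failure is reported far from its cause. Register the result and surface it instead, e.g. `register: scan_wait` with a `debug` or `fail` gated on `scan_wait.failed`, or drop `ignore_errors` if the finished scan is a hard precondition. The regex `File integrity monitoring scan ended.` has an unescaped `.`; quoting it as `'File integrity monitoring scan ended\.'` keeps it consistent with the other playbooks.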
@@ -1,18 +1,75 @@ -- name: Configure Windows agent environment - hosts: windows-agent +- name: Configure manager environment + hosts: manager tasks: - name: Enable auto logon community.windows.win_auto_logon: username: "{{ ansible_user }}" password: "{{ ansible_password }}" + delegate_to: windows-agent - name: Reboot Windows win_reboot: + delegate_to: windows-agent - name: Disable Windows Defender win_shell: | Set-MpPreference -DisableRealtimeMonitoring 1 + delegate_to: windows-agent + + - name: Configure local rules + include_role: + name: manage_wazuh_configurations + tasks_from: write_local_rules.yaml + vars: + config_block: | + + + sysmon + technique_name=Indirect Command Execution + Indirect Command Execution: $(win.eventdata.image) + + T1202 + + + + + sysmon + technique_name=Regsvr32 + Regsvr32: $(win.eventdata.image) + + T1218 + + + + + 255559 + WINWORD.EXE + Word Executing WScript $(win.eventdata.image) + + T1059.005 + + + + + - name: Enable events logging + become: true + lineinfile: + path: /var/ossec/etc/ossec.conf + regexp: 'no' + line: "yes" + backrefs: yes + + - name: Restart wazuh-manager + include_role: + name: manage_wazuh + tasks_from: restart_wazuh.yaml + vars: + os: linux + +- name: Configure Windows agent environment + hosts: windows-agent + tasks: - name: Create temp folder win_file: @@ -28,12 +85,6 @@ win_shell: | Expand-Archive -Path C:\temp\PSTools.zip -DestinationPath C:\temp\PSTools - - name: Copy ossec.conf - win_copy: - src: C:\Program Files (x86)\ossec-agent\ossec.conf - dest: C:\temp - remote_src: true - - name: Download sysmon win_shell: | Set-Location C:\temp @@ -53,6 +104,12 @@ cd C:\temp\Sysmon ./Sysmon64.exe -accepteula -i sysconfig.xml + - name: Copy ossec.conf + win_copy: + src: C:\Program Files (x86)\ossec-agent\ossec.conf + dest: C:\temp + remote_src: true + - name: Configure Wazuh to collect Sysmon events include_role: name: manage_wazuh_configurations 
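Review bot: `Enable events logging` rewrites `/var/ossec/etc/ossec.conf` through a `lineinfile` whose pattern is shown here as `regexp: 'no'` with `line: "yes"` and `backrefs: yes`; the XML tags seem to have been stripped by rendering (the local-rules block lost its tags too), but whatever the element is (presumably `logall_json`, given that `archives.json` is truncated later in this series), an unanchored pattern rewrites the first line that merely contains that word, so anchor it to the element and its indentation, e.g. `regexp: '^(\s*)<logall_json>no</logall_json>'` / `line: '\1<logall_json>yes</logall_json>'`, and add a comment such as `# enables archives.json, which generate_events.yaml searches`. The renamed play targets `manager` while its first three tasks act on the Windows host through `delegate_to: windows-agent` and reference `{{ ansible_user }}`/`{{ ansible_password }}`; a comment that these are expected to resolve against the delegated host would prevent a surprise, and `no_log: true` on the auto-logon task keeps the password out of verbose output. The Windows-agent play continues outside the hunk.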
@@ -68,11 +125,6 @@ Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n" os: windows - - name: Download trigger_emotet.exe - win_shell: | - Set-Location C:\temp - Invoke-WebRequest -Uri {{ s3_url }}/emotet/trigger-emotet.exe -Outfile trigger-emotet.exe - - name: Restart wazuh-agent include_role: name: manage_wazuh @@ -80,48 +132,7 @@ vars: os: windows -- name: Configure manager environment - hosts: manager - tasks: - - - name: Configure local rules - include_role: - name: manage_wazuh_configurations - tasks_from: write_local_rules.yaml - vars: - config_block: | - - - sysmon - technique_name=Indirect Command Execution - Indirect Command Execution: $(win.eventdata.image) - - T1202 - - - - - sysmon - technique_name=Regsvr32 - Regsvr32: $(win.eventdata.image) - - T1218 - - - - - 255559 - WINWORD.EXE - Word Executing WScript $(win.eventdata.image) - - T1059.005 - - - - - - name: Restart wazuh-manager - include_role: - name: manage_wazuh - tasks_from: restart_wazuh.yaml - vars: - os: linux + - name: Download trigger_emotet.exe + win_shell: | + Set-Location C:\temp + Invoke-WebRequest -Uri {{ s3_url }}/emotet/trigger-emotet.exe -Outfile trigger-emotet.exe diff --git a/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/generate_events.yaml index df1fc5d2a2..4259799c55 100644 --- a/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/generate_events.yaml +++ b/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/generate_events.yaml @@ -2,6 +2,10 @@ hosts: manager tasks: + - name: Truncate archives log + shell: echo "" > /var/ossec/logs/archives/archives.json + become: true + - name: Truncate alert.json include_role: name: manage_alerts 
@@ -20,9 +24,17 @@ hosts: manager tasks: - - name: Wait for expected alert + - name: Wait for expected event and alert block: + - name: Search event in archives + become: true + with_items: "{{ lookup('ansible.builtin.dict', alerts) }}" + wait_for: + path: /var/ossec/logs/archives/archives.json + search_regex: "{{ item.value.rule_id }}" + timeout: 10 + - name: Search alert in alerts log with_items: "{{ lookup('ansible.builtin.dict', alerts) }}" include_role: diff --git a/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/teardown.yaml index bbca22fa41..1f9c911c56 100644 --- a/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_emotet/data/playbooks/teardown.yaml @@ -34,3 +34,25 @@ - name: Enable Windows Defender win_shell: set-MpPreference -DisableRealtimeMonitoring $False + + - name: Disable events logging + lineinfile: + path: /var/ossec/etc/ossec.conf + regexp: 'yes' + line: "no" + delegate_to: centos-manager + + - name: Delete created rules + become: true + blockinfile: + path: /var/ossec/etc/rules/local_rules.xml + block: '' + marker: + delegate_to: centos-manager + + - name: Restart manager + include_role: + name: manage_wazuh + tasks_from: restart_wazuh.yaml + vars: + os: linux From 3c7375b63c041c32051e7705ec333c97f25cf823 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Fri, 9 Sep 2022 11:37:04 -0300 Subject: [PATCH 534/552] fix(#3275): remove pytest marks warnings. --- tests/pytest.ini | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 tests/pytest.ini diff --git a/tests/pytest.ini b/tests/pytest.ini new file mode 100644 index 0000000000..657a32c274 --- /dev/null +++ b/tests/pytest.ini @@ -0,0 +1,10 @@ +[pytest] +addopts = --strict-markers +markers = + tier(level) + darwin + linux + sunos5 + win32 + server + agent From 65f4001bd5b543ff1f773dd530fdcd3dae13a129 Mon Sep 17 00:00:00 2001 
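Review bot: `Search event in archives` uses `search_regex: "{{ item.value.rule_id }}"`, a bare number, so any occurrence of those digits in `archives.json` (a timestamp, a PID, part of another rule id) satisfies the wait and the 10s check can pass before the event actually exists. Anchor it to the rule field the alert search already keys on, e.g. `search_regex: "\"id\":\"{{ item.value.rule_id }}\""`. The `block:` this belongs to continues outside the hunk.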
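Review bot: `Disable events logging` in the teardown is not symmetric with the enable task: it has no `backrefs: true`, so if its pattern does not match (for instance because the enable step failed earlier) `lineinfile` appends the line at the end of `ossec.conf`, after the closing root element, and the following `Restart manager` would start the manager on a broken configuration. Add `backrefs: true` so a non-match leaves the file untouched, and anchor `regexp` to the element as in the enable task. It also lacks `become: true` while `Delete created rules` has it; unless the play header (outside the hunk) sets `become`, writing `/var/ossec/etc/ossec.conf` as the unprivileged user will fail. `marker:` on `Delete created rules` renders empty here, presumably because an XML-style marker was stripped; a comment naming the marker that `write_local_rules.yaml` emits would make the coupling explicit.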
From: Mauro Malara Date: Fri, 9 Sep 2022 11:38:18 -0300 Subject: [PATCH 535/552] fix(#3275): fix the name of credentials identifiers in role task. --- .../host_checker/tasks/check_controller_indexer.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_controller_indexer.yaml b/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_controller_indexer.yaml index abec50dd38..6809111f5f 100644 --- a/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_controller_indexer.yaml +++ b/tests/end_to_end/data/ansible_roles/host_checker/tasks/check_controller_indexer.yaml @@ -12,8 +12,8 @@ - name: Test Wazuh Indexer connection uri: url: https://{{ hostvars[inventory_hostname]['ansible_host'] }}:9200 - user: "{{ hostvars[inventory_hostname]['dashboard_user'] }}" - password: "{{ hostvars[inventory_hostname]['dashboard_password'] }}" + user: "{{ hostvars[inventory_hostname]['indexer_user'] }}" + password: "{{ hostvars[inventory_hostname]['indexer_password'] }}" method: GET status_code: 200 force_basic_auth: true From 44daf5a1ba2c121c3d27a93ff66cae9d8e822979 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Fri, 9 Sep 2022 11:40:20 -0300 Subject: [PATCH 536/552] fix(#3275): enable E2E validation stage. --- tests/end_to_end/conftest.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index e7ce3e3291..493486b6fc 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -74,7 +74,7 @@ def validate_inventory(inventory_path, target_hosts): f"Read the {readme_file} file inside the E2E suite to build a valid inventory.") -@pytest.fixture(scope='session') +@pytest.fixture(scope='session', autouse=True) def validate_environments(request): """Fixture with session scope to validate the environments before run the E2E tests. From 9543c2f326e7fe3bd96f2351336e03cc914b8968 Mon Sep 17 00:00:00 2001 
From: Mauro Malara Date: Fri, 9 Sep 2022 11:41:12 -0300 Subject: [PATCH 537/552] refactor(#3275): mark docker, fim and slack E2E tests as skipped. --- .../test_docker_monitoring/test_docker_monitoring.py | 1 + .../test_fim/test_fim_windows/test_fim_windows.py | 1 + .../test_slack_integration/test_slack_integration.py | 1 + 3 files changed, 3 insertions(+) diff --git a/tests/end_to_end/test_basic_cases/test_docker_monitoring/test_docker_monitoring.py b/tests/end_to_end/test_basic_cases/test_docker_monitoring/test_docker_monitoring.py index 321f7e719a..88f57f7a35 100644 --- a/tests/end_to_end/test_basic_cases/test_docker_monitoring/test_docker_monitoring.py +++ b/tests/end_to_end/test_basic_cases/test_docker_monitoring/test_docker_monitoring.py @@ -65,6 +65,7 @@ pytestmark = [TIER0, LINUX] +@pytest.mark.skip(reason="The tests are not stable enough to be added to the automated execution (#3274).") @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') def test_docker_monitoring(configure_environment, metadata, get_indexer_credentials, get_manager_ip, generate_events, diff --git a/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/test_fim_windows.py b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/test_fim_windows.py index aab87daa39..68c43bc13c 100644 --- a/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/test_fim_windows.py +++ b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/test_fim_windows.py @@ -65,6 +65,7 @@ pytestmark = [TIER0, WINDOWS] +@pytest.mark.skip(reason="The tests are not stable enough to be added to the automated execution (#3274).") @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) def test_fim_windows(configure_environment, metadata, get_indexer_credentials, get_manager_ip, generate_events, 
diff --git a/tests/end_to_end/test_basic_cases/test_slack_integration/test_slack_integration.py b/tests/end_to_end/test_basic_cases/test_slack_integration/test_slack_integration.py index e44533c701..ee2341d922 100644 --- a/tests/end_to_end/test_basic_cases/test_slack_integration/test_slack_integration.py +++ b/tests/end_to_end/test_basic_cases/test_slack_integration/test_slack_integration.py @@ -85,6 +85,7 @@ def remove_slack_log(): remove_file(slack_messages_log) +@pytest.mark.skip(reason="The tests are not stable enough to be added to the automated execution (#3274).") @pytest.mark.parametrize('metadata', metadata, ids=cases_ids) @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') def test_slack_integration(metadata, configure_environment, get_indexer_credentials, get_manager_ip, generate_events, From 76d60b4a863d9adb1a7d705cc364a9b5e0464930 Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Fri, 9 Sep 2022 17:20:23 -0300 Subject: [PATCH 538/552] refactor(#3275): mark test_fim_linux as skipped. Reason: It currently fails approximately 52% of the time. --- .../test_basic_cases/test_fim/test_fim_linux/test_fim_linux.py | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/test_fim_linux.py b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/test_fim_linux.py index 6a58ca35a0..b98b6855c2 100644 --- a/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/test_fim_linux.py +++ b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/test_fim_linux.py @@ -63,6 +63,7 @@ pytestmark = [TIER0, LINUX] +@pytest.mark.skip(reason="The tests are not stable enough to be added to the automated execution (#3275).") @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) def test_fim_linux(configure_environment, metadata, get_indexer_credentials, get_manager_ip, generate_events, 
From 57de7df1bf54c290fbcfe34e255973e298c0eb51 Mon Sep 17 00:00:00 2001 From: Julia Date: Mon, 12 Sep 2022 10:36:56 +0200 Subject: [PATCH 539/552] fix(#3275): fix linter errors in e2e playbooks --- .../test_audit/data/playbooks/configuration.yaml | 7 +++---- .../test_audit/data/playbooks/teardown.yaml | 5 ++--- .../test_brute_force_rdp/data/playbooks/configuration.yaml | 4 ++-- .../test_docker_monitoring/data/playbooks/teardown.yaml | 2 +- .../data/playbooks/generate_events.yaml | 3 ++- .../test_osquery_integration/data/playbooks/teardown.yaml | 2 +- .../data/playbooks/teardown.yaml | 2 +- .../data/playbooks/teardown.yaml | 4 ++-- .../data/playbooks/teardown.yaml | 2 +- 9 files changed, 15 insertions(+), 16 deletions(-) diff --git a/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/configuration.yaml index a78ea53692..7587dbaf89 100644 --- a/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/configuration.yaml @@ -1,4 +1,3 @@ ---- - name: Configure manager environment hosts: manager tasks: @@ -8,7 +7,7 @@ register: euid - name: Create wazuh audit rules file - become: True + become: true copy: dest: /etc/audit/rules.d/wazuh.rules content: | @@ -16,9 +15,9 @@ -a exit,always -F euid={{euid.stdout}} -F arch=b64 -S execve -k audit-wazuh-c - name: Delete previous audit rules - become: True + become: true shell: auditctl -D - name: Load audit rules - become: True + become: true shell: auditctl -R /etc/audit/rules.d/wazuh.rules diff --git a/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/teardown.yaml index eec5626e05..d7f157277f 100644 --- a/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_audit/data/playbooks/teardown.yaml 
@@ -1,14 +1,13 @@ ---- - name: Cleanup manager environment hosts: manager tasks: - name: Delete wazuh audit rules file - become: True + become: true file: path: /etc/audit/rules.d/wazuh.rules state: absent - name: Delete audit rules - become: True + become: true shell: auditctl -D diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml index 3d1b0779a5..903461006b 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/data/playbooks/configuration.yaml @@ -1,10 +1,10 @@ - name: Configure local environment - hosts: ubuntu-agent + hosts: ubuntu-agent become: true tasks: - name: Update packages list ansible.builtin.apt: - update_cache: yes + update_cache: true # Install hydra to attempt the RDP brute force attack - name: Install hydra diff --git a/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/teardown.yaml index 3f36fd0b99..c0a89ac024 100644 --- a/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_docker_monitoring/data/playbooks/teardown.yaml @@ -1,6 +1,6 @@ - name: Cleanup manager environment hosts: manager - become: True + become: true tasks: - name: Delete the docker-listener module configuration diff --git a/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/generate_events.yaml b/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/generate_events.yaml index c585397239..1e26c70a46 100644 --- a/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/generate_events.yaml 
+++ b/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/generate_events.yaml @@ -24,7 +24,8 @@ vars: timestamp: \d+-\d+-\d+T\d+:\d+:\d+\.\d+[+|-]\d+ custom_regex: "{\"timestamp\":\"{{ timestamp }}\",.+level\":{{ rule_level }},\"description\":\ - \"{{ rule_description }}\",\"id\":\"{{ rule_id }}\".+osquery\":.+\"name\":\"{{ osquery_name }}\"" + \"{{ rule_description }}\",\"id\":\"{{ rule_id }}\".+osquery\":.+\"name\":\ + \"{{ osquery_name }}\"" timeout: 30 always: diff --git a/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/teardown.yaml index 9b8f3e51c9..1f0f4538a4 100644 --- a/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_osquery_integration/data/playbooks/teardown.yaml @@ -1,6 +1,6 @@ - name: Cleanup manager environment hosts: manager - become: True + become: true tasks: - name: Delete Osquery configuration file diff --git a/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/teardown.yaml index 23e652c76b..511faefece 100644 --- a/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/data/playbooks/teardown.yaml @@ -1,6 +1,6 @@ - name: Cleanup manager environment hosts: manager - become: True + become: true tasks: - name: Delete localfile configuration diff --git a/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/teardown.yaml index f116641882..be047b9b00 100644 
--- a/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/data/playbooks/teardown.yaml @@ -1,6 +1,6 @@ - name: Cleanup Linux agent environment hosts: agent:&linux - become: True + become: true tasks: - name: Delete agent configuration @@ -18,7 +18,7 @@ - name: Cleanup manager environment hosts: manager - become: True + become: true tasks: - name: Delete added rules diff --git a/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/teardown.yaml b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/teardown.yaml index 4d1022851f..ebc021cf6f 100644 --- a/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/teardown.yaml +++ b/tests/end_to_end/test_basic_cases/test_virustotal_integration/data/playbooks/teardown.yaml @@ -1,6 +1,6 @@ - name: Cleanup manager environment hosts: manager - become: True + become: true tasks: - name: Delete Virustotal integration and active response configuration From 410298fa640efe812618aa200d19b11d06ee4d6f Mon Sep 17 00:00:00 2001 
From: Julia Date: Mon, 12 Sep 2022 11:20:47 +0200 Subject: [PATCH 540/552] fix(#3275): fix linter errors in roles --- provisioning/roles.yaml | 16 ++++++++-------- provisioning/roles/apache/tasks/Linux.yml | 4 ++-- provisioning/roles/apache/tasks/MacOS.yml | 2 +- provisioning/roles/apache/tasks/Solaris.yml | 2 +- provisioning/roles/apache/tasks/Windows.yml | 2 +- provisioning/roles/apache/tasks/main.yml | 8 ++++---- provisioning/roles/apache/vars/Debian.yml | 4 ++-- provisioning/roles/apache/vars/MacOS.yml | 4 ++-- provisioning/roles/apache/vars/RedHat.yml | 4 ++-- provisioning/roles/apache/vars/Solaris.yml | 4 ++-- provisioning/roles/apache/vars/Windows.yml | 4 ++-- provisioning/roles/createInventory.yaml | 1 - provisioning/roles/qa_framework/tasks/Unix.yml | 6 ++++-- .../roles/qa_framework/tasks/Windows.yml | 7 +++++-- provisioning/roles/qa_framework/tasks/main.yml | 8 ++++---- 15 files changed, 40 insertions(+), 36 deletions(-) diff --git a/provisioning/roles.yaml b/provisioning/roles.yaml index 9183ba4d99..4c30cdacf2 100644 --- a/provisioning/roles.yaml +++ b/provisioning/roles.yaml @@ -6,14 +6,14 @@ qa_framework: mandatory: qa_repository_reference: QA_REFERENCE -#---------------------- +# ---------------------- apache: playbook: ./playbooks/apache.yml os: LINUX_BASED_OS service: ANY -#---------------------- +# ---------------------- agent: playbook: ./playbooks/wazuh_environment.yaml @@ -26,7 +26,7 @@ agent: repository: REPOSITORY manager: MANAGER_HOST -#---------------------- +# ---------------------- manager: playbook: ./playbooks/wazuh_environment.yaml @@ -42,9 +42,9 @@ manager: revision: REVISION repository: REPOSITORY default: - type: master + type: master -#---------------------- +# ---------------------- indexer: playbook: ./playbooks/wazuh_environment.yaml @@ -60,7 +60,7 @@ indexer: revision: REVISION repository: REPOSITORY -#---------------------- +# ---------------------- dashboard: playbook: ./playbooks/wazuh_environment.yaml 
@@ -76,7 +76,7 @@ dashboard: revision: REVISION repository: REPOSITORY -#---------------------- +# ---------------------- filebeat: depends: manager @@ -88,4 +88,4 @@ filebeat: cpu: 2 memory: 2048 -#---------------------- +# ---------------------- diff --git a/provisioning/roles/apache/tasks/Linux.yml b/provisioning/roles/apache/tasks/Linux.yml index 76a0a286eb..3ac890b72c 100644 --- a/provisioning/roles/apache/tasks/Linux.yml +++ b/provisioning/roles/apache/tasks/Linux.yml @@ -3,12 +3,12 @@ name: "{{ program }}" state: present -- name: "Start {{ service }} service" +- name: Start {{ service }} service service: name: "{{ service }}" state: started -- name: "Check {{ service }} is running" +- name: Check {{ service }} is running command: systemctl status "{{ service }}" register: service_status failed_when: (service_status.stderr | length > 0) or ("active (running)" not in service_status.stdout ) diff --git a/provisioning/roles/apache/tasks/MacOS.yml b/provisioning/roles/apache/tasks/MacOS.yml index cb611ad60a..000d2110cb 100644 --- a/provisioning/roles/apache/tasks/MacOS.yml +++ b/provisioning/roles/apache/tasks/MacOS.yml @@ -1,7 +1,7 @@ - name: Install {{ program }} with brew | MacOS homebrew: name: "{{ program }}" - update_homebrew: yes + update_homebrew: true - name: Start {{ program }} with brew | MacOS shell: /usr/local/bin/brew services start {{ program }} diff --git a/provisioning/roles/apache/tasks/Solaris.yml b/provisioning/roles/apache/tasks/Solaris.yml index 3a3b4d2631..6e33b60633 100644 --- a/provisioning/roles/apache/tasks/Solaris.yml +++ b/provisioning/roles/apache/tasks/Solaris.yml @@ -4,7 +4,7 @@ - name: Fetch new catalog and descriptions become: true - shell: /opt/csw/bin/pkgutil -U + shell: /opt/csw/bin/pkgutil -U - name: Install apache2 become: true diff --git a/provisioning/roles/apache/tasks/Windows.yml b/provisioning/roles/apache/tasks/Windows.yml index 395a5aa5bf..d9532f5665 100644 --- a/provisioning/roles/apache/tasks/Windows.yml 
+++ b/provisioning/roles/apache/tasks/Windows.yml @@ -13,7 +13,7 @@ - name: Replace Apache's ServerRoot location community.windows.win_lineinfile: path: "{{ apache_folder_path }}/conf/httpd.conf" - backrefs: yes + backrefs: true regex: Define SRVROOT "c:/Apache24" line: Define SRVROOT "c:/Users/qa/Apache24" diff --git a/provisioning/roles/apache/tasks/main.yml b/provisioning/roles/apache/tasks/main.yml index edc473df4a..0196a1ff9e 100644 --- a/provisioning/roles/apache/tasks/main.yml +++ b/provisioning/roles/apache/tasks/main.yml @@ -28,17 +28,17 @@ # Linux - name: Include Linux custom tasks - include_tasks: "Linux.yml" + include_tasks: Linux.yml when: ansible_os_family == "Debian" or ansible_os_family == "RedHat" # Windows - name: Include Windows custom tasks - include_tasks: "Windows.yml" + include_tasks: Windows.yml when: ansible_os_family == "Windows" # Solaris - name: Include Solaris custom tasks - include_tasks: "Solaris.yml" + include_tasks: Solaris.yml when: ansible_os_family == "Solaris" args: apply: @@ -47,5 +47,5 @@ # macOS - name: Include MacOS custom tasks - include_tasks: "MacOS.yml" + include_tasks: MacOS.yml when: ansible_os_family == "Darwin" diff --git a/provisioning/roles/apache/vars/Debian.yml b/provisioning/roles/apache/vars/Debian.yml index 40e59bbde6..3239efe204 100644 --- a/provisioning/roles/apache/vars/Debian.yml +++ b/provisioning/roles/apache/vars/Debian.yml @@ -1,2 +1,2 @@ -program: "apache2" -service: "apache2" +program: apache2 +service: apache2 diff --git a/provisioning/roles/apache/vars/MacOS.yml b/provisioning/roles/apache/vars/MacOS.yml index 99a8e9c4d6..91d4d1d2f9 100644 --- a/provisioning/roles/apache/vars/MacOS.yml +++ b/provisioning/roles/apache/vars/MacOS.yml @@ -1,3 +1,3 @@ -program: "httpd" -service: "httpd" +program: httpd +service: httpd home_dir: /Users/vagrant diff --git a/provisioning/roles/apache/vars/RedHat.yml b/provisioning/roles/apache/vars/RedHat.yml index 0364124645..4c14545279 100644 
--- a/provisioning/roles/apache/vars/RedHat.yml +++ b/provisioning/roles/apache/vars/RedHat.yml @@ -1,2 +1,2 @@ -program: "httpd" -service: "httpd" +program: httpd +service: httpd diff --git a/provisioning/roles/apache/vars/Solaris.yml b/provisioning/roles/apache/vars/Solaris.yml index 53e77171bf..29e8143acc 100644 --- a/provisioning/roles/apache/vars/Solaris.yml +++ b/provisioning/roles/apache/vars/Solaris.yml @@ -1,4 +1,4 @@ -program : apache-24 +program: apache-24 service: apache24 home_dir: /export/home/vagrant -environment_paths: "/opt/python3/bin/:/usr/sbin:/usr/bin:/usr/sbin/:/opt/csw/gnu/:/usr/sfw/bin/:/opt/csw/bin/" +environment_paths: /opt/python3/bin/:/usr/sbin:/usr/bin:/usr/sbin/:/opt/csw/gnu/:/usr/sfw/bin/:/opt/csw/bin/ diff --git a/provisioning/roles/apache/vars/Windows.yml b/provisioning/roles/apache/vars/Windows.yml index 3a8c53efc7..940c2b2b56 100644 --- a/provisioning/roles/apache/vars/Windows.yml +++ b/provisioning/roles/apache/vars/Windows.yml @@ -4,8 +4,8 @@ service: httpd apache_version: 2.4.54 home_dir: C:\Users/qa # latest stable version -apache_zip_url: "https://www.apachelounge.com/download/VS16/binaries/httpd-2.4.54-win64-VS16.zip" -apache_algorithm: sha256 +apache_zip_url: https://www.apachelounge.com/download/VS16/binaries/httpd-2.4.54-win64-VS16.zip +apache_algorithm: sha256 apache_checksum: b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c apache_zip_file: httpd-{{apache_version}}-win64-VS16.zip apache_zip_path: "{{home_dir}}/{{apache_zip_file}}" diff --git a/provisioning/roles/createInventory.yaml b/provisioning/roles/createInventory.yaml index eb1d104009..f5b42b31c1 100644 --- a/provisioning/roles/createInventory.yaml +++ b/provisioning/roles/createInventory.yaml @@ -1,4 +1,3 @@ ---- - name: Creating inventory using templates hosts: localhost diff --git a/provisioning/roles/qa_framework/tasks/Unix.yml b/provisioning/roles/qa_framework/tasks/Unix.yml index 5f71a1afd1..ac8a98922d 100644 
--- a/provisioning/roles/qa_framework/tasks/Unix.yml +++ b/provisioning/roles/qa_framework/tasks/Unix.yml @@ -21,11 +21,13 @@ delay: 10 until: clone_result is success environment: - PATH: "/opt/python3/bin/:/usr/bin:/bin:/usr/sbin/:/opt/csw/gnu/:/usr/sfw/bin/:/opt/csw/bin/" + PATH: /opt/python3/bin/:/usr/bin:/bin:/usr/sbin/:/opt/csw/gnu/:/usr/sfw/bin/:/opt/csw/bin/ when: ansible_os_family == "Solaris" - name: Install python requirements | UNIX - command: "{{ python_executable }} -m pip install -r {{ qa_requirements_file }} --no-cache-dir --only-binary=:cryptography,grpcio: --user" + command: > + {{ python_executable }} -m pip install -r {{ qa_requirements_file }} --no-cache-dir + --only-binary=:cryptography,grpcio: --user args: chdir: "{{ build_dir }}" diff --git a/provisioning/roles/qa_framework/tasks/Windows.yml b/provisioning/roles/qa_framework/tasks/Windows.yml index 66a0689ae4..3561f58ff9 100644 --- a/provisioning/roles/qa_framework/tasks/Windows.yml +++ b/provisioning/roles/qa_framework/tasks/Windows.yml @@ -7,10 +7,13 @@ win_command: powershell.exe - args: chdir: "{{ build_dir }}" - stdin: "git clone {{ qa_repository_url }} -b {{ qa_repository_reference }} --depth=1 {{ build_dir }}/tmp; move tmp/* ./" + stdin: > + git clone {{ qa_repository_url }} -b {{ qa_repository_reference }} --depth=1 {{ build_dir }}/tmp; move tmp/* ./ - name: Install python requirements | Windows - win_command: "{{ python_executable }} -m pip install -r {{ qa_requirements_file }} --no-cache-dir --only-binary=:cryptography,grpcio:" + win_command: > + {{ python_executable }} -m pip install -r {{ qa_requirements_file }} --no-cache-dir + --only-binary=:cryptography,grpcio: args: chdir: "{{ build_dir }}" diff --git a/provisioning/roles/qa_framework/tasks/main.yml b/provisioning/roles/qa_framework/tasks/main.yml index e1aa89cfc9..5f9e6ea69c 100644 --- a/provisioning/roles/qa_framework/tasks/main.yml +++ b/provisioning/roles/qa_framework/tasks/main.yml 
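Review bot: The new folded scalars `command: >` in Unix.yml and `win_command: >` in the Windows.yml hunk use clip chomping, so each pip command string now ends with a newline that the old double-quoted one-liners did not carry. Whether that newline survives into the last argument depends on how each module splits its arguments, so the strip form is the safer spelling: `command: >-` and `win_command: >-`. For the `stdin: >` block the trailing newline is presumably what terminates the line handed to PowerShell, so `>` looks right there. In that same `stdin` line, `{{ qa_repository_url }}` and `{{ qa_repository_reference }}` are interpolated unquoted into the PowerShell command; quoting them in the template keeps a reference containing spaces or shell metacharacters from being parsed as extra arguments, even though these values come from the provisioning configuration rather than from an untrusted source.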
@@ -3,28 +3,28 @@ # Unix - name: Include Unix custom vars include_vars: Unix.yml - when: + when: - customize == false - ansible_os_family != "Windows" # Solaris - name: Include Solaris custom vars include_vars: Solaris.yml - when: + when: - customize == false - ansible_os_family == "Solaris" # macOS - name: Include macOS custom vars include_vars: macOS.yml - when: + when: - customize == false - ansible_os_family == "Darwin" # Windows - name: Include Windows custom vars include_vars: Windows.yml - when: + when: - customize == false - ansible_os_family == "Windows" From 723b56662b39e18d5394cda773456fdb0267038b Mon Sep 17 00:00:00 2001 From: Julia Date: Mon, 12 Sep 2022 11:23:17 +0200 Subject: [PATCH 541/552] fix(#3275): fix linter errors in createInventory.yaml --- provisioning/roles/createInventory.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/provisioning/roles/createInventory.yaml b/provisioning/roles/createInventory.yaml index f5b42b31c1..def296f26d 100644 --- a/provisioning/roles/createInventory.yaml +++ b/provisioning/roles/createInventory.yaml @@ -2,7 +2,7 @@ hosts: localhost tasks: - - name: "Template a file" - ansible.builtin.template: - src: "{{ source_template }}" - dest: "{{ dest_inventory}}" + - name: Template a file + ansible.builtin.template: + src: "{{ source_template }}" + dest: "{{ dest_inventory}}" From 3cc183eb285ff19d53f6ad1d4b7191f1b6ec7f53 Mon Sep 17 00:00:00 2001 From: Julia Date: Mon, 12 Sep 2022 12:05:58 +0200 Subject: [PATCH 542/552] fix(#3275): fix linter errors in playbooks --- provisioning/playbooks/apache.yml | 24 ++-- provisioning/playbooks/qa_framework.yml | 2 +- provisioning/playbooks/wazuh_environment.yaml | 125 +++++++++--------- 3 files changed, 75 insertions(+), 76 deletions(-) diff --git a/provisioning/playbooks/apache.yml b/provisioning/playbooks/apache.yml index d3e2ecc322..3b4fc883cb 100644 --- a/provisioning/playbooks/apache.yml +++ b/provisioning/playbooks/apache.yml 
@@ -1,14 +1,14 @@ - hosts: apache tasks: - - name: Install apache block - block: - - name: Install apache server in Linux systems - become: yes - become_user: root - import_role: - name: ../roles/apache - when: ansible_os_family == "Debian" or ansible_os_family == "RedHat" or ansible_os_family == "Solaris" - - name: Install apache server in Windows and macOS hosts - import_role: - name: ../roles/apache - when: ansible_os_family == "Windows" or ansible_os_family == "Darwin" + - name: Install apache block + block: + - name: Install apache server in Linux systems + become: true + become_user: root + import_role: + name: ../roles/apache + when: ansible_os_family == "Debian" or ansible_os_family == "RedHat" or ansible_os_family == "Solaris" + - name: Install apache server in Windows and macOS hosts + import_role: + name: ../roles/apache + when: ansible_os_family == "Windows" or ansible_os_family == "Darwin" diff --git a/provisioning/playbooks/qa_framework.yml b/provisioning/playbooks/qa_framework.yml index 779099b4a4..a9ff6239f9 100644 --- a/provisioning/playbooks/qa_framework.yml +++ b/provisioning/playbooks/qa_framework.yml @@ -6,7 +6,7 @@ - port: 1514 protocol: tcp api_port: 55000 - api_proto: 'http' + api_proto: http api_user: ansible max_retries: 5 retry_interval: 5 diff --git a/provisioning/playbooks/wazuh_environment.yaml b/provisioning/playbooks/wazuh_environment.yaml index 9ee160e972..bb0044e3ae 100644 --- a/provisioning/playbooks/wazuh_environment.yaml +++ b/provisioning/playbooks/wazuh_environment.yaml 
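Review bot: `api_proto: http` in the qa_framework.yml hunk makes the `api_user` credentials for port 55000 travel in clear text, while the dashboard's `wazuh_api_credentials` entry in wazuh_environment.yaml on this same page reaches port 55000 over `url: https://...`. If the API is deployed with TLS, as that wiring suggests, the line should read `api_proto: https`. If plain http is deliberate for this disposable test environment, a one-line comment above it saying so (and that the API must be configured to accept it) would stop the next reader from flagging the inconsistency.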
@@ -1,72 +1,71 @@ ---- # Certificates generation - - hosts: wi1 - roles: - - role: "{{ wazuh_ansible_roles }}/wazuh/wazuh-indexer" - indexer_network_host: "{{ private_ip }}" - perform_installation: false - become: true - vars: - indexer_node_master: true - tags: - - generate-certs +- hosts: wi1 + roles: + - role: "{{ wazuh_ansible_roles }}/wazuh/wazuh-indexer" + indexer_network_host: "{{ private_ip }}" + perform_installation: false + become: true + vars: + indexer_node_master: true + tags: + - generate-certs # Wazuh indexer cluster - - hosts: wi_cluster - roles: - - role: "{{ wazuh_ansible_roles }}/wazuh/wazuh-indexer" - indexer_network_host: "{{ private_ip }}" - become: true - become_user: root - vars: - indexer_node_master: true +- hosts: wi_cluster + roles: + - role: "{{ wazuh_ansible_roles }}/wazuh/wazuh-indexer" + indexer_network_host: "{{ private_ip }}" + become: true + become_user: root + vars: + indexer_node_master: true - - hosts: manager - roles: - - role: "{{wazuh_ansible_roles }}/wazuh/ansible-wazuh-manager" - become: true - become_user: root +- hosts: manager + roles: + - role: "{{wazuh_ansible_roles }}/wazuh/ansible-wazuh-manager" + become: true + become_user: root - - hosts: filebeat - roles: - - role: "{{wazuh_ansible_roles }}/wazuh/ansible-filebeat-oss" - become: true - become_user: root +- hosts: filebeat + roles: + - role: "{{wazuh_ansible_roles }}/wazuh/ansible-filebeat-oss" + become: true + become_user: root # Indexer + dashboard node - - hosts: dashboard - roles: - - role: "{{wazuh_ansible_roles }}/wazuh/wazuh-indexer" - - role: "{{wazuh_ansible_roles }}/wazuh/wazuh-dashboard" - become: true - become_user: root - vars: - indexer_network_host: "{{ hostvars.dashboard.private_ip }}" - indexer_node_master: false - indexer_node_ingest: false - indexer_node_data: false - indexer_cluster_nodes: "{{ indexer_discovery_nodes }}" - ansible_shell_allow_world_readable_temp: true - wazuh_api_credentials: - - id: default - url: https://{{ 
hostvars.master.private_ip }} - port: 55000 - username: wazuh - password: wazuh +- hosts: dashboard + roles: + - role: "{{wazuh_ansible_roles }}/wazuh/wazuh-indexer" + - role: "{{wazuh_ansible_roles }}/wazuh/wazuh-dashboard" + become: true + become_user: root + vars: + indexer_network_host: "{{ hostvars.dashboard.private_ip }}" + indexer_node_master: false + indexer_node_ingest: false + indexer_node_data: false + indexer_cluster_nodes: "{{ indexer_discovery_nodes }}" + ansible_shell_allow_world_readable_temp: true + wazuh_api_credentials: + - id: default + url: https://{{ hostvars.master.private_ip }} + port: 55000 + username: wazuh + password: wazuh - # Agent - - hosts: agent - tasks: - - name: Agents - block: - - name: Install UNIX based agents - become: yes - become_user: root - import_role: - name: "{{ wazuh_ansible_roles }}/wazuh/ansible-wazuh-agent" - when: ansible_os_family != "Windows" +# Agent +- hosts: agent + tasks: + - name: Agents + block: + - name: Install UNIX based agents + become: yes + become_user: root + import_role: + name: "{{ wazuh_ansible_roles }}/wazuh/ansible-wazuh-agent" + when: ansible_os_family != "Windows" - - name: Install Windows based agents - import_role: - name: "{{ wazuh_ansible_roles }}/wazuh/ansible-wazuh-agent" - when: ansible_os_family == "Windows" \ No newline at end of file + - name: Install Windows based agents + import_role: + name: "{{ wazuh_ansible_roles }}/wazuh/ansible-wazuh-agent" + when: ansible_os_family == "Windows" From d342a4666073a7616407461992a8d2361b757963 Mon Sep 17 00:00:00 2001 From: Julia Date: Mon, 12 Sep 2022 12:08:57 +0200 Subject: [PATCH 543/552] fix(#3275): fix linter errors in wazuh_environment.yaml --- provisioning/playbooks/wazuh_environment.yaml | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/provisioning/playbooks/wazuh_environment.yaml b/provisioning/playbooks/wazuh_environment.yaml index bb0044e3ae..da6ee2ede8 100644 
--- a/provisioning/playbooks/wazuh_environment.yaml +++ b/provisioning/playbooks/wazuh_environment.yaml @@ -56,16 +56,16 @@ # Agent - hosts: agent tasks: - - name: Agents - block: - - name: Install UNIX based agents - become: yes - become_user: root - import_role: - name: "{{ wazuh_ansible_roles }}/wazuh/ansible-wazuh-agent" - when: ansible_os_family != "Windows" + - name: Agents + block: + - name: Install UNIX based agents + become: true + become_user: root + import_role: + name: "{{ wazuh_ansible_roles }}/wazuh/ansible-wazuh-agent" + when: ansible_os_family != "Windows" - - name: Install Windows based agents - import_role: - name: "{{ wazuh_ansible_roles }}/wazuh/ansible-wazuh-agent" - when: ansible_os_family == "Windows" + - name: Install Windows based agents + import_role: + name: "{{ wazuh_ansible_roles }}/wazuh/ansible-wazuh-agent" + when: ansible_os_family == "Windows" From 7472a436f4a5567e8eea9bb74d4cf62b113b2cfd Mon Sep 17 00:00:00 2001 From: Julia Date: Mon, 12 Sep 2022 13:09:12 +0200 Subject: [PATCH 544/552] fix(#3275): fix linter errors in end_to_end_environment.yaml --- .../environments/end_to_end_environment.yaml | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/provisioning/environments/end_to_end_environment.yaml b/provisioning/environments/end_to_end_environment.yaml index 25aa0e7586..2a7fd63e78 100644 --- a/provisioning/environments/end_to_end_environment.yaml +++ b/provisioning/environments/end_to_end_environment.yaml @@ -1,13 +1,17 @@ centos-manager: os: centos - roles: [manager, indexer, filebeat] + roles: + - manager + - indexer + - filebeat resources: cpu: 4 memory: 8192 ubuntu-agent: os: ubuntu - roles: [agent] + roles: + - agent manager: centos-manager resources: cpu: 2 @@ -15,12 +19,14 @@ ubuntu-agent: centos-agent: os: centos - roles: [agent] + roles: + - agent manager: centos-manager windows-agent: os: windows - roles: [agent] + roles: + - agent manager: centos-manager resources: cpu: 2 
From d44eba19d6c05db5d0c583c6b83d35fb8de7a9f5 Mon Sep 17 00:00:00 2001 From: Julia Date: Mon, 12 Sep 2022 13:14:33 +0200 Subject: [PATCH 545/552] Revert "fix(#3275): fix linter errors in end_to_end_environment.yaml" This reverts commit 7472a436f4a5567e8eea9bb74d4cf62b113b2cfd. --- .../environments/end_to_end_environment.yaml | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/provisioning/environments/end_to_end_environment.yaml b/provisioning/environments/end_to_end_environment.yaml index 2a7fd63e78..25aa0e7586 100644 --- a/provisioning/environments/end_to_end_environment.yaml +++ b/provisioning/environments/end_to_end_environment.yaml @@ -1,17 +1,13 @@ centos-manager: os: centos - roles: - - manager - - indexer - - filebeat + roles: [manager, indexer, filebeat] resources: cpu: 4 memory: 8192 ubuntu-agent: os: ubuntu - roles: - - agent + roles: [agent] manager: centos-manager resources: cpu: 2 @@ -19,14 +15,12 @@ ubuntu-agent: centos-agent: os: centos - roles: - - agent + roles: [agent] manager: centos-manager windows-agent: os: windows - roles: - - agent + roles: [agent] manager: centos-manager resources: cpu: 2 From c97ae4fb892727899418bcb8c15abc14bb7955b3 Mon Sep 17 00:00:00 2001 From: Julia Date: Mon, 12 Sep 2022 13:16:31 +0200 Subject: [PATCH 546/552] fix(#3275): fix linter errors in end_to_end_environment.yaml --- .../environments/end_to_end_environment.yaml | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/provisioning/environments/end_to_end_environment.yaml b/provisioning/environments/end_to_end_environment.yaml index 25aa0e7586..0acff66e9a 100644 --- a/provisioning/environments/end_to_end_environment.yaml +++ b/provisioning/environments/end_to_end_environment.yaml 
@@ -1,13 +1,17 @@ centos-manager: os: centos - roles: [manager, indexer, filebeat] + roles: + - manager + indexer + filebeat resources: cpu: 4 memory: 8192 ubuntu-agent: os: ubuntu - roles: [agent] + roles: + - agent manager: centos-manager resources: cpu: 2 @@ -15,12 +19,14 @@ ubuntu-agent: centos-agent: os: centos - roles: [agent] + roles: + - agent manager: centos-manager windows-agent: os: windows - roles: [agent] + roles: + - agent manager: centos-manager resources: cpu: 2 From feac51673d48cfe8b8baaa7d7fc5bb8efd4762c8 Mon Sep 17 00:00:00 2001 
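Review bot: In the centos-manager entry of the first hunk, `indexer` and `filebeat` are added without the `- ` list marker that `manager` has, unlike the earlier version of this change (patch 544), which wrote `- indexer` and `- filebeat`. Depending on the indentation the collapsed diff does not show, YAML will either fold the three lines into a single list item named `manager indexer filebeat` or reject the document, so the manager host would lose its indexer and filebeat roles. The re-indent of the same three lines in the next commit (patch 547, hunk `@@ -1,9 +1,9 @@` on the same file) keeps the same text and does not fix it. The intended lines are `- manager`, `- indexer`, `- filebeat`, each with its marker.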
From: Julia Date: Mon, 12 Sep 2022 13:28:55 +0200 Subject: [PATCH 547/552] fix(#3275): fix linter errors --- .../environments/end_to_end_environment.yaml | 6 +-- provisioning/playbooks/apache.yml | 14 ----- provisioning/playbooks/qa_framework.yml | 12 ----- provisioning/roles/apache/tasks/Linux.yml | 14 ----- provisioning/roles/apache/tasks/MacOS.yml | 7 --- provisioning/roles/apache/tasks/Solaris.yml | 19 ------- provisioning/roles/apache/tasks/Windows.yml | 27 ---------- provisioning/roles/apache/tasks/main.yml | 51 ------------------- provisioning/roles/apache/vars/Debian.yml | 2 - provisioning/roles/apache/vars/MacOS.yml | 3 -- provisioning/roles/apache/vars/RedHat.yml | 2 - provisioning/roles/apache/vars/Solaris.yml | 4 -- provisioning/roles/apache/vars/Windows.yml | 13 ----- provisioning/roles/apache/vars/main.yml | 0 .../roles/qa_framework/defaults/main.yml | 8 --- .../roles/qa_framework/tasks/Solaris.yml | 4 -- .../roles/qa_framework/tasks/Unix.yml | 37 -------------- .../roles/qa_framework/tasks/Windows.yml | 23 --------- .../roles/qa_framework/tasks/main.yml | 41 --------------- .../roles/qa_framework/vars/Solaris.yml | 1 - provisioning/roles/qa_framework/vars/Unix.yml | 1 - .../roles/qa_framework/vars/Windows.yml | 2 - .../roles/qa_framework/vars/macOS.yml | 1 - provisioning/roles/qa_framework/vars/main.yml | 0 24 files changed, 3 insertions(+), 289 deletions(-) delete mode 100644 provisioning/playbooks/apache.yml delete mode 100644 provisioning/playbooks/qa_framework.yml delete mode 100644 provisioning/roles/apache/tasks/Linux.yml delete mode 100644 provisioning/roles/apache/tasks/MacOS.yml delete mode 100644 provisioning/roles/apache/tasks/Solaris.yml delete mode 100644 provisioning/roles/apache/tasks/Windows.yml delete mode 100644 provisioning/roles/apache/tasks/main.yml delete mode 100644 provisioning/roles/apache/vars/Debian.yml delete mode 100644 provisioning/roles/apache/vars/MacOS.yml delete mode 100644 provisioning/roles/apache/vars/RedHat.yml 
delete mode 100644 provisioning/roles/apache/vars/Solaris.yml delete mode 100644 provisioning/roles/apache/vars/Windows.yml delete mode 100644 provisioning/roles/apache/vars/main.yml delete mode 100644 provisioning/roles/qa_framework/defaults/main.yml delete mode 100644 provisioning/roles/qa_framework/tasks/Solaris.yml delete mode 100644 provisioning/roles/qa_framework/tasks/Unix.yml delete mode 100644 provisioning/roles/qa_framework/tasks/Windows.yml delete mode 100644 provisioning/roles/qa_framework/tasks/main.yml delete mode 100644 provisioning/roles/qa_framework/vars/Solaris.yml delete mode 100644 provisioning/roles/qa_framework/vars/Unix.yml delete mode 100644 provisioning/roles/qa_framework/vars/Windows.yml delete mode 100644 provisioning/roles/qa_framework/vars/macOS.yml delete mode 100644 provisioning/roles/qa_framework/vars/main.yml diff --git a/provisioning/environments/end_to_end_environment.yaml b/provisioning/environments/end_to_end_environment.yaml index 0acff66e9a..3db38e898c 100644 --- a/provisioning/environments/end_to_end_environment.yaml +++ b/provisioning/environments/end_to_end_environment.yaml @@ -1,9 +1,9 @@ centos-manager: os: centos roles: - - manager - indexer - filebeat + - manager + indexer + filebeat resources: cpu: 4 memory: 8192 diff --git a/provisioning/playbooks/apache.yml b/provisioning/playbooks/apache.yml deleted file mode 100644 index 3b4fc883cb..0000000000 --- a/provisioning/playbooks/apache.yml +++ /dev/null @@ -1,14 +0,0 @@ -- hosts: apache - tasks: - - name: Install apache block - block: - - name: Install apache server in Linux systems - become: true - become_user: root - import_role: - name: ../roles/apache - when: ansible_os_family == "Debian" or ansible_os_family == "RedHat" or ansible_os_family == "Solaris" - - name: Install apache server in Windows and macOS hosts - import_role: - name: ../roles/apache - when: ansible_os_family == "Windows" or ansible_os_family == "Darwin" 
diff --git a/provisioning/playbooks/qa_framework.yml b/provisioning/playbooks/qa_framework.yml deleted file mode 100644 index a9ff6239f9..0000000000 --- a/provisioning/playbooks/qa_framework.yml +++ /dev/null @@ -1,12 +0,0 @@ -- hosts: qa_framework - roles: - - ../roles/qa_framework - vars: - qa_hosts: - - port: 1514 - protocol: tcp - api_port: 55000 - api_proto: http - api_user: ansible - max_retries: 5 - retry_interval: 5 diff --git a/provisioning/roles/apache/tasks/Linux.yml b/provisioning/roles/apache/tasks/Linux.yml deleted file mode 100644 index 3ac890b72c..0000000000 --- a/provisioning/roles/apache/tasks/Linux.yml +++ /dev/null @@ -1,14 +0,0 @@ -- name: Install apache server - package: - name: "{{ program }}" - state: present - -- name: Start {{ service }} service - service: - name: "{{ service }}" - state: started - -- name: Check {{ service }} is running - command: systemctl status "{{ service }}" - register: service_status - failed_when: (service_status.stderr | length > 0) or ("active (running)" not in service_status.stdout ) diff --git a/provisioning/roles/apache/tasks/MacOS.yml b/provisioning/roles/apache/tasks/MacOS.yml deleted file mode 100644 index 000d2110cb..0000000000 --- a/provisioning/roles/apache/tasks/MacOS.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: Install {{ program }} with brew | MacOS - homebrew: - name: "{{ program }}" - update_homebrew: true - -- name: Start {{ program }} with brew | MacOS - shell: /usr/local/bin/brew services start {{ program }} diff --git a/provisioning/roles/apache/tasks/Solaris.yml b/provisioning/roles/apache/tasks/Solaris.yml deleted file mode 100644 index 6e33b60633..0000000000 --- a/provisioning/roles/apache/tasks/Solaris.yml +++ /dev/null 
@@ -1,19 +0,0 @@ -- name: Install CSWpkgutil - become: true - shell: pkgadd -d http://get.opencsw.org/now -n - -- name: Fetch new catalog and descriptions - become: true - shell: /opt/csw/bin/pkgutil -U - -- name: Install apache2 - become: true - shell: /opt/csw/bin/pkgutil -y -i apache2 - -- name: List files - become: true - shell: /usr/sbin/pkgchk -L CSWapache2 - -- name: Enable service - become: true - shell: svcadm -v enable /network/http:apache2 diff --git a/provisioning/roles/apache/tasks/Windows.yml b/provisioning/roles/apache/tasks/Windows.yml deleted file mode 100644 index d9532f5665..0000000000 --- a/provisioning/roles/apache/tasks/Windows.yml +++ /dev/null @@ -1,27 +0,0 @@ -- name: Download the Apache binaries - win_get_url: - url: "{{ apache_zip_url }}" - dest: "{{ home_dir }}" - checksum: "{{apache_algorithm}}:{{apache_checksum}}" - -- name: Unzip Apache binaries zip - community.windows.win_unzip: - src: "{{ apache_zip_path }}" - dest: "{{ home_dir }}" - creates: "{{ apache_folder_path }}" - -- name: Replace Apache's ServerRoot location - community.windows.win_lineinfile: - path: "{{ apache_folder_path }}/conf/httpd.conf" - backrefs: true - regex: Define SRVROOT "c:/Apache24" - line: Define SRVROOT "c:/Users/qa/Apache24" - -- name: Verify httpd.conf - ansible.windows.win_shell: "{{ apache_bin_path }} -t" - -- name: Install Apache service - ansible.windows.win_shell: "{{ apache_bin_path }} -k install" - -- name: Start Apache service - ansible.windows.win_shell: "{{ apache_bin_path }} -k start" diff --git a/provisioning/roles/apache/tasks/main.yml b/provisioning/roles/apache/tasks/main.yml deleted file mode 100644 index 0196a1ff9e..0000000000 --- a/provisioning/roles/apache/tasks/main.yml +++ /dev/null 
@@ -1,51 +0,0 @@ -# vars - -# Linux -- name: Include Debian custom vars - include_vars: ../vars/Debian.yml - when: ansible_os_family == "Debian" - -- name: Include RedHat custom vars - include_vars: ../vars/RedHat.yml - when: ansible_os_family == "RedHat" - -# Windows -- name: Include Windows custom vars - include_vars: ../vars/Windows.yml - when: ansible_os_family == "Windows" - -# Solaris -- name: Include Solaris custom vars - include_vars: ../vars/Solaris.yml - when: ansible_os_family == "Solaris" - -# MacOS -- name: Include MacOS custom vars - include_vars: ../vars/MacOS.yml - when: ansible_os_family == "Darwin" - -# tasks - -# Linux -- name: Include Linux custom tasks - include_tasks: Linux.yml - when: ansible_os_family == "Debian" or ansible_os_family == "RedHat" - -# Windows -- name: Include Windows custom tasks - include_tasks: Windows.yml - when: ansible_os_family == "Windows" - -# Solaris -- name: Include Solaris custom tasks - include_tasks: Solaris.yml - when: ansible_os_family == "Solaris" - args: - apply: - environment: - PATH: "{{ environment_paths }}" - -# macOS -- name: Include MacOS custom tasks - include_tasks: MacOS.yml - when: ansible_os_family == "Darwin" diff --git a/provisioning/roles/apache/vars/Debian.yml b/provisioning/roles/apache/vars/Debian.yml deleted file mode 100644 index 3239efe204..0000000000 --- a/provisioning/roles/apache/vars/Debian.yml +++ /dev/null @@ -1,2 +0,0 @@ -program: apache2 -service: apache2 diff --git a/provisioning/roles/apache/vars/MacOS.yml b/provisioning/roles/apache/vars/MacOS.yml deleted file mode 100644 index 91d4d1d2f9..0000000000 --- a/provisioning/roles/apache/vars/MacOS.yml +++ /dev/null @@ -1,3 +0,0 @@ -program: httpd -service: httpd -home_dir: /Users/vagrant diff --git a/provisioning/roles/apache/vars/RedHat.yml b/provisioning/roles/apache/vars/RedHat.yml deleted file mode 100644 index 4c14545279..0000000000 --- a/provisioning/roles/apache/vars/RedHat.yml +++ /dev/null 
@@ -1,2 +0,0 @@ -program: httpd -service: httpd diff --git a/provisioning/roles/apache/vars/Solaris.yml b/provisioning/roles/apache/vars/Solaris.yml deleted file mode 100644 index 29e8143acc..0000000000 --- a/provisioning/roles/apache/vars/Solaris.yml +++ /dev/null @@ -1,4 +0,0 @@ -program: apache-24 -service: apache24 -home_dir: /export/home/vagrant -environment_paths: /opt/python3/bin/:/usr/sbin:/usr/bin:/usr/sbin/:/opt/csw/gnu/:/usr/sfw/bin/:/opt/csw/bin/ diff --git a/provisioning/roles/apache/vars/Windows.yml b/provisioning/roles/apache/vars/Windows.yml deleted file mode 100644 index 940c2b2b56..0000000000 --- a/provisioning/roles/apache/vars/Windows.yml +++ /dev/null @@ -1,13 +0,0 @@ -# https://archive.apache.org/dist/httpd/binaries/win32/?C=M;O=D openssl msi with its sha file -# https://www.apachelounge.com/download/VS16/binaries binaries and checksums -service: httpd -apache_version: 2.4.54 -home_dir: C:\Users/qa -# latest stable version -apache_zip_url: https://www.apachelounge.com/download/VS16/binaries/httpd-2.4.54-win64-VS16.zip -apache_algorithm: sha256 -apache_checksum: b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c -apache_zip_file: httpd-{{apache_version}}-win64-VS16.zip -apache_zip_path: "{{home_dir}}/{{apache_zip_file}}" -apache_folder_path: "{{home_dir}}/Apache24" -apache_bin_path: "{{apache_folder_path}}/bin/httpd.exe" diff --git a/provisioning/roles/apache/vars/main.yml b/provisioning/roles/apache/vars/main.yml deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/provisioning/roles/qa_framework/defaults/main.yml b/provisioning/roles/qa_framework/defaults/main.yml deleted file mode 100644 index 7aaa295c68..0000000000 --- a/provisioning/roles/qa_framework/defaults/main.yml +++ /dev/null 
@@ -1,8 +0,0 @@ -qa_repository_url: https://github.com/wazuh/wazuh-qa.git -qa_repository_reference: master -qa_requirements_file: requirements.txt -test_setup_qa_path: deps/wazuh_testing -setup_installer: setup.py -build_dir: /tmp/wazuh-qa -# This flag allows modifying any var -customize: false diff --git a/provisioning/roles/qa_framework/tasks/Solaris.yml b/provisioning/roles/qa_framework/tasks/Solaris.yml deleted file mode 100644 index fc4b0471ba..0000000000 --- a/provisioning/roles/qa_framework/tasks/Solaris.yml +++ /dev/null @@ -1,4 +0,0 @@ -- name: Install python requirements on Solaris - command: "{{ python_executable }} -m pip install -r {{ qa_requirements_file }}" - args: - chdir: "{{ build_dir }}" diff --git a/provisioning/roles/qa_framework/tasks/Unix.yml b/provisioning/roles/qa_framework/tasks/Unix.yml deleted file mode 100644 index ac8a98922d..0000000000 --- a/provisioning/roles/qa_framework/tasks/Unix.yml +++ /dev/null 
@@ -1,37 +0,0 @@ -- name: Clone Wazuh-QA repo | UNIX - git: - repo: "{{ qa_repository_url }}" - dest: "{{ build_dir }}" - version: "{{ qa_repository_reference }}" - depth: 1 - register: clone_result - retries: 6 - delay: 10 - until: clone_result is success - when: ansible_os_family != "Solaris" - -- name: Clone Wazuh-QA repo | Solaris - git: - repo: "{{ qa_repository_url }}" - dest: "{{ build_dir }}" - version: "{{ qa_repository_reference }}" - depth: 1 - register: clone_result - retries: 6 - delay: 10 - until: clone_result is success - environment: - PATH: /opt/python3/bin/:/usr/bin:/bin:/usr/sbin/:/opt/csw/gnu/:/usr/sfw/bin/:/opt/csw/bin/ - when: ansible_os_family == "Solaris" - -- name: Install python requirements | UNIX - command: > - {{ python_executable }} -m pip install -r {{ qa_requirements_file }} --no-cache-dir - --only-binary=:cryptography,grpcio: --user - args: - chdir: "{{ build_dir }}" - -- name: Install setup.py | UNIX - command: "{{ python_executable }} {{ setup_installer }} install --user" - args: - chdir: "{{ build_dir }}/{{ test_setup_qa_path }}" diff --git a/provisioning/roles/qa_framework/tasks/Windows.yml b/provisioning/roles/qa_framework/tasks/Windows.yml deleted file mode 100644 index 3561f58ff9..0000000000 --- a/provisioning/roles/qa_framework/tasks/Windows.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -- name: Create {{ build_dir }} if does not exist - ansible.windows.win_file: - path: "{{ build_dir }}" - state: directory - -- name: Clone Wazuh-QA repo | Windows - win_command: powershell.exe - - args: - chdir: "{{ build_dir }}" - stdin: > - git clone {{ qa_repository_url }} -b {{ qa_repository_reference }} --depth=1 {{ build_dir }}/tmp; move tmp/* ./ - -- name: Install python requirements | Windows - win_command: > - {{ python_executable }} -m pip install -r {{ qa_requirements_file }} --no-cache-dir - --only-binary=:cryptography,grpcio: - args: - chdir: "{{ build_dir }}" - -- name: Install setup.py | Windows - win_command: "{{ python_executable }} {{ setup_installer }} install" - args: - chdir: "{{ build_dir }}\\{{ test_setup_qa_path }}" diff --git a/provisioning/roles/qa_framework/tasks/main.yml b/provisioning/roles/qa_framework/tasks/main.yml deleted file mode 100644 index 5f9e6ea69c..0000000000 --- a/provisioning/roles/qa_framework/tasks/main.yml +++ /dev/null @@ -1,41 +0,0 @@ -# vars - -# Unix -- name: Include Unix custom vars - include_vars: Unix.yml - when: - - customize == false - - ansible_os_family != "Windows" - -# Solaris -- name: Include Solaris custom vars - include_vars: Solaris.yml - when: - - customize == false - - ansible_os_family == "Solaris" - -# macOS -- name: Include macOS custom vars - include_vars: macOS.yml - when: - - customize == false - - ansible_os_family == "Darwin" - -# Windows -- name: Include Windows custom vars - include_vars: Windows.yml - when: - - customize == false - - ansible_os_family == "Windows" - -# tasks - -# Unix|Solaris|macOS -- name: Include Unix custom tasks - include_tasks: Unix.yml - when: ansible_os_family != "Windows" - -# Windows -- name: Include Windows custom tasks - include_tasks: Windows.yml - when: ansible_os_family == "Windows" 
diff --git a/provisioning/roles/qa_framework/vars/Solaris.yml b/provisioning/roles/qa_framework/vars/Solaris.yml deleted file mode 100644 index 0abc152641..0000000000 --- a/provisioning/roles/qa_framework/vars/Solaris.yml +++ /dev/null @@ -1 +0,0 @@ -python_executable: /opt/python3/bin/python3 diff --git a/provisioning/roles/qa_framework/vars/Unix.yml b/provisioning/roles/qa_framework/vars/Unix.yml deleted file mode 100644 index d7ccd9d41b..0000000000 --- a/provisioning/roles/qa_framework/vars/Unix.yml +++ /dev/null @@ -1 +0,0 @@ -python_executable: /usr/local/bin/python3.10 diff --git a/provisioning/roles/qa_framework/vars/Windows.yml b/provisioning/roles/qa_framework/vars/Windows.yml deleted file mode 100644 index 3bfbd88b1e..0000000000 --- a/provisioning/roles/qa_framework/vars/Windows.yml +++ /dev/null @@ -1,2 +0,0 @@ -build_dir: C:\Users\qa\AppData\Local\Temp\wazuh-qa -python_executable: C:\Users\qa\AppData\Local\Programs\Python\Python310\python.exe diff --git a/provisioning/roles/qa_framework/vars/macOS.yml b/provisioning/roles/qa_framework/vars/macOS.yml deleted file mode 100644 index fc4312d0aa..0000000000 --- a/provisioning/roles/qa_framework/vars/macOS.yml +++ /dev/null @@ -1 +0,0 @@ -python_executable: /Library/Developer/CommandLineTools/usr/bin/python3 diff --git a/provisioning/roles/qa_framework/vars/main.yml b/provisioning/roles/qa_framework/vars/main.yml deleted file mode 100644 index e69de29bb2..0000000000 From cee80718082a4a96dd7372ff38c24d697f78799e Mon Sep 17 00:00:00 2001 From: Julia Date: Mon, 12 Sep 2022 13:48:51 +0200 Subject: [PATCH 548/552] fix(#3275): fix linter errors --- deps/wazuh_testing/wazuh_testing/fim.py | 48 ++++++++++++------------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/deps/wazuh_testing/wazuh_testing/fim.py b/deps/wazuh_testing/wazuh_testing/fim.py index 445eb85bc3..0ff0924825 100644 --- a/deps/wazuh_testing/wazuh_testing/fim.py +++ b/deps/wazuh_testing/wazuh_testing/fim.py 
@@ -169,11 +169,9 @@ REG_QWORD = 0 KEY_ALL_ACCESS = 0 - def registry_value_cud(): pass - def registry_key_cud(): pass @@ -192,7 +190,6 @@ def create_values_content(): def validate_registry_event(): pass - RegOpenKeyEx = 0 RegCloseKey = 0 @@ -1612,8 +1609,8 @@ def _get_file_list(self): return result_list -def wait_for_scheduled_scan(wait_for_scan=False, interval: timedelta = timedelta(seconds=20), monitor: FileMonitor = None, - timeout=global_parameters.default_timeout): +def wait_for_scheduled_scan(wait_for_scan=False, interval: timedelta = timedelta(seconds=20), + monitor: FileMonitor = None, timeout=global_parameters.default_timeout): """Checks if the conditions for waiting for a new scheduled scan. Optionally, a monitor may be used to check if a scheduled scan has been performed. @@ -1622,7 +1619,8 @@ def wait_for_scheduled_scan(wait_for_scan=False, interval: timedelta = timedelta Args: wait_scan (boolean): True if we need to update time. False otherwise. - interval (timedelta, optional): time interval that will be waited for the scheduled scan to start. Default: 20 seconds. + interval (timedelta, optional): time interval that will be waited for the scheduled scan to start. + Default: 20 seconds. monitor (FileMonitor, optional): if passed, after changing system clock it will check for the end of the scheduled scan. The `monitor` will not consume any log line. Default `None`. timeout (int, optional): If a monitor is provided, this parameter sets how long to wait for the end of scan. @@ -1641,8 +1639,8 @@ def wait_for_scheduled_scan(wait_for_scan=False, interval: timedelta = timedelta time.sleep(interval) if monitor: monitor.start(timeout=timeout, callback=callback_detect_end_scan, - update_position=False, - error_message=f"End of scheduled scan not detected after {timeout} seconds") + update_position=False, + error_message=f"End of scheduled scan not detected after {timeout} seconds") if sys.platform == 'win32': 
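Review bot: The re-wrapped Args entry still documents a parameter named `wait_scan`, while the signature in the hunk above declares `wait_for_scan`, so the docstring describes an argument that does not exist. Change the entry to `wait_for_scan (boolean): True to wait for the next scheduled scan. False otherwise.` so it matches the signature. The body of wait_for_scheduled_scan continues in the following hunk.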
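Review bot: `time.sleep(interval)` receives `interval`, which the signature annotates and defaults as a `timedelta`, and `time.sleep` only accepts a real number, so a call with the default and `wait_for_scan=True` raises TypeError unless the value is converted somewhere between the signature and this line, which the hunk does not show. Accept both forms with `delay = interval.total_seconds() if isinstance(interval, timedelta) else interval` and then `time.sleep(delay)`. The function starts outside this hunk.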
@@ -1961,7 +1959,6 @@ def registry_value_cud(root_key, registry_sub_key, log_monitor, arch=KEY_WOW64_6 error_message=f'End of scheduled scan not detected after ' f"{global_parameters.default_timeout} seconds") - def transform_registry_list(value_list=['test_value'], value_type=win32con.REG_SZ, callback=callback_value_event): if value_type in [win32con.REG_SZ, win32con.REG_MULTI_SZ]: @@ -1983,7 +1980,6 @@ def transform_registry_list(value_list=['test_value'], value_type=win32con.REG_S return aux_dict - def set_check_options(options): """ Return set of check options. If options given is none, it will return check_all""" options_set = REQUIRED_REG_VALUE_ATTRIBUTES[CHECK_ALL] @@ -1991,14 +1987,14 @@ def set_check_options(options): options_set = options_set.intersection(options) return options_set - def create_values_content(value_name, size): """ Create a string of data content of a given size for a specific key value""" return {value_name: generate_string(size, '0')} def registry_value_create(root_key, registry_sub_key, log_monitor, arch=KEY_WOW64_64KEY, value_list=['test_value'], - min_timeout=1, options=None, wait_for_scan=False, scan_delay=10, triggers_event=True, encoding=None, - callback=callback_value_event, validators_after_create=None, value_type=win32con.REG_SZ): + min_timeout=1, options=None, wait_for_scan=False, scan_delay=10, triggers_event=True, + encoding=None, callback=callback_value_event, validators_after_create=None, + value_type=win32con.REG_SZ): """Check if creation of registry value events are detected by syscheck. This function provides multiple tools to validate events with custom validators. 
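Review bot: The re-wrapped signature of registry_value_create keeps `value_list=['test_value']`, a mutable list default that is shared across every call that relies on it, and the same pattern is repeated by transform_registry_list, registry_value_update and registry_value_delete in this file. If no callee mutates or type-checks it, `value_list=('test_value',)` removes the shared state without changing behaviour; I can't see the callees' use of the list from the hunk, so please confirm before switching. The function body runs past the end of this hunk.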
@@ -2012,7 +2008,8 @@ def registry_value_create(root_key, registry_sub_key, log_monitor, arch=KEY_WOW6 strings in each value. Default `['test_value']` min_timeout (int, optional): Minimum timeout. Default `1` options (set, optional): Set with all the checkers. Default `None` - wait_for_scan (boolean, optional): Boolean to determine if there will be time travels or not. Default `False` + wait_for_scan (boolean, optional): Boolean to determine if there will be time travels or not. + Default `False` scan_delay (int, optional): time the test sleeps waiting for scan to be triggered. triggers_event (boolean, optional): Boolean to determine if the event should be raised or not. Default `True` @@ -2059,10 +2056,10 @@ def registry_value_create(root_key, registry_sub_key, log_monitor, arch=KEY_WOW6 if triggers_event: logger.info("'added' {} detected as expected.\n".format("events" if len(value_list) > 1 else "event")) - def registry_value_update(root_key, registry_sub_key, log_monitor, arch=KEY_WOW64_64KEY, value_list=['test_value'], - wait_for_scan=False, scan_delay=10, min_timeout=1, options=None, triggers_event=True, encoding=None, - callback=callback_value_event, validators_after_update=None, value_type=win32con.REG_SZ): + wait_for_scan=False, scan_delay=10, min_timeout=1, options=None, triggers_event=True, + encoding=None, callback=callback_value_event, validators_after_update=None, + value_type=win32con.REG_SZ): """Check if update registry value events are detected by syscheck. This function provides multiple tools to validate events with custom validators. 
@@ -2074,7 +2071,8 @@ def registry_value_update(root_key, registry_sub_key, log_monitor, arch=KEY_WOW6 arch (int): Architecture of the registry key (KEY_WOW64_32KEY or KEY_WOW64_64KEY). Default `KEY_WOW64_64KEY` value_list (list(str) or dict, optional): If it is a list, it will be transformed to a dict with empty strings in each value. Default `['test_value']` - wait_for_scan (boolean, optional): Boolean to determine if there will waits for scheduled scans. Default `False` + wait_for_scan (boolean, optional): Boolean to determine if there will waits for scheduled scans. + Default `False` scan_delay (int, optional): time the test sleeps waiting for scan to be triggered. min_timeout (int, optional): Minimum timeout. Default `1` options (set, optional): Set with all the checkers. Default `None` @@ -2119,8 +2117,9 @@ def registry_value_update(root_key, registry_sub_key, log_monitor, arch=KEY_WOW6 logger.info("'modified' {} detected as expected.\n".format("events" if len(value_list) > 1 else "event")) def registry_value_delete(root_key, registry_sub_key, log_monitor, arch=KEY_WOW64_64KEY, value_list=['test_value'], - wait_for_scan=False, scan_delay=10, min_timeout=1, options=None, triggers_event=True, encoding=None, - callback=callback_value_event, validators_after_delete=None, value_type=win32con.REG_SZ): + wait_for_scan=False, scan_delay=10, min_timeout=1, options=None, triggers_event=True, + encoding=None, callback=callback_value_event, validators_after_delete=None, + value_type=win32con.REG_SZ): """Check if delete registry value events are detected by syscheck. This function provides multiple tools to validate events with custom validators. 
@@ -2132,7 +2131,8 @@ def registry_value_delete(root_key, registry_sub_key, log_monitor, arch=KEY_WOW6 arch (int): Architecture of the registry key (KEY_WOW64_32KEY or KEY_WOW64_64KEY). Default `KEY_WOW64_64KEY` value_list (list(str) or dict, optional): If it is a list, it will be transformed to a dict with empty strings in each value. Default `['test_value']` - wait_for_scan (boolean, optional): Boolean to determine if there will waits for scheduled scans. Default `False` + wait_for_scan (boolean, optional): Boolean to determine if there will waits for scheduled scans. + Default `False` scan_delay (int, optional): time the test sleeps waiting for scan to be triggered. min_timeout (int, optional): Minimum timeout. Default `1` options (set, optional): Set with all the checkers. Default `None` @@ -2175,7 +2175,6 @@ def registry_value_delete(root_key, registry_sub_key, log_monitor, arch=KEY_WOW6 if triggers_event: logger.info("'deleted' {} detected as expected.\n".format("events" if len(value_list) > 1 else "event")) - def registry_key_cud(root_key, registry_sub_key, log_monitor, arch=KEY_WOW64_64KEY, key_list=['test_key'], time_travel=False, min_timeout=1, options=None, triggers_event=True, triggers_event_add=True, triggers_event_modified=True, triggers_event_delete=True, encoding=None, @@ -2535,7 +2534,8 @@ def get_scan_timestamp(file_monitor): file_monitor (FileMonitor): file log monitor to detect events """ timestamp = file_monitor.start(timeout=60, callback=callback_get_scan_timestap, - error_message='Did not receive expected "File integrity monitoring scan ended" event').result() + error_message='Did not receive expected ' + '"File integrity monitoring scan ended" event').result() return timestamp 
@@ -2730,4 +2730,4 @@ def wait_for_fim_scan_end(HostMonitor, inventory_path, messages_path, tmp_path): # Function that use to run a script inside remote host to execute queries to DB def query_db(host_manager, script, db_path, query): - return host_manager.run_command('wazuh-manager', "python {} --db_path {} --query {}".format(script, db_path, query)) \ No newline at end of file + return host_manager.run_command('wazuh-manager', "python {} --db_path {} --query {}".format(script, db_path, query)) From 15a8cc6237ef3ec91933a795013d626256854942 Mon Sep 17 00:00:00 2001 From: Julia Date: Mon, 12 Sep 2022 17:21:32 +0200 Subject: [PATCH 549/552] fix(#3275): fix roles in end_to_end_environment.yaml --- provisioning/environments/end_to_end_environment.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/provisioning/environments/end_to_end_environment.yaml b/provisioning/environments/end_to_end_environment.yaml index 3db38e898c..2a7fd63e78 100644 --- a/provisioning/environments/end_to_end_environment.yaml +++ b/provisioning/environments/end_to_end_environment.yaml @@ -2,8 +2,8 @@ centos-manager: os: centos roles: - manager - indexer - filebeat + - indexer + - filebeat resources: cpu: 4 memory: 8192 From 1d59e45e690cbcfcf713e6c507ceddd3bc069fee Mon Sep 17 00:00:00 2001 From: Mauro Malara Date: Tue, 13 Sep 2022 16:00:01 -0300 Subject: [PATCH 550/552] refactor(#3275): add issue reference to each skip reason. --- .../test_aws_infrastructure_monitoring.py | 2 +- .../test_docker_monitoring/test_docker_monitoring.py | 2 +- .../test_basic_cases/test_fim/test_fim_linux/test_fim_linux.py | 2 +- .../test_fim/test_fim_windows/test_fim_windows.py | 2 +- .../test_slack_integration/test_slack_integration.py | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) 
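Review bot: `query_db` formats `script`, `db_path` and `query` unquoted into one command string that is handed to `host_manager.run_command`, so a query containing spaces, quotes or `;` is split or interpreted by the remote shell instead of reaching `--query` intact; the commit only adds the missing trailing newline. Quote every interpolated value, e.g. `from shlex import quote` and `"python {} --db_path {} --query {}".format(quote(script), quote(db_path), quote(query))`. Whether run_command goes through a shell is not visible here, so treat this as a correctness fix first and an injection guard second.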
diff --git a/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py b/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py index 6bcf30fa76..4c504482f2 100644 --- a/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py +++ b/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py @@ -75,7 +75,7 @@ pytestmark = [TIER0, LINUX] -@pytest.mark.skip(reason='It will be blocked by #3211, when it is resolved, we can enable the test') +@pytest.mark.skip(reason='https://github.com/wazuh/wazuh-qa/issues/3211') @pytest.mark.parametrize('metadata', metadata, ids=cases_ids) @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') def test_aws_infrastructure_monitoring(metadata, configure_environment, get_indexer_credentials, get_manager_ip, diff --git a/tests/end_to_end/test_basic_cases/test_docker_monitoring/test_docker_monitoring.py b/tests/end_to_end/test_basic_cases/test_docker_monitoring/test_docker_monitoring.py index 88f57f7a35..d0abe4a848 100644 --- a/tests/end_to_end/test_basic_cases/test_docker_monitoring/test_docker_monitoring.py +++ b/tests/end_to_end/test_basic_cases/test_docker_monitoring/test_docker_monitoring.py @@ -65,7 +65,7 @@ pytestmark = [TIER0, LINUX] -@pytest.mark.skip(reason="The tests are not stable enough to be added to the automated execution (#3274).") +@pytest.mark.skip(reason='https://github.com/wazuh/wazuh-qa/issues/3210') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') def test_docker_monitoring(configure_environment, metadata, get_indexer_credentials, get_manager_ip, generate_events, 
diff --git a/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/test_fim_linux.py b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/test_fim_linux.py index b98b6855c2..6631e5ee2d 100644 --- a/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/test_fim_linux.py +++ b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/test_fim_linux.py @@ -63,7 +63,7 @@ pytestmark = [TIER0, LINUX] -@pytest.mark.skip(reason="The tests are not stable enough to be added to the automated execution (#3275).") +@pytest.mark.skip(reason='https://github.com/wazuh/wazuh-qa/issues/3207') @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) def test_fim_linux(configure_environment, metadata, get_indexer_credentials, get_manager_ip, generate_events, diff --git a/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/test_fim_windows.py b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/test_fim_windows.py index 68c43bc13c..e39d45d1db 100644 --- a/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/test_fim_windows.py +++ b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/test_fim_windows.py @@ -65,7 +65,7 @@ pytestmark = [TIER0, WINDOWS] -@pytest.mark.skip(reason="The tests are not stable enough to be added to the automated execution (#3274).") +@pytest.mark.skip(reason='https://github.com/wazuh/wazuh-qa/issues/3207') @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') @pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids) def test_fim_windows(configure_environment, metadata, get_indexer_credentials, get_manager_ip, generate_events, diff --git a/tests/end_to_end/test_basic_cases/test_slack_integration/test_slack_integration.py b/tests/end_to_end/test_basic_cases/test_slack_integration/test_slack_integration.py index ee2341d922..3d0ffe8d47 100644 
--- a/tests/end_to_end/test_basic_cases/test_slack_integration/test_slack_integration.py +++ b/tests/end_to_end/test_basic_cases/test_slack_integration/test_slack_integration.py @@ -85,7 +85,7 @@ def remove_slack_log(): remove_file(slack_messages_log) -@pytest.mark.skip(reason="The tests are not stable enough to be added to the automated execution (#3274).") +@pytest.mark.skip(reason='https://github.com/wazuh/wazuh-qa/issues/3286') @pytest.mark.parametrize('metadata', metadata, ids=cases_ids) @pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning') def test_slack_integration(metadata, configure_environment, get_indexer_credentials, get_manager_ip, generate_events, From 8f6f62ea3e8b759f42e951a16141f0b6ede34be7 Mon Sep 17 00:00:00 2001 From: Julia Date: Thu, 15 Sep 2022 13:35:26 +0200 Subject: [PATCH 551/552] refactor(#2830): add e2e tests to changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ae6c1debbe..b0b95a441e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,7 @@ Wazuh commit: TBD \ Release report: TBD ### Added +- Add E2E tests for demo cases ([#3293](https://github.com/wazuh/wazuh-qa/pull/3293)) \- (Framework + Tests) - Add configuration files for Jenkins automation of system/E2E tests ([#3221](https://github.com/wazuh/wazuh-qa/pull/3221)) \- (Framework) - New vulnerability Detector integration tests for Ubuntu 22.04 ([#2957](https://github.com/wazuh/wazuh-qa/pull/2957)) \- (Framework + Tests) - New vulnerability Detector integration tests for Amazon Linux 2022 ([#2955](https://github.com/wazuh/wazuh-qa/pull/2955)) \- (Framework + Tests) From 5ce31b09f96808dc39d6ed92ab88aca62e3823de Mon Sep 17 00:00:00 2001 
From: Julia Date: Wed, 21 Sep 2022 10:28:43 +0200 Subject: [PATCH 552/552] refactor(#2830): set common variable for fetched alerts file --- deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py | 5 +++++ tests/end_to_end/conftest.py | 4 +--- tests/end_to_end/test_basic_cases/test_audit/test_audit.py | 4 +--- .../test_aws_infrastructure_monitoring.py | 4 +--- .../test_brute_force_rdp/test_brute_force_rdp.py | 4 +--- .../test_brute_force_ssh/test_brute_force_ssh.py | 4 +--- .../test_detecting_suspicious_binaries.py | 4 +--- .../test_docker_monitoring/test_docker_monitoring.py | 4 +--- tests/end_to_end/test_basic_cases/test_emotet/test_emotet.py | 4 +--- .../test_fim/test_fim_linux/test_fim_linux.py | 4 +--- .../test_fim/test_fim_windows/test_fim_windows.py | 4 +--- .../test_ip_reputation/test_ip_reputation.py | 4 +--- .../test_osquery_integration/test_osquery_integration.py | 4 +--- .../test_shellshock_attack_detection.py | 4 +--- .../test_slack_integration/test_slack_integration.py | 3 +-- .../test_sql_injection/test_sql_injection.py | 4 +--- .../test_suricata_integration/test_suricata_integration.py | 4 +--- .../test_unauthorized_processes_detection.py | 4 +--- .../test_virustotal_integration.py | 4 +--- .../test_vulnerability_detector_linux.py | 4 +--- .../test_vulnerability_detection_windows.py | 4 +--- .../test_windows_defender/test_windows_defender.py | 4 +--- .../test_yara_integration/test_yara_integration.py | 4 +--- 23 files changed, 27 insertions(+), 65 deletions(-) diff --git a/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py b/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py index db1c7b2814..cafbf7f4ee 100644 --- a/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py +++ b/deps/wazuh_testing/wazuh_testing/end_to_end/__init__.py 
@@ -1,12 +1,17 @@ # Copyright (C) 2015-2022, Wazuh Inc. # Created by Wazuh, Inc. . # This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 +import os import requests from http import HTTPStatus +from tempfile import gettempdir from wazuh_testing.tools.utils import retry +fetched_alerts_json_path = os.path.join(gettempdir(), 'alerts.json') + + @retry(Exception, attempts=3, delay=5) def get_alert_indexer_api(query, credentials, ip_address, index='wazuh-alerts-4.x-*'): """Get an alert from the wazuh-indexer API diff --git a/tests/end_to_end/conftest.py b/tests/end_to_end/conftest.py index 493486b6fc..32a4e450e2 100644 --- a/tests/end_to_end/conftest.py +++ b/tests/end_to_end/conftest.py @@ -6,13 +6,11 @@ import pytest import json import yaml -from tempfile import gettempdir from wazuh_testing.tools.file import remove_file from wazuh_testing import end_to_end as e2e -alerts_json = os.path.join(gettempdir(), 'alerts.json') suite_path = os.path.dirname(os.path.realpath(__file__)) @@ -200,7 +198,7 @@ def clean_alerts_index(get_indexer_credentials, get_manager_ip): credentials (dict): wazuh-indexer credentials. """ yield - remove_file(alerts_json) + remove_file(e2e.fetched_alerts_json_path) e2e.delete_index_api(credentials=get_indexer_credentials, ip_address=get_manager_ip) diff --git a/tests/end_to_end/test_basic_cases/test_audit/test_audit.py b/tests/end_to_end/test_basic_cases/test_audit/test_audit.py index d139e201f1..1a3e1af9d5 100644 --- a/tests/end_to_end/test_basic_cases/test_audit/test_audit.py +++ b/tests/end_to_end/test_basic_cases/test_audit/test_audit.py @@ -40,7 +40,6 @@ import json import re import pytest -from tempfile import gettempdir import wazuh_testing as fw from wazuh_testing import end_to_end as e2e 
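Review bot: `fetched_alerts_json_path` is a fixed, predictable name directly under `gettempdir()`, a directory that is normally world-writable and shared between users and concurrent runs, so a stale or foreign `/tmp/alerts.json` (or a symlink placed there) would be read as the fetched alerts and later unlinked by the `clean_alerts_index` fixture. Prefer a per-run private directory, e.g. `fetched_alerts_json_path = os.path.join(tempfile.mkdtemp(prefix='wazuh-e2e-'), 'alerts.json')`, and pass the same path to the playbook that fetches the file. That playbook is not in the diff, so I can't tell whether it overwrites or fails on an existing file; at minimum add a comment on the constant stating that the location is shared and must be cleaned before each fetch.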
@@ -49,7 +48,6 @@ from wazuh_testing.modules import TIER0, LINUX -alerts_json = os.path.join(gettempdir(), 'alerts.json') test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_audit.yaml') configuration_playbooks = ['configuration.yaml'] @@ -118,7 +116,7 @@ def test_audit(configure_environment, metadata, get_indexer_credentials, get_man fr'"timestamp": "({timestamp_regex})".*' # Check that alert has been raised and save timestamp - raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=e2e.fetched_alerts_json_path, timeout=fw.T_5, error_message='The alert has not occurred').result() raised_alert_timestamp = raised_alert.group(1) diff --git a/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py b/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py index 4c504482f2..6f71f55a82 100644 --- a/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py +++ b/tests/end_to_end/test_basic_cases/test_aws_infrastructure_monitoring/test_aws_infrastructure_monitoring.py @@ -40,7 +40,6 @@ import re import pytest from datetime import datetime -from tempfile import gettempdir import wazuh_testing as fw from wazuh_testing import end_to_end as e2e @@ -52,7 +51,6 @@ test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') test_cases_path = os.path.join(test_data_path, 'test_cases') test_cases_file_path = os.path.join(test_cases_path, 'cases_aws_infrastructure_monitoring.yaml') -alerts_json = os.path.join(gettempdir(), 'alerts.json') # Playbooks configuration_playbooks = ['configuration.yaml'] 
@@ -130,7 +128,7 @@ def test_aws_infrastructure_monitoring(metadata, configure_environment, get_inde fr"timestamp\": \"({timestamp_regex})\"" # Check that alert has been raised and save timestamp - raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=e2e.fetched_alerts_json_path, timeout=fw.T_5, error_message='The alert has not occurred').result() raised_alert_timestamp = raised_alert.group(1) diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py index 41859015f7..e3bf6ecdcc 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_rdp/test_brute_force_rdp.py @@ -41,7 +41,6 @@ import json import re import pytest -from tempfile import gettempdir import wazuh_testing as fw from wazuh_testing.tools import configuration as config @@ -50,7 +49,6 @@ from wazuh_testing.modules import TIER0, WINDOWS # Test cases data -alerts_json = os.path.join(gettempdir(), 'alerts.json') test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_brute_force_rdp.yaml') @@ -121,7 +119,7 @@ def test_brute_force_rdp(configure_environment, metadata, get_indexer_credential fr'.*"mitre":.*"{rule_mitre_technique}".*"id": "{rule_id}".*' # Check that alert has been raised and save timestamp - raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=e2e.fetched_alerts_json_path, timeout=fw.T_5, error_message='The alert has not occurred').result() raised_alert_timestamp = raised_alert.group(1) 
diff --git a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py index 0f79615eae..a37cc69163 100644 --- a/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py +++ b/tests/end_to_end/test_basic_cases/test_brute_force/test_brute_force_ssh/test_brute_force_ssh.py @@ -39,7 +39,6 @@ import json import re import pytest -from tempfile import gettempdir import wazuh_testing as fw from wazuh_testing.tools import configuration as config @@ -48,7 +47,6 @@ from wazuh_testing.modules import TIER0, LINUX # Test cases data -alerts_json = os.path.join(gettempdir(), 'alerts.json') test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_brute_force_ssh.yaml') @@ -113,7 +111,7 @@ def test_brute_force_ssh(metadata, get_indexer_credentials, get_manager_ip, gene fr'.*"mitre":.*"{rule_mitre_technique}".*"id": "{rule_id}".*' # Check that alert has been raised and save timestamp - raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=e2e.fetched_alerts_json_path, timeout=fw.T_5, error_message='The alert has not occurred').result() raised_alert_timestamp = raised_alert.group(1) diff --git a/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py b/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py index cd87f0df35..ff38c61d25 100644 --- a/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py +++ b/tests/end_to_end/test_basic_cases/test_detecting_suspicious_binaries/test_detecting_suspicious_binaries.py 
@@ -41,7 +41,6 @@ import json import re import pytest -from tempfile import gettempdir import wazuh_testing as fw from wazuh_testing import end_to_end as e2e @@ -54,7 +53,6 @@ test_cases_path = os.path.join(test_data_path, 'test_cases') test_cases_file_path = os.path.join(test_cases_path, 'cases_detecting_suspicious_binaries.yaml') trojan_script_path = os.path.join(test_data_path, 'configuration', 'trojan_script.sh') -alerts_json = os.path.join(gettempdir(), 'alerts.json') # Playbooks configuration_playbooks = ['configuration.yaml'] @@ -125,7 +123,7 @@ def test_detecting_suspicious_binaries(configure_environment, metadata, get_inde fr"description.+{rule_description}.+id.+{rule_id}.+timestamp\": \"({timestamp_regex})\"" # Check that alert has been raised and save timestamp - raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=e2e.fetched_alerts_json_path, timeout=fw.T_5, error_message='The alert has not occurred').result() raised_alert_timestamp = raised_alert.group(1) diff --git a/tests/end_to_end/test_basic_cases/test_docker_monitoring/test_docker_monitoring.py b/tests/end_to_end/test_basic_cases/test_docker_monitoring/test_docker_monitoring.py index d0abe4a848..191f794cd5 100644 --- a/tests/end_to_end/test_basic_cases/test_docker_monitoring/test_docker_monitoring.py +++ b/tests/end_to_end/test_basic_cases/test_docker_monitoring/test_docker_monitoring.py @@ -39,7 +39,6 @@ import json import re import pytest -from tempfile import gettempdir import wazuh_testing as fw from wazuh_testing import end_to_end as e2e 
@@ -51,7 +50,6 @@ test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') test_cases_path = os.path.join(test_data_path, 'test_cases') test_cases_file_path = os.path.join(test_cases_path, 'cases_docker_monitoring.yaml') -alerts_json = os.path.join(gettempdir(), 'alerts.json') # Playbooks configuration_playbooks = ['configuration.yaml'] @@ -121,7 +119,7 @@ def test_docker_monitoring(configure_environment, metadata, get_indexer_credenti fr"id.+{rule_id}.+timestamp\": \"({timestamp_regex})\".+" # Check that alert has been raised and save timestamp - raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json, + raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=e2e.fetched_alerts_json_path, timeout=fw.T_5, error_message='The alert has not occurred').result() raised_alert_timestamp = raised_alert.group(1) diff --git a/tests/end_to_end/test_basic_cases/test_emotet/test_emotet.py b/tests/end_to_end/test_basic_cases/test_emotet/test_emotet.py index f5fa2cfc11..190edced51 100644 --- a/tests/end_to_end/test_basic_cases/test_emotet/test_emotet.py +++ b/tests/end_to_end/test_basic_cases/test_emotet/test_emotet.py @@ -41,7 +41,6 @@ import os import re import pytest -from tempfile import gettempdir import wazuh_testing as fw from wazuh_testing import end_to_end as e2e @@ -50,7 +49,6 @@ from wazuh_testing.modules import TIER0, WINDOWS -alerts_json = os.path.join(gettempdir(), 'alerts.json') test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_emotet.yaml') configuration_playbooks = ['configuration.yaml'] 
@@ -127,7 +125,7 @@ def test_emotet(configure_environment, metadata, get_indexer_credentials, get_ma
 fr'"timestamp": "({timestamp_regex})".*' # Check that alert has been raised and save timestamp
- raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json,
+ raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=e2e.fetched_alerts_json_path,
 timeout=fw.T_5, error_message=f"The alert '{rule_description}'" ' has not occurred').result()
 raised_alert_timestamp = raised_alert.group(1)
diff --git a/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/test_fim_linux.py b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/test_fim_linux.py
index 6631e5ee2d..55b7d4e80f 100644
--- a/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/test_fim_linux.py
+++ b/tests/end_to_end/test_basic_cases/test_fim/test_fim_linux/test_fim_linux.py
@@ -41,7 +41,6 @@ import json import re import pytest
-from tempfile import gettempdir
 import wazuh_testing as fw from wazuh_testing import end_to_end as e2e
@@ -50,7 +49,6 @@ from wazuh_testing.modules import TIER0, LINUX
-alerts_json = os.path.join(gettempdir(), 'alerts.json')
 test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_fim_linux.yaml') configuration_playbooks = ['configuration.yaml']
@@ -120,7 +118,7 @@ def test_fim_linux(configure_environment, metadata, get_indexer_credentials, get
 fr'"{rule_description}".*"timestamp": "({timestamp_regex})".*' # Check that alert has been raised and save timestamp
- raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json,
+ raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=e2e.fetched_alerts_json_path,
 timeout=fw.T_5, error_message='The alert has not occurred').result()
 raised_alert_timestamp = raised_alert.group(1)
diff --git a/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/test_fim_windows.py b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/test_fim_windows.py
index e39d45d1db..6d2d2da893 100644
--- a/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/test_fim_windows.py
+++ b/tests/end_to_end/test_basic_cases/test_fim/test_fim_windows/test_fim_windows.py
@@ -43,7 +43,6 @@ import json import re import pytest
-from tempfile import gettempdir
 import wazuh_testing as fw from wazuh_testing import end_to_end as e2e
@@ -52,7 +51,6 @@ from wazuh_testing.modules import TIER0, WINDOWS
-alerts_json = os.path.join(gettempdir(), 'alerts.json')
 test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_fim_windows.yaml') configuration_playbooks = ['configuration.yaml']
@@ -122,7 +120,7 @@ def test_fim_windows(configure_environment, metadata, get_indexer_credentials, g
 fr'"{rule_description}".*"timestamp": "({timestamp_regex})".*' # Check that alert has been raised and save timestamp
- raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json,
+ raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=e2e.fetched_alerts_json_path,
 timeout=fw.T_5, error_message='The alert has not occurred').result()
 raised_alert_timestamp = raised_alert.group(1)
diff --git a/tests/end_to_end/test_basic_cases/test_ip_reputation/test_ip_reputation.py b/tests/end_to_end/test_basic_cases/test_ip_reputation/test_ip_reputation.py
index de1353de84..401c726937 100644
--- a/tests/end_to_end/test_basic_cases/test_ip_reputation/test_ip_reputation.py
+++ b/tests/end_to_end/test_basic_cases/test_ip_reputation/test_ip_reputation.py
@@ -42,7 +42,6 @@ import json import re import pytest
-from tempfile import gettempdir
 import wazuh_testing as fw from wazuh_testing import end_to_end as e2e
@@ -51,7 +50,6 @@ from wazuh_testing.modules import TIER0, LINUX, WINDOWS
-alerts_json = os.path.join(gettempdir(), 'alerts.json')
 test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_ip_reputation.yaml') configuration_playbooks = ['configuration.yaml']
@@ -126,7 +124,7 @@ def test_ip_reputation(configure_environment, metadata, get_indexer_credentials,
 fr'"timestamp": "({timestamp_regex})".*' # Check that alert has been raised and save timestamp
- raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json,
+ raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=e2e.fetched_alerts_json_path,
 timeout=fw.T_5, error_message=f"The alert '{rule_description}'" ' has not occurred').result()
 raised_alert_timestamp = raised_alert.group(1)
diff --git a/tests/end_to_end/test_basic_cases/test_osquery_integration/test_osquery_integration.py b/tests/end_to_end/test_basic_cases/test_osquery_integration/test_osquery_integration.py
index 3e4e337361..11ce94cc85 100644
--- a/tests/end_to_end/test_basic_cases/test_osquery_integration/test_osquery_integration.py
+++ b/tests/end_to_end/test_basic_cases/test_osquery_integration/test_osquery_integration.py
@@ -40,7 +40,6 @@ import json import re import pytest
-from tempfile import gettempdir
 import wazuh_testing as fw from wazuh_testing import end_to_end as e2e
@@ -52,7 +51,6 @@ test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_osquery_integration.yaml') osquery_configuration_file_path = os.path.join(test_data_path, 'configuration', 'osquery_integration.json')
-alerts_json = os.path.join(gettempdir(), 'alerts.json')
 configuration_playbooks = ['configuration.yaml'] configuration_extra_vars = {'configuration_file': osquery_configuration_file_path} events_playbooks = ['generate_events.yaml']
@@ -120,7 +118,7 @@ def test_osquery_integration(configure_environment, metadata, get_indexer_creden
 fr'.+timestamp\": \"({timestamp_regex})\".+' # Check that alert has been raised and save timestamp
- raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json,
+ raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=e2e.fetched_alerts_json_path,
 timeout=fw.T_5, error_message='The alert has not occurred').result()
 raised_alert_timestamp = raised_alert.group(1)
diff --git a/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/test_shellshock_attack_detection.py b/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/test_shellshock_attack_detection.py
index 85ef8a406a..dd81c8700d 100644
--- a/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/test_shellshock_attack_detection.py
+++ b/tests/end_to_end/test_basic_cases/test_shellshock_attack_detection/test_shellshock_attack_detection.py
@@ -42,7 +42,6 @@ import json import re import pytest
-from tempfile import gettempdir
 from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm
@@ -52,7 +51,6 @@ test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_shellshock_attack_detection.yaml')
-alerts_json = os.path.join(gettempdir(), 'alerts.json')
 configuration_playbooks = ['configuration.yaml'] events_playbooks = ['generate_events.yaml'] teardown_playbooks = ['teardown.yaml']
@@ -117,7 +115,7 @@ def test_shellshock_attack_detection(configure_environment, metadata, get_indexe
 fr".+\"id\": \"{rule_id}\".+timestamp\": \"({timestamp_regex})\".+" # Check that alert has been raised and save timestamp
- raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json,
+ raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=e2e.fetched_alerts_json_path,
 error_message='The alert has not occurred').result()
 raised_alert_timestamp = raised_alert.group(1)
diff --git a/tests/end_to_end/test_basic_cases/test_slack_integration/test_slack_integration.py b/tests/end_to_end/test_basic_cases/test_slack_integration/test_slack_integration.py
index 3d0ffe8d47..3b20deec85 100644
--- a/tests/end_to_end/test_basic_cases/test_slack_integration/test_slack_integration.py
+++ b/tests/end_to_end/test_basic_cases/test_slack_integration/test_slack_integration.py
@@ -54,7 +54,6 @@ test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') test_cases_path = os.path.join(test_data_path, 'test_cases') test_cases_file_path = os.path.join(test_cases_path, 'cases_slack_integration.yaml')
-alerts_json = os.path.join(gettempdir(), 'alerts.json')
 slack_messages_log = os.path.join(gettempdir(), 'slack_messages.log') # Playbooks
@@ -148,7 +147,7 @@ def test_slack_integration(metadata, configure_environment, get_indexer_credenti
 expected_slack_log = fr".*{rule_description}.+{rule_id} _\(Level {rule_level}\)" # Check that alert has been raised and save timestamp
- raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json,
+ raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=e2e.fetched_alerts_json_path,
 timeout=fw.T_5, error_message='The alert has not occurred').result()
 raised_alert_timestamp = raised_alert.group(1)
diff --git a/tests/end_to_end/test_basic_cases/test_sql_injection/test_sql_injection.py b/tests/end_to_end/test_basic_cases/test_sql_injection/test_sql_injection.py
index 54892d6be0..073609e1c2 100644
--- a/tests/end_to_end/test_basic_cases/test_sql_injection/test_sql_injection.py
+++ b/tests/end_to_end/test_basic_cases/test_sql_injection/test_sql_injection.py
@@ -39,7 +39,6 @@ import json import re import pytest
-from tempfile import gettempdir
 import wazuh_testing as fw from wazuh_testing import end_to_end as e2e
@@ -48,7 +47,6 @@ from wazuh_testing.modules import TIER0, LINUX
-alerts_json = os.path.join(gettempdir(), 'alerts.json')
 test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_sql_injection.yaml') configuration_playbooks = ['configuration.yaml']
@@ -117,7 +115,7 @@ def test_sql_injection(configure_environment, metadata, get_indexer_credentials,
 fr'"timestamp": "({timestamp_regex})".*' # Check that alert has been raised and save timestamp
- raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json,
+ raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=e2e.fetched_alerts_json_path,
 timeout=fw.T_5, error_message='The alert has not occurred').result()
 raised_alert_timestamp = raised_alert.group(1)
diff --git a/tests/end_to_end/test_basic_cases/test_suricata_integration/test_suricata_integration.py b/tests/end_to_end/test_basic_cases/test_suricata_integration/test_suricata_integration.py
index d8c9ba7612..aef06c7622 100644
--- a/tests/end_to_end/test_basic_cases/test_suricata_integration/test_suricata_integration.py
+++ b/tests/end_to_end/test_basic_cases/test_suricata_integration/test_suricata_integration.py
@@ -44,7 +44,6 @@ import json import re import pytest
-from tempfile import gettempdir
 import wazuh_testing as fw from wazuh_testing import end_to_end as e2e
@@ -53,7 +52,6 @@ from wazuh_testing.modules import TIER0, LINUX
-alerts_json = os.path.join(gettempdir(), 'alerts.json')
 test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_suricata_integration.yaml') configuration_playbooks = ['configuration.yaml']
@@ -120,7 +118,7 @@ def test_suricata_integration(configure_environment, metadata, get_indexer_crede
 fr"{rule_description}.+id.+{rule_id}" # Check that alert has been raised and save timestamp
- raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json,
+ raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=e2e.fetched_alerts_json_path,
 timeout=fw.T_5, error_message='The alert has not occurred').result()
 raised_alert_timestamp = raised_alert.group(1)
diff --git a/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/test_unauthorized_processes_detection.py b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/test_unauthorized_processes_detection.py
index 2b237ad6a6..2f5ee4df35 100644
--- a/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/test_unauthorized_processes_detection.py
+++ b/tests/end_to_end/test_basic_cases/test_unauthorized_processes_detection/test_unauthorized_processes_detection.py
@@ -40,7 +40,6 @@ import json import re import pytest
-from tempfile import gettempdir
 from wazuh_testing.tools import configuration as config from wazuh_testing import end_to_end as e2e
@@ -49,7 +48,6 @@ # Test cases data
-alerts_json = os.path.join(gettempdir(), 'alerts.json')
 test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_unauthorized_processes_detection.yaml')
@@ -120,7 +118,7 @@ def test_unauthorized_processes_detection(configure_environment, metadata, get_i
 fr'"timestamp": "({timestamp_regex})".*' # Check that alert has been raised and save timestamp
- raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json,
+ raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=e2e.fetched_alerts_json_path,
 error_message='The alert has not occurred').result()
 raised_alert_timestamp = raised_alert.group(1)
diff --git a/tests/end_to_end/test_basic_cases/test_virustotal_integration/test_virustotal_integration.py b/tests/end_to_end/test_basic_cases/test_virustotal_integration/test_virustotal_integration.py
index 913f03e125..97d94ef3ba 100644
--- a/tests/end_to_end/test_basic_cases/test_virustotal_integration/test_virustotal_integration.py
+++ b/tests/end_to_end/test_basic_cases/test_virustotal_integration/test_virustotal_integration.py
@@ -47,7 +47,6 @@ import json import re import pytest
-from tempfile import gettempdir
 from wazuh_testing import end_to_end as e2e from wazuh_testing import event_monitor as evm
@@ -55,7 +54,6 @@ from wazuh_testing.modules import TIER0, LINUX
-alerts_json = os.path.join(gettempdir(), 'alerts.json')
 test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_virustotal_integration.yaml') configuration_playbooks = ['configuration.yaml']
@@ -124,7 +122,7 @@ def test_virustotal_integration(configure_environment, metadata, get_indexer_cre
 fr'.*"id": "{rule_id}".*"timestamp": "({timestamp_regex})".*' # Check that alert has been raised and save timestamp
- raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json,
+ raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=e2e.fetched_alerts_json_path,
 error_message='The alert has not occurred').result()
 raised_alert_timestamp = raised_alert.group(1)
diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py
index 2abe3a4102..36671d668b 100644
--- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py
+++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_linux/test_vulnerability_detector_linux.py
@@ -44,7 +44,6 @@ import json import re import pytest
-from tempfile import gettempdir
 from wazuh_testing.tools import configuration as config from wazuh_testing import end_to_end as e2e
@@ -53,7 +52,6 @@ # Test cases data
-alerts_json = os.path.join(gettempdir(), 'alerts.json')
 test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_vulnerability_detector_linux.yaml')
@@ -126,7 +124,7 @@ def test_vulnerability_detector_linux(configure_environment, metadata, get_index
 fr'"timestamp": "({timestamp_regex})".*' # Check that alert has been raised and save timestamp
- raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json,
+ raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=e2e.fetched_alerts_json_path,
 error_message='The alert has not occurred').result()
 raised_alert_timestamp = raised_alert.group(1)
diff --git a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py
index e3512ebd4d..7da416b866 100644
--- a/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py
+++ b/tests/end_to_end/test_basic_cases/test_vulnerability_detector/test_vulnerability_detector_windows/test_vulnerability_detection_windows.py
@@ -45,7 +45,6 @@ import json import re import pytest
-from tempfile import gettempdir
 from wazuh_testing.tools import configuration as config from wazuh_testing import end_to_end as e2e
@@ -54,7 +53,6 @@ # Test cases data
-alerts_json = os.path.join(gettempdir(), 'alerts.json')
 test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_vulnerability_detector_windows.yaml')
@@ -127,7 +125,7 @@ def test_vulnerability_detector_windows(configure_environment, metadata, get_ind
 fr'"timestamp": "({timestamp_regex})".*' # Check that alert has been raised and save timestamp
- raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json,
+ raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=e2e.fetched_alerts_json_path,
 error_message='The alert has not occurred').result()
 raised_alert_timestamp = raised_alert.group(1)
diff --git a/tests/end_to_end/test_basic_cases/test_windows_defender/test_windows_defender.py b/tests/end_to_end/test_basic_cases/test_windows_defender/test_windows_defender.py
index 73e59df1c8..4fbca0e0f4 100644
--- a/tests/end_to_end/test_basic_cases/test_windows_defender/test_windows_defender.py
+++ b/tests/end_to_end/test_basic_cases/test_windows_defender/test_windows_defender.py
@@ -38,7 +38,6 @@ import json import re import pytest
-from tempfile import gettempdir
 import wazuh_testing as fw from wazuh_testing.tools import configuration as config
@@ -47,7 +46,6 @@ from wazuh_testing.modules import TIER0, WINDOWS # Test cases data
-alerts_json = os.path.join(gettempdir(), 'alerts.json')
 test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_windows_defender.yaml')
@@ -119,7 +117,7 @@ def test_windows_defender(configure_environment, metadata, get_indexer_credentia
 fr'"timestamp": "({timestamp_regex})".*' # Check that alert has been raised and save timestamp
- raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json,
+ raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=e2e.fetched_alerts_json_path,
 timeout=fw.T_5, error_message='The alert has not occurred').result()
 raised_alert_timestamp = raised_alert.group(1)
diff --git a/tests/end_to_end/test_basic_cases/test_yara_integration/test_yara_integration.py b/tests/end_to_end/test_basic_cases/test_yara_integration/test_yara_integration.py
index ee0dd377da..284d9ff70a 100644
--- a/tests/end_to_end/test_basic_cases/test_yara_integration/test_yara_integration.py
+++ b/tests/end_to_end/test_basic_cases/test_yara_integration/test_yara_integration.py
@@ -41,7 +41,6 @@ import json import re import pytest
-from tempfile import gettempdir
 import wazuh_testing as fw from wazuh_testing import end_to_end as e2e
@@ -54,7 +53,6 @@ test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') test_cases_path = os.path.join(test_data_path, 'test_cases') test_cases_file_path = os.path.join(test_cases_path, 'cases_yara_integration.yaml')
-alerts_json = os.path.join(gettempdir(), 'alerts.json')
 # Playbooks
 configuration_playbooks = ['configuration.yaml']
@@ -127,7 +125,7 @@ def test_yara_integration(configure_environment, metadata, get_indexer_credentia
 fr"timestamp\": \"({timestamp_regex})\"" # Check that alert has been raised and save timestamp
- raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json,
+ raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=e2e.fetched_alerts_json_path,
 timeout=fw.T_5, error_message='The alert has not occurred').result()
 raised_alert_timestamp = raised_alert.group(1)