Add Windows System folders monitoring test support

CHANGELOG.md

@@ -9,7 +9,8 @@ Release report: TBD
 
 ### Added
 
-- Add 'test_whodata_policy_changes' tests ([#3627](https:/wazuh/wazuh-qa/pull/3627)) \- (Framework + Tests)
+- Add Windows System folders FIM monitoring tests ([#3720](https:/wazuh/wazuh-qa/pull/3720)) \- (Tests)
+- Add 'test_whodata_policy_changes' tests ([#3627](https:/wazuh/wazuh-qa/pull/3627)) \- (Framework + Tests) 
 - Add test to check if active-response netsh generates alerts when firewall is disabled. ([#3787](https:/wazuh/wazuh-qa/pull/3787)) \- (Framework + Tests)
 - Add new tests for logcollector 'ignore' and 'restrict' options ([#3582](https:/wazuh/wazuh-qa/pull/3582)) \- (Tests)
 - Add 'Force reconnect' feature to agent_simulator tool. ([#3111](https:/wazuh/wazuh-qa/pull/3111)) \- (Tools)

deps/wazuh_testing/wazuh_testing/modules/fim/classes.py

@@ -145,7 +145,8 @@ def __init__(self, log_monitor, folder, file_list=['testfile0'], options=None, c
  self.events = None
  self.callback = callback
 
- def fetch_and_check(self, event_type, min_timeout=1, triggers_event=True, extra_timeout=0, event_mode=None):
+ def fetch_and_check(self, event_type, min_timeout=1, triggers_event=True, extra_timeout=0, event_mode=None,
+ escaped=False):
  """Call both 'fetch_events' and 'check_events'.
 
  Args:
@@ -164,7 +165,7 @@ def fetch_and_check(self, event_type, min_timeout=1, triggers_event=True, extra_
  error_msg += " but were not detected." if len(self.file_list) > 1 else " but was not detected."
 
  self.events = self.fetch_events(min_timeout, triggers_event, extra_timeout, error_message=error_msg)
- self.check_events(event_type, mode=event_mode)
+ self.check_events(event_type, mode=event_mode, escaped=escaped)
 
  def fetch_events(self, min_timeout=1, triggers_event=True, extra_timeout=0, error_message=''):
  """Try to fetch events on a given log monitor. Will return a list with the events detected.
@@ -221,12 +222,13 @@ def clean_results(event_list):
  raise
  logger.info("TimeoutError was expected and correctly caught.")
 
- def check_events(self, event_type, mode=None):
+ def check_events(self, event_type, mode=None, escaped=False):
  """Check and validate all events in the 'events' list.
 
  Args:
  event_type (str): Expected type of the raised event {'added', 'modified', 'deleted'}.
  mode (str, optional): Specifies the FIM scan mode to check in the events
+ escaped (Boolean): check if file path has to be escaped.
  """
 
  def validate_checkers_per_event(events, options, mode):
@@ -245,11 +247,13 @@ def check_events_type(events, ev_type, file_list=['testfile0']):
  msg = f"Non expected number of events. {event_types[ev_type]} != {len(file_list)}"
  assert (event_types[ev_type] == len(file_list)), msg
 
- def check_events_path(events, folder, file_list=['testfile0'], mode=None):
+ def check_events_path(events, folder, file_list=['testfile0'], mode=None, escaped=False):
  mode = global_parameters.current_configuration['metadata']['fim_mode'] if mode is None else mode
  data_path = filter_events(events, ".[].data.path")
  for file_name in file_list:
  expected_path = os.path.join(folder, file_name)
+ if escaped:
+ expected_path = expected_path.replace("\\", "\\\\")
  if self.encoding is not None:
  for index, item in enumerate(data_path):
  data_path[index] = item.encode(encoding=self.encoding)
@@ -258,7 +262,7 @@ def check_events_path(events, folder, file_list=['testfile0'], mode=None):
  f'Reason: using non-utf-8 encoding in darwin.')
  else:
  error_msg = f"Expected data path was '{expected_path}' but event data path is '{data_path}'"
- assert (expected_path in data_path), error_msg
+ assert (expected_path in str(data_path)), error_msg
 
  def filter_events(events, mask):
  """Returns a list of elements matching a specified mask in the events list using jq module."""
@@ -271,7 +275,7 @@ def filter_events(events, mask):
  if self.events is not None:
  validate_checkers_per_event(self.events, self.options, mode)
  check_events_type(self.events, event_type, self.file_list)
- check_events_path(self.events, self.folder, file_list=self.file_list, mode=mode)
+ check_events_path(self.events, self.folder, file_list=self.file_list, mode=mode, escaped=escaped)
 
  if self.custom_validator is not None:
  self.custom_validator.validate_after_cud(self.events)

deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py

@@ -10,8 +10,11 @@
 from wazuh_testing.tools.monitoring import generate_monitoring_callback, FileMonitor
 from wazuh_testing.modules import fim
 
+# Callback Messages
+CB_FIM_PATH_CONVERTED = r".*fim_adjust_path.*Convert '(.*) to '(.*)' to process the FIM events."
 
-# Callbacks
+
+# Callback functions
 def callback_detect_event(line):
  """
  Detect an 'event' type FIM log.
@@ -153,8 +156,8 @@ def callback_detect_file_deleted_event(line):
 
 # Event checkers
 def check_fim_event(file_monitor=None, callback='', error_message=None, update_position=True,
- timeout=T_30, accum_results=1, file_to_monitor=LOG_FILE_PATH):
- """Check if a vulnerability event occurs
+ timeout=T_60, accum_results=1, file_to_monitor=LOG_FILE_PATH):
+ """Check if a analysisd event occurs
 
  Args:
  file_monitor (FileMonitor): FileMonitor object to monitor the file content.

deps/wazuh_testing/wazuh_testing/modules/fim/utils.py

@@ -225,9 +225,8 @@ def get_fim_mode_param(mode, key='FIM_MODE'):
 
 
 def regular_file_cud(folder, log_monitor, file_list=['testfile0'], min_timeout=1, options=None,
- triggers_event=True, encoding=None, callback=ev.callback_detect_file_added_event,
- validators_after_create=None, validators_after_update=None, validators_after_delete=None,
- validators_after_cud=None, event_mode=None):
+ triggers_event=True, encoding=None, validators_after_create=None, validators_after_update=None,
+ validators_after_delete=None, validators_after_cud=None, event_mode=None, escaped=False):
  """Check if creation, update and delete events are detected by syscheck.
 
  This function provides multiple tools to validate events with custom validators.
@@ -270,7 +269,7 @@ def regular_file_cud(folder, log_monitor, file_list=['testfile0'], min_timeout=1
  create_file(REGULAR, folder, name, content=content)
 
  event_checker.fetch_and_check('added', min_timeout=min_timeout, triggers_event=triggers_event,
- event_mode=event_mode)
+ event_mode=event_mode, escaped=escaped)
  if triggers_event:
  logger.info("'added' {} detected as expected.\n".format("events" if len(file_list) > 1 else "event"))
 
@@ -282,7 +281,7 @@ def regular_file_cud(folder, log_monitor, file_list=['testfile0'], min_timeout=1
  custom_validator=custom_validator, encoding=encoding,
  callback=ev.callback_detect_file_modified_event)
  event_checker.fetch_and_check('modified', min_timeout=min_timeout, triggers_event=triggers_event,
- event_mode=event_mode)
+ event_mode=event_mode, escaped=escaped)
  if triggers_event:
  logger.info("'modified' {} detected as expected.\n".format("events" if len(file_list) > 1 else "event"))
 
@@ -294,7 +293,7 @@ def regular_file_cud(folder, log_monitor, file_list=['testfile0'], min_timeout=1
  custom_validator=custom_validator, encoding=encoding,
  callback=ev.callback_detect_file_deleted_event)
  event_checker.fetch_and_check('deleted', min_timeout=min_timeout, triggers_event=triggers_event,
- event_mode=event_mode)
+ event_mode=event_mode, escaped=escaped)
  if triggers_event:
  logger.info("'deleted' {} detected as expected.\n".format("events" if len(file_list) > 1 else "event"))
 

tests/integration/test_fim/test_files/test_env_variables/test_nodiff.py

@@ -202,6 +202,6 @@ def no_diff_validator(event):
  assert '<Diff truncated because nodiff option>' not in event['data'].get('content_changes'), \
  'content_changes is truncated'
 
- regular_file_cud(directory, wazuh_log_monitor, file_list=files, time_travel=False,
+ regular_file_cud(directory, wazuh_log_monitor, file_list=files,
  min_timeout=global_parameters.default_timeout*2, triggers_event=True,
  validators_after_update=[report_changes_validator, no_diff_validator])

tests/integration/test_fim/test_files/test_report_changes/test_report_changes_and_diff.py

@@ -65,6 +65,7 @@
  - fim_report_changes
 '''
 import os
+import sys
 
 import pytest
 from wazuh_testing.tools import PREFIX, configuration
@@ -170,6 +171,7 @@ def test_reports_file_and_nodiff(configuration, metadata, set_wazuh_configuratio
  file_list = [f"regular_file"]
  is_truncated = metadata['folder'] == 'testdir_nodiff'
  folder = os.path.join(PREFIX, metadata['folder'])
+ escaped = True if sys.platform == 'win32' else False
 
  def report_changes_validator(event):
  """Validate content_changes attribute exists in the event"""
@@ -189,4 +191,5 @@ def no_diff_validator(event):
 
  wazuh_log_monitor = FileMonitor(LOG_FILE_PATH)
  regular_file_cud(folder, wazuh_log_monitor, file_list=file_list, min_timeout=global_parameters.default_timeout*4,
- triggers_event=True, validators_after_update=[report_changes_validator, no_diff_validator])
+ triggers_event=True, validators_after_update=[report_changes_validator, no_diff_validator],
+ escaped=escaped)

tests/integration/test_fim/test_files/test_whodata_policy_change/test_whodata_policy_change.py

@@ -186,4 +186,4 @@ def test_whodata_policy_change(configuration, metadata, set_wazuh_configuration,
  # Create/Update/Delete file and check events
  wazuh_log_monitor = FileMonitor(LOG_FILE_PATH)
  regular_file_cud(folder, wazuh_log_monitor, file_list=file_list, event_mode=fim.REALTIME_MODE,
- min_timeout=global_parameters.default_timeout*4, triggers_event=True)
+ escaped=True, min_timeout=global_parameters.default_timeout*4, triggers_event=True)

tests/integration/test_fim/test_files/test_windows_system_folder_redirection/data/configuration_template/configuration_windows_system_folder_redirection.yaml

@@ -0,0 +1,32 @@
+- sections:
+ - section: syscheck
+ elements:
+ - disabled:
+ value: 'no'
+ - frequency:
+ value: INTERVAL
+ - directories:
+ value: TEST_DIRECTORIES
+ attributes:
+ - realtime: REALTIME
+ - whodata: WHODATA
+ - recursion_level: 0
+ - windows_audit_interval:
+ value: 500
+
+ - section: sca
+ elements:
+ - enabled:
+ value: 'no'
+
+ - section: rootcheck
+ elements:
+ - disabled:
+ value: 'yes'
+
+ - section: wodle
+ attributes:
+ - name: syscollector
+ elements:
+ - disabled:
+ value: 'yes'

tests/integration/test_fim/test_files/test_windows_system_folder_redirection/data/test_cases/cases_windows_system_folder_redirection.yaml

@@ -0,0 +1,116 @@
+- name: monitor /Windows/System32 - scheduled
+ description: Monitor the System32 folder without redirection in Scheduled mode
+ configuration_parameters:
+ INTERVAL: 3
+ REALTIME: 'no'
+ WHODATA: 'no'
+ TEST_DIRECTORIES: '%WINDIR%\System32\testdir1'
+ fim_mode: scheduled
+ metadata:
+ folder: system32
+ fim_mode: scheduled
+ redirected: false
+
+- name: monitor /Windows/System32 - realtime
+ description: Monitor the System32 folder without redirection in Realtime mode
+ configuration_parameters:
+ INTERVAL: 10000
+ REALTIME: 'yes'
+ WHODATA: 'no'
+ TEST_DIRECTORIES: '%WINDIR%\System32\testdir1'
+ fim_mode: realtime
+ metadata:
+ folder: system32
+ fim_mode: realtime
+ redirected: false
+
+- name: monitor /Windows/System32 - whodata
+ description: Monitor the System32 folder without redirection in Whodata mode
+ configuration_parameters:
+ INTERVAL: 10000
+ REALTIME: 'no'
+ WHODATA: 'yes'
+ TEST_DIRECTORIES: '%WINDIR%\System32\testdir1'
+ fim_mode: whodata
+ metadata:
+ folder: system32
+ fim_mode: whodata
+ redirected: false
+
+- name: monitor /Windows/Sysnative - scheduled
+ description: Monitor the System32 through Sysnative redirection in Scheduled mode
+ configuration_parameters:
+ INTERVAL: 3
+ REALTIME: 'no'
+ WHODATA: 'no'
+ TEST_DIRECTORIES: '%WINDIR%\Sysnative\testdir1'
+ fim_mode: scheduled
+ metadata:
+ folder: system32
+ fim_mode: scheduled
+ redirected: true
+
+- name: monitor /Windows/Sysnative - realtime
+ description: Monitor the System32 through Sysnative redirection in Realtime mode
+ configuration_parameters:
+ INTERVAL: 10000
+ REALTIME: 'yes'
+ WHODATA: 'no'
+ TEST_DIRECTORIES: '%WINDIR%\Sysnative\testdir1'
+ fim_mode: realtime
+ metadata:
+ folder: system32
+ fim_mode: realtime
+ redirected: true
+
+- name: monitor /Windows/Sysnative - whodata
+ description: Monitor the System32 through Sysnative redirection in Whodata mode
+ configuration_parameters:
+ INTERVAL: 10000
+ REALTIME: 'no'
+ WHODATA: 'yes'
+ TEST_DIRECTORIES: '%WINDIR%\Sysnative\testdir1'
+ fim_mode: whodata
+ metadata:
+ folder: system32
+ fim_mode: whodata
+ redirected: true
+
+- name: monitor SyWOW64 - scheduled
+ description: Monitor the SysWOW64 without redirection in Scheduled mode
+ configuration_parameters:
+ INTERVAL: 3
+ REALTIME: 'no'
+ WHODATA: 'no'
+ TEST_DIRECTORIES: '%WINDIR%\SysWOW64\testdir1'
+ fim_mode: scheduled
+ metadata:
+ folder: syswow64
+ fim_mode: scheduled
+ redirected: false
+
+- name: monitor SysWOW64 - realtime
+ description: Monitor the SysWOW64 without redirection in Realtime mode
+ configuration_parameters:
+ INTERVAL: 10000
+ REALTIME: 'yes'
+ WHODATA: 'no'
+ TEST_DIRECTORIES: '%WINDIR%\SysWOW64\testdir1'
+ fim_mode: realtime
+ metadata:
+ folder: syswow64
+ fim_mode: realtime
+ redirected: false
+
+- name: monitor SysWOW64 - whodata
+ description: Monitor the SysWOW64 without redirection in Whodata mode
+ configuration_parameters:
+ INTERVAL: 10000
+ REALTIME: 'no'
+ WHODATA: 'yes'
+ TEST_DIRECTORIES: '%WINDIR%\SysWOW64\testdir1'
+ fim_mode: whodata
+ metadata:
+ folder: syswow64
+ fim_mode: whodata
+ redirected: false