Fix FIM test_large_changes test suite

CHANGELOG.md

@@ -19,6 +19,7 @@ All notable changes to this project will be documented in this file.
 
 ### Changed
 
+- Fix FIM test_large_changes test suite ([#3948](https:/wazuh/wazuh-qa/pull/3948)) \- (Tests)
 - Update `get_test_cases_data` function so it handles fim_mode parameter ([#4185](https:/wazuh/wazuh-qa/pull/4185)) \- (Framework)
 - Change FIM `regular_file_cud` and `EventChecker` file modification steps ([#4183](https:/wazuh/wazuh-qa/pull/4183)) \- (Framework + Tests)
 - Refactor library to change the environment ([#4145](https:/wazuh/wazuh-qa/pull/4145)) \- (Framework)

deps/wazuh_testing/wazuh_testing/__init__.py

@@ -109,6 +109,7 @@
 VALID_FIM_MODES = ['scheduled', 'realtime', 'whodata']
 OS_EXCLUDED_FROM_RT_WD = ['darwin', 'sunos5']
 
+
 def is_udp(protocol):
  return protocol.upper() == UDP
 

deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py

@@ -193,6 +193,7 @@ def callback_integrity_sync_message(line):
  Args:
  line (String): string line to be checked by callback in FileMonitor.
  Returns:
+
  List: returns a list with formated datetime, And the event's JSON data.
  """
  if callback_detect_integrity_control_event(line):
@@ -205,6 +206,7 @@ def callback_detect_integrity_check_global(line):
  """ Callback that detects if a line contains an 'integrity_check_global' event
  Args:
  line (String): string line to be checked by callback in FileMonitor.
+
  Returns:
  JSON: returns event's JSON data.
  """
@@ -309,6 +311,7 @@ def callback_real_time_whodata_started(line):
  match = re.match(CB_REALTIME_WHODATA_ENGINE_STARTED, line)
  if match:
  return True
+ return None
 
  return None
 
@@ -388,6 +391,21 @@ def callback_detect_file_deleted_event(line):
  return None
 
 
+def callback_detect_file_more_changes(line):
+ """ Callback that detects if a line in a log contains 'More changes' in content_changes.
+
+ Args:
+ line (String): string line to be checked by callback in FileMonitor.
+
+ Returns:
+ returns JSON string from log.
+ """
+ json_event = callback_detect_event(line)
+ if json_event is not None and 'content_changes' in json_event['data']:
+ if 'More changes' in json_event['data']['content_changes']:
+ return json_event
+
+
 def callback_audit_cannot_start(line):
  """ Callback that detects if a line shows whodata engine could not start and monitoring switched to realtime.
 
@@ -435,6 +453,30 @@ def check_fim_event(file_monitor=None, callback='', error_message=None, update_p
  callback=generate_monitoring_callback(callback), error_message=error_message)
 
 
+def get_fim_event(file_monitor=None, callback='', error_message=None, update_position=True,
+ timeout=T_60, accum_results=1, file_to_monitor=LOG_FILE_PATH):
+ """ Check if FIM event occurs and return it according to the callback.
+
+ Args:
+ file_monitor (FileMonitor): FileMonitor object to monitor the file content.
+ callback (str): log regex to check in Wazuh log
+ error_message (str): error message to show in case of expected event does not occur
+ update_position (boolean): filter configuration parameter to search in Wazuh log
+ timeout (str): timeout to check the event in Wazuh log
+ accum_results (int): Accumulation of matches.
+
+ Returns:
+ returns the value given by the callback used. Default None.
+ """
+ file_monitor = FileMonitor(file_to_monitor) if file_monitor is None else file_monitor
+ error_message = f"Could not find this event in {file_to_monitor}: {callback}" if error_message is None else \
+ error_message
+
+ result = file_monitor.start(timeout=timeout, update_position=update_position, accum_results=accum_results,
+ callback=callback, error_message=error_message).result()
+ return result
+
+
 def detect_initial_scan(file_monitor):
  """Detect initial scan when restarting Wazuh.
 

deps/wazuh_testing/wazuh_testing/tools/configuration.py

@@ -718,6 +718,7 @@ def get_test_cases_data(data_file_path):
  configuration_parameters = []
  configuration_metadata = []
  test_cases_ids = []
+
  def set_test_case_data():
  configuration_parameters.append(test_case['configuration_parameters'])
  metadata_parameters = {'name': test_case['name'], 'description': test_case['description']}

tests/integration/test_fim/test_files/test_report_changes/data/configuration_template/configuration_large_changes.yaml

@@ -0,0 +1,32 @@
+- sections:
+ - section: syscheck
+ elements:
+ - disabled:
+ value: 'no'
+ - frequency:
+ value: INTERVAL
+ - directories:
+ value: TEST_DIRECTORIES
+ attributes:
+ - check_all: 'yes'
+ - realtime: REALTIME
+ - whodata: WHODATA
+ - report_changes: 'yes'
+ - diff_size_limit: 200KB
+
+ - section: sca
+ elements:
+ - enabled:
+ value: 'no'
+
+ - section: rootcheck
+ elements:
+ - disabled:
+ value: 'yes'
+
+ - section: wodle
+ attributes:
+ - name: syscollector
+ elements:
+ - disabled:
+ value: 'yes'

tests/integration/test_fim/test_files/test_report_changes/data/test_cases/cases_large_changes.yaml

@@ -0,0 +1,155 @@
+- name: Test changes smaller than limit (Scheduled mode)
+ description: Test that changes are smaller than limit, 'More changes' does not appear in content_changes
+ configuration_parameters:
+ INTERVAL: 4
+ REALTIME: 'no'
+ WHODATA: 'no'
+ metadata:
+ filename: regular_1
+ original_size: 500
+ modified_size: 500
+ has_more_changes: false
+ fim_mode: scheduled
+
+- name: Test changes smaller than limit (Realtime mode)
+ description: Test that changes are smaller than limit, 'More changes' does not appear in content_changes
+ configuration_parameters:
+ INTERVAL: 10000
+ REALTIME: 'yes'
+ WHODATA: 'no'
+ metadata:
+ filename: regular_1
+ original_size: 500
+ modified_size: 500
+ has_more_changes: false
+ fim_mode: realtime
+
+- name: Test changes smaller than limit (Whodata mode)
+ description: Test that changes are smaller than limit, 'More changes' does not appear in content_changes
+ configuration_parameters:
+ INTERVAL: 10000
+ REALTIME: 'no'
+ WHODATA: 'yes'
+ metadata:
+ filename: regular_1
+ original_size: 500
+ modified_size: 500
+ has_more_changes: false
+ fim_mode: whodata
+
+- name: Test large changes - Same size (Scheduled mode)
+ description: Test that changes are bigger than limit, 'More changes' appears in content_changes
+ configuration_parameters:
+ INTERVAL: 4
+ REALTIME: 'no'
+ WHODATA: 'no'
+ metadata:
+ filename: regular_2
+ original_size: 200000
+ modified_size: 200000
+ has_more_changes: true
+ fim_mode: scheduled
+
+- name: Test large changes - Same size (Realtime mode)
+ description: Test that changes are bigger than limit, 'More changes' appears in content_changes
+ configuration_parameters:
+ INTERVAL: 10000
+ REALTIME: 'yes'
+ WHODATA: 'no'
+ metadata:
+ filename: regular_2
+ original_size: 200000
+ modified_size: 200000
+ has_more_changes: true
+ fim_mode: realtime
+
+- name: Test large changes - Same size (Whodata mode)
+ description: Test that changes are bigger than limit, 'More changes' appears in content_changes.
+ configuration_parameters:
+ INTERVAL: 10000
+ REALTIME: 'no'
+ WHODATA: 'yes'
+ metadata:
+ filename: regular_2
+ original_size: 200000
+ modified_size: 200000
+ has_more_changes: true
+ fim_mode: whodata
+
+- name: Test large changes - File bigger after change (Scheduled mode)
+ description: Test that changes are bigger than limit, 'More changes' appears in content_changes.
+ configuration_parameters:
+ INTERVAL: 4
+ REALTIME: 'no'
+ WHODATA: 'no'
+ metadata:
+ filename: regular_3
+ original_size: 10
+ modified_size: 200000
+ has_more_changes: true
+ fim_mode: scheduled
+
+- name: Test large changes - File bigger after change (Realtime mode)
+ description: Test that changes are bigger than limit, 'More changes' appears in content_changes.
+ configuration_parameters:
+ INTERVAL: 10000
+ REALTIME: 'yes'
+ WHODATA: 'no'
+ metadata:
+ filename: regular_3
+ original_size: 10
+ modified_size: 200000
+ has_more_changes: true
+ fim_mode: realtime
+
+- name: Test large changes - File bigger after change (Whodata mode)
+ description: Test that changes are bigger than limit, 'More changes' appears in content_changes.
+ configuration_parameters:
+ INTERVAL: 10000
+ REALTIME: 'no'
+ WHODATA: 'yes'
+ metadata:
+ filename: regular_3
+ original_size: 10
+ modified_size: 200000
+ has_more_changes: true
+ fim_mode: whodata
+
+- name: Test large changes - File smaller after change (Scheduled mode)
+ description: Test that changes are bigger than limit, 'More changes' appears in content_changes.
+ configuration_parameters:
+ INTERVAL: 4
+ REALTIME: 'no'
+ WHODATA: 'no'
+ metadata:
+ filename: regular_4
+ original_size: 200000
+ modified_size: 10
+ has_more_changes: true
+ fim_mode: scheduled
+
+- name: Test large changes - File smaller after change (Realtime mode)
+ description: Test that changes are bigger than limit, 'More changes' appears in content_changes.
+ configuration_parameters:
+ INTERVAL: 10000
+ REALTIME: 'yes'
+ WHODATA: 'no'
+ metadata:
+ filename: regular_4
+ original_size: 200000
+ modified_size: 10
+ has_more_changes: true
+ fim_mode: realtime
+
+- name: Test large changes - File smaller after change (Whodata mode)
+ description: Test that changes are bigger than limit, 'More changes' appears in content_changes.
+ configuration_parameters:
+ INTERVAL: 10000
+ REALTIME: 'no'
+ WHODATA: 'yes'
+ metadata:
+ filename: regular_4
+ original_size: 200000
+ modified_size: 10
+ has_more_changes: true
+ fim_mode: whodata