Add Audit buffer IT suite #3990

Deblintrake09 · 2023-03-02T19:16:16Z

Related issue
#3963

Description

This Issue aims to add IT support for the new Audit whodata buffer. This is managed by the whodata->queue_size tag that limits the amount of audit events that are received by syscheck. When the queue is full, events are dropped and the files modification are detected through scheduled mode instead of whodata.

Added

test_audit_buffer_configuration.py module containing 7 cases related to queue_size configuration values
test_audit_buffer_behavior.py module containing 2 cases related to queue_size basic behavior
test_audit_buffer_over_time.py module containing 2 cases related to queue_size's behavior in relation to max_eps
Added new callbacks and functions

Changed

Fixed test_sync_max_eps.py

Testing performed

Tester	Jenkins	Local	OS	Commit	Notes
@Deblintrake09 (Developer)	🟢🟢🟢	🟢🟢🟢	Manager	`f13f4c5`	Nothing to highlight
@Deblintrake09 (Developer)	🟢🟢🟢	🔵	Linux Agent	`f13f4c5`	Nothing to highlight
@Deblintrake09 (Developer)	🟢🟢🟢	🟢🟢🟢	Windows Agent	`f13f4c5`	Nothing to highlight
@Deblintrake09 (Developer)	🟢🟢🟢	🚫	Solaris & macOS Agent	`f13f4c5`	Nothing to highlight

deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py

...m/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_over_time_no_overflow.yaml

...gration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_values.yaml

tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavoir.py

deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py

Deblintrake09 · 2023-06-05T21:25:12Z

This branch has been closed because of unsigned commits. Replaced by #4227.

Deblintrake09 added 10 commits February 24, 2023 14:37

feat(#3963): add new callbacks and event_checkers

1d7711f

feat(#3963): add new test modules and cases

336122f

feat(#3963): add test audit_buffer_behavior

f2105ed

feat(#3963): add audit_buffer_behavior module

e65401f

feat(#3963): Updated and added new test cases

ebfadcc

refactor(#3963): move tests to own folder

1f9915b

fix(#3963): fix test cases

e9c3cda

style(#3963): fix whitespaces

6aeabae

style(#3963): update style and spacing

790305a

docs(#3963): Improve docs and comments

169ef58

Deblintrake09 added the pull-request/production label Mar 2, 2023

Deblintrake09 requested review from damarisg and jmv74211 March 2, 2023 19:16

Deblintrake09 self-assigned this Mar 2, 2023

Deblintrake09 changed the base branch from master to 4.5 March 2, 2023 19:16

Deblintrake09 linked an issue Mar 2, 2023 that may be closed by this pull request

Add IT support for FIM whodata buffer #3963

Closed

Deblintrake09 added 3 commits March 3, 2023 09:13

fix(#3963): update cases

2af54ad

fix(#3963): update test case metadata

237271c

fix(#3963): skip flaky test

b4db1fa

Deblintrake09 marked this pull request as ready for review March 6, 2023 20:09

Deblintrake09 added 2 commits March 7, 2023 17:02

fix(#3963): fix test_sync_max_eps_scheduled

ba25334

fix(#3963): remove test windows support

bb216d3

damarisg requested changes Mar 13, 2023

View reviewed changes

jmv74211 removed the pull-request/production label Mar 14, 2023

Deblintrake09 added 5 commits March 14, 2023 09:50

docs(#3963): updated changelog.md

098913f

docs(#3591): improve documentation

2eb80e3

style(#3963): fix spacing and whitespaces

6038f67

docs(#3696): improve method description

8744817

docs(#3963): improve cases descriptions

7e1dbb3

damarisg reviewed Mar 14, 2023

View reviewed changes

deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py Outdated Show resolved Hide resolved

Deblintrake09 added 6 commits March 14, 2023 15:23

docs(#3963): fix docu typo

57b4a50

merge(#3963) '4.5' to 3963-whodata-buffer-support

ac13140

fix(#3963): fix failing tests

05191d3

fix(#3963): fix create_registry function

384be15

fix(#3963): fix test_synchronize_integrity_win32

f13f4c5

fix(#3963): fix file_limit confs

7e16d63

Deblintrake09 removed a link to an issue Jun 5, 2023

Add IT support for FIM whodata buffer #3963

Closed

Deblintrake09 closed this Jun 5, 2023

Deblintrake09 deleted the 3963-whodata-buffer-support branch July 4, 2023 12:23

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add Audit buffer IT suite #3990

Add Audit buffer IT suite #3990

Deblintrake09 commented Mar 2, 2023 •

edited by damarisg

Loading

Deblintrake09 commented Jun 5, 2023

Add Audit buffer IT suite #3990

Add Audit buffer IT suite #3990

Conversation

Deblintrake09 commented Mar 2, 2023 • edited by damarisg Loading

Description

Added

Changed

Testing performed

Deblintrake09 commented Jun 5, 2023

Deblintrake09 commented Mar 2, 2023 •

edited by damarisg

Loading