Enhance FIM IT test_ambiguous_confs suite

CHANGELOG.md

@@ -18,7 +18,7 @@ All notable changes to this project will be documented in this file.
 - Add new module to support migration tool. ([#3837](https:/wazuh/wazuh-qa/pull/3837))
 
 ### Changed
-
+- Update FIM test_ambiguous_confs IT to new framework ([#4121](https:/wazuh/wazuh-qa/pull/4121)) \- (Tests + Framework)
 - Update `test_logcollector` invalid configs log level ([#4094](https:/wazuh/wazuh-qa/pull/4094)) \- (Tests)
 - Update `test_office365` to support the new tag `API_TYPE` ([#4065](https:/wazuh/wazuh-qa/pull/4065)) \- (Framework + Tests)
 - Update `test_wazuh_db` & `test_enrollment` to support new column `status_code` and new value on the enrollment `payload`. ([#4021](https:/wazuh/wazuh-qa/pull/4021)) \- (Tests)

deps/wazuh_testing/wazuh_testing/modules/fim/classes.py

@@ -15,8 +15,6 @@
 if sys.platform == 'linux2' or sys.platform == 'linux':
  from jq import jq
 
-_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data')
-
 
 def validate_event(event, checks=None, mode=None):
  """Check if event is properly formatted according to some checks.
@@ -103,7 +101,7 @@ def get_required_attributes(check_attributes, result=None):
  return result
 
  json_file = 'syscheck_event_windows.json' if sys.platform == "win32" else 'syscheck_event.json'
- with open(os.path.join(_data_path, json_file), 'r') as f:
+ with open(os.path.join(WAZUH_TESTING_DATA_PATH, json_file), 'r') as f:
  schema = json.load(f)
 
  validate(schema=schema, instance=event)

deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py

@@ -55,6 +55,8 @@
 CB_SWITCHING_DIRECTORIES_TO_REALTIME = r'.*state_checker.*(Audit policy change detected.\
  Switching directories to realtime)'
 CB_RECIEVED_EVENT_4719 = r'.*win_whodata.*(Event 4719).*Switching directories to realtime'
+CB_FIM_REGISTRY_ENTRIES_COUNT = r".*Fim registry entries count: '(.*)'"
+CB_FIM_REGISTRY_VALUES_ENTRIES_COUNT = r".*Fim registry values entries count: '(.*)'"
 
 # Error message
 ERR_MSG_REALTIME_FOLDERS_EVENT = 'Did not receive expected "Folders monitored with real-time engine" event'
@@ -78,8 +80,7 @@
 ERR_MSG_REGISTRY_LIMIT_VALUES = 'Did not receive expected "DEBUG: ...: Maximum number of registry values to \
  be monitored: ..." event'
 ERR_MSG_WRONG_REGISTRY_LIMIT_VALUE = 'Wrong value for db_value_limit registries tag.'
-ERR_MSG_FILE_LIMIT_VALUES = 'Did not receive expected "DEBUG: ...: Maximum number of entries to be monitored: \
- ..." event'
+ERR_MSG_FILE_LIMIT_VALUES = 'Did not receive expected "DEBUG: ...: Maximum number of files to be monitored:..." event'
 ERR_MSG_WRONG_FILE_LIMIT_VALUE = 'Wrong value for file_limit.'
 ERR_MSG_FILE_LIMIT_DISABLED = 'Did not receive expected "DEBUG: ...: No limit set to maximum number of entries \
  to be monitored" event'
@@ -187,11 +188,38 @@ def callback_integrity_message(line):
  return datetime.strptime(match.group(1), '%Y/%m/%d %H:%M:%S'), json.dumps(match.group(2))
 
 
+def callback_integrity_sync_message(line):
+ """ Callback that detects if a line contains a integrity sync event
+ Args:
+ line (String): string line to be checked by callback in FileMonitor.
+ Returns:
+ List: returns a list with formated datetime, And the event's JSON data.
+ """
+ if callback_detect_integrity_control_event(line):
+ match = re.match(r"(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}).*({.*?})$", line)
+ if match:
+ return datetime.strptime(match.group(1), '%Y/%m/%d %H:%M:%S'), json.dumps(match.group(2))
+
+
+def callback_detect_integrity_check_global(line):
+ """ Callback that detects if a line contains an 'integrity_check_global' event
+ Args:
+ line (String): string line to be checked by callback in FileMonitor.
+ Returns:
+ JSON: returns event's JSON data.
+ """
+ match = callback_detect_integrity_control_event(line)
+ if match:
+ if match['type'] == 'integrity_check_global':
+ return match
+ return None
+
+
 def callback_detect_file_integrity_event(line):
  """ Callback that detects if a line contains a file integrity event
 
  Args:
- line (String): string line to be checked by callback in File_Monitor.
+ line (String): string line to be checked by callback in FileMonitor.
  """
  event = callback_detect_integrity_control_event(line)
  if event and event['component'] == 'fim_file':
@@ -212,7 +240,7 @@ def callback_detect_registry_integrity_event(line):
  """ Callback that detects if a line contains a registry integrity event for a registry_key or registry_value
 
  Args:
- line (String): string line to be checked by callback in File_Monitor.
+ line (String): string line to be checked by callback in FileMonitor.
  """
  event = callback_detect_integrity_control_event(line)
  if event and event['component'] == 'fim_registry_key':
@@ -226,7 +254,7 @@ def callback_detect_registry_integrity_state_event(line):
  """ Callback that detects if a line contains a registry integrity event of the state type
 
  Args:
- line (String): string line to be checked by callback in File_Monitor.
+ line (String): string line to be checked by callback in FileMonitor.
  """
  event = callback_detect_registry_integrity_event(line)
  if event and event['type'] == 'state':
@@ -251,7 +279,7 @@ def callback_num_inotify_watches(line):
  """ Callback that detects if a line contains the folders monitored in realtime event
 
  Args:
- line (String): string line to be checked by callback in File_Monitor.
+ line (String): string line to be checked by callback in FileMonitor.
  """
  match = re.match(CB_FOLDERS_MONITORED_REALTIME, line)
 
@@ -276,17 +304,20 @@ def callback_state_event_time(line):
 def callback_real_time_whodata_started(line):
  """ Callback that detects if a line contains "Whodata engine started" event
  Args:
- line (String): string line to be checked by callback in File_Monitor.
+ line (String): string line to be checked by callback in FileMonitor.
  """
- if CB_REALTIME_WHODATA_ENGINE_STARTED in line:
+ match = re.match(CB_REALTIME_WHODATA_ENGINE_STARTED, line)
+ if match:
  return True
 
+ return None
+
 
 def callback_detect_registry_integrity_clear_event(line):
  """ Callback that detects if a line contains a registry integrity_clear event
 
  Args:
- line (String): string line to be checked by callback in File_Monitor.
+ line (String): string line to be checked by callback in FileMonitor.
  """
  event = callback_detect_integrity_control_event(line)
  if event and event['component'] == 'fim_registry_key' and event['type'] == 'integrity_clear':
@@ -434,13 +465,14 @@ def detect_realtime_start(file_monitor):
  error_message=ERR_MSG_FOLDERS_MONITORED_REALTIME)
 
 
-def detect_whodata_start(file_monitor):
+def detect_whodata_start(file_monitor, timeout=T_60):
  """Detect whodata engine start when restarting Wazuh.
 
  Args:
  file_monitor (FileMonitor): file log monitor to detect events
+ timeout (int): timeout for file monitor to try to detect event
  """
- file_monitor.start(timeout=T_60, callback=generate_monitoring_callback(CB_REALTIME_WHODATA_ENGINE_STARTED),
+ file_monitor.start(timeout=timeout, callback=generate_monitoring_callback(CB_REALTIME_WHODATA_ENGINE_STARTED),
  error_message=ERR_MSG_WHODATA_ENGINE_EVENT)
 
 

deps/wazuh_testing/wazuh_testing/modules/fim/utils.py

@@ -17,12 +17,14 @@
 from wazuh_testing.tools.time import TimeMachine
 from wazuh_testing.modules import fim
 from wazuh_testing.modules.fim import event_monitor as ev
-from wazuh_testing.modules.fim.classes import CustomValidator, EventChecker
+from wazuh_testing.modules.fim.classes import CustomValidator, EventChecker, RegistryEventChecker
 
 
 if sys.platform == 'win32':
  import win32con
  import win32api
+ import win32security as win32sec
+ import ntsecuritycon as ntc
  import pywintypes
 
 
@@ -101,15 +103,14 @@ def create_registry(key, subkey, arch):
 
  if sys.platform == 'win32':
  try:
- logger.info("Creating registry key " + str(os.path.join(fim.registry_class_name[key], subkey)))
-
  key = win32api.RegCreateKeyEx(key, subkey, win32con.KEY_ALL_ACCESS | arch)
-
+ logger.info("Created registry key " + str(os.path.join(fim.registry_class_name[key], subkey)))
  return key[0] # Ignore the flag that RegCreateKeyEx returns
  except OSError as e:
  logger.warning(f"Registry could not be created: {e}")
  except pywintypes.error as e:
  logger.warning(f"Registry could not be created: {e}")
+
 
 
 def modify_key_perms(key, subkey, arch, user):

tests/integration/test_fim/conftest.py

@@ -136,12 +136,14 @@ def create_monitored_folders(test_folders):
  test_folders(list): List of folders to create and delete
  """
  for folder in test_folders:
- os.mkdir(folder, mode=0o0777)
+ if not os.path.exists(folder):
+ os.mkdir(folder, mode=0o0777)
 
  yield
 
  for folder in test_folders:
- delete_path_recursively(folder)
+ if os.path.exists(folder):
+ delete_path_recursively(folder)
 
 
 @pytest.fixture(scope='module')
@@ -153,12 +155,14 @@ def create_monitored_folders_module(test_folders):
  test_folders(list): List of folders to create and delete
  """
  for folder in test_folders:
- os.mkdir(folder, mode=0o0777)
+ if not os.path.exists(folder):
+ os.mkdir(folder, mode=0o0777)
 
  yield
 
  for folder in test_folders:
- delete_path_recursively(folder)
+ if os.path.exists(folder):
+ delete_path_recursively(folder)
 
 
 @pytest.fixture()

tests/integration/test_fim/test_files/test_ambiguous_confs/data/configuration_templates/configuration_ignore_works_over_restrict.yaml

@@ -0,0 +1,42 @@
+- sections:
+ - section: syscheck
+ elements:
+ - disabled:
+ value: 'no'
+ - frequency:
+ value: 3
+ - directories:
+ value: TEST_DIR1
+ attributes:
+ - restrict: testfile$
+ - whodata: WHODATA
+ - realtime: REALTIME
+ - directories:
+ value: TEST_DIR2
+ attributes:
+ - restrict: regex_testfile$
+ - whodata: WHODATA
+ - realtime: REALTIME
+ - ignore:
+ value: /testdir1/testfile
+ - ignore:
+ value: regex_testfile$
+ attributes:
+ - type: sregex
+
+ - section: sca
+ elements:
+ - enabled:
+ value: 'no'
+
+ - section: rootcheck
+ elements:
+ - disabled:
+ value: 'yes'
+
+ - section: wodle
+ attributes:
+ - name: syscollector
+ elements:
+ - disabled:
+ value: 'yes'

tests/integration/test_fim/test_files/test_ambiguous_confs/data/configuration_templates/configuration_ignore_works_over_restrict_win32.yaml

@@ -0,0 +1,42 @@
+- sections:
+ - section: syscheck
+ elements:
+ - disabled:
+ value: 'no'
+ - frequency:
+ value: 3
+ - directories:
+ value: TEST_DIR1
+ attributes:
+ - restrict: testfile$
+ - whodata: WHODATA
+ - realtime: REALTIME
+ - directories:
+ value: TEST_DIR2
+ attributes:
+ - restrict: regex_testfile$
+ - whodata: WHODATA
+ - realtime: REALTIME
+ - ignore:
+ value: c:\\testdir1\\testfile
+ - ignore:
+ value: regex_testfile$
+ attributes:
+ - type: sregex
+
+ - section: sca
+ elements:
+ - enabled:
+ value: 'no'
+
+ - section: rootcheck
+ elements:
+ - disabled:
+ value: 'yes'
+
+ - section: wodle
+ attributes:
+ - name: syscollector
+ elements:
+ - disabled:
+ value: 'yes'

tests/integration/test_fim/test_files/test_ambiguous_confs/data/configuration_templates/configuration_whodata_prevails_over_realtime.yaml

@@ -0,0 +1,27 @@
+- sections:
+ - section: syscheck
+ elements:
+ - disabled:
+ value: 'no'
+ - directories:
+ value: TEST_DIR
+ attributes:
+ - whodata: WHODATA
+ - realtime: REALTIME
+
+ - section: sca
+ elements:
+ - enabled:
+ value: 'no'
+
+ - section: rootcheck
+ elements:
+ - disabled:
+ value: 'yes'
+
+ - section: wodle
+ attributes:
+ - name: syscollector
+ elements:
+ - disabled:
+ value: 'yes'

tests/integration/test_fim/test_files/test_ambiguous_confs/data/configuration_templates/configuration_whodata_thread.yaml

@@ -0,0 +1,30 @@
+- sections:
+ - section: syscheck
+ elements:
+ - disabled:
+ value: 'no'
+ - directories:
+ value: TEST_DIR1
+ attributes:
+ - whodata: WHODATA1
+ - directories:
+ value: TEST_DIR2
+ attributes:
+ - whodata: WHODATA2
+
+ - section: sca
+ elements:
+ - enabled:
+ value: 'no'
+
+ - section: rootcheck
+ elements:
+ - disabled:
+ value: 'yes'
+
+ - section: wodle
+ attributes:
+ - name: syscollector
+ elements:
+ - disabled:
+ value: 'yes'