Add Audit Buffer IT support #4227

Closed
wants to merge 27 commits into from

@Deblintrake09 Deblintrake09 commented Jun 5, 2023

Related issue
#3963

Description

This issue aims to add IT support for the new Audit whodata buffer. This is managed by the whodata->queue_size tag, which limits the number of audit events that are received by syscheck. When the queue is full, events are dropped and file modifications are detected through scheduled mode instead of whodata.

Added

  • test_audit_buffer_configuration.py module containing 7 cases related to queue_size configuration values
  • test_audit_buffer_behavior.py module containing 2 cases related to queue_size basic behavior
  • test_audit_buffer_over_time.py module containing 2 cases related to queue_size's behavior in relation to max_eps
  • Added new callbacks and functions

Changed

  • refactored test_file_limit's conf file to different files to avoid duplicated and skipped cases

Testing performed

| Tester | Test path | Jenkins | Local | OS | Commit | Notes |
|---|---|---|---|---|---|---|
| @Deblintrake09 (Developer) | | 🟢🟢🟢 | 🟢🟢🟢 | Manager | 7fae44c | Nothing to highlight |
| @Deblintrake09 (Developer) | | 🟢🟢🟢 | 🔵 | Linux Agent | 7fae44c | Nothing to highlight |
| @Deblintrake09 (Developer) | | 🟢🟢🟢 | 🟢🟢🟢 | Windows Agent | 7fae44c | Nothing to highlight |
| @Deblintrake09 (Developer) | | 🟢🟢🟢 | 🚫 | Solaris & macOS Agent | f13f4c5 | Nothing to highlight |

@Deblintrake09 Deblintrake09 linked an issue Jun 5, 2023 that may be closed by this pull request
@pytest.mark.parametrize('test_folders', [test_folders], ids='', scope='module')
@pytest.mark.parametrize('configuration, metadata', zip(t2_configurations, t2_configuration_metadata),
ids=t2_test_case_ids)
def test_audit_buffer_overflown(configuration, metadata, test_folders, set_wazuh_configuration,
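Review bot: ids='' on the test_folders parametrize decorator is an empty string rather than a list of ids, so it reads as a leftover and hides what the parameter is meant to be called in the test report. Either drop the argument or pass an explicit list with one id per entry in [test_folders], the way the second decorator does with ids=t2_test_case_ids.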
Member

The name was changed.

Deblintrake09 commented Jun 9, 2023

Execution after requested changes

| System | Results | Notes |
|---|---|---|
| Manager Centos | 🟢 | |
| Agent Centos | 🟢 | |
| Agent Windows | 🟢 | |

damarisg previously approved these changes Jun 13, 2023

@juliamagan juliamagan left a comment

Could some tests be unified for simplification? For example, default and values could go in the same, and one of the values to test could be the default.

juliamagan previously approved these changes Jun 15, 2023
@Deblintrake09 Deblintrake09 changed the base branch from 4.6.0 to 4.7.0 August 3, 2023 18:35
@Deblintrake09 Deblintrake09 dismissed juliamagan’s stale review August 3, 2023 18:35

The base branch was changed.

@Deblintrake09

PR has unverified commits caused by a changed GitHub key. They cannot be fixed due to merge commits, so it is dropped. New PR #4399 has been created.
