From c84adc8cdffa0df4fbbd3b2d4a01e64c8749f66c Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Mon, 5 Jun 2023 18:16:23 -0300 Subject: [PATCH 01/25] docs(#3963): update CHANGELOG.md --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9d5393357c..80710bfa90 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,8 @@ All notable changes to this project will be documented in this file. ### Added + +- Add tests for new FIM audit buffer option. ([#3990](https://github.com/wazuh/wazuh-qa/pull/3990)) \- (Framework + tests) - Add integration tests for AWS module. ([#3911](https://github.com/wazuh/wazuh-qa/pull/3911)) \- (Framework + Tests + Documentation) - Add tests for msu patches with no associated CVE . ([#4009](https://github.com/wazuh/wazuh-qa/pull/4009)) \- (Framework + Tests) - Add tests with new options to avoid FIM synchronization overlapping. ([#3318](https://github.com/wazuh/wazuh-qa/pull/3318)) \- (Framework + tests) From 455c86608dc9e4c1bee7af1e52f0b9b7f3bf60d0 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Mon, 5 Jun 2023 18:16:42 -0300 Subject: [PATCH 02/25] feat(#3963): add new callbacks --- deps/wazuh_testing/wazuh_testing/__init__.py | 1 + .../wazuh_testing/modules/fim/__init__.py | 2 +- .../modules/fim/event_monitor.py | 143 +++++++++++++----- 3 files changed, 110 insertions(+), 36 deletions(-) diff --git a/deps/wazuh_testing/wazuh_testing/__init__.py b/deps/wazuh_testing/wazuh_testing/__init__.py index bf72e1e136..737e564e04 100644 --- a/deps/wazuh_testing/wazuh_testing/__init__.py +++ b/deps/wazuh_testing/wazuh_testing/__init__.py @@ -75,6 +75,7 @@ T_10 = 10 T_20 = 20 T_30 = 30 +T_40 = 40 T_60 = 60 diff --git a/deps/wazuh_testing/wazuh_testing/modules/fim/__init__.py b/deps/wazuh_testing/wazuh_testing/modules/fim/__init__.py index 842cde0c5a..7236414690 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/fim/__init__.py +++ b/deps/wazuh_testing/wazuh_testing/modules/fim/__init__.py 
@@ -175,7 +175,7 @@ # Syscheck values DIFF_LIMIT_VALUE = 2 DIFF_DEFAULT_LIMIT_VALUE = 51200 - +AUDIT_QUEUE_SIZE_DEFAULT_VALUE = 16384 # FIM modes SCHEDULED_MODE = 'scheduled' diff --git a/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py b/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py index a972ee78da..61c0108914 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py +++ b/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py @@ -1,4 +1,4 @@ -# Copyright (C) 2015-2022, Wazuh Inc. +# Copyright (C) 2015-2023, Wazuh Inc. # Created by Wazuh, Inc. . # This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 @@ -7,8 +7,9 @@ from sys import platform from datetime import datetime -from wazuh_testing import LOG_FILE_PATH, logger, T_60 +from wazuh_testing import LOG_FILE_PATH, logger, T_30, T_60, T_10 from wazuh_testing.tools.monitoring import FileMonitor, generate_monitoring_callback +from wazuh_testing.modules.fim import MAX_EVENTS_VALUE # Variables 
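Review bot: The new import `from wazuh_testing.modules.fim import MAX_EVENTS_VALUE` makes `event_monitor.py` import its own parent package at module load; if `wazuh_testing/modules/fim/__init__.py` itself imports `event_monitor` (not visible in this hunk), that is a circular import that fails depending on which module is loaded first, so it is worth confirming against the package `__init__`. `MAX_EVENTS_VALUE` is also not among the constants this series adds to `fim/__init__.py` (only `AUDIT_QUEUE_SIZE_DEFAULT_VALUE` is added in the hunk above), so it must already exist there; a short comment at the import site, e.g. `# upper bound on events collected per get_messages() call`, would make the dependency explicit.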
@@ -43,18 +44,20 @@ CB_SYNC_INTERVAL_RESET = r".*Previous sync was successful. Sync interval is reset to: '(\d+)s'" CB_IGNORING_DUE_TO_SREGEX = r".*?Ignoring path '(.*)' due to sregex '(.*)'.*" CB_IGNORING_DUE_TO_PATTERN = r".*?Ignoring path '(.*)' due to pattern '(.*)'.*" -CB_MAXIMUM_FILE_SIZE = r'.*Maximum file size limit to generate diff information configured to \'(\d+) KB\'.*' -CB_AGENT_CONNECT = r'.* Connected to the server .*' CB_REALTIME_WHODATA_ENGINE_STARTED = r'.*File integrity monitoring (real-time Whodata) engine started.*' CB_DISK_QUOTA_LIMIT_CONFIGURED_VALUE = r'.*Maximum disk quota size limit configured to \'(\d+) KB\'.*' CB_FILE_EXCEEDS_DISK_QUOTA = r'.*The (.*) of the file size \'(.*)\' exceeds the disk_quota.*' CB_FILE_SIZE_LIMIT_REACHED = r'.*File \'(.*)\' is too big for configured maximum size to perform diff operation\.' CB_DIFF_FOLDER_DELETED = r'.*Folder \'(.*)\' has been deleted.*' +CB_FIM_WILDCARD_EXPANDING = r".*Expanding entry '.*' to '(.*)' to monitor FIM events." CB_FIM_PATH_CONVERTED = r".*fim_adjust_path.*Convert '(.*) to '(.*)' to process the FIM events." CB_STARTING_WINDOWS_AUDIT = r'.*state_checker.*(Starting check of Windows Audit Policies and SACLs)' CB_SWITCHING_DIRECTORIES_TO_REALTIME = r'.*state_checker.*(Audit policy change detected.\ Switching directories to realtime)' CB_RECIEVED_EVENT_4719 = r'.*win_whodata.*(Event 4719).*Switching directories to realtime' +CB_WHODATA_QUEUE_SIZE = r".*Internal audit queue size set to \'(.*)\'." +CB_WHODATA_QUEUE_FULL = r".*(Internal audit queue is full). Some events may be lost.*" +CB_AUDIT_HEALTHCHECK_FAILED = r".*(Audit health check couldn't be completed correctly)." CB_FIM_REGISTRY_ENTRIES_COUNT = r".*Fim registry entries count: '(.*)'" CB_FIM_REGISTRY_VALUES_ENTRIES_COUNT = r".*Fim registry values entries count: '(.*)'" 
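Review bot: `CB_MAXIMUM_FILE_SIZE` and `CB_AGENT_CONNECT` are deleted from a shared helper module in the same hunk that adds the audit-queue patterns; nothing in this series shows whether another test module still imports either name, and if one does its collection fails with `ImportError`, so a repository-wide grep is warranted before merge. Style: inside a raw double-quoted string the `\'` escapes in `CB_WHODATA_QUEUE_SIZE` are redundant, and `(.*)` could be `(\d+)` to document that the captured value is numeric — `CB_WHODATA_QUEUE_SIZE = r".*Internal audit queue size set to '(\d+)'\."`. The trailing `.` in `CB_AUDIT_HEALTHCHECK_FAILED` and the one after the group in `CB_WHODATA_QUEUE_FULL` are unescaped wildcards; harmless here, but `\.` states the intent.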
@@ -109,7 +112,17 @@ ERR_MSG_FILE_LIMIT_REACHED = 'Did not receive "File ... is too big ... to perform diff operation" event.' ERR_MSG_FOLDER_DELETED = 'Did not receive expected "Folder ... has been deleted." event.' ERR_MSG_SACL_CONFIGURED_EVENT = 'Did not receive the expected "The SACL of will be configured" event' -ERR_MSG_WHODATA_REALTIME_MODE_CHANGE_EVENT = 'Expected "directory starts to monitored in real-time" event not received' + + +def create_error_message(message, source=LOG_FILE_PATH): + """ + Creates an error message from an event. + Args: + message(str): Message that will be shown in error message + Returns: + string: A string containing the error message to be shown + """ + return fr'Did not receive the expected "{message}" event in "{source}" file.' # Callback functions @@ -227,6 +240,18 @@ def callback_detect_file_integrity_event(line): return None +def callback_key_event(line): + """ Callback that detects if a line contains a registry integrity event for a registry_key + Args: + line (String): string line to be checked by callback in File_Monitor. + """ + event = callback_detect_event(line) + if event is None or event['data']['attributes']['type'] != 'registry_key': + return None + + return event + + def callback_value_event(line): event = callback_detect_event(line) @@ -388,19 +413,6 @@ def callback_detect_file_deleted_event(line): return None -def callback_detect_file_more_changes(line): - """ Callback that detects if a line in a log contains 'More changes' in content_changes. - Args: - line (String): string line to be checked by callback in FileMonitor. - Returns: - returns JSON string from log. - """ - json_event = callback_detect_event(line) - if json_event is not None and 'content_changes' in json_event['data']: - if 'More changes' in json_event['data']['content_changes']: - return json_event - - def callback_audit_cannot_start(line): """ Callback that detects if a line shows whodata engine could not start and monitoring switched to realtime. 
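Review bot: `ERR_MSG_WHODATA_REALTIME_MODE_CHANGE_EVENT` is deleted here, but `detect_windows_whodata_mode_change` still passes it as `error_message=` (it is visible as the first context line of the `@@ -516,23 +568,44 @@` hunk further down), so the first call to that helper raises `NameError` instead of reporting the missing event. Either keep the constant or rewrite that call to use the new helper, `error_message=create_error_message(<pattern it monitors>)`. `create_error_message` also documents `message` but not `source`; add `source (str): Path of the log file named in the message. Defaults to LOG_FILE_PATH.`, and the `fr` prefix on its return string is unnecessary since the literal contains no backslashes.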
@@ -489,6 +501,46 @@ def detect_whodata_start(file_monitor, timeout=T_60): error_message=ERR_MSG_WHODATA_ENGINE_EVENT) +def get_messages(callback, timeout=T_30): + """Look for as many synchronization events as possible. + This function will look for the synchronization messages until a Timeout is raised or 'max_events' is reached. + Args: + timeout (int): Timeout that will be used to get the dbsync_no_data message. + Returns: + A list with all the events in json format. + """ + wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) + events = [] + for _ in range(0, MAX_EVENTS_VALUE): + event = None + try: + event = wazuh_log_monitor.start(timeout=timeout, accum_results=1, + callback=callback, + error_message=f"Did not receive expected {callback} event").result() + except TimeoutError: + break + if event is not None: + events.append(event) + return events + + +def check_registry_crud_event(callback, path, timeout=T_30, type='added', arch='x32', value_name=None): + """Detect realtime engine start when restarting Wazuh. + Args: + file_monitor (FileMonitor): file log monitor to detect events + """ + events = get_messages(callback=callback, timeout=timeout) + for event in events: + if event['data']['type'] == type and arch in event['data']['arch'] and event['data']['path'] == path: + if value_name is not None: + if 'value_name' in event and event['data']['value_name'] == value_name: + return event + else: + return event + + return None + + def detect_windows_sacl_configured(file_monitor, file='.*'): """Detects when windows permision checks have been configured for a given file. 
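Review bot: In `check_registry_crud_event` the `value_name` filter tests `'value_name' in event` but then reads `event['data']['value_name']`; for an event that carries the key under `data` (where every other field this function reads lives) the guard is False and the matching event is silently skipped, so it should be `if 'value_name' in event['data'] and event['data']['value_name'] == value_name:`. In `get_messages`, the error text embeds the callback's repr (`f"Did not receive expected {callback} event"`), which prints as `<function ... at 0x...>`; `callback.__name__` reads better, and callers later in this series pass an `error_message=` keyword that this signature does not accept. The helper also opens a fresh `FileMonitor(LOG_FILE_PATH)` on each call; whether that monitor starts at the current end of the log (and therefore misses events already written before the call) depends on `FileMonitor`, which is not visible here and is worth confirming. Both docstrings are copied from other helpers ("synchronization events", "Detect realtime engine start when restarting Wazuh") and neither lists the parameters actually taken; `type` also shadows the builtin.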
@@ -516,23 +568,44 @@ def detect_windows_whodata_mode_change(file_monitor, file='.*'): error_message=ERR_MSG_WHODATA_REALTIME_MODE_CHANGE_EVENT) -def get_fim_event(file_monitor=None, callback='', error_message=None, update_position=True, - timeout=T_60, accum_results=1, file_to_monitor=LOG_FILE_PATH): - """ Check if FIM event occurs and return it according to the callback. +def detect_audit_queue_full(file_monitor, update_position=True): + """Detects the configured value for the whodata queue Args: - file_monitor (FileMonitor): FileMonitor object to monitor the file content. - callback (str): log regex to check in Wazuh log - error_message (str): error message to show in case of expected event does not occur - update_position (boolean): filter configuration parameter to search in Wazuh log - timeout (str): timeout to check the event in Wazuh log - accum_results (int): Accumulation of matches. - Returns: - returns the value given by the callback used. Default None. + file_monitor (FileMonitor): file log monitor to detect events + update_position (bool, optional): True if we pop items from the queue once they are read. False otherwise. 
+ Default `True` + """ + + return file_monitor.start(timeout=T_10, callback=generate_monitoring_callback(CB_WHODATA_QUEUE_FULL), + error_message=create_error_message(CB_WHODATA_QUEUE_FULL), + update_position=update_position).result() + + +def detect_invalid_conf_value(file_monitor, element): + """Detects the configured value for the whodata queue + Args: + file_monitor (FileMonitor): file log monitor to detect events + element (str): Elementa name that is being detected + """ + pattern = fr".*Invalid value for element (\'{element}\': .*)" + return file_monitor.start(timeout=T_10, callback=generate_monitoring_callback(pattern), + error_message=create_error_message(pattern)).result() + + +def detect_audit_healthcheck_failed(file_monitor): + """Detects if the initial audit healtcheck has failed + Args: + file_monitor (FileMonitor): file log monitor to detect events + """ + return file_monitor.start(timeout=T_10, callback=generate_monitoring_callback(CB_AUDIT_HEALTHCHECK_FAILED), + error_message=create_error_message(CB_AUDIT_HEALTHCHECK_FAILED)).result() + + +def get_configured_whodata_queue_size(file_monitor): + """Detects the configured value for the whodata queue + Args: + file_monitor (FileMonitor): file log monitor to detect events """ - file_monitor = FileMonitor(file_to_monitor) if file_monitor is None else file_monitor - error_message = f"Could not find this event in {file_to_monitor}: {callback}" if error_message is None else \ - error_message - result = file_monitor.start(timeout=timeout, update_position=update_position, accum_results=accum_results, - callback=callback, error_message=error_message).result() - return result + return file_monitor.start(timeout=T_10, callback=generate_monitoring_callback(CB_WHODATA_QUEUE_SIZE), + error_message=create_error_message(CB_WHODATA_QUEUE_SIZE)).result() From a67c99026abf076c7ce385d6a777a05d2a3e229e Mon Sep 17 00:00:00 2001 
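Review bot: `detect_invalid_conf_value` splices `element` straight into a regex (`fr".*Invalid value for element (\'{element}\': .*)"`), so any metacharacter in the element name silently changes the pattern; `re.escape(element)` preserves the intent (and needs `import re` if the module does not already have it, which this hunk cannot show). `detect_audit_queue_full`, `detect_invalid_conf_value` and `get_configured_whodata_queue_size` all carry the same docstring sentence "Detects the configured value for the whodata queue", which is wrong for the first two — e.g. `"""Wait up to T_10 for the 'Internal audit queue is full' log line and return the match."""` and `"""Wait up to T_10 for the 'Invalid value for element' log line for `element` and return the captured text."""`. Passing the raw pattern to `create_error_message(CB_WHODATA_QUEUE_FULL)` also puts regex syntax into the assertion message a test author reads on failure; a plain description of the expected log line would serve better. `get_fim_event` is deleted in this same hunk; if any module outside this series still imports it (not visible here), that import breaks.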
From: Deblintrake09 Date: Mon, 5 Jun 2023 18:16:58 -0300 Subject: [PATCH 03/25] feat(#3963): add test modules and cases --- .../configuration_audit_buffer_behavior.yaml | 33 ++ .../configuration_audit_buffer_default.yaml | 28 ++ .../configuration_audit_buffer_over_time.yaml | 37 ++ .../configuration_audit_buffer_values.yaml | 33 ++ .../cases_audit_buffer_default.yaml | 6 + .../cases_audit_buffer_no_overflow.yaml | 7 + ...es_audit_buffer_over_time_no_overflow.yaml | 12 + ...ases_audit_buffer_over_time_overflown.yaml | 13 + .../cases_audit_buffer_overflown.yaml | 8 + .../test_cases/cases_audit_buffer_values.yaml | 56 +++ .../test_audit_buffer_behavior.py | 310 +++++++++++++++++ .../test_audit_buffer_configuration.py | 270 +++++++++++++++ .../test_audit_buffer_over_time.py | 323 ++++++++++++++++++ 13 files changed, 1136 insertions(+) create mode 100644 tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_behavior.yaml create mode 100644 tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_default.yaml create mode 100644 tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_over_time.yaml create mode 100644 tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_values.yaml create mode 100644 tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_default.yaml create mode 100644 tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_no_overflow.yaml create mode 100644 tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_over_time_no_overflow.yaml create mode 100644 tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_over_time_overflown.yaml create mode 100644 
tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_overflown.yaml create mode 100644 tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_values.yaml create mode 100644 tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py create mode 100644 tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_configuration.py create mode 100644 tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_over_time.py diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_behavior.yaml b/tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_behavior.yaml new file mode 100644 index 0000000000..2c5b32146c --- /dev/null +++ b/tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_behavior.yaml @@ -0,0 +1,33 @@ + +- sections: + - section: syscheck + elements: + - disabled: + value: 'no' + - frequency: + value: 2 + - directories: + value: TEST_DIRECTORIES + attributes: + - whodata: 'yes' + - whodata: + elements: + - queue_size: + value: 10 + + - section: sca + elements: + - enabled: + value: 'no' + + - section: rootcheck + elements: + - disabled: + value: 'yes' + + - section: wodle + attributes: + - name: syscollector + elements: + - disabled: + value: 'yes' diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_default.yaml b/tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_default.yaml new file mode 100644 index 0000000000..cc64da732c --- /dev/null +++ b/tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_default.yaml 
@@ -0,0 +1,28 @@ +- sections: + - section: syscheck + elements: + - disabled: + value: 'no' + - frequency: + value: 5 + - directories: + value: TEST_DIRECTORIES + attributes: + - whodata: 'yes' + + - section: sca + elements: + - enabled: + value: 'no' + + - section: rootcheck + elements: + - disabled: + value: 'yes' + + - section: wodle + attributes: + - name: syscollector + elements: + - disabled: + value: 'yes' diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_over_time.yaml b/tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_over_time.yaml new file mode 100644 index 0000000000..29b44ee8ed --- /dev/null +++ b/tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_over_time.yaml @@ -0,0 +1,37 @@ + +- sections: + - section: syscheck + elements: + - disabled: + value: 'no' + - frequency: + value: FREQUENCY + - directories: + value: TEST_DIRECTORIES + attributes: + - whodata: 'yes' + - max_eps: + value: MAX_EPS + - whodata: + elements: + - queue_size: + value: QUEUE_SIZE + - startup_healthcheck: + value: 'no' + + - section: sca + elements: + - enabled: + value: 'no' + + - section: rootcheck + elements: + - disabled: + value: 'yes' + + - section: wodle + attributes: + - name: syscollector + elements: + - disabled: + value: 'yes' diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_values.yaml b/tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_values.yaml new file mode 100644 index 0000000000..676190070f --- /dev/null +++ b/tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_values.yaml 
@@ -0,0 +1,33 @@ + +- sections: + - section: syscheck + elements: + - disabled: + value: 'no' + - frequency: + value: 5 + - directories: + value: TEST_DIRECTORIES + attributes: + - whodata: 'yes' + - whodata: + elements: + - queue_size: + value: QUEUE_SIZE + + - section: sca + elements: + - enabled: + value: 'no' + + - section: rootcheck + elements: + - disabled: + value: 'yes' + + - section: wodle + attributes: + - name: syscollector + elements: + - disabled: + value: 'yes' diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_default.yaml b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_default.yaml new file mode 100644 index 0000000000..ef835d0984 --- /dev/null +++ b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_default.yaml @@ -0,0 +1,6 @@ +- name: Verify_queue_size_default_value + description: Verify when not setting queue_size it's default value is set and whodata starts correctly. + configuration_parameters: + TEST_DIRECTORIES: /testdir1 + metadata: + audit_starts: 16384 diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_no_overflow.yaml b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_no_overflow.yaml new file mode 100644 index 0000000000..cf885ae296 --- /dev/null +++ b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_no_overflow.yaml @@ -0,0 +1,7 @@ +- name: Audit_Buffer_does_not_overflow + description: Verify if files are equal to queue_size, it does not everflow and files are detected in whodata mode + configuration_parameters: + TEST_DIRECTORIES: / + metadata: + files_to_add: 10 + fim_mode: whodata 
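Review bot: `TEST_DIRECTORIES: /` is never what gets monitored — `test_audit_buffer_behavior.py` overwrites the parameter with `test_folders[0]` for every case — so the value misleads a reader of the case file, and if that override were ever dropped the whodata audit watch would land on the entire root filesystem, flooding the 10-entry queue and the host's audit log. Set it to the directory actually used (`TEST_DIRECTORIES: /testdir1`, as `cases_audit_buffer_default.yaml` does) or remove the key; the same `/` value appears in the over-time and overflown case files below. The description also has a typo: `everflow` → `overflow`.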
diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_over_time_no_overflow.yaml b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_over_time_no_overflow.yaml new file mode 100644 index 0000000000..cd0c8ce9c3 --- /dev/null +++ b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_over_time_no_overflow.yaml @@ -0,0 +1,12 @@ +- name: Audit_Buffer_full-all_files_detected_in_whodata + description: Verify if files are added below the queue's size, after space is freed, all files appear in whodata mode + configuration_parameters: + TEST_DIRECTORIES: / + QUEUE_SIZE: 50 + MAX_EPS: 6 + FREQUENCY: 20 + metadata: + files_first_insert: 50 # Fills queue 100% - log is only generated when it overflows. + wait_time: 5 # Time to wait between inserts to allow for files to be processed + files_second_insert: 20 # Insert files to check that files are still being detected in whodata + fim_mode: whodata diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_over_time_overflown.yaml b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_over_time_overflown.yaml new file mode 100644 index 0000000000..c895b78daa --- /dev/null +++ b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_over_time_overflown.yaml @@ -0,0 +1,13 @@ +- name: Audit_Buffer_overflows-New_files_in_whodata + description: Verify if files are added over the queue's size, and time passes, new files are detected in whodata mode + configuration_parameters: + TEST_DIRECTORIES: / + QUEUE_SIZE: 20 + MAX_EPS: 4 + FREQUENCY: 10 + metadata: + files_first_insert: 24 + queue_size: 20 + wait_time: 5 + files_second_insert: 10 + fim_mode: whodata 
diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_overflown.yaml b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_overflown.yaml new file mode 100644 index 0000000000..51d11126f3 --- /dev/null +++ b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_overflown.yaml @@ -0,0 +1,8 @@ +- name: Audit_buffer_overflowns + description: Verify if files are added over the queue's size, it overflows and files are detected in scheduled mode. + configuration_parameters: + TEST_DIRECTORIES: / + metadata: + files_to_add: 15 + whodata_events: 10 + fim_mode: whodata diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_values.yaml b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_values.yaml new file mode 100644 index 0000000000..2fa84aadb9 --- /dev/null +++ b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_values.yaml 
@@ -0,0 +1,56 @@ +- name: Queue_Size_100-value_inside_range_starts_properly + description: Verify if value set is inside valid range it is configured and whodata starts correctly. + configuration_parameters: + QUEUE_SIZE: 100 + metadata: + queue_size: 100 + audit_starts: true + valid_range: true + +- name: Queue_Size_10-Lower_limit_starts_properly + description: Verify if value set is the lower allowed limit, whodata starts correctly + configuration_parameters: + QUEUE_SIZE: 10 + metadata: + queue_size: 10 + valid_range: true + audit_starts: true + +- name: Queue_Size_1048576-Upper_limit_starts_properly + description: Verify if value set to the upper limit whodata starts correctly. + configuration_parameters: + QUEUE_SIZE: 1048576 + metadata: + queue_size: 1048576 + audit_starts: true + valid_range: true + +- name: Queue_Size_Invalid_value_below_minimum + description: Verify if value set is below allowed minimum, whodata fails to start. + configuration_parameters: + QUEUE_SIZE: 9 + metadata: + queue_size: 9 + valid_range: false + audit_starts: false + fail_reason: invalid_value + +- name: Queue_Size_Invalid_value_above_maximum + description: Verify if value set is above allowed minimum, whodata fails to start. + configuration_parameters: + QUEUE_SIZE: 1048577 + metadata: + queue_size: 1048577 + valid_range: false + audit_starts: false + fail_reason: invalid_value + +- name: Queue_Size_Invalid_value_Invalid_characters + description: Verify if value set using characters instead of only numbers, whodata fails to start. + configuration_parameters: + QUEUE_SIZE: 100c + metadata: + queue_size: 100c + valid_range: false + audit_starts: false + fail_reason: invalid_value diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py new file mode 100644 index 0000000000..64a7bf2a3e --- /dev/null 
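Review bot: The description of `Queue_Size_Invalid_value_above_maximum` says "above allowed minimum"; it should read `description: Verify if value set is above allowed maximum, whodata fails to start.`. The cases pin 10 and 1048576 as the inclusive bounds of `queue_size` but nothing in the file says where those limits come from; a one-line comment at the top naming the source of the range would stop a future reader from "fixing" the boundary cases when the limits move.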
+++ b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py 
@@ -0,0 +1,310 @@ +''' +copyright: Copyright (C) 2015-2023, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are + added, modified or deleted. It can monitor using Audit information (whodata mode). Whodata mode has an option + 'queue_size' that will save whodata events up until it is full so it can decode them and generate alerts. Events + in excess of the queue will be dropped and handled in the next scheduled scan. This is done to avoid blocking + the audit socket. This tests aim to test the behavior of the queue, by inserting files above or below the set + value for queue_size, and verify if events were detected in whodata or scheduled mode appropiately. + +components: + - fim + +suite: audit_buffer + +targets: + - agent + +daemons: + - wazuh-syscheckd + +os_platform: + - linux + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - Debian Buster + - Red Hat 8 + - Ubuntu Focal + - Ubuntu Bionic + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + +pytest_args: + - fim_mode: + scheduled: File monitoring is done after every configured interval elapses. + realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the 'who-data' information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. + 1: Only level 1 tests are performed, they check functionalities of medium complexity. + 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. 
+ +tags: + - windows_folder_redirection +''' +import os + + +import pytest +from wazuh_testing import LOG_FILE_PATH, REGULAR, T_10, T_20 +from wazuh_testing.tools import PREFIX +from wazuh_testing.tools.configuration import get_test_cases_data, load_configuration_template +from wazuh_testing.tools.monitoring import FileMonitor +from wazuh_testing.tools.file import create_file +from wazuh_testing.modules.fim import TEST_DIR_1 +from wazuh_testing.modules.fim import FIM_DEFAULT_LOCAL_INTERNAL_OPTIONS as local_internal_options +from wazuh_testing.modules.fim.event_monitor import (callback_detect_file_added_event, detect_audit_queue_full, + detect_initial_scan_start, get_messages) + + +# Marks +pytestmark = [pytest.mark.linux, pytest.mark.tier(level=1)] + +# Variables +test_folders = [os.path.join(PREFIX, TEST_DIR_1)] + +# Reference paths +TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') +CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration_template') +TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases') + + +# Configuration and cases data +configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_audit_buffer_behavior.yaml') +t1_test_cases_path = os.path.join(TEST_CASES_PATH, 'cases_audit_buffer_no_overflow.yaml') +t2_test_cases_path = os.path.join(TEST_CASES_PATH, 'cases_audit_buffer_overflown.yaml') + +# Test configurations +t1_configuration_parameters, t1_configuration_metadata, t1_test_case_ids = get_test_cases_data(t1_test_cases_path) +for count, value in enumerate(t1_configuration_parameters): + t1_configuration_parameters[count]['TEST_DIRECTORIES'] = test_folders[0] +t1_configurations = load_configuration_template(configurations_path, t1_configuration_parameters, + t1_configuration_metadata) + +# Test configurations +t2_configuration_parameters, t2_configuration_metadata, t2_test_case_ids = get_test_cases_data(t2_test_cases_path) +for count, value in enumerate(t2_configuration_parameters): + 
t2_configuration_parameters[count]['TEST_DIRECTORIES'] = test_folders[0] +t2_configurations = load_configuration_template(configurations_path, t2_configuration_parameters, + t2_configuration_metadata) + + +# Tests +@pytest.mark.parametrize('test_folders', [test_folders], ids='') +@pytest.mark.parametrize('configuration, metadata', zip(t1_configurations, t1_configuration_metadata), + ids=t1_test_case_ids) +def test_audit_buffer_no_overflow(configuration, metadata, test_folders, set_wazuh_configuration, + create_monitored_folders, configure_local_internal_options_function, + restart_syscheck_function, wait_syscheck_start): + ''' + description: Check that when files are added equal to the whodata "queue_size", the queue does not overflow, all + files are detected in whodata mode, and after the next scan no file is detected in scheduled mode. + + + test_phases: + - setup: + - Set wazuh configuration and local_internal_options. + - Create custom folder for monitoring + - Clean logs files and restart wazuh to apply the configuration. + - test: + - Insert a given amount of files + - Check that no "queue full" message is detected (Queue has not overflown) + - Validate real-time whodata thread is started correctly + - On invalid values, validate error and that whodata does not start. + - teardown: + - Delete custom monitored folder + - Restore configuration + - Stop wazuh + + wazuh_min_version: 4.5.0 + + tier: 1 + + parameters: + - configuration: + type: dict + brief: Configuration values for ossec.conf. + - metadata: + type: dict + brief: Test case data. + - test_folders: + type: dict + brief: List of folders to be created for monitoring. + - set_wazuh_configuration: + type: fixture + brief: Set ossec.conf configuration. + - create_monitored_folders: + type: fixture + brief: Create a given list of folders when the test starts. Delete the folders at the end of the test. 
+ - configure_local_internal_options_function: + type: fixture + brief: Set local_internal_options.conf file. + - restart_syscheck_function: + type: fixture + brief: restart syscheckd daemon, and truncate the ossec.log. + - wait_syscheck_start: + type: fixture + brief: check that the starting FIM scan is detected. + + assertions: + - Verify the queue does not overflow after inserting files + - Verify all files are detected in whodata mode + + input_description: The file 'configuration_audit_buffer_values' provides the configuration template. + The file 'cases_audit_buffer_values.yaml' provides the test cases details for each test case. + + expected_output: + - r".*(Internal audit queue is full). Some events may be lost. Next scheduled scan will recover lost data." + - r".*Sending FIM event: (.+)$" + ''' + wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) + files_to_add = metadata['files_to_add'] + whodata_events = files_to_add + + # Insert an ammount of files + for file in range(0, files_to_add): + create_file(REGULAR, test_folders[0], f'test_file_{file}', content='') + + # Check that queue has not been overflown + with pytest.raises(TimeoutError): + detect_audit_queue_full(wazuh_log_monitor, update_position=False) + + # Get all file events + results = wazuh_log_monitor.start(timeout=T_10, callback=callback_detect_file_added_event, + accum_results=whodata_events, + error_message=f"Did not receive the expected {whodata_events} amount of \ + whodata file added events").result() + # Check all files are detected in whodata mode + for result in results: + assert result['data']['mode'] == 'whodata', f"Expected whodata event, found {result['data']['mode']} event" + + # Detect next scheduled scan + detect_initial_scan_start(wazuh_log_monitor, timeout=T_10) + + # Check no events are found after scan. 
+ with pytest.raises(TimeoutError): + wazuh_log_monitor.start(timeout=T_20, callback=callback_detect_file_added_event, + accum_results=1, error_message="Found unexpected file added event \ + in during scheduled scan") + + +@pytest.mark.parametrize('test_folders', [test_folders], ids='', scope='module') +@pytest.mark.parametrize('configuration, metadata', zip(t2_configurations, t2_configuration_metadata), + ids=t2_test_case_ids) +def test_audit_buffer_overflown(configuration, metadata, test_folders, set_wazuh_configuration, + create_monitored_folders_module, configure_local_internal_options_function, + restart_syscheck_function, wait_syscheck_start): + ''' + description: Check that when files are exceeding the whodata "queue_size" value the queue overflows, and the + excess files files are detected in scheduled mode, and after the next scheduled scan. + + test_phases: + - setup: + - Set wazuh configuration and local_internal_options. + - Create custom folder for monitoring + - Clean logs files and restart wazuh to apply the configuration. + - test: + - Insert a given number of files + - Check that the "queue_full" event appears + - Check the amount of files that were detected prior to the queue being full + - Check the excess files are detected in scheduled mode after the following scan + - teardown: + - Delete custom monitored folder + - Restore configuration + - Stop wazuh + + wazuh_min_version: 4.5.0 + + tier: 2 + + parameters: + - configuration: + type: dict + brief: Configuration values for ossec.conf. + - metadata: + type: dict + brief: Test case data. + - test_folders: + type: dict + brief: List of folders to be created for monitoring. + - set_wazuh_configuration: + type: fixture + brief: Set ossec.conf configuration. + - create_monitored_folders: + type: fixture + brief: Create a given list of folders when the test starts. Delete the folders at the end of the test. 
+ - configure_local_internal_options_function: + type: fixture + brief: Set local_internal_options.conf file. + - restart_syscheck_function: + type: fixture + brief: restart syscheckd daemon, and truncate the ossec.log. + - wait_syscheck_start: + type: fixture + brief: check that the starting FIM scan is detected. + + assertions: + - Verify when queue is full an event informs audit events may be lost + - Verify that files detected in whodata mode before it being full are equal or more than the configured value + - Verify the excess files inserted after queue full are detected in scheduled mode. + + input_description: The file 'configuration_audit_buffer_values' provides the configuration template. + The file 'cases_audit_buffer_values.yaml' provides the tes cases configuration + details for each test case. + + expected_output: + - r".*(Internal audit queue is full). Some events may be lost. Next scheduled scan will recover lost data." + - r".*Sending FIM event: (.+)$" + ''' + wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) + files_to_add = metadata['files_to_add'] + + # Insert an ammount of files + for file in range(0, files_to_add): + create_file(REGULAR, test_folders[0], f'test_file_{file}', content='') + + # Detect If queue_full message has been generated + detect_audit_queue_full(wazuh_log_monitor, update_position=False) + + # Get all file added events + results = get_messages(callback_detect_file_added_event, timeout=T_10, + error_message=f"Did not receive the expected file added events") + + # Check the ammount of added events in whodata mode is equal or more than the expected value + found_whodata_events = 0 + for result in results: + if result['data']['mode'] == 'whodata': + found_whodata_events = found_whodata_events + 1 + assert found_whodata_events >= metadata['whodata_events'], f"Found less whodata File added events \ + than the expected {metadata['whodata_events']}" + + # Wait for scheduled scan so the rest of file events are generated + 
detect_initial_scan_start(wazuh_log_monitor, timeout=T_10) + + # Get all file added events + results = get_messages(callback_detect_file_added_event, timeout=T_10, + error_message=f"Did not receive the expected file added events") + + # Check the amount of added events in scheduled mode is equal to the amount of files created + # minus the generated whodata events + scheduled_events = files_to_add - found_whodata_events + found_scheduled_events = 0 + for result in results: + if result['data']['mode'] == 'scheduled': + found_scheduled_events += 1 + + assert found_scheduled_events == scheduled_events, f"Wrong amount of scheduled events found. Found \ + {found_scheduled_events}, Expected {scheduled_events}" diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_configuration.py b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_configuration.py new file mode 100644 index 0000000000..a5b13be611 --- /dev/null +++ b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_configuration.py 
@@ -0,0 +1,270 @@ +''' +copyright: Copyright (C) 2015-2023, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are + added, modified or deleted. It can monitor using Audit information (whodata mode). Whodata mode has an option + 'queue_size' that will save whodata events up until it is full so it can decode them and generate alerts. Events + in excess of the queue will be dropped and handled in the next scheduled scan. This is done to avoid blocking + the audit socket. + +components: + - fim + +suite: audit_buffer + +targets: + - manager + - agent + +daemons: + - wazuh-syscheckd + +os_platform: + - linux + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - Debian Buster + - Red Hat 8 + - Ubuntu Focal + - Ubuntu Bionic + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + +pytest_args: + - fim_mode: + whodata: Implies real-time monitoring but adding the 'who-data' information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. + 1: Only level 1 tests are performed, they check functionalities of medium complexity. + 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. 
+ +tags: + - windows_folder_redirection +''' +import os + + +import pytest +from wazuh_testing import LOG_FILE_PATH, T_5 +from wazuh_testing.tools import PREFIX +from wazuh_testing.tools.configuration import get_test_cases_data, load_configuration_template +from wazuh_testing.tools.monitoring import FileMonitor +from wazuh_testing.modules.fim import TEST_DIR_1, AUDIT_QUEUE_SIZE_DEFAULT_VALUE +from wazuh_testing.modules.fim import FIM_DEFAULT_LOCAL_INTERNAL_OPTIONS as local_internal_options +from wazuh_testing.modules.fim.event_monitor import (get_configured_whodata_queue_size, detect_audit_queue_full, + detect_invalid_conf_value, detect_audit_healthcheck_failed, + detect_whodata_start) + + +# Marks +pytestmark = [pytest.mark.linux, pytest.mark.tier(level=1)] + +# Variables +test_folders = [os.path.join(PREFIX, TEST_DIR_1)] + +# Reference paths +TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') +CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration_template') +TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases') + +# ---------------------------------------TEST_AUDIT_BUFFER_DEFAULT------------------------------------------- +# Configuration and cases data +t1_test_cases_path = os.path.join(TEST_CASES_PATH, 'cases_audit_buffer_default.yaml') +t1_configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_audit_buffer_default.yaml') + +# Test configurations +t1_configuration_parameters, t1_configuration_metadata, t1_test_case_ids = get_test_cases_data(t1_test_cases_path) +for count, value in enumerate(t1_configuration_parameters): + t1_configuration_parameters[count]['TEST_DIRECTORIES'] = test_folders[0] +t1_configurations = load_configuration_template(t1_configurations_path, t1_configuration_parameters, + t1_configuration_metadata) + +# ---------------------------------------TEST_AUDIT_BUFFER_VALUES------------------------------------------- +# Configuration and cases data +t2_test_cases_path = 
os.path.join(TEST_CASES_PATH, 'cases_audit_buffer_values.yaml') +t2_configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_audit_buffer_values.yaml') + +# Test configurations +t2_configuration_parameters, t2_configuration_metadata, t2_test_case_ids = get_test_cases_data(t2_test_cases_path) +for count, value in enumerate(t2_configuration_parameters): + t2_configuration_parameters[count]['TEST_DIRECTORIES'] = test_folders[0] +t2_configurations = load_configuration_template(t2_configurations_path, t2_configuration_parameters, + t2_configuration_metadata) + + +# Tests +@pytest.mark.parametrize('test_folders', [test_folders], ids='', scope='module') +@pytest.mark.parametrize('configuration, metadata', zip(t1_configurations, t1_configuration_metadata), + ids=t1_test_case_ids) +def test_audit_buffer_default(configuration, metadata, test_folders, set_wazuh_configuration, + create_monitored_folders_module, configure_local_internal_options_function, + restart_syscheck_function): + ''' + description: Check if the default configured value for whodata's 'queue_size' option. Also verify that the whodata + thread is started correctly. + + test_phases: + - setup: + - Set wazuh configuration and local_internal_options. + - Create custom folder for monitoring + - Clean logs files and restart wazuh to apply the configuration. + - test: + - Assert configured queue_size value is default value + - Validate real-time whodata thread is started correctly + - teardown: + - Delete custom monitored folder + - Restore configuration + - Stop wazuh + + wazuh_min_version: 4.5.0 + + tier: 0 + + parameters: + - configuration: + type: dict + brief: Configuration values for ossec.conf. + - metadata: + type: dict + brief: Test case data. + - test_folders: + type: dict + brief: List of folders to be created for monitoring. + - set_wazuh_configuration: + type: fixture + brief: Set ossec.conf configuration. 
+ - create_monitored_folders_module: + type: fixture + brief: Create a given list of folders when the module starts. Delete the folders at the end of the module. + - configure_local_internal_options_function: + type: fixture + brief: Set local_internal_options.conf file. + - restart_syscheck_function: + type: fixture + brief: restart syscheckd daemon, and truncate the ossec.log. + + assertions: + - Verify configured queue_size value is default value + - Verify real-time whodata thread is started correctly + + input_description: The file 'configuration_audit_buffer_default.yaml' provides the configuration + template. + The file 'cases_audit_buffer_default.yaml' provides the tes cases configuration + details for each test case. + + expected_output: + - r".*Internal audit queue size set to \'(.*)\'." + - r'.*File integrity monitoring (real-time Whodata) engine started.*' + ''' + wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) + + # Detect configured value + configured_value = get_configured_whodata_queue_size(wazuh_log_monitor) + assert str(AUDIT_QUEUE_SIZE_DEFAULT_VALUE) in configured_value, 'Unexpected "queue_size" value found in ossec.log' + + # Detect real-time whodata thread started correctly + detect_whodata_start(wazuh_log_monitor) + + +@pytest.mark.parametrize('test_folders', [test_folders], ids='', scope='module') +@pytest.mark.parametrize('configuration, metadata', zip(t2_configurations, t2_configuration_metadata), + ids=t2_test_case_ids) +def test_audit_buffer_values(configuration, metadata, test_folders, set_wazuh_configuration, + create_monitored_folders_module, configure_local_internal_options_function, + restart_syscheck_function): + ''' + description: Check when setting values to whodata's 'queue_size' option. The value is configured correctly.Also, + verify that the whodata thread is started correctly when value is inside valid range, and it fails + to start with values outside range and error messages are shown accordingly. 
+ + test_phases: + - setup: + - Set wazuh configuration and local_internal_options. + - Create custom folder for monitoring + - Clean logs files and restart wazuh to apply the configuration. + - test: + - Assert configured queue_size value is default value + - Validate real-time whodata thread is started correctly + - On invalid values, validate error and that whodata does not start. + - teardown: + - Delete custom monitored folder + - Restore configuration + - Stop wazuh + + wazuh_min_version: 4.5.0 + + tier: 1 + + parameters: + - configuration: + type: dict + brief: Configuration values for ossec.conf. + - metadata: + type: dict + brief: Test case data. + - test_folders: + type: dict + brief: List of folders to be created for monitoring. + - set_wazuh_configuration: + type: fixture + brief: Set ossec.conf configuration. + - create_monitored_folders_module: + type: fixture + brief: Create a given list of folders when the module starts. Delete the folders at the end of the module. + - configure_local_internal_options_function: + type: fixture + brief: Set local_internal_options.conf file. + - restart_syscheck_function: + type: fixture + brief: restart syscheckd daemon, and truncate the ossec.log. + + assertions: + - Verify when queue is full an event informs audit events may be lost + - Verify when queue is full at start up audit healthcheck fails and does not start + - Verify when using invalid values an error message is shown and does not start + - Verify configured queue_size value + - Verify real-time whodata thread is started correctly + + input_description: The file 'configuration_audit_buffer_values' provides the configuration template. + The file 'cases_audit_buffer_values.yaml' provides the tes cases configuration + details for each test case. + + expected_output: + - r".*(Internal audit queue is full). Some events may be lost. Next scheduled scan will recover lost data." + - r".*(Audit health check couldn't be completed correctly)." 
+ - fr".*Invalid value for element (\'{element}\': .*)" + - r".*Internal audit queue size set to \'(.*)\'." + - r'.*File integrity monitoring (real-time Whodata) engine started.*' + ''' + wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) + + if metadata['valid_range']: + # Detect configured value + configured_value = get_configured_whodata_queue_size(wazuh_log_monitor) + assert str(metadata['queue_size']) in configured_value, 'Unexpected value found in "queue_size" in ossec.conf' + + if not metadata['audit_starts']: + # Detect cause of failure + if metadata['fail_reason'] == 'queue_full': + detect_audit_queue_full(wazuh_log_monitor) + detect_audit_healthcheck_failed(wazuh_log_monitor) + elif metadata['fail_reason'] == 'invalid_value': + detect_invalid_conf_value(wazuh_log_monitor, element='queue_size') + with pytest.raises(TimeoutError): + # Detect real-time whodata thread does not start + detect_whodata_start(wazuh_log_monitor, timeout=T_5) + else: + # Detect real-time whodata thread started correctly + detect_whodata_start(wazuh_log_monitor) diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_over_time.py b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_over_time.py new file mode 100644 index 0000000000..45cb6cdb1c --- /dev/null +++ b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_over_time.py 
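Review bot: In `test_audit_buffer_values` the `fail_reason` dispatch has no fallthrough, so a case file carrying an unrecognised value (or a typo) skips both detectors and the test still passes on the `TimeoutError` alone; an `else: pytest.fail(f"Unknown fail_reason: {metadata['fail_reason']}")` after the `elif` would surface that. The `queue_size` checks in both tests are substring matches (`str(metadata['queue_size']) in configured_value`), which accept a configured `1` against a logged `16384`; if `get_configured_whodata_queue_size` returns the captured group (its body is not in this patch), compare with `==` instead. The module docstring still carries `tags: - windows_folder_redirection` from its template, and the `test_audit_buffer_default` docstring says `tier: 0` while `pytestmark` sets `tier(level=1)`; both should describe this file.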
@@ -0,0 +1,323 @@ +''' +copyright: Copyright (C) 2015-2023, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are + added, modified or deleted. It can monitor using Audit information (whodata mode). Whodata mode has an option + 'queue_size' that will save whodata events up until it is full so it can decode them and generate alerts. Events + in excess of the queue will be dropped and handled in the next scheduled scan. This is done to avoid blocking + the audit socket. Events in the queue are processed and removed from the queue, at a rate set my the max_eps tag. + This tests aim to test the behavior of the queue in conjunction with max_eps, that fill/overflow the queue, then + waiting for events to be processed and inserting files again, to verify files are processed in expected modes. + +components: + - fim + +suite: audit_buffer + +targets: + - agent + +daemons: + - wazuh-syscheckd + +os_platform: + - linux + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - Debian Buster + - Red Hat 8 + - Ubuntu Focal + - Ubuntu Bionic + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + +pytest_args: + - fim_mode: + scheduled: File monitoring is done after every configured interval elapses. + realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the 'who-data' information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. + 1: Only level 1 tests are performed, they check functionalities of medium complexity. 
+ 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. + +tags: + - windows_folder_redirection +''' +import os +import time + +import pytest +from wazuh_testing import LOG_FILE_PATH, REGULAR, T_60, T_20 +from wazuh_testing.tools import PREFIX +from wazuh_testing.tools.configuration import get_test_cases_data, load_configuration_template +from wazuh_testing.tools.monitoring import FileMonitor +from wazuh_testing.tools.file import create_file +from wazuh_testing.modules.fim import TEST_DIR_1 +from wazuh_testing.modules.fim import FIM_DEFAULT_LOCAL_INTERNAL_OPTIONS as local_internal_options +from wazuh_testing.modules.fim.event_monitor import (callback_detect_file_added_event, detect_audit_queue_full, + get_messages) + + +# Marks +pytestmark = [pytest.mark.linux, pytest.mark.tier(level=1)] + +# Variables +test_folders = [os.path.join(PREFIX, TEST_DIR_1)] + +# Reference paths +TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') +CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration_template') +TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases') + + +# Configuration and cases data +configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_audit_buffer_over_time.yaml') +t1_test_cases_path = os.path.join(TEST_CASES_PATH, 'cases_audit_buffer_over_time_no_overflow.yaml') +t2_test_cases_path = os.path.join(TEST_CASES_PATH, 'cases_audit_buffer_over_time_overflown.yaml') + +# Test configurations +t1_configuration_parameters, t1_configuration_metadata, t1_test_case_ids = get_test_cases_data(t1_test_cases_path) +for count, value in enumerate(t1_configuration_parameters): + t1_configuration_parameters[count]['TEST_DIRECTORIES'] = test_folders[0] +t1_configurations = load_configuration_template(configurations_path, t1_configuration_parameters, + t1_configuration_metadata) + +# Test configurations +t2_configuration_parameters, t2_configuration_metadata, t2_test_case_ids = 
get_test_cases_data(t2_test_cases_path) +for count, value in enumerate(t2_configuration_parameters): + t2_configuration_parameters[count]['TEST_DIRECTORIES'] = test_folders[0] +t2_configurations = load_configuration_template(configurations_path, t2_configuration_parameters, + t2_configuration_metadata) + + +# Tests +@pytest.mark.parametrize('test_folders', [test_folders], ids='') +@pytest.mark.parametrize('configuration, metadata', zip(t1_configurations, t1_configuration_metadata), + ids=t1_test_case_ids) +def test_audit_buffer_over_time_no_overflow(configuration, metadata, test_folders, set_wazuh_configuration, + create_monitored_folders, configure_local_internal_options_function, + restart_syscheck_function, wait_syscheck_start): + ''' + description: This test validates the behavior of "queue_size" in tandem with "max_eps". Check that when files are + added equal to the whodata "queue_size" the queue does not overflow, after some files are processed + adding new files that do not exceed the empty space in the queue, all files are detected in whodata + mode. + test_phases: + - setup: + - Set wazuh configuration and local_internal_options. + - Create custom folder for monitoring + - Clean logs files and restart wazuh to apply the configuration. + - test: + - Insert enough files to fill queue + - Wait x seconds for space to be freed in queue + - Insert enough files to fill queue again + - Validate queue was full + - Validate no event was dropped and all events were detected in whodata mode + - teardown: + - Delete custom monitored folder + - Restore configuration + - Stop wazuh + + wazuh_min_version: 4.5.0 + + tier: 2 + + parameters: + - configuration: + type: dict + brief: Configuration values for ossec.conf. + - metadata: + type: dict + brief: Test case data. + - test_folders: + type: dict + brief: List of folders to be created for monitoring. + - set_wazuh_configuration: + type: fixture + brief: Set ossec.conf configuration. 
+ - create_monitored_folders_module: + type: fixture + brief: Create a given list of folders when the module starts. Delete the folders at the end of the module. + - configure_local_internal_options_function: + type: fixture + brief: Set local_internal_options.conf file. + - restart_syscheck_function: + type: fixture + brief: restart syscheckd daemon, and truncate the ossec.log. + - wait_syscheck_start: + type: fixture + brief: check that the starting FIM scan is detected. + + assertions: + - Verify whadata queue is full + - Verify all inserted files are detected in whodata mode if files are inserted after queue space is freed + + input_description: The file 'configuration_audit_buffer_over_time.yaml' provides the configuration + template. + The file 'cases_audit_buffer_over_time_no_overflow.yaml' provides the tes cases configuration + details for each test case. + + expected_output: + - r".*(Internal audit queue is full). Some events may be lost. Next scheduled scan will recover lost data." 
+ - r".*Sending FIM event: (.+)$" + ''' + wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) + whodata_events = metadata['files_first_insert'] + metadata['files_second_insert'] + + # Wait for FIM to process all initial whodata messages + time.sleep(2) + + # Insert an amount of files + for file in range(0, metadata['files_first_insert']): + create_file(REGULAR, test_folders[0], f'test_file_{file}', content='') + + # Wait for files to be processed + time.sleep(metadata['wait_time']) + + # Insert a second amount of files + for file in range(0, metadata['files_second_insert']): + create_file(REGULAR, test_folders[0], f'test_file_second_insert_{file}', content='') + + # Detect audit queue is full + with pytest.raises(TimeoutError): + detect_audit_queue_full(wazuh_log_monitor, update_position=False) + + # Get all file events + results = wazuh_log_monitor.start(timeout=T_60, callback=callback_detect_file_added_event, + accum_results=whodata_events, + error_message=f"Did not receive the expected amount of \ + whodata file added events").result() + # Validate all files where found in whodata mode - no files where dropped + for result in results: + assert result['data']['mode'] == 'whodata', f"Expected whodata event, found {result['data']['mode']} event" + + +@pytest.mark.parametrize('test_folders', [test_folders], ids='') +@pytest.mark.parametrize('configuration, metadata', zip(t2_configurations, t2_configuration_metadata), + ids=t2_test_case_ids) +def test_audit_buffer_overflown(configuration, metadata, test_folders, set_wazuh_configuration, + create_monitored_folders, configure_local_internal_options_function, + restart_syscheck_function, wait_syscheck_start): + ''' + description: This test validates the behavior of "queue_size" in tandem with "max_eps". 
Check that when files are + added causing whodata queue to overflow, and after some files are processed, if new files are added + that do not exceed the empty space in the queue, only the files from the first insertion, that caused + the overflow are detected in scheduled mode. All files from second insertion are detected in whodata. + + test_phases: + - setup: + - Set wazuh configuration and local_internal_options. + - Create custom folder for monitoring + - Clean logs files and restart wazuh to apply the configuration. + - test: + - Insert enough files to fill queue + - Detect if whodata queue has overflowed + - Wait x seconds for space to be freed in queue + - Insert files a second time + - Validate only files from the first insert were detected in scheduled mode + - Validate a all files from the second insert are detected. + - teardown: + - Delete custom monitored folder + - Restore configuration + - Stop wazuh + + wazuh_min_version: 4.5.0 + + tier: 2 + + parameters: + - configuration: + type: dict + brief: Configuration values for ossec.conf. + - metadata: + type: dict + brief: Test case data. + - test_folders: + type: dict + brief: List of folders to be created for monitoring. + - set_wazuh_configuration: + type: fixture + brief: Set ossec.conf configuration. + - create_monitored_folders_module: + type: fixture + brief: Create a given list of folders when the module starts. Delete the folders at the end of the module. + - configure_local_internal_options_function: + type: fixture + brief: Set local_internal_options.conf file. + - restart_syscheck_function: + type: fixture + brief: restart syscheckd daemon, and truncate the ossec.log. + - wait_syscheck_start: + type: fixture + brief: check that the starting FIM scan is detected. 
+ + assertions: + - Verify when queue is full an event informs audit events may be lost + - Verify when queue is full at start up audit healthcheck fails and does not start + - Verify when using invalid values an error message is shown and does not start + - Verify configured queue_size value + - Verify real-time whodata thread is started correctly + + input_description: The file 'configuration_audit_buffer_values' provides the configuration template. + The file 'cases_audit_buffer_values.yaml' provides the tes cases configuration + details for each test case. + + expected_output: + - r".*(Internal audit queue is full). Some events may be lost. Next scheduled scan will recover lost data." + - r".*(Audit health check couldn't be completed correctly)." + - fr".*Invalid value for element (\'{element}\': .*)" + - r".*Internal audit queue size set to \'(.*)\'." + - r'.*File integrity monitoring (real-time Whodata) engine started.*' + ''' + wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) + files_first_insert = metadata['files_first_insert'] + files_second_insert = metadata['files_second_insert'] + total_files = files_first_insert + files_second_insert + + # Wait for FIM to process all initial whodata messages + time.sleep(2) + + # Insert an ammount of files + for file in range(0, files_first_insert): + create_file(REGULAR, test_folders[0], f'test_file_first_insert_{file}', content='') + + # Wait for files to be processed + time.sleep(metadata["wait_time"]) + + # Detect If queue_full message has been generated + detect_audit_queue_full(wazuh_log_monitor, update_position=False) + + # Insert a second amount of files + for file in range(0, files_second_insert): + create_file(REGULAR, test_folders[0], f'test_file_second_insert_{file}', content='') + + # Get all file added events + results = get_messages(callback_detect_file_added_event, timeout=T_20, max_events=total_files, + error_message=f"Did not receive the expected file added events") + + second_set_events = 0 + for 
result in results: + # Check that all of the files processed in scheduled mode where from the first batch only + if result['data']['mode'] == 'scheduled': + assert 'test_file_first_insert_' in result['data']['path'], "Expected only files from first set to be in\ + scheduled mode, found file from second set" + # Count the events detected from second batch of files. Will only contain whodata because of previous assert + if 'test_file_second_insert_' in result['data']['path']: + second_set_events += 1 + + # Check that all the files from the second insert have been detected + assert second_set_events == files_second_insert, f"Unexpected amount of files detected from second insert, found: \ + {second_set_events}, expected: {files_second_insert}" From 3261284c7ef0df98da3c5bd54fb0cc1ececac059 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Mon, 5 Jun 2023 18:17:14 -0300 Subject: [PATCH 04/25] fix(#3963): update test_file_limit confs --- .../test_file_limit/data/wazuh_conf.yaml | 96 ------------------- .../data/wazuh_conf_file_limit.yaml | 35 +++++++ .../data/wazuh_conf_limit_default.yaml | 25 +++++ .../data/wazuh_conf_no_limit.yaml | 32 +++++++ .../test_file_limit_capacity_alerts.py | 2 +- .../test_file_limit_default.py | 5 +- .../test_file_limit/test_file_limit_full.py | 5 +- .../test_file_limit_no_limit.py | 6 +- .../test_file_limit/test_file_limit_values.py | 5 +- 9 files changed, 105 insertions(+), 106 deletions(-) delete mode 100644 tests/integration/test_fim/test_files/test_file_limit/data/wazuh_conf.yaml create mode 100644 tests/integration/test_fim/test_files/test_file_limit/data/wazuh_conf_file_limit.yaml create mode 100644 tests/integration/test_fim/test_files/test_file_limit/data/wazuh_conf_limit_default.yaml create mode 100644 tests/integration/test_fim/test_files/test_file_limit/data/wazuh_conf_no_limit.yaml 
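Review bot: The docstring of `test_audit_buffer_overflown` (assertions, input_description and expected_output) is copied from the configuration-values test: it promises audit health-check failures, invalid-value errors and `configuration_audit_buffer_values`, none of which this function checks, while the real inputs are `configuration_audit_buffer_over_time.yaml` and `cases_audit_buffer_over_time_overflown.yaml`; the assertions list should be reduced to the three things the body verifies (queue full detected, scheduled events only from the first insert, all second-insert files detected). The body also never asserts that any scheduled event was observed for the overflowed first batch, so if every event arrives in whodata mode the path check inside the loop is vacuous and the test passes; counting `first_set_scheduled_events` in the loop and asserting it is `> 0` (or equal to the expected drop count, if `get_messages` returns every event) would close that gap. The `time.sleep(2)` before the first insert in both tests is an unexplained magic number; a comment such as `# Let the post-start whodata events drain so they are not counted below` would at least record the intent, and waiting on the corresponding log line would be sturdier. The `error_message=f"..."` strings in both tests contain no placeholders and can be plain strings.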
diff --git a/tests/integration/test_fim/test_files/test_file_limit/data/wazuh_conf.yaml b/tests/integration/test_fim/test_files/test_file_limit/data/wazuh_conf.yaml deleted file mode 100644 index e79be5bb4f..0000000000 --- a/tests/integration/test_fim/test_files/test_file_limit/data/wazuh_conf.yaml +++ /dev/null @@ -1,96 +0,0 @@ -# conf 1 -- tags: - - no_file_limit - apply_to_modules: - - test_file_limit_no_limit - sections: - - section: syscheck - elements: - - disabled: - value: 'no' - - directories: - value: TEST_DIRECTORIES - attributes: - - FIM_MODE - - file_limit: - elements: - - enabled: - value: 'no' - - entries: - value: 10 - - section: sca - elements: - - enabled: - value: 'no' - - section: rootcheck - elements: - - disabled: - value: 'yes' - - section: active-response - elements: - - disabled: - value: 'yes' - -# conf 2 -- tags: - - file_limit_default - apply_to_modules: - - test_file_limit_default - sections: - - section: syscheck - elements: - - disabled: - value: 'no' - - directories: - value: TEST_DIRECTORIES - attributes: - - FIM_MODE - - section: sca - elements: - - enabled: - value: 'no' - - section: rootcheck - elements: - - disabled: - value: 'yes' - - section: active-response - elements: - - disabled: - value: 'yes' - -# conf 3 -- tags: - - file_limit_conf - apply_to_modules: - - test_file_limit_full - - test_file_limit_values - - test_file_limit_capacity_alerts - sections: - - section: syscheck - elements: - - disabled: - value: 'no' - - frequency: - value: 10 - - directories: - value: TEST_DIRECTORIES - attributes: - - FIM_MODE - - file_limit: - elements: - - enabled: - value: 'yes' - - entries: - value: FILE_LIMIT - - section: sca - elements: - - enabled: - value: 'no' - - section: rootcheck - elements: - - disabled: - value: 'yes' - - section: active-response - elements: - - disabled: - value: 'yes' 
diff --git a/tests/integration/test_fim/test_files/test_file_limit/data/wazuh_conf_file_limit.yaml b/tests/integration/test_fim/test_files/test_file_limit/data/wazuh_conf_file_limit.yaml new file mode 100644 index 0000000000..733d0a10c4 --- /dev/null +++ b/tests/integration/test_fim/test_files/test_file_limit/data/wazuh_conf_file_limit.yaml @@ -0,0 +1,35 @@ +- tags: + - file_limit_conf + apply_to_modules: + - test_file_limit_full + - test_file_limit_values + - test_file_limit_capacity_alerts + sections: + - section: syscheck + elements: + - disabled: + value: 'no' + - frequency: + value: 10 + - directories: + value: TEST_DIRECTORIES + attributes: + - FIM_MODE + - file_limit: + elements: + - enabled: + value: 'yes' + - entries: + value: FILE_LIMIT + - section: sca + elements: + - enabled: + value: 'no' + - section: rootcheck + elements: + - disabled: + value: 'yes' + - section: active-response + elements: + - disabled: + value: 'yes' diff --git a/tests/integration/test_fim/test_files/test_file_limit/data/wazuh_conf_limit_default.yaml b/tests/integration/test_fim/test_files/test_file_limit/data/wazuh_conf_limit_default.yaml new file mode 100644 index 0000000000..7403c75345 --- /dev/null +++ b/tests/integration/test_fim/test_files/test_file_limit/data/wazuh_conf_limit_default.yaml @@ -0,0 +1,25 @@ +- tags: + - file_limit_default + apply_to_modules: + - test_file_limit_default + sections: + - section: syscheck + elements: + - disabled: + value: 'no' + - directories: + value: TEST_DIRECTORIES + attributes: + - FIM_MODE + - section: sca + elements: + - enabled: + value: 'no' + - section: rootcheck + elements: + - disabled: + value: 'yes' + - section: active-response + elements: + - disabled: + value: 'yes' diff --git a/tests/integration/test_fim/test_files/test_file_limit/data/wazuh_conf_no_limit.yaml b/tests/integration/test_fim/test_files/test_file_limit/data/wazuh_conf_no_limit.yaml new file mode 100644 index 0000000000..08a69ed2b5 --- /dev/null 
+++ b/tests/integration/test_fim/test_files/test_file_limit/data/wazuh_conf_no_limit.yaml @@ -0,0 +1,32 @@ +# conf 1 +- tags: + - no_file_limit + apply_to_modules: + - test_file_limit_no_limit + sections: + - section: syscheck + elements: + - disabled: + value: 'no' + - directories: + value: TEST_DIRECTORIES + attributes: + - FIM_MODE + - file_limit: + elements: + - enabled: + value: 'no' + - entries: + value: 10 + - section: sca + elements: + - enabled: + value: 'no' + - section: rootcheck + elements: + - disabled: + value: 'yes' + - section: active-response + elements: + - disabled: + value: 'yes' diff --git a/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_capacity_alerts.py b/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_capacity_alerts.py index 673d82460f..96bbc1e6d5 100644 --- a/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_capacity_alerts.py +++ b/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_capacity_alerts.py @@ -89,7 +89,7 @@ directory_str = ','.join(test_directories) wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') -configurations_path = os.path.join(test_data_path, 'wazuh_conf.yaml') +configurations_path = os.path.join(test_data_path, 'wazuh_conf_file_limit.yaml') testdir1 = test_directories[0] scan_delay = 10 diff --git a/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_default.py b/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_default.py index ecc5d41912..34cf10ed48 100644 --- a/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_default.py +++ b/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_default.py 
@@ -80,9 +80,8 @@ # Variables test_directories = [os.path.join(PREFIX, 'testdir1')] directory_str = ','.join(test_directories) -wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') -configurations_path = os.path.join(test_data_path, 'wazuh_conf.yaml') +configurations_path = os.path.join(test_data_path, 'wazuh_conf_limit_default.yaml') testdir1 = test_directories[0] NUM_FILES = 100000 @@ -145,6 +144,8 @@ def test_file_limit_default(configure_local_internal_options_module, get_configu - realtime - who_data ''' + wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) + # Check the file limit configured and that it matches expected value (100000) file_limit_value = wazuh_log_monitor.start(timeout=global_parameters.default_timeout, callback=generate_monitoring_callback(CB_FILE_LIMIT_VALUE), diff --git a/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_full.py b/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_full.py index a47ab6aa7a..1e54169167 100644 --- a/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_full.py +++ b/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_full.py @@ -84,9 +84,8 @@ # Variables test_directories = [os.path.join(PREFIX, 'testdir1')] directory_str = ','.join(test_directories) -wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') -configurations_path = os.path.join(test_data_path, 'wazuh_conf.yaml') +configurations_path = os.path.join(test_data_path, 'wazuh_conf_file_limit.yaml') testdir1 = test_directories[0] NUM_FILES = 10 monitor_timeout = 40 
@@ -170,6 +169,8 @@ def test_file_limit_full(configure_local_internal_options_module, get_configurat - who_data - realtime ''' + wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) + # Check that database is full and assert database usage percentage is 100% database_state = wazuh_log_monitor.start(timeout=global_parameters.default_timeout, callback=generate_monitoring_callback(CB_FILE_LIMIT_CAPACITY), diff --git a/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_no_limit.py b/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_no_limit.py index 267ebd3172..84bbac12dd 100644 --- a/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_no_limit.py +++ b/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_no_limit.py @@ -93,9 +93,8 @@ test_directories = [os.path.join(PREFIX, 'testdir1')] directory_str = ','.join(test_directories) -wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') -configurations_path = os.path.join(test_data_path, 'wazuh_conf.yaml') +configurations_path = os.path.join(test_data_path, 'wazuh_conf_no_limit.yaml') testdir1 = test_directories[0] @@ -156,7 +155,8 @@ def test_file_limit_no_limit(configure_local_internal_options_module, get_config - realtime - who_data ''' - + wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) + wazuh_log_monitor.start(timeout=global_parameters.default_timeout, callback=generate_monitoring_callback(CB_FILE_LIMIT_DISABLED), error_message=ERR_MSG_FILE_LIMIT_DISABLED) diff --git a/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_values.py b/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_values.py index 833a15e1d3..7c4c475d56 100644 --- a/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_values.py +++ b/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_values.py 
@@ -85,9 +85,8 @@ # Variables test_directories = [os.path.join(PREFIX, 'testdir1')] directory_str = ','.join(test_directories) -wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') -configurations_path = os.path.join(test_data_path, 'wazuh_conf.yaml') +configurations_path = os.path.join(test_data_path, 'wazuh_conf_file_limit.yaml') testdir1 = test_directories[0] monitor_timeout = 40 @@ -163,6 +162,8 @@ def test_file_limit_values(configure_local_internal_options_module, get_configur tags: - scheduled ''' + wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) + # Get the file_limit value configured from the wazuh logs file_limit_value = wazuh_log_monitor.start(timeout=global_parameters.default_timeout, callback=generate_monitoring_callback(CB_FILE_LIMIT_VALUE), From 7fae44c3a0959ff7fc9becbb0a7a7e6de2fe1c07 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Mon, 5 Jun 2023 18:21:11 -0300 Subject: [PATCH 05/25] fix(#3963): fix missing imports --- .../modules/fim/event_monitor.py | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py b/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py index 61c0108914..53915751a8 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py +++ b/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py 
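Review bot: The `wazuh_log_monitor = FileMonitor(LOG_FILE_PATH)` line moved into the test body carries no comment explaining why it is no longer a module-level variable, and the same move is made in test_file_limit_default.py, test_file_limit_full.py and test_file_limit_no_limit.py in this commit, so the next refactor is likely to hoist it back. Presumably the monitor must be created after the restart fixtures have truncated the log so that it starts reading from the current position instead of the one recorded at import time; if that is the reason, add `# Create the monitor after the restart fixtures so it reads the truncated log from its current position` above the assignment in each of the five tests. The test body continues past the hunk.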
@@ -413,6 +413,19 @@ def callback_detect_file_deleted_event(line): return None +def callback_detect_file_more_changes(line): + """ Callback that detects if a line in a log contains 'More changes' in content_changes. + Args: + line (String): string line to be checked by callback in FileMonitor. + Returns: + returns JSON string from log. + """ + json_event = callback_detect_event(line) + if json_event is not None and 'content_changes' in json_event['data']: + if 'More changes' in json_event['data']['content_changes']: + return json_event + + def callback_audit_cannot_start(line): """ Callback that detects if a line shows whodata engine could not start and monitoring switched to realtime. 
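Review bot: `json_event['data']` is indexed unconditionally on the first `if` line of `callback_detect_file_more_changes`, so an event that `callback_detect_event` parses without a `data` key raises KeyError inside the FileMonitor callback instead of being skipped, and the function falls through with an implicit None while the sibling `callback_detect_file_deleted_event` just above ends with an explicit `return None`. Assuming `callback_detect_event` returns a parsed dict (the code indexes it as one), the two nested ifs collapse into one guarded lookup: `if json_event is not None and 'More changes' in json_event.get('data', {}).get('content_changes', ''):` / `    return json_event` / `return None`. The docstring's "returns JSON string from log" should then say it returns the parsed event dict, or None when the line does not match, since callers index into the result.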
@@ -609,3 +622,24 @@ def get_configured_whodata_queue_size(file_monitor): return file_monitor.start(timeout=T_10, callback=generate_monitoring_callback(CB_WHODATA_QUEUE_SIZE), error_message=create_error_message(CB_WHODATA_QUEUE_SIZE)).result() + +def get_fim_event(file_monitor=None, callback='', error_message=None, update_position=True, + timeout=T_60, accum_results=1, file_to_monitor=LOG_FILE_PATH): + """ Check if FIM event occurs and return it according to the callback. + Args: + file_monitor (FileMonitor): FileMonitor object to monitor the file content. + callback (str): log regex to check in Wazuh log + error_message (str): error message to show in case of expected event does not occur + update_position (boolean): filter configuration parameter to search in Wazuh log + timeout (str): timeout to check the event in Wazuh log + accum_results (int): Accumulation of matches. + Returns: + returns the value given by the callback used. Default None. + """ + file_monitor = FileMonitor(file_to_monitor) if file_monitor is None else file_monitor + error_message = f"Could not find this event in {file_to_monitor}: {callback}" if error_message is None else \ + error_message + + result = file_monitor.start(timeout=timeout, update_position=update_position, accum_results=accum_results, + callback=callback, error_message=error_message).result() + return result \ No newline at end of file From e0740f2e74f87da542edcc2105001de9cc512327 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Mon, 5 Jun 2023 18:22:09 -0300 Subject: [PATCH 06/25] style(#3963): add whiteline at file end --- deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py b/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py index 53915751a8..bd5d425305 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py 
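Review bot: The `callback=''` default of `get_fim_event` is handed straight to `file_monitor.start(callback=...)`, yet every caller in this series passes the callable returned by `generate_monitoring_callback(...)`, so calling `get_fim_event()` without a callback cannot work and the docstring's `callback (str): log regex to check in Wazuh log` describes the wrong type. Either document it as a callable and make the default `None` with an explicit error when it is missing, or accept both forms with `callback = generate_monitoring_callback(callback) if isinstance(callback, str) else callback` before the `start` call. The Args section also lists `timeout (str)` for what is an int (`T_60`) and omits `file_to_monitor` entirely; add `file_to_monitor (str): path of the log file to monitor when no file_monitor is given (default LOG_FILE_PATH)`.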
+++ b/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py @@ -642,4 +642,4 @@ def get_fim_event(file_monitor=None, callback='', error_message=None, update_pos result = file_monitor.start(timeout=timeout, update_position=update_position, accum_results=accum_results, callback=callback, error_message=error_message).result() - return result \ No newline at end of file + return result From e79ea7929129921429554eb07d2dbe1280d5af88 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Mon, 5 Jun 2023 18:27:28 -0300 Subject: [PATCH 07/25] style(#3963): fix whitelines and spacing --- deps/wazuh_testing/wazuh_testing/__init__.py | 1 + deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py | 1 + .../configuration_audit_buffer_behavior.yaml | 1 - .../configuration_audit_buffer_over_time.yaml | 1 - .../configuration_audit_buffer_values.yaml | 1 - .../test_files/test_file_limit/test_file_limit_no_limit.py | 2 +- 6 files changed, 3 insertions(+), 4 deletions(-) diff --git a/deps/wazuh_testing/wazuh_testing/__init__.py b/deps/wazuh_testing/wazuh_testing/__init__.py index 737e564e04..13bf37e22b 100644 --- a/deps/wazuh_testing/wazuh_testing/__init__.py +++ b/deps/wazuh_testing/wazuh_testing/__init__.py @@ -110,6 +110,7 @@ VALID_FIM_MODES = ['scheduled', 'realtime', 'whodata'] OS_EXCLUDED_FROM_RT_WD = ['darwin', 'sunos5'] + def is_udp(protocol): return protocol.upper() == UDP diff --git a/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py b/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py index bd5d425305..4a839fce04 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py +++ b/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py 
@@ -623,6 +623,7 @@ def get_configured_whodata_queue_size(file_monitor): return file_monitor.start(timeout=T_10, callback=generate_monitoring_callback(CB_WHODATA_QUEUE_SIZE), error_message=create_error_message(CB_WHODATA_QUEUE_SIZE)).result() + def get_fim_event(file_monitor=None, callback='', error_message=None, update_position=True, timeout=T_60, accum_results=1, file_to_monitor=LOG_FILE_PATH): """ Check if FIM event occurs and return it according to the callback. diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_behavior.yaml b/tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_behavior.yaml index 2c5b32146c..8d484ec24c 100644 --- a/tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_behavior.yaml +++ b/tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_behavior.yaml @@ -1,4 +1,3 @@ - - sections: - section: syscheck elements: diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_over_time.yaml b/tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_over_time.yaml index 29b44ee8ed..902a35f2bb 100644 --- a/tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_over_time.yaml +++ b/tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_over_time.yaml @@ -1,4 +1,3 @@ - - sections: - section: syscheck elements: 
diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_values.yaml b/tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_values.yaml index 676190070f..8221b52622 100644 --- a/tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_values.yaml +++ b/tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_values.yaml @@ -1,4 +1,3 @@ - - sections: - section: syscheck elements: diff --git a/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_no_limit.py b/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_no_limit.py index 84bbac12dd..9b81d28206 100644 --- a/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_no_limit.py +++ b/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_no_limit.py @@ -156,7 +156,7 @@ def test_file_limit_no_limit(configure_local_internal_options_module, get_config - who_data ''' wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) - + wazuh_log_monitor.start(timeout=global_parameters.default_timeout, callback=generate_monitoring_callback(CB_FILE_LIMIT_DISABLED), error_message=ERR_MSG_FILE_LIMIT_DISABLED) From 818122a07a426d23dde0fb26954da571040cd55b Mon Sep 17 00:00:00 2001 
From: Deblintrake09 Date: Fri, 9 Jun 2023 11:15:46 -0300 Subject: [PATCH 08/25] docs(#3963): update documentation and case names --- .../modules/fim/event_monitor.py | 11 +++++--- .../cases_audit_buffer_default.yaml | 2 +- .../cases_audit_buffer_no_overflow.yaml | 4 +-- ...es_audit_buffer_over_time_no_overflow.yaml | 2 +- ...ases_audit_buffer_over_time_overflow.yaml} | 2 +- ....yaml => cases_audit_buffer_overflow.yaml} | 2 +- .../test_cases/cases_audit_buffer_values.yaml | 12 ++++----- .../test_audit_buffer_behavior.py | 26 +++++++++---------- .../test_audit_buffer_configuration.py | 18 ++++++------- .../test_audit_buffer_over_time.py | 20 +++++++------- 10 files changed, 52 insertions(+), 47 deletions(-) rename tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/{cases_audit_buffer_over_time_overflown.yaml => cases_audit_buffer_over_time_overflow.yaml} (87%) rename tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/{cases_audit_buffer_overflown.yaml => cases_audit_buffer_overflow.yaml} (88%) diff --git a/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py b/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py index 4a839fce04..7cd695ce8c 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py +++ b/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py @@ -518,6 +518,7 @@ def get_messages(callback, timeout=T_30): """Look for as many synchronization events as possible. This function will look for the synchronization messages until a Timeout is raised or 'max_events' is reached. Args: + callback (str): Callback to be used to detect the event. timeout (int): Timeout that will be used to get the dbsync_no_data message. Returns: A list with all the events in json format. 
@@ -538,9 +539,14 @@ def get_messages(callback, timeout=T_30): def check_registry_crud_event(callback, path, timeout=T_30, type='added', arch='x32', value_name=None): - """Detect realtime engine start when restarting Wazuh. + """Get all events matching the callback and validate the type, path and architecture of event Args: - file_monitor (FileMonitor): file log monitor to detect events + callback (str): Callback to be used to detect the event. + path (str): path to be checked. + timeout (int): Timeout that will be used to try and get the expected messages. + type (str): type of event to be checked. + arch (str): architecture of the event to be checked. + value_name (str): name of the value to be checked. """ events = get_messages(callback=callback, timeout=timeout) for event in events: @@ -619,7 +625,6 @@ def get_configured_whodata_queue_size(file_monitor): Args: file_monitor (FileMonitor): file log monitor to detect events """ - return file_monitor.start(timeout=T_10, callback=generate_monitoring_callback(CB_WHODATA_QUEUE_SIZE), error_message=create_error_message(CB_WHODATA_QUEUE_SIZE)).result() diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_default.yaml b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_default.yaml index ef835d0984..54c2195838 100644 --- a/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_default.yaml +++ b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_default.yaml @@ -1,4 +1,4 @@ -- name: Verify_queue_size_default_value +- name: verify_queue_size_default_value description: Verify when not setting queue_size it's default value is set and whodata starts correctly. configuration_parameters: TEST_DIRECTORIES: /testdir1 
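Review bot: The new Args section of `check_registry_crud_event` types `callback (str)`, but the function passes it on to `get_messages(callback=callback)` and elsewhere in this file callbacks are the callables produced by `generate_monitoring_callback(...)`, so `str` is presumably wrong both here and in the `callback (str)` line the previous hunk adds to `get_messages`; `callback (callable): returns the parsed event for a matching log line, None otherwise` would match how it is used. The docstring still has no Returns or Raises section, so a reader cannot tell whether a non-matching event fails an assertion or is skipped; the loop body continues past the hunk, so document whichever it does.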
diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_no_overflow.yaml b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_no_overflow.yaml index cf885ae296..c55647da60 100644 --- a/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_no_overflow.yaml +++ b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_no_overflow.yaml @@ -1,5 +1,5 @@ -- name: Audit_Buffer_does_not_overflow - description: Verify if files are equal to queue_size, it does not everflow and files are detected in whodata mode +- name: audit_buffer_does_not_overflow + description: Verify if files are equal to queue_size, it does not overflow and files are detected in whodata mode configuration_parameters: TEST_DIRECTORIES: / metadata: diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_over_time_no_overflow.yaml b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_over_time_no_overflow.yaml index cd0c8ce9c3..1d86a0fa29 100644 --- a/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_over_time_no_overflow.yaml +++ b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_over_time_no_overflow.yaml @@ -1,4 +1,4 @@ -- name: Audit_Buffer_full-all_files_detected_in_whodata +- name: audit_buffer_full_all_files_detected_in_whodata description: Verify if files are added below the queue's size, after space is freed, all files appear in whodata mode configuration_parameters: TEST_DIRECTORIES: / 
diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_over_time_overflown.yaml b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_over_time_overflow.yaml similarity index 87% rename from tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_over_time_overflown.yaml rename to tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_over_time_overflow.yaml index c895b78daa..cb19bd747a 100644 --- a/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_over_time_overflown.yaml +++ b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_over_time_overflow.yaml @@ -1,4 +1,4 @@ -- name: Audit_Buffer_overflows-New_files_in_whodata +- name: audit_buffer_overflows_new_files_in_whodata description: Verify if files are added over the queue's size, and time passes, new files are detected in whodata mode configuration_parameters: TEST_DIRECTORIES: / diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_overflown.yaml b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_overflow.yaml similarity index 88% rename from tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_overflown.yaml rename to tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_overflow.yaml index 51d11126f3..d4030b14ea 100644 --- a/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_overflown.yaml +++ b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_overflow.yaml 
@@ -1,4 +1,4 @@ -- name: Audit_buffer_overflowns +- name: audit_buffer_overflows description: Verify if files are added over the queue's size, it overflows and files are detected in scheduled mode. configuration_parameters: TEST_DIRECTORIES: / diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_values.yaml b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_values.yaml index 2fa84aadb9..cf747fc77f 100644 --- a/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_values.yaml +++ b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_values.yaml @@ -1,4 +1,4 @@ -- name: Queue_Size_100-value_inside_range_starts_properly +- name: queue_size_100_value_inside_range_starts_properly description: Verify if value set is inside valid range it is configured and whodata starts correctly. configuration_parameters: QUEUE_SIZE: 100 @@ -7,7 +7,7 @@ audit_starts: true valid_range: true -- name: Queue_Size_10-Lower_limit_starts_properly +- name: queue_size_10_Lower_limit_starts_properly description: Verify if value set is the lower allowed limit, whodata starts correctly configuration_parameters: QUEUE_SIZE: 10 @@ -16,7 +16,7 @@ valid_range: true audit_starts: true -- name: Queue_Size_1048576-Upper_limit_starts_properly +- name: queue_size_1048576_Upper_limit_starts_properly description: Verify if value set to the upper limit whodata starts correctly. configuration_parameters: QUEUE_SIZE: 1048576 @@ -25,7 +25,7 @@ audit_starts: true valid_range: true -- name: Queue_Size_Invalid_value_below_minimum +- name: queue_size_invalid_value_below_minimum description: Verify if value set is below allowed minimum, whodata fails to start. configuration_parameters: QUEUE_SIZE: 9 
@@ -35,7 +35,7 @@ audit_starts: false fail_reason: invalid_value -- name: Queue_Size_Invalid_value_above_maximum +- name: queue_size_invalid_value_above_maximum description: Verify if value set is above allowed minimum, whodata fails to start. configuration_parameters: QUEUE_SIZE: 1048577 @@ -45,7 +45,7 @@ audit_starts: false fail_reason: invalid_value -- name: Queue_Size_Invalid_value_Invalid_characters +- name: queue_size_invalid_value_Invalid_characters description: Verify if value set using characters instead of only numbers, whodata fails to start. configuration_parameters: QUEUE_SIZE: 100c diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py index 64a7bf2a3e..1bf9bffd5e 100644 --- a/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py +++ b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py @@ -85,7 +85,7 @@ # Configuration and cases data configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_audit_buffer_behavior.yaml') t1_test_cases_path = os.path.join(TEST_CASES_PATH, 'cases_audit_buffer_no_overflow.yaml') -t2_test_cases_path = os.path.join(TEST_CASES_PATH, 'cases_audit_buffer_overflown.yaml') +t2_test_cases_path = os.path.join(TEST_CASES_PATH, 'cases_audit_buffer_overflow.yaml') # Test configurations t1_configuration_parameters, t1_configuration_metadata, t1_test_case_ids = get_test_cases_data(t1_test_cases_path) @@ -136,7 +136,7 @@ def test_audit_buffer_no_overflow(configuration, metadata, test_folders, set_waz parameters: - configuration: type: dict - brief: Configuration values for ossec.conf. + brief: Configuration values to apply. - metadata: type: dict brief: Test case data. 
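Review bot: The lower-casing of the case names in cases_audit_buffer_values.yaml is incomplete: the new lines still read `queue_size_10_Lower_limit_starts_properly`, `queue_size_1048576_Upper_limit_starts_properly` and `queue_size_invalid_value_Invalid_characters`, so this file's test ids mix cases while every other renamed case in the commit is all lower case. Finish the rename with `- name: queue_size_10_lower_limit_starts_properly`, `- name: queue_size_1048576_upper_limit_starts_properly` and `- name: queue_size_invalid_value_invalid_characters`. The unchanged description of the `QUEUE_SIZE: 1048577` case, "Verify if value set is above allowed minimum", should read "above allowed maximum" while the file is being touched.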
@@ -145,16 +145,16 @@ def test_audit_buffer_no_overflow(configuration, metadata, test_folders, set_waz brief: List of folders to be created for monitoring. - set_wazuh_configuration: type: fixture - brief: Set ossec.conf configuration. + brief: Set wazuh configuration. - create_monitored_folders: type: fixture brief: Create a given list of folders when the test starts. Delete the folders at the end of the test. - configure_local_internal_options_function: type: fixture - brief: Set local_internal_options.conf file. + brief: Set local_internal_options file. - restart_syscheck_function: type: fixture - brief: restart syscheckd daemon, and truncate the ossec.log. + brief: restart syscheckd daemon, and truncate the log files. - wait_syscheck_start: type: fixture brief: check that the starting FIM scan is detected. @@ -163,8 +163,8 @@ def test_audit_buffer_no_overflow(configuration, metadata, test_folders, set_waz - Verify the queue does not overflow after inserting files - Verify all files are detected in whodata mode - input_description: The file 'configuration_audit_buffer_values' provides the configuration template. - The file 'cases_audit_buffer_values.yaml' provides the test cases details for each test case. + input_description: The file 'configuration_audit_buffer_behavior' provides the configuration template. + The file 'cases_audit_buffer_no_overflow.yaml' provides the test cases details for each test case. expected_output: - r".*(Internal audit queue is full). Some events may be lost. Next scheduled scan will recover lost data." @@ -233,7 +233,7 @@ def test_audit_buffer_overflown(configuration, metadata, test_folders, set_wazuh parameters: - configuration: type: dict - brief: Configuration values for ossec.conf. + brief: Configuration values to apply to wazuh. - metadata: type: dict brief: Test case data. 
@@ -242,16 +242,16 @@ def test_audit_buffer_overflown(configuration, metadata, test_folders, set_wazuh brief: List of folders to be created for monitoring. - set_wazuh_configuration: type: fixture - brief: Set ossec.conf configuration. + brief: Set wazuh configuration. - create_monitored_folders: type: fixture brief: Create a given list of folders when the test starts. Delete the folders at the end of the test. - configure_local_internal_options_function: type: fixture - brief: Set local_internal_options.conf file. + brief: Set local internal options file. - restart_syscheck_function: type: fixture - brief: restart syscheckd daemon, and truncate the ossec.log. + brief: restart syscheckd daemon, and truncate the log files. - wait_syscheck_start: type: fixture brief: check that the starting FIM scan is detected. @@ -261,8 +261,8 @@ def test_audit_buffer_overflown(configuration, metadata, test_folders, set_wazuh - Verify that files detected in whodata mode before it being full are equal or more than the configured value - Verify the excess files inserted after queue full are detected in scheduled mode. - input_description: The file 'configuration_audit_buffer_values' provides the configuration template. - The file 'cases_audit_buffer_values.yaml' provides the tes cases configuration + input_description: The file 'configuration_audit_buffer_behavior' provides the configuration template. + The file 'cases_audit_buffer_overflow.yaml' provides the tes cases configuration details for each test case. expected_output: diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_configuration.py b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_configuration.py index a5b13be611..027745b9cb 100644 --- a/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_configuration.py +++ b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_configuration.py 
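Review bot: The rewritten `input_description` line keeps the typo `provides the tes cases configuration`; it should read `provides the test cases configuration`. The hunk header also shows this file's second test still named `test_audit_buffer_overflown`, whereas the sibling test_audit_buffer_over_time.py in the same commit renames its counterpart to `test_audit_buffer_overflow` and the case file becomes cases_audit_buffer_overflow.yaml, so the function name should be brought in line here too (`def test_audit_buffer_overflow(...)`, with the continuation lines of the signature re-aligned). The test body continues outside the hunk.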
@@ -135,7 +135,7 @@ def test_audit_buffer_default(configuration, metadata, test_folders, set_wazuh_c parameters: - configuration: type: dict - brief: Configuration values for ossec.conf. + brief: Configuration values to apply. - metadata: type: dict brief: Test case data. @@ -144,16 +144,16 @@ def test_audit_buffer_default(configuration, metadata, test_folders, set_wazuh_c brief: List of folders to be created for monitoring. - set_wazuh_configuration: type: fixture - brief: Set ossec.conf configuration. + brief: Set wazuh configuration. - create_monitored_folders_module: type: fixture brief: Create a given list of folders when the module starts. Delete the folders at the end of the module. - configure_local_internal_options_function: type: fixture - brief: Set local_internal_options.conf file. + brief: Set local_internal_options file. - restart_syscheck_function: type: fixture - brief: restart syscheckd daemon, and truncate the ossec.log. + brief: restart syscheckd daemon, and truncate the log files. assertions: - Verify configured queue_size value is default value @@ -210,7 +210,7 @@ def test_audit_buffer_values(configuration, metadata, test_folders, set_wazuh_co parameters: - configuration: type: dict - brief: Configuration values for ossec.conf. + brief: Configuration values to apply. - metadata: type: dict brief: Test case data. 
@@ -219,16 +219,16 @@ def test_audit_buffer_values(configuration, metadata, test_folders, set_wazuh_co brief: List of folders to be created for monitoring. - set_wazuh_configuration: type: fixture - brief: Set ossec.conf configuration. + brief: Set wazuh configuration. - create_monitored_folders_module: type: fixture brief: Create a given list of folders when the module starts. Delete the folders at the end of the module. - configure_local_internal_options_function: type: fixture - brief: Set local_internal_options.conf file. + brief: Set local internal options file. - restart_syscheck_function: type: fixture - brief: restart syscheckd daemon, and truncate the ossec.log. + brief: restart syscheckd daemon, and truncate the log files. assertions: - Verify when queue is full an event informs audit events may be lost @@ -266,5 +266,5 @@ def test_audit_buffer_values(configuration, metadata, test_folders, set_wazuh_co # Detect real-time whodata thread does not start detect_whodata_start(wazuh_log_monitor, timeout=T_5) else: - # Detect real-time whodata thread started correctly + # Detect whodata thread started correctly detect_whodata_start(wazuh_log_monitor) diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_over_time.py b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_over_time.py index 45cb6cdb1c..e0f9089f90 100644 --- a/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_over_time.py +++ b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_over_time.py 
@@ -86,7 +86,7 @@ # Configuration and cases data configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_audit_buffer_over_time.yaml') t1_test_cases_path = os.path.join(TEST_CASES_PATH, 'cases_audit_buffer_over_time_no_overflow.yaml') -t2_test_cases_path = os.path.join(TEST_CASES_PATH, 'cases_audit_buffer_over_time_overflown.yaml') +t2_test_cases_path = os.path.join(TEST_CASES_PATH, 'cases_audit_buffer_over_time_overflow.yaml') # Test configurations t1_configuration_parameters, t1_configuration_metadata, t1_test_case_ids = get_test_cases_data(t1_test_cases_path) @@ -138,7 +138,7 @@ def test_audit_buffer_over_time_no_overflow(configuration, metadata, test_folder parameters: - configuration: type: dict - brief: Configuration values for ossec.conf. + brief: Configuration values to apply to wazuh. - metadata: type: dict brief: Test case data. @@ -147,16 +147,16 @@ def test_audit_buffer_over_time_no_overflow(configuration, metadata, test_folder brief: List of folders to be created for monitoring. - set_wazuh_configuration: type: fixture - brief: Set ossec.conf configuration. + brief: Set wazuh configuration. - create_monitored_folders_module: type: fixture brief: Create a given list of folders when the module starts. Delete the folders at the end of the module. - configure_local_internal_options_function: type: fixture - brief: Set local_internal_options.conf file. + brief: Set local_internal_options file. - restart_syscheck_function: type: fixture - brief: restart syscheckd daemon, and truncate the ossec.log. + brief: restart syscheckd daemon, and truncate the log files. - wait_syscheck_start: type: fixture brief: check that the starting FIM scan is detected. 
@@ -208,7 +208,7 @@ def test_audit_buffer_over_time_no_overflow(configuration, metadata, test_folder @pytest.mark.parametrize('test_folders', [test_folders], ids='') @pytest.mark.parametrize('configuration, metadata', zip(t2_configurations, t2_configuration_metadata), ids=t2_test_case_ids) -def test_audit_buffer_overflown(configuration, metadata, test_folders, set_wazuh_configuration, +def test_audit_buffer_overflow(configuration, metadata, test_folders, set_wazuh_configuration, create_monitored_folders, configure_local_internal_options_function, restart_syscheck_function, wait_syscheck_start): ''' @@ -241,7 +241,7 @@ def test_audit_buffer_overflown(configuration, metadata, test_folders, set_wazuh parameters: - configuration: type: dict - brief: Configuration values for ossec.conf. + brief: Configuration values to apply to wazuh. - metadata: type: dict brief: Test case data. @@ -250,16 +250,16 @@ def test_audit_buffer_overflown(configuration, metadata, test_folders, set_wazuh brief: List of folders to be created for monitoring. - set_wazuh_configuration: type: fixture - brief: Set ossec.conf configuration. + brief: Set wazuh configuration. - create_monitored_folders_module: type: fixture brief: Create a given list of folders when the module starts. Delete the folders at the end of the module. - configure_local_internal_options_function: type: fixture - brief: Set local_internal_options.conf file. + brief: Set local_internal_options file. - restart_syscheck_function: type: fixture - brief: restart syscheckd daemon, and truncate the ossec.log. + brief: restart syscheckd daemon, and truncate the log files. - wait_syscheck_start: type: fixture brief: check that the starting FIM scan is detected. From 830d20d1754ea25633b33549e86f38bcb9d810e5 Mon Sep 17 00:00:00 2001 
From: Deblintrake09 Date: Fri, 9 Jun 2023 11:16:03 -0300 Subject: [PATCH 09/25] style(#3963): rename test for clarity --- ...conf_no_limit.yaml => wazuh_conf_file_limit_disabled.yaml} | 0 ...est_file_limit_no_limit.py => test_file_limit_disabled.py} | 4 ++-- 2 files changed, 2 insertions(+), 2 deletions(-) rename tests/integration/test_fim/test_files/test_file_limit/data/{wazuh_conf_no_limit.yaml => wazuh_conf_file_limit_disabled.yaml} (100%) rename tests/integration/test_fim/test_files/test_file_limit/{test_file_limit_no_limit.py => test_file_limit_disabled.py} (97%) diff --git a/tests/integration/test_fim/test_files/test_file_limit/data/wazuh_conf_no_limit.yaml b/tests/integration/test_fim/test_files/test_file_limit/data/wazuh_conf_file_limit_disabled.yaml similarity index 100% rename from tests/integration/test_fim/test_files/test_file_limit/data/wazuh_conf_no_limit.yaml rename to tests/integration/test_fim/test_files/test_file_limit/data/wazuh_conf_file_limit_disabled.yaml diff --git a/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_no_limit.py b/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_disabled.py similarity index 97% rename from tests/integration/test_fim/test_files/test_file_limit/test_file_limit_no_limit.py rename to tests/integration/test_fim/test_files/test_file_limit/test_file_limit_disabled.py index 9b81d28206..cd172964ef 100644 --- a/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_no_limit.py +++ b/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_disabled.py @@ -94,7 +94,7 @@ directory_str = ','.join(test_directories) test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') -configurations_path = os.path.join(test_data_path, 'wazuh_conf_no_limit.yaml') +configurations_path = os.path.join(test_data_path, 'wazuh_conf_file_limit_disabled.yaml') testdir1 = test_directories[0] 
@@ -115,7 +115,7 @@ def get_configuration(request): # Tests -def test_file_limit_no_limit(configure_local_internal_options_module, get_configuration, configure_environment, +def test_file_limit_disabled(configure_local_internal_options_module, get_configuration, configure_environment, restart_syscheckd): ''' description: Check if the 'wazuh-syscheckd' daemon detects that the 'file_limit' feature of FIM is disabled. From 839d2480db36bc3b80c0984d0e9c8d8224ab7752 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Fri, 9 Jun 2023 12:43:28 -0300 Subject: [PATCH 10/25] fix(#3963): fix imports --- .../test_files/test_audit_buffer/test_audit_buffer_behavior.py | 2 +- .../test_audit_buffer/test_audit_buffer_configuration.py | 2 +- .../test_files/test_audit_buffer/test_audit_buffer_over_time.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py index 1bf9bffd5e..52316d3b99 100644 --- a/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py +++ b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py @@ -78,7 +78,7 @@ # Reference paths TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') -CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration_template') +CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration_templates') TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases') diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_configuration.py b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_configuration.py index 027745b9cb..f49af1c36a 100644 --- a/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_configuration.py 
+++ b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_configuration.py @@ -76,7 +76,7 @@ # Reference paths TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') -CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration_template') +CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration_templates') TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases') # ---------------------------------------TEST_AUDIT_BUFFER_DEFAULT------------------------------------------- diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_over_time.py b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_over_time.py index e0f9089f90..c60ab3b794 100644 --- a/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_over_time.py +++ b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_over_time.py @@ -79,7 +79,7 @@ # Reference paths TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') -CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration_template') +CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration_templates') TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases') From 10a2e19b4799376e43befef4d7ccc4b94b98d1ed Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Fri, 9 Jun 2023 16:21:02 -0300 Subject: [PATCH 11/25] fix(#3963): fix callback variables --- .../wazuh_testing/modules/fim/event_monitor.py | 12 +++++++----- .../data/test_cases/cases_audit_buffer_values.yaml | 4 ++-- .../test_audit_buffer/test_audit_buffer_behavior.py | 5 ++--- .../test_audit_buffer/test_audit_buffer_over_time.py | 7 +++---- .../data/wazuh_conf_file_limit_disabled.yaml | 2 +- 5 files changed, 15 insertions(+), 15 deletions(-) 
diff --git a/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py b/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py index 7cd695ce8c..6e3db82ff7 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py +++ b/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py @@ -119,6 +119,7 @@ def create_error_message(message, source=LOG_FILE_PATH): Creates an error message from an event. Args: message(str): Message that will be shown in error message + source(str): name of log file where the event was expected from (default: LOG_FILE_PATH). Returns: string: A string containing the error message to be shown """ @@ -483,13 +484,13 @@ def detect_initial_scan(file_monitor): error_message=ERR_MSG_SCHEDULED_SCAN_ENDED) -def detect_initial_scan_start(file_monitor): +def detect_initial_scan_start(file_monitor, timeout=T_60): """Detect initial scan start when restarting Wazuh. Args: file_monitor (FileMonitor): file log monitor to detect events """ - file_monitor.start(timeout=T_60, callback=callback_detect_scan_start, + file_monitor.start(timeout=timeout, callback=callback_detect_scan_start, error_message=ERR_MSG_SCHEDULED_SCAN_STARTED) 
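Review bot: The new `timeout` parameter on `detect_initial_scan_start` is not documented in the Args block, which the hunk otherwise leaves as it was; add `timeout (int, optional): seconds to wait for the scan-start event. Default T_60.` under `file_monitor`. The sibling `detect_whodata_start(file_monitor, timeout=T_60)` shown in the header of the next hunk has the same shape, so the two should be documented alike.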
@@ -514,18 +515,19 @@ def detect_whodata_start(file_monitor, timeout=T_60): error_message=ERR_MSG_WHODATA_ENGINE_EVENT) -def get_messages(callback, timeout=T_30): +def get_messages(callback, timeout=T_30, max_events=MAX_EVENTS_VALUE): """Look for as many synchronization events as possible. This function will look for the synchronization messages until a Timeout is raised or 'max_events' is reached. Args: callback (str): Callback to be used to detect the event. timeout (int): Timeout that will be used to get the dbsync_no_data message. + max_events (int): Maximum number of events to be returned. Returns: A list with all the events in json format. """ wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) events = [] - for _ in range(0, MAX_EVENTS_VALUE): + for _ in range(0, max_events): event = None try: event = wazuh_log_monitor.start(timeout=timeout, accum_results=1, @@ -604,7 +606,7 @@ def detect_invalid_conf_value(file_monitor, element): """Detects the configured value for the whodata queue Args: file_monitor (FileMonitor): file log monitor to detect events - element (str): Elementa name that is being detected + element (str): Element name that is being detected """ pattern = fr".*Invalid value for element (\'{element}\': .*)" return file_monitor.start(timeout=T_10, callback=generate_monitoring_callback(pattern), diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_values.yaml b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_values.yaml index cf747fc77f..83635eb1dd 100644 --- a/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_values.yaml +++ b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_values.yaml 
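Review bot: `for _ in range(0, max_events):` spells the range with an explicit zero; `for _ in range(max_events):` is the idiomatic form. The docstring still presents `get_messages` as looking for "synchronization events" and describes `timeout` as the wait for the `dbsync_no_data` message, while the added `max_events` turns it into a generic bounded collector (later hunks in this series call it with `callback_detect_file_added_event`); reword the summary to `"""Collect up to `max_events` events matching `callback`, stopping early on timeout.` and describe `timeout` as the per-event wait. The body of `get_messages` continues outside the hunk.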
@@ -16,7 +16,7 @@ valid_range: true audit_starts: true -- name: queue_size_1048576_Upper_limit_starts_properly +- name: queue_size_1048576_upper_limit_starts_properly description: Verify if value set to the upper limit whodata starts correctly. configuration_parameters: QUEUE_SIZE: 1048576 @@ -45,7 +45,7 @@ audit_starts: false fail_reason: invalid_value -- name: queue_size_invalid_value_Invalid_characters +- name: queue_size_invalid_value_invalid_characters description: Verify if value set using characters instead of only numbers, whodata fails to start. configuration_parameters: QUEUE_SIZE: 100c diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py index 52316d3b99..c19470640b 100644 --- a/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py +++ b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py @@ -204,7 +204,7 @@ def test_audit_buffer_no_overflow(configuration, metadata, test_folders, set_waz @pytest.mark.parametrize('test_folders', [test_folders], ids='', scope='module') @pytest.mark.parametrize('configuration, metadata', zip(t2_configurations, t2_configuration_metadata), ids=t2_test_case_ids) -def test_audit_buffer_overflown(configuration, metadata, test_folders, set_wazuh_configuration, +def test_audit_buffer_overflow(configuration, metadata, test_folders, set_wazuh_configuration, create_monitored_folders_module, configure_local_internal_options_function, restart_syscheck_function, wait_syscheck_start): ''' 
@@ -295,8 +295,7 @@ def test_audit_buffer_overflown(configuration, metadata, test_folders, set_wazuh detect_initial_scan_start(wazuh_log_monitor, timeout=T_10) # Get all file added events - results = get_messages(callback_detect_file_added_event, timeout=T_10, - error_message=f"Did not receive the expected file added events") + results = get_messages(callback_detect_file_added_event, timeout=T_10) # Check the amount of added events in scheduled mode is equal to the amount of files created # minus the generated whodata events diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_over_time.py b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_over_time.py index c60ab3b794..a0829e07e4 100644 --- a/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_over_time.py +++ b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_over_time.py @@ -271,8 +271,8 @@ def test_audit_buffer_overflow(configuration, metadata, test_folders, set_wazuh_ - Verify configured queue_size value - Verify real-time whodata thread is started correctly - input_description: The file 'configuration_audit_buffer_values' provides the configuration template. - The file 'cases_audit_buffer_values.yaml' provides the tes cases configuration + input_description: The file 'configuration_audit_buffer_over_time.yaml' provides the configuration template. + The file 'cases_audit_buffer_over_time_overflow.yaml' provides the tes cases configuration details for each test case. expected_output: 
@@ -305,8 +305,7 @@ def test_audit_buffer_overflow(configuration, metadata, test_folders, set_wazuh_ create_file(REGULAR, test_folders[0], f'test_file_second_insert_{file}', content='') # Get all file added events - results = get_messages(callback_detect_file_added_event, timeout=T_20, max_events=total_files, - error_message=f"Did not receive the expected file added events") + results = get_messages(callback_detect_file_added_event, timeout=T_20, max_events=total_files) second_set_events = 0 for result in results: diff --git a/tests/integration/test_fim/test_files/test_file_limit/data/wazuh_conf_file_limit_disabled.yaml b/tests/integration/test_fim/test_files/test_file_limit/data/wazuh_conf_file_limit_disabled.yaml index 08a69ed2b5..361459ecde 100644 --- a/tests/integration/test_fim/test_files/test_file_limit/data/wazuh_conf_file_limit_disabled.yaml +++ b/tests/integration/test_fim/test_files/test_file_limit/data/wazuh_conf_file_limit_disabled.yaml @@ -2,7 +2,7 @@ - tags: - no_file_limit apply_to_modules: - - test_file_limit_no_limit + - test_file_limit_disabled sections: - section: syscheck elements: From 46b8ae35dc8a3292421251217d6bd213f9af133a Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Fri, 9 Jun 2023 16:34:51 -0300 Subject: [PATCH 12/25] fix(#3963): fix callback variables --- .../test_files/test_audit_buffer/test_audit_buffer_behavior.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py index c19470640b..3ace00c9ca 100644 --- a/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py +++ b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py 
@@ -280,8 +280,7 @@ def test_audit_buffer_overflow(configuration, metadata, test_folders, set_wazuh_ detect_audit_queue_full(wazuh_log_monitor, update_position=False) # Get all file added events - results = get_messages(callback_detect_file_added_event, timeout=T_10, - error_message=f"Did not receive the expected file added events") + results = get_messages(callback_detect_file_added_event, timeout=T_10) # Check the ammount of added events in whodata mode is equal or more than the expected value found_whodata_events = 0 From 9377b8e75a34367e039e0551c19f44b28ff7b251 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9s=20Carmelo=20Micalizzi=20Casali?= Date: Tue, 13 Jun 2023 13:02:01 -0300 Subject: [PATCH 13/25] docs(#3963): fix typo --- .../test_files/test_audit_buffer/test_audit_buffer_behavior.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py index 3ace00c9ca..bddf629a3a 100644 --- a/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py +++ b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py @@ -262,7 +262,7 @@ def test_audit_buffer_overflow(configuration, metadata, test_folders, set_wazuh_ - Verify the excess files inserted after queue full are detected in scheduled mode. input_description: The file 'configuration_audit_buffer_behavior' provides the configuration template. - The file 'cases_audit_buffer_overflow.yaml' provides the tes cases configuration + The file 'cases_audit_buffer_overflow.yaml' provides the test cases configuration details for each test case. expected_output: From 6e184c515b7af59320972a8e85d20f57dc7680f6 Mon Sep 17 00:00:00 2001 
From: Deblintrake09 Date: Wed, 14 Jun 2023 08:38:40 -0300 Subject: [PATCH 14/25] docs(#3963): update changelog --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b8743cae34..0c1c5de544 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,7 +6,7 @@ All notable changes to this project will be documented in this file. ### Added -- Add tests for new FIM audit buffer option. ([#3990](https://github.com/wazuh/wazuh-qa/pull/3990)) \- (Framework + tests) +- Add tests for new FIM audit buffer option. ([#4227](https://github.com/wazuh/wazuh-qa/pull/4227)) \- (Framework + tests) - New 'SCA' test suite and framework. ([#3566](https://github.com/wazuh/wazuh-qa/pull/3566)) \- (Framework + Tests) - Add integration tests for AWS module. ([#3911](https://github.com/wazuh/wazuh-qa/pull/3911)) \- (Framework + Tests + Documentation) - Add tests for msu patches with no associated CVE . ([#4009](https://github.com/wazuh/wazuh-qa/pull/4009)) \- (Framework + Tests) From e072e044ed143ab10a3e08f71f96efe01621e07a Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Mon, 5 Jun 2023 18:16:42 -0300 Subject: [PATCH 15/25] feat(#3963): add new callbacks --- deps/wazuh_testing/wazuh_testing/__init__.py | 1 + .../wazuh_testing/modules/fim/__init__.py | 2 +- .../modules/fim/event_monitor.py | 87 ++++++++++++------- 3 files changed, 57 insertions(+), 33 deletions(-) diff --git a/deps/wazuh_testing/wazuh_testing/__init__.py b/deps/wazuh_testing/wazuh_testing/__init__.py index 7513b00dc1..02e2a22b33 100644 --- a/deps/wazuh_testing/wazuh_testing/__init__.py +++ b/deps/wazuh_testing/wazuh_testing/__init__.py @@ -76,6 +76,7 @@ T_10 = 10 T_20 = 20 T_30 = 30 +T_40 = 40 T_60 = 60 diff --git a/deps/wazuh_testing/wazuh_testing/modules/fim/__init__.py b/deps/wazuh_testing/wazuh_testing/modules/fim/__init__.py index 5a8af08e85..5fea0bb68a 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/fim/__init__.py 
+++ b/deps/wazuh_testing/wazuh_testing/modules/fim/__init__.py @@ -175,7 +175,7 @@ # Syscheck values DIFF_LIMIT_VALUE = 2 DIFF_DEFAULT_LIMIT_VALUE = 51200 - +AUDIT_QUEUE_SIZE_DEFAULT_VALUE = 16384 # FIM modes SCHEDULED_MODE = 'scheduled' diff --git a/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py b/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py index 2ec0f10099..0777d2a4af 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py +++ b/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py @@ -7,8 +7,9 @@ from sys import platform from datetime import datetime -from wazuh_testing import LOG_FILE_PATH, logger, T_60, T_30 +from wazuh_testing import LOG_FILE_PATH, logger, T_30, T_60, T_10 from wazuh_testing.tools.monitoring import FileMonitor, generate_monitoring_callback +from wazuh_testing.modules.fim import MAX_EVENTS_VALUE # Variables 
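Review bot: Replacing the blank line with `AUDIT_QUEUE_SIZE_DEFAULT_VALUE = 16384` removes the separator between the `# Syscheck values` group and the `# FIM modes` comment, so the new constant now abuts the next section header; keep the constant and restore the blank line after it. A short trailing comment saying where the default comes from would also help, since the value is otherwise a bare magic number.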
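Review bot: `from wazuh_testing.modules.fim import MAX_EVENTS_VALUE` makes `event_monitor` import its own parent package; if `wazuh_testing/modules/fim/__init__.py` imports `event_monitor` directly or indirectly, this becomes a circular import that fails at package load, which is worth confirming before merging. The reordered name list `T_30, T_60, T_10` is also unsorted; `from wazuh_testing import LOG_FILE_PATH, logger, T_10, T_30, T_60` reads better.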
@@ -48,12 +49,16 @@ CB_FILE_EXCEEDS_DISK_QUOTA = r'.*The (.*) of the file size \'(.*)\' exceeds the disk_quota.*' CB_FILE_SIZE_LIMIT_REACHED = r'.*File \'(.*)\' is too big for configured maximum size to perform diff operation\.' CB_DIFF_FOLDER_DELETED = r'.*Folder \'(.*)\' has been deleted.*' +CB_FIM_WILDCARD_EXPANDING = r".*Expanding entry '.*' to '(.*)' to monitor FIM events." CB_FIM_PATH_CONVERTED = r".*fim_adjust_path.*Convert '(.*) to '(.*)' to process the FIM events." CB_STARTING_WINDOWS_AUDIT = r'.*state_checker.*(Starting check of Windows Audit Policies and SACLs)' CB_FIM_WILDCARD_EXPANDING = r".*Expanding entry '.*' to '(.*)' to monitor FIM events." CB_SWITCHING_DIRECTORIES_TO_REALTIME = r'.*state_checker.*(Audit policy change detected.\ Switching directories to realtime)' CB_RECIEVED_EVENT_4719 = r'.*win_whodata.*(Event 4719).*Switching directories to realtime' +CB_WHODATA_QUEUE_SIZE = r".*Internal audit queue size set to \'(.*)\'." +CB_WHODATA_QUEUE_FULL = r".*(Internal audit queue is full). Some events may be lost.*" +CB_AUDIT_HEALTHCHECK_FAILED = r".*(Audit health check couldn't be completed correctly)." CB_FIM_REGISTRY_ENTRIES_COUNT = r".*Fim registry entries count: '(.*)'" CB_FIM_REGISTRY_VALUES_ENTRIES_COUNT = r".*Fim registry values entries count: '(.*)'" 
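Review bot: The added `CB_FIM_WILDCARD_EXPANDING = r".*Expanding entry '.*' to '(.*)' to monitor FIM events."` duplicates the identical assignment kept as context two lines below, so the second definition silently overwrites the first; drop the new line. In `CB_WHODATA_QUEUE_FULL` the `.` after the closing parenthesis is unescaped and so matches any character; `\.` would match the literal period, as `CB_FILE_SIZE_LIMIT_REACHED` in the same block does.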
@@ -108,7 +113,17 @@ ERR_MSG_FILE_LIMIT_REACHED = 'Did not receive "File ... is too big ... to perform diff operation" event.' ERR_MSG_FOLDER_DELETED = 'Did not receive expected "Folder ... has been deleted." event.' ERR_MSG_SACL_CONFIGURED_EVENT = 'Did not receive the expected "The SACL of will be configured" event' -ERR_MSG_WHODATA_REALTIME_MODE_CHANGE_EVENT = 'Expected "directory starts to monitored in real-time" event not received' + + +def create_error_message(message, source=LOG_FILE_PATH): + """ + Creates an error message from an event. + Args: + message(str): Message that will be shown in error message + Returns: + string: A string containing the error message to be shown + """ + return fr'Did not receive the expected "{message}" event in "{source}" file.' # Callback functions @@ -399,19 +414,6 @@ def callback_detect_file_deleted_event(line): return None -def callback_detect_file_more_changes(line): - """ Callback that detects if a line in a log contains 'More changes' in content_changes. - Args: - line (String): string line to be checked by callback in FileMonitor. - Returns: - returns JSON string from log. - """ - json_event = callback_detect_event(line) - if json_event is not None and 'content_changes' in json_event['data']: - if 'More changes' in json_event['data']['content_changes']: - return json_event - - def callback_audit_cannot_start(line): """ Callback that detects if a line shows whodata engine could not start and monitoring switched to realtime. 
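Review bot: The hunk deletes `ERR_MSG_WHODATA_REALTIME_MODE_CHANGE_EVENT`, but the name is still used by `detect_windows_whodata_mode_change` (it appears as the first context line of the `@@ -574` hunk below, `error_message=ERR_MSG_WHODATA_REALTIME_MODE_CHANGE_EVENT)`), so calling that helper will raise `NameError` unless the constant is defined elsewhere. Either keep the constant or move that call to the new helper, `error_message=create_error_message('directory starts to monitored in real-time')`. The `r` prefix on `fr'Did not receive the expected "{message}" event in "{source}" file.'` is unnecessary since the literal contains no backslashes; a plain f-string is clearer.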
@@ -574,23 +576,44 @@ def detect_windows_whodata_mode_change(file_monitor, file='.*'): error_message=ERR_MSG_WHODATA_REALTIME_MODE_CHANGE_EVENT) -def get_fim_event(file_monitor=None, callback='', error_message=None, update_position=True, - timeout=T_60, accum_results=1, file_to_monitor=LOG_FILE_PATH): - """ Check if FIM event occurs and return it according to the callback. +def detect_audit_queue_full(file_monitor, update_position=True): + """Detects the configured value for the whodata queue Args: - file_monitor (FileMonitor): FileMonitor object to monitor the file content. - callback (str): log regex to check in Wazuh log - error_message (str): error message to show in case of expected event does not occur - update_position (boolean): filter configuration parameter to search in Wazuh log - timeout (str): timeout to check the event in Wazuh log - accum_results (int): Accumulation of matches. - Returns: - returns the value given by the callback used. Default None. + file_monitor (FileMonitor): file log monitor to detect events + update_position (bool, optional): True if we pop items from the queue once they are read. False otherwise. 
+ Default `True` + """ + + return file_monitor.start(timeout=T_10, callback=generate_monitoring_callback(CB_WHODATA_QUEUE_FULL), + error_message=create_error_message(CB_WHODATA_QUEUE_FULL), + update_position=update_position).result() + + +def detect_invalid_conf_value(file_monitor, element): + """Detects the configured value for the whodata queue + Args: + file_monitor (FileMonitor): file log monitor to detect events + element (str): Elementa name that is being detected + """ + pattern = fr".*Invalid value for element (\'{element}\': .*)" + return file_monitor.start(timeout=T_10, callback=generate_monitoring_callback(pattern), + error_message=create_error_message(pattern)).result() + + +def detect_audit_healthcheck_failed(file_monitor): + """Detects if the initial audit healtcheck has failed + Args: + file_monitor (FileMonitor): file log monitor to detect events + """ + return file_monitor.start(timeout=T_10, callback=generate_monitoring_callback(CB_AUDIT_HEALTHCHECK_FAILED), + error_message=create_error_message(CB_AUDIT_HEALTHCHECK_FAILED)).result() + + +def get_configured_whodata_queue_size(file_monitor): + """Detects the configured value for the whodata queue + Args: + file_monitor (FileMonitor): file log monitor to detect events """ - file_monitor = FileMonitor(file_to_monitor) if file_monitor is None else file_monitor - error_message = f"Could not find this event in {file_to_monitor}: {callback}" if error_message is None else \ - error_message - result = file_monitor.start(timeout=timeout, update_position=update_position, accum_results=accum_results, - callback=callback, error_message=error_message).result() - return result + return file_monitor.start(timeout=T_10, callback=generate_monitoring_callback(CB_WHODATA_QUEUE_SIZE), + error_message=create_error_message(CB_WHODATA_QUEUE_SIZE)).result() From eab536713a763f12d11cc5562c0f6756d093d047 Mon Sep 17 00:00:00 2001 
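Review bot: `detect_invalid_conf_value` interpolates `element` straight into a regular expression, `pattern = fr".*Invalid value for element (\'{element}\': .*)"`, so any regex metacharacter in the element name alters the pattern instead of being matched literally; use `{re.escape(element)}` (adding `import re` if the module does not already have it). The docstrings of `detect_audit_queue_full` and `detect_invalid_conf_value` repeat the summary of `get_configured_whodata_queue_size` ("Detects the configured value for the whodata queue") although they detect the queue-full message and an invalid-configuration message respectively, and `detect_audit_healthcheck_failed` misspells "healthcheck". None of the four new helpers documents its return value, which is the `.result()` of the monitor call; a one-line `Returns:` entry would match `create_error_message` above.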
From: Deblintrake09 Date: Mon, 5 Jun 2023 18:21:11 -0300 Subject: [PATCH 16/25] fix(#3963): fix missing imports --- .../modules/fim/event_monitor.py | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py b/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py index 0777d2a4af..611a652bca 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py +++ b/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py @@ -414,6 +414,19 @@ def callback_detect_file_deleted_event(line): return None +def callback_detect_file_more_changes(line): + """ Callback that detects if a line in a log contains 'More changes' in content_changes. + Args: + line (String): string line to be checked by callback in FileMonitor. + Returns: + returns JSON string from log. + """ + json_event = callback_detect_event(line) + if json_event is not None and 'content_changes' in json_event['data']: + if 'More changes' in json_event['data']['content_changes']: + return json_event + + def callback_audit_cannot_start(line): """ Callback that detects if a line shows whodata engine could not start and monitoring switched to realtime. 
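Review bot: `callback_detect_file_more_changes` falls off the end and returns `None` implicitly when the line does not match, whereas the sibling `callback_detect_file_deleted_event` at the top of the hunk ends with an explicit `return None`; add the same for consistency. The two nested `if`s can be folded into one, `if json_event is not None and 'More changes' in json_event['data'].get('content_changes', ''): return json_event`, which behaves identically and keeps the existing assumption that every parsed event carries a `'data'` key — confirm that assumption holds for all events `callback_detect_event` returns.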
@@ -617,3 +630,24 @@ def get_configured_whodata_queue_size(file_monitor): return file_monitor.start(timeout=T_10, callback=generate_monitoring_callback(CB_WHODATA_QUEUE_SIZE), error_message=create_error_message(CB_WHODATA_QUEUE_SIZE)).result() + +def get_fim_event(file_monitor=None, callback='', error_message=None, update_position=True, + timeout=T_60, accum_results=1, file_to_monitor=LOG_FILE_PATH): + """ Check if FIM event occurs and return it according to the callback. + Args: + file_monitor (FileMonitor): FileMonitor object to monitor the file content. + callback (str): log regex to check in Wazuh log + error_message (str): error message to show in case of expected event does not occur + update_position (boolean): filter configuration parameter to search in Wazuh log + timeout (str): timeout to check the event in Wazuh log + accum_results (int): Accumulation of matches. + Returns: + returns the value given by the callback used. Default None. + """ + file_monitor = FileMonitor(file_to_monitor) if file_monitor is None else file_monitor + error_message = f"Could not find this event in {file_to_monitor}: {callback}" if error_message is None else \ + error_message + + result = file_monitor.start(timeout=timeout, update_position=update_position, accum_results=accum_results, + callback=callback, error_message=error_message).result() + return result \ No newline at end of file From b88f0881ef41ff4ecef36ee981116b2f46796eb5 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Mon, 5 Jun 2023 18:22:09 -0300 Subject: [PATCH 17/25] style(#3963): add whiteline at file end --- deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py b/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py index 611a652bca..c0bcdba16a 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py 
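Review bot: The `get_fim_event` docstring documents `timeout (str)` although the default `T_60` and the `FileMonitor.start(timeout=...)` call make it a number, and the `file_to_monitor` parameter is not documented at all; `timeout (int): timeout to check the event in Wazuh log` and `file_to_monitor (str): path of the log file to monitor. Default LOG_FILE_PATH` would fix both. The `callback=''` default is an empty string rather than a callable, so calling the function without a callback presumably hands a str to `FileMonitor.start`; if that is not intended, `callback=generate_monitoring_callback('')` or making the argument required would be clearer. `update_position (boolean): filter configuration parameter to search in Wazuh log` also does not describe the parameter; `update_position (bool): whether the monitor continues from its last position in the log` matches how it is passed through.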
+++ b/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py @@ -650,4 +650,4 @@ def get_fim_event(file_monitor=None, callback='', error_message=None, update_pos result = file_monitor.start(timeout=timeout, update_position=update_position, accum_results=accum_results, callback=callback, error_message=error_message).result() - return result \ No newline at end of file + return result From 5003f5beba4b57c87ac9ba632700fa8e95cadfd0 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Mon, 5 Jun 2023 18:27:28 -0300 Subject: [PATCH 18/25] style(#3963): fix whitelines and spacing --- .../modules/fim/event_monitor.py | 1 + .../configuration_audit_buffer_over_time.yaml | 36 +++++++++++++++++++ .../test_file_limit_no_limit.py | 1 + 3 files changed, 38 insertions(+) create mode 100644 tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_over_time.yaml diff --git a/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py b/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py index c0bcdba16a..48c663379e 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py +++ b/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py @@ -631,6 +631,7 @@ def get_configured_whodata_queue_size(file_monitor): return file_monitor.start(timeout=T_10, callback=generate_monitoring_callback(CB_WHODATA_QUEUE_SIZE), error_message=create_error_message(CB_WHODATA_QUEUE_SIZE)).result() + def get_fim_event(file_monitor=None, callback='', error_message=None, update_position=True, timeout=T_60, accum_results=1, file_to_monitor=LOG_FILE_PATH): """ Check if FIM event occurs and return it according to the callback. 
diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_over_time.yaml b/tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_over_time.yaml new file mode 100644 index 0000000000..902a35f2bb --- /dev/null +++ b/tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_over_time.yaml @@ -0,0 +1,36 @@ +- sections: + - section: syscheck + elements: + - disabled: + value: 'no' + - frequency: + value: FREQUENCY + - directories: + value: TEST_DIRECTORIES + attributes: + - whodata: 'yes' + - max_eps: + value: MAX_EPS + - whodata: + elements: + - queue_size: + value: QUEUE_SIZE + - startup_healthcheck: + value: 'no' + + - section: sca + elements: + - enabled: + value: 'no' + + - section: rootcheck + elements: + - disabled: + value: 'yes' + + - section: wodle + attributes: + - name: syscollector + elements: + - disabled: + value: 'yes' diff --git a/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_no_limit.py b/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_no_limit.py index 0ad9554a86..46fb3fe9d6 100644 --- a/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_no_limit.py +++ b/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_no_limit.py @@ -156,6 +156,7 @@ def test_file_limit_no_limit(configure_local_internal_options_module, get_config - realtime - who_data ''' + wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) wazuh_log_monitor.start(timeout=global_parameters.default_timeout, callback=generate_monitoring_callback(CB_FILE_LIMIT_DISABLED), From 3e3d3ddf4dd3bdb2bc95bb23af27dceb7e3ed974 Mon Sep 17 00:00:00 2001 
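Review bot: The template sets `startup_healthcheck: 'no'` under `whodata` without saying why; the over_time cases count whodata events, so if audit is not actually delivering events the failure presumably surfaces later as a wrong event count rather than as the healthcheck failure that `detect_audit_healthcheck_failed` (added earlier in this series) would report. A short comment next to it, such as `# Healthcheck disabled on purpose: queue_size under test must decide whether whodata starts` (adjusted to the real reason), would make the intent clear to the next reader. The test that consumes this template (`test_audit_buffer_over_time.py`, listed in a later patch of the series) is not part of this hunk.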
From: Deblintrake09 Date: Fri, 9 Jun 2023 11:15:46 -0300 Subject: [PATCH 19/25] docs(#3963): update documentation and case names --- .../modules/fim/event_monitor.py | 1 - .../cases_audit_buffer_default.yaml | 6 + .../cases_audit_buffer_no_overflow.yaml | 7 + ...es_audit_buffer_over_time_no_overflow.yaml | 12 + ...cases_audit_buffer_over_time_overflow.yaml | 13 + .../cases_audit_buffer_overflow.yaml | 8 + .../test_cases/cases_audit_buffer_values.yaml | 56 +++ .../test_audit_buffer_behavior.py | 310 +++++++++++++++++ .../test_audit_buffer_configuration.py | 270 +++++++++++++++ .../test_audit_buffer_over_time.py | 323 ++++++++++++++++++ 10 files changed, 1005 insertions(+), 1 deletion(-) create mode 100644 tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_default.yaml create mode 100644 tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_no_overflow.yaml create mode 100644 tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_over_time_no_overflow.yaml create mode 100644 tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_over_time_overflow.yaml create mode 100644 tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_overflow.yaml create mode 100644 tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_values.yaml create mode 100644 tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py create mode 100644 tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_configuration.py create mode 100644 tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_over_time.py diff --git a/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py b/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py index 48c663379e..5ed780cfb2 100644 
--- a/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py +++ b/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py @@ -627,7 +627,6 @@ def get_configured_whodata_queue_size(file_monitor): Args: file_monitor (FileMonitor): file log monitor to detect events """ - return file_monitor.start(timeout=T_10, callback=generate_monitoring_callback(CB_WHODATA_QUEUE_SIZE), error_message=create_error_message(CB_WHODATA_QUEUE_SIZE)).result() diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_default.yaml b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_default.yaml new file mode 100644 index 0000000000..54c2195838 --- /dev/null +++ b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_default.yaml @@ -0,0 +1,6 @@ +- name: verify_queue_size_default_value + description: Verify when not setting queue_size it's default value is set and whodata starts correctly. + configuration_parameters: + TEST_DIRECTORIES: /testdir1 + metadata: + audit_starts: 16384 diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_no_overflow.yaml b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_no_overflow.yaml new file mode 100644 index 0000000000..c55647da60 --- /dev/null +++ b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_no_overflow.yaml @@ -0,0 +1,7 @@ +- name: audit_buffer_does_not_overflow + description: Verify if files are equal to queue_size, it does not overflow and files are detected in whodata mode + configuration_parameters: + TEST_DIRECTORIES: / + metadata: + files_to_add: 10 + fim_mode: whodata 
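Review bot: In `cases_audit_buffer_default.yaml` the metadata key `audit_starts: 16384` carries the expected queue size, whereas `cases_audit_buffer_values.yaml` in the same commit uses `audit_starts: true` together with `queue_size: <n>`; the key looks mistyped and, if the configuration test reads `metadata['audit_starts']` as a boolean, the number is still truthy and would hide the mismatch. `queue_size: 16384` plus `audit_starts: true` would align it with the other case file; since `test_audit_buffer_configuration.py` already imports `AUDIT_QUEUE_SIZE_DEFAULT_VALUE`, the literal may even be redundant there.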
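Review bot: `TEST_DIRECTORIES: /` in `cases_audit_buffer_no_overflow.yaml` is never used as written: `test_audit_buffer_behavior.py` overwrites `TEST_DIRECTORIES` with `test_folders[0]` for every case before loading the template, so the value in the case file is dead and misleading, and `/` is a poor fallback because if that override were ever dropped the agent would presumably put whodata (audit) rules on the whole filesystem. The same placeholder is in `cases_audit_buffer_overflow.yaml` and both `cases_audit_buffer_over_time_*.yaml` files. Either set the real directory here (`TEST_DIRECTORIES: /testdir1`, as `cases_audit_buffer_default.yaml` does) or add `# overwritten by the test with the created test folder` next to it.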
diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_over_time_no_overflow.yaml b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_over_time_no_overflow.yaml new file mode 100644 index 0000000000..1d86a0fa29 --- /dev/null +++ b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_over_time_no_overflow.yaml @@ -0,0 +1,12 @@ +- name: audit_buffer_full_all_files_detected_in_whodata + description: Verify if files are added below the queue's size, after space is freed, all files appear in whodata mode + configuration_parameters: + TEST_DIRECTORIES: / + QUEUE_SIZE: 50 + MAX_EPS: 6 + FREQUENCY: 20 + metadata: + files_first_insert: 50 # Fills queue 100% - log is only generated when it overflows. + wait_time: 5 # Time to wait between inserts to allow for files to be processed + files_second_insert: 20 # Insert files to check that files are still being detected in whodata + fim_mode: whodata diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_over_time_overflow.yaml b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_over_time_overflow.yaml new file mode 100644 index 0000000000..cb19bd747a --- /dev/null +++ b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_over_time_overflow.yaml @@ -0,0 +1,13 @@ +- name: audit_buffer_overflows_new_files_in_whodata + description: Verify if files are added over the queue's size, and time passes, new files are detected in whodata mode + configuration_parameters: + TEST_DIRECTORIES: / + QUEUE_SIZE: 20 + MAX_EPS: 4 + FREQUENCY: 10 + metadata: + files_first_insert: 24 + queue_size: 20 + wait_time: 5 + files_second_insert: 10 + fim_mode: whodata 
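Review bot: `cases_audit_buffer_over_time_overflow.yaml` repeats the configured value in metadata (`queue_size: 20` next to `QUEUE_SIZE: 20`) while `cases_audit_buffer_over_time_no_overflow.yaml` has no `queue_size` metadata at all, so the two files disagree on what the test may read; if `test_audit_buffer_over_time.py` (not in this hunk) reads `metadata['queue_size']`, the no_overflow case would fail with a KeyError, and if it does not, the duplicated value can drift from `QUEUE_SIZE` unnoticed. Keeping one source, either `queue_size` in metadata for both files or in neither, avoids that. The inline comments in the no_overflow file (`# Fills queue 100% ...`) are useful; the overflow file would benefit from the same, e.g. `files_first_insert: 24 # 4 files over QUEUE_SIZE so the queue overflows`.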
diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_overflow.yaml b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_overflow.yaml new file mode 100644 index 0000000000..d4030b14ea --- /dev/null +++ b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_overflow.yaml @@ -0,0 +1,8 @@ +- name: audit_buffer_overflows + description: Verify if files are added over the queue's size, it overflows and files are detected in scheduled mode. + configuration_parameters: + TEST_DIRECTORIES: / + metadata: + files_to_add: 15 + whodata_events: 10 + fim_mode: whodata diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_values.yaml b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_values.yaml new file mode 100644 index 0000000000..cf747fc77f --- /dev/null +++ b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_values.yaml 
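Review bot: `cases_audit_buffer_overflow.yaml` states `files_to_add: 15` and `whodata_events: 10` but nothing says which `queue_size` those numbers are sized against; the value comes from `configuration_audit_buffer_behavior.yaml`, which is not part of this patch, so a reader cannot tell whether 15 actually exceeds the queue. A comment such as `files_to_add: 15 # must exceed the QUEUE_SIZE set in configuration_audit_buffer_behavior.yaml` and `whodata_events: 10 # minimum whodata events expected before the queue fills` would tie the case to the template it depends on.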
@@ -0,0 +1,56 @@ +- name: queue_size_100_value_inside_range_starts_properly + description: Verify if value set is inside valid range it is configured and whodata starts correctly. + configuration_parameters: + QUEUE_SIZE: 100 + metadata: + queue_size: 100 + audit_starts: true + valid_range: true + +- name: queue_size_10_Lower_limit_starts_properly + description: Verify if value set is the lower allowed limit, whodata starts correctly + configuration_parameters: + QUEUE_SIZE: 10 + metadata: + queue_size: 10 + valid_range: true + audit_starts: true + +- name: queue_size_1048576_Upper_limit_starts_properly + description: Verify if value set to the upper limit whodata starts correctly. + configuration_parameters: + QUEUE_SIZE: 1048576 + metadata: + queue_size: 1048576 + audit_starts: true + valid_range: true + +- name: queue_size_invalid_value_below_minimum + description: Verify if value set is below allowed minimum, whodata fails to start. + configuration_parameters: + QUEUE_SIZE: 9 + metadata: + queue_size: 9 + valid_range: false + audit_starts: false + fail_reason: invalid_value + +- name: queue_size_invalid_value_above_maximum + description: Verify if value set is above allowed minimum, whodata fails to start. + configuration_parameters: + QUEUE_SIZE: 1048577 + metadata: + queue_size: 1048577 + valid_range: false + audit_starts: false + fail_reason: invalid_value + +- name: queue_size_invalid_value_Invalid_characters + description: Verify if value set using characters instead of only numbers, whodata fails to start. + configuration_parameters: + QUEUE_SIZE: 100c + metadata: + queue_size: 100c + valid_range: false + audit_starts: false + fail_reason: invalid_value diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py new file mode 100644 index 0000000000..1bf9bffd5e --- /dev/null 
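Review bot: The description of `queue_size_invalid_value_above_maximum` says `Verify if value set is above allowed minimum, whodata fails to start.` although the case sets `QUEUE_SIZE: 1048577`, one over the upper limit used by the previous case; it should read `Verify if value set is above allowed maximum, whodata fails to start.` Case names also mix capitalisation (`queue_size_10_Lower_limit_starts_properly`, `queue_size_1048576_Upper_limit_starts_properly`, `queue_size_invalid_value_Invalid_characters`) while the others are all lower case; since these names become pytest ids, `lower_limit`, `upper_limit` and `invalid_characters` would keep them uniform.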
+++ b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py 
@@ -0,0 +1,310 @@ +''' +copyright: Copyright (C) 2015-2023, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are + added, modified or deleted. It can monitor using Audit information (whodata mode). Whodata mode has an option + 'queue_size' that will save whodata events up until it is full so it can decode them and generate alerts. Events + in excess of the queue will be dropped and handled in the next scheduled scan. This is done to avoid blocking + the audit socket. This tests aim to test the behavior of the queue, by inserting files above or below the set + value for queue_size, and verify if events were detected in whodata or scheduled mode appropiately. + +components: + - fim + +suite: audit_buffer + +targets: + - agent + +daemons: + - wazuh-syscheckd + +os_platform: + - linux + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - Debian Buster + - Red Hat 8 + - Ubuntu Focal + - Ubuntu Bionic + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + +pytest_args: + - fim_mode: + scheduled: File monitoring is done after every configured interval elapses. + realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the 'who-data' information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. + 1: Only level 1 tests are performed, they check functionalities of medium complexity. + 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. 
+ +tags: + - windows_folder_redirection +''' +import os + + +import pytest +from wazuh_testing import LOG_FILE_PATH, REGULAR, T_10, T_20 +from wazuh_testing.tools import PREFIX +from wazuh_testing.tools.configuration import get_test_cases_data, load_configuration_template +from wazuh_testing.tools.monitoring import FileMonitor +from wazuh_testing.tools.file import create_file +from wazuh_testing.modules.fim import TEST_DIR_1 +from wazuh_testing.modules.fim import FIM_DEFAULT_LOCAL_INTERNAL_OPTIONS as local_internal_options +from wazuh_testing.modules.fim.event_monitor import (callback_detect_file_added_event, detect_audit_queue_full, + detect_initial_scan_start, get_messages) + + +# Marks +pytestmark = [pytest.mark.linux, pytest.mark.tier(level=1)] + +# Variables +test_folders = [os.path.join(PREFIX, TEST_DIR_1)] + +# Reference paths +TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') +CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration_template') +TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases') + + +# Configuration and cases data +configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_audit_buffer_behavior.yaml') +t1_test_cases_path = os.path.join(TEST_CASES_PATH, 'cases_audit_buffer_no_overflow.yaml') +t2_test_cases_path = os.path.join(TEST_CASES_PATH, 'cases_audit_buffer_overflow.yaml') + +# Test configurations +t1_configuration_parameters, t1_configuration_metadata, t1_test_case_ids = get_test_cases_data(t1_test_cases_path) +for count, value in enumerate(t1_configuration_parameters): + t1_configuration_parameters[count]['TEST_DIRECTORIES'] = test_folders[0] +t1_configurations = load_configuration_template(configurations_path, t1_configuration_parameters, + t1_configuration_metadata) + +# Test configurations +t2_configuration_parameters, t2_configuration_metadata, t2_test_case_ids = get_test_cases_data(t2_test_cases_path) +for count, value in enumerate(t2_configuration_parameters): + 
t2_configuration_parameters[count]['TEST_DIRECTORIES'] = test_folders[0] +t2_configurations = load_configuration_template(configurations_path, t2_configuration_parameters, + t2_configuration_metadata) + + +# Tests +@pytest.mark.parametrize('test_folders', [test_folders], ids='') +@pytest.mark.parametrize('configuration, metadata', zip(t1_configurations, t1_configuration_metadata), + ids=t1_test_case_ids) +def test_audit_buffer_no_overflow(configuration, metadata, test_folders, set_wazuh_configuration, + create_monitored_folders, configure_local_internal_options_function, + restart_syscheck_function, wait_syscheck_start): + ''' + description: Check that when files are added equal to the whodata "queue_size", the queue does not overflow, all + files are detected in whodata mode, and after the next scan no file is detected in scheduled mode. + + + test_phases: + - setup: + - Set wazuh configuration and local_internal_options. + - Create custom folder for monitoring + - Clean logs files and restart wazuh to apply the configuration. + - test: + - Insert a given amount of files + - Check that no "queue full" message is detected (Queue has not overflown) + - Validate real-time whodata thread is started correctly + - On invalid values, validate error and that whodata does not start. + - teardown: + - Delete custom monitored folder + - Restore configuration + - Stop wazuh + + wazuh_min_version: 4.5.0 + + tier: 1 + + parameters: + - configuration: + type: dict + brief: Configuration values to apply. + - metadata: + type: dict + brief: Test case data. + - test_folders: + type: dict + brief: List of folders to be created for monitoring. + - set_wazuh_configuration: + type: fixture + brief: Set wazuh configuration. + - create_monitored_folders: + type: fixture + brief: Create a given list of folders when the test starts. Delete the folders at the end of the test. + - configure_local_internal_options_function: + type: fixture + brief: Set local_internal_options file. 
+ - restart_syscheck_function: + type: fixture + brief: restart syscheckd daemon, and truncate the log files. + - wait_syscheck_start: + type: fixture + brief: check that the starting FIM scan is detected. + + assertions: + - Verify the queue does not overflow after inserting files + - Verify all files are detected in whodata mode + + input_description: The file 'configuration_audit_buffer_behavior' provides the configuration template. + The file 'cases_audit_buffer_no_overflow.yaml' provides the test cases details for each test case. + + expected_output: + - r".*(Internal audit queue is full). Some events may be lost. Next scheduled scan will recover lost data." + - r".*Sending FIM event: (.+)$" + ''' + wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) + files_to_add = metadata['files_to_add'] + whodata_events = files_to_add + + # Insert an ammount of files + for file in range(0, files_to_add): + create_file(REGULAR, test_folders[0], f'test_file_{file}', content='') + + # Check that queue has not been overflown + with pytest.raises(TimeoutError): + detect_audit_queue_full(wazuh_log_monitor, update_position=False) + + # Get all file events + results = wazuh_log_monitor.start(timeout=T_10, callback=callback_detect_file_added_event, + accum_results=whodata_events, + error_message=f"Did not receive the expected {whodata_events} amount of \ + whodata file added events").result() + # Check all files are detected in whodata mode + for result in results: + assert result['data']['mode'] == 'whodata', f"Expected whodata event, found {result['data']['mode']} event" + + # Detect next scheduled scan + detect_initial_scan_start(wazuh_log_monitor, timeout=T_10) + + # Check no events are found after scan. 
+ with pytest.raises(TimeoutError): + wazuh_log_monitor.start(timeout=T_20, callback=callback_detect_file_added_event, + accum_results=1, error_message="Found unexpected file added event \ + in during scheduled scan") + + +@pytest.mark.parametrize('test_folders', [test_folders], ids='', scope='module') +@pytest.mark.parametrize('configuration, metadata', zip(t2_configurations, t2_configuration_metadata), + ids=t2_test_case_ids) +def test_audit_buffer_overflown(configuration, metadata, test_folders, set_wazuh_configuration, + create_monitored_folders_module, configure_local_internal_options_function, + restart_syscheck_function, wait_syscheck_start): + ''' + description: Check that when files are exceeding the whodata "queue_size" value the queue overflows, and the + excess files files are detected in scheduled mode, and after the next scheduled scan. + + test_phases: + - setup: + - Set wazuh configuration and local_internal_options. + - Create custom folder for monitoring + - Clean logs files and restart wazuh to apply the configuration. + - test: + - Insert a given number of files + - Check that the "queue_full" event appears + - Check the amount of files that were detected prior to the queue being full + - Check the excess files are detected in scheduled mode after the following scan + - teardown: + - Delete custom monitored folder + - Restore configuration + - Stop wazuh + + wazuh_min_version: 4.5.0 + + tier: 2 + + parameters: + - configuration: + type: dict + brief: Configuration values to apply to wazuh. + - metadata: + type: dict + brief: Test case data. + - test_folders: + type: dict + brief: List of folders to be created for monitoring. + - set_wazuh_configuration: + type: fixture + brief: Set wazuh configuration. + - create_monitored_folders: + type: fixture + brief: Create a given list of folders when the test starts. Delete the folders at the end of the test. 
+ - configure_local_internal_options_function: + type: fixture + brief: Set local internal options file. + - restart_syscheck_function: + type: fixture + brief: restart syscheckd daemon, and truncate the log files. + - wait_syscheck_start: + type: fixture + brief: check that the starting FIM scan is detected. + + assertions: + - Verify when queue is full an event informs audit events may be lost + - Verify that files detected in whodata mode before it being full are equal or more than the configured value + - Verify the excess files inserted after queue full are detected in scheduled mode. + + input_description: The file 'configuration_audit_buffer_behavior' provides the configuration template. + The file 'cases_audit_buffer_overflow.yaml' provides the tes cases configuration + details for each test case. + + expected_output: + - r".*(Internal audit queue is full). Some events may be lost. Next scheduled scan will recover lost data." + - r".*Sending FIM event: (.+)$" + ''' + wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) + files_to_add = metadata['files_to_add'] + + # Insert an ammount of files + for file in range(0, files_to_add): + create_file(REGULAR, test_folders[0], f'test_file_{file}', content='') + + # Detect If queue_full message has been generated + detect_audit_queue_full(wazuh_log_monitor, update_position=False) + + # Get all file added events + results = get_messages(callback_detect_file_added_event, timeout=T_10, + error_message=f"Did not receive the expected file added events") + + # Check the ammount of added events in whodata mode is equal or more than the expected value + found_whodata_events = 0 + for result in results: + if result['data']['mode'] == 'whodata': + found_whodata_events = found_whodata_events + 1 + assert found_whodata_events >= metadata['whodata_events'], f"Found less whodata File added events \ + than the expected {metadata['whodata_events']}" + + # Wait for scheduled scan so the rest of file events are generated + 
detect_initial_scan_start(wazuh_log_monitor, timeout=T_10) + + # Get all file added events + results = get_messages(callback_detect_file_added_event, timeout=T_10, + error_message=f"Did not receive the expected file added events") + + # Check the amount of added events in scheduled mode is equal to the amount of files created + # minus the generated whodata events + scheduled_events = files_to_add - found_whodata_events + found_scheduled_events = 0 + for result in results: + if result['data']['mode'] == 'scheduled': + found_scheduled_events += 1 + + assert found_scheduled_events == scheduled_events, f"Wrong amount of scheduled events found. Found \ + {found_scheduled_events}, Expected {scheduled_events}" diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_configuration.py b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_configuration.py new file mode 100644 index 0000000000..027745b9cb --- /dev/null +++ b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_configuration.py 
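Review bot: The module docstring ends with `tags: - windows_folder_redirection`, which does not match a Linux-only audit buffer test (`pytestmark = [pytest.mark.linux, ...]`); it looks copied from another suite and should name this one (for example `tags: - audit_buffer`, matching `suite: audit_buffer`), and the same wrong tag is in the `test_audit_buffer_configuration.py` header later in this commit. Several error messages use a backslash continuation inside the f-string (`f"Did not receive the expected {whodata_events} amount of \` followed by `whodata file added events"`, and the two `assert` messages in `test_audit_buffer_overflown`), which embeds the next line's indentation in the message; implicit concatenation of two adjacent literals inside the parentheses avoids the stray whitespace. Both `get_messages` calls pass `error_message=f"Did not receive the expected file added events"` with no placeholders, so the `f` prefix can go. The `test_audit_buffer_overflown` docstring lists `create_monitored_folders` although the test takes `create_monitored_folders_module`, and `excess files files` is a typo.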
@@ -0,0 +1,270 @@ +''' +copyright: Copyright (C) 2015-2023, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are + added, modified or deleted. It can monitor using Audit information (whodata mode). Whodata mode has an option + 'queue_size' that will save whodata events up until it is full so it can decode them and generate alerts. Events + in excess of the queue will be dropped and handled in the next scheduled scan. This is done to avoid blocking + the audit socket. + +components: + - fim + +suite: audit_buffer + +targets: + - manager + - agent + +daemons: + - wazuh-syscheckd + +os_platform: + - linux + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - Debian Buster + - Red Hat 8 + - Ubuntu Focal + - Ubuntu Bionic + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + +pytest_args: + - fim_mode: + whodata: Implies real-time monitoring but adding the 'who-data' information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. + 1: Only level 1 tests are performed, they check functionalities of medium complexity. + 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. 
+ +tags: + - windows_folder_redirection +''' +import os + + +import pytest +from wazuh_testing import LOG_FILE_PATH, T_5 +from wazuh_testing.tools import PREFIX +from wazuh_testing.tools.configuration import get_test_cases_data, load_configuration_template +from wazuh_testing.tools.monitoring import FileMonitor +from wazuh_testing.modules.fim import TEST_DIR_1, AUDIT_QUEUE_SIZE_DEFAULT_VALUE +from wazuh_testing.modules.fim import FIM_DEFAULT_LOCAL_INTERNAL_OPTIONS as local_internal_options +from wazuh_testing.modules.fim.event_monitor import (get_configured_whodata_queue_size, detect_audit_queue_full, + detect_invalid_conf_value, detect_audit_healthcheck_failed, + detect_whodata_start) + + +# Marks +pytestmark = [pytest.mark.linux, pytest.mark.tier(level=1)] + +# Variables +test_folders = [os.path.join(PREFIX, TEST_DIR_1)] + +# Reference paths +TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') +CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration_template') +TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases') + +# ---------------------------------------TEST_AUDIT_BUFFER_DEFAULT------------------------------------------- +# Configuration and cases data +t1_test_cases_path = os.path.join(TEST_CASES_PATH, 'cases_audit_buffer_default.yaml') +t1_configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_audit_buffer_default.yaml') + +# Test configurations +t1_configuration_parameters, t1_configuration_metadata, t1_test_case_ids = get_test_cases_data(t1_test_cases_path) +for count, value in enumerate(t1_configuration_parameters): + t1_configuration_parameters[count]['TEST_DIRECTORIES'] = test_folders[0] +t1_configurations = load_configuration_template(t1_configurations_path, t1_configuration_parameters, + t1_configuration_metadata) + +# ---------------------------------------TEST_AUDIT_BUFFER_VALUES------------------------------------------- +# Configuration and cases data +t2_test_cases_path = 
os.path.join(TEST_CASES_PATH, 'cases_audit_buffer_values.yaml') +t2_configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_audit_buffer_values.yaml') + +# Test configurations +t2_configuration_parameters, t2_configuration_metadata, t2_test_case_ids = get_test_cases_data(t2_test_cases_path) +for count, value in enumerate(t2_configuration_parameters): + t2_configuration_parameters[count]['TEST_DIRECTORIES'] = test_folders[0] +t2_configurations = load_configuration_template(t2_configurations_path, t2_configuration_parameters, + t2_configuration_metadata) + + +# Tests +@pytest.mark.parametrize('test_folders', [test_folders], ids='', scope='module') +@pytest.mark.parametrize('configuration, metadata', zip(t1_configurations, t1_configuration_metadata), + ids=t1_test_case_ids) +def test_audit_buffer_default(configuration, metadata, test_folders, set_wazuh_configuration, + create_monitored_folders_module, configure_local_internal_options_function, + restart_syscheck_function): + ''' + description: Check if the default configured value for whodata's 'queue_size' option. Also verify that the whodata + thread is started correctly. + + test_phases: + - setup: + - Set wazuh configuration and local_internal_options. + - Create custom folder for monitoring + - Clean logs files and restart wazuh to apply the configuration. + - test: + - Assert configured queue_size value is default value + - Validate real-time whodata thread is started correctly + - teardown: + - Delete custom monitored folder + - Restore configuration + - Stop wazuh + + wazuh_min_version: 4.5.0 + + tier: 0 + + parameters: + - configuration: + type: dict + brief: Configuration values to apply. + - metadata: + type: dict + brief: Test case data. + - test_folders: + type: dict + brief: List of folders to be created for monitoring. + - set_wazuh_configuration: + type: fixture + brief: Set wazuh configuration. 
+ - create_monitored_folders_module: + type: fixture + brief: Create a given list of folders when the module starts. Delete the folders at the end of the module. + - configure_local_internal_options_function: + type: fixture + brief: Set local_internal_options file. + - restart_syscheck_function: + type: fixture + brief: restart syscheckd daemon, and truncate the log files. + + assertions: + - Verify configured queue_size value is default value + - Verify real-time whodata thread is started correctly + + input_description: The file 'configuration_audit_buffer_default.yaml' provides the configuration + template. + The file 'cases_audit_buffer_default.yaml' provides the tes cases configuration + details for each test case. + + expected_output: + - r".*Internal audit queue size set to \'(.*)\'." + - r'.*File integrity monitoring (real-time Whodata) engine started.*' + ''' + wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) + + # Detect configured value + configured_value = get_configured_whodata_queue_size(wazuh_log_monitor) + assert str(AUDIT_QUEUE_SIZE_DEFAULT_VALUE) in configured_value, 'Unexpected "queue_size" value found in ossec.log' + + # Detect real-time whodata thread started correctly + detect_whodata_start(wazuh_log_monitor) + + +@pytest.mark.parametrize('test_folders', [test_folders], ids='', scope='module') +@pytest.mark.parametrize('configuration, metadata', zip(t2_configurations, t2_configuration_metadata), + ids=t2_test_case_ids) +def test_audit_buffer_values(configuration, metadata, test_folders, set_wazuh_configuration, + create_monitored_folders_module, configure_local_internal_options_function, + restart_syscheck_function): + ''' + description: Check when setting values to whodata's 'queue_size' option. The value is configured correctly.Also, + verify that the whodata thread is started correctly when value is inside valid range, and it fails + to start with values outside range and error messages are shown accordingly. 
+ + test_phases: + - setup: + - Set wazuh configuration and local_internal_options. + - Create custom folder for monitoring + - Clean logs files and restart wazuh to apply the configuration. + - test: + - Assert configured queue_size value is default value + - Validate real-time whodata thread is started correctly + - On invalid values, validate error and that whodata does not start. + - teardown: + - Delete custom monitored folder + - Restore configuration + - Stop wazuh + + wazuh_min_version: 4.5.0 + + tier: 1 + + parameters: + - configuration: + type: dict + brief: Configuration values to apply. + - metadata: + type: dict + brief: Test case data. + - test_folders: + type: dict + brief: List of folders to be created for monitoring. + - set_wazuh_configuration: + type: fixture + brief: Set wazuh configuration. + - create_monitored_folders_module: + type: fixture + brief: Create a given list of folders when the module starts. Delete the folders at the end of the module. + - configure_local_internal_options_function: + type: fixture + brief: Set local internal options file. + - restart_syscheck_function: + type: fixture + brief: restart syscheckd daemon, and truncate the log files. + + assertions: + - Verify when queue is full an event informs audit events may be lost + - Verify when queue is full at start up audit healthcheck fails and does not start + - Verify when using invalid values an error message is shown and does not start + - Verify configured queue_size value + - Verify real-time whodata thread is started correctly + + input_description: The file 'configuration_audit_buffer_values' provides the configuration template. + The file 'cases_audit_buffer_values.yaml' provides the tes cases configuration + details for each test case. + + expected_output: + - r".*(Internal audit queue is full). Some events may be lost. Next scheduled scan will recover lost data." + - r".*(Audit health check couldn't be completed correctly)." 
+ - fr".*Invalid value for element (\'{element}\': .*)" + - r".*Internal audit queue size set to \'(.*)\'." + - r'.*File integrity monitoring (real-time Whodata) engine started.*' + ''' + wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) + + if metadata['valid_range']: + # Detect configured value + configured_value = get_configured_whodata_queue_size(wazuh_log_monitor) + assert str(metadata['queue_size']) in configured_value, 'Unexpected value found in "queue_size" in ossec.conf' + + if not metadata['audit_starts']: + # Detect cause of failure + if metadata['fail_reason'] == 'queue_full': + detect_audit_queue_full(wazuh_log_monitor) + detect_audit_healthcheck_failed(wazuh_log_monitor) + elif metadata['fail_reason'] == 'invalid_value': + detect_invalid_conf_value(wazuh_log_monitor, element='queue_size') + with pytest.raises(TimeoutError): + # Detect real-time whodata thread does not start + detect_whodata_start(wazuh_log_monitor, timeout=T_5) + else: + # Detect whodata thread started correctly + detect_whodata_start(wazuh_log_monitor) diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_over_time.py b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_over_time.py new file mode 100644 index 0000000000..e0f9089f90 --- /dev/null +++ b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_over_time.py 
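Review bot: `assert str(metadata['queue_size']) in configured_value` in test_audit_buffer_values (and the same pattern with AUDIT_QUEUE_SIZE_DEFAULT_VALUE in test_audit_buffer_default) is a substring check, so a logged size such as 1000 would satisfy an expected 100; if get_configured_whodata_queue_size returns the captured group of the "Internal audit queue size set to" line, `assert configured_value == str(metadata['queue_size'])` is the precise check. In the `if not metadata['audit_starts']` branch an unrecognised `fail_reason` falls through with no error detection and only the TimeoutError check runs, so a mistyped case file passes silently; an explicit `else: pytest.fail(f"Unknown fail_reason {metadata['fail_reason']}")` closes that gap. The docstring of test_audit_buffer_default says `tier: 0` while pytestmark sets tier(level=1), the `test_folders` parameter is typed `dict` although it is a list, and the module tags list `windows_folder_redirection` for a linux-only audit suite; these look copied from another test.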
@@ -0,0 +1,323 @@ +''' +copyright: Copyright (C) 2015-2023, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are + added, modified or deleted. It can monitor using Audit information (whodata mode). Whodata mode has an option + 'queue_size' that will save whodata events up until it is full so it can decode them and generate alerts. Events + in excess of the queue will be dropped and handled in the next scheduled scan. This is done to avoid blocking + the audit socket. Events in the queue are processed and removed from the queue, at a rate set my the max_eps tag. + This tests aim to test the behavior of the queue in conjunction with max_eps, that fill/overflow the queue, then + waiting for events to be processed and inserting files again, to verify files are processed in expected modes. + +components: + - fim + +suite: audit_buffer + +targets: + - agent + +daemons: + - wazuh-syscheckd + +os_platform: + - linux + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - Debian Buster + - Red Hat 8 + - Ubuntu Focal + - Ubuntu Bionic + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + +pytest_args: + - fim_mode: + scheduled: File monitoring is done after every configured interval elapses. + realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the 'who-data' information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. + 1: Only level 1 tests are performed, they check functionalities of medium complexity. 
+ 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. + +tags: + - windows_folder_redirection +''' +import os +import time + +import pytest +from wazuh_testing import LOG_FILE_PATH, REGULAR, T_60, T_20 +from wazuh_testing.tools import PREFIX +from wazuh_testing.tools.configuration import get_test_cases_data, load_configuration_template +from wazuh_testing.tools.monitoring import FileMonitor +from wazuh_testing.tools.file import create_file +from wazuh_testing.modules.fim import TEST_DIR_1 +from wazuh_testing.modules.fim import FIM_DEFAULT_LOCAL_INTERNAL_OPTIONS as local_internal_options +from wazuh_testing.modules.fim.event_monitor import (callback_detect_file_added_event, detect_audit_queue_full, + get_messages) + + +# Marks +pytestmark = [pytest.mark.linux, pytest.mark.tier(level=1)] + +# Variables +test_folders = [os.path.join(PREFIX, TEST_DIR_1)] + +# Reference paths +TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') +CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration_template') +TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases') + + +# Configuration and cases data +configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_audit_buffer_over_time.yaml') +t1_test_cases_path = os.path.join(TEST_CASES_PATH, 'cases_audit_buffer_over_time_no_overflow.yaml') +t2_test_cases_path = os.path.join(TEST_CASES_PATH, 'cases_audit_buffer_over_time_overflow.yaml') + +# Test configurations +t1_configuration_parameters, t1_configuration_metadata, t1_test_case_ids = get_test_cases_data(t1_test_cases_path) +for count, value in enumerate(t1_configuration_parameters): + t1_configuration_parameters[count]['TEST_DIRECTORIES'] = test_folders[0] +t1_configurations = load_configuration_template(configurations_path, t1_configuration_parameters, + t1_configuration_metadata) + +# Test configurations +t2_configuration_parameters, t2_configuration_metadata, t2_test_case_ids = 
get_test_cases_data(t2_test_cases_path) +for count, value in enumerate(t2_configuration_parameters): + t2_configuration_parameters[count]['TEST_DIRECTORIES'] = test_folders[0] +t2_configurations = load_configuration_template(configurations_path, t2_configuration_parameters, + t2_configuration_metadata) + + +# Tests +@pytest.mark.parametrize('test_folders', [test_folders], ids='') +@pytest.mark.parametrize('configuration, metadata', zip(t1_configurations, t1_configuration_metadata), + ids=t1_test_case_ids) +def test_audit_buffer_over_time_no_overflow(configuration, metadata, test_folders, set_wazuh_configuration, + create_monitored_folders, configure_local_internal_options_function, + restart_syscheck_function, wait_syscheck_start): + ''' + description: This test validates the behavior of "queue_size" in tandem with "max_eps". Check that when files are + added equal to the whodata "queue_size" the queue does not overflow, after some files are processed + adding new files that do not exceed the empty space in the queue, all files are detected in whodata + mode. + test_phases: + - setup: + - Set wazuh configuration and local_internal_options. + - Create custom folder for monitoring + - Clean logs files and restart wazuh to apply the configuration. + - test: + - Insert enough files to fill queue + - Wait x seconds for space to be freed in queue + - Insert enough files to fill queue again + - Validate queue was full + - Validate no event was dropped and all events were detected in whodata mode + - teardown: + - Delete custom monitored folder + - Restore configuration + - Stop wazuh + + wazuh_min_version: 4.5.0 + + tier: 2 + + parameters: + - configuration: + type: dict + brief: Configuration values to apply to wazuh. + - metadata: + type: dict + brief: Test case data. + - test_folders: + type: dict + brief: List of folders to be created for monitoring. + - set_wazuh_configuration: + type: fixture + brief: Set wazuh configuration. 
+ - create_monitored_folders_module: + type: fixture + brief: Create a given list of folders when the module starts. Delete the folders at the end of the module. + - configure_local_internal_options_function: + type: fixture + brief: Set local_internal_options file. + - restart_syscheck_function: + type: fixture + brief: restart syscheckd daemon, and truncate the log files. + - wait_syscheck_start: + type: fixture + brief: check that the starting FIM scan is detected. + + assertions: + - Verify whadata queue is full + - Verify all inserted files are detected in whodata mode if files are inserted after queue space is freed + + input_description: The file 'configuration_audit_buffer_over_time.yaml' provides the configuration + template. + The file 'cases_audit_buffer_over_time_no_overflow.yaml' provides the tes cases configuration + details for each test case. + + expected_output: + - r".*(Internal audit queue is full). Some events may be lost. Next scheduled scan will recover lost data." + - r".*Sending FIM event: (.+)$" + ''' + wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) + whodata_events = metadata['files_first_insert'] + metadata['files_second_insert'] + + # Wait for FIM to process all initial whodata messages + time.sleep(2) + + # Insert an amount of files + for file in range(0, metadata['files_first_insert']): + create_file(REGULAR, test_folders[0], f'test_file_{file}', content='') + + # Wait for files to be processed + time.sleep(metadata['wait_time']) + + # Insert a second amount of files + for file in range(0, metadata['files_second_insert']): + create_file(REGULAR, test_folders[0], f'test_file_second_insert_{file}', content='') + + # Detect audit queue is full + with pytest.raises(TimeoutError): + detect_audit_queue_full(wazuh_log_monitor, update_position=False) + + # Get all file events + results = wazuh_log_monitor.start(timeout=T_60, callback=callback_detect_file_added_event, + accum_results=whodata_events, + error_message=f"Did not receive the 
expected amount of \ + whodata file added events").result() + # Validate all files where found in whodata mode - no files where dropped + for result in results: + assert result['data']['mode'] == 'whodata', f"Expected whodata event, found {result['data']['mode']} event" + + +@pytest.mark.parametrize('test_folders', [test_folders], ids='') +@pytest.mark.parametrize('configuration, metadata', zip(t2_configurations, t2_configuration_metadata), + ids=t2_test_case_ids) +def test_audit_buffer_overflow(configuration, metadata, test_folders, set_wazuh_configuration, + create_monitored_folders, configure_local_internal_options_function, + restart_syscheck_function, wait_syscheck_start): + ''' + description: This test validates the behavior of "queue_size" in tandem with "max_eps". Check that when files are + added causing whodata queue to overflow, and after some files are processed, if new files are added + that do not exceed the empty space in the queue, only the files from the first insertion, that caused + the overflow are detected in scheduled mode. All files from second insertion are detected in whodata. + + test_phases: + - setup: + - Set wazuh configuration and local_internal_options. + - Create custom folder for monitoring + - Clean logs files and restart wazuh to apply the configuration. + - test: + - Insert enough files to fill queue + - Detect if whodata queue has overflowed + - Wait x seconds for space to be freed in queue + - Insert files a second time + - Validate only files from the first insert were detected in scheduled mode + - Validate a all files from the second insert are detected. + - teardown: + - Delete custom monitored folder + - Restore configuration + - Stop wazuh + + wazuh_min_version: 4.5.0 + + tier: 2 + + parameters: + - configuration: + type: dict + brief: Configuration values to apply to wazuh. + - metadata: + type: dict + brief: Test case data. + - test_folders: + type: dict + brief: List of folders to be created for monitoring. 
+ - set_wazuh_configuration: + type: fixture + brief: Set wazuh configuration. + - create_monitored_folders_module: + type: fixture + brief: Create a given list of folders when the module starts. Delete the folders at the end of the module. + - configure_local_internal_options_function: + type: fixture + brief: Set local_internal_options file. + - restart_syscheck_function: + type: fixture + brief: restart syscheckd daemon, and truncate the log files. + - wait_syscheck_start: + type: fixture + brief: check that the starting FIM scan is detected. + + assertions: + - Verify when queue is full an event informs audit events may be lost + - Verify when queue is full at start up audit healthcheck fails and does not start + - Verify when using invalid values an error message is shown and does not start + - Verify configured queue_size value + - Verify real-time whodata thread is started correctly + + input_description: The file 'configuration_audit_buffer_values' provides the configuration template. + The file 'cases_audit_buffer_values.yaml' provides the tes cases configuration + details for each test case. + + expected_output: + - r".*(Internal audit queue is full). Some events may be lost. Next scheduled scan will recover lost data." + - r".*(Audit health check couldn't be completed correctly)." + - fr".*Invalid value for element (\'{element}\': .*)" + - r".*Internal audit queue size set to \'(.*)\'." 
+ - r'.*File integrity monitoring (real-time Whodata) engine started.*' + ''' + wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) + files_first_insert = metadata['files_first_insert'] + files_second_insert = metadata['files_second_insert'] + total_files = files_first_insert + files_second_insert + + # Wait for FIM to process all initial whodata messages + time.sleep(2) + + # Insert an ammount of files + for file in range(0, files_first_insert): + create_file(REGULAR, test_folders[0], f'test_file_first_insert_{file}', content='') + + # Wait for files to be processed + time.sleep(metadata["wait_time"]) + + # Detect If queue_full message has been generated + detect_audit_queue_full(wazuh_log_monitor, update_position=False) + + # Insert a second amount of files + for file in range(0, files_second_insert): + create_file(REGULAR, test_folders[0], f'test_file_second_insert_{file}', content='') + + # Get all file added events + results = get_messages(callback_detect_file_added_event, timeout=T_20, max_events=total_files, + error_message=f"Did not receive the expected file added events") + + second_set_events = 0 + for result in results: + # Check that all of the files processed in scheduled mode where from the first batch only + if result['data']['mode'] == 'scheduled': + assert 'test_file_first_insert_' in result['data']['path'], "Expected only files from first set to be in\ + scheduled mode, found file from second set" + # Count the events detected from second batch of files. Will only contain whodata because of previous assert + if 'test_file_second_insert_' in result['data']['path']: + second_set_events += 1 + + # Check that all the files from the second insert have been detected + assert second_set_events == files_second_insert, f"Unexpected amount of files detected from second insert, found: \ + {second_set_events}, expected: {files_second_insert}" From 6f2cfb74f644cef77966f71020539ba83a902cdb Mon Sep 17 00:00:00 2001 
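Review bot: In test_audit_buffer_over_time_no_overflow the comment `# Detect audit queue is full` and the docstring assertion "Verify whadata queue is full" state the opposite of what the code checks: the `with pytest.raises(TimeoutError)` around detect_audit_queue_full passes only when the queue-full message never appears. Suggested comment: `# Assert the queue never reported being full (queue_full message must not be logged)`, with the assertion entry reworded to say no overflow occurred. In test_audit_buffer_overflow the docstring assertions and expected_output (audit health check, invalid value for element, whodata engine started) describe the configuration test rather than this one, and both parameter lists document `create_monitored_folders_module` while the signatures take `create_monitored_folders`. The queue-full line is the operator's only log signal that real-time FIM coverage was lost until the next scheduled scan, so keeping the positive detect_audit_queue_full check in the overflow test as an assertion (rather than a wait) is worth a comment saying so.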
From: Deblintrake09 Date: Fri, 9 Jun 2023 11:16:03 -0300 Subject: [PATCH 20/25] style(#3963): rename test for clarity --- .../data/wazuh_conf_file_limit_disabled.yaml | 30 +++++++++++++++++++ ...o_limit.py => test_file_limit_disabled.py} | 4 +-- 2 files changed, 32 insertions(+), 2 deletions(-) create mode 100644 tests/integration/test_fim/test_files/test_file_limit/data/wazuh_conf_file_limit_disabled.yaml rename tests/integration/test_fim/test_files/test_file_limit/{test_file_limit_no_limit.py => test_file_limit_disabled.py} (97%) diff --git a/tests/integration/test_fim/test_files/test_file_limit/data/wazuh_conf_file_limit_disabled.yaml b/tests/integration/test_fim/test_files/test_file_limit/data/wazuh_conf_file_limit_disabled.yaml new file mode 100644 index 0000000000..a5fc64c6af --- /dev/null +++ b/tests/integration/test_fim/test_files/test_file_limit/data/wazuh_conf_file_limit_disabled.yaml @@ -0,0 +1,30 @@ +- sections: + - section: syscheck + elements: + - disabled: + value: 'no' + - frequency: + value: FREQUENCY + - windows_registry: + value: WINDOWS_REGISTRY + attributes: + - arch: both + + - section: sca + elements: + - enabled: + value: 'no' + - section: rootcheck + elements: + - disabled: + value: 'yes' + - section: wodle + attributes: + - name: syscollector + elements: + - disabled: + value: 'yes' + - section: active-response + elements: + - disabled: + value: 'yes' diff --git a/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_no_limit.py b/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_disabled.py similarity index 97% rename from tests/integration/test_fim/test_files/test_file_limit/test_file_limit_no_limit.py rename to tests/integration/test_fim/test_files/test_file_limit/test_file_limit_disabled.py index 46fb3fe9d6..f66ec1ac4a 100644 --- a/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_no_limit.py +++ b/tests/integration/test_fim/test_files/test_file_limit/test_file_limit_disabled.py 
@@ -95,7 +95,7 @@ directory_str = ','.join(test_directories) wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') -configurations_path = os.path.join(test_data_path, 'wazuh_conf.yaml') +configurations_path = os.path.join(test_data_path, 'wazuh_conf_file_limit_disabled.yaml') testdir1 = test_directories[0] @@ -116,7 +116,7 @@ def get_configuration(request): # Tests -def test_file_limit_no_limit(configure_local_internal_options_module, get_configuration, configure_environment, +def test_file_limit_disabled(configure_local_internal_options_module, get_configuration, configure_environment, restart_syscheckd): ''' description: Check if the 'wazuh-syscheckd' daemon detects that the 'file_limit' feature of FIM is disabled. From 656145f2cf71e40891422b4397942450e4d52603 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Fri, 9 Jun 2023 12:43:28 -0300 Subject: [PATCH 21/25] fix(#3963): fix imports --- .../test_files/test_audit_buffer/test_audit_buffer_behavior.py | 2 +- .../test_audit_buffer/test_audit_buffer_configuration.py | 2 +- .../test_files/test_audit_buffer/test_audit_buffer_over_time.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py index 1bf9bffd5e..52316d3b99 100644 --- a/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py +++ b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py @@ -78,7 +78,7 @@ # Reference paths TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') -CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration_template') +CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration_templates') TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases') 
diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_configuration.py b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_configuration.py index 027745b9cb..f49af1c36a 100644 --- a/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_configuration.py +++ b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_configuration.py @@ -76,7 +76,7 @@ # Reference paths TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') -CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration_template') +CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration_templates') TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases') # ---------------------------------------TEST_AUDIT_BUFFER_DEFAULT------------------------------------------- diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_over_time.py b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_over_time.py index e0f9089f90..c60ab3b794 100644 --- a/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_over_time.py +++ b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_over_time.py @@ -79,7 +79,7 @@ # Reference paths TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') -CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration_template') +CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration_templates') TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases') From f3ee1614e8086737110d901b600c92deadb8f654 Mon Sep 17 00:00:00 2001 
From: Deblintrake09 Date: Fri, 9 Jun 2023 16:21:02 -0300 Subject: [PATCH 22/25] fix(#3963): fix callback variables --- .../wazuh_testing/modules/fim/event_monitor.py | 12 +++++++----- .../data/test_cases/cases_audit_buffer_values.yaml | 4 ++-- .../test_audit_buffer/test_audit_buffer_behavior.py | 5 ++--- .../test_audit_buffer/test_audit_buffer_over_time.py | 7 +++---- 4 files changed, 14 insertions(+), 14 deletions(-) diff --git a/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py b/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py index 5ed780cfb2..45d50c377c 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py +++ b/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py @@ -120,6 +120,7 @@ def create_error_message(message, source=LOG_FILE_PATH): Creates an error message from an event. Args: message(str): Message that will be shown in error message + source(str): name of log file where the event was expected from (default: LOG_FILE_PATH). Returns: string: A string containing the error message to be shown """ @@ -484,13 +485,13 @@ def detect_initial_scan(file_monitor): error_message=ERR_MSG_SCHEDULED_SCAN_ENDED) -def detect_initial_scan_start(file_monitor): +def detect_initial_scan_start(file_monitor, timeout=T_60): """Detect initial scan start when restarting Wazuh. Args: file_monitor (FileMonitor): file log monitor to detect events """ - file_monitor.start(timeout=T_60, callback=callback_detect_scan_start, + file_monitor.start(timeout=timeout, callback=callback_detect_scan_start, error_message=ERR_MSG_SCHEDULED_SCAN_STARTED) 
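Review bot: The new `timeout` parameter of detect_initial_scan_start is not documented; the Args block still lists only file_monitor. Add `timeout (int): seconds to wait for the scan-start event (default: T_60).` beneath the file_monitor entry, in the same style as the `source` line this commit adds to create_error_message in the first hunk.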
@@ -515,19 +516,20 @@ def detect_whodata_start(file_monitor, timeout=T_60): error_message=ERR_MSG_WHODATA_ENGINE_EVENT) -def get_messages(callback, timeout=T_30): +def get_messages(callback, timeout=T_30, max_events=MAX_EVENTS_VALUE): """Look for as many synchronization events as possible. This function will look for the synchronization messages until a Timeout is raised or 'max_events' is reached. Args: callback (str): Callback to be used to detect the event. timeout (int): Timeout that will be used to get the dbsync_no_data message. + max_events (int): Maximum number of events to be returned. Returns: A list with all the events in json format. """ wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) events = [] - for _ in range(0, MAX_EVENTS_VALUE): + for _ in range(0, max_events): event = None try: event = wazuh_log_monitor.start(timeout=timeout, accum_results=1, @@ -606,7 +608,7 @@ def detect_invalid_conf_value(file_monitor, element): """Detects the configured value for the whodata queue Args: file_monitor (FileMonitor): file log monitor to detect events - element (str): Elementa name that is being detected + element (str): Element name that is being detected """ pattern = fr".*Invalid value for element (\'{element}\': .*)" return file_monitor.start(timeout=T_10, callback=generate_monitoring_callback(pattern), diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_values.yaml b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_values.yaml index cf747fc77f..83635eb1dd 100644 --- a/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_values.yaml +++ b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_values.yaml 
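Review bot: The `max_events` entry added to get_messages's docstring is right, but the surrounding Args block still types `callback (str)` although the value is passed as the `callback=` callable to FileMonitor.start, and the summary still says the function looks for "synchronization events" while the callback decides what is collected. Suggest `callback (callable): Callback used to detect each event.` and `Look for up to 'max_events' events matching 'callback'.`. A caller that passes the exact expected count as max_events can never observe surplus events, so tests asserting an exact count should pass a larger bound and assert on `len(results)`; whether the loop stops on the first timeout depends on the except branch, which continues outside the hunk.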
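Review bot: In the detect_invalid_conf_value hunk the typo in the `element` line is fixed but the summary `Detects the configured value for the whodata queue` still describes a different function; this one matches the "Invalid value for element" error, so `Detect the 'Invalid value for element' error for a configuration element.` fits. `element` is interpolated into the fr-string regex unescaped; the current callers pass a fixed name such as 'queue_size', but `re.escape(element)` would keep the match literal if a name with regex metacharacters is ever used.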
@@ -16,7 +16,7 @@
     valid_range: true
     audit_starts: true
 
-- name: queue_size_1048576_Upper_limit_starts_properly
+- name: queue_size_1048576_upper_limit_starts_properly
   description: Verify if value set to the upper limit whodata starts correctly.
   configuration_parameters:
     QUEUE_SIZE: 1048576
@@ -45,7 +45,7 @@
     audit_starts: false
     fail_reason: invalid_value
 
-- name: queue_size_invalid_value_Invalid_characters
+- name: queue_size_invalid_value_invalid_characters
   description: Verify if value set using characters instead of only numbers, whodata fails to start.
   configuration_parameters:
     QUEUE_SIZE: 100c
diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py
index 52316d3b99..c19470640b 100644
--- a/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py
+++ b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py
@@ -204,7 +204,7 @@ def test_audit_buffer_no_overflow(configuration, metadata, test_folders, set_waz
 @pytest.mark.parametrize('test_folders', [test_folders], ids='', scope='module')
 @pytest.mark.parametrize('configuration, metadata', zip(t2_configurations, t2_configuration_metadata),
                          ids=t2_test_case_ids)
-def test_audit_buffer_overflown(configuration, metadata, test_folders, set_wazuh_configuration,
+def test_audit_buffer_overflow(configuration, metadata, test_folders, set_wazuh_configuration,
                                create_monitored_folders_module, configure_local_internal_options_function,
                                restart_syscheck_function, wait_syscheck_start):
     '''
@@ -295,8 +295,7 @@ def test_audit_buffer_overflown(configuration, metadata, test_folders, set_wazuh
     detect_initial_scan_start(wazuh_log_monitor, timeout=T_10)
 
     # Get all file added events
-    results = get_messages(callback_detect_file_added_event, timeout=T_10,
-                           error_message=f"Did not receive the expected file added events")
+    results = get_messages(callback_detect_file_added_event, timeout=T_10)
 
     # Check the amount of added events in scheduled mode is equal to the amount of files created
     # minus the generated whodata events
diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_over_time.py b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_over_time.py
index c60ab3b794..a0829e07e4 100644
--- a/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_over_time.py
+++ b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_over_time.py
@@ -271,8 +271,8 @@ def test_audit_buffer_overflow(configuration, metadata, test_folders, set_wazuh_
         - Verify configured queue_size value
         - Verify real-time whodata thread is started correctly
 
-    input_description: The file 'configuration_audit_buffer_values' provides the configuration template.
-                       The file 'cases_audit_buffer_values.yaml' provides the tes cases configuration
+    input_description: The file 'configuration_audit_buffer_over_time.yaml' provides the configuration template.
+                       The file 'cases_audit_buffer_over_time_overflow.yaml' provides the tes cases configuration
                        details for each test case.
 
     expected_output:
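Review bot: The new call `results = get_messages(callback_detect_file_added_event, timeout=T_10)` relies on the default `max_events=MAX_EVENTS_VALUE`, whereas the equivalent call in test_audit_buffer_over_time.py (patch 22, hunk -305) passes `max_events=total_files`; if the number of files this test creates ever exceeds MAX_EVENTS_VALUE, collection stops early and the count check that follows the hunk would fail for a reason unrelated to the audit buffer. Passing the expected file count explicitly, `max_events=<expected added-event count>`, keeps the two tests consistent and makes the bound visible at the call site. The same applies to the `get_messages(..., timeout=T_10)` call in the -280 hunk of patch 23. The enclosing test function starts and ends outside this hunk.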
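Review bot: The rewritten `input_description` line in test_audit_buffer_over_time.py still carries the typo `provides the tes cases configuration`; patch 24 of this series corrects the same wording only in test_audit_buffer_behavior.py. Change it to `provides the test cases configuration` here as well so the two docstrings match.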
@@ -305,8 +305,7 @@ def test_audit_buffer_overflow(configuration, metadata, test_folders, set_wazuh_
         create_file(REGULAR, test_folders[0], f'test_file_second_insert_{file}', content='')
 
     # Get all file added events
-    results = get_messages(callback_detect_file_added_event, timeout=T_20, max_events=total_files,
-                           error_message=f"Did not receive the expected file added events")
+    results = get_messages(callback_detect_file_added_event, timeout=T_20, max_events=total_files)
 
     second_set_events = 0
     for result in results:

From b77e066ce01f15db81a5e2e9acda19fc31f7b3c1 Mon Sep 17 00:00:00 2001
From: Deblintrake09
Date: Fri, 9 Jun 2023 16:34:51 -0300
Subject: [PATCH 23/25] fix(#3963): fix callback variables

---
 .../test_files/test_audit_buffer/test_audit_buffer_behavior.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py
index c19470640b..3ace00c9ca 100644
--- a/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py
+++ b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py
@@ -280,8 +280,7 @@ def test_audit_buffer_overflow(configuration, metadata, test_folders, set_wazuh_
     detect_audit_queue_full(wazuh_log_monitor, update_position=False)
 
     # Get all file added events
-    results = get_messages(callback_detect_file_added_event, timeout=T_10,
-                           error_message=f"Did not receive the expected file added events")
+    results = get_messages(callback_detect_file_added_event, timeout=T_10)
 
     # Check the ammount of added events in whodata mode is equal or more than the expected value
     found_whodata_events = 0

From 776489ad765b97059883d916945fc2d8d8696f44 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9s=20Carmelo=20Micalizzi=20Casali?=
Date: Tue, 13 Jun 2023 13:02:01 -0300
Subject: [PATCH 24/25] docs(#3963): fix typo

---
 .../test_files/test_audit_buffer/test_audit_buffer_behavior.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py
index 3ace00c9ca..bddf629a3a 100644
--- a/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py
+++ b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py
@@ -262,7 +262,7 @@ def test_audit_buffer_overflow(configuration, metadata, test_folders, set_wazuh_
         - Verify the excess files inserted after queue full are detected in scheduled mode.
 
     input_description: The file 'configuration_audit_buffer_behavior' provides the configuration template.
-                       The file 'cases_audit_buffer_overflow.yaml' provides the tes cases configuration
+                       The file 'cases_audit_buffer_overflow.yaml' provides the test cases configuration
                        details for each test case.
 
     expected_output:

From aee7d26fc303022e0a32e68b505f4c4340fa5e3a Mon Sep 17 00:00:00 2001
From: Deblintrake09
Date: Wed, 14 Jun 2023 08:38:40 -0300
Subject: [PATCH 25/25] docs(#3963): update changelog

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 496466410a..01155369e2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,7 @@ Release report: TBD
 
 ### Added
 
+- Add tests for new FIM audit buffer option. ([#4227](https://github.com/wazuh/wazuh-qa/pull/4227)) \- (Framework + tests)
 - Add callbacks and IT tests for Integratord options tag. ([#4108](https://github.com/wazuh/wazuh-qa/pull/4108)) \- (Framework + tests)
 
 ### Changed