wazuh · Deblintrake09 · Jun 5, 2023 · Jun 5, 2023 · Jun 5, 2023 · Jun 5, 2023
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,7 @@ Release report: TBD
 
 ### Added
 
+- Add tests for new FIM audit buffer option. ([#4227](https:/wazuh/wazuh-qa/pull/4227)) \- (Framework + tests)
 - Add callbacks and IT tests for Integratord options tag. ([#4108](https:/wazuh/wazuh-qa/pull/4108)) \- (Framework + tests)
 
 ### Changed
@@ -28,6 +29,7 @@ Release report: TBD
 
 ### Added
 
+- Add tests for new FIM audit buffer option. ([#4227](https:/wazuh/wazuh-qa/pull/4227)) \- (Framework + tests)
 - New 'SCA' test suite and framework. ([#3566](https:/wazuh/wazuh-qa/pull/3566)) \- (Framework + Tests)
 - Add integration tests for AWS module. ([#3911](https:/wazuh/wazuh-qa/pull/3911)) \- (Framework + Tests + Documentation)
 - Add tests for msu patches with no associated CVE . ([#4009](https:/wazuh/wazuh-qa/pull/4009)) \- (Framework + Tests)

diff --git a/deps/wazuh_testing/wazuh_testing/__init__.py b/deps/wazuh_testing/wazuh_testing/__init__.py
@@ -76,6 +76,7 @@
 T_10 = 10
 T_20 = 20
 T_30 = 30
+T_40 = 40
 T_60 = 60
 
 

diff --git a/deps/wazuh_testing/wazuh_testing/modules/fim/__init__.py b/deps/wazuh_testing/wazuh_testing/modules/fim/__init__.py
@@ -175,7 +175,7 @@
 # Syscheck values
 DIFF_LIMIT_VALUE = 2
 DIFF_DEFAULT_LIMIT_VALUE = 51200
-
+AUDIT_QUEUE_SIZE_DEFAULT_VALUE = 16384
 
 # FIM modes
 SCHEDULED_MODE = 'scheduled'

diff --git a/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py b/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py
@@ -7,8 +7,9 @@
 
 from sys import platform
 from datetime import datetime
-from wazuh_testing import LOG_FILE_PATH, logger, T_60, T_30
+from wazuh_testing import LOG_FILE_PATH, logger, T_30, T_60, T_10
 from wazuh_testing.tools.monitoring import FileMonitor, generate_monitoring_callback
+from wazuh_testing.modules.fim import MAX_EVENTS_VALUE
 
 
 # Variables
@@ -48,12 +49,16 @@
 CB_FILE_EXCEEDS_DISK_QUOTA = r'.*The (.*) of the file size \'(.*)\' exceeds the disk_quota.*'
 CB_FILE_SIZE_LIMIT_REACHED = r'.*File \'(.*)\' is too big for configured maximum size to perform diff operation\.'
 CB_DIFF_FOLDER_DELETED = r'.*Folder \'(.*)\' has been deleted.*'
+CB_FIM_WILDCARD_EXPANDING = r".*Expanding entry '.*' to '(.*)' to monitor FIM events."
 CB_FIM_PATH_CONVERTED = r".*fim_adjust_path.*Convert '(.*) to '(.*)' to process the FIM events."
 CB_STARTING_WINDOWS_AUDIT = r'.*state_checker.*(Starting check of Windows Audit Policies and SACLs)'
 CB_FIM_WILDCARD_EXPANDING = r".*Expanding entry '.*' to '(.*)' to monitor FIM events."
 CB_SWITCHING_DIRECTORIES_TO_REALTIME = r'.*state_checker.*(Audit policy change detected.\
  Switching directories to realtime)'
 CB_RECIEVED_EVENT_4719 = r'.*win_whodata.*(Event 4719).*Switching directories to realtime'
+CB_WHODATA_QUEUE_SIZE = r".*Internal audit queue size set to \'(.*)\'."
+CB_WHODATA_QUEUE_FULL = r".*(Internal audit queue is full). Some events may be lost.*"
+CB_AUDIT_HEALTHCHECK_FAILED = r".*(Audit health check couldn't be completed correctly)."
 CB_FIM_REGISTRY_ENTRIES_COUNT = r".*Fim registry entries count: '(.*)'"
 CB_FIM_REGISTRY_VALUES_ENTRIES_COUNT = r".*Fim registry values entries count: '(.*)'"
 
@@ -108,7 +113,18 @@
 ERR_MSG_FILE_LIMIT_REACHED = 'Did not receive "File ... is too big ... to perform diff operation" event.'
 ERR_MSG_FOLDER_DELETED = 'Did not receive expected "Folder ... has been deleted." event.'
 ERR_MSG_SACL_CONFIGURED_EVENT = 'Did not receive the expected "The SACL of <file> will be configured" event'
-ERR_MSG_WHODATA_REALTIME_MODE_CHANGE_EVENT = 'Expected "directory starts to monitored in real-time" event not received'
+
+
+def create_error_message(message, source=LOG_FILE_PATH):
+ """
+ Creates an error message from an event.
+ Args:
+ message(str): Message that will be shown in error message
+ source(str): name of log file where the event was expected from (default: LOG_FILE_PATH).
+ Returns:
+ string: A string containing the error message to be shown
+ """
+ return fr'Did not receive the expected "{message}" event in "{source}" file.'
 
 
 # Callback functions
@@ -469,13 +485,13 @@ def detect_initial_scan(file_monitor):
  error_message=ERR_MSG_SCHEDULED_SCAN_ENDED)
 
 
-def detect_initial_scan_start(file_monitor):
+def detect_initial_scan_start(file_monitor, timeout=T_60):
  """Detect initial scan start when restarting Wazuh.
 
  Args:
  file_monitor (FileMonitor): file log monitor to detect events
  """
- file_monitor.start(timeout=T_60, callback=callback_detect_scan_start,
+ file_monitor.start(timeout=timeout, callback=callback_detect_scan_start,
  error_message=ERR_MSG_SCHEDULED_SCAN_STARTED)
 
 
@@ -500,19 +516,20 @@ def detect_whodata_start(file_monitor, timeout=T_60):
  error_message=ERR_MSG_WHODATA_ENGINE_EVENT)
 
 
-def get_messages(callback, timeout=T_30):
+def get_messages(callback, timeout=T_30, max_events=MAX_EVENTS_VALUE):
  """Look for as many synchronization events as possible.
  This function will look for the synchronization messages until a Timeout is raised or 'max_events' is reached.
  Args:
  callback (str): Callback to be used to detect the event.
  timeout (int): Timeout that will be used to get the dbsync_no_data message.
+ max_events (int): Maximum number of events to be returned.
 
  Returns:
  A list with all the events in json format.
  """
  wazuh_log_monitor = FileMonitor(LOG_FILE_PATH)
  events = []
- for _ in range(0, MAX_EVENTS_VALUE):
+ for _ in range(0, max_events):
  event = None
  try:
  event = wazuh_log_monitor.start(timeout=timeout, accum_results=1,
@@ -574,6 +591,48 @@ def detect_windows_whodata_mode_change(file_monitor, file='.*'):
  error_message=ERR_MSG_WHODATA_REALTIME_MODE_CHANGE_EVENT)
 
 
+def detect_audit_queue_full(file_monitor, update_position=True):
+ """Detects the configured value for the whodata queue
+ Args:
+ file_monitor (FileMonitor): file log monitor to detect events
+ update_position (bool, optional): True if we pop items from the queue once they are read. False otherwise.
+ Default `True`
+ """
+
+ return file_monitor.start(timeout=T_10, callback=generate_monitoring_callback(CB_WHODATA_QUEUE_FULL),
+ error_message=create_error_message(CB_WHODATA_QUEUE_FULL),
+ update_position=update_position).result()
+
+
+def detect_invalid_conf_value(file_monitor, element):
+ """Detects the configured value for the whodata queue
+ Args:
+ file_monitor (FileMonitor): file log monitor to detect events
+ element (str): Element name that is being detected
+ """
+ pattern = fr".*Invalid value for element (\'{element}\': .*)"
+ return file_monitor.start(timeout=T_10, callback=generate_monitoring_callback(pattern),
+ error_message=create_error_message(pattern)).result()
+
+
+def detect_audit_healthcheck_failed(file_monitor):
+ """Detects if the initial audit healtcheck has failed
+ Args:
+ file_monitor (FileMonitor): file log monitor to detect events
+ """
+ return file_monitor.start(timeout=T_10, callback=generate_monitoring_callback(CB_AUDIT_HEALTHCHECK_FAILED),
+ error_message=create_error_message(CB_AUDIT_HEALTHCHECK_FAILED)).result()
+
+
+def get_configured_whodata_queue_size(file_monitor):
+ """Detects the configured value for the whodata queue
+ Args:
+ file_monitor (FileMonitor): file log monitor to detect events
+ """
+ return file_monitor.start(timeout=T_10, callback=generate_monitoring_callback(CB_WHODATA_QUEUE_SIZE),
+ error_message=create_error_message(CB_WHODATA_QUEUE_SIZE)).result()
+
+
 def get_fim_event(file_monitor=None, callback='', error_message=None, update_position=True,
  timeout=T_60, accum_results=1, file_to_monitor=LOG_FILE_PATH):
  """ Check if FIM event occurs and return it according to the callback.

diff --git a/...s/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_behavior.yaml b/...s/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_behavior.yaml
@@ -0,0 +1,32 @@
+- sections:
+ - section: syscheck
+ elements:
+ - disabled:
+ value: 'no'
+ - frequency:
+ value: 2
+ - directories:
+ value: TEST_DIRECTORIES
+ attributes:
+ - whodata: 'yes'
+ - whodata:
+ elements:
+ - queue_size:
+ value: 10
+
+ - section: sca
+ elements:
+ - enabled:
+ value: 'no'
+
+ - section: rootcheck
+ elements:
+ - disabled:
+ value: 'yes'
+
+ - section: wodle
+ attributes:
+ - name: syscollector
+ elements:
+ - disabled:
+ value: 'yes'
diff --git a/...es/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_default.yaml b/...es/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_default.yaml
@@ -0,0 +1,28 @@
+- sections:
+ - section: syscheck
+ elements:
+ - disabled:
+ value: 'no'
+ - frequency:
+ value: 5
+ - directories:
+ value: TEST_DIRECTORIES
+ attributes:
+ - whodata: 'yes'
+
+ - section: sca
+ elements:
+ - enabled:
+ value: 'no'
+
+ - section: rootcheck
+ elements:
+ - disabled:
+ value: 'yes'
+
+ - section: wodle
+ attributes:
+ - name: syscollector
+ elements:
+ - disabled:
+ value: 'yes'
diff --git a/.../test_audit_buffer/data/configuration_templates/configuration_audit_buffer_over_time.yaml b/.../test_audit_buffer/data/configuration_templates/configuration_audit_buffer_over_time.yaml
@@ -0,0 +1,36 @@
+- sections:
+ - section: syscheck
+ elements:
+ - disabled:
+ value: 'no'
+ - frequency:
+ value: FREQUENCY
+ - directories:
+ value: TEST_DIRECTORIES
+ attributes:
+ - whodata: 'yes'
+ - max_eps:
+ value: MAX_EPS
+ - whodata:
+ elements:
+ - queue_size:
+ value: QUEUE_SIZE
+ - startup_healthcheck:
+ value: 'no'
+
+ - section: sca
+ elements:
+ - enabled:
+ value: 'no'
+
+ - section: rootcheck
+ elements:
+ - disabled:
+ value: 'yes'
+
+ - section: wodle
+ attributes:
+ - name: syscollector
+ elements:
+ - disabled:
+ value: 'yes'
diff --git a/...les/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_values.yaml b/...les/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_values.yaml
@@ -0,0 +1,32 @@
+- sections:
+ - section: syscheck
+ elements:
+ - disabled:
+ value: 'no'
+ - frequency:
+ value: 5
+ - directories:
+ value: TEST_DIRECTORIES
+ attributes:
+ - whodata: 'yes'
+ - whodata:
+ elements:
+ - queue_size:
+ value: QUEUE_SIZE
+
+ - section: sca
+ elements:
+ - enabled:
+ value: 'no'
+
+ - section: rootcheck
+ elements:
+ - disabled:
+ value: 'yes'
+
+ - section: wodle
+ attributes:
+ - name: syscollector
+ elements:
+ - disabled:
+ value: 'yes'
diff --git a/...ion/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_default.yaml b/...ion/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_default.yaml
@@ -0,0 +1,6 @@
+- name: verify_queue_size_default_value
+ description: Verify when not setting queue_size it's default value is set and whodata starts correctly.
+ configuration_parameters:
+ TEST_DIRECTORIES: /testdir1
+ metadata:
+ audit_starts: 16384
diff --git a/...test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_no_overflow.yaml b/...test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_no_overflow.yaml
@@ -0,0 +1,7 @@
+- name: audit_buffer_does_not_overflow
+ description: Verify if files are equal to queue_size, it does not overflow and files are detected in whodata mode
+ configuration_parameters:
+ TEST_DIRECTORIES: /
+ metadata:
+ files_to_add: 10
+ fim_mode: whodata
diff --git a/...est_files/test_audit_buffer/data/test_cases/cases_audit_buffer_over_time_no_overflow.yaml b/...est_files/test_audit_buffer/data/test_cases/cases_audit_buffer_over_time_no_overflow.yaml
@@ -0,0 +1,12 @@
+- name: audit_buffer_full_all_files_detected_in_whodata
+ description: Verify if files are added below the queue's size, after space is freed, all files appear in whodata mode
+ configuration_parameters:
+ TEST_DIRECTORIES: /
+ QUEUE_SIZE: 50
+ MAX_EPS: 6
+ FREQUENCY: 20
+ metadata:
+ files_first_insert: 50 # Fills queue 100% - log is only generated when it overflows.
+ wait_time: 5 # Time to wait between inserts to allow for files to be processed
+ files_second_insert: 20 # Insert files to check that files are still being detected in whodata
+ fim_mode: whodata
diff --git a/...m/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_over_time_overflow.yaml b/...m/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_over_time_overflow.yaml
@@ -0,0 +1,13 @@
+- name: audit_buffer_overflows_new_files_in_whodata
+ description: Verify if files are added over the queue's size, and time passes, new files are detected in whodata mode
+ configuration_parameters:
+ TEST_DIRECTORIES: /
+ QUEUE_SIZE: 20
+ MAX_EPS: 4
+ FREQUENCY: 10
+ metadata:
+ files_first_insert: 24
+ queue_size: 20
+ wait_time: 5
+ files_second_insert: 10
+ fim_mode: whodata
diff --git a/...on/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_overflow.yaml b/...on/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_overflow.yaml
@@ -0,0 +1,8 @@
+- name: audit_buffer_overflows
+ description: Verify if files are added over the queue's size, it overflows and files are detected in scheduled mode.
+ configuration_parameters:
+ TEST_DIRECTORIES: /
+ metadata:
+ files_to_add: 15
+ whodata_events: 10
+ fim_mode: whodata