Add Audit Buffer IT support #4399

Merged
merged 8 commits into from
Aug 31, 2023

Conversation

Deblintrake09
Contributor

@Deblintrake09 Deblintrake09 commented Aug 4, 2023

Related issue
#3963

Description

This issue aims to add IT support for the new Audit whodata buffer. This is managed by the whodata->queue_size tag, which limits the number of audit events that are received by syscheck. When the queue is full, events are dropped and file modifications are detected through scheduled mode instead of whodata.

Added

  • test_audit_buffer_configuration.py module containing 7 cases related to queue_size configuration values
  • test_audit_buffer_behavior.py module containing 2 cases related to queue_size basic behavior
  • test_audit_buffer_over_time.py module containing 2 cases related to queue_size's behavior in relation to max_eps
  • Added new callbacks and functions

NOTE: Originally, development was handled and reviewed in PR #4227.

Testing performed

| Tester | Test path | Jenkins | Local | OS | Commit | Notes |
|---|---|---|---|---|---|---|
| @Deblintrake09 (Developer) | test_fim | 🟢🟢🟢 | | Manager | 0338b0a | Nothing to highlight |
| @Deblintrake09 (Developer) | test_fim | 🟢🟢🟢 | | Linux Agent | 0338b0a | Nothing to highlight |
| @Deblintrake09 (Developer) | test_fim | 🟢🟢🟢 | | Windows Agent | 0338b0a | Nothing to highlight |
| @Deblintrake09 (Developer) | test_fim | 🟢🟢🟢 | 🚫 | Solaris & MacOS Agent | 0338b0a | Nothing to highlight |
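The description above gives the semantics the three test modules exercise: queue_size bounds the audit events syscheck will hold, a full queue drops events, and the files behind dropped events are only caught by the scheduled scan. The following is an added example, not code from this PR or from Wazuh: a small Python model that reads queue_size and max_eps from a constructed ossec.conf snippet and replays a burst of audit events against a bounded queue. The defaults (16384 and 50), the per-second drain at max_eps, and the sample paths are assumptions made for the illustration, not values taken from the PR.

```python
"""Toy model of the syscheck whodata audit buffer (constructed example).

This is NOT Wazuh's implementation. It models three points from the PR
description: queue_size bounds the buffered audit events, events that
arrive while the queue is full are dropped, and the files behind dropped
events must be picked up by the scheduled scan. Draining the queue at
max_eps events per second is an assumption made to show the interplay
that test_audit_buffer_over_time.py targets.
"""
import xml.etree.ElementTree as ET
from collections import deque

# Assumed defaults for the model (labelled as assumptions, not from the PR).
DEFAULT_QUEUE_SIZE = 16384
DEFAULT_MAX_EPS = 50


def parse_syscheck(ossec_conf: str) -> dict:
    """Extract whodata/queue_size and max_eps from an <ossec_config> string."""
    root = ET.fromstring(ossec_conf)
    syscheck = root.find("syscheck")
    if syscheck is None:
        raise ValueError("no <syscheck> block in configuration")
    queue_size = syscheck.findtext("whodata/queue_size")
    max_eps = syscheck.findtext("max_eps")
    return {
        "queue_size": int(queue_size) if queue_size is not None else DEFAULT_QUEUE_SIZE,
        "max_eps": int(max_eps) if max_eps is not None else DEFAULT_MAX_EPS,
    }


class WhodataBuffer:
    """Bounded FIFO of audit events; receive() drops when the queue is full."""

    def __init__(self, queue_size: int, max_eps: int):
        self.queue_size = queue_size
        self.max_eps = max_eps
        self.queue = deque()
        self.dropped = []    # paths whose whodata event was lost
        self.forwarded = []  # paths whose event reached syscheck processing

    def receive(self, path: str) -> bool:
        """Queue one audit event; return False if it had to be dropped."""
        if len(self.queue) >= self.queue_size:
            self.dropped.append(path)
            return False
        self.queue.append(path)
        return True

    def tick(self) -> None:
        """One second elapses: process at most max_eps queued events."""
        for _ in range(min(self.max_eps, len(self.queue))):
            self.forwarded.append(self.queue.popleft())


def simulate(conf: dict, bursts) -> WhodataBuffer:
    """Replay bursts[i] events during second i and return the buffer state."""
    buf = WhodataBuffer(conf["queue_size"], conf["max_eps"])
    for second, count in enumerate(bursts):
        for i in range(count):
            buf.receive(f"/etc/app/file_{second}_{i}")  # assumed sample paths
        buf.tick()
    return buf


def needs_scheduled_scan(buf: WhodataBuffer) -> list:
    """Files that whodata missed and only the scheduled scan will detect."""
    return sorted(set(buf.dropped))


# Constructed configuration: a deliberately tiny queue next to a low max_eps.
SAMPLE_CONF = """<ossec_config>
  <syscheck>
    <max_eps>2</max_eps>
    <directories whodata="yes">/etc/app</directories>
    <whodata>
      <startup_healthcheck>no</startup_healthcheck>
      <queue_size>5</queue_size>
    </whodata>
  </syscheck>
</ossec_config>"""

BURSTS = [8, 3]  # constructed: 8 events in second 0, 3 in second 1


def run_example() -> dict:
    conf = parse_syscheck(SAMPLE_CONF)
    buf = simulate(conf, BURSTS)
    return {
        "config": conf,
        "forwarded": len(buf.forwarded),
        "still_queued": len(buf.queue),
        "dropped": len(buf.dropped),
        "scheduled_scan_must_cover": needs_scheduled_scan(buf),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

With queue_size 5 and max_eps 2, the first burst of 8 fills the queue and drops 3 events; draining only 2 per second leaves too little room for the next burst, so another event is dropped. Raising queue_size (or lowering the arrival rate relative to max_eps) is what keeps the whodata path lossless; anything dropped is detected only at the next scheduled scan.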

@Deblintrake09 Deblintrake09 self-assigned this Aug 4, 2023
@Deblintrake09 Deblintrake09 linked an issue Aug 4, 2023 that may be closed by this pull request
Member

@damarisg damarisg left a comment


GJ! I remember that we talked about these cases.

I would like to know what happens if:

  • Case 1: I configure EPS invalid.
  • Case 2: I add the startup_healthcheck (with 'no') and remove the queue_size value.
  • Case 3: I add the whodata section without startup_healthcheck section.

Should Core add these cases in the future?

@Deblintrake09
Contributor Author

Deblintrake09 commented Aug 30, 2023

GJ! I remember that we talked about these cases.

I would like to know what happens if:

* Case 1: I configure EPS invalid.

* Case 2: I add the startup_healthcheck (with 'no') and remove the  queue_size value.

* Case 3: I add the whodata section without startup_healthcheck  section.

Should Core add these cases in the future?

These cases were not considered during testing. From knowledge of the behavior, they would be something like:

  • Case 1: should show an "Invalid value for element 'EPS': invalid_value" event. I do not know whether the value would cause the agent to fail to start or be ignored and the default used.
  • Case 2: removing the queue_size would make the agent work with the default size. The agent could be flooded and events lost if the auditd internal queue is full.
  • Case 3: the healthcheck will be executed. If the queue_size is too small, the healthcheck will fail.

These cases require further research, and since these tests need to be moved to the wazuh/wazuh repository as part of the migration of ITs, considering whether these cases are valid and developing them should be up to Core.

@davidjiglesias davidjiglesias merged commit fdd3969 into 4.7.0 Aug 31, 2023
4 checks passed
@davidjiglesias davidjiglesias deleted the 3963-audit-buffer branch August 31, 2023 07:33
@Deblintrake09 Deblintrake09 restored the 3963-audit-buffer branch September 1, 2023 11:13
@Deblintrake09 Deblintrake09 deleted the 3963-audit-buffer branch September 1, 2023 11:25