diff --git a/CHANGELOG.md b/CHANGELOG.md index 496466410a..44c8fe2e34 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,7 @@ Release report: TBD ### Added +- Add tests for new FIM audit buffer option. ([#4399](https://github.com/wazuh/wazuh-qa/pull/4399)) \- (Framework + tests) - Add callbacks and IT tests for Integratord options tag. ([#4108](https://github.com/wazuh/wazuh-qa/pull/4108)) \- (Framework + tests) ### Changed diff --git a/deps/wazuh_testing/wazuh_testing/modules/fim/__init__.py b/deps/wazuh_testing/wazuh_testing/modules/fim/__init__.py index 5a8af08e85..5fea0bb68a 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/fim/__init__.py +++ b/deps/wazuh_testing/wazuh_testing/modules/fim/__init__.py @@ -175,7 +175,7 @@ # Syscheck values DIFF_LIMIT_VALUE = 2 DIFF_DEFAULT_LIMIT_VALUE = 51200 - +AUDIT_QUEUE_SIZE_DEFAULT_VALUE = 16384 # FIM modes SCHEDULED_MODE = 'scheduled' diff --git a/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py b/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py index 2ec0f10099..461a338d7f 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py +++ b/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py @@ -7,8 +7,9 @@ from sys import platform from datetime import datetime -from wazuh_testing import LOG_FILE_PATH, logger, T_60, T_30 +from wazuh_testing import LOG_FILE_PATH, logger, T_60, T_30, T_10 from wazuh_testing.tools.monitoring import FileMonitor, generate_monitoring_callback +from wazuh_testing.modules.fim import MAX_EVENTS_VALUE # Variables 
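Review bot: The new `AUDIT_QUEUE_SIZE_DEFAULT_VALUE = 16384` in fim/__init__.py is duplicated as a bare literal in cases_audit_buffer_default.yaml (`audit_starts: 16384`), so the two can drift if the agent default ever changes. Consider having the default-value test compare the logged value against the constant and dropping the literal from the case metadata. A one-line comment such as `# Default whodata queue_size the 'Internal audit queue size set to' log is expected to report` would also explain where the number comes from, since none of the neighbouring constants say so.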
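Review bot: The added `from wazuh_testing.modules.fim import MAX_EVENTS_VALUE` makes event_monitor.py import its own parent package at module level; if `wazuh_testing/modules/fim/__init__.py` imports event_monitor (not visible in this hunk), this becomes a circular import that fails depending on which module is imported first. If that is the case, importing the constant inside get_messages or defining it alongside the other event_monitor variables avoids the cycle.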
@@ -56,6 +57,9 @@ CB_RECIEVED_EVENT_4719 = r'.*win_whodata.*(Event 4719).*Switching directories to realtime' CB_FIM_REGISTRY_ENTRIES_COUNT = r".*Fim registry entries count: '(.*)'" CB_FIM_REGISTRY_VALUES_ENTRIES_COUNT = r".*Fim registry values entries count: '(.*)'" +CB_WHODATA_QUEUE_SIZE = r".*Internal audit queue size set to \'(.*)\'." +CB_WHODATA_QUEUE_FULL = r".*(Internal audit queue is full). Some events may be lost.*" +CB_AUDIT_HEALTHCHECK_FAILED = r".*(Audit health check couldn't be completed correctly)." # Error message ERR_MSG_REALTIME_FOLDERS_EVENT = 'Did not receive expected "Folders monitored with real-time engine" event' @@ -111,6 +115,19 @@ ERR_MSG_WHODATA_REALTIME_MODE_CHANGE_EVENT = 'Expected "directory starts to monitored in real-time" event not received' +def create_error_message(message, source=LOG_FILE_PATH): + """ + Creates an error message from an event. + Args: + message(str): Message that will be shown in error message + source(str): name of log file where the event was expected from (default: LOG_FILE_PATH). + + Returns: + string: A string containing the error message to be shown + """ + return fr'Did not receive the expected "{message}" event in "{source}" file.' + + # Callback functions def callback_detect_event(line): """ @@ -469,13 +486,14 @@ def detect_initial_scan(file_monitor): error_message=ERR_MSG_SCHEDULED_SCAN_ENDED) -def detect_initial_scan_start(file_monitor): +def detect_initial_scan_start(file_monitor, timeout=T_60): """Detect initial scan start when restarting Wazuh. Args: file_monitor (FileMonitor): file log monitor to detect events + timeout (str): timeout to check the event in Wazuh log """ - file_monitor.start(timeout=T_60, callback=callback_detect_scan_start, + file_monitor.start(timeout=timeout, callback=callback_detect_scan_start, error_message=ERR_MSG_SCHEDULED_SCAN_STARTED) 
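Review bot: In create_error_message the `fr` prefix is unnecessary because the literal contains no backslashes, and the docstring runs the summary straight into `Args:` without the blank line the surrounding docstrings in this file use. `return f'Did not receive the expected "{message}" event in "{source}" file.'` reads the same. Since later hunks in this commit pass raw regex constants as `message`, the docstring should say whether a human-readable description or a pattern is expected, e.g. `message(str): description (or pattern) of the event that was expected`.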
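Review bot: The new docstring line in detect_initial_scan_start declares `timeout (str)`, but the default `T_60` is passed straight to `file_monitor.start(timeout=...)` like the numeric T_10/T_30 constants used elsewhere in this file, so it is presumably an int; it should read `timeout (int): timeout to check the event in Wazuh log`. Stating the unit (seconds, if that is what the constants represent) would help callers that now pass their own value.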
@@ -500,19 +518,20 @@ def detect_whodata_start(file_monitor, timeout=T_60): error_message=ERR_MSG_WHODATA_ENGINE_EVENT) -def get_messages(callback, timeout=T_30): +def get_messages(callback, timeout=T_30, max_events=MAX_EVENTS_VALUE): """Look for as many synchronization events as possible. This function will look for the synchronization messages until a Timeout is raised or 'max_events' is reached. Args: callback (str): Callback to be used to detect the event. timeout (int): Timeout that will be used to get the dbsync_no_data message. + max_events (int): maximum amount of events that will be detected will be detected. Returns: A list with all the events in json format. """ wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) events = [] - for _ in range(0, MAX_EVENTS_VALUE): + for _ in range(0, max_events): event = None try: event = wazuh_log_monitor.start(timeout=timeout, accum_results=1, 
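Review bot: The added docstring line for `max_events` in get_messages repeats itself (`will be detected will be detected`); it should read `max_events (int): maximum amount of events that will be detected (default: MAX_EVENTS_VALUE).` The loop bound change itself is correct; `range(0, max_events)` can simply be `range(max_events)`. get_messages continues beyond the hunk, so its try/except and return were not reviewed here.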
@@ -574,6 +593,48 @@ def detect_windows_whodata_mode_change(file_monitor, file='.*'): error_message=ERR_MSG_WHODATA_REALTIME_MODE_CHANGE_EVENT) +def detect_audit_queue_full(file_monitor, update_position=True): + """Detects the event generated when the whodata_queue is full + Args: + file_monitor (FileMonitor): file log monitor to detect events + update_position (bool, optional): True if we pop items from the queue once they are read. False otherwise. + Default `True` + """ + + return file_monitor.start(timeout=T_10, callback=generate_monitoring_callback(CB_WHODATA_QUEUE_FULL), + error_message=create_error_message(CB_WHODATA_QUEUE_FULL), + update_position=update_position).result() + + +def detect_invalid_conf_value(file_monitor, element): + """Detects the error generated when a configuration element has an invalid value. + Args: + file_monitor (FileMonitor): file log monitor to detect events + element (str): Element name that is being detected + """ + pattern = fr".*Invalid value for element (\'{element}\': .*)" + return file_monitor.start(timeout=T_10, callback=generate_monitoring_callback(pattern), + error_message=create_error_message(pattern)).result() + + +def detect_audit_healthcheck_failed(file_monitor): + """Detects if the initial audit healtcheck has failed + Args: + file_monitor (FileMonitor): file log monitor to detect events + """ + return file_monitor.start(timeout=T_10, callback=generate_monitoring_callback(CB_AUDIT_HEALTHCHECK_FAILED), + error_message=create_error_message(CB_AUDIT_HEALTHCHECK_FAILED)).result() + + +def get_configured_whodata_queue_size(file_monitor): + """Detects the configured value for the whodata queue + Args: + file_monitor (FileMonitor): file log monitor to detect events + """ + return file_monitor.start(timeout=T_10, callback=generate_monitoring_callback(CB_WHODATA_QUEUE_SIZE), + error_message=create_error_message(CB_WHODATA_QUEUE_SIZE)).result() + + def get_fim_event(file_monitor=None, callback='', error_message=None, 
update_position=True, timeout=T_60, accum_results=1, file_to_monitor=LOG_FILE_PATH): """ Check if FIM event occurs and return it according to the callback. diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_behavior.yaml b/tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_behavior.yaml new file mode 100644 index 0000000000..8d484ec24c --- /dev/null +++ b/tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_behavior.yaml @@ -0,0 +1,32 @@ +- sections: + - section: syscheck + elements: + - disabled: + value: 'no' + - frequency: + value: 2 + - directories: + value: TEST_DIRECTORIES + attributes: + - whodata: 'yes' + - whodata: + elements: + - queue_size: + value: 10 + + - section: sca + elements: + - enabled: + value: 'no' + + - section: rootcheck + elements: + - disabled: + value: 'yes' + + - section: wodle + attributes: + - name: syscollector + elements: + - disabled: + value: 'yes' diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_default.yaml b/tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_default.yaml new file mode 100644 index 0000000000..cc64da732c --- /dev/null +++ b/tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_default.yaml @@ -0,0 +1,28 @@ +- sections: + - section: syscheck + elements: + - disabled: + value: 'no' + - frequency: + value: 5 + - directories: + value: TEST_DIRECTORIES + attributes: + - whodata: 'yes' + + - section: sca + elements: + - enabled: + value: 'no' + + - section: rootcheck + elements: + - disabled: + value: 'yes' + + - section: wodle + attributes: + - name: syscollector + elements: + - disabled: + value: 'yes' 
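Review bot: detect_invalid_conf_value interpolates `element` straight into a regex, so an element name containing metacharacters (a dot, for instance) would match loosely or fail silently; `pattern = fr".*Invalid value for element (\'{re.escape(element)}\': .*)"` is safer, with `import re` added if this module does not already have it (not visible in the hunk). The four new helpers also pass regex constants such as CB_WHODATA_QUEUE_FULL to create_error_message, so a timeout reports the raw pattern including `.*` rather than a readable description; passing a short text like `'Internal audit queue is full'` would make failures clearer. None of the four docstrings has a `Returns:` section although each returns `.result()`, and `healtcheck` in detect_audit_healthcheck_failed's docstring is a typo.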
diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_over_time.yaml b/tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_over_time.yaml new file mode 100644 index 0000000000..902a35f2bb --- /dev/null +++ b/tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_over_time.yaml @@ -0,0 +1,36 @@ +- sections: + - section: syscheck + elements: + - disabled: + value: 'no' + - frequency: + value: FREQUENCY + - directories: + value: TEST_DIRECTORIES + attributes: + - whodata: 'yes' + - max_eps: + value: MAX_EPS + - whodata: + elements: + - queue_size: + value: QUEUE_SIZE + - startup_healthcheck: + value: 'no' + + - section: sca + elements: + - enabled: + value: 'no' + + - section: rootcheck + elements: + - disabled: + value: 'yes' + + - section: wodle + attributes: + - name: syscollector + elements: + - disabled: + value: 'yes' diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_values.yaml b/tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_values.yaml new file mode 100644 index 0000000000..8221b52622 --- /dev/null +++ b/tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_values.yaml @@ -0,0 +1,32 @@ +- sections: + - section: syscheck + elements: + - disabled: + value: 'no' + - frequency: + value: 5 + - directories: + value: TEST_DIRECTORIES + attributes: + - whodata: 'yes' + - whodata: + elements: + - queue_size: + value: QUEUE_SIZE + + - section: sca + elements: + - enabled: + value: 'no' + + - section: rootcheck + elements: + - disabled: + value: 'yes' + + - section: wodle + attributes: + - name: syscollector + elements: + - disabled: + value: 'yes' 
diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_default.yaml b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_default.yaml new file mode 100644 index 0000000000..54c2195838 --- /dev/null +++ b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_default.yaml @@ -0,0 +1,6 @@ +- name: verify_queue_size_default_value + description: Verify when not setting queue_size it's default value is set and whodata starts correctly. + configuration_parameters: + TEST_DIRECTORIES: /testdir1 + metadata: + audit_starts: 16384 diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_no_overflow.yaml b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_no_overflow.yaml new file mode 100644 index 0000000000..c55647da60 --- /dev/null +++ b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_no_overflow.yaml @@ -0,0 +1,7 @@ +- name: audit_buffer_does_not_overflow + description: Verify if files are equal to queue_size, it does not overflow and files are detected in whodata mode + configuration_parameters: + TEST_DIRECTORIES: / + metadata: + files_to_add: 10 + fim_mode: whodata diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_over_time_no_overflow.yaml b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_over_time_no_overflow.yaml new file mode 100644 index 0000000000..1d86a0fa29 --- /dev/null +++ b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_over_time_no_overflow.yaml 
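Review bot: cases_audit_buffer_default.yaml stores the expected queue size under `audit_starts: 16384`, while cases_audit_buffer_values.yaml uses `queue_size: <n>` together with a boolean `audit_starts: true`. The test module that reads this case is not in view, so it may well read `audit_starts`, but the key name is misleading for a size. `queue_size: 16384` plus `audit_starts: true` would keep the metadata consistent across the suite.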
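Review bot: `TEST_DIRECTORIES: /` in cases_audit_buffer_no_overflow.yaml (and in cases_audit_buffer_overflow.yaml) is never used: test_audit_buffer_behavior.py overwrites `TEST_DIRECTORIES` with `test_folders[0]` for every case before loading the template. Leaving `/` in the case file suggests the whole filesystem is monitored in whodata mode, which would be a very different and far noisier test; replace it with the real test directory or a clearly named placeholder such as `TEST_DIRECTORIES: TEST_DIR` so the file reflects what actually runs. The over_time case files carry the same value, but their test module is outside this view so the override cannot be confirmed there.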
@@ -0,0 +1,12 @@ +- name: audit_buffer_full_all_files_detected_in_whodata + description: Verify if files are added below the queue's size, after space is freed, all files appear in whodata mode + configuration_parameters: + TEST_DIRECTORIES: / + QUEUE_SIZE: 50 + MAX_EPS: 6 + FREQUENCY: 20 + metadata: + files_first_insert: 50 # Fills queue 100% - log is only generated when it overflows. + wait_time: 5 # Time to wait between inserts to allow for files to be processed + files_second_insert: 20 # Insert files to check that files are still being detected in whodata + fim_mode: whodata diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_over_time_overflow.yaml b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_over_time_overflow.yaml new file mode 100644 index 0000000000..cb19bd747a --- /dev/null +++ b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_over_time_overflow.yaml @@ -0,0 +1,13 @@ +- name: audit_buffer_overflows_new_files_in_whodata + description: Verify if files are added over the queue's size, and time passes, new files are detected in whodata mode + configuration_parameters: + TEST_DIRECTORIES: / + QUEUE_SIZE: 20 + MAX_EPS: 4 + FREQUENCY: 10 + metadata: + files_first_insert: 24 + queue_size: 20 + wait_time: 5 + files_second_insert: 10 + fim_mode: whodata diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_overflow.yaml b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_overflow.yaml new file mode 100644 index 0000000000..d4030b14ea --- /dev/null +++ b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_overflow.yaml 
@@ -0,0 +1,8 @@ +- name: audit_buffer_overflows + description: Verify if files are added over the queue's size, it overflows and files are detected in scheduled mode. + configuration_parameters: + TEST_DIRECTORIES: / + metadata: + files_to_add: 15 + whodata_events: 10 + fim_mode: whodata diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_values.yaml b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_values.yaml new file mode 100644 index 0000000000..83635eb1dd --- /dev/null +++ b/tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_values.yaml 
@@ -0,0 +1,56 @@ +- name: queue_size_100_value_inside_range_starts_properly + description: Verify if value set is inside valid range it is configured and whodata starts correctly. + configuration_parameters: + QUEUE_SIZE: 100 + metadata: + queue_size: 100 + audit_starts: true + valid_range: true + +- name: queue_size_10_Lower_limit_starts_properly + description: Verify if value set is the lower allowed limit, whodata starts correctly + configuration_parameters: + QUEUE_SIZE: 10 + metadata: + queue_size: 10 + valid_range: true + audit_starts: true + +- name: queue_size_1048576_upper_limit_starts_properly + description: Verify if value set to the upper limit whodata starts correctly. + configuration_parameters: + QUEUE_SIZE: 1048576 + metadata: + queue_size: 1048576 + audit_starts: true + valid_range: true + +- name: queue_size_invalid_value_below_minimum + description: Verify if value set is below allowed minimum, whodata fails to start. + configuration_parameters: + QUEUE_SIZE: 9 + metadata: + queue_size: 9 + valid_range: false + audit_starts: false + fail_reason: invalid_value + +- name: queue_size_invalid_value_above_maximum + description: Verify if value set is above allowed minimum, whodata fails to start. + configuration_parameters: + QUEUE_SIZE: 1048577 + metadata: + queue_size: 1048577 + valid_range: false + audit_starts: false + fail_reason: invalid_value + +- name: queue_size_invalid_value_invalid_characters + description: Verify if value set using characters instead of only numbers, whodata fails to start. + configuration_parameters: + QUEUE_SIZE: 100c + metadata: + queue_size: 100c + valid_range: false + audit_starts: false + fail_reason: invalid_value diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py new file mode 100644 index 0000000000..1667a207fd --- /dev/null 
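Review bot: The description of `queue_size_invalid_value_above_maximum` says `above allowed minimum`; it should read `Verify if value set is above allowed maximum, whodata fails to start.` The case name `queue_size_10_Lower_limit_starts_properly` mixes capitalization with its sibling `queue_size_1048576_upper_limit_starts_properly`; `queue_size_10_lower_limit_starts_properly` keeps the generated test ids uniform. The order of the `valid_range`/`audit_starts` metadata keys also alternates between cases; harmless, but worth aligning.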
+++ b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_behavior.py 
@@ -0,0 +1,308 @@ +''' +copyright: Copyright (C) 2015-2023, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are + added, modified or deleted. It can monitor using Audit information (whodata mode). Whodata mode has an option + 'queue_size' that will save whodata events up until it is full so it can decode them and generate alerts. Events + in excess of the queue will be dropped and handled in the next scheduled scan. This is done to avoid blocking + the audit socket. This tests aim to test the behavior of the queue, by inserting files above or below the set + value for queue_size, and verify if events were detected in whodata or scheduled mode appropiately. + +components: + - fim + +suite: audit_buffer + +targets: + - agent + +daemons: + - wazuh-syscheckd + +os_platform: + - linux + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - Debian Buster + - Red Hat 8 + - Ubuntu Focal + - Ubuntu Bionic + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + +pytest_args: + - fim_mode: + scheduled: File monitoring is done after every configured interval elapses. + realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the 'who-data' information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. + 1: Only level 1 tests are performed, they check functionalities of medium complexity. + 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. 
+ +tags: + - windows_folder_redirection +''' +import os + + +import pytest +from wazuh_testing import LOG_FILE_PATH, REGULAR, T_10, T_20 +from wazuh_testing.tools import PREFIX +from wazuh_testing.tools.configuration import get_test_cases_data, load_configuration_template +from wazuh_testing.tools.monitoring import FileMonitor +from wazuh_testing.tools.file import create_file +from wazuh_testing.modules.fim import TEST_DIR_1 +from wazuh_testing.modules.fim import FIM_DEFAULT_LOCAL_INTERNAL_OPTIONS as local_internal_options +from wazuh_testing.modules.fim.event_monitor import (callback_detect_file_added_event, detect_audit_queue_full, + detect_initial_scan_start, get_messages) + + +# Marks +pytestmark = [pytest.mark.linux, pytest.mark.tier(level=1)] + +# Variables +test_folders = [os.path.join(PREFIX, TEST_DIR_1)] + +# Reference paths +TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') +CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration_templates') +TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases') + + +# Configuration and cases data +configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_audit_buffer_behavior.yaml') +t1_test_cases_path = os.path.join(TEST_CASES_PATH, 'cases_audit_buffer_no_overflow.yaml') +t2_test_cases_path = os.path.join(TEST_CASES_PATH, 'cases_audit_buffer_overflow.yaml') + +# Test configurations +t1_configuration_parameters, t1_configuration_metadata, t1_test_case_ids = get_test_cases_data(t1_test_cases_path) +for count, value in enumerate(t1_configuration_parameters): + t1_configuration_parameters[count]['TEST_DIRECTORIES'] = test_folders[0] +t1_configurations = load_configuration_template(configurations_path, t1_configuration_parameters, + t1_configuration_metadata) + +# Test configurations +t2_configuration_parameters, t2_configuration_metadata, t2_test_case_ids = get_test_cases_data(t2_test_cases_path) +for count, value in enumerate(t2_configuration_parameters): + 
t2_configuration_parameters[count]['TEST_DIRECTORIES'] = test_folders[0] +t2_configurations = load_configuration_template(configurations_path, t2_configuration_parameters, + t2_configuration_metadata) + + +# Tests +@pytest.mark.parametrize('test_folders', [test_folders], ids='') +@pytest.mark.parametrize('configuration, metadata', zip(t1_configurations, t1_configuration_metadata), + ids=t1_test_case_ids) +def test_audit_buffer_no_overflow(configuration, metadata, test_folders, set_wazuh_configuration, + create_monitored_folders, configure_local_internal_options_function, + restart_syscheck_function, wait_syscheck_start): + ''' + description: Check that when files are added equal to the whodata "queue_size", the queue does not overflow, all + files are detected in whodata mode, and after the next scan no file is detected in scheduled mode. + + + test_phases: + - setup: + - Set wazuh configuration and local_internal_options. + - Create custom folder for monitoring + - Clean logs files and restart wazuh to apply the configuration. + - test: + - Insert a given amount of files + - Check that no "queue full" message is detected (Queue has not overflown) + - Validate real-time whodata thread is started correctly + - On invalid values, validate error and that whodata does not start. + - teardown: + - Delete custom monitored folder + - Restore configuration + - Stop wazuh + + wazuh_min_version: 4.5.0 + + tier: 1 + + parameters: + - configuration: + type: dict + brief: Configuration values to apply. + - metadata: + type: dict + brief: Test case data. + - test_folders: + type: dict + brief: List of folders to be created for monitoring. + - set_wazuh_configuration: + type: fixture + brief: Set wazuh configuration. + - create_monitored_folders: + type: fixture + brief: Create a given list of folders when the test starts. Delete the folders at the end of the test. + - configure_local_internal_options_function: + type: fixture + brief: Set local_internal_options file. 
+ - restart_syscheck_function: + type: fixture + brief: restart syscheckd daemon, and truncate the log files. + - wait_syscheck_start: + type: fixture + brief: check that the starting FIM scan is detected. + + assertions: + - Verify the queue does not overflow after inserting files + - Verify all files are detected in whodata mode + + input_description: The file 'configuration_audit_buffer_behavior' provides the configuration template. + The file 'cases_audit_buffer_no_overflow.yaml' provides the test cases details for each case. + + expected_output: + - r".*(Internal audit queue is full). Some events may be lost. Next scheduled scan will recover lost data." + - r".*Sending FIM event: (.+)$" + ''' + wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) + files_to_add = metadata['files_to_add'] + whodata_events = files_to_add + + # Insert an ammount of files + for file in range(0, files_to_add): + create_file(REGULAR, test_folders[0], f'test_file_{file}', content='') + + # Check that queue has not been overflown + with pytest.raises(TimeoutError): + detect_audit_queue_full(wazuh_log_monitor, update_position=False) + + # Get all file events + results = wazuh_log_monitor.start(timeout=T_10, callback=callback_detect_file_added_event, + accum_results=whodata_events, + error_message=f"Did not receive the expected {whodata_events} amount of \ + whodata file added events").result() + # Check all files are detected in whodata mode + for result in results: + assert result['data']['mode'] == 'whodata', f"Expected whodata event, found {result['data']['mode']} event" + + # Detect next scheduled scan + detect_initial_scan_start(wazuh_log_monitor, timeout=T_10) + + # Check no events are found after scan. 
+ with pytest.raises(TimeoutError): + wazuh_log_monitor.start(timeout=T_20, callback=callback_detect_file_added_event, + accum_results=1, error_message="Found unexpected file added event \ + in during scheduled scan") + + +@pytest.mark.parametrize('test_folders', [test_folders], ids='', scope='module') +@pytest.mark.parametrize('configuration, metadata', zip(t2_configurations, t2_configuration_metadata), + ids=t2_test_case_ids) +def test_audit_buffer_overflow(configuration, metadata, test_folders, set_wazuh_configuration, + create_monitored_folders_module, configure_local_internal_options_function, + restart_syscheck_function, wait_syscheck_start): + ''' + description: Check that when files are exceeding the whodata "queue_size" value the queue overflows, and the + excess files files are detected in scheduled mode, and after the next scheduled scan. + + test_phases: + - setup: + - Set wazuh configuration and local_internal_options. + - Create custom folder for monitoring + - Clean logs files and restart wazuh to apply the configuration. + - test: + - Insert a given number of files + - Check that the "queue_full" event appears + - Check the amount of files that were detected prior to the queue being full + - Check the excess files are detected in scheduled mode after the following scan + - teardown: + - Delete custom monitored folder + - Restore configuration + - Stop wazuh + + wazuh_min_version: 4.5.0 + + tier: 2 + + parameters: + - configuration: + type: dict + brief: Configuration values to apply to wazuh. + - metadata: + type: dict + brief: Test case data. + - test_folders: + type: dict + brief: List of folders to be created for monitoring. + - set_wazuh_configuration: + type: fixture + brief: Set wazuh configuration. + - create_monitored_folders: + type: fixture + brief: Create a given list of folders when the test starts. Delete the folders at the end of the test. 
+ - configure_local_internal_options_function: + type: fixture + brief: Set local internal options file. + - restart_syscheck_function: + type: fixture + brief: restart syscheckd daemon, and truncate the log files. + - wait_syscheck_start: + type: fixture + brief: check that the starting FIM scan is detected. + + assertions: + - Verify when queue is full an event informs audit events may be lost + - Verify that files detected in whodata mode before it being full are equal or more than the configured value + - Verify the excess files inserted after queue full are detected in scheduled mode. + + input_description: The file 'configuration_audit_buffer_behavior' provides the configuration template. + The file 'cases_audit_buffer_overflow.yaml' provides the test cases configuration + details for each test case. + + expected_output: + - r".*(Internal audit queue is full). Some events may be lost. Next scheduled scan will recover lost data." + - r".*Sending FIM event: (.+)$" + ''' + wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) + files_to_add = metadata['files_to_add'] + + # Insert an ammount of files + for file in range(0, files_to_add): + create_file(REGULAR, test_folders[0], f'test_file_{file}', content='') + + # Detect If queue_full message has been generated + detect_audit_queue_full(wazuh_log_monitor, update_position=False) + + # Get all file added events + results = get_messages(callback_detect_file_added_event, timeout=T_10) + + # Check the ammount of added events in whodata mode is equal or more than the expected value + found_whodata_events = 0 + for result in results: + if result['data']['mode'] == 'whodata': + found_whodata_events = found_whodata_events + 1 + assert found_whodata_events >= metadata['whodata_events'], f"Found less whodata File added events \ + than the expected {metadata['whodata_events']}" + + # Wait for scheduled scan so the rest of file events are generated + detect_initial_scan_start(wazuh_log_monitor, timeout=T_10) + + # Get all file 
added events + results = get_messages(callback_detect_file_added_event, timeout=T_10) + + # Check the amount of added events in scheduled mode is equal to the amount of files created + # minus the generated whodata events + scheduled_events = files_to_add - found_whodata_events + found_scheduled_events = 0 + for result in results: + if result['data']['mode'] == 'scheduled': + found_scheduled_events += 1 + + assert found_scheduled_events == scheduled_events, f"Wrong amount of scheduled events found. Found \ + {found_scheduled_events}, Expected {scheduled_events}" diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_configuration.py b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_configuration.py new file mode 100644 index 0000000000..f49af1c36a --- /dev/null +++ b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_configuration.py 
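Review bot: Several error strings in test_audit_buffer_no_overflow and test_audit_buffer_overflow use a backslash line continuation inside an f-string (e.g. `f"Did not receive the expected {whodata_events} amount of \` followed by `whodata file added events"`), which embeds the next line's indentation as a long run of spaces in the message; implicit concatenation of two adjacent literals inside the call's parentheses avoids that. The module header's `tags: - windows_folder_redirection` is copied from another suite and does not describe a Linux audit-buffer test (the same tag appears in the test_audit_buffer_configuration.py header), test_audit_buffer_overflow's docstring says `tier: 2` while the module marks `tier(level=1)`, and it documents `create_monitored_folders` although the signature takes `create_monitored_folders_module`. The two counting loops could be `found_whodata_events = sum(1 for r in results if r['data']['mode'] == 'whodata')` (and likewise for `'scheduled'`), which also removes the mixed `x = x + 1` / `x += 1` styles.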
@@ -0,0 +1,270 @@
+'''
+copyright: Copyright (C) 2015-2023, Wazuh Inc.
+
+ Created by Wazuh, Inc. .
+
+ This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are
+ added, modified or deleted. It can monitor using Audit information (whodata mode). Whodata mode has an option
+ 'queue_size' that will save whodata events up until it is full so it can decode them and generate alerts. Events
+ in excess of the queue will be dropped and handled in the next scheduled scan. This is done to avoid blocking
+ the audit socket.
+
+components:
+ - fim
+
+suite: audit_buffer
+
+targets:
+ - manager
+ - agent
+
+daemons:
+ - wazuh-syscheckd
+
+os_platform:
+ - linux
+
+os_version:
+ - Arch Linux
+ - Amazon Linux 2
+ - Amazon Linux 1
+ - CentOS 8
+ - CentOS 7
+ - Debian Buster
+ - Red Hat 8
+ - Ubuntu Focal
+ - Ubuntu Bionic
+
+references:
+ - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+
+pytest_args:
+ - fim_mode:
+ whodata: Implies real-time monitoring but adding the 'who-data' information.
+ - tier:
+ 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+ 1: Only level 1 tests are performed, they check functionalities of medium complexity.
+ 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+ +tags: + - windows_folder_redirection +''' +import os + + +import pytest +from wazuh_testing import LOG_FILE_PATH, T_5 +from wazuh_testing.tools import PREFIX +from wazuh_testing.tools.configuration import get_test_cases_data, load_configuration_template +from wazuh_testing.tools.monitoring import FileMonitor +from wazuh_testing.modules.fim import TEST_DIR_1, AUDIT_QUEUE_SIZE_DEFAULT_VALUE +from wazuh_testing.modules.fim import FIM_DEFAULT_LOCAL_INTERNAL_OPTIONS as local_internal_options +from wazuh_testing.modules.fim.event_monitor import (get_configured_whodata_queue_size, detect_audit_queue_full, + detect_invalid_conf_value, detect_audit_healthcheck_failed, + detect_whodata_start) + + +# Marks +pytestmark = [pytest.mark.linux, pytest.mark.tier(level=1)] + +# Variables +test_folders = [os.path.join(PREFIX, TEST_DIR_1)] + +# Reference paths +TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') +CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration_templates') +TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases') + +# ---------------------------------------TEST_AUDIT_BUFFER_DEFAULT------------------------------------------- +# Configuration and cases data +t1_test_cases_path = os.path.join(TEST_CASES_PATH, 'cases_audit_buffer_default.yaml') +t1_configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_audit_buffer_default.yaml') + +# Test configurations +t1_configuration_parameters, t1_configuration_metadata, t1_test_case_ids = get_test_cases_data(t1_test_cases_path) +for count, value in enumerate(t1_configuration_parameters): + t1_configuration_parameters[count]['TEST_DIRECTORIES'] = test_folders[0] +t1_configurations = load_configuration_template(t1_configurations_path, t1_configuration_parameters, + t1_configuration_metadata) + +# ---------------------------------------TEST_AUDIT_BUFFER_VALUES------------------------------------------- +# Configuration and cases data +t2_test_cases_path = 
os.path.join(TEST_CASES_PATH, 'cases_audit_buffer_values.yaml') +t2_configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_audit_buffer_values.yaml') + +# Test configurations +t2_configuration_parameters, t2_configuration_metadata, t2_test_case_ids = get_test_cases_data(t2_test_cases_path) +for count, value in enumerate(t2_configuration_parameters): + t2_configuration_parameters[count]['TEST_DIRECTORIES'] = test_folders[0] +t2_configurations = load_configuration_template(t2_configurations_path, t2_configuration_parameters, + t2_configuration_metadata) + + +# Tests +@pytest.mark.parametrize('test_folders', [test_folders], ids='', scope='module') +@pytest.mark.parametrize('configuration, metadata', zip(t1_configurations, t1_configuration_metadata), + ids=t1_test_case_ids) +def test_audit_buffer_default(configuration, metadata, test_folders, set_wazuh_configuration, + create_monitored_folders_module, configure_local_internal_options_function, + restart_syscheck_function): + ''' + description: Check if the default configured value for whodata's 'queue_size' option. Also verify that the whodata + thread is started correctly. + + test_phases: + - setup: + - Set wazuh configuration and local_internal_options. + - Create custom folder for monitoring + - Clean logs files and restart wazuh to apply the configuration. + - test: + - Assert configured queue_size value is default value + - Validate real-time whodata thread is started correctly + - teardown: + - Delete custom monitored folder + - Restore configuration + - Stop wazuh + + wazuh_min_version: 4.5.0 + + tier: 0 + + parameters: + - configuration: + type: dict + brief: Configuration values to apply. + - metadata: + type: dict + brief: Test case data. + - test_folders: + type: dict + brief: List of folders to be created for monitoring. + - set_wazuh_configuration: + type: fixture + brief: Set wazuh configuration. 
+ - create_monitored_folders_module: + type: fixture + brief: Create a given list of folders when the module starts. Delete the folders at the end of the module. + - configure_local_internal_options_function: + type: fixture + brief: Set local_internal_options file. + - restart_syscheck_function: + type: fixture + brief: restart syscheckd daemon, and truncate the log files. + + assertions: + - Verify configured queue_size value is default value + - Verify real-time whodata thread is started correctly + + input_description: The file 'configuration_audit_buffer_default.yaml' provides the configuration + template. + The file 'cases_audit_buffer_default.yaml' provides the tes cases configuration + details for each test case. + + expected_output: + - r".*Internal audit queue size set to \'(.*)\'." + - r'.*File integrity monitoring (real-time Whodata) engine started.*' + ''' + wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) + + # Detect configured value + configured_value = get_configured_whodata_queue_size(wazuh_log_monitor) + assert str(AUDIT_QUEUE_SIZE_DEFAULT_VALUE) in configured_value, 'Unexpected "queue_size" value found in ossec.log' + + # Detect real-time whodata thread started correctly + detect_whodata_start(wazuh_log_monitor) + + +@pytest.mark.parametrize('test_folders', [test_folders], ids='', scope='module') +@pytest.mark.parametrize('configuration, metadata', zip(t2_configurations, t2_configuration_metadata), + ids=t2_test_case_ids) +def test_audit_buffer_values(configuration, metadata, test_folders, set_wazuh_configuration, + create_monitored_folders_module, configure_local_internal_options_function, + restart_syscheck_function): + ''' + description: Check when setting values to whodata's 'queue_size' option. The value is configured correctly.Also, + verify that the whodata thread is started correctly when value is inside valid range, and it fails + to start with values outside range and error messages are shown accordingly. 
+ + test_phases: + - setup: + - Set wazuh configuration and local_internal_options. + - Create custom folder for monitoring + - Clean logs files and restart wazuh to apply the configuration. + - test: + - Assert configured queue_size value is default value + - Validate real-time whodata thread is started correctly + - On invalid values, validate error and that whodata does not start. + - teardown: + - Delete custom monitored folder + - Restore configuration + - Stop wazuh + + wazuh_min_version: 4.5.0 + + tier: 1 + + parameters: + - configuration: + type: dict + brief: Configuration values to apply. + - metadata: + type: dict + brief: Test case data. + - test_folders: + type: dict + brief: List of folders to be created for monitoring. + - set_wazuh_configuration: + type: fixture + brief: Set wazuh configuration. + - create_monitored_folders_module: + type: fixture + brief: Create a given list of folders when the module starts. Delete the folders at the end of the module. + - configure_local_internal_options_function: + type: fixture + brief: Set local internal options file. + - restart_syscheck_function: + type: fixture + brief: restart syscheckd daemon, and truncate the log files. + + assertions: + - Verify when queue is full an event informs audit events may be lost + - Verify when queue is full at start up audit healthcheck fails and does not start + - Verify when using invalid values an error message is shown and does not start + - Verify configured queue_size value + - Verify real-time whodata thread is started correctly + + input_description: The file 'configuration_audit_buffer_values' provides the configuration template. + The file 'cases_audit_buffer_values.yaml' provides the tes cases configuration + details for each test case. + + expected_output: + - r".*(Internal audit queue is full). Some events may be lost. Next scheduled scan will recover lost data." + - r".*(Audit health check couldn't be completed correctly)." 
+ - fr".*Invalid value for element (\'{element}\': .*)" + - r".*Internal audit queue size set to \'(.*)\'." + - r'.*File integrity monitoring (real-time Whodata) engine started.*' + ''' + wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) + + if metadata['valid_range']: + # Detect configured value + configured_value = get_configured_whodata_queue_size(wazuh_log_monitor) + assert str(metadata['queue_size']) in configured_value, 'Unexpected value found in "queue_size" in ossec.conf' + + if not metadata['audit_starts']: + # Detect cause of failure + if metadata['fail_reason'] == 'queue_full': + detect_audit_queue_full(wazuh_log_monitor) + detect_audit_healthcheck_failed(wazuh_log_monitor) + elif metadata['fail_reason'] == 'invalid_value': + detect_invalid_conf_value(wazuh_log_monitor, element='queue_size') + with pytest.raises(TimeoutError): + # Detect real-time whodata thread does not start + detect_whodata_start(wazuh_log_monitor, timeout=T_5) + else: + # Detect whodata thread started correctly + detect_whodata_start(wazuh_log_monitor) diff --git a/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_over_time.py b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_over_time.py new file mode 100644 index 0000000000..801dcd267d --- /dev/null +++ b/tests/integration/test_fim/test_files/test_audit_buffer/test_audit_buffer_over_time.py 
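Review bot: The queue-size checks in test_audit_buffer_default and test_audit_buffer_values are substring tests, `assert str(AUDIT_QUEUE_SIZE_DEFAULT_VALUE) in configured_value` and `assert str(metadata['queue_size']) in configured_value`, so a logged value such as '116384', or '10000' for a configured 1000, would still pass; if get_configured_whodata_queue_size returns the captured group of CB_WHODATA_QUEUE_SIZE (its definition is outside this diff), compare for equality instead: `assert configured_value == str(AUDIT_QUEUE_SIZE_DEFAULT_VALUE), 'Unexpected "queue_size" value found in ossec.log'` and `assert configured_value == str(metadata['queue_size']), ...`. The test_audit_buffer_default docstring states `tier: 0` while the module-level pytestmark applies `tier(level=1)`, and the test_audit_buffer_values docstring repeats the phase "Assert configured queue_size value is default value" although that test checks the case's own `queue_size`. The module header carries `tags: - windows_folder_redirection`, which looks copied from another suite for a Linux-only audit test; `audit_buffer` would describe it.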
@@ -0,0 +1,322 @@ +''' +copyright: Copyright (C) 2015-2023, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are + added, modified or deleted. It can monitor using Audit information (whodata mode). Whodata mode has an option + 'queue_size' that will save whodata events up until it is full so it can decode them and generate alerts. Events + in excess of the queue will be dropped and handled in the next scheduled scan. This is done to avoid blocking + the audit socket. Events in the queue are processed and removed from the queue, at a rate set my the max_eps tag. + This tests aim to test the behavior of the queue in conjunction with max_eps, that fill/overflow the queue, then + waiting for events to be processed and inserting files again, to verify files are processed in expected modes. + +components: + - fim + +suite: audit_buffer + +targets: + - agent + +daemons: + - wazuh-syscheckd + +os_platform: + - linux + +os_version: + - Arch Linux + - Amazon Linux 2 + - Amazon Linux 1 + - CentOS 8 + - CentOS 7 + - Debian Buster + - Red Hat 8 + - Ubuntu Focal + - Ubuntu Bionic + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + +pytest_args: + - fim_mode: + scheduled: File monitoring is done after every configured interval elapses. + realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the 'who-data' information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. + 1: Only level 1 tests are performed, they check functionalities of medium complexity. 
+ 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. + +tags: + - windows_folder_redirection +''' +import os +import time + +import pytest +from wazuh_testing import LOG_FILE_PATH, REGULAR, T_60, T_20 +from wazuh_testing.tools import PREFIX +from wazuh_testing.tools.configuration import get_test_cases_data, load_configuration_template +from wazuh_testing.tools.monitoring import FileMonitor +from wazuh_testing.tools.file import create_file +from wazuh_testing.modules.fim import TEST_DIR_1 +from wazuh_testing.modules.fim import FIM_DEFAULT_LOCAL_INTERNAL_OPTIONS as local_internal_options +from wazuh_testing.modules.fim.event_monitor import (callback_detect_file_added_event, detect_audit_queue_full, + get_messages) + + +# Marks +pytestmark = [pytest.mark.linux, pytest.mark.tier(level=1)] + +# Variables +test_folders = [os.path.join(PREFIX, TEST_DIR_1)] + +# Reference paths +TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') +CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration_templates') +TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases') + + +# Configuration and cases data +configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_audit_buffer_over_time.yaml') +t1_test_cases_path = os.path.join(TEST_CASES_PATH, 'cases_audit_buffer_over_time_no_overflow.yaml') +t2_test_cases_path = os.path.join(TEST_CASES_PATH, 'cases_audit_buffer_over_time_overflow.yaml') + +# Test configurations +t1_configuration_parameters, t1_configuration_metadata, t1_test_case_ids = get_test_cases_data(t1_test_cases_path) +for count, value in enumerate(t1_configuration_parameters): + t1_configuration_parameters[count]['TEST_DIRECTORIES'] = test_folders[0] +t1_configurations = load_configuration_template(configurations_path, t1_configuration_parameters, + t1_configuration_metadata) + +# Test configurations +t2_configuration_parameters, t2_configuration_metadata, t2_test_case_ids = 
get_test_cases_data(t2_test_cases_path) +for count, value in enumerate(t2_configuration_parameters): + t2_configuration_parameters[count]['TEST_DIRECTORIES'] = test_folders[0] +t2_configurations = load_configuration_template(configurations_path, t2_configuration_parameters, + t2_configuration_metadata) + + +# Tests +@pytest.mark.parametrize('test_folders', [test_folders], ids='') +@pytest.mark.parametrize('configuration, metadata', zip(t1_configurations, t1_configuration_metadata), + ids=t1_test_case_ids) +def test_audit_buffer_over_time_no_overflow(configuration, metadata, test_folders, set_wazuh_configuration, + create_monitored_folders, configure_local_internal_options_function, + restart_syscheck_function, wait_syscheck_start): + ''' + description: This test validates the behavior of "queue_size" in tandem with "max_eps". Check that when files are + added equal to the whodata "queue_size" the queue does not overflow, after some files are processed + adding new files that do not exceed the empty space in the queue, all files are detected in whodata + mode. + test_phases: + - setup: + - Set wazuh configuration and local_internal_options. + - Create custom folder for monitoring + - Clean logs files and restart wazuh to apply the configuration. + - test: + - Insert enough files to fill queue + - Wait x seconds for space to be freed in queue + - Insert enough files to fill queue again + - Validate queue was full + - Validate no event was dropped and all events were detected in whodata mode + - teardown: + - Delete custom monitored folder + - Restore configuration + - Stop wazuh + + wazuh_min_version: 4.5.0 + + tier: 2 + + parameters: + - configuration: + type: dict + brief: Configuration values to apply to wazuh. + - metadata: + type: dict + brief: Test case data. + - test_folders: + type: dict + brief: List of folders to be created for monitoring. + - set_wazuh_configuration: + type: fixture + brief: Set wazuh configuration. 
+ - create_monitored_folders_module: + type: fixture + brief: Create a given list of folders when the module starts. Delete the folders at the end of the module. + - configure_local_internal_options_function: + type: fixture + brief: Set local_internal_options file. + - restart_syscheck_function: + type: fixture + brief: restart syscheckd daemon, and truncate the log files. + - wait_syscheck_start: + type: fixture + brief: check that the starting FIM scan is detected. + + assertions: + - Verify whadata queue is full + - Verify all inserted files are detected in whodata mode if files are inserted after queue space is freed + + input_description: The file 'configuration_audit_buffer_over_time.yaml' provides the configuration + template. + The file 'cases_audit_buffer_over_time_no_overflow.yaml' provides the tes cases configuration + details for each test case. + + expected_output: + - r".*(Internal audit queue is full). Some events may be lost. Next scheduled scan will recover lost data." + - r".*Sending FIM event: (.+)$" + ''' + wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) + whodata_events = metadata['files_first_insert'] + metadata['files_second_insert'] + + # Wait for FIM to process all initial whodata messages + time.sleep(2) + + # Insert an amount of files + for file in range(0, metadata['files_first_insert']): + create_file(REGULAR, test_folders[0], f'test_file_{file}', content='') + + # Wait for files to be processed + time.sleep(metadata['wait_time']) + + # Insert a second amount of files + for file in range(0, metadata['files_second_insert']): + create_file(REGULAR, test_folders[0], f'test_file_second_insert_{file}', content='') + + # Detect audit queue is full + with pytest.raises(TimeoutError): + detect_audit_queue_full(wazuh_log_monitor, update_position=False) + + # Get all file events + results = wazuh_log_monitor.start(timeout=T_60, callback=callback_detect_file_added_event, + accum_results=whodata_events, + error_message=f"Did not receive the 
expected amount of \ + whodata file added events").result() + # Validate all files where found in whodata mode - no files where dropped + for result in results: + assert result['data']['mode'] == 'whodata', f"Expected whodata event, found {result['data']['mode']} event" + + +@pytest.mark.parametrize('test_folders', [test_folders], ids='') +@pytest.mark.parametrize('configuration, metadata', zip(t2_configurations, t2_configuration_metadata), + ids=t2_test_case_ids) +def test_audit_buffer_overflow(configuration, metadata, test_folders, set_wazuh_configuration, + create_monitored_folders, configure_local_internal_options_function, + restart_syscheck_function, wait_syscheck_start): + ''' + description: This test validates the behavior of "queue_size" in tandem with "max_eps". Check that when files are + added causing whodata queue to overflow, and after some files are processed, if new files are added + that do not exceed the empty space in the queue, only the files from the first insertion, that caused + the overflow are detected in scheduled mode. All files from second insertion are detected in whodata. + + test_phases: + - setup: + - Set wazuh configuration and local_internal_options. + - Create custom folder for monitoring + - Clean logs files and restart wazuh to apply the configuration. + - test: + - Insert enough files to fill queue + - Detect if whodata queue has overflowed + - Wait x seconds for space to be freed in queue + - Insert files a second time + - Validate only files from the first insert were detected in scheduled mode + - Validate a all files from the second insert are detected. + - teardown: + - Delete custom monitored folder + - Restore configuration + - Stop wazuh + + wazuh_min_version: 4.5.0 + + tier: 2 + + parameters: + - configuration: + type: dict + brief: Configuration values to apply to wazuh. + - metadata: + type: dict + brief: Test case data. + - test_folders: + type: dict + brief: List of folders to be created for monitoring. 
+ - set_wazuh_configuration: + type: fixture + brief: Set wazuh configuration. + - create_monitored_folders_module: + type: fixture + brief: Create a given list of folders when the module starts. Delete the folders at the end of the module. + - configure_local_internal_options_function: + type: fixture + brief: Set local_internal_options file. + - restart_syscheck_function: + type: fixture + brief: restart syscheckd daemon, and truncate the log files. + - wait_syscheck_start: + type: fixture + brief: check that the starting FIM scan is detected. + + assertions: + - Verify when queue is full an event informs audit events may be lost + - Verify when queue is full at start up audit healthcheck fails and does not start + - Verify when using invalid values an error message is shown and does not start + - Verify configured queue_size value + - Verify real-time whodata thread is started correctly + + input_description: The file 'configuration_audit_buffer_over_time.yaml' provides the configuration template. + The file 'cases_audit_buffer_over_time_overflow.yaml' provides the tes cases configuration + details for each test case. + + expected_output: + - r".*(Internal audit queue is full). Some events may be lost. Next scheduled scan will recover lost data." + - r".*(Audit health check couldn't be completed correctly)." + - fr".*Invalid value for element (\'{element}\': .*)" + - r".*Internal audit queue size set to \'(.*)\'." 
+ - r'.*File integrity monitoring (real-time Whodata) engine started.*' + ''' + wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) + files_first_insert = metadata['files_first_insert'] + files_second_insert = metadata['files_second_insert'] + total_files = files_first_insert + files_second_insert + + # Wait for FIM to process all initial whodata messages + time.sleep(2) + + # Insert an ammount of files + for file in range(0, files_first_insert): + create_file(REGULAR, test_folders[0], f'test_file_first_insert_{file}', content='') + + # Wait for files to be processed + time.sleep(metadata["wait_time"]) + + # Detect If queue_full message has been generated + detect_audit_queue_full(wazuh_log_monitor, update_position=False) + + # Insert a second amount of files + for file in range(0, files_second_insert): + create_file(REGULAR, test_folders[0], f'test_file_second_insert_{file}', content='') + + # Get all file added events + results = get_messages(callback_detect_file_added_event, timeout=T_20, max_events=total_files) + + second_set_events = 0 + for result in results: + # Check that all of the files processed in scheduled mode where from the first batch only + if result['data']['mode'] == 'scheduled': + assert 'test_file_first_insert_' in result['data']['path'], "Expected only files from first set to be in\ + scheduled mode, found file from second set" + # Count the events detected from second batch of files. Will only contain whodata because of previous assert + if 'test_file_second_insert_' in result['data']['path']: + second_set_events += 1 + + # Check that all the files from the second insert have been detected + assert second_set_events == files_second_insert, f"Unexpected amount of files detected from second insert, found: \ + {second_set_events}, expected: {files_second_insert}" 
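Review bot: The docstring of test_audit_buffer_overflow lists assertions and expected_output entries (audit health check failure, invalid configuration value, queue size set, whodata engine started) that this test never checks; it should list only the queue-full message and the `Sending FIM event` line, and the two assertions actually made (scheduled events come only from the first insert; every second-insert file is detected). Both docstrings document a `create_monitored_folders_module` fixture while the functions take `create_monitored_folders`, the no_overflow docstring's "Verify whadata queue is full" contradicts the `pytest.raises(TimeoutError)` that asserts the queue never fills, and `tags: - windows_folder_redirection` does not fit a Linux-only audit suite. Separately, the second-insert count in the final loop accepts any non-scheduled mode; to pin the documented "detected in whodata" contract add `assert result['data']['mode'] == 'whodata', f"Expected whodata event, found {result['data']['mode']} event"` inside the `test_file_second_insert_` branch before incrementing the counter.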
diff --git a/tests/integration/test_fim/test_registry/test_registry_wildcards/test_registry_wildcards.py b/tests/integration/test_fim/test_registry/test_registry_wildcards/test_registry_wildcards.py
index 68ff46df9a..648793fbe5 100644
--- a/tests/integration/test_fim/test_registry/test_registry_wildcards/test_registry_wildcards.py
+++ b/tests/integration/test_fim/test_registry/test_registry_wildcards/test_registry_wildcards.py
@@ -72,7 +72,7 @@
 # Reference paths
 TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data')
-CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration_templates')
+CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration_template')
 TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases')
 
 # Configuration and cases data