Add Audit Buffer IT support

CHANGELOG.md

@@ -9,6 +9,7 @@ Release report: TBD
 
 ### Added
 
+- Add tests for new FIM audit buffer option. ([#4399](https:/wazuh/wazuh-qa/pull/4399)) \- (Framework + tests)
 - Add callbacks and IT tests for Integratord options tag. ([#4108](https:/wazuh/wazuh-qa/pull/4108)) \- (Framework + tests)
 
 ### Changed

deps/wazuh_testing/wazuh_testing/modules/fim/__init__.py

@@ -175,7 +175,7 @@
 # Syscheck values
 DIFF_LIMIT_VALUE = 2
 DIFF_DEFAULT_LIMIT_VALUE = 51200
-
+AUDIT_QUEUE_SIZE_DEFAULT_VALUE = 16384
 
 # FIM modes
 SCHEDULED_MODE = 'scheduled'

deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py

@@ -7,8 +7,9 @@
 
 from sys import platform
 from datetime import datetime
-from wazuh_testing import LOG_FILE_PATH, logger, T_60, T_30
+from wazuh_testing import LOG_FILE_PATH, logger, T_60, T_30, T_10
 from wazuh_testing.tools.monitoring import FileMonitor, generate_monitoring_callback
+from wazuh_testing.modules.fim import MAX_EVENTS_VALUE
 
 
 # Variables
@@ -56,6 +57,9 @@
 CB_RECIEVED_EVENT_4719 = r'.*win_whodata.*(Event 4719).*Switching directories to realtime'
 CB_FIM_REGISTRY_ENTRIES_COUNT = r".*Fim registry entries count: '(.*)'"
 CB_FIM_REGISTRY_VALUES_ENTRIES_COUNT = r".*Fim registry values entries count: '(.*)'"
+CB_WHODATA_QUEUE_SIZE = r".*Internal audit queue size set to \'(.*)\'."
+CB_WHODATA_QUEUE_FULL = r".*(Internal audit queue is full). Some events may be lost.*"
+CB_AUDIT_HEALTHCHECK_FAILED = r".*(Audit health check couldn't be completed correctly)."
 
 # Error message
 ERR_MSG_REALTIME_FOLDERS_EVENT = 'Did not receive expected "Folders monitored with real-time engine" event'
@@ -111,6 +115,19 @@
 ERR_MSG_WHODATA_REALTIME_MODE_CHANGE_EVENT = 'Expected "directory starts to monitored in real-time" event not received'
 
 
+def create_error_message(message, source=LOG_FILE_PATH):
+ """
+ Creates an error message from an event.
+ Args:
+ message(str): Message that will be shown in error message
+ source(str): name of log file where the event was expected from (default: LOG_FILE_PATH).
+
+ Returns:
+ string: A string containing the error message to be shown
+ """
+ return fr'Did not receive the expected "{message}" event in "{source}" file.'
+
+
 # Callback functions
 def callback_detect_event(line):
  """
@@ -469,13 +486,14 @@ def detect_initial_scan(file_monitor):
  error_message=ERR_MSG_SCHEDULED_SCAN_ENDED)
 
 
-def detect_initial_scan_start(file_monitor):
+def detect_initial_scan_start(file_monitor, timeout=T_60):
  """Detect initial scan start when restarting Wazuh.
 
  Args:
  file_monitor (FileMonitor): file log monitor to detect events
+ timeout (str): timeout to check the event in Wazuh log
  """
- file_monitor.start(timeout=T_60, callback=callback_detect_scan_start,
+ file_monitor.start(timeout=timeout, callback=callback_detect_scan_start,
  error_message=ERR_MSG_SCHEDULED_SCAN_STARTED)
 
 
@@ -500,19 +518,20 @@ def detect_whodata_start(file_monitor, timeout=T_60):
  error_message=ERR_MSG_WHODATA_ENGINE_EVENT)
 
 
-def get_messages(callback, timeout=T_30):
+def get_messages(callback, timeout=T_30, max_events=MAX_EVENTS_VALUE):
  """Look for as many synchronization events as possible.
  This function will look for the synchronization messages until a Timeout is raised or 'max_events' is reached.
  Args:
  callback (str): Callback to be used to detect the event.
  timeout (int): Timeout that will be used to get the dbsync_no_data message.
+ max_events (int): maximum amount of events that will be detected will be detected.
 
  Returns:
  A list with all the events in json format.
  """
  wazuh_log_monitor = FileMonitor(LOG_FILE_PATH)
  events = []
- for _ in range(0, MAX_EVENTS_VALUE):
+ for _ in range(0, max_events):
  event = None
  try:
  event = wazuh_log_monitor.start(timeout=timeout, accum_results=1,
@@ -574,6 +593,48 @@ def detect_windows_whodata_mode_change(file_monitor, file='.*'):
  error_message=ERR_MSG_WHODATA_REALTIME_MODE_CHANGE_EVENT)
 
 
+def detect_audit_queue_full(file_monitor, update_position=True):
+ """Detects the event generated when the whodata_queue is full
+ Args:
+ file_monitor (FileMonitor): file log monitor to detect events
+ update_position (bool, optional): True if we pop items from the queue once they are read. False otherwise.
+ Default `True`
+ """
+
+ return file_monitor.start(timeout=T_10, callback=generate_monitoring_callback(CB_WHODATA_QUEUE_FULL),
+ error_message=create_error_message(CB_WHODATA_QUEUE_FULL),
+ update_position=update_position).result()
+
+
+def detect_invalid_conf_value(file_monitor, element):
+ """Detects the error generated when a configuration element has an invalid value.
+ Args:
+ file_monitor (FileMonitor): file log monitor to detect events
+ element (str): Element name that is being detected
+ """
+ pattern = fr".*Invalid value for element (\'{element}\': .*)"
+ return file_monitor.start(timeout=T_10, callback=generate_monitoring_callback(pattern),
+ error_message=create_error_message(pattern)).result()
+
+
+def detect_audit_healthcheck_failed(file_monitor):
+ """Detects if the initial audit healtcheck has failed
+ Args:
+ file_monitor (FileMonitor): file log monitor to detect events
+ """
+ return file_monitor.start(timeout=T_10, callback=generate_monitoring_callback(CB_AUDIT_HEALTHCHECK_FAILED),
+ error_message=create_error_message(CB_AUDIT_HEALTHCHECK_FAILED)).result()
+
+
+def get_configured_whodata_queue_size(file_monitor):
+ """Detects the configured value for the whodata queue
+ Args:
+ file_monitor (FileMonitor): file log monitor to detect events
+ """
+ return file_monitor.start(timeout=T_10, callback=generate_monitoring_callback(CB_WHODATA_QUEUE_SIZE),
+ error_message=create_error_message(CB_WHODATA_QUEUE_SIZE)).result()
+
+
 def get_fim_event(file_monitor=None, callback='', error_message=None, update_position=True,
  timeout=T_60, accum_results=1, file_to_monitor=LOG_FILE_PATH):
  """ Check if FIM event occurs and return it according to the callback.

tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_behavior.yaml

@@ -0,0 +1,32 @@
+- sections:
+ - section: syscheck
+ elements:
+ - disabled:
+ value: 'no'
+ - frequency:
+ value: 2
+ - directories:
+ value: TEST_DIRECTORIES
+ attributes:
+ - whodata: 'yes'
+ - whodata:
+ elements:
+ - queue_size:
+ value: 10
+
+ - section: sca
+ elements:
+ - enabled:
+ value: 'no'
+
+ - section: rootcheck
+ elements:
+ - disabled:
+ value: 'yes'
+
+ - section: wodle
+ attributes:
+ - name: syscollector
+ elements:
+ - disabled:
+ value: 'yes'

tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_default.yaml

@@ -0,0 +1,28 @@
+- sections:
+ - section: syscheck
+ elements:
+ - disabled:
+ value: 'no'
+ - frequency:
+ value: 5
+ - directories:
+ value: TEST_DIRECTORIES
+ attributes:
+ - whodata: 'yes'
+
+ - section: sca
+ elements:
+ - enabled:
+ value: 'no'
+
+ - section: rootcheck
+ elements:
+ - disabled:
+ value: 'yes'
+
+ - section: wodle
+ attributes:
+ - name: syscollector
+ elements:
+ - disabled:
+ value: 'yes'

tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_over_time.yaml

@@ -0,0 +1,36 @@
+- sections:
+ - section: syscheck
+ elements:
+ - disabled:
+ value: 'no'
+ - frequency:
+ value: FREQUENCY
+ - directories:
+ value: TEST_DIRECTORIES
+ attributes:
+ - whodata: 'yes'
+ - max_eps:
+ value: MAX_EPS
+ - whodata:
+ elements:
+ - queue_size:
+ value: QUEUE_SIZE
+ - startup_healthcheck:
+ value: 'no'
+
+ - section: sca
+ elements:
+ - enabled:
+ value: 'no'
+
+ - section: rootcheck
+ elements:
+ - disabled:
+ value: 'yes'
+
+ - section: wodle
+ attributes:
+ - name: syscollector
+ elements:
+ - disabled:
+ value: 'yes'

tests/integration/test_fim/test_files/test_audit_buffer/data/configuration_templates/configuration_audit_buffer_values.yaml

@@ -0,0 +1,32 @@
+- sections:
+ - section: syscheck
+ elements:
+ - disabled:
+ value: 'no'
+ - frequency:
+ value: 5
+ - directories:
+ value: TEST_DIRECTORIES
+ attributes:
+ - whodata: 'yes'
+ - whodata:
+ elements:
+ - queue_size:
+ value: QUEUE_SIZE
+
+ - section: sca
+ elements:
+ - enabled:
+ value: 'no'
+
+ - section: rootcheck
+ elements:
+ - disabled:
+ value: 'yes'
+
+ - section: wodle
+ attributes:
+ - name: syscollector
+ elements:
+ - disabled:
+ value: 'yes'

tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_default.yaml

@@ -0,0 +1,6 @@
+- name: verify_queue_size_default_value
+ description: Verify when not setting queue_size it's default value is set and whodata starts correctly.
+ configuration_parameters:
+ TEST_DIRECTORIES: /testdir1
+ metadata:
+ audit_starts: 16384

tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_no_overflow.yaml

@@ -0,0 +1,7 @@
+- name: audit_buffer_does_not_overflow
+ description: Verify if files are equal to queue_size, it does not overflow and files are detected in whodata mode
+ configuration_parameters:
+ TEST_DIRECTORIES: /
+ metadata:
+ files_to_add: 10
+ fim_mode: whodata

tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_over_time_no_overflow.yaml

@@ -0,0 +1,12 @@
+- name: audit_buffer_full_all_files_detected_in_whodata
+ description: Verify if files are added below the queue's size, after space is freed, all files appear in whodata mode
+ configuration_parameters:
+ TEST_DIRECTORIES: /
+ QUEUE_SIZE: 50
+ MAX_EPS: 6
+ FREQUENCY: 20
+ metadata:
+ files_first_insert: 50 # Fills queue 100% - log is only generated when it overflows.
+ wait_time: 5 # Time to wait between inserts to allow for files to be processed
+ files_second_insert: 20 # Insert files to check that files are still being detected in whodata
+ fim_mode: whodata

tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_over_time_overflow.yaml

@@ -0,0 +1,13 @@
+- name: audit_buffer_overflows_new_files_in_whodata
+ description: Verify if files are added over the queue's size, and time passes, new files are detected in whodata mode
+ configuration_parameters:
+ TEST_DIRECTORIES: /
+ QUEUE_SIZE: 20
+ MAX_EPS: 4
+ FREQUENCY: 10
+ metadata:
+ files_first_insert: 24
+ queue_size: 20
+ wait_time: 5
+ files_second_insert: 10
+ fim_mode: whodata

tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_overflow.yaml

@@ -0,0 +1,8 @@
+- name: audit_buffer_overflows
+ description: Verify if files are added over the queue's size, it overflows and files are detected in scheduled mode.
+ configuration_parameters:
+ TEST_DIRECTORIES: /
+ metadata:
+ files_to_add: 15
+ whodata_events: 10
+ fim_mode: whodata

tests/integration/test_fim/test_files/test_audit_buffer/data/test_cases/cases_audit_buffer_values.yaml

@@ -0,0 +1,56 @@
+- name: queue_size_100_value_inside_range_starts_properly
+ description: Verify if value set is inside valid range it is configured and whodata starts correctly.
+ configuration_parameters:
+ QUEUE_SIZE: 100
+ metadata:
+ queue_size: 100
+ audit_starts: true
+ valid_range: true
+
+- name: queue_size_10_Lower_limit_starts_properly
+ description: Verify if value set is the lower allowed limit, whodata starts correctly
+ configuration_parameters:
+ QUEUE_SIZE: 10
+ metadata:
+ queue_size: 10
+ valid_range: true
+ audit_starts: true
+
+- name: queue_size_1048576_upper_limit_starts_properly
+ description: Verify if value set to the upper limit whodata starts correctly.
+ configuration_parameters:
+ QUEUE_SIZE: 1048576
+ metadata:
+ queue_size: 1048576
+ audit_starts: true
+ valid_range: true
+
+- name: queue_size_invalid_value_below_minimum
+ description: Verify if value set is below allowed minimum, whodata fails to start.
+ configuration_parameters:
+ QUEUE_SIZE: 9
+ metadata:
+ queue_size: 9
+ valid_range: false
+ audit_starts: false
+ fail_reason: invalid_value
+
+- name: queue_size_invalid_value_above_maximum
+ description: Verify if value set is above allowed minimum, whodata fails to start.
+ configuration_parameters:
+ QUEUE_SIZE: 1048577
+ metadata:
+ queue_size: 1048577
+ valid_range: false
+ audit_starts: false
+ fail_reason: invalid_value
+
+- name: queue_size_invalid_value_invalid_characters
+ description: Verify if value set using characters instead of only numbers, whodata fails to start.
+ configuration_parameters:
+ QUEUE_SIZE: 100c
+ metadata:
+ queue_size: 100c
+ valid_range: false
+ audit_starts: false
+ fail_reason: invalid_value