diff --git a/tests/integration/test_analysisd/test_error_messages/test_error_messages.py b/tests/integration/test_analysisd/test_error_messages/test_error_messages.py index 8ccf786cd0..2bb17ffbf5 100644 --- a/tests/integration/test_analysisd/test_error_messages/test_error_messages.py +++ b/tests/integration/test_analysisd/test_error_messages/test_error_messages.py @@ -1,7 +1,53 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 +''' +copyright: + Copyright (C) 2015-2021, Wazuh Inc. + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: + integration + +description: + These tests will check if the `analysisd` daemon handles correctly the invalid events it receives. + +tiers: + - 0 + +component: + manager + +path: + tests/integration/test_analysisd/test_error_messages/ + +daemons: + - analysisd + - syscheckd + - wazuh-db + +os_support: + - linux, rhel5 + - linux, rhel6 + - linux, rhel7 + - linux, rhel8 + - linux, amazon linux 1 + - linux, amazon linux 2 + - linux, debian buster + - linux, debian stretch + - linux, debian wheezy + - linux, ubuntu bionic + - linux, ubuntu xenial + - linux, ubuntu trusty + - linux, arch linux + +coverage: + +pytest_args: + +tags: + +''' import os import pytest 
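Review bot: The new module docstring adds `coverage:`, `pytest_args:` and `tags:` as empty keys, which reads as an unfinished template; either fill them (for instance `tags:` with `- analysisd` and `- error_messages`) or drop the keys if the documentation tooling tolerates their absence. The description line also reads awkwardly and should be reordered to `correctly handles the invalid events it receives`. The `os_support` list names rhel5, debian wheezy and ubuntu trusty, which as far as I recall are well past vendor end-of-life, so it is worth confirming they are still in the supported test matrix rather than carried over from a shared template.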
@@ -48,13 +94,45 @@ ids=[test_case['name'] for test_case in test_cases]) def test_error_messages(configure_sockets_environment, connect_to_sockets_module, wait_for_analysisd_startup, test_case: list): - """Check that every input message in analysisd socket generates the adequate output to wazuh-db socket + ''' + description: + Check if when the `analysisd` socket receives a message with an invalid event, + it generates the corresponding error that sends to the `wazuh-db` socket. + + wazuh_min_version: + 3.12 + + parameters: + - configure_sockets_environment: + type: fixture + brief: Configure environment for sockets and MITM. + + - connect_to_sockets_module: + type: fixture + brief: Module scope version of `connect_to_sockets` fixture. + + - wait_for_analysisd_startup: + type: fixture + brief: Wait until analysisd has begun and alerts.json is created. + + - test_case: + type: list + brief: List of tests to be performed. + + assertions: + - Check that the error messages generated are consistent with the events received. + + test_input: + Different test cases that are contained in an external `YAML` file (error_messages.yaml) + that includes `syscheck` events data and the expected output. + + logging: + - ossec.log: + - "Multiple values located in the `error_messages.yaml` file." + + tags: - Parameters - ---------- - test_case : list - List of test_case stages (dicts with input, output and stage keys) - """ + ''' for stage in test_case: receiver_sockets[0].send(stage['input']) result = log_monitors[0].start(timeout=4 * global_parameters.default_timeout, diff --git a/tests/integration/test_analysisd/test_event_messages/test_event_messages.py b/tests/integration/test_analysisd/test_event_messages/test_event_messages.py index 70f6a99a12..cdf8ba9477 100644 --- a/tests/integration/test_analysisd/test_event_messages/test_event_messages.py +++ b/tests/integration/test_analysisd/test_event_messages/test_event_messages.py 
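Review bot: The `test_case` brief, `List of tests to be performed.`, drops the structural detail the removed docstring carried, while the loop right below it reads `stage['input']` from every element; I would write `brief: List of test stages, each a dict with input, output and stage keys (loaded from error_messages.yaml).` so the documented type matches what the body indexes. The `logging` entry points at `ossec.log`, but the body reads from `log_monitors[0]`, whose target file is configured outside this hunk, so that claim should be checked against the fixture before it is published. `tags:` is left empty here as well. The function body continues past the end of the hunk.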
@@ -1,7 +1,53 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 +''' +copyright: + Copyright (C) 2015-2021, Wazuh Inc. + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: + integration + +description: + These tests will check if the `analysisd` daemon correctly handles incoming events related to file modification. + +tiers: + - 0 + +component: + manager + +path: + tests/integration/test_analysisd/test_event_messages/ + +daemons: + - analysisd + - syscheckd + - wazuh-db + +os_support: + - linux, rhel5 + - linux, rhel6 + - linux, rhel7 + - linux, rhel8 + - linux, amazon linux 1 + - linux, amazon linux 2 + - linux, debian buster + - linux, debian stretch + - linux, debian wheezy + - linux, ubuntu bionic + - linux, ubuntu xenial + - linux, ubuntu trusty + - linux, arch linux + +coverage: + +pytest_args: + +tags: + +''' import os import pytest 
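Review bot: `coverage:`, `pytest_args:` and `tags:` are introduced as empty keys in the module docstring; if the documentation generator requires them, give `tags:` at least `- analysisd` and `- event_messages`, otherwise remove them so the header does not look half-filled. The `daemons:` list includes `syscheckd`, but what this file visibly does is drive `analysisd` over its socket via the MITM fixture, and nothing in the diff shows `syscheckd` being needed, so confirm that before listing it as a dependency. The `os_support` block is byte-identical across all five files in this change, which suggests it was pasted rather than verified per test.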
@@ -51,16 +97,49 @@ ids=[test_case['name'] for test_case in test_cases]) def test_event_messages(configure_sockets_environment, connect_to_sockets_module, wait_for_analysisd_startup, test_case: list): - """Check that every input message in analysisd socket generates the adequate output to wazuh-db socket. + ''' + description: + Check if when the `analysisd` socket receives a message with a file modification-related event, + it generates the corresponding alert that sends to the `wazuh-db` socket. + The `validate_analysis_alert` function checks if an `analysisd` event is properly formatted. + + wazuh_min_version: + 3.12 + + parameters: + - configure_sockets_environment: + type: fixture + brief: Configure environment for sockets and MITM. + + - connect_to_sockets_module: + type: fixture + brief: Module scope version of `connect_to_sockets` fixture. + + - wait_for_analysisd_startup: + type: fixture + brief: Wait until analysisd has begun and alerts.json is created. + + - test_case: + type: list + brief: List of tests to be performed. + + assertions: + - Check that the alerts generated are consistent with the events received. + + test_input: + Different test cases that are contained in an external `YAML` file (event_messages.yaml) + that includes `syscheck` events data and the expected output. + + logging: + - ossec.log: + - "Multiple values located in the `event_messages.yaml` file." + + - alerts.json: + -"Multiple values located in the `event_messages.yaml` file." - The function validate_analysis_integrity_state is a function responsible for checking that the output follows a - certain jsonschema. + tags: - Parameters - ---------- - test_case : list - List of test_case stages (dicts with input, output and stage keys) - """ + ''' for stage in test_case: expected = callback_analysisd_message(stage['output']) receiver_sockets[0].send(stage['input']) 
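Review bot: The `alerts.json` logging entry is written as `-"Multiple values located in the ...` with no space after the dash, unlike the `ossec.log` entry two lines above it and the same field in test_integrity_messages; insert the space so the YAML-style list is consistent and parses the same way everywhere. The `test_case` brief, `List of tests to be performed.`, loses what the removed docstring stated (dicts with input, output and stage keys), which is exactly what the loop below relies on through `stage['input']` and `stage['output']`; restore that detail, e.g. `brief: List of test stages, each a dict with input, output and stage keys.` `tags:` is left empty. The function body continues beyond the hunk.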
diff --git a/tests/integration/test_analysisd/test_integrity_messages/test_integrity_messages.py b/tests/integration/test_analysisd/test_integrity_messages/test_integrity_messages.py index 1ebacfa462..b22c20e1cc 100644 --- a/tests/integration/test_analysisd/test_integrity_messages/test_integrity_messages.py +++ b/tests/integration/test_analysisd/test_integrity_messages/test_integrity_messages.py @@ -1,7 +1,53 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 +''' +copyright: + Copyright (C) 2015-2021, Wazuh Inc. + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: + integration + +description: + These tests will check if the `analysisd` daemon correctly handles incoming events related to file integrity. + +tiers: + - 0 + +component: + manager + +path: + tests/integration/test_analysisd/test_integrity_messages/ + +daemons: + - analysisd + - syscheckd + - wazuh-db + +os_support: + - linux, rhel5 + - linux, rhel6 + - linux, rhel7 + - linux, rhel8 + - linux, amazon linux 1 + - linux, amazon linux 2 + - linux, debian buster + - linux, debian stretch + - linux, debian wheezy + - linux, ubuntu bionic + - linux, ubuntu xenial + - linux, ubuntu trusty + - linux, arch linux + +coverage: + +pytest_args: + +tags: + +''' import os import pytest 
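Review bot: The module docstring ends with `coverage:`, `pytest_args:` and `tags:` as bare keys with no values; either populate them (`tags:` could carry `- analysisd` and `- integrity_messages`) or omit them so the header does not advertise missing information. The description is the only text that distinguishes this header from the event and scan variants in the same change, so I would mention the external case file the test reads (`integrity_messages.yaml`, per the function docstring) so a reader can locate the inputs from the header alone. As in the sibling files, the `os_support` list should be verified rather than copied.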
@@ -51,16 +97,50 @@ ids=[test_case['name'] for test_case in test_cases]) def test_integrity_messages(configure_sockets_environment, connect_to_sockets_module, wait_for_analysisd_startup, test_case: list): - """Check that every input message in analysisd socket generates the adequate output to wazuh-db socket. + ''' + description: + Check if when the `analysisd` socket receives a message with a file integrity-related event, + it generates the corresponding alert that sends to the `wazuh-db` socket. + The `validate_analysis_integrity_state` function checks if an + `analysisd` integrity message is properly formatted. + + wazuh_min_version: + 3.12 + + parameters: + - configure_sockets_environment: + type: fixture + brief: Configure environment for sockets and MITM. + + - connect_to_sockets_module: + type: fixture + brief: Module scope version of `connect_to_sockets` fixture. + + - wait_for_analysisd_startup: + type: fixture + brief: Wait until analysisd has begun and alerts.json is created. + + - test_case: + type: list + brief: List of tests to be performed. + + assertions: + - Check that the messages generated are consistent with the events received. + + test_input: + Different test cases that are contained in an external `YAML` file (integrity_messages.yaml) + that includes `syscheck` events data and the expected output. + + logging: + - ossec.log: + - "Multiple values located in the `integrity_messages.yaml` file." + + - alerts.json: + - "Multiple values located in the `integrity_messages.yaml` file." - The function validate_analysis_integrity_state is a function responsible for checking that the output follows a - certain jsonschema. + tags: - Parameters - ---------- - test_case : list - List of test_case stages (dicts with input, output and stage keys) - """ + ''' for stage in test_case: expected = callback_analysisd_message(stage['output']) receiver_sockets[0].send(stage['input']) 
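Review bot: The description credits `validate_analysis_integrity_state` with checking the message format, but the only validation visible in this hunk is `callback_analysisd_message(stage['output'])`; the helper call sits outside the hunk, so confirm it is still used before keeping that sentence (the removed docstring made the same claim, so it is probably fine). The `test_case` brief should keep the element structure — `brief: List of test stages, each a dict with input, output and stage keys.` — because the loop indexes `stage['input']` and `stage['output']`. `tags:` is empty. The loop body continues past the end of the hunk.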
diff --git a/tests/integration/test_analysisd/test_mitre/test_mitre_check_alert.py b/tests/integration/test_analysisd/test_mitre/test_mitre_check_alert.py index abfe85d0bc..0c267d7502 100644 --- a/tests/integration/test_analysisd/test_mitre/test_mitre_check_alert.py +++ b/tests/integration/test_analysisd/test_mitre/test_mitre_check_alert.py @@ -1,7 +1,55 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 +''' +copyright: + Copyright (C) 2015-2021, Wazuh Inc. + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: + integration + +description: + Check if `analysisd` generates alerts enriching its fields with `MITRE` information. + The objective consists on checking if `analysisd` can generate alerts using custom rules + that contains the `mitre` field to enrich those alerts with MITREs IDs, techniques and tactics. + +tiers: + - 0 + +component: + manager + +path: + tests/integration/test_analysisd/test_mitre/ + +daemons: + - analysisd + - syscheckd + - wazuh-db + +os_support: + - linux, rhel5 + - linux, rhel6 + - linux, rhel7 + - linux, rhel8 + - linux, amazon linux 1 + - linux, amazon linux 2 + - linux, debian buster + - linux, debian stretch + - linux, debian wheezy + - linux, ubuntu bionic + - linux, ubuntu xenial + - linux, ubuntu trusty + - linux, arch linux + +coverage: + +pytest_args: + +tags: + +''' import os import jsonschema 
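Review bot: The module description has three grammar slips that should be fixed while the header is being rewritten: `consists on checking` should be `consists of checking`, `custom rules that contains` should be `custom rules that contain`, and `MITREs IDs` should be `MITRE IDs`. As in the other headers in this change, `coverage:`, `pytest_args:` and `tags:` are left as empty keys; fill `tags:` (for example `- analysisd` and `- mitre`) or drop the keys. The `daemons:` list names `syscheckd` and `wazuh-db`, yet the test visible in this file only configures local rules and watches alerts, so confirm both are really required before documenting them as dependencies.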
@@ -40,8 +88,43 @@ def get_configuration(request): # tests def test_mitre_check_alert(get_configuration, configure_local_rules, restart_wazuh_alerts): - """Check Mitre alerts have correct format in accordance with configuration""" + ''' + description: + Check if `MITRE` alerts are syntactically and semantically correct. + + wazuh_min_version: + 4.0 + + parameters: + - get_configuration: + type: fixture + brief: Get configurations from the module. + + - configure_local_rules: + type: fixture + brief: Configure a custom rule in `local_rules.xml` for testing. + + - restart_wazuh_alerts: + type: fixture + brief: Reset `alerts.json` and start a new monitor. + + assertions: + - Check that the `MITRE` alerts are generated and that they are correct. + test_input: + Different test cases that are contained in external `XML` files (data directory) + that include both valid and invalid rules for detecting `MITRE` events. + + logging: + - ossec.log: + - r".*Ossec server started.*" + + - alerts.json: + -"Multiple alerts related to MITRE events." + + tags: + + ''' # Wait until Mitre's event is detected if get_configuration not in invalid_configurations: event = wazuh_alert_monitor.start(timeout=30, callback=callback_detect_mitre_event).result() @@ -50,4 +133,3 @@ def test_mitre_check_alert(get_configuration, configure_local_rules, restart_waz with pytest.raises(jsonschema.exceptions.ValidationError): event = wazuh_alert_monitor.start(timeout=30, callback=callback_detect_mitre_event).result() validate_mitre_event(event) - diff --git a/tests/integration/test_analysisd/test_scan_messages/test_scan_messages.py b/tests/integration/test_analysisd/test_scan_messages/test_scan_messages.py index ee650db784..1f2b36f48b 100644 --- a/tests/integration/test_analysisd/test_scan_messages/test_scan_messages.py +++ b/tests/integration/test_analysisd/test_scan_messages/test_scan_messages.py 
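Review bot: The `assertions:` entry, `Check that the MITRE alerts are generated and that they are correct.`, documents only the valid-configuration branch; the body below also asserts, for configurations listed in `invalid_configurations`, that `validate_mitre_event` raises `jsonschema.exceptions.ValidationError`, so add a second item such as `- Check that alerts produced by invalid MITRE rules fail schema validation.` The `alerts.json` logging entry is written `-"Multiple alerts related to MITRE events."` without the space after the dash that every other list item uses, and the `assertions:` item runs straight into `test_input:` with no blank line, unlike the other keys in this docstring. `tags:` is left empty. The second hunk only removes a trailing blank line and needs no review.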
@@ -1,7 +1,53 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 +''' +copyright: + Copyright (C) 2015-2021, Wazuh Inc. + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: + integration + +description: + These tests will check if the `analysisd` daemon correctly handles incoming events related to file scanning. + +tiers: + - 0 + +component: + manager + +path: + tests/integration/test_analysisd/test_scan_messages/ + +daemons: + - analysisd + - syscheckd + - wazuh-db + +os_support: + - linux, rhel5 + - linux, rhel6 + - linux, rhel7 + - linux, rhel8 + - linux, amazon linux 1 + - linux, amazon linux 2 + - linux, debian buster + - linux, debian stretch + - linux, debian wheezy + - linux, ubuntu bionic + - linux, ubuntu xenial + - linux, ubuntu trusty + - linux, arch linux + +coverage: + +pytest_args: + +tags: + +''' import os import pytest 
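Review bot: The copyright block keeps `Created by Wazuh, Inc. .` with a stray ` .` that came from the old comment header, most likely a contact address that was stripped at some point; either restore the address or drop the dangling period while this block is being rewritten (the same line appears in every header in this change). `coverage:`, `pytest_args:` and `tags:` are added as empty keys and should be filled (`tags:` with `- analysisd` and `- scan_messages`, say) or removed. The description `events related to file scanning` is vague given the function docstring says the inputs are `syscheck` events from `scan_messages.yaml`; naming the message family here would help a reader pick the right test directory.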
@@ -50,13 +96,48 @@ ids=[test_case['name'] for test_case in test_cases]) def test_scan_messages(configure_sockets_environment, connect_to_sockets_module, wait_for_analysisd_startup, test_case: list): - """Check that every input message in analysisd socket generates the adequate output to wazuh-db socket + ''' + description: + Check if when the `analysisd` socket receives a message with a file scanning-related event, + it generates the corresponding alert that sends to the `wazuh-db` socket. + + wazuh_min_version: + 3.12 + + parameters: + - configure_sockets_environment: + type: fixture + brief: Configure environment for sockets and MITM. + + - connect_to_sockets_module: + type: fixture + brief: Module scope version of `connect_to_sockets` fixture. + + - wait_for_analysisd_startup: + type: fixture + brief: Wait until analysisd has begun and alerts.json is created. + + - test_case: + type: list + brief: List of tests to be performed. + + assertions: + - Check that the messages generated are consistent with the events received. + + test_input: + Different test cases that are contained in an external `YAML` file (scan_messages.yaml) + that includes `syscheck` events data and the expected output. + + logging: + - ossec.log: + - "Multiple values located in the `scan_messages.yaml` file." + + - alerts.json: + -"Multiple values located in the `scan_messages.yaml` file." + + tags: - Parameters - ---------- - test_case : list - List of test_case stages (dicts with input, output and stage keys) - """ + ''' for stage in test_case: expected = callback_analysisd_message(stage['output']) receiver_sockets[0].send(stage['input'])
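Review bot: The `alerts.json` entry `-"Multiple values located in the ...` lacks the space after the dash used by the `ossec.log` entry just above it and by the integrity test's docstring; write it as a regular list item. The `test_case` brief should describe the element shape the loop depends on via `stage['input']` and `stage['output']`, which the removed docstring did and the new one does not: `brief: List of test stages, each a dict with input, output and stage keys (from scan_messages.yaml).` `tags:` is empty. The function body continues beyond the hunk.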