Merge pull request #997 from wazuh/5761-fix-not-removed-audit-rules-a…

…fter-updating-link

Add new test to check if the audit rule is removed after a symlink is updated

deps/wazuh_testing/wazuh_testing/fim.py

@@ -1096,6 +1096,13 @@ def callback_audit_loaded_rule(line):
     return None
 
 
+def callback_end_audit_reload_rules(line):
+    match = re.match(r'.*Audit rules reloaded\. Rules loaded: (.+)', line)
+    if match:
+        return match.group(1)
+    return None
+
+
 def callback_audit_event_too_long(line):
     if 'Caching Audit message: event too long' in line:
         return True
@@ -1109,7 +1116,7 @@ def callback_audit_reloading_rules(line):
 
 
 def callback_audit_reloaded_rule(line):
-    match = re.match(r'.*Reloaded audit rule for monitoring directory: \'(.+)\'', line)
+    match = re.match(r'.*Already added audit rule for monitoring directory: \'(.+)\'', line)
     if match:
         return match.group(1)
     return None
@@ -2185,6 +2192,17 @@ def detect_whodata_start(file_monitor):
                                      '"File integrity monitoring real-time Whodata engine started" event')
 
 
+def wait_for_audit(whodata, monitor):
+    """Wait for the audit callback if we are using whodata monitoring.
+    Args:
+        whodata (boolean): True if whodata is active.
+        monitor (FileMonitor): LogMonitor to use.
+    """
+    if whodata:
+        monitor.start(timeout=35, callback=callback_end_audit_reload_rules, update_position=False,
+                      error_message='Did not receive expected "Audit rules reloaded..." event')
+
+
 def generate_params(extra_params: dict = None, apply_to_all: Union[Sequence[Any], Generator[dict, None, None]] = None,
                     modes: list = None):
     """

docs/tests/integration/test_fim/test_files/test_audit/test_audit.md

@@ -0,0 +1,75 @@
+# Test audit
+This test file has several tests:
+- `test_audit_health_check`: Checks the behavior of the FIM audit health check.
+- `test_added_rules`: Checks if FIM adds the rules for monitored directories using whodata.
+- `test_readded_rules`: Checks that FIM is able to re-add the rule of a directory if it's removed.
+- `test_readded_rules_on_restart`: Check if FIM is able to add the audit rules when auditd is restarted.
+- `test_move_rules_to_realtime`: Checks that FIM moves the monitored directories using `whodata` to realtime when auditd is stopped.
+- `test_audit_key`: Checks that the `<audit_key>` functionality works.
+- `test_restart_audit`: Checks that the `<restart_audit>` functionality works.
+## General info
+
+| Tier | Platforms | Time spent| Test file |
+|:--:|:--:|:--:|:--:|
+| 1 | Linux | 00:01:20 | [test_audit.py](../../../../../../tests/integration/test_fim/test_files/test_audit/test_audit.py)|
+
+## Test logic
+
+### test_audit_health_check
+- The test will monitor a folder using `whodata`
+- It will check that the health check passed.
+
+### test_added_rules
+- The test will monitor several folders using `whodata`
+- Once FIM starts, the test will check if the a rule for every monitored directory is added
+
+### test_readded_rules
+- The test will monitor a folder using `whodata`.
+- Once FIM starts, the test will remove the audit rule (using `auditctl`) and will wait until the manipulation event is triggered.
+- Finally, the test will check that the audit rule is added again.
+
+### test_readded_rules_on_restart
+- The test will monitor a folder using `whodata`.
+- Once FIM starts, the test will restart auditd and it will wait until auditd has started.
+- After auditd is running, he test will wait for the `connect` and the `load rule` events.
+
+### test_move_rules_realtime
+- The test will monitor several folders using `whodata`
+- Once FIM starts, the test will stop the auditd service.
+- Then it will wait until the monitored directories using `whodata` are monitored with `realtime`
+
+### test_audit_key
+- The test will manually add a rule for a monitored path using a custom audit key.
+- After FIM starts, the test will check that the events that are generated with the custom key are processed.
+
+### test_restart_audit
+- The test removes the audit plugin file.
+- Then it will check the audit creation time.
+## Checks
+
+- [x] Checks that FIM audit health check works.
+- [X] Checks that FIM adds audit rules for monitored directories.
+- [X] Checks that FIM is able to re-add audit rules.
+- [X] Checks that FIM moves the directories to realtime when whodata is not available.
+- [X] Checks the FIM behavior of the `audit_key` and `restart_audit` options.
+
+
+## Execution result
+
+```
+python3 -m pytest test_files/test_audit/test_audit.py
+======================================================= test session starts ========================================================
+platform linux -- Python 3.8.5, pytest-6.2.2, py-1.10.0, pluggy-0.13.1
+rootdir: /vagrant/wazuh-qa/tests/integration, configfile: pytest.ini
+plugins: html-2.0.1, testinfra-5.0.0, metadata-1.11.0
+collected 24 items
+
+test_files/test_audit/test_audit.py .....sssssssss.ssssssss.                                                                 [100%]
+
+============================================= 7 passed, 17 skipped in 80.86s (0:01:20) =============================================
+
+```
+
+## Code documentation
+
+::: tests.integration.test_fim.test_files.test_audit.test_audit

docs/tests/integration/test_fim/test_files/test_audit/test_audit_after_initial_scan.md

@@ -0,0 +1,47 @@
+# Test audit after initial scan
+This test file has two tests:
+
+The first one, called `test_remove_and_read_folder` checks that FIM monitors a folder if it's removed and created.
+The second one, restarts `auditd` and checks if `whodata` works.
+
+## General info
+
+| Tier | Platforms | Time spent| Test file |
+|:--:|:--:|:--:|:--:|
+| 1 | Linux | 00:01:33 | [test_audit_after_initial_scan.py](../../../../../../tests/integration/test_fim/test_files/test_audit/test_audit_after_initial_scan.py)|
+
+## Test logic
+
+### test_remove_and_read_folder
+- The test will monitor a folder using `whodata`
+- Once FIM starts, the test will remove the folder and checks if the audit rule associated to that folder has been removed.
+- Finally, it creates again the same folder and checks that the audit rule is added.
+
+### test_reconnect_to_audit
+- The test will monitor a folder using `whodata`
+- Then it will restart the `auditd` daemon.
+- Finally, the test waits until FIM is able connect to audit.
+
+## Checks
+
+- [x] Checks that FIM can recover from loosing it's connection to audit.
+- [x] Checks that FIM is able to monitor the folders using whodata after they are removed and created again.
+
+## Execution result
+
+```
+python3 -m pytest test_files/test_audit/test_audit_after_initial_scan.py
+======================================================= test session starts ========================================================
+platform linux -- Python 3.8.5, pytest-6.2.2, py-1.10.0, pluggy-0.13.1
+rootdir: /vagrant/wazuh-qa/tests/integration, configfile: pytest.ini
+plugins: html-2.0.1, testinfra-5.0.0, metadata-1.11.0
+collected 4 items
+
+test_files/test_audit/test_audit_after_initial_scan.py ....                                                                  [100%]
+
+=================================================== 4 passed in 93.54s (0:01:33) ===================================================
+```
+
+## Code documentation
+
+::: tests.integration.test_fim.test_files.test_audit.test_audit_after_initial_scan

docs/tests/integration/test_fim/test_files/test_audit/test_audit_no_dir.md

@@ -0,0 +1,38 @@
+# Test audit no dir
+This test checks that FIM doesn't add audit rules for non-existing directories.
+
+## General info
+
+| Tier | Platforms | Time spent| Test file |
+|:--:|:--:|:--:|:--:|
+| 1 | Linux | 00:00:32 | [test_audit_no_dir.py](../../../../../../tests/integration/test_fim/test_files/test_audit/test_audit_no_dir.py)|
+
+## Test logic
+
+### test_remove_and_read_folder
+- The test will monitor a non-existing folder using `whodata`
+- Once FIM starts, the test will check that the audit rule is not added.
+- Then, it will create the folder and wait until the rule is added again.
+
+## Checks
+
+- [x] Checks that FIM doesn't add rules for non-existing directories.
+- [x] Checks that FIM is able to monitor a folder after it's creation.
+## Execution result
+
+```
+python3 -m pytest test_files/test_audit/test_audit_no_dir.py
+======================================================= test session starts ========================================================
+platform linux -- Python 3.8.5, pytest-6.2.2, py-1.10.0, pluggy-0.13.1
+rootdir: /vagrant/wazuh-qa/tests/integration, configfile: pytest.ini
+plugins: html-2.0.1, testinfra-5.0.0, metadata-1.11.0
+collected 1 item
+
+test_files/test_audit/test_audit_no_dir.py .                                                                                 [100%]
+
+======================================================== 1 passed in 31.96s ========================================================
+```
+
+## Code documentation
+
+<!-- ::: tests.integration.test_fim.test_files.test_audit.test_audit_no_dir -->

docs/tests/integration/test_fim/test_files/test_audit/test_remove_audit.md

@@ -0,0 +1,38 @@
+# Test remove audit
+
+The test checks that if audit is not installed, FIM switches from `whodata` to `realtime`.
+
+## General info
+
+| Tier | Platforms | Time spent| Test file |
+|:--:|:--:|:--:|:--:|
+| 1 | Linux | 00:00:05 | [test_remove_rule_five_times.py](../../../../../../tests/integration/test_fim/test_files/test_audit/test_remove_rule_five_times.py)|
+
+## Test logic
+
+- The test will uninstall `auditd`.
+- The test will check that FIM is able to switch from `whodata` to `realtime`.
+- Finally, the test will install again `auditd`
+
+## Checks
+
+- [x] Checks that FIM is able to switch from `whodata` to `realtime` if auditd is not installed.
+
+## Execution result
+
+```
+python3 -m pytest test_files/test_audit/test_remove_audit.py
+======================================================= test session starts ========================================================
+platform linux -- Python 3.8.5, pytest-6.2.2, py-1.10.0, pluggy-0.13.1
+rootdir: /vagrant/wazuh-qa/tests/integration, configfile: pytest.ini
+plugins: html-2.0.1, testinfra-5.0.0, metadata-1.11.0
+collected 1 item
+
+test_files/test_audit/test_remove_audit.py .                                                                                 [100%]
+
+======================================================== 1 passed in 5.95s =========================================================
+```
+
+## Code documentation
+
+::: tests.integration.test_fim.test_files.test_audit.test_remove_audit

docs/tests/integration/test_fim/test_files/test_audit/test_remove_rule_five_times.md

@@ -0,0 +1,37 @@
+# Test audit remove rule five times
+
+The test checks that FIM stops monitoring with `whodata` when at least 5 manipulation in the audit rules has been done by a user.
+
+## General info
+
+| Tier | Platforms | Time spent| Test file |
+|:--:|:--:|:--:|:--:|
+| 1 | Linux | 00:00:06 | [test_remove_rule_five_times.py](../../../../../../tests/integration/test_fim/test_files/test_audit/test_remove_rule_five_times.py)|
+
+## Test logic
+
+- The test will monitor a folder using `whodata`.
+- The test will modify five times the audit rules and it will check that `whodata` switches to `realtime` .
+
+## Checks
+
+- [x] Checks that FIM is able to switch from `whodata` to `realtime` when an user edits the audit rules.
+
+## Execution result
+
+```
+python3 -m pytest test_files/test_audit/test_remove_rule_five_times.py
+======================================================= test session starts ========================================================
+platform linux -- Python 3.8.5, pytest-6.2.2, py-1.10.0, pluggy-0.13.1
+rootdir: /vagrant/wazuh-qa/tests/integration, configfile: pytest.ini
+plugins: html-2.0.1, testinfra-5.0.0, metadata-1.11.0
+collected 1 item
+
+test_files/test_audit/test_remove_rule_five_times.py .                                                                       [100%]
+
+======================================================== 1 passed in 4.34s =========================================================
+```
+
+## Code documentation
+
+::: tests.integration.test_fim.test_files.test_audit.test_remove_rule_five_times

docs/tests/integration/test_fim/test_files/test_follow_symbolic_link/test_audit_rules_removed_after_change_link.md

@@ -0,0 +1,40 @@
+# Test audit rules removed after change link
+
+This test checks that FIM removes automatically the audit rule of the target of a monitored symbolic link  when the link's target is replaced.
+## General info
+
+| Tier | Platforms | Time spent| Test file |
+|:--:|:--:|:--:|:--:|
+| 1 | Linux/UNIX | 00:00:33 | [test_audit_rules_removed_after_change_link.py](../../../../../../tests/integration/test_fim/test_files/test_follow_symbolic_link/test_audit_rules_removed_after_change_link.py)|
+
+## Test logic
+
+
+- The test will monitor a symbolic link pointing to a directory using `whodata`.
+- Once FIM starts, it will create and expect events inside the pointed folder.
+- After the events are processed, the test will change the target of the link to another  folder, it will wait until the thread that checks the symbolic links updates the link's target.
+- Finally, it will generate some events inside the new target and it will check that the audit rule of the previous target folder has been removed (by using `auditctl -l`).
+
+## Checks
+
+- [x] The rule is removed.
+- [x] The events are triggered for all the link's targets
+
+## Execution result
+
+```
+ python3 -m pytest test_files/test_follow_symbolic_link/test_audit_rules_removed_after_change_link.py
+===================================================== test session starts ======================================================
+platform linux -- Python 3.8.5, pytest-6.2.2, py-1.10.0, pluggy-0.13.1
+rootdir: /vagrant/wazuh-qa/tests/integration, configfile: pytest.ini
+plugins: html-2.0.1, testinfra-5.0.0, metadata-1.11.0
+collected 1 item
+
+test_files/test_follow_symbolic_link/test_audit_rules_removed_after_change_link.py .                                     [100%]
+
+====================================================== 1 passed in 33.48s ======================================================
+```
+
+## Code documentation
+
+<!-- ::: tests.integration.test_fim.test_files.test_follow_symbolic_link.test_audit_rules_removed_after_change_link -->

docs/tests/integration/test_fim/test_files/test_follow_symbolic_link/test_change_target.md

@@ -0,0 +1,41 @@
+# Test change target
+
+Checks if FIM updates the symbolic link's target properly.
+
+## General info
+
+| Tier | Platforms | Time spent| Test file |
+|:--:|:--:|:--:|:--:|
+| 1 | Linux/UNIX | 00:03:00 | [test_change_target.py](../../../../../../tests/integration/test_fim/test_files/test_follow_symbolic_link/test_change_target.py)|
+
+## Test logic
+
+- The test will monitor a symbolic link pointing to a file/directory.
+- Once FIM starts, it will create and expect events inside the pointed folder and will create files inside the new target making sure that it won't generate any alerts.
+- After the events are processed, the test will change the target of the link to another folder, it will wait until the thread that checks the symbolic links updates the link's target.
+- Then, the test checks the new file is being monitored and the old one is not.
+
+## Checks
+
+- [x] The rule is removed.
+- [x] The events are triggered for all the link's targets
+
+## Execution result
+
+```
+python3 -m pytest test_files/test_follow_symbolic_link/test_change_target.py
+===================================================== test session starts ======================================================
+platform linux -- Python 3.8.5, pytest-6.2.2, py-1.10.0, pluggy-0.13.1
+rootdir: /vagrant/wazuh-qa/tests/integration, configfile: pytest.ini
+plugins: html-2.0.1, testinfra-5.0.0, metadata-1.11.0
+collected 12 items
+
+test_files/test_follow_symbolic_link/test_change_target.py .ss..ss..ss.                                                  [100%]
+
+=========================================== 6 passed, 6 skipped in 176.83s (0:02:56) ===========================================
+
+```
+
+## Code documentation
+
+<!-- ::: tests.integration.test_fim.test_files.test_follow_symbolic_link.test_change_target -->