Commit
Merge pull request #997 from wazuh/5761-fix-not-removed-audit-rules-a…
…fter-updating-link Add new test to check if the audit rule is removed after a symlink is updated
Showing 42 changed files with 1,492 additions and 395 deletions.
docs/tests/integration/test_fim/test_files/test_audit/test_audit.md (75 changes: 75 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,75 @@ | ||
# Test audit | ||
This test file has several tests: | ||
- `test_audit_health_check`: Checks the behavior of the FIM audit health check. | ||
- `test_added_rules`: Checks if FIM adds the rules for monitored directories using whodata. | ||
- `test_readded_rules`: Checks that FIM is able to re-add the rule of a directory if it's removed. | ||
- `test_readded_rules_on_restart`: Check if FIM is able to add the audit rules when auditd is restarted. | ||
- `test_move_rules_to_realtime`: Checks that FIM moves the monitored directories using `whodata` to realtime when auditd is stopped. | ||
- `test_audit_key`: Checks that the `<audit_key>` functionality works. | ||
- `test_restart_audit`: Checks that the `<restart_audit>` functionality works. | ||
## General info | ||
|
||
| Tier | Platforms | Time spent| Test file | | ||
|:--:|:--:|:--:|:--:| | ||
| 1 | Linux | 00:01:20 | [test_audit.py](../../../../../../tests/integration/test_fim/test_files/test_audit/test_audit.py)| | ||
|
||
## Test logic | ||
|
||
### test_audit_health_check | ||
- The test will monitor a folder using `whodata` | ||
- It will check that the health check passed. | ||
|
||
### test_added_rules | ||
- The test will monitor several folders using `whodata` | ||
- Once FIM starts, the test will check if the a rule for every monitored directory is added | ||
|
||
### test_readded_rules | ||
- The test will monitor a folder using `whodata`. | ||
- Once FIM starts, the test will remove the audit rule (using `auditctl`) and will wait until the manipulation event is triggered. | ||
- Finally, the test will check that the audit rule is added again. | ||
|
||
### test_readded_rules_on_restart | ||
- The test will monitor a folder using `whodata`. | ||
- Once FIM starts, the test will restart auditd and it will wait until auditd has started. | ||
- After auditd is running, he test will wait for the `connect` and the `load rule` events. | ||
|
||
### test_move_rules_realtime | ||
- The test will monitor several folders using `whodata` | ||
- Once FIM starts, the test will stop the auditd service. | ||
- Then it will wait until the monitored directories using `whodata` are monitored with `realtime` | ||
|
||
### test_audit_key | ||
- The test will manually add a rule for a monitored path using a custom audit key. | ||
- After FIM starts, the test will check that the events that are generated with the custom key are processed. | ||
|
||
### test_restart_audit | ||
- The test removes the audit plugin file. | ||
- Then it will check the audit creation time. | ||
## Checks | ||
|
||
- [x] Checks that FIM audit health check works. | ||
- [X] Checks that FIM adds audit rules for monitored directories. | ||
- [X] Checks that FIM is able to re-add audit rules. | ||
- [X] Checks that FIM moves the directories to realtime when whodata is not available. | ||
- [X] Checks the FIM behavior of the `audit_key` and `restart_audit` options. | ||
|
||
|
||
## Execution result | ||
|
||
``` | ||
python3 -m pytest test_files/test_audit/test_audit.py | ||
======================================================= test session starts ======================================================== | ||
platform linux -- Python 3.8.5, pytest-6.2.2, py-1.10.0, pluggy-0.13.1 | ||
rootdir: /vagrant/wazuh-qa/tests/integration, configfile: pytest.ini | ||
plugins: html-2.0.1, testinfra-5.0.0, metadata-1.11.0 | ||
collected 24 items | ||
test_files/test_audit/test_audit.py .....sssssssss.ssssssss. [100%] | ||
============================================= 7 passed, 17 skipped in 80.86s (0:01:20) ============================================= | ||
``` | ||
|
||
## Code documentation | ||
|
||
::: tests.integration.test_fim.test_files.test_audit.test_audit |
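Review bot: the `### test_move_rules_realtime` heading in the Test logic section does not match the test named in the overview, `test_move_rules_to_realtime`; the heading should use the exact function name so the overview, the Test logic section and the `:::` code documentation block line up. Smaller fixes in the same hunk: `check if the a rule` should read `check if a rule`, `he test will wait` should read `the test will wait`, the `test_readded_rules_on_restart` overview item should start with `Checks` like its neighbours, and the Checks list mixes `[x]` and `[X]`. The execution result shows 7 passed and 17 skipped out of 24 collected; a sentence on what the 17 skipped cases are would save the next reader a trip to the source.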
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,47 @@ | ||
# Test audit after initial scan | ||
This test file has two tests: | ||
|
||
The first one, called `test_remove_and_read_folder` checks that FIM monitors a folder if it's removed and created. | ||
The second one, restarts `auditd` and checks if `whodata` works. | ||
|
||
## General info | ||
|
||
| Tier | Platforms | Time spent| Test file | | ||
|:--:|:--:|:--:|:--:| | ||
| 1 | Linux | 00:01:33 | [test_audit_after_initial_scan.py](../../../../../../tests/integration/test_fim/test_files/test_audit/test_audit_after_initial_scan.py)| | ||
|
||
## Test logic | ||
|
||
### test_remove_and_read_folder | ||
- The test will monitor a folder using `whodata` | ||
- Once FIM starts, the test will remove the folder and checks if the audit rule associated to that folder has been removed. | ||
- Finally, it creates again the same folder and checks that the audit rule is added. | ||
|
||
### test_reconnect_to_audit | ||
- The test will monitor a folder using `whodata` | ||
- Then it will restart the `auditd` daemon. | ||
- Finally, the test waits until FIM is able connect to audit. | ||
|
||
## Checks | ||
|
||
- [x] Checks that FIM can recover from loosing it's connection to audit. | ||
- [x] Checks that FIM is able to monitor the folders using whodata after they are removed and created again. | ||
|
||
## Execution result | ||
|
||
``` | ||
python3 -m pytest test_files/test_audit/test_audit_after_initial_scan.py | ||
======================================================= test session starts ======================================================== | ||
platform linux -- Python 3.8.5, pytest-6.2.2, py-1.10.0, pluggy-0.13.1 | ||
rootdir: /vagrant/wazuh-qa/tests/integration, configfile: pytest.ini | ||
plugins: html-2.0.1, testinfra-5.0.0, metadata-1.11.0 | ||
collected 4 items | ||
test_files/test_audit/test_audit_after_initial_scan.py .... [100%] | ||
=================================================== 4 passed in 93.54s (0:01:33) =================================================== | ||
``` | ||
|
||
## Code documentation | ||
|
||
::: tests.integration.test_fim.test_files.test_audit.test_audit_after_initial_scan |
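Review bot: the introduction names only the first test; the second one should be introduced as `test_reconnect_to_audit` so the overview matches the `### test_reconnect_to_audit` heading below it. Grammar in the same hunk: `the test waits until FIM is able connect to audit` is missing `to`, `loosing it's connection` should be `losing its connection`, and `the audit rule associated to that folder` reads better as `associated with that folder`.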
docs/tests/integration/test_fim/test_files/test_audit/test_audit_no_dir.md (38 changes: 38 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
# Test audit no dir | ||
This test checks that FIM doesn't add audit rules for non-existing directories. | ||
|
||
## General info | ||
|
||
| Tier | Platforms | Time spent| Test file | | ||
|:--:|:--:|:--:|:--:| | ||
| 1 | Linux | 00:00:32 | [test_audit_no_dir.py](../../../../../../tests/integration/test_fim/test_files/test_audit/test_audit_no_dir.py)| | ||
|
||
## Test logic | ||
|
||
### test_remove_and_read_folder | ||
- The test will monitor a non-existing folder using `whodata` | ||
- Once FIM starts, the test will check that the audit rule is not added. | ||
- Then, it will create the folder and wait until the rule is added again. | ||
|
||
## Checks | ||
|
||
- [x] Checks that FIM doesn't add rules for non-existing directories. | ||
- [x] Checks that FIM is able to monitor a folder after it's creation. | ||
## Execution result | ||
|
||
``` | ||
python3 -m pytest test_files/test_audit/test_audit_no_dir.py | ||
======================================================= test session starts ======================================================== | ||
platform linux -- Python 3.8.5, pytest-6.2.2, py-1.10.0, pluggy-0.13.1 | ||
rootdir: /vagrant/wazuh-qa/tests/integration, configfile: pytest.ini | ||
plugins: html-2.0.1, testinfra-5.0.0, metadata-1.11.0 | ||
collected 1 item | ||
test_files/test_audit/test_audit_no_dir.py . [100%] | ||
======================================================== 1 passed in 31.96s ======================================================== | ||
``` | ||
|
||
## Code documentation | ||
|
||
<!-- ::: tests.integration.test_fim.test_files.test_audit.test_audit_no_dir --> |
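Review bot: the `### test_remove_and_read_folder` heading is copied from test_audit_after_initial_scan.md and does not name a test in test_audit_no_dir.py (the execution result collects a single item from that file); the heading should carry this file's actual test function name. In the third step, `wait until the rule is added again` is misleading because the first check asserts the rule was never added for the non-existing folder; `wait until the rule is added` is accurate. The Code documentation directive is commented out (`<!-- ::: ... -->`), so that section renders empty; if the module docstrings are not ready yet, say so in the document, otherwise uncomment it as test_audit.md does. `after it's creation` should be `after its creation`.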
docs/tests/integration/test_fim/test_files/test_audit/test_remove_audit.md (38 changes: 38 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
# Test remove audit | ||
|
||
The test checks that if audit is not installed, FIM switches from `whodata` to `realtime`. | ||
|
||
## General info | ||
|
||
| Tier | Platforms | Time spent| Test file | | ||
|:--:|:--:|:--:|:--:| | ||
| 1 | Linux | 00:00:05 | [test_remove_rule_five_times.py](../../../../../../tests/integration/test_fim/test_files/test_audit/test_remove_rule_five_times.py)| | ||
|
||
## Test logic | ||
|
||
- The test will uninstall `auditd`. | ||
- The test will check that FIM is able to switch from `whodata` to `realtime`. | ||
- Finally, the test will install again `auditd` | ||
|
||
## Checks | ||
|
||
- [x] Checks that FIM is able to switch from `whodata` to `realtime` if auditd is not installed. | ||
|
||
## Execution result | ||
|
||
``` | ||
python3 -m pytest test_files/test_audit/test_remove_audit.py | ||
======================================================= test session starts ======================================================== | ||
platform linux -- Python 3.8.5, pytest-6.2.2, py-1.10.0, pluggy-0.13.1 | ||
rootdir: /vagrant/wazuh-qa/tests/integration, configfile: pytest.ini | ||
plugins: html-2.0.1, testinfra-5.0.0, metadata-1.11.0 | ||
collected 1 item | ||
test_files/test_audit/test_remove_audit.py . [100%] | ||
======================================================== 1 passed in 5.95s ========================================================= | ||
``` | ||
|
||
## Code documentation | ||
|
||
::: tests.integration.test_fim.test_files.test_audit.test_remove_audit |
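Review bot: the General info table links to the wrong file: it points at `test_remove_rule_five_times.py` while this document describes `test_remove_audit.py` (the command in the execution result is `python3 -m pytest test_files/test_audit/test_remove_audit.py`, and the Code documentation directive references `test_remove_audit`). Both the link text and the path should be `test_remove_audit.py`. Minor: `install again auditd` reads better as `reinstall auditd`, and the Test logic list should say how `auditd` is uninstalled and reinstalled, since that step changes the host the test runs on and a reader reproducing it by hand needs to know what is undone afterwards.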
...tests/integration/test_fim/test_files/test_audit/test_remove_rule_five_times.md (37 changes: 37 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,37 @@ | ||
# Test audit remove rule five times | ||
|
||
The test checks that FIM stops monitoring with `whodata` when at least 5 manipulation in the audit rules has been done by a user. | ||
|
||
## General info | ||
|
||
| Tier | Platforms | Time spent| Test file | | ||
|:--:|:--:|:--:|:--:| | ||
| 1 | Linux | 00:00:06 | [test_remove_rule_five_times.py](../../../../../../tests/integration/test_fim/test_files/test_audit/test_remove_rule_five_times.py)| | ||
|
||
## Test logic | ||
|
||
- The test will monitor a folder using `whodata`. | ||
- The test will modify five times the audit rules and it will check that `whodata` switches to `realtime` . | ||
|
||
## Checks | ||
|
||
- [x] Checks that FIM is able to switch from `whodata` to `realtime` when an user edits the audit rules. | ||
|
||
## Execution result | ||
|
||
``` | ||
python3 -m pytest test_files/test_audit/test_remove_rule_five_times.py | ||
======================================================= test session starts ======================================================== | ||
platform linux -- Python 3.8.5, pytest-6.2.2, py-1.10.0, pluggy-0.13.1 | ||
rootdir: /vagrant/wazuh-qa/tests/integration, configfile: pytest.ini | ||
plugins: html-2.0.1, testinfra-5.0.0, metadata-1.11.0 | ||
collected 1 item | ||
test_files/test_audit/test_remove_rule_five_times.py . [100%] | ||
======================================================== 1 passed in 4.34s ========================================================= | ||
``` | ||
|
||
## Code documentation | ||
|
||
::: tests.integration.test_fim.test_files.test_audit.test_remove_rule_five_times |
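Review bot: `at least 5 manipulation in the audit rules has been done by a user` should read `at least 5 manipulations of the audit rules have been made by a user`, and `when an user edits` should be `when a user edits`. The Test logic says the rules are modified five times but not how; the sibling test_audit.md states that `auditctl` is used to remove the rule, and naming the mechanism here too makes the document usable for reproducing the test by hand. There is also a stray space before the period after `` `realtime` ``.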
...t_files/test_follow_symbolic_link/test_audit_rules_removed_after_change_link.md (40 changes: 40 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
# Test audit rules removed after change link | ||
|
||
This test checks that FIM removes automatically the audit rule of the target of a monitored symbolic link when the link's target is replaced. | ||
## General info | ||
|
||
| Tier | Platforms | Time spent| Test file | | ||
|:--:|:--:|:--:|:--:| | ||
| 1 | Linux/UNIX | 00:00:33 | [test_audit_rules_removed_after_change_link.py](../../../../../../tests/integration/test_fim/test_files/test_follow_symbolic_link/test_audit_rules_removed_after_change_link.py)| | ||
|
||
## Test logic | ||
|
||
|
||
- The test will monitor a symbolic link pointing to a directory using `whodata`. | ||
- Once FIM starts, it will create and expect events inside the pointed folder. | ||
- After the events are processed, the test will change the target of the link to another folder, it will wait until the thread that checks the symbolic links updates the link's target. | ||
- Finally, it will generate some events inside the new target and it will check that the audit rule of the previous target folder has been removed (by using `auditctl -l`). | ||
|
||
## Checks | ||
|
||
- [x] The rule is removed. | ||
- [x] The events are triggered for all the link's targets | ||
|
||
## Execution result | ||
|
||
``` | ||
python3 -m pytest test_files/test_follow_symbolic_link/test_audit_rules_removed_after_change_link.py | ||
===================================================== test session starts ====================================================== | ||
platform linux -- Python 3.8.5, pytest-6.2.2, py-1.10.0, pluggy-0.13.1 | ||
rootdir: /vagrant/wazuh-qa/tests/integration, configfile: pytest.ini | ||
plugins: html-2.0.1, testinfra-5.0.0, metadata-1.11.0 | ||
collected 1 item | ||
test_files/test_follow_symbolic_link/test_audit_rules_removed_after_change_link.py . [100%] | ||
====================================================== 1 passed in 33.48s ====================================================== | ||
``` | ||
|
||
## Code documentation | ||
|
||
<!-- ::: tests.integration.test_fim.test_files.test_follow_symbolic_link.test_audit_rules_removed_after_change_link --> |
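Review bot: the Platforms cell says `Linux/UNIX`, but the test relies on `whodata` and verifies the rule with `auditctl -l`, which belongs to the Linux audit subsystem; every other audit document in this change lists `Linux`, and this one should too. The Checks entries are terse compared with the other documents: `The rule is removed` would be clearer as `Checks that the audit rule of the previous link target is removed after the target changes`, and `The events are triggered for all the link's targets` should say both the old and the new target. The Code documentation directive is commented out, which leaves that section empty in the rendered docs; uncomment it once the test module has docstrings. There is a double blank line after `## Test logic`.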
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,41 @@ | ||
# Test change target | ||
|
||
Checks if FIM updates the symbolic link's target properly. | ||
|
||
## General info | ||
|
||
| Tier | Platforms | Time spent| Test file | | ||
|:--:|:--:|:--:|:--:| | ||
| 1 | Linux/UNIX | 00:03:00 | [test_change_target.py](../../../../../../tests/integration/test_fim/test_files/test_follow_symbolic_link/test_change_target.py)| | ||
|
||
## Test logic | ||
|
||
- The test will monitor a symbolic link pointing to a file/directory. | ||
- Once FIM starts, it will create and expect events inside the pointed folder and will create files inside the new target making sure that it won't generate any alerts. | ||
- After the events are processed, the test will change the target of the link to another folder, it will wait until the thread that checks the symbolic links updates the link's target. | ||
- Then, the test checks the new file is being monitored and the old one is not. | ||
|
||
## Checks | ||
|
||
- [x] The rule is removed. | ||
- [x] The events are triggered for all the link's targets | ||
|
||
## Execution result | ||
|
||
``` | ||
python3 -m pytest test_files/test_follow_symbolic_link/test_change_target.py | ||
===================================================== test session starts ====================================================== | ||
platform linux -- Python 3.8.5, pytest-6.2.2, py-1.10.0, pluggy-0.13.1 | ||
rootdir: /vagrant/wazuh-qa/tests/integration, configfile: pytest.ini | ||
plugins: html-2.0.1, testinfra-5.0.0, metadata-1.11.0 | ||
collected 12 items | ||
test_files/test_follow_symbolic_link/test_change_target.py .ss..ss..ss. [100%] | ||
=========================================== 6 passed, 6 skipped in 176.83s (0:02:56) =========================================== | ||
``` | ||
|
||
## Code documentation | ||
|
||
<!-- ::: tests.integration.test_fim.test_files.test_follow_symbolic_link.test_change_target --> |
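Review bot: the Checks list (`The rule is removed`, `The events are triggered for all the link's targets`) is copied from test_audit_rules_removed_after_change_link.md and does not describe this test; the Test logic for test_change_target says it verifies that the new target is monitored and the old one is not, so the checklist should state exactly that. Step two is hard to follow as written: it says events are expected inside the pointed folder and that files created inside the new target must not generate alerts, all before the target has changed; clarify that files created in the future target must not generate events while the link still points at the old target. The execution result shows 6 passed and 6 skipped of 12 collected, so a note on which parametrizations are skipped would help, and the Code documentation directive is commented out as in the previous file.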