diff --git a/docs/DocGenerator/config.yaml b/docs/DocGenerator/config.yaml index 75a603c6b8..2e17344238 100644 --- a/docs/DocGenerator/config.yaml +++ b/docs/DocGenerator/config.yaml @@ -5,6 +5,7 @@ Output path: "../output" Include paths: - "../../tests/integration/test_active_response" - "../../tests/integration/test_agentd" + - "../../tests/integration/test_analysisd" Include regex: - "^test_.*py$" @@ -19,6 +20,13 @@ Ignore paths: - "../../tests/integration/test_active_response/test_analysisd/data" - "../../tests/integration/test_active_response/test_execd/data" - "../../tests/integration/test_agentd/data" + - "../../tests/integration/test_analysisd/test_all_syscheckd_configurations/data" + - "../../tests/integration/test_analysisd/test_all_syscheckd_configurations/yaml_generators" + - "../../tests/integration/test_analysisd/test_error_messages/data" + - "../../tests/integration/test_analysisd/test_event_messages/data" + - "../../tests/integration/test_analysisd/test_integrity_messages/data" + - "../../tests/integration/test_analysisd/test_mitre/data" + - "../../tests/integration/test_analysisd/test_scan_messages/data" Output fields: Module: diff --git a/tests/integration/test_analysisd/test_all_syscheckd_configurations/test_check_rare_socket_responses.py b/tests/integration/test_analysisd/test_all_syscheckd_configurations/test_check_rare_socket_responses.py index 7fd660511a..c2d00e2b0e 100644 --- a/tests/integration/test_analysisd/test_all_syscheckd_configurations/test_check_rare_socket_responses.py +++ b/tests/integration/test_analysisd/test_all_syscheckd_configurations/test_check_rare_socket_responses.py 
@@ -1,7 +1,54 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 +''' +copyright: + Copyright (C) 2015-2021, Wazuh Inc. + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: + integration + +description: + These tests will verify if the `wazuh-db` and `analysisd` daemons + correctly handle `syscheck` events considered rare. + +tiers: + - 2 + +component: + manager + +path: + tests/integration/test_analysisd/test_all_syscheckd_configurations/ + +daemons: + - analysisd + - syscheckd + - wazuh-db + +os_support: + - linux, rhel5 + - linux, rhel6 + - linux, rhel7 + - linux, rhel8 + - linux, amazon linux 1 + - linux, amazon linux 2 + - linux, debian buster + - linux, debian stretch + - linux, debian wheezy + - linux, ubuntu bionic + - linux, ubuntu xenial + - linux, ubuntu trusty + - linux, arch linux + +coverage: + +pytest_args: + +tags: + +''' import os import pytest 
@@ -51,16 +98,48 @@ ids=[test_case['name'] for test_case in test_cases]) def test_validate_rare_socket_responses(configure_sockets_environment, connect_to_sockets_module, wait_for_analysisd_startup, test_case: list): - """Validate every response from the analysisd socket to the wazuh-db socket using rare cases with encoded characters. + ''' + description: + Validate every response from the `analysisd` socket to the `wazuh-db` socket + using rare `syscheck` events with encoded characters. + + wazuh_min_version: + 3.12 + + parameters: + - configure_sockets_environment: + type: fixture + brief: Configure environment for sockets and MITM. + + - connect_to_sockets_module: + type: fixture + brief: Module scope version of `connect_to_sockets` fixture. + + - wait_for_analysisd_startup: + type: fixture + brief: Wait until analysisd has begun and alerts.json is created. + + - test_case: + type: list + brief: List of tests to be performed. + + assertions: + - Check that the output logs are consistent with the syscheck events received. + + test_input: + Different test cases that are contained in an external `YAML` file (syscheck_rare_events.yaml) + that includes `syscheck` events data and the expected output. + + logging: + - ossec.log: + - "Multiple values located in the `syscheck_rare_events.yaml` file." + + - alerts.json: + -"Multiple values located in the `syscheck_rare_events.yaml` file." - This test will catch every response from analysisd to wazuh-db in real-time using the yaml - `/data/syscheck_events.yaml`. + tags: - Parameters - ---------- - test_case : dict - Dict with the input to inject to the analysisd socket and output to expect to be sent to the wazuh-db socket. - """ + ''' # There is only one stage per test_case stage = test_case[0] expected = callback_analysisd_message(stage['output']) 
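Review bot: The `alerts.json` entry in the new `logging:` block is written with no space after the dash (`-"Multiple values located in ...`), so a YAML reader — which the DocGenerator config touched in this same commit suggests is what consumes these docstrings — sees a plain scalar rather than a list item, unlike the `ossec.log` entry right above it that uses `- "..."`. The same form appears in the test-function docstrings of test_check_socket_responses.py, test_validate_linux_analysisd_alerts.py, test_validate_rare_analysisd_alerts.py, test_validate_win32_analysisd_alerts.py, test_validate_win32_analysisd_registry_alerts.py, test_event_messages.py and test_mitre_check_alert.py, while test_integrity_messages.py already has the correct `- "Multiple values located in ...` shape. Inserting the space after the dash in each of them makes the list parse consistently. The body of test_validate_rare_socket_responses continues past the end of this hunk.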
diff --git a/tests/integration/test_analysisd/test_all_syscheckd_configurations/test_check_socket_responses.py b/tests/integration/test_analysisd/test_all_syscheckd_configurations/test_check_socket_responses.py index 9c26bdb80a..d185ddcdd7 100644 --- a/tests/integration/test_analysisd/test_all_syscheckd_configurations/test_check_socket_responses.py +++ b/tests/integration/test_analysisd/test_all_syscheckd_configurations/test_check_socket_responses.py @@ -1,7 +1,54 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 +''' +copyright: + Copyright (C) 2015-2021, Wazuh Inc. + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: + integration + +description: + These tests will verify if the `wazuh-db` and `analysisd` daemons + correctly handle common `syscheck` events. + +tiers: + - 2 + +component: + manager + +path: + tests/integration/test_analysisd/test_all_syscheckd_configurations/ + +daemons: + - analysisd + - syscheckd + - wazuh-db + +os_support: + - linux, rhel5 + - linux, rhel6 + - linux, rhel7 + - linux, rhel8 + - linux, amazon linux 1 + - linux, amazon linux 2 + - linux, debian buster + - linux, debian stretch + - linux, debian wheezy + - linux, ubuntu bionic + - linux, ubuntu xenial + - linux, ubuntu trusty + - linux, arch linux + +coverage: + +pytest_args: + +tags: + +''' import os import pytest 
@@ -51,16 +98,48 @@ ids=[test_case['name'] for test_case in test_cases]) def test_validate_socket_responses(configure_sockets_environment, connect_to_sockets_module, wait_for_analysisd_startup, test_case: list): - """Validate every response from the analysisd socket to the wazuh-db socket. + ''' + description: + Validate every response from the `analysisd` socket to the `wazuh-db` socket + using common `syscheck` events. + + wazuh_min_version: + 3.12 + + parameters: + - configure_sockets_environment: + type: fixture + brief: Configure environment for sockets and MITM. + + - connect_to_sockets_module: + type: fixture + brief: Module scope version of `connect_to_sockets` fixture. + + - wait_for_analysisd_startup: + type: fixture + brief: Wait until analysisd has begun and alerts.json is created. + + - test_case: + type: list + brief: List of tests to be performed. + + assertions: + - Check that the output logs are consistent with the syscheck events received. + + test_input: + Different test cases that are contained in an external `YAML` file (syscheck_events.yaml) + that includes `syscheck` events data and the expected output. + + logging: + - ossec.log: + - "Multiple values located in the `syscheck_events.yaml` file." + + - alerts.json: + -"Multiple values located in the `syscheck_events.yaml` file." - This test will catch every response from analysisd to wazuh-db in real-time using the yaml - `/data/syscheck_events.yaml`. + tags: - Parameters - ---------- - test_case : dict - Dict with the input to inject to the analysisd socket and output to expect to be sent to the wazuh-db socket. - """ + ''' # There is only one stage per test_case stage = test_case[0] expected = callback_analysisd_message(stage['output']) 
diff --git a/tests/integration/test_analysisd/test_all_syscheckd_configurations/test_validate_linux_analysisd_alerts.py b/tests/integration/test_analysisd/test_all_syscheckd_configurations/test_validate_linux_analysisd_alerts.py index 7dae1c66e8..ebcaa7cf05 100644 --- a/tests/integration/test_analysisd/test_all_syscheckd_configurations/test_validate_linux_analysisd_alerts.py +++ b/tests/integration/test_analysisd/test_all_syscheckd_configurations/test_validate_linux_analysisd_alerts.py @@ -1,7 +1,54 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 +''' +copyright: + Copyright (C) 2015-2021, Wazuh Inc. + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: + integration + +description: + These tests will verify if the `analysisd` daemon correctly handles alerts generated + from the received Linux events. + +tiers: + - 2 + +component: + manager + +path: + tests/integration/test_analysisd/test_all_syscheckd_configurations/ + +daemons: + - analysisd + - syscheckd + - wazuh-db + +os_support: + - linux, rhel5 + - linux, rhel6 + - linux, rhel7 + - linux, rhel8 + - linux, amazon linux 1 + - linux, amazon linux 2 + - linux, debian buster + - linux, debian stretch + - linux, debian wheezy + - linux, ubuntu bionic + - linux, ubuntu xenial + - linux, ubuntu trusty + - linux, arch linux + +coverage: + +pytest_args: + +tags: + +''' import os import pytest 
@@ -57,12 +104,53 @@ def get_alert(request): def test_validate_all_linux_alerts(configure_sockets_environment, connect_to_sockets_module, wait_for_analysisd_startup, generate_events_and_alerts, get_alert): - """Check the event messages handling by analysisd. + ''' + description: + Check that the alerts generated by `analysisd` from Linux systems events are valid. + The `validate_analysis_alert_complex` function checks if an `analysisd` alert is + properly formatted in reference to its `syscheck` event. + + wazuh_min_version: + 3.12 + + parameters: + - configure_sockets_environment: + type: fixture + brief: Configure environment for sockets and MITM. + + - connect_to_sockets_module: + type: fixture + brief: Module scope version of `connect_to_sockets` fixture. + + - wait_for_analysisd_startup: + type: fixture + brief: Wait until analysisd has begun and alerts.json is created. + + - generate_events_and_alerts: + type: fixture + brief: Read the specified yaml and generate every event and alert using the input from every test case. + + - get_alert: + type: fixture + brief: List of alerts to be validated. + + assertions: + - Check that the alerts generated are consistent with the events received. + + test_input: + Different test cases that are contained in an external `YAML` file (syscheck_events.yaml) + that includes `syscheck` events data and the expected output. + + logging: + - ossec.log: + - "Multiple values located in the `syscheck_events.yaml` file." + + - alerts.json: + -"Multiple values located in the `syscheck_events.yaml` file." + + tags: - The variable `test_case` is a yaml file that contains the input and the expected output for every test case. - The function validate_analysis_integrity_state is a function responsible for checking that the output follows a - certain jsonschema. - """ + ''' alert = get_alert path = alert['syscheck']['path'] mode = alert['syscheck']['event'].title() 
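Review bot: The new `get_alert` parameter entry says `brief: List of alerts to be validated.`, but the body binds the fixture directly with `alert = get_alert` and then indexes `alert['syscheck']['path']`, so each test invocation receives a single alert dict, not a list. The `get_alert(request)` signature in the hunk header suggests a parametrized fixture yielding one alert per run, though that cannot be confirmed from this hunk alone. Suggest `brief: Single alert (one per test run) to be validated against its syscheck event.`. The same wording appears in test_validate_rare_analysisd_alerts.py, test_validate_win32_analysisd_alerts.py and test_validate_win32_analysisd_registry_alerts.py. The body of test_validate_all_linux_alerts continues past the end of this hunk.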
diff --git a/tests/integration/test_analysisd/test_all_syscheckd_configurations/test_validate_rare_analysisd_alerts.py b/tests/integration/test_analysisd/test_all_syscheckd_configurations/test_validate_rare_analysisd_alerts.py index 2738852d26..79c9168dcc 100644 --- a/tests/integration/test_analysisd/test_all_syscheckd_configurations/test_validate_rare_analysisd_alerts.py +++ b/tests/integration/test_analysisd/test_all_syscheckd_configurations/test_validate_rare_analysisd_alerts.py @@ -1,7 +1,54 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 +''' +copyright: + Copyright (C) 2015-2021, Wazuh Inc. + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: + integration + +description: + These tests will verify if the `analysisd` daemon correctly handles alerts generated + from the received Linux events considered rare. + +tiers: + - 2 + +component: + manager + +path: + tests/integration/test_analysisd/test_all_syscheckd_configurations/ + +daemons: + - analysisd + - syscheckd + - wazuh-db + +os_support: + - linux, rhel5 + - linux, rhel6 + - linux, rhel7 + - linux, rhel8 + - linux, amazon linux 1 + - linux, amazon linux 2 + - linux, debian buster + - linux, debian stretch + - linux, debian wheezy + - linux, ubuntu bionic + - linux, ubuntu xenial + - linux, ubuntu trusty + - linux, arch linux + +coverage: + +pytest_args: + +tags: + +''' import os import pytest 
@@ -57,12 +104,53 @@ def get_alert(request): def test_validate_all_linux_alerts(configure_sockets_environment, connect_to_sockets_module, wait_for_analysisd_startup, generate_events_and_alerts, get_alert): - """Check the event messages handling by analysisd. + ''' + description: + Check that the alerts generated by `analysisd` from Linux systems events considered rare are valid. + The `validate_analysis_alert_complex` function checks if an `analysisd` alert is + properly formatted in reference to its `syscheck` event. + + wazuh_min_version: + 3.12 + + parameters: + - configure_sockets_environment: + type: fixture + brief: Configure environment for sockets and MITM. + + - connect_to_sockets_module: + type: fixture + brief: Module scope version of `connect_to_sockets` fixture. + + - wait_for_analysisd_startup: + type: fixture + brief: Wait until analysisd has begun and alerts.json is created. + + - generate_events_and_alerts: + type: fixture + brief: Read the specified yaml and generate every event and alert using the input from every test case. + + - get_alert: + type: fixture + brief: List of alerts to be validated. + + assertions: + - Check that the alerts generated are consistent with the events received. + + test_input: + Different test cases that are contained in an external `YAML` file (syscheck_rare_events.yaml) + that includes `syscheck` events data and the expected output. + + logging: + - ossec.log: + - "Multiple values located in the `syscheck_rare_events.yaml` file." + + - alerts.json: + -"Multiple values located in the `syscheck_rare_events.yaml` file." + + tags: - The variable `test_case` is a yaml file that contains the input and the expected output for every test case. - The function validate_analysis_integrity_state is a function responsible for checking that the output follows a - certain jsonschema. - """ + ''' alert = get_alert path = alert['syscheck']['path'] mode = alert['syscheck']['event'].title() 
diff --git a/tests/integration/test_analysisd/test_all_syscheckd_configurations/test_validate_win32_analysisd_alerts.py b/tests/integration/test_analysisd/test_all_syscheckd_configurations/test_validate_win32_analysisd_alerts.py index e720e5e51d..085c5e35bd 100644 --- a/tests/integration/test_analysisd/test_all_syscheckd_configurations/test_validate_win32_analysisd_alerts.py +++ b/tests/integration/test_analysisd/test_all_syscheckd_configurations/test_validate_win32_analysisd_alerts.py @@ -1,7 +1,54 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 +''' +copyright: + Copyright (C) 2015-2021, Wazuh Inc. + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: + integration + +description: + These tests will verify if the `analysisd` daemon correctly handles alerts generated + from the received Windows events. + +tiers: + - 2 + +component: + manager + +path: + tests/integration/test_analysisd/test_all_syscheckd_configurations/ + +daemons: + - analysisd + - syscheckd + - wazuh-db + +os_support: + - linux, rhel5 + - linux, rhel6 + - linux, rhel7 + - linux, rhel8 + - linux, amazon linux 1 + - linux, amazon linux 2 + - linux, debian buster + - linux, debian stretch + - linux, debian wheezy + - linux, ubuntu bionic + - linux, ubuntu xenial + - linux, ubuntu trusty + - linux, arch linux + +coverage: + +pytest_args: + +tags: + +''' import os import pytest 
@@ -54,12 +101,53 @@ def get_alert(request): def test_validate_all_win32_alerts(configure_sockets_environment, connect_to_sockets_module, wait_for_analysisd_startup, generate_events_and_alerts, get_alert): - """Check the event messages handling by analysisd with events generated on Windows. + ''' + description: + Check that the alerts generated by `analysisd` from Windows systems events are valid. + The `validate_analysis_alert_complex` function checks if an `analysisd` alert is + properly formatted in reference to its `syscheck` event. + + wazuh_min_version: + 3.12 + + parameters: + - configure_sockets_environment: + type: fixture + brief: Configure environment for sockets and MITM. + + - connect_to_sockets_module: + type: fixture + brief: Module scope version of `connect_to_sockets` fixture. + + - wait_for_analysisd_startup: + type: fixture + brief: Wait until analysisd has begun and alerts.json is created. + + - generate_events_and_alerts: + type: fixture + brief: Read the specified yaml and generate every event and alert using the input from every test case. + + - get_alert: + type: fixture + brief: List of alerts to be validated. + + assertions: + - Check that the alerts generated are consistent with the events received. + + test_input: + Different test cases that are contained in an external `YAML` file (syscheck_events_win32.yaml) + that includes `syscheck` events data and the expected output. + + logging: + - ossec.log: + - "Multiple values located in the `syscheck_events_win32.yaml` file." + + - alerts.json: + -"Multiple values located in the `syscheck_events_win32.yaml` file." + + tags: - The variable `test_case` is a yaml file that contains the input and the expected output for every test case. - The function validate_analysis_integrity_state is a function responsible for checking that the output follows a - certain jsonschema. - """ + ''' alert = get_alert path = alert['syscheck']['path'] mode = alert['syscheck']['event'].title() 
diff --git a/tests/integration/test_analysisd/test_all_syscheckd_configurations/test_validate_win32_analysisd_registry_alerts.py b/tests/integration/test_analysisd/test_all_syscheckd_configurations/test_validate_win32_analysisd_registry_alerts.py index a6158fa82d..13176627fc 100644 --- a/tests/integration/test_analysisd/test_all_syscheckd_configurations/test_validate_win32_analysisd_registry_alerts.py +++ b/tests/integration/test_analysisd/test_all_syscheckd_configurations/test_validate_win32_analysisd_registry_alerts.py @@ -1,7 +1,54 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 +''' +copyright: + Copyright (C) 2015-2021, Wazuh Inc. + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: + integration + +description: + These tests will verify if the `analysisd` daemon correctly handles alerts generated + from the received Windows registry-related events. + +tiers: + - 2 + +component: + manager + +path: + tests/integration/test_analysisd/test_all_syscheckd_configurations/ + +daemons: + - analysisd + - syscheckd + - wazuh-db + +os_support: + - linux, rhel5 + - linux, rhel6 + - linux, rhel7 + - linux, rhel8 + - linux, amazon linux 1 + - linux, amazon linux 2 + - linux, debian buster + - linux, debian stretch + - linux, debian wheezy + - linux, ubuntu bionic + - linux, ubuntu xenial + - linux, ubuntu trusty + - linux, arch linux + +coverage: + +pytest_args: + +tags: + +''' import os import pytest 
@@ -55,12 +102,53 @@ def get_alert(request): def test_validate_all_win32_registry_alerts(configure_sockets_environment, connect_to_sockets_module, wait_for_analysisd_startup, generate_events_and_alerts, get_alert): - """Check the event messages handling by analysisd with events generated on Windows. + ''' + description: + Check that the alerts generated by `analysisd` from Windows systems registry-related events are valid. + The `validate_analysis_alert_complex` function checks if an `analysisd` alert is + properly formatted in reference to its `syscheck` event. + + wazuh_min_version: + 4.1 + + parameters: + - configure_sockets_environment: + type: fixture + brief: Configure environment for sockets and MITM. + + - connect_to_sockets_module: + type: fixture + brief: Module scope version of `connect_to_sockets` fixture. + + - wait_for_analysisd_startup: + type: fixture + brief: Wait until analysisd has begun and alerts.json is created. + + - generate_events_and_alerts: + type: fixture + brief: Read the specified yaml and generate every event and alert using the input from every test case. + + - get_alert: + type: fixture + brief: List of alerts to be validated. + + assertions: + - Check that the alerts generated are consistent with the events received. + + test_input: + Different test cases that are contained in an external `YAML` file (syscheck_events_win32.yaml) + that includes `syscheck` events data and the expected output. + + logging: + - ossec.log: + - "Multiple values located in the `syscheck_events_win32.yaml` file." + + - alerts.json: + -"Multiple values located in the `syscheck_events_win32.yaml` file." + + tags: - The variable `test_case` is a yaml file that contains the input and the expected output for every test case. - The function validate_analysis_integrity_state is a function responsible for checking that the output follows a - certain jsonschema. 
- """ + ''' alert = get_alert path = alert['syscheck']['path'] mode = alert['syscheck']['event'].title() diff --git a/tests/integration/test_analysisd/test_error_messages/test_error_messages.py b/tests/integration/test_analysisd/test_error_messages/test_error_messages.py index 8ccf786cd0..2bb17ffbf5 100644 --- a/tests/integration/test_analysisd/test_error_messages/test_error_messages.py +++ b/tests/integration/test_analysisd/test_error_messages/test_error_messages.py @@ -1,7 +1,53 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 +''' +copyright: + Copyright (C) 2015-2021, Wazuh Inc. + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: + integration + +description: + These tests will check if the `analysisd` daemon handles correctly the invalid events it receives. + +tiers: + - 0 + +component: + manager + +path: + tests/integration/test_analysisd/test_error_messages/ + +daemons: + - analysisd + - syscheckd + - wazuh-db + +os_support: + - linux, rhel5 + - linux, rhel6 + - linux, rhel7 + - linux, rhel8 + - linux, amazon linux 1 + - linux, amazon linux 2 + - linux, debian buster + - linux, debian stretch + - linux, debian wheezy + - linux, ubuntu bionic + - linux, ubuntu xenial + - linux, ubuntu trusty + - linux, arch linux + +coverage: + +pytest_args: + +tags: + +''' import os import pytest 
@@ -48,13 +94,45 @@ ids=[test_case['name'] for test_case in test_cases]) def test_error_messages(configure_sockets_environment, connect_to_sockets_module, wait_for_analysisd_startup, test_case: list): - """Check that every input message in analysisd socket generates the adequate output to wazuh-db socket + ''' + description: + Check if when the `analysisd` socket receives a message with an invalid event, + it generates the corresponding error that sends to the `wazuh-db` socket. + + wazuh_min_version: + 3.12 + + parameters: + - configure_sockets_environment: + type: fixture + brief: Configure environment for sockets and MITM. + + - connect_to_sockets_module: + type: fixture + brief: Module scope version of `connect_to_sockets` fixture. + + - wait_for_analysisd_startup: + type: fixture + brief: Wait until analysisd has begun and alerts.json is created. + + - test_case: + type: list + brief: List of tests to be performed. + + assertions: + - Check that the error messages generated are consistent with the events received. + + test_input: + Different test cases that are contained in an external `YAML` file (error_messages.yaml) + that includes `syscheck` events data and the expected output. + + logging: + - ossec.log: + - "Multiple values located in the `error_messages.yaml` file." + + tags: - Parameters - ---------- - test_case : list - List of test_case stages (dicts with input, output and stage keys) - """ + ''' for stage in test_case: receiver_sockets[0].send(stage['input']) result = log_monitors[0].start(timeout=4 * global_parameters.default_timeout, diff --git a/tests/integration/test_analysisd/test_event_messages/test_event_messages.py b/tests/integration/test_analysisd/test_event_messages/test_event_messages.py index 70f6a99a12..cdf8ba9477 100644 --- a/tests/integration/test_analysisd/test_event_messages/test_event_messages.py +++ b/tests/integration/test_analysisd/test_event_messages/test_event_messages.py 
@@ -1,7 +1,53 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 +''' +copyright: + Copyright (C) 2015-2021, Wazuh Inc. + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: + integration + +description: + These tests will check if the `analysisd` daemon correctly handles incoming events related to file modification. + +tiers: + - 0 + +component: + manager + +path: + tests/integration/test_analysisd/test_event_messages/ + +daemons: + - analysisd + - syscheckd + - wazuh-db + +os_support: + - linux, rhel5 + - linux, rhel6 + - linux, rhel7 + - linux, rhel8 + - linux, amazon linux 1 + - linux, amazon linux 2 + - linux, debian buster + - linux, debian stretch + - linux, debian wheezy + - linux, ubuntu bionic + - linux, ubuntu xenial + - linux, ubuntu trusty + - linux, arch linux + +coverage: + +pytest_args: + +tags: + +''' import os import pytest 
@@ -51,16 +97,49 @@ ids=[test_case['name'] for test_case in test_cases]) def test_event_messages(configure_sockets_environment, connect_to_sockets_module, wait_for_analysisd_startup, test_case: list): - """Check that every input message in analysisd socket generates the adequate output to wazuh-db socket. + ''' + description: + Check if when the `analysisd` socket receives a message with a file modification-related event, + it generates the corresponding alert that sends to the `wazuh-db` socket. + The `validate_analysis_alert` function checks if an `analysisd` event is properly formatted. + + wazuh_min_version: + 3.12 + + parameters: + - configure_sockets_environment: + type: fixture + brief: Configure environment for sockets and MITM. + + - connect_to_sockets_module: + type: fixture + brief: Module scope version of `connect_to_sockets` fixture. + + - wait_for_analysisd_startup: + type: fixture + brief: Wait until analysisd has begun and alerts.json is created. + + - test_case: + type: list + brief: List of tests to be performed. + + assertions: + - Check that the alerts generated are consistent with the events received. + + test_input: + Different test cases that are contained in an external `YAML` file (event_messages.yaml) + that includes `syscheck` events data and the expected output. + + logging: + - ossec.log: + - "Multiple values located in the `event_messages.yaml` file." + + - alerts.json: + -"Multiple values located in the `event_messages.yaml` file." - The function validate_analysis_integrity_state is a function responsible for checking that the output follows a - certain jsonschema. + tags: - Parameters - ---------- - test_case : list - List of test_case stages (dicts with input, output and stage keys) - """ + ''' for stage in test_case: expected = callback_analysisd_message(stage['output']) receiver_sockets[0].send(stage['input']) 
diff --git a/tests/integration/test_analysisd/test_integrity_messages/test_integrity_messages.py b/tests/integration/test_analysisd/test_integrity_messages/test_integrity_messages.py index 1ebacfa462..b22c20e1cc 100644 --- a/tests/integration/test_analysisd/test_integrity_messages/test_integrity_messages.py +++ b/tests/integration/test_analysisd/test_integrity_messages/test_integrity_messages.py @@ -1,7 +1,53 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 +''' +copyright: + Copyright (C) 2015-2021, Wazuh Inc. + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: + integration + +description: + These tests will check if the `analysisd` daemon correctly handles incoming events related to file integrity. + +tiers: + - 0 + +component: + manager + +path: + tests/integration/test_analysisd/test_integrity_messages/ + +daemons: + - analysisd + - syscheckd + - wazuh-db + +os_support: + - linux, rhel5 + - linux, rhel6 + - linux, rhel7 + - linux, rhel8 + - linux, amazon linux 1 + - linux, amazon linux 2 + - linux, debian buster + - linux, debian stretch + - linux, debian wheezy + - linux, ubuntu bionic + - linux, ubuntu xenial + - linux, ubuntu trusty + - linux, arch linux + +coverage: + +pytest_args: + +tags: + +''' import os import pytest 
@@ -51,16 +97,50 @@ ids=[test_case['name'] for test_case in test_cases]) def test_integrity_messages(configure_sockets_environment, connect_to_sockets_module, wait_for_analysisd_startup, test_case: list): - """Check that every input message in analysisd socket generates the adequate output to wazuh-db socket. + ''' + description: + Check if when the `analysisd` socket receives a message with a file integrity-related event, + it generates the corresponding alert that sends to the `wazuh-db` socket. + The `validate_analysis_integrity_state` function checks if an + `analysisd` integrity message is properly formatted. + + wazuh_min_version: + 3.12 + + parameters: + - configure_sockets_environment: + type: fixture + brief: Configure environment for sockets and MITM. + + - connect_to_sockets_module: + type: fixture + brief: Module scope version of `connect_to_sockets` fixture. + + - wait_for_analysisd_startup: + type: fixture + brief: Wait until analysisd has begun and alerts.json is created. + + - test_case: + type: list + brief: List of tests to be performed. + + assertions: + - Check that the messages generated are consistent with the events received. + + test_input: + Different test cases that are contained in an external `YAML` file (integrity_messages.yaml) + that includes `syscheck` events data and the expected output. + + logging: + - ossec.log: + - "Multiple values located in the `integrity_messages.yaml` file." + + - alerts.json: + - "Multiple values located in the `integrity_messages.yaml` file." - The function validate_analysis_integrity_state is a function responsible for checking that the output follows a - certain jsonschema. + tags: - Parameters - ---------- - test_case : list - List of test_case stages (dicts with input, output and stage keys) - """ + ''' for stage in test_case: expected = callback_analysisd_message(stage['output']) receiver_sockets[0].send(stage['input']) 
diff --git a/tests/integration/test_analysisd/test_mitre/test_mitre_check_alert.py b/tests/integration/test_analysisd/test_mitre/test_mitre_check_alert.py index abfe85d0bc..0c267d7502 100644 --- a/tests/integration/test_analysisd/test_mitre/test_mitre_check_alert.py +++ b/tests/integration/test_analysisd/test_mitre/test_mitre_check_alert.py @@ -1,7 +1,55 @@ -# Copyright (C) 2015-2021, Wazuh Inc. -# Created by Wazuh, Inc. . -# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 +''' +copyright: + Copyright (C) 2015-2021, Wazuh Inc. + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: + integration + +description: + Check if `analysisd` generates alerts enriching its fields with `MITRE` information. + The objective consists on checking if `analysisd` can generate alerts using custom rules + that contains the `mitre` field to enrich those alerts with MITREs IDs, techniques and tactics. + +tiers: + - 0 + +component: + manager + +path: + tests/integration/test_analysisd/test_mitre/ + +daemons: + - analysisd + - syscheckd + - wazuh-db + +os_support: + - linux, rhel5 + - linux, rhel6 + - linux, rhel7 + - linux, rhel8 + - linux, amazon linux 1 + - linux, amazon linux 2 + - linux, debian buster + - linux, debian stretch + - linux, debian wheezy + - linux, ubuntu bionic + - linux, ubuntu xenial + - linux, ubuntu trusty + - linux, arch linux + +coverage: + +pytest_args: + +tags: + +''' import os import jsonschema 
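Review bot: The new module `description:` has two grammar slips that will be copied verbatim into the generated documentation: "custom rules that contains the `mitre` field" should read "custom rules that contain the `mitre` field", and "MITREs IDs" should read "MITRE IDs". Everything else in the header block follows the same template as the sibling files in this commit.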
@@ -40,8 +88,43 @@ def get_configuration(request):
 # tests
 def test_mitre_check_alert(get_configuration, configure_local_rules, restart_wazuh_alerts):
- """Check Mitre alerts have correct format in accordance with configuration"""
+ '''
+ description:
+ Check if `MITRE` alerts are syntactically and semantically correct.
+
+ wazuh_min_version:
+ 4.0
+
+ parameters:
+ - get_configuration:
+ type: fixture
+ brief: Get configurations from the module.
+
+ - configure_local_rules:
+ type: fixture
+ brief: Configure a custom rule in `local_rules.xml` for testing.
+
+ - restart_wazuh_alerts:
+ type: fixture
+ brief: Reset `alerts.json` and start a new monitor.
+
+ assertions:
+ - Check that the `MITRE` alerts are generated and that they are correct.
+ test_input:
+ Different test cases that are contained in external `XML` files (data directory)
+ that include both valid and invalid rules for detecting `MITRE` events.
+
+ logging:
+ - ossec.log:
+ - r".*Ossec server started.*"
+
+ - alerts.json:
+ -"Multiple alerts related to MITRE events."
+
+ tags:
+
+ '''
 # Wait until Mitre's event is detected
 if get_configuration not in invalid_configurations:
 event = wazuh_alert_monitor.start(timeout=30, callback=callback_detect_mitre_event).result()
@@ -50,4 +133,3 @@ def test_mitre_check_alert(get_configuration, configure_local_rules, restart_waz
 with pytest.raises(jsonschema.exceptions.ValidationError):
 event = wazuh_alert_monitor.start(timeout=30, callback=callback_detect_mitre_event).result()
 validate_mitre_event(event)
-
diff --git a/tests/integration/test_analysisd/test_scan_messages/test_scan_messages.py b/tests/integration/test_analysisd/test_scan_messages/test_scan_messages.py
index ee650db784..1f2b36f48b 100644
--- a/tests/integration/test_analysisd/test_scan_messages/test_scan_messages.py
+++ b/tests/integration/test_analysisd/test_scan_messages/test_scan_messages.py
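Review bot: The `alerts.json` entry in the `logging` section is written as `-"Multiple alerts related to MITRE events."`, with no space after the dash, so a YAML reader takes it as a plain scalar rather than a one-item list like the `ossec.log` entry just above it; whatever tooling consumes these docstrings would presumably see a different shape for this key than for its sibling. The fix is the missing space: `- "Multiple alerts related to MITRE events."`. The same slip is in the `alerts.json` entry of the `test_scan_messages` hunk at the end of this page. A blank line between `assertions:` and `test_input:` would also bring this docstring in line with the layout used by the others in this change.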
@@ -1,7 +1,53 @@
-# Copyright (C) 2015-2021, Wazuh Inc.
-# Created by Wazuh, Inc. .
-# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+'''
+copyright:
+ Copyright (C) 2015-2021, Wazuh Inc.
+ Created by Wazuh, Inc. .
+
+ This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type:
+ integration
+
+description:
+ These tests will check if the `analysisd` daemon correctly handles incoming events related to file scanning.
+
+tiers:
+ - 0
+
+component:
+ manager
+
+path:
+ tests/integration/test_analysisd/test_scan_messages/
+
+daemons:
+ - analysisd
+ - syscheckd
+ - wazuh-db
+
+os_support:
+ - linux, rhel5
+ - linux, rhel6
+ - linux, rhel7
+ - linux, rhel8
+ - linux, amazon linux 1
+ - linux, amazon linux 2
+ - linux, debian buster
+ - linux, debian stretch
+ - linux, debian wheezy
+ - linux, ubuntu bionic
+ - linux, ubuntu xenial
+ - linux, ubuntu trusty
+ - linux, arch linux
+
+coverage:
+
+pytest_args:
+
+tags:
+
+'''
 import os
 import pytest
@@ -50,13 +96,48 @@ ids=[test_case['name'] for test_case in test_cases])
 def test_scan_messages(configure_sockets_environment, connect_to_sockets_module, wait_for_analysisd_startup,
 test_case: list):
- """Check that every input message in analysisd socket generates the adequate output to wazuh-db socket
+ '''
+ description:
+ Check if when the `analysisd` socket receives a message with a file scanning-related event,
+ it generates the corresponding alert that sends to the `wazuh-db` socket.
+
+ wazuh_min_version:
+ 3.12
+
+ parameters:
+ - configure_sockets_environment:
+ type: fixture
+ brief: Configure environment for sockets and MITM.
+
+ - connect_to_sockets_module:
+ type: fixture
+ brief: Module scope version of `connect_to_sockets` fixture.
+
+ - wait_for_analysisd_startup:
+ type: fixture
+ brief: Wait until analysisd has begun and alerts.json is created.
+
+ - test_case:
+ type: list
+ brief: List of tests to be performed.
+
+ assertions:
+ - Check that the messages generated are consistent with the events received.
+
+ test_input:
+ Different test cases that are contained in an external `YAML` file (scan_messages.yaml)
+ that includes `syscheck` events data and the expected output.
+
+ logging:
+ - ossec.log:
+ - "Multiple values located in the `scan_messages.yaml` file."
+
+ - alerts.json:
+ -"Multiple values located in the `scan_messages.yaml` file."
+
+ tags:

- Parameters
- ----------
- test_case : list
- List of test_case stages (dicts with input, output and stage keys)
- """
+ '''
 for stage in test_case:
 expected = callback_analysisd_message(stage['output'])
 receiver_sockets[0].send(stage['input'])