diff --git a/CHANGELOG.md b/CHANGELOG.md index a37595b484..ff68bdb6d1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,12 +1,11 @@ # Change Log All notable changes to this project will be documented in this file. -## [v4.3.0] +## [v1.0.0] ### Added ### Changed - -### Fixed +- Refactor: FIM `test_synchronization` according to new standard. Phase 1. ([#2358](https://github.com/wazuh/wazuh-qa/pull/2358)) ### Deleted diff --git a/deps/wazuh_testing/wazuh_testing/fim.py b/deps/wazuh_testing/wazuh_testing/fim.py index a0db616954..c34cfcbf1f 100644 --- a/deps/wazuh_testing/wazuh_testing/fim.py +++ b/deps/wazuh_testing/wazuh_testing/fim.py @@ -1339,13 +1339,6 @@ def callback_detect_max_files_per_second(line): return match is not None -def callback_dbsync_no_data(line): - match = re.match(r'.*#!-fim_registry dbsync no_data (.+)', line) - if match: - return match.group(1) - return None - - def callback_detect_end_runtime_wildcards(line): match = re.match(r".*Configuration wildcards update finalize\.", line) return match is not None diff --git a/deps/wazuh_testing/wazuh_testing/fim_module/__init__.py b/deps/wazuh_testing/wazuh_testing/fim_module/__init__.py new file mode 100644 index 0000000000..e69de29bb2 diff --git a/deps/wazuh_testing/wazuh_testing/fim_module/fim_synchronization.py b/deps/wazuh_testing/wazuh_testing/fim_module/fim_synchronization.py new file mode 100644 index 0000000000..a62d4b044c --- /dev/null +++ b/deps/wazuh_testing/wazuh_testing/fim_module/fim_synchronization.py @@ -0,0 +1,58 @@ +# Copyright (C) 2015-2021, Wazuh Inc. +# Created by Wazuh, Inc. . +# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +from wazuh_testing.fim import LOG_FILE_PATH, callback_detect_registry_integrity_state_event +from wazuh_testing import global_parameters +from wazuh_testing.fim_module.fim_variables import MAX_EVENTS_VALUE, REGISTRY_DBSYNC_NO_DATA +from wazuh_testing.tools.monitoring import FileMonitor, callback_generator + + +def get_sync_msgs(tout, new_data=True): + """Look for as many synchronization events as possible. + This function will look for the synchronization messages until a Timeout is raised or 'max_events' is reached. + Params: + tout (int): Timeout that will be used to get the dbsync_no_data message. + new_data (bool): Specifies if the test will wait the event `dbsync_no_data` + Returns: + A list with all the events in json format. + """ + wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) + events = [] + if new_data: + wazuh_log_monitor.start(timeout=tout, + callback=callback_generator(REGISTRY_DBSYNC_NO_DATA), + error_message='Did not receive expected ' + '"db sync no data" event') + for _ in range(0, MAX_EVENTS_VALUE): + try: + sync_event = wazuh_log_monitor.start(timeout=global_parameters.default_timeout, + callback=callback_detect_registry_integrity_state_event, + accum_results=1, + error_message='Did not receive expected ' + 'Sending integrity control message"').result() + except TimeoutError: + break + + events.append(sync_event) + + return events + + +def find_value_in_event_list(key_path, value_name, event_list): + """Function that looks for a key path and value_name in a list of json events. + Params: + path (str): Path of the registry key. + value_name (str): Name of the value + event_list (list): List containing the events in JSON format. + Returns: + The event that matches the specified path. None if no event was found. + """ + for event in event_list: + if 'value_name' not in event.keys(): + continue + + if event['path'] == key_path and event['value_name'] == value_name: + return event + + return None diff --git a/deps/wazuh_testing/wazuh_testing/fim_module/fim_variables.py b/deps/wazuh_testing/wazuh_testing/fim_module/fim_variables.py new file mode 100644 index 0000000000..6bafa35a18 --- /dev/null +++ b/deps/wazuh_testing/wazuh_testing/fim_module/fim_variables.py @@ -0,0 +1,40 @@ +# Copyright (C) 2015-2021, Wazuh Inc. +# Created by Wazuh, Inc. . +# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +''' +The purpose of this file is to contain all the variables necessary for FIM in order to be easier to +maintain if one of them changes in the future. +''' + +# Variables + +# Key variables +WINDOWS_HKEY_LOCAL_MACHINE = 'HKEY_LOCAL_MACHINE' +MONITORED_KEY = 'SOFTWARE\\random_key' +WINDOWS_REGISTRY = 'WINDOWS_REGISTRY' + + +# Value key +SYNC_INTERVAL = 'SYNC_INTERVAL' +SYNC_INTERVAL_VALUE = MAX_EVENTS_VALUE = 20 + +# Folders variables +TEST_DIR_1 = 'testdir1' +TEST_DIRECTORIES = 'TEST_DIRECTORIES' +TEST_REGISTRIES = 'TEST_REGISTRIES' + +# FIM modules +SCHEDULE_MODE = 'scheduled' + +# Yaml Configuration +YAML_CONF_REGISTRY_RESPONSE = 'wazuh_conf_registry_responses_win32.yaml' +YAML_CONF_SYNC_WIN32 = 'wazuh_sync_conf_win32.yaml' + +# Synchronization options +SYNCHRONIZATION_ENABLED = 'SYNCHRONIZATION_ENABLED' +SYNCHRONIZATION_REGISTRY_ENABLED = 'SYNCHRONIZATION_REGISTRY_ENABLED' + +# Callbacks message +INTEGRITY_CONTROL_MESSAGE = r'.*Sending integrity control message: (.+)$' +REGISTRY_DBSYNC_NO_DATA = r'.*#!-fim_registry dbsync no_data (.+)' diff --git a/deps/wazuh_testing/wazuh_testing/wazuh_variables.py b/deps/wazuh_testing/wazuh_testing/wazuh_variables.py new file mode 100644 index 0000000000..7f1c52d023 --- /dev/null +++ b/deps/wazuh_testing/wazuh_testing/wazuh_variables.py @@ -0,0 +1,18 @@ +# Copyright (C) 2015-2021, Wazuh Inc. +# Created by Wazuh, Inc. . +# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +''' +The purpose of this file is to contain all the variables necessary for Wazuh in order to be easier +to maintain if one of them changes in the future. +''' +# Local internal options +WINDOWS_DEBUG = 'windows.debug' +VERBOSE_DEBUG_OUTPUT = 2 + +WAZUH_SERVICES_STOP = 'stop' +WAZUH_SERVICES_START = 'start' + +# Configurations +DATA = 'data' +WAZUH_LOG_MONITOR = 'wazuh_log_monitor' diff --git a/tests/integration/test_fim/conftest.py b/tests/integration/test_fim/conftest.py new file mode 100644 index 0000000000..7c821808aa --- /dev/null +++ b/tests/integration/test_fim/conftest.py @@ -0,0 +1,36 @@ +# Copyright (C) 2015-2021, Wazuh Inc. +# Created by Wazuh, Inc. . +# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +import pytest +from wazuh_testing import global_parameters +from wazuh_testing.tools.services import control_service +from wazuh_testing.fim import (create_registry, registry_parser, KEY_WOW64_64KEY, delete_registry, + LOG_FILE_PATH, callback_detect_registry_integrity_clear_event) +from wazuh_testing.tools.file import truncate_file +from wazuh_testing.fim_module.fim_variables import WINDOWS_HKEY_LOCAL_MACHINE, MONITORED_KEY, SYNC_INTERVAL_VALUE +from wazuh_testing.wazuh_variables import WAZUH_SERVICES_START, WAZUH_SERVICES_STOP, WAZUH_LOG_MONITOR +from wazuh_testing.tools.monitoring import FileMonitor + + +@pytest.fixture(scope='function') +def create_key(request): + """Fixture that create the test key And then delete the key and truncate the file. The aim of this + fixture is to avoid false positives if the manager still has the test key + in it's DB. + """ + control_service(WAZUH_SERVICES_STOP) + create_registry(registry_parser[WINDOWS_HKEY_LOCAL_MACHINE], MONITORED_KEY, KEY_WOW64_64KEY) + + yield + delete_registry(registry_parser[WINDOWS_HKEY_LOCAL_MACHINE], MONITORED_KEY, KEY_WOW64_64KEY) + control_service(WAZUH_SERVICES_STOP) + truncate_file(LOG_FILE_PATH) + file_monitor = FileMonitor(LOG_FILE_PATH) + setattr(request.module, WAZUH_LOG_MONITOR, file_monitor) + control_service(WAZUH_SERVICES_START) + + # wait until the sync is done. + file_monitor.start(timeout=SYNC_INTERVAL_VALUE + global_parameters.default_timeout, + callback=callback_detect_registry_integrity_clear_event, + error_message='Did not receive expected "integrity clear" event') diff --git a/tests/integration/test_fim/test_synchronization/data/wazuh_disabled_sync_conf_win32.yaml b/tests/integration/test_fim/test_synchronization/data/wazuh_disabled_sync_conf_win32.yaml deleted file mode 100644 index 9b6b7054ac..0000000000 --- a/tests/integration/test_fim/test_synchronization/data/wazuh_disabled_sync_conf_win32.yaml +++ /dev/null @@ -1,71 +0,0 @@ ---- -# Configuration for sync disabled -- tags: - - sync_disabled - apply_to_modules: - - test_sync_disabled_win32 - sections: - - section: syscheck - elements: - - disabled: - value: 'no' - - synchronization: - elements: - - enabled: - value: 'no' - - directories: - value: TEST_DIRECTORIES - attributes: - - FIM_MODE - - windows_registry: - value: TEST_REGISTRIES - attributes: - - arch: "both" -# Configuration for registry sync disabled -- tags: - - sync_registry_disabled - apply_to_modules: - - test_sync_disabled_win32 - sections: - - section: syscheck - elements: - - disabled: - value: 'no' - - synchronization: - elements: - - enabled: - value: 'yes' - - registry_enabled: - value: 'no' - - directories: - value: TEST_DIRECTORIES - attributes: - - FIM_MODE - - windows_registry: - value: TEST_REGISTRIES - attributes: - - arch: "both" -# Configuration for registry sync enabled -- tags: - - sync_registry_enabled - apply_to_modules: - - test_sync_disabled_win32 - sections: - - section: syscheck - elements: - - disabled: - value: 'no' - - synchronization: - elements: - - enabled: - value: 'yes' - - registry_enabled: - value: 'yes' - - directories: - value: TEST_DIRECTORIES - attributes: - - FIM_MODE - - windows_registry: - value: TEST_REGISTRIES - attributes: - - arch: "both" diff --git a/tests/integration/test_fim/test_synchronization/data/wazuh_sync_conf_win32.yaml b/tests/integration/test_fim/test_synchronization/data/wazuh_sync_conf_win32.yaml new file mode 100644 index 0000000000..c0d6b4e811 --- /dev/null +++ b/tests/integration/test_fim/test_synchronization/data/wazuh_sync_conf_win32.yaml @@ -0,0 +1,28 @@ + +# Configuration for sync disabled +- tags: + - sync_disabled + apply_to_modules: + - test_sync_disabled_win32 + - test_sync_enabled_win32 + - test_sync_registry_disabled_win32 + - test_sync_registry_enabled_win32 + sections: + - section: syscheck + elements: + - disabled: + value: 'no' + - synchronization: + elements: + - enabled: + value: SYNCHRONIZATION_ENABLED + - registry_enabled: + value: SYNCHRONIZATION_REGISTRY_ENABLED + - directories: + value: TEST_DIRECTORIES + attributes: + - FIM_MODE + - windows_registry: + value: TEST_REGISTRIES + attributes: + - arch: "both" \ No newline at end of file diff --git a/tests/integration/test_fim/test_synchronization/test_registry_responses_win32.py b/tests/integration/test_fim/test_synchronization/test_registry_responses_win32.py index d16810c9d2..0e8bc20126 100644 --- a/tests/integration/test_fim/test_synchronization/test_registry_responses_win32.py +++ b/tests/integration/test_fim/test_synchronization/test_registry_responses_win32.py @@ -56,33 +56,36 @@ ''' import os import pytest -import wazuh_testing.fim as fim -from wazuh_testing import global_parameters -from wazuh_testing.tools.configuration import load_wazuh_configurations, check_apply_test +from wazuh_testing.fim import (generate_params, create_registry, modify_registry_value, registry_parser, + KEY_WOW64_64KEY, REG_SZ) +from wazuh_testing.tools.configuration import load_wazuh_configurations from wazuh_testing.tools.monitoring import FileMonitor from wazuh_testing.tools.services import control_service -from wazuh_testing.tools.file import truncate_file +from wazuh_testing.fim_module.fim_synchronization import find_value_in_event_list, get_sync_msgs +from wazuh_testing.fim_module.fim_variables import (SCHEDULE_MODE, WINDOWS_REGISTRY, SYNC_INTERVAL, SYNC_INTERVAL_VALUE, + YAML_CONF_REGISTRY_RESPONSE, WINDOWS_HKEY_LOCAL_MACHINE, + MONITORED_KEY) +from wazuh_testing.wazuh_variables import DATA, WAZUH_SERVICES_START, WINDOWS_DEBUG, VERBOSE_DEBUG_OUTPUT + # Marks pytestmark = [pytest.mark.win32, pytest.mark.tier(level=1)] # variables -key = "HKEY_LOCAL_MACHINE" -monitored_key = "SOFTWARE\\random_key" -sync_interval = 20 -max_events = 20 -test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') -configurations_path = os.path.join(test_data_path, 'wazuh_conf_registry_responses_win32.yaml') -conf_params = {'WINDOWS_REGISTRY': os.path.join(key, monitored_key), 'SYNC_INTERVAL': sync_interval} -wazuh_log_monitor = FileMonitor(fim.LOG_FILE_PATH) +test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), DATA) +configurations_path = os.path.join(test_data_path, YAML_CONF_REGISTRY_RESPONSE) +conf_params = {WINDOWS_REGISTRY: os.path.join(WINDOWS_HKEY_LOCAL_MACHINE, MONITORED_KEY), + SYNC_INTERVAL: SYNC_INTERVAL_VALUE} + # configurations -conf_params, conf_metadata = fim.generate_params(extra_params=conf_params, modes=['scheduled']) +conf_params, conf_metadata = generate_params(extra_params=conf_params, modes=[SCHEDULE_MODE]) configurations = load_wazuh_configurations(configurations_path, __name__, params=conf_params, metadata=conf_metadata) +local_internal_options = {WINDOWS_DEBUG: VERBOSE_DEBUG_OUTPUT} # fixtures @@ -93,100 +96,13 @@ def get_configuration(request): return request.param -def get_sync_msgs(tout, new_data=True): - """Look for as many synchronization events as possible. - This function will look for the synchronization messages until a Timeout is raised or 'max_events' is reached. - Params: - tout (int): Timeout that will be used to get the dbsync_no_data message. - new_data (bool): Specifies if the test will wait the event `dbsync_no_data` - Returns: - A list with all the events in json format. - """ - events = [] - if new_data: - wazuh_log_monitor.start(timeout=tout, - callback=fim.callback_dbsync_no_data, - error_message='Did not receive expected ' - '"db sync no data" event') - for _ in range(0, max_events): - try: - sync_event = wazuh_log_monitor.start(timeout=global_parameters.default_timeout, - callback=fim.callback_detect_registry_integrity_state_event, - accum_results=1, - error_message='Did not receive expected ' - 'Sending integrity control message"').result() - except TimeoutError: - break - - events.append(sync_event) - - return events - - -def find_path_in_event_list(path, event_list): - """Function that looks for a key path in a list of json events. - Params: - path (str): Path of the registry key. - event_list (list): List containing the events in JSON format. - Returns: - The event that matches the specified path. None if no event was found. - """ - for event in event_list: - if event['path'] == path: - return event - return None - - -def find_value_in_event_list(key_path, value_name, event_list): - """Function that looks for a key path and value_name in a list of json events. - Params: - path (str): Path of the registry key. - value_name (str): Name of the value - event_list (list): List containing the events in JSON format. - Returns: - The event that matches the specified path. None if no event was found. - """ - for event in event_list: - if 'value_name' not in event.keys(): - continue - - if event['path'] == key_path and event['value_name'] == value_name: - return event - - return None - - -def extra_configuration_after_yield(): - """Remove the registry key when the test ends""" - fim.delete_registry(fim.registry_parser[key], monitored_key, fim.KEY_WOW64_64KEY) - - -@pytest.fixture(scope='function', params=configurations) -def remove_key_and_restart(request): - """Fixture that removes the test key and restart the agent. The aim of this - fixture is to avoid false positives if the manager still has the test key - in it's DB. - """ - fim.delete_registry(fim.registry_parser[key], monitored_key, fim.KEY_WOW64_64KEY) - control_service('stop') - truncate_file(fim.LOG_FILE_PATH) - file_monitor = FileMonitor(fim.LOG_FILE_PATH) - setattr(request.module, 'wazuh_log_monitor', file_monitor) - control_service('start') - - # wait until the sync is done. - wazuh_log_monitor.start(timeout=sync_interval + global_parameters.default_timeout, - callback=fim.callback_detect_registry_integrity_clear_event, - error_message='Did not receive expected "integrity clear" event') - - # tests -@pytest.mark.parametrize('tags_to_apply', [{'registry_sync_responses'}]) + @pytest.mark.parametrize('key_name', [':subkey1', 'subkey2:', ':subkey3:']) @pytest.mark.parametrize('value_name', [':value1', 'value2:', ':value3:']) -def test_registry_sync_after_restart(key_name, value_name, tags_to_apply, get_configuration, configure_environment, - remove_key_and_restart): +def test_registry_sync_after_restart(key_name, value_name, configure_local_internal_options_module, + get_configuration, configure_environment, create_key): ''' description: Check if the 'wazuh-syscheckd' daemon synchronizes the registry DB when a modification is performed while the agent is down. For this purpose, the test will monitor a key and @@ -204,18 +120,18 @@ def test_registry_sync_after_restart(key_name, value_name, tags_to_apply, get_co - value_name: type: str brief: Name of the value that will be created in the test. - - tags_to_apply: - type: set - brief: Run test if matches with a configuration identifier, skip otherwise. + - configure_local_internal_options_module: + type: fixture + brief: Configure the local internal options file. - get_configuration: type: fixture brief: Get configurations from the module. - configure_environment: type: fixture brief: Configure a custom environment for testing. - - remove_key_and_restart: + - create_key: type: fixture - brief: Remove the test key and restart the agent. + brief: Create the test key. assertions: - Verify that FIM sync events generated include the monitored value path and @@ -234,19 +150,17 @@ def test_registry_sync_after_restart(key_name, value_name, tags_to_apply, get_co - scheduled - time_travel ''' - check_apply_test(tags_to_apply, get_configuration['tags']) - key_path = os.path.join(monitored_key, key_name) - value_path = os.path.join(key, key_path, value_name) + key_path = os.path.join(MONITORED_KEY, key_name) + value_path = os.path.join(WINDOWS_HKEY_LOCAL_MACHINE, key_path, value_name) # stops syscheckd - control_service('stop') - fim.create_registry(fim.registry_parser[key], monitored_key, fim.KEY_WOW64_64KEY) - key_handle = fim.create_registry(fim.registry_parser[key], key_path, fim.KEY_WOW64_64KEY) + key_handle = create_registry(registry_parser[WINDOWS_HKEY_LOCAL_MACHINE], key_path, KEY_WOW64_64KEY) - fim.modify_registry_value(key_handle, value_name, fim.REG_SZ, 'This is a test with syscheckd down.') - control_service('start') + modify_registry_value(key_handle, value_name, REG_SZ, 'This is a test with syscheckd down.') + control_service(WAZUH_SERVICES_START) - events = get_sync_msgs(sync_interval) + events = get_sync_msgs(SYNC_INTERVAL_VALUE) assert find_value_in_event_list( - os.path.join(key, key_path), value_name, events) is not None, f"No sync event was found for {value_path}" + os.path.join(WINDOWS_HKEY_LOCAL_MACHINE, key_path), value_name, + events) is not None, f"No sync event was found for {value_path}" diff --git a/tests/integration/test_fim/test_synchronization/test_sync_disabled_win32.py b/tests/integration/test_fim/test_synchronization/test_sync_disabled_win32.py index 2214ff7a09..a7c651d79b 100644 --- a/tests/integration/test_fim/test_synchronization/test_sync_disabled_win32.py +++ b/tests/integration/test_fim/test_synchronization/test_sync_disabled_win32.py @@ -10,7 +10,7 @@ brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are modified. Specifically, these tests will check if FIM disables the synchronization of file/registry on Windows systems when the 'enabled' tag of the synchronization option is - set to 'no', and vice versa. + set to 'no'. The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files for changes to the checksums, permissions, and ownership. @@ -58,40 +58,44 @@ import pytest from wazuh_testing import global_parameters -from wazuh_testing.fim import LOG_FILE_PATH, callback_detect_integrity_event, generate_params +from wazuh_testing.fim import LOG_FILE_PATH, generate_params from wazuh_testing.tools import PREFIX -from wazuh_testing.tools.configuration import load_wazuh_configurations, check_apply_test -from wazuh_testing.tools.monitoring import FileMonitor - +from wazuh_testing.tools.configuration import load_wazuh_configurations +from wazuh_testing.tools.monitoring import FileMonitor, callback_generator +from wazuh_testing.wazuh_variables import DATA +from wazuh_testing.fim_module.fim_variables import (TEST_DIR_1, WINDOWS_HKEY_LOCAL_MACHINE, MONITORED_KEY, + YAML_CONF_SYNC_WIN32, TEST_DIRECTORIES, TEST_REGISTRIES, + SYNCHRONIZATION_ENABLED, INTEGRITY_CONTROL_MESSAGE, + SYNCHRONIZATION_REGISTRY_ENABLED) # Marks pytestmark = [pytest.mark.win32, pytest.mark.tier(level=1)] # variables -test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') -key = "HKEY_LOCAL_MACHINE" -subkey = "SOFTWARE\\test" +test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), DATA) + -configurations_path = os.path.join(test_data_path, 'wazuh_disabled_sync_conf_win32.yaml') +configurations_path = os.path.join(test_data_path, YAML_CONF_SYNC_WIN32) -test_directories = [os.path.join(PREFIX, 'testdir1')] -test_regs = [os.path.join(key, subkey)] +test_directories = [os.path.join(PREFIX, TEST_DIR_1)] +test_regs = [os.path.join(WINDOWS_HKEY_LOCAL_MACHINE, MONITORED_KEY)] wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) -conf_params = {'TEST_DIRECTORIES': test_directories[0], - 'TEST_REGISTRIES': test_regs[0]} +conf_params = {TEST_DIRECTORIES: test_directories[0], + TEST_REGISTRIES: test_regs[0], + SYNCHRONIZATION_ENABLED: 'no', + SYNCHRONIZATION_REGISTRY_ENABLED: 'no'} # configurations -p, m = generate_params(extra_params=conf_params, modes=['scheduled', 'realtime', 'whodata']) +parameters, metadata = generate_params(extra_params=conf_params) -configurations = load_wazuh_configurations(configurations_path, __name__, params=p, metadata=m) +configurations = load_wazuh_configurations(configurations_path, __name__, params=parameters, metadata=metadata) # fixtures - @pytest.fixture(scope='module', params=configurations) def get_configuration(request): """Get configurations from the module.""" @@ -100,33 +104,16 @@ def get_configuration(request): # Tests - -@pytest.mark.parametrize('tags_to_apply, file_sync, registry_sync, ', [ - ({'sync_disabled'}, False, False), - ({'sync_registry_disabled'}, True, False), - ({'sync_registry_enabled'}, True, True) -]) -def test_sync_disabled(tags_to_apply, file_sync, registry_sync, - get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start_sync_disabled): +def test_sync_disabled(get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start_sync_disabled): ''' description: Check if the 'wazuh-syscheckd' daemon uses the value of the 'enabled' tag to start/stop the file/registry synchronization. For this purpose, the test will monitor a directory/key. Finally, it will verify that no FIM 'integrity' event is generated when the synchronization - is disabled, and verify that the FIM 'integrity' event generated corresponds with a - file or a registry when the synchronization is enabled, depending on the test case. + is disablede. wazuh_min_version: 4.2.0 parameters: - - tags_to_apply: - type: set - brief: Run test if matches with a configuration identifier, skip otherwise. - - file_sync: - type: bool - brief: True if file synchronization is enabled. False otherwise. - - registry_sync: - type: bool - brief: True if registry synchronization is enabled. False otherwise. - get_configuration: type: fixture brief: Get configurations from the module. @@ -139,45 +126,22 @@ def test_sync_disabled(tags_to_apply, file_sync, registry_sync, - wait_for_fim_start_sync_disabled: type: fixture brief: Wait for end of initial FIM scan. - assertions: - Verify that no FIM 'integrity' events are generated when the value - of the 'enabled' tag is set yo 'no' (synchronization disabled). - - Verify that FIM 'integrity' events generated correspond to a file/registry depending on - the value of the 'enabled' and the 'registry_enabled' tags (synchronization enabled). - - input_description: Different test cases are contained in external YAML file (wazuh_disabled_sync_conf_win32.yaml) + of the 'enabled' tag is set to 'no' (synchronization disabled). + input_description: Different test cases are contained in external YAML file (wazuh_sync_conf_win32.yaml) which includes configuration settings for the 'wazuh-syscheckd' daemon. That is combined with the testing directory/key to be monitored defined in this module. - expected_output: - r'.*Sending integrity control message' - tags: - scheduled - time_travel - realtime - who_data ''' - check_apply_test(tags_to_apply, get_configuration['tags']) - if not file_sync: - # The file synchronization event shouldn't be triggered - with pytest.raises(TimeoutError): - event = wazuh_log_monitor.start(timeout=global_parameters.default_timeout, - callback=callback_detect_integrity_event, update_position=True).result() - else: - # The file synchronization event should be triggered + # The file synchronization event shouldn't be triggered + with pytest.raises(TimeoutError): event = wazuh_log_monitor.start(timeout=global_parameters.default_timeout, - callback=callback_detect_integrity_event, update_position=True).result() - assert event['component'] == 'fim_file', 'Wrong event component' - - if not registry_sync: - # The registry synchronization event shouldn't be triggered - with pytest.raises(TimeoutError): - event = wazuh_log_monitor.start(timeout=global_parameters.default_timeout, update_position=True, - callback=callback_detect_integrity_event).result() - else: - # The registry synchronization event should be triggered - event = wazuh_log_monitor.start(timeout=global_parameters.default_timeout, update_position=True, - callback=callback_detect_integrity_event).result() - assert event['component'] == 'fim_registry', 'Wrong event component' + callback=callback_generator(INTEGRITY_CONTROL_MESSAGE), + update_position=True).result() diff --git a/tests/integration/test_fim/test_synchronization/test_sync_enabled_win32.py b/tests/integration/test_fim/test_synchronization/test_sync_enabled_win32.py new file mode 100644 index 0000000000..f41b29e0dc --- /dev/null +++ b/tests/integration/test_fim/test_synchronization/test_sync_enabled_win32.py @@ -0,0 +1,151 @@ +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these + files are modified. Specifically, these tests will check if FIM enable the synchronization + of file/registry on Windows systems when the 'enabled' tag of the synchronization option is + set to 'yes'. + The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured + files for changes to the checksums, permissions, and ownership. + +tier: 1 + +modules: + - fim + +components: + - agent + +daemons: + - wazuh-syscheckd + +os_platform: + - windows + +os_version: + - Windows 10 + - Windows 8 + - Windows 7 + - Windows Server 2019 + - Windows Server 2016 + - Windows Server 2012 + - Windows Server 2003 + - Windows XP + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#synchronization + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the 'who-data' information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. + 1: Only level 1 tests are performed, they check functionalities of medium complexity. + 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. + +tags: + - fim_synchronization +''' + +import os + +import pytest +from wazuh_testing import global_parameters +from wazuh_testing.fim import LOG_FILE_PATH, generate_params, callback_detect_integrity_event +from wazuh_testing.tools import PREFIX +from wazuh_testing.tools.configuration import load_wazuh_configurations +from wazuh_testing.tools.monitoring import FileMonitor +from wazuh_testing.wazuh_variables import DATA +from wazuh_testing.fim_module.fim_variables import (TEST_DIR_1, WINDOWS_HKEY_LOCAL_MACHINE, MONITORED_KEY, + YAML_CONF_SYNC_WIN32, TEST_DIRECTORIES, TEST_REGISTRIES, + SYNCHRONIZATION_ENABLED, SYNCHRONIZATION_REGISTRY_ENABLED) +# Marks + +pytestmark = [pytest.mark.win32, pytest.mark.tier(level=1)] + +# variables +test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), DATA) + + +configurations_path = os.path.join(test_data_path, YAML_CONF_SYNC_WIN32) + +test_directories = [os.path.join(PREFIX, TEST_DIR_1)] +test_regs = [os.path.join(WINDOWS_HKEY_LOCAL_MACHINE, MONITORED_KEY)] + +wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) + +conf_params = {TEST_DIRECTORIES: test_directories[0], + TEST_REGISTRIES: test_regs[0], + SYNCHRONIZATION_ENABLED: 'yes', + SYNCHRONIZATION_REGISTRY_ENABLED: 'yes'} + +# configurations + +parameters, metadata = generate_params(extra_params=conf_params) + +configurations = load_wazuh_configurations(configurations_path, __name__, params=parameters, metadata=metadata) + + +# fixtures + +@pytest.fixture(scope='module', params=configurations) +def get_configuration(request): + """Get configurations from the module.""" + return request.param + + +# Tests + +def test_sync_disabled(get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start_sync_disabled): + ''' + description: Check if the 'wazuh-syscheckd' daemon uses the value of the 'enabled' tag to start/stop + the file/registry synchronization. For this purpose, the test will monitor a directory/key. + Finally, it will verify that the FIM 'integrity' event generated corresponds with a + file or a registry when the synchronization is enabled, depending on the test case. + wazuh_min_version: 4.2.0 + parameters: + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the 'ossec.log' file and start a new monitor. + - wait_for_fim_start_sync_disabled: + type: fixture + brief: Wait for end of initial FIM scan. + assertions: + - Verify that FIM 'integrity' events generated correspond to a file/registry depending on + the value of the 'enabled' and the 'registry_enabled' tags (synchronization enabled). + input_description: Different test cases are contained in external YAML file (wazuh_sync_conf_win32.yaml) + which includes configuration settings for the 'wazuh-syscheckd' daemon. That is combined with + the testing directory/key to be monitored defined in this module. + expected_output: + - r'.*Sending integrity control message' + tags: + - scheduled + - time_travel + - realtime + - who_data + ''' + # The file synchronization event should be triggered + event = wazuh_log_monitor.start(timeout=global_parameters.default_timeout, + callback=callback_detect_integrity_event, update_position=True).result() + + assert event['component'] == 'fim_file', 'Wrong event component' + + # The registry synchronization event should be triggered + event = wazuh_log_monitor.start(timeout=global_parameters.default_timeout, update_position=True, + callback=callback_detect_integrity_event).result() + + assert event['component'] == 'fim_registry', 'Wrong event component' diff --git a/tests/integration/test_fim/test_synchronization/test_sync_registry_disabled_win32.py b/tests/integration/test_fim/test_synchronization/test_sync_registry_disabled_win32.py new file mode 100644 index 0000000000..c8a800110b --- /dev/null +++ b/tests/integration/test_fim/test_synchronization/test_sync_registry_disabled_win32.py @@ -0,0 +1,153 @@ +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these + files are modified. Specifically, these tests will check if FIM disables the synchronization + of file/registry on Windows systems when the 'enabled' tag of the synchronization registry option is + set to 'no'. + The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured + files for changes to the checksums, permissions, and ownership. + +tier: 1 + +modules: + - fim + +components: + - agent + +daemons: + - wazuh-syscheckd + +os_platform: + - windows + +os_version: + - Windows 10 + - Windows 8 + - Windows 7 + - Windows Server 2019 + - Windows Server 2016 + - Windows Server 2012 + - Windows Server 2003 + - Windows XP + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#synchronization + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the 'who-data' information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. + 1: Only level 1 tests are performed, they check functionalities of medium complexity. + 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. + +tags: + - fim_synchronization +''' + +import os + +import pytest +from wazuh_testing import global_parameters +from wazuh_testing.fim import LOG_FILE_PATH, generate_params, callback_detect_integrity_event +from wazuh_testing.tools import PREFIX +from wazuh_testing.tools.configuration import load_wazuh_configurations +from wazuh_testing.tools.monitoring import FileMonitor, callback_generator +from wazuh_testing.wazuh_variables import DATA +from wazuh_testing.fim_module.fim_variables import (TEST_DIR_1, WINDOWS_HKEY_LOCAL_MACHINE, MONITORED_KEY, + YAML_CONF_SYNC_WIN32, TEST_DIRECTORIES, TEST_REGISTRIES, + SYNCHRONIZATION_ENABLED, INTEGRITY_CONTROL_MESSAGE, + SYNCHRONIZATION_REGISTRY_ENABLED) +# Marks + +pytestmark = [pytest.mark.win32, pytest.mark.tier(level=1)] + +# variables +test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), DATA) + + +configurations_path = os.path.join(test_data_path, YAML_CONF_SYNC_WIN32) + +test_directories = [os.path.join(PREFIX, TEST_DIR_1)] +test_regs = [os.path.join(WINDOWS_HKEY_LOCAL_MACHINE, MONITORED_KEY)] + +wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) + +conf_params = {TEST_DIRECTORIES: test_directories[0], + TEST_REGISTRIES: test_regs[0], + SYNCHRONIZATION_ENABLED: 'yes', + SYNCHRONIZATION_REGISTRY_ENABLED: 'no'} + +# configurations + +parameters, metadata = generate_params(extra_params=conf_params) + +configurations = load_wazuh_configurations(configurations_path, __name__, params=parameters, metadata=metadata) + + +# fixtures + +@pytest.fixture(scope='module', params=configurations) +def get_configuration(request): + """Get configurations from the module.""" + return request.param + + +# Tests + +def test_sync_disabled(get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start_sync_disabled): + ''' + description: Check if the 'wazuh-syscheckd' daemon uses the value of the 'enabled' tag to start/stop + the file/registry synchronization. For this purpose, the test will monitor a directory/key. + Finally, it will verify that no FIM 'integrity' event is generated when the registry + synchronization is disablede. + + wazuh_min_version: 4.2.0 + + parameters: + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the 'ossec.log' file and start a new monitor. + - wait_for_fim_start_sync_disabled: + type: fixture + brief: Wait for end of initial FIM scan. + assertions: + - Verify that no FIM 'integrity' events are generated when the value + of the 'enabled' tag is set to 'no' (registry synchronization disabled). + + input_description: Different test cases are contained in external YAML file (wazuh_sync_conf_win32.yaml) + which includes configuration settings for the 'wazuh-syscheckd' daemon. That is combined with + the testing directory/key to be monitored defined in this module. + expected_output: + - r'.*Sending integrity control message' + tags: + - scheduled + - time_travel + - realtime + - who_data + ''' + # The file synchronization event should be triggered + event = wazuh_log_monitor.start(timeout=global_parameters.default_timeout, + callback=callback_detect_integrity_event, update_position=True).result() + assert event['component'] == 'fim_file', 'Wrong event component' + + # The registry synchronization event shouldn't be triggered + with pytest.raises(TimeoutError): + event = wazuh_log_monitor.start(timeout=global_parameters.default_timeout, update_position=True, + callback=callback_generator(INTEGRITY_CONTROL_MESSAGE)).result() diff --git a/tests/integration/test_fim/test_synchronization/test_sync_registry_enabled_win32.py b/tests/integration/test_fim/test_synchronization/test_sync_registry_enabled_win32.py new file mode 100644 index 0000000000..3175f909c9 --- /dev/null +++ b/tests/integration/test_fim/test_synchronization/test_sync_registry_enabled_win32.py @@ -0,0 +1,149 @@ +''' +copyright: Copyright (C) 2015-2021, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these + files are modified. Specifically, these tests will check if FIM enables the synchronization + of file/registry on Windows systems when the 'enabled' tag of the synchronization registry option is + set to 'yes'. + The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured + files for changes to the checksums, permissions, and ownership. + +tier: 1 + +modules: + - fim + +components: + - agent + +daemons: + - wazuh-syscheckd + +os_platform: + - windows + +os_version: + - Windows 10 + - Windows 8 + - Windows 7 + - Windows Server 2019 + - Windows Server 2016 + - Windows Server 2012 + - Windows Server 2003 + - Windows XP + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#synchronization + +pytest_args: + - fim_mode: + realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems. + whodata: Implies real-time monitoring but adding the 'who-data' information. + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. + 1: Only level 1 tests are performed, they check functionalities of medium complexity. + 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. + +tags: + - fim_synchronization +''' + +import os + +import pytest +from wazuh_testing import global_parameters +from wazuh_testing.fim import LOG_FILE_PATH, generate_params +from wazuh_testing.tools import PREFIX +from wazuh_testing.tools.configuration import load_wazuh_configurations +from wazuh_testing.tools.monitoring import FileMonitor, callback_generator +from wazuh_testing.wazuh_variables import DATA +from wazuh_testing.fim_module.fim_variables import (TEST_DIR_1, WINDOWS_HKEY_LOCAL_MACHINE, MONITORED_KEY, + YAML_CONF_SYNC_WIN32, TEST_DIRECTORIES, TEST_REGISTRIES, + SYNCHRONIZATION_ENABLED, INTEGRITY_CONTROL_MESSAGE, + SYNCHRONIZATION_REGISTRY_ENABLED) +# Marks + +pytestmark = [pytest.mark.win32, pytest.mark.tier(level=1)] + +# variables +test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), DATA) + + +configurations_path = os.path.join(test_data_path, YAML_CONF_SYNC_WIN32) + +test_directories = [os.path.join(PREFIX, TEST_DIR_1)] +test_regs = [os.path.join(WINDOWS_HKEY_LOCAL_MACHINE, MONITORED_KEY)] + +wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) + +conf_params = {TEST_DIRECTORIES: test_directories[0], + TEST_REGISTRIES: test_regs[0], + SYNCHRONIZATION_ENABLED: 'no', + SYNCHRONIZATION_REGISTRY_ENABLED: 'yes'} + +# configurations + +parameters, metadata = generate_params(extra_params=conf_params) + +configurations = load_wazuh_configurations(configurations_path, __name__, params=parameters, metadata=metadata) + + +# fixtures + +@pytest.fixture(scope='module', params=configurations) +def get_configuration(request): + """Get configurations from the module.""" + return request.param + + +# Tests + +def test_sync_disabled(get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start_sync_disabled): + ''' + description: Check if the 'wazuh-syscheckd' daemon uses the value of the 'enabled' tag to start/stop + the file/registry synchronization. For this purpose, the test will monitor a directory/key. + Finally, it will verify that no FIM 'integrity' event is generated when the synchronization + is disabled and registry synchronization is enabled. + + wazuh_min_version: 4.2.0 + + parameters: + - get_configuration: + type: fixture + brief: Get configurations from the module. + - configure_environment: + type: fixture + brief: Configure a custom environment for testing. + - restart_syscheckd: + type: fixture + brief: Clear the 'ossec.log' file and start a new monitor. + - wait_for_fim_start_sync_disabled: + type: fixture + brief: Wait for end of initial FIM scan. + assertions: + - Verify that no FIM 'integrity' events are generated when the value + of the 'enabled' tag is set to 'no' (synchronization disabled). + + input_description: Different test cases are contained in external YAML file (wazuh_sync_conf_win32.yaml) + which includes configuration settings for the 'wazuh-syscheckd' daemon. That is combined with + the testing directory/key to be monitored defined in this module. + expected_output: + - r'.*Sending integrity control message' + tags: + - scheduled + - time_travel + - realtime + - who_data + ''' + # The file synchronization event shouldn't be triggered + with pytest.raises(TimeoutError): + event = (wazuh_log_monitor.start(timeout=global_parameters.default_timeout, + callback=callback_generator(INTEGRITY_CONTROL_MESSAGE), + update_position=True).result())