Migrate test_analysisd documentation to qa-docs
#2047
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The following tests have been documentated: * test_check_rare_socket_responses.py * test_check_socket_responses.py * test_validate_linux_analysisd_alerts.py * test_validate_rare_analysisd_alerts.py * test_validate_win32_analysisd_alerts.py * test_validate_win32_analysisd_registry_alerts.py * test_error_messages.py * test_event_messages.py * test_integrity_messages.py * test_mitre_check_alert.py * test_scan_messages.py The current scheme of the issue #1694 has been used. PEP-8 fixes. Related: #1796
1 task
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
As part of epic #1796, this PR adds the missing documentation and migrates the current documentation to the new format used by qa-docs.
The schema used is the one defined in issue #1694
Generated documentation
test_all_syscheckd_configurationstest_check_rare_socket_responses.json
{ "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2", "type": "integration", "brief": "The 'wazuh-analysisd' daemon receives the log messages and compares them to the rules. It then creates an alert when a log message matches an applicable rule. Specifically, these tests will verify if the 'wazuh-analysisd' daemon correctly handles 'syscheck' events considered rare.", "tier": 2, "modules": [ "analysisd" ], "components": [ "manager" ], "daemons": [ "wazuh-analysisd", "wazuh-db" ], "os_platform": [ "linux" ], "os_version": [ "Arch Linux", "Amazon Linux 2", "Amazon Linux 1", "CentOS 8", "CentOS 7", "CentOS 6", "Ubuntu Focal", "Ubuntu Bionic", "Ubuntu Xenial", "Ubuntu Trusty", "Debian Buster", "Debian Stretch", "Debian Jessie", "Debian Wheezy", "Red Hat 8", "Red Hat 7", "Red Hat 6" ], "references": [ "https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-analysisd.html" ], "tags": [ "events" ], "name": "test_check_rare_socket_responses.py", "id": 1, "group_id": 0, "tests": [ { "description": "Validate each response from the 'wazuh-analysisd' daemon socket to the 'wazuh-db' daemon socket using rare 'syscheck' events that include weird characters.", "wazuh_min_version": "4.2.0", "parameters": [ { "configure_sockets_environment": { "type": "fixture", "brief": "Configure environment for sockets and MITM." } }, { "connect_to_sockets_module": { "type": "fixture", "brief": "Module scope version of 'connect_to_sockets' fixture." } }, { "wait_for_analysisd_startup": { "type": "fixture", "brief": "Wait until the 'wazuh-analysisd' has begun and the 'alerts.json' file is created." } }, { "test_case": { "type": "list", "brief": "List of tests to be performed." } } ], "assertions": [ "Verify that the output logs are consistent with the syscheck events received." ], "input_description": "Different test cases that are contained in an external YAML file (syscheck_rare_events.yaml) that includes 'syscheck' events data and the expected output.", "expected_output": [ "Multiple messages (event logs) corresponding to each test case, located in the external input data file." ], "tags": [ "man_in_the_middle", "wdb_socket" ], "name": "test_validate_rare_socket_responses", "inputs": [ "Added0", "Modified0", "Deleted0", "Added1", "Modified1", "Deleted1", "Added2", "Modified2", "Deleted2", "Added3", "Modified3", "Deleted3", "Added4", "Modified4", "Deleted4", "Added5", "Modified5", "Deleted5" ] } ] }test_check_rare_socket_responses.yaml
test_check_socket_responses.json
{ "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2", "type": "integration", "brief": "The 'wazuh-analysisd' daemon receives the log messages and compares them to the rules. It then creates an alert when a log message matches an applicable rule. Specifically, these tests will verify if the 'wazuh-analysisd' daemon correctly handles 'syscheck' common events.", "tier": 2, "modules": [ "analysisd" ], "components": [ "manager" ], "daemons": [ "wazuh-analysisd", "wazuh-db" ], "os_platform": [ "linux" ], "os_version": [ "Arch Linux", "Amazon Linux 2", "Amazon Linux 1", "CentOS 8", "CentOS 7", "CentOS 6", "Ubuntu Focal", "Ubuntu Bionic", "Ubuntu Xenial", "Ubuntu Trusty", "Debian Buster", "Debian Stretch", "Debian Jessie", "Debian Wheezy", "Red Hat 8", "Red Hat 7", "Red Hat 6" ], "references": [ "https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-analysisd.html" ], "tags": [ "events" ], "name": "test_check_socket_responses.py", "id": 3, "group_id": 0, "tests": [ { "description": "Validate every response from the 'wazuh-analysisd' daemon socket to the 'wazuh-db' daemon socket using 'syscheck' common events.", "wazuh_min_version": "4.2.0", "parameters": [ { "configure_sockets_environment": { "type": "fixture", "brief": "Configure environment for sockets and MITM." } }, { "connect_to_sockets_module": { "type": "fixture", "brief": "Module scope version of 'connect_to_sockets' fixture." } }, { "wait_for_analysisd_startup": { "type": "fixture", "brief": "Wait until the 'wazuh-analysisd' has begun and the 'alerts.json' file is created." } }, { "test_case": { "type": "list", "brief": "List of tests to be performed." } } ], "assertions": [ "Verify that the output logs are consistent with the syscheck events received." ], "input_description": "Different test cases that are contained in an external 'YAML' file (syscheck_events.yaml) that includes 'syscheck' events data and the expected output.", "inputs": [ "4096 test cases distributed among 'syscheck' events of type 'added', 'modified', and 'deleted'." ], "expected_output": [ "Multiple messages (event logs) corresponding to each test case, located in the external input data file." ], "tags": [ "man_in_the_middle", "wdb_socket" ], "name": "test_validate_socket_responses" } ] }test_check_socket_responses.yaml
test_validate_linux_analysisd_alerts.json
{ "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2", "type": "integration", "brief": "The 'wazuh-analysisd' daemon receives the log messages and compares them to the rules. It then creates an alert when a log message matches an applicable rule. Specifically, these tests will verify if the 'wazuh-analysisd' daemon generates valid alerts from Linux 'syscheck' events.", "tier": 2, "modules": [ "analysisd" ], "components": [ "manager" ], "daemons": [ "wazuh-analysisd", "wazuh-db" ], "os_platform": [ "linux" ], "os_version": [ "Arch Linux", "Amazon Linux 2", "Amazon Linux 1", "CentOS 8", "CentOS 7", "CentOS 6", "Ubuntu Focal", "Ubuntu Bionic", "Ubuntu Xenial", "Ubuntu Trusty", "Debian Buster", "Debian Stretch", "Debian Jessie", "Debian Wheezy", "Red Hat 8", "Red Hat 7", "Red Hat 6" ], "references": [ "https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-analysisd.html" ], "tags": [ "events" ], "name": "test_validate_linux_analysisd_alerts.py", "id": 4, "group_id": 0, "tests": [ { "description": "Check if the alerts generated by the 'wazuh-analysisd' daemon from Linux 'syscheck' events are valid. The 'validate_analysis_alert_complex' function checks if an 'analysisd' alert is properly formatted in reference to its 'syscheck' event.", "wazuh_min_version": "4.2.0", "parameters": [ { "configure_sockets_environment": { "type": "fixture", "brief": "Configure environment for sockets and MITM." } }, { "connect_to_sockets_module": { "type": "fixture", "brief": "Module scope version of 'connect_to_sockets' fixture." } }, { "wait_for_analysisd_startup": { "type": "fixture", "brief": "Wait until the 'wazuh-analysisd' has begun and the 'alerts.json' file is created." } }, { "generate_events_and_alerts": { "type": "fixture", "brief": "Read the specified YAML and generate every event and alert using the input from every test case." } }, { "get_alert": { "type": "fixture", "brief": "List of alerts to be validated." } } ], "assertions": [ "Verify that the alerts generated are consistent with the events received." ], "input_description": "Different test cases that are contained in an external YAML file (syscheck_events.yaml) that includes 'syscheck' events data and the expected output.", "inputs": [ "12280 test cases distributed among 'syscheck' events of type 'added', 'modified', and 'deleted'." ], "expected_output": [ "Multiple messages (alert logs) corresponding to each test case, located in the external input data file." ], "tags": [ "alerts", "man_in_the_middle", "wdb_socket" ], "name": "test_validate_all_linux_alerts" } ] }test_validate_linux_analysisd_alerts.yaml
test_validate_rare_analysisd_alerts.json
{ "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2", "type": "integration", "brief": "The 'wazuh-analysisd' daemon receives the log messages and compares them to the rules. It then creates an alert when a log message matches an applicable rule. Specifically, these tests will verify if the 'wazuh-analysisd' daemon generates valid alerts from Linux 'syscheck' events considered rare.", "tier": 2, "modules": [ "analysisd" ], "components": [ "manager" ], "daemons": [ "wazuh-analysisd", "wazuh-db" ], "os_platform": [ "linux" ], "os_version": [ "Arch Linux", "Amazon Linux 2", "Amazon Linux 1", "CentOS 8", "CentOS 7", "CentOS 6", "Ubuntu Focal", "Ubuntu Bionic", "Ubuntu Xenial", "Ubuntu Trusty", "Debian Buster", "Debian Stretch", "Debian Jessie", "Debian Wheezy", "Red Hat 8", "Red Hat 7", "Red Hat 6" ], "references": [ "https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-analysisd.html" ], "tags": [ "events" ], "name": "test_validate_rare_analysisd_alerts.py", "id": 2, "group_id": 0, "tests": [ { "description": "Check if the alerts generated by the 'wazuh-analysisd' daemon from Linux 'syscheck' events considered rare are valid. The 'validate_analysis_alert_complex' function checks if an 'analysisd' alert is properly formatted in reference to its 'syscheck' event.", "wazuh_min_version": "4.2.0", "parameters": [ { "configure_sockets_environment": { "type": "fixture", "brief": "Configure environment for sockets and MITM." } }, { "connect_to_sockets_module": { "type": "fixture", "brief": "Module scope version of 'connect_to_sockets' fixture." } }, { "wait_for_analysisd_startup": { "type": "fixture", "brief": "Wait until the 'wazuh-analysisd' has begun and the 'alerts.json' file is created." } }, { "generate_events_and_alerts": { "type": "fixture", "brief": "Read the specified YAML and generate every event and alert using the input from every test case." } }, { "get_alert": { "type": "fixture", "brief": "List of alerts to be validated." } } ], "assertions": [ "Verify that the alerts generated are consistent with the events received." ], "input_description": "Different test cases that are contained in an external YAML file (syscheck_rare_events.yaml) that includes 'syscheck' events data and the expected output.", "inputs": [ "12298 test cases distributed among 'syscheck' events of type 'added', 'modified', and 'deleted'." ], "expected_output": [ "Multiple messages (alert logs) corresponding to each test case, located in the external input data file." ], "tags": [ "alerts", "man_in_the_middle", "wdb_socket" ], "name": "test_validate_all_linux_alerts" } ] }test_validate_rare_analysisd_alerts.yaml
test_validate_win32_analysisd_alerts.json
{ "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2", "type": "integration", "brief": "The 'wazuh-analysisd' daemon receives the log messages and compares them to the rules. It then creates an alert when a log message matches an applicable rule. Specifically, these tests will verify if the 'wazuh-analysisd' daemon generates valid alerts from Windows 'syscheck' events.", "tier": 2, "modules": [ "analysisd" ], "components": [ "manager" ], "daemons": [ "wazuh-analysisd", "wazuh-db" ], "os_platform": [ "linux" ], "os_version": [ "Arch Linux", "Amazon Linux 2", "Amazon Linux 1", "CentOS 8", "CentOS 7", "CentOS 6", "Ubuntu Focal", "Ubuntu Bionic", "Ubuntu Xenial", "Ubuntu Trusty", "Debian Buster", "Debian Stretch", "Debian Jessie", "Debian Wheezy", "Red Hat 8", "Red Hat 7", "Red Hat 6" ], "references": [ "https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-analysisd.html" ], "tags": [ "events" ], "name": "test_validate_win32_analysisd_alerts.py", "id": 6, "group_id": 0, "tests": [ { "description": "Check if the alerts generated by the 'wazuh-analysisd' daemon from Windows 'syscheck' events are valid. The 'validate_analysis_alert_complex' function checks if an 'analysisd' alert is properly formatted in reference to its 'syscheck' event.", "wazuh_min_version": "4.2.0", "parameters": [ { "configure_sockets_environment": { "type": "fixture", "brief": "Configure environment for sockets and MITM." } }, { "connect_to_sockets_module": { "type": "fixture", "brief": "Module scope version of 'connect_to_sockets' fixture." } }, { "wait_for_analysisd_startup": { "type": "fixture", "brief": "Wait until the 'wazuh-analysisd' has begun and the 'alerts.json' file is created." } }, { "generate_events_and_alerts": { "type": "fixture", "brief": "Read the specified YAML and generate every event and alert using the input from every test case." } }, { "get_alert": { "type": "fixture", "brief": "List of alerts to be validated." } } ], "assertions": [ "Verify that the alerts generated are consistent with the events received." ], "input_description": "Different test cases that are contained in an external YAML file (syscheck_events_win32.yaml) that includes 'syscheck' events data and the expected output.", "inputs": [ "12272 test cases distributed among 'syscheck' events of type 'added', 'modified', and 'deleted'." ], "expected_output": [ "Multiple messages (alert logs) corresponding to each test case, located in the external input data file." ], "tags": [ "alerts", "man_in_the_middle", "wdb_socket" ], "name": "test_validate_all_win32_alerts" } ] }test_validate_win32_analysisd_alerts.yaml
test_validate_win32_analysisd_registry_alerts.json
{ "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2", "type": "integration", "brief": "The 'wazuh-analysisd' daemon receives the log messages and compares them to the rules. It then creates an alert when a log message matches an applicable rule. Specifically, these tests will verify if the 'wazuh-analysisd' daemon generates valid alerts from Windows registry-related 'syscheck' events.", "tier": 2, "modules": [ "analysisd" ], "components": [ "manager" ], "daemons": [ "wazuh-analysisd", "wazuh-db" ], "os_platform": [ "linux" ], "os_version": [ "Arch Linux", "Amazon Linux 2", "Amazon Linux 1", "CentOS 8", "CentOS 7", "CentOS 6", "Ubuntu Focal", "Ubuntu Bionic", "Ubuntu Xenial", "Ubuntu Trusty", "Debian Buster", "Debian Stretch", "Debian Jessie", "Debian Wheezy", "Red Hat 8", "Red Hat 7", "Red Hat 6" ], "references": [ "https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-analysisd.html" ], "tags": [ "events" ], "name": "test_validate_win32_analysisd_registry_alerts.py", "id": 5, "group_id": 0, "tests": [ { "description": "Check if the alerts generated by the 'wazuh-analysisd' daemon from Windows registry-related 'syscheck' events are valid. The 'validate_analysis_alert_complex' function checks if an 'analysisd' alert is properly formatted in reference to its 'syscheck' event.", "wazuh_min_version": "4.2.0", "parameters": [ { "configure_sockets_environment": { "type": "fixture", "brief": "Configure environment for sockets and MITM." } }, { "connect_to_sockets_module": { "type": "fixture", "brief": "Module scope version of 'connect_to_sockets' fixture." } }, { "wait_for_analysisd_startup": { "type": "fixture", "brief": "Wait until the 'wazuh-analysisd' has begun and the 'alerts.json' file is created." } }, { "generate_events_and_alerts": { "type": "fixture", "brief": "Read the specified YAML and generate every event and alert using the input from every test case." } }, { "get_alert": { "type": "fixture", "brief": "List of alerts to be validated." } } ], "assertions": [ "Verify that the alerts generated are consistent with the events received." ], "input_description": "Different test cases that are contained in an external YAML file (syscheck_registry_events_win32.yaml) that includes 'syscheck' events data and the expected output.", "inputs": [ "20254 test cases distributed among 'syscheck' events of type 'added', 'modified', and 'deleted'." ], "expected_output": [ "Multiple messages (alert logs) corresponding to each test case, located in the external input data file." ], "tags": [ "alerts", "man_in_the_middle", "wdb_socket" ], "name": "test_validate_all_win32_registry_alerts" } ] }test_validate_win32_analysisd_registry_alerts.yaml
test_error_messagestest_error_messages.json
{ "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2", "type": "integration", "brief": "The 'wazuh-analysisd' daemon receives the log messages and compares them to the rules. It then creates an alert when a log message matches an applicable rule. Specifically, these tests will check if the 'wazuh-analysisd' daemon handles correctly the invalid events it receives.", "tier": 0, "modules": [ "analysisd" ], "components": [ "manager" ], "daemons": [ "wazuh-analysisd", "wazuh-db" ], "os_platform": [ "linux" ], "os_version": [ "Arch Linux", "Amazon Linux 2", "Amazon Linux 1", "CentOS 8", "CentOS 7", "CentOS 6", "Ubuntu Focal", "Ubuntu Bionic", "Ubuntu Xenial", "Ubuntu Trusty", "Debian Buster", "Debian Stretch", "Debian Jessie", "Debian Wheezy", "Red Hat 8", "Red Hat 7", "Red Hat 6" ], "references": [ "https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-analysisd.html" ], "tags": [ "events" ], "name": "test_error_messages.py", "id": 9, "group_id": 0, "tests": [ { "description": "Check if when the 'wazuh-analysisd' daemon socket receives a message with an invalid event, it generates the corresponding error that sends to the 'wazuh-db' daemon socket.", "wazuh_min_version": "4.2.0", "parameters": [ { "configure_sockets_environment": { "type": "fixture", "brief": "Configure environment for sockets and MITM." } }, { "connect_to_sockets_module": { "type": "fixture", "brief": "Module scope version of 'connect_to_sockets' fixture." } }, { "wait_for_analysisd_startup": { "type": "fixture", "brief": "Wait until the 'wazuh-analysisd' has begun and the 'alerts.json' file is created." } }, { "test_case": { "type": "list", "brief": "List of tests to be performed." } } ], "assertions": [ "Verify that the errors messages generated are consistent with the events received." ], "input_description": "Different test cases that are contained in an external YAML file (error_messages.yaml) that includes 'syscheck' events data and the expected output.", "expected_output": [ "Multiple messages (error logs) corresponding to each test case, located in the external input data file." ], "tags": [ "errors", "man_in_the_middle", "wdb_socket" ], "name": "test_error_messages", "inputs": [ "Event message errors", "dbsync errors" ] } ] }test_error_messages.yaml
test_event_messagestest_event_messages.json
{ "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2", "type": "integration", "brief": "The 'wazuh-analysisd' daemon receives the log messages and compares them to the rules. It then creates an alert when a log message matches an applicable rule. Specifically, these tests will check if the 'wazuh-analysisd' daemon correctly handles incoming events related to file modification.", "tier": 0, "modules": [ "analysisd" ], "components": [ "manager" ], "daemons": [ "wazuh-analysisd", "wazuh-db" ], "os_platform": [ "linux" ], "os_version": [ "Arch Linux", "Amazon Linux 2", "Amazon Linux 1", "CentOS 8", "CentOS 7", "CentOS 6", "Ubuntu Focal", "Ubuntu Bionic", "Ubuntu Xenial", "Ubuntu Trusty", "Debian Buster", "Debian Stretch", "Debian Jessie", "Debian Wheezy", "Red Hat 8", "Red Hat 7", "Red Hat 6" ], "references": [ "https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-analysisd.html" ], "tags": [ "events", "fim" ], "name": "test_event_messages.py", "id": 7, "group_id": 0, "tests": [ { "description": "Check if when the 'wazuh-analysisd' daemon socket receives a message with a file modification-related event, it generates the corresponding alert that sends to the 'wazuh-db' daemon socket. The 'validate_analysis_alert' function checks if an 'analysisd' event is properly formatted.", "wazuh_min_version": "4.2.0", "parameters": [ { "configure_sockets_environment": { "type": "fixture", "brief": "Configure environment for sockets and MITM." } }, { "connect_to_sockets_module": { "type": "fixture", "brief": "Module scope version of 'connect_to_sockets' fixture." } }, { "wait_for_analysisd_startup": { "type": "fixture", "brief": "Wait until the 'wazuh-analysisd' has begun and the 'alerts.json' file is created." } }, { "test_case": { "type": "list", "brief": "List of tests to be performed." } } ], "assertions": [ "Verify that the alerts generated are consistent with the events received." ], "input_description": "Different test cases that are contained in an external YAML file (event_messages.yaml) that includes 'syscheck' events data and the expected output.", "expected_output": [ "Multiple messages (alert logs) corresponding to each test case, located in the external input data file." ], "tags": [ "alerts", "man_in_the_middle", "wdb_socket" ], "name": "test_event_messages", "inputs": [ "Add", "Modify", "Delete", "Modify - Large inodes" ] } ] }test_event_messages.yaml
test_integrity_messagestest_integrity_messages.json
{ "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2", "type": "integration", "brief": "The 'wazuh-analysisd' daemon receives the log messages and compares them to the rules. It then creates an alert when a log message matches an applicable rule. Specifically, these tests will check if the 'wazuh-analysisd' daemon correctly handles incoming events related to file integrity.", "tier": 0, "modules": [ "analysisd" ], "components": [ "manager" ], "daemons": [ "wazuh-analysisd", "wazuh-db" ], "os_platform": [ "linux" ], "os_version": [ "Arch Linux", "Amazon Linux 2", "Amazon Linux 1", "CentOS 8", "CentOS 7", "CentOS 6", "Ubuntu Focal", "Ubuntu Bionic", "Ubuntu Xenial", "Ubuntu Trusty", "Debian Buster", "Debian Stretch", "Debian Jessie", "Debian Wheezy", "Red Hat 8", "Red Hat 7", "Red Hat 6" ], "references": [ "https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-analysisd.html" ], "tags": [ "events", "fim" ], "name": "test_integrity_messages.py", "id": 10, "group_id": 0, "tests": [ { "description": "Check if when the 'wazuh-analysisd' daemon socket receives a message with a file integrity-related event, it generates the corresponding alert that sends to the 'wazuh-db' daemon socket. The 'validate_analysis_integrity_state' function checks if an 'analysisd' integrity message is properly formatted.", "wazuh_min_version": "4.2.0", "parameters": [ { "configure_sockets_environment": { "type": "fixture", "brief": "Configure environment for sockets and MITM." } }, { "connect_to_sockets_module": { "type": "fixture", "brief": "Module scope version of 'connect_to_sockets' fixture." } }, { "wait_for_analysisd_startup": { "type": "fixture", "brief": "Wait until the 'wazuh-analysisd' has begun and the 'alerts.json' file is created." } }, { "test_case": { "type": "list", "brief": "List of tests to be performed." } } ], "assertions": [ "Verify that the integrity messages generated are consistent with the events received." ], "input_description": "Different test cases that are contained in an external YAML file (integrity_messages.yaml) that includes 'syscheck' events data and the expected output.", "expected_output": [ "Multiple messages (integrity logs) corresponding to each test case, located in the external input data file." ], "tags": [ "alerts", "man_in_the_middle", "wdb_socket" ], "name": "test_integrity_messages", "inputs": [ "Integrity_check_global", "Integrity_check_left", "Integrity_check_right", "Integrity_clear" ] } ] }test_integrity_messages.yaml
test_mitretest_mitre_check_alert.json
{ "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2", "type": "integration", "brief": "The 'wazuh-analysisd' daemon receives the log messages and compares them to the rules. It then creates an alert when a log message matches an applicable rule. Specifically, these tests will check if the 'wazuh-analysisd' daemon generates alerts using custom rules that contains the 'mitre' field to enrich those alerts with MITREs IDs, techniques and tactics.", "tier": 0, "modules": [ "analysisd" ], "components": [ "manager" ], "daemons": [ "wazuh-analysisd", "wazuh-db" ], "os_platform": [ "linux" ], "os_version": [ "Arch Linux", "Amazon Linux 2", "Amazon Linux 1", "CentOS 8", "CentOS 7", "CentOS 6", "Ubuntu Focal", "Ubuntu Bionic", "Ubuntu Xenial", "Ubuntu Trusty", "Debian Buster", "Debian Stretch", "Debian Jessie", "Debian Wheezy", "Red Hat 8", "Red Hat 7", "Red Hat 6" ], "references": [ "https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-analysisd.html", "https://attack.mitre.org/" ], "tags": [ "events", "mitre" ], "name": "test_mitre_check_alert.py", "id": 8, "group_id": 0, "tests": [ { "description": "Check if MITRE alerts are syntactically and semantically correct. For this purpose, customized rules with MITRE fields are inserted, so that the alerts generated include this information which will be finally validated.", "wazuh_min_version": "4.2.0", "parameters": [ { "get_configuration": { "type": "fixture", "brief": "Get configurations from the module." } }, { "configure_local_rules": { "type": "fixture", "brief": "Configure a custom rule in 'local_rules.xml' for testing." } }, { "restart_wazuh_alerts": { "type": "fixture", "brief": "Reset 'alerts.json' and start a new monitor." } } ], "assertions": [ "Verify that the MITRE alerts are generated and are correct." ], "input_description": "Different test cases that are contained in an external XML files ('data' directory) that include both valid and invalid rules for detecting MITRE events.", "expected_output": [ "Multiple messages (mitre alert logs) corresponding to each test case, located in the external input data file." ], "tags": [ "alerts", "man_in_the_middle", "wdb_socket" ], "name": "test_mitre_check_alert", "inputs": [ "/home/m/Escritorio/WAZUH/issues/1796/test_analysisd/wazuh-qa/tests/integration/test_analysisd/test_mitre/data/test1.xml", "/home/m/Escritorio/WAZUH/issues/1796/test_analysisd/wazuh-qa/tests/integration/test_analysisd/test_mitre/data/test2.xml", "/home/m/Escritorio/WAZUH/issues/1796/test_analysisd/wazuh-qa/tests/integration/test_analysisd/test_mitre/data/test3.xml", "/home/m/Escritorio/WAZUH/issues/1796/test_analysisd/wazuh-qa/tests/integration/test_analysisd/test_mitre/data/test4.xml", "/home/m/Escritorio/WAZUH/issues/1796/test_analysisd/wazuh-qa/tests/integration/test_analysisd/test_mitre/data/test5.xml", "/home/m/Escritorio/WAZUH/issues/1796/test_analysisd/wazuh-qa/tests/integration/test_analysisd/test_mitre/data/test6.xml", "/home/m/Escritorio/WAZUH/issues/1796/test_analysisd/wazuh-qa/tests/integration/test_analysisd/test_mitre/data/test7.xml", "/home/m/Escritorio/WAZUH/issues/1796/test_analysisd/wazuh-qa/tests/integration/test_analysisd/test_mitre/data/test8.xml", "/home/m/Escritorio/WAZUH/issues/1796/test_analysisd/wazuh-qa/tests/integration/test_analysisd/test_mitre/data/test9.xml", "/home/m/Escritorio/WAZUH/issues/1796/test_analysisd/wazuh-qa/tests/integration/test_analysisd/test_mitre/data/test10.xml", "/home/m/Escritorio/WAZUH/issues/1796/test_analysisd/wazuh-qa/tests/integration/test_analysisd/test_mitre/data/test11.xml", "/home/m/Escritorio/WAZUH/issues/1796/test_analysisd/wazuh-qa/tests/integration/test_analysisd/test_mitre/data/test12.xml", "/home/m/Escritorio/WAZUH/issues/1796/test_analysisd/wazuh-qa/tests/integration/test_analysisd/test_mitre/data/test13.xml", "/home/m/Escritorio/WAZUH/issues/1796/test_analysisd/wazuh-qa/tests/integration/test_analysisd/test_mitre/data/test14.xml" ] } ] }test_mitre_check_alert.yaml
test_scan_messagestest_scan_messages.json
{ "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <info@wazuh.com>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2", "type": "integration", "brief": "The 'wazuh-analysisd' daemon receives the log messages and compares them to the rules. It then creates an alert when a log message matches an applicable rule. Specifically, these tests will check if the 'wazuh-analysisd' daemon correctly handles incoming events related to file scanning.", "tier": 0, "modules": [ "analysisd" ], "components": [ "manager" ], "daemons": [ "wazuh-analysisd", "wazuh-db" ], "os_platform": [ "linux" ], "os_version": [ "Arch Linux", "Amazon Linux 2", "Amazon Linux 1", "CentOS 8", "CentOS 7", "CentOS 6", "Ubuntu Focal", "Ubuntu Bionic", "Ubuntu Xenial", "Ubuntu Trusty", "Debian Buster", "Debian Stretch", "Debian Jessie", "Debian Wheezy", "Red Hat 8", "Red Hat 7", "Red Hat 6" ], "references": [ "https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-analysisd.html" ], "tags": [ "events" ], "name": "test_scan_messages.py", "id": 11, "group_id": 0, "tests": [ { "description": "Check if when the 'wazuh-analysisd' daemon socket receives a message with a file scanning-related event, it generates the corresponding alert that sends to the 'wazuh-db' daemon socket.", "wazuh_min_version": "4.2.0", "parameters": [ { "configure_sockets_environment": { "type": "fixture", "brief": "Configure environment for sockets and MITM." } }, { "connect_to_sockets_module": { "type": "fixture", "brief": "Module scope version of 'connect_to_sockets' fixture." } }, { "wait_for_analysisd_startup": { "type": "fixture", "brief": "Wait until the 'wazuh-analysisd' has begun and the 'alerts.json' file is created." } }, { "test_case": { "type": "list", "brief": "List of tests to be performed." } } ], "assertions": [ "Verify that the messages generated are consistent with the events received." ], "input_description": "Different test cases that are contained in an external YAML file (scan_messages.yaml) that includes 'syscheck' events data and the expected output.", "expected_output": [ "Multiple messages (scan status logs) corresponding to each test case, located in the external input data file." ], "tags": [ "man_in_the_middle", "wdb_socket" ], "name": "test_scan_messages", "inputs": [ "Scan start", "Scan end" ] } ] }test_scan_messages.yaml
Tests
pycodestyle --max-line-length=120 --show-source --show-pep8 file.py.python3 DocGenerator.py -s