wazuh · snaow · Nov 2, 2021 · Oct 26, 2021
diff --git a/tests/integration/test_fim/test_files/test_tags/test_tags.py b/tests/integration/test_fim/test_files/test_tags/test_tags.py
@@ -1,6 +1,77 @@
-# Copyright (C) 2015-2021, Wazuh Inc.
-# Created by Wazuh, Inc. <info@wazuh.com>.
-# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+'''
+copyright: Copyright (C) 2015-2021, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when
+       these files are modified. Specifically, these tests will check if FIM events include
+       all tags set in the 'tags' attribute.
+       The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files
+       for changes to the checksums, permissions, and ownership.
+
+tier: 1
+
+modules:
+    - fim
+
+components:
+    - agent
+    - manager
+
+daemons:
+    - wazuh-syscheckd
+
+os_platform:
+    - linux
+    - windows
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - CentOS 6
+    - Ubuntu Focal
+    - Ubuntu Bionic
+    - Ubuntu Xenial
+    - Ubuntu Trusty
+    - Debian Buster
+    - Debian Stretch
+    - Debian Jessie
+    - Debian Wheezy
+    - Red Hat 8
+    - Red Hat 7
+    - Red Hat 6
+    - Windows 10
+    - Windows 8
+    - Windows 7
+    - Windows Server 2019
+    - Windows Server 2016
+    - Windows Server 2012
+    - Windows Server 2003
+    - Windows XP
+
+references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#directories
+
+pytest_args:
+    - fim_mode:
+        realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+        whodata: Implies real-time monitoring but adding the 'who-data' information.
+    - tier:
+        0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+        1: Only level 1 tests are performed, they check functionalities of medium complexity.
+        2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+    - fim_tags
+'''
 import os
 
 import pytest
@@ -58,19 +129,53 @@ def get_configuration(request):
 ])
 def test_tags(folder, name, content,
               get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start):
-    """
-    Check the tags functionality by applying some tags an ensuring the events raised for the monitored directory has
-    the expected tags.
-
-    Parameters
-    ----------
-    folder : str
-        Directory where the file is being created.
-    name : str
-        Name of the file to be created.
-    content : str, bytes
-        Content to fill the new file.
-    """
+    '''
+    description: Check if the 'wazuh-syscheckd' daemon generates the tags required for each event
+                 depending on the values set in the 'tags' attribute. This attribute allows adding
+                 tags to alerts for monitored directories. For this purpose, the test will monitor a
+                 folder and make file operations inside it. Finally, it will verify that FIM events
+                 generated include in the 'tags' field all tags set in the configuration.
+
+    wazuh_min_version: 4.2.0
+
+    parameters:
+        - folder:
+            type: str
+            brief: Monitored directory.
+        - name:
+            type: str
+            brief: Name of the testing file to be created.
+        - content:
+            type: str
+            brief: Content to fill the testing file.
+        - get_configuration:
+            type: fixture
+            brief: Get configurations from the module.
+        - configure_environment:
+            type: fixture
+            brief: Configure a custom environment for testing.
+        - restart_syscheckd:
+            type: fixture
+            brief: Clear the `ossec.log` file and start a new monitor.
+        - wait_for_fim_start:
+            type: fixture
+            brief: Wait for realtime start, whodata start, or end of initial FIM scan.
+
+    assertions:
+        - Verify that FIM events include all tags set in the 'tags' attribute.
+
+    input_description: A test case is contained in external YAML file (wazuh_conf.yaml) which
+                       includes configuration settings for the 'wazuh-syscheckd' daemon and,
+                       it is combined with the testing directory to be monitored defined
+                       in this module.
+
+    expected_output:
+        - r'.*Sending FIM event: (.+)$' ('added', 'modified' and 'deleted' events)
+
+    tags:
+        - scheduled
+        - time_travel
+    '''
     defined_tags = get_configuration['metadata']['fim_tags']
 
     def tag_validator(event):

diff --git a/tests/integration/test_fim/test_files/test_timezone_changes/test_timezone_changes.py b/tests/integration/test_fim/test_files/test_timezone_changes/test_timezone_changes.py
@@ -1,7 +1,77 @@
-# Copyright (C) 2015-2021, Wazuh Inc.
-# Created by Wazuh, Inc. <info@wazuh.com>.
-# This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
-
+'''
+copyright: Copyright (C) 2015-2021, Wazuh Inc.
+
+           Created by Wazuh, Inc. <info@wazuh.com>.
+
+           This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these
+       files are modified. Specifically, these tests will check that the modifications made on monitored
+       files during the initial scan ('baseline') generate FIM events after that scan.
+       The FIM capability is managed by the 'wazuh-syscheckd' daemon, which checks configured files
+       for changes to the checksums, permissions, and ownership.
+
+tier: 2
+
+modules:
+    - fim
+
+components:
+    - agent
+    - manager
+
+daemons:
+    - wazuh-syscheckd
+
+os_platform:
+    - linux
+    - windows
+
+os_version:
+    - Arch Linux
+    - Amazon Linux 2
+    - Amazon Linux 1
+    - CentOS 8
+    - CentOS 7
+    - CentOS 6
+    - Ubuntu Focal
+    - Ubuntu Bionic
+    - Ubuntu Xenial
+    - Ubuntu Trusty
+    - Debian Buster
+    - Debian Stretch
+    - Debian Jessie
+    - Debian Wheezy
+    - Red Hat 8
+    - Red Hat 7
+    - Red Hat 6
+    - Windows 10
+    - Windows 8
+    - Windows 7
+    - Windows Server 2019
+    - Windows Server 2016
+    - Windows Server 2012
+    - Windows Server 2003
+    - Windows XP
+
+references:
+    - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html
+    - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html
+
+pytest_args:
+    - fim_mode:
+        realtime: Enable real-time monitoring on Linux (using the 'inotify' system calls) and Windows systems.
+        whodata: Implies real-time monitoring but adding the 'who-data' information.
+    - tier:
+        0: Only level 0 tests are performed, they check basic functionalities and are quick to perform.
+        1: Only level 1 tests are performed, they check functionalities of medium complexity.
+        2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform.
+
+tags:
+    - fim_timezone_changes
+'''
 import os
 import sys
 import time
@@ -80,14 +150,44 @@ def extra_configuration_after_yield():
 
 
 def test_timezone_changes(get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start):
-    """
-    Check if events are appearing after the baseline
-    The message 'File integrity monitoring scan ended' informs about the end of the first scan,
-    which generates the baseline
-
-    It creates a file, checks if the baseline has generated before the file addition event, and then
-    if this event has generated.
-    """
+    '''
+    description: Check if the 'wazuh-syscheckd' daemon' detects events when they appear after the 'baseline' scan.
+                 The log message 'File integrity monitoring scan ended' informs about the end of the first scan,
+                 which generates the 'baseline'. For this purpose, the test creates a test file while the initial
+                 scan is being performed. When the baseline has been generated it checks if the FIM 'added' event
+                 has been triggered.
+
+    wazuh_min_version: 4.2.0
+
+    parameters:
+        - get_configuration:
+            type: fixture
+            brief: Get configurations from the module.
+        - configure_environment:
+            type: fixture
+            brief: Configure a custom environment for testing.
+        - restart_syscheckd:
+            type: fixture
+            brief: Clear the 'ossec.log' file and start a new monitor.
+        - wait_for_fim_start:
+            type: fixture
+            brief: Wait for realtime start, whodata start, or end of initial FIM scan.
+
+    assertions:
+        - Verify that an FIM 'added' event is generated after the initial scan when the related file operation
+          is made before the scan ends.
+
+    input_description: A test case (timezone_conf) is contained in external YAML file (wazuh_timezone_conf.yaml)
+                       which includes configuration settings for the 'wazuh-syscheckd' daemon and, it is
+                       combined with the testing directory to be monitored defined in this module.
+
+    expected_output:
+        - r'.*Sending FIM event: (.+)$' ('added' event)
+
+    tags:
+        - scheduled
+        - time_travel
+    '''
     check_apply_test({'timezone_conf'}, get_configuration['tags'])
 
     # Change time zone