feat: include extra steps to Vulns verifications E2E
Rebits committed Nov 14, 2023
1 parent baddbd4 commit 21176da
Showing 11 changed files with 544 additions and 480 deletions.
7 changes: 6 additions & 1 deletion deps/wazuh_testing/wazuh_testing/tools/monitoring.py
Expand Up @@ -916,7 +916,12 @@ def run(self, update_position=False):
if len(monitored_files) == 0:
raise AttributeError('There is no path to monitor. Exiting...')
for path in monitored_files:
output_path = f'{host}_{path.split("/")[-1]}.tmp'
if '\\' in path:
first_path_element = path.split("\\")[-1]
else:
first_path_element = path.split("/")[-1]

output_path = f'{host}_{first_path_element}.tmp'
self._file_content_collectors.append(self.file_composer(host=host, path=path, output_path=output_path))
logger.debug(f'Add new file composer process for {host} and path: {path}')
self._file_monitors.append(self._start(host=host,
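Review bot: The new local `first_path_element` actually holds the last path component (the file name), and the `'\\' in path` test commits to one separator, so a Windows path that also contains `/` is split on the wrong character; `pathlib.PureWindowsPath(path).name` accepts both separators in one expression and names what it returns, i.e. `file_name = pathlib.PureWindowsPath(path).name` followed by `output_path = f'{host}_{file_name}.tmp'`. Because `output_path` is derived from the basename alone, two monitored paths on the same host that share a file name map to the same `.tmp` file and overwrite each other's collected content, which is worth guarding with a uniqueness check or by folding more of the path into the name. `run()` continues past the hunk, and whether `pathlib` is already imported in this module is not visible here.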
65 changes: 53 additions & 12 deletions deps/wazuh_testing/wazuh_testing/tools/system.py
Expand Up @@ -53,8 +53,15 @@ def get_inventory(self) -> dict:
"""
return self.inventory

def get_inventory_path(self) -> str:
"""Get the loaded Ansible inventory.
Returns:
self.inventory: Ansible inventory
"""
return self.inventory_path

def get_group_hosts(self, pattern=None):
def get_group_hosts(self, pattern='None'):
"""Get all hosts from inventory that belong to a group.
Args:
Expand All @@ -68,6 +75,13 @@ def get_group_hosts(self, pattern=None):
else:
return [str(host) for host in self.inventory_manager.get_hosts()]


def get_host_groups(self, host):
"""
"""
group_list = self.inventory_manager.get_host(host).get_groups()
return [str(group) for group in group_list]

def get_host_variables(self, host):
"""Get the variables of the specified host.
Expand All @@ -92,6 +106,10 @@ def get_host(self, host: str):
"""
return testinfra.get_host(f"ansible://{host}?ansible_inventory={self.inventory_path}")

def truncate_file(self, host: str, filepath: str):
self.get_host(host).ansible("command", f"truncate -s 0 {filepath}", check=False)


def move_file(self, host: str, src_path: str, dest_path: str = '/var/ossec/etc/ossec.conf', check: bool = False):
"""Move from src_path to the desired location dest_path for the specified host.
Expand All @@ -101,9 +119,18 @@ def move_file(self, host: str, src_path: str, dest_path: str = '/var/ossec/etc/o
dest_path (str): Destination path
check (bool, optional): Ansible check mode("Dry Run"), by default it is enabled so no changes will be applied.
"""
self.get_host(host).ansible("copy", f"src={src_path} dest={dest_path} owner=wazuh group=wazuh mode=0775",
check=check)

system = 'linux'
if 'os_name' in self.get_host_variables(host):
host_os_name = self.get_host_variables(host)['os_name']
if host_os_name == 'windows':
system = 'windows'

if system == 'linux':
a = self.get_host(host).ansible("copy", f"src={src_path} dest={dest_path} owner=wazuh group=wazuh mode=0644",
check=check)
print(a)
else:
self.get_host(host).ansible("ansible.windows.win_copy", f"src='{src_path}' dest='{dest_path}'", check=check)

def add_block_to_file(self, host: str, path: str, replace: str, before: str, after, check: bool = False):
"""Add text block to desired file.
Expand Down Expand Up @@ -400,24 +427,30 @@ def download_file(self, host, url, dest_path, mode='755'):
a = self.get_host(host).ansible("get_url", f"url={url} dest={dest_path} mode={mode}", check=False)
return a

def install_package(self, host, url, package_manager):
def install_package(self, host, url, system='ubuntu'):
result = False
if package_manager == 'apt':
if system =='windows':
a = self.get_host(host).ansible("win_package", f"path={url} arguments=/S", check=False)
print(a)
elif system == 'ubuntu':
a = self.get_host(host).ansible("apt", f"deb={url}", check=False)
if a['changed'] == True and a['stderr'] == '':
result = True
elif package_manager == 'yum':
elif system == 'centos':
a = self.get_host(host).ansible("yum", f"name={url} state=present sslverify=false disable_gpg_check=True", check=False)
if 'rc' in a and a['rc'] == 0 and a['changed'] == True:
result = True

def remove_package(self, host, package_name, package_manager):

def remove_package(self, host, package_name, system):
result = False
if package_manager == 'apt':
if system == 'windows':
a = self.get_host(host).ansible("win_package", f"path={package_name} state=absent arguments=/S", check=False)
elif system == 'ubuntu':
a = self.get_host(host).ansible("apt", f"name={package_name} state=absent", check=False)
if a['changed'] == True and a['stderr'] == '':
result = True
elif package_manager == 'yum':
elif system == 'centos':
a = self.get_host(host).ansible("yum", f"name={package_name} state=absent", check=False)
if 'rc' in a and a['rc'] == 0 and a['changed'] == True:
result = True
Expand All @@ -427,13 +460,21 @@ def handle_wazuh_services(self, host, operation):
os = self.get_host_variables(host)['os_name']
binary_path = None
if os == 'windows':
self.get_host(host).ansible('ansible.windows.win_command', f"cmd=NET {operation} Wazuh", check=False)
if operation == 'restart':
a = self.get_host(host).ansible('ansible.windows.win_shell', f'NET stop Wazuh', check=False)
b = self.get_host(host).ansible('ansible.windows.win_shell', f'NET start Wazuh', check=False)

print(a)
print(b)
else:
a = self.get_host(host).ansible('ansible.windows.win_shell', f'NET {operation} Wazuh', check=False)
print(a)
else:
if os == 'linux':
binary_path = f"/var/ossec/bin/wazuh-control"
elif os == 'macos':
binary_path = f"/Library/Ossec/bin/wazuh-control"
self.get_host(host).ansible('ansible.builtin.command', f'cmd="{binary_path} {operation}"', check=False)
self.get_host(host).ansible('shell', f"{binary_path} {operation}", check=False)


def clean_environment(host_manager, target_files):
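Review bot: The default of `get_group_hosts` changed from `pattern=None` to the string `'None'`, which is truthy and no longer compares equal to `None`, so the branch that returns every host (`return [str(host) for host in self.inventory_manager.get_hosts()]`) is presumably no longer reached by callers relying on the default; the condition sits above the hunk, so this is inferred, and restoring `def get_group_hosts(self, pattern=None):` is the one-token fix. In the same file, `install_package` now ends after `result = True` without a `return result`, its Windows branch never sets `result` at all, and `remove_package` (which continues past the hunk) has the same shape, so callers get `None` on every path. The `print(a)` / `print(b)` calls added in `move_file` and `handle_wazuh_services` look like debugging leftovers; `logger.debug` or dropping them keeps the harness output clean. `get_host_groups` and `truncate_file` were added without docstrings, e.g. `"""Return the names of the inventory groups the given host belongs to."""` for the former.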
Expand Up @@ -60,6 +60,7 @@ wazuh_winagent_config_url: https://packages.wazuh.com/4.x/windows/wazuh-agent-4.
wazuh_winagent_package_name: wazuh-agent-4.8.0-1.msi
wazuh_winagent_package_name_generic: wazuh-agent.msi
wazuh_dir: "/var/ossec"
wazuh_macos_dir: "/Library/Ossec"

# This is deprecated, see: wazuh_agent_address
wazuh_agent_nat: false
Expand Up @@ -4,3 +4,6 @@

- name: Windows | Restart Wazuh Agent
win_service: name=WazuhSvc start_mode=auto state=restarted

- name: MacOS | restart wazuh-agent
ansible.builtin.shell: "{{ wazuh_macos_dir }}/bin/wazuh-control restart"
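Review bot: The new handler is named `MacOS | restart wazuh-agent`, but the task added to `tasks/MacOS.yml` in this same commit notifies `restart wazuh-agent`; unless a handler with that exact name or a `listen: restart wazuh-agent` entry exists above this hunk (the file's first lines are not shown), the notification never reaches this handler. Adding `listen: restart wazuh-agent` under the handler, or naming it to match, resolves it. The command uses no shell features, so `ansible.builtin.command: "{{ wazuh_macos_dir }}/bin/wazuh-control restart"` does the same with a smaller surface than `ansible.builtin.shell`.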
12 changes: 12 additions & 0 deletions provisioning/roles/wazuh/ansible-wazuh-agent/tasks/MacOS.yml
Expand Up @@ -6,3 +6,15 @@

- include_tasks: "installation_from_custom_packages.yml"
when: wazuh_custom_packages_installation_agent_enabled

- name: MacOS | Installing agent configuration (ossec.conf)
template:
src: var-ossec-etc-ossec-agent.conf.j2
dest: "{{ wazuh_macos_dir }}/etc/ossec.conf"
owner: root
group: wazuh
mode: 0644
notify: restart wazuh-agent
tags:
- init
- config
Expand Up @@ -44,7 +44,7 @@
<manager_address>{{ wazuh_agent_config.enrollment.manager_address }}</manager_address>
{% endif %}
{% if wazuh_agent_config.enrollment.agent_name | length > 0 %}
<agent_name>{{ wazuh_agent_config.enrollment.agent_name }}</agent_name>
<agent_name>{{ ansible_hostname }}</agent_name>
{% endif %}
{% if wazuh_agent_config.enrollment.port is defined > 0 %}
<port>{{ wazuh_agent_config.enrollment.port }}</port>
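Review bot: The guard still tests `wazuh_agent_config.enrollment.agent_name | length > 0`, but the element now emits `{{ ansible_hostname }}`, so the configured agent name is read to decide whether the tag is rendered and then ignored in favour of the host name; either the condition should change with it, or the value should stay `{{ wazuh_agent_config.enrollment.agent_name }}`. If the hostname is meant only as a fallback, `<agent_name>{{ wazuh_agent_config.enrollment.agent_name | default(ansible_hostname, true) }}</agent_name>` keeps both behaviours. A one-line Jinja comment above the block stating which value wins would save the next reader the same question.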
174 changes: 124 additions & 50 deletions tests/end_to_end/test_vulnerability_detector/cases.yaml
Expand Up @@ -13,70 +13,144 @@
amd64: https://downloads.rclone.org/v1.49.5/rclone-v1.49.5-linux-amd64.deb
arm: null
windows:
amd64: http://sourceforge.net/projects/firebird/files/firebird-win32/2.0.7-Release/Firebird-2.0.7.13318_0_win32.exe/download
check_alerts:
amd64: https://get.videolan.org/vlc/3.0.6/win64/vlc-3.0.6-win64.exe
macos:
amd64: https://nodejs.org/dist/v17.0.1/node-v17.0.1.pkg

# {"timestamp":"2023-11-14T10:52:41.932+0000","rule":{"level":10,"description":"CVE-2020-28924 affects rclone","id":"23505","firedtimes":392,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"ip-172-31-12-122.ec2.internal","ip":"172.31.12.122"},"manager":{"name":"ip-172-31-6-24"},"id":"1699959161.19604197","cluster":{"name":"wazuh","node":"master"},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"rclone","version":"1.49.5-1","architecture":"x86_64","condition":"Package less than 1.53.3"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5","exploitability_score":"10","impact_score":"2.900000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"none","availability":"none"},"base_score":"7.500000","exploitability_score":"3.900000","impact_score":"3.600000"}},"cve":"CVE-2020-28924","title":"CVE-2020-28924 affects rclone","rationale":"An issue was discovered in Rclone before 1.53.3. Due to the use of a weak random number generator, the password generator has been producing weak passwords with much less entropy than advertised. The suggested passwords depend deterministically on the time the second rclone was started. This limits the entropy of the passwords enormously. These passwords are often used in the crypt backend for encryption of data. It would be possible to make a dictionary of all possible passwords with about 38 million entries per password length. This would make decryption of secret material possible with a plausible amount of effort. 
NOTE: all passwords generated by affected versions should be changed.","severity":"High","published":"2020-11-19","updated":"2022-04-26","cwe_reference":"CWE-331","status":"Active","type":"PACKAGE","references":["https://github.com/rclone/rclone/issues/4783","https://lists.fedoraproject.org/archives/list/[email protected]/message/UJIFT24Q6EFXLQZ24AER2QGFFZLMIPCD/","https://rclone.org/downloads/","https://security.gentoo.org/glsa/202107-14","https://nvd.nist.gov/vuln/detail/CVE-2020-28924"],"assigner":"[email protected]"}},"location":"vulnerability-detector"}

check_agent_alert_indexer:
centos:
- event: syscollector_install_package_alert_yum
parameters:
PACKAGE_NAME: "rclone"
PACKAGE_VERSION: "1.49.5"
ubuntu:
- event: syscollector_install_package_alert_apt
parameters:
PACKAGE_NAME: "rclone"
PACKAGE_VERSION: "1.49.5"
teardown:
- remove_package:
package:
centos: rclone
ubuntu: rclone

- case: "Updating a vulnerable package that remains vulnerable to the same CVE"
id: "update_vuln_package_remain_vulnerable"
description: "Updating a vulnerable package that remains vulnerable to the same CVE"
preconditions:
tasks:
- install_package:
package:
centos:
amd64: https://downloads.rclone.org/v1.49.5/rclone-v1.49.5-linux-amd64.rpm
ubuntu:
amd64: https://downloads.rclone.org/v1.49.5/rclone-v1.49.5-linux-amd64.deb
check_alerts:
centos:
amd64:
- event: syscollector_install_package_alert_yum
parameters:
PACKAGE_NAME: "rclone"
PACKAGE_VERSION: "1.49.5"
ubuntu:
- event: syscollector_install_package_alert_apt
arm:
- event: syscollector_install_package_alert_yum
parameters:
PACKAGE_NAME: "rclone"
PACKAGE_VERSION: "1.49.5"
body:
tasks:
- install_package:
package:
centos:
amd64: https://downloads.rclone.org/v1.50.0/rclone-v1.50.0-linux-amd64.rpm
ubuntu:
amd64: https://downloads.rclone.org/v1.50.0/rclone-v1.50.0-linux-amd64.deb
check_alerts:
centos:
- event: upgrade_package
parameters:
PACKAGE_NAME: "rclone"
PACKAGE_VERSION: "1.50.0"
ubuntu:
- event: upgrade_package
amd64:
- event: syscollector_install_package_alert_apt
parameters:
PACKAGE_NAME: "rclone"
PACKAGE_VERSION: "1.49.5"
arm:
- event: syscollector_install_package_alert_apt
parameters:
PACKAGE_NAME: "rclone"
PACKAGE_VERSION: "1.50.0"
PACKAGE_VERSION: "1.49.5"
windows:
amd64:
- event: syscollector_install_package_alert_apt
parameters:
PACKAGE_NAME: "VideoLAN"
PACKAGE_VERSION: "3.0.6"
macos:
amd64:
- event: syscollector_install_package_alert_apt
parameters:
PACKAGE_NAME:
PACKAGE_VERSION:


# check_alerts:
# centos:
# amd64:
# - event: syscollector_install_package_alert_yum
# parameters:
# PACKAGE_NAME: "rclone"
# PACKAGE_VERSION: "1.49.5"
# arm:
# - event: syscollector_install_package_alert_yum
# parameters:
# PACKAGE_NAME: "rclone"
# PACKAGE_VERSION: "1.49.5"
# ubuntu:
# amd64:
# - event: syscollector_install_package_alert_apt
# parameters:
# PACKAGE_NAME: "rclone"
# PACKAGE_VERSION: "1.49.5"
# arm:
# - event: syscollector_install_package_alert_apt
# parameters:
# PACKAGE_NAME: "rclone"
# PACKAGE_VERSION: "1.49.5"
# windows:
# amd64:
# - event: syscollector_install_package_alert_apt
# parameters:
# PACKAGE_NAME: "VideoLAN"
# PACKAGE_VERSION: "3.0.6"
# macos:
# amd64:
# - event: syscollector_install_package_alert_apt
# parameters:
# PACKAGE_NAME:
# PACKAGE_VERSION:
teardown:
- remove_package:
package:
centos: rclone
ubuntu: rclone
centos:
amd: rclone
arm: rclone
ubuntu:
amd: rclone
arm: rclone
windows:
amd64: C:\\\\Program Files\\\\VideoLAN\\\\VLC\\\\uninstall.exe
macos:
amd64:

# - case: "Updating a vulnerable package that remains vulnerable to the same CVE"
# id: "update_vuln_package_remain_vulnerable"
# description: "Updating a vulnerable package that remains vulnerable to the same CVE"
# preconditions:
# tasks:
# - install_package:
# package:
# centos:
# amd64: https://downloads.rclone.org/v1.49.5/rclone-v1.49.5-linux-amd64.rpm
# ubuntu:
# amd64: https://downloads.rclone.org/v1.49.5/rclone-v1.49.5-linux-amd64.deb
# check_alerts:
# centos:
# - event: syscollector_install_package_alert_yum
# parameters:
# PACKAGE_NAME: "rclone"
# PACKAGE_VERSION: "1.49.5"
# ubuntu:
# - event: syscollector_install_package_alert_apt
# parameters:
# PACKAGE_NAME: "rclone"
# PACKAGE_VERSION: "1.49.5"
# body:
# tasks:
# - install_package:
# package:
# centos:
# amd64: https://downloads.rclone.org/v1.50.0/rclone-v1.50.0-linux-amd64.rpm
# ubuntu:
# amd64: https://downloads.rclone.org/v1.50.0/rclone-v1.50.0-linux-amd64.deb
# check_alerts:
# centos:
# - event: syscollector_upgrade_package_alert_yum
# parameters:
# PACKAGE_NAME: "rclone"
# PACKAGE_VERSION: "1.50.0"
# ubuntu:
# - event: syscollector_install_package_alert_apt
# parameters:
# PACKAGE_NAME: "rclone"
# PACKAGE_VERSION: "1.50.0"
# teardown:
# - remove_package:
# package:
# centos: rclone
# ubuntu: rclone

# ----

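Review bot: The new `teardown` block keys the centos/ubuntu entries as `amd` / `arm` while `install_package` and `check_alerts` in the same case use `amd64`, so a lookup by the architecture key used elsewhere misses these entries; `amd64: rclone` aligns them. The windows and macos `check_alerts` entries reuse `syscollector_install_package_alert_apt`, and the macos entries leave `PACKAGE_NAME`, `PACKAGE_VERSION` and the teardown package empty (YAML null), which reads as placeholders rather than a runnable case — a `# TODO` marking them as such, or omitting those platforms until matching events exist, avoids a case that passes or fails on a null. The pasted alert JSON kept as a comment carries an internal hostname and IP from the test environment on a multi-kilobyte line; naming the expected event is enough to document the alert shape. The two large commented-out blocks (the old `check_alerts` and the whole `update_vuln_package_remain_vulnerable` case) are dead config that git history already preserves.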
