From 73fd6d42a8d582caf71f0f3329eea8a95bab0b9d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Rebollo=20P=C3=A9rez?= Date: Tue, 13 Jun 2023 17:34:37 +0100 Subject: [PATCH 01/17] refactor: bump 4.4.4 revision (#4234) --- version.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version.json b/version.json index 7f8c7e423c..539267a4f8 100644 --- a/version.json +++ b/version.json @@ -1,4 +1,4 @@ { "version": "4.4.4", - "revision": "40410" + "revision": "40411" } From 68f93978fe3364c19c95fea8140ec137adbd4a95 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Rebollo=20P=C3=A9rez?= Date: Mon, 26 Jun 2023 11:17:20 +0100 Subject: [PATCH 02/17] refactor: bump 4.5.0 --- CHANGELOG.md | 5 +++++ deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml | 3 +++ version.json | 4 ++-- 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e88094f153..1ddfffce5e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,11 @@ All notable changes to this project will be documented in this file. +## [4.5.0] - TBD + +Wazuh commit: TBD +Release report: TBD + ## [4.4.4] - TBD Wazuh commit: TBD diff --git a/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml b/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml index 5a27d8828a..7626161832 100644 --- a/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml +++ b/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml @@ -186,6 +186,9 @@ predefined_values: - 4.4.1 - 4.4.2 - 4.4.3 + - 4.4.4 + - 4.4.5 + - 4.5.0 tags: - active_response - agentd diff --git a/version.json b/version.json index 539267a4f8..da2c152cda 100644 --- a/version.json +++ b/version.json @@ -1,4 +1,4 @@ { - "version": "4.4.4", - "revision": "40411" + "version": "4.5.0", + "revision": "40500" } From 770c8e115bf974e76138be0bfe96fd77b0c80a33 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?V=C3=ADctor=20Rebollo=20P=C3=A9rez?= Date: Mon, 26 Jun 2023 17:33:15 +0100 Subject: [PATCH 03/17] bump: 4.5.1 into 4.5.1 --- CHANGELOG.md | 2 +- deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml | 3 +++ version.json | 4 ++-- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a58a3d0489..4466b2f43e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,7 +2,7 @@ All notable changes to this project will be documented in this file. -## [4.4.5] - TBD +## [4.5.1] - TBD Wazuh commit: TBD Release report: TBD diff --git a/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml b/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml index 5a27d8828a..7ab8632f7a 100644 --- a/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml +++ b/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml @@ -186,6 +186,9 @@ predefined_values: - 4.4.1 - 4.4.2 - 4.4.3 + - 4.4.4 + - 4.5.0 + - 4.5.1 tags: - active_response - agentd diff --git a/version.json b/version.json index b66939fd10..b02b9b68c6 100644 --- a/version.json +++ b/version.json @@ -1,4 +1,4 @@ { - "version": "4.4.5", - "revision": "40412" + "version": "4.5.1", + "revision": "40501" } From 68bb968a53fb999604e71e9e2b7b1dc38b5f16c7 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Julia=20Mag=C3=A1n?= <80041853+juliamagan@users.noreply.github.com> Date: Mon, 3 Jul 2023 19:45:52 +0200 Subject: [PATCH 04/17] Revert " Add FIM Windows Registry wildcard support" (#4266) --- CHANGELOG.md | 1 - .../wazuh_testing/modules/fim/__init__.py | 2 +- .../modules/fim/event_monitor.py | 66 +--- .../wazuh_testing/modules/fim/utils.py | 37 +-- .../test_fim/test_registry/conftest.py | 2 +- .../configuration_registry_wildcards.yaml | 30 -- .../cases_registry_key_wildcards.yaml | 23 -- .../cases_registry_value_wildcards.yaml | 23 -- .../test_registry_wildcards.py | 290 ------------------ 9 files changed, 7 insertions(+), 467 deletions(-) delete mode 100644 tests/integration/test_fim/test_registry/test_registry_wildcards/data/configuration_templates/configuration_registry_wildcards.yaml delete mode 100644 tests/integration/test_fim/test_registry/test_registry_wildcards/data/test_cases/cases_registry_key_wildcards.yaml delete mode 100644 tests/integration/test_fim/test_registry/test_registry_wildcards/data/test_cases/cases_registry_value_wildcards.yaml delete mode 100644 tests/integration/test_fim/test_registry/test_registry_wildcards/test_registry_wildcards.py diff --git a/CHANGELOG.md b/CHANGELOG.md index 760d4c7f27..cadd7b3cc0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,7 +12,6 @@ Release report: TBD Wazuh commit: TBD \ Release report: TBD -- Add IT tests FIM registry monitoring using wildcards. ([#4220](https://github.com/wazuh/wazuh-qa/pull/4220)) \- (Framework + Tests) - New 'SCA' test suite and framework. ([#3566](https://github.com/wazuh/wazuh-qa/pull/3566)) \- (Framework + Tests) - Add integration tests for AWS module. ([#3911](https://github.com/wazuh/wazuh-qa/pull/3911)) \- (Framework + Tests + Documentation) - Add tests for msu patches with no associated CVE . ([#4009](https://github.com/wazuh/wazuh-qa/pull/4009)) \- (Framework + Tests) 
diff --git a/deps/wazuh_testing/wazuh_testing/modules/fim/__init__.py b/deps/wazuh_testing/wazuh_testing/modules/fim/__init__.py index 5a8af08e85..842cde0c5a 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/fim/__init__.py +++ b/deps/wazuh_testing/wazuh_testing/modules/fim/__init__.py @@ -1,4 +1,4 @@ -# Copyright (C) 2015-2023, Wazuh Inc. +# Copyright (C) 2015-2022, Wazuh Inc. # Created by Wazuh, Inc. . # This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 diff --git a/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py b/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py index a79edc7eb2..a972ee78da 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py +++ b/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py @@ -1,4 +1,4 @@ -# Copyright (C) 2015-2023, Wazuh Inc. +# Copyright (C) 2015-2022, Wazuh Inc. # Created by Wazuh, Inc. . # This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 @@ -7,9 +7,8 @@ from sys import platform from datetime import datetime -from wazuh_testing import LOG_FILE_PATH, logger, T_30, T_60 +from wazuh_testing import LOG_FILE_PATH, logger, T_60 from wazuh_testing.tools.monitoring import FileMonitor, generate_monitoring_callback -from wazuh_testing.modules.fim import MAX_EVENTS_VALUE # Variables 
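Review bot: The revert also rolls the copyright header back from 2023 to 2022 on the `# Copyright (C) 2015-2023, Wazuh Inc.` line of fim/__init__.py, and the same happens in the first hunk of event_monitor.py and utils.py, and back to 2021 in test_registry/conftest.py. The year bump is independent of the wildcard feature being reverted, so those four header lines could stay at `# Copyright (C) 2015-2023, Wazuh Inc.` while only the feature code is reverted. This is a style point on the revert's scope rather than on the feature itself.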
@@ -44,12 +43,13 @@ CB_SYNC_INTERVAL_RESET = r".*Previous sync was successful. Sync interval is reset to: '(\d+)s'" CB_IGNORING_DUE_TO_SREGEX = r".*?Ignoring path '(.*)' due to sregex '(.*)'.*" CB_IGNORING_DUE_TO_PATTERN = r".*?Ignoring path '(.*)' due to pattern '(.*)'.*" +CB_MAXIMUM_FILE_SIZE = r'.*Maximum file size limit to generate diff information configured to \'(\d+) KB\'.*' +CB_AGENT_CONNECT = r'.* Connected to the server .*' CB_REALTIME_WHODATA_ENGINE_STARTED = r'.*File integrity monitoring (real-time Whodata) engine started.*' CB_DISK_QUOTA_LIMIT_CONFIGURED_VALUE = r'.*Maximum disk quota size limit configured to \'(\d+) KB\'.*' CB_FILE_EXCEEDS_DISK_QUOTA = r'.*The (.*) of the file size \'(.*)\' exceeds the disk_quota.*' CB_FILE_SIZE_LIMIT_REACHED = r'.*File \'(.*)\' is too big for configured maximum size to perform diff operation\.' CB_DIFF_FOLDER_DELETED = r'.*Folder \'(.*)\' has been deleted.*' -CB_FIM_WILDCARD_EXPANDING = r".*Expanding entry '.*' to '(.*)' to monitor FIM events." CB_FIM_PATH_CONVERTED = r".*fim_adjust_path.*Convert '(.*) to '(.*)' to process the FIM events." CB_STARTING_WINDOWS_AUDIT = r'.*state_checker.*(Starting check of Windows Audit Policies and SACLs)' CB_SWITCHING_DIRECTORIES_TO_REALTIME = r'.*state_checker.*(Audit policy change detected.\ @@ -227,18 +227,6 @@ def callback_detect_file_integrity_event(line): return None -def callback_key_event(line): - """ Callback that detects if a line contains a registry integrity event for a registry_key - Args: - line (String): string line to be checked by callback in File_Monitor. - """ - event = callback_detect_event(line) - if event is None or event['data']['attributes']['type'] != 'registry_key': - return None - - return event - - def callback_value_event(line): event = callback_detect_event(line) 
@@ -501,52 +489,6 @@ def detect_whodata_start(file_monitor, timeout=T_60): error_message=ERR_MSG_WHODATA_ENGINE_EVENT) -def get_messages(callback, timeout=T_30): - """Look for as many synchronization events as possible. - This function will look for the synchronization messages until a Timeout is raised or 'max_events' is reached. - Args: - callback (str): Callback to be used to detect the event. - timeout (int): Timeout that will be used to get the dbsync_no_data message. - Returns: - A list with all the events in json format. - """ - wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) - events = [] - for _ in range(0, MAX_EVENTS_VALUE): - event = None - try: - event = wazuh_log_monitor.start(timeout=timeout, accum_results=1, - callback=callback, - error_message=f"Did not receive expected {callback} event").result() - except TimeoutError: - break - if event is not None: - events.append(event) - return events - - -def check_registry_crud_event(callback, path, timeout=T_30, type='added', arch='x32', value_name=None): - """Get all events matching the callback and validate the type, path and architecture of event - Args: - callback (str): Callback to be used to detect the event. - path (str): path to be checked - timeout (int): Timeout that will be used to try and get the expected messages - type (str): type of event to be checked - arch (str): architecture of the event to be checked - value_name (str): name of the value to be checked - """ - events = get_messages(callback=callback, timeout=timeout) - for event in events: - if event['data']['type'] == type and arch in event['data']['arch'] and event['data']['path'] == path: - if value_name is not None: - if 'value_name' in event and event['data']['value_name'] == value_name: - return event - else: - return event - - return None - - def detect_windows_sacl_configured(file_monitor, file='.*'): """Detects when windows permision checks have been configured for a given file. 
diff --git a/deps/wazuh_testing/wazuh_testing/modules/fim/utils.py b/deps/wazuh_testing/wazuh_testing/modules/fim/utils.py index 36b649581f..7ab62543ee 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/fim/utils.py +++ b/deps/wazuh_testing/wazuh_testing/modules/fim/utils.py @@ -1,4 +1,4 @@ -# Copyright (C) 2015-2023, Wazuh Inc. +# Copyright (C) 2015-2022, Wazuh Inc. # Created by Wazuh, Inc. . # This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 @@ -298,16 +298,6 @@ def calculate_registry_diff_paths(reg_key, reg_subkey, arch, value_name): def transform_registry_list(value_list=['test_value'], value_type=fim.REG_SZ, callback=ev.callback_value_event): - """Transform a list of registry values into a dictionary. - - Args: - value list (List): list of string value names - value type (str): type of registry value that is expected. - Callback (object): Callback to pair with the value to be monitored. - - Returns: - Dict: dictionary with the values and the corresponding callbacks to monitor them. - """ if sys.platform == 'win32': if value_type in [win32con.REG_SZ, win32con.REG_MULTI_SZ]: value_default_content = '' 
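Review bot: The second hunk of utils.py strips the docstring of `transform_registry_list` while the function itself survives the revert, so on the new side it is left undocumented. I would keep a docstring stating the contract the removed one described: that `value_list` is a list of value names, `value_type` the expected registry value type, `callback` the callback paired with each value, and that the return is a dictionary of the values with their corresponding callbacks. The `win32con` branch and the `return aux_dict` at the end of the function lie outside this hunk.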
@@ -329,31 +319,6 @@ def transform_registry_list(value_list=['test_value'], value_type=fim.REG_SZ, ca return aux_dict -def transform_registry_key_list(key_list=['test_key'], callback=ev.callback_key_event): - """Transform a list of registry keys into a dictionary. - - Args: - key_list list (List): list of strings with the key names names - Callback (object): Callback to pair with the key to be monitored. - - Returns: - Dict: dictionary with the keys and the corresponding callbacks to monitor them. - """ - if sys.platform == 'win32': - aux_dict = {} - if isinstance(key_list, list): - for elem in key_list: - aux_dict[elem] = ('', callback) - - elif isinstance(key_list, dict): - for key, elem in key_list.items(): - aux_dict[key] = (elem, callback) - else: - raise ValueError('It can only be a list or dictionary') - - return aux_dict - - def set_check_options(options): """ Return set of check options. If options given is none, it will return check_all""" options_set = fim.REQUIRED_REG_VALUE_ATTRIBUTES[fim.CHECK_ALL] diff --git a/tests/integration/test_fim/test_registry/conftest.py b/tests/integration/test_fim/test_registry/conftest.py index dce777ac08..72934c965e 100644 --- a/tests/integration/test_fim/test_registry/conftest.py +++ b/tests/integration/test_fim/test_registry/conftest.py @@ -1,4 +1,4 @@ -# Copyright (C) 2015-2023, Wazuh Inc. +# Copyright (C) 2015-2021, Wazuh Inc. # Created by Wazuh, Inc. . # This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 diff --git a/tests/integration/test_fim/test_registry/test_registry_wildcards/data/configuration_templates/configuration_registry_wildcards.yaml b/tests/integration/test_fim/test_registry/test_registry_wildcards/data/configuration_templates/configuration_registry_wildcards.yaml deleted file mode 100644 index a5fc64c6af..0000000000 
--- a/tests/integration/test_fim/test_registry/test_registry_wildcards/data/configuration_templates/configuration_registry_wildcards.yaml +++ /dev/null @@ -1,30 +0,0 @@ -- sections: - - section: syscheck - elements: - - disabled: - value: 'no' - - frequency: - value: FREQUENCY - - windows_registry: - value: WINDOWS_REGISTRY - attributes: - - arch: both - - - section: sca - elements: - - enabled: - value: 'no' - - section: rootcheck - elements: - - disabled: - value: 'yes' - - section: wodle - attributes: - - name: syscollector - elements: - - disabled: - value: 'yes' - - section: active-response - elements: - - disabled: - value: 'yes' diff --git a/tests/integration/test_fim/test_registry/test_registry_wildcards/data/test_cases/cases_registry_key_wildcards.yaml b/tests/integration/test_fim/test_registry/test_registry_wildcards/data/test_cases/cases_registry_key_wildcards.yaml deleted file mode 100644 index 7ce9a46842..0000000000 --- a/tests/integration/test_fim/test_registry/test_registry_wildcards/data/test_cases/cases_registry_key_wildcards.yaml +++ /dev/null @@ -1,23 +0,0 @@ -- name: Test key with question mark wildcard (Scheduled) - description: Test path with single question mark wildcard in scheduled mode - configuration_parameters: - FREQUENCY: 2 - WINDOWS_REGISTRY: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMA? - metadata: - fim_mode: scheduled - -- name: Test key with single asterisk wildcard (Scheduled) - description: Test path with single asterisk wildcard in scheduled mode - configuration_parameters: - FREQUENCY: 2 - WINDOWS_REGISTRY: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\* - metadata: - fim_mode: scheduled - -- name: Test key with asterisk+question mark (Scheduled) - description: Test path with multiple asterisks and question mark wildcards combined in scheduled mode - configuration_parameters: - FREQUENCY: 2 - WINDOWS_REGISTRY: HKEY_LOCAL_MACHINE\*\*\PointerClas? - metadata: - fim_mode: scheduled 
diff --git a/tests/integration/test_fim/test_registry/test_registry_wildcards/data/test_cases/cases_registry_value_wildcards.yaml b/tests/integration/test_fim/test_registry/test_registry_wildcards/data/test_cases/cases_registry_value_wildcards.yaml deleted file mode 100644 index 93e679cc6a..0000000000 --- a/tests/integration/test_fim/test_registry/test_registry_wildcards/data/test_cases/cases_registry_value_wildcards.yaml +++ /dev/null @@ -1,23 +0,0 @@ -- name: Test value with question mark wildcard (Scheduled) - description: Test path with single question mark wildcard - configuration_parameters: - FREQUENCY: 2 - WINDOWS_REGISTRY: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\PointerClas? - metadata: - fim_mode: scheduled - -- name: Test value with single asterisk wildcard (Scheduled) - description: Test path with single asterisk wildcard in scheduled mode - configuration_parameters: - FREQUENCY: 2 - WINDOWS_REGISTRY: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\* - metadata: - fim_mode: scheduled - -- name: Test3 value with asterisk+question mark (Scheduled) - description: Test path with multiple asterisks and question mark wildcards combined in scheduled mode - configuration_parameters: - FREQUENCY: 2 - WINDOWS_REGISTRY: HKEY_LOCAL_MACHINE\*\*\PointerClas? - metadata: - fim_mode: scheduled diff --git a/tests/integration/test_fim/test_registry/test_registry_wildcards/test_registry_wildcards.py b/tests/integration/test_fim/test_registry/test_registry_wildcards/test_registry_wildcards.py deleted file mode 100644 index 68ff46df9a..0000000000 --- a/tests/integration/test_fim/test_registry/test_registry_wildcards/test_registry_wildcards.py +++ /dev/null 
@@ -1,290 +0,0 @@ -''' -copyright: Copyright (C) 2015-2023, Wazuh Inc. - - Created by Wazuh, Inc. . - - This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - -type: integration - -brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are - modified. Specifically, these tests will check the use of wildcards '*' or '?' when configuring windows - registries to be monitored. When using wildcards, they should be expanded and matching keys should be - configured to be monitored. The tests will verify registry keys and values events are properly generated - when they are created, modified and deleted in registries configured through wildcards expansion. - -components: - - fim - -suite: registry_wildcards - -targets: - - agent - -daemons: - - wazuh-syscheckd - -os_platform: - - windows - -os_version: - - Windows 10 - - Windows 8 - - Windows 7 - - Windows Server 2019 - - Windows Server 2016 - - Windows Server 2012 - - Windows Server 2003 - - Windows XP - -references: - - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html - - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#file-limit - -pytest_args: - - fim_mode: - scheduled: file/registry changes are monitored only at the configured interval - - tier: - 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. - 1: Only level 1 tests are performed, they check functionalities of medium complexity. - 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. 
- -tags: - - fim_registry_wildcards -''' -import os -import time -import pytest -from wazuh_testing import LOG_FILE_PATH, T_10 -from wazuh_testing.tools.configuration import load_configuration_template, get_test_cases_data -from wazuh_testing.tools.monitoring import FileMonitor, generate_monitoring_callback -from wazuh_testing.modules import WINDOWS, TIER1 -from wazuh_testing.modules.fim import (registry_parser, KEY_WOW64_64KEY, REG_SZ, - WINDOWS_HKEY_LOCAL_MACHINE) -from wazuh_testing.modules.fim import FIM_DEFAULT_LOCAL_INTERNAL_OPTIONS as local_internal_options -from wazuh_testing.modules.fim.event_monitor import (CB_FIM_WILDCARD_EXPANDING, callback_key_event, get_messages, - check_registry_crud_event, callback_value_event) -from wazuh_testing.modules.fim.utils import (create_registry, modify_registry_value, delete_registry, - delete_registry_value) - -# Marks -pytestmark = [WINDOWS, TIER1] - -# Reference paths -TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') -CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration_templates') -TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases') - -# Configuration and cases data -configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_registry_wildcards.yaml') -t1_cases_path = os.path.join(TEST_CASES_PATH, 'cases_registry_key_wildcards.yaml') -t2_cases_path = os.path.join(TEST_CASES_PATH, 'cases_registry_value_wildcards.yaml') - -# Enabled test configurations (t1) -t1_configuration_parameters, t1_configuration_metadata, t1_case_ids = get_test_cases_data(t1_cases_path) -t1_configurations = load_configuration_template(configurations_path, t1_configuration_parameters, - t1_configuration_metadata) - -t2_configuration_parameters, t2_configuration_metadata, t2_case_ids = get_test_cases_data(t2_cases_path) -t2_configurations = load_configuration_template(configurations_path, t2_configuration_parameters, - t2_configuration_metadata) - -# Variables -wazuh_log_monitor = 
FileMonitor(LOG_FILE_PATH) -key_name = 'test_key' -value_name = 'test_value' - - -# Tests -@pytest.mark.parametrize('configuration, metadata', zip(t1_configurations, t1_configuration_metadata), ids=t1_case_ids) -def test_registry_key_wildcards(configuration, metadata, set_wazuh_configuration, truncate_monitored_files, - configure_local_internal_options_function, restart_wazuh_function, - wait_syscheck_start): - ''' - description: Check the behavior of FIM when using wildcards to configure the path of registry keys, and validate - the keys creation, modification and deletion is detected correctly. - - wazuh_min_version: 4.5.0 - - test_phases: - - setup: - - Set wazuh configuration. - - Clean logs files and restart wazuh to apply the configuration. - - test: - - Check that one or more keys are detected when the configured wildcard is expanded - - Create a subkey inside the first monitored key and check - - Wait for scan and check subkey has been detected as 'added' - - Modify the subkey - - Wait for scan and check subkey has been detected as 'modified' - - Delete the subkey - - Wait for scan and check subkey has been detected as 'deleted' - - teardown: - - Restore configuration - - Stop wazuh - - tier: 1 - - parameters: - - configuration: - type: dict - brief: Configuration values for to apply in agentt. - - metadata: - type: dict - brief: Test case data. - - set_wazuh_configuration: - type: fixture - brief: Set wazuh's configuration. - - truncate_monitored_files: - type: fixture - brief: Truncate the logs and alerts files. - - configure_local_internal_options_function: - type: fixture - brief: Set local_internal_options configuration. - - restart_syscheck_function: - type: fixture - brief: restart syscheckd daemon, and truncate the logs. - - wait_syscheck_start: - type: fixture - brief: check that the starting fim scan is detected. 
- - assertions: - - One or more keys have been configured after wildcard expansion - - Assert 'registry_key added' event has been detected - - Assert 'registry_key modified' event has been detected - - Assert 'registry_key deleted' event has been detected - - input_description: - - The file 'configuration_registry_wildcards.yaml' contains the configuration template for the test. - - The file 'cases_registry_key_wildcards.yaml' contains test case descriptions, configuration values and - metadata for each case. - - expected_output: - - r".*Expanding entry '.*' to '(.*)' to monitor FIM events." - - r".*Sending FIM event: (.+)$" - For 'registry_key' attributes.type and 'added/modified/deleted' type. - - tags: - - scheduled - ''' - - # Check logs for wildcards expansion and actual monitored keys - monitored_keys = get_messages(generate_monitoring_callback(CB_FIM_WILDCARD_EXPANDING), timeout=T_10) - assert monitored_keys != [], f"Did not receive expected '{CB_FIM_WILDCARD_EXPANDING}' events" - - subkey = monitored_keys[0].replace(f"{WINDOWS_HKEY_LOCAL_MACHINE}\\", "") - subkey = subkey + f"\\{key_name}" - path = monitored_keys[0] + f"\\{key_name}" - - # Create a new key inside monitored key and check it is detected - reg_handle = create_registry(registry_parser[WINDOWS_HKEY_LOCAL_MACHINE], subkey, KEY_WOW64_64KEY) - event_added = check_registry_crud_event(callback=callback_key_event, path=path, type='added', timeout=T_10, - arch='x64') - assert event_added is not None, 'Did not find the expected "registry_key added" event' - - # Add new value in the key and detect the modification of created monitored key is detected - modify_registry_value(reg_handle, value_name, REG_SZ, 'new_value') - event_modified = check_registry_crud_event(callback=callback_key_event, path=path, type='modified', timeout=T_10, - arch='x64') - assert event_modified is not None, 'Did not find the expected "registry_key modified" event' - - # Delete the created key and check it's deletion is detected - 
delete_registry(registry_parser[WINDOWS_HKEY_LOCAL_MACHINE], subkey, KEY_WOW64_64KEY) - event_deleted = check_registry_crud_event(callback=callback_key_event, path=path, type='deleted', timeout=T_10, - arch='x64') - assert event_deleted is not None, 'Did not find the expected "registry_key deleted" event' - - -@pytest.mark.parametrize('configuration, metadata', zip(t2_configurations, t2_configuration_metadata), ids=t2_case_ids) -def test_registry_value_wildcards(configuration, metadata, set_wazuh_configuration, - configure_local_internal_options_function, restart_syscheck_function, - wait_syscheck_start): - ''' - description: Check the behavior of FIM when using wildcards to configure the path of registry keys, and validate - when values are created inside a monitored key, creation, modification and deletion is detected - correctly. - - wazuh_min_version: 4.5.0 - - test_phases: - - setup: - - Set wazuh configuration. - - Clean logs files and restart wazuh to apply the configuration. - - test: - - Check that one or more keys are detected when the configured wildcard is expanded - - Create a registry_value inside the first monitored key and check - - Wait for scan and check registry_value has been detected as 'added' - - Modify the registry_value - - Wait for scan and check registry_value has been detected as 'modified' - - Delete the registry_value - - Wait for scan and check registry_value has been detected as 'deleted' - - teardown: - - Restore configuration - - Stop wazuh - - tier: 1 - - parameters: - - configuration: - type: dict - brief: Configuration values to apply to agent. - - metadata: - type: dict - brief: Test case data. - - set_wazuh_configuration: - type: fixture - brief: Set wazuh's configuration file. - - configure_local_internal_options_function: - type: fixture - brief: Set local_internal_options configuration. - - restart_syscheck_function: - type: fixture - brief: restart syscheckd daemon, and truncate the logs. 
- - wait_syscheck_start: - type: fixture - brief: check that the starting fim scan is detected. - - assertions: - - One or more keys have been configured after wildcard expansion - - Assert 'registry_value added' event has been detected - - Assert 'registry_value modified' event has been detected - - Assert 'registry_value deleted' event has been detected - - input_description: - - The file 'configuration_registry_wildcards.yaml' contains the configuration template for the test. - - The file 'cases_registry_value_wildcards.yaml' contains test case descriptions, configuration values and - metadata for each case. - - expected_output: - - r".*Expanding entry '.*' to '(.*)' to monitor FIM events." - - r".*Sending FIM event: (.+)$" - For 'registry_value' attributes.type and 'added/modified/deleted' type. - tags: - - scheduled - ''' - - monitored_keys = get_messages(generate_monitoring_callback(CB_FIM_WILDCARD_EXPANDING), timeout=T_10) - assert monitored_keys != [], f"Did not receive expected '{CB_FIM_WILDCARD_EXPANDING}' events" - - subkey = monitored_keys[0].replace(f"{WINDOWS_HKEY_LOCAL_MACHINE}\\", "") - subkey = subkey + f"\\{key_name}" - path = monitored_keys[0] + f"\\{key_name}" - - # Create custom key and custom value - reg_handle = create_registry(registry_parser[WINDOWS_HKEY_LOCAL_MACHINE], subkey, KEY_WOW64_64KEY) - modify_registry_value(reg_handle, value_name, REG_SZ, 'added') - event_added = check_registry_crud_event(callback=callback_value_event, path=path, type='added', timeout=T_10, - arch='x64') - assert event_added is not None, 'Did not find the expected "registry_value added" event' - - # Add new value in the key and detect the modification of created monitored key is detected - modify_registry_value(reg_handle, value_name, REG_SZ, 'modified') - event_modified = check_registry_crud_event(callback=callback_value_event, path=path, type='modified', timeout=T_10, - arch='x64') - assert event_modified is not None, 'Did not find the expected "registry_value 
modified" event' - - # Delete the created key and check it's deletion is detected - delete_registry_value(reg_handle, value_name) - event_deleted = check_registry_crud_event(callback=callback_value_event, path=path, type='deleted', timeout=T_10, - arch='x64') - assert event_deleted is not None, 'Did not find the expected "registry_value deleted" event' - - # Delete key to clean enviroment - delete_registry(registry_parser[WINDOWS_HKEY_LOCAL_MACHINE], subkey, KEY_WOW64_64KEY) From 5add503cd2b713df9add7d93a579b4dc6cacc7b8 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Tue, 4 Jul 2023 09:15:03 -0300 Subject: [PATCH 05/17] feat(#3693): add cases and configuration files --- .../configuration_registry_wildcards.yaml | 30 +++++++++++++++++++ .../cases_registry_key_wildcards.yaml | 23 ++++++++++++++ .../cases_registry_value_wildcards.yaml | 23 ++++++++++++++ 3 files changed, 76 insertions(+) create mode 100644 tests/integration/test_fim/test_registry/test_registry_wildcards/data/configuration_template/configuration_registry_wildcards.yaml create mode 100644 tests/integration/test_fim/test_registry/test_registry_wildcards/data/test_cases/cases_registry_key_wildcards.yaml create mode 100644 tests/integration/test_fim/test_registry/test_registry_wildcards/data/test_cases/cases_registry_value_wildcards.yaml diff --git a/tests/integration/test_fim/test_registry/test_registry_wildcards/data/configuration_template/configuration_registry_wildcards.yaml b/tests/integration/test_fim/test_registry/test_registry_wildcards/data/configuration_template/configuration_registry_wildcards.yaml new file mode 100644 index 0000000000..935238991b --- /dev/null +++ b/tests/integration/test_fim/test_registry/test_registry_wildcards/data/configuration_template/configuration_registry_wildcards.yaml 
@@ -0,0 +1,30 @@ +- sections: + - section: syscheck + elements: + - disabled: + value: 'no' + - frequency: + value: FREQUENCY + - windows_registry: + value: WINDOWS_REGISTRY + attributes: + - arch: both + + - section: sca + elements: + - enabled: + value: 'no' + - section: rootcheck + elements: + - disabled: + value: 'yes' + - section: wodle + attributes: + - name: syscollector + elements: + - disabled: + value: 'yes' + - section: active-response + elements: + - disabled: + value: 'yes' \ No newline at end of file diff --git a/tests/integration/test_fim/test_registry/test_registry_wildcards/data/test_cases/cases_registry_key_wildcards.yaml b/tests/integration/test_fim/test_registry/test_registry_wildcards/data/test_cases/cases_registry_key_wildcards.yaml new file mode 100644 index 0000000000..7ce9a46842 --- /dev/null +++ b/tests/integration/test_fim/test_registry/test_registry_wildcards/data/test_cases/cases_registry_key_wildcards.yaml @@ -0,0 +1,23 @@ +- name: Test key with question mark wildcard (Scheduled) + description: Test path with single question mark wildcard in scheduled mode + configuration_parameters: + FREQUENCY: 2 + WINDOWS_REGISTRY: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMA? + metadata: + fim_mode: scheduled + +- name: Test key with single asterisk wildcard (Scheduled) + description: Test path with single asterisk wildcard in scheduled mode + configuration_parameters: + FREQUENCY: 2 + WINDOWS_REGISTRY: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\* + metadata: + fim_mode: scheduled + +- name: Test key with asterisk+question mark (Scheduled) + description: Test path with multiple asterisks and question mark wildcards combined in scheduled mode + configuration_parameters: + FREQUENCY: 2 + WINDOWS_REGISTRY: HKEY_LOCAL_MACHINE\*\*\PointerClas? + metadata: + fim_mode: scheduled 
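Review bot: The template is created under `data/configuration_template/` (singular), but the test module added later in this series builds its path with `CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration_templates')` (plural), which is also the directory the reverted copy lived in; as committed, `load_configuration_template` will not find `configuration_registry_wildcards.yaml`. Either move the file to `data/configuration_templates/` or change the module to `'configuration_template'`. The file is also written without a trailing newline (`\ No newline at end of file`), unlike the version deleted by the revert; the key-wildcards cases file in this same patch does end with one.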
diff --git a/tests/integration/test_fim/test_registry/test_registry_wildcards/data/test_cases/cases_registry_value_wildcards.yaml b/tests/integration/test_fim/test_registry/test_registry_wildcards/data/test_cases/cases_registry_value_wildcards.yaml new file mode 100644 index 0000000000..68367b86a2 --- /dev/null +++ b/tests/integration/test_fim/test_registry/test_registry_wildcards/data/test_cases/cases_registry_value_wildcards.yaml @@ -0,0 +1,23 @@ +- name: Test value with question mark wildcard (Scheduled) + description: Test path with single question mark wildcard + configuration_parameters: + FREQUENCY: 2 + WINDOWS_REGISTRY: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\PointerClas? + metadata: + fim_mode: scheduled + +- name: Test value with single asterisk wildcard (Scheduled) + description: Test path with single asterisk wildcard in scheduled mode + configuration_parameters: + FREQUENCY: 2 + WINDOWS_REGISTRY: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\* + metadata: + fim_mode: scheduled + +- name: Test3 value with asterisk+question mark (Scheduled) + description: Test path with multiple asterisks and question mark wildcards combined in scheduled mode + configuration_parameters: + FREQUENCY: 2 + WINDOWS_REGISTRY: HKEY_LOCAL_MACHINE\*\*\PointerClas? + metadata: + fim_mode: scheduled \ No newline at end of file From 7bb1de6433afe0320d538bbdde0cd6b10c9bfe25 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Tue, 4 Jul 2023 09:18:30 -0300 Subject: [PATCH 06/17] feat(#3693): add test_registry_wildcards module --- .../test_registry_wildcards.py | 290 ++++++++++++++++++ 1 file changed, 290 insertions(+) create mode 100644 tests/integration/test_fim/test_registry/test_registry_wildcards/test_registry_wildcards.py diff --git a/tests/integration/test_fim/test_registry/test_registry_wildcards/test_registry_wildcards.py b/tests/integration/test_fim/test_registry/test_registry_wildcards/test_registry_wildcards.py new file mode 100644 index 0000000000..ec23823dc9 --- /dev/null 
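Review bot: The third case name `Test3 value with asterisk+question mark (Scheduled)` looks like leftover numbering, since its siblings are named `Test value ...`; if `get_test_cases_data` derives the pytest ids from `name`, as the `ids=t2_case_ids` usage in the test module suggests, the stray `3` ends up in the test id. I would rename it `- name: Test value with asterisk+question mark (Scheduled)`. The first case's `description` also drops the `in scheduled mode` suffix the other cases use, and the file lacks a trailing newline.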
+++ b/tests/integration/test_fim/test_registry/test_registry_wildcards/test_registry_wildcards.py 
@@ -0,0 +1,290 @@ +''' +copyright: Copyright (C) 2015-2023, Wazuh Inc. + + Created by Wazuh, Inc. . + + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: File Integrity Monitoring (FIM) system watches selected files and triggering alerts when these files are + modified. Specifically, these tests will check the use of wildcards '*' or '?' when configuring windows + registries to be monitored. When using wildcards, they should be expanded and matching keys should be + configured to be monitored. The tests will verify registry keys and values events are properly generated + when they are created, modified and deleted in registries configured through wildcards expansion. + +components: + - fim + +suite: registry_wildcards + +targets: + - agent + +daemons: + - wazuh-syscheckd + +os_platform: + - windows + +os_version: + - Windows 10 + - Windows 8 + - Windows 7 + - Windows Server 2019 + - Windows Server 2016 + - Windows Server 2012 + - Windows Server 2003 + - Windows XP + +references: + - https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html + - https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#file-limit + +pytest_args: + - fim_mode: + scheduled: file/registry changes are monitored only at the configured interval + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. + 1: Only level 1 tests are performed, they check functionalities of medium complexity. + 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. 
+ +tags: + - fim_registry_wildcards +''' +import os +import time +import pytest +from wazuh_testing import LOG_FILE_PATH, T_10 +from wazuh_testing.tools.configuration import load_configuration_template, get_test_cases_data +from wazuh_testing.tools.monitoring import FileMonitor, generate_monitoring_callback +from wazuh_testing.modules import WINDOWS, TIER1 +from wazuh_testing.modules.fim import (registry_parser, KEY_WOW64_64KEY, REG_SZ, + WINDOWS_HKEY_LOCAL_MACHINE) +from wazuh_testing.modules.fim import FIM_DEFAULT_LOCAL_INTERNAL_OPTIONS as local_internal_options +from wazuh_testing.modules.fim.event_monitor import (CB_FIM_WILDCARD_EXPANDING, callback_key_event, get_messages, + check_registry_crud_event, callback_value_event) +from wazuh_testing.modules.fim.utils import (create_registry, modify_registry_value, delete_registry, + delete_registry_value) + +# Marks +pytestmark = [WINDOWS, TIER1] + +# Reference paths +TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') +CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration_templates') +TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases') + +# Configuration and cases data +configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_registry_wildcards.yaml') +t1_cases_path = os.path.join(TEST_CASES_PATH, 'cases_registry_key_wildcards.yaml') +t2_cases_path = os.path.join(TEST_CASES_PATH, 'cases_registry_value_wildcards.yaml') + +# Enabled test configurations (t1) +t1_configuration_parameters, t1_configuration_metadata, t1_case_ids = get_test_cases_data(t1_cases_path) +t1_configurations = load_configuration_template(configurations_path, t1_configuration_parameters, + t1_configuration_metadata) + +t2_configuration_parameters, t2_configuration_metadata, t2_case_ids = get_test_cases_data(t2_cases_path) +t2_configurations = load_configuration_template(configurations_path, t2_configuration_parameters, + t2_configuration_metadata) + +# Variables +wazuh_log_monitor = 
FileMonitor(LOG_FILE_PATH) +key_name = 'test_key' +value_name = 'test_value' + + +# Tests +@pytest.mark.parametrize('configuration, metadata', zip(t1_configurations, t1_configuration_metadata), ids=t1_case_ids) +def test_registry_key_wildcards(configuration, metadata, set_wazuh_configuration, truncate_monitored_files, + configure_local_internal_options_function, restart_wazuh_function, + wait_syscheck_start): + ''' + description: Check the behavior of FIM when using wildcards to configure the path of registry keys, and validate + the keys creation, modification and deletion is detected correctly. + + wazuh_min_version: 4.5.0 + + test_phases: + - setup: + - Set wazuh configuration. + - Clean logs files and restart wazuh to apply the configuration. + - test: + - Check that one or more keys are detected when the configured wildcard is expanded + - Create a subkey inside the first monitored key and check + - Wait for scan and check subkey has been detected as 'added' + - Modify the subkey + - Wait for scan and check subkey has been detected as 'modified' + - Delete the subkey + - Wait for scan and check subkey has been detected as 'deleted' + - teardown: + - Restore configuration + - Stop wazuh + + tier: 1 + + parameters: + - configuration: + type: dict + brief: Configuration values for to apply in agentt. + - metadata: + type: dict + brief: Test case data. + - set_wazuh_configuration: + type: fixture + brief: Set wazuh's configuration. + - truncate_monitored_files: + type: fixture + brief: Truncate the logs and alerts files. + - configure_local_internal_options_function: + type: fixture + brief: Set local_internal_options configuration. + - restart_syscheck_function: + type: fixture + brief: restart syscheckd daemon, and truncate the logs. + - wait_syscheck_start: + type: fixture + brief: check that the starting fim scan is detected. 
+ + assertions: + - One or more keys have been configured after wildcard expansion + - Assert 'registry_key added' event has been detected + - Assert 'registry_key modified' event has been detected + - Assert 'registry_key deleted' event has been detected + + input_description: + - The file 'configuration_registry_wildcards.yaml' contains the configuration template for the test. + - The file 'cases_registry_key_wildcards.yaml' contains test case descriptions, configuration values and + metadata for each case. + + expected_output: + - r".*Expanding entry '.*' to '(.*)' to monitor FIM events." + - r".*Sending FIM event: (.+)$" - For 'registry_key' attributes.type and 'added/modified/deleted' type. + + tags: + - scheduled + ''' + + # Check logs for wildcards expansion and actual monitored keys + monitored_keys = get_messages(generate_monitoring_callback(CB_FIM_WILDCARD_EXPANDING), timeout=T_10) + assert monitored_keys != [], f"Did not receive expected '{CB_FIM_WILDCARD_EXPANDING}' events" + + subkey = monitored_keys[0].replace(f"{WINDOWS_HKEY_LOCAL_MACHINE}\\", "") + subkey = subkey + f"\\{key_name}" + path = monitored_keys[0] + f"\\{key_name}" + + # Create a new key inside monitored key and check it is detected + reg_handle = create_registry(registry_parser[WINDOWS_HKEY_LOCAL_MACHINE], subkey, KEY_WOW64_64KEY) + event_added = check_registry_crud_event(callback=callback_key_event, path=path, type='added', timeout=T_10, + arch='x64') + assert event_added is not None, 'Did not find the expected "registry_key added" event' + + # Add new value in the key and detect the modification of created monitored key is detected + modify_registry_value(reg_handle, value_name, REG_SZ, 'new_value') + event_modified = check_registry_crud_event(callback=callback_key_event, path=path, type='modified', timeout=T_10, + arch='x64') + assert event_modified is not None, 'Did not find the expected "registry_key modified" event' + + # Delete the created key and check it's deletion is detected + 
delete_registry(registry_parser[WINDOWS_HKEY_LOCAL_MACHINE], subkey, KEY_WOW64_64KEY) + event_deleted = check_registry_crud_event(callback=callback_key_event, path=path, type='deleted', timeout=T_10, + arch='x64') + assert event_deleted is not None, 'Did not find the expected "registry_key deleted" event' + + +@pytest.mark.parametrize('configuration, metadata', zip(t2_configurations, t2_configuration_metadata), ids=t2_case_ids) +def test_registry_value_wildcards(configuration, metadata, set_wazuh_configuration, + configure_local_internal_options_function, restart_syscheck_function, + wait_syscheck_start): + ''' + description: Check the behavior of FIM when using wildcards to configure the path of registry keys, and validate + when values are created inside a monitored key, creation, modification and deletion is detected + correctly. + + wazuh_min_version: 4.5.0 + + test_phases: + - setup: + - Set wazuh configuration. + - Clean logs files and restart wazuh to apply the configuration. + - test: + - Check that one or more keys are detected when the configured wildcard is expanded + - Create a registry_value inside the first monitored key and check + - Wait for scan and check registry_value has been detected as 'added' + - Modify the registry_value + - Wait for scan and check registry_value has been detected as 'modified' + - Delete the registry_value + - Wait for scan and check registry_value has been detected as 'deleted' + - teardown: + - Restore configuration + - Stop wazuh + + tier: 1 + + parameters: + - configuration: + type: dict + brief: Configuration values to apply to agent. + - metadata: + type: dict + brief: Test case data. + - set_wazuh_configuration: + type: fixture + brief: Set wazuh's configuration file. + - configure_local_internal_options_function: + type: fixture + brief: Set local_internal_options configuration. + - restart_syscheck_function: + type: fixture + brief: restart syscheckd daemon, and truncate the logs. 
+ - wait_syscheck_start: + type: fixture + brief: check that the starting fim scan is detected. + + assertions: + - One or more keys have been configured after wildcard expansion + - Assert 'registry_value added' event has been detected + - Assert 'registry_value modified' event has been detected + - Assert 'registry_value deleted' event has been detected + + input_description: + - The file 'configuration_registry_wildcards.yaml' contains the configuration template for the test. + - The file 'cases_registry_value_wildcards.yaml' contains test case descriptions, configuration values and + metadata for each case. + + expected_output: + - r".*Expanding entry '.*' to '(.*)' to monitor FIM events." + - r".*Sending FIM event: (.+)$" - For 'registry_value' attributes.type and 'added/modified/deleted' type. + tags: + - scheduled + ''' + + monitored_keys = get_messages(generate_monitoring_callback(CB_FIM_WILDCARD_EXPANDING), timeout=T_10) + assert monitored_keys != [], f"Did not receive expected '{CB_FIM_WILDCARD_EXPANDING}' events" + + subkey = monitored_keys[0].replace(f"{WINDOWS_HKEY_LOCAL_MACHINE}\\", "") + subkey = subkey + f"\\{key_name}" + path = monitored_keys[0] + f"\\{key_name}" + + # Create custom key and custom value + reg_handle = create_registry(registry_parser[WINDOWS_HKEY_LOCAL_MACHINE], subkey, KEY_WOW64_64KEY) + modify_registry_value(reg_handle, value_name, REG_SZ, 'added') + event_added = check_registry_crud_event(callback=callback_value_event, path=path, type='added', timeout=T_10, + arch='x64') + assert event_added is not None, 'Did not find the expected "registry_value added" event' + + # Add new value in the key and detect the modification of created monitored key is detected + modify_registry_value(reg_handle, value_name, REG_SZ, 'modified') + event_modified = check_registry_crud_event(callback=callback_value_event, path=path, type='modified', timeout=T_10, + arch='x64') + assert event_modified is not None, 'Did not find the expected "registry_value 
modified" event' + + # Delete the created key and check it's deletion is detected + delete_registry_value(reg_handle, value_name) + event_deleted = check_registry_crud_event(callback=callback_value_event, path=path, type='deleted', timeout=T_10, + arch='x64') + assert event_deleted is not None, 'Did not find the expected "registry_value deleted" event' + + # Delete key to clean enviroment + delete_registry(registry_parser[WINDOWS_HKEY_LOCAL_MACHINE], subkey, KEY_WOW64_64KEY) \ No newline at end of file From da9424362e62b071b12fc343f6734de1dd554e64 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Tue, 4 Jul 2023 09:18:58 -0300 Subject: [PATCH 07/17] feat(#3693): add new callbacks and event_monitor --- .../wazuh_testing/modules/fim/__init__.py | 2 +- .../modules/fim/event_monitor.py | 66 +++++++++++++++++-- .../wazuh_testing/modules/fim/utils.py | 33 +++++++++- .../test_fim/test_registry/conftest.py | 2 +- 4 files changed, 96 insertions(+), 7 deletions(-) diff --git a/deps/wazuh_testing/wazuh_testing/modules/fim/__init__.py b/deps/wazuh_testing/wazuh_testing/modules/fim/__init__.py index 842cde0c5a..5a8af08e85 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/fim/__init__.py +++ b/deps/wazuh_testing/wazuh_testing/modules/fim/__init__.py @@ -1,4 +1,4 @@ -# Copyright (C) 2015-2022, Wazuh Inc. +# Copyright (C) 2015-2023, Wazuh Inc. # Created by Wazuh, Inc. . # This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 diff --git a/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py b/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py index a972ee78da..2ec0f10099 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py +++ b/deps/wazuh_testing/wazuh_testing/modules/fim/event_monitor.py 
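Review bot: In `test_registry_value_wildcards` the `test_key` subkey created by `create_registry(...)` is removed only by the trailing `delete_registry(...)`, so any failing assertion before it leaves the key behind and the next parametrized case on the same host starts with the key already present; wrap the body from `reg_handle = create_registry(...)` onward in `try:` with `finally: delete_registry(registry_parser[WINDOWS_HKEY_LOCAL_MACHINE], subkey, KEY_WOW64_64KEY)`, or move the cleanup into a fixture. `test_registry_key_wildcards` has the same exposure up to its own `delete_registry` call. The first test's docstring lists `restart_syscheck_function` while its signature requests `restart_wazuh_function` and `truncate_monitored_files`, and the second test requests `restart_syscheck_function`; the docstrings should name the fixtures actually used. `import time` and the module-level `wazuh_log_monitor` are not referenced anywhere in this file, and `agentt` / `enviroment` are typos.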
@@ -1,4 +1,4 @@ -# Copyright (C) 2015-2022, Wazuh Inc. +# Copyright (C) 2015-2023, Wazuh Inc. # Created by Wazuh, Inc. . # This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 @@ -7,7 +7,7 @@ from sys import platform from datetime import datetime -from wazuh_testing import LOG_FILE_PATH, logger, T_60 +from wazuh_testing import LOG_FILE_PATH, logger, T_60, T_30 from wazuh_testing.tools.monitoring import FileMonitor, generate_monitoring_callback @@ -43,8 +43,6 @@ CB_SYNC_INTERVAL_RESET = r".*Previous sync was successful. Sync interval is reset to: '(\d+)s'" CB_IGNORING_DUE_TO_SREGEX = r".*?Ignoring path '(.*)' due to sregex '(.*)'.*" CB_IGNORING_DUE_TO_PATTERN = r".*?Ignoring path '(.*)' due to pattern '(.*)'.*" -CB_MAXIMUM_FILE_SIZE = r'.*Maximum file size limit to generate diff information configured to \'(\d+) KB\'.*' -CB_AGENT_CONNECT = r'.* Connected to the server .*' CB_REALTIME_WHODATA_ENGINE_STARTED = r'.*File integrity monitoring (real-time Whodata) engine started.*' CB_DISK_QUOTA_LIMIT_CONFIGURED_VALUE = r'.*Maximum disk quota size limit configured to \'(\d+) KB\'.*' CB_FILE_EXCEEDS_DISK_QUOTA = r'.*The (.*) of the file size \'(.*)\' exceeds the disk_quota.*' @@ -52,6 +50,7 @@ CB_DIFF_FOLDER_DELETED = r'.*Folder \'(.*)\' has been deleted.*' CB_FIM_PATH_CONVERTED = r".*fim_adjust_path.*Convert '(.*) to '(.*)' to process the FIM events." CB_STARTING_WINDOWS_AUDIT = r'.*state_checker.*(Starting check of Windows Audit Policies and SACLs)' +CB_FIM_WILDCARD_EXPANDING = r".*Expanding entry '.*' to '(.*)' to monitor FIM events." CB_SWITCHING_DIRECTORIES_TO_REALTIME = r'.*state_checker.*(Audit policy change detected.\ Switching directories to realtime)' CB_RECIEVED_EVENT_4719 = r'.*win_whodata.*(Event 4719).*Switching directories to realtime' 
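Review bot: The removal of `CB_MAXIMUM_FILE_SIZE` and `CB_AGENT_CONNECT` in the `@@ -43,8 +43,6 @@` hunk is not covered by the commit message ("add new callbacks and event_monitor"); both are public module-level names of a shared test-framework module, so any test importing them elsewhere in the repository would break, and the removal should be backed by a repo-wide search or kept out of this feature commit. `CB_FIM_WILDCARD_EXPANDING` uses greedy `'.*'` groups inside the quotes, so a configured entry that itself contains a quote would shift the captured group; if that is acceptable, a comment on the constant such as `# group 1: the expanded registry path that syscheck will monitor` would help callers like `get_messages(generate_monitoring_callback(CB_FIM_WILDCARD_EXPANDING), ...)`.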
@@ -227,6 +226,18 @@ def callback_detect_file_integrity_event(line):
 return None
+def callback_key_event(line):
+ """ Callback that detects if a line contains a registry integrity event for a registry_key
+ Args:
+ line (String): string line to be checked by callback in File_Monitor.
+ """
+ event = callback_detect_event(line)
+ if event is None or event['data']['attributes']['type'] != 'registry_key':
+ return None
+
+ return event
+
+
 def callback_value_event(line):
 event = callback_detect_event(line)
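Review bot: `event['data']['attributes']['type']` raises `KeyError` instead of returning `None` for any line that `callback_detect_event` accepts but whose payload has no `attributes` object; `if event is None or event.get('data', {}).get('attributes', {}).get('type') != 'registry_key':` filters the same events without that failure mode. Whether such events can reach this callback depends on the FIM event format, which is not visible here. The docstring also lacks a return entry; add `Returns: dict: the parsed event when it is a 'registry_key' event, None otherwise.`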
@@ -489,6 +500,53 @@ def detect_whodata_start(file_monitor, timeout=T_60):
 error_message=ERR_MSG_WHODATA_ENGINE_EVENT)
+def get_messages(callback, timeout=T_30):
+ """Look for as many synchronization events as possible.
+ This function will look for the synchronization messages until a Timeout is raised or 'max_events' is reached.
+ Args:
+ callback (str): Callback to be used to detect the event.
+ timeout (int): Timeout that will be used to get the dbsync_no_data message.
+
+ Returns:
+ A list with all the events in json format.
+ """
+ wazuh_log_monitor = FileMonitor(LOG_FILE_PATH)
+ events = []
+ for _ in range(0, MAX_EVENTS_VALUE):
+ event = None
+ try:
+ event = wazuh_log_monitor.start(timeout=timeout, accum_results=1,
+ callback=callback,
+ error_message=f"Did not receive expected {callback} event").result()
+ except TimeoutError:
+ break
+ if event is not None:
+ events.append(event)
+ return events
+
+
+def check_registry_crud_event(callback, path, timeout=T_30, type='added', arch='x32', value_name=None):
+ """Get all events matching the callback and validate the type, path and architecture of event
+ Args:
+ callback (str): Callback to be used to detect the event.
+ path (str): path to be checked
+ timeout (int): Timeout that will be used to try and get the expected messages
+ type (str): type of event to be checked
+ arch (str): architecture of the event to be checked
+ value_name (str): name of the value to be checked
+ """
+ events = get_messages(callback=callback, timeout=timeout)
+ for event in events:
+ if event['data']['type'] == type and arch in event['data']['arch'] and event['data']['path'] == path:
+ if value_name is not None:
+ if 'value_name' in event and event['data']['value_name'] == value_name:
+ return event
+ else:
+ return event
+
+ return None
+
+
 def detect_windows_sacl_configured(file_monitor, file='.*'):
 """Detects when windows permision checks have been configured for a given file.
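Review bot: In `check_registry_crud_event` the `value_name` branch tests `'value_name' in event` but then reads `event['data']['value_name']`, so the membership check looks at a different level of the dict than the read; `type`, `arch` and `path` are all taken from `event['data']`, so the key presumably lives there too, in which case the branch never matches and the function returns `None` whenever `value_name` is given. `if event['data'].get('value_name') == value_name:` checks the same dict it reads from. The `get_messages` docstring is copied from a synchronization helper — it talks about synchronization events, `'max_events'` and a `dbsync_no_data` message, and types `callback` as `str` although a callable is handed to `FileMonitor.start` — and should instead describe the loop that collects up to `MAX_EVENTS_VALUE` matches of `callback` until the monitor times out. `type` as a parameter name shadows the builtin; it is already part of the keyword interface the tests use, so any rename would have to keep `type` accepted.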
diff --git a/deps/wazuh_testing/wazuh_testing/modules/fim/utils.py b/deps/wazuh_testing/wazuh_testing/modules/fim/utils.py
index 7ab62543ee..42efba9496 100644
--- a/deps/wazuh_testing/wazuh_testing/modules/fim/utils.py
+++ b/deps/wazuh_testing/wazuh_testing/modules/fim/utils.py
@@ -1,4 +1,4 @@
-# Copyright (C) 2015-2022, Wazuh Inc.
+# Copyright (C) 2015-2023, Wazuh Inc.
 # Created by Wazuh, Inc. .
 # This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
@@ -298,6 +298,14 @@ def calculate_registry_diff_paths(reg_key, reg_subkey, arch, value_name):
 def transform_registry_list(value_list=['test_value'], value_type=fim.REG_SZ, callback=ev.callback_value_event):
+ """Transform a list of registry values into a dictionary.
+ Args:
+ value list (List): list of string value names
+ value type (str): type of registry value that is expected.
+ Callback (object): Callback to pair with the value to be monitored.
+ Returns:
+ Dict: dictionary with the values and the corresponding callbacks to monitor them.
+ """
 if sys.platform == 'win32':
 if value_type in [win32con.REG_SZ, win32con.REG_MULTI_SZ]:
 value_default_content = ''
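Review bot: The new docstring's argument names do not match the signature of `transform_registry_list`: `value list`, `value type` and `Callback` should be `value_list`, `value_type` and `callback` so each entry can be matched to its parameter, and `callback` is better typed as `callable` than `object`. The `Returns:` line could state the mapping shape, e.g. `dict: value name -> (default content, callback)`, if that is what the body builds; the construction is outside this hunk, so confirm against the code below.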
@@ -319,6 +327,29 @@ def transform_registry_list(value_list=['test_value'], value_type=fim.REG_SZ, ca return aux_dict +def transform_registry_key_list(key_list=['test_key'], callback=ev.callback_key_event): + """Transform a list of registry keys into a dictionary. + Args: + key_list list (List): list of strings with the key names names + Callback (object): Callback to pair with the key to be monitored. + Returns: + Dict: dictionary with the keys and the corresponding callbacks to monitor them. + """ + if sys.platform == 'win32': + aux_dict = {} + if isinstance(key_list, list): + for elem in key_list: + aux_dict[elem] = ('', callback) + + elif isinstance(key_list, dict): + for key, elem in key_list.items(): + aux_dict[key] = (elem, callback) + else: + raise ValueError('It can only be a list or dictionary') + + return aux_dict + + def set_check_options(options): """ Return set of check options. If options given is none, it will return check_all""" options_set = fim.REQUIRED_REG_VALUE_ATTRIBUTES[fim.CHECK_ALL] diff --git a/tests/integration/test_fim/test_registry/conftest.py b/tests/integration/test_fim/test_registry/conftest.py index 72934c965e..dce777ac08 100644 --- a/tests/integration/test_fim/test_registry/conftest.py +++ b/tests/integration/test_fim/test_registry/conftest.py @@ -1,4 +1,4 @@ -# Copyright (C) 2015-2021, Wazuh Inc. +# Copyright (C) 2015-2023, Wazuh Inc. # Created by Wazuh, Inc. . # This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 From c50aa1aa5d055b1e30d539fc57c6c7fbbb34fd81 Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Tue, 4 Jul 2023 09:19:32 -0300 Subject: [PATCH 08/17] docs(#3693): update changelog.md --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index cadd7b3cc0..efac2dc3df 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
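Review bot: `transform_registry_key_list` creates `aux_dict` only inside the `if sys.platform == 'win32':` branch, so on any other platform the function either returns `None` implicitly or, if `return aux_dict` sits outside the branch (indentation is not recoverable here), raises `UnboundLocalError`; both silently break the documented dict contract, and an explicit `return {}` or a raised error for non-Windows hosts would make the behaviour deliberate. The default `key_list=['test_key']` is a mutable default argument; the body does not mutate it, but `key_list=None` followed by `key_list = ['test_key'] if key_list is None else key_list` is the conventional form and avoids the shared-list hazard. The docstring entry `key_list list (List): list of strings with the key names names` has duplicated words and should read `key_list (list | dict): key names, or a mapping of key name to its value` if that matches what the `dict` branch expects.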
@@ -7,6 +7,9 @@ All notable changes to this project will be documented in this file. Wazuh commit: TBD \ Release report: TBD +### Added + +- Add IT tests FIM registry monitoring using wildcards. ([#4270](https://github.com/wazuh/wazuh-qa/pull/4270)) \- (Framework + Tests) ## [4.5.0] - TBD Wazuh commit: TBD \ From be7b95b709485b188d7bf8843e9533edb309ff2d Mon Sep 17 00:00:00 2001 From: Deblintrake09 Date: Tue, 4 Jul 2023 09:21:58 -0300 Subject: [PATCH 09/17] style(#3693): fix whitelines --- deps/wazuh_testing/wazuh_testing/modules/fim/utils.py | 3 ++- .../configuration_registry_wildcards.yaml | 2 +- .../data/test_cases/cases_registry_value_wildcards.yaml | 2 +- .../test_registry_wildcards/test_registry_wildcards.py | 2 +- 4 files changed, 5 insertions(+), 4 deletions(-) diff --git a/deps/wazuh_testing/wazuh_testing/modules/fim/utils.py b/deps/wazuh_testing/wazuh_testing/modules/fim/utils.py index 42efba9496..02065895e6 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/fim/utils.py +++ b/deps/wazuh_testing/wazuh_testing/modules/fim/utils.py @@ -213,7 +213,8 @@ def modify_registry(key, subkey, arch): logger.info(f"Modifying registry key {print_arch}{os.path.join(fim.registry_class_name[key], subkey)}") modify_key_perms(key, subkey, arch, win32sec.LookupAccountName(None, f"{platform.node()}\\{os.getlogin()}")[0]) - modify_registry_owner(key, subkey, arch, win32sec.LookupAccountName(None, f"{platform.node()}\\{os.getlogin()}")[0]) + modify_registry_owner(key, subkey, arch, + win32sec.LookupAccountName(None, f"{platform.node()}\\{os.getlogin()}")[0]) modify_registry_key_mtime(key, subkey, arch) diff --git a/tests/integration/test_fim/test_registry/test_registry_wildcards/data/configuration_template/configuration_registry_wildcards.yaml b/tests/integration/test_fim/test_registry/test_registry_wildcards/data/configuration_template/configuration_registry_wildcards.yaml index 935238991b..a5fc64c6af 100644 
--- a/tests/integration/test_fim/test_registry/test_registry_wildcards/data/configuration_template/configuration_registry_wildcards.yaml +++ b/tests/integration/test_fim/test_registry/test_registry_wildcards/data/configuration_template/configuration_registry_wildcards.yaml @@ -27,4 +27,4 @@ - section: active-response elements: - disabled: - value: 'yes' \ No newline at end of file + value: 'yes' diff --git a/tests/integration/test_fim/test_registry/test_registry_wildcards/data/test_cases/cases_registry_value_wildcards.yaml b/tests/integration/test_fim/test_registry/test_registry_wildcards/data/test_cases/cases_registry_value_wildcards.yaml index 68367b86a2..93e679cc6a 100644 --- a/tests/integration/test_fim/test_registry/test_registry_wildcards/data/test_cases/cases_registry_value_wildcards.yaml +++ b/tests/integration/test_fim/test_registry/test_registry_wildcards/data/test_cases/cases_registry_value_wildcards.yaml @@ -20,4 +20,4 @@ FREQUENCY: 2 WINDOWS_REGISTRY: HKEY_LOCAL_MACHINE\*\*\PointerClas? metadata: - fim_mode: scheduled \ No newline at end of file + fim_mode: scheduled diff --git a/tests/integration/test_fim/test_registry/test_registry_wildcards/test_registry_wildcards.py b/tests/integration/test_fim/test_registry/test_registry_wildcards/test_registry_wildcards.py index ec23823dc9..68ff46df9a 100644 --- a/tests/integration/test_fim/test_registry/test_registry_wildcards/test_registry_wildcards.py +++ b/tests/integration/test_fim/test_registry/test_registry_wildcards/test_registry_wildcards.py @@ -287,4 +287,4 @@ def test_registry_value_wildcards(configuration, metadata, set_wazuh_configurati assert event_deleted is not None, 'Did not find the expected "registry_value deleted" event' # Delete key to clean enviroment - delete_registry(registry_parser[WINDOWS_HKEY_LOCAL_MACHINE], subkey, KEY_WOW64_64KEY) \ No newline at end of file + delete_registry(registry_parser[WINDOWS_HKEY_LOCAL_MACHINE], subkey, KEY_WOW64_64KEY) 
From 420eb03757d561aaf725516c6fec2c9a29406940 Mon Sep 17 00:00:00 2001 From: jnasselle Date: Thu, 6 Jul 2023 16:23:44 -0300 Subject: [PATCH 10/17] Bump version to 4.4.5 --- CHANGELOG.md | 13 +++++++++---- .../wazuh_testing/wazuh_testing/qa_docs/schema.yaml | 2 ++ version.json | 4 ++-- 3 files changed, 13 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e88094f153..fbe7bbb3fb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,12 +2,17 @@ All notable changes to this project will be documented in this file. -## [4.4.4] - TBD +## [4.4.5] - TBD -Wazuh commit: TBD -Release report: TBD +Wazuh commit: TDB +Release report: TDB -## Added +## [4.4.4] - 13-06-2023 + +Wazuh commit: https://github.com/wazuh/wazuh/commit/32b9b4684efb7c21ce71f80d845096549a5b4ed5 +Release report: https://github.com/wazuh/wazuh/issues/17520 + +### Added - Change test_python_flaws.py to accept branch or commit in the same argument. ([#4209](https://github.com/wazuh/wazuh-qa/pull/4209)) (Tests) - Fix test_dependencies.py for the changes in the feature. ([#4210](https://github.com/wazuh/wazuh-qa/pull/4210)) (Tests) diff --git a/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml b/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml index 5a27d8828a..101a7ce6a8 100644 --- a/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml +++ b/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml @@ -186,6 +186,8 @@ predefined_values: - 4.4.1 - 4.4.2 - 4.4.3 + - 4.4.4 + - 4.4.5 tags: - active_response - agentd diff --git a/version.json b/version.json index 539267a4f8..b66939fd10 100644 --- a/version.json +++ b/version.json @@ -1,4 +1,4 @@ { - "version": "4.4.4", - "revision": "40411" + "version": "4.4.5", + "revision": "40412" } From 1f2744caf04b11f9e624a972584b5b527131ed56 Mon Sep 17 00:00:00 2001 From: jnasselle Date: Mon, 10 Jul 2023 08:54:50 -0300 Subject: [PATCH 11/17] Bump to 4.4.5-rc2 --- CHANGELOG.md | 4 ++-- version.json | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index fbe7bbb3fb..1dfebcd63c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,8 +4,8 @@ All notable changes to this project will be documented in this file. ## [4.4.5] - TBD -Wazuh commit: TDB -Release report: TDB +Wazuh commit: TBD +Release report: TBD ## [4.4.4] - 13-06-2023 diff --git a/version.json b/version.json index b66939fd10..afa96ad9dd 100644 --- a/version.json +++ b/version.json @@ -1,4 +1,4 @@ { "version": "4.4.5", - "revision": "40412" + "revision": "40413" } From f020d8302b55c2cf03f9817c8be573525ac7ffce Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bel=C3=A9n=20Valdivia?= Date: Mon, 10 Jul 2023 06:59:07 -0700 Subject: [PATCH 12/17] Updated database version ` test_agent_database_version` test (#4128) * refactor(#4125): updated database version * refactor(#4125): updated changelog * refactor(#3879): added review changes * refactor(#3879): update wazuh minimal version --------- Co-authored-by: Octavio Valle --- CHANGELOG.md | 2 ++ .../test_wazuh_db/test_agent_database_version.py | 6 +++--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index cadd7b3cc0..791a732735 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,8 @@ All notable changes to this project will be documented in this file. Wazuh commit: TBD \ Release report: TBD +- Update schema database version ([#4128](https://github.com/wazuh/wazuh-qa/pull/4128)) \- (Tests) + ## [4.5.0] - TBD Wazuh commit: TBD \ diff --git a/tests/integration/test_wazuh_db/test_agent_database_version.py b/tests/integration/test_wazuh_db/test_agent_database_version.py index 9a0e9a4512..c7abf3b640 100644 --- a/tests/integration/test_wazuh_db/test_agent_database_version.py +++ b/tests/integration/test_wazuh_db/test_agent_database_version.py @@ -9,7 +9,7 @@ pytestmark = [TIER0, LINUX, SERVER] # Variables -expected_database_version = '10' +expected_database_version = '11' # Fixtures 
@@ -34,7 +34,7 @@ def test_agent_database_version(restart_wazuh_daemon, remove_agents): - Check that the manager database version is the expected one. - Check that the agent database version is the expected one. - wazuh_min_version: 4.4.0 + wazuh_min_version: 4.6.0 parameters: - restart_wazuh_daemon: @@ -45,7 +45,7 @@ def test_agent_database_version(restart_wazuh_daemon, remove_agents): - Verify that database version is the expected one. expected_output: - - Database version: 10 + - Database version: 11 tags: - wazuh_db From 32efe470f87e7ac5d6ce8143575cea27cd49f2f9 Mon Sep 17 00:00:00 2001 From: Julia Date: Tue, 11 Jul 2023 09:13:52 +0200 Subject: [PATCH 13/17] docs(#4303): update changelog --- CHANGELOG.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1dfebcd63c..e41fef514a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,10 +2,10 @@ All notable changes to this project will be documented in this file. -## [4.4.5] - TBD +## [4.4.5] - 10-07-2023 -Wazuh commit: TBD -Release report: TBD +Wazuh commit: https://github.com/wazuh/wazuh/commit/8d17d2c9c11bc10be9a31c83bc7c17dfbac0d2a0 \ +Release report: https://github.com/wazuh/wazuh/issues/17844 ## [4.4.4] - 13-06-2023 From 4e75c6ef578b50d2f296da490e3b98b0c93ff1c2 Mon Sep 17 00:00:00 2001 From: Raul Del Pozo Moreno Date: Tue, 11 Jul 2023 19:46:29 +0200 Subject: [PATCH 14/17] Fixed new line --- CHANGELOG.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2781bc9079..94075a8e60 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,7 +14,7 @@ Release report: https://github.com/wazuh/wazuh/issues/17844 ## [4.4.4] - 13-06-2023 -Wazuh commit: https://github.com/wazuh/wazuh/commit/32b9b4684efb7c21ce71f80d845096549a5b4ed5 +Wazuh commit: https://github.com/wazuh/wazuh/commit/32b9b4684efb7c21ce71f80d845096549a5b4ed5 \ Release report: https://github.com/wazuh/wazuh/issues/17520 ### Added 
@@ -28,7 +28,7 @@ Release report: https://github.com/wazuh/wazuh/issues/17520 ## [4.4.3] - 25-06-2023 -Wazuh commit: https://github.com/wazuh/wazuh/commit/f7080df56081adaeaad94529522233e2f0bbd577 +Wazuh commit: https://github.com/wazuh/wazuh/commit/f7080df56081adaeaad94529522233e2f0bbd577 \ Release report: https://github.com/wazuh/wazuh/issues/17198 ### Fixed @@ -38,7 +38,7 @@ Release report: https://github.com/wazuh/wazuh/issues/17198 ## [4.4.2] - 18-05-2023 -Wazuh commit: https://github.com/wazuh/wazuh/commit/b2901d5086e7a073d89f4f72827e070ce3abd8e8 +Wazuh commit: https://github.com/wazuh/wazuh/commit/b2901d5086e7a073d89f4f72827e070ce3abd8e8 \ Release report: https://github.com/wazuh/wazuh/issues/17004 ### Added From 1302e986136eda854878a6f0b9ad70d2d168eac7 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Seyla=20D=C3=A1maris=20Gomez?= Date: Fri, 21 Jul 2023 11:19:34 -0300 Subject: [PATCH 15/17] Merge 4.5.2 into 4.6.0 (#4348) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * feat(#4281): New invalid decoder test case for wazuh-logtest * fix(#4281): Fix invalid_decoder_syntax.yaml file line lengths * feat(#4325): upgrade pyyaml to 6.0.1 * feat: bump version 4.5.2 * refactor(#4344): Add space to version json * feat(#4344): add Release section --------- Co-authored-by: Vikman Fernandez-Castro Co-authored-by: Victor M. Fernandez-Castro Co-authored-by: jnasselle Co-authored-by: Julia Co-authored-by: Julia Magán <80041853+juliamagan@users.noreply.github.com> Co-authored-by: David Jose Iglesias Lopez Co-authored-by: Víctor Rebollo Pérez --- CHANGELOG.md | 8 +++ .../wazuh_testing/qa_docs/schema.yaml | 1 + requirements.txt | 2 +- .../data/custom_decoder_11.xml | 6 ++ .../data/invalid_decoder_syntax.yaml | 60 +++++++++++++++---- tests/system/requirements.txt | 2 +- .../test_jwt_invalidation/requirements.txt | 2 +- 7 files changed, 65 insertions(+), 16 deletions(-) create mode 100644 tests/integration/test_logtest/test_invalid_rule_decoders_syntax/data/custom_decoder_11.xml diff --git a/CHANGELOG.md b/CHANGELOG.md index 2f451f6ce3..d5e36e3821 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,13 @@ Release report: TBD - Add IT tests FIM registry monitoring using wildcards. ([#4270](https://github.com/wazuh/wazuh-qa/pull/4270)) \- (Framework + Tests) - Update schema database version ([#4128](https://github.com/wazuh/wazuh-qa/pull/4128)) \- (Tests) + +## [4.5.2] - TBD + +Wazuh commit: TBD \ +Release report: TBD + + ## [4.5.1] - TBD Wazuh commit: TBD \ 
@@ -55,6 +62,7 @@ Release report: TBD
 - Update Authd force_insert tests ([#3379](https://github.com/wazuh/wazuh-qa/pull/3379)) \- (Tests)
 - Update cluster logs in reliability tests ([#2772](https://github.com/wazuh/wazuh-qa/pull/2772)) \- (Tests)
 - Use correct version format in agent_simulator tool ([#3198](https://github.com/wazuh/wazuh-qa/pull/3198)) \- (Tools)
+- Upgrade PyYAML to 6.0.1. ([#4326](https://github.com/wazuh/wazuh-qa/pull/4326)) \- (Framework)
 ### Fixed
diff --git a/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml b/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml
index ce20e7e2a6..77a672c4a3 100644
--- a/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml
+++ b/deps/wazuh_testing/wazuh_testing/qa_docs/schema.yaml
@@ -190,6 +190,7 @@ predefined_values:
 - 4.4.5
 - 4.5.0
 - 4.5.1
+ - 4.5.2
 - 4.6.0
 tags:
 - active_response
diff --git a/requirements.txt b/requirements.txt
index f6619465bd..89f96c8f0d 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -23,7 +23,7 @@ pyOpenSSL==19.1.0
 pytest-html==3.1.1
 pytest==6.2.2 ; python_version <= "3.9"
 pytest==7.1.2 ; python_version >= "3.10"
-pyyaml==5.4
+pyyaml==6.0.1
 requests>=2.23.0
 scipy>=1.0; platform_system == "Linux" or platform_system == "Darwin" or platform_system=='Windows'
 seaborn>=0.11.1; platform_system == "Linux" or platform_system == "Darwin" or platform_system=='Windows'
diff --git a/tests/integration/test_logtest/test_invalid_rule_decoders_syntax/data/custom_decoder_11.xml b/tests/integration/test_logtest/test_invalid_rule_decoders_syntax/data/custom_decoder_11.xml
new file mode 100644
index 0000000000..ff315e9bb9
--- /dev/null
+++ b/tests/integration/test_logtest/test_invalid_rule_decoders_syntax/data/custom_decoder_11.xml
@@ -0,0 +1,6 @@
+
+
+ sudo
+ (\S+)
+ boom
+
diff --git a/tests/integration/test_logtest/test_invalid_rule_decoders_syntax/data/invalid_decoder_syntax.yaml b/tests/integration/test_logtest/test_invalid_rule_decoders_syntax/data/invalid_decoder_syntax.yaml
index 1ba2874481..8089b262da 100644
--- a/tests/integration/test_logtest/test_invalid_rule_decoders_syntax/data/invalid_decoder_syntax.yaml
+++ b/tests/integration/test_logtest/test_invalid_rule_decoders_syntax/data/invalid_decoder_syntax.yaml
@@ -2,77 +2,111 @@
 -
 name: "Invalid decoder syntax: garbage file"
 decoder: "custom_decoder_0.xml"
- input: '{"version":1,"origin":{"name":"Integration Test","module":"api"},"command":"log_processing","parameters":{"event": "dummy log","log_format": "syslog","location": "master->/var/log/syslog"}}'
+ input: >-
+ {"version":1,"origin":{"name":"Integration Test","module":"api"},"command":"log_processing","parameters":{"event":
+ "dummy log","log_format": "syslog","location": "master->/var/log/syslog"}}
 output_error: 0
- output_data_msg: "(1226): Error reading XML file 'etc/decoders/custom_decoder_0.xml': XMLERR: Attribute 'is' has no value. (line 2)."
+ output_data_msg: >-
+ (1226): Error reading XML file 'etc/decoders/custom_decoder_0.xml': XMLERR: Attribute 'is' has no value. (line 2).
 output_data_codemsg: -1
 -
 name: "Invalid decoder syntax: no closing XML tag"
 decoder: "custom_decoder_1.xml"
- input: '{"version":1,"origin":{"name":"Integration Test","module":"api"},"command":"log_processing","parameters":{"event": "dummy log","log_format": "syslog","location": "master->/var/log/syslog"}}'
+ input: >-
+ {"version":1,"origin":{"name":"Integration Test","module":"api"},"command":"log_processing","parameters":{"event":
+ "dummy log","log_format": "syslog","location": "master->/var/log/syslog"}}
 output_error: 0
- output_data_msg: "(1226): Error reading XML file 'etc/decoders/custom_decoder_1.xml': XMLERR: End of file and some elements were not closed. (line 3)."
+ output: >-
+ ata_msg: "(1226): Error reading XML file 'etc/decoders/custom_decoder_1.xml': XMLERR: End of file and some elements
+ were not closed. (line 3).
output_data_codemsg: -1
 -
 name: "Invalid decoder syntax: no existing parent"
 decoder: "custom_decoder_2.xml"
- input: '{"version":1,"origin":{"name":"Integration Test","module":"api"},"command":"log_processing","parameters":{"event": "dummy log","log_format": "syslog","location": "master->/var/log/syslog"}}'
+ input: >-
+ {"version":1,"origin":{"name":"Integration Test","module":"api"},"command":"log_processing","parameters":{"event":
+ "dummy log","log_format": "syslog","location": "master->/var/log/syslog"}}
 output_error: 0
 output_data_msg: "(2101): Parent decoder name invalid: 'test-parent'."
 output_data_codemsg: -1
 -
 name: "Invalid decoder syntax: no existing attribute"
 decoder: "custom_decoder_3.xml"
- input: '{"version":1,"origin":{"name":"Integration Test","module":"api"},"command":"log_processing","parameters":{"event": "dummy log","log_format": "syslog","location": "master->/var/log/syslog"}}'
+ input: >-
+ {"version":1,"origin":{"name":"Integration Test","module":"api"},"command":"log_processing","parameters":{"event":
+ "dummy log","log_format": "syslog","location": "master->/var/log/syslog"}}
 output_error: 0
 output_data_msg: "Invalid element 'invalid_field' for decoder 'decoder'"
 output_data_codemsg: -1
 -
 name: "Invalid decoder syntax: decoder with no name"
 decoder: "custom_decoder_4.xml"
- input: '{"version":1,"origin":{"name":"Integration Test","module":"api"},"command":"log_processing","parameters":{"event": "dummy log","log_format": "syslog","location": "master->/var/log/syslog"}}'
+ input: >-
+ {"version":1,"origin":{"name":"Integration Test","module":"api"},"command":"log_processing","parameters":{"event":
+ "dummy log","log_format": "syslog","location": "master->/var/log/syslog"}}
 output_error: 0
 output_data_msg: "(1230): Invalid element in the configuration: 'decoder'."
output_data_codemsg: -1
 -
 name: "Invalid decoder syntax: regex attribute without order attribute"
 decoder: "custom_decoder_5.xml"
- input: '{"version":1,"origin":{"name":"Integration Test","module":"api"},"command":"log_processing","parameters":{"event": "dummy log","log_format": "syslog","location": "master->/var/log/syslog"}}'
+ input: >-
+ {"version":1,"origin":{"name":"Integration Test","module":"api"},"command":"log_processing","parameters":{"event":
+ "dummy log","log_format": "syslog","location": "master->/var/log/syslog"}}
 output_error: 0
 output_data_msg: "(2107): Decoder configuration error: 'test'."
 output_data_codemsg: -1
 -
 name: "Invalid decoder syntax: regex attribute without prematch/program_name/parent attribute"
 decoder: "custom_decoder_6.xml"
- input: '{"version":1,"origin":{"name":"Integration Test","module":"api"},"command":"log_processing","parameters":{"event": "dummy log","log_format": "syslog","location": "master->/var/log/syslog"}}'
+ input: >-
+ {"version":1,"origin":{"name":"Integration Test","module":"api"},"command":"log_processing","parameters":{"event":
+ "dummy log","log_format": "syslog","location": "master->/var/log/syslog"}}
 output_error: 0
 output_data_msg: "(2108): No 'prematch' found in decoder: 'test'."
 output_data_codemsg: -1
 -
 name: "Invalid decoder syntax: order attribute without regex attribute"
 decoder: "custom_decoder_7.xml"
- input: '{"version":1,"origin":{"name":"Integration Test","module":"api"},"command":"log_processing","parameters":{"event": "dummy log","log_format": "syslog","location": "master->/var/log/syslog"}}'
+ input: >-
+ {"version":1,"origin":{"name":"Integration Test","module":"api"},"command":"log_processing","parameters":{"event":
+ "dummy log","log_format": "syslog","location": "master->/var/log/syslog"}}
 output_error: 0
 output_data_msg: "(2107): Decoder configuration error: 'test'."
output_data_codemsg: -1
 -
 name: "Invalid decoder syntax: two-level order parenting"
 decoder: "custom_decoder_8.xml"
- input: '{"version":1,"origin":{"name":"Integration Test","module":"api"},"command":"log_processing","parameters":{"event": "dummy log","log_format": "syslog","location": "master->/var/log/syslog"}}'
+ input: >-
+ {"version":1,"origin":{"name":"Integration Test","module":"api"},"command":"log_processing","parameters":{"event":
+ "dummy log","log_format": "syslog","location": "master->/var/log/syslog"}}
 output_error: 0
 output_data_msg: "(2101): Parent decoder name invalid: 'name1'."
 output_data_codemsg: -1
 -
 name: "Invalid decoder syntax: invalid plugin_decoder"
 decoder: "custom_decoder_9.xml"
- input: '{"version":1,"origin":{"name":"Integration Test","module":"api"},"command":"log_processing","parameters":{"event": "dummy log","log_format": "syslog","location": "master->/var/log/syslog"}}'
+ input: >-
+ {"version":1,"origin":{"name":"Integration Test","module":"api"},"command":"log_processing","parameters":{"event":
+ "dummy log","log_format": "syslog","location": "master->/var/log/syslog"}}
 output_error: 0
 output_data_msg: "(2110): Invalid decoder argument for plugin_decoder: 'INVALID_Decoder'."
 output_data_codemsg: -1
 -
 name: "Invalid decoder syntax: invalid offset"
 decoder: "custom_decoder_10.xml"
- input: '{"version":1,"origin":{"name":"Integration Test","module":"api"},"command":"log_processing","parameters":{"event": "dummy log","log_format": "syslog","location": "master->/var/log/syslog"}}'
+ input: >-
+ {"version":1,"origin":{"name":"Integration Test","module":"api"},"command":"log_processing","parameters":{"event":
+ "dummy log","log_format": "syslog","location": "master->/var/log/syslog"}}
 output_error: 0
 output_data_msg: "(2107): Decoder configuration error: 'name'."
output_data_codemsg: -1
+-
+ name: "Invalid decoder syntax: invalid offset"
+ decoder: "custom_decoder_11.xml"
+ input: >-
+ {"version":1,"origin":{"name":"Integration Test","module":"api"},"command":"log_processing","parameters":{"event":
+ "dummy log","log_format": "syslog","location": "master->/var/log/syslog"}}
+ output_error: 0
+ output_data_msg: "ERROR: (2120): Invalid offset value: 'sudo-fields'"
+ output_data_codemsg: -1
diff --git a/tests/system/requirements.txt b/tests/system/requirements.txt
index ce4131304c..ccf897698f 100644
--- a/tests/system/requirements.txt
+++ b/tests/system/requirements.txt
@@ -9,5 +9,5 @@ pandas>=1.1.5
 psutil==5.6.6
 pytest==4.5.0
 pytest-html==2.0.1
-PyYAML==5.4
+PyYAML==6.0.1
 testinfra==5.0.0
diff --git a/tests/system/test_jwt_invalidation/requirements.txt b/tests/system/test_jwt_invalidation/requirements.txt
index 95e3c6b804..15141fb4bb 100644
--- a/tests/system/test_jwt_invalidation/requirements.txt
+++ b/tests/system/test_jwt_invalidation/requirements.txt
@@ -8,5 +8,5 @@ lockfile==0.12.2
 psutil==5.6.6
 pytest==4.5.0
 pytest-html==2.0.1
-PyYAML==5.4
+PyYAML==6.0.1
 testinfra==5.0.0
From 6b81073733b764fd5c689e450b6a8f1e3a30dcbc Mon Sep 17 00:00:00 2001 From: Juan Nicolas Asselle Date: Fri, 21 Jul 2023 11:51:47 -0300 Subject: [PATCH 16/17] Move 4.5.0 `CHANGELOG.md` changes to 4.6.0 (#4331) --- CHANGELOG.md | 32 ++++++++++++-------------------- 1 file changed, 12 insertions(+), 20 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d5e36e3821..1963d6c0a1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
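Review bot: The "no closing XML tag" case (`custom_decoder_1.xml`) loses its `output_data_msg` key on the new side: as rendered here it reads `output: >-` followed by a folded line beginning `ata_msg: "(1226): ...`, so the expected message now sits under a stray `output` key with an opening `"` that is never closed, and a harness that looks up `output_data_msg` will find nothing for this case. The intended lines, in the style the first case already uses, are `output_data_msg: >-`, then `(1226): Error reading XML file 'etc/decoders/custom_decoder_1.xml': XMLERR: End of file and some elements`, then `were not closed. (line 3).`. Separately, the new `custom_decoder_11.xml` case reuses the name "Invalid decoder syntax: invalid offset" already used by `custom_decoder_10.xml`, so a failure report cannot tell the two apart; a distinct name (e.g. `"Invalid decoder syntax: invalid offset in sudo-fields"`) would fix that. Its expected message is also the only one in the file carrying an `ERROR: ` prefix, so if the harness compares the whole string, confirm that logtest really emits the prefix for this error rather than the bare `(2120): ...` form used elsewhere.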
@@ -9,26 +9,6 @@ Release report: TBD
 ### Added
-- Add IT tests FIM registry monitoring using wildcards. ([#4270](https://github.com/wazuh/wazuh-qa/pull/4270)) \- (Framework + Tests)
-- Update schema database version ([#4128](https://github.com/wazuh/wazuh-qa/pull/4128)) \- (Tests)
-
-
-## [4.5.2] - TBD
-
-Wazuh commit: TBD \
-Release report: TBD
-
-
-## [4.5.1] - TBD
-
-Wazuh commit: TBD \
-Release report: TBD
-
-## [4.5.0] - TBD
-
-Wazuh commit: TBD \
-Release report: TBD
-
 - New 'SCA' test suite and framework. ([#3566](https://github.com/wazuh/wazuh-qa/pull/3566)) \- (Framework + Tests)
 - Add integration tests for AWS module. ([#3911](https://github.com/wazuh/wazuh-qa/pull/3911)) \- (Framework + Tests + Documentation)
 - Add tests for msu patches with no associated CVE . ([#4009](https://github.com/wazuh/wazuh-qa/pull/4009)) \- (Framework + Tests)
@@ -40,6 +20,8 @@ Release report: TBD
 - Add new tests for logcollector 'ignore' and 'restrict' options ([#3582](https://github.com/wazuh/wazuh-qa/pull/3582)) \- (Tests)
 - Add 'Force reconnect' feature to agent_simulator tool. ([#3111](https://github.com/wazuh/wazuh-qa/pull/3111)) \- (Tools)
 - Add new module to support migration tool. ([#3837](https://github.com/wazuh/wazuh-qa/pull/3837))
+- Add IT tests FIM registry monitoring using wildcards. ([#4270](https://github.com/wazuh/wazuh-qa/pull/4270)) \- (Framework + Tests)
+- Update schema database version ([#4128](https://github.com/wazuh/wazuh-qa/pull/4128)) \- (Tests)
 ### Changed
@@ -74,6 +56,16 @@ Release report: TBD
 - Fix an error in the cluster performance tests related to CSV parser ([#2999](https://github.com/wazuh/wazuh-qa/pull/2999)) \- (Framework + Tests)
 - Fix bug in the framework on migration tool ([#4027](https://github.com/wazuh/wazuh-qa/pull/4027)) \- (Framework)
+## [4.5.1] - TBD
+
+Wazuh commit: TBD \
+Release report: TBD
+
+## [4.5.0] - TBD
+
+Wazuh commit: TBD \
+Release report: TBD
+
 ## [4.4.5] - 10-07-2023
 Wazuh commit: https://github.com/wazuh/wazuh/commit/8d17d2c9c11bc10be9a31c83bc7c17dfbac0d2a0 \
From 5beb116a640f29f4104f4cbe8613d711a7a04737 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9s=20Carmelo=20Micalizzi=20Casali?= Date: Mon, 24 Jul 2023 17:34:09 -0300 Subject: [PATCH 17/17] Fix registry wildcards path (#4357) * fix(#4356): fix configuration_templates path * docs(#4356): update test wazuh_min_version --- .../configuration_registry_wildcards.yaml | 0 .../test_registry_wildcards/test_registry_wildcards.py | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename tests/integration/test_fim/test_registry/test_registry_wildcards/data/{configuration_template => configuration_templates}/configuration_registry_wildcards.yaml (100%)
diff --git a/tests/integration/test_fim/test_registry/test_registry_wildcards/data/configuration_template/configuration_registry_wildcards.yaml b/tests/integration/test_fim/test_registry/test_registry_wildcards/data/configuration_templates/configuration_registry_wildcards.yaml
similarity index 100%
rename from tests/integration/test_fim/test_registry/test_registry_wildcards/data/configuration_template/configuration_registry_wildcards.yaml
rename to tests/integration/test_fim/test_registry/test_registry_wildcards/data/configuration_templates/configuration_registry_wildcards.yaml
diff --git a/tests/integration/test_fim/test_registry/test_registry_wildcards/test_registry_wildcards.py b/tests/integration/test_fim/test_registry/test_registry_wildcards/test_registry_wildcards.py
index 68ff46df9a..a0bc808d43 100644
--- a/tests/integration/test_fim/test_registry/test_registry_wildcards/test_registry_wildcards.py
+++ b/tests/integration/test_fim/test_registry/test_registry_wildcards/test_registry_wildcards.py
@@ -104,7 +104,7 @@ def test_registry_key_wildcards(configuration, metadata, set_wazuh_configuration
 description: Check the behavior of FIM when using wildcards to configure the path of registry keys, and validate the keys creation, modification and deletion is detected correctly.
- wazuh_min_version: 4.5.0
+ wazuh_min_version: 4.6.0
 test_phases:
 - setup: