Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Migrate test_active_response documentation to qa-docs #1960

Merged
merged 2 commits into from
Nov 2, 2021

Conversation

mdengra
Copy link
Contributor

@mdengra mdengra commented Oct 1, 2021

Related issue
#1796

Description

As part of epic #1796, this PR adds the missing documentation and migrates the current documentation to the new format used by qa-docs.
The schema used is the one defined in issue #1694

Generated documentation

test_analysisd

test_os_exec.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <[email protected]>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "Active responses perform various countermeasures to address active threats, such as blocking access to an agent from the threat source when certain criteria are met. These tests will check if the 'wazuh-analysisd' daemon processes 'active response' messages correctly.",
    "tier": 0,
    "modules": [
        "active_response"
    ],
    "components": [
        "manager"
    ],
    "daemons": [
        "wazuh-analysisd"
    ],
    "os_platform": [
        "linux"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/active-response/#active-response"
    ],
    "tags": [
        "ar_analysisd"
    ],
    "name": "test_os_exec.py",
    "id": 1,
    "group_id": 0,
    "tests": [
        {
            "description": "Check if 'active response' messages are sent in the correct format depending on the agent version used. For this purpose, simulated agents with different properties are created, and messages in two formats (string and JSON) are sent to the socket of the 'wazuh-analisysd' daemon, which should process them correctly.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "set_debug_mode": {
                        "type": "fixture",
                        "brief": "Set execd daemon in debug mode."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "restart_service": {
                        "type": "fixture",
                        "brief": "Restart the Wazuh manager and clean the 'ossec.log' file."
                    }
                },
                {
                    "configure_agents": {
                        "type": "fixture",
                        "brief": "Create simulated agents for testing."
                    }
                }
            ],
            "assertions": [
                "Verify that 'active response' messages in the old string format are valid.",
                "Verify that 'active response' messages in the new JSON format are valid."
            ],
            "input_description": "Different use cases are found in the test module and include parameters for 'active response' messages and metadata to configure the testing environment.",
            "expected_output": [
                "r'Active response request received'",
                "Active response message with the structure defined in the validate_new_ar_message function (for Wazuh versions >= 4.2).",
                "Active response message with the structure defined in the validate_old_ar_message function (for Wazuh versions < 4.2)."
            ],
            "tags": [
                "simulator"
            ],
            "name": "test_os_exec",
            "inputs": [
                "get_configuration0",
                "get_configuration1",
                "get_configuration2",
                "get_configuration3",
                "get_configuration4",
                "get_configuration5"
            ]
        }
    ]
}

test_os_exec.yaml

brief: Active responses perform various countermeasures to address active threats,
  such as blocking access to an agent from the threat source when certain criteria
  are met. These tests will check if the 'wazuh-analysisd' daemon processes 'active
  response' messages correctly.
components:
- manager
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <[email protected]>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-analysisd
group_id: 0
id: 1
modules:
- active_response
name: test_os_exec.py
os_platform:
- linux
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/active-response/#active-response
tags:
- ar_analysisd
tests:
- assertions:
  - Verify that 'active response' messages in the old string format are valid.
  - Verify that 'active response' messages in the new JSON format are valid.
  description: Check if 'active response' messages are sent in the correct format
    depending on the agent version used. For this purpose, simulated agents with different
    properties are created, and messages in two formats (string and JSON) are sent
    to the socket of the 'wazuh-analisysd' daemon, which should process them correctly.
  expected_output:
  - r'Active response request received'
  - Active response message with the structure defined in the validate_new_ar_message
    function (for Wazuh versions >= 4.2).
  - Active response message with the structure defined in the validate_old_ar_message
    function (for Wazuh versions < 4.2).
  input_description: Different use cases are found in the test module and include
    parameters for 'active response' messages and metadata to configure the testing
    environment.
  inputs:
  - get_configuration0
  - get_configuration1
  - get_configuration2
  - get_configuration3
  - get_configuration4
  - get_configuration5
  name: test_os_exec
  parameters:
  - set_debug_mode:
      brief: Set execd daemon in debug mode.
      type: fixture
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - restart_service:
      brief: Restart the Wazuh manager and clean the 'ossec.log' file.
      type: fixture
  - configure_agents:
      brief: Create simulated agents for testing.
      type: fixture
  tags:
  - simulator
  wazuh_min_version: 4.2.0
tier: 0
type: integration

test_execd

test_execd_firewall_drop.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <[email protected]>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "Active responses execute a script in response to the triggering of specific alerts based on the alert level or rule group. These tests will check if the 'active responses', which are executed by the 'wazuh-execd' daemon via scripts, run correctly.",
    "tier": 0,
    "modules": [
        "active_response"
    ],
    "components": [
        "agent"
    ],
    "daemons": [
        "wazuh-analysisd",
        "wazuh-execd"
    ],
    "os_platform": [
        "linux"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/active-response/#active-response"
    ],
    "tags": [
        "ar_execd"
    ],
    "name": "test_execd_firewall_drop.py",
    "id": 3,
    "group_id": 0,
    "tests": [
        {
            "description": "Check if 'firewall-drop' command of 'active response' is executed correctly. For this purpose, a simulated agent is used and the 'active response' is sent to it. This response includes an IP address that must be added and removed from 'iptables', the Linux firewall.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "set_debug_mode": {
                        "type": "fixture",
                        "brief": "Set the 'wazuh-execd' daemon in debug mode."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "test_version": {
                        "type": "fixture",
                        "brief": "Validate the Wazuh version."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "remove_ip_from_iptables": {
                        "type": "fixture",
                        "brief": "Remove the testing IP address from 'iptables' if it exists."
                    }
                },
                {
                    "start_agent": {
                        "type": "fixture",
                        "brief": "Create 'wazuh-remoted' and 'wazuh-authd' simulators, register agent and start it."
                    }
                },
                {
                    "set_ar_conf_mode": {
                        "type": "fixture",
                        "brief": "Configure the 'active responses' used in the test."
                    }
                }
            ],
            "assertions": [
                "Verify that the testing IP address is added to 'iptables'.",
                "Verify that the testing IP address is removed from 'iptables'."
            ],
            "input_description": "Different use cases are found in the test module and include parameters for 'firewall-drop' command and the expected result.",
            "expected_output": [
                {
                    "r'DEBUG": "Received message'"
                },
                "r'Starting'",
                "r'active-response/bin/firewall-drop'",
                "r'Ended'",
                "r'Cannot read 'srcip' from data' (If the 'active response' fails)"
            ],
            "tags": [
                "simulator"
            ],
            "name": "test_execd_firewall_drop",
            "inputs": [
                "get_configuration0",
                "get_configuration1"
            ]
        }
    ]
}

test_execd_firewall_drop.yaml

brief: Active responses execute a script in response to the triggering of specific
  alerts based on the alert level or rule group. These tests will check if the 'active
  responses', which are executed by the 'wazuh-execd' daemon via scripts, run correctly.
components:
- agent
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <[email protected]>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-analysisd
- wazuh-execd
group_id: 0
id: 3
modules:
- active_response
name: test_execd_firewall_drop.py
os_platform:
- linux
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/active-response/#active-response
tags:
- ar_execd
tests:
- assertions:
  - Verify that the testing IP address is added to 'iptables'.
  - Verify that the testing IP address is removed from 'iptables'.
  description: Check if 'firewall-drop' command of 'active response' is executed correctly.
    For this purpose, a simulated agent is used and the 'active response' is sent
    to it. This response includes an IP address that must be added and removed from
    'iptables', the Linux firewall.
  expected_output:
  - r'DEBUG: Received message'
  - r'Starting'
  - r'active-response/bin/firewall-drop'
  - r'Ended'
  - r'Cannot read 'srcip' from data' (If the 'active response' fails)
  input_description: Different use cases are found in the test module and include
    parameters for 'firewall-drop' command and the expected result.
  inputs:
  - get_configuration0
  - get_configuration1
  name: test_execd_firewall_drop
  parameters:
  - set_debug_mode:
      brief: Set the 'wazuh-execd' daemon in debug mode.
      type: fixture
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - test_version:
      brief: Validate the Wazuh version.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - remove_ip_from_iptables:
      brief: Remove the testing IP address from 'iptables' if it exists.
      type: fixture
  - start_agent:
      brief: Create 'wazuh-remoted' and 'wazuh-authd' simulators, register agent and
        start it.
      type: fixture
  - set_ar_conf_mode:
      brief: Configure the 'active responses' used in the test.
      type: fixture
  tags:
  - simulator
  wazuh_min_version: 4.2.0
tier: 0
type: integration

 

test_execd_restart.json

{
    "copyright": "Copyright (C) 2015-2021, Wazuh Inc.\nCreated by Wazuh, Inc. <[email protected]>.\nThis program is free software; you can redistribute it and/or modify it under the terms of GPLv2",
    "type": "integration",
    "brief": "Active responses execute a script in response to the triggering of specific alerts based on the alert level or rule group. These tests will check if the 'active responses', which are executed by the 'wazuh-execd' daemon via scripts, run correctly.",
    "tier": 0,
    "modules": [
        "active_response"
    ],
    "components": [
        "agent"
    ],
    "daemons": [
        "wazuh-analysisd",
        "wazuh-execd"
    ],
    "os_platform": [
        "linux"
    ],
    "os_version": [
        "Arch Linux",
        "Amazon Linux 2",
        "Amazon Linux 1",
        "CentOS 8",
        "CentOS 7",
        "CentOS 6",
        "Ubuntu Focal",
        "Ubuntu Bionic",
        "Ubuntu Xenial",
        "Ubuntu Trusty",
        "Debian Buster",
        "Debian Stretch",
        "Debian Jessie",
        "Debian Wheezy",
        "Red Hat 8",
        "Red Hat 7",
        "Red Hat 6"
    ],
    "references": [
        "https://documentation.wazuh.com/current/user-manual/capabilities/active-response/#active-response"
    ],
    "name": "test_execd_restart.py",
    "id": 2,
    "group_id": 0,
    "tests": [
        {
            "description": "Check if 'restart-wazuh' command of 'active response' is executed correctly. For this purpose, a simulated agent is used, to which the active response is sent. This response includes the order to restart the Wazuh agent, which must restart after receiving this response.",
            "wazuh_min_version": "4.2.0",
            "parameters": [
                {
                    "set_debug_mode": {
                        "type": "fixture",
                        "brief": "Set execd daemon in debug mode."
                    }
                },
                {
                    "get_configuration": {
                        "type": "fixture",
                        "brief": "Get configurations from the module."
                    }
                },
                {
                    "test_version": {
                        "type": "fixture",
                        "brief": "Validate Wazuh version."
                    }
                },
                {
                    "configure_environment": {
                        "type": "fixture",
                        "brief": "Configure a custom environment for testing."
                    }
                },
                {
                    "start_agent": {
                        "type": "fixture",
                        "brief": "Create Remoted and Authd simulators, register agent and start it."
                    }
                },
                {
                    "set_ar_conf_mode": {
                        "type": "fixture",
                        "brief": "Configure Active Responses used in tests."
                    }
                }
            ],
            "assertions": [
                "Verify that the 'active response' 'restart-wazuh' is received.",
                "Verify that the agent is ready to restart."
            ],
            "input_description": "Different use cases are found in the test module and include parameters for 'restart-wazuh' command and the expected result.",
            "expected_output": [
                {
                    "r'DEBUG": "Received message'"
                },
                "r'Shutdown received. Deleting responses.'",
                "r'Starting'",
                "r'active-response/bin/restart-wazuh'",
                "r'Ended'",
                "r'Invalid input format' (If the 'active response' fails)"
            ],
            "tags": [
                "simulator"
            ],
            "name": "test_execd_restart",
            "inputs": [
                "get_configuration0",
                "get_configuration1"
            ]
        }
    ]
}

test_execd_restart.yaml

brief: Active responses execute a script in response to the triggering of specific
  alerts based on the alert level or rule group. These tests will check if the 'active
  responses', which are executed by the 'wazuh-execd' daemon via scripts, run correctly.
components:
- agent
copyright: 'Copyright (C) 2015-2021, Wazuh Inc.

  Created by Wazuh, Inc. <[email protected]>.

  This program is free software; you can redistribute it and/or modify it under the
  terms of GPLv2'
daemons:
- wazuh-analysisd
- wazuh-execd
group_id: 0
id: 2
modules:
- active_response
name: test_execd_restart.py
os_platform:
- linux
os_version:
- Arch Linux
- Amazon Linux 2
- Amazon Linux 1
- CentOS 8
- CentOS 7
- CentOS 6
- Ubuntu Focal
- Ubuntu Bionic
- Ubuntu Xenial
- Ubuntu Trusty
- Debian Buster
- Debian Stretch
- Debian Jessie
- Debian Wheezy
- Red Hat 8
- Red Hat 7
- Red Hat 6
references:
- https://documentation.wazuh.com/current/user-manual/capabilities/active-response/#active-response
tests:
- assertions:
  - Verify that the 'active response' 'restart-wazuh' is received.
  - Verify that the agent is ready to restart.
  description: Check if 'restart-wazuh' command of 'active response' is executed correctly.
    For this purpose, a simulated agent is used, to which the active response is sent.
    This response includes the order to restart the Wazuh agent, which must restart
    after receiving this response.
  expected_output:
  - r'DEBUG: Received message'
  - r'Shutdown received. Deleting responses.'
  - r'Starting'
  - r'active-response/bin/restart-wazuh'
  - r'Ended'
  - r'Invalid input format' (If the 'active response' fails)
  input_description: Different use cases are found in the test module and include
    parameters for 'restart-wazuh' command and the expected result.
  inputs:
  - get_configuration0
  - get_configuration1
  name: test_execd_restart
  parameters:
  - set_debug_mode:
      brief: Set execd daemon in debug mode.
      type: fixture
  - get_configuration:
      brief: Get configurations from the module.
      type: fixture
  - test_version:
      brief: Validate Wazuh version.
      type: fixture
  - configure_environment:
      brief: Configure a custom environment for testing.
      type: fixture
  - start_agent:
      brief: Create Remoted and Authd simulators, register agent and start it.
      type: fixture
  - set_ar_conf_mode:
      brief: Configure Active Responses used in tests.
      type: fixture
  tags:
  - simulator
  wazuh_min_version: 4.2.0
tier: 0
type: integration

Tests

  • Python codebase satisfies PEP-8 style style guide. pycodestyle --max-line-length=120 --show-source --show-pep8 file.py.
  • The DocGenerator sanity check test does not return errors. python3 DocGenerator.py -s

The following tests have been documentated:
  * test_os_exec.py
  * test_execd_firewall_drop.py
  * test_execd_restart.py
The current scheme of the issue #1694 has been used.
PEP-8 fixes.

Closes: #1796
@mdengra mdengra requested a review from snaow October 1, 2021 09:10
@mdengra mdengra self-assigned this Oct 1, 2021
@roronoasins roronoasins changed the title Migrate test_active_response documentation to qa-docs Migrate test_active_response documentation to qa-docs Oct 29, 2021
@snaow snaow merged commit 1444528 into master Nov 2, 2021
@snaow snaow deleted the 1796-migrate-doc-active-response branch November 2, 2021 19:37
@snaow snaow mentioned this pull request Jan 27, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants