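def test_report_changes_after_restart(get_configuration, configure_environment,
                                      restart_syscheckd, wait_for_fim_start):
    """
    Check if diff directories are removed after disabling report_changes and Wazuh is restarted.

    One value is written into two monitored keys and a diff file is expected for each of them.
    The configuration is then reloaded with report_changes set to 'no' and both diff
    directories must be gone: once report_changes is disabled no copy of the previous value
    content should stay on disk.

    Parameters
    ----------
    get_configuration : fixture
        Current test configuration; its 'tags' decide whether this test applies.
    configure_environment, restart_syscheckd, wait_for_fim_start : fixture
        Prepare the environment, restart syscheckd and wait for FIM to start.
    """
    check_apply_test({'test_delete_after_restart'}, get_configuration['tags'])
    value_name = 'random_value'

    # Each key has its own diff folder and diff file. The second pair must be computed
    # from sub_key_2; using sub_key_1 for both made the two pairs identical, so the
    # second key was never actually checked.
    folder_path_key1, diff_file_key_1 = calculate_registry_diff_paths(
        key, sub_key_1, KEY_WOW64_64KEY, value_name)
    folder_path_key2, diff_file_key_2 = calculate_registry_diff_paths(
        key, sub_key_2, KEY_WOW64_64KEY, value_name)

    # Open key
    key1_h = create_registry(registry_parser[key], sub_key_1, KEY_WOW64_64KEY)
    key2_h = create_registry(registry_parser[key], sub_key_2, KEY_WOW64_64KEY)

    # Modify the registry
    modify_registry_value(key1_h, value_name, REG_SZ, "some_content")
    modify_registry_value(key2_h, value_name, REG_SZ, "some_content")

    # Travel to future
    check_time_travel(True, monitor=wazuh_log_monitor)

    # With report_changes enabled a diff file must exist for both modified values.
    assert os.path.exists(
        diff_file_key_1), f'{diff_file_key_1} does not exists'
    assert os.path.exists(
        diff_file_key_2), f'{diff_file_key_2} does not exists'

    # Disable report_changes for both monitored registries and reload.
    reload_new_conf('no', test_regs[0], test_regs[1])

    # The whole diff folder of each key, not just the diff file, has to be removed.
    assert not os.path.exists(
        folder_path_key1), f'{folder_path_key1} does exists'
    assert not os.path.exists(
        folder_path_key2), f'{folder_path_key2} does exists'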
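 def report_changes_validator(event):
     """
     Validate that a diff file exists for every monitored value and that the event's
     content_changes field ends with MORE_CHANGES_STR.

     Relies on values, key, subkey, arch, MORE_CHANGES_STR and error_str from the
     enclosing scope (not visible here).

     Parameters
     ----------
     event : dict
         FIM event; its 'data' entry is expected to carry 'content_changes'.
     """
     for value in values:
         _, diff_file = calculate_registry_diff_paths(
             key, subkey, arch, value)
         # f-string: without the prefix the message showed the literal text '{diff_file}'.
         assert os.path.exists(diff_file), f'{diff_file} does not exist'
         # Fail with an assertion instead of a TypeError when the field is missing.
         content_changes = event['data'].get('content_changes')
         assert content_changes is not None, 'content_changes is empty'
         assert content_changes[-len(MORE_CHANGES_STR):] == MORE_CHANGES_STR, error_str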
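def test_disk_quota_values(key, subkey, arch, value_name, tags_to_apply, size,
                           get_configuration, configure_environment,
                           restart_syscheckd, wait_for_fim_start):
    """
    Check that update events carry no content_changes when the disk_quota is exceeded.

    A value of `size` characters is created, modified and deleted. When `size` is above
    `size_limit_configured` (module level) the update event must have no content_changes;
    otherwise the diff file must exist and the event must include them.

    Parameters
    ----------
    key : str
        Root key (HKEY_*)
    subkey : str
        path of the registry.
    arch : str
        Architecture of the registry.
    value_name : str
        Name of the value that will be created
    tags_to_apply : set
        Run test if match with a configuration identifier, skip otherwise.
    size : int
        Size of the content to write in value
    """
    check_apply_test(tags_to_apply, get_configuration['tags'])
    value_content = generate_string(size, '0')
    values = {value_name: value_content}

    _, diff_file = calculate_registry_diff_paths(key, subkey, arch, value_name)

    def report_changes_validator_no_diff(event):
        """Validate that the event carries no content_changes (quota exceeded)."""
        assert event['data'].get(
            'content_changes') is None, 'content_changes isn\'t empty'

    def report_changes_validator_diff(event):
        """Validate that the diff file exists and the event carries content_changes."""
        # f-string: without the prefix the message showed the literal text '{diff_file}'.
        assert os.path.exists(diff_file), f'{diff_file} does not exist'
        assert event['data'].get(
            'content_changes') is not None, 'content_changes is empty'

    # Pick the validator according to the limit configured for this run.
    if size > size_limit_configured:
        callback_test = report_changes_validator_no_diff
    else:
        callback_test = report_changes_validator_diff

    create_registry(registry_parser[key], subkey, arch)

    registry_value_cud(
        key,
        subkey,
        wazuh_log_monitor,
        arch=arch,
        value_list=values,
        time_travel=get_configuration['metadata']['fim_mode'] == 'scheduled',
        min_timeout=global_parameters.default_timeout,
        triggers_event=True,
        validators_after_update=[callback_test])

    # Remove the key, then travel to future as the other tests do.
    delete_registry(registry_parser[key], subkey, arch)
    check_time_travel(True, monitor=wazuh_log_monitor)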
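    def report_changes_validator(event):
        """
        Validate that a diff file exists for every monitored value and that the event
        carries a content_changes field.

        Relies on values, key, subkey and arch from the enclosing scope (not visible here).

        Parameters
        ----------
        event : dict
            FIM event; its 'data' entry is expected to carry 'content_changes'.
        """
        for value in values:
            _, diff_file = calculate_registry_diff_paths(
                key, subkey, arch, value)

            # f-string: without the prefix the message showed the literal text '{diff_file}'.
            assert os.path.exists(diff_file), f'{diff_file} does not exist'
            assert event['data'].get(
                'content_changes') is not None, 'content_changes is empty'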
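def test_report_when_deleted_key(key, subkey, arch, value_name, enabled,
                                 tags_to_apply, get_configuration,
                                 configure_environment, restart_syscheckd,
                                 wait_for_fim_start):
    """
    Check that the diff files are generated when there is a modification in a value and these files are deleted when
    the value is deleted.

    It also checks that the diff folder of the key is deleted when the key is deleted.

    With report_changes disabled (`enabled` False) no diff file may appear at any point,
    so the absence of the file is checked after the update as well as after the delete.

    Parameters
    ----------
    key : str
        Root key (HKEY_*)
    subkey : str
        path of the registry.
    arch : str
        Architecture of the registry.
    value_name : str
        Name of the value that will be created
    enabled: boolean
        True if report_changes is enabled
    tags_to_apply : set
        Run test if match with a configuration identifier, skip otherwise.
    """
    check_apply_test(tags_to_apply, get_configuration['tags'])

    folder_path, diff_file = calculate_registry_diff_paths(
        key, subkey, arch, value_name)

    def report_changes_diff_file_validator(unused_param):
        """Validator that checks the diff file was created for the value."""
        assert os.path.exists(diff_file), f'{diff_file} does not exist'

    def report_changes_removed_diff_file_validator(unused_param):
        """Validator that checks the diff file is absent (value removed or report_changes disabled)."""
        assert not os.path.exists(diff_file), f'{diff_file} does exist'

    # After the delete the file must be gone in both modes; only the post-update
    # expectation depends on whether report_changes is enabled.
    if enabled:
        vals_after_update = [report_changes_diff_file_validator]
    else:
        vals_after_update = [report_changes_removed_diff_file_validator]
    vals_after_delete = [report_changes_removed_diff_file_validator]

    registry_value_cud(key,
                       subkey,
                       wazuh_log_monitor,
                       arch=arch,
                       value_list={value_name: "some content"},
                       time_travel=True,
                       min_timeout=global_parameters.default_timeout,
                       validators_after_update=vals_after_update,
                       validators_after_delete=vals_after_delete)

    delete_registry(registry_parser[key], subkey, arch)

    # Deleting the key must remove its whole diff folder, not only the value's diff file.
    assert not os.path.exists(folder_path), f'{folder_path} exists'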