def disable_report_changes(fim_mode):
    """Set ``report_changes`` to 'no' in ``ossec.conf`` and restart Syscheck.

    Parameters
    ----------
    fim_mode : str
        FIM mode handed to ``detect_fim_scan`` so the function blocks until
        the scan that follows the restart has finished.
    """
    # Build the modified configuration and apply the sections of its first entry.
    modified = change_conf(report_value='no')
    sections = modified[0].get('sections')
    restart_wazuh_with_new_conf(set_section_wazuh_conf(sections))
    # Do not return before the post-restart FIM scan has completed.
    detect_fim_scan(wazuh_log_monitor, fim_mode)
def reload_new_conf(report_value, reg1, reg2):
    """Load a configuration with a new ``report_changes`` value and restart Wazuh.

    The third configuration of the YAML file is applied, then the function
    waits for the initial FIM scan to finish. Nothing is returned.

    Parameters
    ----------
    report_value : str
        Value used for the ``report_changes`` option of both registry entries.
    reg1 : str
        Registry path written to the configuration as WINDOWS_REGISTRY_1.
    reg2 : str
        Registry path written to the configuration as WINDOWS_REGISTRY_2.
    """
    extra = {
        'WINDOWS_REGISTRY_1': reg1,
        'WINDOWS_REGISTRY_2': reg2,
        'REPORT_CHANGES_1': report_value,
        'REPORT_CHANGES_2': report_value,
    }
    params, metadata = generate_params(extra_params=extra, modes=['scheduled'])
    configurations = load_wazuh_configurations(configurations_path, __name__,
                                               params=params, metadata=metadata)
    # Index 2: the third configuration defined in the YAML file is the one used here.
    sections = configurations[2].get('sections')
    restart_wazuh_with_new_conf(set_section_wazuh_conf(sections))
    # Block until the initial scan after the restart has finished.
    detect_initial_scan(wazuh_log_monitor)
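def test_skip_proc(get_configuration, configure_environment, restart_syscheckd, wait_for_initial_scan):
    """Check that syscheckd skips ``/proc`` when ``skip_proc="yes"`` is set.

    With ``skip_proc="no"`` a helper process (``data/proc.py``) is started and
    only its ``/proc/<pid>`` directory is monitored, so FIM events for that
    path must appear after time travel. With ``skip_proc="yes"`` no integrity
    state event is expected at all.

    Parameters
    ----------
    get_configuration : fixture
        Current configuration; its ``tags`` and ``metadata['skip']`` are read.
    configure_environment, restart_syscheckd, wait_for_initial_scan : fixture
        Prepare the environment and wait for the initial scan before the body runs.
    """
    check_apply_test({'skip_proc'}, get_configuration['tags'])
    trigger = get_configuration['metadata']['skip'] == 'no'

    if not trigger:
        # skip_proc="yes": no integrity state must be reported within the timeout.
        # Reaching the raise means an event arrived, which fails the test.
        with pytest.raises(TimeoutError):
            event = wazuh_log_monitor.start(timeout=3, callback=callback_detect_integrity_state)
            raise AttributeError(f'Unexpected event {event}')
        return

    helper_script = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'data', 'proc.py')
    proc = subprocess.Popen(["python3", helper_script])
    try:
        # Monitor only /proc/PID to expect only these events. Otherwise the test
        # would fail with timeouts because integrity scans of /proc take too long.
        new_conf = change_conf(f'/proc/{proc.pid}')
        new_ossec_conf = []
        # Pick the skip_proc="no" configuration to apply
        for conf in new_conf:
            if conf['metadata']['skip'] == 'no' and conf['tags'] == ['skip_proc']:
                new_ossec_conf = set_section_wazuh_conf(conf.get('sections'))
        restart_wazuh_with_new_conf(new_ossec_conf)

        truncate_file(LOG_FILE_PATH)
        proc_monitor = FileMonitor(LOG_FILE_PATH)
        detect_initial_scan(proc_monitor)

        # Do not expect any 'Sending event' before time travel
        with pytest.raises(TimeoutError):
            proc_monitor.start(timeout=3, callback=callback_detect_event,
                               error_message='Did not receive expected "Sending FIM event: ..." event')

        check_time_travel(time_travel=True, monitor=wazuh_log_monitor)

        expected_prefix = f'/proc/{proc.pid}/'
        while True:
            event = proc_monitor.start(timeout=5, callback=callback_detect_event,
                                       error_message='Did not receive expected '
                                                     '"Sending FIM event: ..." event').result()
            # 'path' may be missing from an event; default to '' instead of raising TypeError
            if expected_prefix in (event['data'].get('path') or ''):
                break
    finally:
        # Always terminate the helper, even when an assertion above fails, so no
        # stray process is left behind. Popen.kill() is a no-op once the child has
        # exited (it polls first), which avoids signalling a reused PID the way a
        # separate `kill -9 PID` could; wait() reaps it so no zombie remains.
        proc.kill()
        proc.wait()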
def test_no_report_changes(path, get_configuration, configure_environment, restart_syscheckd, wait_for_initial_scan):
    """Check that the diff copy of a file is removed once ``report_changes`` is set to 'no'.

    Parameters
    ----------
    path : str
        Monitored path in which the test file is created.
    get_configuration : fixture
        Current configuration; ``metadata['fim_mode']`` is read from it.
    configure_environment, restart_syscheckd, wait_for_initial_scan : fixture
        Prepare the environment and wait for the initial scan before the body runs.
    """
    mode = get_configuration['metadata']['fim_mode']
    # Create the file and confirm its diff copy exists before disabling the option
    report = create_and_check_diff(FILE_NAME, path, mode)
    original_conf = get_wazuh_conf()
    try:
        disable_report_changes(mode)
        assert not os.path.exists(report), f'{report} exists'
    finally:
        # Put the original configuration back so later tests are not affected
        restart_wazuh_with_new_conf(original_conf)
        detect_fim_scan(wazuh_log_monitor, mode)
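def test_report_changes_after_restart(get_configuration, configure_environment, restart_syscheckd, wait_for_initial_scan):
    """Check that duplicated directories in diff are deleted when Syscheck restarts.

    Syscheck removes the duplicated directories in ``diff`` on restart but
    creates them again if ``report_changes`` is still enabled. The option is
    therefore turned off before the restart so the directories are not
    re-created.

    Parameters
    ----------
    get_configuration : fixture
        Current configuration; ``metadata['fim_mode']`` is read from it.
    configure_environment, restart_syscheckd, wait_for_initial_scan : fixture
        Prepare the environment and wait for the initial scan before the body runs.
    """
    fim_mode = get_configuration['metadata']['fim_mode']
    # Create a file in the monitored path to force the creation of a report in diff
    diff_file_path = create_and_check_diff(FILE_NAME, testdir_reports, fim_mode)
    backup_conf = get_wazuh_conf()
    try:
        # The disable_report_changes helper in this module takes the FIM mode
        # (it needs it to wait for the post-restart scan); calling it with no
        # argument raises TypeError before the assertion is ever reached.
        disable_report_changes(fim_mode)
        assert not os.path.exists(diff_file_path), f'{diff_file_path} exists'
    finally:
        # Restore the original conf file so as not to interfere with other tests
        restart_wazuh_with_new_conf(backup_conf)
        detect_fim_scan(wazuh_log_monitor, fim_mode)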