def test_checkers(key, subkey, arch, key_attrs, value_attrs, tags_to_apply, triggers_modification, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): """ Test the functionality of `check_all` option is activated/desactivated alone and together with other `check_*` options. Example: <windows_registry check_all="yes">HKEY_SOME_KEY</windows_registry>. Parameters ---------- key: str Root key (HKEY_* constants). subkey: str Path of the key. arch: int Architecture of the key. key_attrs: set Attributes for the key events. value_attrs: set Attributes for the value events. tags_to_apply: set Configuration that will be applied for every case. triggers_modification: boolean True if the given attributes trigger modification events. """ check_apply_test(tags_to_apply, get_configuration['tags']) # Test registry keys. registry_key_cud(key, subkey, wazuh_log_monitor, arch=arch, min_timeout=global_parameters.default_timeout, options=key_attrs, triggers_event_modified=triggers_modification, time_travel=True) # Test registry values. registry_value_cud(key, subkey, wazuh_log_monitor, min_timeout=global_parameters.default_timeout, options=value_attrs, triggers_event_modified=triggers_modification, time_travel=True)
def test_ignore_over_restrict_key(key, subkey, key_name, arch, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): """ Check registry values are ignored according to configuration. Parameters ---------- key : str Root key (HKEY_*) subkey : str path of the registry where the test will be executed. arch : str Architecture of the registry. """ check_apply_test({"ambiguous_ignore_restrict_key"}, get_configuration['tags']) # Test registry keys. registry_key_cud(key, subkey, wazuh_log_monitor, arch=arch, key_list=[key_name], min_timeout=global_parameters.default_timeout, time_travel=True, triggers_event=False)
def test_ambiguous_complex_checks(key, subkey, key_checkers, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): """ Check if the events of every configured key has the proper check attributes. Parameters ---------- key: str Key of the registry (HKEY_* constants). sub_key: str Path of the configured key. key_checkers: set Set of checks that are expected. """ check_apply_test({"complex_checks"}, get_configuration['tags']) # Test registry keys. registry_key_cud(key, subkey, wazuh_log_monitor, min_timeout=global_parameters.default_timeout, options=key_checkers, time_travel=True) # Test registry values. registry_value_cud(key, subkey, wazuh_log_monitor, min_timeout=global_parameters.default_timeout, options=key_checkers, time_travel=True)
def test_ambiguous_report_tags(key, subkey, tag, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): """ Check if syscheck detects the event property 'tags' for each configured entry. This test validates both situations, making sure that if tags='no', there won't be a tags event property. Parameters ---------- key: str Key of the registry (HKEY_* constants). sub_key: str Path of the configured key. tag: str Tag that is configured for each entry. If None, the entry isn't configured with a tag. """ check_apply_test({'complex_tags'}, get_configuration['tags']) def no_tag_validator(event): """Validate tags event property does not exist in the event.""" assert 'tags' not in event['data'].keys( ), "'Tags' attribute found in event" def tag_validator(event): """Validate tags event property exists in the event.""" assert tag == event['data']['tags'], 'Defined_tags are not equal' validator_after_create = [no_tag_validator] validator_after_update = [no_tag_validator] validator_after_delete = [no_tag_validator] if tag is not None: validator_after_create = [tag_validator] validator_after_update = [tag_validator] validator_after_delete = [tag_validator] # Test registry values. registry_key_cud(key, subkey, wazuh_log_monitor, min_timeout=global_parameters.default_timeout, time_travel=True, validators_after_create=validator_after_create, validators_after_update=validator_after_update, validators_after_delete=validator_after_delete) # Test registry values. registry_value_cud(key, subkey, wazuh_log_monitor, min_timeout=global_parameters.default_timeout, time_travel=True, validators_after_create=validator_after_create, validators_after_update=validator_after_update, validators_after_delete=validator_after_delete)
def test_ambiguous_restrict(key, sub_keys, is_key, name, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): """ Check restrict configuration events. Check if syscheck detects changes (add, modify, delete) of key/events depending on its restrict configuration. Parameters ---------- key: str Key of the registry (HKEY_* constants). sub_keys: tuple Tuple where the first element is the path of a key that won't raise alerts due to the restrict and the second element is a key that will raise alerts. is_key: boolean Variable to distinguish if the restrict is for keys or for values. name: str String with the name of the value/key that will be created. """ check_apply_test({"ambiguous_restrict"}, get_configuration['tags']) if is_key: registry_key_cud(key, sub_keys[0], wazuh_log_monitor, key_list=[name], arch=KEY_WOW64_64KEY, triggers_event=False, time_travel=True, min_timeout=global_parameters.default_timeout) registry_key_cud(key, sub_keys[1], wazuh_log_monitor, key_list=[name], arch=KEY_WOW64_64KEY, triggers_event=True, time_travel=True, min_timeout=global_parameters.default_timeout) else: registry_value_cud(key, sub_keys[0], wazuh_log_monitor, value_list=[name], arch=KEY_WOW64_64KEY, triggers_event=False, time_travel=True, min_timeout=global_parameters.default_timeout) registry_value_cud(key, sub_keys[1], wazuh_log_monitor, value_list=[name], triggers_event=True, time_travel=True, min_timeout=global_parameters.default_timeout)
def test_ambiguous_checks(key, subkey, key_checkers, subkey_checkers, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): """ Check if syscheck detects the event property 'tags' for each event. This test validates both situations, making sure that if tags='no', there won't be a tags event property. Parameters ---------- key: str Key of the registry (HKEY_* constants). sub_keys: tuple Tuple where ther first element is the configured key and the second is the configured subkey. arch: int Architecture of the key. """ check_apply_test({"ambiguous_checks"}, get_configuration['tags']) # Test registry keys. registry_key_cud( key, subkey[0], wazuh_log_monitor, min_timeout=global_parameters.default_timeout, options=key_checkers, time_travel=get_configuration['metadata']['fim_mode'] == 'scheduled') # Test registry values. registry_value_cud( key, subkey[0], wazuh_log_monitor, min_timeout=global_parameters.default_timeout, options=key_checkers, time_travel=get_configuration['metadata']['fim_mode'] == 'scheduled') # Test registry keys. registry_key_cud( key, subkey[1], wazuh_log_monitor, min_timeout=global_parameters.default_timeout, options=subkey_checkers, time_travel=get_configuration['metadata']['fim_mode'] == 'scheduled') # Test registry values. registry_value_cud( key, subkey[1], wazuh_log_monitor, min_timeout=global_parameters.default_timeout, options=subkey_checkers, time_travel=get_configuration['metadata']['fim_mode'] == 'scheduled')
def test_registry_changes(key, subkey, arch, value_type, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): """ Check if events appear for subkeys/values of a monitored key """ registry_key_cud(key, subkey, wazuh_log_monitor, arch=arch, time_travel=get_configuration['metadata']['fim_mode'] == 'scheduled', min_timeout=global_parameters.default_timeout, triggers_event=True) registry_value_cud(key, subkey, wazuh_log_monitor, arch=arch, time_travel=get_configuration['metadata']['fim_mode'] == 'scheduled', min_timeout=global_parameters.default_timeout, triggers_event=True, value_type=value_type)
def test_ambiguous_recursion(key, subkey, arch, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): """ Check if syscheck detects the event property 'tags' for each event. This test validates both situations, making sure that if tags='no', there won't be a tags event property. Parameters ---------- key: str Key of the registry (HKEY_* constants). sub_keys: str Path of the subkey that will be used for the test (must have a higher recursion level than the configured key). Example: <windows_registry recursion_level="2">HKLM//some_key</windows_registry> subkey = HKLM//some_key//1//2//3 arch: int Architecture of the key. """ expected_recursion_key = os.path.join(subkey, key_name) check_apply_test({"ambiguous_recursion"}, get_configuration['tags']) registry_key_cud(key, subkey, wazuh_log_monitor, arch=arch, time_travel=True, triggers_event=False, min_timeout=global_parameters.default_timeout) registry_key_cud(key, expected_recursion_key, wazuh_log_monitor, arch=arch, time_travel=True, triggers_event=True, min_timeout=global_parameters.default_timeout) registry_value_cud(key, expected_recursion_key, wazuh_log_monitor, arch=arch, time_travel=True, triggers_event=True, min_timeout=global_parameters.default_timeout)
def test_duplicate_entries(key, subkey, arch, key_list, value_list, checkers, tags_to_apply, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): """ Check that duplicate antries are overwritten by the last entry. Parameters ---------- key: str Root key (HKEY_*) subkey: str path of the registry where the test will be executed. arch: str Architecture of the registry. key_list: list List with the name of the keys that will be used for cud. If None, registry_key_cud won't be executed. value_list: list List with the name of the values that will be used for cud. If None, registry_value_cud won't be executed. checkers: set Set with the checkers that are expected in the events. """ check_apply_test(tags_to_apply, get_configuration['tags']) # Test registry keys. if key_list is not None: registry_key_cud(key, subkey, wazuh_log_monitor, arch=arch, key_list=key_list, options=checkers, min_timeout=global_parameters.default_timeout, time_travel=True, triggers_event=True) if value_list is not None: registry_value_cud(key, subkey, wazuh_log_monitor, arch=arch, value_list=value_list, options=checkers, min_timeout=global_parameters.default_timeout, time_travel=True, triggers_event=True)
def test_ambiguous_tags(key, sub_keys, arch, get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start): """Check if syscheck detects the event property 'tags' for each event. This test validates both situations, making sure that if tags='no', there won't be a tags event property. Parameters ---------- key: str Key of the registry (HKEY_* constants). sub_keys: tuple Tuple where the first element is the path of a key that will have the tag attribute and the second won't have the tag attribute. arch: int Architecture of the key. """ def tag_validator(event): """Validate tags event property exists in the event.""" assert tag == event['data']['tags'], 'Defined_tags are not equal' def no_tag_validator(event): """Validate tags event property does not exist in the event.""" assert 'tags' not in event['data'].keys( ), "'Tags' attribute found in event" check_apply_test({"ambiguous_tag"}, get_configuration['tags']) registry_key_cud(key, sub_keys[0], wazuh_log_monitor, arch=arch, time_travel=True, min_timeout=global_parameters.default_timeout, validators_after_cud=[tag_validator]) registry_key_cud(key, sub_keys[1], wazuh_log_monitor, arch=arch, time_travel=True, min_timeout=global_parameters.default_timeout, validators_after_cud=[no_tag_validator])