def test_checkers(key, subkey, arch, key_attrs, value_attrs, tags_to_apply, triggers_modification,
get_configuration, configure_environment, restart_syscheckd, wait_for_fim_start):
"""
Test the functionality of `check_all` option is activated/desactivated alone and together with other
`check_*` options.
Example:
<windows_registry check_all="yes">HKEY_SOME_KEY</windows_registry>.
Parameters
----------
key: str
Root key (HKEY_* constants).
subkey: str
Path of the key.
arch: int
Architecture of the key.
key_attrs: set
Attributes for the key events.
value_attrs: set
Attributes for the value events.
tags_to_apply: set
Configuration that will be applied for every case.
triggers_modification: boolean
True if the given attributes trigger modification events.
"""
check_apply_test(tags_to_apply, get_configuration['tags'])
# Test registry keys.
registry_key_cud(key, subkey, wazuh_log_monitor, arch=arch, min_timeout=global_parameters.default_timeout,
options=key_attrs, triggers_event_modified=triggers_modification, time_travel=True)
# Test registry values.
registry_value_cud(key, subkey, wazuh_log_monitor, min_timeout=global_parameters.default_timeout,
options=value_attrs, triggers_event_modified=triggers_modification, time_travel=True)
def test_ignore_over_restrict_key(key, subkey, key_name, arch,
get_configuration, configure_environment,
restart_syscheckd, wait_for_fim_start):
"""
Check registry values are ignored according to configuration.
Parameters
----------
key : str
Root key (HKEY_*)
subkey : str
path of the registry where the test will be executed.
arch : str
Architecture of the registry.
"""
check_apply_test({"ambiguous_ignore_restrict_key"},
get_configuration['tags'])
# Test registry keys.
registry_key_cud(key,
subkey,
wazuh_log_monitor,
arch=arch,
key_list=[key_name],
min_timeout=global_parameters.default_timeout,
time_travel=True,
triggers_event=False)
def test_ambiguous_complex_checks(key, subkey, key_checkers, get_configuration,
configure_environment, restart_syscheckd,
wait_for_fim_start):
"""
Check if the events of every configured key has the proper check attributes.
Parameters
----------
key: str
Key of the registry (HKEY_* constants).
sub_key: str
Path of the configured key.
key_checkers: set
Set of checks that are expected.
"""
check_apply_test({"complex_checks"}, get_configuration['tags'])
# Test registry keys.
registry_key_cud(key,
subkey,
wazuh_log_monitor,
min_timeout=global_parameters.default_timeout,
options=key_checkers,
time_travel=True)
# Test registry values.
registry_value_cud(key,
subkey,
wazuh_log_monitor,
min_timeout=global_parameters.default_timeout,
options=key_checkers,
time_travel=True)
def test_ambiguous_report_tags(key, subkey, tag, get_configuration,
configure_environment, restart_syscheckd,
wait_for_fim_start):
"""
Check if syscheck detects the event property 'tags' for each configured entry.
This test validates both situations, making sure that if tags='no', there won't be a
tags event property.
Parameters
----------
key: str
Key of the registry (HKEY_* constants).
sub_key: str
Path of the configured key.
tag: str
Tag that is configured for each entry. If None, the entry isn't configured with a tag.
"""
check_apply_test({'complex_tags'}, get_configuration['tags'])
def no_tag_validator(event):
"""Validate tags event property does not exist in the event."""
assert 'tags' not in event['data'].keys(
), "'Tags' attribute found in event"
def tag_validator(event):
"""Validate tags event property exists in the event."""
assert tag == event['data']['tags'], 'Defined_tags are not equal'
validator_after_create = [no_tag_validator]
validator_after_update = [no_tag_validator]
validator_after_delete = [no_tag_validator]
if tag is not None:
validator_after_create = [tag_validator]
validator_after_update = [tag_validator]
validator_after_delete = [tag_validator]
# Test registry values.
registry_key_cud(key,
subkey,
wazuh_log_monitor,
min_timeout=global_parameters.default_timeout,
time_travel=True,
validators_after_create=validator_after_create,
validators_after_update=validator_after_update,
validators_after_delete=validator_after_delete)
# Test registry values.
registry_value_cud(key,
subkey,
wazuh_log_monitor,
min_timeout=global_parameters.default_timeout,
time_travel=True,
validators_after_create=validator_after_create,
validators_after_update=validator_after_update,
validators_after_delete=validator_after_delete)
def test_ambiguous_restrict(key, sub_keys, is_key, name, get_configuration,
configure_environment, restart_syscheckd,
wait_for_fim_start):
"""
Check restrict configuration events.
Check if syscheck detects changes (add, modify, delete) of key/events depending on its restrict configuration.
Parameters
----------
key: str
Key of the registry (HKEY_* constants).
sub_keys: tuple
Tuple where the first element is the path of a key that won't raise alerts due to the restrict and the
second element is a key that will raise alerts.
is_key: boolean
Variable to distinguish if the restrict is for keys or for values.
name: str
String with the name of the value/key that will be created.
"""
check_apply_test({"ambiguous_restrict"}, get_configuration['tags'])
if is_key:
registry_key_cud(key,
sub_keys[0],
wazuh_log_monitor,
key_list=[name],
arch=KEY_WOW64_64KEY,
triggers_event=False,
time_travel=True,
min_timeout=global_parameters.default_timeout)
registry_key_cud(key,
sub_keys[1],
wazuh_log_monitor,
key_list=[name],
arch=KEY_WOW64_64KEY,
triggers_event=True,
time_travel=True,
min_timeout=global_parameters.default_timeout)
else:
registry_value_cud(key,
sub_keys[0],
wazuh_log_monitor,
value_list=[name],
arch=KEY_WOW64_64KEY,
triggers_event=False,
time_travel=True,
min_timeout=global_parameters.default_timeout)
registry_value_cud(key,
sub_keys[1],
wazuh_log_monitor,
value_list=[name],
triggers_event=True,
time_travel=True,
min_timeout=global_parameters.default_timeout)
def test_ambiguous_checks(key, subkey, key_checkers, subkey_checkers,
get_configuration, configure_environment,
restart_syscheckd, wait_for_fim_start):
"""
Check if syscheck detects the event property 'tags' for each event.
This test validates both situations, making sure that if tags='no', there won't be a
tags event property.
Parameters
----------
key: str
Key of the registry (HKEY_* constants).
sub_keys: tuple
Tuple where ther first element is the configured key and the second is the configured subkey.
arch: int
Architecture of the key.
"""
check_apply_test({"ambiguous_checks"}, get_configuration['tags'])
# Test registry keys.
registry_key_cud(
key,
subkey[0],
wazuh_log_monitor,
min_timeout=global_parameters.default_timeout,
options=key_checkers,
time_travel=get_configuration['metadata']['fim_mode'] == 'scheduled')
# Test registry values.
registry_value_cud(
key,
subkey[0],
wazuh_log_monitor,
min_timeout=global_parameters.default_timeout,
options=key_checkers,
time_travel=get_configuration['metadata']['fim_mode'] == 'scheduled')
# Test registry keys.
registry_key_cud(
key,
subkey[1],
wazuh_log_monitor,
min_timeout=global_parameters.default_timeout,
options=subkey_checkers,
time_travel=get_configuration['metadata']['fim_mode'] == 'scheduled')
# Test registry values.
registry_value_cud(
key,
subkey[1],
wazuh_log_monitor,
min_timeout=global_parameters.default_timeout,
options=subkey_checkers,
time_travel=get_configuration['metadata']['fim_mode'] == 'scheduled')
def test_registry_changes(key, subkey, arch, value_type, get_configuration, configure_environment, restart_syscheckd,
wait_for_fim_start):
"""
Check if events appear for subkeys/values of a monitored key
"""
registry_key_cud(key, subkey, wazuh_log_monitor, arch=arch,
time_travel=get_configuration['metadata']['fim_mode'] == 'scheduled',
min_timeout=global_parameters.default_timeout,
triggers_event=True)
registry_value_cud(key, subkey, wazuh_log_monitor, arch=arch,
time_travel=get_configuration['metadata']['fim_mode'] == 'scheduled',
min_timeout=global_parameters.default_timeout,
triggers_event=True, value_type=value_type)
def test_ambiguous_recursion(key, subkey, arch, get_configuration,
configure_environment, restart_syscheckd,
wait_for_fim_start):
"""
Check if syscheck detects the event property 'tags' for each event.
This test validates both situations, making sure that if tags='no', there won't be a
tags event property.
Parameters
----------
key: str
Key of the registry (HKEY_* constants).
sub_keys: str
Path of the subkey that will be used for the test (must have a higher recursion level than the configured key).
Example:
<windows_registry recursion_level="2">HKLM//some_key</windows_registry>
subkey = HKLM//some_key//1//2//3
arch: int
Architecture of the key.
"""
expected_recursion_key = os.path.join(subkey, key_name)
check_apply_test({"ambiguous_recursion"}, get_configuration['tags'])
registry_key_cud(key,
subkey,
wazuh_log_monitor,
arch=arch,
time_travel=True,
triggers_event=False,
min_timeout=global_parameters.default_timeout)
registry_key_cud(key,
expected_recursion_key,
wazuh_log_monitor,
arch=arch,
time_travel=True,
triggers_event=True,
min_timeout=global_parameters.default_timeout)
registry_value_cud(key,
expected_recursion_key,
wazuh_log_monitor,
arch=arch,
time_travel=True,
triggers_event=True,
min_timeout=global_parameters.default_timeout)
def test_duplicate_entries(key, subkey, arch, key_list, value_list, checkers,
tags_to_apply, get_configuration,
configure_environment, restart_syscheckd,
wait_for_fim_start):
"""
Check that duplicate antries are overwritten by the last entry.
Parameters
----------
key: str
Root key (HKEY_*)
subkey: str
path of the registry where the test will be executed.
arch: str
Architecture of the registry.
key_list: list
List with the name of the keys that will be used for cud. If None, registry_key_cud won't be executed.
value_list: list
List with the name of the values that will be used for cud. If None, registry_value_cud won't be executed.
checkers: set
Set with the checkers that are expected in the events.
"""
check_apply_test(tags_to_apply, get_configuration['tags'])
# Test registry keys.
if key_list is not None:
registry_key_cud(key,
subkey,
wazuh_log_monitor,
arch=arch,
key_list=key_list,
options=checkers,
min_timeout=global_parameters.default_timeout,
time_travel=True,
triggers_event=True)
if value_list is not None:
registry_value_cud(key,
subkey,
wazuh_log_monitor,
arch=arch,
value_list=value_list,
options=checkers,
min_timeout=global_parameters.default_timeout,
time_travel=True,
triggers_event=True)
def test_ambiguous_tags(key, sub_keys, arch, get_configuration,
configure_environment, restart_syscheckd,
wait_for_fim_start):
"""Check if syscheck detects the event property 'tags' for each event.
This test validates both situations, making sure that if tags='no', there won't be a
tags event property.
Parameters
----------
key: str
Key of the registry (HKEY_* constants).
sub_keys: tuple
Tuple where the first element is the path of a key that will have the tag attribute
and the second won't have the tag attribute.
arch: int
Architecture of the key.
"""
def tag_validator(event):
"""Validate tags event property exists in the event."""
assert tag == event['data']['tags'], 'Defined_tags are not equal'
def no_tag_validator(event):
"""Validate tags event property does not exist in the event."""
assert 'tags' not in event['data'].keys(
), "'Tags' attribute found in event"
check_apply_test({"ambiguous_tag"}, get_configuration['tags'])
registry_key_cud(key,
sub_keys[0],
wazuh_log_monitor,
arch=arch,
time_travel=True,
min_timeout=global_parameters.default_timeout,
validators_after_cud=[tag_validator])
registry_key_cud(key,
sub_keys[1],
wazuh_log_monitor,
arch=arch,
time_travel=True,
min_timeout=global_parameters.default_timeout,
validators_after_cud=[no_tag_validator])
