def disable_report_changes(fim_mode):
    """Set `report_changes` to 'no' in `ossec.conf` and restart `Syscheck` so the change takes effect.

    Parameters
    ----------
    fim_mode : str
        FIM mode handed to `detect_fim_scan` while waiting for the post-restart scan to finish.
    """
    conf_with_report_off = change_conf(report_value='no')
    # change_conf yields a list of configurations; the first one is the one applied here
    sections = conf_with_report_off[0].get('sections')
    restart_wazuh_with_new_conf(set_section_wazuh_conf(sections))
    # Block until the FIM scan triggered by the restart is reported as finished
    detect_fim_scan(wazuh_log_monitor, fim_mode)
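def reload_new_conf(report_value, reg1, reg2):
    """Build an ossec configuration with a changed report_value, apply it and wait for the initial scan.

    Nothing is returned: the third configuration generated from the YAML (index 2) is applied by
    restarting Wazuh, and the function blocks until the initial FIM scan is detected.

    Parameters
    ----------
    report_value: str
        Value that will be used for the report_changes option.
    reg1: str
        Registry path that will be written in the configuration for WINDOWS_REGISTRY_1.
    reg2: str
        Registry path that will be written in the configuration for WINDOWS_REGISTRY_2.

    Raises
    ------
    IndexError
        If fewer than three configurations are generated from the YAML.
    """
    new_conf_params = {
        'WINDOWS_REGISTRY_1': reg1,
        'WINDOWS_REGISTRY_2': reg2,
        'REPORT_CHANGES_1': report_value,
        'REPORT_CHANGES_2': report_value
    }

    conf_params, conf_metadata = generate_params(extra_params=new_conf_params,
                                                 modes=['scheduled'])
    new_conf = load_wazuh_configurations(configurations_path,
                                         __name__,
                                         params=conf_params,
                                         metadata=conf_metadata)
    # Load the third configuration in the yaml
    restart_wazuh_with_new_conf(
        set_section_wazuh_conf(new_conf[2].get('sections')))
    # Wait for FIM scan to finish
    detect_initial_scan(wazuh_log_monitor)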
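def test_skip_proc(get_configuration, configure_environment, restart_syscheckd,
                   wait_for_initial_scan):
    """Check if syscheckd skips /proc when setting 'skip_proc="yes"'.

    When the configuration under test has `skip` set to 'no', a helper process is spawned and only
    its `/proc/<pid>` directory is monitored: no FIM event is expected before time travel, and one
    for that path afterwards. When `skip` is 'yes', no integrity state event must be received.

    Parameters
    ----------
    get_configuration : fixture
        Configuration under test; `tags` and `metadata['skip']` are read.
    configure_environment, restart_syscheckd, wait_for_initial_scan : fixture
        Environment setup fixtures, used for their side effects only.
    """
    check_apply_test({'skip_proc'}, get_configuration['tags'])
    trigger = get_configuration['metadata']['skip'] == 'no'

    if not trigger:
        # /proc is skipped: any integrity state event within the timeout is a failure
        with pytest.raises(TimeoutError):
            event = wazuh_log_monitor.start(
                timeout=3, callback=callback_detect_integrity_state)
            raise AttributeError(f'Unexpected event {event}')
        return

    proc = subprocess.Popen([
        "python3",
        f"{os.path.dirname(os.path.abspath(__file__))}/data/proc.py"
    ])
    try:
        # Change configuration, monitoring the PID path in /proc
        # Monitor only /proc/PID to expect only these events. Otherwise, it will fail due to Timeouts since
        # integrity scans will take too long
        new_conf = change_conf(f'/proc/{proc.pid}')
        new_ossec_conf = []

        # Get new skip_proc configuration (the last matching configuration wins)
        for conf in new_conf:
            if conf['metadata']['skip'] == 'no' and conf['tags'] == [
                    'skip_proc'
            ]:
                new_ossec_conf = set_section_wazuh_conf(conf.get('sections'))
        restart_wazuh_with_new_conf(new_ossec_conf)
        truncate_file(LOG_FILE_PATH)
        proc_monitor = FileMonitor(LOG_FILE_PATH)
        detect_initial_scan(proc_monitor)

        # Do not expect any 'Sending event'
        with pytest.raises(TimeoutError):
            proc_monitor.start(
                timeout=3,
                callback=callback_detect_event,
                error_message=
                'Did not receive expected "Sending FIM event: ..." event')

        check_time_travel(time_travel=True, monitor=wazuh_log_monitor)

        # Each start() raises TimeoutError when no event arrives, so this loop cannot spin forever
        found_event = False
        while not found_event:
            event = proc_monitor.start(
                timeout=5,
                callback=callback_detect_event,
                error_message='Did not receive expected '
                '"Sending FIM event: ..." event').result()
            # `path` may be absent from the event payload; `or ''` avoids `in None` raising TypeError
            if f'/proc/{proc.pid}/' in (event['data'].get('path') or ''):
                found_event = True
    finally:
        # Always kill the helper process, even when an assertion or timeout above fails, so the test
        # does not leak it. kill() sends SIGKILL like the previous `kill -9`; wait() reaps the child
        # instead of leaving a zombie.
        proc.kill()
        proc.wait()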
def test_no_report_changes(path, get_configuration, configure_environment,
                           restart_syscheckd, wait_for_initial_scan):
    """Check that the diff copy of a monitored file is removed once `report_changes` is set to 'no'.

    Parameters
    ----------
    path : str
        Path to the file
    get_configuration : fixture
        Configuration under test; `metadata['fim_mode']` is read.
    configure_environment, restart_syscheckd, wait_for_initial_scan : fixture
        Environment setup fixtures, used for their side effects only.
    """
    mode = get_configuration['metadata']['fim_mode']
    diff_file = create_and_check_diff(FILE_NAME, path, mode)
    original_conf = get_wazuh_conf()

    try:
        disable_report_changes(mode)
        assert not os.path.exists(diff_file), f'{diff_file} exists'
    finally:
        # Put the original configuration back so later tests start from a known state
        restart_wazuh_with_new_conf(original_conf)
        detect_fim_scan(wazuh_log_monitor, mode)
def test_report_changes_after_restart(get_configuration, configure_environment, restart_syscheckd,
                                      wait_for_initial_scan):
    """Check if duplicated directories in diff are deleted when restarting syscheck.

    Syscheck removes the duplicated diff directories on restart, but recreates them if `report_changes`
    is still active. To avoid that, `report_changes` is turned off before restarting Syscheck, so the
    directories are not created again.

    Parameters
    ----------
    get_configuration : fixture
        Configuration under test; `metadata['fim_mode']` is read.
    configure_environment, restart_syscheckd, wait_for_initial_scan : fixture
        Environment setup fixtures, used for their side effects only.
    """
    mode = get_configuration['metadata']['fim_mode']

    # Create a file in the monitored path to force the creation of a report in diff
    diff_file_path = create_and_check_diff(FILE_NAME, testdir_reports, mode)

    original_conf = get_wazuh_conf()
    try:
        # NOTE(review): called without arguments here, while the `disable_report_changes(fim_mode)`
        # definition shown elsewhere on this page takes the mode — confirm which signature this file uses
        disable_report_changes()
        assert not os.path.exists(diff_file_path), f'{diff_file_path} exists'
    finally:
        # Put the original configuration back so later tests start from a known state
        restart_wazuh_with_new_conf(original_conf)
        detect_fim_scan(wazuh_log_monitor)