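def test_audit_key(audit_key, path, get_configuration, configure_environment, restart_syscheckd):
    """Check the ``<audit_key>`` option: add an audit watch rule with the given key and
    verify that syscheck reports an event carrying that key when a file is created.

    This test is intended to be used with valid configurations.

    Parameters
    ----------
    audit_key : str
        Name of the audit key to monitor (passed verbatim to ``auditctl -k``).
    path : str
        Path of the folder to be monitored (passed verbatim to ``auditctl -w``).
    """
    import subprocess

    check_apply_test({audit_key}, get_configuration['tags'])

    # Build the auditctl invocations as argument lists rather than a shell string:
    # path and key come from the test configuration and should never be re-parsed
    # by a shell. One shared list also guarantees the add and the remove match.
    watch = [path, "-p", "wa", "-k", audit_key]

    # Add the watch rule; fail fast if auditctl rejects it instead of waiting for
    # the 30 s log timeout below.
    subprocess.run(["auditctl", "-w"] + watch, check=True)
    try:
        # Restart Wazuh on an empty log so the monitor only sees this run's events.
        truncate_file(LOG_FILE_PATH)
        control_service('restart')
        wazuh_log_monitor = FileMonitor(LOG_FILE_PATH)
        detect_initial_scan(wazuh_log_monitor)

        # Creating a file under the watched path must produce an event tagged with the key.
        create_file(REGULAR, path, "testfile")
        events = wazuh_log_monitor.start(timeout=30, callback=callback_audit_key,
                                         accum_results=1).result()
        assert audit_key in events
    finally:
        # Always remove the watch rule, even when the assertion fails, so a failed
        # run does not leak audit rules into the tests that follow.
        subprocess.run(["auditctl", "-W"] + watch, check=False)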
def restart_wazuh(get_configuration, request):
    """Fixture: truncate the Wazuh log, publish a fresh monitor on the requesting module,
    and restart the whole Wazuh service.

    The new ``FileMonitor`` is exposed as ``wazuh_log_monitor`` on ``request.module`` so
    the tests in that module can wait for log lines written after the restart.
    ``get_configuration`` is not read here.
    """
    # Start from an empty log so lines from earlier runs cannot satisfy a later wait.
    truncate_file(LOG_FILE_PATH)
    monitor = FileMonitor(LOG_FILE_PATH)
    request.module.wazuh_log_monitor = monitor

    # Restart Wazuh and wait for the command to end.
    control_service('restart')
def test_invalid(tags_to_apply, get_configuration, configure_environment):
    """Check that an invalid configuration is detected.

    Using invalid configurations with different attributes, expect an error message
    and syscheck unable to restart.

    * This test is intended to be used with invalid configuration files. Each
      execution of this test will fail to configure the environment properly.

    Parameters
    ----------
    tags_to_apply : set
        Run the test if it matches a configuration identifier, skip otherwise.

    Notes
    -----
    Both statements inside ``pytest.raises`` count: if ``control_service`` itself
    raises ``ValueError`` the log monitor is never started, so the configuration
    error message is only looked for when the restart command returns normally.
    ``wazuh_log_monitor`` is a module-level name, presumably set by a restart
    fixture before this test runs -- verify against the module's fixtures.
    """
    check_apply_test(tags_to_apply, get_configuration['tags'])

    # Configuration error -> ValueError raised
    with pytest.raises(ValueError):
        control_service('restart')
        wazuh_log_monitor.start(timeout=3, callback=callback_configuration_error)
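def test_windows_audit_restore_sacl(tags_to_apply, get_configuration, configure_environment, restart_syscheckd,
                                    wait_for_initial_scan):
    """Check that Wazuh restores the previous SACL rules when the service is stopped.

    Parameters
    ----------
    tags_to_apply : set
        Run the test if it matches a configuration identifier, skip otherwise.

    Notes
    -----
    Relies on module-level ``testdir_restore`` (the audited directory),
    ``previous_rules`` (its SACL before Wazuh touched it) and ``WAZUH_RULES``
    (the entries Wazuh is expected to add), plus ``wazuh_log_monitor``.
    """
    check_apply_test(tags_to_apply, get_configuration['tags'])

    # Reading the SACL requires SeSecurityPrivilege.
    with Privilege('SeSecurityPrivilege'):
        lfss = get_file_security_descriptor(testdir_restore)
        dir_rules = set(get_sacl(lfss))
        # With Wazuh running, the SACL is the original set plus exactly Wazuh's rules.
        assert dir_rules - previous_rules == WAZUH_RULES

        # Stop Wazuh service to force SACL rules to be restored
        control_service('stop')
        try:
            event = wazuh_log_monitor.start(timeout=5, callback=callback_sacl_restored).result()
            assert testdir_restore in event, f'{testdir_restore} not detected in SACL restore event'
            # NOTE(review): lfss was fetched before the stop; this assumes get_sacl reads
            # the live SACL through it rather than a cached copy -- confirm.
            dir_rules = set(get_sacl(lfss))
            assert dir_rules == previous_rules
        finally:
            # Start the service again even when an assertion fails; otherwise the
            # teardown fixtures and the next test run against a stopped Wazuh.
            control_service('start')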
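def configure_local_rules(get_configuration, request):
    """Fixture: install a test-specific ``local_rules.xml`` and restore the original afterwards.

    Wazuh is restarted after installing the rules and again after restoring them,
    since rule changes only apply on restart.

    Parameters
    ----------
    get_configuration
        Path of the rules file to install (converted with ``str``).
    request
        pytest fixture request; not read by this fixture.
    """
    rules_file = '/var/ossec/etc/rules/local_rules.xml'
    backup_file = rules_file + '.cpy'

    # save current configuration
    shutil.copy(rules_file, backup_file)
    try:
        # configuration for testing
        shutil.copy(str(get_configuration), rules_file)
        control_service('restart')
        yield
    finally:
        # Restore even when the test rules make the restart fail before yield:
        # otherwise the real local_rules.xml stays overwritten for every later test.
        shutil.move(backup_file, rules_file)
        control_service('restart')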
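def test_restart_audit(tags_to_apply, should_restart, get_configuration, configure_environment, restart_syscheckd):
    """Check the ``<restart_audit>`` option: remove the audisp plugin file and verify
    whether Wazuh restarts Auditd and recreates the file.

    This test is intended to be used with valid configurations.

    Parameters
    ----------
    tags_to_apply : set
        Run the test if it matches a configuration identifier, skip otherwise.
    should_restart : bool
        True if Auditd should restart, False otherwise.
    """

    def get_audit_creation_time():
        """Return the start time of the running ``auditd`` process, or fail the test."""
        # Take name and create_time in one snapshot: calling proc.name() /
        # proc.create_time() afterwards can raise NoSuchProcess if auditd exits
        # mid-iteration, which is exactly what happens while it is being restarted.
        for proc in psutil.process_iter(attrs=['name', 'create_time']):
            if proc.info['name'] == "auditd":
                return proc.info['create_time']
        pytest.fail("Auditd is not running")

    plugin_path = "/etc/audisp/plugins.d/af_wazuh.conf"

    check_apply_test(tags_to_apply, get_configuration['tags'])

    # Delete the plugin configuration so Wazuh has to recreate it.
    os.remove(plugin_path)

    time_before_restart = get_audit_creation_time()
    control_service('restart')
    # Give Wazuh time to restart Auditd (if configured to) and rewrite the plugin file.
    time.sleep(10)
    time_after_restart = get_audit_creation_time()

    # A restarted Auditd has a new process start time; an untouched one keeps the old one.
    if should_restart:
        assert time_before_restart != time_after_restart
    else:
        assert time_before_restart == time_after_restart

    # In both cases the plugin file must have been recreated.
    assert os.path.isfile(plugin_path)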
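def configure_environment(get_configuration, request):
    """Fixture: apply a test-specific section to the Wazuh configuration and create the
    test directories, restoring everything on teardown. Restarting Wazuh is needed for the
    configuration to take effect (done by other fixtures, or here when the module asks).

    The requesting module provides:

    * ``test_directories`` (required): directories created before the test, removed after.
    * ``extra_configuration_before_yield`` / ``extra_configuration_after_yield`` (optional):
      callables run right before the test starts / after the configuration is restored.
    * ``force_restart_after_restoring`` (optional): when truthy, restart Wazuh once the
      original configuration is back.

    Parameters
    ----------
    get_configuration : dict
        Test configuration; its ``section`` and ``elements`` entries are passed to
        ``set_section_wazuh_conf``.
    request
        pytest fixture request, used to reach the module-level settings above.
    """
    module = request.module

    # save current configuration
    backup_config = get_wazuh_conf()
    test_directories = getattr(module, 'test_directories')

    try:
        # configuration for testing
        test_config = set_section_wazuh_conf(get_configuration.get('section'),
                                             get_configuration.get('elements'))

        # create test directories
        # NOTE(review): mode=0o777 makes the monitored directories world-writable
        # (subject to umask). Tolerable on a throwaway test box, not a pattern to
        # copy into non-test code.
        for test_dir in test_directories:
            os.makedirs(test_dir, exist_ok=True, mode=0o777)

        # set new configuration
        write_wazuh_conf(test_config)

        # Call extra functions before yield
        before_hook = getattr(module, 'extra_configuration_before_yield', None)
        if before_hook is not None:
            before_hook()

        yield
    finally:
        # Teardown also runs if setup failed after the backup was taken, so a broken
        # test configuration is never left in ossec.conf for the next test.
        # On Windows the service is stopped around the removal -- presumably because
        # syscheck holds handles on the directories; confirm.
        if sys.platform == 'win32':
            control_service('stop')
        for test_dir in test_directories:
            shutil.rmtree(test_dir, ignore_errors=True)
        if sys.platform == 'win32':
            control_service('start')

        # restore previous configuration
        write_wazuh_conf(backup_config)

        # Call extra functions after yield
        after_hook = getattr(module, 'extra_configuration_after_yield', None)
        if after_hook is not None:
            after_hook()

        if getattr(module, 'force_restart_after_restoring', False):
            control_service('restart')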
def restart_syscheckd(get_configuration, request):
    """Fixture: truncate the Wazuh log, publish a fresh ``FileMonitor`` on the requesting
    module as ``wazuh_log_monitor``, and restart only the ``ossec-syscheckd`` daemon.

    ``get_configuration`` is not read here.
    """
    # An empty log guarantees the monitor only sees lines written from this restart on.
    truncate_file(LOG_FILE_PATH)
    request.module.wazuh_log_monitor = FileMonitor(LOG_FILE_PATH)

    control_service('restart', daemon='ossec-syscheckd')