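def configure_mitm_environment_wazuhdb(request):
    """Put a man-in-the-middle in front of the wazuh-db socket and expose its monitor.

    Pytest fixture (generator style). Setup stops the whole Wazuh service,
    wipes the log files, starts only ``wazuh-db`` in debug mode and starts a
    ``ManInTheMiddle`` on the socket found at ``request.module.wdb_path``.
    A ``QueueMonitor`` over the MITM queue is published as
    ``request.module.wdb_monitor`` so tests can read the intercepted traffic.

    Teardown shuts the MITM down, stops ``wazuh-db``, deletes the databases
    (``delete_dbs``) and restarts the full service. The teardown also runs when
    setup fails after the MITM was started, so the intercepted socket is never
    left in place.

    Args:
        request: pytest ``FixtureRequest``; ``request.module`` must define ``wdb_path``.

    Raises:
        AttributeError: if ``request.module`` has no ``wdb_path``.
    """
    wdb_path = getattr(request.module, 'wdb_path')

    # Stop wazuh-service and ensure all daemons are stopped before the logs
    # are removed and a single daemon is brought back.
    control_service('stop')
    check_daemon_status(running=False)
    remove_logs()

    control_service('start', daemon='wazuh-db', debug_mode=True)
    check_daemon_status(running=True, daemon='wazuh-db')

    mitm_wdb = ManInTheMiddle(socket_path=wdb_path)
    wdb_queue = mitm_wdb.queue
    mitm_wdb.start()
    try:
        setattr(request.module, 'wdb_monitor', QueueMonitor(queue_item=wdb_queue))
        yield
    finally:
        # Reached on normal teardown and if the setattr above raised.
        mitm_wdb.shutdown()
        control_service('stop', daemon='wazuh-db')
        check_daemon_status(running=False, daemon='wazuh-db')
        # Delete all db
        delete_dbs()
        control_service('start')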
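def configure_authd_server(request):
    """Start the simulated authd server and expose a monitor over its queue.

    Pytest fixture (generator style). Starts the module-level ``authd_server``
    simulator, rebinds the module-level ``monitored_sockets`` to a
    ``QueueMonitor`` over ``authd_server.queue`` and clears any queued
    messages before the test runs. Teardown shuts the simulator down; it also
    runs if setup fails after the simulator was started.

    Args:
        request: pytest ``FixtureRequest``; not read here, kept so the fixture
            has the same signature as the other ``configure_*`` fixtures.
    """
    global monitored_sockets

    authd_server.start()
    try:
        monitored_sockets = QueueMonitor(authd_server.queue)
        authd_server.clear()
        yield
    finally:
        # Never leave the simulator listening after a failed fixture.
        authd_server.shutdown()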
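def configure_mitm_environment_analysisd(request):
    """Use MITM to replace analysisd and wazuh-db sockets.

    Pytest fixture (generator style). Setup stops the whole Wazuh service,
    deletes every file under ``WAZUH_LOGS_PATH``, then starts ``wazuh-db`` and
    ``ossec-analysisd`` in debug mode, each behind a ``ManInTheMiddle`` on the
    socket named by ``request.module.wdb_path`` / ``request.module.analysis_path``
    (the analysisd one in UDP mode). ``QueueMonitor`` objects over both MITM
    queues are published as ``request.module.analysis_monitor`` and
    ``request.module.wdb_monitor``.

    Teardown shuts the MITMs down (analysisd first), stops both daemons and
    restarts the full service. Every MITM that was started is shut down even
    when setup fails later on, so no intercepted socket outlives the fixture.

    Args:
        request: pytest ``FixtureRequest``; ``request.module`` must define
            ``analysis_path`` and ``wdb_path``.

    Raises:
        AttributeError: if either module attribute is missing.
    """
    def remove_logs():
        """Delete every file below WAZUH_LOGS_PATH (the directory tree itself is kept)."""
        for root, _dirs, files in os.walk(WAZUH_LOGS_PATH):
            for file_name in files:
                os.remove(os.path.join(root, file_name))

    analysis_path = getattr(request.module, 'analysis_path')
    wdb_path = getattr(request.module, 'wdb_path')

    # Stop wazuh-service and ensure all daemons are stopped
    control_service('stop')
    check_daemon_status(running=False)
    remove_logs()

    control_service('start', daemon='wazuh-db', debug_mode=True)
    check_daemon_status(running=True, daemon='wazuh-db')
    mitm_wdb = ManInTheMiddle(socket_path=wdb_path)
    wdb_queue = mitm_wdb.queue
    mitm_wdb.start()

    # MITMs are recorded in start order and shut down in reverse.
    started_mitms = [mitm_wdb]
    try:
        control_service('start', daemon='ossec-analysisd', debug_mode=True)
        check_daemon_status(running=True, daemon='ossec-analysisd')
        mitm_analysisd = ManInTheMiddle(socket_path=analysis_path, mode='UDP')
        analysisd_queue = mitm_analysisd.queue
        mitm_analysisd.start()
        started_mitms.append(mitm_analysisd)

        setattr(request.module, 'analysis_monitor', QueueMonitor(queue_item=analysisd_queue))
        setattr(request.module, 'wdb_monitor', QueueMonitor(queue_item=wdb_queue))
        yield
    finally:
        for mitm in reversed(started_mitms):
            mitm.shutdown()
        # NOTE(review): on a setup failure ossec-analysisd may never have
        # started; confirm control_service('stop') tolerates a stopped daemon.
        for daemon in ['wazuh-db', 'ossec-analysisd']:
            control_service('stop', daemon=daemon)
            check_daemon_status(running=False, daemon=daemon)
        control_service('start')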
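def configure_mitm_environment(request):
    """Configure environment for sockets and MITM.

    Pytest fixture (generator style), driven by two attributes of
    ``request.module``:

    * ``monitored_sockets_params``: iterable of ``(daemon, mitm, daemon_first)``
      tuples. ``mitm`` is a ``ManInTheMiddle`` or ``None``; ``daemon_first``
      selects whether the MITM is started after the daemon (truthy) or before it.
    * ``log_monitor_paths``: log files that are truncated and wrapped in a
      ``FileMonitor``.

    Publishes ``request.module.monitored_sockets`` (one ``QueueMonitor`` per
    non-``None`` MITM, in parameter order) and ``request.module.log_monitors``.
    Teardown shuts every MITM down, stops the daemons, deletes the databases
    (``delete_dbs``) and restarts the whole service.

    Args:
        request: pytest ``FixtureRequest``.

    Raises:
        AttributeError: if either module attribute is missing.
    """
    def unix_listener_sockets(mitm):
        """Extra socket paths check_daemon_status should account for, or None.

        Only AF_UNIX MITMs own a path on disk; for other families (or no MITM)
        nothing extra is expected.
        """
        if mitm is not None and mitm.family == 'AF_UNIX':
            return [mitm.listener_socket_address]
        return None

    monitored_sockets_params = getattr(request.module, 'monitored_sockets_params')
    log_monitor_paths = getattr(request.module, 'log_monitor_paths')

    # Stop wazuh-service and ensure all daemons are stopped
    control_service('stop')
    check_daemon_status(running=False)

    # Truncate logs and create FileMonitors
    log_monitors = []
    for log in log_monitor_paths:
        truncate_file(log)
        log_monitors.append(FileMonitor(log))

    # Start selected daemons and monitored sockets MITM. The MITM has to be
    # in place before or after the daemon depending on who creates the socket.
    monitored_sockets = []
    for daemon, mitm, daemon_first in monitored_sockets_params:
        if mitm is not None and not daemon_first:
            mitm.start()
        control_service('start', daemon=daemon, debug_mode=True)
        check_daemon_status(running=True, daemon=daemon, extra_sockets=unix_listener_sockets(mitm))
        if mitm is not None and daemon_first:
            mitm.start()
        if mitm is not None:
            monitored_sockets.append(QueueMonitor(queue_item=mitm.queue))

    setattr(request.module, 'monitored_sockets', monitored_sockets)
    setattr(request.module, 'log_monitors', log_monitors)

    yield

    # Stop daemons and monitored sockets MITM
    for daemon, mitm, _ in monitored_sockets_params:
        if mitm is not None:
            mitm.shutdown()
        control_service('stop', daemon=daemon)
        check_daemon_status(running=False, daemon=daemon, extra_sockets=unix_listener_sockets(mitm))

    # Delete all db
    delete_dbs()
    control_service('start')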
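def generate_analysisd_yaml(n_events, modify_events):
    """Capture syscheck events passing through analysisd and dump them as YAML test cases.

    Restarts the environment with ``ossec-analysisd`` (behind a UDP
    ``ManInTheMiddle`` on the AF_UNIX socket ``analysis_path``) and
    ``ossec-remoted`` in debug mode, polls ``alerts_json`` until at least
    ``n_events`` lines containing ``deleted`` exist, then collects the
    ``added``, ``modified`` and ``deleted`` events from the MITM queue and
    writes them to ``yaml_file`` as a list of ``name``/``test_case`` entries.

    Args:
        n_events: number of ``added`` and ``deleted`` events to collect; it also
            sizes the per-stage collection timeout, ``max(0.01 * n_events, 10)`` s.
        modify_events: number of ``modified`` events to collect.

    Returns:
        The started ``ManInTheMiddle`` for analysisd; the caller owns its shutdown.

    Relies on the module-level names ``analysis_path``, ``alerts_json``,
    ``yaml_file``, ``logger``, ``WAZUH_LOGS_PATH`` and ``LOG_FILE_PATH``.
    """
    def parse_events_into_yaml(requests, yaml_path):
        """Append one YAML test case per ``(request, event)`` pair to ``yaml_path``.

        Each event's ``data`` dict is trimmed in place (``mode``, ``type``,
        ``tags`` and, for modifications, the attribute-diff fields) and the
        expected wazuh-db query is rendered as
        ``agent <id> syscheck <save2|delete> <payload>``.

        Raises:
            ValueError: if ``data.type`` is not ``added``, ``modified`` or
                ``deleted`` (previously this failed with an UnboundLocalError).
        """
        yaml_result = []
        for id_ev, (req, event) in enumerate(requests):
            data = event['data']
            type_ev = data['type']
            stage_ev = type_ev.title()
            agent_id = callback_analysisd_agent_id(req) or '000'
            # Not part of the wazuh-db payload; tolerate their absence.
            for field in ('mode', 'type', 'tags'):
                data.pop(field, None)
            if type_ev == 'added':
                mode = 'save2'
                output_ev = json.dumps(data)
            elif type_ev == 'deleted':
                mode = 'delete'
                # Only the path is sent; the quotes json.dumps adds are stripped.
                output_ev = json.dumps(data['path']).replace('"', '')
            elif type_ev == 'modified':
                mode = 'save2'
                for field in ('old_attributes', 'changed_attributes', 'content_changes'):
                    data.pop(field, None)
                output_ev = json.dumps(data)
            else:
                raise ValueError(f"unexpected syscheck event type: {type_ev!r}")
            yaml_result.append({
                'name': f"{stage_ev}{id_ev}",
                'test_case': [{
                    'input': f"{req}",
                    'output': f"agent {agent_id} syscheck {mode} {output_ev}",
                    'stage': f"{stage_ev}"
                }]
            })
        with open(yaml_path, 'a') as y_f:
            y_f.write(yaml.safe_dump(yaml_result))

    def remove_logs():
        """Delete every file below WAZUH_LOGS_PATH (the directory tree itself is kept)."""
        for root, _dirs, files in os.walk(WAZUH_LOGS_PATH):
            for file_name in files:
                os.remove(os.path.join(root, file_name))

    def count_deleted_alerts():
        """Number of lines in alerts_json containing ``deleted``; 0 if the file is unreadable.

        Replaces the former ``grep | wc -l`` pipeline, which never closed the
        grep pipe nor waited for the child. Read as bytes so undecodable log
        content cannot abort the poll.
        """
        try:
            with open(alerts_json, 'rb') as alerts:
                return sum(1 for line in alerts if b'deleted' in line)
        except OSError as err:
            logger.debug(f'Could not read {alerts_json}: {err}')
            return 0

    # Restart syscheckd with the new configuration
    truncate_file(LOG_FILE_PATH)
    control_service('stop')
    check_daemon_status(running=False)
    remove_logs()

    control_service('start', daemon='ossec-analysisd', debug_mode=True)
    check_daemon_status(running=True, daemon='ossec-analysisd')
    mitm_analysisd = ManInTheMiddle(address=analysis_path, family='AF_UNIX', connection_protocol='UDP')
    analysis_queue = mitm_analysisd.queue
    mitm_analysisd.start()

    control_service('start', daemon='ossec-remoted', debug_mode=True)
    check_daemon_status(running=True, daemon='ossec-remoted')
    analysis_monitor = QueueMonitor(analysis_queue)

    # Poll until the agent side has produced all deletions.
    # TODO(review): this loop has no upper bound; a hung agent blocks forever.
    while True:
        deleted_count = count_deleted_alerts()
        if deleted_count >= n_events:
            break
        logger.debug(f'{deleted_count} deleted events so far.')
        logger.debug('Waiting for alerts. Sleeping 5 seconds.')
        time.sleep(5)
    logger.debug('All alerts received. Collecting by alert type...')

    timeout = max(0.01 * n_events, 10)
    added = analysis_monitor.start(timeout=timeout, callback=callback_analysisd_event,
                                   accum_results=n_events).result()
    logger.debug('"added" alerts collected.')
    modified = analysis_monitor.start(timeout=timeout, callback=callback_analysisd_event,
                                      accum_results=modify_events).result()
    logger.debug('"modified" alerts collected.')
    deleted = analysis_monitor.start(timeout=timeout, callback=callback_analysisd_event,
                                     accum_results=n_events).result()
    logger.debug('"deleted" alerts collected.')

    # Truncate file, then append one YAML list per stage.
    with open(yaml_file, 'w') as y_f:
        y_f.write('---\n')
    for ev_list in (added, modified, deleted):
        parse_events_into_yaml(ev_list, yaml_file)
    logger.debug(f'YAML done: "{yaml_file}"')

    return mitm_analysisd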
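def generate_analysisd_yaml(n_events, modify_events):
    """Create, modify and delete a file in every monitored directory and dump the analysisd events as YAML.

    Restarts the environment with ``wazuh-db``, ``wazuh-analysisd`` (behind a
    UDP ``ManInTheMiddle`` on the AF_UNIX socket ``analysis_path``) and
    ``wazuh-syscheckd`` in debug mode, waits for syscheckd's initial scan, then
    for each directory in ``directories_list`` creates, modifies and deletes a
    regular file named ``regular``. The ``added``, ``modified`` and ``deleted``
    events read from the MITM queue are written to ``yaml_file`` as a list of
    ``name``/``test_case`` entries.

    NOTE(review): another definition with this name appears earlier in this
    listing; confirm which one the importing module actually binds.

    Args:
        n_events: sizes the collection timeout for the ``added`` and ``modified``
            stages (``max(0.01 * n_events, 10)`` s); the ``deleted`` stage is sized
            by ``len(directories_list)`` instead, as in the original code.
        modify_events: number of ``modified`` events to collect.

    Returns:
        The started ``ManInTheMiddle`` for analysisd; the caller owns its shutdown.

    Relies on the module-level names ``analysis_path``, ``directories_list``,
    ``yaml_file``, ``logger``, ``REGULAR``, ``WAZUH_LOGS_PATH`` and ``LOG_FILE_PATH``.
    """
    def parse_events_into_yaml(requests, yaml_path):
        """Append one YAML test case per ``(request, event)`` pair to ``yaml_path``.

        Each event's ``data`` dict is trimmed in place (``mode``, ``type``,
        ``tags`` and, for modifications, the attribute-diff fields) and the
        expected wazuh-db query is rendered as
        ``agent <id> syscheck <save2|delete> <payload>``.

        Raises:
            ValueError: if ``data.type`` is not ``added``, ``modified`` or
                ``deleted`` (previously this failed with an UnboundLocalError).
        """
        yaml_result = []
        for id_ev, (req, event) in enumerate(requests):
            data = event['data']
            type_ev = data['type']
            stage_ev = type_ev.title()
            agent_id = callback_analysisd_agent_id(req) or '000'
            # Not part of the wazuh-db payload; tolerate their absence.
            for field in ('mode', 'type', 'tags'):
                data.pop(field, None)
            if type_ev == 'added':
                mode = 'save2'
                output_ev = json.dumps(data)
            elif type_ev == 'deleted':
                mode = 'delete'
                # Only the path is sent; the quotes json.dumps adds are stripped.
                output_ev = json.dumps(data['path']).replace('"', '')
            elif type_ev == 'modified':
                mode = 'save2'
                for field in ('old_attributes', 'changed_attributes', 'content_changes'):
                    data.pop(field, None)
                output_ev = json.dumps(data)
            else:
                raise ValueError(f"unexpected syscheck event type: {type_ev!r}")
            yaml_result.append({
                'name': f"{stage_ev}{id_ev}",
                'test_case': [{
                    'input': f"{req}",
                    'output': f"agent {agent_id} syscheck {mode} {output_ev}",
                    'stage': f"{stage_ev}"
                }]
            })
        with open(yaml_path, 'a') as y_f:
            y_f.write(yaml.safe_dump(yaml_result))

    def remove_logs():
        """Delete every file below WAZUH_LOGS_PATH (the directory tree itself is kept)."""
        for root, _dirs, files in os.walk(WAZUH_LOGS_PATH):
            for file_name in files:
                os.remove(os.path.join(root, file_name))

    def collect(expected, timeout_base, label):
        """Drain ``expected`` events from the MITM queue and log the stage name."""
        events = analysis_monitor.start(timeout=max(0.01 * timeout_base, 10),
                                        callback=callback_analysisd_event,
                                        accum_results=expected).result()
        logger.debug(f'"{label}" alerts collected.')
        return events

    file_name = 'regular'

    # Restart syscheckd with the new configuration
    truncate_file(LOG_FILE_PATH)
    file_monitor = FileMonitor(LOG_FILE_PATH)
    control_service('stop')
    check_daemon_status(running=False)
    remove_logs()

    control_service('start', daemon='wazuh-db', debug_mode=True)
    check_daemon_status(running=True, daemon='wazuh-db')
    control_service('start', daemon='wazuh-analysisd', debug_mode=True)
    check_daemon_status(running=True, daemon='wazuh-analysisd')
    mitm_analysisd = ManInTheMiddle(address=analysis_path, family='AF_UNIX', connection_protocol='UDP')
    analysis_queue = mitm_analysisd.queue
    mitm_analysisd.start()

    control_service('start', daemon='wazuh-syscheckd', debug_mode=True)
    check_daemon_status(running=True, daemon='wazuh-syscheckd')

    # Wait for initial scan so the file operations below are reported as events.
    detect_initial_scan(file_monitor)
    analysis_monitor = QueueMonitor(analysis_queue)

    n_dirs = len(directories_list)

    for directory in directories_list:
        create_file(REGULAR, directory, file_name, content='')
        time.sleep(0.01)
    added = collect(n_dirs, n_events, 'added')

    for directory in directories_list:
        modify_file(directory, file_name, new_content='Modified')
        time.sleep(0.01)
    modified = collect(modify_events, n_events, 'modified')

    for directory in directories_list:
        delete_file(directory, file_name)
        time.sleep(0.01)
    deleted = collect(n_dirs, n_dirs, 'deleted')

    # Truncate file, then append one YAML list per stage.
    with open(yaml_file, 'w') as y_f:
        y_f.write('---\n')
    for ev_list in (added, modified, deleted):
        parse_events_into_yaml(ev_list, yaml_file)
    logger.debug(f'YAML done: "{yaml_file}"')

    return mitm_analysisd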