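def test_audit_key(audit_key, path, get_configuration, configure_environment,
                   restart_syscheckd):
    """Checks <audit_key> functionality by adding an audit rule and checking if alerts with that key are triggered when
    a file is created.

    This test is intended to be used with valid configurations

    Parameters
    ----------
    audit_key : str
        Name of the audit_key to monitor
    path : str
        Path of the folder to be monitored
    get_configuration : dict
        Test configuration; only its 'tags' entry is read here
    configure_environment, restart_syscheckd
        Fixtures, requested for their side effects only
    """
    import subprocess

    check_apply_test({audit_key}, get_configuration['tags'])

    # Add watch rule. The arguments are passed as a list (no shell), so a path or key containing spaces or shell
    # metacharacters is handed to auditctl literally instead of being re-parsed by the shell. The return code is
    # deliberately not checked: a rule that could not be added shows up as the assertion below failing.
    watch_rule = [path, '-p', 'wa', '-k', audit_key]
    subprocess.run(['auditctl', '-w', *watch_rule])

    try:
        # Restart and wait for wazuh
        truncate_file(LOG_FILE_PATH)
        control_service('restart')
        wazuh_log_monitor = FileMonitor(LOG_FILE_PATH)
        detect_initial_scan(wazuh_log_monitor)

        # Look for audit_key word
        create_file(REGULAR, path, "testfile")
        events = wazuh_log_monitor.start(timeout=30,
                                         callback=callback_audit_key,
                                         accum_results=1).result()
        assert audit_key in events
    finally:
        # Remove watch rule even when the assertion fails, so a stale rule does not leak into the following tests.
        # Failure to remove it is not checked, to avoid masking the original test failure.
        subprocess.run(['auditctl', '-W', *watch_rule])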
def restart_wazuh(get_configuration, request):
    """Reset ossec.log, expose a fresh FileMonitor on the requesting module as ``wazuh_log_monitor`` and restart Wazuh.

    Parameters
    ----------
    get_configuration
        Not read here; kept so the fixture can be requested alongside the configuration fixtures
    request
        Pytest request object whose module receives the new monitor
    """
    # Reset ossec.log and start a new monitor on it
    truncate_file(LOG_FILE_PATH)
    request.module.wazuh_log_monitor = FileMonitor(LOG_FILE_PATH)

    # Restart Wazuh and wait for the command to end
    control_service('restart')
def test_invalid(tags_to_apply, get_configuration, configure_environment):
    """Check that an invalid configuration is detected.

    With invalid configurations using different attributes, an error message is expected and syscheck must be unable
    to restart.

    * This test is intended to be used with invalid configuration files. Each execution of this test will fail to
     configure the environment properly.

    Parameters
    ----------
    tags_to_apply : set
        Run test if matches with a configuration identifier, skip otherwise
    get_configuration : dict
        Test configuration; only its 'tags' entry is read here
    configure_environment
        Fixture, requested for its side effects only
    """
    check_apply_test(tags_to_apply, get_configuration['tags'])

    # A configuration error makes the restart raise ValueError
    with pytest.raises(ValueError):
        control_service('restart')

    # The configuration error must also be reported in the log
    wazuh_log_monitor.start(timeout=3, callback=callback_configuration_error)
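def test_windows_audit_restore_sacl(tags_to_apply, get_configuration,
                                    configure_environment, restart_syscheckd,
                                    wait_for_initial_scan):
    """Check that Wazuh restores previous SACL rules when the service is stopped.

    Parameters
    ----------
    tags_to_apply : set
        Run test if matches with a configuration identifier, skip otherwise
    get_configuration : dict
        Test configuration; only its 'tags' entry is read here
    configure_environment, restart_syscheckd, wait_for_initial_scan
        Fixtures, requested for their side effects only
    """
    check_apply_test(tags_to_apply, get_configuration['tags'])

    # Tracks whether the service was actually stopped, so it is started again even when one of the assertions
    # below fails; otherwise the fixture teardown would run against a stopped service.
    service_stopped = False
    try:
        with Privilege('SeSecurityPrivilege'):
            lfss = get_file_security_descriptor(testdir_restore)
            dir_rules = set(get_sacl(lfss))
            assert dir_rules - previous_rules == WAZUH_RULES

            # Stop Wazuh service to force SACL rules to be restored
            control_service('stop')
            service_stopped = True
            event = wazuh_log_monitor.start(
                timeout=5, callback=callback_sacl_restored).result()
            assert testdir_restore in event, f'{testdir_restore} not detected in SACL restore event'
            dir_rules = set(get_sacl(lfss))
            assert dir_rules == previous_rules
    finally:
        # Start Wazuh service again so the fixture does not crash
        if service_stopped:
            control_service('start')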
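def configure_local_rules(get_configuration, request):
    """Configure a custom rule in local_rules.xml for testing. Restart Wazuh is needed for applying the configuration.

    Parameters
    ----------
    get_configuration
        Path of the rules file to install; it is converted with str() before use
    request
        Pytest request object; not read here, kept for fixture signature compatibility
    """
    rules_file = '/var/ossec/etc/rules/local_rules.xml'
    backup_file = '/var/ossec/etc/rules/local_rules.xml.cpy'

    # save current configuration
    shutil.copy(rules_file, backup_file)

    try:
        # configuration for testing
        file_test = str(get_configuration)
        shutil.copy(file_test, rules_file)

        # restart wazuh service
        control_service('restart')

        yield
    finally:
        # restore previous configuration even when the setup above failed (e.g. the restart raised), otherwise the test
        # rules would remain installed for the tests that follow
        shutil.move(backup_file, rules_file)

        # restart wazuh service
        control_service('restart')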
def test_restart_audit(tags_to_apply, should_restart, get_configuration,
                       configure_environment, restart_syscheckd):
    """Checks <restart_audit> functionality by removing the plugin and monitoring audit to see if it restarts and
    creates the file again.

    This test is intended to be used with valid configurations

    Parameters
    ----------
    tags_to_apply : set
        Run test if matches with a configuration identifier, skip otherwise
    should_restart : boolean
        True if Auditd should restart, False otherwise
    get_configuration : dict
        Test configuration; only its 'tags' entry is read here
    configure_environment, restart_syscheckd
        Fixtures, requested for their side effects only
    """
    plugin_path = "/etc/audisp/plugins.d/af_wazuh.conf"

    def auditd_start_time():
        """Return the creation time of the running auditd process, failing the test if none is found."""
        auditd = next((proc for proc in psutil.process_iter(attrs=['name']) if proc.name() == "auditd"), None)
        if auditd is None:
            pytest.fail("Auditd is not running")
        return auditd.create_time()

    check_apply_test(tags_to_apply, get_configuration['tags'])

    # Drop the plugin file; the final assertion expects it to be written back
    os.remove(plugin_path)

    started_before = auditd_start_time()
    control_service('restart')
    # Give the restart time to settle before sampling auditd again
    time.sleep(10)
    started_after = auditd_start_time()

    # A changed creation time means a new auditd process, i.e. it was restarted
    if should_restart:
        assert started_before != started_after
    else:
        assert started_before == started_after

    assert os.path.isfile(plugin_path)
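def configure_environment(get_configuration, request):
    """Configure a custom environment for testing. Restart Wazuh is needed for applying the configuration.

    Parameters
    ----------
    get_configuration : dict
        Test configuration; its 'section' and 'elements' entries are written into the Wazuh configuration
    request
        Pytest request object. The requesting module must define ``test_directories`` and may define the optional
        hooks ``extra_configuration_before_yield`` and ``extra_configuration_after_yield`` (callables) and the flag
        ``force_restart_after_restoring``
    """
    # save current configuration
    backup_config = get_wazuh_conf()

    # configuration for testing
    test_config = set_section_wazuh_conf(get_configuration.get('section'),
                                         get_configuration.get('elements'))

    # Resolve the directories before anything is created, so the teardown can always clean up
    test_directories = getattr(request.module, 'test_directories')

    try:
        # create test directories
        for test_dir in test_directories:
            # NOTE(review): 0o777 makes the directories world-writable; presumably so the tests can act on them
            # regardless of the running user -- confirm
            os.makedirs(test_dir, exist_ok=True, mode=0o777)

        # set new configuration
        write_wazuh_conf(test_config)

        # Call extra functions before yield
        before_hook = getattr(request.module, 'extra_configuration_before_yield', None)
        if before_hook is not None:
            before_hook()

        yield
    finally:
        # The teardown runs even when setup failed half-way, so the backed-up configuration is always restored and
        # directories created so far are removed.

        # remove created folders (parents); on Windows the service is stopped first (presumably because the running
        # service holds handles on the monitored directories -- confirm)
        if sys.platform == 'win32':
            control_service('stop')

        for test_dir in test_directories:
            shutil.rmtree(test_dir, ignore_errors=True)

        if sys.platform == 'win32':
            control_service('start')

        # restore previous configuration
        write_wazuh_conf(backup_config)

        # Call extra functions after yield
        after_hook = getattr(request.module, 'extra_configuration_after_yield', None)
        if after_hook is not None:
            after_hook()

        if getattr(request.module, 'force_restart_after_restoring', False):
            control_service('restart')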
def restart_syscheckd(get_configuration, request):
    """Reset ossec.log, expose a fresh FileMonitor on the requesting module as ``wazuh_log_monitor`` and restart
    the syscheck daemon.

    Parameters
    ----------
    get_configuration
        Not read here; kept so the fixture can be requested alongside the configuration fixtures
    request
        Pytest request object whose module receives the new monitor
    """
    # Reset ossec.log and start a new monitor on it
    truncate_file(LOG_FILE_PATH)
    request.module.wazuh_log_monitor = FileMonitor(LOG_FILE_PATH)

    # Only the syscheck daemon is restarted, not the whole Wazuh service
    control_service('restart', daemon='ossec-syscheckd')