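def test_audit_key(audit_key, path, get_configuration, configure_environment, restart_syscheckd):
    """Check the <audit_key> option by adding an audit rule and verifying that alerts carrying that
    key are triggered when a file is created.

    This test is intended to be used with valid configurations.

    Parameters
    ----------
    audit_key : str
        Name of the audit_key to monitor.
    path : str
        Path of the folder to be monitored.
    get_configuration, configure_environment, restart_syscheckd
        Pytest fixtures: configuration (its ``'tags'`` entry is read here), environment setup and
        syscheckd restart.
    """
    import subprocess

    check_apply_test({audit_key}, get_configuration['tags'])

    # auditctl is invoked with an argument list (no shell) so that `path` and `audit_key` reach it
    # verbatim: a value containing spaces or shell metacharacters can no longer break or alter the
    # command line. Return codes are not checked, matching the original best-effort behaviour.
    add_rule = ['auditctl', '-w', path, '-p', 'wa', '-k', audit_key]
    remove_rule = ['auditctl', '-W', path, '-p', 'wa', '-k', audit_key]

    # Add watch rule
    subprocess.run(add_rule, shell=False, check=False)
    try:
        # Restart Wazuh and wait for the initial scan
        truncate_file(LOG_FILE_PATH)
        control_service('restart')
        wazuh_log_monitor = FileMonitor(LOG_FILE_PATH)
        detect_initial_scan(wazuh_log_monitor)

        # Look for the audit_key word in the events produced by creating a file
        create_file(REGULAR, path, "testfile")
        events = wazuh_log_monitor.start(timeout=30, callback=callback_audit_key, accum_results=1).result()
        assert audit_key in events
    finally:
        # Remove the watch rule even when the assertion fails, so a stale audit rule is not left behind
        subprocess.run(remove_rule, shell=False, check=False)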
def restart_wazuh(get_configuration, request):
    """Reset ossec.log, expose a fresh FileMonitor on the requesting module and restart Wazuh.

    Parameters
    ----------
    get_configuration
        Configuration fixture; not read here (kept so the fixture dependency is preserved).
    request
        Pytest request object; ``request.module`` receives the new monitor as ``wazuh_log_monitor``.
    """
    truncate_file(LOG_FILE_PATH)
    monitor = FileMonitor(LOG_FILE_PATH)
    # Publish the monitor as a module attribute so tests can read `wazuh_log_monitor` after the restart
    request.module.wazuh_log_monitor = monitor
    # Restart Wazuh and wait for the command to end
    control_service('restart')
# variables test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') test_directories = [ os.path.join(PREFIX, 'testdir_reports'), os.path.join(PREFIX, 'testdir_nodiff') ] nodiff_file = os.path.join(PREFIX, 'testdir_nodiff', 'regular_file') directory_str = ','.join(test_directories) testdir_reports, testdir_nodiff = test_directories configurations_path = os.path.join(test_data_path, 'wazuh_conf.yaml') options = {CHECK_ALL} wazuh_log_monitor = FileMonitor(LOG_FILE_PATH) # configurations conf_params, conf_metadata = generate_params( { 'REPORT_CHANGES': { 'report_changes': 'yes' }, 'TEST_DIRECTORIES': directory_str, 'NODIFF_FILE': nodiff_file, 'MODULE_NAME': __name__ }, { 'report_changes': 'yes', 'test_directories': directory_str, 'nodiff_file': nodiff_file,
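def test_hard_link(path_file, path_link, num_links, get_configuration, configure_environment, restart_syscheckd,
                   wait_for_initial_scan):
    """Test the check_inode option when used with hard links by creating hard links inside and outside the
    monitored directory.

    This test is intended to be used with valid configuration files. Each execution of this test will
    configure the environment properly, restart the service and wait for the initial scan.

    :param path_file: The directory where the regular file is created
    :param path_link: The directory where the hard links are created
    :param num_links: Number of hard links to create. All of them will be pointing to the same regular file.
    :param get_configuration: Configuration fixture; ``['metadata']['fim_mode']`` is read to detect scheduled mode
    :param configure_environment: Fixture that prepares the environment (not used directly)
    :param restart_syscheckd: Fixture that restarts syscheckd (not used directly)
    :param wait_for_initial_scan: Fixture that waits for the initial scan (not used directly)
    """
    truncate_file(LOG_FILE_PATH)
    wazuh_log_monitor = FileMonitor(LOG_FILE_PATH)
    is_scheduled = get_configuration['metadata']['fim_mode'] == 'scheduled'
    # Links created in the same folder as the regular file are themselves inside the monitored directory
    links_in_monitored_dir = path_file == path_link

    regular_file_name = "testregularfile"
    file_list = [regular_file_name]
    hardlinks_list = []

    try:
        event_checker = EventChecker(wazuh_log_monitor, path_file, file_list)

        # Create the regular file
        create_file(REGULAR, path_file, regular_file_name, content='test content')
        check_time_travel(is_scheduled)
        event_checker.fetch_and_check('added', min_timeout=DEFAULT_TIMEOUT)

        # Create as many links pointing to the regular file as num_links. The name is recorded before the
        # link is created so that the cleanup below also covers a link whose creation failed halfway.
        link_target = os.path.join(path_file, regular_file_name)
        for index in range(num_links):
            link_name = "HardLink" + str(index)
            hardlinks_list.append(link_name)
            create_file(HARDLINK, path_link, link_name, target=link_target)

        # Try to detect the creation events for all the created links
        if links_in_monitored_dir:
            check_time_travel(is_scheduled)
            event_checker.file_list = hardlinks_list
            event_checker.fetch_and_check('added', min_timeout=DEFAULT_TIMEOUT)

        # Update file_list with the links if these were created in the monitored folder
        event_checker.file_list = file_list + hardlinks_list if links_in_monitored_dir else file_list

        # Modify the original file and detect the events for the entire file_list
        modify_file_content(path_file, regular_file_name, new_content="modified testregularfile")
        check_time_travel(is_scheduled)
        event_checker.fetch_and_check('modified', min_timeout=DEFAULT_TIMEOUT)

        # Modify the first hard link (requires num_links >= 1; with 0 links this step fails on purpose).
        # If the hard link is inside the monitored dir alerts should be triggered for the entire file_list.
        # Scheduled run should ALWAYS detect the modification of the file, even if we are using Real-time or
        # Whodata, so time travel is forced whenever the link lives outside the monitored directory.
        first_link = hardlinks_list[0]
        modify_file_content(path_link, first_link, new_content="modified " + first_link)
        check_time_travel(not links_in_monitored_dir or is_scheduled)
        event_checker.fetch_and_check('modified', min_timeout=DEFAULT_TIMEOUT)
    finally:
        # Clean up the regular file and every link name recorded so far
        delete_file(path_file, regular_file_name)
        for link in hardlinks_list:
            delete_file(path_link, link)
        check_time_travel(True)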
def restart_syscheckd(get_configuration, request):
    """Reset ossec.log, attach a fresh FileMonitor to the requesting module and restart syscheckd.

    Parameters
    ----------
    get_configuration
        Configuration fixture; not read here (kept so the fixture dependency is preserved).
    request
        Pytest request object; ``request.module`` receives the new monitor as ``wazuh_log_monitor``.
    """
    truncate_file(LOG_FILE_PATH)
    monitor = FileMonitor(LOG_FILE_PATH)
    # Make the new monitor reachable from the test module as `wazuh_log_monitor`
    request.module.wazuh_log_monitor = monitor
    # Only the syscheck daemon is restarted, not the whole Wazuh service
    control_service('restart', daemon='ossec-syscheckd')
def truncate_log():
    """Empty the Wazuh log file and return a FileMonitor attached to it.

    Returns
    -------
    FileMonitor
        Monitor positioned on the freshly truncated ``LOG_FILE_PATH``.
    """
    log_path = LOG_FILE_PATH
    truncate_file(log_path)
    monitor = FileMonitor(log_path)
    return monitor