def test_vulnerabilities_report(get_configuration, configure_environment, restart_modulesd, check_cve_db,
                                mock_vulnerability_scan):
    """Check that the mocked vulnerable packages are reported by Vulnerability Detector.

    For a 'pkg' package on an agent mocked as 'Wazuh v4.0' only the "unsupported Wazuh
    version" event is expected and the test returns early. Otherwise every entry of
    ``nvd_vulnerabilities['vulnerabilities_nvd']`` must produce a scan event; if the first
    pass times out the clock is advanced 300 seconds (to trigger the scan) and the events
    are checked once more. For non-Windows formats the NVD total logged for the agent is
    verified as well, and modulesd must still be running at the end.
    """
    expected_nvd_total = mock_vulnerability_scan["vulnerabilities_number"]
    pkg_format = mock_vulnerability_scan['format']

    if pkg_format == 'pkg' and mock_vulnerability_scan['version'] == 'Wazuh v4.0':
        agent_version = mock_vulnerability_scan['version']
        # NOTE(review): the version is interpolated into the pattern unescaped, so '.' in
        # 'v4.0' matches any character; harmless for this test-controlled value.
        wazuh_log_monitor.start(
            timeout=SCAN_TIMEOUT,
            update_position=False,
            callback=vd.make_vuln_callback(fr"Agent .* has an unsupported Wazuh version: '{agent_version}'"),
            error_message="The expected event 'Agent .* has an unsupported Wazuh version' not found"
        )
        return

    def assert_nvd_events_reported():
        # One scan event per mocked NVD vulnerability, matched by package name and CVE id.
        for entry in nvd_vulnerabilities['vulnerabilities_nvd']:
            vd.check_vulnerability_scan_event(wazuh_log_monitor, entry['package']['name'], entry['cve']['cveid'])

    try:
        assert_nvd_events_reported()
    except TimeoutError:
        # The scan may not have run yet: jump the clock forward and look again.
        check_time_travel(time_travel=True, interval=timedelta(seconds=300))
        assert_nvd_events_reported()

    if pkg_format != "win":
        vd.check_detected_vulnerabilities_number(wazuh_log_monitor=wazuh_log_monitor,
                                                 expected_vulnerabilities_number=expected_nvd_total,
                                                 feed_source='NVD',
                                                 timeout=vd.VULN_DETECTOR_SCAN_TIMEOUT)

    vd.check_if_modulesd_is_running()
def test_vulnerabilities_report(get_configuration, configure_environment, restart_modulesd, check_cve_db,
                                mock_vulnerability_scan):
    """Check that the mocked vulnerable packages are reported by Vulnerability Detector.

    Each entry of ``vulnerabilities_provider`` and ``vulnerabilities_nvd`` whose
    ``vulnerable`` field names this run's package format (or 'all') must produce a scan
    event. The per-feed totals logged for the agent must then match the mocked NVD and
    provider counts, and modulesd must still be running.
    """
    expected_provider_total = mock_vulnerability_scan["provider_vulnerabilities_number"]
    expected_nvd_total = mock_vulnerability_scan["nvd_vulnerabilities_number"]
    pkg_format = mock_vulnerability_scan["format"]

    def applies_to_this_format(entry):
        # An entry is expected when it targets this package format or every format.
        return entry['vulnerable'] in (pkg_format, 'all')

    for entry in vulnerabilities_provider:
        if applies_to_this_format(entry):
            vd.check_vulnerability_scan_event(wazuh_log_monitor, entry['package']['name'], entry['cve']['cveid'])

    for entry in vulnerabilities_nvd:
        if applies_to_this_format(entry):
            vd.check_vulnerability_scan_event(wazuh_log_monitor, entry['package']['name'], entry['cve']['cveid'])

    # The NVD summary line must report the mocked NVD total ('.*' stands for the agent id).
    vd.check_log_event(wazuh_log_monitor=wazuh_log_monitor,
                       log_event=f"A total of '{expected_nvd_total}' vulnerabilities have been reported "
                                 "for agent '.*' thanks to the 'NVD' feed.")

    # The vendor summary line must report the mocked provider total.
    vd.check_log_event(wazuh_log_monitor=wazuh_log_monitor,
                       log_event=f"A total of '{expected_provider_total}' vulnerabilities have been reported "
                                 "for agent '.*' thanks to the 'vendor' feed.")

    vd.check_if_modulesd_is_running()
def test_vulnerabilities_report(get_configuration, configure_environment, restart_modulesd, check_cve_db,
                                mock_agent, mock_vulnerability_scan):
    """Check that a missing Windows patch (hotfix) triggers a vulnerability report.

    For every CVE in ``vulnerabilities['vulnerabilities']``, ``is_hotfix_installed``
    decides (from the CVE's ``patch``, the ``dependencies`` table and the agent's mocked
    hotfixes) whether the fixing hotfix is present. An installed hotfix must be logged as
    correcting the CVE; a missing one must be logged as leaving the agent vulnerable.
    """
    installed_hotfixes = mock_vulnerability_scan['hotfixes']
    dependencies = vulnerabilities['dependencies']

    for cve, entries in vulnerabilities['vulnerabilities'].items():
        installed, hotfix = is_hotfix_installed(entries[0]['patch'], dependencies, installed_hotfixes)

        # NOTE(review): mock_agent, hotfix and cve are interpolated into the pattern
        # unescaped; they come from test fixtures, so this only matters if they ever
        # contain regex metacharacters.
        if installed:
            expected = f"Agent '{mock_agent}' has installed '{hotfix}' that corrects the vulnerability '{cve}'"
            failure = f"Could not find the report which says that the patch {hotfix} solves {cve}"
        else:
            expected = (f"Agent '{mock_agent}' is vulnerable to '{cve}'. "
                        f"Condition: 'KB{hotfix} patch is not installed'")
            failure = (f"Could not find the report which says that the system"
                       f" is vulnerable to {cve} due to missing {hotfix}")

        wazuh_log_monitor.start(
            timeout=vd.VULN_DETECTOR_SCAN_TIMEOUT,
            update_position=False,
            callback=vd.make_vuln_callback(expected),
            error_message=failure,
        )

    vd.check_if_modulesd_is_running()
def test_invalid_msu_feed(clean_vuln_tables, get_configuration, configure_environment, remove_field_feed):
    """Check Vulnerability Detector behaviour when an MSU feed is missing a field.

    The feed (with the field removed by the ``remove_field_feed`` fixture) must still be
    reported as imported, contribute zero vulnerabilities, and leave modulesd running.
    """
    vd.check_feed_imported_successfully(
        wazuh_log_monitor=wazuh_log_monitor,
        log_system_name=vd.MSU_LOG,
        expected_vulnerabilities_number=0,
    )
    vd.check_if_modulesd_is_running()
def test_extra_tags_debian_feed(test_values, clean_vuln_tables, get_configuration, configure_environment,
                                modify_feed):
    """Check Vulnerability Detector behaviour when a Debian OVAL feed carries extra tags.

    The modified feed must still import successfully (the longer Debian timeout is used)
    and modulesd must keep running. The vulnerability count itself is not asserted
    (``check_vuln_number=False``).
    """
    vd.check_feed_imported_successfully(
        wazuh_log_monitor=wazuh_log_monitor,
        log_system_name=vd.BUSTER_LOG,
        expected_vulnerabilities_number=vd.DEBIAN_NUM_CUSTOM_VULNERABILITIES,
        timeout=vd.DEBIAN_IMPORT_FEED_TIMEOUT,
        check_vuln_number=False,
    )
    vd.check_if_modulesd_is_running()
def test_invalid_values_msu_feed(test_data, custom_input, clean_vuln_tables, get_configuration,
                                 configure_environment, modify_feed):
    """Check Vulnerability Detector behaviour when an MSU feed has wrong field values.

    Whatever value ``modify_feed`` injected, the feed must still be reported as imported
    with zero vulnerabilities, and modulesd must keep running.
    """
    # NOTE(review): the original comment hinted at looking for error messages when a
    # "key" field gets a wrong type, but no such branch exists here — the outcome is the
    # same for every input.
    vd.check_feed_imported_successfully(
        wazuh_log_monitor=wazuh_log_monitor,
        log_system_name=vd.MSU_LOG,
        expected_vulnerabilities_number=0,
    )
    vd.check_if_modulesd_is_running()
def test_missing_canonical_feed(clean_vuln_tables, get_configuration, configure_environment, remove_tag_feed):
    """Check Vulnerability Detector behaviour when a Debian OVAL feed is missing a tag.

    NOTE(review): despite the name this test exercises the Debian (buster) feed.
    Tags in ``xfail_list`` are expected failures (wazuh/wazuh#5322). Removing one of the
    ``key_tags`` must make the import fail; removing any other tag must still import the
    custom feed. Both paths use the longer Debian timeout because the import also
    downloads an auxiliary JSON file.
    """
    removed_tag = remove_tag_feed['name']

    if removed_tag in xfail_list:
        pytest.xfail('Xfailing due to issue: https://github.com/wazuh/wazuh/issues/5322')

    if removed_tag in key_tags:
        vd.check_failure_when_importing_feed(wazuh_log_monitor=wazuh_log_monitor,
                                             timeout=vd.DEBIAN_IMPORT_FEED_TIMEOUT)
    else:
        vd.check_feed_imported_successfully(wazuh_log_monitor=wazuh_log_monitor,
                                            log_system_name=vd.BUSTER_LOG,
                                            expected_vulnerabilities_number=vd.DEBIAN_NUM_CUSTOM_VULNERABILITIES,
                                            timeout=vd.DEBIAN_IMPORT_FEED_TIMEOUT,
                                            check_vuln_number=False)

    vd.check_if_modulesd_is_running()
def test_missing_canonical_feed(clean_vuln_tables, get_configuration, configure_environment, remove_tag_feed):
    """Check Vulnerability Detector behaviour when a Canonical OVAL feed is missing a tag.

    Tags in ``xfail_tags`` are expected failures (wazuh/wazuh#5275). Removing one of the
    ``key_tags`` must make the import fail; removing any other tag must still import the
    custom feed with the expected number of vulnerabilities. modulesd must keep running.
    """
    removed_tag = remove_tag_feed['name']

    if removed_tag in xfail_tags:
        pytest.xfail("Xfailing due https://github.com/wazuh/wazuh/issues/5275")

    if removed_tag in key_tags:
        vd.check_failure_when_importing_feed(wazuh_log_monitor=wazuh_log_monitor)
    else:
        vd.check_feed_imported_successfully(
            wazuh_log_monitor=wazuh_log_monitor,
            log_system_name=vd.BIONIC_LOG,
            expected_vulnerabilities_number=vd.CANONICAL_NUM_CUSTOM_VULNERABILITIES,
        )

    vd.check_if_modulesd_is_running()
def test_extra_tags_arch_linux_feed(test_values, clean_vuln_tables, get_configuration, configure_environment,
                                    modify_feed):
    """Check Vulnerability Detector behaviour when an Arch Linux JSON feed has extra tags.

    An extra tag whose value is exactly a ``str`` must be ignored and the feed imported
    with the expected number of vulnerabilities; any other value type must make the
    import fail. modulesd must keep running either way.
    """
    extra_value = test_values[0]

    # Exact type check (not isinstance): only plain str values are accepted.
    if type(extra_value) is str:
        vd.check_feed_imported_successfully(
            wazuh_log_monitor=wazuh_log_monitor,
            log_system_name=vd.ARCH_LOG,
            expected_vulnerabilities_number=vd.ARCH_NUM_CUSTOM_VULNERABILITIES,
        )
    else:
        vd.check_failure_when_importing_feed(wazuh_log_monitor=wazuh_log_monitor)

    vd.check_if_modulesd_is_running()
def test_invalid_syntax_canonical_feed(test_data, clean_vuln_tables, get_configuration, configure_environment,
                                       modify_feed):
    """Check Vulnerability Detector behaviour when a Canonical OVAL feed has syntax errors.

    ``test_data['expected_fail']`` decides whether the import must fail or must succeed
    with the expected number of custom vulnerabilities. modulesd must keep running.
    """
    must_fail = test_data['expected_fail']

    if must_fail:
        vd.check_failure_when_importing_feed(wazuh_log_monitor=wazuh_log_monitor)
    else:
        vd.check_feed_imported_successfully(
            wazuh_log_monitor=wazuh_log_monitor,
            log_system_name=vd.BIONIC_LOG,
            expected_vulnerabilities_number=vd.CANONICAL_NUM_CUSTOM_VULNERABILITIES,
        )

    vd.check_if_modulesd_is_running()
def test_extra_fields_redhat_feed(test_data, clean_vuln_tables, get_configuration, configure_environment,
                                  modify_feed):
    """Check Vulnerability Detector behaviour when a Red Hat OVAL feed carries extra fields.

    ``test_data['expected_fail']`` decides whether the import must fail or must succeed.
    On success the vulnerability count is not asserted (``check_vuln_number=False``).
    modulesd must keep running either way.
    """
    must_fail = test_data['expected_fail']

    if must_fail:
        vd.check_failure_when_importing_feed(wazuh_log_monitor=wazuh_log_monitor)
    else:
        vd.check_feed_imported_successfully(
            wazuh_log_monitor=wazuh_log_monitor,
            log_system_name='Red Hat Enterprise Linux 8',
            expected_vulnerabilities_number=vd.REDHAT_NUM_CUSTOM_VULNERABILITIES,
            check_vuln_number=False,
        )

    vd.check_if_modulesd_is_running()
def test_redhat_vulnerabilities_report(get_configuration, configure_environment, restart_modulesd, check_cve_db,
                                       mock_vulnerability_scan):
    """Check that the mocked vulnerable packages are reported by Vulnerability Detector.

    The OVAL total logged for the agent must equal the number of mocked vulnerabilities,
    then every mocked package/CVE pair must appear as a scan event. modulesd must still
    be running at the end.
    """
    mocked = mock_vulnerability_scan['vulnerabilities']

    vd.check_detected_vulnerabilities_number(wazuh_log_monitor=wazuh_log_monitor,
                                             expected_vulnerabilities_number=len(mocked),
                                             feed_source='OVAL',
                                             timeout=vd.VULN_DETECTOR_SCAN_TIMEOUT)

    for entry in mocked:
        vd.check_vulnerability_scan_event(wazuh_log_monitor=wazuh_log_monitor,
                                          package=entry['package']['name'],
                                          cve=entry['cve']['cveid'])

    vd.check_if_modulesd_is_running()
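def test_invalid_archlinux_feed(clean_vuln_tables, get_configuration, configure_environment, remove_field_feed):
    """Check Vulnerability Detector behaviour when an Arch Linux feed is missing a field.

    Removing one of the ``key_tags`` must make the import fail. Removing any other field
    must still import the feed; removing 'issues' lowers the expected count by 4 (the
    number of entries the custom fixture loses without that field — confirm if the
    fixture changes). modulesd must be running at the end of BOTH paths; previously it
    was only verified after a successful import, unlike the sibling feed tests.
    """
    if remove_field_feed in key_tags:
        vd.check_failure_when_importing_feed(wazuh_log_monitor=wazuh_log_monitor)
    else:
        expected_vulnerabilities = vd.ARCH_NUM_CUSTOM_VULNERABILITIES
        if remove_field_feed == 'issues':
            expected_vulnerabilities -= 4
        vd.check_feed_imported_successfully(
            wazuh_log_monitor=wazuh_log_monitor,
            log_system_name=vd.ARCH_LOG,
            expected_vulnerabilities_number=expected_vulnerabilities,
            timeout=vd.VULN_DETECTOR_SCAN_TIMEOUT,
        )

    # A malformed feed must never take the module down, so check on both paths.
    vd.check_if_modulesd_is_running()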
def test_extra_fields_msu_feed(clean_vuln_tables, test_values, get_configuration, configure_environment,
                               modify_feed):
    """Check Vulnerability Detector behaviour when an MSU feed carries extra fields.

    An extra field whose value is exactly a ``str`` must be ignored (feed imported, zero
    vulnerabilities); any other value type must make the import fail with a parser error.
    modulesd must keep running either way.
    """
    extra_value = test_values[0]

    # Exact type check (not isinstance): only plain str values are accepted.
    if type(extra_value) is str:
        vd.check_feed_imported_successfully(
            wazuh_log_monitor=wazuh_log_monitor,
            log_system_name=vd.MSU_LOG,
            expected_vulnerabilities_number=0,
        )
    else:
        vd.check_failure_when_importing_feed(wazuh_log_monitor=wazuh_log_monitor, parser_error=True)

    vd.check_if_modulesd_is_running()
def test_extra_fields_redhat_feed(clean_vuln_tables, test_values, get_configuration, configure_environment,
                                  modify_feed):
    """Check Vulnerability Detector behaviour when a Red Hat OVAL feed carries extra fields.

    An extra field whose value is exactly a ``str`` or ``int`` (and not a lone space)
    must be ignored and the feed imported; anything else must make the import fail. Both
    paths use the global timeout, the success path does not assert the vulnerability
    count, and modulesd must keep running.
    """
    extra_value = test_values[0]

    # Exact type check: a bool is not accepted as an int, and ' ' is rejected explicitly.
    accepted = type(extra_value) in (str, int) and extra_value != ' '

    if accepted:
        vd.check_feed_imported_successfully(wazuh_log_monitor=wazuh_log_monitor,
                                            log_system_name='Red Hat Enterprise Linux 8',
                                            expected_vulnerabilities_number=vd.REDHAT_NUM_CUSTOM_VULNERABILITIES,
                                            timeout=vd.VULN_DETECTOR_GLOBAL_TIMEOUT,
                                            check_vuln_number=False)
    else:
        vd.check_failure_when_importing_feed(wazuh_log_monitor=wazuh_log_monitor,
                                             timeout=vd.VULN_DETECTOR_GLOBAL_TIMEOUT)

    vd.check_if_modulesd_is_running()
def test_invalid_values_debian_feed(test_data, custom_input, clean_vuln_tables, get_configuration,
                                    configure_environment, restart_modulesd, modify_feed):
    """Check Vulnerability Detector behaviour when a Debian OVAL feed has wrong tag values.

    ``test_data['expected_fail']`` decides whether the import must fail or must succeed.
    Both paths use the longer Debian timeout; the success path does not assert the
    vulnerability count. modulesd must keep running.
    """
    must_fail = test_data['expected_fail']

    if must_fail:
        vd.check_failure_when_importing_feed(wazuh_log_monitor=wazuh_log_monitor,
                                             timeout=vd.DEBIAN_IMPORT_FEED_TIMEOUT)
    else:
        vd.check_feed_imported_successfully(wazuh_log_monitor=wazuh_log_monitor,
                                            log_system_name=vd.BUSTER_LOG,
                                            expected_vulnerabilities_number=vd.DEBIAN_NUM_CUSTOM_VULNERABILITIES,
                                            timeout=vd.DEBIAN_IMPORT_FEED_TIMEOUT,
                                            check_vuln_number=False)

    vd.check_if_modulesd_is_running()
def test_extra_tags_canonical_feed(test_values, clean_vuln_tables, get_configuration, configure_environment,
                                   modify_feed):
    """Check Vulnerability Detector behaviour when a Canonical OVAL feed carries extra tags.

    An extra tag whose value is exactly a ``str`` or ``int`` (and not a lone space) must
    be ignored and the feed imported with the expected number of vulnerabilities;
    anything else must make the import fail. modulesd must keep running.
    """
    extra_value = test_values[0]

    # Exact type check: a bool is not accepted as an int, and ' ' is rejected explicitly.
    accepted = type(extra_value) in (str, int) and extra_value != ' '

    if accepted:
        vd.check_feed_imported_successfully(
            wazuh_log_monitor=wazuh_log_monitor,
            log_system_name=vd.BIONIC_LOG,
            expected_vulnerabilities_number=vd.CANONICAL_NUM_CUSTOM_VULNERABILITIES,
        )
    else:
        vd.check_failure_when_importing_feed(wazuh_log_monitor=wazuh_log_monitor)

    vd.check_if_modulesd_is_running()
def test_macos_vulnerabilities_report(get_configuration, configure_environment, restart_modulesd, check_cve_db,
                                      mock_vulnerability_scan):
    """Check that mocked macOS vulnerabilities are reported by Vulnerability Detector.

    The OS itself is reported as package 'mac_os_x' (for "Mac OS X") or 'mac_os_x_server'
    (any other mocked OS name) with the mocked OS-level CVE, then every mocked
    package/CVE pair must appear as a scan event. modulesd must still be running.
    """
    os_package = "mac_os_x" if mock_vulnerability_scan['os_name'] == "Mac OS X" else "mac_os_x_server"
    vd.check_vulnerability_scan_event(wazuh_log_monitor, os_package, mock_vulnerability_scan['cve'])

    for entry in mock_vulnerability_scan['vulnerabilities']:
        vd.check_vulnerability_scan_event(wazuh_log_monitor, entry['package']['name'], entry['cve']['cveid'])

    vd.check_if_modulesd_is_running()
def test_invalid_values_arch_linux_feed(test_data, custom_input, clean_vuln_tables, get_configuration,
                                        configure_environment, modify_feed):
    """Check Vulnerability Detector behaviour when an Arch Linux feed has wrong field values.

    If ``custom_input`` is an instance of one of the types listed in ``test_data['type']``
    the feed must import with the expected count; otherwise the import must fail (short
    10 s timeout). When the 'packages' field is replaced by a list, each extra package
    name carries the fixture's 5 example vulnerabilities, so the expected count grows by
    5 per additional element. modulesd must keep running.
    """
    allowed_types = tuple(test_data['type'])

    if isinstance(custom_input, allowed_types):
        expected_count = vd.ARCH_NUM_CUSTOM_VULNERABILITIES
        if test_data['field'] == 'packages' and isinstance(custom_input, list):
            # Every extra package name is matched against the same 5 example vulnerabilities.
            expected_count += 5 * (len(custom_input) - 1)
        vd.check_feed_imported_successfully(
            wazuh_log_monitor=wazuh_log_monitor,
            log_system_name=vd.ARCH_LOG,
            expected_vulnerabilities_number=expected_count,
        )
    else:
        vd.check_failure_when_importing_feed(wazuh_log_monitor=wazuh_log_monitor, timeout=10)

    vd.check_if_modulesd_is_running()
def test_invalid_values_canonical_feed(test_data, custom_input, clean_vuln_tables, get_configuration,
                                       configure_environment, modify_feed):
    """Check Vulnerability Detector behaviour when a Canonical OVAL feed has wrong tag values.

    The 'dpkginfo_test' case is an expected failure (wazuh/wazuh#5275). Otherwise
    ``test_data['expected_fail']`` decides whether the import must fail or must succeed
    with the expected number of custom vulnerabilities. modulesd must keep running.
    """
    if test_data['name'] == 'dpkginfo_test':
        pytest.xfail('Xfailing due to issue: https://github.com/wazuh/wazuh/issues/5275')

    must_fail = test_data['expected_fail']

    if must_fail:
        vd.check_failure_when_importing_feed(wazuh_log_monitor=wazuh_log_monitor)
    else:
        vd.check_feed_imported_successfully(
            wazuh_log_monitor=wazuh_log_monitor,
            log_system_name=vd.BIONIC_LOG,
            expected_vulnerabilities_number=vd.CANONICAL_NUM_CUSTOM_VULNERABILITIES,
        )

    vd.check_if_modulesd_is_running()
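def test_vulnerabilities_report(get_configuration, configure_environment, restart_modulesd, check_cve_db,
                                mock_vulnerability_scan):
    """Check that the mocked vulnerable packages are reported by Vulnerability Detector.

    Every entry of ``vulnerabilities['vulnerabilities_provider']`` must produce a scan
    event; for non-'rpm' formats the NVD entries are checked too. A pass that times out
    advances the clock 300 seconds (to trigger the scan) and retries once. The per-feed
    totals logged for the agent must then match the mocked provider and NVD counts, and
    modulesd must still be running.

    The "check, time-travel, check again" sequence and the per-feed summary check were
    each duplicated verbatim; they are now local helpers. The two error messages were
    f-strings with no placeholders and are built from the feed name instead.
    """
    expected_provider_total = mock_vulnerability_scan["provider_vulnerabilities_number"]
    expected_nvd_total = mock_vulnerability_scan["nvd_vulnerabilities_number"]

    def assert_events_reported(entries):
        # One scan event per mocked vulnerability, matched by package name and CVE id.
        for entry in entries:
            vd.check_vulnerability_scan_event(wazuh_log_monitor, entry['package']['name'], entry['cve']['cveid'])

    def assert_events_with_retry(entries):
        # The scan may not have run yet: on timeout, jump the clock forward and look again.
        try:
            assert_events_reported(entries)
        except TimeoutError:
            check_time_travel(time_travel=True, interval=timedelta(seconds=300))
            assert_events_reported(entries)

    def assert_feed_total(feed, expected_total):
        # The summary line is matched as a pattern; '.*' stands for the agent id.
        wazuh_log_monitor.start(
            timeout=SCAN_TIMEOUT,
            update_position=False,
            callback=vd.make_vuln_callback(
                f"A total of '{expected_total}' vulnerabilities have been reported for agent '.*' "
                f"thanks to the '{feed}' feed."),
            error_message=f"The expected number of vulnerabilities for {feed} have not been found",
        )

    assert_events_with_retry(vulnerabilities['vulnerabilities_provider'])
    if mock_vulnerability_scan["format"] != "rpm":
        assert_events_with_retry(vulnerabilities['vulnerabilities_nvd'])

    assert_feed_total('vendor', expected_provider_total)
    assert_feed_total('NVD', expected_nvd_total)

    vd.check_if_modulesd_is_running()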
def test_invalid_syntax_arch_linux_feed(test_data, clean_vuln_tables, get_configuration, configure_environment,
                                        modify_feed):
    """Check Vulnerability Detector behaviour when an Arch Linux feed has syntax errors.

    A syntactically broken feed must be rejected with a parser error, and modulesd must
    keep running afterwards.
    """
    vd.check_failure_when_importing_feed(
        wazuh_log_monitor=wazuh_log_monitor,
        parser_error=True,
    )
    vd.check_if_modulesd_is_running()