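def test_vulnerabilities_report(get_configuration, configure_environment, restart_modulesd, check_cve_db,
                                mock_vulnerability_scan):
    """
    Check that the vulnerable packages inserted by ``mock_vulnerability_scan`` are reported by Vulnerability
    Detector through the NVD feed.

    Flow, driven by the fixture data:
      * ``pkg`` format on ``Wazuh v4.0`` is an unsupported-agent case: only the "unsupported Wazuh version"
        log event is expected and the test returns early.
      * Otherwise every entry of the module-level ``nvd_vulnerabilities['vulnerabilities_nvd']`` must produce
        a scan event. If the first pass times out, the clock is moved forward 300 s (presumably to force a new
        scan) and the whole list is checked once more; a second timeout propagates as the test failure.
      * For every format except ``win`` the total reported for the NVD feed must equal
        ``mock_vulnerability_scan['vulnerabilities_number']``.
      * modulesd must still be running at the end.

    Args:
        get_configuration, configure_environment, restart_modulesd, check_cve_db: pytest fixtures used only
            for their setup side effects.
        mock_vulnerability_scan (dict): fixture data; keys read here are ``format``, ``version`` and
            ``vulnerabilities_number``.

    Raises:
        TimeoutError: if an expected event is not logged within the timeout, even after the time-travel retry.

    Fix: the agent version is now regex-escaped before being interpolated into the expected log pattern, so the
    '.' in 'v4.0' matches a literal dot instead of any character.
    """
    import re  # local import: the module's import block is not part of this listing

    vulnerabilities_number = mock_vulnerability_scan["vulnerabilities_number"]

    if mock_vulnerability_scan['format'] == 'pkg' and mock_vulnerability_scan['version'] == 'Wazuh v4.0':
        version = mock_vulnerability_scan['version']
        # The pattern handed to make_vuln_callback is a regex ('.*'), so the version must be escaped.
        wazuh_log_monitor.start(
            timeout=SCAN_TIMEOUT,
            update_position=False,
            callback=vd.make_vuln_callback(
                fr"Agent .* has an unsupported Wazuh version: '{re.escape(version)}'"),
            error_message="The expected event 'Agent .* has an unsupported Wazuh version' not found"
        )
        return

    def _check_all_nvd_events():
        # One pass over every expected (package, CVE) pair; raises TimeoutError on the first missing event.
        for item in nvd_vulnerabilities['vulnerabilities_nvd']:
            vd.check_vulnerability_scan_event(wazuh_log_monitor, item['package']['name'], item['cve']['cveid'])

    # Check the vulnerabilities of inserted packages. A first timeout is not fatal: jump the clock forward and
    # repeat the whole pass once (same retry policy as the original, without the duplicated loop).
    try:
        _check_all_nvd_events()
    except TimeoutError:
        check_time_travel(time_travel=True, interval=timedelta(seconds=300))
        _check_all_nvd_events()

    # Check that the number of NVD vulnerabilities is the expected; the 'win' format is skipped here.
    if mock_vulnerability_scan["format"] != "win":
        vd.check_detected_vulnerabilities_number(wazuh_log_monitor=wazuh_log_monitor,
                                                 expected_vulnerabilities_number=vulnerabilities_number,
                                                 feed_source='NVD', timeout=vd.VULN_DETECTOR_SCAN_TIMEOUT)

    vd.check_if_modulesd_is_running()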
def test_vulnerabilities_report(get_configuration, configure_environment, restart_modulesd, check_cve_db,
                                mock_vulnerability_scan):
    """
    Check that inserted vulnerable packages are reported by Vulnerability Detector from both the vendor
    (provider) feed and the NVD feed, and that the reported totals match the fixture.

    Only entries of the module-level ``vulnerabilities_provider`` / ``vulnerabilities_nvd`` lists whose
    ``vulnerable`` field equals the scanned package ``format`` (or is ``'all'``) must produce a scan event.
    The two totals are then matched against the "A total of ... vulnerabilities" log lines for the 'NVD' feed
    and the 'vendor' feed, in that order. modulesd must still be running at the end.

    Args:
        get_configuration, configure_environment, restart_modulesd, check_cve_db: pytest fixtures used only
            for their setup side effects.
        mock_vulnerability_scan (dict): fixture data; keys read here are ``format``,
            ``provider_vulnerabilities_number`` and ``nvd_vulnerabilities_number``.
    """
    scan_format = mock_vulnerability_scan["format"]
    expected_from_provider = mock_vulnerability_scan["provider_vulnerabilities_number"]
    expected_from_nvd = mock_vulnerability_scan["nvd_vulnerabilities_number"]

    def applies_to_format(entry):
        # An entry is expected for this run when it targets the scanned format explicitly or every format.
        return entry['vulnerable'] in (scan_format, 'all')

    # Check the scan event of every package inserted: provider entries first, NVD entries after.
    for feed_entries in (vulnerabilities_provider, vulnerabilities_nvd):
        for entry in feed_entries:
            if applies_to_format(entry):
                vd.check_vulnerability_scan_event(wazuh_log_monitor, entry['package']['name'],
                                                  entry['cve']['cveid'])

    # Check that the number of NVD vulnerabilities is the expected.
    vd.check_log_event(wazuh_log_monitor=wazuh_log_monitor,
                       log_event=f"A total of '{expected_from_nvd}' vulnerabilities have been reported "
                                 "for agent '.*' thanks to the 'NVD' feed.")

    # Check that the number of vendor (provider) vulnerabilities is the expected.
    vd.check_log_event(wazuh_log_monitor=wazuh_log_monitor,
                       log_event=f"A total of '{expected_from_provider}' vulnerabilities have been reported "
                                 "for agent '.*' thanks to the 'vendor' feed.")

    vd.check_if_modulesd_is_running()
def test_vulnerabilities_report(get_configuration, configure_environment,
                                restart_modulesd, check_cve_db, mock_agent,
                                mock_vulnerability_scan):
    """
    Check that a missing Windows patch (KB hotfix) is reported as a vulnerability, and that an installed patch
    is reported as correcting it (Windows only).

    For every CVE in the module-level ``vulnerabilities['vulnerabilities']`` the patch of its first entry is
    resolved with ``is_hotfix_installed`` against the fixture's installed hotfixes; the log is then expected to
    contain either the "has installed ... that corrects" event or the "is vulnerable to ... patch is not
    installed" event for ``mock_agent``. modulesd must still be running at the end.

    Args:
        mock_agent: agent identifier interpolated into the expected log lines.
        mock_vulnerability_scan (dict): fixture data; only ``hotfixes`` is read here.
    """
    installed_hotfixes = mock_vulnerability_scan['hotfixes']
    dependencies = vulnerabilities['dependencies']

    for cve, entries in vulnerabilities['vulnerabilities'].items():
        installed, hotfix = is_hotfix_installed(entries[0]['patch'], dependencies,
                                                installed_hotfixes)
        # Build the expected event and the failure message for this CVE, then wait for it once.
        # NOTE(review): mock_agent, hotfix and cve are interpolated into a regex unescaped; fine for the
        # numeric/KB/CVE identifiers used here, but a '.' or '+' in them would widen the match.
        if installed:
            expected_event = (f"Agent '{mock_agent}' has installed '{hotfix}' that corrects the vulnerability "
                              f"'{cve}'")
            failure_message = f"Could not find the report which says that the patch {hotfix} solves {cve}"
        else:
            expected_event = (f"Agent '{mock_agent}' is vulnerable to '{cve}'. Condition: 'KB{hotfix} patch is "
                              f"not installed'")
            failure_message = (f"Could not find the report which says that the system"
                               f" is vulnerable to {cve} due to missing {hotfix}")
        wazuh_log_monitor.start(
            timeout=vd.VULN_DETECTOR_SCAN_TIMEOUT,
            update_position=False,
            callback=vd.make_vuln_callback(expected_event),
            error_message=failure_message)

    vd.check_if_modulesd_is_running()
def test_invalid_msu_feed(clean_vuln_tables, get_configuration, configure_environment, remove_field_feed):
    """
    Check that an MSU feed with one field removed (prepared by the ``remove_field_feed`` fixture) is still
    accepted by Vulnerability Detector, reporting zero vulnerabilities, and that modulesd survives the import.

    All parameters are pytest fixtures used only for their setup side effects.
    """
    # The import must succeed but yield no vulnerabilities (presumably the entries missing the field are
    # dropped rather than rejecting the whole feed).
    expected_count = 0
    vd.check_feed_imported_successfully(wazuh_log_monitor=wazuh_log_monitor,
                                        log_system_name=vd.MSU_LOG,
                                        expected_vulnerabilities_number=expected_count)
    vd.check_if_modulesd_is_running()
def test_extra_tags_debian_feed(test_values, clean_vuln_tables, get_configuration, configure_environment, modify_feed):
    """
    Check that a Debian OVAL feed extended with extra tags (``modify_feed`` driven by ``test_values``) is still
    imported for the Buster system, and that modulesd survives the import.

    The vulnerability count is deliberately not asserted (``check_vuln_number=False``); only the successful
    import is required. The longer Debian timeout is used because this import also downloads an auxiliary JSON
    file.
    """
    import_expectation = dict(
        wazuh_log_monitor=wazuh_log_monitor,
        log_system_name=vd.BUSTER_LOG,
        expected_vulnerabilities_number=vd.DEBIAN_NUM_CUSTOM_VULNERABILITIES,
        timeout=vd.DEBIAN_IMPORT_FEED_TIMEOUT,
        check_vuln_number=False,
    )
    vd.check_feed_imported_successfully(**import_expectation)
    vd.check_if_modulesd_is_running()
def test_invalid_values_msu_feed(test_data, custom_input, clean_vuln_tables,
                                 get_configuration, configure_environment,
                                 modify_feed):
    """
    Check that an MSU feed whose field values were replaced with wrong ones (``modify_feed``, driven by
    ``test_data`` and ``custom_input``) is still imported with zero vulnerabilities, and that modulesd survives.

    Every parametrization goes through the same success check: unlike the OVAL feed tests there is no
    ``expected_fail`` branch here, whatever the field or the type of the injected value.
    """
    expected_count = 0
    vd.check_feed_imported_successfully(wazuh_log_monitor=wazuh_log_monitor,
                                        log_system_name=vd.MSU_LOG,
                                        expected_vulnerabilities_number=expected_count)
    vd.check_if_modulesd_is_running()
def test_missing_canonical_feed(clean_vuln_tables, get_configuration, configure_environment, remove_tag_feed):
    """
    Check Vulnerability Detector behaviour when a tag is removed from the Debian (Buster) OVAL feed.

    Despite the function name, this variant targets the Debian feed (``vd.BUSTER_LOG``). Removing a tag listed
    in ``key_tags`` must make the import fail; removing any other tag must still import the feed (count not
    asserted). Tags listed in ``xfail_list`` are marked xfail pending the linked upstream issue. modulesd must
    still be running afterwards.
    """
    removed_tag = remove_tag_feed['name']

    if removed_tag in xfail_list:
        pytest.xfail('Xfailing due to issue: https://github.com/wazuh/wazuh/issues/5322')

    # Pick the expectation for this tag; both branches need the longer Debian timeout because the import also
    # downloads an auxiliary JSON file.
    if removed_tag in key_tags:
        expectation, extra_kwargs = vd.check_failure_when_importing_feed, {}
    else:
        expectation = vd.check_feed_imported_successfully
        extra_kwargs = dict(log_system_name=vd.BUSTER_LOG,
                            expected_vulnerabilities_number=vd.DEBIAN_NUM_CUSTOM_VULNERABILITIES,
                            check_vuln_number=False)
    expectation(wazuh_log_monitor=wazuh_log_monitor, timeout=vd.DEBIAN_IMPORT_FEED_TIMEOUT, **extra_kwargs)

    vd.check_if_modulesd_is_running()
def test_missing_canonical_feed(clean_vuln_tables, get_configuration,
                                configure_environment, remove_tag_feed):
    """
    Check Vulnerability Detector behaviour when a tag is removed from the Canonical (Bionic) OVAL feed.

    Removing a tag listed in ``key_tags`` must make the import fail; removing any other tag must still import
    the feed with the full custom vulnerability count. Tags in ``xfail_tags`` are marked xfail pending the
    linked upstream issue. modulesd must still be running afterwards.
    """
    removed_tag = remove_tag_feed['name']

    if removed_tag in xfail_tags:
        pytest.xfail("Xfailing due https://github.com/wazuh/wazuh/issues/5275")

    # Pick the expectation for this tag, then run a single check with the shared log monitor.
    if removed_tag in key_tags:
        expectation, extra_kwargs = vd.check_failure_when_importing_feed, {}
    else:
        expectation = vd.check_feed_imported_successfully
        extra_kwargs = dict(log_system_name=vd.BIONIC_LOG,
                            expected_vulnerabilities_number=vd.CANONICAL_NUM_CUSTOM_VULNERABILITIES)
    expectation(wazuh_log_monitor=wazuh_log_monitor, **extra_kwargs)

    vd.check_if_modulesd_is_running()
def test_extra_tags_arch_linux_feed(test_values, clean_vuln_tables,
                                    get_configuration, configure_environment,
                                    modify_feed):
    """
    Check Vulnerability Detector behaviour when an extra tag is added to the Arch Linux JSON feed.

    ``test_values[0]`` is the injected tag. A plain ``str`` must not prevent the import, which must report the
    full custom vulnerability count; any other type must make the import fail. modulesd must still be running
    afterwards.
    """
    injected = test_values[0]
    # Exact type match, as in the original: subclasses of str do not take the success path.
    tag_is_plain_string = type(injected) is str

    if not tag_is_plain_string:
        vd.check_failure_when_importing_feed(wazuh_log_monitor=wazuh_log_monitor)
    else:
        vd.check_feed_imported_successfully(wazuh_log_monitor=wazuh_log_monitor,
                                            log_system_name=vd.ARCH_LOG,
                                            expected_vulnerabilities_number=vd.ARCH_NUM_CUSTOM_VULNERABILITIES)

    vd.check_if_modulesd_is_running()
def test_invalid_syntax_canonical_feed(test_data, clean_vuln_tables,
                                       get_configuration,
                                       configure_environment, modify_feed):
    """
    Check Vulnerability Detector behaviour when the Canonical (Bionic) OVAL feed contains syntax errors.

    ``test_data['expected_fail']`` decides the outcome: a failed import for broken inputs, otherwise a
    successful import with the full custom vulnerability count. modulesd must still be running afterwards.
    """
    if test_data['expected_fail']:
        check, kwargs = vd.check_failure_when_importing_feed, {}
    else:
        check = vd.check_feed_imported_successfully
        kwargs = dict(log_system_name=vd.BIONIC_LOG,
                      expected_vulnerabilities_number=vd.CANONICAL_NUM_CUSTOM_VULNERABILITIES)
    check(wazuh_log_monitor=wazuh_log_monitor, **kwargs)
    vd.check_if_modulesd_is_running()
def test_extra_fields_redhat_feed(test_data, clean_vuln_tables,
                                  get_configuration, configure_environment,
                                  modify_feed):
    """
    Check Vulnerability Detector behaviour when the Red Hat OVAL feed is altered by the ``modify_feed`` fixture
    according to ``test_data``.

    ``test_data['expected_fail']`` decides the outcome: the import must fail, or it must succeed for
    'Red Hat Enterprise Linux 8' (the vulnerability count itself is not asserted). modulesd must still be
    running afterwards. The original docstring spoke of syntax errors while the test name says extra fields;
    which of the two the fixture injects is not visible from this listing.
    """
    if test_data['expected_fail']:
        vd.check_failure_when_importing_feed(wazuh_log_monitor=wazuh_log_monitor)
        vd.check_if_modulesd_is_running()
        return

    vd.check_feed_imported_successfully(wazuh_log_monitor=wazuh_log_monitor,
                                        log_system_name='Red Hat Enterprise Linux 8',
                                        expected_vulnerabilities_number=vd.REDHAT_NUM_CUSTOM_VULNERABILITIES,
                                        check_vuln_number=False)
    vd.check_if_modulesd_is_running()
def test_redhat_vulnerabilities_report(get_configuration, configure_environment, restart_modulesd, check_cve_db,
                                       mock_vulnerability_scan):
    """
    Check that the vulnerable packages inserted by ``mock_vulnerability_scan`` are reported by Vulnerability
    Detector through the Red Hat OVAL feed.

    The reported OVAL total must equal the number of fixture entries, every (package, CVE) pair must produce a
    scan event, and modulesd must still be running afterwards. Only ``mock_vulnerability_scan['vulnerabilities']``
    is read.
    """
    expected_entries = mock_vulnerability_scan['vulnerabilities']

    # Total first: the summary line must report exactly as many OVAL findings as entries were inserted.
    vd.check_detected_vulnerabilities_number(wazuh_log_monitor=wazuh_log_monitor,
                                             expected_vulnerabilities_number=len(expected_entries),
                                             feed_source='OVAL', timeout=vd.VULN_DETECTOR_SCAN_TIMEOUT)

    # Then one scan event per inserted package/CVE pair.
    for entry in expected_entries:
        package_name, cve_id = entry['package']['name'], entry['cve']['cveid']
        vd.check_vulnerability_scan_event(wazuh_log_monitor=wazuh_log_monitor, package=package_name, cve=cve_id)

    vd.check_if_modulesd_is_running()
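def test_invalid_archlinux_feed(clean_vuln_tables, get_configuration,
                                configure_environment, remove_field_feed):
    """
    Check Vulnerability Detector behaviour when a field is removed from the Arch Linux JSON feed.

    ``remove_field_feed`` is compared directly as the removed field's name (unlike the dict-valued
    ``remove_tag_feed`` used by the OVAL tests — confirm against the fixture). Removing a field listed in
    ``key_tags`` must make the import fail; removing any other field must still import the feed. Removing
    ``issues`` lowers the expected count by four.

    Fix: modulesd is now required to be running at the end of *both* branches. The original only checked it on
    the success path, so a feed that crashed the module while being rejected would have gone unnoticed; every
    sibling test in this suite performs the check unconditionally.
    """
    if remove_field_feed in key_tags:
        vd.check_failure_when_importing_feed(wazuh_log_monitor=wazuh_log_monitor)
    else:
        expected_vulnerabilities = vd.ARCH_NUM_CUSTOM_VULNERABILITIES
        if remove_field_feed == 'issues':
            # Presumably four of the custom vulnerabilities are carried by 'issues' and vanish with it.
            expected_vulnerabilities -= 4
        vd.check_feed_imported_successfully(
            wazuh_log_monitor=wazuh_log_monitor,
            log_system_name=vd.ARCH_LOG,
            expected_vulnerabilities_number=expected_vulnerabilities,
            timeout=vd.VULN_DETECTOR_SCAN_TIMEOUT)

    # A feed that fails to import must not take modulesd down either.
    vd.check_if_modulesd_is_running()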
def test_extra_fields_msu_feed(clean_vuln_tables, test_values,
                               get_configuration, configure_environment,
                               modify_feed):
    """
    Check Vulnerability Detector behaviour when an extra field is added to the MSU feed.

    ``test_values[0]`` is the injected field. A plain ``str`` must leave the feed importable (with zero
    vulnerabilities reported); any other type must make the import fail with a parser error. modulesd must
    still be running afterwards.
    """
    injected_field = test_values[0]

    # Exact type check as in the original: only a real str takes the success path.
    if type(injected_field) is not str:
        vd.check_failure_when_importing_feed(wazuh_log_monitor=wazuh_log_monitor, parser_error=True)
    else:
        vd.check_feed_imported_successfully(wazuh_log_monitor=wazuh_log_monitor,
                                            log_system_name=vd.MSU_LOG,
                                            expected_vulnerabilities_number=0)

    vd.check_if_modulesd_is_running()
def test_extra_fields_redhat_feed(clean_vuln_tables, test_values, get_configuration, configure_environment,
                                  modify_feed):
    """
    Check Vulnerability Detector behaviour when an extra field is added to the Red Hat OVAL feed.

    ``test_values[0]`` is the injected value. A ``str`` or ``int`` other than a single space must leave the
    feed importable for 'Red Hat Enterprise Linux 8' (count not asserted); a lone space or any other type must
    make the import fail. Both paths use the global timeout. modulesd must still be running afterwards.
    """
    injected = test_values[0]
    # Exact type membership as in the original (no subclasses, so a bool is rejected) plus the single-space
    # special case.
    importable = injected != ' ' and type(injected) in (str, int)

    if importable:
        vd.check_feed_imported_successfully(wazuh_log_monitor=wazuh_log_monitor,
                                            log_system_name='Red Hat Enterprise Linux 8',
                                            expected_vulnerabilities_number=vd.REDHAT_NUM_CUSTOM_VULNERABILITIES,
                                            timeout=vd.VULN_DETECTOR_GLOBAL_TIMEOUT,
                                            check_vuln_number=False)
    else:
        vd.check_failure_when_importing_feed(wazuh_log_monitor=wazuh_log_monitor,
                                             timeout=vd.VULN_DETECTOR_GLOBAL_TIMEOUT)

    vd.check_if_modulesd_is_running()
def test_invalid_values_debian_feed(test_data, custom_input, clean_vuln_tables,
                                    get_configuration, configure_environment,
                                    restart_modulesd, modify_feed):
    """
    Check Vulnerability Detector behaviour when tag values in the Debian (Buster) OVAL feed are replaced with
    wrong ones (``modify_feed``, driven by ``test_data`` and ``custom_input``).

    ``test_data['expected_fail']`` decides the outcome: a failed import, or a successful import of the Buster
    feed (count not asserted). Both paths use the longer Debian import timeout. modulesd must still be running
    afterwards.
    """
    debian_timeout = vd.DEBIAN_IMPORT_FEED_TIMEOUT

    if test_data['expected_fail']:
        vd.check_failure_when_importing_feed(wazuh_log_monitor=wazuh_log_monitor, timeout=debian_timeout)
        vd.check_if_modulesd_is_running()
        return

    vd.check_feed_imported_successfully(wazuh_log_monitor=wazuh_log_monitor,
                                        log_system_name=vd.BUSTER_LOG,
                                        expected_vulnerabilities_number=vd.DEBIAN_NUM_CUSTOM_VULNERABILITIES,
                                        timeout=debian_timeout,
                                        check_vuln_number=False)
    vd.check_if_modulesd_is_running()
def test_extra_tags_canonical_feed(test_values, clean_vuln_tables,
                                   get_configuration, configure_environment,
                                   modify_feed):
    """
    Check Vulnerability Detector behaviour when an extra tag is added to the Canonical (Bionic) OVAL feed.

    ``test_values[0]`` is the injected tag. A ``str`` or ``int`` other than a single space must leave the feed
    importable with the full custom vulnerability count; a lone space or any other type must make the import
    fail. modulesd must still be running afterwards.
    """
    injected = test_values[0]
    # Exact type membership as in the original (no subclasses) plus the single-space special case.
    importable = injected != ' ' and type(injected) in (str, int)

    if not importable:
        vd.check_failure_when_importing_feed(wazuh_log_monitor=wazuh_log_monitor)
    else:
        vd.check_feed_imported_successfully(wazuh_log_monitor=wazuh_log_monitor,
                                            log_system_name=vd.BIONIC_LOG,
                                            expected_vulnerabilities_number=vd.CANONICAL_NUM_CUSTOM_VULNERABILITIES)

    vd.check_if_modulesd_is_running()
def test_macos_vulnerabilities_report(get_configuration, configure_environment,
                                      restart_modulesd, check_cve_db,
                                      mock_vulnerability_scan):
    """
    Check that the vulnerable macOS packages inserted by ``mock_vulnerability_scan`` are reported by
    Vulnerability Detector.

    The operating system itself is expected as a package entry: ``mac_os_x`` when ``os_name`` is "Mac OS X",
    ``mac_os_x_server`` for anything else, paired with the fixture's ``cve``. Then every entry of
    ``vulnerabilities`` must produce a scan event. modulesd must still be running afterwards.
    """
    os_name = mock_vulnerability_scan['os_name']
    os_package = "mac_os_x" if os_name == "Mac OS X" else "mac_os_x_server"
    vd.check_vulnerability_scan_event(wazuh_log_monitor, os_package, mock_vulnerability_scan['cve'])

    for entry in mock_vulnerability_scan['vulnerabilities']:
        package_name, cve_id = entry['package']['name'], entry['cve']['cveid']
        vd.check_vulnerability_scan_event(wazuh_log_monitor, package_name, cve_id)

    vd.check_if_modulesd_is_running()
def test_invalid_values_arch_linux_feed(test_data, custom_input,
                                        clean_vuln_tables, get_configuration,
                                        configure_environment, modify_feed):
    """
    Check Vulnerability Detector behaviour when a field of the Arch Linux JSON feed is replaced with a value of
    the wrong type (``modify_feed``, driven by ``test_data`` and ``custom_input``).

    If ``custom_input`` is an instance of one of ``test_data['type']`` the feed must import with the custom
    vulnerability count; a list injected into ``packages`` raises the expectation by 5 per extra package, since
    each package name is expected to repeat the 5 example vulnerabilities. Any other input must make the import
    fail within a short 10 s window. modulesd must still be running afterwards.
    """
    accepted_types = tuple(test_data['type'])

    if not isinstance(custom_input, accepted_types):
        vd.check_failure_when_importing_feed(wazuh_log_monitor=wazuh_log_monitor, timeout=10)
        vd.check_if_modulesd_is_running()
        return

    expected_count = vd.ARCH_NUM_CUSTOM_VULNERABILITIES
    if test_data['field'] == 'packages' and isinstance(custom_input, list):
        # Every additional package name is expected to carry the same 5 example vulnerabilities.
        extra_packages = len(custom_input) - 1
        expected_count += 5 * extra_packages
    vd.check_feed_imported_successfully(wazuh_log_monitor=wazuh_log_monitor,
                                        log_system_name=vd.ARCH_LOG,
                                        expected_vulnerabilities_number=expected_count)

    vd.check_if_modulesd_is_running()
def test_invalid_values_canonical_feed(test_data, custom_input,
                                       clean_vuln_tables, get_configuration,
                                       configure_environment, modify_feed):
    """
    Check Vulnerability Detector behaviour when tag values in the Canonical (Bionic) OVAL feed are replaced with
    wrong ones (``modify_feed``, driven by ``test_data`` and ``custom_input``).

    The ``dpkginfo_test`` case is marked xfail pending the linked upstream issue. Otherwise
    ``test_data['expected_fail']`` decides the outcome: a failed import, or a successful import with the full
    custom vulnerability count. modulesd must still be running afterwards.
    """
    if test_data['name'] == 'dpkginfo_test':
        pytest.xfail('Xfailing due to issue: https://github.com/wazuh/wazuh/issues/5275')

    if test_data['expected_fail']:
        check, kwargs = vd.check_failure_when_importing_feed, {}
    else:
        check = vd.check_feed_imported_successfully
        kwargs = dict(log_system_name=vd.BIONIC_LOG,
                      expected_vulnerabilities_number=vd.CANONICAL_NUM_CUSTOM_VULNERABILITIES)
    check(wazuh_log_monitor=wazuh_log_monitor, **kwargs)
    vd.check_if_modulesd_is_running()
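def test_vulnerabilities_report(get_configuration, configure_environment,
                                restart_modulesd, check_cve_db,
                                mock_vulnerability_scan):
    """
    Check that inserted vulnerable packages are reported by Vulnerability Detector from both the vendor
    (provider) feed and the NVD feed, and that the reported totals match the fixture.

    Every entry of the module-level ``vulnerabilities['vulnerabilities_provider']`` must produce a scan event;
    the same holds for ``vulnerabilities['vulnerabilities_nvd']`` except for the ``rpm`` format. If a pass
    times out, the clock is moved forward 300 s (presumably to force a new scan) and the whole pass is repeated
    once; a second timeout propagates as the test failure. The "A total of ..." summary lines for the 'vendor'
    and 'NVD' feeds must then carry the expected counts, and modulesd must still be running at the end.

    Args:
        get_configuration, configure_environment, restart_modulesd, check_cve_db: pytest fixtures used only
            for their setup side effects.
        mock_vulnerability_scan (dict): fixture data; keys read here are ``format``,
            ``provider_vulnerabilities_number`` and ``nvd_vulnerabilities_number``.

    Raises:
        TimeoutError: if an expected event is not logged within the timeout, even after the time-travel retry.

    Fix: the two copy-pasted "check, time-travel, check again" loops and the two near-identical total checks
    are folded into local helpers, and the placeholder-less f-strings in the error messages are gone.
    """
    provider_vulnerabilities_number = mock_vulnerability_scan["provider_vulnerabilities_number"]
    nvd_vulnerabilities_number = mock_vulnerability_scan["nvd_vulnerabilities_number"]

    def _check_scan_events(entries):
        # Expect one scan event per (package, CVE) pair in entries; retry the whole pass once after moving the
        # clock forward, exactly as the original did.
        def one_pass():
            for item in entries:
                vd.check_vulnerability_scan_event(wazuh_log_monitor,
                                                  item['package']['name'],
                                                  item['cve']['cveid'])

        try:
            one_pass()
        except TimeoutError:
            check_time_travel(time_travel=True, interval=timedelta(seconds=300))
            one_pass()

    def _check_reported_total(feed_name, expected_total):
        # Expect the summary line for feed_name with exactly expected_total findings (expected_total is an int,
        # so interpolating it into the regex is safe).
        wazuh_log_monitor.start(
            timeout=SCAN_TIMEOUT,
            update_position=False,
            callback=vd.make_vuln_callback(
                f"A total of '{expected_total}' vulnerabilities have been reported for agent '.*' "
                f"thanks to the '{feed_name}' feed."),
            error_message=f"The expected number of vulnerabilities for {feed_name} have not been found",
        )

    # Check the vulnerabilities of packages inserted: provider feed always, NVD feed for every format but rpm.
    _check_scan_events(vulnerabilities['vulnerabilities_provider'])
    if mock_vulnerability_scan["format"] != "rpm":
        _check_scan_events(vulnerabilities['vulnerabilities_nvd'])

    # Check that the reported totals are the expected, vendor first and NVD second as in the original.
    _check_reported_total('vendor', provider_vulnerabilities_number)
    _check_reported_total('NVD', nvd_vulnerabilities_number)

    vd.check_if_modulesd_is_running()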
def test_invalid_syntax_arch_linux_feed(test_data, clean_vuln_tables, get_configuration, configure_environment,
                                        modify_feed):
    """
    Check that an Arch Linux JSON feed with syntax errors (``modify_feed`` driven by ``test_data``) is rejected
    with a parser error, and that modulesd survives the failed import.

    Every parametrization is expected to fail; ``test_data`` only shapes the feed and carries no outcome flag
    here. (The original docstring claimed a successful import, which is not what the assertion checks.)
    """
    expect_parser_error = True
    vd.check_failure_when_importing_feed(wazuh_log_monitor=wazuh_log_monitor,
                                         parser_error=expect_parser_error)
    vd.check_if_modulesd_is_running()