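def test_symbolic_delete_target(tags_to_apply, main_folder, aux_folder,
                                get_configuration, configure_environment,
                                restart_syscheckd, wait_for_initial_scan):
    """ Check that syscheck keeps detecting events when a symlink target is removed, the symlink is
        refreshed by symlink_checker and the target is then recreated.

    CHECK: Having a symbolic link pointing to a file/folder, remove that file/folder and check that a 'deleted'
    event is detected.
    Once symlink_checker runs create the same file. No events should be raised because the link information has
    not been refreshed yet. Wait again for a symlink_checker run and modify the file. A 'modified' event must be
    detected this time.

    :param tags_to_apply: Set of configuration tags this case runs with; ``{'monitored_dir'}`` means the symlink
        points at a directory, any other value means it points at a single file
    :param main_folder: Directory that is being pointed at or contains the pointed file
    :param aux_folder: Directory that will be pointed at or will contain the future pointed file
    :param get_configuration: Fixture exposing the current case; ``tags`` and ``metadata['fim_mode']`` are read
    :param configure_environment: Fixture applying the configuration (requested for its side effect only)
    :param restart_syscheckd: Fixture restarting the daemon (side effect only)
    :param wait_for_initial_scan: Fixture blocking until the first scan has finished (side effect only)

    * This test is intended to be used with valid configurations files. Each execution of this test will configure
    the environment properly, restart the service and wait for the initial scan.
    """
    check_apply_test(tags_to_apply, get_configuration['tags'])
    fim_mode = get_configuration['metadata']['fim_mode']
    scheduled = fim_mode == 'scheduled'
    whodata = fim_mode == 'whodata'
    file1 = 'regular1'
    points_to_dir = tags_to_apply == {'monitored_dir'}

    # If the symlink points to a directory, a file must be created inside it first and its 'added' event
    # confirmed (it is the event the rest of the test keys on). Then the pointed directory is removed;
    # otherwise only the pointed file is removed.
    if points_to_dir:
        create_file(REGULAR, main_folder, file1, content='')
        check_time_travel(scheduled)
        # The original only waited here; checking the event type makes a stray event from the setup phase
        # fail loudly instead of being mistaken for the creation.
        added = wazuh_log_monitor.start(timeout=3,
                                        callback=callback_detect_event).result()
        assert 'added' in added['data']['type'] and file1 in added['data']['path'], \
            f"'added' event not matching for {file1}"
        delete_f(main_folder)
    else:
        delete_f(main_folder, file1)
    check_time_travel(scheduled)
    delete = wazuh_log_monitor.start(timeout=3,
                                     callback=callback_detect_event).result()
    assert 'deleted' in delete['data']['type'] and file1 in delete['data']['path'], \
        f"'deleted' event not matching for {file1}"

    # If syscheck is monitoring with whodata, wait for audit to reload its rules before the link refresh
    wait_for_audit(whodata, wazuh_log_monitor)
    wait_for_symlink_check(wazuh_log_monitor)

    # Restore the target. No event is expected: symlink_checker has not picked up the new target yet.
    # NOTE(review): in the directory case main_folder was removed above; this relies on create_file
    # recreating the parent directory — confirm against the helper.
    create_file(REGULAR, main_folder, file1, content='')
    check_time_travel(scheduled)
    with pytest.raises(TimeoutError):
        wazuh_log_monitor.start(timeout=3, callback=callback_detect_event)

    wait_for_symlink_check(wazuh_log_monitor)
    wait_for_audit(whodata, wazuh_log_monitor)

    # Modify the file and expect an event now that symlink_checker has refreshed the link
    modify_file_content(main_folder, file1, 'Sample modification')
    check_time_travel(scheduled)
    modify = wazuh_log_monitor.start(timeout=3,
                                     callback=callback_detect_event).result()
    assert 'modified' in modify['data']['type'] and file1 in modify['data']['path'], \
        f"'modified' event not matching for {file1}"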
def test_symbolic_delete_symlink(tags_to_apply, main_folder, aux_folder,
                                 get_configuration, configure_environment,
                                 restart_syscheckd, wait_for_initial_scan):
    """
    Check that syscheck stops reporting events once the monitored symlink is deleted, and resumes once
    the symlink is restored.

    CHECK: Having a symbolic link pointing to a file/folder, remove that symbolic link file, wait for the symlink
    checker runs and modify the target file. No events should be detected. Restore the symbolic link and modify
    the target file again once symlink checker runs. Events should be detected now.

    Parameters
    ----------
    tags_to_apply : set
        Configuration tags this case runs with. ``{'monitored_dir'}`` means the symlink points at a directory
        and ``{'monitored_file'}`` that it points at a single file; the symlink name is chosen from this.
    main_folder : str
        Directory that is being pointed at or contains the pointed file.
    aux_folder : str
        Directory that will be pointed at or will contain the future pointed file.
    get_configuration : dict
        Current test case; ``tags`` and ``metadata['fim_mode']`` are read here.
    configure_environment, restart_syscheckd, wait_for_initial_scan
        Fixtures requested only for their side effects (apply configuration, restart the daemon, wait for
        the initial scan).
    """
    check_apply_test(tags_to_apply, get_configuration['tags'])
    scheduled = get_configuration['metadata']['fim_mode'] == 'scheduled'
    file1 = 'regular1'
    missing_fim_event = 'Did not receive expected "Sending FIM event: ..." event'

    if tags_to_apply == {'monitored_dir'}:
        # The link targets a directory: seed a file inside it and consume its event before going on.
        create_file(REGULAR, main_folder, file1, content='')
        check_time_travel(scheduled, monitor=wazuh_log_monitor)
        wazuh_log_monitor.start(timeout=3, callback=callback_detect_event, error_message=missing_fim_event)

    # Remove the symlink; nothing should be reported afterwards.
    if tags_to_apply == {'monitored_file'}:
        symlink = 'symlink'
    else:
        symlink = 'symlink2'
    delete_f(testdir_link, symlink)
    wait_for_symlink_check(wazuh_log_monitor)
    modify_file_content(main_folder, file1, new_content='Sample modification')
    check_time_travel(scheduled, monitor=wazuh_log_monitor)
    with pytest.raises(TimeoutError):
        unexpected = wazuh_log_monitor.start(timeout=3, callback=callback_detect_event)
        # Getting here means the monitor found an event: record it and raise something other than
        # TimeoutError so pytest.raises reports the failure.
        logger.error(f'Unexpected event {unexpected.result()}')
        raise AttributeError(f'Unexpected event {unexpected.result()}')

    # Put the symlink back and touch the target again; events are expected from now on.
    link_target = os.path.join(main_folder, file1)
    create_file(SYMLINK, testdir_link, symlink, target=link_target)
    wait_for_symlink_check(wazuh_log_monitor)
    modify_file_content(main_folder, file1, new_content='Sample modification 2')
    check_time_travel(scheduled, monitor=wazuh_log_monitor)
    modified = wazuh_log_monitor.start(timeout=3, callback=callback_detect_event).result()
    event_type = modified['data']['type']
    event_path = modified['data']['path']
    assert 'modified' in event_type and file1 in event_path, f"'modified' event not matching for {file1}"
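def test_symbolic_monitor_symlink(tags_to_apply, main_folder,
                                  get_configuration, configure_environment,
                                  restart_syscheckd, wait_for_initial_scan):
    """
    Check that modifying and deleting the target of a monitored symlink raises the matching events.

    CHECK: Having a symbolic link pointing to a file/folder, modify and delete the file. Check that alerts are
    being raised.

    Parameters
    ----------
    tags_to_apply : set
        Configuration tags this case runs with. ``{'monitored_dir'}`` means the symlink points at a directory,
        so the file has to be created inside it first; otherwise the symlink points at the file itself.
    main_folder : str
        Directory that is being pointed at or contains the pointed file.
    get_configuration : dict
        Current test case; ``tags`` and ``metadata['fim_mode']`` are read here.
    configure_environment, restart_syscheckd, wait_for_initial_scan
        Fixtures requested only for their side effects (apply configuration, restart the daemon, wait for
        the initial scan).
    """
    check_apply_test(tags_to_apply, get_configuration['tags'])
    scheduled = get_configuration['metadata']['fim_mode'] == 'scheduled'
    file1 = 'regular1'
    missing_fim_event = 'Did not receive expected "Sending FIM event: ..." event'

    # Add creation if symlink is pointing to a folder
    if tags_to_apply == {'monitored_dir'}:
        create_file(REGULAR, main_folder, file1, content='')
        check_time_travel(scheduled, monitor=wazuh_log_monitor)
        # Same error_message as the other waits so a timeout here is reported consistently.
        add = wazuh_log_monitor.start(timeout=3,
                                      callback=callback_detect_event,
                                      error_message=missing_fim_event).result()
        assert 'added' in add['data']['type'] and file1 in add['data']['path'], \
            "'added' event not matching"

    # Modify the linked file and expect an event
    modify_file_content(main_folder, file1, 'Sample modification')
    check_time_travel(scheduled, monitor=wazuh_log_monitor)
    modify = wazuh_log_monitor.start(timeout=3,
                                     callback=callback_detect_event,
                                     error_message=missing_fim_event).result()
    assert 'modified' in modify['data']['type'] and file1 in modify['data']['path'], \
        "'modified' event not matching"

    # Delete the linked file and expect an event
    delete_f(main_folder, file1)
    check_time_travel(scheduled, monitor=wazuh_log_monitor)
    delete = wazuh_log_monitor.start(timeout=3,
                                     callback=callback_detect_event,
                                     error_message=missing_fim_event).result()
    assert 'deleted' in delete['data']['type'] and file1 in delete['data']['path'], \
        "'deleted' event not matching"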
def test_symbolic_delete_symlink(tags_to_apply, main_folder, aux_folder,
                                 get_configuration, configure_environment,
                                 restart_syscheckd, wait_for_initial_scan):
    """ Check that syscheck stops reporting events once the monitored symlink is deleted, and resumes once
        the symlink is restored.

    CHECK: Having a symbolic link pointing to a file/folder, remove that symbolic link file, wait for the symlink
    checker runs and modify the target file. No events should be detected. Restore the symbolic link and modify
    the target file again once symlink checker runs. Events should be detected now.

    :param tags_to_apply: Set of configuration tags this case runs with; ``{'monitored_file'}`` selects the
        'symlink' link, any other value the 'symlink2' link, and ``{'monitored_dir'}`` additionally creates the
        file inside the pointed directory first
    :param main_folder: Directory that is being pointed at or contains the pointed file
    :param aux_folder: Directory that will be pointed at or will contain the future pointed file
    :param get_configuration: Fixture exposing the current case; ``tags`` and ``metadata['fim_mode']`` are read
    :param configure_environment: Fixture applying the configuration (side effect only)
    :param restart_syscheckd: Fixture restarting the daemon (side effect only)
    :param wait_for_initial_scan: Fixture blocking until the first scan has finished (side effect only)

    * This test is intended to be used with valid configurations files. Each execution of this test will configure
    the environment properly, restart the service and wait for the initial scan.
    """
    check_apply_test(tags_to_apply, get_configuration['tags'])
    scheduled = get_configuration['metadata']['fim_mode'] == 'scheduled'
    file1 = 'regular1'

    if tags_to_apply == {'monitored_dir'}:
        # The link targets a directory: seed a file inside it and consume its event before going on.
        create_file(REGULAR, main_folder, file1, content='')
        check_time_travel(scheduled)
        wazuh_log_monitor.start(timeout=3, callback=callback_detect_event)

    # Remove the symlink; nothing should be reported afterwards.
    if tags_to_apply == {'monitored_file'}:
        symlink = 'symlink'
    else:
        symlink = 'symlink2'
    delete_f(testdir_link, symlink)
    wait_for_symlink_check(wazuh_log_monitor)
    modify_file_content(main_folder, file1, new_content='Sample modification')
    check_time_travel(scheduled)
    # pytest.raises fails the test by itself if the monitor returns an event instead of timing out.
    with pytest.raises(TimeoutError):
        wazuh_log_monitor.start(timeout=3, callback=callback_detect_event)

    # Put the symlink back and touch the target again; events are expected from now on.
    link_target = os.path.join(main_folder, file1)
    create_file(SYMLINK, testdir_link, symlink, target=link_target)
    wait_for_symlink_check(wazuh_log_monitor)
    modify_file_content(main_folder, file1, new_content='Sample modification 2')
    check_time_travel(scheduled)
    modified = wazuh_log_monitor.start(timeout=3, callback=callback_detect_event).result()
    event_type = modified['data']['type']
    event_path = modified['data']['path']
    assert 'modified' in event_type and file1 in event_path, f"'modified' event not matching for {file1}"
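def test_symbolic_monitor_symlink(tags_to_apply, main_folder,
                                  get_configuration, configure_environment,
                                  restart_syscheckd, wait_for_initial_scan):
    """ Check that modifying and deleting the target of a monitored symlink raises the matching events.

    CHECK: Having a symbolic link pointing to a file/folder, modify and delete the file. Check that alerts are
    being raised.

    :param tags_to_apply: Set of configuration tags this case runs with; ``{'monitored_dir'}`` means the symlink
        points at a directory, so the file is created inside it first, otherwise it points at the file itself
    :param main_folder: Directory that is being pointed at or contains the pointed file
    :param get_configuration: Fixture exposing the current case; ``tags`` and ``metadata['fim_mode']`` are read
    :param configure_environment: Fixture applying the configuration (side effect only)
    :param restart_syscheckd: Fixture restarting the daemon (side effect only)
    :param wait_for_initial_scan: Fixture blocking until the first scan has finished (side effect only)

    * This test is intended to be used with valid configurations files. Each execution of this test will configure
    the environment properly, restart the service and wait for the initial scan.
    """
    check_apply_test(tags_to_apply, get_configuration['tags'])
    scheduled = get_configuration['metadata']['fim_mode'] == 'scheduled'
    file1 = 'regular1'

    # Add creation if symlink is pointing to a folder
    if tags_to_apply == {'monitored_dir'}:
        create_file(REGULAR, main_folder, file1, content='')
        check_time_travel(scheduled)
        add = wazuh_log_monitor.start(timeout=3,
                                      callback=callback_detect_event).result()
        # Plain strings: these messages have no placeholders, so the f-prefix was misleading.
        assert 'added' in add['data']['type'] and file1 in add['data']['path'], \
            "'added' event not matching"

    # Modify the linked file and expect an event
    modify_file_content(main_folder, file1, 'Sample modification')
    check_time_travel(scheduled)
    modify = wazuh_log_monitor.start(timeout=3,
                                     callback=callback_detect_event).result()
    assert 'modified' in modify['data']['type'] and file1 in modify['data']['path'], \
        "'modified' event not matching"

    # Delete the linked file and expect an event
    delete_f(main_folder, file1)
    check_time_travel(scheduled)
    delete = wazuh_log_monitor.start(timeout=3,
                                     callback=callback_detect_event).result()
    assert 'deleted' in delete['data']['type'] and file1 in delete['data']['path'], \
        "'deleted' event not matching"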
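def test_symbolic_delete_target(tags_to_apply, main_folder, aux_folder, get_configuration, configure_environment,
                                restart_syscheckd, wait_for_initial_scan):
    """
    Check that syscheck keeps detecting events when a symlink target is removed, the symlink is refreshed by
    symlink_checker and the target is then recreated.

    CHECK: Having a symbolic link pointing to a file/folder, remove that file/folder and check that a 'deleted'
    event is detected.
    Once symlink_checker runs create the same file. No events should be raised (except in whodata mode with a
    pointed directory, where the audit rule is re-attached and the creation is reported). Wait again for a
    symlink_checker run and modify the file. A 'modified' event must be detected this time.

    Parameters
    ----------
    tags_to_apply : set
        Configuration tags this case runs with. ``{'monitored_dir'}`` means the symlink points at a directory,
        so a file is created inside it and the whole directory is removed; otherwise only the pointed file is.
    main_folder : str
        Directory that is being pointed at or contains the pointed file.
    aux_folder : str
        Directory that will be pointed at or will contain the future pointed file.
    get_configuration : dict
        Current test case; ``tags`` and ``metadata['fim_mode']`` are read here.
    configure_environment, restart_syscheckd, wait_for_initial_scan
        Fixtures requested only for their side effects (apply configuration, restart the daemon, wait for
        the initial scan).
    """
    check_apply_test(tags_to_apply, get_configuration['tags'])
    fim_mode = get_configuration['metadata']['fim_mode']
    scheduled = fim_mode == 'scheduled'
    whodata = fim_mode == 'whodata'
    file1 = 'regular1'
    # Upper bound (seconds) for audit to drop and reload its rules once the monitored directory is gone.
    RELOAD_RULES_INTERVAL = 30
    missing_fim_event = 'Did not receive expected "Sending FIM event: ..." event'
    # whodata + pointed directory follows its own path: the audit rule attached to the directory is removed
    # with it and has to be reloaded after the directory is recreated.
    dir_whodata = tags_to_apply == {'monitored_dir'} and whodata

    # If symlink is pointing to a directory, we need to add files and expect their 'added' event (only if the file
    # is being created within the pointed directory). Then, delete the pointed file or directory
    if tags_to_apply == {'monitored_dir'}:
        create_file(REGULAR, main_folder, file1, content='')
        check_time_travel(scheduled, monitor=wazuh_log_monitor)
        wazuh_log_monitor.start(timeout=3, callback=callback_detect_event, error_message=missing_fim_event)
        delete_f(main_folder)
    else:
        delete_f(main_folder, file1)

    check_time_travel(scheduled, monitor=wazuh_log_monitor)
    delete = wazuh_log_monitor.start(timeout=3, callback=callback_detect_event,
                                     error_message=missing_fim_event).result()
    assert 'deleted' in delete['data']['type'] and file1 in delete['data']['path'], \
        f"'deleted' event not matching for {file1}"

    if dir_whodata:
        # Recreate the directory so audit can attach a rule to it again. The mode is the test's own choice
        # and is still reduced by the process umask.
        os.makedirs(main_folder, exist_ok=True, mode=0o777)
        # The messages below are f-strings so main_folder is actually interpolated (the originals were plain
        # strings and also lacked the space before 'removed').
        wazuh_log_monitor.start(timeout=3, callback=callback_audit_removed_rule,
                                error_message=f'Did not receive expected "Monitored directory \'{main_folder}\' was '
                                              'removed: Audit rule removed" event')
        wazuh_log_monitor.start(timeout=RELOAD_RULES_INTERVAL, callback=callback_audit_reloading_rules,
                                error_message='Did not receive expected "Reloading Audit rules" event')
        wazuh_log_monitor.start(timeout=RELOAD_RULES_INTERVAL, callback=callback_audit_reloaded_rule,
                                error_message='Did not receive expected "Reloaded audit rule for monitoring directory: '
                                              f'\'{main_folder}\'" event')
    else:
        # If syscheck is monitoring with whodata, wait for audit to reload rules
        wait_for_audit(whodata, wazuh_log_monitor)
        wait_for_symlink_check(wazuh_log_monitor)

    # Restore the target
    create_file(REGULAR, main_folder, file1, content='')
    check_time_travel(scheduled, monitor=wazuh_log_monitor)

    if dir_whodata:
        # The reloaded audit rule covers the recreated directory, so the creation is reported.
        wazuh_log_monitor.start(timeout=3, callback=callback_detect_event, error_message=missing_fim_event)
    else:
        # We don't expect any event since symlink hasn't updated the link information
        with pytest.raises(TimeoutError):
            event = wazuh_log_monitor.start(timeout=3, callback=callback_detect_event)
            # Reaching this point means an event was produced: log it and raise something other than
            # TimeoutError so pytest.raises reports the failure.
            logger.error('A "Sending FIM event: ..." event has been detected. No event should be detected as symlink '
                         'has not updated the link information yet.')
            logger.error(f'Unexpected event {event.result()}')
            raise AttributeError(f'Unexpected event {event.result()}')

    wait_for_symlink_check(wazuh_log_monitor)
    wait_for_audit(whodata, wazuh_log_monitor)

    # Modify the file and expect an event now that symlink_checker has refreshed the link
    modify_file_content(main_folder, file1, 'Sample modification')
    check_time_travel(scheduled, monitor=wazuh_log_monitor)
    modify = wazuh_log_monitor.start(timeout=3, callback=callback_detect_event,
                                     error_message=missing_fim_event).result()
    assert 'modified' in modify['data']['type'] and file1 in modify['data']['path'], \
        f"'modified' event not matching for {file1}"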