def test_symbolic_revert_symlink(tags_to_apply, get_configuration, configure_environment, restart_syscheckd,
                                 wait_for_initial_scan):
    """
    Check that syscheck follows a symlink whose target is changed and then reverted.

    Scenario: the monitored link initially resolves to a file inside ``testdir1``. The link is retargeted to the
    whole ``testdir1`` folder, so a second file in that folder must start producing events; the link is then
    pointed back at the original file and the second file must go quiet again while the original file keeps
    reporting. Retargeting a link is a classic way to move a file into or out of FIM coverage, so both the
    "starts reporting" and the "stops reporting" directions are asserted.

    Every negative check (no event expected) goes through ``pytest.raises(TimeoutError)``: if the monitor does
    return an event, it is logged and an ``AttributeError`` is raised so the failure is loud rather than silent.

    Parameters
    ----------
    tags_to_apply : set
        Configuration tags this case must match (filtered through ``check_apply_test``).
    get_configuration : dict
        Current syscheck configuration; ``metadata['fim_mode']`` selects scheduled/whodata handling.
    configure_environment, restart_syscheckd, wait_for_initial_scan
        Fixtures that prepare the agent, restart the daemon and wait for the initial scan.
    """
    check_apply_test(tags_to_apply, get_configuration['tags'])
    fim_mode = get_configuration['metadata']['fim_mode']
    scheduled = fim_mode == 'scheduled'
    whodata = fim_mode == 'whodata'
    file1 = 'regular1'
    file2 = 'regular2'
    link_path = os.path.join(testdir_link, 'symlink')

    def _modify_and_expect_event(name):
        """Modify ``testdir1/name`` and require a 'modified' event whose path names that file."""
        modify_file_content(testdir1, name, new_content='Sample modification')
        check_time_travel(scheduled, monitor=wazuh_log_monitor)
        ev = wazuh_log_monitor.start(timeout=3, callback=callback_detect_event).result()
        assert 'modified' in ev['data']['type'] and os.path.join(testdir1, name) in ev['data']['path'], \
            f"'modified' event not matching for {testdir1} {name}"

    def _expect_no_event():
        """Require the monitor to time out; an event here means an unmonitored file is being reported."""
        with pytest.raises(TimeoutError):
            event = wazuh_log_monitor.start(timeout=3, callback=callback_detect_event)
            logger.error(f'Unexpected event {event.result()}')
            raise AttributeError(f'Unexpected event {event.result()}')

    # file2 is not reachable through the link yet, so modifying it must produce nothing
    modify_file_content(testdir1, file2, new_content='Sample modification')
    check_time_travel(scheduled, monitor=wazuh_log_monitor)
    _expect_no_event()

    # Point the link at the whole folder; once symlink_checker (and audit, in whodata mode) have caught up,
    # file2 must be reported
    modify_symlink(testdir1, link_path)
    wait_for_symlink_check(wazuh_log_monitor)
    wait_for_audit(whodata, wazuh_log_monitor)
    _modify_and_expect_event(file2)

    # Revert the link to the single file and let symlink_checker refresh it: file2 must go quiet again.
    # NOTE(review): unlike the first retarget there is no wait_for_audit() here; in whodata mode the checks
    # below could race an audit-rule refresh -- confirm whether the rule set actually changes on this revert.
    modify_symlink(os.path.join(testdir1, file1), link_path)
    wait_for_symlink_check(wazuh_log_monitor)
    modify_file_content(testdir1, file2, new_content='Sample modification2')
    check_time_travel(scheduled, monitor=wazuh_log_monitor)
    _expect_no_event()
    _modify_and_expect_event(file1)
def test_symbolic_change_target_inside_folder(tags_to_apply, previous_target, new_target, get_configuration,
                                              configure_environment, restart_syscheckd, wait_for_initial_scan):
    """
    Check that syscheck drops the previous target once a symlink is retargeted inside a monitored folder.

    Scenario: a monitored link points at ``previous_target``; it is retargeted to ``new_target`` (another
    file/folder inside the monitored tree). After symlink_checker has refreshed the link, writing to the old
    target must raise no FIM event while writing to the new one must still raise a 'modified' event. This is
    the "no stale coverage" half of symlink handling: a retargeted link must not keep reporting a path it no
    longer resolves to.

    Parameters
    ----------
    tags_to_apply : set
        Configuration tags this case must match; ``{'monitored_file'}`` drives the ``symlink`` link, anything
        else drives ``symlink2``.
    previous_target : str
        Path the link points to before the change.
    new_target : str
        Path the link is retargeted to.
    get_configuration : dict
        Current syscheck configuration; ``metadata['fim_mode']`` selects scheduled/whodata handling.
    configure_environment, restart_syscheckd, wait_for_initial_scan
        Fixtures that prepare the agent, restart the daemon and wait for the initial scan.
    """
    check_apply_test(tags_to_apply, get_configuration['tags'])
    fim_mode = get_configuration['metadata']['fim_mode']
    scheduled = fim_mode == 'scheduled'
    whodata = fim_mode == 'whodata'
    file1 = 'regular1'
    expected_msg = 'Did not receive expected "Sending FIM event: ..." event'

    if tags_to_apply == {'monitored_file'}:
        link_path = os.path.join(testdir_link, 'symlink')
    else:
        link_path = os.path.join(testdir_link, 'symlink2')

    # When the link resolves to a directory, seed it with a file first and consume the resulting event
    if tags_to_apply == {'monitored_dir'}:
        create_file(REGULAR, previous_target, file1, content='')
        check_time_travel(scheduled, monitor=wazuh_log_monitor)
        wazuh_log_monitor.start(timeout=3, callback=callback_detect_event, error_message=expected_msg)

    # Retarget the link and let symlink_checker (and audit, in whodata mode) refresh their view of it
    modify_symlink(new_target, link_path)
    wait_for_symlink_check(wazuh_log_monitor)
    wait_for_audit(whodata, wazuh_log_monitor)

    # The old target must now be silent
    modify_file_content(previous_target, file1, new_content='Sample modification')
    check_time_travel(scheduled, monitor=wazuh_log_monitor)
    with pytest.raises(TimeoutError):
        event = wazuh_log_monitor.start(timeout=3, callback=callback_detect_event)
        logger.error(f'Unexpected event {event.result()}')
        raise AttributeError(f'Unexpected event {event.result()}')

    # ...and the new target must still report. The write goes to testdir2/file1 rather than to new_target;
    # presumably new_target lives under testdir2 -- verify against the parametrization.
    modify_file_content(testdir2, file1, new_content='Sample modification')
    check_time_travel(scheduled, monitor=wazuh_log_monitor)
    modified_event = wazuh_log_monitor.start(timeout=3, callback=callback_detect_event,
                                             error_message=expected_msg).result()
    expected_path = os.path.join(testdir2, file1)
    assert 'modified' in modified_event['data']['type'] and expected_path in modified_event['data']['path'], \
        f"'modified' event not matching for {testdir2} {file1}"
def test_symbolic_change_target_inside_folder(tags_to_apply, previous_target, new_target, get_configuration,
                                              configure_environment, restart_syscheckd, wait_for_initial_scan):
    """
    Check that syscheck drops the previous target once a symlink is retargeted inside a monitored folder.

    NOTE(review): this is the second definition of ``test_symbolic_change_target_inside_folder`` in this
    listing. If both copies live in one module, the later ``def`` silently replaces the earlier one and pytest
    collects only this version. This copy differs from the other in not passing a monitor to
    ``check_time_travel`` and in not logging an unexpected event before failing.

    Scenario: a monitored link points at ``previous_target``; it is retargeted to ``new_target`` (another
    file/folder inside the monitored tree). After symlink_checker has refreshed the link, writing to the old
    target must raise no FIM event while writing to the new one must still raise a 'modified' event.

    :param previous_target: Previous symlink target (path)
    :param new_target: New symlink target (path)

    * This test is intended to be used with valid configurations files. Each execution of this test will
      configure the environment properly, restart the service and wait for the initial scan.
    """
    check_apply_test(tags_to_apply, get_configuration['tags'])
    fim_mode = get_configuration['metadata']['fim_mode']
    scheduled = fim_mode == 'scheduled'
    whodata = fim_mode == 'whodata'
    file1 = 'regular1'
    link_name = 'symlink' if tags_to_apply == {'monitored_file'} else 'symlink2'
    link_path = os.path.join(testdir_link, link_name)

    if tags_to_apply == {'monitored_dir'}:
        # Directory target: seed it with a file and consume the resulting event first
        create_file(REGULAR, previous_target, file1, content='')
        check_time_travel(scheduled)
        wazuh_log_monitor.start(timeout=3, callback=callback_detect_event)

    # Retarget the link and let symlink_checker (and audit, in whodata mode) refresh their view of it
    modify_symlink(new_target, link_path)
    wait_for_symlink_check(wazuh_log_monitor)
    wait_for_audit(whodata, wazuh_log_monitor)

    # The old target must now be silent
    modify_file_content(previous_target, file1, new_content='Sample modification')
    check_time_travel(scheduled)
    with pytest.raises(TimeoutError):
        wazuh_log_monitor.start(timeout=3, callback=callback_detect_event)

    # ...and the new target must still report (written as testdir2/file1; presumably new_target is under
    # testdir2 -- verify against the parametrization)
    modify_file_content(testdir2, file1, new_content='Sample modification')
    check_time_travel(scheduled)
    modified_event = wazuh_log_monitor.start(timeout=3, callback=callback_detect_event).result()
    event_type = modified_event['data']['type']
    event_path = modified_event['data']['path']
    assert 'modified' in event_type and os.path.join(testdir2, file1) in event_path, \
        f"'modified' event not matching for {testdir2} {file1}"
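def test_symbolic_monitor_directory_with_symlink(monitored_dir, non_monitored_dir1, non_monitored_dir2, sym_target,
                                                 tags_to_apply, get_configuration, configure_environment,
                                                 clean_directories, restart_syscheckd, wait_for_initial_scan):
    """
    Check how syscheck treats a symlink that lives inside a monitored directory (the link itself is not configured).

    In this layout the link is handled as a regular file: it is not followed, so changes to its target (file or
    directory) must not produce events, while changes to the link entry itself (creation, retargeting) must.
    That is the intended posture -- monitoring a directory does not silently extend coverage to wherever a link
    inside it happens to point -- and this test pins both halves of it.

    Parameters
    ----------
    monitored_dir : str
        Directory that syscheck monitors; the symlink is created here.
    non_monitored_dir1 : str
        Unmonitored directory holding the two regular files used as targets.
    non_monitored_dir2 : str
        Unmonitored directory used as the second link target when ``sym_target`` is not ``'file'``.
    sym_target : str
        ``'file'`` to point the link at a regular file, anything else to point it at a directory.
    tags_to_apply : set
        Configuration tags this case must match (filtered through ``check_apply_test``).
    get_configuration : dict
        Current syscheck configuration; ``metadata['fim_mode']`` selects scheduled handling.
    configure_environment, clean_directories, restart_syscheckd, wait_for_initial_scan
        Fixtures that prepare the agent, clean the test directories, restart the daemon and wait for the
        initial scan.
    """
    check_apply_test(tags_to_apply, get_configuration['tags'])
    name1 = 'regular1'
    name2 = 'regular2'
    sl_name = 'symlink'
    a_path = os.path.join(non_monitored_dir1, name1)
    b_path = os.path.join(non_monitored_dir1, name2) if sym_target == 'file' else non_monitored_dir2
    sl_path = os.path.join(monitored_dir, sl_name)
    scheduled = get_configuration['metadata']['fim_mode'] == 'scheduled'
    expected_msg = 'Did not receive expected "Sending FIM event: ..." event'

    def _expect_no_event():
        """Require the monitor to time out; an event here means the link was followed into unmonitored space."""
        with pytest.raises(TimeoutError):
            event = wazuh_log_monitor.start(timeout=5, callback=callback_detect_event)
            logger.error(f'Unexpected event {event.result()}')
            raise AttributeError(f'Unexpected event {event.result()}')

    # Regular files outside the monitored directory: nothing is expected for them
    create_file(REGULAR, non_monitored_dir1, name1, content='')
    create_file(REGULAR, non_monitored_dir1, name2, content='')
    target = a_path if sym_target == 'file' else non_monitored_dir1
    create_file(SYMLINK, monitored_dir, sl_name, target=target)

    # The link entry itself is inside the monitored directory, so its creation must be reported
    check_time_travel(scheduled, monitor=wazuh_log_monitor)
    wazuh_log_monitor.start(timeout=global_parameters.default_timeout, callback=callback_detect_event,
                            error_message=expected_msg)

    # Writing to the target file must not be reported: the link is not followed
    modify_file(non_monitored_dir1, name1, new_content='Modify sample')
    check_time_travel(scheduled, monitor=wazuh_log_monitor)
    _expect_no_event()

    # Retargeting the link changes the link entry itself, so a 'modified' event is expected
    modify_symlink(target=b_path, path=sl_path)
    check_time_travel(scheduled, monitor=wazuh_log_monitor)
    result = wazuh_log_monitor.start(timeout=global_parameters.default_timeout, callback=callback_detect_event,
                                     error_message=expected_msg).result()
    assert 'modified' in result['data']['type'], "No 'modified' event when modifying symlink"

    # Remove and restore one of the unmonitored regular files: still no events.
    # name2 was created as non_monitored_dir1/name2, so it is deleted with that same (dir, name) pair; joining
    # b_path with name2 (the previous call) named a path that was never created, so nothing was deleted.
    delete_file(non_monitored_dir1, name2)
    create_file(REGULAR, non_monitored_dir1, name2, content='')
    check_time_travel(scheduled, monitor=wazuh_log_monitor)
    _expect_no_event()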
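def test_symbolic_change_target(tags_to_apply, main_folder, aux_folder, get_configuration, configure_environment,
                                restart_wazuh, wait_for_initial_scan):
    """
    Check that syscheck switches a symlink's monitored target only once symlink_checker has run.

    Scenario: the monitored link initially resolves into ``main_folder``. Its target is changed to
    ``aux_folder`` but, until symlink_checker runs, events must keep coming from ``main_folder`` and not from
    ``aux_folder`` (the daemon still works on its cached resolution). After symlink_checker and, in whodata
    mode, audit have caught up, the roles must swap.

    Security note: the interval between the retarget and the next symlink_checker pass is an inherent blind
    spot -- writes to the new target in that window are not reported -- and this test pins that behaviour rather
    than hiding it.

    Parameters
    ----------
    tags_to_apply : set
        Configuration tags this case must match; ``{'monitored_dir'}`` retargets ``symlink2``, anything else
        retargets ``symlink`` at an explicit file inside ``aux_folder``.
    main_folder : str
        Directory that is being pointed at (when equal to ``testdir_target``) or contains the pointed file.
    aux_folder : str
        Directory that will be pointed at or will contain the future pointed file.
    get_configuration : dict
        Current syscheck configuration; ``metadata['fim_mode']`` selects scheduled/whodata handling.
    configure_environment, restart_wazuh, wait_for_initial_scan
        Fixtures that prepare the agent, restart the service and wait for the initial scan.

    * This test is intended to be used with valid configurations files. Each execution of this test will
      configure the environment properly, restart the service and wait for the initial scan.
    """
    def modify_and_check_events(f1, f2, text):
        """
        Modify ``file1`` inside both folders. ``f1`` is assumed to be monitored and ``f2`` not: a 'modified'
        event naming ``f1/file1`` is required, and no further event may arrive within the timeout.
        """
        modify_file_content(f1, file1, text)
        modify_file_content(f2, file1, text)
        check_time_travel(scheduled)
        modify = wazuh_log_monitor.start(timeout=3, callback=callback_detect_event).result()
        # Match the full path: both folders hold a file named file1, so the bare folder or file name alone
        # could not tell the monitored copy from the unmonitored one
        assert 'modified' in modify['data']['type'] and os.path.join(f1, file1) in modify['data']['path'], \
            f"'modified' event not matching for {file1}"
        with pytest.raises(TimeoutError):
            wazuh_log_monitor.start(timeout=3, callback=callback_detect_event)

    check_apply_test(tags_to_apply, get_configuration['tags'])
    scheduled = get_configuration['metadata']['fim_mode'] == 'scheduled'
    whodata = get_configuration['metadata']['fim_mode'] == 'whodata'
    file1 = 'regular1'

    # Seed both folders with file1. Only a file created inside the pointed directory may raise an 'added'
    # event; the copy in the unmonitored folder must stay silent.
    if main_folder == testdir_target:
        create_file(REGULAR, main_folder, file1, content='')
        create_file(REGULAR, aux_folder, file1, content='')
        check_time_travel(scheduled)
        add = wazuh_log_monitor.start(timeout=3, callback=callback_detect_event).result()
        # Check the full path so the event is tied to main_folder, not merely to a file called file1
        assert 'added' in add['data']['type'] and os.path.join(main_folder, file1) in add['data']['path'], \
            f"'added' event not matching for {file1}"
        with pytest.raises(TimeoutError):
            wazuh_log_monitor.start(timeout=3, callback=callback_detect_event)
    else:
        create_file(REGULAR, aux_folder, file1, content='')
        # Trigger a scan in scheduled mode as the other branch does; without it no scan runs in that mode and
        # the timeout below would pass regardless of whether aux_folder is monitored
        check_time_travel(scheduled)
        with pytest.raises(TimeoutError):
            wazuh_log_monitor.start(timeout=3, callback=callback_detect_event)

    # Retarget the link. Until symlink_checker runs, the old target must still report and the new one must not
    if tags_to_apply == {'monitored_dir'}:
        modify_symlink(aux_folder, os.path.join(testdir_link, 'symlink2'))
    else:
        modify_symlink(aux_folder, os.path.join(testdir_link, 'symlink'), file=file1)
    modify_and_check_events(main_folder, aux_folder, 'Sample number one')

    wait_for_symlink_check(wazuh_log_monitor)
    wait_for_audit(whodata, wazuh_log_monitor)

    # After the refresh the roles swap: the new target reports and the old one is silent
    modify_and_check_events(aux_folder, main_folder, 'Sample number two')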