From c23637196fe174cc7ff211ee9988b21e009f88e7 Mon Sep 17 00:00:00 2001 From: fedepacher Date: Thu, 27 Oct 2022 13:27:43 -0300 Subject: [PATCH 01/14] refactor(#3298): refactor integratord tests to use slack --- .../modules/analysisd/__init__.py | 5 ++ .../modules/integratord/__init__.py | 32 +++---- .../wazuh_testing/tools/__init__.py | 3 +- tests/integration/conftest.py | 50 ++++++++--- .../integration/test_integratord/conftest.py | 15 +++- .../config_integratord_read_json_alerts.yaml | 28 ++----- .../cases_integratord_change_inode_alert.yaml | 33 ++++---- ..._integratord_read_invalid_json_alerts.yaml | 66 ++++++++------- ...es_integratord_read_json_file_deleted.yaml | 33 ++++---- ...es_integratord_read_valid_json_alerts.yaml | 33 ++++---- .../test_integratord_change_inode_alert.py | 83 +++++++------------ .../test_integratord_read_json_alerts.py | 77 +++++++---------- ...test_integratord_read_json_file_deleted.py | 80 ++++++++---------- 13 files changed, 271 insertions(+), 267 deletions(-) diff --git a/deps/wazuh_testing/wazuh_testing/modules/analysisd/__init__.py b/deps/wazuh_testing/wazuh_testing/modules/analysisd/__init__.py index dd2a5835b3..b729a40641 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/analysisd/__init__.py +++ b/deps/wazuh_testing/wazuh_testing/modules/analysisd/__init__.py @@ -8,3 +8,8 @@ 'analysisd.sca_threads': '1', 'analysisd.hostinfo_threads': '1', 'analysisd.winevt_threads': '1', 'analysisd.rule_matching_threads': '1', 'analysisd.dbsync_threads': '1', 'remoted.worker_pool': '1'} +# Callback Messages +CB_ANALYSISD_STARTUP_COMPLETED = fr".*{ANALYSISD_PREFIX}.*DEBUG: Startup completed. Waiting for new messages.*" + +# Error messages +ERR_MSG_STARTUP_COMPLETED_NOT_FOUND = fr'Did not recieve the expected "{CB_ANALYSISD_STARTUP_COMPLETED}"' \ No newline at end of file 
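Review bot: `ERR_MSG_STARTUP_COMPLETED_NOT_FOUND` interpolates the regex source of `CB_ANALYSISD_STARTUP_COMPLETED`, so an assertion failure will print `.*wazuh-analysisd.*DEBUG: ... .*` fragments instead of the plain phrase that the sibling messages in the integratord module use. A readable constant is `ERR_MSG_STARTUP_COMPLETED_NOT_FOUND = r'Did not receive the expected "Startup completed. Waiting for new messages" event'`. The hunk also leaves the file without a trailing newline. `ANALYSISD_PREFIX` is defined above this hunk and is not visible here, so whether it needs escaping before being dropped into the pattern cannot be checked from the diff.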
diff --git a/deps/wazuh_testing/wazuh_testing/modules/integratord/__init__.py b/deps/wazuh_testing/wazuh_testing/modules/integratord/__init__.py
index a417bbf7a5..8cad1f9c89 100644
--- a/deps/wazuh_testing/wazuh_testing/modules/integratord/__init__.py
+++ b/deps/wazuh_testing/wazuh_testing/modules/integratord/__init__.py
@@ -3,29 +3,31 @@ Created by Wazuh, Inc. . This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 ''' +from wazuh_testing.tools import ANALYSISD_DAEMON, DB_DAEMON, INTEGRATOR_DAEMON # Variables -INTEGRATORD_PREFIX = 'wazuh-integratord' +INTEGRATORD_PREFIX = INTEGRATOR_DAEMON +REQUIRED_DAEMONS = [INTEGRATOR_DAEMON, DB_DAEMON, ANALYSISD_DAEMON] +TIME_TO_DETECT_FILE = 2 # Callback Messages -CB_VIRUSTOTAL_ENABLED = r".*(wazuh-integratord.*Enabling integration for: 'virustotal').*" -CB_INTEGRATORD_SENDING_ALERT = r'(.*wazuh-integratord.*DEBUG: sending new alert).*' -CB_PROCESSING_ALERT = r'.*(wazuh-integratord.*Processing alert.*)' -CB_INTEGRATORD_THREAD_READY = r'.*(wazuh-integratord.*DEBUG: Local requests thread ready).*' -CB_VIRUSTOTAL_ALERT = r'.*(wazuh-integratord.*alert_id.*\"integration\": \"virustotal\").*' -CB_VIRUSTOTAL_ALERT_JSON = r'.*(VirusTotal: Alert.*\"integration\":\"virustotal\").*' -CB_INVALID_JSON_ALERT_READ = r'.*(wazuh-integratord.*WARNING: Invalid JSON alert read).*' -CB_OVERLONG_JSON_ALERT_READ = r'.*(wazuh-integratord.*WARNING: Overlong JSON alert read).*' -CB_ALERTS_FILE_INODE_CHANGED = r'.*(wazuh-integratord.*DEBUG: jqueue_next.*Alert file inode changed).*' -CB_CANNOT_RETRIEVE_JSON_FILE = r'.*(wazuh-integratord.*WARNING.*Could not retrieve information of file).*'\ +CB_SLACK_ENABLED = fr".*{INTEGRATORD_PREFIX}.*Enabling integration for: 'slack'.*" +CB_INTEGRATORD_SENDING_ALERT = fr".*{INTEGRATORD_PREFIX}.*DEBUG: sending new alert" +CB_PROCESSING_ALERT = fr".*{INTEGRATORD_PREFIX}.*Processing alert.*" +CB_INTEGRATORD_THREAD_READY = fr".*{INTEGRATORD_PREFIX}.*DEBUG: Local requests thread ready" +CB_SLACK_ALERT = fr".*{INTEGRATORD_PREFIX}.*" +CB_INVALID_JSON_ALERT_READ = fr".*{INTEGRATORD_PREFIX}.*WARNING: Invalid JSON alert read.*" +CB_OVERLONG_JSON_ALERT_READ = fr".*{INTEGRATORD_PREFIX}.*WARNING: Overlong JSON alert read.*" +CB_ALERTS_FILE_INODE_CHANGED = fr".*{INTEGRATORD_PREFIX}.*DEBUG: 
jqueue_next.*Alert file inode changed.*" +CB_CANNOT_RETRIEVE_JSON_FILE = fr".*{INTEGRATORD_PREFIX}.*WARNING.*Could not retrieve information of file.*"\ r'alerts\.json.*No such file.*' # Error messages -ERR_MSG_VIRUST_TOTAL_ENABLED_NOT_FOUND = r'Did not recieve the expected "Enabling integration for virustotal"' -ERR_MSG_VIRUSTOTAL_ALERT_NOT_DETECTED = r'Did not recieve the expected VirusTotal alert in alerts.json' +ERR_MSG_SLACK_ENABLED_NOT_FOUND = r'Did not recieve the expected "Enabling integration for slack"' +ERR_MSG_SENDING_ALERT_NOT_FOUND = r'Did not recieve the expected "...sending new alert" event' +ERR_MSG_PROCESSING_ALERT_NOT_FOUND = r'Did not recieve the expected "...Procesing alert" event' +ERR_MSG_SLACK_ALERT_NOT_DETECTED = r'Did not recieve the expected Slack alert in alerts.json' ERR_MSG_INVALID_ALERT_NOT_FOUND = r'Did not recieve the expected "...Invalid JSON alert read..." event' ERR_MSG_OVERLONG_ALERT_NOT_FOUND = r'Did not recieve the expected "...Overlong JSON alert read..." event' ERR_MSG_ALERT_INODE_CHANGED_NOT_FOUND = r'Did not recieve the expected "...Alert file inode changed..." event' ERR_MSG_CANNOT_RETRIEVE_MSG_NOT_FOUND = r'Did not recieve the expected "...Could not retrieve information/open file"' -ERR_MSG_SENDING_ALERT_NOT_FOUND = r'Did not recieve the expected "...sending new alert" event' -ERR_MSG_PROCESSING_ALERT_NOT_FOUND = r'Did not recieve the expected "...Procesing alert" event' diff --git a/deps/wazuh_testing/wazuh_testing/tools/__init__.py b/deps/wazuh_testing/wazuh_testing/tools/__init__.py index 60fa272e99..a0925262f5 100644 --- a/deps/wazuh_testing/wazuh_testing/tools/__init__.py +++ b/deps/wazuh_testing/wazuh_testing/tools/__init__.py 
@@ -176,7 +176,8 @@ def get_service(): MODULESD_CONTROL_SOCKET_PATH, MODULESD_KREQUEST_SOCKET_PATH ], - 'wazuh-clusterd': [MODULESD_C_INTERNAL_SOCKET_PATH] + 'wazuh-clusterd': [MODULESD_C_INTERNAL_SOCKET_PATH], + 'wazuh-integratord': [] } # These sockets do not exist with default Wazuh configuration diff --git a/tests/integration/conftest.py b/tests/integration/conftest.py index 99d1749ee4..1d1ba9d49c 100644 --- a/tests/integration/conftest.py +++ b/tests/integration/conftest.py @@ -123,11 +123,39 @@ def restart_wazuh_daemon_function(daemon=None): @pytest.fixture(scope='function') -def restart_wazuh_function(daemon=None): - """Restart all Wazuh daemons""" - control_service("restart", daemon=daemon) +def restart_wazuh_function(request): + """Restart before starting a test, and stop it after finishing. + + Args: + request (fixture): Provide information on the executing test function. + """ + # If there is a list of required daemons defined in the test module, restart daemons, else restart all daemons. + try: + daemons = request.module.REQUIRED_DAEMONS + except AttributeError: + daemons = [] + + if len(daemons) == 0: + logger.debug(f"Restarting all daemon") + control_service('restart') + else: + for daemon in daemons: + logger.debug(f"Restarting {daemon}") + # Restart daemon instead of starting due to legacy used fixture in the test suite. + control_service('restart', daemon=daemon) + yield - control_service('stop', daemon=daemon) + + # Stop all daemons by default (daemons = None) + if len(daemons) == 0: + logger.debug(f"Stopping all daemons") + control_service('stop') + else: + # Stop a list daemons in order (as Wazuh does) + daemons.reverse() + for daemon in daemons: + logger.debug(f"Stopping {daemon}") + control_service('stop', daemon=daemon) @pytest.fixture(scope='module') 
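Review bot: `daemons.reverse()` in the teardown of `restart_wazuh_function` reverses the list in place, and `daemons` is the module object `request.module.REQUIRED_DAEMONS` — the test modules in this patch alias `integrator.REQUIRED_DAEMONS` directly — so after the first test the shared list stays reversed and the next test restarts analysisd before integratord, then stops them in start-up order. Iterate a view instead: `for daemon in reversed(daemons):`. The `try/except AttributeError` collapses to `daemons = getattr(request.module, 'REQUIRED_DAEMONS', [])`, the two `len(daemons) == 0` tests read as `if not daemons:`, and the message `"Restarting all daemon"` is missing its plural. The new `'wazuh-integratord': []` entry in the socket table (first hunk on this line) means the service helper has no socket to wait on for that daemon — presumably why the fixture then waits on the log instead; a one-line comment there would save the next reader the same inference.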
@@ -301,12 +329,12 @@ def pytest_addoption(parser): help="run tests using a specific WPK package path" ) parser.addoption( - "--integration-api-key", + "--slack-webhook-url", action="store", - metavar="integration_api_key", + metavar="slack_webhook_url", default=None, type=str, - help="pass api key required for integratord tests." + help="pass webhook url required for integratord tests." ) @@ -365,10 +393,10 @@ def pytest_configure(config): # Set WPK package version global_parameters.wpk_version = config.getoption("--wpk_version") - # Set integration_api_key if it is passed through command line args - integration_api_key = config.getoption("--integration-api-key") - if integration_api_key: - global_parameters.integration_api_key = integration_api_key + # Set slack_webhook_url if it is passed through command line args + slack_webhook_url = config.getoption("--slack-webhook-url") + if slack_webhook_url: + global_parameters.slack_webhook_url = slack_webhook_url # Set files to add to the HTML report set_report_files(config.getoption("--save-file")) diff --git a/tests/integration/test_integratord/conftest.py b/tests/integration/test_integratord/conftest.py index 1243d020fa..c78171a5c0 100644 --- a/tests/integration/test_integratord/conftest.py +++ b/tests/integration/test_integratord/conftest.py 
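Review bot: A Slack incoming-webhook URL is a bearer credential — anyone who holds it can post to the channel — and `--slack-webhook-url` places it on the pytest command line, where it shows up in `ps`, shell history and any CI log that echoes the invocation. Let the option fall back to the environment so CI can supply it through a masked variable, e.g. `default=os.environ.get('SLACK_WEBHOOK_URL')` (add `import os` if conftest does not already have it), and make sure the rendered ossec.conf and the HTML report that `set_report_files` collects are not archived with the `hook_url` in them. `pytest_configure` only assigns `global_parameters.slack_webhook_url` when the option was passed; whether `global_parameters` declares a default is outside this diff, but the test modules read the attribute at import time, so an unset value should fail with a clear message (or skip) rather than an AttributeError or a config rendered with `None`.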
@@ -8,15 +8,22 @@ import pytest from wazuh_testing.tools import LOG_FILE_PATH -from wazuh_testing.tools.monitoring import FileMonitor, generate_monitoring_callback +from wazuh_testing.tools.monitoring import FileMonitor, callback_generator +from wazuh_testing.modules import analysisd +from wazuh_testing.modules.analysisd.event_monitor import check_analysisd_event from wazuh_testing.modules import integratord as integrator from wazuh_testing.modules.integratord.event_monitor import check_integratord_event +from wazuh_testing import T_5, T_20 @pytest.fixture(scope='function') def wait_for_start_module(request): # Wait for integratord thread to start file_monitor = FileMonitor(LOG_FILE_PATH) - check_integratord_event(file_monitor=file_monitor, timeout=20, - callback=generate_monitoring_callback(integrator.CB_INTEGRATORD_THREAD_READY), - error_message=integrator.ERR_MSG_VIRUST_TOTAL_ENABLED_NOT_FOUND) + check_integratord_event(file_monitor=file_monitor, timeout=T_20, + callback=callback_generator(integrator.CB_INTEGRATORD_THREAD_READY), + error_message=integrator.ERR_MSG_SLACK_ENABLED_NOT_FOUND) + # Wait for analysisd to start successfully (to detect changes in the alerts.json file) + check_analysisd_event(file_monitor=file_monitor, timeout=T_5, + callback=callback_generator(analysisd.CB_ANALYSISD_STARTUP_COMPLETED), + error_message=analysisd.ERR_MSG_STARTUP_COMPLETED_NOT_FOUND) diff --git a/tests/integration/test_integratord/data/configuration_template/config_integratord_read_json_alerts.yaml b/tests/integration/test_integratord/data/configuration_template/config_integratord_read_json_alerts.yaml index acf8a61bfb..9f26cc4860 100644 --- a/tests/integration/test_integratord/data/configuration_template/config_integratord_read_json_alerts.yaml +++ b/tests/integration/test_integratord/data/configuration_template/config_integratord_read_json_alerts.yaml 
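Review bot: The first check in `wait_for_start_module` waits on `CB_INTEGRATORD_THREAD_READY` but reports `ERR_MSG_SLACK_ENABLED_NOT_FOUND` ("Enabling integration for slack") on timeout, so a failure points at the wrong log line; pair the callback with its own message, e.g. `error_message='Did not receive the expected "Local requests thread ready" event'`, ideally as a constant next to `CB_INTEGRATORD_THREAD_READY` in the integratord module. The second check reuses the same `FileMonitor` with `T_5` after a 20-second wait; if `check_integratord_event` advances the monitor position and analysisd writes `Startup completed` before integratord's thread-ready line, the analysisd event will never be seen — confirm the position handling or start a fresh monitor for it. The `request` parameter is unused.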
@@ -8,32 +8,16 @@ - section: integration elements: - name: - value: virustotal - - api_key: - value: API_KEY + value: slack + - hook_url: + value: WEBHOOK_URL - rule_id: - value: '554' + value: 5712 + - level: + value: 10 - alert_format: value: json - section: sca elements: - enabled: value: 'no' - - section: rootcheck - elements: - - disabled: - value: 'yes' - - section: syscheck - elements: - - disabled: - value: 'yes' - - section: wodle - attributes: - - name: syscollector - elements: - - disabled: - value: 'yes' - - section: auth - elements: - - disabled: - value: 'yes' diff --git a/tests/integration/test_integratord/data/test_cases/cases_integratord_change_inode_alert.yaml b/tests/integration/test_integratord/data/test_cases/cases_integratord_change_inode_alert.yaml index 58b53b1702..c3b3691da9 100644 --- a/tests/integration/test_integratord/data/test_cases/cases_integratord_change_inode_alert.yaml +++ b/tests/integration/test_integratord/data/test_cases/cases_integratord_change_inode_alert.yaml 
@@ -1,17 +1,22 @@ -- name: Cannot read alerts - Inode changed +- name: cannot_read_alerts_file_inode_changed description: The alerts.json file inode has changed and it cannot read alerts from it until it reloads. configuration_parameters: - API_KEY: Insert using --integration-api-key parameter + WEBHOOK_URL: Insert using --slack-webhook-url parameter metadata: - alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description": - "File added to the system.", "id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck", - "syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"], - "hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8", - "CC7.2","CC7.3"]},"agent":{"id":"000","name":"padding_input"},"manager":{"name":"c3"},"id": - "1657551196.2754","full_log":"File /test_folder/TEST_CHANGED_INODE_ALERT.txt added\nMode: - scheduled\n","syscheck":{"path":"/test_folder/TEST_CHANGED_INODE_ALERT.txt","mode":"scheduled", - "size_after":"16","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after": - "2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe", - "sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after": - "root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"}, - "decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' + alert_sample: '{"timestamp":"2022-05-11T12:29:19.905+0000","rule":{"level":10,"description": + "sshd: brute force trying to get access to the system. 
Non existent user.","id":"5712", + "mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"frequency":8, + "firedtimes":1,"mail":false,"groups":["syslog","sshd","authentication_failures"],"gdpr": + ["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["SI.4","AU.14","AC.7"],"pci_dss": + ["11.4","10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name": + "localhost.localdomain"},"manager":{"name":"localhost.localdomain"},"id":"1652272159.1549653", + "previous_output":"May 11 12:29:16 localhost sshd[17582]: Invalid user paco from 172.17.1.1 port + 56402\nMay 11 12:29:14 localhost sshd[17580]: Invalid user paco from 172.17.1.1 port 56400\nMay + 11 12:29:11 localhost sshd[17578]: Invalid user paco from 172.17.1.1 port 56398\nMay 11 12:29:09 + localhost sshd[17576]: Invalid user paco from 172.17.1.1 port 56396\nMay 11 12:29:07 localhost + sshd[17574]: Invalid user paco from 172.17.1.1 port 56394\nMay 11 12:29:04 localhost sshd[17572]: + Invalid user paco from 172.17.1.1 port 56392\nMay 11 12:29:00 localhost sshd[17570]: Invalid user + paco from 172.17.1.1 port 56390","full_log":"May 11 12:29:18 localhost sshd[17584]: Invalid user + paco from 172.17.1.1 port 56404","predecoder":{"program_name":"sshd","timestamp":"May 11 12:29:18", + "hostname":"localhost"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"172.17.1.1", + "srcport":"56404","srcuser":"paco"},"location":"/var/log/secure"}' diff --git a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_invalid_json_alerts.yaml b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_invalid_json_alerts.yaml index d8fa3d4196..65c2c501f3 100644 --- a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_invalid_json_alerts.yaml +++ b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_invalid_json_alerts.yaml 
@@ -1,37 +1,47 @@ -- name: Read invalid json alert +- name: read_invalid_json_alert description: Read a invalid alert from alerts.json - removed rule key name - Integration fails configuration_parameters: - API_KEY: Insert using --integration-api-key parameter + WEBHOOK_URL: Insert using --slack-webhook-url parameter metadata: - alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000",:{"level":5,"description":"File added to the system.", - "id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added", - "syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1", - "164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]}, - "agent":{"id":"000","name":"padding_input"},"manager":{"name":"c3"},"id":"1657551196.2754", - "full_log":"File /test_folder/TEST_INVALID_ALERT.txt added\nMode: scheduled\n","syscheck":{"path": - "/test_folder/TEST_INVALID_ALERT.txt","mode":"scheduled","size_after":"16","perm_after":"rw-r--r--" - ,"uid_after":"0","gid_after":"0","md5_after":"2982666f29e2736e7ca0e12dd638d433", - "sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe", - "sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after": - "root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"}, - "decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' + alert_sample: '{"timestamp":"2022-05-11T12:29:19.905+0000",:{"level":10,"description": + "sshd: brute force trying to get access to the system. 
Non existent user.","id":"5712", + "mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"frequency":8, + "firedtimes":1,"mail":false,"groups":["syslog","sshd","authentication_failures"],"gdpr": + ["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["SI.4","AU.14","AC.7"],"pci_dss": + ["11.4","10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name": + "localhost.localdomain"},"manager":{"name":"localhost.localdomain"},"id":"1652272159.1549653", + "previous_output":"May 11 12:29:16 localhost sshd[17582]: Invalid user paco from 172.17.1.1 port + 56402\nMay 11 12:29:14 localhost sshd[17580]: Invalid user paco from 172.17.1.1 port 56400\nMay + 11 12:29:11 localhost sshd[17578]: Invalid user paco from 172.17.1.1 port 56398\nMay 11 12:29:09 + localhost sshd[17576]: Invalid user paco from 172.17.1.1 port 56396\nMay 11 12:29:07 localhost + sshd[17574]: Invalid user paco from 172.17.1.1 port 56394\nMay 11 12:29:04 localhost sshd[17572]: + Invalid user paco from 172.17.1.1 port 56392\nMay 11 12:29:00 localhost sshd[17570]: Invalid user + paco from 172.17.1.1 port 56390","full_log":"May 11 12:29:18 localhost sshd[17584]: Invalid user + paco from 172.17.1.1 port 56404","predecoder":{"program_name":"sshd","timestamp":"May 11 12:29:18", + "hostname":"localhost"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"172.17.1.1", + "srcport":"56404","srcuser":"paco"},"location":"/var/log/secure"}' alert_type: invalid -- name: Read Overlong json alert +- name: read_overlong_json_alert description: Read a an alert that is over 64kb alert from alerts.json - Integration fails configuration_parameters: - API_KEY: Insert using --integration-api-key parameter + WEBHOOK_URL: Insert using --slack-webhook-url parameter metadata: - alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description": - "File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck", 
- "syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"], - "hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8", - "CC7.2","CC7.3"]},"agent":{"id":"000","name":"padding_input"},"manager":{"name":"c3"},"id": - "1657551196.2754","full_log":"File /test_folder/TEST_INVALID_ALERT.txt added\nMode: scheduled\n", - "syscheck":{"path":"/test_folder/TEST_INVALID_ALERT.txt","mode":"scheduled","size_after":"16", - "perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after": - "2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe", - "sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after": - "root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"}, - "decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' + alert_sample: '{"timestamp":"2022-05-11T12:29:19.905+0000","rule":{"level":10,"description": + "sshd: brute force trying to get access to the system. 
Non existent user.","id":"5712", + "mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"frequency":8, + "firedtimes":1,"mail":false,"groups":["syslog","sshd","authentication_failures"],"gdpr": + ["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["SI.4","AU.14","AC.7"],"pci_dss": + ["11.4","10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name": + "padding_input"},"manager":{"name":"localhost.localdomain"},"id":"1652272159.1549653", + "previous_output":"May 11 12:29:16 localhost sshd[17582]: Invalid user paco from 172.17.1.1 port + 56402\nMay 11 12:29:14 localhost sshd[17580]: Invalid user paco from 172.17.1.1 port 56400\nMay + 11 12:29:11 localhost sshd[17578]: Invalid user paco from 172.17.1.1 port 56398\nMay 11 12:29:09 + localhost sshd[17576]: Invalid user paco from 172.17.1.1 port 56396\nMay 11 12:29:07 localhost + sshd[17574]: Invalid user paco from 172.17.1.1 port 56394\nMay 11 12:29:04 localhost sshd[17572]: + Invalid user paco from 172.17.1.1 port 56392\nMay 11 12:29:00 localhost sshd[17570]: Invalid user + paco from 172.17.1.1 port 56390","full_log":"May 11 12:29:18 localhost sshd[17584]: Invalid user + paco from 172.17.1.1 port 56404","predecoder":{"program_name":"sshd","timestamp":"May 11 12:29:18", + "hostname":"localhost"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"172.17.1.1", + "srcport":"56404","srcuser":"paco"},"location":"/var/log/secure"}' alert_type: overlong diff --git a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_file_deleted.yaml b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_file_deleted.yaml index 330f623cde..fe9f962456 100644 --- a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_file_deleted.yaml +++ b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_file_deleted.yaml 
@@ -1,17 +1,22 @@ -- name: Cannot read alerts - Json File Deleted +- name: cannot_read_alerts_file_deleted description: The alerts.json file is missing and it cannot read alerts from it. configuration_parameters: - API_KEY: Insert using --integration-api-key parameter + WEBHOOK_URL: Insert using --slack-webhook-url parameter metadata: - alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description": - "File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck", - "syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"], - "hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8", - "CC7.2","CC7.3"]},"agent":{"id":"000","name":"padding_input"},"manager":{"name":"c3"},"id": - "1657551196.2754","full_log":"File /test_folder/TEST_FILE_DELETED_ALERT.txt added\nMode: - scheduled\n","syscheck":{"path":"/test_folder/TEST_FILE_DELETED_ALERT.txt","mode":"scheduled", - "size_after":"16","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after": - "2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe", - "sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after": - "root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"}, - "decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' + alert_sample: '{"timestamp":"2022-05-11T12:29:19.905+0000","rule":{"level":10,"description": + "sshd: brute force trying to get access to the system. 
Non existent user.","id":"5712", + "mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"frequency":8, + "firedtimes":1,"mail":false,"groups":["syslog","sshd","authentication_failures"],"gdpr": + ["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["SI.4","AU.14","AC.7"],"pci_dss": + ["11.4","10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name": + "localhost.localdomain"},"manager":{"name":"localhost.localdomain"},"id":"1652272159.1549653", + "previous_output":"May 11 12:29:16 localhost sshd[17582]: Invalid user paco from 172.17.1.1 port + 56402\nMay 11 12:29:14 localhost sshd[17580]: Invalid user paco from 172.17.1.1 port 56400\nMay + 11 12:29:11 localhost sshd[17578]: Invalid user paco from 172.17.1.1 port 56398\nMay 11 12:29:09 + localhost sshd[17576]: Invalid user paco from 172.17.1.1 port 56396\nMay 11 12:29:07 localhost + sshd[17574]: Invalid user paco from 172.17.1.1 port 56394\nMay 11 12:29:04 localhost sshd[17572]: + Invalid user paco from 172.17.1.1 port 56392\nMay 11 12:29:00 localhost sshd[17570]: Invalid user + paco from 172.17.1.1 port 56390","full_log":"May 11 12:29:18 localhost sshd[17584]: Invalid user + paco from 172.17.1.1 port 56404","predecoder":{"program_name":"sshd","timestamp":"May 11 12:29:18", + "hostname":"localhost"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"172.17.1.1", + "srcport":"56404","srcuser":"paco"},"location":"/var/log/secure"}' diff --git a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_valid_json_alerts.yaml b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_valid_json_alerts.yaml index f1fabd521c..8ee984321a 100644 --- a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_valid_json_alerts.yaml +++ b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_valid_json_alerts.yaml 
@@ -1,17 +1,22 @@ -- name: Read valid json alert +- name: read_valid_json_alert description: Read a valid alert from alerts.json configuration_parameters: - API_KEY: Insert using --integration-api-key parameter + WEBHOOK_URL: Insert using --slack-webhook-url parameter metadata: - alert_sample: '{"timestamp":"2022-07-20T14:53:16.482+0000","rule":{"level":5,"description": - "File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck", - "syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"], - "hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8", - "CC7.2","CC7.3"]},"agent":{"id":"000","name":"padding_input"},"manager":{"name":"c3"},"id": - "1657551196.2754","full_log":"File /test_folder/TEST_VALID_ALERT.txt added\nMode: scheduled\n", - "syscheck":{"path":"/test_folder/TEST_VALID_ALERT.txt","mode":"scheduled","size_after":"16", - "perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after": - "2982666f29e2736e7ca0e12dd638d433","sha1_after":"49999430cc5652dedd26352b0342097e8fa3affe", - "sha256_after":"32bc19c9406a98ab21e5ec79fbd5bba2cb79755607a9f382c662d37b5bf5d8ea","uname_after": - "root","gname_after":"root","mtime_after":"2022-07-11T14:53:07","inode_after":9793,"event":"added"}, - "decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}' + alert_sample: '{"timestamp":"2022-05-11T12:29:19.905+0000","rule":{"level":10,"description": + "sshd: brute force trying to get access to the system. 
Non existent user.","id":"5712", + "mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"frequency":8, + "firedtimes":1,"mail":false,"groups":["syslog","sshd","authentication_failures"],"gdpr": + ["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["SI.4","AU.14","AC.7"],"pci_dss": + ["11.4","10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name": + "localhost.localdomain"},"manager":{"name":"localhost.localdomain"},"id":"1652272159.1549653", + "previous_output":"May 11 12:29:16 localhost sshd[17582]: Invalid user paco from 172.17.1.1 port + 56402\nMay 11 12:29:14 localhost sshd[17580]: Invalid user paco from 172.17.1.1 port 56400\nMay + 11 12:29:11 localhost sshd[17578]: Invalid user paco from 172.17.1.1 port 56398\nMay 11 12:29:09 + localhost sshd[17576]: Invalid user paco from 172.17.1.1 port 56396\nMay 11 12:29:07 localhost + sshd[17574]: Invalid user paco from 172.17.1.1 port 56394\nMay 11 12:29:04 localhost sshd[17572]: + Invalid user paco from 172.17.1.1 port 56392\nMay 11 12:29:00 localhost sshd[17570]: Invalid user + paco from 172.17.1.1 port 56390","full_log":"May 11 12:29:18 localhost sshd[17584]: Invalid user + paco from 172.17.1.1 port 56404","predecoder":{"program_name":"sshd","timestamp":"May 11 12:29:18", + "hostname":"localhost"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"172.17.1.1", + "srcport":"56404","srcuser":"paco"},"location":"/var/log/secure"}' diff --git a/tests/integration/test_integratord/test_integratord_change_inode_alert.py b/tests/integration/test_integratord/test_integratord_change_inode_alert.py index 4c35546427..8feb320e3e 100644 --- a/tests/integration/test_integratord/test_integratord_change_inode_alert.py +++ b/tests/integration/test_integratord/test_integratord_change_inode_alert.py 
@@ -3,44 +3,33 @@ Created by Wazuh, Inc. . This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - type: integration - -brief: Integratord manages wazuh integrations with other applications such as Yara or Virustotal, by feeding +brief: Integratord manages wazuh integrations with other applications such as Yara or Slack, by feeding the integrated aplications with the alerts located in alerts.json file. This test module aims to validate that given a specific alert, the expected response is recieved, depending if it is a valid/invalid json alert, an overlong alert (64kb+) or what happens when it cannot read the file because it is missing. - components: - integratord - -suite: integratord_change_inode_alert - +suite: integratord_read_json_alerts targets: - agent - daemons: - wazuh-integratord - os_platform: - Linux - os_version: - Centos 8 - Ubuntu Focal - references: - - https://documentation.wazuh.com/current/user-manual/capabilities/virustotal-scan/integration.html - - https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-integratord.htm - + - https://documentation.wazuh.com/current/user-manual/manager/manual-integration.html#slack + - https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-integratord.html pytest_args: - tier: 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. 1: Only level 1 tests are performed, they check functionalities of medium complexity. 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. - tags: - - virustotal + - slack ''' import os import time 
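Review bot: The module docstring now says `suite: integratord_read_json_alerts` while the file is test_integratord_change_inode_alert.py and the previous value named that suite; if the intent is to group the three integratord modules under one suite, apply it to all three, otherwise keep `suite: integratord_change_inode_alert`. The `brief` still describes valid/invalid/overlong alerts and a missing file, none of which this module exercises; a one-line brief about the inode change would be accurate. Both are docstring-only fixes.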
@@ -52,7 +41,7 @@ from wazuh_testing.modules import integratord as integrator from wazuh_testing.modules.integratord.event_monitor import check_integratord_event from wazuh_testing.tools.configuration import get_test_cases_data, load_configuration_template -from wazuh_testing.tools.monitoring import FileMonitor, generate_monitoring_callback +from wazuh_testing.tools.monitoring import FileMonitor, callback_generator # Marks @@ -64,18 +53,19 @@ TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases') # Configuration and cases data -configurations_path = os.path.join(CONFIGURATIONS_PATH, 'config_integratord_read_json_alerts.yaml') +configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_integratord_read_json_alerts.yaml') cases_path = os.path.join(TEST_CASES_PATH, 'cases_integratord_change_inode_alert.yaml') # Configurations configuration_parameters, configuration_metadata, case_ids = get_test_cases_data(cases_path) -configuration_parameters[0]['API_KEY'] = global_parameters.integration_api_key +configuration_parameters[0]['WEBHOOK_URL'] = global_parameters.slack_webhook_url configurations = load_configuration_template(configurations_path, configuration_parameters, configuration_metadata) -local_internal_options = {'integrator.debug': '2'} +local_internal_options = {'integrator.debug': '2', 'analysisd.debug': '1'} # Variables TEMP_FILE_PATH = os.path.join(WAZUH_PATH, 'logs/alerts/alerts.json.tmp') +REQUIRED_DAEMONS = integrator.REQUIRED_DAEMONS # Tests 
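Review bot: `configurations_path` now names `configuration_integratord_read_json_alerts.yaml`, but the template this same patch edits is still `data/configuration_template/config_integratord_read_json_alerts.yaml` and the diffstat shows no rename, so the module fails at import unless a later patch in the series renames the file; keep the two in step within this commit (`'config_integratord_read_json_alerts.yaml'`). `configuration_parameters[0]['WEBHOOK_URL'] = global_parameters.slack_webhook_url` renders `None` into the generated config when the option was not passed; a module-level `pytest.skip(..., allow_module_level=True)` or an explicit check would fail with a clear reason instead of a Slack error buried in ossec.log. Because `REQUIRED_DAEMONS = integrator.REQUIRED_DAEMONS` aliases the shared list rather than copying it, any fixture that mutates the list mutates it for every test module.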
@@ -83,24 +73,12 @@ @pytest.mark.parametrize('configuration, metadata', zip(configurations, configuration_metadata), ids=case_ids) def test_integratord_change_json_inode(configuration, metadata, set_wazuh_configuration, truncate_monitored_files, - configure_local_internal_options_module, restart_wazuh_daemon_function, + configure_local_internal_options_module, restart_wazuh_function, wait_for_start_module): ''' - description: Check that if when reading the alerts.json file, the inode for the file changes, integratord will - reload the file and continue reading from it. - - test_phases: - - Insert an alert alerts.json file. - - Replace the alerts.json file while it being read. - - Check integratord detects the file's inode has changed. - - Wait for integratord to start reading from the file again. - - Insert an alert - - Check virustotal response is added in ossec.log - - wazuh_min_version: 4.3.7 - + description: Check that when a given alert is inserted into alerts.json, integratord works as expected. + wazuh_min_version: 4.3.5 tier: 1 - parameters: - configuration: type: dict 
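Review bot: The new `description:` ("Check that when a given alert is inserted into alerts.json, integratord works as expected") is the generic text of the read_json_alerts module and no longer says what this test verifies — that integratord detects the inode change of alerts.json after the file is replaced and resumes reading; the removed `test_phases` list captured exactly that and is worth keeping. Suggested wording: `description: Check that when the alerts.json inode changes while integratord is reading it, the change is detected, the file is reloaded and a newly inserted alert is processed.` `wazuh_min_version` also drops from 4.3.7 to 4.3.5 without a stated reason (the same edit appears in test_integratord_read_json_file_deleted.py) while test_integratord_read_json_alerts.py keeps 4.3.7; if the version was lowered deliberately, note why.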
@@ -117,22 +95,21 @@ def test_integratord_change_json_inode(configuration, metadata, set_wazuh_config - configure_local_internal_options_module: type: fixture brief: Configure the local internal options file. - - restart_wazuh_daemon_function: + - restart_wazuh_function: type: fixture - brief: Restart wazuh's daemon before starting a test. + brief: Restart a list of daemons (defined in REQUIRED_DAEMONS variable) and stop them after finishing. - wait_for_start_module: type: fixture brief: Detect the start of the Integratord module in the ossec.log - assertions: - Verify the expected response with for a given alert is recieved - input_description: - - The `config_integratord_read_json_alerts.yaml` file provides the module configuration for this test. + - The `configuration_integratord_read_json_alerts.yaml` file provides the module configuration for this test. - The `cases_integratord_read_json_alerts` file provides the test cases. - expected_output: - - r'.*(wazuh-integratord.*DEBUG: jqueue_next.*Alert file inode changed).*' + - r'.*wazuh-integratord.*DEBUG: sending new alert' + - r'.*wazuh-integratord.*DEBUG: jqueue_next.*Alert file inode changed.*' + - r'.*wazuh-integratord.*Processing alert.*' ''' wazuh_monitor = FileMonitor(LOG_FILE_PATH) @@ -140,9 +117,9 @@ def test_integratord_change_json_inode(configuration, metadata, set_wazuh_config # Insert Alerts run_local_command_returning_output(command) - # Get that alert is read + # Check that the alert was read check_integratord_event(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout, - callback=generate_monitoring_callback(integrator.CB_INTEGRATORD_SENDING_ALERT), + callback=callback_generator(integrator.CB_INTEGRATORD_SENDING_ALERT), error_message=integrator.ERR_MSG_SENDING_ALERT_NOT_FOUND, update_position=False) 
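Review bot: `input_description` still names `cases_integratord_read_json_alerts` as the cases file, but this module loads `cases_integratord_change_inode_alert.yaml` (see the `cases_path` assignment in the configuration hunk above). Since the adjacent configuration filename is being corrected in this hunk, fix this line as well: `- The cases_integratord_change_inode_alert.yaml file provides the test cases.`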
@@ -151,16 +128,20 @@ def test_integratord_change_json_inode(configuration, metadata, set_wazuh_config remove_file(ALERT_FILE_PATH) copy(TEMP_FILE_PATH, ALERT_FILE_PATH) - # Wait for Inode change to be detected and insert new alert - time.sleep(3) - run_local_command_returning_output(command) + # Wait for Inode change to be detected + # The `integratord` library tries to read alerts from the file every 1 second. So, the test waits 1 second + 1 + # until the file is reloaded. + time.sleep(integrator.TIME_TO_DETECT_FILE) # Monitor Inode Changed - check_integratord_event(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout * 2, - callback=generate_monitoring_callback(integrator.CB_ALERTS_FILE_INODE_CHANGED), + check_integratord_event(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout, + callback=callback_generator(integrator.CB_ALERTS_FILE_INODE_CHANGED), error_message=integrator.ERR_MSG_ALERT_INODE_CHANGED_NOT_FOUND) + # Insert a new alert + run_local_command_returning_output(command) + # Read Response in ossec.log check_integratord_event(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout, - callback=generate_monitoring_callback(integrator.CB_PROCESSING_ALERT), - error_message=integrator.ERR_MSG_VIRUSTOTAL_ALERT_NOT_DETECTED) + callback=callback_generator(integrator.CB_PROCESSING_ALERT), + error_message=integrator.ERR_MSG_SLACK_ALERT_NOT_DETECTED) diff --git a/tests/integration/test_integratord/test_integratord_read_json_alerts.py b/tests/integration/test_integratord/test_integratord_read_json_alerts.py index 6a3a3e3dff..a191ca8bc2 100644 --- a/tests/integration/test_integratord/test_integratord_read_json_alerts.py +++ b/tests/integration/test_integratord/test_integratord_read_json_alerts.py 
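Review bot: `copy(TEMP_FILE_PATH, ALERT_FILE_PATH)` recreates alerts.json with the ownership of the test process rather than that of the original file, whereas test_integratord_read_json_file_deleted.py explicitly runs `chmod 640` and `chown wazuh:wazuh` on the file it creates; if wazuh-integratord runs unprivileged, the copied file may be unreadable and the "Alert file inode changed" wait would time out for the wrong reason, so the same ownership fix belongs after the copy here (e.g. `shutil.chown(ALERT_FILE_PATH, 'wazuh', 'wazuh')` if `shutil` is imported in this module). The fixed `time.sleep(integrator.TIME_TO_DETECT_FILE)` that follows is probably only a delay, because the next `check_integratord_event` already waits up to `default_timeout` for the inode message; the comment explains the intent well, but the sleep could be dropped or tied to the monitor. The function's signature is outside this hunk.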
@@ -4,42 +4,32 @@ This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 type: integration - -brief: Integratord manages wazuh integrations with other applications such as Yara or Virustotal, by feeding +brief: Integratord manages wazuh integrations with other applications such as Yara or Slack, by feeding the integrated aplications with the alerts located in alerts.json file. This test module aims to validate that given a specific alert, the expected response is recieved, depending if it is a valid/invalid json alert, an overlong alert (64kb+) or what happens when it cannot read the file because it is missing. - components: - integratord - suite: integratord_read_json_alerts - targets: - agent - daemons: - wazuh-integratord - os_platform: - Linux - os_version: - Centos 8 - Ubuntu Focal - references: - - https://documentation.wazuh.com/current/user-manual/capabilities/virustotal-scan/integration.html - - https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-integratord.htm - + - https://documentation.wazuh.com/current/user-manual/manager/manual-integration.html#slack + - https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-integratord.html pytest_args: - tier: 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. 1: Only level 1 tests are performed, they check functionalities of medium complexity. 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. - tags: - - virustotal + - slack ''' import os import pytest 
@@ -51,7 +41,7 @@ from wazuh_testing.modules.integratord.event_monitor import check_integratord_event from wazuh_testing.tools.local_actions import run_local_command_returning_output from wazuh_testing.tools.configuration import get_test_cases_data, load_configuration_template -from wazuh_testing.tools.monitoring import FileMonitor, generate_monitoring_callback +from wazuh_testing.tools.monitoring import FileMonitor, callback_generator # Marks 
@@ -63,21 +53,27 @@ TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases') # Configuration and cases data -configurations_path = os.path.join(CONFIGURATIONS_PATH, 'config_integratord_read_json_alerts.yaml') +configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_integratord_read_json_alerts.yaml') t1_cases_path = os.path.join(TEST_CASES_PATH, 'cases_integratord_read_valid_json_alerts.yaml') t2_cases_path = os.path.join(TEST_CASES_PATH, 'cases_integratord_read_invalid_json_alerts.yaml') # Configurations t1_configuration_parameters, t1_configuration_metadata, t1_case_ids = get_test_cases_data(t1_cases_path) -t1_configuration_parameters[0]['API_KEY'] = global_parameters.integration_api_key +t1_configuration_parameters[0]['WEBHOOK_URL'] = global_parameters.slack_webhook_url t1_configurations = load_configuration_template(configurations_path, t1_configuration_parameters, t1_configuration_metadata) t2_configuration_parameters, t2_configuration_metadata, t2_case_ids = get_test_cases_data(t2_cases_path) -t2_configuration_parameters[0]['API_KEY'] = global_parameters.integration_api_key +# Replace the Webhook URL in each test case +for i, test_case in enumerate(t2_case_ids): + t2_configuration_parameters[i]['WEBHOOK_URL'] = global_parameters.slack_webhook_url t2_configurations = load_configuration_template(configurations_path, t2_configuration_parameters, t2_configuration_metadata) -local_internal_options = {'integrator.debug': '2'} + +local_internal_options = {'integrator.debug': '2', 'analysisd.debug': '1'} + +# Variables +REQUIRED_DAEMONS = integrator.REQUIRED_DAEMONS # Tests 
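Review bot: In `for i, test_case in enumerate(t2_case_ids): t2_configuration_parameters[i]['WEBHOOK_URL'] = ...` the loop variable `test_case` is unused and the case-id list is only used as an index into a parallel list; iterate the parameters directly: `for params in t2_configuration_parameters:` followed by `    params['WEBHOOK_URL'] = global_parameters.slack_webhook_url`. The t1 block a few lines above still sets `t1_configuration_parameters[0]` only, so the two suites are inconsistent about whether every case receives the webhook; using the loop for both avoids a template placeholder reaching ossec.conf if a second valid-alert case is added.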
@@ -85,19 +81,13 @@ @pytest.mark.parametrize('configuration, metadata', zip(t1_configurations, t1_configuration_metadata), ids=t1_case_ids) def test_integratord_read_valid_alerts(configuration, metadata, set_wazuh_configuration, truncate_monitored_files, - configure_local_internal_options_module, restart_wazuh_daemon_function, + configure_local_internal_options_module, restart_wazuh_function, wait_for_start_module): ''' description: Check that when a given alert is inserted into alerts.json, integratord works as expected. In case - of a valid alert, a virustotal integration alert is expected in the alerts.json file. + of a valid alert, a slack integration alert is expected in the alerts.json file. wazuh_min_version: 4.3.7 - - test_phases: - - Insert an alert alerts.json file. - - Check virustotal response is added in ossec.log - tier: 1 - parameters: - configuration: type: dict 
@@ -114,50 +104,43 @@ def test_integratord_read_valid_alerts(configuration, metadata, set_wazuh_config - configure_local_internal_options_module: type: fixture brief: Configure the local internal options file. - - restart_wazuh_daemon_function: + - restart_wazuh_function: type: fixture - brief: Restart wazuh daemon before starting a test. + brief: Restart a list of daemons (defined in REQUIRED_DAEMONS variable) and stop them after finishing. - wait_for_start_module: type: fixture brief: Detect the start of the Integratord module in the ossec.log - assertions: - Verify the expected response with for a given alert is recieved - input_description: - - The `config_integratord_read_json_alerts.yaml` file provides the module configuration for this test. + - The `configuration_integratord_read_json_alerts.yaml` file provides the module configuration for this test. - The `cases_integratord_read_valid_json_alerts` file provides the test cases. - expected_output: - - r'.*wazuh-integratord.*alert_id.*\"integration\": \"virustotal\".*' + - r'.*wazuh-integratord.*alert_id.*\"integration\": \"slack\".*' ''' sample = metadata['alert_sample'] wazuh_monitor = FileMonitor(LOG_FILE_PATH) + time.sleep(5) run_local_command_returning_output(f"echo '{sample}' >> {ALERT_FILE_PATH}") # Read Response in ossec.log check_integratord_event(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout, - callback=generate_monitoring_callback(integrator.CB_VIRUSTOTAL_ALERT), - error_message=integrator.ERR_MSG_VIRUSTOTAL_ALERT_NOT_DETECTED) + callback=callback_generator(integrator.CB_SLACK_ALERT), + error_message=integrator.ERR_MSG_SLACK_ALERT_NOT_DETECTED) @pytest.mark.tier(level=1) @pytest.mark.parametrize('configuration, metadata', zip(t2_configurations, t2_configuration_metadata), ids=t2_case_ids) def test_integratord_read_invalid_alerts(configuration, metadata, set_wazuh_configuration, truncate_monitored_files, - configure_local_internal_options_module, restart_wazuh_daemon_function, 
+ configure_local_internal_options_module, restart_wazuh_function, wait_for_start_module): ''' description: Check that when a given alert is inserted into alerts.json, integratord works as expected. In case - of a valid alert, a virustotal integration alert is expected in the alerts.json file. If the alert is invalid or + of a valid alert, a slack integration alert is expected in the alerts.json file. If the alert is invalid or broken, or overly long a message will appear in the ossec.log file. wazuh_min_version: 4.3.7 - - test_phases: - - Insert an alert alerts.json file. - - Check that the expected response message is given for an invalid alert. - tier: 1 parameters: - configuration: @@ -175,16 +158,16 @@ def test_integratord_read_invalid_alerts(configuration, metadata, set_wazuh_conf - configure_local_internal_options_module: type: fixture brief: Configure the local internal options file. - - restart_wazuh_daemon_function: + - restart_wazuh_function: type: fixture - brief: Restart wazuh daemon before starting a test. + brief: Restart a list of daemons (defined in REQUIRED_DAEMONS variable) and stop them after finishing. - wait_for_start_module: type: fixture brief: Detect the start of the Integratord module in the ossec.log assertions: - Verify the expected response with for a given alert is recieved input_description: - - The `config_integratord_read_json_alerts.yaml` file provides the module configuration for this test. + - The `configuration_integratord_read_json_alerts.yaml` file provides the module configuration for this test. - The `cases_integratord_read_invalid_json_alerts` file provides the test cases. expected_output: - r'.*wazuh-integratord.*WARNING: Invalid JSON alert read.*' 
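Review bot: `callback_generator(integrator.CB_SLACK_ALERT)` in `test_integratord_read_valid_alerts` does not pin the Slack response: as introduced by this patch (the value is visible where PATCH 06 later removes it), `CB_SLACK_ALERT` is `.*wazuh-integratord.*`, so any integratord line in ossec.log — including the "sending new alert" debug message — satisfies the check and the test cannot fail when the alert is never delivered. Match something specific to delivery instead, such as the `Response [200]` line the file_deleted module lists as expected output, and note that the monitor reads ossec.log (`FileMonitor(LOG_FILE_PATH)`) while `expected_output` and the description still speak of alerts.json. The new `time.sleep(5)` before the insert has no comment and differs from the `integrator.TIME_TO_DETECT_FILE` wait the sibling modules use; state the reason or reuse the constant. The function's signature is outside this hunk.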
@@ -209,4 +192,4 @@ def test_integratord_read_invalid_alerts(configuration, metadata, set_wazuh_conf # Read Response in ossec.log check_integratord_event(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout, - callback=generate_monitoring_callback(callback), error_message=error_message) + callback=callback_generator(callback), error_message=error_message) diff --git a/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py b/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py index d9dfc68c56..d339b2c67b 100644 --- a/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py +++ b/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py 
@@ -3,44 +3,33 @@ Created by Wazuh, Inc. . This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - type: integration - -brief: Integratord manages wazuh integrations with other applications such as Yara or Virustotal, by feeding +brief: Integratord manages wazuh integrations with other applications such as Yara or Slack, by feeding the integrated aplications with the alerts located in alerts.json file. This test module aims to validate that given a specific alert, the expected response is recieved, depending if it is a valid/invalid json alert, an overlong alert (64kb+) or what happens when it cannot read the file because it is missing. - components: - integratord - -suite: integratord_read_json_file_deleted - +suite: integratord_read_json_alerts targets: - agent - daemons: - wazuh-integratord - os_platform: - Linux - os_version: - Centos 8 - Ubuntu Focal - references: - - https://documentation.wazuh.com/current/user-manual/capabilities/virustotal-scan/integration.html - - https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-integratord.htm - + - https://documentation.wazuh.com/current/user-manual/manager/manual-integration.html#slack + - https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-integratord.html pytest_args: - tier: 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. 1: Only level 1 tests are performed, they check functionalities of medium complexity. 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. - tags: - - virustotal + - slack ''' import os import time 
@@ -53,7 +42,7 @@ from wazuh_testing.modules.integratord.event_monitor import check_integratord_event from wazuh_testing.tools.local_actions import run_local_command_returning_output from wazuh_testing.tools.configuration import get_test_cases_data, load_configuration_template -from wazuh_testing.tools.monitoring import FileMonitor, generate_monitoring_callback +from wazuh_testing.tools.monitoring import FileMonitor, callback_generator # Marks 
@@ -65,37 +54,32 @@ TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases') # Configuration and cases data -configurations_path = os.path.join(CONFIGURATIONS_PATH, 'config_integratord_read_json_alerts.yaml') +configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_integratord_read_json_alerts.yaml') cases_path = os.path.join(TEST_CASES_PATH, 'cases_integratord_read_json_file_deleted.yaml') # Configurations configuration_parameters, configuration_metadata, case_ids = get_test_cases_data(cases_path) -configuration_parameters[0]['API_KEY'] = global_parameters.integration_api_key +configuration_parameters[0]['WEBHOOK_URL'] = global_parameters.slack_webhook_url configurations = load_configuration_template(configurations_path, configuration_parameters, configuration_metadata) -local_internal_options = {'integrator.debug': '2'} +local_internal_options = {'integrator.debug': '2', 'analysisd.debug': '1', 'monitord.rotate_log': '0'} + +# Variables +REQUIRED_DAEMONS = integrator.REQUIRED_DAEMONS # Tests @pytest.mark.tier(level=1) -@pytest.mark.parametrize('configuration, metadata', - zip(configurations, configuration_metadata), ids=case_ids) +@pytest.mark.parametrize('configuration, metadata', zip(configurations, configuration_metadata), ids=case_ids) def test_integratord_read_json_file_deleted(configuration, metadata, set_wazuh_configuration, truncate_monitored_files, - configure_local_internal_options_module, restart_wazuh_daemon_function, + configure_local_internal_options_module, restart_wazuh_function, wait_for_start_module): ''' - description: Check that if while integratord is reading from the alerts.json file, it is deleted, the expected - error message is displayed, and if the file is created again and alerts are inserted, integratord continues - working and alerts are read. - wazuh_min_version: 4.3.7 - - test_phases: - - Remove alerts.json file. - - Wait for integratord to detect the file was removed. - - Create new alerts.json file. 
- - Wait for the new file to be detected. - - Insert an alert - - Check virustotal response is added in ossec.log + description: Check that integratord reads the alerts.json file and, when the file is deleted, the expected + warning message is shown. Then, the file is created and alerts are inserted, check if integratord + keeps working and alerts are read. + + wazuh_min_version: 4.3.5 tier: 1 @@ -115,9 +99,9 @@ def test_integratord_read_json_file_deleted(configuration, metadata, set_wazuh_c - configure_local_internal_options_module: type: fixture brief: Configure the local internal options file. - - restart_wazuh_daemon_function: + - restart_wazuh_function: type: fixture - brief: Restart wazuh daemon before starting a test. + brief: Restart a list of daemons (defined in REQUIRED_DAEMONS variable) and stop them after finishing. - wait_for_start_module: type: fixture brief: Detect the start of the Integratord module in the ossec.log 
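Review bot: `'monitord.rotate_log': '0'` is added to `local_internal_options` in this module only; if it was needed because a log rotation during the test broke the FileMonitor, the change_inode and read_json_alerts modules are exposed to the same issue, and if it is specific to deleting alerts.json a short comment should say so, e.g. `# Disable log rotation so the monitored files are not replaced while the test runs`. The fixture brief `Restart a list of daemons (defined in REQUIRED_DAEMONS variable) and stop them after finishing.` is the one point where the new module-level `REQUIRED_DAEMONS` alias is explained; a one-line comment next to the alias itself (`# Consumed by the restart_wazuh_function fixture`) would make the link visible without reading the docstring.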
@@ -126,29 +110,33 @@ def test_integratord_read_json_file_deleted(configuration, metadata, set_wazuh_c - Verify the expected response with for a given alert is recieved input_description: - - The `config_integratord_read_json_alerts.yaml` file provides the module configuration for this test. + - The `configuration_integratord_read_json_alerts.yaml` file provides the module configuration for this test. - The `cases_integratord_read_json_file_deleted` file provides the test cases. expected_output: - - r'.*wazuh-integratord.*ERROR.*Could not retrieve information of file.*alerts.json.*No such file.*' - - r'.*wazuh-integratord.*alert_id.*\"integration\": \"virustotal\".*' + - r'.*wazuh-integratord.*WARNING.*Could not retrieve information of file.*' + - r'.*wazuh-integratord.*Response [200].*' ''' wazuh_monitor = FileMonitor(LOG_FILE_PATH) + command = f"touch {ALERT_FILE_PATH} && chmod 640 {ALERT_FILE_PATH} && chown wazuh:wazuh {ALERT_FILE_PATH}" + # Delete alerts.json file remove_file(ALERT_FILE_PATH) check_integratord_event(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout*2, - callback=generate_monitoring_callback(integrator.CB_CANNOT_RETRIEVE_JSON_FILE), + callback=callback_generator(integrator.CB_CANNOT_RETRIEVE_JSON_FILE), error_message=integrator.ERR_MSG_CANNOT_RETRIEVE_MSG_NOT_FOUND) - # Create file new alerts.json file. 
+ # Create alerts.json file run_local_command_returning_output(command) - # Wait for Integratord to detect the file before the inserting the alert - time.sleep(2) + # Waiting time so Integrator detects the file before the insertion + time.sleep(integrator.TIME_TO_DETECT_FILE) + + # Insert alert to the alerts.json run_local_command_returning_output(f"echo '{metadata['alert_sample']}' >> {ALERT_FILE_PATH}") # Read Response in ossec.log check_integratord_event(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout*2, - callback=generate_monitoring_callback(integrator.CB_VIRUSTOTAL_ALERT), - error_message=integrator.ERR_MSG_VIRUSTOTAL_ALERT_NOT_DETECTED) + callback=callback_generator(integrator.CB_SLACK_ALERT), + error_message=integrator.ERR_MSG_SLACK_ALERT_NOT_DETECTED) From 0696b337e363faf915ee668499d11334f4c4e44e Mon Sep 17 00:00:00 2001 From: fedepacher Date: Thu, 27 Oct 2022 15:23:52 -0300 Subject: [PATCH 02/14] refactor(#3298): refactor test variables and add callback function --- .../wazuh_testing/modules/analysisd/__init__.py | 2 +- deps/wazuh_testing/wazuh_testing/tools/monitoring.py | 9 +++++++++ tests/integration/test_integratord/conftest.py | 2 +- ...l => configuration_integratord_read_json_alerts.yaml} | 0 4 files changed, 11 insertions(+), 2 deletions(-) rename tests/integration/test_integratord/data/configuration_template/{config_integratord_read_json_alerts.yaml => configuration_integratord_read_json_alerts.yaml} (100%) diff --git a/deps/wazuh_testing/wazuh_testing/modules/analysisd/__init__.py b/deps/wazuh_testing/wazuh_testing/modules/analysisd/__init__.py index b729a40641..fce7f8aadb 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/analysisd/__init__.py +++ b/deps/wazuh_testing/wazuh_testing/modules/analysisd/__init__.py 
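Review bot: The new `command` builds `touch ... && chmod 640 ... && chown wazuh:wazuh ...` as a shell string and runs it through `run_local_command_returning_output`; the path is a constant so there is no injection here, but the same three steps are available without a shell and fail loudly instead of returning output to ignore: `Path(ALERT_FILE_PATH).touch()`, `os.chmod(ALERT_FILE_PATH, 0o640)` and `shutil.chown(ALERT_FILE_PATH, 'wazuh', 'wazuh')` (`os` is already imported; `shutil`/`pathlib` would need adding). The `expected_output` entry `r'.*wazuh-integratord.*Response [200].*'` is also misleading as written: `[200]` is an unescaped character class matching a single `2` or `0`, and the check that follows actually uses `integrator.CB_SLACK_ALERT`, so either escape it (`Response \[200\]`) and use it as the callback, or list the pattern that is really checked. The function's signature is outside this hunk.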
@@ -9,7 +9,7 @@ 'analysisd.winevt_threads': '1', 'analysisd.rule_matching_threads': '1', 'analysisd.dbsync_threads': '1', 'remoted.worker_pool': '1'} # Callback Messages -CB_ANALYSISD_STARTUP_COMPLETED = fr".*{ANALYSISD_PREFIX}.*DEBUG: Startup completed. Waiting for new messages.*" +CB_ANALYSISD_STARTUP_COMPLETED = fr"DEBUG: Startup completed. Waiting for new messages.*" # Error messages ERR_MSG_STARTUP_COMPLETED_NOT_FOUND = fr'Did not recieve the expected "{CB_ANALYSISD_STARTUP_COMPLETED}"' \ No newline at end of file diff --git a/deps/wazuh_testing/wazuh_testing/tools/monitoring.py b/deps/wazuh_testing/wazuh_testing/tools/monitoring.py index 87e0472c3f..fba95fbac1 100644 --- a/deps/wazuh_testing/wazuh_testing/tools/monitoring.py +++ b/deps/wazuh_testing/wazuh_testing/tools/monitoring.py @@ -874,6 +874,15 @@ def new_callback(line): return new_callback +def callback_generator(regex): + def new_callback(line): + match = re.match(regex, line) + if match: + return line + + return new_callback + + class HostMonitor: """This class has the capability to monitor remote host. This monitoring consists of reading the specified files to check that the expected message arrives to them. diff --git a/tests/integration/test_integratord/conftest.py b/tests/integration/test_integratord/conftest.py index c78171a5c0..997bd007fb 100644 --- a/tests/integration/test_integratord/conftest.py +++ b/tests/integration/test_integratord/conftest.py @@ -25,5 +25,5 @@ def wait_for_start_module(request): error_message=integrator.ERR_MSG_SLACK_ENABLED_NOT_FOUND) # Wait for analysisd to start successfully (to detect changes in the alerts.json file) check_analysisd_event(file_monitor=file_monitor, timeout=T_5, - callback=callback_generator(analysisd.CB_ANALYSISD_STARTUP_COMPLETED), + callback=analysisd.CB_ANALYSISD_STARTUP_COMPLETED, error_message=analysisd.ERR_MSG_STARTUP_COMPLETED_NOT_FOUND) 
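Review bot: The conftest hunk now passes `analysisd.CB_ANALYSISD_STARTUP_COMPLETED` — a plain string — as `callback=` to `check_analysisd_event`, where the previous code passed `callback_generator(...)`; unless `check_analysisd_event` wraps string patterns itself (its implementation is not in this series), the monitor will try to call a `str`. In the analysisd hunk the pattern also loses `.*{ANALYSISD_PREFIX}`, so it is no longer tied to wazuh-analysisd, and a pattern without a leading `.*` will not match a timestamped log line if it is ever fed to `callback_generator`, which uses `re.match`. If the prefix is now added by the consumer, the `fr` prefix on a string with no placeholders can become a plain `r` string, and a comment should name the helper that supplies the daemon prefix.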
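Review bot: `callback_generator` in monitoring.py has no docstring and appears to duplicate `generate_monitoring_callback` defined just above it (whose `return new_callback` is the hunk's context line); the only difference visible here is that it returns the matched `line` rather than a match object. If both are kept, document the contract, e.g. `"""Return a callback that yields the log line when it matches regex (re.match, anchored at line start) and None otherwise."""`, and compile the pattern once outside `new_callback`. PATCH 06 of this series deletes this function again, so it may be simpler to drop it from the series altogether.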
diff --git a/tests/integration/test_integratord/data/configuration_template/config_integratord_read_json_alerts.yaml b/tests/integration/test_integratord/data/configuration_template/configuration_integratord_read_json_alerts.yaml similarity index 100% rename from tests/integration/test_integratord/data/configuration_template/config_integratord_read_json_alerts.yaml rename to tests/integration/test_integratord/data/configuration_template/configuration_integratord_read_json_alerts.yaml From adb6a6958d5094d022114ac95fc16e1927b5d95d Mon Sep 17 00:00:00 2001 From: fedepacher Date: Mon, 31 Oct 2022 15:11:34 -0300 Subject: [PATCH 03/14] refactor(#3298): refactor test timeout --- .../test_integratord/test_integratord_change_inode_alert.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/integration/test_integratord/test_integratord_change_inode_alert.py b/tests/integration/test_integratord/test_integratord_change_inode_alert.py index 8feb320e3e..432d4dc459 100644 --- a/tests/integration/test_integratord/test_integratord_change_inode_alert.py +++ b/tests/integration/test_integratord/test_integratord_change_inode_alert.py @@ -118,7 +118,7 @@ def test_integratord_change_json_inode(configuration, metadata, set_wazuh_config run_local_command_returning_output(command) # Check that the alert was read - check_integratord_event(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout, + check_integratord_event(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout*2, callback=callback_generator(integrator.CB_INTEGRATORD_SENDING_ALERT), error_message=integrator.ERR_MSG_SENDING_ALERT_NOT_FOUND, update_position=False) 
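Review bot: The timeout is raised to `global_parameters.default_timeout*2` here and in the two hunks that follow, so every wait in `test_integratord_change_json_inode` now uses the same derived value; a named module constant, or the `T_20`/`T_30` constants that `wazuh_testing` exports (PATCH 06's event_monitor.py imports them), would keep the three sites in sync and say why the default is not enough. A one-line comment stating what made the default time out would also help the next person tuning it.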
@@ -134,7 +134,7 @@ def test_integratord_change_json_inode(configuration, metadata, set_wazuh_config time.sleep(integrator.TIME_TO_DETECT_FILE) # Monitor Inode Changed - check_integratord_event(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout, + check_integratord_event(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout*2, callback=callback_generator(integrator.CB_ALERTS_FILE_INODE_CHANGED), error_message=integrator.ERR_MSG_ALERT_INODE_CHANGED_NOT_FOUND) @@ -142,6 +142,6 @@ def test_integratord_change_json_inode(configuration, metadata, set_wazuh_config run_local_command_returning_output(command) # Read Response in ossec.log - check_integratord_event(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout, + check_integratord_event(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout*2, callback=callback_generator(integrator.CB_PROCESSING_ALERT), error_message=integrator.ERR_MSG_SLACK_ALERT_NOT_DETECTED) From 70ea041ce4c2577e7b604538d426a35ba233b51c Mon Sep 17 00:00:00 2001 From: fedepacher Date: Mon, 31 Oct 2022 15:56:14 -0300 Subject: [PATCH 04/14] refactor(#3298): add new line to changelog file --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5d0adcfbb8..d73d7108c8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -53,6 +53,7 @@ Release report: TBD - Fix wazuh-db integration tests for agent-groups ([#3926](https://github.com/wazuh/wazuh-qa/pull/3926)) \- (Tests + Framework) - Fix `test_set_agent_groups` ([#3920](https://github.com/wazuh/wazuh-qa/pull/3920)) \- (Tests) - Improve `test_assign_groups_guess` ([#3901](https://github.com/wazuh/wazuh-qa/pull/3901)) \- (Tests) +- Change integratord test to use slack instead of virustotal ([#3540](https://github.com/wazuh/wazuh-qa/pull/3540)) \- (Tests) - Update `test_cluster_worker_logs_order` test ([#3896](https://github.com/wazuh/wazuh-qa/pull/3896)) \- (Tests) - Fix `test_agent_groups` ([#3889](https://github.com/wazuh/wazuh-qa/pull/3889)) \- (Tests + Framework) - Increase NVE download feed test timeout([#3769](https://github.com/wazuh/wazuh-qa/pull/3769)) \- (Tests) From 5d7b1d0b667f2cd5987b75ae62b8e124c77cadcd Mon Sep 17 00:00:00 2001 From: fedepacher Date: Mon, 31 Oct 2022 15:59:28 -0300 Subject: [PATCH 05/14] refactor(#3298): refactor code style --- CHANGELOG.md | 2 +- deps/wazuh_testing/wazuh_testing/modules/analysisd/__init__.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d73d7108c8..29d07c1583 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -53,7 +53,7 @@ Release report: TBD - Fix wazuh-db integration tests for agent-groups ([#3926](https://github.com/wazuh/wazuh-qa/pull/3926)) \- (Tests + Framework) - Fix `test_set_agent_groups` ([#3920](https://github.com/wazuh/wazuh-qa/pull/3920)) \- (Tests) - Improve `test_assign_groups_guess` ([#3901](https://github.com/wazuh/wazuh-qa/pull/3901)) \- (Tests) -- Change integratord test to use slack instead of virustotal ([#3540](https://github.com/wazuh/wazuh-qa/pull/3540)) \- (Tests) +- Change integratord test to use slack instead of virustotal ([#3540](https://github.com/wazuh/wazuh-qa/pull/3540)) \- (Framework + Tests) - Update `test_cluster_worker_logs_order` test ([#3896](https://github.com/wazuh/wazuh-qa/pull/3896)) \- (Tests) - Fix `test_agent_groups` ([#3889](https://github.com/wazuh/wazuh-qa/pull/3889)) \- (Tests + Framework) - Increase NVE download feed test timeout([#3769](https://github.com/wazuh/wazuh-qa/pull/3769)) \- (Tests) diff --git a/deps/wazuh_testing/wazuh_testing/modules/analysisd/__init__.py b/deps/wazuh_testing/wazuh_testing/modules/analysisd/__init__.py index fce7f8aadb..351128ac38 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/analysisd/__init__.py +++ b/deps/wazuh_testing/wazuh_testing/modules/analysisd/__init__.py @@ -12,4 +12,4 @@ CB_ANALYSISD_STARTUP_COMPLETED = fr"DEBUG: Startup completed. Waiting for new messages.*" # Error messages -ERR_MSG_STARTUP_COMPLETED_NOT_FOUND = fr'Did not recieve the expected "{CB_ANALYSISD_STARTUP_COMPLETED}"' \ No newline at end of file +ERR_MSG_STARTUP_COMPLETED_NOT_FOUND = fr'Did not recieve the expected "{CB_ANALYSISD_STARTUP_COMPLETED}"' From 825fbe9880d8c84caeab2dcd31edad8a7621d696 Mon Sep 17 00:00:00 2001 
From: fedepacher Date: Tue, 22 Nov 2022 16:45:47 -0300 Subject: [PATCH 06/14] refactor(#3298): create event_monitor function for each log to find. --- .../modules/integratord/__init__.py | 22 ---- .../modules/integratord/event_monitor.py | 118 +++++++++++++++++- .../wazuh_testing/tools/monitoring.py | 9 -- .../integration/test_integratord/conftest.py | 12 +- .../test_integratord_change_inode_alert.py | 18 +-- .../test_integratord_read_json_alerts.py | 19 ++- ...test_integratord_read_json_file_deleted.py | 11 +- 7 files changed, 140 insertions(+), 69 deletions(-) diff --git a/deps/wazuh_testing/wazuh_testing/modules/integratord/__init__.py b/deps/wazuh_testing/wazuh_testing/modules/integratord/__init__.py index 8cad1f9c89..a3d98aff2d 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/integratord/__init__.py +++ b/deps/wazuh_testing/wazuh_testing/modules/integratord/__init__.py 
@@ -9,25 +9,3 @@ INTEGRATORD_PREFIX = INTEGRATOR_DAEMON REQUIRED_DAEMONS = [INTEGRATOR_DAEMON, DB_DAEMON, ANALYSISD_DAEMON] TIME_TO_DETECT_FILE = 2 - -# Callback Messages -CB_SLACK_ENABLED = fr".*{INTEGRATORD_PREFIX}.*Enabling integration for: 'slack'.*" -CB_INTEGRATORD_SENDING_ALERT = fr".*{INTEGRATORD_PREFIX}.*DEBUG: sending new alert" -CB_PROCESSING_ALERT = fr".*{INTEGRATORD_PREFIX}.*Processing alert.*" -CB_INTEGRATORD_THREAD_READY = fr".*{INTEGRATORD_PREFIX}.*DEBUG: Local requests thread ready" -CB_SLACK_ALERT = fr".*{INTEGRATORD_PREFIX}.*" -CB_INVALID_JSON_ALERT_READ = fr".*{INTEGRATORD_PREFIX}.*WARNING: Invalid JSON alert read.*" -CB_OVERLONG_JSON_ALERT_READ = fr".*{INTEGRATORD_PREFIX}.*WARNING: Overlong JSON alert read.*" -CB_ALERTS_FILE_INODE_CHANGED = fr".*{INTEGRATORD_PREFIX}.*DEBUG: jqueue_next.*Alert file inode changed.*" -CB_CANNOT_RETRIEVE_JSON_FILE = fr".*{INTEGRATORD_PREFIX}.*WARNING.*Could not retrieve information of file.*"\ - r'alerts\.json.*No such file.*' - -# Error messages -ERR_MSG_SLACK_ENABLED_NOT_FOUND = r'Did not recieve the expected "Enabling integration for slack"' -ERR_MSG_SENDING_ALERT_NOT_FOUND = r'Did not recieve the expected "...sending new alert" event' -ERR_MSG_PROCESSING_ALERT_NOT_FOUND = r'Did not recieve the expected "...Procesing alert" event' -ERR_MSG_SLACK_ALERT_NOT_DETECTED = r'Did not recieve the expected Slack alert in alerts.json' -ERR_MSG_INVALID_ALERT_NOT_FOUND = r'Did not recieve the expected "...Invalid JSON alert read..." event' -ERR_MSG_OVERLONG_ALERT_NOT_FOUND = r'Did not recieve the expected "...Overlong JSON alert read..." event' -ERR_MSG_ALERT_INODE_CHANGED_NOT_FOUND = r'Did not recieve the expected "...Alert file inode changed..." event' -ERR_MSG_CANNOT_RETRIEVE_MSG_NOT_FOUND = r'Did not recieve the expected "...Could not retrieve information/open file"' 
diff --git a/deps/wazuh_testing/wazuh_testing/modules/integratord/event_monitor.py b/deps/wazuh_testing/wazuh_testing/modules/integratord/event_monitor.py index 0e9697ab2c..b0d1f2b155 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/integratord/event_monitor.py +++ b/deps/wazuh_testing/wazuh_testing/modules/integratord/event_monitor.py @@ -3,13 +3,37 @@ Created by Wazuh, Inc. . This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 ''' +import re +from wazuh_testing import T_20, T_30 from wazuh_testing.tools import LOG_FILE_PATH from wazuh_testing.tools.monitoring import FileMonitor +from wazuh_testing.modules.integratord import INTEGRATORD_PREFIX + + +def make_integratord_callback(pattern, prefix=INTEGRATORD_PREFIX): + """Create a callback function from a text pattern. + + It already contains the vulnerability-detector prefix. + + Args: + pattern (str): String to match on the log. + prefix (str): regular expression used as prefix before the pattern. + + Returns: + lambda: function that returns if there's a match in the file + + Examples: + >>> callback_bionic_update_started = make_vuln_callback("Starting Ubuntu Bionic database update") + """ + pattern = r'\s+'.join(pattern.split()) + regex = re.compile(r'{}{}'.format(prefix, pattern)) + + return lambda line: regex.match(line) is not None def check_integratord_event(file_monitor=None, callback='', error_message=None, update_position=True, - timeout=30, accum_results=1, file_to_monitor=LOG_FILE_PATH): + timeout=T_30, accum_results=1, file_to_monitor=LOG_FILE_PATH, prefix=INTEGRATORD_PREFIX): """Check if an event occurs Args: file_monitor (FileMonitor): FileMonitor object to monitor the file content. 
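Review bot: The docstring of the new `make_integratord_callback` is copied from another module — it says the callback "already contains the vulnerability-detector prefix" and its example calls `make_vuln_callback`; replace it with `Build a callback that matches *pattern* after *prefix* (default INTEGRATORD_PREFIX) on a log line; runs of whitespace in *pattern* are collapsed to \s+.` and an example such as `>>> cb = make_integratord_callback("DEBUG: Local requests thread ready")`. Separately, `r'{}{}'.format(prefix, pattern)` joins prefix and pattern with no separator and `regex.match` anchors at column 0, so unless INTEGRATORD_PREFIX itself carries leading and trailing `.*` a plain pattern like `DEBUG: Local requests thread ready` cannot match a timestamped log line — the constants removed from `integratord/__init__.py` wrapped it as `.*{INTEGRATORD_PREFIX}.*`. Consider `regex = re.compile(r'.*{}.*{}'.format(prefix, pattern))`, or document that callers must supply their own `.*`. The definition of `check_integratord_event` continues past the end of this hunk.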
@@ -18,10 +42,100 @@ def check_integratord_event(file_monitor=None, callback='', error_message=None, update_position (boolean): filter configuration parameter to search in Wazuh log timeout (str): timeout to check the event in Wazuh log accum_results (int): Accumulation of matches. + prefix (str): log pattern regex """ file_monitor = FileMonitor(file_to_monitor) if file_monitor is None else file_monitor error_message = f"Could not find this event in {file_to_monitor}: {callback}" if error_message is None else \ error_message file_monitor.start(timeout=timeout, update_position=update_position, accum_results=accum_results, - callback=callback, error_message=error_message) + callback=make_integratord_callback(callback, prefix), error_message=error_message) + + +def check_integratord_thread_ready(file_monitor=None, timeout=T_20): + """Check if a local requests thread ready in the logs. + + Args: + log_monitor (FileMonitor): Log monitor. + timeout (int): Event timeout. + """ + check_integratord_event(file_monitor=file_monitor, timeout=timeout, + callback=f"DEBUG: Local requests thread ready", + error_message='Did not recieve the expected "Enabling integration for slack"') + + +def check_send_new_alers(file_monitor=None, timeout=T_20, update_position=False): + """Check for sending new alert in the logs. + + Args: + log_monitor (FileMonitor): Log monitor. + timeout (int): Event timeout. + update_position (boolean): filter configuration parameter to search in Wazuh log + """ + check_integratord_event(file_monitor=file_monitor, timeout=timeout, + callback=f"DEBUG: sending new alert", + error_message='Did not recieve the expected "...sending new alert" event', + update_position=update_position) + + +def check_file_inode_changed(file_monitor=None, timeout=T_20): + """Check for Alert file inode changed in the logs. + + Args: + log_monitor (FileMonitor): Log monitor. + timeout (int): Event timeout. 
+ """ + check_integratord_event(file_monitor=file_monitor, timeout=timeout, + callback=fr".*DEBUG: jqueue_next.*Alert file inode changed.*", + error_message='Did not recieve the expected "...Alert file inode changed..." event') + + +def check_process_alert(file_monitor=None, timeout=T_20): + """Check for Processing alert in the logs. + + Args: + log_monitor (FileMonitor): Log monitor. + timeout (int): Event timeout. + """ + check_integratord_event(file_monitor=file_monitor, timeout=timeout, + callback=fr".*Processing alert.*", + error_message='Did not recieve the expected Slack alert in alerts.json') + + +def check_response(file_monitor=None, timeout=T_20): + """Check for response in the logs. + + Args: + log_monitor (FileMonitor): Log monitor. + timeout (int): Event timeout. + """ + check_integratord_event(file_monitor=file_monitor, timeout=timeout, + callback=fr".*", + error_message='Did not recieve the expected Slack alert in alerts.json') + + +def check_alert_read(file_monitor=None, timeout=T_20, callback='', error_message=None): + """Check for alert read in the logs. + + Args: + log_monitor (FileMonitor): Log monitor. + timeout (int): Event timeout. + callback (str): log regex to check in Wazuh log + error_message (str): error message to show in case of expected event does not occur + """ + check_integratord_event(file_monitor=file_monitor, timeout=timeout, + callback=callback, + error_message=error_message) + + +def check_file_information(file_monitor=None, timeout=T_20): + """Check for information of file in the logs. + + Args: + log_monitor (FileMonitor): Log monitor. + timeout (int): Event timeout. + """ + check_integratord_event(file_monitor=file_monitor, timeout=timeout, + callback=fr".*{INTEGRATORD_PREFIX}.*WARNING.*Could not retrieve information of file.*"\ + r'alerts\.json.*No such file.*', + error_message='Did not recieve the expected "...Could not retrieve information/open file"') 
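Review bot: `check_response` passes `callback=r".*"`, so once the prefix is prepended it matches any integratord log line; the checks in `test_integratord_read_valid_alerts` and `test_integratord_read_json_file_deleted` that call it can then only fail by timing out with no integratord output at all, and the hunk in patch 07 that rewords its error message keeps the same pattern. It should match the specific response text the removed `CB_SLACK_ALERT` was meant to catch, or the docstring should say that it only proves the daemon logged something. The same hunk has several smaller defects: `check_send_new_alers` is misspelled and the name propagates to its caller in `test_integratord_change_inode_alert.py` (`check_send_new_alert` would be expected); every docstring documents `log_monitor` although the parameter is `file_monitor`; `check_process_alert` reports "Slack alert in alerts.json" while it waits for "Processing alert" in ossec.log; and the `f`/`fr` prefixes on `"DEBUG: Local requests thread ready"`, `"DEBUG: sending new alert"`, `".*Processing alert.*"` and `".*"` have no placeholders. `check_file_information` embeds `{INTEGRATORD_PREFIX}` in a pattern that `check_integratord_event` now prefixes again, so the compiled regex requires the prefix twice on one line unless INTEGRATORD_PREFIX itself contains wildcards; dropping `.*{INTEGRATORD_PREFIX}` from that callback avoids the double prefix.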
diff --git a/deps/wazuh_testing/wazuh_testing/tools/monitoring.py b/deps/wazuh_testing/wazuh_testing/tools/monitoring.py index fba95fbac1..87e0472c3f 100644 --- a/deps/wazuh_testing/wazuh_testing/tools/monitoring.py +++ b/deps/wazuh_testing/wazuh_testing/tools/monitoring.py @@ -874,15 +874,6 @@ def new_callback(line): return new_callback -def callback_generator(regex): - def new_callback(line): - match = re.match(regex, line) - if match: - return line - - return new_callback - - class HostMonitor: """This class has the capability to monitor remote host. This monitoring consists of reading the specified files to check that the expected message arrives to them. diff --git a/tests/integration/test_integratord/conftest.py b/tests/integration/test_integratord/conftest.py index 997bd007fb..952b84194c 100644 --- a/tests/integration/test_integratord/conftest.py +++ b/tests/integration/test_integratord/conftest.py 
@@ -7,22 +7,20 @@ import pytest +from wazuh_testing import T_5 from wazuh_testing.tools import LOG_FILE_PATH -from wazuh_testing.tools.monitoring import FileMonitor, callback_generator +from wazuh_testing.tools.monitoring import FileMonitor from wazuh_testing.modules import analysisd from wazuh_testing.modules.analysisd.event_monitor import check_analysisd_event -from wazuh_testing.modules import integratord as integrator -from wazuh_testing.modules.integratord.event_monitor import check_integratord_event -from wazuh_testing import T_5, T_20 +from wazuh_testing.modules.integratord import event_monitor as evm @pytest.fixture(scope='function') def wait_for_start_module(request): # Wait for integratord thread to start file_monitor = FileMonitor(LOG_FILE_PATH) - check_integratord_event(file_monitor=file_monitor, timeout=T_20, - callback=callback_generator(integrator.CB_INTEGRATORD_THREAD_READY), - error_message=integrator.ERR_MSG_SLACK_ENABLED_NOT_FOUND) + evm.check_integratord_thread_ready(ile_monitor=file_monitor) + # Wait for analysisd to start successfully (to detect changes in the alerts.json file) check_analysisd_event(file_monitor=file_monitor, timeout=T_5, callback=analysisd.CB_ANALYSISD_STARTUP_COMPLETED, diff --git a/tests/integration/test_integratord/test_integratord_change_inode_alert.py b/tests/integration/test_integratord/test_integratord_change_inode_alert.py index 432d4dc459..67cdcfcc30 100644 --- a/tests/integration/test_integratord/test_integratord_change_inode_alert.py +++ b/tests/integration/test_integratord/test_integratord_change_inode_alert.py 
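Review bot: `evm.check_integratord_thread_ready(ile_monitor=file_monitor)` passes a keyword that the helper's signature (`file_monitor=None, timeout=T_20`) does not accept, so the `wait_for_start_module` fixture raises TypeError before any integratord test runs; the line should read `evm.check_integratord_thread_ready(file_monitor=file_monitor)`. Patch 07 later in this series corrects it, but as committed this revision is broken. The fixture's `check_analysisd_event` call continues past the end of the hunk.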
@@ -39,9 +39,9 @@ from wazuh_testing.tools.file import remove_file, copy from wazuh_testing.tools.local_actions import run_local_command_returning_output from wazuh_testing.modules import integratord as integrator -from wazuh_testing.modules.integratord.event_monitor import check_integratord_event from wazuh_testing.tools.configuration import get_test_cases_data, load_configuration_template -from wazuh_testing.tools.monitoring import FileMonitor, callback_generator +from wazuh_testing.tools.monitoring import FileMonitor +from wazuh_testing.modules.integratord import event_monitor as evm # Marks @@ -118,10 +118,8 @@ def test_integratord_change_json_inode(configuration, metadata, set_wazuh_config run_local_command_returning_output(command) # Check that the alert was read - check_integratord_event(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout*2, - callback=callback_generator(integrator.CB_INTEGRATORD_SENDING_ALERT), - error_message=integrator.ERR_MSG_SENDING_ALERT_NOT_FOUND, - update_position=False) + evm.check_send_new_alers(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout*2, + update_position=False) # Change file to change inode copy(ALERT_FILE_PATH, TEMP_FILE_PATH) 
@@ -134,14 +132,10 @@ def test_integratord_change_json_inode(configuration, metadata, set_wazuh_config time.sleep(integrator.TIME_TO_DETECT_FILE) # Monitor Inode Changed - check_integratord_event(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout*2, - callback=callback_generator(integrator.CB_ALERTS_FILE_INODE_CHANGED), - error_message=integrator.ERR_MSG_ALERT_INODE_CHANGED_NOT_FOUND) + evm.check_file_inode_changed(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout*2) # Insert a new alert run_local_command_returning_output(command) # Read Response in ossec.log - check_integratord_event(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout*2, - callback=callback_generator(integrator.CB_PROCESSING_ALERT), - error_message=integrator.ERR_MSG_SLACK_ALERT_NOT_DETECTED) + evm.check_process_alert(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout*2) diff --git a/tests/integration/test_integratord/test_integratord_read_json_alerts.py b/tests/integration/test_integratord/test_integratord_read_json_alerts.py index a191ca8bc2..8d9a0ee7ff 100644 --- a/tests/integration/test_integratord/test_integratord_read_json_alerts.py +++ b/tests/integration/test_integratord/test_integratord_read_json_alerts.py @@ -41,7 +41,8 @@ from wazuh_testing.modules.integratord.event_monitor import check_integratord_event from wazuh_testing.tools.local_actions import run_local_command_returning_output from wazuh_testing.tools.configuration import get_test_cases_data, load_configuration_template -from wazuh_testing.tools.monitoring import FileMonitor, callback_generator +from wazuh_testing.modules.integratord import event_monitor as evm +from wazuh_testing.tools.monitoring import FileMonitor # Marks 
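Review bot: In the import hunk of `test_integratord_read_json_alerts.py` the context line `from wazuh_testing.modules.integratord.event_monitor import check_integratord_event` is left in place although every call in this file now goes through `evm.*`, so the direct import becomes unused; the same leftover appears in the import hunk of `test_integratord_read_json_file_deleted.py`. Dropping it here (patch 07 does so for the first file only) keeps the import list honest and avoids a lint warning.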
@@ -125,9 +126,7 @@ def test_integratord_read_valid_alerts(configuration, metadata, set_wazuh_config run_local_command_returning_output(f"echo '{sample}' >> {ALERT_FILE_PATH}") # Read Response in ossec.log - check_integratord_event(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout, - callback=callback_generator(integrator.CB_SLACK_ALERT), - error_message=integrator.ERR_MSG_SLACK_ALERT_NOT_DETECTED) + evm.check_response(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout) @pytest.mark.tier(level=1) @@ -178,12 +177,12 @@ def test_integratord_read_invalid_alerts(configuration, metadata, set_wazuh_conf wazuh_monitor = FileMonitor(LOG_FILE_PATH) if metadata['alert_type'] == 'invalid': - callback = integrator.CB_INVALID_JSON_ALERT_READ - error_message = integrator.ERR_MSG_INVALID_ALERT_NOT_FOUND + callback = fr".*WARNING: Invalid JSON alert read.*" + error_message = 'Did not recieve the expected "...Invalid JSON alert read..." event' elif metadata['alert_type'] == 'overlong': - callback = integrator.CB_OVERLONG_JSON_ALERT_READ - error_message = integrator. ERR_MSG_OVERLONG_ALERT_NOT_FOUND + callback = fr".*WARNING: Overlong JSON alert read.*" + error_message = 'Did not recieve the expected "...Overlong JSON alert read..." event' # Add 90kb of padding to alert to make it go over the allowed value of 64KB. padding = "0"*90000 sample = sample.replace("padding_input", "agent_" + padding) @@ -191,5 +190,5 @@ def test_integratord_read_invalid_alerts(configuration, metadata, set_wazuh_conf run_local_command_returning_output(f"echo '{sample}' >> {ALERT_FILE_PATH}") # Read Response in ossec.log - check_integratord_event(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout, - callback=callback_generator(callback), error_message=error_message) + evm.check_alert_read(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout, + callback=callback, error_message=error_message) 
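Review bot: The `if`/`elif` on `metadata['alert_type']` in `test_integratord_read_invalid_alerts` has no fallback, so a test case with any other `alert_type` reaches the `evm.check_alert_read(...)` call with `callback` and `error_message` unbound and fails with a NameError instead of a clear message; add `else: pytest.fail(f"Unexpected alert_type: {metadata['alert_type']}")` after the `elif` branch. Moving the two WARNING patterns from `integratord/__init__.py` into this test also means they now live only here; if another test needs them, module constants passed to `check_alert_read` would avoid drift. The test function starts before this hunk and its final call sits in the next one.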
diff --git a/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py b/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py index d339b2c67b..b5c5b9a3b3 100644 --- a/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py +++ b/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py @@ -42,7 +42,8 @@ from wazuh_testing.modules.integratord.event_monitor import check_integratord_event from wazuh_testing.tools.local_actions import run_local_command_returning_output from wazuh_testing.tools.configuration import get_test_cases_data, load_configuration_template -from wazuh_testing.tools.monitoring import FileMonitor, callback_generator +from wazuh_testing.tools.monitoring import FileMonitor +from wazuh_testing.modules.integratord import event_monitor as evm # Marks @@ -123,9 +124,7 @@ def test_integratord_read_json_file_deleted(configuration, metadata, set_wazuh_c # Delete alerts.json file remove_file(ALERT_FILE_PATH) - check_integratord_event(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout*2, - callback=callback_generator(integrator.CB_CANNOT_RETRIEVE_JSON_FILE), - error_message=integrator.ERR_MSG_CANNOT_RETRIEVE_MSG_NOT_FOUND) + evm.check_file_information(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout*2) # Create alerts.json file run_local_command_returning_output(command) @@ -137,6 +136,4 @@ def test_integratord_read_json_file_deleted(configuration, metadata, set_wazuh_c run_local_command_returning_output(f"echo '{metadata['alert_sample']}' >> {ALERT_FILE_PATH}") # Read Response in ossec.log - check_integratord_event(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout*2, - callback=callback_generator(integrator.CB_SLACK_ALERT), - error_message=integrator.ERR_MSG_SLACK_ALERT_NOT_DETECTED) + evm.check_response(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout*2) 
From 3d8a6a81fbcdca520346c14f5915088e1ea3f94f Mon Sep 17 00:00:00 2001 From: jmv74211 Date: Thu, 2 Feb 2023 17:50:20 +0100 Subject: [PATCH 07/14] refactor: make some improvements to integratord tests --- .../modules/integratord/event_monitor.py | 24 +++++++------- .../integration/test_integratord/conftest.py | 2 +- .../test_integratord_change_inode_alert.py | 7 +++- .../test_integratord_read_json_alerts.py | 32 ++++++++++++++++--- ...test_integratord_read_json_file_deleted.py | 12 ++++++- 5 files changed, 57 insertions(+), 20 deletions(-) diff --git a/deps/wazuh_testing/wazuh_testing/modules/integratord/event_monitor.py b/deps/wazuh_testing/wazuh_testing/modules/integratord/event_monitor.py index b0d1f2b155..926303359b 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/integratord/event_monitor.py +++ b/deps/wazuh_testing/wazuh_testing/modules/integratord/event_monitor.py @@ -60,8 +60,8 @@ def check_integratord_thread_ready(file_monitor=None, timeout=T_20): timeout (int): Event timeout. """ check_integratord_event(file_monitor=file_monitor, timeout=timeout, - callback=f"DEBUG: Local requests thread ready", - error_message='Did not recieve the expected "Enabling integration for slack"') + callback='DEBUG: Local requests thread ready', + error_message='Did not receive the expected "Enabling integration for slack"') def check_send_new_alers(file_monitor=None, timeout=T_20, update_position=False): @@ -73,8 +73,8 @@ def check_send_new_alers(file_monitor=None, timeout=T_20, update_position=False) update_position (boolean): filter configuration parameter to search in Wazuh log """ check_integratord_event(file_monitor=file_monitor, timeout=timeout, - callback=f"DEBUG: sending new alert", - error_message='Did not recieve the expected "...sending new alert" event', + callback='DEBUG: sending new alert', + error_message='Did not receive the expected "...sending new alert" event', update_position=update_position) 
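Review bot: The error message on the changed line of `check_integratord_thread_ready` still says "Enabling integration for slack" although the callback waits for "DEBUG: Local requests thread ready", so a timeout would point the reader at the wrong log event; use `error_message='Did not receive the expected "Local requests thread ready" event'`. The spelling fix itself is right. The following hunk keeps the misspelled `check_send_new_alers` name that callers depend on, so a rename would have to touch `test_integratord_change_inode_alert.py` as well.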
@@ -86,8 +86,8 @@ def check_file_inode_changed(file_monitor=None, timeout=T_20): timeout (int): Event timeout. """ check_integratord_event(file_monitor=file_monitor, timeout=timeout, - callback=fr".*DEBUG: jqueue_next.*Alert file inode changed.*", - error_message='Did not recieve the expected "...Alert file inode changed..." event') + callback=r".*DEBUG: jqueue_next.*Alert file inode changed.*", + error_message='Did not receive the expected "...Alert file inode changed..." event') def check_process_alert(file_monitor=None, timeout=T_20): @@ -98,8 +98,8 @@ def check_process_alert(file_monitor=None, timeout=T_20): timeout (int): Event timeout. """ check_integratord_event(file_monitor=file_monitor, timeout=timeout, - callback=fr".*Processing alert.*", - error_message='Did not recieve the expected Slack alert in alerts.json') + callback=r".*Processing alert.*", + error_message='Did not receive the expected Slack alert in alerts.json') def check_response(file_monitor=None, timeout=T_20): @@ -110,8 +110,8 @@ def check_response(file_monitor=None, timeout=T_20): timeout (int): Event timeout. """ check_integratord_event(file_monitor=file_monitor, timeout=timeout, - callback=fr".*", - error_message='Did not recieve the expected Slack alert in alerts.json') + callback=r".*", + error_message='Could not send the alert to slack') def check_alert_read(file_monitor=None, timeout=T_20, callback='', error_message=None): @@ -128,7 +128,7 @@ def check_alert_read(file_monitor=None, timeout=T_20, callback='', error_message error_message=error_message) -def check_file_information(file_monitor=None, timeout=T_20): +def check_file_warning(file_monitor=None, timeout=T_20): """Check for information of file in the logs. Args: 
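Review bot: `check_file_warning` keeps the docstring "Check for information of file in the logs." after the rename, which no longer says what the helper waits for; replace it with `"""Wait for the integratord WARNING logged when alerts.json cannot be stat'ed (file missing)."""`. The rename itself is only safe because the caller in `test_integratord_read_json_file_deleted.py` is updated in the same commit. The function body continues past the end of the hunk.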
@@ -138,4 +138,4 @@ def check_file_information(file_monitor=None, timeout=T_20): check_integratord_event(file_monitor=file_monitor, timeout=timeout, callback=fr".*{INTEGRATORD_PREFIX}.*WARNING.*Could not retrieve information of file.*"\ r'alerts\.json.*No such file.*', - error_message='Did not recieve the expected "...Could not retrieve information/open file"') + error_message='Did not receive the expected "...Could not retrieve information/open file"') diff --git a/tests/integration/test_integratord/conftest.py b/tests/integration/test_integratord/conftest.py index 952b84194c..765051faea 100644 --- a/tests/integration/test_integratord/conftest.py +++ b/tests/integration/test_integratord/conftest.py @@ -19,7 +19,7 @@ def wait_for_start_module(request): # Wait for integratord thread to start file_monitor = FileMonitor(LOG_FILE_PATH) - evm.check_integratord_thread_ready(ile_monitor=file_monitor) + evm.check_integratord_thread_ready(file_monitor=file_monitor) # Wait for analysisd to start successfully (to detect changes in the alerts.json file) check_analysisd_event(file_monitor=file_monitor, timeout=T_5, diff --git a/tests/integration/test_integratord/test_integratord_change_inode_alert.py b/tests/integration/test_integratord/test_integratord_change_inode_alert.py index 67cdcfcc30..6744137ef8 100644 --- a/tests/integration/test_integratord/test_integratord_change_inode_alert.py +++ b/tests/integration/test_integratord/test_integratord_change_inode_alert.py @@ -77,8 +77,11 @@ def test_integratord_change_json_inode(configuration, metadata, set_wazuh_config wait_for_start_module): ''' description: Check that when a given alert is inserted into alerts.json, integratord works as expected. + wazuh_min_version: 4.3.5 + tier: 1 + parameters: - configuration: type: dict 
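Review bot: The `wazuh_min_version: 4.3.5` added to the `test_integratord_change_json_inode` docstring differs from the `4.3.7` added to both tests in `test_integratord_read_json_alerts.py` in the same commit; if all three exercise the same slack integration, confirm which version is intended so the metadata does not contradict itself. The docstring also keeps "recieved" and "with for" on the context lines of the next hunk, which could be fixed while it is being touched. The docstring and function continue past the end of this hunk.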
@@ -101,16 +104,18 @@ def test_integratord_change_json_inode(configuration, metadata, set_wazuh_config - wait_for_start_module: type: fixture brief: Detect the start of the Integratord module in the ossec.log + assertions: - Verify the expected response with for a given alert is recieved + input_description: - The `configuration_integratord_read_json_alerts.yaml` file provides the module configuration for this test. - The `cases_integratord_read_json_alerts` file provides the test cases. + expected_output: - r'.*wazuh-integratord.*DEBUG: sending new alert' - r'.*wazuh-integratord.*DEBUG: jqueue_next.*Alert file inode changed.*' - r'.*wazuh-integratord.*Processing alert.*' - ''' wazuh_monitor = FileMonitor(LOG_FILE_PATH) command = f"echo '{metadata['alert_sample']}' >> {ALERT_FILE_PATH}" diff --git a/tests/integration/test_integratord/test_integratord_read_json_alerts.py b/tests/integration/test_integratord/test_integratord_read_json_alerts.py index 8d9a0ee7ff..5c61f3ff73 100644 --- a/tests/integration/test_integratord/test_integratord_read_json_alerts.py +++ b/tests/integration/test_integratord/test_integratord_read_json_alerts.py 
@@ -4,30 +4,40 @@ This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 type: integration + brief: Integratord manages wazuh integrations with other applications such as Yara or Slack, by feeding the integrated aplications with the alerts located in alerts.json file. This test module aims to validate that given a specific alert, the expected response is recieved, depending if it is a valid/invalid json alert, an overlong alert (64kb+) or what happens when it cannot read the file because it is missing. + components: - integratord + suite: integratord_read_json_alerts + targets: - agent + daemons: - wazuh-integratord + os_platform: - Linux + os_version: - Centos 8 - Ubuntu Focal + references: - https://documentation.wazuh.com/current/user-manual/manager/manual-integration.html#slack - https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-integratord.html + pytest_args: - tier: 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. 1: Only level 1 tests are performed, they check functionalities of medium complexity. 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. + tags: - slack ''' @@ -38,7 +48,6 @@ from wazuh_testing import global_parameters from wazuh_testing.tools import LOG_FILE_PATH, ALERT_FILE_PATH from wazuh_testing.modules import integratord as integrator -from wazuh_testing.modules.integratord.event_monitor import check_integratord_event from wazuh_testing.tools.local_actions import run_local_command_returning_output from wazuh_testing.tools.configuration import get_test_cases_data, load_configuration_template from wazuh_testing.modules.integratord import event_monitor as evm 
@@ -87,8 +96,11 @@ def test_integratord_read_valid_alerts(configuration, metadata, set_wazuh_config ''' description: Check that when a given alert is inserted into alerts.json, integratord works as expected. In case of a valid alert, a slack integration alert is expected in the alerts.json file. + wazuh_min_version: 4.3.7 + tier: 1 + parameters: - configuration: type: dict @@ -111,18 +123,22 @@ def test_integratord_read_valid_alerts(configuration, metadata, set_wazuh_config - wait_for_start_module: type: fixture brief: Detect the start of the Integratord module in the ossec.log + assertions: - Verify the expected response with for a given alert is recieved + input_description: - The `configuration_integratord_read_json_alerts.yaml` file provides the module configuration for this test. - The `cases_integratord_read_valid_json_alerts` file provides the test cases. + expected_output: - r'.*wazuh-integratord.*alert_id.*\"integration\": \"slack\".*' ''' - sample = metadata['alert_sample'] wazuh_monitor = FileMonitor(LOG_FILE_PATH) + time.sleep(5) + run_local_command_returning_output(f"echo '{sample}' >> {ALERT_FILE_PATH}") # Read Response in ossec.log @@ -139,8 +155,11 @@ def test_integratord_read_invalid_alerts(configuration, metadata, set_wazuh_conf description: Check that when a given alert is inserted into alerts.json, integratord works as expected. In case of a valid alert, a slack integration alert is expected in the alerts.json file. If the alert is invalid or broken, or overly long a message will appear in the ossec.log file. + wazuh_min_version: 4.3.7 + tier: 1 + parameters: - configuration: type: dict 
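Review bot: `time.sleep(5)` is inserted into `test_integratord_read_valid_alerts` with no explanation and no named constant, which slows the test and is still racy if the daemon takes longer to settle; if the wait is for integratord to finish starting, prefer waiting on the corresponding log event through `evm` as the `wait_for_start_module` fixture does, or at least `# Give integratord time to settle before appending the alert` with the value taken from a `wazuh_testing` timeout constant such as `T_5`. The hunk does not show whether `time` is imported in this file; confirm it is. The test function continues past the end of the hunk.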
@@ -163,11 +182,14 @@ def test_integratord_read_invalid_alerts(configuration, metadata, set_wazuh_conf - wait_for_start_module: type: fixture brief: Detect the start of the Integratord module in the ossec.log + assertions: - Verify the expected response with for a given alert is recieved + input_description: - The `configuration_integratord_read_json_alerts.yaml` file provides the module configuration for this test. - The `cases_integratord_read_invalid_json_alerts` file provides the test cases. + expected_output: - r'.*wazuh-integratord.*WARNING: Invalid JSON alert read.*' - r'.*wazuh-integratord.*WARNING: Overlong JSON alert read.*' @@ -177,14 +199,14 @@ def test_integratord_read_invalid_alerts(configuration, metadata, set_wazuh_conf wazuh_monitor = FileMonitor(LOG_FILE_PATH) if metadata['alert_type'] == 'invalid': - callback = fr".*WARNING: Invalid JSON alert read.*" + callback = r".*WARNING: Invalid JSON alert read.*" error_message = 'Did not recieve the expected "...Invalid JSON alert read..." event' elif metadata['alert_type'] == 'overlong': - callback = fr".*WARNING: Overlong JSON alert read.*" + callback = r".*WARNING: Overlong JSON alert read.*" error_message = 'Did not recieve the expected "...Overlong JSON alert read..." event' # Add 90kb of padding to alert to make it go over the allowed value of 64KB. - padding = "0"*90000 + padding = "0" * 90000 sample = sample.replace("padding_input", "agent_" + padding) run_local_command_returning_output(f"echo '{sample}' >> {ALERT_FILE_PATH}") diff --git a/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py b/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py index b5c5b9a3b3..1dad648f29 100644 --- a/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py +++ b/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py 
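Review bot: The two `error_message` context lines in the `test_integratord_read_invalid_alerts` hunk still read "Did not recieve ..." although this commit corrects the same misspelling throughout `event_monitor.py`; since the adjacent `callback` lines are already being touched, `error_message = 'Did not receive the expected "...Invalid JSON alert read..." event'` and its overlong counterpart would keep the messages consistent. There is still no `else` for an unknown `alert_type`, so `callback` remains unbound in that case. The test function starts before the hunk.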
@@ -4,30 +4,40 @@ This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 type: integration + brief: Integratord manages wazuh integrations with other applications such as Yara or Slack, by feeding the integrated aplications with the alerts located in alerts.json file. This test module aims to validate that given a specific alert, the expected response is recieved, depending if it is a valid/invalid json alert, an overlong alert (64kb+) or what happens when it cannot read the file because it is missing. + components: - integratord + suite: integratord_read_json_alerts + targets: - agent + daemons: - wazuh-integratord + os_platform: - Linux + os_version: - Centos 8 - Ubuntu Focal + references: - https://documentation.wazuh.com/current/user-manual/manager/manual-integration.html#slack - https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-integratord.html + pytest_args: - tier: 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. 1: Only level 1 tests are performed, they check functionalities of medium complexity. 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. + tags: - slack ''' @@ -124,7 +134,7 @@ def test_integratord_read_json_file_deleted(configuration, metadata, set_wazuh_c # Delete alerts.json file remove_file(ALERT_FILE_PATH) - evm.check_file_information(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout*2) + evm.check_file_warning(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout*2) # Create alerts.json file run_local_command_returning_output(command) From fdee9e21ea19ad0e8ad5beb9a581682a19fd2fd4 Mon Sep 17 00:00:00 2001 
From: mauromalara Date: Tue, 7 Feb 2023 14:03:13 +0000 Subject: [PATCH 08/14] refactor(#3298): remove json_file_deleted test. --- ...es_integratord_read_json_file_deleted.yaml | 22 --- ...test_integratord_read_json_file_deleted.py | 149 ------------------ 2 files changed, 171 deletions(-) delete mode 100644 tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_file_deleted.yaml delete mode 100644 tests/integration/test_integratord/test_integratord_read_json_file_deleted.py diff --git a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_file_deleted.yaml b/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_file_deleted.yaml deleted file mode 100644 index fe9f962456..0000000000 --- a/tests/integration/test_integratord/data/test_cases/cases_integratord_read_json_file_deleted.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ -- name: cannot_read_alerts_file_deleted - description: The alerts.json file is missing and it cannot read alerts from it. - configuration_parameters: - WEBHOOK_URL: Insert using --slack-webhook-url parameter - metadata: - alert_sample: '{"timestamp":"2022-05-11T12:29:19.905+0000","rule":{"level":10,"description": - "sshd: brute force trying to get access to the system. Non existent user.","id":"5712", - "mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"frequency":8, - "firedtimes":1,"mail":false,"groups":["syslog","sshd","authentication_failures"],"gdpr": - ["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["SI.4","AU.14","AC.7"],"pci_dss": - ["11.4","10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name": - "localhost.localdomain"},"manager":{"name":"localhost.localdomain"},"id":"1652272159.1549653", - "previous_output":"May 11 12:29:16 localhost sshd[17582]: Invalid user paco from 172.17.1.1 port - 56402\nMay 11 12:29:14 localhost sshd[17580]: Invalid user paco from 172.17.1.1 port 56400\nMay - 11 12:29:11 localhost sshd[17578]: Invalid user paco from 172.17.1.1 port 56398\nMay 11 12:29:09 - localhost sshd[17576]: Invalid user paco from 172.17.1.1 port 56396\nMay 11 12:29:07 localhost - sshd[17574]: Invalid user paco from 172.17.1.1 port 56394\nMay 11 12:29:04 localhost sshd[17572]: - Invalid user paco from 172.17.1.1 port 56392\nMay 11 12:29:00 localhost sshd[17570]: Invalid user - paco from 172.17.1.1 port 56390","full_log":"May 11 12:29:18 localhost sshd[17584]: Invalid user - paco from 172.17.1.1 port 56404","predecoder":{"program_name":"sshd","timestamp":"May 11 12:29:18", - "hostname":"localhost"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"172.17.1.1", - "srcport":"56404","srcuser":"paco"},"location":"/var/log/secure"}' 
diff --git a/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py b/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py deleted file mode 100644 index 1dad648f29..0000000000 --- a/tests/integration/test_integratord/test_integratord_read_json_file_deleted.py +++ /dev/null 
@@ -1,149 +0,0 @@ -''' -copyright: Copyright (C) 2015-2022, Wazuh Inc. - Created by Wazuh, Inc. . - This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - -type: integration - -brief: Integratord manages wazuh integrations with other applications such as Yara or Slack, by feeding -the integrated aplications with the alerts located in alerts.json file. This test module aims to validate that -given a specific alert, the expected response is recieved, depending if it is a valid/invalid json alert, an -overlong alert (64kb+) or what happens when it cannot read the file because it is missing. - -components: - - integratord - -suite: integratord_read_json_alerts - -targets: - - agent - -daemons: - - wazuh-integratord - -os_platform: - - Linux - -os_version: - - Centos 8 - - Ubuntu Focal - -references: - - https://documentation.wazuh.com/current/user-manual/manager/manual-integration.html#slack - - https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-integratord.html - -pytest_args: - - tier: - 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. - 1: Only level 1 tests are performed, they check functionalities of medium complexity. - 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. 
- -tags: - - slack -''' -import os -import time -import pytest - -from wazuh_testing import global_parameters -from wazuh_testing.tools import LOG_FILE_PATH, ALERT_FILE_PATH -from wazuh_testing.tools.file import remove_file -from wazuh_testing.modules import integratord as integrator -from wazuh_testing.modules.integratord.event_monitor import check_integratord_event -from wazuh_testing.tools.local_actions import run_local_command_returning_output -from wazuh_testing.tools.configuration import get_test_cases_data, load_configuration_template -from wazuh_testing.tools.monitoring import FileMonitor -from wazuh_testing.modules.integratord import event_monitor as evm - - -# Marks -pytestmark = [pytest.mark.server] - -# Reference paths -TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') -CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration_template') -TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases') - -# Configuration and cases data -configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_integratord_read_json_alerts.yaml') -cases_path = os.path.join(TEST_CASES_PATH, 'cases_integratord_read_json_file_deleted.yaml') - -# Configurations -configuration_parameters, configuration_metadata, case_ids = get_test_cases_data(cases_path) -configuration_parameters[0]['WEBHOOK_URL'] = global_parameters.slack_webhook_url -configurations = load_configuration_template(configurations_path, configuration_parameters, - configuration_metadata) -local_internal_options = {'integrator.debug': '2', 'analysisd.debug': '1', 'monitord.rotate_log': '0'} - -# Variables -REQUIRED_DAEMONS = integrator.REQUIRED_DAEMONS - - -# Tests -@pytest.mark.tier(level=1) -@pytest.mark.parametrize('configuration, metadata', zip(configurations, configuration_metadata), ids=case_ids) -def test_integratord_read_json_file_deleted(configuration, metadata, set_wazuh_configuration, truncate_monitored_files, - configure_local_internal_options_module, 
restart_wazuh_function, - wait_for_start_module): - ''' - description: Check that integratord reads the alerts.json file and, when the file is deleted, the expected - warning message is shown. Then, the file is created and alerts are inserted, check if integratord - keeps working and alerts are read. - - wazuh_min_version: 4.3.5 - - tier: 1 - - parameters: - - configuration: - type: dict - brief: Configuration loaded from `configuration_template`. - - metadata: - type: dict - brief: Test case metadata. - - set_wazuh_configuration: - type: fixture - brief: Set wazuh configuration. - - truncate_monitored_files: - type: fixture - brief: Truncate all the log files and json alerts files before and after the test execution. - - configure_local_internal_options_module: - type: fixture - brief: Configure the local internal options file. - - restart_wazuh_function: - type: fixture - brief: Restart a list of daemons (defined in REQUIRED_DAEMONS variable) and stop them after finishing. - - wait_for_start_module: - type: fixture - brief: Detect the start of the Integratord module in the ossec.log - - assertions: - - Verify the expected response with for a given alert is recieved - - input_description: - - The `configuration_integratord_read_json_alerts.yaml` file provides the module configuration for this test. - - The `cases_integratord_read_json_file_deleted` file provides the test cases. 
- - expected_output: - - r'.*wazuh-integratord.*WARNING.*Could not retrieve information of file.*' - - r'.*wazuh-integratord.*Response [200].*' - ''' - wazuh_monitor = FileMonitor(LOG_FILE_PATH) - - command = f"touch {ALERT_FILE_PATH} && chmod 640 {ALERT_FILE_PATH} && chown wazuh:wazuh {ALERT_FILE_PATH}" - - # Delete alerts.json file - remove_file(ALERT_FILE_PATH) - evm.check_file_warning(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout*2) - - # Create alerts.json file - run_local_command_returning_output(command) - - # Waiting time so Integrator detects the file before the insertion - time.sleep(integrator.TIME_TO_DETECT_FILE) - - # Insert alert to the alerts.json - run_local_command_returning_output(f"echo '{metadata['alert_sample']}' >> {ALERT_FILE_PATH}") - - # Read Response in ossec.log - evm.check_response(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout*2) From 96aa5aaa7720184adeef7475ca775b968b69edba Mon Sep 17 00:00:00 2001 From: mauromalara Date: Tue, 7 Feb 2023 14:08:05 +0000 Subject: [PATCH 09/14] refactor(#3298): add a daemons_handler function-scoped. --- tests/integration/conftest.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/tests/integration/conftest.py b/tests/integration/conftest.py index 1d1ba9d49c..d3f5ab3c95 100644 --- a/tests/integration/conftest.py +++ b/tests/integration/conftest.py @@ -933,7 +933,7 @@ def create_file_structure_function(get_files_list): @pytest.fixture(scope='module') -def daemons_handler(get_configuration, request): +def daemons_handler(request): """Handler of Wazuh daemons. It uses `daemons_handler_configuration` of each module in order to configure the behavior of the fixture. 
@@ -945,7 +945,6 @@ def daemons_handler(get_configuration, request): in order to use this fixture along with invalid configuration. Default `False` Args: - get_configuration (fixture): Gets the current configuration of the test. request (fixture): Provide information on the executing test function. """ daemons = [] @@ -1003,6 +1002,9 @@ def daemons_handler(get_configuration, request): control_service('stop', daemon=daemon) +daemons_handler_function = pytest.fixture(daemons_handler.__wrapped__, scope='function') + + @pytest.fixture(scope='function') def file_monitoring(request): """Fixture to handle the monitoring of a specified file. From 1202581bd132f05fa989f798d4a562b295f75a31 Mon Sep 17 00:00:00 2001 From: mauromalara Date: Tue, 7 Feb 2023 14:09:53 +0000 Subject: [PATCH 10/14] refactor(#3298): apply multiple changes to integratord monitor. --- .../modules/integratord/__init__.py | 11 ++- .../modules/integratord/event_monitor.py | 83 +++++++------------ 2 files changed, 42 insertions(+), 52 deletions(-) diff --git a/deps/wazuh_testing/wazuh_testing/modules/integratord/__init__.py b/deps/wazuh_testing/wazuh_testing/modules/integratord/__init__.py index a3d98aff2d..5895a9aa26 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/integratord/__init__.py +++ b/deps/wazuh_testing/wazuh_testing/modules/integratord/__init__.py 
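Review bot: `daemons_handler_function = pytest.fixture(daemons_handler.__wrapped__, scope='function')` reaches into an attribute that pytest does not document: `__wrapped__` only exists because pytest's fixture decorator happens to apply `functools.wraps` in the versions this suite runs on, and pytest 8 reworked how fixture functions are wrapped, so this line may stop resolving on an upgrade. The robust form is to keep the body as a plain function and derive both fixtures from it: rename the decorated definition to `def _daemons_handler(request):` (drop the `@pytest.fixture` decorator), then `daemons_handler = pytest.fixture(_daemons_handler, scope='module')` and `daemons_handler_function = pytest.fixture(_daemons_handler, scope='function')`. A one-line comment above the pair saying why there are two scopes (function-scoped restarts per test, module-scoped per file) would also help the next reader. The body of `daemons_handler` itself lies outside this hunk.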
@@ -6,6 +6,15 @@ from wazuh_testing.tools import ANALYSISD_DAEMON, DB_DAEMON, INTEGRATOR_DAEMON # Variables -INTEGRATORD_PREFIX = INTEGRATOR_DAEMON +INTEGRATORD_PREFIX = fr".+{INTEGRATOR_DAEMON}" REQUIRED_DAEMONS = [INTEGRATOR_DAEMON, DB_DAEMON, ANALYSISD_DAEMON] TIME_TO_DETECT_FILE = 2 + +# Callbacks +CB_INVALID_ALERT_READ = r'.*WARNING: Invalid JSON alert read.*' +CB_OVERLONG_ALERT_READ = r'.*WARNING: Overlong JSON alert read.*' +CB_ALERT_JSON_FILE_NOT_FOUND = r'.+WARNING.*Could not retrieve information of file.*alerts\.json.*No such file.*' +CB_THIRD_PARTY_RESPONSE = r'.*' +CB_PROCESSING_ALERT = r'.*Processing alert.*' +CB_INODE_CHANGED = r'.*DEBUG: jqueue_next.*Alert file inode changed.*' +CB_INTEGRATORD_THREAD_IS_READY = r'.*DEBUG: Local requests thread ready.*' diff --git a/deps/wazuh_testing/wazuh_testing/modules/integratord/event_monitor.py b/deps/wazuh_testing/wazuh_testing/modules/integratord/event_monitor.py index 926303359b..e3682e886d 100644 --- a/deps/wazuh_testing/wazuh_testing/modules/integratord/event_monitor.py +++ b/deps/wazuh_testing/wazuh_testing/modules/integratord/event_monitor.py @@ -5,14 +5,14 @@ ''' import re -from wazuh_testing import T_20, T_30 +from wazuh_testing import T_5, T_20, T_30 from wazuh_testing.tools import LOG_FILE_PATH from wazuh_testing.tools.monitoring import FileMonitor -from wazuh_testing.modules.integratord import INTEGRATORD_PREFIX +from wazuh_testing.modules import integratord -def make_integratord_callback(pattern, prefix=INTEGRATORD_PREFIX): - """Create a callback function from a text pattern. +def make_integratord_callback(pattern, prefix=integratord.INTEGRATORD_PREFIX): + '''Create a callback function from a text pattern. It already contains the vulnerability-detector prefix. 
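Review bot: `CB_THIRD_PARTY_RESPONSE = r'.*'` matches anything; once `make_integratord_callback` prepends `INTEGRATORD_PREFIX` the compiled regex is `.+wazuh-integratord.*`, so every wazuh-integratord log line — including one reporting a failed webhook call — satisfies `check_third_party_response`, and the tests that rely on it to prove an alert reached Slack cannot fail for that reason. The test file removed earlier in this series recorded the real expectation as `r'.*wazuh-integratord.*Response [200].*'`, so something like `CB_THIRD_PARTY_RESPONSE = r'.*Response \[200\].*'` would restore a meaningful assertion; confirm the exact text the Slack integration logs before pinning it. The other patterns in this block keep a distinctive anchor, so this is the only vacuous one.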
@@ -25,7 +25,7 @@ def make_integratord_callback(pattern, prefix=INTEGRATORD_PREFIX): Examples: >>> callback_bionic_update_started = make_vuln_callback("Starting Ubuntu Bionic database update") - """ + ''' pattern = r'\s+'.join(pattern.split()) regex = re.compile(r'{}{}'.format(prefix, pattern)) @@ -33,8 +33,9 @@ def make_integratord_callback(pattern, prefix=INTEGRATORD_PREFIX): def check_integratord_event(file_monitor=None, callback='', error_message=None, update_position=True, - timeout=T_30, accum_results=1, file_to_monitor=LOG_FILE_PATH, prefix=INTEGRATORD_PREFIX): - """Check if an event occurs + timeout=T_30, accum_results=1, file_to_monitor=LOG_FILE_PATH, + prefix=integratord.INTEGRATORD_PREFIX): + '''Check if an event occurs Args: file_monitor (FileMonitor): FileMonitor object to monitor the file content. callback (str): log regex to check in Wazuh log @@ -43,7 +44,7 @@ def check_integratord_event(file_monitor=None, callback='', error_message=None, timeout (str): timeout to check the event in Wazuh log accum_results (int): Accumulation of matches. prefix (str): log pattern regex - """ + ''' file_monitor = FileMonitor(file_to_monitor) if file_monitor is None else file_monitor error_message = f"Could not find this event in {file_to_monitor}: {callback}" if error_message is None else \ error_message 
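Review bot: The docstring of `make_integratord_callback` still describes a different module: the example line `>>> callback_bionic_update_started = make_vuln_callback("Starting Ubuntu Bionic database update")` names a helper that does not exist here and a vulnerability-detector message, and the preceding sentence (in the previous hunk) says the callback "already contains the vulnerability-detector prefix". Since this commit already rewrites the quotes of that docstring, replacing the example with one from this module, e.g. `>>> callback_thread_ready = make_integratord_callback(integratord.CB_INTEGRATORD_THREAD_IS_READY)`, and saying "wazuh-integratord prefix" would make the doc truthful at no cost. The function's body continues outside this hunk.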
@@ -52,90 +53,70 @@ def check_integratord_event(file_monitor=None, callback='', error_message=None, callback=make_integratord_callback(callback, prefix), error_message=error_message) -def check_integratord_thread_ready(file_monitor=None, timeout=T_20): - """Check if a local requests thread ready in the logs. +def check_integratord_thread_ready(file_monitor=None, timeout=T_5): + '''Check if a local requests thread ready in the logs. Args: log_monitor (FileMonitor): Log monitor. timeout (int): Event timeout. - """ + ''' check_integratord_event(file_monitor=file_monitor, timeout=timeout, - callback='DEBUG: Local requests thread ready', - error_message='Did not receive the expected "Enabling integration for slack"') - - -def check_send_new_alers(file_monitor=None, timeout=T_20, update_position=False): - """Check for sending new alert in the logs. - - Args: - log_monitor (FileMonitor): Log monitor. - timeout (int): Event timeout. - update_position (boolean): filter configuration parameter to search in Wazuh log - """ - check_integratord_event(file_monitor=file_monitor, timeout=timeout, - callback='DEBUG: sending new alert', - error_message='Did not receive the expected "...sending new alert" event', - update_position=update_position) + callback=integratord.CB_INTEGRATORD_THREAD_IS_READY, + error_message='Did not receive the expected "Local requests thread ready"') def check_file_inode_changed(file_monitor=None, timeout=T_20): - """Check for Alert file inode changed in the logs. + '''Check for Alert file inode changed in the logs. Args: log_monitor (FileMonitor): Log monitor. timeout (int): Event timeout. - """ - check_integratord_event(file_monitor=file_monitor, timeout=timeout, - callback=r".*DEBUG: jqueue_next.*Alert file inode changed.*", + ''' + check_integratord_event(file_monitor=file_monitor, timeout=timeout, callback=integratord.CB_INODE_CHANGED, error_message='Did not receive the expected "...Alert file inode changed..." 
event') -def check_process_alert(file_monitor=None, timeout=T_20): - """Check for Processing alert in the logs. +def check_alert_processing(file_monitor=None, timeout=T_20): + '''Check for Processing alert message in the logs. Args: log_monitor (FileMonitor): Log monitor. timeout (int): Event timeout. - """ - check_integratord_event(file_monitor=file_monitor, timeout=timeout, - callback=r".*Processing alert.*", + ''' + check_integratord_event(file_monitor=file_monitor, timeout=timeout, callback=integratord.CB_PROCESSING_ALERT, error_message='Did not receive the expected Slack alert in alerts.json') -def check_response(file_monitor=None, timeout=T_20): - """Check for response in the logs. +def check_third_party_response(file_monitor=None, timeout=T_20): + '''Check for response message in the logs. Args: log_monitor (FileMonitor): Log monitor. timeout (int): Event timeout. - """ - check_integratord_event(file_monitor=file_monitor, timeout=timeout, - callback=r".*", + ''' + check_integratord_event(file_monitor=file_monitor, timeout=timeout, callback=integratord.CB_THIRD_PARTY_RESPONSE, error_message='Could not send the alert to slack') -def check_alert_read(file_monitor=None, timeout=T_20, callback='', error_message=None): - """Check for alert read in the logs. +def check_invalid_alert_read(file_monitor=None, timeout=T_20, callback='', error_message=None): + '''Check for invalid alert read message in the logs. Args: log_monitor (FileMonitor): Log monitor. timeout (int): Event timeout. callback (str): log regex to check in Wazuh log error_message (str): error message to show in case of expected event does not occur - """ - check_integratord_event(file_monitor=file_monitor, timeout=timeout, - callback=callback, - error_message=error_message) + ''' + check_integratord_event(file_monitor=file_monitor, timeout=timeout, callback=callback, error_message=error_message) def check_file_warning(file_monitor=None, timeout=T_20): - """Check for information of file in the logs. 
+ '''Check for information of file in the logs. Args: log_monitor (FileMonitor): Log monitor. timeout (int): Event timeout. - """ + ''' check_integratord_event(file_monitor=file_monitor, timeout=timeout, - callback=fr".*{INTEGRATORD_PREFIX}.*WARNING.*Could not retrieve information of file.*"\ - r'alerts\.json.*No such file.*', + callback=integratord.CB_ALERT_JSON_FILE_NOT_FOUND, error_message='Did not receive the expected "...Could not retrieve information/open file"') From b00e663a4983f48972a464b7a036dad455d99d4d Mon Sep 17 00:00:00 2001 From: mauromalara Date: Tue, 7 Feb 2023 14:11:36 +0000 Subject: [PATCH 11/14] refactor(#3298): refactor, fix, and unified several tests. --- .../integration/test_integratord/conftest.py | 2 - .../configuration_analysisd_integration.yaml} | 26 +- .../test_integratord/test_alerts_reading.py | 358 ++++++++++++++++++ .../test_integratord_change_inode_alert.py | 146 ------- .../test_integratord_read_json_alerts.py | 216 ----------- 5 files changed, 377 insertions(+), 371 deletions(-) rename tests/integration/test_integratord/data/{configuration_template/configuration_integratord_read_json_alerts.yaml => configuration/configuration_analysisd_integration.yaml} (51%) create mode 100644 tests/integration/test_integratord/test_alerts_reading.py delete mode 100644 tests/integration/test_integratord/test_integratord_change_inode_alert.py delete mode 100644 tests/integration/test_integratord/test_integratord_read_json_alerts.py diff --git a/tests/integration/test_integratord/conftest.py b/tests/integration/test_integratord/conftest.py index 765051faea..64db4af575 100644 --- a/tests/integration/test_integratord/conftest.py +++ b/tests/integration/test_integratord/conftest.py @@ -3,8 +3,6 @@ Created by Wazuh, Inc. . This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 ''' - - import pytest from wazuh_testing import T_5 
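Review bot: `check_invalid_alert_read` keeps `callback=''` as its default, and an empty pattern run through `make_integratord_callback` collapses to the bare `INTEGRATORD_PREFIX` regex, so a caller that forgets the argument gets a check that passes on the first wazuh-integratord line of any kind instead of an error. Making the pattern mandatory turns that mistake into a loud failure: `def check_invalid_alert_read(file_monitor=None, timeout=T_20, callback=None, error_message=None):` with `if not callback: raise ValueError('a callback pattern is required')` as the first statement; the only visible caller (`test_integratord_read_invalid_alerts`) always passes one, so nothing else changes. Separately, `check_integratord_thread_ready` drops its timeout from `T_20` to `T_5` with no rationale; if that was tuned on a fast host it may be flaky on slower CI, so a short comment on why five seconds is enough would be worth adding.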
diff --git a/tests/integration/test_integratord/data/configuration_template/configuration_integratord_read_json_alerts.yaml b/tests/integration/test_integratord/data/configuration/configuration_analysisd_integration.yaml similarity index 51% rename from tests/integration/test_integratord/data/configuration_template/configuration_integratord_read_json_alerts.yaml rename to tests/integration/test_integratord/data/configuration/configuration_analysisd_integration.yaml index 9f26cc4860..43e10a873a 100644 --- a/tests/integration/test_integratord/data/configuration_template/configuration_integratord_read_json_alerts.yaml +++ b/tests/integration/test_integratord/data/configuration/configuration_analysisd_integration.yaml @@ -1,10 +1,4 @@ -- tags: - - all - apply_to_modules: - - test_integratord_read_json_alerts - - test_integratord_change_inode_alert - - test_integratord_read_json_file_deleted - sections: +- sections: - section: integration elements: - name: @@ -17,7 +11,25 @@ value: 10 - alert_format: value: json + - section: sca elements: - enabled: value: 'no' + + - section: syscheck + elements: + - disabled: + value: 'yes' + + - section: wodle + attributes: + - name: vulnerability-detector + elements: + - disabled: + value: 'yes' + + - section: rootcheck + elements: + - disabled: + value: 'yes' diff --git a/tests/integration/test_integratord/test_alerts_reading.py b/tests/integration/test_integratord/test_alerts_reading.py new file mode 100644 index 0000000000..b7e2ecef85 --- /dev/null +++ b/tests/integration/test_integratord/test_alerts_reading.py 
@@ -0,0 +1,358 @@ +''' +copyright: Copyright (C) 2015-2022, Wazuh Inc. + Created by Wazuh, Inc. . + This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 + +type: integration + +brief: Integratord manages Wazuh integrations with other applications such as Yara or Slack, by feeding +the integrated aplications with the alerts located in alerts.json file. This test module aims to validate that +given a specific alert, the expected response is recieved, depending if it is a valid/invalid json alert, an +overlong alert (64kb+) or what happens when it cannot read the file because it is missing. + +components: + - integratord + +suite: test_integratord + +targets: + - manager + +daemons: + - wazuh-integratord + +os_platform: + - Linux + +os_version: + - Centos 8 + - Ubuntu Focal + +references: + - https://documentation.wazuh.com/current/user-manual/manager/manual-integration.html#slack + - https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-integratord.html + +pytest_args: + - tier: + 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. + 1: Only level 1 tests are performed, they check functionalities of medium complexity. + 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. 
+ +tags: + - slack +''' +import os +import time + +import pytest +from wazuh_testing import global_parameters +from wazuh_testing.tools import WAZUH_PATH, LOG_FILE_PATH, ALERT_FILE_PATH +from wazuh_testing.tools.file import remove_file, copy +from wazuh_testing.tools.local_actions import run_local_command_returning_output +from wazuh_testing.modules import integratord as integrator +from wazuh_testing.tools.configuration import get_test_cases_data, load_configuration_template +from wazuh_testing.tools.monitoring import FileMonitor +from wazuh_testing.modules.integratord import event_monitor as evm + + +# Marks +pytestmark = [pytest.mark.server] + +# Reference paths +TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') +CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration') +TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases') + + +def replace_webhook_url(ids, configurations): + '''Replace the Webhook URL in each test case configuration parameters. + + Args: + ids (list): List of ids of test cases. + configurations (list): List of test's configuration parameters. 
+ + Returns: + configurations (list): List of + ''' + for i in range(0, len(ids)): + configurations[i]['WEBHOOK_URL'] = global_parameters.slack_webhook_url + + return configurations + + +# Configuration and test cases paths +configurations_template = os.path.join(CONFIGURATIONS_PATH, 'configuration_analysisd_integration.yaml') +t1_cases_path = os.path.join(TEST_CASES_PATH, 'cases_integratord_change_inode_alert.yaml') +t2_cases_path = os.path.join(TEST_CASES_PATH, 'cases_integratord_read_valid_json_alerts.yaml') +t3_cases_path = os.path.join(TEST_CASES_PATH, 'cases_integratord_read_invalid_json_alerts.yaml') + +# Get configurations and test cases +t1_config_params, t1_metadata, t1_cases_ids = get_test_cases_data(t1_cases_path) +t2_config_params, t2_metadata, t2_cases_ids = get_test_cases_data(t2_cases_path) +t3_config_params, t3_metadata, t3_cases_ids = get_test_cases_data(t3_cases_path) + +t1_config_params = replace_webhook_url(t1_cases_ids, t1_config_params) +t2_config_params = replace_webhook_url(t2_cases_ids, t2_config_params) +t3_config_params = replace_webhook_url(t3_cases_ids, t3_config_params) + +# Load tests configurations +t1_config = load_configuration_template(configurations_template, t1_config_params, t1_metadata) +t2_config = load_configuration_template(configurations_template, t2_config_params, t2_metadata) +t3_config = load_configuration_template(configurations_template, t3_config_params, t3_metadata) + +# Variables +TEMP_FILE_PATH = os.path.join(WAZUH_PATH, 'logs/alerts/alerts.json.tmp') +daemons_handler_configuration = {'daemons': integrator.REQUIRED_DAEMONS} +local_internal_options = {'integrator.debug': '2', 'analysisd.debug': '1', 'monitord.rotate_log': '0'} + + +# Tests +@pytest.mark.tier(level=1) +@pytest.mark.parametrize('configuration, metadata', zip(t1_config, t1_metadata), ids=t1_cases_ids) +def test_integratord_change_json_inode(configuration, metadata, set_wazuh_configuration, truncate_monitored_files, + 
configure_local_internal_options_module, daemons_handler_function, + wait_for_start_module): + ''' + description: Check that wazuh-integratord detects a change in the inode of the alerts.json and continues reading + alerts. + + test_phases: + - setup: + - Apply ossec.conf configuration changes according to the configuration template and use case. + - Truncate Wazuh's logs. + - Configure internal options. + - Restart the daemons defined in `daemons_handler_configuration`. + - Wait for the restarted modules to start correctly. + - test: + - Wait until integratord is ready to read alerts. + - Insert an alert in the `alerts.json` file. + - Check if the alert was received by Slack. + - Replace the `alerts.json` file while wazuh-integratord is reading it. + - Wait for the inode change to be detected by wazuh-integratord. + - Check if wazuh-integratord detects that the file's inode has changed. + - Insert an alert in the `alerts.json` file. + - Check if the alert is processed. + - Check alert was received by Slack. + - teardown: + - Truncate Wazuh's logs. + - Restore initial configuration, both `ossec.conf` and `local_internal_options.conf`. + + wazuh_min_version: 4.3.5 + + tier: 1 + + parameters: + - configuration: + type: dict + brief: Configuration loaded from `configuration_template`. + - metadata: + type: dict + brief: Test case metadata. + - set_wazuh_configuration: + type: fixture + brief: Set wazuh configuration. + - truncate_monitored_files: + type: fixture + brief: Truncate all the log files and json alerts files before and after the test execution. + - configure_local_internal_options_module: + type: fixture + brief: Configure the local internal options file. + - daemons_handler_function: + type: fixture + brief: Handler of Wazuh daemons. 
+ - wait_for_start_module: + type: fixture + brief: Detect the start of the Integratord module in the ossec.log + + assertions: + - Verify the expected response with for a given alert is recieved + + input_description: + - The `configuration_integratord_read_json_alerts.yaml` file provides the module configuration for this test. + - The `cases_integratord_read_json_alerts` file provides the test cases. + + expected_output: + - r'.+wazuh-integratord.*DEBUG: jqueue_next.*Alert file inode changed.*' + - r'.+wazuh-integratord.*Processing alert.*' + - r'.+wazuh-integratord.*' + ''' + wazuh_monitor = FileMonitor(LOG_FILE_PATH) + command = f"echo '{metadata['alert_sample']}' >> {ALERT_FILE_PATH}" + + # Wait until integratord is ready to read alerts + time.sleep(integrator.TIME_TO_DETECT_FILE) + + # Insert a new alert + run_local_command_returning_output(command) + + evm.check_third_party_response(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout) + + # Change file to change inode + copy(ALERT_FILE_PATH, TEMP_FILE_PATH) + remove_file(ALERT_FILE_PATH) + copy(TEMP_FILE_PATH, ALERT_FILE_PATH) + + # Wait for Inode change to be detected + # The `integratord` library tries to read alerts from the file every 1 second. So, the test waits 1 second + 1 + # until the file is reloaded. 
+ time.sleep(integrator.TIME_TO_DETECT_FILE) + + evm.check_file_inode_changed(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout) + + # Insert a new alert + run_local_command_returning_output(command) + + evm.check_alert_processing(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout) + + # Check if the alert was correctly sent to Slack + evm.check_third_party_response(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout) + + +@pytest.mark.tier(level=1) +@pytest.mark.parametrize('configuration, metadata', zip(t2_config, t2_metadata), ids=t2_cases_ids) +def test_integratord_read_valid_alerts(configuration, metadata, set_wazuh_configuration, truncate_monitored_files, + configure_local_internal_options_module, daemons_handler_function, + wait_for_start_module): + ''' + description: Check that when a given alert is inserted into alerts.json, integratord works as expected. In case + of a valid alert, a slack integration alert is expected in the alerts.json file. + + test_phases: + - setup: + - Apply ossec.conf configuration changes according to the configuration template and use case. + - Truncate Wazuh's logs. + - Configure internal options. + - Restart the daemons defined in `daemons_handler_configuration`. + - Wait for the restarted modules to start correctly. + - test: + - Insert a valid alert in the alerts.json file. + - Check if the alert was received by Slack correctly (HTTP response status code: 200) + - teardown: + - Truncate Wazuh's logs. + - Restore initial configuration, both `ossec.conf` and `local_internal_options.conf`. + + wazuh_min_version: 4.3.7 + + tier: 1 + + parameters: + - configuration: + type: dict + brief: Configuration loaded from `configuration_template`. + - metadata: + type: dict + brief: Test case metadata. + - set_wazuh_configuration: + type: fixture + brief: Set wazuh configuration. 
+ - truncate_monitored_files: + type: fixture + brief: Truncate all the log files and json alerts files before and after the test execution. + - configure_local_internal_options_module: + type: fixture + brief: Configure the local internal options file. + - daemons_handler_function: + type: fixture + brief: Handler of Wazuh daemons. + - wait_for_start_module: + type: fixture + brief: Detect the start of the Integratord module in the ossec.log + + assertions: + - Verify the expected response with for a given alert is recieved + + input_description: + - The `configuration_integratord_read_json_alerts.yaml` file provides the module configuration for this test. + - The `cases_integratord_read_valid_json_alerts` file provides the test cases. + + expected_output: + - r'.+wazuh-integratord.*alert_id.*\"integration\": \"slack\".*' + ''' + sample = metadata['alert_sample'] + wazuh_monitor = FileMonitor(LOG_FILE_PATH) + + run_local_command_returning_output(f"echo '{sample}' >> {ALERT_FILE_PATH}") + + # Read Response in ossec.log + evm.check_third_party_response(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout) + + +@pytest.mark.tier(level=1) +@pytest.mark.parametrize('configuration, metadata', zip(t3_config, t3_metadata), ids=t3_cases_ids) +def test_integratord_read_invalid_alerts(configuration, metadata, set_wazuh_configuration, truncate_monitored_files, + configure_local_internal_options_module, daemons_handler_function, + wait_for_start_module): + ''' + description: Check that when a given alert is inserted into alerts.json, integratord works as expected. If the alert + is invalid, broken, or overlong a message will appear in the ossec.log file. + + test_phases: + - setup: + - Apply ossec.conf configuration changes according to the configuration template and use case. + - Truncate Wazuh's logs. + - Configure internal options. + - Restart the daemons defined in `daemons_handler_configuration`. + - Wait for the restarted modules to start correctly. 
+ - test: + - Insert an invalid alert in the alerts.json file. + - Check if wazuh-integratord process the alert and report an error. + - teardown: + - Truncate Wazuh's logs. + - Restore initial configuration, both `ossec.conf` and `local_internal_options.conf`. + + wazuh_min_version: 4.3.7 + + tier: 1 + + parameters: + - configuration: + type: dict + brief: Configuration loaded from `configuration_template`. + - metadata: + type: dict + brief: Test case metadata. + - set_wazuh_configuration: + type: fixture + brief: Set wazuh configuration. + - truncate_monitored_files: + type: fixture + brief: Truncate all the log files and json alerts files before and after the test execution. + - configure_local_internal_options_module: + type: fixture + brief: Configure the local internal options file. + - daemons_handler_function: + type: fixture + brief: Handler of Wazuh daemons. + - wait_for_start_module: + type: fixture + brief: Detect the start of the Integratord module in the ossec.log + + assertions: + - Verify the expected response with for a given alert is recieved + + input_description: + - The `configuration_integratord_read_json_alerts.yaml` file provides the module configuration for this test. + - The `cases_integratord_read_invalid_json_alerts` file provides the test cases. + + expected_output: + - r'.+wazuh-integratord.*WARNING: Invalid JSON alert read.*' + - r'.+wazuh-integratord.*WARNING: Overlong JSON alert read.*' + + ''' + sample = metadata['alert_sample'] + wazuh_monitor = FileMonitor(LOG_FILE_PATH) + + if metadata['alert_type'] == 'invalid': + callback = integrator.CB_INVALID_ALERT_READ + else: + callback = integrator.CB_OVERLONG_ALERT_READ + # Add 90kb of padding to alert to make it go over the allowed value of 64KB. 
+ padding = "0" * 90000 + sample = sample.replace("padding_input", "agent_" + padding) + + run_local_command_returning_output(f"echo '{sample}' >> {ALERT_FILE_PATH}") + + # Read Response in ossec.log + evm.check_invalid_alert_read(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout, + callback=callback, + error_message=f"Did not recieve the expected '{callback}' event") diff --git a/tests/integration/test_integratord/test_integratord_change_inode_alert.py b/tests/integration/test_integratord/test_integratord_change_inode_alert.py deleted file mode 100644 index 6744137ef8..0000000000 --- a/tests/integration/test_integratord/test_integratord_change_inode_alert.py +++ /dev/null 
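Review bot: `replace_webhook_url` iterates `range(0, len(ids))` and indexes `configurations[i]`, so `ids` is only used as a length and any mismatch raises IndexError; iterating the list directly is safer and idiomatic: `for config in configurations: config['WEBHOOK_URL'] = global_parameters.slack_webhook_url`, and its `Returns:` entry is cut off mid-sentence at `List of`. The three `input_description` blocks still cite `configuration_integratord_read_json_alerts.yaml`, which this same commit renames to `configuration_analysisd_integration.yaml`, and `test_integratord_change_json_inode` cites `cases_integratord_read_json_alerts` while loading `cases_integratord_change_inode_alert.yaml`. The valid-alert test's `expected_output` promises `\"integration\": \"slack\"` but the body only calls `check_third_party_response`, so the docstring overstates what is asserted. In the inode test, `alerts.json.tmp` is copied into place and never deleted; a `remove_file(TEMP_FILE_PATH)` after the last `copy` would avoid leaving a second copy of the alert data in the logs directory.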
@@ -1,146 +0,0 @@ -''' -copyright: Copyright (C) 2015-2022, Wazuh Inc. - Created by Wazuh, Inc. . - This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - -type: integration -brief: Integratord manages wazuh integrations with other applications such as Yara or Slack, by feeding -the integrated aplications with the alerts located in alerts.json file. This test module aims to validate that -given a specific alert, the expected response is recieved, depending if it is a valid/invalid json alert, an -overlong alert (64kb+) or what happens when it cannot read the file because it is missing. -components: - - integratord -suite: integratord_read_json_alerts -targets: - - agent -daemons: - - wazuh-integratord -os_platform: - - Linux -os_version: - - Centos 8 - - Ubuntu Focal -references: - - https://documentation.wazuh.com/current/user-manual/manager/manual-integration.html#slack - - https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-integratord.html -pytest_args: - - tier: - 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. - 1: Only level 1 tests are performed, they check functionalities of medium complexity. - 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. 
-tags: - - slack -''' -import os -import time -import pytest -from wazuh_testing import global_parameters -from wazuh_testing.tools import WAZUH_PATH, LOG_FILE_PATH, ALERT_FILE_PATH -from wazuh_testing.tools.file import remove_file, copy -from wazuh_testing.tools.local_actions import run_local_command_returning_output -from wazuh_testing.modules import integratord as integrator -from wazuh_testing.tools.configuration import get_test_cases_data, load_configuration_template -from wazuh_testing.tools.monitoring import FileMonitor -from wazuh_testing.modules.integratord import event_monitor as evm - - -# Marks -pytestmark = [pytest.mark.server] - -# Reference paths -TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') -CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration_template') -TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases') - -# Configuration and cases data -configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_integratord_read_json_alerts.yaml') -cases_path = os.path.join(TEST_CASES_PATH, 'cases_integratord_change_inode_alert.yaml') - -# Configurations -configuration_parameters, configuration_metadata, case_ids = get_test_cases_data(cases_path) -configuration_parameters[0]['WEBHOOK_URL'] = global_parameters.slack_webhook_url -configurations = load_configuration_template(configurations_path, configuration_parameters, - configuration_metadata) -local_internal_options = {'integrator.debug': '2', 'analysisd.debug': '1'} - -# Variables -TEMP_FILE_PATH = os.path.join(WAZUH_PATH, 'logs/alerts/alerts.json.tmp') -REQUIRED_DAEMONS = integrator.REQUIRED_DAEMONS - - -# Tests -@pytest.mark.tier(level=1) -@pytest.mark.parametrize('configuration, metadata', - zip(configurations, configuration_metadata), ids=case_ids) -def test_integratord_change_json_inode(configuration, metadata, set_wazuh_configuration, truncate_monitored_files, - configure_local_internal_options_module, restart_wazuh_function, - 
wait_for_start_module): - ''' - description: Check that when a given alert is inserted into alerts.json, integratord works as expected. - - wazuh_min_version: 4.3.5 - - tier: 1 - - parameters: - - configuration: - type: dict - brief: Configuration loaded from `configuration_template`. - - metadata: - type: dict - brief: Test case metadata. - - set_wazuh_configuration: - type: fixture - brief: Set wazuh configuration. - - truncate_monitored_files: - type: fixture - brief: Truncate all the log files and json alerts files before and after the test execution. - - configure_local_internal_options_module: - type: fixture - brief: Configure the local internal options file. - - restart_wazuh_function: - type: fixture - brief: Restart a list of daemons (defined in REQUIRED_DAEMONS variable) and stop them after finishing. - - wait_for_start_module: - type: fixture - brief: Detect the start of the Integratord module in the ossec.log - - assertions: - - Verify the expected response with for a given alert is recieved - - input_description: - - The `configuration_integratord_read_json_alerts.yaml` file provides the module configuration for this test. - - The `cases_integratord_read_json_alerts` file provides the test cases. 
- - expected_output: - - r'.*wazuh-integratord.*DEBUG: sending new alert' - - r'.*wazuh-integratord.*DEBUG: jqueue_next.*Alert file inode changed.*' - - r'.*wazuh-integratord.*Processing alert.*' - ''' - wazuh_monitor = FileMonitor(LOG_FILE_PATH) - command = f"echo '{metadata['alert_sample']}' >> {ALERT_FILE_PATH}" - # Insert Alerts - run_local_command_returning_output(command) - - # Check that the alert was read - evm.check_send_new_alers(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout*2, - update_position=False) - - # Change file to change inode - copy(ALERT_FILE_PATH, TEMP_FILE_PATH) - remove_file(ALERT_FILE_PATH) - copy(TEMP_FILE_PATH, ALERT_FILE_PATH) - - # Wait for Inode change to be detected - # The `integratord` library tries to read alerts from the file every 1 second. So, the test waits 1 second + 1 - # until the file is reloaded. - time.sleep(integrator.TIME_TO_DETECT_FILE) - - # Monitor Inode Changed - evm.check_file_inode_changed(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout*2) - - # Insert a new alert - run_local_command_returning_output(command) - - # Read Response in ossec.log - evm.check_process_alert(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout*2) diff --git a/tests/integration/test_integratord/test_integratord_read_json_alerts.py b/tests/integration/test_integratord/test_integratord_read_json_alerts.py deleted file mode 100644 index 5c61f3ff73..0000000000 --- a/tests/integration/test_integratord/test_integratord_read_json_alerts.py +++ /dev/null 
@@ -1,216 +0,0 @@ -''' -copyright: Copyright (C) 2015-2022, Wazuh Inc. - Created by Wazuh, Inc. . - This program is free software; you can redistribute it and/or modify it under the terms of GPLv2 - -type: integration - -brief: Integratord manages wazuh integrations with other applications such as Yara or Slack, by feeding -the integrated aplications with the alerts located in alerts.json file. This test module aims to validate that -given a specific alert, the expected response is recieved, depending if it is a valid/invalid json alert, an -overlong alert (64kb+) or what happens when it cannot read the file because it is missing. - -components: - - integratord - -suite: integratord_read_json_alerts - -targets: - - agent - -daemons: - - wazuh-integratord - -os_platform: - - Linux - -os_version: - - Centos 8 - - Ubuntu Focal - -references: - - https://documentation.wazuh.com/current/user-manual/manager/manual-integration.html#slack - - https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-integratord.html - -pytest_args: - - tier: - 0: Only level 0 tests are performed, they check basic functionalities and are quick to perform. - 1: Only level 1 tests are performed, they check functionalities of medium complexity. - 2: Only level 2 tests are performed, they check advanced functionalities and are slow to perform. 
- -tags: - - slack -''' -import os -import pytest -import time - -from wazuh_testing import global_parameters -from wazuh_testing.tools import LOG_FILE_PATH, ALERT_FILE_PATH -from wazuh_testing.modules import integratord as integrator -from wazuh_testing.tools.local_actions import run_local_command_returning_output -from wazuh_testing.tools.configuration import get_test_cases_data, load_configuration_template -from wazuh_testing.modules.integratord import event_monitor as evm -from wazuh_testing.tools.monitoring import FileMonitor - - -# Marks -pytestmark = [pytest.mark.server] - -# Reference paths -TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data') -CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration_template') -TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases') - -# Configuration and cases data -configurations_path = os.path.join(CONFIGURATIONS_PATH, 'configuration_integratord_read_json_alerts.yaml') -t1_cases_path = os.path.join(TEST_CASES_PATH, 'cases_integratord_read_valid_json_alerts.yaml') -t2_cases_path = os.path.join(TEST_CASES_PATH, 'cases_integratord_read_invalid_json_alerts.yaml') - - -# Configurations -t1_configuration_parameters, t1_configuration_metadata, t1_case_ids = get_test_cases_data(t1_cases_path) -t1_configuration_parameters[0]['WEBHOOK_URL'] = global_parameters.slack_webhook_url -t1_configurations = load_configuration_template(configurations_path, t1_configuration_parameters, - t1_configuration_metadata) -t2_configuration_parameters, t2_configuration_metadata, t2_case_ids = get_test_cases_data(t2_cases_path) -# Replace the Webhook URL in each test case -for i, test_case in enumerate(t2_case_ids): - t2_configuration_parameters[i]['WEBHOOK_URL'] = global_parameters.slack_webhook_url -t2_configurations = load_configuration_template(configurations_path, t2_configuration_parameters, - t2_configuration_metadata) - -local_internal_options = {'integrator.debug': '2', 'analysisd.debug': '1'} - -# 
Variables -REQUIRED_DAEMONS = integrator.REQUIRED_DAEMONS - - -# Tests -@pytest.mark.tier(level=1) -@pytest.mark.parametrize('configuration, metadata', - zip(t1_configurations, t1_configuration_metadata), ids=t1_case_ids) -def test_integratord_read_valid_alerts(configuration, metadata, set_wazuh_configuration, truncate_monitored_files, - configure_local_internal_options_module, restart_wazuh_function, - wait_for_start_module): - ''' - description: Check that when a given alert is inserted into alerts.json, integratord works as expected. In case - of a valid alert, a slack integration alert is expected in the alerts.json file. - - wazuh_min_version: 4.3.7 - - tier: 1 - - parameters: - - configuration: - type: dict - brief: Configuration loaded from `configuration_template`. - - metadata: - type: dict - brief: Test case metadata. - - set_wazuh_configuration: - type: fixture - brief: Set wazuh configuration. - - truncate_monitored_files: - type: fixture - brief: Truncate all the log files and json alerts files before and after the test execution. - - configure_local_internal_options_module: - type: fixture - brief: Configure the local internal options file. - - restart_wazuh_function: - type: fixture - brief: Restart a list of daemons (defined in REQUIRED_DAEMONS variable) and stop them after finishing. - - wait_for_start_module: - type: fixture - brief: Detect the start of the Integratord module in the ossec.log - - assertions: - - Verify the expected response with for a given alert is recieved - - input_description: - - The `configuration_integratord_read_json_alerts.yaml` file provides the module configuration for this test. - - The `cases_integratord_read_valid_json_alerts` file provides the test cases. 
- - expected_output: - - r'.*wazuh-integratord.*alert_id.*\"integration\": \"slack\".*' - ''' - sample = metadata['alert_sample'] - wazuh_monitor = FileMonitor(LOG_FILE_PATH) - - time.sleep(5) - - run_local_command_returning_output(f"echo '{sample}' >> {ALERT_FILE_PATH}") - - # Read Response in ossec.log - evm.check_response(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout) - - -@pytest.mark.tier(level=1) -@pytest.mark.parametrize('configuration, metadata', - zip(t2_configurations, t2_configuration_metadata), ids=t2_case_ids) -def test_integratord_read_invalid_alerts(configuration, metadata, set_wazuh_configuration, truncate_monitored_files, - configure_local_internal_options_module, restart_wazuh_function, - wait_for_start_module): - ''' - description: Check that when a given alert is inserted into alerts.json, integratord works as expected. In case - of a valid alert, a slack integration alert is expected in the alerts.json file. If the alert is invalid or - broken, or overly long a message will appear in the ossec.log file. - - wazuh_min_version: 4.3.7 - - tier: 1 - - parameters: - - configuration: - type: dict - brief: Configuration loaded from `configuration_template`. - - metadata: - type: dict - brief: Test case metadata. - - set_wazuh_configuration: - type: fixture - brief: Set wazuh configuration. - - truncate_monitored_files: - type: fixture - brief: Truncate all the log files and json alerts files before and after the test execution. - - configure_local_internal_options_module: - type: fixture - brief: Configure the local internal options file. - - restart_wazuh_function: - type: fixture - brief: Restart a list of daemons (defined in REQUIRED_DAEMONS variable) and stop them after finishing. 
- - wait_for_start_module: - type: fixture - brief: Detect the start of the Integratord module in the ossec.log - - assertions: - - Verify the expected response with for a given alert is recieved - - input_description: - - The `configuration_integratord_read_json_alerts.yaml` file provides the module configuration for this test. - - The `cases_integratord_read_invalid_json_alerts` file provides the test cases. - - expected_output: - - r'.*wazuh-integratord.*WARNING: Invalid JSON alert read.*' - - r'.*wazuh-integratord.*WARNING: Overlong JSON alert read.*' - - ''' - sample = metadata['alert_sample'] - wazuh_monitor = FileMonitor(LOG_FILE_PATH) - - if metadata['alert_type'] == 'invalid': - callback = r".*WARNING: Invalid JSON alert read.*" - error_message = 'Did not recieve the expected "...Invalid JSON alert read..." event' - - elif metadata['alert_type'] == 'overlong': - callback = r".*WARNING: Overlong JSON alert read.*" - error_message = 'Did not recieve the expected "...Overlong JSON alert read..." event' - # Add 90kb of padding to alert to make it go over the allowed value of 64KB. - padding = "0" * 90000 - sample = sample.replace("padding_input", "agent_" + padding) - - run_local_command_returning_output(f"echo '{sample}' >> {ALERT_FILE_PATH}") - - # Read Response in ossec.log - evm.check_alert_read(file_monitor=wazuh_monitor, timeout=global_parameters.default_timeout, - callback=callback, error_message=error_message) From 020d61eacc8ffc45c333251cefa0837695a89ab9 Mon Sep 17 00:00:00 2001 From: mauromalara Date: Tue, 7 Feb 2023 15:20:46 +0000 Subject: [PATCH 12/14] fix(#3298): apply linter corrections. --- ...yaml => configuration_alerts_reading.yaml} | 2 +- .../test_integratord/test_alerts_reading.py | 23 +++++++++---------- 2 files changed, 12 insertions(+), 13 deletions(-) rename tests/integration/test_integratord/data/configuration/{configuration_analysisd_integration.yaml => configuration_alerts_reading.yaml} (97%) 
diff --git a/tests/integration/test_integratord/data/configuration/configuration_analysisd_integration.yaml b/tests/integration/test_integratord/data/configuration/configuration_alerts_reading.yaml
similarity index 97%
rename from tests/integration/test_integratord/data/configuration/configuration_analysisd_integration.yaml
rename to tests/integration/test_integratord/data/configuration/configuration_alerts_reading.yaml
index 43e10a873a..7339e8faba 100644
--- a/tests/integration/test_integratord/data/configuration/configuration_analysisd_integration.yaml
+++ b/tests/integration/test_integratord/data/configuration/configuration_alerts_reading.yaml
@@ -31,5 +31,5 @@
- section: rootcheck
elements:
- - disabled:
+ - disabled:
value: 'yes'
diff --git a/tests/integration/test_integratord/test_alerts_reading.py b/tests/integration/test_integratord/test_alerts_reading.py
index b7e2ecef85..c3507f9ca9 100644
--- a/tests/integration/test_integratord/test_alerts_reading.py
+++ b/tests/integration/test_integratord/test_alerts_reading.py
@@ -55,15 +55,6 @@ from wazuh_testing.modules.integratord import event_monitor as evm
-# Marks
-pytestmark = [pytest.mark.server]
-
-# Reference paths
-TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data')
-CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration')
-TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases')
-
-
def replace_webhook_url(ids, configurations):
'''Replace the Webhook URL in each test case configuration parameters.
@@ -72,7 +63,7 @@ def replace_webhook_url(ids, configurations):
configurations (list): List of test's configuration parameters.
Returns:
- configurations (list): List of
+ configurations (list): List of configurations.
'''
for i in range(0, len(ids)):
configurations[i]['WEBHOOK_URL'] = global_parameters.slack_webhook_url
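Review bot: The completed `Returns:` entry on the added line still leaves out the two things a caller of `replace_webhook_url` needs to know: the function updates the `configurations` list it receives in place and hands back that same object, and the value it writes into `WEBHOOK_URL` is `global_parameters.slack_webhook_url`, a credential-bearing URL that then lands in the generated daemon configuration. Suggested wording: `configurations (list): The same list, updated in place; each entry's WEBHOOK_URL is set from global_parameters.slack_webhook_url (treat the result as sensitive).` The docstring could also state the implicit precondition that `ids` and `configurations` have the same length, since the loop indexes `configurations` by `range(len(ids))`. The loop is unchanged context here and the function's remaining lines lie outside this hunk.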
@@ -80,8 +71,16 @@ def replace_webhook_url(ids, configurations):
return configurations
+# Marks
+pytestmark = [pytest.mark.server]
+
+# Reference paths
+TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data')
+CONFIGURATIONS_PATH = os.path.join(TEST_DATA_PATH, 'configuration')
+TEST_CASES_PATH = os.path.join(TEST_DATA_PATH, 'test_cases')
+
# Configuration and test cases paths
-configurations_template = os.path.join(CONFIGURATIONS_PATH, 'configuration_analysisd_integration.yaml')
+configurations_template = os.path.join(CONFIGURATIONS_PATH, 'configuration_alerts_reading.yaml')
t1_cases_path = os.path.join(TEST_CASES_PATH, 'cases_integratord_change_inode_alert.yaml')
t2_cases_path = os.path.join(TEST_CASES_PATH, 'cases_integratord_read_valid_json_alerts.yaml')
t3_cases_path = os.path.join(TEST_CASES_PATH, 'cases_integratord_read_invalid_json_alerts.yaml')
@@ -174,7 +173,7 @@ def test_integratord_change_json_inode(configuration, metadata, set_wazuh_config
expected_output:
- r'.+wazuh-integratord.*DEBUG: jqueue_next.*Alert file inode changed.*'
- r'.+wazuh-integratord.*Processing alert.*'
- - r'.+wazuh-integratord.*'
+ - r'.+wazuh-integratord.*'
'''
wazuh_monitor = FileMonitor(LOG_FILE_PATH)
command = f"echo '{metadata['alert_sample']}' >> {ALERT_FILE_PATH}"
From 13d40bccdff4d88da3ccfafb67063f7a00b1dc6e Mon Sep 17 00:00:00 2001
From: mauromalara
Date: Tue, 7 Feb 2023 17:49:16 +0000
Subject: [PATCH 13/14] fix(#3298): fix identation error in config file.
---
.../data/configuration/configuration_alerts_reading.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/integration/test_integratord/data/configuration/configuration_alerts_reading.yaml b/tests/integration/test_integratord/data/configuration/configuration_alerts_reading.yaml
index 7339e8faba..f68eba1317 100644
--- a/tests/integration/test_integratord/data/configuration/configuration_alerts_reading.yaml
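Review bot: `pytestmark = [pytest.mark.server]` and the three path constants are re-added below `replace_webhook_url` instead of staying next to the imports, so a reader scanning the module header no longer sees which marker applies to every test in the file. Pytest honours a module-level `pytestmark` wherever it is assigned, so this is a readability point rather than a functional one, but the commit title ("apply linter corrections") does not say which rule required the move, and the placement reads as accidental. If the ordering is deliberate, a one-line comment above `# Marks` naming the linter rule that motivated it would spare the next maintainer the question; otherwise moving the block back above the helper keeps the conventional layout. The same hunk's switch to `configuration_alerts_reading.yaml` matches the rename in this patch.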
+++ b/tests/integration/test_integratord/data/configuration/configuration_alerts_reading.yaml
@@ -32,4 +32,4 @@
- section: rootcheck
elements:
- disabled:
- value: 'yes'
+ value: 'yes'
From e80ff777e6c3c92f59bea817ce6b2e2073666e1a Mon Sep 17 00:00:00 2001
From: mauromalara
Date: Wed, 10 May 2023 20:08:45 +0000
Subject: [PATCH 14/14] docs(#3298): update change in changelog.
---
CHANGELOG.md | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 66ad5efaee..0667f4f197 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,10 @@ All notable changes to this project will be documented in this file.
- Add test to check the Syscollector configuration. ([#3584](https://github.com/wazuh/wazuh-qa/pull/3584)) \- (Framework + Tests)
- Add system tests for groups deletion ([#4057](https://github.com/wazuh/wazuh-qa/pull/4057)) \- (Tests)
+### Changed
+
+- Change integratord test to use slack instead of virustotal ([#3540](https://github.com/wazuh/wazuh-qa/pull/3540)) \- (Framework + Tests)
+
### Fixed
- Fix daemons_handler fixture (fix GCP IT) ([#4134](https://github.com/wazuh/wazuh-qa/pull/4134)) \- (Tests)
@@ -68,7 +72,6 @@ Release report: https://github.com/wazuh/wazuh/issues/15504
- Improve `test_agent_groups_new_cluster_node` ([#3971](https://github.com/wazuh/wazuh-qa/pull/3971)) \- (Tests)
- Improve `test_assign_groups_guess` ([#3901](https://github.com/wazuh/wazuh-qa/pull/3901)) \- (Tests)
-- Change integratord test to use slack instead of virustotal ([#3540](https://github.com/wazuh/wazuh-qa/pull/3540)) \- (Framework + Tests)
- Update `test_cluster_worker_logs_order` test ([#3896](https://github.com/wazuh/wazuh-qa/pull/3896)) \- (Tests)
- Increase NVE download feed test timeout([#3769](https://github.com/wazuh/wazuh-qa/pull/3769)) \- (Tests)
- Adapt wazuhdb integration tests for auto-vacuum ([#3613](https://github.com/wazuh/wazuh-qa/issues/3613)) \- (Tests)