merge: base branch into working branch. #3085

tests/end_to_end/test_vulnerability_detector/data/playbooks/configuration.yaml

@@ -0,0 +1,105 @@
+- name: Test agent configuration
+  hosts: wazuh-agent
+  tasks:
+
+    - name: Enable the agent module to collect installed packages (Ubuntu)
+      become: true
+      blockinfile:
+        path: /var/ossec/etc/ossec.conf
+        insertbefore: </ossec_config>
+        block: |
+          <wodle name="syscollector">
+          <disabled>no</disabled>
+          <interval>10s</interval>
+          <os>yes</os>
+          <packages>yes</packages>
+          </wodle>
+        marker: <!-- {mark} ANSIBLE MANAGED BLOCK -->
+
+    - name: Restart wazuh-agent (Ubuntu)
+      become: true
+      shell: systemctl restart wazuh-agent
+
+- name: Test agent configuration
+  hosts: wazuh-windows
+  tasks:
+
+    - name: Create temp folder
+      win_file:
+        path: C:\temp
+        state: directory
+
+    - name: Copy ossec.conf
+      ansible.windows.win_copy:
+        src: C:\Program Files (x86)\ossec-agent\ossec.conf
+        dest: C:\temp
+        remote_src: true
+
+    - name: Enable the agent module to collect installed packages (Windows)
+      ansible.windows.win_shell: |
+        Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n<ossec_config>"
+        Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n<wodle name='syscollector'>"
+        Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n<disabled>no</disabled>"
+        Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n<interval>10s</interval>"
+        Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n<os>yes</os>"
+        Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n<packages>yes</packages>"
+        Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n<hotfixes>yes</hotfixes>"
+        Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n</wodle>"
+        Add-Content 'C:\Program Files (x86)\ossec-agent\ossec.conf' "`n</ossec_config>"
+
+    - name: Restart wazuh-agent (Windows)
+      ansible.windows.win_shell: |
+        net stop wazuh
+        net start wazuh
+
+- name: Test manager configuration
+  hosts: wazuh-manager
+  tasks:
+
+    - name: Truncate file ossec.log
+      shell: echo "" > /var/ossec/logs/ossec.log
+      become: true
+
+    - name: Enabled vulnerability detector module
+      become: true
+      blockinfile:
+        path: /var/ossec/etc/ossec.conf
+        insertbefore: </ossec_config>
+        block: |
+          <vulnerability-detector>
+          <enabled>yes</enabled>
+          <interval>10s</interval>
+          <min_full_scan_interval>10s</min_full_scan_interval>
+          <run_on_start>yes</run_on_start>
+
+          <!-- Ubuntu OS vulnerabilities -->
+          <provider name="canonical">
+          <enabled>yes</enabled>
+          <os>focal</os>
+          <update_interval>1h</update_interval>
+          </provider>
+
+          <!-- Windows OS vulnerabilities -->
+          <provider name="msu">
+          <enabled>yes</enabled>
+          <update_interval>1h</update_interval>
+          </provider>
+
+          <!-- Aggregate vulnerabilities -->
+          <provider name="nvd">
+          <enabled>yes</enabled>
+          <update_from_year>2021</update_from_year>
+          <update_interval>1h</update_interval>
+          </provider>
+          </vulnerability-detector>
+        marker: <!-- {mark} ANSIBLE MANAGED BLOCK -->
+
+    - name: Restart wazuh-manager
+      become: true
+      shell: systemctl restart wazuh-manager
+
+    - name: Wait until the feeds were downloaded and the first scan was completed
+      become: true
+      wait_for:
+        path: /var/ossec/logs/ossec.log
+        search_regex: Vulnerability scan finished.

tests/end_to_end/test_vulnerability_detector/data/playbooks/generate_events.yaml

@@ -0,0 +1,37 @@
+- name: Truncate files
+  hosts: wazuh-manager
+  tasks:
+
+    - name: Truncate file alert.json
+      shell: echo "" > /var/ossec/logs/alerts/alerts.json
+      become: true
+
+- name: Generate events
+  hosts: agents
+  vars:
+    os: "{{ os }}"
+  tasks:
+
+    - name: "{{ event_description }}"
+      become: true
+      command: "{{ command }}"
+      when: os == ansible_facts['distribution']
+
+    - name: "{{ event_description }}"
+      ansible.windows.win_shell: "{{ command }}"
+      when: os == ansible_facts['os_family']
+
+- name: Wait alert
+  hosts: wazuh-manager
+  tasks:
+
+    - name: Waiting for vulnerability scan, alert reporting and indexing
+      wait_for:
+        timeout: 60
+
+    - name: Get alerts.json
+      fetch:
+        src: /var/ossec/logs/alerts/alerts.json
+        dest: /tmp/
+        flat: true
+      become: true

tests/end_to_end/test_vulnerability_detector/data/playbooks/teardown.yaml

@@ -0,0 +1,38 @@
+- name: Cleanup environment
+  hosts: wazuh-agent
+  tasks:
+
+    - name: Uninstall vim vulnerable package
+      become: true
+      command: apt-get remove vim -y
+
+    - name: Delete agent configuration
+      become: true
+      blockinfile:
+        path: /var/ossec/etc/ossec.conf
+        block: ''
+        marker: <!-- {mark} ANSIBLE MANAGED BLOCK -->
+
+- name: Cleanup environment
+  hosts: wazuh-windows
+  tasks:
+
+    - name: Uninstall Mozilla Firefox vulnerable package
+      ansible.windows.win_shell: |
+        Start-Process "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" -ArgumentList "/S" -Wait
+
+    - name: Restore ossec.conf without changes
+      ansible.windows.win_copy:
+        src: C:\temp\ossec.conf
+        dest: C:\Program Files (x86)\ossec-agent
+        remote_src: true
+
+    - name: Delete C:\temp folder
+      ansible.windows.win_file:
+        path: C:\temp
+        state: absent
+
+    - name: Restart wazuh-agent (Windows)
+      ansible.windows.win_shell: |
+        net stop wazuh
+        net start wazuh

tests/end_to_end/test_vulnerability_detector/data/test_cases/cases_vulnerability_detector.yaml

@@ -0,0 +1,26 @@
+- name: detect_vulnerability_ubuntu
+  description: Detect vim vulnerability
+  configuration_parameters: null
+  metadata:
+    extra_vars:
+      os: Ubuntu
+      event_description: Install vulnerable vim package
+      command: apt install -y vim=2:8.1.2269-1ubuntu5.7
+    rule.id: 23505
+    rule.level: 10
+    rule.description: CVE-2022-1621 affects vim
+
+- name: detect_vulnerability_windows
+  description: Detect Mozilla Firefox vulnerability
+  configuration_parameters: null
+  metadata:
+    extra_vars:
+      os: Windows
+      event_description: Install vulnerable Mozilla package
+      command: |
+        Invoke-WebRequest -Uri "https://ftp.mozilla.org/pub/firefox/releases/92.0/win64/en-US/Firefox Setup 92.0.exe" `
+        -OutFile "C:\temp\test.exe"
+        Start-Process -Wait -FilePath "C:\temp\test.exe" -ArgumentList "/S" -PassThru
+    rule.id: 23505
+    rule.level: 10
+    rule.description: CVE-2021-30547 affects Mozilla Firefox \(x64 en-US\)

tests/end_to_end/test_vulnerability_detector/test_vulnerability_detector.py

@@ -0,0 +1,68 @@
+import os
+import json
+import re
+import pytest
+from tempfile import gettempdir
+
+from wazuh_testing.tools import configuration as config
+from wazuh_testing import end_to_end as e2e
+from wazuh_testing import event_monitor as evm
+
+# Test cases data
+alerts_json = os.path.join(gettempdir(), 'alerts.json')
+test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data')
+test_cases_file_path = os.path.join(test_data_path, 'test_cases', 'cases_vulnerability_detector.yaml')
+
+# Playbooks
+configuration_playbooks = ['configuration.yaml']
+events_playbooks = ['generate_events.yaml']
+teardown_playbooks = ['teardown.yaml']
+
+# Configuration
+configurations, configuration_metadata, cases_ids = config.get_test_cases_data(test_cases_file_path)
+
+
+@pytest.mark.filterwarnings('ignore::urllib3.exceptions.InsecureRequestWarning')
+@pytest.mark.parametrize('metadata', configuration_metadata, ids=cases_ids)
+def test_vulnerability_detector(configure_environment, metadata, get_dashboard_credentials, generate_events,
+                                clean_alerts_index):
+    """
+    Test to detect a vulnerability
+    """
+    rule_level = metadata['rule.level']
+    rule_id = metadata['rule.id']
+    rule_description = metadata['rule.description']
+
+    expected_alert_json = fr'\{{"timestamp":"(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)",' \
+                          fr'"rule"\:{{"level"\:{rule_level},' \
+                          fr'"description"\:"{rule_description}","id"\:"{rule_id}".*\}}'
+
+    expected_indexed_alert = fr'.*"rule":.*"level": {rule_level},.*"description": "{rule_description}"' \
+                             fr'.*"id": "{rule_id}".*' \
+                             r'"timestamp": "(\d+\-\d+\-\w+\:\d+\:\d+\.\d+\+\d+)".*'
+
+    # Check that alert has been raised and save timestamp
+    raised_alert = evm.check_event(callback=expected_alert_json, file_to_monitor=alerts_json,
+                                   error_message='The alert has not occurred').result()
+    raised_alert_timestamp = raised_alert.group(1)
+
+    query = e2e.make_query([
+        {
+            "term": {
+                "rule.id": f"{rule_id}"
+            }
+        },
+        {
+            "term": {
+                "timestamp": f"{raised_alert_timestamp}"
+            }
+        }
+    ])
+
+    # Check if the alert has been indexed and get its data
+    response = e2e.get_alert_indexer_api(query=query, credentials=get_dashboard_credentials)
+    indexed_alert = json.dumps(response.json())
+
+    # Check that the alert data is the expected one
+    alert_data = re.search(expected_indexed_alert, indexed_alert)
+    assert alert_data is not None, 'Alert triggered, but not indexed'