PS2-1243-tier0-centos-manager.html

get_configuration = {'apply_to_modules': ['test_alert_vulnerability_removal'], 'metadata': {'NVD_JSON_FEED_PATH': '/home/vagrant/wazuh-qa/...syscheck'}, {'elements': [{'disabled': {'value': 'no'}}], 'section': 'auth'}], 'tags': ['alert_vulnerability_removal']}
configure_environment = None, restart_modulesd = None, mock_system = '002'

def test_alert_vulnerability_removal(get_configuration, configure_environment, restart_modulesd, mock_system):
"""Check if the Vulnerability Detector module generates an alert when a vulnerability is removed from the inventory.

For this purpose, the manager is configured to use custom feeds that include vulnerabilities associated
with two test packages. Those packages are added to the database of the simulated agent and, after enrollment
of the agent, the vulnerability detector must launch the first scan on it, which is of BASELINE type.

When the BASELINE scan is done, it will check that the vulnerabilities are added to the vuln_cves table.
This will be verified by checking the log file. After this, one of the test packages will be removed
and the other will be upgraded to a non-vulnerable version. These situations should generate alerts.

Finally, it waits for the next scan, which should be of PARTIAL_SCAN type and, after it is finished,
the alerts that should have been generated after the removal of the vulnerabilities are searched for.

Args:
get_configuration (fixture): Get configurations from the module.
configure_environment (fixture): Configure a custom environment for testing.
restart_modulesd (fixture): Reset wazuh_modulesd daemon, truncates ossec.log file and starts a new monitor.
mock_system (fixture): Add a simulated agent to the manager for testing.
"""
check_apply_test({'alert_vulnerability_removal'}, get_configuration['tags'])
agent_id = mock_system

# Set TIMESTAMP to the current time on METADATA of CVEs DB to simulate the feeds update.
vd.modify_metadata_vuldet_feed('RHEL8', int(time.time()))

# Callbacks
callback_detect_baseline_scan_start = vd.make_vuln_callback(f"A baseline scan will be run on agent '{agent_id}'")
callback_detect_partial_scan_start = vd.make_vuln_callback(f"A partial scan will be run on agent '{agent_id}'")
callback_detect_scan_end = vd.make_vuln_callback(f"Finished vulnerability assessment for agent '{agent_id}'")
callback_detect_test_package_0_alert = vd.make_vuln_callback(
pattern=f"{test_packet_0_cve} affecting {test_packet_0_name} was eliminated", prefix='.*')
callback_detect_test_package_1_alert = vd.make_vuln_callback(
pattern=f"{test_packet_1_cve} affecting {test_packet_1_name} was eliminated", prefix='.*')

# Detect the baseline scan.
wazuh_log_monitor.start(timeout=vd.VULN_DETECTOR_SCAN_TIMEOUT,
callback=callback_detect_baseline_scan_start,
error_message='No baseline scan start has been detected in the log.')

# Check if the NVD vulnerabilities are detected.
vd.check_detected_vulnerabilities_number(agent=agent_id,
wazuh_log_monitor=wazuh_log_monitor,
expected_vulnerabilities_number=2,
feed_source='NVD', timeout=vd.VULN_DETECTOR_SCAN_TIMEOUT)

# Check the vulnerabilities in the inventory
severity, cvss2_score, cvss3_score = vd.find_rhel_cve_severity_score(cve_nvd_array=nvd_vulnerabilities['CVE_Items'],
cve_rhel_array=rhel_vulnerabilities,
cve_id=test_packet_0_cve)

vd.check_vulnerability_scan_inventory(agent=agent_id, package=test_packet_0_name, version=test_packet_version,
arch='x86_64', cve=test_packet_0_cve, condition='inserted', severity=severity,
cvss2=cvss2_score, cvss3=cvss3_score)

severity, cvss2_score, cvss3_score = vd.find_rhel_cve_severity_score(cve_nvd_array=nvd_vulnerabilities['CVE_Items'],
cve_rhel_array=rhel_vulnerabilities,
cve_id=test_packet_1_cve)

vd.check_vulnerability_scan_inventory(agent=agent_id, package=test_packet_1_name, version=test_packet_version,
arch='x86_64', cve=test_packet_1_cve, condition='inserted', severity=severity,
> cvss2=cvss2_score, cvss3=cvss3_score)

tests/integration/test_vulnerability_detector/test_scan_results/test_alert_vulnerability_removal.py:142:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

agent = '002', package = 'wazuhintegrationpackage-1', version = '1.0.0', arch = 'x86_64'
cve = 'CVE-001', condition = 'inserted', severity = 'High', cvss2 = 10, cvss3 = 7.2

def check_vulnerability_scan_inventory(agent, package, version, arch, cve, condition, severity='-', cvss2=0, cvss3=0):
"""Checks the existence or lack of a vulnerability in the agent's DB

Args:
agent (str) = Id of the agent.
package (str) = Vulnerable package to look for.
version (str) = Version of the vulnerable package to look for.
arch (str) = Architecture of the vulnerable package to look for.
cve (str) = Vulnerability ID associated to the vulnerable package to look for.
condition (str) = This parameter is used to check if the vulnerability exists ('inserted') or
not ('removed') in the inventory
severity (str,optional) = Severity of the vulnerable package to look for.
cvss2 (str,optional) = CVSS2 score of the vulnerable package to look for.
cvss3 (str,optional) = CVSS3 score of the vulnerable package to look for.
"""

if condition == 'inserted':
query = f"""agent {agent} sql SELECT CASE WHEN EXISTS
(select 1 FROM vuln_cves WHERE cve = '{cve}' AND name = '{package}' AND version = '{version}' AND architecture = '{arch}'
AND severity = '{severity}' AND cvss2_score = {cvss2} AND cvss3_score = {cvss3})
THEN 'true' ELSE 'false' END as 'result'"""
elif condition == 'removed':
query = f"""agent {agent} sql SELECT CASE WHEN NOT EXISTS
(select 1 FROM vuln_cves WHERE cve = '{cve}' AND name = '{package}' AND version = '{version}' AND architecture = '{arch}')
THEN 'true' ELSE 'false' END as 'result'"""
else:
raise Exception(f'The "condition" parameter has an unexpected value: {condition}')

wdb_result = query_wdb(query)
if wdb_result[0]['result'] == 'false':
> raise Exception(f'The vulnerability {cve} has not been {condition} as expected')
E Exception: The vulnerability CVE-001 has not been inserted as expected

/usr/local/lib/python3.6/site-packages/wazuh_testing-4.3.0-py3.6.egg/wazuh_testing/vulnerability_detector.py:1131: Exception
-----------------------------Captured stderr setup------------------------------
2021/11/15 16:36:53 wazuh-modulesd[183541] debug_op.c:70 at _log(): DEBUG: Logging module auto-initialized 2021/11/15 16:36:53 wazuh-modulesd[183541] main.c:76 at main(): DEBUG: Wazuh home directory: /var/ossec 2021/11/15 16:36:53 wazuh-modulesd[183541] wmodules-osquery-monitor.c:78 at wm_osquery_monitor_read(): DEBUG: Logpath read: /var/log/osquery/osqueryd.results.log 2021/11/15 16:36:53 wazuh-modulesd[183541] wmodules-osquery-monitor.c:84 at wm_osquery_monitor_read(): DEBUG: configPath read: /etc/osquery/osquery.conf 2021/11/15 16:36:53 wazuh-modulesd[183541] wmodules-vuln-detector.c:596 at wm_vuldet_read_provider(): DEBUG: Added redhat (8) feed. Interval: 2592000s | Path: '/home/vagrant/wazuh-qa/tests/integration/test_vulnerability_detector/test_scan_results/../data/feeds/custom_redhat_oval_feed.xml' | Url: 'none' | Timeout: 300s 2021/11/15 16:36:53 wazuh-modulesd[183541] wmodules-vuln-detector.c:654 at wm_vuldet_read_provider(): DEBUG: Added jredhat feed. Interval: 2592000s | Multi path: '/home/vagrant/wazuh-qa/tests/integration/test_vulnerability_detector/test_scan_results/../data/feeds/custom_redhat_json_feed.json' | Multi url: 'none' | Update since: 1999 | Timeout: 300s 2021/11/15 16:36:53 wazuh-modulesd[183541] wmodules-vuln-detector.c:654 at wm_vuldet_read_provider(): DEBUG: Added nvd feed. Interval: 2592000s | Multi path: '/home/vagrant/wazuh-qa/tests/integration/test_vulnerability_detector/test_scan_results/../data/feeds/custom_nvd_feed.json' | Multi url: 'none' | Update since: 2010 | Timeout: 300s