Merge pull request #4 from ADORSYS-GIS/yaratest

Add YARA Tests and GitHub Actions for Automated Verification

.github/workflows/yara-test.yml

@@ -0,0 +1,38 @@
+name: Run Pytest
+
+on: [push, pull_request]
+
+jobs:
+  run-pytest:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v2
+
+    - name: Set up Python
+      uses: actions/setup-python@v2
+      with:
+        python-version: '3.9'
+
+    - name: Install dependencies and Wazuh agent
+      run: |
+        # Install dependencies
+        sudo apt-get update
+        sudo apt-get install -y curl gnupg2 
+        pip install pytest pytest-testinfra
+
+        # Install wazuh-agent
+        wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.8.1-1_amd64.deb 
+        sudo WAZUH_MANAGER='10.0.0.2' WAZUH_AGENT_NAME='test' dpkg -i ./wazuh-agent_4.8.1-1_amd64.deb
+        sudo systemctl daemon-reload
+        sudo systemctl enable wazuh-agent
+        sudo systemctl start wazuh-agent
+
+    - name: Run yara install script
+      run: |
+        sudo bash scripts/install.sh
+
+    - name: Run tests 
+      run: |
+        sudo $(which pytest) -vv scripts/tests/yara.py

README.md

@@ -1,6 +1,5 @@
 # Wazuh Yara
-
-[![Test YARA Script](https://github.com/ADORSYS-GIS/wazuh-yara/actions/workflows/test-script.yml/badge.svg)](https://github.com/ADORSYS-GIS/wazuh-yara/actions/workflows/test-script.yml)
+[![Run Pytest](https://github.com/ADORSYS-GIS/wazuh-yara/actions/workflows/yara-test.yml/badge.svg)](https://github.com/ADORSYS-GIS/wazuh-yara/actions/workflows/yara-test.yml)
 
 
 ## Overview
@@ -30,3 +29,15 @@ Install using this command:
    ```bash
    curl -SL --progress-bar https://raw.githubusercontent.com/ADORSYS-GIS/wazuh-yara/main/scripts/install.sh | sh
    ```
+
+## YARA Tests
+
+To ensure the correct installation and configuration of YARA and Wazuh, we have implemented a set of automated tests. These tests verify the presence and proper configuration of essential components such as users, groups, configuration files, and installed packages.
+
+For a detailed description of these tests and how to execute them, please refer to the [YARA Tests README](scripts/tests/README.md).
+
+## GitHub Actions
+
+The repository includes a GitHub Actions workflow that automatically runs the tests on every push or pull request. This helps maintain the integrity of the system by validating the setup continuously.
+
+For more information on the test workflow, see the [GitHub Actions Workflow](https://github.com/ADORSYS-GIS/wazuh-yara/actions/workflows/yara-test.yml).

scripts/tests/README.md

@@ -1,10 +1,84 @@
-# Script testing
+# Project Testing Guide
 
-## Bash Automated Testing System (BATS)
+This README explains the tests provided in the `tests` directory, how to run them, and why they are necessary. The tests focus on ensuring that Wazuh and its related components, such as YARA, are correctly installed and configured on the system. We also provide a GitHub Action for automating the test execution on every push or pull request.
 
-The BATS framework is used to test the scripts in this project. The tests are written in the BATS language and are
-located in the `scripts/tests` directory.
+## Prerequisites
+
+The tests are written using `pytest` and `pytest-testinfra` to interact with the system's infrastructure. Make sure you have the following dependencies installed:
+
+- Python 3.9+
+- `pytest`
+- `pytest-testinfra`
+- Wazuh agent
+- YARA (for malware detection)
+
+## Installing Dependencies
+
+To install the necessary Python dependencies, run:
+
+```bash
+pip install pytest pytest-testinfra
+```
+
+To install Wazuh and YARA, follow the steps outlined in the GitHub Action provided later in this README.
+
+## Running the Tests
+
+Run the tests with the following command:
 
 ```bash
-docker run --rm -it -v "$PWD:/app" ghcr.io/stephane-segning/bats-docker:alpine-latest bats /app/scripts/tests/test-script.bats
-```
+pytest -vv
+```
+
+### Explanation of Each Test
+
+#### 1. **`test_user_exists`**
+   - **Description**: Verifies that the `root` user exists on the system.
+   - **Reason**: The `root` user is crucial for administrative tasks, and its absence might indicate misconfigurations.
+
+#### 2. **`test_group_exists`**
+   - **Description**: Ensures that the `wazuh` group exists.
+   - **Reason**: The Wazuh agent needs to operate under this group for proper permissions management.
+
+#### 3. **`test_ossec_conf_exists`**
+   - **Description**: Checks if the `ossec.conf` file exists, which is the main configuration file for Wazuh.
+   - **Reason**: The Wazuh agent cannot function without its configuration file. This test supports multiple operating systems.
+
+#### 4. **`test_ossec_conf_content`**
+   - **Description**: Validates that the `ossec.conf` contains the expected directories and settings.
+   - **Reason**: Ensures the configuration file is properly set up to monitor important directories (`/home`, `/root`, `/bin`, `/sbin`) and that the correct scan frequency is applied.
+
+#### 5. **`test_yara_installed`**
+   - **Description**: Verifies that the YARA package is installed.
+   - **Reason**: YARA is necessary for malware detection, and this test ensures it's present on the system.
+
+#### 6. **`test_yara_script_downloaded`**
+   - **Description**: Ensures the YARA active-response script is downloaded and has the correct permissions.
+   - **Reason**: This script is essential for active malware response, so its presence and permissions are crucial.
+
+#### 7. **`test_wazuh_agent_restarted`**
+   - **Description**: Checks if the Wazuh agent service is running and enabled.
+   - **Reason**: The Wazuh agent must be actively running to monitor the system.
+
+#### 8. **`test_yara_rules_file_exists`**
+   - **Description**: Confirms that the YARA rules file exists.
+   - **Reason**: YARA rules are essential for detecting malware, so this file must exist.
+
+#### 9. **`test_yara_rules_directory_permissions`**
+   - **Description**: Ensures that the YARA rules directory has the correct owner and group permissions (`root` and `wazuh`).
+   - **Reason**: Proper permissions are necessary to ensure the integrity of the rules and system security.
+
+## GitHub Actions Workflow
+
+The GitHub Actions configuration (`.github/workflows/pytest.yml`) is designed to run the tests automatically on every push or pull request. It performs the following steps:
+
+1. **Checkout the code**: The repository is cloned into the runner.
+2. **Set up Python 3.9**: Ensures the correct Python version is available.
+3. **Install dependencies**: Installs the required dependencies (`pytest`, `pytest-testinfra`, Wazuh agent, etc.).
+4. **Install Wazuh agent**: Installs and starts the Wazuh agent service.
+5. **Run YARA install script**: Executes a script to install YARA.
+6. **Run tests**: Executes the `pytest` suite.
+
+## Conclusion
+
+These tests help ensure that the Wazuh agent and YARA are properly installed and configured on the system, which is essential for system security and malware detection. Running these tests regularly through GitHub Actions ensures that every change to the repository is automatically verified.

scripts/tests/yara.py

@@ -0,0 +1,78 @@
+import os
+import pytest
+import testinfra
+
+@pytest.fixture
+def host():
+    return testinfra.get_host("local://")
+
+def test_user_exists(host):
+    user = host.user("root")
+    assert user.exists
+
+def test_group_exists(host):
+    group = host.group("wazuh")
+    assert group.exists
+
+def test_ossec_conf_exists(host):
+    if host.system_info.type == "linux":
+        ossec_conf_path = "/var/ossec/etc/ossec.conf"
+    elif host.system_info.type == "darwin":
+        ossec_conf_path = "/Library/Ossec/etc/ossec.conf"
+    else:
+        pytest.skip("Unsupported OS")
+
+    file = host.file(ossec_conf_path)
+    assert file.exists, f"{ossec_conf_path} does not exist"
+
+
+def test_ossec_conf_content(host):
+    if host.system_info.type == "linux":
+        ossec_conf_path = "/var/ossec/etc/ossec.conf"
+    elif host.system_info.type == "darwin":
+        ossec_conf_path = "/Library/Ossec/etc/ossec.conf"
+    else:
+        pytest.skip("Unsupported OS")
+
+    file = host.file(ossec_conf_path)
+    assert file.contains('<directories realtime="yes">/home, /root, /bin, /sbin</directories>'), \
+        "Missing expected directories configuration"
+    assert file.contains('<frequency>300</frequency>'), "Missing expected frequency setting"
+
+
+def test_yara_installed(host):
+    yara = host.package("yara")
+    assert yara.is_installed
+
+def test_yara_script_downloaded(host):
+    if host.system_info.type == "linux":
+        yara_script_path = "/var/ossec/active-response/bin/yara.sh"
+    elif host.system_info.type == "darwin":
+        yara_script_path = "/Library/Ossec/active-response/bin/yara.sh"
+    else:
+        pytest.skip("Unsupported OS")
+
+    file = host.file(yara_script_path)
+    assert file.exists
+    assert file.user == "root"
+    assert file.group == "wazuh"
+    assert file.mode == 0o750
+
+def test_wazuh_agent_restarted(host):
+    # Adjust this command based on how Wazuh agent is restarted.
+    service = host.service("wazuh-agent")
+    assert service.is_running
+    assert service.is_enabled
+
+def test_yara_rules_file_exists(host):
+    yara_rules_file = host.file("/var/ossec/ruleset/yara/rules/yara_rules.yar")
+    assert yara_rules_file.exists, "YARA rules file does not exist"
+    assert yara_rules_file.is_file, "YARA rules file is not a regular file"
+
+def test_yara_rules_directory_permissions(host):
+    yara_rules_dir = host.file("/var/ossec/ruleset/yara/rules")
+    assert yara_rules_dir.is_directory, "YARA rules directory does not exist"
+    assert yara_rules_dir.user == "root", "YARA rules directory is not owned by root"
+    assert yara_rules_dir.group == "wazuh", "YARA rules directory is not owned by the wazuh group"
+
+