Removed config.rs, changed windows WXS Rules ID, fixed unit tests Win…

…dows and Linux, Added ruleset match to auditevents

.github/workflows/install-test.yml

@@ -47,6 +47,7 @@ jobs:
         run: sudo systemctl status fim
 
       - name: Remove package installation
+        if: always()
         run: sudo dpkg --purge fim
 
 
@@ -71,6 +72,7 @@ jobs:
         run: sudo systemctl status fim
 
       - name: Remove package installation
+        if: always()
         run: sudo yum remove -y fim
 
 

pkg/msi/fim.wxs

@@ -33,7 +33,7 @@ https://github.com/Achiefs/fim/wiki" />
                         <File Id='CONFIG' Name='config.yml' DiskId='1' Source='config.yml' KeyPath='yes'></File>
                     </Component>
                     <Component Id='RulesFile' Guid='*' Win64="yes">
-                        <File Id='CONFIG' Name='rules.yml' DiskId='1' Source='rules.yml' KeyPath='yes'></File>
+                        <File Id='RULES' Name='rules.yml' DiskId='1' Source='rules.yml' KeyPath='yes'></File>
                     </Component>
                 </Directory>
             </Directory>

src/appconfig.rs

@@ -563,19 +563,22 @@ mod tests {
     #[cfg(target_os = "windows")]
     #[test]
     fn test_new_config_windows() {
+        let dir = utils::get_current_dir();
+        let disk = dir.get(0..1).unwrap();
         let cfg = AppConfig::new("windows", None);
+
         assert_eq!(cfg.version, String::from(VERSION));
         assert_eq!(cfg.events_destination, String::from("file"));
         assert_eq!(cfg.endpoint_address, String::from("Not_defined"));
         assert_eq!(cfg.endpoint_type, String::from("Not_defined"));
         assert_eq!(cfg.endpoint_user, String::from("Not_defined"));
         assert_eq!(cfg.endpoint_pass, String::from("Not_defined"));
         assert_eq!(cfg.endpoint_token, String::from("Not_defined"));
-        assert_eq!(cfg.events_file, String::from("C:\\ProgramData\\fim\\events.json"));
+        assert_eq!(cfg.events_file, format!("{}:\\ProgramData\\fim\\events.json", disk) );
         // monitor
         // audit
         assert_eq!(cfg.node, String::from("FIM"));
-        assert_eq!(cfg.log_file, String::from("C:\\ProgramData\\fim\\fim.log"));
+        assert_eq!(cfg.log_file, format!("{}:\\ProgramData\\fim\\fim.log", disk) );
         assert_eq!(cfg.log_level, String::from("info"));
         assert_eq!(cfg.log_max_file_size, 64);
         assert_eq!(cfg.system, String::from("windows"));
@@ -1108,20 +1111,22 @@ mod tests {
     #[cfg(target_os = "windows")]
     #[test]
     fn test_read_config_windows() {
+        let dir = utils::get_current_dir();
+        let disk = dir.get(0..1).unwrap();
         let yaml = read_config(String::from("config/windows/config.yml"));
 
         assert_eq!(yaml[0]["node"].as_str().unwrap(), "FIM");
         assert_eq!(yaml[0]["events"]["destination"].as_str().unwrap(), "file");
-        assert_eq!(yaml[0]["events"]["file"].as_str().unwrap(), "C:\\ProgramData\\fim\\events.json");
+        assert_eq!(yaml[0]["events"]["file"].as_str().unwrap(), format!("{}:\\ProgramData\\fim\\events.json", disk) );
 
-        assert_eq!(yaml[0]["monitor"][0]["path"].as_str().unwrap(), "C:\\Program Files\\");
+        assert_eq!(yaml[0]["monitor"][0]["path"].as_str().unwrap(), format!("{}:\\Program Files\\", disk) );
         assert_eq!(yaml[0]["monitor"][0]["labels"][0].as_str().unwrap(), "Program Files");
         assert_eq!(yaml[0]["monitor"][0]["labels"][1].as_str().unwrap(), "windows");
-        assert_eq!(yaml[0]["monitor"][1]["path"].as_str().unwrap(), "C:\\Users\\");
+        assert_eq!(yaml[0]["monitor"][1]["path"].as_str().unwrap(), format!("{}:\\Users\\", disk) );
         assert_eq!(yaml[0]["monitor"][1]["labels"][0].as_str().unwrap(), "Users");
         assert_eq!(yaml[0]["monitor"][1]["labels"][1].as_str().unwrap(), "windows");
 
-        assert_eq!(yaml[0]["log"]["file"].as_str().unwrap(), "C:\\ProgramData\\fim\\fim.log");
+        assert_eq!(yaml[0]["log"]["file"].as_str().unwrap(), format!("{}:\\ProgramData\\fim\\fim.log", disk) );
         assert_eq!(yaml[0]["log"]["level"].as_str().unwrap(), "info");
     }
 

src/auditevent.rs

@@ -8,9 +8,11 @@ use log::*;
 use serde_json::{json, to_string};
 use reqwest::Client;
 use std::collections::HashMap;
+use std::path::PathBuf;
 
 use crate::appconfig;
 use crate::appconfig::*;
+use crate::ruleset::*;
 use crate::utils;
 use crate::hash;
 
@@ -396,17 +398,19 @@ impl Event {
     // ------------------------------------------------------------------------
 
     // Function to manage event destination
-    pub async fn process(&self, destination: &str, index_name: String, cfg: AppConfig){
+    pub async fn process(&self, destination: &str, index_name: String, cfg: AppConfig, ruleset: Ruleset){
         match destination {
             appconfig::BOTH_MODE => {
                 self.log(&cfg.get_events_file());
-                self.send(index_name, cfg).await;
+                self.send(index_name, cfg.clone()).await;
             },
             appconfig::NETWORK_MODE => {
-                self.send(index_name, cfg).await;
+                self.send(index_name, cfg.clone()).await;
             },
             _ => self.log(&cfg.get_events_file())
         }
+        let filepath = PathBuf::from(self.path.clone());
+        ruleset.match_rule(cfg, filepath.join(self.file.clone())).await;
     }
 }