-
Notifications
You must be signed in to change notification settings - Fork 32
FIM System tests: Scenarios list
- 0201 - Default syscheck configuration: Linux/Windows
- 0202 - Real time monitoring - add: Linux/Windows
- 0203 - Whodata Linux/Windows
- 0204 - Whodata Linux - no audit installed
- 0205 - Use of restrict option: Linux/Windows
- 0206 - Use of tags: Linux/Windows
- 0207 - Use of report changes: Linux/Windows
- 0208 - Use of ignore files: Linux/Windows
- 0209 - Recursion level
- 0210 - Scheduled scan
- 0211 - Custom configuration
- 0212 - Check overlap of scheduled syscheck scan and realtime scan
To ensure that the same number of syscheck alerts are produced in the same environment, so no false positives are reported. Default syscheck configuration
- queue_size: 15000
- events_per_second: 500
"A static number of syscheck alerts indexed in Elasticsearch."
To ensure the 'realtime' feature takes effect in time.
- Monitor
/opt/fim_testingwith 320 recursion level. -
whodata="yes",check_all="yes"
- Generate 1,100, 1000 and 10.000 files at the same time.
The number of alerts must ONLY match in Elasticsearch to the number of added files. Also the timestamp should be close in time to the timestamp of the alert generation.
To ensure the 'whodata' feature takes effect in time.
- Monitor
/opt/fim_testingwith 320 recursion level. -
whodata="yes",check_all="yes"
- Generate 1,100, 1000 and 10.000 files at the same time.
The number of alerts must ONLY match in Elasticsearch to the number of added files. Also the timestamp should be close in time to the timestamp of the alert generation, and the fields of the alerts must be matching to Whodata fields.
To ensure the missing dependency is properly handled.
- Monitor
/opt/fim_testingwith 320 recursion level. - whodata='yes', check_all="yes"
- Generate 1,100, 1000 and 10.000 files at the same time.
An Error log must be provoked in the alerts.log, and realtime mode should be switched to.
To ensure that only restricted files are effectively monitored.
- Monitor
/opt/fim_testingwith 320 recursion level. -
frequency="10"check_all="yes" - restrict="^ignoredfile.txt$"
Create an 'ignoredfile.txt' file within /opt/fim_testing while creating other files.
There should only be one alert related to the restricted file.
Ensure that alerts are generated with the specified tags
- Monitor
/opt/fim_testingwith 320 recursion level. -
frequency="10"check_all="yes"
- tags="tagtest"
Create a test file.
There should be one alert with the specified tag within its body.
To be sure that the content of the change is in the alert.
- Monitor
/opt/fim_testingwith 320 recursion level. -
frequency="10"check_all="yes"
- report_changes="yes"
Modify a monitored file.
There should be one alert with the text change within the body.
To be sure that specified files are ignored and not monitored.
-
<ignore type="sregex">.mp3$|.avi$|.mpg$</ignore>frequency="10"
Create a file that satisfies the ignored type regex.
There should not be any alert related to this action.
Check the behavior of the recursion_level option.
- Monitor
/opt/fim_testingwith 4 recursion level. -
frequency="10", check_all="yes"
"Create files at level 4. Also create a level 5 folder with some files."
"Check that the scans are effectively launched when reached the specified time."
- Monitor
/opt/fim_testingwith 320 recursion level. -
frequency="10", check_all="yes"
- Generate 1,100, 1000 and 10.000 files at the same time.
"After the specified time, the scan must launch and the alerts must be triggered. "
Check the filters applied and the custom configuration works properly
- Monitor different folder
- Generate 1,100, 1000 and 10.000 files at the same time.
After the specified time, the scan must launch and the alerts must be triggered.
Determine how does the periodic fim scan affect to realtime and if the overlap produces failures in alert generation or big delays.
- Monitor
/opt/fim_testingwith 4 recursion level. -
frequency="10",check_all="yes"
- Generate 1,100, 1000 and 10.000 files at the same time.