-
Notifications
You must be signed in to change notification settings - Fork 32
FIM System tests: Scenarios list
- 0201 - Default syscheck configuration: Linux/Windows
- 0202 - Real time monitoring - add: Linux/Windows
- 0203 - Whodata Linux/Windows
- 0204 - Whodata Linux - no audit installed
- 0205 - Use of restrict option: Linux/Windows
- 0206 - Use of tags: Linux/Windows
- 0207 - Use of report changes: Linux/Windows
- 0208 - Use of ignore files: Linux/Windows
- 0209 - Recursion level
- 0210 - Scheduled scan
- 0211 - Custom configuration
- 0212 - Check overlap of scheduled syscheck scan and realtime scan
To ensure that the same number of syscheck alerts are produced in the same environment, so no false positives are reported. Default syscheck configuration
<frequency>10</frequency><directories>/opt/fim_testing</directories>
<frequency>10</frequency><directories recursion_level="320">C:\fim_testing</directories>
A static number of syscheck alerts correctly indexed in the alerts.json file and the Elasticsearch indices.
related issue: #531
To ensure the 'realtime' feature takes effect in time.
<frequency>1000000</frequency><directories realtime="yes" check_all="yes" recursion_level="4">/opt/fim_testing</directories>
<frequency>1000000</frequency><directories recursion_level="320" check_all="yes" realtime="yes">C:\fim_testing</directories>
- Generate 1,100, 1000 and 10.000 files at the same time.
The number of alerts must ONLY match in Elasticsearch to the number of added files. Also the timestamp should be close in time to the timestamp of the alert generation.
related issue: #528
To ensure the 'whodata' feature takes effect in time.
<frequency>43200</frequency><directories recursion_level="320" check_all="yes" whodata="yes">/opt/fim_testing</directories>
<frequency>43200</frequency><directories recursion_level="320" check_all="yes" whodata="yes">C:\fim_testing</directories>
- Generate 1,100, 1000 and 10.000 files at the same time.
The number of alerts must ONLY match in Elasticsearch to the number of added files. Also the timestamp should be close in time to the timestamp of the alert generation, and the fields of the alerts must be matching to Whodata fields.
related issue: [#520](https://github.com/wazuh/wazuh-qa/issues/520
To ensure the missing dependency is properly handled.
<frequency>43200</frequency><directories recursion_level="320" check_all="yes" whodata="yes">/opt/fim_testing</directories>
- Generate 1,100, 1000 and 10.000 files at the same time.
An Error log must be provoked in the alerts.log, and realtime mode should be switched to.
related issue: #526
To ensure that only restricted files are effectively monitored.
<frequency>10</frequency><directories recursion_level="320" check_all="yes" restrict="fimtest">/opt/fim_testing</directories>
<frequency>10</frequency><directories recursion_level="320" check_all="yes" restrict="fimtest">C:\fim_testing</directories>
Create an 'ignoredfile.txt' file within /opt/fim_testing while creating other files.
There should only be one alert related to the restricted file.
related issue: #524
Ensure that alerts are generated with the specified tags
<frequency>10</frequency><directories tags="test_tag">/opt/fim_testing</directories>
<frequency>10</frequency><directories recursion_level="320" tags="test_tag">C:\fim_testing</directories>
Create a test file.
There should be one alert with the specified tag within its body.
related issue: #523
To be sure that the content of the change is in the alert.
<frequency>10</frequency><directories recursion_level="320" check_all="yes" realtime="yes" report_changes="yes">/opt/fim_testing</directories>
<frequency>10</frequency><directories recursion_level="320" check_all="yes" realtime="yes" report_changes="yes">C:\fim_testing</directories>
Modify a monitored file.
There should be one alert with the text change within the body.
related issue: #538
To be sure that specified files are ignored and not monitored.
<frequency>10</frequency><directories>/opt/fim_testing</directories>
<frequency>10</frequency><directories recursion_level="320">C:\fim_testing</directories>
Create a file that satisfies the ignored type regex.
There should not be any alert related to this action.
related issue: #540
Check the behavior of the recursion_level option.
- Monitor
/opt/fim_testingwith 4 recursion level. -
frequency="10", check_all="yes"
"Create files at level 4. Also create a level 5 folder with some files."
related issue: #553
"Check that the scans are effectively launched when reached the specified time."
- Monitor
/opt/fim_testingwith 320 recursion level. -
frequency="10", check_all="yes"
- Generate 1,100, 1000 and 10.000 files at the same time.
"After the specified time, the scan must launch and the alerts must be triggered. "
Check the filters applied and the custom configuration works properly
- Monitor different folder
- Generate 1,100, 1000 and 10.000 files at the same time.
After the specified time, the scan must launch and the alerts must be triggered.
related issue: #556
Determine how does the periodic fim scan affect to realtime and if the overlap produces failures in alert generation or big delays.
<frequency>600</frequency><directories realtime="yes" check_all="yes" recursion_level="4">/opt/fim_testing</directories>
<frequency>600</frequency><directories recursion_level="320" check_all="yes" realtime="yes">C:\fim_testing</directories>
- Generate 1,100, 1000 and 10.000 files at the same time.