Overview
This issue covers the end-to-end system testing of the FIM (File Integrity Monitoring) feature. The aim is to verify the correct operation of all interconnected components and processes involved in FIM, with a focus on its alerting and state management capabilities. The test coverage spans multiple operating systems, simulating real-world use and checking the robustness of the feature across a range of scenarios.
Feature Architecture and Components
The Wazuh FIM module monitors files and directories and triggers an alert when a user or process creates, modifies, or deletes a monitored file. It first runs a baseline scan that stores a cryptographic checksum and other attributes (size, permissions, owner, timestamps) of each monitored file. When a file changes, the module compares its current checksum and attributes against the baseline and triggers an alert on any mismatch. Depending on the FIM configuration of the agents and the manager, the module detects changes in real time, through whodata (audit-backed) monitoring, or through scheduled scans.
The architecture includes:
Syscheck module: This module is the core of the feature. It detects file changes by comparing a file's current checksum and attribute values with the ones stored in the baseline, and it keeps the Wazuh agent and Wazuh server FIM databases synchronized with each other.
Alerts index: This stores the alerts the manager generates from the changes reported by the FIM module. These alerts record each monitored file's state transitions (added, modified, deleted).
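The baseline-and-compare cycle described above, as an added example that is not Wazuh's syscheck code: it records a SHA-256 checksum plus size, permission bits, owner and mtime for every regular file under a directory, then diffs a later snapshot against that baseline and emits the same "added" / "modified" / "deleted" events the test cases expect. Function names, the attribute set and the temporary sample files are this example's own choices, not syscheck's.

```python
"""Minimal baseline-and-compare integrity check in the style of Wazuh syscheck.

Added example, not Wazuh code. `snapshot()` plays the role of the baseline
scan, `compare()` the role of the check that raises added/modified/deleted
events; the attribute set and names below are this example's own.
"""
from __future__ import annotations

import hashlib
import os
import shutil
import stat
import tempfile
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class FileState:
    sha256: str
    size: int
    mode: str   # permission bits as octal text, e.g. "0o644"
    uid: int
    gid: int
    mtime: int  # whole seconds; sub-second changes are ignored here


def _hash_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict[str, FileState]:
    """Walk `root` and record checksum plus attributes of every regular file."""
    states: dict[str, FileState] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets, etc. are out of scope for this example
            states[path] = FileState(
                sha256=_hash_file(path),
                size=st.st_size,
                mode=oct(stat.S_IMODE(st.st_mode)),
                uid=st.st_uid,
                gid=st.st_gid,
                mtime=int(st.st_mtime),
            )
    return states


def compare(baseline: dict[str, FileState], current: dict[str, FileState]) -> list[dict]:
    """Return one FIM-style event per path that was added, modified or deleted.

    A "modified" event lists which attributes differ, mirroring the
    attribute-level detail a FIM alert carries.
    """
    events = []
    for path in sorted(set(baseline) | set(current)):
        before, after = baseline.get(path), current.get(path)
        if before is None:
            events.append({"path": path, "event": "added"})
        elif after is None:
            events.append({"path": path, "event": "deleted"})
        elif before != after:
            b, a = asdict(before), asdict(after)
            changed = [k for k in b if b[k] != a[k]]
            events.append({"path": path, "event": "modified", "changed_attributes": changed})
    return events


def run_demo() -> list[dict]:
    """Baseline, then create/modify/delete files in a temp dir (constructed data)."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    try:
        for name, data in (("a.txt", b"alpha\n"), ("b.txt", b"beta\n")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        baseline = snapshot(root)
        with open(os.path.join(root, "a.txt"), "wb") as f:
            f.write(b"alpha-changed\n")          # modification
        os.remove(os.path.join(root, "b.txt"))   # deletion
        with open(os.path.join(root, "c.txt"), "wb") as f:
            f.write(b"gamma\n")                  # creation
        return compare(baseline, snapshot(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for ev in run_demo():
        print(ev)
```

The demo yields three events in path order: a.txt modified (checksum and size differ), b.txt deleted, c.txt added. Running the same directory through `compare()` twice without touching it returns an empty list, which is the "subsequent scan without any modification" case in the table below.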
Test Design
The test design verifies that all components work as intended in an integrated, real-world context: the FIM feature must behave reliably, issue the appropriate alerts, and keep accurate state information across the scenarios listed below.
Chosen Families
Windows
macOS
Red Hat based
Debian based
Initial Coverage OS
Windows 11
Windows Server 2022
macOS Ventura or Sonoma (latest available at test delivery)
CentOS 7
Ubuntu 22.04
This list will be updated to follow the new compatibility matrix and tier system.
Test Cases
| Trigger/Condition | Preconditions | Expected Outcome | Type |
| --- | --- | --- | --- |
| First syscheck scan | TBD | The files configured to be monitored appear in the inventory | Event driven |
| Subsequent scan without any modification | TBD | The files inventory remains unchanged and file attributes are the expected ones | Time driven |
| Creation of a file | Real time, different attributes | New entry appears in the files inventory and a FIM "added" alert is triggered | Event driven |
| Modification of a file | Real time, different attributes | A FIM "modified" alert is triggered | Event driven |
| Deletion of a file | Real time, different attributes | A FIM "deleted" alert is triggered | Event driven |
| Creation of a file | Whodata, different attributes | New entry appears in the files inventory and a FIM "added" alert is triggered | Event driven |
| Modification of a file | Whodata, different attributes | A FIM "modified" alert is triggered | Event driven |
| Deletion of a file | Whodata, different attributes | A FIM "deleted" alert is triggered | Event driven |
| Creation of a file | Scheduled, different attributes | New entry appears in the files inventory and a FIM "added" alert is triggered | Event driven |
| Modification of a file | Scheduled, different attributes | A FIM "modified" alert is triggered | Event driven |
| Deletion of a file | Scheduled, different attributes | A FIM "deleted" alert is triggered | Event driven |
| Modification of a file with report_changes enabled | TBD | A FIM "modified" alert is triggered and the modified text is reported | Event driven |
| Modification of a file with report_changes enabled and nodiff | TBD | A FIM "modified" alert is triggered and the modified text is not reported | Event driven |
| Creation of a file with ignore configuration | TBD | No alerts should appear | Time driven |
| Modification of a file with ignore configuration | TBD | No alerts should appear | Time driven |
| Deletion of a file with ignore configuration | TBD | No alerts should appear | Time driven |
| Creation of a registry key (Windows only) | TBD | New entry appears in the registry inventory and a FIM "added" alert is triggered | Event driven |
| Modification of a registry key (Windows only) | TBD | A FIM "modified" alert is triggered | Event driven |
| Deletion of a registry key (Windows only) | TBD | A FIM "deleted" alert is triggered | Event driven |
| Creation of a registry key with registry_ignore configuration (Windows only) | TBD | No alerts should appear | Time driven |
| Modification of a registry key with registry_ignore configuration (Windows only) | TBD | No alerts should appear | Time driven |
| Deletion of a registry key with registry_ignore configuration (Windows only) | TBD | No alerts should appear | Time driven |
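An added check for the expected outcomes in the table above, written in Python like the wazuh-qa framework but not taken from it: it reads alerts.json lines, looks for the syscheck event a row expects (optionally pinned to the realtime/whodata/scheduled mode and to whether report_changes text is present or suppressed by nodiff), and confirms that no alert at all was raised for ignored paths or registry keys. The alert records are constructed for the example; only the field names (`syscheck.path`, `syscheck.event`, `syscheck.mode`, `syscheck.diff`) follow the syscheck alert layout, and the exact nodiff marker text is an assumption taken from 4.x alerts.

```python
"""Verify Wazuh FIM alerts against the expected outcomes of the test-case table.

Added example; not code from the wazuh-qa framework. The records in
_CONSTRUCTED are made up for this example and carry only the keys the checks
use (real alerts also have rule, timestamp, full_log, ...).
"""
from __future__ import annotations

import json

# Text Wazuh puts in syscheck.diff when the file matches a <nodiff> entry.
# Assumption: wording as seen in 4.x alerts; confirm against the version under test.
NODIFF_MARKER = "Diff truncated because nodiff option"

_CONSTRUCTED = [
    {"agent": {"id": "001"},
     "syscheck": {"path": "/etc/hosts", "event": "modified", "mode": "realtime",
                  "diff": "1c1\n< 127.0.0.1 localhost\n---\n> 127.0.0.1 localhost evil\n"}},
    {"agent": {"id": "001"},
     "syscheck": {"path": "/var/www/config.php", "event": "modified", "mode": "whodata",
                  "diff": "<" + NODIFF_MARKER + ">"}},
    {"agent": {"id": "001"},
     "syscheck": {"path": "/opt/app/new.txt", "event": "added", "mode": "scheduled"}},
    {"agent": {"id": "001"},
     "syscheck": {"path": "/opt/app/old.txt", "event": "deleted", "mode": "realtime"}},
    {"agent": {"id": "002"},
     "syscheck": {"path": "HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile",
                  "event": "added", "mode": "scheduled"}},
    {"agent": {"id": "001"}, "data": {"srcuser": "root"}},  # non-FIM alert, must be skipped
]
# Constructed alerts.json content: one JSON object per line plus one damaged line,
# which load_alerts() must skip rather than abort on.
SAMPLE_ALERTS = "\n".join(json.dumps(a) for a in _CONSTRUCTED) + "\n{not json\n"


def load_alerts(text: str) -> list[dict]:
    """Parse newline-delimited alert JSON; blank or damaged lines are dropped."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return alerts


def _fim_for_path(alerts: list[dict], path: str) -> list[dict]:
    return [a for a in alerts if a.get("syscheck", {}).get("path") == path]


def find_fim(alerts: list[dict], path: str, event: str,
             mode: str | None = None, diff: str = "any") -> dict | None:
    """Return the first syscheck alert for `path` with the expected `event`
    ("added" | "modified" | "deleted"), or None if no alert satisfies the row.

    mode: pin to "realtime", "whodata" or "scheduled" (None accepts any).
    diff: "any"; "present" requires report_changes content in syscheck.diff;
          "suppressed" requires no content (no diff, or only the nodiff marker).
    """
    for alert in _fim_for_path(alerts, path):
        sc = alert["syscheck"]
        if sc.get("event") != event:
            continue
        if mode is not None and sc.get("mode") != mode:
            continue
        d = sc.get("diff")
        has_text = bool(d) and NODIFF_MARKER not in d
        if diff == "present" and not has_text:
            continue
        if diff == "suppressed" and has_text:
            continue
        return alert
    return None


def expect_no_fim(alerts: list[dict], path: str) -> bool:
    """True when no syscheck alert at all exists for `path` (ignore rows)."""
    return not _fim_for_path(alerts, path)


if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_ALERTS)
    print("report_changes diff reported:",
          find_fim(alerts, "/etc/hosts", "modified", "realtime", "present") is not None)
    print("nodiff diff suppressed:",
          find_fim(alerts, "/var/www/config.php", "modified", diff="suppressed") is not None)
    print("ignored path silent:", expect_no_fim(alerts, "/etc/mtab"))
```

Each table row maps onto one call: the "Creation of a file / Whodata" row is `find_fim(alerts, path, "added", mode="whodata")`, the two report_changes rows differ only in `diff="present"` versus `diff="suppressed"`, and the ignore rows are `expect_no_fim()` after the scan interval has elapsed. Registry rows use the same calls with the key path as `syscheck.path`.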
Test Execution
Security Implications:
TBD
Performance Expectations:
TBD
Edge Cases/Exception Cases:
TBD
Regression Scenarios:
TBD
Tasks
Design test module structure
Design test documentation structure
Create module testing framework
TBD