wazuh-qa
FTT1 - FIM system testing
Overview
This issue is dedicated to the comprehensive end-to-end system testing of the FIM feature. The aim is to verify the correct operation of all interconnected components and processes involved in FIM, with a focus on its alerting and state management capabilities. The test coverage spans multiple operating systems, simulating real-world use and checking the robustness of the feature across a range of scenarios.
Feature Architecture and Components
The Wazuh FIM module monitors files and directories and triggers an alert when a user or process creates, modifies, or deletes a monitored file. It runs a baseline scan, storing the cryptographic checksum and other attributes (size, permissions, owner, group, timestamps) of each monitored file. When a user or process changes a file, the module compares the file's current checksum and attributes against the baseline and triggers an alert if it finds a mismatch. Depending on the syscheck configuration of each agent and of the manager, the FIM module detects changes in real time, through who-data auditing, or through scheduled scans.
The architecture includes:
- Syscheck module: the core of the feature. It detects file changes by comparing a file's current checksum and attribute values with the values stored from the previous scan, and it keeps the Wazuh agent and Wazuh server FIM databases synchronized with each other.
- Alerts index: stores the alerts generated from the changes that the FIM module reports. These alerts record each state transition of a monitored file (added, modified, deleted).
Test Design
The test design ensures that all components work as intended in an integrated, real-world context. We aim to ensure that the FIM feature behaves reliably, issuing appropriate alerts and maintaining accurate state information across various scenarios.
Chosen Families
- Windows
- macOS
- Red Hat based
- Debian based
Initial Coverage OS
- Windows 11
- Windows Server 2022
- macOS Ventura or Sonoma (latest available at test delivery)
- CentOS 7
- Ubuntu 22.04
This list will be updated accordingly following the new compatibility matrix and tiers system.
Test Cases
| Trigger/Condition | Preconditions | Expected Outcome | Type |
|---|---|---|---|
| First syscheck scan | TBD | The files configured to be monitored appear in the files inventory | Event driven |
| Subsequent scan without any modification | TBD | The files inventory remains unchanged and the file attributes are the expected ones | Time driven |
| Creation of a file | Real time, different attributes | A new entry appears in the files inventory and a FIM "added" alert is triggered | Event driven |
| Modification of a file | Real time, different attributes | A FIM "modified" alert is triggered | Event driven |
| Deletion of a file | Real time, different attributes | A FIM "deleted" alert is triggered | Event driven |
| Creation of a file | Whodata, different attributes | A new entry appears in the files inventory and a FIM "added" alert is triggered | Event driven |
| Modification of a file | Whodata, different attributes | A FIM "modified" alert is triggered | Event driven |
| Deletion of a file | Whodata, different attributes | A FIM "deleted" alert is triggered | Event driven |
| Creation of a file | Scheduled, different attributes | A new entry appears in the files inventory and a FIM "added" alert is triggered | Event driven |
| Modification of a file | Scheduled, different attributes | A FIM "modified" alert is triggered | Event driven |
| Deletion of a file | Scheduled, different attributes | A FIM "deleted" alert is triggered | Event driven |
| Modification of a file with report_changes enabled | TBD | A FIM "modified" alert is triggered and the modified text is reported in the alert | Event driven |
| Modification of a file with report_changes enabled and nodiff | TBD | A FIM "modified" alert is triggered and the modified text is not reported | Event driven |
| Creation of a file with ignore configuration | TBD | No alert is generated | Time driven |
| Modification of a file with ignore configuration | TBD | No alert is generated | Time driven |
| Deletion of a file with ignore configuration | TBD | No alert is generated | Time driven |
| Creation of a registry key | TBD (Windows only) | A new entry appears in the inventory and a FIM "added" alert is triggered | Event driven |
| Modification of a registry key | TBD (Windows only) | A FIM "modified" alert is triggered | Event driven |
| Deletion of a registry key | TBD (Windows only) | A FIM "deleted" alert is triggered | Event driven |
| Creation of a registry key with ignore configuration | TBD (Windows only) | No alert is generated | Time driven |
| Modification of a registry key with ignore configuration | TBD (Windows only) | No alert is generated | Time driven |
| Deletion of a registry key with ignore configuration | TBD (Windows only) | No alert is generated | Time driven |
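The baseline-and-compare mechanism described in the architecture section is what the file rows of this table exercise. The following is an added illustration, not Wazuh or wazuh-qa code: a small Python model of the syscheck loop that takes a baseline of a directory (SHA-256 plus attributes), rescans, and emits added/modified/deleted events while honouring ignore patterns and the report_changes/nodiff options. The class name `Syscheck`, its keyword arguments and the scratch files it creates are all assumptions made for the example; the regex ignore uses Python `re` rather than the sregex syntax Wazuh uses, and the `<Diff truncated because nodiff option>` marker mirrors the text Wazuh puts in the alert when nodiff applies.

```python
"""Model of the syscheck baseline/compare loop behind the FIM test cases.

Added example, not Wazuh code. All file names and contents are constructed
sample input created in a temporary directory.
"""
import difflib
import hashlib
import os
import re
import stat
import tempfile

ATTRIBUTES = ("size", "mode", "uid", "gid", "mtime", "sha256")


class Syscheck:
    """Scan a directory, keep a baseline and report changes against it."""

    def __init__(self, directory, ignore=(), ignore_regex=(),
                 report_changes=False, nodiff=()):
        self.directory = directory
        # <ignore> matches a file or a whole subtree by path prefix.
        self.ignore = [os.path.abspath(p) for p in ignore]
        # <ignore type="sregex"> modelled with Python regexes (simplification).
        self.ignore_regex = [re.compile(r) for r in ignore_regex]
        self.report_changes = report_changes
        self.nodiff = {os.path.abspath(p) for p in nodiff}
        self.baseline = None  # populated by the first scan

    def _ignored(self, path):
        by_prefix = any(path == p or path.startswith(p + os.sep) for p in self.ignore)
        return by_prefix or any(r.search(path) for r in self.ignore_regex)

    def _entry(self, path):
        st = os.lstat(path)
        with open(path, "rb") as fh:
            data = fh.read()
        entry = {"size": st.st_size, "mode": stat.filemode(st.st_mode),
                 "uid": st.st_uid, "gid": st.st_gid, "mtime": st.st_mtime_ns,
                 "sha256": hashlib.sha256(data).hexdigest()}
        if self.report_changes:
            entry["content"] = data  # previous copy kept so a diff can be built later
        return entry

    def scan(self):
        inventory = {}
        for root, _dirs, files in os.walk(self.directory):
            for name in files:
                path = os.path.join(root, name)
                if not self._ignored(path):
                    inventory[path] = self._entry(path)
        return inventory

    def _diff(self, path, old, new):
        if not self.report_changes:
            return None
        if path in self.nodiff:
            return "<Diff truncated because nodiff option>"
        before = old["content"].decode(errors="replace").splitlines(True)
        after = new["content"].decode(errors="replace").splitlines(True)
        return "".join(difflib.unified_diff(before, after, "before", "after"))

    def run(self):
        """One scan. The first call only builds the inventory; later calls return events."""
        current = self.scan()
        events = []
        if self.baseline is not None:
            for path in sorted(set(self.baseline) | set(current)):
                old, new = self.baseline.get(path), current.get(path)
                if old is None:
                    events.append({"type": "added", "path": path})
                elif new is None:
                    events.append({"type": "deleted", "path": path})
                else:
                    changed = [a for a in ATTRIBUTES if old[a] != new[a]]
                    if changed:
                        events.append({"type": "modified", "path": path,
                                       "changed_attributes": changed,
                                       "diff": self._diff(path, old, new)})
        self.baseline = current
        return events


def demo():
    """Walk through the file scenarios of the test table on a scratch directory."""
    with tempfile.TemporaryDirectory() as mon:
        def write(name, text):
            with open(os.path.join(mon, name), "w") as fh:
                fh.write(text)

        write("a.txt", "v1\n"); write("secret.txt", "s1\n"); write("c.txt", "gone\n")
        fim = Syscheck(mon, ignore=[os.path.join(mon, "ignored.log")],
                       ignore_regex=[r"\.tmp$"], report_changes=True,
                       nodiff=[os.path.join(mon, "secret.txt")])
        first = fim.run()                    # first scan: inventory only, no events
        inventory_size = len(fim.baseline)
        unchanged = fim.run()                # subsequent scan, nothing touched
        write("b.txt", "new\n")              # creation -> "added"
        write("a.txt", "v2\n")               # modification -> "modified" with diff
        write("secret.txt", "s2\n")          # modification under nodiff -> diff withheld
        write("ignored.log", "x\n"); write("x.tmp", "x\n")  # ignored -> no events
        os.remove(os.path.join(mon, "c.txt"))  # deletion -> "deleted"
        events = {os.path.basename(e["path"]): e for e in fim.run()}
        return {"first": first, "unchanged": unchanged,
                "inventory_size": inventory_size, "events": events}


if __name__ == "__main__":
    for name, event in demo()["events"].items():
        print(name, event["type"], event.get("changed_attributes", ""))
```

Each expected outcome in the table maps onto one assertion against this model: an empty event list for the first and the unchanged scan, one event per created, modified or deleted file, a unified diff only when report_changes is on and the path is not under nodiff, and no event at all for ignored paths. A real system test makes the same checks against the agent's FIM database and the alerts index instead of the in-memory baseline.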
Test Execution
Security Implications:
- TBD
Performance Expectations:
- TBD
Edge Cases/Exception Cases:
- TBD
Regression Scenarios:
- TBD
Tasks
- Design test module structure
- Design test documentation structure
- Create module testing framework
- TBD