wazuh / wazuh-qa

Wazuh - Quality Assurance
GNU General Public License v2.0

FTT1 - FIM system testing #4764

Closed juliamagan closed 2 weeks ago

juliamagan commented 7 months ago

Overview

This issue is dedicated to the comprehensive end-to-end functionality system testing of the FIM feature. The aim is to ensure the correct operation of all interconnected components and processes involved in the FIM feature, with a focus on its alerting and state management capabilities. The test coverage spans across multiple operating systems, simulating real-world use and ensuring the robustness of the system across various scenarios.

Feature Architecture and Components

The Wazuh FIM module monitors files and directories and triggers an alert when a user or process creates, modifies, or deletes monitored files. It runs a baseline scan, storing the cryptographic checksum and other attributes of the monitored files. When a user or process changes a file, the module compares its checksum and attributes to the baseline. It triggers an alert if it finds a mismatch. The FIM module performs real-time and scheduled scans depending on the FIM configuration for agents and the manager.

The architecture includes:

  1. Syscheck module: This module is the core of the feature, which looks for file modifications by comparing the checksums of a file to its stored checksums and attribute values. It keeps the Wazuh agent and the Wazuh server databases synchronized with each other.
  2. Alerts index: This manages alerts generated based on changes detected in the databases by the FIM module. These alerts track status changes.

Test Design

The test design ensures that all components work as intended in an integrated, real-world context. We aim to ensure that the FIM feature behaves reliably, issuing appropriate alerts and maintaining accurate state information across various scenarios.

Chosen Families

Initial Coverage OS

This list will be updated accordingly following the new compatibility matrix and tiers system.

Test Cases

| Trigger/Condition | Preconditions | Expected Outcome | Type |
|---|---|---|---|
| First syscheck scan | TBD | The files configured to be monitored appear in the inventory | Event driven |
| Subsequent scan without any modification | TBD | The files inventory remains unchanged and file attributes are the expected ones | Time driven |
| Creation of a file | Real time, different attributes | New entry appears in files inventory and a FIM "added" alert is triggered | Event driven |
| Modification of a file | Real time, different attributes | A FIM "modified" alert is triggered | Event driven |
| Deletion of a file | Real time, different attributes | A FIM "deleted" alert is triggered | Event driven |
| Creation of a file | Whodata, different attributes | New entry appears in files inventory and a FIM "added" alert is triggered | Event driven |
| Modification of a file | Whodata, different attributes | A FIM "modified" alert is triggered | Event driven |
| Deletion of a file | Whodata, different attributes | A FIM "deleted" alert is triggered | Event driven |
| Creation of a file | Scheduled, different attributes | New entry appears in files inventory and a FIM "added" alert is triggered | Event driven |
| Modification of a file | Scheduled, different attributes | A FIM "modified" alert is triggered | Event driven |
| Deletion of a file | Scheduled, different attributes | A FIM "deleted" alert is triggered | Event driven |
| Modification of a file with report changes enabled | TBD | A FIM "modified" alert is triggered and the modified text is reported | Event driven |
| Modification of a file with report changes enabled and nodiff | TBD | A FIM "modified" alert is triggered and the modified text is not reported | Event driven |
| Creation of a file with ignore configuration | TBD | No alerts should appear | Time driven |
| Modification of a file with ignore configuration | TBD | No alerts should appear | Time driven |
| Deletion of a file with ignore configuration | TBD | No alerts should appear | Time driven |
| Creation of a registry key | TBD | New entry appears in files inventory and a FIM "added" alert is triggered | Event driven |
| Modification of a registry key | TBD | A FIM "modified" alert is triggered | Event driven |
| Deletion of a registry key | TBD | A FIM "deleted" alert is triggered | Event driven |
| Creation of a registry key with ignore configuration | TBD | No alerts should appear | Time driven |
| Modification of a registry key with ignore configuration | TBD | No alerts should appear | Time driven |
| Deletion of a registry key with ignore configuration | TBD | No alerts should appear | Time driven |

Test Execution

Security Implications:

Performance Expectations:

Edge Cases/Exception Cases:

Regression Scenarios:

Tasks
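
A small outcome checker for the test-case table above, added here as an example and not part of the wazuh-qa project: it replays constructed alerts.json-style lines and derives the files inventory, the per-mode event sequence, the report_changes/nodiff behaviour and the "no alerts should appear" rows. The field names (syscheck.path, syscheck.event, syscheck.mode, syscheck.diff) and the nodiff marker text are assumptions based on the Wazuh FIM alert format, not values taken from this issue.

```python
import json

# Constructed alerts.json-style lines (not captured from a real deployment);
# field names follow the Wazuh FIM alert format (syscheck.path/event/mode/diff).
SAMPLE_ALERT_LINES = """
{"rule": {"id": "554"}, "syscheck": {"path": "/etc/test/a.txt", "event": "added", "mode": "realtime"}}
{"rule": {"id": "550"}, "syscheck": {"path": "/etc/test/a.txt", "event": "modified", "mode": "realtime", "diff": "1c1\\n< old\\n---\\n> new\\n"}}
{"rule": {"id": "550"}, "syscheck": {"path": "/etc/test/secret.conf", "event": "modified", "mode": "whodata", "diff": "<Diff truncated because nodiff option>"}}
{"rule": {"id": "553"}, "syscheck": {"path": "/etc/test/b.txt", "event": "deleted", "mode": "scheduled"}}
""".strip()

# Marker text the manager substitutes for the diff when the path is under <nodiff> (assumed).
NODIFF_MARKER = "<Diff truncated because nodiff option>"


def load_alerts(lines):
    """Parse one JSON alert per line and keep only those carrying a syscheck block."""
    alerts = [json.loads(line) for line in lines.splitlines() if line.strip()]
    return [a for a in alerts if "syscheck" in a]


def replay_inventory(alerts, baseline=()):
    """Derive the expected files inventory: 'added' inserts a path, 'deleted' removes it."""
    inventory = set(baseline)
    for a in alerts:
        sc = a["syscheck"]
        if sc["event"] == "added":
            inventory.add(sc["path"])
        elif sc["event"] == "deleted":
            inventory.discard(sc["path"])
    return inventory


def events_for(alerts, path):
    """Ordered (mode, event) pairs seen for a path, e.g. [('realtime', 'added'), ...]."""
    return [(a["syscheck"]["mode"], a["syscheck"]["event"])
            for a in alerts if a["syscheck"]["path"] == path]


def reports_changes(alert):
    """True when a 'modified' alert carries the real text change (report_changes without nodiff)."""
    sc = alert["syscheck"]
    diff = sc.get("diff")
    return sc["event"] == "modified" and diff is not None and diff != NODIFF_MARKER


def ignored_violations(alerts, ignored_prefixes):
    """For the 'No alerts should appear' rows: alerts whose path falls under an ignored prefix."""
    return [a for a in alerts
            if any(a["syscheck"]["path"].startswith(p) for p in ignored_prefixes)]
```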

davidjiglesias commented 2 weeks ago

To be done as part of 5.0 when time comes.