Events are not forwarded to the console instantly. It usually takes up to 10 minutes until the next agent heartbeat, or you can trigger "Get Events" manually on the console.
 

Download the EICAR test file:

curl -LO https://secure.eicar.org/eicar.com

Access the WRS (Web Reputation Service) test website:

curl http://wrs21.winshipway.com

Before testing the firewall module, make sure the following test requirements are met:

  • Selected a network protocol, such as TCP or UDP, to test
  • Disabled any host-based firewall, such as Linux iptables (optional)
  • Rule sets in the Cloud One console covering:
    • IP address
    • MAC address
    • TCP/UDP port

    To check, you can go to the Cloud One console. Select a computer or policy, then click Firewall > Firewall rule > Assign/Unassign.

To test the firewall module, evaluate the Secure Shell (SSH) and Remote Desktop Protocol (RDP) rules. To test the SSH rule (port 22):

  1. Make sure a firewall rule set that denies SSH access from your test server is applied.
  2. Activate a Windows or Linux virtual machine with the SSH rule assigned.
  3. From another machine, try to establish an SSH connection to the virtual machine.
  4. On the Cloud One console, go to Events & Reports > Firewall events to view the denied event.

The EICAR IPS rule no longer applies because eicar.org changed its download format. To test IPS, create a new custom rule that blocks (in detect-only mode) a website you specify.

  1. Create a custom IPS rule with a configuration similar to the following screenshots:

    [Screenshot: IPS Rule]

    [Screenshot: IPS Rule 2]

  2. Make sure that the rule is applied on the server.
  3. Access the website via cURL:

    curl http://www.example.com

For integrity monitoring, create a custom rule that monitors a test file you created:

  1. To create an IM rule, refer to this Cloud One article.
  2. Make sure that the IM rule is applied on the server and included in the Integrity Baseline.
  3. Modify the test file you created.
  4. If IM real-time scanning is not enabled, trigger "Scan for Integrity Changes".
  5. An IM event should appear in the console.

For Log Inspection, create a custom rule that inspects a test log file:

  1. Create a Log Inspection rule that monitors /tmp/test_access.log for a "200" entry, following the configuration shown in the screenshots below:

    [Screenshot: Basic Rule]

    [Screenshot: Files]

  2. Apply the rule on the server. Also assign the LI rule "Default Rules Configuration", which is a dependency for Log Inspection to work properly.

    [Screenshot: Log Inspection]

  3. On the server, append a "200" entry to /tmp/test_access.log:

    echo "200" >> /tmp/test_access.log

  4. Back in the web console, go to Computers, open the computer's properties and then Log Inspection > Log Inspection Events. Wait up to 10 minutes, or click Get Events, to see the event raised by the test LI rule.

    [Screenshot: Log Inspection 2]
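As an added example that is not part of the original article, the following POSIX shell script reproduces the file-side triggers of the Integrity Monitoring and Log Inspection procedures above and confirms locally that the trigger condition actually occurred (the monitored file's hash changed, the "200" entry is present) before you wait for the next heartbeat. The IM test file path and the use of sha256sum from GNU coreutils are assumptions; /tmp/test_access.log is the file the article names.

```shell
#!/bin/sh
# Added example, not part of the original article: reproduce the file-side
# triggers of the IM and LI tests and confirm locally that they occurred.
# Assumptions: Linux host with GNU coreutils (sha256sum); IM_FILE is a
# hypothetical test file path; LI_LOG is the log file named in the article.
IM_FILE="${IM_FILE:-/tmp/im_test_file}"
LI_LOG="${LI_LOG:-/tmp/test_access.log}"

# Create the IM test file and return its SHA-256 hash, the attribute the
# Integrity Baseline records for the monitored file.
im_baseline() {
    echo "baseline content" > "$IM_FILE"
    sha256sum "$IM_FILE" | cut -d' ' -f1
}

# Modify the test file (IM step 3) and return the new hash.
im_modify() {
    echo "modified at $(date +%s)" >> "$IM_FILE"
    sha256sum "$IM_FILE" | cut -d' ' -f1
}

# Succeed only if the hashes differ, i.e. an IM event is expected on the next scan.
im_changed() {
    [ "$1" != "$2" ]
}

# Append the "200" entry the LI rule watches for (LI step 3).
li_append() {
    echo "200" >> "$LI_LOG"
}

# Count lines the rule should match (assuming it matches the literal string
# 200); grep -c prints 0 but exits 1 on no match, so do not treat that as error.
li_count_matches() {
    grep -c '200' "$LI_LOG" || true
}

# Walk through both procedures and report what the console should show.
run_checks() {
    h1=$(im_baseline)
    h2=$(im_modify)
    if im_changed "$h1" "$h2"; then
        echo "IM: hash changed, expect an IM event for $IM_FILE"
    else
        echo "IM: hash unchanged, no IM event will be raised"
    fi
    li_append
    echo "LI: $(li_count_matches) matching entries in $LI_LOG, expect that many events"
}
```

Source the file and call run_checks on the protected server; if the IM line reports "hash unchanged" or the LI count is 0, the missing event is a trigger problem, not a console delay.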

For Application Control, verify that a newly created executable is blocked:

  1. Install the DSA on a Linux machine (the feature is currently not available for Windows) and turn on the Application Control feature.

    [Screenshot: Application Control]

    [Screenshot: Agent]

  2. Create a test .jar file and try to execute it. The execution is blocked:

    [root@localhost ~]# echo abc > test.jar
    [root@localhost ~]# chmod 777 test.jar
    [root@localhost ~]# ./test.jar
    -bash: ./test.jar: Operation not permitted

  3. The blocked execution is recorded in the Application Control events.

    [Screenshot: Test Jar]

  4. Click Allow All, then run the file again. This time it should execute successfully.