This article covers the steps on how to trigger an event for each Cloud One - Workload Security module.
Download eicar test file:
curl -LO https://secure.eicar.org/eicar.com
Web Reputation Service
Access WRS test website:
Before testing this module, make sure you have the following test requirements:
- Selected a network protocol, such as TCP/UDP, to test
- Disabled host-based firewall such as Linux iptables (optional)
- Rule sets in Cloud One console:
- IP address
- MAC address
- TCP/UDP port
To check, you can go to the Cloud One console. Select a computer or policy, then click Firewall > Firewall rule > Assign/Unassign.
To test procedure for firewall, evaluate the Secure Shell (SSH) and Remote Desktop Protocol (RDP) rules. To test the SSH rule (port 22):
- Make sure a firewall ruleset to Deny SSH access from your test server is applied.
- Activate a Windows or Linux virtual machine with the SSH rule.
- Using another machine, try to establish SSH connection to the virtual machine.
- On the Cloud One console, go to Events & Reports > Firewall events to view the denied event.
The eicar IPS rule does not apply anymore as eicar.org updated their download format. To test IPS, create a new custom rule blocking (detect only) any website you specified.
- Create a custom IPS rule with similar configuration:
- Make sure that the rule is applied on the server.
- Access the website via cURL:
For integrity monitoring, create a custom rule that will monitor a test file created:
- To create IM rule, refer to this Cloud One article.
- Make sure that the IM rule is applied on the server and included in Integrity Baseline.
- Modify the test file you created.
- If IM Real-time is not enabled, trigger "Scan for Integrity Changes".
- There should be an IM event.
For Log Inspection, you can create a custom rule that will inspect a test log file:
- Create Log Inspection rule that will monitor /tmp/test_access.log for "200" entry. Follow the configuration from the following screenshot:
- Apply the rule on server, make sure to apply LI rule "Default Rules Configuration" as it is a dependency for LI to work properly.
- On the server, add the entry "200" on /tmp/test_access.log:
echo "200" >> /tmp/test_access.log
- Back to web console, go to Computers, open Computer properties > Log Inspection > Log Inspection Events. Wait for 10 minutes or click Get Events to see the test LI rule event.
- Install the DSA on Linux machine (feature currently not available for Windows) and turn on the application control feature.
- Create a test .jar file and execute it. You will find that it is blocked.
[root@localhost ~]# echo abc > test.jar
[root@localhost ~]# chmod 777 test.jar
[root@localhost ~]# ./test.jar
-bash: ./test.jar: Operation not permitted
- It will be recorded in application control events.
- Click Allow All and then run the file again. It should turn out successful.