SSH - Secure Shell
What is SSH?
SSH (Secure Shell) is a cryptographic network protocol used to securely access and manage devices over an unsecured network. It allows users to log into remote systems, execute commands, and transfer files securely. It is commonly used by system administrators and developers to manage servers.
Why is SSH important?
Security: Encrypts all data, including passwords and commands.
Authentication: Uses passwords or cryptographic keys to verify identity.
Remote Access: Enables secure management of remote machines.
Port Forwarding: Can tunnel other protocols securely.
How SSH works (in simple steps):
You open an SSH client (like ssh in terminal or PuTTY).
You connect to a remote server using its IP address or domain name.
The server and client exchange cryptographic keys.
Once authenticated, you can securely run commands or transfer files.
Where is SSH used?
Remote server management
Secure file transfers (via SCP or SFTP)
Automated scripts and DevOps pipelines
Tunneling and port forwarding
Why OSI Layer: Application Layer (Layer 7)?
SSH operates at the Application Layer because:
It directly interacts with user applications (like terminal emulators).
It provides services (like remote login and file transfer) to the user.
It uses lower layers (like TCP at Layer 4) for transport but is itself an application-level protocol.
Terminology
Version Info
| SSH Version | RFC | Year | Core Idea / Contribution |
|---|---|---|---|
| SSH-1 (v1) | No formal RFC (proprietary) | 1995 | Original version by Tatu Ylönen; had security flaws and was later deprecated. |
| SSH-2 (v2) | RFC 4250 | 2006 | SSH Protocol Assigned Numbers |
| | RFC 4251 | 2006 | The Secure Shell (SSH) Protocol Architecture |
| | RFC 4252 | 2006 | The Secure Shell (SSH) Authentication Protocol |
| | RFC 4253 | 2006 | The Secure Shell (SSH) Transport Layer Protocol |
| | RFC 4254 | 2006 | The Secure Shell (SSH) Connection Protocol |
| SSH Extensions & Enhancements | RFC 4432 | 2006 | Diffie-Hellman Group Exchange for the SSH Transport Layer Protocol |
| | RFC 5656 | 2009 | Elliptic Curve Algorithm Integration into SSH |
| | RFC 6187 | 2011 | X.509v3 Certificates for SSH |
| | RFC 6668 | 2012 | SHA-2 Data Integrity Verification for SSH |
| | RFC 8308 | 2018 | Extension Negotiation Mechanism |
| | RFC 8332 | 2018 | Ed25519 Public Key Algorithm for SSH |
| | RFC 8709 | 2020 | SHA-2 Message Authentication Code for SSH |
Setup
SSH Transport Layer Packet
| S.No | Protocol Packets | Description | Size (Bytes) |
|---|---|---|---|
| 1 | SSH Transport Layer Packet | Used during the initial connection setup, encryption, and key exchange. | ~40-350+ |
| | Header | Indicates packet length and padding. | 5 |
| | Packet Length | Total length of the packet (excluding the length field itself). | 4 |
| | Padding Length | Length of the padding added to align the packet. | 1 |
| | Payload | Actual message content (e.g., key exchange, authentication). | Variable |
| | Padding | Random bytes to align packet to cipher block size. | Variable |
| | MAC (optional) | Message Authentication Code for integrity (if enabled). | 10-32 |
SSH Key Exchange Packet
| S.No | Protocol Packets | Description | Size (Bytes) |
|---|---|---|---|
| 2 | SSH Key Exchange Packet | Exchanged after connection to establish encryption keys | ~100-500+ |
| | Message Type | Indicates key exchange message type (e.g., SSH_MSG_KEXINIT). | 1 |
| | Cookie | Random bytes to prevent replay attacks. | 16 |
| | KEX Algorithms | List of supported key exchange algorithms | Variable |
| | Server Host Key Algos | List of supported host key algorithms | Variable |
| | Encryption Algos | Supported encryption algorithms (client/server) | Variable |
| | MAC Algos | Supported MAC algorithms (client/server) | Variable |
| | Compression Algos | Supported compression algorithms (client/server). | Variable |
| | Language Tags | Optional language preferences | Variable |
| | First KEX Packet Follows | Indicates if the next packet is part of the key exchange | 1 |
SSH User Authentication Packet
| S.No | Protocol Packets | Description | Size (Bytes) |
|---|---|---|---|
| 3 | SSH User Authentication Packet | Used to authenticate the user (e.g., password, public key) | ~50-300+ |
| | Message Type | Indicates authentication method (e.g., SSH_MSG_USERAUTH_REQUEST). | 1 |
| | Username | The login name of the user | Variable |
| | Service Name | The service being requested (usually “ssh-connection”) | Variable |
| | Authentication Method | Method used (e.g., “password”, “publickey”) | Variable |
| | Credentials | Password or public key data | Variable |
SSH Connection Protocol Packet
| S.No | Protocol Packets | Description | Size (Bytes) |
|---|---|---|---|
| 4 | SSH Connection Protocol Packet | Used after authentication to open channels, execute commands, etc. | ~40-300+ |
| | Message Type | Indicates action (e.g., SSH_MSG_CHANNEL_OPEN, SSH_MSG_CHANNEL_DATA). | 1 |
| | Channel ID | Identifier for the communication channel | 4 |
| | Window Size | Flow control window size | 4 |
| | Payload | Actual command or data being sent | Variable |
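To make the Transport Layer Packet and Key Exchange Packet tables above concrete, here is an added Python example (my own code, not taken from the page or from any SSH implementation) that builds a constructed KEXINIT packet and parses it back, cross-checking every length field before trusting it. The algorithm lists, the fixed cookie and the zero-filled padding are constructed sample values; the unencrypted, MAC-less form is what both peers see before key exchange completes.

```python
from __future__ import annotations
import struct
from typing import NamedTuple

SSH_MSG_KEXINIT = 20  # message number assigned in RFC 4250

# The ten name-lists of KEXINIT, in wire order (RFC 4253 section 7.1).
KEXINIT_NAME_LISTS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)


class BinaryPacket(NamedTuple):
    packet_length: int
    padding_length: int
    payload: bytes
    padding: bytes
    mac: bytes


def parse_binary_packet(data: bytes, mac_len: int = 0, block_size: int = 8) -> BinaryPacket:
    """Split uint32 packet_length | byte padding_length | payload | padding | mac.
    packet_length covers padding_length, payload and padding, not itself or the MAC;
    every length is cross-checked so a truncated or tampered header raises ValueError."""
    if len(data) < 5:
        raise ValueError("short packet: need at least the 5-byte header")
    packet_length, padding_length = struct.unpack_from("!IB", data)
    if len(data) != 4 + packet_length + mac_len:
        raise ValueError(f"length mismatch: header implies {4 + packet_length + mac_len}, got {len(data)}")
    if padding_length < 4 or padding_length > packet_length - 1:
        raise ValueError(f"invalid padding_length {padding_length}")
    if (4 + packet_length) % block_size:
        raise ValueError("packet is not a multiple of the cipher block size")
    payload_end = 4 + packet_length - padding_length
    return BinaryPacket(packet_length, padding_length, data[5:payload_end],
                        data[payload_end:4 + packet_length], data[4 + packet_length:])


def read_name_list(buf: bytes, pos: int) -> tuple[list[str], int]:
    """name-list (RFC 4251 section 5): uint32 byte count, then comma-separated ASCII names."""
    if pos + 4 > len(buf):
        raise ValueError("truncated name-list length")
    length = struct.unpack_from("!I", buf, pos)[0]
    pos += 4
    if pos + length > len(buf):
        raise ValueError("truncated name-list body")
    raw = buf[pos:pos + length].decode("ascii")
    return (raw.split(",") if raw else []), pos + length


def parse_kexinit(payload: bytes) -> dict:
    """Decode a KEXINIT payload: type byte, 16-byte cookie, ten name-lists, flag, reserved."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a complete SSH_MSG_KEXINIT")
    fields: dict = {"cookie": payload[1:17]}
    pos = 17
    for name in KEXINIT_NAME_LISTS:
        fields[name], pos = read_name_list(payload, pos)
    if pos + 5 != len(payload):  # boolean + uint32 reserved must end the message exactly
        raise ValueError("KEXINIT trailer is truncated or followed by extra bytes")
    fields["first_kex_packet_follows"] = payload[pos] != 0
    fields["reserved"] = struct.unpack_from("!I", payload, pos + 1)[0]
    return fields


def build_binary_packet(payload: bytes, block_size: int = 8) -> bytes:
    """Inverse of parse_binary_packet, used to construct the sample below. Padding is
    zero-filled for reproducibility; a real peer fills it with random bytes."""
    padding_length = block_size - (5 + len(payload)) % block_size
    if padding_length < 4:
        padding_length += block_size
    packet_length = 1 + len(payload) + padding_length
    return struct.pack("!IB", packet_length, padding_length) + payload + bytes(padding_length)


def sample_kexinit_packet() -> bytes:
    """A constructed client KEXINIT with a fixed cookie (real cookies are 16 random bytes)."""
    ciphers = ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"]
    lists = {
        "kex_algorithms": ["curve25519-sha256", "ecdh-sha2-nistp256"],
        "server_host_key_algorithms": ["ssh-ed25519", "rsa-sha2-256"],
        "encryption_algorithms_client_to_server": ciphers,
        "encryption_algorithms_server_to_client": ciphers,
        "mac_algorithms_client_to_server": ["hmac-sha2-256"],
        "mac_algorithms_server_to_client": ["hmac-sha2-256"],
        "compression_algorithms_client_to_server": ["none"],
        "compression_algorithms_server_to_client": ["none"],
    }  # the two language lists stay empty, as clients normally send them
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(range(16))
    for name in KEXINIT_NAME_LISTS:
        raw = ",".join(lists.get(name, [])).encode("ascii")
        payload += struct.pack("!I", len(raw)) + raw
    payload += b"\x00" + struct.pack("!I", 0)  # first_kex_packet_follows = FALSE, reserved = 0
    return build_binary_packet(payload)
```

Calling `parse_kexinit(parse_binary_packet(sample_kexinit_packet()).payload)` returns the decoded fields; flipping any header byte or dropping the last byte makes `parse_binary_packet` raise instead of returning a payload.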
| S.no | Use Case | Description |
|---|---|---|
| 1 | Remote Server Access | Securely log into remote machines to manage servers, run commands, and monitor systems. |
| 2 | Secure File Transfer | Transfer files using SCP (Secure Copy) or SFTP (SSH File Transfer Protocol). |
| 3 | Automated Scripts & DevOps | Used in CI/CD pipelines and automation scripts for secure remote execution. |
| 4 | Port Forwarding / Tunneling | Securely tunnel other protocols (e.g., HTTP, database connections) through SSH. |
| 5 | Configuration Management | Tools like Ansible use SSH to push configurations to remote systems. |
| 6 | IoT Device Management | Securely access and control IoT devices deployed in remote or embedded environments. |
| 7 | Version Control Systems | Git and other VCS tools use SSH for secure repository access and commits. |
| 8 | Secure Remote Desktop | Used as a secure transport layer for graphical remote desktop tools (e.g., X11 forwarding). |
| 9 | Network Administration | SSH is used to configure routers, switches, and firewalls securely. |
| 10 | VPN-like Secure Access | SSH can be used to create secure tunnels that mimic VPN behavior for private access. |
| S.no | Feature | Description |
|---|---|---|
| 1 | Secure Remote Access | Provides encrypted access to remote systems over an unsecured network. |
| 2 | Authentication Methods | Supports password-based, public key, and multi-factor authentication. |
| 3 | Encryption | Ensures confidentiality and integrity of data using strong encryption algorithms. |
| 4 | Port Forwarding | Tunnels other protocols (like HTTP, RDP) securely through SSH. |
| 5 | File Transfer | Enables secure file transfer using SCP (Secure Copy) and SFTP (SSH File Transfer Protocol). |
| 6 | Command Execution | Allows execution of remote shell commands securely. |
| 7 | Session Management | Supports session resumption, multiplexing, and terminal emulation. |
| 8 | Key Management | Manages SSH keys for secure, password-less logins and automation. |
| 9 | Access Control | Restricts user access using configuration files like sshd_config and authorized_keys. |
| 10 | Logging & Auditing | Tracks login attempts, session activity, and command history for security auditing. |
Secure Remote Access - Testcases
| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | SSH Connection with Valid Credentials | Connect to server using correct username and password | Connection successful |
| 2 | SSH Connection with Invalid Password | Attempt login with wrong password | Access denied |
| 3 | SSH Connection with Invalid Username | Attempt login with non-existent user | Access denied |
| 4 | SSH Key-based Authentication | Connect using valid private key | Connection successful |
| 5 | SSH Key Authentication with Wrong Key | Use incorrect private key | Access denied |
| 6 | SSH Connection Timeout | Attempt connection to unreachable host | Connection times out |
| 7 | SSH Port Change | Connect using custom port (e.g., 2222) | Connection successful |
| 8 | SSH Connection to Disabled Port | Connect to a closed port | Connection refused |
| 9 | SSH Banner Display | Check if login banner is shown | Banner is displayed |
| 10 | SSH Login Attempt Logging | Verify logs for login attempts | Logs contain attempt details |
| 11 | SSH Session Timeout | Leave session idle beyond timeout | Session is terminated |
| 12 | SSH with Disabled Password Auth | Disable password auth, try login | Password login fails |
| 13 | SSH with Disabled Root Login | Try logging in as root | Access denied |
| 14 | SSH with Two-Factor Auth | Connect with 2FA enabled | Prompt for second factor |
| 15 | SSH with IP Whitelisting | Connect from allowed IP | Connection successful |
| 16 | SSH from Blocked IP | Connect from blacklisted IP | Connection refused |
| 17 | SSH File Transfer (SCP) | Transfer file using SCP | File transferred successfully |
| 18 | SSH File Transfer (SFTP) | Transfer file using SFTP | File transferred successfully |
| 19 | SSH Connection from Multiple Clients | Connect from multiple clients simultaneously | All connections succeed |
| 20 | SSH Session Logging | Check if session commands are logged | Commands are logged |
| 21 | SSH Connection with Hostname | Connect using hostname instead of IP | Connection successful |
| 22 | SSH Connection with DNS Failure | Use invalid hostname | Connection fails |
| 23 | SSH Key Revocation | Revoke key and attempt login | Access denied |
| 24 | SSH with Port Forwarding | Enable and test port forwarding | Port forwarding works |
| 25 | SSH with X11 Forwarding | Enable X11 and run GUI app | GUI app launches |
| 26 | SSH with Compression Enabled | Enable compression and connect | Connection successful with compression |
| 27 | SSH with Compression Disabled | Disable compression and connect | Connection successful |
| 28 | SSH Connection with Proxy | Connect via proxy server | Connection successful |
| 29 | SSH Connection with VPN | Connect over VPN | Connection successful |
| 30 | SSH Connection with Firewall Enabled | Connect with firewall rules in place | Connection allowed/blocked as per rules |
| 31 | SSH Connection with SELinux Enabled | Connect with SELinux enforcing | Connection successful |
| 32 | SSH Connection with AppArmor Enabled | Connect with AppArmor enforcing | Connection successful |
| 33 | SSH Connection with Invalid Host Key | Server presents wrong host key | Warning or connection refused |
| 34 | SSH Connection with Known Hosts Check | Connect to known host | No warning shown |
| 35 | SSH Connection with Host Key Change | Host key changed | Warning shown |
| 36 | SSH Connection with MaxAuthTries Limit | Exceed allowed auth attempts | Connection closed |
| 37 | SSH Connection with MaxSessions Limit | Exceed session limit | New session denied |
| 38 | SSH Connection with TCP Wrappers | Use hosts.allow/deny | Access allowed/denied |
| 39 | SSH Connection with PAM Enabled | Use PAM for auth | Auth succeeds/fails per PAM |
| 40 | SSH Connection with Kerberos | Use Kerberos for auth | Auth succeeds |
| 41 | SSH Connection with GSSAPI | Use GSSAPI for auth | Auth succeeds |
| 42 | SSH Connection with Keyboard-Interactive Auth | Use keyboard-interactive method | Auth succeeds |
| 43 | SSH Connection with Public Key Only | Disable all but public key auth | Only key-based login works |
| 44 | SSH Connection with Client Timeout | Client idle timeout triggers | Session ends |
| 45 | SSH Connection with Server Timeout | Server idle timeout triggers | Session ends |
| 46 | SSH Connection with Large File Transfer | Transfer large file | File transfers successfully |
| 47 | SSH Connection with High Latency | Simulate high latency | Connection remains stable |
| 48 | SSH Connection with Packet Loss | Simulate packet loss | Connection retries or fails gracefully |
| 49 | SSH Connection with IPv6 | Connect using IPv6 address | Connection successful |
| 50 | SSH Connection Audit Trail | Check audit logs for session | Session details logged |
Authentication Methods - Testcases
| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Password Authentication Enabled | Login using password | Login successful |
| 2 | Password Authentication Disabled | Attempt login with password | Login denied |
| 3 | Public Key Authentication Enabled | Login using valid key pair | Login successful |
| 4 | Public Key Authentication Disabled | Attempt login with key | Login denied |
| 5 | Invalid Password Attempt | Use wrong password | Login denied |
| 6 | Invalid Public Key | Use incorrect private key | Login denied |
| 7 | Missing Private Key | Attempt login without key | Login denied |
| 8 | Expired Password | Try login with expired password | Prompt for password change or deny |
| 9 | Locked Account | Try login with locked user | Login denied |
| 10 | Disabled Account | Try login with disabled user | Login denied |
| 11 | Keyboard-Interactive Authentication | Use keyboard-interactive method | Prompt for input, login successful |
| 12 | Keyboard-Interactive Disabled | Attempt login with method disabled | Login denied |
| 13 | GSSAPI Authentication Enabled | Use GSSAPI for login | Login successful |
| 14 | GSSAPI Authentication Disabled | Attempt GSSAPI login | Login denied |
| 15 | Kerberos Authentication Enabled | Use Kerberos ticket for login | Login successful |
| 16 | Kerberos Authentication Disabled | Attempt Kerberos login | Login denied |
| 17 | Two-Factor Authentication Enabled | Login with password + OTP | Login successful |
| 18 | Two-Factor Authentication Missing OTP | Skip OTP step | Login denied |
| 19 | Two-Factor Authentication Invalid OTP | Use wrong OTP | Login denied |
| 20 | SSH Agent Forwarding Enabled | Use agent forwarding | Key forwarded successfully |
| 21 | SSH Agent Forwarding Disabled | Attempt agent forwarding | Forwarding fails |
| 22 | Authentication Retry Limit | Exceed MaxAuthTries | Connection closed |
| 23 | Authentication Success Logging | Check logs for successful login | Log entry present |
| 24 | Authentication Failure Logging | Check logs for failed login | Log entry present |
| 25 | Authentication with Empty Password | Try login with empty password | Login denied |
| 26 | Authentication with Long Password | Use long password string | Login successful or denied |
| 27 | Authentication with Special Characters | Use password with special chars | Login successful |
| 28 | Authentication with Unicode Password | Use Unicode characters | Login successful |
| 29 | Authentication with SSH Key Passphrase | Use key with passphrase | Prompt for passphrase |
| 30 | Authentication with Invalid Key Format | Use malformed key | Login denied |
| 31 | Authentication with Revoked Key | Use revoked key | Login denied |
| 32 | Authentication with Multiple Keys | Provide multiple keys | Correct key accepted |
| 33 | Authentication with SSH Config File | Use config file for auth | Login successful |
| 34 | Authentication with SSH Certificate | Use signed certificate | Login successful |
| 35 | Authentication with Expired Certificate | Use expired cert | Login denied |
| 36 | Authentication with CA-signed Key | Use CA-signed key | Login successful |
| 37 | Authentication with Host-based Method | Use host-based auth | Login successful |
| 38 | Authentication with PAM | Use PAM for auth | Login successful |
| 39 | Authentication with LDAP | Use LDAP credentials | Login successful |
| 40 | Authentication with RADIUS | Use RADIUS backend | Login successful |
| 41 | Authentication with MFA via PAM | Use PAM + OTP | Login successful |
| 42 | Authentication with Biometric via PAM | Use biometric auth | Login successful |
| 43 | Authentication with Smart Card | Use smart card | Login successful |
| 44 | Authentication with YubiKey | Use YubiKey OTP | Login successful |
| 45 | Authentication with SSH Jump Host | Authenticate via jump host | Login successful |
| 46 | Authentication with Bastion Host | Authenticate through bastion | Login successful |
| 47 | Authentication with SSH ProxyCommand | Use ProxyCommand for auth | Login successful |
| 48 | Authentication with SSH ControlMaster | Use shared connection | Login successful |
| 49 | Authentication with SSH Key from Agent | Use key from ssh-agent | Login successful |
| 50 | Authentication with SSH Key from File | Use key from file | Login successful |
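Test cases 22 (MaxAuthTries), 23 and 24 (success and failure logging) are verified by reading the server's authentication log. The following added example (my own code, not from the page) parses constructed sshd log lines and extracts the two signals a defender looks for in them: failure counts per source address, and a successful login that follows a run of failures from the same address. The log lines, host name and addresses are constructed, and the threshold of 5 is an assumed policy value.

```python
from __future__ import annotations
import re
from collections import Counter

# Constructed sample in the syslog format sshd writes at LogLevel INFO. Addresses come from
# the RFC 5737 documentation ranges and the key fingerprint is a placeholder.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:12 bastion sshd[2311]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2: ED25519 SHA256:PLACEHOLDER_FINGERPRINT
Mar  3 10:01:40 bastion sshd[2320]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:41 bastion sshd[2320]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:43 bastion sshd[2320]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:45 bastion sshd[2320]: Disconnecting invalid user admin 203.0.113.5 port 51234: Too many authentication failures [preauth]
Mar  3 10:02:02 bastion sshd[2333]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:02:10 bastion sshd[2333]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:03:30 bastion sshd[2350]: Failed password for bob from 192.0.2.44 port 60001 ssh2
Mar  3 10:03:35 bastion sshd[2350]: Accepted password for bob from 192.0.2.44 port 60001 ssh2
Mar  3 10:04:00 bastion sshd[2361]: Invalid user guest from 203.0.113.5 port 51260
"""

# "Accepted <method> for <user>" and "Failed <method> for [invalid user] <user>" lines;
# other sshd lines (disconnects, bare invalid-user notices) carry no attempt and are skipped.
AUTH_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<outcome>Accepted|Failed) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>[0-9A-Fa-f.:]+) port (?P<port>\d+)"
)


def parse_auth_events(text: str) -> list[dict]:
    """One dict per authentication attempt, in log order."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["invalid_user"] = ev.pop("invalid") is not None  # account does not exist on the host
            events.append(ev)
    return events


def failures_by_source(events: list[dict]) -> Counter:
    """Failed attempts per client address (test case 24: failures must be logged)."""
    return Counter(ev["ip"] for ev in events if ev["outcome"] == "Failed")


def brute_force_sources(events: list[dict], threshold: int = 5) -> list[str]:
    """Addresses with at least `threshold` failures. 5 is an assumed policy value (it matches
    fail2ban's default maxretry); the page does not specify one."""
    return sorted(ip for ip, n in failures_by_source(events).items() if n >= threshold)


def success_after_failures(events: list[dict]) -> dict[str, tuple[str, int]]:
    """Accepted logins preceded by failures from the same address, mapped to
    (user, failures before success). A guessed password leaves exactly this trace."""
    pending: Counter = Counter()
    hits: dict[str, tuple[str, int]] = {}
    for ev in events:
        if ev["outcome"] == "Failed":
            pending[ev["ip"]] += 1
        elif pending[ev["ip"]]:
            hits[ev["ip"]] = (ev["user"], pending[ev["ip"]])
    return hits


if __name__ == "__main__":
    evs = parse_auth_events(SAMPLE_AUTH_LOG)
    print("failures by source:", dict(failures_by_source(evs)))
    print("brute-force sources:", brute_force_sources(evs))
    print("success after failures:", success_after_failures(evs))
```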
Encryption - Testcases
| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Default Cipher Usage | Connect using default settings | Secure connection established |
| 2 | Specific Cipher Selection | Force use of specific cipher (e.g., AES256) | Cipher used successfully |
| 3 | Unsupported Cipher | Use unsupported cipher | Connection fails |
| 4 | Weak Cipher Disabled | Disable weak ciphers (e.g., RC4) | Connection uses strong cipher |
| 5 | Cipher Negotiation | Client and server negotiate cipher | Strongest common cipher selected |
| 6 | MAC Algorithm Selection | Specify MAC algorithm (e.g., HMAC-SHA2) | MAC used successfully |
| 7 | MAC Algorithm Mismatch | Use mismatched MACs | Connection fails |
| 8 | Integrity Check | Modify data in transit | Integrity check fails |
| 9 | Replay Attack Simulation | Replay encrypted packets | Replay detected and blocked |
| 10 | Packet Tampering | Alter encrypted packet | Connection terminated |
| 11 | Encryption Enabled | Verify encryption is active | Data is encrypted |
| 12 | Encryption Disabled | Attempt connection without encryption | Connection denied |
| 13 | Cipher Suite Logging | Log cipher used in session | Cipher logged correctly |
| 14 | SSHv2 Encryption | Use SSH version 2 | Encryption works as expected |
| 15 | SSHv1 Encryption | Attempt SSHv1 connection | Connection denied |
| 16 | AES-128 Encryption | Use AES-128 cipher | Connection successful |
| 17 | AES-256 Encryption | Use AES-256 cipher | Connection successful |
| 18 | ChaCha20 Encryption | Use ChaCha20 cipher | Connection successful |
| 19 | Blowfish Encryption | Use Blowfish cipher | Connection successful |
| 20 | Triple DES Encryption | Use 3DES cipher | Connection successful |
| 21 | RC4 Encryption | Use RC4 cipher | Connection denied (if disabled) |
| 22 | GCM Mode Encryption | Use AES-GCM mode | Connection successful |
| 23 | CBC Mode Encryption | Use AES-CBC mode | Connection successful |
| 24 | ECB Mode Encryption | Attempt ECB mode | Connection denied |
| 25 | Encryption Performance Test | Measure encryption overhead | Acceptable latency |
| 26 | Encrypted File Transfer | Transfer file via SCP/SFTP | File encrypted in transit |
| 27 | Encrypted Command Execution | Run remote command | Output encrypted |
| 28 | Encrypted Port Forwarding | Use encrypted tunnel | Data encrypted |
| 29 | Encrypted X11 Forwarding | Use X11 forwarding | GUI data encrypted |
| 30 | Encrypted Session Timeout | Idle encrypted session | Session terminated securely |
| 31 | Encrypted Session Resume | Resume interrupted session | Session resumes securely |
| 32 | Encrypted Session Termination | Terminate session | No data leak |
| 33 | Encrypted Authentication | Authenticate over encrypted channel | Credentials protected |
| 34 | Encrypted Key Exchange | Verify key exchange encryption | Keys exchanged securely |
| 35 | Diffie-Hellman Key Exchange | Use DH for key exchange | Secure session established |
| 36 | ECDH Key Exchange | Use ECDH for key exchange | Secure session established |
| 37 | RSA Key Exchange | Use RSA for key exchange | Secure session established |
| 38 | Key Exchange Logging | Log key exchange details | Logged securely |
| 39 | Key Exchange Failure | Simulate failure | Connection denied |
| 40 | Encrypted Session Logging | Log encrypted session | Logs show encrypted traffic |
| 41 | Encrypted Session Replay | Replay encrypted session | Replay blocked |
| 42 | Encrypted Session Hijack | Attempt hijack | Hijack prevented |
| 43 | Encrypted Session Sniffing | Attempt packet sniffing | Data unreadable |
| 44 | Encrypted Session with VPN | Use VPN + SSH encryption | Double encryption successful |
| 45 | Encrypted Session with Proxy | Use proxy + SSH encryption | Encryption maintained |
| 46 | Encrypted Session with Firewall | Connect through firewall | Encryption intact |
| 47 | Encrypted Session with IDS | Detect encrypted traffic | IDS logs encrypted session |
| 48 | Encrypted Session with IPS | IPS inspects encrypted traffic | No data leak |
| 49 | Encrypted Session with TLS | Use TLS tunnel + SSH | Encryption layered |
| 50 | Encrypted Session with Compression | Enable compression | Data encrypted and compressed |
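Several of the Secure Remote Access test cases (11 session timeout, 12 disabled password auth, 13 disabled root login, 36 MaxAuthTries) and Encryption test cases (4 and 21 weak ciphers such as RC4, 15 no SSH-1) can be pre-checked by reading the server's configuration before any connection is attempted. This added example (my own code, not from the page) audits an sshd_config text against those expectations and mirrors sshd's rule that the first value of a keyword wins. WEAK_SSHD_CONFIG and HARDENED_SSHD_CONFIG are constructed samples; the weak-algorithm names and the defaults used for absent keywords follow OpenSSH's documented behaviour.

```python
from __future__ import annotations

# Constructed sample sshd_config with several weak settings; not taken from any real host.
WEAK_SSHD_CONFIG = """\
Port 2222
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 10
Ciphers aes128-ctr,aes256-ctr,3des-cbc
MACs hmac-sha2-256,hmac-md5
ClientAliveInterval 0
LogLevel INFO
Match User deploy
    PasswordAuthentication no
"""

# Constructed counterpart that satisfies every check below.
HARDENED_SSHD_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
ClientAliveInterval 300
ClientAliveCountMax 2
LogLevel VERBOSE
"""

# OpenSSH spellings of the algorithms the Encryption test cases expect to be refused
# (RC4 is "arcfour"), plus MD5 and truncated MACs.
WEAK_CIPHERS = {"arcfour", "arcfour128", "arcfour256", "3des-cbc", "blowfish-cbc", "cast128-cbc"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}


def parse_sshd_config(text: str) -> dict[str, str]:
    """Global keyword values with lower-cased keywords; the first occurrence wins.

    sshd uses the first value it reads for each keyword, so the later
    'PasswordAuthentication no' in the weak sample does not rescue it. Lines after the
    first Match keyword apply conditionally and are left out of the global audit.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        if len(parts) == 2 and keyword not in settings:
            settings[keyword] = parts[1].strip()
    return settings


def enabled_algorithms(value: str) -> set[str]:
    """Names enabled by a Ciphers/MACs value. A leading '-' removes names from the default
    set instead of enabling them; '+' appends to and '^' prepends to the default set."""
    if value.startswith("-"):
        return set()
    return {n.strip().lower() for n in value.lstrip("+^").split(",") if n.strip()}


def audit_sshd_config(text: str) -> list[tuple[str, str]]:
    """(keyword, finding) pairs for the settings the test cases above exercise. Defaults
    used for absent keywords are OpenSSH's: PermitRootLogin prohibit-password,
    PasswordAuthentication yes, MaxAuthTries 6, ClientAliveInterval 0."""
    cfg = parse_sshd_config(text)
    findings: list[tuple[str, str]] = []
    root = cfg.get("permitrootlogin", "prohibit-password").lower()
    if root not in {"no", "prohibit-password", "without-password"}:
        findings.append(("permitrootlogin", "root may log in with a password; set PermitRootLogin no"))
    if cfg.get("passwordauthentication", "yes").lower() != "no":
        findings.append(("passwordauthentication", "password logins allowed; prefer PasswordAuthentication no"))
    if "1" in cfg.get("protocol", "2").split(","):  # legacy keyword; SSH-1 must never be offered
        findings.append(("protocol", "SSH-1 is listed; only protocol 2 is acceptable"))
    if int(cfg.get("maxauthtries", "6")) > 6:  # sshd itself rejects non-integer values here
        findings.append(("maxauthtries", "above the default of 6; more guesses allowed per connection"))
    weak = enabled_algorithms(cfg.get("ciphers", "")) & WEAK_CIPHERS
    if weak:
        findings.append(("ciphers", "weak ciphers enabled: " + ", ".join(sorted(weak))))
    weak = enabled_algorithms(cfg.get("macs", "")) & WEAK_MACS
    if weak:
        findings.append(("macs", "weak MACs enabled: " + ", ".join(sorted(weak))))
    if int(cfg.get("clientaliveinterval", "0")) == 0:
        findings.append(("clientaliveinterval", "0: sshd never probes idle clients, so dead sessions stay open"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{name}: {audit_sshd_config(text) or 'no findings'}")
```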
Port Forwarding - Testcases
| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Local Port Forwarding Enabled | Forward local port to remote service | Connection successful |
| 2 | Remote Port Forwarding Enabled | Forward remote port to local service | Connection successful |
| 3 | Dynamic Port Forwarding Enabled | Use SOCKS proxy via SSH | Proxy works correctly |
| 4 | Local Port Forwarding Disabled | Attempt forwarding when disabled | Forwarding fails |
| 5 | Remote Port Forwarding Disabled | Attempt remote forwarding when disabled | Forwarding fails |
| 6 | Dynamic Port Forwarding Disabled | Attempt dynamic forwarding when disabled | Forwarding fails |
| 7 | Forwarding to Open Port | Forward to a reachable port | Data transmitted successfully |
| 8 | Forwarding to Closed Port | Forward to an unreachable port | Connection refused |
| 9 | Forwarding to Invalid Host | Use invalid hostname in forwarding | Forwarding fails |
| 10 | Forwarding with Authentication | Use forwarding after successful login | Forwarding works |
| 11 | Forwarding with Invalid Credentials | Attempt forwarding with bad login | Connection denied |
| 12 | Forwarding with SSH Key | Use key-based auth for forwarding | Forwarding works |
| 13 | Forwarding with Password Auth | Use password-based auth | Forwarding works |
| 14 | Forwarding with IPv6 | Use IPv6 address in forwarding | Forwarding works |
| 15 | Forwarding with IPv4 | Use IPv4 address in forwarding | Forwarding works |
| 16 | Forwarding with DNS Name | Use hostname in forwarding | Forwarding works |
| 17 | Forwarding with Port Already in Use | Use a busy local port | Forwarding fails |
| 18 | Forwarding with Firewall Blocking | Block forwarded port via firewall | Connection fails |
| 19 | Forwarding with SELinux Enabled | Use forwarding with SELinux enforcing | Forwarding works or is blocked |
| 20 | Forwarding with AppArmor Enabled | Use forwarding with AppArmor | Forwarding works or is blocked |
| 21 | Forwarding with Logging Enabled | Check logs for forwarding activity | Logs show forwarding |
| 22 | Forwarding with Logging Disabled | Check logs when logging off | No forwarding logs |
| 23 | Forwarding with Compression | Enable compression during forwarding | Forwarding works with compression |
| 24 | Forwarding with No Compression | Disable compression | Forwarding works |
| 25 | Forwarding with Multiple Sessions | Use multiple forwarded sessions | All sessions work |
| 26 | Forwarding with SSH Config File | Use config file to define forwarding | Forwarding works |
| 27 | Forwarding with ProxyCommand | Use ProxyCommand with forwarding | Forwarding works |
| 28 | Forwarding with Jump Host | Use jump host for forwarding | Forwarding works |
| 29 | Forwarding with Bastion Host | Use bastion host | Forwarding works |
| 30 | Forwarding with VPN | Use VPN with forwarding | Forwarding works |
| 31 | Forwarding with Packet Loss | Simulate packet loss | Forwarding retries or fails gracefully |
| 32 | Forwarding with High Latency | Simulate high latency | Forwarding remains stable |
| 33 | Forwarding with Large Data | Transfer large data through tunnel | Data transfers successfully |
| 34 | Forwarding with Encrypted Traffic | Ensure traffic is encrypted | Data is encrypted |
| 35 | Forwarding with Unencrypted Traffic | Attempt unencrypted forwarding | Traffic is blocked or insecure |
| 36 | Forwarding with Port Range | Forward a range of ports | All ports forward successfully |
| 37 | Forwarding with Port Conflict | Conflict with existing service | Forwarding fails |
| 38 | Forwarding with SSH Agent | Use agent with forwarding | Forwarding works |
| 39 | Forwarding with SSH Certificate | Use cert-based auth | Forwarding works |
| 40 | Forwarding with Expired Certificate | Use expired cert | Forwarding fails |
| 41 | Forwarding with Host Key Check | Host key mismatch | Warning or failure |
| 42 | Forwarding with StrictHostKeyChecking | Enable strict checking | Forwarding fails on mismatch |
| 43 | Forwarding with ControlMaster | Use shared connection | Forwarding works |
| 44 | Forwarding with ControlPersist | Use persistent connection | Forwarding works |
| 45 | Forwarding with SOCKS5 Proxy | Use dynamic forwarding as SOCKS5 | Proxy works |
| 46 | Forwarding with HTTP Proxy | Use HTTP proxy with forwarding | Forwarding works |
| 47 | Forwarding with Authentication Proxy | Use proxy with auth | Forwarding works |
| 48 | Forwarding with Port Knocking | Use port knocking before forwarding | Forwarding works |
| 49 | Forwarding with Fail2Ban | Trigger ban via failed attempts | IP is banned |
| 50 | Forwarding with Audit Trail | Check audit logs | Forwarding activity logged |
File Transfer - Testcases
| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Connect to SSH server | Attempt to connect to a valid SSH server | Connection established |
| 2 | Invalid SSH credentials | Use wrong username/password | Authentication fails |
| 3 | Transfer small text file | Send a small .txt file | File transferred successfully |
| 4 | Transfer large file | Send a file >1GB | File transferred without corruption |
| 5 | Transfer binary file | Send a .exe or .bin file | File integrity maintained |
| 6 | Transfer image file | Send a .jpg or .png file | Image opens correctly after transfer |
| 7 | Transfer with SCP | Use SCP protocol for file transfer | File transferred successfully |
| 8 | Transfer with SFTP | Use SFTP protocol for file transfer | File transferred successfully |
| 9 | Transfer with Rsync over SSH | Use Rsync with SSH | File synced correctly |
| 10 | Transfer with key-based auth | Use SSH key instead of password | Authentication succeeds |
| 11 | Transfer with expired key | Use an expired SSH key | Authentication fails |
| 12 | Transfer with revoked key | Use a revoked SSH key | Authentication fails |
| 13 | Transfer with wrong key | Use a mismatched SSH key | Authentication fails |
| 14 | Transfer to non-existent path | Specify invalid destination path | Transfer fails with error |
| 15 | Transfer from non-existent path | Specify invalid source path | Transfer fails with error |
| 16 | Transfer with read-only source | Source file has read-only permissions | Transfer succeeds |
| 17 | Transfer with write-protected destination | Destination is write-protected | Transfer fails |
| 18 | Transfer with network interruption | Simulate network drop during transfer | Transfer fails or resumes |
| 19 | Resume interrupted transfer | Resume a previously interrupted transfer | Transfer resumes correctly |
| 20 | Transfer multiple files | Send multiple files in one command | All files transferred |
| 21 | Transfer directory | Send a folder recursively | All contents transferred |
| 22 | Transfer with symbolic links | Include symlinks in transfer | Links preserved or resolved |
| 23 | Transfer with compression | Use compression during transfer | Transfer is faster |
| 24 | Transfer with encryption | Ensure SSH encryption is active | Data is encrypted |
| 25 | Transfer with verbose logging | Enable verbose mode | Detailed logs generated |
| 26 | Transfer with quiet mode | Enable quiet mode | Minimal output shown |
| 27 | Transfer with progress bar | Show progress during transfer | Progress bar updates correctly |
| 28 | Transfer with bandwidth limit | Limit transfer speed | Speed capped as configured |
| 29 | Transfer with timeout | Set timeout for transfer | Transfer aborts after timeout |
| 30 | Transfer with retry | Enable retry on failure | Transfer retries automatically |
| 31 | Transfer with checksum verification | Verify file integrity post-transfer | Checksums match |
| 32 | Transfer with file rename | Rename file during transfer | File renamed correctly |
| 33 | Transfer with overwrite | Overwrite existing file | File replaced successfully |
| 34 | Transfer without overwrite | Prevent overwrite | Transfer fails or skips file |
| 35 | Transfer with file permission change | Change file permissions post-transfer | Permissions updated |
| 36 | Transfer with ownership change | Change file owner post-transfer | Ownership updated |
| 37 | Transfer with special characters in filename | Use filenames with @#$%^&*() | File transferred correctly |
| 38 | Transfer with spaces in filename | Use filenames with spaces | File transferred correctly |
| 39 | Transfer with unicode filename | Use non-ASCII characters | File transferred correctly |
| 40 | Transfer with hidden files | Include hidden files (e.g., .env) | Hidden files transferred |
| 41 | Transfer with file filtering | Transfer only .txt files | Only .txt files transferred |
| 42 | Transfer with date filtering | Transfer files modified after a date | Only recent files transferred |
| 43 | Transfer with size filtering | Transfer files >100MB | Only large files transferred |
| 44 | Transfer with logging enabled | Enable transfer logs | Logs created and saved |
| 45 | Transfer with audit trail | Enable audit tracking | Audit logs updated |
| 46 | Transfer with concurrent sessions | Run multiple transfers simultaneously | All sessions succeed |
| 47 | Transfer with firewall enabled | SSH through firewall | Transfer succeeds or blocked |
| 48 | Transfer with VPN | SSH over VPN connection | Transfer succeeds |
| 49 | Transfer with proxy | SSH through proxy server | Transfer succeeds |
| 50 | Transfer with IPv6 | Use IPv6 address for SSH | Transfer succeeds |
Command Execution - Testcases
| Sl.No | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Connect to SSH server | Attempt to connect to a valid SSH server | Connection established |
| 2 | Invalid SSH credentials | Use wrong username/password | Authentication fails |
| 3 | Execute simple command | Run ls on remote server | Directory listing returned |
| 4 | Execute command with arguments | Run ls -l /home/user | Detailed listing returned |
| 5 | Execute command with pipe | Run “ps aux \| grep ssh” | |
| 6 | Execute command with redirection | Run echo “test” > test.txt | File created with content |
| 7 | Execute command with sudo | Run sudo apt update | Command executed with elevated privileges |
| 8 | Execute command with environment variable | Run echo $HOME | Home directory path returned |
| 9 | Execute command with special characters | Run echo “Hello & Goodbye” | Output displayed correctly |
| 10 | Execute command with Unicode | Run echo “??????” | Unicode output displayed |
| 11 | Execute command with long output | Run cat largefile.txt | Full output returned |
| 12 | Execute command with error | Run cat nonexistent.txt | Error message returned |
| 13 | Execute command with exit code | Run exit 1 | Exit code captured |
| 14 | Execute command with timeout | Run long-running command with timeout | Command aborted after timeout |
| 15 | Execute background command | Run sleep 60 & | Command runs in background |
| 16 | Execute command with input | Run read var and provide input | Input accepted |
| 17 | Execute command with alias | Run ll if alias is set | Alias executed correctly |
| 18 | Execute command with script | Run a shell script remotely | Script executed successfully |
| 19 | Execute command with file creation | Run touch newfile.txt | File created |
| 20 | Execute command with file deletion | Run rm oldfile.txt | File deleted |
| 21 | Execute command with directory creation | Run mkdir newdir | Directory created |
| 22 | Execute command with directory deletion | Run rmdir newdir | Directory deleted |
| 23 | Execute command with file move | Run mv file1.txt dir/ | File moved successfully |
| 24 | Execute command with file copy | Run cp file1.txt file2.txt | File copied successfully |
| 25 | Execute command with file permission change | Run chmod 755 script.sh | Permissions updated |
| 26 | Execute command with file ownership change | Run chown user:user file.txt | Ownership updated |
| 27 | Execute command with disk usage | Run df -h | Disk usage displayed |
| 28 | Execute command with memory usage | Run free -m | Memory usage displayed |
| 29 | Execute command with CPU usage | Run top -n 1 | CPU usage displayed |
| 30 | Execute command with network info | Run ifconfig or ip a | Network info displayed |
| 31 | Execute command with hostname | Run hostname | Hostname returned |
| 32 | Execute command with uptime | Run uptime | System uptime displayed |
| 33 | Execute command with date/time | Run date | Current date/time displayed |
| 34 | Execute command with user info | Run whoami | Current user displayed |
| 35 | Execute command with user list | Run users | Logged-in users listed |
| 36 | Execute command with process kill | Run kill PID | Process terminated |
| 37 | Execute command with service start | Run systemctl start nginx | Service started |
| 38 | Execute command with service stop | Run systemctl stop nginx | Service stopped |
| 39 | Execute command with service status | Run systemctl status nginx | Service status displayed |
| 40 | Execute command with package install | Run apt install curl | Package installed |
| 41 | Execute command with package remove | Run apt remove curl | Package removed |
| 42 | Execute command with package update | Run apt update | Package list updated |
| 43 | Execute command with package upgrade | Run apt upgrade | Packages upgraded |
| 44 | Execute command with log view | Run tail -n 100 /var/log/syslog | Log entries displayed |
| 45 | Execute command with SSH key auth | Use SSH key for command execution | Command executed successfully |
| 46 | Execute command with revoked key | Use revoked SSH key | Authentication fails |
| 47 | Execute command with firewall enabled | SSH through firewall | Command executed or blocked |
| 48 | Execute command with VPN | SSH over VPN | Command executed successfully |
| 49 | Execute command with proxy | SSH through proxy | Command executed successfully |
| 50 | Execute command with IPv6 | Use IPv6 address for SSH | Command executed successfully |
Session Management - Testcases
# | Test Case | Description | Expected Result |
---|---|---|---|
1 | Start SSH session | Initiate a new SSH session | Session starts successfully |
2 | End SSH session | Terminate an active session | Session ends cleanly |
3 | Invalid credentials | Attempt login with wrong password | Session denied |
4 | Valid credentials | Login with correct credentials | Session established |
5 | Key-based login | Authenticate using SSH key | Session established |
6 | Expired key | Use an expired SSH key | Session denied |
7 | Revoked key | Use a revoked SSH key | Session denied |
8 | Session timeout | Leave session idle beyond timeout | Session auto-terminated |
9 | Session keep-alive | Send keep-alive signals | Session remains active |
10 | Concurrent sessions | Open multiple sessions from same user | All sessions allowed |
11 | Max session limit | Exceed allowed concurrent sessions | New session denied |
12 | Session from different IPs | Connect from multiple IPs | Sessions allowed |
13 | Session from blocked IP | Connect from blacklisted IP | Session denied |
14 | Session logging | Enable session logging | Logs created |
15 | Session replay | Replay session from logs | Session activity visible |
16 | Session hijack attempt | Simulate session hijack | Session terminated or alert triggered |
17 | Session encryption | Verify session is encrypted | Data is secure |
18 | Session with port forwarding | Enable port forwarding | Port forwarding works |
19 | Session without port forwarding | Disable port forwarding | Port forwarding blocked |
20 | Session with X11 forwarding | Enable X11 forwarding | GUI apps open remotely |
21 | Session with agent forwarding | Enable agent forwarding | Agent forwarding works |
22 | Session with restricted shell | Use restricted shell | Limited commands available |
23 | Session with full shell | Use full shell | All commands accessible |
24 | Session with sudo access | Use sudo in session | Elevated access granted |
25 | Session without sudo access | Try sudo without rights | Access denied |
26 | Session with environment variables | Set env vars on login | Variables available |
27 | Session with login banner | Display banner on login | Banner shown |
28 | Session with MOTD | Show message of the day | MOTD displayed |
29 | Session with audit trail | Enable auditing | Session tracked |
30 | Session with login script | Run script on login | Script executes |
31 | Session with logout script | Run script on logout | Script executes |
32 | Session with restricted user | Login as restricted user | Limited access |
33 | Session with root user | Login as root | Full access granted |
34 | Session with locked user | Login as locked user | Access denied |
35 | Session with expired password | Login with expired password | Prompt for password change |
36 | Session with password change | Change password during session | Password updated |
37 | Session with two-factor auth | Enable 2FA | Prompt for second factor |
38 | Session with OTP | Use one-time password | Session established |
39 | Session with certificate auth | Use SSH certificate | Session established |
40 | Session with invalid certificate | Use expired/invalid cert | Session denied |
41 | Session with IP whitelisting | Allow only whitelisted IPs | Session allowed/denied accordingly |
42 | Session with geo-restriction | Restrict by region | Session denied if outside region |
43 | Session with time restriction | Allow login only during hours | Session denied outside hours |
44 | Session with command restriction | Allow only specific commands | Other commands blocked |
45 | Session with file access restriction | Restrict file access | Unauthorized access blocked |
46 | Session with logging disabled | Disable session logs | No logs created |
47 | Session with logging enabled | Enable detailed logs | Logs include all activity |
48 | Session with alert on login | Send alert on login | Alert received |
49 | Session with alert on logout | Send alert on logout | Alert received |
50 | Session with session ID tracking | Track session by ID | Session ID logged and traceable |
Key Management - Testcases
# | Test Case | Description | Expected Result |
---|---|---|---|
1 | Generate RSA key pair | Create a new RSA key pair | Key pair generated successfully |
2 | Generate ECDSA key pair | Create a new ECDSA key pair | Key pair generated successfully |
3 | Generate ED25519 key pair | Create a new ED25519 key pair | Key pair generated successfully |
4 | Generate key with passphrase | Create key with a passphrase | Key protected with passphrase |
5 | Generate key without passphrase | Create key without passphrase | Key created without protection |
6 | View public key | Display contents of public key | Public key shown |
7 | View private key | Display contents of private key | Private key shown (restricted) |
8 | Add public key to authorized_keys | Add key to server for access | Key added successfully |
9 | Remove public key from authorized_keys | Remove access for a key | Key removed successfully |
10 | Use valid key for login | Authenticate using valid key | Login successful |
11 | Use invalid key for login | Try login with wrong key | Login denied |
12 | Use expired key | Try login with expired key | Login denied |
13 | Use revoked key | Try login with revoked key | Login denied |
14 | Use corrupted key | Try login with malformed key | Login denied |
15 | Use key with wrong permissions | Set wrong file permissions | SSH warns or denies access |
16 | Change key permissions to 600 | Set correct permissions | SSH accepts key |
17 | Copy key to remote server | Use ssh-copy-id to install key | Key copied successfully |
18 | Manually install key | Copy key manually to server | Key works for login |
19 | Remove key from server | Delete key from authorized_keys | Access revoked |
20 | Rotate key pair | Replace old key with new one | New key works, old one revoked |
21 | Backup key pair | Save key to secure location | Backup created |
22 | Restore key pair | Restore from backup | Key works as expected |
23 | Use key with SSH agent | Add key to agent | Key loaded into agent |
24 | Remove key from SSH agent | Unload key from agent | Key removed |
25 | List keys in SSH agent | View loaded keys | Keys listed |
26 | Use key with multiple servers | Use same key on multiple hosts | Login successful on all |
27 | Use different keys per server | Use unique key per host | Correct key used per host |
28 | Use key with config file | Define key in ~/.ssh/config | SSH uses correct key |
29 | Use key with alias | Define host alias in config | Key used with alias |
30 | Use key with port forwarding | Authenticate with key and forward port | Port forwarding works |
31 | Use key with SCP | Transfer file using key | File transferred |
32 | Use key with SFTP | Transfer file using key | File transferred |
33 | Use key with Git over SSH | Clone repo using SSH key | Repo cloned successfully |
34 | Use key with CI/CD pipeline | Automate SSH access | Key works in pipeline |
35 | Use key with restricted shell | Limit access via key | Restrictions enforced |
36 | Use key with forced command | Force command on login | Command executed |
37 | Use key with command restrictions | Restrict commands via key options | Only allowed commands work |
38 | Use key with IP restriction | Limit key usage to IP | Access denied from other IPs |
39 | Use key with time restriction | Limit key usage to time window | Access denied outside window |
40 | Use key with certificate | Sign key with CA | Certificate-based login works |
41 | Revoke certificate | Revoke signed key | Access denied |
42 | Audit key usage | Track key-based logins | Logs show key usage |
43 | Detect unused keys | Identify keys not used recently | Report generated |
44 | Detect duplicate keys | Find reused keys across users | Duplicates identified |
45 | Detect weak keys | Identify short or insecure keys | Weak keys flagged |
46 | Enforce key length policy | Require minimum key length | Short keys rejected |
47 | Enforce key type policy | Allow only specific key types | Disallowed types rejected |
48 | Store key in HSM | Use hardware security module | Key stored securely |
49 | Store key in vault | Use secrets manager | Key retrieved securely |
50 | Delete key securely | Remove key and wipe data | Key deleted without trace |
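Rows 14 and 44 to 47 above (corrupted, duplicate, weak, too-short and disallowed keys) and the key options of rows 36 to 38 can all be checked offline against an authorized_keys file. The script below is an added example, not code from the page or from OpenSSH: the 3072-bit RSA minimum and the allowed-type set are assumed policy values, and the sample file and its key blobs are constructed (correct wire-format encodings of made-up numbers, not real keys).

```python
"""Audit an OpenSSH authorized_keys file against a key policy.

Added example, not code from the page. Flags disallowed key types, RSA moduli
below a minimum, the same key listed twice, corrupt entries, and entries with
no restricting option (command=, from=, restrict). The sample file is
constructed: its blobs are valid wire-format encodings of made-up numbers.
"""
import base64
import hashlib
import re
import struct

MIN_RSA_BITS = 3072                                                # assumed policy
ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}  # assumed policy
KEY_TYPE_RE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))$")
OPTIONS_RE = re.compile(r'^((?:[^\s"]+|"[^"]*")+)\s+(.*)$')   # up to first unquoted blank

def _ssh_string(b):                       # RFC 4251 string: uint32 length + bytes
    return struct.pack(">I", len(b)) + b

def _ssh_mpint(n):                        # RFC 4251 mpint: extra 0x00 when the high bit is set
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def synthetic_blob(ktype, *fields):       # base64 blob from already-encoded fields (constructed)
    return base64.b64encode(b"".join((_ssh_string(ktype),) + fields)).decode()

def rsa_blob(bits):                       # modulus of exactly `bits` bits, e = 65537
    return synthetic_blob(b"ssh-rsa", _ssh_mpint(65537), _ssh_mpint((1 << (bits - 1)) | 1))

def ed25519_blob(seed):                   # 32 arbitrary bytes standing in for the point
    return synthetic_blob(b"ssh-ed25519", _ssh_string(hashlib.sha256(str(seed).encode()).digest()))

def _read_strings(raw):                   # split a blob into its RFC 4251 string fields
    fields, pos = [], 0
    while pos < len(raw):
        if pos + 4 > len(raw):
            raise ValueError("truncated blob")
        n = struct.unpack(">I", raw[pos:pos + 4])[0]
        if pos + 4 + n > len(raw):
            raise ValueError("truncated blob")
        fields.append(raw[pos + 4:pos + 4 + n])
        pos += 4 + n
    return fields

def parse_entry(line):
    """Parse one authorized_keys line: None for blank/comment, ValueError if corrupt."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    if not KEY_TYPE_RE.match(line.split(None, 1)[0]):   # leading options present
        m = OPTIONS_RE.match(line)
        if not m:
            raise ValueError("options without key data")
        options, line = m.group(1), m.group(2)
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("missing key type or key data")
    ktype = parts[0]
    raw = base64.b64decode(parts[1], validate=True)   # binascii.Error is a ValueError
    fields = _read_strings(raw)
    if not fields or fields[0] != ktype.encode() or (ktype == "ssh-rsa" and len(fields) < 3):
        raise ValueError("blob does not match declared type " + ktype)
    bits = int.from_bytes(fields[2], "big").bit_length() if ktype == "ssh-rsa" else None
    # option names before '=', with commas inside quoted values ignored
    names = [o.split("=", 1)[0] for o in re.sub(r'"[^"]*"', '""', options).split(",") if o]
    # same form as ssh-keygen -l prints: SHA-256 of the blob, base64 without padding
    fp = "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")
    return {"type": ktype, "bits": bits, "fingerprint": fp, "options": names}

def audit(text):
    """Return (line_no, category, detail) findings for an authorized_keys text."""
    findings, seen = [], {}
    for no, line in enumerate(text.splitlines(), 1):
        try:
            entry = parse_entry(line)
        except ValueError as exc:
            findings.append((no, "corrupted", str(exc)))
            continue
        if entry is None:
            continue
        if entry["type"] not in ALLOWED_TYPES:
            findings.append((no, "disallowed-type", entry["type"]))
        if entry["type"] == "ssh-rsa" and entry["bits"] < MIN_RSA_BITS:
            findings.append((no, "weak-key", "rsa %d bits < %d" % (entry["bits"], MIN_RSA_BITS)))
        if entry["fingerprint"] in seen:
            findings.append((no, "duplicate", "same key as line %d" % seen[entry["fingerprint"]]))
        seen.setdefault(entry["fingerprint"], no)
        if not set(entry["options"]) & {"command", "from", "restrict"}:
            findings.append((no, "unrestricted", "no command=/from=/restrict option"))
    return findings

SAMPLE = "\n".join([                      # constructed sample file (synthetic blobs)
    "# constructed sample authorized_keys",
    "ssh-ed25519 %s alice@laptop" % ed25519_blob(1),
    "ssh-rsa %s legacy-backup" % rsa_blob(1024),
    'command="/usr/bin/rsync --server",from="10.0.0.0/8",restrict ssh-rsa %s backup-job' % rsa_blob(4096),
    "ssh-ed25519 %s alice@desktop-copy" % ed25519_blob(1),
    "ssh-dss %s ancient" % synthetic_blob(b"ssh-dss", *[_ssh_mpint(v) for v in (7, 11, 3, 5)]),
    "ssh-ed25519 not-base64!!! broken",
])
```

Calling `audit(SAMPLE)` reports the 1024-bit RSA key as weak, line 5 as a duplicate of line 2, the DSA key as a disallowed type, the last line as corrupted, and every entry except the restricted backup key as unrestricted. The fingerprint is computed from the decoded blob rather than the base64 text, so two entries that differ only in comment or options are still recognised as the same key, which is what row 44 asks for.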
Access Control - Testcases
# | Test Case | Description | Expected Result |
---|---|---|---|
1 | SSH Port Accessibility | Attempt SSH connection on default port 22 | Connection succeeds if allowed |
2 | SSH Port Blocked | Block port 22 via firewall | Connection fails |
3 | Invalid Username | Try SSH with non-existent user | Access denied |
4 | Invalid Password | Use wrong password for valid user | Access denied |
5 | Valid Credentials | Use correct username and password | Access granted |
6 | Public Key Authentication | Authenticate using valid SSH key | Access granted |
7 | Invalid SSH Key | Use incorrect SSH key | Access denied |
8 | Disabled User Account | Try SSH with disabled user | Access denied |
9 | Root Login Disabled | Attempt root login when disabled | Access denied |
10 | Root Login Enabled | Attempt root login when enabled | Access granted |
11 | IP Whitelisting | Connect from whitelisted IP | Access granted |
12 | IP Blacklisting | Connect from blacklisted IP | Access denied |
13 | MaxAuthTries Limit | Exceed MaxAuthTries | Connection closed |
14 | SSH Banner Display | Connect to SSH server | Banner message displayed |
15 | SSH Protocol Version | Use unsupported SSH version | Connection refused |
16 | SSH Protocol Version 2 | Use SSH version 2 | Connection succeeds |
17 | Port Knocking | Use correct knock sequence | SSH port opens |
18 | Port Knocking Failure | Use incorrect knock sequence | SSH port remains closed |
19 | SSH Timeout | Idle session timeout | Session terminated |
20 | SSH Session Limit | Exceed max sessions per user | New session denied |
21 | AllowUsers Directive | Connect with allowed user | Access granted |
22 | DenyUsers Directive | Connect with denied user | Access denied |
23 | AllowGroups Directive | Connect with user in allowed group | Access granted |
24 | DenyGroups Directive | Connect with user in denied group | Access denied |
25 | SSH Access Time Restriction | Connect outside allowed time window | Access denied |
26 | SSH Access Time Allowed | Connect within allowed time window | Access granted |
27 | SSH from VPN | Connect via VPN | Access granted if VPN IP is allowed |
28 | SSH from Public Network | Connect from public IP | Access denied if restricted |
29 | SSH Logging Enabled | Attempt SSH connection | Logs are generated |
30 | SSH Logging Disabled | Attempt SSH connection | No logs generated |
31 | SSH with MFA Enabled | Connect with MFA | Access granted after second factor |
32 | SSH with MFA Disabled | Connect without MFA | Access granted if credentials are valid |
33 | SSH Key Revocation | Use revoked SSH key | Access denied |
34 | SSH Key Expiry | Use expired SSH key | Access denied |
35 | SSH with Port Forwarding | Enable port forwarding | Port forwarding works |
36 | SSH Port Forwarding Disabled | Attempt port forwarding | Access denied |
37 | SSH with X11 Forwarding | Enable X11 forwarding | GUI apps launch remotely |
38 | SSH X11 Forwarding Disabled | Attempt X11 forwarding | Access denied |
39 | SSH with SCP | Transfer file using SCP | File transferred successfully |
40 | SSH with SFTP | Transfer file using SFTP | File transferred successfully |
41 | SSH with Compression | Enable compression | Session uses compression |
42 | SSH with No Compression | Disable compression | Session does not use compression |
43 | SSH Brute Force Detection | Attempt multiple logins rapidly | IP blocked or throttled |
44 | SSH Access from IPv6 | Connect using IPv6 | Access granted if allowed |
45 | SSH Access from IPv4 | Connect using IPv4 | Access granted if allowed |
46 | SSH Daemon Restart | Restart SSH service | Service restarts and accepts connections |
47 | SSH Config Reload | Reload SSH config without restart | New config applied |
48 | SSH Access Audit Trail | Review audit logs | All access attempts logged |
49 | SSH Session Hijack Attempt | Simulate session hijack | Session terminated or alert triggered |
50 | SSH Access Control Backup | Backup SSH config and keys | Backup completed successfully |
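Rows 9, 13, 19, 21 to 24, 36 and 38 above all reduce to sshd_config directives, so the expected results can be pre-checked from the configuration file before any connection test is run. The script below is an added example, not code from the page or from OpenSSH. It resolves a config the way sshd does (the first occurrence of a keyword wins, and directives under a Match line are conditional rather than global), fills in sshd's documented defaults for unset directives, and reports deviations from an assumed policy; the policy thresholds and both sample configs are constructed for the demo.

```python
"""Check an sshd_config text against a hardening policy.

Added example, not code from the page. Reads global directives the way sshd
does (first occurrence of a keyword wins; Match blocks are conditional), fills
in sshd's defaults for anything unset, and reports policy deviations. The
policy thresholds and both sample configs are constructed for the demo.
"""
import re

# sshd defaults (OpenSSH 7.0 and later) applied when a directive is absent.
DEFAULTS = {
    "permitrootlogin": "prohibit-password", "passwordauthentication": "yes",
    "pubkeyauthentication": "yes", "permitemptypasswords": "no",
    "x11forwarding": "no", "allowtcpforwarding": "yes", "maxauthtries": "6",
    "clientaliveinterval": "0", "clientalivecountmax": "3", "loglevel": "info",
}
# Assumed policy: directive -> predicate over the lower-cased effective value.
POLICY = {
    "permitrootlogin": lambda v: v == "no",
    "passwordauthentication": lambda v: v == "no",
    "pubkeyauthentication": lambda v: v == "yes",
    "permitemptypasswords": lambda v: v == "no",
    "x11forwarding": lambda v: v == "no",
    "allowtcpforwarding": lambda v: v in ("no", "local"),
    "maxauthtries": lambda v: int(v) <= 4,
    "clientaliveinterval": lambda v: 0 < int(v) <= 300,   # idle sessions must time out
    "clientalivecountmax": lambda v: int(v) <= 3,
    "loglevel": lambda v: v in ("info", "verbose"),        # INFO is the lowest level that logs logins
}
DIRECTIVE_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")   # "Key value" or "Key=value"

def parse_sshd_config(text):
    """Return {keyword: value} for the global section; keywords are lower-cased."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # strip comments and indentation
        m = DIRECTIVE_RE.match(line) if line else None
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":                        # everything after is conditional
            break
        conf.setdefault(key, value)               # first occurrence wins, as in sshd
    return conf

def check(conf):
    """Return (directive, effective value, origin) for each policy violation."""
    findings = []
    for key, ok in POLICY.items():
        value = conf.get(key, DEFAULTS[key])
        origin = "set" if key in conf else "default"
        try:
            passed = ok(value.lower())
        except ValueError:                        # non-numeric where a number is required
            passed = False
        if not passed:
            findings.append((key, value, origin))
    if not (conf.get("allowusers") or conf.get("allowgroups")):
        findings.append(("allowusers/allowgroups", "", "unset"))   # no explicit allow list
    return findings

# Constructed samples: a permissive config whose Match block must not be
# mistaken for a global setting, and a config that satisfies the policy.
WEAK = """\
# constructed sample: permissive sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
X11Forwarding yes
ClientAliveInterval 0
Match User backup
    PasswordAuthentication no
"""
HARDENED = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
AllowTcpForwarding local
MaxAuthTries 4
ClientAliveInterval 300
ClientAliveCountMax 2
LogLevel VERBOSE
AllowGroups ssh-users
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, check(parse_sshd_config(text)) or "compliant")
```

Reporting the origin of each failing value matters in practice: AllowTcpForwarding is flagged for the weak config even though it never appears there, because sshd's default is yes. For the live daemon, `sshd -T` prints the same effective values and can be fed to `parse_sshd_config` in place of the file.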
Logging & Auditing - Testcases
# | Test Case | Description | Expected Result |
---|---|---|---|
1 | Log File Creation | Trigger an event that should be logged | Log file is created |
2 | Log File Rotation | Generate logs beyond size threshold | Log file rotates as configured |
3 | Log File Retention | Check old logs after retention period | Old logs are deleted or archived |
4 | Log Timestamp Format | Check timestamp in logs | Timestamp is in correct format |
5 | Log Severity Levels | Generate logs of different severities | Logs show correct severity (INFO, WARN, ERROR) |
6 | Unauthorized Access Attempt | Attempt unauthorized access | Event is logged with alert |
7 | Successful Login | Perform successful login | Login event is logged |
8 | Failed Login | Attempt login with wrong credentials | Failed login is logged |
9 | File Access Logging | Access a monitored file | Access event is logged |
10 | File Modification Logging | Modify a monitored file | Modification is logged |
11 | File Deletion Logging | Delete a monitored file | Deletion is logged |
12 | Command Execution Logging | Run a command | Command is logged |
13 | Privilege Escalation Logging | Use sudo or similar | Escalation is logged |
14 | SSH Session Logging | Start and end SSH session | Session start and end are logged |
15 | Log Integrity Check | Tamper with log file | Integrity check fails or alert is triggered |
16 | Log Encryption | Enable log encryption | Logs are stored encrypted |
17 | Log Access Control | Try accessing logs without permission | Access denied and logged |
18 | Log Forwarding | Forward logs to remote server | Logs appear on remote server |
19 | Syslog Integration | Send logs to syslog | Logs visible in syslog |
20 | Audit Trail Completeness | Perform a sequence of actions | All actions are logged |
21 | Audit Trail Tampering | Modify audit trail | Tampering detected |
22 | Log Format Compliance | Check log format against standard | Format matches standard |
23 | Log Filtering | Apply filter to logs | Only matching entries shown |
24 | Log Search | Search for specific event | Event found in logs |
25 | Log Archiving | Archive old logs | Logs archived successfully |
26 | Log Compression | Compress archived logs | Logs compressed |
27 | Log Alerting | Trigger alert condition | Alert generated |
28 | Log Alert Suppression | Suppress repeated alerts | Only one alert shown |
29 | Log Dashboard Display | View logs in dashboard | Logs displayed correctly |
30 | Log Export | Export logs to CSV/JSON | Export successful |
31 | Log Import | Import logs from backup | Logs imported correctly |
32 | Log Correlation | Correlate events across systems | Correlated view generated |
33 | Time Sync for Logs | Check logs across systems | Timestamps are synchronized |
34 | Log Anomaly Detection | Inject unusual behavior | Anomaly detected |
35 | Log Volume Spike | Generate high volume of logs | System handles load or alerts |
36 | Log Parsing | Parse logs with tool | Parsed correctly |
37 | Log Retention Policy Violation | Retain logs beyond policy | Violation detected |
38 | Log Access Logging | Access log files | Access is logged |
39 | Log Deletion Attempt | Attempt to delete logs | Attempt is logged or blocked |
40 | Log Backup | Perform log backup | Backup completed |
41 | Log Restore | Restore logs from backup | Logs restored correctly |
42 | Log Source Verification | Verify source of log entry | Source is authenticated |
43 | Log Tamper Detection | Modify log content | Tampering detected |
44 | Log Monitoring Tool Integration | Use Splunk/ELK to monitor logs | Logs visible in tool |
45 | Log Retention Compliance | Check logs against compliance policy | Logs meet retention requirements |
46 | Log Access Review | Review who accessed logs | Access records available |
47 | Log Redaction | Redact sensitive data in logs | Sensitive data masked |
48 | Log Format Conversion | Convert logs to another format | Conversion successful |
49 | Log Collection Agent Failure | Stop log agent | Alert or fallback triggered |
50 | Log Collection Agent Recovery | Restart log agent | Logging resumes normally |
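Rows 7, 8 and 14 of this table, row 43 of the Access Control table (brute force detection), row 50 of the Session Management table (session tracking) and row 42 of the Key Management table (audit key usage) are all answered from sshd's auth log. The script below is an added example, not code from the page. It assumes sshd's syslog message formats for accepted logins, failed logins and pam session open/close, a year for the year-less syslog timestamps, and a threshold and window for brute-force flagging; the log lines are constructed, using RFC 5737 documentation addresses and a made-up fingerprint.

```python
"""Triage sshd authentication log lines.

Added example, not code from the page. Parses syslog-style sshd messages into
events and answers what the test tables ask of logs: which source addresses
are brute-forcing (failed logins per IP in a sliding window), which key
fingerprints were used to log in, which logins used a password, and how long
each session lasted. The log lines are constructed (RFC 5737 addresses, a
made-up fingerprint) and the year is assumed, since syslog omits it.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

YEAR = 2024   # assumed; traditional syslog timestamps carry no year
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
FAILED_RE = re.compile(r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
                         r"(?:: (?P<keytype>\S+) (?P<fp>\S+))?")
SESSION_RE = re.compile(r"session (?P<state>opened|closed) for user (?P<user>[^\s(]+)")

def parse_log(text):
    """Turn sshd log lines into event dicts; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime("%d %s" % (YEAR, m.group("ts")), "%Y %b %d %H:%M:%S")
        base = {"ts": ts, "pid": int(m.group("pid"))}
        for kind, rx in (("failed", FAILED_RE), ("accepted", ACCEPTED_RE), ("session", SESSION_RE)):
            hit = rx.search(m.group("msg"))
            if hit:
                events.append(dict(base, kind=kind, **hit.groupdict()))
                break
    return events

def detect_bruteforce(events, threshold=4, window_s=60):
    """Source IPs with at least `threshold` failed logins inside any `window_s`-second window."""
    recent, users, flagged = defaultdict(deque), defaultdict(set), {}
    for e in events:
        if e["kind"] != "failed":
            continue
        q = recent[e["ip"]]
        q.append(e["ts"])
        users[e["ip"]].add(e["user"])
        while (q[-1] - q[0]).total_seconds() > window_s:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged[e["ip"]] = {"failures": len(q), "users": sorted(users[e["ip"]]), "last": e["ts"]}
    return flagged

def key_logins(events):
    """(user, ip, key type, fingerprint) per public-key login: the key-usage audit trail."""
    return [(e["user"], e["ip"], e["keytype"], e["fp"])
            for e in events if e["kind"] == "accepted" and e["method"] == "publickey"]

def password_logins(events):
    """(user, ip) per password login: exceptions to a key-only policy."""
    return [(e["user"], e["ip"]) for e in events if e["kind"] == "accepted" and e["method"] == "password"]

def sessions(events):
    """(user, pid, seconds) for each session whose open and close were both logged."""
    opened, out = {}, []
    for e in events:
        if e["kind"] == "session" and e["state"] == "opened":
            opened[e["pid"]] = e
        elif e["kind"] == "session" and e["pid"] in opened:
            start = opened.pop(e["pid"])
            out.append((start["user"], e["pid"], int((e["ts"] - start["ts"]).total_seconds())))
    return out

# Constructed sample: a password-guessing burst from one address, a key login
# with a session under half an hour long, and a password login after one failure.
SAMPLE_LOG = """\
Mar  3 10:01:02 bastion sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:03 bastion sshd[1235]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  3 10:01:04 bastion sshd[1236]: Failed password for root from 203.0.113.5 port 51238 ssh2
Mar  3 10:01:05 bastion sshd[1237]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:01:06 bastion sshd[1238]: Failed password for root from 203.0.113.5 port 51242 ssh2
Mar  3 10:02:10 bastion sshd[1240]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2: ED25519 SHA256:CONSTRUCTEDFINGERPRINT
Mar  3 10:02:10 bastion sshd[1240]: pam_unix(sshd:session): session opened for user alice(uid=1001) by (uid=0)
Mar  3 10:30:00 bastion sshd[1240]: pam_unix(sshd:session): session closed for user alice
Mar  3 10:40:00 bastion sshd[1300]: Failed password for bob from 198.51.100.9 port 40100 ssh2
Mar  3 10:40:30 bastion sshd[1301]: Accepted password for bob from 198.51.100.9 port 40102 ssh2
"""

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("brute force:", detect_bruteforce(ev))
    print("key logins:", key_logins(ev), "password logins:", password_logins(ev))
    print("sessions:", sessions(ev))
```

The sliding window is what separates a guessing burst from a user mistyping a password a few times over a day: the same five failures spread over hours would never reach the threshold. Sessions are paired by sshd process id, which is the field the page's "session ID tracking" row relies on, and a close without a logged open is ignored rather than guessed at.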
Reference links