ATM_ID: B2705776-53A2-11EA-9805-9BD3993DCDB4 MFF: PLANNEDTIMESTAFF: ID: WFAST_Accounting/Testcases/FS_50.001.01_Audit_Log_Events/10714 TESTCASE_HEADLINE: Event ID=157 Event ID=158 Audit Log - Lockdown failure and Remediation success events will be logged with user logged in as administrator. GROUP: FEATURE: SUB_FEATURE: INPUT:
Audit Log:
1. Ensure Lockdown is in uninstalled state.
2. Ensure that Scan to USB is enabled.
Syslog:
1. Syslog Destination Server details must be configured.
PROCEDURE:
1. In CWIS, log in as administrator -- Navigate to Properties -- General setup -- Feature Installation -- Enter the Lockdown feature installation key.
2. Navigate to Properties -- Security -- Audit Log -- Export Audit Log.
3. Check for details in the Audit Log.
4. Enter the uninstall key for Lockdown.
5. Enable Scan to USB.
6. In LUI, log in as administrator -- Go to Device -- Tools -- Device settings -- General -- Feature Installation -- Enter the Lockdown feature installation key -- Select OK.
7. In CWIS, navigate to Properties -- Security -- Audit Log -- Export Audit Log.
8. Check for details in the Audit Log.
Note: Validate that if an audit log event is generated with a missing entry data field, the feature displays "Not available" for the CEF Keyname.
OUTPUT: The Audit log should display the following:
1. Event ID: 157 and the below-mentioned details on Lock Down Security Check Complete. User name: Admin; Device name; Device serial number; Completion status (“Failed”)
2. Event ID: 158 and the below-mentioned details on Remediation Check Complete. User name: Admin; Device name; Device serial number; Completion status (“Success”)
Syslog verification using the View Events option:
Syslog+CEF format should be displayed as per the Spec (refer to the SIEM Integration and Audit Log Events Spec):
(PRI number; Timestamp; Device name; CEF:0; Xerox; Device Model; Device Software Version; Device Audit log Event ID; Audit log Event Description; Severity) along with CEF Key Name Mapping.
PROCESS: PRIORITY: TEST_TYPE: automated LOE: RESOURCE_HW: RESOURCE_CONSUMEABLES: RESOURCE_MEDIA: SKILL_SET: TEST_CASE_TYPE: testcases TESTCASE_SOURCE: SPEC: FS_55.12_SIEM_Integration SPEC_VERSION: 1.0004999999999999 SPEC_TAG: [55.120.045](FT-26004)[D5.3-*] If an audit log event is generated with a missing entry data field the feature shall use the value “Not Available” to map the CEF Keyname. 50.001.01.161 [R16-11, D3.6-*] | 157 | Lockdown Security Check Complete | User name (if available. “SYSTEM”, if executed as a scheduled event) | Device name | Device serial number | Completion status (“Success” / “Failed”) 50.001.01.162 [R16-11, D3.6-*] | 158 | Lockdown Remediation Complete | User name (if available. “SYSTEM”, if executed as a scheduled event) | Device name | Device serial number | Completion status (“Success” / “Failed”) 50.001.01.160 [R16-11, D3.6-*] | 156 | Lockdown and Remediate Security | User name | Device Name | Device Serial number | Completion status: (“Enabled” / “Disabled”) ATM_OWNER: APPROVE_QE: APPROVED_QE: APPROVE_SE: APPROVED_SE: APPROVE_SPAR: APPROVED_SPAR: ASSOCIATED_TESTCASES: TRAINING: TESTCASE_VERSION: TESTCASE_STATE: TESTCASE_PLATFORM: TESTCASE_PRODUCT: canyon, carroll, corvo, corrib, kiska, malawi, mystic, melody, muckross TESTCASE_APPROVALS: CDATE: 1582176883 MDATE: 1582176883 MUSER: q4BVX0J1 AUTHOR: q4BVX0J1 ATM_MCOMMENTS: Imported from spreadsheet HISTORY: ATM_LOCKED: ATM_REQLINK: CAAAE4AE-5461-11EA-9DCE-65D4993DCDB4, 43704636-97F7-11E9-9925-CFADAA3FCFED, 4370A644-97F7-11E9-9925-CFADAA3FCFED, 436FF76C-97F7-11E9-9925-CFADAA3FCFED ATM_REQCOUNT: 4 QA_TEAM: TC_WEIGHTAGE: FILENAME: FILEDESC: FILES: RELEASE: AUTOMATION_GROUP: TC_WORK_LOCATION_CAT: work_from_home_tc DEVICE_CATEGORY: mfp CONSTRAINTS_DAR: Imp_98 . NA Done By Previous Analysis COMPETENCY: wfast_accounting APTEST_TRACKING: yes COMPLEXITY_OUTPUT_VALIDATION: non_outliers AUTOMATION_CANDIDATE: yes AUTOMATABLE: yes SRT_ANALYZATION: analyzed