Compliance Tests
A Test is the fundamental building block of OpenSCM compliance auditing. Each test defines a single automated check — what to inspect, how to evaluate it, and what the expected state should be.
Tests are executed locally by the agent. Only the result (PASS, FAIL, or NA) is sent back to the server — no raw file contents, logs, or system data ever leaves the endpoint.
Test Structure
Each test consists of up to 5 conditions combined with ALL or ANY logic:
```
Test: "Ensure SSH root login is disabled"
Filter: ALL conditions must pass
  Condition 1:
    Element:     File
    Input:       /etc/ssh/sshd_config
    Sub-Element: Content
    Condition:   Contains
    Expected:    PermitRootLogin no
```
| Field | Description |
|---|---|
| Element | What to inspect (file, process, package, registry...) |
| Input | The target — file path, process name, package name, etc. |
| Sub-Element | What aspect to check (content, exists, permissions...) |
| Condition | How to evaluate (equals, contains, greater than...) |
| Expected | The value that constitutes a passing result |
Supported Elements
File
Checks properties of files on the filesystem.
| Sub-Element | Description | Example Input |
|---|---|---|
| Exists | File exists | /etc/shadow |
| Not Exists | File does not exist | /etc/telnet.conf |
| Content | File contains a string | /etc/ssh/sshd_config |
| Permissions | Octal permission string | /etc/shadow → 0640 |
| Owner | File owner username | /etc/shadow → root |
| Group | File group name — supports equals, contains, regex | /etc/shadow → shadow |
| SHA1 | SHA1 hash of file | /bin/su |
| SHA256 | SHA256 hash of file | /bin/su |
Directory
Checks properties of directories.
| Sub-Element | Description |
|---|---|
| Exists | Directory exists |
| Not Exists | Directory does not exist |
| Content | Directory contains a file with the given name |
| Permissions | Octal permission string |
| Owner | Directory owner |
| Group | Directory group — supports equals, contains, regex |
Package
Checks installed software packages.
| Sub-Element | Description | Platforms |
|---|---|---|
| Exists | Package is installed | Linux, Windows |
| Not Exists | Package is not installed | Linux, Windows |
| Version | Installed version comparison | Linux, Windows |
Process
Checks running processes.
| Sub-Element | Description |
|---|---|
| Exists | Process is running |
| Not Exists | Process is not running |
Port
Checks TCP port availability on localhost.
| Sub-Element | Description |
|---|---|
| Exists | Port is open and listening |
| Not Exists | Port is not listening |
User
Checks local user accounts.
| Sub-Element | Description |
|---|---|
| Exists | User account exists |
| Not Exists | User account does not exist |
Group
Checks local groups and membership.
| Sub-Element | Description |
|---|---|
| Exists | Group exists |
| Not Exists | Group does not exist |
| Content | User is a member of the group — set Expected to the username |
CMD (opt-in)
Runs a shell command on the agent and evaluates its output against a string condition.
| Sub-Element | Description |
|---|---|
| Output | The stdout output of the command |
Requires explicit opt-in
CMD tests return NA unless `cmd_enabled = true` is set in the server configuration. This is an intentional safety gate — an administrator must explicitly permit command execution on agents before any CMD test will run.
Example use cases:
- Check sysctl kernel parameters (`sysctl net.ipv4.conf.all.forwarding`)
- Verify firewall rules (`iptables -L`)
- Read values not exposed via files or packages
Registry (Windows only)
Validates Windows Registry values.
| Sub-Element | Description | Example Input |
|---|---|---|
| Content | Registry value data | HKLM\SYSTEM\CurrentControlSet\...\path\|ValueName |
| Exists | Registry key or value exists | |
| Not Exists | Registry key or value does not exist | |
Registry Input Format
Use the `path|ValueName` format for the Input field.
Example: `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate|DisableWindowsUpdateAccess`
OS
Checks operating system information.
| Sub-Element | Description |
|---|---|
| Content | OS name string — supports equals, contains, regex |
| Version | OS version comparison |
Hostname
Checks the system hostname.
| Sub-Element | Description |
|---|---|
| Content | Hostname string — supports equals, contains, regex |
IP
Checks IP address presence on the system.
| Sub-Element | Description |
|---|---|
| Exists | IP address is assigned to the system |
| Content | IP address matches condition — supports equals, contains, regex |
Domain
Checks domain or workgroup membership.
| Sub-Element | Description |
|---|---|
| Content | Domain or workgroup name — supports equals, contains, regex |
Architecture
Checks CPU architecture.
| Sub-Element | Description |
|---|---|
| Content | Architecture string (e.g. x86_64, aarch64) |
Agent
Checks the installed agent version.
| Sub-Element | Description |
|---|---|
| Version | Agent version comparison |
| Content | Agent version string — supports equals, contains, regex |
Supported Conditions
| Condition | Description | Example |
|---|---|---|
| Contains | Value contains the expected string | File content contains PermitRootLogin no |
| Not Contains | Value does not contain the string | Config does not contain PermitRootLogin yes |
| Equals | Exact match | Hostname equals web-server-01 |
| Not Equals | Does not match | OS is not Windows XP |
| More Than | Numeric greater than | Agent version > 0.1.0 |
| Less Than | Numeric less than | Open ports < 10 |
| Regular Expression | PCRE regex pattern match | Content matches ^Protocol\s+2$ |
Test Logic (Filter)
Each test uses one of two filter modes to evaluate its conditions:
| Filter | Behaviour |
|---|---|
| ALL | Every condition must pass for the test to pass |
| ANY | At least one condition must pass for the test to pass |
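As an added example that is not OpenSCM's own code, the following Python sketches how the pieces above (element lookups, the supported conditions, and the ALL/ANY filter) combine into a PASS, FAIL or NA result for the sshd test from the Test Structure section. The in-memory `FILES` and `CMD_OUTPUTS` tables, the `fetch()` collector, the rule that an uncollectable input yields NA, and the dotted-version ordering used for More Than/Less Than are assumptions of this example.

```python
"""Toy evaluator for the test model described on this page (added example, not OpenSCM code)."""
import re

# Constructed sample data standing in for the endpoint's filesystem and shell.
FILES = {"/etc/ssh/sshd_config": "Protocol 2\nPermitRootLogin no\nX11Forwarding yes\n"}
CMD_OUTPUTS = {"sysctl net.ipv4.conf.all.forwarding": "net.ipv4.conf.all.forwarding = 0"}
CMD_ENABLED = False  # mirrors the server-side cmd_enabled gate: CMD tests yield NA

def _nums(s):
    return tuple(int(p) for p in re.findall(r"\d+", s)) or (0,)  # "0.1.0" -> (0, 1, 0)

def evaluate_condition(value, condition, expected):
    """Apply one supported Condition to the observed string value."""
    ops = {
        "Contains": lambda: expected in value,
        "Not Contains": lambda: expected not in value,
        "Equals": lambda: value == expected,
        "Not Equals": lambda: value != expected,
        "More Than": lambda: _nums(value) > _nums(expected),   # numeric/version order
        "Less Than": lambda: _nums(value) < _nums(expected),
        "Regular Expression": lambda: bool(re.search(expected, value, re.M)),  # per-line ^ $
    }
    return ops[condition]()

def fetch(element, inp, sub_element):
    """Observed value for a condition's target, or None when it cannot be collected."""
    if element == "File" and sub_element == "Content":
        return FILES.get(inp)
    if element == "CMD" and sub_element == "Output":
        return CMD_OUTPUTS.get(inp) if CMD_ENABLED else None  # opt-in gate
    return None

def evaluate_test(test):
    """Combine condition outcomes under the ALL/ANY filter into PASS, FAIL or NA."""
    if not 1 <= len(test["conditions"]) <= 5:
        raise ValueError("a test holds between 1 and 5 conditions")
    outcomes = []
    for element, inp, sub_element, condition, expected in test["conditions"]:
        value = fetch(element, inp, sub_element)
        if value is None:
            return "NA"  # assumption of this example: uncollectable input -> NA, not FAIL
        outcomes.append(evaluate_condition(value, condition, expected))
    combine = all if test["filter"] == "ALL" else any
    return "PASS" if combine(outcomes) else "FAIL"

SSH_TEST = {"filter": "ALL", "conditions": [
    ("File", "/etc/ssh/sshd_config", "Content", "Contains", "PermitRootLogin no"),
    ("File", "/etc/ssh/sshd_config", "Content", "Regular Expression", r"^Protocol\s+2$")]}
CMD_TEST = {"filter": "ALL", "conditions": [
    ("CMD", "sysctl net.ipv4.conf.all.forwarding", "Output", "Contains", "= 0")]}
```

Flipping `CMD_ENABLED` to `True` lets `CMD_TEST` evaluate to PASS against the constructed sysctl output, which is the behaviour the opt-in gate described above controls.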
Execution Flow
```mermaid
sequenceDiagram
    participant S as OpenSCM Server
    participant A as Agent
    A->>S: Heartbeat (signed with agent Ed25519 key)
    S-->>A: Pending test commands (signed with server Ed25519 key)
    Note right of A: Agent executes tests locally
    A->>S: Results: PASS / FAIL / NA (signed)
    Note over S: Dashboard and reports updated
```
Creating a Test
1. Navigate to Tests in the sidebar
2. Click New Test
3. Fill in the metadata — name, severity, description, rationale, remediation
4. Set the filter mode (ALL or ANY)
5. Add one or more conditions using the condition builder
6. Click Save Test Definition
Severity Levels
Assign severity to help prioritize remediation efforts:
- Critical — immediate risk, must be remediated urgently
- High — significant risk, remediate as soon as possible
- Medium — moderate risk, schedule remediation
- Low — minor risk, remediate when convenient
- Information — informational only, no direct risk
Once created, tests can be added to one or more Policies for deployment across your infrastructure.
Bulk Actions
Select multiple tests using the checkboxes on the left of each row, then use the bulk toolbar that appears at the top of the table:
| Action | Description |
|---|---|
| Add to Policy | Add all selected tests to a chosen policy |
| Delete | Permanently remove all selected tests |
The Select All checkbox in the header selects all rows matching the current search filter, not just the visible page.
Editor role required
Bulk actions require at least the Editor role.