🥒 CCC.VM Test: avmvm20260611

Test Parameters

ServiceType: virtual-machines
ProviderServiceType: Microsoft.Compute/virtualMachines
CatalogTypes: CCC.VM
TagFilter: @Behavioural, @virtual-machines, @Behavioural
UID: avmvm20260611
ResourceName: avmvm20260611
Config: {}
allowed-source-cidr: 10.0.0.0/8
azure-resource-group: avm-testing
azure-subscription-id: c1cedd8e-bf91-4d7d-a4cc-45700402a2a1
catalog-versions:
{
  "CCC.Core": "v2025.10",
  "CCC.VM": "DEV"
}
permitted-regions:
[
  "westus2"
]
port-number: 22
provider: azure
region: westus2
resource: avmvm20260611
service: virtual-machines
service-type: virtual-machines
tags: @Behavioural @virtual-machines
test-listener-port: 22

Summary

Generated: 2026-06-22 17:09:39

Total Run Time: 32s

Features: 16

Scenarios: 27 (✅ 11 | ❌ 16)

Steps: 140 (✅ 108 | ❌ 16 | ⏭️ 16 | ❓ 0)

Feature: CCC.Core.CN02.AR01 - Encrypt Data For Storage
Scenario: VM attached volumes report encryption enabled @CCC.Core @CCC.Core.CN02 @PerService @tlp-amber @tlp-green @tlp-red @Behavioural @virtual-machines
Given a cloud api for "{config}" in "api" (49µs)
Given I call "{api}" with "GetServiceAPI" using argument "virtual-machines" (146µs)
And I refer to "{result}" as "vmService" (24µs)
When I call "{vmService}" with "GetVolumeEncryptionStatus" using argument "{uid}" (41µs)
Then "{result}" is not an error (15µs)
And I refer to "{result}" as "encryption" (11µs)
And I attach "{encryption}" to the test output as "Volume Encryption Status" (48µs)
Then "{encryption.Volumes}" is an array of objects with at least the following contents (48µs)
  | Encrypted |
  | true      |
📎 Attachments:
Volume Encryption Status
View JSON (119 bytes)
{"Volumes":[{"VolumeID":"azure-managed-disk","Encrypted":true,"EncryptionAlgorithm":"platform-managed","KMSKeyID":""}]}
Feature: CCC.Core.CN12.AR01 - Deny Unauthorized IP Connection
Scenario: Unauthorized inbound connection attempt is denied @CCC.Core @CCC.Core.CN12 @PerService @tlp-amber @tlp-red @Behavioural @virtual-machines
Given a cloud api for "{config}" in "api" (26µs)
Given I call "{api}" with "GetServiceAPI" using argument "virtual-machines" (27µs)
And I refer to "{result}" as "vmService" (25µs)
When I call "{vmService}" with "AttemptInboundConnection" using arguments "{uid}" and "{test-listener-port}" (70µs)
Then "{result}" is not an error (20µs)
expected {result} to not be an error, but got: hostName is required for inbound connection checks
And I refer to "{result}" as "probe" (12µs)
And I attach "{probe}" to the test output as "Inbound Connection Probe" (14µs)
Then "{probe.Connected}" is "false" (15µs)
Feature: CCC.Core.CN01.AR01
Scenario: Service accepts TLS 1.3 encrypted traffic @CCC.Core @CCC.Core.CN01 @tlp-amber @tlp-green @tlp-red @Behavioural @PerPort @tls @object-storage @virtual-machines
Given a cloud api for "{config}" in "api" (25µs)
Given an openssl s_client request using "tls1_3" to "{port-number}" on "{host-name}" protocol "{protocol}" (618µs)
And I refer to "{result}" as "connection" (26µs)
And "{connection}" state is open (35µs)
And "{connection.State}" is "open" (30µs)
And I close connection "{connection}" (64µs)
Then "{connection}" state is closed (46µs)
Scenario: Service rejects TLS 1.2 traffic @CCC.Core @CCC.Core.CN01 @tlp-amber @tlp-green @tlp-red @Behavioural @PerPort @tls @object-storage @virtual-machines
Given a cloud api for "{config}" in "api" (32µs)
Given an openssl s_client request using "tls1_2" to "{port-number}" on "{host-name}" protocol "{protocol}" (549µs)
And I refer to "{result}" as "connection" (34µs)
And we wait for a period of "40" ms (40ms)
Then "{connection.State}" is "closed" (37µs)
Scenario: Service rejects TLS 1.1 traffic @CCC.Core @CCC.Core.CN01 @tlp-amber @tlp-green @tlp-red @Behavioural @PerPort @tls @object-storage @virtual-machines
Given a cloud api for "{config}" in "api" (38µs)
Given an openssl s_client request using "tls1_1" to "{port-number}" on "{host-name}" protocol "{protocol}" (642µs)
And I refer to "{result}" as "connection" (38µs)
And we wait for a period of "40" ms (40ms)
Then "{connection.State}" is "closed" (33µs)
Scenario: Service rejects TLS 1.0 traffic @CCC.Core @CCC.Core.CN01 @tlp-amber @tlp-green @tlp-red @Behavioural @PerPort @tls @object-storage @virtual-machines
Given a cloud api for "{config}" in "api" (48µs)
Given an openssl s_client request using "tls1" to "{port-number}" on "{host-name}" protocol "{protocol}" (612µs)
And I refer to "{result}" as "connection" (27µs)
And we wait for a period of "40" ms (41ms)
Then "{connection.State}" is "closed" (38µs)
Scenario: Verify SSL/TLS protocol support @CCC.Core @CCC.Core.CN01 @tlp-amber @tlp-green @tlp-red @Behavioural @PerPort @tls @object-storage @virtual-machines
Given a cloud api for "{config}" in "api" (56µs)
Given "report" contains details of SSL Support type "protocols" for "{host-name}" on port "{port-number}" (2ms)
failed to read testssl.sh output: open /tmp/testssl_protocols__22.json: no such file or directory
Then "{report}" is an array of objects which doesn't contain any of (15µs)
  | id     | finding |
  | SSLv2  | offered |
  | SSLv3  | offered |
  | TLS1   | offered |
  | TLS1_1 | offered |
  | TLS1_2 | offered |
And "{report}" is an array of objects with at least the following contents (14µs)
  | id     | finding            |
  | TLS1_3 | offered with final |
Scenario: Verify no known SSL/TLS vulnerabilities @CCC.Core @CCC.Core.CN01 @tlp-amber @tlp-green @tlp-red @Behavioural @PerPort @tls @object-storage @virtual-machines
Given a cloud api for "{config}" in "api" (34µs)
Given "report" contains details of SSL Support type "vulnerable" for "{host-name}" on port "{port-number}" (2ms)
failed to read testssl.sh output: open /tmp/testssl_vulnerable__22.json: no such file or directory
Then "{report}" is an array of objects with at least the following contents (16µs)
  | id            | severity |
  | heartbleed    | OK       |
  | CCS           | OK       |
  | ticketbleed   | OK       |
  | ROBOT         | OK       |
  | secure_renego | OK       |
Scenario: Verify TLS 1.3 only certificate validity @CCC.Core @CCC.Core.CN01 @tlp-amber @tlp-green @tlp-red @Behavioural @PerPort @tls @object-storage @virtual-machines
Given a cloud api for "{config}" in "api" (44µs)
Given "report" contains details of SSL Support type "server-defaults" for "{host-name}" on port "{port-number}" (2ms)
failed to read testssl.sh output: open /tmp/testssl_server-defaults__22.json: no such file or directory
Then "{report}" is an array of objects with at least the following contents (15µs)
  | id                    | severity |
  | cert_expirationStatus | OK       |
  | cert_chain_of_trust   | OK       |
Feature: CCC.Core.CN01.AR02
Scenario: Verify SSH protocol version @CCC.Core @CCC.Core.CN01 @tlp-amber @tlp-clear @tlp-green @tlp-red @tls @Behavioural @PerPort @ssh @virtual-machines
Given an openssl s_client request to "{port-number}" on "{host-name}" protocol "ssh" (391µs)
And I refer to "{result}" as "connection" (26µs)
And "{connection}" state is open (39µs)
And I close connection "{connection}" (39µs)
Then "{connection}" state is closed (49µs)
Scenario: Verify SSH uses strong ciphers @CCC.Core @CCC.Core.CN01 @tlp-amber @tlp-clear @tlp-green @tlp-red @tls @Behavioural @PerPort @ssh @virtual-machines
Given "report" contains details of SSL Support type "each-cipher" for "{host-name}" on port "{port-number}" (2ms)
failed to read testssl.sh output: open /tmp/testssl_each-cipher__22.json: no such file or directory
Then "{report}" is an array of objects which doesn't contain any of (15µs)
  | id           | finding |
  | 3DES-CBC     | offered |
  | RC4          | offered |
  | DES-CBC3-SHA | offered |
Scenario: Verify SSH server configuration @CCC.Core @CCC.Core.CN01 @tlp-amber @tlp-clear @tlp-green @tlp-red @tls @Behavioural @PerPort @ssh @virtual-machines
Given "report" contains details of SSL Support type "server-defaults" for "{host-name}" on port "{port-number}" (2ms)
failed to read testssl.sh output: open /tmp/testssl_server-defaults__22.json: no such file or directory
Then "{report}" is an array of objects with at least the following contents (14µs)
  | id                    | finding |
  | cert_expirationStatus | ok      |
  | cert_chain_of_trust   | passed. |
Feature: CCC.Core.CN01.AR03
Scenario: HTTP redirects to HTTPS @CCC.Core @CCC.Core.CN01 @tlp-amber @tlp-green @tlp-red @PerPort @Behavioural @http @tls @object-storage @virtual-machines
Given a client connects to "{host-name}" with protocol "http" on port "80" (768µs)
And I refer to "{result}" as "connection" (21µs)
And "{connection}" is not an error (35µs)
And I transmit "GET / HTTP/1.1\r\nHost: {host-name}\r\n\r\n" to "{connection}" (501ms)
And I attach "{connection}" to the test output as "HTTP response" (112µs)
And "{connection.Output}" contains "301" (87µs)
expected {connection.Output} to contain '301', but got ''
And I call "{connection}" with "Close" (28µs)
Then "{connection.State}" is "closed" (34µs)
📎 Attachments:
HTTP response
View JSON (41 bytes)
{"State":"closed","Input":{},"Output":""}
Scenario: FTP traffic is blocked or not exposed @CCC.Core @CCC.Core.CN01 @tlp-amber @tlp-green @tlp-red @PerPort @Behavioural @ftp @tls @object-storage @virtual-machines
Given a client connects to "{host-name}" with protocol "ftp" on port "21" (643µs)
And I attach "{connection}" to the test output as "FTP response" (52µs)
And I refer to "{result}" as "connection" (28µs)
Then "{connection}" is an error (33µs)
expected {connection} to be an error, got *cloud.Connection
📎 Attachments:
FTP response
View JSON (4 bytes)
null
Scenario: Telnet traffic is blocked or not exposed @CCC.Core @CCC.Core.CN01 @tlp-amber @tlp-green @tlp-red @PerPort @Behavioural @telnet @tls @object-storage @virtual-machines
Given a client connects to "{host-name}" with protocol "telnet" on port "23" (480µs)
And I attach "{connection}" to the test output as "Telnet response" (47µs)
And I refer to "{result}" as "connection" (34µs)
Then "{connection}" is an error (31µs)
expected {connection} to be an error, got *cloud.Connection
📎 Attachments:
Telnet response
View JSON (4 bytes)
null
Scenario: Only secure protocols are exposed @CCC.Core @CCC.Core.CN01 @tlp-amber @tlp-green @tlp-red @PerPort @Behavioural @tls @object-storage @virtual-machines
Given "report" contains details of SSL Support type "protocols" for "{host-name}" on port "{port-number}" (2ms)
failed to read testssl.sh output: open /tmp/testssl_protocols__22.json: no such file or directory
Then "{report}" is an array of objects with at least the following contents (17µs)
  | id     | severity |
  | TLS1_2 | OK       |
  | TLS1_3 | OK       |
Feature: CCC.Core.CN01.AR07
Scenario: Verify HTTPS uses IANA-assigned port 443 @CCC.Core @CCC.Core.CN01 @tlp-amber @tlp-clear @tlp-green @tlp-red @Behavioural @PerPort @http @tls @object-storage @virtual-machines
Then "{port-number}" is "443" (25µs)
expected {port-number} to equal '443', got '22'
Feature: CCC.Core.CN01.AR08
Scenario: Verify mTLS requires client certificate authentication @CCC.Core @CCC.Core.CN01 @tlp-amber @tlp-red @tls @Behavioural @PerPort @tls @object-storage @virtual-machines
Given "report" contains details of SSL Support type "server-defaults" for "{host-name}" on port "{port-number}" (2ms)
failed to read testssl.sh output: open /tmp/testssl_server-defaults__22.json: no such file or directory
Then "{report}" is an array of objects with at least the following contents (15µs)
  | id         | finding  |
  | clientAuth | required |
Feature: CCC.Core.CN03.AR01 - Multi-Factor Authentication for Destructive Operations
Scenario: MFA requirement for destructive operations cannot be tested automatically @CCC.Core @CCC.Core.CN03 @PerService @tlp-amber @tlp-green @tlp-red @Behavioural @object-storage @load-balancer @virtual-machines @serverless-computing @NotTestable
Given a cloud api for "{config}" in "api" (72µs)
Then no-op required (51µs)
Feature: CCC.Core.CN04.AR01 - Log Administrative Access Attempts
Scenario: Verify admin actions are logged with identity and timestamp @CCC.Core @CCC.Core.CN04 @PerService @tlp-amber @tlp-clear @tlp-green @tlp-red @Behavioural @object-storage @virtual-machines @serverless-computing
Given a cloud api for "{config}" in "api" (34µs)
And I call "{api}" with "GetServiceAPI" using argument "{service-type}" (40µs)
And I refer to "{result}" as "theService" (25µs)
Given I call "{api}" with "GetServiceAPI" using argument "logging" (254µs)
And I refer to "{result}" as "loggingService" (16µs)
When I call "{theService}" with "UpdateResourcePolicy" (56µs)
Then "{result}" is not an error (18µs)
And I attach "{result}" to the test output as "Policy Update Result" (36µs)
And we wait for a period of "10000" ms (10s)
When I call "{loggingService}" with "QueryLogs" using arguments "{resource-name}", "admin", and "{20}" (1s)
Then "{result}" is not an error (26µs)
And I refer to "{result}" as "adminLogs" (20µs)
And I attach "{adminLogs}" to the test output as "Admin Activity Logs" (94µs)
Then "{adminLogs}" is an array of objects with at least the following contents (66µs)
  | result    |
  | Succeeded |
expected row not found: map[result:Succeeded]
📎 Attachments:
Policy Update Result
View JSON (4 bytes)
null
Admin Activity Logs
View JSON (2 bytes)
[]
Feature: CCC.Core.CN04.AR02 - Log Data Modification Attempts
Scenario: Verify data modifications are logged with identity and timestamp @CCC.Core @CCC.Core.CN04 @PerService @tlp-amber @tlp-red @Behavioural @object-storage @virtual-machines @serverless-computing
Given a cloud api for "{config}" in "api" (54µs)
Given I call "{api}" with "GetServiceAPI" using argument "{service-type}" (46µs)
And I refer to "{result}" as "theService" (20µs)
And I call "{api}" with "GetServiceAPI" using argument "logging" (19µs)
And I refer to "{result}" as "loggingService" (13µs)
When I call "{theService}" with "TriggerDataWrite" using argument "{resource-name}" (89µs)
And I attach "{result}" to the test output as "Data Write Trigger Result" (40µs)
And we wait for a period of "10000" ms (10s)
Then I call "{loggingService}" with "QueryLogs" using arguments "{resource-name}", "data-write", and "{20}" (58µs)
And I refer to "{result}" as "dataLogs" (20µs)
And I attach "{dataLogs}" to the test output as "Data Write Logs" (47µs)
Then "{dataLogs}" is an array of objects with at least the following contents (34µs)
  | result    |
  | Succeeded |
field {dataLogs} is not an array
📎 Attachments:
Data Write Trigger Result
View Content (50 bytes)
hostName is required for inbound connection checks
Data Write Logs
View Content (88 bytes)
azure-log-analytics-workspace-id is required to query data logs but is not set in config
Feature: CCC.Core.CN04.AR03 - Log Data Read Attempts
Scenario: Verify data read operations are logged with identity and timestamp @CCC.Core @CCC.Core.CN04 @PerService @tlp-red @Behavioural @object-storage @virtual-machines @serverless-computing
Given a cloud api for "{config}" in "api" (78µs)
Given I call "{api}" with "GetServiceAPI" using argument "{service-type}" (62µs)
And I refer to "{result}" as "theService" (45µs)
And I call "{api}" with "GetServiceAPI" using argument "logging" (49µs)
And I refer to "{result}" as "loggingService" (37µs)
When I call "{theService}" with "TriggerDataRead" using argument "{resource-name}" (50µs)
And I attach "{result}" to the test output as "Data Read Trigger Result" (49µs)
And we wait for a period of "10000" ms (10s)
When I call "{loggingService}" with "QueryLogs" using arguments "{resource-name}", "data-read", and "{20}" (57µs)
Then "{result}" is not an error (45µs)
expected {result} to not be an error, but got: azure-log-analytics-workspace-id is required to query data logs but is not set in config
And I refer to "{result}" as "readLogs" (16µs)
And I attach "{readLogs}" to the test output as "Data Read Logs" (19µs)
Then "{readLogs}" is an array of objects with at least the following contents (16µs)
  | result    |
  | Succeeded |
📎 Attachments:
Data Read Trigger Result
View Content (50 bytes)
hostName is required for inbound connection checks
Feature: CCC.Core.CN05.AR06 - Block All Unauthorized Requests
Scenario: Service prevents data read by user with no access @CCC.Core @CCC.Core.CN05 @PerService @tlp-amber @tlp-green @tlp-red @Destructive @Behavioural @object-storage @virtual-machines @serverless-computing
Given a cloud api for "{config}" in "api" (46µs)
And I call "{api}" with "GetServiceAPIWithIdentity" using arguments "{service-type}" and "test-user-no-access" (82µs)
And "{result}" is not an error (55µs)
And I refer to "{result}" as "userReadableService" (26µs)
When I call "{userReadableService}" with "TriggerDataRead" using argument "{resource-name}" (35µs)
Then "{result}" is an error (32µs)
And I attach "{result}" to the test output as "no-access-trigger-data-read-error.txt" (46µs)
📎 Attachments:
no-access-trigger-data-read-error.txt
View Content (50 bytes)
hostName is required for inbound connection checks
Feature: CCC.Core.CN07.AR01 - Publish Enumeration Activity Events
Scenario: Enumeration event publishing cannot be tested automatically @CCC.Core @CCC.Core.CN07 @PerService @tlp-amber @tlp-red @Behavioural @NotTestable @object-storage @virtual-machines @serverless-computing
Given a cloud api for "{config}" in "api" (44µs)
Then no-op required (28µs)
Feature: CCC.Core.CN07.AR02 - Log Enumeration Activities
Scenario: Enumeration logging cannot be verified automatically @CCC.Core @CCC.Core.CN07 @PerService @tlp-amber @tlp-clear @tlp-green @tlp-red @Behavioural @NotTestable @object-storage @virtual-machines @serverless-computing
Given a cloud api for "{config}" in "api" (42µs)
Then no-op required (24µs)
Feature: CCC.Core.CN10.AR01 - Replication Destination Trust
Scenario: Replication destination trust cannot be verified automatically @CCC.Core @CCC.Core.CN10 @PerService @tlp-amber @tlp-green @tlp-red @Behavioural @NotTestable @object-storage @virtual-machines @serverless-computing
Given a cloud api for "{config}" in "api" (38µs)
Then no-op required (23µs)
Feature: CCC.Core.CN06.AR01 - Resource Location Compliance
Scenario: Resource region can be retrieved for compliance verification @CCC.Core @CCC.Core.CN06 @PerService @tlp-amber @tlp-green @tlp-red @Behavioural @object-storage @vpc @virtual-machines @serverless-computing
Given a cloud api for "{config}" in "api" (54µs)
Given I call "{api}" with "GetServiceAPI" using argument "{service-type}" (43µs)
And I refer to "{result}" as "theService" (17µs)
When I call "{theService}" with "GetResourceRegion" using argument "{resource-name}" (54µs)
Then "{result}" is not an error (36µs)
And I refer to "{result}" as "region" (15µs)
And I attach "{region}" to the test output as "Resource Region" (39µs)
Then "{permitted-regions}" is an array of objects with at least the following contents (59µs)
  | value    |
  | {region} |
expected row not found: map[value:{region}]
📎 Attachments:
Resource Region
View Content (7 bytes)
westus2