🥒 CCC.VM Test: avmvm20260611

Test Parameters

ServiceType	virtual-machines
ProviderServiceType	Microsoft.Compute/virtualMachines
CatalogTypes	CCC.VM
TagFilter	@Behavioural, @virtual-machines, @Behavioural
UID	avmvm20260611
ResourceName	avmvm20260611
Config	{}
allowed-source-cidr	10.0.0.0/8
azure-resource-group	avm-testing
azure-subscription-id	c1cedd8e-bf91-4d7d-a4cc-45700402a2a1
catalog-versions	{ "CCC.Core": "v2025.10", "CCC.VM": "DEV" }
permitted-regions	[ "westus2" ]
port-number	22
provider	azure
region	westus2
resource	avmvm20260611
service	virtual-machines
service-type	virtual-machines
tags	@Behavioural @virtual-machines
test-listener-port	22

Summary

Generated: 2026-06-18 15:30:49

Total Run Time: 32s

Features: 16

Scenarios: 27 (✅ 11 | ❌ 16)

Steps: 140 (✅ 108 | ❌ 16 | ⏭️ 16 | ❓ 0)

Filter by Tag:

Feature: CCC.Core.CN02.AR01 - Encrypt Data For Storage

Scenario: VM attached volumes report encryption enabled @CCC.Core @CCC.Core.CN02 @PerService @tlp-amber @tlp-green @tlp-red @Behavioural @virtual-machines

Given a cloud api for "{config}" in "api"41µs

Given I call "{api}" with "GetServiceAPI" using argument "virtual-machines"99µs

And I refer to "{result}" as "vmService"15µs

When I call "{vmService}" with "GetVolumeEncryptionStatus" using argument "{uid}"35µs

Then "{result}" is not an error15µs

And I refer to "{result}" as "encryption"12µs

And I attach "{encryption}" to the test output as "Volume Encryption Status"40µs

Then "{encryption.Volumes}" is an array of objects with at least the following contents40µs

Encrypted
true

📎 Attachments:

Volume Encryption Status

View JSON (119 bytes)

{"Volumes":[{"VolumeID":"azure-managed-disk","Encrypted":true,"EncryptionAlgorithm":"platform-managed","KMSKeyID":""}]}

Feature: CCC.Core.CN12.AR01 - Deny Unauthorized IP Connection

Scenario: Unauthorized inbound connection attempt is denied @CCC.Core @CCC.Core.CN12 @PerService @tlp-amber @tlp-red @Behavioural @virtual-machines

Given a cloud api for "{config}" in "api"25µs

Given I call "{api}" with "GetServiceAPI" using argument "virtual-machines"22µs

And I refer to "{result}" as "vmService"23µs

When I call "{vmService}" with "AttemptInboundConnection" using arguments "{uid}" and "{test-listener-port}"63µs

Then "{result}" is not an error29µs

expected {result} to not be an error, but got: hostName is required for inbound connection checks

And I refer to "{result}" as "probe"10µs

And I attach "{probe}" to the test output as "Inbound Connection Probe"12µs

Then "{probe.Connected}" is "false"13µs

Feature: CCC.Core.CN01.AR01

Scenario: Service accepts TLS 1.3 encrypted traffic @CCC.Core @CCC.Core.CN01 @tlp-amber @tlp-green @tlp-red @Behavioural @PerPort @tls @object-storage @virtual-machines

Given a cloud api for "{config}" in "api"24µs

Given an openssl s_client request using "tls1_3" to "{port-number}" on "{host-name}" protocol "{protocol}"459µs

And I refer to "{result}" as "connection"28µs

And "{connection}" state is open30µs

And "{connection.State}" is "open"30µs

And I close connection "{connection}"30µs

Then "{connection}" state is closed43µs

Scenario: Service rejects TLS 1.2 traffic @CCC.Core @CCC.Core.CN01 @tlp-amber @tlp-green @tlp-red @Behavioural @PerPort @tls @object-storage @virtual-machines

Given a cloud api for "{config}" in "api"41µs

Given an openssl s_client request using "tls1_2" to "{port-number}" on "{host-name}" protocol "{protocol}"374µs

And I refer to "{result}" as "connection"27µs

And we wait for a period of "40" ms40ms

Then "{connection.State}" is "closed"25µs

Scenario: Service rejects TLS 1.1 traffic @CCC.Core @CCC.Core.CN01 @tlp-amber @tlp-green @tlp-red @Behavioural @PerPort @tls @object-storage @virtual-machines

Given a cloud api for "{config}" in "api"27µs

Given an openssl s_client request using "tls1_1" to "{port-number}" on "{host-name}" protocol "{protocol}"417µs

And I refer to "{result}" as "connection"18µs

And we wait for a period of "40" ms40ms

Then "{connection.State}" is "closed"56µs

Scenario: Service rejects TLS 1.0 traffic @CCC.Core @CCC.Core.CN01 @tlp-amber @tlp-green @tlp-red @Behavioural @PerPort @tls @object-storage @virtual-machines

Given a cloud api for "{config}" in "api"27µs

Given an openssl s_client request using "tls1" to "{port-number}" on "{host-name}" protocol "{protocol}"416µs

And I refer to "{result}" as "connection"19µs

And we wait for a period of "40" ms41ms

Then "{connection.State}" is "closed"21µs

Scenario: Verify SSL/TLS protocol support @CCC.Core @CCC.Core.CN01 @tlp-amber @tlp-green @tlp-red @Behavioural @PerPort @tls @object-storage @virtual-machines

Given a cloud api for "{config}" in "api"39µs

Given "report" contains details of SSL Support type "protocols" for "{host-name}" on port "{port-number}"2ms

failed to read testssl.sh output: open /tmp/testssl_protocols__22.json: no such file or directory

Then "{report}" is an array of objects which doesn't contain any of14µs

id	finding
SSLv2	offered
SSLv3	offered
TLS1	offered
TLS1_1	offered
TLS1_2	offered

And "{report}" is an array of objects with at least the following contents12µs

id	finding
TLS1_3	offered with final

Scenario: Verify no known SSL/TLS vulnerabilities @CCC.Core @CCC.Core.CN01 @tlp-amber @tlp-green @tlp-red @Behavioural @PerPort @tls @object-storage @virtual-machines

Given a cloud api for "{config}" in "api"28µs

Given "report" contains details of SSL Support type "vulnerable" for "{host-name}" on port "{port-number}"2ms

failed to read testssl.sh output: open /tmp/testssl_vulnerable__22.json: no such file or directory

Then "{report}" is an array of objects with at least the following contents14µs

id	severity
heartbleed	OK
CCS	OK
ticketbleed	OK
ROBOT	OK
secure_renego	OK

Scenario: Verify TLS 1.3 only certificate validity @CCC.Core @CCC.Core.CN01 @tlp-amber @tlp-green @tlp-red @Behavioural @PerPort @tls @object-storage @virtual-machines

Given a cloud api for "{config}" in "api"27µs

Given "report" contains details of SSL Support type "server-defaults" for "{host-name}" on port "{port-number}"2ms

failed to read testssl.sh output: open /tmp/testssl_server-defaults__22.json: no such file or directory

Then "{report}" is an array of objects with at least the following contents14µs

id	severity
cert_expirationStatus	OK
cert_chain_of_trust	OK

Feature: CCC.Core.CN01.AR02

Scenario: Verify SSH protocol version @CCC.Core @CCC.Core.CN01 @tlp-amber @tlp-clear @tlp-green @tlp-red @tls @Behavioural @PerPort @ssh @virtual-machines

Given an openssl s_client request to "{port-number}" on "{host-name}" protocol "ssh"380µs

And I refer to "{result}" as "connection"28µs

And "{connection}" state is open32µs

And I close connection "{connection}"32µs

Then "{connection}" state is closed45µs

Scenario: Verify SSH uses strong ciphers @CCC.Core @CCC.Core.CN01 @tlp-amber @tlp-clear @tlp-green @tlp-red @tls @Behavioural @PerPort @ssh @virtual-machines

Given "report" contains details of SSL Support type "each-cipher" for "{host-name}" on port "{port-number}"1ms

failed to read testssl.sh output: open /tmp/testssl_each-cipher__22.json: no such file or directory

Then "{report}" is an array of objects which doesn't contain any of14µs

id	finding
3DES-CBC	offered
RC4	offered
DES-CBC3-SHA	offered

Scenario: Verify SSH server configuration @CCC.Core @CCC.Core.CN01 @tlp-amber @tlp-clear @tlp-green @tlp-red @tls @Behavioural @PerPort @ssh @virtual-machines

Given "report" contains details of SSL Support type "server-defaults" for "{host-name}" on port "{port-number}"1ms

failed to read testssl.sh output: open /tmp/testssl_server-defaults__22.json: no such file or directory

Then "{report}" is an array of objects with at least the following contents13µs

id	finding
cert_expirationStatus	ok
cert_chain_of_trust	passed.

Feature: CCC.Core.CN01.AR03

Scenario: HTTP redirects to HTTPS @CCC.Core @CCC.Core.CN01 @tlp-amber @tlp-green @tlp-red @PerPort @Behavioural @http @tls @object-storage @virtual-machines

Given a client connects to "{host-name}" with protocol "http" on port "80"771µs

And I refer to "{result}" as "connection"25µs

And "{connection}" is not an error42µs

And I transmit "GET / HTTP/1.1\r\nHost: {host-name}\r\n\r\n" to "{connection}"500ms

And I attach "{connection}" to the test output as "HTTP response"133µs

And "{connection.Output}" contains "301"56µs

expected {connection.Output} to contain '301', but got ''

And I call "{connection}" with "Close"16µs

Then "{connection.State}" is "closed"20µs

📎 Attachments:

HTTP response

View JSON (41 bytes)

{"State":"closed","Input":{},"Output":""}

Scenario: FTP traffic is blocked or not exposed @CCC.Core @CCC.Core.CN01 @tlp-amber @tlp-green @tlp-red @PerPort @Behavioural @ftp @tls @object-storage @virtual-machines

Given a client connects to "{host-name}" with protocol "ftp" on port "21"465µs

And I attach "{connection}" to the test output as "FTP response"58µs

And I refer to "{result}" as "connection"27µs

Then "{connection}" is an error30µs

expected {connection} to be an error, got *cloud.Connection

📎 Attachments:

FTP response

View JSON (4 bytes)

null

Scenario: Telnet traffic is blocked or not exposed @CCC.Core @CCC.Core.CN01 @tlp-amber @tlp-green @tlp-red @PerPort @Behavioural @telnet @tls @object-storage @virtual-machines

Given a client connects to "{host-name}" with protocol "telnet" on port "23"426µs

And I attach "{connection}" to the test output as "Telnet response"45µs

And I refer to "{result}" as "connection"28µs

Then "{connection}" is an error31µs

expected {connection} to be an error, got *cloud.Connection

📎 Attachments:

Telnet response

View JSON (4 bytes)

null

Scenario: Only secure protocols are exposed @CCC.Core @CCC.Core.CN01 @tlp-amber @tlp-green @tlp-red @PerPort @Behavioural @tls @object-storage @virtual-machines

Given "report" contains details of SSL Support type "protocols" for "{host-name}" on port "{port-number}"2ms

failed to read testssl.sh output: open /tmp/testssl_protocols__22.json: no such file or directory

Then "{report}" is an array of objects with at least the following contents14µs

id	severity
TLS1_2	OK
TLS1_3	OK

Feature: CCC.Core.CN01.AR07

Scenario: Verify HTTPS uses IANA-assigned port 443 @CCC.Core @CCC.Core.CN01 @tlp-amber @tlp-clear @tlp-green @tlp-red @Behavioural @PerPort @http @tls @object-storage @virtual-machines

Then "{port-number}" is "443"22µs

expected {port-number} to equal '443', got '22'

Feature: CCC.Core.CN01.AR08

Scenario: Verify mTLS requires client certificate authentication @CCC.Core @CCC.Core.CN01 @tlp-amber @tlp-red @tls @Behavioural @PerPort @tls @object-storage @virtual-machines

Given "report" contains details of SSL Support type "server-defaults" for "{host-name}" on port "{port-number}"1ms

failed to read testssl.sh output: open /tmp/testssl_server-defaults__22.json: no such file or directory

Then "{report}" is an array of objects with at least the following contents13µs

id	finding
clientAuth	required

Feature: CCC.Core.CN03.AR01 - Multi-Factor Authentication for Destructive Operations

Scenario: MFA requirement for destructive operations cannot be tested automatically @CCC.Core @CCC.Core.CN03 @PerService @tlp-amber @tlp-green @tlp-red @Behavioural @object-storage @load-balancer @virtual-machines @serverless-computing @NotTestable

Given a cloud api for "{config}" in "api"66µs

Then no-op required289µs

Feature: CCC.Core.CN04.AR01 - Log Administrative Access Attempts

Scenario: Verify admin actions are logged with identity and timestamp @CCC.Core @CCC.Core.CN04 @PerService @tlp-amber @tlp-clear @tlp-green @tlp-red @Behavioural @object-storage @virtual-machines @serverless-computing

Given a cloud api for "{config}" in "api"29µs

And I call "{api}" with "GetServiceAPI" using argument "{service-type}"33µs

And I refer to "{result}" as "theService"25µs

Given I call "{api}" with "GetServiceAPI" using argument "logging"163µs

And I refer to "{result}" as "loggingService"14µs

When I call "{theService}" with "UpdateResourcePolicy"49µs

Then "{result}" is not an error15µs

And I attach "{result}" to the test output as "Policy Update Result"26µs

And we wait for a period of "10000" ms10s

When I call "{loggingService}" with "QueryLogs" using arguments "{resource-name}", "admin", and "{20}"2s

Then "{result}" is not an error24µs

And I refer to "{result}" as "adminLogs"24µs

And I attach "{adminLogs}" to the test output as "Admin Activity Logs"81µs

Then "{adminLogs}" is an array of objects with at least the following contents65µs

result
Succeeded

expected row not found: map[result:Succeeded]

📎 Attachments:

Policy Update Result

View JSON (4 bytes)

null

Admin Activity Logs

View JSON (2 bytes)

[]

Feature: CCC.Core.CN04.AR02 - Log Data Modification Attempts

Scenario: Verify data modifications are logged with identity and timestamp @CCC.Core @CCC.Core.CN04 @PerService @tlp-amber @tlp-red @Behavioural @object-storage @virtual-machines @serverless-computing

Given a cloud api for "{config}" in "api"31µs

Given I call "{api}" with "GetServiceAPI" using argument "{service-type}"56µs

And I refer to "{result}" as "theService"28µs

And I call "{api}" with "GetServiceAPI" using argument "logging"30µs

And I refer to "{result}" as "loggingService"15µs

When I call "{theService}" with "TriggerDataWrite" using argument "{resource-name}"60µs

And I attach "{result}" to the test output as "Data Write Trigger Result"28µs

And we wait for a period of "10000" ms10s

Then I call "{loggingService}" with "QueryLogs" using arguments "{resource-name}", "data-write", and "{20}"58µs

And I refer to "{result}" as "dataLogs"19µs

And I attach "{dataLogs}" to the test output as "Data Write Logs"56µs

Then "{dataLogs}" is an array of objects with at least the following contents40µs

result
Succeeded

field {dataLogs} is not an array

📎 Attachments:

Data Write Trigger Result

View Content (50 bytes)

hostName is required for inbound connection checks

Data Write Logs

View Content (88 bytes)

azure-log-analytics-workspace-id is required to query data logs but is not set in config

Feature: CCC.Core.CN04.AR03 - Log Data Read Attempts

Scenario: Verify data read operations are logged with identity and timestamp @CCC.Core @CCC.Core.CN04 @PerService @tlp-red @Behavioural @object-storage @virtual-machines @serverless-computing

Given a cloud api for "{config}" in "api"76µs

Given I call "{api}" with "GetServiceAPI" using argument "{service-type}"37µs

And I refer to "{result}" as "theService"55µs

And I call "{api}" with "GetServiceAPI" using argument "logging"223µs

And I refer to "{result}" as "loggingService"26µs

When I call "{theService}" with "TriggerDataRead" using argument "{resource-name}"38µs

And I attach "{result}" to the test output as "Data Read Trigger Result"31µs

And we wait for a period of "10000" ms10s

When I call "{loggingService}" with "QueryLogs" using arguments "{resource-name}", "data-read", and "{20}"64µs

Then "{result}" is not an error32µs

expected {result} to not be an error, but got: azure-log-analytics-workspace-id is required to query data logs but is not set in config

And I refer to "{result}" as "readLogs"19µs

And I attach "{readLogs}" to the test output as "Data Read Logs"21µs

Then "{readLogs}" is an array of objects with at least the following contents20µs

result
Succeeded

📎 Attachments:

Data Read Trigger Result

View Content (50 bytes)

hostName is required for inbound connection checks

Feature: CCC.Core.CN05.AR06 - Block All Unauthorized Requests

Scenario: Service prevents data read by user with no access @CCC.Core @CCC.Core.CN05 @PerService @tlp-amber @tlp-green @tlp-red @Destructive @Behavioural @object-storage @virtual-machines @serverless-computing

Given a cloud api for "{config}" in "api"46µs

And I call "{api}" with "GetServiceAPIWithIdentity" using arguments "{service-type}" and "test-user-no-access"78µs

And "{result}" is not an error56µs

And I refer to "{result}" as "userReadableService"19µs

When I call "{userReadableService}" with "TriggerDataRead" using argument "{resource-name}"25µs

Then "{result}" is an error14µs

And I attach "{result}" to the test output as "no-access-trigger-data-read-error.txt"25µs

📎 Attachments:

no-access-trigger-data-read-error.txt

View Content (50 bytes)

hostName is required for inbound connection checks

Feature: CCC.Core.CN07.AR01 - Publish Enumeration Activity Events

Scenario: Enumeration event publishing cannot be tested automatically @CCC.Core @CCC.Core.CN07 @PerService @tlp-amber @tlp-red @Behavioural @NotTestable @object-storage @virtual-machines @serverless-computing

Given a cloud api for "{config}" in "api"46µs

Then no-op required13µs

Feature: CCC.Core.CN07.AR02 - Log Enumeration Activities

Scenario: Enumeration logging cannot be verified automatically @CCC.Core @CCC.Core.CN07 @PerService @tlp-amber @tlp-clear @tlp-green @tlp-red @Behavioural @NotTestable @object-storage @virtual-machines @serverless-computing

Given a cloud api for "{config}" in "api"25µs

Then no-op required12µs

Feature: CCC.Core.CN10.AR01 - Replication Destination Trust

Scenario: Replication destination trust cannot be verified automatically @CCC.Core @CCC.Core.CN10 @PerService @tlp-amber @tlp-green @tlp-red @Behavioural @NotTestable @object-storage @virtual-machines @serverless-computing

Given a cloud api for "{config}" in "api"26µs

Then no-op required14µs

Feature: CCC.Core.CN06.AR01 - Resource Location Compliance

Scenario: Resource region can be retrieved for compliance verification @CCC.Core @CCC.Core.CN06 @PerService @tlp-amber @tlp-green @tlp-red @Behavioural @object-storage @vpc @virtual-machines @serverless-computing

Given a cloud api for "{config}" in "api"60µs

Given I call "{api}" with "GetServiceAPI" using argument "{service-type}"109µs

And I refer to "{result}" as "theService"44µs

When I call "{theService}" with "GetResourceRegion" using argument "{resource-name}"54µs

Then "{result}" is not an error49µs

And I refer to "{result}" as "region"36µs

And I attach "{region}" to the test output as "Resource Region"50µs

Then "{permitted-regions}" is an array of objects with at least the following contents79µs

value
{region}

expected row not found: map[value:{region}]

📎 Attachments:

Resource Region

View Content (7 bytes)

westus2