[New] tests: UAT for monitor+root-owned EICAR under prod default; issue #485

[New] tests/uat/05-monitor-mode.bats: @test asserting monitor
      quarantines a root-owned EICAR in a webuser-owned docroot
      under scan_ignore_root=1 (explicit re-set overrides Dockerfile
      bake); regression test closes the coverage hole that let the
      tier-2 ownership filter regression ship through rc1..rc3;
      issue #485

Author: rfxn

CHANGELOG

@@ -81,6 +81,11 @@ v2.0.1 | Mar 25 2026:
       admits all files regardless of owner so root-owned malware is not silently
       dropped; when 1, scan_ignore_root/user/group ownership filters are applied
       in monitor mode (opt-in, matches rc1..rc3 behavior); issue #485
+[New] tests/uat/05-monitor-mode.bats: UAT scenario asserting monitor quarantines
+      a root-owned EICAR dropped into a webuser-owned docroot under reporter's
+      config (scan_ignore_root=1 + monitor_scan_owner_filters=0 default);
+      regression test closing the coverage hole that let rc1..rc3 ship with the
+      filter bug; issue #485
 
   -- Changes --
 

CHANGELOG.RELEASE

@@ -81,6 +81,11 @@ v2.0.1 | Mar 25 2026:
       admits all files regardless of owner so root-owned malware is not silently
       dropped; when 1, scan_ignore_root/user/group ownership filters are applied
       in monitor mode (opt-in, matches rc1..rc3 behavior); issue #485
+[New] tests/uat/05-monitor-mode.bats: UAT scenario asserting monitor quarantines
+      a root-owned EICAR dropped into a webuser-owned docroot under reporter's
+      config (scan_ignore_root=1 + monitor_scan_owner_filters=0 default);
+      regression test closing the coverage hole that let rc1..rc3 ship with the
+      filter bug; issue #485
 
   -- Changes --
 
@@ -336,3 +341,4 @@ v2.0.1 | Mar 25 2026:
 [Fix] RPM/DEB %pre: defensive detection for dir-vs-symlink cpio conflict; install
       no longer fails with "rename failed - Is a directory" when prior install.sh
       or partial install left real directories at symlink-target paths
+

tests/uat/05-monitor-mode.bats

@@ -93,6 +93,64 @@ teardown_file() {
     [ "$status" -eq 0 ] || [ "$status" -eq 124 ]
 }
 
+# bats test_tags=uat,uat:monitor-mode,uat:issue-485,regression
+@test "UAT: monitor quarantines root-owned EICAR in webuser docroot under scan_ignore_root=1" {
+    if ! command -v inotifywait >/dev/null 2>&1; then
+        skip "inotifywait not available"
+    fi
+
+    # Ensure webuser-like account exists for docroot ownership
+    if ! id webuser >/dev/null 2>&1; then
+        useradd -m -s /bin/bash webuser 2>/dev/null || skip "useradd unavailable"
+    fi
+
+    # Mirror reporter's config: scan_ignore_root=1 (override Dockerfile bake)
+    # + monitor_scan_owner_filters=0 (the new default post-fix; pin explicitly
+    # for defense against image-cache variance). Together: scan -a would filter
+    # root-owned, but monitor should NOT under the fix.
+    uat_lmd_set_config scan_ignore_root 1
+    uat_lmd_set_config monitor_scan_owner_filters 0
+
+    # Create webuser-owned docroot inside the monitored tree
+    local _docroot="$MONITOR_DIR/webuser-docroot"
+    mkdir -p "$_docroot"
+    chown webuser:webuser "$_docroot"
+    chmod 755 "$_docroot"
+
+    # Start monitor
+    maldet -b -m "$MONITOR_DIR" > /dev/null 2>&1
+
+    if ! uat_wait_for_log "$MALDET_LOG" "inotify startup successful" 15; then
+        skip "Monitor did not start in time (Docker limitation)"
+    fi
+
+    # Drop a root-owned EICAR into the webuser docroot — exact compromise
+    # shape targeted by issue #485 fix
+    local _eicar_path="$_docroot/root-payload.php"
+    # shellcheck disable=SC2016
+    printf '%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' \
+        > "$_eicar_path"
+    # File is root-owned by default
+
+    # Wait for monitor cycle to detect + quarantine
+    if ! uat_wait_for_condition \
+            "grep -rl 'root-payload.php' '$LMD_INSTALL/sess/' 2>/dev/null" 30; then
+        skip "Monitor detection did not trigger in time (Docker limitation)"
+    fi
+
+    # Assert hit in session files
+    run grep -rl "root-payload.php" "$LMD_INSTALL/sess/" 2>/dev/null
+    assert_success
+
+    # Assert quarantine actually occurred (file no longer in docroot)
+    [ ! -f "$_eicar_path" ] || {
+        echo "file still present in docroot — quarantine did not fire" >&2
+        false
+    }
+
+    rm -rf "$_docroot"
+}
+
 # bats test_tags=uat,uat:monitor-mode
 @test "UAT: monitor stop kills inotify processes" {
     if ! command -v inotifywait >/dev/null 2>&1; then