From: Jiri J. <jja...@re...> - 2013-02-26 16:49:39
Hi,

during our audit-test porting for RHEL7, we (me, Miroslav Vadkerti and Ondrej Moris) identified several areas where the current suite could be improved while retaining full compatibility with the current suite version. The changes have undergone "retention" testing on RHEL6, ensuring that the compatibility is indeed retained. Please feel free to comment on any of them. The patches are attached via In-Reply-To/References to this mail.

Thanks,
Jiri
From: Jiri J. <jja...@re...> - 2013-02-26 16:52:26
Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/network/system/Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/audit-test/network/system/Makefile b/audit-test/network/system/Makefile index e7334ba..dc8a8ff 100644 --- a/audit-test/network/system/Makefile +++ b/audit-test/network/system/Makefile @@ -75,6 +75,7 @@ install_setrans: echo "s1:c1.c3=NetIncomp1"; \ echo "s1:c4.c6=NetIncomp2"; \ echo "s0:c0=NetLowIncomp") >> /etc/selinux/mls/setrans.conf + chkconfig mcstrans on install_netlabel: install -o root -g root -m 640 --backup=t netlabel.rules /etc -- 1.7.11.7 |
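Review bot: `chkconfig mcstrans on` in install_setrans only enables the service for subsequent boots; it does not start the daemon, and a running mcstransd does not pick up the mappings just appended to /etc/selinux/mls/setrans.conf. If the mappings are needed by the test run that follows `make install`, add `service mcstrans restart` (or start) after the chkconfig line. Also note that each recipe line is run separately by make, so on a host without the mcstrans package this line now aborts the whole install target; either prefix it with `-` or state in the commit message that mcstrans is a hard requirement of the network/system tests.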
From: Jiri J. <jja...@re...> - 2013-02-26 16:52:26
Signed-off-by: Jiri Jaburek <jja...@re...> --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 12e0075..86aa53b 100644 --- a/Makefile +++ b/Makefile @@ -44,7 +44,7 @@ run: done make report -.PHONE: report +.PHONY: report report: systeminfo summary @tarball="logs-$$(date +'%m%d%Y_%H%M').tar.gz"; \ tar zcvf logs-$$(date +"%m%d%Y_%H%M").tar.gz $$(find . -name "*.log"); \ -- 1.7.11.7 |
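Review bot: the `.PHONE` to `.PHONY` fix is correct; the misspelled special target was silently ignored, so `make report` would have been skipped whenever a file named `report` existed. While in this recipe: `tarball` is computed with one `date` call and the next line calls `date` a second time instead of using the variable, so if the two calls straddle a minute boundary the archive name differs from what `$$tarball` holds. Suggest `tar zcvf "$$tarball" $$(find . -name "*.log"); \` so the variable is the single source of the name.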
From: Jiri J. <jja...@re...> - 2013-02-26 16:52:27
Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/trustedprograms/tests/tp_auth_functions.bash | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/audit-test/trustedprograms/tests/tp_auth_functions.bash b/audit-test/trustedprograms/tests/tp_auth_functions.bash index 1c4939b..9f0ffee 100644 --- a/audit-test/trustedprograms/tests/tp_auth_functions.bash +++ b/audit-test/trustedprograms/tests/tp_auth_functions.bash @@ -82,8 +82,8 @@ function user_cleanup { read group gid <<<"$(generate_unique_group)" read user uid <<<"$(generate_unique_user)" +prepend_cleanup "grep -q '^$user:' /etc/passwd && { killall -9 -u '$user' ; userdel -r '$user'; }" prepend_cleanup "grep -q '^$group:' /etc/group && groupdel '$group'" -prepend_cleanup "grep -q '^$user:' /etc/passwd && userdel -r '$user'" set -x -- 1.7.11.7 |
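Review bot: moving the user cleanup above the group cleanup changes the execution order, not only the source order. If prepend_cleanup, as its name suggests, registers each command to run before the previously registered ones, then after this patch `groupdel '$group'` runs before `userdel -r '$user'`; when `$user` was created with `$group` as its primary group, groupdel refuses to remove a user's primary group and the group leaks. If the intent was only to add the killall, keep the original registration order (group first, user second) and change the user line in place. Separately, `killall -9 -u '$user'` sends SIGKILL immediately; a SIGTERM pass with a short wait before SIGKILL would let test helpers close files under the home directory before `userdel -r` removes it.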
From: Jiri J. <jja...@re...> - 2013-02-26 16:53:10
Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/utils/run.bash | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/audit-test/utils/run.bash b/audit-test/utils/run.bash index bab0f18..74f8c5f 100755 --- a/audit-test/utils/run.bash +++ b/audit-test/utils/run.bash @@ -272,6 +272,8 @@ function cleanup { # XXX use prepend_cleanup in startup if [[ -n $TEST_USER ]]; then # Remove the test user + dmsg "Killing all processes for $TEST_USER" + killall -9 -u "$TEST_USER" dmsg "Removing user $TEST_USER" userdel -r "$TEST_USER" &>/dev/null dmsg "Removing group $TEST_USER" @@ -282,6 +284,8 @@ function cleanup { # XXX use prepend_cleanup in startup if [[ -n $TEST_ADMIN ]]; then # Remove the test user + dmsg "Killing all processes for $TEST_ADMIN" + killall -9 -u "$TEST_ADMIN" dmsg "Removing user $TEST_ADMIN" userdel -r "$TEST_ADMIN" &>/dev/null dmsg "Removing group $TEST_ADMIN" -- 1.7.11.7 |
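Review bot: in both hunks the new `killall -9 -u "$TEST_USER"` (and the TEST_ADMIN twin) is the only command in the block whose output is not redirected; when the account owns no processes, killall prints "no process found" on stderr and returns 1, so every clean run will now carry that message, unlike the neighbouring `userdel -r ... &>/dev/null`. Suggest `killall -9 -u "$TEST_USER" &>/dev/null` (or `killall -q`), and consider a SIGTERM before SIGKILL so that processes still writing under the home directory exit cleanly before `userdel -r` deletes it. The two blocks are now identical apart from the variable name; a small `remove_test_account <name>` helper would keep them from drifting apart.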
From: Jiri J. <jja...@re...> - 2013-02-26 16:53:11
Might happen if the environment is not pristine. Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/utils/run.bash | 2 ++ 1 file changed, 2 insertions(+) diff --git a/audit-test/utils/run.bash b/audit-test/utils/run.bash index 586f231..bab0f18 100755 --- a/audit-test/utils/run.bash +++ b/audit-test/utils/run.bash @@ -245,6 +245,7 @@ function startup { dmsg "Adding user $TEST_USER" useradd -g "$TEST_USER" -G wheel -m "$TEST_USER" || die echo "$TEST_USER_PASSWD" | passwd --stdin $TEST_USER + faillock --user "$TEST_USER" --reset # Add the test user which is in sysadm_r userdel -r "$TEST_ADMIN" &>/dev/null @@ -258,6 +259,7 @@ function startup { useradd -g "$TEST_ADMIN" -G wheel -m "$TEST_ADMIN" || die fi echo "$TEST_ADMIN_PASSWD" | passwd --stdin $TEST_ADMIN + faillock --user "$TEST_ADMIN" --reset startup_hook } -- 1.7.11.7 |
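Review bot: `faillock --user "$TEST_USER" --reset` (and the TEST_ADMIN line) has no error handling, unlike the `useradd ... || die` just above it; on a host that does not ship the faillock binary the line fails with "command not found" and startup continues as if the reset had happened. Either guard it with `command -v faillock >/dev/null && faillock --user "$TEST_USER" --reset` or state in the commit message that pam_faillock is now assumed by the harness. The message should also say what "might happen": a lockout left over from failed logins in a reused environment, which is what the reset clears. Minor: the `passwd --stdin $TEST_USER` lines leave the variable unquoted while the new lines quote it; worth making consistent.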
From: Jiri J. <jja...@re...> - 2013-02-26 16:53:11
Allows for more customizable test environment. (ie. -j TRACE as first rule, before test) Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/netfilebt/run.conf | 64 +++++++++++++++--------------- audit-test/netfilter/run.conf | 92 +++++++++++++++++++++---------------------- 2 files changed, 78 insertions(+), 78 deletions(-) diff --git a/audit-test/netfilebt/run.conf b/audit-test/netfilebt/run.conf index 0f81483..5366ef6 100644 --- a/audit-test/netfilebt/run.conf +++ b/audit-test/netfilebt/run.conf 
@@ -623,100 +623,100 @@ function run_test { case $tnum in 2) - ebtables -I INPUT 1 -i $LOCAL_SEC_DEV -j AUDIT_DROP + ebtables -A INPUT -i $LOCAL_SEC_DEV -j AUDIT_DROP ;; 4) - ebtables -I INPUT 1 -p IPv4 --ip-source $SECNET_SVR_IPV4 -j AUDIT_DROP + ebtables -A INPUT -p IPv4 --ip-source $SECNET_SVR_IPV4 -j AUDIT_DROP ;; 5) - ebtables -I INPUT 1 -p IPv4 --ip-destination $LOCAL_SEC_IPV4 -j AUDIT_DROP + ebtables -A INPUT -p IPv4 --ip-destination $LOCAL_SEC_IPV4 -j AUDIT_DROP ;; 7) - ebtables -I INPUT 1 -p IPv4 --ip-proto TCP --ip-source-port $tst_port1 -j AUDIT_DROP + ebtables -A INPUT -p IPv4 --ip-proto TCP --ip-source-port $tst_port1 -j AUDIT_DROP ;; 8) - ebtables -I INPUT 1 -p IPv4 --ip-proto TCP --ip-destination-port $tst_port1 -j AUDIT_DROP + ebtables -A INPUT -p IPv4 --ip-proto TCP --ip-destination-port $tst_port1 -j AUDIT_DROP ;; 10) - ebtables -I INPUT 1 -p IPv4 --ip-proto UDP --ip-source-port 30000:60000 -j AUDIT_DROP + ebtables -A INPUT -p IPv4 --ip-proto UDP --ip-source-port 30000:60000 -j AUDIT_DROP ;; 11) - ebtables -I INPUT 1 -p IPv4 --ip-proto UDP --ip-destination-port $tst_port1 -j AUDIT_DROP + ebtables -A INPUT -p IPv4 --ip-proto UDP --ip-destination-port $tst_port1 -j AUDIT_DROP ;; 13) - ebtables -I INPUT 1 -p IPv4 --ip-proto TCP --ip-destination-port 22 -j AUDIT_ACCEPT - ebtables -I INPUT 2 -p IPv4 --ip-proto TCP --ip-destination-port $tst_port1 -j AUDIT_ACCEPT + ebtables -A INPUT -p IPv4 --ip-proto TCP --ip-destination-port 22 -j AUDIT_ACCEPT + ebtables -A INPUT -p IPv4 --ip-proto TCP --ip-destination-port $tst_port1 -j AUDIT_ACCEPT ebtables -P INPUT DROP ;; 14) - ebtables -I INPUT 1 -p IPv4 --ip-proto TCP --ip-destination-port 22 -j AUDIT_ACCEPT + ebtables -A INPUT -p IPv4 --ip-proto TCP --ip-destination-port 22 -j AUDIT_ACCEPT ebtables -P INPUT DROP ;; 15) - ebtables -I INPUT 1 --logical-in $BRIDGE_FILTER -j AUDIT_ACCEPT + ebtables -A INPUT --logical-in $BRIDGE_FILTER -j AUDIT_ACCEPT ;; 16) - ebtables -I INPUT 1 --logical-in $BRIDGE_FILTER -j 
AUDIT_DROP + ebtables -A INPUT --logical-in $BRIDGE_FILTER -j AUDIT_DROP ;; 17) - ebtables -I INPUT 1 -s $SECNET_SVR_MAC -j AUDIT_ACCEPT + ebtables -A INPUT -s $SECNET_SVR_MAC -j AUDIT_ACCEPT ;; 18) - ebtables -I INPUT 1 -s $SECNET_SVR_MAC -j AUDIT_DROP + ebtables -A INPUT -s $SECNET_SVR_MAC -j AUDIT_DROP ;; 19) - ebtables -I INPUT 1 -d $LOCAL_SEC_MAC -j AUDIT_ACCEPT + ebtables -A INPUT -d $LOCAL_SEC_MAC -j AUDIT_ACCEPT ;; 20) - ebtables -I INPUT 1 -d $LOCAL_SEC_MAC -j AUDIT_DROP + ebtables -A INPUT -d $LOCAL_SEC_MAC -j AUDIT_DROP ;; 22) - ebtables -I INPUT 1 -i $LOCAL_SEC_DEV -j AUDIT_DROP + ebtables -A INPUT -i $LOCAL_SEC_DEV -j AUDIT_DROP ;; 24) - ebtables -I INPUT 1 -p IPv6 --ip6-source $SECNET_SVR_IPV6 -j AUDIT_DROP + ebtables -A INPUT -p IPv6 --ip6-source $SECNET_SVR_IPV6 -j AUDIT_DROP ;; 25) - ebtables -I INPUT 1 -p IPv6 --ip6-destination $LOCAL_SEC_IPV6 -j AUDIT_DROP + ebtables -A INPUT -p IPv6 --ip6-destination $LOCAL_SEC_IPV6 -j AUDIT_DROP ;; 27) - ebtables -I INPUT 1 -p IPv6 --ip6-proto TCP --ip6-source-port $tst_port1 -j AUDIT_DROP + ebtables -A INPUT -p IPv6 --ip6-proto TCP --ip6-source-port $tst_port1 -j AUDIT_DROP ;; 28) - ebtables -I INPUT 1 -p IPv6 --ip6-proto TCP --ip6-destination-port $tst_port1 -j AUDIT_DROP + ebtables -A INPUT -p IPv6 --ip6-proto TCP --ip6-destination-port $tst_port1 -j AUDIT_DROP ;; 30) - ebtables -I INPUT 1 -p IPv6 --ip6-proto UDP --ip6-source-port 30000:60000 -j AUDIT_DROP + ebtables -A INPUT -p IPv6 --ip6-proto UDP --ip6-source-port 30000:60000 -j AUDIT_DROP ;; 31) - ebtables -I INPUT 1 -p IPv6 --ip6-proto UDP --ip6-destination-port $tst_port1 -j AUDIT_DROP + ebtables -A INPUT -p IPv6 --ip6-proto UDP --ip6-destination-port $tst_port1 -j AUDIT_DROP ;; 33) - ebtables -I INPUT 1 -p IPv6 --ip6-proto TCP --ip6-destination-port 22 -j AUDIT_ACCEPT - ebtables -I INPUT 2 -p IPv6 --ip6-proto TCP --ip6-destination-port $tst_port1 -j AUDIT_ACCEPT + ebtables -A INPUT -p IPv6 --ip6-proto TCP --ip6-destination-port 22 -j AUDIT_ACCEPT + 
ebtables -A INPUT -p IPv6 --ip6-proto TCP --ip6-destination-port $tst_port1 -j AUDIT_ACCEPT ebtables -P INPUT DROP ;; 34) - ebtables -I INPUT 1 -p IPv6 --ip6-proto TCP --ip6-destination-port 22 -j AUDIT_ACCEPT + ebtables -A INPUT -p IPv6 --ip6-proto TCP --ip6-destination-port 22 -j AUDIT_ACCEPT ebtables -P INPUT DROP ;; 35) - ebtables -I INPUT 1 --logical-in $BRIDGE_FILTER -j AUDIT_ACCEPT + ebtables -A INPUT --logical-in $BRIDGE_FILTER -j AUDIT_ACCEPT ;; 36) - ebtables -I INPUT 1 --logical-in $BRIDGE_FILTER -j AUDIT_DROP + ebtables -A INPUT --logical-in $BRIDGE_FILTER -j AUDIT_DROP ;; 37) - ebtables -I INPUT 1 -s $SECNET_SVR_MAC -j AUDIT_ACCEPT + ebtables -A INPUT -s $SECNET_SVR_MAC -j AUDIT_ACCEPT ;; 38) - ebtables -I INPUT 1 -s $SECNET_SVR_MAC -j AUDIT_DROP + ebtables -A INPUT -s $SECNET_SVR_MAC -j AUDIT_DROP ;; 39) - ebtables -I INPUT 1 -d $LOCAL_SEC_MAC -j AUDIT_ACCEPT + ebtables -A INPUT -d $LOCAL_SEC_MAC -j AUDIT_ACCEPT ;; 40) - ebtables -I INPUT 1 -d $LOCAL_SEC_MAC -j AUDIT_DROP + ebtables -A INPUT -d $LOCAL_SEC_MAC -j AUDIT_DROP ;; *) sleep 1 diff --git a/audit-test/netfilter/run.conf b/audit-test/netfilter/run.conf index 1979445..3331a4d 100644 --- a/audit-test/netfilter/run.conf +++ b/audit-test/netfilter/run.conf @@ -695,7 +695,7 @@ function run_test { actv=1 ;; 6) - iptables -I INPUT 1 -p tcp --sport $tst_port1 -j AUDIT_REJECT + iptables -A INPUT -p tcp --sport $tst_port1 -j AUDIT_REJECT protov=6 actv=2 ;; @@ -705,7 +705,7 @@ function run_test { actv=1 ;; 10) - iptables -I INPUT 1 -p tcp --dport $tst_port1 -j AUDIT_REJECT + iptables -A INPUT -p tcp --dport $tst_port1 -j AUDIT_REJECT proto=6 actv=2 ;; 
@@ -715,17 +715,17 @@ function run_test { actv=2 ;; 14) - iptables -I OUTPUT 1 -p udp --sport 30000:60000 -j AUDIT_DROP + iptables -A OUTPUT -p udp --sport 30000:60000 -j AUDIT_DROP proto=17 actv=1 ;; 16) - ip6tables -I OUTPUT 1 -p udp --sport 30000:60000 -j AUDIT_DROP + ip6tables -A OUTPUT -p udp --sport 30000:60000 -j AUDIT_DROP proto=17 actv=1 ;; 18) - iptables -I OUTPUT 1 -p udp --dport $tst_port1 -j AUDIT_REJECT + iptables -A OUTPUT -p udp --dport $tst_port1 -j AUDIT_REJECT proto=17 actv=2 ;; @@ -735,12 +735,12 @@ function run_test { actv=2 ;; 22) - iptables -I INPUT 1 -d 127.0.0.1 -j AUDIT_DROP + iptables -A INPUT -d 127.0.0.1 -j AUDIT_DROP proto=6 actv=1 ;; 24) - ip6tables -I INPUT 1 -d ::1 -j AUDIT_DROP + ip6tables -A INPUT -d ::1 -j AUDIT_DROP protov=6 actv=1 ;; @@ -755,12 +755,12 @@ function run_test { actv=2 ;; 29) - iptables -I INPUT 1 -p icmp --icmp-type echo-reply -j AUDIT_DROP + iptables -A INPUT -p icmp --icmp-type echo-reply -j AUDIT_DROP protov=1 actv=1 ;; 30) - iptables -I INPUT 1 -p icmp --icmp-type echo-reply -j AUDIT_ACCEPT + iptables -A INPUT -p icmp --icmp-type echo-reply -j AUDIT_ACCEPT protov=1 actv=0 ;; @@ -785,9 +785,9 @@ function run_test { 33 | 34) iptables -P INPUT DROP # add rule to make sure our ssh session stays alive - iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT + iptables -A INPUT -p tcp --dport 22 -j ACCEPT sleep 1 - iptables -I INPUT 2 -p tcp -m multiport --dports 4000,$tst_port2 -j AUDIT_ACCEPT + iptables -A INPUT -p tcp -m multiport --dports 4000,$tst_port2 -j AUDIT_ACCEPT iptables -A INPUT -p tcp --dport 30000:60000 -j AUDIT_ACCEPT sleep 1 setup_default 
@@ -805,124 +805,124 @@ function run_test { protov=6 ;; 38) - iptables -I INPUT 1 -p tcp --tcp-flags ALL SYN -j AUDIT_REJECT + iptables -A INPUT -p tcp --tcp-flags ALL SYN -j AUDIT_REJECT actv=2 protov=6 ;; 40) - ip6tables -I INPUT 1 -p tcp --tcp-flags ALL SYN -j AUDIT_REJECT + ip6tables -A INPUT -p tcp --tcp-flags ALL SYN -j AUDIT_REJECT actv=2 protov=6 ;; 42) - iptables -I INPUT 1 -p tcp --dport $tst_port1 --tcp-flags ALL ACK -j LOG --log-prefix "ack received ipv4" - iptables -I INPUT 2 -p tcp --dport $tst_port1 --tcp-flags ALL ACK -j AUDIT_ACCEPT + iptables -A INPUT -p tcp --dport $tst_port1 --tcp-flags ALL ACK -j LOG --log-prefix "ack received ipv4" + iptables -A INPUT -p tcp --dport $tst_port1 --tcp-flags ALL ACK -j AUDIT_ACCEPT logrotate -f /etc/logrotate.d/syslog actv=0 protov=6 ;; 44) - ip6tables -I INPUT 1 -i lo -p tcp --dport $tst_port1 --tcp-flags ALL ACK -j LOG --log-prefix "ack received ipv6" - ip6tables -I INPUT 2 -i lo -p tcp --dport $tst_port1 --tcp-flags ALL ACK -j AUDIT_ACCEPT + ip6tables -A INPUT -i lo -p tcp --dport $tst_port1 --tcp-flags ALL ACK -j LOG --log-prefix "ack received ipv6" + ip6tables -A INPUT -i lo -p tcp --dport $tst_port1 --tcp-flags ALL ACK -j AUDIT_ACCEPT logrotate -f /etc/logrotate.d/syslog actv=0 protov=6 ;; 45) - ip6tables -I INPUT 1 -p tcp --dport 4000 --tcp-flags ALL RST -j LOG --log-prefix "rst received ipv6" - ip6tables -I INPUT 2 -p tcp --dport 4000 --tcp-flags ALL RST -j AUDIT_ACCEPT + ip6tables -A INPUT -p tcp --dport 4000 --tcp-flags ALL RST -j LOG --log-prefix "rst received ipv6" + ip6tables -A INPUT -p tcp --dport 4000 --tcp-flags ALL RST -j AUDIT_ACCEPT logrotate -f /etc/logrotate.d/syslog actv=0 protov=6 ;; 46) - iptables -I INPUT 1 -i lo -p tcp --sport 4000 --tcp-flags RST RST -j LOG --log-prefix "rst received ipv4" - iptables -I INPUT 2 -i lo -p tcp --sport 4000 --tcp-flags RST RST -j AUDIT_ACCEPT + iptables -A INPUT -i lo -p tcp --sport 4000 --tcp-flags RST RST -j LOG --log-prefix "rst received ipv4" + 
iptables -A INPUT -i lo -p tcp --sport 4000 --tcp-flags RST RST -j AUDIT_ACCEPT logrotate -f /etc/logrotate.d/syslog actv=0 protov=6 ;; 47) - iptables -I INPUT 1 -p tcp --dport $tst_port1 --tcp-flags PSH PSH -j LOG --log-prefix "push received ipv4" - iptables -I INPUT 2 -p tcp --dport $tst_port1 --tcp-flags PSH PSH -j AUDIT_ACCEPT + iptables -A INPUT -p tcp --dport $tst_port1 --tcp-flags PSH PSH -j LOG --log-prefix "push received ipv4" + iptables -A INPUT -p tcp --dport $tst_port1 --tcp-flags PSH PSH -j AUDIT_ACCEPT logrotate -f /etc/logrotate.d/syslog actv=0 protov=6 ;; 48) - ip6tables -I INPUT 1 -i lo -p tcp --dport $tst_port1 --tcp-flags PSH PSH -j LOG --log-prefix "push received ipv6" - ip6tables -I INPUT 2 -i lo -p tcp --dport $tst_port1 --tcp-flags PSH PSH -j AUDIT_ACCEPT + ip6tables -A INPUT -i lo -p tcp --dport $tst_port1 --tcp-flags PSH PSH -j LOG --log-prefix "push received ipv6" + ip6tables -A INPUT -i lo -p tcp --dport $tst_port1 --tcp-flags PSH PSH -j AUDIT_ACCEPT logrotate -f /etc/logrotate.d/syslog actv=0 protov=6 ;; 49) - iptables -I INPUT 1 -p tcp --sport $tst_port1 --tcp-flags FIN FIN -j LOG --log-prefix "fin received ipv4" - iptables -I INPUT 2 -p tcp --sport $tst_port1 --tcp-flags FIN FIN -j AUDIT_ACCEPT + iptables -A INPUT -p tcp --sport $tst_port1 --tcp-flags FIN FIN -j LOG --log-prefix "fin received ipv4" + iptables -A INPUT -p tcp --sport $tst_port1 --tcp-flags FIN FIN -j AUDIT_ACCEPT logrotate -f /etc/logrotate.d/syslog actv=0 protov=6 ;; 50) - ip6tables -I INPUT 1 -i lo -p tcp --sport $tst_port1 --tcp-flags ALL FIN,ACK -j LOG --log-prefix "fin received ipv6" - ip6tables -I INPUT 2 -i lo -p tcp --sport $tst_port1 --tcp-flags ALL FIN,ACK -j AUDIT_ACCEPT + ip6tables -A INPUT -i lo -p tcp --sport $tst_port1 --tcp-flags ALL FIN,ACK -j LOG --log-prefix "fin received ipv6" + ip6tables -A INPUT -i lo -p tcp --sport $tst_port1 --tcp-flags ALL FIN,ACK -j AUDIT_ACCEPT logrotate -f /etc/logrotate.d/syslog actv=0 protov=6 ;; 51) - iptables -I INPUT 1 
-i lo -p tcp --dport $tst_port1 --tcp-flags URG URG -j LOG --log-prefix "urgent received ipv4" - iptables -I INPUT 2 -i lo -p tcp --dport $tst_port1 --tcp-flags URG URG -j AUDIT_ACCEPT + iptables -A INPUT -i lo -p tcp --dport $tst_port1 --tcp-flags URG URG -j LOG --log-prefix "urgent received ipv4" + iptables -A INPUT -i lo -p tcp --dport $tst_port1 --tcp-flags URG URG -j AUDIT_ACCEPT logrotate -f /etc/logrotate.d/syslog actv=0 protov=6 ;; 52) - ip6tables -I INPUT 1 -i lo -p tcp --dport $tst_port1 --tcp-flags URG URG -j LOG --log-prefix "urgent received ipv6" - ip6tables -I INPUT 2 -i lo -p tcp --dport $tst_port1 --tcp-flags URG URG -j AUDIT_ACCEPT + ip6tables -A INPUT -i lo -p tcp --dport $tst_port1 --tcp-flags URG URG -j LOG --log-prefix "urgent received ipv6" + ip6tables -A INPUT -i lo -p tcp --dport $tst_port1 --tcp-flags URG URG -j AUDIT_ACCEPT logrotate -f /etc/logrotate.d/syslog actv=0 protov=6 ;; 53) - iptables -I INPUT 1 -p tcp --dport $tst_port1 -m conntrack --ctstate NEW -j LOG --log-prefix "NEW state ipv4" - iptables -I INPUT 2 -p tcp --dport $tst_port1 -m conntrack --ctstate NEW -j AUDIT_ACCEPT + iptables -A INPUT -p tcp --dport $tst_port1 -m conntrack --ctstate NEW -j LOG --log-prefix "NEW state ipv4" + iptables -A INPUT -p tcp --dport $tst_port1 -m conntrack --ctstate NEW -j AUDIT_ACCEPT actv=0 protov=6 ;; 54) - iptables -I INPUT 1 -i lo -m conntrack --ctstate RELATED -j LOG --log-prefix "RELATED state ipv4" - iptables -I INPUT 2 -p tcp --dport $tst_port1 -j AUDIT_REJECT + iptables -A INPUT -i lo -m conntrack --ctstate RELATED -j LOG --log-prefix "RELATED state ipv4" + iptables -A INPUT -p tcp --dport $tst_port1 -j AUDIT_REJECT actv=2 protov=6 ;; 55) - ip6tables -I INPUT 1 -p tcp --dport $tst_port1 -m state --state NEW -j LOG --log-prefix "NEW state ipv6" - ip6tables -I INPUT 2 -p tcp --dport $tst_port1 -m state --state NEW -j AUDIT_ACCEPT + ip6tables -A INPUT -p tcp --dport $tst_port1 -m state --state NEW -j LOG --log-prefix "NEW state ipv6" + 
ip6tables -A INPUT -p tcp --dport $tst_port1 -m state --state NEW -j AUDIT_ACCEPT actv=0 protov=6 ;; 56) - ip6tables -I INPUT 1 -i lo -m state --state RELATED -j LOG --log-prefix "RELATED state ipv6" - ip6tables -I INPUT 2 -p tcp --dport $tst_port1 -j AUDIT_REJECT + ip6tables -A INPUT -i lo -m state --state RELATED -j LOG --log-prefix "RELATED state ipv6" + ip6tables -A INPUT -p tcp --dport $tst_port1 -j AUDIT_REJECT actv=2 protov=6 ;; 57) - iptables -I INPUT 1 -p tcp --dport $tst_port1 -m conntrack --ctstate ESTABLISHED -j LOG --log-prefix "ESTABLISHED state ipv4" - iptables -I INPUT 2 -p tcp --dport $tst_port1 -m conntrack --ctstate ESTABLISHED -j AUDIT_ACCEPT + iptables -A INPUT -p tcp --dport $tst_port1 -m conntrack --ctstate ESTABLISHED -j LOG --log-prefix "ESTABLISHED state ipv4" + iptables -A INPUT -p tcp --dport $tst_port1 -m conntrack --ctstate ESTABLISHED -j AUDIT_ACCEPT actv=0 protov=6 ;; 58) - ip6tables -I INPUT 1 -p tcp --dport $tst_port1 -m state --state ESTABLISHED -j LOG --log-prefix "ESTABLISHED state ipv6" - ip6tables -I INPUT 2 -p tcp --dport $tst_port1 -m state --state ESTABLISHED -j AUDIT_ACCEPT + ip6tables -A INPUT -p tcp --dport $tst_port1 -m state --state ESTABLISHED -j LOG --log-prefix "ESTABLISHED state ipv6" + ip6tables -A INPUT -p tcp --dport $tst_port1 -m state --state ESTABLISHED -j AUDIT_ACCEPT actv=0 protov=6 ;; 60) # put in rule to prevent ssh session packets from dropping. - iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT + iptables -A INPUT -p tcp --dport 22 -j ACCEPT iptables -A INPUT -i $LOCAL_DEV -j DROP ;; 62) -- 1.7.11.7 |
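Review bot: replacing every `-I INPUT 1` (and `-I INPUT 2`, `-I OUTPUT 1`) with `-A` puts each test rule at the end of whatever the chain already holds, so the test outcome now depends on the pre-existing ruleset and not only on the rule under test. That is what the commit message wants for a leading non-terminating rule, but any terminating rule already in the chain (an ACCEPT for the test port, or a DROP-all) would shadow the audit rule and the test would fail, or pass for the wrong reason. Please state in the message that run_test assumes the INPUT/OUTPUT chains contain only non-terminating rules, and enforce it, for example by flushing the chain in setup and printing `iptables -S INPUT` before the case. Note also that `-j TRACE` is only valid in the raw table, so a LOG rule is the realistic filter-chain example for the message. The relative order inside the multi-rule cases (ebtables 13 and 33, iptables 42 through 58) is preserved because both lines are appended in sequence, and in 33|34 and 60 the ssh ACCEPT still precedes the DROP policy/rule, so those remain safe for a remote session.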
From: Jiri J. <jja...@re...> - 2013-02-26 16:53:11
The deprecated -L display doesn't print additional information like interfaces and possibly other advanced options one might have used. Not to mention tables other than 'filter'. xtables-save has none of these disadvantages and furthermore prints rules in a more friendly way. Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/netfilebt/run.conf | 34 ++++----------------------------- audit-test/netfilter/run.conf | 44 ++++++------------------------------------- 2 files changed, 10 insertions(+), 68 deletions(-) diff --git a/audit-test/netfilebt/run.conf b/audit-test/netfilebt/run.conf index 34e9408..0f81483 100644 --- a/audit-test/netfilebt/run.conf +++ b/audit-test/netfilebt/run.conf 
@@ -624,129 +624,99 @@ function run_test { case $tnum in 2) ebtables -I INPUT 1 -i $LOCAL_SEC_DEV -j AUDIT_DROP - ebtables -L --Ln ;; 4) ebtables -I INPUT 1 -p IPv4 --ip-source $SECNET_SVR_IPV4 -j AUDIT_DROP - ebtables -L --Ln ;; 5) ebtables -I INPUT 1 -p IPv4 --ip-destination $LOCAL_SEC_IPV4 -j AUDIT_DROP - ebtables -L --Ln ;; 7) ebtables -I INPUT 1 -p IPv4 --ip-proto TCP --ip-source-port $tst_port1 -j AUDIT_DROP - ebtables -L --Ln ;; 8) ebtables -I INPUT 1 -p IPv4 --ip-proto TCP --ip-destination-port $tst_port1 -j AUDIT_DROP - iptables -L --line-numbers -n ;; 10) ebtables -I INPUT 1 -p IPv4 --ip-proto UDP --ip-source-port 30000:60000 -j AUDIT_DROP - ebtables -L --Ln ;; 11) ebtables -I INPUT 1 -p IPv4 --ip-proto UDP --ip-destination-port $tst_port1 -j AUDIT_DROP - ebtables -L --Ln ;; 13) ebtables -I INPUT 1 -p IPv4 --ip-proto TCP --ip-destination-port 22 -j AUDIT_ACCEPT ebtables -I INPUT 2 -p IPv4 --ip-proto TCP --ip-destination-port $tst_port1 -j AUDIT_ACCEPT ebtables -P INPUT DROP - ebtables -L --Ln ;; 14) ebtables -I INPUT 1 -p IPv4 --ip-proto TCP --ip-destination-port 22 -j AUDIT_ACCEPT ebtables -P INPUT DROP - ebtables -L --Ln ;; 15) ebtables -I INPUT 1 --logical-in $BRIDGE_FILTER -j AUDIT_ACCEPT - ebtables -L --Ln ;; 16) ebtables -I INPUT 1 --logical-in $BRIDGE_FILTER -j AUDIT_DROP - ebtables -L --Ln ;; 17) ebtables -I INPUT 1 -s $SECNET_SVR_MAC -j AUDIT_ACCEPT - ebtables -L --Ln ;; 18) ebtables -I INPUT 1 -s $SECNET_SVR_MAC -j AUDIT_DROP - ebtables -L --Ln ;; 19) ebtables -I INPUT 1 -d $LOCAL_SEC_MAC -j AUDIT_ACCEPT - ebtables -L --Ln ;; 20) ebtables -I INPUT 1 -d $LOCAL_SEC_MAC -j AUDIT_DROP - ebtables -L --Ln ;; 22) ebtables -I INPUT 1 -i $LOCAL_SEC_DEV -j AUDIT_DROP - ebtables -L --Ln ;; 24) ebtables -I INPUT 1 -p IPv6 --ip6-source $SECNET_SVR_IPV6 -j AUDIT_DROP - ebtables -L --Ln ;; 25) ebtables -I INPUT 1 -p IPv6 --ip6-destination $LOCAL_SEC_IPV6 -j AUDIT_DROP - ebtables -L --Ln ;; 27) ebtables -I INPUT 1 -p IPv6 --ip6-proto TCP --ip6-source-port 
$tst_port1 -j AUDIT_DROP - ebtables -L --Ln ;; 28) ebtables -I INPUT 1 -p IPv6 --ip6-proto TCP --ip6-destination-port $tst_port1 -j AUDIT_DROP - iptables -L --line-numbers -n ;; 30) ebtables -I INPUT 1 -p IPv6 --ip6-proto UDP --ip6-source-port 30000:60000 -j AUDIT_DROP - ebtables -L --Ln ;; 31) ebtables -I INPUT 1 -p IPv6 --ip6-proto UDP --ip6-destination-port $tst_port1 -j AUDIT_DROP - ebtables -L --Ln ;; 33) ebtables -I INPUT 1 -p IPv6 --ip6-proto TCP --ip6-destination-port 22 -j AUDIT_ACCEPT ebtables -I INPUT 2 -p IPv6 --ip6-proto TCP --ip6-destination-port $tst_port1 -j AUDIT_ACCEPT ebtables -P INPUT DROP - ebtables -L --Ln ;; 34) ebtables -I INPUT 1 -p IPv6 --ip6-proto TCP --ip6-destination-port 22 -j AUDIT_ACCEPT ebtables -P INPUT DROP - ebtables -L --Ln ;; 35) ebtables -I INPUT 1 --logical-in $BRIDGE_FILTER -j AUDIT_ACCEPT - ebtables -L --Ln ;; 36) ebtables -I INPUT 1 --logical-in $BRIDGE_FILTER -j AUDIT_DROP - ebtables -L --Ln ;; 37) ebtables -I INPUT 1 -s $SECNET_SVR_MAC -j AUDIT_ACCEPT - ebtables -L --Ln ;; 38) ebtables -I INPUT 1 -s $SECNET_SVR_MAC -j AUDIT_DROP - ebtables -L --Ln ;; 39) ebtables -I INPUT 1 -d $LOCAL_SEC_MAC -j AUDIT_ACCEPT - ebtables -L --Ln ;; 40) ebtables -I INPUT 1 -d $LOCAL_SEC_MAC -j AUDIT_DROP - ebtables -L --Ln ;; *) sleep 1 @@ -754,6 +724,10 @@ function run_test { ;; esac + # display ruleset in use + echo "=== ebtables ===" + ebtables-save + # force the audit log to rotate rotate_audit_logs || exit_error diff --git a/audit-test/netfilter/run.conf b/audit-test/netfilter/run.conf index 794a88c..1979445 100644 --- a/audit-test/netfilter/run.conf +++ b/audit-test/netfilter/run.conf 
@@ -686,109 +686,91 @@ function run_test { case $tnum in 2) iptables -A INPUT -i lo -j AUDIT_DROP - iptables -L --line-numbers -n inifv="lo" actv=1 ;; 4) ip6tables -A INPUT -i lo -j AUDIT_DROP - ip6tables -L --line-numbers -n inifv="lo" actv=1 ;; 6) iptables -I INPUT 1 -p tcp --sport $tst_port1 -j AUDIT_REJECT - iptables -L --line-numbers -n protov=6 actv=2 ;; 8) ip6tables -A OUTPUT -p tcp --sport $tst_port1 -j AUDIT_DROP - ip6tables -L --line-numbers -n proto=6 actv=1 ;; 10) iptables -I INPUT 1 -p tcp --dport $tst_port1 -j AUDIT_REJECT - iptables -L --line-numbers -n proto=6 actv=2 ;; 12) ip6tables -A INPUT -p tcp --dport $tst_port1 -j AUDIT_REJECT - ip6tables -L --line-numbers -n proto=6 actv=2 ;; 14) iptables -I OUTPUT 1 -p udp --sport 30000:60000 -j AUDIT_DROP - iptables -L --line-numbers -n proto=17 actv=1 ;; 16) ip6tables -I OUTPUT 1 -p udp --sport 30000:60000 -j AUDIT_DROP - ip6tables -L --line-numbers -n proto=17 actv=1 ;; 18) iptables -I OUTPUT 1 -p udp --dport $tst_port1 -j AUDIT_REJECT - iptables -L --line-numbers -n proto=17 actv=2 ;; 20) ip6tables -A OUTPUT -p udp --dport $tst_port1 -j AUDIT_REJECT - ip6tables -L --line-numbers -n proto=17 actv=2 ;; 22) iptables -I INPUT 1 -d 127.0.0.1 -j AUDIT_DROP - iptables -L --line-numbers -n proto=6 actv=1 ;; 24) ip6tables -I INPUT 1 -d ::1 -j AUDIT_DROP - ip6tables -L --line-numbers -n protov=6 actv=1 ;; 26) iptables -A OUTPUT -s 127.0.0.1 -j AUDIT_REJECT - iptables -L --line-numbers -n protov=6 actv=2 ;; 28) ip6tables -A OUTPUT -s ::1 -j AUDIT_REJECT - ip6tables -L --line-numbers -n protov=6 actv=2 ;; 29) iptables -I INPUT 1 -p icmp --icmp-type echo-reply -j AUDIT_DROP - iptables -L --line-numbers -n protov=1 actv=1 ;; 30) iptables -I INPUT 1 -p icmp --icmp-type echo-reply -j AUDIT_ACCEPT - iptables -L --line-numbers -n protov=1 actv=0 ;; 31) ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-reply -j AUDIT_DROP - ip6tables -L --line-numbers -n protov=58 actv=1 ;; 32) ip6tables -A INPUT -p icmpv6 --icmpv6-type 
echo-reply -j AUDIT_ACCEPT - ip6tables -L --line-numbers -n protov=58 actv=0 ;; @@ -824,20 +806,17 @@ function run_test { ;; 38) iptables -I INPUT 1 -p tcp --tcp-flags ALL SYN -j AUDIT_REJECT - iptables -L --line-numbers -n actv=2 protov=6 ;; 40) ip6tables -I INPUT 1 -p tcp --tcp-flags ALL SYN -j AUDIT_REJECT - ip6tables -L --line-numbers -n actv=2 protov=6 ;; 42) iptables -I INPUT 1 -p tcp --dport $tst_port1 --tcp-flags ALL ACK -j LOG --log-prefix "ack received ipv4" iptables -I INPUT 2 -p tcp --dport $tst_port1 --tcp-flags ALL ACK -j AUDIT_ACCEPT - iptables -L --line-numbers -n logrotate -f /etc/logrotate.d/syslog actv=0 protov=6 @@ -845,7 +824,6 @@ function run_test { 44) ip6tables -I INPUT 1 -i lo -p tcp --dport $tst_port1 --tcp-flags ALL ACK -j LOG --log-prefix "ack received ipv6" ip6tables -I INPUT 2 -i lo -p tcp --dport $tst_port1 --tcp-flags ALL ACK -j AUDIT_ACCEPT - ip6tables -L --line-numbers -n logrotate -f /etc/logrotate.d/syslog actv=0 protov=6 @@ -853,7 +831,6 @@ function run_test { 45) ip6tables -I INPUT 1 -p tcp --dport 4000 --tcp-flags ALL RST -j LOG --log-prefix "rst received ipv6" ip6tables -I INPUT 2 -p tcp --dport 4000 --tcp-flags ALL RST -j AUDIT_ACCEPT - ip6tables -L --line-numbers -n logrotate -f /etc/logrotate.d/syslog actv=0 protov=6 @@ -861,7 +838,6 @@ function run_test { 46) iptables -I INPUT 1 -i lo -p tcp --sport 4000 --tcp-flags RST RST -j LOG --log-prefix "rst received ipv4" iptables -I INPUT 2 -i lo -p tcp --sport 4000 --tcp-flags RST RST -j AUDIT_ACCEPT - iptables -L --line-numbers -n logrotate -f /etc/logrotate.d/syslog actv=0 protov=6 @@ -869,7 +845,6 @@ function run_test { 47) iptables -I INPUT 1 -p tcp --dport $tst_port1 --tcp-flags PSH PSH -j LOG --log-prefix "push received ipv4" iptables -I INPUT 2 -p tcp --dport $tst_port1 --tcp-flags PSH PSH -j AUDIT_ACCEPT - iptables -L --line-numbers -n logrotate -f /etc/logrotate.d/syslog actv=0 protov=6 
@@ -877,7 +852,6 @@ function run_test { 48) ip6tables -I INPUT 1 -i lo -p tcp --dport $tst_port1 --tcp-flags PSH PSH -j LOG --log-prefix "push received ipv6" ip6tables -I INPUT 2 -i lo -p tcp --dport $tst_port1 --tcp-flags PSH PSH -j AUDIT_ACCEPT - ip6tables -L --line-numbers -n logrotate -f /etc/logrotate.d/syslog actv=0 protov=6 @@ -885,7 +859,6 @@ function run_test { 49) iptables -I INPUT 1 -p tcp --sport $tst_port1 --tcp-flags FIN FIN -j LOG --log-prefix "fin received ipv4" iptables -I INPUT 2 -p tcp --sport $tst_port1 --tcp-flags FIN FIN -j AUDIT_ACCEPT - iptables -L --line-numbers -n logrotate -f /etc/logrotate.d/syslog actv=0 protov=6 @@ -893,7 +866,6 @@ function run_test { 50) ip6tables -I INPUT 1 -i lo -p tcp --sport $tst_port1 --tcp-flags ALL FIN,ACK -j LOG --log-prefix "fin received ipv6" ip6tables -I INPUT 2 -i lo -p tcp --sport $tst_port1 --tcp-flags ALL FIN,ACK -j AUDIT_ACCEPT - ip6tables -L --line-numbers -n logrotate -f /etc/logrotate.d/syslog actv=0 protov=6 @@ -901,7 +873,6 @@ function run_test { 51) iptables -I INPUT 1 -i lo -p tcp --dport $tst_port1 --tcp-flags URG URG -j LOG --log-prefix "urgent received ipv4" iptables -I INPUT 2 -i lo -p tcp --dport $tst_port1 --tcp-flags URG URG -j AUDIT_ACCEPT - iptables -L --line-numbers -n logrotate -f /etc/logrotate.d/syslog actv=0 protov=6 @@ -909,7 +880,6 @@ function run_test { 52) ip6tables -I INPUT 1 -i lo -p tcp --dport $tst_port1 --tcp-flags URG URG -j LOG --log-prefix "urgent received ipv6" ip6tables -I INPUT 2 -i lo -p tcp --dport $tst_port1 --tcp-flags URG URG -j AUDIT_ACCEPT - ip6tables -L --line-numbers -n logrotate -f /etc/logrotate.d/syslog actv=0 protov=6 
@@ -917,42 +887,36 @@ function run_test { 53) iptables -I INPUT 1 -p tcp --dport $tst_port1 -m conntrack --ctstate NEW -j LOG --log-prefix "NEW state ipv4" iptables -I INPUT 2 -p tcp --dport $tst_port1 -m conntrack --ctstate NEW -j AUDIT_ACCEPT - iptables -L --line-numbers -n actv=0 protov=6 ;; 54) iptables -I INPUT 1 -i lo -m conntrack --ctstate RELATED -j LOG --log-prefix "RELATED state ipv4" iptables -I INPUT 2 -p tcp --dport $tst_port1 -j AUDIT_REJECT - iptables -L --line-numbers -n actv=2 protov=6 ;; 55) ip6tables -I INPUT 1 -p tcp --dport $tst_port1 -m state --state NEW -j LOG --log-prefix "NEW state ipv6" ip6tables -I INPUT 2 -p tcp --dport $tst_port1 -m state --state NEW -j AUDIT_ACCEPT - ip6tables -L --line-numbers -n actv=0 protov=6 ;; 56) ip6tables -I INPUT 1 -i lo -m state --state RELATED -j LOG --log-prefix "RELATED state ipv6" ip6tables -I INPUT 2 -p tcp --dport $tst_port1 -j AUDIT_REJECT - ip6tables -L --line-numbers -n actv=2 protov=6 ;; 57) iptables -I INPUT 1 -p tcp --dport $tst_port1 -m conntrack --ctstate ESTABLISHED -j LOG --log-prefix "ESTABLISHED state ipv4" iptables -I INPUT 2 -p tcp --dport $tst_port1 -m conntrack --ctstate ESTABLISHED -j AUDIT_ACCEPT - iptables -L --line-numbers -n actv=0 protov=6 ;; 58) ip6tables -I INPUT 1 -p tcp --dport $tst_port1 -m state --state ESTABLISHED -j LOG --log-prefix "ESTABLISHED state ipv6" ip6tables -I INPUT 2 -p tcp --dport $tst_port1 -m state --state ESTABLISHED -j AUDIT_ACCEPT - ip6tables -L --line-numbers -n actv=0 protov=6 ;; @@ -960,11 +924,9 @@ function run_test { # put in rule to prevent ssh session packets from dropping. iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT iptables -A INPUT -i $LOCAL_DEV -j DROP - iptables -L --line-numbers -n ;; 62) ip6tables -A INPUT -i $LOCAL_DEV -j DROP - ip6tables -L --line-numbers -n ;; *) sleep 1 
@@ -972,6 +934,12 @@ function run_test { ;; esac + # display ruleset in use + echo "=== iptables ===" + iptables-save + echo "=== ip6tables ===" + ip6tables-save + # force the audit log to rotate rotate_audit_logs || exit_error -- 1.7.11.7 |
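Review bot: the commit message says "xtables-save" but the hunks call ebtables-save, iptables-save and ip6tables-save; please name the actual commands. Two of the removed lines (netfilebt cases 8 and 28) were `iptables -L --line-numbers -n` inside ebtables tests, i.e. they listed the wrong tool's ruleset; the patch fixes that as a side effect and the message could say so. Since the listing is now on the common path after `esac`, consider `iptables-save -c` and `ip6tables-save -c` so that packet and byte counters are included: when an expected audit record is missing, the counters show whether the rule matched at all, which `-L` without `-v` never showed either.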
From: Jiri J. <jja...@re...> - 2013-02-26 16:54:01
This also fixes a bug where get_ipv4_addr uses incorrect address in setups where eth0 is not used for testing. Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/network/addr_filter.bash | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/audit-test/network/addr_filter.bash b/audit-test/network/addr_filter.bash index e419ac2..e59b6b6 100755 --- a/audit-test/network/addr_filter.bash +++ b/audit-test/network/addr_filter.bash @@ -26,18 +26,15 @@ set -x # function get_ipv6_iface { - ip -o -f inet6 addr show scope global to $LBLNET_PREFIX_IPV6 | \ - head -n 1 | awk '{ print $2 }' + echo "$LOCAL_DEV" } function get_ipv4_addr { - ip -o -f inet addr show scope global | head -n 1 | \ - awk 'BEGIN { FS = "[ \t]*|[ \t\\/]+" } { print $4 }' + echo "$LOCAL_IPV4" } function get_ipv6_addr { - ip -o -f inet6 addr show scope global to $LBLNET_PREFIX_IPV6 | \ - head -n 1 | awk 'BEGIN { FS = "[ \t]*|[ \t\\/]+" } { print $4 }' + echo "$LOCAL_IPV6" } #### -- 1.7.11.7 |
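Review bot: get_ipv6_iface, get_ipv4_addr and get_ipv6_addr now simply echo LOCAL_DEV, LOCAL_IPV4 and LOCAL_IPV6, so if the profile leaves one of them unset the caller silently receives an empty string and the `ip`/`iptables` invocations built from it fail later with confusing errors. Suggest failing early, e.g. `: "${LOCAL_IPV4:?LOCAL_IPV4 must be set in the profile}"` at the top of each function or a single check in the file's setup. The message should also mention that get_ipv6_iface no longer verifies that the device actually carries an address within $LBLNET_PREFIX_IPV6, which the removed `ip ... to $LBLNET_PREFIX_IPV6` filter did; making the interface explicit is the right fix for the "first global address is not the test interface" bug described, but the old check would have caught a mis-set profile.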
From: Jiri J. <jja...@re...> - 2013-02-26 16:54:01
This fixes the random ERRORs on some tests. Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/netfilebt/run.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/audit-test/netfilebt/run.conf b/audit-test/netfilebt/run.conf index 5366ef6..28fbe3c 100644 --- a/audit-test/netfilebt/run.conf +++ b/audit-test/netfilebt/run.conf @@ -545,6 +545,8 @@ prepend_cleanup 'network_cleanup' # function ebtaudit_setup { +ebtables -A INPUT -p arp -j ACCEPT + ebtables -N AUDIT_DROP ebtables -A AUDIT_DROP -j AUDIT --audit-type DROP ebtables -A AUDIT_DROP -j DROP -- 1.7.11.7 |
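Review bot: the new `ebtables -A INPUT -p arp -j ACCEPT` in ebtaudit_setup carries no comment and the commit message only says it fixes random ERRORs; please record why ARP has to be accepted (presumably the AUDIT_DROP rules installed later were also dropping neighbour resolution for the test traffic, so tests errored before the rule under test was ever reached). Consider limiting it to the bridge under test, e.g. `ebtables -A INPUT -i $BRIDGE_FILTER -p arp -j ACCEPT`, so the INPUT chain is not opened to ARP on every interface for the whole run, and note that because it is appended with -A any test that later inserts rules with -I will still be evaluated before it.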
From: Jiri J. <jja...@re...> - 2013-02-26 16:54:02
Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/README.run | 8 ++-- .../tests/audisp-remote_functions.bash | 7 +--- .../audit-remote/tests/test_remote_system.bash | 2 +- audit-test/netfilebt/run.conf | 31 +------------- audit-test/netfilter/run.conf | 47 ++-------------------- audit-test/network/addr_filter.bash | 23 ++--------- audit-test/trustedprograms/tests/test_ip_xfrm.bash | 21 +--------- audit-test/trustedprograms/tests/test_ipsec.bash | 34 ++-------------- 8 files changed, 18 insertions(+), 155 deletions(-) diff --git a/audit-test/README.run b/audit-test/README.run index 0365c95..761b017 100644 --- a/audit-test/README.run +++ b/audit-test/README.run @@ -401,11 +401,9 @@ Audit-remote tests FIX: Follow related steps in README.run or reinstall if nothing helps :) 5) TOE or NS unable to reach each other when using virt guests. This is - probably due to what `get_ipv4_addr` gives you for local_audit_server_ip. - FIX: Set local_audit_server_ip manually in audisp-remote_functions.bash to - local IPv4 address of global scope (if there are more of them, try them all - iteratively). Notice that you have to do this for both TOE and NS (they have - different setting for this variable!). + probably due to incorrectly set LOCAL_IPV4 environment variable. + Use only unicast addresses of global scope (if there are more of them, try + them all iteratively). 6) NS fails to run init script via run_init due to bad password. FIX: Make sure you have correctly set password in profile.bash, which should diff --git a/audit-test/audit-remote/tests/audisp-remote_functions.bash b/audit-test/audit-remote/tests/audisp-remote_functions.bash index 67df5c0..2259bf0 100644 --- a/audit-test/audit-remote/tests/audisp-remote_functions.bash +++ b/audit-test/audit-remote/tests/audisp-remote_functions.bash 
@@ -33,11 +33,6 @@ source testcase.bash || exit 2 -function get_ipv4_addr { - ip -o -f inet addr show scope global | head -n 1 | \ - awk 'BEGIN { FS = "[ \t]*|[ \t\\/]+" } { print $4 }' -} - # # Global variables # @@ -60,7 +55,7 @@ total_written=0 # Variables used by basic connection for TOE acting as server and client -local_audit_server_ip=$(get_ipv4_addr) +local_audit_server_ip="$LOCAL_IPV4" ping $local_audit_server_ip -c 1 || exit_error "Unable to ping audit server" auditd_conf="/etc/audit/auditd.conf" diff --git a/audit-test/audit-remote/tests/test_remote_system.bash b/audit-test/audit-remote/tests/test_remote_system.bash index 8773f3d..af3d9df 100755 --- a/audit-test/audit-remote/tests/test_remote_system.bash +++ b/audit-test/audit-remote/tests/test_remote_system.bash @@ -51,7 +51,7 @@ call_remote_function_seq=0 call_remote_function() { local call_function="$1" - local my_ip=$(get_ipv4_addr) + local my_ip="$LOCAL_IPV4" # the mode variable will get here from audisp-remote_functions.bash echo "---- START [$call_remote_function_seq] call_remote_function($call_function) ----" # /usr/bin/nc -v $LBLNET_SVR_IPV4 4000 <<< "exec: bash -c \"$remote_script $call_function $mode $my_ip \";" diff --git a/audit-test/netfilebt/run.conf b/audit-test/netfilebt/run.conf index 28fbe3c..6ee1096 100644 --- a/audit-test/netfilebt/run.conf +++ b/audit-test/netfilebt/run.conf 
@@ -827,33 +827,6 @@ function run_test { return $status } -########## -# -# more helper functions (in place of addr_loop and addr_filter -# since we already needed environmental variables for the iptables -# and ip6tables filtering tests.) -# -########## - -function get_ipv6_iface { - if [[ $local_ipv6_prefix == "fe80" ]]; then - ip -o -f inet6 addr show scope link | \ - grep $prefix | head -n 1 | \ - awk 'BEGIN { FS = "[ \t]*|[ \t\\/]+" } { print $2 }' - else - ip -o -f inet6 addr show scope global | \ - grep $prefix | head -n 1 | \ - awk 'BEGIN { FS = "[ \t]*|[ \t\\/]+" } { print $2 }' - fi -} - -function get_ipv4_addr { - declare ip4prefix=$LOCAL_SEC_IPV4 - ip -o -f inet addr show scope global | \ - grep $ip4prefix | head -n 1 | \ - awk 'BEGIN { FS = "[ \t]*|[ \t\\/]+" } { print $4 }' -} - ###################################################################### # pre-testrun checks/configuration ###################################################################### @@ -885,7 +858,7 @@ fi # get ipv4 addresses # -local_ipv4="$(get_ipv4_addr)" +local_ipv4="$LOCAL_SEC_IPV4" remote_ipv4="$SECNET_SVR_IPV4" address_ipv4="$ADDRESS_IPV4" @@ -907,7 +880,7 @@ address_ipv6_prefix=$(echo $LBLNET_SVR_IPV6 | head -c 4) if [[ -n $BRIDGE_FILTER ]]; then local_ipv6_if=$BRIDGE_FILTER else - local_ipv6_if="$(get_ipv6_iface)" + die "error: bridge interface not specified (BRIDGE_FILTER undefined)" fi # adjust link-local addresses diff --git a/audit-test/netfilter/run.conf b/audit-test/netfilter/run.conf index 3331a4d..2c72d4c 100644 --- a/audit-test/netfilter/run.conf +++ b/audit-test/netfilter/run.conf 
@@ -1246,47 +1246,6 @@ function run_test { return $status } -######### -# -# more helper functions (in place of addr_loop and addr_filter -# since we already needed environmental variables for the iptables -# and ip6tables filtering tests.) -# -########## -function get_ipv6_prefix { - if [[ -n $LBLNET_SVR_IPV6 ]]; then - echo $LBLNET_SVR_IPV6 | \ - awk 'BEGIN { FS = ":" } { print $1":" }' - else - ip -o -f inet6 addr show scope global | \ - awk 'BEGIN { FS = "[ \t]*|[ \t\\/]+" } { print $4 }' | \ - awk 'BEGIN { FS = ":" } { print $1":"$2":"$3":"$4":" }' | \ - head -n 1 - fi -} - -function get_ipv6_iface { - declare prefix=$(get_ipv6_prefix) - ip -o -f inet6 addr show scope link | \ - grep $prefix | head -n 1 | \ - awk 'BEGIN { FS = "[ \t]*|[ \t\\/]+" } { print $2 }' -} - -function get_ipv4_addr { - declare ip4prefix=$LOCAL_IPV4 - ip -o -f inet addr show scope global | \ - grep $ip4prefix | head -n 1 | \ - awk 'BEGIN { FS = "[ \t]*|[ \t\\/]+" } { print $4 }' -} - -function get_ipv6_addr { - declare prefix=$(get_ipv6_prefix) - ip -o -f inet6 addr show scope link | \ - grep $prefix | head -n 1 | \ - awk 'BEGIN { FS = "[ \t]*|[ \t\\/]+" } { print $4 }' -} - - ###################################################################### # pre-testrun checks/configuration ###################################################################### @@ -1315,7 +1274,7 @@ fi # get ipv4 addresses # -local_ipv4="$(get_ipv4_addr)" +local_ipv4="$LOCAL_IPV4" remote_ipv4="$LBLNET_SVR_IPV4" echo $local_ipv4 @@ -1324,14 +1283,14 @@ echo $local_ipv4 # # interface/scope -local_ipv6_if="$(get_ipv6_iface)" +local_ipv6_if="$LOCAL_DEV" # raw addresses local_ipv6_raw="$LOCAL_IPV6" remote_ipv6_raw="$LBLNET_SVR_IPV6" # prefix to determine if addresses are link local or global -local_ipv6_prefix=$(get_ipv6_prefix | head -c 4) +local_ipv6_prefix=$(echo $LOCAL_IPV6 | head -c 4) remote_ipv6_prefix=$(echo $LBLNET_SVR_IPV6 | head -c 4) # adjust link-local addresses 
diff --git a/audit-test/network/addr_filter.bash b/audit-test/network/addr_filter.bash index e59b6b6..cf62a51 100755 --- a/audit-test/network/addr_filter.bash +++ b/audit-test/network/addr_filter.bash @@ -22,23 +22,6 @@ set -x #### # -# helper functions -# - -function get_ipv6_iface { - echo "$LOCAL_DEV" -} - -function get_ipv4_addr { - echo "$LOCAL_IPV4" -} - -function get_ipv6_addr { - echo "$LOCAL_IPV6" -} - -#### -# # main # @@ -54,7 +37,7 @@ unset address address_raw # get ipv4 addresses # -local_ipv4="$(get_ipv4_addr)" +local_ipv4="$LOCAL_IPV4" remote_ipv4="$LBLNET_SVR_IPV4" address_ipv4="$ADDRESS_IPV4" @@ -63,10 +46,10 @@ address_ipv4="$ADDRESS_IPV4" # # interface/scope -local_ipv6_if="$(get_ipv6_iface)" +local_ipv6_if="$LOCAL_DEV" # raw addresses -local_ipv6_raw="$(get_ipv6_addr)" +local_ipv6_raw="$LOCAL_IPV6" remote_ipv6_raw="$LBLNET_SVR_IPV6" address_ipv6_raw="$ADDRESS_IPV6" diff --git a/audit-test/trustedprograms/tests/test_ip_xfrm.bash b/audit-test/trustedprograms/tests/test_ip_xfrm.bash index 01cdccf..18b09ea 100755 --- a/audit-test/trustedprograms/tests/test_ip_xfrm.bash +++ b/audit-test/trustedprograms/tests/test_ip_xfrm.bash @@ -72,25 +72,6 @@ unset sad_add_cmd sad_del_cmd # helper functions ###################################################################### -# -# get_ipv4_addr - Get the local system's glboal IPv4 address -# -# INPUT -# none -# -# OUTPUT -# Writes the first global IPv4 address on the local system to stdout -# -# DESCRIPTION -# This function queries the local system, through the "ip" command, for a list -# of global IPv4 addresses, it then selects the first address in the list and -# writes it to stdout. -# -function get_ipv4_addr { - ip -o -f inet addr show scope global | head -n 1 | \ - awk 'BEGIN { FS = "[ \t]*|[ \t\\/]+" } { print $4 }' -} - ###################################################################### # functions ###################################################################### 
@@ -233,7 +214,7 @@ ip xfrm policy flush || exit_error # setup the global variables ctx=$(secon -RP) -ip_src=$(get_ipv4_addr) +ip_src=$LOCAL_IPV4 ip_dst=$LBLNET_SVR_IPV4 spd_entry="src $ip_src dst $ip_dst proto icmp ctx $ctx dir out" spd_entry_detail="tmpl proto ah mode transport level required" diff --git a/audit-test/trustedprograms/tests/test_ipsec.bash b/audit-test/trustedprograms/tests/test_ipsec.bash index c0ed127..289642b 100755 --- a/audit-test/trustedprograms/tests/test_ipsec.bash +++ b/audit-test/trustedprograms/tests/test_ipsec.bash @@ -54,32 +54,6 @@ unset cmd_nc ###################################################################### # -# get_ip_addr - Get the local system's glboal IPv4 or IPv6 address -# -# INPUT -# X - 4 for IPv4 or 6 for IPv6 -# -# OUTPUT -# Writes the first global IPvX address on the local system to stdout -# -# DESCRIPTION -# This function queries the local system, through the "ip" command, for a list -# of global IPvX addresses, it then selects the first address in the list and -# writes it to stdout. -# -function get_ip_addr { - if [ $1 == "4" ]; then - ip -o -f inet addr show scope global | head -n 1 | \ - awk 'BEGIN { FS = "[ \t]*|[ \t\\/]+" } { print $4 }' - elif [ $1 == "6" ]; then - ip -o -f inet6 addr show scope global to $LBLNET_PREFIX_IPV6 | head -n 1 | \ - awk 'BEGIN { FS = "[ \t]*|[ \t\\/]+" } { print $4 }' - else - die "error: expected parameter 4 | 6 not given" - fi -} - -# # normalize_addr - Add leading zeros to a comparessed IPv6 address # # INPUT 
@@ -266,17 +240,17 @@ function ipsec_remove_verify { set -x -if [ $1 == "6" ]; then +if [ "$1" == "6" ]; then [[ -n $(eval echo \$LBLNET_SVR_IPV6) ]] || exit_error # setup the global variables - ip_src=$(normalize_addr $(get_ip_addr $1)) + ip_src=$(normalize_addr $(eval echo \$LOCAL_IPV6)) ip_dst=$(normalize_addr $(eval echo \$LBLNET_SVR_IPV6)) -elif [ $1 == "4" ]; then +elif [ "$1" == "4" ]; then [[ -n $(eval echo \$LBLNET_SVR_IPV4) ]] || exit_error # setup the global variables - ip_src=$(get_ip_addr $1) + ip_src=$LOCAL_IPV4 ip_dst=$LBLNET_SVR_IPV4 else die "error: expected parameter 4 | 6 not given" -- 1.7.11.7 |
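Review bot: in the audisp-remote_functions.bash hunk, `local_audit_server_ip="$LOCAL_IPV4"` is followed directly by `ping $local_audit_server_ip -c 1 || exit_error "Unable to ping audit server"`, so with LOCAL_IPV4 unset ping runs without a host and the error blames the audit server; check the variable first. The README.run hunk now tells the user to fix LOCAL_IPV4, but the export lists in README.run for the network and audit-remote setups (RHOST6, LBLNET_SVR_IPV4, LBLNET_SVR_IPV6, PATH) do not mention LOCAL_IPV4 at all; add it there so the instruction is actionable.

Review bot: in the netfilebt/run.conf hunk, `die "error: bridge interface not specified (BRIDGE_FILTER undefined)"` assumes a `die` helper is available in run.conf; `die` is used in test_ipsec.bash, but the helper visible in utils/functions.bash is exit_error, and if `die` is not sourced here the failure path ends with "command not found" and exit 127 instead of the intended message. Either confirm it is defined for run.conf or use exit_error.

Review bot: in the test_ipsec.bash hunk, `ip_src=$(normalize_addr $(eval echo \$LOCAL_IPV6))` keeps the `eval echo \$...` indirection that was only needed when the variable name was built dynamically; the name is now fixed, so `ip_src=$(normalize_addr "$LOCAL_IPV6")` does the same without evaluating environment content. The check on the preceding line only verifies LBLNET_SVR_IPV6 (and LBLNET_SVR_IPV4 in the other branch); add the matching `[[ -n $LOCAL_IPV6 ]] || exit_error` so a missing local address is caught before the ipsec commands run with an empty source.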
From: Jiri J. <jja...@re...> - 2013-02-26 16:54:46
Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/netfilebt/run.conf | 10 ++++++++-- audit-test/netfilter/run.conf | 18 ++++++++++++------ 2 files changed, 20 insertions(+), 8 deletions(-) diff --git a/audit-test/netfilebt/run.conf b/audit-test/netfilebt/run.conf index 99a8e66..1daf2d6 100644 --- a/audit-test/netfilebt/run.conf +++ b/audit-test/netfilebt/run.conf @@ -596,6 +596,14 @@ function run_test { return $? fi + # backup original ruleset, schedule ruleset restoration, clean current one + # NOTE: clean the ruleset before original -restore, to clean tables used by + # this test, but unused/unspecified by original ruleset + original_rules="$(mktemp)" + ebtables-save > "$original_rules" + append_cleanup "{ ebtables-save | xtables_empty | ebtables-restore; cat $original_rules | ebtables-restore; rm -f $original_rules; }" + ebtables-save | xtables_empty | ebtables-restore + # get the derived variables # NOTE: the $test_domain variable is always using the "local" version of # the test domain because the value is always only used on the @@ -608,7 +616,6 @@ function run_test { # run the # default setup - ebtables-save | xtables_empty | ebtables-restore ebtaudit_setup sleep 4 setup_default @@ -791,7 +798,6 @@ function run_test { ) status=$? - ebtables-save | xtables_empty | ebtables-restore # whenever the test fails, pause so the test server can cleanup [[ "$expres" == "fail" || "$status" != "0" ]] && sleep 10 diff --git a/audit-test/netfilter/run.conf b/audit-test/netfilter/run.conf index 6d8e14d..81166a7 100644 --- a/audit-test/netfilter/run.conf +++ b/audit-test/netfilter/run.conf @@ -557,9 +557,6 @@ prepend_cleanup 'network_cleanup' # function iptables_setup { -# start with clean ruleset -iptables-save | xtables_empty | iptables-restore - iptables -N AUDIT_DROP iptables -A AUDIT_DROP -j AUDIT --type DROP iptables -A AUDIT_DROP -j DROP 
@@ -579,9 +576,6 @@ iptables -A AUDIT_ACCEPT -j ACCEPT # function ip6tables_setup { -# start with clean ruleset -ip6tables-save | xtables_empty | ip6tables-restore - ip6tables -N AUDIT_DROP ip6tables -A AUDIT_DROP -j AUDIT --type DROP ip6tables -A AUDIT_DROP -j DROP @@ -650,6 +644,18 @@ function run_test { host_local=$(get_host_local $ipv $host) host_remote=$(get_host_remote $ipv $host) + # backup original ruleset, schedule ruleset restoration, clean current one + # NOTE: clean the ruleset before original -restore, to clean tables used by + # this test, but unused/unspecified by original ruleset + original_rules4="$(mktemp)" + original_rules6="$(mktemp)" + iptables-save > "$original_rules4" + ip6tables-save > "$original_rules6" + append_cleanup "{ iptables-save | xtables_empty | iptables-restore; cat $original_rules4 | iptables-restore; rm -f $original_rules4; }" + append_cleanup "{ ip6tables-save | xtables_empty | ip6tables-restore; cat $original_rules6 | ip6tables-restore; rm -f $original_rules6; }" + iptables-save | xtables_empty | iptables-restore + ip6tables-save | xtables_empty | ip6tables-restore + # run the setup callback (which has access to the named params) # default setup iptables_setup -- 1.7.11.7 |
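Review bot: in both run_test hunks the saved ruleset is fed back with `cat $original_rules | ebtables-restore` (and the iptables/ip6tables equivalents); `ebtables-restore < "$original_rules"` does the same without the extra process and keeps the path quoted inside the cleanup string. Because append_cleanup is invoked from inside run_test, every test in a run pushes another backup/restore pair onto the cleanup list and keeps its temp files until the suite exits; if run_test is called once per test line, take the backup on the first call only and just flush per test. Also, `iptables-save` without `-c` records rules but not counters, so the administrator's ruleset comes back with zeroed counters; use `-c` on both save and restore if that matters, and consider `local original_rules` so the path does not leak into the global scope.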
From: Jiri J. <jja...@re...> - 2013-02-26 16:54:46
Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/README.netfilter | 4 ---- audit-test/README.netwk_svr | 5 ----- audit-test/README.run | 3 --- audit-test/network/system/Makefile | 7 +------ audit-test/utils/netfilter/profile.sample | 1 - 5 files changed, 1 insertion(+), 19 deletions(-) diff --git a/audit-test/README.netfilter b/audit-test/README.netfilter index 12af3d0..8766d26 100644 --- a/audit-test/README.netfilter +++ b/audit-test/README.netfilter @@ -162,9 +162,6 @@ LBLNET_SVR_IPV4 IPv4 address for the primary network on the NS LBLNET_SVR_IPV6 IPv6 address for the primary device on the NS -LBLNET_PREFIX_IPV6 IPv6 prefix for the primary network, such - as "2600::/64" - LBLNET_SVR_DEV Device for the NS primary network, such as "eth0" LNET4MASK Network mask for the primary IPv4 network, such as @@ -219,7 +216,6 @@ export LOCAL_SEC_IPV4="10.0.1.2" export LOCAL_SEC_IPV6="2600:1::2" export LBLNET_SVR_IPV4="10.0.0.1" export LBLNET_SVR_IPV6="2600::1" -export LBLNET_PREFIX_IPV6="2600::/64" export LBLNET_SVR_DEV="eth0" export LNET4MASK="255.255.255.0" export LNET6MASK="64" diff --git a/audit-test/README.netwk_svr b/audit-test/README.netwk_svr index c1b28cd..036a14b 100644 --- a/audit-test/README.netwk_svr +++ b/audit-test/README.netwk_svr @@ -38,11 +38,6 @@ below: # bar.domain.com 10.0.0.3 2600::3 -Set the LBLNET_PREFIX_IPV6 environment variable to the IPV6 prefix to be -used for testing. An example variable value is "2600::/64". - -# export LBLNET_PREFIX_IPV6="<the IPV6 prefix to be used for testing>" - Generate and install the system's labeled network configuration as shown below: diff --git a/audit-test/README.run b/audit-test/README.run index 761b017..9ff1894 100644 --- a/audit-test/README.run +++ b/audit-test/README.run 
@@ -210,7 +210,6 @@ commands to setup the required configuration for the labeled networking tests: # export RHOST6="::1" # export LBLNET_SVR_IPV4="<local network test server IPV4 address>" # export LBLNET_SVR_IPV6="<local network test server IPV6 address>" -# export LBLNET_PREFIX_IPV6="<the IPV6 prefix to be used for testing>" # export PATH="$PATH:." # make netconfig @@ -264,7 +263,6 @@ environment variables: # export RHOST6="::1" # export LBLNET_SVR_IPV4="<local network test server IPV4 address>" # export LBLNET_SVR_IPV6="<local network test server IPV6 address>" -# export LBLNET_PREFIX_IPV6="<the IPV6 prefix to be used for testing>" # export PATH="$PATH:." # export PASSWD=<root/admin user password> @@ -337,7 +335,6 @@ workaround if you experience these failures. # export RHOST6="::1" # export LBLNET_SVR_IPV4="<local network test server IPV4 address>" # export LBLNET_SVR_IPV6="<local network test server IPV6 address>" - # export LBLNET_PREFIX_IPV6="<the IPV6 prefix to be used for testing>" # export PATH="$PATH:." 7. Change to the '/usr/local/eal4_testing/audit-test/network' directory 8. Type './run.bash host=remote*type=ipsec'. There may be a few failures; diff --git a/audit-test/network/system/Makefile b/audit-test/network/system/Makefile index dc8a8ff..ff2285a 100644 --- a/audit-test/network/system/Makefile +++ b/audit-test/network/system/Makefile @@ -61,11 +61,6 @@ install_check: @[[ -n $$LBLNET_SVR_IPV6 ]] || \ (echo "error: variable LBLNET_SVR_IPV6 is not set"; /bin/false) -install_check_server: - @[[ -n $$LBLNET_PREFIX_IPV6 ]] || \ - (echo "error: variable LBLNET_PREFIX_IPV6 is not set"; \ - /bin/false) - install_setrans: grep -q "# labeled networking" /etc/selinux/mls/setrans.conf || \ (echo ""; \ 
@@ -86,7 +81,7 @@ install_ipsec_client: install_check install -o root -g root -m 600 ipsec.conf /etc/ipsec.conf install -o root -g root -m 600 ipsec.secrets /etc/ipsec.secrets -install_ipsec_server: install_check_server +install_ipsec_server: if [[ ! -f client_list.txt ]]; then \ echo "error: file client_list.txt does not exist"; \ exit 1; \ diff --git a/audit-test/utils/netfilter/profile.sample b/audit-test/utils/netfilter/profile.sample index d4d2d97..5a44638 100644 --- a/audit-test/utils/netfilter/profile.sample +++ b/audit-test/utils/netfilter/profile.sample @@ -16,7 +16,6 @@ export LOCAL_SEC_IPV4="10.0.1.2" export LOCAL_SEC_IPV6="2600:1::2" export LBLNET_SVR_IPV4="10.0.0.1" export LBLNET_SVR_IPV6="2600::1" -export LBLNET_PREFIX_IPV6="2600::/64" export LBLNET_SVR_DEV="eth0" export LNET4MASK="255.255.255.0" export LNET6MASK="64" -- 1.7.11.7 |
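Review bot: in the Makefile hunk `install_ipsec_server` loses its only prerequisite when install_check_server is deleted, so the server install now runs with no environment check at all while `install_ipsec_client: install_check` still verifies LBLNET_SVR_IPV4/IPV6; if any server-side step reads those variables, make install_ipsec_server depend on install_check as well, otherwise say in README.netwk_svr that nothing needs exporting for the server install. Before merging, a `git grep LBLNET_PREFIX_IPV6` over the tree would confirm no consumer survives outside the files touched here (the `ip ... to $LBLNET_PREFIX_IPV6` users in addr_filter.bash and test_ipsec.bash were removed earlier in this series).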
From: Jiri J. <jja...@re...> - 2013-02-26 16:54:46
Both offer routable IPv6 addresses and behave exactly the same in terms of actual usage. The only difference is that fd00::/8 has been reserved for "Unique Local Addresses" and it therefore doesn't violate the address allocation policies. fd00::/8 (or fc00::/7 as per RFC 4193) are NOT link-local addresses. Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/README.netfilter | 20 ++++++++++---------- audit-test/README.netwk_svr | 4 ++-- audit-test/utils/netfilter/profile.sample | 8 ++++---- 3 files changed, 16 insertions(+), 16 deletions(-) diff --git a/audit-test/README.netfilter b/audit-test/README.netfilter index 8766d26..9308568 100644 --- a/audit-test/README.netfilter +++ b/audit-test/README.netfilter @@ -52,12 +52,12 @@ renaming will be the default in RHEL7 for all network interfaces. |-----+ | / \ | +----| | eth3 |>> NOTE: <<| eth0 | | IPv4 10.0.0.2 | Device eth4 | IPv4 10.0.0.1 | - | IPv6 2600::2 | is enslaved | IPv6 2600::1 | + | IPv6 fd00::2 | is enslaved | IPv6 fd00::1 | | | to bridge toebr | | | | on machine TOE | | | toebr (eth4) |>> <<| eth1 | | IPv4 10.0.1.2 | \ / | IPv4 10.0.1.1 | - | IPv6 2600:1::2 | \ / | IPv6 2600:1::1 | + | IPv6 fd00:1::2 | \ / | IPv6 fd00:1::1 | | | \ / | | +----------------+ +~~~~~~~~~~~+ +----------------+ | secondary | @@ -211,16 +211,16 @@ export LOCAL_DEV="eth3" export LOCAL_SEC_DEV="eth4" export LOCAL_SEC_MAC="78:2B:CB:4B:EB:BC" export LOCAL_IPV4="10.0.0.2" -export LOCAL_IPV6="2600::2" +export LOCAL_IPV6="fd00::2" export LOCAL_SEC_IPV4="10.0.1.2" -export LOCAL_SEC_IPV6="2600:1::2" +export LOCAL_SEC_IPV6="fd00:1::2" export LBLNET_SVR_IPV4="10.0.0.1" -export LBLNET_SVR_IPV6="2600::1" +export LBLNET_SVR_IPV6="fd00::1" export LBLNET_SVR_DEV="eth0" export LNET4MASK="255.255.255.0" export LNET6MASK="64" export SECNET_SVR_IPV4="10.0.1.1" -export SECNET_SVR_IPV6="2600:1::1" +export SECNET_SVR_IPV6="fd00:1::1" export SECNET_SVR_DEV="eth1" export SECNET_SVR_MAC="00:04:23:B3:B5:83" export SNET4MASK="255.255.255.0" 
@@ -245,7 +245,7 @@ BOOTPROTO="static" IPADDR="10.0.0.2" NETMASK="255.255.255.0" IPV6INIT="yes" -IPV6ADDR=2600::2 +IPV6ADDR=fd00::2 TYPE="Ethernet" # cat /etc/sysconfig/network-scripts/ifcfg-eth4 @@ -262,7 +262,7 @@ BOOTPROTO="static" IPADDR="10.0.1.2" NETMASK="255.255.255.0" IPV6INIT="yes" -IPV6ADDR=2600:1::2 +IPV6ADDR=fd00:1::2 === NS network interfaces configuration === @@ -274,7 +274,7 @@ BOOTPROTO="static" IPADDR="10.0.0.1" NETMASK="255.255.255.0" IPV6INIT="yes" -IPV6ADDR=2600::1 +IPV6ADDR=fd00::1 TYPE="Ethernet" # cat /etc/sysconfig/network-scripts/ifcfg-eth1 @@ -285,7 +285,7 @@ BOOTPROTO="static" IPADDR="10.0.1.1" NETMASK="255.255.255.0" IPV6INIT="yes" -IPV6ADDR=2600:1::1 +IPV6ADDR=fd00:1::1 TYPE="Ethernet" For details on configuring the network interfaces in general refer to: diff --git a/audit-test/README.netwk_svr b/audit-test/README.netwk_svr index 036a14b..b223162 100644 --- a/audit-test/README.netwk_svr +++ b/audit-test/README.netwk_svr @@ -33,10 +33,10 @@ below: # A file containing the IPv4|6 addresses of all the test machines # foo.domain.com -10.0.0.2 2600::2 +10.0.0.2 fd00::2 # bar.domain.com -10.0.0.3 2600::3 +10.0.0.3 fd00::3 Generate and install the system's labeled network configuration as shown below: diff --git a/audit-test/utils/netfilter/profile.sample b/audit-test/utils/netfilter/profile.sample index 5a44638..ba749b1 100644 --- a/audit-test/utils/netfilter/profile.sample +++ b/audit-test/utils/netfilter/profile.sample 
@@ -11,16 +11,16 @@ export LOCAL_DEV="eth3" export LOCAL_SEC_DEV="eth4" export LOCAL_SEC_MAC="78:2B:CB:4B:EB:BC" export LOCAL_IPV4="10.0.0.2" -export LOCAL_IPV6="2600::2" +export LOCAL_IPV6="fd00::2" export LOCAL_SEC_IPV4="10.0.1.2" -export LOCAL_SEC_IPV6="2600:1::2" +export LOCAL_SEC_IPV6="fd00:1::2" export LBLNET_SVR_IPV4="10.0.0.1" -export LBLNET_SVR_IPV6="2600::1" +export LBLNET_SVR_IPV6="fd00::1" export LBLNET_SVR_DEV="eth0" export LNET4MASK="255.255.255.0" export LNET6MASK="64" export SECNET_SVR_IPV4="10.0.1.1" -export SECNET_SVR_IPV6="2600:1::1" +export SECNET_SVR_IPV6="fd00:1::1" export SECNET_SVR_DEV="eth1" export SECNET_SVR_MAC="00:04:23:B3:B5:83" export SNET4MASK="255.255.255.0" -- 1.7.11.7 |
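Review bot: the README.netfilter and profile.sample hunks move the lab to fd00::/64 and fd00:1::/64, which fixes the use of a globally allocated prefix, but RFC 4193 expects the 40 bits after the fd byte to be a randomly generated Global ID (fdxx:xxxx:xxxx::/48), so an all-zero Global ID is a lab convenience rather than a compliant ULA; one sentence in README.netfilter saying so would stop these exact prefixes being copied into a real deployment. The `head -c 4` prefix test in netfilter/run.conf only distinguishes `fe80` from everything else, so `fd00` is still treated as non-link-local and nothing else in the suite needs to change for this.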
From: Jiri J. <jja...@re...> - 2013-02-26 16:54:46
The default behavior has changed on RHEL7, making relro enabled by default. This caused the supposedly no-relro binary to be compiled with relro as well. Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/misc/tests/relro.c | 2 +- audit-test/misc/tests/test_relro-pie.bash | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/audit-test/misc/tests/relro.c b/audit-test/misc/tests/relro.c index 8413639..1e4643e 100644 --- a/audit-test/misc/tests/relro.c +++ b/audit-test/misc/tests/relro.c @@ -20,7 +20,7 @@ * Segmentation fault (core dumped) * * Test without RELRO should pass: - * $ gcc -pie -fPIE -g -o no-relro relro.c + * $ gcc -pie -fPIE -g -Wl,-z,norelro -o no-relro relro.c * $ ./no-relro * **/ diff --git a/audit-test/misc/tests/test_relro-pie.bash b/audit-test/misc/tests/test_relro-pie.bash index 3c9c722..ffbf2df 100755 --- a/audit-test/misc/tests/test_relro-pie.bash +++ b/audit-test/misc/tests/test_relro-pie.bash @@ -33,7 +33,7 @@ # Segmentation fault (core dumped) # # Test without RELRO should pass: -# $ gcc -pie -fPIE -g -o no-relro relro.c +# $ gcc -pie -fPIE -g -Wl,-z,norelro -o no-relro relro.c # $ ./no-relro # @@ -55,7 +55,7 @@ set -x [ ! $? -eq 139 ] && exit_fail "Test is expected to crash with segmentation fault" # Bad case -/usr/bin/gcc -pie -fPIE -g -o no-relro relro.c || \ +/usr/bin/gcc -pie -fPIE -g -Wl,-z,norelro -o no-relro relro.c || \ exit_error "Failed to build test program" ./no-relro || exit_fail "Test is expected to pass without RELRO" -- 1.7.11.7 |
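Review bot: the change pins only the negative case with `-Wl,-z,norelro`; the positive build a few lines earlier still relies on the toolchain default to produce a RELRO binary, and since RHEL6 and RHEL7 differ in exactly that default (as the commit message says), pass `-Wl,-z,relro` there explicitly so neither case depends on the distribution. The test also judges RELRO only by the crash (`$? -eq 139`); a check for the PT_GNU_RELRO segment, e.g. `readelf -l no-relro | grep -q GNU_RELRO && exit_fail "no-relro was built with RELRO"`, turns a silent build-flag regression into a diagnosed failure. Depending on what relro.c writes to, note that partial RELRO (`-z relro` alone) leaves .got.plt writable for lazy binding, so a deterministic crash may need `-z relro -z now`.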
From: Jiri J. <jja...@re...> - 2013-02-26 16:54:46
Service restart does not always guarantee empty ruleset. Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/netfilebt/run.conf | 24 ++---------------------- audit-test/netfilter/run.conf | 30 ++++++------------------------ audit-test/utils/functions.bash | 32 ++++++++++++++++++++++++++++++++ 3 files changed, 40 insertions(+), 46 deletions(-) diff --git a/audit-test/netfilebt/run.conf b/audit-test/netfilebt/run.conf index 6ee1096..99a8e66 100644 --- a/audit-test/netfilebt/run.conf +++ b/audit-test/netfilebt/run.conf @@ -608,17 +608,7 @@ function run_test { # run the # default setup - if [[ $PPROFILE = lspp ]] ; then - expect -c' - spawn run_init service ebtables restart - expect "Password:" - sleep 1 - send "$env(PASSWD)\r" - wait - close' - else - service ebtables restart - fi + ebtables-save | xtables_empty | ebtables-restore ebtaudit_setup sleep 4 setup_default @@ -801,17 +791,7 @@ function run_test { ) status=$? - if [[ $PPROFILE = lspp ]] ; then - expect -c' - spawn run_init service ebtables restart - expect "Password:" - sleep 1 - send "$env(PASSWD)\r" - wait - close' - else - service ebtables restart - fi + ebtables-save | xtables_empty | ebtables-restore # whenever the test fails, pause so the test server can cleanup [[ "$expres" == "fail" || "$status" != "0" ]] && sleep 10 diff --git a/audit-test/netfilter/run.conf b/audit-test/netfilter/run.conf index 2c72d4c..6d8e14d 100644 --- a/audit-test/netfilter/run.conf +++ b/audit-test/netfilter/run.conf @@ -557,6 +557,9 @@ prepend_cleanup 'network_cleanup' # function iptables_setup { +# start with clean ruleset +iptables-save | xtables_empty | iptables-restore + iptables -N AUDIT_DROP iptables -A AUDIT_DROP -j AUDIT --type DROP iptables -A AUDIT_DROP -j DROP 
@@ -576,6 +579,9 @@ iptables -A AUDIT_ACCEPT -j ACCEPT # function ip6tables_setup { +# start with clean ruleset +ip6tables-save | xtables_empty | ip6tables-restore + ip6tables -N AUDIT_DROP ip6tables -A AUDIT_DROP -j AUDIT --type DROP ip6tables -A AUDIT_DROP -j DROP @@ -646,31 +652,7 @@ function run_test { # run the setup callback (which has access to the named params) # default setup - if [[ $PPROFILE = lspp ]] ; then - expect -c' - spawn run_init service iptables restart - expect "Password:" - sleep 1 - send "$env(PASSWD)\r" - wait - close' - else - service iptables restart - fi - sleep 1 iptables_setup - if [[ $PPROFILE = lspp ]] ; then - expect -c' - spawn run_init service ip6tables restart - expect "Password:" - sleep 1 - send "$env(PASSWD)\r" - wait - close' - else - service ip6tables restart - fi - sleep 1 ip6tables_setup sleep 3 if [[ $tnum -lt 29 ]] || [[ $tnum -gt 36 ]]; then diff --git a/audit-test/utils/functions.bash b/audit-test/utils/functions.bash index 5581b3f..bb82632 100644 --- a/audit-test/utils/functions.bash +++ b/audit-test/utils/functions.bash 
@@ -95,6 +95,38 @@ function exit_error { exit $status } +# xtables_empty - based on xtables-save input, makes a clean ruleset, ready +# to be used with xtables-restore +# +# INPUT: xtables-save format, preferably unmodified +# OUTPUT: xtables-restore format, ready to be used +# +# DESCRIPTION: +# The problem with xtables -F ; xtables -X ; xtables -P ... ACCEPT is that +# they're related only to the `filter' table by default - they would need to +# be called a lot more times to clean other used tables like `raw', `mangle', +# `nat' and `security', finding out somehow whether any of them is used first. +# +# A simple xtables-restore solution, restoring empty ruleset, is also not easy +# - if you specify ie. only the `filter' table, no other table gets touched. +# If you specify all possible tables, all modules related to those tables get +# loaded, even if they weren't originally loaded (ie. iptable_* modules). +# +# The solution is therefore to parse xtables-save output to find out which +# tables are used and generate empty ruleset to zero them. +# This solution can be generic enough to work for iptables, ip6tables, +# ebtables, arptables and any other tables there might be. +function xtables_empty { + # grep: + # - currently loaded table names + # - only predefined chains (no user chains) + # - include COMMIT statements for each table + # sed: + # - replace DROP default policies by ACCEPT + # - zero packet and byte counters + grep -e '^\*' -e '^:[^ ]* [^-]' -e '^COMMIT$' | sed 's/DROP/ACCEPT/ ; s/\[[0-9]*:[0-9]*\]/\[0:0\]/' +} + # parse_named - Parse key=value test arguments # # INPUT -- 1.7.11.7 |
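Review bot: the sed in xtables_empty, `s/DROP/ACCEPT/`, runs over every selected line rather than only the policy field; the built-in chain and table names never contain DROP so it is harmless today, but anchoring it as `s/^\(:[^ ]* \)DROP/\1ACCEPT/` documents the intent and keeps it from ever touching anything else. The comment claims the function is generic enough for ebtables, yet the ebtables-save format is not the same as iptables-save (its chain lines carry no `[pkts:bytes]` counters and it may not emit COMMIT), so the counter-zeroing sed and the COMMIT grep are no-ops there; please confirm on the target ebtables version that `ebtables-save | xtables_empty | ebtables-restore` really flushes every table, since the netfilebt hunk depends on it.

Review bot: in the netfilebt/run.conf and netfilter/run.conf hunks the `service ... restart` that previously re-applied the system ruleset after each test is replaced by an empty ruleset with ACCEPT policies, so once run_test returns the host is left more open than before the test; the backup/restore patch in this series (netfilebt/run.conf 99a8e66..1daf2d6) closes that gap and should be applied together with this one rather than as a separate step.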
From: Jiri J. <jja...@re...> - 2013-02-26 16:55:26
From: Miroslav Vadkerti <mva...@re...> The removed cleanup was redundant - each loop iteration cleans after the previous one and there's already append_cleanup catch for the last iteration / interrupt. Signed-off-by: Miroslav Vadkerti <mva...@re...> --- audit-test/kvm/test_resource_mount_readonly.bash | 4 ---- 1 file changed, 4 deletions(-) diff --git a/audit-test/kvm/test_resource_mount_readonly.bash b/audit-test/kvm/test_resource_mount_readonly.bash index 22aec73..3b5c96c 100755 --- a/audit-test/kvm/test_resource_mount_readonly.bash +++ b/audit-test/kvm/test_resource_mount_readonly.bash @@ -50,10 +50,6 @@ for i in $(seq $first $last); do if [[ $? -eq 0 ]]; then exit_fail fi - - umount /mnt - kpartx -d $LOOPDEV - losetup -d $LOOPDEV done exit_pass -- 1.7.11.7 |
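Review bot: the commit message says each iteration cleans after the previous one, but with `umount /mnt`, `kpartx -d $LOOPDEV` and `losetup -d $LOOPDEV` removed from the end of the loop body that is only true if the loop head (not in this hunk) detaches the previous guest's image before `losetup $LOOPDEV ...` runs again; please point at those lines, because a second losetup on a busy loop device fails and the following `mount -o ro` would then stack on top of the still-mounted previous image. If the only remaining cleanup is the append_cleanup handler, it runs once at exit, not per iteration.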
From: Jiri J. <jja...@re...> - 2013-02-26 16:55:26
From: Miroslav Vadkerti <mva...@re...> kvm/test_resource_mount_readonly A sleep needed after kpartx for the test to pass. Without it the mount didn't automatically recognize the file system type which should be mounted. kvm/test_selinux_trans_from_qemu.bash A new selinux type virt_bridgehelper_t added in RHEL6.4. This is another trusted domain which qemu_t and svirt_t may transition to. Signed-off-by: Miroslav Vadkerti <mva...@re...> --- audit-test/kvm/test_resource_mount_readonly.bash | 4 ++++ audit-test/kvm/test_selinux_trans_from_qemu.bash | 2 +- audit-test/kvm/test_selinux_trans_from_svirt.bash | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/audit-test/kvm/test_resource_mount_readonly.bash b/audit-test/kvm/test_resource_mount_readonly.bash index 4874763..22aec73 100755 --- a/audit-test/kvm/test_resource_mount_readonly.bash +++ b/audit-test/kvm/test_resource_mount_readonly.bash @@ -39,6 +39,10 @@ for i in $(seq $first $last); do eval "losetup $LOOPDEV \$kvm_guest_${i}_resource" kpartx -a $LOOPDEV + # starting from RHEL6.4 a sleep here was needed for the test to pass + # without it the mount below didn't automatically recognize file system + # type which should be mounted + sleep 1 mount -o ro /dev/mapper/$(basename $LOOPDEV)p1 /mnt touch /mnt/testfile diff --git a/audit-test/kvm/test_selinux_trans_from_qemu.bash b/audit-test/kvm/test_selinux_trans_from_qemu.bash index fc2ba75..b9c8118 100755 --- a/audit-test/kvm/test_selinux_trans_from_qemu.bash +++ b/audit-test/kvm/test_selinux_trans_from_qemu.bash @@ -38,7 +38,7 @@ if [[ $allowed_count -eq 0 ]]; then fi for type in $allowed; do - if [[ ! "$type" =~ smbd_t|ptchown_t|abrt_helper_t ]]; then + if [[ ! "$type" =~ smbd_t|ptchown_t|abrt_helper_t|virt_bridgehelper_t ]]; then exit_fail fi done diff --git a/audit-test/kvm/test_selinux_trans_from_svirt.bash b/audit-test/kvm/test_selinux_trans_from_svirt.bash index 04bf343..7f82fbe 100755 --- a/audit-test/kvm/test_selinux_trans_from_svirt.bash 
+++ b/audit-test/kvm/test_selinux_trans_from_svirt.bash @@ -38,7 +38,7 @@ if [[ $allowed_count -eq 0 ]]; then fi for type in $allowed; do - if [[ ! "$type" =~ ptchown_t|abrt_helper_t ]]; then + if [[ ! "$type" =~ ptchown_t|abrt_helper_t|virt_bridgehelper_t ]]; then exit_fail fi done -- 1.7.11.7 |
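Review bot: the `sleep 1` inserted after `kpartx -a $LOOPDEV` in test_resource_mount_readonly.bash encodes a timing guess rather than the condition the test actually depends on (the partition mapping existing and its filesystem being detectable), so it can still fail on a slow or loaded host and costs a second per guest on a fast one. kpartx has a sync mode, `kpartx -s -a $LOOPDEV`, which does not return before the mappings are created, and giving mount the filesystem type explicitly (`mount -t <fstype> -o ro ...`) removes the dependency on type detection altogether; if a wait has to stay, make it a bounded poll for `/dev/mapper/$(basename $LOOPDEV)p1` that reports an error when the node never appears instead of letting mount fail with a less specific message.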
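Review bot: in both test_selinux_trans_from_qemu.bash and test_selinux_trans_from_svirt.bash the extended pattern `=~ smbd_t|ptchown_t|abrt_helper_t|virt_bridgehelper_t` is still an unanchored substring match, so any type whose name merely contains one of these strings would be accepted as a permitted transition target and the check would pass silently. Anchor the alternation, e.g. `^(smbd_t|ptchown_t|abrt_helper_t|virt_bridgehelper_t)$`, and since the allowlist now has to be kept in sync across two files, consider defining it once in a shared place. A comment recording that virt_bridgehelper_t is expected from RHEL6.4 on would also help whoever next has to justify an entry in this list.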
From: Linda K. <lin...@hp...> - 2013-02-26 17:20:00
|
Jiri Jaburek wrote: > From: Miroslav Vadkerti <mva...@re...> > > kvm/test_resource_mount_readonly > A sleep needed after kpartx for the test to pass. Without it the mount > didn't automatically recognize the file system type which should be mounted. > > kvm/test_selinux_trans_from_qemu.bash > A new selinux type virt_bridgehelper_t added in RHEL6.4. This is another trusted > domain which qemu_t and svirt_t may transition to. > > Signed-off-by: Miroslav Vadkerti <mva...@re...> > --- > audit-test/kvm/test_resource_mount_readonly.bash | 4 ++++ > audit-test/kvm/test_selinux_trans_from_qemu.bash | 2 +- > audit-test/kvm/test_selinux_trans_from_svirt.bash | 2 +- > 3 files changed, 6 insertions(+), 2 deletions(-) > > diff --git a/audit-test/kvm/test_resource_mount_readonly.bash b/audit-test/kvm/test_resource_mount_readonly.bash > index 4874763..22aec73 100755 > --- a/audit-test/kvm/test_resource_mount_readonly.bash > +++ b/audit-test/kvm/test_resource_mount_readonly.bash > @@ -39,6 +39,10 @@ for i in $(seq $first $last); do > > eval "losetup $LOOPDEV \$kvm_guest_${i}_resource" > kpartx -a $LOOPDEV > + # starting from RHEL6.4 a sleep here was needed for the test to pass > + # without it the mount below didn't automatically recognize file system > + # type which should be mounted > + sleep 1 Is there something we can do here besides sleep? What changed to make the sleep necessary? Is there something else we could check? Is one second always enough? Should we check the status of the mount request and report an error in case it starts failing? Or could we just specify the fs type as part of the mount command? > mount -o ro /dev/mapper/$(basename $LOOPDEV)p1 /mnt > > touch /mnt/testfile > diff --git a/audit-test/kvm/test_selinux_trans_from_qemu.bash b/audit-test/kvm/test_selinux_trans_from_qemu.bash > index fc2ba75..b9c8118 100755 > --- a/audit-test/kvm/test_selinux_trans_from_qemu.bash > +++ b/audit-test/kvm/test_selinux_trans_from_qemu.bash 
> @@ -38,7 +38,7 @@ if [[ $allowed_count -eq 0 ]]; then > fi > > for type in $allowed; do > - if [[ ! "$type" =~ smbd_t|ptchown_t|abrt_helper_t ]]; then > + if [[ ! "$type" =~ smbd_t|ptchown_t|abrt_helper_t|virt_bridgehelper_t ]]; then > exit_fail > fi > done > diff --git a/audit-test/kvm/test_selinux_trans_from_svirt.bash b/audit-test/kvm/test_selinux_trans_from_svirt.bash > index 04bf343..7f82fbe 100755 > --- a/audit-test/kvm/test_selinux_trans_from_svirt.bash > +++ b/audit-test/kvm/test_selinux_trans_from_svirt.bash > @@ -38,7 +38,7 @@ if [[ $allowed_count -eq 0 ]]; then > fi > > for type in $allowed; do > - if [[ ! "$type" =~ ptchown_t|abrt_helper_t ]]; then > + if [[ ! "$type" =~ ptchown_t|abrt_helper_t|virt_bridgehelper_t ]]; then > exit_fail > fi > done |
From: Miroslav V. <mva...@re...> - 2013-03-04 12:25:37
Attachments:
0001-kvm-retention-fixes-for-RHEL6.4.patch
|
Hi Linda, I missed that kpartx contains a sync mode option. This resolves the issues we were seeing without the sleep. The attached patch can be used as a replacement of the previous patch. Best regards, /M ----- Original Message ----- > Jiri Jaburek wrote: > > From: Miroslav Vadkerti <mva...@re...> > > > > kvm/test_resource_mount_readonly > > A sleep needed after kpartx for the test to pass. Without it the > > mount > > didn't automatically recognize the file system type which should be > > mounted. > > > > kvm/test_selinux_trans_from_qemu.bash > > A new selinux type virt_bridgehelper_t added in RHEL6.4. This is > > another trusted > > domain which qemu_t and svirt_t may transition to. > > > > Signed-off-by: Miroslav Vadkerti <mva...@re...> > > --- > > audit-test/kvm/test_resource_mount_readonly.bash | 4 ++++ > > audit-test/kvm/test_selinux_trans_from_qemu.bash | 2 +- > > audit-test/kvm/test_selinux_trans_from_svirt.bash | 2 +- > > 3 files changed, 6 insertions(+), 2 deletions(-) > > > > diff --git a/audit-test/kvm/test_resource_mount_readonly.bash > > b/audit-test/kvm/test_resource_mount_readonly.bash > > index 4874763..22aec73 100755 > > --- a/audit-test/kvm/test_resource_mount_readonly.bash > > +++ b/audit-test/kvm/test_resource_mount_readonly.bash 
> > @@ -39,6 +39,10 @@ for i in $(seq $first $last); do > > > > eval "losetup $LOOPDEV \$kvm_guest_${i}_resource" > > kpartx -a $LOOPDEV > > + # starting from RHEL6.4 a sleep here was needed for the test to > > pass > > + # without it the mount below didn't automatically recognize file > > system > > + # type which should be mounted > > + sleep 1 > > Is there something we can do here besides sleep? What changed to > make the > sleep necessary? Is there something else we could check? Is one > second > always enough? Should we check the status of the mount request and > report > an error in case it starts failing? Or could we just specify the fs > type > as part of the mount command? > > > mount -o ro /dev/mapper/$(basename $LOOPDEV)p1 /mnt > > > > touch /mnt/testfile > > diff --git a/audit-test/kvm/test_selinux_trans_from_qemu.bash > > b/audit-test/kvm/test_selinux_trans_from_qemu.bash > > index fc2ba75..b9c8118 100755 > > --- a/audit-test/kvm/test_selinux_trans_from_qemu.bash > > +++ b/audit-test/kvm/test_selinux_trans_from_qemu.bash > > @@ -38,7 +38,7 @@ if [[ $allowed_count -eq 0 ]]; then > > fi > > > > for type in $allowed; do > > - if [[ ! "$type" =~ smbd_t|ptchown_t|abrt_helper_t ]]; then > > + if [[ ! "$type" =~ > > smbd_t|ptchown_t|abrt_helper_t|virt_bridgehelper_t ]]; then > > exit_fail > > fi > > done > > diff --git a/audit-test/kvm/test_selinux_trans_from_svirt.bash > > b/audit-test/kvm/test_selinux_trans_from_svirt.bash > > index 04bf343..7f82fbe 100755 > > --- a/audit-test/kvm/test_selinux_trans_from_svirt.bash > > +++ b/audit-test/kvm/test_selinux_trans_from_svirt.bash 
> > @@ -38,7 +38,7 @@ if [[ $allowed_count -eq 0 ]]; then > > fi > > > > for type in $allowed; do > > - if [[ ! "$type" =~ ptchown_t|abrt_helper_t ]]; then > > + if [[ ! "$type" =~ ptchown_t|abrt_helper_t|virt_bridgehelper_t > > ]]; then > > exit_fail > > fi > > done
-- Miroslav Vadkerti :: Quality Assurance Engineer / RHCE :: BaseOS QE - Security Phone +420 532 294 129 :: CR cell +420 775 039 842 :: SR cell +421 904 135 440 IRC mvadkert at #qe #urt #brno #rpmdiff :: GnuPG ID 0x25881087 at pgp.mit.edu Red Hat s.r.o, Purkyňova 99/71, 612 45, Brno, Czech Republic |
From: Linda K. <lin...@hp...> - 2013-03-04 16:51:36
|
Hi Miroslav, That looks good. Thanks very much. -- ljk On 03/04/13 07:25, Miroslav Vadkerti wrote: > Hi Linda, > > I missed that kpartx contains a sync mode option. This resolves the issues > we were seeing without the sleep. > > The attached patch can be used as a replacement of the previous patch. > > Best regards, > /M |
From: Jiri J. <jja...@re...> - 2013-02-26 16:55:27
|
From: Miroslav Vadkerti <mva...@re...> Tests 2 and 3 started failing because of a missing colon after a part of the audit message. As discussed previously with the audit developer, both cases are acceptable. Signed-off-by: Miroslav Vadkerti <mva...@re...> --- audit-test/audit-remote/tests/test_remote_system.bash | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/audit-test/audit-remote/tests/test_remote_system.bash b/audit-test/audit-remote/tests/test_remote_system.bash index af3d9df..f818a99 100755 --- a/audit-test/audit-remote/tests/test_remote_system.bash +++ b/audit-test/audit-remote/tests/test_remote_system.bash @@ -207,7 +207,7 @@ check_client_disconnected() { check_message_arrived() { local rc=0 /sbin/ausearch -n "REMOTE_LOGGING_CLIENT" -m "USER" \ - -ts $test_time_start | grep -e "type=USER .*${1}" || { rc=1 ; + -ts $test_time_start | egrep "type=USER .*${1}" || { rc=1 ; echo "Missing USER record from remote client" ; } #if [ $rc == 1 ] ; then @@ -309,7 +309,7 @@ test_server_msg_sequence() { sleep 5 for i in `seq 1 $max_audit_log_dump_seq` ; do #echo -n "[$i]" >> /tmp/seq.l g # Uncomment for easier debugging - check_message_arrived "$remote_client_test_string SEQ_NUM=$i:" || \ + check_message_arrived "$remote_client_test_string SEQ_NUM=$i:?" || \ ((missing_count+=1)) done [ $missing_count -gt 0 ] && exit_error \ -- 1.7.11.7 |
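Review bot: making the colon optional with `SEQ_NUM=$i:?` in test_server_msg_sequence() weakens the check, because the pattern is no longer terminated: for i=1 it now matches `SEQ_NUM=10`, `SEQ_NUM=11` and so on, so a genuinely missing record 1 would be counted as arrived as long as any two-digit sequence number starting with 1 made it through. Terminate the number instead, e.g. `SEQ_NUM=$i(:| |$)`, which still accepts both the colon and no-colon forms. The switch from `grep -e` to `egrep` is needed for the `?` and the grouping, so it belongs with this change; mentioning that in the commit message would save the next reader a look.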
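As an added illustration of the two matching problems discussed in this thread (the optional colon after SEQ_NUM here, and the unanchored type allowlist in the kvm SELinux transition tests earlier), here is a small shell script that is not audit-test code. The audit records and the type names below are constructed for the demo; the function names are assumptions, not part of the suite.

```shell
# Added example, not audit-test code. Shows bounded matching for sequence
# numbers in USER records and exact matching for an SELinux type allowlist.

# Constructed sample records (not real ausearch output). Note: there is no
# SEQ_NUM=1 record, only 3, 10 and 12; record 10 has no trailing colon.
SAMPLE_RECORDS='type=USER msg=audit(1361900000.001:101): pid=1 uid=0 text=remote test SEQ_NUM=3: exe=/usr/bin/true
type=USER msg=audit(1361900000.002:102): pid=1 uid=0 text=remote test SEQ_NUM=10 exe=/usr/bin/true
type=USER msg=audit(1361900000.003:103): pid=1 uid=0 text=remote test SEQ_NUM=12: exe=/usr/bin/true'

# seq_present_loose STRING N: the pattern from the patch, read records on stdin.
# "SEQ_NUM=1:?" is a prefix of "SEQ_NUM=10", so N=1 matches record 10.
seq_present_loose() {
    grep -Eq "type=USER .*$1 SEQ_NUM=$2:?"
}

# seq_present STRING N: colon still optional, but the number must be followed
# by ':', whitespace or end of line, so N=1 cannot match SEQ_NUM=10.
seq_present() {
    grep -Eq "type=USER .*$1 SEQ_NUM=$2(:|[[:space:]]|$)"
}

# Allowlist of domains qemu_t/svirt_t may transition to (from the kvm tests).
ALLOWED_TYPES="smbd_t ptchown_t abrt_helper_t virt_bridgehelper_t"

# type_allowed_loose TYPE: unanchored substring match, like "=~ a|b|c" in bash.
type_allowed_loose() {
    printf '%s\n' "$1" | grep -Eq 'smbd_t|ptchown_t|abrt_helper_t|virt_bridgehelper_t'
}

# type_allowed TYPE: exact, whole-name match against the allowlist.
type_allowed() {
    printf '%s\n' $ALLOWED_TYPES | grep -qxF -- "$1"
}

# all_types_allowed "t1 t2 ...": 0 only if every listed type is allowlisted.
all_types_allowed() {
    for t in $1; do
        type_allowed "$t" || return 1
    done
    return 0
}
```

Used against the sample above, `seq_present_loose "remote test" 1` reports record 1 as present although only record 10 exists, while `seq_present` does not; likewise a hypothetical `foo_smbd_t` passes the loose allowlist check but not the exact one.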
From: Jiri J. <jja...@re...> - 2013-02-26 16:56:11
|
From: Miroslav Vadkerti <mva...@re...> The iptables firewall is not properly cleaned after iptables stop in RHEL7. This fix makes sure firewall is clean before testing. The default configuration is restored after the testing. Signed-off-by: Miroslav Vadkerti <mva...@re...> --- audit-test/kvm/test_network_export_source_ip.bash | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/audit-test/kvm/test_network_export_source_ip.bash b/audit-test/kvm/test_network_export_source_ip.bash index 93a1d36..5e06165 100755 --- a/audit-test/kvm/test_network_export_source_ip.bash +++ b/audit-test/kvm/test_network_export_source_ip.bash @@ -27,10 +27,13 @@ source testcase.bash || exit 2 set -x -append_cleanup "/etc/init.d/iptables stop &> /dev/null" +# clean all iptables rules at the end of the testing +append_cleanup "iptables-save | xtables_empty | iptables-restore" for i in $(seq $first $last); do - /etc/init.d/iptables stop &> /dev/null + + # clean all iptables rules + iptables-save | xtables_empty | iptables-restore # Check the host IP address of the virtual network associated with the # virtual machine environment. @@ -65,19 +68,19 @@ for i in $(seq $first $last); do eval "ping -c 5 -I \$kvm_guest_${i}_hostaddr \$kvm_guest_${i}_hostaddr" if [[ $? -ne 0 ]]; then - exit_fail + exit_fail "Cannot ping guest host address" fi eval "ping -c 5 -I \$kvm_guest_${i}_hostaddr \$kvm_guest_${i}_addr" if [[ $? -eq 0 ]]; then - exit_fail + exit_fail "Cannot ping guest address" fi log_count=$(eval "grep -c -E \"$log_prefix: .* SRC=\$kvm_guest_${i}_addr\" /var/log/messages") if [[ $log_count -eq 0 ]]; then - exit_fail + exit_fail "log count is 0" fi done -- 1.7.11.7 |
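Review bot: `xtables_empty` in `iptables-save | xtables_empty | iptables-restore` is not defined or introduced anywhere in this patch, so it is not clear where it comes from or what it keeps (chain policies, user chains, counters); either add it here or reference the helper it lives in. Also, the commit message says the default configuration is restored after testing, but the `append_cleanup` line writes an emptied ruleset, which is not the same thing on a host that had rules before the test ran; if the pre-test rules are meant to come back, save them with `iptables-save > "$saved"` before flushing and restore that file in the cleanup.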
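Review bot: the new message on the second ping check is inverted: `exit_fail "Cannot ping guest address"` sits in the `if [[ $? -eq 0 ]]` branch, i.e. the test fails precisely because the ping to `$kvm_guest_${i}_addr` succeeded, so the message should say that the guest address was unexpectedly reachable. While touching these, "log count is 0" would be more useful if it named what was expected, e.g. the `$log_prefix` and `SRC=` address that were searched for in /var/log/messages.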
From: Jiri J. <jja...@re...> - 2013-02-26 16:56:11
|
Libvirt will fill in the missing entries. Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/kvm-cgroups/guest1-template.xml | 9 +++------ audit-test/kvm-iommu/guest1-dynamic-template.xml | 9 +++------ audit-test/kvm-iommu/guest1-template.xml | 9 +++------ audit-test/kvm-iommu/guest2-dynamic-template.xml | 9 +++------ audit-test/kvm-iommu/guest2-template.xml | 9 +++------ 5 files changed, 15 insertions(+), 30 deletions(-) diff --git a/audit-test/kvm-cgroups/guest1-template.xml b/audit-test/kvm-cgroups/guest1-template.xml index faba4ae..6dbb057 100644 --- a/audit-test/kvm-cgroups/guest1-template.xml +++ b/audit-test/kvm-cgroups/guest1-template.xml @@ -1,10 +1,10 @@ <domain type='kvm'> <name>guest1</name> - <memory>256000</memory> - <currentMemory>256000</currentMemory> + <memory unit='MiB'>256</memory> + <currentMemory unit='MiB'>256</currentMemory> <vcpu>1</vcpu> <os> - <type arch='x86_64' machine='rhel6.0.0'>hvm</type> + <type arch='x86_64'>hvm</type> <boot dev='hd'/> </os> <features> @@ -17,12 +17,10 @@ <on_reboot>restart</on_reboot> <on_crash>restart</on_crash> <devices> - <emulator>/usr/libexec/qemu-kvm</emulator> <disk type='file' device='disk'> <driver name='qemu' type='raw' cache='none'/> <source file='/var/lib/libvirt/images/guest1.img'/> <target dev='vda' bus='virtio'/> - <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/> </disk> <serial type='pty'> <target port='0'/> @@ -35,7 +33,6 @@ <graphics type='vnc' port='-1' autoport='yes'/> <video> <model type='cirrus' vram='9216' heads='1'/> - <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/> </video> CGROUP_DEV_CONFIG </devices> diff --git a/audit-test/kvm-iommu/guest1-dynamic-template.xml b/audit-test/kvm-iommu/guest1-dynamic-template.xml index 5ed1218..d981efe 100644 --- a/audit-test/kvm-iommu/guest1-dynamic-template.xml +++ b/audit-test/kvm-iommu/guest1-dynamic-template.xml 
@@ -1,10 +1,10 @@ <domain type='kvm'> <name>guest1-dynamic</name> - <memory>256000</memory> - <currentMemory>256000</currentMemory> + <memory unit='MiB'>256</memory> + <currentMemory unit='MiB'>256</currentMemory> <vcpu>1</vcpu> <os> - <type arch='x86_64' machine='rhel6.0.0'>hvm</type> + <type arch='x86_64'>hvm</type> <boot dev='hd'/> </os> <features> @@ -17,12 +17,10 @@ <on_reboot>restart</on_reboot> <on_crash>restart</on_crash> <devices> - <emulator>/usr/libexec/qemu-kvm</emulator> <disk type='file' device='disk'> <driver name='qemu' type='raw' cache='none'/> <source file='/var/lib/libvirt/images/guest1-dynamic.img'/> <target dev='vda' bus='virtio'/> - <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/> </disk> <serial type='pty'> <target port='0'/> @@ -35,7 +33,6 @@ <graphics type='vnc' port='-1' autoport='yes'/> <video> <model type='cirrus' vram='9216' heads='1'/> - <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/> </video> HOSTDEV_CONFIG </devices> diff --git a/audit-test/kvm-iommu/guest1-template.xml b/audit-test/kvm-iommu/guest1-template.xml index acf11c0..7bb69e2 100644 --- a/audit-test/kvm-iommu/guest1-template.xml +++ b/audit-test/kvm-iommu/guest1-template.xml @@ -1,10 +1,10 @@ <domain type='kvm'> <name>guest1</name> - <memory>256000</memory> - <currentMemory>256000</currentMemory> + <memory unit='MiB'>256</memory> + <currentMemory unit='MiB'>256</currentMemory> <vcpu>1</vcpu> <os> - <type arch='x86_64' machine='rhel6.0.0'>hvm</type> + <type arch='x86_64'>hvm</type> <boot dev='hd'/> </os> <features> 
@@ -17,12 +17,10 @@ <on_reboot>restart</on_reboot> <on_crash>restart</on_crash> <devices> - <emulator>/usr/libexec/qemu-kvm</emulator> <disk type='file' device='disk'> <driver name='qemu' type='raw' cache='none'/> <source file='/var/lib/libvirt/images/guest1.img'/> <target dev='vda' bus='virtio'/> - <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/> </disk> <serial type='pty'> <target port='0'/> @@ -35,7 +33,6 @@ <graphics type='vnc' port='-1' autoport='yes'/> <video> <model type='cirrus' vram='9216' heads='1'/> - <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/> </video> HOSTDEV_CONFIG </devices> diff --git a/audit-test/kvm-iommu/guest2-dynamic-template.xml b/audit-test/kvm-iommu/guest2-dynamic-template.xml index c502634..7ad0b5f 100644 --- a/audit-test/kvm-iommu/guest2-dynamic-template.xml +++ b/audit-test/kvm-iommu/guest2-dynamic-template.xml @@ -1,10 +1,10 @@ <domain type='kvm'> <name>guest2-dynamic</name> - <memory>256000</memory> - <currentMemory>256000</currentMemory> + <memory unit='MiB'>256</memory> + <currentMemory unit='MiB'>256</currentMemory> <vcpu>1</vcpu> <os> - <type arch='x86_64' machine='rhel6.0.0'>hvm</type> + <type arch='x86_64'>hvm</type> <boot dev='hd'/> </os> <features> @@ -17,12 +17,10 @@ <on_reboot>restart</on_reboot> <on_crash>restart</on_crash> <devices> - <emulator>/usr/libexec/qemu-kvm</emulator> <disk type='file' device='disk'> <driver name='qemu' type='raw' cache='none'/> <source file='/var/lib/libvirt/images/guest2-dynamic.img'/> <target dev='vda' bus='virtio'/> - <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/> </disk> <serial type='pty'> <target port='0'/> @@ -35,7 +33,6 @@ <graphics type='vnc' port='-1' autoport='yes'/> <video> <model type='cirrus' vram='9216' heads='1'/> - <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/> </video> </devices> </domain> 
diff --git a/audit-test/kvm-iommu/guest2-template.xml b/audit-test/kvm-iommu/guest2-template.xml index 235352b..9981f54 100644 --- a/audit-test/kvm-iommu/guest2-template.xml +++ b/audit-test/kvm-iommu/guest2-template.xml @@ -1,10 +1,10 @@ <domain type='kvm'> <name>guest2</name> - <memory>256000</memory> - <currentMemory>256000</currentMemory> + <memory unit='MiB'>256</memory> + <currentMemory unit='MiB'>256</currentMemory> <vcpu>1</vcpu> <os> - <type arch='x86_64' machine='rhel6.0.0'>hvm</type> + <type arch='x86_64'>hvm</type> <boot dev='hd'/> </os> <features> @@ -17,12 +17,10 @@ <on_reboot>restart</on_reboot> <on_crash>restart</on_crash> <devices> - <emulator>/usr/libexec/qemu-kvm</emulator> <disk type='file' device='disk'> <driver name='qemu' type='raw' cache='none'/> <source file='/var/lib/libvirt/images/guest2.img'/> <target dev='vda' bus='virtio'/> - <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/> </disk> <serial type='pty'> <target port='0'/> @@ -35,7 +33,6 @@ <graphics type='vnc' port='-1' autoport='yes'/> <video> <model type='cirrus' vram='9216' heads='1'/> - <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/> </video> HOSTDEV_CONFIG </devices> -- 1.7.11.7 |
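Review bot: the `<memory unit='MiB'>256</memory>` form depends on libvirt support for the `unit` attribute (introduced in libvirt 0.9.11); since the cover letter says these patches were retention-tested on RHEL6, it would be worth stating in the commit message which libvirt versions the templates are now expected to work with. Note also that this is a small size change, not just a unit change: the old value of 256000 KiB is 250 MiB, the new one is 256 MiB. Dropping `machine='rhel6.0.0'`, `<emulator>` and the fixed PCI `<address>` elements is what makes the templates portable to RHEL7, and the one-line message "Libvirt will fill in the missing entries" would read better if it said so explicitly.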
From: Jiri J. <jja...@re...> - 2013-02-26 16:56:11
|
From: Miroslav Vadkerti <mva...@re...> During RHEL6.4 CC retention testing we found that ausearch is run before the required AVC msgs appear in the audit log. An added 1s sleep seems to mitigate this issue. Signed-off-by: Miroslav Vadkerti <mva...@re...> --- audit-test/netfilter/run.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/audit-test/netfilter/run.conf b/audit-test/netfilter/run.conf index 81166a7..1d21cd1 100644 --- a/audit-test/netfilter/run.conf +++ b/audit-test/netfilter/run.conf @@ -1031,6 +1031,7 @@ function run_test { xndrst=0 fi + sleep 1 asreturn=$(ausearch -m NETFILTER_PKT -if /var/log/audit/audit.log \ | grep action=$actv | grep -m 1 proto=$protov) if [[ -n $asreturn ]]; then -- 1.7.11.7 |
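Review bot: the unconditional `sleep 1` before `asreturn=$(ausearch -m NETFILTER_PKT ...)` has the same weakness Linda raised for the kpartx change: it is a guess at how long auditd takes to flush the record, so it still races on a loaded box and adds a second to every run_test invocation on an idle one. A bounded retry (run the ausearch pipeline up to N times with a short pause until `$asreturn` is non-empty, then fall through to the existing check) would be no slower in the common case and would fail with an explicit timeout rather than a spurious missing-record result; the commit message should also say which tests were affected so the fix can be revisited if auditd's write path changes.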
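Two patches in this thread add a fixed `sleep 1` to paper over a race (after `kpartx -a` before mount, and before `ausearch` in netfilter/run.conf). As an added example that is not audit-test code, here is a small bounded-retry helper that waits for the actual condition instead of a guessed interval. The helper names are assumptions; the usage comments refer to the commands in the patches but the demo itself only touches a temporary file, so it runs anywhere.

```shell
# Added example, not audit-test code: bounded retry of a readiness check,
# as a replacement for an unconditional 'sleep 1'.

# wait_for_cmd TRIES DELAY CMD [ARGS...]
# Run CMD up to TRIES times with DELAY seconds between attempts.
# Returns 0 as soon as CMD succeeds, 1 when every attempt failed.
wait_for_cmd() {
    local tries delay attempt
    tries=$1
    delay=$2
    shift 2
    attempt=0
    while [ "$attempt" -lt "$tries" ]; do
        if "$@"; then
            return 0
        fi
        attempt=$((attempt + 1))
        # do not pay the delay after the final failed attempt
        if [ "$attempt" -lt "$tries" ]; then
            sleep "$delay"
        fi
    done
    return 1
}

# wait_for_record FILE REGEX: succeed once a line of FILE matches REGEX,
# giving the writer up to 5 seconds (10 x 0.5 s). This is the shape the
# netfilter case wants: the check is the thing being waited for.
wait_for_record() {
    wait_for_cmd 10 0.5 grep -Eq -- "$2" "$1"
}

# wait_for_blockdev PATH: succeed once PATH exists as a block device
# (what the kpartx test needs before 'mount -o ro /dev/mapper/...p1').
wait_for_blockdev() {
    wait_for_cmd 10 0.5 test -b "$1"
}

# How this maps onto the patches (assumed call sites, not run here):
#   kpartx -s -a "$LOOPDEV"        # -s: return only after mappings exist
#   wait_for_blockdev "/dev/mapper/$(basename "$LOOPDEV")p1" \
#       || exit_error "partition device did not appear"
#   mount -t ext3 -o ro "/dev/mapper/$(basename "$LOOPDEV")p1" /mnt
#
#   wait_for_cmd 10 0.5 sh -c \
#       "ausearch -m NETFILTER_PKT -if /var/log/audit/audit.log \
#        | grep action=$actv | grep -q proto=$protov" \
#       || exit_error "no NETFILTER_PKT record within 5 s"
```

The usage sketch keeps the existing `exit_error` style of the suite so a timeout shows up as a test error with a message, not as a silent missing record.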