From: Jiri J. <jja...@re...> - 2013-08-21 16:19:22
Hi,

another batch of smaller changes preparing the suite for RHEL7 is here. This batch focuses more on RHEL7 specifics, so RHEL6 doesn't always benefit from the fixes, even though all changes should be at least RHEL6-compatible.

   4.4% audit-test/filter/tests/
  10.9% audit-test/libpam/tests/
   4.9% audit-test/trustedprograms/tests/
  70.5% audit-test/utils/
   9.1% audit-test/

The majority of the changes are a result of the two new major features (stored in utils/):
- environment sanity-checking script
- run/rollup log separation and merging
(see commit messages of patch 01 and 02 for more info)

The rest of the changes consist mostly of random smaller fixes all over the place.

The changes have been tested on RHEL 6.2 (6.2.z) and 6.4 (6.4.z) by Miroslav Vadkerti and don't seem to cause any regressions for RHEL6.

The patches are attached via In-Reply-To/References to this mail.

Thanks,
Jiri
From: Jiri J. <jja...@re...> - 2013-08-21 16:21:15
The idea is to catch various configuration or setup errors and give useful hints, so that the user doesn't have to debug the system/suite to find out what could possibly go wrong. This script is not supposed to replace or duplicate functionality provided by the suite itself, it should be only used for basic sanity verification of the environment. It doesn't claim to reveal all configuration errors, but it can still be useful. Because of the reasons mentioned above, running this script is purely optional. Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/Makefile | 6 + audit-test/README.run | 6 + audit-test/utils/envcheck | 425 ++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 437 insertions(+) create mode 100755 audit-test/utils/envcheck diff --git a/audit-test/Makefile b/audit-test/Makefile index c8e6477..28a80af 100644 --- a/audit-test/Makefile +++ b/audit-test/Makefile @@ -124,3 +124,9 @@ policy: netconfig: cd network/system && $(MAKE) install cd utils/network-server && $(MAKE) install + +.PHONY: envcheck +envcheck: + @$(check_set_PPROFILE); \ + $(check_set_PASSWD); + utils/envcheck diff --git a/audit-test/README.run b/audit-test/README.run index 276364c..d9311bd 100644 --- a/audit-test/README.run +++ b/audit-test/README.run @@ -265,6 +265,12 @@ environment variables: Verify that the time on the test system is synchronized with the time on the network test server. +As an additional sanity check, you can run: + +# make envcheck +or +# make envcheck | less -R + Run the tests ------------- diff --git a/audit-test/utils/envcheck b/audit-test/utils/envcheck new file mode 100755 index 0000000..5b79b35 --- /dev/null +++ b/audit-test/utils/envcheck 
@@ -0,0 +1,425 @@ +#!/bin/bash +############################################################################### +# Copyright (c) 2013 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +############################################################################### +# +# AUTHOR: Jiri Jaburek <jja...@re...> +# +# This script checks whether the environment on TOE and NS has all +# the prerequisities for audit-test suite run met. +# This ranges from initial environment variable checking to ensuring proper +# routing between TOE and NS. 
+ +## COLORS +# +# attributes: +# 0=none, 1=bold, 4=underscore, 5=blink, 7=reverse, 8=concealed +# +# text/foreground: +# 30=black, 31=red, 32=green, 33=yellow, 34=blue, 35=magenta, 36=cyan, 37=white +# +# background: +# 40=black, 41=red, 42=green, 43=yellow, 44=blue, 45=magenta, 46=cyan, 47=white +# +# format: +# \e[<code>[;<code2>]m +# ie.: +# echo -e '\e[1;4;31;43mred bold underlined text on yellow background\e[0m' +## + +# run a given command to verify/check something +# $1 = command with arguments +# $2 = expected exit code (leave empty if irrelevant) +# $3 = optional cmd text to show instead of $1 +# returns the command's exit code +# and sets CHECK_FAILED var to nonempty value upon fail +check() +{ + [ $# -lt 1 ] && return 1 + [ $# -ge 2 ] && cmpret="$2" || cmpret=0 + [ $# -ge 3 ] && msg="$3" || msg= + + # echo initial msg + if [ "$msg" ]; then + echo -ne "\e[1m$msg\e[0m ..." + else + echo -ne "> \e[1m$1\e[0m ..." + fi + + # run cmd, capture stderr + out=$(eval "$1" 2>&1) + + # show result + ret=$? 
+ if [ -z "$cmpret" ]; then + # ignored + echo -e "\e[1;34mignored\e[0m" + elif [ "$cmpret" -eq $ret ]; then + # pass + echo -e "\e[1;32mpassed\e[0m" + else + if [ "$WARNONLY" ]; then + # warn + echo -e "\e[1;33mwarn\e[0m" + [ "$out" ] && echo "$out" + else + # fail + echo -e "\e[1;31mfailed\e[0m" + [ "$out" ] && echo "$out" + CHECK_FAILED=1 + fi + fi + + return $ret +} + + +### EXAMPLE +#check "sleep 2" # pass +#WARNONLY=1 check "sleep 0.5" # pass +#WARNONLY=1 check "sleep 0,5" # warn +#check "sleep abcd" 0 "running sleep abcd" # fail with msg +#check "sleep -2" '' # ignored result + + +AUDITDIR="/usr/local/eal4_testing" + + +### VARIABLES +check_variables() { + local CHECK_FAILED + local vars + + # basic variables + vars="DISTRO MODE PPROFILE PASSWD" + #vars="PASSWD" + + for i in $vars; do + check "env | grep \"^$i=\"" 0 "Var $i is present in environment" + done; + + # sanity PPROFILE check + check "[ \"$PPROFILE\" = \"capp\" -o \"$PPROFILE\" = \"lspp\" ]" 0 \ + "Var PPROFILE is either capp or lspp" + + [ -z "$CHECK_FAILED" ] && check_variables_ok_nonet=1 + + # networking variables + vars="LOCAL_DEV LOCAL_IPV4 LOCAL_IPV6" + vars="$vars LOCAL_SEC_MAC LOCAL_SEC_IPV4 LOCAL_SEC_IPV6 BRIDGE_FILTER" + vars="$vars LBLNET_SVR_IPV4 LBLNET_SVR_IPV6" + vars="$vars SECNET_SVR_MAC SECNET_SVR_IPV4 SECNET_SVR_IPV6" + + for i in $vars; do + check "env | grep \"^$i=\"" 0 "Var $i is present in environment" + done; + + # s390x / ppc64 check? (ARCH variable) + + if [ "$CHECK_FAILED" ]; then + echo + echo "Variable checking failed, please make sure to export all required" + echo "environment variables specified in README.run." + echo "Also make sure the networking variables are set according" + echo "to README.netfilter." 
+ return 1 + else + check_variables_ok=1 + fi +} + + +### USER SESSION +check_user_session() { + local CHECK_FAILED + + # requires for this check + [ "$check_variables_ok_nonet" ] || return 2 + + check "[ \"$(whoami)\" = \"root\" ]" 0 \ + "Logged in as root" + check "[ -z \"$(faillock | grep -v '^\([^ ]*:\|When\)')\" ]" 0 \ + "Faillock is empty" + check "[ ! -e \"$HOME/.ssh/id_rsa\" ]" 0 \ + "~/.ssh/id_rsa doesn't exist (testsuite reasons)" + + [ "$PPROFILE" = "lspp" ] && \ + check "[ \"$(id -Z)\" = \"staff_u:lspp_test_r:lspp_harness_t:SystemLow-SystemHigh\" ]" 0 \ + "id -Z is staff_u:lspp_test_r:lspp_harness_t:SystemLow-SystemHigh" + + check "[ \"$(pwd)\" = \"/usr/local/eal4_testing/audit-test\" ]" 0 \ + "\$(pwd) is /usr/local/eal4_testing/audit-test" + + if [ "$CHECK_FAILED" ]; then + echo + echo "User session checking failed, please make sure the system" + echo "is in evaluated configuration, double check whether all steps" + echo "required by README.run have been performed." + return 1 + else + check_user_session_ok=1 + fi +} + + +### SUITE LOCATION +check_suite_loc() { + local CHECK_FAILED + + # requires for this check + [ "$AUDITDIR" ] || return 2 + + check "[ -d \"$AUDITDIR\" ]" + check "[ -d \"$AUDITDIR/audit-test\" ]" + check "[ -d \"$AUDITDIR/ltp\" ]" + #DIRS="audit-remote audit-tools audit-trail-protection crypto docs fail-safe filter kvm kvm-cgroups kvm-iommu libpam misc netfilebt netfilter network syscalls trustedprograms utils" + #for i in $DIRS; do + # check "[ -d \"$AUDITDIR/audit-test/$i\" ]" + #done; + + [ -d "$AUDITDIR" ] && \ + check "[ \"$(stat --format=%a "$AUDITDIR")\" = \"755\" ]" 0 "$AUDITDIR has mode 755" + + if [ "$CHECK_FAILED" ]; then + echo + echo "Suite not found or incorrectly installed at $AUDITDIR." + echo "This is important because of the hardcoded paths in the testing policy." + echo "Please install/extract the suite according to README.run." 
+ return 1 + else + check_suite_loc_ok=1 + fi +} + + +### NETWORKING - interfaces +check_networking_if() { + local CHECK_FAILED + + # requires for this check + [ "$check_variables_ok" ] || return 2 + + # interface checks + check "ip -o link show dev $LOCAL_DEV" 0 \ + "Device $LOCAL_DEV exists" + check "ip -o link show dev $LOCAL_SEC_DEV" 0 \ + "Device $LOCAL_SEC_DEV exists" + check "ip -o link show dev $BRIDGE_FILTER" 0 \ + "Device $BRIDGE_FILTER exists" + check "brctl show $BRIDGE_FILTER | grep $LOCAL_SEC_DEV" 0 \ + "Device $LOCAL_SEC_DEV is enslaved in bridge $BRIDGE_FILTER" + + check "ip -o -4 addr show dev $LOCAL_DEV | grep \"$LOCAL_IPV4\"" 0 \ + "Device $LOCAL_DEV has IPv4 address: $LOCAL_IPV4" + check "ip -o -6 addr show dev $LOCAL_DEV | grep \"$LOCAL_IPV6\"" 0 \ + "Device $LOCAL_DEV has IPv6 address: $LOCAL_IPV6" + check "ip -o link show dev $BRIDGE_FILTER | grep \"$(sed 's/\(.*\)/\L\1/' <<<$LOCAL_SEC_MAC)\"" 0 \ + "Device $BRIDGE_FILTER has MAC address: $LOCAL_SEC_MAC" + check "ip -o -4 addr show dev $BRIDGE_FILTER | grep \"$LOCAL_SEC_IPV4\"" 0 \ + "Device $BRIDGE_FILTER has IPv4 address: $LOCAL_SEC_IPV4" + check "ip -o -6 addr show dev $BRIDGE_FILTER | grep \"$LOCAL_SEC_IPV6\"" 0 \ + "Device $BRIDGE_FILTER has IPv6 address: $LOCAL_SEC_IPV6" + + check "ip -o -6 addr show dev $LOCAL_DEV | grep \"$LOCAL_IPV6\" | grep -v deprecated" 0 \ + "IPv6 address $LOCAL_IPV6 on $LOCAL_DEV is not deprecated" + check "ip -o -6 addr show dev $BRIDGE_FILTER | grep \"$LOCAL_SEC_IPV6\" | grep -v deprecated" 0 \ + "IPv6 address $LOCAL_SEC_IPV6 on $BRIDGE_FILTER is not deprecated" + + if [ "$CHECK_FAILED" ]; then + echo + echo "Network interfaces are not configured correctly." + echo "Make sure the networking is set according to README.netfilter" + echo "(including the bridge) and that all addresses assigned to" + echo "network interfaces match those exported in env variables." 
+ return 1 + else + check_networking_if_ok=1 + fi +} + + +### NETWORKING - probe +check_networking_probe() { + local CHECK_FAILED + + # requires for this check + [ "$check_variables_ok" -a "$check_networking_if_ok" ] || return 2 + + check "ping -I lo -q -c1 127.0.0.1" 0 \ + "127.0.0.1 reachable via lo" + check "ping6 -I lo -q -c1 ::1" 0 \ + "::1 reachable via lo" + check "ping -I $LOCAL_DEV -q -c1 $LBLNET_SVR_IPV4" 0 \ + "$LBLNET_SVR_IPV4 reachable via $LOCAL_DEV" + check "ping6 -I $LOCAL_DEV -q -c1 $LBLNET_SVR_IPV6" 0 \ + "$LBLNET_SVR_IPV6 reachable via $LOCAL_DEV" + check "ping -I $BRIDGE_FILTER -q -c1 $SECNET_SVR_IPV4" 0 \ + "$SECNET_SVR_IPV4 reachable via $BRIDGE_FILTER" + check "ping6 -I $BRIDGE_FILTER -q -c1 $SECNET_SVR_IPV6" 0 \ + "$SECNET_SVR_IPV6 reachable via $BRIDGE_FILTER" + + check "nc $LOCAL_IPV4 4000 <<<\"echo:testme;\" | grep -a testme" 0 \ + "lblnet_tst_server on TOE responds over unlabeled IPv4" + check "nc $LOCAL_IPV6 4000 <<<\"echo:testme;\" | grep -a testme" 0 \ + "lblnet_tst_server on TOE responds over unlabeled IPv6" + check "nc $LBLNET_SVR_IPV4 4000 <<<\"echo:testme;\" | grep -a testme" 0 \ + "lblnet_tst_server on NS responds over unlabeled IPv4" + check "nc $LBLNET_SVR_IPV6 4000 <<<\"echo:testme;\" | grep -a testme" 0 \ + "lblnet_tst_server on NS responds over unlabeled IPv6" + + if [ "$CHECK_FAILED" ]; then + echo + echo "Some services on the NS are not reachable." + echo "Make sure the NS is configured correctly and reachable" + echo "via the interfaces and addresses exported as env variables." 
+ return 1 + else + check_networking_probe_ok=1 + fi +} + + +### SERVICES +check_services() { + local CHECK_FAILED + + # requires for this check + [ "$check_variables_ok" ] || return 2 + + local daem daems + daems="auditd rsyslogd mcstransd" + [ "$PPROFILE" = "lspp" ] && daems="$daems xinetd pluto" + for daem in $daems; do + check "pidof \"$daem\"" 0 \ + "daemon \"$daem\" is running" + done; + + if [ "$PPROFILE" = "lspp" ]; then + check "[ \"$(cat /proc/sys/net/ipv4/conf/lo/disable_xfrm)\" = \"0\" ]" 0 \ + "ipsec: XFRM is not disabled on loopback" + check "[ \"$(cat /proc/sys/net/ipv4/conf/lo/disable_policy)\" = \"0\" ]" 0 \ + "ipsec: XFRM policy is not disabled on loopback" + + check "[ \"$(ip xfrm policy list)\" ]" 0 \ + "ipsec: XFRM policy is not empty" + check "[ -z \"$(ip xfrm state list)\" ]" 0 \ + "ipsec: XFRM state / association database is empty" + + local addr + for addr in "$LOCAL_IPV4" "$LOCAL_IPV6" "127.0.0.1" "::1"; do + check "grep \"left=$addr\" /etc/ipsec.conf" 0 \ + "ipsec.conf contains left=$addr" + done; + for addr in "$LBLNET_SVR_IPV4" "$LBLNET_SVR_IPV6" "127.0.0.1" "::1"; do + check "grep \"right=$addr\" /etc/ipsec.conf" 0 \ + "ipsec.conf contains right=$addr" + done; + check "egrep -n \"(right|left)=[ \t]*$\" /etc/ipsec.conf" 1 \ + "ipsec.conf doesn't contain empty left= or right=" + + check "netlabelctl map list | grep \"lspp_test_netlabel_t\"" 0 \ + "netlabel: lspp_test_netlabel_t mapping present" + fi + + if [ "$CHECK_FAILED" ]; then + echo + echo "Services check failed - either one or more essential daemons are" + echo "not running or service-related files are not set up correctly." + echo "Please make sure you have gone through all required steps" + echo "described in README.run." 
+ return 1 + else + check_services_ok=1 + fi + +} + + +### KVM +check_kvm() { + local CHECK_FAILED + + # requires for this check + [ "$AUDITDIR" -a "$check_suite_loc_ok" ] || return 2 + [ "$(uname -m)" = "x86_64" ] || { + echo "KVM tests not supported on $(uname -m) architecture" + return 2 + } + + check "[ -d \"$AUDITDIR/audit-test/kvm\" ]" + check "[ -f \"$AUDITDIR/audit-test/kvm/config.bash\" ]" + check "grep '^install_media' \"$AUDITDIR/audit-test/kvm/config.bash\"" 0 \ + "install_media specified in kvm config" + check "grep '\(vmx\|svm\)' /proc/cpuinfo" 0 \ + "Host cpu has HW virt support" + + check "grep '^usb_device_id' \"$AUDITDIR/audit-test/kvm-iommu/usb_device.conf\" | grep -v XXXX:XXXX" 0 \ + "usb_device_id specified in kvm-iommu/usb_device.conf" + check "grep '^pci_device_id' \"$AUDITDIR/audit-test/kvm-iommu/pci_device.conf\" | grep -v XXXX:XX:XX.X" '' \ + "pci_device_id specified in kvm-iommu/pci_device.conf" + + if [ "$CHECK_FAILED" ]; then + echo + echo "KVM sanity check failed - make sure you have the hardware with" + echo "HW virtualization support and that you have configured the kvm" + echo "test bucket in kvm/config.bash (install_media at least)." + return 1 + else + check_kvm_ok=1 + fi +} + +### END + +# checks to be run, ordering is important +CHECKS=" +check_variables +check_user_session +check_suite_loc +check_networking_if +check_networking_probe +check_services +check_kvm +" + +fails=0 +skips=0 +for check in $CHECKS; do + echo "::::::::::::::::::::::::::::::::::::::::::" + echo -e "::: \e[1m$check\e[0m" + echo "::::::::::::::::::::::::::::::::::::::::::" + "$check" + case "$?" 
in + 1) fails=$((fails+1)) ;; + 2) echo "SKIPPED due to unmet dependencies"; skips=$((skips+1)) ;; + *) ;; + esac + echo +done; + +echo "==========================================" +echo -n "OVERALL: " +[ $fails -eq 0 ] && \ + echo -ne "\e[1;32mPASSED\e[0m" || \ + echo -ne "\e[1;31mFAILED\e[0m ($fails checks failed)" +[ $skips -eq 0 ] && \ + echo || + echo " ($skips checks skipped)" + +exit 0 + +# vim: sts=4 sw=4 et : -- 1.8.3.1 |
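Review bot: the README.run hunk tells the reader how to invoke the script but not what it covers or how to read its result; the commit message says the script is an optional sanity check that does not replace the suite's own checks, so a sentence to that effect next to `# make envcheck` (for example: "This is an optional sanity check of environment variables, network setup and running services; its hints do not replace the checks done by the suite itself.") would keep README.run self-explanatory.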
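Review bot: in the envcheck hunk, check_networking_if uses $LOCAL_SEC_DEV (`ip -o link show dev $LOCAL_SEC_DEV` and the `brctl show ... | grep $LOCAL_SEC_DEV` line) but check_variables never lists LOCAL_SEC_DEV in its networking `vars`, so when that variable is unset the user sees "Device  exists ... failed" with an ip usage error instead of being told which variable is missing; add LOCAL_SEC_DEV to the `vars="LOCAL_DEV LOCAL_IPV4 LOCAL_IPV6"` group. Smaller points in the same file: `egrep -n "(right|left)=[ \t]*$"` relies on `\t` meaning tab inside a bracket expression, which GNU grep does not honour (it matches a literal backslash or the letter t, so `left=t` would be flagged as empty); `[[:blank:]]*` is the safer spelling. The four `nc ... 4000` probes have no timeout and can hang the whole run if the port accepts but never answers, so `nc -w 5` would be prudent. The script ends with an unconditional `exit 0`, so `make envcheck` cannot distinguish PASSED from FAILED when scripted; `exit $((fails > 0))` would keep the summary and make the status usable. Finally, check() assigns cmpret, msg, out and ret without `local`, so they leak into the global scope of every caller.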
From: Linda K. <lin...@hp...> - 2013-08-27 17:23:21
Hi Jiri, I really like the idea of having a script that validates the configuration. I haven't run the script so I'm only looking at the code but it looks like the script is reporting specific output for all the items that are right but a generic message when something is wrong. I note a few instances inline below. It seems like it would be more helpful if we issue specific messages for the things that are wrong. Am I reading the script right? Thanks, -- ljk On 08/21/13 12:21, Jiri Jaburek wrote: > The idea is to catch various configuration or setup errors > and give useful hints, so that the user doesn't have to debug > the system/suite to find out what could possibly go wrong. > > This script is not supposed to replace or duplicate functionality > provided by the suite itself, it should be only used for basic sanity > verification of the environment. It doesn't claim to reveal all > configuration errors, but it can still be useful. > > Because of the reasons mentioned above, running this script > is purely optional. > > Signed-off-by: Jiri Jaburek <jja...@re...> > --- > audit-test/Makefile | 6 + > audit-test/README.run | 6 + > audit-test/utils/envcheck | 425 ++++++++++++++++++++++++++++++++++++++++++++++ > 3 files changed, 437 insertions(+) > create mode 100755 audit-test/utils/envcheck > > diff --git a/audit-test/Makefile b/audit-test/Makefile > index c8e6477..28a80af 100644 > --- a/audit-test/Makefile > +++ b/audit-test/Makefile > @@ -124,3 +124,9 @@ policy: > netconfig: > cd network/system && $(MAKE) install > cd utils/network-server && $(MAKE) install > + > +.PHONY: envcheck > +envcheck: > + @$(check_set_PPROFILE); \ > + $(check_set_PASSWD); > + utils/envcheck > diff --git a/audit-test/README.run b/audit-test/README.run > index 276364c..d9311bd 100644 > --- a/audit-test/README.run > +++ b/audit-test/README.run 
> @@ -265,6 +265,12 @@ environment variables: > Verify that the time on the test system is synchronized with the time > on the network test server. > > +As an additional sanity check, you can run: > + > +# make envcheck > +or > +# make envcheck | less -R > + > Run the tests > ------------- > > diff --git a/audit-test/utils/envcheck b/audit-test/utils/envcheck > new file mode 100755 > index 0000000..5b79b35 > --- /dev/null > +++ b/audit-test/utils/envcheck 
> @@ -0,0 +1,425 @@ > +#!/bin/bash > +############################################################################### > +# Copyright (c) 2013 Red Hat, Inc. All rights reserved. > +# > +# This copyrighted material is made available to anyone wishing > +# to use, modify, copy, or redistribute it subject to the terms > +# and conditions of the GNU General Public License version 2. > +# > +# This program is distributed in the hope that it will be > +# useful, but WITHOUT ANY WARRANTY; without even the implied > +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR > +# PURPOSE. See the GNU General Public License for more details. > +# > +# You should have received a copy of the GNU General Public > +# License along with this program; if not, write to the Free > +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, > +# Boston, MA 02110-1301, USA. > +############################################################################### > +# > +# AUTHOR: Jiri Jaburek <jja...@re...> > +# > +# This script checks whether the environment on TOE and NS has all > +# the prerequisities for audit-test suite run met. > +# This ranges from initial environment variable checking to ensuring proper > +# routing between TOE and NS. 
> + > +## COLORS > +# > +# attributes: > +# 0=none, 1=bold, 4=underscore, 5=blink, 7=reverse, 8=concealed > +# > +# text/foreground: > +# 30=black, 31=red, 32=green, 33=yellow, 34=blue, 35=magenta, 36=cyan, 37=white > +# > +# background: > +# 40=black, 41=red, 42=green, 43=yellow, 44=blue, 45=magenta, 46=cyan, 47=white > +# > +# format: > +# \e[<code>[;<code2>]m > +# ie.: > +# echo -e '\e[1;4;31;43mred bold underlined text on yellow background\e[0m' > +## > + > +# run a given command to verify/check something > +# $1 = command with arguments > +# $2 = expected exit code (leave empty if irrelevant) > +# $3 = optional cmd text to show instead of $1 > +# returns the command's exit code > +# and sets CHECK_FAILED var to nonempty value upon fail > +check() > +{ > + [ $# -lt 1 ] && return 1 > + [ $# -ge 2 ] && cmpret="$2" || cmpret=0 > + [ $# -ge 3 ] && msg="$3" || msg= > + > + # echo initial msg > + if [ "$msg" ]; then > + echo -ne "\e[1m$msg\e[0m ..." > + else > + echo -ne "> \e[1m$1\e[0m ..." > + fi > + > + # run cmd, capture stderr > + out=$(eval "$1" 2>&1) > + > + # show result > + ret=$? 
> + if [ -z "$cmpret" ]; then > + # ignored > + echo -e "\e[1;34mignored\e[0m" > + elif [ "$cmpret" -eq $ret ]; then > + # pass > + echo -e "\e[1;32mpassed\e[0m" > + else > + if [ "$WARNONLY" ]; then > + # warn > + echo -e "\e[1;33mwarn\e[0m" > + [ "$out" ] && echo "$out" > + else > + # fail > + echo -e "\e[1;31mfailed\e[0m" > + [ "$out" ] && echo "$out" > + CHECK_FAILED=1 > + fi > + fi > + > + return $ret > +} > + > + > +### EXAMPLE > +#check "sleep 2" # pass > +#WARNONLY=1 check "sleep 0.5" # pass > +#WARNONLY=1 check "sleep 0,5" # warn > +#check "sleep abcd" 0 "running sleep abcd" # fail with msg > +#check "sleep -2" '' # ignored result > + > + > +AUDITDIR="/usr/local/eal4_testing" > + > + > +### VARIABLES > +check_variables() { > + local CHECK_FAILED > + local vars > + > + # basic variables > + vars="DISTRO MODE PPROFILE PASSWD" > + #vars="PASSWD" > + > + for i in $vars; do > + check "env | grep \"^$i=\"" 0 "Var $i is present in environment" > + done; > + > + # sanity PPROFILE check > + check "[ \"$PPROFILE\" = \"capp\" -o \"$PPROFILE\" = \"lspp\" ]" 0 \ > + "Var PPROFILE is either capp or lspp" > + > + [ -z "$CHECK_FAILED" ] && check_variables_ok_nonet=1 > + > + # networking variables > + vars="LOCAL_DEV LOCAL_IPV4 LOCAL_IPV6" > + vars="$vars LOCAL_SEC_MAC LOCAL_SEC_IPV4 LOCAL_SEC_IPV6 BRIDGE_FILTER" > + vars="$vars LBLNET_SVR_IPV4 LBLNET_SVR_IPV6" > + vars="$vars SECNET_SVR_MAC SECNET_SVR_IPV4 SECNET_SVR_IPV6" > + > + for i in $vars; do > + check "env | grep \"^$i=\"" 0 "Var $i is present in environment" > + done; It looks like display a message for each env variable that is set. Do they also get a message if an env variable is not set? Or do they just get the generic message that the check failed below? If would be nice if we tell them specifically which ones are missing. > + > + # s390x / ppc64 check? 
(ARCH variable) > + > + if [ "$CHECK_FAILED" ]; then > + echo > + echo "Variable checking failed, please make sure to export all required" > + echo "environment variables specified in README.run." > + echo "Also make sure the networking variables are set according" > + echo "to README.netfilter." > + return 1 > + else > + check_variables_ok=1 > + fi > +} > + > + > +### USER SESSION > +check_user_session() { > + local CHECK_FAILED > + > + # requires for this check > + [ "$check_variables_ok_nonet" ] || return 2 > + > + check "[ \"$(whoami)\" = \"root\" ]" 0 \ > + "Logged in as root" > + check "[ -z \"$(faillock | grep -v '^\([^ ]*:\|When\)')\" ]" 0 \ > + "Faillock is empty" > + check "[ ! -e \"$HOME/.ssh/id_rsa\" ]" 0 \ > + "~/.ssh/id_rsa doesn't exist (testsuite reasons)" > + > + [ "$PPROFILE" = "lspp" ] && \ > + check "[ \"$(id -Z)\" = \"staff_u:lspp_test_r:lspp_harness_t:SystemLow-SystemHigh\" ]" 0 \ > + "id -Z is staff_u:lspp_test_r:lspp_harness_t:SystemLow-SystemHigh" > + > + check "[ \"$(pwd)\" = \"/usr/local/eal4_testing/audit-test\" ]" 0 \ > + "\$(pwd) is /usr/local/eal4_testing/audit-test" Some comment here. If the checks fail, do we tell them that they're not in /usr/local/eal4_testing/audit-test? > + > + if [ "$CHECK_FAILED" ]; then > + echo > + echo "User session checking failed, please make sure the system" > + echo "is in evaluated configuration, double check whether all steps" > + echo "required by README.run have been performed." 
> + return 1 > + else > + check_user_session_ok=1 > + fi > +} > + > + > +### SUITE LOCATION > +check_suite_loc() { > + local CHECK_FAILED > + > + # requires for this check > + [ "$AUDITDIR" ] || return 2 > + > + check "[ -d \"$AUDITDIR\" ]" > + check "[ -d \"$AUDITDIR/audit-test\" ]" > + check "[ -d \"$AUDITDIR/ltp\" ]" > + #DIRS="audit-remote audit-tools audit-trail-protection crypto docs fail-safe filter kvm kvm-cgroups kvm-iommu libpam misc netfilebt netfilter network syscalls trustedprograms utils" > + #for i in $DIRS; do > + # check "[ -d \"$AUDITDIR/audit-test/$i\" ]" > + #done; > + > + [ -d "$AUDITDIR" ] && \ > + check "[ \"$(stat --format=%a "$AUDITDIR")\" = \"755\" ]" 0 "$AUDITDIR has mode 755" > + > + if [ "$CHECK_FAILED" ]; then > + echo > + echo "Suite not found or incorrectly installed at $AUDITDIR." > + echo "This is important because of the hardcoded paths in the testing policy." > + echo "Please install/extract the suite according to README.run." > + return 1 > + else > + check_suite_loc_ok=1 > + fi > +} > + > + > +### NETWORKING - interfaces > +check_networking_if() { > + local CHECK_FAILED > + > + # requires for this check > + [ "$check_variables_ok" ] || return 2 > + > + # interface checks > + check "ip -o link show dev $LOCAL_DEV" 0 \ > + "Device $LOCAL_DEV exists" > + check "ip -o link show dev $LOCAL_SEC_DEV" 0 \ > + "Device $LOCAL_SEC_DEV exists" > + check "ip -o link show dev $BRIDGE_FILTER" 0 \ > + "Device $BRIDGE_FILTER exists" > + check "brctl show $BRIDGE_FILTER | grep $LOCAL_SEC_DEV" 0 \ > + "Device $LOCAL_SEC_DEV is enslaved in bridge $BRIDGE_FILTER" > + > + check "ip -o -4 addr show dev $LOCAL_DEV | grep \"$LOCAL_IPV4\"" 0 \ > + "Device $LOCAL_DEV has IPv4 address: $LOCAL_IPV4" > + check "ip -o -6 addr show dev $LOCAL_DEV | grep \"$LOCAL_IPV6\"" 0 \ > + "Device $LOCAL_DEV has IPv6 address: $LOCAL_IPV6" > + check "ip -o link show dev $BRIDGE_FILTER | grep \"$(sed 's/\(.*\)/\L\1/' <<<$LOCAL_SEC_MAC)\"" 0 \ > + "Device $BRIDGE_FILTER has 
MAC address: $LOCAL_SEC_MAC" > + check "ip -o -4 addr show dev $BRIDGE_FILTER | grep \"$LOCAL_SEC_IPV4\"" 0 \ > + "Device $BRIDGE_FILTER has IPv4 address: $LOCAL_SEC_IPV4" > + check "ip -o -6 addr show dev $BRIDGE_FILTER | grep \"$LOCAL_SEC_IPV6\"" 0 \ > + "Device $BRIDGE_FILTER has IPv6 address: $LOCAL_SEC_IPV6" > + > + check "ip -o -6 addr show dev $LOCAL_DEV | grep \"$LOCAL_IPV6\" | grep -v deprecated" 0 \ > + "IPv6 address $LOCAL_IPV6 on $LOCAL_DEV is not deprecated" > + check "ip -o -6 addr show dev $BRIDGE_FILTER | grep \"$LOCAL_SEC_IPV6\" | grep -v deprecated" 0 \ > + "IPv6 address $LOCAL_SEC_IPV6 on $BRIDGE_FILTER is not deprecated" > + > + if [ "$CHECK_FAILED" ]; then > + echo > + echo "Network interfaces are not configured correctly." > + echo "Make sure the networking is set according to README.netfilter" > + echo "(including the bridge) and that all addresses assigned to" > + echo "network interfaces match those exported in env variables." > + return 1 > + else > + check_networking_if_ok=1 > + fi > +} > + > + > +### NETWORKING - probe > +check_networking_probe() { > + local CHECK_FAILED > + > + # requires for this check > + [ "$check_variables_ok" -a "$check_networking_if_ok" ] || return 2 > + > + check "ping -I lo -q -c1 127.0.0.1" 0 \ > + "127.0.0.1 reachable via lo" > + check "ping6 -I lo -q -c1 ::1" 0 \ > + "::1 reachable via lo" > + check "ping -I $LOCAL_DEV -q -c1 $LBLNET_SVR_IPV4" 0 \ > + "$LBLNET_SVR_IPV4 reachable via $LOCAL_DEV" > + check "ping6 -I $LOCAL_DEV -q -c1 $LBLNET_SVR_IPV6" 0 \ > + "$LBLNET_SVR_IPV6 reachable via $LOCAL_DEV" > + check "ping -I $BRIDGE_FILTER -q -c1 $SECNET_SVR_IPV4" 0 \ > + "$SECNET_SVR_IPV4 reachable via $BRIDGE_FILTER" > + check "ping6 -I $BRIDGE_FILTER -q -c1 $SECNET_SVR_IPV6" 0 \ > + "$SECNET_SVR_IPV6 reachable via $BRIDGE_FILTER" > + > + check "nc $LOCAL_IPV4 4000 <<<\"echo:testme;\" | grep -a testme" 0 \ > + "lblnet_tst_server on TOE responds over unlabeled IPv4" > + check "nc $LOCAL_IPV6 4000 
<<<\"echo:testme;\" | grep -a testme" 0 \ > + "lblnet_tst_server on TOE responds over unlabeled IPv6" > + check "nc $LBLNET_SVR_IPV4 4000 <<<\"echo:testme;\" | grep -a testme" 0 \ > + "lblnet_tst_server on NS responds over unlabeled IPv4" > + check "nc $LBLNET_SVR_IPV6 4000 <<<\"echo:testme;\" | grep -a testme" 0 \ > + "lblnet_tst_server on NS responds over unlabeled IPv6" > + > + if [ "$CHECK_FAILED" ]; then > + echo > + echo "Some services on the NS are not reachable." > + echo "Make sure the NS is configured correctly and reachable" > + echo "via the interfaces and addresses exported as env variables." > + return 1 > + else > + check_networking_probe_ok=1 > + fi > +} > + > + > +### SERVICES > +check_services() { > + local CHECK_FAILED > + > + # requires for this check > + [ "$check_variables_ok" ] || return 2 > + > + local daem daems > + daems="auditd rsyslogd mcstransd" > + [ "$PPROFILE" = "lspp" ] && daems="$daems xinetd pluto" > + for daem in $daems; do > + check "pidof \"$daem\"" 0 \ > + "daemon \"$daem\" is running" > + done; > + > + if [ "$PPROFILE" = "lspp" ]; then > + check "[ \"$(cat /proc/sys/net/ipv4/conf/lo/disable_xfrm)\" = \"0\" ]" 0 \ > + "ipsec: XFRM is not disabled on loopback" > + check "[ \"$(cat /proc/sys/net/ipv4/conf/lo/disable_policy)\" = \"0\" ]" 0 \ > + "ipsec: XFRM policy is not disabled on loopback" > + > + check "[ \"$(ip xfrm policy list)\" ]" 0 \ > + "ipsec: XFRM policy is not empty" > + check "[ -z \"$(ip xfrm state list)\" ]" 0 \ > + "ipsec: XFRM state / association database is empty" > + > + local addr > + for addr in "$LOCAL_IPV4" "$LOCAL_IPV6" "127.0.0.1" "::1"; do > + check "grep \"left=$addr\" /etc/ipsec.conf" 0 \ > + "ipsec.conf contains left=$addr" > + done; > + for addr in "$LBLNET_SVR_IPV4" "$LBLNET_SVR_IPV6" "127.0.0.1" "::1"; do > + check "grep \"right=$addr\" /etc/ipsec.conf" 0 \ > + "ipsec.conf contains right=$addr" > + done; > + check "egrep -n \"(right|left)=[ \t]*$\" /etc/ipsec.conf" 1 \ > + "ipsec.conf doesn't 
contain empty left= or right=" > + > + check "netlabelctl map list | grep \"lspp_test_netlabel_t\"" 0 \ > + "netlabel: lspp_test_netlabel_t mapping present" > + fi > + > + if [ "$CHECK_FAILED" ]; then > + echo > + echo "Services check failed - either one or more essential daemons are" > + echo "not running or service-related files are not set up correctly." > + echo "Please make sure you have gone through all required steps" > + echo "described in README.run." > + return 1 > + else > + check_services_ok=1 > + fi > + > +} > + > + > +### KVM > +check_kvm() { > + local CHECK_FAILED > + > + # requires for this check > + [ "$AUDITDIR" -a "$check_suite_loc_ok" ] || return 2 > + [ "$(uname -m)" = "x86_64" ] || { > + echo "KVM tests not supported on $(uname -m) architecture" > + return 2 > + } > + > + check "[ -d \"$AUDITDIR/audit-test/kvm\" ]" > + check "[ -f \"$AUDITDIR/audit-test/kvm/config.bash\" ]" > + check "grep '^install_media' \"$AUDITDIR/audit-test/kvm/config.bash\"" 0 \ > + "install_media specified in kvm config" > + check "grep '\(vmx\|svm\)' /proc/cpuinfo" 0 \ > + "Host cpu has HW virt support" > + > + check "grep '^usb_device_id' \"$AUDITDIR/audit-test/kvm-iommu/usb_device.conf\" | grep -v XXXX:XXXX" 0 \ > + "usb_device_id specified in kvm-iommu/usb_device.conf" > + check "grep '^pci_device_id' \"$AUDITDIR/audit-test/kvm-iommu/pci_device.conf\" | grep -v XXXX:XX:XX.X" '' \ > + "pci_device_id specified in kvm-iommu/pci_device.conf" > + > + if [ "$CHECK_FAILED" ]; then > + echo > + echo "KVM sanity check failed - make sure you have the hardware with" > + echo "HW virtualization support and that you have configured the kvm" > + echo "test bucket in kvm/config.bash (install_media at least)." 
> + return 1 > + else > + check_kvm_ok=1 > + fi > +} > + > +### END > + > +# checks to be run, ordering is important > +CHECKS=" > +check_variables > +check_user_session > +check_suite_loc > +check_networking_if > +check_networking_probe > +check_services > +check_kvm > +" > + > +fails=0 > +skips=0 > +for check in $CHECKS; do > + echo "::::::::::::::::::::::::::::::::::::::::::" > + echo -e "::: \e[1m$check\e[0m" > + echo "::::::::::::::::::::::::::::::::::::::::::" > + "$check" > + case "$?" in > + 1) fails=$((fails+1)) ;; > + 2) echo "SKIPPED due to unmet dependencies"; skips=$((skips+1)) ;; > + *) ;; > + esac > + echo > +done; > + > +echo "==========================================" > +echo -n "OVERALL: " > +[ $fails -eq 0 ] && \ > + echo -ne "\e[1;32mPASSED\e[0m" || \ > + echo -ne "\e[1;31mFAILED\e[0m ($fails checks failed)" > +[ $skips -eq 0 ] && \ > + echo || > + echo " ($skips checks skipped)" > + > +exit 0 > + > +# vim: sts=4 sw=4 et : > |
From: Jiri J. <jja...@re...> - 2013-08-28 11:57:56
|
On 08/27/2013 07:23 PM, Linda Knippers wrote:
> Hi Jiri,
>
> I really like the idea of having a script that validates the configuration.
> I haven't run the script so I'm only looking at the code but it looks like
> the script is reporting specific output for all the items that are right but
> a generic message when something is wrong. I note a few instances inline below.
> It seems like it would be more helpful if we issue specific messages for the
> things that are wrong.
>
> Am I reading the script right?
>
> Thanks,
>
> -- ljk

Hi Linda,
let me show you a quick demo:
http://i.imgur.com/kBzlChy.png
http://i.imgur.com/aIl7FVp.png

It isn't really intended to perform *validation* of the environment, it's more like a configuration helper that can point out some things that were perhaps forgotten/skipped during the setup. Because of that, it mainly centers around the things that have a good probability of being forgotten or incorrectly configured by the user.

The idea was to show which items pass/fail and if fails occur, help the user resolve those fails, even in cases when the user is not too familiar with the suite. The idea of using generic messages per groups of checks was implemented mainly to reduce the overhead of creating specific messages for tiny checks. The per-group messages should at least point out what might be wrong, so the user can fix it. It's not supposed to be a zero-user-effort kind of thing.

I wanted to keep the envcheck quite generic, not lock it down to a specific known-good configuration as the suite itself is (in its current form) also quite generic.

>
> On 08/21/13 12:21, Jiri Jaburek wrote:
>> The idea is to catch various configuration or setup errors
>> and give useful hints, so that the user doesn't have to debug
>> the system/suite to find out what could possibly go wrong.
>>
>> This script is not supposed to replace or duplicate functionality
>> provided by the suite itself, it should be only used for basic sanity
>> verification of the environment. It doesn't claim to reveal all
>> configuration errors, but it can still be useful.
>>
>> Because of the reasons mentioned above, running this script
>> is purely optional.
>> <snip>
>> + for i in $vars; do
>> + check "env | grep \"^$i=\"" 0 "Var $i is present in environment"
>> + done;
>
> It looks like it displays a message for each env variable that is set.
> Do they also get a message if an env variable is not set? Or do they
> just get the generic message that the check failed below? It would
> be nice if we tell them specifically which ones are missing.

(see above)

>> +
>> + # s390x / ppc64 check? (ARCH variable)
>> +
<snip>
>> + check "[ \"$(pwd)\" = \"/usr/local/eal4_testing/audit-test\" ]" 0 \
>> + "\$(pwd) is /usr/local/eal4_testing/audit-test"
>
> Some comment here. If the checks fail, do we tell them that they're not in
> /usr/local/eal4_testing/audit-test?
>

I took extra care to ensure the consistency of things that are being reported as passed/failed to the user. That means I explicitly crafted the messages to provide a fact, an expected environment state, which is then validated as pass/fail. IOW, I wanted to avoid negatives, double negatives, ..., to keep the meaning of "pass" and "fail" as simple as possible. In this particular case, the check would print out "$(pwd) is /usr/local/eal4_testing/audit-test ...passed/failed", which has a binary meaning - the shell either is in that directory or it isn't.

Generally speaking, if the check fails, the statement is false. This applies to all checks done by envcheck - again, to avoid confusion over the meaning of pass/fail.

As for comments in the code of envcheck itself - I kind of hoped that the messages used for the "check" function would be descriptive enough, even for code purposes. In some cases, I let the checking command itself be a "documentation", for example "[ -d /some/dir ]" doesn't seem to need further explanation, but it shouldn't be a problem to add an equivalent message in English.

Thanks,
Jiri

PS: Looking at the final envcheck output one more time, I plan to do some final minor polishing, like @ in Makefile, "daemon" -> "Daemon" and a few grammar fixes. |
From: Linda K. <lin...@hp...> - 2013-08-28 16:26:45
|
Hi Jiri, Thanks so much for the pictures. That makes it clear to me. This is really nice. Thanks again. -- ljk Jiri Jaburek wrote: > On 08/27/2013 07:23 PM, Linda Knippers wrote: >> Hi Jiri, >> >> I really like the idea of having a script that validates the configuration. >> I haven't run the script so I'm only looking at the code but it looks like >> the script is reporting specific output for all the items that are right but >> a generic message when something is wrong. I note a few instances inline below. >> It seems like it would be more helpful if we issue specific messages for the >> things that are wrong. >> >> Am I reading the script right? >> >> Thanks, >> >> -- ljk > > Hi Linda, > let me show you a quick demo: > http://i.imgur.com/kBzlChy.png > http://i.imgur.com/aIl7FVp.png > > It isn't really intended to perform *validation* of the environment, > it's more like a configuration helper that can point out some things > that were perhaps forgotten/skipped during the setup. > Because of that, it mainly centers around the things that have a good > probability of being forgotten or incorrectly configured by the user. > > The idea was to show which items pass/fail and if fails occur, help > the user resolve those fails, even in cases when the user is not too > much familiar with the suite. > The idea of using generic messages per groups of checks was implemented > mainly to reduce the overhead of creating specific messages for tiny > checks. The per-group messages should at least point out what might be > wrong, so the user can fix it. It's not supposed to be > a zero-user-effort kind of thing. > I wanted to keep the envcheck quite generic, not lock it down to > a specific known-good configuration as the suite itself is (in its > current form) also quite generic. 
> >> On 08/21/13 12:21, Jiri Jaburek wrote: >>> The idea is to catch various configuration or setup errors >>> and give useful hints, so that the user doesn't have to debug >>> the system/suite to find out what could possibly go wrong. >>> >>> This script is not supposed to replace or duplicate functionality >>> provided by the suite itself, it should be only used for basic sanity >>> verification of the environment. It doesn't claim to reveal all >>> configuration errors, but it can still be useful. >>> >>> Because of the reasons mentioned above, running this script >>> is purely optional. >>> > <snip> >>> + for i in $vars; do >>> + check "env | grep \"^$i=\"" 0 "Var $i is present in environment" >>> + done; >> It looks like display a message for each env variable that is set. >> Do they also get a message if an env variable is not set? Or do they >> just get the generic message that the check failed below? If would >> be nice if we tell them specifically which ones are missing. > > (see above) > >>> + >>> + # s390x / ppc64 check? (ARCH variable) >>> + > <snip> >>> + check "[ \"$(pwd)\" = \"/usr/local/eal4_testing/audit-test\" ]" 0 \ >>> + "\$(pwd) is /usr/local/eal4_testing/audit-test" >> Some comment here. If the checks fail, do we tell them that they're not in >> /usr/local/eal4_testing/audit-test? >> > > I took extra care to ensure the consistency of things that are being > reported as passed/failed to the user. That means I explicitly crafted > the messages to provide a fact, an expected environment state, which > is then validated as pass/fail. IOW, I wanted to avoid negatives, double > negatives, ..., to keep the meaning of "pass" and "fail" as simple > as possible. > In this particular case, the check would print out > "$(pwd) is /usr/local/eal4_testing/audit-test ...passed/failed", > which has a binary meaning - the shell either is in that directory > or it isn't. > > Generally speaking, if the check fails, the statement is false. 
This > applies to all checks done by envcheck - again, to avoid confusion over > the meaning of pass/fail. > > As for comments in the code of envcheck itself - I kind of hoped > that the messages used for the "check" function would be descriptive > enough, even for code purposes. > In some cases, I let the checking command itself be a "documentation", > for example "[ -d /some/dir ]" doesn't seem to need further explanation, > but it shouldn't be a problem to add an equivalent message in English. > > Thanks, > Jiri > > > PS: Looking at the final envcheck output one more time, I plan to do > some final minor polishing, like @ in Makefile, "daemon" -> "Daemon" > and a few grammar fixes. |
From: Jiri J. <jja...@re...> - 2013-08-28 15:03:18
Attachments:
diff.txt
|
On 08/28/2013 01:57 PM, Jiri Jaburek wrote: > > PS: Looking at the final envcheck output one more time, I plan to do > some final minor polishing, like @ in Makefile, "daemon" -> "Daemon" > and a few grammar fixes. > Done, attached. Jiri |
From: Linda K. <lin...@hp...> - 2013-08-28 16:27:35
|
Great, thanks. - ljk Jiri Jaburek wrote: > On 08/28/2013 01:57 PM, Jiri Jaburek wrote: >> PS: Looking at the final envcheck output one more time, I plan to do >> some final minor polishing, like @ in Makefile, "daemon" -> "Daemon" >> and a few grammar fixes. >> > > Done, attached. > > Jiri |
From: Jiri J. <jja...@re...> - 2013-08-21 16:21:23
|
From: Miroslav Vadkerti <mva...@re...> This patch incorporates changes that make possible merging of subsequent test runs. The logs are now stored also separately for each test in the logs subdirectory of the test bucket. The run and rollup logs are generated from these logs. The output of the run.bash should remain the same. This patch also fixes the --list option that now does not delete the contents of run and rollup log. This patch adds generate (-g|--generate) option that generates the total run and rollup logs. This might be useful if these were deleted or not created after aborting testing with SIGINT. The distclean make target removes the new logs directory. Signed-off-by: Miroslav Vadkerti <mva...@re...> --- audit-test/rules.mk | 4 +- audit-test/utils/run.bash | 132 +++++++++++++++++++++++++++++++++++----------- 2 files changed, 104 insertions(+), 32 deletions(-) diff --git a/audit-test/rules.mk b/audit-test/rules.mk index 1534c66..a53d979 100644 --- a/audit-test/rules.mk +++ b/audit-test/rules.mk @@ -194,14 +194,14 @@ _clean: clean: _clean -ALL_LOGS += run.log rollup.log +ALL_LOGS += run.log rollup.log logs _distclean: clean @if [[ "$(MAKECMDGOALS)" == distclean ]]; then \ for x in $(SUB_DIRS); do \ make -C $$x distclean; \ done; \ fi - $(RM) $(ALL_LOGS) + $(RM) -r $(ALL_LOGS) if [[ -L run.bash ]]; then $(RM) run.bash; fi distclean: _distclean diff --git a/audit-test/utils/run.bash b/audit-test/utils/run.bash index f70b79a..890f84a 100755 --- a/audit-test/utils/run.bash +++ b/audit-test/utils/run.bash @@ -51,6 +51,7 @@ source functions.bash || exit 2 unset logging unset opt_verbose opt_debug opt_config opt_list opt_log opt_rollup opt_timeout opt_width +echoing=true logging=false opt_avc=false opt_verbose=false @@ -59,6 +60,7 @@ opt_quiet=false opt_config=run.conf opt_list=false opt_log=run.log +opt_logdir=logs opt_rollup=rollup.log opt_timeout=30 opt_width=$(stty size 2>/dev/null | cut -d' ' -f2) 
@@ -140,9 +142,8 @@ function dmsg { } function prf { - printf "$(colorize "$1")" "${@:2}" - $logging || return - printf "$(monoize "$1")" "${@:2}" | tee -a "$opt_rollup" >>"$opt_log" + $echoing && printf "$(colorize "$1")" "${@:2}" + $logging && printf "$(monoize "$1")" "${@:2}" | tee -a "$opt_rollup" >>"$opt_log" } #---------------------------------------------------------------------- @@ -219,6 +220,11 @@ function startup { trap - 1 2; fi + # Create log directory if needed + if [[ ! -d "$opt_logdir" ]]; then + mkdir "$opt_logdir" + fi + # Initialize audit configuration and make sure auditd is running auditd_orig=$(mktemp $auditd_conf.XXXXXX) || return 2 cp -a "$auditd_conf" "$auditd_orig" || return 2 @@ -341,10 +347,12 @@ Usage: ${0##*/} [OPTION]... Run a set of test cases, reporting pass/fail and tallying results. -f --config=FILE Use a config file other than run.conf + -g --generate Generate run.log and rollup.log from $opt_logdir --header Don't run anything, just output the log header -l --log=FILE Output to a log other than run.log -r --rollup=FILE Output to a rollup other than rollup.log -t --timeout=SEC Seconds to wait for a test to timeout, default 30 + -o --logdir=DIR Output directory of per test logs -w --width=COLS Set COLS output width instead of auto-detect -h --help Show this help @@ -364,8 +372,8 @@ function parse_cmdline { declare args conf x # Use /usr/bin/getopt which supports GNU-style long options - args=$(getopt -o adf:hl:qr:vw: \ - --long config:,avc,debug,help,header,list,log:,quiet,rollup:,nocolor,verbose,width: \ + args=$(getopt -o adf:ghl:qr:o:vw: \ + --long config:,avc,debug,generate,help,header,list,log:,logdir:,quiet,rollup:,nocolor,verbose,width: \ -n "$0" -- "$@") || die eval set -- "$args" 
@@ -374,6 +382,7 @@ function parse_cmdline { -a|--avc) opt_avc=true; shift ;; -d|--debug) opt_debug=true; opt_verbose=true; shift ;; -f|--config) opt_config=$2; shift 2 ;; + -g|--generate) logging=true; generate_logs; exit 0 ;; -h|--help) usage; exit 0 ;; --header) show_header; exit 0 ;; --list) opt_list=true; shift ;; @@ -381,6 +390,7 @@ function parse_cmdline { -q|--quiet) opt_quiet=true; shift ;; -r|--rollup) opt_rollup=$2; shift 2 ;; -t|--timeout) opt_timeout=$2; shift 2 ;; + -o|--logdir) opt_logdir=$2; shift 2 ;; --nocolor) colorize() { monoize "$@"; }; shift ;; -v|--verbose) opt_verbose=true; shift ;; -w|--width) opt_width=$2; shift 2 ;; @@ -389,9 +399,6 @@ function parse_cmdline { esac done - # Open the logs now that opt_log and opt_rollup are set - open_log - # Load the config dmsg "Loading config from $opt_config" conf="$(<$opt_config) @@ -413,8 +420,10 @@ function parse_cmdline { done else # add by number - dmsg " [$1] ${TESTS[$1]}" - TNUMS[$1]=$1 + if [ $1 -lt ${#TESTS[@]} ]; then + dmsg " [$1] ${TESTS[$1]}" + TNUMS[$1]=$1 + fi fi shift done 
@@ -435,21 +444,24 @@ function parse_cmdline { done exit 0 fi + + # Open the logs before running the tests + open_log } function show_header { - prf "\n" - prf "%-32s %s\n" Started: "$(date)" - prf "%-32s %s\n" Kernel: "$(uname -r)" - prf "%-32s %s\n" Architecture: "$(uname -m)" - prf "%-32s %s\n" Mode: "${MODE:-(native)}" - prf "%-32s %s\n" Hostname: "$(uname -n)" - prf "%-32s %s\n" Profile: "$PPROFILE" - prf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)" + nolog prf "\n" + nolog prf "%-32s %s\n" Started: "$(date)" + nolog prf "%-32s %s\n" Kernel: "$(uname -r)" + nolog prf "%-32s %s\n" Architecture: "$(uname -m)" + nolog prf "%-32s %s\n" Mode: "${MODE:-(native)}" + nolog prf "%-32s %s\n" Hostname: "$(uname -n)" + nolog prf "%-32s %s\n" Profile: "$PPROFILE" + nolog prf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)" if [[ $PPROFILE == lspp ]] ; then - prf "%-32s %s\n" "lspp_test policy version:" "$(semodule -l | grep lspp_test | awk '{print $2}')" + nolog prf "%-32s %s\n" "lspp_test policy version:" "$(semodule -l | grep lspp_test | awk '{print $2}')" fi - prf "\n%s\n" "$(sestatus)" + nolog prf "\n%s\n" "$(sestatus)" } function fmt_test { 
@@ -485,20 +497,55 @@ function show_test { fmt_test "[$TESTNUM]" "$@" } +function noecho { + declare echoing=false + "$@" +} + function nolog { declare logging=false "$@" } +function generate_logs { + declare pass fail error + + # clear run and rollup logs + echo -n > $opt_log + echo -n > $opt_rollup + + # create total run log + for log in $(ls $opt_logdir/$opt_log.* | sed 's/\(.*\)\.\(.*\)/\1 \2/g' | sort -k2 -n | tr ' ' '.'); do + cat $log >> $opt_log + echo >> $opt_log + done + + # create total rollup log + for log in $(ls $opt_logdir/$opt_rollup.* | sed 's/\(.*\)\.\(.*\)/\1 \2/g' | sort -k2 -n | tr ' ' '.'); do + cat $log | sed '1,/--------/d' >> $opt_rollup + done + + pass=$(grep "PASS" $opt_rollup | wc -l) + fail=$(grep "FAIL" $opt_rollup | wc -l) + error=$(grep "ERROR" $opt_rollup | wc -l) + (( total = pass + fail + error )) + llmsg + prf "%4d pass (%d%%)\n" $pass $((pass * 100 / total)) + prf "%4d fail (%d%%)\n" $fail $((fail * 100 / total)) + prf "%4d error (%d%%)\n" $error $((error * 100 / total)) + prf "%s\n" "------------------" + prf "%4d total\n" $total +} + function run_tests { - declare TESTNUM output status hee s + declare TESTNUM output status hee s log stats header declare begin_output="<blue>--- begin output -----------------------------------------------------------" declare end_output="<blue>--- end output -------------------------------------------------------------" show_header - msg - prf "%-$((opt_width-7))s %s\n" "Testcase" "Result" - prf "%-$((opt_width-7))s %s\n" "--------" "------" + nolog msg + nolog prf "%-$((opt_width-7))s %s\n" "Testcase" "Result" + nolog prf "%-$((opt_width-7))s %s\n" "--------" "------" if $opt_debug; then hee=/dev/stderr @@ -507,6 +554,11 @@ function run_tests { fi for TESTNUM in "${TNUMS[@]}"; do + noecho prf "$(show_header)\n" "" + llmsg + noecho prf "%-$((opt_width-7))s %s\n" "Testcase" "Result" + noecho prf "%-$((opt_width-7))s %s\n" "--------" "------" + eval "set -- ${TESTS[TESTNUM]}" if $opt_debug; then 
@@ -587,15 +639,35 @@ function run_tests { msg "<blue>-- audit2allow -------------------------------------------------------------" msg "$(ausearch -ts $stime -te $etime -m avc | audit2allow)" fi + + # copy header to run and rollup log + echo "$header" >> $opt_logdir/$opt_log.$TESTNUM + echo >> $opt_logdir/$opt_log.$TESTNUM + echo "$header" >> $opt_logdir/$opt_rollup.$TESTNUM + echo >> $opt_logdir/$opt_rollup.$TESTNUM + + # copy test output to own log file + cp -f $opt_log $opt_logdir/$opt_log.$TESTNUM + sed -i '/./,$!d' $opt_logdir/$opt_log.$TESTNUM + cp -f $opt_rollup $opt_logdir/$opt_rollup.$TESTNUM + sed -i '/./,$!d' $opt_logdir/$opt_rollup.$TESTNUM + + # clear log and rollup + echo -n > $opt_log + echo -n > $opt_rollup done + # create current stats (( total = pass + fail + error )) - msg - prf "%4d pass (%d%%)\n" $pass $((pass * 100 / total)) - prf "%4d fail (%d%%)\n" $fail $((fail * 100 / total)) - prf "%4d error (%d%%)\n" $error $((error * 100 / total)) - prf "%s\n" "------------------" - prf "%4d total\n" $total + nolog msg + nolog prf "%4d pass (%d%%)\n" $pass $((pass * 100 / total)) + nolog prf "%4d fail (%d%%)\n" $fail $((fail * 100 / total)) + nolog prf "%4d error (%d%%)\n" $error $((error * 100 / total)) + nolog prf "%s\n" "------------------" + nolog prf "%4d total\n" $total + + # create silently run and rollup logs + noecho generate_logs return 0 } -- 1.8.3.1 |
From: Jiri J. <jja...@re...> - 2013-08-21 16:21:35
|
From: Miroslav Vadkerti <mva...@re...> When DISTRO env var is not used an error occurs because of missing double apostrophes in if statements. Signed-off-by: Miroslav Vadkerti <mva...@re...> --- audit-test/libpam/run.conf | 4 ++-- audit-test/libpam/tests/pam_functions.bash | 2 +- audit-test/utils/functions.bash | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/audit-test/libpam/run.conf b/audit-test/libpam/run.conf index 6f74c64..6e79aab 100644 --- a/audit-test/libpam/run.conf +++ b/audit-test/libpam/run.conf @@ -47,11 +47,11 @@ function run_test { + ssh04 + ssh04_fail -if [[ $DISTRO != "SUSE" ]] ; then +if [[ "$DISTRO" != "SUSE" ]] ; then + pamfaillock_lock + pamfaillock_unlock fi -if [[ $DISTRO != "RHEL" ]] ; then +if [[ "$DISTRO" != "RHEL" ]] ; then + vsftpd + vsftpd_fail fi diff --git a/audit-test/libpam/tests/pam_functions.bash b/audit-test/libpam/tests/pam_functions.bash index 4cdf975..d44c2e8 100644 --- a/audit-test/libpam/tests/pam_functions.bash +++ b/audit-test/libpam/tests/pam_functions.bash @@ -21,7 +21,7 @@ source testcase.bash || exit 2 # global variables ###################################################################### -if [[ $DISTRO != "RHEL" ]] ; then +if [[ "$DISTRO" != "RHEL" ]] ; then if [ -f /etc/vsftpd/vsftpd.conf ]; then vsftpd_conf=/etc/vsftpd/vsftpd.conf elif [ -f /etc/vsftpd.conf ]; then diff --git a/audit-test/utils/functions.bash b/audit-test/utils/functions.bash index bb82632..ed197fd 100644 --- a/audit-test/utils/functions.bash +++ b/audit-test/utils/functions.bash @@ -194,7 +194,7 @@ function start_auditd { local log_file=${1:-"/var/log/audit/audit.log"} if ! pidof auditd &>/dev/null; then - if [ $DISTRO = "SUSE" ]; then + if [ "$DISTRO" = "SUSE" ]; then rcauditd start || return 2 auditctl -e 1 || return 2 else 
@@ -226,7 +226,7 @@ function stop_auditd { declare i auditctl -D &>/dev/null - if [ $DISTRO = "SUSE" ]; then + if [ "$DISTRO" = "SUSE" ]; then rcauditd stop || killall auditd else service auditd stop || killall auditd -- 1.8.3.1 |
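Review bot: only the two `functions.bash` hunks fix a real failure: with `DISTRO` unset, `[ $DISTRO = "SUSE" ]` expands to `[ = "SUSE" ]` and `test` aborts with "unary operator expected". The `[[ $DISTRO != "SUSE" ]]` / `[[ $DISTRO != "RHEL" ]]` tests in `run.conf` and `pam_functions.bash` already evaluate cleanly on an empty expansion, because `[[ ]]` does not word-split; quoting them is fine for consistency, but the commit message should say that the error came from the single-bracket tests in `start_auditd`/`stop_auditd` (and it means double quotes, not apostrophes).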
From: Linda K. <lin...@hp...> - 2013-08-27 17:39:07
|
Looks good, thanks. -- ljk On 08/21/13 12:21, Jiri Jaburek wrote: > From: Miroslav Vadkerti <mva...@re...> > > When DISTRO env var is not used an error occurs because of missing > double apostrophes in if statments. > > Signed-off-by: Miroslav Vadkerti <mva...@re...> > --- > audit-test/libpam/run.conf | 4 ++-- > audit-test/libpam/tests/pam_functions.bash | 2 +- > audit-test/utils/functions.bash | 4 ++-- > 3 files changed, 5 insertions(+), 5 deletions(-) > > diff --git a/audit-test/libpam/run.conf b/audit-test/libpam/run.conf > index 6f74c64..6e79aab 100644 > --- a/audit-test/libpam/run.conf > +++ b/audit-test/libpam/run.conf > @@ -47,11 +47,11 @@ function run_test { > + ssh04 > + ssh04_fail > > -if [[ $DISTRO != "SUSE" ]] ; then > +if [[ "$DISTRO" != "SUSE" ]] ; then > + pamfaillock_lock > + pamfaillock_unlock > fi > -if [[ $DISTRO != "RHEL" ]] ; then > +if [[ "$DISTRO" != "RHEL" ]] ; then > + vsftpd > + vsftpd_fail > fi > diff --git a/audit-test/libpam/tests/pam_functions.bash b/audit-test/libpam/tests/pam_functions.bash > index 4cdf975..d44c2e8 100644 > --- a/audit-test/libpam/tests/pam_functions.bash > +++ b/audit-test/libpam/tests/pam_functions.bash > @@ -21,7 +21,7 @@ source testcase.bash || exit 2 > # global variables > ###################################################################### > > -if [[ $DISTRO != "RHEL" ]] ; then > +if [[ "$DISTRO" != "RHEL" ]] ; then > if [ -f /etc/vsftpd/vsftpd.conf ]; then > vsftpd_conf=/etc/vsftpd/vsftpd.conf > elif [ -f /etc/vsftpd.conf ]; then > diff --git a/audit-test/utils/functions.bash b/audit-test/utils/functions.bash > index bb82632..ed197fd 100644 > --- a/audit-test/utils/functions.bash > +++ b/audit-test/utils/functions.bash > @@ -194,7 +194,7 @@ function start_auditd { > local log_file=${1:-"/var/log/audit/audit.log"} > > if ! pidof auditd &>/dev/null; then > - if [ $DISTRO = "SUSE" ]; then > + if [ "$DISTRO" = "SUSE" ]; then > rcauditd start || return 2 > auditctl -e 1 || return 2 > else 
> @@ -226,7 +226,7 @@ function stop_auditd { > declare i > > auditctl -D &>/dev/null > - if [ $DISTRO = "SUSE" ]; then > + if [ "$DISTRO" = "SUSE" ]; then > rcauditd stop || killall auditd > else > service auditd stop || killall auditd > |
From: Jiri J. <jja...@re...> - 2013-08-21 16:21:47
|
From: Miroslav Vadkerti <mva...@re...> Tool netstat from net-tools package is in optional channel for RHEL7. We can use ss instead of it without big changes and it is from more standard iproute package. Signed-off-by: Miroslav Vadkerti <mva...@re...> --- audit-test/crypto/tests/test_ssh_sym.bash | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/audit-test/crypto/tests/test_ssh_sym.bash b/audit-test/crypto/tests/test_ssh_sym.bash index e713c98..0e89b6f 100755 --- a/audit-test/crypto/tests/test_ssh_sym.bash +++ b/audit-test/crypto/tests/test_ssh_sym.bash @@ -60,8 +60,8 @@ ssh_remove_screen $MPROFILE ssh_restart_daemon # get the pid of sshd process running on port 22 -SSHDPID=$(netstat -putna | grep ":22" | grep -m1 LISTEN | \ - sed 's/.*\(\b[0-9]\+\)\/sshd\b.*/\1/') +SSHDPID=$(ss -4 -ltnp | grep sshd | sed 's/.*sshd",\([0-9]\+\),.*/\1/') +[ -z "$SSHDPID" ] && exit_error "could not find sshd process pid" # check if SSH_USE_STRONG_RNG set in environemnt of the sshd process grep "SSH_USE_STRONG_RNG" /proc/$SSHDPID/environ -- 1.8.3.1 |
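Review bot: the replacement drops the port filter that the comment above it (`get the pid of sshd process running on port 22`) promises: the old `netstat ... | grep ":22" | grep -m1 LISTEN` picked the port 22 listener, while `ss -4 -ltnp | grep sshd` matches every IPv4 TCP listener owned by an `sshd` process, so with a second `Port` in `sshd_config` or a test-spawned sshd the `sed` emits several PIDs and `/proc/$SSHDPID/environ` becomes an invalid path. Keep the filter, e.g. `ss -4 -ltnp 'sport = :22' | grep -m1 sshd`. The new `[ -z "$SSHDPID" ]` guard also does not catch a non-matching `sed`, which passes the whole line through unchanged (the expression is tied to the `users:(("sshd",PID,FD))` layout of the `ss` shipped with these distributions); validating the result with `[[ $SSHDPID =~ ^[0-9]+$ ]]` would make the error message fire in both cases.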
From: Linda K. <lin...@hp...> - 2013-08-27 17:49:01
|
Looks good. I didn't know about ss. -- ljk On 08/21/13 12:21, Jiri Jaburek wrote: > From: Miroslav Vadkerti <mva...@re...> > > Tool netstat from net-tools package is in optional channel for RHEL7. > We can use ss instead of it without big changes and it is from more > standard iproute package. > > Signed-off-by: Miroslav Vadkerti <mva...@re...> > --- > audit-test/crypto/tests/test_ssh_sym.bash | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/audit-test/crypto/tests/test_ssh_sym.bash b/audit-test/crypto/tests/test_ssh_sym.bash > index e713c98..0e89b6f 100755 > --- a/audit-test/crypto/tests/test_ssh_sym.bash > +++ b/audit-test/crypto/tests/test_ssh_sym.bash > @@ -60,8 +60,8 @@ ssh_remove_screen $MPROFILE > ssh_restart_daemon > > # get the pid of sshd process running on port 22 > -SSHDPID=$(netstat -putna | grep ":22" | grep -m1 LISTEN | \ > - sed 's/.*\(\b[0-9]\+\)\/sshd\b.*/\1/') > +SSHDPID=$(ss -4 -ltnp | grep sshd | sed 's/.*sshd",\([0-9]\+\),.*/\1/') > +[ -z "$SSHDPID" ] && exit_error "could not find sshd process pid" > > # check if SSH_USE_STRONG_RNG set in environemnt of the sshd process > grep "SSH_USE_STRONG_RNG" /proc/$SSHDPID/environ > |
From: Jiri J. <jja...@re...> - 2013-08-21 16:21:59
|
This supplements commit d3e623abc0 by allowing an IPv6 version of (IPv4) ARP, making discovery of IPv6:MAC possible on a link. Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/netfilebt/run.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/audit-test/netfilebt/run.conf b/audit-test/netfilebt/run.conf index 14318be..290bb5e 100644 --- a/audit-test/netfilebt/run.conf +++ b/audit-test/netfilebt/run.conf @@ -526,6 +526,8 @@ prepend_cleanup 'network_cleanup' function ebtaudit_setup { ebtables -A INPUT -p arp -j ACCEPT +ebtables -A INPUT -p ipv6 --ip6-protocol ipv6-icmp --ip6-icmp-type neighbour-solicitation -j ACCEPT +ebtables -A INPUT -p ipv6 --ip6-protocol ipv6-icmp --ip6-icmp-type neighbour-advertisement -j ACCEPT ebtables -N AUDIT_DROP ebtables -A AUDIT_DROP -j AUDIT --audit-type DROP -- 1.8.3.1 |
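Review bot: documentation is missing from this change: as the follow-up in this thread explains, the `brctl setageing <bridge name> 3600` recommendation in README.netfilter exists only because no ARP/ND traffic got through before, so the README paragraph should be revised (or the workaround dropped) in the same patch to keep the docs from contradicting the setup. A one-line comment above the two new `ebtables` rules stating that they are the IPv6 neighbour discovery counterpart of the `-p arp -j ACCEPT` rule would also save the next reader the trip to the commit log.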
From: Linda K. <lin...@hp...> - 2013-08-27 17:50:26
|
Not my area but I trust you. :-) -- ljk On 08/21/13 12:21, Jiri Jaburek wrote: > This supplements commit d3e623abc0 by allowing an IPv6 version > of (IPv4) ARP, making discovery of IPv6:MAC possible on a link. > > Signed-off-by: Jiri Jaburek <jja...@re...> > --- > audit-test/netfilebt/run.conf | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/audit-test/netfilebt/run.conf b/audit-test/netfilebt/run.conf > index 14318be..290bb5e 100644 > --- a/audit-test/netfilebt/run.conf > +++ b/audit-test/netfilebt/run.conf > @@ -526,6 +526,8 @@ prepend_cleanup 'network_cleanup' > function ebtaudit_setup { > > ebtables -A INPUT -p arp -j ACCEPT > +ebtables -A INPUT -p ipv6 --ip6-protocol ipv6-icmp --ip6-icmp-type neighbour-solicitation -j ACCEPT > +ebtables -A INPUT -p ipv6 --ip6-protocol ipv6-icmp --ip6-icmp-type neighbour-advertisement -j ACCEPT > > ebtables -N AUDIT_DROP > ebtables -A AUDIT_DROP -j AUDIT --audit-type DROP > |
From: Jiri J. <jja...@re...> - 2013-08-28 12:11:46
|
On 08/27/2013 07:50 PM, Linda Knippers wrote:
> Not my area but I trust you. :-)
>
> -- ljk
>

I believe that this part of README.netfilter was originally made up to work around the fact that no ARP/ND packets could get through:

    Setting the aging timer to a high value is helpful to the testing as it prevents the learned mac addresses in the bridge's forwarding database from being deleted when it hasn't seen a frame from that mac address in the timer number of seconds. The following command is recommended.

    # brctl setageing <bridge name> 3600

This workaround shouldn't be needed anymore as basic link discovery now works.

To my best knowledge, these rules shouldn't interfere with anything, since they're mandatory for the vast majority of traffic to work. They would present a problem only when doing something like static ARP/neighbor assignment testing (and checking that no requests are being sent).

>>
>> ebtables -A INPUT -p arp -j ACCEPT
>> +ebtables -A INPUT -p ipv6 --ip6-protocol ipv6-icmp --ip6-icmp-type neighbour-solicitation -j ACCEPT
>> +ebtables -A INPUT -p ipv6 --ip6-protocol ipv6-icmp --ip6-icmp-type neighbour-advertisement -j ACCEPT
>>

Jiri |
From: Linda K. <lin...@hp...> - 2013-08-28 16:24:08
|
Thanks for the additional information. -- ljk Jiri Jaburek wrote: > On 08/27/2013 07:50 PM, Linda Knippers wrote: >> Not my area but I trust you. :-) >> >> -- ljk >> > > I believe that this part of README.netfilter was originally made up > to work around the fact that no ARP/ND packets could get through: > > Setting the aging timer to a high value is helpful to the testing as > it prevents the learned mac addresses in the bridge's forwarding > database from being deleted when it hasn't seen a frame from that mac > address in the timer number of seconds. The following command is > recommended. > > # brctl setageing <bridge name> 3600 > > This workaround shouldn't be needed anymore as basic link discovery > now works. > > To my best knowledge, these rules shouldn't interfere with anything, > since they're mandatory for vast majority of traffic to work. > They would present a problem only when doing something like static > ARP/neighbor assignment testing (and checking that no requests > are being sent). > >>> >>> ebtables -A INPUT -p arp -j ACCEPT >>> +ebtables -A INPUT -p ipv6 --ip6-protocol ipv6-icmp --ip6-icmp-type neighbour-solicitation -j ACCEPT >>> +ebtables -A INPUT -p ipv6 --ip6-protocol ipv6-icmp --ip6-icmp-type neighbour-advertisement -j ACCEPT >>> > > Jiri |
From: Jiri J. <jja...@re...> - 2013-08-21 16:22:11
|
Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/kvm-iommu/test_usb_passthrough.bash | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/audit-test/kvm-iommu/test_usb_passthrough.bash b/audit-test/kvm-iommu/test_usb_passthrough.bash index e9cf702..f3d0198 100755 --- a/audit-test/kvm-iommu/test_usb_passthrough.bash +++ b/audit-test/kvm-iommu/test_usb_passthrough.bash @@ -230,19 +230,6 @@ check_usb_device_dynamic() { return $rc } -# Check if USB device has the owner and SELinux label -# set to the host system and no guest -check_usb_device() { - local owner label - owner=$(stat -c "%U:%G" /dev/bus/usb/$usb_bus/$usb_device) - [ $owner != "qemu:qemu" ] && ((rc+=1)) - - label=$(stat -c "%C" /dev/bus/usb/$usb_bus/$usb_device) - echo $label | grep "svirt_image_t:s0:c50,c70" || ((rc+=1)) - - return $rc -} - # Check if USB device cannot be accessed by an rogue VM # This test expects rogue_usb_device_access() { -- 1.8.3.1 |
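Review bot: the commit message is empty apart from the Signed-off-by, and the hunk alone does not show that check_usb_device is unused. State why the function is dropped (the hunk's leading context shows check_usb_device_dynamic, which presumably supersedes it) and confirm that no caller of check_usb_device remains in test_usb_passthrough.bash, otherwise the test would fail with "command not found" at runtime rather than at review time. A one-line message such as "Remove unused check_usb_device(), superseded by check_usb_device_dynamic()" would do.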
From: Linda K. <lin...@hp...> - 2013-08-27 17:53:27
|
Thanks for the cleanup. -- ljk On 08/21/13 12:22, Jiri Jaburek wrote: > Signed-off-by: Jiri Jaburek <jja...@re...> > --- > audit-test/kvm-iommu/test_usb_passthrough.bash | 13 ------------- > 1 file changed, 13 deletions(-) > > diff --git a/audit-test/kvm-iommu/test_usb_passthrough.bash b/audit-test/kvm-iommu/test_usb_passthrough.bash > index e9cf702..f3d0198 100755 > --- a/audit-test/kvm-iommu/test_usb_passthrough.bash > +++ b/audit-test/kvm-iommu/test_usb_passthrough.bash > @@ -230,19 +230,6 @@ check_usb_device_dynamic() { > return $rc > } > > -# Check if USB device has the owner and SELinux label > -# set to the host system and no guest > -check_usb_device() { > - local owner label > - owner=$(stat -c "%U:%G" /dev/bus/usb/$usb_bus/$usb_device) > - [ $owner != "qemu:qemu" ] && ((rc+=1)) > - > - label=$(stat -c "%C" /dev/bus/usb/$usb_bus/$usb_device) > - echo $label | grep "svirt_image_t:s0:c50,c70" || ((rc+=1)) > - > - return $rc > -} > - > # Check if USB device cannot be accessed by an rogue VM > # This test expects > rogue_usb_device_access() { > |
From: Jiri J. <jja...@re...> - 2013-08-21 16:22:25
|
From: Miroslav Vadkerti <mva...@re...> For specifying a USB passthrough device, the USB bus and device numbers need to be specified in the XML for RHEL7. This change should be backward compatible. Signed-off-by: Miroslav Vadkerti <mva...@re...> --- audit-test/kvm-iommu/test_usb_passthrough.bash | 1 + 1 file changed, 1 insertion(+) diff --git a/audit-test/kvm-iommu/test_usb_passthrough.bash b/audit-test/kvm-iommu/test_usb_passthrough.bash index f3d0198..1d256a2 100755 --- a/audit-test/kvm-iommu/test_usb_passthrough.bash +++ b/audit-test/kvm-iommu/test_usb_passthrough.bash @@ -113,6 +113,7 @@ generate_usb_dev_file() { <source> <vendor id='0x$usb_vendor'/> <product id='0x$usb_product'/> + <address bus='$usb_bus' device='$usb_device'/> </source> </hostdev> EOX -- 1.8.3.1 |
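Review bot: the new `<address bus='$usb_bus' device='$usb_device'/>` line makes generate_usb_dev_file depend on $usb_bus and $usb_device being set, but nothing in the hunk guards against them being empty; an empty bus or device attribute will make libvirt reject the hostdev definition with a less obvious error than a check in the script would give. Add a guard before the heredoc, e.g. `[[ -n $usb_bus && -n $usb_device ]] || exit_error "usb_bus/usb_device not set"`. Since bus and device numbers are assigned at enumeration time and change when the device is replugged or the host reboots, a short note in the test's setup documentation that the numbers must be re-read before each run would also help; pinning vendor/product alone did not have that property.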
From: Linda K. <lin...@hp...> - 2013-08-27 17:53:49
|
Looks good, thanks. -- ljk On 08/21/13 12:22, Jiri Jaburek wrote: > From: Miroslav Vadkerti <mva...@re...> > > For specifying USB passthrough device the USB bus and device numbers > need to be specified in the xml for RHEL7. > > This change should be backward compatible. > > Signed-off-by: Miroslav Vadkerti <mva...@re...> > --- > audit-test/kvm-iommu/test_usb_passthrough.bash | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/audit-test/kvm-iommu/test_usb_passthrough.bash b/audit-test/kvm-iommu/test_usb_passthrough.bash > index f3d0198..1d256a2 100755 > --- a/audit-test/kvm-iommu/test_usb_passthrough.bash > +++ b/audit-test/kvm-iommu/test_usb_passthrough.bash > @@ -113,6 +113,7 @@ generate_usb_dev_file() { > <source> > <vendor id='0x$usb_vendor'/> > <product id='0x$usb_product'/> > + <address bus='$usb_bus' device='$usb_device'/> > </source> > </hostdev> > EOX > |
From: Jiri J. <jja...@re...> - 2013-08-21 16:22:35
|
From: Miroslav Vadkerti <mva...@re...> Starting from RHEL6.3 the clearpart --initlabel does not initialize devices. The zerombr command is needed for the installation to work with guests >= RHEL6.3. Signed-off-by: Miroslav Vadkerti <mva...@re...> --- audit-test/kvm/KVM-Guest-N-ks.cfg | 1 + 1 file changed, 1 insertion(+) diff --git a/audit-test/kvm/KVM-Guest-N-ks.cfg b/audit-test/kvm/KVM-Guest-N-ks.cfg index db11011..f54d1bf 100644 --- a/audit-test/kvm/KVM-Guest-N-ks.cfg +++ b/audit-test/kvm/KVM-Guest-N-ks.cfg @@ -32,6 +32,7 @@ poweroff for i in $(find /dev -regex '^/dev/\(hd\|sd\|vd\|xvd\)[a-z]+$' -print | sort); do dev=$(basename $i) echo "clearpart --all --drives=$dev --initlabel" > /tmp/part-include + echo "zerombr" >> /tmp/part-include echo "part /boot --fstype ext3 --size=100 --ondisk=$dev" >> /tmp/part-include echo "part pv.1 --size=1 --grow --ondisk=$dev" >> /tmp/part-include echo "volgroup VolGroup00 --pesize=32768 pv.1" >> /tmp/part-include -- 1.8.3.1 |
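Review bot: `zerombr` is a global kickstart command with no per-disk argument, so emitting it inside the per-disk loop right after the `clearpart --all --drives=$dev --initlabel` line is harmless (the file is rewritten with `>` on each iteration, so only one copy survives) but misleading, because it reads as if it applied to $dev only. Consider writing it once, outside the loop, before the first clearpart line. It is also worth a comment in the kickstart that zerombr unconditionally initialises any disk with an unreadable partition table, which is the intent for a throwaway guest but would be destructive if this file were ever reused for a host.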
From: Linda K. <lin...@hp...> - 2013-08-27 17:54:25
|
Thanks for the fix. -- ljk On 08/21/13 12:22, Jiri Jaburek wrote: > From: Miroslav Vadkerti <mva...@re...> > > Starting from RHEL6.3 the clearpart --initlabel does not initialize > devices. The zerombr command is needed for the installation to work > with guests >= RHEL6.3. > > Signed-off-by: Miroslav Vadkerti <mva...@re...> > --- > audit-test/kvm/KVM-Guest-N-ks.cfg | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/audit-test/kvm/KVM-Guest-N-ks.cfg b/audit-test/kvm/KVM-Guest-N-ks.cfg > index db11011..f54d1bf 100644 > --- a/audit-test/kvm/KVM-Guest-N-ks.cfg > +++ b/audit-test/kvm/KVM-Guest-N-ks.cfg > @@ -32,6 +32,7 @@ poweroff > for i in $(find /dev -regex '^/dev/\(hd\|sd\|vd\|xvd\)[a-z]+$' -print | sort); do > dev=$(basename $i) > echo "clearpart --all --drives=$dev --initlabel" > /tmp/part-include > + echo "zerombr" >> /tmp/part-include > echo "part /boot --fstype ext3 --size=100 --ondisk=$dev" >> /tmp/part-include > echo "part pv.1 --size=1 --grow --ondisk=$dev" >> /tmp/part-include > echo "volgroup VolGroup00 --pesize=32768 pv.1" >> /tmp/part-include > |
From: Jiri J. <jja...@re...> - 2013-08-21 16:22:49
|
From: Miroslav Vadkerti <mva...@re...> In RHEL7 qemu_t became an alias to the svirt_t domain. This patch fixes expected AVC scontext because of this change. This change is backward compatible with RHEL6. Signed-off-by: Miroslav Vadkerti <mva...@re...> --- audit-test/kvm/test_selinux_chcon_resource.bash | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/audit-test/kvm/test_selinux_chcon_resource.bash b/audit-test/kvm/test_selinux_chcon_resource.bash index e9646d3..edf4517 100755 --- a/audit-test/kvm/test_selinux_chcon_resource.bash +++ b/audit-test/kvm/test_selinux_chcon_resource.bash @@ -64,7 +64,8 @@ for i in $(seq $first $last); do exit_fail fi - expression="type==AVC and extra_text=~denied and comm==runcon and scontext=~qemu_t" + # We need to check for svirt_t starting from RHEL7 too because qemu_t became an alias to it + expression="type==AVC and extra_text=~denied and comm==runcon and scontext=~(qemu_t|svirt_t)" if [[ $(augrok -c --seek $offset $expression) -eq 0 ]]; then exit_fail -- 1.8.3.1 |
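Review bot: `scontext=~(qemu_t|svirt_t)` is an unanchored regular expression, so it matches any scontext whose type merely contains `qemu_t` or `svirt_t` as a substring, not only the two domains the comment names. Since the test treats a single matching AVC as success, anchoring on the context separators keeps it from being satisfied by a denial from some other domain: `scontext=~:(qemu_t|svirt_t):`. The comment above the expression could also say that qemu_t is kept for RHEL6 and svirt_t added for RHEL7, matching the commit message, rather than "starting from RHEL7 too", which reads as if both appear on RHEL7.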
From: Linda K. <lin...@hp...> - 2013-08-27 17:55:02
|
Looks good, thanks. -- ljk On 08/21/13 12:22, Jiri Jaburek wrote: > From: Miroslav Vadkerti <mva...@re...> > > In RHEL7 qemu_t became an alias to the svirt_t domain. This patch > fixes expected AVC scontext because of this change. > > This change is backward compatible with RHEL6. > > Signed-off-by: Miroslav Vadkerti <mva...@re...> > --- > audit-test/kvm/test_selinux_chcon_resource.bash | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/audit-test/kvm/test_selinux_chcon_resource.bash b/audit-test/kvm/test_selinux_chcon_resource.bash > index e9646d3..edf4517 100755 > --- a/audit-test/kvm/test_selinux_chcon_resource.bash > +++ b/audit-test/kvm/test_selinux_chcon_resource.bash > @@ -64,7 +64,8 @@ for i in $(seq $first $last); do > exit_fail > fi > > - expression="type==AVC and extra_text=~denied and comm==runcon and scontext=~qemu_t" > + # We need to check for svirt_t starting from RHEL7 too because qemu_t became an alias to it > + expression="type==AVC and extra_text=~denied and comm==runcon and scontext=~(qemu_t|svirt_t)" > > if [[ $(augrok -c --seek $offset $expression) -eq 0 ]]; then > exit_fail > |
From: Jiri J. <jja...@re...> - 2013-08-21 16:23:01
|
The old passwords were detected as dictionary ones by newer PAM versions, probably due to the 'paSs' substring. Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/crypto/tests/test_cryptsetup_access.bash | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/audit-test/crypto/tests/test_cryptsetup_access.bash b/audit-test/crypto/tests/test_cryptsetup_access.bash index c41adef..af275e3 100755 --- a/audit-test/crypto/tests/test_cryptsetup_access.bash +++ b/audit-test/crypto/tests/test_cryptsetup_access.bash @@ -37,9 +37,9 @@ source tp_luks_functions.bash || exit 2 ### defaults DMCRYPT="cryptfs" DMCRYPTDEV="/dev/mapper/$DMCRYPT" -LUKSPASS="7k+paSs" -LUKSPASSND="2nd7k+paSs!!!" -LUKSPASSRD="paSs!!1444b_" +LUKSPASS="kc3%a9?cF]X" +LUKSPASSND="2nd7k+meSs!!!" +LUKSPASSRD="meSs!!1444b_" MOUNT="/mnt/crypt" ### functions -- 1.8.3.1 |
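Review bot: the new `LUKSPASS="kc3%a9?cF]X"` value introduces `%`, `?` and `]`, which the old value did not have. That is fine inside the double-quoted assignment, but check every later use of $LUKSPASS in test_cryptsetup_access.bash and tp_luks_functions.bash: an unquoted expansion is subject to pathname globbing (`?` and `]` are glob metacharacters), and passing it as the first argument of printf would interpret the `%`. If the variable is only ever used as `"$LUKSPASS"` this is a no-op; if not, either quote those sites or pick a value without shell metacharacters. A sentence in the commit message saying which check rejected the old values (the "dictionary" hint) would also make it easier to re-verify when PAM changes again.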