From: Linda K. <lin...@hp...> - 2013-08-27 17:49:01
Looks good. I didn't know about ss.
-- ljk
On 08/21/13 12:21, Jiri Jaburek wrote:
> From: Miroslav Vadkerti <mva...@re...>
>
> Tool netstat from net-tools package is in optional channel for RHEL7.
> We can use ss instead of it without big changes and it is from more
> standard iproute package.
>
> Signed-off-by: Miroslav Vadkerti <mva...@re...>
> ---
> audit-test/crypto/tests/test_ssh_sym.bash | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/audit-test/crypto/tests/test_ssh_sym.bash b/audit-test/crypto/tests/test_ssh_sym.bash
> index e713c98..0e89b6f 100755
> --- a/audit-test/crypto/tests/test_ssh_sym.bash
> +++ b/audit-test/crypto/tests/test_ssh_sym.bash
> @@ -60,8 +60,8 @@ ssh_remove_screen $MPROFILE
> ssh_restart_daemon
>
> # get the pid of sshd process running on port 22
> -SSHDPID=$(netstat -putna | grep ":22" | grep -m1 LISTEN | \
> - sed 's/.*\(\b[0-9]\+\)\/sshd\b.*/\1/')
> +SSHDPID=$(ss -4 -ltnp | grep sshd | sed 's/.*sshd",\([0-9]\+\),.*/\1/')
> +[ -z "$SSHDPID" ] && exit_error "could not find sshd process pid"
>
> # check if SSH_USE_STRONG_RNG set in environemnt of the sshd process
> grep "SSH_USE_STRONG_RNG" /proc/$SSHDPID/environ
>
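Review bot: the replacement drops both the ":22" port filter and the `-m1` limit that the netstat version had, so `ss -4 -ltnp | grep sshd` yields one PID per matching socket line (sshd listening on a second address or port) and `SSHDPID` becomes a multi-line value that the later `/proc/$SSHDPID/environ` read cannot use; the comment still says "running on port 22", so keep a port filter, e.g. `ss -4 -ltnp 'sport = :22'`, and take only the first match with `head -n1`. The sed expression is also tied to the exact `"sshd",PID,` layout of the users: column, so any ss release that prints that field differently makes the new `[ -z "$SSHDPID" ]` check fire; validating that the result is a single number (`[[ $SSHDPID =~ ^[0-9]+$ ]] || exit_error ...`) would catch both the multi-line and the format-change case before /proc is consulted.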
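The `ss`-based lookup in the patch above, generalized as an added example that is not part of the audit-test suite: a parser that takes `ss -ltnp` output, filters on the listening port rather than on the process name alone, accepts both the `"sshd",PID,FD` form this patch's sed matches and the `pid=PID,fd=FD` form printed by newer iproute2 releases, and de-duplicates when several sockets or processes share a PID. The `listener_pids` and `sshd_pid` names and the sample `ss` lines are constructed for the example; only `sshd_pid` touches the live host.

```shell
#!/bin/bash
# Added example (not from the audit-test suite): find the PID(s) owning a
# listening TCP port from `ss -ltnp` output, independent of the exact
# formatting of the users: column. listener_pids/sshd_pid and the sample
# ss lines below are constructed for this example.

# listener_pids PORT [PROCNAME]   (ss -ltnp output on stdin)
# Prints each unique PID that owns a LISTEN socket on local port PORT,
# optionally restricted to processes named PROCNAME.
listener_pids() {
    local port=$1 name=${2:-}
    awk -v port="$port" -v name="$name" '
        $1 != "LISTEN" { next }          # also skips the header line
        {
            # column 4 is Local Address:Port, e.g. *:22, 0.0.0.0:22, [::]:22, :::22
            n = split($4, a, ":")
            if (a[n] != port) next
            # users:(("sshd",1234,3))          old iproute2 (what the patch matches)
            # users:(("sshd",pid=1234,fd=3))   newer iproute2
            # one socket may list several owners, so loop over every ("name",pid entry
            while (match($0, /\("[^"]*",(pid=)?[0-9]+/)) {
                ent = substr($0, RSTART, RLENGTH)
                $0  = substr($0, RSTART + RLENGTH)
                split(ent, q, "\"")             # q[2] is the process name
                sub(/.*,(pid=)?/, "", ent)      # ent is now the bare PID
                if ((name == "" || q[2] == name) && !(ent in seen)) {
                    seen[ent] = 1
                    print ent
                }
            }
        }'
}

# Live lookup, the equivalent of the patch's SSHDPID line: first sshd PID on port 22.
sshd_pid() {
    ss -ltnp 2>/dev/null | listener_pids "${1:-22}" sshd | head -n 1
}

# Constructed sample in the 2013-era format the patch's sed expects ...
SAMPLE_SS_OLD='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    *:22                *:*     users:(("sshd",1234,3))
LISTEN 0      128    :::22               :::*    users:(("sshd",1234,4))
LISTEN 0      128    *:2222              *:*     users:(("sshd",1300,3))
LISTEN 0      100    127.0.0.1:25        *:*     users:(("master",1100,12))'

# ... and in the newer pid=/fd= format, with one socket shared by two processes.
SAMPLE_SS_NEW='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=4321,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=4321,fd=4))
LISTEN 0 4096 127.0.0.1:22 0.0.0.0:* users:(("socat",pid=777,fd=5),("sshd",pid=4321,fd=6))'

# Usage: printf '%s\n' "$SAMPLE_SS_OLD" | listener_pids 22 sshd    # prints 1234 once
```

Filtering on the local port column is what makes the lookup match the comment in the test ("sshd process running on port 22"); matching on the process name alone would also return an sshd bound to a non-standard port, and the de-duplication keeps a multi-socket daemon from producing a multi-line PID.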
From: Linda K. <lin...@hp...> - 2013-08-27 17:39:07
Looks good, thanks.
-- ljk
On 08/21/13 12:21, Jiri Jaburek wrote:
> From: Miroslav Vadkerti <mva...@re...>
>
> When DISTRO env var is not used an error occurs because of missing
> double apostrophes in if statments.
>
> Signed-off-by: Miroslav Vadkerti <mva...@re...>
> ---
> audit-test/libpam/run.conf | 4 ++--
> audit-test/libpam/tests/pam_functions.bash | 2 +-
> audit-test/utils/functions.bash | 4 ++--
> 3 files changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/audit-test/libpam/run.conf b/audit-test/libpam/run.conf
> index 6f74c64..6e79aab 100644
> --- a/audit-test/libpam/run.conf
> +++ b/audit-test/libpam/run.conf
> @@ -47,11 +47,11 @@ function run_test {
> + ssh04
> + ssh04_fail
>
> -if [[ $DISTRO != "SUSE" ]] ; then
> +if [[ "$DISTRO" != "SUSE" ]] ; then
> + pamfaillock_lock
> + pamfaillock_unlock
> fi
> -if [[ $DISTRO != "RHEL" ]] ; then
> +if [[ "$DISTRO" != "RHEL" ]] ; then
> + vsftpd
> + vsftpd_fail
> fi
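Review bot: inside `[[ ... ]]` bash performs no word splitting on `$DISTRO`, so `[[ $DISTRO != "SUSE" ]]` already behaves correctly when DISTRO is unset; the error the commit message describes comes from the single-bracket tests in functions.bash below, where `[ $DISTRO = "SUSE" ]` collapses to `[ = SUSE ]`. The quoting in this hunk is harmless and keeps the style uniform, but the commit message should say that only the `[ ... ]` sites were actually broken.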
> diff --git a/audit-test/libpam/tests/pam_functions.bash b/audit-test/libpam/tests/pam_functions.bash
> index 4cdf975..d44c2e8 100644
> --- a/audit-test/libpam/tests/pam_functions.bash
> +++ b/audit-test/libpam/tests/pam_functions.bash
> @@ -21,7 +21,7 @@ source testcase.bash || exit 2
> # global variables
> ######################################################################
>
> -if [[ $DISTRO != "RHEL" ]] ; then
> +if [[ "$DISTRO" != "RHEL" ]] ; then
> if [ -f /etc/vsftpd/vsftpd.conf ]; then
> vsftpd_conf=/etc/vsftpd/vsftpd.conf
> elif [ -f /etc/vsftpd.conf ]; then
> diff --git a/audit-test/utils/functions.bash b/audit-test/utils/functions.bash
> index bb82632..ed197fd 100644
> --- a/audit-test/utils/functions.bash
> +++ b/audit-test/utils/functions.bash
> @@ -194,7 +194,7 @@ function start_auditd {
> local log_file=${1:-"/var/log/audit/audit.log"}
>
> if ! pidof auditd &>/dev/null; then
> - if [ $DISTRO = "SUSE" ]; then
> + if [ "$DISTRO" = "SUSE" ]; then
> rcauditd start || return 2
> auditctl -e 1 || return 2
> else
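Review bot: with the quotes in place an unset DISTRO no longer aborts the test but silently falls into the `else` branch, i.e. the non-SUSE start path, which is a guess about the platform rather than a decision. If DISTRO is genuinely optional, README.run should state what the default is; otherwise `start_auditd` should fail early with a clear message (`[ -n "$DISTRO" ] || return 2`) instead of picking a branch.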
> @@ -226,7 +226,7 @@ function stop_auditd {
> declare i
>
> auditctl -D &>/dev/null
> - if [ $DISTRO = "SUSE" ]; then
> + if [ "$DISTRO" = "SUSE" ]; then
> rcauditd stop || killall auditd
> else
> service auditd stop || killall auditd
>
From: Linda K. <lin...@hp...> - 2013-08-27 17:37:56
On 08/21/13 12:21, Jiri Jaburek wrote:
> From: Miroslav Vadkerti <mva...@re...>
>
> This patch incorporates changes that make possible
> merging of subsequent test runs.
>
> The logs are now stored also separately for each test
> in the logs subdirectory of the test bucket. The run and
> rollup logs are generated from these logs. The output
> of the run.bash should remain the same.
So this is for the case where you might need to re-run a particular
test case? So you don't have to run the complete bucket to get
a good log?
>
> This patch also fixes the --list option that now does
> not delete the contents of run and rollup log.
>
> This patch adds generate (-g|--generate) option that generates
> the total run and rollup logs. This might be useful if these
> were deleted or not created after aborting testing with SIGINT.
Does this option catch the case where a specific test result might be missing?
Is there any way to know that not all the test cases were run?
-- ljk
>
> The distclean make target removes the new logs directory.
>
> Signed-off-by: Miroslav Vadkerti <mva...@re...>
> ---
> audit-test/rules.mk | 4 +-
> audit-test/utils/run.bash | 132 +++++++++++++++++++++++++++++++++++-----------
> 2 files changed, 104 insertions(+), 32 deletions(-)
>
> diff --git a/audit-test/rules.mk b/audit-test/rules.mk
> index 1534c66..a53d979 100644
> --- a/audit-test/rules.mk
> +++ b/audit-test/rules.mk
> @@ -194,14 +194,14 @@ _clean:
>
> clean: _clean
>
> -ALL_LOGS += run.log rollup.log
> +ALL_LOGS += run.log rollup.log logs
> _distclean: clean
> @if [[ "$(MAKECMDGOALS)" == distclean ]]; then \
> for x in $(SUB_DIRS); do \
> make -C $$x distclean; \
> done; \
> fi
> - $(RM) $(ALL_LOGS)
> + $(RM) -r $(ALL_LOGS)
> if [[ -L run.bash ]]; then $(RM) run.bash; fi
>
> distclean: _distclean
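Review bot: `ALL_LOGS += run.log rollup.log logs` hardcodes the directory name while run.bash in this same patch accepts `-o/--logdir=DIR`, so `make distclean` will not remove per-test logs written to a custom directory; either derive both from one shared setting or document that only the default `logs` directory is cleaned. Switching to `$(RM) -r` also means anything that ends up in ALL_LOGS is deleted recursively, so that list must never pick up a user-supplied path.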
> diff --git a/audit-test/utils/run.bash b/audit-test/utils/run.bash
> index f70b79a..890f84a 100755
> --- a/audit-test/utils/run.bash
> +++ b/audit-test/utils/run.bash
> @@ -51,6 +51,7 @@ source functions.bash || exit 2
>
> unset logging
> unset opt_verbose opt_debug opt_config opt_list opt_log opt_rollup opt_timeout opt_width
> +echoing=true
> logging=false
> opt_avc=false
> opt_verbose=false
> @@ -59,6 +60,7 @@ opt_quiet=false
> opt_config=run.conf
> opt_list=false
> opt_log=run.log
> +opt_logdir=logs
> opt_rollup=rollup.log
> opt_timeout=30
> opt_width=$(stty size 2>/dev/null | cut -d' ' -f2)
> @@ -140,9 +142,8 @@ function dmsg {
> }
>
> function prf {
> - printf "$(colorize "$1")" "${@:2}"
> - $logging || return
> - printf "$(monoize "$1")" "${@:2}" | tee -a "$opt_rollup" >>"$opt_log"
> + $echoing && printf "$(colorize "$1")" "${@:2}"
> + $logging && printf "$(monoize "$1")" "${@:2}" | tee -a "$opt_rollup" >>"$opt_log"
> }
>
> #----------------------------------------------------------------------
> @@ -219,6 +220,11 @@ function startup {
> trap - 1 2;
> fi
>
> + # Create log directory if needed
> + if [[ ! -d "$opt_logdir" ]]; then
> + mkdir "$opt_logdir"
> + fi
> +
> # Initialize audit configuration and make sure auditd is running
> auditd_orig=$(mktemp $auditd_conf.XXXXXX) || return 2
> cp -a "$auditd_conf" "$auditd_orig" || return 2
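Review bot: `mkdir "$opt_logdir"` is the one step in `startup` without a failure check, while the neighbouring `mktemp` and `cp -a` lines use `|| return 2`. If the directory cannot be created (permissions, or a regular file of that name) the run continues and every later `cp -f $opt_log $opt_logdir/...` fails. `mkdir -p "$opt_logdir" || return 2` covers both the error and the already-exists case and removes the `if`.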
> @@ -341,10 +347,12 @@ Usage: ${0##*/} [OPTION]...
> Run a set of test cases, reporting pass/fail and tallying results.
>
> -f --config=FILE Use a config file other than run.conf
> + -g --generate Generate run.log and rollup.log from $opt_logdir
> --header Don't run anything, just output the log header
> -l --log=FILE Output to a log other than run.log
> -r --rollup=FILE Output to a rollup other than rollup.log
> -t --timeout=SEC Seconds to wait for a test to timeout, default 30
> + -o --logdir=DIR Output directory of per test logs
> -w --width=COLS Set COLS output width instead of auto-detect
> -h --help Show this help
>
> @@ -364,8 +372,8 @@ function parse_cmdline {
> declare args conf x
>
> # Use /usr/bin/getopt which supports GNU-style long options
> - args=$(getopt -o adf:hl:qr:vw: \
> - --long config:,avc,debug,help,header,list,log:,quiet,rollup:,nocolor,verbose,width: \
> + args=$(getopt -o adf:ghl:qr:o:vw: \
> + --long config:,avc,debug,generate,help,header,list,log:,logdir:,quiet,rollup:,nocolor,verbose,width: \
> -n "$0" -- "$@") || die
> eval set -- "$args"
>
> @@ -374,6 +382,7 @@ function parse_cmdline {
> -a|--avc) opt_avc=true; shift ;;
> -d|--debug) opt_debug=true; opt_verbose=true; shift ;;
> -f|--config) opt_config=$2; shift 2 ;;
> + -g|--generate) logging=true; generate_logs; exit 0 ;;
> -h|--help) usage; exit 0 ;;
> --header) show_header; exit 0 ;;
> --list) opt_list=true; shift ;;
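Review bot: `-g|--generate` calls `generate_logs` and exits from inside the getopt loop, so `-o/--logdir`, `-l` and `-r` given after `-g` on the command line are ignored and the defaults are used. Set a flag here (`opt_generate=true`) and act on it after the loop, the way `--list` is handled. The usage text for `-g` should also say that it overwrites run.log and rollup.log from the contents of `$opt_logdir`.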
> @@ -381,6 +390,7 @@ function parse_cmdline {
> -q|--quiet) opt_quiet=true; shift ;;
> -r|--rollup) opt_rollup=$2; shift 2 ;;
> -t|--timeout) opt_timeout=$2; shift 2 ;;
> + -o|--logdir) opt_logdir=$2; shift 2 ;;
> --nocolor) colorize() { monoize "$@"; }; shift ;;
> -v|--verbose) opt_verbose=true; shift ;;
> -w|--width) opt_width=$2; shift 2 ;;
> @@ -389,9 +399,6 @@ function parse_cmdline {
> esac
> done
>
> - # Open the logs now that opt_log and opt_rollup are set
> - open_log
> -
> # Load the config
> dmsg "Loading config from $opt_config"
> conf="$(<$opt_config)
> @@ -413,8 +420,10 @@ function parse_cmdline {
> done
> else
> # add by number
> - dmsg " [$1] ${TESTS[$1]}"
> - TNUMS[$1]=$1
> + if [ $1 -lt ${#TESTS[@]} ]; then
> + dmsg " [$1] ${TESTS[$1]}"
> + TNUMS[$1]=$1
> + fi
> fi
> shift
> done
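Review bot: `if [ $1 -lt ${#TESTS[@]} ]` silently drops an out-of-range test number with no message, so a typo in a number shrinks the run without anyone noticing; a non-numeric argument makes `[` print "integer expression expected" rather than a usage hint. Add an `else` branch that warns (`msg "ignoring unknown test number $1"`) and validate with `[[ $1 =~ ^[0-9]+$ ]]` first.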
> @@ -435,21 +444,24 @@ function parse_cmdline {
> done
> exit 0
> fi
> +
> + # Open the logs before running the tests
> + open_log
> }
>
> function show_header {
> - prf "\n"
> - prf "%-32s %s\n" Started: "$(date)"
> - prf "%-32s %s\n" Kernel: "$(uname -r)"
> - prf "%-32s %s\n" Architecture: "$(uname -m)"
> - prf "%-32s %s\n" Mode: "${MODE:-(native)}"
> - prf "%-32s %s\n" Hostname: "$(uname -n)"
> - prf "%-32s %s\n" Profile: "$PPROFILE"
> - prf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
> + nolog prf "\n"
> + nolog prf "%-32s %s\n" Started: "$(date)"
> + nolog prf "%-32s %s\n" Kernel: "$(uname -r)"
> + nolog prf "%-32s %s\n" Architecture: "$(uname -m)"
> + nolog prf "%-32s %s\n" Mode: "${MODE:-(native)}"
> + nolog prf "%-32s %s\n" Hostname: "$(uname -n)"
> + nolog prf "%-32s %s\n" Profile: "$PPROFILE"
> + nolog prf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
> if [[ $PPROFILE == lspp ]] ; then
> - prf "%-32s %s\n" "lspp_test policy version:" "$(semodule -l | grep lspp_test | awk '{print $2}')"
> + nolog prf "%-32s %s\n" "lspp_test policy version:" "$(semodule -l | grep lspp_test | awk '{print $2}')"
> fi
> - prf "\n%s\n" "$(sestatus)"
> + nolog prf "\n%s\n" "$(sestatus)"
> }
>
> function fmt_test {
> @@ -485,20 +497,55 @@ function show_test {
> fmt_test "[$TESTNUM]" "$@"
> }
>
> +function noecho {
> + declare echoing=false
> + "$@"
> +}
> +
> function nolog {
> declare logging=false
> "$@"
> }
>
> +function generate_logs {
> + declare pass fail error
> +
> + # clear run and rollup logs
> + echo -n > $opt_log
> + echo -n > $opt_rollup
> +
> + # create total run log
> + for log in $(ls $opt_logdir/$opt_log.* | sed 's/\(.*\)\.\(.*\)/\1 \2/g' | sort -k2 -n | tr ' ' '.'); do
> + cat $log >> $opt_log
> + echo >> $opt_log
> + done
> +
> + # create total rollup log
> + for log in $(ls $opt_logdir/$opt_rollup.* | sed 's/\(.*\)\.\(.*\)/\1 \2/g' | sort -k2 -n | tr ' ' '.'); do
> + cat $log | sed '1,/--------/d' >> $opt_rollup
> + done
> +
> + pass=$(grep "PASS" $opt_rollup | wc -l)
> + fail=$(grep "FAIL" $opt_rollup | wc -l)
> + error=$(grep "ERROR" $opt_rollup | wc -l)
> + (( total = pass + fail + error ))
> + llmsg
> + prf "%4d pass (%d%%)\n" $pass $((pass * 100 / total))
> + prf "%4d fail (%d%%)\n" $fail $((fail * 100 / total))
> + prf "%4d error (%d%%)\n" $error $((error * 100 / total))
> + prf "%s\n" "------------------"
> + prf "%4d total\n" $total
> +}
> +
> function run_tests {
> - declare TESTNUM output status hee s
> + declare TESTNUM output status hee s log stats header
> declare begin_output="<blue>--- begin output -----------------------------------------------------------"
> declare end_output="<blue>--- end output -------------------------------------------------------------"
>
> show_header
> - msg
> - prf "%-$((opt_width-7))s %s\n" "Testcase" "Result"
> - prf "%-$((opt_width-7))s %s\n" "--------" "------"
> + nolog msg
> + nolog prf "%-$((opt_width-7))s %s\n" "Testcase" "Result"
> + nolog prf "%-$((opt_width-7))s %s\n" "--------" "------"
>
> if $opt_debug; then
> hee=/dev/stderr
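Review bot: `generate_logs` truncates run.log and rollup.log before checking that `$opt_logdir` holds any per-test logs; when it holds none (for instance `-g` in a fresh checkout), `ls` prints an error, `total` is 0 and `$((pass * 100 / total))` aborts with a division-by-zero error after the old logs are already gone. Count the files first and stop with an error when there are none, and guard the percentages with `total > 0`. `grep "PASS" | wc -l` also matches the word anywhere on a line; counting the result column only (the last field) avoids miscounting a test whose name contains PASS or FAIL.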
> @@ -507,6 +554,11 @@ function run_tests {
> fi
>
> for TESTNUM in "${TNUMS[@]}"; do
> + noecho prf "$(show_header)\n" ""
> + llmsg
> + noecho prf "%-$((opt_width-7))s %s\n" "Testcase" "Result"
> + noecho prf "%-$((opt_width-7))s %s\n" "--------" "------"
> +
> eval "set -- ${TESTS[TESTNUM]}"
>
> if $opt_debug; then
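Review bot: `noecho prf "$(show_header)\n" ""` passes the header text as the printf format string (prf does `printf "$(colorize "$1")" "${@:2}"`), so any `%` in the date, hostname or `sestatus` output is interpreted as a conversion and backslashes as escapes. Use a fixed format and pass the text as an argument: `noecho prf "%s\n" "$(show_header)"`. Running `show_header` here also re-executes `rpm -q` and `sestatus` once per test; capture it once before the loop into the `header` variable that `run_tests` declares but never assigns.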
> @@ -587,15 +639,35 @@ function run_tests {
> msg "<blue>-- audit2allow -------------------------------------------------------------"
> msg "$(ausearch -ts $stime -te $etime -m avc | audit2allow)"
> fi
> +
> + # copy header to run and rollup log
> + echo "$header" >> $opt_logdir/$opt_log.$TESTNUM
> + echo >> $opt_logdir/$opt_log.$TESTNUM
> + echo "$header" >> $opt_logdir/$opt_rollup.$TESTNUM
> + echo >> $opt_logdir/$opt_rollup.$TESTNUM
> +
> + # copy test output to own log file
> + cp -f $opt_log $opt_logdir/$opt_log.$TESTNUM
> + sed -i '/./,$!d' $opt_logdir/$opt_log.$TESTNUM
> + cp -f $opt_rollup $opt_logdir/$opt_rollup.$TESTNUM
> + sed -i '/./,$!d' $opt_logdir/$opt_rollup.$TESTNUM
> +
> + # clear log and rollup
> + echo -n > $opt_log
> + echo -n > $opt_rollup
> done
>
> + # create current stats
> (( total = pass + fail + error ))
> - msg
> - prf "%4d pass (%d%%)\n" $pass $((pass * 100 / total))
> - prf "%4d fail (%d%%)\n" $fail $((fail * 100 / total))
> - prf "%4d error (%d%%)\n" $error $((error * 100 / total))
> - prf "%s\n" "------------------"
> - prf "%4d total\n" $total
> + nolog msg
> + nolog prf "%4d pass (%d%%)\n" $pass $((pass * 100 / total))
> + nolog prf "%4d fail (%d%%)\n" $fail $((fail * 100 / total))
> + nolog prf "%4d error (%d%%)\n" $error $((error * 100 / total))
> + nolog prf "%s\n" "------------------"
> + nolog prf "%4d total\n" $total
> +
> + # create silently run and rollup logs
> + noecho generate_logs
>
> return 0
> }
>
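Review bot: the "copy header" block appends `$header`, which is declared in `run_tests` but never assigned in this patch, so it writes blank lines, and the `cp -f $opt_log $opt_logdir/$opt_log.$TESTNUM` that follows overwrites the same file anyway, so the whole block is dead code. Either drop it or assign `header=$(show_header)` once and write it after the copy. The unquoted `$opt_logdir` and `$opt_log` in these `cp`/`sed -i` lines should be quoted as well, since `-o` accepts an arbitrary path.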
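Linda's two questions above (re-running a single test, and knowing whether every test actually ran) can be answered from the per-test logs this patch introduces. The following is an added example, not code from the audit-test suite or from this patch: it checks that a per-test rollup log exists for every test number the run was meant to cover, tallies PASS/FAIL/ERROR from the result column instead of grepping whole lines, and guards the percentage against an empty run. `verify_run_logs`, `tally_rollup`, `make_sample_logs` and the sample log lines are constructed for the example.

```shell
#!/bin/bash
# Added example (not from the audit-test suite or this patch): verify that a
# run produced a per-test rollup log for every test it was supposed to cover
# and tally the results safely. verify_run_logs, tally_rollup,
# make_sample_logs and the sample log lines are constructed for this example.

# tally_rollup FILE...   ->   "pass fail error"
# The verdict is the last column of a rollup line (as prf prints it), so a
# test *name* containing the word FAIL or PASS is not miscounted, and the
# header lines written before the table do not need stripping.
tally_rollup() {
    awk '{ v = $NF }
         v == "PASS"  { p++ }
         v == "FAIL"  { f++ }
         v == "ERROR" { e++ }
         END { printf "%d %d %d\n", p, f, e }' "$@"
}

# verify_run_logs LOGDIR ROLLUPNAME TESTNUM...
# Prints "pass fail error total missing pass_pct"; returns 1 when any
# expected per-test log is absent (e.g. the run was aborted with SIGINT).
# Assumes LOGDIR contains no whitespace, like run.bash's default "logs".
verify_run_logs() {
    local logdir=$1 rollup=$2
    shift 2
    local n missing=0 files=''
    for n in "$@"; do
        if [ -f "$logdir/$rollup.$n" ]; then
            files="$files $logdir/$rollup.$n"
        else
            echo "no per-test log for test [$n]: $logdir/$rollup.$n" >&2
            missing=$((missing + 1))
        fi
    done
    local counts='0 0 0'
    if [ -n "$files" ]; then
        set -- $files
        counts=$(tally_rollup "$@")
    fi
    set -- $counts
    local p=$1 f=$2 e=$3
    local total=$((p + f + e)) pct=0
    # a run with no results must not die on a division by zero
    [ "$total" -gt 0 ] && pct=$((p * 100 / total))
    echo "$p $f $e $total $missing $pct"
    [ "$missing" -eq 0 ]
}

# Constructed sample: four per-test rollup fragments in the shape prf writes
# ("%-Ns %s": padded name, verdict last); test 3 has no log on purpose.
make_sample_logs() {
    local d
    d=$(mktemp -d) || return 1
    printf '%-60s %s\n' ssh04            PASS  > "$d/rollup.log.0"
    printf '%-60s %s\n' ssh04_fail       PASS  > "$d/rollup.log.1"
    printf '%-60s %s\n' pamfaillock_lock FAIL  > "$d/rollup.log.2"
    printf '%-60s %s\n' vsftpd           ERROR > "$d/rollup.log.4"
    echo "$d"
}

# Usage:
#   d=$(make_sample_logs)
#   verify_run_logs "$d" rollup.log 0 1 2 3 4    # prints "2 1 1 4 1 50", exit status 1
```

Because the patch names each per-test file after `$TESTNUM`, the list of numbers that run.bash resolved from run.conf is enough to detect a gap; a missing file is reported by number and the function's exit status makes the gap visible to whatever wraps the run.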
From: Linda K. <lin...@hp...> - 2013-08-27 17:23:21
Hi Jiri,
I really like the idea of having a script that validates the configuration.
I haven't run the script so I'm only looking at the code but it looks like
the script is reporting specific output for all the items that are right but
a generic message when something is wrong. I note a few instances inline below.
It seems like it would be more helpful if we issue specific messages for the
things that are wrong.
Am I reading the script right?
Thanks,
-- ljk
On 08/21/13 12:21, Jiri Jaburek wrote:
> The idea is to catch various configuration or setup errors
> and give useful hints, so that the user doesn't have to debug
> the system/suite to find out what could possibly go wrong.
>
> This script is not supposed to replace or duplicate functionality
> provided by the suite itself, it should be only used for basic sanity
> verification of the environment. It doesn't claim to reveal all
> configuration errors, but it can still be useful.
>
> Because of the reasons mentioned above, running this script
> is purely optional.
>
> Signed-off-by: Jiri Jaburek <jja...@re...>
> ---
> audit-test/Makefile | 6 +
> audit-test/README.run | 6 +
> audit-test/utils/envcheck | 425 ++++++++++++++++++++++++++++++++++++++++++++++
> 3 files changed, 437 insertions(+)
> create mode 100755 audit-test/utils/envcheck
>
> diff --git a/audit-test/Makefile b/audit-test/Makefile
> index c8e6477..28a80af 100644
> --- a/audit-test/Makefile
> +++ b/audit-test/Makefile
> @@ -124,3 +124,9 @@ policy:
> netconfig:
> cd network/system && $(MAKE) install
> cd utils/network-server && $(MAKE) install
> +
> +.PHONY: envcheck
> +envcheck:
> + @$(check_set_PPROFILE); \
> + $(check_set_PASSWD);
> + utils/envcheck
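Review bot: the recipe continues `$(check_set_PPROFILE); \` into `$(check_set_PASSWD);` but `utils/envcheck` is a separate recipe line, so it runs in a fresh shell and whatever those two macros set or export is not visible to it; `check_variables` in envcheck will then report PPROFILE or PASSWD as missing even though the Makefile just derived them. Continue the line (`$(check_set_PASSWD); \` followed by `utils/envcheck`) or export the values explicitly before invoking the script.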
> diff --git a/audit-test/README.run b/audit-test/README.run
> index 276364c..d9311bd 100644
> --- a/audit-test/README.run
> +++ b/audit-test/README.run
> @@ -265,6 +265,12 @@ environment variables:
> Verify that the time on the test system is synchronized with the time
> on the network test server.
>
> +As an additional sanity check, you can run:
> +
> +# make envcheck
> +or
> +# make envcheck | less -R
> +
> Run the tests
> -------------
>
> diff --git a/audit-test/utils/envcheck b/audit-test/utils/envcheck
> new file mode 100755
> index 0000000..5b79b35
> --- /dev/null
> +++ b/audit-test/utils/envcheck
> @@ -0,0 +1,425 @@
> +#!/bin/bash
> +###############################################################################
> +# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
> +#
> +# This copyrighted material is made available to anyone wishing
> +# to use, modify, copy, or redistribute it subject to the terms
> +# and conditions of the GNU General Public License version 2.
> +#
> +# This program is distributed in the hope that it will be
> +# useful, but WITHOUT ANY WARRANTY; without even the implied
> +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
> +# PURPOSE. See the GNU General Public License for more details.
> +#
> +# You should have received a copy of the GNU General Public
> +# License along with this program; if not, write to the Free
> +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
> +# Boston, MA 02110-1301, USA.
> +###############################################################################
> +#
> +# AUTHOR: Jiri Jaburek <jja...@re...>
> +#
> +# This script checks whether the environment on TOE and NS has all
> +# the prerequisities for audit-test suite run met.
> +# This ranges from initial environment variable checking to ensuring proper
> +# routing between TOE and NS.
> +
> +## COLORS
> +#
> +# attributes:
> +# 0=none, 1=bold, 4=underscore, 5=blink, 7=reverse, 8=concealed
> +#
> +# text/foreground:
> +# 30=black, 31=red, 32=green, 33=yellow, 34=blue, 35=magenta, 36=cyan, 37=white
> +#
> +# background:
> +# 40=black, 41=red, 42=green, 43=yellow, 44=blue, 45=magenta, 46=cyan, 47=white
> +#
> +# format:
> +# \e[<code>[;<code2>]m
> +# ie.:
> +# echo -e '\e[1;4;31;43mred bold underlined text on yellow background\e[0m'
> +##
> +
> +# run a given command to verify/check something
> +# $1 = command with arguments
> +# $2 = expected exit code (leave empty if irrelevant)
> +# $3 = optional cmd text to show instead of $1
> +# returns the command's exit code
> +# and sets CHECK_FAILED var to nonempty value upon fail
> +check()
> +{
> + [ $# -lt 1 ] && return 1
> + [ $# -ge 2 ] && cmpret="$2" || cmpret=0
> + [ $# -ge 3 ] && msg="$3" || msg=
> +
> + # echo initial msg
> + if [ "$msg" ]; then
> + echo -ne "\e[1m$msg\e[0m ..."
> + else
> + echo -ne "> \e[1m$1\e[0m ..."
> + fi
> +
> + # run cmd, capture stderr
> + out=$(eval "$1" 2>&1)
> +
> + # show result
> + ret=$?
> + if [ -z "$cmpret" ]; then
> + # ignored
> + echo -e "\e[1;34mignored\e[0m"
> + elif [ "$cmpret" -eq $ret ]; then
> + # pass
> + echo -e "\e[1;32mpassed\e[0m"
> + else
> + if [ "$WARNONLY" ]; then
> + # warn
> + echo -e "\e[1;33mwarn\e[0m"
> + [ "$out" ] && echo "$out"
> + else
> + # fail
> + echo -e "\e[1;31mfailed\e[0m"
> + [ "$out" ] && echo "$out"
> + CHECK_FAILED=1
> + fi
> + fi
> +
> + return $ret
> +}
> +
> +
> +### EXAMPLE
> +#check "sleep 2" # pass
> +#WARNONLY=1 check "sleep 0.5" # pass
> +#WARNONLY=1 check "sleep 0,5" # warn
> +#check "sleep abcd" 0 "running sleep abcd" # fail with msg
> +#check "sleep -2" '' # ignored result
> +
> +
> +AUDITDIR="/usr/local/eal4_testing"
> +
> +
> +### VARIABLES
> +check_variables() {
> + local CHECK_FAILED
> + local vars
> +
> + # basic variables
> + vars="DISTRO MODE PPROFILE PASSWD"
> + #vars="PASSWD"
> +
> + for i in $vars; do
> + check "env | grep \"^$i=\"" 0 "Var $i is present in environment"
> + done;
> +
> + # sanity PPROFILE check
> + check "[ \"$PPROFILE\" = \"capp\" -o \"$PPROFILE\" = \"lspp\" ]" 0 \
> + "Var PPROFILE is either capp or lspp"
> +
> + [ -z "$CHECK_FAILED" ] && check_variables_ok_nonet=1
> +
> + # networking variables
> + vars="LOCAL_DEV LOCAL_IPV4 LOCAL_IPV6"
> + vars="$vars LOCAL_SEC_MAC LOCAL_SEC_IPV4 LOCAL_SEC_IPV6 BRIDGE_FILTER"
> + vars="$vars LBLNET_SVR_IPV4 LBLNET_SVR_IPV6"
> + vars="$vars SECNET_SVR_MAC SECNET_SVR_IPV4 SECNET_SVR_IPV6"
> +
> + for i in $vars; do
> + check "env | grep \"^$i=\"" 0 "Var $i is present in environment"
> + done;
It looks like it displays a message for each env variable that is set.
Do they also get a message if an env variable is not set? Or do they
just get the generic message that the check failed below? It would
be nice if we tell them specifically which ones are missing.
> +
> + # s390x / ppc64 check? (ARCH variable)
> +
> + if [ "$CHECK_FAILED" ]; then
> + echo
> + echo "Variable checking failed, please make sure to export all required"
> + echo "environment variables specified in README.run."
> + echo "Also make sure the networking variables are set according"
> + echo "to README.netfilter."
> + return 1
> + else
> + check_variables_ok=1
> + fi
> +}
> +
> +
> +### USER SESSION
> +check_user_session() {
> + local CHECK_FAILED
> +
> + # requires for this check
> + [ "$check_variables_ok_nonet" ] || return 2
> +
> + check "[ \"$(whoami)\" = \"root\" ]" 0 \
> + "Logged in as root"
> + check "[ -z \"$(faillock | grep -v '^\([^ ]*:\|When\)')\" ]" 0 \
> + "Faillock is empty"
> + check "[ ! -e \"$HOME/.ssh/id_rsa\" ]" 0 \
> + "~/.ssh/id_rsa doesn't exist (testsuite reasons)"
> +
> + [ "$PPROFILE" = "lspp" ] && \
> + check "[ \"$(id -Z)\" = \"staff_u:lspp_test_r:lspp_harness_t:SystemLow-SystemHigh\" ]" 0 \
> + "id -Z is staff_u:lspp_test_r:lspp_harness_t:SystemLow-SystemHigh"
> +
> + check "[ \"$(pwd)\" = \"/usr/local/eal4_testing/audit-test\" ]" 0 \
> + "\$(pwd) is /usr/local/eal4_testing/audit-test"
Same comment here. If the checks fail, do we tell them that they're not in
/usr/local/eal4_testing/audit-test?
> +
> + if [ "$CHECK_FAILED" ]; then
> + echo
> + echo "User session checking failed, please make sure the system"
> + echo "is in evaluated configuration, double check whether all steps"
> + echo "required by README.run have been performed."
> + return 1
> + else
> + check_user_session_ok=1
> + fi
> +}
> +
> +
> +### SUITE LOCATION
> +check_suite_loc() {
> + local CHECK_FAILED
> +
> + # requires for this check
> + [ "$AUDITDIR" ] || return 2
> +
> + check "[ -d \"$AUDITDIR\" ]"
> + check "[ -d \"$AUDITDIR/audit-test\" ]"
> + check "[ -d \"$AUDITDIR/ltp\" ]"
> + #DIRS="audit-remote audit-tools audit-trail-protection crypto docs fail-safe filter kvm kvm-cgroups kvm-iommu libpam misc netfilebt netfilter network syscalls trustedprograms utils"
> + #for i in $DIRS; do
> + # check "[ -d \"$AUDITDIR/audit-test/$i\" ]"
> + #done;
> +
> + [ -d "$AUDITDIR" ] && \
> + check "[ \"$(stat --format=%a "$AUDITDIR")\" = \"755\" ]" 0 "$AUDITDIR has mode 755"
> +
> + if [ "$CHECK_FAILED" ]; then
> + echo
> + echo "Suite not found or incorrectly installed at $AUDITDIR."
> + echo "This is important because of the hardcoded paths in the testing policy."
> + echo "Please install/extract the suite according to README.run."
> + return 1
> + else
> + check_suite_loc_ok=1
> + fi
> +}
> +
> +
> +### NETWORKING - interfaces
> +check_networking_if() {
> + local CHECK_FAILED
> +
> + # requires for this check
> + [ "$check_variables_ok" ] || return 2
> +
> + # interface checks
> + check "ip -o link show dev $LOCAL_DEV" 0 \
> + "Device $LOCAL_DEV exists"
> + check "ip -o link show dev $LOCAL_SEC_DEV" 0 \
> + "Device $LOCAL_SEC_DEV exists"
> + check "ip -o link show dev $BRIDGE_FILTER" 0 \
> + "Device $BRIDGE_FILTER exists"
> + check "brctl show $BRIDGE_FILTER | grep $LOCAL_SEC_DEV" 0 \
> + "Device $LOCAL_SEC_DEV is enslaved in bridge $BRIDGE_FILTER"
> +
> + check "ip -o -4 addr show dev $LOCAL_DEV | grep \"$LOCAL_IPV4\"" 0 \
> + "Device $LOCAL_DEV has IPv4 address: $LOCAL_IPV4"
> + check "ip -o -6 addr show dev $LOCAL_DEV | grep \"$LOCAL_IPV6\"" 0 \
> + "Device $LOCAL_DEV has IPv6 address: $LOCAL_IPV6"
> + check "ip -o link show dev $BRIDGE_FILTER | grep \"$(sed 's/\(.*\)/\L\1/' <<<$LOCAL_SEC_MAC)\"" 0 \
> + "Device $BRIDGE_FILTER has MAC address: $LOCAL_SEC_MAC"
> + check "ip -o -4 addr show dev $BRIDGE_FILTER | grep \"$LOCAL_SEC_IPV4\"" 0 \
> + "Device $BRIDGE_FILTER has IPv4 address: $LOCAL_SEC_IPV4"
> + check "ip -o -6 addr show dev $BRIDGE_FILTER | grep \"$LOCAL_SEC_IPV6\"" 0 \
> + "Device $BRIDGE_FILTER has IPv6 address: $LOCAL_SEC_IPV6"
> +
> + check "ip -o -6 addr show dev $LOCAL_DEV | grep \"$LOCAL_IPV6\" | grep -v deprecated" 0 \
> + "IPv6 address $LOCAL_IPV6 on $LOCAL_DEV is not deprecated"
> + check "ip -o -6 addr show dev $BRIDGE_FILTER | grep \"$LOCAL_SEC_IPV6\" | grep -v deprecated" 0 \
> + "IPv6 address $LOCAL_SEC_IPV6 on $BRIDGE_FILTER is not deprecated"
> +
> + if [ "$CHECK_FAILED" ]; then
> + echo
> + echo "Network interfaces are not configured correctly."
> + echo "Make sure the networking is set according to README.netfilter"
> + echo "(including the bridge) and that all addresses assigned to"
> + echo "network interfaces match those exported in env variables."
> + return 1
> + else
> + check_networking_if_ok=1
> + fi
> +}
> +
> +
> +### NETWORKING - probe
> +check_networking_probe() {
> + local CHECK_FAILED
> +
> + # requires for this check
> + [ "$check_variables_ok" -a "$check_networking_if_ok" ] || return 2
> +
> + check "ping -I lo -q -c1 127.0.0.1" 0 \
> + "127.0.0.1 reachable via lo"
> + check "ping6 -I lo -q -c1 ::1" 0 \
> + "::1 reachable via lo"
> + check "ping -I $LOCAL_DEV -q -c1 $LBLNET_SVR_IPV4" 0 \
> + "$LBLNET_SVR_IPV4 reachable via $LOCAL_DEV"
> + check "ping6 -I $LOCAL_DEV -q -c1 $LBLNET_SVR_IPV6" 0 \
> + "$LBLNET_SVR_IPV6 reachable via $LOCAL_DEV"
> + check "ping -I $BRIDGE_FILTER -q -c1 $SECNET_SVR_IPV4" 0 \
> + "$SECNET_SVR_IPV4 reachable via $BRIDGE_FILTER"
> + check "ping6 -I $BRIDGE_FILTER -q -c1 $SECNET_SVR_IPV6" 0 \
> + "$SECNET_SVR_IPV6 reachable via $BRIDGE_FILTER"
> +
> + check "nc $LOCAL_IPV4 4000 <<<\"echo:testme;\" | grep -a testme" 0 \
> + "lblnet_tst_server on TOE responds over unlabeled IPv4"
> + check "nc $LOCAL_IPV6 4000 <<<\"echo:testme;\" | grep -a testme" 0 \
> + "lblnet_tst_server on TOE responds over unlabeled IPv6"
> + check "nc $LBLNET_SVR_IPV4 4000 <<<\"echo:testme;\" | grep -a testme" 0 \
> + "lblnet_tst_server on NS responds over unlabeled IPv4"
> + check "nc $LBLNET_SVR_IPV6 4000 <<<\"echo:testme;\" | grep -a testme" 0 \
> + "lblnet_tst_server on NS responds over unlabeled IPv6"
> +
> + if [ "$CHECK_FAILED" ]; then
> + echo
> + echo "Some services on the NS are not reachable."
> + echo "Make sure the NS is configured correctly and reachable"
> + echo "via the interfaces and addresses exported as env variables."
> + return 1
> + else
> + check_networking_probe_ok=1
> + fi
> +}
> +
> +
> +### SERVICES
> +check_services() {
> + local CHECK_FAILED
> +
> + # requires for this check
> + [ "$check_variables_ok" ] || return 2
> +
> + local daem daems
> + daems="auditd rsyslogd mcstransd"
> + [ "$PPROFILE" = "lspp" ] && daems="$daems xinetd pluto"
> + for daem in $daems; do
> + check "pidof \"$daem\"" 0 \
> + "daemon \"$daem\" is running"
> + done;
> +
> + if [ "$PPROFILE" = "lspp" ]; then
> + check "[ \"$(cat /proc/sys/net/ipv4/conf/lo/disable_xfrm)\" = \"0\" ]" 0 \
> + "ipsec: XFRM is not disabled on loopback"
> + check "[ \"$(cat /proc/sys/net/ipv4/conf/lo/disable_policy)\" = \"0\" ]" 0 \
> + "ipsec: XFRM policy is not disabled on loopback"
> +
> + check "[ \"$(ip xfrm policy list)\" ]" 0 \
> + "ipsec: XFRM policy is not empty"
> + check "[ -z \"$(ip xfrm state list)\" ]" 0 \
> + "ipsec: XFRM state / association database is empty"
> +
> + local addr
> + for addr in "$LOCAL_IPV4" "$LOCAL_IPV6" "127.0.0.1" "::1"; do
> + check "grep \"left=$addr\" /etc/ipsec.conf" 0 \
> + "ipsec.conf contains left=$addr"
> + done;
> + for addr in "$LBLNET_SVR_IPV4" "$LBLNET_SVR_IPV6" "127.0.0.1" "::1"; do
> + check "grep \"right=$addr\" /etc/ipsec.conf" 0 \
> + "ipsec.conf contains right=$addr"
> + done;
> + check "egrep -n \"(right|left)=[ \t]*$\" /etc/ipsec.conf" 1 \
> + "ipsec.conf doesn't contain empty left= or right="
> +
> + check "netlabelctl map list | grep \"lspp_test_netlabel_t\"" 0 \
> + "netlabel: lspp_test_netlabel_t mapping present"
> + fi
> +
> + if [ "$CHECK_FAILED" ]; then
> + echo
> + echo "Services check failed - either one or more essential daemons are"
> + echo "not running or service-related files are not set up correctly."
> + echo "Please make sure you have gone through all required steps"
> + echo "described in README.run."
> + return 1
> + else
> + check_services_ok=1
> + fi
> +
> +}
> +
> +
> +### KVM
> +check_kvm() {
> + local CHECK_FAILED
> +
> + # requires for this check
> + [ "$AUDITDIR" -a "$check_suite_loc_ok" ] || return 2
> + [ "$(uname -m)" = "x86_64" ] || {
> + echo "KVM tests not supported on $(uname -m) architecture"
> + return 2
> + }
> +
> + check "[ -d \"$AUDITDIR/audit-test/kvm\" ]"
> + check "[ -f \"$AUDITDIR/audit-test/kvm/config.bash\" ]"
> + check "grep '^install_media' \"$AUDITDIR/audit-test/kvm/config.bash\"" 0 \
> + "install_media specified in kvm config"
> + check "grep '\(vmx\|svm\)' /proc/cpuinfo" 0 \
> + "Host cpu has HW virt support"
> +
> + check "grep '^usb_device_id' \"$AUDITDIR/audit-test/kvm-iommu/usb_device.conf\" | grep -v XXXX:XXXX" 0 \
> + "usb_device_id specified in kvm-iommu/usb_device.conf"
> + check "grep '^pci_device_id' \"$AUDITDIR/audit-test/kvm-iommu/pci_device.conf\" | grep -v XXXX:XX:XX.X" '' \
> + "pci_device_id specified in kvm-iommu/pci_device.conf"
> +
> + if [ "$CHECK_FAILED" ]; then
> + echo
> + echo "KVM sanity check failed - make sure you have the hardware with"
> + echo "HW virtualization support and that you have configured the kvm"
> + echo "test bucket in kvm/config.bash (install_media at least)."
> + return 1
> + else
> + check_kvm_ok=1
> + fi
> +}
> +
> +### END
> +
> +# checks to be run, ordering is important
> +CHECKS="
> +check_variables
> +check_user_session
> +check_suite_loc
> +check_networking_if
> +check_networking_probe
> +check_services
> +check_kvm
> +"
> +
> +fails=0
> +skips=0
> +for check in $CHECKS; do
> + echo "::::::::::::::::::::::::::::::::::::::::::"
> + echo -e "::: \e[1m$check\e[0m"
> + echo "::::::::::::::::::::::::::::::::::::::::::"
> + "$check"
> + case "$?" in
> + 1) fails=$((fails+1)) ;;
> + 2) echo "SKIPPED due to unmet dependencies"; skips=$((skips+1)) ;;
> + *) ;;
> + esac
> + echo
> +done;
> +
> +echo "=========================================="
> +echo -n "OVERALL: "
> +[ $fails -eq 0 ] && \
> + echo -ne "\e[1;32mPASSED\e[0m" || \
> + echo -ne "\e[1;31mFAILED\e[0m ($fails checks failed)"
> +[ $skips -eq 0 ] && \
> + echo ||
> + echo " ($skips checks skipped)"
> +
> +exit 0
> +
> +# vim: sts=4 sw=4 et :
>
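Review bot: `check` builds every command as a string and runs it with `eval "$1"` after the environment variables have already been expanded into that string (`check "ip -o link show dev $LOCAL_DEV"`, `check "grep \"left=$addr\" /etc/ipsec.conf"`), so a value containing shell metacharacters is executed as code, by a script that `check_user_session` confirms is running as root; pass the command as separate arguments and run `"$@"` instead of `eval`, or at least quote every expansion inside the strings. Smaller points: `check_networking_if` uses `$LOCAL_SEC_DEV`, which `check_variables` never lists as required, so an unset value is only caught indirectly by `ip` or `grep` complaining about a missing argument, with no hint that the variable is absent; `cmpret`, `msg`, `out` and `ret` in `check` are not `local`; and the script always ends with `exit 0`, so `make envcheck` succeeds even when `OVERALL: FAILED` was printed, which makes it useless as a gate (`exit $((fails > 0))` fixes that). On Linda's question: every `check` call prints its own `passed`/`failed` line with the variable name or path in the message, so the failing items are named individually; what the failure branch does not show is the value it actually found, which could be printed alongside `$out`.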
From: Jiri J. <jja...@re...> - 2013-08-21 16:24:51
From: Miroslav Vadkerti <mva...@re...>
In RHEL6.2 the unit attribute of the memory and currentMemory
elements is not recognized and the units used are always in KiB.
Previous commit 4a54cf0e broke this for RHEL6.2 and this patch
brings back the XML to compatibility through all RHEL6+ releases.
Signed-off-by: Miroslav Vadkerti <mva...@re...>
---
audit-test/kvm-cgroups/guest1-template.xml | 4 ++--
audit-test/kvm-iommu/guest1-template.xml | 4 ++--
audit-test/kvm-iommu/guest2-template.xml | 4 ++--
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/audit-test/kvm-cgroups/guest1-template.xml b/audit-test/kvm-cgroups/guest1-template.xml
index 6dbb057..7780fcf 100644
--- a/audit-test/kvm-cgroups/guest1-template.xml
+++ b/audit-test/kvm-cgroups/guest1-template.xml
@@ -1,7 +1,7 @@
<domain type='kvm'>
<name>guest1</name>
- <memory unit='MiB'>256</memory>
- <currentMemory unit='MiB'>256</currentMemory>
+ <memory unit='KiB'>262144</memory>
+ <currentMemory unit='KiB'>262144</currentMemory>
<vcpu>1</vcpu>
<os>
<type arch='x86_64'>hvm</type>
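Review bot: missing documentation in the template itself: the reason for writing 262144 KiB rather than 256 MiB lives only in this commit message, so the next person touching the file is likely to "clean it up" back to `unit='MiB'`. Suggest a short XML comment above `<memory>` (the same edit is repeated in the kvm-iommu guest1 and guest2 templates below), e.g. `<!-- keep KiB: the unit attribute is ignored on RHEL6.2 -->`.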
diff --git a/audit-test/kvm-iommu/guest1-template.xml b/audit-test/kvm-iommu/guest1-template.xml
index 7bb69e2..827d98e 100644
--- a/audit-test/kvm-iommu/guest1-template.xml
+++ b/audit-test/kvm-iommu/guest1-template.xml
@@ -1,7 +1,7 @@
<domain type='kvm'>
<name>guest1</name>
- <memory unit='MiB'>256</memory>
- <currentMemory unit='MiB'>256</currentMemory>
+ <memory unit='KiB'>262144</memory>
+ <currentMemory unit='KiB'>262144</currentMemory>
<vcpu>1</vcpu>
<os>
<type arch='x86_64'>hvm</type>
diff --git a/audit-test/kvm-iommu/guest2-template.xml b/audit-test/kvm-iommu/guest2-template.xml
index 9981f54..fcda695 100644
--- a/audit-test/kvm-iommu/guest2-template.xml
+++ b/audit-test/kvm-iommu/guest2-template.xml
@@ -1,7 +1,7 @@
<domain type='kvm'>
<name>guest2</name>
- <memory unit='MiB'>256</memory>
- <currentMemory unit='MiB'>256</currentMemory>
+ <memory unit='KiB'>262144</memory>
+ <currentMemory unit='KiB'>262144</currentMemory>
<vcpu>1</vcpu>
<os>
<type arch='x86_64'>hvm</type>
--
1.8.3.1

From: Jiri J. <jja...@re...> - 2013-08-21 16:24:38
This fixes the following warning:
WARNING - 32/64 bit syscall mismatch, you should specify an arch
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/filter/tests/test_auid.bash | 4 ++--
audit-test/filter/tests/test_dev_inode.bash | 8 ++++----
audit-test/filter/tests/test_success.bash | 2 +-
audit-test/filter/tests/test_syscall.bash | 2 +-
audit-test/filter/tests/test_type.bash | 4 ++--
5 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/audit-test/filter/tests/test_auid.bash b/audit-test/filter/tests/test_auid.bash
index 297ebbf..c165cf3 100755
--- a/audit-test/filter/tests/test_auid.bash
+++ b/audit-test/filter/tests/test_auid.bash
@@ -33,8 +33,8 @@ do_open_file $tmp1
augrok --seek=$log_mark "name==$tmp1" "auid==$user_auid" \
&& exit_error "Unexpected record found."
-auditctl -a exit,always -S open -F auid=$user_auid
-prepend_cleanup "auditctl -d exit,always -S open -F auid=$user_auid"
+auditctl -a exit,always -F arch=b$MODE -S open -F auid=$user_auid
+prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S open -F auid=$user_auid"
# audit log marker
log_mark=$(stat -c %s $audit_log)
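Review bot: `-F arch=b$MODE` is unconditional here (and in the other four files of this patch), so with MODE unset auditctl receives `-F arch=b`, rejects the rule, and the test then runs without any filter; the test_namespace.bash hunk elsewhere on this list guards the same thing with `${MODE:+-F arch=b$MODE}`. Suggest the same guard, or an explicit `[ -n "$MODE" ] || exit_error "MODE not set"` before the rules, so the failure is visible rather than silent.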
diff --git a/audit-test/filter/tests/test_dev_inode.bash b/audit-test/filter/tests/test_dev_inode.bash
index ae818c6..30ea580 100755
--- a/audit-test/filter/tests/test_dev_inode.bash
+++ b/audit-test/filter/tests/test_dev_inode.bash
@@ -34,12 +34,12 @@ minor=$((0x$minor))
event_obj=$(get_event_obj $1)
[[ $event_obj != $tmp1 ]] && prepend_cleanup "rm -f $event_obj"
-auditctl -a exit,always -S open -F key=$tmp1 -F inode=$inode \
- -F devmajor=$major -F devminor=$minor
+auditctl -a exit,always -F arch=b$MODE -S open -F key=$tmp1 \
+ -F inode=$inode -F devmajor=$major -F devminor=$minor
prepend_cleanup "
- auditctl -d exit,always -S open -F key=$tmp1 -F inode=$inode \
--F devmajor=$major -F devminor=$minor"
+auditctl -d exit,always -F arch=b$MODE -S open -F key=$tmp1 \
+ -F inode=$inode -F devmajor=$major -F devminor=$minor"
log_mark=$(stat -c %s $audit_log)
diff --git a/audit-test/filter/tests/test_success.bash b/audit-test/filter/tests/test_success.bash
index aa8d1b4..497959b 100755
--- a/audit-test/filter/tests/test_success.bash
+++ b/audit-test/filter/tests/test_success.bash
@@ -37,7 +37,7 @@ case $op in
;;
*) exit_fail "unknown test operation" ;;
esac
-filter_rule="exit,always -S open"
+filter_rule="exit,always -F arch=b$MODE -S open"
auditctl -a $filter_rule $filter_field
prepend_cleanup "auditctl -d $filter_rule $filter_field"
diff --git a/audit-test/filter/tests/test_syscall.bash b/audit-test/filter/tests/test_syscall.bash
index 3c96628..8159b92 100755
--- a/audit-test/filter/tests/test_syscall.bash
+++ b/audit-test/filter/tests/test_syscall.bash
@@ -27,7 +27,7 @@ syscall_num=$(augrok --resolve $syscall_name) \
op=$1
case $op in
- name) filter_rule="exit,always -S open" ;;
+ name) filter_rule="exit,always -F arch=b$MODE -S open" ;;
number) filter_rule="exit,always -S $syscall_num";;
*) exit_fail "unknown test operation" ;;
esac
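Review bot: the `number)` branch still builds `exit,always -S $syscall_num` without `-F arch=b$MODE`, so the "32/64 bit syscall mismatch" warning this patch is meant to remove will still be printed for that operation, and a bare syscall number is exactly the case where the arch matters, since the numbers differ between b32 and b64. Suggest adding `-F arch=b$MODE` to that rule as well.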
diff --git a/audit-test/filter/tests/test_type.bash b/audit-test/filter/tests/test_type.bash
index 4318428..16c63f4 100755
--- a/audit-test/filter/tests/test_type.bash
+++ b/audit-test/filter/tests/test_type.bash
@@ -29,8 +29,8 @@ source filter_functions.bash || exit 2
user_auid=$(cat /proc/self/loginuid)
# setup auditctl
-auditctl -a exit,always -S open -F auid=$user_auid
-prepend_cleanup "auditctl -d exit,always -S open -F auid=$user_auid"
+auditctl -a exit,always -F arch=b$MODE -S open -F auid=$user_auid
+prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S open -F auid=$user_auid"
# audit log marker
log_mark=$(stat -c %s $audit_log)
--
1.8.3.1

From: Jiri J. <jja...@re...> - 2013-08-21 16:24:27
From: Miroslav Vadkerti <mva...@re...>
This patch enhances the detection of a clear screen after locking
an idle screen session.
Signed-off-by: Miroslav Vadkerti <mva...@re...>
---
.../trustedprograms/tests/test_screen_locking.bash | 2 +-
.../trustedprograms/tests/tp_screen_functions.bash | 26 +++++++++++++---------
2 files changed, 16 insertions(+), 12 deletions(-)
diff --git a/audit-test/trustedprograms/tests/test_screen_locking.bash b/audit-test/trustedprograms/tests/test_screen_locking.bash
index 5e86dc7..ba4c69d 100755
--- a/audit-test/trustedprograms/tests/test_screen_locking.bash
+++ b/audit-test/trustedprograms/tests/test_screen_locking.bash
@@ -85,7 +85,7 @@ screen_check_badpass $TEST_USER $TEST_USER_PASSWD 2 || exit_fail \
# check if
# + escape sequence for clearing the screen sent if screen locked
# + kernel boot options contain "no-scroll" and "fbcon=scrollback:0"
-screen_check_clear $TEST_USER $TEST_USER_PASSWD 2 || exit_fail \
+screen_check_clear $TEST_USER $TEST_USER_PASSWD 5 || exit_fail \
"screen clear before locking failed ($?)"
# checks if
diff --git a/audit-test/trustedprograms/tests/tp_screen_functions.bash b/audit-test/trustedprograms/tests/tp_screen_functions.bash
index 853e1d6..c28f363 100644
--- a/audit-test/trustedprograms/tests/tp_screen_functions.bash
+++ b/audit-test/trustedprograms/tests/tp_screen_functions.bash
@@ -182,13 +182,13 @@ function screen_check_clear {
# To check you terminal type use the command
# echo $TERM
#
+ prepend_cleanup "rm -f $EXPSCRIPT"
cat > $EXPSCRIPT << EOT
set timeout $(($3+1))
spawn screen $4
-expect {
- -re ".*\\x1b\\x5c\\x5b\\x48\\x1b\\x5c\\x5b\\x4a.*" { send -- $2\r }
- -re ".*\\x1b\\x5c\\x5b\\x48\\x1b\\x5c\\x5b\\x32\\x4a.*" { send -- $2\r }
- default { exit 1 }
+expect {$1} {
+ sleep 4
+ send { send -- $2\r }
}
expect {
{$1} { send -- exit\r }
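Review bot: `send { send -- $2\r }` in the new expect body looks wrong: with the braces, expect transmits the literal text `send -- <password>\r` (a backslash and an r, not a carriage return) rather than the password followed by Enter. The intended line is presumably `send -- $2\r`, as on the removed lines. Note also that the removed branch only typed once the clear-screen escape sequence had been seen, whereas the new body types after a fixed `sleep 4` regardless of what screen printed, so the detection now rests entirely on the CLRCNT count in the next hunk.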
@@ -200,16 +200,20 @@ EOT
# run the expect script as user
chown ${1}:$1 $EXPSCRIPT
- /bin/su - -c "expect $EXPSCRIPT" $1
- RET=$?
+ EXPOUT=$(mktemp)
+ prepend_cleanup "rm -f $EXPOUT"
+ /bin/su - -c "expect $EXPSCRIPT" $1 &> $EXPOUT
+ hexdump -C $EXPOUT
+ # count the number of lines with clear screen
+ # screen should clear the screen 2 times after running
+ # and once after locking the screen
+ CLRCNT=$(cat $EXPOUT | xxd -p | tr -d '\n' | grep -o "$(clear | xxd -p)" | wc -l)
+ [ "$CLRCNT" -eq 3 ] && RET=0 || RET=1
# check if kernel cmdline contains required options for
# disabling framebuffer scrolling
- grep "no-scroll" /proc/cmdline || RET=4
- grep "fbcon=scrollback:0" /proc/cmdline || RET=5
-
- # remove the expect script
- rm -f $EXPSCRIPT
+ grep "no-scroll" /proc/cmdline || RET=2
+ grep "fbcon=scrollback:0" /proc/cmdline || RET=3
return $RET
}
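Review bot: the two `/proc/cmdline` greps overwrite RET, so a clear-count failure (RET=1) is masked whenever either grep fails and the caller only ever sees the last failure; consider collecting the codes (e.g. test in reverse priority, or `RET=$((RET | 2))`) so the message at the call site stays accurate. Second, `hexdump -C $EXPOUT` dumps the whole captured session into the test log on every run, passing ones included; suggest doing that only when `"$CLRCNT" -ne 3`. Minor: `cat $EXPOUT | xxd -p` can simply be `xxd -p $EXPOUT`.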
--
1.8.3.1

From: Jiri J. <jja...@re...> - 2013-08-21 16:24:15
From: Miroslav Vadkerti <mva...@re...>
In recent RHEL7 kernel changes the loginuid call fails with
pam_loginuid where the loginuid is already set in the session.
This fix temporarily disables pam_loginuid in /etc/pam.d/login
as a workaround. This has no effect on the testing purpose of
this test.
The check for auid in augrok is not needed for this test.
The loginuid remains unchanged because of this workaround.
Signed-off-by: Miroslav Vadkerti <mva...@re...>
---
audit-test/libpam/tests/test_login.bash | 4 ++++
audit-test/libpam/tests/test_mls_default_login.bash | 9 +++++++--
audit-test/libpam/tests/test_mls_level_login.bash | 9 +++++++--
audit-test/libpam/tests/test_mls_level_login_fail.bash | 14 +++++++++++---
audit-test/libpam/tests/test_namespace.bash | 9 +++++++--
audit-test/trustedprograms/tests/test_lpq.bash | 5 +++++
6 files changed, 41 insertions(+), 9 deletions(-)
diff --git a/audit-test/libpam/tests/test_login.bash b/audit-test/libpam/tests/test_login.bash
index 3d05afa..d834900 100755
--- a/audit-test/libpam/tests/test_login.bash
+++ b/audit-test/libpam/tests/test_login.bash
@@ -26,7 +26,11 @@ chmod 666 $localtmp
# turn off screen in /etc/profile
backup /etc/profile
+backup /etc/pam.d/login
sed -i 's/\[ -w $(tty) \]/false/' /etc/profile
+# In RHEL7 the pam_loginuid fails if loginuid already set
+# for the purpose of this test we disable it temporarily
+sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
# if in LSPP mode, map the TEST_USER to staff_u
if [[ $PPROFILE == "lspp" ]]; then
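Review bot: the `backup /etc/pam.d/login` plus `sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login` pair is copied verbatim into six test scripts in this patch. Suggest a single helper in the shared audit-test/utils/functions.bash (e.g. `disable_pam_loginuid`) so the workaround can be made conditional on the release, or removed, in one place once the kernel behaviour settles. Minor: the `\#` in the replacement is an unnecessary escape; a plain `#` does the same.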
diff --git a/audit-test/libpam/tests/test_mls_default_login.bash b/audit-test/libpam/tests/test_mls_default_login.bash
index 6fca015..ac7f2b7 100755
--- a/audit-test/libpam/tests/test_mls_default_login.bash
+++ b/audit-test/libpam/tests/test_mls_default_login.bash
@@ -44,6 +44,11 @@ fi
# use backup (and automatic restore) to work around this
backup /var/run/utmp
+# In RHEL7 the pam_loginuid fails if loginuid already set
+# for the purpose of this test we disable it temporarily
+backup /etc/pam.d/login
+sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
+
# test
(
export localtmp
@@ -63,11 +68,11 @@ pts=${pts##*/}
msg_1="acct=\"*$TEST_USER\"* exe=.(/usr)?/bin/login.* terminal=pts/$pts res=success.*"
augrok -q type=USER_AUTH msg_1=~"PAM:authentication $msg_1" || exit_fail
augrok -q type=USER_ACCT msg_1=~"PAM:accounting $msg_1" || exit_fail
-augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
+augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" \
subj=$login_context || exit_fail
# Check for ROLE_ASSIGN event for testuser
augrok -q type=ROLE_ASSIGN msg_1=~"op=login-sename,role,range acct=\"$TEST_USER\" old-seuser=user_u old-role=user_r old-range=s0 new-seuser=staff_u new-role=auditadm_r,staff_r,lspp_test_r,secadm_r,sysadm_r new-range=$def_range" || exit_fail "ROLE_ASSIGN event does not match"
# Check for USER_ROLE_CHANGE for login command
-augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$def_context.*exe=.(/usr)?/bin/login.* terminal=pts/$pts res=success.*" auid=$auid || exit_fail "USER_ROLE_CHANGE does not match"
+augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$def_context.*exe=.(/usr)?/bin/login.* terminal=pts/$pts res=success.*" || exit_fail "USER_ROLE_CHANGE does not match"
exit_pass
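Review bot: dropping `auid=$auid` from the USER_START and USER_ROLE_CHANGE matches loosens them to any loginuid instead of adjusting them. The commit message says the loginuid is left unchanged once pam_loginuid is disabled, so the records should carry the caller's loginuid; matching on that value (test_type.bash reads it with `cat /proc/self/loginuid`) would keep the check as tight as before. The same applies to the other augrok changes in this series.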
diff --git a/audit-test/libpam/tests/test_mls_level_login.bash b/audit-test/libpam/tests/test_mls_level_login.bash
index 436bcda..063647f 100755
--- a/audit-test/libpam/tests/test_mls_level_login.bash
+++ b/audit-test/libpam/tests/test_mls_level_login.bash
@@ -42,6 +42,11 @@ fi
# use backup (and automatic restore) to work around this
backup /var/run/utmp
+# In RHEL7 the pam_loginuid fails if loginuid already set
+# for the purpose of this test we disable it temporarily
+backup /etc/pam.d/login
+sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
+
# test
(
export localtmp
@@ -68,7 +73,7 @@ fi
msg_1="acct=\"*$TEST_USER\"* exe=.(/usr)?/bin/login.* res=success.*"
augrok -q type=USER_AUTH msg_1=~"PAM:authentication $msg_1" || exit_fail
augrok -q type=USER_ACCT msg_1=~"PAM:accounting $msg_1" || exit_fail
-augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
+augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" \
subj=$login_context || exit_fail
-augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=success.*" auid=$auid || exit_fail
+augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=success.*" || exit_fail
exit_pass
diff --git a/audit-test/libpam/tests/test_mls_level_login_fail.bash b/audit-test/libpam/tests/test_mls_level_login_fail.bash
index 92562f9..ba04604 100755
--- a/audit-test/libpam/tests/test_mls_level_login_fail.bash
+++ b/audit-test/libpam/tests/test_mls_level_login_fail.bash
@@ -42,6 +42,11 @@ fi
# use backup (and automatic restore) to work around this
backup /var/run/utmp
+# In RHEL7 the pam_loginuid fails if loginuid already set
+# for the purpose of this test we disable it temporarily
+backup /etc/pam.d/login
+sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
+
# test
(
export localtmp
@@ -52,11 +57,14 @@ backup /var/run/utmp
expect -nocase {level} {send "Y\r"}
expect -nocase {role:} {send "\r"}
expect -nocase {level:} {send "s15\r"}
- expect -nocase {"authentication failure"} {close; wait}'
+ expect {
+ -nocase {"authentication failure"} {close; wait}
+ -nocase {"Cannot make/remove"} {close; wait}
+ }'
)
msg_1="acct=\"*$TEST_USER\"* exe=.(/usr)?/bin/login.* res=failed.*"
-augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
+augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" \
subj=$login_context || exit_fail
-augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=failed.*" auid=$auid || exit_fail
+augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=failed.*" || exit_fail
exit_pass
diff --git a/audit-test/libpam/tests/test_namespace.bash b/audit-test/libpam/tests/test_namespace.bash
index 6fb20da..6642350 100755
--- a/audit-test/libpam/tests/test_namespace.bash
+++ b/audit-test/libpam/tests/test_namespace.bash
@@ -59,6 +59,11 @@ backup /var/run/utmp
backup /etc/security/namespace.conf
echo "/tmp /tmp-parent/tmp-inst/ level root,adm" > /etc/security/namespace.conf
+# In RHEL7 the pam_loginuid fails if loginuid already set
+# for the purpose of this test we disable it temporarily
+backup /etc/pam.d/login
+sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
+
tmpinstdir=/tmp-parent/tmp-inst/
tmpnewfile=/tmp/newfile
@@ -87,7 +92,7 @@ auditctl -a entry,always ${MODE:+-F arch=b$MODE} -S open -F uid=$auid || \
)
# Check the path and context in the audit record.
augrok type==SYSCALL \
- subj=$s0_context auid=$auid success=yes \
+ subj=$s0_context success=yes \
name=$tmpnewfile obj=$s0_obj\
|| exit_fail "missing audit record"
@@ -110,7 +115,7 @@ log_mark=$(stat -c %s $audit_log)
# Check the path and context in the audit record.
augrok --seek=$log_mark type==SYSCALL \
- subj=$s2_context auid=$auid success=yes \
+ subj=$s2_context success=yes \
name=$tmpnewfile obj=$s2_obj\
|| exit_fail "missing audit record"
diff --git a/audit-test/trustedprograms/tests/test_lpq.bash b/audit-test/trustedprograms/tests/test_lpq.bash
index 0cbd45f..ee0f60d 100755
--- a/audit-test/trustedprograms/tests/test_lpq.bash
+++ b/audit-test/trustedprograms/tests/test_lpq.bash
@@ -50,6 +50,11 @@ backup /var/run/utmp
semanage login -a -s staff_u -r SystemLow-SystemHigh $TEST_USER || \
exit_error "unable to set $TEST_USER to staff_u"
+# In RHEL7 the pam_loginuid fails if loginuid already set
+# for the purpose of this test we disable it temporarily
+backup /etc/pam.d/login
+sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
+
# test
prepend_cleanup rm -f $CON1OUT $CON2OUT
runcon $LPQ1CON lpq -P $printer > $CON1OUT
--
1.8.3.1

From: Jiri J. <jja...@re...> - 2013-08-21 16:24:02
From: Miroslav Vadkerti <mva...@re...>
Due to the /bin->/usr/bin move these tests needed an update. They
are now backward compatible and accept login binary paths
for both RHEL6 and RHEL7.
Signed-off-by: Miroslav Vadkerti <mva...@re...>
---
audit-test/libpam/tests/test_mls_default_login.bash | 4 ++--
audit-test/libpam/tests/test_mls_level_login.bash | 4 ++--
audit-test/libpam/tests/test_mls_level_login_fail.bash | 4 ++--
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/audit-test/libpam/tests/test_mls_default_login.bash b/audit-test/libpam/tests/test_mls_default_login.bash
index d964446..6fca015 100755
--- a/audit-test/libpam/tests/test_mls_default_login.bash
+++ b/audit-test/libpam/tests/test_mls_default_login.bash
@@ -60,7 +60,7 @@ backup /var/run/utmp
pts=$(<$localtmp)
pts=${pts##*/}
-msg_1="acct=\"*$TEST_USER\"* exe=./bin/login.* terminal=pts/$pts res=success.*"
+msg_1="acct=\"*$TEST_USER\"* exe=.(/usr)?/bin/login.* terminal=pts/$pts res=success.*"
augrok -q type=USER_AUTH msg_1=~"PAM:authentication $msg_1" || exit_fail
augrok -q type=USER_ACCT msg_1=~"PAM:accounting $msg_1" || exit_fail
augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
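Review bot: style: the `.` before `(/usr)?` in `exe=.(/usr)?/bin/login` stands for the opening quote of `exe="..."` but matches any character; the same line already escapes the quote explicitly in `acct=\"*`, so `exe=\"(/usr)?/bin/login` would be both clearer and stricter. The same applies to the other two files in this patch.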
@@ -68,6 +68,6 @@ augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
# Check for ROLE_ASSIGN event for testuser
augrok -q type=ROLE_ASSIGN msg_1=~"op=login-sename,role,range acct=\"$TEST_USER\" old-seuser=user_u old-role=user_r old-range=s0 new-seuser=staff_u new-role=auditadm_r,staff_r,lspp_test_r,secadm_r,sysadm_r new-range=$def_range" || exit_fail "ROLE_ASSIGN event does not match"
# Check for USER_ROLE_CHANGE for login command
-augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$def_context.*exe=./bin/login.* terminal=pts/$pts res=success.*" auid=$auid || exit_fail "USER_ROLE_CHANGE does not match"
+augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$def_context.*exe=.(/usr)?/bin/login.* terminal=pts/$pts res=success.*" auid=$auid || exit_fail "USER_ROLE_CHANGE does not match"
exit_pass
diff --git a/audit-test/libpam/tests/test_mls_level_login.bash b/audit-test/libpam/tests/test_mls_level_login.bash
index dfc0fe0..436bcda 100755
--- a/audit-test/libpam/tests/test_mls_level_login.bash
+++ b/audit-test/libpam/tests/test_mls_level_login.bash
@@ -65,10 +65,10 @@ if [[ $sel_context != $sel_context2 ]]; then
exit_fail;
fi
-msg_1="acct=\"*$TEST_USER\"* exe=./bin/login.* res=success.*"
+msg_1="acct=\"*$TEST_USER\"* exe=.(/usr)?/bin/login.* res=success.*"
augrok -q type=USER_AUTH msg_1=~"PAM:authentication $msg_1" || exit_fail
augrok -q type=USER_ACCT msg_1=~"PAM:accounting $msg_1" || exit_fail
augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
subj=$login_context || exit_fail
-augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$sel_context.*exe=./bin/login.* res=success.*" auid=$auid || exit_fail
+augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=success.*" auid=$auid || exit_fail
exit_pass
diff --git a/audit-test/libpam/tests/test_mls_level_login_fail.bash b/audit-test/libpam/tests/test_mls_level_login_fail.bash
index bad9a54..92562f9 100755
--- a/audit-test/libpam/tests/test_mls_level_login_fail.bash
+++ b/audit-test/libpam/tests/test_mls_level_login_fail.bash
@@ -55,8 +55,8 @@ backup /var/run/utmp
expect -nocase {"authentication failure"} {close; wait}'
)
-msg_1="acct=\"*$TEST_USER\"* exe=./bin/login.* res=failed.*"
+msg_1="acct=\"*$TEST_USER\"* exe=.(/usr)?/bin/login.* res=failed.*"
augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
subj=$login_context || exit_fail
-augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$sel_context.*exe=./bin/login.* res=failed.*" auid=$auid || exit_fail
+augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=failed.*" auid=$auid || exit_fail
exit_pass
--
1.8.3.1

From: Jiri J. <jja...@re...> - 2013-08-21 16:23:51
The test description states that:
"Verify that the tar program preserves file security contexts."
and tar has an explicit option for that:
--selinux
Save the SELinux context to the archive.
This change fixes the test for RHEL7, but also makes sense for RHEL6.
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/misc/tests/test_tar.bash | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/audit-test/misc/tests/test_tar.bash b/audit-test/misc/tests/test_tar.bash
index 8ea8da9..7b2d735 100755
--- a/audit-test/misc/tests/test_tar.bash
+++ b/audit-test/misc/tests/test_tar.bash
@@ -56,7 +56,7 @@ chmod 744 $FILE_DIR/fileSecret || exit_fail
chcon -t bin_t -l Secret $FILE_DIR/fileSecret || exit_fail
# Pack up the files in the test_files directory
-tar cf $TAR_FILE --xattrs -H posix -C $FILE_DIR .
+tar cf $TAR_FILE --selinux -H posix -C $FILE_DIR .
# Verify the files were successfully packed
if [ $? != 0 ]; then
@@ -64,7 +64,7 @@ if [ $? != 0 ]; then
fi
# Unpack the files
-tar xvf $TAR_FILE --xattrs -C $EXTRACT_DIR
+tar xvf $TAR_FILE --selinux -C $EXTRACT_DIR
if [ $? != 0 ]; then
exit_error "Error unpacking tar archive"
fi
--
1.8.3.1

From: Jiri J. <jja...@re...> - 2013-08-21 16:23:38
From: Miroslav Vadkerti <mva...@re...>
The option --xattr is a typo. The correct option is --xattrs.
Signed-off-by: Miroslav Vadkerti <mva...@re...>
---
audit-test/audit-remote/tests/remote_call.bash | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/audit-test/audit-remote/tests/remote_call.bash b/audit-test/audit-remote/tests/remote_call.bash
index 3a6e7ad..77a4080 100755
--- a/audit-test/audit-remote/tests/remote_call.bash
+++ b/audit-test/audit-remote/tests/remote_call.bash
@@ -58,7 +58,7 @@ conf_backup="/tmp/audit_conf_backup.tgz"
# Configuration related functions
remote_audit_backup() {
- tar -cvz --xattr -f $conf_backup $audit_files
+ tar -cvz --xattrs -f $conf_backup $audit_files
}
# Configure NS to act as a server
--
1.8.3.1

From: Jiri J. <jja...@re...> - 2013-08-21 16:23:27
From: Miroslav Vadkerti <mva...@re...>
The new cryptsetup package changed the string that is asking
for LUKS password. The patch now expects a smaller string and
so accepts all previously used strings.
Signed-off-by: Miroslav Vadkerti <mva...@re...>
---
audit-test/utils/tp_luks_functions.bash | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/audit-test/utils/tp_luks_functions.bash b/audit-test/utils/tp_luks_functions.bash
index 3a1a928..34d594e 100644
--- a/audit-test/utils/tp_luks_functions.bash
+++ b/audit-test/utils/tp_luks_functions.bash
@@ -33,7 +33,7 @@ function create_luks {
set timeout $TIMEOUT
spawn cryptsetup luksFormat $LOOPDEV
expect {Are you sure} {send \"YES\r\"}
- expect {Enter LUKS} {send \"$1\r\"}
+ expect {Enter} {send \"$1\r\"}
expect {Verify} {send \"$1\r\"}
expect eof
"
--
1.8.3.1

From: Jiri J. <jja...@re...> - 2013-08-21 16:23:13
From: Miroslav Vadkerti <mva...@re...>
Starting from RHEL7 the default cipher mode for LUKS devices has
changed. The change is in conformance with the accepted ciphers in RHEL6
Security Target document.
Signed-off-by: Miroslav Vadkerti <mva...@re...>
---
audit-test/utils/tp_luks_functions.bash | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/audit-test/utils/tp_luks_functions.bash b/audit-test/utils/tp_luks_functions.bash
index 1099496..3a1a928 100644
--- a/audit-test/utils/tp_luks_functions.bash
+++ b/audit-test/utils/tp_luks_functions.bash
@@ -58,7 +58,7 @@ function check_luks {
# Check for correct parameters
egrep "Cipher name.*aes" $TMP || exit_fail "Failed check on cipher name"
- egrep "Cipher mode.*cbc-essiv:sha256" $TMP || \
+ egrep "Cipher mode.*(cbc-essiv:sha256|xts-plain64)" $TMP || \
exit_fail "Failed check on cipher mode"
egrep "Hash spec.*sha1" $TMP || exit_fail "Failed check on hash spec"
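Review bot: accepting `cbc-essiv:sha256|xts-plain64` unconditionally means a RHEL7 host that unexpectedly falls back to the old cbc-essiv default would still pass this check, which is the regression the test exists to catch. Since the suite already branches on the distro elsewhere (see the `$DISTRO` tests in libpam/run.conf in this series), consider selecting the single expected mode for the release under test rather than the alternation.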
--
1.8.3.1

From: Jiri J. <jja...@re...> - 2013-08-21 16:23:01
The old password were detected as dictionary ones by newer PAM versions, probably due to 'paSs' substring. Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/crypto/tests/test_cryptsetup_access.bash | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/audit-test/crypto/tests/test_cryptsetup_access.bash b/audit-test/crypto/tests/test_cryptsetup_access.bash index c41adef..af275e3 100755 --- a/audit-test/crypto/tests/test_cryptsetup_access.bash +++ b/audit-test/crypto/tests/test_cryptsetup_access.bash @@ -37,9 +37,9 @@ source tp_luks_functions.bash || exit 2 ### defaults DMCRYPT="cryptfs" DMCRYPTDEV="/dev/mapper/$DMCRYPT" -LUKSPASS="7k+paSs" -LUKSPASSND="2nd7k+paSs!!!" -LUKSPASSRD="paSs!!1444b_" +LUKSPASS="kc3%a9?cF]X" +LUKSPASSND="2nd7k+meSs!!!" +LUKSPASSRD="meSs!!1444b_" MOUNT="/mnt/crypt" ### functions -- 1.8.3.1 |
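Review bot: the replacement values `2nd7k+meSs!!!` and `meSs!!1444b_` keep the shape of the rejected ones with only `paSs` swapped for `meSs`; since the commit message attributes the rejection to a dictionary substring, `mess` is just as likely to be flagged by the same check. Suggest strings with no dictionary word at all, like the new `LUKSPASS` value `kc3%a9?cF]X`.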

From: Jiri J. <jja...@re...> - 2013-08-21 16:22:49
From: Miroslav Vadkerti <mva...@re...> In RHEL7 qemu_t became an alias to the svirt_t domain. This patch fixes expected AVC scontext because of this change. This change is backward compatible with RHEL6. Signed-off-by: Miroslav Vadkerti <mva...@re...> --- audit-test/kvm/test_selinux_chcon_resource.bash | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/audit-test/kvm/test_selinux_chcon_resource.bash b/audit-test/kvm/test_selinux_chcon_resource.bash index e9646d3..edf4517 100755 --- a/audit-test/kvm/test_selinux_chcon_resource.bash +++ b/audit-test/kvm/test_selinux_chcon_resource.bash @@ -64,7 +64,8 @@ for i in $(seq $first $last); do exit_fail fi - expression="type==AVC and extra_text=~denied and comm==runcon and scontext=~qemu_t" + # We need to check for svirt_t starting from RHEL7 too because qemu_t became an alias to it + expression="type==AVC and extra_text=~denied and comm==runcon and scontext=~(qemu_t|svirt_t)" if [[ $(augrok -c --seek $offset $expression) -eq 0 ]]; then exit_fail -- 1.8.3.1 |
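Review bot: `scontext=~(qemu_t|svirt_t)` is unanchored, so `svirt_t` also matches any type that merely starts with it (svirt_tcg_t, for instance). Anchoring on the context separators, `scontext=~:(qemu_t|svirt_t):`, keeps the check to the two intended domains.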

From: Jiri J. <jja...@re...> - 2013-08-21 16:22:35
From: Miroslav Vadkerti <mva...@re...> Starting from RHEL6.3 the clearpart --initlabel does not initialize devices. The zerombr command is needed for the installation to work with guests >= RHEL6.3. Signed-off-by: Miroslav Vadkerti <mva...@re...> --- audit-test/kvm/KVM-Guest-N-ks.cfg | 1 + 1 file changed, 1 insertion(+) diff --git a/audit-test/kvm/KVM-Guest-N-ks.cfg b/audit-test/kvm/KVM-Guest-N-ks.cfg index db11011..f54d1bf 100644 --- a/audit-test/kvm/KVM-Guest-N-ks.cfg +++ b/audit-test/kvm/KVM-Guest-N-ks.cfg @@ -32,6 +32,7 @@ poweroff for i in $(find /dev -regex '^/dev/\(hd\|sd\|vd\|xvd\)[a-z]+$' -print | sort); do dev=$(basename $i) echo "clearpart --all --drives=$dev --initlabel" > /tmp/part-include + echo "zerombr" >> /tmp/part-include echo "part /boot --fstype ext3 --size=100 --ondisk=$dev" >> /tmp/part-include echo "part pv.1 --size=1 --grow --ondisk=$dev" >> /tmp/part-include echo "volgroup VolGroup00 --pesize=32768 pv.1" >> /tmp/part-include -- 1.8.3.1 |

From: Jiri J. <jja...@re...> - 2013-08-21 16:22:25
From: Miroslav Vadkerti <mva...@re...>
For specifying USB passthrough device the USB bus and device numbers
need to be specified in the xml for RHEL7.
This change should be backward compatible.
Signed-off-by: Miroslav Vadkerti <mva...@re...>
---
audit-test/kvm-iommu/test_usb_passthrough.bash | 1 +
1 file changed, 1 insertion(+)
diff --git a/audit-test/kvm-iommu/test_usb_passthrough.bash b/audit-test/kvm-iommu/test_usb_passthrough.bash
index f3d0198..1d256a2 100755
--- a/audit-test/kvm-iommu/test_usb_passthrough.bash
+++ b/audit-test/kvm-iommu/test_usb_passthrough.bash
@@ -113,6 +113,7 @@ generate_usb_dev_file() {
<source>
<vendor id='0x$usb_vendor'/>
<product id='0x$usb_product'/>
+ <address bus='$usb_bus' device='$usb_device'/>
</source>
</hostdev>
EOX
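Review bot: `$usb_bus` and `$usb_device` are not defined in this hunk, so a reader of generate_usb_dev_file cannot tell where they come from; a comment naming their source (they are the same numbers as in the `/dev/bus/usb/$usb_bus/$usb_device` path that the removed check_usb_device used) would help. Also worth a note in the script: the device number changes whenever the device re-enumerates (replug or reset), so the XML has to be generated after the device has settled rather than cached between runs.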
--
1.8.3.1

From: Jiri J. <jja...@re...> - 2013-08-21 16:22:11
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/kvm-iommu/test_usb_passthrough.bash | 13 -------------
1 file changed, 13 deletions(-)
diff --git a/audit-test/kvm-iommu/test_usb_passthrough.bash b/audit-test/kvm-iommu/test_usb_passthrough.bash
index e9cf702..f3d0198 100755
--- a/audit-test/kvm-iommu/test_usb_passthrough.bash
+++ b/audit-test/kvm-iommu/test_usb_passthrough.bash
@@ -230,19 +230,6 @@ check_usb_device_dynamic() {
return $rc
}
-# Check if USB device has the owner and SELinux label
-# set to the host system and no guest
-check_usb_device() {
- local owner label
- owner=$(stat -c "%U:%G" /dev/bus/usb/$usb_bus/$usb_device)
- [ $owner != "qemu:qemu" ] && ((rc+=1))
-
- label=$(stat -c "%C" /dev/bus/usb/$usb_bus/$usb_device)
- echo $label | grep "svirt_image_t:s0:c50,c70" || ((rc+=1))
-
- return $rc
-}
-
# Check if USB device cannot be accessed by an rogue VM
# This test expects
rogue_usb_device_access() {
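Review bot: missing commit message: check_usb_device() is removed without saying why (dead code, or superseded by check_usb_device_dynamic(), which the context above shows?). A one-line justification would stop someone re-adding it; if the motive was the unguarded `rc` in the removed body (never initialised before `((rc+=1))` and `return $rc`), that is worth stating too.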
--
1.8.3.1

From: Jiri J. <jja...@re...> - 2013-08-21 16:21:59
This supplements commit d3e623abc0 by allowing an IPv6 version
of (IPv4) ARP, making discovery of IPv6:MAC possible on a link.
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/netfilebt/run.conf | 2 ++
1 file changed, 2 insertions(+)
diff --git a/audit-test/netfilebt/run.conf b/audit-test/netfilebt/run.conf
index 14318be..290bb5e 100644
--- a/audit-test/netfilebt/run.conf
+++ b/audit-test/netfilebt/run.conf
@@ -526,6 +526,8 @@ prepend_cleanup 'network_cleanup'
function ebtaudit_setup {
ebtables -A INPUT -p arp -j ACCEPT
+ebtables -A INPUT -p ipv6 --ip6-protocol ipv6-icmp --ip6-icmp-type neighbour-solicitation -j ACCEPT
+ebtables -A INPUT -p ipv6 --ip6-protocol ipv6-icmp --ip6-icmp-type neighbour-advertisement -j ACCEPT
ebtables -N AUDIT_DROP
ebtables -A AUDIT_DROP -j AUDIT --audit-type DROP
--
1.8.3.1

From: Jiri J. <jja...@re...> - 2013-08-21 16:21:47
From: Miroslav Vadkerti <mva...@re...> Tool netstat from net-tools package is in optional channel for RHEL7. We can use ss instead of it without big changes and it is from more standard iproute package. Signed-off-by: Miroslav Vadkerti <mva...@re...> --- audit-test/crypto/tests/test_ssh_sym.bash | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/audit-test/crypto/tests/test_ssh_sym.bash b/audit-test/crypto/tests/test_ssh_sym.bash index e713c98..0e89b6f 100755 --- a/audit-test/crypto/tests/test_ssh_sym.bash +++ b/audit-test/crypto/tests/test_ssh_sym.bash @@ -60,8 +60,8 @@ ssh_remove_screen $MPROFILE ssh_restart_daemon # get the pid of sshd process running on port 22 -SSHDPID=$(netstat -putna | grep ":22" | grep -m1 LISTEN | \ - sed 's/.*\(\b[0-9]\+\)\/sshd\b.*/\1/') +SSHDPID=$(ss -4 -ltnp | grep sshd | sed 's/.*sshd",\([0-9]\+\),.*/\1/') +[ -z "$SSHDPID" ] && exit_error "could not find sshd process pid" # check if SSH_USE_STRONG_RNG set in environemnt of the sshd process grep "SSH_USE_STRONG_RNG" /proc/$SSHDPID/environ -- 1.8.3.1 |
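Review bot: two robustness issues in the new pipeline. `grep sshd` replaces the old `grep ":22" | grep -m1 LISTEN` filter, so if sshd listens on more than one IPv4 socket `ss -4 -ltnp` prints several lines and `SSHDPID` becomes a newline-separated list, which then breaks `/proc/$SSHDPID/environ`; keep `-m1` (or `head -n1`) and the port filter. The `sed` also hard-codes the `"sshd",<pid>,<fd>` layout of the users: column; newer iproute2 prints `"sshd",pid=<pid>,fd=<fd>`, so `sshd",\(pid=\)\?\([0-9]\+\)` with `\2` would survive both formats. The added `[ -z "$SSHDPID" ]` guard is a good addition.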

From: Jiri J. <jja...@re...> - 2013-08-21 16:21:35
From: Miroslav Vadkerti <mva...@re...>
When DISTRO env var is not used an error occurs because of missing
double apostrophes in if statements.
Signed-off-by: Miroslav Vadkerti <mva...@re...>
---
audit-test/libpam/run.conf | 4 ++--
audit-test/libpam/tests/pam_functions.bash | 2 +-
audit-test/utils/functions.bash | 4 ++--
3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/audit-test/libpam/run.conf b/audit-test/libpam/run.conf
index 6f74c64..6e79aab 100644
--- a/audit-test/libpam/run.conf
+++ b/audit-test/libpam/run.conf
@@ -47,11 +47,11 @@ function run_test {
+ ssh04
+ ssh04_fail
-if [[ $DISTRO != "SUSE" ]] ; then
+if [[ "$DISTRO" != "SUSE" ]] ; then
+ pamfaillock_lock
+ pamfaillock_unlock
fi
-if [[ $DISTRO != "RHEL" ]] ; then
+if [[ "$DISTRO" != "RHEL" ]] ; then
+ vsftpd
+ vsftpd_fail
fi
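Review bot: the quoting in this hunk is harmless but is not what cures the reported error: `[[ ]]` does not word-split, so `[[ $DISTRO != "SUSE" ]]` already behaves with DISTRO unset; it is the single-bracket `[ $DISTRO = "SUSE" ]` tests in utils/functions.bash that fail. What does matter here is the behaviour with DISTRO empty: both `!= "SUSE"` and `!= "RHEL"` are true, so the pamfaillock tests and the vsftpd tests are all scheduled and one set fails for the wrong reason. Consider failing fast with a clear message when DISTRO is unset (e.g. `[[ -n $DISTRO ]] || die "DISTRO is not set"`, using the suite's die helper) instead of silently running both sets.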
diff --git a/audit-test/libpam/tests/pam_functions.bash b/audit-test/libpam/tests/pam_functions.bash
index 4cdf975..d44c2e8 100644
--- a/audit-test/libpam/tests/pam_functions.bash
+++ b/audit-test/libpam/tests/pam_functions.bash
@@ -21,7 +21,7 @@ source testcase.bash || exit 2
# global variables
######################################################################
-if [[ $DISTRO != "RHEL" ]] ; then
+if [[ "$DISTRO" != "RHEL" ]] ; then
if [ -f /etc/vsftpd/vsftpd.conf ]; then
vsftpd_conf=/etc/vsftpd/vsftpd.conf
elif [ -f /etc/vsftpd.conf ]; then
diff --git a/audit-test/utils/functions.bash b/audit-test/utils/functions.bash
index bb82632..ed197fd 100644
--- a/audit-test/utils/functions.bash
+++ b/audit-test/utils/functions.bash
@@ -194,7 +194,7 @@ function start_auditd {
local log_file=${1:-"/var/log/audit/audit.log"}
if ! pidof auditd &>/dev/null; then
- if [ $DISTRO = "SUSE" ]; then
+ if [ "$DISTRO" = "SUSE" ]; then
rcauditd start || return 2
auditctl -e 1 || return 2
else
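Review bot: this is the hunk that actually fixes the error in the commit message: with DISTRO unset the old `[ $DISTRO = "SUSE" ]` expanded to `[ = SUSE ]` and test(1) complained about a unary operator. Since run.conf and pam_functions.bash use `[[ ]]` for the same comparison, consider switching this line and the one in stop_auditd to `[[ $DISTRO == SUSE ]]` so the two forms cannot drift again. Note also that an unset DISTRO now silently takes the `service auditd start` branch, which is right on RHEL but hides a misconfigured environment on SUSE.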
@@ -226,7 +226,7 @@ function stop_auditd {
declare i
auditctl -D &>/dev/null
- if [ $DISTRO = "SUSE" ]; then
+ if [ "$DISTRO" = "SUSE" ]; then
rcauditd stop || killall auditd
else
service auditd stop || killall auditd
--
1.8.3.1
From: Jiri J. <jja...@re...> - 2013-08-21 16:21:23
From: Miroslav Vadkerti <mva...@re...>
This patch incorporates changes that make possible
merging of subsequent test runs.
The logs are now stored also separately for each test
in the logs subdirectory of the test bucket. The run and
rollup logs are generated from these logs. The output
of the run.bash should remain the same.
This patch also fixes the --list option that now does
not delete the contents of run and rollup log.
This patch adds generate (-g|--generate) option that generates
the total run and rollup logs. This might be useful if these
were deleted or not created after aborting testing with SIGINT.
The distclean make target removes the new logs directory.
Signed-off-by: Miroslav Vadkerti <mva...@re...>
---
audit-test/rules.mk | 4 +-
audit-test/utils/run.bash | 132 +++++++++++++++++++++++++++++++++++-----------
2 files changed, 104 insertions(+), 32 deletions(-)
diff --git a/audit-test/rules.mk b/audit-test/rules.mk
index 1534c66..a53d979 100644
--- a/audit-test/rules.mk
+++ b/audit-test/rules.mk
@@ -194,14 +194,14 @@ _clean:
clean: _clean
-ALL_LOGS += run.log rollup.log
+ALL_LOGS += run.log rollup.log logs
_distclean: clean
@if [[ "$(MAKECMDGOALS)" == distclean ]]; then \
for x in $(SUB_DIRS); do \
make -C $$x distclean; \
done; \
fi
- $(RM) $(ALL_LOGS)
+ $(RM) -r $(ALL_LOGS)
if [[ -L run.bash ]]; then $(RM) run.bash; fi
distclean: _distclean
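Review bot: `logs` is hardcoded here while run.bash lets the user relocate the per-test logs with `-o/--logdir`, so `make distclean` leaves a custom directory behind; either document that only the default directory is cleaned or keep the name in one shared variable. Separately, switching to `$(RM) -r` for the whole ALL_LOGS list turns a plain unlink into a recursive delete for every entry that sub-makefiles append with `+=`; a stray entry such as `.` or a glob would now recurse. Safer to keep `$(RM) $(ALL_LOGS)` and add a dedicated `$(RM) -r logs`.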
diff --git a/audit-test/utils/run.bash b/audit-test/utils/run.bash
index f70b79a..890f84a 100755
--- a/audit-test/utils/run.bash
+++ b/audit-test/utils/run.bash
@@ -51,6 +51,7 @@ source functions.bash || exit 2
unset logging
unset opt_verbose opt_debug opt_config opt_list opt_log opt_rollup opt_timeout opt_width
+echoing=true
logging=false
opt_avc=false
opt_verbose=false
@@ -59,6 +60,7 @@ opt_quiet=false
opt_config=run.conf
opt_list=false
opt_log=run.log
+opt_logdir=logs
opt_rollup=rollup.log
opt_timeout=30
opt_width=$(stty size 2>/dev/null | cut -d' ' -f2)
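Review bot: neither `opt_logdir` here nor `echoing` in the previous hunk is added to the `unset ...` lines that precede the defaults. The list already misses opt_avc and opt_quiet, so either extend it to cover all the variables or drop the unset lines, but do not grow the inconsistency.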
@@ -140,9 +142,8 @@ function dmsg {
}
function prf {
- printf "$(colorize "$1")" "${@:2}"
- $logging || return
- printf "$(monoize "$1")" "${@:2}" | tee -a "$opt_rollup" >>"$opt_log"
+ $echoing && printf "$(colorize "$1")" "${@:2}"
+ $logging && printf "$(monoize "$1")" "${@:2}" | tee -a "$opt_rollup" >>"$opt_log"
}
#----------------------------------------------------------------------
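Review bot: prf's exit status changes with this rewrite: it is now the status of `$logging && ...`, so a `noecho nolog prf ...` call returns 1 although nothing failed, and a plain `prf` with logging off returns 1 as well. Any caller under `set -e` or checking `$?` will see that; end the function with an explicit `return 0`. While here, the comment should say why identical lines go to both `$opt_rollup` and `$opt_log` (the rollup copy is later trimmed with `sed '1,/--------/d'` in generate_logs), as that split is no longer obvious from this function alone.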
@@ -219,6 +220,11 @@ function startup {
trap - 1 2;
fi
+ # Create log directory if needed
+ if [[ ! -d "$opt_logdir" ]]; then
+ mkdir "$opt_logdir"
+ fi
+
# Initialize audit configuration and make sure auditd is running
auditd_orig=$(mktemp $auditd_conf.XXXXXX) || return 2
cp -a "$auditd_conf" "$auditd_orig" || return 2
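Review bot: `mkdir "$opt_logdir"` is not error-checked while the mktemp and cp lines directly below use `|| return 2`; if the directory cannot be created (read-only tree, an existing file of that name) startup continues and every per-test `cp -f` fails later with a much less obvious message. Use `mkdir -p "$opt_logdir" || return 2`, which also accepts a nested path passed via `-o`.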
@@ -341,10 +347,12 @@ Usage: ${0##*/} [OPTION]...
Run a set of test cases, reporting pass/fail and tallying results.
-f --config=FILE Use a config file other than run.conf
+ -g --generate Generate run.log and rollup.log from $opt_logdir
--header Don't run anything, just output the log header
-l --log=FILE Output to a log other than run.log
-r --rollup=FILE Output to a rollup other than rollup.log
-t --timeout=SEC Seconds to wait for a test to timeout, default 30
+ -o --logdir=DIR Output directory of per test logs
-w --width=COLS Set COLS output width instead of auto-detect
-h --help Show this help
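Review bot: the `-o --logdir` line sits between `-t` and `-w` and breaks the alphabetical order of the option list, and `-g --generate` should state that it only regenerates the logs and exits without running any tests, since that is what the `-g|--generate) ...; exit 0` case in parse_cmdline does.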
@@ -364,8 +372,8 @@ function parse_cmdline {
declare args conf x
# Use /usr/bin/getopt which supports GNU-style long options
- args=$(getopt -o adf:hl:qr:vw: \
- --long config:,avc,debug,help,header,list,log:,quiet,rollup:,nocolor,verbose,width: \
+ args=$(getopt -o adf:ghl:qr:o:vw: \
+ --long config:,avc,debug,generate,help,header,list,log:,logdir:,quiet,rollup:,nocolor,verbose,width: \
-n "$0" -- "$@") || die
eval set -- "$args"
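Review bot: the `-t/--timeout` option that the usage text documents and the case statement handles is still absent from both getopt strings (`adf:ghl:qr:o:vw:` has no `t:` and the --long list has no `timeout:`), so `run.bash -t 60` is rejected by getopt as an invalid option. Since these lines are being edited anyway, add `t:` and `timeout:` here.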
@@ -374,6 +382,7 @@ function parse_cmdline {
-a|--avc) opt_avc=true; shift ;;
-d|--debug) opt_debug=true; opt_verbose=true; shift ;;
-f|--config) opt_config=$2; shift 2 ;;
+ -g|--generate) logging=true; generate_logs; exit 0 ;;
-h|--help) usage; exit 0 ;;
--header) show_header; exit 0 ;;
--list) opt_list=true; shift ;;
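Review bot: `-g` acts immediately inside the option loop, so any `-l`, `-r` or `-o` given after it on the command line has not been parsed yet; `run.bash -g -o otherlogs` regenerates from the default `logs` directory and truncates the default run.log and rollup.log. Record the request (`opt_generate=true; shift`) and call generate_logs after the loop, next to the `--list` handling, where the path options are final.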
@@ -381,6 +390,7 @@ function parse_cmdline {
-q|--quiet) opt_quiet=true; shift ;;
-r|--rollup) opt_rollup=$2; shift 2 ;;
-t|--timeout) opt_timeout=$2; shift 2 ;;
+ -o|--logdir) opt_logdir=$2; shift 2 ;;
--nocolor) colorize() { monoize "$@"; }; shift ;;
-v|--verbose) opt_verbose=true; shift ;;
-w|--width) opt_width=$2; shift 2 ;;
@@ -389,9 +399,6 @@ function parse_cmdline {
esac
done
- # Open the logs now that opt_log and opt_rollup are set
- open_log
-
# Load the config
dmsg "Loading config from $opt_config"
conf="$(<$opt_config)
@@ -413,8 +420,10 @@ function parse_cmdline {
done
else
# add by number
- dmsg " [$1] ${TESTS[$1]}"
- TNUMS[$1]=$1
+ if [ $1 -lt ${#TESTS[@]} ]; then
+ dmsg " [$1] ${TESTS[$1]}"
+ TNUMS[$1]=$1
+ fi
fi
shift
done
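Review bot: the new range check silently ignores a bad test number, so `run.bash 99` prints nothing and runs nothing; at least emit a warning, or `die "no such test number: $1"`. Also `[ $1 -lt ... ]` with an unquoted, unvalidated `$1` prints "integer expression expected" for non-numeric input and lets a negative number through; check `[[ $1 =~ ^[0-9]+$ ]]` first.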
@@ -435,21 +444,24 @@ function parse_cmdline {
done
exit 0
fi
+
+ # Open the logs before running the tests
+ open_log
}
function show_header {
- prf "\n"
- prf "%-32s %s\n" Started: "$(date)"
- prf "%-32s %s\n" Kernel: "$(uname -r)"
- prf "%-32s %s\n" Architecture: "$(uname -m)"
- prf "%-32s %s\n" Mode: "${MODE:-(native)}"
- prf "%-32s %s\n" Hostname: "$(uname -n)"
- prf "%-32s %s\n" Profile: "$PPROFILE"
- prf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
+ nolog prf "\n"
+ nolog prf "%-32s %s\n" Started: "$(date)"
+ nolog prf "%-32s %s\n" Kernel: "$(uname -r)"
+ nolog prf "%-32s %s\n" Architecture: "$(uname -m)"
+ nolog prf "%-32s %s\n" Mode: "${MODE:-(native)}"
+ nolog prf "%-32s %s\n" Hostname: "$(uname -n)"
+ nolog prf "%-32s %s\n" Profile: "$PPROFILE"
+ nolog prf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
if [[ $PPROFILE == lspp ]] ; then
- prf "%-32s %s\n" "lspp_test policy version:" "$(semodule -l | grep lspp_test | awk '{print $2}')"
+ nolog prf "%-32s %s\n" "lspp_test policy version:" "$(semodule -l | grep lspp_test | awk '{print $2}')"
fi
- prf "\n%s\n" "$(sestatus)"
+ nolog prf "\n%s\n" "$(sestatus)"
}
function fmt_test {
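Review bot: two points on this hunk. First, open_log now runs only after the `--list` exit, which fixes --list truncating the logs, but the `-g` branch earlier in parse_cmdline calls generate_logs after setting `logging=true` by hand and never calls open_log; if open_log does more than flip `logging` (truncate, write a header), the two paths diverge, so either call open_log from the -g branch too or say in a comment that generate_logs intentionally bypasses it. Second, wrapping every prf in show_header with nolog is repetitive and makes the function permanently non-logging; have the callers invoke `nolog show_header` instead, which keeps `--header` usable with logging later on.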
@@ -485,20 +497,55 @@ function show_test {
fmt_test "[$TESTNUM]" "$@"
}
+function noecho {
+ declare echoing=false
+ "$@"
+}
+
function nolog {
declare logging=false
"$@"
}
+function generate_logs {
+ declare pass fail error
+
+ # clear run and rollup logs
+ echo -n > $opt_log
+ echo -n > $opt_rollup
+
+ # create total run log
+ for log in $(ls $opt_logdir/$opt_log.* | sed 's/\(.*\)\.\(.*\)/\1 \2/g' | sort -k2 -n | tr ' ' '.'); do
+ cat $log >> $opt_log
+ echo >> $opt_log
+ done
+
+ # create total rollup log
+ for log in $(ls $opt_logdir/$opt_rollup.* | sed 's/\(.*\)\.\(.*\)/\1 \2/g' | sort -k2 -n | tr ' ' '.'); do
+ cat $log | sed '1,/--------/d' >> $opt_rollup
+ done
+
+ pass=$(grep "PASS" $opt_rollup | wc -l)
+ fail=$(grep "FAIL" $opt_rollup | wc -l)
+ error=$(grep "ERROR" $opt_rollup | wc -l)
+ (( total = pass + fail + error ))
+ llmsg
+ prf "%4d pass (%d%%)\n" $pass $((pass * 100 / total))
+ prf "%4d fail (%d%%)\n" $fail $((fail * 100 / total))
+ prf "%4d error (%d%%)\n" $error $((error * 100 / total))
+ prf "%s\n" "------------------"
+ prf "%4d total\n" $total
+}
+
function run_tests {
- declare TESTNUM output status hee s
+ declare TESTNUM output status hee s log stats header
declare begin_output="<blue>--- begin output -----------------------------------------------------------"
declare end_output="<blue>--- end output -------------------------------------------------------------"
show_header
- msg
- prf "%-$((opt_width-7))s %s\n" "Testcase" "Result"
- prf "%-$((opt_width-7))s %s\n" "--------" "------"
+ nolog msg
+ nolog prf "%-$((opt_width-7))s %s\n" "Testcase" "Result"
+ nolog prf "%-$((opt_width-7))s %s\n" "--------" "------"
if $opt_debug; then
hee=/dev/stderr
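Review bot: generate_logs has three defects. (1) `pass * 100 / total` raises "division by 0" and aborts the function when no per-test logs exist (fresh tree, or the `ls` glob matching nothing, in which case ls also prints an error to the terminal); guard with `(( total > 0 ))` before computing percentages. (2) The per-test file names are built as `$opt_logdir/$opt_log.*`, which breaks as soon as `-l`/`-r` carry a directory (`logs//tmp/run.log.*`); use `${opt_log##*/}` and `${opt_rollup##*/}`. (3) `grep "PASS" | wc -l` counts every line containing the string, test names and arguments included; count the result column only, e.g. `grep -c ' PASS$'`. Smaller things: `log` and `total` are not declared local and overwrite the caller's variables (run_tests declares `log` itself); `cat $log | sed ...` can be `sed ... "$log"`; in run_tests the new `stats` declaration is unused and `header` is never assigned anywhere in this patch; and the noecho/nolog helpers work only because bash scopes `declare` locals dynamically into prf, which deserves a one-line comment above them.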
@@ -507,6 +554,11 @@ function run_tests {
fi
for TESTNUM in "${TNUMS[@]}"; do
+ noecho prf "$(show_header)\n" ""
+ llmsg
+ noecho prf "%-$((opt_width-7))s %s\n" "Testcase" "Result"
+ noecho prf "%-$((opt_width-7))s %s\n" "--------" "------"
+
eval "set -- ${TESTS[TESTNUM]}"
if $opt_debug; then
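Review bot: `noecho prf "$(show_header)\n" ""` passes the captured header as the printf format string; any `%` in its content (rpm version strings, sestatus output, a hostname) is interpreted by printf and corrupts or truncates the per-test log. Pass it as an argument instead: `noecho prf "%s\n" "$(show_header)"`. The capture also contains the escape sequences from the echoed copy of the header, and monoize only strips the `<blue>`-style tags, so check that the per-test logs really come out as plain text.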
@@ -587,15 +639,35 @@ function run_tests {
msg "<blue>-- audit2allow -------------------------------------------------------------"
msg "$(ausearch -ts $stime -te $etime -m avc | audit2allow)"
fi
+
+ # copy header to run and rollup log
+ echo "$header" >> $opt_logdir/$opt_log.$TESTNUM
+ echo >> $opt_logdir/$opt_log.$TESTNUM
+ echo "$header" >> $opt_logdir/$opt_rollup.$TESTNUM
+ echo >> $opt_logdir/$opt_rollup.$TESTNUM
+
+ # copy test output to own log file
+ cp -f $opt_log $opt_logdir/$opt_log.$TESTNUM
+ sed -i '/./,$!d' $opt_logdir/$opt_log.$TESTNUM
+ cp -f $opt_rollup $opt_logdir/$opt_rollup.$TESTNUM
+ sed -i '/./,$!d' $opt_logdir/$opt_rollup.$TESTNUM
+
+ # clear log and rollup
+ echo -n > $opt_log
+ echo -n > $opt_rollup
done
+ # create current stats
(( total = pass + fail + error ))
- msg
- prf "%4d pass (%d%%)\n" $pass $((pass * 100 / total))
- prf "%4d fail (%d%%)\n" $fail $((fail * 100 / total))
- prf "%4d error (%d%%)\n" $error $((error * 100 / total))
- prf "%s\n" "------------------"
- prf "%4d total\n" $total
+ nolog msg
+ nolog prf "%4d pass (%d%%)\n" $pass $((pass * 100 / total))
+ nolog prf "%4d fail (%d%%)\n" $fail $((fail * 100 / total))
+ nolog prf "%4d error (%d%%)\n" $error $((error * 100 / total))
+ nolog prf "%s\n" "------------------"
+ nolog prf "%4d total\n" $total
+
+ # create silently run and rollup logs
+ noecho generate_logs
return 0
}
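Review bot: the "copy header" block is dead code: the four `echo ... >> $opt_logdir/$opt_log.$TESTNUM` and `.../$opt_rollup.$TESTNUM` appends are overwritten two lines later by `cp -f $opt_log $opt_logdir/$opt_log.$TESTNUM` and its rollup twin, and `header` is never assigned in this patch, so they would only append blank lines anyway; drop them. The per-test paths also break when `-l`/`-r` include a directory (same `${opt_log##*/}` fix as in generate_logs). The totals printed here come from the in-memory counters while `noecho generate_logs` right after recomputes them by grepping the rollup, so the two reports can disagree; use one source, and give this copy of the stats block the same zero-total guard. Finally, `echo -n > $opt_log` truncates only after a test completes, so a SIGINT mid-test leaves that test's output in run.log where `-g` will not find it; a trap that performs the copy on interrupt would close the gap the commit message describes.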
--
1.8.3.1
From: Jiri J. <jja...@re...> - 2013-08-21 16:21:15
The idea is to catch various configuration or setup errors
and give useful hints, so that the user doesn't have to debug
the system/suite to find out what could possibly go wrong.
This script is not supposed to replace or duplicate functionality
provided by the suite itself, it should be only used for basic sanity
verification of the environment. It doesn't claim to reveal all
configuration errors, but it can still be useful.
Because of the reasons mentioned above, running this script
is purely optional.
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/Makefile | 6 +
audit-test/README.run | 6 +
audit-test/utils/envcheck | 425 ++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 437 insertions(+)
create mode 100755 audit-test/utils/envcheck
diff --git a/audit-test/Makefile b/audit-test/Makefile
index c8e6477..28a80af 100644
--- a/audit-test/Makefile
+++ b/audit-test/Makefile
@@ -124,3 +124,9 @@ policy:
netconfig:
cd network/system && $(MAKE) install
cd utils/network-server && $(MAKE) install
+
+.PHONY: envcheck
+envcheck:
+ @$(check_set_PPROFILE); \
+ $(check_set_PASSWD);
+ utils/envcheck
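Review bot: the recipe runs `$(check_set_PPROFILE); $(check_set_PASSWD);` and `utils/envcheck` as two separate recipe lines, i.e. two separate shells, so whatever the check_set_* macros set or export is gone by the time envcheck runs and its "Var PPROFILE is present in environment" check will fail for that reason alone unless the variables were already exported by the caller. Join the lines with a trailing `\` and `&&`, or `exec utils/envcheck` from the same shell. Also, because the script always ends with `exit 0`, `make envcheck` succeeds even when checks fail.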
diff --git a/audit-test/README.run b/audit-test/README.run
index 276364c..d9311bd 100644
--- a/audit-test/README.run
+++ b/audit-test/README.run
@@ -265,6 +265,12 @@ environment variables:
Verify that the time on the test system is synchronized with the time
on the network test server.
+As an additional sanity check, you can run:
+
+# make envcheck
+or
+# make envcheck | less -R
+
Run the tests
-------------
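Review bot: it is worth stating in this README section that envcheck must be run as root, from /usr/local/eal4_testing/audit-test, with the README.run and README.netfilter variables exported in the current shell, because the script checks exactly those conditions and otherwise reports them as failures rather than as usage errors.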
diff --git a/audit-test/utils/envcheck b/audit-test/utils/envcheck
new file mode 100755
index 0000000..5b79b35
--- /dev/null
+++ b/audit-test/utils/envcheck
@@ -0,0 +1,425 @@
+#!/bin/bash
+###############################################################################
+# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+###############################################################################
+#
+# AUTHOR: Jiri Jaburek <jja...@re...>
+#
+# This script checks whether the environment on TOE and NS has all
+# the prerequisities for audit-test suite run met.
+# This ranges from initial environment variable checking to ensuring proper
+# routing between TOE and NS.
+
+## COLORS
+#
+# attributes:
+# 0=none, 1=bold, 4=underscore, 5=blink, 7=reverse, 8=concealed
+#
+# text/foreground:
+# 30=black, 31=red, 32=green, 33=yellow, 34=blue, 35=magenta, 36=cyan, 37=white
+#
+# background:
+# 40=black, 41=red, 42=green, 43=yellow, 44=blue, 45=magenta, 46=cyan, 47=white
+#
+# format:
+# \e[<code>[;<code2>]m
+# ie.:
+# echo -e '\e[1;4;31;43mred bold underlined text on yellow background\e[0m'
+##
+
+# run a given command to verify/check something
+# $1 = command with arguments
+# $2 = expected exit code (leave empty if irrelevant)
+# $3 = optional cmd text to show instead of $1
+# returns the command's exit code
+# and sets CHECK_FAILED var to nonempty value upon fail
+check()
+{
+ [ $# -lt 1 ] && return 1
+ [ $# -ge 2 ] && cmpret="$2" || cmpret=0
+ [ $# -ge 3 ] && msg="$3" || msg=
+
+ # echo initial msg
+ if [ "$msg" ]; then
+ echo -ne "\e[1m$msg\e[0m ..."
+ else
+ echo -ne "> \e[1m$1\e[0m ..."
+ fi
+
+ # run cmd, capture stderr
+ out=$(eval "$1" 2>&1)
+
+ # show result
+ ret=$?
+ if [ -z "$cmpret" ]; then
+ # ignored
+ echo -e "\e[1;34mignored\e[0m"
+ elif [ "$cmpret" -eq $ret ]; then
+ # pass
+ echo -e "\e[1;32mpassed\e[0m"
+ else
+ if [ "$WARNONLY" ]; then
+ # warn
+ echo -e "\e[1;33mwarn\e[0m"
+ [ "$out" ] && echo "$out"
+ else
+ # fail
+ echo -e "\e[1;31mfailed\e[0m"
+ [ "$out" ] && echo "$out"
+ CHECK_FAILED=1
+ fi
+ fi
+
+ return $ret
+}
+
+
+### EXAMPLE
+#check "sleep 2" # pass
+#WARNONLY=1 check "sleep 0.5" # pass
+#WARNONLY=1 check "sleep 0,5" # warn
+#check "sleep abcd" 0 "running sleep abcd" # fail with msg
+#check "sleep -2" '' # ignored result
+
+
+AUDITDIR="/usr/local/eal4_testing"
+
+
+### VARIABLES
+check_variables() {
+ local CHECK_FAILED
+ local vars
+
+ # basic variables
+ vars="DISTRO MODE PPROFILE PASSWD"
+ #vars="PASSWD"
+
+ for i in $vars; do
+ check "env | grep \"^$i=\"" 0 "Var $i is present in environment"
+ done;
+
+ # sanity PPROFILE check
+ check "[ \"$PPROFILE\" = \"capp\" -o \"$PPROFILE\" = \"lspp\" ]" 0 \
+ "Var PPROFILE is either capp or lspp"
+
+ [ -z "$CHECK_FAILED" ] && check_variables_ok_nonet=1
+
+ # networking variables
+ vars="LOCAL_DEV LOCAL_IPV4 LOCAL_IPV6"
+ vars="$vars LOCAL_SEC_MAC LOCAL_SEC_IPV4 LOCAL_SEC_IPV6 BRIDGE_FILTER"
+ vars="$vars LBLNET_SVR_IPV4 LBLNET_SVR_IPV6"
+ vars="$vars SECNET_SVR_MAC SECNET_SVR_IPV4 SECNET_SVR_IPV6"
+
+ for i in $vars; do
+ check "env | grep \"^$i=\"" 0 "Var $i is present in environment"
+ done;
+
+ # s390x / ppc64 check? (ARCH variable)
+
+ if [ "$CHECK_FAILED" ]; then
+ echo
+ echo "Variable checking failed, please make sure to export all required"
+ echo "environment variables specified in README.run."
+ echo "Also make sure the networking variables are set according"
+ echo "to README.netfilter."
+ return 1
+ else
+ check_variables_ok=1
+ fi
+}
+
+
+### USER SESSION
+check_user_session() {
+ local CHECK_FAILED
+
+ # requires for this check
+ [ "$check_variables_ok_nonet" ] || return 2
+
+ check "[ \"$(whoami)\" = \"root\" ]" 0 \
+ "Logged in as root"
+ check "[ -z \"$(faillock | grep -v '^\([^ ]*:\|When\)')\" ]" 0 \
+ "Faillock is empty"
+ check "[ ! -e \"$HOME/.ssh/id_rsa\" ]" 0 \
+ "~/.ssh/id_rsa doesn't exist (testsuite reasons)"
+
+ [ "$PPROFILE" = "lspp" ] && \
+ check "[ \"$(id -Z)\" = \"staff_u:lspp_test_r:lspp_harness_t:SystemLow-SystemHigh\" ]" 0 \
+ "id -Z is staff_u:lspp_test_r:lspp_harness_t:SystemLow-SystemHigh"
+
+ check "[ \"$(pwd)\" = \"/usr/local/eal4_testing/audit-test\" ]" 0 \
+ "\$(pwd) is /usr/local/eal4_testing/audit-test"
+
+ if [ "$CHECK_FAILED" ]; then
+ echo
+ echo "User session checking failed, please make sure the system"
+ echo "is in evaluated configuration, double check whether all steps"
+ echo "required by README.run have been performed."
+ return 1
+ else
+ check_user_session_ok=1
+ fi
+}
+
+
+### SUITE LOCATION
+check_suite_loc() {
+ local CHECK_FAILED
+
+ # requires for this check
+ [ "$AUDITDIR" ] || return 2
+
+ check "[ -d \"$AUDITDIR\" ]"
+ check "[ -d \"$AUDITDIR/audit-test\" ]"
+ check "[ -d \"$AUDITDIR/ltp\" ]"
+ #DIRS="audit-remote audit-tools audit-trail-protection crypto docs fail-safe filter kvm kvm-cgroups kvm-iommu libpam misc netfilebt netfilter network syscalls trustedprograms utils"
+ #for i in $DIRS; do
+ # check "[ -d \"$AUDITDIR/audit-test/$i\" ]"
+ #done;
+
+ [ -d "$AUDITDIR" ] && \
+ check "[ \"$(stat --format=%a "$AUDITDIR")\" = \"755\" ]" 0 "$AUDITDIR has mode 755"
+
+ if [ "$CHECK_FAILED" ]; then
+ echo
+ echo "Suite not found or incorrectly installed at $AUDITDIR."
+ echo "This is important because of the hardcoded paths in the testing policy."
+ echo "Please install/extract the suite according to README.run."
+ return 1
+ else
+ check_suite_loc_ok=1
+ fi
+}
+
+
+### NETWORKING - interfaces
+check_networking_if() {
+ local CHECK_FAILED
+
+ # requires for this check
+ [ "$check_variables_ok" ] || return 2
+
+ # interface checks
+ check "ip -o link show dev $LOCAL_DEV" 0 \
+ "Device $LOCAL_DEV exists"
+ check "ip -o link show dev $LOCAL_SEC_DEV" 0 \
+ "Device $LOCAL_SEC_DEV exists"
+ check "ip -o link show dev $BRIDGE_FILTER" 0 \
+ "Device $BRIDGE_FILTER exists"
+ check "brctl show $BRIDGE_FILTER | grep $LOCAL_SEC_DEV" 0 \
+ "Device $LOCAL_SEC_DEV is enslaved in bridge $BRIDGE_FILTER"
+
+ check "ip -o -4 addr show dev $LOCAL_DEV | grep \"$LOCAL_IPV4\"" 0 \
+ "Device $LOCAL_DEV has IPv4 address: $LOCAL_IPV4"
+ check "ip -o -6 addr show dev $LOCAL_DEV | grep \"$LOCAL_IPV6\"" 0 \
+ "Device $LOCAL_DEV has IPv6 address: $LOCAL_IPV6"
+ check "ip -o link show dev $BRIDGE_FILTER | grep \"$(sed 's/\(.*\)/\L\1/' <<<$LOCAL_SEC_MAC)\"" 0 \
+ "Device $BRIDGE_FILTER has MAC address: $LOCAL_SEC_MAC"
+ check "ip -o -4 addr show dev $BRIDGE_FILTER | grep \"$LOCAL_SEC_IPV4\"" 0 \
+ "Device $BRIDGE_FILTER has IPv4 address: $LOCAL_SEC_IPV4"
+ check "ip -o -6 addr show dev $BRIDGE_FILTER | grep \"$LOCAL_SEC_IPV6\"" 0 \
+ "Device $BRIDGE_FILTER has IPv6 address: $LOCAL_SEC_IPV6"
+
+ check "ip -o -6 addr show dev $LOCAL_DEV | grep \"$LOCAL_IPV6\" | grep -v deprecated" 0 \
+ "IPv6 address $LOCAL_IPV6 on $LOCAL_DEV is not deprecated"
+ check "ip -o -6 addr show dev $BRIDGE_FILTER | grep \"$LOCAL_SEC_IPV6\" | grep -v deprecated" 0 \
+ "IPv6 address $LOCAL_SEC_IPV6 on $BRIDGE_FILTER is not deprecated"
+
+ if [ "$CHECK_FAILED" ]; then
+ echo
+ echo "Network interfaces are not configured correctly."
+ echo "Make sure the networking is set according to README.netfilter"
+ echo "(including the bridge) and that all addresses assigned to"
+ echo "network interfaces match those exported in env variables."
+ return 1
+ else
+ check_networking_if_ok=1
+ fi
+}
+
+
+### NETWORKING - probe
+check_networking_probe() {
+ local CHECK_FAILED
+
+ # requires for this check
+ [ "$check_variables_ok" -a "$check_networking_if_ok" ] || return 2
+
+ check "ping -I lo -q -c1 127.0.0.1" 0 \
+ "127.0.0.1 reachable via lo"
+ check "ping6 -I lo -q -c1 ::1" 0 \
+ "::1 reachable via lo"
+ check "ping -I $LOCAL_DEV -q -c1 $LBLNET_SVR_IPV4" 0 \
+ "$LBLNET_SVR_IPV4 reachable via $LOCAL_DEV"
+ check "ping6 -I $LOCAL_DEV -q -c1 $LBLNET_SVR_IPV6" 0 \
+ "$LBLNET_SVR_IPV6 reachable via $LOCAL_DEV"
+ check "ping -I $BRIDGE_FILTER -q -c1 $SECNET_SVR_IPV4" 0 \
+ "$SECNET_SVR_IPV4 reachable via $BRIDGE_FILTER"
+ check "ping6 -I $BRIDGE_FILTER -q -c1 $SECNET_SVR_IPV6" 0 \
+ "$SECNET_SVR_IPV6 reachable via $BRIDGE_FILTER"
+
+ check "nc $LOCAL_IPV4 4000 <<<\"echo:testme;\" | grep -a testme" 0 \
+ "lblnet_tst_server on TOE responds over unlabeled IPv4"
+ check "nc $LOCAL_IPV6 4000 <<<\"echo:testme;\" | grep -a testme" 0 \
+ "lblnet_tst_server on TOE responds over unlabeled IPv6"
+ check "nc $LBLNET_SVR_IPV4 4000 <<<\"echo:testme;\" | grep -a testme" 0 \
+ "lblnet_tst_server on NS responds over unlabeled IPv4"
+ check "nc $LBLNET_SVR_IPV6 4000 <<<\"echo:testme;\" | grep -a testme" 0 \
+ "lblnet_tst_server on NS responds over unlabeled IPv6"
+
+ if [ "$CHECK_FAILED" ]; then
+ echo
+ echo "Some services on the NS are not reachable."
+ echo "Make sure the NS is configured correctly and reachable"
+ echo "via the interfaces and addresses exported as env variables."
+ return 1
+ else
+ check_networking_probe_ok=1
+ fi
+}
+
+
+### SERVICES
+check_services() {
+ local CHECK_FAILED
+
+ # requires for this check
+ [ "$check_variables_ok" ] || return 2
+
+ local daem daems
+ daems="auditd rsyslogd mcstransd"
+ [ "$PPROFILE" = "lspp" ] && daems="$daems xinetd pluto"
+ for daem in $daems; do
+ check "pidof \"$daem\"" 0 \
+ "daemon \"$daem\" is running"
+ done;
+
+ if [ "$PPROFILE" = "lspp" ]; then
+ check "[ \"$(cat /proc/sys/net/ipv4/conf/lo/disable_xfrm)\" = \"0\" ]" 0 \
+ "ipsec: XFRM is not disabled on loopback"
+ check "[ \"$(cat /proc/sys/net/ipv4/conf/lo/disable_policy)\" = \"0\" ]" 0 \
+ "ipsec: XFRM policy is not disabled on loopback"
+
+ check "[ \"$(ip xfrm policy list)\" ]" 0 \
+ "ipsec: XFRM policy is not empty"
+ check "[ -z \"$(ip xfrm state list)\" ]" 0 \
+ "ipsec: XFRM state / association database is empty"
+
+ local addr
+ for addr in "$LOCAL_IPV4" "$LOCAL_IPV6" "127.0.0.1" "::1"; do
+ check "grep \"left=$addr\" /etc/ipsec.conf" 0 \
+ "ipsec.conf contains left=$addr"
+ done;
+ for addr in "$LBLNET_SVR_IPV4" "$LBLNET_SVR_IPV6" "127.0.0.1" "::1"; do
+ check "grep \"right=$addr\" /etc/ipsec.conf" 0 \
+ "ipsec.conf contains right=$addr"
+ done;
+ check "egrep -n \"(right|left)=[ \t]*$\" /etc/ipsec.conf" 1 \
+ "ipsec.conf doesn't contain empty left= or right="
+
+ check "netlabelctl map list | grep \"lspp_test_netlabel_t\"" 0 \
+ "netlabel: lspp_test_netlabel_t mapping present"
+ fi
+
+ if [ "$CHECK_FAILED" ]; then
+ echo
+ echo "Services check failed - either one or more essential daemons are"
+ echo "not running or service-related files are not set up correctly."
+ echo "Please make sure you have gone through all required steps"
+ echo "described in README.run."
+ return 1
+ else
+ check_services_ok=1
+ fi
+
+}
+
+
+### KVM
+check_kvm() {
+ local CHECK_FAILED
+
+ # requires for this check
+ [ "$AUDITDIR" -a "$check_suite_loc_ok" ] || return 2
+ [ "$(uname -m)" = "x86_64" ] || {
+ echo "KVM tests not supported on $(uname -m) architecture"
+ return 2
+ }
+
+ check "[ -d \"$AUDITDIR/audit-test/kvm\" ]"
+ check "[ -f \"$AUDITDIR/audit-test/kvm/config.bash\" ]"
+ check "grep '^install_media' \"$AUDITDIR/audit-test/kvm/config.bash\"" 0 \
+ "install_media specified in kvm config"
+ check "grep '\(vmx\|svm\)' /proc/cpuinfo" 0 \
+ "Host cpu has HW virt support"
+
+ check "grep '^usb_device_id' \"$AUDITDIR/audit-test/kvm-iommu/usb_device.conf\" | grep -v XXXX:XXXX" 0 \
+ "usb_device_id specified in kvm-iommu/usb_device.conf"
+ check "grep '^pci_device_id' \"$AUDITDIR/audit-test/kvm-iommu/pci_device.conf\" | grep -v XXXX:XX:XX.X" '' \
+ "pci_device_id specified in kvm-iommu/pci_device.conf"
+
+ if [ "$CHECK_FAILED" ]; then
+ echo
+ echo "KVM sanity check failed - make sure you have the hardware with"
+ echo "HW virtualization support and that you have configured the kvm"
+ echo "test bucket in kvm/config.bash (install_media at least)."
+ return 1
+ else
+ check_kvm_ok=1
+ fi
+}
+
+### END
+
+# checks to be run, ordering is important
+CHECKS="
+check_variables
+check_user_session
+check_suite_loc
+check_networking_if
+check_networking_probe
+check_services
+check_kvm
+"
+
+fails=0
+skips=0
+for check in $CHECKS; do
+ echo "::::::::::::::::::::::::::::::::::::::::::"
+ echo -e "::: \e[1m$check\e[0m"
+ echo "::::::::::::::::::::::::::::::::::::::::::"
+ "$check"
+ case "$?" in
+ 1) fails=$((fails+1)) ;;
+ 2) echo "SKIPPED due to unmet dependencies"; skips=$((skips+1)) ;;
+ *) ;;
+ esac
+ echo
+done;
+
+echo "=========================================="
+echo -n "OVERALL: "
+[ $fails -eq 0 ] && \
+ echo -ne "\e[1;32mPASSED\e[0m" || \
+ echo -ne "\e[1;31mFAILED\e[0m ($fails checks failed)"
+[ $skips -eq 0 ] && \
+ echo ||
+ echo " ($skips checks skipped)"
+
+exit 0
+
+# vim: sts=4 sw=4 et :
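Review bot: a few things in the new script. (1) check_networking_if uses `$LOCAL_SEC_DEV` in three checks but that variable is in neither `vars` list of check_variables, so an unset LOCAL_SEC_DEV reaches `ip -o link show dev ` and `grep ` with confusing output; add it to the networking list. (2) The script ends with an unconditional `exit 0`, so the OVERALL: FAILED verdict is invisible to `make envcheck` and to any automation; `exit $(( fails > 0 ))` keeps the output identical and makes the status usable. (3) The `nc ... <<<"echo:testme;"` probes have no timeout; if lblnet_tst_server accepts the connection but does not close it, the whole run hangs on that check, so pass `-w` (e.g. `nc -w 5`). (4) check() writes `cmpret`, `msg`, `out` and `ret` as globals; declare them local. (5) check_user_session compares `$(pwd)` against a second hardcoded literal instead of `$AUDITDIR/audit-test`, and `brctl show $BRIDGE_FILTER | grep $LOCAL_SEC_DEV` matches substrings (eth1 also matches eth10); use `grep -w`. (6) check_kvm returns 2 on non-x86_64 after printing its own explanation, and the driver loop then also prints "SKIPPED due to unmet dependencies", which misdescribes the reason; use a distinct return code for "not applicable".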
--
1.8.3.1
From: Jiri J. <jja...@re...> - 2013-08-21 16:19:22
Hi,
another batch of smaller changes preparing the suite for RHEL7 is here.
This batch focuses more on RHEL7 specifics, so RHEL6 doesn't always
benefit from the fixes, even though all changes should be at least
RHEL6-compatible.

 4.4% audit-test/filter/tests/
10.9% audit-test/libpam/tests/
 4.9% audit-test/trustedprograms/tests/
70.5% audit-test/utils/
 9.1% audit-test/

The majority of the changes are a result of the two new major features
(stored in utils/):
- environment sanity-checking script
- run/rollup log separation and merging
(see commit messages of patch 01 and 02 for more info)

The rest of the changes consist mostly of random smaller fixes all over
the place.

The changes have been tested on RHEL 6.2 (6.2.z) and 6.4 (6.4.z) by
Miroslav Vadkerti and don't seem to cause any regressions for RHEL6.

The patches are attached via In-Reply-To/References to this mail.

Thanks,
Jiri
From: Linda K. <lin...@hp...> - 2013-07-15 17:15:55
An Yang wrote:
> Hi all,
>
> I have run all the test cases in capp/lspp modes and 64/32 bits
> successfully under RHEL6.4, thanks for your kind help.

Great, that's good to know.

> And could you show me the mapping which lists the SFR and the TSF the
> test cases are associated with?

That's not something that's published as part of our open source test
suite. Something like that is highly dependent on the specific
protection profile and evaluation circumstances. Our test suite is more
general purpose than that.

-- ljk

> Sincerely,
> An Yang