From: Jiri J. <jja...@re...> - 2013-10-07 11:31:59
Original code *relies* on the server giving up sooner than the client:
1. "recv" operation on port 4300 is requested from server
2. client tries to connect() with an invalid context, packets get
dropped on the server side (no replies sent)
3. server times out after 10 seconds (original -t 10 in xinetd conf)
4. when client sends another TCP SYN (conn request), it hits a closed
port and the server replies with TCP RST, which connect()
interprets as ECONNREFUSED, passing the test
This is an incorrect approach, because it doesn't verify the packet
dropping behavior, only that the connection didn't succeed. If, for some
unexpected reason, the remote socket never started listening, the test
would pass anyway.
Furthermore, it presumes that the client continues connecting even
after the server times out, which is *not* guaranteed and - in fact -
is the reason that inspired this patch.
The new approach is based on the fact that the testing machine now
controls both start and exit of the test server (after recent changes),
making it possible to keep the remote "recv" operation active until
the expres=fail tests properly time out, verifying the correct behavior.
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/network/run.conf | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/audit-test/network/run.conf b/audit-test/network/run.conf
index 3699a60..0a88e17 100644
--- a/audit-test/network/run.conf
+++ b/audit-test/network/run.conf
@@ -1533,12 +1533,12 @@ if [[ $PPROFILE == lspp ]]; then
'$host_remote tcp $port'
## TESTCASE: local IPsec IPv4, mac failure (incomp)
+ connect \
- mlsop=incomp expres=fail err=ECONNREFUSED \
+ mlsop=incomp expres=fail err=ETIMEDOUT \
host=local type=ipsec op=recv_tcp ipv=ipv4 port=$tst_port3 \
'$host_remote tcp $port'
## TESTCASE: local IPsec IPv4, mac failure (dom)
+ connect \
- mlsop=dom expres=fail err=ECONNREFUSED \
+ mlsop=dom expres=fail err=ETIMEDOUT \
host=local type=ipsec op=recv_tcp ipv=ipv4 port=$tst_port3 \
'$host_remote tcp $port'
## TESTCASE: local IPsec IPv4, mac success (domby)
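Review bot: err=ETIMEDOUT ties these fail cases to the client's SYN retry budget: connect() only reports ETIMEDOUT once tcp_syn_retries is exhausted, which the README patch in this series puts at 1m3s on RHEL6.3+ and 2m7s on RHEL7 per test unless the sysctl is lowered, and the same errno is produced by a remote that is simply unreachable (host down, wrong route, firewalled). It would help to say in the TESTCASE comment that the adjacent "mac success (domby)" case is what proves the remote server was reachable at all, and to keep the two together so the fail cases cannot pass on their own against a dead remote.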
@@ -1553,12 +1553,12 @@ if [[ $PPROFILE == lspp ]]; then
'$host_remote tcp $port'
## TESTCASE: remote IPsec IPv4, mac failure (incomp)
+ connect \
- mlsop=incomp expres=fail err=ECONNREFUSED \
+ mlsop=incomp expres=fail err=ETIMEDOUT \
host=remote type=ipsec op=recv_tcp ipv=ipv4 port=$tst_port3 \
'$host_remote tcp $port'
## TESTCASE: remote IPsec IPv4, mac failure (dom)
+ connect \
- mlsop=dom expres=fail err=ECONNREFUSED \
+ mlsop=dom expres=fail err=ETIMEDOUT \
host=remote type=ipsec op=recv_tcp ipv=ipv4 port=$tst_port3 \
'$host_remote tcp $port'
## TESTCASE: remote IPsec IPv4, mac success (domby)
@@ -1573,12 +1573,12 @@ if [[ $PPROFILE == lspp ]]; then
'$host_remote tcp $port'
## TESTCASE: local IPsec IPv6, mac failure (incomp)
+ connect \
- mlsop=incomp expres=fail err=ECONNREFUSED \
+ mlsop=incomp expres=fail err=ETIMEDOUT \
host=local type=ipsec op=recv_tcp ipv=ipv6 port=$tst_port3 \
'$host_remote tcp $port'
## TESTCASE: local IPsec IPv6, mac failure (dom)
+ connect \
- mlsop=dom expres=fail err=ECONNREFUSED \
+ mlsop=dom expres=fail err=ETIMEDOUT \
host=local type=ipsec op=recv_tcp ipv=ipv6 port=$tst_port3 \
'$host_remote tcp $port'
## TESTCASE: local IPsec IPv6, mac success (domby)
@@ -1593,12 +1593,12 @@ if [[ $PPROFILE == lspp ]]; then
'$host_remote tcp $port'
## TESTCASE: remote IPsec IPv6, mac failure (incomp)
+ connect \
- mlsop=incomp expres=fail err=ECONNREFUSED \
+ mlsop=incomp expres=fail err=ETIMEDOUT \
host=remote type=ipsec op=recv_tcp ipv=ipv6 port=$tst_port3 \
'$host_remote tcp $port'
## TESTCASE: remote IPsec IPv6, mac failure (dom)
+ connect \
- mlsop=dom expres=fail err=ECONNREFUSED \
+ mlsop=dom expres=fail err=ETIMEDOUT \
host=remote type=ipsec op=recv_tcp ipv=ipv6 port=$tst_port3 \
'$host_remote tcp $port'
## TESTCASE: remote IPsec IPv6, mac success (domby)
--
1.8.3.1
From: Jiri J. <jja...@re...> - 2013-10-07 11:31:44
The test server is now controlled by the test suite (on TOE), performing both start (via nc to respective ports) and exit (via cleanup on 4009). This makes the test server fully event-based, without the need to wait until the old instance times out. Removing the -t 10 allows for easier and more precise testing of "fail" test cases, which can now control when exactly the server exits. Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/utils/network-server/lblnet_tst-tcp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/audit-test/utils/network-server/lblnet_tst-tcp b/audit-test/utils/network-server/lblnet_tst-tcp index 388e6a1..b8bb0ad 100644 --- a/audit-test/utils/network-server/lblnet_tst-tcp +++ b/audit-test/utils/network-server/lblnet_tst-tcp @@ -18,7 +18,7 @@ service lblnet_tst_unlabeled_ipv6 port = 4000 server = /usr/local/eal4_testing/audit-test/utils/network-server/lblnet_tst_server - server_args = -i -t 10 -l /var/log/lblnet_tst_server.log -f /var/run/lblnet_tst_server6.pid -vv + server_args = -i -l /var/log/lblnet_tst_server.log -f /var/run/lblnet_tst_server6.pid -vv } service lblnet_tst_labeled_ipv4 @@ -37,7 +37,7 @@ service lblnet_tst_labeled_ipv4 port = 4001 server = /usr/local/eal4_testing/audit-test/utils/network-server/lblnet_tst_server - server_args = -i -t 10 -l /var/log/lblnet_tst_server.log -f /var/run/lblnet_tst_server4.pid -vv + server_args = -i -l /var/log/lblnet_tst_server.log -f /var/run/lblnet_tst_server4.pid -vv } service lblnet_tst_cleanup -- 1.8.3.1 |
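Review bot: with -t 10 removed, an lblnet_tst_server instance that is never told to exit now holds its port indefinitely, and the xinetd instances = 1 setting the series relies on means every later test silently queues behind it. Every code path that starts the server therefore needs the port-4009 cleanup (tstsvr_cleanup) to run even when the harness is interrupted (a trap on EXIT/INT, not only the normal cleanup chain); otherwise a single aborted run leaves the whole bucket waiting on a server that will never time out.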
From: Jiri J. <jja...@re...> - 2013-10-07 11:31:30
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/network/run.conf | 2 ++
1 file changed, 2 insertions(+)
diff --git a/audit-test/network/run.conf b/audit-test/network/run.conf
index 63258be..3699a60 100644
--- a/audit-test/network/run.conf
+++ b/audit-test/network/run.conf
@@ -743,6 +743,8 @@ function show_test {
# tstsvr_unlock() function.
#
function network_cleanup {
+ ip xfrm state flush
+ nc -w 3 $lblnet_svr6_host 4000 <<< "ipsec:flush;"
tstsvr_unlock
}
prepend_cleanup 'network_cleanup'
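Review bot: the new nc call's exit status is ignored and its behaviour depends on which netcat is installed: with Nmap's ncat (RHEL7, as the last message in this series points out) -w is a connect timeout and does not bound the final read, so a server that accepts but never answers leaves the cleanup hanging. Wrap it in `timeout 5` (or check which binary is present) and log when the remote flush fails, since leftover xfrm state on the server is exactly what the next IPsec test would trip over.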
--
1.8.3.1
From: Jiri J. <jja...@re...> - 2013-10-07 11:31:20
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/trustedprograms/tests/test_ip_xfrm.bash | 29 ++++++++++++++++++++++
audit-test/trustedprograms/tests/test_ipsec.bash | 20 +++++++++++++++
2 files changed, 49 insertions(+)
diff --git a/audit-test/trustedprograms/tests/test_ip_xfrm.bash b/audit-test/trustedprograms/tests/test_ip_xfrm.bash
index 18b09ea..9a225f6 100755
--- a/audit-test/trustedprograms/tests/test_ip_xfrm.bash
+++ b/audit-test/trustedprograms/tests/test_ip_xfrm.bash
@@ -202,6 +202,35 @@ function ipsec_remove_verify {
src=$ip_src dst=$ip_dst res=1 || exit_fail "missing audit record"
}
+#
+# ipsec_cleanup - Clean up / restore test-related environment
+#
+# INPUT
+# none
+#
+# OUTPUT
+# none
+
+function ipsec_cleanup {
+ # flush xfrm state
+ ip xfrm state flush
+ # reload default xfrm policy
+ if [ "$PASSWD" ]; then
+ expect -c "
+ spawn bash
+ expect {
+ \"]#\" { send -- \"run_init service ipsec restart\r\" }
+ }
+ expect {
+ -nocase password: { send -- \"$PASSWD\r\"; exp_continue }
+ \"]#\" { send -- \"exit\r\" }
+ }"
+ else
+ echo "warning: PASSWD not set, not reloading xfrm policy"
+ fi
+}
+append_cleanup 'ipsec_cleanup'
+
######################################################################
# main
######################################################################
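Review bot: embedding $PASSWD in the script string passed to expect -c puts the password on expect's command line, where any local user can read it via ps or /proc/<pid>/cmdline for as long as the restart takes; pass it through the environment (expect can read $env(PASSWD)) or feed the script on stdin. Also, neither expect block has a timeout clause, so if run_init prompts differently expect gives up after its default timeout without matching and the function returns as if the restart succeeded; add a timeout action that prints a warning, in the same spirit as the "PASSWD not set" message.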
diff --git a/audit-test/trustedprograms/tests/test_ipsec.bash b/audit-test/trustedprograms/tests/test_ipsec.bash
index 25541fd..3f35d1c 100755
--- a/audit-test/trustedprograms/tests/test_ipsec.bash
+++ b/audit-test/trustedprograms/tests/test_ipsec.bash
@@ -234,6 +234,26 @@ function ipsec_remove_verify {
exit_fail "missing audit record"
}
+#
+# ipsec_cleanup - Clean up / restore test-related environment
+#
+# INPUT
+# none
+#
+# OUTPUT
+# none
+
+function ipsec_cleanup {
+ # flush xfrm state
+ ip xfrm state flush
+ # flush remote xfrm state
+ if [ "$ip_dst" ]; then
+ tstsvr_cleanup "$ip_dst"
+ remote_ipsec_flush "$ip_dst"
+ fi
+}
+append_cleanup 'ipsec_cleanup'
+
######################################################################
# main
######################################################################
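Review bot: when $ip_dst is unset the remote side is skipped silently, whereas the sibling ipsec_cleanup in test_ip_xfrm.bash prints a warning for the analogous PASSWD case; an echo here would make a half-done cleanup visible in the log. The ordering (tstsvr_cleanup first, then remote_ipsec_flush) looks deliberate; a one-line comment saying why would stop someone from swapping them later.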
--
1.8.3.1
From: Jiri J. <jja...@re...> - 2013-10-07 11:31:04
Instead of waiting "static" 10 seconds, force the test server
to clean up. This not only eliminates the 10 second sleep, but it also
ensures that the server is cleaned up - with the static 10 seconds,
it is just a guess.
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/netfilebt/run.conf | 7 ++-----
audit-test/netfilter/run.conf | 4 +---
audit-test/network/run.conf | 8 +++-----
audit-test/utils/functions.bash | 10 ++++++++++
4 files changed, 16 insertions(+), 13 deletions(-)
diff --git a/audit-test/netfilebt/run.conf b/audit-test/netfilebt/run.conf
index 02712f6..3778fe2 100644
--- a/audit-test/netfilebt/run.conf
+++ b/audit-test/netfilebt/run.conf
@@ -597,8 +597,8 @@ function run_test {
host_local=$(get_host_local $ipv $host)
host_remote=$(get_host_remote $ipv $host)
- # run the
- # default setup
+ # prepare cleanup and run the default setup
+ append_cleanup "tstsvr_cleanup $host_remote"
ebtaudit_setup
setup_default
@@ -780,9 +780,6 @@ function run_test {
)
status=$?
- # whenever the test fails, pause so the test server can cleanup
- [[ "$expres" == "fail" || "$status" != "0" ]] && sleep 10
-
# display the audit log items
if [[ $status != 0 ]]; then
echo
diff --git a/audit-test/netfilter/run.conf b/audit-test/netfilter/run.conf
index c1eb65c..a48f400 100644
--- a/audit-test/netfilter/run.conf
+++ b/audit-test/netfilter/run.conf
@@ -646,6 +646,7 @@ function run_test {
# exclude ping and RST tests
if ! [[ $tnum -ge 29 && $tnum -le 36 ]] \
&& ! [[ $tnum -ge 45 && $tnum -le 46 ]]; then
+ append_cleanup "tstsvr_cleanup $host_remote"
setup_default
echo "going to setup_default"
fi
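Review bot: the cleanup is registered only inside the if, so the excluded ping and RST cases (tnum 29-36 and 45-46) never get a tstsvr_cleanup; that is fine if they never spawn a server instance, but a comment stating that assumption next to the exclusion would prevent a stuck instances = 1 slot if one of them ever does.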
@@ -1199,9 +1200,6 @@ function run_test {
)
status=$?
- # whenever the test fails, pause so the test server can cleanup
- [[ "$expres" == "fail" || "$status" != "0" ]] && sleep 10
-
# display the audit log items
if [[ $status != 0 ]]; then
echo
diff --git a/audit-test/network/run.conf b/audit-test/network/run.conf
index d1b11f2..63258be 100644
--- a/audit-test/network/run.conf
+++ b/audit-test/network/run.conf
@@ -900,8 +900,9 @@ function run_test {
host_local=$(get_host_local $ipv $host)
host_remote=$(get_host_remote $ipv $host)
- # run the setup callback (which has access to the named params) or run the
- # default setup
+ # prepare cleanup and run the setup callback
+ # (which has access to the named params) or run the default setup
+ append_cleanup "tstsvr_cleanup $host_remote"
if [[ -n $setupfunc ]]; then
$setupfunc
else
@@ -946,9 +947,6 @@ function run_test {
)
status=$?
- # whenever the test fails, pause so the test server can cleanup
- [[ "$expres" == "fail" || "$status" != "0" ]] && sleep 10
-
# display the audit log items
if [[ $status != 0 ]]; then
echo
diff --git a/audit-test/utils/functions.bash b/audit-test/utils/functions.bash
index ed197fd..fece1a6 100644
--- a/audit-test/utils/functions.bash
+++ b/audit-test/utils/functions.bash
@@ -127,6 +127,16 @@ function xtables_empty {
grep -e '^\*' -e '^:[^ ]* [^-]' -e '^COMMIT$' | sed 's/DROP/ACCEPT/ ; s/\[[0-9]*:[0-9]*\]/\[0:0\]/'
}
+# tstsvr_cleanup - cleanup the network server at a specified host
+#
+# DESCRIPTION:
+# This script can be executed after each networking test as a sanity cleanup,
+# to either kill any unfinished lblnet_tst_server instances spawned by xinetd,
+# or to ensure that no remaining instances are frozen even when expres=success.
+function tstsvr_cleanup {
+ nc -w 3 "$1" 4009 </dev/null
+}
+
# parse_named - Parse key=value test arguments
#
# INPUT
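Review bot: the DESCRIPTION says "This script" but this is a shell function, and more importantly nc's exit status is discarded, so a cleanup that never reached port 4009 (host down, or ncat's different -w semantics noted in the last message of this series) is indistinguishable from a successful one. Return nc's status so callers can log it, and say in the comment that the connection itself triggers the kill, which is why stdin is /dev/null.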
--
1.8.3.1
From: Jiri J. <jja...@re...> - 2013-10-07 11:30:51
This mechanism provides a generic way of cleaning up any possible
lblnet_tst_server instances that might be running, and,
due to "instances = 1" xinetd option, blocking the execution of new
instances.
The usage is as simple as
nc <addr> 4009
or
ncat <addr> 4009 < /dev/null
to make ncat quit immediately after opening the connection
(which is enough to spawn the cleanup tool by xinetd on the server).
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/utils/network-server/Makefile | 2 +-
audit-test/utils/network-server/lblnet_tst-tcp | 23 ++++++++++-
audit-test/utils/network-server/pidfile_kill.c | 57 ++++++++++++++++++++++++++
audit-test/utils/selinux-policy/lspp_test.fc | 1 +
4 files changed, 80 insertions(+), 3 deletions(-)
create mode 100644 audit-test/utils/network-server/pidfile_kill.c
diff --git a/audit-test/utils/network-server/Makefile b/audit-test/utils/network-server/Makefile
index 579c9ea..98478d2 100644
--- a/audit-test/utils/network-server/Makefile
+++ b/audit-test/utils/network-server/Makefile
@@ -20,7 +20,7 @@ CPPFLAGS += -I$(UTILSDIR)/include
SRVR_EXE = lblnet_tst_server
-ALL_EXE = $(SRVR_EXE)
+ALL_EXE = $(SRVR_EXE) pidfile_kill
include $(TOPDIR)/rules.mk
diff --git a/audit-test/utils/network-server/lblnet_tst-tcp b/audit-test/utils/network-server/lblnet_tst-tcp
index ee87ccd..388e6a1 100644
--- a/audit-test/utils/network-server/lblnet_tst-tcp
+++ b/audit-test/utils/network-server/lblnet_tst-tcp
@@ -18,7 +18,7 @@ service lblnet_tst_unlabeled_ipv6
port = 4000
server = /usr/local/eal4_testing/audit-test/utils/network-server/lblnet_tst_server
- server_args = -i -t 10 -l /var/log/lblnet_tst_server.log -vv
+ server_args = -i -t 10 -l /var/log/lblnet_tst_server.log -f /var/run/lblnet_tst_server6.pid -vv
}
service lblnet_tst_labeled_ipv4
@@ -37,5 +37,24 @@ service lblnet_tst_labeled_ipv4
port = 4001
server = /usr/local/eal4_testing/audit-test/utils/network-server/lblnet_tst_server
- server_args = -i -t 10 -l /var/log/lblnet_tst_server.log -vv
+ server_args = -i -t 10 -l /var/log/lblnet_tst_server.log -f /var/run/lblnet_tst_server4.pid -vv
+}
+
+service lblnet_tst_cleanup
+{
+ id = lblnet_tst_cleanup
+ type = UNLISTED
+ flags = REUSE
+ wait = no
+ user = root
+ disable = no
+
+ instances = 1
+
+ socket_type = stream
+ protocol = tcp
+ port = 4009
+
+ server = /usr/local/eal4_testing/audit-test/utils/network-server/pidfile_kill
+ server_args = /var/run/lblnet_tst_server6.pid /var/run/lblnet_tst_server4.pid
}
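Review bot: lblnet_tst_cleanup runs pidfile_kill as root for any TCP connection to port 4009, with no only_from restriction, so every host that can reach the test server can kill the server processes at will (and, given the pidfile handling in pidfile_kill.c, potentially whatever process has since reused a stale PID). Add `only_from = <TOE address>` to the service and keep it disabled outside test runs.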
diff --git a/audit-test/utils/network-server/pidfile_kill.c b/audit-test/utils/network-server/pidfile_kill.c
new file mode 100644
index 0000000..b6e5763
--- /dev/null
+++ b/audit-test/utils/network-server/pidfile_kill.c
@@ -0,0 +1,57 @@
+/* Copyright (c) 2013 Red Hat, Inc. All rights reserved.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of version 2 the GNU General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+/* AUTHOR: Jiri Jaburek <jja...@re...>
+ *
+ * This tool processes a list of pidfiles passed on cmdline,
+ * extracts PIDs from them an issues SIGKILL to those PIDs.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <signal.h>
+#include <sys/types.h>
+
+int main(int argc, char **argv)
+{
+ int fd;
+ pid_t pid;
+ char pidstr[6] = {0};
+
+ for (;--argc;argv++) {
+ /* check if pidfile exists */
+ if (access(argv[1], F_OK) == -1)
+ continue;
+
+ /* read pid from file */
+ if ((fd = open(argv[1], O_RDONLY)) == -1)
+ continue;
+ read(fd, pidstr, sizeof(pidstr)-1);
+ close(fd);
+
+ /* get numeric pid */
+ pid = atoi(pidstr);
+ if (pid == 0)
+ continue;
+
+ /* signal the process, ignore return value
+ * (the process might not exist anymore) */
+ kill(pid, SIGKILL);
+ }
+
+ return 0;
+}
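Review bot: the read/kill loop has three defects. pidstr is declared once outside the loop and read() does not NUL-terminate, so a shorter PID read after a longer one inherits trailing digits from the previous file (the '\n' written by write_pid usually terminates it, but a 5-digit PID fills the buffer without it); pidstr[6] also truncates any PID longer than 5 digits (pid_max can be raised to 4194304 on 64-bit), producing a different, valid PID. Nothing checks that the PID still belongs to lblnet_tst_server or removes the pidfile after the kill, so a stale file from a server that already exited makes this root-run tool SIGKILL whichever process has been assigned that PID since. Zero the buffer per iteration, check read()'s return value, parse with strtol plus range checks, compare /proc/<pid>/comm (or exe) before signalling, and unlink the pidfile afterwards; the access() call before open() is redundant and can go.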
diff --git a/audit-test/utils/selinux-policy/lspp_test.fc b/audit-test/utils/selinux-policy/lspp_test.fc
index ee4dcb9..87493b1 100644
--- a/audit-test/utils/selinux-policy/lspp_test.fc
+++ b/audit-test/utils/selinux-policy/lspp_test.fc
@@ -64,6 +64,7 @@
# network test driver
/usr/local/eal4_testing/audit-test/utils/network-server/lblnet_tst_server -- gen_context(system_u:object_r:lspp_harness_exec_t,s0)
+/usr/local/eal4_testing/audit-test/utils/network-server/pidfile_kill -- gen_context(system_u:object_r:lspp_harness_exec_t,s0)
# unprivileged test applets
/usr/local/eal4_testing/audit-test/utils/bin/do_[a-zA-Z0-9_\-]+ -- gen_context(system_u:object_r:lspp_test_generic_exec_t,s0)
--
1.8.3.1
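Hardened variant of the pidfile-driven cleanup this message describes, added here as an illustration and not part of the patch or the audit-test project: it replaces atoi() with strict parsing, checks /proc/<pid>/comm before signalling and unlinks the pidfile afterwards. The expected process name and a Linux /proc are assumptions.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define PID_MAX_LIMIT 4194304L   /* largest pid_max Linux allows (64-bit) */

/* Parse a pidfile's contents (e.g. "1234\n") strictly.  Returns 0 and stores
 * the pid on success, -1 on empty, garbage or out-of-range input.  Unlike
 * atoi(), trailing junk and values outside the pid range are rejected, so a
 * truncated or corrupted file cannot be turned into a different, valid PID. */
int parse_pid(const char *text, pid_t *out)
{
    char *end;
    long val;

    if (text == NULL || *text == '\0')
        return -1;
    errno = 0;
    val = strtol(text, &end, 10);
    if (errno != 0 || end == text)
        return -1;
    /* only trailing whitespace (normally the newline) may follow the digits */
    while (*end == '\n' || *end == '\r' || *end == ' ' || *end == '\t')
        end++;
    if (*end != '\0')
        return -1;
    /* 0 or a negative value would address a process group or every process,
     * and PID 1 must never be a kill target */
    if (val <= 1 || val > PID_MAX_LIMIT)
        return -1;
    *out = (pid_t)val;
    return 0;
}

/* Compare /proc/<pid>/comm with the expected program name.  Returns 1 on a
 * match, 0 if the process is gone or is something else (a stale pidfile whose
 * PID was recycled by an unrelated process), -1 if /proc is unavailable.
 * The kernel truncates comm to 15 bytes, so the expected name is truncated
 * the same way before comparing ("lblnet_tst_server" -> "lblnet_tst_serv"). */
int pid_has_comm(pid_t pid, const char *expected)
{
    char path[64], comm[64], want[16];
    FILE *f;
    size_t n;

    snprintf(path, sizeof(path), "/proc/%ld/comm", (long)pid);
    f = fopen(path, "r");
    if (f == NULL)
        return (errno == ENOENT && access("/proc/self", F_OK) == 0) ? 0 : -1;
    n = fread(comm, 1, sizeof(comm) - 1, f);
    fclose(f);
    comm[n] = '\0';
    if (n > 0 && comm[n - 1] == '\n')
        comm[n - 1] = '\0';
    snprintf(want, sizeof(want), "%s", expected);
    return strcmp(comm, want) == 0;
}

/* For every pidfile on the command line: parse it, verify the PID still
 * belongs to the expected program, SIGKILL it, and unlink the pidfile so a
 * later invocation can never act on a stale entry.  Unverifiable entries
 * (including "no /proc") are dropped without signalling: fail closed.
 * Returns the number of processes signalled. */
int kill_from_pidfiles(int argc, char **argv, const char *expected_comm)
{
    int i, killed = 0;

    for (i = 1; i < argc; i++) {
        char buf[32] = {0};      /* fresh per file: no carry-over between pidfiles */
        pid_t pid;
        FILE *f = fopen(argv[i], "r");

        if (f == NULL)
            continue;            /* no pidfile, nothing to do */
        if (fgets(buf, sizeof(buf), f) != NULL
            && parse_pid(buf, &pid) == 0
            && pid_has_comm(pid, expected_comm) == 1
            && kill(pid, SIGKILL) == 0)
            killed++;
        fclose(f);
        unlink(argv[i]);         /* consumed or stale: remove it either way */
    }
    return killed;
}

int main(int argc, char **argv)
{
    /* constructed usage: ./pidfile_kill_safe /var/run/a.pid /var/run/b.pid */
    kill_from_pidfiles(argc, argv, "lblnet_tst_server");
    return 0;
}
```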
From: Jiri J. <jja...@re...> - 2013-10-07 11:30:38
This enables the server to write PID of itself into a file, like so:
-f /path/to/file.pid
Signed-off-by: Jiri Jaburek <jja...@re...>
---
.../utils/network-server/lblnet_tst_server.c | 30 ++++++++++++++++++++--
1 file changed, 28 insertions(+), 2 deletions(-)
diff --git a/audit-test/utils/network-server/lblnet_tst_server.c b/audit-test/utils/network-server/lblnet_tst_server.c
index 64faa96..834326f 100644
--- a/audit-test/utils/network-server/lblnet_tst_server.c
+++ b/audit-test/utils/network-server/lblnet_tst_server.c
@@ -104,12 +104,31 @@ void hlp_usage(char *name)
{
SMSG(SMSG_ERR,
fprintf(log_fd,
- "usage: %s [-i] [-l <log_file>] [-p <port>] [-q] [-t <secs>] [-v]\n",
+ "usage: %s [-i] [-l <log_file>] [-p <port>] [-f <pid_file>] [-q] [-t <secs>] [-v]\n",
(name != NULL ? name : "?")));
exit(1);
}
/**
+ * write_pid - Write pid of the current process into a file
+ * @filename - pidfile name / path
+ *
+ */
+int write_pid(char *filename)
+{
+ FILE *pfile;
+
+ pfile = fopen(filename, "w");
+ if (pfile == NULL)
+ return -1;
+
+ fprintf(pfile, "%d\n", getpid());
+ fclose(pfile);
+
+ return 0;
+}
+
+/**
* net_hlp_timeout_rcv - Wait for data on a socket
* @sock: socket
*
@@ -1006,7 +1025,7 @@ int main(int argc, char *argv[])
/* command line arguments */
do {
- arg_iter = getopt(argc, argv, "ip:qt:vl:");
+ arg_iter = getopt(argc, argv, "ip:f:qt:vl:");
switch (arg_iter) {
case 'i':
/* [x]inetd flag */
@@ -1016,6 +1035,13 @@ int main(int argc, char *argv[])
/* control message port */
ctl_port = atoi(optarg);
break;
+ case 'f':
+ /* pid file */
+ if (write_pid(optarg) < 0) {
+ fprintf(stderr,
+ "error: failed to create pidfile %s\n", optarg);
+ }
+ break;
case 'q':
/* quiet */
smsg_level = SMSG_NONE;
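Review bot: write_pid creates the file but nothing removes it when the server exits, so after a normal termination the pidfile keeps pointing at a PID that the kernel will reuse; unlink it on the exit path (or have pidfile_kill remove it after use). The failure message also goes to stderr, but under xinetd with -i the standard streams are the client socket, so the text reaches the peer rather than the log; use the SMSG/log_fd path that hlp_usage uses a few lines above.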
--
1.8.3.1
From: Jiri J. <jja...@re...> - 2013-10-07 11:29:55
The lblnet_tst_server is launched from xinetd with explicit
`-t 10' option, which caused the server to give up after 10 seconds.
It therefore doesn't make sense to wait 90 seconds for a timeout.
Removing $alarmv altogether makes do_accept use its default timer
of 15 seconds, which is already used by the network bucket.
This change saves approximately 23*(90-15) seconds (~29 minutes)
when running netfilter/netfilebt buckets.
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/netfilebt/run.conf | 38 +++++++++++++++++++-------------------
audit-test/netfilter/run.conf | 8 ++++----
2 files changed, 23 insertions(+), 23 deletions(-)
diff --git a/audit-test/netfilebt/run.conf b/audit-test/netfilebt/run.conf
index f8676bd..f2cff0d 100644
--- a/audit-test/netfilebt/run.conf
+++ b/audit-test/netfilebt/run.conf
@@ -989,7 +989,7 @@ done
+ accept \
mlsop=eq expres=fail err=EINTR\
host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \
- tnum=8 alarmv=90 '$ipv $port $alarmv'
+ tnum=8 '$ipv $port'
## TESTCASE: Test #8 tnum 9
## Table Rule no blocking
## Input remote server sends udp packets to bridge ipv4 address
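Review bot: the commit message justifies falling back to the 15 s default with the server's -t 10, but a later patch in this series removes -t 10 from the xinetd config, so after the series the only bound on these EINTR fail cases is do_accept's own timer; stating that directly would stop someone from reintroducing alarmv once the -t argument is gone. The remaining hunks are the same mechanical edit.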
@@ -1024,7 +1024,7 @@ done
+ accept \
mlsop=eq expres=success \
host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \
- tnum=12 alarmv=90 '$ipv $port $alarmv'
+ tnum=12 '$ipv $port'
## TESTCASE: Test #12 tnum 13
## Table Rule INPUT chain policy set to DROP, ACCEPT TCP packets to
## port destination port (tst_port1) and log in audit.log
@@ -1034,7 +1034,7 @@ done
+ accept \
mlsop=eq expres=success \
host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \
- tnum=13 alarmv=90 '$ipv $port $alarmv'
+ tnum=13 '$ipv $port'
## TESTCASE: Test #13 tnum 14
## Table Rule INPUT chain policy set to DROP no other rule
## Input remote server sends tcp connect to bridge ipv4 address
@@ -1044,7 +1044,7 @@ done
+ accept \
mlsop=eq expres=fail err=EINTR\
host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \
- tnum=14 alarmv=90 '$ipv $port $alarmv'
+ tnum=14 '$ipv $port'
## TESTCASE: Test #14 tnum 15
## Table Rule accept packets to logical bridge device (BRIDGE_FILTER)
## Input remote server sends tcp connect to bridge ipv4 address
@@ -1052,7 +1052,7 @@ done
+ accept \
mlsop=eq expres=success \
host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \
- tnum=15 alarmv=90 '$ipv $port $alarmv'
+ tnum=15 '$ipv $port'
## TESTCASE: Test #15 tnum 16
## Table Rule drop packets to logical bridge device (BRIDGE_FILTER)
## Input remote server sends tcp connect to bridge ipv4 address
@@ -1060,7 +1060,7 @@ done
+ accept \
mlsop=eq expres=fail err=EINTR\
host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \
- tnum=16 alarmv=90 '$ipv $port $alarmv'
+ tnum=16 '$ipv $port'
## TESTCASE: Test #16 tnum 17
## Table Rule accepts packets from mac address of remote server eth1
## Input remote server sends tcp connect to bridge ipv4 address
@@ -1068,7 +1068,7 @@ done
+ accept \
mlsop=eq expres=success \
host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \
- tnum=17 alarmv=90 '$ipv $port $alarmv'
+ tnum=17 '$ipv $port'
## TESTCASE: Test #17 tnum 18
## Table Rule drop packets from mac address of remote server
## Input remote server sends tcp connect to bridge ipv4 address
@@ -1076,7 +1076,7 @@ done
+ accept \
mlsop=eq expres=fail err=EINTR \
host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \
- tnum=18 alarmv=90 '$ipv $port $alarmv'
+ tnum=18 '$ipv $port'
## TESTCASE: Test #18 tnum 19
## Table Rule accepts packets to mac address of TOE device enslaved
## to bridge
@@ -1085,7 +1085,7 @@ done
+ accept \
mlsop=eq expres=success \
host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \
- tnum=19 alarmv=90 '$ipv $port $alarmv'
+ tnum=19 '$ipv $port'
## TESTCASE: Test #19 tnum 20
## Table Rule drop packets to mac address of TOE device enslaved
## to bridge
@@ -1094,7 +1094,7 @@ done
+ accept \
mlsop=eq expres=fail err=EINTR \
host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \
- tnum=20 alarmv=90 '$ipv $port $alarmv'
+ tnum=20 '$ipv $port'
## TESTCASE: Test #20 tnum 21
## Table Rule no blocking
## Input TOE sends tcp connect (ipv6) to remote server over bridge
@@ -1168,7 +1168,7 @@ done
+ accept \
mlsop=eq expres=fail err=EINTR\
host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \
- tnum=28 alarmv=90 '$ipv $port $alarmv'
+ tnum=28 '$ipv $port'
## TESTCASE: Test #28 tnum 29
## Table Rule no blocking
## Input remote server sends udp packets to bridge ipv6 address
@@ -1202,7 +1202,7 @@ done
+ accept \
mlsop=eq expres=success \
host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \
- tnum=32 alarmv=90 '$ipv $port $alarmv'
+ tnum=32 '$ipv $port'
## TESTCASE: Test #32 tnum 33
## Table Rule INPUT chain policy set to DROP, tcp (ipv6) packets to
## TOE port tst_port1 allowed. log of accepted packets to
@@ -1213,7 +1213,7 @@ done
+ accept \
mlsop=eq expres=success \
host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \
- tnum=33 alarmv=90 '$ipv $port $alarmv'
+ tnum=33 '$ipv $port'
## TESTCASE: Test #33 tnum 34
## Table Rule INPUT chain policy set to DROP, only port 22 allowed.
## Input remote server sends tcp connect (ipv6) to TOE port
@@ -1222,7 +1222,7 @@ done
+ accept \
mlsop=eq expres=fail err=EINTR\
host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \
- tnum=34 alarmv=90 '$ipv $port $alarmv'
+ tnum=34 '$ipv $port'
## TESTCASE: Test #34 tnum 35
## Table Rule logical bridge device accepts traffic and logs
## to audit.log
@@ -1232,7 +1232,7 @@ done
+ accept \
mlsop=eq expres=success \
host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \
- tnum=35 alarmv=90 '$ipv $port $alarmv'
+ tnum=35 '$ipv $port'
## TESTCASE: Test #35 tnum 36
## Table Rule logical bridge device drops packets and logs to audit.log
## Input remote server sends tcp connect (ipv6) to TOE bridge
@@ -1241,7 +1241,7 @@ done
+ accept \
mlsop=eq expres=fail err=EINTR\
host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \
- tnum=36 alarmv=90 '$ipv $port $alarmv'
+ tnum=36 '$ipv $port'
## TESTCASE: Test #36 tnum 37
## Table Rule accept packets (ipv6) from mac address of remote server
## and log to audit.log
@@ -1259,7 +1259,7 @@ done
+ accept \
mlsop=eq expres=fail err=EINTR \
host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \
- tnum=38 alarmv=90 '$ipv $port $alarmv'
+ tnum=38 '$ipv $port'
## TESTCASE: Test #38 tnum 39
## Table Rule accept packets (ipv6) to mac address of TOE device
## enslaved to bridge and log to audit.log
@@ -1268,7 +1268,7 @@ done
+ accept \
mlsop=eq expres=success \
host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \
- tnum=39 alarmv=90 '$ipv $port $alarmv'
+ tnum=39 '$ipv $port'
## TESTCASE: Test #39 tnum 40
## Table Rule drop packets (ipv6) to mac address of TOE device
## enslaved to bridge and log to audit.log
@@ -1277,7 +1277,7 @@ done
+ accept \
mlsop=eq expres=fail err=EINTR \
host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \
- tnum=40 alarmv=90 '$ipv $port $alarmv'
+ tnum=40 '$ipv $port'
## TESTCASE Test #40 tnum 41
## No Table Rule This test insures a normal user does not have
## permision to modify the ebtables
diff --git a/audit-test/netfilter/run.conf b/audit-test/netfilter/run.conf
index 762b516..23740c6 100644
--- a/audit-test/netfilter/run.conf
+++ b/audit-test/netfilter/run.conf
@@ -1444,7 +1444,7 @@ done
+ accept \
mlsop=eq expres=fail err=EINTR \
host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \
- tnum=10 alarmv=90 '$ipv $port $alarmv'
+ tnum=10 '$ipv $port'
## TESTCASE Test #10 tnum 11
## Table Rule no blocking
## Input tcp connection request sent (ipv6) from netserver to port
@@ -1463,7 +1463,7 @@ done
+ accept \
mlsop=eq expres=fail err=EINTR \
host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \
- tnum=12 alarmv=90 '$ipv $port $alarmv'
+ tnum=12 '$ipv $port'
## TESTCASE Test #12 tnum 13
## Table Rule no blocking
## Input udp packets (ipv4) sent over local loopback device
@@ -1987,7 +1987,7 @@ done
+ accept \
mlsop=eq expres=fail err=EINTR \
host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \
- tnum=60 alarmv=90 '$ipv $port $alarmv'
+ tnum=60 '$ipv $port'
## TESTCASE Test #60 tnum 61
## Table Rule no blocking
## Input tcp connect request (ipv6) sent from remote
@@ -2007,7 +2007,7 @@ done
+ accept \
mlsop=eq expres=fail err=EINTR \
host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \
- tnum=62 alarmv=90 '$ipv $port $alarmv'
+ tnum=62 '$ipv $port'
## TESTCASE Test #62 tnum 63
## No Table Rule This test insures a normal user does not have
## permision to modify the iptables
--
1.8.3.1
From: Jiri J. <jja...@re...> - 2013-10-07 11:29:53
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/netfilebt/run.conf | 4 +---
audit-test/netfilter/run.conf | 14 ++++----------
2 files changed, 5 insertions(+), 13 deletions(-)
diff --git a/audit-test/netfilebt/run.conf b/audit-test/netfilebt/run.conf
index f2cff0d..02712f6 100644
--- a/audit-test/netfilebt/run.conf
+++ b/audit-test/netfilebt/run.conf
@@ -533,7 +533,7 @@ ebtables -A INPUT -p ipv6 --ip6-protocol ipv6-icmp --ip6-icmp-type neighbour-adv
ebtables -N AUDIT_DROP
ebtables -A AUDIT_DROP -j AUDIT --audit-type DROP
ebtables -A AUDIT_DROP -j DROP
-sleep 1
+
ebtables -N AUDIT_ACCEPT
ebtables -A AUDIT_ACCEPT -j AUDIT --audit-type ACCEPT
ebtables -A AUDIT_ACCEPT -j ACCEPT
@@ -600,7 +600,6 @@ function run_test {
# run the
# default setup
ebtaudit_setup
- sleep 4
setup_default
case $tnum in
@@ -701,7 +700,6 @@ function run_test {
ebtables -A INPUT -d $LOCAL_SEC_MAC -j AUDIT_DROP
;;
*)
- sleep 1
echo "test case = $tnum"
;;
esac
diff --git a/audit-test/netfilter/run.conf b/audit-test/netfilter/run.conf
index 23740c6..af28b90 100644
--- a/audit-test/netfilter/run.conf
+++ b/audit-test/netfilter/run.conf
@@ -397,10 +397,10 @@ function setup_default {
if [[ ! $xndpid ]]; then
echo "starting local lblnet_tst_server"
- ./do_netfilsvr.bash
+ ./do_netfilsvr.bash
+ sleep 1
fi
fi
- sleep 1
# generate the host command string
remote_obj="$(get_label_obj $mlsop)"
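Review bot: moving the sleep inside the if is right, but a fixed 1 s after launching do_netfilsvr.bash is still a guess; since the local server listens on a known port, polling for the listening socket with a short deadline (a loop around `ss -ltn` or `nc -z`) would remove the last timing assumption in this setup path. The indentation-only change on the `./do_netfilsvr.bash` line inflates the diff and could be dropped.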
@@ -553,7 +553,7 @@ iptables -A AUDIT_DROP -j DROP
iptables -N AUDIT_REJECT
iptables -A AUDIT_REJECT -j AUDIT --type REJECT
iptables -A AUDIT_REJECT -j REJECT
-sleep 1
+
iptables -N AUDIT_ACCEPT
iptables -A AUDIT_ACCEPT -j AUDIT --type ACCEPT
iptables -A AUDIT_ACCEPT -j ACCEPT
@@ -572,7 +572,7 @@ ip6tables -A AUDIT_DROP -j DROP
ip6tables -N AUDIT_REJECT
ip6tables -A AUDIT_REJECT -j AUDIT --type REJECT
ip6tables -A AUDIT_REJECT -j REJECT
-sleep 1
+
ip6tables -N AUDIT_ACCEPT
ip6tables -A AUDIT_ACCEPT -j AUDIT --type ACCEPT
ip6tables -A AUDIT_ACCEPT -j ACCEPT
@@ -649,7 +649,6 @@ function run_test {
# default setup
iptables_setup
ip6tables_setup
- sleep 3
# exclude ping and RST tests
if ! [[ $tnum -ge 29 && $tnum -le 36 ]] \
&& ! [[ $tnum -ge 45 && $tnum -le 46 ]]; then
@@ -765,20 +764,16 @@ function run_test {
iptables -P INPUT DROP
# add rule to make sure our ssh session stays alive
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- sleep 1
iptables -A INPUT -p tcp -m multiport --dports 4000,$tst_port2 -j AUDIT_ACCEPT
iptables -A INPUT -p tcp --dport 30000:60000 -j AUDIT_ACCEPT
- sleep 1
setup_default
actv=0
protov=6
;;
35 | 36)
ip6tables -P INPUT DROP
- sleep 1
ip6tables -A INPUT -p tcp -m multiport --dports 4000,$tst_port2 -j AUDIT_ACCEPT
ip6tables -A INPUT -p tcp --dport 30000:60000 -j AUDIT_ACCEPT
- sleep 1
setup_default
actv=0
protov=6
@@ -908,7 +903,6 @@ function run_test {
ip6tables -A INPUT -i $LOCAL_DEV -j DROP
;;
*)
- sleep 1
echo "test case = $tnum"
;;
esac
--
1.8.3.1
From: Jiri J. <jja...@re...> - 2013-10-07 11:29:26
In RHEL6.3 and newer, the tcp connect timeout derived from
tcp_syn_retries has changed. Here's an example with telnet, connecting
to a destination, which is known to time out:
telnet/rhel6.2 telnet/rhel6.3+,rhel7
retries == 1: 9s 3s
retries == 2: 9s 7s
retries == 3: 9s 15s
retries == 4: 9s 31s
retries == 5: 21s 1m3s
retries == 6: 45s 2m7s
The default on RHEL6 (6.2 and 6.3+) is 5, default on RHEL7 is 6.
This means that all tcp connection timeout testing in the suite is going
to take 1m3s on RHEL6.3+ per test instead of 21s, or 2m7s instead of 21s
on RHEL7.
These timeouts are unnecessarily long for a local network with typical
latency below 1ms and nearly zero packet loss. Using a value of 7s in
those cases should be fine.
My testing shows that even 3s (retries value set to 1) works fine, but
it's always good to have an extra safety measure.
Of course, the suite should work even with default (very long) timeouts.
The benchmarks were done by running the network, netfilter and netfilebt
test buckets, using different values for tcp_syn_retries on RHEL6.4:
retries == 5, RHEL6.3+ default: ~69 minutes
retries == 6, RHEL7 default: ~90 minutes
retries == 2, new explicit val: ~37 minutes
This change therefore saves about 32 minutes on RHEL6.3+ and 53 minutes
on RHEL7. A smaller amount of time is also saved on RHEL6.2, due to the
default being 21s and retries == 2 being 9s there.
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/README.run | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/audit-test/README.run b/audit-test/README.run
index d9311bd..22389c3 100644
--- a/audit-test/README.run
+++ b/audit-test/README.run
@@ -67,6 +67,15 @@ require a network test server as well as the target system.
Verify that the target system and the network test server have the same time,
the best way is to use ntpd for such a synchronization.
+To greatly speed up networking-related test buckets, you can decrease
+the number of TCP retries, to make fail (timeout) verification faster.
+Assuming the testing machine is close to the network server (local network)
+and uses a mostly-reliable link layer (Ethernet), the following should
+be safe to do:
+
+# echo "net.ipv4.tcp_syn_retries = 2" >> /etc/sysctl.conf
+# sysctl -p
+
Verify that each ext4 filesystem in /etc/fstab has the 'user_xattr' option.
If you do not have an administrative eal user other than the root user, log
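Review bot: `echo ... >> /etc/sysctl.conf` appends another copy of the key every time somebody follows the README, and the change is persistent and system-wide on the evaluation target rather than scoped to the test run. Suggest documenting `sysctl -w net.ipv4.tcp_syn_retries=2` for the duration of the run, with a note to restore the distribution default (5 on RHEL6, 6 on RHEL7, per the commit message) afterwards. One more sentence would help readers: the `net.ipv4` knob governs IPv6 TCP connects as well, which matters because the netfilter buckets use `nc -6`.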
--
1.8.3.1
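The table in the commit message above lists connect timeouts per tcp_syn_retries value but not where they come from. The following is an added illustration for this thread, not code from the audit-test suite: it models the RHEL 6.3+/RHEL 7 column as the standard SYN retransmission schedule (an initial RTO of 1 s that doubles on every retransmission, so n retries cost 2^(n+1) - 1 seconds) and uses that to pick the largest retry count that fits a timeout budget. The RHEL 6.2 column follows older kernel logic that this model does not reproduce; the initial RTO value and the `/proc` path are assumptions stated in the code.

```python
"""Worst-case connect() timeout as a function of net.ipv4.tcp_syn_retries.

Added illustration for this thread; it is not part of the audit-test suite.
Assumption (not stated on the page): the RHEL 6.3+ / RHEL 7 column of the
table is the plain exponential schedule, an initial RTO of 1 s that doubles
on every SYN retransmission, so the timeout for n retries is 2**(n+1) - 1 s.
The RHEL 6.2 column follows older kernel logic that is not modelled here.
"""
import socket
import time

SYSCTL_PATH = "/proc/sys/net/ipv4/tcp_syn_retries"   # assumed Linux path


def syn_timeout_seconds(tcp_syn_retries, initial_rto=1.0):
    """Seconds connect() blocks before ETIMEDOUT when no SYN-ACK ever arrives.

    The initial SYN and each of the `tcp_syn_retries` retransmissions waits
    one RTO; the RTO doubles after every retransmission.  With the default
    initial_rto=1.0 this gives 3, 7, 15, 31, 63 and 127 s for 1..6 retries,
    matching the second column of the table in the commit message.
    """
    if tcp_syn_retries < 0:
        raise ValueError("tcp_syn_retries must be >= 0")
    return sum(initial_rto * 2 ** i for i in range(tcp_syn_retries + 1))


def max_retries_within(budget_seconds, initial_rto=1.0):
    """Largest tcp_syn_retries whose worst-case timeout still fits the budget.

    Taking the largest value that fits keeps as much retransmission slack as
    possible for lossy links while bounding how long a negative (timeout)
    test can take.  Returns at least 1; raises if even one retry does not fit.
    """
    best = None
    n = 1
    while syn_timeout_seconds(n, initial_rto) <= budget_seconds:
        best = n
        n += 1
    if best is None:
        raise ValueError("budget %.1fs is below the 1-retry timeout" % budget_seconds)
    return best


def current_tcp_syn_retries(path=SYSCTL_PATH):
    """Read the live value, or None when not on Linux / not readable."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def measure_connect_timeout(host, port, cap_seconds):
    """Time one unanswered connect(); returns (elapsed_seconds, errno or None).

    A socket timeout caps the wait so a misconfigured box cannot hang the
    caller.  Against a destination that silently drops SYNs the elapsed time
    approaches syn_timeout_seconds(current_tcp_syn_retries()).
    """
    t0 = time.monotonic()
    err = None
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(cap_seconds)
        try:
            s.connect((host, port))
        except OSError as exc:
            err = exc.errno
    return time.monotonic() - t0, err


if __name__ == "__main__":
    for n in range(1, 7):
        print("retries == %d: %4.0fs" % (n, syn_timeout_seconds(n)))
    live = current_tcp_syn_retries()
    if live is not None:
        print("this host: tcp_syn_retries=%d -> %.0fs worst case"
              % (live, syn_timeout_seconds(live)))
    print("largest value fitting a 10 s budget:", max_retries_within(10))
```

Run it on a test machine to see what the current setting costs per timeout test; `measure_connect_timeout` can then be pointed at an address that is known to drop SYNs (with a generous cap) to confirm the model against the running kernel before changing the sysctl.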
|
|
From: Jiri J. <jja...@re...> - 2013-10-07 11:29:12
|
RHEL7 now uses Nmap's "ncat" instead of traditional netcat.
ncat has a different meaning of the `-w' switch - its original
functionality
    -w secs                      Timeout for connects and final net reads
has been split into `-w' and `-i'
    -i, --idle-timeout <time>    Idle read/write timeout
    -w, --wait <time>            Connect timeout
However, original nc lines cannot simply be rewritten as `-w 1 -i 1',
because ncat returns 1 and fails with an error message as soon as
the idle timeout expires.
The original meaning of `-w' has been used in various use cases
throughout the suite, mostly for its idle-timeout capability:
1. to close conn to lblnet_tst_server when it sleeps
2. to check for listening daemons (and close conn on connect)
3. because it was used elsewhere and somebody just copied it (?)
This patch makes these use cases use proper solutions:
1. use the new detach; command before issuing sleep
2. send ^D to sshd when a connection opens
It also makes use of the new meaning of `-w', to specify conn timeout,
so that tests don't need to wait 30 seconds for timeout.
A new value of 3 seconds is used to mitigate possible first-packet
issues with late delivery because of ARP/ND resolution.
The removal of unnecessary idle waits in network/netfilter/netfilebt
buckets also speeds up the suite execution by several minutes.
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/kvm/test_network_export_other_source_ip.exp | 2 +-
audit-test/kvm/test_network_import_other_dest_ip.exp | 2 +-
audit-test/netfilebt/Makefile | 2 +-
audit-test/netfilebt/run.conf | 9 +++++----
audit-test/netfilter/Makefile | 2 +-
audit-test/netfilter/netfilter_functions.bash | 12 ++++++------
audit-test/netfilter/run.conf | 9 +++++----
audit-test/network/Makefile | 4 ++--
audit-test/network/run.conf | 9 +++++----
audit-test/trustedprograms/tests/test_ipsec.bash | 6 +++---
audit-test/trustedprograms/tests/test_xinetd.bash | 4 ++--
11 files changed, 32 insertions(+), 29 deletions(-)
diff --git a/audit-test/kvm/test_network_export_other_source_ip.exp b/audit-test/kvm/test_network_export_other_source_ip.exp
index 2e7bf9f..5926318 100755
--- a/audit-test/kvm/test_network_export_other_source_ip.exp
+++ b/audit-test/kvm/test_network_export_other_source_ip.exp
@@ -41,7 +41,7 @@ for {set i $first} {$i <= $env(last)} {incr i 1} {
# virtual machine environment network sshd service to start.
for {set j 1} {$j <= $env(kvm_guest_timeout)} {incr j 1} {
- set rc [catch { exec nc -s $env(kvm_guest_${i}_hostaddr) -w 1 $env(kvm_guest_${i}_addr) 22 } results]
+ set rc [catch { exec echo -ne \004 | nc -s $env(kvm_guest_${i}_hostaddr) -w 3 $env(kvm_guest_${i}_addr) 22 } results]
if { $rc eq 0 } {
break
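Review bot: the retry loop runs up to `$env(kvm_guest_timeout)` iterations and each failed attempt can now block for 3 s instead of 1 s, so the effective wait for the guest sshd triples unless `kvm_guest_timeout` is adjusted. Also worth confirming what makes sshd hang up here: is it the ^D byte, or the EOF on the pipe that ncat turns into a half-close once stdin is drained? If the latter, `nc ... < /dev/null` would express the intent without sending a control character to the daemon.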
diff --git a/audit-test/kvm/test_network_import_other_dest_ip.exp b/audit-test/kvm/test_network_import_other_dest_ip.exp
index 1b107b5..9d2171e 100755
--- a/audit-test/kvm/test_network_import_other_dest_ip.exp
+++ b/audit-test/kvm/test_network_import_other_dest_ip.exp
@@ -41,7 +41,7 @@ for {set i $first} {$i <= $env(last)} {incr i 1} {
# virtual machine environment network sshd service to start.
for {set j 1} {$j <= $env(kvm_guest_timeout)} {incr j 1} {
- set rc [catch { exec nc -s $env(kvm_guest_${i}_hostaddr) -w 1 $env(kvm_guest_${i}_addr) 22 } results]
+ set rc [catch { exec echo -ne \004 | nc -s $env(kvm_guest_${i}_hostaddr) -w 3 $env(kvm_guest_${i}_addr) 22 } results]
if { $rc eq 0 } {
break
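Review bot: this loop is identical, character for character, to the one in test_network_export_other_source_ip.exp; a shared Tcl proc for "wait until the guest's sshd accepts a connection" would keep the two from drifting apart the next time the netcat flags change.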
diff --git a/audit-test/netfilebt/Makefile b/audit-test/netfilebt/Makefile
index d29058c..f3b5b4a 100644
--- a/audit-test/netfilebt/Makefile
+++ b/audit-test/netfilebt/Makefile
@@ -22,4 +22,4 @@ include $(TOPDIR)/rules.mk
unlock:
[[ -n $$LBLNET_SVR_IPV6 ]] && \
- (echo "lock:release;" | nc -w 1 $$LBLNET_SVR_IPV6 4000)
+ (echo "lock:release;" | nc -w 3 $$LBLNET_SVR_IPV6 4000)
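Review bot: `[[ -n $$LBLNET_SVR_IPV6 ]] && (...)` exits non-zero when the variable is empty, so `make unlock` reports an error on hosts without an IPv6 test server; prefix the recipe line with `-` or append `|| true`. The recipe also depends on `[[`, i.e. on SHELL being bash for these Makefiles.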
diff --git a/audit-test/netfilebt/run.conf b/audit-test/netfilebt/run.conf
index 290bb5e..f8676bd 100644
--- a/audit-test/netfilebt/run.conf
+++ b/audit-test/netfilebt/run.conf
@@ -288,7 +288,7 @@ function tstsvr_lock {
declare cmd_str="lock:set,$tstsvr_lock_timeout;"
echo $lblnet_svr6_host
- rc="$(nc -6 -w 1 $lblnet_svr6_host 4000 <<< $cmd_str)"
+ rc="$(nc -6 -w 3 $lblnet_svr6_host 4000 <<< $cmd_str)"
if [[ $rc == 0 ]]; then
tstsvr_lock_held=1
return 0
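Review bot: the `echo $lblnet_svr6_host` just above the `nc` call looks like leftover debugging output; the netfilter/run.conf copy of this function does not have it, and here it goes straight into the test log with no label. Drop it or send it to stderr with a prefix.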
@@ -319,7 +319,7 @@ function tstsvr_unlock {
declare cmd_str="lock:release;"
if [[ $tstsvr_lock_held == 1 ]]; then
- nc -6 -w 1 $lblnet_svr6_host 4000 <<< $cmd_str
+ nc -6 -w 3 $lblnet_svr6_host 4000 <<< $cmd_str
fi
}
@@ -379,6 +379,7 @@ function setup_default {
# generate the host command string
remote_obj="$(get_label_obj $mlsop)"
cmd_str="sockcon:full,system_u:system_r:$(get_test_domain $type $host):$remote_obj;"
+ cmd_str+="detach;"
case $op in
sendrand_tcp)
local_host="$(get_host_local $ipv $host)"
@@ -410,11 +411,11 @@ function setup_default {
for ((loop_cnt=0; loop_cnt<=2 && rc!=0; loop_cnt++)); do
case $host in
remote)
- rc="$(nc -6 -w 2 $lblnet_svr6_host 4000 <<< $cmd_str)"
+ rc="$(nc -6 -w 3 $lblnet_svr6_host 4000 <<< $cmd_str)"
;;
local)
# use the same port as the remote IPv4 setting
- rc="$(nc -w 1 ::1 4000 <<< $cmd_str)"
+ rc="$(nc -w 3 ::1 4000 <<< $cmd_str)"
;;
*)
exit_fail "invalid test argument"
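Review bot: the retry condition `rc!=0` sits inside `(( ))`, where an empty `rc` evaluates to 0; when `nc -w 3` times out it prints nothing, so a connect timeout ends the loop exactly like a successful `0` reply and the test proceeds against a server that never acknowledged the setup. Check `[[ -z $rc ]]` separately and treat it as a failure to retry. Note also that with `detach;` appended right after `sockcon`, the only reply the client can ever see is the one for `sockcon`; the `case $op` command runs after the control socket is gone, so its outcome is never reported here.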
diff --git a/audit-test/netfilter/Makefile b/audit-test/netfilter/Makefile
index d29058c..f3b5b4a 100644
--- a/audit-test/netfilter/Makefile
+++ b/audit-test/netfilter/Makefile
@@ -22,4 +22,4 @@ include $(TOPDIR)/rules.mk
unlock:
[[ -n $$LBLNET_SVR_IPV6 ]] && \
- (echo "lock:release;" | nc -w 1 $$LBLNET_SVR_IPV6 4000)
+ (echo "lock:release;" | nc -w 3 $$LBLNET_SVR_IPV6 4000)
diff --git a/audit-test/netfilter/netfilter_functions.bash b/audit-test/netfilter/netfilter_functions.bash
index 81211f9..67e0982 100644
--- a/audit-test/netfilter/netfilter_functions.bash
+++ b/audit-test/netfilter/netfilter_functions.bash
@@ -147,20 +147,20 @@ function do_nc {
declare rc
declare data_str="This string simply provides data to send over netcat"
case $ipv_arg in
+ # for tnum 47,48 - listening is set up by setup_default on port 4100
+ # for tnum 45,46 - lblnet_tst_server on port 4000 is used
ipv4)
if [[ $tnum == 47 ]]; then
- nc -l $port &
- rc="$(nc -w 1 "$1" "$port" <<< $data_str)"
+ rc="$(nc -w 3 "$1" "$port" <<< $data_str)"
else
- rc="$(nc -w 1 "$1" "$port")"
+ rc="$(nc -w 3 "$1" "$port")"
fi
;;
ipv6)
if [[ $tnum == 48 ]]; then
- nc -l $port &
- rc="$(nc -6 -w 1 "$1" "$port" <<< $data_str)"
+ rc="$(nc -6 -w 3 "$1" "$port" <<< $data_str)"
else
- rc="$(nc -6 -w 1 "$1" "$port")"
+ rc="$(nc -6 -w 3 "$1" "$port")"
fi
;;
*)
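Review bot: the new comment hard-codes port 4100 while the code uses `$port`; say `$tst_port1` instead so the comment survives the next port change. Naming nit while here: `rc` holds the output of `nc`, not its exit status. The dropped `nc -l $port &` was also never killed, so every run of tnum 47/48 leaked a background listener; that is worth a line in the commit message.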
diff --git a/audit-test/netfilter/run.conf b/audit-test/netfilter/run.conf
index e519a6c..762b516 100644
--- a/audit-test/netfilter/run.conf
+++ b/audit-test/netfilter/run.conf
@@ -287,7 +287,7 @@ function tstsvr_lock {
declare rc
declare cmd_str="lock:set,$tstsvr_lock_timeout;"
- rc="$(nc -6 -w 1 $lblnet_svr6_host 4000 <<< $cmd_str)"
+ rc="$(nc -6 -w 3 $lblnet_svr6_host 4000 <<< $cmd_str)"
if [[ $rc == 0 ]]; then
tstsvr_lock_held=1
return 0
@@ -318,7 +318,7 @@ function tstsvr_unlock {
declare cmd_str="lock:release;"
if [[ $tstsvr_lock_held == 1 ]]; then
- nc -6 -w 1 $lblnet_svr6_host 4000 <<< $cmd_str
+ nc -6 -w 3 $lblnet_svr6_host 4000 <<< $cmd_str
fi
}
@@ -405,6 +405,7 @@ function setup_default {
# generate the host command string
remote_obj="$(get_label_obj $mlsop)"
cmd_str="sockcon:full,system_u:system_r:$(get_test_domain $type $host):$remote_obj;"
+ cmd_str+="detach;"
case $op in
sendrand_tcp)
local_host="$(get_host_local $ipv $host)"
@@ -432,11 +433,11 @@ function setup_default {
for ((loop_cnt=0; loop_cnt<=2 && rc!=0; loop_cnt++)); do
case $host in
remote)
- rc="$(nc -6 -w 1 $lblnet_svr6_host 4000 <<< $cmd_str)"
+ rc="$(nc -6 -w 3 $lblnet_svr6_host 4000 <<< $cmd_str)"
;;
local)
# use the same port as the remote IPv4 setting
- rc="$(nc -w 1 ::1 4000 <<< $cmd_str)"
+ rc="$(nc -w 3 ::1 4000 <<< $cmd_str)"
;;
*)
exit_fail "invalid test argument"
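Review bot: same `(( ... rc!=0 ))` problem as in netfilebt/run.conf: an empty `rc` from a timed-out `nc` is indistinguishable from a `0` reply, so the loop never retries on a connect timeout.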
diff --git a/audit-test/network/Makefile b/audit-test/network/Makefile
index ea7380c..6055de3 100644
--- a/audit-test/network/Makefile
+++ b/audit-test/network/Makefile
@@ -25,8 +25,8 @@ SUB_DIRS = system
unlock:
ifneq ($(DISTRO), SUSE)
[[ -n $$LBLNET_SVR_IPV6 ]] && \
- (echo "lock:release;" | nc -w 1 $$LBLNET_SVR_IPV6 4000)
+ (echo "lock:release;" | nc -w 3 $$LBLNET_SVR_IPV6 4000)
else
[[ -n $$LBLNET_SVR_IPV6 ]] && \
- (echo "lock:release;" | nc6 -t 1 -w 1 $$LBLNET_SVR_IPV6 4000)
+ (echo "lock:release;" | nc6 -t 1 -w 3 $$LBLNET_SVR_IPV6 4000)
endif
diff --git a/audit-test/network/run.conf b/audit-test/network/run.conf
index 307d218..d1b11f2 100644
--- a/audit-test/network/run.conf
+++ b/audit-test/network/run.conf
@@ -313,7 +313,7 @@ function tstsvr_lock {
declare rc
declare str="lock:set,$tstsvr_lock_timeout;"
- rc="$($cmd_nc $lblnet_svr6_host 4000 <<< $str)"
+ rc="$($cmd_nc $lblnet_svr6_host 4000 <<< $str)"
if [[ $rc == 0 ]]; then
tstsvr_lock_held=1
return 0
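Review bot: the removed and added lines are identical as shown, so this hunk is a whitespace-only change (trailing space, most likely); either drop it or mention it in the commit message so reviewers do not hunt for the difference.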
@@ -344,7 +344,7 @@ function tstsvr_unlock {
declare str="lock:release;"
if [[ $tstsvr_lock_held == 1 ]]; then
- nc -w 1 $lblnet_svr6_host 4000 <<< $str
+ nc -w 3 $lblnet_svr6_host 4000 <<< $str
fi
}
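Review bot: tstsvr_lock uses `$cmd_nc` but tstsvr_unlock calls `nc -w 3` directly, so on a SUSE host where only `nc6` is installed the lock is taken but never released; use `$cmd_nc` here as well.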
@@ -451,6 +451,7 @@ set -x
# generate the host command string
remote_obj="$(get_label_obj $mlsop)"
str="sockcon:full,system_u:system_r:$(get_test_domain $type $host):$remote_obj;"
+ str+="detach;"
case $op in
sendrand_tcp)
local_host="$(get_host_local $ipv $host)"
@@ -1001,9 +1002,9 @@ esac
# determine the netcat variant
if which nc6 >& /dev/null; then
- cmd_nc="nc6 ----idle-timeout=1 -w 1 "
+ cmd_nc="nc6 --idle-timeout=1 -w 3 "
elif which nc >& /dev/null; then
- cmd_nc="nc -w 1 "
+ cmd_nc="nc -w 3 "
else
die "error: netcat not installed"
fi
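Review bot: `----idle-timeout=1` to `--idle-timeout=1` is a real bug fix, not a timeout tweak: with four dashes nc6 would have rejected the option, so the nc6 branch could never have worked as written. Call it out in the commit message, together with the identical fix in test_xinetd.bash. The trailing space inside the `cmd_nc` string is unnecessary since the variable is always expanded unquoted.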
diff --git a/audit-test/trustedprograms/tests/test_ipsec.bash b/audit-test/trustedprograms/tests/test_ipsec.bash
index 289642b..25541fd 100755
--- a/audit-test/trustedprograms/tests/test_ipsec.bash
+++ b/audit-test/trustedprograms/tests/test_ipsec.bash
@@ -108,7 +108,7 @@ function normalize_addr {
#
function remote_ipsec_flush {
declare str="ipsec:flush;"
- $cmd_nc -w 1 $1 4000 <<< $str
+ $cmd_nc -w 3 $1 4000 <<< $str
}
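Review bot: `$cmd_nc` already carries `-w 3` (and `--idle-timeout=1` on the nc6 path), so the explicit `-w 3` here is passed twice; drop it and let `cmd_nc` be the single place where the timeout lives.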
@@ -144,10 +144,10 @@ function ipsec_add {
# do the setup
if [ $1 == "6" ]; then
runcon -t lspp_test_netlabel_t -l SystemLow -- \
- $cmd_nc $ip_dst 4000 <<< "recv:ipv6,tcp,4300,0;" &
+ $cmd_nc $ip_dst 4000 <<< "detach;recv:ipv6,tcp,4300,0;"
elif [ $1 == "4" ]; then
runcon -t lspp_test_netlabel_t -l SystemLow -- \
- $cmd_nc $ip_dst 4001 <<< "recv:ipv4,tcp,4300,0;" &
+ $cmd_nc $ip_dst 4001 <<< "detach;recv:ipv4,tcp,4300,0;"
else
die "error: expected parameter 4 | 6 not given"
fi
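Review bot: the old `&` and the new `detach;` leave the same race: nothing tells the caller that lblnet_tst_server has reached listen() on port 4300 before the test issues its connect. Because `detach` precedes `recv`, the control connection is closed before the listener exists and any reply the server writes afterwards is lost. If the test needs the listener to be up, either have the server confirm something before `detach` (an `echo:` marker proves the command string arrived, though not that listen() has happened) or poll port 4300 before proceeding.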
diff --git a/audit-test/trustedprograms/tests/test_xinetd.bash b/audit-test/trustedprograms/tests/test_xinetd.bash
index ac778c8..6b65994 100755
--- a/audit-test/trustedprograms/tests/test_xinetd.bash
+++ b/audit-test/trustedprograms/tests/test_xinetd.bash
@@ -75,9 +75,9 @@ function xinetd_test {
# determine the netcat variant
if which nc6 >& /dev/null; then
- cmd_nc="nc6 ----idle-timeout=1 -w 1 "
+ cmd_nc="nc6 --idle-timeout=1 -w 3 "
elif which nc >& /dev/null; then
- cmd_nc="nc -w 1 "
+ cmd_nc="nc -w 3 "
else
die "error: netcat not installed"
fi
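Review bot: this netcat-selection block is a copy of the one in network/run.conf, typo included; factor it into a shared function in the suite's common bash so the next change to the nc flags is made once.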
--
1.8.3.1
|
|
From: Jiri J. <jja...@re...> - 2013-10-07 11:28:58
|
This patch adds a new "detach" command, which can be used to close
the connection with the remote (controlling) client. This is useful
for executing commands "in the background" on the server, i.e.
    "echo:server_works;detach;sleep:5;recv:ipv4,tcp,1234,0;"
which would return "server_works" to the client and then close
the connection, doing recv after a 5 second sleep.
The implementation of this command required several additional code
changes / fixes, which should be pretty minor.
Those include:
- `sock' -> `*sock' typo fix
- memory leak fix due to fdopen usage
- *_hlp_* function robustness (`-1' fd value)
- possible segfault when calling shutdown on uninitialized ctl_sock
Signed-off-by: Jiri Jaburek <jja...@re...>
---
.../utils/network-server/lblnet_tst_server.c | 77 ++++++++++++++--------
1 file changed, 49 insertions(+), 28 deletions(-)
diff --git a/audit-test/utils/network-server/lblnet_tst_server.c b/audit-test/utils/network-server/lblnet_tst_server.c
index 94be8f7..64faa96 100644
--- a/audit-test/utils/network-server/lblnet_tst_server.c
+++ b/audit-test/utils/network-server/lblnet_tst_server.c
@@ -115,7 +115,7 @@ void hlp_usage(char *name)
*
* Description:
* Uses select() to wait for data on a socket. Returns the return value from
- * select() or 1 if the value in net_timeout_sec is 0 (no timeout);
+ * select(), 1 if the value in net_timeout_sec is 0 (no timeout) or -1 on error.
*
*/
int net_hlp_timeout_rcv(int sock)
@@ -123,6 +123,9 @@ int net_hlp_timeout_rcv(int sock)
struct timeval timeout;
fd_set sock_fdset;
+ if (sock < 0)
+ return -1;
+
if (net_timeout_sec == 0)
return 1;
@@ -145,7 +148,7 @@ int net_hlp_timeout_rcv(int sock)
*/
void net_hlp_socket_close(int *sock)
{
- if (sock < 0)
+ if (*sock < 0)
return;
shutdown(*sock, SHUT_RDWR);
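Review bot: `detach` now calls this with `&rem_sock`, and the main loop re-enters `accept()` only when `rem_sock < 0`, so this function must set `*sock = -1` after the close; the hunk shows the corrected guard but not the tail of the function, so please confirm. Without it a detached daemon-mode server keeps reading from a closed descriptor instead of accepting the next client.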
@@ -164,9 +167,16 @@ void net_hlp_socket_close(int *sock)
*/
void ctl_hlp_sendrc(int sock, int rc)
{
- FILE *fp = fdopen(sock, "a");
+ int tmpfd;
+ FILE *fp;
+
+ if (sock < 0)
+ return;
+
+ tmpfd = dup(sock);
+ fp = fdopen(tmpfd, "a");
fprintf(fp, "%d", rc);
- fflush(fp);
+ fclose(fp);
}
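Review bot: `dup()` and `fdopen()` can fail (EMFILE, ENOMEM) and their results are used unchecked, so `fprintf(NULL, ...)` becomes a crash; check `tmpfd < 0` and `fp == NULL`, log through SMSG as the old ctl_echo did, and close `tmpfd` on the fdopen failure path. The `dup()` exists only because `fclose()` would otherwise close the socket; a plain `dprintf(sock, "%d", rc)` or `write()` of the formatted number would avoid both the dup and the stdio buffer.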
/**
@@ -180,9 +190,16 @@ void ctl_hlp_sendrc(int sock, int rc)
*/
void ctl_hlp_sendstr(int sock, const char *str)
{
- FILE *fp = fdopen(sock, "a");
+ int tmpfd;
+ FILE *fp;
+
+ if (sock < 0)
+ return;
+
+ tmpfd = dup(sock);
+ fp = fdopen(tmpfd, "a");
fprintf(fp, "%s", str);
- fflush(fp);
+ fclose(fp);
}
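Review bot: identical body to ctl_hlp_sendrc apart from the format string; a single `ctl_hlp_vsend(int sock, const char *fmt, ...)` would give both functions one place for the error checks.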
/**
@@ -201,13 +218,7 @@ void ctl_hlp_sendstr(int sock, const char *str)
*/
void ctl_echo(int sock, char *param)
{
- int rc = write(sock, param, strlen(param) + 1);
- if (rc < 0)
- SMSG(SMSG_WARN,
- fprintf(log_fd,
- "warning(echo): "
- "failed to write to the socket (%d)\n",
- errno));
+ ctl_hlp_sendstr(sock, param);
}
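Review bot: behaviour change not mentioned in the commit message: the old `write(sock, param, strlen(param) + 1)` put the terminating NUL byte on the wire, `ctl_hlp_sendstr` does not, and the `write` failure warning is gone. Any client that compared the echo reply byte for byte, or a reader that stopped at the NUL, now sees a different stream; either keep the old framing or state that the NUL was never intended.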
/**
@@ -976,7 +987,7 @@ int main(int argc, char *argv[])
int arg_iter;
int run_loop = 1;
unsigned short ctl_port = CTL_SOCK_PORT_DEFAULT;
- int ctl_sock;
+ int ctl_sock = -1;
int rem_sock = -1;
struct sockaddr_in6 ctl_sockaddr;
struct sockaddr_storage peer_addr;
@@ -1087,20 +1098,26 @@ int main(int argc, char *argv[])
/* loop on incoming messages */
while (run_loop) {
- if (rem_sock < 0 && !inetd_flag) {
- /* get a new connection and don't honor the timeout here, if we are not
- * running in [x]inetd mode assume we are running as a daemon */
- peer_addr_len = sizeof(peer_addr);
- rem_sock = accept(ctl_sock,
- (struct sockaddr *)&peer_addr,
- &peer_addr_len);
- if (rem_sock < 0) {
- SMSG(SMSG_WARN,
- fprintf(log_fd,
- "warning: failed to accept new "
- "control connection (%d)\n",
- errno));
- continue;
+ if (rem_sock < 0) {
+ if (!inetd_flag) {
+ /* get a new connection and don't honor the timeout
+ * here, assume we are running as a daemon */
+ peer_addr_len = sizeof(peer_addr);
+ rem_sock = accept(ctl_sock,
+ (struct sockaddr *)&peer_addr,
+ &peer_addr_len);
+ if (rem_sock < 0) {
+ SMSG(SMSG_WARN,
+ fprintf(log_fd,
+ "warning: failed to accept new "
+ "control connection (%d)\n",
+ errno));
+ continue;
+ }
+ } else {
+ /* running via [x]inetd and the only client conn
+ * got closed, exit */
+ break;
}
}
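Review bot: in [x]inetd mode the loop now exits as soon as `rem_sock < 0`, which is exactly the state `detach` leaves behind. That only works if every command still buffered from the client (`sleep:5;recv:...` in the commit message example) is executed before control returns to the top of the while loop; if the parser goes back to `net_hlp_timeout_rcv()`/read between commands, a detached inetd instance terminates before `recv` runs. Please confirm the command loop drains the buffer first and add a comment here saying so, since the suite spawns this server from xinetd on port 4000.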
@@ -1198,6 +1215,8 @@ int main(int argc, char *argv[])
if (ctl_cmd != NULL) {
if (strcasecmp(ctl_cmd, "exit") == 0) {
run_loop = 0;
+ } else if (strcasecmp(ctl_cmd, "detach") == 0) {
+ net_hlp_socket_close(&rem_sock);
} else if (strcasecmp(ctl_cmd, "echo") == 0) {
ctl_echo(rem_sock, ctl_param);
} else if (strcasecmp(ctl_cmd, "sleep") == 0) {
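Review bot: the new command is not added to hlp_usage() or to any protocol documentation in this patch (the diffstat touches only the .c file), so a reader of the server cannot discover `detach` without finding this switch. Document it next to the other commands, including the rule that nothing after `detach` can report back to the client.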
@@ -1240,3 +1259,5 @@ int main(int argc, char *argv[])
return 0;
}
+
+/* vim: set ts=8 sts=8 sw=8 noet: */
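Review bot: the modeline is an unrelated editor-preference change; keep it out of a functional patch (or give it its own commit) so `git blame` on the tail of the file stays about code.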
--
1.8.3.1
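The two patches above (the ncat `-w`/`-i` split and the new `detach` command) describe a client/server exchange in prose. Below is an added illustration for this thread, not code from the audit-test suite or from lblnet_tst_server: a toy server that understands only `echo`, `sleep` and `detach`, and a client that does what `ncat -w <secs> host port <<< cmd` does (connect timeout on the handshake only, half-close once the input is written, read until the server closes). Everything about the wire format is an assumption made for the toy: commands are `name[:param];` tokens, replies carry no terminator, and commands queued after `detach` keep running because the toy splits the whole received buffer before it touches the socket again.

```python
"""Toy model of the lblnet_tst_server control exchange with `detach`,
driven by a client that behaves like `ncat -w <secs>`.

Added illustration for this thread; none of this is code from the audit-test
suite or from lblnet_tst_server.  Assumed (not taken from the real server):
commands are `name[:param];` tokens on one TCP connection, `echo` writes its
parameter back without a terminator, `sleep` pauses the server, `detach`
closes the control connection and the commands after it still execute.
"""
import socket
import threading
import time


def handle_command(conn, cmd):
    """Execute one `name[:param]` command; return conn, or None after detach."""
    name, _, param = cmd.strip().partition(":")
    if name == "echo":
        if conn is not None:            # after detach there is nobody to answer
            conn.sendall(param.encode())
    elif name == "sleep":
        time.sleep(float(param))
    elif name == "detach":
        if conn is not None:
            conn.close()
        conn = None                     # later commands run unattended
    # unknown commands are ignored by this toy
    return conn


def serve_control_connection(conn):
    """Read `;`-separated commands until the client half-closes or detaches.

    The whole buffer is split before recv() is called again, which is what
    lets `detach;sleep:2;echo:...` keep executing after the socket is gone.
    """
    buf = b""
    while conn is not None:
        chunk = conn.recv(4096)
        if not chunk:                   # client sent EOF (the ncat half-close)
            break
        buf += chunk
        while b";" in buf:
            cmd, buf = buf.split(b";", 1)
            conn = handle_command(conn, cmd.decode())
    if conn is not None:
        conn.close()


def start_toy_server(host="127.0.0.1"):
    """Listen on an ephemeral loopback port; return (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:             # listening socket closed: shut down
                return
            threading.Thread(target=serve_control_connection,
                             args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def control(host, port, cmd_str, connect_timeout=3.0, idle_timeout=10.0):
    """Send cmd_str the way `ncat -w connect_timeout host port <<< cmd_str` does.

    connect_timeout bounds only the TCP handshake (ncat -w).  Once the
    command string is written, stdin EOF becomes a half-close of the send
    side and the client reads until the server closes; idle_timeout mirrors
    ncat -i, which makes ncat exit non-zero and here raises socket.timeout.
    """
    with socket.create_connection((host, port), timeout=connect_timeout) as s:
        s.sendall(cmd_str.encode())
        s.shutdown(socket.SHUT_WR)
        s.settimeout(idle_timeout)
        parts = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            parts.append(data)
    return b"".join(parts).decode()


def detach_round_trip(port):
    """The commit message's example: reply arrives, server keeps working alone."""
    t0 = time.monotonic()
    reply = control("127.0.0.1", port,
                    "echo:server_works;detach;sleep:2;echo:never_delivered;")
    return reply, time.monotonic() - t0


if __name__ == "__main__":
    srv, port = start_toy_server()
    print(control("127.0.0.1", port, "echo:a;sleep:0.2;echo:b;"))   # prints ab
    reply, elapsed = detach_round_trip(port)
    print("%s after %.2fs; the server is still sleeping" % (reply, elapsed))
    srv.close()
```

The first call returns only when the server closes after seeing the client's EOF, so the client waits through `sleep:0.2`; the second returns as soon as `detach` closes the socket, which is the whole point of the command. Replace `shutdown(SHUT_WR)` with a `time.sleep(1)` plus `close()` and you get the old `nc -w 1` idle-timeout behaviour that the patch is moving away from.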
|
|
From: Jiri J. <jja...@re...> - 2013-10-07 11:28:45
|
The new approach is to *not* set up listening on any port
and send a connection attempt (TCP SYN) to a closed/unused one.
This operation generates a TCP RST response, which gets logged.
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/netfilter/run.conf | 42 +++++++++++++++---------------------------
1 file changed, 15 insertions(+), 27 deletions(-)
diff --git a/audit-test/netfilter/run.conf b/audit-test/netfilter/run.conf
index 423b3cb..e519a6c 100644
--- a/audit-test/netfilter/run.conf
+++ b/audit-test/netfilter/run.conf
@@ -395,18 +395,6 @@ function setup_default {
kill -9 $tspid
fi
- # For the RST flag test of IPv4 we do not want to start the netfilter
- # server and we will run a netcat command against the ipv4 loop back
- # address after we set the iptables so just return
-
- if [[ $tnum == 46 ]]; then
- if [[ $xndpid ]]; then
- kill -9 $xndpid
- xndrst=1
- fi
- return
- fi
-
if [[ ! $xndpid ]]; then
echo "starting local lblnet_tst_server"
./do_netfilsvr.bash
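Review bot: the removed block was also the only place in this file that set `xndrst=1`; if a cleanup path restarts xinetd when `xndrst` is set, that path is now unreachable and can go too, and if the variable is still read elsewhere it now stays unset. Grep for `xndrst` and drop or adjust the consumers in the same patch.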
@@ -661,7 +649,9 @@ function run_test {
iptables_setup
ip6tables_setup
sleep 3
- if [[ $tnum -lt 29 ]] || [[ $tnum -gt 36 ]]; then
+ # exclude ping and RST tests
+ if ! [[ $tnum -ge 29 && $tnum -le 36 ]] \
+ && ! [[ $tnum -ge 45 && $tnum -le 46 ]]; then
setup_default
echo "going to setup_default"
fi
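Review bot: the new condition reads well; while touching it, note that `echo "going to setup_default"` is printed after `setup_default` has already returned, so the log line is misleading whenever setup hangs. Swap the two lines.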
@@ -817,15 +807,15 @@ function run_test {
protov=6
;;
45)
- ip6tables -A INPUT -p tcp --dport 4000 --tcp-flags ALL RST -j LOG --log-prefix "rst received ipv6"
- ip6tables -A INPUT -p tcp --dport 4000 --tcp-flags ALL RST -j AUDIT_ACCEPT
+ ip6tables -A INPUT -i lo -p tcp --sport $tst_port1 --tcp-flags RST RST -j LOG --log-prefix "rst received ipv6"
+ ip6tables -A INPUT -i lo -p tcp --sport $tst_port1 --tcp-flags RST RST -j AUDIT_ACCEPT
logrotate -f /etc/logrotate.d/syslog
actv=0
protov=6
;;
46)
- iptables -A INPUT -i lo -p tcp --sport 4000 --tcp-flags RST RST -j LOG --log-prefix "rst received ipv4"
- iptables -A INPUT -i lo -p tcp --sport 4000 --tcp-flags RST RST -j AUDIT_ACCEPT
+ iptables -A INPUT -i lo -p tcp --sport $tst_port1 --tcp-flags RST RST -j LOG --log-prefix "rst received ipv4"
+ iptables -A INPUT -i lo -p tcp --sport $tst_port1 --tcp-flags RST RST -j AUDIT_ACCEPT
logrotate -f /etc/logrotate.d/syslog
actv=0
protov=6
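Review bot: the switch from `--tcp-flags ALL RST` to `--tcp-flags RST RST` is essential rather than cosmetic and deserves a sentence in the commit message: `ALL RST` matches only a segment whose sole flag is RST, but the reset the kernel sends for a SYN to a closed port carries RST+ACK, so the old match could never fire for the new test input. `--sport $tst_port1` correctly pins the reply to the probed port. Separately, the IPv4 branch (`46)`) still sets `protov=6` after adding `iptables` rules, which looks copy-pasted from `45)`.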
@@ -1792,32 +1782,30 @@ done
host=local type=unlabeled op=recv_tcp ipv=ipv6 port=$tst_port1 \
tnum=44 '$host_remote tcp $port'
## TESTCASE Test #44 tnum 45
-## Table Rule received tcp segments (ipv6) to destination port 4000
+## Table Rule received tcp segments (ipv6) from dst port $tst_port1
## with RST flag set are accepted and logged to
## /var/log/messages with "rst received ipv6" log prefix
## and recorded in audit.log
-## Input nc listen (forced ipv6)is started on TOE on $port and nc
-## connection (forced ipv6) is started on $port, this
-## should generate segment with an RST flag
+## Input tcp connection request (ipv6) is sent over local
+## loopback device to port $tst_port1
## Expected Result segments pass through, messages file has log, audit.log
## has record.
+ connect \
mlsop=eq expres=success \
- host=local type=unlabeled op=recv_tcp ipv=ipv6 port=$tst_port1 \
+ host=local type=unlabeled ipv=ipv6 port=$tst_port1 \
tnum=45 '$host_remote tcp $port'
## TESTCASE Test #45 tnum 46
-## Table Rule received tcp segments (ipv4) to destination port 4000
+## Table Rule received tcp segments (ipv4) from dst port $tst_port1
## with RST flag set are accepted and logged to
## /var/log/messages with "rst received ipv4" log prefix
## and recorded in audit.log
-## Input nc listen is started on TOE on $port and nc connection
-## initiation is started on $port, this should generate
-## segment with an RST flag
+## Input tcp connection request (ipv4) is sent over local
+## loopback device to port $tst_port1
## Expected Result segments pass through, messages file has log, audit.log
## has record.
+ connect \
mlsop=eq expres=success \
- host=local type=unlabeled op=recv_tcp ipv=ipv4 port=4000 \
+ host=local type=unlabeled ipv=ipv4 port=$tst_port1 \
tnum=46 '$host_remote tcp $port'
## TESTCASE Test #46 tnum 47
## Table Rule received tcp segments (ipv4) to destination port
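Review bot: the Table Rule text says "from dst port $tst_port1" while the rule matches `--sport`; $tst_port1 is the destination of the SYN and the source of the RST, so "with source port $tst_port1" would match both the rule and the Input line below it.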
--
1.8.3.1
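The patch above hinges on two facts it does not spell out: what `--tcp-flags MASK COMP` actually matches, and which flags the kernel puts on the reset it sends for a SYN to a closed port. The following is an added illustration for this thread, not code from the audit-test suite: it reimplements the iptables flag match so the old `ALL RST` rule and the new `RST RST` rule can be compared without iptables, encodes the RFC 793 reset rule (a segment that carried ACK is answered with a bare RST, anything else with RST+ACK, which also explains the accidental pure-RST path of the old test), and performs the new test's probe on loopback, a connect() to a port nobody listens on. The flag names and the loopback addresses are the only inputs and are constructed here.

```python
"""Two checks behind the rewritten RST tests (tnum 45/46).

Added illustration for this thread; not code from the audit-test suite.
tcp_flags_match() follows the semantics of the iptables `--tcp-flags MASK
COMP` match: the packet's flags ANDed with MASK must equal COMP.
rst_reply_flags() encodes the RFC 793 (section 3.4) reset rule.
probe_closed_port() does what the new test does on the wire.
"""
import errno
import socket

TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")
ALL = frozenset(TCP_FLAGS)
EXPECTED_ERRNO = errno.ECONNREFUSED     # what connect() reports for RST+ACK


def parse_flag_list(text):
    """'SYN,ACK' -> {SYN, ACK}; 'ALL' and 'NONE' as accepted by iptables."""
    if text == "ALL":
        return ALL
    if text == "NONE":
        return frozenset()
    flags = frozenset(text.split(","))
    unknown = flags - ALL
    if unknown:
        raise ValueError("unknown TCP flag(s): %s" % ",".join(sorted(unknown)))
    return flags


def parse_tcp_flags_rule(rule):
    """'ALL RST' -> (mask, comp), the two arguments of --tcp-flags."""
    mask_text, comp_text = rule.split()
    mask, comp = parse_flag_list(mask_text), parse_flag_list(comp_text)
    if not comp <= mask:
        raise ValueError("comp flags must be a subset of mask flags")
    return mask, comp


def tcp_flags_match(packet_flags, rule):
    """True if a segment with packet_flags set matches `--tcp-flags <rule>`."""
    mask, comp = parse_tcp_flags_rule(rule)
    return (frozenset(packet_flags) & mask) == comp


def rst_reply_flags(incoming_flags):
    """Flags on the reset sent for a segment that hits a closed port.

    RFC 793, section 3.4: if the offending segment has ACK set, the reset
    takes its sequence number from that ACK and carries no ACK flag;
    otherwise the reset acknowledges the segment, so it is RST+ACK.  The
    first case is the old test's accidental path (data from the server to a
    dead client), the second is a SYN to a closed port, the new test's input.
    """
    if "ACK" in incoming_flags:
        return frozenset({"RST"})
    return frozenset({"RST", "ACK"})


def free_loopback_port(host="127.0.0.1", family=socket.AF_INET):
    """Pick a port nobody listens on: bind to 0, read the number, close."""
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def probe_closed_port(host="127.0.0.1", family=socket.AF_INET, timeout=3.0):
    """connect() to an unused loopback port; return the errno connect() raised.

    The SYN is answered with RST+ACK, which connect() maps to ECONNREFUSED.
    The timeout caps the wait in case something drops the SYN instead.
    """
    port = free_loopback_port(host, family)
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError as exc:
            return exc.errno
    return 0                            # unexpected: something answered


if __name__ == "__main__":
    syn_reply = rst_reply_flags({"SYN"})            # what the new test provokes
    data_reply = rst_reply_flags({"PSH", "ACK"})    # the old, accidental path
    for rule in ("ALL RST", "RST RST"):
        print("%-8s SYN probe -> %-5s  data segment -> %s" % (
            rule, tcp_flags_match(syn_reply, rule),
            tcp_flags_match(data_reply, rule)))
    print("connect() to a closed loopback port:",
          errno.errorcode.get(probe_closed_port(), "success"))
    print("IPv6:", errno.errorcode.get(
        probe_closed_port("::1", socket.AF_INET6), "success"))
```

`ALL RST` is true only for the data-segment reset and false for the SYN probe, while `RST RST` is true for both, which is why the rule had to change together with the test input. The IPv6 probe requires `::1` to be configured on the host; on a box without it, `probe_closed_port("::1", socket.AF_INET6)` returns EADDRNOTAVAIL or similar rather than ECONNREFUSED, which is worth knowing before reading a failed tnum 45 as a netfilter problem.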
|
|
From: Jiri J. <jja...@re...> - 2013-10-07 11:28:05
|
Hi, yet another batch of changes from our team is here. This time, it's mostly about making the suite faster, with related changes all around the idea. Aside from those, a new "make rerun" feature is included, which re-runs only non-PASSed tests, along with a few generic fix-ups.

There are several important things I'd like to point out. First, the discussed issue of "making lblnet_tst_server inetd-only" no longer exists; I managed to create a solution which retains the original standalone daemon functionality. Second, the "TCP RST related tests" change is included, and third, there's one more similar change in this patchset I would like to point out explicitly - patch 15. I'd really like some comments on that one.

All changes are RHEL-6.2 compatible; I've tested both base and mls runs of the suite without fails or errors.

Since this patch series is mainly about suite speedups, I should probably provide some benchmarks. When trying to generate those, I encountered an issue with tcp_syn_retries behaving differently on RHEL6.2, RHEL6.3+ and RHEL7 (described in patch 04), so I had to do three separate runs.

The following is a "time make run" of the three networking-related buckets combined (network, netfilter, netfilebt):

RHEL6.2, default tcp_syn_retries, upstream suite = 101 minutes
RHEL6.2, default tcp_syn_retries, patched suite = 43 minutes
RHEL6.2, custom tcp_syn_retries, patched suite = 37 minutes

RHEL6.3+, default tcp_syn_retries, upstream suite = 118 minutes
RHEL6.3+, default tcp_syn_retries, patched suite = 69 minutes
RHEL6.3+, custom tcp_syn_retries, patched suite = 37 minutes

and based on the known default value of tcp_syn_retries on RHEL7, we can simulate a RHEL7 full-pass run on RHEL6.3+:

(RHEL7), default tcp_syn_retries, upstream suite = 136 minutes
(RHEL7), default tcp_syn_retries, patched suite = 90 minutes
(RHEL7), custom tcp_syn_retries, patched suite = 37 minutes

IOW, this patchset speeds up things on RHEL6.2 by 64 minutes, on RHEL6.3+ by 81 minutes and on RHEL7 by 99 minutes (or 1h39m), counting only the networking-related buckets, on our hardware. More speed improvements come from patches 07 and 22.

Please see commit messages of respective patches for more information; the patches are attached via In-Reply-To/References to this mail.

Thanks for the review,
Jiri
|
From: Stephan M. <ste...@at...> - 2013-09-04 18:30:58
|
On Wednesday, 4 September 2013, 09:59:00, Steve Grubb wrote:

Hi Steve, Jiri,

(I just registered on the ML)

> ======
> I would like to ask whether the following change doesn't break any
> requirements that were originally imposed upon the tests. The full
> story behind the change can be found on an audit-test sourceforge
> mailing list:
>
> http://sourceforge.net/p/audit-test/mailman/message/31357135/
>
> In short - it turns out that the two RST tests are implemented
> in a possibly unnecessarily complex way, one of them using very
> weird and likely unintentional logic to test the scenario.
>
> If the only thing that needs to be tested is the ability to log
> (via netfilter LOG target into /var/log/messages and via audit
> into audit log) TCP RST packets, the current test cases are overly
> complex with high potential of breaking in the future due to
> involvement of many variables.
> My patch (posted above) simplifies the cases by simply trying to
> connect to a known closed (unused) port, which generates TCP RST as a
> response.
>
> To be more specific here, the current "implementation" currently blocks
> other optimization-related changes, which save nearly an hour during
> execution of the suite, which is a significant help not only for RHEL7
> development of the suite, but also for RHEL6 CC retention testing.
> Applying the referenced patch would "unblock" those changes.
>
> With the patch applied, the related tests PASS, the RST packet
> is successfully logged into /var/log/messages and into the audit log,
> without changing original grep or augrok commands.

After looking into the tests, I fully concur with Jiri that the test is strange. Yet, the goal is the validation that RSTs are logged in the audit trail. The syslog is an addition that we would not really care about.

Hence, please apply the patch.

Ciao
Stephan

--
atsec information security GmbH, Steinstraße 70, 81667 München, Germany
P: +49 89 442 49 830 - F: +49 89 442 49 831
M: +49 172 216 55 78 - HRB: 129439 (Amtsgericht München)
GF: Salvatore la Pietra, Staffan Persson
atsec it security news blog - atsec-information-security.blogspot.com
Please join us at the International Cryptographic Module Conference
http://www.icmc-2013.org/
|
From: Linda K. <lin...@hp...> - 2013-09-03 14:14:00
|
Hi Jiri,
Based on our previous mail, this looks good to me.
Looking at the code changes, it does look like some things were
missed in earlier changes to those tests. For questions about
whether the test case is sufficient, we may need to send a note to
Stephan.
-- ljk
Jiri Jaburek wrote:
> Signed-off-by: Jiri Jaburek <jja...@re...>
> ---
> audit-test/netfilter/run.conf | 42 +++++++++++++++---------------------------
> 1 file changed, 15 insertions(+), 27 deletions(-)
>
> diff --git a/audit-test/netfilter/run.conf b/audit-test/netfilter/run.conf
> index 423b3cb..e519a6c 100644
> --- a/audit-test/netfilter/run.conf
> +++ b/audit-test/netfilter/run.conf
> @@ -395,18 +395,6 @@ function setup_default {
> kill -9 $tspid
> fi
>
> - # For the RST flag test of IPv4 we do not want to start the netfilter
> - # server and we will run a netcat command against the ipv4 loop back
> - # address after we set the iptables so just return
> -
> - if [[ $tnum == 46 ]]; then
> - if [[ $xndpid ]]; then
> - kill -9 $xndpid
> - xndrst=1
> - fi
> - return
> - fi
> -
> if [[ ! $xndpid ]]; then
> echo "starting local lblnet_tst_server"
> ./do_netfilsvr.bash
> @@ -661,7 +649,9 @@ function run_test {
> iptables_setup
> ip6tables_setup
> sleep 3
> - if [[ $tnum -lt 29 ]] || [[ $tnum -gt 36 ]]; then
> + # exclude ping and RST tests
> + if ! [[ $tnum -ge 29 && $tnum -le 36 ]] \
> + && ! [[ $tnum -ge 45 && $tnum -le 46 ]]; then
> setup_default
> echo "going to setup_default"
> fi
> @@ -817,15 +807,15 @@ function run_test {
> protov=6
> ;;
> 45)
> - ip6tables -A INPUT -p tcp --dport 4000 --tcp-flags ALL RST -j LOG --log-prefix "rst received ipv6"
> - ip6tables -A INPUT -p tcp --dport 4000 --tcp-flags ALL RST -j AUDIT_ACCEPT
> + ip6tables -A INPUT -i lo -p tcp --sport $tst_port1 --tcp-flags RST RST -j LOG --log-prefix "rst received ipv6"
> + ip6tables -A INPUT -i lo -p tcp --sport $tst_port1 --tcp-flags RST RST -j AUDIT_ACCEPT
> logrotate -f /etc/logrotate.d/syslog
> actv=0
> protov=6
> ;;
> 46)
> - iptables -A INPUT -i lo -p tcp --sport 4000 --tcp-flags RST RST -j LOG --log-prefix "rst received ipv4"
> - iptables -A INPUT -i lo -p tcp --sport 4000 --tcp-flags RST RST -j AUDIT_ACCEPT
> + iptables -A INPUT -i lo -p tcp --sport $tst_port1 --tcp-flags RST RST -j LOG --log-prefix "rst received ipv4"
> + iptables -A INPUT -i lo -p tcp --sport $tst_port1 --tcp-flags RST RST -j AUDIT_ACCEPT
> logrotate -f /etc/logrotate.d/syslog
> actv=0
> protov=6
> @@ -1792,32 +1782,30 @@ done
> host=local type=unlabeled op=recv_tcp ipv=ipv6 port=$tst_port1 \
> tnum=44 '$host_remote tcp $port'
> ## TESTCASE Test #44 tnum 45
> -## Table Rule received tcp segments (ipv6) to destination port 4000
> +## Table Rule received tcp segments (ipv6) from dst port $tst_port1
> ## with RST flag set are accepted and logged to
> ## /var/log/messages with "rst received ipv6" log prefix
> ## and recorded in audit.log
> -## Input nc listen (forced ipv6)is started on TOE on $port and nc
> -## connection (forced ipv6) is started on $port, this
> -## should generate segment with an RST flag
> +## Input tcp connection request (ipv6) is sent over local
> +## loopback device to port $tst_port1
> ## Expected Result segments pass through, messages file has log, audit.log
> ## has record.
> + connect \
> mlsop=eq expres=success \
> - host=local type=unlabeled op=recv_tcp ipv=ipv6 port=$tst_port1 \
> + host=local type=unlabeled ipv=ipv6 port=$tst_port1 \
> tnum=45 '$host_remote tcp $port'
> ## TESTCASE Test #45 tnum 46
> -## Table Rule received tcp segments (ipv4) to destination port 4000
> +## Table Rule received tcp segments (ipv4) from dst port $tst_port1
> ## with RST flag set are accepted and logged to
> ## /var/log/messages with "rst received ipv4" log prefix
> ## and recorded in audit.log
> -## Input nc listen is started on TOE on $port and nc connection
> -## initiation is started on $port, this should generate
> -## segment with an RST flag
> +## Input tcp connection request (ipv4) is sent over local
> +## loopback device to port $tst_port1
> ## Expected Result segments pass through, messages file has log, audit.log
> ## has record.
> + connect \
> mlsop=eq expres=success \
> - host=local type=unlabeled op=recv_tcp ipv=ipv4 port=4000 \
> + host=local type=unlabeled ipv=ipv4 port=$tst_port1 \
> tnum=46 '$host_remote tcp $port'
> ## TESTCASE Test #46 tnum 47
> ## Table Rule received tcp segments (ipv4) to destination port
|
|
From: Linda K. <lin...@hp...> - 2013-09-03 14:07:28
|
Hi Jiri,
Jiri Jaburek wrote:
> Hi,
> during my recent optimization work on the suite, I've run into problems
> with a few netfilter tests, the "blockers" for me being 44 and 45, both
> testing TCP RST - on ipv6 and ipv4.
>
> For some unknown reason, both are implemented differently. My suspicion
> is that somebody made a typo, but the test worked fine anyway, so the
> typo was never discovered.
Unfortunately, that would not surprise me.
> For the purposes of this email, I'll be referencing line numbers from
> commit 89232060b2, file audit-test/netfilter/run.conf and describing
> the operation on a RHEL6 machine.
>
> Let's start with test 45 (tnum 46). It uses explicitly specified
> port=4000 (line 1820) to connect via nc (line 955). This operation
> has to return RST from port 4000 in order to be logged (lines 827-828).
> However since port 4000 is normally used by xinetd to spawn
> lblnet_tst_server, the test SIGKILLs xinetd (line 402) beforehand.
> This makes port 4000 free (closed), which generates TCP RST as reply
> when something (netcat) tries to connect to it.
>
> In theory, test 44 (tnum 45) could be similar. It, however, isn't.
> Despite the description mentioning port 4000, it uses port=$tst_port1
> (line 1806), which is defined as 4100 (line 26). It then connects
> via nc to that port, which succeeds ('recv' server operation is set up),
> and, one second later (-w 1), closes the connection via FIN.
> No RST is generated, yet the test PASSes. How is this possible?
>
> The answer lies within the setup itself. Netfilter rules are set up
> on port 4000 (lines 820-821), but on "dport", not "sport". This means
> that we would need *something* to send RST to port 4000, which is a much
> weirder operation to do, and not an easy one.
> Furthermore, xinetd is not killed, line 402 specifies only tnum 46,
> not 45, which means port 4000 is still open, with listening xinetd,
> one more reason why RST shouldn't happen, but it somehow does.
>
> The final piece to the puzzle is the initial lblnet_tst_server setup.
> Test 45 uses (like others) op=recv_tcp (line 1806), which sets up
> "recv" operation on the server (line 433). When this cmd_str line
> is sent to the server via nc (line 451), the connection is left intact,
> even though the client (nc) exits one second later (-w 1). Then the
> test itself proceeds (using port 4100), which makes the server-side
> "recv" operation finish. Upon finishing, the server sends a return code
> to the client, but the client already exited, so the kernel sends,
> on behalf of the client, a TCP RST packet to the server, port 4000,
> ultimately making the test PASS.
>
>
> I admit, it took me several hours to figure this out. I don't really
> know if this approach has been chosen intentionally, or whether somebody
> made several "typos" in several places.
These tests churned quite a bit during development so I suspect that
changes weren't applied consistently and once a test appeared to work
(passed), it was forgotten.
> I would like to ask if either of those approaches is needed for the
> functionality itself to be tested. Do we just need *any* RST packet
> to get logged (to /var/log/messages and audit log)?
I don't know. To get a ruling on what's actually needed, we might need
to ask Atsec (Stephan Mueller).
> Wouldn't simply connecting to an already closed port, matching --sport,
> be enough? Like *not* setting up "recv" on port 4100 and using it
> to match incoming TCP RST packets, generated by a connection attempt?
Sounds reasonable to me. Sorry I can't offer any better advice.
-- ljk
>
> Thanks for any insights,
> Jiri
>
|
|
From: Jiri J. <jja...@re...> - 2013-09-03 11:27:09
|
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/netfilter/run.conf | 42 +++++++++++++++---------------------------
1 file changed, 15 insertions(+), 27 deletions(-)
diff --git a/audit-test/netfilter/run.conf b/audit-test/netfilter/run.conf
index 423b3cb..e519a6c 100644
--- a/audit-test/netfilter/run.conf
+++ b/audit-test/netfilter/run.conf
@@ -395,18 +395,6 @@ function setup_default {
kill -9 $tspid
fi
- # For the RST flag test of IPv4 we do not want to start the netfilter
- # server and we will run a netcat command against the ipv4 loop back
- # address after we set the iptables so just return
-
- if [[ $tnum == 46 ]]; then
- if [[ $xndpid ]]; then
- kill -9 $xndpid
- xndrst=1
- fi
- return
- fi
-
if [[ ! $xndpid ]]; then
echo "starting local lblnet_tst_server"
./do_netfilsvr.bash
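Review bot: deleting the tnum 46 block also deletes the only assignment of xndrst=1 visible in this patch; if a later cleanup path still tests $xndrst to restart xinetd, that branch is now dead and should go in the same patch. With the early return gone, the code that follows starts lblnet_tst_server whenever $xndpid is unset, so the RST tests now rely on run_test never calling setup_default for tnum 45/46; a one-line comment here stating that dependency would save the next reader a trip to the caller.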
@@ -661,7 +649,9 @@ function run_test {
iptables_setup
ip6tables_setup
sleep 3
- if [[ $tnum -lt 29 ]] || [[ $tnum -gt 36 ]]; then
+ # exclude ping and RST tests
+ if ! [[ $tnum -ge 29 && $tnum -le 36 ]] \
+ && ! [[ $tnum -ge 45 && $tnum -le 46 ]]; then
setup_default
echo "going to setup_default"
fi
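Review bot: the echo "going to setup_default" on the line after the call still runs after setup_default has already executed, so the log reads backwards; swap the two lines while this condition is being touched. The rewritten test is equivalent to the old one for 29..36 and correctly adds 45..46, and the comment above it makes the intent clear.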
@@ -817,15 +807,15 @@ function run_test {
protov=6
;;
45)
- ip6tables -A INPUT -p tcp --dport 4000 --tcp-flags ALL RST -j LOG --log-prefix "rst received ipv6"
- ip6tables -A INPUT -p tcp --dport 4000 --tcp-flags ALL RST -j AUDIT_ACCEPT
+ ip6tables -A INPUT -i lo -p tcp --sport $tst_port1 --tcp-flags RST RST -j LOG --log-prefix "rst received ipv6"
+ ip6tables -A INPUT -i lo -p tcp --sport $tst_port1 --tcp-flags RST RST -j AUDIT_ACCEPT
logrotate -f /etc/logrotate.d/syslog
actv=0
protov=6
;;
46)
- iptables -A INPUT -i lo -p tcp --sport 4000 --tcp-flags RST RST -j LOG --log-prefix "rst received ipv4"
- iptables -A INPUT -i lo -p tcp --sport 4000 --tcp-flags RST RST -j AUDIT_ACCEPT
+ iptables -A INPUT -i lo -p tcp --sport $tst_port1 --tcp-flags RST RST -j LOG --log-prefix "rst received ipv4"
+ iptables -A INPUT -i lo -p tcp --sport $tst_port1 --tcp-flags RST RST -j AUDIT_ACCEPT
logrotate -f /etc/logrotate.d/syslog
actv=0
protov=6
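Review bot: case 46) still sets protov=6 for what is the IPv4 test (case 45 is the IPv6 one); if protov selects the address family the test uses, this looks like a pre-existing copy error worth fixing here. The switch from `--tcp-flags ALL RST` to `--tcp-flags RST RST` deserves a sentence in the commit message: a RST that answers a SYN carries ACK as well, so an exact match on RST alone would never have matched that reply, while the new mask matches any segment with RST set.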
@@ -1792,32 +1782,30 @@ done
host=local type=unlabeled op=recv_tcp ipv=ipv6 port=$tst_port1 \
tnum=44 '$host_remote tcp $port'
## TESTCASE Test #44 tnum 45
-## Table Rule received tcp segments (ipv6) to destination port 4000
+## Table Rule received tcp segments (ipv6) from dst port $tst_port1
## with RST flag set are accepted and logged to
## /var/log/messages with "rst received ipv6" log prefix
## and recorded in audit.log
-## Input nc listen (forced ipv6)is started on TOE on $port and nc
-## connection (forced ipv6) is started on $port, this
-## should generate segment with an RST flag
+## Input tcp connection request (ipv6) is sent over local
+## loopback device to port $tst_port1
## Expected Result segments pass through, messages file has log, audit.log
## has record.
+ connect \
mlsop=eq expres=success \
- host=local type=unlabeled op=recv_tcp ipv=ipv6 port=$tst_port1 \
+ host=local type=unlabeled ipv=ipv6 port=$tst_port1 \
tnum=45 '$host_remote tcp $port'
## TESTCASE Test #45 tnum 46
-## Table Rule received tcp segments (ipv4) to destination port 4000
+## Table Rule received tcp segments (ipv4) from dst port $tst_port1
## with RST flag set are accepted and logged to
## /var/log/messages with "rst received ipv4" log prefix
## and recorded in audit.log
-## Input nc listen is started on TOE on $port and nc connection
-## initiation is started on $port, this should generate
-## segment with an RST flag
+## Input tcp connection request (ipv4) is sent over local
+## loopback device to port $tst_port1
## Expected Result segments pass through, messages file has log, audit.log
## has record.
+ connect \
mlsop=eq expres=success \
- host=local type=unlabeled op=recv_tcp ipv=ipv4 port=4000 \
+ host=local type=unlabeled ipv=ipv4 port=$tst_port1 \
tnum=46 '$host_remote tcp $port'
## TESTCASE Test #46 tnum 47
## Table Rule received tcp segments (ipv4) to destination port
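Review bot: the new "Table Rule" lines for tnum 45 and 46 say "from dst port $tst_port1", but the rules added earlier in this patch match --sport $tst_port1, i.e. the RST's source port; write "from source port $tst_port1" so the description and the rule agree. Both test cases also keep '$host_remote tcp $port' as the positional argument while the "Input" line now says the request goes over the local loopback device to $tst_port1; confirm connect really ignores $host_remote and $port here, or adjust the argument.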
--
1.8.3.1
|
|
From: Jiri J. <jja...@re...> - 2013-09-02 16:33:04
|
Hi,
during my recent optimization work on the suite, I've run into problems
with a few netfilter tests, the "blockers" for me being 44 and 45, both
testing TCP RST - on ipv6 and ipv4.
For some unknown reason, both are implemented differently. My suspicion
is that somebody made a typo, but the test worked fine anyway, so the
typo was never discovered.
For the purposes of this email, I'll be referencing line numbers from
commit 89232060b2, file audit-test/netfilter/run.conf and describing
the operation on a RHEL6 machine.
Let's start with test 45 (tnum 46). It uses explicitly specified
port=4000 (line 1820) to connect via nc (line 955). This operation
has to return RST from port 4000 in order to be logged (lines 827-828).
However since port 4000 is normally used by xinetd to spawn
lblnet_tst_server, the test SIGKILLs xinetd (line 402) beforehand.
This makes port 4000 free (closed), which generates TCP RST as reply
when something (netcat) tries to connect to it.
In theory, test 44 (tnum 45) could be similar. It, however, isn't.
Despite the description mentioning port 4000, it uses port=$tst_port1
(line 1806), which is defined as 4100 (line 26). It then connects
via nc to that port, which succeeds ('recv' server operation is set up),
and, one second later (-w 1), closes the connection via FIN.
No RST is generated, yet the test PASSes. How is this possible?
The answer lies within the setup itself. Netfilter rules are set up
on port 4000 (lines 820-821), but on "dport", not "sport". This means
that we would need *something* to send RST to port 4000, which is a much
weirder operation to do, and not an easy one.
Furthermore, xinetd is not killed, line 402 specifies only tnum 46,
not 45, which means port 4000 is still open, with listening xinetd,
one more reason why RST shouldn't happen, but it somehow does.
The final piece to the puzzle is the initial lblnet_tst_server setup.
Test 45 uses (like others) op=recv_tcp (line 1806), which sets up
"recv" operation on the server (line 433). When this cmd_str line
is sent to the server via nc (line 451), the connection is left intact,
even though the client (nc) exits one second later (-w 1). Then the
test itself proceeds (using port 4100), which makes the server-side
"recv" operation finish. Upon finishing, the server sends a return code
to the client, but the client already exited, so the kernel sends,
on behalf of the client, a TCP RST packet to the server, port 4000,
ultimately making the test PASS.
I admit, it took me several hours to figure this out. I don't really
know if this approach has been chosen intentionally, or whether somebody
made several "typos" in several places.
I would like to ask if either of those approaches is needed for the
functionality itself to be tested. Do we just need *any* RST packet
to get logged (to /var/log/messages and audit log)?
Wouldn't simply connecting to an already closed port, matching --sport,
be enough? Like *not* setting up "recv" on port 4100 and using it
to match incoming TCP RST packets, generated by a connection attempt?
Thanks for any insights,
Jiri
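The two RST sources described above (a SYN to a closed port, and a late reply to a client that has already exited) reproduced on the loopback interface, as an added example that is not part of this thread or of the audit-test suite; the command string and the port numbers are constructed stand-ins, and the "dropped" outcome needs a packet filter rule that this script does not set up.

```python
"""Reproduce on loopback the two kinds of TCP RST that the netfilter RST
tests (tnum 45/46) turned out to rely on, and show why "connect() failed"
does not prove that packets were dropped.

  refused : SYN to a port with no listener -> the kernel answers RST/ACK and
            connect() fails with ECONNREFUSED
  dropped : SYN silently discarded (a filter rule) -> connect() times out
  reset   : a server writes to a client that has already exited -> the
            client's kernel answers with RST and the server's next write
            fails with ECONNRESET or EPIPE (the accidental RST from the
            lblnet_tst_server 'recv' setup)
"""
import socket
import time

LOOPBACK = "127.0.0.1"


def classify_connect(host: str, port: int, timeout: float = 2.0) -> str:
    """Attempt a TCP connect and report what happened to the SYN."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except socket.timeout:
            return "dropped"        # neither SYN/ACK nor RST came back
        except ConnectionRefusedError:
            return "refused"        # a RST/ACK answered the SYN
        return "accepted"           # three-way handshake completed


def free_loopback_port() -> int:
    """Ask the kernel for a currently free port, then release it so that
    nothing listens on it (a tiny race with other processes is accepted)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((LOOPBACK, 0))
        return s.getsockname()[1]


def demo_closed_port() -> str:
    """Closed port: expected 'refused'."""
    return classify_connect(LOOPBACK, free_loopback_port())


def demo_listening_port() -> str:
    """Listening port: expected 'accepted' (what the ipv6 test really did)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind((LOOPBACK, 0))
        srv.listen(1)
        return classify_connect(LOOPBACK, srv.getsockname()[1])


def late_reply_to_gone_client() -> str:
    """Client sends a command and exits without waiting; the server answers
    later.  Expected 'reset': the first write is accepted by the local
    stack, the peer's kernel rejects it with RST, the second write fails."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind((LOOPBACK, 0))
        srv.listen(1)
        port = srv.getsockname()[1]

        cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        cli.connect((LOOPBACK, port))
        cli.sendall(b"recv tcp 4100\n")   # constructed stand-in for cmd_str
        cli.close()                        # "nc -w 1" has exited by now

        conn, _ = srv.accept()
        with conn:
            conn.recv(64)                  # read the command
            try:
                conn.sendall(b"0\n")       # return code to a closed peer
                time.sleep(0.2)            # let the RST come back over lo
                conn.sendall(b"0\n")       # now hits the reset connection
            except (ConnectionResetError, BrokenPipeError):
                return "reset"
    return "ok"                             # no RST observed


if __name__ == "__main__":
    print("closed port   :", demo_closed_port())           # refused
    print("listening port:", demo_listening_port())        # accepted
    print("late reply    :", late_reply_to_gone_client())  # reset
```

A test that only checks for "refused" cannot tell a closed port from a filtered one, which is exactly why the RST tests need to match the RST segment itself rather than the failed connect.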
|
|
From: Linda K. <lin...@hp...> - 2013-08-30 13:54:17
|
Thanks Miroslav, I really appreciate all the work.
-- ljk
On 08/30/13 08:18, Miroslav Vadkerti wrote:
> Thanks Linda for the review,
>
> I pushed upstream 17 patches that we agreed on. 2 patches were removed
> and we will get back to the issues later.
>
> Best regards,
> /M
>
> ----- Original Message -----
>> Hi,
>> another batch of smaller changes preparing the suite for RHEL7 is here.
>> This batch focuses more on RHEL7 specifics, so RHEL6 doesn't always
>> benefit from the fixes, even though all changes should be at least
>> RHEL6-compatible.
>>
>> 4.4% audit-test/filter/tests/
>> 10.9% audit-test/libpam/tests/
>> 4.9% audit-test/trustedprograms/tests/
>> 70.5% audit-test/utils/
>> 9.1% audit-test/
>>
>> The majority of the changes are a result of the two new major features
>> (stored in utils/):
>>
>> - environment sanity-checking script
>> - run/rollup log separation and merging
>>
>> (see commit messages of patch 01 and 02 for more info)
>>
>> The rest of the changes consist mostly of random smaller fixes all
>> over the place.
>>
>> The changes have been tested on RHEL 6.2 (6.2.z) and 6.4 (6.4.z)
>> by Miroslav Vadkerti and don't seem to cause any regressions for RHEL6.
>>
>> The patches are attached via In-Reply-To/References to this mail.
>>
>> Thanks,
>> Jiri
|
|
From: Miroslav V. <mva...@re...> - 2013-08-30 12:18:44
|
Thanks Linda for the review,
I pushed upstream 17 patches that we agreed on. 2 patches were removed
and we will get back to the issues later.
Best regards,
/M
----- Original Message -----
> Hi,
> another batch of smaller changes preparing the suite for RHEL7 is here.
> This batch focuses more on RHEL7 specifics, so RHEL6 doesn't always
> benefit from the fixes, even though all changes should be at least
> RHEL6-compatible.
>
> 4.4% audit-test/filter/tests/
> 10.9% audit-test/libpam/tests/
> 4.9% audit-test/trustedprograms/tests/
> 70.5% audit-test/utils/
> 9.1% audit-test/
>
> The majority of the changes are a result of the two new major features
> (stored in utils/):
>
> - environment sanity-checking script
> - run/rollup log separation and merging
>
> (see commit messages of patch 01 and 02 for more info)
>
> The rest of the changes consist mostly of random smaller fixes all
> over the place.
>
> The changes have been tested on RHEL 6.2 (6.2.z) and 6.4 (6.4.z)
> by Miroslav Vadkerti and don't seem to cause any regressions for RHEL6.
>
> The patches are attached via In-Reply-To/References to this mail.
>
> Thanks,
> Jiri
--
Miroslav Vadkerti :: Quality Assurance Engineer / RHCE :: BaseOS QE - Security
Phone +420 532 294 129 :: CR cell +420 775 039 842 :: SR cell +421 904 135 440
IRC mvadkert at #qe #urt #brno #rpmdiff :: GnuPG ID 0x25881087 at pgp.mit.edu
Red Hat s.r.o, Purkyňova 99/71, 612 45, Brno, Czech Republic
|
|
From: Miroslav V. <mva...@re...> - 2013-08-30 07:35:34
|
----- Original Message -----
> On 08/29/13 08:41, Miroslav Vadkerti wrote:
>> Hi Linda, let me try to explain in more detail
>>
>> ----- Original Message -----
>>> On 08/21/13 12:24, Jiri Jaburek wrote:
>>>> From: Miroslav Vadkerti <mva...@re...>
>>>>
>>>> In recent RHEL7 kernel changes the loginuid call fails with
>>>> pam_loginuid where loginuid already set in session.
>>>>
>>>> This fix temporarily disables pam_loginuid in /etc/pam.d/login
>>>> as a workaround. This has no effect on testing purpose of
>>>> this test.
>>>>
>>>> The check for auid in augrok is not needed for this test.
>>>> The loginuid remains unchanged because of this workaround.
>>>
>>> Sorry, but I don't understand what you're saying here.
>>>
>>> What's broken?
>> In RHEL7 pam_loginuid will kick you out if login uid (auid) is already set.
>> This is a change in behavior compared to RHEL6 where this worked. This change
>> is not a bug but a feature - as I was told by our developers.
>
> That's bizarre. I wonder what else that's going to break - beyond just the
> test cases. Does it really cause the login to fail or does it just not update
> the auid? Causing the login to fail doesn't seem right.

Well this change relates to systemd and it is more like a feature [1]. As for
the things that might break it is generally all services that support login via
PAM. These all need now to be run via systemd to work. We did not find anything
else that would break because of this change in the test suite.

The login won't fail if used normally (via mingetty/agetty on consoles). The way
we are testing the login command is not a supported way as I was told by our
developer that maintains util-linux-ng. I know this worked somehow for RHEL6 and
earlier. The command is not intended to be run manually. Sorry for not posting
examples earlier - the pam session will kick you out like this [2], so you won't
be able to login.

I'm thinking that maybe we could use telnet server run from systemd that should
use login command. I will also check this possibility. Of course installing
telnet-server would break the evaluated configuration AFAICT, but maybe we could
do this only for the testing or distribute a small telnet server for this
purpose. If it would work.

>> As a consequence all tests that use login command (in expect snippets) will
>> fail.
>>
>>> Why is this workaround ok?
>>> Why don't we need to check the auid when having it set correctly
>>> is an important part of logging in?
>> I think it is enough to test the pam_loginuid functionality with one login
>> mechanism. In current upstream code this is tested only with the tests that
>> this patch touches using login command. The truth is I believed another login
>> mechanism (ssh) is also used to check the correct auid value. So this patch
>> set will need more work. I would suggest to move the currently removed auid
>> testing to the ssh tests. This should be sufficient for checking the correct
>> functionality of pam_loginuid.
>
> I agree that we don't need to test things in multiple places. We have other
> tests for pam_loginuid, such as fail-safe/tests/test_loginuid.bash. It uses ssh
> to verify that users can't log in if auditd isn't running, which is something
> that is enforced with that pam module. We could have a test case
> that uses ssh and explicitly tests auid as a libpam test.

I will try to come up with a patch in libpam for pam_loginuid auid functionality
in the next round of our patches. This may come handy later if we will not be
able to properly workaround this problem.

>>> If something has changed causing us to no longer have a valid
>>> login test, I'd rather see the test fail until we do have a valid
>>> login test.
>> I think when we introduce the auid testing part to the ssh tests the login
>> testing is again on par with the current upstream code.
>
> What's bothering me here is that these login tests are supposed to test the
> pam configuration for login, and the first thing it does is modify the pam
> configuration for login to not be in the evaluated configuration. It seems
> to me like we no longer have a good set of tests for login. For example, if
> the system didn't have that session line in /etc/pam.d/login, how would we
> know? The tests would succeed but the system would in fact be broken.

Currently I do not see any other way how to test with login command as the one
proposed. I will try to discuss this more with our developers and report back.
Regarding the missing session line in /etc/pam.d/login we could check before
running the test if pam_loginuid is available in the configuration. But lets
keep that conversation for later time.

>> Hopefully my intentions are more clear now :)
>
> They are, and hopefully my concerns are clearer too. I think we're going
> to have to figure out how to test login in the evaluated configuration.
> In the meantime, I think these tests should just fail if it doesn't work.

Yes they are. Lets remove this patch for now.

[1] https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=633b45454503489209b0d9a45f9e3cd1b852c614
[2]
# expect -c '
> spawn login
> sleep 1
> expect -nocase {login: $} {send "tester\r"}
> expect -nocase {password: $} {send "tester\r"}
> expect -nocase {level} {send "\r"}
> send "PS1=:\\::\r"
> expect {:::$} {close; wait}'
spawn login
rhel7cc login: tester
Password:
Unable to get valid context for tester
Cannot make/remove an entry for the specified session

/M

> -- ljk
>
>> /M
>>
>>> -- ljk
>> > >>> > >>> Signed-off-by: Miroslav Vadkerti <mva...@re...> > >>> --- > >>> audit-test/libpam/tests/test_login.bash | 4 ++++ > >>> audit-test/libpam/tests/test_mls_default_login.bash | 9 +++++++-- > >>> audit-test/libpam/tests/test_mls_level_login.bash | 9 +++++++-- > >>> audit-test/libpam/tests/test_mls_level_login_fail.bash | 14 > >>> +++++++++++--- > >>> audit-test/libpam/tests/test_namespace.bash | 9 +++++++-- > >>> audit-test/trustedprograms/tests/test_lpq.bash | 5 +++++ > >>> 6 files changed, 41 insertions(+), 9 deletions(-) > >>> > >>> diff --git a/audit-test/libpam/tests/test_login.bash > >>> b/audit-test/libpam/tests/test_login.bash > >>> index 3d05afa..d834900 100755 > >>> --- a/audit-test/libpam/tests/test_login.bash > >>> +++ b/audit-test/libpam/tests/test_login.bash > >>> @@ -26,7 +26,11 @@ chmod 666 $localtmp > >>> > >>> # turn off screen in /etc/profile > >>> backup /etc/profile > >>> +backup /etc/pam.d/login > >>> sed -i 's/\[ -w $(tty) \]/false/' /etc/profile > >>> +# In RHEL7 the pam_loginuid fails if loginuid already set > >>> +# for the purpose of this test we disable it temporarily > >>> +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login > >>> > >>> # if in LSPP mode, map the TEST_USER to staff_u > >>> if [[ $PPROFILE == "lspp" ]]; then > >>> diff --git a/audit-test/libpam/tests/test_mls_default_login.bash > >>> b/audit-test/libpam/tests/test_mls_default_login.bash > >>> index 6fca015..ac7f2b7 100755 > >>> --- a/audit-test/libpam/tests/test_mls_default_login.bash > >>> +++ b/audit-test/libpam/tests/test_mls_default_login.bash > >>> @@ -44,6 +44,11 @@ fi > >>> # use backup (and automatic restore) to work around this > >>> backup /var/run/utmp > >>> > >>> +# In RHEL7 the pam_loginuid fails if loginuid already set > >>> +# for the purpose of this test we disable it temporarily > >>> +backup /etc/pam.d/login > >>> +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login > >>> + > >>> # test > >>> ( > >>> export localtmp 
> >>> @@ -63,11 +68,11 @@ pts=${pts##*/} > >>> msg_1="acct=\"*$TEST_USER\"* exe=.(/usr)?/bin/login.* terminal=pts/$pts > >>> res=success.*" > >>> augrok -q type=USER_AUTH msg_1=~"PAM:authentication $msg_1" || exit_fail > >>> augrok -q type=USER_ACCT msg_1=~"PAM:accounting $msg_1" || exit_fail > >>> -augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \ > >>> +augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" \ > >>> subj=$login_context || exit_fail > >>> # Check for ROLE_ASSIGN event for testuser > >>> augrok -q type=ROLE_ASSIGN msg_1=~"op=login-sename,role,range > >>> acct=\"$TEST_USER\" old-seuser=user_u old-role=user_r old-range=s0 > >>> new-seuser=staff_u > >>> new-role=auditadm_r,staff_r,lspp_test_r,secadm_r,sysadm_r > >>> new-range=$def_range" || exit_fail "ROLE_ASSIGN event does not match" > >>> # Check for USER_ROLE_CHANGE for login command > >>> -augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: > >>> default-context=$def_context > >>> selected-context=$def_context.*exe=.(/usr)?/bin/login.* terminal=pts/$pts > >>> res=success.*" auid=$auid || exit_fail "USER_ROLE_CHANGE does not match" > >>> +augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: > >>> default-context=$def_context > >>> selected-context=$def_context.*exe=.(/usr)?/bin/login.* terminal=pts/$pts > >>> res=success.*" || exit_fail "USER_ROLE_CHANGE does not match" > >>> > >>> exit_pass > >>> diff --git a/audit-test/libpam/tests/test_mls_level_login.bash > >>> b/audit-test/libpam/tests/test_mls_level_login.bash > >>> index 436bcda..063647f 100755 > >>> --- a/audit-test/libpam/tests/test_mls_level_login.bash > >>> +++ b/audit-test/libpam/tests/test_mls_level_login.bash 
> >>> @@ -42,6 +42,11 @@ fi > >>> # use backup (and automatic restore) to work around this > >>> backup /var/run/utmp > >>> > >>> +# In RHEL7 the pam_loginuid fails if loginuid already set > >>> +# for the purpose of this test we disable it temporarily > >>> +backup /etc/pam.d/login > >>> +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login > >>> + > >>> # test > >>> ( > >>> export localtmp > >>> @@ -68,7 +73,7 @@ fi > >>> msg_1="acct=\"*$TEST_USER\"* exe=.(/usr)?/bin/login.* res=success.*" > >>> augrok -q type=USER_AUTH msg_1=~"PAM:authentication $msg_1" || exit_fail > >>> augrok -q type=USER_ACCT msg_1=~"PAM:accounting $msg_1" || exit_fail > >>> -augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \ > >>> +augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" \ > >>> subj=$login_context || exit_fail > >>> -augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: > >>> default-context=$def_context > >>> selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=success.*" > >>> auid=$auid || exit_fail > >>> +augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: > >>> default-context=$def_context > >>> selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=success.*" || > >>> exit_fail > >>> exit_pass > >>> diff --git a/audit-test/libpam/tests/test_mls_level_login_fail.bash > >>> b/audit-test/libpam/tests/test_mls_level_login_fail.bash > >>> index 92562f9..ba04604 100755 > >>> --- a/audit-test/libpam/tests/test_mls_level_login_fail.bash > >>> +++ b/audit-test/libpam/tests/test_mls_level_login_fail.bash > >>> @@ -42,6 +42,11 @@ fi > >>> # use backup (and automatic restore) to work around this > >>> backup /var/run/utmp > >>> > >>> +# In RHEL7 the pam_loginuid fails if loginuid already set > >>> +# for the purpose of this test we disable it temporarily > >>> +backup /etc/pam.d/login > >>> +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login > >>> + > >>> # test > >>> ( > >>> export localtmp 
> >>> @@ -52,11 +57,14 @@ backup /var/run/utmp > >>> expect -nocase {level} {send "Y\r"} > >>> expect -nocase {role:} {send "\r"} > >>> expect -nocase {level:} {send "s15\r"} > >>> - expect -nocase {"authentication failure"} {close; wait}' > >>> + expect { > >>> + -nocase {"authentication failure"} {close; wait} > >>> + -nocase {"Cannot make/remove"} {close; wait} > >>> + }' > >>> ) > >>> > >>> msg_1="acct=\"*$TEST_USER\"* exe=.(/usr)?/bin/login.* res=failed.*" > >>> -augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \ > >>> +augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" \ > >>> subj=$login_context || exit_fail > >>> -augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: > >>> default-context=$def_context > >>> selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=failed.*" > >>> auid=$auid || exit_fail > >>> +augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: > >>> default-context=$def_context > >>> selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=failed.*" || > >>> exit_fail > >>> exit_pass > >>> diff --git a/audit-test/libpam/tests/test_namespace.bash > >>> b/audit-test/libpam/tests/test_namespace.bash > >>> index 6fb20da..6642350 100755 > >>> --- a/audit-test/libpam/tests/test_namespace.bash > >>> +++ b/audit-test/libpam/tests/test_namespace.bash > >>> @@ -59,6 +59,11 @@ backup /var/run/utmp > >>> backup /etc/security/namespace.conf > >>> echo "/tmp /tmp-parent/tmp-inst/ level root,adm" > > >>> /etc/security/namespace.conf > >>> > >>> +# In RHEL7 the pam_loginuid fails if loginuid already set > >>> +# for the purpose of this test we disable it temporarily > >>> +backup /etc/pam.d/login > >>> +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login > >>> + > >>> tmpinstdir=/tmp-parent/tmp-inst/ > >>> tmpnewfile=/tmp/newfile 
> >>> > >>> @@ -87,7 +92,7 @@ auditctl -a entry,always ${MODE:+-F arch=b$MODE} -S > >>> open > >>> -F uid=$auid || \ > >>> ) > >>> # Check the path and context in the audit record. > >>> augrok type==SYSCALL \ > >>> - subj=$s0_context auid=$auid success=yes \ > >>> + subj=$s0_context success=yes \ > >>> name=$tmpnewfile obj=$s0_obj\ > >>> || exit_fail "missing audit record" > >>> > >>> @@ -110,7 +115,7 @@ log_mark=$(stat -c %s $audit_log) > >>> > >>> # Check the path and context in the audit record. > >>> augrok --seek=$log_mark type==SYSCALL \ > >>> - subj=$s2_context auid=$auid success=yes \ > >>> + subj=$s2_context success=yes \ > >>> name=$tmpnewfile obj=$s2_obj\ > >>> || exit_fail "missing audit record" > >>> > >>> diff --git a/audit-test/trustedprograms/tests/test_lpq.bash > >>> b/audit-test/trustedprograms/tests/test_lpq.bash > >>> index 0cbd45f..ee0f60d 100755 > >>> --- a/audit-test/trustedprograms/tests/test_lpq.bash > >>> +++ b/audit-test/trustedprograms/tests/test_lpq.bash 
> >>> @@ -50,6 +50,11 @@ backup /var/run/utmp > >>> semanage login -a -s staff_u -r SystemLow-SystemHigh $TEST_USER || \ > >>> exit_error "unable to set $TEST_USER to staff_u" > >>> > >>> +# In RHEL7 the pam_loginuid fails if loginuid already set > >>> +# for the purpose of this test we disable it temporarily > >>> +backup /etc/pam.d/login > >>> +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login > >>> + > >>> # test > >>> prepend_cleanup rm -f $CON1OUT $CON2OUT > >>> runcon $LPQ1CON lpq -P $printer > $CON1OUT > >>> > >> > >> > >> ------------------------------------------------------------------------------ > >> Learn the latest--Visual Studio 2012, SharePoint 2013, SQL 2012, more! > >> Discover the easy way to master current and previous Microsoft > >> technologies > >> and advance your career. Get an incredible 1,500+ hours of step-by-step > >> tutorial videos with LearnDevNow. Subscribe today and save! > >> http://pubads.g.doubleclick.net/gampad/clk?id=58040911&iu=/4140/ostg.clktrk > >> _______________________________________________ > >> Audit-test-developer mailing list > >> Aud...@li... > >> https://lists.sourceforge.net/lists/listinfo/audit-test-developer > >> > > > > -- Miroslav Vadkerti :: Quality Assurance Engineer / RHCE :: BaseOS QE - Security Phone +420 532 294 129 :: CR cell +420 775 039 842 :: SR cell +421 904 135 440 IRC mvadkert at #qe #urt #brno #rpmdiff :: GnuPG ID 0x25881087 at pgp.mit.edu Red Hat s.r.o, Purkyňova 99/71, 612 45, Brno, Czech Republic |
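Review bot: in the test_login.bash hunk (and the same two lines added to test_mls_default_login.bash, test_mls_level_login.bash, test_mls_level_login_fail.bash, test_namespace.bash and test_lpq.bash) the sed that comments out the pam_loginuid session line succeeds silently when no such line exists, so a system that is missing pam_loginuid from /etc/pam.d/login would pass unnoticed; guard it with a grep for the line and exit_error when it is absent. The pattern also anchors on ^session, so a line written with the optional-module prefix (-session) would not be commented out.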
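Review bot: the augrok hunk in test_mls_default_login.bash drops auid=$auid from both the USER_START and the USER_ROLE_CHANGE match, which weakens the check rather than adjusting it; the commit message says the loginuid "remains unchanged because of this workaround", so the match could assert the value it is expected to keep instead of accepting any auid. The same weakening is repeated in the test_mls_level_login.bash and test_mls_level_login_fail.bash hunks.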
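Review bot: the expect change in test_mls_level_login_fail.bash accepts "Cannot make/remove" as an end of the dialogue alongside "authentication failure", so a PAM session failure and the authentication failure this test is about become indistinguishable at that point; the augrok checks that follow still require res=failed, but the test no longer knows which failure it observed. Consider treating the session error as exit_error and keeping only "authentication failure" as the expected path.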
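Review bot: in the test_namespace.bash hunks the auditctl rule shown in the context still filters on -F uid=$auid while both augrok matches drop auid=$auid; if $auid is not trustworthy under this workaround the rule needs the same treatment in this patch, and if it is trustworthy the matches can keep it. Either way this file is not a login test, so the change here deserves its own line in the commit message.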
|
From: Linda K. <lin...@hp...> - 2013-08-29 17:57:47
|
On 08/29/13 08:41, Miroslav Vadkerti wrote:
> Hi Linda, let me try to explain in more detail
>
> ----- Original Message -----
>> On 08/21/13 12:24, Jiri Jaburek wrote:
>>> From: Miroslav Vadkerti <mva...@re...>
>>>
>>> In recent RHEL7 kernel changes the loginuid call fails with
>>> pam_loginuid where loginuid already set in session.
>>>
>>> This fix temporarily disables pam_loginuid in /etc/pam.d/login
>>> as a workaround. This has no effect on testing purpose of
>>> this test.
>>>
>>> The check for auid in augrok is not needed for this test.
>>> The loginuid remains unchanged because of this workaround.
>>
>> Sorry, but I don't understand what you're saying here.
>>
>> What's broken?
> In RHEL7 pam_loginuid will kick you out if login uid (auid) is already set. This
> is a change in behavior compared to RHEL6 where this worked. This change is not a bug
> but a feature - as I was told by our developers.
That's bizarre. I wonder what else that's going to break - beyond just the
test cases. Does it really cause the login to fail or does it just not update
the auid? Causing the login to fail doesn't seem right.
> As a consequence all tests that
> use login command (in expect snippets) will fail.
>
>> Why is this workaround ok?
>> Why don't we need to check the auid when having it set correctly
>> is an important part of logging in?
> I think it is enough to test the pam_loginuid functionality with one login mechanism.
> In current upstream code this is tested only with the tests that this patch touches
> using login command. The truth is I believed another login mechanism (ssh) is also used to check
> the correct auid value. So this patch set will need more work. I would suggest to move
> the currently removed auid testing to the ssh tests. This should be sufficient for checking
> the correct functionality of pam_loginuid.
I agree that we don't need to test things in multiple places. We have other
tests for pam_loginuid, such as fail-safe/tests/test_loginuid.bash. It uses ssh
to verify that users can't log in if auditd isn't running, which is something
that is enforced with that pam module. We could have a test case
that uses ssh and explicitly tests auid as a libpam test.
>> If something has changed causing us to no longer have a valid
>> login test, I'd rather see the test fail until we do have a valid
>> login test.
> I think when we introduce the auid testing part to the ssh tests, the login testing is again
> on par with the current upstream code.
What's bothering me here is that these login tests are supposed to test the
pam configuration for login, and the first thing it does is modify the pam
configuration for login to not be in the evaluated configuration. It seems
to me like we no longer have a good set of tests for login. For example, if
the system didn't have that session line in /etc/pam.d/login, how would we know?
The tests would succeed but the system would in fact be broken.
> Hopefully my intentions are more clear now :)
They are, and hopefully my concerns are clearer too. I think we're going
to have to figure out how to test login in the evaluated configuration.
In the meantime, I think these tests should just fail if it doesn't work.
-- ljk
>
> /M
>
>>
>> -- ljk
>>
>>>
>>> Signed-off-by: Miroslav Vadkerti <mva...@re...>
>>> ---
>>> audit-test/libpam/tests/test_login.bash | 4 ++++
>>> audit-test/libpam/tests/test_mls_default_login.bash | 9 +++++++--
>>> audit-test/libpam/tests/test_mls_level_login.bash | 9 +++++++--
>>> audit-test/libpam/tests/test_mls_level_login_fail.bash | 14 +++++++++++---
>>> audit-test/libpam/tests/test_namespace.bash | 9 +++++++--
>>> audit-test/trustedprograms/tests/test_lpq.bash | 5 +++++
>>> 6 files changed, 41 insertions(+), 9 deletions(-)
>>>
>>> diff --git a/audit-test/libpam/tests/test_login.bash
>>> b/audit-test/libpam/tests/test_login.bash
>>> index 3d05afa..d834900 100755
>>> --- a/audit-test/libpam/tests/test_login.bash
>>> +++ b/audit-test/libpam/tests/test_login.bash
>>> @@ -26,7 +26,11 @@ chmod 666 $localtmp
>>>
>>> # turn off screen in /etc/profile
>>> backup /etc/profile
>>> +backup /etc/pam.d/login
>>> sed -i 's/\[ -w $(tty) \]/false/' /etc/profile
>>> +# In RHEL7 the pam_loginuid fails if loginuid already set
>>> +# for the purpose of this test we disable it temporarily
>>> +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
>>>
>>> # if in LSPP mode, map the TEST_USER to staff_u
>>> if [[ $PPROFILE == "lspp" ]]; then
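Review bot: the sed that comments out the pam_loginuid line, `sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login`, succeeds just as well when no such line exists, so a system that is missing the session entry passes this test unnoticed, which is exactly the gap ljk raises. Assert the line is there before disabling it, e.g. `grep -q '^session.*pam_loginuid' /etc/pam.d/login || exit_error "pam_loginuid not in /etc/pam.d/login"`, and keep `backup /etc/pam.d/login` next to that sed instead of between the /etc/profile backup and its own sed.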
>>> diff --git a/audit-test/libpam/tests/test_mls_default_login.bash
>>> b/audit-test/libpam/tests/test_mls_default_login.bash
>>> index 6fca015..ac7f2b7 100755
>>> --- a/audit-test/libpam/tests/test_mls_default_login.bash
>>> +++ b/audit-test/libpam/tests/test_mls_default_login.bash
>>> @@ -44,6 +44,11 @@ fi
>>> # use backup (and automatic restore) to work around this
>>> backup /var/run/utmp
>>>
>>> +# In RHEL7 the pam_loginuid fails if loginuid already set
>>> +# for the purpose of this test we disable it temporarily
>>> +backup /etc/pam.d/login
>>> +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
>>> +
>>> # test
>>> (
>>> export localtmp
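Review bot: this comment/backup/sed block is pasted verbatim into five test scripts in this patch. Put it in one shared helper (for example a `disable_pam_loginuid` function alongside `backup`), so the regex and the reason for the workaround live in one place and the whole thing can be removed with a single change once the ssh-based auid test exists.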
>>> @@ -63,11 +68,11 @@ pts=${pts##*/}
>>> msg_1="acct=\"*$TEST_USER\"* exe=.(/usr)?/bin/login.* terminal=pts/$pts
>>> res=success.*"
>>> augrok -q type=USER_AUTH msg_1=~"PAM:authentication $msg_1" || exit_fail
>>> augrok -q type=USER_ACCT msg_1=~"PAM:accounting $msg_1" || exit_fail
>>> -augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
>>> +augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" \
>>> subj=$login_context || exit_fail
>>> # Check for ROLE_ASSIGN event for testuser
>>> augrok -q type=ROLE_ASSIGN msg_1=~"op=login-sename,role,range
>>> acct=\"$TEST_USER\" old-seuser=user_u old-role=user_r old-range=s0
>>> new-seuser=staff_u
>>> new-role=auditadm_r,staff_r,lspp_test_r,secadm_r,sysadm_r
>>> new-range=$def_range" || exit_fail "ROLE_ASSIGN event does not match"
>>> # Check for USER_ROLE_CHANGE for login command
>>> -augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context
>>> selected-context=$def_context.*exe=.(/usr)?/bin/login.* terminal=pts/$pts
>>> res=success.*" auid=$auid || exit_fail "USER_ROLE_CHANGE does not match"
>>> +augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context
>>> selected-context=$def_context.*exe=.(/usr)?/bin/login.* terminal=pts/$pts
>>> res=success.*" || exit_fail "USER_ROLE_CHANGE does not match"
>>>
>>> exit_pass
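Review bot: dropping `auid=$auid` from the USER_START and USER_ROLE_CHANGE lookups means any matching record for $TEST_USER on that pts satisfies the test, including one left by an earlier run on a reused pts. The commit message says the loginuid stays unchanged with pam_loginuid disabled, so the records should carry the harness's own loginuid; match that value (for example `auid=$(cat /proc/self/loginuid)`) rather than removing the field, so the record stays bound to this login.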
>>> diff --git a/audit-test/libpam/tests/test_mls_level_login.bash
>>> b/audit-test/libpam/tests/test_mls_level_login.bash
>>> index 436bcda..063647f 100755
>>> --- a/audit-test/libpam/tests/test_mls_level_login.bash
>>> +++ b/audit-test/libpam/tests/test_mls_level_login.bash
>>> @@ -42,6 +42,11 @@ fi
>>> # use backup (and automatic restore) to work around this
>>> backup /var/run/utmp
>>>
>>> +# In RHEL7 the pam_loginuid fails if loginuid already set
>>> +# for the purpose of this test we disable it temporarily
>>> +backup /etc/pam.d/login
>>> +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
>>> +
>>> # test
>>> (
>>> export localtmp
>>> @@ -68,7 +73,7 @@ fi
>>> msg_1="acct=\"*$TEST_USER\"* exe=.(/usr)?/bin/login.* res=success.*"
>>> augrok -q type=USER_AUTH msg_1=~"PAM:authentication $msg_1" || exit_fail
>>> augrok -q type=USER_ACCT msg_1=~"PAM:accounting $msg_1" || exit_fail
>>> -augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
>>> +augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" \
>>> subj=$login_context || exit_fail
>>> -augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context
>>> selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=success.*"
>>> auid=$auid || exit_fail
>>> +augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context
>>> selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=success.*" ||
>>> exit_fail
>>> exit_pass
>>> diff --git a/audit-test/libpam/tests/test_mls_level_login_fail.bash
>>> b/audit-test/libpam/tests/test_mls_level_login_fail.bash
>>> index 92562f9..ba04604 100755
>>> --- a/audit-test/libpam/tests/test_mls_level_login_fail.bash
>>> +++ b/audit-test/libpam/tests/test_mls_level_login_fail.bash
>>> @@ -42,6 +42,11 @@ fi
>>> # use backup (and automatic restore) to work around this
>>> backup /var/run/utmp
>>>
>>> +# In RHEL7 the pam_loginuid fails if loginuid already set
>>> +# for the purpose of this test we disable it temporarily
>>> +backup /etc/pam.d/login
>>> +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
>>> +
>>> # test
>>> (
>>> export localtmp
>>> @@ -52,11 +57,14 @@ backup /var/run/utmp
>>> expect -nocase {level} {send "Y\r"}
>>> expect -nocase {role:} {send "\r"}
>>> expect -nocase {level:} {send "s15\r"}
>>> - expect -nocase {"authentication failure"} {close; wait}'
>>> + expect {
>>> + -nocase {"authentication failure"} {close; wait}
>>> + -nocase {"Cannot make/remove"} {close; wait}
>>> + }'
>>> )
>>>
>>> msg_1="acct=\"*$TEST_USER\"* exe=.(/usr)?/bin/login.* res=failed.*"
>>> -augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
>>> +augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" \
>>> subj=$login_context || exit_fail
>>> -augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context
>>> selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=failed.*"
>>> auid=$auid || exit_fail
>>> +augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context
>>> selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=failed.*" ||
>>> exit_fail
>>> exit_pass
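Review bot: the expect block now accepts "Cannot make/remove" as well as "authentication failure", but that string is the start of the PAM_SESSION_ERR message ("Cannot make/remove an entry for the specified session"), i.e. the session-setup failure this very patch works around by commenting out pam_loginuid, not the MLS level rejection test_mls_level_login_fail is about. Accepting it masks the case where the workaround did not take effect and lets a login that failed for the wrong reason pass; the commit message does not explain the addition either. Keep the single expected message, or document why a session error is an acceptable outcome here.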
>>> diff --git a/audit-test/libpam/tests/test_namespace.bash
>>> b/audit-test/libpam/tests/test_namespace.bash
>>> index 6fb20da..6642350 100755
>>> --- a/audit-test/libpam/tests/test_namespace.bash
>>> +++ b/audit-test/libpam/tests/test_namespace.bash
>>> @@ -59,6 +59,11 @@ backup /var/run/utmp
>>> backup /etc/security/namespace.conf
>>> echo "/tmp /tmp-parent/tmp-inst/ level root,adm" >
>>> /etc/security/namespace.conf
>>>
>>> +# In RHEL7 the pam_loginuid fails if loginuid already set
>>> +# for the purpose of this test we disable it temporarily
>>> +backup /etc/pam.d/login
>>> +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
>>> +
>>> tmpinstdir=/tmp-parent/tmp-inst/
>>> tmpnewfile=/tmp/newfile
>>>
>>> @@ -87,7 +92,7 @@ auditctl -a entry,always ${MODE:+-F arch=b$MODE} -S open
>>> -F uid=$auid || \
>>> )
>>> # Check the path and context in the audit record.
>>> augrok type==SYSCALL \
>>> - subj=$s0_context auid=$auid success=yes \
>>> + subj=$s0_context success=yes \
>>> name=$tmpnewfile obj=$s0_obj\
>>> || exit_fail "missing audit record"
>>>
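Review bot: the audit rule in this hunk's context is still keyed on `-F uid=$auid`, so the SYSCALL record is only generated for that uid, yet the augrok lookup no longer pins the record to the user at all. Keeping a `uid=$auid` match in the augrok call (the SYSCALL record carries that field) keeps the lookup as selective as the rule that produced the record, without depending on the auid that pam_loginuid no longer sets.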
>>> @@ -110,7 +115,7 @@ log_mark=$(stat -c %s $audit_log)
>>>
>>> # Check the path and context in the audit record.
>>> augrok --seek=$log_mark type==SYSCALL \
>>> - subj=$s2_context auid=$auid success=yes \
>>> + subj=$s2_context success=yes \
>>> name=$tmpnewfile obj=$s2_obj\
>>> || exit_fail "missing audit record"
>>>
>>> diff --git a/audit-test/trustedprograms/tests/test_lpq.bash
>>> b/audit-test/trustedprograms/tests/test_lpq.bash
>>> index 0cbd45f..ee0f60d 100755
>>> --- a/audit-test/trustedprograms/tests/test_lpq.bash
>>> +++ b/audit-test/trustedprograms/tests/test_lpq.bash
>>> @@ -50,6 +50,11 @@ backup /var/run/utmp
>>> semanage login -a -s staff_u -r SystemLow-SystemHigh $TEST_USER || \
>>> exit_error "unable to set $TEST_USER to staff_u"
>>>
>>> +# In RHEL7 the pam_loginuid fails if loginuid already set
>>> +# for the purpose of this test we disable it temporarily
>>> +backup /etc/pam.d/login
>>> +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
>>> +
>>> # test
>>> prepend_cleanup rm -f $CON1OUT $CON2OUT
>>> runcon $LPQ1CON lpq -P $printer > $CON1OUT
>>>
>>
>>
>> ------------------------------------------------------------------------------
>> Learn the latest--Visual Studio 2012, SharePoint 2013, SQL 2012, more!
>> Discover the easy way to master current and previous Microsoft technologies
>> and advance your career. Get an incredible 1,500+ hours of step-by-step
>> tutorial videos with LearnDevNow. Subscribe today and save!
>> http://pubads.g.doubleclick.net/gampad/clk?id=58040911&iu=/4140/ostg.clktrk
>> _______________________________________________
>> Audit-test-developer mailing list
>> Aud...@li...
>> https://lists.sourceforge.net/lists/listinfo/audit-test-developer
>>
>
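The check ljk asks for above (how would we know if the pam_loginuid session line were missing from /etc/pam.d/login?), written up as an added example that is not part of this thread or of the audit-test project. It verifies that the login stack still carries an active pam_loginuid line and whether the calling process already has a loginuid, which is the condition this thread reports as making a nested login(1) fail on RHEL7. The function names, the return codes of `login_test_precheck` and the sample file contents are my own assumptions; the unset-loginuid value 4294967295 is the kernel's.

```shell
#!/bin/bash
# Added example, not code from the audit-test project: verify that the login
# PAM stack still carries an active pam_loginuid session line, and whether the
# calling process already has a loginuid, which this thread reports makes a
# nested login(1) fail on RHEL7. File paths are parameters so the checks can
# run against the constructed samples in demo() instead of the live system.

# 0 if FILE has an uncommented "session ... pam_loginuid.so" line, 1 otherwise.
# Leading whitespace is tolerated; a line commented out with "#" does not match.
pam_loginuid_active() {
    grep -Eq '^[[:space:]]*session[[:space:]]+[^#]*pam_loginuid\.so' "$1"
}

# 0 if the loginuid in FILE (normally /proc/self/loginuid) is unset, 1 if set,
# 2 if unreadable. The kernel reports an unset loginuid as 4294967295, the
# unsigned form of -1.
loginuid_unset() {
    local uid
    uid=$(cat "${1:-/proc/self/loginuid}") || return 2
    [ "$uid" = 4294967295 ]
}

# Precondition for a test that drives login(1) from the current shell
# (return codes are this example's own convention):
#   0  stack is in the evaluated configuration and the nested login can set auid
#   1  pam_loginuid line missing or commented out, so auid would silently not be set
#   3  line present but this process already has a loginuid, so (per the thread)
#      the nested login would be rejected by pam_loginuid on RHEL7
login_test_precheck() {
    local pamfile=$1 loginuid_file=$2
    pam_loginuid_active "$pamfile" || return 1
    loginuid_unset "$loginuid_file" || return 3
    return 0
}

# Constructed sample files; the real paths are /etc/pam.d/login and /proc/self/loginuid.
demo() {
    local d rc pair
    d=$(mktemp -d)
    printf 'session    required     pam_selinux.so close\nsession    required     pam_loginuid.so\n' > "$d/login.ok"
    # The sed in the patch turns the line into this; the check must reject it.
    printf 'session    required     pam_selinux.so close\n#session    required     pam_loginuid.so\n' > "$d/login.commented"
    printf '4294967295\n' > "$d/loginuid.unset"
    printf '1000\n' > "$d/loginuid.set"
    for pair in "login.ok loginuid.unset" "login.commented loginuid.unset" "login.ok loginuid.set"; do
        set -- $pair
        rc=0; login_test_precheck "$d/$1" "$d/$2" || rc=$?
        echo "$1 + $2 -> $rc"
    done
    rm -rf "$d"
}
demo
```

Run against the live system with `login_test_precheck /etc/pam.d/login /proc/self/loginuid` before spawning login(1) from expect; a non-zero result tells you which of the two preconditions failed, instead of the test silently passing with the line absent or failing with the PAM session error.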
From: Miroslav V. <mva...@re...> - 2013-08-29 12:42:06
Hi Linda, let me try to explain in more detail
----- Original Message -----
> On 08/21/13 12:24, Jiri Jaburek wrote:
> > From: Miroslav Vadkerti <mva...@re...>
> >
> > In recent RHEL7 kernel changes the loginuid call fails with
> > pam_loginuid where loginuid already set in session.
> >
> > This fix temporarily disables pam_loginuid in /etc/pam.d/login
> > as a workaround. This has no effect on testing purpose of
> > this test.
> >
> > The check for auid in augrok is not needed for this test.
> > The loginuid remains unchanged because of this workaround.
>
> Sorry, but I don't understand what you're saying here.
>
> What's broken?
In RHEL7 pam_loginuid will kick you out if the login uid (auid) is already set. This
is a change in behavior compared to RHEL6, where this worked. This change is not a bug
but a feature - as I was told by our developers. As a consequence all tests that
use the login command (in expect snippets) will fail.
> Why is this workaround ok?
> Why don't we need to check the auid when having it set correctly
> is an important part of logging in?
I think it is enough to test the pam_loginuid functionality with one login mechanism.
In the current upstream code this is tested only with the tests that this patch touches,
using the login command. The truth is I believed that another login mechanism (ssh) was also used to check
the correct auid value. So this patch set will need more work. I would suggest moving
the currently removed auid testing to the ssh tests. This should be sufficient for checking
the correct functionality of pam_loginuid.
>
> If something has changed causing us to no longer have a valid
> login test, I'd rather see the test fail until we do have a valid
> login test.
I think when we introduce the auid testing part to the ssh tests, the login testing is again
on par with the current upstream code.
Hopefully my intentions are more clear now :)
/M
>
> -- ljk
>
> >
> > Signed-off-by: Miroslav Vadkerti <mva...@re...>
> > ---
> > audit-test/libpam/tests/test_login.bash | 4 ++++
> > audit-test/libpam/tests/test_mls_default_login.bash | 9 +++++++--
> > audit-test/libpam/tests/test_mls_level_login.bash | 9 +++++++--
> > audit-test/libpam/tests/test_mls_level_login_fail.bash | 14 +++++++++++---
> > audit-test/libpam/tests/test_namespace.bash | 9 +++++++--
> > audit-test/trustedprograms/tests/test_lpq.bash | 5 +++++
> > 6 files changed, 41 insertions(+), 9 deletions(-)
> >
> > diff --git a/audit-test/libpam/tests/test_login.bash
> > b/audit-test/libpam/tests/test_login.bash
> > index 3d05afa..d834900 100755
> > --- a/audit-test/libpam/tests/test_login.bash
> > +++ b/audit-test/libpam/tests/test_login.bash
> > @@ -26,7 +26,11 @@ chmod 666 $localtmp
> >
> > # turn off screen in /etc/profile
> > backup /etc/profile
> > +backup /etc/pam.d/login
> > sed -i 's/\[ -w $(tty) \]/false/' /etc/profile
> > +# In RHEL7 the pam_loginuid fails if loginuid already set
> > +# for the purpose of this test we disable it temporarily
> > +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
> >
> > # if in LSPP mode, map the TEST_USER to staff_u
> > if [[ $PPROFILE == "lspp" ]]; then
> > diff --git a/audit-test/libpam/tests/test_mls_default_login.bash
> > b/audit-test/libpam/tests/test_mls_default_login.bash
> > index 6fca015..ac7f2b7 100755
> > --- a/audit-test/libpam/tests/test_mls_default_login.bash
> > +++ b/audit-test/libpam/tests/test_mls_default_login.bash
> > @@ -44,6 +44,11 @@ fi
> > # use backup (and automatic restore) to work around this
> > backup /var/run/utmp
> >
> > +# In RHEL7 the pam_loginuid fails if loginuid already set
> > +# for the purpose of this test we disable it temporarily
> > +backup /etc/pam.d/login
> > +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
> > +
> > # test
> > (
> > export localtmp
> > @@ -63,11 +68,11 @@ pts=${pts##*/}
> > msg_1="acct=\"*$TEST_USER\"* exe=.(/usr)?/bin/login.* terminal=pts/$pts
> > res=success.*"
> > augrok -q type=USER_AUTH msg_1=~"PAM:authentication $msg_1" || exit_fail
> > augrok -q type=USER_ACCT msg_1=~"PAM:accounting $msg_1" || exit_fail
> > -augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
> > +augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" \
> > subj=$login_context || exit_fail
> > # Check for ROLE_ASSIGN event for testuser
> > augrok -q type=ROLE_ASSIGN msg_1=~"op=login-sename,role,range
> > acct=\"$TEST_USER\" old-seuser=user_u old-role=user_r old-range=s0
> > new-seuser=staff_u
> > new-role=auditadm_r,staff_r,lspp_test_r,secadm_r,sysadm_r
> > new-range=$def_range" || exit_fail "ROLE_ASSIGN event does not match"
> > # Check for USER_ROLE_CHANGE for login command
> > -augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context
> > selected-context=$def_context.*exe=.(/usr)?/bin/login.* terminal=pts/$pts
> > res=success.*" auid=$auid || exit_fail "USER_ROLE_CHANGE does not match"
> > +augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context
> > selected-context=$def_context.*exe=.(/usr)?/bin/login.* terminal=pts/$pts
> > res=success.*" || exit_fail "USER_ROLE_CHANGE does not match"
> >
> > exit_pass
> > diff --git a/audit-test/libpam/tests/test_mls_level_login.bash
> > b/audit-test/libpam/tests/test_mls_level_login.bash
> > index 436bcda..063647f 100755
> > --- a/audit-test/libpam/tests/test_mls_level_login.bash
> > +++ b/audit-test/libpam/tests/test_mls_level_login.bash
> > @@ -42,6 +42,11 @@ fi
> > # use backup (and automatic restore) to work around this
> > backup /var/run/utmp
> >
> > +# In RHEL7 the pam_loginuid fails if loginuid already set
> > +# for the purpose of this test we disable it temporarily
> > +backup /etc/pam.d/login
> > +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
> > +
> > # test
> > (
> > export localtmp
> > @@ -68,7 +73,7 @@ fi
> > msg_1="acct=\"*$TEST_USER\"* exe=.(/usr)?/bin/login.* res=success.*"
> > augrok -q type=USER_AUTH msg_1=~"PAM:authentication $msg_1" || exit_fail
> > augrok -q type=USER_ACCT msg_1=~"PAM:accounting $msg_1" || exit_fail
> > -augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
> > +augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" \
> > subj=$login_context || exit_fail
> > -augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context
> > selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=success.*"
> > auid=$auid || exit_fail
> > +augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context
> > selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=success.*" ||
> > exit_fail
> > exit_pass
> > diff --git a/audit-test/libpam/tests/test_mls_level_login_fail.bash
> > b/audit-test/libpam/tests/test_mls_level_login_fail.bash
> > index 92562f9..ba04604 100755
> > --- a/audit-test/libpam/tests/test_mls_level_login_fail.bash
> > +++ b/audit-test/libpam/tests/test_mls_level_login_fail.bash
> > @@ -42,6 +42,11 @@ fi
> > # use backup (and automatic restore) to work around this
> > backup /var/run/utmp
> >
> > +# In RHEL7 the pam_loginuid fails if loginuid already set
> > +# for the purpose of this test we disable it temporarily
> > +backup /etc/pam.d/login
> > +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
> > +
> > # test
> > (
> > export localtmp
> > @@ -52,11 +57,14 @@ backup /var/run/utmp
> > expect -nocase {level} {send "Y\r"}
> > expect -nocase {role:} {send "\r"}
> > expect -nocase {level:} {send "s15\r"}
> > - expect -nocase {"authentication failure"} {close; wait}'
> > + expect {
> > + -nocase {"authentication failure"} {close; wait}
> > + -nocase {"Cannot make/remove"} {close; wait}
> > + }'
> > )
> >
> > msg_1="acct=\"*$TEST_USER\"* exe=.(/usr)?/bin/login.* res=failed.*"
> > -augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
> > +augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" \
> > subj=$login_context || exit_fail
> > -augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context
> > selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=failed.*"
> > auid=$auid || exit_fail
> > +augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context
> > selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=failed.*" ||
> > exit_fail
> > exit_pass
> > diff --git a/audit-test/libpam/tests/test_namespace.bash
> > b/audit-test/libpam/tests/test_namespace.bash
> > index 6fb20da..6642350 100755
> > --- a/audit-test/libpam/tests/test_namespace.bash
> > +++ b/audit-test/libpam/tests/test_namespace.bash
> > @@ -59,6 +59,11 @@ backup /var/run/utmp
> > backup /etc/security/namespace.conf
> > echo "/tmp /tmp-parent/tmp-inst/ level root,adm" >
> > /etc/security/namespace.conf
> >
> > +# In RHEL7 the pam_loginuid fails if loginuid already set
> > +# for the purpose of this test we disable it temporarily
> > +backup /etc/pam.d/login
> > +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
> > +
> > tmpinstdir=/tmp-parent/tmp-inst/
> > tmpnewfile=/tmp/newfile
> >
> > @@ -87,7 +92,7 @@ auditctl -a entry,always ${MODE:+-F arch=b$MODE} -S open
> > -F uid=$auid || \
> > )
> > # Check the path and context in the audit record.
> > augrok type==SYSCALL \
> > - subj=$s0_context auid=$auid success=yes \
> > + subj=$s0_context success=yes \
> > name=$tmpnewfile obj=$s0_obj\
> > || exit_fail "missing audit record"
> >
> > @@ -110,7 +115,7 @@ log_mark=$(stat -c %s $audit_log)
> >
> > # Check the path and context in the audit record.
> > augrok --seek=$log_mark type==SYSCALL \
> > - subj=$s2_context auid=$auid success=yes \
> > + subj=$s2_context success=yes \
> > name=$tmpnewfile obj=$s2_obj\
> > || exit_fail "missing audit record"
> >
> > diff --git a/audit-test/trustedprograms/tests/test_lpq.bash
> > b/audit-test/trustedprograms/tests/test_lpq.bash
> > index 0cbd45f..ee0f60d 100755
> > --- a/audit-test/trustedprograms/tests/test_lpq.bash
> > +++ b/audit-test/trustedprograms/tests/test_lpq.bash
> > @@ -50,6 +50,11 @@ backup /var/run/utmp
> > semanage login -a -s staff_u -r SystemLow-SystemHigh $TEST_USER || \
> > exit_error "unable to set $TEST_USER to staff_u"
> >
> > +# In RHEL7 the pam_loginuid fails if loginuid already set
> > +# for the purpose of this test we disable it temporarily
> > +backup /etc/pam.d/login
> > +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
> > +
> > # test
> > prepend_cleanup rm -f $CON1OUT $CON2OUT
> > runcon $LPQ1CON lpq -P $printer > $CON1OUT
> >
>
--
Miroslav Vadkerti :: Quality Assurance Engineer / RHCE :: BaseOS QE - Security
Phone +420 532 294 129 :: CR cell +420 775 039 842 :: SR cell +421 904 135 440
IRC mvadkert at #qe #urt #brno #rpmdiff :: GnuPG ID 0x25881087 at pgp.mit.edu
Red Hat s.r.o, Purkyňova 99/71, 612 45, Brno, Czech Republic
From: Linda K. <lin...@hp...> - 2013-08-28 16:29:12
Hi Miroslav,
Miroslav Vadkerti wrote:
> Hi Linda,
>
> ----- Original Message -----
>> On 08/21/13 12:21, Jiri Jaburek wrote:
>>> From: Miroslav Vadkerti <mva...@re...>
>>>
>>> This patch incorporates changes that make possible
>>> merging of subsequent test runs.
>>>
>>> The logs are now stored also separately for each test
>>> in the logs subdirectory of the test bucket. The run and
>>> rollup logs are generated from these logs. The output
>>> of the run.bash should remain the same.
>> So this is for the case where you might need to re-run a particular
>> test case? So you don't have to run the complete bucket to get
>> a good log?
>
> Yes, that is correct. You can run only the failed tests, and if the other
> tests passed previously you will get a good total log.
>
>>> This patch also fixes the --list option that now does
>>> not delete the contents of run and rollup log.
>>>
>>> This patch adds generate (-g|--generate) option that generates
>>> the total run and rollup logs. This might be useful if these
>>> were deleted or not created after aborting testing with SIGINT.
>> Does this option catch the case where a specific test result might be
>> missing?
>> Is there any way to know that not all the test cases were run?
>
> If there are missing cases the log is still generated but will contain only
> the tests that were run. There is a way to tell which tests weren't run, and
> in the next patch series we want to add an option to run.bash that will run
> all tests that did not pass or weren't run yet. You will also be able to
> combine this option with the --list option to list only those tests.
Ok, thanks for the explanation.
This patch is fine with me.
-- ljk
>
> /M
>
>> -- ljk
>>
>>> The distclean make target removes the new logs directory.
>>>
>>> Signed-off-by: Miroslav Vadkerti <mva...@re...>
>>> ---
>>> audit-test/rules.mk | 4 +-
>>> audit-test/utils/run.bash | 132
>>> +++++++++++++++++++++++++++++++++++-----------
>>> 2 files changed, 104 insertions(+), 32 deletions(-)
>>>
>>> diff --git a/audit-test/rules.mk b/audit-test/rules.mk
>>> index 1534c66..a53d979 100644
>>> --- a/audit-test/rules.mk
>>> +++ b/audit-test/rules.mk
>>> @@ -194,14 +194,14 @@ _clean:
>>>
>>> clean: _clean
>>>
>>> -ALL_LOGS += run.log rollup.log
>>> +ALL_LOGS += run.log rollup.log logs
>>> _distclean: clean
>>> @if [[ "$(MAKECMDGOALS)" == distclean ]]; then \
>>> for x in $(SUB_DIRS); do \
>>> make -C $$x distclean; \
>>> done; \
>>> fi
>>> - $(RM) $(ALL_LOGS)
>>> + $(RM) -r $(ALL_LOGS)
>>> if [[ -L run.bash ]]; then $(RM) run.bash; fi
>>>
>>> distclean: _distclean
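Review bot: `$(RM) -r $(ALL_LOGS)` only knows the default `logs` directory, so a run started with `-o DIR`/`--logdir=DIR` leaves its per-test logs behind after `make distclean`. Either note in the usage text that an overridden logdir is not cleaned, or make the directory name a make variable that run.bash reads as its default.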
>>> diff --git a/audit-test/utils/run.bash b/audit-test/utils/run.bash
>>> index f70b79a..890f84a 100755
>>> --- a/audit-test/utils/run.bash
>>> +++ b/audit-test/utils/run.bash
>>> @@ -51,6 +51,7 @@ source functions.bash || exit 2
>>>
>>> unset logging
>>> unset opt_verbose opt_debug opt_config opt_list opt_log opt_rollup
>>> opt_timeout opt_width
>>> +echoing=true
>>> logging=false
>>> opt_avc=false
>>> opt_verbose=false
>>> @@ -59,6 +60,7 @@ opt_quiet=false
>>> opt_config=run.conf
>>> opt_list=false
>>> opt_log=run.log
>>> +opt_logdir=logs
>>> opt_rollup=rollup.log
>>> opt_timeout=30
>>> opt_width=$(stty size 2>/dev/null | cut -d' ' -f2)
>>> @@ -140,9 +142,8 @@ function dmsg {
>>> }
>>>
>>> function prf {
>>> - printf "$(colorize "$1")" "${@:2}"
>>> - $logging || return
>>> - printf "$(monoize "$1")" "${@:2}" | tee -a "$opt_rollup" >>"$opt_log"
>>> + $echoing && printf "$(colorize "$1")" "${@:2}"
>>> + $logging && printf "$(monoize "$1")" "${@:2}" | tee -a "$opt_rollup"
>>>>> "$opt_log"
>>> }
>>>
>>> #----------------------------------------------------------------------
>>> @@ -219,6 +220,11 @@ function startup {
>>> trap - 1 2;
>>> fi
>>>
>>> + # Create log directory if needed
>>> + if [[ ! -d "$opt_logdir" ]]; then
>>> + mkdir "$opt_logdir"
>>> + fi
>>> +
>>> # Initialize audit configuration and make sure auditd is running
>>> auditd_orig=$(mktemp $auditd_conf.XXXXXX) || return 2
>>> cp -a "$auditd_conf" "$auditd_orig" || return 2
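Review bot: `mkdir "$opt_logdir"` has no error handling, unlike the `|| return 2` on the mktemp and cp lines right after it; if the directory cannot be created (read-only tree, a regular file of that name) every later `>> $opt_logdir/...` in run_tests fails quietly. `mkdir -p "$opt_logdir" || return 2` also makes the preceding `[[ ! -d ]]` test unnecessary.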
>>> @@ -341,10 +347,12 @@ Usage: ${0##*/} [OPTION]...
>>> Run a set of test cases, reporting pass/fail and tallying results.
>>>
>>> -f --config=FILE Use a config file other than run.conf
>>> + -g --generate Generate run.log and rollup.log from $opt_logdir
>>> --header Don't run anything, just output the log header
>>> -l --log=FILE Output to a log other than run.log
>>> -r --rollup=FILE Output to a rollup other than rollup.log
>>> -t --timeout=SEC Seconds to wait for a test to timeout, default 30
>>> + -o --logdir=DIR Output directory of per test logs
>>> -w --width=COLS Set COLS output width instead of auto-detect
>>> -h --help Show this help
>>>
>>> @@ -364,8 +372,8 @@ function parse_cmdline {
>>> declare args conf x
>>>
>>> # Use /usr/bin/getopt which supports GNU-style long options
>>> - args=$(getopt -o adf:hl:qr:vw: \
>>> - --long
>>> config:,avc,debug,help,header,list,log:,quiet,rollup:,nocolor,verbose,width:
>>> \
>>> + args=$(getopt -o adf:ghl:qr:o:vw: \
>>> + --long
>>> config:,avc,debug,generate,help,header,list,log:,logdir:,quiet,rollup:,nocolor,verbose,width:
>>> \
>>> -n "$0" -- "$@") || die
>>> eval set -- "$args"
>>>
>>> @@ -374,6 +382,7 @@ function parse_cmdline {
>>> -a|--avc) opt_avc=true; shift ;;
>>> -d|--debug) opt_debug=true; opt_verbose=true; shift ;;
>>> -f|--config) opt_config=$2; shift 2 ;;
>>> + -g|--generate) logging=true; generate_logs; exit 0 ;;
>>> -h|--help) usage; exit 0 ;;
>>> --header) show_header; exit 0 ;;
>>> --list) opt_list=true; shift ;;
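Review bot: `-g|--generate) logging=true; generate_logs; exit 0 ;;` runs inside the option loop, so options given after it are never parsed: `run.bash -g -o otherdir` or `-g -r my.rollup` regenerates from the defaults, while `-o otherdir -g` works. Set an `opt_generate=true` flag here and call generate_logs after the loop, once opt_log, opt_rollup and opt_logdir are final. The case also has no `shift`, which is only harmless because of the exit.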
>>> @@ -381,6 +390,7 @@ function parse_cmdline {
>>> -q|--quiet) opt_quiet=true; shift ;;
>>> -r|--rollup) opt_rollup=$2; shift 2 ;;
>>> -t|--timeout) opt_timeout=$2; shift 2 ;;
>>> + -o|--logdir) opt_logdir=$2; shift 2 ;;
>>> --nocolor) colorize() { monoize "$@"; }; shift ;;
>>> -v|--verbose) opt_verbose=true; shift ;;
>>> -w|--width) opt_width=$2; shift 2 ;;
>>> @@ -389,9 +399,6 @@ function parse_cmdline {
>>> esac
>>> done
>>>
>>> - # Open the logs now that opt_log and opt_rollup are set
>>> - open_log
>>> -
>>> # Load the config
>>> dmsg "Loading config from $opt_config"
>>> conf="$(<$opt_config)
>>> @@ -413,8 +420,10 @@ function parse_cmdline {
>>> done
>>> else
>>> # add by number
>>> - dmsg " [$1] ${TESTS[$1]}"
>>> - TNUMS[$1]=$1
>>> + if [ $1 -lt ${#TESTS[@]} ]; then
>>> + dmsg " [$1] ${TESTS[$1]}"
>>> + TNUMS[$1]=$1
>>> + fi
>>> fi
>>> shift
>>> done
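Review bot: `if [ $1 -lt ${#TESTS[@]} ]` silently drops an out-of-range test number, and a non-numeric argument makes `[` print an error and the argument is dropped the same way, so a typo in the test list goes unreported. Report it instead, e.g. `die "no such test number: $1"` in the style of the existing `|| die` in parse_cmdline, and check `$1 -ge 0` as well.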
>>> @@ -435,21 +444,24 @@ function parse_cmdline {
>>> done
>>> exit 0
>>> fi
>>> +
>>> + # Open the logs before running the tests
>>> + open_log
>>> }
>>>
>>> function show_header {
>>> - prf "\n"
>>> - prf "%-32s %s\n" Started: "$(date)"
>>> - prf "%-32s %s\n" Kernel: "$(uname -r)"
>>> - prf "%-32s %s\n" Architecture: "$(uname -m)"
>>> - prf "%-32s %s\n" Mode: "${MODE:-(native)}"
>>> - prf "%-32s %s\n" Hostname: "$(uname -n)"
>>> - prf "%-32s %s\n" Profile: "$PPROFILE"
>>> - prf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
>>> + nolog prf "\n"
>>> + nolog prf "%-32s %s\n" Started: "$(date)"
>>> + nolog prf "%-32s %s\n" Kernel: "$(uname -r)"
>>> + nolog prf "%-32s %s\n" Architecture: "$(uname -m)"
>>> + nolog prf "%-32s %s\n" Mode: "${MODE:-(native)}"
>>> + nolog prf "%-32s %s\n" Hostname: "$(uname -n)"
>>> + nolog prf "%-32s %s\n" Profile: "$PPROFILE"
>>> + nolog prf "%-32s %s\n" "selinux-policy version:" "$(rpm -q
>>> selinux-policy)"
>>> if [[ $PPROFILE == lspp ]] ; then
>>> - prf "%-32s %s\n" "lspp_test policy version:" "$(semodule -l | grep
>>> lspp_test | awk '{print $2}')"
>>> + nolog prf "%-32s %s\n" "lspp_test policy version:" "$(semodule -l |
>>> grep lspp_test | awk '{print $2}')"
>>> fi
>>> - prf "\n%s\n" "$(sestatus)"
>>> + nolog prf "\n%s\n" "$(sestatus)"
>>> }
>>>
>>> function fmt_test {
>>> @@ -485,20 +497,55 @@ function show_test {
>>> fmt_test "[$TESTNUM]" "$@"
>>> }
>>>
>>> +function noecho {
>>> + declare echoing=false
>>> + "$@"
>>> +}
>>> +
>>> function nolog {
>>> declare logging=false
>>> "$@"
>>> }
>>>
>>> +function generate_logs {
>>> + declare pass fail error
>>> +
>>> + # clear run and rollup logs
>>> + echo -n > $opt_log
>>> + echo -n > $opt_rollup
>>> +
>>> + # create total run log
>>> + for log in $(ls $opt_logdir/$opt_log.* | sed 's/\(.*\)\.\(.*\)/\1
>>> \2/g' | sort -k2 -n | tr ' ' '.'); do
>>> + cat $log >> $opt_log
>>> + echo >> $opt_log
>>> + done
>>> +
>>> + # create total rollup log
>>> + for log in $(ls $opt_logdir/$opt_rollup.* | sed 's/\(.*\)\.\(.*\)/\1
>>> \2/g' | sort -k2 -n | tr ' ' '.'); do
>>> + cat $log | sed '1,/--------/d' >> $opt_rollup
>>> + done
>>> +
>>> + pass=$(grep "PASS" $opt_rollup | wc -l)
>>> + fail=$(grep "FAIL" $opt_rollup | wc -l)
>>> + error=$(grep "ERROR" $opt_rollup | wc -l)
>>> + (( total = pass + fail + error ))
>>> + llmsg
>>> + prf "%4d pass (%d%%)\n" $pass $((pass * 100 / total))
>>> + prf "%4d fail (%d%%)\n" $fail $((fail * 100 / total))
>>> + prf "%4d error (%d%%)\n" $error $((error * 100 / total))
>>> + prf "%s\n" "------------------"
>>> + prf "%4d total\n" $total
>>> +}
>>> +
>>> function run_tests {
>>> - declare TESTNUM output status hee s
>>> + declare TESTNUM output status hee s log stats header
>>> declare begin_output="<blue>--- begin output
>>> -----------------------------------------------------------"
>>> declare end_output="<blue>--- end output
>>> -------------------------------------------------------------"
>>>
>>> show_header
>>> - msg
>>> - prf "%-$((opt_width-7))s %s\n" "Testcase" "Result"
>>> - prf "%-$((opt_width-7))s %s\n" "--------" "------"
>>> + nolog msg
>>> + nolog prf "%-$((opt_width-7))s %s\n" "Testcase" "Result"
>>> + nolog prf "%-$((opt_width-7))s %s\n" "--------" "------"
>>>
>>> if $opt_debug; then
>>> hee=/dev/stderr
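Review bot: generate_logs divides by `total` without a guard, so `run.bash -g` on an empty or missing logs directory aborts with bash's division-by-zero error before printing anything (the summary block in run_tests has the same latent problem). Two smaller points in the same function: `grep "PASS" $opt_rollup | wc -l` counts any line containing the word, a test name or captured output included, so anchoring on the verdict column (e.g. `grep -c '[[:space:]]PASS$'`) is safer; and the `ls | sed | sort | tr` ordering breaks as soon as `$opt_logdir` contains a space, whereas sorting on the numeric suffix alone (`${log##*.}`) does not. `total` and `log` should also be in the `declare` list.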
>>> @@ -507,6 +554,11 @@ function run_tests {
>>> fi
>>>
>>> for TESTNUM in "${TNUMS[@]}"; do
>>> + noecho prf "$(show_header)\n" ""
>>> + llmsg
>>> + noecho prf "%-$((opt_width-7))s %s\n" "Testcase" "Result"
>>> + noecho prf "%-$((opt_width-7))s %s\n" "--------" "------"
>>> +
>>> eval "set -- ${TESTS[TESTNUM]}"
>>>
>>> if $opt_debug; then
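Review bot: `noecho prf "$(show_header)\n" ""` hands the whole header to prf as the printf format string, so any `%` in the `sestatus`, `rpm -q` or `date` output is interpreted as a conversion directive and corrupts the per-test log; pass it as an argument instead: `noecho prf "%s\n" "$(show_header)"`.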
>>> @@ -587,15 +639,35 @@ function run_tests {
>>> msg "<blue>-- audit2allow
>>> -------------------------------------------------------------"
>>> msg "$(ausearch -ts $stime -te $etime -m avc | audit2allow)"
>>> fi
>>> +
>>> + # copy header to run and rollup log
>>> + echo "$header" >> $opt_logdir/$opt_log.$TESTNUM
>>> + echo >> $opt_logdir/$opt_log.$TESTNUM
>>> + echo "$header" >> $opt_logdir/$opt_rollup.$TESTNUM
>>> + echo >> $opt_logdir/$opt_rollup.$TESTNUM
>>> +
>>> + # copy test output to own log file
>>> + cp -f $opt_log $opt_logdir/$opt_log.$TESTNUM
>>> + sed -i '/./,$!d' $opt_logdir/$opt_log.$TESTNUM
>>> + cp -f $opt_rollup $opt_logdir/$opt_rollup.$TESTNUM
>>> + sed -i '/./,$!d' $opt_logdir/$opt_rollup.$TESTNUM
>>> +
>>> + # clear log and rollup
>>> + echo -n > $opt_log
>>> + echo -n > $opt_rollup
>>> done
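Review bot: `cp -f $opt_log $opt_logdir/$opt_log.$TESTNUM` truncates the file that the two `echo ... >>` lines just wrote the header into, so the header never reaches the per-test logs (and `$header` is declared in run_tests but not assigned anywhere in this patch). Write the header after the copy, or build the file in one go with `{ echo "$header"; echo; cat $opt_log; } > $opt_logdir/$opt_log.$TESTNUM`. Also, `$opt_logdir/$opt_log.$TESTNUM` assumes opt_log is a bare file name; with `-l /var/tmp/run.log` it becomes `logs//var/tmp/run.log.N` and the write fails.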
>>>
>>> + # create current stats
>>> (( total = pass + fail + error ))
>>> - msg
>>> - prf "%4d pass (%d%%)\n" $pass $((pass * 100 / total))
>>> - prf "%4d fail (%d%%)\n" $fail $((fail * 100 / total))
>>> - prf "%4d error (%d%%)\n" $error $((error * 100 / total))
>>> - prf "%s\n" "------------------"
>>> - prf "%4d total\n" $total
>>> + nolog msg
>>> + nolog prf "%4d pass (%d%%)\n" $pass $((pass * 100 / total))
>>> + nolog prf "%4d fail (%d%%)\n" $fail $((fail * 100 / total))
>>> + nolog prf "%4d error (%d%%)\n" $error $((error * 100 / total))
>>> + nolog prf "%s\n" "------------------"
>>> + nolog prf "%4d total\n" $total
>>> +
>>> + # create silently run and rollup logs
>>> + noecho generate_logs
>>>
>>> return 0
>>> }
>>>
>>
>
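A stand-alone version of the log merging and tallying that generate_logs in the patch above performs, added here as an example and not the project's run.bash. It orders fragments by their numeric suffix instead of splitting the whole path on dots, counts only lines whose last field is a verdict, and guards the percentage math when no fragments exist. The function names, the fragment layout and the sample content are my own assumptions; the summary layout copies the one in the patch.

```shell
#!/bin/bash
# Added example, not the audit-test project's run.bash: merge per-test log
# fragments named PREFIX.N in numeric order of N and tally the verdicts, with
# the percentage math guarded for an empty run. Directory, prefix and output
# path are parameters; the sample fragments are constructed in demo().

# List fragment paths for PREFIX in ascending numeric order of the suffix.
# Sorting on the suffix alone keeps a directory name with dots or spaces
# intact, which splitting the whole path on "." does not.
ordered_fragments() {
    local dir=$1 prefix=$2 f
    for f in "$dir/$prefix".*; do
        [ -e "$f" ] || continue
        printf '%s %s\n' "${f##*.}" "$f"
    done | sort -k1,1n | cut -d' ' -f2-
}

# Concatenate the ordered fragments into OUT (truncated first), blank line between.
merge_logs() {
    local dir=$1 prefix=$2 out=$3
    : > "$out"
    ordered_fragments "$dir" "$prefix" | while IFS= read -r f; do
        cat "$f" >> "$out"
        echo >> "$out"
    done
}

# Count verdict lines only: a line whose last field is PASS, FAIL or ERROR.
# A test name or captured output that merely contains the word is not counted.
# Prints "pass fail error total".
tally() {
    local rollup=$1 pass fail error
    pass=$(grep -Ec '[[:space:]]PASS$' "$rollup" || true)
    fail=$(grep -Ec '[[:space:]]FAIL$' "$rollup" || true)
    error=$(grep -Ec '[[:space:]]ERROR$' "$rollup" || true)
    echo "$pass $fail $error $((pass + fail + error))"
}

# Integer percentage of N in TOTAL; 0 when TOTAL is 0 instead of a shell
# division-by-zero error.
pct() {
    if [ "$2" -eq 0 ]; then echo 0; else echo $(( $1 * 100 / $2 )); fi
}

# Print the summary block in the layout run.bash uses.
summary() {
    local rollup=$1
    set -- $(tally "$rollup")
    printf '%4d pass (%d%%)\n'  "$1" "$(pct "$1" "$4")"
    printf '%4d fail (%d%%)\n'  "$2" "$(pct "$2" "$4")"
    printf '%4d error (%d%%)\n' "$3" "$(pct "$3" "$4")"
    printf '%s\n' '------------------'
    printf '%4d total\n' "$4"
}

# Constructed fragments: numbering 1, 2 and 10 shows why the suffix must be
# sorted numerically (lexically, 10 would come before 2).
demo() {
    local d
    d=$(mktemp -d)
    mkdir "$d/logs"
    printf 'test_login.bash                         PASS\n' > "$d/logs/rollup.log.1"
    printf 'test_mls_default_login.bash             FAIL\n' > "$d/logs/rollup.log.2"
    printf 'output mentions PASS but is not a verdict\ntest_namespace.bash PASS\n' > "$d/logs/rollup.log.10"
    merge_logs "$d/logs" rollup.log "$d/rollup.log"
    cat "$d/rollup.log"
    summary "$d/rollup.log"
    : > "$d/empty.log"
    summary "$d/empty.log"     # no verdicts: 0 total and no division error
    rm -rf "$d"
}
demo
```

The same ordering trick applies to the `ls | sed | sort | tr` pipeline in the patch: once the sort key is just the suffix, the log directory can be anything the user passes with `-o`, and an empty directory yields an empty summary rather than an arithmetic error.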