From: Tony E. <te...@sg...> - 2011-05-23 21:18:26
This patch adds libpam testcases for pamfaillock and sudo. It also fixes minor login and su failures caused by screen. Note: The new testcases in libpam/tests/ should have their permissions set to 0755 before being checked into the git tree. Those files are: test_pamfaillock_lock.bash test_pamfaillock_unlock.bash test_sudo.bash Signed-off-by: Tony Ernst <te...@sg...> --- run.conf | 5 tests/test_login.bash | 4 tests/test_pamfaillock_lock.bash | 50 +++++ tests/test_pamfaillock_unlock.bash | 62 +++++++ tests/test_su.bash | 4 tests/test_sudo.bash | 322 +++++++++++++++++++++++++++++++++++++ 6 files changed, 445 insertions(+), 2 deletions(-) diff -uprN a/audit/libpam/run.conf b/libpam/run.conf --- a/audit/libpam/run.conf 2011-04-01 10:55:09.074884698 -0500 +++ b/libpam/run.conf 2011-05-12 14:42:31.151484551 -0500 @@ -43,9 +43,10 @@ function run_test { + sshd_fail + su + su_fail ++ sudo if [[ $DISTRO != "SUSE" ]] ; then - + pamtally2_lock - + pamtally2_unlock + + pamfaillock_lock + + pamfaillock_unlock fi if [[ $DISTRO != "RHEL" ]] ; then + vsftpd diff -uprN a/audit/libpam/tests/test_login.bash b/libpam/tests/test_login.bash --- a/audit/libpam/tests/test_login.bash 2011-04-01 10:55:09.091487863 -0500 +++ b/libpam/tests/test_login.bash 2011-05-12 11:22:19.476028068 -0500 @@ -24,6 +24,10 @@ source pam_functions.bash || exit 2 # allow TEST_USER to write to tmpfile chmod 666 $localtmp +# turn off screen in /etc/profile +backup /etc/profile +sed -i 's/\[ -w .*\]/false/' /etc/profile + # if in LSPP mode, map the TEST_USER to staff_u if [[ $PPROFILE == "lspp" ]]; then semanage login -d $TEST_USER diff -uprN a/audit/libpam/tests/test_pamfaillock_lock.bash b/libpam/tests/test_pamfaillock_lock.bash --- a/audit/libpam/tests/test_pamfaillock_lock.bash 1969-12-31 18:00:00.000000000 -0600 +++ b/libpam/tests/test_pamfaillock_lock.bash 2011-05-12 11:22:19.537557381 -0500 
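Review bot: The run.conf hunk replaces the pam_tally2 pair with pam_faillock for every non-SUSE distro, but the two new scripts exit with exit_error when neither /etc/pam.d/sshd nor /etc/pam.d/password-auth mentions pam_faillock, so a non-SUSE host still configured with pam_tally2 loses its lockout coverage and reports an error instead of a result. Consider keying the choice on what the PAM stack actually uses rather than on `$DISTRO`, e.g. `if grep -qs pam_faillock /etc/pam.d/password-auth /etc/pam.d/sshd ; then` for the faillock pair, with an `else` branch that keeps `+ pamtally2_lock` and `+ pamtally2_unlock`. The enclosing `run_test` function starts and ends outside the hunk.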
@@ -0,0 +1,50 @@
+#!/bin/bash
+###############################################################################
+# (c) Copyright Hewlett-Packard Development Company, L.P., 2006
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of version 2 the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+###############################################################################
+#
+# PURPOSE:
+# Verify pam_faillock will lock an account
+
+source pam_functions.bash || exit 2
+
+# setup
+tuid=$(id -u $TEST_USER)
+grep -q pam_faillock /etc/pam.d/sshd || grep -q pam_faillock /etc/pam.d/password-auth || exit_error
+
+# Unlike pam_tally2, faillock doesn't have a --reset=n option that lets us
+# pre-set the number of failures. So we need to fail the login multiple times
+# until we reach the deny limit. When this test was written, a RHEL6.1
+# evaluation system required three failures to trigger a lockout. YMMV.
+
+expect -c '
+ spawn ssh $env(TEST_USER)@localhost
+ expect -nocase {Are you sure you want to continue} {send "yes\r"}
+ expect -nocase {password: $} {send "badpassword\r"}
+ expect -nocase {permission denied}
+ expect -nocase {password: $} {send "badpassword\r"}
+ expect -nocase {permission denied}
+ expect -nocase {password: $} {send "badpassword\r"}
+ expect -nocase {permission denied} {close; wait}'
+
+# test
+msg_1="pam_faillock uid=$tuid : exe=./usr/sbin/sshd.*res=success.*"
+augrok -q type=ANOM_LOGIN_FAILURES msg_1=~"$msg_1" || exit_fail
+augrok -q type=RESP_ACCT_LOCK msg_1=~"$msg_1" || exit_fail
+
+# clean up
+/sbin/faillock --user $TEST_USER --reset > /dev/null || exit_error
+
+exit_pass
diff -uprN a/audit/libpam/tests/test_pamfaillock_unlock.bash b/libpam/tests/test_pamfaillock_unlock.bash
--- a/audit/libpam/tests/test_pamfaillock_unlock.bash 1969-12-31 18:00:00.000000000 -0600
+++ b/libpam/tests/test_pamfaillock_unlock.bash 2011-05-12 11:22:19.600063349 -0500
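Review bot: The `faillock --reset` under `# clean up` only runs on the passing path; if either augrok check hits exit_fail, or expect times out and a later step errors, $TEST_USER is left locked and every subsequent test that logs that user in over ssh fails for the wrong reason. Register the reset as cleanup before the lockout is triggered, the way test_sudo.bash in this same patch uses the helper from pam_functions.bash: `prepend_cleanup "/sbin/faillock --user $TEST_USER --reset"`. The comment above the expect block already concedes that the three-failure count is a RHEL 6.1 snapshot; the deny value sits on the pam_faillock line the grep guard just located, so reading it with something like `deny=$(grep -ho 'deny=[0-9]*' /etc/pam.d/password-auth /etc/pam.d/sshd | head -1 | cut -d= -f2)` and looping that many password/denied exchanges inside the expect script would make the test follow the evaluated configuration rather than a hard-coded three.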
@@ -0,0 +1,62 @@
+#!/bin/bash
+###############################################################################
+# (c) Copyright Hewlett-Packard Development Company, L.P., 2006
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of version 2 the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+###############################################################################
+#
+# PURPOSE:
+# Verify pam_faillock will unlock an account
+
+source pam_functions.bash || exit 2
+
+# setup
+tuid=$(id -u $TEST_USER)
+grep -q pam_faillock /etc/pam.d/sshd || grep -q pam_faillock /etc/pam.d/password-auth || exit_error
+
+# Unlike pam_tally2, faillock doesn't have a --reset=n option that lets us
+# pre-set the number of failures. So we need to fail the login multiple times
+# until we reach the deny limit. When this test was written, a RHEL6.1
+# evaluation system required three failures to trigger a lockout. YMMV.
+
+expect -c '
+ spawn ssh $env(TEST_USER)@localhost
+ expect -nocase {Are you sure you want to continue} {send "yes\r"}
+ expect -nocase {password: $} {send "badpassword\r"}
+ expect -nocase {permission denied}
+ expect -nocase {password: $} {send "badpassword\r"}
+ expect -nocase {permission denied}
+ expect -nocase {password: $} {send "badpassword\r"}
+ expect -nocase {permission denied} {close; wait}'
+
+# test
+/sbin/faillock --user $TEST_USER --reset > /dev/null || exit_error
+
+msg_1="faillock reset uid=$tuid: exe=./sbin/faillock.*res=success.*"
+augrok -q type=USER_ACCT msg_1=~"$msg_1" || exit_fail
+
+# verify the account is unlocked
+expect -c '
+ spawn ssh $env(TEST_USER)@localhost
+ expect -nocase {Are you sure you want to continue} {send "yes\r"}
+ expect -nocase {password: $} {
+ send "$env(TEST_USER_PASSWD)\r"
+ send "PS1=:\\::\r"
+ }
+ expect {:::$} {close; wait}'
+
+msg_2="acct=\"$TEST_USER\" exe=./usr/sbin/sshd.*terminal=ssh res=success.*"
+augrok -q type=CRED_ACQ msg_1=~"PAM:setcred $msg_2" || exit_fail
+augrok -q type=USER_ACCT msg_1=~"PAM:accounting $msg_2" || exit_fail
+
+exit_pass
diff -uprN a/audit/libpam/tests/test_su.bash b/libpam/tests/test_su.bash
--- a/audit/libpam/tests/test_su.bash 2011-04-01 10:55:09.136414077 -0500
+++ b/libpam/tests/test_su.bash 2011-05-12 11:22:19.470168134 -0500
@@ -25,6 +25,10 @@ if [[ $EUID == 0 ]]; then
 # allow TEST_USER to write to tmpfile created by root
 chmod 666 $tmp1
 
+ # turn off screen in /etc/profile
+ backup /etc/profile
+ sed -i 's/\[ -w .*\]/false/' /etc/profile
+
 # test
 # rerun this script as TEST_USER. Confine the exports to a subshell
 (
diff -uprN a/audit/libpam/tests/test_sudo.bash b/libpam/tests/test_sudo.bash
--- a/audit/libpam/tests/test_sudo.bash 1969-12-31 18:00:00.000000000 -0600
+++ b/libpam/tests/test_sudo.bash 2011-05-12 11:22:19.512164331 -0500
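Review bot: Nothing in this script confirms the account was actually locked before `faillock --reset` runs under `# test`, so on a host whose deny limit is higher than three the reset succeeds on an unlocked tally, the final login succeeds, and the test passes without ever exercising an unlock. Before the reset, assert the lock the same way test_pamfaillock_lock.bash does, e.g. `augrok -q type=RESP_ACCT_LOCK msg_1=~"pam_faillock uid=$tuid : exe=./usr/sbin/sshd.*res=success.*" || exit_error`. Once that guard exists an early exit can leave $TEST_USER locked, so the reset should also be registered with `prepend_cleanup "/sbin/faillock --user $TEST_USER --reset"` right after the source line rather than relying on the inline call.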
@@ -0,0 +1,322 @@ +#!/bin/bash + +# Test case written by Stephan Mueller <smu...@at...> +# Copyright (c) 2010 atsec information security +# +# Purpose: Testing of sudo execution, authentication +# and sudoers enforcement +# +# Expected result: See the test definitions below for a description of +# the expected test results. +# +# Test execution: execute $0 as root +# +# The following matrices define the test units specified with this test. +# To read a matrix, use the following column definitions: +# 1st column: this lists the request +# 2nd column: this lists the configuration in sudoers +# between 1st and 2nd column, the equality between the +# value in the requested command and the value found in +# sudoers is specified +# 3rd column: marks the epxected result - either operation allowed or not +# 4th column: references the test case (you find it by searching the +# test definitions and looking for the suffix referenced +# by this column +# +# Note: any other component of sudoers or the request which are not +# tested are set such that the request is allowed +# +# Testing User_Alias +#User User Operation Test +#requesting configured allowed? case +#operation in sudoers +#---------------------------------------------------- +#User eq User y u1 +#User !eq User n u2 +#User in Group y u3 +#User !in Group n u4 + +# Testing Runas_Alias +#Target user Target user Operation Test +#requested in sudoers allowed? case +#----------------------------------------------------- +#User eq User y u1 +#User !eq User n t2 +#User in Group y t3 +#User !in Group n t4 + +# Testing Cmd_Alias +#CMD CMD Operation Test +#requested in sudoers allowed? case +#--------------------------------------------------- +#cmd eq cmd y u1 +#cmd !eq cmd n c2 +#cmd in dir y c3 +#cmd !in dir n c4 +# +# Testing password enforcement +#Password Password Operation Test +#in request setting in allowed? 
case +# sudoers +#---------------------------------------------------- +#right pass default y u1 +#wrong pass default n p2 +#right pass NOPASSWD: y p3 +#wrong pass NOPASSWD: y p4 +# +TESTS="u1 u2 u3 u4 t2 t3 t4 c2 c3 c4 p2 p3 p4" + +# DO NOT CHANGE +USERG="sudouser1" +USERG_ID=12345 +USERO="sudouser2" +USERO_ID=12346 +USERT="sudotarget" +USERT_ID=12347 +GROUP="sudogroup" +PASS="Tad6osBijy" +PASSENC='$6$Rpvtlluu$K63QZN9do4I03/uaKYVFxe3d7CZHOCUsAQNs7F5CQ.b.HJgcGaLOx6qRepDNko4xFxO0VFk4OEQzXHGBAtfHe0' +# DO NOT CHANGE + +# User definitions: +# USERG: member of group GROUP (should be used as requesting user) +# USERT: member of group GROUP (should be used as target user) +# USERO: not a member of GROUP (may be used as requesting and target user) +USER_SUDO_u1=$USERG +USER_EXEC_u1=$USERG +RUN_SUDO_u1=$USERT +RUN_EXEC_u1=$USERT +CMD_SUDO_u1="/usr/bin/id" +CMD_EXEC_u1="/usr/bin/id -u" +CMD_RES_u1=$USERT_ID +CMD_RET_u1=0 + +USER_SUDO_u2=$USERG +USER_EXEC_u2=$USERO +RUN_SUDO_u2=$USERT +RUN_EXEC_u2=$USERT +CMD_SUDO_u2="/usr/bin/id" +CMD_EXEC_u2="/usr/bin/id -u" +CMD_RES_u2="" +CMD_RET_u2=1 + +USER_SUDO_u3="%$GROUP" +USER_EXEC_u3=$USERG +RUN_SUDO_u3=$USERT +RUN_EXEC_u3=$USERT +CMD_SUDO_u3="/usr/bin/id" +CMD_EXEC_u3="/usr/bin/id -u" +CMD_RES_u3=$USERT_ID +CMD_RET_u3=0 + +USER_SUDO_u4="%$GROUP" +USER_EXEC_u4=$USERO +RUN_SUDO_u4=$USERT +RUN_EXEC_u4=$USERT +CMD_SUDO_u4="/usr/bin/id" +CMD_EXEC_u4="/usr/bin/id -u" +CMD_RES_u4="" +CMD_RET_u4=1 + +USER_SUDO_t2=$USERO +USER_EXEC_t2=$USERO +RUN_SUDO_t2=$USERT +RUN_EXEC_t2=$USERO +CMD_SUDO_t2="/usr/bin/id" +CMD_EXEC_t2="/usr/bin/id -u" +CMD_RES_t2="" +CMD_RET_t2=1 + +USER_SUDO_t3=$USERO +USER_EXEC_t3=$USERO +RUN_SUDO_t3="%$GROUP" +RUN_EXEC_t3=$USERT +CMD_SUDO_t3="/usr/bin/id" +CMD_EXEC_t3="/usr/bin/id -u" +CMD_RES_t3=$USERT_ID +CMD_RET_t3=0 + +USER_SUDO_t4=$USERO +USER_EXEC_t4=$USERO +RUN_SUDO_t4="%$GROUP" +RUN_EXEC_t4=$USERO +CMD_SUDO_t4="/usr/bin/id" +CMD_EXEC_t4="/usr/bin/id -u" +CMD_RES_t4="" +CMD_RET_t4=1 + +USER_SUDO_c2=$USERG 
+USER_EXEC_c2=$USERG +RUN_SUDO_c2=$USERT +RUN_EXEC_c2=$USERT +CMD_SUDO_c2="/usr/bin/id" +CMD_EXEC_c2="/bin/ls" +CMD_RES_c2="" +CMD_RET_c2=1 + +USER_SUDO_c3=$USERG +USER_EXEC_c3=$USERG +RUN_SUDO_c3=$USERT +RUN_EXEC_c3=$USERT +CMD_SUDO_c3="/usr/bin/" +CMD_EXEC_c3="/usr/bin/id -u" +CMD_RES_c3=$USERT_ID +CMD_RET_c3=0 + +USER_SUDO_c4=$USERG +USER_EXEC_c4=$USERG +RUN_SUDO_c4=$USERT +RUN_EXEC_c4=$USERT +CMD_SUDO_c4="/bin/" +CMD_EXEC_c4="/usr/bin/id -u" +CMD_RES_c4="" +CMD_RET_c4=1 + +USER_SUDO_p2=$USERG +USER_PASS_p2="wrongpass" +USER_EXEC_p2=$USERG +RUN_SUDO_p2=$USERT +RUN_EXEC_p2=$USERT +CMD_SUDO_p2="/usr/bin/id" +CMD_EXEC_p2="/usr/bin/id -u" +CMD_RES_p2="" +CMD_RET_p2=1 + +USER_SUDO_p3=$USERG +USER_EXEC_p3=$USERG +RUN_SUDO_p3=$USERT +RUN_EXEC_p3=$USERT +CMD_SUDO_p3="NOPASSWD: /usr/bin/id" +CMD_EXEC_p3="/usr/bin/id -u" +CMD_RES_p3=$USERT_ID +CMD_RET_p3=0 + +USER_SUDO_p4=$USERG +USER_PASS_p4="wrongpass" +USER_EXEC_p4=$USERG +RUN_SUDO_p4=$USERT +RUN_EXEC_p4=$USERT +CMD_SUDO_p4="NOPASSWD: /usr/bin/id" +CMD_EXEC_p4="/usr/bin/id -u" +CMD_RES_p4=$USERT_ID +CMD_RET_p4=0 + +########### no further test specification beyond this line ############ + +source pam_functions.bash || exit 2 + +setup_cleanup() { + prepend_cleanup "rm -rf /home/$USERG /home/$USERO /home/$USERT /var/mail/$USERG /var/mail/$USERO /var/mail/$USERT" + prepend_cleanup "rm -f /etc/sudoers.new" + prepend_cleanup "groupdel $GROUP" + prepend_cleanup "userdel $USERT" + prepend_cleanup "userdel $USERO" + prepend_cleanup "userdel $USERG" +} + +gen_user() { + userdel $USERG 2> /dev/null + userdel $USERO 2> /dev/null + userdel $USERT 2> /dev/null + groupdel $GROUP 2> /dev/null + groupadd $GROUP + useradd -u $USERG_ID -g $GROUP -p $PASSENC $USERG + useradd -u $USERO_ID -p $PASSENC $USERO + useradd -u $USERT_ID -g $GROUP -p $PASSENC $USERT +} + +setup_sudoers() { + local User_Alias=$1 + local Runas_Alias=$2 + shift; shift + local Cmd_Alias=$@ + + local perm= + perm=$(stat -c %a /etc/sudoers) + + perl -ne 'print unless 
/#SUDO_TESTING_START/../#SUDO_TESTING_END/' \ + < /etc/sudoers | sed -e 's/^Defaults requiretty/# Defaults requiretty/' > /etc/sudoers.new + # Only modify sudoers file when we are given some variables + # if not, we basically clean up sudoers + [ -n "$User_Alias" ] && { + echo "#SUDO_TESTING_START" >> /etc/sudoers.new + echo "User_Alias USER = $User_Alias" >> /etc/sudoers.new + echo "Runas_Alias RUNAS = $Runas_Alias" >> /etc/sudoers.new + echo "Defaults:USER timestamp_timeout=0" >> /etc/sudoers.new + echo "USER ALL = (RUNAS) $Cmd_Alias" >> /etc/sudoers.new + echo "#SUDO_TESTING_END" >> /etc/sudoers.new + } + mv -f /etc/sudoers.new /etc/sudoers + chmod $perm /etc/sudoers +} + +testloop() { + + local res="" + local ret="" + local testfail=0 + local testpass=0 + local testno=0 + + for i in $TESTS; do + local USER_SUDO="" + eval USER_SUDO=\$USER_SUDO_$i + local USER_EXEC="" + eval USER_EXEC=\$USER_EXEC_$i + local RUN_SUDO="" + eval RUN_SUDO=\$RUN_SUDO_$i + local RUN_EXEC="" + eval RUN_EXEC=\$RUN_EXEC_$i + local CMD_SUDO="" + eval CMD_SUDO=\$CMD_SUDO_$i + local CMD_EXEC="" + eval CMD_EXEC=\$CMD_EXEC_$i + local CMD_RES="" + eval CMD_RES=\$CMD_RES_$i + local CMD_RET="" + eval CMD_RET=\$CMD_RET_$i + local USER_PASS="" + eval USER_PASS=\$USER_PASS_$i + + [ -z "$USER_PASS" ] && USER_PASS=$PASS + + setup_sudoers $USER_SUDO $RUN_SUDO $CMD_SUDO + res=$(su -c "echo $USER_PASS | sudo -S -u $RUN_EXEC $CMD_EXEC 2>/dev/null" $USER_EXEC) + ret=$? 
+ let testno=$testno+1 + + if [ "$res" = "$CMD_RES" -a "$ret" -eq "$CMD_RET" ]; then + echo "Test $i PASSED" + let testpass=$testpass+1 + else + echo "Test $i: actual result output $res - expected $CMD_RES" + echo "Test $i: actual return value $ret - expected $CMD_RET" + echo "Test $i FAILED" + let testfail=$testfail+1 + fi + done + + echo "Number of tests executed: $testno" + echo "Number of tests failed: $testfail" + echo "Number of tests passed: $testpass" + + return $testfail + +} + +main() { + setup_cleanup + + gen_user + backup /etc/sudoers + + testloop + if [ $? -gt 0 ]; then + exit_fail + else + exit_pass + fi +} + +main + |
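Review bot: `setup_sudoers` installs the rewritten file with `mv -f /etc/sudoers.new /etc/sudoers` without a syntax check; the appended lines are assembled from unquoted positional parameters (`local Cmd_Alias=$@`), and one malformed entry makes sudo refuse every invocation on the host until the backup is restored, turning a test-case typo into a host-wide sudo outage. Validate before swapping: `visudo -c -f /etc/sudoers.new > /dev/null || exit_error`. `gen_user` likewise ignores the exit status of `groupadd`/`useradd` with the hard-coded UIDs 12345-12347; if any of those UIDs or names already exists, the later `su -c ... $USER_EXEC` runs as whatever account is there and the allow/deny results are meaningless, so each of those four calls wants `|| exit_error`. The `sed -e 's/^Defaults requiretty/...'` edit is silently lost if `requiretty` is set with different spacing or in /etc/sudoers.d; a comment saying the test depends on `backup /etc/sudoers` to restore that default would help the next maintainer.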
From: Linda K. <lin...@hp...> - 2011-05-23 23:27:43
Hi Tony, Thanks for the patches. I have a question for you and a question for Stephan. Maybe more than one of eacy. Tony Ernst wrote: > This patch adds libpam testcases for pamfaillock and sudo. It also fixes > minor login and su failures caused by screen. What login and su failures are you seeing? I'm seeing a login failure but not an su fail but I'm not running screen so I'm curious. > Note: The new testcases in libpam/tests/ should have their permissions set > to 0755 before being checked into the git tree. Those files are: > test_pamfaillock_lock.bash > test_pamfaillock_unlock.bash > test_sudo.bash > > Signed-off-by: Tony Ernst <te...@sg...> > --- > run.conf | 5 > tests/test_login.bash | 4 > tests/test_pamfaillock_lock.bash | 50 +++++ > tests/test_pamfaillock_unlock.bash | 62 +++++++ > tests/test_su.bash | 4 > tests/test_sudo.bash | 322 +++++++++++++++++++++++++++++++++++++ > 6 files changed, 445 insertions(+), 2 deletions(-) > > diff -uprN a/audit/libpam/run.conf b/libpam/run.conf > --- a/audit/libpam/run.conf 2011-04-01 10:55:09.074884698 -0500 > +++ b/libpam/run.conf 2011-05-12 14:42:31.151484551 -0500 > @@ -43,9 +43,10 @@ function run_test { > + sshd_fail > + su > + su_fail > ++ sudo > if [[ $DISTRO != "SUSE" ]] ; then > - + pamtally2_lock > - + pamtally2_unlock > + + pamfaillock_lock > + + pamfaillock_unlock > fi > if [[ $DISTRO != "RHEL" ]] ; then > + vsftpd > diff -uprN a/audit/libpam/tests/test_login.bash b/libpam/tests/test_login.bash > --- a/audit/libpam/tests/test_login.bash 2011-04-01 10:55:09.091487863 -0500 > +++ b/libpam/tests/test_login.bash 2011-05-12 11:22:19.476028068 -0500 
> @@ -24,6 +24,10 @@ source pam_functions.bash || exit 2 > # allow TEST_USER to write to tmpfile > chmod 666 $localtmp > > +# turn off screen in /etc/profile > +backup /etc/profile > +sed -i 's/\[ -w .*\]/false/' /etc/profile This seems a bit fragile. What if the /etc/profile happens to have another line that checks for a writable file? This substitution could break something else. Can your check be more explicit to look for more of the line? Or maybe it would be better to have a more convenient way to turn screen off? Like clear out SCREENEXEC and where the script checks for the writable tty, also check to see if SCREENEXEC is set. Then all you'd have to do is clear the value for SCREENEXEC. > + > # if in LSPP mode, map the TEST_USER to staff_u > if [[ $PPROFILE == "lspp" ]]; then > semanage login -d $TEST_USER > diff -uprN a/audit/libpam/tests/test_pamfaillock_lock.bash b/libpam/tests/test_pamfaillock_lock.bash > --- a/audit/libpam/tests/test_pamfaillock_lock.bash 1969-12-31 18:00:00.000000000 -0600 > +++ b/libpam/tests/test_pamfaillock_lock.bash 2011-05-12 11:22:19.537557381 -0500 
> @@ -0,0 +1,50 @@ > +#!/bin/bash > +############################################################################### > +# (c) Copyright Hewlett-Packard Development Company, L.P., 2006 > +# > +# This program is free software: you can redistribute it and/or modify > +# it under the terms of version 2 the GNU General Public License as > +# published by the Free Software Foundation. > +# > +# This program is distributed in the hope that it will be useful, > +# but WITHOUT ANY WARRANTY; without even the implied warranty of > +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > +# GNU General Public License for more details. > +# > +# You should have received a copy of the GNU General Public License > +# along with this program. If not, see <http://www.gnu.org/licenses/>. > +############################################################################### > +# > +# PURPOSE: > +# Verify pam_faillock will lock an account > + > +source pam_functions.bash || exit 2 > + > +# setup > +tuid=$(id -u $TEST_USER) > +grep -q pam_faillock /etc/pam.d/sshd || grep -q pam_faillock /etc/pam.d/password-auth || exit_error > + > +# Unlike pam_tally2, faillock doesn't have a --reset=n option that lets us > +# pre-set the number of failures. So we need to fail the login multiple times > +# until we reach the deny limit. When this test was written, a RHEL6.1 > +# evaluation system required three failures to trigger a lockout. YMMV. 
> + > +expect -c ' > + spawn ssh $env(TEST_USER)@localhost > + expect -nocase {Are you sure you want to continue} {send "yes\r"} > + expect -nocase {password: $} {send "badpassword\r"} > + expect -nocase {permission denied} > + expect -nocase {password: $} {send "badpassword\r"} > + expect -nocase {permission denied} > + expect -nocase {password: $} {send "badpassword\r"} > + expect -nocase {permission denied} {close; wait}' > + > +# test > +msg_1="pam_faillock uid=$tuid : exe=./usr/sbin/sshd.*res=success.*" > +augrok -q type=ANOM_LOGIN_FAILURES msg_1=~"$msg_1" || exit_fail > +augrok -q type=RESP_ACCT_LOCK msg_1=~"$msg_1" || exit_fail > + > +# clean up > +/sbin/faillock --user $TEST_USER --reset > /dev/null || exit_error > + > +exit_pass > diff -uprN a/audit/libpam/tests/test_pamfaillock_unlock.bash b/libpam/tests/test_pamfaillock_unlock.bash > --- a/audit/libpam/tests/test_pamfaillock_unlock.bash 1969-12-31 18:00:00.000000000 -0600 > +++ b/libpam/tests/test_pamfaillock_unlock.bash 2011-05-12 11:22:19.600063349 -0500 
> @@ -0,0 +1,62 @@ > +#!/bin/bash > +############################################################################### > +# (c) Copyright Hewlett-Packard Development Company, L.P., 2006 > +# > +# This program is free software: you can redistribute it and/or modify > +# it under the terms of version 2 the GNU General Public License as > +# published by the Free Software Foundation. > +# > +# This program is distributed in the hope that it will be useful, > +# but WITHOUT ANY WARRANTY; without even the implied warranty of > +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > +# GNU General Public License for more details. > +# > +# You should have received a copy of the GNU General Public License > +# along with this program. If not, see <http://www.gnu.org/licenses/>. > +############################################################################### > +# > +# PURPOSE: > +# Verify pam_faillock will unlock an account > + > +source pam_functions.bash || exit 2 > + > +# setup > +tuid=$(id -u $TEST_USER) > +grep -q pam_faillock /etc/pam.d/sshd || grep -q pam_faillock /etc/pam.d/password-auth || exit_error > + > +# Unlike pam_tally2, faillock doesn't have a --reset=n option that lets us > +# pre-set the number of failures. So we need to fail the login multiple times > +# until we reach the deny limit. When this test was written, a RHEL6.1 > +# evaluation system required three failures to trigger a lockout. YMMV. 
> + > +expect -c ' > + spawn ssh $env(TEST_USER)@localhost > + expect -nocase {Are you sure you want to continue} {send "yes\r"} > + expect -nocase {password: $} {send "badpassword\r"} > + expect -nocase {permission denied} > + expect -nocase {password: $} {send "badpassword\r"} > + expect -nocase {permission denied} > + expect -nocase {password: $} {send "badpassword\r"} > + expect -nocase {permission denied} {close; wait}' > + > +# test > +/sbin/faillock --user $TEST_USER --reset > /dev/null || exit_error > + > +msg_1="faillock reset uid=$tuid: exe=./sbin/faillock.*res=success.*" > +augrok -q type=USER_ACCT msg_1=~"$msg_1" || exit_fail > + > +# verify the account is unlocked > +expect -c ' > + spawn ssh $env(TEST_USER)@localhost > + expect -nocase {Are you sure you want to continue} {send "yes\r"} > + expect -nocase {password: $} { > + send "$env(TEST_USER_PASSWD)\r" > + send "PS1=:\\::\r" > + } > + expect {:::$} {close; wait}' > + > +msg_2="acct=\"$TEST_USER\" exe=./usr/sbin/sshd.*terminal=ssh res=success.*" > +augrok -q type=CRED_ACQ msg_1=~"PAM:setcred $msg_2" || exit_fail > +augrok -q type=USER_ACCT msg_1=~"PAM:accounting $msg_2" || exit_fail > + > +exit_pass > diff -uprN a/audit/libpam/tests/test_su.bash b/libpam/tests/test_su.bash > --- a/audit/libpam/tests/test_su.bash 2011-04-01 10:55:09.136414077 -0500 > +++ b/libpam/tests/test_su.bash 2011-05-12 11:22:19.470168134 -0500 > @@ -25,6 +25,10 @@ if [[ $EUID == 0 ]]; then > # allow TEST_USER to write to tmpfile created by root > chmod 666 $tmp1 > > + # turn off screen in /etc/profile > + backup /etc/profile > + sed -i 's/\[ -w .*\]/false/' /etc/profile > + > # test > # rerun this script as TEST_USER. Confine the exports to a subshell > ( > diff -uprN a/audit/libpam/tests/test_sudo.bash b/libpam/tests/test_sudo.bash > --- a/audit/libpam/tests/test_sudo.bash 1969-12-31 18:00:00.000000000 -0600 
> +++ b/libpam/tests/test_sudo.bash 2011-05-12 11:22:19.512164331 -0500 This is a question for Stephan: do we not need to check anything audit-related in the set of sudo test cases? This looks like a good functional test, so it is something we need; I'm just wondering whether any of the audit records are important, since sudo does cause some to be generated. Not sure if they're interesting or not. Also, are these tests actually testing anything in libpam? If not, I might move them to trustedprograms or our yet-to-be-created misc test directory.
> @@ -0,0 +1,322 @@ > +#!/bin/bash > + > +# Test case written by Stephan Mueller <smu...@at...> > +# Copyright (c) 2010 atsec information security > +# > +# Purpose: Testing of sudo execution, authentication > +# and sudoers enforcement > +# > +# Expected result: See the test definitions below for a description of > +# the expected test results. > +# > +# Test execution: execute $0 as root > +# > +# The following matrices define the test units specified with this test. > +# To read a matrix, use the following column definitions: > +# 1st column: this lists the request > +# 2nd column: this lists the configuration in sudoers > +# between 1st and 2nd column, the equality between the > +# value in the requested command and the value found in > +# sudoers is specified > +# 3rd column: marks the epxected result - either operation allowed or not > +# 4th column: references the test case (you find it by searching the > +# test definitions and looking for the suffix referenced > +# by this column > +# > +# Note: any other component of sudoers or the request which are not > +# tested are set such that the request is allowed > +# > +# Testing User_Alias > +#User User Operation Test > +#requesting configured allowed? case > +#operation in sudoers > +#---------------------------------------------------- > +#User eq User y u1 > +#User !eq User n u2 > +#User in Group y u3 > +#User !in Group n u4 > + > +# Testing Runas_Alias > +#Target user Target user Operation Test > +#requested in sudoers allowed? case > +#----------------------------------------------------- > +#User eq User y u1 > +#User !eq User n t2 > +#User in Group y t3 > +#User !in Group n t4 > + > +# Testing Cmd_Alias > +#CMD CMD Operation Test > +#requested in sudoers allowed? 
case > +#--------------------------------------------------- > +#cmd eq cmd y u1 > +#cmd !eq cmd n c2 > +#cmd in dir y c3 > +#cmd !in dir n c4 > +# > +# Testing password enforcement > +#Password Password Operation Test > +#in request setting in allowed? case > +# sudoers > +#---------------------------------------------------- > +#right pass default y u1 > +#wrong pass default n p2 > +#right pass NOPASSWD: y p3 > +#wrong pass NOPASSWD: y p4 > +# > +TESTS="u1 u2 u3 u4 t2 t3 t4 c2 c3 c4 p2 p3 p4" > + > +# DO NOT CHANGE > +USERG="sudouser1" > +USERG_ID=12345 > +USERO="sudouser2" > +USERO_ID=12346 > +USERT="sudotarget" > +USERT_ID=12347 > +GROUP="sudogroup" > +PASS="Tad6osBijy" > +PASSENC='$6$Rpvtlluu$K63QZN9do4I03/uaKYVFxe3d7CZHOCUsAQNs7F5CQ.b.HJgcGaLOx6qRepDNko4xFxO0VFk4OEQzXHGBAtfHe0' > +# DO NOT CHANGE > + > +# User definitions: > +# USERG: member of group GROUP (should be used as requesting user) > +# USERT: member of group GROUP (should be used as target user) > +# USERO: not a member of GROUP (may be used as requesting and target user) > +USER_SUDO_u1=$USERG > +USER_EXEC_u1=$USERG > +RUN_SUDO_u1=$USERT > +RUN_EXEC_u1=$USERT > +CMD_SUDO_u1="/usr/bin/id" > +CMD_EXEC_u1="/usr/bin/id -u" > +CMD_RES_u1=$USERT_ID > +CMD_RET_u1=0 > + > +USER_SUDO_u2=$USERG > +USER_EXEC_u2=$USERO > +RUN_SUDO_u2=$USERT > +RUN_EXEC_u2=$USERT > +CMD_SUDO_u2="/usr/bin/id" > +CMD_EXEC_u2="/usr/bin/id -u" > +CMD_RES_u2="" > +CMD_RET_u2=1 > + > +USER_SUDO_u3="%$GROUP" > +USER_EXEC_u3=$USERG > +RUN_SUDO_u3=$USERT > +RUN_EXEC_u3=$USERT > +CMD_SUDO_u3="/usr/bin/id" > +CMD_EXEC_u3="/usr/bin/id -u" > +CMD_RES_u3=$USERT_ID > +CMD_RET_u3=0 > + > +USER_SUDO_u4="%$GROUP" > +USER_EXEC_u4=$USERO > +RUN_SUDO_u4=$USERT > +RUN_EXEC_u4=$USERT > +CMD_SUDO_u4="/usr/bin/id" > +CMD_EXEC_u4="/usr/bin/id -u" > +CMD_RES_u4="" > +CMD_RET_u4=1 > + > +USER_SUDO_t2=$USERO > +USER_EXEC_t2=$USERO > +RUN_SUDO_t2=$USERT > +RUN_EXEC_t2=$USERO > +CMD_SUDO_t2="/usr/bin/id" > +CMD_EXEC_t2="/usr/bin/id -u" > +CMD_RES_t2="" > 
+CMD_RET_t2=1 > + > +USER_SUDO_t3=$USERO > +USER_EXEC_t3=$USERO > +RUN_SUDO_t3="%$GROUP" > +RUN_EXEC_t3=$USERT > +CMD_SUDO_t3="/usr/bin/id" > +CMD_EXEC_t3="/usr/bin/id -u" > +CMD_RES_t3=$USERT_ID > +CMD_RET_t3=0 > + > +USER_SUDO_t4=$USERO > +USER_EXEC_t4=$USERO > +RUN_SUDO_t4="%$GROUP" > +RUN_EXEC_t4=$USERO > +CMD_SUDO_t4="/usr/bin/id" > +CMD_EXEC_t4="/usr/bin/id -u" > +CMD_RES_t4="" > +CMD_RET_t4=1 > + > +USER_SUDO_c2=$USERG > +USER_EXEC_c2=$USERG > +RUN_SUDO_c2=$USERT > +RUN_EXEC_c2=$USERT > +CMD_SUDO_c2="/usr/bin/id" > +CMD_EXEC_c2="/bin/ls" > +CMD_RES_c2="" > +CMD_RET_c2=1 > + > +USER_SUDO_c3=$USERG > +USER_EXEC_c3=$USERG > +RUN_SUDO_c3=$USERT > +RUN_EXEC_c3=$USERT > +CMD_SUDO_c3="/usr/bin/" > +CMD_EXEC_c3="/usr/bin/id -u" > +CMD_RES_c3=$USERT_ID > +CMD_RET_c3=0 > + > +USER_SUDO_c4=$USERG > +USER_EXEC_c4=$USERG > +RUN_SUDO_c4=$USERT > +RUN_EXEC_c4=$USERT > +CMD_SUDO_c4="/bin/" > +CMD_EXEC_c4="/usr/bin/id -u" > +CMD_RES_c4="" > +CMD_RET_c4=1 > + > +USER_SUDO_p2=$USERG > +USER_PASS_p2="wrongpass" > +USER_EXEC_p2=$USERG > +RUN_SUDO_p2=$USERT > +RUN_EXEC_p2=$USERT > +CMD_SUDO_p2="/usr/bin/id" > +CMD_EXEC_p2="/usr/bin/id -u" > +CMD_RES_p2="" > +CMD_RET_p2=1 > + > +USER_SUDO_p3=$USERG > +USER_EXEC_p3=$USERG > +RUN_SUDO_p3=$USERT > +RUN_EXEC_p3=$USERT > +CMD_SUDO_p3="NOPASSWD: /usr/bin/id" > +CMD_EXEC_p3="/usr/bin/id -u" > +CMD_RES_p3=$USERT_ID > +CMD_RET_p3=0 > + > +USER_SUDO_p4=$USERG > +USER_PASS_p4="wrongpass" > +USER_EXEC_p4=$USERG > +RUN_SUDO_p4=$USERT > +RUN_EXEC_p4=$USERT > +CMD_SUDO_p4="NOPASSWD: /usr/bin/id" > +CMD_EXEC_p4="/usr/bin/id -u" > +CMD_RES_p4=$USERT_ID > +CMD_RET_p4=0 > + > +########### no further test specification beyond this line ############ > + > +source pam_functions.bash || exit 2 > + > +setup_cleanup() { > + prepend_cleanup "rm -rf /home/$USERG /home/$USERO /home/$USERT /var/mail/$USERG /var/mail/$USERO /var/mail/$USERT" > + prepend_cleanup "rm -f /etc/sudoers.new" > + prepend_cleanup "groupdel $GROUP" > + prepend_cleanup "userdel $USERT" 
> + prepend_cleanup "userdel $USERO" > + prepend_cleanup "userdel $USERG" > +} > + > +gen_user() { > + userdel $USERG 2> /dev/null > + userdel $USERO 2> /dev/null > + userdel $USERT 2> /dev/null > + groupdel $GROUP 2> /dev/null > + groupadd $GROUP > + useradd -u $USERG_ID -g $GROUP -p $PASSENC $USERG > + useradd -u $USERO_ID -p $PASSENC $USERO > + useradd -u $USERT_ID -g $GROUP -p $PASSENC $USERT > +} > + > +setup_sudoers() { > + local User_Alias=$1 > + local Runas_Alias=$2 > + shift; shift > + local Cmd_Alias=$@ > + > + local perm= > + perm=$(stat -c %a /etc/sudoers) > + > + perl -ne 'print unless /#SUDO_TESTING_START/../#SUDO_TESTING_END/' \ > + < /etc/sudoers | sed -e 's/^Defaults requiretty/# Defaults requiretty/' > /etc/sudoers.new > + # Only modify sudoers file when we are given some variables > + # if not, we basically clean up sudoers > + [ -n "$User_Alias" ] && { > + echo "#SUDO_TESTING_START" >> /etc/sudoers.new > + echo "User_Alias USER = $User_Alias" >> /etc/sudoers.new > + echo "Runas_Alias RUNAS = $Runas_Alias" >> /etc/sudoers.new > + echo "Defaults:USER timestamp_timeout=0" >> /etc/sudoers.new > + echo "USER ALL = (RUNAS) $Cmd_Alias" >> /etc/sudoers.new > + echo "#SUDO_TESTING_END" >> /etc/sudoers.new > + } > + mv -f /etc/sudoers.new /etc/sudoers > + chmod $perm /etc/sudoers > +} > + > +testloop() { > + > + local res="" > + local ret="" > + local testfail=0 > + local testpass=0 > + local testno=0 > + > + for i in $TESTS; do > + local USER_SUDO="" > + eval USER_SUDO=\$USER_SUDO_$i > + local USER_EXEC="" > + eval USER_EXEC=\$USER_EXEC_$i > + local RUN_SUDO="" > + eval RUN_SUDO=\$RUN_SUDO_$i > + local RUN_EXEC="" > + eval RUN_EXEC=\$RUN_EXEC_$i > + local CMD_SUDO="" > + eval CMD_SUDO=\$CMD_SUDO_$i > + local CMD_EXEC="" > + eval CMD_EXEC=\$CMD_EXEC_$i > + local CMD_RES="" > + eval CMD_RES=\$CMD_RES_$i > + local CMD_RET="" > + eval CMD_RET=\$CMD_RET_$i > + local USER_PASS="" > + eval USER_PASS=\$USER_PASS_$i > + > + [ -z "$USER_PASS" ] && USER_PASS=$PASS 
> + > + setup_sudoers $USER_SUDO $RUN_SUDO $CMD_SUDO > + res=$(su -c "echo $USER_PASS | sudo -S -u $RUN_EXEC $CMD_EXEC 2>/dev/null" $USER_EXEC) > + ret=$? > + let testno=$testno+1 > + > + if [ "$res" = "$CMD_RES" -a "$ret" -eq "$CMD_RET" ]; then > + echo "Test $i PASSED" > + let testpass=$testpass+1 > + else > + echo "Test $i: actual result output $res - expected $CMD_RES" > + echo "Test $i: actual return value $ret - expected $CMD_RET" > + echo "Test $i FAILED" > + let testfail=$testfail+1 > + fi > + done > + > + echo "Number of tests executed: $testno" > + echo "Number of tests failed: $testfail" > + echo "Number of tests passed: $testpass" > + > + return $testfail > + > +} > + > +main() { > + setup_cleanup > + > + gen_user > + backup /etc/sudoers > + > + testloop > + if [ $? -gt 0 ]; then > + exit_fail Its possible to provide more information on the exit_fail line that would appear in the rollup.log file. Knowing how may tests failed might be interesting. > + else > + exit_pass > + fi > +} > + > +main > + > > ------------------------------------------------------------------------------ > What Every C/C++ and Fortran developer Should Know! > Read this article and learn how Intel has extended the reach of its > next-generation tools to help Windows* and Linux* C/C++ and Fortran > developers boost performance applications - including clusters. > http://p.sf.net/sfu/intel-dev2devmay > _______________________________________________ > Audit-test-developer mailing list > Aud...@li... > https://lists.sourceforge.net/lists/listinfo/audit-test-developer |
From: Tony E. <te...@sg...> - 2011-05-24 15:07:38
On Mon, May 23, 2011 at 07:26:07PM -0400, Linda Knippers wrote: > Hi Tony, > > Thanks for the patches. I have a question for you and a question for Stephan. > Maybe more than one of eacy. > > Tony Ernst wrote: > > This patch adds libpam testcases for pamfaillock and sudo. It also fixes > > minor login and su failures caused by screen. > > What login and su failures are you seeing? I'm seeing a login failure > but not an su fail but I'm not running screen so I'm curious. Hi Linda, The tests check the login/su audit record and expect to find a matching "terminal=". But screen grabs a new terminal, so it doesn't match. Disabling screen fixes the problem. > > Note: The new testcases in libpam/tests/ should have their permissions set > > to 0755 before being checked into the git tree. Those files are: > > test_pamfaillock_lock.bash > > test_pamfaillock_unlock.bash > > test_sudo.bash > > > > Signed-off-by: Tony Ernst <te...@sg...> > > --- > > run.conf | 5 > > tests/test_login.bash | 4 > > tests/test_pamfaillock_lock.bash | 50 +++++ > > tests/test_pamfaillock_unlock.bash | 62 +++++++ > > tests/test_su.bash | 4 > > tests/test_sudo.bash | 322 +++++++++++++++++++++++++++++++++++++ > > 6 files changed, 445 insertions(+), 2 deletions(-) > > > > diff -uprN a/audit/libpam/run.conf b/libpam/run.conf > > --- a/audit/libpam/run.conf 2011-04-01 10:55:09.074884698 -0500 > > +++ b/libpam/run.conf 2011-05-12 14:42:31.151484551 -0500 > > @@ -43,9 +43,10 @@ function run_test { > > + sshd_fail > > + su > > + su_fail > > ++ sudo > > if [[ $DISTRO != "SUSE" ]] ; then > > - + pamtally2_lock > > - + pamtally2_unlock > > + + pamfaillock_lock > > + + pamfaillock_unlock > > fi > > if [[ $DISTRO != "RHEL" ]] ; then > > + vsftpd > > diff -uprN a/audit/libpam/tests/test_login.bash b/libpam/tests/test_login.bash > > --- a/audit/libpam/tests/test_login.bash 2011-04-01 10:55:09.091487863 -0500 > > +++ b/libpam/tests/test_login.bash 2011-05-12 11:22:19.476028068 -0500 
> > @@ -24,6 +24,10 @@ source pam_functions.bash || exit 2 > > # allow TEST_USER to write to tmpfile > > chmod 666 $localtmp > > > > +# turn off screen in /etc/profile > > +backup /etc/profile > > +sed -i 's/\[ -w .*\]/false/' /etc/profile > > This seems a bit fragile. What if the /etc/profile happens to have another > line that checks for a writable file? This substitution could break > something else. Can your check be more explicit to look for more of > the line? Agreed. Would this be acceptable? sed -i 's/\[ -w $(tty) \]/false/' /etc/profile > Or maybe it would be better to have a more convenient way to turn screen > off? Like clear out SCREENEXEC and where the script checks for the writable > tty, also check to see if SCREENEXEC is set. Then all you'd have to do is > clear the value for SCREENEXEC. > > > + > > # if in LSPP mode, map the TEST_USER to staff_u > > if [[ $PPROFILE == "lspp" ]]; then > > semanage login -d $TEST_USER > > diff -uprN a/audit/libpam/tests/test_pamfaillock_lock.bash b/libpam/tests/test_pamfaillock_lock.bash > > --- a/audit/libpam/tests/test_pamfaillock_lock.bash 1969-12-31 18:00:00.000000000 -0600 > > +++ b/libpam/tests/test_pamfaillock_lock.bash 2011-05-12 11:22:19.537557381 -0500 
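Review bot: The `backup /etc/profile` / `sed -i` pair added here is duplicated verbatim in the test_su.bash hunk further down the same diff, so whatever substitution pattern is finally settled on has to be kept in sync in two places. Both tests already `source pam_functions.bash`, so one helper there, e.g. `disable_screen_in_profile() { backup /etc/profile || exit_error; sed -i '<settled-pattern>' /etc/profile || exit_error; }`, called from each test keeps the screen workaround in a single place. The helper should also fail loudly as shown, since the hunk currently ignores the return codes of both `backup` and `sed`, and a silent failure there surfaces later only as the unrelated-looking terminal= mismatch. The same hunk is quoted again later in the thread.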
> > @@ -0,0 +1,50 @@ > > +#!/bin/bash > > +############################################################################### > > +# (c) Copyright Hewlett-Packard Development Company, L.P., 2006 > > +# > > +# This program is free software: you can redistribute it and/or modify > > +# it under the terms of version 2 the GNU General Public License as > > +# published by the Free Software Foundation. > > +# > > +# This program is distributed in the hope that it will be useful, > > +# but WITHOUT ANY WARRANTY; without even the implied warranty of > > +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > > +# GNU General Public License for more details. > > +# > > +# You should have received a copy of the GNU General Public License > > +# along with this program. If not, see <http://www.gnu.org/licenses/>. > > +############################################################################### > > +# > > +# PURPOSE: > > +# Verify pam_faillock will lock an account > > + > > +source pam_functions.bash || exit 2 > > + > > +# setup > > +tuid=$(id -u $TEST_USER) > > +grep -q pam_faillock /etc/pam.d/sshd || grep -q pam_faillock /etc/pam.d/password-auth || exit_error > > + > > +# Unlike pam_tally2, faillock doesn't have a --reset=n option that lets us > > +# pre-set the number of failures. So we need to fail the login multiple times > > +# until we reach the deny limit. When this test was written, a RHEL6.1 > > +# evaluation system required three failures to trigger a lockout. YMMV. 
> > + > > +expect -c ' > > + spawn ssh $env(TEST_USER)@localhost > > + expect -nocase {Are you sure you want to continue} {send "yes\r"} > > + expect -nocase {password: $} {send "badpassword\r"} > > + expect -nocase {permission denied} > > + expect -nocase {password: $} {send "badpassword\r"} > > + expect -nocase {permission denied} > > + expect -nocase {password: $} {send "badpassword\r"} > > + expect -nocase {permission denied} {close; wait}' > > + > > +# test > > +msg_1="pam_faillock uid=$tuid : exe=./usr/sbin/sshd.*res=success.*" > > +augrok -q type=ANOM_LOGIN_FAILURES msg_1=~"$msg_1" || exit_fail > > +augrok -q type=RESP_ACCT_LOCK msg_1=~"$msg_1" || exit_fail > > + > > +# clean up > > +/sbin/faillock --user $TEST_USER --reset > /dev/null || exit_error > > + > > +exit_pass > > diff -uprN a/audit/libpam/tests/test_pamfaillock_unlock.bash b/libpam/tests/test_pamfaillock_unlock.bash > > --- a/audit/libpam/tests/test_pamfaillock_unlock.bash 1969-12-31 18:00:00.000000000 -0600 > > +++ b/libpam/tests/test_pamfaillock_unlock.bash 2011-05-12 11:22:19.600063349 -0500 
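Review bot: `/sbin/faillock --user $TEST_USER --reset` at the end of the hunk runs only after both augrok checks succeed; if either `exit_fail` fires first, TEST_USER is left locked and every later test in the run that logs in as that user (su, sshd, login) fails for a reason unrelated to what it tests. Register the reset as cleanup right after the `grep -q pam_faillock` check, e.g. `prepend_cleanup "/sbin/faillock --user $TEST_USER --reset"` as test_sudo.bash does for its users, and keep the explicit reset at the end if its return code is still wanted as part of the pass criterion. The three bad passwords are hard-coded while the lockout threshold is the `deny=` argument of pam_faillock in the very PAM files the test already greps; reading that value and looping that many times would make the test hold on systems with a different limit, which the comment above already anticipates. The same hunk is quoted again later in the thread.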
> > @@ -0,0 +1,62 @@ > > +#!/bin/bash > > +############################################################################### > > +# (c) Copyright Hewlett-Packard Development Company, L.P., 2006 > > +# > > +# This program is free software: you can redistribute it and/or modify > > +# it under the terms of version 2 the GNU General Public License as > > +# published by the Free Software Foundation. > > +# > > +# This program is distributed in the hope that it will be useful, > > +# but WITHOUT ANY WARRANTY; without even the implied warranty of > > +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > > +# GNU General Public License for more details. > > +# > > +# You should have received a copy of the GNU General Public License > > +# along with this program. If not, see <http://www.gnu.org/licenses/>. > > +############################################################################### > > +# > > +# PURPOSE: > > +# Verify pam_faillock will unlock an account > > + > > +source pam_functions.bash || exit 2 > > + > > +# setup > > +tuid=$(id -u $TEST_USER) > > +grep -q pam_faillock /etc/pam.d/sshd || grep -q pam_faillock /etc/pam.d/password-auth || exit_error > > + > > +# Unlike pam_tally2, faillock doesn't have a --reset=n option that lets us > > +# pre-set the number of failures. So we need to fail the login multiple times > > +# until we reach the deny limit. When this test was written, a RHEL6.1 > > +# evaluation system required three failures to trigger a lockout. YMMV. 
> > + > > +expect -c ' > > + spawn ssh $env(TEST_USER)@localhost > > + expect -nocase {Are you sure you want to continue} {send "yes\r"} > > + expect -nocase {password: $} {send "badpassword\r"} > > + expect -nocase {permission denied} > > + expect -nocase {password: $} {send "badpassword\r"} > > + expect -nocase {permission denied} > > + expect -nocase {password: $} {send "badpassword\r"} > > + expect -nocase {permission denied} {close; wait}' > > + > > +# test > > +/sbin/faillock --user $TEST_USER --reset > /dev/null || exit_error > > + > > +msg_1="faillock reset uid=$tuid: exe=./sbin/faillock.*res=success.*" > > +augrok -q type=USER_ACCT msg_1=~"$msg_1" || exit_fail > > + > > +# verify the account is unlocked > > +expect -c ' > > + spawn ssh $env(TEST_USER)@localhost > > + expect -nocase {Are you sure you want to continue} {send "yes\r"} > > + expect -nocase {password: $} { > > + send "$env(TEST_USER_PASSWD)\r" > > + send "PS1=:\\::\r" > > + } > > + expect {:::$} {close; wait}' > > + > > +msg_2="acct=\"$TEST_USER\" exe=./usr/sbin/sshd.*terminal=ssh res=success.*" > > +augrok -q type=CRED_ACQ msg_1=~"PAM:setcred $msg_2" || exit_fail > > +augrok -q type=USER_ACCT msg_1=~"PAM:accounting $msg_2" || exit_fail > > + > > +exit_pass > > diff -uprN a/audit/libpam/tests/test_su.bash b/libpam/tests/test_su.bash > > --- a/audit/libpam/tests/test_su.bash 2011-04-01 10:55:09.136414077 -0500 > > +++ b/libpam/tests/test_su.bash 2011-05-12 11:22:19.470168134 -0500 > > @@ -25,6 +25,10 @@ if [[ $EUID == 0 ]]; then > > # allow TEST_USER to write to tmpfile created by root > > chmod 666 $tmp1 > > > > + # turn off screen in /etc/profile > > + backup /etc/profile > > + sed -i 's/\[ -w .*\]/false/' /etc/profile > > + > > # test > > # rerun this script as TEST_USER. Confine the exports to a subshell > > ( > > diff -uprN a/audit/libpam/tests/test_sudo.bash b/libpam/tests/test_sudo.bash > > --- a/audit/libpam/tests/test_sudo.bash 1969-12-31 18:00:00.000000000 -0600 
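Review bot: The unlock test never confirms that the three bad logins actually locked the account before the `faillock --reset` under `# test`; on a system whose deny limit is above three, the reset still succeeds, the USER_ACCT record still appears, and the later successful login proves nothing about unlocking. Add a check between the first expect block and the reset, e.g. `augrok -q type=RESP_ACCT_LOCK msg_1=~"pam_faillock uid=$tuid : exe=./usr/sbin/sshd.*res=success.*" || exit_error`, so a missing lock is reported as a setup error rather than a pass. The final `expect {:::$} {close; wait}` relies on expect's default timeout to move on when the login is still refused, which leaves no trace of why the CRED_ACQ check then fails; a `timeout {exit 1}` arm there, with the exit status checked, would make that failure self-explaining. The same hunk is quoted again later in the thread.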
> > +++ b/libpam/tests/test_sudo.bash 2011-05-12 11:22:19.512164331 -0500 > > This is a Stephan question: Do we not need to check anything audit related > in the set of sudo test cases? This looks like a good functional test, so > something we need, I'm just wondering when any of the audit records are > important since sudo does cause some to be generated. Not sure if they're > interesting or not. > > Also, are these tests actually testing anything in libpam? If not, I > might move them to trustedprograms or our yet-to-be-created misc test > directory. Yes. sudo uses libpam for authentication. 
> > @@ -0,0 +1,322 @@ > > +#!/bin/bash > > + > > +# Test case written by Stephan Mueller <smu...@at...> > > +# Copyright (c) 2010 atsec information security > > +# > > +# Purpose: Testing of sudo execution, authentication > > +# and sudoers enforcement > > +# > > +# Expected result: See the test definitions below for a description of > > +# the expected test results. > > +# > > +# Test execution: execute $0 as root > > +# > > +# The following matrices define the test units specified with this test. > > +# To read a matrix, use the following column definitions: > > +# 1st column: this lists the request > > +# 2nd column: this lists the configuration in sudoers > > +# between 1st and 2nd column, the equality between the > > +# value in the requested command and the value found in > > +# sudoers is specified > > +# 3rd column: marks the epxected result - either operation allowed or not > > +# 4th column: references the test case (you find it by searching the > > +# test definitions and looking for the suffix referenced > > +# by this column > > +# > > +# Note: any other component of sudoers or the request which are not > > +# tested are set such that the request is allowed > > +# > > +# Testing User_Alias > > +#User User Operation Test > > +#requesting configured allowed? case > > +#operation in sudoers > > +#---------------------------------------------------- > > +#User eq User y u1 > > +#User !eq User n u2 > > +#User in Group y u3 > > +#User !in Group n u4 > > + > > +# Testing Runas_Alias > > +#Target user Target user Operation Test > > +#requested in sudoers allowed? case > > +#----------------------------------------------------- > > +#User eq User y u1 > > +#User !eq User n t2 > > +#User in Group y t3 > > +#User !in Group n t4 > > + > > +# Testing Cmd_Alias > > +#CMD CMD Operation Test > > +#requested in sudoers allowed? 
case > > +#--------------------------------------------------- > > +#cmd eq cmd y u1 > > +#cmd !eq cmd n c2 > > +#cmd in dir y c3 > > +#cmd !in dir n c4 > > +# > > +# Testing password enforcement > > +#Password Password Operation Test > > +#in request setting in allowed? case > > +# sudoers > > +#---------------------------------------------------- > > +#right pass default y u1 > > +#wrong pass default n p2 > > +#right pass NOPASSWD: y p3 > > +#wrong pass NOPASSWD: y p4 > > +# > > +TESTS="u1 u2 u3 u4 t2 t3 t4 c2 c3 c4 p2 p3 p4" > > + > > +# DO NOT CHANGE > > +USERG="sudouser1" > > +USERG_ID=12345 > > +USERO="sudouser2" > > +USERO_ID=12346 > > +USERT="sudotarget" > > +USERT_ID=12347 > > +GROUP="sudogroup" > > +PASS="Tad6osBijy" > > +PASSENC='$6$Rpvtlluu$K63QZN9do4I03/uaKYVFxe3d7CZHOCUsAQNs7F5CQ.b.HJgcGaLOx6qRepDNko4xFxO0VFk4OEQzXHGBAtfHe0' > > +# DO NOT CHANGE > > + > > +# User definitions: > > +# USERG: member of group GROUP (should be used as requesting user) > > +# USERT: member of group GROUP (should be used as target user) > > +# USERO: not a member of GROUP (may be used as requesting and target user) > > +USER_SUDO_u1=$USERG > > +USER_EXEC_u1=$USERG > > +RUN_SUDO_u1=$USERT > > +RUN_EXEC_u1=$USERT > > +CMD_SUDO_u1="/usr/bin/id" > > +CMD_EXEC_u1="/usr/bin/id -u" > > +CMD_RES_u1=$USERT_ID > > +CMD_RET_u1=0 > > + > > +USER_SUDO_u2=$USERG > > +USER_EXEC_u2=$USERO > > +RUN_SUDO_u2=$USERT > > +RUN_EXEC_u2=$USERT > > +CMD_SUDO_u2="/usr/bin/id" > > +CMD_EXEC_u2="/usr/bin/id -u" > > +CMD_RES_u2="" > > +CMD_RET_u2=1 > > + > > +USER_SUDO_u3="%$GROUP" > > +USER_EXEC_u3=$USERG > > +RUN_SUDO_u3=$USERT > > +RUN_EXEC_u3=$USERT > > +CMD_SUDO_u3="/usr/bin/id" > > +CMD_EXEC_u3="/usr/bin/id -u" > > +CMD_RES_u3=$USERT_ID > > +CMD_RET_u3=0 > > + > > +USER_SUDO_u4="%$GROUP" > > +USER_EXEC_u4=$USERO > > +RUN_SUDO_u4=$USERT > > +RUN_EXEC_u4=$USERT > > +CMD_SUDO_u4="/usr/bin/id" > > +CMD_EXEC_u4="/usr/bin/id -u" > > +CMD_RES_u4="" > > +CMD_RET_u4=1 > > + > > +USER_SUDO_t2=$USERO > > 
+USER_EXEC_t2=$USERO > > +RUN_SUDO_t2=$USERT > > +RUN_EXEC_t2=$USERO > > +CMD_SUDO_t2="/usr/bin/id" > > +CMD_EXEC_t2="/usr/bin/id -u" > > +CMD_RES_t2="" > > +CMD_RET_t2=1 > > + > > +USER_SUDO_t3=$USERO > > +USER_EXEC_t3=$USERO > > +RUN_SUDO_t3="%$GROUP" > > +RUN_EXEC_t3=$USERT > > +CMD_SUDO_t3="/usr/bin/id" > > +CMD_EXEC_t3="/usr/bin/id -u" > > +CMD_RES_t3=$USERT_ID > > +CMD_RET_t3=0 > > + > > +USER_SUDO_t4=$USERO > > +USER_EXEC_t4=$USERO > > +RUN_SUDO_t4="%$GROUP" > > +RUN_EXEC_t4=$USERO > > +CMD_SUDO_t4="/usr/bin/id" > > +CMD_EXEC_t4="/usr/bin/id -u" > > +CMD_RES_t4="" > > +CMD_RET_t4=1 > > + > > +USER_SUDO_c2=$USERG > > +USER_EXEC_c2=$USERG > > +RUN_SUDO_c2=$USERT > > +RUN_EXEC_c2=$USERT > > +CMD_SUDO_c2="/usr/bin/id" > > +CMD_EXEC_c2="/bin/ls" > > +CMD_RES_c2="" > > +CMD_RET_c2=1 > > + > > +USER_SUDO_c3=$USERG > > +USER_EXEC_c3=$USERG > > +RUN_SUDO_c3=$USERT > > +RUN_EXEC_c3=$USERT > > +CMD_SUDO_c3="/usr/bin/" > > +CMD_EXEC_c3="/usr/bin/id -u" > > +CMD_RES_c3=$USERT_ID > > +CMD_RET_c3=0 > > + > > +USER_SUDO_c4=$USERG > > +USER_EXEC_c4=$USERG > > +RUN_SUDO_c4=$USERT > > +RUN_EXEC_c4=$USERT > > +CMD_SUDO_c4="/bin/" > > +CMD_EXEC_c4="/usr/bin/id -u" > > +CMD_RES_c4="" > > +CMD_RET_c4=1 > > + > > +USER_SUDO_p2=$USERG > > +USER_PASS_p2="wrongpass" > > +USER_EXEC_p2=$USERG > > +RUN_SUDO_p2=$USERT > > +RUN_EXEC_p2=$USERT > > +CMD_SUDO_p2="/usr/bin/id" > > +CMD_EXEC_p2="/usr/bin/id -u" > > +CMD_RES_p2="" > > +CMD_RET_p2=1 > > + > > +USER_SUDO_p3=$USERG > > +USER_EXEC_p3=$USERG > > +RUN_SUDO_p3=$USERT > > +RUN_EXEC_p3=$USERT > > +CMD_SUDO_p3="NOPASSWD: /usr/bin/id" > > +CMD_EXEC_p3="/usr/bin/id -u" > > +CMD_RES_p3=$USERT_ID > > +CMD_RET_p3=0 > > + > > +USER_SUDO_p4=$USERG > > +USER_PASS_p4="wrongpass" > > +USER_EXEC_p4=$USERG > > +RUN_SUDO_p4=$USERT > > +RUN_EXEC_p4=$USERT > > +CMD_SUDO_p4="NOPASSWD: /usr/bin/id" > > +CMD_EXEC_p4="/usr/bin/id -u" > > +CMD_RES_p4=$USERT_ID > > +CMD_RET_p4=0 > > + > > +########### no further test specification beyond this line 
############ > > + > > +source pam_functions.bash || exit 2 > > + > > +setup_cleanup() { > > + prepend_cleanup "rm -rf /home/$USERG /home/$USERO /home/$USERT /var/mail/$USERG /var/mail/$USERO /var/mail/$USERT" > > + prepend_cleanup "rm -f /etc/sudoers.new" > > + prepend_cleanup "groupdel $GROUP" > > + prepend_cleanup "userdel $USERT" > > + prepend_cleanup "userdel $USERO" > > + prepend_cleanup "userdel $USERG" > > +} > > + > > +gen_user() { > > + userdel $USERG 2> /dev/null > > + userdel $USERO 2> /dev/null > > + userdel $USERT 2> /dev/null > > + groupdel $GROUP 2> /dev/null > > + groupadd $GROUP > > + useradd -u $USERG_ID -g $GROUP -p $PASSENC $USERG > > + useradd -u $USERO_ID -p $PASSENC $USERO > > + useradd -u $USERT_ID -g $GROUP -p $PASSENC $USERT > > +} > > + > > +setup_sudoers() { > > + local User_Alias=$1 > > + local Runas_Alias=$2 > > + shift; shift > > + local Cmd_Alias=$@ > > + > > + local perm= > > + perm=$(stat -c %a /etc/sudoers) > > + > > + perl -ne 'print unless /#SUDO_TESTING_START/../#SUDO_TESTING_END/' \ > > + < /etc/sudoers | sed -e 's/^Defaults requiretty/# Defaults requiretty/' > /etc/sudoers.new > > + # Only modify sudoers file when we are given some variables > > + # if not, we basically clean up sudoers > > + [ -n "$User_Alias" ] && { > > + echo "#SUDO_TESTING_START" >> /etc/sudoers.new > > + echo "User_Alias USER = $User_Alias" >> /etc/sudoers.new > > + echo "Runas_Alias RUNAS = $Runas_Alias" >> /etc/sudoers.new > > + echo "Defaults:USER timestamp_timeout=0" >> /etc/sudoers.new > > + echo "USER ALL = (RUNAS) $Cmd_Alias" >> /etc/sudoers.new > > + echo "#SUDO_TESTING_END" >> /etc/sudoers.new > > + } > > + mv -f /etc/sudoers.new /etc/sudoers > > + chmod $perm /etc/sudoers > > +} > > + > > +testloop() { > > + > > + local res="" > > + local ret="" > > + local testfail=0 > > + local testpass=0 > > + local testno=0 > > + > > + for i in $TESTS; do > > + local USER_SUDO="" > > + eval USER_SUDO=\$USER_SUDO_$i > > + local USER_EXEC="" > > + eval 
USER_EXEC=\$USER_EXEC_$i > > + local RUN_SUDO="" > > + eval RUN_SUDO=\$RUN_SUDO_$i > > + local RUN_EXEC="" > > + eval RUN_EXEC=\$RUN_EXEC_$i > > + local CMD_SUDO="" > > + eval CMD_SUDO=\$CMD_SUDO_$i > > + local CMD_EXEC="" > > + eval CMD_EXEC=\$CMD_EXEC_$i > > + local CMD_RES="" > > + eval CMD_RES=\$CMD_RES_$i > > + local CMD_RET="" > > + eval CMD_RET=\$CMD_RET_$i > > + local USER_PASS="" > > + eval USER_PASS=\$USER_PASS_$i > > + > > + [ -z "$USER_PASS" ] && USER_PASS=$PASS > > + > > + setup_sudoers $USER_SUDO $RUN_SUDO $CMD_SUDO > > + res=$(su -c "echo $USER_PASS | sudo -S -u $RUN_EXEC $CMD_EXEC 2>/dev/null" $USER_EXEC) > > + ret=$? > > + let testno=$testno+1 > > + > > + if [ "$res" = "$CMD_RES" -a "$ret" -eq "$CMD_RET" ]; then > > + echo "Test $i PASSED" > > + let testpass=$testpass+1 > > + else > > + echo "Test $i: actual result output $res - expected $CMD_RES" > > + echo "Test $i: actual return value $ret - expected $CMD_RET" > > + echo "Test $i FAILED" > > + let testfail=$testfail+1 > > + fi > > + done > > + > > + echo "Number of tests executed: $testno" > > + echo "Number of tests failed: $testfail" > > + echo "Number of tests passed: $testpass" > > + > > + return $testfail > > + > > +} > > + > > +main() { > > + setup_cleanup > > + > > + gen_user > > + backup /etc/sudoers > > + > > + testloop > > + if [ $? -gt 0 ]; then > > + exit_fail > > Its possible to provide more information on the exit_fail line that would > appear in the rollup.log file. Knowing how may tests failed might be > interesting. > > > + else > > + exit_pass > > + fi > > +} > > + > > +main > > + > > > > ------------------------------------------------------------------------------ > > What Every C/C++ and Fortran developer Should Know! > > Read this article and learn how Intel has extended the reach of its > > next-generation tools to help Windows* and Linux* C/C++ and Fortran > > developers boost performance applications - including clusters. 
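Review bot: `setup_sudoers` replaces /etc/sudoers with `mv -f /etc/sudoers.new /etc/sudoers` without validating the generated file, so a malformed alias line (the `Cmd_Alias` argument is joined from `$@` and written unquoted) would leave the evaluation system with an unparseable sudoers until the backup is restored at cleanup. Run `visudo -c -f /etc/sudoers.new >/dev/null || exit_error` immediately before the `mv`. The `eval USER_SUDO=\$USER_SUDO_$i` lines in `testloop` can use bash indirect expansion instead, `var=USER_SUDO_$i; USER_SUDO=${!var}`, which has the same effect without `eval`; `$i` comes from the fixed `TESTS` list, so this is a style point here rather than a safety issue. The `su -c "echo $USER_PASS | sudo -S …"` line puts the test password into su's argv, where it is visible in `ps` and in any EXECVE audit record the suite collects; feeding it on stdin, `su -c "sudo -S -u $RUN_EXEC $CMD_EXEC 2>/dev/null" $USER_EXEC <<<"$USER_PASS"`, keeps it out of argv if su passes its stdin through on this system, which is worth confirming.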
From: Linda K. <lin...@hp...> - 2011-05-24 16:05:51
Hi Tony, Tony Ernst wrote: > On Mon, May 23, 2011 at 07:26:07PM -0400, Linda Knippers wrote: >> Hi Tony, >> >> Thanks for the patches. I have a question for you and a question for Stephan. >> Maybe more than one of eacy. >> >> Tony Ernst wrote: >>> This patch adds libpam testcases for pamfaillock and sudo. It also fixes >>> minor login and su failures caused by screen. >> What login and su failures are you seeing? I'm seeing a login failure >> but not an su fail but I'm not running screen so I'm curious. > > Hi Linda, > > The tests check the login/su audit record and expect to find a matching > "terminal=". But screen grabs a new terminal, so it doesn't match. > Disabling screen fixes the problem. Ok, thanks. That makes sense. There must be something odd about my setup which is causing the login test to fail for me. It failed before though so its nothing to do with your patch. >>> Note: The new testcases in libpam/tests/ should have their permissions set >>> to 0755 before being checked into the git tree. Those files are: >>> test_pamfaillock_lock.bash >>> test_pamfaillock_unlock.bash >>> test_sudo.bash >>> >>> Signed-off-by: Tony Ernst <te...@sg...> >>> --- >>> run.conf | 5 >>> tests/test_login.bash | 4 >>> tests/test_pamfaillock_lock.bash | 50 +++++ >>> tests/test_pamfaillock_unlock.bash | 62 +++++++ >>> tests/test_su.bash | 4 >>> tests/test_sudo.bash | 322 +++++++++++++++++++++++++++++++++++++ >>> 6 files changed, 445 insertions(+), 2 deletions(-) >>> >>> diff -uprN a/audit/libpam/run.conf b/libpam/run.conf >>> --- a/audit/libpam/run.conf 2011-04-01 10:55:09.074884698 -0500 >>> +++ b/libpam/run.conf 2011-05-12 14:42:31.151484551 -0500 
>>> @@ -43,9 +43,10 @@ function run_test { >>> + sshd_fail >>> + su >>> + su_fail >>> ++ sudo >>> if [[ $DISTRO != "SUSE" ]] ; then >>> - + pamtally2_lock >>> - + pamtally2_unlock >>> + + pamfaillock_lock >>> + + pamfaillock_unlock >>> fi >>> if [[ $DISTRO != "RHEL" ]] ; then >>> + vsftpd >>> diff -uprN a/audit/libpam/tests/test_login.bash b/libpam/tests/test_login.bash >>> --- a/audit/libpam/tests/test_login.bash 2011-04-01 10:55:09.091487863 -0500 >>> +++ b/libpam/tests/test_login.bash 2011-05-12 11:22:19.476028068 -0500 >>> @@ -24,6 +24,10 @@ source pam_functions.bash || exit 2 >>> # allow TEST_USER to write to tmpfile >>> chmod 666 $localtmp >>> >>> +# turn off screen in /etc/profile >>> +backup /etc/profile >>> +sed -i 's/\[ -w .*\]/false/' /etc/profile >> This seems a bit fragile. What if the /etc/profile happens to have another >> line that checks for a writable file? This substitution could break >> something else. Can your check be more explicit to look for more of >> the line? > > Agreed. Would this be acceptable? > > sed -i 's/\[ -w $(tty) \]/false/' /etc/profile Yeah, that's a little more specific. If that works I can just edit your patch before I submit it. -- ljk >> Or maybe it would be better to have a more convenient way to turn screen >> off? Like clear out SCREENEXEC and where the script checks for the writable >> tty, also check to see if SCREENEXEC is set. Then all you'd have to do is >> clear the value for SCREENEXEC. >> >>> + >>> # if in LSPP mode, map the TEST_USER to staff_u >>> if [[ $PPROFILE == "lspp" ]]; then >>> semanage login -d $TEST_USER >>> diff -uprN a/audit/libpam/tests/test_pamfaillock_lock.bash b/libpam/tests/test_pamfaillock_lock.bash >>> --- a/audit/libpam/tests/test_pamfaillock_lock.bash 1969-12-31 18:00:00.000000000 -0600 >>> +++ b/libpam/tests/test_pamfaillock_lock.bash 2011-05-12 11:22:19.537557381 -0500 
>>> @@ -0,0 +1,50 @@ >>> +#!/bin/bash >>> +############################################################################### >>> +# (c) Copyright Hewlett-Packard Development Company, L.P., 2006 >>> +# >>> +# This program is free software: you can redistribute it and/or modify >>> +# it under the terms of version 2 the GNU General Public License as >>> +# published by the Free Software Foundation. >>> +# >>> +# This program is distributed in the hope that it will be useful, >>> +# but WITHOUT ANY WARRANTY; without even the implied warranty of >>> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >>> +# GNU General Public License for more details. >>> +# >>> +# You should have received a copy of the GNU General Public License >>> +# along with this program. If not, see <http://www.gnu.org/licenses/>. >>> +############################################################################### >>> +# >>> +# PURPOSE: >>> +# Verify pam_faillock will lock an account >>> + >>> +source pam_functions.bash || exit 2 >>> + >>> +# setup >>> +tuid=$(id -u $TEST_USER) >>> +grep -q pam_faillock /etc/pam.d/sshd || grep -q pam_faillock /etc/pam.d/password-auth || exit_error >>> + >>> +# Unlike pam_tally2, faillock doesn't have a --reset=n option that lets us >>> +# pre-set the number of failures. So we need to fail the login multiple times >>> +# until we reach the deny limit. When this test was written, a RHEL6.1 >>> +# evaluation system required three failures to trigger a lockout. YMMV. 
>>> + >>> +expect -c ' >>> + spawn ssh $env(TEST_USER)@localhost >>> + expect -nocase {Are you sure you want to continue} {send "yes\r"} >>> + expect -nocase {password: $} {send "badpassword\r"} >>> + expect -nocase {permission denied} >>> + expect -nocase {password: $} {send "badpassword\r"} >>> + expect -nocase {permission denied} >>> + expect -nocase {password: $} {send "badpassword\r"} >>> + expect -nocase {permission denied} {close; wait}' >>> + >>> +# test >>> +msg_1="pam_faillock uid=$tuid : exe=./usr/sbin/sshd.*res=success.*" >>> +augrok -q type=ANOM_LOGIN_FAILURES msg_1=~"$msg_1" || exit_fail >>> +augrok -q type=RESP_ACCT_LOCK msg_1=~"$msg_1" || exit_fail >>> + >>> +# clean up >>> +/sbin/faillock --user $TEST_USER --reset > /dev/null || exit_error >>> + >>> +exit_pass >>> diff -uprN a/audit/libpam/tests/test_pamfaillock_unlock.bash b/libpam/tests/test_pamfaillock_unlock.bash >>> --- a/audit/libpam/tests/test_pamfaillock_unlock.bash 1969-12-31 18:00:00.000000000 -0600 >>> +++ b/libpam/tests/test_pamfaillock_unlock.bash 2011-05-12 11:22:19.600063349 -0500 
>>> @@ -0,0 +1,62 @@ >>> +#!/bin/bash >>> +############################################################################### >>> +# (c) Copyright Hewlett-Packard Development Company, L.P., 2006 >>> +# >>> +# This program is free software: you can redistribute it and/or modify >>> +# it under the terms of version 2 the GNU General Public License as >>> +# published by the Free Software Foundation. >>> +# >>> +# This program is distributed in the hope that it will be useful, >>> +# but WITHOUT ANY WARRANTY; without even the implied warranty of >>> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >>> +# GNU General Public License for more details. >>> +# >>> +# You should have received a copy of the GNU General Public License >>> +# along with this program. If not, see <http://www.gnu.org/licenses/>. >>> +############################################################################### >>> +# >>> +# PURPOSE: >>> +# Verify pam_faillock will unlock an account >>> + >>> +source pam_functions.bash || exit 2 >>> + >>> +# setup >>> +tuid=$(id -u $TEST_USER) >>> +grep -q pam_faillock /etc/pam.d/sshd || grep -q pam_faillock /etc/pam.d/password-auth || exit_error >>> + >>> +# Unlike pam_tally2, faillock doesn't have a --reset=n option that lets us >>> +# pre-set the number of failures. So we need to fail the login multiple times >>> +# until we reach the deny limit. When this test was written, a RHEL6.1 >>> +# evaluation system required three failures to trigger a lockout. YMMV. 
>>> + >>> +expect -c ' >>> + spawn ssh $env(TEST_USER)@localhost >>> + expect -nocase {Are you sure you want to continue} {send "yes\r"} >>> + expect -nocase {password: $} {send "badpassword\r"} >>> + expect -nocase {permission denied} >>> + expect -nocase {password: $} {send "badpassword\r"} >>> + expect -nocase {permission denied} >>> + expect -nocase {password: $} {send "badpassword\r"} >>> + expect -nocase {permission denied} {close; wait}' >>> + >>> +# test >>> +/sbin/faillock --user $TEST_USER --reset > /dev/null || exit_error >>> + >>> +msg_1="faillock reset uid=$tuid: exe=./sbin/faillock.*res=success.*" >>> +augrok -q type=USER_ACCT msg_1=~"$msg_1" || exit_fail >>> + >>> +# verify the account is unlocked >>> +expect -c ' >>> + spawn ssh $env(TEST_USER)@localhost >>> + expect -nocase {Are you sure you want to continue} {send "yes\r"} >>> + expect -nocase {password: $} { >>> + send "$env(TEST_USER_PASSWD)\r" >>> + send "PS1=:\\::\r" >>> + } >>> + expect {:::$} {close; wait}' >>> + >>> +msg_2="acct=\"$TEST_USER\" exe=./usr/sbin/sshd.*terminal=ssh res=success.*" >>> +augrok -q type=CRED_ACQ msg_1=~"PAM:setcred $msg_2" || exit_fail >>> +augrok -q type=USER_ACCT msg_1=~"PAM:accounting $msg_2" || exit_fail >>> + >>> +exit_pass >>> diff -uprN a/audit/libpam/tests/test_su.bash b/libpam/tests/test_su.bash >>> --- a/audit/libpam/tests/test_su.bash 2011-04-01 10:55:09.136414077 -0500 >>> +++ b/libpam/tests/test_su.bash 2011-05-12 11:22:19.470168134 -0500 >>> @@ -25,6 +25,10 @@ if [[ $EUID == 0 ]]; then >>> # allow TEST_USER to write to tmpfile created by root >>> chmod 666 $tmp1 >>> >>> + # turn off screen in /etc/profile >>> + backup /etc/profile >>> + sed -i 's/\[ -w .*\]/false/' /etc/profile >>> + >>> # test >>> # rerun this script as TEST_USER. Confine the exports to a subshell >>> ( >>> diff -uprN a/audit/libpam/tests/test_sudo.bash b/libpam/tests/test_sudo.bash >>> --- a/audit/libpam/tests/test_sudo.bash 1969-12-31 18:00:00.000000000 -0600 
>>> +++ b/libpam/tests/test_sudo.bash 2011-05-12 11:22:19.512164331 -0500 >> This is a Stephan question: Do we not need to check anything audit related >> in the set of sudo test cases? This looks like a good functional test, so >> something we need, I'm just wondering when any of the audit records are >> important since sudo does cause some to be generated. Not sure if they're >> interesting or not. >> >> Also, are these tests actually testing anything in libpam? If not, I >> might move them to trustedprograms or our yet-to-be-created misc test >> directory. > > Yes. sudo uses libpam for authentication. 
> >>> @@ -0,0 +1,322 @@ >>> +#!/bin/bash >>> + >>> +# Test case written by Stephan Mueller <smu...@at...> >>> +# Copyright (c) 2010 atsec information security >>> +# >>> +# Purpose: Testing of sudo execution, authentication >>> +# and sudoers enforcement >>> +# >>> +# Expected result: See the test definitions below for a description of >>> +# the expected test results. >>> +# >>> +# Test execution: execute $0 as root >>> +# >>> +# The following matrices define the test units specified with this test. >>> +# To read a matrix, use the following column definitions: >>> +# 1st column: this lists the request >>> +# 2nd column: this lists the configuration in sudoers >>> +# between 1st and 2nd column, the equality between the >>> +# value in the requested command and the value found in >>> +# sudoers is specified >>> +# 3rd column: marks the epxected result - either operation allowed or not >>> +# 4th column: references the test case (you find it by searching the >>> +# test definitions and looking for the suffix referenced >>> +# by this column >>> +# >>> +# Note: any other component of sudoers or the request which are not >>> +# tested are set such that the request is allowed >>> +# >>> +# Testing User_Alias >>> +#User User Operation Test >>> +#requesting configured allowed? case >>> +#operation in sudoers >>> +#---------------------------------------------------- >>> +#User eq User y u1 >>> +#User !eq User n u2 >>> +#User in Group y u3 >>> +#User !in Group n u4 >>> + >>> +# Testing Runas_Alias >>> +#Target user Target user Operation Test >>> +#requested in sudoers allowed? case >>> +#----------------------------------------------------- >>> +#User eq User y u1 >>> +#User !eq User n t2 >>> +#User in Group y t3 >>> +#User !in Group n t4 >>> + >>> +# Testing Cmd_Alias >>> +#CMD CMD Operation Test >>> +#requested in sudoers allowed? 
case >>> +#--------------------------------------------------- >>> +#cmd eq cmd y u1 >>> +#cmd !eq cmd n c2 >>> +#cmd in dir y c3 >>> +#cmd !in dir n c4 >>> +# >>> +# Testing password enforcement >>> +#Password Password Operation Test >>> +#in request setting in allowed? case >>> +# sudoers >>> +#---------------------------------------------------- >>> +#right pass default y u1 >>> +#wrong pass default n p2 >>> +#right pass NOPASSWD: y p3 >>> +#wrong pass NOPASSWD: y p4 >>> +# >>> +TESTS="u1 u2 u3 u4 t2 t3 t4 c2 c3 c4 p2 p3 p4" >>> + >>> +# DO NOT CHANGE >>> +USERG="sudouser1" >>> +USERG_ID=12345 >>> +USERO="sudouser2" >>> +USERO_ID=12346 >>> +USERT="sudotarget" >>> +USERT_ID=12347 >>> +GROUP="sudogroup" >>> +PASS="Tad6osBijy" >>> +PASSENC='$6$Rpvtlluu$K63QZN9do4I03/uaKYVFxe3d7CZHOCUsAQNs7F5CQ.b.HJgcGaLOx6qRepDNko4xFxO0VFk4OEQzXHGBAtfHe0' >>> +# DO NOT CHANGE >>> + >>> +# User definitions: >>> +# USERG: member of group GROUP (should be used as requesting user) >>> +# USERT: member of group GROUP (should be used as target user) >>> +# USERO: not a member of GROUP (may be used as requesting and target user) >>> +USER_SUDO_u1=$USERG >>> +USER_EXEC_u1=$USERG >>> +RUN_SUDO_u1=$USERT >>> +RUN_EXEC_u1=$USERT >>> +CMD_SUDO_u1="/usr/bin/id" >>> +CMD_EXEC_u1="/usr/bin/id -u" >>> +CMD_RES_u1=$USERT_ID >>> +CMD_RET_u1=0 >>> + >>> +USER_SUDO_u2=$USERG >>> +USER_EXEC_u2=$USERO >>> +RUN_SUDO_u2=$USERT >>> +RUN_EXEC_u2=$USERT >>> +CMD_SUDO_u2="/usr/bin/id" >>> +CMD_EXEC_u2="/usr/bin/id -u" >>> +CMD_RES_u2="" >>> +CMD_RET_u2=1 >>> + >>> +USER_SUDO_u3="%$GROUP" >>> +USER_EXEC_u3=$USERG >>> +RUN_SUDO_u3=$USERT >>> +RUN_EXEC_u3=$USERT >>> +CMD_SUDO_u3="/usr/bin/id" >>> +CMD_EXEC_u3="/usr/bin/id -u" >>> +CMD_RES_u3=$USERT_ID >>> +CMD_RET_u3=0 >>> + >>> +USER_SUDO_u4="%$GROUP" >>> +USER_EXEC_u4=$USERO >>> +RUN_SUDO_u4=$USERT >>> +RUN_EXEC_u4=$USERT >>> +CMD_SUDO_u4="/usr/bin/id" >>> +CMD_EXEC_u4="/usr/bin/id -u" >>> +CMD_RES_u4="" >>> +CMD_RET_u4=1 >>> + >>> +USER_SUDO_t2=$USERO >>> 
+USER_EXEC_t2=$USERO >>> +RUN_SUDO_t2=$USERT >>> +RUN_EXEC_t2=$USERO >>> +CMD_SUDO_t2="/usr/bin/id" >>> +CMD_EXEC_t2="/usr/bin/id -u" >>> +CMD_RES_t2="" >>> +CMD_RET_t2=1 >>> + >>> +USER_SUDO_t3=$USERO >>> +USER_EXEC_t3=$USERO >>> +RUN_SUDO_t3="%$GROUP" >>> +RUN_EXEC_t3=$USERT >>> +CMD_SUDO_t3="/usr/bin/id" >>> +CMD_EXEC_t3="/usr/bin/id -u" >>> +CMD_RES_t3=$USERT_ID >>> +CMD_RET_t3=0 >>> + >>> +USER_SUDO_t4=$USERO >>> +USER_EXEC_t4=$USERO >>> +RUN_SUDO_t4="%$GROUP" >>> +RUN_EXEC_t4=$USERO >>> +CMD_SUDO_t4="/usr/bin/id" >>> +CMD_EXEC_t4="/usr/bin/id -u" >>> +CMD_RES_t4="" >>> +CMD_RET_t4=1 >>> + >>> +USER_SUDO_c2=$USERG >>> +USER_EXEC_c2=$USERG >>> +RUN_SUDO_c2=$USERT >>> +RUN_EXEC_c2=$USERT >>> +CMD_SUDO_c2="/usr/bin/id" >>> +CMD_EXEC_c2="/bin/ls" >>> +CMD_RES_c2="" >>> +CMD_RET_c2=1 >>> + >>> +USER_SUDO_c3=$USERG >>> +USER_EXEC_c3=$USERG >>> +RUN_SUDO_c3=$USERT >>> +RUN_EXEC_c3=$USERT >>> +CMD_SUDO_c3="/usr/bin/" >>> +CMD_EXEC_c3="/usr/bin/id -u" >>> +CMD_RES_c3=$USERT_ID >>> +CMD_RET_c3=0 >>> + >>> +USER_SUDO_c4=$USERG >>> +USER_EXEC_c4=$USERG >>> +RUN_SUDO_c4=$USERT >>> +RUN_EXEC_c4=$USERT >>> +CMD_SUDO_c4="/bin/" >>> +CMD_EXEC_c4="/usr/bin/id -u" >>> +CMD_RES_c4="" >>> +CMD_RET_c4=1 >>> + >>> +USER_SUDO_p2=$USERG >>> +USER_PASS_p2="wrongpass" >>> +USER_EXEC_p2=$USERG >>> +RUN_SUDO_p2=$USERT >>> +RUN_EXEC_p2=$USERT >>> +CMD_SUDO_p2="/usr/bin/id" >>> +CMD_EXEC_p2="/usr/bin/id -u" >>> +CMD_RES_p2="" >>> +CMD_RET_p2=1 >>> + >>> +USER_SUDO_p3=$USERG >>> +USER_EXEC_p3=$USERG >>> +RUN_SUDO_p3=$USERT >>> +RUN_EXEC_p3=$USERT >>> +CMD_SUDO_p3="NOPASSWD: /usr/bin/id" >>> +CMD_EXEC_p3="/usr/bin/id -u" >>> +CMD_RES_p3=$USERT_ID >>> +CMD_RET_p3=0 >>> + >>> +USER_SUDO_p4=$USERG >>> +USER_PASS_p4="wrongpass" >>> +USER_EXEC_p4=$USERG >>> +RUN_SUDO_p4=$USERT >>> +RUN_EXEC_p4=$USERT >>> +CMD_SUDO_p4="NOPASSWD: /usr/bin/id" >>> +CMD_EXEC_p4="/usr/bin/id -u" >>> +CMD_RES_p4=$USERT_ID >>> +CMD_RET_p4=0 >>> + >>> +########### no further test specification beyond this line 
############ >>> + >>> +source pam_functions.bash || exit 2 >>> + >>> +setup_cleanup() { >>> + prepend_cleanup "rm -rf /home/$USERG /home/$USERO /home/$USERT /var/mail/$USERG /var/mail/$USERO /var/mail/$USERT" >>> + prepend_cleanup "rm -f /etc/sudoers.new" >>> + prepend_cleanup "groupdel $GROUP" >>> + prepend_cleanup "userdel $USERT" >>> + prepend_cleanup "userdel $USERO" >>> + prepend_cleanup "userdel $USERG" >>> +} >>> + >>> +gen_user() { >>> + userdel $USERG 2> /dev/null >>> + userdel $USERO 2> /dev/null >>> + userdel $USERT 2> /dev/null >>> + groupdel $GROUP 2> /dev/null >>> + groupadd $GROUP >>> + useradd -u $USERG_ID -g $GROUP -p $PASSENC $USERG >>> + useradd -u $USERO_ID -p $PASSENC $USERO >>> + useradd -u $USERT_ID -g $GROUP -p $PASSENC $USERT >>> +} >>> + >>> +setup_sudoers() { >>> + local User_Alias=$1 >>> + local Runas_Alias=$2 >>> + shift; shift >>> + local Cmd_Alias=$@ >>> + >>> + local perm= >>> + perm=$(stat -c %a /etc/sudoers) >>> + >>> + perl -ne 'print unless /#SUDO_TESTING_START/../#SUDO_TESTING_END/' \ >>> + < /etc/sudoers | sed -e 's/^Defaults requiretty/# Defaults requiretty/' > /etc/sudoers.new >>> + # Only modify sudoers file when we are given some variables >>> + # if not, we basically clean up sudoers >>> + [ -n "$User_Alias" ] && { >>> + echo "#SUDO_TESTING_START" >> /etc/sudoers.new >>> + echo "User_Alias USER = $User_Alias" >> /etc/sudoers.new >>> + echo "Runas_Alias RUNAS = $Runas_Alias" >> /etc/sudoers.new >>> + echo "Defaults:USER timestamp_timeout=0" >> /etc/sudoers.new >>> + echo "USER ALL = (RUNAS) $Cmd_Alias" >> /etc/sudoers.new >>> + echo "#SUDO_TESTING_END" >> /etc/sudoers.new >>> + } >>> + mv -f /etc/sudoers.new /etc/sudoers >>> + chmod $perm /etc/sudoers >>> +} >>> + >>> +testloop() { >>> + >>> + local res="" >>> + local ret="" >>> + local testfail=0 >>> + local testpass=0 >>> + local testno=0 >>> + >>> + for i in $TESTS; do >>> + local USER_SUDO="" >>> + eval USER_SUDO=\$USER_SUDO_$i >>> + local USER_EXEC="" >>> + eval 
USER_EXEC=\$USER_EXEC_$i >>> + local RUN_SUDO="" >>> + eval RUN_SUDO=\$RUN_SUDO_$i >>> + local RUN_EXEC="" >>> + eval RUN_EXEC=\$RUN_EXEC_$i >>> + local CMD_SUDO="" >>> + eval CMD_SUDO=\$CMD_SUDO_$i >>> + local CMD_EXEC="" >>> + eval CMD_EXEC=\$CMD_EXEC_$i >>> + local CMD_RES="" >>> + eval CMD_RES=\$CMD_RES_$i >>> + local CMD_RET="" >>> + eval CMD_RET=\$CMD_RET_$i >>> + local USER_PASS="" >>> + eval USER_PASS=\$USER_PASS_$i >>> + >>> + [ -z "$USER_PASS" ] && USER_PASS=$PASS >>> + >>> + setup_sudoers $USER_SUDO $RUN_SUDO $CMD_SUDO >>> + res=$(su -c "echo $USER_PASS | sudo -S -u $RUN_EXEC $CMD_EXEC 2>/dev/null" $USER_EXEC) >>> + ret=$? >>> + let testno=$testno+1 >>> + >>> + if [ "$res" = "$CMD_RES" -a "$ret" -eq "$CMD_RET" ]; then >>> + echo "Test $i PASSED" >>> + let testpass=$testpass+1 >>> + else >>> + echo "Test $i: actual result output $res - expected $CMD_RES" >>> + echo "Test $i: actual return value $ret - expected $CMD_RET" >>> + echo "Test $i FAILED" >>> + let testfail=$testfail+1 >>> + fi >>> + done >>> + >>> + echo "Number of tests executed: $testno" >>> + echo "Number of tests failed: $testfail" >>> + echo "Number of tests passed: $testpass" >>> + >>> + return $testfail >>> + >>> +} >>> + >>> +main() { >>> + setup_cleanup >>> + >>> + gen_user >>> + backup /etc/sudoers >>> + >>> + testloop >>> + if [ $? -gt 0 ]; then >>> + exit_fail >> Its possible to provide more information on the exit_fail line that would >> appear in the rollup.log file. Knowing how may tests failed might be >> interesting. >> >>> + else >>> + exit_pass >>> + fi >>> +} >>> + >>> +main >>> + >>> >>> ------------------------------------------------------------------------------ >>> What Every C/C++ and Fortran developer Should Know! >>> Read this article and learn how Intel has extended the reach of its >>> next-generation tools to help Windows* and Linux* C/C++ and Fortran >>> developers boost performance applications - including clusters. 
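Review bot: `gen_user` ignores the exit status of `groupadd` and all three `useradd` calls, so if UID 12345–12347 or the group name is already taken on the evaluation system the later cases run against whatever account exists and fail with a misleading "expected $USERT_ID" message; each call should end in `|| exit_error`, e.g. `useradd -u $USERG_ID -g $GROUP -p $PASSENC $USERG || exit_error`. The unconditional `userdel $USERG 2> /dev/null` lines just above them will also remove a pre-existing account of the same name rather than refusing, so a guard such as `getent passwd $USERG > /dev/null && exit_error` before the first `userdel` would make the test refuse instead of deleting. Separately, `su -c "echo $USER_PASS | sudo -S ..."` puts the password into `su`'s argv where `ps` can read it; it is a fixed test constant, so this is hygiene rather than a secret leak, but `printf '%s\n' "$USER_PASS" | su -c "sudo -S -u $RUN_EXEC $CMD_EXEC 2>/dev/null" $USER_EXEC` should keep it off the command line.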
From: Tony E. <te...@sg...> - 2011-05-24 16:32:23
On Tue, May 24, 2011 at 12:05:34PM -0400, Linda Knippers wrote: > Hi Tony, > > Tony Ernst wrote: > > On Mon, May 23, 2011 at 07:26:07PM -0400, Linda Knippers wrote: > >> Hi Tony, > >> > >> Thanks for the patches. I have a question for you and a question for Stephan. > >> Maybe more than one of eacy. > >> > >> Tony Ernst wrote: > >>> This patch adds libpam testcases for pamfaillock and sudo. It also fixes > >>> minor login and su failures caused by screen. > >> What login and su failures are you seeing? I'm seeing a login failure > >> but not an su fail but I'm not running screen so I'm curious. > > > > Hi Linda, > > > > The tests check the login/su audit record and expect to find a matching > > "terminal=". But screen grabs a new terminal, so it doesn't match. > > Disabling screen fixes the problem. > > Ok, thanks. That makes sense. There must be something odd about > my setup which is causing the login test to fail for me. It failed > before though so its nothing to do with your patch. > > >>> Note: The new testcases in libpam/tests/ should have their permissions set > >>> to 0755 before being checked into the git tree. Those files are: > >>> test_pamfaillock_lock.bash > >>> test_pamfaillock_unlock.bash > >>> test_sudo.bash > >>> > >>> Signed-off-by: Tony Ernst <te...@sg...> > >>> --- > >>> run.conf | 5 > >>> tests/test_login.bash | 4 > >>> tests/test_pamfaillock_lock.bash | 50 +++++ > >>> tests/test_pamfaillock_unlock.bash | 62 +++++++ > >>> tests/test_su.bash | 4 > >>> tests/test_sudo.bash | 322 +++++++++++++++++++++++++++++++++++++ > >>> 6 files changed, 445 insertions(+), 2 deletions(-) > >>> > >>> diff -uprN a/audit/libpam/run.conf b/libpam/run.conf > >>> --- a/audit/libpam/run.conf 2011-04-01 10:55:09.074884698 -0500 > >>> +++ b/libpam/run.conf 2011-05-12 14:42:31.151484551 -0500 
> >>> @@ -43,9 +43,10 @@ function run_test { > >>> + sshd_fail > >>> + su > >>> + su_fail > >>> ++ sudo > >>> if [[ $DISTRO != "SUSE" ]] ; then > >>> - + pamtally2_lock > >>> - + pamtally2_unlock > >>> + + pamfaillock_lock > >>> + + pamfaillock_unlock > >>> fi > >>> if [[ $DISTRO != "RHEL" ]] ; then > >>> + vsftpd > >>> diff -uprN a/audit/libpam/tests/test_login.bash b/libpam/tests/test_login.bash > >>> --- a/audit/libpam/tests/test_login.bash 2011-04-01 10:55:09.091487863 -0500 > >>> +++ b/libpam/tests/test_login.bash 2011-05-12 11:22:19.476028068 -0500 > >>> @@ -24,6 +24,10 @@ source pam_functions.bash || exit 2 > >>> # allow TEST_USER to write to tmpfile > >>> chmod 666 $localtmp > >>> > >>> +# turn off screen in /etc/profile > >>> +backup /etc/profile > >>> +sed -i 's/\[ -w .*\]/false/' /etc/profile > >> This seems a bit fragile. What if the /etc/profile happens to have another > >> line that checks for a writable file? This substitution could break > >> something else. Can your check be more explicit to look for more of > >> the line? > > > > Agreed. Would this be acceptable? > > > > sed -i 's/\[ -w $(tty) \]/false/' /etc/profile > > Yeah, that's a little more specific. If that works I can just > edit your patch before I submit it. Yes, it works. I gave it a quick test before suggesting it. Thanks Linda. Tony > -- ljk > > >> Or maybe it would be better to have a more convenient way to turn screen > >> off? Like clear out SCREENEXEC and where the script checks for the writable > >> tty, also check to see if SCREENEXEC is set. Then all you'd have to do is > >> clear the value for SCREENEXEC. > >> > >>> + > >>> # if in LSPP mode, map the TEST_USER to staff_u > >>> if [[ $PPROFILE == "lspp" ]]; then > >>> semanage login -d $TEST_USER > >>> diff -uprN a/audit/libpam/tests/test_pamfaillock_lock.bash b/libpam/tests/test_pamfaillock_lock.bash > >>> --- a/audit/libpam/tests/test_pamfaillock_lock.bash 1969-12-31 18:00:00.000000000 -0600 
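Review bot: The `$DISTRO != "SUSE"` branch now drops the pam_tally2 cases outright, so a non-SUSE system that still authenticates through pam_tally2 loses lockout coverage instead of being tested with the module it actually uses. Both new pamfaillock tests already `exit_error` when pam_faillock is absent from /etc/pam.d/sshd and password-auth, so the dispatch could be keyed on the configured module rather than the distro: `if grep -q pam_faillock /etc/pam.d/password-auth 2>/dev/null; then` … `+ pamfaillock_lock` / `+ pamfaillock_unlock` … `else` … `+ pamtally2_lock` / `+ pamtally2_unlock` … `fi`. Whether the framework's `run.conf` is allowed to probe the target like this I cannot tell from the hunk; `run_test` begins before it and continues after it.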
> >>> +++ b/libpam/tests/test_pamfaillock_lock.bash 2011-05-12 11:22:19.537557381 -0500 
> >>> @@ -0,0 +1,50 @@ > >>> +#!/bin/bash > >>> +############################################################################### > >>> +# (c) Copyright Hewlett-Packard Development Company, L.P., 2006 > >>> +# > >>> +# This program is free software: you can redistribute it and/or modify > >>> +# it under the terms of version 2 the GNU General Public License as > >>> +# published by the Free Software Foundation. > >>> +# > >>> +# This program is distributed in the hope that it will be useful, > >>> +# but WITHOUT ANY WARRANTY; without even the implied warranty of > >>> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > >>> +# GNU General Public License for more details. > >>> +# > >>> +# You should have received a copy of the GNU General Public License > >>> +# along with this program. If not, see <http://www.gnu.org/licenses/>. > >>> +############################################################################### > >>> +# > >>> +# PURPOSE: > >>> +# Verify pam_faillock will lock an account > >>> + > >>> +source pam_functions.bash || exit 2 > >>> + > >>> +# setup > >>> +tuid=$(id -u $TEST_USER) > >>> +grep -q pam_faillock /etc/pam.d/sshd || grep -q pam_faillock /etc/pam.d/password-auth || exit_error > >>> + > >>> +# Unlike pam_tally2, faillock doesn't have a --reset=n option that lets us > >>> +# pre-set the number of failures. So we need to fail the login multiple times > >>> +# until we reach the deny limit. When this test was written, a RHEL6.1 > >>> +# evaluation system required three failures to trigger a lockout. YMMV. 
> >>> +
> >>> +expect -c '
> >>> + spawn ssh $env(TEST_USER)@localhost
> >>> + expect -nocase {Are you sure you want to continue} {send "yes\r"}
> >>> + expect -nocase {password: $} {send "badpassword\r"}
> >>> + expect -nocase {permission denied}
> >>> + expect -nocase {password: $} {send "badpassword\r"}
> >>> + expect -nocase {permission denied}
> >>> + expect -nocase {password: $} {send "badpassword\r"}
> >>> + expect -nocase {permission denied} {close; wait}'
> >>> +
> >>> +# test
> >>> +msg_1="pam_faillock uid=$tuid : exe=./usr/sbin/sshd.*res=success.*"
> >>> +augrok -q type=ANOM_LOGIN_FAILURES msg_1=~"$msg_1" || exit_fail
> >>> +augrok -q type=RESP_ACCT_LOCK msg_1=~"$msg_1" || exit_fail
> >>> +
> >>> +# clean up
> >>> +/sbin/faillock --user $TEST_USER --reset > /dev/null || exit_error
> >>> +
> >>> +exit_pass
> >>> diff -uprN a/audit/libpam/tests/test_pamfaillock_unlock.bash b/libpam/tests/test_pamfaillock_unlock.bash
> >>> --- a/audit/libpam/tests/test_pamfaillock_unlock.bash 1969-12-31 18:00:00.000000000 -0600
> >>> +++ b/libpam/tests/test_pamfaillock_unlock.bash 2011-05-12 11:22:19.600063349 -0500
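Review bot: The expect script hard-codes three failed logins, but the lockout threshold is whatever `deny=` is set to on the pam_faillock line, so on a system configured with a higher value the ANOM_LOGIN_FAILURES and RESP_ACCT_LOCK lookups fail for a reason unrelated to auditing; the header comment admits this ("YMMV") rather than handling it. The test already greps the PAM config for pam_faillock, so it can take the threshold from the same line and loop in expect, as sketched below. Nothing in the hunk also confirms the account is actually locked: one more attempt with `$env(TEST_USER_PASSWD)` that still gets "permission denied" would tie the two audit records to an observed denial, whereas today a correct-password login that succeeded would not be noticed.
```shell
# lockout threshold from the pam_faillock line (deny=N); fall back to the
# value the RHEL6.1 evaluation config used
deny=$(grep -ho 'pam_faillock.*deny=[0-9]*' /etc/pam.d/sshd /etc/pam.d/password-auth 2>/dev/null \
       | sed -n 's/.*deny=\([0-9]*\).*/\1/p' | head -n1)
deny=${deny:-3}

DENY=$deny expect -c '
    spawn ssh $env(TEST_USER)@localhost
    expect -nocase {Are you sure you want to continue} {send "yes\r"}
    for {set i 0} {$i < $env(DENY)} {incr i} {
        expect -nocase {password: $} {send "badpassword\r"}
        expect -nocase {permission denied}
    }
    close; wait'
# … unchanged: augrok checks and faillock --reset …
```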
> >>> @@ -0,0 +1,62 @@ > >>> +#!/bin/bash > >>> +############################################################################### > >>> +# (c) Copyright Hewlett-Packard Development Company, L.P., 2006 > >>> +# > >>> +# This program is free software: you can redistribute it and/or modify > >>> +# it under the terms of version 2 the GNU General Public License as > >>> +# published by the Free Software Foundation. > >>> +# > >>> +# This program is distributed in the hope that it will be useful, > >>> +# but WITHOUT ANY WARRANTY; without even the implied warranty of > >>> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > >>> +# GNU General Public License for more details. > >>> +# > >>> +# You should have received a copy of the GNU General Public License > >>> +# along with this program. If not, see <http://www.gnu.org/licenses/>. > >>> +############################################################################### > >>> +# > >>> +# PURPOSE: > >>> +# Verify pam_faillock will unlock an account > >>> + > >>> +source pam_functions.bash || exit 2 > >>> + > >>> +# setup > >>> +tuid=$(id -u $TEST_USER) > >>> +grep -q pam_faillock /etc/pam.d/sshd || grep -q pam_faillock /etc/pam.d/password-auth || exit_error > >>> + > >>> +# Unlike pam_tally2, faillock doesn't have a --reset=n option that lets us > >>> +# pre-set the number of failures. So we need to fail the login multiple times > >>> +# until we reach the deny limit. When this test was written, a RHEL6.1 > >>> +# evaluation system required three failures to trigger a lockout. YMMV. 
> >>> +
> >>> +expect -c '
> >>> + spawn ssh $env(TEST_USER)@localhost
> >>> + expect -nocase {Are you sure you want to continue} {send "yes\r"}
> >>> + expect -nocase {password: $} {send "badpassword\r"}
> >>> + expect -nocase {permission denied}
> >>> + expect -nocase {password: $} {send "badpassword\r"}
> >>> + expect -nocase {permission denied}
> >>> + expect -nocase {password: $} {send "badpassword\r"}
> >>> + expect -nocase {permission denied} {close; wait}'
> >>> +
> >>> +# test
> >>> +/sbin/faillock --user $TEST_USER --reset > /dev/null || exit_error
> >>> +
> >>> +msg_1="faillock reset uid=$tuid: exe=./sbin/faillock.*res=success.*"
> >>> +augrok -q type=USER_ACCT msg_1=~"$msg_1" || exit_fail
> >>> +
> >>> +# verify the account is unlocked
> >>> +expect -c '
> >>> + spawn ssh $env(TEST_USER)@localhost
> >>> + expect -nocase {Are you sure you want to continue} {send "yes\r"}
> >>> + expect -nocase {password: $} {
> >>> + send "$env(TEST_USER_PASSWD)\r"
> >>> + send "PS1=:\\::\r"
> >>> + }
> >>> + expect {:::$} {close; wait}'
> >>> +
> >>> +msg_2="acct=\"$TEST_USER\" exe=./usr/sbin/sshd.*terminal=ssh res=success.*"
> >>> +augrok -q type=CRED_ACQ msg_1=~"PAM:setcred $msg_2" || exit_fail
> >>> +augrok -q type=USER_ACCT msg_1=~"PAM:accounting $msg_2" || exit_fail
> >>> +
> >>> +exit_pass
> >>> diff -uprN a/audit/libpam/tests/test_su.bash b/libpam/tests/test_su.bash
> >>> --- a/audit/libpam/tests/test_su.bash 2011-04-01 10:55:09.136414077 -0500
> >>> +++ b/libpam/tests/test_su.bash 2011-05-12 11:22:19.470168134 -0500
> >>> @@ -25,6 +25,10 @@ if [[ $EUID == 0 ]]; then
> >>> # allow TEST_USER to write to tmpfile created by root
> >>> chmod 666 $tmp1
> >>>
> >>> + # turn off screen in /etc/profile
> >>> + backup /etc/profile
> >>> + sed -i 's/\[ -w .*\]/false/' /etc/profile
> >>> +
> >>> + # test
> >>> + # rerun this script as TEST_USER. Confine the exports to a subshell
> >>> + (
> >>> diff -uprN a/audit/libpam/tests/test_sudo.bash b/libpam/tests/test_sudo.bash
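Review bot: The first `augrok` here searches for a USER_ACCT record matching `faillock reset uid=$tuid` with no time bound visible in the hunk, and the lock test that runs just before it ends by executing exactly that `faillock --user $TEST_USER --reset`, so this check can be satisfied by the previous test's cleanup record even if this test's own reset logged nothing. Unless `augrok` or pam_functions.bash already restricts the search to records written after the test started (I cannot see either from here), take a timestamp before the reset and use it in the search, or at least compare the number of matching records before and after the reset. The same stale-match concern applies to the closing CRED_ACQ/USER_ACCT checks, which any earlier successful ssh login by `$TEST_USER` would also satisfy. The `PS1=:\\::` / `expect {:::$}` sequence is a sensible way to detect an interactive shell, but if the prompt never appears the expect block just times out and the test only fails indirectly through the audit grep, so a comment such as `# a persisting lockout shows up here as a missing PAM:accounting record, not as an expect failure` would help the next reader.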
> >>> --- a/audit/libpam/tests/test_sudo.bash 1969-12-31 18:00:00.000000000 -0600 > >>> +++ b/libpam/tests/test_sudo.bash 2011-05-12 11:22:19.512164331 -0500 > >> This is a Stephan question: Do we not need to check anything audit related > >> in the set of sudo test cases? This looks like a good functional test, so > >> something we need, I'm just wondering when any of the audit records are > >> important since sudo does cause some to be generated. Not sure if they're > >> interesting or not. > >> > >> Also, are these tests actually testing anything in libpam? If not, I > >> might move them to trustedprograms or our yet-to-be-created misc test > >> directory. > > > > Yes. sudo uses libpam for authentication. 
> > > >>> @@ -0,0 +1,322 @@ > >>> +#!/bin/bash > >>> + > >>> +# Test case written by Stephan Mueller <smu...@at...> > >>> +# Copyright (c) 2010 atsec information security > >>> +# > >>> +# Purpose: Testing of sudo execution, authentication > >>> +# and sudoers enforcement > >>> +# > >>> +# Expected result: See the test definitions below for a description of > >>> +# the expected test results. > >>> +# > >>> +# Test execution: execute $0 as root > >>> +# > >>> +# The following matrices define the test units specified with this test. > >>> +# To read a matrix, use the following column definitions: > >>> +# 1st column: this lists the request > >>> +# 2nd column: this lists the configuration in sudoers > >>> +# between 1st and 2nd column, the equality between the > >>> +# value in the requested command and the value found in > >>> +# sudoers is specified > >>> +# 3rd column: marks the epxected result - either operation allowed or not > >>> +# 4th column: references the test case (you find it by searching the > >>> +# test definitions and looking for the suffix referenced > >>> +# by this column > >>> +# > >>> +# Note: any other component of sudoers or the request which are not > >>> +# tested are set such that the request is allowed > >>> +# > >>> +# Testing User_Alias > >>> +#User User Operation Test > >>> +#requesting configured allowed? case > >>> +#operation in sudoers > >>> +#---------------------------------------------------- > >>> +#User eq User y u1 > >>> +#User !eq User n u2 > >>> +#User in Group y u3 > >>> +#User !in Group n u4 > >>> + > >>> +# Testing Runas_Alias > >>> +#Target user Target user Operation Test > >>> +#requested in sudoers allowed? case > >>> +#----------------------------------------------------- > >>> +#User eq User y u1 > >>> +#User !eq User n t2 > >>> +#User in Group y t3 > >>> +#User !in Group n t4 > >>> + > >>> +# Testing Cmd_Alias > >>> +#CMD CMD Operation Test > >>> +#requested in sudoers allowed? 
case > >>> +#--------------------------------------------------- > >>> +#cmd eq cmd y u1 > >>> +#cmd !eq cmd n c2 > >>> +#cmd in dir y c3 > >>> +#cmd !in dir n c4 > >>> +# > >>> +# Testing password enforcement > >>> +#Password Password Operation Test > >>> +#in request setting in allowed? case > >>> +# sudoers > >>> +#---------------------------------------------------- > >>> +#right pass default y u1 > >>> +#wrong pass default n p2 > >>> +#right pass NOPASSWD: y p3 > >>> +#wrong pass NOPASSWD: y p4 > >>> +# > >>> +TESTS="u1 u2 u3 u4 t2 t3 t4 c2 c3 c4 p2 p3 p4" > >>> + > >>> +# DO NOT CHANGE > >>> +USERG="sudouser1" > >>> +USERG_ID=12345 > >>> +USERO="sudouser2" > >>> +USERO_ID=12346 > >>> +USERT="sudotarget" > >>> +USERT_ID=12347 > >>> +GROUP="sudogroup" > >>> +PASS="Tad6osBijy" > >>> +PASSENC='$6$Rpvtlluu$K63QZN9do4I03/uaKYVFxe3d7CZHOCUsAQNs7F5CQ.b.HJgcGaLOx6qRepDNko4xFxO0VFk4OEQzXHGBAtfHe0' > >>> +# DO NOT CHANGE > >>> + > >>> +# User definitions: > >>> +# USERG: member of group GROUP (should be used as requesting user) > >>> +# USERT: member of group GROUP (should be used as target user) > >>> +# USERO: not a member of GROUP (may be used as requesting and target user) > >>> +USER_SUDO_u1=$USERG > >>> +USER_EXEC_u1=$USERG > >>> +RUN_SUDO_u1=$USERT > >>> +RUN_EXEC_u1=$USERT > >>> +CMD_SUDO_u1="/usr/bin/id" > >>> +CMD_EXEC_u1="/usr/bin/id -u" > >>> +CMD_RES_u1=$USERT_ID > >>> +CMD_RET_u1=0 > >>> + > >>> +USER_SUDO_u2=$USERG > >>> +USER_EXEC_u2=$USERO > >>> +RUN_SUDO_u2=$USERT > >>> +RUN_EXEC_u2=$USERT > >>> +CMD_SUDO_u2="/usr/bin/id" > >>> +CMD_EXEC_u2="/usr/bin/id -u" > >>> +CMD_RES_u2="" > >>> +CMD_RET_u2=1 > >>> + > >>> +USER_SUDO_u3="%$GROUP" > >>> +USER_EXEC_u3=$USERG > >>> +RUN_SUDO_u3=$USERT > >>> +RUN_EXEC_u3=$USERT > >>> +CMD_SUDO_u3="/usr/bin/id" > >>> +CMD_EXEC_u3="/usr/bin/id -u" > >>> +CMD_RES_u3=$USERT_ID > >>> +CMD_RET_u3=0 > >>> + > >>> +USER_SUDO_u4="%$GROUP" > >>> +USER_EXEC_u4=$USERO > >>> +RUN_SUDO_u4=$USERT > >>> +RUN_EXEC_u4=$USERT > >>> 
+CMD_SUDO_u4="/usr/bin/id" > >>> +CMD_EXEC_u4="/usr/bin/id -u" > >>> +CMD_RES_u4="" > >>> +CMD_RET_u4=1 > >>> + > >>> +USER_SUDO_t2=$USERO > >>> +USER_EXEC_t2=$USERO > >>> +RUN_SUDO_t2=$USERT > >>> +RUN_EXEC_t2=$USERO > >>> +CMD_SUDO_t2="/usr/bin/id" > >>> +CMD_EXEC_t2="/usr/bin/id -u" > >>> +CMD_RES_t2="" > >>> +CMD_RET_t2=1 > >>> + > >>> +USER_SUDO_t3=$USERO > >>> +USER_EXEC_t3=$USERO > >>> +RUN_SUDO_t3="%$GROUP" > >>> +RUN_EXEC_t3=$USERT > >>> +CMD_SUDO_t3="/usr/bin/id" > >>> +CMD_EXEC_t3="/usr/bin/id -u" > >>> +CMD_RES_t3=$USERT_ID > >>> +CMD_RET_t3=0 > >>> + > >>> +USER_SUDO_t4=$USERO > >>> +USER_EXEC_t4=$USERO > >>> +RUN_SUDO_t4="%$GROUP" > >>> +RUN_EXEC_t4=$USERO > >>> +CMD_SUDO_t4="/usr/bin/id" > >>> +CMD_EXEC_t4="/usr/bin/id -u" > >>> +CMD_RES_t4="" > >>> +CMD_RET_t4=1 > >>> + > >>> +USER_SUDO_c2=$USERG > >>> +USER_EXEC_c2=$USERG > >>> +RUN_SUDO_c2=$USERT > >>> +RUN_EXEC_c2=$USERT > >>> +CMD_SUDO_c2="/usr/bin/id" > >>> +CMD_EXEC_c2="/bin/ls" > >>> +CMD_RES_c2="" > >>> +CMD_RET_c2=1 > >>> + > >>> +USER_SUDO_c3=$USERG > >>> +USER_EXEC_c3=$USERG > >>> +RUN_SUDO_c3=$USERT > >>> +RUN_EXEC_c3=$USERT > >>> +CMD_SUDO_c3="/usr/bin/" > >>> +CMD_EXEC_c3="/usr/bin/id -u" > >>> +CMD_RES_c3=$USERT_ID > >>> +CMD_RET_c3=0 > >>> + > >>> +USER_SUDO_c4=$USERG > >>> +USER_EXEC_c4=$USERG > >>> +RUN_SUDO_c4=$USERT > >>> +RUN_EXEC_c4=$USERT > >>> +CMD_SUDO_c4="/bin/" > >>> +CMD_EXEC_c4="/usr/bin/id -u" > >>> +CMD_RES_c4="" > >>> +CMD_RET_c4=1 > >>> + > >>> +USER_SUDO_p2=$USERG > >>> +USER_PASS_p2="wrongpass" > >>> +USER_EXEC_p2=$USERG > >>> +RUN_SUDO_p2=$USERT > >>> +RUN_EXEC_p2=$USERT > >>> +CMD_SUDO_p2="/usr/bin/id" > >>> +CMD_EXEC_p2="/usr/bin/id -u" > >>> +CMD_RES_p2="" > >>> +CMD_RET_p2=1 > >>> + > >>> +USER_SUDO_p3=$USERG > >>> +USER_EXEC_p3=$USERG > >>> +RUN_SUDO_p3=$USERT > >>> +RUN_EXEC_p3=$USERT > >>> +CMD_SUDO_p3="NOPASSWD: /usr/bin/id" > >>> +CMD_EXEC_p3="/usr/bin/id -u" > >>> +CMD_RES_p3=$USERT_ID > >>> +CMD_RET_p3=0 > >>> + > >>> +USER_SUDO_p4=$USERG > >>> 
+USER_PASS_p4="wrongpass" > >>> +USER_EXEC_p4=$USERG > >>> +RUN_SUDO_p4=$USERT > >>> +RUN_EXEC_p4=$USERT > >>> +CMD_SUDO_p4="NOPASSWD: /usr/bin/id" > >>> +CMD_EXEC_p4="/usr/bin/id -u" > >>> +CMD_RES_p4=$USERT_ID > >>> +CMD_RET_p4=0 > >>> + > >>> +########### no further test specification beyond this line ############ > >>> + > >>> +source pam_functions.bash || exit 2 > >>> + > >>> +setup_cleanup() { > >>> + prepend_cleanup "rm -rf /home/$USERG /home/$USERO /home/$USERT /var/mail/$USERG /var/mail/$USERO /var/mail/$USERT" > >>> + prepend_cleanup "rm -f /etc/sudoers.new" > >>> + prepend_cleanup "groupdel $GROUP" > >>> + prepend_cleanup "userdel $USERT" > >>> + prepend_cleanup "userdel $USERO" > >>> + prepend_cleanup "userdel $USERG" > >>> +} > >>> + > >>> +gen_user() { > >>> + userdel $USERG 2> /dev/null > >>> + userdel $USERO 2> /dev/null > >>> + userdel $USERT 2> /dev/null > >>> + groupdel $GROUP 2> /dev/null > >>> + groupadd $GROUP > >>> + useradd -u $USERG_ID -g $GROUP -p $PASSENC $USERG > >>> + useradd -u $USERO_ID -p $PASSENC $USERO > >>> + useradd -u $USERT_ID -g $GROUP -p $PASSENC $USERT > >>> +} > >>> + > >>> +setup_sudoers() { > >>> + local User_Alias=$1 > >>> + local Runas_Alias=$2 > >>> + shift; shift > >>> + local Cmd_Alias=$@ > >>> + > >>> + local perm= > >>> + perm=$(stat -c %a /etc/sudoers) > >>> + > >>> + perl -ne 'print unless /#SUDO_TESTING_START/../#SUDO_TESTING_END/' \ > >>> + < /etc/sudoers | sed -e 's/^Defaults requiretty/# Defaults requiretty/' > /etc/sudoers.new > >>> + # Only modify sudoers file when we are given some variables > >>> + # if not, we basically clean up sudoers > >>> + [ -n "$User_Alias" ] && { > >>> + echo "#SUDO_TESTING_START" >> /etc/sudoers.new > >>> + echo "User_Alias USER = $User_Alias" >> /etc/sudoers.new > >>> + echo "Runas_Alias RUNAS = $Runas_Alias" >> /etc/sudoers.new > >>> + echo "Defaults:USER timestamp_timeout=0" >> /etc/sudoers.new > >>> + echo "USER ALL = (RUNAS) $Cmd_Alias" >> /etc/sudoers.new > >>> + echo 
"#SUDO_TESTING_END" >> /etc/sudoers.new > >>> + } > >>> + mv -f /etc/sudoers.new /etc/sudoers > >>> + chmod $perm /etc/sudoers > >>> +} > >>> + > >>> +testloop() { > >>> + > >>> + local res="" > >>> + local ret="" > >>> + local testfail=0 > >>> + local testpass=0 > >>> + local testno=0 > >>> + > >>> + for i in $TESTS; do > >>> + local USER_SUDO="" > >>> + eval USER_SUDO=\$USER_SUDO_$i > >>> + local USER_EXEC="" > >>> + eval USER_EXEC=\$USER_EXEC_$i > >>> + local RUN_SUDO="" > >>> + eval RUN_SUDO=\$RUN_SUDO_$i > >>> + local RUN_EXEC="" > >>> + eval RUN_EXEC=\$RUN_EXEC_$i > >>> + local CMD_SUDO="" > >>> + eval CMD_SUDO=\$CMD_SUDO_$i > >>> + local CMD_EXEC="" > >>> + eval CMD_EXEC=\$CMD_EXEC_$i > >>> + local CMD_RES="" > >>> + eval CMD_RES=\$CMD_RES_$i > >>> + local CMD_RET="" > >>> + eval CMD_RET=\$CMD_RET_$i > >>> + local USER_PASS="" > >>> + eval USER_PASS=\$USER_PASS_$i > >>> + > >>> + [ -z "$USER_PASS" ] && USER_PASS=$PASS > >>> + > >>> + setup_sudoers $USER_SUDO $RUN_SUDO $CMD_SUDO > >>> + res=$(su -c "echo $USER_PASS | sudo -S -u $RUN_EXEC $CMD_EXEC 2>/dev/null" $USER_EXEC) > >>> + ret=$? > >>> + let testno=$testno+1 > >>> + > >>> + if [ "$res" = "$CMD_RES" -a "$ret" -eq "$CMD_RET" ]; then > >>> + echo "Test $i PASSED" > >>> + let testpass=$testpass+1 > >>> + else > >>> + echo "Test $i: actual result output $res - expected $CMD_RES" > >>> + echo "Test $i: actual return value $ret - expected $CMD_RET" > >>> + echo "Test $i FAILED" > >>> + let testfail=$testfail+1 > >>> + fi > >>> + done > >>> + > >>> + echo "Number of tests executed: $testno" > >>> + echo "Number of tests failed: $testfail" > >>> + echo "Number of tests passed: $testpass" > >>> + > >>> + return $testfail > >>> + > >>> +} > >>> + > >>> +main() { > >>> + setup_cleanup > >>> + > >>> + gen_user > >>> + backup /etc/sudoers > >>> + > >>> + testloop > >>> + if [ $? 
-gt 0 ]; then > >>> + exit_fail > >> Its possible to provide more information on the exit_fail line that would > >> appear in the rollup.log file. Knowing how may tests failed might be > >> interesting. > >> > >>> + else > >>> + exit_pass > >>> + fi > >>> +} > >>> + > >>> +main > >>> + > >>> > >>> ------------------------------------------------------------------------------ > >>> What Every C/C++ and Fortran developer Should Know! > >>> Read this article and learn how Intel has extended the reach of its > >>> next-generation tools to help Windows* and Linux* C/C++ and Fortran > >>> developers boost performance applications - including clusters. > >>> http://p.sf.net/sfu/intel-dev2devmay > >>> _______________________________________________ > >>> Audit-test-developer mailing list > >>> Aud...@li... > >>> https://lists.sourceforge.net/lists/listinfo/audit-test-developer > > -- Tony Ernst Linux System Software SGI te...@sg... |
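Review bot: In `setup_sudoers` the generated file is moved over /etc/sudoers before it is validated or its mode restored: `mv -f /etc/sudoers.new /etc/sudoers` runs first and `chmod $perm /etc/sudoers` afterwards, so the live file briefly carries the umask-derived mode of the `>` redirect, and a malformed generated line is only discovered when the next `sudo` on the box refuses to run. Reorder to `chmod "$perm" /etc/sudoers.new`, then `visudo -c -f /etc/sudoers.new > /dev/null || exit_error`, and only then the `mv`. In `testloop`, `setup_sudoers $USER_SUDO $RUN_SUDO $CMD_SUDO` passes `$CMD_SUDO` unquoted and relies on `local Cmd_Alias=$@` re-joining `NOPASSWD: /usr/bin/id` with a single space; quoting it as `"$CMD_SUDO"` and taking `local Cmd_Alias=$3` makes that intent explicit and stops word-splitting from ever reordering the sudoers line. The original sudoers is restored via `backup` in `main`, which lives in pam_functions.bash outside this hunk, so whether the restored copy is re-validated I cannot tell.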