From: James C. <cz...@li...> - 2011-07-10 23:57:31
Attachments:
make_ptch
Hi Linda,

This is the first in a series of 11 patches to support the iptables/ip6tables filtering tests. Ten of these are new files and 1 is a patch to lblnet_tst_server. Three of the new files are short bash scripts that exist in the utils/network-server directory along with the lblnet_tst_server. One is a new file in utils/bin which sets the MSG_OOB flag for some data to be sent so that the TCP URG flag is on. The remaining 6 new files are in a new subdirectory called netfilter. One of these is again very similar to the network_functions.bash file in the network directory, and again the changes were obviously made to an older copy, but I didn't worry about that right now as we had agreed to try and find the commonality between all of them and possibly work it into one file. Anyway, here they come, in no special order, and as before they are attachments to avoid my frustrating email issues. I will send one more patch later with the new subdirectory in the top level Makefile right in front of where you put netfilebt, or behind if you prefer. I've always tested them with netfilter going first but it really shouldn't make any difference.

Jim
From: James C. <cz...@li...> - 2011-06-26 22:36:42
This patch is the first in a series of 9 patches. There are 7 new files and 2 patched files. The README.netfilter file, config-server.bash, and profile.sample file are used by both iptables/ip6tables and ebtables testing. This set of patches adds the ebtables test functionality. Hopefully the iptables/ip6tables patches will follow within a week or so. The tests have been against Intel based platforms running in capp and mls. One note is that these have been run with the lblnet_tst_server manually started and not with lblnet_tst-tcp installed as /etc/xinetd.d. I believe there are still issues with it running in that manner under RHEL6.1. These test cases have been tested on RHEL6.1 GA loaded with the kickstart ks-x86_64.cfg version 0.10-1

Signed-off-by James Czyzak <cz...@li...>

diff --git a/audit/Makefile b/audit/Makefile index 7c55745..46e2a84 100644 --- a/audit/Makefile +++ b/audit/Makefile @@ -20,7 +20,8 @@ TOPDIR = . include $(TOPDIR)/rules.mk RUN_DIRS = syscalls \ - network + network \ + netfilebt ifeq ($(MODE), $(NATIVE)) RUN_DIRS += fail-safe \
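Review bot: `+ netfilebt` is added to the unconditional RUN_DIRS list (`RUN_DIRS = syscalls \ ... network \`), so the ebtables tests will also be executed when 32-bit tests are run on a 64-bit host (MODE != NATIVE), not just natively. Nothing in the bridge-filtering tests described in README.netfilter is ABI-specific (they are bash scripts driving ebtables rules), so unless there is a reason to run them twice the directory belongs in the `RUN_DIRS += fail-safe \` list inside the `ifeq ($(MODE), $(NATIVE))` block that follows.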
From: Linda K. <lin...@hp...> - 2011-06-29 19:15:28
Hi Jim,

I appreciate that you've tried to send the patches inline but your mailer is munging them so that they don't apply. It's doing things like changing tabs into spaces. Will you please resend them as attachments, as you did with patches 3 and 6? I can use the comments and signed-off lines from your original posts so if you'd like, you can just reply to the original patch mail with an attachment for each.

Thanks,

-- ljk

James Czyzak wrote: > This patch is the first in a series of 9 patches. There are 7 new files > and 2 patched files. The README.netfilter file, config-server.bash, > and profile.sample file are used by both iptables/ip6tables and ebtables > testing. This set of patches adds the ebtables test functionality. > Hopefully the iptables/ip6tables patches will follow within a week or > so. The tests have been against Intel based platforms running in capp > and mls. One note is that these have been run with the lblnet_tst_server > manually started and not with lblnet_tst-tcp installed as /etc/xinetd.d. > I believe there are still issues with it running in that manner under > RHEL6.1 These test cases have been tested on RHEL6.1 GA loaded with the > kickstart ks-x86_64.cfg version 0.10-1 > > Signed-off-by James Czyzak <cz...@li...> > > diff --git a/audit/Makefile b/audit/Makefile > index 7c55745..46e2a84 100644 > --- a/audit/Makefile > +++ b/audit/Makefile > @@ -20,7 +20,8 @@ TOPDIR = . > include $(TOPDIR)/rules.mk > > RUN_DIRS = syscalls \ > - network > + network \ > + netfilebt > > ifeq ($(MODE), $(NATIVE)) > RUN_DIRS += fail-safe \ >
From: James C. <cz...@li...> - 2011-06-29 21:41:44
Hi Linda,

I will try to answer the questions in a reply to each of the emails you sent with a question so you can see the question with my response. I will send the appropriate attachments in a reply to the original patch emails. This email will not have an attachment as I will send an attachment in reply to the original of this.

Jim

On 6/29/2011 2:13 PM, Linda Knippers wrote: > Hi Jim, > > I appreciate that you've tried to send the patches inline but your mailer > is munging them so that they don't apply. It's doing things like changing > tabs into spaces. > > Will you please resend them as attachments, as you did with patches 3 and 6? > I can use the comments and signed-off lines from your original posts so if > you'd like, you can just reply to the original patch mail with an attachment > for each. > > Thanks, > > -- ljk > > James Czyzak wrote: >> This patch is the first in a series of 9 patches. There are 7 new files >> and 2 patched files. The README.netfilter file, config-server.bash, >> and profile.sample file are used by both iptables/ip6tables and ebtables >> testing. This set of patches adds the ebtables test functionality. >> Hopefully the iptables/ip6tables patches will follow within a week or >> so. The tests have been against Intel based platforms running in capp >> and mls. One note is that these have been run with the lblnet_tst_server >> manually started and not with lblnet_tst-tcp installed as /etc/xinetd.d. >> I believe there are still issues with it running in that manner under >> RHEL6.1 These test cases have been tested on RHEL6.1 GA loaded with the >> kickstart ks-x86_64.cfg version 0.10-1 >> >> Signed-off-by James Czyzak <cz...@li...> >> >> diff --git a/audit/Makefile b/audit/Makefile >> index 7c55745..46e2a84 100644 >> --- a/audit/Makefile >> +++ b/audit/Makefile 
>> @@ -20,7 +20,8 @@ TOPDIR = . >> include $(TOPDIR)/rules.mk >> >> RUN_DIRS = syscalls \ >> - network >> + network \ >> + netfilebt >> >> ifeq ($(MODE), $(NATIVE)) >> RUN_DIRS += fail-safe \ >> |
From: James C. <cz...@li...> - 2011-06-30 01:53:07
diff --git a/audit/Makefile b/audit/Makefile index 7c55745..46e2a84 100644 --- a/audit/Makefile +++ b/audit/Makefile @@ -20,7 +20,8 @@ TOPDIR = . include $(TOPDIR)/rules.mk RUN_DIRS = syscalls \ - network + network \ + netfilebt ifeq ($(MODE), $(NATIVE)) RUN_DIRS += fail-safe \ |
From: Linda K. <lin...@hp...> - 2011-07-01 15:55:43
Hi Jim,

I'm going to make a change here before I push this. See below.

James Czyzak wrote: > Hi Linda > > See attachment > > On 6/26/2011 5:36 PM, James Czyzak wrote: >> This patch is the first in a series of 9 patches. There are 7 new >> files and 2 patched files. The README.netfilter file, >> config-server.bash, and profile.sample file are used by both >> iptables/ip6tables and ebtables testing. This set of patches adds the >> ebtables test functionality. Hopefully the iptables/ip6tables patches >> will follow within a week or so. The tests have been against Intel >> based platforms running in capp and mls. One note is that these have >> been run with the lblnet_tst_server manually started and not with >> lblnet_tst-tcp installed as /etc/xinetd.d. I believe there are still >> issues with it running in that manner under RHEL6.1 These test cases >> have been tested on RHEL6.1 GA loaded with the >> kickstart ks-x86_64.cfg version 0.10-1 >> >> Signed-off-by James Czyzak <cz...@li...> >> >> diff --git a/audit/Makefile b/audit/Makefile >> index 7c55745..46e2a84 100644 >> --- a/audit/Makefile >> +++ b/audit/Makefile 
>> @@ -20,7 +20,8 @@ TOPDIR = . >> include $(TOPDIR)/rules.mk >> >> RUN_DIRS = syscalls \ >> - network >> + network \ >> + netfilebt

Anything in the top list gets executed when we run 32-bit tests on a 64-bit environment, which I assume we don't need to do for the netfilter tests, right? If we only have to run the netfilter tests in the native mode for the OS/platform, I'll add the directory to the list below. Sound reasonable?

-- ljk

>> >> ifeq ($(MODE), $(NATIVE)) >> RUN_DIRS += fail-safe \
From: Linda K. <lin...@hp...> - 2011-07-01 17:29:16
Hi Jim,

I pushed the patches with the file location changes that we discussed. You should see all this in the git tree now. Let me know if something doesn't look right.

-- ljk

 audit/Makefile                            |    3 +-
 audit/README.netfilter                    |  249 +++++
 audit/netfilebt/Makefile                  |   25 +
 audit/netfilebt/netfilebt_functions.bash  |  100 ++
 audit/netfilebt/run.conf                  | 1455 ++++++++++++++++++++++++++++++
 audit/netfilebt/testperm.bash             |   44 +
 audit/utils/netfilter/config-server.bash  |  300 ++++++
 audit/utils/netfilter/profile.sample      |   39 +
 8 files changed, 2214 insertions(+), 1 deletions(-)
 create mode 100644 audit/README.netfilter
 create mode 100644 audit/netfilebt/Makefile
 create mode 100644 audit/netfilebt/netfilebt_functions.bash
 create mode 100644 audit/netfilebt/run.conf
 create mode 100755 audit/netfilebt/testperm.bash
 create mode 100755 audit/utils/netfilter/config-server.bash
 create mode 100644 audit/utils/netfilter/profile.sample
From: James C. <cz...@li...> - 2011-06-26 22:37:17
Signed-off-by James Czyzak <cz...@li...>

diff --git a/audit/README.netfilter b/audit/README.netfilter new file mode 100644 index 0000000..ae3413d --- /dev/null +++ b/audit/README.netfilter 
@@ -0,0 +1,250 @@ +README.netfilter + +ABOUT NETFILTER TESTS +The netfilter tests reside in the sub-directories netfilter and netfilebt of +the audit-test suite. The tests of the iptables and ip6tables reside in +netfilter, and the bridge table filtering tests are in netfilebt. The use +of a remote server running the lblnet_tst_serves required for these tests. + +The ebtables tests also require the creation of a bridge (logical) device on +a secondary network to which the secondary network's ethernet (physical) +device is enslaved. The bridge should be created prior to running the +config-server.bash script is run + +The iptables and ip6tables tests have a large number of the tests that run +over the local loopback device to a locally running lblnet_tst_server. +Some of the tests for iptables and ip6tables are run over the primry ethernet +device against a remote server executing the lblnet_tst_server application. +The locally run lblnet_tst_server which the iptables and ip6tables tests +utilize is automatically started and stopped in the run.conf file, however +the lblnet_tst_server that runs on the remote server must be started before +any of the tests can begin as connectivity to it is tested prior to the +start of any tests. If connectivity cannot be established the test will +error out. The iptables/ip6tables tests have some tests that check the +ability to filter packets requiring forwarding. This requires the use of +a third platform known as the catcher. It can be any platform capable of +running netcat listens. + +You should read the README.netwk_svr for instructions on how to setup the +remote network server. + +Their are a number of environmental variables required in order to provide +the information needed to set the rules in iptables, ip6tables and ebtables. +Some of these environmental variables are also required by the network +tests in the audit-test/network directory. 
These environmental variables +may be set manually prior to running the tests but the process of setting them +all is simplified by the config-server.bash script. This script will ask for +the pertinent ipv4, ipv6, and mac addresses as well as device names to which +these adresses are assigned. This allows considerable flexibility in +configuring systems with 2 or possibly several more network interfaces on +both the TOE platform as well as the network server platform. The +config-server.bash script will build a profile in the /tmp directory that +should be sourced prior to running the tests. it is important to pay +attention to the format and correctness of the answers. While the +config-server.bash script will echo your response to the questions and allow +you the opportunity to change your responses, it currently does no format +checking and cannot verify if an address or device name is accurate. It does +however use a profile.sample file to provide a default answer which is +primarily provided for the purpose of giving a sample of the format expected +in the response. + +TESTING STRATEGY +The strategy of the testing is to provide a known and preferable empty +chain in the tables prior to the start of the testing. Then a test message is +run throught the appropriate chain of the tables showiing that it is not +blocking or filtering on the test message. The rule is applied with the +approriate filter information and the test message is run through again. +The result is checked for the expected result of either the dropping, +acceptance, or rejection of the test message. Often the dropping of a message +is verified through the timeout of a listen for the message or the timeout +of a connect request. It is usually verified again via the action parameter +for the message type NETFILTER in the audit log which is rotated before +the start of each test. In the case of a chain policy drop rule the listen +or connect timeout must suffice. 
This is because the only way to audit a +dropped message is to insert a rule with a target of AUDIT_DROP, however +by inserting such a rule it would not verify that the drop is caused by the +policy change as opposed to the rule inserted to audit the drop. + +ENVIRONMENTAL VARIABLES +Below is a list of the environmental variables required to run all the tests +as well as an explanation of what they are. + +RHOST="localhost" (always the local loopback IPv4) + +RHOST6="::1" (always the local loopback IPv6) + +MODE (set to either 32 or 64 depending on whether the TOE OS is + installed as 32 bit or 64 bit) + +PPROFILE (set to capp if running selinux targeted policy (a.k.a base)on + the TOE or set to lspp if running mls policy on the TOE) + +PATH="$PATH:." (The PATH should include the local directory) + +PASSWD (This should be set to the super user password) + +AUDITPATH (Should be set to the audit-test suite directory on the TOE + the directory path should include audit-test. This would + normally be set to /usr/local/eal4_testing/audit-test) + +LOCAL_DEV (primary ethernet device of the TOE for example "eth0") + +LOCAL_SEC_DEV (secondary ethernet device of the TOE for example "eth1") + +LOCAL_SEC_MAC (MAC address of the secondary ethernet device on the TOE + +LOCAL_IPV4 (IPv4 address of primary device on TOE) + +LOCAL_IPV6 (IPv6 address of primary device on TOE) + +LOCAL_SEC_IPV4 (IPv4 address of secondary device on TOE) + +LOCAL_SEC_IPV6 (IPv6 address of secondary device on TOE) + +TOE_GLOBAL (This needs to be either a global or site local IPv6 + address for the primary device on the TOE. 
Link local + addresses are not forwarded and this is used in the + forwarding test) + +TOE_SEC_GLOBAL (Must be a global or site local IPv6 address for the + secondary device on the TOE) + +LBLNET_SVR_IPV4 (This is the IPv4 address for the primary device on the + network server where the lblnet_tst_server application + is running) +LBLNET_SVR_IPV6 (This is the IPv6 address for the primary device on the + network server where the lblnet_tst_server application + is running) + +LBLNET_SVR_DEV (The device name for the network server's primary interface + for example "eth0") + +LNET4MASK (Network mask being used on the primary IPv4 network for + example 255.255.255.0) + +LNET6MASK (Network mask being used on the primary IPv6 network, + specified in number of bits for example "64") + +SECNET_SVR_IPV4 (IPv4 address of the network server's secondary address) + +SECNET_SVR_IPV6 (IPv6 address of the network server's secondary address) + +SECNET_SVR_DEV (Device name for the network server's secondary interface + for example "eth1") + +SECNET_SVR_MAC (MAC address of secondary device on the network server + where the remote lblnet_tst_server application is running) + +SECNET_IPV4 (IPV4 address of the secondary device onn the network server + where the remote lblnet_tst_server application is running) + +SNET4MASK (Network mask being used on the secondary IPv4 network for + example 255.255.255.0) + +SNET6MASK (Network mask being used on the secondary IPv6 network, + specified in number of bits for example "64") + +CATCHER_IPV4 (IPv4 address of 3rd platform where netcat listen on + specified port is performed ...nc -l $CATCHER_PORT4) + +CATCHER_IPV6 (Global or site local IPv6 address of 3rd platform where + netcat listen is performed ...nc -l $CATCHER_PORT6) + +CATCHER_DEV (Device name of interface on 3rd platform providing + connectivity to the TOE's secondary network) + +CATCHER_PORT4 (Port # on 3rd platform designated for the IPv4 netcat listen + for example "4100") + 
+CATCHER_PORT6 (Port # on 3rd platform designated for the IPv4 netcat listen + for example "4200") + +PITCHER_IPV6 (Global or site local IPv6 address of network server's + primary network interface) + +PITCHER_DEV (Is always the same as LBLNET_SVR_DEV simply used in the + scripts to signify the forwarding tests) + +BRIDGE_FILTER (Name of the bridge created on TOE for the ebtables testing. + This bridge should have the secondary device enslaved to + it. + +PROCEDURES FOR CONFIGURATION + +The config-server.bash script in the top level directory of the audit-test +suite should be run on each platform prior to running any of the netfilter +tests. The config-server.bash script must be executed on the TOE first. + +The config-server script will query the user for the adresses, device names, +and network masks needed to properly configure the network, set routes in +the routing table, and set up the chain rules in iptables, ip6tables, and +ebtables. If you choose not to run the config-server.bash script you must set +the above environmental variables and routing tables manually prior to running +the tests. + +Prior to running the config-server.bash script you should create the logical +bridge on the TOE that will be used to test ebtables. The name of the logical +bridge will be requested by the config-server.bash script. 
The bridge can be +set up with the following commands: + +brctl addbr <bridge name> -- This creates an instance of the + ethernet bridge + +After executing this command it is a good time to modify the +ifcfg-<ethernet interface> in the /etc/sysconfig/network-scripts directory +Below is a sample of what the content of this file (ifcfg-eth1) might look +like if the ethernet interface name was eth1 and the bridge name was br1 + +DEVICE="eth1" +BOOTPROTO="static" +HWADDR="00:21:5E:F0:31:9F" +ONBOOT="yes" +BRIDGE="br1" + +brctl addif <bridge name> <ethernet interface> -- This assigns the ethernet + interface as a port of the bridge + +After executing this command it is a good time to create the +ifcfg-<bridge name> in the /etc/sysconfig/network-scripts directory +Below is a sample of what the content of this file (ifcfg-br1) might look +like if the ethernet interface name was eth1 and the bridge name was br1 + +DEVICE="br1" +BOOTPROTO="static" +IPADDR="192.168.1.67" +NETMASK="255.255.255.0" +IPV6INIT="yes" +ONBOOT="yes" +TYPE="Bridge" + +Restart the network at this point with either a "service network restart" if +running in capp mode or "run_init service network restart" if running mls +policy. + +brctl setageing <bridge name> 3600 --sets the ageing timer + +Setting the ageing timer to a high value is helpful to the testing as +it prevents the learned mac addresses in the bridge's forwarding database +from being deleted when it hasn't seen a frame from that mac address in the +timer number of seconds. + +The setup of this bridge will be placed within the config-server.bash script +at a later date. + +After the config-server script has been run there will be a file named profile +in /tmp. This file will contain all the export commands for the environmental +variables listed above. It contains environmental variables that are needed on +each of the 3 platforms. 
To keep from having to do the many queries again on +each platform the file /tmp/profile needs to be copied to the /tmp directory of +each of the other two platforms and a source /tmp/profile should be executed +on each of the platforms. The config-server script should be then be run on +the other two platforms (netserver and catcher) The order of the remaining +two platforms is not important. The config-server.bash script when +run on the other two platforms will only query for the role (netserver or +catcher) and the superuser password. It will use the information from the +/tmp/profile to setup the network configuration and routing + +Once the config-server.bash script has been run on each of the 3 platforms +(TOE first followed by the other two) The netfilter tests will be ready +to run. + |
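Review bot: PASSWD, documented in ENVIRONMENTAL VARIABLES as the super user password, is written into /tmp/profile as one of the "export commands for the environmental variables listed above", and PROCEDURES FOR CONFIGURATION then tells the tester to copy that file to /tmp on the other two platforms and source it there. /tmp is world-readable by default and polyinstantiated under the MLS policy, so the root password ends up in a plain-text file on three machines with no stated file mode. Suggest having config-server.bash prompt for PASSWD at run time instead of persisting it, or at minimum writing the profile with mode 0600 under the test-suite directory rather than /tmp, and saying so in this README. Smaller points in the same hunk: CATCHER_PORT6 is described as the "IPv4 netcat listen" when it is the IPv6 one; the LOCAL_SEC_MAC and BRIDGE_FILTER entries are missing their closing parenthesis; SECNET_IPV4 and SECNET_SVR_IPV4 read as the same address and one should be dropped or the difference explained; "running the lblnet_tst_serves required" should be "running the lblnet_tst_server is required"; "Their are a number" should be "There are a number"; and "prior to running the config-server.bash script is run" has a dangling clause. "The config-server.bash script in the top level directory of the audit-test suite" should also be updated to the directory the script actually lands in once the file location changes discussed in this thread are applied (audit/utils/netfilter/ in the pushed tree).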
From: Linda K. <lin...@hp...> - 2011-06-29 15:50:34
Hi Jim,

I have a few questions and comments here. Some are general and some probably apply more to later patches but since this patch contains a lot of the overview information (and is as far as I've gotten), I thought I'd add them here. These aren't questions that have to be resolved before I pull in the patches but I would like to discuss them and address some of them before we all start executing the tests.

James Czyzak wrote: > Signed-off-by James Czyzak <cz...@li...> > > diff --git a/audit/README.netfilter b/audit/README.netfilter > new file mode 100644 > index 0000000..ae3413d > --- /dev/null > +++ b/audit/README.netfilter 
> @@ -0,0 +1,250 @@ > +README.netfilter > + > +ABOUT NETFILTER TESTS > +The netfilter tests reside in the sub-directories netfilter and > netfilebt of > +the audit-test suite. The tests of the iptables and ip6tables reside in > +netfilter, and the bridge table filtering tests are in netfilebt. The use > +of a remote server running the lblnet_tst_serves required for these tests. > + > +The ebtables tests also require the creation of a bridge (logical) > device on > +a secondary network to which the secondary network's ethernet (physical) > +device is enslaved. The bridge should be created prior to running the > +config-server.bash script is run > + > +The iptables and ip6tables tests have a large number of the tests that run > +over the local loopback device to a locally running lblnet_tst_server. > +Some of the tests for iptables and ip6tables are run over the primry > ethernet > +device against a remote server executing the lblnet_tst_server application. > +The locally run lblnet_tst_server which the iptables and ip6tables tests > +utilize is automatically started and stopped in the run.conf file, however > +the lblnet_tst_server that runs on the remote server must be started before > +any of the tests can begin as connectivity to it is tested prior to the > +start of any tests. If connectivity cannot be established the test will > +error out. The iptables/ip6tables tests have some tests that check the > +ability to filter packets requiring forwarding. This requires the use of > +a third platform known as the catcher. It can be any platform capable of > +running netcat listens. > + > +You should read the README.netwk_svr for instructions on how to setup the > +remote network server. > + > +Their are a number of environmental variables required in order to provide > +the information needed to set the rules in iptables, ip6tables and > ebtables. > +Some of these environmental variables are also required by the network > +tests in the audit-test/network directory. 
These environmental variables > +may be set manually prior to running the tests but the process of > setting them > +all is simplified by the config-server.bash script. This script will > ask for > +the pertinent ipv4, ipv6, and mac addresses as well as device names to > which > +these adresses are assigned.

What are the assumptions for the configuration of the system prior to running this script? Today, the network tests assume that the primary interfaces (which is all it cares about) are already configured. With that assumption, it only needs a few pieces of information and it can figure out the rest. Your script appears to want to configure everything? Or is it just the secondary interfaces? I think it's asking too many questions. I'll comment more there but I'm wondering about the philosophy here.

> This allows considerable flexibility in > +configuring systems with 2 or possibly several more network interfaces on > +both the TOE platform as well as the network server platform. The > +config-server.bash script will build a profile in the /tmp directory that > +should be sourced prior to running the tests. it is important to pay > +attention to the format and correctness of the answers. While the > +config-server.bash script will echo your response to the questions and > allow > +you the opportunity to change your responses, it currently does no format > +checking and cannot verify if an address or device name is accurate. It > does > +however use a profile.sample file to provide a default answer which is > +primarily provided for the purpose of giving a sample of the format > expected > +in the response. > + > +TESTING STRATEGY > +The strategy of the testing is to provide a known and preferable empty > +chain in the tables prior to the start of the testing. Then a test > message is > +run throught the appropriate chain of the tables showiing that it is not > +blocking or filtering on the test message. 
The rule is applied with the > +approriate filter information and the test message is run through again. > +The result is checked for the expected result of either the dropping, > +acceptance, or rejection of the test message. Often the dropping of a > message > +is verified through the timeout of a listen for the message or the timeout > +of a connect request. It is usually verified again via the action parameter > +for the message type NETFILTER in the audit log which is rotated before > +the start of each test. In the case of a chain policy drop rule the listen > +or connect timeout must suffice. This is because the only way to audit a > +dropped message is to insert a rule with a target of AUDIT_DROP, however > +by inserting such a rule it would not verify that the drop is caused by the > +policy change as opposed to the rule inserted to audit the drop. > + > +ENVIRONMENTAL VARIABLES > +Below is a list of the environmental variables required to run all the > tests > +as well as an explanation of what they are.

I really appreciate that you've documented the environment variables. Just a few comments/clarifications. I think we should note the ones that are defined automatically and which ones the tester needs to set.

> + > +RHOST="localhost" (always the local loopback IPv4) > + > +RHOST6="::1" (always the local loopback IPv6) > + > +MODE (set to either 32 or 64 depending on whether the TOE OS is > + installed as 32 bit or 64 bit)

MODE is set automatically to the default for the system and only needs to be set to override if one wants to run in 32-bit mode on a 64-bit system.

> + > +PPROFILE (set to capp if running selinux targeted policy (a.k.a > base)on > + the TOE or set to lspp if running mls policy on the TOE)

PPROFILE is set automatically but can be manually set to override the default.

> + > +PATH="$PATH:." 
(The PATH should include the local directory) > + > +PASSWD (This should be set to the super user password)

This is both the tester's passwd and the super user passwd. They need to be the same for some of the tests to run.

> + > +AUDITPATH (Should be set to the audit-test suite directory on the TOE > + the directory path should include audit-test. This would > + normally be set to /usr/local/eal4_testing/audit-test)

The lspp_test.fc assumes that the tests are always in /usr/local/eal4_testing, although it would be nice if it were configurable. Which tests use this variable and does the tester really have to set it?

> + > +LOCAL_DEV (primary ethernet device of the TOE for example "eth0") > + > +LOCAL_SEC_DEV (secondary ethernet device of the TOE for example "eth1") > + > +LOCAL_SEC_MAC (MAC address of the secondary ethernet device on the TOE > + > +LOCAL_IPV4 (IPv4 address of primary device on TOE) > + > +LOCAL_IPV6 (IPv6 address of primary device on TOE) > + > +LOCAL_SEC_IPV4 (IPv4 address of secondary device on TOE) > + > +LOCAL_SEC_IPV6 (IPv6 address of secondary device on TOE)

For all of the above, what is the minimum that needs to be set and what can be derived? If you look at network/addr_filter.bash, we calculate a lot of this. Maybe it's more complicated now if there are two interfaces required for the tests but we need to minimize the number of things the tester has to configure.

> + > +TOE_GLOBAL (This needs to be either a global or site local IPv6 > + address for the primary device on the TOE. Link local > + addresses are not forwarded and this is used in the > + forwarding test) > + > +TOE_SEC_GLOBAL (Must be a global or site local IPv6 address for the > + secondary device on the TOE)

For the above 2, does it have to be an active address, like for a test server machine? 
> + > +LBLNET_SVR_IPV4 (This is the IPv4 address for the primary device on the > + network server where the lblnet_tst_server application > + is running) > +LBLNET_SVR_IPV6 (This is the IPv6 address for the primary device on the > + network server where the lblnet_tst_server application > + is running) > + > +LBLNET_SVR_DEV (The device name for the network server's primary interface > + for example "eth0") If this is part of the network server setup, can't it be derived from the IP address? jk > + > +LNET4MASK (Network mask being used on the primary IPv4 network for > + example 255.255.255.0) > + > +LNET6MASK (Network mask being used on the primary IPv6 network, > + specified in number of bits for example "64") Can't the above 2 be derived? > + > +SECNET_SVR_IPV4 (IPv4 address of the network server's secondary address) > + > +SECNET_SVR_IPV6 (IPv6 address of the network server's secondary address) > + > +SECNET_SVR_DEV (Device name for the network server's secondary interface > + for example "eth1") > + > +SECNET_SVR_MAC (MAC address of secondary device on the network server > + where the remote lblnet_tst_server application is running) > + > +SECNET_IPV4 (IPV4 address of the secondary device onn the network > server > + where the remote lblnet_tst_server application is running) > + > +SNET4MASK (Network mask being used on the secondary IPv4 network for > + example 255.255.255.0) > + > +SNET6MASK (Network mask being used on the secondary IPv6 network, > + specified in number of bits for example "64") Ditto here. How much can be derived? 
> + > +CATCHER_IPV4 (IPv4 address of 3rd platform where netcat listen on > + specified port is performed ...nc -l $CATCHER_PORT4) > + > +CATCHER_IPV6 (Global or site local IPv6 address of 3rd platform where > + netcat listen is performed ...nc -l $CATCHER_PORT6) > + > +CATCHER_DEV (Device name of interface on 3rd platform providing > + connectivity to the TOE's secondary network) > + > +CATCHER_PORT4 (Port # on 3rd platform designated for the IPv4 netcat > listen > + for example "4100") > + > +CATCHER_PORT6 (Port # on 3rd platform designated for the IPv4 netcat > listen > + for example "4200") > + > +PITCHER_IPV6 (Global or site local IPv6 address of network server's > + primary network interface) > + > +PITCHER_DEV (Is always the same as LBLNET_SVR_DEV simply used in the > + scripts to signify the forwarding tests) It would be good if there was something earlier in the readme that talks about the test requirements (3 systems, 2 interfaces, roles of each, what's the catcher, what's the pitcher, etc.). I see some of that later in this file but I'm still puzzling over the pieces. > + > +BRIDGE_FILTER (Name of the bridge created on TOE for the ebtables > testing. > + This bridge should have the secondary device enslaved to > + it. > + > +PROCEDURES FOR CONFIGURATION > + > +The config-server.bash script in the top level directory of the audit-test > +suite should be run on each platform prior to running any of the netfilter > +tests. Is this something that is done once to set up the system or run each time someone logs in to run the test? If its each time, can running it be automated as part of the 'make run' for this set of tests? > The config-server.bash script must be executed on the TOE first. > + > +The config-server script will query the user for the adresses, device > names, > +and network masks needed to properly configure the network, set routes in > +the routing table, and set up the chain rules in iptables, ip6tables, and > +ebtables. 
If you choose not to run the config-server.bash script you > must set > +the above environmental variables and routing tables manually prior to > running > +the tests. > + > +Prior to running the config-server.bash script you should create the > logical > +bridge on the TOE that will be used to test ebtables. The name of the > logical > +bridge will be requested by the config-server.bash script. The bridge > can be > +set up with the following commands: > + > +brctl addbr <bridge name> -- This creates an instance of the > + ethernet bridge Can this be automated? Does the bridge name matter or can the test suite name and configure some reasonable default? > + > +After executing this command it is a good time to modify the > +ifcfg-<ethernet interface> in the /etc/sysconfig/network-scripts directory > +Below is a sample of what the content of this file (ifcfg-eth1) might look > +like if the ethernet interface name was eth1 and the bridge name was br1 > + > +DEVICE="eth1" > +BOOTPROTO="static" > +HWADDR="00:21:5E:F0:31:9F" > +ONBOOT="yes" > +BRIDGE="br1" > + > +brctl addif <bridge name> <ethernet interface> -- This assigns the ethernet > + interface as a port of the > bridge > + > +After executing this command it is a good time to create the > +ifcfg-<bridge name> in the /etc/sysconfig/network-scripts directory > +Below is a sample of what the content of this file (ifcfg-br1) might look > +like if the ethernet interface name was eth1 and the bridge name was br1 > + > +DEVICE="br1" > +BOOTPROTO="static" > +IPADDR="192.168.1.67" > +NETMASK="255.255.255.0" > +IPV6INIT="yes" > +ONBOOT="yes" > +TYPE="Bridge" > + > +Restart the network at this point with either a "service network > restart" if > +running in capp mode or "run_init service network restart" if running mls > +policy. 
> + > +brctl setageing <bridge name> 3600 --sets the ageing timer > + > +Setting the ageing timer to a high value is helpful to the testing as > +it prevents the learned mac addresses in the bridge's forwarding database > +from being deleted when it hasn't seen a frame from that mac address in the > +timer number of seconds. > + > +The setup of this bridge will be placed within the config-server.bash > script > +at a later date. > + > +After the config-server script has been run there will be a file named > profile > +in /tmp. This file will contain all the export commands for the > environmental > +variables listed above. It contains environmental variables that are > needed on > +each of the 3 platforms. To keep from having to do the many queries > again on > +each platform the file /tmp/profile needs to be copied to the /tmp > directory of > +each of the other two platforms and a source /tmp/profile should be > executed > +on each of the platforms. Is there a better location than /tmp, perhaps in the /usr/local/eal4_testing directory? My worries about /tmp are that, well, its temporary, but also that it is polyinstantiated so on an mls system, there can be lots of /tmp directories and depending on how you log in and what role you're in, things you put in /tmp might be hard to find. > The config-server script should be then be run on > +the other two platforms (netserver and catcher) The order of the remaining > +two platforms is not important. The config-server.bash script when > +run on the other two platforms will only query for the role (netserver or > +catcher) and the superuser password. It will use the information from the > +/tmp/profile to setup the network configuration and routing > + > +Once the config-server.bash script has been run on each of the 3 platforms > +(TOE first followed by the other two) The netfilter tests will be ready > +to run. > + > |
From: James C. <cz...@li...> - 2011-06-29 23:13:06
Hi Linda See answers below On 6/29/2011 10:48 AM, Linda Knippers wrote: > Hi Jim, > > I have a few questions and comments here. Some are general and some > probably apply more to later patches but since this patch contains > alot of the overview information (and is as far as I've gotten), > I thought I'd add them here. > > These aren't questions that have to be resolved before I pull in the > patches but I would like to discuss them and address some of them before > we all start executing the tests. > > James Czyzak wrote: >> Signed-off-by James Czyzak<cz...@li...> >> <mailto:cz...@li...> >> >> diff --git a/audit/README.netfilter b/audit/README.netfilter >> new file mode 100644 >> index 0000000..ae3413d >> --- /dev/null >> +++ b/audit/README.netfilter 
>> @@ -0,0 +1,250 @@ >> +README.netfilter >> + >> +ABOUT NETFILTER TESTS >> +The netfilter tests reside in the sub-directories netfilter and >> netfilebt of >> +the audit-test suite. The tests of the iptables and ip6tables reside in >> +netfilter, and the bridge table filtering tests are in netfilebt. The use >> +of a remote server running the lblnet_tst_serves required for these tests. >> + >> +The ebtables tests also require the creation of a bridge (logical) >> device on >> +a secondary network to which the secondary network's ethernet (physical) >> +device is enslaved. The bridge should be created prior to running the >> +config-server.bash script is run >> + >> +The iptables and ip6tables tests have a large number of the tests that run >> +over the local loopback device to a locally running lblnet_tst_server. >> +Some of the tests for iptables and ip6tables are run over the primry >> ethernet >> +device against a remote server executing the lblnet_tst_server application. >> +The locally run lblnet_tst_server which the iptables and ip6tables tests >> +utilize is automatically started and stopped in the run.conf file, however >> +the lblnet_tst_server that runs on the remote server must be started before >> +any of the tests can begin as connectivity to it is tested prior to the >> +start of any tests. If connectivity cannot be established the test will >> +error out. The iptables/ip6tables tests have some tests that check the >> +ability to filter packets requiring forwarding. This requires the use of >> +a third platform known as the catcher. It can be any platform capable of >> +running netcat listens. >> + >> +You should read the README.netwk_svr for instructions on how to setup the >> +remote network server. >> + >> +Their are a number of environmental variables required in order to provide >> +the information needed to set the rules in iptables, ip6tables and >> ebtables. 
>> +Some of these environmental variables are also required by the network >> +tests in the audit-test/network directory. These environmental variables >> +may be set manually prior to running the tests but the process of >> setting them >> +all is simplified by the config-server.bash script. This script will >> ask for >> +the pertinent ipv4, ipv6, and mac addresses as well as device names to >> which >> +these adresses are assigned. > What are the assumptions for the configuration of the system prior to > running this script? Today, the network tests assume that the primary > interfaces (which is all it cares about) are already configured. With > that assumption, it only needs a few pieces of information and it can > figure out the rest. Your script appears to want to configure everything? > Or is it just the secondary interfaces? I think it's asking too many > questions. I'll comment more there but I'm wondering about the philosophy > here. > I assumed very little as far as configuration of the network prior to running this script. Since the complexity increased a bit with the need for 2 networks, the only thing I assumed was the platform would have at least 2 network interfaces. The idea was that if one or more networks were already configured as the tester so desired, no harm done, because the worst case is you get a "SIOCSIFADDR: File exists" message to the tty/console if the configuration item already exists, but I was hoping to allow the flexibility of configuring any devices you wanted or reconfiguring for a test environment versus assuming which of the possible multiple interfaces is the primary and which is the secondary. There may be better ideas on how to do this. I realize that the question and answer is a bit lengthy and definitely requires some knowledge of what devices and addresses you have.
>> This allows considerable flexibility in >> +configuring systems with 2 or possibly several more network interfaces on >> +both the TOE platform as well as the network server platform. The >> +config-server.bash script will build a profile in the /tmp directory that >> +should be sourced prior to running the tests. it is important to pay >> +attention to the format and correctness of the answers. While the >> +config-server.bash script will echo your response to the questions and >> allow >> +you the opportunity to change your responses, it currently does no format >> +checking and cannot verify if an address or device name is accurate. It >> does >> +however use a profile.sample file to provide a default answer which is >> +primarily provided for the purpose of giving a sample of the format >> expected >> +in the response. >> + >> +TESTING STRATEGY >> +The strategy of the testing is to provide a known and preferable empty >> +chain in the tables prior to the start of the testing. Then a test >> message is >> +run throught the appropriate chain of the tables showiing that it is not >> +blocking or filtering on the test message. The rule is applied with the >> +approriate filter information and the test message is run through again. >> +The result is checked for the expected result of either the dropping, >> +acceptance, or rejection of the test message. Often the dropping of a >> message >> +is verified through the timeout of a listen for the message or the timeout >> +of a connect request. It is usually verified again via the action parameter >> +for the message type NETFILTER in the audit log which is rotated before >> +the start of each test. In the case of a chain policy drop rule the listen >> +or connect timeout must suffice. 
This is because the only way to audit a >> +dropped message is to insert a rule with a target of AUDIT_DROP, however >> +by inserting such a rule it would not verify that the drop is caused by the >> +policy change as opposed to the rule inserted to audit the drop. >> + >> +ENVIRONMENTAL VARIABLES >> +Below is a list of the environmental variables required to run all the >> tests >> +as well as an explanation of what they are. > I really appreciate that you've documented the environment variables. > Just a few comments/clarifications. I think we should note the ones > that are defined automatically and which ones the tester needs to set. Yes, I agree I should identify those that are automatically set through the use of the script; of course, since one does have the option of setting them all manually (hopefully not), I wanted them all to be listed since they are all needed somewhere in the testing. >> + >> +RHOST="localhost" (always the local loopback IPv4) >> + >> +RHOST6="::1" (always the local loopback IPv6) >> + >> +MODE (set to either 32 or 64 depending on whether the TOE OS is >> + installed as 32 bit or 64 bit) > MODE is set automatically to the default for the system and only needs to be > set to override if one wants to run in 32-bit mode on a 64-bit system. > If we can rely on this being set it can certainly be eliminated from the script. >> + >> +PPROFILE (set to capp if running selinux targeted policy (a.k.a >> base)on >> + the TOE or set to lspp if running mls policy on the TOE) > PPROFILE is set automatically but can be manually set to override the default. Same answer as for MODE. >> + >> +PATH="$PATH:." (The PATH should include the local directory) >> + >> +PASSWD (This should be set to the super user password) > This is both the tester's passwd and the super user passwd. They need to > be the same for some of the tests to run. > Yes, this is true and an assumption I made and probably shouldn't have.
I think if we can rely on this being set prior to the test runs it could be eliminated also. >> + >> +AUDITPATH (Should be set to the audit-test suite directory on the TOE >> + the directory path should include audit-test. This would >> + normally be set to /usr/local/eal4_testing/audit-test) > The lspp_test.fc assumes that the tests are always in /usr/local/eal4_testing, > although it would be nice if it were configurable. Which tests use this > variable and does the tester really have to set it? > Actually I created it as I was thinking maybe all testing wouldn't have to be in this directory at some point but I also used it in some of the scripting in one you don't have yet (related to iptables/ip6tables) and the run.conf you do when I was trying to implicitly define where I was sourcing a file from. It can be eliminated and the source can be done relative to the directory run.conf is in. >> + >> +LOCAL_DEV (primary ethernet device of the TOE for example "eth0") >> + >> +LOCAL_SEC_DEV (secondary ethernet device of the TOE for example "eth1") >> + >> +LOCAL_SEC_MAC (MAC address of the secondary ethernet device on the TOE >> + >> +LOCAL_IPV4 (IPv4 address of primary device on TOE) >> + >> +LOCAL_IPV6 (IPv6 address of primary device on TOE) >> + >> +LOCAL_SEC_IPV4 (IPv4 address of secondary device on TOE) >> + >> +LOCAL_SEC_IPV6 (IPv6 address of secondary device on TOE) > For all of the above, what is the minimum that needs to be set and > what can be derived? If you look at network/addr_filter.bash, we > calculate alot of this. Maybe its more complicated now if there are > two interfaces required for the tests but we need to minimize the > number of things the tester has to configure. > Yes I would like to do this. 
I did originally look at the addr_filter.bash and considered deriving some from something like an ifconfig and ip show command, but the problem I had with doing that was once again if there is but one network it's not quite as difficult because the display generally lists the network interfaces in alphabetical order. I could assume that eth0 (if it is always named that) is the primary network but this did allow the option of creating it whichever way made the most sense to the tester, albeit a bit more complex with a better understanding of the networking on the system. I agree when I first started this endeavor I was a little concerned at how involved it was becoming. ip show does not give you the mac addresses but ifconfig does and they are needed to filter for ebtables testing. Also once you create a bridge, if you use a name such as I did br1 or anything that starts before e in ifconfig it shows up before eth0, but in the ip show command it will probably show up in the order that the device was created. (In my test case, last.) >> + >> +TOE_GLOBAL (This needs to be either a global or site local IPv6 >> + address for the primary device on the TOE. Link local >> + addresses are not forwarded and this is used in the >> + forwarding test) >> + >> +TOE_SEC_GLOBAL (Must be a global or site local IPv6 address for the >> + secondary device on the TOE) > For the above 2, does it have to be an active address, like for a > test server machine? >> + >> +LBLNET_SVR_IPV4 (This is the IPv4 address for the primary device on the >> + network server where the lblnet_tst_server application >> + is running) >> +LBLNET_SVR_IPV6 (This is the IPv6 address for the primary device on the >> + network server where the lblnet_tst_server application >> + is running) >> + >> +LBLNET_SVR_DEV (The device name for the network server's primary interface >> + for example "eth0") > If this is part of the network server setup, can't it be derived from the > IP address?
> jk Some of these are redundant and in fact if we assume the network tests will always be run first they could be skipped. I guess I was hoping that possibly this could be used to set up the networking configuration for everyone. I don't think I'm missing many of the environmental variables that network tests use. I was always somewhat worried about the case where someone would log in to a system and want to just run the filtering tests. However I suppose documentation could cover this event. >> + >> +LNET4MASK (Network mask being used on the primary IPv4 network for >> + example 255.255.255.0) >> + >> +LNET6MASK (Network mask being used on the primary IPv6 network, >> + specified in number of bits for example "64") > Can't the above 2 be derived? Yes they probably can, again from the ip show or ifconfig once you have the device. It's just that when I was looking at it from the perspective of being able to reconfigure the system however you wanted, it seemed the masks could change if someone so desired. >> + >> +SECNET_SVR_IPV4 (IPv4 address of the network server's secondary address) >> + >> +SECNET_SVR_IPV6 (IPv6 address of the network server's secondary address) >> + >> +SECNET_SVR_DEV (Device name for the network server's secondary interface >> + for example "eth1") >> + >> +SECNET_SVR_MAC (MAC address of secondary device on the network server >> + where the remote lblnet_tst_server application is running) >> + >> +SECNET_IPV4 (IPV4 address of the secondary device onn the network >> server >> + where the remote lblnet_tst_server application is running) >> + >> +SNET4MASK (Network mask being used on the secondary IPv4 network for >> + example 255.255.255.0) >> + >> +SNET6MASK (Network mask being used on the secondary IPv6 network, >> + specified in number of bits for example "64") > Ditto here. How much can be derived?
> Again, nearly everything, assuming you know the device name of what the tester considers the secondary network and you don't want to allow them to change it. The thing with the secondary network is that my suspicion is that most people will not already have this configured, and by using the script, as long as they have the right addresses and device names they intend to assign, everything will be done correctly. They would need this info and have to manually do it if it's not already configured anyhow. >> + >> +CATCHER_IPV4 (IPv4 address of 3rd platform where netcat listen on >> + specified port is performed ...nc -l $CATCHER_PORT4) >> + >> +CATCHER_IPV6 (Global or site local IPv6 address of 3rd platform where >> + netcat listen is performed ...nc -l $CATCHER_PORT6) >> + >> +CATCHER_DEV (Device name of interface on 3rd platform providing >> + connectivity to the TOE's secondary network) >> + >> +CATCHER_PORT4 (Port # on 3rd platform designated for the IPv4 netcat >> listen >> + for example "4100") >> + >> +CATCHER_PORT6 (Port # on 3rd platform designated for the IPv4 netcat >> listen >> + for example "4200") >> + >> +PITCHER_IPV6 (Global or site local IPv6 address of network server's >> + primary network interface) >> + >> +PITCHER_DEV (Is always the same as LBLNET_SVR_DEV simply used in the >> + scripts to signify the forwarding tests) > It would be good if there was something earlier in the readme that talks > about the test requirements (3 systems, 2 interfaces, roles of each, what's > the catcher, what's the pitcher, etc.). I see some of that later in this > file but I'm still puzzling over the pieces. I actually thought (wasn't sure how to do it with vi without making it look like a stick diagram) of creating a picture with the network, the 3 systems, the connections, and references to which addresses and masks belong where. I think it would probably make much more sense. I think we should talk about some of these things.
Not sure I can talk about everything in this email. Would like to have a short phone conversation at some point. I think there could be some additional issues coming up. >> + >> +BRIDGE_FILTER (Name of the bridge created on TOE for the ebtables >> testing. >> + This bridge should have the secondary device enslaved to >> + it. >> + >> +PROCEDURES FOR CONFIGURATION >> + >> +The config-server.bash script in the top level directory of the audit-test >> +suite should be run on each platform prior to running any of the netfilter >> +tests. > Is this something that is done once to set up the system or run each > time someone logs in to run the test? If it's each time, can running it > be automated as part of the 'make run' for this set of tests? > Once it has been run the only time it would need to be re-run is on a reboot of the system, and then only because you will likely lose some of the routes required in the routing table (I think this can be fixed too with a little effort; my first attempts were not successful and time was a factor). The one thing that currently is required after logging in once this has been run is executing the "source /tmp/profile" command and I'm sure this could be done differently. I just didn't have luck doing the source from inside the run.conf for some reason and I wasn't exactly sure why, but I'm pretty sure this could be overcome, although I have found it useful at times to have sourced it from my ssh login. >> The config-server.bash script must be executed on the TOE first. >> + >> +The config-server script will query the user for the adresses, device >> names, >> +and network masks needed to properly configure the network, set routes in >> +the routing table, and set up the chain rules in iptables, ip6tables, and >> +ebtables. If you choose not to run the config-server.bash script you >> must set >> +the above environmental variables and routing tables manually prior to >> running >> +the tests.
>> + >> +Prior to running the config-server.bash script you should create the >> logical >> +bridge on the TOE that will be used to test ebtables. The name of the >> logical >> +bridge will be requested by the config-server.bash script. The bridge >> can be >> +set up with the following commands: >> + >> +brctl addbr<bridge name> -- This creates an instance of the >> + ethernet bridge > Can this be automated? Does the bridge name matter or can the test > suite name and configure some reasonable default? > The bridge name does not matter. I guess I was thinking that a system under test may already have a bridge that someone wants to use. Again, remember there are no restrictions on the bridge name, so it can show up anywhere in an ifconfig depending upon the name. I had intended at one point to automate this out of the config-server script, thus allowing any name they want to use within reason. I'm thinking we may have a bridge discussion in one of the meetings, since normally one would create a bridge on a system utilizing KVM. I think the question becomes does someone who doesn't care about KVM even need to run ebtables testing.
I utilize the host to access the bridge as opposed to a VM so it doesn't matter either way >> + >> +After executing this command it is a good time to modify the >> +ifcfg-<ethernet interface> in the /etc/sysconfig/network-scripts directory >> +Below is a sample of what the content of this file (ifcfg-eth1) might look >> +like if the ethernet interface name was eth1 and the bridge name was br1 >> + >> +DEVICE="eth1" >> +BOOTPROTO="static" >> +HWADDR="00:21:5E:F0:31:9F" >> +ONBOOT="yes" >> +BRIDGE="br1" >> + >> +brctl addif<bridge name> <ethernet interface> -- This assigns the ethernet >> + interface as a port of the >> bridge >> + >> +After executing this command it is a good time to create the >> +ifcfg-<bridge name> in the /etc/sysconfig/network-scripts directory >> +Below is a sample of what the content of this file (ifcfg-br1) might look >> +like if the ethernet interface name was eth1 and the bridge name was br1 >> + >> +DEVICE="br1" >> +BOOTPROTO="static" >> +IPADDR="192.168.1.67" >> +NETMASK="255.255.255.0" >> +IPV6INIT="yes" >> +ONBOOT="yes" >> +TYPE="Bridge" >> + >> +Restart the network at this point with either a "service network >> restart" if >> +running in capp mode or "run_init service network restart" if running mls >> +policy. >> + >> +brctl setageing<bridge name> 3600 --sets the ageing timer >> + >> +Setting the ageing timer to a high value is helpful to the testing as >> +it prevents the learned mac addresses in the bridge's forwarding database >> +from being deleted when it hasn't seen a frame from that mac address in the >> +timer number of seconds. >> + >> +The setup of this bridge will be placed within the config-server.bash >> script >> +at a later date. >> + >> +After the config-server script has been run there will be a file named >> profile >> +in /tmp. This file will contain all the export commands for the >> environmental >> +variables listed above. It contains environmental variables that are >> needed on >> +each of the 3 platforms. 
To keep from having to do the many queries >> again on >> +each platform the file /tmp/profile needs to be copied to the /tmp >> directory of >> +each of the other two platforms and a source /tmp/profile should be >> executed >> +on each of the platforms. > Is there a better location than /tmp, perhaps in the /usr/local/eal4_testing > directory? My worries about /tmp are that, well, its temporary, but also > that it is polyinstantiated so on an mls system, there can be lots of /tmp > directories and depending on how you log in and what role you're in, things > you put in /tmp might be hard to find. > Location is not important to me, and after doing several tests some defined location other than /tmp is probably a good idea. As a developer utilizing different machines from time to time or replacing one of the machines with another on occasion you can build up a number of /tmp/profile files. /tmp is not the most stable place to be keeping anything you want to hang onto for any length of time and your polyinstantiation comment is a good point. Over time I simply rename my profiles I've created to give me a hint as to which role and which machine the profile was for and then I can reuse them as the machines switch around. You can even replace the profile.sample file in the audit-test directory and when you run through the config-server.bash you will have all default answers and not have much typing to do. >> The config-server script should be then be run on >> +the other two platforms (netserver and catcher) The order of the remaining >> +two platforms is not important. The config-server.bash script when >> +run on the other two platforms will only query for the role (netserver or >> +catcher) and the superuser password. 
It will use the information from the >> +/tmp/profile to setup the network configuration and routing >> + >> +Once the config-server.bash script has been run on each of the 3 platforms >> +(TOE first followed by the other two) The netfilter tests will be ready >> +to run. >> +
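An added example following the exchange above about which README variables can be derived once the device name is known; it is not code from the audit-test suite or from the README patch. It parses the one-line "ip -o addr show" / "ip -o link show" layout into the TOE-side variable names the README lists, skipping link-local IPv6 entries as the README requires for TOE_GLOBAL; the two sample outputs, the function names and the choice of which derived field feeds which README variable are this example's own constructions.

```bash
#!/bin/bash
# Example added to this thread, not part of the audit-test suite or of the README patch.
# Given only the device names (LOCAL_DEV / LOCAL_SEC_DEV), derive the address, mask and
# MAC variables from the one-line output of "ip -o addr show" and "ip -o link show",
# so the tester is not asked to type them. The two sample outputs below are constructed.

SAMPLE_ADDR='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet6 fe80::221:5eff:fef0:3100/64 scope link \       valid_lft forever preferred_lft forever
2: eth0    inet6 2001:db8:1::10/64 scope global \       valid_lft forever preferred_lft forever
3: eth1    inet 192.168.2.10/24 brd 192.168.2.255 scope global eth1\       valid_lft forever preferred_lft forever
3: eth1    inet6 fe80::221:5eff:fef0:319f/64 scope link \       valid_lft forever preferred_lft forever'

SAMPLE_LINK='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000\    link/ether 00:21:5e:f0:31:00 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000\    link/ether 00:21:5e:f0:31:9f brd ff:ff:ff:ff:ff:ff'

# CIDR prefix length (0-32) -> dotted-quad netmask, the form LNET4MASK/SNET4MASK use.
prefix_to_netmask() {
    local bits=$1 mask= i octet
    for i in 1 2 3 4; do
        if [ "$bits" -ge 8 ]; then octet=255
        elif [ "$bits" -le 0 ]; then octet=0
        else octet=$(( 256 - (1 << (8 - bits)) ))
        fi
        bits=$(( bits - 8 ))
        mask="${mask}${mask:+.}${octet}"
    done
    printf '%s\n' "$mask"
}

# First IPv4 address of device $1 from "ip -o addr show" text on stdin; prints "addr prefixlen".
# Exit status 1 when the device has none, so the caller never exports an empty value.
ipv4_of() {
    awk -v dev="$1" '$2 == dev && $3 == "inet" { split($4, a, "/"); print a[1], a[2]; found = 1; exit }
                     END { exit !found }'
}

# Global-scope IPv6 address of device $1. Link-local (fe80::) entries are skipped on purpose:
# the README notes they are not forwarded, so TOE_GLOBAL must be global or site-local.
ipv6_global_of() {
    awk -v dev="$1" '$2 == dev && $3 == "inet6" && $5 == "scope" && $6 == "global" {
                         split($4, a, "/"); print a[1], a[2]; found = 1; exit }
                     END { exit !found }'
}

# MAC address of device $1 from "ip -o link show" text on stdin (LOCAL_SEC_MAC / SECNET_SVR_MAC).
mac_of() {
    awk -v dev="$1" '$2 == (dev ":") { for (i = 1; i <= NF; i++) if ($i == "link/ether") {
                         print $(i + 1); found = 1; exit } }
                     END { exit !found }'
}

# Print the TOE-side export lines of the README for primary device $1 and secondary device $2,
# reading "ip -o addr show" text from $3 and "ip -o link show" text from $4. Which derived
# field feeds which README variable is this example's reading of the README.
derive_profile() {
    local pdev=$1 sdev=$2 addrs=$3 links=$4 v4 v6 mac
    v4=$(printf '%s\n' "$addrs" | ipv4_of "$pdev") || { echo "no IPv4 address on $pdev" >&2; return 1; }
    v6=$(printf '%s\n' "$addrs" | ipv6_global_of "$pdev") || { echo "no global IPv6 on $pdev" >&2; return 1; }
    set -- $v4
    printf 'export LOCAL_DEV="%s"\nexport LOCAL_IPV4="%s"\nexport LNET4MASK="%s"\n' \
        "$pdev" "$1" "$(prefix_to_netmask "$2")"
    set -- $v6
    printf 'export TOE_GLOBAL="%s"\nexport LNET6MASK="%s"\n' "$1" "$2"
    v4=$(printf '%s\n' "$addrs" | ipv4_of "$sdev") || { echo "no IPv4 address on $sdev" >&2; return 1; }
    mac=$(printf '%s\n' "$links" | mac_of "$sdev") || { echo "no MAC address for $sdev" >&2; return 1; }
    set -- $v4
    printf 'export LOCAL_SEC_DEV="%s"\nexport LOCAL_SEC_IPV4="%s"\nexport SNET4MASK="%s"\nexport LOCAL_SEC_MAC="%s"\n' \
        "$sdev" "$1" "$(prefix_to_netmask "$2")" "$mac"
}

# Stand-alone run against the constructed samples; on a real host pass
# "$(ip -o addr show)" and "$(ip -o link show)" instead.
derive_profile eth0 eth1 "$SAMPLE_ADDR" "$SAMPLE_LINK"
```

Because each lookup fails loudly instead of printing an empty value, a device with only a link-local IPv6 address (eth1 in the sample) is reported rather than silently exported as an empty TOE_GLOBAL.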
From: James C. <cz...@li...> - 2011-06-30 01:55:24
diff --git a/audit/README.netfilter b/audit/README.netfilter new file mode 100644 index 0000000..ae3413d --- /dev/null +++ b/audit/README.netfilter 
@@ -0,0 +1,250 @@ +README.netfilter + +ABOUT NETFILTER TESTS +The netfilter tests reside in the sub-directories netfilter and netfilebt of +the audit-test suite. The tests of the iptables and ip6tables reside in +netfilter, and the bridge table filtering tests are in netfilebt. The use +of a remote server running the lblnet_tst_serves required for these tests. + +The ebtables tests also require the creation of a bridge (logical) device on +a secondary network to which the secondary network's ethernet (physical) +device is enslaved. The bridge should be created prior to running the +config-server.bash script is run + +The iptables and ip6tables tests have a large number of the tests that run +over the local loopback device to a locally running lblnet_tst_server. +Some of the tests for iptables and ip6tables are run over the primry ethernet +device against a remote server executing the lblnet_tst_server application. +The locally run lblnet_tst_server which the iptables and ip6tables tests +utilize is automatically started and stopped in the run.conf file, however +the lblnet_tst_server that runs on the remote server must be started before +any of the tests can begin as connectivity to it is tested prior to the +start of any tests. If connectivity cannot be established the test will +error out. The iptables/ip6tables tests have some tests that check the +ability to filter packets requiring forwarding. This requires the use of +a third platform known as the catcher. It can be any platform capable of +running netcat listens. + +You should read the README.netwk_svr for instructions on how to setup the +remote network server. + +There are a number of environmental variables required in order to provide +the information needed to set the rules in iptables, ip6tables and ebtables. +Some of these environmental variables are also required by the network +tests in the audit-test/network directory. 
These environmental variables +may be set manually prior to running the tests but the process of setting them +all is simplified by the config-server.bash script. This script will ask for +the pertinent ipv4, ipv6, and mac addresses as well as device names to which +these adresses are assigned. This allows considerable flexibility in +configuring systems with 2 or possibly several more network interfaces on +both the TOE platform as well as the network server platform. The +config-server.bash script will build a profile in the /tmp directory that +should be sourced prior to running the tests. it is important to pay +attention to the format and correctness of the answers. While the +config-server.bash script will echo your response to the questions and allow +you the opportunity to change your responses, it currently does no format +checking and cannot verify if an address or device name is accurate. It does +however use a profile.sample file to provide a default answer which is +primarily provided for the purpose of giving a sample of the format expected +in the response. + +TESTING STRATEGY +The strategy of the testing is to provide a known and preferable empty +chain in the tables prior to the start of the testing. Then a test message is +run throught the appropriate chain of the tables showiing that it is not +blocking or filtering on the test message. The rule is applied with the +approriate filter information and the test message is run through again. +The result is checked for the expected result of either the dropping, +acceptance, or rejection of the test message. Often the dropping of a message +is verified through the timeout of a listen for the message or the timeout +of a connect request. It is usually verified again via the action parameter +for the message type NETFILTER in the audit log which is rotated before +the start of each test. In the case of a chain policy drop rule the listen +or connect timeout must suffice. 
This is because the only way to audit a +dropped message is to insert a rule with a target of AUDIT_DROP, however +by inserting such a rule it would not verify that the drop is caused by the +policy change as opposed to the rule inserted to audit the drop. + +ENVIRONMENTAL VARIABLES +Below is a list of the environmental variables required to run all the tests +as well as an explanation of what they are. + +RHOST="localhost" (always the local loopback IPv4) + +RHOST6="::1" (always the local loopback IPv6) + +MODE (set to either 32 or 64 depending on whether the TOE OS is + installed as 32 bit or 64 bit) + +PPROFILE (set to capp if running selinux targeted policy (a.k.a base)on + the TOE or set to lspp if running mls policy on the TOE) + +PATH="$PATH:." (The PATH should include the local directory) + +PASSWD (This should be set to the super user password) + +AUDITPATH (Should be set to the audit-test suite directory on the TOE + the directory path should include audit-test. This would + normally be set to /usr/local/eal4_testing/audit-test) + +LOCAL_DEV (primary ethernet device of the TOE for example "eth0") + +LOCAL_SEC_DEV (secondary ethernet device of the TOE for example "eth1") + +LOCAL_SEC_MAC (MAC address of the secondary ethernet device on the TOE + +LOCAL_IPV4 (IPv4 address of primary device on TOE) + +LOCAL_IPV6 (IPv6 address of primary device on TOE) + +LOCAL_SEC_IPV4 (IPv4 address of secondary device on TOE) + +LOCAL_SEC_IPV6 (IPv6 address of secondary device on TOE) + +TOE_GLOBAL (This needs to be either a global or site local IPv6 + address for the primary device on the TOE. 
Link local + addresses are not forwarded and this is used in the + forwarding test) + +TOE_SEC_GLOBAL (Must be a global or site local IPv6 address for the + secondary device on the TOE) + +LBLNET_SVR_IPV4 (This is the IPv4 address for the primary device on the + network server where the lblnet_tst_server application + is running) +LBLNET_SVR_IPV6 (This is the IPv6 address for the primary device on the + network server where the lblnet_tst_server application + is running) + +LBLNET_SVR_DEV (The device name for the network server's primary interface + for example "eth0") + +LNET4MASK (Network mask being used on the primary IPv4 network for + example 255.255.255.0) + +LNET6MASK (Network mask being used on the primary IPv6 network, + specified in number of bits for example "64") + +SECNET_SVR_IPV4 (IPv4 address of the network server's secondary address) + +SECNET_SVR_IPV6 (IPv6 address of the network server's secondary address) + +SECNET_SVR_DEV (Device name for the network server's secondary interface + for example "eth1") + +SECNET_SVR_MAC (MAC address of secondary device on the network server + where the remote lblnet_tst_server application is running) + +SECNET_IPV4 (IPV4 address of the secondary device onn the network server + where the remote lblnet_tst_server application is running) + +SNET4MASK (Network mask being used on the secondary IPv4 network for + example 255.255.255.0) + +SNET6MASK (Network mask being used on the secondary IPv6 network, + specified in number of bits for example "64") + +CATCHER_IPV4 (IPv4 address of 3rd platform where netcat listen on + specified port is performed ...nc -l $CATCHER_PORT4) + +CATCHER_IPV6 (Global or site local IPv6 address of 3rd platform where + netcat listen is performed ...nc -l $CATCHER_PORT6) + +CATCHER_DEV (Device name of interface on 3rd platform providing + connectivity to the TOE's secondary network) + +CATCHER_PORT4 (Port # on 3rd platform designated for the IPv4 netcat listen + for example "4100") + 
+CATCHER_PORT6 (Port # on 3rd platform designated for the IPv4 netcat listen + for example "4200") + +PITCHER_IPV6 (Global or site local IPv6 address of network server's + primary network interface) + +PITCHER_DEV (Is always the same as LBLNET_SVR_DEV simply used in the + scripts to signify the forwarding tests) + +BRIDGE_FILTER (Name of the bridge created on TOE for the ebtables testing. + This bridge should have the secondary device enslaved to + it. + +PROCEDURES FOR CONFIGURATION + +The config-server.bash script in the top level directory of the audit-test +suite should be run on each platform prior to running any of the netfilter +tests. The config-server.bash script must be executed on the TOE first. + +The config-server script will query the user for the adresses, device names, +and network masks needed to properly configure the network, set routes in +the routing table, and set up the chain rules in iptables, ip6tables, and +ebtables. If you choose not to run the config-server.bash script you must set +the above environmental variables and routing tables manually prior to running +the tests. + +Prior to running the config-server.bash script you should create the logical +bridge on the TOE that will be used to test ebtables. The name of the logical +bridge will be requested by the config-server.bash script. 
The bridge can be +set up with the following commands: + +brctl addbr <bridge name> -- This creates an instance of the + ethernet bridge + +After executing this command it is a good time to modify the +ifcfg-<ethernet interface> in the /etc/sysconfig/network-scripts directory +Below is a sample of what the content of this file (ifcfg-eth1) might look +like if the ethernet interface name was eth1 and the bridge name was br1 + +DEVICE="eth1" +BOOTPROTO="static" +HWADDR="00:21:5E:F0:31:9F" +ONBOOT="yes" +BRIDGE="br1" + +brctl addif <bridge name> <ethernet interface> -- This assigns the ethernet + interface as a port of the bridge + +After executing this command it is a good time to create the +ifcfg-<bridge name> in the /etc/sysconfig/network-scripts directory +Below is a sample of what the content of this file (ifcfg-br1) might look +like if the ethernet interface name was eth1 and the bridge name was br1 + +DEVICE="br1" +BOOTPROTO="static" +IPADDR="192.168.1.67" +NETMASK="255.255.255.0" +IPV6INIT="yes" +ONBOOT="yes" +TYPE="Bridge" + +Restart the network at this point with either a "service network restart" if +running in capp mode or "run_init service network restart" if running mls +policy. + +brctl setageing <bridge name> 3600 --sets the ageing timer + +Setting the ageing timer to a high value is helpful to the testing as +it prevents the learned mac addresses in the bridge's forwarding database +from being deleted when it hasn't seen a frame from that mac address in the +timer number of seconds. + +The setup of this bridge will be placed within the config-server.bash script +at a later date. + +After the config-server script has been run there will be a file named profile +in /tmp. This file will contain all the export commands for the environmental +variables listed above. It contains environmental variables that are needed on +each of the 3 platforms. 
To keep from having to do the many queries again on +each platform the file /tmp/profile needs to be copied to the /tmp directory of +each of the other two platforms and a source /tmp/profile should be executed +on each of the platforms. The config-server script should be then be run on +the other two platforms (netserver and catcher) The order of the remaining +two platforms is not important. The config-server.bash script when +run on the other two platforms will only query for the role (netserver or +catcher) and the superuser password. It will use the information from the +/tmp/profile to setup the network configuration and routing + +Once the config-server.bash script has been run on each of the 3 platforms +(TOE first followed by the other two) The netfilter tests will be ready +to run. + |
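Review bot: Under ENVIRONMENTAL VARIABLES the CATCHER_PORT6 entry describes the port as the one for the "IPv4 netcat listen"; it should say IPv6, since the entry is otherwise a copy of CATCHER_PORT4. The LOCAL_SEC_MAC and BRIDGE_FILTER entries are missing their closing parenthesis. Under PROCEDURES FOR CONFIGURATION the tester is told to copy /tmp/profile to the other two platforms, but that file also carries PASSWD, the superuser password listed above; the README should state this, so the tester copies it only over a trusted path and removes it from /tmp on all three hosts once the run is finished. Spelling in TESTING STRATEGY and PROCEDURES: "throught", "showiing", "approriate", "adresses", "onn", and "should be then be run".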
From: James C. <cz...@li...> - 2011-06-26 22:37:59
Signed-off-by James Czyzak <cz...@li...> <mailto:cz...@li...> diff --git a/audit/config-server.bash b/audit/config-server.bash new file mode 100755 index 0000000..e508bd5 --- /dev/null +++ b/audit/config-server.bash 
@@ -0,0 +1,300 @@ +#!/bin/bash +# ============================================================================= +# Copyright 2010, 2011 International Business Machines Corp. +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# ============================================================================= + +# This script querries the user for adresses (mac, ipv4, and ipv6), device +# names of the ethernet interfaces, network masks, and the superuser password +# for all 3 platforms needed to perform the netfilter tests. The script will +# acquire all the information needed for all 3 systems during it's run on the +# TOE (target of evaluation) platform. The only repeated question for the other +# two platforms is the superuser password. +# It will apply the addresses acquired to the correct interface on each +# platform and also create routes needed for the forwarding tests. +# +# +# +# +# This function sets the device interfaces on the TOE (target of evaluation) +# with the addresses obtained through the questioning in this script. 
Also +# the routes to the remote network server and the 3rd platform known as the +# catcher are added to tho route table +# +function setup_toe { +source /tmp/profile +ifconfig $LOCAL_DEV $LOCAL_IPV4 netmask $LNET4MASK +ifconfig $LOCAL_DEV inet6 add $LOCAL_IPV6/$LNET6MASK +ifconfig $LOCAL_DEV inet6 add $TOE_GLOBAL/$LNET6MASK +ifconfig $BRIDGE_FILTER $LOCAL_SEC_IPV4 netmask $SNET4MASK +ifconfig $BRIDGE_FILTER inet6 add $LOCAL_SEC_IPV6/$SNET6MASK +ifconfig $BRIDGE_FILTER inet6 add $TOE_SEC_GLOBAL/$SNET6MASK +route add -net $SECNET_IPV4 netmask $SNET4MASK dev $BRIDGE_FILTER +route -A inet6 add $LBLNET_SVR_IPV6 dev $LOCAL_DEV +route -A inet6 add $SECNET_SVR_IPV6 dev $BRIDGE_FILTER +route -A inet6 add $CATCHER_IPV6 dev $BRIDGE_FILTER +route -A inet6 add $PITCHER_IPV6 dev $LOCAL_DEV +} +# +# This function assigns the addresses obtained during the questioning +# of the script to the interfaces on the remote network server running +# the lblnet_tst_server application. +# + +function setup_net_server { + +source /tmp/profile +ifconfig $LBLNET_SVR_DEV $LBLNET_SVR_IPV4 netmask $LNET4MASK +ifconfig $LBLNET_SVR_DEV inet6 add $LBLNET_SVR_IPV6/$LNET6MASK +ifconfig $SECNET_SVR_DEV $SECNET_SVR_IPV4 netmask $SNET4MASK +ifconfig $SECNET_SVR_DEV inet6 add $SECNET_SVR_IPV6/$SNET6MASK +ifconfig $PITCHER_DEV inet6 add $PITCHER_IPV6/$LNET6MASK +route -A inet6 add $CATCHER_IPV6 gw $TOE_GLOBAL dev $PITCHER_DEV +} + +# +# This function sets the 3rd platforms interface that connects to the +# secondary network with the addresses obtained earlier by this script. +# it then sets up a netcat listen on the ipv4 port specified and a netcat +# listen on the ipv6 port specified for the purpose of receiving packets +# during the ipv4 and ipv6 forwarding test. These packets are sent from +# a netcat script called by the lblnet_tst_server and forwarded through +# the TOE. 
+function setup_catcher { + +source /tmp/profile +ifconfig $CATCHER_DEV $CATCHER_IPV4 netmask $SNET4MASK +ifconfig $CATCHER_DEV inet6 add $CATCHER_IPV6/$SNET6MASK +route add $LBLNET_SVR_IPV4 gw $LOCAL_SEC_IPV4 dev $CATCHER_DEV +route -A inet6 add $PITCHER_IPV6 gw $TOE_SEC_GLOBAL dev $CATCHER_DEV +nc -l $CATCHER_PORT4 & +nc -6 -l CATCHER_PORT6 & +} + +# +# This function asks the tester for the addresss and device particulars needed +# to run the filtering tests. There are a significant number of addresses and +# device names needed to not only set up the networking configuration, but also +# to provide the information needed to input the chain rules in iptables, +# ip6tables, and ebtables. +# +function get_env_variables { + +if test -f /usr/local/eal4_testing/audit-test/profile.sample + then + source /usr/local/eal4_testing/audit-test/profile.sample +fi + +if test -f /tmp/profile + then + rm -f /tmp/profile +fi +touch /tmp/profile +RHOST="localhost" +echo "export RHOST=\"localhost\"" >> /tmp/profile +RHOST6="::1" +echo "export RHOST6=\"::1\"" >> /tmp/profile +MODE="$(ask "64 bit or 32 bit" "$MODE")" +echo "export MODE=$MODE" >> /tmp/profile +PPROFILE="$(ask "Which profile lspp(mls) or capp(base)" "$PPROFILE")" +echo "export PPROFILE=$PPROFILE" >> /tmp/profile +PATH="$PATH:." 
+echo "export PATH=\"\$PATH:.\"" >> /tmp/profile + +PASSWD="$(ask "Superuser passwword")" +echo "export PASSWD=$PASSWD" >> /tmp/profile +echo "" + +echo "The directory path to audit-test requested below is for the toe" +echo "the directory path to audit-test on the netserver should be the same" +echo "If the path on the netserver is different you will need to manually" +echo "edit the AUDITPATH environmental variable in the /tmp/profile file" +echo "on the netserver after the profile is copied to the netserver's /tmp" +echo "directory to reflect the correct path to the audit-tests directory" +echo "" + +AUDITPATH="$(ask "Directory path of audit-test (include audit-test)" "$AUDITPATH")" +LOCAL_DEV="$(ask "Primary network device name of TOE" "$LOCAL_DEV")" +LOCAL_SEC_DEV="$(ask "Secondary network device name of TOE" "$LOCAL_SEC_DEV")" +LOCAL_SEC_MAC="$(ask "Secondary device mac address of TOE (mac/mask)" "$LOCAL_SEC_MAC")" +LOCAL_IPV4="$(ask "IPV4 address of TOE primary device" "$LOCAL_IPV4")" +LOCAL_IPV6="$(ask "IPV6 address of TOE primary device" "$LOCAL_IPV6")" +LOCAL_SEC_IPV4="$(ask "IPV4 address of TOE secondary device" "$LOCAL_SEC_IPV4")" +LOCAL_SEC_IPV6="$(ask "IPV6 address of TOE secondary device" "$LOCAL_SEC_IPV6")" +TOE_GLOBAL="$(ask "Global IPV6 address of TOE primary device" "$TOE_GLOBAL")" +TOE_SEC_GLOBAL="$(ask "Global IPV6 address of TOE secondary device" "$TOE_SEC_GLOBAL")" + +echo "export AUDITPATH=\"$AUDITPATH\"" >> /tmp/profile +echo "export LOCAL_DEV=\"$LOCAL_DEV\"" >> /tmp/profile +echo "export LOCAL_SEC_DEV=\"$LOCAL_SEC_DEV\"" >> /tmp/profile +echo "export LOCAL_SEC_MAC=\"$LOCAL_SEC_MAC\"" >> /tmp/profile +echo "export LOCAL_IPV4=\"$LOCAL_IPV4\"" >> /tmp/profile +echo "export LOCAL_SEC_IPV6=\"$LOCAL_SEC_IPV6\"" >> /tmp/profile +echo "export TOE_GLOBAL=\"$TOE_GLOBAL\"" >> /tmp/profile +echo "export TOE_SEC_GLOBAL=\"$TOE_SEC_GLOBAL\"" >> /tmp/profile + +LBLNET_SVR_IPV4="$(ask "Network server's primary IPV4 address" "$LBLNET_SVR_IPV4")" 
+LBLNET_SVR_IPV6="$(ask "Network server's primary IPV6 address" "$LBLNET_SVR_IPV6")" +REMOTE_IPV6_RAW="$LBLNET_SVR_IPV6" +LBLNET_SVR_DEV="$(ask "Network server's primary device name" "$LBLNET_SVR_DEV")" +LNET4MASK="$(ask "Network server's primary IPV4 mask" "$SNET4MASK")" +LNET6MASK="$(ask "Network server's primary IPV6 mask" "$SNET6MASK")" +SECNET_SVR_IPV4="$(ask "Network server's secondary IPV4 address" "$SECNET_SVR_IPV4")" +SECNET_SVR_IPV6="$(ask "Network server's secondary IPV6 address" "$SECNET_SVR_IPV6")" +SECNET_SVR_DEV="$(ask "Network server's secondary device name" "$SECNET_SVR_DEV")" +SECNET_SVR_MAC="$(ask "Network server's secondary mac address (mac/mask)" "$SECNET_SVR_MAC")" +SECNET_IPV4="$(ask "Network server's secondary IPV4 network address" "$SECNET_IPV4")" +SNET4MASK="$(ask "Network server's secondary IPV4 mask" "$SNET4MASK")" +SNET6MASK="$(ask "Network server's secondary IPV6 mask" "$SNET6MASK")" + +echo "export LBLNET_SVR_IPV4=\"$LBLNET_SVR_IPV4\"" >> /tmp/profile +echo "export LBLNET_SVR_IPV6=\"$LBLNET_SVR_IPV6\"" >> /tmp/profile +echo "export REMOTE_IPV6_RAW=\"$LBLNET_SVR_IPV6\"" >> /tmp/profile +echo "export LBLNET_SVR_DEV=\"$LBLNET_SVR_DEV\"" >> /tmp/profile +echo "export LNET4MASK=\"$LNET4MASK\"" >> /tmp/profile +echo "export LNET6MASK=\"$LNET6MASK\"" >> /tmp/profile +echo "export SECNET_SVR_IPV4=\"$SECNET_SVR_IPV4\"" >> /tmp/profile +echo "export SECNET_SVR_IPV6=\"$SECNET_SVR_IPV6\"" >> /tmp/profile +echo "export SECNET_SVR_DEV=\"$SECNET_SVR_DEV\"" >> /tmp/profile +echo "export SECNET_SVR_MAC=\"$SECNET_SVR_MAC\"" >> /tmp/profile +echo "export SECNET_IPV4=\"$SECNET_IPV4\"" >> /tmp/profile +echo "export SNET4MASK=\"$SNET4MASK\"" >> /tmp/profile +echo "export SNET6MASK=\"$SNET6MASK\"" >> /tmp/profile + +CATCHER_IPV4="$(ask "Catcher's secondary IPV4 address" "$CATCHER_IPV4")" +CATCHER_IPV6="$(ask "Catcher's secondary global IPV6 address" "$CATCHER_IPV6")" +CATCHER_DEV="$(ask "Catcher's secondary device name?" 
"$CATCHER_DEV")" + +PITCHER_IPV6="$(ask "Network server's primary global IPV6 address" "$PITCHER_IPV6")" +PITCHER_DEV="$LBLNET_SVR_DEV" + +BRIDGE_FILTER="$(ask "Name of bridge device created for the filter testing" "$BRIDGE_FILTER")" + +echo "export CATCHER_IPV4=\"$CATCHER_IPV4\"" >> /tmp/profile +echo "export CATCHER_IPV6=\"$CATCHER_IPV6\"" >> /tmp/profile +echo "export CATCHER_DEV=\"$CATCHER_DEV\"" >> /tmp/profile +echo "export CATCHER_PORT4=\"4100\"" >> /tmp/profile +echo "export CATCHER_PORT6=\"4200\"" >> /tmp/profile +echo "export PITCHER_IPV6=\"$PITCHER_IPV6\"" >> /tmp/profile +echo "export PITCHER_DEV=\"$PITCHER_DEV\"" >> /tmp/profile +echo "export BRIDGE_FILTER=\"$BRIDGE_FILTER\"" >> /tmp/profile + +} + +echo_user () { + echo >/dev/tty "$@" +} + +ask () { + echo_user + echo_user -n "$1 [$2] ? " + read res </dev/tty + [ -z "$res" ] && res="$2" + echo_user -n "$res (y/n)" + read ret </dev/tty + if [ "$ret" == "y" ]; then + echo "$res" + else + ask "$1" "$2" + fi +} + +confirm () { + res=$(ask "$1 (y/n)" "$2") + case "$res" in + [yYjJ]*) true ;; + *) false ;; + esac +} + +die () { + echo_user "FATAL: $*" + exit 1 +} + +echo "Valid role names are: toe, netserver, catcher" +echo "" +echo "toe (target of evaluation) is the platform being certified" +echo "" +echo "netserver is the remote server where the lblnet_tst_server" +echo " is being run" +echo "" +echo "catcher is the third platform that will be the recipient of packets" +exho "transmitted by the lblnet_tst_server during the forwarding tests." +echo "" +echo "This script has to be run on the toe first. 
It will obtain required" +echo "info for all three roles and create a file in /tmp named profile" +echo "The file profile on the toe should then be copied to the /tmp directory" +echo "of both the netserver and catcher prior to running this script on those" +echo " 2 platforms" +echo "" +SERVER_ROLE="$(ask "Which role does this server perform" "toe")" +if [[ "$SERVER_ROLE" == "toe" ]]; then + if test -f /tmp/profile + then + source /tmp/profile + else + if test -f ./profile.sample + then + source ./profile.sample + else + echo "There is no sample profile to use for default answers or" + echo "examples fo format. Either you are not running in the audit-test" + echo "directory or the sample profile that is normally in the" + echo "audit-test directory has been deleted" + confirm "Do you want to continue anyway? " "n" || { + die "Configuration aborted." + } + fi + fi + + get_env_variables + setup_toe + echo "You should now check the /tmp/profile file for errors" + echo "and if satisfied it is correct, copy it to both the" + echo "netserver's, and catcher's /tmp directory" + exit +fi +if [[ "$SERVER_ROLE" == "netserver" ]]; then + if test -f /tmp/profile + then + PASSWD="$(ask "Superuser passwword")" + echo "export PASSWD=$PASSWD" >> /tmp/profile + setup_net_server + exit + else + echo "/tmp/profile does not exist" + echo "Copy profie from toe platform to /tmp" + exit + fi +fi +if [[ "$SERVER_ROLE" == "catcher" ]]; then + if test -f /tmp/profile + then + PASSWD="$(ask "Superuser passwword")" + echo "export PASSWD=$PASSWD" >> /tmp/profile + source /tmp/profile + setup_catcher + exit + else + echo "/tmp/profile does not exist" + echo "Copy profie from toe platform to /tmp" + exit + fi +fi +echo "Invalid role, role names are case sensitive" +exit |
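Review bot: In setup_catcher the IPv6 listener is started with `nc -6 -l CATCHER_PORT6 &`; the `$` is missing, so nc is handed a literal port name and the IPv6 forwarding test has nothing listening to catch the packet. In get_env_variables LOCAL_IPV6 and LOCAL_SEC_IPV4 are asked for but never written to /tmp/profile, while setup_catcher reads them from that copied file (`route add $LBLNET_SVR_IPV4 gw $LOCAL_SEC_IPV4 dev $CATCHER_DEV`), so on the catcher the route is added with an empty gateway; add the two missing `echo "export ..."` lines. The LNET4MASK and LNET6MASK prompts pass `$SNET4MASK` and `$SNET6MASK` as their defaults instead of the primary-network values. In the role banner `exho "transmitted ..."` prints a command-not-found error on every run. Finally, /tmp/profile is created with `touch` under the default umask and then receives `export PASSWD=$PASSWD` in clear text: create it with a private mode (`umask 077` before the `touch`, or `install -m 600 /dev/null /tmp/profile`), quote the value so a password containing spaces or shell metacharacters does not break the sourced file, and use `read -s` in the prompt that collects it, since `ask` currently echoes the password back to the terminal.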
From: James C. <cz...@li...> - 2011-06-26 22:38:19
Signed-off-by James Czyzak <cz...@li...> <mailto:cz...@li...> diff --git a/audit/netfilebt/Makefile b/audit/netfilebt/Makefile new file mode 100644 index 0000000..a247c52 --- /dev/null +++ b/audit/netfilebt/Makefile @@ -0,0 +1,25 @@ +############################################################################### +# (c) Copyright Hewlett-Packard Development Company, L.P., 2006 +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of version 2 the GNU General Public License as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +############################################################################### + +TOPDIR = .. + +include $(TOPDIR)/rules.mk + +.PHONY: unlock + +unlock: + [[ -n $$LBLNET_SVR_IPV6 ]] && \ + (echo "lock:release;" | nc -w 1 $$LBLNET_SVR_IPV6 4000) |
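Review bot: The unlock recipe uses `[[ -n $$LBLNET_SVR_IPV6 ]] && (...)`, which is a bash construct; unless rules.mk sets SHELL to bash the recipe runs under /bin/sh and fails on `[[`. `test -n "$$LBLNET_SVR_IPV6"` works in both. Also, when the variable is unset the `&&` short-circuits with status 1 and make reports `unlock` as failed although there is no lock to release; append `|| true` or write the recipe as an if/fi so an unset variable is a no-op. The copyright line says 2006 on a file added in 2011.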
From: James C. <cz...@li...> - 2011-06-30 01:56:53
diff --git a/audit/netfilebt/Makefile b/audit/netfilebt/Makefile new file mode 100644 index 0000000..0426cca --- /dev/null +++ b/audit/netfilebt/Makefile @@ -0,0 +1,25 @@ +############################################################################### +# (c) Copyright Hewlett-Packard Development Company, L.P., 2006 +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of version 2 the GNU General Public License as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +############################################################################### + +TOPDIR = .. + +include $(TOPDIR)/rules.mk + +.PHONY: unlock + +unlock: + [[ -n $$LBLNET_SVR_IPV6 ]] && \ + (echo "lock:release;" | nc -w 1 $$LBLNET_SVR_IPV6 4000) |
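Review bot: Compared with the earlier post of this file the only change is the `#` separator line restored in the license header. One remaining point on the recipe: the release command is sent with `nc -w 1 $$LBLNET_SVR_IPV6 4000`, without `-6` and without the `%$LOCAL_DEV` scope that tstsvr_lock in run.conf appends when it takes the lock; if the server address is link-local the release never reaches the server and the lock is left to expire on its timeout. Use the same address form in both places.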
From: James C. <cz...@li...> - 2011-06-26 22:38:36
Signed-off-by James Czyzak <cz...@li...> <mailto:cz...@li...> diff --git a/audit/netfilebt/netfilebt_functions.bash b/audit/netfilebt/netfilebt_functions.bash new file mode 100644 index 0000000..4a821b9 --- /dev/null +++ b/audit/netfilebt/netfilebt_functions.bash @@ -0,0 +1,100 @@ +#!/bin/bash +############################################################################### +# (c) Copyright Hewlett-Packard Development Company, L.P., 2007 +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of version 2 the GNU General Public License as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. |
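Review bot: The hunk header announces 100 added lines, but the post ends after the license header, so this patch cannot be applied as received; the 2011-06-30 repost of the same file carries the complete content and should be the one reviewed.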
From: James C. <cz...@li...> - 2011-06-30 02:13:31
diff --git a/audit/netfilebt/netfilebt_functions.bash b/audit/netfilebt/netfilebt_functions.bash new file mode 100644 index 0000000..32a221f --- /dev/null +++ b/audit/netfilebt/netfilebt_functions.bash 
@@ -0,0 +1,102 @@ +#!/bin/bash +############################################################################### +# (c) Copyright Hewlett-Packard Development Company, L.P., 2007 +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of version 2 the GNU General Public License as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +############################################################################### + +# File History +# 11/30/2010 +# This file is nearly the same as the one in the network directory by the name +# of network_functions.bash Items not needed have been eliminated and is +# created as a different file to allow changes particular to ebtables in the +# future which may not be needed for network tests as is the case in the +# netfilter sub-directory for iptables/ip6tables filtering +# + +source testcase.bash || exit 2 + +###################################################################### +# global variables +###################################################################### + +# NOTE: these are not truly global since this file is sourced from inside +# run_test(), so declare them with "declare" + +# audit record fields +declare log_mark success +declare uid=0 euid=0 suid=0 fsuid=0 +declare gid=0 egid=0 sgid=0 fsgid=0 +declare result=0 + +###################################################################### +# common functions +###################################################################### + +# usage: check_result <success case> <result> <exit value> <testcase number> +function check_result { + declare suc=$1 
res=$2 ext=$3 err_name=$4 + declare err + + if [[ -n $err_name ]]; then + err=$(get_error_code $err_name) + fi + + # yes/no set in common startup, so we can assume only two cases + case $suc in + success) + [[ $res != 0 ]] && exit_error "unexpected test result" + ;; + fail) + if [[ $res == 0 ]]; then + exit_fail "operation should have been denied" + elif [[ $res != 1 ]]; then + exit_error "unexpected test result" + fi + [[ $ext != $err ]] && exit_error "unexpected test error" + # audit represents errors as negative numbers so fixup the global + # field value + exitval=-$(get_error_code_raw $err_name) + ;; + esac +} + +# usage: get_error_code_raw <error_name, e.g. EPERM> +# this is a private function and should not be called outside the scope of +# this file +function get_error_code_raw { + case $1 in + ERESTARTSYS) + # XXX - this is to workaround a kernel audit ?bug? + echo "512" + ;; + *) + gcc -E -dM /usr/include/asm-generic/errno.h | grep $1 | awk '{print $3}' + ;; + esac +} + +# usage: get_error_code <error_name, e.g. EPERM> +function get_error_code { + case $1 in + ERESTARTSYS) + # XXX - this is to workaround a kernel audit ?bug? + get_error_code_raw EINTR + ;; + *) + get_error_code_raw $1 + ;; + esac +} + + |
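Review bot: In get_error_code_raw the lookup `gcc -E -dM /usr/include/asm-generic/errno.h | grep $1 | awk '{print $3}'` matches the name anywhere on the line, so an errno that also appears as the value of an alias returns two tokens: errno.h defines `EWOULDBLOCK EAGAIN` and `ENOTSUP EOPNOTSUPP`, so get_error_code EAGAIN yields `11` and `EAGAIN`, and the `[[ $ext != $err ]]` comparison in check_result then always reports an unexpected error. Anchor the match, e.g. `grep "^#define $1 "`, or do it in awk: `awk -v n="$1" '$2 == n {print $3}'`. Separately, `declare result=0` is declared in the globals but nothing in this file uses it; check_result assigns `exitval` instead, which is not declared here, so either the declaration names the wrong variable or it is dead.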
From: James C. <cz...@li...> - 2011-06-26 22:39:07
Signed-off-by James Czyzak <cz...@li...> <mailto:cz...@li...> diff --git a/audit/netfilebt/run.conf b/audit/netfilebt/run.conf new file mode 100644 index 0000000..2415307 --- /dev/null +++ b/audit/netfilebt/run.conf 
@@ -0,0 +1,1455 @@ +#!/bin/bash +# ============================================================================= +# (c) Copyright Hewlett-Packard Development Company, L.P., 2005, 2006, 2007 +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of version 2 the GNU General Public License as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# ============================================================================= + +###################################################################### +# global variables +###################################################################### + +tstsvr_lock_timeout_lspp=3000 # in seconds (50m) +tstsvr_lock_timeout_capp=120 # in seconds (2m) +tstsvr_lock_timeout=0 +tstsvr_lock_held=0 +tst_port1=4100 +tst_port2=4200 +tst_port3=4300 + +###################################################################### +# helper functions +###################################################################### + +# +# get_test_domain - Get the SELinux domain for the test applet +# +# INPUT +# $1 : the labeling type +# $2 : the host type +# +# OUTPUT +# Writes the SELinux domain to stdout +# +# DESCRIPTION +# This function determines the correct SELinux domain to use for the test +# applet based on the given labeling type. 
+# +function get_test_domain { + declare type_arg=$1 host_arg=$2 + + case $PPROFILE-$host_arg in + lspp-*|capp-remote) + case $type_arg in + unlabeled) + echo "lspp_test_generic_t" + ;; + *) + exit_fail "invalid test argument" + ;; + ;; + esac + ;; + capp-local) + case $type_arg in + *) + echo "unconfined_t" + ;; + esac + ;; + esac +} + +# +# get_label_subj - Get the subject's sensitivity label for the test run +# +# INPUT +# $1 : the MLS "op" +# +# OUPUT +# Writes the subject's untranslated sensivity label to stdout +# +# DESCRIPTION +# This function sets the subject's sensitivity label for the test run +# based on the MLS "op". The MLS "op" will always specify the subject +# is to be equal to (eq) the object for the ebtables filtering tests. +# This MLS "op" definition assumes the Bell-LaPadula based MLS +# constraints in use by the SELinux MLS policy derived from the SELinux +# Reference Policy. +# +function get_label_subj { + declare mlsop_arg=$1 + + case $PPROFILE in + lspp) + case $mlsop_arg in + eq) + echo "SystemLow" + ;; + *) + exit_fail "invalid test argument" + ;; + esac + ;; + capp) + case $mlsop_arg in + *) + # in targeted policy (the likely policy for CAPP) the s0 + # sensitivity label is translated into a NULL string so we + # have to use the untranslated sensitivity label + echo "s0" + ;; + esac + ;; + esac +} + +# +# get_label_obj - Get the object's sensitivity label for the test run +# +# INPUT +# $1 : the MLS "op" +# +# OUPUT +# Writes the object's untranslated sensivity label to stdout +# +# DESCRIPTION # This function determines the objects's sensitivity label for the test run +# based on the MLS "op". The MLS "op" specifies the subject is to be equal +# to (eq) the object. +# This MLS "op" definition assumes the Bell-LaPadula based MLS +# constraints in use by the SELinux MLS policy derived from the SELinux +# Reference Policy. 
+# +function get_label_obj { + declare mlsop_arg=$1 + + case $PPROFILE in + lspp) + case $mlsop_arg in + eq) + echo "SystemLow" + ;; + *) + exit_fail "invalid test argument" + ;; + esac + ;; + capp) + case $mlsop_arg in + *) + # in targeted policy (the likely policy for CAPP) the s0 + # sensitivity label is translated into a NULL string so we + # have to use the untranslated sensitivity label + echo "s0" + ;; + esac + ;; + esac +} + +# +# get_host_local - Get the IP address to use as the local address for the test +# +# INPUT +# $1 : the IP version +# $2 : the host type +# +# OUTPUT +# Writes the IP address to stdout +# +# DESCRIPTION +# This function determines the correct local address to use for the test run +# based on an IP version string, "ipv4" or "ipv6", and the host type, "local" +# or "remote". While the "local" host types resolve to the IPv4 or IPv6 +# localhost address the "remote" host types resolve to IP addresses specified +# in environment variables which are queried at the start of the test run. +# +function get_host_local { + declare ipv_arg=$1 host_arg=$2 + + case $ipv_arg in + ipv4) + case $host_arg in + local) + echo "127.0.0.1" + ;; + remote) + echo "$lblnet_loc4_host" + ;; + *) + exit_fail "invalid test argument" + ;; + esac + ;; + ipv6) + case $host_arg in + local) + echo "::1" + ;; + remote) + echo "$lblnet_loc6_host" + ;; + *) + exit_fail "invalid test argument" + ;; + esac + ;; + *) + exit_fail "invalid test argument" + ;; + esac +} + +# +# get_host_remote - Get the IP address to use as the remote address +# +# INPUT +# $1 : the IP version +# $2 : the host type +# +# OUTPUT +# Writes the IP address to stdout +# +# DESCRIPTION +# This function determines the correct remote address to use for the test +# run based on an IP version string, "ipv4" or "ipv6", and the host type, +# "local" or "remote". 
While the "local" host types resolve to the IPv4 or +# IPv6 localhost address the "remote" host types resolve to IP addresses +# specified in environment variables which are queried at the start of the +# test run. +# +function get_host_remote { + declare ipv_arg=$1 host_arg=$2 + + case $ipv_arg in + ipv4) + case $host_arg in + local) + echo "127.0.0.1" + ;; + remote) + echo "$lblnet_svr4_host" + ;; + *) + exit_fail "invalid test argument" + ;; + esac + ;; + ipv6) + case $host_arg in + local) + echo "::1" + ;; + remote) + echo "$lblnet_svr6_host" + ;; + *) + exit_fail "invalid test argument" + ;; + esac + ;; + *) + exit_fail "invalid test argument" + ;; + esac +} + +# +# tstsvr_lock - Lock the remote test server +# +# INPUT +# none +# +# OUTPUT +# Returns true if the test server was able to be locked, false otherwise +# +# DESCRIPTION +# This function attempts to lock the remote test server with the timeout value +# specified in the global variable $tstsvr_lock_timeout. If the function is +# able to lock the remote test server then it returns true and sets the global +# variable $tstsvr_lock_held to 1 for use in the tstsvr_unlock() function. If +# for any reason the function is not able to lock the remote test server then +# the function returns false and the value in $tstsvr_lock_held is unchanged. +# This function assumes the remote node is running a test driver similar to the +# one found in "utils/network-server/lblnet_tst_server.c". +# +function tstsvr_lock { + declare rc + declare cmd_str="lock:set,$tstsvr_lock_timeout;" + + echo $lblnet_svr6_host + rc="$(nc -6 -w 1 $LBLNET_SVR_IPV6%$LOCAL_DEV 4000 <<< $cmd_str)" + if [[ $rc == 0 ]]; then + tstsvr_lock_held=1 + return 0 + fi + + return 1 +} + +# +# tstsvr_unlock - Unlock the remote test server +# +# INPUT +# none +# +# OUTPUT +# none +# +# DESCRIPTION +# This function attempts to unlock the remote test server if it was locked +# previously during this test run. 
The function checks the $tstsvr_lock_held +# global variable and if the value is 1, set by the tstsvr_lock() function, +# then the function sends an unlock command to the remote test server. If the +# $tstsvr_lock_held variable is not set to 1 then this function does nothing. +# This function assumes the remote node is running a test driver similar to the +# one found in "utils/network-server/lblnet_tst_server.c". +# +function tstsvr_unlock { + declare cmd_str="lock:release;" + + if [[ $tstsvr_lock_held == 1 ]]; then + nc -6 -w 1 $lblnet_svr6_host 4000 <<< $cmd_str + fi +} + +# +# verify_remote - Verify that the remote test server is available for use +# +# INPUT +# none +# +# OUTPUT +# Returns true if the remote test server is available, false otherwise +# +# DESCRIPTION +# This function checks to see if the remote test server is available for use +# and is able to be locked for this test run in which case it returns true. +# If the test server is offline, or in use by another host and unable to be +# locked then this function returns false. +# +function verify_remote { + tstsvr_lock + return $? +} + +###################################################################### +# defaults +###################################################################### + +# +# setup_default - Setup the remote test driver +# +# INPUT +# none +# +# OUTPUT +# none +# +# DESCRIPTION +# All of the ebtables tests in this file need to either send data to a remote +# node or receive data from a remote node; this function does the required +# setup to initialize the remote node based on the individual test case. This +# function works for both "local" (localhost) and "remote" (non-localhost) +# host types using both IPv4 and IPv6. No ebtables tests are run on the local +# loopback device. This function determines the setup +# needed by the test using the "op", "host", "type", "mlsop", "ipv", and +# "port" named arguments as given on the test command line. 
On error the +# function calls exit_error() which marks the test case as resulting in an +# error. This function assumes the remote node is running a test driver +# similar to the one found in "utils/network-server/lblnet_tst_server.c". +# +function setup_default { + declare rc=1 + declare tspid=0 + declare cmd_str + declare remote_obj local_host + declare loop_cnt + + # generate the host command string + remote_obj="$(get_label_obj $mlsop)" + cmd_str="sockcon:full,system_u:system_r:$(get_test_domain $type $host):$remote_obj;" + case $op in + sendrand_tcp) + if [[ $ipv == "ipv6" ]]; then + local_host="$LOCAL_SEC_IPV6%$SECNET_SVR_DEV" + echo " $local_host " + else + local_host="$(get_host_local $ipv $host)" + fi + cmd_str+="sleep:5;" + cmd_str+="sendrand:$local_host,tcp,$port,1;" + ;; + sendrand_udp) + if [[ $ipv == "ipv6" ]]; then + local_host="$LOCAL_SEC_IPV6%$SECNET_SVR_DEV" + else + local_host="$(get_host_local $ipv $host)" + fi + cmd_str+="sleep:5;" + cmd_str+="sendrand:$local_host,udp,$port,1;" + ;; + recv_tcp) + cmd_str+="recv:$ipv,tcp,$port,0;" + ;; + +# recv_udp is not used in ebtables testing currently but is +# left in for possible future test cases as the operation +# already coded in the lblnet_tst_server + + recv_udp) + cmd_str+="recv:$ipv,udp,$port,1;" + ;; + *) + exit_fail "invalid test argument" + ;; + esac + + # setup the remote test server (try more than once) + for ((loop_cnt=0; loop_cnt<=2 && rc!=0; loop_cnt++)); do + case $host in remote) + rc="$(nc -6 -w 2 $lblnet_svr6_host 4000 <<< $cmd_str)" + ;; + local) + # use the same port as the remote IPv4 setting + rc="$(nc -w 1 ::1 4000 <<< $cmd_str)" + ;; + *) + exit_fail "invalid test argument" + ;; + esac + if [[ $rc != 0 ]]; then + echo "notice: failed to setup remote test server, retrying" + echo "return code = "$rc" " + sleep 10 + fi + done + + # verify the setup + if [[ $rc != 0 ]]; then + exit_error "could not setup remote test server" + fi +} + + 
+###################################################################### +# run.bash overrides +###################################################################### + +# Rename the original run.bash + function to run+ and create our own + function +# that generates a tag for the test based on the named parameters. + +# +# + - Generate a unique tag for each test case and run the default "+" function +# +# INPUT +# $@ : test command line +# +# OUTPUT +# none +# +# DESCRIPTION +# This function acts as a wrapper for the original "+" function which is +# responsibile for running each test case shown at the bottom of this file. +# This wrapper function is necessary to automatically generate a unique tag for +# each test case based on it's named arguments. This tag is then used as an +# additional named argument for the default "+" function. +# +eval "function run+ $(type + | sed '1,2d')" +function + { + declare test=$1 tag # make sure it's not inherited from caller + shift + eval "$(parse_named "$@")" || exit_error + if [[ -z $tag ]]; then + # extract the named args that identify a unique testcase + run+ $test \ + tag="${test}__${host}_${type}_${ipv}_${expres}_subj_${mlsop}_obj" \ + "$@" + else + # use tag supplied in run.conf + run+ $test "$@" + fi +} + +# +# show_test - Display the test case details +# +# INPUT +# $@ : test command line +# +# OUTPUT +# Writes the test case details to stdout +# +# DESCRIPTION +# This function reads in the entire test case command line and depending on +# the verbosity of the test harness either the entire command line is dumped +# to stdout or just the tag named variable as generated by the +() function +# defined in this file. All output is handled by the fmt_test() function +# which is defined as by the test harness. This function was overloaded +# because of the special handling for the tag named variable. +# +function show_test { + if ! 
$opt_verbose; then + declare tag # make sure it's not inherited from caller + eval "$(parse_named "$@")" || exit_error + [[ -n $tag ]] && set -- "$tag" + fi + fmt_test "[$TESTNUM]" "$@" +} + +# +# network_cleanup - Release the lock on the remote test server +# +# INPUT +# none +# +# OUTPUT +# none +# +# DESCRIPTION +# This function tries to unlock the remote test server by calling the +# tstsvr_unlock() function. +# +function network_cleanup { + tstsvr_unlock +} +prepend_cleanup 'network_cleanup' + + +# +# This function sets up the ebtables targets that allow an audit log +# of packets matching the rule that uses either AUDIT_DROP or +# AUDIT_ACCEPT as the target in the rule. +# +function ebtaudit_setup { + +ebtables -N AUDIT_DROP +ebtables -A AUDIT_DROP -j AUDIT --audit-type DROP +ebtables -A AUDIT_DROP -j DROP +sleep 1 +ebtables -N AUDIT_ACCEPT +ebtables -A AUDIT_ACCEPT -j AUDIT --audit-type ACCEPT +ebtables -A AUDIT_ACCEPT -j ACCEPT +} + +###################################################################### +# run_test +###################################################################### + +# +# run_test - Execute an individual test case +# +# INPUT +# $@ : test command line +# +# OUTPUT +# Returns true on test success, other error values on test failure +# +# DESCRIPTION +# This function is responsibile for executing all aspects of an individual +# test case including the following: setup, audit configuration and rotation, +# test case execution, test case verification, and audit verification. Most of +# these tasks are handled by other helper function defined either in this file +# or in the test harness, however, they are called from inside this function +# based on the individual test case's requirements. In the case where a test +# is run and it returns true and the audit verification is successful then this +# function returns true and the test case can be considered to have passed. 
+# However, if either the test case returns non-true, the audit trail is not +# correct, or an error occurs elsewhere then this function calls either the +# exit_fail() or exit_error() functions to signify a test case failure. +# +function run_test { + declare syscall=$1 tst_name=$1 + declare x name value status log_mark + declare test_domain label_subj label_obj host_local host_remote + shift + eval "$(parse_named "$@")" || exit_error + + source $AUDITPATH/netfilebt/netfilebt_functions.bash || exit_error + + if [[ tnum -eq 41 ]]; then + ./testperm.bash + return $? + fi + + # get the derived variables + # NOTE: the $test_domain variable is always using the "local" version of + # the test domain because the value is always only used on the + # local machine (see below) + test_domain=$(get_test_domain $type local) + label_subj=$(get_label_subj $mlsop) + label_obj=$(get_label_obj $mlsop) + host_local=$(get_host_local $ipv $host) + host_remote=$(get_host_remote $ipv $host) + + # run the + # default setup + if [[ $PPROFILE = lspp ]] ; then + expect -c' + spawn run_init service ebtables restart + expect "Authenticating ccteam." 
+ expect "Password:" + sleep 1 + send "$env(PASSWD)\r" + wait + close' + else + service ebtables restart + fi + ebtaudit_setup + sleep 4 + setup_default + + case $tnum in + 2) + ebtables -I INPUT 1 -i $SECNET_SVR_DEV -j AUDIT_DROP + ebtables -L --Ln + ;; + 4) + ebtables -I INPUT 1 -p IPv4 --ip-source $SECNET_SVR_IPV4 -j AUDIT_DROP + ebtables -L --Ln + ;; + 5) + ebtables -I INPUT 1 -p IPv4 --ip-destination $LOCAL_SEC_IPV4 -j AUDIT_DROP + ebtables -L --Ln + ;; + 7) + ebtables -I INPUT 1 -p IPv4 --ip-proto TCP --ip-source-port $tst_port1 -j AUDIT_DROP + ebtables -L --Ln + ;; + 8) + ebtables -I INPUT 1 -p IPv4 --ip-proto TCP --ip-destination-port $tst_port1 -j AUDIT_DROP + iptables -L --line-numbers -n + ;; + 10) + ebtables -I INPUT 1 -p IPv4 --ip-proto UDP --ip-source-port 30000:60000 -j AUDIT_DROP + ebtables -L --Ln + ;; + 11) + ebtables -I INPUT 1 -p IPv4 --ip-proto UDP --ip-destination-port $tst_port1 -j AUDIT_DROP + ebtables -L --Ln + ;; + 13) + ebtables -I INPUT 1 -p IPv4 --ip-proto TCP --ip-destination-port 22 -j AUDIT_ACCEPT + ebtables -I INPUT 2 -p IPv4 --ip-proto TCP --ip-destination-port $tst_port1 -j AUDIT_ACCEPT + ebtables -P INPUT DROP + ebtables -L --Ln + ;; + 14) + ebtables -I INPUT 1 -p IPv4 --ip-proto TCP --ip-destination-port 22 -j AUDIT_ACCEPT + ebtables -P INPUT DROP + ebtables -L --Ln + ;; + 15) + ebtables -I INPUT 1 --logical-in $BRIDGE_FILTER -j AUDIT_ACCEPT + ebtables -L --Ln + ;; + 16) + ebtables -I INPUT 1 --logical-in $BRIDGE_FILTER -j AUDIT_DROP + ebtables -L --Ln + ;; + 17) + ebtables -I INPUT 1 -s $SECNET_SVR_MAC -j AUDIT_ACCEPT + ebtables -L --Ln + ;; + 18) + ebtables -I INPUT 1 -s $SECNET_SVR_MAC -j AUDIT_DROP + ebtables -L --Ln + ;; + 19) + ebtables -I INPUT 1 -d $LOCAL_SEC_MAC -j AUDIT_ACCEPT + ebtables -L --Ln + ;; + 20) + ebtables -I INPUT 1 -d $LOCAL_SEC_MAC -j AUDIT_DROP + ebtables -L --Ln + ;; + 22) + ebtables -I INPUT 1 -i $SECNET_SVR_DEV -j AUDIT_DROP + ebtables -L --Ln + ;; + 24) + ebtables -I INPUT 1 -p IPv6 --ip6-source 
$SECNET_SVR_IPV6 -j AUDIT_DROP + ebtables -L --Ln + ;; + 25) + ebtables -I INPUT 1 -p IPv6 --ip6-destination $LOCAL_SEC_IPV6 -j AUDIT_DROP + ebtables -L --Ln + ;; + 27) + ebtables -I INPUT 1 -p IPv6 --ip6-proto TCP --ip6-source-port $tst_port1 -j AUDIT_DROP + ebtables -L --Ln + ;; + 28) + ebtables -I INPUT 1 -p IPv6 --ip6-proto TCP --ip6-destination-port $tst_port1 -j AUDIT_DROP + iptables -L --line-numbers -n + ;; + 30) + ebtables -I INPUT 1 -p IPv6 --ip6-proto UDP --ip6-source-port 30000:60000 -j AUDIT_DROP + ebtables -L --Ln + ;; + 31) + ebtables -I INPUT 1 -p IPv6 --ip6-proto UDP --ip6-destination-port $tst_port1 -j AUDIT_DROP + ebtables -L --Ln + ;; + 33) + ebtables -I INPUT 1 -p IPv6 --ip6-proto TCP --ip6-destination-port 22 -j AUDIT_ACCEPT + ebtables -I INPUT 2 -p IPv6 --ip6-proto TCP --ip6-destination-port $tst_port1 -j AUDIT_ACCEPT + ebtables -P INPUT DROP + ebtables -L --Ln + ;; + 34) + ebtables -I INPUT 1 -p IPv6 --ip6-proto TCP --ip6-destination-port 22 -j AUDIT_ACCEPT + ebtables -P INPUT DROP + ebtables -L --Ln + ;; + 35) + ebtables -I INPUT 1 --logical-in $BRIDGE_FILTER -j AUDIT_ACCEPT + ebtables -L --Ln + ;; + 36) + ebtables -I INPUT 1 --logical-in $BRIDGE_FILTER -j AUDIT_DROP + ebtables -L --Ln + ;; + 37) + ebtables -I INPUT 1 -s $SECNET_SVR_MAC -j AUDIT_ACCEPT + ebtables -L --Ln + ;; + 38) + ebtables -I INPUT 1 -s $SECNET_SVR_MAC -j AUDIT_DROP + ebtables -L --Ln + ;; + 39) + ebtables -I INPUT 1 -d $LOCAL_SEC_MAC -j AUDIT_ACCEPT + ebtables -L --Ln + ;; + 40) + ebtables -I INPUT 1 -d $LOCAL_SEC_MAC -j AUDIT_DROP + ebtables -L --Ln + ;; + *) + sleep 1 + echo "test case = $tnum" + ;; + esac + + # force the audit log to rotate + rotate_audit_logs || exit_error + + # mark the log for augrok later + log_mark=$(stat -c %s $audit_log) + # run this in a subshell so that exit_* doesn't abort early + ( + declare testres exitval pid + declare tst_args=( $(eval echo \"${unnamed[*]}\") ) + set -x + # run the test itself + read testres exitval pid <<< \ + 
"$(runcon -t $test_domain -l $(get_label_subj $mlsop) \ + do_$tst_name "${tst_args[@]}")" + + echo "testres is "$testres" and exitval is "$exitval" " + [[ -z $testres || -z $exitval || -z $pid ]] && exit_error + check_result $expres $testres $exitval $err + +## audit.log is checked for packets of message type NETFILTER_PKT, +## the appropriate action (0 = accepted, 1 = dropped), and the interface on +## which it occurred ($LOCAL_SEC_DEV) against the tnums where an audit +## record is expected + + case $tnum in + 2 | 4 | 5 | 7 | 8 | 10 | 11) + asreturn=$(ausearch -m NETFILTER_PKT -if /var/log/audit/audit.log \ + | grep action=1 | grep -m 1 inif="$LOCAL_SEC_DEV") + if [[ -n $asreturn ]]; then + echo " "$asreturn" " + exit_pass + else + exit_fail "missing log in audit.log" + fi + ;; + 13 | 15 | 19 | 33 | 37 | 39) + asreturn=$(ausearch -m NETFILTER_PKT -if /var/log/audit/audit.log \ + | grep action=0 | grep -m 1 inif="$LOCAL_SEC_DEV") + if [[ -n $asreturn ]]; then + echo " "$asreturn" " + exit_pass + else + exit_fail "missing log in audit.log" + fi + ;; + 16 | 18 | 20 | 22 | 24 | 25 | 27) + asreturn=$(ausearch -m NETFILTER_PKT -if /var/log/audit/audit.log \ + | grep action=1 | grep -m 1 inif="$LOCAL_SEC_DEV") + if [[ -n $asreturn ]]; then + echo " "$asreturn" " + exit_pass + else + exit_fail "missing log in audit.log" + fi + ;; + 28 | 30 | 31 | 38 | 40) + asreturn=$(ausearch -m NETFILTER_PKT | grep action=1 | grep -m 1 inif="$LOCAL_SEC_DEV") + if [[ -n $asreturn ]]; then + echo " "$asreturn" " + exit_pass + else + exit_fail "missing log in audit.log" + fi + ;; + *) + exit_pass + ;; + esac + + ) + status=$? + if [[ $PPROFILE = lspp ]] ; then + expect -c' + spawn run_init service ebtables restart + expect "Authenticating ccteam." 
+ expect "Password:" + sleep 1 + sleep 1 + send "$env(PASSWD)\r" + wait + close' + else + service ebtables restart + fi + + # whenever the test fails, pause so the test server can cleanup + [[ "$expres" == "fail" || "$status" != "0" ]] && sleep 10 + + # display the audit log items + if [[ $status != 0 ]]; then + echo + echo augrok output + echo ------------- + augrok --seek=$log_mark type!=DAEMON_ROTATE + fi + + return $status +} + +########## +# +# more helper functions (in place of addr_loop and addr_filter +# since we already needed environmental variables for the iptables +# and ip6tables filtering tests.) +# +########## +function get_ipv6_prefix { + if [[ -n $SECNET_SVR_IPV6 ]]; then + echo $SECNET_SVR_IPV6 | \ + awk 'BEGIN { FS = ":" } { print $1 }' +# was { print $1":"$2":"$3":"$4":" }' + elif [[ -n $SECNET_PREFIX_IPV6 ]]; then + echo $SECNET_PREFIX_IPV6 | sed 's/:\/[0-9]*//;s/:0*/:/g;' + else + ip -o -f inet6 addr show scope global | \ + awk 'BEGIN { FS = "[ \t]*|[ \t\\/]+" } { print $4 }' | \ + awk 'BEGIN { FS = ":" } { print $1":"$2":"$3":"$4":" }' | \ + head -n 1 + fi +} + +function get_ipv6_iface { + declare prefix=$(get_ipv6_prefix) + ip -o -f inet6 addr show scope link | \ + grep $prefix | head -n 1 | \ + awk 'BEGIN { FS = "[ \t]*|[ \t\\/]+" } { print $2 }' +} + +function get_ipv4_addr { + declare ip4prefix=$LOCAL_SEC_IPV4 + ip -o -f inet addr show scope global | \ + grep $ip4prefix | head -n 1 | \ + awk 'BEGIN { FS = "[ \t]*|[ \t\\/]+" } { print $4 }' +} + +function get_ipv6_addr { + declare prefix=$(get_ipv6_prefix) + ip -o -f inet6 addr show scope link | \ + grep $prefix | head -n 1 | \ + awk 'BEGIN { FS = "[ \t]*|[ \t\\/]+" } { print $4 }' +} + + +###################################################################### +# pre-testrun checks/configuration +###################################################################### + +unset local_ipv4 remote_ipv4 address_ipv4 + +unset local_ipv6_if +unset local_ipv6 remote_ipv6 address_ipv6 +unset 
local_ipv6_raw remote_ipv6_raw address_ipv6_raw + +unset local_ipv6_prefix +unset remote_ipv6_prefix +unset address_ipv6_prefix + +unset address address_raw + +# check the test profile +[[ -z $PPROFILE ]] && die "error: profile not set (PPROFILE)" + +# the remote labeled networking host/server +if [[ -n $SECNET_SVR_IPV4 ]]; then + lblnet_svr4_host=$SECNET_SVR_IPV4 +else + die "error: labeled networking test server not specified (SECNET_SVR_IPV4)" +fi + + +# +# get ipv4 addresses +# + +local_ipv4="$(get_ipv4_addr)" +remote_ipv4="$SECNET_SVR_IPV4" address_ipv4="$ADDRESS_IPV4" + +# +# get ipv6 addresses +# + +# raw addresses +local_ipv6_raw="$(get_ipv6_addr)" +remote_ipv6_raw="$SECNET_SVR_IPV6" +address_ipv6_raw="$ADDRESS_IPV6" + +# prefix to determine if addresses are link local or global +local_ipv6_prefix=$(get_ipv6_prefix | head -c 4) +remote_ipv6_prefix=$(echo $SECNET_SVR_IPV6 | head -c 4) +address_ipv6_prefix=$(echo $ADDRESS_IPV6 | head -c 4) + +# interface/scope +if [[ -n $BRIDGE_FILTER ]]; then + local_ipv6_if=$BRIDGE_FILTER +else + local_ipv6_if="$(get_ipv6_iface)" +fi + +# adjust link-local addresses +if [[ $local_ipv6_prefix == "fe80" ]]; then + # link-local address, add a scope + local_ipv6="$local_ipv6_raw%$local_ipv6_if" +else + # non link-local, assume global address and just use it + local_ipv6="$local_ipv6_raw" +fi +if [[ $remote_ipv6_prefix == "fe80" ]]; then + # link-local address, add a scope + local_ipv6="$local_ipv6_raw%$local_ipv6_if" +else + # non link-local, assume global address and just use it + local_ipv6="$local_ipv6_raw" +fi +if [[ $remote_ipv6_prefix == "fe80" ]]; then + # link-local address, add a scope + remote_ipv6="$remote_ipv6_raw%$local_ipv6_if" +else + # non link-local, assume global address and just use it + remote_ipv6="$remote_ipv6_raw" +fi +if [[ $address_ipv6_prefix == "fe80" ]]; then + # link-local address, add a scope + address_ipv6="$address_ipv6_raw%$local_ipv6_if" +else + # non link-local, assume global address and just 
use it + address_ipv6="$address_ipv6_raw" +fi + +# +# generate the generic %ADDRESS[_RAW]% if possible +# + +if [[ -n $address_ipv6 && -z $address_ipv4 ]]; then + address="$address_ipv6" + address_raw="$address_ipv6_raw" +elif [[ -z $address_ipv6 && -n $address_ipv4 ]]; then + address="$address_ipv4" +fi + +if [[ -n $SECNET_SVR_IPV6 ]]; then + lblnet_svr6_host=$remote_ipv6 + lblnet_svr6_host_raw=$remote_ipv6_raw +else + die "error: networking test server not specified (SECNET_SVR_IPV6)" +fi + +# the local machine +lblnet_loc4_host=$local_ipv4 +lblnet_loc6_host=$local_ipv6 + +case $PPROFILE in + lspp) + tstsvr_lock_timeout=$tstsvr_lock_timeout_lspp + ;; + capp) + tstsvr_lock_timeout=$tstsvr_lock_timeout_capp + ;; + *) + die "error: unknown test profile ($PPROFILE)" + ;; +esac + +# wait until remote is available +while ! verify_remote; do + echo "notice: test server is busy, sleeping for 60s ..." + sleep 60 +done + +###################################################################### +# test configuration +###################################################################### + +# It is important to note that prior to running any of the test below the +# system must be configured using the config-server.bash script or the +# environmental variables and routes must be set up manually. + +## +## ebtables system calls +## + +# The test cases below are in the following format, with optional elements +# denoted by square brackets ([...]): +# +# + <_syscall_> \ +# mlsop=<_mlsop_> expres=<_expres_> err=<_err_> \ +# host=<_host_> type=<_type_> op=<_op_> ipv=<_ipv_> port=<_port_> \ +# <_test_args_> +# +# Where the arguments are defined as follows: +# +# _syscall_ : the syscall itself is not being tested for ebtables but +# is being used to generate the traffic for the test +# +# _mlsop_ : the MLS label comparison operator for more information see +# the comments elsewhere in this file, only 1 value used for +# ebtables. 
For compatibitlity with lblnet_tst_server +# value: +# eq : the local test process label equals the remote +# process/packet/connection's label +# _expres_ : indicates that the operation should succeed (success) or +# fail (fail) based on the system's security policy +# _err_ : if the test should fail, it should fail with this error +# code/value +# _host_ : indicates if the test is against a local (local) or +# remote (remote) host, the actual remote IP address is +# determined from the SECNET_SVR_IPV4 and SECNET_SVR_IPV6 +# environment variables +# _type_ : the labeling protocol, kept for purposes of compatibility +# with the lblnet_tst_server. Only 1 type used: +# unlabeled : not a labeling protocol, no need for ebtables +# _op_ : the remote test driver command, there are four valid values: +# sendrand_tcp : initiate a TCP connection with the test +# machine and send data +# sendrand_udp : send UDP traffic to the test machine +# recv_tcp : accept TCP connections from the test +# machine and receive data from established +# connections +# recv_udp : receive UDP traffic from the test machine +# _ipv_ : the IP version, there are two values: ipv4 and ipv6 +# _port_ : the TCP or UDP port +# _test_args_ : arguments to supply to the test applet/program, these may +# be variables which are later expanded inside the run_test() +# function + +## SYSCALLS: accept() connect() recvfrom() +## PURPOSE: +## Verify that incoming packets are only allowed to pass on the bridge device +## when the ebtables chain rule or policy is set to accept the packet and +## are dropped when a chain rule or policy so dictates. A check is also made +## for an audit record of the accepted or dropped packet when the rule so +## specifies a target of AUDIT_ACCEPT or AUDIT_DROP. +## These test cases make use of a remote test driver to initiate a connection +## from the remote node to the host under test, see the setup_default() +## function above for details on configuring the remote test driver. 
In +## The test procedure is as follows: +## 1. Configure the audit subsystem to watch for the syscall record +## 2. Restart ebtables to set it to a known condition, add the AUDIT_ACCEPT +## and AUDIT_DROP chains and set the INPUT chain with the appropriate +## rule to test the specific filter feature. +## 3. Execute the test case on the local system and verify the result +## 4. Check the audit log for the correct syscall result and in the case of +## failure check for generated audit records indicating that a packet +## was dropped or in some cases of success we check that an audit record +## was generated for a packet that was acccepted. +## TESTCASE: Test #0 tnum 1 +## Table Rule no blocking +## Input TOE sends tcp connect to remote server over bridge +## Expected Result packets pass, connection succeeds ++ connect \ + mlsop=eq expres=success \ + host=remote type=unlabeled op=recv_tcp ipv=ipv4 port=$tst_port1 \ + tnum=1 '$host_remote tcp $port' +## TESTCASE: Test #1 tnum 2 +## Table Rule drop incoming packets on device enslaved to bridge +## and log in audit.log +## Input TOE sends tcp connect to remote server over bridge +## Expected Result response packets dropped, connect times out, audit.log +## has record ++ connect \ + mlsop=eq expres=fail err=ETIMEDOUT \ + host=remote type=unlabeled op=recv_tcp ipv=ipv4 port=$tst_port1\ + tnum=2 '$host_remote tcp $port' +## TESTCASE: Test #2 tnum 3 +## Table Rule no blocking +## Input TOE sends tcp connect to remote server over bridge +## Expected Result packets pass, connection succeeds ++ connect \ + mlsop=eq expres=success \ + host=remote type=unlabeled op=recv_tcp ipv=ipv4 port=$tst_port1 \ + tnum=3 '$host_remote tcp $port' +## TESTCASE: Test #3 tnum 4 +## Table Rule drop packets with source address of remote server and log +## in audit.log +## Input TOE sends tcp connect to remote server over bridge +## Expected Result response packets dropped, connect times out, audit.log +## has record ++ connect \ + mlsop=eq 
expres=fail err=ETIMEDOUT \ + host=remote type=unlabeled op=recv_tcp ipv=ipv4 port=$tst_port1 \ + tnum=4 '$host_remote tcp $port' +## TESTCASE: Test #4 tnum 5 +## Table Rule drop incoming packets to TOE bridge ipv4 address and log +## in audit.log +## Input TOE sends TCP connect to remote server over bridge +## Expected Result response packets dropped, connect times out, audit.log +## has record ++ connect \ + mlsop=eq expres=fail err=ETIMEDOUT \ + host=remote type=unlabeled op=recv_tcp ipv=ipv4 port=$tst_port1 \ + tnum=5 '$host_remote tcp $port' +## TESTCASE: Test #5 tnum 6 +## Table Rule no blocking +## Input remote server sends tcp connect to bridge ipv4 address +## Expected Result packets pass, connection succeeds ++ connect \ + mlsop=eq expres=success \ + host=remote type=unlabeled op=recv_tcp ipv=ipv4 port=$tst_port1 \ + tnum=6 '$host_remote tcp $port' +## TESTCASE: Test #6 tnum 7 +## Table Rule drop TCP packets with source port (tst_port1) and log +## in audit.log +## Input TOE sends TCP connect to remote server over bridge +## Expected Result response packets dropped, connect times out, audit.log +## has record ++ connect \ + mlsop=eq expres=fail err=ETIMEDOUT \ + host=remote type=unlabeled op=recv_tcp ipv=ipv4 port=$tst_port1 \ + tnum=7 '$host_remote tcp $port' +## TESTCASE: Test #7 tnum 8 +## Table Rule drop TCP packets with destination port (tst_port1) and log +## in audit.log +## Input remote server sends tcp connect to bridge ipv4 address +## with destination port (tst_port1) +## Expected Result response packets dropped, listen times out, audit.log +## has record ++ accept \ + mlsop=eq expres=fail err=EINTR\ + host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \ + tnum=8 alarmv=90 '$ipv $port $alarmv' +## TESTCASE: Test #8 tnum 9 +## Table Rule no blocking +## Input remote server sends udp packets to bridge ipv4 address +## Expected Result packets pass through ++ recvfrom \ + mlsop=eq expres=success \ + host=remote type=unlabeled 
op=sendrand_udp ipv=ipv4 port=$tst_port1 \ + tnum=9 '$ipv $port' +## TESTCASE: Test #9 tnum 10 +## Table Rule drop UDP from source port range 30k - 60k and log in +## audit.log +## Input remote server sends udp packets to bridge ipv4 address +## Expected Result packets dropped, audit.log has record ++ recvfrom \ + mlsop=eq expres=fail err=EINTR \ + host=remote type=unlabeled op=sendrand_udp ipv=ipv4 port=$tst_port1 \ + tnum=10 '$ipv $port' +## TESTCASE: Test #10 tnum 11 +## Table Rule drop UDP packets to destination port (tst_port1) and log +## audit.log +## Input remote server sends udp packets to bridge ipv4 address +## at destination port +## Expected Result packets dropped, audit.log has record ++ recvfrom \ + mlsop=eq expres=fail err=EINTR \ + host=remote type=unlabeled op=sendrand_udp ipv=ipv4 port=$tst_port1 \ + tnum=11 '$ipv $port' +## TESTCASE: Test #11 tnum 12 +## Table Rule no blocking +## Input remote server sends tcp connect to bridge ipv4 address +## Expected Result packets pass, connection succeeds ++ accept \ + mlsop=eq expres=success \ + host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \ + tnum=12 alarmv=90 '$ipv $port $alarmv' +## TESTCASE: Test #12 tnum 13 +## Table Rule INPUT chain policy set to DROP, ACCEPT TCP packets to +## port destination port (tst_port1) and log in audit.log +## Input remote server sends tcp connect to bridge at destination +## port (tst_port1) +## Expected Result packets pass, connection succeeds, audit.log has record ++ accept \ + mlsop=eq expres=success \ + host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \ + tnum=13 alarmv=90 '$ipv $port $alarmv' +## TESTCASE: Test #13 tnum 14 +## Table Rule INPUT chain policy set to DROP no other rule +## Input remote server sends tcp connect to bridge ipv4 address +## Expected Result packets dropped, listen times out, no audit record +## because the DROP policy is used due to the test +## requirement and not the AUDIT_DROP target/chain ++ accept 
\ + mlsop=eq expres=fail err=EINTR\ + host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \ + tnum=14 alarmv=90 '$ipv $port $alarmv' +## TESTCASE: Test #14 tnum 15 +## Table Rule accept packets to logical bridge device (BRIDGE_FILTER) +## Input remote server sends tcp connect to bridge ipv4 address +## Expected Result packets pass, connection succeeds, audit.log has record ++ accept \ + mlsop=eq expres=success \ + host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \ + tnum=15 alarmv=90 '$ipv $port $alarmv' +## TESTCASE: Test #15 tnum 16 +## Table Rule drop packets to logical bridge device (BRIDGE_FILTER) +## Input remote server sends tcp connect to bridge ipv4 address +## Expected Result packets dropped, listen times out, audit.log has record ++ accept \ + mlsop=eq expres=fail err=EINTR\ + host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \ + tnum=16 alarmv=90 '$ipv $port $alarmv' +## TESTCASE: Test #16 tnum 17 +## Table Rule accepts packets from mac address of remote server eth1 +## Input remote server sends tcp connect to bridge ipv4 address +## Expected Result packets pass, connection succeeds, audit.log has record ++ accept \ + mlsop=eq expres=success \ + host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \ + tnum=17 alarmv=90 '$ipv $port $alarmv' +## TESTCASE: Test #17 tnum 18 +## Table Rule drop packets from mac address of remote server +## Input remote server sends tcp connect to bridge ipv4 address +## Expected Result packets dropped, listen times out, audit.log has record ++ accept \ + mlsop=eq expres=fail err=EINTR \ + host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \ + tnum=18 alarmv=90 '$ipv $port $alarmv' +## TESTCASE: Test #18 tnum 19 +## Table Rule accepts packets to mac address of TOE device enslaved +## to bridge +## Input remote server sends tcp connect to bridge ipv4 address +## Expected Result packets pass, connection succeeds, audit.log has record ++ accept 
\ + mlsop=eq expres=success \ + host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \ + tnum=19 alarmv=90 '$ipv $port $alarmv' +## TESTCASE: Test #19 tnum 20 +## Table Rule drop packets to mac address of TOE device enslaved +## to bridge +## Input remote server sends tcp connect to bridge ipv4 address +## Expected Result packets dropped, listen times out, audit.log has record ++ accept \ + mlsop=eq expres=fail err=EINTR \ + host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \ + tnum=20 alarmv=90 '$ipv $port $alarmv' +## TESTCASE: Test #20 tnum 21 +## Table Rule no blocking +## Input TOE sends tcp connect (ipv6) to remote server over bridge +## Expected Result connection succeeds ++ connect \ + mlsop=eq expres=success \ + host=remote type=unlabeled op=recv_tcp ipv=ipv6 port=$tst_port1 \ + tnum=21 '$host_remote tcp $port' +## TESTCASE: Test #21 tnum 22 +## Table Rule drop packets to TOE device enslaved to bridge +## Input TOE sends tcp connect (ipv6) to remote server over bridge +## Expected Result response packets dropped, connect times out, audit.log +## has record ++ connect \ + mlsop=eq expres=fail err=ETIMEDOUT \ + host=remote type=unlabeled op=recv_tcp ipv=ipv6 port=$tst_port1 \ + tnum=22 '$host_remote tcp $port' +## TESTCASE: Test #22 tnum 23 +## Table Rule no blocking +## Input TOE sends tcp connect (ipv6) to remote server over bridge +## Expected Result connection succeeds ++ connect \ + mlsop=eq expres=success \ + host=remote type=unlabeled op=recv_tcp ipv=ipv6 port=$tst_port1 \ + tnum=23 '$host_remote tcp $port' +## TESTCASE: Test #23 tnum 24 +## Table Rule drop packets with ipv6 source address of remote server +## and log in audit.log +## Input TOE sends tcp connect (ipv6) to remote server over bridge +## Expected Result response packets from remote server are dropped and +## connect times out. 
audit.log has records ++ connect \ + mlsop=eq expres=fail err=ETIMEDOUT \ + host=remote type=unlabeled op=recv_tcp ipv=ipv6 port=$tst_port1 \ + tnum=24 '$host_remote tcp $port' +## TESTCASE: Test #24 tnum 25 +## Table Rule drop packets to TOE ipv6 address of bridge device and log +## in audit.log +## Input TOE sends tcp connect (ipv6) to remote server over bridge +## Expected Result response packets (ipv6) from remote server are dropped +## and connect times out. ++ connect \ + mlsop=eq expres=fail err=ETIMEDOUT \ + host=remote type=unlabeled op=recv_tcp ipv=ipv6 port=$tst_port1 \ + tnum=25 '$host_remote tcp $port' +## TESTCASE: Test #25 tnum 26 +## Table Rule no blocking +## Input TOE sends tcp connect (ipv6) to remote server over bridge +## Expected Result connection succeeds ++ connect \ + mlsop=eq expres=success \ + host=remote type=unlabeled op=recv_tcp ipv=ipv6 port=$tst_port1 \ + tnum=26 '$host_remote tcp $port' +## TESTCASE: Test #26 tnum 27 +## Table Rule drop tcp (ipv6) packets with remote server source port +## tst_port1 and log in audit.log +## Input TOE sends tcp connect (ipv6) to remote server over bridge +## Expected Result response packets from remote server with specified source +## port are dropped, connect times out, audit.log has record ++ connect \ + mlsop=eq expres=fail err=ETIMEDOUT \ + host=remote type=unlabeled op=recv_tcp ipv=ipv6 port=$tst_port1 \ + tnum=27 '$host_remote tcp $port' +## TESTCASE: Test #27 tnum 28 +## Table Rule drop tcp (ipv6) packets to TOE bridge with destination +## port tst_port1 and log in audit.log +## Input remote server sends tcp (ipv6) connect to TOE at port +## tst_port1 +## Expected Result packets to port are dropped, listen times out, +## audit.log has record ++ accept \ + mlsop=eq expres=fail err=EINTR\ + host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \ + tnum=28 alarmv=90 '$ipv $port $alarmv' +## TESTCASE: Test #28 tnum 29 +## Table Rule no blocking +## Input remote server sends udp 
packets to bridge ipv6 address +## Expected Result packets pass through ++ recvfrom \ + mlsop=eq expres=success \ + host=remote type=unlabeled op=sendrand_udp ipv=ipv6 port=$tst_port1 \ + tnum=29 '$ipv $port' +## TESTCASE: Test #29 tnum 30 +## Table Rule udp (ipv6) packets to TOE with source port 30k - 60k range +## are dropped +## Input remote server sends udp packets to bridge ipv6 address +## Expected Result packets dropped, audit.log has record ++ recvfrom \ + mlsop=eq expres=fail err=EINTR \ + host=remote type=unlabeled op=sendrand_udp ipv=ipv6 port=$tst_port1 \ + tnum=30 '$ipv $port' +## TESTCASE: Test #30 tnum 31 +## Table Rule udp (ipv6) packets to TOE with destination port tst_port1 +## are dropped +## Input remote server sends udp packets to bridge ipv6 address +## Expected Result packets dropped, audit.log has record ++ recvfrom \ + mlsop=eq expres=fail err=EINTR \ + host=remote type=unlabeled op=sendrand_udp ipv=ipv6 port=$tst_port1 \ + tnum=31 '$ipv $port' +## TESTCASE: Test #31 tnum 32 +## Table Rule no blocking +## Input remote server sends tcp connect (ipv6) to TOE +## Expected Result connection succeeds ++ accept \ + mlsop=eq expres=success \ + host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \ + tnum=32 alarmv=90 '$ipv $port $alarmv' +## TESTCASE: Test #32 tnum 33 +## Table Rule INPUT chain policy set to DROP, tcp (ipv6) packets to +## TOE port tst_port1 allowed. log of accepted packets to +## to audit.log +## Input remote server sends tcp connect (ipv6) to TOE port +## tst_port1 +## Expected Result connect succeeds, audit log has record ++ accept \ + mlsop=eq expres=success \ + host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \ + tnum=33 alarmv=90 '$ipv $port $alarmv' +## TESTCASE: Test #33 tnum 34 +## Table Rule INPUT chain policy set to DROP, only port 22 allowed. 
+## Input remote server sends tcp connect (ipv6) to TOE port +## tst_port1 +## Expected Result connect fails, listen times out, no log of connect packets ++ accept \ + mlsop=eq expres=fail err=EINTR\ + host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \ + tnum=34 alarmv=90 '$ipv $port $alarmv' +## TESTCASE: Test #34 tnum 35 +## Table Rule logical bridge device accepts traffic and logs +## to audit.log +## Input remote server sends tcp connect (ipv6) to TOE bridge +## address +## Expected Result connect succeeds, audit.log has record ++ accept \ + mlsop=eq expres=success \ + host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \ + tnum=35 alarmv=90 '$ipv $port $alarmv' +## TESTCASE: Test #35 tnum 36 +## Table Rule logical bridge device drops packets and logs to audit.log +## Input remote server sends tcp connect (ipv6) to TOE bridge +## address +## Expected Result connect fails, listen times out, audit.log has record ++ accept \ + mlsop=eq expres=fail err=EINTR\ + host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \ + tnum=36 alarmv=90 '$ipv $port $alarmv' +## TESTCASE: Test #36 tnum 37 +## Table Rule accept packets (ipv6) from mac address of remote server +## and log to audit.log +## Input remote server sends tcp connect (ipv6) to TOE bridge +## Expected Result connect succeeds, packets logged in audit.log ++ accept \ + mlsop=eq expres=success \ + host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \ + tnum=37 '$ipv $port' +## TESTCASE: Test #37 tnum 38 +## Table Rule drop packets (ipv6) from mac address of remote server +## and log to audit.log +## Input remote server sends tcp connect (ipv6) to TOE bridge +## Expected Result connect fails, listen times out, audit.log has record ++ accept \ + mlsop=eq expres=fail err=EINTR \ + host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \ + tnum=38 alarmv=90 '$ipv $port $alarmv' +## TESTCASE: Test #38 tnum 39 +## Table Rule accept packets 
(ipv6) to mac address of TOE device +## enslaved to bridge and log to audit.log +## Input remote server sends tcp connect (ipv6) to TOE bridge +## Expected Result connect succeeds, packets logged in audit.log ++ accept \ + mlsop=eq expres=success \ + host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \ + tnum=39 alarmv=90 '$ipv $port $alarmv' +## TESTCASE: Test #39 tnum 40 +## Table Rule drop packets (ipv6) to mac address of TOE device +## enslaved to bridge and log to audit.log +## Input remote server sends tcp connect (ipv6) to TOE bridge +## Expected Result connect fails, dropped packets logged in audit.log ++ accept \ + mlsop=eq expres=fail err=EINTR \ + host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \ + tnum=40 alarmv=90 '$ipv $port $alarmv' +## TESTCASE Test #40 tnum 41 +## No Table Rule This test insures a normal user does not have +## permision to modify the ebtables +## Input testperm.bash script adds a regular user and then +## su to the user and attempts to add a ebtables rule +## Expected Result Permission is denied and rule is not added ++ testperm.bash \ + mlsop=eq expres=success \ + host=local tnum=41 |
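Review bot: tnum 37 (Test #36) is the only accept case in this block invoked without an alarm value, `tnum=37 '$ipv $port'`, while its neighbours 35 and 39 use `tnum=35 alarmv=90 '$ipv $port $alarmv'`; if do_accept relies on the alarm to bound the listen, this case behaves differently from its siblings, so either add `alarmv=90` or document why it is omitted. The Expected Result comment for Test #24 (tnum 25) says only "connect times out" although its rule says "log in audit.log" and run_test checks tnum 25 for a NETFILTER_PKT record; the comment should say audit.log has a record like the other drop-and-log cases. Smaller points: the header for the last case reads `## TESTCASE Test #40 tnum 41` without the colon the other headers use, its description has "insures" and "permision" (ensures, permission), and several continuation lines such as `mlsop=eq expres=fail err=EINTR\` have no space before the backslash, which works only because the next line is indented and is inconsistent with the rest of the list.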
From: Linda K. <lin...@hp...> - 2011-06-29 16:05:00
Hi Jim, There's some stuff here that's a copy of the stuff in the network/run.conf file. I think we should move all the common stuff into a separate .bash file that each run.conf can reference. If you had to make changes to some of the functions (I didn't do a diff to find out), then we should see if the changes are ok for the network tests or whether we really do need separate functions in some cases, but I assume that most is sharable. -- ljk James Czyzak wrote: > Signed-off-by James Czyzak <cz...@li...> > <mailto:cz...@li...> > > diff --git a/audit/netfilebt/run.conf b/audit/netfilebt/run.conf > new file mode 100644 > index 0000000..2415307 > --- /dev/null > +++ b/audit/netfilebt/run.conf 
> @@ -0,0 +1,1455 @@ > +#!/bin/bash > +# > ============================================================================= > +# (c) Copyright Hewlett-Packard Development Company, L.P., 2005, 2006, 2007 > +# > +# This program is free software: you can redistribute it and/or modify > +# it under the terms of version 2 the GNU General Public License as > +# published by the Free Software Foundation. > +# > +# This program is distributed in the hope that it will be useful, > +# but WITHOUT ANY WARRANTY; without even the implied warranty of > +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > +# GNU General Public License for more details. > +# > +# You should have received a copy of the GNU General Public License > +# along with this program. If not, see <http://www.gnu.org/licenses/>. > +# > ============================================================================= > + > +###################################################################### > +# global variables > +###################################################################### > + > +tstsvr_lock_timeout_lspp=3000 # in seconds (50m) > +tstsvr_lock_timeout_capp=120 # in seconds (2m) > +tstsvr_lock_timeout=0 > +tstsvr_lock_held=0 > +tst_port1=4100 > +tst_port2=4200 > +tst_port3=4300 > + > +###################################################################### > +# helper functions > +###################################################################### > + > +# > +# get_test_domain - Get the SELinux domain for the test applet > +# > +# INPUT > +# $1 : the labeling type > +# $2 : the host type > +# > +# OUTPUT > +# Writes the SELinux domain to stdout > +# > +# DESCRIPTION > +# This function determines the correct SELinux domain to use for the test > +# applet based on the given labeling type. 
> +# > +function get_test_domain { > + declare type_arg=$1 host_arg=$2 > + > + case $PPROFILE-$host_arg in > + lspp-*|capp-remote) > + case $type_arg in > + unlabeled) > + echo "lspp_test_generic_t" > + ;; > + *) > + exit_fail "invalid test argument" > + ;; > + ;; > + esac > + ;; > + capp-local) > + case $type_arg in > + *) > + echo "unconfined_t" > + ;; > + esac > + ;; > + esac > +} > + > +# > +# get_label_subj - Get the subject's sensitivity label for the test run > +# > +# INPUT > +# $1 : the MLS "op" > +# > +# OUPUT > +# Writes the subject's untranslated sensivity label to stdout > +# > +# DESCRIPTION > +# This function sets the subject's sensitivity label for the test run > +# based on the MLS "op". The MLS "op" will always specify the subject > +# is to be equal to (eq) the object for the ebtables filtering tests. > +# This MLS "op" definition assumes the Bell-LaPadula based MLS > +# constraints in use by the SELinux MLS policy derived from the SELinux > +# Reference Policy. > +# > +function get_label_subj { > + declare mlsop_arg=$1 > + > + case $PPROFILE in > + lspp) > + case $mlsop_arg in > + eq) > + echo "SystemLow" > + ;; > + *) > + exit_fail "invalid test argument" > + ;; > + esac > + ;; > + capp) > + case $mlsop_arg in > + *) > + # in targeted policy (the likely policy for CAPP) the s0 > + # sensitivity label is translated into a NULL string > so we > + # have to use the untranslated sensitivity label > + echo "s0" > + ;; > + esac > + ;; > + esac > +} > + > +# > +# get_label_obj - Get the object's sensitivity label for the test run > +# > +# INPUT > +# $1 : the MLS "op" > +# > +# OUPUT > +# Writes the object's untranslated sensivity label to stdout > +# > +# DESCRIPTION > # This function determines the objects's sensitivity label for the test run > +# based on the MLS "op". The MLS "op" specifies the subject is to be equal > +# to (eq) the object. 
> +# This MLS "op" definition assumes the Bell-LaPadula based MLS > +# constraints in use by the SELinux MLS policy derived from the SELinux > +# Reference Policy. > +# > +function get_label_obj { > + declare mlsop_arg=$1 > + > + case $PPROFILE in > + lspp) > + case $mlsop_arg in > + eq) > + echo "SystemLow" > + ;; > + *) > + exit_fail "invalid test argument" > + ;; > + esac > + ;; > + capp) > + case $mlsop_arg in > + *) > + # in targeted policy (the likely policy for CAPP) the s0 > + # sensitivity label is translated into a NULL string > so we > + # have to use the untranslated sensitivity label > + echo "s0" > + ;; > + esac > + ;; > + esac > +} > + > +# > +# get_host_local - Get the IP address to use as the local address for > the test > +# > +# INPUT > +# $1 : the IP version > +# $2 : the host type > +# > +# OUTPUT > +# Writes the IP address to stdout > +# > +# DESCRIPTION > +# This function determines the correct local address to use for the > test run > +# based on an IP version string, "ipv4" or "ipv6", and the host type, > "local" > +# or "remote". While the "local" host types resolve to the IPv4 or IPv6 > +# localhost address the "remote" host types resolve to IP addresses > specified > +# in environment variables which are queried at the start of the test run. 
> +# > +function get_host_local { > + declare ipv_arg=$1 host_arg=$2 > + > + case $ipv_arg in > + ipv4) > + case $host_arg in > + local) > + echo "127.0.0.1" > + ;; > + remote) > + echo "$lblnet_loc4_host" > + ;; > + *) > + exit_fail "invalid test argument" > + ;; > + esac > + ;; > + ipv6) > + case $host_arg in > + local) > + echo "::1" > + ;; > + remote) > + echo "$lblnet_loc6_host" > + ;; > + *) > + exit_fail "invalid test argument" > + ;; > + esac > + ;; > + *) > + exit_fail "invalid test argument" > + ;; > + esac > +} > + > +# > +# get_host_remote - Get the IP address to use as the remote address > +# > +# INPUT > +# $1 : the IP version > +# $2 : the host type > +# > +# OUTPUT > +# Writes the IP address to stdout > +# > +# DESCRIPTION > +# This function determines the correct remote address to use for the test > +# run based on an IP version string, "ipv4" or "ipv6", and the host type, > +# "local" or "remote". While the "local" host types resolve to the IPv4 or > +# IPv6 localhost address the "remote" host types resolve to IP addresses > +# specified in environment variables which are queried at the start of the > +# test run. 
> +# > +function get_host_remote { > + declare ipv_arg=$1 host_arg=$2 > + > + case $ipv_arg in > + ipv4) > + case $host_arg in > + local) > + echo "127.0.0.1" > + ;; > + remote) > + echo "$lblnet_svr4_host" > + ;; > + *) > + exit_fail "invalid test argument" > + ;; > + esac > + ;; > + ipv6) > + case $host_arg in > + local) > + echo "::1" > + ;; > + remote) > + echo "$lblnet_svr6_host" > + ;; > + *) > + exit_fail "invalid test argument" > + ;; > + esac > + ;; > + *) > + exit_fail "invalid test argument" > + ;; > + esac > +} > + > +# > +# tstsvr_lock - Lock the remote test server > +# > +# INPUT > +# none > +# > +# OUTPUT > +# Returns true if the test server was able to be locked, false otherwise > +# > +# DESCRIPTION > +# This function attempts to lock the remote test server with the > timeout value > +# specified in the global variable $tstsvr_lock_timeout. If the > function is > +# able to lock the remote test server then it returns true and sets the > global > +# variable $tstsvr_lock_held to 1 for use in the tstsvr_unlock() > function. If > +# for any reason the function is not able to lock the remote test > server then > +# the function returns false and the value in $tstsvr_lock_held is > unchanged. > +# This function assumes the remote node is running a test driver > similar to the > +# one found in "utils/network-server/lblnet_tst_server.c". > +# > +function tstsvr_lock { > + declare rc > + declare cmd_str="lock:set,$tstsvr_lock_timeout;" > + > + echo $lblnet_svr6_host > + rc="$(nc -6 -w 1 $LBLNET_SVR_IPV6%$LOCAL_DEV 4000 <<< $cmd_str)" > + if [[ $rc == 0 ]]; then > + tstsvr_lock_held=1 > + return 0 > + fi > + > + return 1 > +} > + > +# > +# tstsvr_unlock - Unlock the remote test server > +# > +# INPUT > +# none > +# > +# OUTPUT > +# none > +# > +# DESCRIPTION > +# This function attempts to unlock the remote test server if it was locked > +# previously during this test run. 
The function checks the > $tstsvr_lock_held > +# global variable and if the value is 1, set by the tstsvr_lock() function, > +# then the function sends an unlock command to the remote test server. > If the > +# $tstsvr_lock_held variable is not set to 1 then this function does > nothing. > +# This function assumes the remote node is running a test driver > similar to the > +# one found in "utils/network-server/lblnet_tst_server.c". > +# > +function tstsvr_unlock { > + declare cmd_str="lock:release;" > + > + if [[ $tstsvr_lock_held == 1 ]]; then > + nc -6 -w 1 $lblnet_svr6_host 4000 <<< $cmd_str > + fi > +} > + > +# > +# verify_remote - Verify that the remote test server is available for use > +# > +# INPUT > +# none > +# > +# OUTPUT > +# Returns true if the remote test server is available, false otherwise > +# > +# DESCRIPTION > +# This function checks to see if the remote test server is available > for use > +# and is able to be locked for this test run in which case it returns true. > +# If the test server is offline, or in use by another host and unable to be > +# locked then this function returns false. > +# > +function verify_remote { > + tstsvr_lock > + return $? > +} > + > +###################################################################### > +# defaults > +###################################################################### > + > +# > +# setup_default - Setup the remote test driver > +# > +# INPUT > +# none > +# > +# OUTPUT > +# none > +# > +# DESCRIPTION > +# All of the ebtables tests in this file need to either send data to a > remote > +# node or receive data from a remote node; this function does the required > +# setup to initialize the remote node based on the individual test > case. This > +# function works for both "local" (localhost) and "remote" (non-localhost) > +# host types using both IPv4 and IPv6. No ebtables tests are run on the > local > +# loopback device. 
This function determines the setup > +# needed by the test using the "op", "host", "type", "mlsop", "ipv", and > +# "port" named arguments as given on the test command line. On error the > +# function calls exit_error() which marks the test case as resulting in an > +# error. This function assumes the remote node is running a test driver > +# similar to the one found in "utils/network-server/lblnet_tst_server.c". > +# > +function setup_default { > + declare rc=1 > + declare tspid=0 > + declare cmd_str > + declare remote_obj local_host > + declare loop_cnt > + > + # generate the host command string > + remote_obj="$(get_label_obj $mlsop)" > + cmd_str="sockcon:full,system_u:system_r:$(get_test_domain $type > $host):$remote_obj;" > + case $op in > + sendrand_tcp) > + if [[ $ipv == "ipv6" ]]; then > + local_host="$LOCAL_SEC_IPV6%$SECNET_SVR_DEV" > + echo " $local_host " > + else > + local_host="$(get_host_local $ipv $host)" > + fi > + cmd_str+="sleep:5;" > + cmd_str+="sendrand:$local_host,tcp,$port,1;" > + ;; > + sendrand_udp) > + if [[ $ipv == "ipv6" ]]; then > + local_host="$LOCAL_SEC_IPV6%$SECNET_SVR_DEV" > + else > + local_host="$(get_host_local $ipv $host)" > + fi > + cmd_str+="sleep:5;" > + cmd_str+="sendrand:$local_host,udp,$port,1;" > + ;; > + recv_tcp) > + cmd_str+="recv:$ipv,tcp,$port,0;" > + ;; > + > +# recv_udp is not used in ebtables testing currently but is > +# left in for possible future test cases as the operation > +# already coded in the lblnet_tst_server > + > + recv_udp) > + cmd_str+="recv:$ipv,udp,$port,1;" > + ;; > + *) > + exit_fail "invalid test argument" > + ;; > + esac > + > + # setup the remote test server (try more than once) > + for ((loop_cnt=0; loop_cnt<=2 && rc!=0; loop_cnt++)); do > + case $host in > remote) > + rc="$(nc -6 -w 2 $lblnet_svr6_host 4000 <<< $cmd_str)" > + ;; > + local) > + # use the same port as the remote IPv4 setting > + rc="$(nc -w 1 ::1 4000 <<< $cmd_str)" > + ;; > + *) > + exit_fail "invalid test argument" > + ;; > 
+ esac > + if [[ $rc != 0 ]]; then > + echo "notice: failed to setup remote test server, retrying" > + echo "return code = "$rc" " > + sleep 10 > + fi > + done > + > + # verify the setup > + if [[ $rc != 0 ]]; then > + exit_error "could not setup remote test server" > + fi > +} > + > + > +###################################################################### > +# run.bash overrides > +###################################################################### > + > +# Rename the original run.bash + function to run+ and create our own + > function > +# that generates a tag for the test based on the named parameters. > + > +# > +# + - Generate a unique tag for each test case and run the default "+" > function > +# > +# INPUT > +# $@ : test command line > +# > +# OUTPUT > +# none > +# > +# DESCRIPTION > +# This function acts as a wrapper for the original "+" function which is > +# responsibile for running each test case shown at the bottom of this file. > +# This wrapper function is necessary to automatically generate a unique > tag for > +# each test case based on it's named arguments. This tag is then used > as an > +# additional named argument for the default "+" function. 
> +# > +eval "function run+ $(type + | sed '1,2d')" > +function + { > + declare test=$1 tag # make sure it's not inherited from caller > + shift > + eval "$(parse_named "$@")" || exit_error > + if [[ -z $tag ]]; then > + # extract the named args that identify a unique testcase > + run+ $test \ > + > tag="${test}__${host}_${type}_${ipv}_${expres}_subj_${mlsop}_obj" \ > + "$@" > + else > + # use tag supplied in run.conf > + run+ $test "$@" > + fi > +} > + > +# > +# show_test - Display the test case details > +# > +# INPUT > +# $@ : test command line > +# > +# OUTPUT > +# Writes the test case details to stdout > +# > +# DESCRIPTION > +# This function reads in the entire test case command line and depending on > +# the verbosity of the test harness either the entire command line is > dumped > +# to stdout or just the tag named variable as generated by the +() function > +# defined in this file. All output is handled by the fmt_test() function > +# which is defined as by the test harness. This function was overloaded > +# because of the special handling for the tag named variable. > +# > +function show_test { > + if ! $opt_verbose; then > + declare tag # make sure it's not inherited from caller > + eval "$(parse_named "$@")" || exit_error > + [[ -n $tag ]] && set -- "$tag" > + fi > + fmt_test "[$TESTNUM]" "$@" > +} > + > +# > +# network_cleanup - Release the lock on the remote test server > +# > +# INPUT > +# none > +# > +# OUTPUT > +# none > +# > +# DESCRIPTION > +# This function tries to unlock the remote test server by calling the > +# tstsvr_unlock() function. > +# > +function network_cleanup { > + tstsvr_unlock > +} > +prepend_cleanup 'network_cleanup' > + > + > +# > +# This function sets up the ebtables targets that allow an audit log > +# of packets matching the rule that uses either AUDIT_DROP or > +# AUDIT_ACCEPT as the target in the rule. 
> +# > +function ebtaudit_setup { > + > +ebtables -N AUDIT_DROP > +ebtables -A AUDIT_DROP -j AUDIT --audit-type DROP > +ebtables -A AUDIT_DROP -j DROP > +sleep 1 > +ebtables -N AUDIT_ACCEPT > +ebtables -A AUDIT_ACCEPT -j AUDIT --audit-type ACCEPT > +ebtables -A AUDIT_ACCEPT -j ACCEPT > +} > + > +###################################################################### > +# run_test > +###################################################################### > + > +# > +# run_test - Execute an individual test case > +# > +# INPUT > +# $@ : test command line > +# > +# OUTPUT > +# Returns true on test success, other error values on test failure > +# > +# DESCRIPTION > +# This function is responsibile for executing all aspects of an individual > +# test case including the following: setup, audit configuration and > rotation, > +# test case execution, test case verification, and audit verification. > Most of > +# these tasks are handled by other helper function defined either in > this file > +# or in the test harness, however, they are called from inside this > function > +# based on the individual test case's requirements. In the case where > a test > +# is run and it returns true and the audit verification is successful > then this > +# function returns true and the test case can be considered to have passed. > +# However, if either the test case returns non-true, the audit trail is not > +# correct, or an error occurs elsewhere then this function calls either the > +# exit_fail() or exit_error() functions to signify a test case failure. > +# > +function run_test { > + declare syscall=$1 tst_name=$1 > + declare x name value status log_mark > + declare test_domain label_subj label_obj host_local host_remote > + shift > + eval "$(parse_named "$@")" || exit_error > + > + source $AUDITPATH/netfilebt/netfilebt_functions.bash || exit_error > + > + if [[ tnum -eq 41 ]]; then > + ./testperm.bash > + return $? 
> + fi > + > + # get the derived variables > + # NOTE: the $test_domain variable is always using the "local" > version of > + # the test domain because the value is always only used on the > + # local machine (see below) > + test_domain=$(get_test_domain $type local) > + label_subj=$(get_label_subj $mlsop) > + label_obj=$(get_label_obj $mlsop) > + host_local=$(get_host_local $ipv $host) > + host_remote=$(get_host_remote $ipv $host) > + > + # run the > + # default setup > + if [[ $PPROFILE = lspp ]] ; then > + expect -c' > + spawn run_init service ebtables restart > + expect "Authenticating ccteam." > + expect "Password:" > + sleep 1 > + send "$env(PASSWD)\r" > + wait > + close' > + else > + service ebtables restart > + fi > + ebtaudit_setup > + sleep 4 > + setup_default > + > + case $tnum in > + 2) > + ebtables -I INPUT 1 -i $SECNET_SVR_DEV -j AUDIT_DROP > + ebtables -L --Ln > + ;; > + 4) > + ebtables -I INPUT 1 -p IPv4 --ip-source $SECNET_SVR_IPV4 > -j AUDIT_DROP > + ebtables -L --Ln > + ;; > + 5) > + ebtables -I INPUT 1 -p IPv4 --ip-destination > $LOCAL_SEC_IPV4 -j AUDIT_DROP > + ebtables -L --Ln > + ;; > + 7) > + ebtables -I INPUT 1 -p IPv4 --ip-proto TCP > --ip-source-port $tst_port1 -j AUDIT_DROP > + ebtables -L --Ln > + ;; > + 8) > + ebtables -I INPUT 1 -p IPv4 --ip-proto TCP > --ip-destination-port $tst_port1 -j AUDIT_DROP > + iptables -L --line-numbers -n > + ;; > + 10) > + ebtables -I INPUT 1 -p IPv4 --ip-proto UDP > --ip-source-port 30000:60000 -j AUDIT_DROP > + ebtables -L --Ln > + ;; > + 11) > + ebtables -I INPUT 1 -p IPv4 --ip-proto UDP > --ip-destination-port $tst_port1 -j AUDIT_DROP > + ebtables -L --Ln > + ;; > + 13) > + ebtables -I INPUT 1 -p IPv4 --ip-proto TCP > --ip-destination-port 22 -j AUDIT_ACCEPT > + ebtables -I INPUT 2 -p IPv4 --ip-proto TCP > --ip-destination-port $tst_port1 -j AUDIT_ACCEPT > + ebtables -P INPUT DROP > + ebtables -L --Ln > + ;; > + 14) > + ebtables -I INPUT 1 -p IPv4 --ip-proto TCP > --ip-destination-port 22 -j 
AUDIT_ACCEPT > + ebtables -P INPUT DROP > + ebtables -L --Ln > + ;; > + 15) > + ebtables -I INPUT 1 --logical-in $BRIDGE_FILTER -j > AUDIT_ACCEPT > + ebtables -L --Ln > + ;; > + 16) > + ebtables -I INPUT 1 --logical-in $BRIDGE_FILTER -j > AUDIT_DROP > + ebtables -L --Ln > + ;; > + 17) > + ebtables -I INPUT 1 -s $SECNET_SVR_MAC -j AUDIT_ACCEPT > + ebtables -L --Ln > + ;; > + 18) > + ebtables -I INPUT 1 -s $SECNET_SVR_MAC -j AUDIT_DROP > + ebtables -L --Ln > + ;; > + 19) > + ebtables -I INPUT 1 -d $LOCAL_SEC_MAC -j AUDIT_ACCEPT > + ebtables -L --Ln > + ;; > + 20) > + ebtables -I INPUT 1 -d $LOCAL_SEC_MAC -j AUDIT_DROP > + ebtables -L --Ln > + ;; > + 22) > + ebtables -I INPUT 1 -i $SECNET_SVR_DEV -j AUDIT_DROP > + ebtables -L --Ln > + ;; > + 24) > + ebtables -I INPUT 1 -p IPv6 --ip6-source > $SECNET_SVR_IPV6 -j AUDIT_DROP > + ebtables -L --Ln > + ;; > + 25) > + ebtables -I INPUT 1 -p IPv6 --ip6-destination > $LOCAL_SEC_IPV6 -j AUDIT_DROP > + ebtables -L --Ln > + ;; > + 27) > + ebtables -I INPUT 1 -p IPv6 --ip6-proto TCP > --ip6-source-port $tst_port1 -j AUDIT_DROP > + ebtables -L --Ln > + ;; > + 28) > + ebtables -I INPUT 1 -p IPv6 --ip6-proto TCP > --ip6-destination-port $tst_port1 -j AUDIT_DROP > + iptables -L --line-numbers -n > + ;; > + 30) > + ebtables -I INPUT 1 -p IPv6 --ip6-proto UDP > --ip6-source-port 30000:60000 -j AUDIT_DROP > + ebtables -L --Ln > + ;; > + 31) > + ebtables -I INPUT 1 -p IPv6 --ip6-proto UDP > --ip6-destination-port $tst_port1 -j AUDIT_DROP > + ebtables -L --Ln > + ;; > + 33) > + ebtables -I INPUT 1 -p IPv6 --ip6-proto TCP > --ip6-destination-port 22 -j AUDIT_ACCEPT > + ebtables -I INPUT 2 -p IPv6 --ip6-proto TCP > --ip6-destination-port $tst_port1 -j AUDIT_ACCEPT > + ebtables -P INPUT DROP > + ebtables -L --Ln > + ;; > + 34) > + ebtables -I INPUT 1 -p IPv6 --ip6-proto TCP > --ip6-destination-port 22 -j AUDIT_ACCEPT > + ebtables -P INPUT DROP > + ebtables -L --Ln > + ;; > + 35) > + ebtables -I INPUT 1 --logical-in $BRIDGE_FILTER -j > 
AUDIT_ACCEPT > + ebtables -L --Ln > + ;; > + 36) > + ebtables -I INPUT 1 --logical-in $BRIDGE_FILTER -j > AUDIT_DROP > + ebtables -L --Ln > + ;; > + 37) > + ebtables -I INPUT 1 -s $SECNET_SVR_MAC -j AUDIT_ACCEPT > + ebtables -L --Ln > + ;; > + 38) > + ebtables -I INPUT 1 -s $SECNET_SVR_MAC -j AUDIT_DROP > + ebtables -L --Ln > + ;; > + 39) > + ebtables -I INPUT 1 -d $LOCAL_SEC_MAC -j AUDIT_ACCEPT > + ebtables -L --Ln > + ;; > + 40) > + ebtables -I INPUT 1 -d $LOCAL_SEC_MAC -j AUDIT_DROP > + ebtables -L --Ln > + ;; > + *) > + sleep 1 > + echo "test case = $tnum" > + ;; > + esac > + > + # force the audit log to rotate > + rotate_audit_logs || exit_error > + > + # mark the log for augrok later > + log_mark=$(stat -c %s $audit_log) > + # run this in a subshell so that exit_* doesn't abort early > + ( > + declare testres exitval pid > + declare tst_args=( $(eval echo \"${unnamed[*]}\") ) > + set -x > + # run the test itself > + read testres exitval pid <<< \ > + "$(runcon -t $test_domain -l $(get_label_subj $mlsop) \ > + do_$tst_name "${tst_args[@]}")" > + > + echo "testres is "$testres" and exitval is "$exitval" " > + [[ -z $testres || -z $exitval || -z $pid ]] && exit_error > + check_result $expres $testres $exitval $err > + > +## audit.log is checked for packets of message type NETFILTER_PKT, > +## the appropriate action (0 = accepted, 1 = dropped), and the > interface on > +## which it occurred ($LOCAL_SEC_DEV) against the tnums where an audit > +## record is expected > + > + case $tnum in > + 2 | 4 | 5 | 7 | 8 | 10 | 11) > + asreturn=$(ausearch -m NETFILTER_PKT -if > /var/log/audit/audit.log \ > + | grep action=1 | grep -m 1 inif="$LOCAL_SEC_DEV") > + if [[ -n $asreturn ]]; then > + echo " "$asreturn" " > + exit_pass > + else > + exit_fail "missing log in audit.log" > + fi > + ;; > + 13 | 15 | 19 | 33 | 37 | 39) > + asreturn=$(ausearch -m NETFILTER_PKT -if > /var/log/audit/audit.log \ > + | grep action=0 | grep -m 1 inif="$LOCAL_SEC_DEV") > + if [[ -n $asreturn ]]; 
then > + echo " "$asreturn" " > + exit_pass > + else > + exit_fail "missing log in audit.log" > + fi > + ;; > + 16 | 18 | 20 | 22 | 24 | 25 | 27) > + asreturn=$(ausearch -m NETFILTER_PKT -if > /var/log/audit/audit.log \ > + | grep action=1 | grep -m 1 inif="$LOCAL_SEC_DEV") > + if [[ -n $asreturn ]]; then > + echo " "$asreturn" " > + exit_pass > + else > + exit_fail "missing log in audit.log" > + fi > + ;; > + 28 | 30 | 31 | 38 | 40) > + asreturn=$(ausearch -m NETFILTER_PKT | grep action=1 | > grep -m 1 inif="$LOCAL_SEC_DEV") > + if [[ -n $asreturn ]]; then > + echo " "$asreturn" " > + exit_pass > + else > + exit_fail "missing log in audit.log" > + fi > + ;; > + *) > + exit_pass > + ;; > + esac > + > + ) > + status=$? > + if [[ $PPROFILE = lspp ]] ; then > + expect -c' > + spawn run_init service ebtables restart > + expect "Authenticating ccteam." > + expect "Password:" > + sleep 1 > + sleep 1 > + send "$env(PASSWD)\r" > + wait > + close' > + else > + service ebtables restart > + fi > + > + # whenever the test fails, pause so the test server can cleanup > + [[ "$expres" == "fail" || "$status" != "0" ]] && sleep 10 > + > + # display the audit log items > + if [[ $status != 0 ]]; then > + echo > + echo augrok output > + echo ------------- > + augrok --seek=$log_mark type!=DAEMON_ROTATE > + fi > + > + return $status > +} > + > +########## > +# > +# more helper functions (in place of addr_loop and addr_filter > +# since we already needed environmental variables for the iptables > +# and ip6tables filtering tests.) 
> +# > +########## > +function get_ipv6_prefix { > + if [[ -n $SECNET_SVR_IPV6 ]]; then > + echo $SECNET_SVR_IPV6 | \ > + awk 'BEGIN { FS = ":" } { print $1 }' > +# was { print $1":"$2":"$3":"$4":" }' > + elif [[ -n $SECNET_PREFIX_IPV6 ]]; then > + echo $SECNET_PREFIX_IPV6 | sed 's/:\/[0-9]*//;s/:0*/:/g;' > + else > + ip -o -f inet6 addr show scope global | \ > + awk 'BEGIN { FS = "[ \t]*|[ \t\\/]+" } { print $4 }' | \ > + awk 'BEGIN { FS = ":" } { print $1":"$2":"$3":"$4":" }' | \ > + head -n 1 > + fi > +} > + > +function get_ipv6_iface { > + declare prefix=$(get_ipv6_prefix) > + ip -o -f inet6 addr show scope link | \ > + grep $prefix | head -n 1 | \ > + awk 'BEGIN { FS = "[ \t]*|[ \t\\/]+" } { print $2 }' > +} > + > +function get_ipv4_addr { > + declare ip4prefix=$LOCAL_SEC_IPV4 > + ip -o -f inet addr show scope global | \ > + grep $ip4prefix | head -n 1 | \ > + awk 'BEGIN { FS = "[ \t]*|[ \t\\/]+" } { print $4 }' > +} > + > +function get_ipv6_addr { > + declare prefix=$(get_ipv6_prefix) > + ip -o -f inet6 addr show scope link | \ > + grep $prefix | head -n 1 | \ > + awk 'BEGIN { FS = "[ \t]*|[ \t\\/]+" } { print $4 }' > +} > + > + > +###################################################################### > +# pre-testrun checks/configuration > +###################################################################### > + > +unset local_ipv4 remote_ipv4 address_ipv4 > + > +unset local_ipv6_if > +unset local_ipv6 remote_ipv6 address_ipv6 > +unset local_ipv6_raw remote_ipv6_raw address_ipv6_raw > + > +unset local_ipv6_prefix > +unset remote_ipv6_prefix > +unset address_ipv6_prefix > + > +unset address address_raw > + > +# check the test profile > +[[ -z $PPROFILE ]] && die "error: profile not set (PPROFILE)" > + > +# the remote labeled networking host/server > +if [[ -n $SECNET_SVR_IPV4 ]]; then > + lblnet_svr4_host=$SECNET_SVR_IPV4 > +else > + die "error: labeled networking test server not specified > (SECNET_SVR_IPV4)" > +fi > + > + > +# > +# get ipv4 addresses > +# 
> + > +local_ipv4="$(get_ipv4_addr)" > +remote_ipv4="$SECNET_SVR_IPV4" > address_ipv4="$ADDRESS_IPV4" > + > +# > +# get ipv6 addresses > +# > + > +# raw addresses > +local_ipv6_raw="$(get_ipv6_addr)" > +remote_ipv6_raw="$SECNET_SVR_IPV6" > +address_ipv6_raw="$ADDRESS_IPV6" > + > +# prefix to determine if addresses are link local or global > +local_ipv6_prefix=$(get_ipv6_prefix | head -c 4) > +remote_ipv6_prefix=$(echo $SECNET_SVR_IPV6 | head -c 4) > +address_ipv6_prefix=$(echo $ADDRESS_IPV6 | head -c 4) > + > +# interface/scope > +if [[ -n $BRIDGE_FILTER ]]; then > + local_ipv6_if=$BRIDGE_FILTER > +else > + local_ipv6_if="$(get_ipv6_iface)" > +fi > + > +# adjust link-local addresses > +if [[ $local_ipv6_prefix == "fe80" ]]; then > + # link-local address, add a scope > + local_ipv6="$local_ipv6_raw%$local_ipv6_if" > +else > + # non link-local, assume global address and just use it > + local_ipv6="$local_ipv6_raw" > +fi > +if [[ $remote_ipv6_prefix == "fe80" ]]; then > + # link-local address, add a scope > + local_ipv6="$local_ipv6_raw%$local_ipv6_if" > +else > + # non link-local, assume global address and just use it > + local_ipv6="$local_ipv6_raw" > +fi > +if [[ $remote_ipv6_prefix == "fe80" ]]; then > + # link-local address, add a scope > + remote_ipv6="$remote_ipv6_raw%$local_ipv6_if" > +else > + # non link-local, assume global address and just use it > + remote_ipv6="$remote_ipv6_raw" > +fi > +if [[ $address_ipv6_prefix == "fe80" ]]; then > + # link-local address, add a scope > + address_ipv6="$address_ipv6_raw%$local_ipv6_if" > +else > + # non link-local, assume global address and just use it > + address_ipv6="$address_ipv6_raw" > +fi > + > +# > +# generate the generic %ADDRESS[_RAW]% if possible > +# > + > +if [[ -n $address_ipv6 && -z $address_ipv4 ]]; then > + address="$address_ipv6" > + address_raw="$address_ipv6_raw" > +elif [[ -z $address_ipv6 && -n $address_ipv4 ]]; then > + address="$address_ipv4" > +fi > + > +if [[ -n $SECNET_SVR_IPV6 ]]; then > + 
lblnet_svr6_host=$remote_ipv6 > + lblnet_svr6_host_raw=$remote_ipv6_raw > +else > + die "error: networking test server not specified (SECNET_SVR_IPV6)" > +fi > + > +# the local machine > +lblnet_loc4_host=$local_ipv4 > +lblnet_loc6_host=$local_ipv6 > + > +case $PPROFILE in > + lspp) > + tstsvr_lock_timeout=$tstsvr_lock_timeout_lspp > + ;; > + capp) > + tstsvr_lock_timeout=$tstsvr_lock_timeout_capp > + ;; > + *) > + die "error: unknown test profile ($PPROFILE)" > + ;; > +esac > + > +# wait until remote is available > +while ! verify_remote; do > + echo "notice: test server is busy, sleeping for 60s ..." > + sleep 60 > +done > + > +###################################################################### > +# test configuration > +###################################################################### > + > +# It is important to note that prior to running any of the test below the > +# system must be configured using the config-server.bash script or the > +# environmental variables and routes must be set up manually. > + > +## > +## ebtables system calls > +## > + > +# The test cases below are in the following format, with optional elements > +# denoted by square brackets ([...]): > +# > +# + <_syscall_> \ > +# mlsop=<_mlsop_> expres=<_expres_> err=<_err_> \ > +# host=<_host_> type=<_type_> op=<_op_> ipv=<_ipv_> port=<_port_> \ > +# <_test_args_> > +# > +# Where the arguments are defined as follows: > +# > +# _syscall_ : the syscall itself is not being tested for ebtables but > +# is being used to generate the traffic for the test > +# > +# _mlsop_ : the MLS label comparison operator for more > information see > +# the comments elsewhere in this file, only 1 value > used for > +# ebtables. 
For compatibitlity with lblnet_tst_server > +# value: > +# eq : the local test process label equals the > remote > +# process/packet/connection's label > +# _expres_ : indicates that the operation should succeed (success) or > +# fail (fail) based on the system's security policy > +# _err_ : if the test should fail, it should fail with this error > +# code/value > +# _host_ : indicates if the test is against a local (local) or > +# remote (remote) host, the actual remote IP address is > +# determined from the SECNET_SVR_IPV4 and SECNET_SVR_IPV6 > +# environment variables > +# _type_ : the labeling protocol, kept for purposes of > compatibility > +# with the lblnet_tst_server. Only 1 type used: > +# unlabeled : not a labeling protocol, no need for > ebtables > +# _op_ : the remote test driver command, there are four valid > values: > +# sendrand_tcp : initiate a TCP connection with the test > +# machine and send data > +# sendrand_udp : send UDP traffic to the test machine > +# recv_tcp : accept TCP connections from the test > +# machine and receive data from > established > +# connections > +# recv_udp : receive UDP traffic from the test > machine > +# _ipv_ : the IP version, there are two values: ipv4 and ipv6 > +# _port_ : the TCP or UDP port > +# _test_args_ : arguments to supply to the test applet/program, > these may > +# be variables which are later expanded inside the > run_test() > +# function > + > +## SYSCALLS: accept() connect() recvfrom() > +## PURPOSE: > +## Verify that incoming packets are only allowed to pass on the bridge > device > +## when the ebtables chain rule or policy is set to accept the packet and > +## are dropped when a chain rule or policy so dictates. A check is also > made > +## for an audit record of the accepted or dropped packet when the rule so > +## specifies a target of AUDIT_ACCEPT or AUDIT_DROP. 
> +## These test cases make use of a remote test driver to initiate a > connection > +## from the remote node to the host under test, see the setup_default() > +## function above for details on configuring the remote test driver. In > +## The test procedure is as follows: > +## 1. Configure the audit subsystem to watch for the syscall record > +## 2. Restart ebtables to set it to a known condition, add the > AUDIT_ACCEPT > +## and AUDIT_DROP chains and set the INPUT chain with the appropriate > +## rule to test the specific filter feature. > +## 3. Execute the test case on the local system and verify the result > +## 4. Check the audit log for the correct syscall result and in the > case of > +## failure check for generated audit records indicating that a packet > +## was dropped or in some cases of success we check that an audit > record > +## was generated for a packet that was acccepted. > +## TESTCASE: Test #0 tnum 1 > +## Table Rule no blocking > +## Input TOE sends tcp connect to remote server over bridge > +## Expected Result packets pass, connection succeeds > ++ connect \ > + mlsop=eq expres=success \ > + host=remote type=unlabeled op=recv_tcp ipv=ipv4 port=$tst_port1 \ > + tnum=1 '$host_remote tcp $port' > +## TESTCASE: Test #1 tnum 2 > +## Table Rule drop incoming packets on device enslaved to bridge > +## and log in audit.log > +## Input TOE sends tcp connect to remote server over bridge > +## Expected Result response packets dropped, connect times out, > audit.log > +## has record > ++ connect \ > + mlsop=eq expres=fail err=ETIMEDOUT \ > + host=remote type=unlabeled op=recv_tcp ipv=ipv4 port=$tst_port1\ > + tnum=2 '$host_remote tcp $port' > +## TESTCASE: Test #2 tnum 3 > +## Table Rule no blocking > +## Input TOE sends tcp connect to remote server over bridge > +## Expected Result packets pass, connection succeeds > ++ connect \ > + mlsop=eq expres=success \ > + host=remote type=unlabeled op=recv_tcp ipv=ipv4 port=$tst_port1 \ > + tnum=3 '$host_remote 
tcp $port' > +## TESTCASE: Test #3 tnum 4 > +## Table Rule drop packets with source address of remote server > and log > +## in audit.log > +## Input TOE sends tcp connect to remote server over bridge > +## Expected Result response packets dropped, connect times out, > audit.log > +## has record > ++ connect \ > + mlsop=eq expres=fail err=ETIMEDOUT \ > + host=remote type=unlabeled op=recv_tcp ipv=ipv4 port=$tst_port1 \ > + tnum=4 '$host_remote tcp $port' > +## TESTCASE: Test #4 tnum 5 > +## Table Rule drop incoming packets to TOE bridge ipv4 address > and log > +## in audit.log > +## Input TOE sends TCP connect to remote server over bridge > +## Expected Result response packets dropped, connect times out, > audit.log > +## has record > ++ connect \ > + mlsop=eq expres=fail err=ETIMEDOUT \ > + host=remote type=unlabeled op=recv_tcp ipv=ipv4 port=$tst_port1 \ > + tnum=5 '$host_remote tcp $port' > +## TESTCASE: Test #5 tnum 6 > +## Table Rule no blocking > +## Input remote server sends tcp connect to bridge ipv4 > address > +## Expected Result packets pass, connection succeeds > ++ connect \ > + mlsop=eq expres=success \ > + host=remote type=unlabeled op=recv_tcp ipv=ipv4 port=$tst_port1 \ > + tnum=6 '$host_remote tcp $port' > +## TESTCASE: Test #6 tnum 7 > +## Table Rule drop TCP packets with source port (tst_port1) and log > +## in audit.log > +## Input TOE sends TCP connect to remote server over bridge > +## Expected Result response packets dropped, connect times out, > audit.log > +## has record > ++ connect \ > + mlsop=eq expres=fail err=ETIMEDOUT \ > + host=remote type=unlabeled op=recv_tcp ipv=ipv4 port=$tst_port1 \ > + tnum=7 '$host_remote tcp $port' > +## TESTCASE: Test #7 tnum 8 > +## Table Rule drop TCP packets with destination port > (tst_port1) and log > +## in audit.log > +## Input remote server sends tcp connect to bridge ipv4 > address > +## with destination port (tst_port1) > +## Expected Result response packets dropped, listen times out, audit.log > 
+## has record > ++ accept \ > + mlsop=eq expres=fail err=EINTR\ > + host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \ > + tnum=8 alarmv=90 '$ipv $port $alarmv' > +## TESTCASE: Test #8 tnum 9 > +## Table Rule no blocking > +## Input remote server sends udp packets to bridge ipv4 > address > +## Expected Result packets pass through > ++ recvfrom \ > + mlsop=eq expres=success \ > + host=remote type=unlabeled op=sendrand_udp ipv=ipv4 port=$tst_port1 \ > + tnum=9 '$ipv $port' > +## TESTCASE: Test #9 tnum 10 > +## Table Rule drop UDP from source port range 30k - 60k and log in > +## audit.log > +## Input remote server sends udp packets to bridge ipv4 > address > +## Expected Result packets dropped, audit.log has record > ++ recvfrom \ > + mlsop=eq expres=fail err=EINTR \ > + host=remote type=unlabeled op=sendrand_udp ipv=ipv4 port=$tst_port1 \ > + tnum=10 '$ipv $port' > +## TESTCASE: Test #10 tnum 11 > +## Table Rule drop UDP packets to destination port (tst_port1) > and log > +## audit.log > +## Input remote server sends udp packets to bridge ipv4 > address > +## at destination port > +## Expected Result packets dropped, audit.log has record > ++ recvfrom \ > + mlsop=eq expres=fail err=EINTR \ > + host=remote type=unlabeled op=sendrand_udp ipv=ipv4 port=$tst_port1 \ > + tnum=11 '$ipv $port' > +## TESTCASE: Test #11 tnum 12 > +## Table Rule no blocking > +## Input remote server sends tcp connect to bridge ipv4 > address > +## Expected Result packets pass, connection succeeds > ++ accept \ > + mlsop=eq expres=success \ > + host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \ > + tnum=12 alarmv=90 '$ipv $port $alarmv' > +## TESTCASE: Test #12 tnum 13 > +## Table Rule INPUT chain policy set to DROP, ACCEPT TCP packets to > +## port destination port (tst_port1) and log in > audit.log > +## Input remote server sends tcp connect to bridge at > destination > +## port (tst_port1) > +## Expected Result packets pass, connection succeeds, 
audit.log has > record > ++ accept \ > + mlsop=eq expres=success \ > + host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \ > + tnum=13 alarmv=90 '$ipv $port $alarmv' > +## TESTCASE: Test #13 tnum 14 > +## Table Rule INPUT chain policy set to DROP no other rule > +## Input remote server sends tcp connect to bridge ipv4 > address > +## Expected Result packets dropped, listen times out, no audit record > +## because the DROP policy is used due to the test > +## requirement and not the AUDIT_DROP target/chain > ++ accept \ > + mlsop=eq expres=fail err=EINTR\ > + host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \ > + tnum=14 alarmv=90 '$ipv $port $alarmv' > +## TESTCASE: Test #14 tnum 15 > +## Table Rule accept packets to logical bridge device > (BRIDGE_FILTER) > +## Input remote server sends tcp connect to bridge ipv4 > address > +## Expected Result packets pass, connection succeeds, audit.log has > record > ++ accept \ > + mlsop=eq expres=success \ > + host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \ > + tnum=15 alarmv=90 '$ipv $port $alarmv' > +## TESTCASE: Test #15 tnum 16 > +## Table Rule drop packets to logical bridge device (BRIDGE_FILTER) > +## Input remote server sends tcp connect to bridge ipv4 > address > +## Expected Result packets dropped, listen times out, audit.log has > record > ++ accept \ > + mlsop=eq expres=fail err=EINTR\ > + host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \ > + tnum=16 alarmv=90 '$ipv $port $alarmv' > +## TESTCASE: Test #16 tnum 17 > +## Table Rule accepts packets from mac address of remote server > eth1 > +## Input remote server sends tcp connect to bridge ipv4 > address > +## Expected Result packets pass, connection succeeds, audit.log has > record > ++ accept \ > + mlsop=eq expres=success \ > + host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \ > + tnum=17 alarmv=90 '$ipv $port $alarmv' > +## TESTCASE: Test #17 tnum 18 > +## Table 
Rule drop packets from mac address of remote server > +## Input remote server sends tcp connect to bridge ipv4 > address > +## Expected Result packets dropped, listen times out, audit.log has > record > ++ accept \ > + mlsop=eq expres=fail err=EINTR \ > + host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \ > + tnum=18 alarmv=90 '$ipv $port $alarmv' > +## TESTCASE: Test #18 tnum 19 > +## Table Rule accepts packets to mac address of TOE device enslaved > +## to bridge > +## Input remote server sends tcp connect to bridge ipv4 > address > +## Expected Result packets pass, connection succeeds, audit.log has > record > ++ accept \ > + mlsop=eq expres=success \ > + host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \ > + tnum=19 alarmv=90 '$ipv $port $alarmv' > +## TESTCASE: Test #19 tnum 20 > +## Table Rule drop packets to mac address of TOE device enslaved > +## to bridge > +## Input remote server sends tcp connect to bridge ipv4 > address > +## Expected Result packets dropped, listen times out, audit.log has > record > ++ accept \ > + mlsop=eq expres=fail err=EINTR \ > + host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \ > + tnum=20 alarmv=90 '$ipv $port $alarmv' > +## TESTCASE: Test #20 tnum 21 > +## Table Rule no blocking > +## Input TOE sends tcp connect (ipv6) to remote server > over bridge > +## Expected Result connection succeeds > ++ connect \ > + mlsop=eq expres=success \ > + host=remote type=unlabeled op=recv_tcp ipv=ipv6 port=$tst_port1 \ > + tnum=21 '$host_remote tcp $port' > +## TESTCASE: Test #21 tnum 22 > +## Table Rule drop packets to TOE device enslaved to bridge > +## Input TOE sends tcp connect (ipv6) to remote server > over bridge > +## Expected Result response packets dropped, connect times out, > audit.log > +## has record > ++ connect \ > + mlsop=eq expres=fail err=ETIMEDOUT \ > + host=remote type=unlabeled op=recv_tcp ipv=ipv6 port=$tst_port1 \ > + tnum=22 '$host_remote tcp $port' > +## 
TESTCASE: Test #22 tnum 23 > +## Table Rule no blocking > +## Input TOE sends tcp connect (ipv6) to remote server > over bridge > +## Expected Result connection succeeds > ++ connect \ > + mlsop=eq expres=success \ > + host=remote type=unlabeled op=recv_tcp ipv=ipv6 port=$tst_port1 \ > + tnum=23 '$host_remote tcp $port' > +## TESTCASE: Test #23 tnum 24 > +## Table Rule drop packets with ipv6 source address of remote > server > +## and log in audit.log > +## Input TOE sends tcp connect (ipv6) to remote server > over bridge > +## Expected Result response packets from remote server are dropped and > +## connect times out. audit.log has records > ++ connect \ > + mlsop=eq expres=fail err=ETIMEDOUT \ > + host=remote type=unlabeled op=recv_tcp ipv=ipv6 port=$tst_port1 \ > + tnum=24 '$host_remote tcp $port' > +## TESTCASE: Test #24 tnum 25 > +## Table Rule drop packets to TOE ipv6 address of bridge device > and log > +## in audit.log > +## Input TOE sends tcp connect (ipv6) to remote server > over bridge > +## Expected Result response packets (ipv6) from remote server are > dropped > +## and connect times out. 
> ++ connect \ > + mlsop=eq expres=fail err=ETIMEDOUT \ > + host=remote type=unlabeled op=recv_tcp ipv=ipv6 port=$tst_port1 \ > + tnum=25 '$host_remote tcp $port' > +## TESTCASE: Test #25 tnum 26 > +## Table Rule no blocking > +## Input TOE sends tcp connect (ipv6) to remote server > over bridge > +## Expected Result connection succeeds > ++ connect \ > + mlsop=eq expres=success \ > + host=remote type=unlabeled op=recv_tcp ipv=ipv6 port=$tst_port1 \ > + tnum=26 '$host_remote tcp $port' > +## TESTCASE: Test #26 tnum 27 > +## Table Rule drop tcp (ipv6) packets with remote server source > port > +## tst_port1 and log in audit.log > +## Input TOE sends tcp connect (ipv6) to remote server > over bridge > +## Expected Result response packets from remote server with > specified source > +## port are dropped, connect times out, audit.log > has record > ++ connect \ > + mlsop=eq expres=fail err=ETIMEDOUT \ > + host=remote type=unlabeled op=recv_tcp ipv=ipv6 port=$tst_port1 \ > + tnum=27 '$host_remote tcp $port' > +## TESTCASE: Test #27 tnum 28 > +## Table Rule drop tcp (ipv6) packets to TOE bridge with > destination > +## port tst_port1 and log in audit.log > +## Input remote server sends tcp (ipv6) connect to TOE at port > +## tst_port1 > +## Expected Result packets to port are dropped, listen times out, > +## audit.log has record > ++ accept \ > + mlsop=eq expres=fail err=EINTR\ > + host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \ > + tnum=28 alarmv=90 '$ipv $port $alarmv' > +## TESTCASE: Test #28 tnum 29 > +## Table Rule no blocking > +## Input remote server sends udp packets to bridge ipv6 > address > +## Expected Result packets pass through > ++ recvfrom \ > + mlsop=eq expres=success \ > + host=remote type=unlabeled op=sendrand_udp ipv=ipv6 port=$tst_port1 \ > + tnum=29 '$ipv $port' > +## TESTCASE: Test #29 tnum 30 > +## Table Rule udp (ipv6) packets to TOE with source port 30k - > 60k range > +## are dropped > +## Input remote server sends udp 
packets to bridge ipv6 > address > +## Expected Result packets dropped, audit.log has record > ++ recvfrom \ > + mlsop=eq expres=fail err=EINTR \ > + host=remote type=unlabeled op=sendrand_udp ipv=ipv6 port=$tst_port1 \ > + tnum=30 '$ipv $port' > +## TESTCASE: Test #30 tnum 31 > +## Table Rule udp (ipv6) packets to TOE with destination port > tst_port1 > +## are dropped > +## Input remote server sends udp packets to bridge ipv6 > address > +## Expected Result packets dropped, audit.log has record > ++ recvfrom \ > + mlsop=eq expres=fail err=EINTR \ > + host=remote type=unlabeled op=sendrand_udp ipv=ipv6 port=$tst_port1 \ > + tnum=31 '$ipv $port' > +## TESTCASE: Test #31 tnum 32 > +## Table Rule no blocking > +## Input remote server sends tcp connect (ipv6) to TOE > +## Expected Result connection succeeds > ++ accept \ > + mlsop=eq expres=success \ > + host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \ > + tnum=32 alarmv=90 '$ipv $port $alarmv' > +## TESTCASE: Test #32 tnum 33 > +## Table Rule INPUT chain policy set to DROP, tcp (ipv6) packets to > +## TOE port tst_port1 allowed. log of accepted > packets to > +## to audit.log > +## Input remote server sends tcp connect (ipv6) to TOE port > +## tst_port1 > +## Expected Result connect succeeds, audit log has record > ++ accept \ > + mlsop=eq expres=success \ > + host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \ > + tnum=33 alarmv=90 '$ipv $port $alarmv' > +## TESTCASE: Test #33 tnum 34 > +## Table Rule INPUT chain policy set to DROP, only port 22 allowed. 
> +## Input remote server sends tcp connect (ipv6) to TOE port > +## tst_port1 > +## Expected Result connect fails, listen times out, no log of > connect packets > ++ accept \ > + mlsop=eq expres=fail err=EINTR\ > + host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \ > + tnum=34 alarmv=90 '$ipv $port $alarmv' > +## TESTCASE: Test #34 tnum 35 > +## Table Rule logical bridge device accepts traffic and logs > +## to audit.log > +## Input remote server sends tcp connect (ipv6) to TOE bridge > +## address > +## Expected Result connect succeeds, audit.log has record > ++ accept \ > + mlsop=eq expres=success \ > + host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \ > + tnum=35 alarmv=90 '$ipv $port $alarmv' > +## TESTCASE: Test #35 tnum 36 > +## Table Rule logical bridge device drops packets and logs to > audit.log > +## Input remote server sends tcp connect (ipv6) to TOE bridge > +## address > +## Expected Result connect fails, listen times out, audit.log has record > ++ accept \ > + mlsop=eq expres=fail err=EINTR\ > + host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \ > + tnum=36 alarmv=90 '$ipv $port $alarmv' > +## TESTCASE: Test #36 tnum 37 > +## Table Rule accept packets (ipv6) from mac address of remote > server > +## and log to audit.log > +## Input remote server sends tcp connect (ipv6) to TOE bridge > +## Expected Result connect succeeds, packets logged in audit.log > ++ accept \ > + mlsop=eq expres=success \ > + host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \ > + tnum=37 '$ipv $port' > +## TESTCASE: Test #37 tnum 38 > +## Table Rule drop packets (ipv6) from mac address of remote server > +## and log to audit.log > +## Input remote server sends tcp connect (ipv6) to TOE bridge > +## Expected Result connect fails, listen times out, audit.log has record > ++ accept \ > + mlsop=eq expres=fail err=EINTR \ > + host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \ > + tnum=38 
alarmv=90 '$ipv $port $alarmv' > +## TESTCASE: Test #38 tnum 39 > +## Table Rule accept packets (ipv6) to mac address of TOE device > +## enslaved to bridge and log to audit.log > +## Input remote server sends tcp connect (ipv6) to TOE bridge > +## Expected Result connect succeeds, packets logged in audit.log > ++ accept \ > + mlsop=eq expres=success \ > + host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \ > + tnum=39 alarmv=90 '$ipv $port $alarmv' > +## TESTCASE: Test #39 tnum 40 > +## Table Rule drop packets (ipv6) to mac address of TOE device > +## enslaved to bridge and log to audit.log > +## Input remote server sends tcp connect (ipv6) to TOE bridge > +## Expected Result connect fails, dropped packets logged in audit.log > ++ accept \ > + mlsop=eq expres=fail err=EINTR \ > + host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \ > + tnum=40 alarmv=90 '$ipv $port $alarmv' > +## TESTCASE Test #40 tnum 41 > +## No Table Rule This test insures a normal user does not have > +## permision to modify the ebtables > +## Input testperm.bash script adds a regular user and then > +## su to the user and attempts to add a ebtables rule > +## Expected Result Permission is denied and rule is not added > ++ testperm.bash \ > + mlsop=eq expres=success \ > + host=local tnum=41 > > > > > > > > > > > > > > > > > |
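Review bot: the link-local adjustment in the pre-testrun section carries a copy-and-paste error: the second `if [[ $remote_ipv6_prefix == "fe80" ]]` block assigns `local_ipv6="$local_ipv6_raw%$local_ipv6_if"` (else `local_ipv6="$local_ipv6_raw"`), so it is a duplicate of the preceding local block keyed on the wrong prefix and silently overwrites local_ipv6 according to the remote address's scope; that block should be deleted, leaving the following one that sets remote_ipv6. Two smaller points in the same region: the audit-record check in run_test lists `13 | 15 | 19 | 33 | 37 | 39` for action=0, but the test descriptions for tnum 17 and tnum 35 also state "audit.log has record", so those two fall through to the `*) exit_pass` arm and are never checked against the audit log; and the three action=1 arms have identical bodies apart from the last one dropping `-if /var/log/audit/audit.log`, so they can be merged into a single pattern list. Also, the tnum=37 case is the only accept test that passes `'$ipv $port'` without `alarmv=90`, which looks like an omission rather than an intended difference from tnum 38 through 40.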
From: James C. <cz...@li...> - 2011-06-29 23:47:15
|
Hi Linda,

I agree there seems to be a fair amount of common code. Actually, at one point there was a lot more than there is now; I simply eliminated some so there wouldn't be so much that I wasn't using. (This is actually one topic I would like to discuss, especially when we get into the area of labeled networking and some potential issues.) The major differences that cannot be shared will revolve around the setting of the ebtables rules, the setting of the ebtables CHAINS for auditing, the fact that a number of addresses are currently set via the environmental variables from the running of the config-server.bash script, and the test cases themselves at the end of the file. The test cases at the end, in addition to at times having different arguments, also have comments as to what I set the chain rule to, what input I'm expecting and the expected result.

On 6/29/2011 11:03 AM, Linda Knippers wrote:
> Hi Jim,
>
> There's some stuff here that's a copy of the stuff in the network/run.conf
> file. I think we should move all the common stuff into a separate .bash file
> that each run.conf can reference. If you had to make changes to some of
> the functions (I didn't do a diff to find out), then we should see if the
> changes are ok for the network tests or whether we really do need separate
> functions in some cases, but I assume that most is sharable.
>
> -- ljk
>
> James Czyzak wrote: >> Signed-off-by James Czyzak<cz...@li...> >> <mailto:cz...@li...> >> >> diff --git a/audit/netfilebt/run.conf b/audit/netfilebt/run.conf >> new file mode 100644 >> index 0000000..2415307 >> --- /dev/null >> +++ b/audit/netfilebt/run.conf 
>> @@ -0,0 +1,1455 @@ >> +#!/bin/bash >> +# >> ============================================================================= >> +# (c) Copyright Hewlett-Packard Development Company, L.P., 2005, 2006, 2007 >> +# >> +# This program is free software: you can redistribute it and/or modify >> +# it under the terms of version 2 the GNU General Public License as >> +# published by the Free Software Foundation. >> +# >> +# This program is distributed in the hope that it will be useful, >> +# but WITHOUT ANY WARRANTY; without even the implied warranty of >> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >> +# GNU General Public License for more details. >> +# >> +# You should have received a copy of the GNU General Public License >> +# along with this program. If not, see<http://www.gnu.org/licenses/>. >> +# >> ============================================================================= >> + >> +###################################################################### >> +# global variables >> +###################################################################### >> + >> +tstsvr_lock_timeout_lspp=3000 # in seconds (50m) >> +tstsvr_lock_timeout_capp=120 # in seconds (2m) >> +tstsvr_lock_timeout=0 >> +tstsvr_lock_held=0 >> +tst_port1=4100 >> +tst_port2=4200 >> +tst_port3=4300 >> + >> +###################################################################### >> +# helper functions >> +###################################################################### >> + >> +# >> +# get_test_domain - Get the SELinux domain for the test applet >> +# >> +# INPUT >> +# $1 : the labeling type >> +# $2 : the host type >> +# >> +# OUTPUT >> +# Writes the SELinux domain to stdout >> +# >> +# DESCRIPTION >> +# This function determines the correct SELinux domain to use for the test >> +# applet based on the given labeling type. 
>> +# >> +function get_test_domain { >> + declare type_arg=$1 host_arg=$2 >> + >> + case $PPROFILE-$host_arg in >> + lspp-*|capp-remote) >> + case $type_arg in >> + unlabeled) >> + echo "lspp_test_generic_t" >> + ;; >> + *) >> + exit_fail "invalid test argument" >> + ;; >> + ;; >> + esac >> + ;; >> + capp-local) >> + case $type_arg in >> + *) >> + echo "unconfined_t" >> + ;; >> + esac >> + ;; >> + esac >> +} >> + >> +# >> +# get_label_subj - Get the subject's sensitivity label for the test run >> +# >> +# INPUT >> +# $1 : the MLS "op" >> +# >> +# OUPUT >> +# Writes the subject's untranslated sensivity label to stdout >> +# >> +# DESCRIPTION >> +# This function sets the subject's sensitivity label for the test run >> +# based on the MLS "op". The MLS "op" will always specify the subject >> +# is to be equal to (eq) the object for the ebtables filtering tests. >> +# This MLS "op" definition assumes the Bell-LaPadula based MLS >> +# constraints in use by the SELinux MLS policy derived from the SELinux >> +# Reference Policy. >> +# >> +function get_label_subj { >> + declare mlsop_arg=$1 >> + >> + case $PPROFILE in >> + lspp) >> + case $mlsop_arg in >> + eq) >> + echo "SystemLow" >> + ;; >> + *) >> + exit_fail "invalid test argument" >> + ;; >> + esac >> + ;; >> + capp) >> + case $mlsop_arg in >> + *) >> + # in targeted policy (the likely policy for CAPP) the s0 >> + # sensitivity label is translated into a NULL string >> so we >> + # have to use the untranslated sensitivity label >> + echo "s0" >> + ;; >> + esac >> + ;; >> + esac >> +} >> + >> +# >> +# get_label_obj - Get the object's sensitivity label for the test run >> +# >> +# INPUT >> +# $1 : the MLS "op" >> +# >> +# OUPUT >> +# Writes the object's untranslated sensivity label to stdout >> +# >> +# DESCRIPTION >> # This function determines the objects's sensitivity label for the test run >> +# based on the MLS "op". The MLS "op" specifies the subject is to be equal >> +# to (eq) the object. 
>> +# This MLS "op" definition assumes the Bell-LaPadula based MLS >> +# constraints in use by the SELinux MLS policy derived from the SELinux >> +# Reference Policy. >> +# >> +function get_label_obj { >> + declare mlsop_arg=$1 >> + >> + case $PPROFILE in >> + lspp) >> + case $mlsop_arg in >> + eq) >> + echo "SystemLow" >> + ;; >> + *) >> + exit_fail "invalid test argument" >> + ;; >> + esac >> + ;; >> + capp) >> + case $mlsop_arg in >> + *) >> + # in targeted policy (the likely policy for CAPP) the s0 >> + # sensitivity label is translated into a NULL string >> so we >> + # have to use the untranslated sensitivity label >> + echo "s0" >> + ;; >> + esac >> + ;; >> + esac >> +} >> + >> +# >> +# get_host_local - Get the IP address to use as the local address for >> the test >> +# >> +# INPUT >> +# $1 : the IP version >> +# $2 : the host type >> +# >> +# OUTPUT >> +# Writes the IP address to stdout >> +# >> +# DESCRIPTION >> +# This function determines the correct local address to use for the >> test run >> +# based on an IP version string, "ipv4" or "ipv6", and the host type, >> "local" >> +# or "remote". While the "local" host types resolve to the IPv4 or IPv6 >> +# localhost address the "remote" host types resolve to IP addresses >> specified >> +# in environment variables which are queried at the start of the test run. 
>> +# >> +function get_host_local { >> + declare ipv_arg=$1 host_arg=$2 >> + >> + case $ipv_arg in >> + ipv4) >> + case $host_arg in >> + local) >> + echo "127.0.0.1" >> + ;; >> + remote) >> + echo "$lblnet_loc4_host" >> + ;; >> + *) >> + exit_fail "invalid test argument" >> + ;; >> + esac >> + ;; >> + ipv6) >> + case $host_arg in >> + local) >> + echo "::1" >> + ;; >> + remote) >> + echo "$lblnet_loc6_host" >> + ;; >> + *) >> + exit_fail "invalid test argument" >> + ;; >> + esac >> + ;; >> + *) >> + exit_fail "invalid test argument" >> + ;; >> + esac >> +} >> + >> +# >> +# get_host_remote - Get the IP address to use as the remote address >> +# >> +# INPUT >> +# $1 : the IP version >> +# $2 : the host type >> +# >> +# OUTPUT >> +# Writes the IP address to stdout >> +# >> +# DESCRIPTION >> +# This function determines the correct remote address to use for the test >> +# run based on an IP version string, "ipv4" or "ipv6", and the host type, >> +# "local" or "remote". While the "local" host types resolve to the IPv4 or >> +# IPv6 localhost address the "remote" host types resolve to IP addresses >> +# specified in environment variables which are queried at the start of the >> +# test run. 
>> +# >> +function get_host_remote { >> + declare ipv_arg=$1 host_arg=$2 >> + >> + case $ipv_arg in >> + ipv4) >> + case $host_arg in >> + local) >> + echo "127.0.0.1" >> + ;; >> + remote) >> + echo "$lblnet_svr4_host" >> + ;; >> + *) >> + exit_fail "invalid test argument" >> + ;; >> + esac >> + ;; >> + ipv6) >> + case $host_arg in >> + local) >> + echo "::1" >> + ;; >> + remote) >> + echo "$lblnet_svr6_host" >> + ;; >> + *) >> + exit_fail "invalid test argument" >> + ;; >> + esac >> + ;; >> + *) >> + exit_fail "invalid test argument" >> + ;; >> + esac >> +} >> + >> +# >> +# tstsvr_lock - Lock the remote test server >> +# >> +# INPUT >> +# none >> +# >> +# OUTPUT >> +# Returns true if the test server was able to be locked, false otherwise >> +# >> +# DESCRIPTION >> +# This function attempts to lock the remote test server with the >> timeout value >> +# specified in the global variable $tstsvr_lock_timeout. If the >> function is >> +# able to lock the remote test server then it returns true and sets the >> global >> +# variable $tstsvr_lock_held to 1 for use in the tstsvr_unlock() >> function. If >> +# for any reason the function is not able to lock the remote test >> server then >> +# the function returns false and the value in $tstsvr_lock_held is >> unchanged. >> +# This function assumes the remote node is running a test driver >> similar to the >> +# one found in "utils/network-server/lblnet_tst_server.c". 
>> +# >> +function tstsvr_lock { >> + declare rc >> + declare cmd_str="lock:set,$tstsvr_lock_timeout;" >> + >> + echo $lblnet_svr6_host >> + rc="$(nc -6 -w 1 $LBLNET_SVR_IPV6%$LOCAL_DEV 4000<<< $cmd_str)" >> + if [[ $rc == 0 ]]; then >> + tstsvr_lock_held=1 >> + return 0 >> + fi >> + >> + return 1 >> +} >> + >> +# >> +# tstsvr_unlock - Unlock the remote test server >> +# >> +# INPUT >> +# none >> +# >> +# OUTPUT >> +# none >> +# >> +# DESCRIPTION >> +# This function attempts to unlock the remote test server if it was locked >> +# previously during this test run. The function checks the >> $tstsvr_lock_held >> +# global variable and if the value is 1, set by the tstsvr_lock() function, >> +# then the function sends an unlock command to the remote test server. >> If the >> +# $tstsvr_lock_held variable is not set to 1 then this function does >> nothing. >> +# This function assumes the remote node is running a test driver >> similar to the >> +# one found in "utils/network-server/lblnet_tst_server.c". >> +# >> +function tstsvr_unlock { >> + declare cmd_str="lock:release;" >> + >> + if [[ $tstsvr_lock_held == 1 ]]; then >> + nc -6 -w 1 $lblnet_svr6_host 4000<<< $cmd_str >> + fi >> +} >> + >> +# >> +# verify_remote - Verify that the remote test server is available for use >> +# >> +# INPUT >> +# none >> +# >> +# OUTPUT >> +# Returns true if the remote test server is available, false otherwise >> +# >> +# DESCRIPTION >> +# This function checks to see if the remote test server is available >> for use >> +# and is able to be locked for this test run in which case it returns true. >> +# If the test server is offline, or in use by another host and unable to be >> +# locked then this function returns false. >> +# >> +function verify_remote { >> + tstsvr_lock >> + return $? 
>> +} >> + >> +###################################################################### >> +# defaults >> +###################################################################### >> + >> +# >> +# setup_default - Setup the remote test driver >> +# >> +# INPUT >> +# none >> +# >> +# OUTPUT >> +# none >> +# >> +# DESCRIPTION >> +# All of the ebtables tests in this file need to either send data to a >> remote >> +# node or receive data from a remote node; this function does the required >> +# setup to initialize the remote node based on the individual test >> case. This >> +# function works for both "local" (localhost) and "remote" (non-localhost) >> +# host types using both IPv4 and IPv6. No ebtables tests are run on the >> local >> +# loopback device. This function determines the setup >> +# needed by the test using the "op", "host", "type", "mlsop", "ipv", and >> +# "port" named arguments as given on the test command line. On error the >> +# function calls exit_error() which marks the test case as resulting in an >> +# error. This function assumes the remote node is running a test driver >> +# similar to the one found in "utils/network-server/lblnet_tst_server.c". 
>> +# >> +function setup_default { >> + declare rc=1 >> + declare tspid=0 >> + declare cmd_str >> + declare remote_obj local_host >> + declare loop_cnt >> + >> + # generate the host command string >> + remote_obj="$(get_label_obj $mlsop)" >> + cmd_str="sockcon:full,system_u:system_r:$(get_test_domain $type >> $host):$remote_obj;" >> + case $op in >> + sendrand_tcp) >> + if [[ $ipv == "ipv6" ]]; then >> + local_host="$LOCAL_SEC_IPV6%$SECNET_SVR_DEV" >> + echo " $local_host " >> + else >> + local_host="$(get_host_local $ipv $host)" >> + fi >> + cmd_str+="sleep:5;" >> + cmd_str+="sendrand:$local_host,tcp,$port,1;" >> + ;; >> + sendrand_udp) >> + if [[ $ipv == "ipv6" ]]; then >> + local_host="$LOCAL_SEC_IPV6%$SECNET_SVR_DEV" >> + else >> + local_host="$(get_host_local $ipv $host)" >> + fi >> + cmd_str+="sleep:5;" >> + cmd_str+="sendrand:$local_host,udp,$port,1;" >> + ;; >> + recv_tcp) >> + cmd_str+="recv:$ipv,tcp,$port,0;" >> + ;; >> + >> +# recv_udp is not used in ebtables testing currently but is >> +# left in for possible future test cases as the operation >> +# already coded in the lblnet_tst_server >> + >> + recv_udp) >> + cmd_str+="recv:$ipv,udp,$port,1;" >> + ;; >> + *) >> + exit_fail "invalid test argument" >> + ;; >> + esac >> + >> + # setup the remote test server (try more than once) >> + for ((loop_cnt=0; loop_cnt<=2&& rc!=0; loop_cnt++)); do >> + case $host in >> remote) >> + rc="$(nc -6 -w 2 $lblnet_svr6_host 4000<<< $cmd_str)" >> + ;; >> + local) >> + # use the same port as the remote IPv4 setting >> + rc="$(nc -w 1 ::1 4000<<< $cmd_str)" >> + ;; >> + *) >> + exit_fail "invalid test argument" >> + ;; >> + esac >> + if [[ $rc != 0 ]]; then >> + echo "notice: failed to setup remote test server, retrying" >> + echo "return code = "$rc" " >> + sleep 10 >> + fi >> + done >> + >> + # verify the setup >> + if [[ $rc != 0 ]]; then >> + exit_error "could not setup remote test server" >> + fi >> +} >> + >> + >> 
+###################################################################### >> +# run.bash overrides >> +###################################################################### >> + >> +# Rename the original run.bash + function to run+ and create our own + >> function >> +# that generates a tag for the test based on the named parameters. >> + >> +# >> +# + - Generate a unique tag for each test case and run the default "+" >> function >> +# >> +# INPUT >> +# $@ : test command line >> +# >> +# OUTPUT >> +# none >> +# >> +# DESCRIPTION >> +# This function acts as a wrapper for the original "+" function which is >> +# responsibile for running each test case shown at the bottom of this file. >> +# This wrapper function is necessary to automatically generate a unique >> tag for >> +# each test case based on it's named arguments. This tag is then used >> as an >> +# additional named argument for the default "+" function. >> +# >> +eval "function run+ $(type + | sed '1,2d')" >> +function + { >> + declare test=$1 tag # make sure it's not inherited from caller >> + shift >> + eval "$(parse_named "$@")" || exit_error >> + if [[ -z $tag ]]; then >> + # extract the named args that identify a unique testcase >> + run+ $test \ >> + >> tag="${test}__${host}_${type}_${ipv}_${expres}_subj_${mlsop}_obj" \ >> + "$@" >> + else >> + # use tag supplied in run.conf >> + run+ $test "$@" >> + fi >> +} >> + >> +# >> +# show_test - Display the test case details >> +# >> +# INPUT >> +# $@ : test command line >> +# >> +# OUTPUT >> +# Writes the test case details to stdout >> +# >> +# DESCRIPTION >> +# This function reads in the entire test case command line and depending on >> +# the verbosity of the test harness either the entire command line is >> dumped >> +# to stdout or just the tag named variable as generated by the +() function >> +# defined in this file. All output is handled by the fmt_test() function >> +# which is defined as by the test harness. 
This function was overloaded >> +# because of the special handling for the tag named variable. >> +# >> +function show_test { >> + if ! $opt_verbose; then >> + declare tag # make sure it's not inherited from caller >> + eval "$(parse_named "$@")" || exit_error >> + [[ -n $tag ]]&& set -- "$tag" >> + fi >> + fmt_test "[$TESTNUM]" "$@" >> +} >> + >> +# >> +# network_cleanup - Release the lock on the remote test server >> +# >> +# INPUT >> +# none >> +# >> +# OUTPUT >> +# none >> +# >> +# DESCRIPTION >> +# This function tries to unlock the remote test server by calling the >> +# tstsvr_unlock() function. >> +# >> +function network_cleanup { >> + tstsvr_unlock >> +} >> +prepend_cleanup 'network_cleanup' >> + >> + >> +# >> +# This function sets up the ebtables targets that allow an audit log >> +# of packets matching the rule that uses either AUDIT_DROP or >> +# AUDIT_ACCEPT as the target in the rule. >> +# >> +function ebtaudit_setup { >> + >> +ebtables -N AUDIT_DROP >> +ebtables -A AUDIT_DROP -j AUDIT --audit-type DROP >> +ebtables -A AUDIT_DROP -j DROP >> +sleep 1 >> +ebtables -N AUDIT_ACCEPT >> +ebtables -A AUDIT_ACCEPT -j AUDIT --audit-type ACCEPT >> +ebtables -A AUDIT_ACCEPT -j ACCEPT >> +} >> + >> +###################################################################### >> +# run_test >> +###################################################################### >> + >> +# >> +# run_test - Execute an individual test case >> +# >> +# INPUT >> +# $@ : test command line >> +# >> +# OUTPUT >> +# Returns true on test success, other error values on test failure >> +# >> +# DESCRIPTION >> +# This function is responsibile for executing all aspects of an individual >> +# test case including the following: setup, audit configuration and >> rotation, >> +# test case execution, test case verification, and audit verification. 
>> Most of >> +# these tasks are handled by other helper function defined either in >> this file >> +# or in the test harness, however, they are called from inside this >> function >> +# based on the individual test case's requirements. In the case where >> a test >> +# is run and it returns true and the audit verification is successful >> then this >> +# function returns true and the test case can be considered to have passed. >> +# However, if either the test case returns non-true, the audit trail is not >> +# correct, or an error occurs elsewhere then this function calls either the >> +# exit_fail() or exit_error() functions to signify a test case failure. >> +# >> +function run_test { >> + declare syscall=$1 tst_name=$1 >> + declare x name value status log_mark >> + declare test_domain label_subj label_obj host_local host_remote >> + shift >> + eval "$(parse_named "$@")" || exit_error >> + >> + source $AUDITPATH/netfilebt/netfilebt_functions.bash || exit_error >> + >> + if [[ tnum -eq 41 ]]; then >> + ./testperm.bash >> + return $? >> + fi >> + >> + # get the derived variables >> + # NOTE: the $test_domain variable is always using the "local" >> version of >> + # the test domain because the value is always only used on the >> + # local machine (see below) >> + test_domain=$(get_test_domain $type local) >> + label_subj=$(get_label_subj $mlsop) >> + label_obj=$(get_label_obj $mlsop) >> + host_local=$(get_host_local $ipv $host) >> + host_remote=$(get_host_remote $ipv $host) >> + >> + # run the >> + # default setup >> + if [[ $PPROFILE = lspp ]] ; then >> + expect -c' >> + spawn run_init service ebtables restart >> + expect "Authenticating ccteam." 
>> + expect "Password:" >> + sleep 1 >> + send "$env(PASSWD)\r" >> + wait >> + close' >> + else >> + service ebtables restart >> + fi >> + ebtaudit_setup >> + sleep 4 >> + setup_default >> + >> + case $tnum in >> + 2) >> + ebtables -I INPUT 1 -i $SECNET_SVR_DEV -j AUDIT_DROP >> + ebtables -L --Ln >> + ;; >> + 4) >> + ebtables -I INPUT 1 -p IPv4 --ip-source $SECNET_SVR_IPV4 >> -j AUDIT_DROP >> + ebtables -L --Ln >> + ;; >> + 5) >> + ebtables -I INPUT 1 -p IPv4 --ip-destination >> $LOCAL_SEC_IPV4 -j AUDIT_DROP >> + ebtables -L --Ln >> + ;; >> + 7) >> + ebtables -I INPUT 1 -p IPv4 --ip-proto TCP >> --ip-source-port $tst_port1 -j AUDIT_DROP >> + ebtables -L --Ln >> + ;; >> + 8) >> + ebtables -I INPUT 1 -p IPv4 --ip-proto TCP >> --ip-destination-port $tst_port1 -j AUDIT_DROP >> + iptables -L --line-numbers -n >> + ;; >> + 10) >> + ebtables -I INPUT 1 -p IPv4 --ip-proto UDP >> --ip-source-port 30000:60000 -j AUDIT_DROP >> + ebtables -L --Ln >> + ;; >> + 11) >> + ebtables -I INPUT 1 -p IPv4 --ip-proto UDP >> --ip-destination-port $tst_port1 -j AUDIT_DROP >> + ebtables -L --Ln >> + ;; >> + 13) >> + ebtables -I INPUT 1 -p IPv4 --ip-proto TCP >> --ip-destination-port 22 -j AUDIT_ACCEPT >> + ebtables -I INPUT 2 -p IPv4 --ip-proto TCP >> --ip-destination-port $tst_port1 -j AUDIT_ACCEPT >> + ebtables -P INPUT DROP >> + ebtables -L --Ln >> + ;; >> + 14) >> + ebtables -I INPUT 1 -p IPv4 --ip-proto TCP >> --ip-destination-port 22 -j AUDIT_ACCEPT >> + ebtables -P INPUT DROP >> + ebtables -L --Ln >> + ;; >> + 15) >> + ebtables -I INPUT 1 --logical-in $BRIDGE_FILTER -j >> AUDIT_ACCEPT >> + ebtables -L --Ln >> + ;; >> + 16) >> + ebtables -I INPUT 1 --logical-in $BRIDGE_FILTER -j >> AUDIT_DROP >> + ebtables -L --Ln >> + ;; >> + 17) >> + ebtables -I INPUT 1 -s $SECNET_SVR_MAC -j AUDIT_ACCEPT >> + ebtables -L --Ln >> + ;; >> + 18) >> + ebtables -I INPUT 1 -s $SECNET_SVR_MAC -j AUDIT_DROP >> + ebtables -L --Ln >> + ;; >> + 19) >> + ebtables -I INPUT 1 -d $LOCAL_SEC_MAC -j AUDIT_ACCEPT >> 
+ ebtables -L --Ln >> + ;; >> + 20) >> + ebtables -I INPUT 1 -d $LOCAL_SEC_MAC -j AUDIT_DROP >> + ebtables -L --Ln >> + ;; >> + 22) >> + ebtables -I INPUT 1 -i $SECNET_SVR_DEV -j AUDIT_DROP >> + ebtables -L --Ln >> + ;; >> + 24) >> + ebtables -I INPUT 1 -p IPv6 --ip6-source >> $SECNET_SVR_IPV6 -j AUDIT_DROP >> + ebtables -L --Ln >> + ;; >> + 25) >> + ebtables -I INPUT 1 -p IPv6 --ip6-destination >> $LOCAL_SEC_IPV6 -j AUDIT_DROP >> + ebtables -L --Ln >> + ;; >> + 27) >> + ebtables -I INPUT 1 -p IPv6 --ip6-proto TCP >> --ip6-source-port $tst_port1 -j AUDIT_DROP >> + ebtables -L --Ln >> + ;; >> + 28) >> + ebtables -I INPUT 1 -p IPv6 --ip6-proto TCP >> --ip6-destination-port $tst_port1 -j AUDIT_DROP >> + iptables -L --line-numbers -n >> + ;; >> + 30) >> + ebtables -I INPUT 1 -p IPv6 --ip6-proto UDP >> --ip6-source-port 30000:60000 -j AUDIT_DROP >> + ebtables -L --Ln >> + ;; >> + 31) >> + ebtables -I INPUT 1 -p IPv6 --ip6-proto UDP >> --ip6-destination-port $tst_port1 -j AUDIT_DROP >> + ebtables -L --Ln >> + ;; >> + 33) >> + ebtables -I INPUT 1 -p IPv6 --ip6-proto TCP >> --ip6-destination-port 22 -j AUDIT_ACCEPT >> + ebtables -I INPUT 2 -p IPv6 --ip6-proto TCP >> --ip6-destination-port $tst_port1 -j AUDIT_ACCEPT >> + ebtables -P INPUT DROP >> + ebtables -L --Ln >> + ;; >> + 34) >> + ebtables -I INPUT 1 -p IPv6 --ip6-proto TCP >> --ip6-destination-port 22 -j AUDIT_ACCEPT >> + ebtables -P INPUT DROP >> + ebtables -L --Ln >> + ;; >> + 35) >> + ebtables -I INPUT 1 --logical-in $BRIDGE_FILTER -j >> AUDIT_ACCEPT >> + ebtables -L --Ln >> + ;; >> + 36) >> + ebtables -I INPUT 1 --logical-in $BRIDGE_FILTER -j >> AUDIT_DROP >> + ebtables -L --Ln >> + ;; >> + 37) >> + ebtables -I INPUT 1 -s $SECNET_SVR_MAC -j AUDIT_ACCEPT >> + ebtables -L --Ln >> + ;; >> + 38) >> + ebtables -I INPUT 1 -s $SECNET_SVR_MAC -j AUDIT_DROP >> + ebtables -L --Ln >> + ;; >> + 39) >> + ebtables -I INPUT 1 -d $LOCAL_SEC_MAC -j AUDIT_ACCEPT >> + ebtables -L --Ln >> + ;; >> + 40) >> + ebtables -I INPUT 1 -d 
$LOCAL_SEC_MAC -j AUDIT_DROP >> + ebtables -L --Ln >> + ;; >> + *) >> + sleep 1 >> + echo "test case = $tnum" >> + ;; >> + esac >> + >> + # force the audit log to rotate >> + rotate_audit_logs || exit_error >> + >> + # mark the log for augrok later >> + log_mark=$(stat -c %s $audit_log) >> + # run this in a subshell so that exit_* doesn't abort early >> + ( >> + declare testres exitval pid >> + declare tst_args=( $(eval echo \"${unnamed[*]}\") ) >> + set -x >> + # run the test itself >> + read testres exitval pid<<< \ >> + "$(runcon -t $test_domain -l $(get_label_subj $mlsop) \ >> + do_$tst_name "${tst_args[@]}")" >> + >> + echo "testres is "$testres" and exitval is "$exitval" " >> + [[ -z $testres || -z $exitval || -z $pid ]]&& exit_error >> + check_result $expres $testres $exitval $err >> + >> +## audit.log is checked for packets of message type NETFILTER_PKT, >> +## the appropriate action (0 = accepted, 1 = dropped), and the >> interface on >> +## which it occurred ($LOCAL_SEC_DEV) against the tnums where an audit >> +## record is expected >> + >> + case $tnum in >> + 2 | 4 | 5 | 7 | 8 | 10 | 11) >> + asreturn=$(ausearch -m NETFILTER_PKT -if >> /var/log/audit/audit.log \ >> + | grep action=1 | grep -m 1 inif="$LOCAL_SEC_DEV") >> + if [[ -n $asreturn ]]; then >> + echo " "$asreturn" " >> + exit_pass >> + else >> + exit_fail "missing log in audit.log" >> + fi >> + ;; >> + 13 | 15 | 19 | 33 | 37 | 39) >> + asreturn=$(ausearch -m NETFILTER_PKT -if >> /var/log/audit/audit.log \ >> + | grep action=0 | grep -m 1 inif="$LOCAL_SEC_DEV") >> + if [[ -n $asreturn ]]; then >> + echo " "$asreturn" " >> + exit_pass >> + else >> + exit_fail "missing log in audit.log" >> + fi >> + ;; >> + 16 | 18 | 20 | 22 | 24 | 25 | 27) >> + asreturn=$(ausearch -m NETFILTER_PKT -if >> /var/log/audit/audit.log \ >> + | grep action=1 | grep -m 1 inif="$LOCAL_SEC_DEV") >> + if [[ -n $asreturn ]]; then >> + echo " "$asreturn" " >> + exit_pass >> + else >> + exit_fail "missing log in audit.log" >> 
+ fi >> + ;; >> + 28 | 30 | 31 | 38 | 40) >> + asreturn=$(ausearch -m NETFILTER_PKT | grep action=1 | >> grep -m 1 inif="$LOCAL_SEC_DEV") >> + if [[ -n $asreturn ]]; then >> + echo " "$asreturn" " >> + exit_pass >> + else >> + exit_fail "missing log in audit.log" >> + fi >> + ;; >> + *) >> + exit_pass >> + ;; >> + esac >> + >> + ) >> + status=$? >> + if [[ $PPROFILE = lspp ]] ; then >> + expect -c' >> + spawn run_init service ebtables restart >> + expect "Authenticating ccteam." >> + expect "Password:" >> + sleep 1 >> + sleep 1 >> + send "$env(PASSWD)\r" >> + wait >> + close' >> + else >> + service ebtables restart >> + fi >> + >> + # whenever the test fails, pause so the test server can cleanup >> + [[ "$expres" == "fail" || "$status" != "0" ]]&& sleep 10 >> + >> + # display the audit log items >> + if [[ $status != 0 ]]; then >> + echo >> + echo augrok output >> + echo ------------- >> + augrok --seek=$log_mark type!=DAEMON_ROTATE >> + fi >> + >> + return $status >> +} >> + >> +########## >> +# >> +# more helper functions (in place of addr_loop and addr_filter >> +# since we already needed environmental variables for the iptables >> +# and ip6tables filtering tests.) 
>> +# >> +########## >> +function get_ipv6_prefix { >> + if [[ -n $SECNET_SVR_IPV6 ]]; then >> + echo $SECNET_SVR_IPV6 | \ >> + awk 'BEGIN { FS = ":" } { print $1 }' >> +# was { print $1":"$2":"$3":"$4":" }' >> + elif [[ -n $SECNET_PREFIX_IPV6 ]]; then >> + echo $SECNET_PREFIX_IPV6 | sed 's/:\/[0-9]*//;s/:0*/:/g;' >> + else >> + ip -o -f inet6 addr show scope global | \ >> + awk 'BEGIN { FS = "[ \t]*|[ \t\\/]+" } { print $4 }' | \ >> + awk 'BEGIN { FS = ":" } { print $1":"$2":"$3":"$4":" }' | \ >> + head -n 1 >> + fi >> +} >> + >> +function get_ipv6_iface { >> + declare prefix=$(get_ipv6_prefix) >> + ip -o -f inet6 addr show scope link | \ >> + grep $prefix | head -n 1 | \ >> + awk 'BEGIN { FS = "[ \t]*|[ \t\\/]+" } { print $2 }' >> +} >> + >> +function get_ipv4_addr { >> + declare ip4prefix=$LOCAL_SEC_IPV4 >> + ip -o -f inet addr show scope global | \ >> + grep $ip4prefix | head -n 1 | \ >> + awk 'BEGIN { FS = "[ \t]*|[ \t\\/]+" } { print $4 }' >> +} >> + >> +function get_ipv6_addr { >> + declare prefix=$(get_ipv6_prefix) >> + ip -o -f inet6 addr show scope link | \ >> + grep $prefix | head -n 1 | \ >> + awk 'BEGIN { FS = "[ \t]*|[ \t\\/]+" } { print $4 }' >> +} >> + >> + >> +###################################################################### >> +# pre-testrun checks/configuration >> +###################################################################### >> + >> +unset local_ipv4 remote_ipv4 address_ipv4 >> + >> +unset local_ipv6_if >> +unset local_ipv6 remote_ipv6 address_ipv6 >> +unset local_ipv6_raw remote_ipv6_raw address_ipv6_raw >> + >> +unset local_ipv6_prefix >> +unset remote_ipv6_prefix >> +unset address_ipv6_prefix >> + >> +unset address address_raw >> + >> +# check the test profile >> +[[ -z $PPROFILE ]]&& die "error: profile not set (PPROFILE)" >> + >> +# the remote labeled networking host/server >> +if [[ -n $SECNET_SVR_IPV4 ]]; then >> + lblnet_svr4_host=$SECNET_SVR_IPV4 >> +else >> + die "error: labeled networking test server not specified >> 
(SECNET_SVR_IPV4)" >> +fi >> + >> + >> +# >> +# get ipv4 addresses >> +# >> + >> +local_ipv4="$(get_ipv4_addr)" >> +remote_ipv4="$SECNET_SVR_IPV4" >> address_ipv4="$ADDRESS_IPV4" >> + >> +# >> +# get ipv6 addresses >> +# >> + >> +# raw addresses >> +local_ipv6_raw="$(get_ipv6_addr)" >> +remote_ipv6_raw="$SECNET_SVR_IPV6" >> +address_ipv6_raw="$ADDRESS_IPV6" >> + >> +# prefix to determine if addresses are link local or global >> +local_ipv6_prefix=$(get_ipv6_prefix | head -c 4) >> +remote_ipv6_prefix=$(echo $SECNET_SVR_IPV6 | head -c 4) >> +address_ipv6_prefix=$(echo $ADDRESS_IPV6 | head -c 4) >> + >> +# interface/scope >> +if [[ -n $BRIDGE_FILTER ]]; then >> + local_ipv6_if=$BRIDGE_FILTER >> +else >> + local_ipv6_if="$(get_ipv6_iface)" >> +fi >> + >> +# adjust link-local addresses >> +if [[ $local_ipv6_prefix == "fe80" ]]; then >> + # link-local address, add a scope >> + local_ipv6="$local_ipv6_raw%$local_ipv6_if" >> +else >> + # non link-local, assume global address and just use it >> + local_ipv6="$local_ipv6_raw" >> +fi >> +if [[ $remote_ipv6_prefix == "fe80" ]]; then >> + # link-local address, add a scope >> + local_ipv6="$local_ipv6_raw%$local_ipv6_if" >> +else >> + # non link-local, assume global address and just use it >> + local_ipv6="$local_ipv6_raw" >> +fi >> +if [[ $remote_ipv6_prefix == "fe80" ]]; then >> + # link-local address, add a scope >> + remote_ipv6="$remote_ipv6_raw%$local_ipv6_if" >> +else >> + # non link-local, assume global address and just use it >> + remote_ipv6="$remote_ipv6_raw" >> +fi >> +if [[ $address_ipv6_prefix == "fe80" ]]; then >> + # link-local address, add a scope >> + address_ipv6="$address_ipv6_raw%$local_ipv6_if" >> +else >> + # non link-local, assume global address and just use it >> + address_ipv6="$address_ipv6_raw" >> +fi >> + >> +# >> +# generate the generic %ADDRESS[_RAW]% if possible >> +# >> + >> +if [[ -n $address_ipv6&& -z $address_ipv4 ]]; then >> + address="$address_ipv6" >> + address_raw="$address_ipv6_raw" >> 
+elif [[ -z $address_ipv6&& -n $address_ipv4 ]]; then >> + address="$address_ipv4" >> +fi >> + >> +if [[ -n $SECNET_SVR_IPV6 ]]; then >> + lblnet_svr6_host=$remote_ipv6 >> + lblnet_svr6_host_raw=$remote_ipv6_raw >> +else >> + die "error: networking test server not specified (SECNET_SVR_IPV6)" >> +fi >> + >> +# the local machine >> +lblnet_loc4_host=$local_ipv4 >> +lblnet_loc6_host=$local_ipv6 >> + >> +case $PPROFILE in >> + lspp) >> + tstsvr_lock_timeout=$tstsvr_lock_timeout_lspp >> + ;; >> + capp) >> + tstsvr_lock_timeout=$tstsvr_lock_timeout_capp >> + ;; >> + *) >> + die "error: unknown test profile ($PPROFILE)" >> + ;; >> +esac >> + >> +# wait until remote is available >> +while ! verify_remote; do >> + echo "notice: test server is busy, sleeping for 60s ..." >> + sleep 60 >> +done >> + >> +###################################################################### >> +# test configuration >> +###################################################################### >> + >> +# It is important to note that prior to running any of the test below the >> +# system must be configured using the config-server.bash script or the >> +# environmental variables and routes must be set up manually. >> + >> +## >> +## ebtables system calls >> +## >> + >> +# The test cases below are in the following format, with optional elements >> +# denoted by square brackets ([...]): >> +# >> +# +<_syscall_> \ >> +# mlsop=<_mlsop_> expres=<_expres_> err=<_err_> \ >> +# host=<_host_> type=<_type_> op=<_op_> ipv=<_ipv_> port=<_port_> \ >> +#<_test_args_> >> +# >> +# Where the arguments are defined as follows: >> +# >> +# _syscall_ : the syscall itself is not being tested for ebtables but >> +# is being used to generate the traffic for the test >> +# >> +# _mlsop_ : the MLS label comparison operator for more >> information see >> +# the comments elsewhere in this file, only 1 value >> used for >> +# ebtables. 
For compatibitlity with lblnet_tst_server >> +# value: >> +# eq : the local test process label equals the >> remote >> +# process/packet/connection's label >> +# _expres_ : indicates that the operation should succeed (success) or >> +# fail (fail) based on the system's security policy >> +# _err_ : if the test should fail, it should fail with this error >> +# code/value >> +# _host_ : indicates if the test is against a local (local) or >> +# remote (remote) host, the actual remote IP address is >> +# determined from the SECNET_SVR_IPV4 and SECNET_SVR_IPV6 >> +# environment variables >> +# _type_ : the labeling protocol, kept for purposes of >> compatibility >> +# with the lblnet_tst_server. Only 1 type used: >> +# unlabeled : not a labeling protocol, no need for >> ebtables >> +# _op_ : the remote test driver command, there are four valid >> values: >> +# sendrand_tcp : initiate a TCP connection with the test >> +# machine and send data >> +# sendrand_udp : send UDP traffic to the test machine >> +# recv_tcp : accept TCP connections from the test >> +# machine and receive data from >> established >> +# connections >> +# recv_udp : receive UDP traffic from the test >> machine >> +# _ipv_ : the IP version, there are two values: ipv4 and ipv6 >> +# _port_ : the TCP or UDP port >> +# _test_args_ : arguments to supply to the test applet/program, >> these may >> +# be variables which are later expanded inside the >> run_test() >> +# function >> + >> +## SYSCALLS: accept() connect() recvfrom() >> +## PURPOSE: >> +## Verify that incoming packets are only allowed to pass on the bridge >> device >> +## when the ebtables chain rule or policy is set to accept the packet and >> +## are dropped when a chain rule or policy so dictates. A check is also >> made >> +## for an audit record of the accepted or dropped packet when the rule so >> +## specifies a target of AUDIT_ACCEPT or AUDIT_DROP. 
>> +## These test cases make use of a remote test driver to initiate a >> connection >> +## from the remote node to the host under test, see the setup_default() >> +## function above for details on configuring the remote test driver. In >> +## The test procedure is as follows: >> +## 1. Configure the audit subsystem to watch for the syscall record >> +## 2. Restart ebtables to set it to a known condition, add the >> AUDIT_ACCEPT >> +## and AUDIT_DROP chains and set the INPUT chain with the appropriate >> +## rule to test the specific filter feature. >> +## 3. Execute the test case on the local system and verify the result >> +## 4. Check the audit log for the correct syscall result and in the >> case of >> +## failure check for generated audit records indicating that a packet >> +## was dropped or in some cases of success we check that an audit >> record >> +## was generated for a packet that was acccepted. >> +## TESTCASE: Test #0 tnum 1 >> +## Table Rule no blocking >> +## Input TOE sends tcp connect to remote server over bridge >> +## Expected Result packets pass, connection succeeds >> ++ connect \ >> + mlsop=eq expres=success \ >> + host=remote type=unlabeled op=recv_tcp ipv=ipv4 port=$tst_port1 \ >> + tnum=1 '$host_remote tcp $port' >> +## TESTCASE: Test #1 tnum 2 >> +## Table Rule drop incoming packets on device enslaved to bridge >> +## and log in audit.log >> +## Input TOE sends tcp connect to remote server over bridge >> +## Expected Result response packets dropped, connect times out, >> audit.log >> +## has record >> ++ connect \ >> + mlsop=eq expres=fail err=ETIMEDOUT \ >> + host=remote type=unlabeled op=recv_tcp ipv=ipv4 port=$tst_port1\ >> + tnum=2 '$host_remote tcp $port' >> +## TESTCASE: Test #2 tnum 3 >> +## Table Rule no blocking >> +## Input TOE sends tcp connect to remote server over bridge >> +## Expected Result packets pass, connection succeeds >> ++ connect \ >> + mlsop=eq expres=success \ >> + host=remote type=unlabeled op=recv_tcp ipv=ipv4 
port=$tst_port1 \ >> + tnum=3 '$host_remote tcp $port' >> +## TESTCASE: Test #3 tnum 4 >> +## Table Rule drop packets with source address of remote server >> and log >> +## in audit.log >> +## Input TOE sends tcp connect to remote server over bridge >> +## Expected Result response packets dropped, connect times out, >> audit.log >> +## has record >> ++ connect \ >> + mlsop=eq expres=fail err=ETIMEDOUT \ >> + host=remote type=unlabeled op=recv_tcp ipv=ipv4 port=$tst_port1 \ >> + tnum=4 '$host_remote tcp $port' >> +## TESTCASE: Test #4 tnum 5 >> +## Table Rule drop incoming packets to TOE bridge ipv4 address >> and log >> +## in audit.log >> +## Input TOE sends TCP connect to remote server over bridge >> +## Expected Result response packets dropped, connect times out, >> audit.log >> +## has record >> ++ connect \ >> + mlsop=eq expres=fail err=ETIMEDOUT \ >> + host=remote type=unlabeled op=recv_tcp ipv=ipv4 port=$tst_port1 \ >> + tnum=5 '$host_remote tcp $port' >> +## TESTCASE: Test #5 tnum 6 >> +## Table Rule no blocking >> +## Input remote server sends tcp connect to bridge ipv4 >> address >> +## Expected Result packets pass, connection succeeds >> ++ connect \ >> + mlsop=eq expres=success \ >> + host=remote type=unlabeled op=recv_tcp ipv=ipv4 port=$tst_port1 \ >> + tnum=6 '$host_remote tcp $port' >> +## TESTCASE: Test #6 tnum 7 >> +## Table Rule drop TCP packets with source port (tst_port1) and log >> +## in audit.log >> +## Input TOE sends TCP connect to remote server over bridge >> +## Expected Result response packets dropped, connect times out, >> audit.log >> +## has record >> ++ connect \ >> + mlsop=eq expres=fail err=ETIMEDOUT \ >> + host=remote type=unlabeled op=recv_tcp ipv=ipv4 port=$tst_port1 \ >> + tnum=7 '$host_remote tcp $port' >> +## TESTCASE: Test #7 tnum 8 >> +## Table Rule drop TCP packets with destination port >> (tst_port1) and log >> +## in audit.log >> +## Input remote server sends tcp connect to bridge ipv4 >> address >> +## with destination 
port (tst_port1) >> +## Expected Result response packets dropped, listen times out, audit.log >> +## has record >> ++ accept \ >> + mlsop=eq expres=fail err=EINTR\ >> + host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \ >> + tnum=8 alarmv=90 '$ipv $port $alarmv' >> +## TESTCASE: Test #8 tnum 9 >> +## Table Rule no blocking >> +## Input remote server sends udp packets to bridge ipv4 >> address >> +## Expected Result packets pass through >> ++ recvfrom \ >> + mlsop=eq expres=success \ >> + host=remote type=unlabeled op=sendrand_udp ipv=ipv4 port=$tst_port1 \ >> + tnum=9 '$ipv $port' >> +## TESTCASE: Test #9 tnum 10 >> +## Table Rule drop UDP from source port range 30k - 60k and log in >> +## audit.log >> +## Input remote server sends udp packets to bridge ipv4 >> address >> +## Expected Result packets dropped, audit.log has record >> ++ recvfrom \ >> + mlsop=eq expres=fail err=EINTR \ >> + host=remote type=unlabeled op=sendrand_udp ipv=ipv4 port=$tst_port1 \ >> + tnum=10 '$ipv $port' >> +## TESTCASE: Test #10 tnum 11 >> +## Table Rule drop UDP packets to destination port (tst_port1) >> and log >> +## audit.log >> +## Input remote server sends udp packets to bridge ipv4 >> address >> +## at destination port >> +## Expected Result packets dropped, audit.log has record >> ++ recvfrom \ >> + mlsop=eq expres=fail err=EINTR \ >> + host=remote type=unlabeled op=sendrand_udp ipv=ipv4 port=$tst_port1 \ >> + tnum=11 '$ipv $port' >> +## TESTCASE: Test #11 tnum 12 >> +## Table Rule no blocking >> +## Input remote server sends tcp connect to bridge ipv4 >> address >> +## Expected Result packets pass, connection succeeds >> ++ accept \ >> + mlsop=eq expres=success \ >> + host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \ >> + tnum=12 alarmv=90 '$ipv $port $alarmv' >> +## TESTCASE: Test #12 tnum 13 >> +## Table Rule INPUT chain policy set to DROP, ACCEPT TCP packets to >> +## port destination port (tst_port1) and log in >> audit.log >> +## 
Input remote server sends tcp connect to bridge at >> destination >> +## port (tst_port1) >> +## Expected Result packets pass, connection succeeds, audit.log has >> record >> ++ accept \ >> + mlsop=eq expres=success \ >> + host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \ >> + tnum=13 alarmv=90 '$ipv $port $alarmv' >> +## TESTCASE: Test #13 tnum 14 >> +## Table Rule INPUT chain policy set to DROP no other rule >> +## Input remote server sends tcp connect to bridge ipv4 >> address >> +## Expected Result packets dropped, listen times out, no audit record >> +## because the DROP policy is used due to the test >> +## requirement and not the AUDIT_DROP target/chain >> ++ accept \ >> + mlsop=eq expres=fail err=EINTR\ >> + host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \ >> + tnum=14 alarmv=90 '$ipv $port $alarmv' >> +## TESTCASE: Test #14 tnum 15 >> +## Table Rule accept packets to logical bridge device >> (BRIDGE_FILTER) >> +## Input remote server sends tcp connect to bridge ipv4 >> address >> +## Expected Result packets pass, connection succeeds, audit.log has >> record >> ++ accept \ >> + mlsop=eq expres=success \ >> + host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \ >> + tnum=15 alarmv=90 '$ipv $port $alarmv' >> +## TESTCASE: Test #15 tnum 16 >> +## Table Rule drop packets to logical bridge device (BRIDGE_FILTER) >> +## Input remote server sends tcp connect to bridge ipv4 >> address >> +## Expected Result packets dropped, listen times out, audit.log has >> record >> ++ accept \ >> + mlsop=eq expres=fail err=EINTR\ >> + host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \ >> + tnum=16 alarmv=90 '$ipv $port $alarmv' >> +## TESTCASE: Test #16 tnum 17 >> +## Table Rule accepts packets from mac address of remote server >> eth1 >> +## Input remote server sends tcp connect to bridge ipv4 >> address >> +## Expected Result packets pass, connection succeeds, audit.log has >> record >> ++ accept \ >> 
+ mlsop=eq expres=success \ >> + host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \ >> + tnum=17 alarmv=90 '$ipv $port $alarmv' >> +## TESTCASE: Test #17 tnum 18 >> +## Table Rule drop packets from mac address of remote server >> +## Input remote server sends tcp connect to bridge ipv4 >> address >> +## Expected Result packets dropped, listen times out, audit.log has >> record >> ++ accept \ >> + mlsop=eq expres=fail err=EINTR \ >> + host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \ >> + tnum=18 alarmv=90 '$ipv $port $alarmv' >> +## TESTCASE: Test #18 tnum 19 >> +## Table Rule accepts packets to mac address of TOE device enslaved >> +## to bridge >> +## Input remote server sends tcp connect to bridge ipv4 >> address >> +## Expected Result packets pass, connection succeeds, audit.log has >> record >> ++ accept \ >> + mlsop=eq expres=success \ >> + host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \ >> + tnum=19 alarmv=90 '$ipv $port $alarmv' >> +## TESTCASE: Test #19 tnum 20 >> +## Table Rule drop packets to mac address of TOE device enslaved >> +## to bridge >> +## Input remote server sends tcp connect to bridge ipv4 >> address >> +## Expected Result packets dropped, listen times out, audit.log has >> record >> ++ accept \ >> + mlsop=eq expres=fail err=EINTR \ >> + host=remote type=unlabeled op=sendrand_tcp ipv=ipv4 port=$tst_port1 \ >> + tnum=20 alarmv=90 '$ipv $port $alarmv' >> +## TESTCASE: Test #20 tnum 21 >> +## Table Rule no blocking >> +## Input TOE sends tcp connect (ipv6) to remote server >> over bridge >> +## Expected Result connection succeeds >> ++ connect \ >> + mlsop=eq expres=success \ >> + host=remote type=unlabeled op=recv_tcp ipv=ipv6 port=$tst_port1 \ >> + tnum=21 '$host_remote tcp $port' >> +## TESTCASE: Test #21 tnum 22 >> +## Table Rule drop packets to TOE device enslaved to bridge >> +## Input TOE sends tcp connect (ipv6) to remote server >> over bridge >> +## Expected Result response 
packets dropped, connect times out, >> audit.log >> +## has record >> ++ connect \ >> + mlsop=eq expres=fail err=ETIMEDOUT \ >> + host=remote type=unlabeled op=recv_tcp ipv=ipv6 port=$tst_port1 \ >> + tnum=22 '$host_remote tcp $port' >> +## TESTCASE: Test #22 tnum 23 >> +## Table Rule no blocking >> +## Input TOE sends tcp connect (ipv6) to remote server >> over bridge >> +## Expected Result connection succeeds >> ++ connect \ >> + mlsop=eq expres=success \ >> + host=remote type=unlabeled op=recv_tcp ipv=ipv6 port=$tst_port1 \ >> + tnum=23 '$host_remote tcp $port' >> +## TESTCASE: Test #23 tnum 24 >> +## Table Rule drop packets with ipv6 source address of remote >> server >> +## and log in audit.log >> +## Input TOE sends tcp connect (ipv6) to remote server >> over bridge >> +## Expected Result response packets from remote server are dropped and >> +## connect times out. audit.log has records >> ++ connect \ >> + mlsop=eq expres=fail err=ETIMEDOUT \ >> + host=remote type=unlabeled op=recv_tcp ipv=ipv6 port=$tst_port1 \ >> + tnum=24 '$host_remote tcp $port' >> +## TESTCASE: Test #24 tnum 25 >> +## Table Rule drop packets to TOE ipv6 address of bridge device >> and log >> +## in audit.log >> +## Input TOE sends tcp connect (ipv6) to remote server >> over bridge >> +## Expected Result response packets (ipv6) from remote server are >> dropped >> +## and connect times out. 
>> ++ connect \ >> + mlsop=eq expres=fail err=ETIMEDOUT \ >> + host=remote type=unlabeled op=recv_tcp ipv=ipv6 port=$tst_port1 \ >> + tnum=25 '$host_remote tcp $port' >> +## TESTCASE: Test #25 tnum 26 >> +## Table Rule no blocking >> +## Input TOE sends tcp connect (ipv6) to remote server >> over bridge >> +## Expected Result connection succeeds >> ++ connect \ >> + mlsop=eq expres=success \ >> + host=remote type=unlabeled op=recv_tcp ipv=ipv6 port=$tst_port1 \ >> + tnum=26 '$host_remote tcp $port' >> +## TESTCASE: Test #26 tnum 27 >> +## Table Rule drop tcp (ipv6) packets with remote server source >> port >> +## tst_port1 and log in audit.log >> +## Input TOE sends tcp connect (ipv6) to remote server >> over bridge >> +## Expected Result response packets from remote server with >> specified source >> +## port are dropped, connect times out, audit.log >> has record >> ++ connect \ >> + mlsop=eq expres=fail err=ETIMEDOUT \ >> + host=remote type=unlabeled op=recv_tcp ipv=ipv6 port=$tst_port1 \ >> + tnum=27 '$host_remote tcp $port' >> +## TESTCASE: Test #27 tnum 28 >> +## Table Rule drop tcp (ipv6) packets to TOE bridge with >> destination >> +## port tst_port1 and log in audit.log >> +## Input remote server sends tcp (ipv6) connect to TOE at port >> +## tst_port1 >> +## Expected Result packets to port are dropped, listen times out, >> +## audit.log has record >> ++ accept \ >> + mlsop=eq expres=fail err=EINTR\ >> + host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \ >> + tnum=28 alarmv=90 '$ipv $port $alarmv' >> +## TESTCASE: Test #28 tnum 29 >> +## Table Rule no blocking >> +## Input remote server sends udp packets to bridge ipv6 >> address >> +## Expected Result packets pass through >> ++ recvfrom \ >> + mlsop=eq expres=success \ >> + host=remote type=unlabeled op=sendrand_udp ipv=ipv6 port=$tst_port1 \ >> + tnum=29 '$ipv $port' >> +## TESTCASE: Test #29 tnum 30 >> +## Table Rule udp (ipv6) packets to TOE with source port 30k - >> 60k range >> +## 
are dropped >> +## Input remote server sends udp packets to bridge ipv6 >> address >> +## Expected Result packets dropped, audit.log has record >> ++ recvfrom \ >> + mlsop=eq expres=fail err=EINTR \ >> + host=remote type=unlabeled op=sendrand_udp ipv=ipv6 port=$tst_port1 \ >> + tnum=30 '$ipv $port' >> +## TESTCASE: Test #30 tnum 31 >> +## Table Rule udp (ipv6) packets to TOE with destination port >> tst_port1 >> +## are dropped >> +## Input remote server sends udp packets to bridge ipv6 >> address >> +## Expected Result packets dropped, audit.log has record >> ++ recvfrom \ >> + mlsop=eq expres=fail err=EINTR \ >> + host=remote type=unlabeled op=sendrand_udp ipv=ipv6 port=$tst_port1 \ >> + tnum=31 '$ipv $port' >> +## TESTCASE: Test #31 tnum 32 >> +## Table Rule no blocking >> +## Input remote server sends tcp connect (ipv6) to TOE >> +## Expected Result connection succeeds >> ++ accept \ >> + mlsop=eq expres=success \ >> + host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \ >> + tnum=32 alarmv=90 '$ipv $port $alarmv' >> +## TESTCASE: Test #32 tnum 33 >> +## Table Rule INPUT chain policy set to DROP, tcp (ipv6) packets to >> +## TOE port tst_port1 allowed. log of accepted >> packets to >> +## to audit.log >> +## Input remote server sends tcp connect (ipv6) to TOE port >> +## tst_port1 >> +## Expected Result connect succeeds, audit log has record >> ++ accept \ >> + mlsop=eq expres=success \ >> + host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \ >> + tnum=33 alarmv=90 '$ipv $port $alarmv' >> +## TESTCASE: Test #33 tnum 34 >> +## Table Rule INPUT chain policy set to DROP, only port 22 allowed. 
>> +## Input remote server sends tcp connect (ipv6) to TOE port >> +## tst_port1 >> +## Expected Result connect fails, listen times out, no log of >> connect packets >> ++ accept \ >> + mlsop=eq expres=fail err=EINTR\ >> + host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \ >> + tnum=34 alarmv=90 '$ipv $port $alarmv' >> +## TESTCASE: Test #34 tnum 35 >> +## Table Rule logical bridge device accepts traffic and logs >> +## to audit.log >> +## Input remote server sends tcp connect (ipv6) to TOE bridge >> +## address >> +## Expected Result connect succeeds, audit.log has record >> ++ accept \ >> + mlsop=eq expres=success \ >> + host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \ >> + tnum=35 alarmv=90 '$ipv $port $alarmv' >> +## TESTCASE: Test #35 tnum 36 >> +## Table Rule logical bridge device drops packets and logs to >> audit.log >> +## Input remote server sends tcp connect (ipv6) to TOE bridge >> +## address >> +## Expected Result connect fails, listen times out, audit.log has record >> ++ accept \ >> + mlsop=eq expres=fail err=EINTR\ >> + host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \ >> + tnum=36 alarmv=90 '$ipv $port $alarmv' >> +## TESTCASE: Test #36 tnum 37 >> +## Table Rule accept packets (ipv6) from mac address of remote >> server >> +## and log to audit.log >> +## Input remote server sends tcp connect (ipv6) to TOE bridge >> +## Expected Result connect succeeds, packets logged in audit.log >> ++ accept \ >> + mlsop=eq expres=success \ >> + host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 port=$tst_port1 \ >> + tnum=37 '$ipv $port' >> +## TESTCASE: Test #37 tnum 38 >> +## Table Rule drop packets (ipv6) from mac address of remote server >> +## and log to audit.log >> +## Input remote server sends tcp connect (ipv6) to TOE bridge >> +## Expected Result connect fails, listen times out, audit.log has record >> ++ accept \ >> + mlsop=eq expres=fail err=EINTR \ >> + host=remote type=unlabeled 
op=sendrand_tcp ipv=ipv6 port=$tst_port1 \ >> + tnum=38 alarmv=90 '$ipv $port $alarmv' >> +## TESTCASE: Test #38 tnum 39 >> +## Table Rule accept packets (ipv6) to mac address of TOE device >> +## enslaved to bridge and log to audit.log >> +## Input remote server sends tcp connect (ipv6) to TOE bridge >> +## Expected Result connect succeeds, packets logged in audit.log >> ++ accept \ >> + mlsop=eq expres=success \ >> + host=remote type=unlabeled op=sendrand_tcp ipv=ipv6 ... [truncated message content] |
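Review bot: The test descriptions and the harness calls disagree in a few places: Test #5 tnum 6 says "Input remote server sends tcp connect to bridge ipv4 address", but the block is the same "connect ... op=recv_tcp ipv=ipv4" call used by tnum 4 and tnum 7, whose Input reads "TOE sends tcp connect to remote server over bridge"; the comment should describe the operation actually run. Tnum 37 (Test #36) is the only accept case that omits alarmv=90 and passes '$ipv $port' instead of '$ipv $port $alarmv', so please confirm that is intentional or add the alarm value. Style: several lines end in "err=EINTR\" with no space before the continuation backslash (tnum 8, 14, 16, 28, 34, 36) while the rest use "err=EINTR \"; it only works because the following line is indented, so add the space for consistency.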
From: James C. <cz...@li...> - 2011-06-26 22:39:48
Signed-off-by James Czyzak <cz...@li...> <mailto:cz...@li...> diff --git a/audit/netfilebt/testperm.bash b/audit/netfilebt/testperm.bash new file mode 100755 index 0000000..3dada18 --- /dev/null +++ b/audit/netfilebt/testperm.bash @@ -0,0 +1,44 @@ +#!/bin/bash +# ============================================================================= +# Copyright 2010, 2011 International Business Machines Corp. +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# ============================================================================= + +# This function adds a non-privleged user, becomes that user for the purpose +# of attempting to insert an ebtables rule. The operation is expected to fail +# and return a non-zero status, otherwise the test has failed because a +# non-privleged user should not be able to modify ebtables + +source ../utils/functions.bash || exit 2 + +set -x + +rc=0 +export TEST_USER=testuser2 +useradd -m -p usertest "$TEST_USER" +/bin/su - $TEST_USER -c "/sbin/ebtables -I INPUT 1 -i $SECNET_SVR_DEV -j DROP" +rc=$? +if [[ $rc -ne 0 ]]; then + echo "operation not permitted, return code is $rc" + userdel -r "$TEST_USER" &>/dev/null + ebtables -L + exit_pass +else + echo "test failed, ebtables operation permitted" + userdel -r "$TEST_USER" &>/dev/null + ebtables -L + exit_fail +fi +exit |
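Review bot: The pass condition "if [[ $rc -ne 0 ]]" treats any non-zero status as proof that the rule insert was denied, so a missing or non-executable /sbin/ebtables (status 127/126), an su failure, or an empty -i argument because SECNET_SVR_DEV was never set from the profile would all report exit_pass without testing the privilege check at all. Before calling exit_pass, confirm from the "ebtables -L" output (which the script already runs but only prints) that no DROP rule for $SECNET_SVR_DEV was added to INPUT. In the else branch the DROP rule was actually inserted and nothing removes it; add "ebtables -D INPUT -i $SECNET_SVR_DEV -j DROP" before exit_fail so later tests on the bridge are not affected. Minor: the leading comment says "This function" for what is a script, and "non-privleged" should be "non-privileged".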
From: James C. <cz...@li...> - 2011-06-30 02:00:02
diff --git a/audit/netfilebt/testperm.bash b/audit/netfilebt/testperm.bash new file mode 100755 index 0000000..3dada18 --- /dev/null +++ b/audit/netfilebt/testperm.bash @@ -0,0 +1,44 @@ +#!/bin/bash +# ============================================================================= +# Copyright 2010, 2011 International Business Machines Corp. +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# ============================================================================= + +# This function adds a non-privleged user, becomes that user for the purpose +# of attempting to insert an ebtables rule. The operation is expected to fail +# and return a non-zero status, otherwise the test has failed because a +# non-privleged user should not be able to modify ebtables + +source ../utils/functions.bash || exit 2 + +set -x + +rc=0 +export TEST_USER=testuser2 +useradd -m -p usertest "$TEST_USER" +/bin/su - $TEST_USER -c "/sbin/ebtables -I INPUT 1 -i $SECNET_SVR_DEV -j DROP" +rc=$? +if [[ $rc -ne 0 ]]; then + echo "operation not permitted, return code is $rc" + userdel -r "$TEST_USER" &>/dev/null + ebtables -L + exit_pass +else + echo "test failed, ebtables operation permitted" + userdel -r "$TEST_USER" &>/dev/null + ebtables -L + exit_fail +fi +exit |
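Review bot: useradd -m -p usertest "$TEST_USER" passes a plaintext word where -p expects an already-encrypted (crypt(3)) password string, so the account is created with an unusable password; since the script switches to the user from root with "/bin/su -" and never authenticates, drop -p rather than ship a misleading value. If the script aborts anywhere between useradd and the userdel calls, the test account is left on the TOE; a "trap 'userdel -r "$TEST_USER" &>/dev/null' EXIT" right after useradd would guarantee cleanup on every path. Also quote $TEST_USER in the su line as it is everywhere else, and, assuming exit_pass/exit_fail from functions.bash terminate the script, the trailing "exit" after the if/else is unreachable.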
From: James C. <cz...@li...> - 2011-06-26 22:40:21
Signed-off-by James Czyzak <cz...@li...> <mailto:cz...@li...> diff --git a/audit/profile.sample b/audit/profile.sample new file mode 100644 index 0000000..eccfa61 --- /dev/null +++ b/audit/profile.sample @@ -0,0 +1,39 @@ +# This is a sample profile used by config-server.bash to provide +# example format for answers to it's querries. +export RHOST="localhost" +export RHOST6="::1" +export MODE=64 +export PPROFILE=lspp +export PATH="$PATH:." +export PASSWD=r3dt3am +export PASSWD=r3dt3am +export AUDITPATH="/usr/local/eal4_testing/audit-test" +export LOCAL_DEV="eth0" +export LOCAL_SEC_DEV="eth1" +export LOCAL_SEC_MAC="00:1A:64:4F:4B:B8/01:00:00:00:00:00" +export LOCAL_IPV4="9.47.83.167" +export LOCAL_IPV6="fe80::21a:64ff:fe4f:4bb6" +export LOCAL_SEC_IPV4="192.168.1.167" +export LOCAL_SEC_IPV6="fe80::21a:64ff:fe4f:4bb8" +export TOE_GLOBAL="2020::21a:64ff:fe4f:4bb6" +export TOE_SEC_GLOBAL="2010::21a:64ff:fe4f:4bb8" +export LBLNET_SVR_IPV4="9.47.83.164" +export LBLNET_SVR_IPV6="fe80::21a:64ff:fef5:e760" +export REMOTE_IPV6_RAW="fe80::21a:64ff:fef5:e760" +export LBLNET_SVR_DEV="eth0" +export LNET4MASK="255.255.255.0" +export LNET6MASK="64" +export SECNET_SVR_IPV4="192.168.1.164" +export SECNET_SVR_IPV6="fe80::21a:64ff:fef5:e762" +export SECNET_SVR_DEV="eth1" +export SECNET_SVR_MAC="00:1A:64:F5:E7:62/01:00:00:00:00:00" +export SECNET_IPV4="192.168.1.0" +export SNET4MASK="255.255.255.0" +export SNET6MASK="64" +export CATCHER_IPV4="192.168.1.163" +export CATCHER_IPV6="2010::214:5eff:feda:9528" +export CATCHER_DEV="eth1" +export CATCHER_PORT4="5100" +export CATCHER_PORT6="5200" +export PITCHER_IPV6="2020::21a:64ff:fef5:e760" +export PITCHER_DEV="eth0" +export BRIDGE_FILTER="br1" |
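Review bot: The two consecutive "export PASSWD=r3dt3am" lines are a duplicate; drop one. export PATH="$PATH:." puts the current directory on the search path for everything run from this profile, which is a standard hardening finding on a system under evaluation; have the scripts invoke local helpers with an explicit ./ instead. A file that exists to show the answer format for config-server.bash should use obvious placeholders rather than a real-looking credential and real MAC and global IPv6 addresses, so that the tester can see which fields must be replaced. The header comment should read "its queries" rather than "it's querries".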
From: Linda K. <lin...@hp...> - 2011-06-29 16:13:05
Hi Jim, My previous comments will apply here as well of course. James Czyzak wrote: > Signed-off-by James Czyzak <cz...@li...> > <mailto:cz...@li...> > > diff --git a/audit/profile.sample b/audit/profile.sample > new file mode 100644 > index 0000000..eccfa61 > --- /dev/null > +++ b/audit/profile.sample > @@ -0,0 +1,39 @@ > +# This is a sample profile used by config-server.bash to provide > +# example format for answers to it's querries. > +export RHOST="localhost" > +export RHOST6="::1" > +export MODE=64 > +export PPROFILE=lspp > +export PATH="$PATH:." > +export PASSWD=r3dt3am > +export PASSWD=r3dt3am PASSWD in here twice. > +export AUDITPATH="/usr/local/eal4_testing/audit-test" > +export LOCAL_DEV="eth0" > +export LOCAL_SEC_DEV="eth1" > +export LOCAL_SEC_MAC="00:1A:64:4F:4B:B8/01:00:00:00:00:00" > +export LOCAL_IPV4="9.47.83.167" > +export LOCAL_IPV6="fe80::21a:64ff:fe4f:4bb6" > +export LOCAL_SEC_IPV4="192.168.1.167" > +export LOCAL_SEC_IPV6="fe80::21a:64ff:fe4f:4bb8" > +export TOE_GLOBAL="2020::21a:64ff:fe4f:4bb6" > +export TOE_SEC_GLOBAL="2010::21a:64ff:fe4f:4bb8" > +export LBLNET_SVR_IPV4="9.47.83.164" > +export LBLNET_SVR_IPV6="fe80::21a:64ff:fef5:e760" > +export REMOTE_IPV6_RAW="fe80::21a:64ff:fef5:e760" > +export LBLNET_SVR_DEV="eth0" > +export LNET4MASK="255.255.255.0" > +export LNET6MASK="64" > +export SECNET_SVR_IPV4="192.168.1.164" > +export SECNET_SVR_IPV6="fe80::21a:64ff:fef5:e762" > +export SECNET_SVR_DEV="eth1" > +export SECNET_SVR_MAC="00:1A:64:F5:E7:62/01:00:00:00:00:00" > +export SECNET_IPV4="192.168.1.0" > +export SNET4MASK="255.255.255.0" > +export SNET6MASK="64" > +export CATCHER_IPV4="192.168.1.163" > +export CATCHER_IPV6="2010::214:5eff:feda:9528" > +export CATCHER_DEV="eth1" > +export CATCHER_PORT4="5100" > +export CATCHER_PORT6="5200" > +export PITCHER_IPV6="2020::21a:64ff:fef5:e760" > +export PITCHER_DEV="eth0" > +export BRIDGE_FILTER="br1" > |
From: James C. <cz...@li...> - 2011-06-29 23:58:35
Hi Linda Noted. I think this is the last message you sent me with comments, if not please remind me which I missed. The next set of messages you will see will be replies to the patches I sent with no attached files with attached patch files. On 6/29/2011 11:11 AM, Linda Knippers wrote: > Hi Jim, > > My previous comments will apply here as well of course. > > James Czyzak wrote: >> Signed-off-by James Czyzak<cz...@li...> >> <mailto:cz...@li...> >> >> diff --git a/audit/profile.sample b/audit/profile.sample >> new file mode 100644 >> index 0000000..eccfa61 >> --- /dev/null >> +++ b/audit/profile.sample 
>> @@ -0,0 +1,39 @@ >> +# This is a sample profile used by config-server.bash to provide >> +# example format for answers to it's querries. >> +export RHOST="localhost" >> +export RHOST6="::1" >> +export MODE=64 >> +export PPROFILE=lspp >> +export PATH="$PATH:." >> +export PASSWD=r3dt3am >> +export PASSWD=r3dt3am > PASSWD in here twice. > >> +export AUDITPATH="/usr/local/eal4_testing/audit-test" >> +export LOCAL_DEV="eth0" >> +export LOCAL_SEC_DEV="eth1" >> +export LOCAL_SEC_MAC="00:1A:64:4F:4B:B8/01:00:00:00:00:00" >> +export LOCAL_IPV4="9.47.83.167" >> +export LOCAL_IPV6="fe80::21a:64ff:fe4f:4bb6" >> +export LOCAL_SEC_IPV4="192.168.1.167" >> +export LOCAL_SEC_IPV6="fe80::21a:64ff:fe4f:4bb8" >> +export TOE_GLOBAL="2020::21a:64ff:fe4f:4bb6" >> +export TOE_SEC_GLOBAL="2010::21a:64ff:fe4f:4bb8" >> +export LBLNET_SVR_IPV4="9.47.83.164" >> +export LBLNET_SVR_IPV6="fe80::21a:64ff:fef5:e760" >> +export REMOTE_IPV6_RAW="fe80::21a:64ff:fef5:e760" >> +export LBLNET_SVR_DEV="eth0" >> +export LNET4MASK="255.255.255.0" >> +export LNET6MASK="64" >> +export SECNET_SVR_IPV4="192.168.1.164" >> +export SECNET_SVR_IPV6="fe80::21a:64ff:fef5:e762" >> +export SECNET_SVR_DEV="eth1" >> +export SECNET_SVR_MAC="00:1A:64:F5:E7:62/01:00:00:00:00:00" >> +export SECNET_IPV4="192.168.1.0" >> +export SNET4MASK="255.255.255.0" >> +export SNET6MASK="64" >> +export CATCHER_IPV4="192.168.1.163" >> +export CATCHER_IPV6="2010::214:5eff:feda:9528" >> +export CATCHER_DEV="eth1" >> +export CATCHER_PORT4="5100" >> +export CATCHER_PORT6="5200" >> +export PITCHER_IPV6="2020::21a:64ff:fef5:e760" >> +export PITCHER_DEV="eth0" >> +export BRIDGE_FILTER="br1" >> |
From: Linda K. <lin...@hp...> - 2011-06-30 00:49:41
Hi Jim, James Czyzak wrote: > Hi Linda > > Noted. I think this is the last message you sent me with comments, if > not please remind me which I missed. This was the last message. -- ljk > The next set of messages you will > see will be replies to the patches I sent with no attached files with > attached patch files. > > On 6/29/2011 11:11 AM, Linda Knippers wrote: >> Hi Jim, >> >> My previous comments will apply here as well of course. >> >> James Czyzak wrote: >>> Signed-off-by James Czyzak<cz...@li...> >>> <mailto:cz...@li...> >>> >>> diff --git a/audit/profile.sample b/audit/profile.sample >>> new file mode 100644 >>> index 0000000..eccfa61 >>> --- /dev/null >>> +++ b/audit/profile.sample 
>>> @@ -0,0 +1,39 @@ >>> +# This is a sample profile used by config-server.bash to provide >>> +# example format for answers to it's querries. >>> +export RHOST="localhost" >>> +export RHOST6="::1" >>> +export MODE=64 >>> +export PPROFILE=lspp >>> +export PATH="$PATH:." >>> +export PASSWD=r3dt3am >>> +export PASSWD=r3dt3am >> PASSWD in here twice. >> >>> +export AUDITPATH="/usr/local/eal4_testing/audit-test" >>> +export LOCAL_DEV="eth0" >>> +export LOCAL_SEC_DEV="eth1" >>> +export LOCAL_SEC_MAC="00:1A:64:4F:4B:B8/01:00:00:00:00:00" >>> +export LOCAL_IPV4="9.47.83.167" >>> +export LOCAL_IPV6="fe80::21a:64ff:fe4f:4bb6" >>> +export LOCAL_SEC_IPV4="192.168.1.167" >>> +export LOCAL_SEC_IPV6="fe80::21a:64ff:fe4f:4bb8" >>> +export TOE_GLOBAL="2020::21a:64ff:fe4f:4bb6" >>> +export TOE_SEC_GLOBAL="2010::21a:64ff:fe4f:4bb8" >>> +export LBLNET_SVR_IPV4="9.47.83.164" >>> +export LBLNET_SVR_IPV6="fe80::21a:64ff:fef5:e760" >>> +export REMOTE_IPV6_RAW="fe80::21a:64ff:fef5:e760" >>> +export LBLNET_SVR_DEV="eth0" >>> +export LNET4MASK="255.255.255.0" >>> +export LNET6MASK="64" >>> +export SECNET_SVR_IPV4="192.168.1.164" >>> +export SECNET_SVR_IPV6="fe80::21a:64ff:fef5:e762" >>> +export SECNET_SVR_DEV="eth1" >>> +export SECNET_SVR_MAC="00:1A:64:F5:E7:62/01:00:00:00:00:00" >>> +export SECNET_IPV4="192.168.1.0" >>> +export SNET4MASK="255.255.255.0" >>> +export SNET6MASK="64" >>> +export CATCHER_IPV4="192.168.1.163" >>> +export CATCHER_IPV6="2010::214:5eff:feda:9528" >>> +export CATCHER_DEV="eth1" >>> +export CATCHER_PORT4="5100" >>> +export CATCHER_PORT6="5200" >>> +export PITCHER_IPV6="2020::21a:64ff:fef5:e760" >>> +export PITCHER_DEV="eth0" >>> +export BRIDGE_FILTER="br1" >>> > > |