From: Jiri J. <jja...@re...> - 2013-04-19 18:59:22
|
Hi,

as our audit-test porting to RHEL7 continues, further "side changes" are being made to keep the suite clean and without unnecessary code that has accumulated in the past.

This patch series was originally designed to eliminate unnecessary variables from README.netfilter and profile.sample, but has since grown to a much wider cleanup due to various "cascade effects" generated during the creation of the original cleanup. The series also contains fixes for the last cleanup series ("backwards-compatible rhel6.4 / rhel7 suite improvements/fixes"), during which a NS install was not tested and got broken. Some small features were also added.

Note that this cleanup series is quite invasive in terms of suite execution flow, but the end result should be really easier to use and the changes are not that huge. The changes have undergone "retention" testing on RHEL6, with NS install this time. All changes should be backwards compatible as long as the new version of README.run is followed.

Please feel free to comment on any of the changes. The patches are attached via In-Reply-To/References to this mail.

Thanks,
Jiri |
From: Jiri J. <jja...@re...> - 2013-04-19 19:00:36
|
This regression was introduced by 7efc8ba. Before it, both TOE and NS used ping through loopback (get_ipv4_addr returned local IPv4 addr), but the variable itself was only used by TOE in real tests. Since NS doesn't have LOCAL_IPV4 set, it fails on the ping line. The ping doesn't add any valuable functionality or sensible check, ping via loopback should always succeed. Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/audit-remote/tests/audisp-remote_functions.bash | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/audit-test/audit-remote/tests/audisp-remote_functions.bash b/audit-test/audit-remote/tests/audisp-remote_functions.bash index 2259bf0..13bdb91 100644 --- a/audit-test/audit-remote/tests/audisp-remote_functions.bash +++ b/audit-test/audit-remote/tests/audisp-remote_functions.bash @@ -55,8 +55,8 @@ total_written=0 # Variables used by basic connection for TOE acting as server and client +# used only on the test machine for local auditd local_audit_server_ip="$LOCAL_IPV4" -ping $local_audit_server_ip -c 1 || exit_error "Unable to ping audit server" auditd_conf="/etc/audit/auditd.conf" audisp_remote_conf="/etc/audisp/audisp-remote.conf" -- 1.7.11.7 |
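Review bot: removing the ping also removes the only check that `local_audit_server_ip="$LOCAL_IPV4"` holds anything usable, so on a TOE where LOCAL_IPV4 is unset or mistyped the failure now surfaces later, inside whichever test first connects to the local auditd, instead of at this line with a clear message. Since the new comment says the value is only needed on the test machine, add an explicit guard at the point where the TOE path first consumes it, e.g. `[[ -n "$LOCAL_IPV4" ]] || exit_error "LOCAL_IPV4 not set"`, and leave the NS path (which never sets it) alone.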
From: Jiri J. <jja...@re...> - 2013-04-19 19:00:43
|
The command DOES NOT remove a role from a list of roles for some user, it in fact deletes all local customizations for that user (deletes the user). The -R parameter therefore doesn't make sense in that context and is ignored. Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/utils/selinux-policy/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/audit-test/utils/selinux-policy/Makefile b/audit-test/utils/selinux-policy/Makefile index 2dc7459..da25e34 100644 --- a/audit-test/utils/selinux-policy/Makefile +++ b/audit-test/utils/selinux-policy/Makefile @@ -117,8 +117,8 @@ uninstall: if [ -n "$$role" ]; then \ echo "Removing role/type from the default_types file"; \ sed -i -e '/$(MODULE_ROLE)/d' $(SELINUX_POLICY_DEFTYPEFILE); \ - echo -n "Removing role \"$$role\" from user \"$(SELINUX_USER)\" ... "; \ - semanage user -d -R $$role $(SELINUX_USER) &> /dev/null && \ + echo -n "Removing local customizations from user \"$(SELINUX_USER)\" ... "; \ + semanage user -d $(SELINUX_USER) &> /dev/null && \ echo "ok" || echo "failed"; \ fi; \ echo -n "Unloading $(MODULE_NAME) module ... "; \ -- 1.7.11.7 |
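Review bot: the new message says local customizations for the whole user are removed, but `semanage user -d $(SELINUX_USER)` is still nested inside `if [ -n "$$role" ]; then`, so when $role is empty the user mapping is left behind even though the command no longer depends on the role at all. Move the semanage call out of that conditional (or make the guard test SELINUX_USER instead of $role), and consider dropping `&> /dev/null` for stderr so the "failed" branch at least shows why semanage refused.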
From: Jiri J. <jja...@re...> - 2013-04-19 19:00:53
|
This function broke upon the introduction of filename transition rules, which are printed by sesearch as well. This change ensures that only the original semantic te rules are processed and only the first one (without semicolon) is returned. Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/syscalls/syscall_functions.bash | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/audit-test/syscalls/syscall_functions.bash b/audit-test/syscalls/syscall_functions.bash index eb581c4..b70c9fa 100644 --- a/audit-test/syscalls/syscall_functions.bash +++ b/audit-test/syscalls/syscall_functions.bash @@ -408,7 +408,8 @@ function get_fsobj_context { function get_tmpfile_type { declare ftype - ftype=$(sesearch --type --class file --source $1 --target $2 | awk '{print $6}') + ftype=$(sesearch --type --class file --source $1 --target $2 | \ + awk '/Found [0-9]* semantic te rules:/ { next } { gsub(";", "", $6); print $6; exit 0 }') echo ${ftype%;} } -- 1.7.11.7 |
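Review bot: the catch-all awk rule `{ gsub(";", "", $6); print $6; exit 0 }` prints field 6 of whatever line follows the skipped "semantic te rules" header, so a blank line, the header of the filename-transition section, or any other non-type_transition line arriving first yields an empty or wrong type with exit status 0, and the caller cannot tell. Match the rule keyword rather than line position, e.g. `$1 == "type_transition" { sub(";", "", $6); print $6; exit }`, and quote `"$1"` and `"$2"` in the sesearch call. With the semicolon stripped in awk, the `echo ${ftype%;}` in the context lines is redundant and can become a plain `echo "$ftype"`.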
From: Jiri J. <jja...@re...> - 2013-04-19 19:01:06
|
Signed-off-by: Jiri Jaburek <jja...@re...> --- Makefile | 1 + audit-test/Makefile | 1 + audit-test/rules.mk | 3 ++- audit-test/trustedprograms/tests/policy/Makefile | 12 +++++++++++- audit-test/utils/Makefile | 5 +++++ audit-test/utils/bin/Makefile | 6 +++++- audit-test/utils/selinux-policy/Makefile | 12 +++++++++++- rules.mk | 3 ++- 8 files changed, 38 insertions(+), 5 deletions(-) diff --git a/Makefile b/Makefile index 86aa53b..4a0c8bf 100644 --- a/Makefile +++ b/Makefile @@ -45,6 +45,7 @@ run: make report .PHONY: report +ALL_LOGS += logs-*.tar.gz report: systeminfo summary @tarball="logs-$$(date +'%m%d%Y_%H%M').tar.gz"; \ tar zcvf logs-$$(date +"%m%d%Y_%H%M").tar.gz $$(find . -name "*.log"); \ diff --git a/audit-test/Makefile b/audit-test/Makefile index ea537b0..6b1a0b0 100644 --- a/audit-test/Makefile +++ b/audit-test/Makefile @@ -82,6 +82,7 @@ dist: ls -l audit-test-$$rev.tar.gz .PHONY: report +ALL_LOGS += audit.run.log audit.rollup.log report: @# tty output has color, generated logs don't, so collect them @# instead of redirecting output of the above loop. diff --git a/audit-test/rules.mk b/audit-test/rules.mk index f02b869..b5c0d26 100644 --- a/audit-test/rules.mk +++ b/audit-test/rules.mk @@ -191,13 +191,14 @@ _clean: clean: _clean +ALL_LOGS += run.log rollup.log _distclean: clean @if [[ "$(MAKECMDGOALS)" == distclean ]]; then \ for x in $(SUB_DIRS); do \ make -C $$x distclean; \ done; \ fi - $(RM) run.log + $(RM) $(ALL_LOGS) if [[ -L run.bash ]]; then $(RM) run.bash; fi distclean: _distclean diff --git a/audit-test/trustedprograms/tests/policy/Makefile b/audit-test/trustedprograms/tests/policy/Makefile index fd03e5e..a113fc7 100644 --- a/audit-test/trustedprograms/tests/policy/Makefile +++ b/audit-test/trustedprograms/tests/policy/Makefile 
@@ -37,7 +37,7 @@ TEST_BASEDIR := /usr/local/eal4_testing # # targets # -.PHONY: verifyme verify install uninstall relabel +.PHONY: verifyme verify distclean # base SELinux module targets include $(SELINUX_DEV_BASEDIR)/Makefile @@ -60,3 +60,13 @@ verify: echo "not installed"; \ fi; +# remove only generated files +distclean: + $(MAKE) clean + @ shopt -s nullglob; \ + for file in *.fc; do \ + [ -z "$$(cat $$file)" ] && rm -vf "$$file"; \ + done; \ + for file in *.if; do \ + [ -z "$$(grep -v '<summary></summary>' < $$file)" ] && rm -vf "$$file"; \ + done; diff --git a/audit-test/utils/Makefile b/audit-test/utils/Makefile index 3fbf6af..489d98b 100644 --- a/audit-test/utils/Makefile +++ b/audit-test/utils/Makefile @@ -37,3 +37,8 @@ chmod_utils: README.augrok: augrok pod2text augrok > $@ + +.PHONY: README.augrok_clean +distclean: README.augrok_clean +README.augrok_clean: + $(RM) README.augrok diff --git a/audit-test/utils/bin/Makefile b/audit-test/utils/bin/Makefile index 56cffce..098d46c 100644 --- a/audit-test/utils/bin/Makefile +++ b/audit-test/utils/bin/Makefile @@ -201,13 +201,17 @@ $(MQ_EXE): LDLIBS += -lrt endif $(RT_EXE): LDLIBS += -lrt -headerhack: +headerhack: @echo -en "/* Do NOT edit this file directly," \ "it is generated from /usr/include/linux/ipc.h\n" \ " which cannot be included due to an obsolete definition of" \ "struct ipc_perm */\n\n" > ipc_hack.h && \ gcc -E -dM /usr/include/linux/ipc.h | egrep "SEM|MSG|SHM" >> ipc_hack.h; +clean: headerhack_clean +headerhack_clean: + $(RM) ipc_hack.h + all: headerhack $(ALL_EXE) diff --git a/audit-test/utils/selinux-policy/Makefile b/audit-test/utils/selinux-policy/Makefile index da25e34..d966c46 100644 --- a/audit-test/utils/selinux-policy/Makefile +++ b/audit-test/utils/selinux-policy/Makefile 
@@ -43,7 +43,7 @@ MODULE_ROLE := lspp_test_r:lspp_harness_t # targets # -.PHONY: verify install uninstall relabel +.PHONY: verify install uninstall relabel distclean # base SELinux module targets include $(SELINUX_DEV_BASEDIR)/Makefile @@ -137,3 +137,13 @@ relabel: @echo "Relabeling LSPP tests in $(TEST_BASEDIR)" @restorecon -r $(TEST_BASEDIR) +# remove only generated files +distclean: + $(MAKE) clean + @ shopt -s nullglob; \ + for file in *.fc; do \ + [ -z "$$(cat $$file)" ] && rm -vf "$$file"; \ + done; \ + for file in *.if; do \ + [ -z "$$(grep -v '<summary></summary>' < $$file)" ] && rm -vf "$$file"; \ + done; diff --git a/rules.mk b/rules.mk index 51b0d1c..84af369 100644 --- a/rules.mk +++ b/rules.mk @@ -185,13 +185,14 @@ _clean: clean: _clean +ALL_LOGS += run.log rollup.log $(SYSTEMINFO) _distclean: clean @if [[ "$(MAKECMDGOALS)" == distclean ]]; then \ for x in $(SUB_DIRS); do \ make -C $$x distclean; \ done; \ fi - $(RM) run.log + $(RM) $(ALL_LOGS) if [[ -L run.bash ]]; then $(RM) run.bash; fi distclean: _distclean -- 1.7.11.7 |
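Review bot: both new distclean recipes (trustedprograms/tests/policy/Makefile and utils/selinux-policy/Makefile) end each loop body with `[ -z "$$(cat $$file)" ] && rm -vf "$$file"`, and the recipe's exit status is that of its last command, so if the last *.if file is non-empty the test fails, the `&&` list returns 1 and make aborts distclean with an error even though nothing went wrong. Use `if [ -z ... ]; then rm -vf "$$file"; fi` or terminate the recipe with `; true`. The recipe is also copied verbatim into two Makefiles and depends on bash (`shopt -s nullglob`); factor it into a shared include and make sure SHELL is bash wherever it is used.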
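Review bot: `.PHONY: verifyme verify distclean` in trustedprograms/tests/policy/Makefile silently drops install, uninstall and relabel from the phony list, whereas the selinux-policy Makefile in the same patch keeps them (`.PHONY: verify install uninstall relabel distclean`); if those targets still come from the included `$(SELINUX_DEV_BASEDIR)/Makefile`, a stray file named `install` in that directory would now mask them. Either keep them in .PHONY or explain the removal in the commit message, which is currently empty for an eight-file change.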
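Review bot: in utils/bin/Makefile the `-headerhack:` / `+headerhack:` pair is a whitespace-only change with no functional effect, and the new `headerhack_clean` target hooked onto `clean:` is not declared .PHONY, unlike `README.augrok_clean` in utils/Makefile which gets its own `.PHONY:` line. Declare `headerhack_clean` phony for consistency and either drop the whitespace-only hunk or mention it in the commit message.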
From: Linda K. <lin...@hp...> - 2013-04-22 17:52:37
|
Looks good, -- ljk On 04/19/13 15:00, Jiri Jaburek wrote: > Signed-off-by: Jiri Jaburek <jja...@re...> > --- > Makefile | 1 + > audit-test/Makefile | 1 + > audit-test/rules.mk | 3 ++- > audit-test/trustedprograms/tests/policy/Makefile | 12 +++++++++++- > audit-test/utils/Makefile | 5 +++++ > audit-test/utils/bin/Makefile | 6 +++++- > audit-test/utils/selinux-policy/Makefile | 12 +++++++++++- > rules.mk | 3 ++- > 8 files changed, 38 insertions(+), 5 deletions(-) > > diff --git a/Makefile b/Makefile > index 86aa53b..4a0c8bf 100644 > --- a/Makefile > +++ b/Makefile > @@ -45,6 +45,7 @@ run: > make report > > .PHONY: report > +ALL_LOGS += logs-*.tar.gz > report: systeminfo summary > @tarball="logs-$$(date +'%m%d%Y_%H%M').tar.gz"; \ > tar zcvf logs-$$(date +"%m%d%Y_%H%M").tar.gz $$(find . -name "*.log"); \ > diff --git a/audit-test/Makefile b/audit-test/Makefile > index ea537b0..6b1a0b0 100644 > --- a/audit-test/Makefile > +++ b/audit-test/Makefile > @@ -82,6 +82,7 @@ dist: > ls -l audit-test-$$rev.tar.gz > > .PHONY: report > +ALL_LOGS += audit.run.log audit.rollup.log > report: > @# tty output has color, generated logs don't, so collect them > @# instead of redirecting output of the above loop. > diff --git a/audit-test/rules.mk b/audit-test/rules.mk > index f02b869..b5c0d26 100644 > --- a/audit-test/rules.mk > +++ b/audit-test/rules.mk > @@ -191,13 +191,14 @@ _clean: > > clean: _clean > > +ALL_LOGS += run.log rollup.log > _distclean: clean > @if [[ "$(MAKECMDGOALS)" == distclean ]]; then \ > for x in $(SUB_DIRS); do \ > make -C $$x distclean; \ > done; \ > fi > - $(RM) run.log > + $(RM) $(ALL_LOGS) > if [[ -L run.bash ]]; then $(RM) run.bash; fi > > distclean: _distclean > diff --git a/audit-test/trustedprograms/tests/policy/Makefile b/audit-test/trustedprograms/tests/policy/Makefile > index fd03e5e..a113fc7 100644 > --- a/audit-test/trustedprograms/tests/policy/Makefile > +++ b/audit-test/trustedprograms/tests/policy/Makefile 
> @@ -37,7 +37,7 @@ TEST_BASEDIR := /usr/local/eal4_testing > # > # targets > # > -.PHONY: verifyme verify install uninstall relabel > +.PHONY: verifyme verify distclean > > # base SELinux module targets > include $(SELINUX_DEV_BASEDIR)/Makefile > @@ -60,3 +60,13 @@ verify: > echo "not installed"; \ > fi; > > +# remove only generated files > +distclean: > + $(MAKE) clean > + @ shopt -s nullglob; \ > + for file in *.fc; do \ > + [ -z "$$(cat $$file)" ] && rm -vf "$$file"; \ > + done; \ > + for file in *.if; do \ > + [ -z "$$(grep -v '<summary></summary>' < $$file)" ] && rm -vf "$$file"; \ > + done; > diff --git a/audit-test/utils/Makefile b/audit-test/utils/Makefile > index 3fbf6af..489d98b 100644 > --- a/audit-test/utils/Makefile > +++ b/audit-test/utils/Makefile > @@ -37,3 +37,8 @@ chmod_utils: > > README.augrok: augrok > pod2text augrok > $@ > + > +.PHONY: README.augrok_clean > +distclean: README.augrok_clean > +README.augrok_clean: > + $(RM) README.augrok > diff --git a/audit-test/utils/bin/Makefile b/audit-test/utils/bin/Makefile > index 56cffce..098d46c 100644 > --- a/audit-test/utils/bin/Makefile > +++ b/audit-test/utils/bin/Makefile > @@ -201,13 +201,17 @@ $(MQ_EXE): LDLIBS += -lrt > endif > $(RT_EXE): LDLIBS += -lrt > > -headerhack: > +headerhack: > @echo -en "/* Do NOT edit this file directly," \ > "it is generated from /usr/include/linux/ipc.h\n" \ > " which cannot be included due to an obsolete definition of" \ > "struct ipc_perm */\n\n" > ipc_hack.h && \ > gcc -E -dM /usr/include/linux/ipc.h | egrep "SEM|MSG|SHM" >> ipc_hack.h; > > +clean: headerhack_clean > +headerhack_clean: > + $(RM) ipc_hack.h > + > > all: headerhack $(ALL_EXE) > > diff --git a/audit-test/utils/selinux-policy/Makefile b/audit-test/utils/selinux-policy/Makefile > index da25e34..d966c46 100644 > --- a/audit-test/utils/selinux-policy/Makefile > +++ b/audit-test/utils/selinux-policy/Makefile 
> @@ -43,7 +43,7 @@ MODULE_ROLE := lspp_test_r:lspp_harness_t > # targets > # > > -.PHONY: verify install uninstall relabel > +.PHONY: verify install uninstall relabel distclean > > # base SELinux module targets > include $(SELINUX_DEV_BASEDIR)/Makefile > @@ -137,3 +137,13 @@ relabel: > @echo "Relabeling LSPP tests in $(TEST_BASEDIR)" > @restorecon -r $(TEST_BASEDIR) > > +# remove only generated files > +distclean: > + $(MAKE) clean > + @ shopt -s nullglob; \ > + for file in *.fc; do \ > + [ -z "$$(cat $$file)" ] && rm -vf "$$file"; \ > + done; \ > + for file in *.if; do \ > + [ -z "$$(grep -v '<summary></summary>' < $$file)" ] && rm -vf "$$file"; \ > + done; > diff --git a/rules.mk b/rules.mk > index 51b0d1c..84af369 100644 > --- a/rules.mk > +++ b/rules.mk > @@ -185,13 +185,14 @@ _clean: > > clean: _clean > > +ALL_LOGS += run.log rollup.log $(SYSTEMINFO) > _distclean: clean > @if [[ "$(MAKECMDGOALS)" == distclean ]]; then \ > for x in $(SUB_DIRS); do \ > make -C $$x distclean; \ > done; \ > fi > - $(RM) run.log > + $(RM) $(ALL_LOGS) > if [[ -L run.bash ]]; then $(RM) run.bash; fi > > distclean: _distclean > |
From: Jiri J. <jja...@re...> - 2013-04-19 19:01:18
|
From: Miroslav Vadkerti <mva...@re...> There is often the need to check all AVCs created during test execution. The new option -a adds this functionality and prints all AVCs created during running of each test, including the output of audit2allow on these AVCs. Signed-off-by: Miroslav Vadkerti <mva...@re...> --- audit-test/utils/run.bash | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/audit-test/utils/run.bash b/audit-test/utils/run.bash index 74f8c5f..f70b79a 100755 --- a/audit-test/utils/run.bash +++ b/audit-test/utils/run.bash @@ -52,6 +52,7 @@ source functions.bash || exit 2 unset logging unset opt_verbose opt_debug opt_config opt_list opt_log opt_rollup opt_timeout opt_width logging=false +opt_avc=false opt_verbose=false opt_debug=false opt_quiet=false @@ -350,6 +351,7 @@ Run a set of test cases, reporting pass/fail and tallying results. Output modes: (default) Pass/fail/error status only --list List the available tests + -a --avc Print AVCs after testexecution and audit2allow rules -v --verbose Copious output on fail or error -d --debug Copious output always -q --quiet Suppress error/fail message @@ -362,13 +364,14 @@ function parse_cmdline { declare args conf x # Use /usr/bin/getopt which supports GNU-style long options - args=$(getopt -o df:hl:qr:vw: \ - --long config:,debug,help,header,list,log:,quiet,rollup:,nocolor,verbose,width: \ + args=$(getopt -o adf:hl:qr:vw: \ + --long config:,avc,debug,help,header,list,log:,quiet,rollup:,nocolor,verbose,width: \ -n "$0" -- "$@") || die eval set -- "$args" while true; do case $1 in + -a|--avc) opt_avc=true; shift ;; -d|--debug) opt_debug=true; opt_verbose=true; shift ;; -f|--config) opt_config=$2; shift 2 ;; -h|--help) usage; exit 0 ;; @@ -514,6 +517,8 @@ function run_tests { show_test "$@" fi + # get current time + stime=$(date +'%H:%M:%S') output=$( # note that putting run_test in the background results in no tty for pam tests ( exec > >(tee $hee) 2>&1; run_test "$@"; ) # & 
@@ -528,6 +533,7 @@ function run_tests { # wait $pid ) 2>&1 status=$? + etime=$(date +'%H:%M:%S') if $opt_debug; then nolog msg "$end_output" @@ -573,6 +579,14 @@ function run_tests { vmsg fi fi + + # print AVCs if requested + if $opt_avc; then + msg "<blue>-- Test execution AVC records ----------------------------------------------" + msg "$(ausearch -ts $stime -te $etime -m avc)" + msg "<blue>-- audit2allow -------------------------------------------------------------" + msg "$(ausearch -ts $stime -te $etime -m avc | audit2allow)" + fi done (( total = pass + fail + error )) -- 1.7.11.7 |
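Review bot: `stime=$(date +'%H:%M:%S')` and the matching `etime` carry only the time of day, so `ausearch -ts $stime -te $etime` implicitly means "today" and returns nothing useful for a test running across midnight, and with one-second granularity it also pulls in AVCs logged in the same second by the previous test's teardown; since auditd writes asynchronously, an AVC raised in the last moments of the test may not be on disk yet when ausearch runs at `etime`. Record a full timestamp (`date +'%m/%d/%Y %H:%M:%S'` splits cleanly into the date and time arguments ausearch expects) and give the log a moment to flush, or checkpoint it, before searching. Minor: the help text should read "test execution", and `stime`/`etime` leak out of run_tests unless added to the function's `declare` list.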
From: Linda K. <lin...@hp...> - 2013-04-22 17:54:11
|
Looks good. - ljk On 04/19/13 15:01, Jiri Jaburek wrote: > From: Miroslav Vadkerti <mva...@re...> > > There is often the need to check all AVCs created during test execution. > The new option -a adds this functionality and prints all AVCs created > during running of each test, including the output of audit2allow on > these AVCs. > > Signed-off-by: Miroslav Vadkerti <mva...@re...> > --- > audit-test/utils/run.bash | 18 ++++++++++++++++-- > 1 file changed, 16 insertions(+), 2 deletions(-) > > diff --git a/audit-test/utils/run.bash b/audit-test/utils/run.bash > index 74f8c5f..f70b79a 100755 > --- a/audit-test/utils/run.bash > +++ b/audit-test/utils/run.bash > @@ -52,6 +52,7 @@ source functions.bash || exit 2 > unset logging > unset opt_verbose opt_debug opt_config opt_list opt_log opt_rollup opt_timeout opt_width > logging=false > +opt_avc=false > opt_verbose=false > opt_debug=false > opt_quiet=false > @@ -350,6 +351,7 @@ Run a set of test cases, reporting pass/fail and tallying results. > Output modes: > (default) Pass/fail/error status only > --list List the available tests > + -a --avc Print AVCs after testexecution and audit2allow rules > -v --verbose Copious output on fail or error > -d --debug Copious output always > -q --quiet Suppress error/fail message > @@ -362,13 +364,14 @@ function parse_cmdline { > declare args conf x > > # Use /usr/bin/getopt which supports GNU-style long options > - args=$(getopt -o df:hl:qr:vw: \ > - --long config:,debug,help,header,list,log:,quiet,rollup:,nocolor,verbose,width: \ > + args=$(getopt -o adf:hl:qr:vw: \ > + --long config:,avc,debug,help,header,list,log:,quiet,rollup:,nocolor,verbose,width: \ > -n "$0" -- "$@") || die > eval set -- "$args" > > while true; do > case $1 in > + -a|--avc) opt_avc=true; shift ;; > -d|--debug) opt_debug=true; opt_verbose=true; shift ;; > -f|--config) opt_config=$2; shift 2 ;; > -h|--help) usage; exit 0 ;; 
> @@ -514,6 +517,8 @@ function run_tests { > show_test "$@" > fi > > + # get current time > + stime=$(date +'%H:%M:%S') > output=$( > # note that putting run_test in the background results in no tty for pam tests > ( exec > >(tee $hee) 2>&1; run_test "$@"; ) # & > @@ -528,6 +533,7 @@ function run_tests { > # wait $pid > ) 2>&1 > status=$? > + etime=$(date +'%H:%M:%S') > > if $opt_debug; then > nolog msg "$end_output" > @@ -573,6 +579,14 @@ function run_tests { > vmsg > fi > fi > + > + # print AVCs if requested > + if $opt_avc; then > + msg "<blue>-- Test execution AVC records ----------------------------------------------" > + msg "$(ausearch -ts $stime -te $etime -m avc)" > + msg "<blue>-- audit2allow -------------------------------------------------------------" > + msg "$(ausearch -ts $stime -te $etime -m avc | audit2allow)" > + fi > done > > (( total = pass + fail + error )) > |
From: Jiri J. <jja...@re...> - 2013-04-19 19:01:31
|
The ipv6 link-local code in netfilebt/setup_default was already redundant, get_host_local had the ability before this cleanup. The `local_ipv6_if' in netfilter didn't have anything to do with ipv6 and was therefore renamed in the process. Everything else is just a rewrite of needlessly complicated code, removing extra variables along the way. Some variables were really unused even before this cleanup (ie. address* in netfilebt). Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/netfilebt/run.conf | 132 +++++++----------------------------------- audit-test/netfilter/run.conf | 95 ++++++++---------------------- 2 files changed, 46 insertions(+), 181 deletions(-) diff --git a/audit-test/netfilebt/run.conf b/audit-test/netfilebt/run.conf index 1daf2d6..85a1958 100644 --- a/audit-test/netfilebt/run.conf +++ b/audit-test/netfilebt/run.conf @@ -381,32 +381,12 @@ function setup_default { cmd_str="sockcon:full,system_u:system_r:$(get_test_domain $type $host):$remote_obj;" case $op in sendrand_tcp) - if [[ $ipv == "ipv6" ]]; then - if [[ $local_ipv6_prefix == "fe80" ]]; then - local_host="$LOCAL_SEC_IPV6%$LOCAL_SEC_DEV" - echo " $local_host " - else - local_host="$LOCAL_SEC_IPV6" - echo " $local_host is global " - fi - else - local_host="$(get_host_local $ipv $host)" - fi + local_host="$(get_host_local $ipv $host)" cmd_str+="sleep:5;" cmd_str+="sendrand:$local_host,tcp,$port,1;" ;; sendrand_udp) - if [[ $ipv == "ipv6" ]]; then - if [[ $local_ipv6_prefix == "fe80" ]]; then - local_host="$LOCAL_SEC_IPV6%$LOCAL_SEC_DEV" - echo " $local_host " - else - local_host="$LOCAL_SEC_IPV6" - echo " $local_host is global" - fi - else - local_host="$(get_host_local $ipv $host)" - fi + local_host="$(get_host_local $ipv $host)" cmd_str+="sleep:5;" cmd_str+="sendrand:$local_host,udp,$port,1;" ;; 
@@ -817,102 +797,34 @@ function run_test { # pre-testrun checks/configuration ###################################################################### -unset local_ipv4 remote_ipv4 address_ipv4 - -unset local_ipv6_if -unset local_ipv6 remote_ipv6 address_ipv6 -unset local_ipv6_raw remote_ipv6_raw address_ipv6_raw - -unset local_ipv6_prefix -unset remote_ipv6_prefix -unset address_ipv6_prefix - -unset address address_raw - # check the test profile -[[ -z $PPROFILE ]] && die "error: profile not set (PPROFILE)" +[[ -z "$PPROFILE" ]] && die "error: profile not set (PPROFILE)" # the remote labeled networking host/server -if [[ -n $SECNET_SVR_IPV4 ]]; then - lblnet_svr4_host=$SECNET_SVR_IPV4 -else +[[ -z "$SECNET_SVR_IPV4" ]] && \ die "error: labeled networking test server not specified (SECNET_SVR_IPV4)" -fi - - -# -# get ipv4 addresses -# - -local_ipv4="$LOCAL_SEC_IPV4" -remote_ipv4="$SECNET_SVR_IPV4" -address_ipv4="$ADDRESS_IPV4" - -# -# get ipv6 addresses -# - -# raw addresses -local_ipv6_raw="$LOCAL_SEC_IPV6" -remote_ipv6_raw="$SECNET_SVR_IPV6" -address_ipv6_raw="$LBLNET_SVR_IPV6" - -# prefix to determine if addresses are link local or global -local_ipv6_prefix=$(echo $LOCAL_SEC_IPV6 | head -c 4) -remote_ipv6_prefix=$(echo $SECNET_SVR_IPV6 | head -c 4) -address_ipv6_prefix=$(echo $LBLNET_SVR_IPV6 | head -c 4) - -# interface/scope -if [[ -n $BRIDGE_FILTER ]]; then - local_ipv6_if=$BRIDGE_FILTER -else - die "error: bridge interface not specified (BRIDGE_FILTER undefined)" -fi - -# adjust link-local addresses -if [[ $local_ipv6_prefix == "fe80" ]]; then - # link-local address, add a scope - local_ipv6="$local_ipv6_raw%$local_ipv6_if" -else - # non link-local, assume global address and just use it - local_ipv6="$local_ipv6_raw" -fi -if [[ $remote_ipv6_prefix == "fe80" ]]; then - # link-local address, add a scope - remote_ipv6="$remote_ipv6_raw%$local_ipv6_if" -else - # non link-local, assume global address and just use it - remote_ipv6="$remote_ipv6_raw" -fi -if [[ 
$address_ipv6_prefix == "fe80" ]]; then - # link-local address, add a scope - address_ipv6="$address_ipv6_raw%$local_ipv6_if" -else - # non link-local, assume global address and just use it - address_ipv6="$address_ipv6_raw" -fi - -# -# generate the generic %ADDRESS[_RAW]% if possible -# +[[ -z "$SECNET_SVR_IPV6" ]] && \ + die "error: labeled networking test server not specified (SECNET_SVR_IPV6)" -if [[ -n $address_ipv6 && -z $address_ipv4 ]]; then - address="$address_ipv6" - address_raw="$address_ipv6_raw" -elif [[ -z $address_ipv6 && -n $address_ipv4 ]]; then - address="$address_ipv4" -fi +# the bridge with enslaved secnet device +[[ -z "$BRIDGE_FILTER" ]] && \ + die "error: bridge interface not specified (BRIDGE_FILTER undefined)" -if [[ -n $SECNET_SVR_IPV6 ]]; then - lblnet_svr6_host=$remote_ipv6 - lblnet_svr6_host_raw=$remote_ipv6_raw -else - die "error: networking test server not specified (SECNET_SVR_IPV6)" -fi # the local machine -lblnet_loc4_host=$local_ipv4 -lblnet_loc6_host=$local_ipv6 +lblnet_loc4_host="$LOCAL_SEC_IPV4" +lblnet_loc6_host="$LOCAL_SEC_IPV6" + +# the remote machine +lblnet_svr4_host="$SECNET_SVR_IPV4" +lblnet_svr6_host="$SECNET_SVR_IPV6" + +# link-local ipv6 addresses +for i in lblnet_loc6_host lblnet_svr6_host; do + prefix=$(eval echo \$$i | head -c 4) + [[ "$prefix" == "fe80" ]] && eval $i=\$$i%$BRIDGE_FILTER + unset prefix +done; case $PPROFILE in lspp) diff --git a/audit-test/netfilter/run.conf b/audit-test/netfilter/run.conf index 5cb3363..271269b 100644 --- a/audit-test/netfilter/run.conf +++ b/audit-test/netfilter/run.conf @@ -952,7 +952,7 @@ function run_test { case $tnum in 29 | 30 | 31 | 32) read testres exitval pid <<< \ - "$(do_ping $host_remote $ipv $host $local_ipv6_if)" + "$(do_ping $host_remote $ipv $host $local_if)" ;; 45 | 46 | 47 | 48) read testres exitval pid <<< \ 
@@ -1238,81 +1238,34 @@ function run_test { # pre-testrun checks/configuration ###################################################################### -unset local_ipv4 remote_ipv4 - -unset local_ipv6_if -unset local_ipv6 remote_ipv6 -unset local_ipv6_raw remote_ipv6_raw - -unset local_ipv6_prefix -unset remote_ipv6_prefix +unset local_if # check the test profile -[[ -z $PPROFILE ]] && die "error: profile not set (PPROFILE)" +[[ -z "$PPROFILE" ]] && die "error: profile not set (PPROFILE)" # the remote labeled networking host/server -if [[ -n $LBLNET_SVR_IPV4 ]]; then - lblnet_svr4_host=$LBLNET_SVR_IPV4 -else +[[ -z "$LBLNET_SVR_IPV4" ]] && \ die "error: labeled networking test server not specified (LBLNET_SVR_IPV4)" -fi - - -# -# get ipv4 addresses -# - -local_ipv4="$LOCAL_IPV4" -remote_ipv4="$LBLNET_SVR_IPV4" - -echo $local_ipv4 -# -# get ipv6 addresses -# +[[ -z "$LBLNET_SVR_IPV6" ]] && \ + die "error: labeled networking test server not specified (LBLNET_SVR_IPV6)" # interface/scope -local_ipv6_if="$LOCAL_DEV" - -# raw addresses -local_ipv6_raw="$LOCAL_IPV6" -remote_ipv6_raw="$LBLNET_SVR_IPV6" - -# prefix to determine if addresses are link local or global -local_ipv6_prefix=$(echo $LOCAL_IPV6 | head -c 4) -remote_ipv6_prefix=$(echo $LBLNET_SVR_IPV6 | head -c 4) - -# adjust link-local addresses -if [[ $local_ipv6_prefix == "fe80" ]]; then - # link-local address, add a scope - local_ipv6="$local_ipv6_raw%$local_ipv6_if" -else - # non link-local, assume global or site local address and just use it - local_ipv6="$local_ipv6_raw" -fi -if [[ $remote_ipv6_prefix == "fe80" ]]; then - # link-local address, add a scope - remote_ipv6="$remote_ipv6_raw%$local_ipv6_if" - echo $remote_ipv6 -else - # non link-local, assume global address and just use it - remote_ipv6="$remote_ipv6_raw" -fi - -# -# generate the generic %ADDRESS[_RAW]% if possible -# - -if [[ -n $LBLNET_SVR_IPV6 ]]; then - lblnet_svr6_host=$remote_ipv6 - echo $remote_ipv6 - lblnet_svr6_host_raw=$remote_ipv6_raw 
-else - die "error: labeled networking test server not specified (LBLNET_SVR_IPV6)" -fi +local_if="$LOCAL_DEV" # the local machine -lblnet_loc4_host=$local_ipv4 -lblnet_loc6_host=$local_ipv6 +lblnet_loc4_host="$LOCAL_IPV4" +lblnet_loc6_host="$LOCAL_IPV6" + +# the remote machine +lblnet_svr4_host="$LBLNET_SVR_IPV4" +lblnet_svr6_host="$LBLNET_SVR_IPV6" + +# link-local ipv6 addresses +for i in lblnet_loc6_host lblnet_svr6_host; do + prefix=$(eval echo \$$i | head -c 4) + [[ "$prefix" == "fe80" ]] && eval $i=\$$i%$local_if + unset prefix +done; case $PPROFILE in lspp) @@ -1687,7 +1640,7 @@ done + ping \ mlsop=eq expres=fail err=EPERM \ host=local type=unlabeled ipv=ipv4 \ - tnum=29 '$host_remote $ipv $host $local_ipv6_if' + tnum=29 '$host_remote $ipv $host $local_if' ## TESTCASE Test #29 tnum 30 ## Table Rule received ping requests (ipv4/icmp) are accepted ## and logged to audit. @@ -1697,7 +1650,7 @@ done + ping \ mlsop=eq expres=success \ host=local type=unlabeled ipv=ipv4 \ - tnum=30 '$host_remote $ipv $host $local_ipv6_if' + tnum=30 '$host_remote $ipv $host $local_if' ## TESTCASE Test #30 tnum 31 ## Table Rule received ping requests (ipv6/icmp) are dropped ## Input pings (ipv6/icmp) are sent over local loopback @@ -1706,7 +1659,7 @@ done + ping \ mlsop=eq expres=fail err=EPERM \ host=local type=unlabeled ipv=ipv6 \ - tnum=31 '$host_remote $ipv $host $local_ipv6_if' + tnum=31 '$host_remote $ipv $host $local_if' ## TESTCASE Test #31 tnum 32 ## Table Rule received ping requests (ipv6/icmp) are accepted ## and logged to audit. @@ -1716,7 +1669,7 @@ done + ping \ mlsop=eq expres=success \ host=local type=unlabeled ipv=ipv6 \ - tnum=32 '$host_remote $ipv $host $local_ipv6_if' + tnum=32 '$host_remote $ipv $host $local_if' ## TESTCASE Test #32 tnum 33 ## Table Rule INPUT chain policy (ipv4) is drop. Packets on ports 22, ## 4000, and $tst_port2 are accepted. Destination port range -- 1.7.11.7 |
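Review bot: netfilter/run.conf assigns `local_if="$LOCAL_DEV"` and then appends `%$local_if` to every fe80 address with no check that LOCAL_DEV is set, while netfilebt/run.conf in the same patch does die on an empty BRIDGE_FILTER at the equivalent spot; an empty LOCAL_DEV produces `fe80::...%`, which only fails later inside do_ping with a far less obvious error. Add `[[ -z "$LOCAL_DEV" ]] && die "error: local interface not specified (LOCAL_DEV undefined)"` beside the other checks. Both loops can also avoid eval entirely: `prefix=${!i:0:4}` and `printf -v "$i" '%s%%%s' "${!i}" "$local_if"` do the same without re-parsing an address as shell code. Note that the old code also set `lblnet_svr6_host_raw` in both files and the new block does not; grep both run.conf files for remaining users before merging.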
From: Jiri J. <jja...@re...> - 2013-04-19 19:01:44
|
addr_filter should be used for configuration files and its usage here is just to simplify link-local ipv6 address translation, which is now done by a simple loop Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/network/run.conf | 29 +++++++++++++++++------------ 1 file changed, 17 insertions(+), 12 deletions(-) diff --git a/audit-test/network/run.conf b/audit-test/network/run.conf index d7f2ee1..10eaa4f 100644 --- a/audit-test/network/run.conf +++ b/audit-test/network/run.conf @@ -964,24 +964,29 @@ function run_test { ###################################################################### # check the test profile -[[ -z $PPROFILE ]] && die "error: profile not set (PPROFILE)" +[[ -z "$PPROFILE" ]] && die "error: profile not set (PPROFILE)" # the remote labeled networking host/server -if [[ -n $LBLNET_SVR_IPV4 ]]; then - lblnet_svr4_host=$LBLNET_SVR_IPV4 -else +[[ -z "$LBLNET_SVR_IPV4" ]] && \ die "error: labeled networking test server not specified (LBLNET_SVR_IPV4)" -fi -if [[ -n $LBLNET_SVR_IPV6 ]]; then - lblnet_svr6_host=$(echo %REMOTE_IPV6% | ./addr_filter.bash) - lblnet_svr6_host_raw=$(echo %REMOTE_IPV6_RAW% | ./addr_filter.bash) -else +[[ -z "$LBLNET_SVR_IPV6" ]] && \ die "error: labeled networking test server not specified (LBLNET_SVR_IPV6)" -fi # the local machine -lblnet_loc4_host=$(echo %LOCAL_IPV4% | ./addr_filter.bash) -lblnet_loc6_host=$(echo %LOCAL_IPV6_RAW% | ./addr_filter.bash) +lblnet_loc4_host="$LOCAL_IPV4" +lblnet_loc6_host="$LOCAL_IPV6" + +# the remote machine +lblnet_svr4_host="$LBLNET_SVR_IPV4" +lblnet_svr6_host_raw="$LBLNET_SVR_IPV6" +lblnet_svr6_host="$lblnet_svr6_host_raw" + +# link-local ipv6 addresses +for i in lblnet_svr6_host; do + prefix=$(eval echo \$$i | head -c 4) + [[ "$prefix" == "fe80" ]] && eval $i=\$$i%$LOCAL_DEV + unset prefix +done; case $PPROFILE in lspp) -- 1.7.11.7 |
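Review bot: only `lblnet_svr6_host` is scoped here (`for i in lblnet_svr6_host; do`), so `lblnet_loc6_host="$LOCAL_IPV6"` stays unscoped even when it is fe80, which differs from the netfilter and netfilebt versions of the same loop that scope both local and remote; if the asymmetry is intentional (the old code fed %LOCAL_IPV6_RAW% to addr_filter for the local side) say so in the commit message, otherwise add `lblnet_loc6_host` to the loop. A `for` over one variable plus two evals is more machinery than the task needs; `[[ ${lblnet_svr6_host:0:4} == fe80 ]] && lblnet_svr6_host+="%$LOCAL_DEV"` is equivalent, and like the netfilter patch this path never checks that LOCAL_DEV is non-empty before using it as the scope.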
From: Linda K. <lin...@hp...> - 2013-04-22 18:58:37
|
On 04/19/13 15:01, Jiri Jaburek wrote:
> addr_filter should be used for configuration files and its usage
> here is just to simplify link-local ipv6 address translation,
> which is now done by a simple loop

Ok, re-reading the README files, it's the netfilter tests that require global scope. Do your standard network tests still run with link scope? The README.netwk_svr file specifies, although if someone wants to run the entire suite, they'll have to follow the instructions in README.netfilter.

-- ljk

> > Signed-off-by: Jiri Jaburek <jja...@re...> > --- > audit-test/network/run.conf | 29 +++++++++++++++++------------ > 1 file changed, 17 insertions(+), 12 deletions(-) > > diff --git a/audit-test/network/run.conf b/audit-test/network/run.conf > index d7f2ee1..10eaa4f 100644 > --- a/audit-test/network/run.conf > +++ b/audit-test/network/run.conf 
> @@ -964,24 +964,29 @@ function run_test { > ###################################################################### > > # check the test profile > -[[ -z $PPROFILE ]] && die "error: profile not set (PPROFILE)" > +[[ -z "$PPROFILE" ]] && die "error: profile not set (PPROFILE)" > > # the remote labeled networking host/server > -if [[ -n $LBLNET_SVR_IPV4 ]]; then > - lblnet_svr4_host=$LBLNET_SVR_IPV4 > -else > +[[ -z "$LBLNET_SVR_IPV4" ]] && \ > die "error: labeled networking test server not specified (LBLNET_SVR_IPV4)" > -fi > -if [[ -n $LBLNET_SVR_IPV6 ]]; then > - lblnet_svr6_host=$(echo %REMOTE_IPV6% | ./addr_filter.bash) > - lblnet_svr6_host_raw=$(echo %REMOTE_IPV6_RAW% | ./addr_filter.bash) > -else > +[[ -z "$LBLNET_SVR_IPV6" ]] && \ > die "error: labeled networking test server not specified (LBLNET_SVR_IPV6)" > -fi > > # the local machine > -lblnet_loc4_host=$(echo %LOCAL_IPV4% | ./addr_filter.bash) > -lblnet_loc6_host=$(echo %LOCAL_IPV6_RAW% | ./addr_filter.bash) > +lblnet_loc4_host="$LOCAL_IPV4" > +lblnet_loc6_host="$LOCAL_IPV6" > + > +# the remote machine > +lblnet_svr4_host="$LBLNET_SVR_IPV4" > +lblnet_svr6_host_raw="$LBLNET_SVR_IPV6" > +lblnet_svr6_host="$lblnet_svr6_host_raw" > + > +# link-local ipv6 addresses > +for i in lblnet_svr6_host; do > + prefix=$(eval echo \$$i | head -c 4) > + [[ "$prefix" == "fe80" ]] && eval $i=\$$i%$LOCAL_DEV > + unset prefix > +done; > > case $PPROFILE in > lspp) > |
From: Jiri J. <jja...@re...> - 2013-04-19 19:01:56
Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/network/addr_filter.bash | 35 ++++------------------------------- audit-test/network/addr_loop.bash | 16 +++------------- 2 files changed, 7 insertions(+), 44 deletions(-) diff --git a/audit-test/network/addr_filter.bash b/audit-test/network/addr_filter.bash index cf62a51..a184107 100755 --- a/audit-test/network/addr_filter.bash +++ b/audit-test/network/addr_filter.bash @@ -25,13 +25,11 @@ set -x # main # -unset local_ipv4 remote_ipv4 address_ipv4 +unset local_ipv4 remote_ipv4 unset local_ipv6_if -unset local_ipv6 remote_ipv6 address_ipv6 -unset local_ipv6_raw remote_ipv6_raw address_ipv6_raw - -unset address address_raw +unset local_ipv6 remote_ipv6 +unset local_ipv6_raw remote_ipv6_raw # # get ipv4 addresses @@ -39,7 +37,6 @@ unset address address_raw local_ipv4="$LOCAL_IPV4" remote_ipv4="$LBLNET_SVR_IPV4" -address_ipv4="$ADDRESS_IPV4" # # get ipv6 addresses @@ -51,7 +48,6 @@ local_ipv6_if="$LOCAL_DEV" # raw addresses local_ipv6_raw="$LOCAL_IPV6" remote_ipv6_raw="$LBLNET_SVR_IPV6" -address_ipv6_raw="$ADDRESS_IPV6" # adjust link-local addresses if [[ ${local_ipv6_raw/:*/} == "fe80" ]]; then @@ -68,24 +64,6 @@ else # non link-local, assume global address and just use it remote_ipv6="$remote_ipv6_raw" fi -if [[ ${address_ipv6_raw/:*/} == "fe80" ]]; then - # link-local address, add a scope - address_ipv6="$address_ipv6_raw%$local_ipv6_if" -else - # non link-local, assume global address and just use it - address_ipv6="$address_ipv6_raw" -fi - -# -# generate the generic %ADDRESS[_RAW]% if possible -# - -if [[ -n $address_ipv6 && -z $address_ipv4 ]]; then - address="$address_ipv6" - address_raw="$address_ipv6_raw" -elif [[ -z $address_ipv6 && -n $address_ipv4 ]]; then - address="$address_ipv4" -fi # # do the replacement 
@@ -93,12 +71,7 @@ fi sed "s/%LOCAL_IPV4%/$local_ipv4/g; \ s/%REMOTE_IPV4%/$remote_ipv4/g; \ - s/%ADDRESS_IPV4%/$address_ipv4/g; \ s/%LOCAL_IPV6%/$local_ipv6/g; \ s/%REMOTE_IPV6%/$remote_ipv6/g; \ - s/%ADDRESS_IPV6%/$address_ipv6/g; \ s/%LOCAL_IPV6_RAW%/$local_ipv6_raw/g; \ - s/%REMOTE_IPV6_RAW%/$remote_ipv6_raw/g; \ - s/%ADDRESS_IPV6_RAW%/$address_ipv6_raw/g; \ - s/%ADDRESS%/$address/g; \ - s/%ADDRESS_RAW%/$address_raw/g;" + s/%REMOTE_IPV6_RAW%/$remote_ipv6_raw/g;" diff --git a/audit-test/network/addr_loop.bash b/audit-test/network/addr_loop.bash index df4ca7f..8b6c8ef 100755 --- a/audit-test/network/addr_loop.bash +++ b/audit-test/network/addr_loop.bash @@ -33,15 +33,11 @@ function trim_input { # main # -unset addr_tmpl inet_tmpl +unset inet_tmpl # get the parameters -while getopts "A:L:" arg_param; do +while getopts "L:" arg_param; do case $arg_param in - A) - addr_tmpl=$OPTARG - break - ;; L) inet_tmpl=$OPTARG ;; @@ -51,18 +47,12 @@ done # loop on the addresses for addr_iter in $(trim_input); do - export ADDRESS_IPV4="" export LBLNET_SVR_IPV4="" - export ADDRESS_IPV6="" export LBLNET_SVR_IPV6="" - if [[ -n $addr_tmpl ]]; then - export ADDRESS_IPV4=`echo $addr_iter | cut -d '-' -f 1` - export ADDRESS_IPV6=`echo $addr_iter | cut -d '-' -f 2` - elif [[ -n $inet_tmpl ]]; then + if [[ -n $inet_tmpl ]]; then export LBLNET_SVR_IPV4=`echo $addr_iter | cut -d '-' -f 1` export LBLNET_SVR_IPV6=`echo $addr_iter | cut -d '-' -f 2` fi - [[ -n $addr_tmpl ]] && cat $addr_tmpl | ../addr_filter.bash [[ -n $inet_tmpl ]] && cat $inet_tmpl | ../addr_filter.bash done -- 1.7.11.7 |
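Review bot: in the addr_loop.bash hunk, `if [[ -n $inet_tmpl ]]` and the following `[[ -n $inet_tmpl ]] && cat $inet_tmpl | ../addr_filter.bash` test the same variable twice now that the -A branch is gone; fold the `cat` into the `if` body, or better exit early with a usage message when -L was not given, since the loop otherwise iterates over the whole input and silently does nothing. The addr_filter.bash hunks are a straightforward removal of the unused %ADDRESS*% substitutions and look correct.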
From: Linda K. <lin...@hp...> - 2013-04-22 19:00:50
Looks ok to me. -- ljk On 04/19/13 15:01, Jiri Jaburek wrote: > Signed-off-by: Jiri Jaburek <jja...@re...> > --- > audit-test/network/addr_filter.bash | 35 ++++------------------------------- > audit-test/network/addr_loop.bash | 16 +++------------- > 2 files changed, 7 insertions(+), 44 deletions(-) > > diff --git a/audit-test/network/addr_filter.bash b/audit-test/network/addr_filter.bash > index cf62a51..a184107 100755 > --- a/audit-test/network/addr_filter.bash > +++ b/audit-test/network/addr_filter.bash > @@ -25,13 +25,11 @@ set -x > # main > # > > -unset local_ipv4 remote_ipv4 address_ipv4 > +unset local_ipv4 remote_ipv4 > > unset local_ipv6_if > -unset local_ipv6 remote_ipv6 address_ipv6 > -unset local_ipv6_raw remote_ipv6_raw address_ipv6_raw > - > -unset address address_raw > +unset local_ipv6 remote_ipv6 > +unset local_ipv6_raw remote_ipv6_raw > > # > # get ipv4 addresses > @@ -39,7 +37,6 @@ unset address address_raw > > local_ipv4="$LOCAL_IPV4" > remote_ipv4="$LBLNET_SVR_IPV4" > -address_ipv4="$ADDRESS_IPV4" > > # > # get ipv6 addresses > @@ -51,7 +48,6 @@ local_ipv6_if="$LOCAL_DEV" > # raw addresses > local_ipv6_raw="$LOCAL_IPV6" > remote_ipv6_raw="$LBLNET_SVR_IPV6" > -address_ipv6_raw="$ADDRESS_IPV6" > > # adjust link-local addresses > if [[ ${local_ipv6_raw/:*/} == "fe80" ]]; then 
> @@ -68,24 +64,6 @@ else > # non link-local, assume global address and just use it > remote_ipv6="$remote_ipv6_raw" > fi > -if [[ ${address_ipv6_raw/:*/} == "fe80" ]]; then > - # link-local address, add a scope > - address_ipv6="$address_ipv6_raw%$local_ipv6_if" > -else > - # non link-local, assume global address and just use it > - address_ipv6="$address_ipv6_raw" > -fi > - > -# > -# generate the generic %ADDRESS[_RAW]% if possible > -# > - > -if [[ -n $address_ipv6 && -z $address_ipv4 ]]; then > - address="$address_ipv6" > - address_raw="$address_ipv6_raw" > -elif [[ -z $address_ipv6 && -n $address_ipv4 ]]; then > - address="$address_ipv4" > -fi > > # > # do the replacement > @@ -93,12 +71,7 @@ fi > > sed "s/%LOCAL_IPV4%/$local_ipv4/g; \ > s/%REMOTE_IPV4%/$remote_ipv4/g; \ > - s/%ADDRESS_IPV4%/$address_ipv4/g; \ > s/%LOCAL_IPV6%/$local_ipv6/g; \ > s/%REMOTE_IPV6%/$remote_ipv6/g; \ > - s/%ADDRESS_IPV6%/$address_ipv6/g; \ > s/%LOCAL_IPV6_RAW%/$local_ipv6_raw/g; \ > - s/%REMOTE_IPV6_RAW%/$remote_ipv6_raw/g; \ > - s/%ADDRESS_IPV6_RAW%/$address_ipv6_raw/g; \ > - s/%ADDRESS%/$address/g; \ > - s/%ADDRESS_RAW%/$address_raw/g;" > + s/%REMOTE_IPV6_RAW%/$remote_ipv6_raw/g;" > diff --git a/audit-test/network/addr_loop.bash b/audit-test/network/addr_loop.bash > index df4ca7f..8b6c8ef 100755 > --- a/audit-test/network/addr_loop.bash > +++ b/audit-test/network/addr_loop.bash > @@ -33,15 +33,11 @@ function trim_input { > # main > # > > -unset addr_tmpl inet_tmpl > +unset inet_tmpl > > # get the parameters > -while getopts "A:L:" arg_param; do > +while getopts "L:" arg_param; do > case $arg_param in > - A) > - addr_tmpl=$OPTARG > - break > - ;; > L) > inet_tmpl=$OPTARG > ;; 
> @@ -51,18 +47,12 @@ done > # loop on the addresses > > for addr_iter in $(trim_input); do > - export ADDRESS_IPV4="" > export LBLNET_SVR_IPV4="" > - export ADDRESS_IPV6="" > export LBLNET_SVR_IPV6="" > > - if [[ -n $addr_tmpl ]]; then > - export ADDRESS_IPV4=`echo $addr_iter | cut -d '-' -f 1` > - export ADDRESS_IPV6=`echo $addr_iter | cut -d '-' -f 2` > - elif [[ -n $inet_tmpl ]]; then > + if [[ -n $inet_tmpl ]]; then > export LBLNET_SVR_IPV4=`echo $addr_iter | cut -d '-' -f 1` > export LBLNET_SVR_IPV6=`echo $addr_iter | cut -d '-' -f 2` > fi > - [[ -n $addr_tmpl ]] && cat $addr_tmpl | ../addr_filter.bash > [[ -n $inet_tmpl ]] && cat $inet_tmpl | ../addr_filter.bash > done > |
From: Jiri J. <jja...@re...> - 2013-04-19 19:02:09
Use technique similar to netfilter/netfilebt after cleanups. Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/network/addr_filter.bash | 41 +++++++++++-------------------------- 1 file changed, 12 insertions(+), 29 deletions(-) diff --git a/audit-test/network/addr_filter.bash b/audit-test/network/addr_filter.bash index a184107..8aca399 100755 --- a/audit-test/network/addr_filter.bash +++ b/audit-test/network/addr_filter.bash @@ -25,45 +25,28 @@ set -x # main # +unset local_if unset local_ipv4 remote_ipv4 - -unset local_ipv6_if -unset local_ipv6 remote_ipv6 unset local_ipv6_raw remote_ipv6_raw +unset local_ipv6 remote_ipv6 -# -# get ipv4 addresses -# +local_if="$LOCAL_DEV" local_ipv4="$LOCAL_IPV4" remote_ipv4="$LBLNET_SVR_IPV4" -# -# get ipv6 addresses -# - -# interface/scope -local_ipv6_if="$LOCAL_DEV" - -# raw addresses local_ipv6_raw="$LOCAL_IPV6" remote_ipv6_raw="$LBLNET_SVR_IPV6" -# adjust link-local addresses -if [[ ${local_ipv6_raw/:*/} == "fe80" ]]; then - # link-local address, add a scope - local_ipv6="$local_ipv6_raw%$local_ipv6_if" -else - # non link-local, assume global address and just use it - local_ipv6="$local_ipv6_raw" -fi -if [[ ${remote_ipv6_raw/:*/} == "fe80" ]]; then - # link-local address, add a scope - remote_ipv6="$remote_ipv6_raw%$local_ipv6_if" -else - # non link-local, assume global address and just use it - remote_ipv6="$remote_ipv6_raw" -fi +local_ipv6="$local_ipv6_raw" +remote_ipv6="$remote_ipv6_raw" + +# link-local ipv6 addresses +for i in local_ipv6 remote_ipv6; do + prefix=$(eval echo \$$i | head -c 4) + [[ "$prefix" == "fe80" ]] && eval $i=\$$i%$local_if + unset prefix +done; # # do the replacement -- 1.7.11.7 |
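Review bot: the new loop duplicates the one added to network/run.conf earlier in the series; keep one copy in a sourced helper so the two do not drift apart. Inside it, `eval $i=\$$i%$local_if` re-parses strings taken straight from the environment (LOCAL_IPV6, LBLNET_SVR_IPV6, LOCAL_DEV) as shell code; bash indirection does the same job without that, e.g. `[[ ${!i:0:4} == fe80 ]] && printf -v "$i" '%s%%%s' "${!i}" "$local_if"`. As in the run.conf hunk, a link-local address with an unset LOCAL_DEV ends up as `fe80::...%`; the removed `if` blocks did not check for that either, so this is a good place to add the check.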
From: Linda K. <lin...@hp...> - 2013-04-22 19:01:56
Looks ok to me, although the previous question about link scope applies here. -- ljk On 04/19/13 15:02, Jiri Jaburek wrote: > Use technique similar to netfilter/netfilebt after cleanups. > > Signed-off-by: Jiri Jaburek <jja...@re...> > --- > audit-test/network/addr_filter.bash | 41 +++++++++++-------------------------- > 1 file changed, 12 insertions(+), 29 deletions(-) > > diff --git a/audit-test/network/addr_filter.bash b/audit-test/network/addr_filter.bash > index a184107..8aca399 100755 > --- a/audit-test/network/addr_filter.bash > +++ b/audit-test/network/addr_filter.bash > @@ -25,45 +25,28 @@ set -x > # main > # > > +unset local_if > unset local_ipv4 remote_ipv4 > - > -unset local_ipv6_if > -unset local_ipv6 remote_ipv6 > unset local_ipv6_raw remote_ipv6_raw > +unset local_ipv6 remote_ipv6 > > -# > -# get ipv4 addresses > -# > +local_if="$LOCAL_DEV" > > local_ipv4="$LOCAL_IPV4" > remote_ipv4="$LBLNET_SVR_IPV4" > > -# > -# get ipv6 addresses > -# > - > -# interface/scope > -local_ipv6_if="$LOCAL_DEV" > - > -# raw addresses > local_ipv6_raw="$LOCAL_IPV6" > remote_ipv6_raw="$LBLNET_SVR_IPV6" > > -# adjust link-local addresses > -if [[ ${local_ipv6_raw/:*/} == "fe80" ]]; then > - # link-local address, add a scope > - local_ipv6="$local_ipv6_raw%$local_ipv6_if" > -else > - # non link-local, assume global address and just use it > - local_ipv6="$local_ipv6_raw" > -fi > -if [[ ${remote_ipv6_raw/:*/} == "fe80" ]]; then > - # link-local address, add a scope > - remote_ipv6="$remote_ipv6_raw%$local_ipv6_if" > -else > - # non link-local, assume global address and just use it > - remote_ipv6="$remote_ipv6_raw" > -fi > +local_ipv6="$local_ipv6_raw" > +remote_ipv6="$remote_ipv6_raw" > + > +# link-local ipv6 addresses > +for i in local_ipv6 remote_ipv6; do > + prefix=$(eval echo \$$i | head -c 4) > + [[ "$prefix" == "fe80" ]] && eval $i=\$$i%$local_if > + unset prefix > +done; > > # > # do the replacement > |
From: Jiri J. <jja...@re...> - 2013-04-19 19:02:21
Since both are now used only for config file %VAR% replacement, it makes more sense to keep them with the config files. Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/network/system/Makefile | 12 ++++++------ audit-test/network/{ => system}/addr_filter.bash | 0 audit-test/network/{ => system}/addr_loop.bash | 2 +- 3 files changed, 7 insertions(+), 7 deletions(-) rename audit-test/network/{ => system}/addr_filter.bash (100%) rename audit-test/network/{ => system}/addr_loop.bash (95%) diff --git a/audit-test/network/system/Makefile b/audit-test/network/system/Makefile index ff2285a..cf5d29a 100644 --- a/audit-test/network/system/Makefile +++ b/audit-test/network/system/Makefile @@ -30,11 +30,11 @@ install: install_client # helper target to get local addresses getaddress: install_check - @echo "Local IPv4 address -> %LOCAL_IPV4%" | ../addr_filter.bash - @echo "Local IPv6 address -> %LOCAL_IPV6_RAW%" | ../addr_filter.bash + @echo "Local IPv4 address -> %LOCAL_IPV4%" | ./addr_filter.bash + @echo "Local IPv6 address -> %LOCAL_IPV6_RAW%" | ./addr_filter.bash install_client: install_setrans install_ipsec_client install_netlabel - cat rc.local.client | ../addr_filter.bash > rc.local + cat rc.local.client | ./addr_filter.bash > rc.local install -o root -g root -m 755 rc.local /etc/rc.d if [[ ! -L /etc/rc3.d/S99local ]]; then \ (cd /etc/rc3.d; ln -s ../rc.local S99local); \ @@ -47,7 +47,7 @@ install_server: install_setrans install_ipsec_server install_netlabel exit 1; \ fi cat rc.local.server.in_header > rc.local - cat client_list.txt | ../addr_loop.bash -L rc.local.server.in_body >> rc.local + cat client_list.txt | ./addr_loop.bash -L rc.local.server.in_body >> rc.local cat rc.local.server.in_footer >> rc.local install -o root -g root -m 755 rc.local /etc/rc.d if [[ ! -L /etc/rc3.d/S99local ]]; then \ 
@@ -77,7 +77,7 @@ install_netlabel: chkconfig netlabel on install_ipsec_client: install_check - cat ipsec.conf.client | ../addr_filter.bash > ipsec.conf + cat ipsec.conf.client | ./addr_filter.bash > ipsec.conf install -o root -g root -m 600 ipsec.conf /etc/ipsec.conf install -o root -g root -m 600 ipsec.secrets /etc/ipsec.secrets @@ -87,6 +87,6 @@ install_ipsec_server: exit 1; \ fi cat ipsec.conf.server.in_header > ipsec.conf - cat client_list.txt | ../addr_loop.bash -L ipsec.conf.server.in_body >> ipsec.conf + cat client_list.txt | ./addr_loop.bash -L ipsec.conf.server.in_body >> ipsec.conf install -o root -g root -m 600 ipsec.conf /etc/ipsec.conf install -o root -g root -m 600 ipsec.secrets /etc/ipsec.secrets diff --git a/audit-test/network/addr_filter.bash b/audit-test/network/system/addr_filter.bash similarity index 100% rename from audit-test/network/addr_filter.bash rename to audit-test/network/system/addr_filter.bash diff --git a/audit-test/network/addr_loop.bash b/audit-test/network/system/addr_loop.bash similarity index 95% rename from audit-test/network/addr_loop.bash rename to audit-test/network/system/addr_loop.bash index 8b6c8ef..fa0789c 100755 --- a/audit-test/network/addr_loop.bash +++ b/audit-test/network/system/addr_loop.bash @@ -54,5 +54,5 @@ for addr_iter in $(trim_input); do export LBLNET_SVR_IPV4=`echo $addr_iter | cut -d '-' -f 1` export LBLNET_SVR_IPV6=`echo $addr_iter | cut -d '-' -f 2` fi - [[ -n $inet_tmpl ]] && cat $inet_tmpl | ../addr_filter.bash + [[ -n $inet_tmpl ]] && cat $inet_tmpl | ./addr_filter.bash done -- 1.7.11.7 |
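Review bot: after the move, the addr_loop.bash hunk still invokes `./addr_filter.bash` relative to the current working directory, so it only works when called from network/system, as the Makefile does; `"$(dirname "$0")/addr_filter.bash"` would make the script location-independent and is a one-line change while these paths are being touched anyway. The Makefile path updates are consistent with the rename.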
From: Linda K. <lin...@hp...> - 2013-04-22 19:04:27
Ok, -- ljk On 04/19/13 15:02, Jiri Jaburek wrote: > Since both are now used only for config file %VAR% replacement, > it makes more sense to keep them with the config files. > > Signed-off-by: Jiri Jaburek <jja...@re...> > --- > audit-test/network/system/Makefile | 12 ++++++------ > audit-test/network/{ => system}/addr_filter.bash | 0 > audit-test/network/{ => system}/addr_loop.bash | 2 +- > 3 files changed, 7 insertions(+), 7 deletions(-) > rename audit-test/network/{ => system}/addr_filter.bash (100%) > rename audit-test/network/{ => system}/addr_loop.bash (95%) > > diff --git a/audit-test/network/system/Makefile b/audit-test/network/system/Makefile > index ff2285a..cf5d29a 100644 > --- a/audit-test/network/system/Makefile > +++ b/audit-test/network/system/Makefile > @@ -30,11 +30,11 @@ install: install_client > > # helper target to get local addresses > getaddress: install_check > - @echo "Local IPv4 address -> %LOCAL_IPV4%" | ../addr_filter.bash > - @echo "Local IPv6 address -> %LOCAL_IPV6_RAW%" | ../addr_filter.bash > + @echo "Local IPv4 address -> %LOCAL_IPV4%" | ./addr_filter.bash > + @echo "Local IPv6 address -> %LOCAL_IPV6_RAW%" | ./addr_filter.bash > > install_client: install_setrans install_ipsec_client install_netlabel > - cat rc.local.client | ../addr_filter.bash > rc.local > + cat rc.local.client | ./addr_filter.bash > rc.local > install -o root -g root -m 755 rc.local /etc/rc.d > if [[ ! -L /etc/rc3.d/S99local ]]; then \ > (cd /etc/rc3.d; ln -s ../rc.local S99local); \ > @@ -47,7 +47,7 @@ install_server: install_setrans install_ipsec_server install_netlabel > exit 1; \ > fi > cat rc.local.server.in_header > rc.local > - cat client_list.txt | ../addr_loop.bash -L rc.local.server.in_body >> rc.local > + cat client_list.txt | ./addr_loop.bash -L rc.local.server.in_body >> rc.local > cat rc.local.server.in_footer >> rc.local > install -o root -g root -m 755 rc.local /etc/rc.d > if [[ ! -L /etc/rc3.d/S99local ]]; then \ 
> @@ -77,7 +77,7 @@ install_netlabel: > chkconfig netlabel on > > install_ipsec_client: install_check > - cat ipsec.conf.client | ../addr_filter.bash > ipsec.conf > + cat ipsec.conf.client | ./addr_filter.bash > ipsec.conf > install -o root -g root -m 600 ipsec.conf /etc/ipsec.conf > install -o root -g root -m 600 ipsec.secrets /etc/ipsec.secrets > > @@ -87,6 +87,6 @@ install_ipsec_server: > exit 1; \ > fi > cat ipsec.conf.server.in_header > ipsec.conf > - cat client_list.txt | ../addr_loop.bash -L ipsec.conf.server.in_body >> ipsec.conf > + cat client_list.txt | ./addr_loop.bash -L ipsec.conf.server.in_body >> ipsec.conf > install -o root -g root -m 600 ipsec.conf /etc/ipsec.conf > install -o root -g root -m 600 ipsec.secrets /etc/ipsec.secrets > diff --git a/audit-test/network/addr_filter.bash b/audit-test/network/system/addr_filter.bash > similarity index 100% > rename from audit-test/network/addr_filter.bash > rename to audit-test/network/system/addr_filter.bash > diff --git a/audit-test/network/addr_loop.bash b/audit-test/network/system/addr_loop.bash > similarity index 95% > rename from audit-test/network/addr_loop.bash > rename to audit-test/network/system/addr_loop.bash > index 8b6c8ef..fa0789c 100755 > --- a/audit-test/network/addr_loop.bash > +++ b/audit-test/network/system/addr_loop.bash > @@ -54,5 +54,5 @@ for addr_iter in $(trim_input); do > export LBLNET_SVR_IPV4=`echo $addr_iter | cut -d '-' -f 1` > export LBLNET_SVR_IPV6=`echo $addr_iter | cut -d '-' -f 2` > fi > - [[ -n $inet_tmpl ]] && cat $inet_tmpl | ../addr_filter.bash > + [[ -n $inet_tmpl ]] && cat $inet_tmpl | ./addr_filter.bash > done > |
From: Jiri J. <jja...@re...> - 2013-04-19 19:02:34
The original addr_loop code fills in LBLNET_SVR_IPV[46] with IP addresses of the TOE(s) just so it can refer to NS as "local" and TOE as "remote" from the NS's point of view. This would be common in general networking, but with variables like LOCAL_IPV4 and LBLNET_SVR_IPV4, the rest of the suite refers to TOE as "local" and NS as "remote", making this piece of code very confusing.

This also confused the author of commit 2f8f277; the code

  local_ipv4="$(get_ipv4_addr)"
  remote_ipv4="$LBLNET_SVR_IPV4"

looked innocent enough (in the context explained above), but since remote_ipv4 contained TOE addresses from client_list.txt, local_ipv4 had to hold the address of the NS, retrieved here from "ip addr". Commit 2f8f277 breaks this, because it assumes that local_ipv4 is always local to TOE.

The original code didn't even work without having LBLNET_PREFIX_IPV6 already exported in the current shell (as enforced by install_check_server, which is now removed), which is where addr_filter got local_ipv6 from on the NS.

This commit therefore swaps local/remote in addr_loop and config files, so that "local" is always TOE-side and "remote" is always NS-side.

Since the "ip addr" is no longer used (it had its own problems, described in commit msg of 2f8f277), the address of the NS has to be retrieved from elsewhere. Since the user is responsible for assigning IP addresses to interfaces and since there's no reliable way of getting the desired address (any interface can have multiple addresses), the user has to set the addresses manually, hence the README change. These addresses need to be available during install_server, so the profile.bash sourcing has been added.

Signed-off-by: Jiri Jaburek <jja...@re...>
---
 audit-test/README.netwk_svr | 29 +++++++++----
 audit-test/network/system/addr_loop.bash | 8 ++--
 .../network/system/ipsec.conf.server.in_body | 48 +++++++++++-----------
 3 files changed, 48 insertions(+), 37 deletions(-)
diff --git a/audit-test/README.netwk_svr b/audit-test/README.netwk_svr index b223162..053bce7 100644 --- a/audit-test/README.netwk_svr +++ b/audit-test/README.netwk_svr @@ -19,6 +19,24 @@ Build and install the lblnet_tst_server daemon as shown below: # make -C /usr/local/eal4_testing/audit-test/utils/network-server # make -C /usr/local/eal4_testing/audit-test/utils/network-server install + +Create a file /usr/local/eal4_testing/audit-test/profile.bash with +exported PASSWD variable with password for administrative user (should +match also a password for root). This is required for restarting auditd +service by lblnet_tst_server over xinetd on NS for audit-remote tests, +and LBLNET_SVR_IPV4, LBLNET_SVR_IPV6 variables with IP addresses that +should be used on NS, ie.: + +# cat > /usr/local/eal4_testing/audit-test/profile.bash <<EOF +export PASSWD=<eal/root password> +export LBLNET_SVR_IPV4=10.0.0.1 +export LBLNET_SVR_IPV6=fd00::1 +EOF + +Source the profile.bash file, exporting the variables in the current shell: + +# . /usr/local/eal4_testing/audit-test/profile.bash + Configure the server with the client IP address information. Create a file, @@ -43,16 +61,9 @@ below: # make -C /usr/local/eal4_testing/audit-test/network/system install_server -NOTE: The client address file must be updated and the above step -must be ru-run whenever a TOE's IP address changes. - -Create a file /usr/local/eal4_testing/audit-test/profile.bash with -exported PASSWD variable with password for administrative user (should -match also a password for root). This is required for restarting auditd -service by lblnet_tst_server over xinetd on NS for audit-remote tests, ie.: +NOTE: Whenever TOE's IP address changes, the steps above need to be re-done +(sourcing profile.bash, editing client_list.txt and performing install_server). -# echo 'export PASSWD=<eal/root password>' > \ - /usr/local/eal4_testing/audit-test/profile.bash Reboot the network test server or run the following commands: 
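Review bot: the profile.bash written in the first README hunk holds the root/eal password, but the `cat > ... <<EOF` example leaves the file with whatever the umask gives it; add a `chmod 600 /usr/local/eal4_testing/audit-test/profile.bash` line to the example or a sentence saying the file must not be readable by other users. The same profile lists only PASSWD, LBLNET_SVR_IPV4 and LBLNET_SVR_IPV6, yet addr_filter.bash (earlier in this series) appends `%$LOCAL_DEV` to any fe80 address it substitutes, so a link-local TOE address in client_list.txt would be rendered with an empty scope on the NS; either document LOCAL_DEV for the NS profile or state that client_list.txt must contain global-scope addresses. Minor: "ie.:" should read "i.e.:".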
diff --git a/audit-test/network/system/addr_loop.bash b/audit-test/network/system/addr_loop.bash index fa0789c..9490a34 100755 --- a/audit-test/network/system/addr_loop.bash +++ b/audit-test/network/system/addr_loop.bash @@ -47,12 +47,12 @@ done # loop on the addresses for addr_iter in $(trim_input); do - export LBLNET_SVR_IPV4="" - export LBLNET_SVR_IPV6="" + export LOCAL_IPV4="" + export LOCAL_IPV6="" if [[ -n $inet_tmpl ]]; then - export LBLNET_SVR_IPV4=`echo $addr_iter | cut -d '-' -f 1` - export LBLNET_SVR_IPV6=`echo $addr_iter | cut -d '-' -f 2` + export LOCAL_IPV4=`echo $addr_iter | cut -d '-' -f 1` + export LOCAL_IPV6=`echo $addr_iter | cut -d '-' -f 2` fi [[ -n $inet_tmpl ]] && cat $inet_tmpl | ./addr_filter.bash done diff --git a/audit-test/network/system/ipsec.conf.server.in_body b/audit-test/network/system/ipsec.conf.server.in_body index 9cfd6b5..aab95ba 100644 --- a/audit-test/network/system/ipsec.conf.server.in_body +++ b/audit-test/network/system/ipsec.conf.server.in_body @@ -1,10 +1,10 @@ -conn test2-1-%REMOTE_IPV4% +conn test2-1-%LOCAL_IPV4% auto=route rekey=no authby=secret type=transport - left=%REMOTE_IPV4% - right=%LOCAL_IPV4% + left=%LOCAL_IPV4% + right=%REMOTE_IPV4% ike=3des-sha1 phase2=ah phase2alg=sha1 @@ -13,13 +13,13 @@ conn test2-1-%REMOTE_IPV4% leftprotoport=tcp rightprotoport=tcp/4300 -conn test2-2-%REMOTE_IPV4% +conn test2-2-%LOCAL_IPV4% auto=route rekey=no authby=secret type=transport - left=%REMOTE_IPV4% - right=%LOCAL_IPV4% + left=%LOCAL_IPV4% + right=%REMOTE_IPV4% ike=3des-sha1 phase2=ah phase2alg=sha1 @@ -28,14 +28,14 @@ conn test2-2-%REMOTE_IPV4% leftprotoport=tcp/4300 rightprotoport=tcp -conn test2-1-%REMOTE_IPV6% +conn test2-1-%LOCAL_IPV6% auto=route rekey=no connaddrfamily=ipv6 authby=secret type=transport - left=%REMOTE_IPV6% - right=%LOCAL_IPV6% + left=%LOCAL_IPV6% + right=%REMOTE_IPV6% ike=3des-sha1 phase2=ah phase2alg=sha1 
@@ -44,14 +44,14 @@ conn test2-1-%REMOTE_IPV6% leftprotoport=tcp/4300 rightprotoport=tcp -conn test2-2-%REMOTE_IPV6% +conn test2-2-%LOCAL_IPV6% auto=route rekey=no connaddrfamily=ipv6 authby=secret type=transport - left=%REMOTE_IPV6% - right=%LOCAL_IPV6% + left=%LOCAL_IPV6% + right=%REMOTE_IPV6% ike=3des-sha1 phase2=ah phase2alg=sha1 @@ -60,13 +60,13 @@ conn test2-2-%REMOTE_IPV6% leftprotoport=tcp rightprotoport=tcp/4300 -conn test4-1-%REMOTE_IPV4% +conn test4-1-%LOCAL_IPV4% auto=route rekey=no authby=secret type=transport - left=%REMOTE_IPV4% - right=%LOCAL_IPV4% + left=%LOCAL_IPV4% + right=%REMOTE_IPV4% ike=3des-sha1 phase2=ah phase2alg=sha1 @@ -75,13 +75,13 @@ conn test4-1-%REMOTE_IPV4% leftprotoport=udp rightprotoport=udp/4300 -conn test4-2-%REMOTE_IPV4% +conn test4-2-%LOCAL_IPV4% auto=route rekey=no authby=secret type=transport - left=%REMOTE_IPV4% - right=%LOCAL_IPV4% + left=%LOCAL_IPV4% + right=%REMOTE_IPV4% ike=3des-sha1 phase2=ah phase2alg=sha1 @@ -90,14 +90,14 @@ conn test4-2-%REMOTE_IPV4% leftprotoport=udp/4300 rightprotoport=udp -conn test4-1-%REMOTE_IPV6% +conn test4-1-%LOCAL_IPV6% auto=route rekey=no connaddrfamily=ipv6 authby=secret type=transport - left=%REMOTE_IPV6% - right=%LOCAL_IPV6% + left=%LOCAL_IPV6% + right=%REMOTE_IPV6% ike=3des-sha1 phase2=ah phase2alg=sha1 @@ -106,14 +106,14 @@ conn test4-1-%REMOTE_IPV6% leftprotoport=udp rightprotoport=udp/4300 -conn test4-2-%REMOTE_IPV6% +conn test4-2-%LOCAL_IPV6% auto=route rekey=no connaddrfamily=ipv6 authby=secret type=transport - left=%REMOTE_IPV6% - right=%LOCAL_IPV6% + left=%LOCAL_IPV6% + right=%REMOTE_IPV6% ike=3des-sha1 phase2=ah phase2alg=sha1 -- 1.7.11.7 |
From: Jiri J. <jja...@re...> - 2013-04-19 19:02:47
Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/network/system/Makefile | 4 ++-- audit-test/network/system/addr_loop.bash | 41 +++++--------------------------- 2 files changed, 8 insertions(+), 37 deletions(-) diff --git a/audit-test/network/system/Makefile b/audit-test/network/system/Makefile index cf5d29a..e6b7944 100644 --- a/audit-test/network/system/Makefile +++ b/audit-test/network/system/Makefile @@ -47,7 +47,7 @@ install_server: install_setrans install_ipsec_server install_netlabel exit 1; \ fi cat rc.local.server.in_header > rc.local - cat client_list.txt | ./addr_loop.bash -L rc.local.server.in_body >> rc.local + cat client_list.txt | ./addr_loop.bash rc.local.server.in_body >> rc.local cat rc.local.server.in_footer >> rc.local install -o root -g root -m 755 rc.local /etc/rc.d if [[ ! -L /etc/rc3.d/S99local ]]; then \ @@ -87,6 +87,6 @@ install_ipsec_server: exit 1; \ fi cat ipsec.conf.server.in_header > ipsec.conf - cat client_list.txt | ./addr_loop.bash -L ipsec.conf.server.in_body >> ipsec.conf + cat client_list.txt | ./addr_loop.bash ipsec.conf.server.in_body >> ipsec.conf install -o root -g root -m 600 ipsec.conf /etc/ipsec.conf install -o root -g root -m 600 ipsec.secrets /etc/ipsec.secrets diff --git a/audit-test/network/system/addr_loop.bash b/audit-test/network/system/addr_loop.bash index 9490a34..f91cd06 100755 --- a/audit-test/network/system/addr_loop.bash +++ b/audit-test/network/system/addr_loop.bash 
@@ -19,40 +19,11 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. ############################################################################### -#### -# -# helper functions -# - -function trim_input { - sed -e 's/[ \t]*#.*//;/^$/d' -e 's/ /-/g' -} - -#### -# -# main -# - -unset inet_tmpl - -# get the parameters -while getopts "L:" arg_param; do - case $arg_param in - L) - inet_tmpl=$OPTARG - ;; - esac -done - -# loop on the addresses - -for addr_iter in $(trim_input); do - export LOCAL_IPV4="" - export LOCAL_IPV6="" +[ $# -lt 1 -o -z "$1" ] && exit 1 +template="$1" - if [[ -n $inet_tmpl ]]; then - export LOCAL_IPV4=`echo $addr_iter | cut -d '-' -f 1` - export LOCAL_IPV6=`echo $addr_iter | cut -d '-' -f 2` - fi - [[ -n $inet_tmpl ]] && cat $inet_tmpl | ./addr_filter.bash +for addr_iter in $(sed 's/[ \t]*#.*//;/^$/d;s/ /-/'); do + export LOCAL_IPV4=`echo $addr_iter | cut -d '-' -f 1` + export LOCAL_IPV6=`echo $addr_iter | cut -d '-' -f 2` + cat "$template" | ./addr_filter.bash done -- 1.7.11.7 |
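Review bot: the `+` lines parse client_list.txt with `sed 's/[ \t]*#.*//;/^$/d;s/ /-/'` and then let the unquoted `$(...)` word-split the result, so a line with two spaces between the addresses (e.g. `10.0.0.2  fd00::2`) becomes `10.0.0.2-` and `fd00::2` as separate iterations, and a line carrying only an IPv4 address makes `cut -d '-' -f 2` return the whole line, silently setting LOCAL_IPV6 to the IPv4 address (cut prints delimiter-less lines unless `-s` is given). Reading the stripped input with `while read -r LOCAL_IPV4 LOCAL_IPV6 _; do ... done` avoids both cases and the two `cut` subshells. Also, `[ $# -lt 1 -o -z "$1" ] && exit 1` exits without a message and does not check that "$template" is readable; `[[ -r $1 ]] || { echo "usage: $0 template" >&2; exit 1; }` covers both, and `./addr_filter.bash < "$template"` drops the needless cat.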
From: Jiri J. <jja...@re...> - 2013-04-19 19:02:59
Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/README.netfilter | 4 ---- audit-test/netfilebt/run.conf | 2 +- audit-test/utils/netfilter/config-server.bash | 10 ---------- audit-test/utils/netfilter/profile.sample | 1 - 4 files changed, 1 insertion(+), 16 deletions(-) diff --git a/audit-test/README.netfilter b/audit-test/README.netfilter index 9308568..97daeb6 100644 --- a/audit-test/README.netfilter +++ b/audit-test/README.netfilter @@ -141,9 +141,6 @@ PASSWD The root/eal password for the TOE PATH "$PATH:." The PATH should include the local directory -AUDITPATH Usually "/usr/local/eal4_testing/audit-test", the - recommended location for installing the test suite - LOCAL_DEV Device for the TOE primary network, such as "eth3" LOCAL_SEC_DEV Device for the TOE secondary network, such as "eth4" @@ -206,7 +203,6 @@ export MODE=64 export PPROFILE=lspp export PATH="$PATH:." export PASSWD="redhat" -export AUDITPATH=/usr/local/eal4_testing/audit-test export LOCAL_DEV="eth3" export LOCAL_SEC_DEV="eth4" export LOCAL_SEC_MAC="78:2B:CB:4B:EB:BC" diff --git a/audit-test/netfilebt/run.conf b/audit-test/netfilebt/run.conf index 85a1958..5b0cf58 100644 --- a/audit-test/netfilebt/run.conf +++ b/audit-test/netfilebt/run.conf @@ -569,7 +569,7 @@ function run_test { shift eval "$(parse_named "$@")" || exit_error - source $AUDITPATH/netfilebt/netfilebt_functions.bash || exit_error + source netfilebt_functions.bash || exit_error if [[ tnum -eq 41 ]]; then ./testperm.bash diff --git a/audit-test/utils/netfilter/config-server.bash b/audit-test/utils/netfilter/config-server.bash index 7f40a6b..e28bab9 100755 --- a/audit-test/utils/netfilter/config-server.bash +++ b/audit-test/utils/netfilter/config-server.bash 
@@ -91,15 +91,6 @@ PASSWD="$(ask "Superuser passwword")" echo "export PASSWD=$PASSWD" >> ./profile.$hostext echo "" -echo "The directory path to audit-test requested below is for the toe" -echo "the directory path to audit-test on the netserver should be the same" -echo "If the path on the netserver is different you will need to manually" -echo "edit the AUDITPATH environmental variable in the /tmp/profile file" -echo "on the netserver after the profile is copied to the netserver's /tmp" -echo "directory to reflect the correct path to the audit-tests directory" -echo "" - -AUDITPATH="$(ask "Directory path of audit-test (include audit-test)" "$AUDITPATH")" LOCAL_DEV="$(ask "Primary network device name of TOE" "$LOCAL_DEV")" LOCAL_SEC_DEV="$(ask "Secondary network device name of TOE" "$LOCAL_SEC_DEV")" LOCAL_SEC_MAC="$(ask "Secondary device mac address of TOE (mac/mask)" "$LOCAL_SEC_MAC")" @@ -108,7 +99,6 @@ LOCAL_IPV6="$(ask "IPV6 address of TOE primary device" "$LOCAL_IPV6")" LOCAL_SEC_IPV4="$(ask "IPV4 address of TOE secondary device" "$LOCAL_SEC_IPV4")" LOCAL_SEC_IPV6="$(ask "IPV6 address of TOE secondary device" "$LOCAL_SEC_IPV6")" -echo "export AUDITPATH=\"$AUDITPATH\"" >> ./profile.$hostext echo "export LOCAL_DEV=\"$LOCAL_DEV\"" >> ./profile.$hostext echo "export LOCAL_SEC_DEV=\"$LOCAL_SEC_DEV\"" >> ./profile.$hostext echo "export LOCAL_SEC_MAC=\"$LOCAL_SEC_MAC\"" >> ./profile.$hostext diff --git a/audit-test/utils/netfilter/profile.sample b/audit-test/utils/netfilter/profile.sample index ba749b1..5c86843 100644 --- a/audit-test/utils/netfilter/profile.sample +++ b/audit-test/utils/netfilter/profile.sample @@ -6,7 +6,6 @@ export MODE=64 export PPROFILE=lspp export PATH="$PATH:." export PASSWD="redhat" -export AUDITPATH="/usr/local/eal4_testing/audit-test" export LOCAL_DEV="eth3" export LOCAL_SEC_DEV="eth4" export LOCAL_SEC_MAC="78:2B:CB:4B:EB:BC" -- 1.7.11.7 |
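Review bot: in the netfilebt/run.conf hunk, `source netfilebt_functions.bash` with a bare filename makes bash look the file up along PATH first and only fall back to the current directory if nothing is found, and the README.netfilter profile in this same patch puts "." at the end of PATH; a same-named file in any writable directory earlier in PATH would be sourced instead of the test helper. `source ./netfilebt_functions.bash` pins it to the test directory, which is what `$AUDITPATH/netfilebt/...` effectively did. The AUDITPATH removals in README.netfilter, config-server.bash and profile.sample are consistent with each other.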
From: Linda K. <lin...@hp...> - 2013-04-22 20:14:52
I would normally complain about removing a configuration option but this one is a bit silly since there are other places in the suite that assume the location of the test suite, such as the lspp_test.fc part of the SELinux test policy. Just changing AUDITPATH wouldn't be enough if you really wanted to change the location of the tests. -- ljk On 04/19/13 15:02, Jiri Jaburek wrote: > Signed-off-by: Jiri Jaburek <jja...@re...> > --- > audit-test/README.netfilter | 4 ---- > audit-test/netfilebt/run.conf | 2 +- > audit-test/utils/netfilter/config-server.bash | 10 ---------- > audit-test/utils/netfilter/profile.sample | 1 - > 4 files changed, 1 insertion(+), 16 deletions(-) > > diff --git a/audit-test/README.netfilter b/audit-test/README.netfilter > index 9308568..97daeb6 100644 > --- a/audit-test/README.netfilter > +++ b/audit-test/README.netfilter > @@ -141,9 +141,6 @@ PASSWD The root/eal password for the TOE > > PATH "$PATH:." The PATH should include the local directory > > -AUDITPATH Usually "/usr/local/eal4_testing/audit-test", the > - recommended location for installing the test suite > - > LOCAL_DEV Device for the TOE primary network, such as "eth3" > > LOCAL_SEC_DEV Device for the TOE secondary network, such as "eth4" > @@ -206,7 +203,6 @@ export MODE=64 > export PPROFILE=lspp > export PATH="$PATH:." > export PASSWD="redhat" > -export AUDITPATH=/usr/local/eal4_testing/audit-test > export LOCAL_DEV="eth3" > export LOCAL_SEC_DEV="eth4" > export LOCAL_SEC_MAC="78:2B:CB:4B:EB:BC" > diff --git a/audit-test/netfilebt/run.conf b/audit-test/netfilebt/run.conf > index 85a1958..5b0cf58 100644 > --- a/audit-test/netfilebt/run.conf > +++ b/audit-test/netfilebt/run.conf > @@ -569,7 +569,7 @@ function run_test { > shift > eval "$(parse_named "$@")" || exit_error > > - source $AUDITPATH/netfilebt/netfilebt_functions.bash || exit_error > + source netfilebt_functions.bash || exit_error > > if [[ tnum -eq 41 ]]; then > ./testperm.bash 
> diff --git a/audit-test/utils/netfilter/config-server.bash b/audit-test/utils/netfilter/config-server.bash > index 7f40a6b..e28bab9 100755 > --- a/audit-test/utils/netfilter/config-server.bash > +++ b/audit-test/utils/netfilter/config-server.bash > @@ -91,15 +91,6 @@ PASSWD="$(ask "Superuser passwword")" > echo "export PASSWD=$PASSWD" >> ./profile.$hostext > echo "" > > -echo "The directory path to audit-test requested below is for the toe" > -echo "the directory path to audit-test on the netserver should be the same" > -echo "If the path on the netserver is different you will need to manually" > -echo "edit the AUDITPATH environmental variable in the /tmp/profile file" > -echo "on the netserver after the profile is copied to the netserver's /tmp" > -echo "directory to reflect the correct path to the audit-tests directory" > -echo "" > - > -AUDITPATH="$(ask "Directory path of audit-test (include audit-test)" "$AUDITPATH")" > LOCAL_DEV="$(ask "Primary network device name of TOE" "$LOCAL_DEV")" > LOCAL_SEC_DEV="$(ask "Secondary network device name of TOE" "$LOCAL_SEC_DEV")" > LOCAL_SEC_MAC="$(ask "Secondary device mac address of TOE (mac/mask)" "$LOCAL_SEC_MAC")" > @@ -108,7 +99,6 @@ LOCAL_IPV6="$(ask "IPV6 address of TOE primary device" "$LOCAL_IPV6")" > LOCAL_SEC_IPV4="$(ask "IPV4 address of TOE secondary device" "$LOCAL_SEC_IPV4")" > LOCAL_SEC_IPV6="$(ask "IPV6 address of TOE secondary device" "$LOCAL_SEC_IPV6")" > > -echo "export AUDITPATH=\"$AUDITPATH\"" >> ./profile.$hostext > echo "export LOCAL_DEV=\"$LOCAL_DEV\"" >> ./profile.$hostext > echo "export LOCAL_SEC_DEV=\"$LOCAL_SEC_DEV\"" >> ./profile.$hostext > echo "export LOCAL_SEC_MAC=\"$LOCAL_SEC_MAC\"" >> ./profile.$hostext > diff --git a/audit-test/utils/netfilter/profile.sample b/audit-test/utils/netfilter/profile.sample > index ba749b1..5c86843 100644 > --- a/audit-test/utils/netfilter/profile.sample > +++ b/audit-test/utils/netfilter/profile.sample 
> @@ -6,7 +6,6 @@ export MODE=64 > export PPROFILE=lspp > export PATH="$PATH:." > export PASSWD="redhat" > -export AUDITPATH="/usr/local/eal4_testing/audit-test" > export LOCAL_DEV="eth3" > export LOCAL_SEC_DEV="eth4" > export LOCAL_SEC_MAC="78:2B:CB:4B:EB:BC" > |
From: Jiri J. <jja...@re...> - 2013-04-19 19:03:11
The audit-test suite doesn't use them and the LTP suite exports them on its own based on context (ie. "localhost" or hostname) when unset, so it doesn't *require* the variables to be set. Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/README.netfilter | 6 ------ audit-test/README.run | 6 ------ ltp/Makefile | 2 +- 3 files changed, 1 insertion(+), 13 deletions(-) diff --git a/audit-test/README.netfilter b/audit-test/README.netfilter index 97daeb6..5c6bac2 100644 --- a/audit-test/README.netfilter +++ b/audit-test/README.netfilter @@ -127,10 +127,6 @@ as well as an explanation of what they are. Variable Description -------- -------------------------------------------------- -RHOST Always "localhost", the loopback for IPv4 - -RHOST6 Always "::1", the loopback for IPv6 - MODE Usually 64 but could be 32 if the TOE is running a 32-bit OS @@ -197,8 +193,6 @@ of all configuration environment variables you need to successfully run the all tests in the suite. Also be aware you need to adjust correctly according to your configuration: -export RHOST="localhost" -export RHOST6="::1" export MODE=64 export PPROFILE=lspp export PATH="$PATH:." diff --git a/audit-test/README.run b/audit-test/README.run index 9ff1894..04e4cb3 100644 --- a/audit-test/README.run +++ b/audit-test/README.run @@ -206,8 +206,6 @@ On the test machine: From the /usr/local/eal4_testing/audit-test directory, perform the following commands to setup the required configuration for the labeled networking tests: -# export RHOST="localhost" -# export RHOST6="::1" # export LBLNET_SVR_IPV4="<local network test server IPV4 address>" # export LBLNET_SVR_IPV6="<local network test server IPV6 address>" # export PATH="$PATH:." 
@@ -259,8 +257,6 @@ Otherwise, make sure that the labeled networking tests have been configured according to the instructions in the previous section. Set the following environment variables: -# export RHOST="localhost" -# export RHOST6="::1" # export LBLNET_SVR_IPV4="<local network test server IPV4 address>" # export LBLNET_SVR_IPV6="<local network test server IPV6 address>" # export PATH="$PATH:." @@ -331,8 +327,6 @@ workaround if you experience these failures. # export PASSWD=<password> # export PPROFILE=lspp # export MODE=<whatever you want (64|32), but set it to something> - # export RHOST="localhost" - # export RHOST6="::1" # export LBLNET_SVR_IPV4="<local network test server IPV4 address>" # export LBLNET_SVR_IPV6="<local network test server IPV6 address>" # export PATH="$PATH:." diff --git a/ltp/Makefile b/ltp/Makefile index a7f2385..278be2b 100644 --- a/ltp/Makefile +++ b/ltp/Makefile @@ -19,7 +19,7 @@ # # PURPOSE: Downloads and runs syscalls and cc_ospp tests from LTP suite # -# REQUIRENTS: Exported RHOST and PASSWD env variables +# REQUIRENTS: Exported PASSWD env variable # # HISTORY: # 11/11 originated by Miroslav Vadkerti <mva...@re...> -- 1.7.11.7 |
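Review bot: the rewritten comment line in the ltp/Makefile hunk keeps the misspelling `REQUIRENTS`; since the line is being touched anyway, make it `# REQUIREMENTS: Exported PASSWD env variable`.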
From: Linda K. <lin...@hp...> - 2013-04-22 20:17:17
Ok, -- ljk On 04/19/13 15:03, Jiri Jaburek wrote: > The audit-test suite doesn't use them and the LTP suite exports > them on its own based on context (ie. "localhost" or hostname) > when unset, so it doesn't *require* the variables to be set. > > Signed-off-by: Jiri Jaburek <jja...@re...> > --- > audit-test/README.netfilter | 6 ------ > audit-test/README.run | 6 ------ > ltp/Makefile | 2 +- > 3 files changed, 1 insertion(+), 13 deletions(-) > > diff --git a/audit-test/README.netfilter b/audit-test/README.netfilter > index 97daeb6..5c6bac2 100644 > --- a/audit-test/README.netfilter > +++ b/audit-test/README.netfilter > @@ -127,10 +127,6 @@ as well as an explanation of what they are. > > Variable Description > -------- -------------------------------------------------- > -RHOST Always "localhost", the loopback for IPv4 > - > -RHOST6 Always "::1", the loopback for IPv6 > - > MODE Usually 64 but could be 32 if the TOE is running > a 32-bit OS > > @@ -197,8 +193,6 @@ of all configuration environment variables you need to successfully run > the all tests in the suite. Also be aware you need to adjust correctly > according to your configuration: > > -export RHOST="localhost" > -export RHOST6="::1" > export MODE=64 > export PPROFILE=lspp > export PATH="$PATH:." > diff --git a/audit-test/README.run b/audit-test/README.run > index 9ff1894..04e4cb3 100644 > --- a/audit-test/README.run > +++ b/audit-test/README.run > @@ -206,8 +206,6 @@ On the test machine: > From the /usr/local/eal4_testing/audit-test directory, perform the following > commands to setup the required configuration for the labeled networking tests: > > -# export RHOST="localhost" > -# export RHOST6="::1" > # export LBLNET_SVR_IPV4="<local network test server IPV4 address>" > # export LBLNET_SVR_IPV6="<local network test server IPV6 address>" > # export PATH="$PATH:." 
> @@ -259,8 +257,6 @@ Otherwise, make sure that the labeled networking tests have been configured > according to the instructions in the previous section. Set the following > environment variables: > > -# export RHOST="localhost" > -# export RHOST6="::1" > # export LBLNET_SVR_IPV4="<local network test server IPV4 address>" > # export LBLNET_SVR_IPV6="<local network test server IPV6 address>" > # export PATH="$PATH:." > @@ -331,8 +327,6 @@ workaround if you experience these failures. > # export PASSWD=<password> > # export PPROFILE=lspp > # export MODE=<whatever you want (64|32), but set it to something> > - # export RHOST="localhost" > - # export RHOST6="::1" > # export LBLNET_SVR_IPV4="<local network test server IPV4 address>" > # export LBLNET_SVR_IPV6="<local network test server IPV6 address>" > # export PATH="$PATH:." > diff --git a/ltp/Makefile b/ltp/Makefile > index a7f2385..278be2b 100644 > --- a/ltp/Makefile > +++ b/ltp/Makefile > @@ -19,7 +19,7 @@ > # > # PURPOSE: Downloads and runs syscalls and cc_ospp tests from LTP suite > # > -# REQUIRENTS: Exported RHOST and PASSWD env variables > +# REQUIRENTS: Exported PASSWD env variable > # > # HISTORY: > # 11/11 originated by Miroslav Vadkerti <mva...@re...> > |
From: Jiri J. <jja...@re...> - 2013-04-19 19:03:24
This commit partially reverts commit "Update network test server for netfilter" (ceb6da241c2bcf95011d6194a646f90c04934fa9). Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/README.netfilter | 2 - audit-test/utils/network-server/clroute.bash | 9 ----- .../utils/network-server/lblnet_tst_server.c | 43 ---------------------- audit-test/utils/network-server/runnc4.bash | 16 -------- audit-test/utils/network-server/runnc6.bash | 7 ---- 5 files changed, 77 deletions(-) delete mode 100755 audit-test/utils/network-server/clroute.bash delete mode 100755 audit-test/utils/network-server/runnc4.bash delete mode 100755 audit-test/utils/network-server/runnc6.bash diff --git a/audit-test/README.netfilter b/audit-test/README.netfilter index 5c6bac2..9ac976c 100644 --- a/audit-test/README.netfilter +++ b/audit-test/README.netfilter @@ -171,8 +171,6 @@ SECNET_SVR_DEV Device for the NS secondary interface, such as "eth1" SECNET_SVR_MAC MAC address of the secondary device on the NS -SECNET_IPV4 IPV4 address for the secondary network on NS - SNET4MASK Network mask for the secondary IPv4 network, such as "255.255.255.0" diff --git a/audit-test/utils/network-server/clroute.bash b/audit-test/utils/network-server/clroute.bash deleted file mode 100755 index 17ff1f1..0000000 --- a/audit-test/utils/network-server/clroute.bash +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/bash - -hostext="$(hostname | awk 'BEGIN { FS = "." } { print $1 }')" -source ../netfilter/profile.$hostext - -ifconfig $SECNET_SVR_DEV $SECNET_SVR_IPV4 netmask $SNET4MASK -ifconfig $SECNET_SVR_DEV up -route del -net $SECNET_IPV4 netmask $SNET4MASK gw $LOCAL_IPV4 dev $PITCHER_DEV -exit diff --git a/audit-test/utils/network-server/lblnet_tst_server.c b/audit-test/utils/network-server/lblnet_tst_server.c index 864f97b..b19123f 100644 --- a/audit-test/utils/network-server/lblnet_tst_server.c +++ b/audit-test/utils/network-server/lblnet_tst_server.c 
@@ -457,47 +457,6 @@ void ctl_lock(int sock, char *param) return; } -void ctl_nccon(int sock, char *param) -{ - char *host_str, *ipv_str, *port_str; - int rc; - - if (param == NULL) { - SMSG(SMSG_ERR, fprintf(log_fd, "error(nccon): bad message\n")); - return; - } - - /* parse the control message */ - host_str = strtok(param, ","); - ipv_str = strtok(NULL, ","); - port_str = strtok(NULL, ","); - - - SMSG(SMSG_NOTICE, fprintf(log_fd, "host = (%10s)\n, port = (%4s)\n", (char *)host_str, (char *)port_str)); - - pid_t pID = fork(); - if (pID == 0){ - if (strcasecmp(ipv_str, "ipv4") == 0) { - rc = execl("./runnc4.bash", (char *)port_str, (char *)NULL); - if (rc == -1) - SMSG(SMSG_ERR, fprintf(log_fd, "error(nccon): execl failed\n")); - } - else if (strcasecmp(ipv_str, "ipv6") == 0) { - rc = execl("./runnc6.bash", (char *)port_str, (char *)NULL); - if (rc == -1) - SMSG(SMSG_ERR, fprintf(log_fd, "error(nccon): execl failed\n")); - } - else - SMSG(SMSG_ERR, fprintf(log_fd, "error(nccon): invalid ipv value\n")); - } - else if (pID < 0) { - SMSG(SMSG_ERR, fprintf(log_fd, "error(nccon): fork failed\n")); - return; - } - else - SMSG(SMSG_NOTICE, fprintf(log_fd, "parent process continues\n")); -} - /** * ctl_sendrand - Handle the "sendrand" control message * @sock: socket @@ -1268,8 +1227,6 @@ int main(int argc, char *argv[]) ctl_sockcon(rem_sock, ctl_param); } else if (strcasecmp(ctl_cmd, "getcon") == 0) { ctl_getcon(rem_sock, ctl_param); - } else if (strcasecmp(ctl_cmd, "nccon") == 0) { - ctl_nccon(rem_sock, ctl_param); } else if (strcasecmp(ctl_cmd, "audit_remote_call") == 0) { ctl_audit_remote_call(rem_sock, ctl_param); } else if (strcasecmp(ctl_cmd, "ipsec") == 0) { diff --git a/audit-test/utils/network-server/runnc4.bash b/audit-test/utils/network-server/runnc4.bash deleted file mode 100755 index 6a77e39..0000000 --- a/audit-test/utils/network-server/runnc4.bash +++ /dev/null 
@@ -1,16 +0,0 @@ -#!/bin/bash - -hostext="$(hostname | awk 'BEGIN { FS = "." } { print $1 }')" -source ../netfilter/profile.$hostext -declare roret - -ifconfig $SECNET_SVR_DEV down -roret=$(route | grep $SECNET_IPV4) -if [[ -z $roret ]]; then - route add -net $SECNET_IPV4 netmask $SNET4MASK gw $LOCAL_IPV4 dev $PITCHER_DEV -fi -/usr/bin/nc -v -w 2 $CATCHER_IPV4 $CATCHER_PORT4 -sleep 2 -echo "restoring normal route" -./clroute.bash -exit diff --git a/audit-test/utils/network-server/runnc6.bash b/audit-test/utils/network-server/runnc6.bash deleted file mode 100755 index 0dfdddb..0000000 --- a/audit-test/utils/network-server/runnc6.bash +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/bash - -hostext="$(hostname | awk 'BEGIN { FS = "." } { print $1 }')" -source ../netfilter/profile.$hostext - -exec /usr/bin/nc -6 -w 2 $CATCHER_IPV6 $CATCHER_PORT6 -exit -- 1.7.11.7 |
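Review bot: removing ctl_nccon from lblnet_tst_server.c also closes defects in the deleted handler that are worth recording in the commit message: `ipv_str` came straight from strtok and was passed to strcasecmp without a NULL check, so a "nccon" control message with fewer than two comma-separated fields dereferenced NULL; the child did not exit after a failed execl, so it fell through, returned from ctl_nccon and kept running the server's main loop alongside the parent; and `execl("./runnc4.bash", port_str, NULL)` placed the port in argv[0] rather than argv[1], so the port from the control message never reached the script (runnc4.bash and runnc6.bash read CATCHER_PORT4/CATCHER_PORT6 from the profile instead). The matching removal of the "nccon" branch in main() is consistent with dropping the handler.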
From: Jiri J. <jja...@re...> - 2013-04-19 19:03:37
It was supposedly unused and it also appears to have served in setting up a routed configuration (no bridge). Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/README.netfilter | 22 +-- audit-test/README.run | 6 +- audit-test/netfilebt/run.conf | 3 +- audit-test/utils/netfilter/config-server.bash | 238 -------------------------- audit-test/utils/netfilter/profile.sample | 27 --- 5 files changed, 5 insertions(+), 291 deletions(-) delete mode 100755 audit-test/utils/netfilter/config-server.bash delete mode 100644 audit-test/utils/netfilter/profile.sample diff --git a/audit-test/README.netfilter b/audit-test/README.netfilter index 9ac976c..10a93ba 100644 --- a/audit-test/README.netfilter +++ b/audit-test/README.netfilter 
@@ -100,27 +100,7 @@ There are a number of environmental variables required in order to provide the information needed to set the rules in iptables, ip6tables and ebtables. Some of these environmental variables are also required by the network tests in the audit-test/network directory. These environmental variables -may be set manually prior to running the tests but the process of setting them -all is simplified by the config-server.bash script. This script will ask for -the pertinent ipv4, ipv6, and MAC addresses as well as device names to which -these addresses are assigned. This allows considerable flexibility in -configuring systems with 2 or possibly several more network interfaces on -both the TOE platform as well as the network server platform. - -The config-server.bash script will build a profile.<hostname> file in the -utils/netfilter directory in the audit-test suite path. This file -should be sourced prior to running the tests. It is important to pay -attention to the format and correctness of the answers. While the -config-server.bash script will echo your response to the questions and allow -you the opportunity to change your responses, it currently does no format -checking and cannot verify if an address or device name is accurate. It does -however use a profile.sample file in the same directory to provide a default -answer which is primarily provided for the purpose of giving a sample of the -format expected in the response. - -Alternatively, the profile.sample may be used as a template -for the profile.<hostname> file and manually edited with the -required information. +must be set manually prior to running the tests, see README.run. Below is a list of the environmental variables required to run all the tests as well as an explanation of what they are. diff --git a/audit-test/README.run b/audit-test/README.run index 04e4cb3..556d865 100644 --- a/audit-test/README.run +++ b/audit-test/README.run 
@@ -248,10 +248,10 @@ Change directory to the audit test suite. # cd /usr/local/eal4_testing/audit-test If the test suite was configured to run the netfilter -tests, source the profile script that was created as part -of the configuration. +tests, create a file with variables according to README.netfilter +and source it. -# . utils/netfilter/profile.<hostname> +# . profile.bash Otherwise, make sure that the labeled networking tests have been configured according to the instructions in the previous section. Set the following diff --git a/audit-test/netfilebt/run.conf b/audit-test/netfilebt/run.conf index 5b0cf58..9d70edf 100644 --- a/audit-test/netfilebt/run.conf +++ b/audit-test/netfilebt/run.conf @@ -849,8 +849,7 @@ done ###################################################################### # It is important to note that prior to running any of the test below the -# system must be configured using the config-server.bash script or the -# environmental variables and routes must be set up manually. +# system must be properly configured. See the README.netfilter file. ## ## ebtables system calls diff --git a/audit-test/utils/netfilter/config-server.bash b/audit-test/utils/netfilter/config-server.bash deleted file mode 100755 index e28bab9..0000000 --- a/audit-test/utils/netfilter/config-server.bash +++ /dev/null 
@@ -1,238 +0,0 @@ -#!/bin/bash -# ============================================================================= -# Copyright 2010, 2011 International Business Machines Corp. -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. -# ============================================================================= - -# This script querries the user for adresses (mac, ipv4, and ipv6), device -# names of the ethernet interfaces, network masks, and the superuser password -# for all 3 platforms needed to perform the netfilter tests. The script will -# acquire all the information needed for all 3 systems during it's run on the -# TOE (target of evaluation) platform. The only repeated question for the other -# two platforms is the superuser password. -# It will apply the addresses acquired to the correct interface on each -# platform and also create routes needed for the forwarding tests. -# -# -# -# -# This function sets the device interfaces on the TOE (target of evaluation) -# with the addresses obtained through the questioning in this script. 
Also -# the routes to the remote network server and the 3rd platform known as the -# catcher are added to tho route table -# -function setup_toe { -source ./profile.$hostext -ifconfig $LOCAL_DEV $LOCAL_IPV4 netmask $LNET4MASK -ifconfig $LOCAL_DEV inet6 add $LOCAL_IPV6/$LNET6MASK -ifconfig $BRIDGE_FILTER $LOCAL_SEC_IPV4 netmask $SNET4MASK -ifconfig $BRIDGE_FILTER inet6 add $LOCAL_SEC_IPV6/$SNET6MASK -route -A inet6 add $LBLNET_SVR_IPV6 dev $LOCAL_DEV -route -A inet6 add $SECNET_SVR_IPV6 dev $BRIDGE_FILTER -} -# -# This function assigns the addresses obtained during the questioning -# of the script to the interfaces on the remote network server running -# the lblnet_tst_server application. -# - -function setup_net_server { - -source ./profile.$hostext -ifconfig $LBLNET_SVR_DEV $LBLNET_SVR_IPV4 netmask $LNET4MASK -ifconfig $LBLNET_SVR_DEV inet6 add $LBLNET_SVR_IPV6/$LNET6MASK -ifconfig $SECNET_SVR_DEV $SECNET_SVR_IPV4 netmask $SNET4MASK -ifconfig $SECNET_SVR_DEV inet6 add $SECNET_SVR_IPV6/$SNET6MASK -} - -# -# This function asks the tester for the addresss and device particulars needed -# to run the filtering tests. There are a significant number of addresses and -# device names needed to not only set up the networking configuration, but also -# to provide the information needed to input the chain rules in iptables, -# ip6tables, and ebtables. -# -function get_env_variables { - -if test -f ./profile.sample - then - source ./profile.sample -fi - -if test -f ./profile.$hostext - then - rm -f ./profile.$hostext -fi -touch ./profile.$hostext -RHOST="localhost" -echo "export RHOST=\"localhost\"" >> ./profile.$hostext -RHOST6="::1" -echo "export RHOST6=\"::1\"" >> ./profile.$hostext -MODE="$(ask "64 bit or 32 bit" "$MODE")" -echo "export MODE=$MODE" >> ./profile.$hostext -PPROFILE="$(ask "Which profile lspp(mls) or capp(base)" "$PPROFILE")" -echo "export PPROFILE=$PPROFILE" >> ./profile.$hostext -PATH="$PATH:." 
-echo "export PATH=\"\$PATH:.\"" >> ./profile.$hostext - -PASSWD="$(ask "Superuser passwword")" -echo "export PASSWD=$PASSWD" >> ./profile.$hostext -echo "" - -LOCAL_DEV="$(ask "Primary network device name of TOE" "$LOCAL_DEV")" -LOCAL_SEC_DEV="$(ask "Secondary network device name of TOE" "$LOCAL_SEC_DEV")" -LOCAL_SEC_MAC="$(ask "Secondary device mac address of TOE (mac/mask)" "$LOCAL_SEC_MAC")" -LOCAL_IPV4="$(ask "IPV4 address of TOE primary device" "$LOCAL_IPV4")" -LOCAL_IPV6="$(ask "IPV6 address of TOE primary device" "$LOCAL_IPV6")" -LOCAL_SEC_IPV4="$(ask "IPV4 address of TOE secondary device" "$LOCAL_SEC_IPV4")" -LOCAL_SEC_IPV6="$(ask "IPV6 address of TOE secondary device" "$LOCAL_SEC_IPV6")" - -echo "export LOCAL_DEV=\"$LOCAL_DEV\"" >> ./profile.$hostext -echo "export LOCAL_SEC_DEV=\"$LOCAL_SEC_DEV\"" >> ./profile.$hostext -echo "export LOCAL_SEC_MAC=\"$LOCAL_SEC_MAC\"" >> ./profile.$hostext -echo "export LOCAL_IPV4=\"$LOCAL_IPV4\"" >> ./profile.$hostext -echo "export LOCAL_IPV6=\"$LOCAL_IPV6\"" >> ./profile.$hostext -echo "export LOCAL_SEC_IPV4=\"$LOCAL_SEC_IPV4\"" >> ./profile.$hostext -echo "export LOCAL_SEC_IPV6=\"$LOCAL_SEC_IPV6\"" >> ./profile.$hostext - -LBLNET_SVR_IPV4="$(ask "Network server's primary IPV4 address" "$LBLNET_SVR_IPV4")" -LBLNET_SVR_IPV6="$(ask "Network server's primary IPV6 address" "$LBLNET_SVR_IPV6")" -REMOTE_IPV6_RAW="$LBLNET_SVR_IPV6" -LBLNET_SVR_DEV="$(ask "Network server's primary device name" "$LBLNET_SVR_DEV")" -LNET4MASK="$(ask "Network server's primary IPV4 mask" "$SNET4MASK")" -LNET6MASK="$(ask "Network server's primary IPV6 mask" "$SNET6MASK")" -SECNET_SVR_IPV4="$(ask "Network server's secondary IPV4 address" "$SECNET_SVR_IPV4")" -SECNET_SVR_IPV6="$(ask "Network server's secondary IPV6 address" "$SECNET_SVR_IPV6")" -SECNET_SVR_DEV="$(ask "Network server's secondary device name" "$SECNET_SVR_DEV")" -SECNET_SVR_MAC="$(ask "Network server's secondary mac address (mac/mask)" "$SECNET_SVR_MAC")" -SNET4MASK="$(ask "Network 
server's secondary IPV4 mask" "$SNET4MASK")" -SNET6MASK="$(ask "Network server's secondary IPV6 mask" "$SNET6MASK")" - -echo "export LBLNET_SVR_IPV4=\"$LBLNET_SVR_IPV4\"" >> ./profile.$hostext -echo "export LBLNET_SVR_IPV6=\"$LBLNET_SVR_IPV6\"" >> ./profile.$hostext -echo "export REMOTE_IPV6_RAW=\"$LBLNET_SVR_IPV6\"" >> ./profile.$hostext -echo "export LBLNET_SVR_DEV=\"$LBLNET_SVR_DEV\"" >> ./profile.$hostext -echo "export LNET4MASK=\"$LNET4MASK\"" >> ./profile.$hostext -echo "export LNET6MASK=\"$LNET6MASK\"" >> ./profile.$hostext -echo "export SECNET_SVR_IPV4=\"$SECNET_SVR_IPV4\"" >> ./profile.$hostext -echo "export SECNET_SVR_IPV6=\"$SECNET_SVR_IPV6\"" >> ./profile.$hostext -echo "export SECNET_SVR_DEV=\"$SECNET_SVR_DEV\"" >> ./profile.$hostext -echo "export SECNET_SVR_MAC=\"$SECNET_SVR_MAC\"" >> ./profile.$hostext -echo "export SNET4MASK=\"$SNET4MASK\"" >> ./profile.$hostext -echo "export SNET6MASK=\"$SNET6MASK\"" >> ./profile.$hostext - -BRIDGE_FILTER="$(ask "Name of bridge device created for the filter testing" "$BRIDGE_FILTER")" - -echo "export BRIDGE_FILTER=\"$BRIDGE_FILTER\"" >> ./profile.$hostext - -} - -echo_user () { - echo >/dev/tty "$@" -} - -ask () { - echo_user - echo_user -n "$1 [$2] ? " - read res </dev/tty - [ -z "$res" ] && res="$2" - echo_user -n "$res (y/n)" - read ret </dev/tty - if [ "$ret" == "y" ]; then - echo "$res" - else - ask "$1" "$2" - fi -} - -confirm () { - res=$(ask "$1 (y/n)" "$2") - case "$res" in - [yYjJ]*) true ;; - *) false ;; - esac -} - -die () { - echo_user "FATAL: $*" - exit 1 -} - -echo "Valid role names are: toe, and netserver" -echo "" -echo "toe (target of evaluation) is the platform being certified" -echo "" -echo "netserver is the remote server where the lblnet_tst_server" -echo " is being run" -echo "" -echo "This script has to be run on the toe first. 
It will obtain required" -echo "info for both roles and create a file in the utils/netfilter" -echo "directory of the audit-test suite path named profile.<hostname>" -echo "The file profile.<hostname> on the toe should then be copied to the" -echo "utils/netfilter directory of the audit-test suite path on the netserver" -echo "as profile.<netserver's hostname> The file should then be" -echo "sourced on the netserver platform and this script ru on it" -echo "The profile should be sourced on each platform prior to running the" -echo "netfilter and netfilebt tests. This script needs to be re-run" -echo "whenever platform addresses or device names change" -echo "" -hostext="$(hostname | awk 'BEGIN { FS = "." } { print $1 }')" -SERVER_ROLE="$(ask "Which role does this server perform" "toe")" -if [[ "$SERVER_ROLE" == "toe" ]]; then - if test -f ./profile.$hostext - then - source ./profile.$hostext - else - if test -f ./profile.sample - then - source ./profile.sample - else - echo "There is no sample profile to use for default answers or" - echo "examples for format. Either you are not running in the" - echo "in the utils/netfilter directory of the audit-test suite" - echo "or the sample profile that is normally in the audit-test" - echo "directory has been deleted" - confirm "Do you want to continue anyway? " "n" || { - die "Configuration aborted." 
- } - fi - fi - - get_env_variables - setup_toe - echo "You should now check the profile.$hostext file in the" - echo "utils/netfilter directory of the audit-test suite path" - echo "for errors and if satisfied it is correct, copy it to the" - echo "utils/netfilter directory of the audit-test suite path on" - echo "the netserver as profile.<netserver hostname>" - exit -fi -if [[ "$SERVER_ROLE" == "netserver" ]]; then - if test -f ./profile.$hostext - then - PASSWD="$(ask "Superuser passwword")" - echo "export PASSWD=$PASSWD" >> ./profile.$hostext - setup_net_server - exit - else - echo "The utils/netfilter/profile.$hostext file in the audit-test suite" - echo "path does not exist" - echo "Copy the /utils/netfilter/profile.$hostext from toe platform" - echo "to the same named directory on the netserver" - exit - fi -fi -echo "Invalid role, role names are case sensitive" -exit diff --git a/audit-test/utils/netfilter/profile.sample b/audit-test/utils/netfilter/profile.sample deleted file mode 100644 index 5c86843..0000000 --- a/audit-test/utils/netfilter/profile.sample +++ /dev/null @@ -1,27 +0,0 @@ -# This is a sample profile used by config-server.bash to provide -# example format for answers to it's querries. -export RHOST="localhost" -export RHOST6="::1" -export MODE=64 -export PPROFILE=lspp -export PATH="$PATH:." -export PASSWD="redhat" -export LOCAL_DEV="eth3" -export LOCAL_SEC_DEV="eth4" -export LOCAL_SEC_MAC="78:2B:CB:4B:EB:BC" -export LOCAL_IPV4="10.0.0.2" -export LOCAL_IPV6="fd00::2" -export LOCAL_SEC_IPV4="10.0.1.2" -export LOCAL_SEC_IPV6="fd00:1::2" -export LBLNET_SVR_IPV4="10.0.0.1" -export LBLNET_SVR_IPV6="fd00::1" -export LBLNET_SVR_DEV="eth0" -export LNET4MASK="255.255.255.0" -export LNET6MASK="64" -export SECNET_SVR_IPV4="10.0.1.1" -export SECNET_SVR_IPV6="fd00:1::1" -export SECNET_SVR_DEV="eth1" -export SECNET_SVR_MAC="00:04:23:B3:B5:83" -export SNET4MASK="255.255.255.0" -export SNET6MASK="64" -export BRIDGE_FILTER="toebr" -- 1.7.11.7 |
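Review bot: the new README.netfilter sentence "must be set manually prior to running the tests, see README.run" and the README.run hunk in the same patch ("create a file with variables according to README.netfilter and source it") refer to each other in a circle. Make the split explicit: README.netfilter should say that its variable list below is the authoritative one and name the file to create (the README.run hunk calls it profile.bash), while README.run only describes sourcing it with `# . profile.bash`.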
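Review bot: the deleted config-server.bash did more than prompt for variables. Its setup_toe function assigned LOCAL_IPV4/LOCAL_IPV6 to $LOCAL_DEV and LOCAL_SEC_IPV4/LOCAL_SEC_IPV6 to $BRIDGE_FILTER and added IPv6 host routes for LBLNET_SVR_IPV6 and SECNET_SVR_IPV6, and setup_net_server configured both interfaces on the network server. The replacement README text only says the variables "must be set manually"; nothing in this series documents the interface and route configuration, so either add those steps to README.netfilter or state in the commit message that they are no longer needed. The commit message's "routed configuration (no bridge)" also does not match setup_toe, which configures the $BRIDGE_FILTER device rather than a routed secondary interface.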