From: Linda K. <lin...@hp...> - 2011-04-04 17:37:36
Tony Ernst wrote:
> On Mon, Apr 04, 2011 at 01:00:01PM -0400, Linda Knippers wrote:
>> Tony Ernst wrote:
>>> Hi,
>>>
>>> I just upgraded a RHEL 6.1 test machine, and I see a couple failures that
>>> I didn't see previously. This is caused by 'screen', which was previously
>>> disabled but is being used now.
>>>
>>> The libpam login test uses 'expect' to login, then gets its terminal by
>>> running 'tty' ("pts/7"). Later, the test uses augrok to find a USER_AUTH
>>> message in the audit log with "exe=/bin/login terminal=pts/7 res=success".
>>> This fails because the audit log message actually says "pts/6".
>>>
>>> The login happens on pts/6, and when 'screen' is invoked it gets a new
>>> terminal (pts/7). Thus, the test is searching for the wrong terminal.
>>>
>>> The simplest fix for this is to not try to match the terminal. The test
>>> suite rotates the audit log before running the test, so there is only
>>> one USER_AUTH message in the log. Is there any reason I can't just remove
>>> the terminal check?
>> The terminal is part of what's supposed to be audited, I believe.
>> We're supposed to verify the information in the audit record, not just
>> that there is an audit record. We can confirm with Stephan that we need
>> this check but I believe we do.
>
> It makes sense that we'd have to verify the tty in the audit record.
>
>> The use of 'screen' is optional so I wonder if we can configure the test
>> user to not use it? Or is there something other than 'tty' we could use
>> to snag the actual login pty?
>
> Screen is invoked in /etc/profile. I don't see an easy way to exclude the
> test user.

We could put an empty /etc/profile in place as part of the test case prep
when we add the user and then have the cleanup put the original back.
There might even be a 'backup' shell function that will do that for us
as other tests modify/restore system files as part of their execution.

> I've never run audit-test on RHEL 5, but wouldn't this have been
> a problem there too?

We didn't use screen in our configuration.

-- ljk

>
> Tony
>
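
The field-level check discussed in this thread, as an added example that is not part of the original message and not audit-test's own code. The functions `sample_log`, `field` and `check_user_auth` are hypothetical stand-ins for the augrok query, and the two audit records are constructed sample data.

```shell
#!/bin/sh
# Constructed sample audit records (not from a real system). The login was
# recorded on pts/6; 'screen' then gave the shell pts/7, which 'tty' reports.
sample_log() {
cat <<'EOF'
type=USER_AUTH msg=audit(1301938656.101:201): user pid=4101 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="testuser" exe="/bin/login" hostname=? addr=? terminal=pts/6 res=success'
type=USER_ACCT msg=audit(1301938656.105:202): user pid=4101 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="testuser" exe="/bin/login" hostname=? addr=? terminal=pts/6 res=success'
EOF
}

# field NAME RECORD: print the value of NAME=... in one record, quotes removed.
field() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | tr -d "\"'" | head -n 1
}

# check_user_auth EXE TERMINAL RES: read an audit log on stdin. Succeeds only
# if there is exactly one USER_AUTH record and all three fields match;
# otherwise prints each mismatch and returns non-zero.
check_user_auth() {
    recs=$(grep '^type=USER_AUTH ' || true)
    n=$(printf '%s\n' "$recs" | grep -c '^type=' || true)
    if [ "$n" -ne 1 ]; then
        echo "expected 1 USER_AUTH record, found $n"
        return 2
    fi
    rc=0
    for pair in "exe=$1" "terminal=$2" "res=$3"; do
        name=${pair%%=*}
        want=${pair#*=}
        got=$(field "$name" "$recs")
        if [ "$got" != "$want" ]; then
            echo "$name: expected $want, got $got"
            rc=1
        fi
    done
    return $rc
}

# The terminal reported by 'tty' inside screen does not match the record:
sample_log | check_user_auth /bin/login pts/7 success || true
# The pty the login actually used does:
sample_log | check_user_auth /bin/login pts/6 success && echo "USER_AUTH record verified"
```

Reporting the mismatched field by name keeps the terminal check in place while making a failure like the pts/6 versus pts/7 one immediately diagnosable.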