Menu
▾
▴
Re: [Audit-test-developer] augrok requirement question
|
From: Linda K. <lin...@hp...> - 2011-04-04 17:37:36
|
Tony Ernst wrote:
> On Mon, Apr 04, 2011 at 01:00:01PM -0400, Linda Knippers wrote:
>> Tony Ernst wrote:
>>> Hi,
>>>
>>> I just upgraded a RHEL 6.1 test machine, and I see a couple failures that
>>> I didn't see previously. This is caused by 'screen', which was previously
>>> disabled but is being used now.
>>>
>>> The libpam login test uses 'expect' to login, then gets it's terminal by
>>> running 'tty' ("pts/7"). Later, the test uses augrok to find a USER_AUTH
>>> message in the audit log with "exe=/bin/login terminal=pts/7 res=success".
>>> This fails because the audit log message actually says "pts/6".
>>>
>>> The login happens on pts/6, and when 'screen' is invoked it gets a new
>>> terminal (pts/7). Thus, the test is searching for the wrong terminal.
>>>
>>> The simplist fix for this is to not try to match the terminal. The test
>>> suite rotates the audit log before running the test, so there is only
>>> one USER_AUTH message in the log. Is there any reason I can't just remove
>>> the terminal check?
>> The terminal is part of what's supposed to be audited, I believe.
>> We're supposed to verify the information in the audit record, not just
>> that there is an audit record. We can confirm with Stephan that we need
>> this check but I believe we do.
>
> It makes sense that we'd have to verify the tty in the audit record.
>
>> The use of 'screen' is optional so I wonder if we can configure the test
>> user to not use it? Or is there something other than 'tty' we could use
>> to snag the actual login pty?
>
> Screen is invoked in /etc/profile. I don't see an easy way to exclude the
> test user.
We could put an empty /etc/profile in place as part of the test case
prep when we add the user and then have the cleanup put the original
back. There might even be a 'backup' shell function that will do that
for us as other tests modify/restore system files as part of their
execution.
> I've never run audit-test on RHEL 5, but wouldn't this have been
> a problem there too?
We didn't use screen in our configuration.
-- ljk
>
> Tony
>
|