From: <om...@re...> - 2011-12-01 14:11:40
From: Ondrej Moris <om...@re...> Signed-off-by: Ondrej Moris <om...@re...> --- audit/README.netwk_svr | 8 +++++ audit/README.run | 59 +++++++++++++++++++++++++++++++++++- audit/audit-remote/README | 73 --------------------------------------------- 3 files changed, 66 insertions(+), 74 deletions(-) delete mode 100644 audit/audit-remote/README diff --git a/audit/README.netwk_svr b/audit/README.netwk_svr index e051019..1c594b5 100644 --- a/audit/README.netwk_svr +++ b/audit/README.netwk_svr @@ -57,3 +57,11 @@ address file changes. # run_init service netlabel restart # run_init service xinetd restart # run_init /etc/rc.local + +9. Create a file /usr/local/eal4_testing/audit-test/profile.bash with +exported PASSWD variable with password for administrative user (should +match also a password for root). This is required for restarting auditd +service by lblnet_tst_server over xinetd on NS for audit-remote tests, ie.: + + # echo 'export PASSWD=<eal password>' > \ + /usr/local/eal4_testing/audit-test/profile.bash diff --git a/audit/README.run b/audit/README.run index 2dec2c3..30d46f5 100644 --- a/audit/README.run +++ b/audit/README.run @@ -233,7 +233,7 @@ To run a single testcase by number: Workaround for MLS cron test failures ------------------------------------- -The MLS cron tests will fail until selinux-policy-3.7.19-127.el6 +The MLS cron tests will fail until selinux-policy-3.7.19-126.el6_2.3 is available. In the meantime, the following steps will work around the problem: 
@@ -317,3 +317,60 @@ Still in the "config.bash" file, set the "password" configuration parameter to the system password of the user that will execute the test cases. Execute "make run". + +Common reasons for failed results and known issues in audit-remote tests +------------------------------------------------------------------------ + +1) TOE and Network Server (NS for short) are have different time set. This + causes audit-remote tests to fail when looking for an audit record after + set test start time. Tests usually fail with "Missing DAEMON_ACCEPT record". + FIX: Sync time on TOE and NS, e.g. by using ntp daemon. + +2) The tests ask for a password and behave "strangely". + FIX: On TOE make sure that LBLNET_SVR_IPV4 contains IPv4 address of NS and + that PASSWD contains root / eal / admin password. Moreover, check that + profile.bash on NS correctly exports PASSWD with root / eal / admin password + (see README.netwk_svr). + +3) Tests hang on a TOE during execution. This can be a side effect when running + with SELinux in permissive mode. + FIX: Make sure SELinux is running in enforcing mode. + +4) Make sure you have really have correct permissions, owners, and SELinux + labels. + FIX: Follow related steps in README.run or reinstall if nothing helps :) + +5) TOE or NS unable to reach each other when using virt guests. This is + probably due to what `get_ipv4_addr` gives you for local_audit_server_ip. + FIX: Set local_audit_server_ip manually in audisp-remote_functions.bash to + local IPv4 address of global scope (if there are more of them, try them all + iteratively). Notice that you have to do this for both TOE and NS (they have + different setting for this variable!). + +6) NS fails to run init script via run_init due to bad password. + FIX: Make sure you have correctly set password in profile.bash, which should + be available in top-level audit-test directory. + +7) TOE has issues running remote actions on NS. 
+ FIX: Suggested is debug you test env with simple action "ns_connection_check" + # /usr/bin/nc -v $LBLNET_SVR_IPV4 4000 <<< \ + "audit_remote_call:ns_connection_check,no_mode,<TOE IPv4 of global scope>;" + +8) Make sure all configuration files related to audit remote logging are in + a "default" state before executing tests. + FIX: Suggested is to backup and diff orig and current version of following + config files: + /etc/audit/auditd.conf + /etc/audisp/audisp-remote.conf + /etc/audisp/audispd.conf + /etc/audisp/plugins.d/au-remote.conf + +9) There are AVC denials on NS side when running the tests. They reguire + addition of following SELinux rule: + "allow auditctl_t inetd_t:tcp_socket { read write };". + This is a known issue due to leaked descriptors passed to a remote_call.bash + script when execute by lblnet_tst_server. + FIX: Uncomment net_hlp_socket_close(&sock) in file lblnet_test_server.c func + ctl_audit_remote_call() and rebuild the lblnet_server_binary. As a side-effect + you will loose verbosity in netcat on TOE side. Therefore it is not used by + default. diff --git a/audit/audit-remote/README b/audit/audit-remote/README deleted file mode 100644 index 696a77d..0000000 --- a/audit/audit-remote/README +++ /dev/null 
@@ -1,73 +0,0 @@ -Running audit-remote tests --------------------------- - -Audit-remote tests run also against network server (NS) and therefore -require manual configuration of a profile with varialbes to be exported. -If these variables are not set correctly, tests in test_remote_system.bash -will FAIL. Other tests do not require these exported variables. - -Next, make sure on network server (NS) that file profile.bash exists -in top-level directory (/usr/local/eal4_testing/audit-test/) and exports -PASSWD variable with password for administrative user (should -match also a password for root). This is required for restarting auditd -service by lblnet_tst_server over xinetd on NS for audit-remote tests. - -Now you can run the tests in a common way as described in README.run. - - -Common reasons for false ERORR or FAIL results and known issues ---------------------------------------------------------------- - -1) TOE and Network Server (NS for short) are have different time set. This - causes audit-remote tests to fail when looking for an audit record after - set test start time. Tests usually fail with "Missing DAEMON_ACCEPT record". - FIX: Sync time on TOE and NS, e.g. by using ntp daemon. - -2) The tests ask for a password and behave "strangely". - FIX: On TOE make sure to update for your test environment and manually source - audit-remote.profile file before running the tests. And check profile.bash - on NS. - -3) Tests hang on a TOE during execution. This can be a side effect when running - with SELinux in permissive mode. - FIX: Make sure SELinux is running in enforcing mode. - -4) Make sure you have really have correct permissions, owners, and SELinux - labels. - FIX: Follow related steps in README.run or reinstall if nothing helps :) - -5) TOE or NS unable to reach each other when using virt guests. This is - probably due to what `hostname --ip-address` gives you for - local_audit_server_ip. 
- FIX: Add manual entry for your hostname to /etc/hosts if using virtual guests - for test execution. - -6) NS fails to run init script via run_init due to bad password. - FIX: Make sure you have correctly set password in profile.bash, which should - be available in top-level audit-test directory. - -7) TOE has issues running remote actions on NS. - FIX: Suggested is debug you test env with simple action "ns_connection_check" - # /usr/bin/nc -v $LBLNET_SVR_IPV4 4000 <<< \ - "audit_remote_call:ns_connection_check,no_mode,$LOCAL_IPV4;" - -8) Make sure all configuration files related to audit remote logging are in - a "default" state before executing tests. - FIX: Suggested is to backup and diff orig and current version of following - config files: - /etc/audit/auditd.conf - /etc/audisp/audisp-remote.conf - /etc/audisp/audispd.conf - /etc/audisp/plugins.d/au-remote.conf - -9) There are AVC denials on NS side when running the tests. They reguire - addition of following SELinux rule: - "allow auditctl_t inetd_t:tcp_socket { read write };". - This is a known issue due to leaked descriptors passed to a remote_call.bash - script when execute by lblnet_tst_server. - FIX: Uncomment net_hlp_socket_close(&sock) in file lblnet_test_server.c func - ctl_audit_remote_call() and rebuild the lblnet_server_binary. As a side-effect - you will loose verbosity in netcat on TOE side. Therefore it is not used by - default. - -10) Free, as in beer, slot. -- 1.7.1 |
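Review bot: step 9 added to audit/README.netwk_svr has the administrative (and root) password written in cleartext to /usr/local/eal4_testing/audit-test/profile.bash, but says nothing about the owner or mode of that file, so it is created with whatever umask the shell happens to have. Suggest adding a line that tells the reader to restrict it to root (for example mode 0600, provided lblnet_tst_server started from xinetd can still read it). The echo as written also breaks if the password contains a single quote, and "ie." before the command should be "e.g.".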
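Review bot: the first audit/README.run hunk (the "Workaround for MLS cron test failures" paragraph) changes the selinux-policy version from 3.7.19-127.el6 to 3.7.19-126.el6_2.3, which has nothing to do with moving the audit-remote README and is not explained anywhere in the message as posted. Suggest splitting it into its own patch, or adding a sentence to the commit message saying why the fixed-in version changed.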
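Review bot: item 9 of the new "Common reasons for failed results" section in audit/README.run first says the AVC denials "reguire addition of following SELinux rule" and then gives a FIX that closes the leaked descriptor instead, so the reader cannot tell whether the allow rule, the rebuild, or both are expected on the NS. Suggest stating which one is the supported configuration and that the other is only a workaround. The same item refers to lblnet_tst_server, lblnet_test_server.c and lblnet_server_binary; please confirm the names and use them consistently with README.netwk_svr. Since the text is being moved anyway, the carried-over typos could be fixed in the same pass: "are have different time set" (1), "you have really have" (4), "Suggested is debug you test env" (7), "reguire", "when execute by" and "loose verbosity" (9). Item 2 should also say whose password PASSWD holds rather than "root / eal / admin password".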
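Review bot: the deletion of audit/audit-remote/README drops its introductory paragraph, and the statement there that only the tests in test_remote_system.bash depend on the exported variables ("Other tests do not require these exported variables") does not reappear in either README.netwk_svr or README.run. Suggest carrying that sentence over to the new README.run section. Old item 2 also told the reader to source audit-remote.profile on the TOE; the new item 2 names LBLNET_SVR_IPV4 and PASSWD but not where they are set, so a pointer to the file or step that defines them would help.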