Menu
▾
▴
[Audit-test-developer] [PATCH 1/1] audit-test/README distributed into README.run and README.netwk_svr
|
From: <om...@re...> - 2011-12-01 14:11:40
|
From: Ondrej Moris <om...@re...>
Signed-off-by: Ondrej Moris <om...@re...>
---
audit/README.netwk_svr | 8 +++++
audit/README.run | 59 +++++++++++++++++++++++++++++++++++-
audit/audit-remote/README | 73 ---------------------------------------------
3 files changed, 66 insertions(+), 74 deletions(-)
delete mode 100644 audit/audit-remote/README
diff --git a/audit/README.netwk_svr b/audit/README.netwk_svr
index e051019..1c594b5 100644
--- a/audit/README.netwk_svr
+++ b/audit/README.netwk_svr
@@ -57,3 +57,11 @@ address file changes.
# run_init service netlabel restart
# run_init service xinetd restart
# run_init /etc/rc.local
+
+9. Create a file /usr/local/eal4_testing/audit-test/profile.bash with
+exported PASSWD variable with password for administrative user (should
+match also a password for root). This is required for restarting auditd
+service by lblnet_tst_server over xinetd on NS for audit-remote tests, ie.:
+
+ # echo 'export PASSWD=<eal password>' > \
+ /usr/local/eal4_testing/audit-test/profile.bash
diff --git a/audit/README.run b/audit/README.run
index 2dec2c3..30d46f5 100644
--- a/audit/README.run
+++ b/audit/README.run
@@ -233,7 +233,7 @@ To run a single testcase by number:
Workaround for MLS cron test failures
-------------------------------------
-The MLS cron tests will fail until selinux-policy-3.7.19-127.el6
+The MLS cron tests will fail until selinux-policy-3.7.19-126.el6_2.3
is available. In the meantime, the following steps will work
around the problem:
@@ -317,3 +317,60 @@ Still in the "config.bash" file, set the "password" configuration parameter
to the system password of the user that will execute the test cases.
Execute "make run".
+
+Common reasons for failed results and known issues in audit-remote tests
+------------------------------------------------------------------------
+
+1) TOE and Network Server (NS for short) are have different time set. This
+ causes audit-remote tests to fail when looking for an audit record after
+ set test start time. Tests usually fail with "Missing DAEMON_ACCEPT record".
+ FIX: Sync time on TOE and NS, e.g. by using ntp daemon.
+
+2) The tests ask for a password and behave "strangely".
+ FIX: On TOE make sure that LBLNET_SVR_IPV4 contains IPv4 address of NS and
+ that PASSWD contains root / eal / admin password. Moreover, check that
+ profile.bash on NS correctly exports PASSWD with root / eal / admin password
+ (see README.netwk_svr).
+
+3) Tests hang on a TOE during execution. This can be a side effect when running
+ with SELinux in permissive mode.
+ FIX: Make sure SELinux is running in enforcing mode.
+
+4) Make sure you have really have correct permissions, owners, and SELinux
+ labels.
+ FIX: Follow related steps in README.run or reinstall if nothing helps :)
+
+5) TOE or NS unable to reach each other when using virt guests. This is
+ probably due to what `get_ipv4_addr` gives you for local_audit_server_ip.
+ FIX: Set local_audit_server_ip manually in audisp-remote_functions.bash to
+ local IPv4 address of global scope (if there are more of them, try them all
+ iteratively). Notice that you have to do this for both TOE and NS (they have
+ different setting for this variable!).
+
+6) NS fails to run init script via run_init due to bad password.
+ FIX: Make sure you have correctly set password in profile.bash, which should
+ be available in top-level audit-test directory.
+
+7) TOE has issues running remote actions on NS.
+ FIX: Suggested is debug you test env with simple action "ns_connection_check"
+ # /usr/bin/nc -v $LBLNET_SVR_IPV4 4000 <<< \
+ "audit_remote_call:ns_connection_check,no_mode,<TOE IPv4 of global scope>;"
+
+8) Make sure all configuration files related to audit remote logging are in
+ a "default" state before executing tests.
+ FIX: Suggested is to backup and diff orig and current version of following
+ config files:
+ /etc/audit/auditd.conf
+ /etc/audisp/audisp-remote.conf
+ /etc/audisp/audispd.conf
+ /etc/audisp/plugins.d/au-remote.conf
+
+9) There are AVC denials on NS side when running the tests. They reguire
+ addition of following SELinux rule:
+ "allow auditctl_t inetd_t:tcp_socket { read write };".
+ This is a known issue due to leaked descriptors passed to a remote_call.bash
+ script when execute by lblnet_tst_server.
+ FIX: Uncomment net_hlp_socket_close(&sock) in file lblnet_test_server.c func
+ ctl_audit_remote_call() and rebuild the lblnet_server_binary. As a side-effect
+ you will loose verbosity in netcat on TOE side. Therefore it is not used by
+ default.
diff --git a/audit/audit-remote/README b/audit/audit-remote/README
deleted file mode 100644
index 696a77d..0000000
--- a/audit/audit-remote/README
+++ /dev/null
@@ -1,73 +0,0 @@
-Running audit-remote tests
---------------------------
-
-Audit-remote tests run also against network server (NS) and therefore
-require manual configuration of a profile with varialbes to be exported.
-If these variables are not set correctly, tests in test_remote_system.bash
-will FAIL. Other tests do not require these exported variables.
-
-Next, make sure on network server (NS) that file profile.bash exists
-in top-level directory (/usr/local/eal4_testing/audit-test/) and exports
-PASSWD variable with password for administrative user (should
-match also a password for root). This is required for restarting auditd
-service by lblnet_tst_server over xinetd on NS for audit-remote tests.
-
-Now you can run the tests in a common way as described in README.run.
-
-
-Common reasons for false ERORR or FAIL results and known issues
----------------------------------------------------------------
-
-1) TOE and Network Server (NS for short) are have different time set. This
- causes audit-remote tests to fail when looking for an audit record after
- set test start time. Tests usually fail with "Missing DAEMON_ACCEPT record".
- FIX: Sync time on TOE and NS, e.g. by using ntp daemon.
-
-2) The tests ask for a password and behave "strangely".
- FIX: On TOE make sure to update for your test environment and manually source
- audit-remote.profile file before running the tests. And check profile.bash
- on NS.
-
-3) Tests hang on a TOE during execution. This can be a side effect when running
- with SELinux in permissive mode.
- FIX: Make sure SELinux is running in enforcing mode.
-
-4) Make sure you have really have correct permissions, owners, and SELinux
- labels.
- FIX: Follow related steps in README.run or reinstall if nothing helps :)
-
-5) TOE or NS unable to reach each other when using virt guests. This is
- probably due to what `hostname --ip-address` gives you for
- local_audit_server_ip.
- FIX: Add manual entry for your hostname to /etc/hosts if using virtual guests
- for test execution.
-
-6) NS fails to run init script via run_init due to bad password.
- FIX: Make sure you have correctly set password in profile.bash, which should
- be available in top-level audit-test directory.
-
-7) TOE has issues running remote actions on NS.
- FIX: Suggested is debug you test env with simple action "ns_connection_check"
- # /usr/bin/nc -v $LBLNET_SVR_IPV4 4000 <<< \
- "audit_remote_call:ns_connection_check,no_mode,$LOCAL_IPV4;"
-
-8) Make sure all configuration files related to audit remote logging are in
- a "default" state before executing tests.
- FIX: Suggested is to backup and diff orig and current version of following
- config files:
- /etc/audit/auditd.conf
- /etc/audisp/audisp-remote.conf
- /etc/audisp/audispd.conf
- /etc/audisp/plugins.d/au-remote.conf
-
-9) There are AVC denials on NS side when running the tests. They reguire
- addition of following SELinux rule:
- "allow auditctl_t inetd_t:tcp_socket { read write };".
- This is a known issue due to leaked descriptors passed to a remote_call.bash
- script when execute by lblnet_tst_server.
- FIX: Uncomment net_hlp_socket_close(&sock) in file lblnet_test_server.c func
- ctl_audit_remote_call() and rebuild the lblnet_server_binary. As a side-effect
- you will loose verbosity in netcat on TOE side. Therefore it is not used by
- default.
-
-10) Free, as in beer, slot.
--
1.7.1
|