Menu
▾
▴
[Audit-test-developer] audit-remote behavior
|
From: Linda K. <lin...@hp...> - 2012-01-20 01:11:38
|
I'm seeing strange things with the first 10 audit-remote tests. These are the test_remote_system.bash tests. The first problem I had was really strange. When I install a TOE or the lblnet test server, I always create an account for myself and then the eal account, both as admin accounts. When I was looking at the run.log file, I noticed that the test was looking for some account information by greping /etc/aliases and it was coming up with my account since it was listed first as an alias for root, followed by eal. I switched the two accounts in that file and now the test picks up eal account information, although that apparently wasn't a problem and didn't fix anything. The next thing I noticed was that the tests were unable to restart auditd on the lblnet server. This is the really odd part. The lblnet test server was running as 'ljk'. I don't know how that happened since it is an xinetd server but I can see for the /var/log/messages file that messages emitted for the lblnet test server where tagged as from 'ljk' and the run_init in the log was showing that it was failing because the passwd it was using isn't my passwd. I changed my passwd on the lblnet server to be the same as the eal and root passwd, and then the first 4 tests started to pass. Then I rebooted the lblnet test server and now it seems to be running normally. That was very odd. All I can guess is that I must have restarted the xinetd service as myself at some point. Anyway, I just mention that in case someone else sees the same problem. Now I have the first 4 tests passing but the next 6 failing with a "check_msg_from_client" error. I started running test 4 by itself to try to troubleshoot the problem and what I see when I run the tests is that the audit logs on the lblnet server rotate several times during the test execution so I get 4 logs from just the one test. The audit message that the test is looking for when it fails is in /var/log/audit/audit.log.2. This pretty repeatable. The tests use ausearch to find the records. Does ausearch not look at the audit.log.N files? I've attached the run.log from test 4 as well as the 4 audit log files I see on the lblnet server. Any ideas? -- ljk |