#1 Add CI tests using the standard test interface
Closed a year ago by sturivny. Opened 2 years ago by sturivny.
git://fedorapeople.org/~sturivny/audit master  into  master

Add CI tests using the standard test interface
Serhii Turivny • 2 years ago  
tests/README.rst
file added
empty or binary file added
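--- /dev/null
+++ b/tests/ausearch-smoke/Makefile
@@ -0,0 +1,67 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/audit/ausearch-smoke
+#   Description: Sanity test for ausearch
+#   Author: Ondrej Moris <omoris@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2013 Red Hat, Inc. All rights reserved.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/audit/Sanity/ausearch-smoke
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE ausearch-test.c aucoverage aumerge
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	test -x runtest.sh || chmod a+x runtest.sh
+	test -x aumerge || chmod a+x aumerge
+	test -x aucoverage || chmod a+x aucoverage
+	gcc -g -W -Wall -Wundef -D_GNU_SOURCE ausearch-test.c -o ausearch-test -lauparse -laudit
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+	rm -f ausearch-test
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:          Ondrej Moris <omoris@redhat.com>" > $(METADATA)
+	@echo "Name:           $(TEST)" >> $(METADATA)
+	@echo "TestVersion:    $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:           $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:    Sanity test for ausearch" >> $(METADATA)
+	@echo "Type:           Sanity" >> $(METADATA)
+	@echo "TestTime:       15m" >> $(METADATA)
+	@echo "RunFor:         audit" >> $(METADATA)
+	@echo "Requires:       gcc rpm-build audit audit-libs audit-libs-devel gzip sharutils" >> $(METADATA)
+	@echo "Releases:       RHEL6 RHEL7" >> $(METADATA)
+	@echo "Priority:       Normal" >> $(METADATA)
+	@echo "License:        GPLv2" >> $(METADATA)
+	@echo "Confidential:   no" >> $(METADATA)
+	@echo "Destructive:    no" >> $(METADATA)
+
+	rhts-lint $(METADATA)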
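Review bot: `run` and `build` are not in `.PHONY` (the declaration lists `all install download clean`, three of which have no rule here), so a stray file named `build` or `run` in the test directory makes make consider them up to date and skip the compile and chmod steps; add them with `.PHONY: all install download clean run build`. The `build` recipe hard-codes `gcc` and repeats the exact compile line that runtest.sh also carries; `$(CC) $(CFLAGS) -W -Wall -Wundef -D_GNU_SOURCE ausearch-test.c -o ausearch-test -lauparse -laudit` with runtest.sh calling `make build` keeps a single definition. `FILES` also omits the `audit.log.<arch>` sample that runtest.sh copies on its first rlRun, so an rhts-packaged copy of this test would not ship its input data, and `TEST` says `/CoreOS/audit/Sanity/ausearch-smoke` while the header comment says `/CoreOS/audit/ausearch-smoke`.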

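--- /dev/null
+++ b/tests/ausearch-smoke/PURPOSE
@@ -0,0 +1,7 @@
+PURPOSE of /CoreOS/audit/Sanity/ausearch-smoke
+Description: Sanity test for ausearch
+Author: Ondrej Moris <omoris@redhat.com>
+
+Uses ausearch-test [1] provided by Steve Grubb.
+
+[1] http://people.redhat.com/sgrubb/audit/ausearch-test-0.5.tar.gz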

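--- /dev/null
+++ b/tests/ausearch-smoke/aucoverage
@@ -0,0 +1,24 @@
+#!/bin/sh
+if [ $# -ne 1 ] ; then
+	echo "aucoverage LOG1 | --dump"
+	exit 1
+fi
+INLOG="$1"
+if [ "$1" = "--dump" ] ; then
+	ausearch -m 2>&1 | tr ' ' '\n'| egrep [A-Z] | egrep -v 'ALL|Argument|Valid|EOE|TRUSTED_APP|KERNEL_OTHER' | sort
+	exit 0
+fi
+if [ ! -e $INLOG ] ; then
+	echo "Can't read $INLOG"
+	exit 1
+fi
+types=`ausearch -m 2>&1 | tr ' ' '\n'| egrep [A-Z] | egrep -v 'ALL|Argument|Valid|EOE|TRUSTED_APP|KERNEL_OTHER' | sort`
+#echo -e "$types\n\n"
+for t in $types
+do
+	ausearch -if $INLOG -m $t --just-one --raw 2>/dev/null 1>&2
+	if [ $? -ne 0 ] ; then
+		echo "Missing $t"
+	fi
+done
+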
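Review bot: Both `ausearch -m` pipelines pass `egrep [A-Z]` with the bracket expression unquoted, so a single-uppercase-letter file in the working directory is globbed into the pattern and the type list silently changes; and `$INLOG` is unquoted in `[ ! -e $INLOG ]` and `ausearch -if $INLOG`, so a path with spaces or glob characters word-splits. The existence test also does not match its message: `-e` passes for an unreadable file while the script prints "Can't read". Use `egrep '[A-Z]'`, `if [ ! -r "$INLOG" ] ; then`, and `ausearch -if "$INLOG" -m "$t" --just-one --raw 2>/dev/null 1>&2`.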

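--- /dev/null
+++ b/tests/ausearch-smoke/aumerge
@@ -0,0 +1,39 @@
+#!/bin/sh
+if [ $# -ne 2 -o "$1" = "--help" ] ; then
+	echo "aumerge LOG1 LOG2"
+	echo "Where LOG2 is the one that is appended to."
+	exit 1
+fi
+INLOG="$1"
+OUTLOG="$2"
+if [ ! -e $INLOG ] ; then
+	echo "Can't read $INLOG"
+	exit 1
+fi
+if [ ! -e $OUTLOG ] ; then
+	echo "Can't read $OUTLOG"
+	exit 1
+fi
+appended=0
+types=`ausearch -m 2>&1 | tr ' ' '\n'| egrep [A-Z] | egrep -v 'ALL|Argument|Valid|EOE|TRUSTED_APP|KERNEL_OTHER' | sort`
+#echo -e "$types\n\n"
+for t in $types
+do
+	ausearch -if $INLOG -m $t --just-one --raw 2>/dev/null 1>&2
+	if [ $? -eq 0 ] ; then
+		#echo "Found $t"
+		ausearch -if $OUTLOG -m $t --just-one --raw 2>/dev/null 1>&2
+		if [ $? -ne 0 ] ; then
+			ausearch -if $INLOG -m $t --just-one --raw 2>/dev/null >> $OUTLOG
+			echo "Appended $t to $OUTLOG"
+			appended=1
+		fi
+	fi
+done
+
+if [ $appended -eq 0 ] ; then
+	echo "There are no new records to merge"
+        exit 2
+fi
+
+exit 0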
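Review bot: `$INLOG` and `$OUTLOG` are unquoted everywhere after their assignment, including the `>> $OUTLOG` append, so a path containing spaces or glob characters splits and the records can land in a different file than the one that was checked; quote them, e.g. `ausearch -if "$INLOG" -m "$t" --just-one --raw 2>/dev/null >> "$OUTLOG"`. The pre-checks test only `-e` although the script needs to read INLOG and write OUTLOG: `[ ! -r "$INLOG" ]` and `[ ! -w "$OUTLOG" ]` fail early with an accurate message instead of a silent `ausearch` error per type. The `egrep [A-Z]` bracket expression is unquoted here as in aucoverage and should be `egrep '[A-Z]'`, and the `exit 2` line is indented with spaces where the rest of the script uses tabs.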

tests/ausearch-smoke/ausearch-test.c
file added
+326

@@ -0,0 +1,326 @@

+ /*

+  * ausearch-test.c - ausearch testing utility

+  * version: 0.5

+  * Copyright 2014 Red Hat Inc., Durham, North Carolina.

+  * All Rights Reserved.

+  *

+  * This program is free software; you can redistribute it and/or modify

+  * it under the terms of the GNU General Public License as published by

+  * the Free Software Foundation; either version 2 of the License, or

+  * (at your option) any later version.

+  *

+  * This program is distributed in the hope that it will be useful,

+  * but WITHOUT ANY WARRANTY; without even the implied warranty of

+  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+  * GNU General Public License for more details.

+  *

+  * You should have received a copy of the GNU General Public License

+  * along with this program; if not, write to the Free Software

+  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

+  *

+  * Authors:

+  *     Steve Grubb <sgrubb@redhat.com>

+  */

+ 

+ #include <stdio.h>

+ #include <locale.h>

+ #include <libaudit.h>

+ #include <string.h>

+ #include <stdlib.h>

+ #include <unistd.h>

+ #include <auparse.h>

+ 

+ static char *AUSEARCH = NULL;

+ static char *LOG = NULL;

+ static int continue_on_error = 0;

+ 

+ struct nv_pair {

+ 	const char *field;

+ 	const char *option;

+ };

+ 

+ static struct nv_pair options[] =

+ {

+  {"comm", "-c" },

+  {"exit", "-e" },

+  {"name", "-f" },

+  {"cwd", "-f" }, // INFO: old ausearch will fail this, comment out accordingly

+  {"path", "-f" },

+  {"saddr", "-f" },  // if unix socket

+  {"gid", "--gid" },

+  {"egid", "-ge" },

+  {"hostname", "-hn" },

+  {"addr", "-hn" },

+  {"saddr", "-hn" },

+  {"key", "-k" },

+  {"type", "-m" },

+  {"node", "-n" },

+  {"pid", "-p" },

+  {"ppid", "-pp" },

+  {"obj", "-o" },

+  {"syscall", "-sc" },

+  {"tcontext", "-se" },

+  {"scontext", "-se" },

+  {"subj", "-su" },

+  {"ses", "--session" },

+  {"subj", "--subject" },

+  {"scontext", "--subject" },

+  {"res", "--success" },

+  {"result", "--success" },

+  {"success", "--success" },

+  {"tty", "-tm" },

+  {"terminal", "-tm" },

+  {"uid", "-ui" },

+  {"euid", "-ue" },

+  {"auid", "-ul" },

+  {"loginuid", "-ul" },

+  {"uuid", "--uuid" },

+  {"vm", "--vm-name" },

+  {"exe", "-x" },

+  { NULL, NULL}

+ };

+ 

+ const char *opt_lookup(const char *f)

+ {

+ 	unsigned int i = 0;

+ 	while (options[i].field != NULL) {

+ 		if (strcasecmp(f, options[i].field) == 0)

+ 			break;

+ 		i++;

+ 	}

+ 	return options[i].option;

+ }

+ 

+ int run_ausearch(auparse_state_t *au, char *line, const char *opt, 

+ 		const char *val, const char *cmd)

+ {

+ 	int rc = system(line);

+ 	if (rc) {

+ 		printf("\n");

+ 		printf("Failed to locate a record\n");

+ 		printf("Current test option: %s %s\n",

+ 				opt, val);

+ 		printf("Command used: %s\n", cmd);

+ 		printf("Full record being tested: %s\n",

+ 			auparse_get_record_text(au));

+ 		if (!continue_on_error) {

+ 			free(line);

+ 			exit(1);

+ 		} else

+ 			return 1;

+ 	}

+ 	return 0;

+ }

+ 

+ /*

+  * This tests one complete record

+  */

+ int do_record_test(auparse_state_t *au)

+ {

+ 	char cmd[8192], *ptr;

+ 	int hn = 0, li = 0, ses = 0, first = 0;

+ 	auparse_first_field(au);

+ 	ptr = cmd;

+ 	ptr = stpcpy(ptr, AUSEARCH);

+ 	ptr = stpcpy(ptr, " -if ");

+ 	ptr = stpcpy(ptr, LOG);

+ 

+ 	do {

+ 		char *line;

+ 		if (first == 0) {

+ 			char buf[64];

+ 			unsigned long serial = auparse_get_serial(au);

+ 

+ 			snprintf(buf, sizeof(buf), "%lu", serial);

+ 			ptr = stpcpy(ptr, " -a ");

+ 			ptr = stpcpy(ptr, buf);

+ 			asprintf(&line, "%s  >/dev/null 2>&1", cmd);

+ 			if (run_ausearch(au, line, "-a", buf, cmd)) {

+ 				free(line);

+ 				return 1;

+ 			}

+ 			free(line);

+ 			first = 1;

+ 		}

+ 		const char *field = auparse_get_field_name(au);

+ 		if (field) {

+ 			const char *opt = opt_lookup(field);

+ 			if (opt) {

+ 				char buf[4096];

+ 				int type = auparse_get_type(au);

+ 				const char *val = auparse_get_field_str(au);

+ 				if (val == NULL) {

+ 					printf("can't get value for %s in %s\n",

+ 						field,

+ 						auparse_get_record_text(au));

+ 					exit(1);

+ 				}

+ 				if (strcmp(val, "?") == 0)

+ 					// skip the unknowns

+ 					continue;

+ 				if (strcmp(opt, "--success") == 0) {

+ 					// Correct the value

+ 					if (val[0] == 's')

+ 						val = "yes";

+ 					else if (val[0] == 'y')

+ 						val = "yes";

+ 					else if (val[0] == '1')

+ 						val = "yes";

+ 					else

+ 						val = "no";

+ 				}

+ 				if (strcmp(field, "key") == 0) {

+ 					// skip (none)

+ 					if (val[0] == '(')

+ 						continue;

+ 				}

+ 				if (strcmp(opt, "-tm") == 0) {

+ 					// Skip (null)

+ 					if (val[0] == '(')

+ 						continue;

+ 				}

+ 				if (strcmp(opt, "-hn") == 0) {

+ 					// some records have both addr and 

+ 					// hostname filled in - only use the

+ 					// first one

+ 					if (hn) continue;

+ 					hn = 1;

+ 				}

+ 				if (strcmp(field, "saddr") == 0) {

+ 					if (type == AUDIT_SOCKADDR) {

+ 						// If unix socket skip the

+ 						// the identifier for its type

+ 						val = auparse_interpret_field(au);

+ 						if (strncmp(val, "local",

+ 								5) == 0)

+ 							val += 6;

+ 						else if (strncmp(val, "netlink",

+ 							7) == 0)

+ 						// skip netlink - not a real

+ 						// address

+ 							continue;

+ 					}

+ 				}

+ 				if (strcmp(field, "name") == 0) {

+ 					if (strcmp(val, "(null)") == 0)

+ 					// Some files temporarily have

+ 					// no name - skip them

+ 						continue;

+ 				}

+ 				if (type == AUDIT_USER_AVC)

+ 					// USER AVCs are a mess - skip

+ 					continue;

+ 				if (type == AUDIT_LOGIN) {

+ 					// On login records, only second auid

+ 					// is searchable

+ 					if (strcmp(field, "auid") == 0 &&

+ 						li == 0) {

+ 						li = 1;

+ 						continue;

+ 					}

+ 					// On login records, only second ses

+ 					// is searchable

+ 					if (strcmp(field, "ses") == 0 &&

+ 						ses == 0) {

+ 						ses = 1;

+ 						continue;

+ 					}

+ 				}

+ 				if (type == AUDIT_USER_LOGIN) {

+ 					// On user login records, only second

+ 					// uid is searchable

+ 					if (strcmp(field, "uid") == 0 &&

+ 						li == 0) {

+ 						li = 1;

+ 						continue;

+ 					}

+ 				}

+ 				if (type == AUDIT_USER_LOGOUT) {

+ 					// On user login records, only second

+ 					// uid is searchable

+ 					if (strcmp(field, "uid") == 0 &&

+ 						li == 0) {

+ 						li = 1;

+ 						continue;

+ 					}

+ 				}

+ 

+ 				if (auparse_get_field_type(au) ==

+ 						AUPARSE_TYPE_ESCAPED &&

+ 						val[0] != '"') {

+ 					snprintf(buf, sizeof(buf), "\'%s\'",

+ 					auparse_interpret_field(au));

+ 					val = buf;

+ 				}

+ 

+ 				ptr = stpcpy(ptr, " ");

+ 				ptr = stpcpy(ptr, opt);

+ 				ptr = stpcpy(ptr, " ");

+ 				ptr = stpcpy(ptr, val);

+ 				asprintf(&line, "%s  >/dev/null 2>&1", cmd);

+ 				if (run_ausearch(au, line, opt, val, cmd)) {

+ 					free(line);

+ 					return 1;

+ 				}

+ 				free(line);

+ 			}

+ 		}

+ 	} while (auparse_next_field(au));

+ 	return 0;

+ }

+ 

+ int main(int argc, char *argv[])

+ {

+ 	auparse_state_t *au;

+ 	int opt = 1, problems = 0;

+ 

+ 	setlocale (LC_ALL, "");

+ 	while (argc > opt) {

+ 		if (strcmp(argv[opt], "--help") == 0) {

+ 			printf("ausearch-test [path to different ausearch|log] [--continue]\n");

+ 			return 0;

+ 		}

+ //printf("opt=%d, argv[opt]=%s\n", opt, argv[opt]);

+ 		if (strcmp(argv[opt], "--continue") == 0)

+ 			continue_on_error = 1;

+ 		else if (access(argv[opt], X_OK) == 0)

+ 			AUSEARCH = strdup(argv[opt]);

+ 		else if (access(argv[opt], R_OK) == 0) {

+ 			LOG = strdup(argv[opt]);

+ 		} else {

+ 			printf("Can't find replacement for ausearch: %s\n", argv[opt]);

+ 			return 1;

+ 		}

+ 		opt++;

+ 	}

+ 	if (AUSEARCH == NULL)

+ 		AUSEARCH = strdup("ausearch");

+ 	if (LOG == NULL)

+ 		LOG = strdup("./audit.log");

+ 

+ 	au = auparse_init(AUSOURCE_FILE, LOG);

+ 	if (au == NULL) {

+ 		printf("Error initializing\n");

+ 		return 1;

+ 	}

+ 

+ 	printf("Starting the test\n");

+ 	do {

+ 		auparse_first_record(au);

+ 		do {	// Do the test on the record

+ 			if (do_record_test(au)) {

+ 				problems++;

+ 				break; // --continue given, do next event

+ 			}

+ 		} while (auparse_next_record(au) > 0);

+ 	} while (auparse_next_event(au) > 0);

+ 

+ 	auparse_destroy(au);

+ 	if (problems)

+ 		printf("Done - %d problems detected\n", problems);

+ 	else

+ 		printf("Done - no problems detected\n");

+ 

+ 	return 0;

+ }

+ 
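Review bot: `run_ausearch` hands `line` to `system()`, and `do_record_test` assembles that line by `stpcpy`-ing raw audit-log field values (`val` from auparse_get_field_str / auparse_interpret_field) into the fixed `cmd[8192]` with no remaining-length check. A value the kernel logged in double quotes (comm=, exe=, name=, …) is appended verbatim, and as far as I can tell the kernel only hex-encodes strings containing `"`, spaces or control characters, so a process named `$(...)` or a path with backticks is expanded by /bin/sh; because runtest.sh merges records from the live /var/log/audit/audit.log into the sample and runs as root, an unprivileged local process name becomes root command execution, and a record with many or long fields (a raw hex-encoded `name` alone can be several KB) overruns `cmd` on the stack. The single quotes added for AUPARSE_TYPE_ESCAPED fields do not close this, since an embedded `'` is not escaped either, and the `asprintf` results are never checked. Build an argv vector and fork/execvp without a shell (needs `<sys/wait.h>` and `<fcntl.h>`), bounding the argument count; a sketch of run_ausearch follows, with do_record_test collecting `args[]` in place of the stpcpy chain.
```c
/* Run ausearch with an argv vector: no shell is involved, so a field value
 * taken from the log can never be parsed as shell syntax.  Returns 0 when
 * ausearch exits 0 (record found), 1 otherwise (or exits unless --continue). */
static int run_ausearch(auparse_state_t *au, char *const args[],
			const char *opt, const char *val)
{
	int status;
	pid_t pid = fork();

	if (pid == 0) {
		int fd = open("/dev/null", O_WRONLY);
		if (fd >= 0) {
			dup2(fd, STDOUT_FILENO);
			dup2(fd, STDERR_FILENO);
			close(fd);
		}
		execvp(args[0], args);
		_exit(127);
	}
	if (pid < 0 || waitpid(pid, &status, 0) < 0 ||
	    !WIFEXITED(status) || WEXITSTATUS(status) != 0) {
		printf("\nFailed to locate a record\n");
		printf("Current test option: %s %s\n", opt, val);
		printf("Full record being tested: %s\n",
		       auparse_get_record_text(au));
		if (!continue_on_error)
			exit(1);
		return 1;
	}
	return 0;
}

/* … do_record_test: keep `const char *args[MAX_ARGS]` seeded with AUSEARCH,
 * "-if", LOG, "-a", serial; push opt and a strdup'd val per field, reporting
 * and skipping a record that would exceed MAX_ARGS; call
 * run_ausearch(au, (char *const *)args, opt, val) and free the copies. … */
```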

tests/ausearch-smoke/runtest.sh
file added
+172

@@ -0,0 +1,172 @@

+ #!/bin/bash

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   runtest.sh of /CoreOS/audit/ausearch-smoke

+ #   Description: Sanity test for ausearch

+ #   Author: Ondrej Moris <omoris@redhat.com>

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   Copyright (c) 2013 Red Hat, Inc. All rights reserved.

+ #

+ #   This copyrighted material is made available to anyone wishing

+ #   to use, modify, copy, or redistribute it subject to the terms

+ #   and conditions of the GNU General Public License version 2.

+ #

+ #   This program is distributed in the hope that it will be

+ #   useful, but WITHOUT ANY WARRANTY; without even the implied

+ #   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR

+ #   PURPOSE. See the GNU General Public License for more details.

+ #

+ #   You should have received a copy of the GNU General Public

+ #   License along with this program; if not, write to the Free

+ #   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,

+ #   Boston, MA 02110-1301, USA.

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ 

+ # Include rhts environment

+ . /usr/bin/rhts-environment.sh

+ . /usr/lib/beakerlib/beakerlib.sh

+ 

+ PACKAGE="audit"

+ 

+ 

+ rlJournalStart

+ 

+   rlPhaseStartSetup

+     rlCheckRpm "audit" || rlDie    

+     rlRun "cp -f audit.log.$(uname -m) audit.log" 0 

+     rlLog "Merging system audit.log to check new events"

+     if ./aumerge /var/log/audit/audit.log audit.log; then

+         rlLog "New events have been found!"

+         cp audit.log audit.log.$(uname -m) && \

+             gzip -c audit.log.$(uname -m) | \

+             uuencode audit.log.$(uname -m).gz | \

+             mail -s "ausearch-smoke update ($(uname -m))" omoris@redhat.com

+     else

+         rlLog "No new events have been found"

+     fi    

+     total=$(./aucoverage --dump | wc -l)

+     missing=$(./aucoverage audit.log | wc -l)

+     rlLog "Using sample audit.log missing $missing of $total event types"

+ 	if [[ ! -x ausearch-test ]] ; then

+ 	    rlLog "ausearch-test has not been built, attempting to build now."

+ 		rlRun "gcc -g -W -Wall -Wundef -D_GNU_SOURCE ausearch-test.c -o ausearch-test -lauparse -laudit" 0

+     fi

+   rlPhaseEnd

+ 

+   rlPhaseStartTest "ausearch-test"

+     rlRun -s "./ausearch-test audit.log --continue"

+     rlAssertGrep "Done - no problems detected" $rlRun_LOG

+   rlPhaseEnd

+ 

+   if rlIsRHEL '>=6.6' ; then

+       rlPhaseStartTest "checkpoint"

+         rlRun "auditctl -m test1" 0 "Generating message test1"

+ 	rlRun "ausearch -ts recent --checkpoint chk1 -m USER | grep test1" 0 \

+ 	    "Creating checkpoint 1, test1 should be reported"

+ 	rlRun "ausearch -ts recent --checkpoint chk1 -m USER | grep test1" 1 \

+ 	    "Moving checkpoint 1, test1 should not be reported"

+ 	rlRun "ausearch -ts recent --checkpoint chk2 -m USER | grep test1" 0 \

+ 	    "Creating checkpoint 2, test1 should be reported"

+ 	rlRun "auditctl -m test2" 0  "Generating message test2"

+ 	rlRun "ausearch -ts recent --checkpoint chk1 -m USER | grep test2" 0 \

+ 	    "Moving checkpoint 1, test2 should be reported"

+ 	rlRun "ausearch -ts recent --checkpoint chk1 -m USER | grep test2" 1 \

+ 	    "Moving checkpoint 1, test2 should not be reported"

+ 	rlRun "auditctl -m test3" 0 "Generating message test1"

+ 	rlRun -s "ausearch -ts recent --checkpoint chk2 -m USER | grep test" 0 \

+ 	    "Moving checkpoint 2, only test[23] should be reported"

+ 	rlAssertNotGrep "test1" $rlRun_LOG

+ 	rlAssertGrep "test2" $rlRun_LOG

+ 	rlAssertGrep "test3" $rlRun_LOG

+ 	rlRun "ausearch -ts recent --checkpoint chk2 -m USER | grep test" 1 \

+ 	    "Moving checkpoint 2, not test should be reported"

+ 	rlRun "auditctl -m test4" 0  "Generating message test1"

+ 	rlRun "ausearch -ts recent --checkpoint chk2 -m USER | grep test4" 0 \

+ 	    "Moving checkpoint 2, test4 should be reported"

+       rlPhaseEnd

+   fi

+ 

+   rlPhaseStartTest "ausearch: display of commas between categories"

+     cat > audit.log.c <<_EOF

+ type=AVC msg=audit(1405523880.601:4179): avc:  denied  { read } for  pid=20157 comm="bash" name="user20200" dev=vda3 ino=144202 scontext=unconfined_u:unconfined_r:sandbox_t:s0:c304,c875 tcontext=unconfined_u:object_r:mnt_t:s0 tclass=lnk_file

+ type=SYSCALL msg=audit(1405523880.601:4179): arch=c000003e syscall=2 success=no exit=-13 a0=87d750 a1=401 a2=180 a3=1b items=1 ppid=20156 pid=20157 auid=508 uid=508 gid=508 euid=508 suid=508 fsuid=508 egid=508 sgid=508 fsgid=508 tty=pts2 ses=395 comm="bash" exe="/bin/bash" subj=unconfined_u:unconfined_r:sandbox_t:s0:c304,c875 key=(null)

+ type=CWD msg=audit(1405523880.601:4179):  cwd="/nfs/staff/user20200"

+ type=PATH msg=audit(1405523880.601:4179): item=0 name="/u/user20200/.bash_history" nametype=UNKNOWN

+ _EOF

+     rlRun "ausearch -if audit.log.c -m avc |grep 'type=SYSCALL.*subj=unconfined_u:unconfined_r:sandbox_t:s0:c304,c875'"

+     rlRun "ausearch -if audit.log.c -m avc |grep 'type=AVC.*scontext=unconfined_u:unconfined_r:sandbox_t:s0:c304,c875'"

+     rlRun "ausearch -if audit.log.c -m avc -i |grep 'type=SYSCALL.*subj=unconfined_u:unconfined_r:sandbox_t:s0:c304,c875'"

+     rlRun "ausearch -if audit.log.c -m avc -i |grep 'type=AVC.*scontext=unconfined_u:unconfined_r:sandbox_t:s0:c304,c875'"

+   rlPhaseEnd

+ 

+ if rlIsRHEL '>=6.6'; then

+   rlPhaseStartTest "rebase to 2.3.7"

+         rlLog "ausearch shouldn't interpret 'fp' field in CRYPTO_KEY_USER events"

+         cat > audit_crypto_key.log <<_EOF

+ type=CRYPTO_KEY_USER msg=audit(1314776321.939:65010): user pid=633 uid=0 auid=0 ses=1445 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=9e:c3:25:e6:60:97:6b:2b:d0:c1:98:90:a1:b6:b4:d7 direction=? spid=633 suid=0 : exe="/usr/sbin/sshd" hostname=? addr=10.10.36.180 terminal=? res=success'

+ _EOF

+         rlRun "ausearch -m CRYPTO_KEY_USER -i -if audit_crypto_key.log" 0

+         rlRun "ausearch -m CRYPTO_KEY_USER -i -if audit_crypto_key.log | grep 'type=CRYPTO_KEY_USER.*fp=9e:c3:25:e6:60:97:6b:2b:d0:c1:98:90:a1:b6:b4:d7'" 0

+ 

+         rlLog "test debug option for corrupted events entries (missing auid or pid fields)"

+         cat > audit_corrupted.log <<_EOF

+ type=CRYPTO_KEY_USER msg=audit(1314776321.939:65011): user pid=633 uid=0 ses=1445 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=02:41:d6:dd:8e:57:f9:0b:48:7a:22:7c:3f:23:26:3f direction=? spid=633 suid=0 : exe="/usr/sbin/sshd" hostname=? addr=10.10.36.180 terminal=? res=success'

+ _EOF

+         rlRun "ausearch -if audit_corrupted.log -ua 0 2>&1 | grep '<no matches>'"

+         rlRun "ausearch -if audit_corrupted.log -ua 0 --debug 2>&1 | grep 'Malformed event skipped, rc=7. type=CRYPTO_KEY_USER'"

+ 

+         rlLog "Interpret syscall field in SECCOMP events"

+         # rhel 6 doesn't have seccomp but it still may be used as an aggregating server for rhel7/fedora events

+ 	# syscall events for all architectures

+         cat > audit_seccomp.log <<_EOF

+ type=SECCOMP msg=audit(1395076595.898:756): auid=1000 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=3283 comm="test" sig=31 arch=80000015 syscall=231 compat=0 ip=0x7fe37deb9c09 code=0x0

+ type=SECCOMP msg=audit(1395076595.898:757): auid=1000 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=3283 comm="test" sig=31 arch=80000016 syscall=231 compat=0 ip=0x7fe37deb9c09 code=0x0

+ type=SECCOMP msg=audit(1395076595.898:758): auid=1000 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=3283 comm="test" sig=31 arch=c000003e syscall=231 compat=0 ip=0x7fe37deb9c09 code=0x0

+ type=SECCOMP msg=audit(1395076595.898:759): auid=1000 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=3283 comm="test" sig=31 arch=40000003 syscall=231 compat=0 ip=0x7fe37deb9c09 code=0x0

+ type=SECCOMP msg=audit(1395076595.898:760): auid=1000 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=3283 comm="test" sig=31 arch=c0000015 syscall=231 compat=0 ip=0x7fe37deb9c09 code=0x0

+ type=SECCOMP msg=audit(1395076595.898:761): auid=1000 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=3283 comm="test" sig=31 arch=c00000b7 syscall=231 compat=0 ip=0x7fe37deb9c09 code=0x0

+ _EOF

+ 

+ 

+         #Check that all syscalls are interpretted:

+         rlRun "ausearch -if audit_seccomp.log -i" 0

+         found_events=`ausearch -if audit_seccomp.log -i | grep '^type=SECCOMP' | wc -l`

+         rlAssertEquals "Check that all syscalls are interpretted" $found_events 6

+         rlRun "ausearch -m SECCOMP -if audit_seccomp.log -i" 0

+         found_events2=`ausearch -m SECCOMP -if audit_seccomp.log -i | grep '^type=SECCOMP' | wc -l`

+         rlAssertEquals "Check that all syscalls are interpretted" $found_events2 6

+ 

+         #Check that you can search for syscall by name

+         #find name of syscall 231, ausearch search by name only for current architecture

+ 	# it internally translate syscall name to its number and searches by number

+         sys_name=`ausyscall --dump | grep 231 | awk -F ' ' '{print $2}'`

+         echo $sys_name

+         rlRun "ausearch -if audit_seccomp.log -sc $sys_name -i" 0

+ 

+         #Check that you can find syscall 231

+         rlRun "ausearch -if audit_seccomp.log -sc 231 -i" 0

+         found_events3=`ausearch -if audit_seccomp.log -sc 231 -i | grep '^type=SECCOMP' | wc -l`

+         rlAssertEquals "Check that all syscalls are interpretted" $found_events3 6

+ 

+ 	# check if ausearch can use directory as 'input'

+ 	rlFileBackup --clean /var/log/audit2

+ 	mkdir /var/log/audit2

+ 	rlRun "cp /var/log/audit/* /var/log/audit2"

+ 	# audit.log is usually long, so print only 'tail' 

+ 	rlRun "ausearch -if /var/log/audit2 | tail"

+ 	# it should output more lines than 1 (means <no matches> with old audit)

+ 	rlAssertGreater "Check if ausearch show something" `ausearch -if /var/log/audit2|wc -l` 1

+   rlPhaseEnd

+ fi

+ 

+   rlPhaseStartCleanup

+     rlRun "rm -f $rlRun_LOG chk*" 0 "Clean-up"

+     rlFileRestore

+   rlPhaseEnd

+ 

+ rlJournalEnd

+ 

+ rlJournalPrintText
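Review bot: The setup phase's `if ./aumerge /var/log/audit/audit.log audit.log` block merges records from the live system audit log into the sample under test and, whenever a new record type appears, emails a gzip'd uuencoded copy of that merged log to a personal address. On any host that runs this test — Fedora CI or a contributor's machine, as root — that is real audit data (uids, hostnames, exe paths, SELinux contexts) leaving the box over unauthenticated mail, and `mail` is not among the required packages, so the step's failure is silently swallowed. It also makes the result non-deterministic, since ausearch-test then exercises whatever records the host happened to produce rather than the vendored sample. Drop the merge from the path under test and, if coverage samples are still wanted, keep them on the host: `rlRun "cp audit.log audit.log.merged && ./aumerge /var/log/audit/audit.log audit.log.merged" 0,2; rlFileSubmit audit.log.merged` — or gate the whole block behind an explicit opt-in variable. The `audit.log.$(uname -m)` sample the first `cp -f` expects is not among the files shown in this PR; confirm it is part of the change.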

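--- /dev/null
+++ b/tests/tests.yml
@@ -0,0 +1,18 @@
+---
+# Tests for audit
+- hosts: localhost
+  roles:
+  - role: standard-test-beakerlib
+    tags:
+    - classic
+    - container
+    tests:
+    - ausearch-smoke
+    required_packages:
+    - audit
+    - audit-libs
+    - audit-libs-devel
+    - gcc
+    - gzip
+    - rpm-build
+    - sharutils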
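Review bot: `required_packages` omits the `mailx` package behind the `mail -s ...` call in runtest.sh's setup phase, so that step fails silently wherever it is reached; if the mailing is kept it belongs here, though removing it is the better fix. The `container` tag also deserves a caveat: inside a container there is normally no auditd writing `/var/log/audit/audit.log`, so the merge step is a no-op and `ausearch` on the live log has nothing to read, and the checkpoint and "rebase to 2.3.7" phases are skipped anyway because runtest.sh gates them on `rlIsRHEL '>=6.6'`, which is false on Fedora — on the targets this playbook runs against only the ausearch-test and comma-display phases execute. Consider `if rlIsRHEL '>=6.6' || rlIsFedora ; then` in runtest.sh so Fedora CI actually exercises those phases.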


Justification

Adds tests according to the CI wiki specifically the standard test interface in the spec.

The playbook includes Tier1-level test cases that have been run in the following contexts and are passing reliably: Classic and Container. Test logs are stored in the artifacts directory.

The following steps are used to execute the tests using the standard test interface:

Test environment

Make sure you have installed packages from the spec

$ rpm -q ansible python2-dnf libselinux-python standard-test-roles
ansible-2.3.2.0-1.fc26.noarch
python2-dnf-2.6.3-11.fc26.noarch
libselinux-python-2.6-7.fc26.x86_64
standard-test-roles-2.4-1.fc26.noarch

Run tests for Classic

$ export TEST_SUBJECTS=
$ sudo ansible-playbook --tags classic tests.yml

Snip of the example test run:

TASK [standard-test-beakerlib : Check the results] ************************************
changed: [localhost]
PLAY RECAP ****************************************************************************
localhost                  : ok=30   changed=18   unreachable=0    failed=0

PASS basic-sanity
PASS selftest
PASS selftest
PASS pam_unix
PASS Test-coverage-for-TTY-auditing
PASS Test-coverage-for-TTY-auditing
PASS ausearch-smoke
PASS ausearch-smoke

Run tests for Container

$ export TEST_SUBJECTS=docker:docker.io/library/fedora:26
$ sudo ansible-playbook --tags=container tests.yml

Snip of the example test run:

TASK [standard-test-beakerlib : Check the results] ************************************************************************************************
changed: [ed021fcff70ff478a2bc76f8d7ca81405b234dd81ade8105d0c4b60928e0164d]

PLAY RECAP *************************************************************************************
ed021fcff70ff478a2bc76f8d7ca81405b234dd81ade8105d0c4b60928e0164d : ok=15   changed=11   unreachable=0    failed=0   

Notes

Tests will be enabled in CI, yet gating is currently disabled, so nothing will change. Tests will run on each dist-git commit, they are not triggered on koji builds and if you are using FMN, it should notify you of failures normally.

The RH QE maintainer contact in case you have questions: sturivny @redhat.com
The idea is that these tests become yours just as you're maintaining the package, there will, of course, be people around if you have questions or troubles.

Pull-Request has been closed by sturivny

a year ago