From 28b9b8c696731f6d4c689b10ddef3a0d44116bec Mon Sep 17 00:00:00 2001 From: Serhii Turivny Date: Oct 03 2017 08:42:27 +0000 Subject: Add CI tests using the standard test interface Adds tests according to the CI wiki [0] specifically the standard test interface in the spec [1]. [0] https://fedoraproject.org/wiki/CI [1] https://fedoraproject.org/wiki/Changes/InvokingTests
---
diff --git a/tests/README.rst b/tests/README.rst
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/README.rst
diff --git a/tests/ausearch-smoke/Makefile b/tests/ausearch-smoke/Makefile
new file mode 100644
index 0000000..abb557d
--- /dev/null
+++ b/tests/ausearch-smoke/Makefile
@@ -0,0 +1,67 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Makefile of /CoreOS/audit/ausearch-smoke
+# Description: Sanity test for ausearch
+# Author: Ondrej Moris
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/audit/Sanity/ausearch-smoke
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE ausearch-test.c aucoverage aumerge
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+ ./runtest.sh
+
+build: $(BUILT_FILES)
+ test -x runtest.sh || chmod a+x runtest.sh
+ test -x aumerge || chmod a+x aumerge
+ test -x aucoverage || chmod a+x aucoverage
+ gcc -g -W -Wall -Wundef -D_GNU_SOURCE ausearch-test.c -o ausearch-test -lauparse -laudit
+
+clean:
+ rm -f *~ $(BUILT_FILES)
+ rm -f ausearch-test
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+ @echo "Owner: Ondrej Moris " > $(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "Description: Sanity test for ausearch" >> $(METADATA)
+ @echo "Type: Sanity" >> $(METADATA)
+ @echo 
"TestTime: 15m" >> $(METADATA) + @echo "RunFor: audit" >> $(METADATA) + @echo "Requires: gcc rpm-build audit audit-libs audit-libs-devel gzip sharutils" >> $(METADATA) + @echo "Releases: RHEL6 RHEL7" >> $(METADATA) + @echo "Priority: Normal" >> $(METADATA) + @echo "License: GPLv2" >> $(METADATA) + @echo "Confidential: no" >> $(METADATA) + @echo "Destructive: no" >> $(METADATA) + + rhts-lint $(METADATA) diff --git a/tests/ausearch-smoke/PURPOSE b/tests/ausearch-smoke/PURPOSE new file mode 100644 index 0000000..9f95124 --- /dev/null +++ b/tests/ausearch-smoke/PURPOSE @@ -0,0 +1,7 @@ +PURPOSE of /CoreOS/audit/Sanity/ausearch-smoke +Description: Sanity test for ausearch +Author: Ondrej Moris + +Uses ausearch-test [1] provided by Steve Grubb. + +[1] http://people.redhat.com/sgrubb/audit/ausearch-test-0.5.tar.gz diff --git a/tests/ausearch-smoke/aucoverage b/tests/ausearch-smoke/aucoverage new file mode 100755 index 0000000..d9b02cb --- /dev/null +++ b/tests/ausearch-smoke/aucoverage @@ -0,0 +1,24 @@ +#!/bin/sh +if [ $# -ne 1 ] ; then + echo "aucoverage LOG1 | --dump" + exit 1 +fi +INLOG="$1" +if [ "$1" = "--dump" ] ; then + ausearch -m 2>&1 | tr ' ' '\n'| egrep [A-Z] | egrep -v 'ALL|Argument|Valid|EOE|TRUSTED_APP|KERNEL_OTHER' | sort + exit 0 +fi +if [ ! -e $INLOG ] ; then + echo "Can't read $INLOG" + exit 1 +fi +types=`ausearch -m 2>&1 | tr ' ' '\n'| egrep [A-Z] | egrep -v 'ALL|Argument|Valid|EOE|TRUSTED_APP|KERNEL_OTHER' | sort` +#echo -e "$types\n\n" +for t in $types +do + ausearch -if $INLOG -m $t --just-one --raw 2>/dev/null 1>&2 + if [ $? -ne 0 ] ; then + echo "Missing $t" + fi +done + diff --git a/tests/ausearch-smoke/aumerge b/tests/ausearch-smoke/aumerge new file mode 100755 index 0000000..020a914 --- /dev/null +++ b/tests/ausearch-smoke/aumerge 
@@ -0,0 +1,39 @@
+#!/bin/sh
+if [ $# -ne 2 -o "$1" = "--help" ] ; then
+ echo "aumerge LOG1 LOG2"
+ echo "Where LOG2 is the one that is appended to."
+ exit 1
+fi
+INLOG="$1"
+OUTLOG="$2"
+if [ ! -e $INLOG ] ; then
+ echo "Can't read $INLOG"
+ exit 1
+fi
+if [ ! -e $OUTLOG ] ; then
+ echo "Can't read $OUTLOG"
+ exit 1
+fi
+appended=0
+types=`ausearch -m 2>&1 | tr ' ' '\n'| egrep [A-Z] | egrep -v 'ALL|Argument|Valid|EOE|TRUSTED_APP|KERNEL_OTHER' | sort`
+#echo -e "$types\n\n"
+for t in $types
+do
+ ausearch -if $INLOG -m $t --just-one --raw 2>/dev/null 1>&2
+ if [ $? -eq 0 ] ; then
+ #echo "Found $t"
+ ausearch -if $OUTLOG -m $t --just-one --raw 2>/dev/null 1>&2
+ if [ $? -ne 0 ] ; then
+ ausearch -if $INLOG -m $t --just-one --raw 2>/dev/null >> $OUTLOG
+ echo "Appended $t to $OUTLOG"
+ appended=1
+ fi
+ fi
+done
+
+if [ $appended -eq 0 ] ; then
+ echo "There are no new records to merge"
+ exit 2
+fi
+
+exit 0
diff --git a/tests/ausearch-smoke/ausearch-test.c b/tests/ausearch-smoke/ausearch-test.c
new file mode 100644
index 0000000..4950ca6
--- /dev/null
+++ b/tests/ausearch-smoke/ausearch-test.c
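Review bot: aumerge appends to its second argument with `>> $OUTLOG` after checking only `-e` on it, so an unwritable target (or one whose path contains whitespace, since every `$INLOG`/`$OUTLOG` use is unquoted) fails on the append inside the loop instead of at the precondition, and the unquoted `egrep [A-Z]` is glob-expanded by the shell exactly as in aucoverage. Tighten the checks to `if [ ! -r "$INLOG" ] ; then` and `if [ ! -w "$OUTLOG" ] ; then`, quote the pattern as `'[A-Z]'`, and quote both paths on every `ausearch -if` line. Worth stating in the usage text as well: the appended records are copied verbatim from LOG1, so when the caller passes the live `/var/log/audit/audit.log` the host's own audit data (hostnames, uids, paths) ends up in LOG2.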
@@ -0,0 +1,326 @@ +/* + * ausearch-test.c - ausearch testing utility + * version: 0.5 + * Copyright 2014 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb + */ + +#include +#include +#include +#include +#include +#include +#include + +static char *AUSEARCH = NULL; +static char *LOG = NULL; +static int continue_on_error = 0; + +struct nv_pair { + const char *field; + const char *option; +}; + +static struct nv_pair options[] = +{ + {"comm", "-c" }, + {"exit", "-e" }, + {"name", "-f" }, + {"cwd", "-f" }, // INFO: old ausearch will fail this, comment out accordingly + {"path", "-f" }, + {"saddr", "-f" }, // if unix socket + {"gid", "--gid" }, + {"egid", "-ge" }, + {"hostname", "-hn" }, + {"addr", "-hn" }, + {"saddr", "-hn" }, + {"key", "-k" }, + {"type", "-m" }, + {"node", "-n" }, + {"pid", "-p" }, + {"ppid", "-pp" }, + {"obj", "-o" }, + {"syscall", "-sc" }, + {"tcontext", "-se" }, + {"scontext", "-se" }, + {"subj", "-su" }, + {"ses", "--session" }, + {"subj", "--subject" }, + {"scontext", "--subject" }, + {"res", "--success" }, + {"result", "--success" }, + {"success", "--success" }, + {"tty", "-tm" }, + {"terminal", "-tm" }, + {"uid", "-ui" }, + {"euid", "-ue" }, + {"auid", "-ul" }, + {"loginuid", "-ul" }, + 
{"uuid", "--uuid" }, + {"vm", "--vm-name" }, + {"exe", "-x" }, + { NULL, NULL} +}; + +const char *opt_lookup(const char *f) +{ + unsigned int i = 0; + while (options[i].field != NULL) { + if (strcasecmp(f, options[i].field) == 0) + break; + i++; + } + return options[i].option; +} + +int run_ausearch(auparse_state_t *au, char *line, const char *opt, + const char *val, const char *cmd) +{ + int rc = system(line); + if (rc) { + printf("\n"); + printf("Failed to locate a record\n"); + printf("Current test option: %s %s\n", + opt, val); + printf("Command used: %s\n", cmd); + printf("Full record being tested: %s\n", + auparse_get_record_text(au)); + if (!continue_on_error) { + free(line); + exit(1); + } else + return 1; + } + return 0; +} + +/* + * This tests one complete record + */ +int do_record_test(auparse_state_t *au) +{ + char cmd[8192], *ptr; + int hn = 0, li = 0, ses = 0, first = 0; + auparse_first_field(au); + ptr = cmd; + ptr = stpcpy(ptr, AUSEARCH); + ptr = stpcpy(ptr, " -if "); + ptr = stpcpy(ptr, LOG); + + do { + char *line; + if (first == 0) { + char buf[64]; + unsigned long serial = auparse_get_serial(au); + + snprintf(buf, sizeof(buf), "%lu", serial); + ptr = stpcpy(ptr, " -a "); + ptr = stpcpy(ptr, buf); + asprintf(&line, "%s >/dev/null 2>&1", cmd); + if (run_ausearch(au, line, "-a", buf, cmd)) { + free(line); + return 1; + } + free(line); + first = 1; + } + const char *field = auparse_get_field_name(au); + if (field) { + const char *opt = opt_lookup(field); + if (opt) { + char buf[4096]; + int type = auparse_get_type(au); + const char *val = auparse_get_field_str(au); + if (val == NULL) { + printf("can't get value for %s in %s\n", + field, + auparse_get_record_text(au)); + exit(1); + } + if (strcmp(val, "?") == 0) + // skip the unknowns + continue; + if (strcmp(opt, "--success") == 0) { + // Correct the value + if (val[0] == 's') + val = "yes"; + else if (val[0] == 'y') + val = "yes"; + else if (val[0] == '1') + val = "yes"; + else + val = "no"; + } + 
if (strcmp(field, "key") == 0) { + // skip (none) + if (val[0] == '(') + continue; + } + if (strcmp(opt, "-tm") == 0) { + // Skip (null) + if (val[0] == '(') + continue; + } + if (strcmp(opt, "-hn") == 0) { + // some records have both addr and + // hostname filled in - only use the + // first one + if (hn) continue; + hn = 1; + } + if (strcmp(field, "saddr") == 0) { + if (type == AUDIT_SOCKADDR) { + // If unix socket skip the + // the identifier for its type + val = auparse_interpret_field(au); + if (strncmp(val, "local", + 5) == 0) + val += 6; + else if (strncmp(val, "netlink", + 7) == 0) + // skip netlink - not a real + // address + continue; + } + } + if (strcmp(field, "name") == 0) { + if (strcmp(val, "(null)") == 0) + // Some files temporarily have + // no name - skip them + continue; + } + if (type == AUDIT_USER_AVC) + // USER AVCs are a mess - skip + continue; + if (type == AUDIT_LOGIN) { + // On login records, only second auid + // is searchable + if (strcmp(field, "auid") == 0 && + li == 0) { + li = 1; + continue; + } + // On login records, only second ses + // is searchable + if (strcmp(field, "ses") == 0 && + ses == 0) { + ses = 1; + continue; + } + } + if (type == AUDIT_USER_LOGIN) { + // On user login records, only second + // uid is searchable + if (strcmp(field, "uid") == 0 && + li == 0) { + li = 1; + continue; + } + } + if (type == AUDIT_USER_LOGOUT) { + // On user login records, only second + // uid is searchable + if (strcmp(field, "uid") == 0 && + li == 0) { + li = 1; + continue; + } + } + + if (auparse_get_field_type(au) == + AUPARSE_TYPE_ESCAPED && + val[0] != '"') { + snprintf(buf, sizeof(buf), "\'%s\'", + auparse_interpret_field(au)); + val = buf; + } + + ptr = stpcpy(ptr, " "); + ptr = stpcpy(ptr, opt); + ptr = stpcpy(ptr, " "); + ptr = stpcpy(ptr, val); + asprintf(&line, "%s >/dev/null 2>&1", cmd); + if (run_ausearch(au, line, opt, val, cmd)) { + free(line); + return 1; + } + free(line); + } + } + } while (auparse_next_field(au)); + return 
0; +} + +int main(int argc, char *argv[]) +{ + auparse_state_t *au; + int opt = 1, problems = 0; + + setlocale (LC_ALL, ""); + while (argc > opt) { + if (strcmp(argv[opt], "--help") == 0) { + printf("ausearch-test [path to different ausearch|log] [--continue]\n"); + return 0; + } +//printf("opt=%d, argv[opt]=%s\n", opt, argv[opt]); + if (strcmp(argv[opt], "--continue") == 0) + continue_on_error = 1; + else if (access(argv[opt], X_OK) == 0) + AUSEARCH = strdup(argv[opt]); + else if (access(argv[opt], R_OK) == 0) { + LOG = strdup(argv[opt]); + } else { + printf("Can't find replacement for ausearch: %s\n", argv[opt]); + return 1; + } + opt++; + } + if (AUSEARCH == NULL) + AUSEARCH = strdup("ausearch"); + if (LOG == NULL) + LOG = strdup("./audit.log"); + + au = auparse_init(AUSOURCE_FILE, LOG); + if (au == NULL) { + printf("Error initializing\n"); + return 1; + } + + printf("Starting the test\n"); + do { + auparse_first_record(au); + do { // Do the test on the record + if (do_record_test(au)) { + problems++; + break; // --continue given, do next event + } + } while (auparse_next_record(au) > 0); + } while (auparse_next_event(au) > 0); + + auparse_destroy(au); + if (problems) + printf("Done - %d problems detected\n", problems); + else + printf("Done - no problems detected\n"); + + return 0; +} + diff --git a/tests/ausearch-smoke/runtest.sh b/tests/ausearch-smoke/runtest.sh new file mode 100755 index 0000000..2448b11 --- /dev/null +++ b/tests/ausearch-smoke/runtest.sh 
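Review bot: `do_record_test` hands field values taken from the audit log to `/bin/sh` via `system()`: a value whose first character is `"` is appended to `cmd` verbatim (the `AUPARSE_TYPE_ESCAPED && val[0] != '"'` branch only single-quotes the other escaped fields, and even that wrapper breaks on an embedded `'`), so a `comm=`, `name=` or `key=` value containing `$(…)`, a backtick or a closing quote is interpreted by the shell — and runtest.sh merges records from the host's live audit log into the file this tool reads, so log content partly under the control of unprivileged local processes (file names, process names) reaches the shell. Independently, `cmd` is a fixed `char cmd[8192]` grown by repeated `stpcpy` with no length tracking, while each appended `val` may be up to `buf[4096]` and a record has many fields, so a long path or name overflows the stack buffer; the `asprintf` return value is also never checked. Replace the `system(line)` path with a fork/execvp of an argument vector (`<unistd.h>`, `<fcntl.h>`, `<sys/wait.h>`) so no shell parses the values, pass `auparse_interpret_field(au)` unquoted instead of wrapping it in `'…'`, and bound the number of arguments; `cmd` can remain as a printable line for the failure message only, built with `snprintf` against the remaining space.
```c
#define MAX_ARGS 128

/* Run ausearch via fork/execvp so field values reach it as argv entries
 * and are never parsed by /bin/sh. Returns the child's exit status,
 * or -1 if it could not be run. */
static int run_ausearch_argv(char *const argv[])
{
	pid_t pid = fork();
	if (pid < 0)
		return -1;
	if (pid == 0) {
		int devnull = open("/dev/null", O_WRONLY);
		if (devnull >= 0) {
			dup2(devnull, STDOUT_FILENO);
			dup2(devnull, STDERR_FILENO);
		}
		execvp(argv[0], argv);
		_exit(127);
	}
	int status;
	if (waitpid(pid, &status, 0) < 0)
		return -1;
	return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* … unchanged: option table, opt_lookup … */

/* in do_record_test: collect an argv instead of concatenating cmd */
	char *argv[MAX_ARGS + 1] = { AUSEARCH, "-if", LOG };
	int argc = 3;
	/* … unchanged: serial handling, field lookup and skip rules … */
	if (argc + 2 >= MAX_ARGS) {
		printf("too many fields in record: %s\n",
		       auparse_get_record_text(au));
		return 1;
	}
	argv[argc++] = (char *)opt;
	argv[argc++] = strdup(val);	/* val may alias auparse's scratch buffer; free these before returning */
	argv[argc] = NULL;
	if (run_ausearch_argv(argv))
		return 1;
```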
@@ -0,0 +1,172 @@ +#!/bin/bash +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# runtest.sh of /CoreOS/audit/ausearch-smoke +# Description: Sanity test for ausearch +# Author: Ondrej Moris +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2013 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +# Include rhts environment +. /usr/bin/rhts-environment.sh +. /usr/lib/beakerlib/beakerlib.sh + +PACKAGE="audit" + + +rlJournalStart + + rlPhaseStartSetup + rlCheckRpm "audit" || rlDie + rlRun "cp -f audit.log.$(uname -m) audit.log" 0 + rlLog "Merging system audit.log to check new events" + if ./aumerge /var/log/audit/audit.log audit.log; then + rlLog "New events have been found!" + cp audit.log audit.log.$(uname -m) && \ + gzip -c audit.log.$(uname -m) | \ + uuencode audit.log.$(uname -m).gz | \ + mail -s "ausearch-smoke update ($(uname -m))" omoris@redhat.com + else + rlLog "No new events have been found" + fi + total=$(./aucoverage --dump | wc -l) + missing=$(./aucoverage audit.log | wc -l) + rlLog "Using sample audit.log missing $missing of $total event types" + if [[ ! -x ausearch-test ]] ; then + rlLog "ausearch-test has not been built, attempting to build now." 
+ rlRun "gcc -g -W -Wall -Wundef -D_GNU_SOURCE ausearch-test.c -o ausearch-test -lauparse -laudit" 0 + fi + rlPhaseEnd + + rlPhaseStartTest "ausearch-test" + rlRun -s "./ausearch-test audit.log --continue" + rlAssertGrep "Done - no problems detected" $rlRun_LOG + rlPhaseEnd + + if rlIsRHEL '>=6.6' ; then + rlPhaseStartTest "checkpoint" + rlRun "auditctl -m test1" 0 "Generating message test1" + rlRun "ausearch -ts recent --checkpoint chk1 -m USER | grep test1" 0 \ + "Creating checkpoint 1, test1 should be reported" + rlRun "ausearch -ts recent --checkpoint chk1 -m USER | grep test1" 1 \ + "Moving checkpoint 1, test1 should not be reported" + rlRun "ausearch -ts recent --checkpoint chk2 -m USER | grep test1" 0 \ + "Creating checkpoint 2, test1 should be reported" + rlRun "auditctl -m test2" 0 "Generating message test2" + rlRun "ausearch -ts recent --checkpoint chk1 -m USER | grep test2" 0 \ + "Moving checkpoint 1, test2 should be reported" + rlRun "ausearch -ts recent --checkpoint chk1 -m USER | grep test2" 1 \ + "Moving checkpoint 1, test2 should not be reported" + rlRun "auditctl -m test3" 0 "Generating message test1" + rlRun -s "ausearch -ts recent --checkpoint chk2 -m USER | grep test" 0 \ + "Moving checkpoint 2, only test[23] should be reported" + rlAssertNotGrep "test1" $rlRun_LOG + rlAssertGrep "test2" $rlRun_LOG + rlAssertGrep "test3" $rlRun_LOG + rlRun "ausearch -ts recent --checkpoint chk2 -m USER | grep test" 1 \ + "Moving checkpoint 2, not test should be reported" + rlRun "auditctl -m test4" 0 "Generating message test1" + rlRun "ausearch -ts recent --checkpoint chk2 -m USER | grep test4" 0 \ + "Moving checkpoint 2, test4 should be reported" + rlPhaseEnd + fi + + rlPhaseStartTest "ausearch: display of commas between categories" + cat > audit.log.c <<_EOF +type=AVC msg=audit(1405523880.601:4179): avc: denied { read } for pid=20157 comm="bash" name="user20200" dev=vda3 ino=144202 scontext=unconfined_u:unconfined_r:sandbox_t:s0:c304,c875 
tcontext=unconfined_u:object_r:mnt_t:s0 tclass=lnk_file +type=SYSCALL msg=audit(1405523880.601:4179): arch=c000003e syscall=2 success=no exit=-13 a0=87d750 a1=401 a2=180 a3=1b items=1 ppid=20156 pid=20157 auid=508 uid=508 gid=508 euid=508 suid=508 fsuid=508 egid=508 sgid=508 fsgid=508 tty=pts2 ses=395 comm="bash" exe="/bin/bash" subj=unconfined_u:unconfined_r:sandbox_t:s0:c304,c875 key=(null) +type=CWD msg=audit(1405523880.601:4179): cwd="/nfs/staff/user20200" +type=PATH msg=audit(1405523880.601:4179): item=0 name="/u/user20200/.bash_history" nametype=UNKNOWN +_EOF + rlRun "ausearch -if audit.log.c -m avc |grep 'type=SYSCALL.*subj=unconfined_u:unconfined_r:sandbox_t:s0:c304,c875'" + rlRun "ausearch -if audit.log.c -m avc |grep 'type=AVC.*scontext=unconfined_u:unconfined_r:sandbox_t:s0:c304,c875'" + rlRun "ausearch -if audit.log.c -m avc -i |grep 'type=SYSCALL.*subj=unconfined_u:unconfined_r:sandbox_t:s0:c304,c875'" + rlRun "ausearch -if audit.log.c -m avc -i |grep 'type=AVC.*scontext=unconfined_u:unconfined_r:sandbox_t:s0:c304,c875'" + rlPhaseEnd + +if rlIsRHEL '>=6.6'; then + rlPhaseStartTest "rebase to 2.3.7" + rlLog "ausearch shouldn't interpret 'fp' field in CRYPTO_KEY_USER events" + cat > audit_crypto_key.log <<_EOF +type=CRYPTO_KEY_USER msg=audit(1314776321.939:65010): user pid=633 uid=0 auid=0 ses=1445 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=9e:c3:25:e6:60:97:6b:2b:d0:c1:98:90:a1:b6:b4:d7 direction=? spid=633 suid=0 : exe="/usr/sbin/sshd" hostname=? addr=10.10.36.180 terminal=? 
res=success' +_EOF + rlRun "ausearch -m CRYPTO_KEY_USER -i -if audit_crypto_key.log" 0 + rlRun "ausearch -m CRYPTO_KEY_USER -i -if audit_crypto_key.log | grep 'type=CRYPTO_KEY_USER.*fp=9e:c3:25:e6:60:97:6b:2b:d0:c1:98:90:a1:b6:b4:d7'" 0 + + rlLog "test debug option for corrupted events entries (missing auid or pid fields)" + cat > audit_corrupted.log <<_EOF +type=CRYPTO_KEY_USER msg=audit(1314776321.939:65011): user pid=633 uid=0 ses=1445 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=02:41:d6:dd:8e:57:f9:0b:48:7a:22:7c:3f:23:26:3f direction=? spid=633 suid=0 : exe="/usr/sbin/sshd" hostname=? addr=10.10.36.180 terminal=? res=success' +_EOF + rlRun "ausearch -if audit_corrupted.log -ua 0 2>&1 | grep ''" + rlRun "ausearch -if audit_corrupted.log -ua 0 --debug 2>&1 | grep 'Malformed event skipped, rc=7. type=CRYPTO_KEY_USER'" + + rlLog "Interpret syscall field in SECCOMP events" + # rhel 6 doesn't have seccomp but it still may be used as an aggregating server for rhel7/fedora events + # syscall events for all architectures + cat > audit_seccomp.log <<_EOF +type=SECCOMP msg=audit(1395076595.898:756): auid=1000 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=3283 comm="test" sig=31 arch=80000015 syscall=231 compat=0 ip=0x7fe37deb9c09 code=0x0 +type=SECCOMP msg=audit(1395076595.898:757): auid=1000 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=3283 comm="test" sig=31 arch=80000016 syscall=231 compat=0 ip=0x7fe37deb9c09 code=0x0 +type=SECCOMP msg=audit(1395076595.898:758): auid=1000 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=3283 comm="test" sig=31 arch=c000003e syscall=231 compat=0 ip=0x7fe37deb9c09 code=0x0 +type=SECCOMP msg=audit(1395076595.898:759): auid=1000 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=3283 comm="test" sig=31 arch=40000003 syscall=231 compat=0 ip=0x7fe37deb9c09 code=0x0 
+type=SECCOMP msg=audit(1395076595.898:760): auid=1000 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=3283 comm="test" sig=31 arch=c0000015 syscall=231 compat=0 ip=0x7fe37deb9c09 code=0x0 +type=SECCOMP msg=audit(1395076595.898:761): auid=1000 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=3283 comm="test" sig=31 arch=c00000b7 syscall=231 compat=0 ip=0x7fe37deb9c09 code=0x0 +_EOF + + + #Check that all syscalls are interpretted: + rlRun "ausearch -if audit_seccomp.log -i" 0 + found_events=`ausearch -if audit_seccomp.log -i | grep '^type=SECCOMP' | wc -l` + rlAssertEquals "Check that all syscalls are interpretted" $found_events 6 + rlRun "ausearch -m SECCOMP -if audit_seccomp.log -i" 0 + found_events2=`ausearch -m SECCOMP -if audit_seccomp.log -i | grep '^type=SECCOMP' | wc -l` + rlAssertEquals "Check that all syscalls are interpretted" $found_events2 6 + + #Check that you can search for syscall by name + #find name of syscall 231, ausearch search by name only for current architecture + # it internally translate syscall name to its number and searches by number + sys_name=`ausyscall --dump | grep 231 | awk -F ' ' '{print $2}'` + echo $sys_name + rlRun "ausearch -if audit_seccomp.log -sc $sys_name -i" 0 + + #Check that you can find syscall 231 + rlRun "ausearch -if audit_seccomp.log -sc 231 -i" 0 + found_events3=`ausearch -if audit_seccomp.log -sc 231 -i | grep '^type=SECCOMP' | wc -l` + rlAssertEquals "Check that all syscalls are interpretted" $found_events3 6 + + # check if ausearch can use directory as 'input' + rlFileBackup --clean /var/log/audit2 + mkdir /var/log/audit2 + rlRun "cp /var/log/audit/* /var/log/audit2" + # audit.log is usually long, so print only 'tail' + rlRun "ausearch -if /var/log/audit2 | tail" + # it should output more lines than 1 (means with old audit) + rlAssertGreater "Check if ausearch show something" `ausearch -if /var/log/audit2|wc -l` 1 + rlPhaseEnd +fi + + 
rlPhaseStartCleanup
+ rlRun "rm -f $rlRun_LOG chk*" 0 "Clean-up"
+ rlFileRestore
+ rlPhaseEnd
+
+rlJournalEnd
+
+rlJournalPrintText
diff --git a/tests/tests.yml b/tests/tests.yml
new file mode 100644
index 0000000..d7c0c8f
--- /dev/null
+++ b/tests/tests.yml
@@ -0,0 +1,18 @@
+---
+# Tests for audit
+- hosts: localhost
+ roles:
+ - role: standard-test-beakerlib
+ tags:
+ - classic
+ - container
+ tests:
+ - ausearch-smoke
+ required_packages:
+ - audit
+ - audit-libs
+ - audit-libs-devel
+ - gcc
+ - gzip
+ - rpm-build
+ - sharutils
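Review bot: The setup phase pipes the merged audit log — which `./aumerge /var/log/audit/audit.log audit.log` has just populated from the host's live audit trail — through `gzip | uuencode | mail` to a hard-coded personal address, so any CI run that meets a new event type sends host audit records (uids, hostnames, paths, syscalls) off the machine, and it overwrites the committed fixture `audit.log.$(uname -m)` in place at the same time. A CI test should not send mail; replace the `cp … | mail` pipeline with `rlFileSubmit audit.log "audit.log.$(uname -m).merged"` so the candidate fixture lands in the journal for a human to review and commit. The cleanup phase removes only `$rlRun_LOG chk*`, leaving `audit.log`, `audit.log.c`, `audit_crypto_key.log`, `audit_corrupted.log` and `audit_seccomp.log` behind in the test directory; add them to that `rm -f` line. The `ausearch … | grep` assertions also rely on the pipeline returning grep's status (no `pipefail`), which deserves a one-line comment so a later `set -o pipefail` does not invert the expected 1 results.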
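Review bot: The `container` tag opts this test into container runs, but runtest.sh calls `auditctl -m`, reads `/var/log/audit/audit.log` and creates `/var/log/audit2`, which presumably need the host's audit netlink socket and a running auditd — neither is normally available in an unprivileged container, so the checkpoint and directory-input phases would fail or be vacuous there. Drop `- container` until the test is known to pass in that environment, or gate those phases in runtest.sh on a capability check. `gzip` and `sharutils` are listed only for the mail step in runtest.sh; if that step goes, they can be removed from `required_packages` too.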