forked from linux-audit/audit-testsuite
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
tests: add test for signal and ptrace OBJ_PID records
See: linux-audit#81 Signed-off-by: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
- Loading branch information
Showing
3 changed files
with
157 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| TARGETS=$(patsubst %.c,%,$(wildcard *.c)) | ||
|
|
||
| LDLIBS += -lpthread | ||
|
|
||
| all: $(TARGETS) | ||
| clean: | ||
| rm -f $(TARGETS) | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,148 @@ | ||
| #!/usr/bin/perl | ||
|
|
||
| use strict; | ||
| use File::Temp qw/ tempdir tempfile /; | ||
| use Test; | ||
| BEGIN { plan tests => 8 } | ||
|
|
||
| ### | ||
| # functions | ||
|
|
||
| sub key_gen { | ||
| my @chars = ( "A" .. "Z", "a" .. "z" ); | ||
| my $key = "testsuite-" . time . "-"; | ||
| $key .= $chars[ rand @chars ] for 1 .. 8; | ||
| return $key; | ||
| } | ||
|
|
||
| ### | ||
| # setup | ||
|
|
||
| my ( $sec, $min, $hour, $mday, $mon, $year, $wday, $yday, $isdst ) = | ||
| localtime(time); | ||
| $year += 1900; | ||
| $mon += 1; | ||
| my $startdate = "$year-$mon-$mday"; | ||
| my $starttime = "$hour:$min:$sec"; | ||
|
|
||
| # create stdout/stderr sinks | ||
| ( my $fh_out, my $stdout ) = tempfile( | ||
| TEMPLATE => '/tmp/audit-testsuite-out-XXXX', | ||
| UNLINK => 1 | ||
| ); | ||
| ( my $fh_err, my $stderr ) = tempfile( | ||
| TEMPLATE => '/tmp/audit-testsuite-err-XXXX', | ||
| UNLINK => 1 | ||
| ); | ||
|
|
||
| # clear all rules, turn on auditing | ||
| system("auditctl -D >/dev/null 2>&1"); | ||
| system("auditctl -e 1 >/dev/null 2>&1"); | ||
|
|
||
| # Generate a unique test key | ||
| my $key = key_gen(); | ||
| my $result; | ||
|
|
||
| ### | ||
| # tests | ||
| # Test signals | ||
| # Add rule to catch signals generated by self | ||
| $result = | ||
| system( | ||
| "auditctl -a exit,always -F arch=b$ENV{MODE} -S kill -F pid=$$ -F key=$key >/dev/null 2>&1" | ||
| ); | ||
| ok( $result, 0 ); # Was the rule accepted? | ||
|
|
||
| # Test signal to process group | ||
| my $task1_pid = fork(); | ||
| if ( not $task1_pid ) { | ||
| setpgrp || die; | ||
|
|
||
| # create 2 child processes | ||
| fork || sleep 10; | ||
| fork || sleep 10; | ||
| sleep 10; | ||
| } | ||
| sleep 1; | ||
|
|
||
| # generate signal | ||
| my $count = kill 'SIGTERM', -$task1_pid; | ||
| ok( $count, 1 ); # Was the signal delivered? | ||
| ok( $task1_pid > 0 ); # Did taskself start ok? | ||
|
|
||
| # Delete audit rule | ||
| system( | ||
| "auditctl -d exit,always -F arch=b$ENV{MODE} -S kill -F pid=$$ -F key=$key >/dev/null 2>&1" | ||
| ); | ||
|
|
||
| # Test ptrace | ||
| # Add rule to catch ptrace | ||
| $result = | ||
| system( | ||
| "auditctl -a exit,always -F arch=b$ENV{MODE} -S ptrace -F key=$key >/dev/null 2>&1" | ||
| ); | ||
| ok( $result, 0 ); # Was the rule accepted? | ||
|
|
||
| # Create task to which to attach | ||
| seek( $fh_out, 0, 0 ); | ||
| system("sleep .1 >/dev/null 2>&1 & echo \$! >$stdout"); | ||
| my $task2_pid = <$fh_out>; | ||
| chomp($task2_pid); | ||
|
|
||
| # Generate a ptrace event | ||
| $result = system("strace -p $task2_pid >/dev/null 2>&1"); | ||
| ok( $result, 0 ); # Was the ptrace command successful? | ||
|
|
||
| # Delete audit rule | ||
| $result = | ||
| system( | ||
| "auditctl -d exit,always -F arch=b$ENV{MODE} -S ptrace -F key=$key >/dev/null 2>&1" | ||
| ); | ||
|
|
||
| # make sure the records had a chance to bubble through to the logs | ||
| system("auditctl -m syncmarker-$key"); | ||
| for ( my $i = 0 ; $i < 10 ; $i++ ) { | ||
| if ( system("ausearch -m USER | grep -q syncmarker-$key") eq 0 ) { | ||
| last; | ||
| } | ||
| sleep(0.2); | ||
| } | ||
|
|
||
| # find the events | ||
| seek( $fh_out, 0, 0 ); | ||
| seek( $fh_err, 0, 0 ); | ||
| $result = system( | ||
| "LC_TIME=\"en_DK.utf8\" ausearch --start $startdate $starttime -i -k $key >$stdout 2>$stderr" | ||
| ); | ||
| ok( $result, 0 ); # Was an event found? | ||
|
|
||
| # test if we generate the OBJ_PID records correctly | ||
| my $line; | ||
| my $found_signal = 0; | ||
| my $found_ptrace = 0; | ||
| while ( $line = <$fh_out> ) { | ||
| if ( $line =~ /^type=OBJ_PID / ) { | ||
| if ( $line =~ / opid=([0-9]+) / ) { | ||
| if ( $1 == $task1_pid ) { | ||
| $found_signal = 1; | ||
| } | ||
| elsif ( $1 == $task2_pid ) { | ||
| $found_ptrace = 1; | ||
| } | ||
| } | ||
| } | ||
| } | ||
| ok( $found_signal, 1 ); # Was the first signal found? | ||
| ok( $found_ptrace, 1 ); # Was the ptrace found? | ||
|
|
||
| if ( defined $ENV{ATS_DEBUG} && $ENV{ATS_DEBUG} == 1 ) { | ||
| if ( !$found_signal || !$found_ptrace ) { | ||
| print "pid=$!\n"; | ||
| print "pid=$task1_pid found_signal=$found_signal\n"; | ||
| print "pid=$task2_pid found_ptrace=$found_ptrace\n"; | ||
| } | ||
| } | ||
|
|
||
| ### | ||
| # cleanup | ||
| system("service auditd restart 2>/dev/null"); |