diff --git a/tests/Makefile b/tests/Makefile index 1701fc1..6c5fe08 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -25,6 +25,7 @@ TESTS := \ login_tty \ lost_reset \ netfilter_pkt \ + signal \ syscalls_file \ syscall_module \ syscall_socketcall \ diff --git a/tests/signal/Makefile b/tests/signal/Makefile new file mode 100644 index 0000000..7ade09a --- /dev/null +++ b/tests/signal/Makefile @@ -0,0 +1,8 @@ +TARGETS=$(patsubst %.c,%,$(wildcard *.c)) + +LDLIBS += -lpthread + +all: $(TARGETS) +clean: + rm -f $(TARGETS) + diff --git a/tests/signal/test b/tests/signal/test new file mode 100755 index 0000000..16ad39b --- /dev/null +++ b/tests/signal/test @@ -0,0 +1,148 @@ +#!/usr/bin/perl + +use strict; +use File::Temp qw/ tempdir tempfile /; +use Test; +BEGIN { plan tests => 8 } + +### +# functions + +sub key_gen { + my @chars = ( "A" .. "Z", "a" .. "z" ); + my $key = "testsuite-" . time . "-"; + $key .= $chars[ rand @chars ] for 1 .. 8; + return $key; +} + +### +# setup + +my ( $sec, $min, $hour, $mday, $mon, $year, $wday, $yday, $isdst ) = + localtime(time); +$year += 1900; +$mon += 1; +my $startdate = "$year-$mon-$mday"; +my $starttime = "$hour:$min:$sec"; + +# create stdout/stderr sinks +( my $fh_out, my $stdout ) = tempfile( + TEMPLATE => '/tmp/audit-testsuite-out-XXXX', + UNLINK => 1 +); +( my $fh_err, my $stderr ) = tempfile( + TEMPLATE => '/tmp/audit-testsuite-err-XXXX', + UNLINK => 1 +); + +# clear all rules, turn on auditing +system("auditctl -D >/dev/null 2>&1"); +system("auditctl -e 1 >/dev/null 2>&1"); + +# Generate a unique test key +my $key = key_gen(); +my $result; + +### +# tests +# Test signals +# Add rule to catch signals generated by self +$result = + system( +"auditctl -a exit,always -F arch=b$ENV{MODE} -S kill -F pid=$$ -F key=$key >/dev/null 2>&1" + ); +ok( $result, 0 ); # Was the rule accepted? + +# Test signal to process group +my $task1_pid = fork(); +if ( not $task1_pid ) { + setpgrp || die; + + # create 2 child processes + fork || sleep 10; + fork || sleep 10; + sleep 10; +} +sleep 1; + +# generate signal +my $count = kill 'SIGTERM', -$task1_pid; +ok( $count, 1 ); # Was the signal delivered? +ok( $task1_pid > 0 ); # Did taskself start ok? + +# Delete audit rule +system( +"auditctl -d exit,always -F arch=b$ENV{MODE} -S kill -F pid=$$ -F key=$key >/dev/null 2>&1" +); + +# Test ptrace +# Add rule to catch ptrace +$result = + system( +"auditctl -a exit,always -F arch=b$ENV{MODE} -S ptrace -F key=$key >/dev/null 2>&1" + ); +ok( $result, 0 ); # Was the rule accepted? + +# Create task to which to attach +seek( $fh_out, 0, 0 ); +system("sleep .1 >/dev/null 2>&1 & echo \$! >$stdout"); +my $task2_pid = <$fh_out>; +chomp($task2_pid); + +# Generate a ptrace event +$result = system("strace -p $task2_pid >/dev/null 2>&1"); +ok( $result, 0 ); # Was the ptrace command successful? + +# Delete audit rule +$result = + system( +"auditctl -d exit,always -F arch=b$ENV{MODE} -S ptrace -F key=$key >/dev/null 2>&1" + ); + +# make sure the records had a chance to bubble through to the logs +system("auditctl -m syncmarker-$key"); +for ( my $i = 0 ; $i < 10 ; $i++ ) { + if ( system("ausearch -m USER | grep -q syncmarker-$key") eq 0 ) { + last; + } + sleep(0.2); +} + +# find the events +seek( $fh_out, 0, 0 ); +seek( $fh_err, 0, 0 ); +$result = system( +"LC_TIME=\"en_DK.utf8\" ausearch --start $startdate $starttime -i -k $key >$stdout 2>$stderr" +); +ok( $result, 0 ); # Was an event found? + +# test if we generate the OBJ_PID records correctly +my $line; +my $found_signal = 0; +my $found_ptrace = 0; +while ( $line = <$fh_out> ) { + if ( $line =~ /^type=OBJ_PID / ) { + if ( $line =~ / opid=([0-9]+) / ) { + if ( $1 == $task1_pid ) { + $found_signal = 1; + } + elsif ( $1 == $task2_pid ) { + $found_ptrace = 1; + } + } + } +} +ok( $found_signal, 1 ); # Was the first signal found? +ok( $found_ptrace, 1 ); # Was the ptrace found? + +if ( defined $ENV{ATS_DEBUG} && $ENV{ATS_DEBUG} == 1 ) { + if ( !$found_signal || !$found_ptrace ) { + print "pid=$!\n"; + print "pid=$task1_pid found_signal=$found_signal\n"; + print "pid=$task2_pid found_ptrace=$found_ptrace\n"; + } +} + +### +# cleanup +system("service auditd restart 2>/dev/null");