tests: add test for signal and ptrace OBJ_PID records
See: linux-audit#81 Signed-off-by: Richard Guy Briggs <[email protected]>
Showing
3 changed files
with
164 additions
and
0 deletions.
@@ -0,0 +1,8 @@ | ||
TARGETS=$(patsubst %.c,%,$(wildcard *.c)) | ||
|
||
LDLIBS += -lpthread | ||
|
||
all: $(TARGETS) | ||
clean: | ||
rm -f $(TARGETS) | ||
|
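--- /dev/null
+++ b/<perl-test-path-not-shown-on-page>
@@ -0,0 +1,155 @@
+#!/usr/bin/perl
+
+use strict;
+use File::Temp qw/ tempdir tempfile /;
+use Test;
+BEGIN { plan tests => 8 }
+
+###
+# functions
+
+sub key_gen {
+my @chars = ( "A" .. "Z", "a" .. "z" );
+my $key = "testsuite-" . time . "-";
+$key .= $chars[ rand @chars ] for 1 .. 8;
+return $key;
+}
+
+###
+# setup
+
+my ( $sec, $min, $hour, $mday, $mon, $year, $wday, $yday, $isdst ) =
+localtime(time);
+$year += 1900;
+$mon += 1;
+my $startdate = "$year-$mon-$mday";
+my $starttime = "$hour:$min:$sec";
+
+# create stdout/stderr sinks
+( my $fh_out, my $stdout ) = tempfile(
+TEMPLATE => '/tmp/audit-testsuite-out-XXXX',
+UNLINK => 1
+);
+( my $fh_err, my $stderr ) = tempfile(
+TEMPLATE => '/tmp/audit-testsuite-err-XXXX',
+UNLINK => 1
+);
+
+# clear all rules, turn on auditing
+#system("auditctl -D >/dev/null 2>&1");
+#system("auditctl -e 1 >/dev/null 2>&1");
+
+# Generate a unique test key
+my $key = key_gen();
+my $result;
+
+###
+# tests
+# Test signals
+# Add rule to catch signals generated by self
+$result =
+system(
+"auditctl -a exit,always -F arch=b$ENV{MODE} -S kill -F pid=$$ -F key=$key >/dev/null 2>&1"
+);
+ok( $result, 0 ); # Was the rule accepted?
+
+# Start sleeps to provide target tasks
+seek( $fh_out, 0, 0 );
+system("sleep 2 >/dev/null 2>&1 & echo \$! >$stdout");
+my $task1_pid = <$fh_out>;
+chomp($task1_pid);
+seek( $fh_out, 0, 0 );
+system("sleep 2 >/dev/null 2>&1 & echo \$! >$stdout");
+my $task2_pid = <$fh_out>;
+chomp($task2_pid);
+
+# generate signals
+my $count = kill 'HUP', $task1_pid, $task2_pid;
+ok( $count, 2 ); # Were two processes signalled?
+
+# Delete audit rule
+system(
+"auditctl -d exit,always -F arch=b$ENV{MODE} -S kill -F pid=$$ -F key=$key >/dev/null 2>&1"
+);
+
+# Test ptrace
+# Add rule to catch ptrace
+$result =
+system(
+"auditctl -a exit,always -F arch=b$ENV{MODE} -S ptrace -F key=$key >/dev/null 2>&1"
+);
+ok( $result, 0 ); # Was the rule accepted?
+
+# Create task to which to attach
+seek( $fh_out, 0, 0 );
+system("sleep 2 >/dev/null 2>&1 & echo \$! >$stdout");
+my $task3_pid = <$fh_out>;
+chomp($task3_pid);
+
+# Generate a ptrace event
+$result = system("strace -p $task3_pid >/dev/null 2>&1");
+ok( $result, 0 ); # Was the ptrace command successful?
+
+# Delete audit rule
+$result =
+system(
+"auditctl -d exit,always -F arch=b$ENV{MODE} -S ptrace -F key=$key >/dev/null 2>&1"
+);
+
+# make sure the records had a chance to bubble through to the logs
+system("auditctl -m syncmarker-$key");
+for ( my $i = 0 ; $i < 10 ; $i++ ) {
+if ( system("ausearch -m USER | grep -q syncmarker-$key") eq 0 ) {
+last;
+}
+sleep(0.2);
+}
+
+# find the config change event
+seek( $fh_out, 0, 0 );
+seek( $fh_err, 0, 0 );
+$result = system(
+"LC_TIME=\"en_DK.utf8\" ausearch --start $startdate $starttime -i -k $key >$stdout 2>$stderr"
+);
+ok( $result, 0 ); # Was an event found?
+
+# test if we generate the obj_pid records correctly
+my $line;
+my $found_signal1 = 0;
+my $found_signal2 = 0;
+my $found_ptrace = 0;
+while ( $line = <$fh_out> ) {
+
+# find the CONFIG_CHANGE record
+if ( $line =~ /^type=OBJ_PID / ) {
+
+# find the lost value
+if ( $line =~ / opid=([0-9]+) / ) {
+if ( $1 == $task1_pid ) {
+$found_signal1 = 1;
+}
+elsif ( $1 == $task2_pid ) {
+$found_signal2 = 1;
+}
+elsif ( $1 == $task3_pid ) {
+$found_ptrace = 1;
+}
+}
+}
+}
+ok( $found_signal1, 1 ); # Was the first signal found?
+ok( $found_signal2, 1 ); # Was the second signal found?
+ok( $found_ptrace, 1 ); # Was the ptrace found?
+
+if ( defined $ENV{ATS_DEBUG} && $ENV{ATS_DEBUG} == 1 ) {
+if ( !$found_signal1 || !$found_signal2 || !$found_ptrace == 2 ) {
+print "pid=$!\n";
+print "pid=$task1_pid found_signal1=$found_signal1\n";
+print "pid=$task2_pid found_signal2=$found_signal2\n";
+print "pid=$task3_pid found_ptrace=$found_ptrace\n";
+}
+}
+
+###
+# cleanup
+system("service auditd restart 2>/dev/null");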
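Review bot: The debug guard near the end of the file, `if ( !$found_signal1 || !$found_signal2 || !$found_ptrace == 2 )`, has a precedence slip: `!` binds before `==`, so `!$found_ptrace == 2` compares 1 or "" with 2 and is never true, and the line below prints `$!` (errno) where the test's own pid `$$` was evidently meant; `if ( !$found_signal1 || !$found_signal2 || !$found_ptrace )` and `print "pid=$$\n";` match the intent of the three `ok(...)` checks above it. The sync loop's `sleep(0.2)` also does not wait: core `sleep` takes whole seconds and truncates 0.2 to 0, so the ten `ausearch -m USER` retries run back to back and the marker may not yet have reached the log; `select( undef, undef, undef, 0.2 );` (or `Time::HiRes::sleep`) gives the intended pause. The comments `# find the CONFIG_CHANGE record` and `# find the lost value` inside the parsing loop describe a different test; this loop matches `type=OBJ_PID` records and extracts `opid=`, so `# find the OBJ_PID record` and `# extract the target pid (opid)` would describe it. The file declares `use strict;` but not `use warnings;`, which would have flagged the `$!`/`$$` mix-up.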