component:
- audit
framework: beakerlib
require:
- library(audit/testing)
adjust:
- enabled: false
  when: distro == rhel-4
  continue: false
contact:
- omoris@redhat.com
description: |
  Test Name: audit-updates-rhel53 - Bugzilla(s) 446080
  Author: Eduard Benes
  Location: /CoreOS/audit/Sanity/audit-updates-rhel53

  Short Description:
  Functionality tests for audit packages that have been updated to the newer upstream version 1.7.7

  Long Description:
  See errata RHEA-2009:8168 for detailed description and expected results.
  Selected parts of how to test section provided by Steve Grubb:

  * New ausyscall program added for cross referencing syscall name and number info
    Not much to tell about this one. Just play with it and see if it breaks.
    ausyscall x86_64 dup should find 3 different dupes
    ausyscall x86_64 dup --exact should find one
    ausyscall x86_64 --dump should dump the whole syscall table

  * aureport now has a report about keys it sees in audit events
    This should be tested in the multiple key thing above. The --summary
    report should give totals for different keys. Otherwise it just pulls
    out each one.

  * The rule: -a always,user -S open -F filetype=file
    should not be legal. The older libs would allow it.

  * The rule: -a always,user -S open -F ppid=1
    Should not be legal. The older libs would allow it.

  * The rule: -a always,exit -S open -F dir=/etc -k test
    Should be legal. The older version would see it as an error.

  * if you have /etc/audit/auditd.conf log_group=wheel (or anything other
    than root) and you have a rule like:
    -a always,exit -S open -F exit=-EPERM -k access
    you will get an audit record generated with a key of access against the
    dispatcher just by running aureport --start today. You should not get
    that generated. You will need to have wheel group access to
    /var/log/audit/audit* and /etc/audit/auditd.conf fixed in order to test
    this.

  * "aureport --start today PM" should produce an error. It did not previously.

  * ausearch interpretation of i386 syscalls on an x86_64 computer gave the
    wrong results. Use this audit event for testing on an x86_64 machine:
    type=SYSCALL msg=audit(1224864719.162:10038): arch=40000003 syscall=102 success=yes exit=5 a0=a a1=bfcc1f80 a2=25b0c4 a3=0 items=0 ppid=1 pid=11761 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="prelude-manager" exe="/usr/bin/prelude-manager" subj=system_u:system_r:prelude_t:s0-s15:c0.c1023 key=(null)
    should be a socketcall(recv) when "cat file | ausearch -i" is used.
duration: 15m
enabled: true
extra-nitrate: TC#0075622
extra-summary: /CoreOS/audit/Sanity/audit-updates-rhel53
extra-task: /CoreOS/audit/Sanity/audit-updates-rhel53
link:
- relates: https://bugzilla.redhat.com/show_bug.cgi?id=446080
recommend:
- audit
- audit-libs
- audit-libs-devel
- procps-ng
summary: Functionality tests for audit packages that have been updated to the newer upstream version 1.7.7
tag:
- CI-Tier-1
- NoRHEL4
- TIPpass
- TIPpass_Security
- Tier1
- Tier1security
test: ./runtest.sh
tier: '1'
name: /Sanity/audit-updates-rhel53
order: 50
id:
path: /Sanity/audit-updates-rhel53
manual: false
tty: false
environment: {}
result: respect
where:
check: []
restart-on-exit-code: []
restart-max-count: 1
restart-with-reboot: false
sources:
- /var/tmp/tmt/run-017/Plans/general/discover/Downstream_audit_tests/tests/main.fmf
- /var/tmp/tmt/run-017/Plans/general/discover/Downstream_audit_tests/tests/Sanity/audit-updates-rhel53/main.fmf
context: {}