component:
- audit
framework: beakerlib
require:
- url: https://gitlab.cee.redhat.com/special-projects/tests/audit
  name: /Library/testing
  type: library
- audit
adjust:
- enabled: false
  when: distro < rhel-7
  continue: false
contact:
- Ondrej Moris
description: |+
  Attributes:
    * owner
    * group
    * permissions
    * selinux context

  Objects:
    * Directories:
      * /etc/audit/
      * /etc/audit/rules.d/
      * /var/log/audit/
    * Files:
      * /etc/audit/auditd.conf
      * /etc/audit/audit.rules
      * /var/log/audit/audit.log
      * /var/log/audit/audit.log.* (rotated logs)

  Expected Values:

  In general we expect root for both user and group ownership for all
  objects. The only exception is when log_group is set non-root in
  audit.conf, then /var/log/audit and all audit.log files should be
  owned by that particular group. Log files in /var/log/audit are
  writable by root only, rotated logs are not writable. Detailed
  expected values can be found in tables below:

  User       : root
  Group      : root
  Context    : system_u:object_r:auditd_etc_t:s0
  Permissions:
    - /etc/audit/              0750
    - /etc/audit/rules.d/      0750
    - /etc/audit/auditd.conf   0640
    - /etc/audit/audit.rules   0640

  User       : root
  Group      : root/log_group
  Context    : system_u:object_r:auditd_log_t:s0
  Permissions:
    - /var/log/audit/              0700/0750
    - /var/log/audit/audit.log     0600/0640
    - /var/log/audit/audit.log.*   0400/0440

duration: 5m
enabled: true
extra-nitrate: TC#0533240
extra-summary: /CoreOS/audit/Sanity/permissions
extra-task: /CoreOS/audit/Sanity/permissions
link:
- relates: https://bugzilla.redhat.com/show_bug.cgi?id=1362582
recommend:
- audit
summary: Test for permissions of files related to audit
tag:
- CI-Tier-1
- NoRHEL4
- Tier1
- Tier1security
test: ./runtest.sh
tier: '1'
name: /Sanity/permissions
order: 50
id:
path: /Sanity/permissions
manual: false
tty: false
environment: {}
result: respect
where:
check: []
restart-on-exit-code: []
restart-max-count: 1
restart-with-reboot: false
sources:
- /var/tmp/tmt/run-017/Plans/general/discover/Downstream_audit_tests/tests/main.fmf
- /var/tmp/tmt/run-017/Plans/general/discover/Downstream_audit_tests/tests/Sanity/permissions/main.fmf
context: {}