Test Name: audit-updates-rhel53 - Bugzilla(s) 446080
Author: Eduard Benes
Location: /CoreOS/audit/Sanity/audit-updates-rhel53
Short Description: Functionality tests for audit packages that have been updated to the newer upstream version 1.7.7
Long Description: See errata RHEA-2009:8168 for the detailed description and expected results.

Selected parts of the "how to test" section provided by Steve Grubb:

* New ausyscall program added for cross-referencing syscall name and number info.
  Not much to tell about this one. Just play with it and see if it breaks.

    ausyscall x86_64 dup            should find 3 different dupes
    ausyscall x86_64 dup --exact    should find one
    ausyscall x86_64 --dump         should dump the whole syscall table

* aureport now has a report about keys it sees in audit events.
  This should be tested in the multiple key thing above. The --summary report should give totals for the different keys. Otherwise it just pulls out each one.

* The rule:

    -a always,user -S open -F filetype=file

  should not be legal. The older libs would allow it.

* The rule:

    -a always,user -S open -F ppid=1

  should not be legal. The older libs would allow it.

* The rule:

    -a always,exit -S open -F dir=/etc -k test

  should be legal. The older version would see it as an error.

* If you have log_group=wheel (or anything other than root) in /etc/audit/auditd.conf and you have a rule like:

    -a always,exit -S open -F exit=-EPERM -k access

  you will get an audit record generated with a key of "access" against the dispatcher just by running "aureport --start today". You should not get that generated. You will need to have wheel group access to /var/log/audit/audit* and /etc/audit/auditd.conf fixed in order to test this.

* "aureport --start today PM" should produce an error. It did not previously.

* ausearch interpretation of i386 syscalls on an x86_64 computer gave the wrong results.
  Use this audit event for testing on an x86_64 machine:

    type=SYSCALL msg=audit(1224864719.162:10038): arch=40000003 syscall=102 success=yes exit=5 a0=a a1=bfcc1f80 a2=25b0c4 a3=0 items=0 ppid=1 pid=11761 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="prelude-manager" exe="/usr/bin/prelude-manager" subj=system_u:system_r:prelude_t:s0-s15:c0.c1023 key=(null)

  It should be a socketcall(recv) when "cat file | ausearch -i" is used.
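Added example, not part of the original test description and not code from the audit package: a small Python interpreter for the SYSCALL record above that shows why the arch field has to select the syscall table. arch=40000003 is AUDIT_ARCH_I386, where syscall 102 is socketcall and a0=a (sub-call 10) is recv; the same number looked up in the x86_64 table, as happens if the arch field is ignored, resolves to getuid. The two syscall tables are a constructed subset (only the entries needed here), the socketcall sub-call numbers are the ones from linux/net.h, and lookup_syscall() is an ausyscall-style name search added to illustrate the dup / dup --exact checks; the getuid result is what the x86_64 table gives for 102, not a claim about exactly what the old ausearch printed.

```python
"""Interpret the arch and syscall fields of an audit SYSCALL record.

Added example for this test description; it is not code from the audit
package. The syscall tables are a constructed subset of the real i386 and
x86_64 tables, enough to show that syscall 102 is socketcall on i386 but
getuid on x86_64, so the arch field must choose the table.
"""
import re

# AUDIT_ARCH_* values as logged in the arch= field (hex, no 0x prefix).
AUDIT_ARCH_I386 = 0x40000003    # EM_386 | __AUDIT_ARCH_LE
AUDIT_ARCH_X86_64 = 0xC000003E  # EM_X86_64 | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE

# Constructed partial syscall tables (number -> name). The real tables have
# several hundred entries each; only the ones used in this example are listed.
SYSCALLS = {
    AUDIT_ARCH_I386: {
        5: "open", 24: "getuid", 41: "dup", 63: "dup2", 102: "socketcall", 330: "dup3",
    },
    AUDIT_ARCH_X86_64: {
        2: "open", 32: "dup", 33: "dup2", 102: "getuid", 292: "dup3",
    },
}

# socketcall() multiplexer sub-call numbers (linux/net.h), carried in a0.
SOCKETCALLS = {
    1: "socket", 2: "bind", 3: "connect", 4: "listen", 5: "accept",
    6: "getsockname", 7: "getpeername", 8: "socketpair", 9: "send",
    10: "recv", 11: "sendto", 12: "recvfrom", 13: "shutdown",
}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record into a dict of field -> raw string value."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def interpret_syscall(rec, table_arch=None):
    """Return the syscall name for a parsed SYSCALL record.

    table_arch defaults to the record's own arch field. Passing
    AUDIT_ARCH_X86_64 for an i386 record reproduces the misinterpretation
    described in the test description (wrong table for the number).
    """
    arch = int(rec["arch"], 16)
    nr = int(rec["syscall"])
    table = SYSCALLS[table_arch if table_arch is not None else arch]
    name = table.get(nr, str(nr))
    if name == "socketcall":
        sub = SOCKETCALLS.get(int(rec["a0"], 16), rec["a0"])
        return "socketcall(%s)" % sub
    return name

def lookup_syscall(arch, pattern, exact=False):
    """ausyscall-style search: substring match by default, exact with --exact."""
    table = SYSCALLS[arch]
    return sorted(nr for nr, name in table.items()
                  if (name == pattern if exact else pattern in name))

# The SYSCALL record quoted in the test description (i386 event on an x86_64 host).
SAMPLE = ('type=SYSCALL msg=audit(1224864719.162:10038): arch=40000003 syscall=102 '
          'success=yes exit=5 a0=a a1=bfcc1f80 a2=25b0c4 a3=0 items=0 ppid=1 pid=11761 '
          'auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 '
          'comm="prelude-manager" exe="/usr/bin/prelude-manager" '
          'subj=system_u:system_r:prelude_t:s0-s15:c0.c1023 key=(null)')

if __name__ == "__main__":
    rec = parse_record(SAMPLE)
    print("arch-selected table:", interpret_syscall(rec))                                # socketcall(recv)
    print("x86_64 table forced:", interpret_syscall(rec, table_arch=AUDIT_ARCH_X86_64))  # getuid
    print("dup on x86_64      :", lookup_syscall(AUDIT_ARCH_X86_64, "dup"))              # 3 matches
    print("dup --exact        :", lookup_syscall(AUDIT_ARCH_X86_64, "dup", exact=True))  # 1 match
```

Run it on an x86_64 box next to "cat file | ausearch -i" with the record above: the updated ausearch should agree with the arch-selected result (socketcall(recv)), and the fixed ausyscall should return three names for "dup" and one for "dup --exact".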