|
| 1 | +#!/usr/bin/perl |
| 2 | + |
| 3 | +use strict; |
| 4 | + |
| 5 | +use Test; |
| 6 | +BEGIN { plan tests => 3 } |
| 7 | + |
| 8 | +use File::Temp qw/ tempdir tempfile /; |
| 9 | + |
| 10 | +### |
| 11 | +# functions |
| 12 | + |
| 13 | +sub key_gen { |
| 14 | + my @chars = ("A".."Z", "a".."z"); |
| 15 | + my $key = "testsuite-" . time . "-"; |
| 16 | + $key .= $chars[rand @chars] for 1..8; |
| 17 | + return $key; |
| 18 | +} |
| 19 | + |
| 20 | +### |
| 21 | +# setup |
| 22 | + |
| 23 | +# reset audit |
| 24 | +system("auditctl -D >& /dev/null"); |
| 25 | + |
| 26 | +# create stdout/stderr sinks |
| 27 | +(my $fh_out, my $stdout) = tempfile(TEMPLATE => '/tmp/audit-testsuite-out-XXXX', |
| 28 | + UNLINK => 1); |
| 29 | +(my $fh_err, my $stderr) = tempfile(TEMPLATE => '/tmp/audit-testsuite-err-XXXX', |
| 30 | + UNLINK => 1); |
| 31 | +(my $fh_out_set, my $stdout_set) = tempfile(TEMPLATE => '/tmp/audit-testsuite-out-set-XXXX', |
| 32 | + UNLINK => 1); |
| 33 | +(my $fh_err_set, my $stderr_set) = tempfile(TEMPLATE => '/tmp/audit-testsuite-err-set-XXXX', |
| 34 | + UNLINK => 1); |
| 35 | +(my $fh_ses, my $sesout) = tempfile(TEMPLATE => '/tmp/audit-testsuite-ses-XXXX', |
| 36 | + UNLINK => 1); |
| 37 | +(my $fh_pid, my $pidout) = tempfile(TEMPLATE => '/tmp/audit-testsuite-pid-XXXX', |
| 38 | + UNLINK => 1); |
| 39 | + |
| 40 | +### |
| 41 | +# tests |
| 42 | + |
| 43 | +my $result; |
| 44 | + |
| 45 | +# discover our sesssion ID |
| 46 | +system("cat /proc/self/sessionid > $sesout"); |
| 47 | +my $sessionid = <$fh_ses>; |
| 48 | +chomp($sessionid); |
| 49 | + |
| 50 | +# create a key and rule |
| 51 | +my $key = key_gen(); |
| 52 | +$result = system("auditctl -a always,exit -F arch=b64 -F path=/tmp/$key -F sessionid=$sessionid -k $key"); |
| 53 | +ok($result, 0); |
| 54 | +$result = system("auditctl -a always,exit -F arch=b64 -F path=/tmp/${key}_set -F sessionid_set=1 -k ${key}_set"); |
| 55 | +ok($result, 0); |
| 56 | + |
| 57 | +# send the userspace message (NOTE: requires bash) |
| 58 | +system("echo \$\$ > $pidout; exec touch /tmp/$key /tmp/${key}_set"); |
| 59 | +my $pid = <$fh_pid>; |
| 60 | +chomp($pid); |
| 61 | + |
| 62 | +# test for the SYSCALL message |
| 63 | +$result = system("ausearch -i -m SYSCALL -sc open -p $pid --session $sessionid -k $key > $stdout 2> $stderr"); |
| 64 | +ok($result, 0); |
| 65 | +$result = system("ausearch -i -m SYSCALL -sc open -p $pid --sessionid_set 1 -k ${key}_set > $stdout_set 2> $stderr_set"); |
| 66 | +ok($result, 0); |
| 67 | + |
| 68 | +# test if we generate the SYSCALL record correctly |
| 69 | +my $line; |
| 70 | +my $syscall_msg_match = 0; |
| 71 | +my $syscall_msg_match_set = 0; |
| 72 | +while ($line = <$fh_out>) { |
| 73 | + # test if SYSCALL record matches |
| 74 | + if ($line =~ m?^type=SYSCALL ? and |
| 75 | + $line =~ m? pid=$pid ? and |
| 76 | + $line =~ m? ses=$sessionid ? and |
| 77 | + $line =~ m? key=$key ?) { |
| 78 | + $syscall_msg_match = 1; |
| 79 | + last; |
| 80 | + } |
| 81 | +} |
| 82 | +ok($syscall_msg_match); |
| 83 | +while ($line = <$fh_out_set>) { |
| 84 | + # test if SYSCALL record matches |
| 85 | + if ($line =~ m?^type=SYSCALL ? and |
| 86 | + $line =~ m? pid=$pid ? and |
| 87 | + $line =~ m? ses=$sessionid ? and |
| 88 | + $line =~ m? key=${key}_set ?) { |
| 89 | + $syscall_msg_match_set = 1; |
| 90 | + last; |
| 91 | + } |
| 92 | +} |
| 93 | +ok($syscall_msg_match_set); |
| 94 | + |
| 95 | +### |
| 96 | +# cleanup |
| 97 | + |
| 98 | +system("auditctl -D >& /dev/null"); |
| 99 | + |
0 commit comments