RFE: add test for audit lost counter reset

[rgbriggs]

See:
linux-audit/audit-kernel#3
https://github.com/linux-audit/audit-kernel/wiki/RFE-Reset-the-Lost-Record-Counter

Signed-off-by: Richard Guy Briggs rgb@redhat.com

[pcmoore]

Any reason why we don't restart auditd with systemctl so that we put the system back the way it was intended?

[rgbriggs]

systemctl doesn't exist on rhel6, but now that I think of it, this feature isn't supported in rhel6.
Instead, we could use "service auditd start" since that redirects to systemd.

[pcmoore]

Another reason why we should restart auditd using whatever the system's service manager (almost surely systemd/systemctl these days).

[rgbriggs]

True for fedora, rhel7, Debian 8.

[rgbriggs]

Fixed, amendment pushed.

[rgbriggs]

Update: rgbriggs@970f6d6

[pcmoore]

Please see comments inline.

[pcmoore]

The backlog issue on test cleanup remains (see my earlier comments).

[pcmoore]

This test fails for me on my test system:

# ./test 
1..6
# Running under perl version 5.024001 for linux
# Current time local: Tue Apr 18 17:25:37 2017
# Current time GMT:   Tue Apr 18 21:25:37 2017
# Using Test.pm version 1.28_01
Stopping logging: [  OK  ]
ok 1
ok 2
ok 3
ok 4
ok 5
not ok 6
# Failed test 6 in ./test at line 79
#  ./test line 79 is: ok($result_lost == $lost); # Do the two lost values agree?
Stopping logging: [  OK  ]
Redirecting start to /bin/systemctl start auditd.service

Test system information:

# uname -r
4.11.0-0.rc7.git0.1.1.secnext.fc27.x86_64
# rpm -q audit
audit-2.7.5-1.fc27.x86_64

[rgbriggs]

Works fine on my Rawhide and RHEL7 VMs. I need more information. If I can't put that information in the test and I can't reproduce it, I need your help.

[pcmoore]

Works fine on my Rawhide and RHEL7 VMs. I need more information. If I can't put that information in the test and I can't reproduce it, I need your help.

The failing test is the ok($result_lost == $lost) check, on my Rawhide system $loss reports 0 and $report_lost reports 2. Looking a bit closer, I think something odd is happening when auditctl reports the lost counter, for example:

# uname -r
4.11.0-0.rc7.git0.1.1.secnext.fc27.x86_64
# rpm -q audit
audit-2.7.6-1.fc27.x86_64
# auditctl -s
enabled 1
failure 1
pid 1409
rate_limit 0
backlog_limit 64
lost 0
backlog 0
backlog_wait_time 60000
loginuid_immutable 0 unlocked
# auditctl --reset-lost
lost: 2

It is worth mentioning that this is on an idle system that isn't generating any audit records (and no indication of lost records in the kernel's ring buffer). It is easily repeatable for me.

[rgbriggs]

Ok, all my test VMs have a boot parameter of "audit=1" to force auditting on always, so when that is not set, stopping the daemon would have the kernel ignore those messages and not increase the lost count significantly. Either that, or the flood ping command failed. Testing without "audit=1" I get the same result you did, so I'll need to think of another way to trigger this without needing a change to the kernel boot parameters and rebooting.

[pcmoore]

Testing with "audit=1" on the kernel command line is good, but it is equally important (perhaps more so) to test the default configuration that many distributions use, e.g. "audit=0".

[rgbriggs]

On 2017-04-25 08:21, Paul Moore wrote: Testing with "audit=1" on the kernel command line is good, but it is equally important (perhaps more so) to test the default configuration that many distributions use, e.g. "audit=0".

Yes, I fully agree. Maybe the tests should be iterated through both settings.

#41 (comment)

- RGB

…

-- Richard Guy Briggs <rgb@redhat.com> Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635

[rgbriggs]

Ok, I was able to pass the test by deleting the "audit=" kernel boot parameter, setting backlog_limit (-b) to 1, backlog_wait_time to 1(ms), enable (-e) to 1, starting and stopping the daemon multiple times and using a floodping to generate messages. Update pushed to my pull request.

[pcmoore]

I didn't think this needed to be said, but please don't add a tab/indent to blank lines.

[pcmoore]

See above comment about indents on blank lines.

[pcmoore]

@rgbriggs Okay, this looks reasonable. Let's do two final things so we can get this merged:

• Add the test to tests/Makefile so it runs by default (that is your desire, yes?)
• Wrap your additional debug output with ATS_DEBUG, see 29aa532 and RFE: create a debug flag/option so we have a consistent way to toggle debugging output #54

[pcmoore]

It would appear there is a problem with lost_reset/test on line 7:

BEGIN { plan tests => 5 + $iterations }

... if I run the test directly from the lost_reset directory things work as expected:

# cd tests/lost_reset
# ./test
1..5
# Running under perl version 5.026000 for linux
# Current time local: Wed Jul 12 11:19:31 2017
# Current time GMT:   Wed Jul 12 15:19:31 2017
# Using Test.pm version 1.30
ok 1
ok 2
ok 3
ok 4
ok 5
ok 6
ok 7
ok 8
ok 9
ok 10
ok 11
ok 12
ok 13
ok 14
ok 15
Stopping logging: [  OK  ]
Redirecting start to /bin/systemctl start auditd.service

... however if I run it using make test from the top level directory things fall apart:

# make test
make -C tests test
{snip}
Running as   user    root
        with context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
        on   system  Fedora

exec_execve/test ......... ok   
exec_name/test ........... ok   
file_create/test ......... ok   
file_delete/test ......... ok   
file_rename/test ......... ok   
filter_exclude/test ...... ok     
filter_sessionid/test .... ok   
login_tty/test ........... ok   
lost_reset/test .......... Use of uninitialized value $iterations in addition (+) at lost_reset/test line 7.
lost_reset/test .......... All 5 subtests passed 
netfilter_pkt/test ....... ok     
syscalls_file/test ....... ok   
syscall_module/test ...... ok   
syscall_socketcall/test .. ok   
user_msg/test ............ ok   

Test Summary Report
-------------------
lost_reset/test        (Wstat: 0 Tests: 15 Failed: 10)
  Failed tests:  6-15
  Parse errors: Bad plan.  You planned 5 tests but ran 15.
Files=14, Tests=88, 29 wallclock secs ( 0.06 usr  0.01 sys +  0.88 cusr  0.50 csys =  1.45 CPU)
Result: FAIL
Failed 1/14 test programs. 10/88 subtests failed.
make[1]: *** [Makefile:39: test] Error 255
make[1]: Leaving directory '/root/sources/audit-testsuite/tests'
make: *** [Makefile:10: test] Error 2

I'm guessing you never tested this by running make test, or is this WORKSFORME?

[rgbriggs]

Only ran that isolated test. This is bizarre. When run isolated, $iterations is visible inside the "BEGIN..." on line 7, but it is not visible when run as part of the suite. What could cause this? I even tried changing the variable name to avoid other name collisions, but same result. I may have to hard-code it.

[pcmoore]

Hard code it. No need to make this more complicated.

Also a lesson to be learned that tests should be verified both by running the full suite and the isolated test(s).

[rgbriggs]

Yes, really. I don't like magic numbers buried deep in the code. This gives it a name and a way to track the usage throughout the file. Otherwise I'll track down why the difference between running one test and running the suite...

[pcmoore]

Change it.

[pcmoore]

Change it.

It just occurred to me that some additional commentary is probably warranted given the fact that we are even discussing this.

I agree, like most sane people, that magic numbers are generally bad, however, not every constant in every bit of source code is a "magic number". In your current patch(set) the "$iterations" variable is only used in one location ... a rather conventional if-conditional, this makes the value rather obvious, especially given the size of the file and the rather simple nature of the test.

Yes, it is annoying that we can't seem to use a variable in the test's BEGIN {...} stanza, if we could I would agree to keeping the $iterations variable, but we can't. You've placed a comment after the BEGIN statement which seems to implying that the 5 + 10 is linked to the $iterations variable, IMHO the following is just as meaningful, if not more so:

BEGIN { plan tests => 15 } # five fixed tests + the main for loop below

... it also has the benefit of not looking stupid.

[rgbriggs]

On 2017-07-14 16:38, Paul Moore wrote: > Change it. It just occurred to me that some additional commentary is probably warranted given the fact that we are even discussing this.

I thought that was obvious...

I agree, like most sane people, that magic numbers are generally bad, however, not every constant in every bit of source code is a "magic number". In your current patch(set) the "$iterations" variable is only used in one location ... [a rather conventional if-conditional](https://github.com/linux-audit/audit-testsuite/blob/9f0745ebd17971ffd5a6324d0c099908f7ed4f02/tests/lost_reset/test#L28), this makes the value rather obvious, especially given the size of the file and the rather simple nature of the test.

Putting those kinds of numbers near the top well identified helps. I failed to describe how it was used either in a self-describing variable or in a comment.

Yes, it is annoying that we can't seem to use a variable in the test's `BEGIN {...}` stanza, if we could I would agree to keeping the $iterations variable, but we can't. You've placed a comment after the `BEGIN` statement which seems to implying that the `5 + 10` is linked to the $iterations variable, IMHO the following is just as meaningful, if not more so: BEGIN { plan tests => 15 } # five fixed tests + the main for loop below

My code comment was incomplete and misleading, assisting in the confusion. Leaving as it as I had it but changing the comment to "# 5 fixed tests plus $iterations" I think is far clearer and much quicker to find with basic text search tools. I tried escaping it to fix it and made it worse.

... it also has the benefit of not looking stupid.

I strongly disagree on this last statement, but I guess that is this "judgement" and "taste" people keep talking about.

-- You are receiving this because you were mentioned. Reply to this email directly or view it on GitHub: #41 (comment)

- RGB

…

-- Richard Guy Briggs <rgb@redhat.com> Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635

[pcmoore]

It isn't clear to me from your last response if you are planning another revision, but just to be clear on my expectations: I'm waiting on another revision to get rid of the $iterations variable and the "5 + 10" nonsense.

[rgbriggs]

Cleaned up iterations comment: rgbriggs@027d515
Resolved merge conflict: rgbriggs@278d7ee

[pcmoore]

In the future please do not merge the upstream branches back into your forked branch, it makes it very messy when I pull from you. If you need to resync with upstream, rebase your development branch.

[pcmoore]

Merged via d549ded.

I also merged a commit to fix a number of style/formatting diffs, see 1807b2f. As this PR originally predated the 'make check-syntax' style checker I didn't require the code to satisfy all those style checks, but in the future having a clean 'make check-syntax' run will be necessary for merging.