RFE: add filter_saddr_fam test #87
Closed
rgbriggs force-pushed the ghak64-saddr_fam branch 2 times, most recently from 4794a3a to 2a5a5de on May 8, 2019 16:25
Sorry, added the AF_MAX check and formatting bit me. I'm done with the forced pushes for now.
pcmoore changed the title from "tests: add filter_saddr_fam test" to "RFE: add filter_saddr_fam test" on May 8, 2019
pcmoore pushed a commit to linux-audit/audit-kernel that referenced this pull request on May 24, 2019:

Provide a method to filter out sockaddr and bind calls by network address family. Existing SOCKADDR records are listed for any network activity. Implement the AUDIT_SADDR_FAM field selector to be able to classify or limit records to specific network address families, such as AF_INET or AF_INET6.

An example of a network record that is unlikely to be useful and flood the logs:

type=SOCKADDR msg=audit(07/27/2017 12:18:27.019:845) : saddr={ fam=local path=/var/run/nscd/socket }
type=SYSCALL msg=audit(07/27/2017 12:18:27.019:845) : arch=x86_64 syscall=connect success=no exit=ENOENT(No such file or directory) a0=0x3 a1=0x7fff229c4980 a2=0x6e a3=0x6 items=1 ppid=3301 pid=6145 auid=sgrubb uid=sgrubb gid=sgrubb euid=sgrubb suid=sgrubb fsuid=sgrubb egid=sgrubb sgid=sgrubb fsgid=sgrubb tty=pts3 ses=4 comm=bash exe=/usr/bin/bash subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=network-test

Please see the audit-testsuite PR at linux-audit/audit-testsuite#87
Please see the github issue #64
Please see the github issue for the accompanying userspace support linux-audit/audit-userspace#93

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
[PM: merge fuzz in auditfilter.c]
Signed-off-by: Paul Moore <paul@paul-moore.com>
I see the following failures when I run this:
I'm assuming this was working for you @rgbriggs, right? I just wanted to check before I dig into these failures.
rgbriggs force-pushed the ghak64-saddr_fam branch from 2a5a5de to 678d7d4 on December 12, 2019 19:08
On 2019-12-12 10:31, Paul Moore wrote:
> I see the following failures when I run this:
>
> filter_saddr_fam/test .... 1/5 Use of uninitialized value $1 in string eq at filter_saddr_fam/test line 117, <$fh> line 12.
> # Test 4 got: "0" (filter_saddr_fam/test at line 127)
> # Expected: "1"
> # filter_saddr_fam/test line 127 is: ok( $found_msg, 1 ); # Was the inet message found?
> # Test 5 got: <UNDEF> (filter_saddr_fam/test at line 128)
> # Expected: ""
> # filter_saddr_fam/test line 128 is: ok( $found_unfilt, "" ); # Were non-inet messages filtered?
> filter_saddr_fam/test .... Failed 2/5 subtests
> filter_saddr_fam/test (Wstat: 0 Tests: 5 Failed: 2)
> Failed tests: 4-5
> ...
> ok 1
> not ok 2
> # Test 2 got: "65280" (./test at line 59)
> # Expected: "0"
> # ./test line 59 is: ok( $result, 0 );
> not ok 3
> # Test 3 got: "256" (./test at line 86)
> # Expected: "0"
> # ./test line 86 is: ok( $result, 0 ); # Was an event found?
> not ok 4
> # Test 4 got: "0" (./test at line 127)
> # Expected: "1"
> # ./test line 127 is: ok( $found_msg, 1 ); # Was the inet message found?
> ok 5
>
> I'm assuming this was working for you @rgbriggs, right? I just wanted to check before I dig into these failures.
It was, but omoris caught something in here:
linux-audit/audit-kernel#64 (comment)
The search term should be changed from:
/ fam=([a-z]+) /
to
/ saddr_fam=([a-z]+) /
For some reason, I thought Ondrej had updated that test. I've just updated it and pushed a fixed copy:
rgbriggs@678d7d4
Sorry to slow you down!
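The kernel commit message above explains the purpose of the AUDIT_SADDR_FAM selector (classify or limit SOCKADDR records by address family), and the reply just above pins the test failures on a search term that looked for " fam=" while the interpreted record now carries "saddr_fam=". The following Python is an added example, not code from the audit-testsuite or audit-userspace projects: it runs both search terms over constructed `ausearch -i`-style lines, reproduces the "uninitialized $1" outcome as a `None` result, and mirrors the test's two checks (was the inet message found, and did any other family slip through). The sample records, the `keep_family` log-side stand-in for the kernel rule, and the widened `FAMILY_PATTERN` that also captures `inet6` are assumptions of this example; the thread's own `[a-z]+` pattern does not match a family name containing a digit.

```python
import re

# Constructed sample lines in the shape of `ausearch -i` interpreted output.
# The first SOCKADDR record copies the form quoted in the kernel commit
# message (older userspace printed "fam="); the others use the "saddr_fam="
# label that the corrected test searches for.  The SYSCALL line shows that
# non-SOCKADDR records are ignored.
SAMPLE_RECORDS = [
    "type=SOCKADDR msg=audit(07/27/2017 12:18:27.019:845) : saddr={ fam=local path=/var/run/nscd/socket }",
    "type=SOCKADDR msg=audit(12/12/2019 10:31:00.000:901) : saddr={ saddr_fam=inet laddr=127.0.0.1 lport=42 }",
    "type=SOCKADDR msg=audit(12/12/2019 10:31:01.000:902) : saddr={ saddr_fam=local path=/run/nscd/socket }",
    "type=SOCKADDR msg=audit(12/12/2019 10:31:02.000:903) : saddr={ saddr_fam=inet6 laddr=::1 lport=42 }",
    "type=SYSCALL msg=audit(12/12/2019 10:31:02.000:903) : arch=x86_64 syscall=connect success=yes exit=0 key=network-test",
]

# The two search terms discussed in the thread, transcribed from Perl.
OLD_PATTERN = re.compile(r" fam=([a-z]+) ")        # original test: never matches "saddr_fam="
NEW_PATTERN = re.compile(r" saddr_fam=([a-z]+) ")  # corrected test
# Assumption of this example: widen the character class so that "inet6"
# (which contains a digit) is captured too; the thread's pattern misses it.
FAMILY_PATTERN = re.compile(r" saddr_fam=([a-z0-9]+) ")


def extract_family(line, pattern=FAMILY_PATTERN):
    """Return the address family named in a SOCKADDR record, or None.

    None is the Python analogue of the Perl warning in the thread: when the
    pattern does not match, $1 is uninitialized and the string compare fails.
    """
    if not line.startswith("type=SOCKADDR "):
        return None
    m = pattern.search(line)
    return m.group(1) if m else None


def count_by_family(lines, pattern=FAMILY_PATTERN):
    """Tally SOCKADDR records per address family (the 'classify' use case)."""
    counts = {}
    for line in lines:
        fam = extract_family(line, pattern)
        if fam is not None:
            counts[fam] = counts.get(fam, 0) + 1
    return counts


def keep_family(lines, wanted, pattern=FAMILY_PATTERN):
    """Log-side stand-in for the effect of a rule filtering on saddr_fam:
    keep only SOCKADDR records of the wanted family.  This emulates the
    outcome for the example; it is not the kernel's AUDIT_SADDR_FAM filter."""
    return [line for line in lines if extract_family(line, pattern) == wanted]


def check_filter(lines, wanted, pattern=FAMILY_PATTERN):
    """Mirror the test's last two checks: was the wanted-family message found
    ($found_msg), and did a record of another family get through ($found_unfilt)?"""
    found_msg = False
    found_unfilt = False
    for line in lines:
        fam = extract_family(line, pattern)
        if fam is None:
            continue
        if fam == wanted:
            found_msg = True
        else:
            found_unfilt = True
    return found_msg, found_unfilt


if __name__ == "__main__":
    print("families seen:", count_by_family(SAMPLE_RECORDS))
    print("old search term sees:", count_by_family(SAMPLE_RECORDS, OLD_PATTERN))
    print("filtered log passes:", check_filter(keep_family(SAMPLE_RECORDS, "inet"), "inet"))
    print("unfiltered log fails:", check_filter(SAMPLE_RECORDS, "inet"))
```

Running it over the unfiltered sample with the old search term yields `(False, True)`, which is exactly the shape of the reported failure: Test 4 expects the inet message to be found and gets 0, because " fam=" never matches a "saddr_fam=" record. Note also the `inet6` caveat: if a test is later extended to AF_INET6, the `[a-z]+` class in the corrected pattern needs widening as `FAMILY_PATTERN` does.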
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
rgbriggs force-pushed the ghak64-saddr_fam branch from 678d7d4 to 8762d2b on December 12, 2019 19:41
Merged via 73342b7, although I had to fix a style error caught by Travis and
On 2019-12-12 11:13, Richard Guy Briggs wrote:
> For some reason, I thought Ondrej had updated that test. I've just updated it and pushed a fixed copy:
> rgbriggs@678d7d4

...and travis says that's broken, so here's an update:
rgbriggs@8762d2b
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>