
RFE: add filter_saddr_fam test #87

Closed

Conversation

rgbriggs
Member

@rgbriggs rgbriggs commented May 8, 2019

Signed-off-by: Richard Guy Briggs rgb@redhat.com

@rgbriggs force-pushed the ghak64-saddr_fam branch 2 times, most recently from 4794a3a to 2a5a5de on May 8, 2019 16:25
@rgbriggs
Member Author

rgbriggs commented May 8, 2019

Sorry, added the AF_MAX check and formatting bit me. I'm done with the forced pushes for now.

@pcmoore changed the title from "tests: add filter_saddr_fam test" to "RFE: add filter_saddr_fam test" on May 8, 2019
pcmoore pushed a commit to linux-audit/audit-kernel that referenced this pull request May 24, 2019
Provide a method to filter out sockaddr and bind calls by network
address family.

Existing SOCKADDR records are listed for any network activity.
Implement the AUDIT_SADDR_FAM field selector to be able to classify or
limit records to specific network address families, such as AF_INET or
AF_INET6.

An example of a network record that is unlikely to be useful and flood
the logs:

type=SOCKADDR msg=audit(07/27/2017 12:18:27.019:845) : saddr={ fam=local
path=/var/run/nscd/socket }
type=SYSCALL msg=audit(07/27/2017 12:18:27.019:845) : arch=x86_64
syscall=connect success=no exit=ENOENT(No such file or directory) a0=0x3
a1=0x7fff229c4980 a2=0x6e a3=0x6 items=1 ppid=3301 pid=6145 auid=sgrubb
uid=sgrubb gid=sgrubb euid=sgrubb suid=sgrubb fsuid=sgrubb egid=sgrubb
sgid=sgrubb fsgid=sgrubb tty=pts3 ses=4 comm=bash exe=/usr/bin/bash
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key=network-test

Please see the audit-testsuite PR at
linux-audit/audit-testsuite#87
Please see the github issue
#64
Please see the github issue for the accompanying userspace support
linux-audit/audit-userspace#93

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
[PM: merge fuzz in auditfilter.c]
Signed-off-by: Paul Moore <paul@paul-moore.com>
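An added example, not code from this PR, the testsuite or the kernel: a Python emulation of what the AUDIT_SADDR_FAM selector achieves, applied to ausearch -i style records like the one quoted in the commit message, so the fam=local nscd noise can be dropped while AF_INET and AF_INET6 events are kept. The sample records are constructed (only event 845 follows the quoted one), and the auditctl field name saddr_fam is assumed from the referenced userspace PR.

```python
import re

# Linux address-family numbers, the values the saddr_fam selector compares against.
AF_UNIX, AF_INET, AF_INET6 = 1, 2, 10
# How ausearch -i renders those families inside saddr={ fam=... }.
FAM_NAMES = {"local": AF_UNIX, "inet": AF_INET, "inet6": AF_INET6}

# Constructed sample of interpreted records: event 845 mirrors the nscd connect quoted
# in the commit message; 846 and 847 are made-up inet/inet6 connects for contrast.
SAMPLE_LOG = """\
type=SOCKADDR msg=audit(07/27/2017 12:18:27.019:845) : saddr={ fam=local path=/var/run/nscd/socket }
type=SYSCALL msg=audit(07/27/2017 12:18:27.019:845) : arch=x86_64 syscall=connect success=no exit=ENOENT(No such file or directory) comm=bash key=network-test
type=SOCKADDR msg=audit(07/27/2017 12:18:30.101:846) : saddr={ fam=inet laddr=192.0.2.10 lport=443 }
type=SYSCALL msg=audit(07/27/2017 12:18:30.101:846) : arch=x86_64 syscall=connect success=yes exit=0 comm=curl key=network-test
type=SOCKADDR msg=audit(07/27/2017 12:18:31.500:847) : saddr={ fam=inet6 laddr=2001:db8::1 lport=53 }
type=SYSCALL msg=audit(07/27/2017 12:18:31.500:847) : arch=x86_64 syscall=connect success=yes exit=0 comm=dig key=network-test
"""

SERIAL_RE = re.compile(r"msg=audit\([^)]*:(\d+)\)")   # event serial shared by all records of an event
FAM_RE = re.compile(r"saddr=\{ fam=(\w+)")            # family token of a SOCKADDR record


def family_of_events(log: str) -> dict:
    """Map each event serial to the numeric family of its SOCKADDR record (None if unmapped)."""
    fams = {}
    for line in log.splitlines():
        fam = FAM_RE.search(line)
        if fam:
            serial = int(SERIAL_RE.search(line).group(1))
            fams[serial] = FAM_NAMES.get(fam.group(1))
    return fams


def filter_log(log: str, keep_families: set) -> list:
    """Emulate a rule with -F saddr_fam=<n> (assumed auditctl field name): keep every record
    (SOCKADDR and SYSCALL alike) of events whose family is in keep_families, drop the rest whole."""
    fams = family_of_events(log)
    kept = []
    for line in log.splitlines():
        serial = SERIAL_RE.search(line)
        if serial and fams.get(int(serial.group(1))) in keep_families:
            kept.append(line)
    return kept


if __name__ == "__main__":
    # Keeping only AF_INET/AF_INET6 drops the fam=local nscd event that floods the logs.
    for line in filter_log(SAMPLE_LOG, {AF_INET, AF_INET6}):
        print(line)
```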
@pcmoore
Member

pcmoore commented Dec 12, 2019

I see the following failures when I run this:

# uname -a
secnext.fc32.x86_64 #1 SMP Tue Dec 10 19:29:35 EST 2019 x86_64 x86_64 x86_64 GNU/Linux
Running as   user    root
        with context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
        on   system  Fedora

exec_execve/test ......... ok   
exec_name/test ........... ok     
file_create/test ......... ok   
file_delete/test ......... ok   
file_rename/test ......... ok   
filter_exclude/test ...... ok     
filter_saddr_fam/test .... 1/5 Use of uninitialized value $1 in string eq at filter_saddr_fam/test line 117, <$fh> line 12.
# Test 4 got: "0" (filter_saddr_fam/test at line 127)
#   Expected: "1"
#  filter_saddr_fam/test line 127 is: ok( $found_msg,    1 );     # Was the inet message found?
# Test 5 got: <UNDEF> (filter_saddr_fam/test at line 128)
#   Expected: ""
#  filter_saddr_fam/test line 128 is: ok( $found_unfilt, "" );    # Were non-inet messages filtered?
filter_saddr_fam/test .... Failed 2/5 subtests 
filter_sessionid/test .... ok   
login_tty/test ........... ok   
lost_reset/test .......... ok   
netfilter_pkt/test ....... ok     
syscalls_file/test ....... ok   
syscall_module/test ...... ok   
syscall_socketcall/test .. ok   
user_msg/test ............ ok   

Test Summary Report
-------------------
filter_saddr_fam/test  (Wstat: 0 Tests: 5 Failed: 2)
  Failed tests:  4-5
Files=15, Tests=109, 16 wallclock secs ( 0.07 usr  0.04 sys +  6.21 cusr  2.44 csys =  8.76 CPU)
Result: FAIL
Failed 1/15 test programs. 2/109 subtests failed.
1..5
# Running under perl version 5.030001 for linux
# Current time local: Thu Dec 12 13:29:25 2019
# Current time GMT:   Thu Dec 12 18:29:25 2019
# Using Test.pm version 1.31
ok 1
not ok 2
# Test 2 got: "65280" (./test at line 59)
#   Expected: "0"
#  ./test line 59 is: ok( $result, 0 );
not ok 3
# Test 3 got: "256" (./test at line 86)
#   Expected: "0"
#  ./test line 86 is: ok( $result, 0 );    # Was an event found?
not ok 4
# Test 4 got: "0" (./test at line 127)
#   Expected: "1"
#  ./test line 127 is: ok( $found_msg,    1 );     # Was the inet message found?
ok 5
Stopping logging:                                          [  OK  ]
Redirecting start to /bin/systemctl start auditd.service

I'm assuming this was working for you @rgbriggs, right? I just wanted to check before I dig into these failures.

@rgbriggs
Member Author

rgbriggs commented Dec 12, 2019 via email

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
@pcmoore
Member

pcmoore commented Dec 12, 2019

Merged via 73342b7, although I had to fix a style error caught by Travis and ./tools/check-syntax.

@pcmoore pcmoore closed this Dec 12, 2019
@rgbriggs
Member Author

rgbriggs commented Dec 12, 2019 via email
