forked from os-autoinst/os-autoinst-distri-opensuse
-
Notifications
You must be signed in to change notification settings - Fork 0
/
ima_appraisal_audit.pm
61 lines (50 loc) · 2.23 KB
/
ima_appraisal_audit.pm
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
# Copyright 2019-2021 SUSE LLC
# SPDX-License-Identifier: GPL-2.0-or-later
#
# Summary: Test audit function for IMA appraisal
# Note: This case should come after 'ima_appraisal_digital_signatures'
# Maintainer: llzhao <llzhao@suse.com>
# Tags: poo#49568, poo#92347
use base 'opensusebasetest';
use strict;
use warnings;
use testapi;
use utils;
use bootloader_setup qw(add_grub_cmdline_settings replace_grub_cmdline_settings);
use power_action_utils 'power_action';
sub audit_verify {
}
sub run {
my ($self) = @_;
$self->select_serial_terminal;
my $sample_app = '/usr/bin/yes';
my $sample_cmd = 'yes --version';
systemctl('is-active auditd');
if (script_run("grep CONFIG_INTEGRITY_TRUSTED_KEYRING=y /boot/config-`uname -r`") == 0) {
record_soft_failure("bsc#1157432 for SLE15SP2+: CA could not be loaded into the .ima or .evm keyring");
}
else {
# Make sure IMA is in the enforce mode
validate_script_output "grep -E 'ima_appraise=(fix|log|off)' /etc/default/grub || echo 'IMA enforced'", sub { m/IMA enforced/ };
assert_script_run("test -e /etc/sysconfig/ima-policy", fail_message => 'ima-policy file is missing');
# Clear security.ima no matter whether it existing
script_run "setfattr -x security.ima $sample_app";
validate_script_output "getfattr -m security.ima -d $sample_app", sub { m/^$/ };
assert_script_run("echo -n '' > /var/log/audit/audit.log");
my $ret = script_output($sample_cmd, 30, proceed_on_failure => 1);
die "$sample_app should not have permission to run" if ($ret !~ "\Q$sample_app\E: *Permission denied");
validate_script_output "ausearch -m INTEGRITY_DATA", sub { m/\Q$sample_app\E/ };
# Test both default(no ima_apprais=) and ima_appraise=log situation
add_grub_cmdline_settings("ima_appraise=log", update_grub => 1);
power_action("reboot", textmode => 1);
$self->wait_boot(textmode => 1);
$self->select_serial_terminal;
assert_script_run("echo -n '' > /var/log/audit/audit.log");
assert_script_run "$sample_cmd";
validate_script_output "ausearch -m INTEGRITY_DATA", sub { m/\Q$sample_app\E/ };
}
}
sub test_flags {
return {always_rollback => 1};
}
1;