5:59 p.m.
In our LSPP concall on Monday I said I'd give our audit tests a try
on the latest kernel. I ran our CAPP audit test suite on an ia32
box installed with FC5T2, the lspp.10 kernel, the 1.1.4 audit tools
and the MLS policy in permissive mode. This is what I got:
fchmod, fchown, fchown32 tests failed to run because the test cases
got errors trying to insert a watch.
/sbin/auditctl -w /tmp/audit_testPZbtbq -k _tmp_audit_testPZbtbq
Error sending watch insert request (Invalid argument)
Not sure if this is a
kernel/user-space compatibility problem or
we just don't have all the new code in yet.
The negative test cases for our msgctl-set and semctl-set
because they didn't see the right audit records. These tests
attempt to remove a message queue or semaphore set with
insufficient permissions. Our tests are looking for an IPC record
whether the syscall fails or succeeds and I only got one on the success
case.
Our tests for successful mounts and symlinks failed but I believe its
because I got AVC denied messages and that goofed up the way the tests
look for the right fields in the audit records.
The *xattr tests failed to build so I haven't run those yet.
I'll look at the *xattr tests next and also try to set up an x86_64 box.
All in all though, not too bad.
-- ljk
9:20 p.m.
On Tue, Mar 07, 2006 at 06:59:42PM -0500, Linda Knippers wrote:
In our LSPP concall on Monday I said I'd give our audit tests a
try
on the latest kernel. I ran our CAPP audit test suite on an ia32
box installed with FC5T2, the lspp.10 kernel, the 1.1.4 audit tools
and the MLS policy in permissive mode.
Thank you for doing this!
This is what I got:
fchmod, fchown, fchown32 tests failed to run because the test cases
got errors trying to insert a watch.
> /sbin/auditctl -w /tmp/audit_testPZbtbq -k _tmp_audit_testPZbtbq
> Error sending watch insert request (Invalid argument)
Not sure if this is a kernel/user-space compatibility problem or
we just don't have all the new code in yet.
auditctl needs to be modified to match Amy's new string interface.
Amy and Steve, what's your status on getting that matched up and a
working auditctl into rawhide? This is getting kind of urgent...
The negative test cases for our msgctl-set and semctl-set
because they didn't see the right audit records. These tests
attempt to remove a message queue or semaphore set with
insufficient permissions. Our tests are looking for an IPC record
whether the syscall fails or succeeds and I only got one on the success
case.
Dustin and I have been reworking the ipc audit code, we should have an
updated patch ready tomorrow.
The *xattr tests failed to build so I haven't run those yet.
Missing libattr-devel?
-Klaus
5:18 a.m.
On Thursday 09 March 2006 22:20, Klaus Weidner wrote:
auditctl needs to be modified to match Amy's new string
interface.
Amy and Steve, what's your status on getting that matched up and a
working auditctl into rawhide? This is getting kind of urgent...
I can't do anything with rawhide until FC5 forks from it. Even then I may need
to wait a little while. There has to be a smooth transition or we have
problems. In the meantime, I bet Amy has something she's using to test
with...
-Steve
1:59 p.m.
On Fri, Mar 10, 2006 at 06:18:27AM -0500, Steve Grubb wrote:
On Thursday 09 March 2006 22:20, Klaus Weidner wrote:
> auditctl needs to be modified to match Amy's new string interface.
> Amy and Steve, what's your status on getting that matched up and a
> working auditctl into rawhide? This is getting kind of urgent...
I can't do anything with rawhide until FC5 forks from it. Even then
I may need to wait a little while. There has to be a smooth
transition or we have problems.
How about creating an rpm for the lspp group to test, but not
releasing it publicly?
In the meantime, I bet Amy has something she's using to test
with...
Yes, but it would be nice if other folks besides myself could do some
testing.
9:05 a.m.
Klaus Weidner wrote:
>The negative test cases for our msgctl-set and semctl-set
>because they didn't see the right audit records. These tests
>attempt to remove a message queue or semaphore set with
>insufficient permissions. Our tests are looking for an IPC record
>whether the syscall fails or succeeds and I only got one on the success
>case.
Dustin and I have been reworking the ipc audit code, we should have an
updated patch ready tomorrow.
Great. It will be easy for me to retest.
>The *xattr tests failed to build so I haven't run those yet.
Missing libattr-devel?
Actually it was xattr.h being moved so it was an easy fix but I got
test failures when running most of those tests and I haven't had a
chance to look at the details yet. Next on my todo list.
-- ljk
6858
days inactive
6864
days old
linux-audit@lists.linux-audit.osci.io
4 comments
4 participants
participants (4)
-
Amy Griffis -
Klaus Weidner -
Linda Knippers -
Steve Grubb