source: branches/samhain-2_2-branch/test/testrun_1c.sh@ 401

Last change on this file since 401 was 55, checked in by rainer, 18 years ago

Fix for bug with SuidCheckExclude (ticket #30)

  • Property svn:executable set to *
File size: 9.4 KB
Line 
1#! /bin/sh
2
3#
4# Copyright Rainer Wichmann (2006)
5#
6# License Information:
7# This program is free software; you can redistribute it and/or modify
8# it under the terms of the GNU General Public License as published by
9# the Free Software Foundation; either version 2 of the License, or
10# (at your option) any later version.
11#
12# This program is distributed in the hope that it will be useful,
13# but WITHOUT ANY WARRANTY; without even the implied warranty of
14# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15# GNU General Public License for more details.
16#
17# You should have received a copy of the GNU General Public License
18# along with this program; if not, write to the Free Software
19# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
20#
21
22BUILDOPTS="--quiet $TRUST --enable-xml-log --enable-suidcheck --prefix=$PW_DIR --localstatedir=$PW_DIR --with-config-file=$RCFILE --with-log-file=$LOGFILE --with-pid-file=$PW_DIR/.samhain_lock --with-data-file=$PW_DIR/.samhain_file"
23export BUILDOPTS
24
25MAXTEST=7; export MAXTEST
26
27## Quarantine SUID/SGID files if found
28#
29# SuidCheckQuarantineFiles = yes
30
31## Method for Quarantining files:
32# 0 - Delete or truncate the file.
33# 1 - Remove SUID/SGID permissions from file.
34# 2 - Move SUID/SGID file to quarantine dir.
35#
36# SuidCheckQuarantineMethod = 0
37
38## For method 0 and 2, really delete instead of truncating
39#
40# SuidCheckQuarantineDelete = yes
41
42SUIDPOLICY_7="
43[ReadOnly]
44file=${BASE}
45[SuidCheck]
46SuidCheckActive = yes
47SuidCheckExclude = ${BASE}/a/a
48SuidCheckInterval = 10
49SeveritySuidCheck = crit
50SuidCheckQuarantineFiles = no
51SuidCheckQuarantineMethod = 2
52SuidCheckQuarantineDelete = yes
53"
54
55mod_suiddata_7 () {
56 one_sec_sleep
57 chmod 4444 "${BASE}/a/a/y"
58 chmod 4444 "${BASE}/a/a/a/y"
59 mkdir "${BASE}/a/abc"
60 touch "${BASE}/a/abc/y"
61 chmod 4444 "${BASE}/a/abc/y"
62}
63
64chk_suiddata_7 () {
65 one_sec_sleep
66 tmp=`ls -l "${BASE}/a/a/y" 2>/dev/null | awk '{ print $1}'`
67 if [ "x$tmp" = "x-r-Sr--r--" ]; then
68 egrep "CRIT.*POLICY \[SuidCheck\].*${BASE}/a/a/y" $LOGFILE >/dev/null 2>&1
69 if [ $? -eq 0 ]; then
70 [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/y";
71 return 1
72 fi
73 egrep "CRIT.*POLICY ADDED.*${BASE}/a/a/y" $LOGFILE >/dev/null 2>&1
74 if [ $? -eq 0 ]; then
75 [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/y";
76 return 1
77 fi
78 else
79 [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/y (suid not kept)";
80 return 1
81 fi
82 tmp=`ls -l "${BASE}/a/a/a/y" 2>/dev/null | awk '{ print $1}'`
83 if [ "x$tmp" = "x-r-Sr--r--" ]; then
84 egrep "CRIT.*POLICY \[SuidCheck\].*${BASE}/a/a/a/y" $LOGFILE >/dev/null 2>&1
85 if [ $? -eq 0 ]; then
86 [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/a/y";
87 return 1
88 fi
89 egrep "CRIT.*POLICY ADDED.*${BASE}/a/a/a/y" $LOGFILE >/dev/null 2>&1
90 if [ $? -eq 0 ]; then
91 [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/a/y";
92 return 1
93 fi
94 else
95 [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/a/y (suid not kept)";
96 return 1
97 fi
98 tmp=`ls -l "${BASE}/a/abc/y" 2>/dev/null | awk '{ print $1}'`
99 if [ "x$tmp" = "x-r-Sr--r--" ]; then
100 egrep "CRIT.*POLICY \[SuidCheck\].*${BASE}/a/abc/y" $LOGFILE >/dev/null 2>&1
101 if [ $? -ne 0 ]; then
102 [ -z "$verbose" ] || log_msg_fail "${BASE}/a/abc/y";
103 return 1
104 fi
105 egrep "CRIT.*POLICY ADDED.*${BASE}/a/abc/y" $LOGFILE >/dev/null 2>&1
106 if [ $? -ne 0 ]; then
107 [ -z "$verbose" ] || log_msg_fail "${BASE}/a/abc/y";
108 return 1
109 fi
110 return 0;
111 else
112 [ -z "$verbose" ] || log_msg_fail "${BASE}/a/abc/y (suid not kept)";
113 return 1
114 fi
115}
116
117
118SUIDPOLICY_6="
119[ReadOnly]
120file=${BASE}
121[SuidCheck]
122SuidCheckActive = yes
123SuidCheckInterval = 10
124SeveritySuidCheck = crit
125SuidCheckQuarantineFiles = no
126SuidCheckQuarantineMethod = 2
127SuidCheckQuarantineDelete = yes
128"
129
130mod_suiddata_6 () {
131 one_sec_sleep
132 chmod 4755 "${BASE}/a/a/y"
133}
134
135chk_suiddata_6 () {
136 one_sec_sleep
137 tmp=`ls -l "${BASE}/a/a/y" 2>/dev/null | awk '{ print $1}'`
138 if [ "x$tmp" = "x-rwsr-xr-x" ]; then
139 egrep "CRIT.*POLICY \[SuidCheck\].*${BASE}/a/a/y" $LOGFILE >/dev/null 2>&1
140 if [ $? -ne 0 ]; then
141 [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/y";
142 return 1
143 fi
144 egrep "CRIT.*POLICY ADDED.*${BASE}/a/a/y" $LOGFILE >/dev/null 2>&1
145 if [ $? -ne 0 ]; then
146 [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/y";
147 return 1
148 fi
149 return 0;
150 else
151 [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/y (suid not kept)";
152 return 1
153 fi
154}
155
156SUIDPOLICY_5="
157[ReadOnly]
158file=${BASE}
159[SuidCheck]
160SuidCheckActive = yes
161SuidCheckInterval = 10
162SeveritySuidCheck = crit
163SuidCheckQuarantineFiles = yes
164SuidCheckQuarantineMethod = 2
165SuidCheckQuarantineDelete = yes
166"
167
168mod_suiddata_5 () {
169 one_sec_sleep
170 chmod 4755 "${BASE}/a/a/y"
171}
172
173chk_suiddata_5 () {
174 one_sec_sleep
175 if [ -f "${BASE}/a/a/y" ]; then
176 [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/y (not deleted)";
177 return 1
178 fi
179 if [ -f .quarantine/y ]; then
180 if [ -f .quarantine/y.info ]; then
181 return 0;
182 else
183 [ -z "$verbose" ] || log_msg_fail ".quarantine/y.info (missing)";
184 return 1
185 fi
186 else
187 [ -z "$verbose" ] || log_msg_fail ".quarantine/y (missing)";
188 return 1
189 fi
190}
191
192SUIDPOLICY_4="
193[ReadOnly]
194file=${BASE}
195[SuidCheck]
196SuidCheckActive = yes
197SuidCheckInterval = 10
198SeveritySuidCheck = crit
199SuidCheckQuarantineFiles = yes
200SuidCheckQuarantineMethod = 2
201SuidCheckQuarantineDelete = no
202"
203
204mod_suiddata_4 () {
205 one_sec_sleep
206 chmod 4755 "${BASE}/a/a/y"
207}
208
209chk_suiddata_4 () {
210 one_sec_sleep
211 tmp=`cat "${BASE}/a/a/y" 2>/dev/null | wc -c`
212 if [ $tmp -ne 0 ]; then
213 [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/y (not truncated)";
214 return 1
215 fi
216 if [ -f .quarantine/y ]; then
217 if [ -f .quarantine/y.info ]; then
218 return 0;
219 else
220 [ -z "$verbose" ] || log_msg_fail ".quarantine/y.info (missing)";
221 return 1
222 fi
223 else
224 [ -z "$verbose" ] || log_msg_fail ".quarantine/y (missing)";
225 return 1
226 fi
227}
228
229SUIDPOLICY_3="
230[ReadOnly]
231file=${BASE}
232[SuidCheck]
233SuidCheckActive = yes
234SuidCheckInterval = 10
235SeveritySuidCheck = crit
236SuidCheckQuarantineFiles = yes
237SuidCheckQuarantineMethod = 1
238SuidCheckQuarantineDelete = no
239"
240
241mod_suiddata_3 () {
242 one_sec_sleep
243 chmod 4755 "${BASE}/a/a/y"
244}
245
246chk_suiddata_3 () {
247 one_sec_sleep
248 tmp=`ls -l "${BASE}/a/a/y" 2>/dev/null | awk '{ print $1}'`
249 if [ "x$tmp" = "x-rwxr-xr-x" ]; then
250 return 0;
251 else
252 [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/y (suid not removed)";
253 return 1
254 fi
255}
256
257SUIDPOLICY_2="
258[ReadOnly]
259file=${BASE}
260[SuidCheck]
261SuidCheckActive = yes
262SuidCheckInterval = 10
263SeveritySuidCheck = crit
264SuidCheckQuarantineFiles = yes
265SuidCheckQuarantineMethod = 0
266SuidCheckQuarantineDelete = no
267"
268
269mod_suiddata_2 () {
270 one_sec_sleep
271 chmod 4755 "${BASE}/a/a/y"
272}
273
274chk_suiddata_2 () {
275 one_sec_sleep
276 tmp=`cat "${BASE}/a/a/y" 2>/dev/null | wc -c`
277 if [ $tmp -ne 0 ]; then
278 [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/y (not truncated)";
279 return 1
280 fi
281}
282
283SUIDPOLICY_1="
284[ReadOnly]
285file=${BASE}
286[SuidCheck]
287SuidCheckActive = yes
288SuidCheckInterval = 10
289SeveritySuidCheck = crit
290SuidCheckQuarantineFiles = yes
291SuidCheckQuarantineMethod = 0
292SuidCheckQuarantineDelete = yes
293"
294
295mod_suiddata_1 () {
296 one_sec_sleep
297 chmod 4755 "${BASE}/a/a/y"
298}
299
300chk_suiddata_1 () {
301 one_sec_sleep
302 if [ -f "${BASE}/a/a/y" ]; then
303 [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/y (not removed)";
304 return 1
305 fi
306}
307
308prep_suidpolicy ()
309{
310 test -f "${RCFILE}" || touch "${RCFILE}"
311 eval echo '"$'"SUIDPOLICY_$1"'"' >>"${RCFILE}"
312}
313
314testrun_internal_1c ()
315{
316 [ -z "$verbose" ] || echo Working directory: $PW_DIR
317 [ -z "$verbose" ] || { echo MAKE is $MAKE; echo; }
318
319 #
320 # test standalone compilation
321 #
322 [ -z "$verbose" ] || { echo; echo "${S}Building standalone agent${E}"; echo; }
323
324 if test -r "Makefile"; then
325 $MAKE distclean >/dev/null
326 fi
327
328 ${TOP_SRCDIR}/configure ${BUILDOPTS}
329
330 #
331 if test x$? = x0; then
332 [ -z "$verbose" ] || log_msg_ok "configure...";
333 $MAKE 'DBGDEF=-DSH_SUIDTESTDIR=\"${BASE}\"' >/dev/null 2>&1
334 if test x$? = x0; then
335 [ -z "$verbose" ] || log_msg_ok "make...";
336 else
337 [ -z "$quiet" ] && log_msg_fail "make...";
338 return 1
339 fi
340
341 else
342 [ -z "$quiet" ] && log_msg_fail "configure...";
343 return 1
344 fi
345
346 [ -z "$verbose" ] || { echo; echo "${S}Running test suite${E}"; echo; }
347
348 tcount=1
349 POLICY=`eval echo '"$'"SUIDPOLICY_$tcount"'"'`
350
351 until [ -z "$POLICY" ]
352 do
353 prep_init
354 check_err $? ${tcount}; errval=$?
355 if [ $errval -eq 0 ]; then
356 prep_testdata
357 check_err $? ${tcount}; errval=$?
358 fi
359 if [ $errval -eq 0 ]; then
360 prep_suidpolicy ${tcount}
361 check_err $? ${tcount}; errval=$?
362 fi
363 if [ $errval -eq 0 ]; then
364 run_init
365 check_err $? ${tcount}; errval=$?
366 fi
367 if [ $errval -eq 0 ]; then
368 eval mod_suiddata_${tcount}
369 check_err $? ${tcount}; errval=$?
370 fi
371 if [ $errval -eq 0 ]; then
372 run_check
373 check_err $? ${tcount}; errval=$?
374 fi
375 if [ $errval -eq 0 ]; then
376 eval chk_suiddata_${tcount}
377 check_err $? ${tcount}; errval=$?
378 fi
379 if [ $testrun1_setup -eq 0 ]; then
380 if [ $errval -eq 0 ]; then
381 run_update
382 check_err $? ${tcount}; errval=$?
383 fi
384 if [ $errval -eq 0 ]; then
385 run_check_after_update
386 check_err $? ${tcount}; errval=$?
387 fi
388 fi
389 #
390 if [ $errval -eq 0 ]; then
391 [ -z "$quiet" ] && log_ok ${tcount} ${MAXTEST};
392 fi
393 let "tcount = tcount + 1" >/dev/null
394 POLICY=`eval echo '"$'"SUIDPOLICY_$tcount"'"'`
395 done
396
397 return 0
398}
399
400testrun1c ()
401{
402 log_start "RUN STANDALONE W/SUIDCHK"
403 testrun_internal_1c
404 log_end "RUN STANDALONE W/SUIDCHK"
405 return 0
406}
407
Note: See TracBrowser for help on using the repository browser.