source: trunk/test/testrun_1c.sh@ 298

Last change on this file since 298 was 115, checked in by rainer, 17 years ago

Fix the problem that new suid/sgid file found by the file system check already will not be quarantined in the suid check (ticket #71).

  • Property svn:executable set to *
File size: 9.6 KB
Line 
1#! /bin/sh
2
3#
4# Copyright Rainer Wichmann (2006)
5#
6# License Information:
7# This program is free software; you can redistribute it and/or modify
8# it under the terms of the GNU General Public License as published by
9# the Free Software Foundation; either version 2 of the License, or
10# (at your option) any later version.
11#
12# This program is distributed in the hope that it will be useful,
13# but WITHOUT ANY WARRANTY; without even the implied warranty of
14# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15# GNU General Public License for more details.
16#
17# You should have received a copy of the GNU General Public License
18# along with this program; if not, write to the Free Software
19# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
20#
21
22BUILDOPTS="--quiet $TRUST --enable-xml-log --enable-suidcheck --prefix=$PW_DIR --localstatedir=$PW_DIR --with-config-file=$RCFILE --with-log-file=$LOGFILE --with-pid-file=$PW_DIR/.samhain_lock --with-data-file=$PW_DIR/.samhain_file"
23export BUILDOPTS
24
25MAXTEST=7; export MAXTEST
26
27## Quarantine SUID/SGID files if found
28#
29# SuidCheckQuarantineFiles = yes
30
31## Method for Quarantining files:
32# 0 - Delete or truncate the file.
33# 1 - Remove SUID/SGID permissions from file.
34# 2 - Move SUID/SGID file to quarantine dir.
35#
36# SuidCheckQuarantineMethod = 0
37
38## For method 0 and 2, really delete instead of truncating
39#
40# SuidCheckQuarantineDelete = yes
41
42SUIDPOLICY_7="
43[ReadOnly]
44file=${BASE}
45[SuidCheck]
46SuidCheckActive = yes
47SuidCheckExclude = ${BASE}/a/a
48SuidCheckInterval = 10
49SeveritySuidCheck = crit
50SuidCheckQuarantineFiles = no
51SuidCheckQuarantineMethod = 2
52SuidCheckQuarantineDelete = yes
53"
54
55mod_suiddata_7 () {
56 one_sec_sleep
57 chmod 4444 "${BASE}/a/a/y"
58 chmod 4444 "${BASE}/a/a/a/y"
59 mkdir "${BASE}/a/abc"
60 touch "${BASE}/a/abc/y"
61 chmod 4444 "${BASE}/a/abc/y"
62}
63
64chk_suiddata_7 () {
65 one_sec_sleep
66 tmp=`ls -l "${BASE}/a/a/y" 2>/dev/null | awk '{ print $1}'`
67 if [ "x$tmp" = "x-r-Sr--r--" ]; then
68 egrep "CRIT.*POLICY \[SuidCheck\].*${BASE}/a/a/y" $LOGFILE >/dev/null 2>&1
69 if [ $? -eq 0 ]; then
70 [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/y";
71 return 1
72 fi
73 egrep "CRIT.*POLICY ADDED.*${BASE}/a/a/y" $LOGFILE >/dev/null 2>&1
74 if [ $? -eq 0 ]; then
75 [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/y";
76 return 1
77 fi
78 else
79 [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/y (suid not kept)";
80 return 1
81 fi
82 tmp=`ls -l "${BASE}/a/a/a/y" 2>/dev/null | awk '{ print $1}'`
83 if [ "x$tmp" = "x-r-Sr--r--" ]; then
84 egrep "CRIT.*POLICY \[SuidCheck\].*${BASE}/a/a/a/y" $LOGFILE >/dev/null 2>&1
85 if [ $? -eq 0 ]; then
86 [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/a/y";
87 return 1
88 fi
89 egrep "CRIT.*POLICY ADDED.*${BASE}/a/a/a/y" $LOGFILE >/dev/null 2>&1
90 if [ $? -eq 0 ]; then
91 [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/a/y";
92 return 1
93 fi
94 else
95 [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/a/y (suid not kept)";
96 return 1
97 fi
98 tmp=`ls -l "${BASE}/a/abc/y" 2>/dev/null | awk '{ print $1}'`
99 if [ "x$tmp" = "x-r-Sr--r--" ]; then
100 egrep "CRIT.*POLICY \[SuidCheck\].*${BASE}/a/abc/y" $LOGFILE >/dev/null 2>&1
101 if [ $? -ne 0 ]; then
102 [ -z "$verbose" ] || log_msg_fail "${BASE}/a/abc/y";
103 return 1
104 fi
105 egrep "CRIT.*POLICY ADDED.*${BASE}/a/abc/y" $LOGFILE >/dev/null 2>&1
106 if [ $? -ne 0 ]; then
107 [ -z "$verbose" ] || log_msg_fail "${BASE}/a/abc/y";
108 return 1
109 fi
110 return 0;
111 else
112 [ -z "$verbose" ] || log_msg_fail "${BASE}/a/abc/y (suid not kept)";
113 return 1
114 fi
115}
116
117
118SUIDPOLICY_6="
119[ReadOnly]
120file=${BASE}
121[SuidCheck]
122SuidCheckActive = yes
123SuidCheckInterval = 10
124SeveritySuidCheck = crit
125SuidCheckQuarantineFiles = no
126SuidCheckQuarantineMethod = 2
127SuidCheckQuarantineDelete = yes
128"
129
130mod_suiddata_6 () {
131 one_sec_sleep
132 chmod 4755 "${BASE}/a/a/y"
133}
134
135chk_suiddata_6 () {
136 one_sec_sleep
137 tmp=`ls -l "${BASE}/a/a/y" 2>/dev/null | awk '{ print $1}'`
138 if [ "x$tmp" = "x-rwsr-xr-x" ]; then
139 egrep "CRIT.*POLICY \[SuidCheck\].*${BASE}/a/a/y" $LOGFILE >/dev/null 2>&1
140 if [ $? -ne 0 ]; then
141 [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/y";
142 return 1
143 fi
144 egrep "CRIT.*POLICY ADDED.*${BASE}/a/a/y" $LOGFILE >/dev/null 2>&1
145 if [ $? -ne 0 ]; then
146 [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/y";
147 return 1
148 fi
149 return 0;
150 else
151 [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/y (suid not kept)";
152 return 1
153 fi
154}
155
156SUIDPOLICY_5="
157[ReadOnly]
158file=${BASE}
159[SuidCheck]
160SuidCheckActive = yes
161SuidCheckInterval = 10
162SeveritySuidCheck = crit
163SuidCheckQuarantineFiles = yes
164SuidCheckQuarantineMethod = 2
165SuidCheckQuarantineDelete = yes
166"
167
168mod_suiddata_5 () {
169 one_sec_sleep
170 chmod 4755 "${BASE}/a/a/y"
171}
172
173chk_suiddata_5 () {
174 one_sec_sleep
175 if [ ! -f "${BASE}/a/a/x" ]; then
176 [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/x (erroneously deleted)";
177 return 1
178 fi
179 if [ -f "${BASE}/a/a/y" ]; then
180 [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/y (not deleted)";
181 return 1
182 fi
183 if [ -f .quarantine/y ]; then
184 if [ -f .quarantine/y.info ]; then
185 return 0;
186 else
187 [ -z "$verbose" ] || log_msg_fail ".quarantine/y.info (missing)";
188 return 1
189 fi
190 else
191 [ -z "$verbose" ] || log_msg_fail ".quarantine/y (missing)";
192 return 1
193 fi
194}
195
196SUIDPOLICY_4="
197[ReadOnly]
198file=${BASE}
199[SuidCheck]
200SuidCheckActive = yes
201SuidCheckInterval = 10
202SeveritySuidCheck = crit
203SuidCheckQuarantineFiles = yes
204SuidCheckQuarantineMethod = 2
205SuidCheckQuarantineDelete = no
206"
207
208mod_suiddata_4 () {
209 one_sec_sleep
210 chmod 4755 "${BASE}/a/a/y"
211}
212
213chk_suiddata_4 () {
214 one_sec_sleep
215 tmp=`cat "${BASE}/a/a/y" 2>/dev/null | wc -c`
216 if [ $tmp -ne 0 ]; then
217 [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/y (not truncated)";
218 return 1
219 fi
220 if [ -f .quarantine/y ]; then
221 if [ -f .quarantine/y.info ]; then
222 return 0;
223 else
224 [ -z "$verbose" ] || log_msg_fail ".quarantine/y.info (missing)";
225 return 1
226 fi
227 else
228 [ -z "$verbose" ] || log_msg_fail ".quarantine/y (missing)";
229 return 1
230 fi
231}
232
233SUIDPOLICY_3="
234[ReadOnly]
235file=${BASE}
236[SuidCheck]
237SuidCheckActive = yes
238SuidCheckInterval = 10
239SeveritySuidCheck = crit
240SuidCheckQuarantineFiles = yes
241SuidCheckQuarantineMethod = 1
242SuidCheckQuarantineDelete = no
243"
244
245mod_suiddata_3 () {
246 one_sec_sleep
247 chmod 4755 "${BASE}/a/a/y"
248}
249
250chk_suiddata_3 () {
251 one_sec_sleep
252 tmp=`ls -l "${BASE}/a/a/y" 2>/dev/null | awk '{ print $1}'`
253 if [ "x$tmp" = "x-rwxr-xr-x" ]; then
254 return 0;
255 else
256 [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/y (suid not removed)";
257 return 1
258 fi
259}
260
261SUIDPOLICY_2="
262[ReadOnly]
263file=${BASE}
264[SuidCheck]
265SuidCheckActive = yes
266SuidCheckInterval = 10
267SeveritySuidCheck = crit
268SuidCheckQuarantineFiles = yes
269SuidCheckQuarantineMethod = 0
270SuidCheckQuarantineDelete = no
271"
272
273mod_suiddata_2 () {
274 one_sec_sleep
275 chmod 4755 "${BASE}/a/a/y"
276}
277
278chk_suiddata_2 () {
279 one_sec_sleep
280 tmp=`cat "${BASE}/a/a/y" 2>/dev/null | wc -c`
281 if [ $tmp -ne 0 ]; then
282 [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/y (not truncated)";
283 return 1
284 fi
285}
286
287SUIDPOLICY_1="
288[ReadOnly]
289file=${BASE}
290[SuidCheck]
291SuidCheckActive = yes
292SuidCheckInterval = 10
293SeveritySuidCheck = crit
294SuidCheckQuarantineFiles = yes
295SuidCheckQuarantineMethod = 0
296SuidCheckQuarantineDelete = yes
297"
298
299mod_suiddata_1 () {
300 one_sec_sleep
301 chmod 4755 "${BASE}/a/a/y"
302}
303
304chk_suiddata_1 () {
305 one_sec_sleep
306 if [ -f "${BASE}/a/a/y" ]; then
307 [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/y (not removed)";
308 return 1
309 fi
310}
311
312prep_suidpolicy ()
313{
314 test -f "${RCFILE}" || touch "${RCFILE}"
315 eval echo '"$'"SUIDPOLICY_$1"'"' >>"${RCFILE}"
316 if [ "x$1" = "x5" ]; then
317 chmod 4755 "${BASE}/a/a/x"
318 fi
319}
320
321testrun_internal_1c ()
322{
323 [ -z "$verbose" ] || echo Working directory: $PW_DIR
324 [ -z "$verbose" ] || { echo MAKE is $MAKE; echo; }
325
326 #
327 # test standalone compilation
328 #
329 [ -z "$verbose" ] || { echo; echo "${S}Building standalone agent${E}"; echo; }
330
331 if test -r "Makefile"; then
332 $MAKE distclean >/dev/null
333 fi
334
335 ${TOP_SRCDIR}/configure ${BUILDOPTS}
336
337 #
338 if test x$? = x0; then
339 [ -z "$verbose" ] || log_msg_ok "configure...";
340 $MAKE 'DBGDEF=-DSH_SUIDTESTDIR=\"${BASE}\"' >/dev/null 2>&1
341 if test x$? = x0; then
342 [ -z "$verbose" ] || log_msg_ok "make...";
343 else
344 [ -z "$quiet" ] && log_msg_fail "make...";
345 return 1
346 fi
347
348 else
349 [ -z "$quiet" ] && log_msg_fail "configure...";
350 return 1
351 fi
352
353 [ -z "$verbose" ] || { echo; echo "${S}Running test suite${E}"; echo; }
354
355 tcount=1
356 POLICY=`eval echo '"$'"SUIDPOLICY_$tcount"'"'`
357
358 until [ -z "$POLICY" ]
359 do
360 prep_init
361 check_err $? ${tcount}; errval=$?
362 if [ $errval -eq 0 ]; then
363 prep_testdata
364 check_err $? ${tcount}; errval=$?
365 fi
366 if [ $errval -eq 0 ]; then
367 prep_suidpolicy ${tcount}
368 check_err $? ${tcount}; errval=$?
369 fi
370 if [ $errval -eq 0 ]; then
371 run_init
372 check_err $? ${tcount}; errval=$?
373 fi
374 if [ $errval -eq 0 ]; then
375 eval mod_suiddata_${tcount}
376 check_err $? ${tcount}; errval=$?
377 fi
378 if [ $errval -eq 0 ]; then
379 run_check
380 check_err $? ${tcount}; errval=$?
381 fi
382 if [ $errval -eq 0 ]; then
383 eval chk_suiddata_${tcount}
384 check_err $? ${tcount}; errval=$?
385 fi
386 if [ $testrun1_setup -eq 0 ]; then
387 if [ $errval -eq 0 ]; then
388 run_update
389 check_err $? ${tcount}; errval=$?
390 fi
391 if [ $errval -eq 0 ]; then
392 run_check_after_update
393 check_err $? ${tcount}; errval=$?
394 fi
395 fi
396 #
397 if [ $errval -eq 0 ]; then
398 [ -z "$quiet" ] && log_ok ${tcount} ${MAXTEST};
399 fi
400 let "tcount = tcount + 1" >/dev/null
401 POLICY=`eval echo '"$'"SUIDPOLICY_$tcount"'"'`
402 done
403
404 return 0
405}
406
407testrun1c ()
408{
409 log_start "RUN STANDALONE W/SUIDCHK"
410 testrun_internal_1c
411 log_end "RUN STANDALONE W/SUIDCHK"
412 return 0
413}
414
Note: See TracBrowser for help on using the repository browser.