Context Navigation

source: trunk/test/testrun_1c.sh@ 55

Last change on this file since 55 was 55, checked in by rainer, 18 years ago
Fix for bug with SuidCheckExclude (ticket #30)
Property svn:executable set to ``*
File size: 9.4 KB

Line
1	#! /bin/sh
2
3	#
4	# Copyright Rainer Wichmann (2006)
5	#
6	# License Information:
7	# This program is free software; you can redistribute it and/or modify
8	# it under the terms of the GNU General Public License as published by
9	# the Free Software Foundation; either version 2 of the License, or
10	# (at your option) any later version.
11	#
12	# This program is distributed in the hope that it will be useful,
13	# but WITHOUT ANY WARRANTY; without even the implied warranty of
14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15	# GNU General Public License for more details.
16	#
17	# You should have received a copy of the GNU General Public License
18	# along with this program; if not, write to the Free Software
19	# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
20	#
21
22	BUILDOPTS="--quiet $TRUST --enable-xml-log --enable-suidcheck --prefix=$PW_DIR --localstatedir=$PW_DIR --with-config-file=$RCFILE --with-log-file=$LOGFILE --with-pid-file=$PW_DIR/.samhain_lock --with-data-file=$PW_DIR/.samhain_file"
23	export BUILDOPTS
24
25	MAXTEST=7; export MAXTEST
26
27	## Quarantine SUID/SGID files if found
28	#
29	# SuidCheckQuarantineFiles = yes
30
31	## Method for Quarantining files:
32	# 0 - Delete or truncate the file.
33	# 1 - Remove SUID/SGID permissions from file.
34	# 2 - Move SUID/SGID file to quarantine dir.
35	#
36	# SuidCheckQuarantineMethod = 0
37
38	## For method 0 and 2, really delete instead of truncating
39	#
40	# SuidCheckQuarantineDelete = yes
41
42	SUIDPOLICY_7="
43	[ReadOnly]
44	file=${BASE}
45	[SuidCheck]
46	SuidCheckActive = yes
47	SuidCheckExclude = ${BASE}/a/a
48	SuidCheckInterval = 10
49	SeveritySuidCheck = crit
50	SuidCheckQuarantineFiles = no
51	SuidCheckQuarantineMethod = 2
52	SuidCheckQuarantineDelete = yes
53	"
54
55	mod_suiddata_7 () {
56	one_sec_sleep
57	chmod 4444 "${BASE}/a/a/y"
58	chmod 4444 "${BASE}/a/a/a/y"
59	mkdir "${BASE}/a/abc"
60	touch "${BASE}/a/abc/y"
61	chmod 4444 "${BASE}/a/abc/y"
62	}
63
64	chk_suiddata_7 () {
65	one_sec_sleep
66	tmp=`ls -l "${BASE}/a/a/y" 2>/dev/null \| awk '{ print $1}'`
67	if [ "x$tmp" = "x-r-Sr--r--" ]; then
68	egrep "CRIT.POLICY \[SuidCheck\].${BASE}/a/a/y" $LOGFILE >/dev/null 2>&1
69	if [ $? -eq 0 ]; then
70	[ -z "$verbose" ] \|\| log_msg_fail "${BASE}/a/a/y";
71	return 1
72	fi
73	egrep "CRIT.POLICY ADDED.${BASE}/a/a/y" $LOGFILE >/dev/null 2>&1
74	if [ $? -eq 0 ]; then
75	[ -z "$verbose" ] \|\| log_msg_fail "${BASE}/a/a/y";
76	return 1
77	fi
78	else
79	[ -z "$verbose" ] \|\| log_msg_fail "${BASE}/a/a/y (suid not kept)";
80	return 1
81	fi
82	tmp=`ls -l "${BASE}/a/a/a/y" 2>/dev/null \| awk '{ print $1}'`
83	if [ "x$tmp" = "x-r-Sr--r--" ]; then
84	egrep "CRIT.POLICY \[SuidCheck\].${BASE}/a/a/a/y" $LOGFILE >/dev/null 2>&1
85	if [ $? -eq 0 ]; then
86	[ -z "$verbose" ] \|\| log_msg_fail "${BASE}/a/a/a/y";
87	return 1
88	fi
89	egrep "CRIT.POLICY ADDED.${BASE}/a/a/a/y" $LOGFILE >/dev/null 2>&1
90	if [ $? -eq 0 ]; then
91	[ -z "$verbose" ] \|\| log_msg_fail "${BASE}/a/a/a/y";
92	return 1
93	fi
94	else
95	[ -z "$verbose" ] \|\| log_msg_fail "${BASE}/a/a/a/y (suid not kept)";
96	return 1
97	fi
98	tmp=`ls -l "${BASE}/a/abc/y" 2>/dev/null \| awk '{ print $1}'`
99	if [ "x$tmp" = "x-r-Sr--r--" ]; then
100	egrep "CRIT.POLICY \[SuidCheck\].${BASE}/a/abc/y" $LOGFILE >/dev/null 2>&1
101	if [ $? -ne 0 ]; then
102	[ -z "$verbose" ] \|\| log_msg_fail "${BASE}/a/abc/y";
103	return 1
104	fi
105	egrep "CRIT.POLICY ADDED.${BASE}/a/abc/y" $LOGFILE >/dev/null 2>&1
106	if [ $? -ne 0 ]; then
107	[ -z "$verbose" ] \|\| log_msg_fail "${BASE}/a/abc/y";
108	return 1
109	fi
110	return 0;
111	else
112	[ -z "$verbose" ] \|\| log_msg_fail "${BASE}/a/abc/y (suid not kept)";
113	return 1
114	fi
115	}
116
117
118	SUIDPOLICY_6="
119	[ReadOnly]
120	file=${BASE}
121	[SuidCheck]
122	SuidCheckActive = yes
123	SuidCheckInterval = 10
124	SeveritySuidCheck = crit
125	SuidCheckQuarantineFiles = no
126	SuidCheckQuarantineMethod = 2
127	SuidCheckQuarantineDelete = yes
128	"
129
130	mod_suiddata_6 () {
131	one_sec_sleep
132	chmod 4755 "${BASE}/a/a/y"
133	}
134
135	chk_suiddata_6 () {
136	one_sec_sleep
137	tmp=`ls -l "${BASE}/a/a/y" 2>/dev/null \| awk '{ print $1}'`
138	if [ "x$tmp" = "x-rwsr-xr-x" ]; then
139	egrep "CRIT.POLICY \[SuidCheck\].${BASE}/a/a/y" $LOGFILE >/dev/null 2>&1
140	if [ $? -ne 0 ]; then
141	[ -z "$verbose" ] \|\| log_msg_fail "${BASE}/a/a/y";
142	return 1
143	fi
144	egrep "CRIT.POLICY ADDED.${BASE}/a/a/y" $LOGFILE >/dev/null 2>&1
145	if [ $? -ne 0 ]; then
146	[ -z "$verbose" ] \|\| log_msg_fail "${BASE}/a/a/y";
147	return 1
148	fi
149	return 0;
150	else
151	[ -z "$verbose" ] \|\| log_msg_fail "${BASE}/a/a/y (suid not kept)";
152	return 1
153	fi
154	}
155
156	SUIDPOLICY_5="
157	[ReadOnly]
158	file=${BASE}
159	[SuidCheck]
160	SuidCheckActive = yes
161	SuidCheckInterval = 10
162	SeveritySuidCheck = crit
163	SuidCheckQuarantineFiles = yes
164	SuidCheckQuarantineMethod = 2
165	SuidCheckQuarantineDelete = yes
166	"
167
168	mod_suiddata_5 () {
169	one_sec_sleep
170	chmod 4755 "${BASE}/a/a/y"
171	}
172
173	chk_suiddata_5 () {
174	one_sec_sleep
175	if [ -f "${BASE}/a/a/y" ]; then
176	[ -z "$verbose" ] \|\| log_msg_fail "${BASE}/a/a/y (not deleted)";
177	return 1
178	fi
179	if [ -f .quarantine/y ]; then
180	if [ -f .quarantine/y.info ]; then
181	return 0;
182	else
183	[ -z "$verbose" ] \|\| log_msg_fail ".quarantine/y.info (missing)";
184	return 1
185	fi
186	else
187	[ -z "$verbose" ] \|\| log_msg_fail ".quarantine/y (missing)";
188	return 1
189	fi
190	}
191
192	SUIDPOLICY_4="
193	[ReadOnly]
194	file=${BASE}
195	[SuidCheck]
196	SuidCheckActive = yes
197	SuidCheckInterval = 10
198	SeveritySuidCheck = crit
199	SuidCheckQuarantineFiles = yes
200	SuidCheckQuarantineMethod = 2
201	SuidCheckQuarantineDelete = no
202	"
203
204	mod_suiddata_4 () {
205	one_sec_sleep
206	chmod 4755 "${BASE}/a/a/y"
207	}
208
209	chk_suiddata_4 () {
210	one_sec_sleep
211	tmp=`cat "${BASE}/a/a/y" 2>/dev/null \| wc -c`
212	if [ $tmp -ne 0 ]; then
213	[ -z "$verbose" ] \|\| log_msg_fail "${BASE}/a/a/y (not truncated)";
214	return 1
215	fi
216	if [ -f .quarantine/y ]; then
217	if [ -f .quarantine/y.info ]; then
218	return 0;
219	else
220	[ -z "$verbose" ] \|\| log_msg_fail ".quarantine/y.info (missing)";
221	return 1
222	fi
223	else
224	[ -z "$verbose" ] \|\| log_msg_fail ".quarantine/y (missing)";
225	return 1
226	fi
227	}
228
229	SUIDPOLICY_3="
230	[ReadOnly]
231	file=${BASE}
232	[SuidCheck]
233	SuidCheckActive = yes
234	SuidCheckInterval = 10
235	SeveritySuidCheck = crit
236	SuidCheckQuarantineFiles = yes
237	SuidCheckQuarantineMethod = 1
238	SuidCheckQuarantineDelete = no
239	"
240
241	mod_suiddata_3 () {
242	one_sec_sleep
243	chmod 4755 "${BASE}/a/a/y"
244	}
245
246	chk_suiddata_3 () {
247	one_sec_sleep
248	tmp=`ls -l "${BASE}/a/a/y" 2>/dev/null \| awk '{ print $1}'`
249	if [ "x$tmp" = "x-rwxr-xr-x" ]; then
250	return 0;
251	else
252	[ -z "$verbose" ] \|\| log_msg_fail "${BASE}/a/a/y (suid not removed)";
253	return 1
254	fi
255	}
256
257	SUIDPOLICY_2="
258	[ReadOnly]
259	file=${BASE}
260	[SuidCheck]
261	SuidCheckActive = yes
262	SuidCheckInterval = 10
263	SeveritySuidCheck = crit
264	SuidCheckQuarantineFiles = yes
265	SuidCheckQuarantineMethod = 0
266	SuidCheckQuarantineDelete = no
267	"
268
269	mod_suiddata_2 () {
270	one_sec_sleep
271	chmod 4755 "${BASE}/a/a/y"
272	}
273
274	chk_suiddata_2 () {
275	one_sec_sleep
276	tmp=`cat "${BASE}/a/a/y" 2>/dev/null \| wc -c`
277	if [ $tmp -ne 0 ]; then
278	[ -z "$verbose" ] \|\| log_msg_fail "${BASE}/a/a/y (not truncated)";
279	return 1
280	fi
281	}
282
283	SUIDPOLICY_1="
284	[ReadOnly]
285	file=${BASE}
286	[SuidCheck]
287	SuidCheckActive = yes
288	SuidCheckInterval = 10
289	SeveritySuidCheck = crit
290	SuidCheckQuarantineFiles = yes
291	SuidCheckQuarantineMethod = 0
292	SuidCheckQuarantineDelete = yes
293	"
294
295	mod_suiddata_1 () {
296	one_sec_sleep
297	chmod 4755 "${BASE}/a/a/y"
298	}
299
300	chk_suiddata_1 () {
301	one_sec_sleep
302	if [ -f "${BASE}/a/a/y" ]; then
303	[ -z "$verbose" ] \|\| log_msg_fail "${BASE}/a/a/y (not removed)";
304	return 1
305	fi
306	}
307
308	prep_suidpolicy ()
309	{
310	test -f "${RCFILE}" \|\| touch "${RCFILE}"
311	eval echo '"$'"SUIDPOLICY_$1"'"' >>"${RCFILE}"
312	}
313
314	testrun_internal_1c ()
315	{
316	[ -z "$verbose" ] \|\| echo Working directory: $PW_DIR
317	[ -z "$verbose" ] \|\| { echo MAKE is $MAKE; echo; }
318
319	#
320	# test standalone compilation
321	#
322	[ -z "$verbose" ] \|\| { echo; echo "${S}Building standalone agent${E}"; echo; }
323
324	if test -r "Makefile"; then
325	$MAKE distclean >/dev/null
326	fi
327
328	${TOP_SRCDIR}/configure ${BUILDOPTS}
329
330	#
331	if test x$? = x0; then
332	[ -z "$verbose" ] \|\| log_msg_ok "configure...";
333	$MAKE 'DBGDEF=-DSH_SUIDTESTDIR=\"${BASE}\"' >/dev/null 2>&1
334	if test x$? = x0; then
335	[ -z "$verbose" ] \|\| log_msg_ok "make...";
336	else
337	[ -z "$quiet" ] && log_msg_fail "make...";
338	return 1
339	fi
340
341	else
342	[ -z "$quiet" ] && log_msg_fail "configure...";
343	return 1
344	fi
345
346	[ -z "$verbose" ] \|\| { echo; echo "${S}Running test suite${E}"; echo; }
347
348	tcount=1
349	POLICY=`eval echo '"$'"SUIDPOLICY_$tcount"'"'`
350
351	until [ -z "$POLICY" ]
352	do
353	prep_init
354	check_err $? ${tcount}; errval=$?
355	if [ $errval -eq 0 ]; then
356	prep_testdata
357	check_err $? ${tcount}; errval=$?
358	fi
359	if [ $errval -eq 0 ]; then
360	prep_suidpolicy ${tcount}
361	check_err $? ${tcount}; errval=$?
362	fi
363	if [ $errval -eq 0 ]; then
364	run_init
365	check_err $? ${tcount}; errval=$?
366	fi
367	if [ $errval -eq 0 ]; then
368	eval mod_suiddata_${tcount}
369	check_err $? ${tcount}; errval=$?
370	fi
371	if [ $errval -eq 0 ]; then
372	run_check
373	check_err $? ${tcount}; errval=$?
374	fi
375	if [ $errval -eq 0 ]; then
376	eval chk_suiddata_${tcount}
377	check_err $? ${tcount}; errval=$?
378	fi
379	if [ $testrun1_setup -eq 0 ]; then
380	if [ $errval -eq 0 ]; then
381	run_update
382	check_err $? ${tcount}; errval=$?
383	fi
384	if [ $errval -eq 0 ]; then
385	run_check_after_update
386	check_err $? ${tcount}; errval=$?
387	fi
388	fi
389	#
390	if [ $errval -eq 0 ]; then
391	[ -z "$quiet" ] && log_ok ${tcount} ${MAXTEST};
392	fi
393	let "tcount = tcount + 1" >/dev/null
394	POLICY=`eval echo '"$'"SUIDPOLICY_$tcount"'"'`
395	done
396
397	return 0
398	}
399
400	testrun1c ()
401	{
402	log_start "RUN STANDALONE W/SUIDCHK"
403	testrun_internal_1c
404	log_end "RUN STANDALONE W/SUIDCHK"
405	return 0
406	}
407

Note: See TracBrowser for help on using the repository browser.

Download in other formats: