Context Navigation

testrun_1c.sh@ 590

Last change on this file since 590 was 393, checked in by katerina, 14 years ago
Fix for ticket #290 (SUID regression test breaks with selinux).
Property svn:executable set to ``*
File size: 9.7 KB

Line
1	#! /bin/sh
2
3	#
4	# Copyright Rainer Wichmann (2006)
5	#
6	# License Information:
7	# This program is free software; you can redistribute it and/or modify
8	# it under the terms of the GNU General Public License as published by
9	# the Free Software Foundation; either version 2 of the License, or
10	# (at your option) any later version.
11	#
12	# This program is distributed in the hope that it will be useful,
13	# but WITHOUT ANY WARRANTY; without even the implied warranty of
14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15	# GNU General Public License for more details.
16	#
17	# You should have received a copy of the GNU General Public License
18	# along with this program; if not, write to the Free Software
19	# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
20	#
21
22	BUILDOPTS="--quiet $TRUST --enable-xml-log --enable-suidcheck --prefix=$PW_DIR --localstatedir=$PW_DIR --with-config-file=$RCFILE --with-log-file=$LOGFILE --with-pid-file=$PW_DIR/.samhain_lock --with-data-file=$PW_DIR/.samhain_file"
23	export BUILDOPTS
24
25	MAXTEST=7; export MAXTEST
26
27	## Quarantine SUID/SGID files if found
28	#
29	# SuidCheckQuarantineFiles = yes
30
31	## Method for Quarantining files:
32	# 0 - Delete or truncate the file.
33	# 1 - Remove SUID/SGID permissions from file.
34	# 2 - Move SUID/SGID file to quarantine dir.
35	#
36	# SuidCheckQuarantineMethod = 0
37
38	## For method 0 and 2, really delete instead of truncating
39	#
40	# SuidCheckQuarantineDelete = yes
41
42	SUIDPOLICY_7="
43	[ReadOnly]
44	file=${BASE}
45	[SuidCheck]
46	SuidCheckActive = yes
47	SuidCheckExclude = ${BASE}/a/a
48	SuidCheckInterval = 10
49	SeveritySuidCheck = crit
50	SuidCheckQuarantineFiles = no
51	SuidCheckQuarantineMethod = 2
52	SuidCheckQuarantineDelete = yes
53	"
54
55	mod_suiddata_7 () {
56	one_sec_sleep
57	chmod 4444 "${BASE}/a/a/y"
58	chmod 4444 "${BASE}/a/a/a/y"
59	mkdir "${BASE}/a/abc"
60	touch "${BASE}/a/abc/y"
61	chmod 4444 "${BASE}/a/abc/y"
62	}
63
64	chk_suiddata_7 () {
65	one_sec_sleep
66	tmp=`ls -l "${BASE}/a/a/y" 2>/dev/null \| awk '{ print $1}' \| cut -c 1-10`
67	if [ "x$tmp" = "x-r-Sr--r--" ]; then
68	egrep "CRIT.POLICY \[SuidCheck\].${BASE}/a/a/y" $LOGFILE >/dev/null 2>&1
69	if [ $? -eq 0 ]; then
70	[ -z "$verbose" ] \|\| log_msg_fail "${BASE}/a/a/y";
71	return 1
72	fi
73	egrep "CRIT.POLICY ADDED.${BASE}/a/a/y" $LOGFILE >/dev/null 2>&1
74	if [ $? -eq 0 ]; then
75	[ -z "$verbose" ] \|\| log_msg_fail "${BASE}/a/a/y";
76	return 1
77	fi
78	else
79	[ -z "$verbose" ] \|\| log_msg_fail "${BASE}/a/a/y (suid not kept)";
80	return 1
81	fi
82	tmp=`ls -l "${BASE}/a/a/a/y" 2>/dev/null \| awk '{ print $1}' \| cut -c 1-10`
83	if [ "x$tmp" = "x-r-Sr--r--" ]; then
84	egrep "CRIT.POLICY \[SuidCheck\].${BASE}/a/a/a/y" $LOGFILE >/dev/null 2>&1
85	if [ $? -eq 0 ]; then
86	[ -z "$verbose" ] \|\| log_msg_fail "${BASE}/a/a/a/y";
87	return 1
88	fi
89	egrep "CRIT.POLICY ADDED.${BASE}/a/a/a/y" $LOGFILE >/dev/null 2>&1
90	if [ $? -eq 0 ]; then
91	[ -z "$verbose" ] \|\| log_msg_fail "${BASE}/a/a/a/y";
92	return 1
93	fi
94	else
95	[ -z "$verbose" ] \|\| log_msg_fail "${BASE}/a/a/a/y (suid not kept)";
96	return 1
97	fi
98	tmp=`ls -l "${BASE}/a/abc/y" 2>/dev/null \| awk '{ print $1}' \| cut -c 1-10`
99	if [ "x$tmp" = "x-r-Sr--r--" ]; then
100	egrep "CRIT.POLICY \[SuidCheck\].${BASE}/a/abc/y" $LOGFILE >/dev/null 2>&1
101	if [ $? -ne 0 ]; then
102	[ -z "$verbose" ] \|\| log_msg_fail "${BASE}/a/abc/y";
103	return 1
104	fi
105	egrep "CRIT.POLICY ADDED.${BASE}/a/abc/y" $LOGFILE >/dev/null 2>&1
106	if [ $? -ne 0 ]; then
107	[ -z "$verbose" ] \|\| log_msg_fail "${BASE}/a/abc/y";
108	return 1
109	fi
110	return 0;
111	else
112	[ -z "$verbose" ] \|\| log_msg_fail "${BASE}/a/abc/y (suid not kept)";
113	return 1
114	fi
115	}
116
117
118	SUIDPOLICY_6="
119	[ReadOnly]
120	file=${BASE}
121	[SuidCheck]
122	SuidCheckActive = yes
123	SuidCheckInterval = 10
124	SeveritySuidCheck = crit
125	SuidCheckQuarantineFiles = no
126	SuidCheckQuarantineMethod = 2
127	SuidCheckQuarantineDelete = yes
128	"
129
130	mod_suiddata_6 () {
131	one_sec_sleep
132	chmod 4755 "${BASE}/a/a/y"
133	}
134
135	chk_suiddata_6 () {
136	one_sec_sleep
137	tmp=`ls -l "${BASE}/a/a/y" 2>/dev/null \| awk '{ print $1}' \| cut -c 1-10`
138	if [ "x$tmp" = "x-rwsr-xr-x" ]; then
139	egrep "CRIT.POLICY \[SuidCheck\].${BASE}/a/a/y" $LOGFILE >/dev/null 2>&1
140	if [ $? -ne 0 ]; then
141	[ -z "$verbose" ] \|\| log_msg_fail "${BASE}/a/a/y";
142	return 1
143	fi
144	egrep "CRIT.POLICY ADDED.${BASE}/a/a/y" $LOGFILE >/dev/null 2>&1
145	if [ $? -ne 0 ]; then
146	[ -z "$verbose" ] \|\| log_msg_fail "${BASE}/a/a/y";
147	return 1
148	fi
149	return 0;
150	else
151	[ -z "$verbose" ] \|\| log_msg_fail "${BASE}/a/a/y (suid not kept)";
152	return 1
153	fi
154	}
155
156	SUIDPOLICY_5="
157	[ReadOnly]
158	file=${BASE}
159	[SuidCheck]
160	SuidCheckActive = yes
161	SuidCheckInterval = 10
162	SeveritySuidCheck = crit
163	SuidCheckQuarantineFiles = yes
164	SuidCheckQuarantineMethod = 2
165	SuidCheckQuarantineDelete = yes
166	"
167
168	mod_suiddata_5 () {
169	one_sec_sleep
170	chmod 4755 "${BASE}/a/a/y"
171	}
172
173	chk_suiddata_5 () {
174	one_sec_sleep
175	if [ ! -f "${BASE}/a/a/x" ]; then
176	[ -z "$verbose" ] \|\| log_msg_fail "${BASE}/a/a/x (erroneously deleted)";
177	return 1
178	fi
179	if [ -f "${BASE}/a/a/y" ]; then
180	[ -z "$verbose" ] \|\| log_msg_fail "${BASE}/a/a/y (not deleted)";
181	return 1
182	fi
183	if [ -f .quarantine/y ]; then
184	if [ -f .quarantine/y.info ]; then
185	return 0;
186	else
187	[ -z "$verbose" ] \|\| log_msg_fail ".quarantine/y.info (missing)";
188	return 1
189	fi
190	else
191	[ -z "$verbose" ] \|\| log_msg_fail ".quarantine/y (missing)";
192	return 1
193	fi
194	}
195
196	SUIDPOLICY_4="
197	[ReadOnly]
198	file=${BASE}
199	[SuidCheck]
200	SuidCheckActive = yes
201	SuidCheckInterval = 10
202	SeveritySuidCheck = crit
203	SuidCheckQuarantineFiles = yes
204	SuidCheckQuarantineMethod = 2
205	SuidCheckQuarantineDelete = no
206	"
207
208	mod_suiddata_4 () {
209	one_sec_sleep
210	chmod 4755 "${BASE}/a/a/y"
211	}
212
213	chk_suiddata_4 () {
214	one_sec_sleep
215	tmp=`cat "${BASE}/a/a/y" 2>/dev/null \| wc -c`
216	if [ $tmp -ne 0 ]; then
217	[ -z "$verbose" ] \|\| log_msg_fail "${BASE}/a/a/y (not truncated)";
218	return 1
219	fi
220	if [ -f .quarantine/y ]; then
221	if [ -f .quarantine/y.info ]; then
222	return 0;
223	else
224	[ -z "$verbose" ] \|\| log_msg_fail ".quarantine/y.info (missing)";
225	return 1
226	fi
227	else
228	[ -z "$verbose" ] \|\| log_msg_fail ".quarantine/y (missing)";
229	return 1
230	fi
231	}
232
233	SUIDPOLICY_3="
234	[ReadOnly]
235	file=${BASE}
236	[SuidCheck]
237	SuidCheckActive = yes
238	SuidCheckInterval = 10
239	SeveritySuidCheck = crit
240	SuidCheckQuarantineFiles = yes
241	SuidCheckQuarantineMethod = 1
242	SuidCheckQuarantineDelete = no
243	"
244
245	mod_suiddata_3 () {
246	one_sec_sleep
247	chmod 4755 "${BASE}/a/a/y"
248	}
249
250	chk_suiddata_3 () {
251	one_sec_sleep
252	tmp=`ls -l "${BASE}/a/a/y" 2>/dev/null \| awk '{ print $1}' \| cut -c 1-10`
253	if [ "x$tmp" = "x-rwxr-xr-x" ]; then
254	return 0;
255	else
256	[ -z "$verbose" ] \|\| log_msg_fail "${BASE}/a/a/y (suid not removed)";
257	return 1
258	fi
259	}
260
261	SUIDPOLICY_2="
262	[ReadOnly]
263	file=${BASE}
264	[SuidCheck]
265	SuidCheckActive = yes
266	SuidCheckInterval = 10
267	SeveritySuidCheck = crit
268	SuidCheckQuarantineFiles = yes
269	SuidCheckQuarantineMethod = 0
270	SuidCheckQuarantineDelete = no
271	"
272
273	mod_suiddata_2 () {
274	one_sec_sleep
275	chmod 4755 "${BASE}/a/a/y"
276	}
277
278	chk_suiddata_2 () {
279	one_sec_sleep
280	tmp=`cat "${BASE}/a/a/y" 2>/dev/null \| wc -c`
281	if [ $tmp -ne 0 ]; then
282	[ -z "$verbose" ] \|\| log_msg_fail "${BASE}/a/a/y (not truncated)";
283	return 1
284	fi
285	}
286
287	SUIDPOLICY_1="
288	[ReadOnly]
289	file=${BASE}
290	[SuidCheck]
291	SuidCheckActive = yes
292	SuidCheckInterval = 10
293	SeveritySuidCheck = crit
294	SuidCheckQuarantineFiles = yes
295	SuidCheckQuarantineMethod = 0
296	SuidCheckQuarantineDelete = yes
297	"
298
299	mod_suiddata_1 () {
300	one_sec_sleep
301	chmod 4755 "${BASE}/a/a/y"
302	}
303
304	chk_suiddata_1 () {
305	one_sec_sleep
306	if [ -f "${BASE}/a/a/y" ]; then
307	[ -z "$verbose" ] \|\| log_msg_fail "${BASE}/a/a/y (not removed)";
308	return 1
309	fi
310	}
311
312	prep_suidpolicy ()
313	{
314	test -f "${RCFILE}" \|\| touch "${RCFILE}"
315	eval echo '"$'"SUIDPOLICY_$1"'"' >>"${RCFILE}"
316	if [ "x$1" = "x5" ]; then
317	chmod 4755 "${BASE}/a/a/x"
318	fi
319	}
320
321	testrun_internal_1c ()
322	{
323	[ -z "$verbose" ] \|\| echo Working directory: $PW_DIR
324	[ -z "$verbose" ] \|\| { echo MAKE is $MAKE; echo; }
325
326	#
327	# test standalone compilation
328	#
329	[ -z "$verbose" ] \|\| { echo; echo "${S}Building standalone agent${E}"; echo; }
330
331	if test -r "Makefile"; then
332	$MAKE distclean >/dev/null
333	fi
334
335	${TOP_SRCDIR}/configure ${BUILDOPTS}
336
337	#
338	if test x$? = x0; then
339	[ -z "$verbose" ] \|\| log_msg_ok "configure...";
340	$MAKE 'DBGDEF=-DSH_SUIDTESTDIR=\"${BASE}\"' >/dev/null 2>&1
341	if test x$? = x0; then
342	[ -z "$verbose" ] \|\| log_msg_ok "make DBGDEF=-DSH_SUIDTESTDIR=${BASE} ...";
343	else
344	[ -z "$quiet" ] && log_msg_fail "make...";
345	return 1
346	fi
347
348	else
349	[ -z "$quiet" ] && log_msg_fail "configure...";
350	return 1
351	fi
352
353	[ -z "$verbose" ] \|\| { echo; echo "${S}Running test suite${E}"; echo; }
354
355	tcount=1
356	POLICY=`eval echo '"$'"SUIDPOLICY_$tcount"'"'`
357
358	until [ -z "$POLICY" ]
359	do
360	prep_init
361	check_err $? ${tcount}; errval=$?
362	if [ $errval -eq 0 ]; then
363	prep_testdata
364	check_err $? ${tcount}; errval=$?
365	fi
366	if [ $errval -eq 0 ]; then
367	prep_suidpolicy ${tcount}
368	check_err $? ${tcount}; errval=$?
369	fi
370	if [ $errval -eq 0 ]; then
371	run_init
372	check_err $? ${tcount}; errval=$?
373	fi
374	if [ $errval -eq 0 ]; then
375	eval mod_suiddata_${tcount}
376	check_err $? ${tcount}; errval=$?
377	fi
378	if [ $errval -eq 0 ]; then
379	run_check
380	check_err $? ${tcount}; errval=$?
381	fi
382	if [ $errval -eq 0 ]; then
383	eval chk_suiddata_${tcount}
384	check_err $? ${tcount}; errval=$?
385	fi
386	if [ $testrun1_setup -eq 0 ]; then
387	if [ $errval -eq 0 ]; then
388	run_update
389	check_err $? ${tcount}; errval=$?
390	fi
391	if [ $errval -eq 0 ]; then
392	run_check_after_update
393	check_err $? ${tcount}; errval=$?
394	fi
395	fi
396	#
397	if [ $errval -eq 0 ]; then
398	[ -z "$quiet" ] && log_ok ${tcount} ${MAXTEST};
399	fi
400	let "tcount = tcount + 1" >/dev/null
401	POLICY=`eval echo '"$'"SUIDPOLICY_$tcount"'"'`
402	done
403
404	return 0
405	}
406
407	testrun1c ()
408	{
409	log_start "RUN STANDALONE W/SUIDCHK"
410	testrun_internal_1c
411	log_end "RUN STANDALONE W/SUIDCHK"
412	return 0
413	}
414

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: trunk/test/testrun_1c.sh@ 590

Download in other formats: