Index: trunk/test/testrun_1c.sh =================================================================== --- trunk/test/testrun_1c.sh (revision 54) +++ trunk/test/testrun_1c.sh (revision 55) @@ -23,5 +23,5 @@ export BUILDOPTS -MAXTEST=6; export MAXTEST +MAXTEST=7; export MAXTEST ## Quarantine SUID/SGID files if found @@ -39,4 +39,80 @@ # # SuidCheckQuarantineDelete = yes + +SUIDPOLICY_7=" +[ReadOnly] +file=${BASE} +[SuidCheck] +SuidCheckActive = yes +SuidCheckExclude = ${BASE}/a/a +SuidCheckInterval = 10 +SeveritySuidCheck = crit +SuidCheckQuarantineFiles = no +SuidCheckQuarantineMethod = 2 +SuidCheckQuarantineDelete = yes +" + +mod_suiddata_7 () { + one_sec_sleep + chmod 4444 "${BASE}/a/a/y" + chmod 4444 "${BASE}/a/a/a/y" + mkdir "${BASE}/a/abc" + touch "${BASE}/a/abc/y" + chmod 4444 "${BASE}/a/abc/y" +} + +chk_suiddata_7 () { + one_sec_sleep + tmp=`ls -l "${BASE}/a/a/y" 2>/dev/null | awk '{ print $1}'` + if [ "x$tmp" = "x-r-Sr--r--" ]; then + egrep "CRIT.*POLICY \[SuidCheck\].*${BASE}/a/a/y" $LOGFILE >/dev/null 2>&1 + if [ $? -eq 0 ]; then + [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/y"; + return 1 + fi + egrep "CRIT.*POLICY ADDED.*${BASE}/a/a/y" $LOGFILE >/dev/null 2>&1 + if [ $? -eq 0 ]; then + [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/y"; + return 1 + fi + else + [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/y (suid not kept)"; + return 1 + fi + tmp=`ls -l "${BASE}/a/a/a/y" 2>/dev/null | awk '{ print $1}'` + if [ "x$tmp" = "x-r-Sr--r--" ]; then + egrep "CRIT.*POLICY \[SuidCheck\].*${BASE}/a/a/a/y" $LOGFILE >/dev/null 2>&1 + if [ $? -eq 0 ]; then + [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/a/y"; + return 1 + fi + egrep "CRIT.*POLICY ADDED.*${BASE}/a/a/a/y" $LOGFILE >/dev/null 2>&1 + if [ $? -eq 0 ]; then + [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/a/y"; + return 1 + fi + else + [ -z "$verbose" ] || log_msg_fail "${BASE}/a/a/a/y (suid not kept)"; + return 1 + fi + tmp=`ls -l "${BASE}/a/abc/y" 2>/dev/null | awk '{ print $1}'` + if [ "x$tmp" = "x-r-Sr--r--" ]; then + egrep "CRIT.*POLICY \[SuidCheck\].*${BASE}/a/abc/y" $LOGFILE >/dev/null 2>&1 + if [ $? -ne 0 ]; then + [ -z "$verbose" ] || log_msg_fail "${BASE}/a/abc/y"; + return 1 + fi + egrep "CRIT.*POLICY ADDED.*${BASE}/a/abc/y" $LOGFILE >/dev/null 2>&1 + if [ $? -ne 0 ]; then + [ -z "$verbose" ] || log_msg_fail "${BASE}/a/abc/y"; + return 1 + fi + return 0; + else + [ -z "$verbose" ] || log_msg_fail "${BASE}/a/abc/y (suid not kept)"; + return 1 + fi +} + SUIDPOLICY_6="