support/testing: add audit runtime test

This test was suggested by Thomas, in: https://lists.buildroot.org/pipermail/buildroot/2024-October/766091.html Signed-off-by: Julien Olivain <ju.o@free.fr> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> (cherry picked from commit 60e0817ebe) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-11-23 05:23:39 +08:00 · 2024-10-27 22:27:32 +01:00 · 2024-10-27 22:27:32 +01:00 · d81cd0b488
commit d81cd0b488
parent 9a3670d7d8
2 changed files with 92 additions and 0 deletions
--- a/1
+++ b/1
@ -1821,6 +1821,7 @@ F:	support/testing/tests/package/test_acpica/
 F:	support/testing/tests/package/test_apache.py
 F:	support/testing/tests/package/test_attr.py
 F:	support/testing/tests/package/test_audio_codec_base.py
+F:	support/testing/tests/package/test_audit.py
 F:	support/testing/tests/package/test_bc.py
 F:	support/testing/tests/package/test_bcc.py
 F:	support/testing/tests/package/test_bcc/
--- a/support/testing/tests/package/test_audit.py
+++ b/support/testing/tests/package/test_audit.py
@ -0,0 +1,91 @@
+import os
+
+import infra.basetest
+
+
+class TestAudit(infra.basetest.BRTest):
+    # This test needs a Kernel with the audit support (the builtin
+    # test Kernel does not have this support). Since the audit support
+    # enabled by default, a kernel fragment is not required.
+    config = \
+        """
+        BR2_aarch64=y
+        BR2_TOOLCHAIN_EXTERNAL=y
+        BR2_TARGET_GENERIC_GETTY_PORT="ttyAMA0"
+        BR2_LINUX_KERNEL=y
+        BR2_LINUX_KERNEL_CUSTOM_VERSION=y
+        BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="6.6.58"
+        BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
+        BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/aarch64-virt/linux.config"
+        BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL=y
+        BR2_PACKAGE_AUDIT=y
+        BR2_TARGET_ROOTFS_CPIO=y
+        BR2_TARGET_ROOTFS_CPIO_GZIP=y
+        # BR2_TARGET_ROOTFS_TAR is not set
+        """
+
+    def test_run(self):
+        img = os.path.join(self.builddir, "images", "rootfs.cpio.gz")
+        kern = os.path.join(self.builddir, "images", "Image")
+        self.emulator.boot(arch="aarch64",
+                           kernel=kern,
+                           kernel_cmdline=["console=ttyAMA0"],
+                           options=["-M", "virt",
+                                    "-cpu", "cortex-a57",
+                                    "-m", "256M",
+                                    "-initrd", img])
+        self.emulator.login()
+
+        # We check the program can run by showing its version. This
+        # invocation also checks the Kernel has the audit support
+        # enabled.
+        self.assertRunOk("auditctl -v")
+
+        # We define a normal user name for this test.
+        user = "audit-test"
+
+        # Audit rule inspired from auditctl manual page examples.
+
+        # We add an audit rule logging write access on the
+        # system password file.
+        cmd = "auditctl -a always,exit -F path=/etc/shadow -F perm=wa"
+        self.assertRunOk(cmd)
+
+        # We do a read-only access on this file, as the root user.
+        self.assertRunOk("cat /etc/shadow")
+
+        # We check our previous read-only access did NOT generated an
+        # event record.
+        ausearch_cmd = "ausearch --format text"
+        out, ret = self.emulator.run(ausearch_cmd)
+        self.assertEqual(ret, 0)
+        open_shadow_str = "acting as root, successfully opened-file /etc/shadow"
+        self.assertNotIn(open_shadow_str, "\n".join(out))
+
+        # We create a normal user. This will modify the shadow password file.
+        cmd = f"adduser -D -h /tmp -H -s /bin/sh {user}"
+        self.assertRunOk(cmd)
+
+        # We are now expecting an event record of this modification.
+        out, ret = self.emulator.run(ausearch_cmd)
+        self.assertEqual(ret, 0)
+        self.assertIn(open_shadow_str, "\n".join(out))
+
+        # We add a new audit rule, recording failed open of the system
+        # password file.
+        cmd = "auditctl -a always,exit -S openat -F success=0 -F path=/etc/shadow"
+        self.assertRunOk(cmd)
+
+        # We attempt to read the system password file as our new
+        # normal user. This command is expected to fail (as only root
+        # can root is supposed to read this file).
+        cmd = f"su - {user} -c 'cat /etc/shadow'"
+        _, ret = self.emulator.run(cmd)
+        self.assertNotEqual(ret, 0)
+
+        # Our last failed read attempt is supposed to have generated
+        # an event. We check we can see it in the log.
+        out, ret = self.emulator.run(ausearch_cmd)
+        self.assertEqual(ret, 0)
+        evt_str = f"acting as {user}, unsuccessfully opened-file /etc/shadow"
+        self.assertIn(evt_str, "\n".join(out))