support/testing: add audit runtime test

This test was suggested by Thomas, in:
https://lists.buildroot.org/pipermail/buildroot/2024-October/766091.html

Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 60e0817ebe)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit is contained in:
Julien Olivain 2024-10-27 22:27:32 +01:00 committed by Peter Korsgaard
parent 17555734e8
commit ebd4fe2723
2 changed files with 92 additions and 0 deletions

View File

@ -1750,6 +1750,7 @@ F: support/testing/tests/package/test_acpica.py
F: support/testing/tests/package/test_acpica/
F: support/testing/tests/package/test_apache.py
F: support/testing/tests/package/test_attr.py
F: support/testing/tests/package/test_audit.py
F: support/testing/tests/package/test_bc.py
F: support/testing/tests/package/test_bitcoin.py
F: support/testing/tests/package/test_brotli.py

View File

@ -0,0 +1,91 @@
import os
import infra.basetest
class TestAudit(infra.basetest.BRTest):
# This test needs a Kernel with the audit support (the builtin
# test Kernel does not have this support). Since the audit support
# enabled by default, a kernel fragment is not required.
config = \
"""
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TARGET_GENERIC_GETTY_PORT="ttyAMA0"
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="6.6.58"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/aarch64-virt/linux.config"
BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL=y
BR2_PACKAGE_AUDIT=y
BR2_TARGET_ROOTFS_CPIO=y
BR2_TARGET_ROOTFS_CPIO_GZIP=y
# BR2_TARGET_ROOTFS_TAR is not set
"""
def test_run(self):
img = os.path.join(self.builddir, "images", "rootfs.cpio.gz")
kern = os.path.join(self.builddir, "images", "Image")
self.emulator.boot(arch="aarch64",
kernel=kern,
kernel_cmdline=["console=ttyAMA0"],
options=["-M", "virt",
"-cpu", "cortex-a57",
"-m", "256M",
"-initrd", img])
self.emulator.login()
# We check the program can run by showing its version. This
# invocation also checks the Kernel has the audit support
# enabled.
self.assertRunOk("auditctl -v")
# We define a normal user name for this test.
user = "audit-test"
# Audit rule inspired from auditctl manual page examples.
# We add an audit rule logging write access on the
# system password file.
cmd = "auditctl -a always,exit -F path=/etc/shadow -F perm=wa"
self.assertRunOk(cmd)
# We do a read-only access on this file, as the root user.
self.assertRunOk("cat /etc/shadow")
# We check our previous read-only access did NOT generated an
# event record.
ausearch_cmd = "ausearch --format text"
out, ret = self.emulator.run(ausearch_cmd)
self.assertEqual(ret, 0)
open_shadow_str = "acting as root, successfully opened-file /etc/shadow"
self.assertNotIn(open_shadow_str, "\n".join(out))
# We create a normal user. This will modify the shadow password file.
cmd = f"adduser -D -h /tmp -H -s /bin/sh {user}"
self.assertRunOk(cmd)
# We are now expecting an event record of this modification.
out, ret = self.emulator.run(ausearch_cmd)
self.assertEqual(ret, 0)
self.assertIn(open_shadow_str, "\n".join(out))
# We add a new audit rule, recording failed open of the system
# password file.
cmd = "auditctl -a always,exit -S openat -F success=0 -F path=/etc/shadow"
self.assertRunOk(cmd)
# We attempt to read the system password file as our new
# normal user. This command is expected to fail (as only root
# can root is supposed to read this file).
cmd = f"su - {user} -c 'cat /etc/shadow'"
_, ret = self.emulator.run(cmd)
self.assertNotEqual(ret, 0)
# Our last failed read attempt is supposed to have generated
# an event. We check we can see it in the log.
out, ret = self.emulator.run(ausearch_cmd)
self.assertEqual(ret, 0)
evt_str = f"acting as {user}, unsuccessfully opened-file /etc/shadow"
self.assertIn(evt_str, "\n".join(out))