Created test cases covering /etc/audit/rules.d/privileged.rules and /…

…etc/audit/audit.rules
rumch-se · Oct 4, 2023 · 89d2e8e · 89d2e8e
1 parent 9921054
commit 89d2e8e
Show file tree

Hide file tree

Showing 22 changed files with 142 additions and 0 deletions.
diff --git a/...itd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value.audit.pass.sh b/...itd_configure_rules/audit_rules_suid_privilege_function/tests/correct_value.audit.pass.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# packages = audit
+
+{{% if product == "ol8" %}}
+OTHER_FILTERS_EUID=" -C uid!=euid"
+OTHER_FILTERS_EGID=" -C gid!=egid"
+{{% else %}}
+OTHER_FILTERS_EUID=" -C uid!=euid -F euid=0"
+OTHER_FILTERS_EGID=" -C gid!=egid -F egid=0"
+{{% endif %}}
+
+echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -k setgid" > /etc/audit/audit.rules
+echo "-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setgid" >> /etc/audit/audit.rules
+echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EUID} -k setuid" >> /etc/audit/audit.rules
+echo "-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EUID} -k setuid" >> /etc/audit/audit.rules
diff --git a/...lege_function/tests/correct_value.pass.sh → ...on/tests/correct_value.privileged.pass.sh b/...lege_function/tests/correct_value.pass.sh → ...on/tests/correct_value.privileged.pass.sh
diff --git a/.../auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch.audit.fail.sh b/.../auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_arch.audit.fail.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+# packages = audit
+
+{{% if product == "ol8" %}}
+OTHER_FILTERS_EUID=" -C uid!=euid"
+OTHER_FILTERS_EGID=" -C gid!=egid"
+{{% else %}}
+OTHER_FILTERS_EUID=" -C uid!=euid -F euid=0"
+OTHER_FILTERS_EGID=" -C gid!=egid -F egid=0"
+{{% endif %}}
+
+echo "-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setgid" > /etc/audit/audit.rules
+echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EUID} -k setuid" >> /etc/audit/audit.rules
diff --git a/...rivilege_function/tests/miss_arch.fail.sh → ...nction/tests/miss_arch.privileged.fail.sh b/...rivilege_function/tests/miss_arch.fail.sh → ...nction/tests/miss_arch.privileged.fail.sh
diff --git a/...ing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c.audit.fail.sh b/...ing/auditd_configure_rules/audit_rules_suid_privilege_function/tests/miss_c.audit.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# packages = audit
+
+{{% if product != "ol8" %}}
+OTHER_FILTERS_EUID=" -F euid=0"
+OTHER_FILTERS_EGID=" -F egid=0"
+{{% endif %}}
+
+echo "-a always,exit -F arch=b32 -S execve -C gid!=guid${OTHER_FILTERS_EGID} -k setgid" > /etc/audit/audit.rules
+echo "-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setgid" >> /etc/audit/audit.rules
+echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EUID} -k setuid" >> /etc/audit/audit.rules
+echo "-a always,exit -F arch=b64 -S execve -C uid!=euid${OTHER_FILTERS_EUID} -k setuid" >> /etc/audit/audit.rules
diff --git a/...d_privilege_function/tests/miss_c.fail.sh → ..._function/tests/miss_c.privileged.fail.sh b/...d_privilege_function/tests/miss_c.fail.sh → ..._function/tests/miss_c.privileged.fail.sh
diff --git a/...g/auditd_configure_rules/audit_rules_suid_privilege_function/tests/no_rules.audit.fail.sh b/...g/auditd_configure_rules/audit_rules_suid_privilege_function/tests/no_rules.audit.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# packages = audit
+
+rm -rf /etc/audit/audit.rules
diff --git a/...privilege_function/tests/no_rules.fail.sh → ...unction/tests/no_rules.privileged.fail.sh b/...privilege_function/tests/no_rules.fail.sh → ...unction/tests/no_rules.privileged.fail.sh
diff --git a/.../auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key.audit.pass.sh b/.../auditd_configure_rules/audit_rules_suid_privilege_function/tests/other_key.audit.pass.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# packages = audit
+
+# This tests situation where key value is not std. And also situation where there is extra spaces in rules.
+
+{{% if product == "ol8" %}}
+OTHER_FILTERS_EUID=" -C     uid!=euid"
+OTHER_FILTERS_EGID=" -C     gid!=egid"
+{{% else %}}
+OTHER_FILTERS_EUID=" -C    uid!=euid    -F euid=0"
+OTHER_FILTERS_EGID=" -C    gid!=egid    -F egid=0"
+{{% endif %}}
+
+echo "  -a   always,exit   -F   arch=b32   -S   execve   ${OTHER_FILTERS_EGID}   -F   key=my_setgid-audit-rule  " > /etc/audit/audit.rules
+echo "  -a   always,exit   -F   arch=b64   -S   execve   ${OTHER_FILTERS_EGID}   -k   my_setgid-audit-rule  " >> /etc/audit/audit.rules
+echo "-a always,exit -F arch=b32 -S execve ${OTHER_FILTERS_EUID} -k my_setuid-audit-rule" >> /etc/audit/audit.rules
+echo "-a always,exit -F arch=b64 -S execve ${OTHER_FILTERS_EUID} -F key=my_setuid-audit-rule" >> /etc/audit/audit.rules
diff --git a/...rivilege_function/tests/other_key.pass.sh → ...nction/tests/other_key.privileged.pass.sh b/...rivilege_function/tests/other_key.pass.sh → ...nction/tests/other_key.privileged.pass.sh
diff --git a/.../auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key.audit.pass.sh b/.../auditd_configure_rules/audit_rules_suid_privilege_function/tests/use_f_key.audit.pass.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+# packages = audit
+
+
+{{% if product == "ol8" %}}
+OTHER_FILTERS_EUID=" -C uid!=euid"
+OTHER_FILTERS_EGID=" -C gid!=egid"
+{{% else %}}
+OTHER_FILTERS_EUID=" -C uid!=euid -F euid=0"
+OTHER_FILTERS_EGID=" -C gid!=egid -F egid=0"
+{{% endif %}}
+
+echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -F key=setgid" > /etc/audit/audit.rules
+echo "-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -F key=setgid" >> /etc/audit/audit.rules
+echo "-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EUID} -F key=setuid" >> /etc/audit/audit.rules
+echo "-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EUID} -F key=setuid" >> /etc/audit/audit.rules
diff --git a/...rivilege_function/tests/use_f_key.pass.sh → ...nction/tests/use_f_key.privileged.pass.sh b/...rivilege_function/tests/use_f_key.pass.sh → ...nction/tests/use_f_key.privileged.pass.sh
diff --git a/...ng/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a.audit.fail.sh b/...ng/auditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_a.audit.fail.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# packages = audit
+
+{{% if product == "ol8" %}}
+OTHER_FILTERS_EUID=" -C uid!=euid"
+OTHER_FILTERS_EGID=" -C gid!=egid"
+{{% else %}}
+OTHER_FILTERS_EUID=" -C uid!=euid -F euid=0"
+OTHER_FILTERS_EGID=" -C gid!=egid -F egid=0"
+{{% endif %}}
+
+echo "-a never,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -k setgid" > /etc/audit/audit.rules
+echo "-a never,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setgid" >> /etc/audit/audit.rules
+echo "-a never,exit -F arch=b32 -S execve${OTHER_FILTERS_EUID} -k setuid" >> /etc/audit/audit.rules
+echo "-a never,exit -F arch=b64 -S execve${OTHER_FILTERS_EUID} -k setuid" >> /etc/audit/audit.rules
diff --git a/..._privilege_function/tests/wrong_a.fail.sh → ...function/tests/wrong_a.privileged.fail.sh b/..._privilege_function/tests/wrong_a.fail.sh → ...function/tests/wrong_a.privileged.fail.sh
diff --git a/...ditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid.audit.fail.sh b/...ditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_egid.audit.fail.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# packages = audit
+
+{{% if product == "ol8" %}}
+OTHER_FILTERS_EUID=" -C uid!=egid"
+OTHER_FILTERS_EGID=" -C gid!=egid"
+{{% else %}}
+OTHER_FILTERS_EUID=" -C uid!=egid -F euid=0"
+OTHER_FILTERS_EGID=" -C gid!=egid -F egid=0"
+{{% endif %}}
+
+echo '-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -k setgid' > /etc/audit/audit.rules
+echo '-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setgid' >> /etc/audit/audit.rules
+echo '-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -k setuid' >> /etc/audit/audit.rules
+echo '-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setuid' >> /etc/audit/audit.rules
diff --git a/...ilege_function/tests/wrong_c_egid.fail.sh → ...ion/tests/wrong_c_egid.privileged.fail.sh b/...ilege_function/tests/wrong_c_egid.fail.sh → ...ion/tests/wrong_c_egid.privileged.fail.sh
diff --git a/...ditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid.audit.fail.sh b/...ditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_c_euid.audit.fail.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# packages = audit
+
+{{% if product == "ol8" %}}
+OTHER_FILTERS_EUID=" -C uid!=euid"
+OTHER_FILTERS_EGID=" -C gid!=euid"
+{{% else %}}
+OTHER_FILTERS_EUID=" -C uid!=euid -F euid=0"
+OTHER_FILTERS_EGID=" -C gid!=euid -F egid=0"
+{{% endif %}}
+
+echo '-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -k setgid' > /etc/audit/audit.rules
+echo '-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setgid' >> /etc/audit/audit.rules
+echo '-a always,exit -F arch=b32 -S execve${OTHER_FILTERS_EGID} -k setuid' >> /etc/audit/audit.rules
+echo '-a always,exit -F arch=b64 -S execve${OTHER_FILTERS_EGID} -k setuid' >> /etc/audit/audit.rules
diff --git a/...ilege_function/tests/wrong_c_euid.fail.sh → ...ion/tests/wrong_c_euid.privileged.fail.sh b/...ilege_function/tests/wrong_c_euid.fail.sh → ...ion/tests/wrong_c_euid.privileged.fail.sh
diff --git a/...ditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_egid.audit.fail.sh b/...ditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_egid.audit.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# packages = audit
+{{% if product == "ol8" %}}
+# platform = Not Applicable
+{{% endif %}}
+
+echo '-a always,exit -F arch=b32 -S execve -C gid!=egid -F euid=0 -k setgid' > /etc/audit/audit.rules
+echo '-a always,exit -F arch=b64 -S execve -C gid!=egid -F euid=0 -k setgid' >> /etc/audit/audit.rules
+echo '-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid' >> /etc/audit/audit.rules
+echo '-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid' >> /etc/audit/audit.rules
diff --git a/...ilege_function/tests/wrong_f_egid.fail.sh → ...ion/tests/wrong_f_egid.privileged.fail.sh b/...ilege_function/tests/wrong_f_egid.fail.sh → ...ion/tests/wrong_f_egid.privileged.fail.sh
diff --git a/...ditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_euid.audit.fail.sh b/...ditd_configure_rules/audit_rules_suid_privilege_function/tests/wrong_f_euid.audit.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# packages = audit
+{{% if product == "ol8" %}}
+# platform = Not Applicable
+{{% endif %}}
+
+echo '-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid' > /etc/audit/audit.rules
+echo '-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid' >> /etc/audit/audit.rules
+echo '-a always,exit -F arch=b32 -S execve -C uid!=euid -F egid=0 -k setuid' >> /etc/audit/audit.rules
+echo '-a always,exit -F arch=b64 -S execve -C uid!=euid -F egid=0 -k setuid' >> /etc/audit/audit.rules
diff --git a/...ilege_function/tests/wrong_f_euid.fail.sh → ...ion/tests/wrong_f_euid.privileged.fail.sh b/...ilege_function/tests/wrong_f_euid.fail.sh → ...ion/tests/wrong_f_euid.privileged.fail.sh