

tests: add file_permission test
Add a very basic file permission change event filtering test, using the
perl Test::Simple framework and with the file_delete test as inspiration.

See: #12

Signed-off-by: Ricardo Robaina <[email protected]>
rprobaina committed Aug 16, 2023
1 parent 802305e commit 1e4e2c7
Showing 3 changed files with 131 additions and 0 deletions.
1 change: 1 addition & 0 deletions tests/Makefile
Expand Up @@ -21,6 +21,7 @@ TESTS := \
file_create \
file_delete \
file_rename \
file_permission \
filter_exclude \
filter_saddr_fam \
filter_sessionid \
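--- /dev/null
+++ b/tests/file_permission/Makefile
@@ -0,0 +1,8 @@
+TARGETS=$(patsubst %.c,%,$(wildcard *.c))
+
+LDLIBS += -lpthread
+
+all: $(TARGETS)
+clean:
+rm -f $(TARGETS)
+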
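Review bot: The `all` and `clean` rules are not declared phony, and since this commit adds no `.c` source next to the Makefile, `$(TARGETS)` expands to nothing, so a stray file named `all` or `clean` in the directory would silently satisfy the rule. Add `.PHONY: all clean` above `all: $(TARGETS)` so both targets always run.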
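--- /dev/null
+++ b/tests/file_permission/test
@@ -0,0 +1,122 @@
+#!/usr/bin/perl
+
+use strict;
+
+use Test;
+BEGIN { plan tests => 3 }
+
+use File::Temp qw/ tempdir tempfile /;
+
+###
+# functions
+
+sub key_gen {
+my @chars = ( "A" .. "Z", "a" .. "z" );
+my $key = "testsuite-" . time . "-";
+$key .= $chars[ rand @chars ] for 1 .. 8;
+return $key;
+}
+
+###
+# setup
+
+# reset audit
+system("auditctl -D >& /dev/null");
+
+# create temp directory
+my $dir = tempdir( TEMPLATE => '/tmp/audit-testsuite-XXXX', CLEANUP => 1 );
+
+# create stdout/stderr sinks
+( my $fh_out, my $stdout ) = tempfile(
+TEMPLATE => '/tmp/audit-testsuite-out-XXXX',
+UNLINK => 1
+);
+( my $fh_err, my $stderr ) = tempfile(
+TEMPLATE => '/tmp/audit-testsuite-err-XXXX',
+UNLINK => 1
+);
+
+###
+# tests
+
+# set the directory watch
+my $key = key_gen();
+system("auditctl -a always,exit -F dir=$dir -k $key");
+
+# create a new file in the watched directory
+( my $fh, my $filename ) =
+tempfile( TEMPLATE => $dir . "/file-XXXX", UNLINK => 1 );
+(
+my $dev,
+my $ino,
+my $mode,
+my $nlink,
+my $uid,
+my $gid,
+my $rdev,
+my $size,
+my $atime,
+my $mtime,
+my $ctime,
+my $blksize,
+my $blocks
+) = stat($filename);
+my $dev_fmt = sprintf( "%02x:%02x", $dev >> 8, $dev & 0x00ff );
+my $uid_fmt = getpwuid($uid);
+my $gid_fmt = getgrgid($uid);
+
+# change the file permissions
+chmod( 0775, $filename );
+
+# make sure the records had a chance to bubble through to the logs
+system("auditctl -m syncmarker-$key");
+for ( my $i = 0 ; $i < 10 ; $i++ ) {
+if ( system("ausearch -m USER | grep -q syncmarker-$key") eq 0 ) {
+last;
+}
+sleep(0.2);
+}
+
+# test if we generate any audit records from the watch
+my $result = system("ausearch -i -k $key > $stdout 2> $stderr");
+ok( $result, 0 );
+
+# test if we generate the SYSCALL and PATH(NORMAL) records correctly
+my $line;
+my $found_syscall = 0;
+my $found_normal = 0;
+while ( $line = <$fh_out> ) {
+
+# test if we generate a SYSCALL record
+if ( $line =~ /^type=SYSCALL / ) {
+if ( ( $line =~ / syscall=(f)?chmod(at|at2)? / )
+and $line =~ / success=yes / )
+{
+$found_syscall = 1;
+}
+}
+if ( $line =~ /^type=PATH / ) {
+
+# test if we generate a PATH(nametype=NORMAL) record
+if ( $line =~ / name=$filename /
+and $line =~ / dev=$dev_fmt /
+and $line =~ / inode=$ino /
+and $line =~ / ouid=$uid_fmt /
+and $line =~ / ogid=$gid_fmt /
+and $line =~ / (nametype|objtype)=NORMAL /
+and $line =~ / cap_fp=none /
+and $line =~ / cap_fi=none /
+and $line =~ / cap_fe=0 /
+and $line =~ / cap_fver=0 / )
+{
+$found_normal = 1;
+}
+}
+}
+ok($found_syscall);
+ok($found_normal);
+
+###
+# cleanup
+
+system("auditctl -D >& /dev/null");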
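Review bot: The PATH-record match resolves the owning group from the wrong id: `my $gid_fmt = getgrgid($uid);` looks the group up by the file's uid, so the `ogid=` check only passes where the caller's uid and primary gid happen to coincide (root, or user-private-group setups) and fails elsewhere; it should read `my $gid_fmt = getgrgid($gid);`, using the `$gid` already unpacked from `stat`. The sync loop's `sleep(0.2)` is core `sleep`, which truncates to whole seconds, so the ten retries run back-to-back with no pause and the following `ausearch -i -k $key` can race the log writer; adding `use Time::HiRes qw(sleep);` next to the File::Temp import gives the intended fractional delay. In that same loop `eq 0` compares a numeric exit status as a string where `== 0` is the conventional form, and the file omits `use warnings;` after `use strict;`.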
