diff options
author | Ashlee Young <ashlee@wildernessvoice.com> | 2016-01-20 01:10:01 +0000 |
---|---|---|
committer | Ashlee Young <ashlee@wildernessvoice.com> | 2016-01-20 01:10:11 +0000 |
commit | 19d701ddf07d855128ded0cf2b573ce468e3bdd6 (patch) | |
tree | 0edcd3461ca903c76e431bb7c6348c42a0f12488 /framework/src/audit/auparse/test | |
parent | fac6fbefbfad1cf837ddd88bc0d330559c8eb6f9 (diff) |
Removing Suricata and Audit from source repo, and updated build.sh to avoid building suricata. Will re-address this in C release via tar balls.
Change-Id: I3710076f8b7f3313cb3cb5260c4eb0a6834d4f6e
Signed-off-by: Ashlee Young <ashlee@wildernessvoice.com>
Diffstat (limited to 'framework/src/audit/auparse/test')
-rw-r--r-- | framework/src/audit/auparse/test/Makefile.am | 91 | ||||
-rw-r--r-- | framework/src/audit/auparse/test/auparse_test.c | 469 | ||||
-rwxr-xr-x | framework/src/audit/auparse/test/auparse_test.py | 262 | ||||
-rw-r--r-- | framework/src/audit/auparse/test/auparse_test.ref | 803 | ||||
-rw-r--r-- | framework/src/audit/auparse/test/auparse_test.ref.py | 793 | ||||
-rw-r--r-- | framework/src/audit/auparse/test/test.log | 10 | ||||
-rw-r--r-- | framework/src/audit/auparse/test/test2.log | 10 |
7 files changed, 0 insertions, 2438 deletions
diff --git a/framework/src/audit/auparse/test/Makefile.am b/framework/src/audit/auparse/test/Makefile.am deleted file mode 100644 index 19793508..00000000 --- a/framework/src/audit/auparse/test/Makefile.am +++ /dev/null @@ -1,91 +0,0 @@ -# Makefile.am -- -# Copyright 2006-08,2014-15 Red Hat Inc., Durham, North Carolina. -# All Rights Reserved. -# -# This library is free software; you can redistribute it and/or -# modify it under the terms of the GNU Lesser General Public -# License as published by the Free Software Foundation; either -# version 2.1 of the License, or (at your option) any later version. -# -# This library is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# Lesser General Public License for more details. -# -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -# -# Authors: -# Steve Grubb <sgrubb@redhat.com> -# - -CONFIG_CLEAN_FILES = *.loT *.rej *.orig *.cur -AUTOMAKE_OPTIONS = no-dependencies -check_PROGRAMS = auparse_test -dist_check_SCRIPTS = auparse_test.py -EXTRA_DIST = auparse_test.ref auparse_test.ref.py test.log test2.log - -AM_CPPFLAGS = -I${top_srcdir}/auparse -I${top_srcdir}/lib - -auparse_test_SOURCES = auparse_test.c -auparse_test_LDFLAGS = -static -auparse_test_LDADD = ${top_builddir}/auparse/libauparse.la \ - ${top_builddir}/lib/libaudit.la - -drop_srcdir = sed 's,$(srcdir)/test,test,' - -check: auparse_test - test "$(top_srcdir)" = "$(top_builddir)" || \ - cp $(top_srcdir)/auparse/test/test*.log . - LC_ALL=C \ - ./auparse_test > auparse_test.cur - diff -u $(top_srcdir)/auparse/test/auparse_test.ref auparse_test.cur -if HAVE_PYTHON - cp ${top_builddir}/bindings/swig/python/.libs/_audit.so ${top_builddir}/bindings/swig/python - PYTHONPATH=${top_builddir}/bindings/python/python2/.libs/:${top_builddir}/bindings/swig/python:${top_builddir}/bindings/swig/python/.libs \ - LD_LIBRARY_PATH=${top_builddir}/auparse/.libs \ - srcdir=$(srcdir) $(srcdir)/auparse_test.py \ - | $(drop_srcdir) > auparse_test.cur - diff -u $(top_srcdir)/auparse/test/auparse_test.ref.py auparse_test.cur -endif - echo -e "===================\nAuparse Test Passes\n===================" - -diffcheck: auparse_test - ./auparse_test > auparse_test.cur - diff -u $(srcdir)/auparse_test.ref auparse_test.cur - -memcheck: auparse_test - valgrind --leak-check=yes --show-reachable=yes ./auparse_test - -pycheck: auparse_test.py -if HAVE_PYTHON - PYTHONPATH=${top_builddir}/bindings/python/python2/.libs/:${top_builddir}/bindings/swig/python:${top_builddir}/bindings/swig/python/.libs \ - LD_LIBRARY_PATH=${top_builddir}/auparse/.libs \ - srcdir=$(srcdir) $(srcdir)/auparse_test.py -endif - -pydiffcheck: auparse_test.py -if HAVE_PYTHON - PYTHONPATH=${top_builddir}/bindings/python/python2/.libs/:${top_builddir}/bindings/swig/python:${top_builddir}/bindings/swig/python/.libs \ - LD_LIBRARY_PATH=${top_builddir}/auparse/.libs \ - srcdir=$(srcdir) $(srcdir)/auparse_test.py \ - | $(drop_srcdir) > auparse_test.cur - diff $(srcdir)/auparse_test.ref auparse_test.cur -endif - -pymemcheck: auparse_test.py -if HAVE_PYTHON - PYTHONPATH=${top_builddir}/bindings/python/python2/.libs/:${top_builddir}/bindings/swig/python:${top_builddir}/bindings/swig/python/.libs \ - LD_LIBRARY_PATH=${top_builddir}/auparse/.libs srcdir=$(srcdir) valgrind --leak-check=yes --show-reachable=yes python $(srcdir)/auparse_test.py - -${top_builddir}/bindings/python/build/*/auparse.so: ${top_srcdir}/bindings/python/auparse_python.c - cd ${top_builddir}/bindings/python && make -endif - -clean-generic: - $(RM) *.cur -if HAVE_PYTHON - $(RM) ${top_builddir}/bindings/swig/python/_audit.so -endif - test "$(top_srcdir)" = "$(top_builddir)" || $(RM) test*.log diff --git a/framework/src/audit/auparse/test/auparse_test.c b/framework/src/audit/auparse/test/auparse_test.c deleted file mode 100644 index a6477d41..00000000 --- a/framework/src/audit/auparse/test/auparse_test.c +++ /dev/null @@ -1,469 +0,0 @@ -#include <stdio.h> -#include <stdlib.h> -#include <unistd.h> -#include <string.h> -#include <locale.h> -#include <errno.h> -#include <libaudit.h> -#include <auparse.h> - - -static const char *buf[] = { - "type=LOGIN msg=audit(1143146623.787:142): login pid=2027 uid=0 old auid=4294967295 new auid=848\n" - "type=SYSCALL msg=audit(1143146623.875:143): arch=c000003e syscall=188 success=yes exit=0 a0=7fffffa9a9f0 a1=3958d11333 a2=5131f0 a3=20 items=1 pid=2027 auid=848 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty3 comm=\"login\" exe=\"/bin/login\" subj=system_u:system_r:local_login_t:s0-s0:c0.c255\n", - - "type=USER_LOGIN msg=audit(1143146623.879:146): user pid=2027 uid=0 auid=848 msg=\'uid=848: exe=\"/bin/login\" (hostname=?, addr=?, terminal=tty3 res=success)\'\n", - - NULL -}; - - -static void walk_test(auparse_state_t *au) -{ - int event_cnt = 1, record_cnt; - - do { - if (auparse_first_record(au) <= 0) { - printf("Error getting first record (%s)\n", - strerror(errno)); - exit(1); - } - printf("event %d has %d records\n", event_cnt, - auparse_get_num_records(au)); - record_cnt = 1; - do { - printf(" record %d of type %d(%s) has %d fields\n", - record_cnt, - auparse_get_type(au), - audit_msg_type_to_name(auparse_get_type(au)), - auparse_get_num_fields(au)); - printf(" line=%d file=%s\n", - auparse_get_line_number(au), - auparse_get_filename(au) ? - auparse_get_filename(au) : "None"); - const au_event_t *e = auparse_get_timestamp(au); - if (e == NULL) { - printf("Error getting timestamp - aborting\n"); - exit(1); - } - printf(" event time: %u.%u:%lu, host=%s\n", - (unsigned)e->sec, - e->milli, e->serial, e->host ? e->host : "?"); - auparse_first_field(au); - do { - printf(" %s=%s (%s)\n", - auparse_get_field_name(au), - auparse_get_field_str(au), - auparse_interpret_field(au)); - } while (auparse_next_field(au) > 0); - printf("\n"); - record_cnt++; - } while(auparse_next_record(au) > 0); - event_cnt++; - } while (auparse_next_event(au) > 0); -} - -void light_test(auparse_state_t *au) -{ - int record_cnt; - - do { - if (auparse_first_record(au) <= 0) { - puts("Error getting first record"); - exit(1); - } - printf("event has %d records\n", auparse_get_num_records(au)); - record_cnt = 1; - do { - printf(" record %d of type %d(%s) has %d fields\n", - record_cnt, - auparse_get_type(au), - audit_msg_type_to_name(auparse_get_type(au)), - auparse_get_num_fields(au)); - printf(" line=%d file=%s\n", - auparse_get_line_number(au), - auparse_get_filename(au) ? - auparse_get_filename(au) : "None"); - const au_event_t *e = auparse_get_timestamp(au); - if (e == NULL) { - printf("Error getting timestamp - aborting\n"); - exit(1); - } - printf(" event time: %u.%u:%lu, host=%s\n", - (unsigned)e->sec, - e->milli, e->serial, - e->host ? e->host : "?"); - printf("\n"); - record_cnt++; - } while(auparse_next_record(au) > 0); - - } while (auparse_next_event(au) > 0); -} - -void simple_search(ausource_t source, austop_t where) -{ - auparse_state_t *au; - const char *val; - - if (source == AUSOURCE_FILE) { - au = auparse_init(AUSOURCE_FILE, "./test.log"); - val = "4294967295"; - } else { - au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf); - val = "848"; - } - if (au == NULL) { - printf("auparse_init error - %s\n", strerror(errno)); - exit(1); - } - if (ausearch_add_item(au, "auid", "=", val, AUSEARCH_RULE_CLEAR)){ - printf("ausearch_add_item error - %s\n", strerror(errno)); - exit(1); - } - if (ausearch_set_stop(au, where)){ - printf("ausearch_set_stop error - %s\n", strerror(errno)); - exit(1); - } - if (ausearch_next_event(au) <= 0) - printf("Error searching for auid - %s\n", strerror(errno)); - else - printf("Found %s = %s\n", auparse_get_field_name(au), - auparse_get_field_str(au)); - auparse_destroy(au); -} - -void compound_search(ausearch_rule_t how) -{ - auparse_state_t *au; - - au = auparse_init(AUSOURCE_FILE, "./test.log"); - if (au == NULL) { - printf("auparse_init error - %s\n", strerror(errno)); - exit(1); - } - if (how == AUSEARCH_RULE_AND) { - if (ausearch_add_item(au, "uid", "=", "0", - AUSEARCH_RULE_CLEAR)){ - printf("ausearch_add_item 1 error - %s\n", - strerror(errno)); - exit(1); - } - if (ausearch_add_item(au, "pid", "=", "13015", how)){ - printf("ausearch_add_item 2 error - %s\n", - strerror(errno)); - exit(1); - } - if (ausearch_add_item(au, "type", "=", "USER_START", how)){ - printf("ausearch_add_item 3 error - %s\n", - strerror(errno)); - exit(1); - } - } else { - if (ausearch_add_item(au, "auid", "=", "42", - AUSEARCH_RULE_CLEAR)){ - printf("ausearch_add_item 4 error - %s\n", - strerror(errno)); - exit(1); - } - // should stop on this one - if (ausearch_add_item(au, "auid", "=", "0", how)){ - printf("ausearch_add_item 5 error - %s\n", - strerror(errno)); - exit(1); - } - if (ausearch_add_item(au, "auid", "=", "500", how)){ - printf("ausearch_add_item 6 error - %s\n", - strerror(errno)); - exit(1); - } - } - if (ausearch_set_stop(au, AUSEARCH_STOP_FIELD)){ - printf("ausearch_set_stop error - %s\n", strerror(errno)); - exit(1); - } - if (ausearch_next_event(au) <= 0) - printf("Error searching for auid - %s\n", strerror(errno)); - else - printf("Found %s = %s\n", auparse_get_field_name(au), - auparse_get_field_str(au)); - auparse_destroy(au); -} - -void regex_search(const char *expr) -{ - auparse_state_t *au; - int rc; - - au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf); - if (au == NULL) { - printf("auparse_init error - %s\n", strerror(errno)); - exit(1); - } - if (ausearch_add_regex(au, expr)){ - printf("ausearch_add_regex error - %s\n", strerror(errno)); - exit(1); - } - if (ausearch_set_stop(au, AUSEARCH_STOP_RECORD)){ - printf("ausearch_set_stop error - %s\n", strerror(errno)); - exit(1); - } - rc = ausearch_next_event(au); - if (rc < 0) - printf("Error searching for %s - %s\n", expr, strerror(errno)); - else if (rc == 0) - printf("Not found\n"); - else - printf("Found %s = %s\n", auparse_get_field_name(au), - auparse_get_field_str(au)); - auparse_destroy(au); -} - -static void auparse_callback(auparse_state_t *au, auparse_cb_event_t cb_event_type, void *user_data) -{ - int *event_cnt = (int *)user_data; - int record_cnt; - - if (cb_event_type == AUPARSE_CB_EVENT_READY) { - if (auparse_first_record(au) <= 0) { - printf("can't get first record\n"); - return; - } - printf("event %d has %d records\n", *event_cnt, - auparse_get_num_records(au)); - record_cnt = 1; - do { - printf(" record %d of type %d(%s) has %d fields\n", - record_cnt, - auparse_get_type(au), - audit_msg_type_to_name(auparse_get_type(au)), - auparse_get_num_fields(au)); - printf(" line=%d file=%s\n", - auparse_get_line_number(au), - auparse_get_filename(au) ? - auparse_get_filename(au) : "None"); - const au_event_t *e = auparse_get_timestamp(au); - if (e == NULL) { - return; - } - printf(" event time: %u.%u:%lu, host=%s\n", - (unsigned)e->sec, - e->milli, e->serial, - e->host ? e->host : "?"); - auparse_first_field(au); - do { - printf(" %s=%s (%s)\n", - auparse_get_field_name(au), - auparse_get_field_str(au), - auparse_interpret_field(au)); - } while (auparse_next_field(au) > 0); - printf("\n"); - record_cnt++; - } while(auparse_next_record(au) > 0); - (*event_cnt)++; - } -} - -int main(void) -{ - //char *files[4] = { "test.log", "test2.log", "test3.log", NULL }; - char *files[3] = { "test.log", "test2.log", NULL }; - setlocale (LC_ALL, ""); - auparse_state_t *au; - - au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf); - if (au == NULL) { - printf("Error - %s\n", strerror(errno)); - return 1; - } - - printf("Starting Test 1, iterate...\n"); - while (auparse_next_event(au) > 0) { - if (auparse_find_field(au, "auid")) { - printf("%s=%s\n", auparse_get_field_name(au), - auparse_get_field_str(au)); - printf("interp auid=%s\n", auparse_interpret_field(au)); - } else - printf("Error iterating to auid\n"); - } - auparse_reset(au); - while (auparse_next_event(au) > 0) { - if (auparse_find_field(au, "auid")) { - do { - printf("%s=%s\n", auparse_get_field_name(au), - auparse_get_field_str(au)); - printf("interp auid=%s\n", auparse_interpret_field(au)); - } while (auparse_find_field_next(au)); - } else - printf("Error iterating to auid\n"); - } - printf("Test 1 Done\n\n"); - - /* Reset, now lets go to beginning and walk the list manually */ - printf("Starting Test 2, walk events, records, and fields...\n"); - auparse_reset(au); - walk_test(au); - auparse_destroy(au); - printf("Test 2 Done\n\n"); - - /* Reset, now lets go to beginning and walk the list manually */ - printf("Starting Test 3, walk events, records of 1 buffer...\n"); - au = auparse_init(AUSOURCE_BUFFER, buf[1]); - if (au == NULL) { - printf("Error - %s\n", strerror(errno)); - return 1; - } - light_test(au); - auparse_destroy(au); - printf("Test 3 Done\n\n"); - - printf("Starting Test 4, walk events, records of 1 file...\n"); - au = auparse_init(AUSOURCE_FILE, "./test.log"); - if (au == NULL) { - printf("Error - %s\n", strerror(errno)); - return 1; - } - walk_test(au); - auparse_destroy(au); - printf("Test 4 Done\n\n"); - - printf("Starting Test 5, walk events, records of 2 files...\n"); - au = auparse_init(AUSOURCE_FILE_ARRAY, files); - if (au == NULL) { - printf("Error - %s\n", strerror(errno)); - return 1; - } - walk_test(au); - auparse_destroy(au); - printf("Test 5 Done\n\n"); - - printf("Starting Test 6, search...\n"); - au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf); - if (au == NULL) { - printf("Error - %s\n", strerror(errno)); - return 1; - } - if (ausearch_add_item(au, "auid", "=", "500", AUSEARCH_RULE_CLEAR)){ - printf("Error - %s", strerror(errno)); - return 1; - } - if (ausearch_set_stop(au, AUSEARCH_STOP_EVENT)){ - printf("Error - %s", strerror(errno)); - exit(1); - } - if (ausearch_next_event(au) != 0) { - printf("Error search found something it shouldn't have\n"); - } - puts("auid = 500 not found...which is correct"); - ausearch_clear(au); - auparse_destroy(au); - au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf); - if (ausearch_add_item(au,"auid", "exists", NULL, AUSEARCH_RULE_CLEAR)){ - printf("Error - %s", strerror(errno)); - return 1; - } - if (ausearch_set_stop(au, AUSEARCH_STOP_EVENT)){ - printf("Error - %s", strerror(errno)); - exit(1); - } - if (ausearch_next_event(au) <= 0) { - printf("Error searching for existence of auid\n"); - } - puts("auid exists...which is correct"); - puts("Testing BUFFER_ARRAY, stop on field"); - simple_search(AUSOURCE_BUFFER_ARRAY, AUSEARCH_STOP_FIELD); - puts("Testing BUFFER_ARRAY, stop on record"); - simple_search(AUSOURCE_BUFFER_ARRAY, AUSEARCH_STOP_RECORD); - puts("Testing BUFFER_ARRAY, stop on event"); - simple_search(AUSOURCE_BUFFER_ARRAY, AUSEARCH_STOP_EVENT); - puts("Testing test.log, stop on field"); - simple_search(AUSOURCE_FILE, AUSEARCH_STOP_FIELD); - puts("Testing test.log, stop on record"); - simple_search(AUSOURCE_FILE, AUSEARCH_STOP_RECORD); - puts("Testing test.log, stop on event"); - simple_search(AUSOURCE_FILE, AUSEARCH_STOP_EVENT); - auparse_destroy(au); - printf("Test 6 Done\n\n"); - - printf("Starting Test 7, compound search...\n"); - au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf); - if (au == NULL) { - printf("Error - %s\n", strerror(errno)); - return 1; - } - compound_search(AUSEARCH_RULE_AND); - compound_search(AUSEARCH_RULE_OR); - auparse_destroy(au); - printf("Test 7 Done\n\n"); - - printf("Starting Test 8, regex search...\n"); - puts("Doing regex match..."); - regex_search("1143146623"); - puts("Doing regex wildcard search..."); - regex_search("11431466.*146"); - printf("Test 8 Done\n\n"); - - /* Note: this should match Test 2 exactly */ - printf("Starting Test 9, buffer feed...\n"); - { - int event_cnt = 1; - size_t len, chunk_len = 3; - const char **cur_buf, *p_beg, *p_end, *p_chunk_beg, - *p_chunk_end; - - au = auparse_init(AUSOURCE_FEED, 0); - auparse_add_callback(au, auparse_callback, &event_cnt, NULL); - for (cur_buf = buf, p_beg = *cur_buf; *cur_buf; - cur_buf++, p_beg = *cur_buf) { - len = strlen(p_beg); - p_end = p_beg + len; - p_chunk_beg = p_beg; - while (p_chunk_beg < p_end) { - p_chunk_end = p_chunk_beg + chunk_len; - if (p_chunk_end > p_end) - p_chunk_end = p_end; - - //fwrite(p_chunk_beg, 1, - // p_chunk_end-p_chunk_beg, stdout); - auparse_feed(au, p_chunk_beg, - p_chunk_end-p_chunk_beg); - p_chunk_beg = p_chunk_end; - } - } - - auparse_flush_feed(au); - auparse_destroy(au); - } - printf("Test 9 Done\n\n"); - - /* Note: this should match Test 4 exactly */ - printf("Starting Test 10, file feed...\n"); - { - int *event_cnt = malloc(sizeof(int)); - size_t len; - char filename[] = "./test.log"; - char buf[4]; - FILE *fp; - - *event_cnt = 1; - au = auparse_init(AUSOURCE_FEED, 0); - auparse_add_callback(au, auparse_callback, event_cnt, free); - if ((fp = fopen(filename, "r")) == NULL) { - fprintf(stderr, "could not open '%s', %s\n", - filename, strerror(errno)); - return 1; - } - while ((len = fread(buf, 1, sizeof(buf), fp))) { - auparse_feed(au, buf, len); - } - - fclose(fp); - auparse_flush_feed(au); - auparse_destroy(au); - } - printf("Test 10 Done\n\n"); - - puts("Finished non-admin tests\n"); - - return 0; -} - diff --git a/framework/src/audit/auparse/test/auparse_test.py b/framework/src/audit/auparse/test/auparse_test.py deleted file mode 100755 index 9d9a5c4d..00000000 --- a/framework/src/audit/auparse/test/auparse_test.py +++ /dev/null @@ -1,262 +0,0 @@ -#!/usr/bin/env python - -import os -srcdir = os.getenv('srcdir') - -buf = ["type=LOGIN msg=audit(1143146623.787:142): login pid=2027 uid=0 old auid=4294967295 new auid=848\ntype=SYSCALL msg=audit(1143146623.875:143): arch=c000003e syscall=188 success=yes exit=0 a0=7fffffa9a9f0 a1=3958d11333 a2=5131f0 a3=20 items=1 pid=2027 auid=848 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty3 comm=\"login\" exe=\"/bin/login\" subj=system_u:system_r:local_login_t:s0-s0:c0.c255\n", -"type=USER_LOGIN msg=audit(1143146623.879:146): user pid=2027 uid=0 auid=848 msg=\'uid=848: exe=\"/bin/login\" (hostname=?, addr=?, terminal=tty3 res=success)\'\n", -] -files = [srcdir + "/test.log", srcdir + "/test2.log"] - -import sys -import time -load_path = '../../bindings/python/build/lib.linux-i686-2.4' -if False: - sys.path.insert(0, load_path) - -import auparse -import audit - -def none_to_null(s): - 'used so output matches C version' - if s is None: - return '(null)' - else: - return s - -def walk_test(au): - event_cnt = 1 - - au.reset() - while True: - if not au.first_record(): - print "Error getting first record" - sys.exit(1) - - print "event %d has %d records" % (event_cnt, au.get_num_records()) - - record_cnt = 1 - while True: - print " record %d of type %d(%s) has %d fields" % \ - (record_cnt, - au.get_type(), audit.audit_msg_type_to_name(au.get_type()), - au.get_num_fields()) - print " line=%d file=%s" % (au.get_line_number(), au.get_filename()) - event = au.get_timestamp() - if event is None: - print "Error getting timestamp - aborting" - sys.exit(1) - - print " event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host)) - au.first_field() - while True: - print " %s=%s (%s)" % (au.get_field_name(), au.get_field_str(), au.interpret_field()) - if not au.next_field(): break - print - record_cnt += 1 - if not au.next_record(): break - event_cnt += 1 - if not au.parse_next_event(): break - - -def light_test(au): - while True: - if not au.first_record(): - print "Error getting first record" - sys.exit(1) - - print "event has %d records" % (au.get_num_records()) - - record_cnt = 1 - while True: - print " record %d of type %d(%s) has %d fields" % \ - (record_cnt, - au.get_type(), audit.audit_msg_type_to_name(au.get_type()), - au.get_num_fields()) - print " line=%d file=%s" % (au.get_line_number(), au.get_filename()) - event = au.get_timestamp() - if event is None: - print "Error getting timestamp - aborting" - sys.exit(1) - - print " event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host)) - print - record_cnt += 1 - if not au.next_record(): break - if not au.parse_next_event(): break - -def simple_search(au, source, where): - - if source == auparse.AUSOURCE_FILE: - au = auparse.AuParser(auparse.AUSOURCE_FILE, srcdir + "/test.log"); - val = "4294967295" - else: - au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf) - val = "848" - - au.search_add_item("auid", "=", val, auparse.AUSEARCH_RULE_CLEAR) - au.search_set_stop(where) - if not au.search_next_event(): - print "Error searching for auid" - else: - print "Found %s = %s" % (au.get_field_name(), au.get_field_str()) - -def compound_search(au, how): - au = auparse.AuParser(auparse.AUSOURCE_FILE, srcdir + "/test.log"); - if how == auparse.AUSEARCH_RULE_AND: - au.search_add_item("uid", "=", "0", auparse.AUSEARCH_RULE_CLEAR) - au.search_add_item("pid", "=", "13015", how) - au.search_add_item("type", "=", "USER_START", how) - else: - au.search_add_item("auid", "=", "42", auparse.AUSEARCH_RULE_CLEAR) - # should stop on this one - au.search_add_item("auid", "=", "0", how) - au.search_add_item("auid", "=", "500", how) - - au.search_set_stop(auparse.AUSEARCH_STOP_FIELD) - if not au.search_next_event(): - print "Error searching for auid" - else: - print "Found %s = %s" % (au.get_field_name(), au.get_field_str()) - -def feed_callback(au, cb_event_type, event_cnt): - if cb_event_type == auparse.AUPARSE_CB_EVENT_READY: - if not au.first_record(): - print "Error getting first record" - sys.exit(1) - - print "event %d has %d records" % (event_cnt[0], au.get_num_records()) - - record_cnt = 1 - while True: - print " record %d of type %d(%s) has %d fields" % \ - (record_cnt, - au.get_type(), audit.audit_msg_type_to_name(au.get_type()), - au.get_num_fields()) - print " line=%d file=%s" % (au.get_line_number(), au.get_filename()) - event = au.get_timestamp() - if event is None: - print "Error getting timestamp - aborting" - sys.exit(1) - - print " event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host)) - au.first_field() - while True: - print " %s=%s (%s)" % (au.get_field_name(), au.get_field_str(), au.interpret_field()) - if not au.next_field(): break - print - record_cnt += 1 - if not au.next_record(): break - event_cnt[0] += 1 - -au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf) - -print "Starting Test 1, iterate..." -while au.parse_next_event(): - if au.find_field("auid"): - print "%s=%s" % (au.get_field_name(), au.get_field_str()) - print "interp auid=%s" % (au.interpret_field()) - else: - print "Error iterating to auid" -print "Test 1 Done\n" - -# Reset, now lets go to beginning and walk the list manually */ -print "Starting Test 2, walk events, records, and fields..." -au.reset() -walk_test(au) -print "Test 2 Done\n" - -# Reset, now lets go to beginning and walk the list manually */ -print "Starting Test 3, walk events, records of 1 buffer..." -au = auparse.AuParser(auparse.AUSOURCE_BUFFER, buf[1]) -light_test(au); -print "Test 3 Done\n" - -print "Starting Test 4, walk events, records of 1 file..." -au = auparse.AuParser(auparse.AUSOURCE_FILE, srcdir + "/test.log"); -walk_test(au); -print "Test 4 Done\n" - -print "Starting Test 5, walk events, records of 2 files..." -au = auparse.AuParser(auparse.AUSOURCE_FILE_ARRAY, files); -walk_test(au); -print "Test 5 Done\n" - -print "Starting Test 6, search..." -au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf) -au.search_add_item("auid", "=", "500", auparse.AUSEARCH_RULE_CLEAR) -au.search_set_stop(auparse.AUSEARCH_STOP_EVENT) -if au.search_next_event(): - print "Error search found something it shouldn't have" -else: - print "auid = 500 not found...which is correct" -au.search_clear() -au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf) -#au.search_add_item("auid", "exists", None, auparse.AUSEARCH_RULE_CLEAR) -au.search_add_item("auid", "exists", "", auparse.AUSEARCH_RULE_CLEAR) -au.search_set_stop(auparse.AUSEARCH_STOP_EVENT) -if not au.search_next_event(): - print "Error searching for existence of auid" -print "auid exists...which is correct" -print "Testing BUFFER_ARRAY, stop on field" -simple_search(au, auparse.AUSOURCE_BUFFER_ARRAY, auparse.AUSEARCH_STOP_FIELD) -print "Testing BUFFER_ARRAY, stop on record" -simple_search(au, auparse.AUSOURCE_BUFFER_ARRAY, auparse.AUSEARCH_STOP_RECORD) -print "Testing BUFFER_ARRAY, stop on event" -simple_search(au, auparse.AUSOURCE_BUFFER_ARRAY, auparse.AUSEARCH_STOP_EVENT) -print "Testing test.log, stop on field" -simple_search(au, auparse.AUSOURCE_FILE, auparse.AUSEARCH_STOP_FIELD) -print "Testing test.log, stop on record" -simple_search(au, auparse.AUSOURCE_FILE, auparse.AUSEARCH_STOP_RECORD) -print "Testing test.log, stop on event" -simple_search(au, auparse.AUSOURCE_FILE, auparse.AUSEARCH_STOP_EVENT) -print "Test 6 Done\n" - -print "Starting Test 7, compound search..." -au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf) -compound_search(au, auparse.AUSEARCH_RULE_AND) -compound_search(au, auparse.AUSEARCH_RULE_OR) -print "Test 7 Done\n" - -print "Starting Test 8, regex search..." -au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf) -print "Doing regex match...\n" -au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf) -print "Test 8 Done\n" - -# Note: this should match Test 2 exactly -# Note: this should match Test 2 exactly -print "Starting Test 9, buffer feed..." -au = auparse.AuParser(auparse.AUSOURCE_FEED); -event_cnt = 1 -au.add_callback(feed_callback, [event_cnt]) -chunk_len = 3 -for s in buf: - s_len = len(s) - beg = 0 - while beg < s_len: - end = min(s_len, beg + chunk_len) - data = s[beg:end] - beg += chunk_len - au.feed(data) -au.flush_feed() -print "Test 9 Done\n" - -# Note: this should match Test 4 exactly -print "Starting Test 10, file feed..." -au = auparse.AuParser(auparse.AUSOURCE_FEED); -event_cnt = 1 -au.add_callback(feed_callback, [event_cnt]) -f = open(srcdir + "/test.log"); -while True: - data = f.read(4) - if not data: break - au.feed(data) -au.flush_feed() -print "Test 10 Done\n" - -print "Finished non-admin tests\n" - -au = None -sys.exit(0) - diff --git a/framework/src/audit/auparse/test/auparse_test.ref b/framework/src/audit/auparse/test/auparse_test.ref deleted file mode 100644 index 6cc399bd..00000000 --- a/framework/src/audit/auparse/test/auparse_test.ref +++ /dev/null @@ -1,803 +0,0 @@ -Starting Test 1, iterate... -auid=4294967295 -interp auid=unset -auid=848 -interp auid=unknown(848) -auid=848 -interp auid=unknown(848) -auid=4294967295 -interp auid=unset -auid=848 -interp auid=unknown(848) -auid=848 -interp auid=unknown(848) -auid=848 -interp auid=unknown(848) -Test 1 Done - -Starting Test 2, walk events, records, and fields... -event 1 has 1 records - record 1 of type 1006(LOGIN) has 5 fields - line=1 file=None - event time: 1143146623.787:142, host=? - type=LOGIN (LOGIN) - pid=2027 (2027) - uid=0 (root) - auid=4294967295 (unset) - auid=848 (unknown(848)) - -event 2 has 1 records - record 1 of type 1300(SYSCALL) has 24 fields - line=2 file=None - event time: 1143146623.875:143, host=? - type=SYSCALL (SYSCALL) - arch=c000003e (x86_64) - syscall=188 (setxattr) - success=yes (yes) - exit=0 (0) - a0=7fffffa9a9f0 (0x7fffffa9a9f0) - a1=3958d11333 (0x3958d11333) - a2=5131f0 (0x5131f0) - a3=20 (0x20) - items=1 (1) - pid=2027 (2027) - auid=848 (unknown(848)) - uid=0 (root) - gid=0 (root) - euid=0 (root) - suid=0 (root) - fsuid=0 (root) - egid=0 (root) - sgid=0 (root) - fsgid=0 (root) - tty=tty3 (tty3) - comm="login" (login) - exe="/bin/login" (/bin/login) - subj=system_u:system_r:local_login_t:s0-s0:c0.c255 (system_u:system_r:local_login_t:s0-s0:c0.c255) - -event 3 has 1 records - record 1 of type 1112(USER_LOGIN) has 10 fields - line=3 file=None - event time: 1143146623.879:146, host=? - type=USER_LOGIN (USER_LOGIN) - pid=2027 (2027) - uid=0 (root) - auid=848 (unknown(848)) - uid=848 (unknown(848)) - exe="/bin/login" (/bin/login) - hostname=? (?) - addr=? (?) - terminal=tty3 (tty3) - res=success (success) - -Test 2 Done - -Starting Test 3, walk events, records of 1 buffer... -event has 1 records - record 1 of type 1112(USER_LOGIN) has 10 fields - line=1 file=None - event time: 1143146623.879:146, host=? - -Test 3 Done - -Starting Test 4, walk events, records of 1 file... -event 1 has 4 records - record 1 of type 1400(AVC) has 11 fields - line=1 file=./test.log - event time: 1170021493.977:293, host=? - type=AVC (AVC) - seresult=denied (denied) - seperms=read,write (read,write) - pid=13010 (13010) - comm="pickup" (pickup) - name="maildrop" (maildrop) - dev=hda7 (hda7) - ino=14911367 (14911367) - scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) - tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) - tclass=dir (dir) - - record 2 of type 1300(SYSCALL) has 26 fields - line=2 file=./test.log - event time: 1170021493.977:293, host=? - type=SYSCALL (SYSCALL) - arch=c000003e (x86_64) - syscall=2 (open) - success=no (no) - exit=-13 (-13(Permission denied)) - a0=5555665d91b0 (0x5555665d91b0) - a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY) - a2=5555665d91b8 (0x5555665d91b8) - a3=0 (0x0) - items=1 (1) - ppid=2013 (2013) - pid=13010 (13010) - auid=4294967295 (unset) - uid=890 (unknown(890)) - gid=890 (unknown(890)) - euid=890 (unknown(890)) - suid=890 (unknown(890)) - fsuid=890 (unknown(890)) - egid=890 (unknown(890)) - sgid=890 (unknown(890)) - fsgid=890 (unknown(890)) - tty=(none) ((none)) - comm="pickup" (pickup) - exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup) - subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) - key=(null) ((null)) - - record 3 of type 1307(CWD) has 2 fields - line=3 file=./test.log - event time: 1170021493.977:293, host=? - type=CWD (CWD) - cwd="/var/spool/postfix" (/var/spool/postfix) - - record 4 of type 1302(PATH) has 10 fields - line=4 file=./test.log - event time: 1170021493.977:293, host=? - type=PATH (PATH) - item=0 (0) - name="maildrop" (maildrop) - inode=14911367 (14911367) - dev=03:07 (03:07) - mode=040730 (dir,730) - ouid=890 (unknown(890)) - ogid=891 (unknown(891)) - rdev=00:00 (00:00) - obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) - -event 2 has 1 records - record 1 of type 1101(USER_ACCT) has 11 fields - line=5 file=./test.log - event time: 1170021601.340:294, host=? - type=USER_ACCT (USER_ACCT) - pid=13015 (13015) - uid=0 (root) - auid=4294967295 (unset) - subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) - acct=root (root) - exe="/usr/sbin/crond" (/usr/sbin/crond) - hostname=? (?) - addr=? (?) - terminal=cron (cron) - res=success (success) - -event 3 has 1 records - record 1 of type 1103(CRED_ACQ) has 11 fields - line=6 file=./test.log - event time: 1170021601.342:295, host=? - type=CRED_ACQ (CRED_ACQ) - pid=13015 (13015) - uid=0 (root) - auid=4294967295 (unset) - subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) - acct=root (root) - exe="/usr/sbin/crond" (/usr/sbin/crond) - hostname=? (?) - addr=? (?) - terminal=cron (cron) - res=success (success) - -event 4 has 1 records - record 1 of type 1006(LOGIN) has 5 fields - line=7 file=./test.log - event time: 1170021601.343:296, host=? - type=LOGIN (LOGIN) - pid=13015 (13015) - uid=0 (root) - auid=4294967295 (unset) - auid=0 (root) - -event 5 has 1 records - record 1 of type 1105(USER_START) has 11 fields - line=8 file=./test.log - event time: 1170021601.344:297, host=? - type=USER_START (USER_START) - pid=13015 (13015) - uid=0 (root) - auid=0 (root) - subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) - acct=root (root) - exe="/usr/sbin/crond" (/usr/sbin/crond) - hostname=? (?) - addr=? (?) - terminal=cron (cron) - res=success (success) - -event 6 has 1 records - record 1 of type 1104(CRED_DISP) has 11 fields - line=9 file=./test.log - event time: 1170021601.364:298, host=? - type=CRED_DISP (CRED_DISP) - pid=13015 (13015) - uid=0 (root) - auid=0 (root) - subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) - acct=root (root) - exe="/usr/sbin/crond" (/usr/sbin/crond) - hostname=? (?) - addr=? (?) - terminal=cron (cron) - res=success (success) - -event 7 has 1 records - record 1 of type 1106(USER_END) has 11 fields - line=10 file=./test.log - event time: 1170021601.366:299, host=? - type=USER_END (USER_END) - pid=13015 (13015) - uid=0 (root) - auid=0 (root) - subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) - acct=root (root) - exe="/usr/sbin/crond" (/usr/sbin/crond) - hostname=? (?) - addr=? (?) - terminal=cron (cron) - res=success (success) - -Test 4 Done - -Starting Test 5, walk events, records of 2 files... -event 1 has 4 records - record 1 of type 1400(AVC) has 11 fields - line=1 file=test.log - event time: 1170021493.977:293, host=? - type=AVC (AVC) - seresult=denied (denied) - seperms=read,write (read,write) - pid=13010 (13010) - comm="pickup" (pickup) - name="maildrop" (maildrop) - dev=hda7 (hda7) - ino=14911367 (14911367) - scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) - tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) - tclass=dir (dir) - - record 2 of type 1300(SYSCALL) has 26 fields - line=2 file=test.log - event time: 1170021493.977:293, host=? - type=SYSCALL (SYSCALL) - arch=c000003e (x86_64) - syscall=2 (open) - success=no (no) - exit=-13 (-13(Permission denied)) - a0=5555665d91b0 (0x5555665d91b0) - a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY) - a2=5555665d91b8 (0x5555665d91b8) - a3=0 (0x0) - items=1 (1) - ppid=2013 (2013) - pid=13010 (13010) - auid=4294967295 (unset) - uid=890 (unknown(890)) - gid=890 (unknown(890)) - euid=890 (unknown(890)) - suid=890 (unknown(890)) - fsuid=890 (unknown(890)) - egid=890 (unknown(890)) - sgid=890 (unknown(890)) - fsgid=890 (unknown(890)) - tty=(none) ((none)) - comm="pickup" (pickup) - exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup) - subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) - key=(null) ((null)) - - record 3 of type 1307(CWD) has 2 fields - line=3 file=test.log - event time: 1170021493.977:293, host=? - type=CWD (CWD) - cwd="/var/spool/postfix" (/var/spool/postfix) - - record 4 of type 1302(PATH) has 10 fields - line=4 file=test.log - event time: 1170021493.977:293, host=? - type=PATH (PATH) - item=0 (0) - name="maildrop" (maildrop) - inode=14911367 (14911367) - dev=03:07 (03:07) - mode=040730 (dir,730) - ouid=890 (unknown(890)) - ogid=891 (unknown(891)) - rdev=00:00 (00:00) - obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) - -event 2 has 1 records - record 1 of type 1101(USER_ACCT) has 11 fields - line=5 file=test.log - event time: 1170021601.340:294, host=? - type=USER_ACCT (USER_ACCT) - pid=13015 (13015) - uid=0 (root) - auid=4294967295 (unset) - subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) - acct=root (root) - exe="/usr/sbin/crond" (/usr/sbin/crond) - hostname=? (?) - addr=? (?) - terminal=cron (cron) - res=success (success) - -event 3 has 1 records - record 1 of type 1103(CRED_ACQ) has 11 fields - line=6 file=test.log - event time: 1170021601.342:295, host=? - type=CRED_ACQ (CRED_ACQ) - pid=13015 (13015) - uid=0 (root) - auid=4294967295 (unset) - subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) - acct=root (root) - exe="/usr/sbin/crond" (/usr/sbin/crond) - hostname=? (?) - addr=? (?) - terminal=cron (cron) - res=success (success) - -event 4 has 1 records - record 1 of type 1006(LOGIN) has 5 fields - line=7 file=test.log - event time: 1170021601.343:296, host=? - type=LOGIN (LOGIN) - pid=13015 (13015) - uid=0 (root) - auid=4294967295 (unset) - auid=0 (root) - -event 5 has 1 records - record 1 of type 1105(USER_START) has 11 fields - line=8 file=test.log - event time: 1170021601.344:297, host=? - type=USER_START (USER_START) - pid=13015 (13015) - uid=0 (root) - auid=0 (root) - subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) - acct=root (root) - exe="/usr/sbin/crond" (/usr/sbin/crond) - hostname=? (?) - addr=? (?) - terminal=cron (cron) - res=success (success) - -event 6 has 1 records - record 1 of type 1104(CRED_DISP) has 11 fields - line=9 file=test.log - event time: 1170021601.364:298, host=? - type=CRED_DISP (CRED_DISP) - pid=13015 (13015) - uid=0 (root) - auid=0 (root) - subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) - acct=root (root) - exe="/usr/sbin/crond" (/usr/sbin/crond) - hostname=? (?) - addr=? (?) - terminal=cron (cron) - res=success (success) - -event 7 has 1 records - record 1 of type 1106(USER_END) has 11 fields - line=10 file=test.log - event time: 1170021601.366:299, host=? - type=USER_END (USER_END) - pid=13015 (13015) - uid=0 (root) - auid=0 (root) - subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) - acct=root (root) - exe="/usr/sbin/crond" (/usr/sbin/crond) - hostname=? (?) - addr=? (?) - terminal=cron (cron) - res=success (success) - -event 8 has 4 records - record 1 of type 1400(AVC) has 11 fields - line=1 file=test2.log - event time: 1170021493.977:293, host=? - type=AVC (AVC) - seresult=denied (denied) - seperms=read (read) - pid=13010 (13010) - comm="pickup" (pickup) - name="maildrop" (maildrop) - dev=hda7 (hda7) - ino=14911367 (14911367) - scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) - tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) - tclass=dir (dir) - - record 2 of type 1300(SYSCALL) has 26 fields - line=2 file=test2.log - event time: 1170021493.977:293, host=? - type=SYSCALL (SYSCALL) - arch=c000003e (x86_64) - syscall=2 (open) - success=no (no) - exit=-13 (-13(Permission denied)) - a0=5555665d91b0 (0x5555665d91b0) - a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY) - a2=5555665d91b8 (0x5555665d91b8) - a3=0 (0x0) - items=1 (1) - ppid=2013 (2013) - pid=13010 (13010) - auid=4294967295 (unset) - uid=890 (unknown(890)) - gid=890 (unknown(890)) - euid=890 (unknown(890)) - suid=890 (unknown(890)) - fsuid=890 (unknown(890)) - egid=890 (unknown(890)) - sgid=890 (unknown(890)) - fsgid=890 (unknown(890)) - tty=(none) ((none)) - comm="pickup" (pickup) - exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup) - subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) - key=(null) ((null)) - - record 3 of type 1307(CWD) has 2 fields - line=3 file=test2.log - event time: 1170021493.977:293, host=? - type=CWD (CWD) - cwd="/var/spool/postfix" (/var/spool/postfix) - - record 4 of type 1302(PATH) has 10 fields - line=4 file=test2.log - event time: 1170021493.977:293, host=? - type=PATH (PATH) - item=0 (0) - name="maildrop" (maildrop) - inode=14911367 (14911367) - dev=03:07 (03:07) - mode=040730 (dir,730) - ouid=890 (unknown(890)) - ogid=891 (unknown(891)) - rdev=00:00 (00:00) - obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) - -event 9 has 1 records - record 1 of type 1101(USER_ACCT) has 11 fields - line=5 file=test2.log - event time: 1170021601.340:294, host=? - type=USER_ACCT (USER_ACCT) - pid=13015 (13015) - uid=0 (root) - auid=4294967295 (unset) - subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) - acct=root (root) - exe="/usr/sbin/crond" (/usr/sbin/crond) - hostname=? (?) - addr=? (?) - terminal=cron (cron) - res=success (success) - -event 10 has 1 records - record 1 of type 1103(CRED_ACQ) has 11 fields - line=6 file=test2.log - event time: 1170021601.342:295, host=? - type=CRED_ACQ (CRED_ACQ) - pid=13015 (13015) - uid=0 (root) - auid=4294967295 (unset) - subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) - acct=root (root) - exe="/usr/sbin/crond" (/usr/sbin/crond) - hostname=? (?) - addr=? (?) - terminal=cron (cron) - res=success (success) - -event 11 has 1 records - record 1 of type 1006(LOGIN) has 5 fields - line=7 file=test2.log - event time: 1170021601.343:296, host=? - type=LOGIN (LOGIN) - pid=13015 (13015) - uid=0 (root) - auid=4294967295 (unset) - auid=0 (root) - -event 12 has 1 records - record 1 of type 1105(USER_START) has 11 fields - line=8 file=test2.log - event time: 1170021601.344:297, host=? - type=USER_START (USER_START) - pid=13015 (13015) - uid=0 (root) - auid=0 (root) - subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) - acct=root (root) - exe="/usr/sbin/crond" (/usr/sbin/crond) - hostname=? (?) - addr=? (?) - terminal=cron (cron) - res=success (success) - -event 13 has 1 records - record 1 of type 1104(CRED_DISP) has 11 fields - line=9 file=test2.log - event time: 1170021601.364:298, host=? - type=CRED_DISP (CRED_DISP) - pid=13015 (13015) - uid=0 (root) - auid=0 (root) - subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) - acct=root (root) - exe="/usr/sbin/crond" (/usr/sbin/crond) - hostname=? (?) - addr=? (?) - terminal=cron (cron) - res=success (success) - -event 14 has 1 records - record 1 of type 1106(USER_END) has 11 fields - line=10 file=test2.log - event time: 1170021601.366:299, host=? - type=USER_END (USER_END) - pid=13015 (13015) - uid=0 (root) - auid=0 (root) - subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) - acct=root (root) - exe="/usr/sbin/crond" (/usr/sbin/crond) - hostname=? (?) - addr=? (?) - terminal=cron (cron) - res=success (success) - -Test 5 Done - -Starting Test 6, search... -auid = 500 not found...which is correct -auid exists...which is correct -Testing BUFFER_ARRAY, stop on field -Found auid = 848 -Testing BUFFER_ARRAY, stop on record -Found type = SYSCALL -Testing BUFFER_ARRAY, stop on event -Found type = SYSCALL -Testing test.log, stop on field -Found auid = 4294967295 -Testing test.log, stop on record -Found type = SYSCALL -Testing test.log, stop on event -Found type = AVC -Test 6 Done - -Starting Test 7, compound search... -Found type = USER_START -Found auid = 0 -Test 7 Done - -Starting Test 8, regex search... -Doing regex match... -Found type = LOGIN -Doing regex wildcard search... -Found type = USER_LOGIN -Test 8 Done - -Starting Test 9, buffer feed... -event 1 has 1 records - record 1 of type 1006(LOGIN) has 5 fields - line=1 file=None - event time: 1143146623.787:142, host=? - type=LOGIN (LOGIN) - pid=2027 (2027) - uid=0 (root) - auid=4294967295 (unset) - auid=848 (unknown(848)) - -event 2 has 1 records - record 1 of type 1300(SYSCALL) has 24 fields - line=2 file=None - event time: 1143146623.875:143, host=? - type=SYSCALL (SYSCALL) - arch=c000003e (x86_64) - syscall=188 (setxattr) - success=yes (yes) - exit=0 (0) - a0=7fffffa9a9f0 (0x7fffffa9a9f0) - a1=3958d11333 (0x3958d11333) - a2=5131f0 (0x5131f0) - a3=20 (0x20) - items=1 (1) - pid=2027 (2027) - auid=848 (unknown(848)) - uid=0 (root) - gid=0 (root) - euid=0 (root) - suid=0 (root) - fsuid=0 (root) - egid=0 (root) - sgid=0 (root) - fsgid=0 (root) - tty=tty3 (tty3) - comm="login" (login) - exe="/bin/login" (/bin/login) - subj=system_u:system_r:local_login_t:s0-s0:c0.c255 (system_u:system_r:local_login_t:s0-s0:c0.c255) - -event 3 has 1 records - record 1 of type 1112(USER_LOGIN) has 10 fields - line=3 file=None - event time: 1143146623.879:146, host=? - type=USER_LOGIN (USER_LOGIN) - pid=2027 (2027) - uid=0 (root) - auid=848 (unknown(848)) - uid=848 (unknown(848)) - exe="/bin/login" (/bin/login) - hostname=? (?) - addr=? (?) - terminal=tty3 (tty3) - res=success (success) - -Test 9 Done - -Starting Test 10, file feed... -event 1 has 4 records - record 1 of type 1400(AVC) has 11 fields - line=1 file=None - event time: 1170021493.977:293, host=? - type=AVC (AVC) - seresult=denied (denied) - seperms=read,write (read,write) - pid=13010 (13010) - comm="pickup" (pickup) - name="maildrop" (maildrop) - dev=hda7 (hda7) - ino=14911367 (14911367) - scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) - tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) - tclass=dir (dir) - - record 2 of type 1300(SYSCALL) has 26 fields - line=2 file=None - event time: 1170021493.977:293, host=? - type=SYSCALL (SYSCALL) - arch=c000003e (x86_64) - syscall=2 (open) - success=no (no) - exit=-13 (-13(Permission denied)) - a0=5555665d91b0 (0x5555665d91b0) - a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY) - a2=5555665d91b8 (0x5555665d91b8) - a3=0 (0x0) - items=1 (1) - ppid=2013 (2013) - pid=13010 (13010) - auid=4294967295 (unset) - uid=890 (unknown(890)) - gid=890 (unknown(890)) - euid=890 (unknown(890)) - suid=890 (unknown(890)) - fsuid=890 (unknown(890)) - egid=890 (unknown(890)) - sgid=890 (unknown(890)) - fsgid=890 (unknown(890)) - tty=(none) ((none)) - comm="pickup" (pickup) - exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup) - subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) - key=(null) ((null)) - - record 3 of type 1307(CWD) has 2 fields - line=3 file=None - event time: 1170021493.977:293, host=? - type=CWD (CWD) - cwd="/var/spool/postfix" (/var/spool/postfix) - - record 4 of type 1302(PATH) has 10 fields - line=4 file=None - event time: 1170021493.977:293, host=? - type=PATH (PATH) - item=0 (0) - name="maildrop" (maildrop) - inode=14911367 (14911367) - dev=03:07 (03:07) - mode=040730 (dir,730) - ouid=890 (unknown(890)) - ogid=891 (unknown(891)) - rdev=00:00 (00:00) - obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) - -event 2 has 1 records - record 1 of type 1101(USER_ACCT) has 11 fields - line=5 file=None - event time: 1170021601.340:294, host=? - type=USER_ACCT (USER_ACCT) - pid=13015 (13015) - uid=0 (root) - auid=4294967295 (unset) - subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) - acct=root (root) - exe="/usr/sbin/crond" (/usr/sbin/crond) - hostname=? (?) - addr=? (?) - terminal=cron (cron) - res=success (success) - -event 3 has 1 records - record 1 of type 1103(CRED_ACQ) has 11 fields - line=6 file=None - event time: 1170021601.342:295, host=? - type=CRED_ACQ (CRED_ACQ) - pid=13015 (13015) - uid=0 (root) - auid=4294967295 (unset) - subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) - acct=root (root) - exe="/usr/sbin/crond" (/usr/sbin/crond) - hostname=? (?) - addr=? (?) - terminal=cron (cron) - res=success (success) - -event 4 has 1 records - record 1 of type 1006(LOGIN) has 5 fields - line=7 file=None - event time: 1170021601.343:296, host=? - type=LOGIN (LOGIN) - pid=13015 (13015) - uid=0 (root) - auid=4294967295 (unset) - auid=0 (root) - -event 5 has 1 records - record 1 of type 1105(USER_START) has 11 fields - line=8 file=None - event time: 1170021601.344:297, host=? - type=USER_START (USER_START) - pid=13015 (13015) - uid=0 (root) - auid=0 (root) - subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) - acct=root (root) - exe="/usr/sbin/crond" (/usr/sbin/crond) - hostname=? (?) - addr=? (?) - terminal=cron (cron) - res=success (success) - -event 6 has 1 records - record 1 of type 1104(CRED_DISP) has 11 fields - line=9 file=None - event time: 1170021601.364:298, host=? - type=CRED_DISP (CRED_DISP) - pid=13015 (13015) - uid=0 (root) - auid=0 (root) - subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) - acct=root (root) - exe="/usr/sbin/crond" (/usr/sbin/crond) - hostname=? (?) - addr=? (?) - terminal=cron (cron) - res=success (success) - -event 7 has 1 records - record 1 of type 1106(USER_END) has 11 fields - line=10 file=None - event time: 1170021601.366:299, host=? - type=USER_END (USER_END) - pid=13015 (13015) - uid=0 (root) - auid=0 (root) - subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) - acct=root (root) - exe="/usr/sbin/crond" (/usr/sbin/crond) - hostname=? (?) - addr=? (?) - terminal=cron (cron) - res=success (success) - -Test 10 Done - -Finished non-admin tests - diff --git a/framework/src/audit/auparse/test/auparse_test.ref.py b/framework/src/audit/auparse/test/auparse_test.ref.py deleted file mode 100644 index d25e0645..00000000 --- a/framework/src/audit/auparse/test/auparse_test.ref.py +++ /dev/null @@ -1,793 +0,0 @@ -Starting Test 1, iterate... -auid=4294967295 -interp auid=unset -auid=848 -interp auid=unknown(848) -auid=848 -interp auid=unknown(848) -Test 1 Done - -Starting Test 2, walk events, records, and fields... -event 1 has 1 records - record 1 of type 1006(LOGIN) has 5 fields - line=1 file=None - event time: 1143146623.787:142, host=(null) - type=LOGIN (LOGIN) - pid=2027 (2027) - uid=0 (root) - auid=4294967295 (unset) - auid=848 (unknown(848)) - -event 2 has 1 records - record 1 of type 1300(SYSCALL) has 24 fields - line=2 file=None - event time: 1143146623.875:143, host=(null) - type=SYSCALL (SYSCALL) - arch=c000003e (x86_64) - syscall=188 (setxattr) - success=yes (yes) - exit=0 (0) - a0=7fffffa9a9f0 (0x7fffffa9a9f0) - a1=3958d11333 (0x3958d11333) - a2=5131f0 (0x5131f0) - a3=20 (0x20) - items=1 (1) - pid=2027 (2027) - auid=848 (unknown(848)) - uid=0 (root) - gid=0 (root) - euid=0 (root) - suid=0 (root) - fsuid=0 (root) - egid=0 (root) - sgid=0 (root) - fsgid=0 (root) - tty=tty3 (tty3) - comm="login" (login) - exe="/bin/login" (/bin/login) - subj=system_u:system_r:local_login_t:s0-s0:c0.c255 (system_u:system_r:local_login_t:s0-s0:c0.c255) - -event 3 has 1 records - record 1 of type 1112(USER_LOGIN) has 10 fields - line=3 file=None - event time: 1143146623.879:146, host=(null) - type=USER_LOGIN (USER_LOGIN) - pid=2027 (2027) - uid=0 (root) - auid=848 (unknown(848)) - uid=848 (unknown(848)) - exe="/bin/login" (/bin/login) - hostname=? (?) - addr=? (?) - terminal=tty3 (tty3) - res=success (success) - -Test 2 Done - -Starting Test 3, walk events, records of 1 buffer... -event has 1 records - record 1 of type 1112(USER_LOGIN) has 10 fields - line=1 file=None - event time: 1143146623.879:146, host=(null) - -Test 3 Done - -Starting Test 4, walk events, records of 1 file... -event 1 has 4 records - record 1 of type 1400(AVC) has 11 fields - line=1 file=test.log - event time: 1170021493.977:293, host=(null) - type=AVC (AVC) - seresult=denied (denied) - seperms=read,write (read,write) - pid=13010 (13010) - comm="pickup" (pickup) - name="maildrop" (maildrop) - dev=hda7 (hda7) - ino=14911367 (14911367) - scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) - tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) - tclass=dir (dir) - - record 2 of type 1300(SYSCALL) has 26 fields - line=2 file=test.log - event time: 1170021493.977:293, host=(null) - type=SYSCALL (SYSCALL) - arch=c000003e (x86_64) - syscall=2 (open) - success=no (no) - exit=-13 (-13(Permission denied)) - a0=5555665d91b0 (0x5555665d91b0) - a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY) - a2=5555665d91b8 (0x5555665d91b8) - a3=0 (0x0) - items=1 (1) - ppid=2013 (2013) - pid=13010 (13010) - auid=4294967295 (unset) - uid=890 (unknown(890)) - gid=890 (unknown(890)) - euid=890 (unknown(890)) - suid=890 (unknown(890)) - fsuid=890 (unknown(890)) - egid=890 (unknown(890)) - sgid=890 (unknown(890)) - fsgid=890 (unknown(890)) - tty=(none) ((none)) - comm="pickup" (pickup) - exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup) - subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) - key=(null) ((null)) - - record 3 of type 1307(CWD) has 2 fields - line=3 file=test.log - event time: 1170021493.977:293, host=(null) - type=CWD (CWD) - cwd="/var/spool/postfix" (/var/spool/postfix) - - record 4 of type 1302(PATH) has 10 fields - line=4 file=test.log - event time: 1170021493.977:293, host=(null) - type=PATH (PATH) - item=0 (0) - name="maildrop" (maildrop) - inode=14911367 (14911367) - dev=03:07 (03:07) - mode=040730 (dir,730) - ouid=890 (unknown(890)) - ogid=891 (unknown(891)) - rdev=00:00 (00:00) - obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) - -event 2 has 1 records - record 1 of type 1101(USER_ACCT) has 11 fields - line=5 file=test.log - event time: 1170021601.340:294, host=(null) - type=USER_ACCT (USER_ACCT) - pid=13015 (13015) - uid=0 (root) - auid=4294967295 (unset) - subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) - acct=root (root) - exe="/usr/sbin/crond" (/usr/sbin/crond) - hostname=? (?) - addr=? (?) - terminal=cron (cron) - res=success (success) - -event 3 has 1 records - record 1 of type 1103(CRED_ACQ) has 11 fields - line=6 file=test.log - event time: 1170021601.342:295, host=(null) - type=CRED_ACQ (CRED_ACQ) - pid=13015 (13015) - uid=0 (root) - auid=4294967295 (unset) - subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) - acct=root (root) - exe="/usr/sbin/crond" (/usr/sbin/crond) - hostname=? (?) - addr=? (?) - terminal=cron (cron) - res=success (success) - -event 4 has 1 records - record 1 of type 1006(LOGIN) has 5 fields - line=7 file=test.log - event time: 1170021601.343:296, host=(null) - type=LOGIN (LOGIN) - pid=13015 (13015) - uid=0 (root) - auid=4294967295 (unset) - auid=0 (root) - -event 5 has 1 records - record 1 of type 1105(USER_START) has 11 fields - line=8 file=test.log - event time: 1170021601.344:297, host=(null) - type=USER_START (USER_START) - pid=13015 (13015) - uid=0 (root) - auid=0 (root) - subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) - acct=root (root) - exe="/usr/sbin/crond" (/usr/sbin/crond) - hostname=? (?) - addr=? (?) - terminal=cron (cron) - res=success (success) - -event 6 has 1 records - record 1 of type 1104(CRED_DISP) has 11 fields - line=9 file=test.log - event time: 1170021601.364:298, host=(null) - type=CRED_DISP (CRED_DISP) - pid=13015 (13015) - uid=0 (root) - auid=0 (root) - subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) - acct=root (root) - exe="/usr/sbin/crond" (/usr/sbin/crond) - hostname=? (?) - addr=? (?) - terminal=cron (cron) - res=success (success) - -event 7 has 1 records - record 1 of type 1106(USER_END) has 11 fields - line=10 file=test.log - event time: 1170021601.366:299, host=(null) - type=USER_END (USER_END) - pid=13015 (13015) - uid=0 (root) - auid=0 (root) - subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) - acct=root (root) - exe="/usr/sbin/crond" (/usr/sbin/crond) - hostname=? (?) - addr=? (?) - terminal=cron (cron) - res=success (success) - -Test 4 Done - -Starting Test 5, walk events, records of 2 files... -event 1 has 4 records - record 1 of type 1400(AVC) has 11 fields - line=1 file=test.log - event time: 1170021493.977:293, host=(null) - type=AVC (AVC) - seresult=denied (denied) - seperms=read,write (read,write) - pid=13010 (13010) - comm="pickup" (pickup) - name="maildrop" (maildrop) - dev=hda7 (hda7) - ino=14911367 (14911367) - scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) - tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) - tclass=dir (dir) - - record 2 of type 1300(SYSCALL) has 26 fields - line=2 file=test.log - event time: 1170021493.977:293, host=(null) - type=SYSCALL (SYSCALL) - arch=c000003e (x86_64) - syscall=2 (open) - success=no (no) - exit=-13 (-13(Permission denied)) - a0=5555665d91b0 (0x5555665d91b0) - a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY) - a2=5555665d91b8 (0x5555665d91b8) - a3=0 (0x0) - items=1 (1) - ppid=2013 (2013) - pid=13010 (13010) - auid=4294967295 (unset) - uid=890 (unknown(890)) - gid=890 (unknown(890)) - euid=890 (unknown(890)) - suid=890 (unknown(890)) - fsuid=890 (unknown(890)) - egid=890 (unknown(890)) - sgid=890 (unknown(890)) - fsgid=890 (unknown(890)) - tty=(none) ((none)) - comm="pickup" (pickup) - exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup) - subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) - key=(null) ((null)) - - record 3 of type 1307(CWD) has 2 fields - line=3 file=test.log - event time: 1170021493.977:293, host=(null) - type=CWD (CWD) - cwd="/var/spool/postfix" (/var/spool/postfix) - - record 4 of type 1302(PATH) has 10 fields - line=4 file=test.log - event time: 1170021493.977:293, host=(null) - type=PATH (PATH) - item=0 (0) - name="maildrop" (maildrop) - inode=14911367 (14911367) - dev=03:07 (03:07) - mode=040730 (dir,730) - ouid=890 (unknown(890)) - ogid=891 (unknown(891)) - rdev=00:00 (00:00) - obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) - -event 2 has 1 records - record 1 of type 1101(USER_ACCT) has 11 fields - line=5 file=test.log - event time: 1170021601.340:294, host=(null) - type=USER_ACCT (USER_ACCT) - pid=13015 (13015) - uid=0 (root) - auid=4294967295 (unset) - subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) - acct=root (root) - exe="/usr/sbin/crond" (/usr/sbin/crond) - hostname=? (?) - addr=? (?) - terminal=cron (cron) - res=success (success) - -event 3 has 1 records - record 1 of type 1103(CRED_ACQ) has 11 fields - line=6 file=test.log - event time: 1170021601.342:295, host=(null) - type=CRED_ACQ (CRED_ACQ) - pid=13015 (13015) - uid=0 (root) - auid=4294967295 (unset) - subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) - acct=root (root) - exe="/usr/sbin/crond" (/usr/sbin/crond) - hostname=? (?) - addr=? (?) - terminal=cron (cron) - res=success (success) - -event 4 has 1 records - record 1 of type 1006(LOGIN) has 5 fields - line=7 file=test.log - event time: 1170021601.343:296, host=(null) - type=LOGIN (LOGIN) - pid=13015 (13015) - uid=0 (root) - auid=4294967295 (unset) - auid=0 (root) - -event 5 has 1 records - record 1 of type 1105(USER_START) has 11 fields - line=8 file=test.log - event time: 1170021601.344:297, host=(null) - type=USER_START (USER_START) - pid=13015 (13015) - uid=0 (root) - auid=0 (root) - subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) - acct=root (root) - exe="/usr/sbin/crond" (/usr/sbin/crond) - hostname=? (?) - addr=? (?) - terminal=cron (cron) - res=success (success) - -event 6 has 1 records - record 1 of type 1104(CRED_DISP) has 11 fields - line=9 file=test.log - event time: 1170021601.364:298, host=(null) - type=CRED_DISP (CRED_DISP) - pid=13015 (13015) - uid=0 (root) - auid=0 (root) - subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) - acct=root (root) - exe="/usr/sbin/crond" (/usr/sbin/crond) - hostname=? (?) - addr=? (?) - terminal=cron (cron) - res=success (success) - -event 7 has 1 records - record 1 of type 1106(USER_END) has 11 fields - line=10 file=test.log - event time: 1170021601.366:299, host=(null) - type=USER_END (USER_END) - pid=13015 (13015) - uid=0 (root) - auid=0 (root) - subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) - acct=root (root) - exe="/usr/sbin/crond" (/usr/sbin/crond) - hostname=? (?) - addr=? (?) - terminal=cron (cron) - res=success (success) - -event 8 has 4 records - record 1 of type 1400(AVC) has 11 fields - line=1 file=test2.log - event time: 1170021493.977:293, host=(null) - type=AVC (AVC) - seresult=denied (denied) - seperms=read (read) - pid=13010 (13010) - comm="pickup" (pickup) - name="maildrop" (maildrop) - dev=hda7 (hda7) - ino=14911367 (14911367) - scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) - tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) - tclass=dir (dir) - - record 2 of type 1300(SYSCALL) has 26 fields - line=2 file=test2.log - event time: 1170021493.977:293, host=(null) - type=SYSCALL (SYSCALL) - arch=c000003e (x86_64) - syscall=2 (open) - success=no (no) - exit=-13 (-13(Permission denied)) - a0=5555665d91b0 (0x5555665d91b0) - a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY) - a2=5555665d91b8 (0x5555665d91b8) - a3=0 (0x0) - items=1 (1) - ppid=2013 (2013) - pid=13010 (13010) - auid=4294967295 (unset) - uid=890 (unknown(890)) - gid=890 (unknown(890)) - euid=890 (unknown(890)) - suid=890 (unknown(890)) - fsuid=890 (unknown(890)) - egid=890 (unknown(890)) - sgid=890 (unknown(890)) - fsgid=890 (unknown(890)) - tty=(none) ((none)) - comm="pickup" (pickup) - exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup) - subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) - key=(null) ((null)) - - record 3 of type 1307(CWD) has 2 fields - line=3 file=test2.log - event time: 1170021493.977:293, host=(null) - type=CWD (CWD) - cwd="/var/spool/postfix" (/var/spool/postfix) - - record 4 of type 1302(PATH) has 10 fields - line=4 file=test2.log - event time: 1170021493.977:293, host=(null) - type=PATH (PATH) - item=0 (0) - name="maildrop" (maildrop) - inode=14911367 (14911367) - dev=03:07 (03:07) - mode=040730 (dir,730) - ouid=890 (unknown(890)) - ogid=891 (unknown(891)) - rdev=00:00 (00:00) - obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) - -event 9 has 1 records - record 1 of type 1101(USER_ACCT) has 11 fields - line=5 file=test2.log - event time: 1170021601.340:294, host=(null) - type=USER_ACCT (USER_ACCT) - pid=13015 (13015) - uid=0 (root) - auid=4294967295 (unset) - subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) - acct=root (root) - exe="/usr/sbin/crond" (/usr/sbin/crond) - hostname=? (?) - addr=? (?) - terminal=cron (cron) - res=success (success) - -event 10 has 1 records - record 1 of type 1103(CRED_ACQ) has 11 fields - line=6 file=test2.log - event time: 1170021601.342:295, host=(null) - type=CRED_ACQ (CRED_ACQ) - pid=13015 (13015) - uid=0 (root) - auid=4294967295 (unset) - subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) - acct=root (root) - exe="/usr/sbin/crond" (/usr/sbin/crond) - hostname=? (?) - addr=? (?) - terminal=cron (cron) - res=success (success) - -event 11 has 1 records - record 1 of type 1006(LOGIN) has 5 fields - line=7 file=test2.log - event time: 1170021601.343:296, host=(null) - type=LOGIN (LOGIN) - pid=13015 (13015) - uid=0 (root) - auid=4294967295 (unset) - auid=0 (root) - -event 12 has 1 records - record 1 of type 1105(USER_START) has 11 fields - line=8 file=test2.log - event time: 1170021601.344:297, host=(null) - type=USER_START (USER_START) - pid=13015 (13015) - uid=0 (root) - auid=0 (root) - subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) - acct=root (root) - exe="/usr/sbin/crond" (/usr/sbin/crond) - hostname=? (?) - addr=? (?) - terminal=cron (cron) - res=success (success) - -event 13 has 1 records - record 1 of type 1104(CRED_DISP) has 11 fields - line=9 file=test2.log - event time: 1170021601.364:298, host=(null) - type=CRED_DISP (CRED_DISP) - pid=13015 (13015) - uid=0 (root) - auid=0 (root) - subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) - acct=root (root) - exe="/usr/sbin/crond" (/usr/sbin/crond) - hostname=? (?) - addr=? (?) - terminal=cron (cron) - res=success (success) - -event 14 has 1 records - record 1 of type 1106(USER_END) has 11 fields - line=10 file=test2.log - event time: 1170021601.366:299, host=(null) - type=USER_END (USER_END) - pid=13015 (13015) - uid=0 (root) - auid=0 (root) - subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) - acct=root (root) - exe="/usr/sbin/crond" (/usr/sbin/crond) - hostname=? (?) - addr=? (?) - terminal=cron (cron) - res=success (success) - -Test 5 Done - -Starting Test 6, search... -auid = 500 not found...which is correct -auid exists...which is correct -Testing BUFFER_ARRAY, stop on field -Found auid = 848 -Testing BUFFER_ARRAY, stop on record -Found type = SYSCALL -Testing BUFFER_ARRAY, stop on event -Found type = SYSCALL -Testing test.log, stop on field -Found auid = 4294967295 -Testing test.log, stop on record -Found type = SYSCALL -Testing test.log, stop on event -Found type = AVC -Test 6 Done - -Starting Test 7, compound search... -Found type = USER_START -Found auid = 0 -Test 7 Done - -Starting Test 8, regex search... -Doing regex match... - -Test 8 Done - -Starting Test 9, buffer feed... -event 1 has 1 records - record 1 of type 1006(LOGIN) has 5 fields - line=1 file=None - event time: 1143146623.787:142, host=(null) - type=LOGIN (LOGIN) - pid=2027 (2027) - uid=0 (root) - auid=4294967295 (unset) - auid=848 (unknown(848)) - -event 2 has 1 records - record 1 of type 1300(SYSCALL) has 24 fields - line=2 file=None - event time: 1143146623.875:143, host=(null) - type=SYSCALL (SYSCALL) - arch=c000003e (x86_64) - syscall=188 (setxattr) - success=yes (yes) - exit=0 (0) - a0=7fffffa9a9f0 (0x7fffffa9a9f0) - a1=3958d11333 (0x3958d11333) - a2=5131f0 (0x5131f0) - a3=20 (0x20) - items=1 (1) - pid=2027 (2027) - auid=848 (unknown(848)) - uid=0 (root) - gid=0 (root) - euid=0 (root) - suid=0 (root) - fsuid=0 (root) - egid=0 (root) - sgid=0 (root) - fsgid=0 (root) - tty=tty3 (tty3) - comm="login" (login) - exe="/bin/login" (/bin/login) - subj=system_u:system_r:local_login_t:s0-s0:c0.c255 (system_u:system_r:local_login_t:s0-s0:c0.c255) - -event 3 has 1 records - record 1 of type 1112(USER_LOGIN) has 10 fields - line=3 file=None - event time: 1143146623.879:146, host=(null) - type=USER_LOGIN (USER_LOGIN) - pid=2027 (2027) - uid=0 (root) - auid=848 (unknown(848)) - uid=848 (unknown(848)) - exe="/bin/login" (/bin/login) - hostname=? (?) - addr=? (?) - terminal=tty3 (tty3) - res=success (success) - -Test 9 Done - -Starting Test 10, file feed... -event 1 has 4 records - record 1 of type 1400(AVC) has 11 fields - line=1 file=None - event time: 1170021493.977:293, host=(null) - type=AVC (AVC) - seresult=denied (denied) - seperms=read,write (read,write) - pid=13010 (13010) - comm="pickup" (pickup) - name="maildrop" (maildrop) - dev=hda7 (hda7) - ino=14911367 (14911367) - scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) - tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) - tclass=dir (dir) - - record 2 of type 1300(SYSCALL) has 26 fields - line=2 file=None - event time: 1170021493.977:293, host=(null) - type=SYSCALL (SYSCALL) - arch=c000003e (x86_64) - syscall=2 (open) - success=no (no) - exit=-13 (-13(Permission denied)) - a0=5555665d91b0 (0x5555665d91b0) - a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY) - a2=5555665d91b8 (0x5555665d91b8) - a3=0 (0x0) - items=1 (1) - ppid=2013 (2013) - pid=13010 (13010) - auid=4294967295 (unset) - uid=890 (unknown(890)) - gid=890 (unknown(890)) - euid=890 (unknown(890)) - suid=890 (unknown(890)) - fsuid=890 (unknown(890)) - egid=890 (unknown(890)) - sgid=890 (unknown(890)) - fsgid=890 (unknown(890)) - tty=(none) ((none)) - comm="pickup" (pickup) - exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup) - subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) - key=(null) ((null)) - - record 3 of type 1307(CWD) has 2 fields - line=3 file=None - event time: 1170021493.977:293, host=(null) - type=CWD (CWD) - cwd="/var/spool/postfix" (/var/spool/postfix) - - record 4 of type 1302(PATH) has 10 fields - line=4 file=None - event time: 1170021493.977:293, host=(null) - type=PATH (PATH) - item=0 (0) - name="maildrop" (maildrop) - inode=14911367 (14911367) - dev=03:07 (03:07) - mode=040730 (dir,730) - ouid=890 (unknown(890)) - ogid=891 (unknown(891)) - rdev=00:00 (00:00) - obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) - -event 2 has 1 records - record 1 of type 1101(USER_ACCT) has 11 fields - line=5 file=None - event time: 1170021601.340:294, host=(null) - type=USER_ACCT (USER_ACCT) - pid=13015 (13015) - uid=0 (root) - auid=4294967295 (unset) - subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) - acct=root (root) - exe="/usr/sbin/crond" (/usr/sbin/crond) - hostname=? (?) - addr=? (?) - terminal=cron (cron) - res=success (success) - -event 3 has 1 records - record 1 of type 1103(CRED_ACQ) has 11 fields - line=6 file=None - event time: 1170021601.342:295, host=(null) - type=CRED_ACQ (CRED_ACQ) - pid=13015 (13015) - uid=0 (root) - auid=4294967295 (unset) - subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) - acct=root (root) - exe="/usr/sbin/crond" (/usr/sbin/crond) - hostname=? (?) - addr=? (?) - terminal=cron (cron) - res=success (success) - -event 4 has 1 records - record 1 of type 1006(LOGIN) has 5 fields - line=7 file=None - event time: 1170021601.343:296, host=(null) - type=LOGIN (LOGIN) - pid=13015 (13015) - uid=0 (root) - auid=4294967295 (unset) - auid=0 (root) - -event 5 has 1 records - record 1 of type 1105(USER_START) has 11 fields - line=8 file=None - event time: 1170021601.344:297, host=(null) - type=USER_START (USER_START) - pid=13015 (13015) - uid=0 (root) - auid=0 (root) - subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) - acct=root (root) - exe="/usr/sbin/crond" (/usr/sbin/crond) - hostname=? (?) - addr=? (?) - terminal=cron (cron) - res=success (success) - -event 6 has 1 records - record 1 of type 1104(CRED_DISP) has 11 fields - line=9 file=None - event time: 1170021601.364:298, host=(null) - type=CRED_DISP (CRED_DISP) - pid=13015 (13015) - uid=0 (root) - auid=0 (root) - subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) - acct=root (root) - exe="/usr/sbin/crond" (/usr/sbin/crond) - hostname=? (?) - addr=? (?) - terminal=cron (cron) - res=success (success) - -event 7 has 1 records - record 1 of type 1106(USER_END) has 11 fields - line=10 file=None - event time: 1170021601.366:299, host=(null) - type=USER_END (USER_END) - pid=13015 (13015) - uid=0 (root) - auid=0 (root) - subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) - acct=root (root) - exe="/usr/sbin/crond" (/usr/sbin/crond) - hostname=? (?) - addr=? (?) - terminal=cron (cron) - res=success (success) - -Test 10 Done - -Finished non-admin tests - diff --git a/framework/src/audit/auparse/test/test.log b/framework/src/audit/auparse/test/test.log deleted file mode 100644 index e0ffabf5..00000000 --- a/framework/src/audit/auparse/test/test.log +++ /dev/null @@ -1,10 +0,0 @@ -type=AVC msg=audit(1170021493.977:293): avc: denied { read write } for pid=13010 comm="pickup" name="maildrop" dev=hda7 ino=14911367 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir -type=SYSCALL msg=audit(1170021493.977:293): arch=c000003e syscall=2 success=no exit=-13 a0=5555665d91b0 a1=10800 a2=5555665d91b8 a3=0 items=1 ppid=2013 pid=13010 auid=4294967295 uid=890 gid=890 euid=890 suid=890 fsuid=890 egid=890 sgid=890 fsgid=890 tty=(none) comm="pickup" exe="/usr/libexec/postfix/pickup" subj=system_u:system_r:postfix_pickup_t:s0 key=(null) -type=CWD msg=audit(1170021493.977:293): cwd="/var/spool/postfix" -type=PATH msg=audit(1170021493.977:293): item=0 name="maildrop" inode=14911367 dev=03:07 mode=040730 ouid=890 ogid=891 rdev=00:00 obj=system_u:object_r:postfix_spool_maildrop_t:s0 -type=USER_ACCT msg=audit(1170021601.340:294): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' -type=CRED_ACQ msg=audit(1170021601.342:295): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' -type=LOGIN msg=audit(1170021601.343:296): login pid=13015 uid=0 old auid=4294967295 new auid=0 -type=USER_START msg=audit(1170021601.344:297): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)' -type=CRED_DISP msg=audit(1170021601.364:298): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)' -type=USER_END msg=audit(1170021601.366:299): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session close acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)' diff --git a/framework/src/audit/auparse/test/test2.log b/framework/src/audit/auparse/test/test2.log deleted file mode 100644 index 588f1e04..00000000 --- a/framework/src/audit/auparse/test/test2.log +++ /dev/null @@ -1,10 +0,0 @@ -type=AVC msg=audit(1170021493.977:293): avc: denied { read } for pid=13010 comm="pickup" name="maildrop" dev=hda7 ino=14911367 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir -type=SYSCALL msg=audit(1170021493.977:293): arch=c000003e syscall=2 success=no exit=-13 a0=5555665d91b0 a1=10800 a2=5555665d91b8 a3=0 items=1 ppid=2013 pid=13010 auid=4294967295 uid=890 gid=890 euid=890 suid=890 fsuid=890 egid=890 sgid=890 fsgid=890 tty=(none) comm="pickup" exe="/usr/libexec/postfix/pickup" subj=system_u:system_r:postfix_pickup_t:s0 key=(null) -type=CWD msg=audit(1170021493.977:293): cwd="/var/spool/postfix" -type=PATH msg=audit(1170021493.977:293): item=0 name="maildrop" inode=14911367 dev=03:07 mode=040730 ouid=890 ogid=891 rdev=00:00 obj=system_u:object_r:postfix_spool_maildrop_t:s0 -type=USER_ACCT msg=audit(1170021601.340:294): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' -type=CRED_ACQ msg=audit(1170021601.342:295): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' -type=LOGIN msg=audit(1170021601.343:296): login pid=13015 uid=0 old auid=4294967295 new auid=0 -type=USER_START msg=audit(1170021601.344:297): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)' -type=CRED_DISP msg=audit(1170021601.364:298): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)' -type=USER_END msg=audit(1170021601.366:299): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session close acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)' |